
S300, S500, S2700, S3700, S5700, S6700, S7700, and

S9700 Series Switches


Typical Configuration Examples 3 Feature Typical Configuration Examples

3 Feature Typical Configuration Examples

3.1 Applicable Products and Versions


3.2 Quick Configuration Guide
3.3 Typical Basic Configuration
3.4 Typical Device Management Configuration
3.5 Typical Ethernet Interface Configuration
3.6 Typical Ethernet Switching Configuration
3.7 Typical IP Service Configuration
3.8 Typical IP Multicast Configuration
3.9 Typical Routing Configuration
3.10 Typical MPLS and VPN Configurations
3.11 Typical WLAN-AC Configuration (Applicable to Versions V200R005 to
V200R008)
3.12 Typical WLAN-AC Configuration (Applicable to V200R009 and Later Versions)
3.13 Typical Reliability Configuration
3.14 Typical User Access and Authentication Configuration
3.15 Typical Security Configuration
3.16 Typical QoS Configuration
3.17 Typical Network Management and Monitoring Configuration
3.18 Typical Free Mobility and Service Chaining Configuration
3.19 Example for Deploying the NGFW Module and IPS Module on a Switch
3.20 Typical Configuration for Interoperation Between Switches and Firewalls
3.21 Typical Configuration for Interoperation Between Switches and Routers

Issue 35 (2022-10-26) Copyright © Huawei Technologies Co., Ltd. 930



3.1 Applicable Products and Versions


This chapter applies to multiple versions of modular and fixed switches (S300,
S500, S2700, S3700, S5700, S6700, S7700, and S9700) configured using
commands. Examples in this chapter apply to different products and versions. For
details, see "Configuration Notes" of each example.
Unless otherwise specified, the configuration examples apply to the product
models and software versions listed in Table 3-1.

Table 3-1 Applicable product models and software versions

Product Model            Software Version
S300                     V200R020C10, V200R021C00, V200R021C01
S500                     V200R020C10, V200R021C00, V200R021C01
S2700-SI                 V100R006C05
S2700-EI                 V100R006C05
S2710-SI                 V100R006C05
S2752EI                  V100R006C05
S2720-EI                 V200R006C10, V200R009C00, V200R010C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S2730S-S                 V200R020C10, V200R021C00
S2750-EI                 V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00
S3700-SI                 V100R006C05
S3700-EI                 V100R006C05
S3700-HI                 V200R001C00
S5700-SI                 V200R001C00, V200R002C00, V200R003C00, V200R005C00
S5700-EI                 V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02&C03)
S5700-HI                 V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00SPC500&C01&C02)
S5700-LI                 V200R001C00, V200R002C00, V200R003(C00&C02&C10), V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00
S5700S-LI                V200R001C00, V200R002C00, V200R003C00, V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00
S5710-C-LI               V200R001C00
S5710-X-LI               V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00
S5710-EI                 V200R001C00, V200R002C00, V200R003C00, V200R005(C00&C02)
S5720-LI, S5720S-LI      V200R010C00, V200R011C00, V200R011C10, V200R012(C00&C20), V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S5720-EI                 V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5710-HI                 V200R003C00, V200R005(C00&C02&C03)
S5720-HI                 V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5730-HI                 V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5731-H                  V200R013C02, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S5720-SI, S5720S-SI      V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5720I-SI                V200R012C00, V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S5730-SI                 V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5730S-EI                V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5731-S, S5731S-S        V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S5731S-H                 V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S5732-H                  V200R019C00, V200R019C10, V200R019C20, V200R020C00, V200R020C10, V200R021C00
S5735-L, S5735S-L        V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S5735-L-I                V200R021C00, V200R021C01
S5735-L1                 V200R020C10, V200R021C00, V200R021C01
S5735S-L1                V200R020C10, V200R021C00, V200R021C01
S5735S-L-M               V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S5735-S, S5735S-S        V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S5735-S-I                V200R019C10, V200R020C00, V200R020C10, V200R020C30, V200R021C00
S5735S-H                 V200R020C00, V200R020C10, V200R021C00, V200R021C01
S5736-S                  V200R020C00, V200R020C10, V200R020C30, V200R021C00, V200R021C01
S6700-EI                 V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02)
S6720-EI                 V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6720S-EI                V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6720-LI, S6720S-LI      V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6720-SI, S6720S-SI      V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6720-HI                 V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6730-H                  V200R013C02, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6730-S, S6730S-S        V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6730S-H                 V200R019C10, V200R020C00, V200R020C10, V200R021C00
S7703, S7706, S7712      V200R001(C00&C01), V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C10, V200R012C00, V200R013C00, V200R013C02, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S7703 PoE                V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S7706 PoE                V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S9703, S9706, S9712      V200R001(C00&C01), V200R002C00, V200R003C00, V200R005C00, V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C10, V200R012C00, V200R013C00

3.2 Quick Configuration Guide

3.2.1 Before You Start


This document will help you log in to and quickly configure Huawei S series
switches. For more service configurations, see the Switch Configuration Guide.

NOTE

This document is for switches running V200R003C00 and later.


You can run the display version command in the user view to check the version of the
device.

Before configuring any data, complete the following tasks:


1. Install and power on the switch. For details, refer to the S7700 and S9700
Quick Installation Guide, S12700 Quick Installation Guide, or S2700,
S3700, S5700, and S6700 Series Switches Quick Start Guide.


2. Place the following contact details around your workplace: the telephone
number of the agent responsible for your network construction and service.
3. Visit the Huawei Enterprise Service Technical Support website (http://
support.huawei.com/enterprise) to register an account. With an account,
you can browse or download more product documents, cases, and bulletins.
You can also enjoy our subscription and message push services.

3.2.2 Small-Sized Campus Networks

3.2.2.1 Networking Diagram


NOTE

This section uses the S2750 as an access switch (ACC1), S5700 as a core switch (CORE), and
an AR series router as an egress router (Router) as examples to demonstrate the
configuration procedure for small-sized campus networks.

● On small-sized networks, S2700&S3700 switches are deployed at the access
layer, S5700&S6700 switches are deployed at the core layer, and an AR series
router works as the egress router.
● The access switches and core switch connect through Eth-Trunk to ensure
reliability.
● On an access switch, each department has a VLAN allocated so that services
are separated by VLANs. Configuring a VLANIF interface on the core switch
implements Layer 3 communication between different departments.
● The core switch functions as a DHCP Server to allocate IP addresses to user
devices on the campus network.


● Configuring DHCP Snooping on the access switches prevents intranet users
from connecting a small router to the intranet to allocate IP addresses.
Configuring IPSG on the access switches prevents intranet users from
changing IP addresses.

3.2.2.2 Data Plan


Before configuring the switches and router, prepare the following data for use in
the next section.

Action: Configure the management IP address and Telnet
  Component: Management IP address
  Data: 10.10.1.1/24
  Description: The management IP address is used to log in to the switch.

  Component: Management VLAN
  Data: VLAN 5
  Description: A modular switch's management interface is Ethernet0/0/0. A fixed
  switch's management interface is MEth0/0/1. For switches without management
  interfaces, you are advised to use VLANIF interfaces for inband management.

Action: Configure interfaces and VLANs
  Component: Eth-Trunk type
  Data: Static LACP
  Description: The Eth-Trunk works in load balancing or static LACP mode.

  Component: Port type
  Data: The Trunk port connects to a switch, and the Access port connects to a PC.
  Description: This configuration is for Trunk and Access port setup. If a Hybrid
  port setup is available on a switch, this port can connect to either a host or
  another switch.

  Component: VLAN ID
  Data: ACC1: VLAN 10; ACC2: VLAN 20; CORE: VLANs 100, 10, and 20
  Description: VLAN1 is the default VLAN on the switch. To isolate departments A
  and B at Layer 2, add A to VLAN 10 and B to VLAN 20. CORE connects to the
  egress router through VLANIF100.

Action: Configure DHCP
  Component: DHCP Server
  Data: CORE
  Description: Configure the DHCP server function on CORE.

  Component: Address pool
  Data: VLAN 10: IP address pool 10; VLAN 20: IP address pool 20
  Description: Terminals in department A obtain IP addresses from IP address
  pool 10. Terminals in department B obtain IP addresses from IP address pool 20.

  Component: Address allocation
  Data: Based on a global address pool
  Description: N/A

Action: Configure IP routing of CORE
  Component: IP address
  Data: CORE: VLANIF100 10.10.100.1/24, VLANIF10 10.10.10.1/24, VLANIF20 10.10.20.1/24
  Description: CORE connects to the campus egress router through VLANIF 100 so
  that the campus intranet can communicate with the Internet. Configure a default
  route on CORE with the next hop pointing to the egress router. After configuring
  the IP addresses of VLANIF 10 and VLANIF 20 on CORE, departments A and B can
  then communicate through CORE.

Action: Configure the egress router
  Component: Public interface IP address
  Data: GE0/0/1: 1.1.1.2/30
  Description: GE0/0/1 is the public interface that connects the egress router to
  the Internet.

  Component: Public gateway
  Data: 1.1.1.1/30
  Description: The public gateway address is the IP address of the carrier device
  that connects to the egress router. Configure a default route to this IP
  address on the egress router to forward intranet traffic to the Internet.

  Component: DNS server address
  Data: 8.8.8.8
  Description: The DNS server resolves domain names into IP addresses.

  Component: Intranet interface IP address
  Data: GE1/0/0: 10.10.100.2/24
  Description: GE1/0/0 connects the egress router to the intranet.

Action: Configure DHCP snooping and IPSG
  Component: Trusted interface
  Data: Eth-Trunk1
  Description: N/A
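Several values in the data plan above must agree with each other: each DHCP pool's gateway with the matching VLANIF address, CORE's default next hop with the router's intranet interface, and the public gateway with the public /30. The following Python script, an added example that is not part of the Huawei document, cross-checks those relationships with the standard ipaddress module before anything is typed into a switch. The PLAN dictionary and its key names are my own encoding of the table.

```python
import ipaddress

# Constructed from the data plan in this section; the key names are my own.
PLAN = {
    "management": "10.10.1.1/24",
    "core_vlanifs": {
        "Vlanif10": "10.10.10.1/24",
        "Vlanif20": "10.10.20.1/24",
        "Vlanif100": "10.10.100.1/24",
    },
    "pools": {
        "10": {"network": "10.10.10.0/24", "gateway": "10.10.10.1", "vlanif": "Vlanif10"},
        "20": {"network": "10.10.20.0/24", "gateway": "10.10.20.1", "vlanif": "Vlanif20"},
    },
    "core_default_nexthop": "10.10.100.2",
    "router_intranet": "10.10.100.2/24",
    "router_public": "1.1.1.2/30",
    "public_gateway": "1.1.1.1",
}


def validate_plan(plan):
    """Cross-check the address plan; returns a list of problems (empty means consistent)."""
    problems = []
    vlanifs = {name: ipaddress.ip_interface(addr) for name, addr in plan["core_vlanifs"].items()}

    # 1. The management subnet and the VLANIF subnets must not overlap.
    nets = {name: itf.network for name, itf in vlanifs.items()}
    nets["management"] = ipaddress.ip_interface(plan["management"]).network
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")

    # 2. Each DHCP pool must cover exactly its VLANIF subnet and hand out that
    #    VLANIF's address as the gateway.
    for name, pool in plan["pools"].items():
        itf = vlanifs[pool["vlanif"]]
        if ipaddress.ip_network(pool["network"]) != itf.network:
            problems.append(f"pool {name} network {pool['network']} is not "
                            f"{pool['vlanif']}'s subnet {itf.network}")
        if ipaddress.ip_address(pool["gateway"]) != itf.ip:
            problems.append(f"pool {name} gateway {pool['gateway']} is not "
                            f"{pool['vlanif']}'s address {itf.ip}")

    # 3. CORE's default next hop must be the router's intranet address and lie in
    #    the Vlanif100 subnet, otherwise the static route can never be resolved.
    nexthop = ipaddress.ip_address(plan["core_default_nexthop"])
    router_in = ipaddress.ip_interface(plan["router_intranet"])
    if nexthop != router_in.ip:
        problems.append(f"CORE default next hop {nexthop} is not the router "
                        f"intranet address {router_in.ip}")
    if nexthop not in vlanifs["Vlanif100"].network:
        problems.append(f"next hop {nexthop} is outside Vlanif100's subnet "
                        f"{vlanifs['Vlanif100'].network}")

    # 4. The public gateway must be the other usable address of the public /30.
    public = ipaddress.ip_interface(plan["router_public"])
    gateway = ipaddress.ip_address(plan["public_gateway"])
    usable = set(public.network.hosts()) - {public.ip}
    if gateway not in usable:
        problems.append(f"public gateway {gateway} is not a usable peer address "
                        f"in {public.network}")
    return problems


if __name__ == "__main__":
    print(validate_plan(PLAN) or "plan is consistent")
```

Running the script against the plan as given prints "plan is consistent"; changing one value (for example pointing pool 20 at the gateway of VLAN 10) produces a one-line description of the mismatch, which is cheaper to find here than after the DHCP clients have received a gateway on the wrong subnet.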


3.2.2.3 Quickly Configuring Small-Sized Campus Networks


Follow the procedure shown below to configure the switches and router. Once
configurations are complete, user devices within the campus can communicate
with each other, and intranet users can access the Internet.

3.2.2.3.1 Logging In to the Switch


1. Connect your PC to the switch through the console cable provided with the
switch. If your PC does not have a serial port, use a USB to serial cable.

NOTE

If the switch has a Mini USB port, you can connect your PC to the switch using a Mini
USB cable. For this configuration procedure, see the corresponding Configuration
Guide - Basic Configuration based on the version of the device.
2. Open the terminal emulation program on your PC. Create a connection and
set the interface and communication parameters.
Select an available port on your PC. For example, if your PC runs a Windows
operating system, you can view port information in Device Manager and
select a port. Table 3-2 lists the communication parameters on the switch.


Table 3-2 Default settings of the console port on the switch

Parameter            Default Value
Transmission rate    9600 bit/s
Flow control         No flow control
Parity               No parity check
Stop bits            1
Data bits            8

3. Press Connect until the following information is displayed. Enter your new
password, and then re-enter it to confirm.
Login authentication

Username:
Password:

NOTE

The default username and password are available in S Series Switches Default
Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained
the access permission of the document, see Help on the website to find out how to
obtain it.
You can now run commands to configure the switch. Enter a question mark
(?) after a command whenever you need help.

3.2.2.3.2 Configuring the Management IP Address and Telnet


After configuring the management IP address of a switch, you can log in to the
switch using this address. CORE is used in the example below to show the
procedure of configuring the management IP address and Telnet.

1. Configure the management IP address.


<HUAWEI> system-view
[HUAWEI] vlan 5 //Create management VLAN 5.
[HUAWEI-VLAN5] management-vlan
[HUAWEI-VLAN5] quit
[HUAWEI] interface vlanif 5
[HUAWEI-vlanif5] ip address 10.10.1.1 24
[HUAWEI-vlanif5] quit

2. Add the management interface to the management VLAN.


[HUAWEI] interface GigabitEthernet 0/0/8 //Assume that the interface connected to the NMS
is GigabitEthernet0/0/8.
[HUAWEI-GigabitEthernet0/0/8] port link-type trunk
[HUAWEI-GigabitEthernet0/0/8] port trunk allow-pass vlan 5
[HUAWEI-GigabitEthernet0/0/8] quit

3. Configure Telnet.
[HUAWEI] telnet server enable //By default, the Telnet function is disabled.
[HUAWEI] telnet server-source -i vlanif 5 //In V200R020 and later versions, you must run this
command to configure the port for connecting to the server. Otherwise, Telnet is unavailable.
[HUAWEI] user-interface vty 0 4 //An administrator generally logs in to the switch through Telnet.
AAA authentication is recommended.
[HUAWEI-ui-vty0-4] protocol inbound telnet //V200R006 and earlier versions support Telnet.
V200R007 and later versions support SSH by default. If the switch runs V200R007 or a later version,
run this command before logging in to the switch using Telnet.
[HUAWEI-ui-vty0-4] authentication-mode aaa
[HUAWEI-ui-vty0-4] idle-timeout 15
[HUAWEI-ui-vty0-4] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin password irreversible-cipher Helloworld@6789 //Configure the
user name and password for Telnet login. The user name is case-insensitive, whereas the password is
case-sensitive.
[HUAWEI-aaa] local-user admin privilege level 15 //Set the administrator account level to 15
(highest).
[HUAWEI-aaa] local-user admin service-type telnet

NOTE

Use of STelnet V2 to log in to the switch is recommended because the Telnet protocol
has security risks. For this configuration procedure, see the corresponding
Configuration Guide - Basic Configuration based on the version of the device.
4. Log in to the switch from an operation terminal through Telnet. When the
user view prompt is displayed, you have successfully logged in.
C:\Documents and Settings\Administrator> telnet 10.10.1.1 //Enter the management IP address and
press Enter.

Login authentication

Username:admin //Enter the user name and password.
Password:
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 1.
The current login time is 2014-05-06 18:33:18+00:00.
<HUAWEI> //User view prompt
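The NOTE above recommends STelnet over Telnet because Telnet carries the credentials and the whole session in cleartext. As an added example that is not part of the Huawei document, the following Python audit reads a saved configuration in the form the commands above produce and flags exactly those settings: a Telnet server, VTY lines that accept Telnet, users allowed to log in over Telnet, VTY lines without AAA authentication, and an overly long idle-timeout. Both configuration strings are constructed; the hardened variant assumes the STelnet equivalents (stelnet server enable, protocol inbound ssh, service-type ssh), and the password ciphertext is a placeholder rather than a value from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample: the management-plane commands from this section as they
# would appear in the saved configuration. The ciphertext is a placeholder.
PAGE_STYLE_CONFIG = """\
telnet server enable
telnet server-source -i vlanif 5
#
aaa
 local-user admin password irreversible-cipher %^%#PLACEHOLDER%^%#
 local-user admin privilege level 15
 local-user admin service-type telnet
#
user-interface vty 0 4
 authentication-mode aaa
 idle-timeout 15
 protocol inbound telnet
#
"""

# Constructed hardened variant (an assumption, not page text): STelnet in place of Telnet.
HARDENED_CONFIG = """\
stelnet server enable
#
aaa
 local-user admin password irreversible-cipher %^%#PLACEHOLDER%^%#
 local-user admin privilege level 15
 local-user admin service-type ssh
#
user-interface vty 0 4
 authentication-mode aaa
 idle-timeout 10
 protocol inbound ssh
#
"""


def parse_config(config: str):
    """Split a VRP-style configuration into top-level commands and the indented
    commands under each view-entering command (e.g. 'user-interface vty 0 4').
    A '#' line or a blank line ends the current view."""
    top, views, current = [], {}, None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "#":
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            views.setdefault(current, []).append(stripped)
        else:
            current = stripped
            top.append(stripped)
    return top, views


@dataclass(frozen=True)
class Finding:
    severity: str
    where: str
    message: str


def audit_management_plane(config: str, max_idle_minutes: int = 15):
    """Return findings for cleartext management access and weak VTY settings."""
    top, views = parse_config(config)
    findings = []
    if "telnet server enable" in top:
        findings.append(Finding("high", "system view",
                                "Telnet server enabled: credentials travel in cleartext; use STelnet (SSH)"))
    for view, cmds in views.items():
        if view.startswith("user-interface vty"):
            if "authentication-mode aaa" not in cmds:
                findings.append(Finding("high", view, "authentication-mode aaa is not configured"))
            for cmd in cmds:
                # 'protocol inbound all' admits Telnet as well as SSH
                if cmd.startswith("protocol inbound") and cmd.split()[-1] in ("telnet", "all"):
                    findings.append(Finding("high", view, f"'{cmd}' accepts Telnet logins"))
            idle = [cmd for cmd in cmds if cmd.startswith("idle-timeout")]
            if not idle:
                findings.append(Finding("medium", view, "idle-timeout not set explicitly"))
            elif int(idle[0].split()[1]) > max_idle_minutes:
                findings.append(Finding("medium", view, f"'{idle[0]}' exceeds {max_idle_minutes} minutes"))
        elif view == "aaa":
            for cmd in cmds:
                m = re.match(r"local-user (\S+) service-type (.+)", cmd)
                if m and "telnet" in m.group(2).split():
                    findings.append(Finding("high", view, f"user {m.group(1)} is allowed to log in over Telnet"))
                m = re.match(r"local-user (\S+) password (\S+)", cmd)
                if m and m.group(2) not in ("cipher", "irreversible-cipher"):
                    findings.append(Finding("high", view, f"user {m.group(1)} password is not stored as a cipher"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("page-style", PAGE_STYLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        found = audit_management_plane(cfg)
        print(f"== {name}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.severity}] {f.where}: {f.message}")
```

Run against the page-style configuration the audit reports three high findings (the Telnet server, the VTY protocol setting, and the admin user's service type); the hardened variant produces none. The parser keys on the indentation that VRP uses in saved configurations, so the same function can be pointed at the output of a configuration backup.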

3.2.2.3.3 Configuring Interfaces and VLANs

Configure the access switch.


1. Starting with access switch ACC1 as an example, create service VLAN 10 on
ACC1.
<HUAWEI> system-view
[HUAWEI] sysname ACC1 //Set the switch name to ACC1.
[ACC1] vlan batch 10 //Create VLANs in a batch.

2. Configure Eth-Trunk 1, through which ACC1 connects to the CORE, to allow
the packets from the VLAN of department A to pass through.
[ACC1] interface eth-trunk 1
[ACC1-Eth-Trunk1] port link-type trunk //Set Eth-Trunk 1 type to Trunk for VLAN
transparent transmission.
[ACC1-Eth-Trunk1] port trunk allow-pass vlan 10 //Configure Eth-Trunk 1 to transparently
transmit the service VLAN on ACC1.
[ACC1-Eth-Trunk1] mode lacp //Configure the LACP mode on Eth-Trunk 1.
[ACC1-Eth-Trunk1] quit
[ACC1] interface GigabitEthernet 0/0/1 //Add member interfaces to Eth-Trunk 1.
[ACC1-GigabitEthernet0/0/1] eth-Trunk 1
[ACC1-GigabitEthernet0/0/1] quit
[ACC1] interface GigabitEthernet 0/0/2
[ACC1-GigabitEthernet0/0/2] eth-Trunk 1
[ACC1-GigabitEthernet0/0/2] quit

3. Configure the interfaces on ACC1 that connect user devices so that user
devices can be added to the VLAN. Configure the interfaces as edge ports.
[ACC1] interface Ethernet 0/0/2 //Configure the interface connecting to PC1.
[ACC1-Ethernet0/0/2] port link-type access
[ACC1-Ethernet0/0/2] port default vlan 10
[ACC1-Ethernet0/0/2] stp edged-port enable
[ACC1-Ethernet0/0/2] quit
[ACC1] interface Ethernet 0/0/3 //Configure the interface connecting to PC2.
[ACC1-Ethernet0/0/3] port link-type access
[ACC1-Ethernet0/0/3] port default vlan 10

[ACC1-Ethernet0/0/3] stp edged-port enable
[ACC1-Ethernet0/0/3] quit
[ACC1] interface Ethernet 0/0/4 //Configure the interface connecting to printers.
[ACC1-Ethernet0/0/4] port link-type access
[ACC1-Ethernet0/0/4] port default vlan 10
[ACC1-Ethernet0/0/4] stp edged-port enable
[ACC1-Ethernet0/0/4] quit

NOTE

To add all users connected to ACC1 to VLAN 10, you can add Eth-Trunk1 on CORE to
VLAN 10 as an Access interface and do not add interfaces on ACC1 to VLAN 10,
simplifying the configuration. This configuration ensures that all users connected to
Eth-Trunk1 belong to VLAN 10.
4. Configure the BPDU protection function to improve network stability.
[ACC1] stp bpdu-protection

Configure the core switch (CORE)


1. Create the VLANs for CORE to communicate with ACC1, ACC2, and the egress
router.
<HUAWEI> system-view
[HUAWEI] sysname CORE //Set the switch name to CORE.
[CORE] vlan batch 10 20 100 //Create VLANs in a batch.

2. Configure downstream interfaces and VLANIF interfaces. Communication
between departments A and B uses VLANIF interfaces. For example, CORE
connects to ACC1 through Eth-Trunk 1.
[CORE] interface eth-trunk 1
[CORE-Eth-Trunk1] port link-type trunk //Set the interface type to Trunk for VLAN transparent
transmission.
[CORE-Eth-Trunk1] port trunk allow-pass vlan 10 //Configure Eth-Trunk 1 to transparently transmit
the service VLAN on ACC1.
[CORE-Eth-Trunk1] mode lacp //Configure the LACP mode.
[CORE-Eth-Trunk1] quit
[CORE] interface GigabitEthernet 0/0/1 //Add member interfaces to Eth-Trunk 1.
[CORE-GigabitEthernet0/0/1] eth-trunk 1
[CORE-GigabitEthernet0/0/1] quit
[CORE] interface GigabitEthernet 0/0/2
[CORE-GigabitEthernet0/0/2] eth-trunk 1
[CORE-GigabitEthernet0/0/2] quit
[CORE] interface Vlanif 10 //Configure a VLANIF interface to allow department A to
communicate with department B through Layer 3.
[CORE-Vlanif10] ip address 10.10.10.1 24
[CORE-Vlanif10] quit
[CORE] interface Vlanif 20 //Configure a VLANIF interface to allow department B to
communicate with department A through Layer 3.
[CORE-Vlanif20] ip address 10.10.20.1 24
[CORE-Vlanif20] quit

3. Configure upstream interfaces and VLANIF interfaces to allow the campus
network to communicate with the Internet.
[CORE] interface GigabitEthernet 0/0/20
[CORE-GigabitEthernet0/0/20] port link-type access //Set the access mode.
[CORE-GigabitEthernet0/0/20] port default vlan 100
[CORE-GigabitEthernet0/0/20] quit
[CORE] interface Vlanif 100 //Configure a VLANIF interface to allow CORE to communicate
with the router at Layer 3.
[CORE-Vlanif100] ip address 10.10.100.1 24
[CORE-Vlanif100] quit

4. After configuring the interfaces and VLANs, run the following commands to
view the configuration results. For details about the command output, see the
corresponding Command Reference based on the version of the device.

Run the display eth-trunk command to view the configurations of Eth-Trunk
on ACC1. ACC1's GE0/0/1 and GE0/0/2 interfaces have been added to Eth-Trunk 1.
[ACC1] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: LACP
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
System Priority: 32768 System ID: 0200-0000-6704
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 1
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/1 Selected 1000M 32768 2 289 10111100 1
GigabitEthernet0/0/2 Selected 1000M 32768 3 289 10100010 1

Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/1 32768 0012-3321-2212 32768 2 289 10111100
GigabitEthernet0/0/2 32768 0012-3321-2212 32768 3 289 10111100

Run the display vlan command to view VLAN configurations on ACC1. On
ACC1, interfaces Eth0/0/2 to Eth0/0/4 have been added to VLAN 10 in
Untagged mode, and Eth-Trunk 1 has been added to VLAN 10 in Tagged
mode.
[ACC1] display vlan
The total number of VLANs is : 1
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------

VID Type Ports
--------------------------------------------------------------------------------
10 common UT:Eth0/0/2(U) Eth0/0/3(U) Eth0/0/4(U)
TG:Eth-Trunk1(U)

VID Status Property MAC-LRN Statistics Description
--------------------------------------------------------------------------------
10 enable default enable disable VLAN 0010

Run the display eth-trunk command to view Eth-Trunk configurations on
CORE. CORE's GE0/0/1 and GE0/0/2 interfaces have been added to Eth-Trunk 1.
[CORE] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: LACP
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
System Priority: 32768 System ID: 0200-0000-6703
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 1
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet0/0/1 Selected 1000M 32768 2 289 10111100 1
GigabitEthernet0/0/2 Selected 1000M 32768 3 289 10100010 1

Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet0/0/1 32768 0012-3321-2211 32768 2 289 10111100
GigabitEthernet0/0/2 32768 0012-3321-2211 32768 3 289 10111100

Run the display vlan command to view VLAN configurations on CORE. On
CORE, Eth-Trunk 1 has been added to VLAN 10, Eth-Trunk 2 has been added
to VLAN 20, and GE0/0/20 has been added to VLAN 100 in Tagged mode.
[CORE] display vlan
The total number of VLANs is : 3
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------

VID Type Ports
--------------------------------------------------------------------------------
10 common TG:Eth-Trunk1(U)
20 common TG:Eth-Trunk2(U)
100 common TG:GE0/0/20(U)

VID Status Property MAC-LRN Statistics Description
--------------------------------------------------------------------------------
10 enable default enable disable VLAN 0010
20 enable default enable disable VLAN 0020
100 enable default enable disable VLAN 0100
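Checking display vlan by eye is fine for three VLANs, but on a larger switch it is easy to miss a port that landed in the wrong VLAN, or in Tagged rather than Untagged mode, which is how a user port can end up carrying a VLAN it should never see. The following Python parser is an added example, not code from the Huawei document: it parses the VID/Type/Ports block of the two outputs above (copied here as constructed strings) and compares the result with the intended membership from the data plan. The expected-membership dictionary is my own encoding of that plan.

```python
import re

# Constructed copies of the two 'display vlan' outputs shown in this section.
ACC1_DISPLAY_VLAN = """\
The total number of VLANs is : 1
--------------------------------------------------------------------------------
U: Up;         D: Down;         TG: Tagged;         UT: Untagged;
MP: Vlan-mapping;               ST: Vlan-stacking;
#: ProtocolTransparent-vlan;    *: Management-vlan;
--------------------------------------------------------------------------------

VID  Type    Ports
--------------------------------------------------------------------------------
10   common  UT:Eth0/0/2(U)      Eth0/0/3(U)      Eth0/0/4(U)
             TG:Eth-Trunk1(U)

VID  Status  Property      MAC-LRN Statistics Description
--------------------------------------------------------------------------------
10   enable  default       enable  disable    VLAN 0010
"""

CORE_DISPLAY_VLAN = """\
The total number of VLANs is : 3
--------------------------------------------------------------------------------
U: Up;         D: Down;         TG: Tagged;         UT: Untagged;
MP: Vlan-mapping;               ST: Vlan-stacking;
#: ProtocolTransparent-vlan;    *: Management-vlan;
--------------------------------------------------------------------------------

VID  Type    Ports
--------------------------------------------------------------------------------
10   common  TG:Eth-Trunk1(U)
20   common  TG:Eth-Trunk2(U)
100  common  TG:GE0/0/20(U)

VID  Status  Property      MAC-LRN Statistics Description
--------------------------------------------------------------------------------
10   enable  default       enable  disable    VLAN 0010
20   enable  default       enable  disable    VLAN 0020
100  enable  default       enable  disable    VLAN 0100
"""

# Intended membership on ACC1 from the data plan (my own encoding): {vid: {"UT"|"TG": [ports]}}
ACC1_EXPECTED = {10: {"UT": ["Eth0/0/2", "Eth0/0/3", "Eth0/0/4"], "TG": ["Eth-Trunk1"]}}

# A port token looks like "UT:Eth0/0/2(U)", "Eth0/0/3(U)" or "TG:Eth-Trunk1(U)".
PORT_RE = re.compile(r"^(?:(UT|TG):)?(.+?)\(([UD])\)$")


def parse_display_vlan(text):
    """Parse the 'VID  Type  Ports' block into
    {vid: {"type": str, "UT": {port: "U"|"D"}, "TG": {port: "U"|"D"}}}.
    Port lists may wrap onto continuation lines; a UT:/TG: prefix switches mode."""
    vlans, in_ports, vid, mode = {}, False, None, None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("VID"):
            in_ports = "Ports" in s      # the second VID table (Status/Property) is skipped
            continue
        if not in_ports or not s or s.startswith("-"):
            continue
        tokens = s.split()
        if tokens[0].isdigit():          # a new VLAN row: "<vid> <type> <ports...>"
            vid = int(tokens[0])
            vlans[vid] = {"type": tokens[1], "UT": {}, "TG": {}}
            tokens, mode = tokens[2:], None
        for tok in tokens:
            m = PORT_RE.match(tok)
            if m is None or vid is None:
                continue
            if m.group(1):
                mode = m.group(1)
            if mode:
                vlans[vid][mode][m.group(2)] = m.group(3)
    return vlans


def check_membership(vlans, expected):
    """Compare parsed membership with the intended one; returns problems (empty = OK)."""
    problems = []
    for vid, modes in expected.items():
        if vid not in vlans:
            problems.append(f"VLAN {vid} missing")
            continue
        for mode, ports in modes.items():
            other = "TG" if mode == "UT" else "UT"
            for port in ports:
                status = vlans[vid][mode].get(port)
                if status is None and port in vlans[vid][other]:
                    problems.append(f"{port} is in VLAN {vid} as {other}, expected {mode}")
                elif status is None:
                    problems.append(f"{port} not in VLAN {vid}")
                elif status != "U":
                    problems.append(f"{port} in VLAN {vid} is down")
    return problems


if __name__ == "__main__":
    acc1 = parse_display_vlan(ACC1_DISPLAY_VLAN)
    print("ACC1 problems:", check_membership(acc1, ACC1_EXPECTED) or "none")
    print("CORE VLANs:", sorted(parse_display_vlan(CORE_DISPLAY_VLAN)))
```

The check distinguishes three situations a human reviewer would treat differently: a port absent from the VLAN, a port present but with the wrong tagging mode, and a port present but down, so that a script run after each change can say precisely what differs from the plan.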

3.2.2.3.4 Configuring DHCP


Configure the DHCP server on CORE to allocate IP addresses to user devices in
department A (VLAN 10) and department B (VLAN 20).

Department A is used in the example below.

NOTE

In this section, a global address pool is configured. You can also configure an interface-
based address pool. For details on this process, see the corresponding Configuration Guide
- IP Service based on the version of the device.

1. Create a global address pool, configure the egress gateway and lease (the
default lease, one day, is used, so no command is executed), and allocate
fixed IP address 10.10.10.254 to the printer with MAC address a-b-c.
<CORE> system-view
[CORE] dhcp enable
[CORE] ip pool 10
[CORE-ip-pool-10] network 10.10.10.0 mask 24 //Specify the address pool range that is used to
allocate IP addresses to users in department A.
[CORE-ip-pool-10] gateway-list 10.10.10.1 //Configure the gateway address for users in
department A.
[CORE-ip-pool-10] static-bind ip-address 10.10.10.254 mac-address a-b-c //Allocate fixed IP
address to the printer.
[CORE-ip-pool-10] quit

2. Configure the global address pool to allocate IP addresses to user devices in
department A.
[CORE] interface vlanif 10
[CORE-Vlanif10] dhcp select global //Configure the global address pool to allocate IP addresses
to users in department A.
[CORE-Vlanif10] quit

3. Run the display ip pool command to view configuration and usage
information. The example below shows the configuration of global address
pool 10.
[CORE] display ip pool name 10
Pool-name : 10
Pool-No : 0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 10.10.10.1
Network : 10.10.10.0
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.10.10.1 10.10.10.254 253 4 249(0) 0 0
-----------------------------------------------------------------------------

NOTE

After completing the DHCP server configuration, configure network adapters on
terminal PCs to automatically obtain IP addresses. The terminal PCs then can obtain IP
addresses from the DHCP server and access the Internet.

NOTE

After dynamic IP address allocation is configured, it takes a PC a long time to obtain
an IP address after it starts. The reason is that an STP-enabled switch recalculates the
spanning tree topology every time a PC connects to the switch. To solve this problem,
disable STP or configure the switch interface that connects to user devices as an edge
port. ACC1 is used in the example below.
# Disable STP
[ACC1] interface GigabitEthernet 0/0/1
[ACC1-GigabitEthernet0/0/1] stp disable //Alternatively, run the undo stp enable command.
[ACC1-GigabitEthernet0/0/1] quit

# Configure the switch interface that connects to user devices as an edge
port.
[ACC1] interface GigabitEthernet 0/0/1
[ACC1-GigabitEthernet0/0/1] stp edged-port enable
[ACC1-GigabitEthernet0/0/1] quit

After either of the preceding operations is performed, terminal PCs can rapidly
obtain IP addresses after they start.

3.2.2.3.5 Configuring Routing


1. Configure a default static route to the campus egress gateway on CORE so
that CORE forwards intranet traffic to the egress router.
[CORE] ip route-static 0.0.0.0 0 10.10.100.2

2. Run the display ip routing-table command on CORE to view the IP routing
table. A default static route whose next hop address is 10.10.100.2 exists,
indicating that the static route is successfully configured. The three direct
routes are automatically generated through link detection.
[CORE] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 5        Routes : 5

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        0.0.0.0/0   Static  60   0          RD   10.10.100.2     Vlanif100
     10.10.10.0/24  Direct  0    0           D   10.10.10.1      Vlanif10
     10.10.10.1/32  Direct  0    0           D   127.0.0.1       Vlanif10
     10.10.20.0/24  Direct  0    0           D   10.10.20.1      Vlanif20
     10.10.20.1/32  Direct  0    0           D   127.0.0.1       Vlanif20
    10.10.100.0/24  Direct  0    0           D   10.10.100.1     Vlanif100
    10.10.100.1/32  Direct  0    0           D   127.0.0.1       Vlanif100

3.2.2.3.6 Configuring the Egress Router


NOTE

Before configuring the egress router, prepare the following data:


● Public IP address: 1.1.1.2/30;
● Public gateway address: 1.1.1.1;
● DNS server address: 8.8.8.8.
The carrier provides these IP addresses after approving bandwidth service applications.
When configuring a network, use the actual IP addresses provided by the carrier.
1. Configure IP addresses for egress router interfaces connecting to the intranet
and Internet.
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 1.1.1.2 30
[Router] interface GigabitEthernet 1/0/0
[Router-GigabitEthernet1/0/0] ip address 10.10.100.2 24
2. Configure an ACL to allow users on some network segments to access the
Internet.
[Router] acl 2000
[Router-acl-basic-2000] rule permit source 10.10.10.0 0.0.0.255
[Router-acl-basic-2000] rule permit source 10.10.20.0 0.0.0.255
[Router-acl-basic-2000] rule permit source 10.10.100.0 0.0.0.255
3. Configure NAT on the interface connecting to the Internet so that intranet
users can access the Internet.
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] nat outbound 2000
4. Configure a specific route to the intranet and a default static route to the
Internet.
[Router] ip route-static 10.10.10.0 255.255.255.0 10.10.100.1
[Router] ip route-static 10.10.20.0 255.255.255.0 10.10.100.1
[Router] ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
5. Configure DNS resolution. The carrier provides the DNS server address.
[Router] dns resolve
[Router] dns server 8.8.8.8
[Router] dns proxy enable

3.2.2.3.7 Configuring DHCP Snooping and IPSG


User devices can automatically obtain IP addresses after DHCP is configured. If a
user connects a small router to the intranet and enables the DHCP server on the
router, authorized intranet users may obtain IP addresses allocated by the small
router and cannot access the Internet. To prevent this problem, configure DHCP
snooping.
Department A is used in the example below.


1. Enable DHCP snooping on ACC1.
<ACC1> system-view
[ACC1] dhcp enable //Enable DHCP.
[ACC1] dhcp snooping enable //Enable DHCP snooping.
2. Enable DHCP snooping on Eth-Trunk1 that connects to the DHCP server and
configure it as a trusted interface.
[ACC1] interface eth-trunk 1
[ACC1-Eth-Trunk1] dhcp snooping enable //Enable DHCP snooping.
[ACC1-Eth-Trunk1] dhcp snooping trusted //Configure Eth-Trunk1 as a trusted interface.
[ACC1-Eth-Trunk1] quit
3. Enable DHCP snooping on interfaces that connect to user devices.
[ACC1] interface ethernet 0/0/2 //Configure the interface connecting to PC1.
[ACC1-Ethernet0/0/2] dhcp snooping enable
[ACC1-Ethernet0/0/2] quit
[ACC1] interface ethernet 0/0/3 //Configure the interface connecting to PC2.
[ACC1-Ethernet0/0/3] dhcp snooping enable
[ACC1-Ethernet0/0/3] quit
[ACC1] interface ethernet 0/0/4 //Configure the interface connecting to printers.
[ACC1-Ethernet0/0/4] dhcp snooping enable
[ACC1-Ethernet0/0/4] quit
After the preceding configuration is complete, user devices in department A
can obtain IP addresses only from the authorized DHCP server, and will not
use IP addresses allocated by the small router.
To prevent users from changing IP addresses and attacking the intranet,
enable IPSG after enabling DHCP snooping on the access switch. ACC1 is used
in the example below.
4. On ACC1, enable IPSG in VLAN 10.
[ACC1] vlan 10
[ACC1-vlan10] ip source check user-bind enable //Enable IPSG.
[ACC1-vlan10] quit
ACC1 matches packets received from VLAN 10 with dynamic binding entries
in the DHCP snooping binding table. If a packet matches an entry, ACC1
forwards the packet; otherwise, ACC1 discards the packet. To check packets
received from a specified user device instead of all user devices in the VLAN,
enable IPSG on the interface connecting to the device.
NOTE

If static IP address allocation is configured, bind IP addresses and MAC addresses to
prevent users from changing IP addresses and attacking the network. For this
configuration procedure, see "Example for Configuring IPSG to Prevent Hosts with
Static IP Addresses from Changing Their Own IP Addresses" in the Typical
Configuration Examples.
For details about how to configure the switch to prevent users from
connecting a small router (bogus DHCP server) to the intranet and changing
IP addresses, see "Configuring Basic Functions of DHCP Snooping",
"Configuring IPSG", and configuration examples in the corresponding
Configuration Guide – Security based on the version of the device.
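The two checks that the DHCP snooping and IPSG configuration above places on ACC1 can be replayed in a small simulation. The following Python model is an added example, not Huawei's code: server replies (OFFER/ACK/NAK) are accepted only on the trusted Eth-Trunk1, bindings are learned from ACKs for clients seen on snooping-enabled user ports, and non-DHCP traffic in VLAN 10 is forwarded only when its MAC, IP, VLAN and inbound interface all match a binding entry. The MAC addresses and the packet sequence are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# DHCP message types that only a server sends (DHCP option 53).
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


@dataclass
class DhcpMsg:
    kind: str            # DISCOVER/REQUEST from clients, OFFER/ACK/NAK from servers
    client_mac: str      # chaddr
    yiaddr: str = ""     # address being assigned (server messages only)


@dataclass
class Packet:
    in_interface: str
    vlan: int
    src_mac: str
    src_ip: str = ""
    dhcp: Optional[DhcpMsg] = None   # None for ordinary IP traffic


@dataclass
class AccessSwitch:
    """Minimal model of DHCP snooping and IPSG on an access switch."""
    trusted: Set[str] = field(default_factory=set)      # dhcp snooping trusted
    snooping: Set[str] = field(default_factory=set)     # dhcp snooping enable (per interface)
    ipsg_vlans: Set[int] = field(default_factory=set)   # ip source check user-bind enable
    # Clients seen requesting, keyed by (mac, vlan) -> inbound interface
    pending: Dict[Tuple[str, int], str] = field(default_factory=dict)
    # DHCP snooping binding table: (mac, vlan) -> (ip, interface)
    bindings: Dict[Tuple[str, int], Tuple[str, str]] = field(default_factory=dict)

    def handle(self, pkt: Packet) -> str:
        """Return 'forward' or 'drop'; learn bindings from ACKs on trusted ports."""
        if pkt.dhcp is not None:
            return self._handle_dhcp(pkt, pkt.dhcp)
        # Non-DHCP traffic: apply IPSG only where it is enabled for the VLAN,
        # and never to traffic arriving on a trusted uplink.
        if pkt.vlan not in self.ipsg_vlans or pkt.in_interface in self.trusted:
            return "forward"
        entry = self.bindings.get((pkt.src_mac, pkt.vlan))
        # The packet must match the whole entry: MAC, IP, VLAN and inbound interface.
        if entry != (pkt.src_ip, pkt.in_interface):
            return "drop"
        return "forward"

    def _handle_dhcp(self, pkt: Packet, msg: DhcpMsg) -> str:
        key = (msg.client_mac, pkt.vlan)
        if msg.kind in SERVER_MESSAGES:
            # Server replies are accepted only on trusted interfaces; a reply
            # arriving on a user port comes from a bogus server and is dropped.
            if pkt.in_interface not in self.trusted:
                return "drop"
            if msg.kind == "ACK" and key in self.pending:
                self.bindings[key] = (msg.yiaddr, self.pending.pop(key))
            return "forward"
        # Client messages: remember which snooping-enabled port the client is on.
        if pkt.in_interface in self.snooping:
            self.pending[key] = pkt.in_interface
        return "forward"


def run_scenario() -> List[str]:
    """Replay a constructed sequence through ACC1 and return the decisions."""
    acc1 = AccessSwitch(
        trusted={"Eth-Trunk1"},
        snooping={"Eth-Trunk1", "Ethernet0/0/2", "Ethernet0/0/3", "Ethernet0/0/4"},
        ipsg_vlans={10},
    )
    pc1, other = "00e0-fc01-0001", "00e0-fc01-0002"   # constructed MAC addresses
    steps = [
        # 1. PC1 asks for an address on its user port.
        Packet("Ethernet0/0/2", 10, pc1, dhcp=DhcpMsg("REQUEST", pc1)),
        # 2. A small router on Ethernet0/0/3 answers: server reply on an untrusted port.
        Packet("Ethernet0/0/3", 10, other, dhcp=DhcpMsg("OFFER", pc1, "192.168.1.100")),
        # 3. The authorized server's ACK arrives over the trusted uplink.
        Packet("Eth-Trunk1", 10, "00e0-fc00-0099", dhcp=DhcpMsg("ACK", pc1, "10.10.10.100")),
        # 4. PC1 sends traffic with its leased address.
        Packet("Ethernet0/0/2", 10, pc1, "10.10.10.100"),
        # 5. PC1 changes its own address by hand.
        Packet("Ethernet0/0/2", 10, pc1, "10.10.10.200"),
        # 6. Another host uses PC1's address from a different port.
        Packet("Ethernet0/0/3", 10, other, "10.10.10.100"),
    ]
    return [acc1.handle(p) for p in steps]


if __name__ == "__main__":
    print(run_scenario())  # ['forward', 'drop', 'forward', 'forward', 'drop', 'drop']
```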

3.2.2.3.8 Verifying Services


1. Select two PCs within a department to perform ping tests and verify whether
Layer 2 interworking within the department is normal.
The following example uses two PCs (PC1 and PC2) in department A. The two
PCs communicate at Layer 2 through ACC1. If they can ping each other
successfully, Layer 2 interworking is normal.
<PC1> ping 10.10.10.100 //Assume that PC2 automatically obtains the IP address 10.10.10.100 through DHCP.
PING 10.10.10.100 data bytes, press CTRL_C to break
Reply from 10.10.10.100 : bytes=56 Sequence=1 ttl=253 time=62 ms
Reply from 10.10.10.100 : bytes=56 Sequence=2 ttl=253 time=16 ms
Reply from 10.10.10.100 : bytes=56 Sequence=3 ttl=253 time=62 ms
Reply from 10.10.10.100 : bytes=56 Sequence=4 ttl=253 time=94 ms
Reply from 10.10.10.100 : bytes=56 Sequence=5 ttl=253 time=63 ms

--- 10.10.10.100 ping statistics ---
5 packet(s) transmitted
5 packet(s) received //PC1 can ping PC2 successfully, indicating that Layer 2 interworking between PC1 and PC2 is normal.

2. Select one PC from each department to perform ping tests and verify whether
the two departments can communicate at Layer 3 through VLANIF interfaces.
Users in department A and department B communicate at Layer 3 through
VLANIF interfaces on CORE. If PC1 and PC3 can ping each other successfully,
users in the two departments can normally communicate at Layer 3 through
VLANIF interfaces. The ping command is similar to that in step 1.
3. Select one PC from each department to ping a public network address and
verify whether intranet users of the company can access the Internet
normally.
The following example uses department A. Generally, you can ping a public
network gateway address from PC1 to verify whether PC1 can access the
Internet. The public network gateway address is the IP address of the carrier
device to which the egress router connects. If the ping test succeeds, intranet
users can access the Internet normally. The ping command is similar to that in
step 1.

3.2.2.3.9 Saving the Configuration


You must save your data to the configuration file before restarting the switch.
Unsaved data configured via command lines will be lost after the switch restarts.
1. Save the data to the configuration file. The example below shows the
procedure of saving CORE's configuration file.
<CORE> save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Now saving the current configuration to the slot 0..
Save the configuration successfully.

3.2.3 Small- and Mid-Sized Campus Networks

3.2.3.1 Networking Diagram


NOTE

This section uses the S2750 as an access switch (ACC1), S5700 as a core switch (CORE), and
an AR series router as an egress router (Router) as examples to demonstrate the
configuration procedure for small- and mid-sized campus networks.


● On small- and mid-sized networks, S2700&S3700 switches are deployed at
the access layer, S5700&S6700 switches are deployed at the core layer, and an
AR series router works as the egress router.
● The core switches run VRRP to ensure reliability and load balance traffic to
effectively use resources.
● On an access switch, each department has a VLAN allocated so that services
are separated by VLANs. Configuring VLANIF interfaces on the core switches
implements Layer 3 communication between different departments.
● The core switches function as DHCP servers to allocate IP addresses to user
devices on the campus network.
● Configuring DHCP snooping on the access switches prevents intranet users
from connecting a small router to the intranet to allocate IP addresses.
Configuring IPSG on the access switches prevents intranet users from
changing IP addresses.

3.2.3.2 Data Plan


Before configuring the switches and router, prepare the following data for use in
the next section.

Action | Component | Data | Description
Configure the management IP address and Telnet | Management interface IP address | 10.10.1.1/24 | The management IP address is used to log in to the switch.
Configure the management IP address and Telnet | Management VLAN | VLAN 5 | A modular switch's management interface is Ethernet0/0/0. A fixed switch's management interface is MEth0/0/1. For switches without management interfaces, you are advised to use VLANIF interfaces for inband management.
Configure interfaces and VLANs | Port type | The Trunk port connects to a switch, and the Access port connects to a PC. | This configuration is for Trunk and Access port setup. If a Hybrid port setup is available on a switch, this port can connect to either a host or another switch.
Configure interfaces and VLANs | VLAN ID | ACC1: VLAN 10, 20; CORE1: VLAN 10, 20, 30, 40, 50, 100, 300 | VLAN1 is the default VLAN on the switch. To isolate departments A and B at Layer 2, add A to VLAN 10 and B to VLAN 20. CORE1 connects to the egress router through VLANIF100.
Configure DHCP | DHCP server | CORE1, CORE2 | Configure the DHCP server on CORE1 and CORE2.
Configure DHCP | Address pool | VLAN 10: IP address pool 10; VLAN 20: IP address pool 20 | Terminals in department A obtain IP addresses from IP address pool 10. Terminals in department B obtain IP addresses from IP address pool 20.
Configure DHCP | Address allocation | Based on a global address pool | N/A
Configure core switches | IP address | CORE1: VLANIF 100 172.16.1.1/24; VLANIF 300 172.16.3.1/24; VLANIF 10 192.168.10.1/24; VLANIF 20 192.168.20.1/24 | CORE1 connects to the campus egress router through VLANIF 100 and connects to CORE2 through VLANIF 300. Configure a primary route on CORE1 with the next hop pointing to the egress router and a backup route with the next hop pointing to CORE2. After configuring the IP addresses of VLANIF 10 and VLANIF 20 on CORE1, departments A and B can communicate through CORE1.
Configure core switches | Link aggregation | N/A | The link aggregation mode can be load balancing or static LACP.
Configure the egress router | Public interface IP address | GE0/0/0: 1.1.1.2/30 | GE0/0/0 is the public interface that connects the egress router to the Internet.
Configure the egress router | Public gateway | 1.1.1.1/30 | The public gateway address is the IP address of the carrier device that connects to the egress router. Configure a default route to this IP address on the egress router to forward intranet traffic to the Internet.
Configure the egress router | DNS server address | 8.8.8.8 | The DNS server resolves domain names into IP addresses.
Configure the egress router | Intranet interface IP address | GE0/0/1: 172.16.1.2/24; GE0/0/2: 172.16.2.2/24 | GE0/0/1 and GE0/0/2 connect the egress router to the intranet. They connect to CORE1 and CORE2, respectively.
Configure DHCP snooping and IPSG | Trusted interfaces | GE0/0/3, GE0/0/4 | After trusted interfaces are configured, user devices only receive DHCP packets from the trusted interfaces, preventing users from connecting a small router to the intranet to allocate IP addresses.
Configure intranet servers | FTP server; Web server | FTP server: 192.168.50.10; Web server: 192.168.50.20 | 1. The egress router uses NAT to translate between the public and private IP addresses of intranet servers. 2. External users can access the intranet servers using public IP addresses.

3.2.3.3 Quickly Configuring Small- and Mid-Sized Campus Networks


Follow the procedure shown below to configure the switches and router. Once
configurations are complete, user devices within the campus can communicate
with each other, and intranet users can access the Internet.

3.2.3.3.1 Logging In to the Switch


1. Connect your PC to the switch through the console cable provided with the
switch. If your PC does not have a serial port, use a USB to serial cable.

NOTE

If the switch has a Mini USB port, you can connect your PC to the switch using a Mini
USB cable. For this configuration procedure, see the corresponding Configuration
Guide - Basic Configuration based on the version of the device.
2. Open the terminal emulation program on your PC. Create a connection and
set the interface and communication parameters.


Select an available port on your PC. For example, if your PC runs a Windows
operating system, you can view port information in Device Manager and
select a port. Table 3-3 lists the communication parameters on the switch.

Table 3-3 Default settings of the console port on the switch


Parameter | Default Value
Transmission rate | 9600 bit/s
Flow control | No flow control
Parity | No parity check
Stop bits | 1
Data bits | 8

3. Press Connect until the following information is displayed. Enter your new
password, and then re-enter it to confirm.
Login authentication

Username:
Password:

NOTE

The default username and password are available in S Series Switches Default
Usernames and Passwords (Enterprise Network or Carrier). If you have not obtained
the access permission of the document, see Help on the website to find out how to
obtain it.
You can now run commands to configure the switch. Enter a question mark
(?) after a command whenever you need help.

3.2.3.3.2 Configuring the Management IP Address and Telnet


After configuring the management IP address of a switch, you can log in to the
switch using this address. CORE1 is used in the example below to show the
procedure of configuring the management IP address and Telnet.
1. Configure the management IP address.
<HUAWEI> system-view
[HUAWEI] vlan 5 //Create management VLAN 5.
[HUAWEI-VLAN5] management-vlan
[HUAWEI-VLAN5] quit
[HUAWEI] interface vlanif 5 //Create the VLANIF interface of the management VLAN.
[HUAWEI-vlanif5] ip address 10.10.1.1 24 //Configure an IP address for the VLANIF interface.
[HUAWEI-vlanif5] quit
2. Add the management interface to the management VLAN.
[HUAWEI] interface GigabitEthernet 0/0/8 //Assume that the interface connected to the NMS is
GigabitEthernet 0/0/8.
[HUAWEI-GigabitEthernet0/0/8] port link-type trunk
[HUAWEI-GigabitEthernet0/0/8] port trunk allow-pass vlan 5
[HUAWEI-GigabitEthernet0/0/8] quit
3. Configure Telnet.
[HUAWEI] telnet server enable //By default, the Telnet function is disabled.
[HUAWEI] telnet server-source -i vlanif 5 //In V200R020 and later versions, you must run this
command to configure the port for connecting to the server. Otherwise, Telnet is unavailable.


[HUAWEI] user-interface vty 0 4 //An administrator generally logs in to the switch through Telnet.
AAA authentication is recommended.
[HUAWEI-ui-vty0-4] protocol inbound telnet //V200R006 and earlier versions support Telnet.
V200R007 and later versions support SSH by default. If the switch runs V200R007 or a later version,
run this command before logging in to the switch using Telnet.
[HUAWEI-ui-vty0-4] authentication-mode aaa
[HUAWEI-ui-vty0-4] idle-timeout 15
[HUAWEI-ui-vty0-4] quit
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin password irreversible-cipher Helloworld@6789 //Configure the
user name and password for Telnet login. The user name is case-insensitive, whereas the password is
case-sensitive.
[HUAWEI-aaa] local-user admin privilege level 15 //Set the administrator account level to 15
(highest).
[HUAWEI-aaa] local-user admin service-type telnet
[HUAWEI-aaa] quit

NOTE

Use of STelnet V2 to log in to the switch is recommended because the Telnet protocol
has security risks. For this configuration procedure, see the corresponding
Configuration Guide - Basic Configuration based on the version of the device.
4. Log in to the switch from an operation terminal through Telnet. When the
user view prompt is displayed, you have successfully logged in.
C:\Documents and Settings\Administrator> telnet 10.10.1.1 //Enter the management IP address and
press Enter.

Login authentication

Username:admin //Enter the user name and password.
Password:
Info: The max number of VTY users is 5, and the number
of current VTY users on line is 1.
The current login time is 2014-05-06 18:33:18+00:00.
<HUAWEI> //User view prompt

3.2.3.3.3 Configuring Network Connectivity

Configure the access switch


1. Starting with access switch ACC1 as an example, create service VLANs 10 and
20 on ACC1.
<HUAWEI> system-view
[HUAWEI] sysname ACC1 //Set the switch name to ACC1.
[ACC1] vlan batch 10 20 //Create VLANs in a batch.
2. Configure GE0/0/3 and GE0/0/4, through which ACC1 connects to CORE1 and
CORE2 respectively, to allow the packets from the VLANs of departments A
and B to pass through.
[ACC1] interface GigabitEthernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type trunk //Set GE0/0/3 type to Trunk for VLAN
transparent transmission.
[ACC1-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20 //Configure GE0/0/3 to transparently
transmit the service VLANs on ACC1.
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface GigabitEthernet 0/0/4
[ACC1-GigabitEthernet0/0/4] port link-type trunk //Set GE0/0/4 type to Trunk for VLAN
transparent transmission.
[ACC1-GigabitEthernet0/0/4] port trunk allow-pass vlan 10 20 //Configure GE0/0/4 to transparently
transmit the service VLANs on ACC1.
[ACC1-GigabitEthernet0/0/4] quit
3. Configure the interfaces on ACC1 that connect user devices so that user
devices in different departments can be added to VLANs.
[ACC1] interface GigabitEthernet 0/0/1 //Configure the interface connecting to department A.
[ACC1-GigabitEthernet0/0/1] port link-type access


[ACC1-GigabitEthernet0/0/1] port default vlan 10
[ACC1-GigabitEthernet0/0/1] quit
[ACC1] interface GigabitEthernet 0/0/2 //Configure the interface connecting to department B.
[ACC1-GigabitEthernet0/0/2] port link-type access
[ACC1-GigabitEthernet0/0/2] port default vlan 20
[ACC1-GigabitEthernet0/0/2] quit

4. Configure the BPDU protection function to improve network stability.


[ACC1] stp bpdu-protection

NOTE

To add all users connected to ACC1 to VLAN 10, you can add interfaces on CORE1 and
CORE2 that directly connect to ACC1 as Access interfaces and do not add interfaces on
ACC1 to VLAN 10, simplifying the configuration. This configuration ensures that all
users connected to Eth-Trunk1 belong to VLAN 10.

Configure the aggregation/core switch (CORE1).


1. Create the VLANs for CORE1 to communicate with the access switches,
CORE2, and egress router.
<HUAWEI> system-view
[HUAWEI] sysname CORE1 //Set the switch name to CORE1.
[CORE1] vlan batch 10 20 30 40 50 100 300 //Create VLANs in a batch.

2. Configure user-side interfaces and VLANIF interfaces. Communication
between departments uses VLANIF interfaces. For example, CORE1 connects
to ACC1 through GE0/0/1. The configurations on other interfaces are not
mentioned here.
[CORE1] interface GigabitEthernet 0/0/1
[CORE1-GigabitEthernet0/0/1] port link-type trunk //Set the interface type to Trunk for VLAN
transparent transmission.
[CORE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20 //Configure GE0/0/1 to
transparently transmit service VLANs on ACC1.
[CORE1-GigabitEthernet0/0/1] quit
[CORE1] interface Vlanif 10 //Configure VLANIF 10 to allow department A to
communicate with department B through Layer 3.
[CORE1-Vlanif10] ip address 192.168.10.1 24
[CORE1-Vlanif10] quit
[CORE1] interface Vlanif 20 //Configure VLANIF 20 to allow department B to
communicate with department A through Layer 3.
[CORE1-Vlanif20] ip address 192.168.20.1 24
[CORE1-Vlanif20] quit

3. Configure interfaces connecting to the egress router and VLANIF interfaces.


[CORE1] interface GigabitEthernet 0/0/7
[CORE1-GigabitEthernet0/0/7] port link-type access //Set the access mode.
[CORE1-GigabitEthernet0/0/7] port default vlan 100
[CORE1-GigabitEthernet0/0/7] quit
[CORE1] interface Vlanif 100 //Configure a VLANIF interface to allow CORE1 to
communicate with the router at Layer 3.
[CORE1-Vlanif100] ip address 172.16.1.1 24
[CORE1-Vlanif100] quit

4. Configure interfaces that directly connect to CORE2 and configure a VLANIF
interface.
[CORE1] interface gigabitethernet 0/0/5
[CORE1-GigabitEthernet0/0/5] port link-type access //Set the access mode.
[CORE1-GigabitEthernet0/0/5] port default vlan 300
[CORE1-GigabitEthernet0/0/5] quit
[CORE1] interface Vlanif 300
[CORE1-Vlanif300] ip address 172.16.3.1 24
[CORE1-Vlanif300] quit


View the configuration results.


1. After configuring the interfaces and VLANs, run the following commands to
view the configuration results. For details about the command output, see the
corresponding Command Reference based on the version of the device.
Run the display vlan command to view VLAN configurations on ACC1.
[ACC1] display vlan
The total number of VLANs is : 2
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------

VID Type Ports


--------------------------------------------------------------------------------
10 common UT: GE0/0/1(U) TG:GE0/0/3(U) GE0/0/4(U)
20 common UT: GE0/0/2(U) TG:GE0/0/3(U) GE0/0/4(U) //ACC1's upstream and downstream
interfaces have been added to VLANs 10 and 20. The upstream interfaces transparently transmit all
service VLANs.

VID Status Property MAC-LRN Statistics Description


--------------------------------------------------------------------------------
10 enable default enable disable VLAN 0010
20 enable default enable disable VLAN 0020

Run the display vlan command to view VLAN configurations on CORE1.


[CORE1] display vlan
The total number of VLANs is : 7
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------

VID Type Ports


--------------------------------------------------------------------------------
10 common TG:GE0/0/1(U)
20 common TG:GE0/0/1(U)
30 common TG:GE0/0/2(U)
40 common TG:GE0/0/3(U)
50 common TG:GE0/0/4(U)
100 common TG:GE0/0/7(U)
300 common UT:GE0/0/5(U) //On CORE1, interfaces connecting to access
switches have been added to corresponding service VLANs.

VID Status Property MAC-LRN Statistics Description


--------------------------------------------------------------------------------
10 enable default enable disable VLAN 0010
20 enable default enable disable VLAN 0020
30 enable default enable disable VLAN 0030
40 enable default enable disable VLAN 0040
50 enable default enable disable VLAN 0050
100 enable default enable disable VLAN 0100
300 enable default enable disable VLAN 0300

Configure IP addresses for egress router interfaces.


1. Configure an IP address for the interface connecting to the intranet.
<HUAWEI> system-view
[HUAWEI] sysname Router //Set the device name to Router.
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] ip address 172.16.1.2 24 //Configure an IP address for the interface
connecting to CORE1.
[Router-GigabitEthernet0/0/1] quit
[Router] interface GigabitEthernet 0/0/2
[Router-GigabitEthernet0/0/2] ip address 172.16.2.2 24 //Configure an IP address for the interface
connecting to CORE2.
[Router-GigabitEthernet0/0/2] quit

2. Configure an IP address for the interface connecting to the Internet.


[Router] interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0] ip address 1.1.1.2 30 //Configure an IP address for the interface
connecting to the Internet.
[Router-GigabitEthernet0/0/0] quit

(Optional) Configure a static route.


If a dynamic routing protocol is configured, skip this step.

1. Configure a default static route to the egress router and a backup static route
on CORE1 and CORE2, respectively.
[CORE1] ip route-static 0.0.0.0 0.0.0.0 172.16.1.2 //Configure a default static route to the egress
router on CORE1.
[CORE1] ip route-static 0.0.0.0 0.0.0.0 172.16.3.2 preference 70 //Configure a backup static route
to CORE2 on CORE1.
[CORE2] ip route-static 0.0.0.0 0.0.0.0 172.16.2.2
[CORE2] ip route-static 0.0.0.0 0.0.0.0 172.16.3.1 preference 70

2. On the egress router, configure a default static route to the carrier device.
[Router] ip route-static 0.0.0.0 0.0.0.0 1.1.1.1

3. On the egress router, configure primary and backup routes. The next hop of
the primary route is CORE1 and that of the backup route is CORE2.
[Router] ip route-static 192.168.10.0 255.255.255.0 172.16.1.1
[Router] ip route-static 192.168.10.0 255.255.255.0 172.16.2.1 preference 70 //Configure a backup
route to department A with the next hop pointing to CORE2.
[Router] ip route-static 192.168.20.0 255.255.255.0 172.16.1.1
[Router] ip route-static 192.168.20.0 255.255.255.0 172.16.2.1 preference 70 //Configure a backup
route to department B with the next hop pointing to CORE2.

Configure VRRP to implement virtual gateway redundancy.


After VRRP is configured on CORE1 and CORE2, the access switches forward traffic
to CORE1. If CORE1 fails, a VRRP switchover occurs and CORE2 becomes the
master. The access switches then forward traffic to CORE2.

1. Create VRRP groups 1 and 2 on CORE1 and CORE2. Set the priority of CORE1
to 120 and set the preemption delay to 20s so that CORE1 functions as the
master in VLANs 10 and 20.
[CORE1] interface Vlanif 10
[CORE1-Vlanif10] vrrp vrid 1 virtual-ip 192.168.10.3 //Configure a virtual IP address for VRRP
group 1.
[CORE1-Vlanif10] vrrp vrid 1 priority 120 //Set the priority of CORE1 to 120.
[CORE1-Vlanif10] vrrp vrid 1 preempt-mode timer delay 20
[CORE1-Vlanif10] quit
[CORE1] interface Vlanif 20
[CORE1-Vlanif20] vrrp vrid 2 virtual-ip 192.168.20.3 //Configure a virtual IP address for VRRP
group 2.
[CORE1-Vlanif20] vrrp vrid 2 priority 120
[CORE1-Vlanif20] vrrp vrid 2 preempt-mode timer delay 20
[CORE1-Vlanif20] quit

2. CORE2 uses the default priority and functions as the backup in VLANs 10 and
20.
[CORE2] interface Vlanif 10
[CORE2-Vlanif10] vrrp vrid 1 virtual-ip 192.168.10.3
[CORE2-Vlanif10] quit
[CORE2] interface Vlanif 20
[CORE2-Vlanif20] vrrp vrid 2 virtual-ip 192.168.20.3
[CORE2-Vlanif20] quit


NOTE

A physical loop exists between CORE1, CORE2, and ACC1. The actual links do not form
a loop, but STP is enabled on the switches (Sx7 series) by default. To prevent the loop
from affecting the VRRP master and backup status on CORE1 and CORE2, disable STP
on the upstream interfaces of ACC1. The example below shows the configuration on ACC1.
[ACC1] interface GigabitEthernet 0/0/3
[ACC1-GigabitEthernet0/0/3] stp disable //Disable STP on the upstream interface GE0/0/3.
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface GigabitEthernet 0/0/4
[ACC1-GigabitEthernet0/0/4] stp disable
[ACC1-GigabitEthernet0/0/4] quit

If no loop exists on the network, you can also run the stp disable command
to disable STP on the access switch.
[ACC1] stp disable
Warning:The global STP state will be changed. Continue? [Y/N] y

Configure the egress router to allow intranet users to access the Internet.
1. Configure an ACL to allow users to access the Internet. The example below
allows users in VLANs 10 and 20 to access the Internet.
[Router] acl 2000
[Router-acl-basic-2000] rule permit source 192.168.10.0 0.0.0.255 //Allow users in VLAN 10 to
access the Internet.
[Router-acl-basic-2000] rule permit source 192.168.20.0 0.0.0.255 //Allow users in VLAN 20 to
access the Internet.
[Router-acl-basic-2000] rule permit source 172.16.1.0 0.0.0.255
[Router-acl-basic-2000] rule permit source 172.16.2.0 0.0.0.255
[Router-acl-basic-2000] quit

2. Configure NAT on the interface connecting to the Internet so that intranet
users can access the Internet.
[Router] interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0] nat outbound 2000
[Router-GigabitEthernet0/0/0] quit

3. Configure DNS resolution. The carrier provides the DNS server address.
[Router] dns resolve
[Router] dns server 8.8.8.8
[Router] dns proxy enable

4. After completing the preceding configuration, configure static IP addresses for
intranet users in VLAN 10 and set the gateway address to 192.168.10.3.
Intranet users then can access the Internet.
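Whether a source is translated by nat outbound 2000 depends on whether the basic ACL permits it, and a basic ACL rule compares only the bits whose wildcard-mask bit is 0. The following Python matcher is an added example (not Huawei's code) covering both ACL 2000 definitions on this page; it parses rules in the form shown above, applies first-match semantics in configuration order, and assumes that only permitted sources are translated while denied or unmatched sources leave the interface untranslated.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class BasicRule:
    action: str     # "permit" or "deny"
    source: int     # source address as a 32-bit integer
    wildcard: int   # wildcard mask: a 1 bit means "do not compare this bit"

    def matches(self, ip: int) -> bool:
        care = ~self.wildcard & 0xFFFFFFFF
        return (ip & care) == (self.source & care)


def parse_rule(line: str) -> BasicRule:
    """Parse a basic ACL rule in the form used on the page, e.g.
    'rule permit source 192.168.10.0 0.0.0.255' (a leading rule ID is optional)."""
    parts = line.strip().split()
    if not parts or parts[0] != "rule":
        raise ValueError(f"not a rule: {line!r}")
    parts = parts[1:]
    if parts and parts[0].isdigit():      # optional rule ID
        parts = parts[1:]
    if len(parts) < 3 or parts[0] not in ("permit", "deny") or parts[1] != "source":
        raise ValueError(f"unsupported rule: {line!r}")
    action = parts[0]
    if parts[2] == "any":
        return BasicRule(action, 0, 0xFFFFFFFF)
    source = int(ipaddress.IPv4Address(parts[2]))
    # A missing wildcard is treated as a single host (wildcard 0).
    wildcard = int(ipaddress.IPv4Address(parts[3])) if len(parts) > 3 else 0
    return BasicRule(action, source, wildcard)


def acl_lookup(rules: List[BasicRule], ip: str) -> Optional[str]:
    """First matching rule decides; None when no rule matches."""
    addr = int(ipaddress.IPv4Address(ip))
    for rule in rules:
        if rule.matches(addr):
            return rule.action
    return None


def nat_outbound(rules: List[BasicRule], src_ip: str) -> str:
    """Decision for a packet leaving the NAT interface. Assumption used here:
    only sources permitted by the ACL are translated; denied and unmatched
    sources leave the interface untranslated."""
    return "translate" if acl_lookup(rules, src_ip) == "permit" else "untranslated"


def audit(rules: List[BasicRule], hosts: List[str]) -> Dict[str, str]:
    """Map each candidate source address to its NAT decision."""
    return {h: nat_outbound(rules, h) for h in hosts}


# ACL 2000 from the small- and mid-sized campus example above.
ACL_2000 = [parse_rule(line) for line in """
rule permit source 192.168.10.0 0.0.0.255
rule permit source 192.168.20.0 0.0.0.255
rule permit source 172.16.1.0 0.0.0.255
rule permit source 172.16.2.0 0.0.0.255
""".strip().splitlines()]


if __name__ == "__main__":
    # 192.168.50.10 (FTP server) and 172.16.3.1 (CORE1-CORE2 link) are not in the ACL.
    for host, decision in audit(ACL_2000, ["192.168.10.55", "192.168.50.10", "172.16.3.1"]).items():
        print(f"{host}: {decision}")
```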

3.2.3.3.4 Configuring DHCP

Configure the DHCP server.


The administrator configures fixed IP addresses for user devices so that users can
access the Internet. As the network expands, it is difficult for the administrator to
manually configure a large number of IP addresses and manage them. In addition,
if a user changes the configured IP address, an IP address conflict occurs and the
related users cannot access the Internet. Therefore, the administrator decides to
configure fixed IP addresses for several user devices, and configure the other user
devices to automatically obtain IP addresses from the DHCP server.

Configure the DHCP server on CORE1 and CORE2 to dynamically allocate IP
addresses to user devices in all departments. CORE1 functions as the active DHCP
server. Department A is used in the example below.


NOTE

● In this section, a global address pool is configured. You can also configure an interface-based address pool. For details on this process, see the corresponding Configuration Guide - IP Service based on the version of the device.
● To prevent IP address conflicts caused by an active/standby switchover in VRRP networking, configure the active DHCP server to allocate the first half of all IP addresses in the address pool and the standby DHCP server to allocate the second half.
1. Configure CORE1 as the active DHCP server to allocate IP addresses ranging from 192.168.10.1 to 192.168.10.127.
<CORE1> system-view
[CORE1] dhcp enable
[CORE1] ip pool 10
[CORE1-ip-pool-10] gateway-list 192.168.10.3 //Configure the gateway address.
[CORE1-ip-pool-10] network 192.168.10.0 mask 24 //Configure the range of allocable IP addresses.
[CORE1-ip-pool-10] excluded-ip-address 192.168.10.128 192.168.10.254 //Exclude IP addresses ranging from 192.168.10.128 to 192.168.10.254.
[CORE1-ip-pool-10] lease day 0 hour 20 minute 0 //Configure the IP address lease.
[CORE1-ip-pool-10] dns-list 8.8.8.8 //Configure the DNS server address.
[CORE1-ip-pool-10] quit
2. Configure CORE2 as the standby DHCP server to allocate the second half of
all IP addresses in the address pool.
<CORE2> system-view
[CORE2] dhcp enable
[CORE2] ip pool 10
[CORE2-ip-pool-10] gateway-list 192.168.10.3
[CORE2-ip-pool-10] network 192.168.10.0 mask 24
[CORE2-ip-pool-10] excluded-ip-address 192.168.10.1 192.168.10.2
[CORE2-ip-pool-10] excluded-ip-address 192.168.10.4 192.168.10.127
[CORE2-ip-pool-10] lease day 0 hour 20 minute 0
[CORE2-ip-pool-10] dns-list 8.8.8.8
[CORE2-ip-pool-10] quit
The procedure of configuring dynamic IP address allocation in VLAN 20 is
similar to the preceding configuration procedure.
3. Configure users in department A to obtain IP addresses from the global
address pool.
[CORE1] interface vlanif 10
[CORE1-Vlanif10] dhcp select global //Configure users in department A to obtain IP addresses from the global address pool.
[CORE1-Vlanif10] quit
[CORE2] interface vlanif 10
[CORE2-Vlanif10] dhcp select global
[CORE2-Vlanif10] quit
4. Run the display ip pool command to view the configuration and IP address
allocation in the global address pool 10.
[CORE1] display ip pool name 10
Pool-name : 10
Pool-No :0
Lease : 0 Days 20 Hours 0 Minutes
Domain-name : -
DNS-server0 : 8.8.8.8
NBNS-server0 : -
Netbios-type : -
Position : Local Status : Unlocked
Gateway-0 : 192.168.10.3
Network : 192.168.10.0
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
192.168.10.1 192.168.10.254 253 1 125(0) 0 127
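The split between the active and standby halves of the pool is easy to get wrong, and an overlap only shows up as address conflicts after a VRRP switchover. The following Python script is an added example, not Huawei code: it models pool 10 with the exact gateway-list and excluded-ip-address values configured on CORE1 and CORE2 above, checks that the two halves neither overlap nor leave a gap, and reproduces the Total and Disable counts shown by display ip pool name 10.

```python
import ipaddress

# Added example (not Huawei code): models the global address pool 10 that CORE1 and
# CORE2 share and reproduces the address accounting that "display ip pool name 10"
# reports. All addresses and ranges are the ones configured on the page.


def pool_addresses(network, gateway, excluded):
    """Return (allocatable, disabled) address sets for one server's view of a pool.

    network  -- pool network in CIDR form, e.g. "192.168.10.0/24"
    gateway  -- gateway-list address; never leased, so it is outside both sets
    excluded -- excluded-ip-address ranges as (start, end) strings, inclusive
    """
    net = ipaddress.ip_network(network)
    gw = ipaddress.ip_address(gateway)
    usable = {a for a in net.hosts() if a != gw}      # 253 addresses for a /24
    disabled = set()
    for start, end in excluded:
        lo, hi = int(ipaddress.ip_address(start)), int(ipaddress.ip_address(end))
        disabled |= {ipaddress.ip_address(i) for i in range(lo, hi + 1)} & usable
    return usable - disabled, disabled


def check_split(network, gateway, active_excluded, standby_excluded):
    """Check that the active and standby halves neither overlap nor leave a gap.

    An overlap is the failure mode the NOTE above warns about: after a VRRP
    switchover both servers could lease the same address and cause a conflict.
    """
    active_alloc, active_disabled = pool_addresses(network, gateway, active_excluded)
    standby_alloc, _ = pool_addresses(network, gateway, standby_excluded)
    everything, _ = pool_addresses(network, gateway, [])
    return {
        "total": len(everything),                    # "Total" column of display ip pool
        "active_allocatable": len(active_alloc),     # Used + Idle on CORE1
        "active_disabled": len(active_disabled),     # "Disable" column on CORE1
        "standby_allocatable": len(standby_alloc),
        "overlap": [str(a) for a in sorted(active_alloc & standby_alloc)],
        "gap": [str(a) for a in sorted(everything - active_alloc - standby_alloc)],
    }


if __name__ == "__main__":
    # CORE1 (active) and CORE2 (standby) exclusions exactly as configured above.
    print(check_split("192.168.10.0/24", "192.168.10.3",
                      [("192.168.10.128", "192.168.10.254")],
                      [("192.168.10.1", "192.168.10.2"), ("192.168.10.4", "192.168.10.127")]))
```

With the page's values the script reports total 253, 127 disabled and 126 allocatable on CORE1 (the 1 Used + 125 Idle in the display output), 127 allocatable on CORE2, and empty overlap and gap lists. Dropping the excluded-ip-address 192.168.10.1 192.168.10.2 line from CORE2 makes those two addresses appear in the overlap list, which is exactly the conflict the note describes.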


NOTE

After completing the DHCP server configuration, configure network adapters on terminal PCs to automatically obtain IP addresses. The terminal PCs then can obtain IP addresses from the DHCP server and access the Internet.

NOTE

After dynamic IP address allocation is configured, it takes a PC a long time to obtain an IP address after it starts. The reason is that an STP-enabled switch recalculates the spanning tree topology every time a PC connects to the switch. To solve this problem, disable STP or configure the switch interface that connects to user devices as an edge port. ACC1 is used in the example below.
# Disable STP.
[ACC1] interface GigabitEthernet 0/0/1
[ACC1-GigabitEthernet0/0/1] stp disable //Alternatively, run the undo stp enable command.
[ACC1-GigabitEthernet0/0/1] quit

# Configure the switch interface that connects to user devices as an edge port.
[ACC1] interface GigabitEthernet 0/0/1
[ACC1-GigabitEthernet0/0/1] stp edged-port enable
[ACC1-GigabitEthernet0/0/1] quit

After either of the preceding operations is performed, terminal PCs can rapidly
obtain IP addresses after they start.

Configure DHCP snooping and IPSG.

User devices can automatically obtain IP addresses after DHCP is configured. If a user connects a small router to the intranet and enables the DHCP server on the router, authorized intranet users may obtain IP addresses allocated by the small router and cannot access the Internet. To prevent this problem, configure DHCP snooping.

Department A is used in the example below.

1. Enable DHCP snooping on ACC1.
<ACC1> system-view
[ACC1] dhcp enable //Enable DHCP.
[ACC1] dhcp snooping enable //Enable DHCP snooping.

2. Configure DHCP snooping on interfaces connecting to user devices.
[ACC1] interface GigabitEthernet 0/0/1 //Configure the interface connecting to user devices in department A.
[ACC1-GigabitEthernet0/0/1] dhcp snooping enable
[ACC1-GigabitEthernet0/0/1] quit
[ACC1] interface GigabitEthernet 0/0/2 //Configure the interface connecting to user devices in department B.
[ACC1-GigabitEthernet0/0/2] dhcp snooping enable
[ACC1-GigabitEthernet0/0/2] quit

3. Enable DHCP snooping on interfaces connecting to DHCP servers and configure the interfaces as trusted interfaces.
[ACC1] interface GigabitEthernet 0/0/3 //Configure the interface connecting to CORE1.
[ACC1-GigabitEthernet0/0/3] dhcp snooping enable //Enable DHCP snooping.
[ACC1-GigabitEthernet0/0/3] dhcp snooping trusted //Configure the interface as a trusted interface.
[ACC1-GigabitEthernet0/0/3] quit
[ACC1] interface GigabitEthernet 0/0/4 //Configure the interface connecting to CORE2.
[ACC1-GigabitEthernet0/0/4] dhcp snooping enable
[ACC1-GigabitEthernet0/0/4] dhcp snooping trusted
[ACC1-GigabitEthernet0/0/4] quit


After the preceding configuration is complete, user devices in department A can obtain IP addresses from only the authorized DHCP server, and will not use IP addresses allocated by the small router.
To prevent users from changing IP addresses and attacking the intranet, enable IPSG after enabling DHCP snooping on the access switch. ACC1 is used in the example below.
4. On ACC1, enable IPSG in VLAN 10.
[ACC1] vlan 10
[ACC1-vlan10] ip source check user-bind enable //Enable IPSG.
[ACC1-vlan10] quit

ACC1 matches packets received from VLAN 10 with dynamic binding entries
in the DHCP snooping binding table. If a packet matches an entry, ACC1
forwards the packet; otherwise, ACC1 discards the packet. To check packets
received from a specified user device instead of all user devices in the VLAN,
enable IPSG on the interface connecting to the device.
NOTE

If static IP address allocation is configured, bind IP addresses and MAC addresses to prevent users from changing IP addresses and attacking the network. For this configuration procedure, see "Example for Configuring IPSG to Prevent Hosts with Static IP Addresses from Changing Their Own IP Addresses" in the Typical Configuration Examples.
For details about how to configure the switch to prevent users from connecting a small router (bogus DHCP server) to the intranet and changing IP addresses, see "Configuring Basic Functions of DHCP Snooping", "Configuring IPSG", and configuration examples in the corresponding Configuration Guide – Security based on the version of the device.
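To make the behaviour of the trusted ports and the IPSG binding check concrete, the following Python model is an added example that is not switch code. It uses the port roles configured on ACC1 above (GE0/0/1 and GE0/0/2 face users and stay untrusted; GE0/0/3 and GE0/0/4 face CORE1 and CORE2 and are trusted). The PC MAC address, the lease 192.168.10.10 and the small router's 10.0.0.5 offer are constructed sample values.

```python
# Added example (not switch code): a model of what ACC1 does with the DHCP snooping
# and IPSG configuration above. Port roles follow the page; the MAC address, the
# lease and the "small router" offer are constructed values.

TRUSTED_PORTS = {"GE0/0/3", "GE0/0/4"}


class SnoopingSwitch:
    def __init__(self):
        self.pending = {}      # client MAC -> (vlan, port) of its last DISCOVER/REQUEST
        self.bindings = set()  # DHCP snooping binding table: (ip, mac, vlan, port)
        self.dropped = []      # audit trail of what was discarded and why

    def on_dhcp(self, msg):
        """Handle one DHCP message; returns 'forward', 'drop' or 'bind'."""
        # Server replies are accepted only from trusted ports: an OFFER/ACK arriving
        # on a user port comes from a bogus DHCP server and is dropped.
        if msg["type"] in ("OFFER", "ACK") and msg["port"] not in TRUSTED_PORTS:
            self.dropped.append(("bogus-dhcp-server", msg["port"]))
            return "drop"
        if msg["type"] in ("DISCOVER", "REQUEST"):
            self.pending[msg["chaddr"]] = (msg["vlan"], msg["port"])
            return "forward"
        if msg["type"] == "ACK" and msg["chaddr"] in self.pending:
            vlan, port = self.pending.pop(msg["chaddr"])
            self.bindings.add((msg["yiaddr"], msg["chaddr"], vlan, port))
            return "bind"
        return "forward"

    def on_ip_packet(self, pkt):
        """IPSG: forward only if (ip, mac, vlan, port) matches a binding entry."""
        key = (pkt["src_ip"], pkt["src_mac"], pkt["vlan"], pkt["port"])
        if key in self.bindings:
            return "forward"
        self.dropped.append(("ipsg", key))
        return "drop"


def run_demo():
    """Replay a constructed sequence: a rogue OFFER, a legitimate lease, then IPSG checks."""
    sw = SnoopingSwitch()
    pc = "00aa-0000-0001"          # constructed MAC of a user PC in department A
    r = {}
    r["discover"] = sw.on_dhcp({"type": "DISCOVER", "chaddr": pc, "vlan": 10, "port": "GE0/0/1"})
    # A small router on another user port answers first: untrusted, so dropped.
    r["rogue_offer"] = sw.on_dhcp({"type": "OFFER", "chaddr": pc, "yiaddr": "10.0.0.5",
                                   "vlan": 10, "port": "GE0/0/2"})
    # CORE1 answers over the trusted uplink.
    r["offer"] = sw.on_dhcp({"type": "OFFER", "chaddr": pc, "yiaddr": "192.168.10.10",
                             "vlan": 10, "port": "GE0/0/3"})
    r["request"] = sw.on_dhcp({"type": "REQUEST", "chaddr": pc, "vlan": 10, "port": "GE0/0/1"})
    r["ack"] = sw.on_dhcp({"type": "ACK", "chaddr": pc, "yiaddr": "192.168.10.10",
                           "vlan": 10, "port": "GE0/0/3"})
    # IPSG: traffic with the leased address passes; a manually changed address does not.
    r["good_pkt"] = sw.on_ip_packet({"src_ip": "192.168.10.10", "src_mac": pc,
                                     "vlan": 10, "port": "GE0/0/1"})
    r["spoofed_pkt"] = sw.on_ip_packet({"src_ip": "192.168.10.99", "src_mac": pc,
                                        "vlan": 10, "port": "GE0/0/1"})
    r["bindings"] = sorted(sw.bindings)
    r["dropped"] = list(sw.dropped)
    return r


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The two drops in the audit trail are the two protections the section configures: the first is DHCP snooping discarding the server reply from the untrusted port, the second is IPSG discarding a packet whose source address does not match the binding learned from the real lease.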

3.2.3.3.5 Configuring OSPF

NOTE

Devices on the intranet use static routes. If a link fails, the administrator needs to manually
configure a new static route, interrupting network services for a long time. Configuring a
dynamic routing protocol prevents this problem. If a link fails, the dynamic routing protocol
switches traffic forwarded through the faulty link to a normal link based on an algorithm.
After the faulty link recovers, the routing protocol switches traffic back to the link. OSPF
configuration is used in the example below.

1. Delete all static routes on CORE1 and CORE2.
[CORE1] undo ip route-static all
[CORE2] undo ip route-static all

2. On the egress router, delete the static route to the intranet and retain the
static route to the Internet.
[Router] undo ip route-static 192.168.10.0 24
[Router] undo ip route-static 192.168.20.0 24

3. Configure OSPF on CORE1.
[CORE1] ospf 100 router-id 2.2.2.2
[CORE1-ospf-100] area 0
[CORE1-ospf-100-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[CORE1-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORE1-ospf-100-area-0.0.0.0] network 192.168.10.0 0.0.0.255
[CORE1-ospf-100-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[CORE1-ospf-100-area-0.0.0.0] quit
[CORE1-ospf-100] quit

4. Configure OSPF on CORE2.
[CORE2] ospf 100 router-id 3.3.3.3
[CORE2-ospf-100] area 0
[CORE2-ospf-100-area-0.0.0.0] network 172.16.2.0 0.0.0.255
[CORE2-ospf-100-area-0.0.0.0] network 172.16.3.0 0.0.0.255
[CORE2-ospf-100-area-0.0.0.0] network 192.168.10.0 0.0.0.255
[CORE2-ospf-100-area-0.0.0.0] network 192.168.20.0 0.0.0.255
[CORE2-ospf-100-area-0.0.0.0] quit
[CORE2-ospf-100] quit
5. Configure OSPF on the egress router. To connect the intranet to the Internet,
configure a default static route to the Internet. Advertise the default route in
the OSPF area, and configure a default static route to the carrier device.
[Router] ospf 100 router-id 1.1.1.1
[Router-ospf-100] default-route-advertise always
[Router-ospf-100] area 0
[Router-ospf-100-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[Router-ospf-100-area-0.0.0.0] network 172.16.2.0 0.0.0.255
[Router-ospf-100-area-0.0.0.0] quit
[Router-ospf-100] quit
[Router] ip route-static 0.0.0.0 0.0.0.0 1.1.1.1
For details on OSPF configuration and commands, see "OSPF Configuration"
and configuration examples in the corresponding Configuration Guide - IP
Unicast Routing based on the version of the device.

3.2.3.3.6 Configuring Reliability and Load Balancing

Configure association between VRRP and the interface status to monitor links

NOTE

If the link from CORE1 to the egress router fails, traffic is forwarded over the
interconnection link between CORE1 and CORE2 to CORE2, increasing traffic load and
imposing high stability and bandwidth requirements on the link. You can configure
association between VRRP and the interface status to implement fast active/standby
switchover upon an uplink or downlink failure. If you configure this function on the
upstream interface of the master in the VRRP group, the master lowers its priority to
implement an active/standby switchover when it detects that the upstream interface goes
Down.

# Configure association between VRRP and the status of the upstream interface
on CORE1 to monitor the uplink.
[CORE1] interface Vlanif 10
[CORE1-Vlanif10] vrrp vrid 1 track interface GigabitEthernet 0/0/7 reduced 100 //Configure association between VRRP and the upstream interface status.
[CORE1-Vlanif10] quit
[CORE1] interface Vlanif 20
[CORE1-Vlanif20] vrrp vrid 2 track interface GigabitEthernet 0/0/7 reduced 100
[CORE1-Vlanif20] quit

Configure load balancing

NOTE

As service traffic increases, the link between CORE1 and the egress router has high bandwidth utilization, whereas the link between CORE2 and the egress router is idle, wasting resources and lowering reliability. To effectively use the two links, you can configure load balancing on CORE1 and CORE2 so that CORE1 functions as the master in some VLANs while CORE2 functions as the master in the other VLANs. The two links then load balance traffic from all VLANs, effectively using network resources. Configure CORE1 to still function as the master in VLAN 10, and change the priority of CORE2 so that CORE2 functions as the master in VLAN 20.


1. Delete the VRRP priority and preemption delay configuration on VLANIF 20 of CORE1.
[CORE1] interface Vlanif 20
[CORE1-Vlanif20] undo vrrp vrid 2 preempt-mode timer delay
[CORE1-Vlanif20] undo vrrp vrid 2 priority
[CORE1-Vlanif20] quit

2. Configure CORE2 as the master in VLAN 20 and set the preemption delay to
20s.
[CORE2] interface Vlanif 20
[CORE2-Vlanif20] vrrp vrid 2 priority 120
[CORE2-Vlanif20] vrrp vrid 2 preempt-mode timer delay 20

3. Configure association between VRRP and the status of the upstream interface
on CORE2 to monitor the uplink.
[CORE2-Vlanif20] vrrp vrid 2 track interface GigabitEthernet 0/0/7 reduced 100
[CORE2-Vlanif20] quit
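The interplay between the priorities and the track interface ... reduced 100 settings decides which core switch owns each gateway after a failure. The following Python script is an added example, not VRP code, that computes the master per VLAN from the configuration above. It assumes values this section does not state: CORE1 keeps priority 120 in VLAN 10 from the earlier VRRP setup, the VRRP default priority is 100, a reduced priority never drops below 1, ties go to the higher interface IP address, and the VLANIF addresses (.1 on CORE1 and .2 on CORE2, consistent with the addresses the standby DHCP pool excludes) are constructed.

```python
# Added example (not VRP code): computes which core switch is master in each VLAN
# under the VRRP priorities and "track interface GigabitEthernet 0/0/7 reduced 100"
# settings configured above. Assumptions: CORE1 keeps priority 120 in VLAN 10, the
# default priority is 100, a reduced priority floors at 1, ties go to the higher IP,
# and the VLANIF addresses are constructed.

DEFAULT_PRIORITY = 100
UPLINK = "GigabitEthernet0/0/7"


def effective_priority(base, tracks, iface_state):
    """Apply every 'track interface X reduced N' whose interface is currently down."""
    prio = base
    for iface, reduced in tracks:
        if iface_state.get(iface, "up") == "down":
            prio -= reduced
    return max(prio, 1)


def elect_master(group, device_iface_state):
    """group: {device: {"priority", "ip", "tracks"}}; returns the master's name."""
    def rank(item):
        name, cfg = item
        eff = effective_priority(cfg["priority"], cfg["tracks"],
                                 device_iface_state.get(name, {}))
        return (eff, tuple(int(o) for o in cfg["ip"].split(".")))
    return max(group.items(), key=rank)[0]


# VRRP groups as they stand after the load balancing change above: CORE1 is master
# in VLAN 10, CORE2 (priority 120) is master in VLAN 20, and both track the uplink
# where the page configures it.
VRRP_GROUPS = {
    10: {"CORE1": {"priority": 120, "ip": "192.168.10.1", "tracks": [(UPLINK, 100)]},
         "CORE2": {"priority": DEFAULT_PRIORITY, "ip": "192.168.10.2", "tracks": []}},
    20: {"CORE1": {"priority": DEFAULT_PRIORITY, "ip": "192.168.20.1", "tracks": [(UPLINK, 100)]},
         "CORE2": {"priority": 120, "ip": "192.168.20.2", "tracks": [(UPLINK, 100)]}},
}


def masters(device_iface_state=None):
    """Return {vlan: master} for a {device: {interface: 'up'|'down'}} state."""
    state = device_iface_state or {}
    return {vlan: elect_master(grp, state) for vlan, grp in VRRP_GROUPS.items()}


if __name__ == "__main__":
    print("all links up:      ", masters())
    print("CORE1 uplink down: ", masters({"CORE1": {UPLINK: "down"}}))
    print("CORE2 uplink down: ", masters({"CORE2": {UPLINK: "down"}}))
```

With all links up the script returns CORE1 for VLAN 10 and CORE2 for VLAN 20. When CORE1's GE0/0/7 goes down its priority drops to 20 in VLAN 10 and to 1 in VLAN 20, so CORE2 becomes master in both VLANs; when CORE2's uplink goes down the roles reverse, which is the fast switchover the note above describes.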

3.2.3.3.7 Configuring Link Aggregation

If the uplink of CORE1 or CORE2 fails, traffic passes through the link between CORE1 and CORE2. However, the bandwidth of the link may be insufficient, causing packet loss. You can bind multiple physical links into a logical link to increase the bandwidth and improve the link reliability. CORE1 is used in the example below.

1. Restore the default configuration on an interface. Skip this step if the interface uses the default configuration. The example below shows the procedure of restoring the default configuration on an interface.
[CORE1] interface GigabitEthernet 0/0/5
[CORE1-GigabitEthernet0/0/5] dis this
#
interface GigabitEthernet0/0/5
port link-type access
port default vlan 300
#
return
[CORE1-GigabitEthernet0/0/5] undo port default vlan
[CORE1-GigabitEthernet0/0/5] undo port link-type

2. In V200R005 and later versions, you can run the clear configuration this command to restore the default configuration on an interface. The interface will be shut down after the default configuration is restored. Run the undo shutdown command to enable the interface.
[CORE1-GigabitEthernet0/0/5] clear configuration this
Warning: All configurations of the interface will be cleared, and its state will be shutdown. Continue? [Y/N] :y
Info:Total 2 command(s) executed, 2 successful, 0 failed.
[CORE1-GigabitEthernet0/0/5] undo shutdown
[CORE1-GigabitEthernet0/0/5] quit

3. Configure link aggregation.
Method 1: Configure link aggregation in load balancing mode.
[CORE1] interface Eth-Trunk 1
[CORE1-Eth-Trunk1] trunkport GigabitEthernet 0/0/5 to 0/0/6
[CORE1-Eth-Trunk1] port link-type access
[CORE1-Eth-Trunk1] port default vlan 300
[CORE1-Eth-Trunk1] quit

Method 2: Configure link aggregation in LACP mode.
[CORE1] interface Eth-Trunk 1
[CORE1-Eth-Trunk1] mode lacp
[CORE1-Eth-Trunk1] trunkport GigabitEthernet 0/0/5 to 0/0/6
[CORE1-Eth-Trunk1] port link-type access
[CORE1-Eth-Trunk1] port default vlan 300
[CORE1-Eth-Trunk1] quit

# Set the system priority of CORE1 to 100 so that CORE1 becomes the Actor.
[CORE1] lacp priority 100

# On CORE1, set the maximum number of active interfaces to 2.
[CORE1] interface Eth-Trunk 1
[CORE1-Eth-Trunk1] max active-linknumber 2
[CORE1-Eth-Trunk1] quit

# On CORE1, set interface priorities to determine active links. (Configure GE0/0/5 and GE0/0/6 as active interfaces.)
[CORE1] interface GigabitEthernet 0/0/5
[CORE1-GigabitEthernet0/0/5] lacp priority 100
[CORE1-GigabitEthernet0/0/5] quit
[CORE1] interface GigabitEthernet 0/0/6
[CORE1-GigabitEthernet0/0/6] lacp priority 100
[CORE1-GigabitEthernet0/0/6] quit

The configuration of CORE2 is similar to that of CORE1. The difference is that CORE2 uses the default system priority.
For details on link aggregation configuration and commands, see "Link Aggregation Configuration" and configuration examples in the corresponding Configuration Guide - Ethernet Switching based on the version of the device.

3.2.3.3.8 Configuring Rate Limiting

Configure rate limiting based on the IP address

Configuring IP address-based rate limiting on the switch is complicated and consumes a lot of hardware ACL resources. Therefore, you can configure IP address-based rate limiting on the egress router's physical interfaces connecting to the core switches.
Because bandwidth resources are limited and service traffic transmission must be
ensured, the upload and download rate of each intranet IP address cannot exceed
512 kbit/s.
1. On GE0/0/1, configure IP address-based rate limiting for network segments 192.168.10.0 and 192.168.20.0 and limit the rate to 512 kbit/s. Note that IP address-based rate limiting is configured on LAN-side interfaces because NAT-enabled WAN-side interfaces cannot identify intranet IP addresses. When configuring IP address-based rate limiting on LAN-side interfaces, specify the source IP address in the inbound direction to limit the upload rate, and specify the destination IP address in the outbound direction to limit the download rate.
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] qos car inbound source-ip-address range 192.168.10.1 to 192.168.10.254 per-address cir 512
[Router-GigabitEthernet0/0/1] qos car outbound destination-ip-address range 192.168.10.1 to 192.168.10.254 per-address cir 512
[Router-GigabitEthernet0/0/1] qos car inbound source-ip-address range 192.168.20.1 to 192.168.20.254 per-address cir 512
[Router-GigabitEthernet0/0/1] qos car outbound destination-ip-address range 192.168.20.1 to 192.168.20.254 per-address cir 512
[Router-GigabitEthernet0/0/1] quit

The procedure of configuring IP address-based rate limiting for other network segments on GE0/0/2 is similar to the preceding procedure.

Configure rate limiting based on all traffic on a network segment

To reserve sufficient bandwidth resources for department A as services grow, configure rate limiting for department B. The Internet access rate in department B cannot exceed 2 Mbit/s and the download rate cannot exceed 4 Mbit/s.
1. Configure an ACL on the egress router to allow packets from department B to
pass through.
[Router] acl 2222
[Router-acl-basic-2222] rule permit source 192.168.20.0 0.0.0.255
[Router-acl-basic-2222] quit

2. Configure rate limiting on LAN-side interfaces of the egress router to limit the
Internet access rate and download rate.
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] qos car inbound acl 2222 cir 2048
[Router-GigabitEthernet0/0/1] qos car outbound acl 2222 cir 4096
[Router-GigabitEthernet0/0/1] quit

The configuration procedure on GE0/0/2 is similar to that on GE0/0/1.
For details on rate limiting configuration and commands, see "Traffic Policing and Traffic Shaping Configurations" and configuration examples in the corresponding Configuration Guide – QoS based on the version of the device.

3.2.3.3.9 Configuring NAT Server and Multiple Egress Interfaces

Configure NAT Server

As services grow, the web server and FTP server on the intranet need to provide services to both internal and external users who access the servers using public IP addresses.
1. Configure the egress router to allow external users to access intranet servers using public IP addresses.
[Router] interface GigabitEthernet 0/0/0
[Router-GigabitEthernet0/0/0] nat server protocol tcp global current-interface www inside 192.168.50.20 www
Warning:The port 80 is well-known port. If you continue it may cause function failure.
Are you sure to continue?[Y/N]:y
[Router-GigabitEthernet0/0/0] nat server protocol tcp global current-interface ftp inside 192.168.50.10 ftp
[Router-GigabitEthernet0/0/0] quit

2. Enable NAT ALG for FTP on the egress router.
[Router] nat alg ftp enable

3. Configure an ACL to allow intranet users to access intranet servers using public IP addresses.
[Router] acl 3333
[Router-acl-adv-3333] rule permit ip source 192.168.10.0 0.0.0.255 destination 202.101.111.2 0.0.0.0
[Router-acl-adv-3333] rule permit ip source 192.168.20.0 0.0.0.255 destination 202.101.111.2 0.0.0.0
[Router-acl-adv-3333] quit

4. Configure NAT on egress router interfaces connecting to the intranet.
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] nat outbound 3333
[Router-GigabitEthernet0/0/1] quit
[Router] interface GigabitEthernet 0/0/2
[Router-GigabitEthernet0/0/2] nat outbound 3333
[Router-GigabitEthernet0/0/2] quit

5. Configure a mapping table of internal servers on egress router interfaces connecting to the intranet.
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] nat server protocol tcp global interface GigabitEthernet 0/0/0 www inside 192.168.50.20 www
[Router-GigabitEthernet0/0/1] nat server protocol tcp global interface GigabitEthernet 0/0/0 ftp inside 192.168.50.10 ftp
[Router-GigabitEthernet0/0/1] quit

The configuration procedure on GE0/0/2 is similar to that on GE0/0/1.
For details on NAT configuration and commands for AR routers, see "NAT Configuration" and configuration examples in the corresponding Configuration Guide - IP Service, as well as "NAT" in Typical Configuration Examples based on the version of the device.

Configure multiple egress interfaces to the Internet

The enterprise applied for only one link from the carrier. As services grow, the link cannot provide sufficient bandwidth for the enterprise. The enterprise applies for another link. The original single egress interface changes to two egress interfaces. Configure the router to forward traffic from different network segments on the intranet to the Internet through specified links.


Configure GE1/0/0 to provide Internet access using PPPoE dial-up.

Configure policy-based routing (PBR) to allow users on different network segments to access the Internet through different carriers.
1. Configure an ACL for NAT.
[Router] acl 2015
[Router-acl-basic-2015] rule permit source 192.168.10.0 0.0.0.255
[Router-acl-basic-2015] rule permit source 192.168.20.0 0.0.0.255
[Router-acl-basic-2015] quit
2. Configure a dialer ACL.
[Router] dialer-rule
[Router-dialer-rule] dialer-rule 1 ip permit
[Router-dialer-rule] quit
3. Configure a dialer interface.
[Router] interface Dialer 0
[Router-Dialer0] ip address ppp-negotiate
[Router-Dialer0] ppp chap user Router
[Router-Dialer0] ppp chap password cipher Router@123
[Router-Dialer0] dialer user user
[Router-Dialer0] dialer bundle 1
[Router-Dialer0] dialer-group 1
[Router-Dialer0] ppp ipcp dns request
[Router-Dialer0] ppp ipcp dns admit-any
[Router-Dialer0] quit
4. Configure NAT.
[Router] interface Dialer 0
[Router-Dialer0] nat outbound 2015
[Router-Dialer0] quit
5. Set the maximum segment size (MSS) of TCP packets to 1200 bytes. If the
default value (1460 bytes) is used, the Internet access rate may be slow.
[Router] interface Dialer 0
[Router-Dialer0] tcp adjust-mss 1200
[Router-Dialer0] quit
6. Enable PPPoE on the physical interface GE1/0/0 connecting to the carrier
device.
[Router] interface GigabitEthernet 1/0/0
[Router-GigabitEthernet1/0/0] pppoe-client dial-bundle-number 1
[Router-GigabitEthernet1/0/0] quit
7. Configure a default static route to the Internet with Dialer 0 as the outbound
interface.
[Router] ip route-static 0.0.0.0 0 Dialer 0
8. Configure an ACL to match data flows. Traffic exchanged between internal
users is not redirected.
[Router] acl 3000
[Router-acl-adv-3000] rule permit ip source 192.168.10.0 0.0.0.255 destination 192.168.20.0 0.0.0.255
[Router-acl-adv-3000] rule permit ip source 192.168.20.0 0.0.0.255 destination 192.168.10.0 0.0.0.255
[Router-acl-adv-3000] quit
[Router] acl 3001
[Router-acl-adv-3001] rule permit ip source 192.168.10.0 0.0.0.255
[Router-acl-adv-3001] quit
[Router] acl 3002
[Router-acl-adv-3002] rule permit ip source 192.168.20.0 0.0.0.255
[Router-acl-adv-3002] quit
9. Configure traffic classifiers c0, c1, and c2, and configure matching rules based
on ACL 3000, ACL 3001, and ACL 3002 in the traffic classifiers, respectively.
[Router] traffic classifier c0
[Router-classifier-c0] if-match acl 3000
[Router-classifier-c0] quit
[Router] traffic classifier c1
[Router-classifier-c1] if-match acl 3001
[Router-classifier-c1] quit
[Router] traffic classifier c2
[Router-classifier-c2] if-match acl 3002
[Router-classifier-c2] quit
10. Configure traffic behavior to not redirect traffic exchanged between internal
users, to redirect traffic from the internal network segment 192.168.10.0 to
the next hop address 1.1.1.1, and to redirect traffic from the internal network
segment 192.168.20.0 to the outbound interface Dialer 0.
[Router] traffic behavior b0
[Router-behavior-b0] permit
[Router-behavior-b0] quit
[Router] traffic behavior b1
[Router-behavior-b1] redirect ip-nexthop 1.1.1.1
[Router-behavior-b1] quit
[Router] traffic behavior b2
[Router-behavior-b2] redirect interface Dialer 0
[Router-behavior-b2] quit
11. Configure a traffic policy and bind traffic classifiers to traffic behavior in the
traffic policy.
[Router] traffic policy test
[Router-trafficpolicy-test] classifier c0 behavior b0
[Router-trafficpolicy-test] classifier c1 behavior b1
[Router-trafficpolicy-test] classifier c2 behavior b2
[Router-trafficpolicy-test] quit
12. Apply the traffic policy to egress router interfaces connecting to the core
switches.
[Router] interface GigabitEthernet 0/0/1
[Router-GigabitEthernet0/0/1] traffic-policy test inbound
[Router-GigabitEthernet0/0/1] quit
[Router] interface GigabitEthernet 0/0/2
[Router-GigabitEthernet0/0/2] traffic-policy test inbound
[Router-GigabitEthernet0/0/2] quit

After PBR is configured, intranet users on the network segment 192.168.10.0 access the Internet through GE0/0/0, and intranet users on the network segment 192.168.20.0 access the Internet through GE1/0/0 using PPPoE dial-up.
For details on PBR configuration and commands, see "PBR Configuration" and configuration examples in the corresponding Configuration Guide - IP Unicast Routing based on the version of the device.
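The order in which the classifiers are bound in the traffic policy matters: c0 must be evaluated before c1 and c2, otherwise traffic between the two departments would be redirected to an uplink. The following Python script is an added example, not router code, that evaluates the traffic policy test (classifiers c0, c1 and c2 on ACL 3000, 3001 and 3002, behaviors b0, b1 and b2) for sample flows using VRP wildcard-mask semantics, where a 0 bit in the wildcard must match and a 1 bit is ignored. The flow addresses are constructed.

```python
import ipaddress

# Added example (not router code): evaluates the PBR traffic policy "test" configured
# above for sample flows. ACL rules use VRP wildcard masks (0 bits must match);
# a rule without a destination matches any destination. Flow addresses are constructed.

ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard has a 0."""
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def acl_permits(rules, src, dst):
    """First-match evaluation; the implicit final rule is deny (no classifier hit)."""
    for rule in rules:
        s_base, s_wc = rule["source"]
        d_base, d_wc = rule.get("destination", ANY)
        if wildcard_match(src, s_base, s_wc) and wildcard_match(dst, d_base, d_wc):
            return rule["action"] == "permit"
    return False


# ACL 3000, 3001 and 3002 exactly as configured in step 8.
ACLS = {
    3000: [{"action": "permit", "source": ("192.168.10.0", "0.0.0.255"),
            "destination": ("192.168.20.0", "0.0.0.255")},
           {"action": "permit", "source": ("192.168.20.0", "0.0.0.255"),
            "destination": ("192.168.10.0", "0.0.0.255")}],
    3001: [{"action": "permit", "source": ("192.168.10.0", "0.0.0.255")}],
    3002: [{"action": "permit", "source": ("192.168.20.0", "0.0.0.255")}],
}

# Traffic policy "test": (classifier ACL, behavior) in the order they were bound.
POLICY = [
    (3000, "permit"),                        # c0/b0: inter-department traffic, normal routing
    (3001, "redirect ip-nexthop 1.1.1.1"),   # c1/b1: 192.168.10.0 out via GE0/0/0
    (3002, "redirect interface Dialer 0"),   # c2/b2: 192.168.20.0 out via PPPoE on GE1/0/0
]


def classify(src, dst, policy=POLICY):
    """Return the behavior the policy applies to a flow, or 'no match'."""
    for acl_id, behavior in policy:
        if acl_permits(ACLS[acl_id], src, dst):
            return behavior
    return "no match"


if __name__ == "__main__":
    for src, dst in [("192.168.10.5", "192.168.20.7"), ("192.168.10.5", "203.0.113.9"),
                     ("192.168.20.9", "203.0.113.9"), ("192.168.50.20", "203.0.113.9")]:
        print(f"{src} -> {dst}: {classify(src, dst)}")
```

Passing POLICY[1:] to classify() shows what happens without classifier c0: a flow from 192.168.10.5 to 192.168.20.7 is then matched by ACL 3001 and redirected to 1.1.1.1 instead of being routed internally, which is why step 8 creates ACL 3000 for the inter-department traffic and step 11 binds c0 first.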

3.2.3.3.10 Verifying Services and Saving the Configuration

Verify services
1. Select two PCs from two departments to perform ping tests and verify whether the two departments can communicate at Layer 3 through VLANIF interfaces. The following example uses two PCs (PC1 and PC2) in departments A and B. The two PCs communicate at Layer 3 through CORE1 (or CORE2). If they can ping each other successfully, Layer 3 interworking is normal.
<PC1> ping 192.168.20.254 //Assume that PC2 automatically obtains the IP address 192.168.20.254 through DHCP.
PING 192.168.20.254 data bytes, press CTRL_C to break
Reply from 192.168.20.254 : bytes=56 Sequence=1 ttl=253 time=62 ms
Reply from 192.168.20.254 : bytes=56 Sequence=2 ttl=253 time=16 ms
Reply from 192.168.20.254 : bytes=56 Sequence=3 ttl=253 time=62 ms
Reply from 192.168.20.254 : bytes=56 Sequence=4 ttl=253 time=94 ms
Reply from 192.168.20.254 : bytes=56 Sequence=5 ttl=253 time=63 ms

--- 192.168.20.254 ping statistics ---
5 packet(s) transmitted
5 packet(s) received //PC1 can ping PC2 successfully, indicating that Layer 3 interworking between PC1 and PC2 is normal.

2. Select two PCs within a department to perform ping tests and verify whether
Layer 2 interworking within the department is normal.
Users in department A communicate at Layer 2 through ACC1. If the two PCs
can ping each other successfully, users in department A can normally
communicate at Layer 2. The ping command is similar to that in step 1.
3. Select two PCs from two departments to ping a public IP address and verify whether intranet users of the company can access the Internet normally. The following example uses department A. Generally, you can ping a public network gateway address from PC1 to verify whether PC1 can access the Internet. The public network gateway address is the IP address of the carrier device to which the egress router connects. If the ping test succeeds, intranet users can access the Internet normally. The ping command is similar to that in step 1.

Save the configuration

You must save your data to the configuration file before restarting the switch. Unsaved data configured via command lines will be lost after the switch restarts. The example below shows the procedure of saving CORE1's configuration file.
<CORE1> save
The current configuration will be written to the device.
Are you sure to continue?[Y/N]y
Now saving the current configuration to the slot 0..
Save the configuration successfully.

3.2.4 Mid-sized Campus WLANs

3.2.4.1 Networking Diagram

NOTE

This section uses an S series switch running V200R012 and an AR series router running V200R010 as examples to demonstrate how to configure a medium-sized campus WLAN.


● A WLAN with SSID wlan-net is required so that users can access the Internet
from anywhere at any time.
● The S5720-LI that supports the PoE function can be deployed at the access
layer and connects to APs to provide wireless network access for STAs.
● The S5720-HI can be deployed as an AC at the aggregation layer to control
and manage STAs. The AC functions as a DHCP server to assign IP addresses
to APs.
● An AR series router can be deployed as the egress of the campus network.
The router functions as a DHCP server to assign IP addresses to STAs.
● VLANs in a VLAN pool can be configured as service VLANs. IP addresses are
assigned to STAs from the interface address pools corresponding to the VLANs
in the VLAN pool.

3.2.4.2 Data Plan

Before configuring the switches and router, prepare the following data for use in the next section.

Configuration Item                     Data
DHCP server                            ● The AC functions as a DHCP server to assign IP addresses to APs.
                                       ● The router functions as a DHCP server to assign IP addresses to STAs.
IP address pool for APs                10.23.100.2 to 10.23.100.254/24
IP address pool for STAs               ● 10.23.101.2 to 10.23.101.254/24
                                       ● 10.23.102.2 to 10.23.102.254/24
VLAN pool                              ● Name: sta-pool
                                       ● VLANs in the VLAN pool: VLAN 101 and VLAN 102
Source interface IP address of the AC  VLANIF 100: 10.23.100.1/24
AP group                               ● Name: ap-group1
                                       ● Referenced profiles: VAP profile wlan-vap and regulatory domain profile domain1
Regulatory domain profile              ● Name: domain1
                                       ● Country code: CN
SSID profile                           ● Name: wlan-ssid
                                       ● SSID name: wlan-net
Security profile                       ● Name: wlan-security
                                       ● Security policy: WPA2+PSK+AES
                                       ● Password: YsHsjx_202206
VAP profile                            ● Name: wlan-vap
                                       ● Forwarding mode: tunnel forwarding
                                       ● Service VLAN: VLAN pool
                                       ● Referenced profiles: SSID profile wlan-ssid and security profile wlan-security

3.2.4.3 Configuration Roadmap


NOTE

Various profiles are designed based on different functions and features of WLANs to help
users configure and maintain functions of WLANs. These profiles are called WLAN profiles.
The following figure shows the referencing relationships between WLAN profiles. By getting
to know the referencing relationships, you can easily grasp the configuration roadmap of
WLAN profiles and complete configurations.


3.2.4.4 Quickly Configuring Mid-sized Campus WLANs


Follow the procedure shown below to configure network devices to build a
wireless network for the campus and enable users to access the Internet from
anywhere at any time.


3.2.4.4.1 Setting the NAC Mode to Unified on the AC

NOTE

The S5720-HI supports both the NAC unified mode and common mode. Compared with the
NAC common mode, the NAC unified mode can be configured based on templates, making
the configuration clearer and configuration model easier to understand. Based on the
preceding advantages, you are advised to set the NAC mode to unified.

1. Check the current NAC mode and the mode that will take effect after the AC restarts.
<HUAWEI> display authentication mode
Current authentication mode is common-mode
Next authentication mode is unified-mode

The command output shows the mode in effect now and the mode after the next restart:
– unified-mode: unified mode
– common-mode: common mode
2. If the current NAC mode is common, switch the NAC mode to unified to
ensure that users can access the Internet.
<HUAWEI> system-view
[HUAWEI] authentication unified-mode

NOTE

In versions earlier than V200R007C00, after the NAC mode is switched, you need to
manually save the configuration file and restart the AC to make the new NAC mode
take effect. In V200R007C00 and later versions, after the NAC mode is switched, the
AC automatically saves the configuration file and restarts.

3.2.4.4.2 Configuring the AC So That the AC and APs Can Transmit CAPWAP Packets
1. Add GE0/0/1, GE0/0/2, and GE0/0/3 on Switch_A to VLAN 100 (management
VLAN).
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitethernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitethernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitethernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/3] port-isolate enable
[Switch_A-GigabitEthernet0/0/3] quit

2. Add GE0/0/1 connecting the AC to Switch_A to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] quit

NOTE

In tunnel forwarding mode, APs encapsulate data packets over CAPWAP data tunnels
and send them to the AC, which then forwards these packets to the upper-layer
network. In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. The network between the AC and APs can permit packets only with
management VLAN tags to pass through, and does not permit packets with service
VLAN tags to pass through.

3.2.4.4.3 Configuring the AC to Communicate with the Upstream Network Device


1. Configure VLAN 101 (service VLAN), VLAN 102 (service VLAN), and VLANIF
200.

NOTE

Configure uplink interfaces of the AC to transparently transmit packets of service
VLANs as required and communicate with the upstream network device.
[AC] vlan batch 101 102 200
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] quit
[AC] interface vlanif 200
[AC-Vlanif200] ip address 10.23.200.2 24
[AC-Vlanif200] quit

2. Configure the default route on the AC.


[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.200.1

3. Add GE0/0/2 connecting the AC to Router to VLAN 200.


[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[AC-GigabitEthernet0/0/2] quit

3.2.4.4.4 Configuring the AC to Assign IP Addresses to APs and Router to Assign IP Addresses to STAs

Configure the AC as a DHCP server to assign IP addresses to APs from an interface
IP address pool, the AC as a DHCP relay agent, and Router connected to the AC to
assign IP addresses to STAs.

1. Configure the AC to assign IP addresses to APs from an interface address
pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

2. Configure the AC as a DHCP relay agent.


[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay
[AC-Vlanif101] dhcp relay server-ip 10.23.200.1
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] dhcp select relay
[AC-Vlanif102] dhcp relay server-ip 10.23.200.1
[AC-Vlanif102] quit

3. Configure Router as a DHCP server to assign IP addresses to STAs.


<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta-ip-pool1
[Router-ip-pool-sta-ip-pool1] gateway-list 10.23.101.1
[Router-ip-pool-sta-ip-pool1] network 10.23.101.0 mask 24
[Router-ip-pool-sta-ip-pool1] quit
[Router] ip pool sta-ip-pool2
[Router-ip-pool-sta-ip-pool2] gateway-list 10.23.102.1
[Router-ip-pool-sta-ip-pool2] network 10.23.102.0 mask 24
[Router-ip-pool-sta-ip-pool2] quit
[Router] vlan batch 200
[Router] interface vlanif 200
[Router-Vlanif200] ip address 10.23.200.1 24
[Router-Vlanif200] dhcp select global
[Router-Vlanif200] quit

[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 200
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.200.2
[Router] ip route-static 10.23.102.0 24 10.23.200.2

NOTE

Configure an IP address for the DNS server as needed using either of the following
methods:
● In the interface address pool scenario, run the dhcp server dns-list ip-address
&<1-8> command in the VLANIF interface view.
● In the global address pool scenario, run the dns-list ip-address &<1-8> command
in the IP address pool view.

3.2.4.4.5 Configuring a VLAN Pool for Service VLANs


WLANs allow STAs to access in flexible modes at different locations. STAs may
connect to the same WLAN in a location (such as the entrance of an office or a
stadium), and roam to a wireless network covered by other APs.
If each SSID has only one service VLAN to deliver wireless access to STAs, IP
address resources may become insufficient in areas with a large number of STAs,
and IP addresses in other areas are wasted. You can configure VLANs in a VLAN
pool as service VLAN of STAs so that one SSID can use multiple service VLANs to
provide wireless access services.
New STAs are dynamically assigned to VLANs in the VLAN pool, which reduces the
number of STAs in each VLAN and also the size of the broadcast domain.
Additionally, IP addresses are evenly allocated, preventing IP address waste.
1. Create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and set the
VLAN assignment algorithm to hash in the VLAN pool.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

NOTE

In this example, the VLAN assignment algorithm is set to hash (default value). If the
default setting is retained, you do not need to run the assignment hash command.
Only VLAN 101 and VLAN 102 are added to the VLAN pool in this example. You can
add multiple VLANs to the VLAN pool using the same method. You also need to create
corresponding VLANIF interfaces, and configure IP addresses and interface address
pools.
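The two properties the text relies on, balanced allocation of STAs across the pool's VLANs and a STA landing in the same VLAN when it reconnects, can be checked with a small model. The following is an added illustration, not Huawei's VLAN pool implementation: the hash function (SHA-256 of the MAC modulo the pool size), the round-robin assigner used for contrast, and the sample STA MACs are all constructed here; only the VLAN numbers 101 and 102 come from the data plan.

```python
import hashlib

# Constructed illustration of VLAN-pool assignment. It is not the AC's
# algorithm; it only demonstrates the properties described in the text.
VLAN_POOL = [101, 102]  # VLANs in sta-pool from the data plan


def assign_vlan_hash(sta_mac: str, pool=VLAN_POOL) -> int:
    """Hash-based assignment: the VLAN depends only on the STA MAC, so a STA
    that reconnects or roams to another AP lands in the same VLAN and keeps
    an address from the same subnet. Accepts xxxx-xxxx-xxxx or xx:xx:... forms."""
    key = sta_mac.lower().replace("-", "").replace(":", "")
    digest = hashlib.sha256(key.encode()).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


class RoundRobinAssigner:
    """Contrast case (constructed): a stateless round-robin assigner balances
    load but hands a returning STA whatever VLAN is next, not the one it had."""

    def __init__(self, pool=VLAN_POOL):
        self.pool = pool
        self.next = 0

    def assign(self, sta_mac: str) -> int:
        vlan = self.pool[self.next % len(self.pool)]
        self.next += 1
        return vlan


def constructed_macs(n: int):
    # Constructed sample STA MACs in the switch's xxxx-xxxx-xxxx notation
    return [f"e019-1dc7-{i:04x}" for i in range(n)]


def distribution(macs, pool=VLAN_POOL):
    """Count how many STAs the hash assigner places in each VLAN."""
    counts = {v: 0 for v in pool}
    for mac in macs:
        counts[assign_vlan_hash(mac, pool)] += 1
    return counts


def roaming_check(macs):
    """Let the first STA associate, then all the others, then the first STA
    again. Return (hash_stable, round_robin_stable)."""
    first = macs[0]
    hash_before = assign_vlan_hash(first)
    rr = RoundRobinAssigner()
    rr_before = rr.assign(first)
    for mac in macs[1:]:
        assign_vlan_hash(mac)
        rr.assign(mac)
    return hash_before == assign_vlan_hash(first), rr_before == rr.assign(first)


if __name__ == "__main__":
    macs = constructed_macs(1000)
    print("hash distribution over", len(macs), "STAs:", distribution(macs))
    print("VLAN kept across reconnect (hash, round-robin):", roaming_check(constructed_macs(3)))
```

With 1000 constructed MACs the hash assigner splits the STAs roughly in half between VLAN 101 and VLAN 102, which is the broadcast-domain and address-usage benefit the text describes; the roaming check shows why a MAC-keyed hash, rather than plain rotation, is what keeps a returning STA in its VLAN.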

3.2.4.4.6 Configuring APs to Go Online


1. Create an AP group to which the APs with the same configuration can be
added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
2. Create a regulatory domain profile, configure the AC's country code in the
profile, and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit

[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

3. Configure the AC's source interface.


[AC] capwap source interface vlanif 100

4. Import APs offline on the AC and add the APs to the AP group ap-group1.
Assume that APs' MAC addresses are 00e0-fc76-e360 and 00e0-fc74-9640.
Configure names for the APs based on the APs' deployment locations, so that
you can know where the APs are deployed from their names. For example,
name the AP with MAC address 00e0-fc76-e360 as area_1 if it is deployed in
area 1.
NOTE

● The default AP authentication mode configured using the ap auth-mode
command is MAC address authentication. If the default settings are retained, you
do not need to run the ap auth-mode mac-auth command.
● In this example, the AP5030DN with radio 0 and radio 1 is used. Radio 0 of the
AP5030DN works on the 2.4 GHz frequency band and radio 1 works on the 5 GHz
frequency band.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 00e0-fc74-9640
[AC-wlan-ap-1] ap-name area_2
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

5. After the APs are powered on, run the display ap all command to check the
AP states. If the value of the State field displays nor, the APs have gone
online successfully.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
Extra information:
P : insufficient power supply
------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 5M:2S -
1 00e0-fc74-9640 area_2 ap-group1 10.23.100.253 AP5030DN nor 0 5M:4S -
------------------------------------------------------------------------------------
Total: 2

3.2.4.4.7 Configuring WLAN Service Parameters


1. Create security profile wlan-security and set a security policy in the profile.

NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to
YsHsjx_202206. In practice, configure a security policy based on service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase YsHsjx_202206 aes
[AC-wlan-sec-prof-wlan-security] quit

2. Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

3. Create VAP profile wlan-vap, set the data forwarding mode and service
VLAN, and apply the security profile and SSID profile to this VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

4. Bind VAP profile wlan-vap to the AP group, and apply the profile to radio 0
and radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan1 radio all
[AC-wlan-ap-group-ap-group1] quit

3.2.4.4.8 Configuring Channels and Power for AP Radios


NOTE

The automatic channel and power calibration functions are enabled by default. The manual
channel and power configurations take effect only when these functions are disabled. The
channel and power configuration for the AP's radio 0 in this example is for reference only.
In actual scenarios, configure channels and power for AP radios based on country codes of
the APs and network planning results.

1. Disable the automatic channel and power calibration functions of the AP's
radio 0, and set a channel and power for radio 0.
[AC-wlan-view] ap-id 0
[AC-wlan-ap-0] radio 0
[AC-wlan-radio-0/0] calibrate auto-channel-select disable
[AC-wlan-radio-0/0] calibrate auto-txpower-select disable
[AC-wlan-radio-0/0] channel 20mhz 6
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/0] eirp 127
[AC-wlan-radio-0/0] quit

2. Disable the automatic channel and power calibration functions of the AP's
radio 1 and set a channel and power for radio 1.
[AC-wlan-ap-0] radio 1
[AC-wlan-radio-0/1] calibrate auto-channel-select disable
[AC-wlan-radio-0/1] calibrate auto-txpower-select disable
[AC-wlan-radio-0/1] channel 20mhz 149
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-radio-0/1] eirp 127
[AC-wlan-radio-0/1] quit
[AC-wlan-ap-0] quit

3.2.4.4.9 Verifying the Configuration


1. After the configuration is complete, run the display vap ssid wlan-net
command. If the value of the Status field in the command output is displayed
as ON, the VAPs have been successfully created on the AP radios.

[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
---------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
---------------------------------------------------------------------------
0 area_1 0 1 60DE-4476-E360 ON WPA2-PSK 0 wlan-net
0 area_1 1 1 60DE-4476-E370 ON WPA2-PSK 0 wlan-net
1 area_2 0 1 60DE-4474-9640 ON WPA2-PSK 0 wlan-net
1 area_2 1 1 60DE-4474-9650 ON WPA2-PSK 0 wlan-net
---------------------------------------------------------------------------
Total: 4

2. Connect STAs to the WLAN with SSID wlan-net and enter password
YsHsjx_202206. Run the display station ssid wlan-net command on the AC.
The command output shows that the STAs are connected to the WLAN wlan-
net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------
e019-1dc7-1e08 0 area_1 1/1 5G 11n 38/64 -68 102 10.23.102.254
14cf-9202-13dc 1 area_2 0/1 2.4G 11n 3/34 -68 101 10.23.101.254
------------------------------------------------------------------------------
Total: 2 2.4G: 1 5G: 1
[AC-wlan-view] quit
[AC] quit

3.2.4.4.10 Saving the Configuration


1. The data configured using the preceding commands are temporary. If you do
not save the configuration, the configuration will be lost after the AC restarts.
To enable the current configuration to take effect after the AC restarts, save
the current configurations into a configuration file.
Take the configuration on the AC as an example.
<AC> save
The current configuration will be written to flash:/vrpcfg.zip.
Are you sure to continue?[Y/N]y
Now saving the current configuration to the slot 0..
Save the configuration successfully.

3.2.5 FAQs

3.2.5.1 How Can I Delete or Clear Configurations and Restore Factory Settings?

NOTE

Back up the configuration file before restoring factory settings; otherwise, all configuration
data will be deleted.

Restore the factory settings of a switch.


<HUAWEI> reset saved-configuration
Warning: The action will delete the saved configuration in the device.
The configuration will be erased to reconfigure. Continue? [Y/N]:y
Warning: Now clearing the configuration in the device.
Info: Succeeded in clearing the configuration in the device.
<HUAWEI> reboot
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next startup saved-configuration file flash:/vrpcfg.zip. Continue? [Y/N]:n
Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]:y

3.2.5.2 How Can I Clear Interface Configurations with One Command?


Run the clear configuration this command in the interface view or the clear
configuration interface command in the system view. Then shut down the
interface.

NOTE

The interface shuts down after interface configurations are cleared. To enable the interface
again, run the undo shutdown command.

3.2.5.3 How Can I Reset the Console Port Password?


If your Telnet account level is 3 or higher, you can log in to the switch from an
operational terminal through Telnet to change the console port password.
<HUAWEI> system-view
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] authentication-mode password
[HUAWEI-ui-console0] set authentication password cipher YsHsjx_202206
[HUAWEI-ui-console0] return

3.2.5.4 How Can I Reset the Telnet Password?


Log in to the switch through the console port to change the Telnet password.
(AAA authentication is used in the example below.)
<HUAWEI> system-view
[HUAWEI] aaa
[HUAWEI-aaa] local-user user11 password irreversible-cipher YsHsjx_202206

If you forget your user name, see Configuring the Management IP Address and
Telnet to create a user name and reset the password.

3.2.5.5 How Can I Specify the Unallocatable IP Addresses in an Address Pool?


If some IP addresses in an address pool need to be reserved for certain services,
such as DNS, these IP addresses must be excluded from the pool of allocable IP
addresses. If these IP addresses are allocated by the DHCP server, IP address
conflict may occur.
Configuration method:
Run this command in the interface or interface address pool view: dhcp server
excluded-ip-address start-ip-address [ end-ip-address ]
Run this command in the global address pool view: excluded-ip-address start-ip-
address [ end-ip-address ]

3.2.5.6 How Can I Configure the Lease?


By default, a lease expires after one day. In situations where a user is working
away from their home or office, such as a café or airport, a short-term lease is
recommended. In situations where users are primarily working from one location,
long-term leases are recommended.
Configuration method:
Run this command in the interface or interface address pool view: dhcp server
lease { day day [ hour hour [ minute minute ] ] | unlimited }
Run this command in the global address pool view: lease { day day [ hour hour
[ minute minute ] ] | unlimited }

3.2.5.7 How Can I Specify Fixed IP Addresses Allocated to Clients?


Some important servers require fixed IP addresses, so you can specify the fixed IP
addresses allocated to them.
These IP addresses must be in the IP address pool that can be dynamically
allocated.
Configuration method:
Run this command in the interface or interface address pool view: dhcp server
static-bind ip-address ip-address mac-address mac-address
Run this command in the global address pool view: static-bind ip-address ip-
address mac-address mac-address [ option-template template-name ]
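The three FAQ items above (excluded addresses, lease time and static bindings) interact in one allocator, and the text states two rules worth checking: an excluded address is never handed out, and a static binding must lie inside the dynamically allocatable range. The model below is an added example, not the switch's DHCP server code; it uses pool sta-ip-pool1 (10.23.101.0/24, gateway 10.23.101.1) from the example, while the excluded range, the server MAC 00e0-fc00-0001, the two-hour guest lease and the method names (`exclude`, `set_lease`, `static_bind`, `request`) are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import timedelta
from typing import Optional


@dataclass
class DhcpPool:
    """Toy address pool with the three controls from the FAQ: excluded
    addresses, lease time and static bindings. Constructed illustration,
    not the switch's DHCP implementation."""
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    lease: Optional[timedelta] = timedelta(days=1)   # default lease: one day
    excluded: set = field(default_factory=set)
    static: dict = field(default_factory=dict)       # MAC -> fixed address
    leased: dict = field(default_factory=dict)       # MAC -> dynamic address

    def exclude(self, start: str, end: Optional[str] = None) -> None:
        # Counterpart of excluded-ip-address start-ip-address [ end-ip-address ]
        first = int(ipaddress.IPv4Address(start))
        last = int(ipaddress.IPv4Address(end or start))
        for n in range(first, last + 1):
            self.excluded.add(ipaddress.IPv4Address(n))

    def set_lease(self, day=0, hour=0, minute=0, unlimited=False) -> None:
        # Counterpart of lease { day day [ hour hour [ minute minute ] ] | unlimited }
        self.lease = None if unlimited else timedelta(days=day, hours=hour, minutes=minute)

    def _allocatable(self, addr: ipaddress.IPv4Address) -> bool:
        # Network/broadcast addresses, the gateway and excluded addresses are never offered
        return (addr in self.network
                and addr not in (self.network.network_address,
                                 self.network.broadcast_address, self.gateway)
                and addr not in self.excluded)

    def static_bind(self, ip: str, mac: str) -> None:
        # Counterpart of static-bind ip-address ip-address mac-address mac-address;
        # the text requires the address to be in the dynamically allocatable range.
        addr = ipaddress.IPv4Address(ip)
        if not self._allocatable(addr):
            raise ValueError(f"{addr} is not an allocatable address of {self.network}")
        self.static[mac.lower()] = addr

    def request(self, mac: str):
        """Answer a client with (address, lease): static binding first, then the
        client's existing lease, then the lowest free allocatable address."""
        mac = mac.lower()
        if mac in self.static:
            return self.static[mac], self.lease
        if mac in self.leased:
            return self.leased[mac], self.lease
        in_use = set(self.static.values()) | set(self.leased.values())
        for host in self.network.hosts():
            if self._allocatable(host) and host not in in_use:
                self.leased[mac] = host
                return host, self.lease
        raise RuntimeError("address pool exhausted")


def demo():
    # Pool sta-ip-pool1 from the example: 10.23.101.0/24 with gateway 10.23.101.1
    pool = DhcpPool(ipaddress.IPv4Network("10.23.101.0/24"),
                    ipaddress.IPv4Address("10.23.101.1"))
    pool.exclude("10.23.101.2", "10.23.101.10")        # constructed: reserved for DNS and servers
    pool.static_bind("10.23.101.50", "00e0-fc00-0001")  # constructed server MAC
    pool.set_lease(day=0, hour=2)                       # constructed: short lease for a guest area
    # Second pool left at the default lease, to show the one-day default
    pool2 = DhcpPool(ipaddress.IPv4Network("10.23.102.0/24"),
                     ipaddress.IPv4Address("10.23.102.1"))
    results = {
        "sta1": pool.request("14cf-9202-13dc"),     # STA MAC from the example output
        "server": pool.request("00E0-FC00-0001"),   # case-insensitive MAC match
        "sta1_again": pool.request("14cf-9202-13dc"),
        "pool2_default_lease_days": pool2.lease.days,
    }
    return pool, results


if __name__ == "__main__":
    _, r = demo()
    for k, v in r.items():
        print(k, v)
```

The first dynamic client receives 10.23.101.11 because .1 is the gateway and .2 to .10 are excluded; the server always gets its bound .50; a `static_bind` on an excluded address raises instead of silently creating the conflict the text warns about.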

3.3 Typical Basic Configuration

3.3.1 Typical Login Configuration

3.3.1.1 Example for Configuring Switch Login Through a Console Port

Overview
After a PC is connected to a switch through a dedicated console cable, you can
perform login configurations and use the PC to manage the switch.
Logging in through a console port is a basic login mode and forms the basis of
other login modes such as Telnet and STelnet. When you log in to a switch for the
first time or if you cannot remotely log in to a switch, you can log in to the switch
through a console port.

Configuration Notes
● Prepare a console cable. If you use a laptop or a PC without a serial port,
prepare a USB to serial cable and install the driver stored on the CD-ROM
(delivered with the cable) according to instructions.
● Install the terminal emulation software on the PC. You can use the built-in
HyperTerminal of Windows 2000 on the PC. If no built-in terminal emulation
software is available, prepare the terminal emulation software. For details on
how to use terminal emulation software, see the related usage guide or
online help.

● This example applies to switches that support the console interface.

NOTE

The following uses the command lines and outputs of the S7700 running V200R006C00 as an
example.

Networking Requirements
The IT maintenance department of a company purchases S series switches, which
are configured by network administrators. A network administrator usually logs in
to a new switch through a console port and then performs initial configurations.
As shown in Figure 3-1, the serial port of a PC is connected to the console port of
the Switch through a console cable. The user wants to log in to the Switch
through the console port and requires local authentication upon the next login. To
facilitate remote maintenance on the Switch, the user wants to configure the
Telnet function.

Figure 3-1 Networking diagram for configuring switch login through a console
port

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure terminal emulation software, set the connected port and
communication parameters, and log in to the Switch.
2. Configure basic information for the Switch, including the date, time, time
zone, and name, to facilitate management.
3. Configure an authentication mode for the console user interface so that the
user is authenticated upon the next login through the console port.
4. Configure the management IP address and Telnet to facilitate remote
maintenance on the Switch.

Procedure
Step 1 Connect the DB9 female connector of the console cable to the serial port (COM)
on the PC, and connect the RJ45 connector to the console port on the switch, as
shown in Figure 3-2.


Figure 3-2 Connecting to the switch through the console port

NOTE

● If you use a laptop or a PC without a serial port, prepare a USB to serial cable. Install
the driver stored on the CD-ROM (delivered with the cable) according to instructions,
connect the USB-DB9 female connector of the cable to the USB port on the PC, and
connect the RJ-45 connector to the console port on the switch.
● If the switch has two MPUs, you can log in to the switch through the console port on
either of the two MPUs.

Step 2 Configure terminal emulation software and log in to the Switch.


Start terminal emulation software on the PC. Establish a connection, and set the
connected port and communication parameters. Table 3-4 lists the default
attribute settings of a console port.

Table 3-4 Default attribute settings of a console port

Parameter       Default Setting
Baud rate       9600 bit/s
Flow control    No flow control
Parity          No parity check
Stop bits       1
Data bits       8

Step 3 Configure basic information for the Switch.


# Set the date, time, time zone, and name.

NOTE

The time zone varies depending on the location of a switch. Set the time zone based on the site
requirements. The following information is only for reference.
<HUAWEI> clock timezone BJ add 08:00:00 //BJ is the name of the time zone, and add 08:00:00 sets the local time to UTC plus 8 hours.
<HUAWEI> clock datetime 10:10:00 2014-07-26 //Set the current date and time. Before setting the current time, check the time zone and set a correct time zone offset to ensure the correct local time.
<HUAWEI> system-view
[HUAWEI] sysname Switch //Set the switch name to Switch.

Step 4 Configure an authentication mode for the console user interface. (From V200R010
to V200R019, the default authentication mode for the console user interface is
AAA authentication. In V200R020 and later versions, the default authentication
mode for the console user interface is password authentication. The method of
changing the authentication mode is similar and is not provided here.)
# Set the authentication mode of the console interface to AAA, and create a local
user.
[Switch] user-interface console 0
[Switch-ui-console0] authentication-mode aaa //Set the authentication mode of the user to AAA.
[Switch-ui-console0] quit
[Switch] aaa
[Switch-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789 //Create a local
user named admin1234 and set its password to Helloworld@6789. Versions earlier than V200R003
support only the cipher keyword but do not support irreversible-cipher.
[Switch-aaa] local-user admin1234 privilege level 15 //Set the user level to 15.
[Switch-aaa] local-user admin1234 service-type terminal //Set the access type to terminal, that is,
console user.
[Switch-aaa] quit

Step 5 Configure the management IP address and Telnet.


# Configure the management IP address.
[Switch] vlan 10
[Switch-vlan10] interface vlanif 10 //Configure VLANIF 10 as the management interface.
[Switch-Vlanif10] ip address 10.1.1.1 24
[Switch-Vlanif10] quit
[Switch] interface gigabitethernet 0/0/10 //GE0/0/10 is the physical interface used for logging in to the
switch through the web system on a PC. Select an interface based on actual networking requirements.
[Switch-GigabitEthernet0/0/10] port link-type access //Set the interface type to access.
[Switch-GigabitEthernet0/0/10] port default vlan 10 //Add GE0/0/10 to VLAN 10.
[Switch-GigabitEthernet0/0/10] quit

# Configure the Telnet function.
[Switch] telnet server enable //Enable Telnet.
[Switch] telnet server-source -i Vlanif 10 //Configure the source interface of the server as the interface
corresponding to 10.1.1.1. Assume that the interface is Vlanif 10.
[Switch] user-interface vty 0 4 //Enter the user interface views of VTY 0 to VTY 4.
[Switch-ui-vty0-4] protocol inbound telnet //Set the protocol supported by the VTY user interface to
Telnet.
[Switch-ui-vty0-4] user privilege level 15 //Set the level of users in VTY 0 to VTY 4 to 15.
[Switch-ui-vty0-4] authentication-mode aaa //Set the authentication mode of users in VTY 0 to VTY 4
to AAA.
[Switch-ui-vty0-4] quit
[Switch] aaa
[Switch-aaa] local-user admin123 password irreversible-cipher Huawei@6789 //Create a local user
named admin123 and set its password to Huawei@6789. Versions earlier than V200R003 support only
the cipher keyword but do not support irreversible-cipher.
[Switch-aaa] local-user admin123 privilege level 15 //Set the user level to 15.
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y
[Switch-aaa] local-user admin123 service-type telnet //Set the access type to telnet, that is, Telnet user.
[Switch-aaa] quit

Step 6 Verify the configuration.


When logging in to the switch again through the console port after completing
the configuration, you need to enter the user name and authentication password
configured in the preceding steps to pass identity authentication and log in to the
switch successfully. You can also log in to the switch using Telnet.

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
telnet server enable
telnet server-source -i Vlanif 10
#
clock timezone BJ add 08:00:00
#
aaa
local-user admin123 password irreversible-cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj
+,$>NP>63de|G~ws,9G%^%#
local-user admin123 privilege level 15
local-user admin123 service-type telnet
local-user admin1234 password irreversible-cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj
+,$>NP>63de|G~ws,9G%^%#
local-user admin1234 privilege level 15
local-user admin1234 service-type terminal
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 10
#
user-interface con 0
authentication-mode aaa
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
protocol inbound telnet

#
return

Related Content
Videos

Log In to a Switch Through the Console Port.

3.3.1.2 Example for Configuring Telnet Login (Based on ACL Rules and
RADIUS Authentication)

Overview
Telnet login to a switch facilitates remote management and maintenance on the
switch so that you do not need to connect a terminal to each switch. By default,
you cannot log in to a switch using Telnet. You need to log in to a switch through
a console port and configure the Telnet function first. For details, see 3.3.1.1
Example for Configuring Switch Login Through a Console Port.

An Access Control List (ACL) is a packet filter that filters packets based on rules.
One or more rules describe the packet matching conditions, such as the source
address, destination address, and port number of packets. For packets that match
the ACL rules configured on a device, the device forwards or discards these
packets according to the policies used by the service module to which the ACL is
applied.

RADIUS uses the client/server model in distributed mode and protects a network
against unauthorized access. It is often used on networks that require high
security and remote user access control. After Telnet login based on RADIUS
authentication is configured, a switch sends the user name and password of a
login user to the RADIUS server. The RADIUS server then authenticates the user
and records the user operations, ensuring network security.

If ACLs and RADIUS authentication are both configured, packets matching ACL
rules reach an upper-layer module and then are authenticated in RADIUS mode
based on the user name and password. The Telnet login mode based on ACL rules
and RADIUS authentication therefore ensures network security.

Configuration Notes
● Telnet is an insecure protocol. Using STelnet V2 is recommended.
● Ensure that the user terminal has reachable routes to the switch and RADIUS
server.
● Ensure that the IP address, port number, and shared key of the RADIUS server
are configured correctly on the switch and are the same as those on the
RADIUS server.
● Ensure that a user has been configured on the RADIUS server. In this example,
the user admin123@huawei.com (in the format of user name@domain
name) and password Example@123 have been configured.
● This example applies to all versions of all S series switches.

NOTE

The following uses the command lines and outputs of the S7700 running V200R006C00 as an
example.

Networking Requirements
The network administrator requires remote management and maintenance on a
switch and high network security for protecting the network against unauthorized
access. To meet the requirements, configure Telnet login based on ACL rules and
RADIUS authentication.
As shown in Figure 3-3, the Switch has reachable routes to the administrator and
the RADIUS server. The IP address and port number of the RADIUS server are
10.2.1.1/24 and 1812 respectively.

Figure 3-3 Networking diagram for configuring Telnet login based on ACL rules
and RADIUS authentication

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Telnet protocol so that users can log in to the Switch using
Telnet.
2. Configure an ACL rule to ensure that only users matching the ACL rule can
log in to the Switch.
3. Configure the RADIUS protocol to implement RADIUS authentication. After
the configuration is complete, you can use the user name and password
configured on the RADIUS server to log in to the Switch using Telnet, ensuring
user login security.

Procedure
Step 1 Configure Telnet login.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] telnet server enable //Enable Telnet.
[Switch] telnet server-source -i Vlanif 10 //Configure the source interface of the server as the interface
corresponding to 10.1.1.1. Assume that the interface is Vlanif 10.
[Switch] user-interface vty 0 14 //Enter the user interface views of VTY 0 to VTY 14.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface to support Telnet. By
default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later
versions support SSH.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication mode of users in VTY 0 to VTY 14
to AAA.
[Switch-ui-vty0-14] user privilege level 15 //Set the level of users in VTY 0 to VTY 14 to 15.
[Switch-ui-vty0-14] quit

Step 2 Configure a basic ACL rule.

[Switch] acl 2008
[Switch-acl-basic-2008] rule permit source 10.137.217.177 0
[Switch-acl-basic-2008] quit
[Switch] user-interface vty 0 14
[Switch-ui-vty0-14] acl 2008 inbound //Allow only users matching ACL 2008 in VTY 0 to VTY 14 to log in
to the switch.
[Switch-ui-vty0-14] quit

Step 3 Configure RADIUS authentication.

# Configure a RADIUS server template on the Switch to implement
communication with the RADIUS server.
[Switch] radius-server template 1 //Enter the RADIUS server template view.
[Switch-radius-1] radius-server authentication 10.2.1.1 1812 //Configure the RADIUS server.
[Switch-radius-1] radius-server shared-key cipher Huawei@6789 //Set the shared key of the RADIUS
server to Huawei@6789.
[Switch-radius-1] quit

NOTE

If the RADIUS server does not support a user name containing the domain name, run the
undo radius-server user-name domain-included command to configure the Switch to
send packets carrying a user name without the domain name to the RADIUS server.

# Configure an AAA authentication scheme, with the authentication mode being RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1 //Create an authentication scheme named sch1.
[Switch-aaa-authen-sch1] authentication-mode radius //Set the authentication mode to RADIUS.
[Switch-aaa-authen-sch1] quit

# Create a domain, and apply the AAA authentication scheme and RADIUS server
template in the domain.
[Switch-aaa] domain huawei.com //Create a domain named huawei.com and enter the domain view.
[Switch-aaa-domain-huawei.com] authentication-scheme sch1 //Configure the authentication scheme
sch1 for the domain.
[Switch-aaa-domain-huawei.com] radius-server 1 //Apply the RADIUS server template 1 to the domain.
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

# Configure the domain huawei.com as the default global management domain so that an
administrator does not need to enter the domain name for logging in to the Switch.
[Switch] domain huawei.com admin

Step 4 Verify the configuration.

Choose Start > Run as an administrator. Enter cmd to open the Windows
Command Prompt window. Type telnet 10.1.1.1, and press Enter.
C:\Documents and Settings\Administrator> telnet 10.1.1.1

In the login interface, type the user name admin123 and password Example@123
as prompted and press Enter. Authentication succeeds, and you successfully log in
to the Switch using Telnet. (The following information is only for reference.)
Login authentication

Username:admin123
Password:
Info: The max number of VTY users is 8, and the number
of current VTY users on line is 2.
The current login time is 2014-07-30 09:54:02+08:00.
<Switch>

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
domain huawei.com admin
#
telnet server enable
telnet server-source -i Vlanif 10
#
radius-server template 1
radius-server shared-key cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|
G~ws,9G%^%#
radius-server authentication 10.2.1.1 1812 weight 80
#
acl number 2008
rule 5 permit source 10.137.217.177 0
#
aaa
authentication-scheme sch1
authentication-mode radius
domain huawei.com
authentication-scheme sch1
radius-server 1
#
user-interface vty 0 14
acl 2008 inbound
authentication-mode aaa
user privilege level 15
protocol inbound telnet
#
return

Related Content
Videos

Remotely Log In to a Switch Using Telnet.

3.3.1.3 Example for Configuring STelnet Login (Based on RADIUS
Authentication)

Overview
The Secure Shell (SSH) protocol implements secure remote login on insecure
networks, which ensures data integrity and reliability and guarantees secure data
transmission. STelnet, based on the SSH protocol, ensures information security and
provides powerful authentication function. STelnet protects a switch against
attacks such as IP spoofing. By default, you cannot log in to a switch using
STelnet. You need to log in to a switch using a console port or Telnet, and
configure the STelnet function and user interface parameters first.

RADIUS uses the client/server model in distributed mode and protects a network
against unauthorized access. It is often used on networks that require high
security and remote user access control. After STelnet login based on RADIUS
authentication is configured, a switch sends the user name and password of a
login user to the RADIUS server. The RADIUS server then authenticates the user
and records the user operations, ensuring network security.

Configuration Notes
● STelnet V1 is an insecure protocol. Using STelnet V2 is recommended.
● Ensure that the user terminal has SSH client software installed before
configuring STelnet login. In this example, the third-party software PuTTY is
used as the SSH client.
● Ensure that the user terminal has reachable routes to the switch and RADIUS
server.
● Ensure that the IP address, port number, and shared key of the RADIUS server
are configured correctly on the switch and are the same as those on the
RADIUS server.
● Ensure that a user has been configured on the RADIUS server. In this example,
the user admin123@huawei.com (in the format of user name@domain
name) and password Example@123 have been configured.
● This example applies to all versions of all S series switches.
NOTE

The following uses the command lines and outputs of the S7700 running V200R006C00 as an
example.

Networking Requirements
The network administrator requires remote login to a switch and high network
security for protecting the network against unauthorized access. To meet the
requirements, configure STelnet login based on RADIUS authentication.

As shown in Figure 3-4, the Switch functions as the SSH server and has a
reachable route to the RADIUS server. The IP address and port number of the
RADIUS server are 10.2.1.1/24 and 1812 respectively.

Figure 3-4 Networking diagram for configuring STelnet login based on RADIUS
authentication

Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair on the SSH server to implement secure data
exchange between the server and client.
2. Configure the STelnet protocol so that users can log in to the Switch using
STelnet.
3. Configure the RADIUS protocol to implement RADIUS authentication. After
the configuration is complete, you can use the user name and password
configured on the RADIUS server to log in to the Switch using STelnet,
ensuring user login security.

Procedure
Step 1 Configure STelnet login.
# Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[HUAWEI] dsa local-key-pair create //Generate a local DSA key pair.
Info: The key name will be: HUAWEI_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.

# Configure the VTY user interface.

[Switch] stelnet server enable //Enable the STelnet server function.
[Switch] ssh server-source -i Vlanif 10 //Configure the source interface of the server as the interface
corresponding to 10.1.1.1. Assume that the interface is Vlanif 10.
[Switch] user-interface vty 0 14 //Enter the user interface views of VTY 0 to VTY 14.
[Switch-ui-vty0-14] user privilege level 15 //Set the level of users in VTY 0 to VTY 14 to 15.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication mode of users in VTY 0 to VTY 14
to AAA.
[Switch-ui-vty0-14] protocol inbound ssh //Configure the user interface views in VTY 0 to VTY 14 to
support SSH.
[Switch-ui-vty0-14] quit

# Set the authentication mode of the SSH user admin123 to password authentication, and
service type to STelnet.
[Switch] ssh user admin123 authentication-type password //Set the authentication of the SSH user
admin123 to password authentication.
[Switch] ssh user admin123 service-type stelnet //Set the service type of the SSH user admin123 to
STelnet.

NOTE

To configure password authentication for multiple SSH users, run the ssh authentication-
type default password command to specify password authentication as the default
authentication mode of SSH users. After this configuration is complete, you do not need to
configure the authentication mode and service type for each SSH user, simplifying
configuration and improving efficiency.

Step 2 Configure RADIUS authentication.

# Configure a RADIUS server template on the Switch to implement
communication with the RADIUS server.
[Switch] radius-server template 1 //Enter the RADIUS server template view.
[Switch-radius-1] radius-server authentication 10.2.1.1 1812 //Configure the RADIUS server.
[Switch-radius-1] radius-server shared-key cipher Huawei@6789 //Set the shared key of the RADIUS
server to Huawei@6789.
[Switch-radius-1] quit

NOTE

If the RADIUS server does not support a user name containing the domain name, run the
undo radius-server user-name domain-included command to configure the Switch to
send packets carrying a user name without the domain name to the RADIUS server.

# Configure an AAA authentication scheme, with the authentication mode being RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1 //Create an authentication scheme named sch1.
[Switch-aaa-authen-sch1] authentication-mode radius //Set the authentication mode to RADIUS.
[Switch-aaa-authen-sch1] quit

# Create a domain, and apply the AAA authentication scheme and RADIUS server
template in the domain.
[Switch-aaa] domain huawei.com //Create a domain named huawei.com and enter the domain view.
[Switch-aaa-domain-huawei.com] authentication-scheme sch1 //Configure the authentication scheme
sch1 for the domain.
[Switch-aaa-domain-huawei.com] radius-server 1 //Apply the RADIUS server template 1 to the domain.
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

# Configure the domain huawei.com as the default global management domain so that an
administrator does not need to enter the domain name for logging in to the Switch.
[Switch] domain huawei.com admin

Step 3 Verify the configuration.

# Log in to the Switch using PuTTY on the PC. Enter the IP address of the Switch
and set the protocol type to SSH, as shown in Figure 3-5.

Figure 3-5 Connecting to the SSH server using PuTTY

# Click Open. In the login interface, type the user name admin123 and password
Example@123 as prompted and press Enter. Authentication succeeds, and you
successfully log in to the Switch using STelnet. (The following information is only
for reference.)
login as: admin123

password:

Info: The max number of VTY users is 8, and the number
of current VTY users online is 2.
The current login time is 2014-07-30 09:54:02+08:00.
<Switch>

----End
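
The RADIUS steps in 3.3.1.2 and 3.3.1.3 make the switch send the login user name (admin123@huawei.com, domain included) and password to 10.2.1.1 on port 1812 under the shared key Huawei@6789. The following Python script is an added example, not part of this document or of Huawei's implementation. It builds the Access-Request as RFC 2865 specifies (User-Password hidden with the MD5/shared-key XOR scheme), lets a minimal server check the PAP credentials, and has the NAS verify the Response Authenticator before trusting an Access-Accept. The NAS address 10.1.1.1, the packet identifier 7 and the in-memory user table are assumptions, and the exchange runs in-process rather than over UDP.

```python
"""RADIUS PAP exchange between a NAS (the switch) and a RADIUS server, per RFC 2865.
Added example: not Huawei code; NAS address, packet identifier and the user table
are assumptions, and the exchange runs in-process instead of over UDP/1812."""
import hashlib
import secrets
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # attribute types


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to 16-byte blocks; XOR block i with MD5(secret + c[i-1]),
    where c[-1] is the Request Authenticator. Only the shared key protects it."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = bytearray(), request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden, secret, request_auth):
    """Server side of hide_password; the scheme is symmetric, so a wrong key yields garbage."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, username, password, secret, nas_ip, request_auth):
    """Code(1) Identifier(1) Length(2) RequestAuthenticator(16) attributes..."""
    attrs = (_attr(USER_NAME, username)
             + _attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + _attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt):
        raise ValueError("bad RADIUS length")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("bad attribute length")
        attrs[pkt[pos]] = pkt[pos + 2:pos + pkt[pos + 1]]
        pos += pkt[pos + 1]
    return code, ident, pkt[4:20], attrs


def server_respond(request, secret, users):
    """Minimal server: check PAP credentials, answer Accept or Reject with
    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    code, ident, req_auth, attrs = parse_packet(request)
    name, ok = attrs.get(USER_NAME, b""), False
    if code == ACCESS_REQUEST and name in users and USER_PASSWORD in attrs:
        try:
            ok = secrets.compare_digest(reveal_password(attrs[USER_PASSWORD], secret, req_auth), users[name])
        except ValueError:
            ok = False
    head = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return head + hashlib.md5(head + req_auth + secret).digest()   # no reply attributes


def verify_response(response, request_auth, secret):
    """NAS side: drop any reply whose Response Authenticator does not verify under
    the shared key; otherwise anyone who can reach the NAS could inject an Accept."""
    head, resp_auth, attrs = response[:4], response[4:20], response[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return secrets.compare_digest(expected, resp_auth)


def authenticate(username, password, secret, users, nas_ip="10.1.1.1", server_secret=None):
    """Full round trip; server_secret != secret models a key mismatch between the two sides."""
    request_auth = secrets.token_bytes(16)          # fresh random per request (RFC 2865 s3)
    request = build_access_request(7, username, password, secret, nas_ip, request_auth)
    response = server_respond(request, secret if server_secret is None else server_secret, users)
    if not verify_response(response, request_auth, secret):
        return "forged"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(response[0], "unknown")


if __name__ == "__main__":
    users = {b"admin123@huawei.com": b"Example@123"}   # constructed server-side user table
    print(authenticate(b"admin123@huawei.com", b"Example@123", b"Huawei@6789", users))  # accept
```

Two points the script makes concrete. The shared key is the only thing that hides the password and authenticates the server's reply, so a captured request/response pair allows offline guessing of a weak key; this is why the configuration notes insist the key be set identically and carefully on both sides. And a reply whose Response Authenticator does not verify must be discarded, which is what the "forged" result models when the server is given a different key. No Message-Authenticator attribute is included, so the Access-Request itself carries no integrity protection beyond what the key gives the password field.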

Configuration Files
Switch configuration file
#
sysname Switch
#
domain huawei.com admin
#
radius-server template 1
radius-server shared-key cipher %^%#}+ysUO*B&+p'NRQR0{ZW7[GA*Z*!X@o:Va15dxQAj+,$>NP>63de|
G~ws,9G%^%#
radius-server authentication 10.2.1.1 1812 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius
domain huawei.com
authentication-scheme sch1
radius-server 1
#
user-interface vty 0 14
authentication-mode aaa
user privilege level 15
#
stelnet server enable
ssh server-source -i Vlanif 10
ssh user admin123
ssh user admin123 authentication-type password
ssh user admin123 service-type stelnet
#
return

Related Content
Videos

Remotely Log In to a Switch Using Telnet.

3.3.1.4 Example for Configuring the Device as the Telnet Client to Log In to
Another Device

Networking Requirements
As shown in Figure 3-6, the PC and Client have reachable routes to each other;
Client and Server have reachable routes to each other. The user needs to manage
and maintain Server remotely. However, the PC cannot directly log in to Server
through Telnet because it has no reachable route to Server. The user can log in to
Client through Telnet, and then log in to Server from Client. To prevent
unauthorized devices from logging in to Server through Telnet, an ACL needs to be
configured to allow only the Telnet connection from Client to Server.

Figure 3-6 Networking diagram of configuring the device as the Telnet client to
log in to another device

NOTICE

The Telnet protocol poses a security risk, and therefore the STelnet V2 protocol is
recommended.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the Telnet authentication mode on Server.
2. Configure the login user information on Server.
3. Configure an ACL on Server to allow Client access.
4. Log in to Server from Client through Telnet.

Procedure
Step 1 Configure the Telnet authentication mode and password on Server.
<HUAWEI> system-view
[HUAWEI] sysname Server
[Server] telnet server enable //Enable Telnet.
[Server] telnet server-source -i Vlanif 10 //Configure the source interface of the server as the interface
corresponding to 10.2.1.1. Assume that the interface is Vlanif 10.
[Server] user-interface vty 0 4
[Server-ui-vty0-4] user privilege level 15
[Server-ui-vty0-4] protocol inbound telnet
[Server-ui-vty0-4] authentication-mode aaa
[Server-ui-vty0-4] quit

Step 2 Configure the login user information.

[Server] aaa
[Server-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789
[Server-aaa] local-user admin1234 service-type telnet
[Server-aaa] local-user admin1234 privilege level 3
[Server-aaa] quit

Step 3 Configure an ACL on Server to allow Client access.

[Server] acl 2000
[Server-acl-basic-2000] rule permit source 10.1.1.1 0
[Server-acl-basic-2000] quit
[Server] user-interface vty 0 4
[Server-ui-vty0-4] acl 2000 inbound
[Server-ui-vty0-4] quit

NOTE

It is optional to configure an ACL for Telnet services.

Step 4 Verify the configuration.

# After the preceding configuration, you can log in to Server from Client through
Telnet. You cannot log in to Server from other devices.
<HUAWEI> system-view
[HUAWEI] sysname Client
[Client] quit
<Client> telnet 10.2.1.1
Trying 10.2.1.1 ...
Press CTRL+K to abort
Connected to 10.2.1.1 ...
Warning: Telnet is not a secure protocol, and it is recommended to use STelnet.

Login authentication

Username:admin1234
Password:
<Server>

----End

Configuration File
Server configuration file
#
sysname Server
#
telnet server enable
telnet server-source -i Vlanif 10
#
acl number 2000
rule 5 permit source 10.1.1.1 0
#
aaa
local-user admin1234 password irreversible-cipher $1a$gRNl~ukoL~0.WU)C2]~2a}Cz/Y0-u8M{j@Ql6/
xHryO-Y7m{=A>kWc.-q}>*$
local-user admin1234 privilege level 3
local-user admin1234 service-type telnet
#
user-interface vty 0 4
acl 2000 inbound
authentication-mode aaa
user privilege level 15
protocol inbound telnet
#
return

3.3.1.5 Example for Configuring the Device as the STelnet Client to Log In to
Another Device

Networking Requirements
The enterprise requires that secure data exchange should be performed between
the server and client. As shown in Figure 3-7, two login users client001 and
client002 are configured and they use the password and DSA authentication
modes respectively to log in to the SSH server.

Figure 3-7 Networking diagram of logging in to another device through STelnet

NOTICE

The STelnet V1 protocol poses a security risk, and therefore the STelnet V2 mode is
recommended.

Configuration Roadmap
The configuration roadmap is as follows:

1. Generate a local key pair on the SSH server to implement secure data
exchange between the server and client.
2. Configure different authentication modes for the SSH users client001 and
client002 on the SSH server.
3. Enable the STelnet service on the SSH server.
4. Configure the STelnet server type for the SSH users client001 and client002
on the SSH server.
5. Log in to the SSH server as the client001 and client002 users through
STelnet.

Procedure
Step 1 Generate a local key pair on the server.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create
Info: The key name will be: SSH Server_Host_DSA.
Info: The DSA host key named SSH Server_Host_DSA already exists.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys........
Info: Succeeded in creating the DSA host keys.

Step 2 Create an SSH user on the server.

# Configure the VTY user interface.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound ssh
[SSH Server-ui-vty0-4] quit

● Create an SSH user named client001.

# Create an SSH user named client001 and configure the password
authentication mode for the user.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher Example@123
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
[SSH Server] ssh user client001
[SSH Server] ssh user client001 authentication-type password

● Create an SSH user named client002.

# Create an SSH user named client002 and configure the DSA authentication
mode for the user.
[SSH Server] ssh user client002
[SSH Server] ssh user client002 authentication-type dsa
# Generate a local key pair for Client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create
Info: The key name will be: client002_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]:
Info: Generating keys........
Info: Succeeded in creating the DSA host keys.
# Check the public key in the DSA key pair generated on the client.
[client002] display dsa local-key-pair public
=====================================================
Time of Key pair created: 2014-03-03 16:51:28-05:13
Key name: client002_Host
Key modulus : 2048
Key type: DSA encryption Key
Key fingerprint: c0:52:b0:37:4c:b2:64:d1:8f:ff:a1:42:87:09:8c:6f
=====================================================
Key code:
30820109 02820100 CA97BCDE 697CEDE9 D9AB9475 9E004D15 C8B95116 87B79B0C
5698C582 69A9F4D0 45ED0E53 AF2EDEC1 A09DF4BE 459E34B6 6697B85D 2191A00E
92F3A5E7 FB0E73E7 F0212432 E898D979 8EAA491E E2B69727 4B51A2BE CD86A144
16748D1E 4847A814 3FE50862 6EB1AD81 EB49A05E 64F6D186 C4E94CDB 04C53074
B839305A 7F7BCE2C 606F6C91 EA958B6D AC46C12B 8C2B1E03 98F1C09D 3AF2A69D
6867F930 DF992692 9A921682 916273FC 4DD875D4 44BC371E DDBB8F6A C0A4CDB3
ADDAE853 DB86B9FA DB13CCA9 D8CF6EC1 530CC2F5 697C4707 90829982 4339507F
F354FAF9 0F9CD2C2 F7D6FF3D 901D700F F0588104 856B9592 71D773E2 E76E8EEB
431FB60D 60ABC20B 0203 010001

Host public key for PEM format code:

---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAABAQDKl7zeaXzt6dmrlHWeAE0VyLlRFoe3mwxW
mMWCaan00EXtDlOvLt7BoJ30vkWeNLZml7hdIZGgDpLzpef7DnPn8CEkMuiY2XmO
qkke4raXJ0tRor7NhqFEFnSNHkhHqBQ/5QhibrGtgetJoF5k9tGGxOlM2wTFMHS4
OTBaf3vOLGBvbJHqlYttrEbBK4wrHgOY8cCdOvKmnWhn+TDfmSaSmpIWgpFic/xN
2HXURLw3Ht27j2rApM2zrdroU9uGufrbE8yp2M9uwVMMwvVpfEcHkIKZgkM5UH/z
VPr5D5zSwvfW/z2QHXAP8FiBBIVrlZJx13Pi526O60Mftg1gq8IL
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file :

ssh-dsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKl7zeaXzt6dmrlHWeAE0VyLlRFoe3mwxWmMWCaan00EXtDlOvLt7BoJ30vkWeNLZml7hdIZGgDpLzpef7DnPn8CEkMuiY2XmOqkke4raXJ0tRor7NhqFEFnSNHkhHqBQ/5QhibrGtgetJoF5k9tGGxOlM2wTFMHS4OTBaf3vOLGBvbJHqlYttrEbBK4wrHgOY8cCdOvKmnWhn+TDfmSaSmpIWgpFic/xN2HXURLw3Ht27j2rApM2zrdroU9uGufrbE8yp2M9uwVMMwvVpfEcHkIKZgkM5UH/zVPr5D5zSwvfW/z2QHXAP8FiBBIVrlZJx13Pi526O60Mftg1gq8IL dsa-key
# Configure the public key of the client's DSA key pair on the server. The Key code
section of the display command output on the client is the public key in the
hexadecimal form the server expects. Copy it to the server.
NOTE

The public key must be a hexadecimal string. If it is not a hexadecimal string, convert
it into a hexadecimal string in advance.
[SSH Server] dsa peer-public-key dsakey001 encoding-type der
[SSH Server-dsa-public-key] public-key-code begin
Info: Enter "DSA key code" view, return the last view with "public-key-code end".
[SSH Server-dsa-key-code] 30820109
[SSH Server-dsa-key-code] 02820100
[SSH Server-dsa-key-code] CA97BCDE 697CEDE9 D9AB9475 9E004D15 C8B95116
[SSH Server-dsa-key-code] 87B79B0C 5698C582 69A9F4D0 45ED0E53 AF2EDEC1
[SSH Server-dsa-key-code] A09DF4BE 459E34B6 6697B85D 2191A00E 92F3A5E7
[SSH Server-dsa-key-code] FB0E73E7 F0212432 E898D979 8EAA491E E2B69727
[SSH Server-dsa-key-code] 4B51A2BE CD86A144 16748D1E 4847A814 3FE50862
[SSH Server-dsa-key-code] 6EB1AD81 EB49A05E 64F6D186 C4E94CDB 04C53074
[SSH Server-dsa-key-code] B839305A 7F7BCE2C 606F6C91 EA958B6D AC46C12B
[SSH Server-dsa-key-code] 8C2B1E03 98F1C09D 3AF2A69D 6867F930 DF992692
[SSH Server-dsa-key-code] 9A921682 916273FC 4DD875D4 44BC371E DDBB8F6A
[SSH Server-dsa-key-code] C0A4CDB3 ADDAE853 DB86B9FA DB13CCA9 D8CF6EC1
[SSH Server-dsa-key-code] 530CC2F5 697C4707 90829982 4339507F F354FAF9
[SSH Server-dsa-key-code] 0F9CD2C2 F7D6FF3D 901D700F F0588104 856B9592
[SSH Server-dsa-key-code] 71D773E2 E76E8EEB 431FB60D 60ABC20B
[SSH Server-dsa-key-code] 0203
[SSH Server-dsa-key-code] 010001
[SSH Server-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end

# Bind the DSA public key of the STelnet client to the SSH user client002 on
the SSH server.
[SSH Server] ssh user client002 assign dsa-key dsakey001
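
The key material the server needs in Step 2 is the client's public key, which display dsa local-key-pair public prints three ways: as a hexadecimal DER Key code (the form the dsa peer-public-key ... encoding-type der view accepts), as an SSH2 PEM block, and as an OpenSSH authorized_keys line. The Python script below is an added example, not part of this document or of VRP. It encodes and decodes the OpenSSH line (RFC 4253 public-key wire format: a type string followed by mpints) for ssh-rsa and ssh-dss keys, rejects a blob whose embedded type string does not match the leading keyword, and prints OpenSSH-style MD5 and SHA256 fingerprints of the blob. The small key values in the usage call are constructed toys, not a real key, and whether the switch's own Key fingerprint line is computed over the same blob is not stated in this document, so compare only like with like.

```python
"""Encode, decode and fingerprint OpenSSH public-key lines (RFC 4253 s6.6 wire
format). Added example; the key values used below are constructed toys."""
import base64
import hashlib
import struct

# field order inside the blob after the type string, per RFC 4253 s6.6
LAYOUT = {"ssh-rsa": ("e", "n"), "ssh-dss": ("p", "q", "g", "y")}


def _string(data):
    return struct.pack("!I", len(data)) + data


def _mpint(n):
    """RFC 4251 mpint: minimal big-endian two's complement, so a leading 0x00 is
    added when the top bit is set; zero encodes as the empty string."""
    if n < 0:
        raise ValueError("public-key fields are non-negative")
    body = b"" if n == 0 else n.to_bytes((n.bit_length() + 8) // 8, "big")
    return _string(body)


def _read_string(blob, pos):
    if pos + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack("!I", blob[pos:pos + 4])
    if pos + 4 + n > len(blob):
        raise ValueError("truncated string")
    return blob[pos + 4:pos + 4 + n], pos + 4 + n


def encode_pubkey_line(keytype, values, comment=""):
    """Build '<type> <base64 blob> [comment]' from the key's integer fields."""
    blob = _string(keytype.encode()) + b"".join(_mpint(values[f]) for f in LAYOUT[keytype])
    line = f"{keytype} {base64.b64encode(blob).decode()}"
    return f"{line} {comment}" if comment else line


def decode_pubkey_line(line):
    """Return (keytype, {field: int}, blob). The type string inside the blob is the
    authoritative one; a line whose keyword disagrees with it is rejected."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    keytype, blob = parts[0], base64.b64decode(parts[1], validate=True)
    embedded, pos = _read_string(blob, 0)
    if embedded.decode("ascii", "replace") != keytype:
        raise ValueError(f"blob carries type {embedded!r} but the line says {keytype}")
    if keytype not in LAYOUT:
        raise ValueError(f"unsupported key type {keytype}")
    values = {}
    for field in LAYOUT[keytype]:
        raw, pos = _read_string(blob, pos)
        values[field] = int.from_bytes(raw, "big")
    if pos != len(blob):
        raise ValueError("trailing bytes after the key fields")
    return keytype, values, blob


def fingerprint_md5(blob):
    """Legacy OpenSSH fingerprint: MD5 of the blob as colon-separated hex pairs."""
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def fingerprint_sha256(blob):
    """Current OpenSSH fingerprint: 'SHA256:' + unpadded base64 of SHA-256(blob)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


if __name__ == "__main__":
    toy = {"p": 0xA5, "q": 3, "g": 0x80, "y": 0x7F}   # constructed, not a real 1024/2048-bit key
    line = encode_pubkey_line("ssh-dss", toy, "dsa-key")
    keytype, values, blob = decode_pubkey_line(line)
    print(line)
    print(keytype, values, fingerprint_md5(blob), fingerprint_sha256(blob))
```

Before pasting a key into the peer-public-key view, decode the line, confirm the type matches the key type being bound (dsa here) and record the fingerprint. The same fingerprint check is what protects a client that logs in with ssh client first-time enable: on that first connection the server is not authenticated, and the fingerprint the client shows is the only thing distinguishing the real switch from an impostor.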

Step 3 Enable the STelnet service on the SSH server.

# Enable the STelnet service.
[SSH Server] stelnet server enable //Enable the STelnet server function. In V200R020 and later versions,
you must run the ssh server-source command to set the source interface of the server to the interface
using the IP address 10.1.1.1 so that the client can connect to the server through 10.1.1.1.

Step 4 Configure the STelnet service type for the client001 and client002 users.
[SSH Server] ssh user client001 service-type stelnet
[SSH Server] ssh user client002 service-type stelnet

Step 5 Connect the STelnet client to the SSH server.

# Enable first-time authentication on the SSH clients before the first login. With it
enabled, the client accepts and saves the server's public key on the first connection
without having verified it, so confirm the server's key fingerprint out of band before
answering Y at the prompt. Enable first-time authentication for Client001.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable

Enable first-time authentication for Client002.

[client002] ssh client first-time enable

# Log in to the SSH server from Client001 in password authentication mode by entering
the user name and password.
[client001] stelnet 10.1.1.1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
The server's public key will be saved with the name 10.1.1.1. Please wait...

Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:d
Enter password:

Enter the password. The following information indicates that you have logged in
successfully:

<SSH Server>

# Log in to the SSH server from Client002 in DSA authentication mode.

[client002] stelnet 10.1.1.1 user-identity-key dsa
Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:d
<SSH Server>

If the user view is displayed, you have logged in successfully. If the message
"Session is disconnected" is displayed, the login fails.
Step 6 Verify the configuration.
Run the display ssh server status command. You can see that the STelnet service
has been enabled. Run the display ssh user-information command. Information
about the configured SSH users is displayed.
# Check the status of the SSH server.
[SSH Server] display ssh server status
SSH version :2.0
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Disable
Stelnet server :Enable
Scp server :Disable
SSH server source :0.0.0.0
ACL4 number :0
ACL6 number :0

# Check information about SSH users.

[SSH Server] display ssh user-information
User 1:
User Name : client001
Authentication-type : password
User-public-key-name : -
User-public-key-type : -
Sftp-directory :-
Service-type : stelnet
Authorization-cmd : No
User 2:
User Name : client002
Authentication-type : dsa
User-public-key-name : dsakey001
User-public-key-type : dsa
Sftp-directory :-
Service-type : stelnet
Authorization-cmd : No

----End

Configuration File
● SSH server configuration file
#
sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
public-key-code begin

30820109
02820100
CA97BCDE 697CEDE9 D9AB9475 9E004D15 C8B95116 87B79B0C 5698C582 69A9F4D0
45ED0E53 AF2EDEC1 A09DF4BE 459E34B6 6697B85D 2191A00E 92F3A5E7 FB0E73E7
F0212432 E898D979 8EAA491E E2B69727 4B51A2BE CD86A144 16748D1E 4847A814
3FE50862 6EB1AD81 EB49A05E 64F6D186 C4E94CDB 04C53074 B839305A 7F7BCE2C
606F6C91 EA958B6D AC46C12B 8C2B1E03 98F1C09D 3AF2A69D 6867F930 DF992692
9A921682 916273FC 4DD875D4 44BC371E DDBB8F6A C0A4CDB3 ADDAE853 DB86B9FA
DB13CCA9 D8CF6EC1 530CC2F5 697C4707 90829982 4339507F F354FAF9 0F9CD2C2
F7D6FF3D 901D700F F0588104 856B9592 71D773E2 E76E8EEB 431FB60D 60ABC20B
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher $1a$gRNl~ukoL~0.WU)C2]~2a}Cz/Y0-u8M{j@Ql6/xHryO-Y7m{=A>kWc.-q}>*$
local-user client001 privilege level 3
local-user client001 service-type ssh
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key dsakey001
ssh user client002 service-type stelnet
#
user-interface vty 0 4
authentication-mode aaa
#
return

● Client001 configuration file


#
sysname client001
#
ssh client first-time enable
#
return

● Client002 configuration file


#
sysname client002
#
ssh client first-time enable
#
return

3.3.1.6 Example for Configuring Switch Login Through the Web System

3.3.1.6.1 Factory Settings of Web Page Files for S Series Switches


For fixed switches running V200R006 or a later version, the web page file is integrated into the system software and loaded. For factory settings of web page files in versions earlier than V200R006, see the following tables.

For modular switches:

● For factory settings of web page files in versions earlier than V200R006, see the following tables.
● In V200R006 and later versions (except V200R020C00 and later versions used on SRUA and SRUB, such as S7700-V200R020C00SPC300-SRUA&B.cc), the web page file is integrated into the system software and loaded.
● In V200R020C00 and later versions, the system software used on SRUA and SRUB does not integrate the web page file. To use the web function, obtain the web page file, upload it to the root directory of the device storage, and run the http server load filename command to load it.

Table 3-5 Factory settings of web page files for fixed switches

Cell values: "none" = the storage medium does not contain a web page file; "saved" = a web page file is saved in the storage medium but is not loaded; "loaded" = a web page file is saved in the storage medium and is loaded; "integrated" = the system software contains a web page file that is loaded; "Classics only" = the system software contains a web page file that is loaded for the Classics web system, but does not contain a web page file for the EasyOperation web system.

Product Model      | V100R006C05 | V200R001 | V200R002 | V200R003          | V200R005
S2700-SI/S2700-EI  | saved       | -        | -        | -                 | -
S2710-SI           | saved       | -        | -        | -                 | -
S2750-EI           | -           | -        | -        | loaded            | integrated
S3700-SI/S3700-EI  | saved       | -        | -        | -                 | -
S3700-HI           | -           | none     | -        | -                 | -
S5710-C-LI         | -           | none     | -        | -                 | -
S5700-EI/S5700-SI  | -           | none     | saved    | loaded            | Classics only
S5700-LI/S5700S-LI | -           | none     | saved    | loaded (see NOTE) | integrated
S5710-EI           | -           | none     | saved    | loaded            | Classics only
S5700-HI           | -           | none     | saved    | loaded            | Classics only
S5710-HI           | -           | -        | saved    | loaded            | Classics only
S6700-EI           | -           | none     | saved    | loaded            | Classics only

NOTE

The web page file for the S5700-10P-LI needs to be loaded manually.

Table 3-6 Factory settings of web page files for modular switches

Product Model | V200R001                                              | V200R002                                                            | V200R003                                                        | V200R005
S7700         | The storage medium does not contain a web page file. | A web page file is saved in the storage medium, but is not loaded. | A web page file is saved in the storage medium, and is loaded. | The system software contains a web page file that is loaded.
S9700         | The storage medium does not contain a web page file. | A web page file is saved in the storage medium, but is not loaded. | A web page file is saved in the storage medium, and is loaded. | The system software contains a web page file that is loaded.

NOTE

A hyphen (-) indicates that the version is not available for the model.

3.3.1.6.2 Example for Configuring Switch Login Through the Web System (V200R001)

Overview
The web system uses the built-in web server on a switch to provide a GUI through
which users can perform switch management and maintenance. Users can log in
to the web system from terminals using HTTPS.

Configuration Notes
This example applies to V200R001 of all S series switches.

NOTE

The following uses the command lines and outputs of the S5700-EI running V200R001C00
as an example.

Networking Requirements
As shown in Figure 3-8, a switch functions as the HTTPS server. The user wants to
log in to the web system using HTTPS to manage and maintain the switch. The
user has obtained the server digital certificate 1_servercert_pem_dsa.pem and
private key file 1_serverkey_pem_dsa.pem from the CA.

Figure 3-8 Networking diagram for configuring switch login through the web system

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a management IP address for remotely transferring files and
logging in to the switch through the web system.
2. Upload the required files to the HTTPS server through FTP, including the web
page file, server digital certificate, and private key file.
3. Load the web page file and digital certificate.
4. Bind an SSL policy and enable the HTTPS service.
5. Configure a web user and enter the web system login page.

NOTICE

FTP is an insecure protocol. Using SFTP V2, SCP, or FTPS is recommended.

Procedure
Step 1 Obtain the web page file.
The following methods are available:
● Obtain the web page file from a Huawei agent.
● Download the web page file from the Huawei enterprise technical support
website (http://support.huawei.com/enterprise). In V200R001, the web
page file is named in the format of product name-software version.web page
file version.web.zip.

NOTE

Check whether the size of the obtained web page file is the same as the file size displayed
on the website. If not, an exception may occur during file download. Download the file
again.

Step 2 Configure a management IP address.


<HUAWEI> system-view
[HUAWEI] sysname HTTPS_Server
[HTTPS_Server] vlan 10
[HTTPS_Server-vlan10] quit
[HTTPS_Server] interface vlanif 10 //Configure VLANIF 10 as the management interface.
[HTTPS_Server-Vlanif10] ip address 192.168.0.1 24 //Configure the IP address and deploy the route based on the network plan to ensure reachability between the PC and switch.
[HTTPS_Server-Vlanif10] quit

[HTTPS_Server] interface gigabitethernet 0/0/10 //In this example, GE0/0/10 is the physical interface used for logging in to the switch through the web system on a PC. Select an interface based on actual networking requirements.
[HTTPS_Server-GigabitEthernet0/0/10] port link-type access //Set the interface type to access.
[HTTPS_Server-GigabitEthernet0/0/10] port default vlan 10 //Add the interface to VLAN 10.
[HTTPS_Server-GigabitEthernet0/0/10] quit

Step 3 Upload the web page file and digital certificate to the HTTPS server through FTP.

# Configure VTY user interfaces on the HTTPS server.


[HTTPS_Server] user-interface vty 0 14 //Enter VTY user interfaces 0 to 14.
[HTTPS_Server-ui-vty0-14] authentication-mode aaa //Set the authentication mode of users in VTY user interfaces 0 to 14 to AAA.
[HTTPS_Server-ui-vty0-14] quit

# Configure the FTP function for the switch and information about an FTP user,
including the password, user level, service type, and authorized directory.
[HTTPS_Server] ftp server enable //Enable the FTP server function.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user client001 password cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[HTTPS_Server-aaa] local-user client001 privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user client001 service-type ftp //Set the user service type to FTP.
[HTTPS_Server-aaa] local-user client001 ftp-directory flash:/ //Set the FTP authorized directory to flash:/.
[HTTPS_Server-aaa] quit
[HTTPS_Server] quit

# Log in to the HTTPS server from the PC through FTP and upload the web page
file and digital certificate to the HTTPS server.

Connect the PC to the switch using FTP. Enter the user name client001 and
password Helloworld@6789 and set the file transfer mode to binary.

The following example assumes that the PC runs the Windows XP operating
system.
C:\Documents and Settings\Administrator> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): client001
331 Password required for client001.
Password:
230 User logged in.
ftp> binary //Set the file transfer mode to binary. By default, files are transferred in ASCII mode.
200 Type set to I.
ftp>

Upload the web page file and digital certificate to the HTTPS server from the PC.
ftp> put web.zip //Upload the web page file. The web.zip file is used as an example here.
200 Port command okay.
150 Opening BINARY mode data connection for web.zip
226 Transfer complete.
ftp: 1308478 bytes sent in 11 Seconds 4.6Kbytes/sec.
ftp> put 1_servercert_pem_dsa.pem
200 Port command okay.
150 Opening BINARY mode data connection for 1_servercert_pem_dsa.pem
226 Transfer complete.
ftp: 1302 bytes sent in 2 Seconds 4.6Kbytes/sec.
ftp> put 1_serverkey_pem_dsa.pem
200 Port command okay.
150 Opening BINARY mode data connection for 1_serverkey_pem_dsa.pem
226 Transfer complete.
ftp: 951 bytes sent in 1 Second 4.6Kbytes/sec.

# Run the dir command on the switch to check whether the web page file and digital certificate exist in the current storage directory.
NOTE

If the sizes of the web page file and digital certificate in the current storage directory on the switch are different from those on the PC, an exception may have occurred during file transfer. Upload the files again.

# Create the subdirectory security on the HTTPS server and copy the digital
certificate and private key file to the subdirectory.
<HTTPS_Server> mkdir security
<HTTPS_Server> copy 1_servercert_pem_dsa.pem security
Copy flash:/1_servercert_pem_dsa.pem to flash:/security/1_servercert_pem_dsa.pem?[Y/N]:y
100% complete
Info: Copied file flash:/1_servercert_pem_dsa.pem to flash:/security/1_servercert_pem_dsa.pem...Done.
<HTTPS_Server> copy 1_serverkey_pem_dsa.pem security
Copy flash:/1_serverkey_pem_dsa.pem to flash:/security/1_serverkey_pem_dsa.pem?[Y/N]:y
100% complete
Info: Copied file flash:/1_serverkey_pem_dsa.pem to flash:/security/1_serverkey_pem_dsa.pem...Done.

# Run the dir command in the security subdirectory to check the digital
certificate.
<HTTPS_Server> cd security
<HTTPS_Server> dir
Directory of flash:/security/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 1,200 Sep 26 2013 22:35:37 1_servercert_pem_dsa.pem
1 -rw- 736 Sep 26 2013 22:36:11 1_serverkey_pem_dsa.pem

30,008 KB total (348 KB free)

Step 4 Load the web page file and digital certificate.

# Load the web page file.


<HTTPS_Server> system-view
[HTTPS_Server] http server load web.zip

# Create an SSL policy and load the PEM digital certificate.


[HTTPS_Server] ssl policy http_server
[HTTPS_Server-ssl-policy-http_server] certificate load pem-cert 1_servercert_pem_dsa.pem key-pair dsa key-file 1_serverkey_pem_dsa.pem auth-code 123456
[HTTPS_Server-ssl-policy-http_server] quit

# After the preceding configurations are complete, run the display ssl policy
command on the HTTPS server to check detailed information about the loaded
digital certificate.
[HTTPS_Server] display ssl policy

SSL Policy Name: http_server


Policy Applicants:
Key-pair Type: DSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_dsa.pem
Key-file Filename: 1_serverkey_pem_dsa.pem
Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:

Step 5 Bind an SSL policy and enable the HTTPS service.


NOTE

Disable the HTTP service before enabling the HTTPS service.


[HTTPS_Server] undo http server enable //Disable the HTTP service.
[HTTPS_Server] http secure-server ssl-policy http_server //Bind an SSL policy named http_server to the HTTP server.
[HTTPS_Server] http secure-server enable //Enable the HTTPS service.

Step 6 Configure a web user and enter the web system login page.

# Configure a web user.


[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user admin password cipher Helloworld@6789 //Create a local user named admin and set its password to Helloworld@6789.
[HTTPS_Server-aaa] local-user admin privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user admin service-type http //Set the access type to http, that is, web user.
[HTTPS_Server-aaa] quit

# Enter the web system login page.

Open the web browser on the PC, type https://192.168.0.1 in the address box, and
press Enter. The web system login page is displayed, as shown in Figure 3-9.

You can log in to the web system using the Internet Explorer (6.0 or 8.0) or Firefox
(3.5) browsers. If the browser version or browser patch version is not within the
preceding ranges, the web page may be displayed incorrectly. Additionally, the
web browser used to log in to the web system must support JavaScript.

Enter the user name, password, and verification code. Click Login. The web system
home page is displayed.

Figure 3-9 Web system login page

Step 7 Verify the configuration.

Log in to the switch through the web system. The login succeeds.

Run the display http server command to view the SSL policy name and the
HTTPS server status.
[HTTPS_Server] display http server
HTTP Server Status : disabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users :0
Maximum Users Allowed :5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : http_server

----End

Configuration Files
HTTPS_Server configuration file
#
sysname HTTPS_Server
#
FTP server enable
#
vlan batch 10
#
undo http server enable
http server load web.zip
http secure-server ssl-policy http_server
http secure-server enable
#
aaa
local-user admin password cipher %$%$_h,hW_!nJ!2gXkH9v$X)+,#w%$%$
local-user admin privilege level 15
local-user admin service-type http
local-user client001 password cipher %$%$jD,QKAhe{Yd9kD9Fqi#I+QH~%$%$
local-user client001 privilege level 15
local-user client001 ftp-directory flash:/
local-user client001 service-type ftp
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet0/0/10
port link-type access
port default vlan 10
#
user-interface vty 0 14
authentication-mode aaa
#
ssl policy http_server
certificate load pem-cert 1_servercert_pem_dsa.pem key-pair dsa key-file 1_serverkey_pem_dsa.pem auth-code 123456
#
return

3.3.1.6.3 Example for Configuring Switch Login Through the Web System (V100R006C05&V200R002&V200R003)

Overview
The web system uses the built-in web server on a switch to provide a GUI through
which users can perform switch management and maintenance. Users can log in
to the web system from terminals using HTTPS.

Configuration Notes
This example applies to V100R006C05, V200R002, and V200R003 of all S series
switches.

NOTE

The following uses the command lines and outputs of the S5700-EI running V200R002C00
as an example.

Networking Requirements
As shown in Figure 3-10, a switch functions as the HTTPS server. The user wants
to log in to the web system using HTTPS to manage and maintain the switch.

Figure 3-10 Networking diagram for configuring switch login through the web system

Configuration Roadmap
The configuration roadmap is as follows:

NOTE

The web page file is delivered with a switch. For all switches in V100R006C05&V200R002
and S5700-10P-LI switches in V200R003C00, you need to load the web page file. Fixed
switches excluding S5700-10P-LI in V200R003 have loaded the web page file before
delivery. Step 2 can be skipped.
A switch provides a default SSL policy and has a randomly generated self-signed digital
certificate in the web page file. If the default SSL policy and self-signed digital certificate
can meet security requirements, you do not need to upload a digital certificate or manually
configure an SSL policy, simplifying configuration. The following configuration uses the
default SSL policy provided by the switch as an example.

1. Configure a management IP address for logging in to the switch through the web system.
2. Load the web page file.
3. Configure a web user and enter the web system login page.

Procedure
Step 1 Configure a management IP address.
<HUAWEI> system-view
[HUAWEI] sysname HTTPS_Server
[HTTPS_Server] vlan 10
[HTTPS_Server-vlan10] quit
[HTTPS_Server] interface vlanif 10 //Configure VLANIF 10 as the management interface.

[HTTPS_Server-Vlanif10] ip address 192.168.0.1 24 //Configure the IP address and deploy the route based on the network plan to ensure reachability between the PC and switch.
[HTTPS_Server-Vlanif10] quit
[HTTPS_Server] interface gigabitethernet 1/0/10 //In this example, GE1/0/10 is the physical interface used for logging in to the switch through the web system on a PC. Select an interface based on actual networking requirements.
[HTTPS_Server-GigabitEthernet1/0/10] port link-type access //Set the interface type to access.
[HTTPS_Server-GigabitEthernet1/0/10] port default vlan 10 //Add the interface to VLAN 10.
[HTTPS_Server-GigabitEthernet1/0/10] quit

Step 2 Load the web page file.


NOTE

● Run the dir command to view the name of the web page file carried by the switch.
● In V100R006C05, the web page file is named in the format of product name-software
version.web page file version.web.zip. In V200R002 and V200R003, the web page file is
named in the format of product name-software version.web page file version.web.7z.
[HTTPS_Server] http server load web.7z //Load the web page file. The web.7z file is used as an example here.

Step 3 Enable the HTTPS service.


[HTTPS_Server] http secure-server enable //The HTTPS service is enabled by default and does not require manual configuration. If the HTTPS service is manually disabled, run this command to enable it.

Step 4 Configure a web user and enter the web system login page.
# Configure a web user.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user admin password cipher Helloworld@6789 //Create a local user named admin and set its password to Helloworld@6789.
[HTTPS_Server-aaa] local-user admin privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user admin service-type http //Set the access type to http, that is, web user.
[HTTPS_Server-aaa] quit

# Enter the web system login page.


Open the web browser on the PC, type https://192.168.0.1 in the address box, and
press Enter. The web system login page is displayed, as shown in Figure 3-11.
The supported browsers depend on the version: Internet Explorer (6.0 – 9.0) or Firefox (3.5 – 17.0) for V100R006C05, Internet Explorer (8.0) or Firefox (3.6) for V200R001C00, and Internet Explorer (6.0 – 9.0) or Firefox (3.5 – 17.0) for V200R003C00. If the browser version or browser patch version is not within the preceding ranges, the web page may be displayed incorrectly. Additionally, the web browser used to log in to the web system must support JavaScript.
Enter the user name, password, and verification code. Click Login. The web system
home page is displayed.

Figure 3-11 Web system login page

Step 5 Verify the configuration.


Log in to the switch through the web system. The login succeeds.
Run the display http server command to view the status of the HTTPS server.
[HTTPS_Server] display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users :0
Maximum Users Allowed :5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : Default

----End

Configuration Files
HTTPS_Server configuration file
#
sysname HTTPS_Server
#
vlan batch 10
#
http server load web.7z
#
aaa
local-user admin password cipher %$%$+8;_RIkI680;]{;b/Vo&T/l>%$%$
local-user admin privilege level 15
local-user admin service-type http
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/10
port link-type access
port default vlan 10

#
return
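The configuration files above (the SSH server and client files, and the HTTPS_Server files of 3.3.1.6.2 and 3.3.1.6.3) expose the same management-plane settings a reviewer checks: whether plain HTTP is disabled beside HTTPS, whether a named SSL policy or the default self-signed one is bound, whether the FTP server flagged in the NOTICE stays enabled, and how local-user passwords and SSH authentication are configured. The following Python audit is an added example, not Huawei code; parse_sections, audit_config and the sample configurations (constructed to mirror the document's files, with password blobs replaced by placeholders) are assumptions of this example.

```python
"""Audit Huawei VRP configuration files for the management-plane settings used
in the SSH and web-login examples.  Added example, not Huawei code; the sample
configurations are constructed to mirror the document's files (password blobs
replaced by placeholders)."""
import re
# Constructed after the V200R001 HTTPS_Server file: HTTP off, named SSL policy.
HTTPS_V200R001 = """\
#
FTP server enable
#
undo http server enable
http secure-server ssl-policy http_server
http secure-server enable
#
aaa
 local-user admin password cipher %$%$PLACEHOLDER%$%$
 local-user admin service-type http
 local-user client001 password cipher %$%$PLACEHOLDER%$%$
 local-user client001 service-type ftp
#
user-interface vty 0 14
 authentication-mode aaa
#
return
"""
# Constructed after the V200R005 procedure: HTTPS on by default, HTTP untouched.
HTTPS_V200R005 = """\
#
FTP server enable
#
aaa
 local-user admin password irreversible-cipher %$%$PLACEHOLDER%$%$
 local-user admin service-type http
#
return
"""
# Constructed after the SSH server file; the VTY block deliberately lacks AAA.
SSH_SERVER = """\
#
stelnet server enable
ssh user client001 authentication-type password
ssh user client002 authentication-type dsa
#
user-interface vty 0 4
#
return
"""
# Constructed after the client001 file ('first-time enable' accepts unknown keys).
SSH_CLIENT = "#\nssh client first-time enable\n#\nreturn\n"

USER_PW = re.compile(r"^local-user (\S+) password (cipher|irreversible-cipher)\b")
SSH_AUTH = re.compile(r"^ssh user (\S+) authentication-type (\S+)")

def parse_sections(text):
    """Split a VRP config into '#'-delimited blocks of stripped command lines."""
    sections, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        sections.append(current)
    return sections

def audit_config(text, https_on_by_default=True):
    """Return findings.  https_on_by_default follows the document: False for
    V200R001 (needs an explicit 'http secure-server enable'), True afterwards."""
    sections = parse_sections(text)
    flat = [cmd.lower() for sec in sections for cmd in sec]
    findings = []
    http_on = "undo http server enable" not in flat
    https_on = https_on_by_default or "http secure-server enable" in flat
    if https_on and http_on:
        findings.append("plain HTTP enabled beside HTTPS: add 'undo http server enable'")
    if https_on and not any(c.startswith("http secure-server ssl-policy ") for c in flat):
        findings.append("HTTPS on the default SSL policy (random self-signed certificate)")
    if "ftp server enable" in flat:
        findings.append("FTP server enabled: prefer SFTP V2, SCP or FTPS")
    if "ssh client first-time enable" in flat:
        findings.append("SSH client accepts unauthenticated server keys on first login")
    for cmd in flat:
        m = USER_PW.match(cmd)
        if m and m.group(2) == "cipher":
            findings.append(f"local-user {m.group(1)}: reversible 'cipher' password storage")
        m = SSH_AUTH.match(cmd)
        if m and m.group(2) == "password":
            findings.append(f"ssh user {m.group(1)}: password instead of key authentication")
    for sec in sections:
        if sec[0].startswith("user-interface vty") and "authentication-mode aaa" not in sec:
            findings.append(f"{sec[0]}: no AAA authentication on these VTY lines")
    return findings

if __name__ == "__main__":
    print(audit_config(HTTPS_V200R001, https_on_by_default=False), audit_config(HTTPS_V200R005))
```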

3.3.1.6.4 Example for Configuring Switch Login Through the Web System (V200R005)

Overview
The web system uses the built-in web server on a switch to provide a GUI through
which users can perform switch management and maintenance. Users can log in
to the web system from terminals using HTTPS.

The web system is available in EasyOperation and Classics versions.


● The EasyOperation version provides rich graphics and a more user-friendly UI
on which users can perform monitoring, configuration, maintenance, and
other network operations.
● The Classics version inherits the web page style of Huawei switches and
provides comprehensive configuration and management functions.

Configuration Notes
This example applies to V200R005 of all S series switches.

NOTE

The following uses the command lines and outputs of the S5700-HI running V200R005 as
an example.

Networking Requirements
As shown in Figure 3-12, a switch functions as the HTTPS server. The user wants
to log in to the web system using HTTPS to manage and maintain the switch.

Figure 3-12 Networking diagram for configuring switch login through the web system

Configuration Roadmap
NOTE

A switch provides a default SSL policy and has a randomly generated self-signed digital
certificate in the web page file. If the default SSL policy and self-signed digital certificate
can meet security requirements, you do not need to upload a digital certificate or manually
configure an SSL policy, simplifying configuration. The following configuration uses the
default SSL policy provided by the switch as an example.

In V200R005, the system software of the following switch models has the web page file (both the EasyOperation and Classics editions) integrated and loaded. You only need to configure a web user and enter the web system login page.
● Modular switch: all models
● Fixed switch: S2750, S5700-LI, S5700S-LI
In V200R005, the S5700-SI, S5700-EI, S5710-EI, S5700-HI, S5710-HI, and S6700-EI have only the Classics web page file loaded. To use the Classics web system, you only need to configure a web user and enter the web system login page. To use the EasyOperation web system, perform the configuration based on the following roadmap:
1. Configure a management IP address for remotely transferring files and
logging in to the switch through the web system.
2. Upload the web page file to the HTTPS server through FTP.
3. Load the web page file.
4. Configure a web user and enter the web system login page.

NOTICE

FTP is an insecure protocol. Using SFTP V2, SCP, or FTPS is recommended.

Procedure
Step 1 Obtain the web page file.
The following methods are available:
● Obtain the web page file from a Huawei agent.
● Download the web page file from the Huawei enterprise technical support
website (http://support.huawei.com/enterprise).
– For a fixed switch, download the system software containing the web
page file.
– For a modular switch, download the web page file.
– In V200R005, the web page file is named in the format of product name-
software version.web page file version.web.7z.

NOTE

Check whether the size of the obtained web page file is the same as the file size displayed
on the website. If not, an exception may occur during file download. Download the file
again.

Step 2 Configure a management IP address.


<HUAWEI> system-view
[HUAWEI] sysname HTTPS_Server
[HTTPS_Server] vlan 10
[HTTPS_Server-vlan10] quit
[HTTPS_Server] interface vlanif 10 //Configure VLANIF 10 as the management interface.
[HTTPS_Server-Vlanif10] ip address 192.168.0.1 24 //Configure the IP address and deploy the route based on the network plan to ensure reachability between the PC and switch.
[HTTPS_Server-Vlanif10] quit
[HTTPS_Server] interface gigabitethernet 0/0/10 //In this example, GE0/0/10 is the physical interface used for logging in to the switch through the web system on a PC. Select an interface based on actual networking requirements.
[HTTPS_Server-GigabitEthernet0/0/10] port link-type access //Set the interface type to access.
[HTTPS_Server-GigabitEthernet0/0/10] port default vlan 10 //Add the interface to VLAN 10.
[HTTPS_Server-GigabitEthernet0/0/10] quit

Step 3 Upload the web page file to the HTTPS server through FTP.

# Configure VTY user interfaces on the HTTPS server.


[HTTPS_Server] user-interface vty 0 14 //Enter VTY user interfaces 0 to 14.
[HTTPS_Server-ui-vty0-14] authentication-mode aaa //Set the authentication mode of users in VTY user interfaces 0 to 14 to AAA.
[HTTPS_Server-ui-vty0-14] quit

# Configure the FTP function for the switch and information about an FTP user,
including the password, user level, service type, and authorized directory.
[HTTPS_Server] ftp server enable //Enable the FTP server function.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[HTTPS_Server-aaa] local-user client001 privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user client001 service-type ftp //Set the user service type to FTP.
[HTTPS_Server-aaa] local-user client001 ftp-directory flash:/ //Set the FTP authorized directory to flash:/.
[HTTPS_Server-aaa] quit

# Log in to the HTTPS server from the PC through FTP and upload the web page
file to the HTTPS server.

Connect the PC to the switch using FTP. Enter the user name client001 and
password Helloworld@6789 and set the file transfer mode to binary.

The following example assumes that the PC runs the Windows XP operating
system.
C:\Documents and Settings\Administrator> ftp 192.168.0.1
Connected to 192.168.0.1.
220 FTP service ready.
User (192.168.0.1:(none)): client001
331 Password required for client001.
Password:
230 User logged in.
ftp> binary //Set the file transfer mode to binary. By default, files are transferred in ASCII mode.
200 Type set to I.
ftp>

Upload the web page file to the HTTPS server from the PC.
ftp> put web.7z //Upload the web page file. The web.7z file is used as an example here.
200 Port command okay.
150 Opening BINARY mode data connection for web.7z
226 Transfer complete.
ftp: 1308478 bytes sent in 11 Seconds 4.6Kbytes/sec.

NOTE

If the size of the web page file on the switch differs from its size on the PC, the transfer was
incomplete or corrupted. Upload the web page file again and compare the sizes before loading it.

Step 4 Load the web page file.

# Load the web page file.


[HTTPS_Server] http server load web.7z //Load the web page file.

Step 5 Enable the HTTPS service.


[HTTPS_Server] http secure-server enable //The HTTPS service is enabled by default and does not
require manual configuration. If the HTTPS service is manually disabled, run this command to enable it.

Step 6 Configure a web user and enter the web system login page.
# Configure a web user.
[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user admin password irreversible-cipher Helloworld@6789 //Set the login
password to Helloworld@6789.
[HTTPS_Server-aaa] local-user admin privilege level 15 //Set the user level to 15.
[HTTPS_Server-aaa] local-user admin service-type http //Set the user service type to HTTP.
[HTTPS_Server-aaa] quit

# Enter the web system login page.


Open the web browser on the PC, type https://192.168.0.1 in the address box, and
press Enter. The web system login page is displayed, as shown in Figure 3-13.
Enter the web user name admin and password Helloworld@6789, and click GO
or press Enter. The web system home page is displayed. By default, the
EasyOperation web system is opened after login.

Figure 3-13 Web system login page

Step 7 Verify the configuration.


Log in to the switch through the web system. The login succeeds.

Run the display http server command to view the status of the HTTPS server.
[HTTPS_Server] display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users :0
Maximum Users Allowed :5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : Default
HTTP IPv6 Server Status : disabled
HTTP IPv6 Server Port : 80(80)
HTTP IPv6 Secure-server Status : disabled
HTTP IPv6 Secure-server Port : 443(443)

----End

Configuration Files
HTTPS_Server configuration file
#
sysname HTTPS_Server
#
FTP server enable
#
vlan batch 10
#
http server load web.7z
#
aaa
local-user admin password irreversible-cipher %@%@wU:(2j8~r8Htyu3.]',NwU`Td[-A9~9"%4Kvhm'0RV[/U`Ww%@%@
local-user admin privilege level 15
local-user admin service-type http
local-user client001 password irreversible-cipher %@%@5d~9:M^ipCfL\iB)EQd>,,ajwsi[\ad,saejin[qndi83Uwe%@%@
local-user client001 privilege level 15
local-user client001 ftp-directory flash:/
local-user client001 service-type ftp
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/10
port link-type access
port default vlan 10
#
user-interface vty 0 14
authentication-mode aaa
#
return

Related Content
Videos
Log In to a Switch Using the Web System.
Configure a Switch Using the Web System.

3.3.1.6.5 Example for Configuring Switch Login Through the Web System
(V200R006 and later versions)

Overview
The web system uses the built-in web server on a switch to provide a GUI through
which users can perform switch management and maintenance. Users can log in
to the web system from terminals using HTTPS.
The web system is available in EasyOperation and Classics versions.
● The EasyOperation version provides rich graphics and a more user-friendly UI
on which users can perform monitoring, configuration, maintenance, and
other network operations.
● The Classics version inherits the web page style of Huawei switches and
provides comprehensive configuration and management functions.
NOTE

In V200R011C10 and later versions, the Classics version is not supported.

Configuration Notes
This example applies to V200R006 and later versions of all S series switches.

NOTE

The following uses the command lines and outputs of the S5720-EI running V200R008C00
as an example.

Networking Requirements
As shown in Figure 3-14, a switch functions as the HTTPS server. The user wants
to log in to the web system using HTTPS to manage and maintain the switch.

Figure 3-14 Networking diagram for configuring switch login through the web
system

Configuration Roadmap
The configuration roadmap is as follows:
● The web page file is integrated into the system software of the switch and
loaded automatically. No manual configuration is required.
● A switch provides a default SSL policy and a randomly generated self-signed
digital certificate in the web page file. If the default SSL policy and
self-signed digital certificate meet your security requirements, you do not need
to upload a digital certificate or manually configure an SSL policy, which
simplifies configuration. The following configuration uses the default SSL policy
provided by the switch as an example. Because the certificate is self-signed, the
browser cannot validate it against a trusted CA and displays a warning on the
first connection; verify the certificate fingerprint out of band before accepting
it, or install a CA-issued certificate instead.
● Configure a management IP address for logging in to the switch through the
web system.
● Configure a web user and enter the web system login page.

Procedure
Step 1 Configure a management IP address.
<HUAWEI> system-view
[HUAWEI] sysname HTTPS_Server
[HTTPS_Server] vlan 10
[HTTPS_Server-vlan10] quit
[HTTPS_Server] interface vlanif 10 //Configure VLANIF 10 as the management interface.
[HTTPS_Server-Vlanif10] ip address 192.168.0.1 24 //Configure the IP address and deploy the route
based on the network plan to ensure reachability between the PC and switch.
[HTTPS_Server-Vlanif10] quit
[HTTPS_Server] interface gigabitethernet 1/0/10 //In this example, GE1/0/10 is the physical interface
used for logging in to the switch through the web system on a PC. Select an interface based on actual
networking requirements.
[HTTPS_Server-GigabitEthernet1/0/10] port link-type access //Set the interface type to access.
[HTTPS_Server-GigabitEthernet1/0/10] port default vlan 10 //Add the interface to VLAN 10.
[HTTPS_Server-GigabitEthernet1/0/10] quit

Step 2 Enable the HTTPS service.


[HTTPS_Server] http secure-server enable //The HTTPS service is enabled by default and does not
require manual configuration. If the HTTPS service is manually disabled, run this command to enable it.
[HTTPS_Server] http server-source -i Vlanif 10 //Set the source interface of the server to VLANIF 10 so
that the client can connect to the server through 192.168.0.1.

Step 3 Configure a web user and enter the web system login page.

# Configure a web user.


[HTTPS_Server] aaa
[HTTPS_Server-aaa] local-user admin password irreversible-cipher Helloworld@6789 //Set the login
password to Helloworld@6789.
[HTTPS_Server-aaa] local-user admin privilege level 15 //Set the user level to 15.
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]Y
[HTTPS_Server-aaa] local-user admin service-type http //Set the user service type to HTTP.
[HTTPS_Server-aaa] quit

# Enter the web system login page.

Open the web browser on the PC, type https://192.168.0.1 in the address box, and
press Enter. The web system login page is displayed, as shown in Figure 3-15.

Table 3-7 lists the browser versions supported for login to a switch through the
web system. If the browser version or browser patch version is outside the listed
ranges, the web page may not be displayed properly; upgrade the browser and
browser patch. In addition, the browser must support JavaScript.

Enter the web user name admin and password Helloworld@6789, and click GO
or press Enter. The web system home page is displayed. By default, the
EasyOperation web system is opened after login.

Table 3-7 Mapping between the product version and browser version
Product Version | Browser Version for EasyOperation Web System | Browser Version for Classic Web System
V200R006 | IE 8.0 to 11.0, Firefox 12.0 to 28.0, or Chrome 23.0 to 34.0 | IE 8.0 to 11.0, or Firefox 12.0 to 28.0
V200R007 | IE 8.0 to 11.0, Firefox 12.0 to 32.0, or Chrome 23.0 to 37.0 | IE 8.0 to 11.0, or Firefox 12.0 to 32.0
V200R008 | IE 10.0, IE 11.0, Firefox 31.0 to 35.0, or Chrome 30.0 to 39.0 | IE 10.0, IE 11.0, or Firefox 31.0 to 35.0
V200R009 | IE 10.0, IE 11.0, Firefox 35.0 to 45.0, or Chrome 34.0 to 49.0 | IE 10.0, IE 11.0, or Firefox 35.0 to 45.0
V200R010 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 39.0 to 49.0, or Chrome 39.0 to 54.0 | IE 10.0, IE 11.0, or Firefox 39.0 to 49.0
V200R011C10 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 53.0 to 59.0, or Chrome 54.0 to 66.0 | Not supported
V200R012 (C00 and C20) | Microsoft Edge, IE 10.0, IE 11.0, Firefox 53.0 to 59.0, or Chrome 54.0 to 66.0 | Not supported
V200R013C00 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 58.0 to 62.0, or Chrome 60.0 to 69.0 | Not supported
V200R013C02 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 61.0 to 66.0, or Chrome 64.0 to 73.0 | Not supported
V200R019C00 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 61.0 to 66.0, or Chrome 64.0 to 73.0 | Not supported
V200R019C10 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 61.0 to 66.0, or Chrome 64.0 to 73.0 | Not supported
V200R020C00 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 61.0 to 66.0, or Chrome 64.0 to 73.0 | Not supported
V200R020C10 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 61.0 to 66.0, or Chrome 64.0 to 73.0 | Not supported
V200R021C00 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 85.0 to 89.0, or Chrome 82.0 to 91.0 | Not supported
V200R021C00SPC600 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 85.0 to 89.0, or Chrome 82.0 to 91.0 | Not supported
V200R021C01 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 85.0 to 89.0, or Chrome 82.0 to 91.0 | Not supported
V200R021C10 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 85.0 to 89.0, or Chrome 82.0 to 91.0 | Not supported
V200R022C00 | Microsoft Edge, IE 10.0, IE 11.0, Firefox 97.0 to 101.0, or Chrome 93.0 to 102.0 | Not supported

Figure 3-15 Web system login page

Step 4 Verify the configuration.


Log in to the switch through the web system. The login succeeds.

Run the display http server command to view the status of the HTTPS server.
[HTTPS_Server] display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users :0
Maximum Users Allowed :5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : Default
HTTP IPv6 Server Status : disabled
HTTP IPv6 Server Port : 80(80)
HTTP IPv6 Secure-server Status : disabled
HTTP IPv6 Secure-server Port : 443(443)
HTTP server source address : 0.0.0.0 //This field, which shows the source address of the HTTP server, is
displayed only in V200R020 and later versions.

----End
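The display http server output above (and the identical output in Step 7 of the preceding example) is the place to check before the web system is exposed. The following script is an added example, not part of the Huawei documentation or switch software: it parses that output into fields and reports the settings a reviewer would question, namely plaintext HTTP left enabled beside HTTPS, the default SSL policy with its self-signed certificate, and a source address of 0.0.0.0. The finding codes are this example's own naming, and treating 0.0.0.0 as "no source interface bound" is an assumption about the display format.

```python
"""Audit `display http server` output from a Huawei S series switch.

Added example, not from the Huawei documentation: it parses the status block
shown in the configuration example and reports settings a reviewer would
question before exposing the web system. Finding codes are this example's own.
"""
import re

# Constructed sample: the page's `display http server` output, as one string.
SAMPLE_OUTPUT = """\
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users :0
Maximum Users Allowed :5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : Default
HTTP IPv6 Server Status : disabled
HTTP IPv6 Server Port : 80(80)
HTTP IPv6 Secure-server Status : disabled
HTTP IPv6 Secure-server Port : 443(443)
HTTP server source address : 0.0.0.0
"""

_FIELD = re.compile(r"^(?P<key>[^:]+?)\s*:\s*(?P<value>.*)$")


def parse_http_server(output: str) -> dict:
    """Map each 'Field : value' line of the display output to a dict entry."""
    fields = {}
    for line in output.splitlines():
        m = _FIELD.match(line.strip())
        if m:
            fields[m.group("key").strip()] = m.group("value").strip()
    return fields


def audit_http_server(fields: dict) -> list:
    """Return (code, message) findings for risky web-system settings."""
    findings = []
    if fields.get("HTTP Server Status") == "enabled":
        findings.append(("PLAINTEXT_HTTP",
                         "plaintext HTTP is enabled on port %s; web login "
                         "credentials sent over it can be captured on the path"
                         % fields.get("HTTP Server Port", "?")))
    if fields.get("HTTP Secure-server Status") != "enabled":
        findings.append(("HTTPS_DISABLED", "HTTPS service is disabled"))
    if fields.get("HTTP SSL Policy", "").lower() == "default":
        findings.append(("SELF_SIGNED_CERT",
                         "default SSL policy uses the switch's self-signed "
                         "certificate; pin its fingerprint or install a CA-issued one"))
    # Assumption: 0.0.0.0 means no source address/interface has been bound.
    if fields.get("HTTP server source address") == "0.0.0.0":
        findings.append(("UNBOUND_SOURCE",
                         "web service is not bound to the management interface"))
    return findings


if __name__ == "__main__":
    for code, message in audit_http_server(parse_http_server(SAMPLE_OUTPUT)):
        print(code, "-", message)
```

Paste the output of display http server captured from your own switch in place of the constructed sample; an empty findings list means the plaintext server is disabled, HTTPS is enabled with a non-default SSL policy, and a source address is bound.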

Configuration Files
HTTPS_Server configuration file
#
sysname HTTPS_Server
#
vlan batch 10
#
aaa
local-user admin password irreversible-cipher %#%#wU:(2j8~r8Htyu3.]',NwU`Td[-A9~9"%4Kvhm'0RV[/U`Ww%#%#
local-user admin privilege level 15
local-user admin service-type http
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/10
port link-type access
port default vlan 10
#
return

3.3.2 Typical File Management Configuration

3.3.2.1 Example for Logging In to the Switch to Manage Files

Overview
You can log in to the switch through the console port, Telnet, or STelnet to
manage storage devices, directories, and local files. Only logged-in users can
manage the storage. To transfer files, use FTP, TFTP, SFTP, Secure Copy Protocol
(SCP), or FTPS.

Configuration Notes
● Before logging in to the switch to manage files, complete the following task:
– Log in to the switch from a terminal.
● This example applies to all versions of all S series switches.

NOTE

The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an
example.

Networking Requirements
A user logs in to the Switch using the console port, Telnet, or STelnet from the PC,
and needs to perform the following operations on the files on the Switch:
● View the files and subdirectories in the current directory.
● Create the directory test. Copy the file vrpcfg.zip to test and rename the file
as backup.zip.
● View files in test.

Figure 3-16 Networking diagram for logging in to the switch to manage files

Procedure
Step 1 View the files and subdirectories in the current directory.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] quit
<Switch> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 889 Mar 01 2012 14:41:56 private-data.txt
1 -rw- 6,311 Feb 17 2012 14:05:04 backup.cfg
2 -rw- 2,393 Mar 06 2012 17:20:10 vrpcfg.zip
3 -rw- 812 Dec 12 2011 15:43:10 hostkey
4 drw- - Mar 01 2012 14:41:46 compatible
5 -rw- 540 Dec 12 2011 15:43:12 serverkey
...
509,256 KB total (52,752 KB free)

Step 2 Create the directory test. Copy the file vrpcfg.zip to test and rename the file as
backup.zip.
# Create the directory test.
<Switch> mkdir test
Info: Create directory flash:/test......Done.

# Copy the file vrpcfg.zip to test and rename the file as backup.zip.
<Switch> copy vrpcfg.zip flash:/test/backup.zip //Set the target file name to backup.zip. If not
specified, the target file name is the same as the source file name.
Copy flash:/vrpcfg.zip to flash:/test/backup.zip?[Y/N]:y
100% complete/
Info: Copied file flash:/vrpcfg.zip to flash:/test/backup.zip...Done.

Step 3 View files in test.

# Access test.
<Switch> cd test

# View the current directory.


<Switch> pwd
flash:/test

# View files in test.


<Switch> dir
Directory of flash:/test/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 2,399 Mar 12 2012 11:16:44 backup.zip

509,256 KB total (52,748 KB free)

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
return

3.3.2.2 Example for Managing Files Using FTP

Overview
After a switch is configured as an FTP server, users can access the switch using
FTP client software on their local terminals and manage files between the switch
and the terminals. FTP is simple to configure and supports both file transfer and
directory management.

FTP provides authorization and authentication for file management. However, user
names, passwords, and file contents are transferred in plaintext, so anyone on
the network path can capture or modify them.

FTP is applicable to file management when high network security is not required,
and is often used for version upgrades.

Configuration Notes
● Before managing files using FTP, complete the following tasks:
– Ensure that routes are reachable between the terminal and the switch.
– Ensure that FTP client software is installed on the terminal.
● FTP is an insecure protocol. Using SFTP V2, Secure Copy Protocol (SCP), or
FTPS is recommended.
● If the number of FTP users on the switch reaches the maximum value (5),
new authorized users cannot log in. FTP users who have finished their file
operations should log out so that new FTP users can log in.
● This example applies to all versions of all S series switches.

NOTE

The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an
example.

Networking Requirements
As shown in Figure 3-17, the PC connects to the switch, and the IP address of the
management network interface on the switch is 10.136.23.5. The switch needs to
be upgraded. The switch is required to function as the FTP server so that you can
upload the system software from the PC to the switch and back up the
configuration file to the PC.

Figure 3-17 Networking diagram for managing files using FTP

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure the FTP function for the switch and information about an FTP user,
including the user name and password, user level, service type, and
authorized directory.
2. Save the current configuration file on the switch.
3. Establish an FTP connection between the PC and the switch.
4. Upload the system software to the switch and back up the configuration file
of the switch to the PC.

Procedure
Step 1 Configure the FTP function for the switch and information about an FTP user.
<HUAWEI> system-view
[HUAWEI] sysname FTP_Server
[FTP_Server] ftp server enable //Enable the FTP server function.
[FTP_Server] ftp server-source -i Vlanif 10 //Configure the source interface of the server as the interface
corresponding to 10.136.23.5. Assume that the interface is Vlanif 10.
[FTP_Server] aaa
[FTP_Server-aaa] local-user admin1234 password irreversible-cipher Helloworld@6789 //Set the login
password to Helloworld@6789.
[FTP_Server-aaa] local-user admin1234 privilege level 15 //Set the user level to 15.
[FTP_Server-aaa] local-user admin1234 service-type ftp //Set the user service type to FTP.
[FTP_Server-aaa] local-user admin1234 ftp-directory flash:/ //Set the FTP service authorized directory to
flash:/.
[FTP_Server-aaa] quit
[FTP_Server] quit

Step 2 Save the current configuration file on the switch.


<FTP_Server> save

Step 3 Establish an FTP connection between the PC and the switch. Enter the user name
admin1234 and password Helloworld@6789 and set the file transfer mode to
binary.
The following example assumes that the PC runs the Windows XP operating
system.
C:\Documents and Settings\Administrator> ftp 10.136.23.5
Connected to 10.136.23.5.
220 FTP service ready.
User (10.136.23.5:(none)): admin1234
331 Password required for admin1234.
Password:
230 User logged in.
ftp> binary //Set the file transfer mode to binary. The default mode is ASCII.
200 Type set to I.
ftp>

The ASCII mode is used to transfer text files, and the binary mode is used to
transfer programs including the system software (with the file name extension
of .cc, .bin, or .pat), images, voices, videos, compressed packages, and database
files.
Step 4 Upload the system software to the switch and back up the configuration file of
the switch to the PC.
# Upload the system software to the switch.
ftp> put devicesoft.cc
200 Port command okay.
150 Opening BINARY mode data connection for devicesoft.cc
226 Transfer complete.
ftp: 106616955 bytes sent in 151.05 Seconds 560.79Kbytes/sec.

# Back up the configuration file of the switch to the PC.


ftp> get vrpcfg.zip
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.zip.
226 Transfer complete.
ftp: 1257 bytes received in 0.03Seconds 40.55Kbytes/sec.

NOTE

Before uploading and downloading files to the FTP server, determine the FTP working
directory on the FTP client. For example, the default FTP working directory on the Windows
XP operating system is the login user working directory (such as C:\Documents and
Settings\Administrator). This directory also stores the system software to be uploaded and
backup configuration file.

Step 5 Verify the configuration.


# Run the dir command on the switch to check whether the system software is
uploaded to the switch.
<FTP_Server> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 14 Mar 13 2012 14:13:38 back_time_a
1 drw- - Mar 11 2012 00:58:54 logfile
2 -rw- 4 Nov 17 2011 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2012 21:15:56 private-data.txt
4 -rw- 1,257 Mar 12 2012 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2012 14:13:38 back_time_b
6 -rw- 106,616,955 Mar 13 2012 14:24:24 devicesoft.cc
7 drw- - Oct 31 2011 10:20:28 sysdrv
8 drw- - Feb 21 2012 17:16:36 compatible
9 drw- - Feb 09 2012 14:20:10 selftest
10 -rw- 19,174 Feb 20 2012 18:55:32 backup.cfg
11 -rw- 23,496 Dec 15 2011 20:59:36 20111215.zip
12 -rw- 588 Nov 04 2011 13:54:04 servercert.der
13 -rw- 320 Nov 04 2011 13:54:26 serverkey.der
14 drw- - Nov 04 2011 13:58:36 security
...
509,256 KB total (52,752 KB free)

# Check whether the file vrpcfg.zip is stored in the FTP working directory on the
PC.

----End

Configuration Files
FTP_Server configuration file
#
sysname FTP_Server
#
FTP server enable
#
aaa
local-user admin1234 password irreversible-cipher %^%#-=9Z)M,-aL$_U%#$W^1T-\}Fqpe$E<#H$J<6@KTSL/J'\}I-%^%#
local-user admin1234 privilege level 15
local-user admin1234 ftp-directory flash:/
local-user admin1234 service-type ftp
#
return

Related Content
Videos

Remotely Transfer Files Using FTP.

3.3.2.3 Example for Managing Files Using SFTP

Overview
After a switch is configured as an SFTP server, users can communicate with the
switch using SFTP. SFTP runs over SSH, which authenticates the server and
encrypts and integrity-protects the session, ensuring high security. Both SFTP
and FTP can be configured on the switch.

SFTP is applicable to file management when high network security is required, and
is often used for downloading logs and backing up the configuration file.

Configuration Notes
● Before managing files using SFTP, complete the following tasks:
– Ensure that routes are reachable between the terminal and the switch.
– Ensure that SSH client software is installed on the terminal.
● SFTP V1 is an insecure protocol. Using SFTP V2 or FTPS is recommended.
● This example applies to all versions of all S series switches.


NOTE

The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an
example.

Networking Requirements
As shown in Figure 3-18, the PC connects to the switch, and the IP address of the
management network interface on the switch is 10.136.23.4. Files need to be
transferred securely between the PC and switch to prevent man-in-the-middle
attacks and network attacks such as DNS spoofing and IP spoofing. Configure the
switch as the SSH server to provide the SFTP service so that the server
authenticates the client and data is encrypted in both directions, ensuring
secure file transfer.

Figure 3-18 Networking diagram for managing files using SFTP

Configuration Roadmap
The configuration roadmap is as follows:

1. Generate a local key pair on the SSH server and enable the SFTP server
function to implement secure data exchange between the server and client.
2. Configure VTY user interfaces on the SSH server.
3. Configure an SSH user, including the authentication mode, service type, SFTP
authorized directory, user name, and password.
4. Use the third-party software OpenSSH to access the SSH server.

Procedure
Step 1 Generate a local key pair on the SSH server and enable the SFTP server function.
<HUAWEI> system-view
[HUAWEI] sysname SSH_Server
[SSH_Server] dsa local-key-pair create //Generate a local DSA key pair.
Info: The key name will be: SSH_Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]: //Press Enter. The default key length (2048 bits) is used.
Info: Generating keys...
Info: Succeeded in creating the DSA host keys.
[SSH_Server] sftp server enable //Enable the SFTP server function.
[SSH_Server] ssh server-source -i Vlanif 10 //Configure the source interface of the server as the interface
corresponding to 10.136.23.4. Assume that the interface is Vlanif 10.

Step 2 Configure VTY user interfaces on the SSH server.


[SSH_Server] user-interface vty 0 14 //Enter the user interface views of VTY 0 to VTY 14.
[SSH_Server-ui-vty0-14] authentication-mode aaa //Set the authentication mode of users in VTY 0 to
VTY 14 to AAA.
[SSH_Server-ui-vty0-14] protocol inbound ssh //Configure the user interface views of VTY 0 to VTY 14 to
support SSH.
[SSH_Server-ui-vty0-14] quit

Step 3 Configure an SSH user, including the authentication mode, service type, SFTP
authorized directory, user name, and password.
[SSH_Server] ssh user client001 authentication-type password //Set the authentication mode to
password authentication.
[SSH_Server] ssh user client001 service-type sftp //Set the user service type to SFTP.
[SSH_Server] ssh user client001 sftp-directory flash: //Set the SFTP service authorized directory to flash:.
[SSH_Server] aaa
[SSH_Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789 //Set the login
password to Helloworld@6789.
[SSH_Server-aaa] local-user client001 privilege level 15 //Set the user level to 15.
[SSH_Server-aaa] local-user client001 service-type SSH //Set the user service type to SSH.
[SSH_Server-aaa] quit

Step 4 Access the SFTP server using OpenSSH.


OpenSSH commands can be used in the Windows Command Prompt window only
after the OpenSSH software is installed.

NOTE

Ensure that the OpenSSH version matches the operating system of the PC. Otherwise, you
may fail to access the switch using SFTP. Note also that OpenSSH 7.0 and later do not accept
DSA (ssh-dss) host keys by default, so a current OpenSSH client will refuse the DSA host key
generated in Step 1 unless ssh-dss is explicitly re-enabled on the client; generating an RSA
host key pair on the switch instead avoids this.

Figure 3-19 Windows Command Prompt window

After the PC connects to the switch using the third-party software, enter the SFTP
view to perform file operations.

----End

Configuration Files
SSH_Server configuration file
#
sysname SSH_Server
#
aaa
local-user client001 password irreversible-cipher %^%#-=9Z)M,-aL$_U%#$W^1T-\}Fqpe$E<#H$J<6@KTSL/J'\}I-%^%#
local-user client001 privilege level 15
local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
user-interface vty 0 14
authentication-mode aaa
#
return
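The FTP_Server configuration file in 3.3.2.2 and the SSH_Server configuration file above differ in exactly the ways the Configuration Notes warn about: one enables FTP and gives a level-15 user the whole flash: file system, the other restricts the VTY lines to SSH but still authorizes the root directory for SFTP. The following script is an added example, not part of the Huawei documentation or switch software: it parses configuration files in the plain-text form shown in the Configuration Files sections and reports those hardening gaps. The two embedded configurations are the page's own examples with their wrapped password hashes rejoined; the finding codes, the set of services treated as plaintext, and the check names are this example's own.

```python
"""Audit a Huawei VRP configuration file for file-transfer hardening gaps.

Added example, not part of the Huawei documentation. It parses the plain-text
'Configuration Files' blocks shown in the FTP and SFTP examples and reports
settings a security reviewer would question. Codes are this example's own.
"""
import re

# Constructed samples: the two configuration files from the page.
FTP_SERVER_CONFIG = r"""#
sysname FTP_Server
#
FTP server enable
#
aaa
 local-user admin1234 password irreversible-cipher %^%#-=9Z)M,-aL$_U%#$W^1T-\}Fqpe$E<#H$J<6@KTSL/J'\}I-%^%#
 local-user admin1234 privilege level 15
 local-user admin1234 ftp-directory flash:/
 local-user admin1234 service-type ftp
#
return
"""

SSH_SERVER_CONFIG = r"""#
sysname SSH_Server
#
aaa
 local-user client001 password irreversible-cipher %^%#-=9Z)M,-aL$_U%#$W^1T-\}Fqpe$E<#H$J<6@KTSL/J'\}I-%^%#
 local-user client001 privilege level 15
 local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
user-interface vty 0 14
 authentication-mode aaa
 protocol inbound ssh
#
return
"""

PLAINTEXT_SERVICES = {"ftp", "telnet"}  # credentials cross the wire unencrypted


def split_sections(config):
    """Split a VRP config into blocks delimited by lines containing only '#'."""
    sections, current = [], []
    for line in config.splitlines():
        if line.strip() == "#":
            if current:
                sections.append(current)
            current = []
        elif line.strip():
            current.append(line.strip())
    return sections + ([current] if current else [])


def parse_local_users(config):
    """Collect per-user attributes from 'local-user <name> <attr> ...' lines."""
    users = {}
    for line in config.splitlines():
        m = re.match(r"\s*local-user (\S+) (\S+)(?:\s+(.*))?$", line)
        if not m:
            continue
        name, attr, rest = m.group(1), m.group(2), (m.group(3) or "")
        u = users.setdefault(name, {"services": set(), "level": None,
                                    "ftp_dir": None, "pw_mode": None})
        if attr == "service-type":
            u["services"].update(rest.split())
        elif attr == "privilege" and rest.startswith("level "):
            u["level"] = int(rest.split()[1])
        elif attr == "ftp-directory":
            u["ftp_dir"] = rest.strip()
        elif attr == "password" and rest:
            u["pw_mode"] = rest.split()[0]   # simple | cipher | irreversible-cipher
    return users


def is_root_dir(path):
    """True when the authorized directory is the whole flash: file system."""
    return path is not None and path.rstrip("/").lower() == "flash:"


def audit_config(config):
    """Return (code, subject, message) findings for one configuration file."""
    findings = []
    if re.search(r"^\s*ftp server enable\s*$", config, re.I | re.M):
        findings.append(("FTP_ENABLED", "ftp server", "FTP is enabled: user names, "
                         "passwords and files cross the network in plaintext; "
                         "prefer SFTP, SCP or FTPS"))
    for name, u in parse_local_users(config).items():
        plain = sorted(u["services"] & PLAINTEXT_SERVICES)
        if plain:
            findings.append(("PLAINTEXT_SERVICE", name,
                             "user may log in over " + ", ".join(plain)))
        if is_root_dir(u["ftp_dir"]):
            findings.append(("ROOT_DIRECTORY", name, "FTP directory is flash:, so "
                             "the user can read or replace the configuration "
                             "file and system software"))
        if u["pw_mode"] in ("simple", "cipher"):
            findings.append(("REVERSIBLE_PASSWORD", name, "password is stored in "
                             "plain or reversible form; use irreversible-cipher"))
    for m in re.finditer(r"^\s*ssh user (\S+) sftp-directory (\S+)", config, re.M):
        if is_root_dir(m.group(2)):
            findings.append(("ROOT_DIRECTORY", m.group(1),
                             "SFTP directory is flash:, giving access to every file"))
    for section in split_sections(config):
        if section[0].startswith("user-interface vty") and \
                "protocol inbound ssh" not in section:
            findings.append(("VTY_NOT_SSH_ONLY", section[0], "VTY lines are not "
                             "restricted to SSH; add 'protocol inbound ssh'"))
    return findings
```

Run audit_config on the text of display current-configuration saved from your own switch; the ROOT_DIRECTORY finding is the one to act on first, because a dedicated upload directory rather than flash: limits what a compromised transfer account can read or overwrite.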

3.3.2.4 Example for Accessing Files on Other Devices Using TFTP

Overview
After a switch is configured as a TFTP client, it can access a remote TFTP server
to upload and download files. TFTP requires no user name or password, which
simplifies information exchange, but it has no authorization or authentication
mechanism and transfers data in plaintext, so it brings security risks and is
vulnerable to network viruses and attacks. Exercise caution when using TFTP.

TFTP is acceptable only on an isolated, high-performance LAN such as a lab
network, for example for loading and upgrading system software.

Configuration Notes
● Before accessing files on the TFTP server, ensure that routes are reachable
between the switch and TFTP server.
● The switch can only function as a TFTP client.
● The TFTP mode supports only file transfer, but does not support interaction.
● TFTP has no authorization or authentication mechanism and transfers data in
plaintext, which brings security risks and is vulnerable to network viruses and
attacks.
● This example applies to all versions of all S series switches.
NOTE

The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an
example.

Networking Requirements
As shown in Figure 3-20, the remote server at IP address 10.1.1.1/24 functions as
the TFTP server. The switch at IP address 10.2.1.1/24 functions as the TFTP client
and has reachable routes to the TFTP server.

The switch needs to be upgraded. You need to download the system software
from the TFTP server to the switch and back up the current configuration file of
the switch to the TFTP server.

Figure 3-20 Networking diagram for accessing files on another device using TFTP

Configuration Roadmap
The configuration roadmap is as follows:
1. Run the TFTP software on the TFTP server and set the TFTP working directory.
2. Upload and download files on the switch using TFTP commands.

Procedure
Step 1 Run the TFTP software on the TFTP server and set the TFTP working directory. For
the detailed operations, see the help document of the third-party TFTP software.
Step 2 Upload and download files on the switch using TFTP commands.
<HUAWEI> tftp 10.1.1.1 get devicesoft.cc //Download devicesoft.cc.
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...
|
TFTP: Downloading the file successfully.
106616955 byte(s) received in 722 second(s).
<HUAWEI> tftp 10.1.1.1 put vrpcfg.zip //Upload vrpcfg.zip.
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait...
100%
TFTP: Uploading the file successfully.
7717 byte(s) sent in 1 second(s).

Step 3 Verify the configuration.


# Run the dir command on the switch to check whether the system software is
downloaded to the switch.
<HUAWEI> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName


0 -rw- 14 Mar 13 2012 14:13:38 back_time_a
1 drw- - Mar 11 2012 00:58:54 logfile
2 -rw- 4 Nov 17 2011 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2012 21:15:56 private-data.txt
4 -rw- 7,717 Mar 12 2012 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2012 14:13:38 back_time_b
6 -rw- 106,616,955 Mar 13 2012 14:24:24 devicesoft.cc
7 drw- - Oct 31 2011 10:20:28 sysdrv
8 drw- - Feb 21 2012 17:16:36 compatible
9 drw- - Feb 09 2012 14:20:10 selftest
10 -rw- 19,174 Feb 20 2012 18:55:32 backup.cfg
11 -rw- 43,496 Dec 15 2011 20:59:36 20111215.zip
12 -rw- 588 Nov 04 2011 13:54:04 servercert.der
13 -rw- 320 Nov 04 2011 13:54:26 serverkey.der
14 drw- - Nov 04 2011 13:58:36 security
...
509,256 KB total (52,752 KB free)

# Check whether the file vrpcfg.zip is stored in the working directory on the TFTP
server.

----End

Configuration Files
None

3.3.2.5 Example for Accessing Files on Other Devices Using FTP

Overview
After a switch is configured as an FTP client, it can log in to the FTP server to
transfer files and to manage files and directories on the FTP server. Accessing
other devices using FTP is simple to configure, and FTP supports both file
transfer and file directory management. FTP provides authorization and
authentication for managing files. However, FTP transfers data in plaintext,
which poses security risks.

FTP is applicable to file transfer when high network security is not required, and is
often used for downloading the system software from the FTP server and backing
up the configuration file.

Configuration Notes
● Before accessing files on the FTP server, ensure that routes are reachable
between the switch and FTP server.
● FTP is an insecure protocol. Using SFTP V2, Secure Copy Protocol (SCP), or
FTPS is recommended.
● This example applies to all versions of all S series switches.
NOTE

The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an
example.

Networking Requirements
As shown in Figure 3-21, the remote server at IP address 10.1.1.1/24 functions as
the FTP server. The switch at IP address 10.2.1.1/24 functions as the FTP client and
has reachable routes to the FTP server.

The switch needs to be upgraded. You need to download the system software
from the FTP server to the switch and back up the current configuration file of the
switch to the FTP server.

Figure 3-21 Networking diagram for accessing files on another device using FTP

Configuration Roadmap
The configuration roadmap is as follows:

1. Run the FTP software on the FTP server and configure an FTP user.
2. Establish an FTP connection between the switch and the FTP server.
3. Upload and download files on the switch using FTP commands.

Procedure
Step 1 Run the FTP software on the FTP server and configure an FTP user. For the
detailed operations, see the help document of the third-party FTP software.

Step 2 Establish an FTP connection between the switch and the FTP server.
<HUAWEI> ftp 10.1.1.1
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1.
220 FTP service ready.
User(10.1.1.1:(none)):admin
331 Password required for admin.
Enter password:
230 User logged in.

Step 3 Upload and download files on the switch using FTP commands.
[ftp] binary //Set the file transfer mode to binary. The default mode is ASCII.
[ftp] get devicesoft.cc //Download the system software on the FTP server to the switch.
[ftp] put vrpcfg.zip //Upload the backup configuration file on the switch to the FTP server.
[ftp] quit

The ASCII mode is used to transfer text files, and the binary mode is used to
transfer programs including the system software (with the file name extension
of .cc, .bin, or .pat), images, voices, videos, compressed packages, and database
files.

Step 4 Verify the configuration.


# Run the dir command on the switch to check whether the system software is
downloaded to the switch.
<HUAWEI> dir
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName
0 -rw- 14 Mar 13 2012 14:13:38 back_time_a
1 drw- - Mar 11 2012 00:58:54 logfile
2 -rw- 4 Nov 17 2011 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2012 21:15:56 private-data.txt
4 -rw- 7,717 Mar 12 2012 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2012 14:13:38 back_time_b
6 -rw- 106,616,955 Mar 13 2012 14:24:24 devicesoft.cc
7 drw- - Oct 31 2011 10:20:28 sysdrv
8 drw- - Feb 21 2012 17:16:36 compatible
9 drw- - Feb 09 2012 14:20:10 selftest
10 -rw- 19,174 Feb 20 2012 18:55:32 backup.cfg
11 -rw- 43,496 Dec 15 2011 20:59:36 20111215.zip
12 -rw- 588 Nov 04 2011 13:54:04 servercert.der
13 -rw- 320 Nov 04 2011 13:54:26 serverkey.der
14 drw- - Nov 04 2011 13:58:36 security
...

509,256 KB total (52,752 KB free)

# Check whether the file vrpcfg.zip is stored in the working directory on the FTP
server.
----End

Configuration Files
None

3.3.2.6 Example for Accessing Files on Other Devices Using SFTP

Overview
SFTP is an SSH-based secure file transfer protocol, which uses secure connections
for data transmission. After a switch is configured as an SFTP client, the remote
SFTP server can authenticate the client and encrypt data in bidirectional mode to
ensure secure file transfer and directory management.
SFTP is applicable to accessing files on other devices when high network security
is required, and is used for uploading and downloading logs.

Configuration Notes
● Before accessing files on the SSH server using SFTP, ensure that routes are
reachable between the switch and SSH server.
● SFTP V1 is an insecure protocol. Using SFTP V2 or FTPS is recommended.
● This example applies to all versions of all S series switches.
NOTE

The following uses the command lines and outputs of the S5720-EI running V200R008C00 as an
example.

Networking Requirements
As shown in Figure 3-22, the routes between the SSH server and clients client001
and client002 are reachable. A Huawei switch is used as the SSH server in this
example.
The clients client001 and client002 are required to connect to the SSH server in
password and DSA authentication modes respectively to ensure secure access to
files on the SSH server.

Figure 3-22 Networking diagram for accessing files on another device using SFTP

Configuration Roadmap
The configuration roadmap is as follows:
1. Generate a local key pair on the SSH server and enable the SFTP server
function to implement secure data exchange between the server and client.
2. Configure the clients client001 and client002 on the SSH server to log in to
the SSH server in password and DSA authentication modes, respectively.
3. Generate a local key pair on client002 and configure the generated DSA
public key on the SSH server, which implements authentication for the client
when a user logs in to the server from the client.
4. On the SSH server, enable client001 and client002 to log in to the SSH server
using SFTP and access the files.

Procedure
Step 1 On the SSH server, generate a local key pair and enable the SFTP server function.
<HUAWEI> system-view
[HUAWEI] sysname SSH Server
[SSH Server] dsa local-key-pair create //Generate a local DSA key pair.
Info: The key name will be: SSH Server_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]: //Press Enter. The default key length (2048 bits) is used.
Info: Generating keys........
Info: Succeeded in creating the DSA host keys.
[SSH Server] sftp server enable //Enable the SFTP server function.
Info: Succeeded in starting the SFTP server.
[SSH Server] ssh server-source -i Vlanif 10 //In V200R020 and later versions, you must run the ssh server-source command to set the source interface of the server to the interface using the IP address 10.1.1.1 (Vlanif 10 is assumed here) so that the client can connect to the server through 10.1.1.1.

Step 2 Create SSH users on the SSH server.


# Configure VTY user interfaces on the SSH server.
[SSH Server] user-interface vty 0 4 //Enter the user interface views of VTY 0 to VTY 4.
[SSH Server-ui-vty0-4] authentication-mode aaa //Set the authentication mode of users in VTY 0 to VTY 4 to AAA.
[SSH Server-ui-vty0-4] protocol inbound ssh //Configure the user interface views of VTY 0 to VTY 4 to support SSH.
[SSH Server-ui-vty0-4] user privilege level 3 //Set the user level to 3.
[SSH Server-ui-vty0-4] quit

# Create an SSH user named client001 and configure the password
authentication mode for the user.
[SSH Server] ssh user client001 //Create an SSH user.
[SSH Server] ssh user client001 authentication-type password //Set the authentication mode to password authentication.
[SSH Server] ssh user client001 service-type sftp //Set the user service type to SFTP.
[SSH Server] ssh user client001 sftp-directory flash: //Set the SFTP service authorized directory to flash:.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password irreversible-cipher Helloworld@6789 //Set the login password to Helloworld@6789.
[SSH Server-aaa] local-user client001 service-type ssh //Set the user service type to SSH.
[SSH Server-aaa] local-user client001 privilege level 3 //Set the user level to 3.
[SSH Server-aaa] quit

# Create an SSH user named client002 and configure the DSA authentication
mode for the user.
[SSH Server] ssh user client002 //Create an SSH user.
[SSH Server] ssh user client002 authentication-type dsa //Set the authentication mode to DSA authentication.
[SSH Server] ssh user client002 service-type sftp //Set the user service type to SFTP.
[SSH Server] ssh user client002 sftp-directory flash: //Set the SFTP service authorized directory to flash:.

Step 3 Generate a local key pair on client002 and configure the generated DSA public
key on the SSH server.
# Generate a local key pair on client002.
<HUAWEI> system-view
[HUAWEI] sysname client002
[client002] dsa local-key-pair create //Generate a local DSA key pair.
Info: The key name will be: client002_Host_DSA.
Info: The key modulus can be any one of the following : 1024, 2048.
Info: If the key modulus is greater than 512, it may take a few minutes.
Please input the modulus [default=2048]: //Press Enter. The default key length (2048 bits) is used.
Info: Generating keys........
Info: Succeeded in creating the DSA host keys.

# Check the DSA public key generated on client002.


[client002] display dsa local-key-pair public
=====================================================
Time of Key pair created:2014-08-27 06:35:16+08:00
Key name : client002_Host_DSA
Key modulus : 2048
Key type : DSA encryption Key
Key fingerprint: b7:68:86:90:d8:19:f3:e6:4a:f2:e9:fd:e4:24:ef:a5
=====================================================
Key code:
30820322
02820100
DEDEBA5C 8244DCB8 E696917C EFEBC0B3 E6FB60BE
8B9E36D3 E4EB9CD6 EB7FD210 219AC0F4 1AD47BF1
EACD435D 39AFA8FA CB6A7819 305EE147 E428912E
60452B37 CA17D611 C2EE4C46 B4BC7726 54C26856
A99ECFA5 D800367B 31A90522 F139496F 4182DBFD
AAB59973 9AB02185 856A881F 9197368B 92DBF684
9D1C746B A27E12F9 8A28E4B6 D0587D65 5979A750
5413E91E FC961C3F 79209625 CFA8D7D4 69FA35A3
9E37B614 047D535D CD63AF30 58B3A25B 79C714B6
326B7DB6 067EBF15 3CC1A720 B0E1A7E3 9C13FEB3
BA26E6B0 52DC5BFF EE7C5C52 148FE6C2 40738FBB
8F05D416 B2B5DD72 E3629BB5 9244BF9F A29C4FCD
4EA0EE50 1FC6695D 03D68D51 9324E493
0214
C6C484E1 F0076B8A FCAD302B 98B50A3A 542ABEBB
02820100
3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD
96AE9215 7A29C723 72FE8A02 EBED3B76 BE810B42
21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6
5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4
2036205C 6EFAB148 66E6A106 0DF6258B EE31CFE7
4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7
9A56E32E C15A0659 3D17C407 29F587C7 74959017
62B08070 24564B2E E79C6E1D 86793548 76CC662A
1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278
26D4CDE5 189A93EA 531E0FF8 2199EF35 DF038976
4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62
A915EE63 F660C092 360C5D2D 796AF230 DB7461F7
C15B6DBA 65C9EFAB 247DB13D 4942E2FF
02820100
D7C6399A 86F7B38C 85168EF8 692BD9B4 01AA7BCD
98559075 98039259 0C54818C 650A95C7 0A5250EB
12124E5B C4123350 C190CC8B 4FFFD418 7E8F113F
6C36AB4B A56D2D1D 2C874C75 8400DAFE 4BABF957
4EDC8E7C DF5934DB 3AD717E5 50B1096B C0B46DE5
3FB508FA CB76FF1C 42CF7082 7DDEEB47 5C5C4F64
B1C8815C 496AC1E0 04C10EDD FE849B76 6DA15B48
0C9CF0B1 10BDDC08 41A65C28 8E21ADC6 48A93DF6
14552C1F 76A401AE E06E482D 6582052E 5B11A678
A467B38A B77C1C55 D367E253 FFA44841 FC38A462
B9AC24E6 DAD01628 F09ED629 58F666C1 1DEF7BD0
634C3D13 D75F2614 8CB49AFC 498A5195 F443CA4D
C02FF228 A90D7593 AE46C5D0 4B224FEE

Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1kc3MAAAEBAN7eulyCRNy45paRfO/rwLPm+2C+i5420+TrnNbrf9IQ
IZrA9BrUe/HqzUNdOa+o+stqeBkwXuFH5CiRLmBFKzfKF9YRwu5MRrS8dyZUwmhW
qZ7PpdgANnsxqQUi8TlJb0GC2/2qtZlzmrAhhYVqiB+RlzaLktv2hJ0cdGuifhL5
iijkttBYfWVZeadQVBPpHvyWHD95IJYlz6jX1Gn6NaOeN7YUBH1TXc1jrzBYs6Jb
eccUtjJrfbYGfr8VPMGnILDhp+OcE/6zuibmsFLcW//ufFxSFI/mwkBzj7uPBdQW
srXdcuNim7WSRL+fopxPzU6g7lAfxmldA9aNUZMk5JMAAAAVAMbEhOHwB2uK/K0w
K5i1CjpUKr67AAABADrBF0bulZy9MPZpxX4pC8R8tbv9lq6SFXopxyNy/ooC6+07
dr6BC0IhrY0y93I/g1n0a2b/eAXMP4bV1lvUJL1wZ37/Gs+bPM4CzUBGVg2kIDYg
XG76sUhm5qEGDfYli+4xz+dLbFm0b+Wan75k+YLsNqZp/1l/t5pW4y7BWgZZPRfE
Byn1h8d0lZAXYrCAcCRWSy7nnG4dhnk1SHbMZiodPeHRLHnhAsCxDlycRCizrrky
eCbUzeUYmpPqUx4P+CGZ7zXfA4l2RThDT/OZJPBb8XrIjjQJkbXqCmKpFe5j9mDA
kjYMXS15avIw23Rh98Fbbbplye+rJH2xPUlC4v8AAAEAVkz2m0fokxPL5DekN8U4
2SkvxBhh7W+pMLesuDOBY9PIqfwcZqY23Oi7/eJGojmX0wYTOWi8t09Qn/LmeFNt
AEaxHc4nLmvjxDuyjoTSA/AAYJDYJ6HWZoScy3mzDCUtEMGuaL/6SRUuH5wf9hMf
LZzmb6ETrf8S5RZWVyZv3TKm3/FEAH7PNQYe8BYYG3SCfvgtqYQzRTZrDL6wLbCo
otdHydlhfz9CtIYH3gfhnjXoq/X6HLQAFTexhBuoJ7nCtjC9c1HhJFicadQK2iY/
AOOu8jCp0l6vOUH4cniOONh6Mts9UiJNYnvZsjVJFzdkRsNpvcMBhK4/NneGPPMN
+A==
---- END SSH2 PUBLIC KEY ----

Public key code for pasting into OpenSSH authorized_keys file :
ssh-dss AAAAB3NzaC1kc3MAAAEBAN7eulyCRNy45paRfO/rwLPm+2C+i5420+TrnNbrf9IQIZrA9BrUe/HqzUNdOa+o+stqeBkwXuFH5CiRLmBFKzfKF9YRwu5MRrS8dyZUwmhWqZ7PpdgANnsxqQUi8TlJb0GC2/2qtZlzmrAhhYVqiB+RlzaLktv2hJ0cdGuifhL5iijkttBYfWVZeadQVBPpHvyWHD95IJYlz6jX1Gn6NaOeN7YUBH1TXc1jrzBYs6JbeccUtjJrfbYGfr8VPMGnILDhp+OcE/6zuibmsFLcW//ufFxSFI/mwkBzj7uPBdQWsrXdcuNim7WSRL+fopxPzU6g7lAfxmldA9aNUZMk5JMAAAAVAMbEhOHwB2uK/K0wK5i1CjpUKr67AAABADrBF0bulZy9MPZpxX4pC8R8tbv9lq6SFXopxyNy/ooC6+07dr6BC0IhrY0y93I/g1n0a2b/eAXMP4bV1lvUJL1wZ37/Gs+bPM4CzUBGVg2kIDYgXG76sUhm5qEGDfYli+4xz+dLbFm0b+Wan75k+YLsNqZp/1l/t5pW4y7BWgZZPRfEByn1h8d0lZAXYrCAcCRWSy7nnG4dhnk1SHbMZiodPeHRLHnhAsCxDlycRCizrrkyeCbUzeUYmpPqUx4P+CGZ7zXfA4l2RThDT/OZJPBb8XrIjjQJkbXqCmKpFe5j9mDAkjYMXS15avIw23Rh98Fbbbplye+rJH2xPUlC4v8AAAEAVkz2m0fokxPL5DekN8U42SkvxBhh7W+pMLesuDOBY9PIqfwcZqY23Oi7/eJGojmX0wYTOWi8t09Qn/LmeFNtAEaxHc4nLmvjxDuyjoTSA/AAYJDYJ6HWZoScy3mzDCUtEMGuaL/6SRUuH5wf9hMfLZzmb6ETrf8S5RZWVyZv3TKm3/FEAH7PNQYe8BYYG3SCfvgtqYQzRTZrDL6wLbCootdHydlhfz9CtIYH3gfhnjXoq/X6HLQAFTexhBuoJ7nCtjC9c1HhJFicadQK2iY/AOOu8jCp0l6vOUH4cniOONh6Mts9UiJNYnvZsjVJFzdkRsNpvcMBhK4/NneGPPMN+A== dsa-key

# Configure the generated DSA public key on the SSH server. The Key code section
of the display command output is the generated DSA public key. Copy the key code
to the SSH server.
[SSH Server] dsa peer-public-key dsakey001 encoding-type der
[SSH Server-dsa-public-key] public-key-code begin
[SSH Server-dsa-key-code]30820322
[SSH Server-dsa-key-code]02820100
[SSH Server-dsa-key-code]DEDEBA5C 8244DCB8 E696917C EFEBC0B3 E6FB60BE
[SSH Server-dsa-key-code]8B9E36D3 E4EB9CD6 EB7FD210 219AC0F4 1AD47BF1
[SSH Server-dsa-key-code]EACD435D 39AFA8FA CB6A7819 305EE147 E428912E
[SSH Server-dsa-key-code]60452B37 CA17D611 C2EE4C46 B4BC7726 54C26856
[SSH Server-dsa-key-code]A99ECFA5 D800367B 31A90522 F139496F 4182DBFD
[SSH Server-dsa-key-code]AAB59973 9AB02185 856A881F 9197368B 92DBF684
[SSH Server-dsa-key-code]9D1C746B A27E12F9 8A28E4B6 D0587D65 5979A750
[SSH Server-dsa-key-code]5413E91E FC961C3F 79209625 CFA8D7D4 69FA35A3
[SSH Server-dsa-key-code]9E37B614 047D535D CD63AF30 58B3A25B 79C714B6
[SSH Server-dsa-key-code]326B7DB6 067EBF15 3CC1A720 B0E1A7E3 9C13FEB3
[SSH Server-dsa-key-code]BA26E6B0 52DC5BFF EE7C5C52 148FE6C2 40738FBB
[SSH Server-dsa-key-code]8F05D416 B2B5DD72 E3629BB5 9244BF9F A29C4FCD
[SSH Server-dsa-key-code]4EA0EE50 1FC6695D 03D68D51 9324E493
[SSH Server-dsa-key-code]0214
[SSH Server-dsa-key-code]C6C484E1 F0076B8A FCAD302B 98B50A3A 542ABEBB
[SSH Server-dsa-key-code]02820100
[SSH Server-dsa-key-code]3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD
[SSH Server-dsa-key-code]96AE9215 7A29C723 72FE8A02 EBED3B76 BE810B42
[SSH Server-dsa-key-code]21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6
[SSH Server-dsa-key-code]5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4
[SSH Server-dsa-key-code]2036205C 6EFAB148 66E6A106 0DF6258B EE31CFE7
[SSH Server-dsa-key-code]4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7
[SSH Server-dsa-key-code]9A56E32E C15A0659 3D17C407 29F587C7 74959017
[SSH Server-dsa-key-code]62B08070 24564B2E E79C6E1D 86793548 76CC662A
[SSH Server-dsa-key-code]1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278
[SSH Server-dsa-key-code]26D4CDE5 189A93EA 531E0FF8 2199EF35 DF038976
[SSH Server-dsa-key-code]4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62
[SSH Server-dsa-key-code]A915EE63 F660C092 360C5D2D 796AF230 DB7461F7
[SSH Server-dsa-key-code]C15B6DBA 65C9EFAB 247DB13D 4942E2FF
[SSH Server-dsa-key-code]02820100
[SSH Server-dsa-key-code]D7C6399A 86F7B38C 85168EF8 692BD9B4 01AA7BCD
[SSH Server-dsa-key-code]98559075 98039259 0C54818C 650A95C7 0A5250EB
[SSH Server-dsa-key-code]12124E5B C4123350 C190CC8B 4FFFD418 7E8F113F
[SSH Server-dsa-key-code]6C36AB4B A56D2D1D 2C874C75 8400DAFE 4BABF957
[SSH Server-dsa-key-code]4EDC8E7C DF5934DB 3AD717E5 50B1096B C0B46DE5
[SSH Server-dsa-key-code]3FB508FA CB76FF1C 42CF7082 7DDEEB47 5C5C4F64
[SSH Server-dsa-key-code]B1C8815C 496AC1E0 04C10EDD FE849B76 6DA15B48
[SSH Server-dsa-key-code]0C9CF0B1 10BDDC08 41A65C28 8E21ADC6 48A93DF6
[SSH Server-dsa-key-code]14552C1F 76A401AE E06E482D 6582052E 5B11A678
[SSH Server-dsa-key-code]A467B38A B77C1C55 D367E253 FFA44841 FC38A462
[SSH Server-dsa-key-code]B9AC24E6 DAD01628 F09ED629 58F666C1 1DEF7BD0
[SSH Server-dsa-key-code]634C3D13 D75F2614 8CB49AFC 498A5195 F443CA4D
[SSH Server-dsa-key-code]C02FF228 A90D7593 AE46C5D0 4B224FEE
[SSH Server-dsa-key-code] public-key-code end
[SSH Server-dsa-public-key] peer-public-key end

# On the SSH server, bind the DSA public key to client002.


[SSH Server] ssh user client002 assign dsa-key dsakey001
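The key code that Step 3 copies onto the SSH server is the DER encoding of the DSA public key (a SEQUENCE of the INTEGERs p, q, g and y), and the authorized_keys line printed after it is the same kind of key in SSH wire format. The following example is added here and is not part of the Huawei documentation: it decodes the page's DER key code, re-encodes it as an ssh-dss authorized_keys line, and decodes the page's authorized_keys line back into its integers, so the two listings can be compared field by field instead of by eye. The two embedded constants are the page's own output with the wrapped lines rejoined; the function names are my own. Decoding shows that p, q and g agree between the two listings but y does not, so the PEM and authorized_keys blocks were evidently captured from a different key generation than the Key code block (DSA domain parameters can be shared, the public value y cannot).

```python
import base64
import struct

# Key code printed by `display dsa local-key-pair public` on the page, with its
# wrapped lines rejoined; 30 82 03 22 is a DER SEQUENCE of 802 bytes.
DER_KEY_CODE = """
30820322 02820100
DEDEBA5C 8244DCB8 E696917C EFEBC0B3 E6FB60BE 8B9E36D3 E4EB9CD6 EB7FD210 219AC0F4 1AD47BF1
EACD435D 39AFA8FA CB6A7819 305EE147 E428912E 60452B37 CA17D611 C2EE4C46 B4BC7726 54C26856
A99ECFA5 D800367B 31A90522 F139496F 4182DBFD AAB59973 9AB02185 856A881F 9197368B 92DBF684
9D1C746B A27E12F9 8A28E4B6 D0587D65 5979A750 5413E91E FC961C3F 79209625 CFA8D7D4 69FA35A3
9E37B614 047D535D CD63AF30 58B3A25B 79C714B6 326B7DB6 067EBF15 3CC1A720 B0E1A7E3 9C13FEB3
BA26E6B0 52DC5BFF EE7C5C52 148FE6C2 40738FBB 8F05D416 B2B5DD72 E3629BB5 9244BF9F A29C4FCD
4EA0EE50 1FC6695D 03D68D51 9324E493
0214 C6C484E1 F0076B8A FCAD302B 98B50A3A 542ABEBB
02820100
3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD 96AE9215 7A29C723 72FE8A02 EBED3B76 BE810B42
21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6 5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4
2036205C 6EFAB148 66E6A106 0DF6258B EE31CFE7 4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7
9A56E32E C15A0659 3D17C407 29F587C7 74959017 62B08070 24564B2E E79C6E1D 86793548 76CC662A
1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278 26D4CDE5 189A93EA 531E0FF8 2199EF35 DF038976
4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62 A915EE63 F660C092 360C5D2D 796AF230 DB7461F7
C15B6DBA 65C9EFAB 247DB13D 4942E2FF
02820100
D7C6399A 86F7B38C 85168EF8 692BD9B4 01AA7BCD 98559075 98039259 0C54818C 650A95C7 0A5250EB
12124E5B C4123350 C190CC8B 4FFFD418 7E8F113F 6C36AB4B A56D2D1D 2C874C75 8400DAFE 4BABF957
4EDC8E7C DF5934DB 3AD717E5 50B1096B C0B46DE5 3FB508FA CB76FF1C 42CF7082 7DDEEB47 5C5C4F64
B1C8815C 496AC1E0 04C10EDD FE849B76 6DA15B48 0C9CF0B1 10BDDC08 41A65C28 8E21ADC6 48A93DF6
14552C1F 76A401AE E06E482D 6582052E 5B11A678 A467B38A B77C1C55 D367E253 FFA44841 FC38A462
B9AC24E6 DAD01628 F09ED629 58F666C1 1DEF7BD0 634C3D13 D75F2614 8CB49AFC 498A5195 F443CA4D
C02FF228 A90D7593 AE46C5D0 4B224FEE
"""

# The "Public key code for pasting into OpenSSH authorized_keys file" line from the page, rejoined.
OPENSSH_LINE = "ssh-dss " + (
    "AAAAB3NzaC1kc3MAAAEBAN7eulyCRNy45paRfO/rwLPm+2C+i5420+TrnNbrf9IQ"
    "IZrA9BrUe/HqzUNdOa+o+stqeBkwXuFH5CiRLmBFKzfKF9YRwu5MRrS8dyZUwmhW"
    "qZ7PpdgANnsxqQUi8TlJb0GC2/2qtZlzmrAhhYVqiB+RlzaLktv2hJ0cdGuifhL5"
    "iijkttBYfWVZeadQVBPpHvyWHD95IJYlz6jX1Gn6NaOeN7YUBH1TXc1jrzBYs6Jb"
    "eccUtjJrfbYGfr8VPMGnILDhp+OcE/6zuibmsFLcW//ufFxSFI/mwkBzj7uPBdQW"
    "srXdcuNim7WSRL+fopxPzU6g7lAfxmldA9aNUZMk5JMAAAAVAMbEhOHwB2uK/K0w"
    "K5i1CjpUKr67AAABADrBF0bulZy9MPZpxX4pC8R8tbv9lq6SFXopxyNy/ooC6+07"
    "dr6BC0IhrY0y93I/g1n0a2b/eAXMP4bV1lvUJL1wZ37/Gs+bPM4CzUBGVg2kIDYg"
    "XG76sUhm5qEGDfYli+4xz+dLbFm0b+Wan75k+YLsNqZp/1l/t5pW4y7BWgZZPRfE"
    "Byn1h8d0lZAXYrCAcCRWSy7nnG4dhnk1SHbMZiodPeHRLHnhAsCxDlycRCizrrky"
    "eCbUzeUYmpPqUx4P+CGZ7zXfA4l2RThDT/OZJPBb8XrIjjQJkbXqCmKpFe5j9mDA"
    "kjYMXS15avIw23Rh98Fbbbplye+rJH2xPUlC4v8AAAEAVkz2m0fokxPL5DekN8U4"
    "2SkvxBhh7W+pMLesuDOBY9PIqfwcZqY23Oi7/eJGojmX0wYTOWi8t09Qn/LmeFNt"
    "AEaxHc4nLmvjxDuyjoTSA/AAYJDYJ6HWZoScy3mzDCUtEMGuaL/6SRUuH5wf9hMf"
    "LZzmb6ETrf8S5RZWVyZv3TKm3/FEAH7PNQYe8BYYG3SCfvgtqYQzRTZrDL6wLbCo"
    "otdHydlhfz9CtIYH3gfhnjXoq/X6HLQAFTexhBuoJ7nCtjC9c1HhJFicadQK2iY/"
    "AOOu8jCp0l6vOUH4cniOONh6Mts9UiJNYnvZsjVJFzdkRsNpvcMBhK4/NneGPPMN"
    "+A=="
) + " dsa-key"


def _read_tlv(buf, pos):
    """One DER tag-length-value starting at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_der_dsa_public(hex_code):
    """SEQUENCE { INTEGER p, q, g, y }; the switch omits the 0x00 pad byte that
    strict DER requires when the top bit is set, so each value is read unsigned."""
    raw = bytes.fromhex("".join(hex_code.split()))
    tag, body, end = _read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("expected one DER SEQUENCE")
    ints, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        ints.append(int.from_bytes(value, "big"))
    if len(ints) != 4:
        raise ValueError("need p, q, g and y")
    return dict(zip("pqgy", ints))


def _ssh_mpint(n):
    """RFC 4251 mpint: minimal big-endian bytes, 0x00-padded if the top bit is set."""
    data = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if data and data[0] & 0x80:
        data = b"\x00" + data
    return struct.pack(">I", len(data)) + data


def to_openssh(key, comment="dsa-key"):
    """Render p, q, g, y as an OpenSSH authorized_keys line (ssh-dss wire format)."""
    blob = struct.pack(">I", 7) + b"ssh-dss" + b"".join(_ssh_mpint(key[k]) for k in "pqgy")
    return "ssh-dss " + base64.b64encode(blob).decode() + " " + comment


def parse_openssh_dsa(line):
    """Inverse of to_openssh: split the base64 blob back into p, q, g, y."""
    blob, fields, pos = base64.b64decode(line.split()[1]), [], 0
    while pos < len(blob):
        n = struct.unpack(">I", blob[pos:pos + 4])[0]
        fields.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    if len(fields) != 5 or fields[0] != b"ssh-dss":
        raise ValueError("not an ssh-dss key")
    return dict(zip("pqgy", (int.from_bytes(f, "big") for f in fields[1:])))
```

Comparing `parse_der_dsa_public(DER_KEY_CODE)` with `parse_openssh_dsa(OPENSSH_LINE)` field by field is the check to run whenever a peer key is pasted by hand: a dropped or transposed group in the key code changes y, and the server then binds client002 to a key it does not hold, which shows up only as a failed DSA login.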

Step 4 Connect SFTP clients to the SSH server.

# Enable the first authentication function on the SSH clients upon the first login.
<HUAWEI> system-view
[HUAWEI] sysname client001
[client001] ssh client first-time enable //Enable the first authentication function on client001.
[client002] ssh client first-time enable //Enable the first authentication function on client002.

# Log in to the SSH server from client001 in password authentication mode.


[client001] sftp 10.1.1.1
Please input the username:client001
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
password:SSH_SERVER_CODE

Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:D
Enter password:

sftp-client>

# Log in to the SSH server from client002 in DSA authentication mode.


[client002] sftp 10.1.1.1
Please input the username:client002
Trying 10.1.1.1 ...
Press CTRL+K to abort
Connected to 10.1.1.1 ...
password:SSH_SERVER_CODE

Please select public key type for user authentication [R for RSA; D for DSA; Enter for Skip publickey authentication; Ctrl_C for Cancel], Please select [R, D, Enter or Ctrl_C]:D

sftp-client>

Step 5 Verify the configuration.

Run the display ssh server status command on the SSH server to check whether
the SFTP service is enabled. Run the display ssh user-information command to
check information about SSH users on the server.

# Check the status of the SSH server.


[SSH Server] display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Enable
Stelnet server :Disable
Scp server :Disable
SSH server source :0.0.0.0
ACL4 number :0
ACL6 number :0

# Check information about SSH users.

[SSH Server] display ssh user-information
User 1:
User Name : client001
Authentication-type : password
User-public-key-name : -
User-public-key-type : -
Sftp-directory : flash:
Service-type : sftp
Authorization-cmd : No
User 2:
User Name : client002
Authentication-type : dsa
User-public-key-name : dsakey001
User-public-key-type : dsa
Sftp-directory : flash:
Service-type : sftp
Authorization-cmd : No

----End

Configuration Files
● SSH server configuration file
#
sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
public-key-code begin
30820322
02820100
DEDEBA5C 8244DCB8 E696917C EFEBC0B3 E6FB60BE
8B9E36D3 E4EB9CD6 EB7FD210 219AC0F4 1AD47BF1
EACD435D 39AFA8FA CB6A7819 305EE147 E428912E
60452B37 CA17D611 C2EE4C46 B4BC7726 54C26856
A99ECFA5 D800367B 31A90522 F139496F 4182DBFD
AAB59973 9AB02185 856A881F 9197368B 92DBF684
9D1C746B A27E12F9 8A28E4B6 D0587D65 5979A750
5413E91E FC961C3F 79209625 CFA8D7D4 69FA35A3
9E37B614 047D535D CD63AF30 58B3A25B 79C714B6
326B7DB6 067EBF15 3CC1A720 B0E1A7E3 9C13FEB3
BA26E6B0 52DC5BFF EE7C5C52 148FE6C2 40738FBB
8F05D416 B2B5DD72 E3629BB5 9244BF9F A29C4FCD
4EA0EE50 1FC6695D 03D68D51 9324E493
0214
C6C484E1 F0076B8A FCAD302B 98B50A3A 542ABEBB
02820100
3AC11746 EE959CBD 30F669C5 7E290BC4 7CB5BBFD
96AE9215 7A29C723 72FE8A02 EBED3B76 BE810B42
21AD8D32 F7723F83 59F46B66 FF7805CC 3F86D5D6
5BD424BD 70677EFF 1ACF9B3C CE02CD40 46560DA4
2036205C 6EFAB148 66E6A106 0DF6258B EE31CFE7
4B6C59B4 6FE59A9F BE64F982 EC36A669 FF597FB7
9A56E32E C15A0659 3D17C407 29F587C7 74959017
62B08070 24564B2E E79C6E1D 86793548 76CC662A
1D3DE1D1 2C79E102 C0B10E5C 9C4428B3 AEB93278
26D4CDE5 189A93EA 531E0FF8 2199EF35 DF038976
4538434F F39924F0 5BF17AC8 8E340991 B5EA0A62
A915EE63 F660C092 360C5D2D 796AF230 DB7461F7
C15B6DBA 65C9EFAB 247DB13D 4942E2FF
02820100
D7C6399A 86F7B38C 85168EF8 692BD9B4 01AA7BCD
98559075 98039259 0C54818C 650A95C7 0A5250EB
12124E5B C4123350 C190CC8B 4FFFD418 7E8F113F
6C36AB4B A56D2D1D 2C874C75 8400DAFE 4BABF957
4EDC8E7C DF5934DB 3AD717E5 50B1096B C0B46DE5
3FB508FA CB76FF1C 42CF7082 7DDEEB47 5C5C4F64
B1C8815C 496AC1E0 04C10EDD FE849B76 6DA15B48
0C9CF0B1 10BDDC08 41A65C28 8E21ADC6 48A93DF6
14552C1F 76A401AE E06E482D 6582052E 5B11A678
A467B38A B77C1C55 D367E253 FFA44841 FC38A462
B9AC24E6 DAD01628 F09ED629 58F666C1 1DEF7BD0
634C3D13 D75F2614 8CB49AFC 498A5195 F443CA4D
C02FF228 A90D7593 AE46C5D0 4B224FEE
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher %^%#-=9Z)M,-aL$_U%#$W^1T-\}Fqpe$E<#H$J<6@KTSL/J'\}I-%^%#
local-user client001 privilege level 3
local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
ssh user client002
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key dsakey001
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
#
return

● client001 configuration file


#
sysname client001
#
ssh client first-time enable
#
return

● client002 configuration file


#
sysname client002
#
ssh client first-time enable
#
return
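The SSH server configuration file above collects the settings that decide how exposed the management plane is: which file-transfer services are enabled, whether the VTY lines use AAA and accept only SSH, whether each SSH user is confined to an authorized directory, and whether a user configured for DSA authentication actually has a key bound. The following example is added here and is not part of the Huawei documentation: it audits a saved configuration for those points. The embedded configuration is the page's SSH server file with the DSA key code shortened to its first three lines (the audit skips that block anyway); the check names and messages are my own. Run against the page's file it reports one finding: the file shows no protocol inbound ssh line under vty 0 4, although Step 2 of the procedure configures one.

```python
import re

# SSH server configuration file from the page; the DSA peer key code is cut to
# its first three hex lines here because the audit never reads that block.
PAGE_CONFIG = r"""
#
sysname SSH Server
#
dsa peer-public-key dsakey001 encoding-type der
public-key-code begin
30820322
02820100
DEDEBA5C 8244DCB8 E696917C EFEBC0B3 E6FB60BE
public-key-code end
peer-public-key end
#
aaa
local-user client001 password irreversible-cipher %^%#-=9Z)M,-aL$_U%#$W^1T-\}Fqpe$E<#H$J<6@KTSL/J'\}I-%^%#
local-user client001 privilege level 3
local-user client001 service-type ssh
#
sftp server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
ssh user client002
ssh user client002 authentication-type dsa
ssh user client002 assign dsa-key dsakey001
ssh user client002 service-type sftp
ssh user client002 sftp-directory flash:
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 3
#
return
"""

PLAINTEXT_SERVICES = ("ftp server enable", "telnet server enable")
KEY_AUTH_TYPES = ("rsa", "dsa", "ecc")


def split_sections(config):
    """Split a VRP configuration into its '#'-delimited blocks, dropping the
    public-key-code payload so hex lines are never mistaken for commands."""
    sections, current, in_key = [], [], False
    for line in config.splitlines():
        line = line.strip()
        if line == "public-key-code begin":
            in_key = True
        elif line == "public-key-code end":
            in_key = False
        elif in_key or not line:
            continue
        elif line == "#":
            if current:
                sections.append(current)
            current = []
        else:
            current.append(line)
    if current:
        sections.append(current)
    return sections


def audit_ssh_server(config):
    """Return a list of findings; an empty list means every check passed."""
    sections = split_sections(config)
    lines = [line for section in sections for line in section]
    findings = []
    for service in PLAINTEXT_SERVICES:  # plaintext alternatives to SFTP/STelnet
        if service in lines:
            findings.append(f"{service}: plaintext management service is enabled")
    for section in sections:  # VTY lines: AAA and SSH-only
        if section[0].startswith("user-interface vty"):
            if "authentication-mode aaa" not in section:
                findings.append(f"{section[0]}: authentication-mode is not aaa")
            if "protocol inbound ssh" not in section:
                findings.append(f"{section[0]}: protocol inbound is not restricted to ssh")
    users = {}  # ssh user <name> <attribute ...> lines, grouped per user
    for line in lines:
        match = re.match(r"ssh user (\S+)(?: (.+))?$", line)
        if match:
            users.setdefault(match.group(1), []).append(match.group(2) or "")
    for user, attrs in users.items():
        auth = next((a.split()[1] for a in attrs if a.startswith("authentication-type ")), None)
        service = next((a for a in attrs if a.startswith("service-type ")), "")
        if auth is None:
            findings.append(f"ssh user {user}: no authentication-type configured")
        elif auth in KEY_AUTH_TYPES and not any(a.startswith("assign ") for a in attrs):
            findings.append(f"ssh user {user}: {auth} authentication but no public key assigned")
        if ("sftp" in service or "all" in service) and not any(a.startswith("sftp-directory ") for a in attrs):
            findings.append(f"ssh user {user}: sftp access without an authorized directory")
    for line in lines:  # local passwords must be stored irreversibly
        match = re.match(r"local-user (\S+) password (\S+)", line)
        if match and match.group(2) != "irreversible-cipher":
            findings.append(f"local-user {match.group(1)}: password stored as '{match.group(2)}', not irreversible-cipher")
    return findings


if __name__ == "__main__":
    for finding in audit_ssh_server(PAGE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the text of display current-configuration from any of the switches in this chapter. Treating ftp server enable as a finding follows the page's own configuration note that FTP is insecure and SFTP, SCP or FTPS should be used in its place.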

3.3.3 Example for Upgrading a New Device


Preparations for the Upgrade
1. Prepare the upgrade tools, including the operation terminal PC, Ethernet
cable, and serial cable.
2. Obtain the target system software.
– Enterprise users: Log in to https://support.huawei.com/e, enter the
switch model in the search box, and click the path that is automatically
displayed below the search box to enter the product page. On the page
that is displayed, click Software Download and select the version. On the
Version and Patch tab page, obtain the system software (.cc) required
for the upgrade.
– Carrier users: Log in to https://support.huawei.com, enter the switch
model in the search box, and click the path that is automatically
displayed below the search box to enter the product page. On the page
that is displayed, click Software, select a version in the VxxxRxxxCxx or
VxxxRxxxCxxSPCxxx format, go to the corresponding version path, and
obtain the system software (.cc) required for the upgrade.
3. Obtain the patch file of the target system software.
– Enterprise users: Log in to https://support.huawei.com/e, enter the
switch model in the search box, and click the path that is automatically
displayed below the search box to enter the product page. On the page
that is displayed, click Software Download, select a version, and click the
path under the Public Patch in V and R Version tab to obtain the patch
file (.pat) required for the upgrade.
– Carrier users: Log in to https://support.huawei.com, enter the switch
model in the search box, and click the path that is automatically
displayed below the search box to enter the product page. On the page
that is displayed, click Software, select a version in VxxxRxxxSPHxxx
format, go to the corresponding version path, and obtain the patch file
(.pat) required for the upgrade.
4. Enable the FTP server function on the PC.

NOTE

● Most laptops do not provide COM ports and can only be connected to devices
through USB ports. In this case, purchase a USB-serial cable, connect its COM
female connector to the COM male connector of the console communication cable
delivered with the device, and connect its USB connector to a USB port of the
PC. Then install the driver delivered with the USB-serial cable on the PC, or
download a USB-to-RS232 driver from the Internet.

Establishing the Upgrade Environment in FTP Mode


1. Connect the switch to the PC using a console communication cable and
Ethernet cable to establish the networking. As shown in Figure 3-23, connect
the console communication cable to the console port of the switch and
connect the Ethernet cable to any Ethernet port. (GigabitEthernet 0/0/1 is
used as an example here.)

Figure 3-23 Networking diagram for upgrading a new device

2. Start the terminal emulation software on your PC, create a connection, select
the connected COM port, and set communication parameters. Communication
parameter settings on the terminal emulation software must be the same as
the default settings on the switch, which are: 9600 bit/s baud rate, 8 data bits,
1 stop bit, no parity check, and no flow control.
3. Enter the user name and password.
The default username and password are available in S Series Switches Default
Usernames and Passwords (Enterprise Network or Carrier). If you have not
obtained the access permission of the document, see Help on the website to
find out how to obtain it.
4. Configure a management IP address for the switch to make the switch and PC
reside on the same network segment, so that the switch and PC can ping
each other.
<HUAWEI> system-view
[HUAWEI] interface vlanif 1
[HUAWEI-vlanif1] ip address 10.10.1.1 24 //10.10.1.1/24 is the IP address configured for the VLANIF interface. You can configure the interface IP address based on the actual situation. Ensure that the interface IP address is on the same network segment as the PC.
[HUAWEI-vlanif1] quit

Version Upgrade Operations


1. Configure the switch as an FTP client and download the files from the FTP
server running on the PC to the switch.
<HUAWEI> ftp 10.10.1.2 //10.10.1.2 is the IP address of the terminal PC, which runs the FTP server.
[ftp] get S5720-HI-V200R010C00SPC600.cc //Load the system software to the switch. S5720-HI-V200R010C00SPC600.cc is the file name of the system software.
[ftp] get S5720-HI-V200R010SPH013.pat //Load the patch file to the switch. S5720-HI-V200R010SPH013.pat is the file name of the system patch.

2. Check whether the system software and patch file are successfully loaded.
<HUAWEI> dir flash: //Check whether the size of the loaded file is the same as that of the file on the PC. If not, delete the file and load it again.
Directory of flash:/

Idx Attr Size(Byte) Date Time FileName
0 -rw- 106,395,444 Jul 22 2017 23:44:18 S5720-HI-V200R010C00SPC600.cc
1 -rw- 84210 Jun 28 2017 05:16:29 S5720-HI-V200R010SPH013.pat
2 drw- - Jan 01 2017 00:00:44 dhcp
3 drw- - Dec 03 2013 09:22:27 user
4 -rw- 13,432 Jan 01 2017 00:00:45 default_ca.cer

3. Specify the system software and patch for next startup of the switch.
<HUAWEI> startup system-software S5720-HI-V200R010C00SPC600.cc //Set the system software for next startup.
<HUAWEI> startup patch S5720-HI-V200R010SPH013.pat //Set the patch for next startup.

NOTE

If the switch is a modular switch with two MPUs, run the following command in the user
view to set the system software and patch to be used by the standby MPU.
● copy S5720-HI-V200R010C00SPC600.cc slave#flash:
● startup system-software S5720-HI-V200R010C00SPC600.cc slave-board
● startup patch S5720-HI-V200R010SPH013.pat slave-board
4. Check the configuration for next startup.
<HUAWEI> display startup
MainBoard:
Configured startup system software: flash:/defaultdevicesoft.cc
Startup system software: flash:/defaultdevicesoft.cc
Next startup system software: flash:/S5720-HI-V200R010C00SPC600.cc
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip
Startup paf file: default
Next startup paf file: default
Startup license file: default
Next startup license file: default
Startup patch package: flash:/patch.pat
Next startup patch package: flash:/S5720-HI-V200R010SPH013.pat

5. Restart the switch.


<HUAWEI> reboot fast
Info: If want to reboot with saving diagnostic information, input 'N' and then e
xecute 'reboot save diagnostic-information'.
System will reboot! Continue?[Y/N]: y

NOTE

If the system software of the switch is damaged and you cannot restart the switch, you can use
the BootLoad program to modify the system software, configuration files, and patch files, and
configure the switch to start with the specified files. This implements the system software
restoration and rollback of the switch. For detailed operations, see Configuration Guide - Basic
Configuration Guide - BootLoad Menu Operation.

Verifying the Upgrade


After the switch is restarted, check whether the upgrade succeeds following Table
3-8.


Table 3-8 Upgrade verification table

No. 1
Item: Check the system software.
Check Criteria:
● Run the display startup command to check whether the running system software (displayed in the Configured startup system software field) is the target version.
● Run the display patch-information command to check whether the patch package name and patch package version are those of the patch package to be loaded, and check whether the patch package state is Running.
● Run the check version command to check whether the software to be upgraded is displayed in the output. If the command output is not empty, run the upgrade all command to upgrade the software.

No. 2
Item: Check the running status of the switch.
Check Criteria: Run the display device command to check whether all components of the switch are present (displayed in the Online field), and check the registration status (displayed in the Register field) and running status (displayed in the Status field) of the components.
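The file-size check of Step 2, the next-startup check of Step 4 and the post-reboot check of Table 3-8 can be run against saved command output instead of by eye. The Python script below is an added example and not part of the Huawei document; the command output it parses is constructed from the samples above, and the file sizes on the PC are assumed values.

```python
"""Added example (not from the Huawei document): offline checks for the upgrade
verification points. Step 2 compares each loaded file with its copy on the PC;
Step 4 and Table 3-8 check which system software and patch the switch will boot
(or has booted) with. All command output below is constructed."""
import re

# Constructed 'dir flash:' output (sizes as shown on the page)
DIR_FLASH_OUTPUT = """\
Directory of flash:/

  Idx  Attr     Size(Byte)  Date         Time      FileName
    0  -rw-    106,395,444  Jul 22 2017  23:44:18  S5720-HI-V200R010C00SPC600.cc
    1  -rw-          84210  Jun 28 2017  05:16:29  S5720-HI-V200R010SPH013.pat
    2  drw-              -  Jan 01 2017  00:00:44  dhcp
    3  drw-              -  Dec 03 2013  09:22:27  user
    4  -rw-         13,432  Jan 01 2017  00:00:45  default_ca.cer
"""

# Constructed 'display startup' output as it looks after Step 3, before the reboot
DISPLAY_STARTUP_OUTPUT = """\
MainBoard:
 Configured startup system software:        flash:/defaultdevicesoft.cc
 Startup system software:                   flash:/defaultdevicesoft.cc
 Next startup system software:              flash:/S5720-HI-V200R010C00SPC600.cc
 Startup saved-configuration file:          flash:/vrpcfg.zip
 Next startup saved-configuration file:     flash:/vrpcfg.zip
 Startup patch package:                     flash:/patch.pat
 Next startup patch package:                flash:/S5720-HI-V200R010SPH013.pat
"""

# Sizes of the files on the PC (assumed values; read them from the PC in practice)
PC_FILE_SIZES = {
    "S5720-HI-V200R010C00SPC600.cc": 106395444,
    "S5720-HI-V200R010SPH013.pat": 84210,
}
TARGET_SOFTWARE = "S5720-HI-V200R010C00SPC600.cc"
TARGET_PATCH = "S5720-HI-V200R010SPH013.pat"

# One 'dir flash:' row: index, attributes, size (or '-' for a directory), date, time, name
DIR_ROW = re.compile(
    r"^\s*\d+\s+([-d]rw-)\s+([\d,]+|-)\s+\w{3}\s+\d{1,2}\s+\d{4}\s+\d{2}:\d{2}:\d{2}\s+(\S+)\s*$")


def parse_dir_flash(output):
    """Return {file name: size in bytes} for regular files; directories are skipped."""
    files = {}
    for line in output.splitlines():
        m = DIR_ROW.match(line)
        if m and not m.group(1).startswith("d") and m.group(2) != "-":
            files[m.group(3)] = int(m.group(2).replace(",", ""))
    return files


def parse_display_startup(output):
    """Return {field: value} for the 'field: value' lines of 'display startup'."""
    fields = {}
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def check_loaded_files(dir_output, pc_sizes):
    """Step 2: a size mismatch means the transfer was incomplete and the file
    must be deleted and loaded again. Returns a list of problems (empty = OK)."""
    on_flash = parse_dir_flash(dir_output)
    problems = []
    for name, pc_size in pc_sizes.items():
        if name not in on_flash:
            problems.append(f"{name}: not found on flash:, load it again")
        elif on_flash[name] != pc_size:
            problems.append(f"{name}: {on_flash[name]} bytes on flash:, "
                            f"{pc_size} bytes on the PC; delete it and load it again")
    return problems


def check_startup(startup_output, target_software, target_patch, phase="next"):
    """phase='next' (Step 4): the next-startup files must be the target files.
    phase='current' (Table 3-8, after a successful reboot): the files actually
    booted, shown in the 'Startup ...' fields, must be the target files."""
    prefix = "Next startup" if phase == "next" else "Startup"
    fields = parse_display_startup(startup_output)
    problems = []
    for field, target in ((f"{prefix} system software", target_software),
                          (f"{prefix} patch package", target_patch)):
        value = fields.get(field, "")
        if value.rsplit("/", 1)[-1] != target:  # compare file names, not paths
            problems.append(f"{field} is {value or '<missing>'}, expected {target}")
    return problems


if __name__ == "__main__":
    for problem in (check_loaded_files(DIR_FLASH_OUTPUT, PC_FILE_SIZES)
                    + check_startup(DISPLAY_STARTUP_OUTPUT, TARGET_SOFTWARE, TARGET_PATCH)):
        print("PROBLEM:", problem)
    print("checks complete")
```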

3.4 Typical Device Management Configuration

3.4.1 Typical Stack Configuration of Fixed Switches

3.4.1.1 Overview of Stack


Fixed switches are often deployed at the aggregation layer and access layer. Unlike
modular switches, fixed switches have a fixed number of ports and cannot add
LPUs to expand the number of ports. When the network expands continuously, the
number of ports provided by a single fixed switch may be insufficient to meet
network requirements. Stack technology uses physical member ports and stack
cables to combine multiple stacking-capable switches into one logical switch. You
can set up a stack to improve network scalability and device reliability.


3.4.1.2 Stack Deployment Method and Recommendations

3.4.1.2.1 Recommended Stack Deployment Scenarios

Scenario 1: The Stack System Operates on Aggregation Switches


This is the most common scenario when aggregation switches set up a stack
system, as shown in Figure 3-24.
The following switch models can set up a stack system in this scenario: S6700-EI,
S6720S-EI, S6720-EI, S6720-HI, S6730-H, S6730S-H, S5700-HI, S5710-HI, S5710-EI,
S5700-EI, S5700-SI, S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5732-H.
In this scenario, each switch in a stack connects to a core device through Eth-
Trunk. The stack system simplifies management of aggregation devices and
improves uplink reliability of aggregation devices.

Figure 3-24 Stack system operating on aggregation switches

Scenario 2: The Stack System Operates on Access Switches


This is the most common scenario when Layer 2 access switches set up a stack
system, as shown in Figure 3-25.
The following switch models can set up a stack system in this scenario: S2720-EI,
S2750-EI, S5700-LI, S5700-EI, S5710-C-LI, S5710-X-LI, S5720-LI, S5735-L, S5735S-L,
S5735S-L-M, S5720S-LI, S5700-SI, S5720-SI, S5735-S, S5735S-S, S5720S-SI, S5720I-
SI, S5700S-LI, S5730-SI, S5730S-EI, S5731-S, S5731S-S, S6720-LI, S6720S-LI, S6720-
SI, S6720S-SI, S6730-S, S6730S-S.
In this scenario, each switch in a stack connects to an aggregation device through
Eth-Trunk. The stack system simplifies management and improves uplink reliability
of access devices.


Figure 3-25 Stack system operating on access switches

Scenario 3: The Stack System Operates on an Access Ring


This scenario rarely occurs. Figure 3-26 shows the networking of this scenario.
The following switch models can set up a stack system in this scenario: S2720-EI,
S2750-EI, S5700-LI, S5700-EI, S5710-C-LI, S5710-X-LI, S5720-LI, S5735-L, S5735S-L,
S5735S-L-M, S5720S-LI, S5700-SI, S5720-SI, S5735-S, S5735S-S, S5720S-SI, S5720I-
SI, S5700S-LI, S5730-SI, S5730S-EI, S5731-S, S5731S-S, S6720-LI, S6720S-LI, S6720-
SI, S6720S-SI, S6730-S, S6730S-S.
In this scenario, multiple stack systems form a ring through Eth-Trunk, and one
stack system connects to aggregation switches through Eth-Trunk. This scenario
reduces the number of management IP addresses of access devices.


Figure 3-26 Stack system operating on an access ring

Recommendations
NOTE

The following recommendations are provided based on the positioning of fixed switch models. If
customers have special requirements, it is recommended to deploy high-end devices at a lower
network layer; it is not recommended to deploy low-end devices at a higher network layer. For
example, it is recommended to deploy aggregation switches at the access layer rather than to
deploy access switches at the aggregation layer.
To ensure stack reliability and bandwidth, you are advised to do as follows:
● Ensure that each member device connects to the core device through an uplink port. This
connection prevents upstream traffic forwarding from being affected when any member
device fails.
● When using multiple devices to set up a stack, ensure the same stack bandwidth between
any two devices. Otherwise, the bandwidth of the stack system is the minimum stack
bandwidth.

Table 3-9 Scenario recommendations

Model: S5700-HI, S5710-HI, S5710-EI, S6700-EI
Scenario 1: First preferred; Scenario 2: Second preferred; Scenario 3: Not recommended

Model: S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5732-H, S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H
Scenario 1: First preferred; Scenario 2: Second preferred; Scenario 3: Second preferred

Model: S5700-EI, S5700-SI
Scenario 1: First preferred; Scenario 2: First preferred; Scenario 3: Second preferred

Model: S5720-SI, S5735-S, S5735S-S, S5720S-SI, S5720I-SI, S5731-S, S5731S-S, S6730-S, S6730S-S
Scenario 1: Second preferred; Scenario 2: First preferred; Scenario 3: First preferred

Model: S2720-EI, S2750-EI, S5700-LI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5730-SI, S5730S-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI
Scenario 1: Not recommended; Scenario 2: First preferred; Scenario 3: Second preferred

Model: S5700S-LI, S5710-C-LI, S5710-X-LI
Scenario 1: Not recommended; Scenario 2: First preferred; Scenario 3: First preferred

3.4.1.2.2 Determining the Stack Topology

Networking for a Stack of More Than Two Member Devices


A stack can be connected in a chain or ring topology depending on the stack
connection mode, as shown in Figure 3-27. Table 3-10 compares the two stack
topologies in terms of reliability, link bandwidth utilization, and convenience of
cable connections.


Figure 3-27 Stack topologies

Table 3-10 Comparison between stack topologies

Stack Topology: Chain topology
Advantages: Applicable to long-distance stacking because the first and last member switches do not need to be connected by a physical link.
Disadvantages:
● Low reliability: If any stack link fails, the stack splits.
● Low stack link utilization: The entire stack relies on a single path.
Applicable Scenario: Member devices are far from one another and a ring topology is difficult to deploy.

Stack Topology: Ring topology
Advantages:
● High reliability: If a stack link fails, the topology changes from ring to chain, and the stack can still function normally.
● High link bandwidth efficiency: Data can be forwarded along the shortest path.
Disadvantages: The first and last member switches need to be connected by a physical link, so this topology is not applicable to long-distance stacking.
Applicable Scenario: Member switches are located near one another.

Networking for a Stack of Two Member Devices


● Two devices can set up a stack in a chain topology, as shown in Figure 3-28.
In this topology, only one logical stack port exists between the two devices
and no loop exists in the stack.


Figure 3-28 Only one logical stack port between two member devices

● Two devices can set up a stack with back-to-back networking, as shown in
Figure 3-29. In this networking, two logical stack ports exist between the two
devices, and one loop exists in the stack, which will be automatically
eliminated by the system.

Figure 3-29 Two logical stack ports between two member devices

When using two devices to set up a stack, you are advised to do as follows:
● If the devices provide no more than 28 ports, use the networking with only
one logical stack port. Otherwise, use the back-to-back networking.
● If more member devices need to be added to the stack in the future, use the
back-to-back networking, which will require minimum modification to the
existing system.
● Connect at least two stack cables between the two devices to ensure
reliability.

3.4.1.2.3 Stack Configuration and Deployment Recommendations

Feature Limitations
Version restrictions:
● When multiple switches set up a stack, member switches will synchronize the
running version of the master switch. If a member switch does not support
this running version, it will restart repeatedly.
● In V200R009C00, if MPLS-incapable S5720-EIs exist in a stack, this stack
cannot have MPLS enabled. If member devices in a stack are running MPLS
services, adding MPLS-incapable S5720-EIs to the stack is not allowed.
● An S5720-HI supports the stacking function since V200R009C00. When a
member device in a stack is faulty and fails to restart for three consecutive
times, the device attempts to roll back to a version earlier than V200R009C00
for restart. When the device restarts successfully after rolling back to a version
earlier than V200R009C00, a multi-active situation may occur because the
version earlier than V200R009C00 does not support the stacking function. To
prevent this situation, you are advised to delete the system software earlier
than V200R009C00 from member devices when using S5720-HIs to set up a
stack.
● When two stack member devices use ports on S7Q02001 and ES5D21Q02Q00
cards, respectively, to set up a stack, ensure that the device versions are the
same. Otherwise, the stack ports cannot go Up.
MAD specifications:


● You can configure a maximum of eight direct detection links for each member
switch in a stack.
● You can configure the relay mode on a maximum of four Eth-Trunks in a
stack.
● In V200R008C00 and earlier versions, you can configure a maximum of 64
Eth-Trunks on a relay agent to provide the relay function for multiple stacks.
This restriction does not apply to versions later than V200R008C00.
After multiple switches form a stack, the following features cannot be
configured in the stack:
● Y.1731 one- and two-way frame delay measurement
● N:1 VLAN Mapping
● IPv6 over IPv4 tunnel
● IPv4 over IPv6 tunnel
● E-Trunk
When you establish a stack on the switches that support both stack card
connection and service port connection, such as S5720-C-EI, note the
following:
● All member switches must use the same stack connection mode.
● When a member switch has stack cards installed and also has a service port
stack configuration, the switch uses the service port connection mode to
establish a stack. It does not fall back to the stack card connection mode even
if a stack fails to be established in service port connection mode and the stack
cards are connected correctly.
● A switch uses the stack card connection mode to establish a stack only when
it has no service port stack configuration.
● If a switch is currently using the stack card connection mode, perform the
service port stack configuration on the switch before changing the stack
connection mode to service port connection. After the service port stack
configuration is complete, the switch uses the service port connection mode
when restarting.
● If a switch using the stack card connection mode has service port
configuration, a smooth upgrade cannot be performed on the switch.
● If a switch is currently using the service port connection mode, correctly
connect stack cards and stack cables and clear the existing service port stack
configuration before changing the stack connection mode to stack card
connection. You can use the reset stack-port configuration command to
clear the existing service port stack configuration.
● When changing service port connection to stack card connection, you are
advised to remove the cables connected to service ports to prevent loops.

Deployment Recommendations
● Connect a stack to other network devices using an Eth-Trunk and add one
port of each member switch to the Eth-Trunk.
● When a stack connects to access devices, configure ports directly connected to
terminals as STP edge ports to prevent STP re-calculation when the ports
alternate between Up and Down states. This configuration ensures normal
traffic forwarding.

● If storm control needs to be configured on many ports, replace storm control
with traffic suppression to save CPU resources.
● If port security needs to be configured on many ports, replace port security
with MAC address learning limiting to save CPU resources.
● Loops may occur on a network to which a stack connects. Run the mac-
address flapping action error-down command to set an interface to the
error-down state when MAC address flapping is detected on the interface.
This improves system processing performance and allows the peer device to
detect that the interface becomes Down. Additionally, if the peer device has
redundant links, traffic can be rapidly switched to a normal link.

3.4.1.3 Example for Setting Up a Stack Using Stack Cards (V200R001 and
Later Versions)

Networking Requirements
A new enterprise network needs to provide sufficient ports for access devices, and
the network structure should be simple to facilitate configuration and
management.
As shown in Figure 3-30, SwitchA, SwitchB, and SwitchC need to set up a stack in
a ring topology and connect to SwitchD through an inter-device Eth-Trunk.
SwitchA, SwitchB, and SwitchC are the master, standby, and slave switches
respectively, with stack IDs of 0, 1, and 2 and stack priorities of 200, 100, and 100.
As the three switches function as one logical device on the network, the number
of ports is increased and network management and maintenance are simplified.
In this example, S5700-EIs set up a stack.


Figure 3-30 Stack networking

Configuration Roadmap
1. Power off SwitchA, SwitchB, and SwitchC, install an ES5D00ETPC00 stack card
on each switch, and then power on the three switches.
NOTE

● The ES5D00ETPC00 stack card does not support hot swap. You need to power off a
switch before installing the stack card on the switch.
● You can perform software configurations only after installing a stack card on the
switch.
2. Enable the stacking function.
3. Configure stack IDs and stack priorities for member switches to facilitate
device management and identification.
4. Power off SwitchA, SwitchB, and SwitchC, connect physical member ports
using PCIe cables, and then power on the three switches.
5. Configure an inter-device Eth-Trunk to increase reliability and uplink
bandwidth.
6. Configure multi-active detection (MAD) in relay mode to ensure network
availability when the stack splits. The stack split detection mechanism is
called dual-active detection (DAD) in V200R002 and earlier versions and MAD
in later versions.


Procedure
Step 1 Turn off power supplies of SwitchA, SwitchB, and SwitchC, install an
ES5D00ETPC00 stack card on each switch, and then power on the three switches.

Step 2 Enable the stacking function. This function is enabled by default.

Step 3 Configure stack IDs and stack priorities. The default stack ID is 0, and the default
stack priority is 100.
[SwitchA] stack slot 0 priority 200 //Set the stack priority of the master switch to 200, which is larger than those of other member switches, and use the default stack ID 0.
[SwitchB] stack slot 0 renumber 1 //Use the default stack priority 100 and set the stack ID to 1.
[SwitchC] stack slot 0 renumber 2 //Use the default stack priority 100 and set the stack ID to 2.

Step 4 Turn off power supplies of SwitchA, SwitchB, and SwitchC, connect physical
member ports using PCIe cables as shown in Figure 3-31, and then power on the
three switches.
NOTE

● Run the save command to save the configurations before you power off the switches.
● STACK 1 port of one switch must be connected to STACK 2 port of another switch.
Otherwise, the stack cannot be set up.
● To ensure that a stack can be set up successfully, you are advised to perform operations
in the following sequence. First, power on the switch that you want to specify as the
master switch. In this example, SwitchA becomes the master switch after you complete
the following operations.
1. Power off SwitchA, SwitchB, and SwitchC.
2. Connect SwitchA and SwitchB with a stack cable.
3. Power on and start SwitchA and then power on SwitchB.
4. Check whether SwitchA and SwitchB set up a stack successfully. For details, see step 5.
5. Connect SwitchC to SwitchB and SwitchA using stack cables and then power on SwitchC.
6. Check whether SwitchA, SwitchB, and SwitchC set up a stack successfully. For details, see step 5.

Figure 3-31 Stack connection


Step 5 Check whether a stack is set up successfully.

# Check the stack indicator status.

Press the MODE button on any member switch to change the mode status
indicator to the stack mode.

● If the mode status indicators on all the member switches change to the stack
mode, the stack is set up successfully.
● If the mode status indicator on any member switch does not change to the
stack mode, the stack is not set up.
NOTE

● The S5700-EI, S5700-SI, and S5710-C-LI use the same mode status indicator to show the
stack and speed modes. After you press the MODE button, the indicator is steady red and off
after 45 seconds, indicating that the switch enters the stack mode.
● The S5720-EI has an independent stack mode indicator (STCK indicator). After you press the
MODE button, the indicator is steady green or blinking and off after 45 seconds, indicating
that the switch enters the stack mode.

# Check basic stack information.

Log in to the stack to check whether the number of member switches in the stack
is the same as the actual value and whether the stack topology is the same as the
actual hardware connection.
<SwitchA> system-view
[SwitchA] sysname Stack
[Stack] display stack
Stack mode: Card
Stack topology type: Ring
Stack system MAC: xxxx-xxxx-xxx5
MAC switch delay time: 10 min
Stack reserved vlan : 4093
Slot of the active management port: 0
Slot  Role     Mac address     Priority  Device type
-------------------------------------------------------------
0     Master   xxxx-xxxx-xxx5  200       S5728C-EI
1     Standby  xxxx-xxxx-xxx1  100       S5728C-EI
2     Slave    xxxx-xxxx-xxx2  100       S5728C-EI

Step 6 Configure an inter-device Eth-Trunk.

# Create an Eth-Trunk in the stack and configure uplink physical ports as Eth-Trunk member ports.
[Stack] interface eth-trunk 10
[Stack-Eth-Trunk10] trunkport gigabitethernet 0/0/5
[Stack-Eth-Trunk10] trunkport gigabitethernet 1/0/5
[Stack-Eth-Trunk10] trunkport gigabitethernet 2/0/5
[Stack-Eth-Trunk10] quit

# Create an Eth-Trunk on SwitchD and configure the ports connected to the stack
as Eth-Trunk member ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] interface eth-trunk 10
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/1
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/2
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/3
[SwitchD-Eth-Trunk10] quit


Step 7 Verify the Eth-Trunk configuration.


# Check Eth-Trunk member port information. The following displays information
about Eth-Trunk member ports in the stack.
[Stack] display trunkmembership eth-trunk 10
Trunk ID: 10
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 3
Number Of Up Ports in Trunk = 3
Operate status: up

Interface GigabitEthernet0/0/5, valid, operate up, weight=1
Interface GigabitEthernet1/0/5, valid, operate up, weight=1
Interface GigabitEthernet2/0/5, valid, operate up, weight=1

Step 8 Configure MAD in relay mode and configure SwitchD as the relay agent.
# In the stack, configure MAD in relay mode on the inter-device Eth-Trunk.
[Stack] interface eth-trunk 10
[Stack-Eth-Trunk10] mad detect mode relay //This command is used in versions later than V200R002. The command used in V200R002 and earlier versions is dual-active detect mode relay.
[Stack-Eth-Trunk10] return

# On SwitchD, configure MAD in relay mode on the Eth-Trunk.
[SwitchD] interface eth-trunk 10
[SwitchD-Eth-Trunk10] mad relay //This command is used in versions later than V200R002. The command used in V200R002 and earlier versions is dual-active relay.
[SwitchD-Eth-Trunk10] return

Step 9 Verify the MAD configuration.


# Check the MAD configuration of the stack.
<Stack> display mad verbose //This command is used in versions later than V200R002. The command used in V200R002 and earlier versions is display dual-active verbose.
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
Mad relay detect interfaces configured:
Eth-Trunk10
Excluded ports(configurable):
Excluded ports(can not be configured):

# Check the MAD proxy configuration on SwitchD.
<SwitchD> display mad proxy //This command is used in versions later than V200R002. The command used in V200R002 and earlier versions is display dual-active proxy.
Mad relay interfaces configured:
Eth-Trunk10

----End

Configuration Files
● Stack configuration file (the stack configuration is written to the flash
memory instead of the configuration file)
#
sysname Stack
#
interface Eth-Trunk10
 mad detect mode relay
#
interface GigabitEthernet0/0/5
 eth-trunk 10
#
interface GigabitEthernet1/0/5
 eth-trunk 10
#
interface GigabitEthernet2/0/5
 eth-trunk 10
#
return

● SwitchD configuration file
#
sysname SwitchD
#
interface Eth-Trunk10
mad relay
#
interface GigabitEthernet0/0/1
eth-trunk 10
#
interface GigabitEthernet0/0/2
eth-trunk 10
#
interface GigabitEthernet0/0/3
eth-trunk 10
#
return

3.4.1.4 Example for Setting Up a Stack Using Service Ports (V100R006C05)

Overview
When S2710-SI, S2700-EI, S3700-SI, and S3700-EI switches set up stacks using
service ports, you do not need to manually configure stack ports. After the
switches are correctly connected using stack cables, a stack can be set up
automatically.

Networking Requirements
A new enterprise network needs to provide sufficient ports for access devices, and
the network structure should be simple to facilitate configuration and
management.
As shown in Figure 3-32, SwitchA, SwitchB, and SwitchC need to set up a stack in
a ring topology and connect to SwitchD through an inter-device Eth-Trunk.
SwitchA, SwitchB, and SwitchC are the master, standby, and slave switches
respectively, with stack IDs of 0, 1, and 2 and stack priorities of 200, 100, and 100.
As the three switches function as one logical device on the network, the number
of ports is increased and network management and maintenance are simplified.
In this example, S3700-EIs set up a stack.


Figure 3-32 Stack networking

Configuration Roadmap
1. The stacking function is enabled by default on the S3700-EI. Therefore, these
switches can set up a stack immediately after they are connected using stack
cables, without additional configuration. To facilitate device management and
identification, configure device names, stack IDs, and stack priorities for stack
member switches.
2. Power off SwitchA, SwitchB, and SwitchC, connect physical member ports
using SFP stack cables, and then power on the three switches.
3. Configure an inter-device Eth-Trunk to increase reliability and uplink
bandwidth.

Procedure
Step 1 Configure device names to differentiate devices.

# Configure a device name for SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA

# Configure a device name for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB

# Configure a device name for SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC

Step 2 Configure stack IDs and stack priorities. The default stack ID is 0, and the default
stack priority is 100.
[SwitchA] stack slot 0 priority 200 //Set the stack priority of the master switch to 200, which is larger than those of other member switches, and use the default stack ID 0.
[SwitchB] stack slot 0 renumber 1 //Use the default stack priority 100 and set the stack ID to 1.
[SwitchC] stack slot 0 renumber 2 //Use the default stack priority 100 and set the stack ID to 2.

Step 3 Turn off power supplies of SwitchA, SwitchB, and SwitchC, connect physical
member ports using SFP stack cables as shown in Figure 3-33, and then power on
the three switches.
NOTE

● Run the save command to save the configurations before you power off the switches.
● To ensure that a stack can be set up successfully, you are advised to perform operations
in the following sequence. To specify a member switch as the master switch, power on
that switch first. In this example, SwitchA becomes the master switch after you
complete the following operations.
1. Power off SwitchA, SwitchB, and SwitchC.
2. Connect SwitchA and SwitchB with a stack cable.
3. Power on and start SwitchA and then power on SwitchB.
4. Check whether SwitchA and SwitchB set up a stack successfully. For details, see step 4.
5. Connect SwitchC to SwitchB and SwitchA using stack cables and then power on SwitchC.
6. Check whether SwitchA, SwitchB, and SwitchC set up a stack successfully. For details, see step 4.

Figure 3-33 Stack connection

Step 4 Check whether a stack is set up successfully.


# Log in to the stack through the console port of the master switch to check
whether the number of member switches in the stack is the same as the actual
value and whether the stack topology is the same as the actual hardware
connection.
<SwitchA> system-view
[SwitchA] sysname Stack
[Stack] display stack
Stack topology type: Ring
Stack system MAC: xxxx-xxxx-xxx8
MAC switch delay time: never
Stack reserved vlanid : 4093
Slot  Role     Mac address     Priority  Device type
-------------------------------------------------------------
0     Master   xxxx-xxxx-xxx8  200       S3728TP-EI
1     Standby  xxxx-xxxx-xxx1  100       S3728TP-EI
2     Slave    xxxx-xxxx-xxx5  100       S3728TP-EI

Step 5 Configure an inter-device Eth-Trunk.


# Create an Eth-Trunk in the stack and configure uplink physical ports as Eth-Trunk member ports.
[Stack] interface eth-trunk 10
[Stack-Eth-Trunk10] trunkport ethernet 0/0/5
[Stack-Eth-Trunk10] trunkport ethernet 1/0/5
[Stack-Eth-Trunk10] trunkport ethernet 2/0/5
[Stack-Eth-Trunk10] return

# Create an Eth-Trunk on SwitchD and configure the ports connected to the stack
as Eth-Trunk member ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] interface eth-trunk 10
[SwitchD-Eth-Trunk10] trunkport ethernet 0/0/1
[SwitchD-Eth-Trunk10] trunkport ethernet 0/0/2
[SwitchD-Eth-Trunk10] trunkport ethernet 0/0/3
[SwitchD-Eth-Trunk10] return

Step 6 Verify the Eth-Trunk configuration.


# Check Eth-Trunk member port information. The following displays information
about Eth-Trunk member ports in the stack.
<Stack> display trunkmembership eth-trunk 10
Trunk ID: 10
used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 3
Number Of UP Ports in Trunk = 3
operate status: up

Interface Ethernet0/0/5, valid, operate up, weight=1
Interface Ethernet1/0/5, valid, operate up, weight=1
Interface Ethernet2/0/5, valid, operate up, weight=1

----End
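The stack, Eth-Trunk and MAD checks of Steps 5, 7 and 9 in 3.4.1.3 and Steps 4 and 6 in 3.4.1.4 can be scripted against saved command output in the same way. The Python below is an added example, not part of the Huawei document; its sample output is constructed from the page's examples (MAC addresses are placeholders as on the page) and the planned slot roles and priorities are those of the networking requirements.

```python
"""Added example (not from the Huawei document): offline checks for the stack
verification steps, fed with saved output of display stack, display
trunkmembership and display mad verbose. All sample output is constructed."""
import re

# Constructed 'display stack' output; MAC addresses are placeholders
DISPLAY_STACK_OUTPUT = """\
Stack topology type: Ring
Stack system MAC: xxxx-xxxx-xxx5
Slot  Role     Mac address     Priority  Device type
-------------------------------------------------------------
0     Master   xxxx-xxxx-xxx5  200       S5728C-EI
1     Standby  xxxx-xxxx-xxx1  100       S5728C-EI
2     Slave    xxxx-xxxx-xxx2  100       S5728C-EI
"""

# Constructed 'display trunkmembership eth-trunk 10' output (relevant lines only)
DISPLAY_TRUNK_OUTPUT = """\
Trunk ID: 10
Number Of Ports in Trunk = 3
Number Of Up Ports in Trunk = 3
"""

# Constructed 'display mad verbose' output
DISPLAY_MAD_OUTPUT = """\
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
Mad relay detect interfaces configured:
Eth-Trunk10
"""

# Planned members from the networking requirements: slot -> (role, priority)
EXPECTED_MEMBERS = {0: ("Master", 200), 1: ("Standby", 100), 2: ("Slave", 100)}

# One member row: slot, role, MAC, priority, device type
MEMBER_ROW = re.compile(r"^\s*(\d+)\s+(Master|Standby|Slave)\s+(\S+)\s+(\d+)\s+(\S+)\s*$")


def parse_display_stack(output):
    """Return (topology type, [member dicts]); works for both output layouts on the page."""
    topology, members = None, []
    for line in output.splitlines():
        if line.lower().startswith("stack topology type"):
            topology = line.split(":", 1)[1].strip()
        m = MEMBER_ROW.match(line)
        if m:
            members.append({"slot": int(m.group(1)), "role": m.group(2),
                            "priority": int(m.group(4))})
    return topology, members


def check_stack(output, expected, topology="Ring"):
    """Member count, topology and per-slot role/priority must match the plan.
    A chain where a ring was cabled means a stack link is missing or down."""
    actual_topology, members = parse_display_stack(output)
    problems = []
    if actual_topology != topology:
        problems.append(f"topology is {actual_topology}, expected {topology}")
    if len(members) != len(expected):
        problems.append(f"{len(members)} members in stack, expected {len(expected)}")
    by_slot = {m["slot"]: m for m in members}
    for slot, (role, priority) in expected.items():
        m = by_slot.get(slot)
        if m is None:
            problems.append(f"slot {slot} is not in the stack")
        elif (m["role"], m["priority"]) != (role, priority):
            problems.append(f"slot {slot} is {m['role']}/{m['priority']}, expected {role}/{priority}")
    return problems


def check_trunk(output):
    """Every Eth-Trunk member port must be Up, otherwise one member has no uplink."""
    total = re.search(r"Number Of Ports in Trunk\s*=\s*(\d+)", output, re.I)
    up = re.search(r"Number Of Up Ports in Trunk\s*=\s*(\d+)", output, re.I)
    if not (total and up):
        return ["port counts not found in trunkmembership output"]
    if up.group(1) != total.group(1):
        return [f"only {up.group(1)} of {total.group(1)} Eth-Trunk member ports are Up"]
    return []


def check_mad(output, relay_trunk):
    """MAD must be in Detect state and the inter-device Eth-Trunk must be the relay link."""
    problems = []
    status = re.search(r"Current MAD status:\s*(\S+)", output)
    if not status or status.group(1) != "Detect":
        problems.append(f"MAD status is {status.group(1) if status else '<missing>'}, expected Detect")
    # A line ending in ':' opens a section; the lines after it list that section's interfaces
    sections, current = {}, None
    for line in output.splitlines():
        text = line.strip()
        if text.endswith(":"):
            current = text[:-1]
        elif ":" in text:
            current = None
        elif text and current:
            sections.setdefault(current, []).append(text)
    if relay_trunk not in sections.get("Mad relay detect interfaces configured", []):
        problems.append(f"{relay_trunk} is not configured as a MAD relay interface")
    return problems


if __name__ == "__main__":
    for problem in (check_stack(DISPLAY_STACK_OUTPUT, EXPECTED_MEMBERS)
                    + check_trunk(DISPLAY_TRUNK_OUTPUT)
                    + check_mad(DISPLAY_MAD_OUTPUT, "Eth-Trunk10")):
        print("PROBLEM:", problem)
    print("checks complete")
```

For the service port example in 3.4.1.4, which configures no MAD, run only check_stack and check_trunk against its output.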

Configuration Files
● Stack configuration file (the stack configuration is written to the flash
memory instead of the configuration file)
#
sysname Stack
#
interface Eth-Trunk10
#
interface Ethernet0/0/5
 eth-trunk 10
#
interface Ethernet1/0/5
 eth-trunk 10
#
interface Ethernet2/0/5
 eth-trunk 10
#
return

● SwitchD configuration file
#
sysname SwitchD
#
interface Eth-Trunk10
#
interface Ethernet0/0/1
eth-trunk 10
#
interface Ethernet0/0/2
eth-trunk 10
#
interface Ethernet0/0/3
eth-trunk 10
#
return

3.4.1.5 Example for Setting Up a Stack Using Service Ports (V200R001 to V200R002)

Overview
Service port connection allows member switches to be connected using service
ports, without requiring dedicated stack cards.
To improve stack efficiency and reduce manual configuration, since V200R011C10,
switches can set up a stack using dedicated stack cables. Service port connections
are classified into ordinary and dedicated cable connections based on cable types.
● Ordinary cable connection: Switches use optical cables, network cables, and
high-speed cables to set up a stack.
● Dedicated cable connection: Switches use dedicated stack cables to set up a
stack. The two ends of a dedicated stack cable are the master end with the
Master tag and the slave end without any tag. The device connected to the
master end of a dedicated stack cable assumes the master role and the device
connected to the slave end assumes the slave role only after you perform
operations as required.

Networking Requirements
A new enterprise network needs to provide sufficient ports for access devices, and
the network structure should be simple to facilitate configuration and
management.
As shown in Figure 3-34, SwitchA, SwitchB, and SwitchC need to set up a stack in
a ring topology and connect to SwitchD through an inter-device Eth-Trunk.
SwitchA, SwitchB, and SwitchC are the master, standby, and slave switches
respectively, with stack IDs of 0, 1, and 2 and stack priorities of 200, 100, and 100.
As the three switches function as one logical device on the network, the number
of ports is increased and network management and maintenance are simplified.
In this example, S5700-LIs set up a stack.

Figure 3-34 Stack networking

Configuration Roadmap
1. Configure logical stack ports and add physical member ports to the
corresponding logical stack ports to enable packet forwarding between
member switches.
2. Configure stack IDs and stack priorities for member switches to facilitate
device management and identification.
3. Power off SwitchA, SwitchB, and SwitchC, connect physical member ports
using SFP+ stack cables, and then power on the three switches.
4. Configure an inter-device Eth-Trunk to increase reliability and uplink
bandwidth.
5. Configure dual-active detection (DAD) in relay mode to ensure network
availability when the stack splits.

Procedure
Step 1 Configure logical stack ports and add physical member ports to them.
NOTE

Interface stack-port 0/1 of one switch must be connected to interface stack-port 0/2 of
another switch. Otherwise, the stack cannot be set up.

# Configure service ports GigabitEthernet0/0/27 and GigabitEthernet0/0/28 on
SwitchA as physical member ports and add them to corresponding logical stack
ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stack port interface gigabitethernet 0/0/27 enable
[SwitchA] stack port interface gigabitethernet 0/0/28 enable
[SwitchA] interface stack-port 0/1
[SwitchA-stack-port0/1] port member-group interface gigabitethernet 0/0/27
[SwitchA-stack-port0/1] quit
[SwitchA] interface stack-port 0/2
[SwitchA-stack-port0/2] port member-group interface gigabitethernet 0/0/28
[SwitchA-stack-port0/2] quit

# Configure service ports GigabitEthernet0/0/27 and GigabitEthernet0/0/28 on
SwitchB as physical member ports and add them to corresponding logical stack
ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] stack port interface gigabitethernet 0/0/27 enable
[SwitchB] stack port interface gigabitethernet 0/0/28 enable
[SwitchB] interface stack-port 0/1
[SwitchB-stack-port0/1] port member-group interface gigabitethernet 0/0/27
[SwitchB-stack-port0/1] quit
[SwitchB] interface stack-port 0/2
[SwitchB-stack-port0/2] port member-group interface gigabitethernet 0/0/28
[SwitchB-stack-port0/2] quit

# Configure service ports GigabitEthernet0/0/27 and GigabitEthernet0/0/28 on
SwitchC as physical member ports and add them to corresponding logical stack
ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] stack port interface gigabitethernet 0/0/27 enable
[SwitchC] stack port interface gigabitethernet 0/0/28 enable
[SwitchC] interface stack-port 0/1
[SwitchC-stack-port0/1] port member-group interface gigabitethernet 0/0/27
[SwitchC-stack-port0/1] quit
[SwitchC] interface stack-port 0/2
[SwitchC-stack-port0/2] port member-group interface gigabitethernet 0/0/28
[SwitchC-stack-port0/2] quit

Step 2 Configure stack IDs and stack priorities. The default stack ID is 0, and the default
stack priority is 100.
[SwitchA] stack slot 0 priority 200 //Set the stack priority of the master switch to 200, which is larger than those of other member switches, and use the default stack ID 0.
[SwitchB] stack slot 0 renumber 1 //Use the default stack priority 100 and set the stack ID to 1.
[SwitchC] stack slot 0 renumber 2 //Use the default stack priority 100 and set the stack ID to 2.

Step 3 Turn off power supplies of SwitchA, SwitchB, and SwitchC, connect physical
member ports using SFP+ stack cables as shown in Figure 3-35, and then power
on the three switches.

NOTE

● Run the save command to save the configurations before you power off the switches.
● To ensure that a stack can be set up successfully, you are advised to perform operations
in the following sequence. To specify a member switch as the master switch, power on
that switch first. In this example, SwitchA becomes the master switch after you
complete the following operations.
1. Power off SwitchA, SwitchB, and SwitchC.
2. Connect SwitchA and SwitchB with a stack cable.
3. Power on and start SwitchA and then power on SwitchB.
4. Check whether SwitchA and SwitchB set up a stack successfully. For details, see step 4.
5. Connect SwitchC to SwitchB and SwitchA using stack cables and then power on
SwitchC.
6. Check whether SwitchA, SwitchB, and SwitchC set up a stack successfully. For details, see step 4.

Figure 3-35 Stack connection

Step 4 Check whether a stack is set up successfully.


# Check the stack indicator status.
Press the MODE button on any member switch to change the mode status
indicator to the stack mode.
● If the mode status indicators on all the member switches change to the stack
mode, the stack is set up successfully.
● If the mode status indicator on any member switch does not change to the
stack mode, the stack is not set up.
NOTE

● The S6700-EI uses the mode status indicator to show the stack and speed modes. After you
press the MODE button, the indicator is steady red and off after 45 seconds, indicating that
the switch enters the stack mode.
● The S5700-LI and S5710-EI have an independent stack mode indicator (STCK indicator).
After you press the MODE button, the indicator is steady green or blinking and off after 45
seconds, indicating that the switch enters the stack mode.

# Check basic stack information.


Log in to the stack to check whether the number of member switches in the stack
is the same as the actual value and whether the stack topology is the same as the
actual hardware connection.
<SwitchA> system-view
[SwitchA] sysname Stack
[Stack] display stack
Stack topology type : Ring
Stack system MAC: 00e0-fc00-1234
MAC switch delay time: 10 min
Stack reserved vlanid : 4093
Slot Role Mac address Priority Device type
-------------------------------------------------------------
0 Master 00e0-fc00-1234 200 S5700-28P-LI-AC
1 Standby 00e0-fc00-1235 100 S5700-28P-LI-AC
2 Slave 00e0-fc00-1236 100 S5700-28P-LI-AC

Step 5 Configure an inter-device Eth-Trunk.


# Create an Eth-Trunk in the stack and configure uplink physical ports as Eth-Trunk member ports.
[Stack] interface eth-trunk 10
[Stack-Eth-Trunk10] trunkport gigabitethernet 0/0/5
[Stack-Eth-Trunk10] trunkport gigabitethernet 1/0/5
[Stack-Eth-Trunk10] trunkport gigabitethernet 2/0/5
[Stack-Eth-Trunk10] quit

# Create an Eth-Trunk on SwitchD and configure the ports connected to the stack
as Eth-Trunk member ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] interface eth-trunk 10
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/1
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/2
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/3
[SwitchD-Eth-Trunk10] quit

Step 6 Verify the Eth-Trunk configuration.


# Check Eth-Trunk member port information. The following displays information
about Eth-Trunk member ports in the stack.
[Stack] display trunkmembership eth-trunk 10
Trunk ID: 10
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 3
Number Of Up Ports in Trunk = 3
Operate status: up

Interface GigabitEthernet0/0/5, valid, operate up, weight=1
Interface GigabitEthernet1/0/5, valid, operate up, weight=1
Interface GigabitEthernet2/0/5, valid, operate up, weight=1

Step 7 Configure DAD in relay mode on SwitchD and configure SwitchD as the relay
agent.
# In the stack, configure DAD in relay mode on the inter-device Eth-Trunk.
[Stack] interface eth-trunk 10
[Stack-Eth-Trunk10] dual-active detect mode relay
[Stack-Eth-Trunk10] return

# On SwitchD, configure DAD in relay mode on the Eth-Trunk.
[SwitchD] interface eth-trunk 10
[SwitchD-Eth-Trunk10] dual-active relay
[SwitchD-Eth-Trunk10] return

Step 8 Verify the DAD configuration.


# Check the DAD configuration of the stack.
<Stack> display dual-active verbose
Current DAD status: Detect
Dual-active direct detect interfaces configured:
Dual-active relay detect interfaces configured:
Eth-Trunk10
Excluded ports(configurable):
Excluded ports(can not be configured):
GigabitEthernet0/0/27
GigabitEthernet0/0/28
GigabitEthernet1/0/27
GigabitEthernet1/0/28
GigabitEthernet2/0/27
GigabitEthernet2/0/28

# Check the DAD proxy configuration on SwitchD.


<SwitchD> display dual-active proxy
Dual-active relay interfaces configured:
Eth-Trunk10

----End

Configuration Files
● Stack configuration file (the stack configuration is written to the flash
memory instead of the configuration file)
#
sysname Stack
#
interface Eth-Trunk10
dual-active detect mode relay
#
interface GigabitEthernet0/0/5
eth-trunk 10
#
interface GigabitEthernet1/0/5
eth-trunk 10
#
interface GigabitEthernet2/0/5
eth-trunk 10
#
return
● SwitchD configuration file
#
sysname SwitchD
#
interface Eth-Trunk10
dual-active relay
#
interface GigabitEthernet0/0/1
eth-trunk 10
#
interface GigabitEthernet0/0/2
eth-trunk 10
#
interface GigabitEthernet0/0/3
eth-trunk 10
#
return

3.4.1.6 Example for Setting Up a Stack Using Service Ports (V200R003 and Later Versions)

Overview
Service port connection allows member switches to be connected using service
ports, without requiring dedicated stack cards.
To improve stack efficiency and reduce manual configuration, since V200R011C10,
switches can set up a stack using dedicated stack cables. Service port connections
are classified into ordinary and dedicated cable connections based on cable types.
● Ordinary cable connection: Switches use optical cables, network cables, and
high-speed cables to set up a stack.
● Dedicated cable connection: Switches use dedicated stack cables to set up a
stack. The two ends of a dedicated stack cable are the master end with the
Master tag and the slave end without any tag. The device connected to the
master end of a dedicated stack cable assumes the master role and the device
connected to the slave end assumes the slave role only after you perform
operations as required.

Networking Requirements
A new enterprise network needs to provide sufficient ports for access devices, and
the network structure should be simple to facilitate configuration and
management.
As shown in Figure 3-36, SwitchA, SwitchB, and SwitchC need to set up a stack in
a ring topology and connect to SwitchD through an inter-device Eth-Trunk.
SwitchA, SwitchB, and SwitchC are the master, standby, and slave switches
respectively, with stack IDs of 0, 1, and 2 and stack priorities of 200, 100, and 100.
As the three switches function as one logical device on the network, the number
of ports is increased and network management and maintenance are simplified.
In this example, S5700-28X-LI-AC switches set up a stack.

Figure 3-36 Stack networking

Configuration Roadmap
1. Configure logical stack ports and add physical member ports to the
corresponding logical stack ports to enable packet forwarding between
member switches.
2. Configure stack IDs and stack priorities for member switches to facilitate
device management and identification.
3. Turn off power supplies of SwitchA, SwitchB, and SwitchC, connect physical
member ports using SFP+ stack cables, and then power on the three switches.
4. Configure an inter-device Eth-Trunk to increase reliability and uplink
bandwidth.
5. Configure multi-active detection (MAD) in relay mode to ensure network
availability when the stack splits.

Procedure
Step 1 Configure logical stack ports and add physical member ports to them.
NOTE

Interface stack-port 0/1 of one switch must be connected to interface stack-port 0/2 of
another switch. Otherwise, the stack cannot be set up.

# Configure service ports GigabitEthernet0/0/27 and GigabitEthernet0/0/28 on
SwitchA as physical member ports and add them to corresponding logical stack
ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface stack-port 0/1
[SwitchA-stack-port0/1] port interface gigabitethernet 0/0/27 enable
[SwitchA-stack-port0/1] quit
[SwitchA] interface stack-port 0/2
[SwitchA-stack-port0/2] port interface gigabitethernet 0/0/28 enable
[SwitchA-stack-port0/2] quit

# Configure service ports GigabitEthernet0/0/27 and GigabitEthernet0/0/28 on
SwitchB as physical member ports and add them to corresponding logical stack
ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] interface stack-port 0/1
[SwitchB-stack-port0/1] port interface gigabitethernet 0/0/27 enable
[SwitchB-stack-port0/1] quit
[SwitchB] interface stack-port 0/2
[SwitchB-stack-port0/2] port interface gigabitethernet 0/0/28 enable
[SwitchB-stack-port0/2] quit

# Configure service ports GigabitEthernet0/0/27 and GigabitEthernet0/0/28 on
SwitchC as physical member ports and add them to corresponding logical stack
ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] interface stack-port 0/1
[SwitchC-stack-port0/1] port interface gigabitethernet 0/0/27 enable
[SwitchC-stack-port0/1] quit
[SwitchC] interface stack-port 0/2
[SwitchC-stack-port0/2] port interface gigabitethernet 0/0/28 enable
[SwitchC-stack-port0/2] quit

Step 2 Configure stack IDs and stack priorities. The default stack ID is 0, and the default
stack priority is 100.
[SwitchA] stack slot 0 priority 200 //Set the stack priority of the master switch to 200, which is larger than those of other member switches, and use the default stack ID 0.
[SwitchB] stack slot 0 renumber 1 //Use the default stack priority 100 and set the stack ID to 1.
[SwitchC] stack slot 0 renumber 2 //Use the default stack priority 100 and set the stack ID to 2.

Step 3 Turn off power supplies of SwitchA, SwitchB, and SwitchC, connect physical
member ports using SFP+ stack cables as shown in Figure 3-37, and then power
on the three switches.

NOTE

● Run the save command to save the configurations before you power off the switches.
● To ensure that a stack can be set up successfully, you are advised to perform operations
in the following sequence. To specify a member switch as the master switch, power on
that switch first. In this example, SwitchA becomes the master switch after you
complete the following operations.
1. Power off SwitchA, SwitchB, and SwitchC.
2. Connect SwitchA and SwitchB with a stack cable.
3. Power on and start SwitchA and then power on SwitchB.
4. Check whether SwitchA and SwitchB set up a stack successfully. For details, see step 4.
5. Connect SwitchC to SwitchB and SwitchA using stack cables and then power on
SwitchC.
6. Check whether SwitchA, SwitchB, and SwitchC set up a stack successfully. For details, see step 4.

Figure 3-37 Stack connection

Step 4 Check whether a stack is set up successfully.


# Check the stack indicator status.
Press the MODE button on any member switch to change the mode status
indicator to the stack mode.
● If the mode status indicators on all the member switches change to the stack
mode, the stack is set up successfully.
● If the mode status indicator on any member switch does not change to the
stack mode, the stack is not set up.

NOTE

● The S5700-SI, S5700-EI, S5700-HI, S6700-EI, and S5710-C-LI use the same mode status
indicator to show the stack and speed modes. After you press the MODE button, the indicator is
steady red and off after 45 seconds, indicating that the switch enters the stack mode.
● The S5732-H, S6730-S, S6730S-S, S6720-HI, S6730-H, and S6730S-H have an independent
stack master/slave indicator to show the MST. If the indicator is off, the switch is not a stack
master. If the indicator is steady green, the switch is a stack master or standalone switch.
● Other models have an independent stack mode indicator (STCK indicator). After you press
the MODE button, the indicator is steady green or blinking and off after 45 seconds,
indicating that the switch enters the stack mode.

# Check basic stack information.


Log in to the stack through the console port of any member switch to check
whether the number of member switches in the stack is the same as the actual
value and whether the stack topology is the same as the actual hardware
connection.
<SwitchA> system-view
[SwitchA] sysname Stack
[Stack] display stack
Stack mode: Service-port
Stack topology type : Ring
Stack system MAC: xxxx-xxxx-xxx5
MAC switch delay time: 10 min
Stack reserved vlan : 4093
Slot of the active management port: 0
Slot Role Mac address Priority Device type
-------------------------------------------------------------
0 Master xxxx-xxxx-xxx5 200 S5700-28P-LI-AC
1 Standby xxxx-xxxx-xxx4 100 S5700-28P-LI-AC
2 Slave xxxx-xxxx-xxx1 100 S5700-28P-LI-AC

Step 5 Configure an inter-device Eth-Trunk.


# Create an Eth-Trunk in the stack and configure uplink physical ports as Eth-
Trunk member ports.
[Stack] interface eth-trunk 10
[Stack-Eth-Trunk10] trunkport gigabitethernet 0/0/5
[Stack-Eth-Trunk10] trunkport gigabitethernet 1/0/5
[Stack-Eth-Trunk10] trunkport gigabitethernet 2/0/5
[Stack-Eth-Trunk10] quit

# Create an Eth-Trunk on SwitchD and configure the ports connected to the stack
as Eth-Trunk member ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] interface eth-trunk 10
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/1
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/2
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/3
[SwitchD-Eth-Trunk10] quit

Step 6 Verify the Eth-Trunk configuration.


# Check Eth-Trunk member port information. The following displays information
about Eth-Trunk member ports in the stack.
[Stack] display trunkmembership eth-trunk 10
Trunk ID: 10
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 3
Number Of Up Ports in Trunk = 3
Operate status: up

Interface GigabitEthernet0/0/5, valid, operate up, weight=1
Interface GigabitEthernet1/0/5, valid, operate up, weight=1
Interface GigabitEthernet2/0/5, valid, operate up, weight=1

Step 7 Configure MAD in relay mode on SwitchD and configure SwitchD as the relay
agent.
# In the stack, configure MAD in relay mode on the inter-device Eth-Trunk.
[Stack] interface eth-trunk 10
[Stack-Eth-Trunk10] mad detect mode relay
[Stack-Eth-Trunk10] return

# On SwitchD, configure MAD in relay mode on the Eth-Trunk.
[SwitchD] interface eth-trunk 10
[SwitchD-Eth-Trunk10] mad relay
[SwitchD-Eth-Trunk10] return

Step 8 Verify the MAD configuration.


# Check the MAD configuration of the stack.
<Stack> display mad verbose
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
Mad relay detect interfaces configured:
Eth-Trunk10
Excluded ports(configurable):
Excluded ports(can not be configured):
GigabitEthernet0/0/27
GigabitEthernet0/0/28
GigabitEthernet1/0/27
GigabitEthernet1/0/28
GigabitEthernet2/0/27
GigabitEthernet2/0/28

# Check the MAD proxy configuration on SwitchD.


<SwitchD> display mad proxy
Mad relay interfaces configured:
Eth-Trunk10
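As an added check for Step 8 here and for the DAD variant of Step 8 in the V200R001 to V200R002 example (example code written for this page, not from the Huawei documentation), the following Python parses the display mad verbose (or display dual-active verbose) output captured on the stack and the display mad proxy output captured on SwitchD, and confirms that the stack is still in the Detect state, that both sides agree on Eth-Trunk10 as the relay interface, and that the stack member ports are among the ports excluded from the MAD shutdown. The sample outputs are constructed from the ones shown above; the function names and the STACK_PORTS list are assumptions.

```python
import re

# Constructed sample mirroring "display mad verbose" on the stack (Step 8).
STACK_MAD_VERBOSE = """\
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
Mad relay detect interfaces configured:
Eth-Trunk10
Excluded ports(configurable):
Excluded ports(can not be configured):
GigabitEthernet0/0/27
GigabitEthernet0/0/28
GigabitEthernet1/0/27
GigabitEthernet1/0/28
GigabitEthernet2/0/27
GigabitEthernet2/0/28
"""

# Constructed sample mirroring "display mad proxy" on SwitchD, the relay agent.
SWITCHD_MAD_PROXY = """\
Mad relay interfaces configured:
Eth-Trunk10
"""

# Physical stack member ports of the three-member stack (slots 0-2, ports 27/28),
# an assumption matching the topology configured in Step 1.
STACK_PORTS = ["GigabitEthernet%d/0/%d" % (slot, port)
               for slot in range(3) for port in (27, 28)]

# Matches both the MAD (V200R003+) and the DAD (V200R001/R002) status line.
STATUS_RE = re.compile(r"^Current (?:MAD|DAD) status:\s*(\w+)", re.IGNORECASE)


def parse_mad(text):
    """Split verbose/proxy output into named lists; a header line ending in ':'
    opens a section and the bare interface names that follow belong to it."""
    result = {"status": None, "direct": [], "relay": [],
              "excluded_configurable": [], "excluded_fixed": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATUS_RE.match(line)
        if m:
            result["status"] = m.group(1)
            continue
        if line.endswith(":"):
            head = line.lower()
            if "direct" in head:
                section = "direct"
            elif "relay" in head:
                section = "relay"
            elif "excluded" in head and "can not" in head:
                section = "excluded_fixed"
            elif "excluded" in head:
                section = "excluded_configurable"
            else:
                section = None
            continue
        if ":" in line:          # key/value line such as "Current MAD domain: 0"
            continue
        if section:
            result[section].append(line)
    return result


def check_mad(stack_verbose, proxy_output, relay_trunk, stack_ports):
    """Return a list of problems; empty means relay-mode MAD is consistent."""
    stack = parse_mad(stack_verbose)
    proxy = parse_mad(proxy_output)
    problems = []
    # Any state other than Detect means a split was detected and ports were shut down.
    if stack["status"] != "Detect":
        problems.append("stack status is %s, expected Detect" % stack["status"])
    if relay_trunk not in stack["relay"]:
        problems.append("%s is not a relay detect interface on the stack" % relay_trunk)
    if relay_trunk not in proxy["relay"]:
        problems.append("%s is not a relay interface on the relay agent" % relay_trunk)
    excluded = set(stack["excluded_configurable"]) | set(stack["excluded_fixed"])
    for port in stack_ports:
        if port not in excluded:
            problems.append("stack port %s is not excluded from MAD shutdown" % port)
    return problems


if __name__ == "__main__":
    found = check_mad(STACK_MAD_VERBOSE, SWITCHD_MAD_PROXY, "Eth-Trunk10", STACK_PORTS)
    for line in found or ["relay-mode MAD is consistent on the stack and on SwitchD"]:
        print(line)
```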

----End

Configuration Files
● Stack configuration file (the stack configuration is written to the flash
memory instead of the configuration file)
#
sysname Stack
#
interface Eth-Trunk10
mad detect mode relay
#
interface GigabitEthernet0/0/5
eth-trunk 10
#
interface GigabitEthernet1/0/5
eth-trunk 10
#
interface GigabitEthernet2/0/5
eth-trunk 10
#
return

● SwitchD configuration file


#
sysname SwitchD
#
interface Eth-Trunk10
mad relay
#
interface GigabitEthernet0/0/1
eth-trunk 10
#
interface GigabitEthernet0/0/2
eth-trunk 10
#
interface GigabitEthernet0/0/3
eth-trunk 10
#
return

3.4.1.7 Example for Establishing a Stack Through Service Port Connections Using Dedicated Stack Cables (V200R011C10 and Later Versions)

Overview
Service port connection allows member switches to be connected using service
ports, without requiring dedicated stack cards.
To improve stack efficiency and reduce manual configuration, since V200R011C10,
switches can set up a stack using dedicated stack cables. Service port connections
are classified into ordinary and dedicated cable connections based on cable types.
● Ordinary cable connection: Switches use optical cables, network cables, and
high-speed cables to set up a stack.
● Dedicated cable connection: Switches use dedicated stack cables to set up a
stack. The two ends of a dedicated stack cable are the master end with the
Master tag and the slave end without any tag. The device connected to the
master end of a dedicated stack cable assumes the master role and the device
connected to the slave end assumes the slave role only after you perform
operations as required.

Precautions
● Connect member switches using dedicated stack cables based on the
following rules:
– Connect the switches in sequence from top to bottom.
– Ensure that all logical stack ports of the top switch are connected to the
master ends of cables, all logical stack ports of the bottom switch are
connected to the slave ends of cables, and two logical stack ports of the
intermediate switch are connected to the master and slave ends
respectively.
– After the switches have been connected using dedicated stack cables,
they automatically set up a stack and their stack IDs as well as stack
roles are automatically assigned.
– If the switches are not connected in a ring topology, you only need to
ensure that logical stack port 1 of the local switch is connected to logical
stack port 2 of the remote switch. In this situation, these switches can set
up a stack, but their master and standby roles and stack IDs are
randomly generated.
● Ensure that there are no service configurations on the ports that have
dedicated stack cables connected. Otherwise, these ports cannot
automatically become stack ports and the switches cannot set up a stack.
– On ASs in an SVF system, ensure that there are no other configurations
except the shutdown and stp root-protection command configurations
on ports.
– On other switches, ensure that there are no other configurations except
the shutdown command configuration on ports.
● If logical stack port numbers have been manually configured before dedicated
stack cables are connected, the configured port numbers still take effect after
the cables are connected. You need to connect these ports based on the
configured port numbers. If logical stack port numbers are not manually
configured, corresponding logical stack port numbers will be automatically
generated after dedicated stack cables are connected. To view logical stack
ports of ports supporting dedicated stack cables and master as well as slave
ends of the cables connected to these ports, run the display stack port auto-cable-info command.

Networking Requirements
An enterprise network needs to provide sufficient ports for access devices, and the
network structure should be simple to facilitate configuration and management.
As shown in Figure 3-38, SwitchA, SwitchB, and SwitchC set up a stack in a ring
topology and connect to SwitchD through an inter-chassis Eth-Trunk. To reduce the
configuration, the three switches set up the stack using dedicated stack cables.
In the stack, SwitchA needs to function as the master switch, SwitchB as the
standby switch, and SwitchC as the slave switch.
This example describes how to use S5720-28P-PWR-LI-AC switches to set up a
stack.

Figure 3-38 Stack topology

Configuration Roadmap
1. Power off SwitchA, SwitchB, and SwitchC to ensure safety.
2. Connect the switches using dedicated stack cables based on dedicated stack
cable connection rules.
3. Power on these switches in the following sequence to ensure that SwitchA,
SwitchB, and SwitchC become the master switch, standby switch, and slave
switch respectively.
4. Save the stack configuration automatically generated for dedicated cable
stacking to the flash memory. This ensures that the stack configuration still
takes effect when these cables are removed or other cables are connected.
5. Configure an inter-chassis Eth-Trunk to increase reliability and uplink
bandwidth.
6. Configure multi-active detection in relay mode to ensure network availability
when the stack splits.

Procedure
Step 1 Power off SwitchA, SwitchB, and SwitchC.
Step 2 With SwitchA, SwitchB, and SwitchC powered off, connect them using dedicated
stack cables as shown in Figure 3-39.

NOTE

● Logical stack port 1 of the local switch must be connected to logical stack port 2 of the
adjacent switch. Otherwise, these switches cannot set up a stack.
● All logical stack ports of SwitchA must be connected to the master ends of dedicated stack
cables, and all logical stack ports of SwitchC must be connected to the slave ends of these
cables.

Figure 3-39 Dedicated stack cable connection

Step 3 Power on SwitchA, SwitchB, and SwitchC in sequence.

# Power on these switches in the following sequence to ensure that SwitchA,
SwitchB, and SwitchC become the master switch, standby switch, and slave switch
respectively.
1. Power on SwitchA first.
2. Power on SwitchB after SwitchA starts.
3. Power on SwitchC after SwitchB starts.

The preceding power-on sequence can guarantee only roles of these switches but
not their slot IDs. The following assumes that SwitchA, SwitchB, and SwitchC use
automatically generated slot IDs 0, 1, and 2 respectively.

Step 4 Check whether a stack has been set up successfully.

# Check the stack indicator status.

Press the mode switching (MODE) button on any member switch to change the
mode status indicator to the stack mode.

● If the mode status indicators on all member switches change to the stack
mode, a stack has been set up successfully.
● If the mode status indicator on any member switch does not change to the
stack mode, a stack has not been set up.

NOTE

● The S5700-SI, S5700-EI, S5700-HI, S6700-EI, and S5710-C-LI use the same mode status
indicator to show the stack and speed modes. After you press the MODE button, the indicator is
steady red and off after 45 seconds, indicating that the switch enters the stack mode.
● The S5732-H, S6730-S, S6730S-S, S6720-HI, S6730-H, and S6730S-H have an independent
stack master/slave indicator to show the MST. If the indicator is off, the switch is not a stack
master. If the indicator is steady green, the switch is a stack master or standalone switch.
● Other models have an independent stack mode indicator (STCK indicator). After you press
the MODE button, the indicator is steady green or blinking and off after 45 seconds,
indicating that the switch enters the stack mode.

# Check basic stack information.


Log in to the stack through the console port of any member switch to check
whether the number of member switches in the stack is the same as the actual
value and whether the stack topology status is the same as the actual hardware
connection.
<SwitchA> system-view
[SwitchA] sysname Stack
[Stack] display stack
Stack mode: Service-port
Stack topology type : Ring
Stack system MAC: xxxx-xxxx-xxx5
MAC switch delay time: 10 min
Stack reserved vlan : 4093
Slot of the active management port: 0
Slot Role Mac address Priority Device type
-------------------------------------------------------------
0 Master xxxx-xxxx-xxx5 100 S5720-28P-LI-AC
1 Standby xxxx-xxxx-xxx4 100 S5720-28P-LI-AC
2 Slave xxxx-xxxx-xxx1 100 S5720-28P-LI-AC

Step 5 Save the stack configuration that is automatically generated for dedicated cable
stacking to the flash memory.
# After verifying that a stack has been set up, save the stack configuration that is
automatically generated for dedicated cable stacking to the flash memory.
[Stack] save stack configuration
Warning: This operation will save all stack configurations to flash. Are you sure you want to continue? [Y/
N]:y

Step 6 Configure an inter-device Eth-Trunk.
# Create an Eth-Trunk in the stack and configure uplink physical ports as Eth-
Trunk member ports.
[Stack] interface eth-trunk 10
[Stack-Eth-Trunk10] trunkport gigabitethernet 0/0/5
[Stack-Eth-Trunk10] trunkport gigabitethernet 1/0/5
[Stack-Eth-Trunk10] trunkport gigabitethernet 2/0/5
[Stack-Eth-Trunk10] quit

# Create an Eth-Trunk on SwitchD and configure the ports connected to the stack
as Eth-Trunk member ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] interface eth-trunk 10
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/1
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/2
[SwitchD-Eth-Trunk10] trunkport gigabitethernet 0/0/3
[SwitchD-Eth-Trunk10] quit

Step 7 Verify the Eth-Trunk configuration.
# Check Eth-Trunk member port information. The following displays information
about Eth-Trunk member ports in the stack.
[Stack] display trunkmembership eth-trunk 10
Trunk ID: 10
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 3
Number Of Up Ports in Trunk = 3
Operate status: up

Interface GigabitEthernet0/0/5, valid, operate up, weight=1
Interface GigabitEthernet1/0/5, valid, operate up, weight=1
Interface GigabitEthernet2/0/5, valid, operate up, weight=1

Step 8 Configure MAD in relay mode in the stack and configure SwitchD as the relay
agent.
# In the stack, configure MAD in relay mode on the inter-chassis Eth-Trunk.
[Stack] interface eth-trunk 10
[Stack-Eth-Trunk10] mad detect mode relay
[Stack-Eth-Trunk10] return

# Configure MAD in relay mode on the relay agent SwitchD.
[SwitchD] interface eth-trunk 10
[SwitchD-Eth-Trunk10] mad relay
[SwitchD-Eth-Trunk10] return

Step 9 Verify the MAD configuration.
# Check detailed MAD configuration of the stack.
<Stack> display mad verbose
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
Mad relay detect interfaces configured:
Eth-Trunk10
Excluded ports(configurable):
Excluded ports(can not be configured):
GigabitEthernet0/0/26
GigabitEthernet0/0/27
GigabitEthernet1/0/26
GigabitEthernet1/0/27
GigabitEthernet2/0/26
GigabitEthernet2/0/27

# Check the MAD proxy configuration on SwitchD.
<SwitchD> display mad proxy
Mad relay interfaces configured:
Eth-Trunk10

----End
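Steps 4 and 9 verify the stack by reading the CLI output by eye. As an added example that is not part of the original document, the following Python script parses captured display stack and display mad verbose output (the sample text is copied from the outputs shown in Steps 4 and 9) and checks what a practitioner wants to confirm after a stack is built: the member count and ring topology match the plan, exactly one master and one standby exist, MAD is in the Detect state, relay detection is bound to the expected Eth-Trunk, and direct and relay MAD interfaces are not both present. The expected values, the check function and the rule against mixing the two MAD modes on one stack are this example's assumptions; the output formats are the ones shown on this page.

```python
"""Post-setup check of a Huawei iStack: parse 'display stack' and
'display mad verbose' output and compare it with the planned design."""
import re
from dataclasses import dataclass

# Sample input, constructed from the command output shown in Steps 4 and 9
# above (MAC addresses masked as in the original).
DISPLAY_STACK = """\
Stack mode: Service-port
Stack topology type : Ring
Stack system MAC: xxxx-xxxx-xxx5
MAC switch delay time: 10 min
Stack reserved vlan : 4093
Slot of the active management port: 0
Slot Role Mac address Priority Device type
-------------------------------------------------------------
0 Master xxxx-xxxx-xxx5 100 S5720-28P-LI-AC
1 Standby xxxx-xxxx-xxx4 100 S5720-28P-LI-AC
2 Slave xxxx-xxxx-xxx1 100 S5720-28P-LI-AC
"""

DISPLAY_MAD_VERBOSE = """\
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
Mad relay detect interfaces configured:
Eth-Trunk10
Excluded ports(configurable):
Excluded ports(can not be configured):
GigabitEthernet0/0/26
GigabitEthernet0/0/27
"""


@dataclass
class Member:
    slot: int
    role: str
    mac: str
    priority: int
    device_type: str


# Member row: slot, role, MAC, priority and an optional device type column
# (the 'display stack' output in 3.4.1.9 leaves the device type empty).
MEMBER_RE = re.compile(
    r"^(\d+)\s+(Master|Standby|Slave)\s+(\S+)\s+(\d+)(?:\s+(\S+))?$")


def parse_display_stack(text):
    """Return (topology, [Member, ...]) from 'display stack' output."""
    topology, members = "", []
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Stack topology type\s*:\s*(\S+)", line)
        if m:
            topology = m.group(1)
            continue
        m = MEMBER_RE.match(line)
        if m:
            members.append(Member(int(m[1]), m[2], m[3], int(m[4]), m[5] or ""))
    return topology, members


def parse_mad_verbose(text):
    """Return (status, relay_interfaces, direct_interfaces)."""
    status, section, found = "", None, {"direct": [], "relay": []}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Current MAD status:\s*(\S+)", line)
        if m:
            status = m.group(1)
        elif line.startswith("Mad direct detect interfaces configured"):
            section = "direct"
        elif line.startswith("Mad relay detect interfaces configured"):
            section = "relay"
        elif line.startswith("Excluded ports"):
            section = None          # the interface lists end here
        elif section and line:
            found[section].append(line)
    return status, found["relay"], found["direct"]


def check_stack(stack_text, mad_text, expected_members,
                expected_topology="Ring", relay_trunk="Eth-Trunk10"):
    """Compare live output with the plan; an empty list means every check passed."""
    findings = []
    topology, members = parse_display_stack(stack_text)
    if len(members) != expected_members:
        findings.append(f"{len(members)} members found, {expected_members} expected")
    if topology != expected_topology:
        findings.append(f"topology is {topology!r}, expected {expected_topology!r}")
    roles = [m.role for m in members]
    if roles.count("Master") != 1 or roles.count("Standby") != 1:
        findings.append(f"roles are {roles}; expected exactly one Master and one Standby")
    status, relay, direct = parse_mad_verbose(mad_text)
    if status != "Detect":
        findings.append(f"MAD status is {status!r}, expected 'Detect'")
    if relay_trunk not in relay:
        findings.append(f"MAD relay is not configured on {relay_trunk}")
    if relay and direct:
        findings.append("both direct and relay MAD interfaces are configured")
    return findings


if __name__ == "__main__":
    for finding in check_stack(DISPLAY_STACK, DISPLAY_MAD_VERBOSE, expected_members=3):
        print("FINDING:", finding)
```

Run it against output captured from the console after Step 9; a non-empty list of findings means the stack does not match the design and should not be handed over. The same parser applies to the display stack output in 3.4.1.9, where the device type column is empty.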

Configuration Files
● Stack configuration file (the stack configuration is written to the flash
memory instead of the configuration file)
#
sysname Stack
#
interface Eth-Trunk10
mad detect mode relay
#
interface GigabitEthernet0/0/5
eth-trunk 10
#
interface GigabitEthernet1/0/5
eth-trunk 10
#
interface GigabitEthernet2/0/5
eth-trunk 10
#
return
● SwitchD configuration file
#
sysname SwitchD
#
interface Eth-Trunk10
mad relay
#
interface GigabitEthernet0/0/1
eth-trunk 10
#
interface GigabitEthernet0/0/2
eth-trunk 10
#
interface GigabitEthernet0/0/3
eth-trunk 10
#
return

3.4.1.8 Stacked Switch Replacement Guide


You may need to replace a faulty member switch in a stack. To prevent services
from being interrupted during the switch replacement, use inter-device link
aggregation to connect upstream and downstream devices for link backup.
● Replace one member switch in a stack of two member switches.
SwitchA and SwitchB set up a stack. SwitchA is faulty and needs to be
replaced by SwitchC. You are advised to follow this procedure to complete the
replacement:
a. Before the replacement, ensure that SwitchC has the same system
software version and hardware model as SwitchA. To check the system
software version and hardware model of switches, run the display
version and display device commands.
b. Run the display stack, display stack configuration, and display stack
port commands to check and record the before-replacement stack status,
stack configuration, and stack port status.
c. Before connecting SwitchC with stack cables, power on it and perform the
following procedure to configure it:
i. After SwitchC starts, upload the configuration file of SwitchA to
SwitchC.
ii. Run the startup saved-configuration configuration-file command to
specify the uploaded configuration file as the configuration file used
for the next startup of SwitchC, and then restart SwitchC.
iii. After SwitchC restarts, manually configure it with the stack configuration
recorded in step b (the output of the display stack configuration
command) so that SwitchC has the same stack configuration as
SwitchA.
d. After the configuration is complete, check whether SwitchC has the same
stack configuration as SwitchA. If so, power off SwitchC.
e. (Optional) To prevent OSPF, BGP, or LDP flapping during a master/standby
switchover in the stack, configure graceful restart (GR) for the
corresponding protocol. For details, see the configuration guide of the
corresponding protocol.
f. Run the display stack command to check whether SwitchA is the master
switch. If so, run the slave switchover command to perform an active/
standby switchover in the stack. If not, go to the next step.
<HUAWEI> display switchover state //Check whether the active/standby switchover
conditions are met.
Slot 0 HA FSM State(master): realtime or routine backup. //The switchover can be performed
only in this state.
Slot 1 HA FSM State(slave): receiving realtime or routine data.
<HUAWEI> system-view
[HUAWEI] slave switchover enable //Enable the active/standby switchover.
[HUAWEI] slave switchover //Perform an active/standby switchover.
Warning: This operation will switch the slave board to the master board. Continue? [Y/N]:y
After the active/standby switchover, the former master switch restarts.
Wait until it has restarted and rejoined the stack, and then go to the next
step. To check whether the switch has rejoined the stack, run the
display stack command.
g. Power off and remove SwitchA.
h. Install SwitchC and connect cables to its service ports, stack ports, and
ports that have dual-active detection (DAD) configured.
i. Power on SwitchC so that SwitchC joins the stack as a new member. Run
the display stack command to check whether SwitchC can set up a stack
with SwitchB.
j. After SwitchC and SwitchB set up a stack, run the display stack
configuration and display stack port commands to check the stack
configuration and interface status. Ensure that the stack configuration is
the same as that used before the device replacement and that interfaces
become Up normally.
k. After confirming all services are normal, run the save command to save
the stack configuration.
l. If the current master and standby switches are different from those
before the device replacement, perform an active/standby switchover.
● Replace one member switch in a stack of three or more member switches
(in a ring topology).
In a stack set up by three or more member switches in a ring topology, the
device replacement procedure is similar to that in a stack of two member
switches. For details, see Replace one member switch in a stack of two
member switches.
● Replace one member switch in a stack of three or more member switches
(in a chain topology).
In a stack set up by three or more member switches in a chain topology, the
replacement procedure of edge switches on both ends is similar to that in a
stack of two member switches. For details, see Replace one member switch
in a stack of two member switches. To replace an intermediate switch,
change the stack connection topology to the ring topology and then replace
the switch according to Replace one member switch in a stack of two
member switches. The procedure is as follows:
a. On edge switches on both ends, create a logical stack port and add
member ports into the logical stack port, and then connect these ports
using cables.
<HUAWEI> system-view
[HUAWEI] interface stack-port 1/1 //Create a logical stack port.
[HUAWEI-stack-port1/1] port interface gigabitethernet 1/0/46 enable //Add a member
port to the logical stack port.

After cables are connected, run the display stack command to check
whether the stack connection topology is changed to the ring topology.
b. After the stack connection topology changes to ring topology, replace the
switch according to Replace one member switch in a stack of two
member switches.
c. To restore the chain topology after the replacement, remove the stack
cables connected in step a.

3.4.1.9 Changing the Stack ID

Networking Requirements
In Figure 3-40, the stack IDs of stack members are 3, 1, and 2 from top to bottom.
These stack IDs need to be planned again based on the location to facilitate
device management.

Figure 3-40 Networking diagram

Check information about the stack members with the stack IDs.
<Stack> display stack
Stack mode: Service-port
Stack topology type: Ring
Stack system MAC: 00e0-fc00-1234
MAC switch delay time: 10 min
Stack reserved VLAN: 4093
Slot of the active management port: 3
Slot Role MAC address Priority Device type
-------------------------------------------------------------
3 Master 00e0-fc00-1234 200
1 Standby 00e0-fc00-1235 150
2 Slave 00e0-fc00-1236 150

The stack IDs need to be changed as follows. The MAC address of each member
switch does not change, so after the change use the MAC addresses to verify that
each switch received the intended new stack ID.
● Slot 3 → Slot 1
● Slot 1 → Slot 2
● Slot 2 → Slot 3

NOTE

To change the stack IDs, you need to restart the devices, which interrupts services. Therefore,
perform this operation during a planned maintenance window.

Procedure
Step 1 Shut down the uplink and downlink ports of the stack to isolate the stack from
the network.
<Stack> system-view
[Stack] interface gigabitethernet 3/0/8
[Stack-GigabitEthernet3/0/8] shutdown
[Stack-GigabitEthernet3/0/8] quit
[Stack] interface gigabitethernet 1/0/9
[Stack-GigabitEthernet1/0/9] shutdown
[Stack-GigabitEthernet1/0/9] quit
[Stack] interface gigabitethernet 2/0/5
[Stack-GigabitEthernet2/0/5] shutdown
[Stack-GigabitEthernet2/0/5] quit
[Stack] interface gigabitethernet 3/0/6
[Stack-GigabitEthernet3/0/6] shutdown
[Stack-GigabitEthernet3/0/6] quit

Step 2 After the stack IDs are changed, the configurations of the interfaces with the
original stack IDs are lost. Therefore, before changing the stack IDs, apply the
same configurations to the interfaces that will carry the new stack IDs.
For example, the configurations of the interfaces with the original stack IDs are as
follows:
#
interface GigabitEthernet3/0/6
description ToPC
port link-type access
port default vlan 10
#
interface GigabitEthernet3/0/8
eth-trunk 10
#
interface GigabitEthernet1/0/9
eth-trunk 10
#
interface GigabitEthernet2/0/5
description ToIPPhone-01
port link-type access
port default vlan 20
#

Apply the same configurations to the interfaces with the new stack IDs
(Slot 3 → 1, Slot 1 → 2, Slot 2 → 3):
[Stack] interface gigabitethernet 1/0/6 // Corresponds to GE3/0/6.
[Stack-GigabitEthernet1/0/6] description ToPC
[Stack-GigabitEthernet1/0/6] port link-type access
[Stack-GigabitEthernet1/0/6] port default vlan 10
[Stack-GigabitEthernet1/0/6] quit
[Stack] interface gigabitethernet 1/0/8 // Corresponds to GE3/0/8.
[Stack-GigabitEthernet1/0/8] eth-trunk 10
[Stack-GigabitEthernet1/0/8] quit
[Stack] interface gigabitethernet 2/0/9 // Corresponds to GE1/0/9.
[Stack-GigabitEthernet2/0/9] eth-trunk 10
[Stack-GigabitEthernet2/0/9] quit
[Stack] interface gigabitethernet 3/0/5 // Corresponds to GE2/0/5.
[Stack-GigabitEthernet3/0/5] description ToIPPhone-01
[Stack-GigabitEthernet3/0/5] port link-type access
[Stack-GigabitEthernet3/0/5] port default vlan 20
[Stack-GigabitEthernet3/0/5] quit
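Step 2 reconfigures by hand every interface whose slot number changes, which is where a renumbering typically goes wrong. The following Python script is an added example, not part of the original document: it takes the pre-change interface stanzas shown above together with the plan Slot 3 → 1, Slot 1 → 2, Slot 2 → 3, rewrites the interface names in a single pass (applying a cyclic plan as three successive search-and-replace operations would move the first interfaces twice), emits the commands to paste in system view, and returns the old/new name pairs used to verify the interfaces after the reboot in Step 4. The function names and the CLI flattening are this example's own.

```python
"""Rewrite interface configuration for a stack ID (slot) renumbering plan.

Added example, not part of the original document. Interface stanzas bound to
the old slot IDs are rewritten to the new slot IDs in one pass, so a cyclic
plan (3->1, 1->2, 2->3) does not move any interface twice."""
import re

# Constructed sample input: the interface configuration shown in Step 2.
OLD_CONFIG = """\
#
interface GigabitEthernet3/0/6
 description ToPC
 port link-type access
 port default vlan 10
#
interface GigabitEthernet3/0/8
 eth-trunk 10
#
interface GigabitEthernet1/0/9
 eth-trunk 10
#
interface GigabitEthernet2/0/5
 description ToIPPhone-01
 port link-type access
 port default vlan 20
#
"""

# Renumbering plan from the example: slot 3 -> 1, 1 -> 2, 2 -> 3.
SLOT_MAP = {3: 1, 1: 2, 2: 3}

# 'interface <type><slot>/<subcard>/<port>'. Eth-Trunk and Vlanif interfaces
# carry no slot number and are deliberately not matched.
INTERFACE_RE = re.compile(r"^(interface\s+)([A-Za-z0-9-]*?)(\d+)(/\d+/\d+)$")


def renumber_interface(line, slot_map):
    """Return the interface line with its slot mapped; other lines unchanged."""
    m = INTERFACE_RE.match(line.strip())
    if not m:
        return line
    keyword, iftype, slot, rest = m.groups()
    new_slot = slot_map.get(int(slot), int(slot))   # unmapped slots keep their ID
    return f"{keyword}{iftype}{new_slot}{rest}"


def renumber_config(config_text, slot_map):
    """Apply the slot map to every interface stanza in a configuration text."""
    return "\n".join(renumber_interface(line, slot_map)
                     for line in config_text.splitlines()) + "\n"


def renumbered_interfaces(config_text, slot_map):
    """Return [(old_name, new_name)] for the post-reboot check in Step 4."""
    pairs = []
    for line in config_text.splitlines():
        new = renumber_interface(line, slot_map)
        if new != line:
            pairs.append((line.split(None, 1)[1], new.split(None, 1)[1]))
    return pairs


def to_cli(config_text):
    """Flatten the stanzas into the commands to enter in system view."""
    cmds = []
    for line in config_text.splitlines():
        text = line.strip()
        if text in ("", "#"):
            continue
        if text.startswith("interface ") and cmds:
            cmds.append("quit")     # leave the previous interface view first
        cmds.append(text)
    if cmds:
        cmds.append("quit")
    return cmds


if __name__ == "__main__":
    new_config = renumber_config(OLD_CONFIG, SLOT_MAP)
    print("\n".join(to_cli(new_config)))
    for old, new in renumbered_interfaces(OLD_CONFIG, SLOT_MAP):
        print(f"{old} -> {new}")
```

Run it as a script to print the commands for Step 2 and the old/new mapping to check against in Step 4. Feed it the relevant stanzas from display current-configuration rather than the whole file, and keep the interfaces it reports unchanged (slots outside the plan, Eth-Trunks) out of the paste.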

Step 3 Change the stack IDs, save the configurations, and restart the switches.
[Stack] stack slot 3 renumber 1
Info: The assigned slot ID already exists in the stack system.
Warning: All the configurations related to the slot ID will be lost after the slot ID is
modified.
Do not frequently modify the slot ID because it will make the stack split. Continue? [Y/
N]:y
Info: Stack configuration has been changed, and the device needs to restart to make the configuration
effective.
[Stack] stack slot 1 renumber 2
Info: The assigned slot ID already exists in the stack system.
Warning: All the configurations related to the slot ID will be lost after the slot ID is
modified.
Do not frequently modify the slot ID because it will make the stack split. Continue? [Y/
N]:y
Info: Stack configuration has been changed, and the device needs to restart to make the configuration
effective.
[Stack] stack slot 2 renumber 3
Info: The assigned slot ID already exists in the stack system.
Warning: All the configurations related to the slot ID will be lost after the slot ID is
modified.
Do not frequently modify the slot ID because it will make the stack split. Continue? [Y/
N]:y
Info: Stack configuration has been changed, and the device needs to restart to make the configuration
effective.
[Stack] quit
<Stack> save
The current configuration will be written to flash:/vrpcfg.zip.
Are you sure to continue?[Y/N]y
Now saving the current configuration to the slot 3.........
Save the configuration successfully.
Now saving the current configuration to the slot 1.
Save the configuration successfully.
Now saving the current configuration to the slot 2.
Save the configuration successfully.
<Stack> reboot
Info: The system is now comparing the configuration, please wait...................
Info: If want to reboot with saving diagnostic information, input 'N' and then execute 'reboot save
diagnostic-information'.
System will reboot! Continue?[Y/N]:y

Step 4 After the restart is complete, check whether the stack status, stack IDs, and
interface configurations are correct. If the configurations on the interfaces are
incorrect, reconfigure the interfaces.

<Stack> display stack
Stack mode: Service-port
Stack topology type: Ring
Stack system MAC: xxxx-xxxx-xxx4
MAC switch delay time: 10 min
Stack reserved VLAN: 4093
Slot of the active management port: 1
Slot Role MAC address Priority Device type
-------------------------------------------------------------
1 Master xxxx-xxxx-xxx4 200
2 Standby xxxx-xxxx-xxx1 150
3 Slave xxxx-xxxx-xxx2 150

Step 5 If the configurations are correct, enable the uplink and downlink ports of the
stack.
<Stack> system-view
[Stack] interface gigabitethernet 1/0/8
[Stack-GigabitEthernet1/0/8] undo shutdown
[Stack-GigabitEthernet1/0/8] quit
[Stack] interface gigabitethernet 2/0/9
[Stack-GigabitEthernet2/0/9] undo shutdown
[Stack-GigabitEthernet2/0/9] quit
[Stack] interface gigabitethernet 3/0/5
[Stack-GigabitEthernet3/0/5] undo shutdown
[Stack-GigabitEthernet3/0/5] quit
[Stack] interface gigabitethernet 1/0/6
[Stack-GigabitEthernet1/0/6] undo shutdown
[Stack-GigabitEthernet1/0/6] quit

----End

3.4.2 Typical CSS Configuration of Modular Switches

3.4.2.1 CSS Support

3.4.2.1.1 CSS Version Requirements

Table 3-11 Products and versions supporting CSS

Product: S7700
  Product model: S7703, S7703 PoE
  Versions supporting CSS card clustering: Not supported
  Versions supporting service port clustering: Not supported

Product: S7700
  Product model: S7706, S7712
  Versions supporting CSS card clustering: V200R001(C00&C10), V200R002C00,
  V200R003C00, V200R005C00, V200R006C00, V200R007C00, V200R008C00,
  V200R009C00, V200R010C00, V200R011C10, V200R012C00, V200R013C00,
  V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00,
  V200R021C01
  Versions supporting service port clustering: V200R002C00, V200R003C00,
  V200R005C00, V200R006C00, V200R007C00, V200R008C00, V200R009C00,
  V200R010C00, V200R011C10, V200R012C00, V200R013C00, V200R013C02,
  V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00,
  V200R021C01

Product: S7700
  Product model: S7706 PoE
  Versions supporting CSS card clustering: V200R013C00, V200R019C00,
  V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
  Versions supporting service port clustering: V200R013C00, V200R019C00,
  V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01

Product: S9700
  Product model: S9703
  Versions supporting CSS card clustering: Not supported
  Versions supporting service port clustering: Not supported

Product: S9700
  Product model: S9706, S9712
  Versions supporting CSS card clustering: V200R003C00, V200R005C00,
  V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00,
  V200R011C10, V200R012C00, V200R013C00
  Versions supporting service port clustering: V200R001C01, V200R002C00,
  V200R003C00, V200R005C00, V200R006C00, V200R007C00, V200R008C00,
  V200R009C00, V200R010C00, V200R011C10, V200R012C00, V200R013C00
3.4.2.1.2 Software and Hardware Support for S7700 CSS Card Clustering

Table 3-12 Software and Hardware Support for S7706&S7706 PoE&S7712 CSS
Card Clustering

Device Model: S7706, S7706 PoE, S7712

CSS Card and Installation Slot
  ES02VSTSA card:
    ● CSS card: ES02VSTSA (All ports on the CSS cards must be connected.)
    ● Installation slot: subcard slots of ES1D2SRUAC00, ES0D00SRUA00 (non-
      VER.A), and ES0D00SRUB00 (non-VER.A)
    CSS card and MPU models are abbreviated to VSTSA, SRUA, and SRUB
    respectively.
  ES1D2VS04000 card:
    ● CSS card: ES1D2VS04000 (CSS ports on the CSS cards must have at least
      one cable connected, and the ports on both ends of a cable must use the
      same port number.)
    ● Installation slot: subcard slots of LSS7SRUHA100, ES1D2SRUH000,
      LSS7SRUHD000, ES1D2SRUH002, LSS7SRUH1000, LSS7SRUE1000,
      LSS7SRUED000, and ES1D2SRUE000
    CSS card and MPU models are abbreviated to VS04, SRUHA1, SRUH, SRUHD,
    SRUH1, SRUE1, SRUED, and SRUE respectively.

Hot Swap of CSS Cards
  ES02VSTSA: Not supported
  ES1D2VS04000: Supported

Number of CSS Cards Supported by Each Chassis
  ES02VSTSA: 2
  ES1D2VS04000: 2

Number of CSS Ports on Each CSS Card and Bandwidth of a Single CSS Port
  ES02VSTSA: Four 16G ports
  ES1D2VS04000: Four 10G ports

Pluggable Modules for Ports on CSS Cards
  ES02VSTSA:
    ● 3 m and 10 m QSFP+ high-speed cable
    ● QSFP+ optical module (only QSFP-40G-SR4, QSFP-40G-iSR4, and
      QSFP-40G-eSR4) and fiber
    ● 10 m QSFP+ AOC cable (supported since V200R010C00)
    ● 5 m QSFP+ high-speed cable (supported since V200R011C10)
    NOTE: 1-to-4 QSFP+ high-speed cables, 1-to-4 QSFP+ AOC cables, and QSFP+
    optical modules that connect a 40GE port to four 10GE ports using a 1-to-4
    cable do not support CSS.
  ES1D2VS04000:
    ● 1 m, 3 m, 5 m, and 10 m SFP+ high-speed cable
    ● SFP+ optical module and fiber
    ● 3 m and 10 m SFP+ AOC cable

Hardware Configuration
  ES02VSTSA:
    ● Two S7706s, two S7706 PoEs, two S7712s, one S7706 and one S7712, one
      S7706 PoE and one S7706, or one S7706 PoE and one S7712 can set up a
      CSS.
    ● Each chassis must have both active and standby MPUs installed, and the
      two MPUs must have CSS cards installed.
    ● SRUs in the same chassis must be the same model. To set up a CSS, the
      local and remote chassis must use SRUs of the same model or use SRUA
      and SRUB respectively.
  ES1D2VS04000:
    ● Two S7706s, two S7706 PoEs, two S7712s, one S7706 and one S7712, one
      S7706 PoE and one S7706, or one S7706 PoE and one S7712 can set up a
      CSS.
    ● A CSS can be set up even if a chassis has only one SRU installed, and a
      CSS card can be installed in any MPU slot. To ensure reliability, you are
      advised to install two MPUs in each chassis.
    ● SRUs in the same chassis must be the same model. To set up a CSS, the
      local and remote chassis must use SRUs of the same model, use SRUH
      and SRUE respectively (both chassis must run V200R010C00 or a later
      version), use SRUH1 and SRUE respectively, or use SRUH and SRUH1
      respectively.

License Required: No

3.4.2.1.3 Software and Hardware Support for S9700 CSS Card Clustering

Device Model: S9706, S9712

CSS Card and Installation Slot
  ● CSS card: EH1D2VS08000 (The eight ports on a CSS card are divided into
    two groups, each of which must have at least one cable connected.)
  ● Installation slot: subcard slot of EH1D2SRUC000
  CSS card and MPU models are abbreviated to VS08 and SRUC respectively.

Hot Swap of CSS Cards: Not supported

Number of CSS Cards Supported by Each Chassis: 2

Number of CSS Ports on Each CSS Card and Bandwidth of a Single CSS Port:
Eight 10G ports

Pluggable Modules for Ports on CSS Cards
  ● 1 m, 3 m, 5 m, and 10 m SFP+ high-speed cable
  ● SFP+ optical module and fiber
  ● 3 m and 10 m SFP+ AOC cable

Hardware Configuration
  ● Two S9706s, one S9706 and one S9712, or two S9712s can set up a CSS.
  ● Switches to set up a CSS must have both active and standby MPUs installed,
    and the two MPUs must have CSS cards installed.

License Required: No

3.4.2.1.4 Software and Hardware Support for S7700 Service Port Clustering
NOTE

● Only two S7706 switches, two S7706 PoE switches, two S7712 switches, one S7706 and
one S7706 PoE, one S7706 and one S7712, or one S7706 PoE and one S7712 can set up
a CSS.
● SRUs in the same chassis must be the same model. To set up a stack, the local and
remote chassis must use SRUs of the same model, use SRUA and SRUB respectively, or
use SRUH and SRUE respectively, or use SRUH1 and SRUE respectively, or use SRUH1
and SRUE1 respectively, or use SRUH and SRUE1 respectively, or use SRUE and SRUE1
respectively, or use SRUH and SRUH1 respectively(both chassis must run V200R010C00
or a later version).
● Each chassis can have at most two LPUs for CSS connection. It is recommended that you
use the same type of LPUs in a chassis for CSS connection. The two chassis must use the
same type of ports for CSS connection, for example, 10GE SFP+ optical ports.
● Each LPU allows only one logical CSS port. Each logical CSS port supports a maximum
of 32 physical member ports.
● Some ports on an LPU can function as CSS ports, while other ports on the LPU function
as service ports.
● A CSS can be set up as long as a logical CSS port has one CSS member port in Up state.
● Ports do not support the CSS function after being split.
● S7700 service port clustering is not under license control.

MPU model: SRUA, SRUB, SRUE, SRUE1, SRUH, SRUH1, SRUHA1

  LPU models: ES1D2X08SED4, ES1D2X08SED5, ES0D0X12SA00, ES0D0X12SA01,
  ES1D2X16SFC0, ES1D2X40SFC0, ES1D2X32SSC0, ES1D2X16SSC2
  Pluggable modules on service ports:
    ● 1 m, 3 m, 5 m, and 10 m SFP+ high-speed cable
    ● SFP+ optical module and fiber
    ● 3 m and 10 m SFP+ AOC cable
    NOTE: The ES0D0X12SA00 and ES0D0X12SA01 do not support 3 m and 5 m
    SFP+ high-speed cables.
  Usage constraints:
    ● On the ES1D2X08SED4 and ES0D0X12SA00 LPUs, at most four ports can be
      configured as CSS physical member ports. The four physical member ports
      must be the first four ports (numbered 0 to 3) or the last four ports
      (numbered 4 to 7) on the LPU.
    ● On the ES1D2X16SFC0, ES1D2X40SFC0, ES1D2X32SSC0, and ES1D2X16SSC2
      LPUs, four contiguous ports must be configured together as a group of
      physical member ports. The port numbers of the four ports must run from
      4xN to 4xN+3 (N = 0, 1, 2...). For example, ports 0 to 3 or ports 4 to 7
      can be configured together, but ports 2 to 5 cannot. If any port in a
      group is configured as a physical member port, the other three ports of
      the same group must also be configured as physical member ports.

  LPU model: ES1D2L02QFC0
  Pluggable modules on service ports:
    ● 1 m, 3 m, and 5 m QSFP+ high-speed cable
    ● QSFP+ optical module and fiber (QSFP-40G-SR-BD optical modules can be
      used for CSS since V200R019C10SPC500.)
    ● 10 m QSFP+ AOC cable (supported since V200R009C00)
  Usage constraints: None

MPU model: SRUHX1 (available in V200R019C10 and later versions)

  LPU models: LSS7X24BX6E0, LSS7X24BX6S0, LSS7X48SX6E0, LSS7X48SX6S0
  Pluggable modules on service ports:
    ● 1 m, 3 m, 5 m, and 10 m SFP+ high-speed cable
    ● SFP+ optical module and fiber
    ● 3 m and 10 m SFP+ AOC cable
  Usage constraints: The SRUHX1 is available in V200R019C10 and later
  versions.

  LPU models: LSS7C02BX6E0 (40GE ports), LSS7L12QX6E0
  Pluggable modules on service ports:
    ● QSFP+ optical module and fiber
    ● 10 m QSFP+ AOC cable
  Usage constraints: The SRUHX1 is available in V200R019C10 and later
  versions.

  LPU models: LSS7C06HX6S0, LSS7C06HX6E0, LSS7C02BX6E0 (100GE ports)
  Pluggable modules on service ports:
    ● 1 m and 3 m QSFP28 high-speed cable
    ● QSFP28 optical module and fiber
    ● 10 m QSFP28 AOC cable
  Usage constraints: The SRUHX1 is available in V200R019C10 and later
  versions.

  LPU models: LSS7M24VX6E1 (MultiGE ports), LSS7M24VX6S1 (MultiGE ports),
  LSS7M24BX6E0 (MultiGE ports), LSS7M24BX6S0 (MultiGE ports)
  Pluggable modules on service ports: Category 6A or higher network cables
  (If Category 6 cables are used, ensure that the cables meet the
  requirements of TSB-155.)
  Usage constraints: The SRUHX1 is available in V200R021C00 and later
  versions.

3.4.2.1.5 Software and Hardware Support for S9700 Service Port Clustering

Device Model: S9706, S9712

Service Card Model
  10GE (SFP+) service cards: EH1D2X08SED4, EH1D2X08SED5, EH1D2X12SSA0,
  EH1D2X16SFC0, EH1D2X40SFC0, EH1D2X32SSC0, EH1D2X16SSC2
  40GE (QSFP+) service cards: EH1D2L02QFC0, EH1D2L08QFC0
  NOTE: For details about service cards, see "Cards" in the Hardware
  Description of the specific product model.

Pluggable Modules on Service Ports
  10GE (SFP+) service cards:
    ● 1 m, 3 m, 5 m, and 10 m SFP+ high-speed cable
    ● SFP+ optical module and fiber
    ● 3 m and 10 m SFP+ AOC cable
    NOTE: The EH1D2X12SSA0 does not support 3 m and 5 m SFP+ high-speed
    cables.
  40GE (QSFP+) service cards:
    ● 1 m, 3 m, and 5 m QSFP+ high-speed cable
    ● QSFP+ optical module (except the QSFP-40G-SR-BD model) and fiber
    ● 10 m QSFP+ AOC cable (supported since V200R009C00)

Usage Constraints
  10GE (SFP+) service cards:
    ● On the EH1D2X08SED4 and EH1D2X08SED5 LPUs, at most four ports can be
      configured as CSS physical member ports. The four physical member ports
      must be the first four ports (numbered 0 to 3) or the last four ports
      (numbered 4 to 7) on the LPU.
    ● On the EH1D2X16SFC0, EH1D2X40SFC0, EH1D2X32SSC0, and EH1D2X16SSC2
      LPUs, four contiguous ports must be configured together as a group of
      physical member ports. The port numbers of the four ports must run from
      4xN to 4xN+3 (N = 0, 1, 2...). For example, ports 0 to 3 or ports 4 to 7
      can be configured together, but ports 2 to 5 cannot. If any port in a
      group is configured as a physical member port, the other three ports of
      the same group must also be configured as physical member ports.
  40GE (QSFP+) service cards: The interconnected CSS physical member ports on
  the two member switches must both be 40GE ports. XGE ports derived from a
  40GE port cannot be added to a logical CSS port.

Hardware Configuration
  ● Only two S9706 switches, two S9712 switches, or one S9706 and one S9712
    can set up a CSS.
  ● MPUs in one chassis must be the same model. MPUs in the local and peer
    chassis can be different models but are recommended to be the same model.
  ● Each chassis can have at most two LPUs for CSS connection. It is
    recommended that you use the same type of LPUs in a chassis for CSS
    connection. The two chassis must use the same type of ports for CSS
    connection, for example, 10GE SFP+ optical ports.
  ● Each LPU allows only one logical CSS port. Each logical CSS port supports
    a maximum of 32 physical member ports.
  ● Some ports on an LPU can function as CSS ports, while other ports on the
    LPU function as service ports.
  ● A CSS can be set up as long as a logical CSS port has one CSS member port
    in Up state.

License Required: No

3.4.2.2 Example for Setting Up a CSS of Two Member Switches Using CSS
Cards

Overview of CSS
A Cluster Switch System (CSS), also called a cluster, is a logical switch consisting
of two clustering-capable switches. It provides high forwarding performance and
high network reliability and scalability, while simplifying network management.
● High reliability: Member switches in a CSS work in redundancy mode. Link
redundancy can also be implemented between member switches through link
aggregation.
● High scalability: Switches can set up a CSS to increase the number of ports,
bandwidth, and packet processing capabilities.
● Simplified configuration and management: After two switches set up a CSS,
they are virtualized into one device. You can log in to the CSS from either
member switch to configure and manage the entire CSS.
In CSS card connection mode, member switches are connected using CSS cards on
MPUs and cluster cables. Compared with the service port connection mode, the
CSS card connection mode does not occupy common service ports, is easy to
configure, ensures high stability and low latency, but has higher hardware
requirements.
After a CSS is set up, you are advised to perform the following configurations:
● To simplify network configuration, increase uplink bandwidth, and improve
reliability, configure inter-device Eth-Trunks in the CSS, connect downstream
devices to the CSS in dual-homing mode, and add uplink and downlink ports
of the CSS to the Eth-Trunks.
● Configure the multi-active detection (MAD) function in the CSS. Two member
switches in a CSS use the same IP address and MAC address (CSS system MAC
address). Therefore, after the CSS splits, two CSSs using the same IP address
and MAC address exist. To prevent this situation, a mechanism is required to
check for IP address and MAC address conflicts after a split. MAD is a CSS
split detection protocol that provides split detection, multi-active handling,
and fault recovery mechanisms when a CSS splits due to a link failure. This
minimizes the impact of a CSS split on services.
MAD can be implemented in direct or relay mode, but these modes cannot be
configured simultaneously in a CSS. You can configure MAD in relay mode for
a CSS when an inter-device Eth-Trunk is configured in the CSS. The direct
mode occupies additional ports, and these ports can only be used for MAD
after being connected using common cables. In contrast to the direct mode,
the relay mode does not occupy additional ports.

Guidelines
● After two switches set up a CSS, the following features cannot be configured
in the CSS:
– Synchronous Ethernet clock
– Precision Time Protocol (PTP) (IEEE 1588)
– Web system configuration (In V200R001C00, the web system is not
supported. In V200R002C00 and later versions, you can log in to the CSS
through the web system to perform configurations.)
● When configuring MAD, focus on the differences in the command syntax
between V200R002C00 (and earlier versions) and V200R003C00 (and later
versions). In V200R002C00 and earlier versions, the split detection function is
called dual-active detection (DAD).
● Regardless of how many MAD links exist, once the CSS splits, the ports of the
standby switch are shut down and stop forwarding service packets.

Networking Requirements
An enterprise needs to build a network that has a reliable core layer and simple
structure to facilitate configuration and management.
To meet requirements of the enterprise, core switches SwitchA and SwitchB set up
a CSS in CSS card connection mode. SwitchA is the master switch, and SwitchB is
the standby switch. Figure 3-41 shows the network topology. Aggregation
switches connect to the CSS through Eth-Trunks, and the CSS connects to the
upstream network through an Eth-Trunk. In this example, the core switches are
the S9706 switches.

Figure 3-41 Setting up a CSS

Configuration Roadmap
The configuration roadmap is as follows:

1. Install hardware modules on SwitchA and SwitchB.
2. Set the CSS connection mode on SwitchA and SwitchB and set their CSS IDs to
1 and 2 and CSS priorities to 100 and 10 respectively. These settings make
SwitchA more likely to become the master switch.
3. Enable the CSS function on SwitchA and then on SwitchB to ensure that
SwitchA becomes the master switch.
4. Check whether a CSS is set up successfully.
5. Configure uplink and downlink Eth-Trunks for the CSS to improve forwarding
bandwidth and reliability.
6. Configure MAD to minimize the impact of a CSS split on the network.

Procedure
Step 1 Install hardware modules.

The following describes only the rule for connecting cluster cables between two
member switches. If you also need to install MPUs and CSS cards and learn about
installation details, see the Switch Cluster Setup Guide.
Select the required connection diagram based on the device model and CSS card
model to connect cluster cables.

Figure 3-42 VSTSA CSS card connections (S7706&S7706 PoE&S7712)

NOTE
Follow these rules when connecting VSTSA CSS cards: Each VSTSA CSS card has four ports.
All ports with the same port number and color must be connected, as shown in the
preceding figure. For example, port 1 in blue on the left chassis must be connected to port
1 in blue on the right chassis.
The CSS set up using VSTSA CSS cards allows at most one faulty cluster cable.

Figure 3-43 VS04 CSS card connections (S7706&S7706 PoE&S7712)

NOTE
Follow these rules when connecting VS04 CSS cards:
● Each VS04 CSS card has four ports. All ports with the same port number must be
connected, as shown in the preceding figure. For example, port 1 in blue on the left
chassis must be connected to port 1 in blue on the right chassis. The two chassis can
be connected through one cable. However, it is recommended that the two chassis be
connected through multiple cables.
● Each CSS card on the local chassis can be connected to only one CSS card on the peer
chassis.

Step 2 Configure the CSS connection mode, CSS ID, and CSS priority.
# Configure the CSS function on SwitchA. Retain the default CSS connection mode
(CSS card connection) and the default CSS ID 1, and set the CSS priority to 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] set css priority 100

# Configure the CSS function on SwitchB. Retain the default CSS connection mode
(CSS card connection), and set the CSS ID to 2 and CSS priority to 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css id 2
[SwitchB] set css priority 10

# Check the CSS configuration.

NOTE
After the configuration is complete, run the display css status saved command to check
the CSS configuration.

Check the CSS configuration on SwitchA.
[SwitchA] display css status saved
Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master force
------------------------------------------------------------------------------
1            1          Off          CSS card   100        Off

Check the CSS configuration on SwitchB.
[SwitchB] display css status saved
Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master force
------------------------------------------------------------------------------
1            2          Off          CSS card   10         Off
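
As an added check that is not part of the Huawei documentation, the following Python parses the two outputs above (embedded as constructed sample strings) and confirms, before css enable is run on either switch, that the saved CSS IDs differ, that both switches save the same CSS mode, and that the intended master has the higher priority. The row regex also accepts the single-word LPU mode shown in the service port example in 3.4.2.3, so the same check serves both procedures; the column layout the regex assumes is taken from the outputs shown here.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed samples (copied from the outputs above): `display css status saved`
# on SwitchA and SwitchB before `css enable` is run on either switch.
SWITCH_A_STATUS = """\
Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master force
------------------------------------------------------------------------------
1            1          Off          CSS card   100        Off
"""

SWITCH_B_STATUS = """\
Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master force
------------------------------------------------------------------------------
1            2          Off          CSS card   10         Off
"""

# One data row. The CSS Mode column may be two words ("CSS card") or one
# ("LPU", service port mode), so it is matched lazily between the fixed columns.
ROW_RE = re.compile(
    r"^(?P<current_id>\d+)\s+(?P<saved_id>\d+)\s+(?P<enable>On|Off)\s+"
    r"(?P<mode>.+?)\s+(?P<priority>\d+)\s+(?P<master_force>On|Off)\s*$"
)


@dataclass(frozen=True)
class CssStatus:
    current_id: int
    saved_id: int
    enabled: bool
    mode: str
    priority: int
    master_force: bool


def parse_css_status(output: str) -> CssStatus:
    """Return the data row of one `display css status saved` output."""
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            return CssStatus(
                current_id=int(m["current_id"]),
                saved_id=int(m["saved_id"]),
                enabled=m["enable"] == "On",
                mode=m["mode"].strip(),
                priority=int(m["priority"]),
                master_force=m["master_force"] == "On",
            )
    raise ValueError("no CSS status row found in output")


def precheck(master: CssStatus, standby: CssStatus) -> list[str]:
    """Compare the saved settings of the intended master and standby switches
    with the configuration roadmap. An empty list means they are consistent."""
    problems: list[str] = []
    if master.saved_id == standby.saved_id:
        problems.append(f"both switches save CSS ID {master.saved_id}")
    if master.mode != standby.mode:
        problems.append(f"CSS mode differs: {master.mode!r} vs {standby.mode!r}")
    if master.priority <= standby.priority:
        problems.append(
            f"intended master priority {master.priority} is not higher than "
            f"standby priority {standby.priority}"
        )
    return problems


if __name__ == "__main__":
    issues = precheck(parse_css_status(SWITCH_A_STATUS),
                      parse_css_status(SWITCH_B_STATUS))
    print("\n".join(issues) if issues else "saved CSS settings match the roadmap")
```

Running precheck with the two switches swapped reports that the intended master does not hold the higher priority, which is the misconfiguration that would let SwitchB win the master election after both reboots.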

Step 3 Enable the CSS function.
# Enable the CSS function on SwitchA and restart SwitchA.
[SwitchA] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchB and restart SwitchB.
[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y

Step 4 Check whether a CSS is set up successfully.
# View the indicator status.
The MASTER indicator on a CSS card of SwitchA is steady on, indicating that the
MPU with the CSS card installed is the active MPU of the CSS and SwitchA is the
master switch.
The MASTER indicators on the CSS cards of SwitchB are off, indicating that
SwitchB is the standby switch.
# Log in to the CSS through the console port on any MPU to check whether the
CSS has been set up successfully. In versions earlier than V200R005C00, you must
log in to the CSS through the console port on the active MPU.
<SwitchA> display device
Chassis 1 (Master Switch)
S9706's Device status:
Slot  Sub  Type          Online    Power     Register      Status    Role
---------------------------------------
7     -    EH1D2SRUC000  Present   PowerOn   Registered    Normal    Master
      1    EH1D2VS08000  Present   PowerOn   Registered    Normal    NA
8     -    EH1D2SRUC000  Present   PowerOn   Registered    Normal    Slave
      1    EH1D2VS08000  Present   PowerOn   Registered    Normal    NA
PWR1  -    -             Present   PowerOn   Registered    Normal    NA
PWR2  -    -             Present   -         Unregistered  -         NA
CMU2  -    EH1D200CMU00  Present   PowerOn   Registered    Normal    Master
FAN1  -    -             Present   PowerOn   Registered    Abnormal  NA
FAN2  -    -             Present   -         Unregistered  -         NA
Chassis 2 (Standby Switch)
S9706's Device status:
Slot  Sub  Type          Online    Power     Register      Status    Role
---------------------------------------
7     -    EH1D2SRUC000  Present   PowerOn   Registered    Normal    Master
      1    EH1D2VS08000  Present   PowerOn   Registered    Normal    NA
8     -    EH1D2SRUC000  Present   PowerOn   Registered    Normal    Slave
      1    EH1D2VS08000  Present   PowerOn   Registered    Normal    NA
PWR1  -    -             Present   PowerOn   Registered    Normal    NA
PWR2  -    -             Present   PowerOn   Registered    Normal    NA
CMU1  -    EH1D200CMU00  Present   PowerOn   Registered    Normal    Master
FAN1  -    -             Present   PowerOn   Registered    Normal    NA
FAN2  -    -             Present   PowerOn   Registered    Normal    NA

The command output shows the card status of both member switches, indicating
that the CSS has been set up successfully.
# Check whether CSS links are normal.
<SwitchA> display css channel
Chassis 1 || Chassis 2
================================================================================
Num [SRUC HG] [VS08 Port(Status)] || [VS08 Port(Status)] [SRUC HG]
1 1/7 0/12 -- 1/7/0/1(UP 10G) ---||--- 2/7/0/1(UP 10G) -- 2/7 0/12
2 1/7 0/16 -- 1/7/0/2(UP 10G) ---||--- 2/7/0/2(UP 10G) -- 2/7 0/16
3 1/7 0/13 -- 1/7/0/3(UP 10G) ---||--- 2/7/0/3(UP 10G) -- 2/7 0/13
4 1/7 0/17 -- 1/7/0/4(UP 10G) ---||--- 2/7/0/4(UP 10G) -- 2/7 0/17
5 1/7 0/14 -- 1/7/0/5(UP 10G) ---||--- 2/8/0/5(UP 10G) -- 2/8 0/14
6 1/7 0/18 -- 1/7/0/6(UP 10G) ---||--- 2/8/0/6(UP 10G) -- 2/8 0/18
7 1/7 0/15 -- 1/7/0/7(UP 10G) ---||--- 2/8/0/7(UP 10G) -- 2/8 0/15
8 1/7 0/19 -- 1/7/0/8(UP 10G) ---||--- 2/8/0/8(UP 10G) -- 2/8 0/19
9 1/8 0/12 -- 1/8/0/1(UP 10G) ---||--- 2/8/0/1(UP 10G) -- 2/8 0/12
10 1/8 0/16 -- 1/8/0/2(UP 10G) ---||--- 2/8/0/2(UP 10G) -- 2/8 0/16
11 1/8 0/13 -- 1/8/0/3(UP 10G) ---||--- 2/8/0/3(UP 10G) -- 2/8 0/13
12 1/8 0/17 -- 1/8/0/4(UP 10G) ---||--- 2/8/0/4(UP 10G) -- 2/8 0/17
13 1/8 0/14 -- 1/8/0/5(UP 10G) ---||--- 2/7/0/5(UP 10G) -- 2/7 0/14
14 1/8 0/18 -- 1/8/0/6(UP 10G) ---||--- 2/7/0/6(UP 10G) -- 2/7 0/18
15 1/8 0/15 -- 1/8/0/7(UP 10G) ---||--- 2/7/0/7(UP 10G) -- 2/7 0/15
16 1/8 0/19 -- 1/8/0/8(UP 10G) ---||--- 2/7/0/8(UP 10G) -- 2/7 0/19

The command output shows that all the CSS links are Up, indicating that the CSS
has been set up successfully.
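
The link check above is the one a monitoring job should repeat after setup, because a CSS whose cluster links fail is what triggers a split. The following Python, added here and not part of the Huawei documentation, parses the display css channel output (embedded as a constructed sample copied from the rows above), reports links that are not up at both ends, and counts up links per CSS card. The DOWN status word used in the constructed failure case is an assumption about what the switch prints for a failed link.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the `display css channel` output shown above.
CHANNEL_OUTPUT = """\
Chassis 1                                 ||                       Chassis 2
================================================================================
Num [SRUC HG] [VS08 Port(Status)]         ||      [VS08 Port(Status)] [SRUC HG]
1   1/7 0/12 -- 1/7/0/1(UP 10G)        ---||---   2/7/0/1(UP 10G) -- 2/7 0/12
2   1/7 0/16 -- 1/7/0/2(UP 10G)        ---||---   2/7/0/2(UP 10G) -- 2/7 0/16
3   1/7 0/13 -- 1/7/0/3(UP 10G)        ---||---   2/7/0/3(UP 10G) -- 2/7 0/13
4   1/7 0/17 -- 1/7/0/4(UP 10G)        ---||---   2/7/0/4(UP 10G) -- 2/7 0/17
5   1/7 0/14 -- 1/7/0/5(UP 10G)        ---||---   2/8/0/5(UP 10G) -- 2/8 0/14
6   1/7 0/18 -- 1/7/0/6(UP 10G)        ---||---   2/8/0/6(UP 10G) -- 2/8 0/18
7   1/7 0/15 -- 1/7/0/7(UP 10G)        ---||---   2/8/0/7(UP 10G) -- 2/8 0/15
8   1/7 0/19 -- 1/7/0/8(UP 10G)        ---||---   2/8/0/8(UP 10G) -- 2/8 0/19
9   1/8 0/12 -- 1/8/0/1(UP 10G)        ---||---   2/8/0/1(UP 10G) -- 2/8 0/12
10  1/8 0/16 -- 1/8/0/2(UP 10G)        ---||---   2/8/0/2(UP 10G) -- 2/8 0/16
11  1/8 0/13 -- 1/8/0/3(UP 10G)        ---||---   2/8/0/3(UP 10G) -- 2/8 0/13
12  1/8 0/17 -- 1/8/0/4(UP 10G)        ---||---   2/8/0/4(UP 10G) -- 2/8 0/17
13  1/8 0/14 -- 1/8/0/5(UP 10G)        ---||---   2/7/0/5(UP 10G) -- 2/7 0/14
14  1/8 0/18 -- 1/8/0/6(UP 10G)        ---||---   2/7/0/6(UP 10G) -- 2/7 0/18
15  1/8 0/15 -- 1/8/0/7(UP 10G)        ---||---   2/7/0/7(UP 10G) -- 2/7 0/15
16  1/8 0/19 -- 1/8/0/8(UP 10G)        ---||---   2/7/0/8(UP 10G) -- 2/7 0/19
"""

# Constructed failure case: link 5 reported down at both ends. The exact status
# word the switch prints for a down link is an assumption here.
DEGRADED_OUTPUT = (CHANNEL_OUTPUT
                   .replace("1/7/0/5(UP 10G)", "1/7/0/5(DOWN 10G)")
                   .replace("2/8/0/5(UP 10G)", "2/8/0/5(DOWN 10G)"))

ROW_RE = re.compile(
    r"^(?P<num>\d+)\s+\d+/\d+\s+\d+/\d+\s+--\s+"
    r"(?P<lport>[\d/]+)\((?P<lstatus>\w+)\s+(?P<speed>\S+)\)\s+---\|\|---\s+"
    r"(?P<rport>[\d/]+)\((?P<rstatus>\w+)\s+\S+\)\s+--\s+\d+/\d+\s+\d+/\d+\s*$"
)


@dataclass(frozen=True)
class CssLink:
    num: int
    local_port: str      # chassis/slot/subcard/port of the local CSS card port
    local_status: str
    remote_port: str
    remote_status: str
    speed: str

    @property
    def is_up(self) -> bool:
        # A link counts as up only when both ends report UP.
        return self.local_status == "UP" and self.remote_status == "UP"


def parse_css_channels(output: str) -> list[CssLink]:
    links: list[CssLink] = []
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            links.append(CssLink(int(m["num"]), m["lport"], m["lstatus"],
                                 m["rport"], m["rstatus"], m["speed"]))
    return links


def down_links(links: list[CssLink]) -> list[CssLink]:
    return [link for link in links if not link.is_up]


def up_links_per_card(links: list[CssLink]) -> dict[str, int]:
    """Count up links per local CSS card, keyed by chassis/slot (e.g. '1/7')."""
    counts: dict[str, int] = {}
    for link in links:
        if link.is_up:
            card = "/".join(link.local_port.split("/")[:2])
            counts[card] = counts.get(card, 0) + 1
    return counts


def assess(output: str, expected_links: int) -> str:
    """One-line verdict suitable for a monitoring check."""
    links = parse_css_channels(output)
    if len(links) != expected_links:
        return f"DEGRADED: {len(links)} of {expected_links} CSS links listed"
    down = down_links(links)
    if down:
        return "DEGRADED: links down: " + ", ".join(str(link.num) for link in down)
    return f"OK: all {expected_links} CSS links up"


if __name__ == "__main__":
    print(assess(CHANNEL_OUTPUT, 16))
    print(assess(DEGRADED_OUTPUT, 16))
```

The per-card count is the figure to alarm on: a card that drops to zero up links means the CSS now depends on a single MPU's card, and the next cable fault splits the cluster.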

Step 5 Configure Eth-Trunks between the CSS and its upstream and downstream devices.
# Configure an Eth-Trunk in the CSS and add uplink ports to the Eth-Trunk.
<SwitchA> system-view
[SwitchA] sysname CSS //Rename the CSS.
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] quit
[CSS] interface gigabitethernet 1/1/0/4
[CSS-GigabitEthernet1/1/0/4] eth-trunk 10
[CSS-GigabitEthernet1/1/0/4] quit
[CSS] interface gigabitethernet 2/1/0/4
[CSS-GigabitEthernet2/1/0/4] eth-trunk 10
[CSS-GigabitEthernet2/1/0/4] quit

# Configure an Eth-Trunk in the CSS and add the downlink ports connected to
SwitchC to the Eth-Trunk.
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] quit
[CSS] interface gigabitethernet 1/1/0/3
[CSS-GigabitEthernet1/1/0/3] eth-trunk 20
[CSS-GigabitEthernet1/1/0/3] quit
[CSS] interface gigabitethernet 2/1/0/5
[CSS-GigabitEthernet2/1/0/5] eth-trunk 20
[CSS-GigabitEthernet2/1/0/5] quit

# Configure an Eth-Trunk in the CSS and add the downlink ports connected to
SwitchD to the Eth-Trunk.
[CSS] interface eth-trunk 30
[CSS-Eth-Trunk30] quit
[CSS] interface gigabitethernet 1/1/0/5
[CSS-GigabitEthernet1/1/0/5] eth-trunk 30
[CSS-GigabitEthernet1/1/0/5] quit
[CSS] interface gigabitethernet 2/1/0/3
[CSS-GigabitEthernet2/1/0/3] eth-trunk 30
[CSS-GigabitEthernet2/1/0/3] return

# Configure an Eth-Trunk on SwitchE and add member ports to the Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] sysname SwitchE
[SwitchE] interface eth-trunk 10
[SwitchE-Eth-Trunk10] quit
[SwitchE] interface gigabitethernet 1/0/1
[SwitchE-GigabitEthernet1/0/1] eth-trunk 10
[SwitchE-GigabitEthernet1/0/1] quit
[SwitchE] interface gigabitethernet 1/0/2
[SwitchE-GigabitEthernet1/0/2] eth-trunk 10
[SwitchE-GigabitEthernet1/0/2] quit

# Configure an Eth-Trunk on SwitchC and add member ports to the Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] interface eth-trunk 20
[SwitchC-Eth-Trunk20] quit
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] eth-trunk 20
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] eth-trunk 20
[SwitchC-GigabitEthernet1/0/2] quit

# Configure an Eth-Trunk on SwitchD and add member ports to the Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] interface eth-trunk 30
[SwitchD-Eth-Trunk30] quit
[SwitchD] interface gigabitethernet 1/0/1
[SwitchD-GigabitEthernet1/0/1] eth-trunk 30
[SwitchD-GigabitEthernet1/0/1] quit
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] eth-trunk 30
[SwitchD-GigabitEthernet1/0/2] quit

# Verify the configuration.
After the configuration is complete, run the display trunkmembership eth-trunk
command in any view to check information about Eth-Trunk member ports. For
example, the following output shows the member ports in Eth-Trunk 10.
<CSS> display trunkmembership eth-trunk 10
Trunk ID: 10
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 2
Number Of Up Ports in Trunk = 2
Operate status: up

Interface GigabitEthernet1/1/0/4, valid, operate up, weight=1
Interface GigabitEthernet2/1/0/4, valid, operate up, weight=1

Step 6 Configure the MAD function. The following procedure configures MAD in relay
mode and configures SwitchC as the relay agent using the commands applicable
to V200R003C00 and later versions.
# In the CSS, configure MAD in relay mode for the inter-device Eth-Trunk.
<CSS> system-view
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] mad detect mode relay //In V200R002C00 and earlier versions, the command is dual-active detect mode relay.
[CSS-Eth-Trunk20] quit
[CSS] quit

# Configure the MAD proxy function on SwitchC.
[SwitchC] interface eth-trunk 20
[SwitchC-Eth-Trunk20] mad relay //In V200R002C00 and earlier versions, the command is dual-active relay.
[SwitchC-Eth-Trunk20] quit
[SwitchC] quit

# Verify the configuration.
Check the MAD configuration in the CSS.
<CSS> display mad //In V200R002C00 and earlier versions, the command is display dual-active.
Current MAD domain: 0
MAD direct detection enabled: NO
MAD relay detection enabled: YES

Check MAD proxy information on SwitchC.
<SwitchC> display mad proxy //In V200R002C00 and earlier versions, the command is display dual-active proxy.
Mad relay interfaces configured:
Eth-Trunk20
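
Relay-mode MAD only protects against a split when both halves of the configuration agree: the CSS must have relay detection enabled on the Eth-Trunk, the relay agent must have mad relay on the same Eth-Trunk, and direct and relay modes must not both be enabled. The following Python is an added example, not Huawei's code; it parses the display mad and display mad proxy outputs above (embedded as constructed samples) and reports any mismatch. Comparing interface names case-insensitively and ignoring spaces is an assumption made here so that "eth-trunk 20" and "Eth-Trunk20" are treated as the same interface.

```python
from __future__ import annotations

import re

# Constructed samples in the format of the two verification outputs above.
CSS_MAD_OUTPUT = """\
Current MAD domain: 0
MAD direct detection enabled: NO
MAD relay detection enabled: YES
"""

PROXY_MAD_OUTPUT = """\
Mad relay interfaces configured:
Eth-Trunk20
"""

MAD_FIELDS = {
    "domain": re.compile(r"^Current MAD domain:\s*(\d+)"),
    "direct": re.compile(r"^MAD direct detection enabled:\s*(YES|NO)"),
    "relay": re.compile(r"^MAD relay detection enabled:\s*(YES|NO)"),
}


def parse_mad(output: str) -> dict[str, object]:
    """Parse `display mad` into {'domain': int or None, 'direct': bool, 'relay': bool}."""
    result: dict[str, object] = {"domain": None, "direct": False, "relay": False}
    for line in output.splitlines():
        line = line.strip()
        for key, pattern in MAD_FIELDS.items():
            m = pattern.match(line)
            if m:
                result[key] = int(m.group(1)) if key == "domain" else m.group(1) == "YES"
    return result


def parse_mad_proxy(output: str) -> list[str]:
    """Return the interfaces listed under 'Mad relay interfaces configured:'."""
    interfaces: list[str] = []
    in_list = False
    for line in output.splitlines():
        line = line.strip()
        if line.lower().startswith("mad relay interfaces configured"):
            in_list = True
            continue
        if in_list and line:
            interfaces.append(line)
    return interfaces


def _norm(name: str) -> str:
    # Assumption: interface names differ only in case and spacing.
    return name.replace(" ", "").lower()


def verify_mad_relay(css_output: str, proxy_output: str, relay_trunk: str) -> list[str]:
    """Check that relay-mode MAD is enabled in the CSS and that the relay agent
    has `mad relay` on the shared Eth-Trunk. An empty list means consistent."""
    mad = parse_mad(css_output)
    proxies = parse_mad_proxy(proxy_output)
    problems: list[str] = []
    if mad["direct"] and mad["relay"]:
        problems.append("direct and relay MAD both enabled; the two modes cannot coexist")
    if not mad["relay"]:
        problems.append("MAD relay detection is not enabled in the CSS")
    if _norm(relay_trunk) not in {_norm(p) for p in proxies}:
        problems.append(
            f"relay agent has no 'mad relay' on {relay_trunk} "
            f"(configured: {', '.join(proxies) or 'none'})"
        )
    return problems


if __name__ == "__main__":
    issues = verify_mad_relay(CSS_MAD_OUTPUT, PROXY_MAD_OUTPUT, "Eth-Trunk20")
    print("\n".join(issues) if issues else "relay-mode MAD consistent on both sides")
```

The check is worth rerunning after any change to Eth-Trunk 20 on SwitchC: removing the relay agent leaves "MAD relay detection enabled: YES" in the CSS while no device forwards the detection packets, so the CSS would split silently.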

----End

Configuration Files
● CSS configuration file
#
sysname CSS
#
interface Eth-Trunk10
#
interface Eth-Trunk20
mad detect mode relay
#
interface Eth-Trunk30
#
interface GigabitEthernet1/1/0/3
eth-trunk 20
#
interface GigabitEthernet1/1/0/4
eth-trunk 10
#
interface GigabitEthernet1/1/0/5
eth-trunk 30
#
interface GigabitEthernet2/1/0/3
eth-trunk 30
#
interface GigabitEthernet2/1/0/4
eth-trunk 10
#
interface GigabitEthernet2/1/0/5
eth-trunk 20
#
return
● SwitchC configuration file
#
sysname SwitchC
#
interface Eth-Trunk20
mad relay
#
interface GigabitEthernet1/0/1
eth-trunk 20
#
interface GigabitEthernet1/0/2
eth-trunk 20
#
return
● SwitchD configuration file
#
sysname SwitchD
#
interface Eth-Trunk30
#
interface GigabitEthernet1/0/1
eth-trunk 30
#
interface GigabitEthernet1/0/2
eth-trunk 30
#
return
● SwitchE configuration file
#
sysname SwitchE
#
interface Eth-Trunk10
#
interface GigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/2
eth-trunk 10
#
return

Related Information
Tool
CSS Assistant

3.4.2.3 Example for Setting Up a CSS Using Service Ports

Overview of CSS
A Cluster Switch System (CSS), also called a cluster, is a logical switch consisting
of two clustering-capable switches. It provides high forwarding performance and
high network reliability and scalability, while simplifying network management.
● High reliability: Member switches in a CSS work in redundancy mode. Link
redundancy can also be implemented between member switches through link
aggregation.
● High scalability: Switches can set up a CSS to increase the number of ports,
bandwidth, and packet processing capabilities.
● Simplified configuration and management: After two switches set up a CSS,
they are virtualized into one device. You can log in to the CSS from either
member switch to configure and manage the entire CSS.

In service port connection mode, member switches are connected using service
ports, without a need for CSS cards. The service ports must be configured as
physical member ports of logical CSS ports. Figure 3-44 shows physical member
ports and logical CSS ports in a CSS.

Figure 3-44 Service port connection

● Physical member port
A physical member port is a service port used to set up a CSS link between
CSS member switches. Physical member ports forward service packets or CSS
protocol packets between member switches.
● Logical CSS port
A logical CSS port is bound to physical member ports for CSS connection.
Each CSS member switch supports two logical CSS ports.

Compared with the CSS card connection mode, the service port connection mode
is more flexible but is complex to configure and needs to occupy service ports on
LPUs.

After a CSS is set up, you are advised to perform the following configurations:
● To simplify network configuration, increase uplink bandwidth, and improve
reliability, configure inter-device Eth-Trunks in the CSS, connect downstream
devices to the CSS in dual-homing mode, and add uplink and downlink ports
of the CSS to the Eth-Trunks.
● Configure the multi-active detection (MAD) function in the CSS. Two member
switches in a CSS use the same IP address and MAC address (CSS system MAC
address). Therefore, after the CSS splits, two CSSs using the same IP address
and MAC address exist. To prevent this situation, a mechanism is required to
check for IP address and MAC address conflicts after a split. MAD is a CSS
split detection protocol that provides split detection, multi-active handling,
and fault recovery mechanisms when a CSS splits due to a link failure. This
minimizes the impact of a CSS split on services.
MAD can be implemented in direct or relay mode, but these modes cannot be
configured simultaneously in a CSS. You can configure MAD in relay mode for
a CSS when an inter-device Eth-Trunk is configured in the CSS. The direct
mode occupies additional ports, and these ports can only be used for MAD
after being connected using common cables. In contrast to the direct mode,
the relay mode does not occupy additional ports.

Guidelines
● When switches using SRUAs, SRUBs, SRUCs, and SRUDs set up a CSS in
service port clustering mode, the system software file (system startup
package) must be saved in the CF card. If it is saved in the flash memory, the
CSS cannot be set up in service port clustering mode.
● After two switches set up a CSS, the following features cannot be configured
in the CSS:
– Synchronous Ethernet clock
– Precision Time Protocol (PTP) (IEEE 1588)
● When configuring MAD, focus on the differences in the command syntax
between V200R002C00 and V200R003C00 (and later versions). In
V200R002C00, the split detection function is called dual-active detection
(DAD).
● Regardless of how many MAD links exist, once the CSS splits, the ports of the
standby switch are shut down and stop forwarding service packets.

Networking Requirements
An enterprise needs to build a network that has a reliable core layer and simple
structure to facilitate configuration and management and reduce deployment
costs.

To meet requirements of the enterprise, core switches SwitchA and SwitchB set up
a CSS in service port connection mode. SwitchA is the master switch, and SwitchB
is the standby switch. Figure 3-45 shows the network topology. Aggregation
switches connect to the CSS through Eth-Trunks, and the CSS connects to the
upstream network through an Eth-Trunk. In this example, the core switches are
the S9706 switches.

Figure 3-45 Setting up a CSS

Configuration Roadmap
The configuration roadmap is as follows:

1. Install LPUs on SwitchA and SwitchB, and connect cluster cables. Connect four
service ports on two LPUs of each switch to improve bandwidth and reliability.
2. Set the CSS connection mode on SwitchA and SwitchB and set their CSS IDs to
1 and 2 and CSS priorities to 100 and 10 respectively. These configurations
ensure that SwitchA has a higher probability to become the master switch.
3. Configure two logical CSS ports on each of SwitchA and SwitchB and add two
physical member ports to each logical CSS port.
4. Enable the CSS function on SwitchA and then on SwitchB to ensure that
SwitchA becomes the master switch.
5. Check whether a CSS is set up successfully.
6. Configure uplink and downlink Eth-Trunks for the CSS to improve forwarding
bandwidth and reliability.
7. Configure MAD to minimize the impact of a CSS split on the network.

Procedure
Step 1 Install hardware modules.
The following describes only the rule for connecting cluster cables between two
member switches. If you also need to install LPUs and learn about installation
details, see the Switch Cluster Setup Guide.
Connect cluster cables according to the connection rule shown in Figure 3-46.

Figure 3-46 Connection rule for service port clustering

Service ports are connected in two ways according to link distribution:
● 1+0 networking
Each member switch has one logical CSS port and connects to the other
member switch through physical member ports on one service card.
● 1+1 networking
Each member switch has two logical CSS ports, and physical member ports of
the logical CSS ports are located on two service cards. CSS links on the two
service cards implement link redundancy. The preceding figure shows the
cable connections in this networking.

NOTE
When connecting cluster cables, pay attention to the following points:
● Physical member ports of a logical CSS port on one switch must connect to physical
member ports of a logical CSS port on the other switch.
● In 1+1 networking, it is recommended that two service cards have the same number
of CSS links.
To ensure reliability, pay attention to the following points when using the preceding two
service port clustering networkings:
● You are advised to install MPUs in between CSS cards.
● To ensure high reliability, you are advised to use 1+1 networking and configure
multi-active detection (MAD).
● At least two physical member ports on an LPU must be added to one logical CSS port.
● It is recommended that the cards where uplink ports and MAD-enabled ports are
located be the LPUs that are not used for CSS connections.

Step 2 Configure the CSS connection mode, CSS ID, and CSS priority.

# Configure the CSS function on SwitchA. Configure the service port connection
mode, set the CSS priority to 100, and retain the default CSS ID 1.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] set css mode lpu
[SwitchA] set css priority 100

# Configure the CSS function on SwitchB. Configure the service port connection
mode, and set the CSS ID to 2 and CSS priority to 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode lpu
[SwitchB] set css id 2
[SwitchB] set css priority 10

# Check the CSS configuration.

NOTE

After the configuration is complete, run the display css status saved command to check
the CSS configuration.

Check the CSS configuration on SwitchA.
[SwitchA] display css status saved
Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master force
------------------------------------------------------------------------------
1            1          Off          LPU        100        Off

Check the CSS configuration on SwitchB.
[SwitchB] display css status saved
Current Id   Saved Id   CSS Enable   CSS Mode   Priority   Master force
------------------------------------------------------------------------------
1            2          Off          LPU        10         Off

Step 3 Configure logical CSS ports.

# On SwitchA, configure service ports XGE1/0/1 and XGE1/0/2 as physical member
ports and add them to CSS port 1, and configure service ports XGE2/0/1 and
XGE2/0/2 as physical member ports and add them to CSS port 2.
[SwitchA] interface css-port 1
[SwitchA-css-port1] port interface xgigabitethernet 1/0/1 to xgigabitethernet 1/0/2 enable
[SwitchA-css-port1] quit
[SwitchA] interface css-port 2
[SwitchA-css-port2] port interface xgigabitethernet 2/0/1 to xgigabitethernet 2/0/2 enable
[SwitchA-css-port2] quit

# On SwitchB, configure service ports XGE1/0/1 and XGE1/0/2 as physical member
ports and add them to CSS port 1, and configure service ports XGE2/0/1 and
XGE2/0/2 as physical member ports and add them to CSS port 2.
[SwitchB] interface css-port 1
[SwitchB-css-port1] port interface xgigabitethernet 1/0/1 to xgigabitethernet 1/0/2 enable
[SwitchB-css-port1] quit
[SwitchB] interface css-port 2
[SwitchB-css-port2] port interface xgigabitethernet 2/0/1 to xgigabitethernet 2/0/2 enable
[SwitchB-css-port2] quit

NOTE

After the configuration is complete, run the display css css-port saved command to check
whether the ports are Up.

Step 4 Enable the CSS function.
# Enable the CSS function on SwitchA and restart SwitchA.
[SwitchA] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is LPU. Reboot now? [Y/N]:y

# Enable the CSS function on SwitchB and restart SwitchB.
[SwitchB] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is LPU. Reboot now? [Y/N]:y

Step 5 Check whether a CSS is set up successfully.
# View the indicator status.
The ACT indicator on an MPU of SwitchA is steady green, indicating that the MPU
is the active MPU of the CSS and SwitchA is the master switch.
The ACT indicator on an MPU of SwitchB is blinking green, indicating that the
MPU is the standby MPU of the CSS and SwitchB is the standby switch.
# Log in to the CSS through the console port on any MPU to check whether the
CSS has been set up successfully.
<SwitchA> display device
Chassis 1 (Master Switch)
S9706's Device status:
Slot  Sub  Type          Online    Power     Register      Status    Role
---------------------------------------
1     -    EH1D2X12SSA0  Present   PowerOn   Registered    Normal    NA
2     -    EH1D2X12SSA0  Present   PowerOn   Registered    Normal    NA
7     -    EH1D2SRUC000  Present   PowerOn   Registered    Normal    Master
8     -    EH1D2SRUC000  Present   PowerOn   Registered    Normal    Slave
PWR1  -    -             Present   PowerOn   Registered    Normal    NA
PWR2  -    -             Present   -         Unregistered  -         NA
CMU2  -    EH1D200CMU00  Present   PowerOn   Registered    Normal    Master
FAN1  -    -             Present   PowerOn   Registered    Abnormal  NA
FAN2  -    -             Present   -         Unregistered  -         NA
Chassis 2 (Standby Switch)
S9706's Device status:
Slot  Sub  Type          Online    Power     Register      Status    Role
---------------------------------------
1     -    EH1D2X12SSA0  Present   PowerOn   Registered    Normal    NA
2     -    EH1D2X12SSA0  Present   PowerOn   Registered    Normal    NA
7     -    EH1D2SRUC000  Present   PowerOn   Registered    Normal    Master
8     -    EH1D2SRUC000  Present   PowerOn   Registered    Normal    Slave
PWR1  -    -             Present   PowerOn   Registered    Normal    NA
PWR2  -    -             Present   PowerOn   Registered    Normal    NA
CMU1  -    EH1D200CMU00  Present   PowerOn   Registered    Normal    Master
FAN1  -    -             Present   PowerOn   Registered    Normal    NA
FAN2  -    -             Present   PowerOn   Registered    Normal    NA

The command output shows the card status of both member switches, indicating
that the CSS has been set up successfully.

# Check whether the CSS link topology is the same as the actual hardware
connection.
<SwitchA> display css channel all
CSS link-down-delay: 500ms

Chassis 1 || Chassis 2
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 1/1 XGigabitEthernet1/1/0/1 XGigabitEthernet2/1/0/1 2/1
2 1/1 XGigabitEthernet1/1/0/2 XGigabitEthernet2/1/0/2 2/1
3 1/2 XGigabitEthernet1/2/0/1 XGigabitEthernet2/2/0/1 2/2
4 1/2 XGigabitEthernet1/2/0/2 XGigabitEthernet2/2/0/2 2/2
Chassis 2 || Chassis 1
================================================================================
Num [CSS port] [LPU Port] || [LPU Port] [CSS port]
1 2/1 XGigabitEthernet2/1/0/1 XGigabitEthernet1/1/0/1 1/1
2 2/1 XGigabitEthernet2/1/0/2 XGigabitEthernet1/1/0/2 1/1
3 2/2 XGigabitEthernet2/2/0/1 XGigabitEthernet1/2/0/1 1/2
4 2/2 XGigabitEthernet2/2/0/2 XGigabitEthernet1/2/0/2 1/2

The command output shows that the CSS link topology is the same as the actual
hardware connection, indicating that the CSS has been set up successfully.
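
The topology comparison above can be scripted so it is repeated after every recabling. The following Python, added here and not part of the Huawei documentation, parses display css channel all (embedded as a constructed sample copied from the output above), checks that every link in the chassis 1 view is mirrored in the chassis 2 view, and applies two cabling rules from Step 1: at least two physical member ports per logical CSS port, and two logical CSS ports per chassis for 1+1 networking. A second constructed sample, in which chassis 2 reports a moved cable, shows what an inconsistent view looks like to the check.

```python
from __future__ import annotations

import re
from collections import defaultdict
from typing import Tuple

# Constructed sample: the `display css channel all` output shown above
# (service port mode, 1+1 networking with two logical CSS ports per chassis).
CHANNEL_ALL_OUTPUT = """\
CSS link-down-delay: 500ms

Chassis 1                             ||                        Chassis 2
================================================================================
Num [CSS port] [LPU Port]             ||     [LPU Port]         [CSS port]
1   1/1        XGigabitEthernet1/1/0/1      XGigabitEthernet2/1/0/1     2/1
2   1/1        XGigabitEthernet1/1/0/2      XGigabitEthernet2/1/0/2     2/1
3   1/2        XGigabitEthernet1/2/0/1      XGigabitEthernet2/2/0/1     2/2
4   1/2        XGigabitEthernet1/2/0/2      XGigabitEthernet2/2/0/2     2/2
Chassis 2                             ||                        Chassis 1
================================================================================
Num [CSS port] [LPU Port]             ||     [LPU Port]         [CSS port]
1   2/1        XGigabitEthernet2/1/0/1      XGigabitEthernet1/1/0/1     1/1
2   2/1        XGigabitEthernet2/1/0/2      XGigabitEthernet1/1/0/2     1/1
3   2/2        XGigabitEthernet2/2/0/1      XGigabitEthernet1/2/0/1     1/2
4   2/2        XGigabitEthernet2/2/0/2      XGigabitEthernet1/2/0/2     1/2
"""

# Constructed inconsistent case: chassis 2 reports a different far-end port on
# its fourth link than chassis 1 does, as after a cable has been moved.
MISMATCHED_OUTPUT = CHANNEL_ALL_OUTPUT.replace(
    "XGigabitEthernet2/2/0/2      XGigabitEthernet1/2/0/2",
    "XGigabitEthernet2/2/0/2      XGigabitEthernet1/2/0/3",
)

SECTION_RE = re.compile(r"^Chassis\s+(\d+)\s+\|\|\s+Chassis\s+(\d+)")
ROW_RE = re.compile(r"^\d+\s+(\d+/\d+)\s+(\S+)\s+(\S+)\s+(\d+/\d+)$")

# (local CSS port, local LPU port, remote LPU port, remote CSS port)
Link = Tuple[str, str, str, str]


def parse_channel_all(output: str) -> dict[int, list[Link]]:
    """Group link rows by the chassis whose view they belong to."""
    views: dict[int, list[Link]] = defaultdict(list)
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            current = int(sec.group(1))
            continue
        row = ROW_RE.match(line)
        if row and current is not None:
            views[current].append(row.groups())
    return dict(views)


def check_topology(views: dict[int, list[Link]], min_members: int = 2) -> list[str]:
    """Report inconsistencies between the two chassis views and the cabling
    rules of 1+1 networking. An empty list means the topology is consistent."""
    problems: list[str] = []
    v1 = set(views.get(1, []))
    v2 = set(views.get(2, []))
    # Each link seen from chassis 1 must appear mirrored in the chassis 2 view.
    mirrored = {(rcss, rport, lport, lcss) for (lcss, lport, rport, rcss) in v2}
    for link in sorted(v1 - mirrored):
        problems.append(f"chassis 1 link {link} is not reported by chassis 2")
    for link in sorted(mirrored - v1):
        problems.append(f"chassis 2 reports link {link} that chassis 1 does not")
    # Every logical CSS port needs at least `min_members` physical member ports.
    members: dict[str, set[str]] = defaultdict(set)
    for links in views.values():
        for lcss, lport, _, _ in links:
            members[lcss].add(lport)
    for css_port, ports in sorted(members.items()):
        if len(ports) < min_members:
            problems.append(f"CSS port {css_port} has only {len(ports)} member port(s)")
    # 1+1 networking needs two logical CSS ports on each chassis.
    for chassis in (1, 2):
        css_ports = {lcss for lcss, _, _, _ in views.get(chassis, [])}
        if len(css_ports) != 2:
            problems.append(f"chassis {chassis} has {len(css_ports)} logical CSS port(s); "
                            "1+1 networking needs two")
    return problems


if __name__ == "__main__":
    for name, sample in (("as cabled", CHANNEL_ALL_OUTPUT), ("cable moved", MISMATCHED_OUTPUT)):
        issues = check_topology(parse_channel_all(sample))
        print(name + ":", "\n  ".join(issues) if issues else "consistent")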

Step 6 Configure Eth-Trunks between the CSS and its upstream and downstream devices.

# Configure an Eth-Trunk in the CSS and add uplink ports to the Eth-Trunk.
<SwitchA> system-view
[SwitchA] sysname CSS //Rename the CSS.
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] quit
[CSS] interface xgigabitethernet 1/3/0/4
[CSS-XGigabitEthernet1/3/0/4] eth-trunk 10
[CSS-XGigabitEthernet1/3/0/4] quit
[CSS] interface xgigabitethernet 2/3/0/4
[CSS-XGigabitEthernet2/3/0/4] eth-trunk 10
[CSS-XGigabitEthernet2/3/0/4] quit

# Configure an Eth-Trunk in the CSS and add the downlink ports connected to
SwitchC to the Eth-Trunk.
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] quit
[CSS] interface gigabitethernet 1/4/0/3
[CSS-GigabitEthernet1/4/0/3] eth-trunk 20
[CSS-GigabitEthernet1/4/0/3] quit
[CSS] interface gigabitethernet 2/4/0/5
[CSS-GigabitEthernet2/4/0/5] eth-trunk 20
[CSS-GigabitEthernet2/4/0/5] quit

# Configure an Eth-Trunk in the CSS and add the downlink ports connected to
SwitchD to the Eth-Trunk.
[CSS] interface eth-trunk 30
[CSS-Eth-Trunk30] quit
[CSS] interface gigabitethernet 1/4/0/5
[CSS-GigabitEthernet1/4/0/5] eth-trunk 30
[CSS-GigabitEthernet1/4/0/5] quit
[CSS] interface gigabitethernet 2/4/0/3
[CSS-GigabitEthernet2/4/0/3] eth-trunk 30
[CSS-GigabitEthernet2/4/0/3] return

# Configure an Eth-Trunk on SwitchE and add member ports to the Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] sysname SwitchE
[SwitchE] interface eth-trunk 10
[SwitchE-Eth-Trunk10] quit
[SwitchE] interface xgigabitethernet 1/0/1
[SwitchE-XGigabitEthernet1/0/1] eth-trunk 10
[SwitchE-XGigabitEthernet1/0/1] quit
[SwitchE] interface xgigabitethernet 1/0/2
[SwitchE-XGigabitEthernet1/0/2] eth-trunk 10
[SwitchE-XGigabitEthernet1/0/2] quit

# Configure an Eth-Trunk on SwitchC and add member ports to the Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] interface eth-trunk 20
[SwitchC-Eth-Trunk20] quit
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] eth-trunk 20
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] eth-trunk 20
[SwitchC-GigabitEthernet1/0/2] quit

# Configure an Eth-Trunk on SwitchD and add member ports to the Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] interface eth-trunk 30
[SwitchD-Eth-Trunk30] quit
[SwitchD] interface gigabitethernet 1/0/1
[SwitchD-GigabitEthernet1/0/1] eth-trunk 30
[SwitchD-GigabitEthernet1/0/1] quit
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] eth-trunk 30
[SwitchD-GigabitEthernet1/0/2] quit

# Verify the configuration.
After the configuration is complete, run the display trunkmembership eth-trunk
command in any view to check information about Eth-Trunk member ports. For
example, the following command output shows information about member ports in
Eth-Trunk 10.
<CSS> display trunkmembership eth-trunk 10
Trunk ID: 10
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 2
Number Of Up Ports in Trunk = 2
Operate status: up

Interface XGigabitEthernet1/3/0/4, valid, operate up, weight=1
Interface XGigabitEthernet2/3/0/4, valid, operate up, weight=1

Step 7 Configure the MAD function. The following procedure configures MAD in relay
mode and configures SwitchC as the relay agent using the commands applicable
to V200R003C00 and later versions.
# In the CSS, configure MAD in relay mode for the inter-device Eth-Trunk.
<CSS> system-view
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] mad detect mode relay //In V200R002C00, the command is dual-active detect mode relay.
[CSS-Eth-Trunk20] quit
[CSS] quit

# Configure the MAD proxy function on SwitchC.
[SwitchC] interface eth-trunk 20
[SwitchC-Eth-Trunk20] mad relay //In V200R002C00, the command is dual-active relay.
[SwitchC-Eth-Trunk20] quit
[SwitchC] quit

# Verify the configuration.
Check the MAD configuration in the CSS.
<CSS> display mad //In V200R002C00, the command is display dual-active.
Current MAD domain: 0
MAD direct detection enabled: NO
MAD relay detection enabled: YES

Check MAD proxy information on SwitchC.
<SwitchC> display mad proxy //In V200R002C00, the command is display dual-active proxy.
Mad relay interfaces configured:
Eth-Trunk20

----End

Configuration Files
● CSS configuration file
#
sysname CSS
#
interface Eth-Trunk10
#
interface Eth-Trunk20
mad detect mode relay
#
interface Eth-Trunk30
#
interface GigabitEthernet1/4/0/3
eth-trunk 20
#
interface XGigabitEthernet1/3/0/4
eth-trunk 10
#
interface GigabitEthernet1/4/0/5
eth-trunk 30
#
interface GigabitEthernet2/4/0/3
eth-trunk 30
#
interface XGigabitEthernet2/3/0/4
eth-trunk 10
#
interface GigabitEthernet2/4/0/5
eth-trunk 20
#
return

● SwitchC configuration file
#
sysname SwitchC
#
interface Eth-Trunk20
mad relay
#
interface GigabitEthernet1/0/1
eth-trunk 20
#
interface GigabitEthernet1/0/2
eth-trunk 20
#
return

● SwitchD configuration file
#
sysname SwitchD
#
interface Eth-Trunk30
#
interface GigabitEthernet1/0/1
eth-trunk 30
#
interface GigabitEthernet1/0/2
eth-trunk 30
#
return

● SwitchE configuration file
#
sysname SwitchE
#
interface Eth-Trunk10
#
interface XGigabitEthernet1/0/1
eth-trunk 10
#
interface XGigabitEthernet1/0/2
eth-trunk 10
#
return

Related Information
Tool

CSS Assistant

3.4.2.4 Combining Standalone Switches into a CSS

Networking Requirements
Two modular switches at the aggregation layer use VRRP and STP to implement
gateway backup. To simplify the configuration, the two modular switches need to
be combined into a logical CSS.

In Figure 3-47, S1 and S2 at the aggregation layer are two standalone switches
and need to be combined into a CSS to simplify configuration and facilitate
maintenance and management.

Figure 3-47 Networking diagram of combining standalone switches into a CSS

When two standalone devices are combined into a CSS, major configuration
changes include:
● The VRRP gateway backup protocol deployed at the aggregation layer is not
required and its configuration needs to be deleted.
● The STP loop prevention protocol deployed at the access layer is not required
and its configuration needs to be deleted.
● The links at the access, aggregation, and core layers are changed to Eth-
Trunks, and related interface configurations need to be changed, including
basic VLAN configuration, QoS configuration, and ACL configuration.

Guidelines
● This operation applies to CSS card clustering and service port clustering.
Before combining two standalone switches into a CSS, ensure that the
hardware and software of the two switches meet CSS requirements. For CSS
card clustering, CSS cards and cluster cables have been prepared. For service
port clustering, service cards that support service port clustering and cluster
cables have been prepared.
● After the CSS function is enabled on a standalone switch, configurations on
the interfaces of the switch will be lost. Therefore, back up the configuration
file before enabling the CSS function.
● The following procedure provides only the related configurations. Whether
other configurations need to be changed depends on the actual networking.

Procedure
Step 1 In the original networking, traffic at the access layer is load-balanced among
multiple links through STP and VRRP. In Figure 3-48, some traffic is forwarded
through S1 and some traffic is forwarded through S2.

Figure 3-48 Existing traffic forwarding

Step 2 Manually shut down the uplink and downlink ports of S2 to change the STP and
VRRP status so that S2 is isolated from the network and all traffic is forwarded
through S1, as shown in Figure 3-49.

Figure 3-49 Traffic forwarding after an STP and VRRP status switchover

Step 3 Back up the configuration file of S2. After the CSS function is enabled on a
standalone switch, the interface number format on the switch is changed from
slot ID/subcard ID/port number to stack member ID/slot ID/subcard ID/port
number, and the configurations on the interfaces of the switch are lost.
Step 4 Change S2 to the CSS state.
● Procedure for configuring service port clustering
a. Power off S2, install service cards, and power on S2.
b. Configure the CSS connection mode and CSS priority on S2.
<S2> system-view
[S2] set css mode lpu
[S2] set css priority 200 // Set the CSS priority to 200 to make S2 become the CSS master. The default CSS priority is 1.
[S2] display css status saved // Check whether the configuration is correct.
Current Id Saved Id CSS Enable CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 1 Off LPU 200 On

c. Configure service ports as CSS ports. For example, configure service ports
XGE1/0/1, XGE1/0/2, XGE2/0/1, and XGE2/0/2 as CSS ports.
[S2] interface css-port 1
[S2-css-port1] port interface xgigabitethernet 1/0/1 to xgigabitethernet 1/0/2 enable
[S2-css-port1] quit
[S2] interface css-port 2
[S2-css-port2] port interface xgigabitethernet 2/0/1 to xgigabitethernet 2/0/2 enable
[S2-css-port2] quit

d. Enable the CSS function on S2 and restart S2.
[S2] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is LPU. Reboot now? [Y/N]:y

e. After S2 is restarted, check its CSS status. If the following output is
displayed, S2 has been changed to the CSS state:
<S2> display device
Chassis 1 (Master Switch)
S9706's Device status:
Slot Sub Type Online Power Register Status Role
---------------------------------------
1 - EH1D2X12SSA0 Present PowerOn Registered Normal NA
2 - EH1D2X12SSA0 Present PowerOn Registered Normal NA
3 - EH1D2S04SX1E Present PowerOn Registered Normal NA
4 - EH1D2S04SX1E Present PowerOn Registered Normal NA
7 - EH1D2SRUC000 Present PowerOn Registered Normal Master
8 - EH1D2SRUC000 Present PowerOn Registered Normal Slave
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present - Unregistered - NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Abnormal NA
FAN2 - - Present - Unregistered - NA

● Procedure for configuring CSS card clustering
a. Power off S2, install CSS cards, and power on S2.
b. Configure the CSS priority on S2.
<S2> system-view
[S2] set css priority 200 // Set the CSS priority to 200 to make S2 become the CSS master. The default CSS priority is 1.
[S2] display css status saved // Check whether the configuration is correct.
Current Id Saved Id CSS Enable CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 1 Off CSS card 200 On

c. Enable the CSS function on S2 and restart S2.
[S2] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
d. After S2 is restarted, check its CSS status. If the following output is
displayed, S2 has been changed to the CSS state:
<S2> display device
Chassis 1 (Master Switch)
S9706's Device status:
Slot Sub Type Online Power Register Status Role
---------------------------------------
3 - EH1D2S04SX1E Present PowerOn Registered Normal NA
4 - EH1D2S04SX1E Present PowerOn Registered Normal NA
7 - EH1D2SRUC000 Present PowerOn Registered Normal Master
1 EH1D2VS08000 Present PowerOn Registered Normal NA
8 - EH1D2SRUC000 Present PowerOn Registered Normal Slave
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present - Unregistered - NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Abnormal NA
FAN2 - - Present - Unregistered - NA

Step 5 Change the configuration of S2, which has been changed to a single-chassis
cluster CSS-1. Alternatively, change the configuration after S1 and S2 are
combined into a CSS. Changing the configuration of S2 before S1 and S2 are
combined into a CSS can reduce the traffic loss.

Figure 3-50 Single-chassis CSS

1. Bind uplink ports XGE1/4/0/1 and XGE1/4/0/2 of CSS-1 to Eth-Trunks and
move the configurations of these ports to the Eth-Trunks.
For example, the configurations on the original ports (connecting CSS-1 to
devices at the core layer) are as follows:
#
interface XGigabitEthernet4/0/1
undo portswitch
ip address 192.168.4.2 255.255.255.0
#
interface XGigabitEthernet4/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
Change the configurations.
<S2> system-view
[S2] sysname CSS // Change the device name to facilitate maintenance.
[CSS] interface eth-trunk 20 // Add the port connecting the CSS to a core device to Eth-Trunk 20.
[CSS-Eth-Trunk20] trunkport xgigabitethernet1/4/0/1
[CSS-Eth-Trunk20] ip address 192.168.4.2 255.255.255.0
[CSS-Eth-Trunk20] quit
[CSS] interface eth-trunk 10 // Add the port connecting the CSS to another core device to Eth-Trunk 10.
[CSS-Eth-Trunk10] trunkport xgigabitethernet1/4/0/2
[CSS-Eth-Trunk10] port link-type trunk
[CSS-Eth-Trunk10] port trunk allow-pass vlan 100 200
[CSS-Eth-Trunk10] quit
2. Change the configurations of devices at the core layer and access layer and
bind physical ports to Eth-Trunks. The procedure is similar to the preceding
procedure.
3. Delete the VRRP configuration on CSS-1.
For example, the configurations of VLANIF interfaces are as follows:
#
interface Vlanif100
ip address 10.1.10.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.10.111
vrrp vrid 1 priority 120
#
interface Vlanif200
ip address 10.1.20.1 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.20.111
#
Delete the configurations of VLANIF interfaces.
[CSS] interface vlanif 100
[CSS-Vlanif100] undo vrrp vrid 1
[CSS-Vlanif100] undo ip address
[CSS-Vlanif100] quit
[CSS] interface vlanif 200
[CSS-Vlanif200] undo vrrp vrid 2
[CSS-Vlanif200] undo ip address
[CSS-Vlanif200] quit
4. Delete unnecessary network segments from the OSPF routing domain.
5. Change the configurations of the interfaces on which QoS and ACLs are
configured to bind these interfaces to Eth-Trunks.
6. Change the STP priority of CSS-1 so that CSS-1 becomes the root switch of all
VLANs.
Step 6 Run the undo shutdown command to enable the interfaces on CSS-1 and check
whether Layer 2 and Layer 3 forwarding between CSS-1 and devices at the access
layer and core layer is normal.
Step 7 After confirming that Layer 2 and Layer 3 forwarding between CSS-1 and devices
at the access layer and core layer is normal, shut down interfaces on S1 so that S1
is isolated from the network and all traffic is forwarded through CSS-1.

Figure 3-51 Traffic switched to CSS-1

Step 8 Change S1 to the CSS state. After S1 is added to CSS-1, S1 uses the configuration
file of CSS-1.
● Procedure for configuring service port clustering
a. Power off S1, install service cards, connect the cluster cables between S1
and CSS-1, and power on S1.
b. Configure the cluster connection mode and CSS ID and retain the default
CSS priority 1 on S1.
<S1> system-view
[S1] set css mode lpu
[S1] set css id 2
[S1] display css status saved // Check whether the configuration is correct.
Current Id Saved Id CSS Enable CSS Mode Priority Master Force
------------------------------------------------------------------------------
1 2 Off LPU 1 On

c. Configure service ports as CSS ports. For example, configure service ports
XGE1/0/1, XGE1/0/2, XGE2/0/1, and XGE2/0/2 as CSS ports.
[S1] interface css-port 1
[S1-css-port1] port interface xgigabitethernet 1/0/1 to xgigabitethernet 1/0/2 enable
[S1-css-port1] quit
[S1] interface css-port 2
[S1-css-port2] port interface xgigabitethernet 2/0/1 to xgigabitethernet 2/0/2 enable
[S1-css-port2] quit

d. Enable the CSS function on S1 and restart S1.
[S1] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is LPU. Reboot now? [Y/N]:y

e. After S1 is restarted, check its CSS status. If the following output is
displayed, S1 has joined the CSS.
<CSS> display device
Chassis 1 (Master Switch)
S9706's Device status:
Slot Sub Type Online Power Register Status Role
---------------------------------------
1 - EH1D2X12SSA0 Present PowerOn Registered Normal NA
2 - EH1D2X12SSA0 Present PowerOn Registered Normal NA
3 - EH1D2S04SX1E Present PowerOn Registered Normal NA
4 - EH1D2S04SX1E Present PowerOn Registered Normal NA
7 - EH1D2SRUC000 Present PowerOn Registered Normal Master
8 - EH1D2SRUC000 Present PowerOn Registered Normal Slave
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present - Unregistered - NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Abnormal NA
FAN2 - - Present - Unregistered - NA
Chassis 2 (Standby Switch)
S9706's Device status:
Slot Sub Type Online Power Register Status Role
---------------------------------------
1 - EH1D2X12SSA0 Present PowerOn Registered Normal NA
2 - EH1D2X12SSA0 Present PowerOn Registered Normal NA
3 - EH1D2S04SX1E Present PowerOn Registered Normal NA
4 - EH1D2S04SX1E Present PowerOn Registered Normal NA
7 - EH1D2SRUC000 Present PowerOn Registered Normal Master
8 - EH1D2SRUC000 Present PowerOn Registered Normal Slave
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present - Unregistered - NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Abnormal NA
FAN2 - - Present - Unregistered - NA
● Procedure for configuring CSS card clustering
a. Power off S1, install CSS cards, connect the cluster cables between S1 and
CSS-1, and power on S1.
b. Configure the CSS ID and retain the default CSS priority 1 on S1.
<S1> system-view
[S1] set css id 2
c. Enable the CSS function on S1 and restart S1.
[S1] css enable
Warning: The CSS configuration will take effect only after the system is rebooted. The next CSS mode is CSS card. Reboot now? [Y/N]:y
d. After S1 is restarted, check its CSS status. If the following output is
displayed, S1 has joined the CSS.
<CSS> display device
Chassis 1 (Master Switch)
S9706's Device status:
Slot Sub Type Online Power Register Status Role
---------------------------------------
3 - EH1D2S04SX1E Present PowerOn Registered Normal NA
4 - EH1D2S04SX1E Present PowerOn Registered Normal NA
7 - EH1D2SRUC000 Present PowerOn Registered Normal Master
1 EH1D2VS08000 Present PowerOn Registered Normal NA
8 - EH1D2SRUC000 Present PowerOn Registered Normal Slave
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present - Unregistered - NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Abnormal NA
FAN2 - - Present - Unregistered - NA
Chassis 2 (Standby Switch)
S9706's Device status:
Slot Sub Type Online Power Register Status Role
---------------------------------------
3 - EH1D2S04SX1E Present PowerOn Registered Normal NA
4 - EH1D2S04SX1E Present PowerOn Registered Normal NA
7 - EH1D2SRUC000 Present PowerOn Registered Normal Master
1 EH1D2VS08000 Present PowerOn Registered Normal NA
8 - EH1D2SRUC000 Present PowerOn Registered Normal Slave
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present - Unregistered - NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Abnormal NA
FAN2 - - Present - Unregistered - NA

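The display device output in Step 4 and Step 8 is read by eye in the procedure. As an added example (not code from the Huawei document), the following Python script parses output of that shape, confirms that the CSS has formed (two chassis, one Master and one Standby), and lists every component that is not Registered and Normal. It deliberately handles the subcard rows (the CSS cards in slots 7 and 8, whose Slot column is blank in the extracted text). The sample output is constructed to mirror the two-chassis CSS card clustering output above; note that a health check run over it still reports FAN1 as Abnormal and PWR2 and FAN2 as Unregistered in both chassis, which is exactly the kind of condition worth seeing before traffic is moved onto the new CSS.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the display device output above for a CSS
# built from two S9706 chassis with CSS cards (not captured from a real switch).
SAMPLE_DISPLAY_DEVICE = """\
<CSS> display device
Chassis 1 (Master Switch)
S9706's Device status:
Slot Sub Type Online Power Register Status Role
---------------------------------------
3 - EH1D2S04SX1E Present PowerOn Registered Normal NA
4 - EH1D2S04SX1E Present PowerOn Registered Normal NA
7 - EH1D2SRUC000 Present PowerOn Registered Normal Master
1 EH1D2VS08000 Present PowerOn Registered Normal NA
8 - EH1D2SRUC000 Present PowerOn Registered Normal Slave
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present - Unregistered - NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Abnormal NA
FAN2 - - Present - Unregistered - NA
Chassis 2 (Standby Switch)
S9706's Device status:
Slot Sub Type Online Power Register Status Role
---------------------------------------
3 - EH1D2S04SX1E Present PowerOn Registered Normal NA
4 - EH1D2S04SX1E Present PowerOn Registered Normal NA
7 - EH1D2SRUC000 Present PowerOn Registered Normal Master
1 EH1D2VS08000 Present PowerOn Registered Normal NA
8 - EH1D2SRUC000 Present PowerOn Registered Normal Slave
1 EH1D2VS08000 Present PowerOn Registered Normal NA
PWR1 - - Present PowerOn Registered Normal NA
PWR2 - - Present - Unregistered - NA
CMU2 - EH1D200CMU00 Present PowerOn Registered Normal Master
FAN1 - - Present PowerOn Registered Abnormal NA
FAN2 - - Present - Unregistered - NA
"""

CHASSIS_RE = re.compile(r"^Chassis\s+(\d+)\s+\((\w+)\s+Switch\)")
CARD_FIELDS = ("slot", "sub", "type", "online", "power", "register", "status", "role")


def parse_display_device(text: str) -> Dict[int, dict]:
    """Return {chassis_id: {"role": "Master"|"Standby", "cards": [card dicts]}}."""
    chassis: Dict[int, dict] = {}
    current = None
    last_slot = None
    for raw in text.splitlines():
        line = raw.strip()
        m = CHASSIS_RE.match(line)
        if m:
            current = {"role": m.group(2), "cards": []}
            chassis[int(m.group(1))] = current
            last_slot = None
            continue
        # Skip the prompt, the model line, the column header and the separator.
        if (current is None or not line or line.startswith(("<", "Slot", "---"))
                or line.endswith("Device status:")):
            continue
        fields = line.split()
        if len(fields) == 8:
            card = dict(zip(CARD_FIELDS, fields))
            last_slot = card["slot"]
        elif len(fields) == 7 and last_slot is not None:
            # Subcard row: the Slot column is blank, so it inherits the previous slot.
            card = dict(zip(CARD_FIELDS, (last_slot, *fields)))
        else:
            continue  # unrecognised row; ignore rather than guess
        current["cards"].append(card)
    return chassis


def css_formed(chassis: Dict[int, dict]) -> bool:
    """Both chassis present, one Master and one Standby."""
    roles = sorted(c["role"] for c in chassis.values())
    return len(chassis) == 2 and roles == ["Master", "Standby"]


def health_findings(chassis: Dict[int, dict]) -> List[str]:
    """Every component that is not both Registered and Normal, per chassis and slot."""
    findings: List[str] = []
    for cid in sorted(chassis):
        for card in chassis[cid]["cards"]:
            where = f"chassis {cid} slot {card['slot']}"
            if card["sub"] != "-":
                where += f"/{card['sub']}"
            if card["register"] != "Registered":
                findings.append(f"{where}: {card['register']}")
            elif card["status"] != "Normal":
                findings.append(f"{where}: status {card['status']}")
    return findings


if __name__ == "__main__":
    dev = parse_display_device(SAMPLE_DISPLAY_DEVICE)
    print("CSS formed:", css_formed(dev))
    for finding in health_findings(dev):
        print("  ", finding)
```

Run it with the real output pasted into `SAMPLE_DISPLAY_DEVICE`; `css_formed` returning False means the second chassis has not joined yet, and a non-empty `health_findings` list is the component list to clear before Step 9.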
Step 9 S1 is changed to CSS-2 and becomes the standby switch of the CSS.

Figure 3-52 Two CSS systems merging into one

Step 10 Change the configurations of CSS-2 and add interfaces of CSS-2 to Eth-Trunks.
1. Add uplink ports XGE2/4/0/1 and XGE2/4/0/2 of CSS-2 to Eth-Trunks.
[CSS] interface eth-trunk 20
[CSS-Eth-Trunk20] trunkport xgigabitethernet2/4/0/1
[CSS-Eth-Trunk20] quit
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] trunkport xgigabitethernet2/4/0/2
[CSS-Eth-Trunk10] quit
2. Change the configurations of devices at the core layer and access layer and
bind physical ports to Eth-Trunks. The procedure is similar to the preceding
procedure.
Step 11 Run the undo shutdown command to enable the interfaces of CSS-2 and check
whether Layer 2 and Layer 3 forwarding between CSS-2 and devices at the core
layer and access layer is normal. In this case, S1 and S2 have been combined into
a CSS, as shown in Figure 3-53.

Figure 3-53 Traffic forwarding after a CSS merge

----End

3.4.3 Typical SVF Configuration

3.4.3.1 Information to Know Before SVF Deployment

3.4.3.1.1 SVF Technical Characteristics

A traditional campus network has the following characteristics:
● Core and aggregation devices have fixed services.
● Access devices are widely distributed.
● Access devices use simple, similar service configurations.
● Access devices have many ports.
● Access devices increasingly need to support wired and wireless convergence.
Management and configuration of access devices are time-consuming due to the
preceding characteristics. Super Virtual Fabric (SVF) technology effectively
simplifies management and configuration of access devices.

Figure 3-54 SVF networking diagram

As shown in Figure 3-54, SVF simplifies campus network management and
maintenance. According to characteristics of campus networks, SVF technology
allows you to configure and maintain access devices as well as manage access
users in a uniform manner.
In an SVF system, a parent manages and configures the SVF system. Client refers
to all access devices, including wired access devices (ASs) and wireless access
devices (APs).
SVF has the following technical characteristics:
● Manages wired and wireless users on the parent in a uniform manner.
● Configures services of access switches (ASs) through the parent. For the
configurable services and service configuration modes, see 3.4.3.1.3 SVF
Service Deployment Limitations.
● Maintains the status of ASs and access points (APs) through the parent,
including device registration status and heartbeat, version and patch status,
important alarms, port status, and user status of all ASs and APs.
● Supports at most two levels of ASs (level-1 and level-2 ASs) and one level of
APs. When eSight is used to manage the SVF system, SVF can better simplify
device management.
The following table lists SVF hardware and software requirements.

NOTE

● When the parent version is earlier than V200R011C10, the AS version must be the same
as the parent version; otherwise, the AS cannot go online. For example, if the parent
version is V200R010C00, the AS version must also be V200R010C00. When the parent
version is V200R011C10 or later, the parent and AS versions can differ, but the parent
version must be the same as or higher than the AS version, and the AS version must
also be V200R011C10 or later. Table 3-13 describes the version mapping between parent
and AS. Table 3-14 describes the parent and AS switch models supported in each
software version.
● APs must use the software version matching that of the parent. For details, see "WLAN
Service Configuration - Licensing Requirements and Limitations for WLAN" in the
Configuration Guide - WLAN-AC.
● To check AP device types supported by the parent by default, run the display ap-type
all command on the parent.

Table 3-13 Version mapping between parent and AS

Parent Version Required AS Version
V200R007C00 V200R007C00
V200R008C00 V200R008C00
V200R009C00 V200R009C00
V200R010C00 V200R010C00
V200R011C10 V200R011C10
V200R012C00 V200R011C10, V200R012C00
V200R013C00 V200R011C10, V200R012C00, V200R013C00
V200R019C00 V200R012C00, V200R013C00, V200R019C00
V200R019C10 V200R012C00, V200R013C00, V200R019C00, V200R019C10
V200R020C00 V200R013C00, V200R019C00, V200R019C10, V200R020C00
V200R020C10 V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10

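The NOTE above gives a general rule (identical versions below V200R011C10; from V200R011C10 on, the AS version may be lower than the parent version but not lower than V200R011C10) and then refers to Table 3-13, which is more restrictive: for example a V200R019C00 parent lists only V200R012C00 and later AS versions, although V200R011C10 would satisfy the general rule. As an added example (not code from the Huawei document), the following Python script parses version strings of the form VxxxRyyyCzz, encodes Table 3-13 as data, and answers whether an AS can go online under a given parent, treating the table as authoritative and reporting when the general rule and the table disagree. Version strings with a suffix (for example a patch level) are not handled; that restriction is an assumption of the example.

```python
import re
from typing import Dict, Set, Tuple

VERSION_RE = re.compile(r"^V(\d+)R(\d+)C(\d+)$")

# Table 3-13 as data: parent version -> AS versions that can go online under it.
PARENT_TO_AS: Dict[str, Set[str]] = {
    "V200R007C00": {"V200R007C00"},
    "V200R008C00": {"V200R008C00"},
    "V200R009C00": {"V200R009C00"},
    "V200R010C00": {"V200R010C00"},
    "V200R011C10": {"V200R011C10"},
    "V200R012C00": {"V200R011C10", "V200R012C00"},
    "V200R013C00": {"V200R011C10", "V200R012C00", "V200R013C00"},
    "V200R019C00": {"V200R012C00", "V200R013C00", "V200R019C00"},
    "V200R019C10": {"V200R012C00", "V200R013C00", "V200R019C00", "V200R019C10"},
    "V200R020C00": {"V200R013C00", "V200R019C00", "V200R019C10", "V200R020C00"},
    "V200R020C10": {"V200R013C00", "V200R019C00", "V200R019C10", "V200R020C00", "V200R020C10"},
}

# First parent version that accepts an AS running a different version (from the NOTE).
MIXED_VERSION_FLOOR = "V200R011C10"


def parse_version(v: str) -> Tuple[int, int, int]:
    """'V200R011C10' -> (200, 11, 10); tuples compare in V, R, C order."""
    m = VERSION_RE.match(v.strip().upper())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    major, release, custom = m.groups()
    return int(major), int(release), int(custom)


def rule_allows(parent: str, as_ver: str) -> bool:
    """The general rule from the NOTE, without consulting the table."""
    p, a, floor = parse_version(parent), parse_version(as_ver), parse_version(MIXED_VERSION_FLOOR)
    if p < floor:
        return p == a          # below the floor the versions must be identical
    return floor <= a <= p     # at or above it: AS not below the floor and not above the parent


def as_can_join(parent: str, as_ver: str) -> Tuple[bool, str]:
    """Authoritative answer from Table 3-13, with an explanation of why."""
    parent, as_ver = parent.strip().upper(), as_ver.strip().upper()
    if parent not in PARENT_TO_AS:
        return False, f"parent version {parent} is not covered by Table 3-13"
    if as_ver in PARENT_TO_AS[parent]:
        return True, "listed in Table 3-13"
    if rule_allows(parent, as_ver):
        return False, "satisfies the general rule but is not listed in Table 3-13 for this parent"
    return False, "fails the general rule"


if __name__ == "__main__":
    for pair in (("V200R012C00", "V200R011C10"), ("V200R019C00", "V200R011C10"),
                 ("V200R010C00", "V200R009C00"), ("V200R019C00", "V200R020C00")):
        ok, why = as_can_join(*pair)
        print(f"parent {pair[0]} / AS {pair[1]}: {'OK' if ok else 'NO'} ({why})")
```

The point of keeping both checks is visible in the second pair: the general rule passes but the table does not, and it is the table that decides whether the AS actually comes online.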
Table 3-14 Supported parent and AS switch models

Software Version / Supported Parent Switch Models / Supported AS Switch Models

V200R007C00
● Parent: S7703, S7706, S7712; S9703, S9706, S9712
● AS: S2750-EI, S5700-LI, S5700S-LI, S5720-EI

V200R008C00
● Parent: S7703, S7706, S7712; S9703, S9706, S9712
● AS: S2750-EI, S5700-LI, S5700S-LI, S5710-X-LI, S5720-SI, S5720S-SI, S5720-EI

V200R009C00
● Parent: S7703, S7706, S7712; S9703, S9706, S9712
● AS: S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5710-X-LI, S5720-SI, S5720S-SI, S5720-EI, S6720-EI, S6720S-EI

V200R010C00
● Parent: S7703, S7706, S7712; S9703, S9706, S9712
● AS: S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5710-X-LI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720-EI, S6720-EI, S6720S-EI; S600-E

V200R011C10
● Parent: S7703, S7706, S7712; S9703, S9706, S9712
● AS: S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5710-X-LI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720-EI, S5730-SI, S5730S-EI, S6720-EI, S6720S-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI; S600-E

V200R012C00
● Parent: S7703, S7706, S7712; S9703, S9706, S9712
● AS: S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5710-X-LI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5730-SI, S5730S-EI, S5730-HI, S6720-EI, S6720S-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI; S600-E

V200R013C00
● Parent: S7703, S7703 PoE, S7706, S7706 PoE, S7712; S9703, S9706, S9712
● AS: S2720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5730-SI, S5730S-EI, S5730-HI, S6720-EI, S6720S-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI; S600-E

V200R019C00
● Parent: S7703, S7703 PoE, S7706, S7706 PoE, S7712
● AS: S2720-EI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720-SI, S5735-S, S5735S-S, S5720S-SI, S5720I-SI, S5720-EI, S5730-SI, S5730S-EI, S5730-HI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6730-H, S6730-S, S6730S-S, S6720-EI, S6720S-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI; S600-E

V200R019C10
● Parent: S7703, S7703 PoE, S7706, S7706 PoE, S7712
● AS: S2720-EI, S5720-LI, S5735-L, S5735S-L, S5735S-L-M, S5720S-LI, S5720-SI, S5735-S, S5735S-S, S5735-S-I, S5720S-SI, S5720I-SI, S5720-EI, S5730-SI, S5730S-EI, S5730-HI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S6730-H, S6730S-H, S6730-S, S6730S-S, S6720-EI, S6720S-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI; S600-E

V200R020C00
● Parent: S7703, S7703 PoE, S7706, S7706 PoE, S7712
● AS: S2720-EI, S5720-LI, S5720S-LI, S5720I-SI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S6720S-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, S6730S-S; S600-E

V200R020C10
● Parent: S7703, S7703 PoE, S7706, S7706 PoE, S7712
● AS: S2720-EI, S5720-LI, S5720S-LI, S5720I-SI, S5731-H, S5731S-H, S5731-S, S5731S-S, S5732-H, S5735-L, S5735-L1, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S5735S-S, S5735-S-I, S5735S-H, S5736-S, S6720S-S, S6720-EI, S6720S-EI, S6730-H, S6730S-H, S6730-S, S6730S-S; S600-E

3.4.3.1.2 Application Scenarios for SVF

Based on SVF technical characteristics, the parent must be connected to ASs and
APs across a Layer 2 network and ASs must be deployed at the access layer of a
campus network and directly connected to users. ASs cannot be used as
aggregation devices. In versions earlier than V200R011C10, user-side ports of ASs
cannot be added to an Eth-Trunk. In V200R011C10 or later versions, user-side
ports of ASs can be added to an Eth-Trunk. Due to these limitations, SVF applies to
the following scenarios. If your network does not meet the following SVF
networking requirements, SVF cannot be deployed on your network. You are
advised to log in to each device to configure services.

Scenario 1: Wired Campus Network Access

In a wired campus network access scenario, all user terminals access a campus
network through wired links. In such a scenario, user terminals are directly
connected to ASs, and the parent functions as the access gateway of users. SVF
supports two types of networking, depending on whether the parent and ASs are
directly connected or connected across an intermediate network:
● Networking in which the parent and ASs are directly connected, as shown in
Figure 3-55
a. The parent can be a standalone device, a cluster switch system (CSS) of
two modular devices, or a stack of multiple member devices.
b. At most two levels of ASs are supported in an SVF system. Each AS can
be a standalone device or a stack of multiple member devices. In
V200R008C00 and earlier versions, each AS can be a stack of up to three
member devices that are the same model and provide the same number
of ports. From V200R009C00, each AS can be a stack of up to five
member devices that are the same model and provide the same number
or different numbers of ports.
c. User terminals can access the network through level-1 or level-2 ASs. The
parent functions as the access gateway of users.
If a new campus network is built with unconfigured devices, this networking
is recommended.

Figure 3-55 Networking in which the parent and ASs are directly connected
on a wired campus network

● Networking in which the parent and ASs are connected across an
intermediate network, as shown in Figure 3-56
a. The parent can be a standalone device, a cluster switch system (CSS) of
two modular devices, or a stack of multiple member devices.
b. An SVF system supports at most one level of ASs. Each AS can be a
standalone device or a stack of multiple member devices. In
V200R008C00 and earlier versions, each AS can be a stack of up to three
member devices that are the same model and provide the same number
of ports. From V200R009C00, each AS can be a stack of up to five
member devices that are the same model and provide the same number
or different numbers of ports.
c. User terminals can access the network through ASs. The parent functions
as the access gateway of users.
If a campus network is reconstructed and devices of different vendors are
deployed on the campus network, this networking is recommended.


Figure 3-56 Networking in which the parent and ASs are connected across an
intermediate network on a wired campus network

Scenario 2: Wired and Wireless Converged Campus Network Access


On a wired and wireless converged campus network, some user terminals access
the network over wired links, while others access the network wirelessly. In this
scenario, the parent functions as the access gateway of users. SVF supports two
types of networking, depending on whether the parent and ASs&APs are connected
across an intermediate network:
● Networking in which the parent and ASs&APs are directly connected, as
shown in Figure 3-57
a. The parent can be a standalone device, a cluster switch system (CSS) of
two modular devices, or a stack of multiple member devices.
b. An SVF system supports at most two levels of ASs (level-1 and level-2
ASs). Each AS can be a standalone device or a stack of multiple member
devices. In V200R008C00 and earlier versions, each AS can be a stack of
up to three member devices that are the same model and provide the
same number of ports. From V200R009C00, each AS can be a stack of up
to five member devices that are the same model and provide the same
number or different numbers of ports.
c. APs can be connected to level-1 or level-2 ASs.
d. Wired user terminals access the network through level-1 or level-2 ASs.
Wireless user terminals access the network through APs. The parent
functions as the access gateway of users.
If a new campus network is built with unconfigured devices, this networking
is recommended.


Figure 3-57 Networking in which the parent and ASs&APs are directly
connected on a wired and wireless converged campus network

● Networking in which the parent and ASs&APs are connected across an
intermediate network, as shown in Figure 3-58
a. The parent can be a standalone device, a cluster switch system (CSS) of
two modular devices, or a stack of multiple member devices.
b. An SVF system supports at most one level of ASs. Each AS can be a
standalone device or a stack of multiple member devices. In
V200R008C00 and earlier versions, each AS can be a stack of up to three
member devices that are the same model and provide the same number
of ports. From V200R009C00, each AS can be a stack of up to five
member devices that are the same model and provide the same number
or different numbers of ports.
c. APs are connected to ASs.
d. Wired user terminals access the network through ASs. Wireless user
terminals access the network through APs. The parent functions as the
access gateway of users.
If a campus network is reconstructed and devices of different vendors are
deployed on the campus network, this networking is recommended.


Figure 3-58 Networking in which the parent and ASs&APs are connected
across an intermediate network on a wired and wireless converged campus
network

Scenario 3: Campus Network of Multiple SVF Systems


On a campus network with more than 200 access devices, you can set up multiple
SVF systems to simplify campus network management, as shown in Figure 3-59.

Figure 3-59 Campus network of multiple SVF systems


3.4.3.1.3 SVF Service Deployment Limitations


SVF supports two service configuration modes: centralized mode and independent
mode.
● In centralized mode, all service configurations of ASs are performed on the
parent. Therefore, the services that can be configured on ASs depend on the
services that can be configured on the parent, not on the services supported
by a standalone access switch. The AS-supported services cover the needs of
most access switches.
In centralized mode, you can deliver service configurations to multiple ASs
using profiles or global batch configuration, or configure a single AS
directly.
● In independent mode, available since V200R010, you need to log in to an AS
and configure it using commands.
The independent mode supports more service configurations than the
centralized mode. When services cannot be batch configured on the parent
for an AS, log in to the AS to configure it separately. After the AS
changes from centralized mode to independent mode, the configuration file
generated using profiles or configured directly before the mode switchover
is retained.
The following describes the configurable functions in different service
configuration modes.


Centralized Mode (Batch Configuration: Functions Globally Delivered)


Function: Configure the SVF forwarding mode.
Description: An SVF system supports two forwarding modes: centralized
forwarding and distributed forwarding.
● In centralized forwarding mode, traffic forwarded by the local AS and
forwarded between ASs is sent to the parent for forwarding.
● In distributed forwarding mode, an AS directly forwards local traffic and
the parent forwards traffic between ASs.
NOTE
● In centralized forwarding mode, ports of the ASs connected to the same
fabric port of the parent are isolated and so cannot communicate at Layer 2,
and need to have proxy ARP in the corresponding VLAN configured using the
arp-proxy inner-sub-vlan-proxy enable command to communicate at Layer 3.
● In centralized forwarding mode, after an AS goes offline, traffic of its
attached network cannot be forwarded by the parent and will be interrupted.
● In distributed forwarding mode, after an AS goes offline, in versions
earlier than V200R012C00, downlink ports of the AS are automatically shut
down. As a result, traffic of the AS attached network will be interrupted. In
V200R012C00 and later versions, downlink ports of the AS will not be shut
down, and traffic of the AS attached network will be forwarded as usual.
By default, the forwarding mode of an SVF system is distributed forwarding.

Function: Configure the URL encoding function for an AS (This function is
supported in V200R009 and later versions).
Description: To improve web application security, data from untrustworthy
sources must be encoded before being sent to clients. URL encoding is most
commonly used in web applications. After URL encoding is enabled for ASs,
special characters in redirect URLs are converted to secure formats,
preventing clients from mistaking them for syntax signs or instructions and
unexpectedly modifying the original syntax. In this way, cross-site scripting
attacks and injection attacks are prevented. By default, URL encoding is
enabled in ASs. This function can be disabled using the portal url-encode
disable command.

Function: Configure authentication-free rules.
Description: In addition to the configurations in service profiles, the
parent delivers the configured Portal authentication-free rules to ASs.
Authentication-free rules 0 to 127 can be delivered to ASs of the S5720-EI
model; authentication-free rules 0 to 31 can be delivered to ASs of other
models; authentication-free rules outside the two ranges will not be
delivered to ASs.

Function: Enable IGMP snooping for a service VLAN on an AS (This function is
supported in V200R010 and later versions).
Description: By default, IGMP snooping is disabled for service VLANs on an AS.

Function: Enable the function of retaining the authentication configuration
after an AS goes offline. (This function is supported in V200R019 and later
versions.)
Description: By default, the authentication configuration is cleared after
an AS goes offline.

Centralized Mode (Batch Configuration: Functions Delivered Using Profiles)


Function: Device management
● Administrator: User name and password of the local administrator
● Traffic policing: Rate limit for outgoing ARP and DHCP packets on an uplink
fabric port
● BPDU protection: BPDU protection on ASs (supported only in V200R013C00 and
later versions)

Function: Basic network service
● VLAN management: Addition and removal of ports to or from a VLAN;
configuration of the port that connects an AS to an AP; voice VLAN based on
LLDP or CDP negotiation

Function: Enhanced network service
● Basic QoS: Trust 802.1p (This function is not supported in V200R011C10 and
later versions)
NOTE
In V200R011C10 and later versions, the priority-trust enable command cannot
be executed in the network enhanced profile view to configure the priority
trust function.
  ● In V200R011C10 and V200R012: When the S2720-EI, S2750-EI, S5700-LI,
  S5700S-LI, S5710-X-LI, S5720-LI, S5720S-LI, S5720-SI, S5720I-SI, or
  S5720S-SI switches go online as ASs, the parent delivers the default trust
  8021p configuration. When other switches go online as ASs, by default, they
  use the default trust 8021p configuration. Therefore, the parent does not
  need to deliver the configuration.
  ● In versions later than V200R012: When the switches go online as ASs, by
  default, they use the default trust 8021p configuration. Therefore, the
  parent does not need to deliver the configuration.
● Traffic suppression: Broadcast, multicast, and unknown unicast traffic
suppression on a port
● Rate limiting: Port rate limiting
● STP: STP edge port
● Port security (supported only in V200R019C00 and later versions): Port
security, aging time of secure dynamic MAC addresses, and sticky MAC
● Access security: DHCP snooping, IPSG, and DAI
● MAC management (supported only in V200R013C00 and later versions): Action
taken on an interface in case of MAC address flapping; alarm function for
MAC address learning and aging

Function: Access service
● Access authentication: 802.1X authentication, MAC address authentication,
and Portal authentication; access control over IPv6 users and single-stack
authentication (supported in V200R019 and later versions)
● Access control: MAC address limiting; maximum number of access users on an
AS port (This function is supported in V200R010 and later versions)
● Traffic policing: Rate limit for incoming ARP and DHCP packets on an AS port

Function: QoS service (supported only in V200R013C00 and later versions)
● Priority mapping: To configure priority mapping based on DSCP priorities,
run the trust dscp command.
● Queue scheduling mode: To configure a queue scheduling mode, run the
qos { pq | wrr | drr } command.
● Queue scheduling weight: To configure a queue scheduling weight, run the
qos queue command.

Function: Traffic policy services (supported only in V200R019C00 and later
versions)
● Packet re-marking: To configure the packet re-marking rule and information,
run the policy command.

Centralized Mode (Single Configuration: Functions Delivered Using the
direct-command Command)
NOTE
The interface view cannot be the Eth-Trunk interface view.
In versions earlier than V200R019C00, a maximum of 4096 commands can be
configured. In V200R019C00 and later versions, a maximum of 8192 commands can
be configured.

Service category: Energy-saving management

Format: port-auto-sleep enable
View: Interface view
Function: Enables the port sleeping function on an electrical interface.
Configuration dependency and restriction: This command can be used on
electrical interfaces and combo interfaces working as electrical interfaces.

Service category: PoE

Format: poe force-power
View: Interface view
Function: Enables forcible PoE power supply on an interface.
Configuration dependency and restriction: -

Format: poe legacy enable
View: Interface view
Function: Enables an interface to check compatibility of PDs.
Configuration dependency and restriction: -

Format: poe priority { critical | high | low }
View: Interface view
Function: Sets the power supply priority of a PoE interface.
Configuration dependency and restriction: -

Format: poe af-inrush enable slot slot-id
View: System view
Function: Configures the IEEE 802.3at-compliant device to provide power in
accordance with IEEE 802.3af.
Configuration dependency and restriction: -

Format: poe high-inrush enable slot slot-id
View: System view
Function: Configures a device to allow high inrush current during power-on.
Configuration dependency and restriction: -

Format: undo poe enable (supported in V200R011C10 and later versions)
View: Interface view
Function: Disables the PoE function on an interface.
Configuration dependency and restriction: -

Service category: Ethernet interfaces

Format: undo negotiation auto
View: Interface view
Function: Configures an interface to work in non-auto negotiation mode. After
you run the undo direct-command command, the interface works in auto
negotiation mode.
Configuration dependency and restriction:
● This command cannot be configured on combo interfaces.
● Do not cancel the undo negotiation auto command when speed or duplex is
specified.

Format: speed { 10 | 100 | 1000 | 2500 | 5000 | 10000 }
View: Interface view
Function: Sets the rate in non-auto negotiation mode.
Configuration dependency and restriction:
● This command cannot be configured on combo interfaces.
● Ensure that the interface works in non-auto negotiation mode before
configuring this command.

Format: speed auto-negotiation
View: Interface view
Function: Enables auto-negotiation on a GE optical interface.
Configuration dependency and restriction:
● Support for this command varies depending on switch models. For details,
see the speed auto-negotiation command in the Command Reference - Interface
Management Commands - Ethernet Interface Configuration Commands.
● Ensure that the interface works in auto-negotiation mode before configuring
this command.

Format: duplex { full | half }
View: Interface view
Function: Sets the duplex mode for an electrical interface in non-auto
negotiation mode.
Configuration dependency and restriction:
● This command cannot be configured on combo interfaces.
● Ensure that the interface works in non-auto negotiation mode before
configuring this command.
● When the working rate of a GE electrical interface is 1000 Mbit/s, the
interface supports only the full duplex mode.

Format: loopback internal
View: Interface view
Function: Configures a loopback detection mode on an interface.
Configuration dependency and restriction: -

Format: description description (supported in V200R011C10 and later versions)
View: Interface view
Function: Configures the description for an interface.
Configuration dependency and restriction: The description contains a maximum
of 52 characters in V200R011C10, and a maximum of 116 characters in
V200R012C00 and later versions.

Service category: Eth-Trunk interface

Format: description description (supported in V200R019C00 and later versions)
View: Eth-Trunk interface view
Function: Configures the description for an Eth-Trunk interface.
Configuration dependency and restriction: The description contains a maximum
of 116 characters. The description can be configured for a service Eth-Trunk
interface or an Eth-Trunk interface used in an SVF system to connect upstream
and downstream devices. The description cannot be configured for Eth-Trunk0.

Service category: Port bridge

Format: port bridge enable
View: Interface view
Function: Enables the bridging function on an interface.
Configuration dependency and restriction: -

Service category: Port security (supported in V200R019C00 and later versions)

Format: port-security max-mac-num max-number
View: Interface view
Function: Sets the maximum number of secure MAC addresses that can be learned
on an interface.
Configuration dependency and restriction:
● The port-security max-mac-num max-number command in direct configuration
mode is mutually exclusive with the mac-limit maximum max-num command
configured in a user access profile; the two cannot both be configured.
● Port security (and sticky MAC if needed) must be enabled in a network
enhanced profile, and then the direct-command command is run to deliver this
command.

Format: port-security mac-address sticky mac-address vlan vlan-id
View: Interface view
Function: Configures a sticky MAC address entry.
Configuration dependency and restriction: Port security and sticky MAC must be
enabled in a network enhanced profile, and then the direct-command command is
run to deliver this command.

Format: save sticky-mac configuration
View: System view
Function: Saves the sticky MAC addresses on an AS to a file named
unimng-xxxx.ztbl. xxxx in the file name represents the management MAC address
of the AS.
Configuration dependency and restriction: -

Service category: Voice VLAN

Format: voice-vlan mac-address mac-address mask mask (supported in V200R011C10
and later versions)
View: System view
Function: Configures the OUI address of the voice VLAN.
Configuration dependency and restriction: -

Service category: LBDT

Format: loopback-detect enable
View: Interface view
Function: Enables loopback detection on an interface.
Configuration dependency and restriction: -

Format: loopback-detect packet vlan vlan-id
View: Interface view
Function: Enables loopback detection for a specified VLAN.
Configuration dependency and restriction: If you configure this command
multiple times, loopback detection is enabled for multiple VLANs.

Service category: ARP rate limiting

Format: arp speed-limit source-mac maximum maximum
View: System view
Function: Configures ARP rate limiting based on source MAC addresses.
Configuration dependency and restriction:
● Only some models support this command. For details, see the arp speed-limit
source-mac command in the Command Reference - Security Commands - ARP
Security Configuration Commands.
● The value of maximum ranges from 0 to 256.
● This function takes effect only for the ARP packets sent to the CPU.

Format: arp speed-limit source-ip maximum maximum
View: System view
Function: Configures ARP rate limiting based on source IP addresses.
Configuration dependency and restriction:
● The value of maximum ranges from 0 to 256.
● This function takes effect only for the ARP packets sent to the CPU.

Service category: Stack

Format: port interface { interface-type interface-number1 [ to interface-type
interface-number2 ] } enable (supported in V200R010 and later versions)
View: Stack interface view: stack-port member-id/port-id
Function: Configures a service interface as a stack member port and adds it
to a stack port.
Configuration dependency and restriction: Before restoring the stack member
ports that are added to a stack port in direct configuration mode as common
service interfaces, you do not need to run the shutdown interface command in
the stack interface view.

Format: stack slot slot-id priority priority (supported in V200R010 and later
versions)
View: System view
Function: Sets a stack priority for a member switch in a stack.
Configuration dependency and restriction: -

Format: stack slot slot-id renumber new-slot-id (supported in V200R011C10 and
later versions)
View: System view
Function: Changes the stack ID of a specified member switch in a stack.
NOTICE
If there are services running, delivering this command may cause service
interruptions and configuration loss. Therefore, you are advised to deliver
this command when an AS is unconfigured.
Configuration dependency and restriction: A stack ID cannot be changed in the
following situations:
● The switch is a standalone switch that does not join any stack.
● The newly configured stack ID is an existing stack ID of a specified member
switch in a stack.
● Ports with the specified slot-id have been configured as member ports of an
uplink fabric port.
● Ports with the specified slot-id have been configured as member ports of a
downlink fabric port.

Service category: User Access and Authentication (supported in V200R012C00 and
later versions)

Format: access-user arp-detect vlan vlan-id ip-address ip-address mac-address
mac-address
View: System view
Function: Sets the source IP address and source MAC address of offline
detection packets in a VLAN.
Configuration dependency and restriction:
● In V200R012C00, this command can be configured only once. If you want to
modify the configuration, delete the existing configuration and then perform
the configuration again.
● In V200R013C00, when vlan, ip-address, and mac-address are all different,
multiple configurations of this command can be generated. If any one of vlan,
ip-address, and mac-address has been configured, delete the existing
configuration before reconfiguring them.
● In V200R019 and later versions, multiple configurations of this command can
be generated regardless of whether the VLAN, IP address, and MAC address are
the same. You do not need to delete the existing configuration. If the newly
configured VLAN is the same as the existing one, the IP address and MAC
address in the original configuration are replaced with the newly configured
IP address and MAC address. If the newly configured VLAN is different from
the existing one, a new configuration is generated.

Format: access-user arp-detect default ip-address ip-address
View: System view
Function: Sets the default source IP address of offline detection packets.
Configuration dependency and restriction: -

Format: undo user-detect
View: System view
Function: Disables the online user detection function.
Configuration dependency and restriction: -

Format: authentication speed-limit max-num max-num-value interval
interval-value (supported in V200R013C00 and later versions)
View: System view
Function: Configures the rate limit for an access device to send user
association and disassociation request messages.
Configuration dependency and restriction: -

Format: access-user arp-detect fallback ip-address mask-length (supported in
V200R013C00 and later versions)
View: System view
Function: Configures an IP address required for calculating the source
address of offline detection packets.
Configuration dependency and restriction: If you run this command multiple
times, only the latest configuration takes effect.

Format: access-user arp-detect delay delay (supported in V200R013C00 and later
versions)
View: System view
Function: Configures the delay for sending offline detection packets.
Configuration dependency and restriction: -

Format: static-user start-ip-address [ end-ip-address ] [ mac-address
mac-address | vlan vlan-id ] (supported in V200R019C00 and later versions)
View: System view
Function: Configures a static user.
Configuration dependency and restriction: If the IP address of a static user
is set to an IP address range, any IP address in this address range cannot be
modified or deleted.
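The dependency and restriction rules in the direct-command table above are easy to get wrong when a delivery is prepared by hand, so the following Python linter, an added example that is not Huawei code, applies them to a planned set of direct commands before delivery. The Plan class, check_plan function, profile flags and sample commands are constructed for this example; the limits and rules themselves (command count, description length, ARP maximum range, negotiation-mode prerequisites, combo-interface and Eth-Trunk restrictions, and the port-security profile prerequisites) come from the NOTE and table above.

```python
"""Pre-delivery linter for SVF direct-command plans (constructed example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Limits stated in the NOTE and the direct-command table.
ARP_LIMIT_RANGE = (0, 256)                      # arp speed-limit ... maximum
DESC_LIMIT_R011C10, DESC_LIMIT_LATER = 52, 116  # interface description length
CMD_LIMIT_BEFORE_R019, CMD_LIMIT_FROM_R019 = 4096, 8192


def version_key(version):
    """Map 'V200R012C00' to (200, 12, 0) so that versions compare numerically."""
    m = re.fullmatch(r"V(\d+)R(\d+)(?:C(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version}")
    return tuple(int(g) if g else 0 for g in m.groups())


@dataclass
class Plan:
    """Hypothetical record of what is about to be delivered to one AS."""
    version: str                 # software version running on the AS
    commands: list               # (view, command) pairs in delivery order
    combo_interfaces: set = field(default_factory=set)
    profile_port_security: bool = False  # port security on in network enhanced profile
    profile_sticky_mac: bool = False     # sticky MAC on in network enhanced profile
    profile_mac_limit: bool = False      # mac-limit maximum set in a user access profile


def check_plan(plan):
    """Return the list of rule violations; an empty list means the plan is clean."""
    findings = []
    ver = version_key(plan.version)
    cmd_limit = CMD_LIMIT_FROM_R019 if ver >= version_key("V200R019C00") else CMD_LIMIT_BEFORE_R019
    if len(plan.commands) > cmd_limit:
        findings.append(f"{len(plan.commands)} commands exceed the limit of {cmd_limit} for {plan.version}")
    desc_limit = DESC_LIMIT_R011C10 if ver < version_key("V200R012C00") else DESC_LIMIT_LATER
    non_auto = defaultdict(bool)  # interface -> 'undo negotiation auto' already delivered
    speed, duplex = {}, {}        # interface -> configured rate / duplex mode

    for view, cmd in plan.commands:
        where = f"{view}: '{cmd}'"
        words = cmd.split()
        if view.startswith("Eth-Trunk"):
            # Only the Eth-Trunk description is delivered in this view, from V200R019C00 on.
            if words[0] != "description" or ver < version_key("V200R019C00"):
                findings.append(f"{where}: the interface view cannot be the Eth-Trunk interface view")
            elif view == "Eth-Trunk0":
                findings.append(f"{where}: the description cannot be configured for Eth-Trunk0")
            continue
        if cmd == "undo negotiation auto":
            if view in plan.combo_interfaces:
                findings.append(f"{where}: cannot be configured on a combo interface")
            non_auto[view] = True
        elif cmd == "speed auto-negotiation":
            if non_auto[view]:
                findings.append(f"{where}: the interface must work in auto-negotiation mode")
        elif words[0] in ("speed", "duplex"):
            if view in plan.combo_interfaces:
                findings.append(f"{where}: cannot be configured on a combo interface")
            if not non_auto[view]:
                findings.append(f"{where}: deliver 'undo negotiation auto' to this interface first")
            (speed if words[0] == "speed" else duplex)[view] = words[1]
            if speed.get(view) == "1000" and duplex.get(view) == "half":
                findings.append(f"{where}: a GE electrical interface at 1000 Mbit/s supports only the full duplex mode")
        elif words[:2] == ["arp", "speed-limit"]:
            lo, hi = ARP_LIMIT_RANGE
            if not lo <= int(words[-1]) <= hi:
                findings.append(f"{where}: maximum must be in the range {lo} to {hi}")
        elif words[0] == "description":
            if len(cmd) - len("description ") > desc_limit:
                findings.append(f"{where}: description exceeds {desc_limit} characters in {plan.version}")
        elif words[0] == "port-security":
            if not plan.profile_port_security:
                findings.append(f"{where}: enable port security in a network enhanced profile first")
            if words[1] == "max-mac-num" and plan.profile_mac_limit:
                findings.append(f"{where}: mutually exclusive with 'mac-limit maximum' in a user access profile")
            if words[1] == "mac-address" and not plan.profile_sticky_mac:
                findings.append(f"{where}: enable sticky MAC in a network enhanced profile first")
    return findings


# Constructed sample plan with several deliberate violations.
SAMPLE = Plan(
    version="V200R011C10",
    combo_interfaces={"GigabitEthernet0/0/24"},
    profile_port_security=True, profile_sticky_mac=False, profile_mac_limit=True,
    commands=[
        ("GigabitEthernet0/0/1", "undo negotiation auto"),
        ("GigabitEthernet0/0/1", "speed 1000"),
        ("GigabitEthernet0/0/1", "duplex half"),                  # 1000 Mbit/s needs full duplex
        ("GigabitEthernet0/0/2", "speed 100"),                    # interface still auto-negotiating
        ("GigabitEthernet0/0/24", "undo negotiation auto"),       # combo interface
        ("system", "arp speed-limit source-mac maximum 300"),     # above 256
        ("GigabitEthernet0/0/3", "description " + "x" * 60),     # above 52 in V200R011C10
        ("GigabitEthernet0/0/3", "port-security max-mac-num 5"),  # conflicts with mac-limit maximum
        ("GigabitEthernet0/0/3", "port-security mac-address sticky 0001-0002-0003 vlan 10"),  # sticky MAC off
        ("Eth-Trunk1", "description uplink"),                     # not allowed before V200R019C00
    ],
)

if __name__ == "__main__":
    for finding in check_plan(SAMPLE):
        print(finding)
```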

Centralized Mode (Configurable Commands After Logins to ASs Using the
attach-as Command or Console Port)
Commands that can be configured after you log in to an AS in centralized
configuration mode are mainly used for fault diagnosis.
● In the user view and diagnostic view, all commands are supported except the
commands listed in Table 3-15. Additionally, in V200R009 and earlier
versions, the diagnostic view can be displayed only after the
diagnose-command command is executed in the user view.

Table 3-15 Commands not supported in the user view and diagnostic view of
ASs

Commands not supported in the user view:
● configuration copy file file-name to running
● configuration copy startup to file file-name
● configuration exclusive
● format drive
● lldp clear neighbor [ interface interface-type interface-number ]
● local-user change-password
● lock
● startup patch patch-name [ slave-board | slot slot-id ]
● startup saved-configuration configuration-file [ slot slot-id ]
● startup system-software system-file [ all | slave-board | slot slot-id ]
● save [ all ] [ configuration-file ]
● save logfile [ all ]
● reboot [ fast | save diagnostic-information ]
● schedule reboot { at time | delay interval [ force ] }
● rollback

Commands not supported in the diagnostic view:
● cli enable-config
● configuration datasync start script-file script-file { result-file
result-file }
● test-device port loopback slot { slot-id | interface { interface-type
interface-number1 [ to interface-type interface-number2 ] } &<1-10> }
● stack enable
● undo stack enable
● undo startup system-software

● Commands that are supported in other views are used for service diagnosis
and fault location. In V200R009 and earlier versions, the uni-mng diag-mode
enable command must be executed first to enable the diagnostic mode.

Table 3-16 Commands supported in other views

Command: port-mirroring / undo port-mirroring
Function: Binds a mirrored port to an observing port.
Configuration guidelines: You are not advised to perform service
configurations on Eth-Trunk member ports of an AS that are bound to a fabric
port, as doing so may cause a failure of SVF system setup.

Command: traffic-mirror / undo traffic-mirror
Function: Configures the traffic mirroring function.
Configuration guidelines: You are not advised to perform service
configurations on Eth-Trunk member ports of an AS that are bound to a fabric
port, as doing so may cause a failure of SVF system setup.

Command: observe-port / undo observe-port
Function: Configures an observing port.
Configuration guidelines: Generally, an observing port is dedicated to
monitoring forwarding of mirrored traffic. Therefore, configuring an AS port
with service configurations as an observing port is not recommended. If a
port has been configured as an observing port, do not deliver service
configurations to this port through service profiles or the direct-command
command.
You are not advised to perform service configurations on Eth-Trunk member
ports of an AS that are bound to a fabric port, as doing so may cause a
failure of SVF system setup.

Command: traffic-statistic / undo traffic-statistic
Function: Enables the traffic statistics collection function.
Configuration guidelines: If you delete the traffic-statistic command that is
delivered by the parent to an AS, you will fail to obtain traffic statistics
about the AS on the parent.
You are not advised to perform service configurations on Eth-Trunk member
ports of an AS that are bound to a fabric port, as doing so may cause a
failure of SVF system setup.

Command: capture-packet
Function: Configures the packet header obtaining function.
Configuration guidelines: In an SVF system, an Eth-Trunk bound to a fabric
port cannot capture service packets.

Command:
acl 2000-2999 / undo acl 2000-2999
● Versions earlier than V200R019: acl 3000-3998 / undo acl 3000-3998
● V200R019 and later versions: acl 3901-3998 / undo acl 3901-3998
acl 4000-4997 / undo acl 4000-4997
Function: Creates or deletes an ACL rule.
Configuration guidelines: If the number of traffic policies on an AS reaches
the upper limit, the parent fails to deliver the IPSG or DAI configurations.
Run the display uni-mng commit-result profile command on the parent to check
the configuration delivery result. If the command output shows that the
configuration delivery fails, run the display uni-mng execute-failed-record
profile as name as-name command to check execution failure records after the
configuration is delivered to an AS. The command output provides detailed
information about the delivery failure. You can log in to the AS to check
whether the ACL resources are used up.

Command: rule / undo rule
Function: Creates an ACL rule.
Configuration guidelines: -

Command: interface Eth-Trunk / undo interface Eth-Trunk
Function: Creates or deletes an Eth-Trunk interface or displays the Eth-Trunk
interface view.
Configuration guidelines: In V200R011C10 and later versions, you can only
enter the Eth-Trunk interface view and cannot create or delete Eth-Trunk
interfaces.
Do not delete Eth-Trunk0 or Eth-Trunk interfaces that are bound to the
downlink fabric port from an AS.

Command: interface interface-type interface-number
Function: Displays the physical service interface view.
Configuration guidelines: -

Command: display
Function: Displays the device status or configurations.
Configuration guidelines: -

Command: quit
Function: Returns to the upper-level view.
Configuration guidelines: -

Command: return
Function: Returns to the user view.
Configuration guidelines: -

Command: interface stack-port
Function: Displays the stack port view.
Configuration guidelines: -

Command: shutdown interface / undo shutdown interface
Function: Shuts down/restores a stack member port.
Configuration guidelines: This command is configured in the stack port view.

Command: mad restore
Function: Restores all the blocked interfaces of a standby switch that enters
the Recovery state after its stack splits.
Configuration guidelines: -

Command: reset trace instance (supported in V200R010 and later versions)
Function: Clears all the diagnosis instances on a device.
Configuration guidelines: -

Command: save trace information (supported in V200R010 and later versions)
Function: Saves diagnosis information in the buffer area as a file.
Configuration guidelines: -

Command: Commands starting with the trace keyword (supported in V200R010 and
later versions); commands starting with the undo trace keyword (supported in
V200R010 and later versions)
Function: Used for service diagnosis and executed in the system view.
Configuration guidelines: -

Issue 35 (2022-10-26) Copyright © Huawei Technologies Co., Ltd. 1159


S300, S500, S2700, S3700, S5700, S6700, S7700, and
S9700 Series Switches
Typical Configuration Examples 3 Feature Typical Configuration Examples

Command Function Configuration Guidelines

Commands Configures the -


starting with rules for
info-center outputting
source information to
(supported in information
V200R019 and channels in the
later versions) information
center.

Independent Mode (Configurable Commands After Logins to ASs Using the attach-as Command or Console Port)

The independent mode has been supported since V200R010. In independent mode, the commands listed in the following table can be configured on ASs. When configuring these commands, pay attention to the following points:

● These commands vary depending on the AS device type. For details, see the command reference of these devices.
● In independent mode, configuring some commands may cause an AS's failure to go online. To prevent this problem, some commands listed in the following table are not supported. If an unsupported command is executed on an AS, an error message is displayed.

Function: Basic Configuration
● CLI overview commands
● File management commands
● System startup commands

Function: Device Management
● Hardware configuration commands
● Energy-saving configuration commands
● PoE configuration commands
● Stack configuration commands (except the smooth upgrade commands)
● Commands for configuring rules for outputting information to information channels in the information center (supported in V200R019 and later versions)

Function: Interface Management
● Basic interface configuration commands
● Ethernet interface configuration commands
● Logical interface configuration commands

Function: Ethernet Switching
● MAC address table configuration commands
● Link aggregation commands
● VLAN configuration commands
● VLAN aggregation configuration commands
● MUX VLAN configuration commands
● Voice VLAN configuration commands
● QinQ configuration commands
● VLAN mapping configuration commands
● Loopback detection configuration commands
● BPDU protection configuration commands (supported in V200R012C00 and later versions)
● Layer 2 protocol tunneling commands

Function: IP Service
● IPv4 configuration commands
● ARP configuration commands
● DHCP policy VLAN configuration commands

Function: Reliability
● DLDP configuration commands
● MAC swap loopback configuration commands

Function: User Access and Authentication
● AAA configuration commands
● NAC configuration commands (unified mode)
● Policy association configuration commands

Function: Security
● ACL configuration commands
● Local attack defense configuration commands
● Attack defense configuration commands
● MFF configuration commands
● Traffic suppression and storm control configuration commands
● ARP security configuration commands
● Port security configuration commands
● DHCP snooping configuration commands
● ND snooping configuration commands
● PPPoE+ configuration commands
● IP source guard configuration commands
● SAVI configuration commands
● MPAC configuration commands

Function: QoS
● MQC configuration commands
● Priority mapping commands
● Traffic policing, traffic shaping, and interface-based rate limiting commands
● Congestion avoidance and congestion management commands
● Filtering configuration commands
● Redirection configuration commands
● Statistics configuration commands
● ACL-based simplified traffic policy commands

Function: Network Management and Monitoring
● display and snmp-agent trap enable feature-name commands in SNMP configuration commands
● LLDP configuration commands
● Service diagnosis configuration commands
● Mirroring configuration commands
● Packet obtaining configuration command
● Ping and tracert configuration commands

3.4.3.2 SVF System Planning

3.4.3.2.1 Planning SVF System Networking


An SVF system supports at most two levels of ASs and one level of APs. Before
setting up an SVF system, determine the SVF application scenario and select the
required networking based on deployment restrictions, reliability, and system CPU
consumption.

Determining Campus Network Scenarios


When determining campus network scenarios, consider factors such as the
terminal quantity, terminal type, whether to reuse existing devices, and CPU/
memory capabilities of the parent.
1. Calculate the number of required ASs based on the number of wired
terminals.
2. Calculate the number of required APs based on the number of wireless
terminals.


3. Determine whether to reuse existing devices. These devices can be reused to


transparently transmit packets between the parent and ASs. It is not
recommended to connect users to these existing devices, as doing so may
cause a failure to set up an SVF system.
4. An SVF system is configured and maintained on the parent. If more ASs&APs
are deployed, more terminals can connect to the campus network, requiring
more CPU and memory resources of the parent. Table 3-17 lists the
recommended maximum numbers of ASs&APs and access terminals in an SVF
system depending on CPU and memory capabilities of the parent. If the
number of access terminals exceeds the recommended value, you are advised
to divide the campus network into multiple SVF systems according to
Scenario 3: Campus Network of Multiple SVF Systems.

Table 3-17 Recommended maximum numbers of ASs&APs and access terminals

Model of the Parent | Recommended Maximum Number of ASs | Recommended Maximum Number of APs
S9712, S9706 | 48 | 800
S7703 and S7703 PoE with MCUD; S7706, S7706 PoE, and S7712 with SRUE, SRUED, SRUE1, SRUH1, SRUHA1, SRUHX1, SRUHD, or SRUH | 256 | 1000
S7706, S7706 PoE, and S7712 with SRUA or SRUB | 32 | 300
S5720-HI | 32 | 600
S5730-HI, S5731-H, S5731S-H, S5732-H, S6720-HI, S6730-H, S6730S-H | 32 | 600
S7703 and S7703 PoE with MCUA; S9703 | 4 | 0
S6720-EI, S6720S-EI, S6730-S, S6730S-S | 32 | 0

5. Select the required networking scenario. Table 3-18 lists the recommended
scenarios.


Table 3-18 Recommended networking scenarios

Number of Terminals | Terminal Type | Recommended Networking Scenario
The number of terminals does not exceed the recommended value on the parent. | Only wired terminals exist, and no existing devices need to be reused. | Scenario 1: Networking in which the parent and ASs are directly connected on a wired campus network
The number of terminals does not exceed the recommended value on the parent. | Only wired terminals exist, and existing devices need to be reused. | Scenario 1: Networking in which the parent and ASs are connected across an intermediate network on a wired campus network
The number of terminals does not exceed the recommended value on the parent. | Both wired and wireless terminals exist, and no existing devices need to be reused. | Scenario 2: Networking in which the parent and ASs&APs are directly connected on a wired and wireless converged campus network
The number of terminals does not exceed the recommended value on the parent. | Both wired and wireless terminals exist, and existing devices need to be reused. | Scenario 2: Networking in which the parent and ASs&APs are connected across an intermediate network on a wired and wireless converged campus network
The number of terminals exceeds the recommended value on the parent. | Any | During system planning, you are advised to divide the campus network into multiple SVF systems. Scenario 3: Campus Network of Multiple SVF Systems shows the networking scenarios. In each SVF system, ensure that the number of terminals does not exceed the recommended value on the parent, and select the recommended scenario according to the terminal type.
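As an added example (not from the Huawei documentation), the following Python planner works through steps 1 to 5 above for a planned campus: it sizes the access layer from the terminal counts, checks the result against the recommended maximums of Table 3-17, divides the campus into the smallest number of SVF systems that each stay within those maximums (Scenario 3), and picks the networking scenario from Table 3-18. The parent limits are keyed by shortened model names and cover only part of Table 3-17; ports_per_as and clients_per_ap are planning assumptions supplied by the caller, not values from the page.

```python
import math

# Recommended maximum numbers of ASs and APs per parent (Table 3-17).
# Keys are shortened model names chosen for this example; only part of the
# table is listed. A recommended maximum of 0 APs is treated as "wired-only".
PARENT_LIMITS = {
    "S9712": (48, 800),
    "S9706": (48, 800),
    "S7706 with SRUE/SRUH": (256, 1000),
    "S7706 with SRUA/SRUB": (32, 300),
    "S5720-HI": (32, 600),
    "S5730-HI": (32, 600),
    "S9703": (4, 0),
    "S6720-EI": (32, 0),
}


def scenario_for(wireless, reuse_existing):
    """Recommended networking scenario for one SVF system (Table 3-18)."""
    members = "ASs&APs" if wireless else "ASs"
    number = "Scenario 2" if wireless else "Scenario 1"
    link = ("connected across an intermediate network" if reuse_existing
            else "directly connected")
    return f"{number}: parent and {members} {link}"


def plan_svf(parent_model, wired_terminals, wireless_terminals,
             ports_per_as=48, clients_per_ap=30, reuse_existing=False):
    """Size the access layer for one campus and decide whether it has to be
    divided into several SVF systems (Scenario 3).

    ports_per_as and clients_per_ap are planning assumptions of this example,
    not values from the documentation; set them for the AS and AP models you
    intend to deploy.
    """
    max_as, max_ap = PARENT_LIMITS[parent_model]
    # Steps 1 and 2: number of ASs and APs needed for the terminal counts.
    num_as = math.ceil(wired_terminals / ports_per_as)
    num_ap = math.ceil(wireless_terminals / clients_per_ap)
    wireless = num_ap > 0
    if wireless and max_ap == 0:
        raise ValueError(f"{parent_model} is a wired-only parent and cannot manage APs")
    # Step 4: one parent must stay within both recommended maximums. If it
    # cannot, divide the campus into the smallest number of SVF systems that
    # each stay within the limits.
    systems = max(1, math.ceil(num_as / max_as),
                  math.ceil(num_ap / max_ap) if max_ap else 1)
    # Step 5: the networking scenario for each (now correctly sized) system.
    return {
        "ASs": num_as,
        "APs": num_ap,
        "svf_systems": systems,
        "per_system": {"ASs": math.ceil(num_as / systems),
                       "APs": math.ceil(num_ap / systems)},
        "split_required": systems > 1,
        "scenario": scenario_for(wireless, reuse_existing),
    }


if __name__ == "__main__":
    # Constructed sample campus: 4,000 wired desks and 2,000 wireless users
    # behind an S9706 parent. 84 ASs exceed the S9706 maximum of 48, so the
    # planner reports that two SVF systems are needed.
    for key, value in plan_svf("S9706", 4000, 2000).items():
        print(f"{key}: {value}")
```

The split is computed on the recommended maximums, not on hard limits: the page ties these numbers to the CPU and memory of the parent, so a plan that lands exactly on the maximum leaves no headroom for the control-plane load of a later expansion.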


Networking deployment recommendations

Figure 3-60 Ideal SVF networking

Figure 3-60 shows an ideal SVF networking. It has the following characteristics:
1. The parent is a CSS of two member devices.
2. Each Level-1 AS is dual-homed to two member devices of the parent through
uplink ports.
3. When an AS is a stack of multiple member devices, each member device is
connected to its upstream device through at least one link.
4. ASs are connected to upstream devices through uplink optical ports or uplink
combo ports.
5. APs are single-homed to ASs.
This SVF networking has the following advantages:
1. A failure of a single link between two devices affects only the bandwidth but
not services.
2. An AS performs multi-active detection (MAD), and its upstream device
functions as the MAD relay agent. When the AS splits as a stack, it can work
with the upstream device to perform MAD without affecting the system
stability.
Implementing the ideal SVF networking may fail because of restrictions such as
the distance between devices and cabling difficulties. You need to identify these
networking restrictions in advance and take appropriate measures. The following
provides suggestions on SVF deployment in different situations:
1. If the parent is a standalone device:
a. Deploy two MPUs on the parent to ensure reliability.
b. Connect each AS to the parent using at least two links and ensure that
the links are connected to at least two different LPUs of the parent.
2. If a level-1 AS cannot be dual-homed to the parent:
– Use a standalone device as a level-1 AS. If the AS needs to be a stack,
deploy member devices in the same physical location and ensure stack
cable reliability. Otherwise, device conflicts cannot be resolved after the
stack splits, affecting system reliability.
3. If the AS is a stack of multiple member devices and you cannot ensure that
each member device connects to its upstream device through at least one
link:
– Deploy member devices in the same physical location and ensure stack
cable reliability. Otherwise, device conflicts cannot be resolved after the
stack splits, affecting system reliability.
4. If member ports of the fabric port that connects an AS to an upstream device
can only be connected through twisted pairs:
– Use copper modules to convert the optical/electrical attributes of ports
when uplink ports of ASs are GE ports.
– Select ASs that have uplink combo ports, for example, some S2750-EI
models.

Improving System Reliability


1. Improve reliability of the parent using the following methods:
a. Set up a CSS of two member devices for the parent.
b. Deploy MAD to take recovery actions when the CSS splits.
2. Improve reliability of an AS using the following methods:
a. If the parent is a CSS of two member devices, dual-home the level-1 AS
to two member devices of the parent.
b. If the AS is a stack of multiple member devices, ensure that each member
device is connected to its upstream device through at least one link.
c. If the AS is a stack of multiple member devices, set up the stack in ring
topology.
d. If the AS is a stack of multiple member devices, deploy all the member
devices in the same physical location to reduce the risk of a stack split
caused by link failures.

3.4.3.2.2 Planning Member Devices of an SVF System


After determining networking of an SVF system, you need to select member
devices for the SVF system.

Determining the Parent


1. Determine the parent device type.
The parent device type is determined by the campus network scale. For
details, see Determining Campus Network Scenarios.
2. Determine the number of devices for the parent.
a. The parent manages and maintains the entire SVF system. You are
advised to deploy a CSS of two modular switches as the parent to ensure
reliability of the SVF system.
b. S9703, S7703 PoE, and S7703 do not support the CSS function, and
S5720-HI in V200R008C00 and earlier versions does not support the stack
function. If your campus network requires high reliability, these switch
models are not recommended as the parent.


3. Determine the card type on the parent.


a. In a wired and wireless convergence scenario, you need to deploy X series
cards on the parent.
b. If an AS needs to connect to two LPUs of the parent, you are advised to
connect the AS to LPUs of the same type.
c. If the campus network provides only wired access and does not require
access authentication, you do not need to deploy X series cards on the
parent. If access terminals need to be authenticated, you are advised to
deploy X series cards on the parent because X series cards support a large
number of user entries and allow more flexible access control policies.
d. You need to use optical interface cards to connect the parent to ASs
because uplink ports of most AS types are optical ports. If an AS uses a
10GE optical port to connect to a GE port of the parent, the 10GE optical
port must be able to switch to the GE mode through auto sensing.
e. If the parent connects to ASs only through twisted pairs, you are advised
to use ASs with uplink combo ports to connect to the electrical interface
cards of the parent. Otherwise, you need to use copper modules to
ensure the connectivity between ASs and the parent.

Determining ASs
Select level-1 and level-2 ASs according to the following requirements:
1. ASs can connect to the parent only through uplink ports, and uplink ports of
most ASs are optical ports. Therefore, when an SVF system has two levels of
ASs, use ASs with downlink optical ports as level-1 ASs. Otherwise, you need
to use copper modules to ensure the connectivity between level-1 and level-2
ASs.
2. When services in an SVF system are similar, use ASs of the same type so that
faulty ASs can be replaced.
Select ASs according to hardware characteristics and the following table to meet
different networking requirements.

Table 3-19 Recommended AS types in different networking modes

Networking: Two levels of ASs exist, and level-1 ASs are directly connected to the parent
Device Positioning: Level-1 AS
Recommended Device Type: S6720-EI, S6720S-EI, S6720-SI, S6720S-SI, S6730-H, S6730S-H, S5730-HI, S5731-H, S5731S-H, S5732-H, S5720-EI with downlink optical ports

Networking: Two levels of ASs exist, and level-1 ASs are directly connected to the parent
Device Positioning: Level-2 AS
Recommended Device Type: S6730-S, S6730S-S, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S5700-LI with uplink GE optical ports, S5700S-LI, S5730-SI, S5736-S, S5735S-H, S5730S-EI, S5720-LI, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S2750-EI, S2720-EI, S5720-SI, S5735-S, S500, S5735S-S, S5735-S-I, S5720S-SI, S5720I-SI, S5710-X-LI, S5731-S, S5731S-S, S600-E

Networking: ASs are directly connected to the parent
Device Positioning: AS
Recommended Device Type: S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI, S6730-S, S6730S-S, S5720-EI, S5700-LI, S5700S-LI, S6730-H, S6730S-H, S5730-HI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S5730-SI, S5736-S, S5735S-H, S5730S-EI, S5720-LI, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S2750-EI, S2720-EI, S5720-SI, S5735-S, S500, S5735S-S, S5735-S-I, S5720S-SI, S5720I-SI, S5710-X-LI, S600-E

Networking: ASs are connected to the parent across an intermediate network
Device Positioning: AS
Recommended Device Type: S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI, S6730-S, S6730S-S, S5720-EI, S5700-LI, S5700S-LI, S6730-H, S6730S-H, S5730-HI, S5731-H, S5731S-H, S5732-H, S5731-S, S5731S-S, S5730-SI, S5736-S, S5735S-H, S5730S-EI, S5720-LI, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5720S-LI, S2750-EI, S2720-EI, S5720-SI, S5735-S, S500, S5735S-S, S5735-S-I, S5720S-SI, S5720I-SI, S5710-X-LI, S600-E

Networking: ASs are connected to the parent across an intermediate network
Device Positioning: Devices that do not join the SVF system (intermediate network devices)
Recommended Device Type: Devices with downlink optical ports and supporting Eth-Trunk

Determining APs
You need to select APs that are supported by the parent. First, use the following
methods to check whether the AP types are supported by the parent:
● (Recommended) Run the display ap-type all command on the parent to
check the AP types currently supported.
● Check the version mapping of the device model for the parent to check the
AP types supported by the parent.

3.4.3.3 AS Service Configuration

3.4.3.3.1 AS Service Configuration Method and Roadmap

Configuration Method
In an SVF system, two AS service configuration modes are available: centralized
mode and independent mode. The two modes cannot be used on the same AS.
In centralized mode, all service configurations for ASs are performed on the
parent. Therefore, the services that can be configured on ASs depend on the
services that can be configured on the parent, not on the services supported by
a standalone access switch.

Table 3-20 Configurations in centralized mode

Method: Global configuration
Description: Configure service functions in the uni-mng view of the parent (except that authentication-free rules need to be configured in the system view), and then run the commit as { name as-name | all } command to deliver AS service configurations. This method supports few configurations.

Method: Profile-based configuration
Description: Create service profiles and the specified device and port groups on the parent, bind the service profiles to the device and port groups, and then run the commit as { name as-name | all } command to deliver AS service configurations. If multiple ASs or ports in an SVF system need the same configurations, you can add these ASs or ports to the same group for batch configuration, which improves configuration efficiency.

Method: Direct configuration
Description: Run the direct-command command on the parent to deliver configurations directly to an AS. These configurations take effect on the AS immediately.

In independent mode, you can log in to an AS and configure services on it
using commands. After the configuration is complete, run the upload config
command to save the configuration file on the AS and upload it to the parent.
The independent mode supports more service configurations than the centralized
mode. When services cannot be batch configured on the parent for an AS, log in
to the AS to configure this AS. After the AS changes from the centralized mode
to the independent mode, all the service configurations performed using
profiles or delivered directly before the mode switch are retained.

Configuration Roadmap
1. Determine the services to be configured for an AS.
2. Determine the configuration method based on 3.4.3.1.3 SVF Service
Deployment Limitations. For example, you need to configure SNMP on an
AS. According to "Service Configuration Supported on an AS", you determine
that SNMP can be configured only in independent mode.
3. Configure services based on the configuration method. Figure 3-61 illustrates
the process of delivering configurations from the parent to AS ports using
service profiles.


Figure 3-61 Process of delivering configurations from the parent to AS ports using service profiles

The configuration delivery process has the following phases:
a. Create port groups and add AS ports into port groups. Each port group is
a set of ports, which are connected to users with the same service
characteristics.
b. Create service profiles. Each service profile is a set of services to be
delivered.
c. Bind service profiles to port groups.
d. Commit the configurations on the parent so that services can be
automatically delivered to ASs.


When configuring services for ASs through port groups, you only need to
focus on user ports on ASs. Whether services of fabric ports need to be
manually configured depends on networking scenarios:
– When the parent is directly connected to ASs, service configurations of
fabric ports on the parent and ASs will be automatically generated
according to service configurations of user ports.
– When the parent is connected to ASs across an intermediate network,
you need to configure services for the fabric port of the parent.

3.4.3.3.2 AS Access User Network Partitioning Configuration


During access user network partitioning, you need to add user ports to VLANs.
In a campus network, you can classify users based on departments and configure
same services for the same type of users. AS ports are directly connected to users,
so you can add AS ports connected to the same type of users to the same port
group. This operation simplifies the port configuration and greatly reduces the
configuration workload. When configuring a port group, pay attention to the
following:
● When configuring port groups, ensure that the port groups meet the
specifications listed in Table 3-21.

Table 3-21 Port group specifications

Port Group Type: Port group directly connected to users
Maximum Number of Port Groups Supported by an SVF System: 256
Restrictions on AS Ports and Port Groups:
● V200R009 and earlier versions: ports on an AS can be added to a maximum of six directly connected user port groups.
● V200R010 and later versions: ports on an AS can be added to a maximum of sixteen directly connected user port groups.

Port Group Type: Port group directly connected to APs
Maximum Number of Port Groups Supported by an SVF System: 1
Restrictions on AS Ports and Port Groups: Ports on an AS can be added to a maximum of one AP-connected port group.

● In V200R009 and earlier versions, user ports on each AS can have a maximum
of 1 default VLAN, 1 voice VLAN, and 16 allowed VLANs. In V200R010 and
later versions, user ports on each AS can have a maximum of 1 default VLAN,
1 voice VLAN, and 32 allowed VLANs.


● In versions earlier than V200R011C10, user ports on an AS cannot be
configured as Eth-Trunk member ports. In V200R011C10 and later versions, user
ports on an AS can be configured as Eth-Trunk member ports.

3.4.3.3.3 AS Access User Authentication Configuration


NOTE

If access users do not need to be authenticated, skip this section.

In the SVF system shown in Figure 3-62, the parent functions as the access
control authentication point for all users, so the authentication server needs
to be configured only once, on the parent, which simplifies deployment. The
access control enforcement points for all users are the ASs. To ensure
security, users who fail authentication are denied access at the ASs.

Figure 3-62 Access control authentication point and enforcement points

An SVF system supports three access user authentication modes: MAC, 802.1X,
and Portal. Table 3-22 lists the characteristics and application scenarios of the
three authentication modes.


Table 3-22 Characteristics and application scenarios of authentication modes

Authentication Mode: MAC
Characteristics:
● No client software needs to be installed.
● Users do not need to enter user names and passwords when logging in to the network.
● MAC addresses of all users need to be configured, complicating the configuration.
Applicable Scenario: Dumb terminals, such as printers and fax machines, need to connect to the network.

Authentication Mode: 802.1X
Characteristics:
● The 802.1X client software needs to be installed.
● Easy-to-remember user names can be configured.
● Users need to enter user names and passwords when logging in to the network.
Applicable Scenario: The network is newly built, users are densely distributed, and high information security is required.

Authentication Mode: Portal
Characteristics:
● No client software needs to be installed.
● Easy-to-remember user names can be configured.
● Users need to enter user names and passwords when logging in to the network.
Applicable Scenario: Users are sparsely distributed or move freely.

An SVF system supports only one combination of authentication modes. The
combination can contain one or more of the MAC, 802.1X, and Portal
authentication modes, according to scenario requirements.
● Wired access terminal authentication scenario
a. Wired access terminal authentication mode

Table 3-23 Recommended authentication modes in a wired access terminal authentication scenario

Scenario: Campus office network
Scenario Characteristics:
● The network is closed, users seldom change their locations, and high security is required.
● Locations of some laptops may change. For example, these laptops are moved from offices to meeting rooms or moved between departments.
● A few dumb terminals such as printers exist.
Typical Terminal: Laptops and network printers
Recommended Authentication Mode: 802.1X
Remarks:
● Configure dumb terminals such as printers as static users on the parent.
● Configure 802.1X authentication on all AS ports to which access terminals are connected.
● Use centralized forwarding of user traffic and UCL to implement inter-departmental user isolation.

Scenario: Educational institution
Scenario Characteristics:
● The network is closed, and terminals are densely distributed.
● Locations of wired terminals seldom change, and communication between local users generally does not need to be restricted.
Typical Terminal: Laptops
Recommended Authentication Mode: Portal
Remarks: If terminals need to be isolated, use centralized forwarding. Otherwise, use distributed forwarding to improve bandwidth forwarding efficiency.

b. Precautions for configuring wired access terminal authentication
i. It is not recommended to combine MAC authentication with 802.1X (or Portal) authentication. If such a combination is configured, concurrent access performance is reduced for terminals requiring 802.1X authentication when the system first performs MAC authentication on these terminals.
ii. When Portal authentication is configured, the built-in Portal server is not supported.
iii. Terminals cannot send DHCPv6 or neighbor discovery (ND) packets to trigger authentication.
iv. When authentication-free rules are configured on the parent, the parent delivers the authentication-free rules within the specified range to all ASs. For example, the parent can deliver authentication-free rules 0 to 127 to ASs of the S5720-EI model and rules 0 to 31 to ASs of other switch models. Authentication-free rules delivered to ASs do not carry interface information.
v. In an SVF system, network access rights can be authorized through authentication-free rules, but not through a UCL group, before users pass NAC authentication.
c. Precautions for authorizing wired access terminals
▪ In an SVF system running a version earlier than V200R011C10, authorization VLANs cannot be assigned to wired users. In an SVF system running V200R011C10 or later, authorization VLANs can be assigned to wired users.
● Wireless access terminal authentication scenario
a. Wireless access terminal authentication mode


Table 3-24 Recommended authentication modes in a wireless access terminal authentication scenario

Scenario: Campus Bring Your Own Device (BYOD) network
Scenario Characteristics:
● The network is closed, users seldom change their locations, and high security is required.
● Many users roam simultaneously.
Typical Terminal: Laptops, PADs, and mobile phones
Recommended Authentication Mode: 802.1X
Remarks:
● When a large number of users roam simultaneously, non-roaming users will not be disconnected, but roaming users may be disconnected.
● Roaming users will not be disconnected when a few users roam simultaneously.
● Use tunnel forwarding.

Scenario: Educational institution
Scenario Characteristics:
● The network is closed, and terminals are densely distributed.
● Many users roam simultaneously.
Typical Terminal: Laptops
Recommended Authentication Mode: MAC+Portal
Remarks:
● When a large number of users roam simultaneously, non-roaming users will not be disconnected, but roaming users may be disconnected.
● Use tunnel forwarding.

b. Precautions for configuring wireless access terminal authentication
You are advised to configure tunnel forwarding.

3.4.3.3.4 AS Security Configuration

Common Attack Scenarios in the Campus Network


Security configurations are used to prevent an SVF system against various attacks.
Common attacks in a campus network include attacks on the control plane and
forwarding plane. Table 3-25 lists attack types and their impacts on the campus
network.

Table 3-25 Attack types and scenarios

Attacks on the control plane:
● ARP attack with fixed source MAC address, and ARP attack with fixed source
  IP address: The CPU usage of the parent becomes high, and traffic of some
  users is interrupted.
● ARP attack from bogus gateways: A large number of gateway collision alarms
  will be generated on the parent.
● ARP spoofing gateway attack: Users cannot access the network.
● ARP flooding attack: Users cannot learn ARP entries and even cannot access
  the network.
● Bogus DHCP server attack: Users cannot obtain expected IP addresses.
● DHCP flooding attack: When terminals are not authenticated, users cannot
  obtain IP addresses.

Attacks on the forwarding plane:
● ARP Miss attack with fixed source IP address: The parent has a high CPU
  usage and cannot learn ARP entries.
● IP packet attack with the device IP address as destination IP address: The
  CPU usage of the parent becomes high. Packet loss occurs or traffic
  forwarding is interrupted when the parent pings the gateway. The parent
  responds slowly during a Telnet login to the parent. Unicast IP packets of
  protocols such as BGP and LDP cannot be processed in a timely manner,
  preventing these protocols from working normally.
● DDoS attack: Uplink ports are congested, and user traffic is interrupted.

Attack Defense Methods and Recommendations

In an SVF system, ASs are connected to terminals, and AS ports are directly
connected to terminals. By default, some device security measures have been
deployed in an SVF system. For example, packet rate limiting has been configured
in the inbound or outbound direction of AS ports. You can also run commands to
perform security configurations on the ports to which terminals are connected.
Table 3-26 lists attack defense methods and recommendations.


Table 3-26 Attack defense methods and recommendations

Attacks on the control plane:
● ARP attack with fixed source MAC address, and ARP attack with fixed source
  IP address:
  – Terminals need to be authenticated, wired access: automatic defense
    against ARP packet attacks is already supported.
  – Terminals need to be authenticated, wireless access: configure attack
    defense policies on APs.
  – Terminals do not need to be authenticated, wired access: configure ARP
    packet rate limiting on AS ports.
  – Terminals do not need to be authenticated, wireless access: configure
    attack defense policies on APs.
● ARP attack from bogus gateways (all access types): configure the ARP gateway
  anti-collision function on the parent.
● ARP spoofing gateway attack (all access types): set the forwarding mode to
  centralized forwarding.
● ARP flooding attack (all access types): the ARP anti-flooding function is
  automatically enabled in the outbound direction of ASs, so an ARP flooding
  attack can only affect the attacked AS. After the attack source is
  identified, configure rate limiting for incoming ARP packets on the AS ports
  to which terminals are connected.
● Bogus DHCP server attack:
  – Terminals need to be authenticated (wired or wireless access): none.
  – Terminals do not need to be authenticated, wired access: configure DHCP
    snooping on ASs.
  – Terminals do not need to be authenticated, wireless access: configure DHCP
    snooping on APs.
● DHCP flooding attack (all access types): the DHCP anti-flooding function is
  automatically enabled in the outbound direction of ASs, so a DHCP flooding
  attack can only affect the attacked AS. After the attack source is
  identified, configure rate limiting for incoming DHCP packets on the AS
  ports to which terminals are connected.

Attacks on the forwarding plane (all access types):
● ARP Miss attack with fixed source IP address: configure rate limiting for
  ARP Miss packets on the parent to limit the packets based on the source IP
  address.
● IP packet attack with the device IP address as destination IP address:
  configure a blacklist on the parent.
● DDoS attack: configure rate limiting and broadcast, multicast, and unknown
  unicast traffic suppression on ports.
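Each subtype in Table 3-25 is recognised by one observable, and the defenses in Table 3-26 are keyed on the same observables: the ARP rate per source MAC, per source IP and per second, an ARP that claims the gateway IP from a MAC other than the gateway's, a DHCP offer from a server that is not trusted, and one source IP that makes the parent generate ARP Misses for many destinations. The following Python block is an added example, not Huawei code: it runs that classification over constructed packet records so the difference between the subtypes can be seen on data. The gateway and DHCP server identities, the thresholds, and the traffic itself are assumptions chosen for illustration.

```python
from collections import Counter, defaultdict

# Assumed identities and thresholds (not from the page): the parent's gateway
# address/MAC on the user VLAN, the trusted DHCP server, and per-second limits.
GATEWAY_IP, GATEWAY_MAC = "10.1.1.1", "00e0-fc00-1100"
TRUSTED_DHCP_MACS = {"00e0-fc00-1100"}
LIMITS = {"arp_per_mac": 20, "arp_per_ip": 20, "arp_total": 100, "arp_miss_per_ip": 50}


def make_traffic():
    """Constructed one-second buckets of packets seen on one AS access port.

    Record: (second, kind, src_mac, src_ip, detail)
      kind "arp"      detail = sender IP carried in the ARP payload
      kind "dhcp"     detail = DHCP message type sent by src_mac
      kind "ip_miss"  detail = destination IP the parent had no ARP entry for
    """
    pkts = []
    # Fixed source MAC, rotating source IP: 40 ARPs/s from one NIC
    pkts += [(0, "arp", "00e0-fc00-00aa", f"10.1.1.{50 + i % 20}", f"10.1.1.{50 + i % 20}")
             for i in range(40)]
    # Fixed source IP, rotating (forged) source MAC: 30 ARPs/s all claiming 10.1.1.77
    pkts += [(0, "arp", f"00e0-fc00-{i:04x}", "10.1.1.77", "10.1.1.77") for i in range(30)]
    # Bogus gateway: a host answers ARP with the gateway's IP and its own MAC
    pkts += [(1, "arp", "00e0-fc00-0bad", "10.1.1.1", "10.1.1.1")]
    # Rogue DHCP server beside the legitimate one
    pkts += [(2, "dhcp", "00e0-fc00-0bad", "10.1.1.9", "offer"),
             (2, "dhcp", "00e0-fc00-1100", "10.1.1.1", "offer")]
    # ARP Miss attack: one host sweeps 80 unused addresses in a neighbouring subnet
    pkts += [(3, "ip_miss", "00e0-fc00-00cc", "10.1.1.60", f"10.1.2.{i}") for i in range(1, 81)]
    # Benign traffic: ten hosts each announcing their own address once
    pkts += [(4, "arp", f"00e0-fc00-{i:04x}", f"10.1.1.{i}", f"10.1.1.{i}") for i in range(100, 110)]
    # ARP flooding: 150 ARPs/s spread over distinct MACs and IPs, none above a per-source limit
    pkts += [(5, "arp", f"00e0-fc00-1{i:03x}", f"10.1.3.{i + 1}", f"10.1.3.{i + 1}") for i in range(150)]
    return pkts


def detect(pkts):
    """Classify traffic into the Table 3-25 subtypes; returns sorted (subtype, source) pairs."""
    findings = set()
    arp_by_mac, arp_by_ip, arp_by_sec = Counter(), Counter(), Counter()
    miss_targets = defaultdict(set)
    for sec, kind, mac, ip, detail in pkts:
        if kind == "arp":
            arp_by_mac[(sec, mac)] += 1
            arp_by_ip[(sec, ip)] += 1
            arp_by_sec[sec] += 1
            if detail == GATEWAY_IP and mac != GATEWAY_MAC:      # gateway collision
                findings.add(("arp-bogus-gateway", mac))
        elif kind == "dhcp" and detail in ("offer", "ack") and mac not in TRUSTED_DHCP_MACS:
            findings.add(("bogus-dhcp-server", mac))          # what DHCP snooping would drop
        elif kind == "ip_miss":
            miss_targets[ip].add(detail)
    for (sec, mac), n in arp_by_mac.items():                  # rate limit keyed by source MAC
        if n > LIMITS["arp_per_mac"]:
            findings.add(("arp-fixed-source-mac", mac))
    for (sec, ip), n in arp_by_ip.items():                    # rate limit keyed by source IP
        if n > LIMITS["arp_per_ip"]:
            findings.add(("arp-fixed-source-ip", ip))
    for sec, n in arp_by_sec.items():                         # aggregate limit on the port
        if n > LIMITS["arp_total"]:
            findings.add(("arp-flooding", f"second {sec}"))
    for ip, targets in miss_targets.items():                  # ARP Miss limit keyed by source IP
        if len(targets) > LIMITS["arp_miss_per_ip"]:
            findings.add(("arp-miss-fixed-source-ip", ip))
    return sorted(findings)


if __name__ == "__main__":
    for subtype, source in detect(make_traffic()):
        print(f"{subtype:26} {source}")
```

The fixed-source-MAC burst rotates its IP and the fixed-source-IP burst rotates its MAC, which is why the two need separate counters (and why the switch offers both source-MAC and source-IP rate limits). The 150-packet flood stays under both per-source limits and is caught only by the aggregate counter, matching the anti-flooding row of Table 3-26.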

3.4.3.4 Example for Configuring SVF (S7700 as the Parent)

Precautions
● The Super Virtual Fabric (SVF) function on a parent is license controlled. The
license only enables the SVF function but does not control SVF service
specifications and only needs to be loaded on the parent.
● After the SVF function is enabled, switches do not support the In-Service
Software Upgrade (ISSU) function.
● When the parent version is earlier than V200R011C10, the AS version must be
the same as the parent version. Otherwise, this AS cannot go online. For
example, if the parent version is V200R010C00, the AS version must also be
V200R010C00.
● When the parent version is V200R011C10 or later, the parent version and AS
version can be different, but the parent version must be higher than or the
same as the AS version and the AS version must also be V200R011C10 or
later.
● When GE optical interfaces are connected to XGE optical interfaces to connect
level-1 ASs to the parent or connect level-2 ASs to level-1 ASs, these
interfaces must use GE instead of XGE optical modules.
● All member ports of the Eth-Trunk bound to the fabric port that connects the
parent to an AS must be located on X series cards or on non-X series cards.
Otherwise, an access point (AP) cannot connect to the SVF system.
● If an AS is a stack set up using service ports, the AS must join an SVF system
after having the stacking function configured. This limitation does not apply
to an AS that is a stack set up using stack cards.
● When a cluster switch system (CSS) functioning as the parent is faulty:
– If one member switch in the CSS is faulty, the SVF function is not
affected.


– If the CSS splits but two member switches are working normally, the SVF
function becomes unavailable because ASs do not know which switch is
the parent. In this situation, you are advised to configure the dual-active
detection (DAD) function.

Networking Requirements
A new campus network has a large number of wired and wireless access devices.
The widely distributed access devices complicate management and configuration
of the access layer. Unified management and configuration of wired and wireless
access devices is required to reduce the management cost.
In this example, complete the following operations on access devices:
● Configure the administrator user name and password for access devices.
● Assign VLANs to ports of access devices.
● Set the user access authentication mode to 802.1X authentication.
As shown in Figure 3-63, two aggregation switches (SwitchA and SwitchB) set up
a Cluster Switching System (CSS) to improve reliability and function as the parent
to connect to multiple ASs and APs. Multi-active detection (MAD) in direct
mode must be configured on the parent to avoid conflicts when the CSS splits.
In this example, two S7700s function as the parent, three S5700-28P-PWR-LI
switches function as level-1 ASs (AS1 to AS3), two S2750-28TP-EI switches
function as level-2 ASs (AS4 and AS5), and an AP5010DN-AGN functions as an AP.

Figure 3-63 SVF networking


Data Plan
● Parent: CSS of two switches (SwitchA and SwitchB). Set the CSS connection
  mode to CSS card.
● Directly connected MAD ports on the parent: GE1/2/0/1 and GE2/2/0/1.
● Cards that connect the parent to ASs: 1/1 and 2/1 cards, X1E cards of the
  same type.
● MAC addresses of the parent, ASs 1 to 5, and AP:
  – Parent: 00e0-fc00-1100
  – AS1: 00e0-fc00-0011
  – AS2: 00e0-fc00-0022
  – AS3: 00e0-fc00-0033
  – AS4: 00e0-fc00-0044
  – AS5: 00e0-fc00-0055
  – AP: 00e0-fc00-0005
● SVF management VLAN: VLAN 11.
● IP address of the management VLANIF interface: 192.168.11.1.
● Ports that connect the parent to AS1: GE1/1/0/1 and GE2/1/0/1. Add the two
  ports to Eth-Trunk 1 and bind it to fabric-port 1.
● Ports that connect the parent to AS2: GE1/1/0/2 and GE2/1/0/2. Add the two
  ports to Eth-Trunk 2 and bind it to fabric-port 2.
● Ports that connect the parent to AS3: GE1/1/0/3 and GE2/1/0/3. Add the two
  ports to Eth-Trunk 3 and bind it to fabric-port 3.
● Ports that connect AS1 to AS4: GE0/0/23 and GE0/0/24 on AS1. Add the two
  ports to Eth-Trunk 4 and bind it to fabric-port 4.
● Ports that connect AS3 to AS5: GE0/0/23 and GE0/0/24 on AS3. Add the two
  ports to Eth-Trunk 5 and bind it to fabric-port 5.
● Port that connects AS2 to the AP: GE0/0/24. Add the port to the AP port
  group.
● AS authentication mode: whitelist authentication.
● Service configuration for the AS administrator profile: administrator
  profile admin_profile, in which you configure the administrator user name
  and password, and AS group admin_group, which includes all the ASs. Bind
  admin_profile to admin_group.
● Service configuration for the AS network basic profile: network basic
  profile basic_profile_1 with default VLAN 10, network basic profile
  basic_profile_2 with default VLAN 20, port group port_group_1 (all AS1 and
  AS4 ports, and all AS2 ports except GE0/0/24, which directly connects to
  the AP), and port group port_group_2 (all AS3 and AS5 ports). Bind
  basic_profile_1 to port_group_1 and basic_profile_2 to port_group_2.
● Service configuration for the AS user access profile: user access profile
  access_profile, in which you set the user access authentication mode to
  802.1X authentication. Bind access_profile to port_group_1 and
  port_group_2.

Configuration Roadmap
1. Configure SwitchA and SwitchB in the parent to set up a CSS using CSS cards
and configure MAD in direct mode to ensure high reliability of the SVF
system.
2. Enable the SVF function on the parent.
3. Configure AS access parameters, including AS names (optional),
authentication mode, and fabric ports that connect the parent to level-1 ASs
and level-1 ASs to level-2 ASs.
4. Connect level-1 ASs to the parent and level-2 ASs using cables.
5. Configure service profiles and bind them to ASs.


6. Configure the downlink port (GE0/0/24) that connects AS2 to the AP,
configure AP access parameters, power on the AP, and connect the AP and
AS2 using cables to ensure that the AP can connect to the SVF system.
7. Log in to ASs to check the service configurations of the ASs.

Procedure
Step 1 Configure SwitchA and SwitchB in the parent to set up a CSS.

# Set the CSS connection mode, CSS ID, and CSS priority to CSS card connection,
1, and 100 for SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] set css mode css-card
[SwitchA] set css id 1
[SwitchA] set css priority 100

# Set the CSS connection mode, CSS ID, and CSS priority to CSS card connection,
2, and 10 for SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] set css mode css-card
[SwitchB] set css id 2
[SwitchB] set css priority 10

# Enable the CSS function on SwitchA and restart SwitchA.
[SwitchA] css enable

# Enable the CSS function on SwitchB and restart SwitchB.
[SwitchB] css enable

# Log in to the CSS and configure MAD in direct mode.
<SwitchA> system-view
[SwitchA] interface gigabitethernet 1/2/0/1
[SwitchA-GigabitEthernet1/2/0/1] mad detect mode direct
[SwitchA-GigabitEthernet1/2/0/1] quit
[SwitchA] interface gigabitethernet 2/2/0/1
[SwitchA-GigabitEthernet2/2/0/1] mad detect mode direct
[SwitchA-GigabitEthernet2/2/0/1] quit

Step 2 Configure the management VLAN in the SVF system and enable the SVF function
on the parent.
[SwitchA] vlan batch 11
[SwitchA] dhcp enable
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] ip address 192.168.11.1 24
[SwitchA-Vlanif11] dhcp select interface
[SwitchA-Vlanif11] dhcp server option 43 ip-address 192.168.11.1
[SwitchA-Vlanif11] quit
[SwitchA] capwap source interface vlanif 11
[SwitchA] stp mode rstp
[SwitchA] uni-mng
Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP calculation may be
triggered and service traffic will be affected. Continue? [Y/N]:y

Step 3 Configure AS access parameters.

# (Optional) Configure a name for each AS.


NOTE

● If you do not perform this step, the system will generate AS device information when ASs
connect to the SVF system. An AS name is in the format of system default name-system
MAC address.
● If you need to perform this step, ensure that the configured model and mac-address
parameters are consistent with the actual AS information. The value of mac-address must
be the AS management MAC address or system MAC address. To view the AS management
MAC address, run the display as access configuration command on the AS. If the
management MAC displays --, the value of mac-address is the system MAC address. If the
configured parameters are inconsistent with the actual AS information, the AS cannot go
online.
[SwitchA-um] as name as1 model S5700-28P-PWR-LI-AC mac-address 00e0-fc00-0011
[SwitchA-um-as-as1] quit
[SwitchA-um] as name as2 model S5700-28P-PWR-LI-AC mac-address 00e0-fc00-0022
[SwitchA-um-as-as2] quit
[SwitchA-um] as name as3 model S5700-28P-PWR-LI-AC mac-address 00e0-fc00-0033
[SwitchA-um-as-as3] quit
[SwitchA-um] as name as4 model S2750-28TP-EI-AC mac-address 00e0-fc00-0044
[SwitchA-um-as-as4] quit
[SwitchA-um] as name as5 model S2750-28TP-EI-AC mac-address 00e0-fc00-0055
[SwitchA-um-as-as5] quit

# Configure the fabric port that connects the parent to AS1.
[SwitchA-um] interface fabric-port 1
[SwitchA-um-fabric-port-1] port member-group interface eth-trunk 1
[SwitchA-um-fabric-port-1] quit
[SwitchA-um] quit
[SwitchA] interface gigabitethernet 1/1/0/1
[SwitchA-GigabitEthernet1/1/0/1] eth-trunk 1
[SwitchA-GigabitEthernet1/1/0/1] quit
[SwitchA] interface gigabitethernet 2/1/0/1
[SwitchA-GigabitEthernet2/1/0/1] eth-trunk 1
[SwitchA-GigabitEthernet2/1/0/1] quit

# Configure the fabric port that connects the parent to AS2.
[SwitchA] uni-mng
[SwitchA-um] interface fabric-port 2
[SwitchA-um-fabric-port-2] port member-group interface eth-trunk 2
[SwitchA-um-fabric-port-2] quit
[SwitchA-um] quit
[SwitchA] interface gigabitethernet 1/1/0/2
[SwitchA-GigabitEthernet1/1/0/2] eth-trunk 2
[SwitchA-GigabitEthernet1/1/0/2] quit
[SwitchA] interface gigabitethernet 2/1/0/2
[SwitchA-GigabitEthernet2/1/0/2] eth-trunk 2
[SwitchA-GigabitEthernet2/1/0/2] quit

# Configure the fabric port that connects the parent to AS3.
[SwitchA] uni-mng
[SwitchA-um] interface fabric-port 3
[SwitchA-um-fabric-port-3] port member-group interface eth-trunk 3
[SwitchA-um-fabric-port-3] quit
[SwitchA-um] quit
[SwitchA] interface gigabitethernet 1/1/0/3
[SwitchA-GigabitEthernet1/1/0/3] eth-trunk 3
[SwitchA-GigabitEthernet1/1/0/3] quit
[SwitchA] interface gigabitethernet 2/1/0/3
[SwitchA-GigabitEthernet2/1/0/3] eth-trunk 3
[SwitchA-GigabitEthernet2/1/0/3] quit

# Configure the fabric ports that connect AS1 to AS4 and AS3 to AS5.
[SwitchA] uni-mng
[SwitchA-um] as name as1
[SwitchA-um-as-as1] down-direction fabric-port 4 member-group interface eth-trunk 4
[SwitchA-um-as-as1] port eth-trunk 4 trunkmember interface gigabitethernet 0/0/23 to 0/0/24
[SwitchA-um-as-as1] quit
[SwitchA-um] as name as3
[SwitchA-um-as-as3] down-direction fabric-port 5 member-group interface eth-trunk 5
[SwitchA-um-as-as3] port eth-trunk 5 trunkmember interface gigabitethernet 0/0/23 to 0/0/24
[SwitchA-um-as-as3] quit
[SwitchA-um] quit

# Configure whitelist authentication for ASs to connect to an SVF system.
To view the AS management MAC address, run the display as access
configuration command on the AS. If the management MAC displays --, the MAC
address configured in the whitelist is the AS system MAC address. Otherwise, the
MAC address configured in the whitelist is the AS management MAC address.
Whitelist authentication admits only an AS whose MAC address is listed, so keep
the list to the planned ASs. Because a MAC address can be forged, treat the
whitelist as a guard against unplanned devices rather than as strong
authentication of the AS.
[SwitchA] as-auth
[SwitchA-as-auth] undo auth-mode
[SwitchA-as-auth] whitelist mac-address 00e0-fc00-0011
[SwitchA-as-auth] whitelist mac-address 00e0-fc00-0022
[SwitchA-as-auth] whitelist mac-address 00e0-fc00-0033
[SwitchA-as-auth] whitelist mac-address 00e0-fc00-0044
[SwitchA-as-auth] whitelist mac-address 00e0-fc00-0055
[SwitchA-as-auth] quit

Step 4 Run the reset saved-configuration command to clear the configurations of ASs,
restart the ASs, and then connect level-1 ASs to the parent and level-2 ASs using
cables. Subsequently, an SVF system is set up.
NOTE

● Before restarting an AS, check whether the port that connects this AS to the parent is a
downlink port. You can run the display port connection-type access all command on this
AS to view all downlink ports on it. If this port is a downlink port, run the uni-mng up-
direction fabric-port command on this AS to configure this port as an uplink port before
restarting this AS. Otherwise, this AS cannot go online.
● Before connecting an AS to the parent, ensure that the AS has no configuration file and no
input on the console port.

# After connecting cables, run the display as all command to check whether ASs
have connected to the SVF system.
[SwitchA] display as all
Total: 5, Normal: 5, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5700-P-LI 00e0-fc00-0011 192.168.11.254 normal as1
1 S5700-P-LI 00e0-fc00-0022 192.168.11.253 normal as2
2 S5700-P-LI 00e0-fc00-0033 192.168.11.252 normal as3
3 S2750-EI 00e0-fc00-0044 192.168.11.251 normal as4
4 S2750-EI 00e0-fc00-0055 192.168.11.250 normal as5
--------------------------------------------------------------------------------

When the State field in the command output displays normal for an AS, the AS
has connected to the SVF system.
# Run the display uni-mng topology information command to view SVF
topology information.
[SwitchA] display uni-mng topology information
The topology information of uni-mng network:
<-->: direct link <??>: indirect link
T: Trunk ID *: independent AS
------------------------------------------------------------------------------
Local MAC Hop Local Port T || T Peer Port Peer MAC
------------------------------------------------------------------------------
00e0-fc00-1100 0 GE1/1/0/1 1 <-->0 GE0/0/27 00e0-fc00-0011
00e0-fc00-1100 0 GE2/1/0/1 1 <-->0 GE0/0/28 00e0-fc00-0011
00e0-fc00-1100 0 GE1/1/0/2 2 <-->0 GE0/0/27 00e0-fc00-0022
00e0-fc00-1100 0 GE2/1/0/2 2 <-->0 GE0/0/28 00e0-fc00-0022
00e0-fc00-1100 0 GE1/1/0/3 3 <-->0 GE0/0/27 00e0-fc00-0033
00e0-fc00-1100 0 GE2/1/0/3 3 <-->0 GE0/0/28 00e0-fc00-0033
00e0-fc00-0011 1 GE0/0/23 4 <-->0 GE0/0/1 00e0-fc00-0044
00e0-fc00-0011 1 GE0/0/24 4 <-->0 GE0/0/2 00e0-fc00-0044
00e0-fc00-0033 1 GE0/0/23 5 <-->0 GE0/0/1 00e0-fc00-0055
00e0-fc00-0033 1 GE0/0/24 5 <-->0 GE0/0/2 00e0-fc00-0055
------------------------------------------------------------------------------
Total items displayed : 10

# Run the display uni-mng upgrade-info verbose command to view all AS
version information.
[SwitchA] display uni-mng upgrade-info verbose
The total number of AS is : 5
----------------------------------------------------------------------------
AS name : as1
Work status : NO-UPGRADE
Startup system-software : flash:/s5700-p-li.cc
Startup version : V200R008C00
Startup patch : --
Next startup system-software : --
Next startup patch : --
Download system-software : --
Download version : --
Download patch : --
Method : --
Upgrading phase : --
Last operation result : --
Error reason : --
Last operation time : --
----------------------------------------------------------------------------
AS name : as2
Work status : NO-UPGRADE
Startup system-software : flash:/s5700-p-li.cc
Startup version : V200R008C00
Startup patch : --
Next startup system-software : --
Next startup patch : --
Download system-software : --
Download version : --
Download patch : --
Method : --
Upgrading phase : --
Last operation result : --
Error reason : --
Last operation time : --
----------------------------------------------------------------------------
AS name : as3
Work status : NO-UPGRADE
Startup system-software : flash:/s5700-p-li.cc
Startup version : V200R008C00
Startup patch : --
Next startup system-software : --
Next startup patch : --
Download system-software : --
Download version : --
Download patch : --
Method : --
Upgrading phase : --
Last operation result : --
Error reason : --
Last operation time : --
----------------------------------------------------------------------------
AS name : as4
Work status : NO-UPGRADE
Startup system-software : flash:/s2750-ei.cc
Startup version : V200R008C00
Startup patch : --
Next startup system-software : --
Next startup patch : --
Download system-software : --
Download version : --
Download patch : --
Method : --
Upgrading phase : --
Last operation result : --
Error reason : --
Last operation time : --
----------------------------------------------------------------------------
AS name : as5
Work status : NO-UPGRADE
Startup system-software : flash:/s2750-ei.cc
Startup version : V200R008C00
Startup patch : --
Next startup system-software : --
Next startup patch : --
Download system-software : --
Download version : --
Download patch : --
Method : --
Upgrading phase : --
Last operation result : --
Error reason : --
Last operation time : --
----------------------------------------------------------------------------

Step 5 Configure service profiles and bind them to ASs.

# Configure an AS administrator profile and bind it to all ASs. The user name
and password in this profile are delivered to every AS in the group and become
the login credentials for all of them, so use a site-specific password rather
than the example value.
[SwitchA] uni-mng
[SwitchA-um] as-admin-profile name admin_profile
[SwitchA-um-as-admin-admin_profile] user asuser password YsHsjx_202206
[SwitchA-um-as-admin-admin_profile] quit
[SwitchA-um] as-group name admin_group
[SwitchA-um-as-group-admin_group] as name-include as
[SwitchA-um-as-group-admin_group] as-admin-profile admin_profile
[SwitchA-um-as-group-admin_group] quit

# Configure network basic profiles and bind them to AS ports.
[SwitchA-um] network-basic-profile name basic_profile_1
[SwitchA-um-net-basic-basic_profile_1] user-vlan 10
[SwitchA-um-net-basic-basic_profile_1] quit
[SwitchA-um] network-basic-profile name basic_profile_2
[SwitchA-um-net-basic-basic_profile_2] user-vlan 20
[SwitchA-um-net-basic-basic_profile_2] quit
[SwitchA-um] port-group name port_group_1
[SwitchA-um-portgroup-port_group_1] as name as1 interface all
[SwitchA-um-portgroup-port_group_1] as name as2 interface gigabitethernet 0/0/1 to 0/0/23 // GigabitEthernet0/0/24 connects AS2 to the AP.
[SwitchA-um-portgroup-port_group_1] as name as4 interface all
[SwitchA-um-portgroup-port_group_1] network-basic-profile basic_profile_1
[SwitchA-um-portgroup-port_group_1] quit
[SwitchA-um] port-group name port_group_2
[SwitchA-um-portgroup-port_group_2] as name as3 interface all
[SwitchA-um-portgroup-port_group_2] as name as5 interface all
[SwitchA-um-portgroup-port_group_2] network-basic-profile basic_profile_2
[SwitchA-um-portgroup-port_group_2] quit
[SwitchA-um] quit

# Configure a user access profile and bind it to all AS ports.

If the switch is running V200R007C00 or V200R008C00, run:
[SwitchA] uni-mng
[SwitchA-um] user-access-profile name access_profile
[SwitchA-um-user-access-access_profile] authentication dot1x
[SwitchA-um-user-access-access_profile] quit
[SwitchA-um] port-group name port_group_1
[SwitchA-um-portgroup-port_group_1] user-access-profile access_profile
[SwitchA-um-portgroup-port_group_1] quit
[SwitchA-um] port-group name port_group_2
[SwitchA-um-portgroup-port_group_2] user-access-profile access_profile
[SwitchA-um-portgroup-port_group_2] quit

If the switch is running V200R009C00 or a later version, run:
[SwitchA] dot1x-access-profile name 1
[SwitchA-dot1x-access-profile-1] quit
[SwitchA] authentication-profile name dot1x_auth
[SwitchA-authen-profile-dot1x_auth] dot1x-access-profile 1
[SwitchA-authen-profile-dot1x_auth] quit
[SwitchA] uni-mng
[SwitchA-um] user-access-profile name access_profile
[SwitchA-um-user-access-access_profile] authentication-profile dot1x_auth
[SwitchA-um-user-access-access_profile] quit
[SwitchA-um] port-group name port_group_1
[SwitchA-um-portgroup-port_group_1] user-access-profile access_profile
[SwitchA-um-portgroup-port_group_1] quit
[SwitchA-um] port-group name port_group_2
[SwitchA-um-portgroup-port_group_2] user-access-profile access_profile
[SwitchA-um-portgroup-port_group_2] quit

# Commit the configurations so that the configurations in service profiles can be
delivered to ASs.
[SwitchA-um] commit as all
Warning: Committing the configuration will take a long time. Continue?[Y/N]: y

# Run the display uni-mng commit-result profile command to check whether
the configurations in service profiles have been delivered to ASs.
[SwitchA-um] display uni-mng commit-result profile
Result of profile:
--------------------------------------------------------------------------------
AS Name Commit Time Commit/Execute Result
--------------------------------------------------------------------------------
as1 2014-08-25 22:29:18 Success/Success
as2 2014-08-25 22:29:18 Success/Success
as3 2014-08-25 22:29:20 Success/Success
as4 2014-08-25 22:29:20 Success/Success
as5 2014-08-25 22:29:20 Success/Success
--------------------------------------------------------------------------------

When the Commit/Execute Result field in the command output displays Success/
Success for an AS, the configurations in service profiles have been delivered to the
AS.

Step 6 Connect the AP to AS2.

# Add the port that connects AS2 to the AP to an AP port group.
[SwitchA] uni-mng
[SwitchA-um] port-group connect-ap name ap
[SwitchA-um-portgroup-ap-ap] as name as2 interface gigabitethernet 0/0/24
[SwitchA-um-portgroup-ap-ap] quit
[SwitchA-um] commit as all
Warning: Committing the configuration will take a long time. Continue?[Y/N]: y
[SwitchA-um] quit

# Configure an AP ID.

If the switch is running V200R007C00 or V200R008C00, run:
[SwitchA] wlan
[SwitchA-wlan-view] ap id 1 ap-type ap5010dn-agn mac 00e0-fc00-0005
[SwitchA-wlan-ap-1] quit

If the switch is running V200R009C00 or a later version, run:
[SwitchA] wlan
[SwitchA-wlan-view] ap-id 1 ap-type ap5010dn-agn ap-mac 00e0-fc00-0005
[SwitchA-wlan-ap-1] ap-name ap-1
[SwitchA-wlan-ap-1] quit

# Configure no authentication for the AP to connect to an SVF system. In no-auth
mode the parent registers any AP that can reach the CAPWAP source address
(VLANIF 11) without checking its identity, so use this mode only for initial
provisioning in a controlled environment.

If the switch is running V200R007C00 or V200R008C00, run:
[SwitchA-wlan-view] ap-auth-mode no-auth
[SwitchA-wlan-view] quit

If the switch is running V200R009C00 or a later version, run:
[SwitchA-wlan-view] ap auth-mode no-auth
[SwitchA-wlan-view] quit

# Power on the AP and connect the AP to AS2 using cables. Then run the display
ap all command to check whether the AP has connected to the SVF system.

In V200R007C00 or V200R008C00, the following information is displayed:
[SwitchA] display ap all
All AP(s) information:
Normal[1],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
1 AP5010DN-AGN 00e0-fc00-0005 0/0 normal ap-1
------------------------------------------------------------------------------
Total number: 1,printed: 1

In V200R009C00 or a later version, the following information is displayed:
[SwitchA] display ap all
Total AP information:
nor : normal [1]
-----------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-----------------------------------------------------------------------------------------
1 00e0-fc00-0005 ap-1 default 192.168.11.249 AP5010DN-AGN nor 0 6H:3M:40S
-----------------------------------------------------------------------------------------
Total: 1

Step 7 Log in to ASs to check the service configurations of the ASs. The following uses
the login to AS1 as an example.

# Run the attach as name as-name command on the parent to log in to AS1 and
check whether the configured login user name and password are correct.
[SwitchA] uni-mng
[SwitchA-um] attach as name as1
Info: Connecting to the remote AS now. Use the quit command to return to the user view.
Trying 192.168.11.254 ...
Press CTRL+K to abort
Connected to 192.168.11.254 ...

Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.

The current login time is 2014-08-25 22:31:18+00:00.


<HUAWEI>

# Check whether service configurations of AS ports are generated.

NOTE

To check the access authentication configuration in V200R009C00 or a later version, run the
display authentication interface interface-type interface-number command on the AS.
<HUAWEI> display current-configuration
......
#
interface Eth-Trunk0
port link-type hybrid
port hybrid tagged vlan 1 11
stp instance 0 cost 200
traffic-filter outbound acl 4998
traffic-limit outbound acl 3999 cir 128 pir 128 cbs 16000 pbs 16000
traffic-statistic outbound acl 3999
traffic-limit outbound acl 4999 cir 32 pir 32 cbs 4000 pbs 4000
traffic-statistic outbound acl 4999
mode lacp
mad detect mode relay
#
interface GigabitEthernet0/0/1
stp root-protection
authentication access-point
authentication dot1x
#
interface GigabitEthernet0/0/26
eth-trunk 0
broadcast-suppression 100
#
......

----End

Configuration Summary
1. When setting up a CSS for a parent, use the CSS card or service port
connection mode according to networking requirements. This example uses
the CSS card connection.
2. You can configure service profiles and bind them to ASs before or after the
ASs connect to the SVF system. The AS service configuration mode includes
the pre-configured and non-pre-configured modes depending on the time
services are configured. Whatever configuration mode you use, you must run
the commit as { name as-name | all } command to commit the configuration
after completing it.
– Pre-configured mode: Before ASs connect to the SVF system, pre-
configure service profiles, bind them to the ASs, save the configuration on
the parent, and then run the commit as { name as-name | all }
command to commit the configuration. When the ASs connect to the SVF
system, configurations in the service profiles are automatically delivered
to the ASs.
– Non-pre-configured mode: After ASs connect to the SVF system,
configure service profiles, bind them to the ASs, and then run the
commit as { name as-name | all } command to commit the
configuration so that configurations in the service profiles can be
delivered to the ASs.

3. After the SVF function is enabled, the Spanning Tree Protocol (STP) and Link
Layer Discovery Protocol (LLDP) functions are enabled globally on the parent.
Pay attention to the following points when using the STP and LLDP functions
in an SVF system:
– You can disable the STP and LLDP functions only on ports, not globally.
– Do not disable the LLDP function on member ports of a fabric port, ports
connected to APs, and AP uplink ports. Otherwise, the SVF topology will
become abnormal.
4. After the SVF function is enabled, the parent changes the STP mode to Rapid
Spanning Tree Protocol (RSTP) and sets the priority of instance 0 to 28672
using the stp instance 0 priority 28672 command. The priority of instance 0
cannot be set to a value greater than 28672. After the SVF function is
disabled, the default priority of instance 0 is restored. When the SVF
function is enabled or disabled, STP recalculates the port roles and changes
the port states, so traffic on the affected ports is interrupted temporarily.
5. The MAD relay function is automatically enabled on the Eth-Trunk to which a
downlink fabric port is bound, and the MAD function is automatically enabled
on the Eth-Trunk to which an uplink fabric port is bound to perform MAD in
an AS that is a stack. When the standby switch in the AS is removed, MAD
cannot be performed because the standby switch restarts automatically
without saving the configuration.
6. To prevent the SVF function from being affected, do not perform MIB
operations to modify the configuration automatically generated in an SVF
system, for example, the configuration of STP, LLDP, and Eth-Trunk to which a
fabric port is bound.
7. If an AP has connected to the parent before the SVF function is enabled, the
parent cannot collect topology information about the AP after the uni-mng
command is used to enable the SVF function. You need to run the commit
{ all | ap ap-id } command in the WLAN view to commit the AP configuration.
Subsequently, the parent can collect topology information about the AP. From
V200R011C10, WLAN configurations are automatically delivered, without the
need of running the commit all command.
8. On the parent, there may be a delay in displaying the output of some
commands executed on ASs, including the patch delete all and patch load
filename all [ active | run ] commands.
9. In an SVF system, the maximum frame length allowed by ports cannot be
configured on an AS. Therefore, the maximum frame length (including the
CRC field) is the default value. The default value varies with the AS, for
details, see the jumboframe enable command.
10. Internal attacks of a management VLAN will cause ASs to disconnect from
the SVF system. You need to error down the attacked ports or remove the
ports from the management VLAN after identifying the attack source.
11. After an AS disconnects from the SVF system, in versions earlier than
V200R012C00, all downlink ports of the AS will be error down. In
V200R012C00 and later versions, to ensure that downlink networks of the AS
can communicate with each other, downlink ports of the AS will not be error
down.
12. Configured Control and Provisioning of Wireless Access Points (CAPWAP)
tunnel parameters apply to the SVF system. To ensure that the CAPWAP
tunnel of the SVF system works normally, you are advised to retain the
default CAPWAP tunnel parameters.
13. When an AS is an S5700-10P-LI, S5700-10P-PWR-LI-AC, S2720-EI
(V200R009C00 and V200R010C00) or S2750-EI, and the assign forward-
mode ipv4-hardware command has been executed in the system view to
enable Layer 3 hardware forwarding for IPv4 packets before the AS connects
to the SVF system:
– The AS cannot negotiate to connect to the SVF system if the AS directly
connects to the parent.
– Configuring a management VLAN is not allowed if the AS connects to the
parent across a network.
You need to start the AS in standalone mode and then run the undo assign
forward-mode command in the system view to disable Layer 3 hardware
forwarding for IPv4 packets.
14. In the SVF system, network access rights available before users pass network
admission control (NAC) authentication can be authorized through
authentication-free rules instead of a user control list (UCL) group.
15. SVF does not support built-in Portal servers.

Parent Configuration File (configuration in V200R008C00 as an example)


#
sysname SwitchA
#
vlan batch 11
#
stp mode rstp
stp instance 0 priority 28672
#
lldp enable
#
dhcp enable
#
interface Vlanif11
ip address 192.168.11.1 255.255.255.0
dhcp select interface
dhcp server option 43 ip-address 192.168.11.1
#
interface Eth-Trunk1
port link-type hybrid
port hybrid tagged vlan 1 10 to 11
stp root-protection
authentication control-point open
authentication dot1x
mode lacp
loop-detection disable
mad relay
#
interface Eth-Trunk2
port link-type hybrid
port hybrid tagged vlan 1 10 to 11
stp root-protection
authentication control-point open
authentication dot1x
mode lacp
loop-detection disable
mad relay
#
interface Eth-Trunk3
port link-type hybrid
port hybrid tagged vlan 1 11 20
stp root-protection
authentication control-point open
authentication dot1x
mode lacp
loop-detection disable
mad relay
#
interface GigabitEthernet1/1/0/1
eth-trunk 1
#
interface GigabitEthernet1/1/0/2
eth-trunk 2
#
interface GigabitEthernet1/1/0/3
eth-trunk 3
#
interface GigabitEthernet1/2/0/1
mad detect mode direct
#
interface GigabitEthernet2/1/0/1
eth-trunk 1
#
interface GigabitEthernet2/1/0/2
eth-trunk 2
#
interface GigabitEthernet2/1/0/3
eth-trunk 3
#
interface GigabitEthernet2/2/0/1
mad detect mode direct
#
capwap source interface vlanif11
#
wlan
wlan ap lldp enable
ap-auth-mode no-auth
ap id 1 type-id 30 mac 00e0-fc00-0005 sn 2102355547W0E3000316
wlan work-group default
#
as-auth
whitelist mac-address 00e0-fc00-0011
whitelist mac-address 00e0-fc00-0022
whitelist mac-address 00e0-fc00-0033
whitelist mac-address 00e0-fc00-0044
whitelist mac-address 00e0-fc00-0055
#
uni-mng
as name as1 model S5700-28P-PWR-LI-AC mac-address 00e0-fc00-0011 //Check whether the configurations of ASs and ports connected to ASs are correct.
down-direction fabric-port 4 member-group interface Eth-Trunk 4
port Eth-Trunk 4 trunkmember interface GigabitEthernet 0/0/23
port Eth-Trunk 4 trunkmember interface GigabitEthernet 0/0/24
as name as2 model S5700-28P-PWR-LI-AC mac-address 00e0-fc00-0022
as name as3 model S5700-28P-PWR-LI-AC mac-address 00e0-fc00-0033
down-direction fabric-port 5 member-group interface Eth-Trunk 5
port Eth-Trunk 5 trunkmember interface GigabitEthernet 0/0/23
port Eth-Trunk 5 trunkmember interface GigabitEthernet 0/0/24
as name as4 model S2750-28TP-EI-AC mac-address 00e0-fc00-0044
as name as5 model S2750-28TP-EI-AC mac-address 00e0-fc00-0055
interface fabric-port 1
port member-group interface Eth-Trunk 1
interface fabric-port 2
port member-group interface Eth-Trunk 2
interface fabric-port 3
port member-group interface Eth-Trunk 3
as-admin-profile name admin_profile //Check the administrator profile configuration.
user asuser password %^%#Ky,WNqWh_DZ[(V96yvSEph)VLMc/+U}>]i2:"9n:%^%#
network-basic-profile name basic_profile_1 //Check the network basic profile configuration.
user-vlan 10
network-basic-profile name basic_profile_2
user-vlan 20
user-access-profile name access_profile //Check the user access profile configuration.
authentication dot1x
as-group name admin_group //Check whether an AS group has been created and whether it has been bound to the AS administrator profile.
as-admin-profile admin_profile
as name as1
as name as2
as name as3
as name as4
as name as5
port-group name port_group_1 //Check whether a port group has been bound to service profiles and whether service ports of ASs have been added to the port group.
network-basic-profile basic_profile_1
user-access-profile access_profile
as name as1 interface GigabitEthernet 0/0/1 to 0/0/24
as name as2 interface GigabitEthernet 0/0/1 to 0/0/23
as name as4 interface Ethernet 0/0/1 to 0/0/24
port-group name port_group_2 //Check whether a port group has been bound to service profiles and whether service ports of ASs have been added to the port group.
network-basic-profile basic_profile_2
user-access-profile access_profile
as name as3 interface GigabitEthernet 0/0/1 to 0/0/24
as name as5 interface Ethernet 0/0/1 to 0/0/24
port-group connect-ap name ap
as name as2 interface GigabitEthernet 0/0/24
#
return
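The parent configuration file above is the single place that decides which ASs may join the SVF system and which profiles reach which ports, so it is worth checking mechanically before running commit as all. The following Python script is an added example (not Huawei code and not part of this guide): it parses a trimmed, constructed copy of the file and reports ASs whose MAC address is missing from the as-auth whitelist, whitelisted MAC addresses with no as name definition, AS groups or port groups that bind a profile that is never defined, and ASs left out of every AS group or port group. The function names, the finding texts and the deliberately broken second copy (an extra whitelist entry and as5 dropped from admin_group) are the example's own.

```python
import re

# Constructed, trimmed copy of the parent configuration file shown above
# (as4 and the cipher-text password line are left out; the parser ignores both).
PARENT_CONFIG = """\
as-auth
 whitelist mac-address 00e0-fc00-0011
 whitelist mac-address 00e0-fc00-0022
 whitelist mac-address 00e0-fc00-0033
 whitelist mac-address 00e0-fc00-0055
uni-mng
 as name as1 model S5700-28P-PWR-LI-AC mac-address 00e0-fc00-0011
 as name as2 model S5700-28P-PWR-LI-AC mac-address 00e0-fc00-0022
 as name as3 model S5700-28P-PWR-LI-AC mac-address 00e0-fc00-0033
 as name as5 model S2750-28TP-EI-AC mac-address 00e0-fc00-0055
 as-admin-profile name admin_profile
 network-basic-profile name basic_profile_1
  user-vlan 10
 network-basic-profile name basic_profile_2
  user-vlan 20
 user-access-profile name access_profile
  authentication dot1x
 as-group name admin_group
  as-admin-profile admin_profile
  as name as1
  as name as2
  as name as3
  as name as5
 port-group name port_group_1
  network-basic-profile basic_profile_1
  user-access-profile access_profile
  as name as1 interface GigabitEthernet 0/0/1 to 0/0/24
  as name as2 interface GigabitEthernet 0/0/1 to 0/0/23
 port-group name port_group_2
  network-basic-profile basic_profile_2
  user-access-profile access_profile
  as name as3 interface GigabitEthernet 0/0/1 to 0/0/24
  as name as5 interface Ethernet 0/0/1 to 0/0/24
 port-group connect-ap name ap
  as name as2 interface GigabitEthernet 0/0/24
"""


def parse_parent_config(text):
    """Collect whitelist, AS definitions, profile names, AS groups and port groups."""
    cfg = {"whitelist": set(), "as": {}, "profiles": set(), "as_groups": {}, "port_groups": {}}
    ctx = None                                   # the as-group / port-group block being read
    for raw in text.splitlines():
        line = raw.split("//")[0].strip()        # drop the guide's inline comments
        if m := re.match(r"whitelist mac-address (\S+)", line):
            cfg["whitelist"].add(m[1]); ctx = None
        elif m := re.match(r"as name (\S+) model \S+ mac-address (\S+)$", line):
            cfg["as"][m[1]] = m[2]; ctx = None
        elif m := re.match(r"(?:as-admin|network-basic|user-access)-profile name (\S+)", line):
            cfg["profiles"].add(m[1]); ctx = None
        elif m := re.match(r"as-group name (\S+)", line):
            ctx = cfg["as_groups"][m[1]] = {"profile": None, "members": set()}
        elif m := re.match(r"port-group name (\S+)", line):
            ctx = cfg["port_groups"][m[1]] = {"basic": None, "access": None, "members": set()}
        elif not line or re.match(r"port-group connect-ap|interface |#|return", line):
            ctx = None                           # AP port groups carry no service profiles
        elif ctx is not None:
            if m := re.match(r"as-admin-profile (\S+)$", line):
                ctx["profile"] = m[1]
            elif m := re.match(r"network-basic-profile (\S+)$", line):
                ctx["basic"] = m[1]
            elif m := re.match(r"user-access-profile (\S+)$", line):
                ctx["access"] = m[1]
            elif m := re.match(r"as name (\S+)(?: interface|$)", line):
                ctx["members"].add(m[1])
    return cfg


def audit_parent_config(text):
    """Findings that would leave an AS offline, unmanaged or without NAC after commit."""
    cfg, out = parse_parent_config(text), []
    known = set(cfg["as"].values())
    for name, mac in cfg["as"].items():
        if mac not in cfg["whitelist"]:
            out.append(f"AS {name} ({mac}) is defined but not whitelisted, so it cannot go online")
    for mac in sorted(cfg["whitelist"] - known):
        out.append(f"whitelisted MAC {mac} has no 'as name' definition")
    in_group, in_port_group = set(), set()
    for g, d in cfg["as_groups"].items():
        if d["profile"] not in cfg["profiles"]:
            out.append(f"AS group {g} binds undefined administrator profile {d['profile']}")
        in_group |= d["members"]
    for g, d in cfg["port_groups"].items():
        for key in ("basic", "access"):
            if d[key] not in cfg["profiles"]:
                out.append(f"port group {g} binds undefined {key} profile {d[key]}")
        in_port_group |= d["members"]
    for name in cfg["as"]:
        if name not in in_group:
            out.append(f"AS {name} is in no AS group, so no administrator profile reaches it")
        if name not in in_port_group:
            out.append(f"AS {name} is in no port group, so no VLAN or 802.1X settings reach it")
    return out


# Deliberately broken variant: a whitelist entry with no AS, and as5 dropped from admin_group.
PARENT_CONFIG_BAD = "\n".join(l for l in PARENT_CONFIG.splitlines() if l.strip() != "as name as5") \
    .replace("as-auth\n", "as-auth\n whitelist mac-address 00e0-fc00-0066\n")
```

Run audit_parent_config on the text of display current-configuration taken from the parent; an empty list means every defined AS is whitelisted, grouped and covered by a port group. The AP port group (port-group connect-ap) is deliberately skipped, because it binds no service profiles and must not be mistaken for a service port group.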

3.4.3.5 Example for Configuring SVF (S6720S-EI as the Parent)

Precautions
● The Super Virtual Fabric (SVF) function on a parent is license controlled. The
license only enables the SVF function but does not control SVF service
specifications and only needs to be loaded on the parent.
● The SVF function is mutually exclusive with the web initial login mode,
EasyDeploy, USB-based deployment, and NETCONF functions.
● When the parent version is earlier than V200R011C10, the AS version must be
the same as the parent version. Otherwise, this AS cannot go online. For
example, if the parent version is V200R010C00, the AS version must also be
V200R010C00.
● When the parent version is V200R011C10 or later, the parent version and AS
version can be different, but the parent version must be higher than or the
same as the AS version and the AS version must also be V200R011C10 or
later.
● When GE optical interfaces are connected to XGE optical interfaces to connect
level-1 ASs to the parent or connect level-2 ASs to level-1 ASs, these
interfaces must use GE instead of XGE optical modules.
● If an AS is a stack set up using service ports, the AS must join an SVF system
after having the stacking function configured. This limitation does not apply
to an AS that is a stack set up using stack cards.
● When a cluster switch system (CSS) functioning as the parent is faulty:
– If one member switch in the CSS is faulty, the SVF function is not
affected.
– If the CSS splits but two member switches are working normally, the SVF
function becomes unavailable because ASs do not know which switch is
the parent. In this situation, you are advised to configure the dual-active
detection (DAD) function.

Networking Requirements
A new campus network has a large number of wired access devices. The widely
distributed access devices complicate management and configuration of the
access layer. Unified management and configuration of wired access devices is
required to reduce the management cost.
In this example, complete the following operations on access devices:
● Configure the administrator user name and password for access devices.
● Assign VLANs to ports of access devices.
● Set the user access authentication mode to 802.1X authentication.
As shown in Figure 3-64, two aggregation switches (SwitchA and SwitchB) set up
a stack to improve reliability and function as the parent that connects to multiple
ASs. Multi-active detection (MAD) in direct mode must be configured on the
parent to avoid conflicts if the stack splits.
In this example, the parent consists of two S6720S-26Q-EI-24S switches, and the ASs are S5700S-28P-LI switches.

Figure 3-64 SVF networking

Data plan

Item | Data | Description
Parent | A stack established by SwitchA and SwitchB (two S6720S-26Q-EI-24S switches) | The service port connection mode is used to set up the stack, and the two 40GE ports on each member switch are used as physical member ports of the logical stack port.
Directly connected MAD ports on the parent | XGE0/0/4 and XGE1/0/4 | –
MAC addresses of the parent and ASs 1 to 3 | Parent: 00e0-fc00-1100; AS1: 00e0-fc00-0011; AS2: 00e0-fc00-0022; AS3: 00e0-fc00-0033 | –
SVF management VLAN | VLAN 11 | –
IP address of the management VLANIF interface | 192.168.11.1 | –
Ports that connect the parent to AS1 | XGE0/0/1 and XGE1/0/1 | Add the two ports to Eth-Trunk1 and bind them to Fabric-port 1.
Ports that connect the parent to AS2 | XGE0/0/2 and XGE1/0/2 | Add the two ports to Eth-Trunk2 and bind them to Fabric-port 2.
Ports that connect the parent to AS3 | XGE0/0/3 and XGE1/0/3 | Add the two ports to Eth-Trunk3 and bind them to Fabric-port 3.
AS authentication mode | Whitelist authentication | –
Service configuration for the AS administrator profile | Administrator profile: admin_profile, in which you configure the administrator user name and password. AS group: admin_group, which includes all the ASs. | Bind admin_profile to admin_group.
Service configuration for the AS network basic profile | Network basic profile: basic_profile, in which you configure default VLAN 10. Port group: port_group, which includes all AS1 ports, all AS2 ports, and all AS3 ports. | Bind basic_profile to port_group.
Service configuration for the AS user access profile | User access profile: access_profile, in which you set the user access authentication mode to 802.1X authentication. | Bind access_profile to port_group.

Configuration Roadmap
1. Set up a stack between the parent switches using the service port connection
mode. Then set the stack working mode to parent and configure MAD in
direct mode to ensure high reliability of the SVF system.
2. Enable the SVF function on the parent.
3. Configure AS access parameters, including AS names (optional),
authentication mode, and fabric ports that connect the parent to ASs.
4. Connect ASs to the parent using cables.
5. Configure service profiles and bind them to ASs.
6. Log in to ASs to check the service configurations of the ASs.

Procedure
Step 1 Set up a stack between the two switches used as the parent. Set the stack working
mode to parent and configure MAD in direct mode.
# Configure service ports 40GE0/0/1 and 40GE0/0/2 of SwitchA as physical
member ports and add them to the logical stack ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface stack-port 0/1
[SwitchA-stack-port0/1] port interface 40ge 0/0/1 enable
[SwitchA-stack-port0/1] quit
[SwitchA] interface stack-port 0/2
[SwitchA-stack-port0/2] port interface 40ge 0/0/2 enable
[SwitchA-stack-port0/2] quit

# Configure service ports 40GE0/0/1 and 40GE0/0/2 of SwitchB as physical
member ports and add them to the logical stack ports.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] interface stack-port 0/1
[SwitchB-stack-port0/1] port interface 40ge 0/0/1 enable
[SwitchB-stack-port0/1] quit
[SwitchB] interface stack-port 0/2
[SwitchB-stack-port0/2] port interface 40ge 0/0/2 enable
[SwitchB-stack-port0/2] quit

# Set the stack priority of SwitchA to 200.


[SwitchA] stack slot 0 priority 200

# Set the stack ID of SwitchB to 1.


[SwitchB] stack slot 0 renumber 1

# Power off SwitchA and SwitchB, connect the physical member ports using QSFP+
cables, and then power on the switches. Connect the member port of logical
stack port 1 on one switch to the member port of logical stack port 2 on the other
switch.
# Log in to the stack and configure it to work in parent mode.

NOTE

<SwitchA> system-view
[SwitchA] as-mode disable
Warning: Switching the AS mode will clear current configuration and reboot the system. Continue? [Y/N]:y

# Log in to the stack and configure MAD in direct mode.


<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface xgigabitethernet 0/0/4
[SwitchA-XGigabitEthernet0/0/4] mad detect mode direct
[SwitchA-XGigabitEthernet0/0/4] quit
[SwitchA] interface xgigabitethernet 1/0/4
[SwitchA-XGigabitEthernet1/0/4] mad detect mode direct
[SwitchA-XGigabitEthernet1/0/4] quit

Step 2 Configure the management VLAN in the SVF system and enable the SVF function
on the parent.
[SwitchA] vlan batch 11
[SwitchA] dhcp enable
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] ip address 192.168.11.1 24
[SwitchA-Vlanif11] dhcp select interface
[SwitchA-Vlanif11] dhcp server option 43 ip-address 192.168.11.1
[SwitchA-Vlanif11] quit
[SwitchA] capwap source interface vlanif 11
[SwitchA] stp mode rstp
[SwitchA] uni-mng
Warning: This operation will enable the uni-mng mode and disconnect all ASs. STP calculation may be
triggered and service traffic will be affected. Continue? [Y/N]:y

Step 3 Configure AS access parameters.


# (Optional) Configure a name for each AS.

NOTE

● If you do not perform this step, the system will generate AS device information when ASs
connect to the SVF system. An AS name is in the format of system default name-system
MAC address.
● If you need to perform this step, ensure that the configured model and mac-address
parameters are consistent with the actual AS information. The value of mac-address must
be the AS management MAC address or system MAC address. To view the AS management
MAC address, run the display as access configuration command on the AS. If the
management MAC displays --, the value of mac-address is the system MAC address. If the
configured parameters are inconsistent with the actual AS information, the AS cannot go
online.
[SwitchA-um] as name as1 model S5700S-28P-LI-AC mac-address 00e0-fc00-0011
[SwitchA-um-as-as1] quit
[SwitchA-um] as name as2 model S5700S-28P-LI-AC mac-address 00e0-fc00-0022
[SwitchA-um-as-as2] quit
[SwitchA-um] as name as3 model S5700S-28P-LI-AC mac-address 00e0-fc00-0033
[SwitchA-um-as-as3] quit

# Configure the fabric port that connects the parent to AS1.


[SwitchA-um] interface fabric-port 1
[SwitchA-um-fabric-port-1] port member-group interface eth-trunk 1
[SwitchA-um-fabric-port-1] quit
[SwitchA-um] quit
[SwitchA] interface xgigabitethernet 0/0/1
[SwitchA-XGigabitEthernet0/0/1] eth-trunk 1
[SwitchA-XGigabitEthernet0/0/1] quit
[SwitchA] interface xgigabitethernet 1/0/1
[SwitchA-XGigabitEthernet1/0/1] eth-trunk 1
[SwitchA-XGigabitEthernet1/0/1] quit

# Configure the fabric port that connects the parent to AS2.


[SwitchA] uni-mng
[SwitchA-um] interface fabric-port 2
[SwitchA-um-fabric-port-2] port member-group interface eth-trunk 2
[SwitchA-um-fabric-port-2] quit
[SwitchA-um] quit
[SwitchA] interface xgigabitethernet 0/0/2
[SwitchA-XGigabitEthernet0/0/2] eth-trunk 2
[SwitchA-XGigabitEthernet0/0/2] quit
[SwitchA] interface xgigabitethernet 1/0/2
[SwitchA-XGigabitEthernet1/0/2] eth-trunk 2
[SwitchA-XGigabitEthernet1/0/2] quit

# Configure the fabric port that connects the parent to AS3.


[SwitchA] uni-mng
[SwitchA-um] interface fabric-port 3
[SwitchA-um-fabric-port-3] port member-group interface eth-trunk 3
[SwitchA-um-fabric-port-3] quit
[SwitchA-um] quit
[SwitchA] interface xgigabitethernet 0/0/3
[SwitchA-XGigabitEthernet0/0/3] eth-trunk 3
[SwitchA-XGigabitEthernet0/0/3] quit
[SwitchA] interface xgigabitethernet 1/0/3
[SwitchA-XGigabitEthernet1/0/3] eth-trunk 3
[SwitchA-XGigabitEthernet1/0/3] quit

# Configure whitelist authentication for ASs to connect to an SVF system.


To view the AS management MAC address, run the display as access
configuration command on the AS. If the management MAC displays --, the MAC
address configured in the whitelist is the AS system MAC address. Otherwise, the
MAC address configured in the whitelist is the AS management MAC address.
[SwitchA] as-auth
[SwitchA-as-auth] undo auth-mode
[SwitchA-as-auth] whitelist mac-address 00e0-fc00-0011
[SwitchA-as-auth] whitelist mac-address 00e0-fc00-0022
[SwitchA-as-auth] whitelist mac-address 00e0-fc00-0033
[SwitchA-as-auth] quit

Step 4 Run the reset saved-configuration command to clear the configurations of ASs,
restart the ASs, and then connect ASs to the parent using cables. Subsequently, an
SVF system is set up.
NOTE

● Before restarting an AS, check whether the port that connects this AS to the parent is a
downlink port. You can run the display port connection-type access all command on this
AS to view all downlink ports on it. If this port is a downlink port, run the uni-mng up-
direction fabric-port command on this AS to configure this port as an uplink port before
restarting this AS. Otherwise, this AS cannot go online.
● Before connecting an AS to the parent, ensure that the AS has no configuration file and no
input on the console port.

# After connecting cables, run the display as all command to check whether ASs
have connected to the SVF system.
[SwitchA] display as all
Total: 3, Normal: 3, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5700S-P-LI 00e0-fc00-0011 192.168.11.254 normal as1
1 S5700S-P-LI 00e0-fc00-0022 192.168.11.253 normal as2
2 S5700S-P-LI 00e0-fc00-0033 192.168.11.252 normal as3
--------------------------------------------------------------------------------

When the State field in the command output displays normal for an AS, the AS
has connected to the SVF system.

# Run the display uni-mng topology information command to view SVF
topology information.
[SwitchA] display uni-mng topology information
The topology information of uni-mng network:
<-->: direct link <??>: indirect link
T: Trunk ID *: independent AS
------------------------------------------------------------------------------
Local MAC Hop Local Port T || T Peer Port Peer MAC
------------------------------------------------------------------------------
00e0-fc00-1100 0 XGE0/0/1 1 <-->0 GE0/0/27 00e0-fc00-0011
00e0-fc00-1100 0 XGE1/0/1 1 <-->0 GE0/0/28 00e0-fc00-0011
00e0-fc00-1100 0 XGE0/0/2 2 <-->0 GE0/0/27 00e0-fc00-0022
00e0-fc00-1100 0 XGE1/0/2 2 <-->0 GE0/0/28 00e0-fc00-0022
00e0-fc00-1100 0 XGE0/0/3 3 <-->0 GE0/0/27 00e0-fc00-0033
00e0-fc00-1100 0 XGE1/0/3 3 <-->0 GE0/0/28 00e0-fc00-0033
------------------------------------------------------------------------------
Total items displayed : 6
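Once the ASs are online, the two outputs above can be checked mechanically rather than by eye. The following Python script is an added example (not Huawei code and not part of this guide): it parses constructed copies of the display as all and display uni-mng topology information outputs shown above and reports any AS whose state is not normal, any neighbour MAC address that is not in the whitelist from the data plan (a device on a parent port that should not be there), any indirect link, and any AS that does not have both of its fabric links up. The second, deliberately broken pair of outputs (as3 in fault state with one link missing, and a neighbour 00e0-fc00-0099 on XGE0/0/5) is constructed, and all function names are the example's own.

```python
import re
from collections import Counter

# Whitelist from this example's data plan (AS1 to AS3) and links per fabric port.
AS_WHITELIST = {"00e0-fc00-0011", "00e0-fc00-0022", "00e0-fc00-0033"}
EXPECTED_UPLINKS = 2

# Constructed copies of the two command outputs shown above.
AS_ALL_OK = """\
Total: 3, Normal: 3, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5700S-P-LI 00e0-fc00-0011 192.168.11.254 normal as1
1 S5700S-P-LI 00e0-fc00-0022 192.168.11.253 normal as2
2 S5700S-P-LI 00e0-fc00-0033 192.168.11.252 normal as3
"""

TOPOLOGY_OK = """\
<-->: direct link <??>: indirect link
T: Trunk ID *: independent AS
Local MAC Hop Local Port T || T Peer Port Peer MAC
00e0-fc00-1100 0 XGE0/0/1 1 <-->0 GE0/0/27 00e0-fc00-0011
00e0-fc00-1100 0 XGE1/0/1 1 <-->0 GE0/0/28 00e0-fc00-0011
00e0-fc00-1100 0 XGE0/0/2 2 <-->0 GE0/0/27 00e0-fc00-0022
00e0-fc00-1100 0 XGE1/0/2 2 <-->0 GE0/0/28 00e0-fc00-0022
00e0-fc00-1100 0 XGE0/0/3 3 <-->0 GE0/0/27 00e0-fc00-0033
00e0-fc00-1100 0 XGE1/0/3 3 <-->0 GE0/0/28 00e0-fc00-0033
"""

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
# No. Type MAC IP State Name
AS_ROW = re.compile(rf"^\s*\d+\s+\S+\s+({MAC})\s+\S+\s+(\S+)\s+(\S+)\s*$")
# Local MAC, Hop, Local Port, T, link kind + peer T, Peer Port, Peer MAC
TOPO_ROW = re.compile(rf"^\s*({MAC})\s+\d+\s+(\S+)\s+\d+\s+(<-->|<\?\?>)\d+\s+(\S+)\s+({MAC})\s*$")


def parse_as_all(text):
    """Map AS MAC -> (state, name) from 'display as all' output."""
    return {m[1]: (m[2], m[3]) for m in map(AS_ROW.match, text.splitlines()) if m}


def parse_topology(text):
    """List (local_port, link_kind, peer_port, peer_mac) from the topology output."""
    return [m.groups()[1:] for m in map(TOPO_ROW.match, text.splitlines()) if m]


def audit_svf(as_all_text, topo_text, whitelist=AS_WHITELIST, expected_uplinks=EXPECTED_UPLINKS):
    """Return human-readable issues; an empty list means the SVF system looks as planned."""
    issues, ases, uplinks = [], parse_as_all(as_all_text), Counter()
    for mac, (state, name) in ases.items():
        if state != "normal":
            issues.append(f"{name} ({mac}) state is '{state}', expected 'normal'")
        if mac not in whitelist:
            issues.append(f"{name} ({mac}) is online but not in the AS whitelist")
    for local_port, kind, peer_port, peer_mac in parse_topology(topo_text):
        if peer_mac not in whitelist:      # something other than a planned AS on a parent port
            issues.append(f"unexpected neighbour {peer_mac} ({peer_port}) on {local_port}")
            continue
        if kind != "<-->":
            issues.append(f"{peer_mac} reached indirectly via {local_port}; expected a direct fabric link")
        uplinks[peer_mac] += 1
    for mac, (state, name) in ases.items():
        if uplinks[mac] != expected_uplinks:
            issues.append(f"{name} ({mac}) has {uplinks[mac]} fabric link(s), expected {expected_uplinks}")
    return issues


# Constructed failure case: as3 faulty with one link gone, plus an unknown device on XGE0/0/5.
AS_ALL_BAD = AS_ALL_OK.replace("192.168.11.252 normal as3", "192.168.11.252 fault as3")
TOPOLOGY_BAD = (TOPOLOGY_OK.replace("00e0-fc00-1100 0 XGE1/0/3 3 <-->0 GE0/0/28 00e0-fc00-0033\n", "")
                + "00e0-fc00-1100 0 XGE0/0/5 4 <-->0 GE0/0/1 00e0-fc00-0099\n")
```

The whitelist is only a list of MAC addresses the parent was told to expect, so this check detects a missing or extra device on a fabric port, not a device that presents a planned address; treat an unexpected neighbour as a reason to inspect the port, not as proof of anything more.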

# Run the display uni-mng upgrade-info verbose command to view all AS
version information.
[SwitchA] display uni-mng upgrade-info verbose
The total number of AS is : 3
----------------------------------------------------------------------------
AS name : as1
Work status : NO-UPGRADE
Startup system-software : flash:/s5700s-p-li.cc
Startup version : V200R009C00
Startup patch : --
Next startup system-software : --
Next startup patch : --
Download system-software : --
Download version : --
Download patch : --
Method : --
Upgrading phase : --
Last operation result : --
Error reason : --
Last operation time : --
----------------------------------------------------------------------------
AS name : as2
Work status : NO-UPGRADE
Startup system-software : flash:/s5700s-p-li.cc
Startup version : V200R009C00
Startup patch : --
Next startup system-software : --
Next startup patch : --
Download system-software : --
Download version : --
Download patch : --
Method : --
Upgrading phase : --
Last operation result : --
Error reason : --
Last operation time : --
----------------------------------------------------------------------------
AS name : as3
Work status : NO-UPGRADE
Startup system-software : flash:/s5700s-p-li.cc
Startup version : V200R009C00
Startup patch : --
Next startup system-software : --
Next startup patch : --
Download system-software : --
Download version : --
Download patch : --
Method : --
Upgrading phase : --
Last operation result : --
Error reason : --
Last operation time : --
----------------------------------------------------------------------------
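The version rule stated under Precautions at the start of this example can be applied to the display uni-mng upgrade-info verbose output above. The following Python script is an added example (not Huawei code and not part of this guide): as_version_allowed encodes the rule (before V200R011C10 the AS version must equal the parent version; from V200R011C10 the AS may run any version from V200R011C10 up to and including the parent's), and mismatched_ases applies it to a constructed, trimmed copy of the output above. Comparison is by the V, R and C fields only; an SPC patch suffix, if present, is parsed but ignored, which is the example's own simplification.

```python
import re

# Constructed, trimmed copy of the 'display uni-mng upgrade-info verbose' output above.
UPGRADE_INFO = """\
The total number of AS is : 3
----------------------------------------------------------------------------
AS name : as1
Work status : NO-UPGRADE
Startup system-software : flash:/s5700s-p-li.cc
Startup version : V200R009C00
Startup patch : --
----------------------------------------------------------------------------
AS name : as2
Work status : NO-UPGRADE
Startup system-software : flash:/s5700s-p-li.cc
Startup version : V200R009C00
Startup patch : --
----------------------------------------------------------------------------
AS name : as3
Work status : NO-UPGRADE
Startup system-software : flash:/s5700s-p-li.cc
Startup version : V200R009C00
Startup patch : --
"""


def parse_version(v):
    """Turn 'V200R011C10' (optionally with an SPC suffix) into a comparable tuple."""
    m = re.fullmatch(r"V(\d+)R(\d+)C(\d+)(?:SPC\d+)?", v.strip().upper())
    if not m:
        raise ValueError(f"unrecognised version string: {v!r}")
    return tuple(int(x) for x in m.groups())


MIXED_VERSION_FLOOR = parse_version("V200R011C10")   # first release allowing mixed versions


def as_version_allowed(parent, as_ver):
    """The two precautions: identical versions before V200R011C10, otherwise
    V200R011C10 <= AS version <= parent version."""
    p, a = parse_version(parent), parse_version(as_ver)
    if p < MIXED_VERSION_FLOOR:
        return a == p
    return MIXED_VERSION_FLOOR <= a <= p


def parse_upgrade_info(text):
    """Map AS name -> startup version from the command output."""
    versions, name = {}, None
    for line in text.splitlines():
        if m := re.match(r"\s*AS name\s*:\s*(\S+)", line):
            name = m[1]
        elif name and (m := re.match(r"\s*Startup version\s*:\s*(\S+)", line)):
            versions[name] = m[1]
    return versions


def check_as_versions(parent_version, text):
    """Return {as_name: (as_version, allowed)} for every AS in the output."""
    return {n: (v, as_version_allowed(parent_version, v)) for n, v in parse_upgrade_info(text).items()}


def mismatched_ases(parent_version, text):
    """Names of ASs that the precautions say cannot go online behind this parent."""
    return sorted(n for n, (_, ok) in check_as_versions(parent_version, text).items() if not ok)
```

Feed the parent's own version (from display version) as parent_version; an AS listed by mismatched_ases will show up under Version mismatch in display as all rather than as normal.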

Step 5 Configure service profiles and bind them to ASs.


# Configure an AS administrator profile and bind it to all ASs.
[SwitchA] uni-mng
[SwitchA-um] as-admin-profile name admin_profile
[SwitchA-um-as-admin-admin_profile] user asuser password YsHsjx_202206
[SwitchA-um-as-admin-admin_profile] quit
[SwitchA-um] as-group name admin_group
[SwitchA-um-as-group-admin_group] as name-include as
[SwitchA-um-as-group-admin_group] as-admin-profile admin_profile
[SwitchA-um-as-group-admin_group] quit

# Configure network basic profiles and bind them to AS ports.


[SwitchA-um] network-basic-profile name basic_profile
[SwitchA-um-net-basic-basic_profile] user-vlan 10
[SwitchA-um-net-basic-basic_profile] quit
[SwitchA-um] port-group name port_group
[SwitchA-um-portgroup-port_group] as name as1 interface all
[SwitchA-um-portgroup-port_group] as name as2 interface all
[SwitchA-um-portgroup-port_group] as name as3 interface all
[SwitchA-um-portgroup-port_group] network-basic-profile basic_profile
[SwitchA-um-portgroup-port_group] quit
[SwitchA-um] quit

# Configure a user access profile and bind it to all AS ports.

[SwitchA] dot1x-access-profile name 1
[SwitchA-dot1x-access-profile-1] quit
[SwitchA] authentication-profile name dot1x_auth
[SwitchA-authen-profile-dot1x_auth] dot1x-access-profile 1
[SwitchA-authen-profile-dot1x_auth] quit
[SwitchA] uni-mng
[SwitchA-um] user-access-profile name access_profile
[SwitchA-um-user-access-access_profile] authentication-profile dot1x_auth
[SwitchA-um-user-access-access_profile] quit
[SwitchA-um] port-group name port_group
[SwitchA-um-portgroup-port_group] user-access-profile access_profile
[SwitchA-um-portgroup-port_group] quit

# Commit the configurations so that the configurations in service profiles can be
delivered to ASs.
[SwitchA-um] commit as all
Warning: Committing the configuration will take a long time. Continue?[Y/N]: y

# Run the display uni-mng commit-result profile command to check whether
the configurations in service profiles have been delivered to ASs.
[SwitchA-um] display uni-mng commit-result profile
Result of profile:
--------------------------------------------------------------------------------
AS Name Commit Time Commit/Execute Result
--------------------------------------------------------------------------------
as1 2016-03-23 21:27:35 Success/Success
as2 2016-03-23 21:27:35 Success/Success
as3 2016-03-23 21:27:37 Success/Success
--------------------------------------------------------------------------------

When the Commit/Execute Result field in the command output displays Success/
Success for an AS, the configurations in service profiles have been delivered to the
AS.
Step 6 Log in to ASs to check the service configurations of the ASs. The following uses
the login to AS1 as an example.
# Run the attach as name as-name command on the parent to log in to AS1 and
check whether the configured login user name and password are correct.
[SwitchA-um] attach as name as1
Info: Connecting to the remote AS now. Use the quit command to return to the user view.
Trying 192.168.11.254 ...
Press CTRL+K to abort
Connected to 192.168.11.254 ...

Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
The current login time is 2016-03-25 22:31:18+00:00.
<HUAWEI>

# Check whether service configurations of AS ports are generated.


<HUAWEI> display current-configuration
......
#
interface Eth-Trunk0
port link-type hybrid
port hybrid tagged vlan 1 11
stp instance 0 cost 200
traffic-filter outbound acl 4998
traffic-limit outbound acl 3999 cir 128 pir 128 cbs 16000 pbs 16000
traffic-statistic outbound acl 3999
traffic-limit outbound acl 4999 cir 32 pir 32 cbs 4000 pbs 4000
traffic-statistic outbound acl 4999
mode lacp
mad detect mode relay
#
interface GigabitEthernet0/0/1
stp root-protection
authentication access-point
authentication dot1x
#
interface GigabitEthernet0/0/26
eth-trunk 0
broadcast-suppression 100
#
......

----End

Configuration Summary
1. You can configure service profiles and bind them to ASs before or after the
ASs connect to the SVF system. The AS service configuration mode includes
the pre-configured and non-pre-configured modes depending on the time
services are configured. Whatever configuration mode you use, you must run
the commit as { name as-name | all } command to commit the configuration
after completing it.
– Pre-configured mode: Before ASs connect to the SVF system, pre-
configure service profiles, bind them to the ASs, save the configuration on
the parent, and then run the commit as { name as-name | all }
command to commit the configuration. When the ASs connect to the SVF
system, configurations in the service profiles are automatically delivered
to the ASs.
– Non-pre-configured mode: After ASs connect to the SVF system,
configure service profiles, bind them to the ASs, and then run the
commit as { name as-name | all } command to commit the
configuration so that configurations in the service profiles can be
delivered to the ASs.
2. After the SVF function is enabled, the Spanning Tree Protocol (STP) and Link
Layer Discovery Protocol (LLDP) functions are enabled globally on the parent.
Pay attention to the following points when using the STP and LLDP functions
in an SVF system:
– You can disable the STP and LLDP functions only on ports, not globally.
– Do not disable the LLDP function on member ports of a fabric port.
Otherwise, the SVF topology will become abnormal.
3. After the SVF function is enabled, the parent changes the STP mode to Rapid
Spanning Tree Protocol (RSTP) and sets the priority of instance 0 to 28672
using the stp instance 0 priority 28672 command. The priority of instance 0
cannot be set to a value greater than 28672. After the SVF function is
disabled, the default priority of instance 0 is restored. When the SVF
function is enabled or disabled, STP recalculates the port roles and changes
the port states, so traffic on the ports is interrupted temporarily.
4. The MAD relay function is automatically enabled on the Eth-Trunk to which a
downlink fabric port is bound, and the MAD function is automatically enabled
on the Eth-Trunk to which an uplink fabric port is bound to perform MAD in
an AS that is a stack. When the standby switch in the AS is removed, MAD
cannot be performed because the standby switch restarts automatically
without saving the configuration.

5. To prevent the SVF function from being affected, do not perform MIB
operations to modify the configuration automatically generated in an SVF
system, for example, the configuration of STP, LLDP, and Eth-Trunk to which a
fabric port is bound.
6. On the parent, there may be a delay in displaying the output of some
commands executed on ASs, including the patch delete all and patch load
filename all [ active | run ] commands.
7. In an SVF system, the maximum frame length allowed by ports cannot be
configured on an AS. Therefore, the maximum frame length is the default
value 9216 (including the CRC field).
8. Attacks originating inside the management VLAN will cause ASs to disconnect
from the SVF system. After identifying the attack source, set the attacked
ports to error-down or remove them from the management VLAN.
9. After an AS disconnects from the SVF system, in versions earlier than
V200R012C00, all downlink ports of the AS will be error down. In
V200R012C00 and later versions, to ensure that downlink networks of the AS
can communicate with each other, downlink ports of the AS will not be error
down.
10. Configured Control and Provisioning of Wireless Access Points (CAPWAP)
tunnel parameters apply to the SVF system. To ensure that the CAPWAP
tunnel of the SVF system works normally, you are advised to retain the
default CAPWAP tunnel parameters.
11. In the SVF system, network access rights available before users pass network
admission control (NAC) authentication can be authorized through
authentication-free rules instead of a user control list (UCL) group.
12. SVF does not support built-in Portal servers.

Parent Configuration File (configuration in V200R011C10 as an example)


#
sysname SwitchA
#
vlan batch 11
#
stp mode rstp
stp instance 0 priority 28672
#
authentication-profile name dot1x_auth
dot1x-access-profile 1
#
lldp enable
#
dhcp enable
#
interface Vlanif11
ip address 192.168.11.1 255.255.255.0
dhcp select interface
dhcp server option 43 ip-address 192.168.11.1
#
interface Eth-Trunk1
port link-type hybrid
port hybrid tagged vlan 1 10 to 11
stp root-protection
stp edged-port disable
mode lacp
mad relay
#
interface Eth-Trunk2
port link-type hybrid
port hybrid tagged vlan 1 10 to 11
stp root-protection
stp edged-port disable
mode lacp
mad relay
#
interface Eth-Trunk3
port link-type hybrid
port hybrid tagged vlan 1 10 to 11
stp root-protection
stp edged-port disable
mode lacp
mad relay
#
interface XGigabitEthernet0/0/1
eth-trunk 1
#
interface XGigabitEthernet0/0/2
eth-trunk 2
#
interface XGigabitEthernet0/0/3
eth-trunk 3
#
interface XGigabitEthernet0/0/4
mad detect mode direct
#
interface XGigabitEthernet1/0/1
eth-trunk 1
#
interface XGigabitEthernet1/0/2
eth-trunk 2
#
interface XGigabitEthernet1/0/3
eth-trunk 3
#
interface XGigabitEthernet1/0/4
mad detect mode direct
#
capwap source interface vlanif11
#
as-auth
whitelist mac-address 00e0-fc00-0011
whitelist mac-address 00e0-fc00-0022
whitelist mac-address 00e0-fc00-0033
#
uni-mng
as name as1 model S5700S-28P-LI-AC mac-address 00e0-fc00-0011 //Check whether the AS configuration and ports connected to the ASs are correct.
as name as2 model S5700S-28P-LI-AC mac-address 00e0-fc00-0022
as name as3 model S5700S-28P-LI-AC mac-address 00e0-fc00-0033
interface fabric-port 1
port member-group interface Eth-Trunk 1
interface fabric-port 2
port member-group interface Eth-Trunk 2
interface fabric-port 3
port member-group interface Eth-Trunk 3
as-admin-profile name admin_profile //Check the administrator profile configuration.
user asuser password %^%#Ky,WNqWh_DZ[(V96yvSEph)VLMc/+U}>]i2:"9n:%^%#
network-basic-profile name basic_profile //Check the network basic profile configuration.
user-vlan 10
user-access-profile name access_profile //Check the user access profile configuration.
authentication-profile dot1x_auth
as-group name admin_group //Check whether an AS group has been created and bound to the AS administrator profile.
as-admin-profile admin_profile
as name as1
as name as2
as name as3
port-group name port_group //Check whether the port group has been bound to service profiles and whether ports connected to ASs have been added to the port group.
network-basic-profile basic_profile
user-access-profile access_profile
as name as1 interface GigabitEthernet 0/0/1 to 0/0/24
as name as2 interface GigabitEthernet 0/0/1 to 0/0/24
as name as3 interface GigabitEthernet 0/0/1 to 0/0/24
#
dot1x-access-profile name 1
#
return

3.4.3.6 Example for Configuring Services for ASs

AS Service Configuration Overview


In an SVF system, two AS service configuration modes are available: centralized
mode and independent mode. The two modes cannot be used on the same AS.

In centralized mode, all service configurations for ASs are performed on the
parent. Therefore, the services that can be configured on an AS depend on the
services that can be configured on the parent, not on the services supported by
a standalone access switch.

Table 3-27 Configurations in centralized mode

Method: Global configuration
Description: Configure service functions in the uni-mng view of the parent (except that authentication-free rules need to be configured in the system view), and then run the commit as { name as-name | all } command to deliver AS service configurations. This mode supports few configurations.

Method: Profile-based configuration
Description: Create service profiles and the required device and port groups on the parent, bind the service profiles to the device and port groups, and then run the commit as { name as-name | all } command to deliver AS service configurations. If multiple ASs or ports in an SVF system need the same configuration, add them to the same group so that they are configured in a batch, which improves configuration efficiency.

Method: Direct configuration
Description: Run the direct-command command on the parent to deliver configurations directly to an AS. These configurations take effect on the AS immediately.

In independent mode, you log in to an AS and configure services on the AS using
commands. After the configuration is complete, run the upload config command to
save the configuration file on the AS and upload it to the parent. The
independent mode supports more service configurations than the centralized
mode. When services cannot be configured in a batch on the parent for an AS,
log in to the AS to configure it. After an AS changes from the centralized mode
to the independent mode, all service configurations delivered using profiles or
direct-command before the mode switch are retained.

Precautions
● Not all services can be configured on an AS. For the services that can be
configured on an AS, see 3.4.3.1.3 SVF Service Deployment Limitations.
● In versions earlier than V200R020C00, you do not need to configure an AS
administrator before configuring services for an AS in centralized mode. In
V200R020C00 and later versions, before configuring services for an AS in
centralized mode, configure an AS administrator and deliver the configuration
to the AS.
● Before configuring services for an AS, ensure that the AS has gone online.
● In this example, services for ASs are configured in centralized mode.

Networking Requirements
As shown in Figure 3-65, to facilitate management and configuration of a new
campus network, devices at the access, aggregation, and core layers have set up
an SVF system. In this system, two core switches set up a CSS and function as the
parent, aggregation switches function as level-1 ASs, and access switches function
as level-2 ASs. The gateway is deployed on the parent. You need to perform the
following operations on the parent to configure services for ASs:
● Configure the administrator user name and password for each AS.
● Add interfaces on each AS to VLANs.
● Connect an access switch to a server using an Eth-Trunk.
● Set the authentication mode for PCs and printers to MAC address
authentication.
● Configure traffic suppression, traffic rate limiting, and port security for ASs to
improve security.
● Configure descriptions for AS interfaces to identify the interface usage.
In this example, the S7700 functions as the parent, the S5700-28P-PWR-LI
functions as a level-1 AS, and the S2750-28TP-EI functions as a level-2 AS.

Figure 3-65 SVF networking

Data Plan

Item: VLANs used for user communication
Data: VLAN 20, VLAN 30, VLAN 40, and VLAN 50
Description: -

Item: Eth-Trunk interface connecting access switches to servers
Data: Eth-Trunk10
Description: This interface cannot be a fabric port in the SVF system.

Item: AS group
Data: AS group admin_group, containing all ASs in the SVF system.
Description: -

Item: Port group
Data:
● Port group port_group_1, containing GE0/0/2 on AS 4.
● Port group port_group_2, containing GE0/0/3 on AS 4.
● Port group port_group_3, containing Eth-Trunk10 on AS 5 (member ports GE0/0/2 and GE0/0/3).
● Port group port_group_4, containing GE0/0/4 on AS 5.
Description: -

Item: AS administrator profile
Data: Administrator profile admin_profile, in which the administrator user name and password are configured.
Description: Bind the administrator profile admin_profile to the AS group admin_group.

Item: Network basic profile
Data:
● Network basic profile basic_profile_1, in which the default VLAN is set to VLAN 20.
● Network basic profile basic_profile_2, in which the default VLAN is set to VLAN 30.
● Network basic profile basic_profile_3, in which the default VLAN is set to VLAN 40.
● Network basic profile basic_profile_4, in which the default VLAN is set to VLAN 50.
Description:
● Bind network basic profile basic_profile_1 to port group port_group_1.
● Bind network basic profile basic_profile_2 to port group port_group_2.
● Bind network basic profile basic_profile_3 to port group port_group_3.
● Bind network basic profile basic_profile_4 to port group port_group_4.

Item: Network enhanced profile
Data:
● Network enhanced profile network_profile_1, in which traffic suppression and traffic rate limiting are configured.
● Network enhanced profile network_profile_2, in which port security is configured.
Description:
● Bind network enhanced profile network_profile_1 to port_group_1 and port_group_2.
● Bind network enhanced profile network_profile_2 to port_group_4.

Item: User access profile
Data: User access profile mac_access_profile, in which the user access authentication mode is set to MAC address authentication.
Description: Bind user access profile mac_access_profile to port_group_1, port_group_2, and port_group_4.

Configuration Roadmap
1. Configure the user name and password of the AS administrator in an AS
administrator profile.
2. Create an Eth-Trunk interface for a level-2 AS to connect to a server and add
physical interfaces to this Eth-Trunk interface.
3. Configure a description for each interface to identify the interface usage.
4. Configure VLANs on ASs in batches.
5. Add interfaces to VLANs using network basic profiles.
6. Configure traffic suppression and traffic rate limiting in a network enhanced
profile.
7. Configure port security in a network enhanced profile and set the maximum
number of secure MAC addresses that can be learned on an interface.
8. Configure the user authentication mode in a user access profile.

Procedure
NOTE

After the configuration is complete, run the commit as { name as-name | all } command in
the uni-mng view to commit the configuration so that the configuration can be delivered to
ASs and take effect.

1. Run the display as all command to check whether each AS has gone online.
If the value of State of an AS is normal, the AS goes online normally.
<HUAWEI> display as all
Total: 5, Normal: 5, Fault: 0, Idle: 0, Version mismatch: 0
--------------------------------------------------------------------------------
No. Type MAC IP State Name
--------------------------------------------------------------------------------
0 S5700-P-LI 00e0-fc00-0011 192.168.11.254 normal as1
1 S5700-P-LI 00e0-fc00-0022 192.168.11.253 normal as2
2 S5700-P-LI 00e0-fc00-0033 192.168.11.252 normal as3
3 S2750-EI 00e0-fc00-0044 192.168.11.251 normal as4
4 S2750-EI 00e0-fc00-0055 192.168.11.250 normal as5

2. Configure the user name and password of the AS administrator in an AS administrator profile.
After the user name and password are configured for an AS, you need to
enter the user name and password when logging in to the AS through the
console port. However, when running the attach as command on the parent
to log in to an AS, you can automatically log in to the AS without entering
the user name and password of the AS administrator.
<HUAWEI> system-view
[HUAWEI] sysname Parent
[Parent] uni-mng
[Parent-um] as-admin-profile name admin_profile // Create an AS administrator profile.
[Parent-um-as-admin-admin_profile] user asuser password YsHsjx_202206 // Configure the user name and password of the AS administrator in the AS administrator profile.
[Parent-um-as-admin-admin_profile] quit
[Parent-um] as-group name admin_group // Create an AS group.
[Parent-um-as-group-admin_group] as name-include as // Add ASs whose names contain "as" to the AS group.
[Parent-um-as-group-admin_group] as-admin-profile admin_profile // Bind the AS administrator profile to the AS group.
[Parent-um-as-group-admin_group] quit

3. Create an Eth-Trunk interface on AS 5 and add physical interfaces to the Eth-Trunk interface.
[Parent-um] as name as5
[Parent-um-as-as5] uni eth-trunk 10 // Create an Eth-Trunk interface on AS 5.
[Parent-um-as-as5] port eth-trunk 10 trunkmember interface GigabitEthernet 0/0/2 // Add interfaces to the Eth-Trunk interface.
[Parent-um-as-as5] port eth-trunk 10 trunkmember interface GigabitEthernet 0/0/3
[Parent-um-as-as5] quit

4. Configure a description for each interface on AS 4 and AS 5.
[Parent-um] as name as4
[Parent-um-as-as4] direct-command view GigabitEthernet 0/0/2 command description connect-to-pc1
[Parent-um-as-as4] direct-command view GigabitEthernet 0/0/3 command description connect-to-pc2
[Parent-um-as-as4] quit
[Parent-um] as name as5
[Parent-um-as-as5] direct-command view Eth-Trunk 10 command description connect-to-server
[Parent-um-as-as5] direct-command view GigabitEthernet 0/0/4 command description connect-to-printer
[Parent-um-as-as5] quit

5. Create VLANs for ASs in batches.
[Parent-um] as service-vlan authorization 20 30 40 50 // Create VLANs on ASs.

6. Create network basic profiles to add interfaces on ASs to VLANs.
# Create network basic profiles.
[Parent-um] network-basic-profile name basic_profile_1 // Create a network basic profile.
[Parent-um-net-basic-basic_profile_1] user-vlan 20 // Configure the default VLAN in the network basic profile.
[Parent-um-net-basic-basic_profile_1] quit
[Parent-um] network-basic-profile name basic_profile_2
[Parent-um-net-basic-basic_profile_2] user-vlan 30
[Parent-um-net-basic-basic_profile_2] quit
[Parent-um] network-basic-profile name basic_profile_3
[Parent-um-net-basic-basic_profile_3] user-vlan 40
[Parent-um-net-basic-basic_profile_3] quit
[Parent-um] network-basic-profile name basic_profile_4
[Parent-um-net-basic-basic_profile_4] user-vlan 50
[Parent-um-net-basic-basic_profile_4] quit

# Configure port groups and bind a network basic profile to each port group.
[Parent-um] port-group name port_group_1 // Create a port group.
[Parent-um-portgroup-port_group_1] as name as4 interface gigabitethernet 0/0/2 // Add the port on AS 4 to the port group.
[Parent-um-portgroup-port_group_1] network-basic-profile basic_profile_1 // Bind the network basic profile basic_profile_1 to this port group.
[Parent-um-portgroup-port_group_1] quit
[Parent-um] port-group name port_group_2
[Parent-um-portgroup-port_group_2] as name as4 interface gigabitethernet 0/0/3
[Parent-um-portgroup-port_group_2] network-basic-profile basic_profile_2
[Parent-um-portgroup-port_group_2] quit
[Parent-um] port-group name port_group_3
[Parent-um-portgroup-port_group_3] as name as5 interface eth-trunk 10
[Parent-um-portgroup-port_group_3] network-basic-profile basic_profile_3
[Parent-um-portgroup-port_group_3] quit
[Parent-um] port-group name port_group_4
[Parent-um-portgroup-port_group_4] as name as5 interface gigabitethernet 0/0/4
[Parent-um-portgroup-port_group_4] network-basic-profile basic_profile_4
[Parent-um-portgroup-port_group_4] quit

7. Create a network enhanced profile to configure traffic suppression and traffic rate limiting.
# Create a network enhanced profile.
[Parent-um] network-enhanced-profile name network_profile_1 // Create a network enhanced profile.
[Parent-um-net-enhanced-profile_1] broadcast-suppression packets 1488000 // Configure traffic suppression.
[Parent-um-net-enhanced-profile_1] multicast-suppression packets 1488000
[Parent-um-net-enhanced-profile_1] unicast-suppression packets 1488000
[Parent-um-net-enhanced-profile_1] rate-limit 10000 // Configure traffic rate limiting.
[Parent-um-net-enhanced-profile_1] quit
# Bind the network enhanced profile to the desired port group.
[Parent-um] port-group name port_group_1
[Parent-um-portgroup-port_group_1] network-enhanced-profile network_profile_1 // Bind the network enhanced profile network_profile_1 to port_group_1.
[Parent-um-portgroup-port_group_1] quit
[Parent-um] port-group name port_group_2
[Parent-um-portgroup-port_group_2] network-enhanced-profile network_profile_1
[Parent-um-portgroup-port_group_2] quit
8. Create a network enhanced profile to configure port security. Port security can
be configured only in V200R019C00 and later versions.
# Configure port security in the network enhanced profile.
[Parent-um] network-enhanced-profile name network_profile_2
[Parent-um-net-enhanced-profile_2] port-security enable
[Parent-um-net-enhanced-profile_2] quit
# Bind the network enhanced profile to the desired port group.
[Parent-um] port-group name port_group_4
[Parent-um-portgroup-port_group_4] network-enhanced-profile network_profile_2
[Parent-um-portgroup-port_group_4] quit
[Parent-um] commit as all // The maximum number of secure MAC addresses that can be learned on an interface can be set only after the preceding configuration has been delivered to the ASs.
Warning: Committing the configuration will take a long time. Continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait...
# Set the maximum number of secure MAC addresses that can be learned on an interface.
[Parent-um] as name as5
[Parent-um-as-as5] direct-command view GigabitEthernet 0/0/4 command port-security max-mac-num 5
[Parent-um-as-as5] quit
[Parent-um] quit
9. Configure the user authentication mode in a user access profile.
# Create and configure a RADIUS server profile.
[Parent] radius-server template test // Create a RADIUS server profile named test.
[Parent-radius-test] radius-server authentication 192.168.100.182 1812 // Configure the IP address and port number of the RADIUS authentication server.
[Parent-radius-test] radius-server accounting 192.168.100.182 1813 // Configure the IP address and port number of the RADIUS accounting server.
[Parent-radius-test] radius-server shared-key cipher YsHsjx_202206 // Configure a RADIUS shared key.
[Parent-radius-test] quit
# Configure an authentication scheme.
[Parent] aaa
[Parent-aaa] authentication-scheme radius // Create an AAA authentication scheme named radius.
[Parent-aaa-authen-radius] authentication-mode radius // Configure RADIUS authentication.
[Parent-aaa-authen-radius] quit
# Create an AAA domain and configure the RADIUS server profile and
authentication scheme.
[Parent-aaa] domain default // Configure the default authentication domain.
[Parent-aaa-domain-default] authentication-scheme radius // Bind AAA authentication scheme radius to the default domain.
[Parent-aaa-domain-default] radius-server test // Bind RADIUS server profile test to the default domain.
[Parent-aaa-domain-default] quit
[Parent-aaa] quit
# Configure a MAC access profile.
[Parent] mac-access-profile name mac_1 // Create a MAC access profile.
[Parent-mac-access-profile-mac_1] quit
[Parent] authentication-profile name mac_auth // Create an authentication profile named mac_auth.
[Parent-authen-profile-mac_auth] mac-access-profile mac_1 // Bind the MAC access profile to the authentication profile.
[Parent-authen-profile-mac_auth] quit

# Create a user access profile and bind it to the desired port groups.
[Parent] uni-mng
[Parent-um] user-access-profile name mac_access_profile // Create a user access profile.
[Parent-um-user-access-mac_access_profile] authentication-profile mac_auth // Bind the authentication profile mac_auth to the user access profile.
[Parent-um-user-access-mac_access_profile] quit
[Parent-um] port-group name port_group_1
[Parent-um-portgroup-port_group_1] user-access-profile mac_access_profile // Bind the user access profile to port_group_1.
[Parent-um-portgroup-port_group_1] quit
[Parent-um] port-group name port_group_2
[Parent-um-portgroup-port_group_2] user-access-profile mac_access_profile
[Parent-um-portgroup-port_group_2] quit
[Parent-um] port-group name port_group_4
[Parent-um-portgroup-port_group_4] user-access-profile mac_access_profile
[Parent-um-portgroup-port_group_4] quit
[Parent-um] commit as all // Deliver the configuration to ASs.
Warning: Committing the configuration will take a long time. Continue? [Y/N]:y
Info: This operation may take a few seconds. Please wait...

10. Log in to ASs to check their service configurations. The following uses AS 5 as
an example, because the server-facing Eth-Trunk 10 and the MAC-authenticated
printer port GE0/0/4 are both on AS 5.
# On the parent, run the attach as name as-name command to log in to AS 5.
After a successful login, run the quit command to log out of the AS.
[Parent-um] attach as name as5
Info: Connecting to the remote AS now. Use the quit command to return to the user view.
Trying 192.168.11.250 ...
Press CTRL+K to abort
Connected to 192.168.11.250 ...

Info: The max number of VTY users is 10, and the number
of current VTY users on line is 1.
The current login time is 2020-07-21 08:34:21+00:00.
Info: Lastest accessed IP: Invalid IP address Time: 2020-07-21 07:45:50 Failed: 0
<as5>

# Check whether interface configurations on the AS are generated.
<as5> display current-configuration
......
#
interface Eth-Trunk0
port link-type hybrid
port hybrid tagged vlan 1 11 20 30 40 50
stp instance 0 cost 200
traffic-filter outbound acl 4998
traffic-limit outbound acl 3999 cir 128 pir 128 cbs 16000 pbs 16000
traffic-statistic outbound acl 3999
traffic-limit outbound acl 4999 cir 32 pir 32 cbs 4000 pbs 4000
traffic-statistic outbound acl 4999
mode lacp
mad detect mode relay
#
interface Eth-Trunk10
description connect-to-server
port link-type hybrid
port hybrid pvid vlan 40
port hybrid tagged vlan 1
port hybrid untagged vlan 40
stp root-protection
mixed-rate link enable
#
interface GigabitEthernet0/0/1
stp root-protection
#
......
# Run the display authentication interface interface-type interface-number
command on the AS to check whether the access authentication configuration
is delivered.
<as5> display authentication interface gigabitEthernet 0/0/4
Authentication profile: authentication-profile
Authentication access-point: Enable
Authentication access-point max-user: -
Port authentication order: MAC

Parent Configuration File

#
sysname Parent
#
vlan batch 11
#
stp mode rstp
stp instance 0 priority 28672
#
authentication-profile name mac_auth
mac-access-profile mac_1
#
dhcp enable
#
radius-server template test
radius-server shared-key cipher %^%#e33GK([auIJQ+54M/i7>u5!/M8*A%0]~a@FQ,41K%^%#
radius-server authentication 192.168.100.182 1812 weight 80
radius-server accounting 192.168.100.182 1813 weight 80
#
aaa
authentication-scheme radius
authentication-mode radius
domain default
authentication-scheme radius
radius-server test
#
interface Vlanif11
ip address 192.168.11.1 255.255.255.0
dhcp select interface
dhcp server option 43 ip-address 192.168.11.1
#
interface Eth-Trunk1
port link-type hybrid
port hybrid tagged vlan 1 11 20 30 40 50
stp root-protection
stp edged-port disable
mode lacp
mad relay
#
interface Eth-Trunk2
port link-type hybrid
port hybrid tagged vlan 1 11 20 30 40 50
stp root-protection
stp edged-port disable
mode lacp
mad relay
#

interface Eth-Trunk3
port link-type hybrid
port hybrid tagged vlan 1 11 20 30 40 50
stp root-protection
stp edged-port disable
mode lacp
mad relay
#
interface GigabitEthernet1/1/0/1
eth-trunk 1
#
interface GigabitEthernet1/1/0/2
eth-trunk 2
#
interface GigabitEthernet1/1/0/3
eth-trunk 3
#
interface GigabitEthernet1/2/0/1
mad detect mode direct
#
interface GigabitEthernet2/1/0/1
eth-trunk 1
#
interface GigabitEthernet2/1/0/2
eth-trunk 2
#
interface GigabitEthernet2/1/0/3
eth-trunk 3
#
interface GigabitEthernet2/2/0/1
mad detect mode direct
#
capwap source interface vlanif11
#
as-auth
whitelist mac-address 00e0-fc00-0011
whitelist mac-address 00e0-fc00-0022
whitelist mac-address 00e0-fc00-0033
whitelist mac-address 00e0-fc00-0044
whitelist mac-address 00e0-fc00-0055
#
uni-mng
as name as1 model S5700-28P-PWR-LI mac-address 00e0-fc00-0011
down-direction fabric-port 4 member-group interface Eth-Trunk 4
port Eth-Trunk 4 trunkmember interface GigabitEthernet 0/0/23
port Eth-Trunk 4 trunkmember interface GigabitEthernet 0/0/24
as name as2 model S5700-28P-PWR-LI mac-address 00e0-fc00-0022
as name as3 model S5700-28P-PWR-LI mac-address 00e0-fc00-0033
down-direction fabric-port 5 member-group interface Eth-Trunk 5
port Eth-Trunk 5 trunkmember interface GigabitEthernet 0/0/23
port Eth-Trunk 5 trunkmember interface GigabitEthernet 0/0/24
as name as4 model S2750-28TP-EI mac-address 00e0-fc00-0044
as name as5 model S2750-28TP-EI mac-address 00e0-fc00-0055
uni eth-trunk 10
port eth-trunk 10 trunkmember interface GigabitEthernet 0/0/2
port eth-trunk 10 trunkmember interface GigabitEthernet 0/0/3
direct-command view GigabitEthernet 0/0/2 command description connect-to-pc1
direct-command view GigabitEthernet 0/0/3 command description connect-to-pc2
direct-command view Eth-Trunk 10 command description connect-to-server
direct-command view GigabitEthernet 0/0/4 command description connect-to-printer
direct-command view GigabitEthernet 0/0/4 command port-security max-mac-num 5
interface fabric-port 1
port member-group interface Eth-Trunk 1
interface fabric-port 2
port member-group interface Eth-Trunk 2
interface fabric-port 3
port member-group interface Eth-Trunk 3
as service-vlan authorization 20 30 40 50
as-admin-profile name admin_profile


user asuser password %^%#89K0/.3zL)ytd>4S6DRA]EF1DLRzEQ6|m.P\z8*!%^%#
network-basic-profile name basic_profile_1
user-vlan 20
network-basic-profile name basic_profile_2
user-vlan 30
network-basic-profile name basic_profile_3
user-vlan 40
network-basic-profile name basic_profile_4
user-vlan 50
network-enhanced-profile name network_profile_1
broadcast-suppression packets 1488000
multicast-suppression packets 1488000
unicast-suppression packets 1488000
rate-limit 10000
network-enhanced-profile name network_profile_2
port-security enable
user-access-profile name mac_access_profile
authentication-profile mac_auth
as-group name admin_group
as-admin-profile admin_profile
as name as1
as name as2
as name as3
as name as4
as name as5
port-group name port_group_1
network-basic-profile basic_profile_1
network-enhanced-profile network_profile_1
user-access-profile mac_access_profile
as name as5 interface GigabitEthernet 0/0/2
port-group name port_group_2
network-basic-profile basic_profile_2
network-enhanced-profile network_profile_1
user-access-profile mac_access_profile
as name as5 interface GigabitEthernet 0/0/3
port-group name port_group_3
network-basic-profile basic_profile_3
as name as5 interface Eth-Trunk 10
port-group name port_group_4
network-basic-profile basic_profile_4
network-enhanced-profile network_profile_2
user-access-profile mac_access_profile
as name as5 interface GigabitEthernet 0/0/4
#
mac-access-profile name mac_1
mac-access-profile name mac_access_profile
#
return

3.5 Typical Ethernet Interface Configuration

3.5.1 Example for Configuring a Combo Interface


Overview
A combo interface consists of a GE electrical interface and a GE optical interface
on the panel. The multiplexed electrical and optical interfaces cannot work at the
same time. When one interface works, the other interface is disabled. You can use
the electrical or optical interface according to networking requirements.
The electrical and optical interfaces share one interface view. When you enable
the electrical or optical interface, configure the interface attributes (such as the
rate and duplex mode) in the same interface view.


Configuration Notes
● Usage restrictions:
– The electrical and optical interfaces of a combo interface are multiplexed.
The optical interface cannot have a copper module installed.
– When a combo interface works in auto mode and the combo optical
interface has an optical module installed, the combo interface works as
an optical interface after the device restarts.
– You can configure the working mode of the combo interface based on
the remote interface type. If the local combo electrical interface is
connected to a remote electrical interface, configure the combo interface
to work in copper mode. If the local combo optical interface is connected
to a remote optical interface, configure the combo interface to work in
fiber mode. If the local combo interface is configured to work in a
different mode from the remote interface, the two interfaces cannot
communicate.
● This example applies to switches that support the combo interface.

Networking Requirements
As shown in Figure 3-66, PC1, PC2, and PC3 connect to GE1/0/1, GE1/0/2 and
GE1/0/3 of the Switch respectively. The Switch connects to the Internet through
the combo interface GE1/0/4. You can configure the working mode of the combo
interface based on the remote interface type. In this example, the remote interface
at the Internet side is an electrical interface.

Figure 3-66 Networking diagram for configuring the working mode of a combo
interface


Configuration Roadmap
The configuration roadmap is as follows:
● Configure the combo interface to work as an electrical interface. This
configuration ensures that the combo interface's working mode does not
change when the transmission medium changes, for example, a GE optical
module is installed.

Procedure
Step 1 Configure the combo interface GE1/0/4 to work as an electrical interface.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] combo-port copper //Configure the combo interface to work as an
electrical interface. By default, the combo interface's working mode is auto.
[Switch-GigabitEthernet1/0/4] quit

Step 2 Verify the configuration.
Run the display interface gigabitethernet 1/0/4 command in any view to check
the working mode of the combo interface.
[Switch] display interface gigabitethernet 1/0/4
...
Port Mode: FORCE COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
Mdi : AUTO, Flow-control: DISABLE
...

If COMBO AUTO is displayed, the combo interface automatically selects the
working mode. If FORCE FIBER is displayed, the combo interface is configured to
work as an optical interface. If FORCE COPPER is displayed, the combo interface is
configured to work as an electrical interface. The preceding command output
shows that the combo interface is configured to work as an electrical interface.
----End

Configuration File
Switch configuration file
#
sysname Switch
#
interface GigabitEthernet1/0/4
combo-port copper
#
return

3.5.2 Example for Configuring the Rate and Duplex Mode of an Ethernet Interface

Overview
Interfaces can work in the following two duplex modes:
● Half-duplex mode: An interface in this mode can send data only when it is
not receiving data and, conversely, it can receive data only when it is not
sending data. A limit on the transmission distance applies to this mode.


● Full-duplex mode: An interface in this mode can send and receive data
simultaneously. The maximum throughput in full-duplex mode is theoretically
double that in half-duplex mode. There is no limit on the transmission
distance in this mode.
You can configure the rate and duplex mode of an Ethernet interface working in
either auto-negotiation or non-auto-negotiation mode.
● In auto-negotiation mode, interfaces at both ends of a link negotiate the rate
and duplex mode. If the negotiation succeeds, the two interfaces use the
same duplex mode and rate. The auto-negotiation function takes effect only
when both the connected devices support it. If the remote device does not
support auto-negotiation or uses a different auto-negotiation mode, the
connected interfaces may be Down.
● You can configure the local interface to work in non-auto-negotiation mode
and manually configure the interface rate and duplex mode in the following
situations:
– The remote device does not support auto-negotiation.
– After auto-negotiation is configured, the local and remote devices cannot
communicate.
– After auto-negotiation is configured, the physical link between the local and
remote devices is connected, but many error packets are generated or packet
loss occurs.

Configuration Notes
● Usage restrictions
– Ethernet interfaces at both ends of a link must work in the same auto-
negotiation mode. Otherwise, the interfaces may be Down.
– When the working rate of a GE electrical interface is 1000 Mbit/s, the
interface supports only the full-duplex mode and does not need to
negotiate the duplex mode with the remote interface.
– Interfaces at both ends of a link must use the same rate and duplex
mode.

Networking Requirements
As shown in Figure 3-67, Server1, Server2, and Server3 form a server cluster and
connect to GE1/0/1, GE1/0/2, and GE1/0/3 of the Switch respectively. The Switch
connects to the Internet through GE1/0/4.
Due to limitations of network adapters on the servers, GE1/0/1, GE1/0/2, and
GE1/0/3 can only work in half-duplex mode after negotiating with connected
server interfaces. As a result, packet loss occurs when the service traffic volume is
high. In addition, the rate is negotiated to 1000 Mbit/s for GE1/0/1, GE1/0/2, and
GE1/0/3. When the three servers concurrently send data at the rate of 1000
Mbit/s, the outbound interface GE1/0/4 will be congested. Users require that
packet loss and congestion do not occur.


Figure 3-67 Networking diagram for configuring the rate and duplex mode in
non-auto-negotiation mode

Configuration Roadmap
The configuration roadmap is as follows:
● Configure the switch interfaces to work in non-auto-negotiation mode to
prevent the interface rate from being affected by the network adapter rate on
the servers.
● Set the duplex mode to full-duplex for the interfaces working in non-auto-
negotiation mode to avoid packet loss.
● Set the rate to 100 Mbit/s for the interfaces working in non-auto-negotiation
mode to avoid congestion on the outbound interface.

Procedure
Step 1 Create a port group and add GE1/0/1, GE1/0/2, and GE1/0/3 to the port group.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] port-group portgroup1 //Create a permanent port group portgroup1.
[Switch-port-group-portgroup1] group-member GE1/0/1 to GE1/0/3 //Add GE1/0/1, GE1/0/2, and
GE1/0/3 to portgroup1.

Step 2 Configure GE1/0/1, GE1/0/2, and GE1/0/3 to work in non-auto-negotiation mode,
and set the duplex mode to full-duplex and rate to 100 Mbit/s for these interfaces
in a batch.
[Switch-port-group-portgroup1] undo negotiation auto //Configure interfaces to work in non-auto-
negotiation mode in a batch.
[Switch-GigabitEthernet1/0/1] undo negotiation auto
[Switch-GigabitEthernet1/0/2] undo negotiation auto
[Switch-GigabitEthernet1/0/3] undo negotiation auto
[Switch-port-group-portgroup1] duplex full //Set the duplex mode of the interfaces to full-duplex in a
batch.
[Switch-GigabitEthernet1/0/1] duplex full
[Switch-GigabitEthernet1/0/2] duplex full
[Switch-GigabitEthernet1/0/3] duplex full
[Switch-port-group-portgroup1] speed 100 //Set the rate of the interfaces to 100 Mbit/s in a batch.
[Switch-GigabitEthernet1/0/1] speed 100
[Switch-GigabitEthernet1/0/2] speed 100
[Switch-GigabitEthernet1/0/3] speed 100
[Switch-port-group-portgroup1] quit

NOTE

After a configuration command is executed in the port group view, the device will deliver
the configuration to each port in the port group and display the configuration of each port.

Step 3 Verify the configuration.
Run the display interface gigabitethernet 1/0/1 command in any view to check
the interface rate and duplex mode.
[Switch] display interface gigabitethernet 1/0/1
...
Port Mode: COMMON COPPER
Speed : 100, Loopback: NONE
Duplex: FULL, Negotiation: DISABLE
Mdi : AUTO, Flow-control: DISABLE
...

The command output shows that the interface works in non-auto-negotiation mode,
the rate is 100 Mbit/s, and the duplex mode is full-duplex.
Similarly, run the display interface gigabitethernet 1/0/2 and display interface
gigabitethernet 1/0/3 commands on GE1/0/2 and GE1/0/3 respectively to check
interface working information.
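The verification steps of 3.5.1 and 3.5.2 read the Port Mode, Speed, Duplex and Negotiation fields by eye. As an added example that is not part of the Huawei documentation, the Python below parses that command output and applies this section's usage restrictions to both ends of a link; the sample outputs are constructed and the function names are assumptions.

```python
"""Parse 'display interface' output and check the two ends of a link.
Added example for 3.5.1 and 3.5.2, not Huawei code; the field layout follows
the command output printed above and the sample outputs are constructed."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PortState:
    port_mode: str       # e.g. "FORCE COPPER", "COMMON COPPER", "COMBO AUTO"
    speed: int           # Mbit/s
    duplex: str          # "FULL" or "HALF"
    negotiation: bool    # True when the output shows "Negotiation: ENABLE"


def _fields(text: str) -> Dict[str, str]:
    """Split 'Key : VALUE, Key: VALUE' lines into a lower-cased dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        for part in line.split(","):
            if ":" not in part:
                continue              # prompts, '...' and banner lines
            key, _, value = part.partition(":")
            fields[key.strip().lower()] = value.strip()
    return fields


def parse_display_interface(text: str) -> PortState:
    f = _fields(text)
    missing = [k for k in ("port mode", "speed", "duplex", "negotiation") if k not in f]
    if missing:
        raise ValueError(f"display output lacks fields: {missing}")
    return PortState(port_mode=f["port mode"], speed=int(f["speed"]),
                     duplex=f["duplex"], negotiation=(f["negotiation"] == "ENABLE"))


def combo_working_mode(state: PortState) -> str:
    """Interpret Port Mode the way the combo example (3.5.1) reads it."""
    meaning = {"COMBO AUTO": "auto", "FORCE FIBER": "optical",
               "FORCE COPPER": "electrical"}
    return meaning.get(state.port_mode, "not a combo interface")


def check_link_consistency(local: PortState, remote: PortState) -> List[str]:
    """Apply the usage restrictions of 3.5.2 to both ends of one link.
    Returns the mismatches found; an empty list means the ends agree."""
    problems: List[str] = []
    # Both ends must work in the same auto-negotiation mode, or the
    # interfaces may be Down.
    if local.negotiation != remote.negotiation:
        problems.append("auto-negotiation mode differs between the two ends")
    # A GE electrical interface at 1000 Mbit/s supports only full-duplex.
    for name, st in (("local", local), ("remote", remote)):
        if st.speed == 1000 and st.duplex != "FULL":
            problems.append(f"{name}: 1000 Mbit/s requires full-duplex")
    # Both ends must use the same rate and duplex mode.
    if local.speed != remote.speed:
        problems.append(f"speed mismatch {local.speed} vs {remote.speed}")
    if local.duplex != remote.duplex:
        problems.append(f"duplex mismatch {local.duplex} vs {remote.duplex}")
    return problems


# Constructed sample: GE1/0/1 after Step 2 of 3.5.2.
SWITCH_GE1_0_1 = """\
[Switch] display interface gigabitethernet 1/0/1
...
Port Mode: COMMON COPPER
Speed : 100, Loopback: NONE
Duplex: FULL, Negotiation: DISABLE
Mdi : AUTO, Flow-control: DISABLE
...
"""

# Constructed: the server NIC written in the same field layout, still at
# half-duplex because of the network adapter limitation described in 3.5.2.
SERVER1_NIC = """\
Port Mode: COMMON COPPER
Speed : 100, Loopback: NONE
Duplex: HALF, Negotiation: DISABLE
"""

# Constructed sample: the combo interface GE1/0/4 of 3.5.1.
COMBO_GE1_0_4 = """\
Port Mode: FORCE COPPER
Speed : 1000, Loopback: NONE
Duplex: FULL, Negotiation: ENABLE
"""

if __name__ == "__main__":
    local = parse_display_interface(SWITCH_GE1_0_1)
    print(combo_working_mode(parse_display_interface(COMBO_GE1_0_4)))
    print(check_link_consistency(local, parse_display_interface(SERVER1_NIC)))
```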

----End

Configuration File
Switch configuration file
#
sysname Switch
#
interface GigabitEthernet1/0/1
undo negotiation auto
speed 100
#
interface GigabitEthernet1/0/2
undo negotiation auto
speed 100
#
interface GigabitEthernet1/0/3
undo negotiation auto
speed 100
#
port-group portgroup1
group-member GigabitEthernet1/0/1
group-member GigabitEthernet1/0/2
group-member GigabitEthernet1/0/3
#
return


3.5.3 Example for Switching an Interface Between Layer 2 and Layer 3 Modes

Overview
Due to hardware restrictions of interface cards, some Ethernet interfaces work in
only Layer 2 or Layer 3 mode, whereas other Ethernet interfaces can work in both
Layer 2 and Layer 3 modes.

Configuration Notes
● By default, an Ethernet interface works in Layer 2 mode and belongs to VLAN
1. An interface is not removed from VLAN 1 immediately after being switched
to Layer 3 mode. It is removed from VLAN 1 only when Layer 3 protocols are
Up.
● You can configure Layer 2 and Layer 3 modes of an Ethernet interface in the
Ethernet interface view or system view. If the configurations in the two views
differ, the latest configuration takes effect.
● The minimum interval between running the portswitch and undo portswitch
commands is 30 seconds. That is, after changing the mode of an Ethernet
interface, wait at least 30 seconds before changing the mode again.
● If service configurations (such as the port link-type trunk configuration) exist
on an interface, clear all service configurations before switching the interface
between Layer 2 and Layer 3 modes. The mode switching configuration takes
effect on an interface when only attribute configurations (such as shutdown
and description configurations) exist on the interface.
● On switches running V200R003 and earlier versions, IP addresses cannot be
assigned to Ethernet interfaces in Layer 3 mode.
● This example applies to the following products and versions:
– S5700-EI: V200R005C00&C01
– S5700-HI: V200R001C00, V200R002C00, V200R003C00,
V200R005C00&C01
– S5710-EI: V200R002C00, V200R003C00, V200R005C00
– S6700-EI: V200R005C00&C01
– S5710-HI, S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S,
S5731S-H, S5732-H, S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H,
S6730-S, S6730S-S
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.

Networking Requirements
As shown in Figure 3-68, PC1, PC2, PC3, and PC4 are on four network segments,
and SwitchB, SwitchC, SwitchD, and SwitchE are access switches for these four
network segments, respectively. It is required that four physical Ethernet interfaces
on SwitchA be configured as gateway interfaces for these four network segments.


Figure 3-68 Networking diagram for configuring the rate and duplex mode in
non-auto-negotiation mode

Configuration Roadmap
The configuration roadmap is as follows:

● Change interfaces to Layer 3 mode.
● Configure IP addresses of Layer 3 Ethernet interfaces as gateway addresses.

Procedure
Step 1 Change interfaces to Layer 3 mode.

# Change an interface to Layer 3 mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] undo portswitch
[SwitchA-GigabitEthernet1/0/1] quit

# Change Ethernet interfaces to Layer 3 mode in a batch.
[SwitchA] undo portswitch batch gigabitethernet 1/0/2 to 1/0/4


Step 2 Configure IP addresses of Layer 3 Ethernet interfaces as gateway addresses.

# Configure the IP address of GE1/0/1 as a gateway address. The configurations of
GE1/0/2, GE1/0/3, and GE1/0/4 are similar to the configuration of GE1/0/1, and
are not mentioned here. For details, see the configuration files.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] ip address 10.10.1.1 24
[SwitchA-GigabitEthernet1/0/1] quit

Step 3 Run the display interface gigabitethernet 1/0/1 command in any view to check
the interface working mode.
[SwitchA] display interface gigabitethernet 1/0/1
...
Description:
Route Port,The Maximum Frame Length is 9216
Internet Address is 10.10.1.1/24
...

If Switch Port is displayed, the interface works in Layer 2 mode. If Route Port is
displayed, the interface works in Layer 3 mode. The preceding command output
shows that the interface works in Layer 3 mode.

Similarly, run the display interface gigabitethernet 1/0/2, display interface
gigabitethernet 1/0/3, and display interface gigabitethernet 1/0/4 commands
on GE1/0/2, GE1/0/3, and GE1/0/4 respectively to check the interface working
mode.

----End

Configuration File
SwitchA configuration file
#
sysname SwitchA
#
interface GigabitEthernet1/0/1
undo portswitch
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
undo portswitch
ip address 10.10.2.1 255.255.255.0
#
interface GigabitEthernet1/0/3
undo portswitch
ip address 10.10.3.1 255.255.255.0
#
interface GigabitEthernet1/0/4
undo portswitch
ip address 10.10.4.1 255.255.255.0
#
return

Follow-up Procedure
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.


3.5.4 Example for Configuring Port Isolation


Overview
To implement Layer 2 isolation between interfaces, you can add each interface to
a different VLAN. However, this method wastes VLAN resources. Port isolation can
isolate interfaces in the same VLAN, and a port isolation group can effectively
implement Layer 2 isolation between these interfaces. Port isolation provides
secure and flexible networking solutions.
The port isolation mode can be Layer 2 isolation and Layer 3 interworking or
Layer 2 and Layer 3 isolation.
● To isolate broadcast packets in the same VLAN but allow users connecting to
different interfaces to communicate at Layer 3, you can set the port isolation
mode to Layer 2 isolation and Layer 3 interworking.
● To prevent interfaces in the same VLAN from communicating at both Layer 2
and Layer 3, you can set the port isolation mode to Layer 2 and Layer 3
isolation.

Configuration Notes
● This example applies to all versions of all S series switches.
● Do not add both the uplink and downlink interfaces to the same port
isolation group unless required. Otherwise, the uplink and downlink interfaces
cannot communicate.
● S series switches support Layer 2 isolation and Layer 3 interworking.
● All S series chassis switches support Layer 2 and Layer 3 isolation. S series box
switches support Layer 2 and Layer 3 isolation excluding the S2700-SI and
S2700-EI running V100R006C05 and the S2720-EI, S5720-LI, S6720-LI,
S6720S-LI, S5710-C-LI, and S5720S-LI running V200R001 and later versions.

Networking Requirements
An R&D office of a company contains employees from the company, partner
company A, and partner company B. As shown in Figure 3-69, PC1 and PC2 are
used by two employees from partner companies A and B respectively, and PC3 is
used by an R&D employee from the company. The requirements are as follows:
● VLAN resources need to be saved.
● Employees from partner companies A and B cannot communicate with each
other.
● Employees from partner companies A and B can communicate with the
company's employees.


Figure 3-69 Networking diagram for configuring port isolation

Configuration Roadmap
The configuration roadmap is as follows:
1. Add interfaces to a VLAN.
2. Add the interfaces to a port isolation group to implement Layer 2 isolation
between these interfaces. The default port isolation mode is Layer 2 isolation
and Layer 3 interworking.

Procedure
Step 1 Configure port isolation.
# Configure port isolation on GE1/0/1.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //Set the interface type of GE1/0/1 to access.
[Switch-GigabitEthernet1/0/1] port default vlan 10 //Add GE1/0/1 to VLAN 10.
[Switch-GigabitEthernet1/0/1] port-isolate enable //By default, the interface is added to port isolation
group 1 and the port isolation mode is Layer 2 isolation and Layer 3 interworking. You can run the port-
isolate mode all command to set the port isolation mode to Layer 2 and Layer 3 isolation.
[Switch-GigabitEthernet1/0/1] quit

# Configure port isolation on GE1/0/2.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access //Set the interface type of GE1/0/2 to access.
[Switch-GigabitEthernet1/0/2] port default vlan 10 //Add GE1/0/2 to VLAN 10.
[Switch-GigabitEthernet1/0/2] port-isolate enable //By default, the interface is added to port isolation
group 1 and the port isolation mode is Layer 2 isolation and Layer 3 interworking. You can run the port-
isolate mode all command to set the port isolation mode to Layer 2 and Layer 3 isolation.
[Switch-GigabitEthernet1/0/2] quit

# Add GE1/0/3 to VLAN 10.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access //Set the interface type of GE1/0/3 to access.
[Switch-GigabitEthernet1/0/3] port default vlan 10 //Add GE1/0/3 to VLAN 10.
[Switch-GigabitEthernet1/0/3] quit

Step 2 Verify the configuration.

# PC1 and PC2 cannot communicate with each other.

# PC1 and PC3 can communicate with each other.

# PC2 and PC3 can communicate with each other.

----End

Configuration File
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
port-isolate enable group 1
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 10
port-isolate enable group 1
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 10
#
return
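As an added example (Python, not Huawei code), the following models the isolation semantics described in this section: it parses a constructed copy of the configuration file above, answers the three checks of Step 2, and shows the effect of port-isolate mode all. The class and function names are assumptions.

```python
"""Port isolation model for the example in 3.5.4.
Added example, not Huawei code. It parses the configuration file format
printed above (CONFIG below is a constructed copy of it) and decides whether
two interfaces in the same VLAN can communicate at Layer 2 or Layer 3."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Port:
    vlan: int = 1                        # an Ethernet interface is in VLAN 1 by default
    isolate_group: Optional[int] = None  # set by 'port-isolate enable [group N]'


@dataclass
class SwitchModel:
    ports: Dict[str, Port] = field(default_factory=dict)
    # "l2": Layer 2 isolation and Layer 3 interworking (the default);
    # "all": Layer 2 and Layer 3 isolation, set by 'port-isolate mode all'.
    isolate_mode: str = "l2"


def parse_config(text: str) -> SwitchModel:
    """Read the subset of the configuration file that the example uses."""
    sw = SwitchModel()
    current: Optional[Port] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            current = None                  # '#' closes the current view
            continue
        if not line or line == "return":
            continue
        words = line.split()
        if words[0] == "interface":
            current = sw.ports.setdefault(words[1], Port())
        elif words[:2] == ["port-isolate", "mode"]:
            sw.isolate_mode = words[2]      # modelled as a system-view command
        elif current is None:
            continue                        # sysname, vlan batch, ...
        elif words[:3] == ["port", "default", "vlan"]:
            current.vlan = int(words[3])
        elif words[:2] == ["port-isolate", "enable"]:
            # Without an explicit group number the interface joins group 1.
            current.isolate_group = int(words[3]) if len(words) > 3 else 1
    return sw


def can_communicate(sw: SwitchModel, a: str, b: str, layer: int) -> bool:
    """Can the hosts behind interfaces a and b talk at the given layer (2 or 3)?"""
    pa, pb = sw.ports[a], sw.ports[b]
    if pa.vlan != pb.vlan:
        raise ValueError("model covers interfaces in one VLAN, as in the example")
    same_group = pa.isolate_group is not None and pa.isolate_group == pb.isolate_group
    if not same_group:
        return True                  # isolation only applies within one group
    if layer == 2:
        return False                 # Layer 2 isolation in both modes
    return sw.isolate_mode != "all"  # Layer 3 interworking only in the default mode


def uplinks_sharing_group(sw: SwitchModel, uplinks: List[str]) -> List[str]:
    """Flag the Configuration Notes pitfall: an uplink interface in the same
    isolation group as other interfaces, which cuts those interfaces off."""
    flagged = []
    for up in uplinks:
        g = sw.ports[up].isolate_group
        if g is not None and any(p.isolate_group == g
                                 for name, p in sw.ports.items() if name != up):
            flagged.append(up)
    return flagged

# Constructed copy of the 'Switch configuration file' shown above.
CONFIG = """\
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
 port link-type access
 port default vlan 10
 port-isolate enable group 1
#
interface GigabitEthernet1/0/2
 port link-type access
 port default vlan 10
 port-isolate enable group 1
#
interface GigabitEthernet1/0/3
 port link-type access
 port default vlan 10
#
return
"""
# The same switch after 'port-isolate mode all' (Layer 2 and Layer 3 isolation).
CONFIG_MODE_ALL = CONFIG.replace("vlan batch 10\n", "vlan batch 10\n#\nport-isolate mode all\n")
```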

Related Content
Videos

Configure Port Isolation.

3.6 Typical Ethernet Switching Configuration

3.6.1 Typical MAC Configuration


3.6.1.1 Example for Configuring Static MAC Address Entries

Overview
MAC address entries are automatically generated when the switch learns the
source MAC addresses of packets. Static MAC address entries are manually
configured.

A network administrator manually adds MAC address entries of authorized users
into the MAC address table. The static MAC address entries are often used to
prevent unauthorized users from intercepting data of authorized users.

If a large number of static MAC address entries are manually configured, network
maintenance can be difficult. You can enable port security to dynamically bind
MAC addresses to interfaces.

Configuration Notes
This example applies to all versions of all S series switches.

Networking Requirements
In Figure 3-70, the server connects to the switch through GE1/0/2. To prevent the
switch from broadcasting packets destined for the server, the static MAC address
entry of the server needs to be configured on the switch. This ensures that the
switch unicasts packets destined for the server through GE1/0/2. The MAC address
of the PC is statically bound to GE1/0/1 to ensure secure communication between
the PC and server.

Figure 3-70 Networking for configuring static MAC address entries

Configuration Roadmap
The configuration roadmap is as follows:


1. Create a VLAN on the switch and add an interface to the VLAN to implement
Layer 2 forwarding.
2. Configure the static MAC address entry of the server on the switch.
3. Configure the static MAC address entry of the PC on the switch.

Procedure
Step 1 Create VLAN 2 on the switch and add GE1/0/1 and GE1/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 //Create VLAN 2.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //The interface connected to the PC must be the
access interface. The default link type of an interface is not access, so you need to manually configure the
access interface.
[Switch-GigabitEthernet1/0/1] port default vlan 2 //Add GE1/0/1 to VLAN 2.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2 //The configuration of GE1/0/2 is similar to that of GE1/0/1.
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 2
[Switch-GigabitEthernet1/0/2] quit

Step 2 Configure the static MAC address entry of the server on the switch.
[Switch] mac-address static xxxx-xxxx-xxx4 gigabitethernet 1/0/2 vlan 2

Step 3 Configure the static MAC address entry of the PC on the switch.
[Switch] mac-address static xxxx-xxxx-xxx2 gigabitethernet 1/0/1 vlan 2

Step 4 Verify the configuration.
# Run the display mac-address static vlan 2 command in any view to check
whether static MAC address entries were successfully added to the MAC address
table.
[Switch] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
xxxx-xxxx-xxx2 2/- GE1/0/1 static
xxxx-xxxx-xxx4 2/- GE1/0/2 static

-------------------------------------------------------------------------------
Total items displayed = 2

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 2


#
mac-address static xxxx-xxxx-xxx2 GigabitEthernet1/0/1 vlan 2
mac-address static xxxx-xxxx-xxx4 GigabitEthernet1/0/2 vlan 2
#
return

3.6.1.2 Example for Configuring Blackhole MAC Address Entries

Overview
Blackhole MAC address entries can be used to prevent attacks from unauthorized
users. The switch discards packets from or destined to blackhole MAC addresses.

Configuration Notes
This example applies to all versions of all S series switches.

Networking Requirements
As shown in Figure 3-71, the switch receives a packet from an unauthorized PC
whose MAC address is 0005-0005-0005 and belongs to VLAN 3. This MAC address
can be configured as a blackhole MAC address to filter packets from the
unauthorized user.

Figure 3-71 Networking for configuring blackhole MAC address entries

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN to implement Layer 2 forwarding.
2. Configure a blackhole MAC address to block packets from this MAC address.

Procedure
Step 1 Configure a blackhole MAC address entry.
<HUAWEI> system-view
[HUAWEI] sysname Switch


[Switch] vlan 3 //Create VLAN 3.
[Switch-vlan3] quit
[Switch] mac-address blackhole xxxx-xxxx-xxx5 vlan 3 //Configure MAC address 0005-0005-0005 as the
blackhole MAC address in VLAN 3.

Step 2 Verify the configuration.

# Run the display mac-address blackhole command in any view to check
whether the blackhole MAC address entry was successfully added to the MAC
address table.
[Switch] display mac-address blackhole
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
xxxx-xxxx-xxx5 3/- - blackhole

-------------------------------------------------------------------------------
Total items displayed = 1

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 3
#
mac-address blackhole xxxx-xxxx-xxx5 vlan 3
#
return

3.6.1.3 Example for Configuring MAC Address Limiting in a VLAN

Overview
The switch limits the number of MAC address entries based on VLANs or
interfaces. In offices where clients seldom change, you can configure MAC address
limiting to control user access. This can protect against certain attacks. For
example, if an attacker forges a large number of packets with different source
MAC addresses and sends the packets to the device, finite MAC address entries in
the MAC address table of the device may be exhausted. When the MAC address
table is full, the device cannot learn source MAC addresses of valid packets. As a
result, the device broadcasts the valid packets, wasting bandwidth resources.

MAC address limiting in a VLAN can limit the number of MAC address entries on
multiple interfaces in a VLAN.

Configuration Notes
● After the port-security enable command is configured on an interface, MAC
address limiting cannot take effect on the interface. Do not configure port
security and MAC address limiting on the same interface simultaneously.
● This example applies to all versions of all S series switches.


● After the number of learned MAC address entries reaches the limit, SA cards
of S series and F series cards of chassis devices and box devices (excluding the
S5720-EI) cannot discard packets with nonexistent source MAC addresses.

Networking Requirements
In Figure 3-72, user network 1 is connected to GE1/0/1 of the switch through
LSW1, user network 2 is connected to GE1/0/2 of the switch through LSW2, and
GE1/0/1 and GE1/0/2 belong to VLAN 2. To control the number of access users,
configure MAC address limiting in VLAN 2.

Figure 3-72 Networking of MAC address limiting in a VLAN

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN to implement Layer 2
forwarding.
2. Configure MAC address limiting in a VLAN to prevent MAC address attacks
and control the number of access users.

Procedure
Step 1 Create VLAN 2 and add GE1/0/1 and GE1/0/2 to VLAN 2.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Configure the link type of the interface as trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 //Add GE1/0/1 to VLAN 2.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2 //The configuration of GE1/0/2 is similar to the configuration of
GE1/0/1.
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
[Switch-GigabitEthernet1/0/2] quit

Step 2 Configure the following MAC address limiting rule in VLAN 2: A maximum of 100
MAC addresses can be learned. When the number of learned MAC address entries
reaches the limit, the device forwards the packets with new source MAC address
entries and generates an alarm.
[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 action forward //The default action taken for packets in
different versions is different. You are advised to manually configure the action. For fixed switches, the
action parameter can be set in the VLAN view only on the S5720-EI. On other fixed switches, the forward
action is used in the VLAN view by default, and the action parameter does not need to be set. The alarm
function is enabled by default, so you do not need to configure the alarm function manually.
[Switch-vlan2] quit

Step 3 Verify the configuration.

# Run the display mac-limit command in any view to check whether the MAC
address limiting rule is successfully configured.
[Switch] display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1

PORT VLAN/VSI SLOT Maximum Rate(ms) Action Alarm


----------------------------------------------------------------------------
- 2 - 100 - forward enable

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-limit maximum 100 action forward
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
return

3.6.1.4 Example for Configuring MAC Address Limiting on an Interface

Overview
The switch limits the number of MAC address entries based on VLANs or
interfaces. In offices where clients seldom change, you can configure MAC address
limiting to control user access. This can protect against certain attacks. For
example, if an attacker forges a large number of packets with different source
MAC addresses and sends the packets to the device, finite MAC address entries in
the MAC address table of the device may be exhausted. When the MAC address
table is full, the device cannot learn source MAC addresses of valid packets. As a
result, the device broadcasts the valid packets, wasting bandwidth resources.

MAC address limiting on an interface can be used in scenarios where users
connected to an interface in small and medium-sized enterprises are fixed and
seldom change.

Configuration Notes
● After port-security enable is configured on an interface, MAC address
limiting cannot be configured on the interface.
● This example applies to all versions of all S series switches.

Networking Requirements
In Figure 3-73, user network 1 and user network 2 connect to the switch through
the LSW, and GE1/0/1 of the switch connects to the LSW. User network 1 and user
network 2 belong to VLAN 10 and VLAN 20 respectively. On the switch, MAC
address limiting can be configured on GE1/0/1 to control the number of access
users.

Figure 3-73 Networking of MAC address limiting on an interface

Configuration Roadmap
The configuration roadmap is as follows:

1. Create VLANs and add interfaces to the VLANs to implement Layer 2
forwarding.
2. Configure MAC address limiting on an interface to control the number of
access users.

Procedure
Step 1 Create VLAN 10 and VLAN 20 and add GE1/0/1 to VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Configure the link type of the interface as trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 //Add GE1/0/1 to VLAN 10 and VLAN 20.
[Switch-GigabitEthernet1/0/1] quit

Step 2 Configure the switch to learn a maximum of 100 MAC address entries on GE1/0/1.
When the number of learned MAC address entries reaches the limit, the switch
discards the packets with new source MAC address entries and generates an
alarm.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] mac-limit maximum 100 action discard //The default action taken for
packets in different versions is different. You are advised to manually specify the action. The alarm function
is enabled by default, so you do not need to specify it manually.
[Switch-GigabitEthernet1/0/1] quit

Step 3 Verify the configuration.


# Run the display mac-limit command in any view to check whether the MAC
address limiting rule is successfully configured.
[Switch] display mac-limit
MAC limit is enabled
Total MAC limit rule count : 1

PORT VLAN/VSI SLOT Maximum Rate(ms) Action Alarm


----------------------------------------------------------------------------
GE1/0/1 - - 100 - discard enable

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
mac-limit maximum 100
#
return
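The following Python simulation is an added example, not part of this guide and not Huawei's code. It models the behaviour described in the two MAC address limiting examples above (3.6.1.3 and 3.6.1.4): a MAC address table of fixed capacity, a VLAN-scope rule with action forward, an interface-scope rule with action discard, and the alarm raised when a limit is reached. The attacker, host and gateway MAC addresses, the interface names and the table capacity of 256 are constructed values.

```python
"""Simulation of MAC address limiting (added example, not Huawei's code).

A MacLimitedSwitch holds a MAC address table of fixed capacity and a set
of mac-limit rules scoped to a VLAN or an interface, mirroring
"mac-limit maximum N action forward|discard". Sample hosts, MAC
addresses and the table capacity are constructed values.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int
    in_port: str


@dataclass(frozen=True)
class MacLimitRule:
    scope: str      # "vlan" (configured in VLAN view) or "port" (interface view)
    key: object     # VLAN ID or interface name
    maximum: int    # mac-limit maximum
    action: str     # "forward" or "discard"


class MacLimitedSwitch:
    def __init__(self, capacity: int, rules=()):
        self.capacity = capacity                      # hardware MAC table size
        self.rules = list(rules)
        self.table: Dict[Tuple[int, str], str] = {}   # (vlan, mac) -> port
        self.alarms: List[str] = []                   # one alarm per rule reached

    def _learned_in_scope(self, rule: MacLimitRule) -> int:
        if rule.scope == "vlan":
            return sum(1 for (vlan, _) in self.table if vlan == rule.key)
        return sum(1 for port in self.table.values() if port == rule.key)

    def _rules_for(self, frame: Frame) -> List[MacLimitRule]:
        return [r for r in self.rules
                if (r.scope == "vlan" and r.key == frame.vlan)
                or (r.scope == "port" and r.key == frame.in_port)]

    def _forward(self, frame: Frame) -> str:
        # Unknown destination: the frame is flooded in the VLAN.
        return "unicast" if (frame.vlan, frame.dst_mac) in self.table else "flood"

    def process(self, frame: Frame) -> str:
        """Return "unicast", "flood" or "discard" for one received frame."""
        entry = (frame.vlan, frame.src_mac)
        if entry in self.table:
            return self._forward(frame)
        for rule in self._rules_for(frame):
            if self._learned_in_scope(rule) >= rule.maximum:
                alarm = f"mac-limit reached: {rule.scope} {rule.key}"
                if alarm not in self.alarms:
                    self.alarms.append(alarm)
                if rule.action == "discard":
                    return "discard"
                return self._forward(frame)   # action forward: pass, but do not learn
        if len(self.table) < self.capacity:   # no rule hit: normal learning
            self.table[entry] = frame.in_port  # a full table leaves new hosts unlearned
        return self._forward(frame)


def run_scenario(rules, capacity: int = 256, forged: int = 300) -> dict:
    """Attacker on GE1/0/1 floods forged source MACs in VLAN 2; then a
    legitimate host on GE1/0/2 talks to a gateway on GE1/0/3."""
    sw = MacLimitedSwitch(capacity, rules)
    attack = Counter(
        sw.process(Frame(f"0200-0000-{i:04x}", "ffff-ffff-ffff", 2, "GE1/0/1"))
        for i in range(forged))
    host, gateway = "00e0-fc00-0001", "00e0-fc00-0002"   # constructed MACs
    sw.process(Frame(host, gateway, 2, "GE1/0/2"))
    reply = sw.process(Frame(gateway, host, 2, "GE1/0/3"))
    return {"learned": len(sw.table), "attack": attack,
            "reply_to_host": reply, "alarms": list(sw.alarms)}


if __name__ == "__main__":
    print("no limit:        ", run_scenario([]))
    print("vlan 2 forward:  ", run_scenario([MacLimitRule("vlan", 2, 100, "forward")]))
    print("GE1/0/1 discard: ", run_scenario([MacLimitRule("port", "GE1/0/1", 100, "discard")]))
```

Without a limit the forged addresses fill the table and the reply to the legitimate host is flooded; the VLAN-scope rule caps the table at 100 entries but a host arriving afterwards is also left unlearned, while the interface-scope discard rule on the untrusted interface stops the forged frames and leaves the host reachable by unicast.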

3.6.2 Link Aggregation Configuration

3.6.2.1 Precautions for Inter-Card Eth-Trunk Deployment

Interfaces on different cards on a modular switch may be added to an Eth-Trunk
to improve reliability. If cards with Eth-Trunk specification extension are involved in
an inter-card Eth-Trunk, the following requirements apply to the hash mode of the
cards:

● If an Eth-Trunk is configured between cards with and without Eth-Trunk
specification extension, the cards with Eth-Trunk specification extension must
work in normal mode.
● If an Eth-Trunk is configured between cards with Eth-Trunk specification
extension, the hash mode of the cards must be the same.

Cards are classified into cards with and without Eth-Trunk specification extension,
as described in Table 3-28.

Table 3-28 Card series and Eth-Trunk specification extension

Eth-Trunk Specification Extension   Card Series
Extensible                          EE series, FC series, SC series, X series, and
                                    ET1D2X48SEC0 and EH1D2X48SEC0 in the EC series
Non-extensible                      BC series, EA series, ED series, FA series, SA series,
                                    EC1 series, EA1 series, and EC series (excluding the
                                    ET1D2X48SEC0 and EH1D2X48SEC0)

Precautions for an Inter-Card Eth-Trunk Without Eth-Trunk Specification
Extension
● Upgrade
After a version earlier than V200R010C00 is upgraded to V200R010C00 or a
later version, the card hash mode is as follows:
– If the configuration is not saved before the card is started or installed, the
installed FC series, SC series, EE series, ET1D2X48SEC0, or EH1D2X48SEC0
card works in advanced mode and the corresponding configuration is
generated.
– If the configuration is saved before the card is started or installed, the
installed FC series, SC series, EE series, ET1D2X48SEC0, or EH1D2X48SEC0
card works in normal mode.
● Card replacement
Table 3-29 lists the hash modes of cards in a slot before and after card
replacement.

Table 3-29 Hash modes of cards in a slot before and after card replacement

Replaced Card                                  | Hash Mode of the Replaced Card | New Card                                       | Hash Mode of the New Card
Card with Eth-Trunk specification extension    | advanced                       | Card with Eth-Trunk specification extension    | advanced
Card with Eth-Trunk specification extension    | advanced                       | Card without Eth-Trunk specification extension | N/A
Card with Eth-Trunk specification extension    | normal                         | Card with Eth-Trunk specification extension    | normal
Card with Eth-Trunk specification extension    | normal                         | Card without Eth-Trunk specification extension | N/A
Card without Eth-Trunk specification extension | N/A                            | Card with Eth-Trunk specification extension    | normal

● Card removal
When the card with Eth-Trunk specification extension in advanced mode is
removed, the configuration of the hash mode is reserved in the system. You
can run the undo eth-trunk load-balance hash-mode command to clear the
configuration of the hash mode.
● Other
– When interfaces on the card with Eth-Trunk specification extension form
an inter-card Eth-Trunk with interfaces on other cards, the hash mode of
the card with Eth-Trunk specification extension cannot be changed. To
change the hash mode of the card with Eth-Trunk specification extension,
first delete the inter-card Eth-Trunk member interfaces of the card with
Eth-Trunk specification extension from the inter-card Eth-Trunk.
– When interfaces on the FC series, SC series, EE series, ET1D2X48SEC0, or
EH1D2X48SEC0 card, card without Eth-Trunk specification extension, and
X series card working in normal mode form an inter-card Eth-Trunk, first
run the unknown-unicast load-balance command to set the load
balancing mode of unknown unicast packets to lbid. After the inter-card
Eth-Trunk is created, the load balancing mode of unknown unicast
packets cannot be changed.
– If interfaces on the card with Eth-Trunk specification extension in normal
mode or card without Eth-Trunk specification extension are added to the
same Eth-Trunk with interfaces on the card with Eth-Trunk specification
extension in advanced mode, load balancing of the Eth-Trunk is uneven,
packet loss or excess packets may occur for non-known unicast traffic,
and the alarm IFPDT_1.3.6.1.4.1.2011.5.25.157.2.211
hwNotSameBoardInTrunk is triggered.

Precautions for an Inter-Card Eth-Trunk with Eth-Trunk Specification
Extension
● Upgrade
After a version earlier than V200R010C00 is upgraded to V200R010C00 or a
later version, the card hash mode is as follows:
– If the configuration is not saved before the card is started or installed, the
installed FC series, SC series, EE series, ET1D2X48SEC0, or EH1D2X48SEC0
card works in advanced mode and the corresponding configuration is
generated.
– If the configuration is saved before the card is started or installed, the
installed FC series, SC series, EE series, ET1D2X48SEC0, or EH1D2X48SEC0
card works in normal mode.
● Configuration effectiveness
– When the assign trunk command is used to change Eth-Trunk
specifications on a switch of V200R003, V200R005, or V200R006, you
need to restart the switch to make the configuration take effect.
– When the assign trunk command is used to change Eth-Trunk
specifications on a switch of V200R007 or later, you need to save the
configuration and restart the switch to make the configuration take
effect.
● Configuration ineffectiveness
If you use the assign trunk command to modify Eth-Trunk specifications, the
existing Eth-Trunk configuration will be invalid or lost. Exercise caution when
you run this command.
– When the configured Eth-Trunk specifications are reduced and the Eth-
Trunks that exceed the specifications are configured, the configuration of
excess Eth-Trunks is invalid.
– When the configured value of group-number is larger than 128 or the
configured value of member-number is larger than 16, the switch can
only use the enhanced mode to load balance known unicast packets. The
common mode is invalid for the known unicast packets.
● Load balancing
– When interfaces on the FC series, SC series, EE series, ET1D2X48SEC0, or
EH1D2X48SEC0 card, card without Eth-Trunk specification extension, and
X series card working in normal mode form an inter-card Eth-Trunk, first
run the unknown-unicast load-balance command to set the load
balancing mode of unknown unicast packets to lbid. After the inter-card
Eth-Trunk is created, the load balancing mode of unknown unicast
packets cannot be changed.
– If incoming traffic enters the Eth-Trunk on the card without Eth-Trunk
specification extension, outgoing traffic goes out of the card with Eth-
Trunk specification extension, and the Eth-Trunk on the card with Eth-
Trunk specification extension has more than eight member interfaces,
traffic may be unevenly load balanced on the Eth-Trunk of the card with
Eth-Trunk specification extension and known unicast traffic can be only
sent out from the eight Eth-Trunk member interfaces.
– If interfaces on the card with Eth-Trunk specification extension in normal
mode or card without Eth-Trunk specification extension are added to the
same Eth-Trunk with interfaces on the card with Eth-Trunk specification
extension in advanced mode, load balancing of the Eth-Trunk is uneven
and the alarm IFPDT_1.3.6.1.4.1.2011.5.25.157.2.211
hwNotSameBoardInTrunk is triggered.
● Card installation
If only cards with Eth-Trunk specification extension are installed on a switch
and the configuration specified by the assign trunk command takes effect,
the hash mode of cards that are installed later is as follows:
– Card with Eth-Trunk specification extension: If the Eth-Trunk index is
larger than 127, cards with Eth-Trunk specification extension work in
advanced mode, and the corresponding configuration is generated. If the
Eth-Trunk index does not exceed 127, cards with Eth-Trunk specification
extension work in normal mode.
– Card without Eth-Trunk specification extension: The Eth-Trunk index
cannot exceed 127. However, if the Eth-Trunk index exceeds 127, the card
without Eth-Trunk specification extension fails to be registered, and the
L2IFPPI_1.3.6.1.4.1.2011.5.25.219.2.2.13_hwBoardPowerOff alarm is
triggered. If the Eth-Trunk index does not exceed 127 but the value of
member-number is larger than 8, the
IFPDT_1.3.6.1.4.1.2011.5.25.157.2.247_hwBoardNotSupportAssignTrunk
alarm is triggered.
NOTE

The index is the internal number that the switch allocates to each Eth-Trunk, and
is different from the Eth-Trunk ID. If the configured number of Eth-Trunks
supported by the switch is larger than 128 and many Eth-Trunks are created on
the switch, the index larger than 127 may be occupied. The card without Eth-
Trunk specification extension can only use the index of 127 or smaller, the system
checks the index and limits its registration. If the non-registered card without
Eth-Trunk specification extension is reserved, this card cannot be registered even
if the switch restarts.
– You can run the display reset-reason command to check the registration
failure cause. The system displays the message "This LPU only supports
the trunks with index 127 or smaller than 127.". If the card without Eth-
Trunk specification extension must be used, you must delete the Eth-
Trunk with the index larger than 127.
● Card replacement
Table 3-30 lists the hash modes of cards in a slot before and after card
replacement.

Table 3-30 Hash modes of cards in a slot before and after card replacement

Replaced Card                                  | Hash Mode of the Replaced Card | New Card                                       | Hash Mode of the New Card
Card with Eth-Trunk specification extension    | advanced                       | Card with Eth-Trunk specification extension    | advanced
Card with Eth-Trunk specification extension    | advanced                       | Card without Eth-Trunk specification extension | N/A
Card with Eth-Trunk specification extension    | normal                         | Card with Eth-Trunk specification extension    | normal
Card with Eth-Trunk specification extension    | normal                         | Card without Eth-Trunk specification extension | N/A
Card without Eth-Trunk specification extension | N/A                            | Card with Eth-Trunk specification extension    | normal

● Card removal
When the card with Eth-Trunk specification extension in advanced mode is
removed, the configuration of the hash mode is reserved in the system. You
can run the undo eth-trunk load-balance hash-mode command to clear the
configuration of the hash mode.
● Other
– When interfaces on the card with Eth-Trunk specification extension form
an inter-card Eth-Trunk with interfaces on other cards, the hash mode of
the card with Eth-Trunk specification extension cannot be changed. To
change the hash mode of the card with Eth-Trunk specification extension,
first delete the inter-card Eth-Trunk member interfaces of the card with
Eth-Trunk specification extension from the inter-card Eth-Trunk.
– If a switch functions as a WLAN AC, X series cards are used and APs are
connected to the switch through an inter-card Eth-Trunk on the user side,
and non-X series cards are used on the network side, the actual Eth-Trunk
specifications cannot reach those configured using this command and
may be as low as half of the configured specifications.
– The card without Eth-Trunk specification extension and the card with Eth-
Trunk specification extension working in normal mode do not support
Eth-Trunk specification extensions. If the switch that is configured with
Eth-Trunk specification extensions is equipped with these cards, a
maximum of eight Eth-Trunk member interfaces are allowed on these
cards.
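The rules in 3.6.2.1 are easy to get wrong during a card swap, so here is an added Python pre-check (not part of this guide and not Huawei's code) that classifies cards according to Table 3-28 and applies the hash-mode, member-count and card-installation rules stated above. The slot numbers, card series and member counts in it are constructed; the card model names are the two listed in Table 3-28.

```python
"""Checks for inter-card Eth-Trunk deployment (added example, not Huawei's
code). Card classification follows Table 3-28 and the checks follow the
precautions above. Slots, series and member counts are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Table 3-28: card series with Eth-Trunk specification extension ...
EXTENSIBLE_SERIES = {"EE", "FC", "SC", "X"}
# ... and without it. The EC series is non-extensible except for two models.
NON_EXTENSIBLE_SERIES = {"BC", "EA", "ED", "FA", "SA", "EC1", "EA1", "EC"}
EXTENSIBLE_EC_MODELS = {"ET1D2X48SEC0", "EH1D2X48SEC0"}
MAX_MEMBERS_WITHOUT_EXTENSION = 8   # cap for non-extensible and normal-mode cards
MAX_INDEX_WITHOUT_EXTENSION = 127   # highest Eth-Trunk index such cards accept


@dataclass(frozen=True)
class Card:
    slot: int
    series: str                   # e.g. "EE", "SA", "EC"
    model: Optional[str] = None   # full model name; only matters for the EC series
    hash_mode: str = "normal"     # "normal" or "advanced" (ignored if non-extensible)


def has_spec_extension(card: Card) -> bool:
    """Classify a card according to Table 3-28."""
    if card.model in EXTENSIBLE_EC_MODELS or card.series in EXTENSIBLE_SERIES:
        return True
    if card.series in NON_EXTENSIBLE_SERIES:
        return False
    raise ValueError(f"unknown card series {card.series!r}")


def check_inter_card_trunk(members: List[Tuple[Card, int]],
                           spec_extension_configured: bool = False) -> List[str]:
    """Return findings for one inter-card Eth-Trunk (empty list = compliant).

    members: (card, number of Eth-Trunk member interfaces on that card).
    spec_extension_configured: whether assign trunk specifications beyond
    the default are in effect on the switch."""
    findings: List[str] = []
    ext = [c for c, _ in members if has_spec_extension(c)]
    non_ext = [c for c, _ in members if not has_spec_extension(c)]

    if ext and non_ext:
        # Mixed trunk: extensible cards must work in normal mode.
        for c in ext:
            if c.hash_mode != "normal":
                findings.append(f"slot {c.slot} ({c.series}): set hash mode to normal; the "
                                "Eth-Trunk also spans cards without specification extension")
    elif len(ext) > 1:
        # All-extensible trunk: every card must use the same hash mode.
        modes = sorted({c.hash_mode for c in ext})
        if len(modes) > 1:
            findings.append(f"hash modes differ across extensible cards {modes}: uneven "
                            "load balancing, alarm hwNotSameBoardInTrunk expected")

    if spec_extension_configured:
        for c, n in members:
            capped = not has_spec_extension(c) or c.hash_mode == "normal"
            if capped and n > MAX_MEMBERS_WITHOUT_EXTENSION:
                findings.append(f"slot {c.slot} ({c.series}): {n} member interfaces, "
                                f"at most {MAX_MEMBERS_WITHOUT_EXTENSION} allowed on this card")
    return findings


def card_install_result(card: Card, highest_trunk_index: int,
                        member_number: int) -> Tuple[bool, Optional[str], List[str]]:
    """Card installation rules once assign trunk has taken effect:
    (registers?, resulting hash mode, alarms to expect)."""
    if has_spec_extension(card):
        mode = "advanced" if highest_trunk_index > MAX_INDEX_WITHOUT_EXTENSION else "normal"
        return True, mode, []
    if highest_trunk_index > MAX_INDEX_WITHOUT_EXTENSION:
        return False, None, ["L2IFPPI hwBoardPowerOff (index exceeds 127)"]
    if member_number > MAX_MEMBERS_WITHOUT_EXTENSION:
        return True, None, ["IFPDT hwBoardNotSupportAssignTrunk (member-number > 8)"]
    return True, None, []


if __name__ == "__main__":
    trunk = [(Card(1, "EE", hash_mode="advanced"), 4), (Card(3, "SA"), 4)]
    for finding in check_inter_card_trunk(trunk):
        print(finding)
```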

3.6.2.2 Example for Configuring Link Aggregation in Manual Mode When
Switches Are Directly Connected

Overview
Ethernet link aggregation increases link bandwidth by bundling multiple physical
links to form a logical link. Link aggregation can work in manual mode or Link
Aggregation Control Protocol (LACP) mode.

In manual mode, you must manually create an Eth-Trunk and add member
interfaces to the Eth-Trunk. In this mode, LACP is not required. If a high link
bandwidth between two directly connected devices is required but the remote
device does not support LACP, you can use the manual mode. The manual mode
can increase bandwidth, enhance reliability, and implement load balancing.

In manual mode, all active links forward data and load balance traffic.

Configuration Notes
● Member interfaces of an Eth-Trunk must use the same Ethernet type and rate.
● Both devices of the Eth-Trunk must use the same number of physical
interfaces, interface rate, duplex mode, and flow control mode.
● If an interface of the local device is added to an Eth-Trunk, an interface of the
remote device directly connected to the interface of the local device must also
be added to an Eth-Trunk. Otherwise, the two ends cannot communicate.
● Both devices of an Eth-Trunk must use the same link aggregation mode.
● This example applies to all versions of all S series switches.

Networking Requirements
In Figure 3-74, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN 20
through Ethernet links, and heavy traffic is transmitted between SwitchA and
SwitchB.

SwitchA and SwitchB need to provide higher link bandwidth to implement inter-VLAN
communication, and data transmission and link reliability need to be ensured.

Figure 3-74 Networking for configuring link aggregation in manual mode

Configuration Roadmap
The configuration roadmap is as follows:

1. Create an Eth-Trunk and add member interfaces to the Eth-Trunk to increase
link bandwidth.
2. Create VLANs and add interfaces to the VLANs.

3. Set the load balancing mode to ensure that traffic is load balanced between
member interfaces of the Eth-Trunk and enhance reliability.

Procedure
Step 1 Create an Eth-Trunk on SwitchA and SwitchB and add member interfaces to the
Eth-Trunk.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface eth-trunk 1 //Create Eth-Trunk 1.
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 1/0/1 to 1/0/3 //Add GE1/0/1, GE1/0/2, and GE1/0/3 to
Eth-Trunk 1.
[SwitchA-Eth-Trunk1] quit
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] interface eth-trunk 1 //Create Eth-Trunk 1.
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 1/0/1 to 1/0/3 //Add GE1/0/1, GE1/0/2, and GE1/0/3 to
Eth-Trunk 1.
[SwitchB-Eth-Trunk1] quit

Step 2 Create VLANs and add interfaces to the VLANs.


# Create VLAN 10 and VLAN 20 and add interfaces to them. The configuration of
SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type trunk //Configure the interface as a trunk interface. The
default link type of an interface is not trunk.
[SwitchA-GigabitEthernet1/0/4] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/4] quit
[SwitchA] interface gigabitethernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] port link-type trunk //Configure the interface as a trunk interface. The
default link type of an interface is not trunk.
[SwitchA-GigabitEthernet1/0/5] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/5] quit

# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass
through. The configuration of SwitchB is similar to the configuration of SwitchA,
and is not mentioned here.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] port link-type trunk //Configure the interface as a trunk interface. The default link
type of an interface is not trunk.
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 10 20
[SwitchA-Eth-Trunk1] quit

Step 3 Set the load balancing mode of Eth-Trunk 1. The configuration of SwitchB is
similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] load-balance src-dst-mac //Configure load balancing based on the source and
destination MAC addresses on Eth-Trunk 1.
[SwitchA-Eth-Trunk1] quit

Step 4 Verify the configuration.


Run the display eth-trunk 1 command in any view to check whether the Eth-
Trunk is created and whether member interfaces are added.
[SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SA-XOR-DA
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 3
--------------------------------------------------------------------------------
PortName Status Weight
GigabitEthernet1/0/1 Up 1
GigabitEthernet1/0/2 Up 1
GigabitEthernet1/0/3 Up 1

The preceding information shows that Eth-Trunk 1 contains three member
interfaces: GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3.
The member interface status is Up and the value of Operate status of Eth-Trunk 1
is up.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
interface GigabitEthernet1/0/1
eth-trunk 1
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return

● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
interface GigabitEthernet1/0/1
eth-trunk 1
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10

#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return

3.6.2.3 Example for Configuring Link Aggregation in LACP Mode When
Switches Are Directly Connected

Overview
Ethernet link aggregation increases link bandwidth by bundling multiple physical
links to form a logical link. Link aggregation can work in manual mode or Link
Aggregation Control Protocol (LACP) mode.

If a high link bandwidth between two directly connected devices is required and
devices support LACP, the LACP mode is recommended. The LACP mode increases
bandwidth, improves reliability, implements load balancing, enhances Eth-Trunk
fault tolerance, and provides backup.

In LACP mode, some links are active links and other links are backup links. All the
active links participate in data forwarding. If an active link becomes faulty, a
backup link is selected to replace the faulty link. That is, the number of links
participating in data forwarding remains unchanged.

Configuration Notes
● Member interfaces of an Eth-Trunk must use the same Ethernet type and rate.
● Both devices of the Eth-Trunk must use the same number of physical
interfaces, interface rate, duplex mode, and flow control mode.
● If an interface of the local device is added to an Eth-Trunk, an interface of the
remote device directly connected to the interface of the local device must also
be added to an Eth-Trunk. Otherwise, the two ends cannot communicate.
● Both devices of an Eth-Trunk must use the same link aggregation mode.
● This example applies to all versions of all S series switches.

Networking Requirements
In Figure 3-75, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN 20
through Ethernet links, and heavy traffic is transmitted between SwitchA and
SwitchB. The link between SwitchA and SwitchB is required to provide high
bandwidth to implement inter-VLAN communication. Link aggregation in LACP
mode is configured on SwitchA and SwitchB to improve the bandwidth and
reliability. The following requirements must be met:

● Two active links implement load balancing.
● One link functions as the backup link. When a fault occurs on an active link,
the backup link replaces the faulty link to maintain reliable data transmission.
● Devices in the same VLAN can communicate.

Figure 3-75 Networking diagram for configuring link aggregation in LACP mode

Configuration Roadmap
The configuration roadmap is as follows:
1. Create an Eth-Trunk and configure the Eth-Trunk to work in LACP mode to
implement link aggregation.
2. Add member interfaces to the Eth-Trunk.
3. Set the LACP system priority and determine the Actor so that the Partner
selects active interfaces based on the Actor interface priority.
4. Set the upper threshold for the number of active interfaces to improve
reliability.
5. Set LACP interface priorities and determine active interfaces so that interfaces
with higher priorities are selected as active interfaces.
6. Create VLANs and add interfaces to the VLANs.

Procedure
Step 1 Create Eth-Trunk 1 on SwitchA and configure Eth-Trunk 1 to work in LACP mode.
The configuration of SwitchB is similar to that of SwitchA, and is not mentioned
here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface eth-trunk 1 //Create Eth-Trunk 1.
[SwitchA-Eth-Trunk1] mode lacp //Configure link aggregation in LACP mode.
[SwitchA-Eth-Trunk1] quit

Step 2 Add member interfaces to Eth-Trunk 1 on SwitchA. The configuration of SwitchB is
similar to that of SwitchA, and is not mentioned here.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] eth-trunk 1 //Add GE1/0/1 to Eth-Trunk 1.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] eth-trunk 1 //Add GE1/0/2 to Eth-Trunk 1.
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] eth-trunk 1 //Add GE1/0/3 to Eth-Trunk 1.
[SwitchA-GigabitEthernet1/0/3] quit

Step 3 Set the LACP system priority of SwitchA to 100 so that SwitchA becomes the Actor.
[SwitchA] lacp priority 100 //The default LACP system priority is 32768, and a smaller value means a higher
priority. Set the LACP system priority of SwitchA to 100, higher than that of SwitchB, so that SwitchA functions as the Actor.

Step 4 On SwitchA, set the upper threshold for the number of active interfaces to 2.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] max active-linknumber 2 //The default upper threshold for the number of active
interfaces in the LAG is 8. Change the upper threshold for the number of active interfaces to 2.
[SwitchA-Eth-Trunk1] quit

Step 5 Set LACP interface priorities on SwitchA to determine the active links.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] lacp priority 100 //The default LACP interface priority is 32768. Change
the LACP priority of GE1/0/1 to 100 so that GE1/0/1 serves as the active interface.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] lacp priority 100 //The default LACP interface priority is 32768. Change
the LACP priority of GE1/0/2 to 100 so that GE1/0/2 serves as the active interface.
[SwitchA-GigabitEthernet1/0/2] quit
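To make the Actor election and active-link selection of Steps 3 to 5 concrete, here is an added Python simulation (not part of this guide and not Huawei's code). It uses the system priorities, system IDs, interface priorities and port numbers shown by display eth-trunk 1 in Step 7; the link failure it simulates is a constructed case.

```python
"""LACP Actor election and active-link selection (added simulation, not
Huawei's code). System and port values are those shown by display
eth-trunk 1 in Step 7 of this example; the link failure is constructed."""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class LacpSystem:
    name: str
    system_priority: int   # lacp priority: smaller value = higher priority, default 32768
    system_id: str         # system MAC address, e.g. "00e0-fca8-0417"


@dataclass(frozen=True)
class Member:
    name: str
    port_priority: int     # lacp priority in interface view: smaller = higher, default 32768
    port_no: int
    up: bool = True


def _mac_value(mac: str) -> int:
    return int(mac.replace("-", "").replace(":", ""), 16)


def elect_actor(local: LacpSystem, partner: LacpSystem) -> LacpSystem:
    """The system with the smaller priority value becomes the Actor; on a
    tie the smaller system MAC wins. The Partner then follows the Actor's
    choice of active links."""
    return min((local, partner),
               key=lambda s: (s.system_priority, _mac_value(s.system_id)))


def select_links(members: List[Member], max_active: int,
                 least_active: int = 1) -> Dict[str, str]:
    """Actor-side selection: rank up links by (port priority, port number)
    and mark the first max_active as Selected; the rest stay as backups.
    If fewer than least_active links are up, the Eth-Trunk goes down."""
    ranked = sorted((m for m in members if m.up),
                    key=lambda m: (m.port_priority, m.port_no))
    chosen = {m.name for m in ranked[:max_active]} if len(ranked) >= least_active else set()
    return {m.name: "Selected" if m.name in chosen else "Unselect" for m in members}


def after_link_failure(members: List[Member], failed: str,
                       max_active: int) -> Dict[str, str]:
    """Re-run selection with one link down: a backup takes over, so the
    number of forwarding links is unchanged."""
    degraded = [replace(m, up=False) if m.name == failed else m for m in members]
    return select_links(degraded, max_active)


# Values from the display eth-trunk 1 output in Step 7.
SWITCH_A = LacpSystem("SwitchA", 100, "00e0-fca8-0417")
SWITCH_B = LacpSystem("SwitchB", 32768, "00e0-fca6-7f85")
MEMBERS_A = [
    Member("GigabitEthernet1/0/1", 100, 6145),
    Member("GigabitEthernet1/0/2", 100, 6146),
    Member("GigabitEthernet1/0/3", 32768, 6147),
]
MAX_ACTIVE = 2   # max active-linknumber 2


if __name__ == "__main__":
    print("Actor:", elect_actor(SWITCH_A, SWITCH_B).name)
    print("initial:", select_links(MEMBERS_A, MAX_ACTIVE))
    print("GE1/0/1 down:", after_link_failure(MEMBERS_A, "GigabitEthernet1/0/1", MAX_ACTIVE))
```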

Step 6 Create VLANs and add interfaces to the VLANs.


# Create VLAN 10 and VLAN 20 and add interfaces to them. The configuration of
SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type trunk //Configure the interface as a trunk interface. The
default link type of an interface is not trunk.
[SwitchA-GigabitEthernet1/0/4] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/4] quit
[SwitchA] interface gigabitethernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] port link-type trunk //Configure the interface as a trunk interface. The
default link type of an interface is not trunk.
[SwitchA-GigabitEthernet1/0/5] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/5] quit

# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass
through. The configuration of SwitchB is similar to the configuration of SwitchA,
and is not mentioned here.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] port link-type trunk //Configure the interface as a trunk interface. The default link
type of an interface is not trunk.
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 10 20
[SwitchA-Eth-Trunk1] quit

Step 7 Verify the configuration.

# Check information about the Eth-Trunk on each Switch and check whether link
negotiation is successful.
[SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: LACP
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 100 System ID: 00e0-fca8-0417
Least Active-linknumber: 1 Max Active-linknumber: 2
Operate status: up Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/1 Selected 1GE 100 6145 2865 11111100 1
GigabitEthernet1/0/2 Selected 1GE 100 6146 2865 11111100 1
GigabitEthernet1/0/3 Unselect 1GE 32768 6147 2865 11100000 1

Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet1/0/1 32768 00e0-fca6-7f85 32768 6145 2609 11111100
GigabitEthernet1/0/2 32768 00e0-fca6-7f85 32768 6146 2609 11111100
GigabitEthernet1/0/3 32768 00e0-fca6-7f85 32768 6147 2609 11110000
[SwitchB] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: LACP
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 32768 System ID: 00e0-fca6-7f85
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/1 Selected 1GE 32768 6145 2609 11111100 1
GigabitEthernet1/0/2 Selected 1GE 32768 6146 2609 11111100 1
GigabitEthernet1/0/3 Unselect 1GE 32768 6147 2609 11110000 1

Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet1/0/1 100 00e0-fca8-0417 100 6145 2865 11111100
GigabitEthernet1/0/2 100 00e0-fca8-0417 100 6146 2865 11111100
GigabitEthernet1/0/3 100 00e0-fca8-0417 32768 6147 2865 11100000

The preceding information shows that the LACP system priority of SwitchA is 100,
which is higher than the LACP system priority of SwitchB (32768), because a
smaller value indicates a higher priority. SwitchA therefore decides which links
are active: GigabitEthernet1/0/1 and GigabitEthernet1/0/2, which carry LACP
interface priority 100, are in Selected state, and GigabitEthernet1/0/3 is in
Unselect state because the upper threshold for active interfaces is 2. The two
Selected links share the load and GigabitEthernet1/0/3 stands by as a backup,
so load balancing and redundancy are implemented.
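
The Selected/Unselect states and the PortState flags above are what an operator checks after LACP negotiation. The following Python script is an added example and is not part of Huawei's documentation: it parses one display eth-trunk screen (the sample below is constructed from SwitchA's output above, not captured from a device) and flags the faults that usually hide behind an "up" Eth-Trunk, namely member ports whose partner System ID differs (the links are cabled to different devices), ports whose LACP state flags disagree with their Selected status, and ports whose partner information is defaulted or expired (no LACPDUs are arriving). Reading the PortState column left to right as the IEEE 802.1AX state bits is an assumption inferred from the sample values, not taken from the vendor documentation.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on SwitchA's "display eth-trunk 1" screen above; not a capture.
SAMPLE_OUTPUT = """\
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: LACP
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 100 System ID: 00e0-fca8-0417
Least Active-linknumber: 1 Max Active-linknumber: 2
Operate status: up Number Of Up Port In Trunk: 2
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState Weight
GigabitEthernet1/0/1 Selected 1GE 100 6145 2865 11111100 1
GigabitEthernet1/0/2 Selected 1GE 100 6146 2865 11111100 1
GigabitEthernet1/0/3 Unselect 1GE 32768 6147 2865 11100000 1

Partner:
--------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey PortState
GigabitEthernet1/0/1 32768 00e0-fca6-7f85 32768 6145 2609 11111100
GigabitEthernet1/0/2 32768 00e0-fca6-7f85 32768 6146 2609 11111100
GigabitEthernet1/0/3 32768 00e0-fca6-7f85 32768 6147 2609 11110000
"""

# IEEE 802.1AX state flags, read left to right in the PortState column. Assumption:
# this ordering is inferred from the sample (Selected ports show 11111100, the
# Unselect port 11100000); it is not taken from the vendor documentation.
STATE_BITS = ("activity", "timeout", "aggregation", "synchronization",
              "collecting", "distributing", "defaulted", "expired")
LOCAL_ROW = re.compile(r"(\S+)\s+(Selected|Unselect)\s+\S+\s+\d+\s+\d+\s+(\d+)\s+([01]{8})")
PARTNER_ROW = re.compile(r"(\S+)\s+\d+\s+([0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+\d+\s+\d+\s+(\d+)\s+([01]{8})", re.I)


@dataclass
class Port:
    name: str
    status: str       # Selected / Unselect (local rows); "" for partner rows
    system_id: str    # partner System ID (partner rows); "" for local rows
    key: int
    state: dict


@dataclass
class EthTrunk:
    lag_id: int = 0
    mode: str = ""
    max_active: int = 0
    local: list = field(default_factory=list)
    partner: list = field(default_factory=list)


def _flags(bits):
    return {name: bit == "1" for name, bit in zip(STATE_BITS, bits)}


def parse_eth_trunk(text):
    """Parse the Local and Partner tables of one 'display eth-trunk' screen."""
    t, section = EthTrunk(), None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"LAG ID:\s*(\d+)\s+WorkingMode:\s*(\S+)", line):
            t.lag_id, t.mode = int(m.group(1)), m.group(2)
        elif m := re.search(r"Max Active-linknumber:\s*(\d+)", line):
            t.max_active = int(m.group(1))
        elif line in ("Local:", "Partner:"):
            section = line[:-1]
        elif section == "Local" and (m := LOCAL_ROW.match(line)):
            t.local.append(Port(m.group(1), m.group(2), "", int(m.group(3)), _flags(m.group(4))))
        elif section == "Partner" and (m := PARTNER_ROW.match(line)):
            t.partner.append(Port(m.group(1), "", m.group(2).lower(), int(m.group(3)), _flags(m.group(4))))
    return t


def audit(t):
    """Return findings in plain language; an empty list means the LAG looks healthy."""
    f = []
    if t.mode.upper() != "LACP":
        f.append(f"Eth-Trunk{t.lag_id}: working mode is {t.mode}, not LACP")
    selected = [p for p in t.local if p.status == "Selected"]
    if not selected:
        f.append(f"Eth-Trunk{t.lag_id}: no Selected member port, so the LAG forwards nothing")
    if len(selected) > t.max_active:
        f.append(f"Eth-Trunk{t.lag_id}: {len(selected)} Selected ports exceed max active-linknumber {t.max_active}")
    for p in t.local:
        want = p.status == "Selected"
        off = [b for b in ("synchronization", "collecting", "distributing") if p.state[b] != want]
        if off:
            f.append(f"{p.name}: {p.status} but state flags {off} disagree with that status")
        if p.state["defaulted"] or p.state["expired"]:
            f.append(f"{p.name}: partner information is defaulted/expired, no LACPDUs are arriving")
    ids = {p.system_id for p in t.partner}
    if len(ids) > 1:
        f.append(f"member ports see different partner system IDs {sorted(ids)}: links are cabled to different devices")
    if len({p.key for p in t.partner}) > 1:
        f.append("partner PortKey differs across member ports: the peer ports are not in one LAG")
    return f
```

Feed a captured screen to parse_eth_trunk() and then audit(); for the configuration above the expected result is an empty finding list, with GigabitEthernet1/0/1 and GigabitEthernet1/0/2 reported as Selected.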

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
lacp priority 100
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
mode lacp
max active-linknumber 2
#
interface GigabitEthernet1/0/1
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet1/0/2
eth-trunk 1
lacp priority 100
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 20
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
mode lacp
#
interface GigabitEthernet1/0/1
eth-trunk 1
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 20
#
return

3.6.2.4 Example for Connecting an E-Trunk to a VPLS Network

Overview
Enhanced Trunk (E-Trunk) is an extension to LACP (a link aggregation protocol for
a single device) and implements link aggregation among multiple devices. E-Trunk
therefore provides device-level link reliability, beyond the card-level link
reliability that an Eth-Trunk on a single device provides.
When a CE is dual-homed to a VPLS, VLL, or PWE3 network, an E-Trunk can be
configured to protect the links between the CE and PEs and implement backup
between PEs. If no E-Trunk is configured, a CE can be connected to only one PE
using an Eth-Trunk. If the Eth-Trunk or the PE fails, the CE cannot communicate
with the PE. After the E-Trunk is used, the CE can be dual-homed to two PEs to
implement backup.

Configuration Notes
● Devices must use link aggregation in LACP mode.
● In Figure 3-76, the E-Trunk configuration on PE1 and PE2 must be the same.
The Eth-Trunks between PE1 and CE1 and between PE2 and CE1 must use the
same rate and duplex mode (key values must be the same) and join the same
E-Trunk. After the Eth-Trunks are added to the E-Trunk, ensure that the LACP
priorities and system IDs of PE1 and PE2 are the same. On CE1, interfaces
directly connected to PE1 and PE2 must be added to the same Eth-Trunk. The
Eth-Trunk can have a different Eth-Trunk ID from that on the PEs. For
example, the CE is configured with Eth-Trunk 20, while both PEs are
configured with Eth-Trunk 10.
● You must specify an IP address (loopback address recommended) for each PE
to ensure Layer 3 connectivity. Ensure that the peer IP address of a PE is the
local IP address of the other PE.
● The E-Trunk must be bound to a BFD session.
● You must set the same protocol packet password for PE1 and PE2.
● This example applies to the following products:
– S5700-HI, S5710-EI, S5720-EI, S5710-HI, S5720-HI, S5730-HI, S5731-H,
S5731S-H, S5732-H
– S6700-EI, S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a
product series or product model, and click Hardware Center.

Networking Requirements
If no E-Trunk is configured, a CE can be connected to only one PE using an Eth-
Trunk. If the Eth-Trunk or the PE fails, the CE cannot communicate with the PE.
After an E-Trunk is configured, the CE can be dual-homed to PEs, which provides
device-level link reliability rather than only card-level link reliability.
In Figure 3-76, CE1 is connected to PE1 and PE2 using two Eth-Trunks in LACP
mode and is dual-homed to a VPLS network.
Initially, CE1 communicates with CE2 on the VPLS network through PE1. If PE1 or
the Eth-Trunk between CE1 and PE1 fails, CE1 cannot communicate with CE2. To
prevent service interruption, configure an E-Trunk on PE1 and PE2. When
communication between CE1 and PE1 fails, traffic is switched to PE2 so that CE1
can communicate with CE2 through PE2. When PE1 or the Eth-Trunk between CE1
and PE1 recovers, traffic is switched back to PE1.
The E-Trunk implements backup of link aggregation groups (LAGs) between PE1
and PE2 and therefore improves network reliability.

Figure 3-76 Connecting an E-Trunk to a VPLS network

Switch  Interface             Layer 3 Interface        IP Address
PE1     GigabitEthernet1/0/1  -                        -
        GigabitEthernet1/0/2  -                        -
        GigabitEthernet1/0/3  VLANIF 100               10.1.1.1/24
        Loopback1             -                        1.1.1.9/32
PE2     GigabitEthernet1/0/1  -                        -
        GigabitEthernet1/0/2  -                        -
        GigabitEthernet1/0/3  VLANIF 200               10.1.2.1/24
        Loopback1             -                        2.2.2.9/32
PE3     GigabitEthernet1/0/1  VLANIF 100               10.1.1.2/24
        GigabitEthernet1/0/2  VLANIF 200               10.1.2.2/24
        GigabitEthernet1/0/3  GigabitEthernet1/0/3.1   -
        Loopback1             -                        3.3.3.9/32
CE1     GigabitEthernet1/0/1  -                        -
        GigabitEthernet1/0/2  -                        -
        GigabitEthernet1/0/3  -                        -
        GigabitEthernet1/0/4  -                        -
CE2     GigabitEthernet1/0/3  -                        -

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an E-Trunk.
– Create Eth-Trunks in LACP mode between CE1 and PE1 and between CE1
and PE2. Add member interfaces to the Eth-Trunks.
– Create an E-Trunk on PE1 and PE2 and add the two Eth-Trunks in LACP
mode to the E-Trunk.
– Set E-Trunk parameters:

▪ E-Trunk priority

▪ LACP system ID and LACP priority of the E-Trunk

▪ Interval at which Hello packets are sent

▪ Time multiplier for detecting Hello packets

▪ IP addresses of the local and remote ends


– Bind the E-Trunk to a BFD session.
2. Configure CE1 to connect to the VPLS network as follows:
– Configure a routing protocol on the backbone network to implement the
interworking between devices.
– Configure basic MPLS functions and LDP.
– Enable MPLS L2VPN on PEs.
– Configure a VSI and specify LDP as the signaling protocol.
– Create Eth-Trunk sub-interfaces and bind the VSI to the sub-interfaces.

Procedure
Step 1 Configure VLANs and IP addresses on the PW-side interfaces according to Figure
3-76. Configure a routing protocol on the backbone network to implement the
interworking between devices. OSPF is used in this example.

# Configure aggregation switch PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 100
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] port link-type trunk
[PE1-GigabitEthernet1/0/3] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/3] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip address 10.1.1.1 24
[PE1-Vlanif100] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure aggregation switch PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 200
[PE2] interface gigabitethernet 1/0/3
[PE2-GigabitEthernet1/0/3] port link-type trunk
[PE2-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
[PE2-GigabitEthernet1/0/3] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] ip address 10.1.2.1 24
[PE2-Vlanif200] quit
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

# Configure aggregation switch PE3.
<HUAWEI> system-view
[HUAWEI] sysname PE3
[PE3] vlan batch 100 200
[PE3] interface gigabitethernet 1/0/1
[PE3-GigabitEthernet1/0/1] port link-type trunk
[PE3-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE3-GigabitEthernet1/0/1] quit
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] port link-type trunk
[PE3-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[PE3-GigabitEthernet1/0/2] quit
[PE3] interface vlanif 100
[PE3-Vlanif100] ip address 10.1.1.2 24
[PE3-Vlanif100] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] ip address 10.1.2.2 24
[PE3-Vlanif200] quit
[PE3] interface loopback 1
[PE3-LoopBack1] ip address 3.3.3.9 32
[PE3-LoopBack1] quit
[PE3] ospf 1
[PE3-ospf-1] area 0
[PE3-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE3-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] quit
[PE3-ospf-1] quit

After the configuration is complete, PE1, PE2, and PE3 use OSPF to discover IP
routes to each other's Loopback1 interface, and can ping one another. Run the
display ip routing-table command on PE1, PE2, and PE3 to determine whether
the PEs have learned the routes to one another.

NOTE

● The AC-side interface and PW-side interface of a PE cannot be added to the same VLAN;
otherwise, a loop may occur.
● When configuring OSPF, configure PE1, PE2, and PE3 to advertise 32-bit loopback
addresses.

Step 2 Configure Eth-Trunks in LACP mode on user-side switch CE1, PE1, and PE2, and
add member interfaces to the Eth-Trunks. Configure Layer 2 forwarding on CE1.
# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface eth-trunk 20 //Create Eth-Trunk 20 and enter the view of Eth-Trunk 20.
[CE1-Eth-Trunk20] port link-type trunk //Set the link type of the interface to trunk.
[CE1-Eth-Trunk20] port trunk allow-pass vlan 10 //Add Eth-Trunk 20 to VLAN 10.
[CE1-Eth-Trunk20] mode lacp //Configure Eth-Trunk 20 to work in LACP mode.
[CE1-Eth-Trunk20] trunkport GigabitEthernet 1/0/1 to 1/0/4 //Add GE1/0/1 to GE1/0/4 to Eth-Trunk20.
[CE1-Eth-Trunk20] quit

# Configure PE1.
[PE1] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-Trunk 10.
[PE1-Eth-Trunk10] port link-type trunk //Set the link type of the interface to trunk.
[PE1-Eth-Trunk10] mode lacp //Configure Eth-Trunk 10 to work in LACP mode.
[PE1-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2 //Add GE1/0/1 and GE1/0/2 to Eth-Trunk10.
[PE1-Eth-Trunk10] quit

# Configure PE2.
[PE2] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-Trunk 10.
[PE2-Eth-Trunk10] port link-type trunk //Set the link type of the interface to trunk.
[PE2-Eth-Trunk10] mode lacp //Configure Eth-Trunk 10 to work in LACP mode.
[PE2-Eth-Trunk10] trunkport GigabitEthernet 1/0/1 to 1/0/2 //Add GE1/0/1 and GE1/0/2 to Eth-Trunk10.
[PE2-Eth-Trunk10] quit

Step 3 Create an E-Trunk and set the LACP priority, LACP system ID, E-Trunk priority, time
multiplier for detecting hello packets, interval at which hello packets are sent, and
local and remote IP addresses.

# Configure PE1.
[PE1] e-trunk 1 //Create E-Trunk 1 and enter the view of E-Trunk 1.
[PE1-e-trunk-1] quit
[PE1] lacp e-trunk priority 1 //Set the LACP priority of E-Trunk 1 to 1.
[PE1] lacp e-trunk system-id 00E0-FC00-0000 //Set the LACP system ID of E-Trunk 1 to 00E0-FC00-0000.
[PE1] e-trunk 1 //Enter the view of E-Trunk 1.
[PE1-e-trunk-1] priority 10 //Set the priority of E-Trunk 1 to 10.
[PE1-e-trunk-1] timer hold-on-failure multiplier 3 //Set the time multiplier for detecting hello packets to
3. The peer is declared failed after three hello intervals (Fail-Time 27 x 100 ms in the verification output).
[PE1-e-trunk-1] timer hello 9 //Set the interval at which hello packets are sent to 9. The unit is 100 ms,
so a hello packet is sent every 900 ms.
[PE1-e-trunk-1] peer-address 2.2.2.9 source-address 1.1.1.9 //Set the remote IP address to 2.2.2.9 and
local IP address to 1.1.1.9.
[PE1-e-trunk-1] quit

# Configure PE2.
[PE2] e-trunk 1 //Create E-Trunk 1 and enter the view of E-Trunk 1.
[PE2-e-trunk-1] quit
[PE2] lacp e-trunk priority 1 //Set the LACP priority of E-Trunk 1 to 1.
[PE2] lacp e-trunk system-id 00E0-FC00-0000 //Set the LACP system ID of E-Trunk 1 to 00E0-FC00-0000.
[PE2] e-trunk 1 //Enter the view of E-Trunk 1.
[PE2-e-trunk-1] priority 20 //Set the priority of E-Trunk 1 to 20.
[PE2-e-trunk-1] timer hold-on-failure multiplier 3 //Set the time multiplier for detecting hello packets to
3. The peer is declared failed after three hello intervals (Fail-Time 27 x 100 ms in the verification output).
[PE2-e-trunk-1] timer hello 9 //Set the interval at which hello packets are sent to 9. The unit is 100 ms,
so a hello packet is sent every 900 ms.
[PE2-e-trunk-1] peer-address 1.1.1.9 source-address 2.2.2.9 //Set the remote IP address to 1.1.1.9 and
local IP address to 2.2.2.9.
[PE2-e-trunk-1] quit

Step 4 Add the Eth-Trunks in LACP mode to the E-Trunk.

# Configure PE1.
[PE1] interface eth-trunk 10 //Enter the view of Eth-Trunk 10.
[PE1-Eth-Trunk10] e-trunk 1 //Add Eth-Trunk 10 to E-Trunk 1.
[PE1-Eth-Trunk10] quit

# Configure PE2.
[PE2] interface eth-trunk 10 //Enter the view of Eth-Trunk 10.
[PE2-Eth-Trunk10] e-trunk 1 //Add Eth-Trunk 10 to E-Trunk 1.
[PE2-Eth-Trunk10] quit

Step 5 Bind the E-Trunk to a BFD session.

● Create a BFD session.
# Configure PE1.
[PE1] bfd //Enable BFD.
[PE1-bfd] quit
[PE1] bfd hello1 bind peer-ip 2.2.2.9 source-ip 1.1.1.9 //Create a BFD session named hello1 and
bind the BFD session to remote IP address 2.2.2.9 and local IP address 1.1.1.9.
[PE1-bfd-session-hello1] discriminator local 1 //Set the local discriminator to 1.
[PE1-bfd-session-hello1] discriminator remote 2 //Set the remote discriminator to 2.
[PE1-bfd-session-hello1] commit //Commit the BFD session configuration.
[PE1-bfd-session-hello1] quit
The IP addresses of the local and remote ends of a BFD session must be the
same as those of the E-Trunk.
# Configure PE2.
[PE2] bfd
[PE2-bfd] quit
[PE2] bfd hello2 bind peer-ip 1.1.1.9 source-ip 2.2.2.9 //Create a BFD session named hello2 and
bind the BFD session to remote IP address 1.1.1.9 and local IP address 2.2.2.9.
[PE2-bfd-session-hello2] discriminator local 2 //Set the local discriminator to 2.
[PE2-bfd-session-hello2] discriminator remote 1 //Set the remote discriminator to 1.
[PE2-bfd-session-hello2] commit //Commit the BFD session configuration.
[PE2-bfd-session-hello2] quit

● Bind E-Trunk 1 to the BFD session.
# Configure PE1.
[PE1] e-trunk 1 //Enter the view of E-Trunk 1.
[PE1-e-trunk-1] e-trunk track bfd-session session-name hello1 //Bind E-Trunk 1 to the BFD session
hello1.
[PE1-e-trunk-1] quit
# Configure PE2.
[PE2] e-trunk 1 //Enter the view of E-Trunk 1.
[PE2-e-trunk-1] e-trunk track bfd-session session-name hello2 //Bind E-Trunk 1 to the BFD session
hello2.
[PE2-e-trunk-1] quit
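
The Configuration Notes require the two PEs' E-Trunk settings to agree: the same LACP system ID and LACP priority, the peer address of one PE equal to the source address of the other, an E-Trunk bound to a BFD session whose addresses match, and the same protocol packet password. The following Python script is an added example and is not part of Huawei's documentation: it parses two PE configuration files in VRP format and reports every violation of those rules, so Steps 3 to 5 above can be checked before CE1 is cut over. The sample files are constructed from the PE1 and PE2 configuration files of this example (trimmed to the E-Trunk parts and indented the way VRP prints them). It assumes the E-Trunk password is configured with a security-key command in the E-Trunk view; that command is not shown in this example, and because the cipher text differs per device the script only tests that the command is present on both PEs.

```python
import re


def parse_vrp(text):
    """Map each VRP view header ('e-trunk 1', 'bfd hello1 bind ...') to its indented
    sub-commands. Global commands are indented under a bare '#' with no header, so a
    chunk whose first line is indented is a run of stand-alone commands, not a view."""
    blocks, ctx, in_view = {}, None, False
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd == "#":
            ctx, in_view = None, False
            continue
        if ctx is None:
            in_view = not raw.startswith(" ")
        if ctx is not None and in_view and raw.startswith(" "):
            blocks[ctx].append(cmd)
        else:
            ctx = cmd
            blocks[ctx] = []
    return blocks


def extract(text):
    """Collect the per-PE facts the consistency rules depend on."""
    pe = {"name": "", "sysid": "", "lacp_pri": None, "etrunk": {}, "bfd": {}}
    for hdr, body in parse_vrp(text).items():
        if m := re.match(r"sysname (\S+)", hdr):
            pe["name"] = m.group(1)
        elif m := re.match(r"lacp e-trunk system-id (\S+)", hdr):
            pe["sysid"] = m.group(1).lower()
        elif m := re.match(r"lacp e-trunk priority (\d+)", hdr):
            pe["lacp_pri"] = int(m.group(1))
        elif m := re.match(r"bfd (\S+) bind peer-ip (\S+) source-ip (\S+)", hdr):
            pe["bfd"][m.group(1)] = (m.group(2), m.group(3))
        elif m := re.match(r"e-trunk (\d+)$", hdr):
            e = {"pri": None, "peer": None, "src": None, "timers": [], "bfd": None, "key": False}
            for cmd in body:
                if mm := re.match(r"priority (\d+)", cmd):
                    e["pri"] = int(mm.group(1))
                elif mm := re.match(r"peer-address (\S+) source-address (\S+)", cmd):
                    e["peer"], e["src"] = mm.group(1), mm.group(2)
                elif mm := re.match(r"e-trunk track bfd-session session-name (\S+)", cmd):
                    e["bfd"] = mm.group(1)
                elif cmd.startswith("timer "):
                    e["timers"].append(cmd)
                elif cmd.startswith("security-key "):  # assumed name of the E-Trunk password command
                    e["key"] = True
            pe["etrunk"][int(m.group(1))] = e
    return pe


def check_pair(a, b):
    """Return rule violations for the PE pair; an empty list means the PEs agree."""
    f = []
    for key in ("sysid", "lacp_pri"):
        if a[key] != b[key]:
            f.append(f"lacp e-trunk {key} differs ({a[key]} vs {b[key]}): CE1 would see two LACP partners")
    for eid in sorted(set(a["etrunk"]) | set(b["etrunk"])):
        ea, eb = a["etrunk"].get(eid), b["etrunk"].get(eid)
        if ea is None or eb is None:
            f.append(f"e-trunk {eid} is configured on only one PE")
            continue
        if (ea["peer"], ea["src"]) != (eb["src"], eb["peer"]):
            f.append(f"e-trunk {eid}: peer/source addresses are not mirrored between the PEs")
        if sorted(ea["timers"]) != sorted(eb["timers"]):
            f.append(f"e-trunk {eid}: hello timers differ")
        if ea["pri"] == eb["pri"]:
            f.append(f"e-trunk {eid}: same E-Trunk priority on both PEs; give the intended master the smaller value")
        for pe, e in ((a, ea), (b, eb)):
            if e["bfd"] is None:
                f.append(f"{pe['name']}: e-trunk {eid} is not bound to a BFD session")
            elif pe["bfd"].get(e["bfd"]) != (e["peer"], e["src"]):
                f.append(f"{pe['name']}: BFD session {e['bfd']} is missing or its IPs differ from e-trunk {eid}")
            if not e["key"]:
                f.append(f"{pe['name']}: e-trunk {eid} has no security-key, so E-Trunk packets are unauthenticated")
    return f


def sample_cfg(name, prio, peer, src, bfd, sysid="00e0-fc00-0000"):
    """Constructed PE file mirroring the PE1/PE2 configuration files of this example."""
    return f"""\
#
 sysname {name}
 lacp e-trunk system-id {sysid}
 lacp e-trunk priority 1
#
e-trunk 1
 priority {prio}
 peer-address {peer} source-address {src}
 timer hello 9
 timer hold-on-failure multiplier 3
 e-trunk track bfd-session session-name {bfd}
#
bfd {bfd} bind peer-ip {peer} source-ip {src}
#
"""


PE1_CFG = sample_cfg("PE1", 10, "2.2.2.9", "1.1.1.9", "hello1")
PE2_CFG = sample_cfg("PE2", 20, "1.1.1.9", "2.2.2.9", "hello2")
```

Run against the PE1 and PE2 files of this example, check_pair() reports only the missing security-key on each PE, which is exactly the gap between the Configuration Notes and the procedure above; a mismatched system ID or a BFD session bound to the wrong addresses is reported as a separate finding.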

Step 6 Configure PEs so that CE1 can access the VPLS network.
1. Configure basic MPLS functions and LDP on PE1, PE2, and PE3.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9 //Set the LSR ID to 1.1.1.9.
[PE1] mpls //Enable global MPLS.
[PE1-mpls] quit
[PE1] mpls ldp //Enable global LDP.
[PE1-mpls-ldp] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] mpls //Enable MPLS on an interface.
[PE1-Vlanif100] mpls ldp //Enable LDP on an interface.
[PE1-Vlanif100] quit
# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9 //Set the LSR ID to 2.2.2.9.
[PE2] mpls //Enable global MPLS.
[PE2-mpls] quit
[PE2] mpls ldp //Enable global LDP.
[PE2-mpls-ldp] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] mpls //Enable MPLS on an interface.
[PE2-Vlanif200] mpls ldp //Enable LDP on an interface.
[PE2-Vlanif200] quit
# Configure PE3.
[PE3] mpls lsr-id 3.3.3.9 //Set the LSR ID to 3.3.3.9.
[PE3] mpls //Enable global MPLS.
[PE3-mpls] quit
[PE3] mpls ldp //Enable global LDP.
[PE3-mpls-ldp] quit
[PE3] interface vlanif 100
[PE3-Vlanif100] mpls //Enable MPLS on an interface.
[PE3-Vlanif100] mpls ldp //Enable LDP on an interface.
[PE3-Vlanif100] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] mpls //Enable MPLS on an interface.
[PE3-Vlanif200] mpls ldp //Enable LDP on an interface.
[PE3-Vlanif200] quit
After the configuration is complete, run the display mpls ldp session
command on the PEs and check that the status of each LDP session is
Operational, which indicates that the LDP sessions between the directly
connected PEs are set up.
2. Enable MPLS L2VPN on PE1, PE2, and PE3.
# Configure PE1.
[PE1] mpls l2vpn //Enable global MPLS L2VPN.
[PE1-l2vpn] quit
# Configure PE2.
[PE2] mpls l2vpn //Enable global MPLS L2VPN.
[PE2-l2vpn] quit

# Configure PE3.
[PE3] mpls l2vpn //Enable global MPLS L2VPN.
[PE3-l2vpn] quit

3. Create a VSI ldp1 on PE1, PE2, and PE3 and specify LDP as the signaling
protocol in the VSI.
# Configure PE1.
[PE1] vsi ldp1 static //Create a VSI named ldp1 and configure static member discovery.
[PE1-vsi-ldp1] pwsignal ldp //Set the signaling mode to LDP.
[PE1-vsi-ldp1-ldp] vsi-id 2 //Set the ID of the VSI to 2.
[PE1-vsi-ldp1-ldp] peer 3.3.3.9 //Set the peer address of the VSI to 3.3.3.9.
[PE1-vsi-ldp1-ldp] quit
[PE1-vsi-ldp1] quit

# Configure PE2.
[PE2] vsi ldp1 static //Create a VSI named ldp1 and configure static member discovery.
[PE2-vsi-ldp1] pwsignal ldp //Set the signaling mode to LDP.
[PE2-vsi-ldp1-ldp] vsi-id 2 //Set the ID of the VSI to 2.
[PE2-vsi-ldp1-ldp] peer 3.3.3.9 //Set the peer address of the VSI to 3.3.3.9.
[PE2-vsi-ldp1-ldp] quit
[PE2-vsi-ldp1] quit

# Configure PE3.
[PE3] vsi ldp1 static //Create a VSI named ldp1 and configure static member discovery.
[PE3-vsi-ldp1] pwsignal ldp //Set the signaling mode to LDP.
[PE3-vsi-ldp1-ldp] vsi-id 2 //Set the ID of the VSI to 2.
[PE3-vsi-ldp1-ldp] peer 1.1.1.9 //Set the peer address of the VSI to 1.1.1.9.
[PE3-vsi-ldp1-ldp] peer 2.2.2.9 //Set the peer address of the VSI to 2.2.2.9.
[PE3-vsi-ldp1-ldp] quit
[PE3-vsi-ldp1] quit

4. Configure Eth-Trunk sub-interfaces on PE1 and PE2, and bind the VSI to the
Eth-Trunk sub-interfaces.
# Configure PE1.
[PE1] vcmp role silent //Set the VCMP role to silent so that the device does not take part in VCMP VLAN synchronization.
[PE1] interface Eth-Trunk 10.1 //Create Eth-Trunk 10.1 and enter the view of Eth-Trunk 10.1.
[PE1-Eth-Trunk10.1] dot1q termination vid 10 //Set the single VLAN ID for dot1q encapsulation on
Eth-Trunk 10.1 to VLAN 10.
[PE1-Eth-Trunk10.1] l2 binding vsi ldp1 //Bind Eth-Trunk 10.1 to the VSI ldp1.
[PE1-Eth-Trunk10.1] quit

# Configure PE2.
[PE2] vcmp role silent //Set the VCMP role to silent so that the device does not take part in VCMP VLAN synchronization.
[PE2] interface Eth-Trunk 10.1 //Create Eth-Trunk 10.1 and enter the view of Eth-Trunk 10.1.
[PE2-Eth-Trunk10.1] dot1q termination vid 10 //Set the single VLAN ID for dot1q encapsulation on
Eth-Trunk 10.1 to VLAN 10.
[PE2-Eth-Trunk10.1] l2 binding vsi ldp1 //Bind Eth-Trunk 10.1 to the VSI ldp1.
[PE2-Eth-Trunk10.1] quit

5. Configure a sub-interface on PE3 and bind the VSI to the sub-interface.
# Configure PE3.
[PE3] vcmp role silent //Set the VCMP role to silent so that the device does not take part in VCMP VLAN synchronization.
[PE3] interface gigabitethernet 1/0/3.1 //Create GE1/0/3.1 and enter the view of GE1/0/3.1.
[PE3-GigabitEthernet1/0/3.1] dot1q termination vid 10 //Set the single VLAN ID for dot1q
encapsulation on GE1/0/3.1 to VLAN 10.
[PE3-GigabitEthernet1/0/3.1] l2 binding vsi ldp1 //Bind GE1/0/3.1 to the VSI ldp1.
[PE3-GigabitEthernet1/0/3.1] quit

Step 7 Verify the configuration.

● Run the display eth-trunk command on CE1 to check the Eth-Trunk
configuration.
● Run the display e-trunk command to check information about the E-Trunk.
# Check information about E-Trunk 1 on PE1.
[PE1] display e-trunk 1
The E-Trunk information
E-TRUNK-ID : 1 Revert-Delay-Time (s) : 120
Priority : 10 System-ID : 00e0-0f74-eb00
Peer-IP : 2.2.2.9 Source-IP : 1.1.1.9
State : Master Causation : PRI
Send-Period (100ms) : 9 Fail-Time (100ms) : 27
Receive : 41 Send : 42
RecDrop : 0 SndDrop : 0
Peer-Priority : 20 Peer-System-ID : 00e0-3b6c-6100
Peer-Fail-Time (100ms) : 27 BFD-Session : hello1
Description : -
Sequence : Enable
--------------------------------------------------------------------------------
The Member information
Type ID LocalPhyState Work-Mode State Causation Remote-ID
Eth-Trunk 10 Up auto Master ETRUNK_MASTER 10

# Check information about E-Trunk 1 on PE2.
[PE2] display e-trunk 1
The E-Trunk information
E-TRUNK-ID : 1 Revert-Delay-Time (s) : 120
Priority : 20 System-ID : 00e0-3b6c-6100
Peer-IP : 1.1.1.9 Source-IP : 2.2.2.9
State : Backup Causation : PRI
Send-Period (100ms) : 9 Fail-Time (100ms) : 27
Receive : 43 Send : 42
RecDrop : 3 SndDrop : 0
Peer-Priority : 10 Peer-System-ID : 00e0-0f74-eb00
Peer-Fail-Time (100ms) : 27 BFD-Session : hello2
Description : -
Sequence : Enable
--------------------------------------------------------------------------------
The Member information
Type ID LocalPhyState Work-Mode State Causation Remote-ID
Eth-Trunk 10 Down auto Backup ETRUNK_BACKUP 10

The preceding information shows that the E-Trunk priority on PE1 is 10, and
the E-Trunk status is Master; the E-Trunk priority on PE2 is 20, and the E-
Trunk status is Backup (the smaller priority value wins, as Causation PRI
shows). On PE2 the member Eth-Trunk 10 is in Backup state with LocalPhyState
Down, so CE1's traffic to the VPLS network goes through PE1 and the links to
PE2 stay idle until PE1 or the Eth-Trunk between CE1 and PE1 fails. Device
backup is implemented.

----End

Configuration Files
● CE1 configuration file
#
sysname CE1
#
vlan batch 10
#
interface Eth-Trunk20
port link-type trunk
port trunk allow-pass vlan 10
mode lacp
#
interface GigabitEthernet1/0/1
eth-trunk 20
#
interface GigabitEthernet1/0/2
eth-trunk 20
#
interface GigabitEthernet1/0/3
eth-trunk 20
#
interface GigabitEthernet1/0/4
eth-trunk 20
#
return
● PE1 configuration file
#
sysname PE1
#
vcmp role silent
#
vlan batch 100
#
lacp e-trunk system-id 00e0-fc00-0000
lacp e-trunk priority 1
#
bfd
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
e-trunk 1
priority 10
peer-address 2.2.2.9 source-address 1.1.1.9
timer hello 9
timer hold-on-failure multiplier 3
e-trunk track bfd-session session-name hello1
#
interface Eth-Trunk10
port link-type trunk
mode lacp
e-trunk 1
#
interface Eth-Trunk10.1
dot1q termination vid 10
l2 binding vsi ldp1
#
interface GigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/2
eth-trunk 10
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bfd hello1 bind peer-ip 2.2.2.9 source-ip 1.1.1.9
discriminator local 1
discriminator remote 2
commit
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
● PE2 configuration file
#
sysname PE2
#
vcmp role silent
#
vlan batch 200
#
lacp e-trunk system-id 00e0-fc00-0000
lacp e-trunk priority 1
#
bfd
#
mpls lsr-id 2.2.2.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
interface Vlanif200
ip address 10.1.2.1 255.255.255.0
mpls
mpls ldp
#
e-trunk 1
priority 20
peer-address 1.1.1.9 source-address 2.2.2.9
timer hello 9
timer hold-on-failure multiplier 3
e-trunk track bfd-session session-name hello2
#
interface Eth-Trunk10
port link-type trunk
mode lacp
e-trunk 1
#
interface Eth-Trunk10.1
dot1q termination vid 10
l2 binding vsi ldp1
#
interface GigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/2
eth-trunk 10
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 200
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bfd hello2 bind peer-ip 1.1.1.9 source-ip 2.2.2.9
discriminator local 2
discriminator remote 1
commit
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.2.0 0.0.0.255
#
return

● PE3 configuration file
#
sysname PE3
#
vcmp role silent
#
vlan batch 100 200
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
peer 2.2.2.9
#
mpls ldp
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif200
ip address 10.1.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3.1
dot1q termination vid 10
l2 binding vsi ldp1
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#
return

3.6.2.5 Example for Configuring an Eth-Trunk to Preferentially Forward Local
Traffic in a CSS or Stack

Overview
In a CSS or stack, an Eth-Trunk is configured as the outbound interface of traffic to
ensure reliable transmission. Member interfaces of the Eth-Trunk are located on
different chassis. When devices in the CSS or stack forward traffic, the Eth-Trunk
may select an inter-chassis member interface based on a hash algorithm. The
cable bandwidth between devices in the CSS or stack is limited, so inter-chassis
traffic forwarding occupies bandwidth resources between devices, lowering traffic
forwarding efficiency. To address this issue, you can enable an Eth-Trunk to
preferentially forward local traffic.

Configuration Notes
● If active interfaces of an Eth-Trunk on the local device have sufficient
bandwidth to forward traffic, you can configure the Eth-Trunk to preferentially
forward local traffic. This improves traffic forwarding efficiency and leaves
more bandwidth available between devices in the CSS.
● If active interfaces of an Eth-Trunk on the local device do not have sufficient
bandwidth to forward traffic, you can configure the Eth-Trunk not to
preferentially forward local traffic. In this case, some traffic on the local
device is forwarded through member interfaces of an Eth-Trunk on another
device, preventing packet loss.
● This example applies to the following products and versions:
– S2720-EI, S2750-EI: For the applicable versions, see Table 3-1.
– S2730S-S: For the applicable versions, see Table 3-1.
– S5710-X-LI, S5720-EI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI,
S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S, S5731S-S,
S5731S-H, S5732-H: For the applicable versions, see Table 3-1.
– S6720-EI, S6720S-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-HI,
S6730-H, S6730S-H, S6730-S, S6730S-S: For the applicable versions, see
Table 3-1.
– S5700-LI, S5700-HI, S5710-EI, S6700-EI: running V200R003C00 and later
versions.
– S5700S-LI: running V200R008C00 and later versions.
NOTE
Only S5700S-28P-PWR-LI-AC, S5700S-28X-LI-AC, and S5700S-52X-LI-AC support
this function.
– S5700-SI, S5700-EI: running V200R002C00 and later versions.
– S5710-HI: V200R005C03.
– S300, S5735-L, S5735S-L, S5735S-L-M, S5735-S, S500, S5735S-S:
V200R019C10 and later versions.
– S5735-L-I, S5735-L1, S5735S-L1: For the applicable versions, see
Table 3-1.
– S7706, S7712, S7706 PoE: For the applicable versions, see Table 3-1.
– S9706, S9712: For the applicable versions, see Table 3-1.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a
product series or product model, and click Hardware Center.

Networking Requirements
On the network shown in Figure 3-77, CSS technology is used to increase the
total capacity of switches. Switch3 and Switch4 are connected through stack
cables to form a logical switch. To implement backup between switches and
improve reliability, physical interfaces on the two switches are added to an Eth-
Trunk. In normal situations, traffic from VLAN 2 and VLAN 3 is forwarded through
GE1/0/1 and GE1/0/2 respectively. This increases bandwidth capacity between
switches and reduces traffic forwarding efficiency.
To ensure that traffic from VLAN 2 is forwarded through GE1/0/1 and traffic from
VLAN 3 is forwarded through GE1/0/2, you can configure the Eth-Trunk to
preferentially forward local traffic.

Figure 3-77 Preferentially forwarding local traffic

Configuration Roadmap
The configuration roadmap is as follows:

1. Create an Eth-Trunk.
2. Add member interfaces to the Eth-Trunk.
3. Enable the Eth-Trunk to preferentially forward local traffic.
4. Add interfaces to VLANs to implement Layer 2 connectivity.

Procedure
Step 1 Create an Eth-Trunk and configure the ID of a VLAN from which packets can pass
through the Eth-Trunk.
# Configure the CSS.
<HUAWEI> system-view
[HUAWEI] sysname CSS
[CSS] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-Trunk 10.
[CSS-Eth-Trunk10] port link-type trunk //Set the link type of the interface to trunk.
[CSS-Eth-Trunk10] port trunk allow-pass vlan all //Configure the interface to allow all VLANs.
[CSS-Eth-Trunk10] quit

# Configure the aggregation switch PE.


<HUAWEI> system-view
[HUAWEI] sysname PE
[PE] interface eth-trunk 10 //Create Eth-Trunk 10 and enter the view of Eth-Trunk 10.
[PE-Eth-Trunk10] port link-type trunk //Set the link type of the interface to trunk.
[PE-Eth-Trunk10] port trunk allow-pass vlan all //Configure the interface to allow all VLANs.
[PE-Eth-Trunk10] quit

Step 2 Add member interfaces to the Eth-Trunk.


# Configure the CSS.
[CSS] interface gigabitethernet 1/1/0/4
[CSS-GigabitEthernet1/1/0/4] eth-trunk 10 //Add GE1/1/0/4 to Eth-Trunk 10.
[CSS-GigabitEthernet1/1/0/4] quit
[CSS] interface gigabitethernet 2/1/0/4
[CSS-GigabitEthernet2/1/0/4] eth-trunk 10 //Add GE2/1/0/4 to Eth-Trunk 10.
[CSS-GigabitEthernet2/1/0/4] quit

# Configure the PE.


[PE] interface gigabitethernet 1/0/1
[PE-GigabitEthernet1/0/1] eth-trunk 10 //Add GE1/0/1 to Eth-Trunk 10.
[PE-GigabitEthernet1/0/1] quit
[PE] interface gigabitethernet 1/0/2
[PE-GigabitEthernet1/0/2] eth-trunk 10 //Add GE1/0/2 to Eth-Trunk 10.
[PE-GigabitEthernet1/0/2] quit

Step 3 Configure the Eth-Trunk on devices in the CSS to preferentially forward local
traffic.
[CSS] interface eth-trunk 10
[CSS-Eth-Trunk10] local-preference enable //Enable Eth-Trunk 10 to preferentially forward local traffic.
[CSS-Eth-Trunk10] quit

NOTE

By default, an Eth-Trunk is enabled to preferentially forward local traffic. If you run the
local-preference enable command, the system displays the message "Error: The local
preferential forwarding mode has been configured."

Step 4 Configure Layer 2 forwarding.


# Configure the CSS.
[CSS] vlan batch 2 3

[CSS] interface gigabitethernet 1/1/0/3
[CSS-GigabitEthernet1/1/0/3] port link-type trunk
[CSS-GigabitEthernet1/1/0/3] port trunk allow-pass vlan 2
[CSS-GigabitEthernet1/1/0/3] quit
[CSS] interface gigabitethernet 2/1/0/3
[CSS-GigabitEthernet2/1/0/3] port link-type trunk
[CSS-GigabitEthernet2/1/0/3] port trunk allow-pass vlan 3
[CSS-GigabitEthernet2/1/0/3] quit

# Configure access switch Switch1.


<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 2
[Switch1-vlan2] quit
[Switch1] interface gigabitethernet 1/0/1
[Switch1-GigabitEthernet1/0/1] port link-type trunk
[Switch1-GigabitEthernet1/0/1] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet1/0/1] quit
[Switch1] interface gigabitethernet 1/0/2
[Switch1-GigabitEthernet1/0/2] port link-type trunk
[Switch1-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet1/0/2] quit

# Configure access switch Switch2.


<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 3
[Switch2-vlan3] quit
[Switch2] interface gigabitethernet 1/0/1
[Switch2-GigabitEthernet1/0/1] port link-type trunk
[Switch2-GigabitEthernet1/0/1] port trunk allow-pass vlan 3
[Switch2-GigabitEthernet1/0/1] quit
[Switch2] interface gigabitethernet 1/0/2
[Switch2-GigabitEthernet1/0/2] port link-type trunk
[Switch2-GigabitEthernet1/0/2] port trunk allow-pass vlan 3
[Switch2-GigabitEthernet1/0/2] quit

Step 5 Verify the configuration.


After the configuration is complete, run the display trunkmembership eth-trunk
command in any view to check information about member interfaces of the Eth-
Trunk.
The display on the CSS is used as an example.
<CSS> display trunkmembership eth-trunk 10
Trunk ID: 10
Used status: VALID
TYPE: ethernet
Working Mode : Normal
Number Of Ports in Trunk = 2
Number Of Up Ports in Trunk = 2
Operate status: up

Interface GigabitEthernet1/1/0/4, valid, operate up, weight=1


Interface GigabitEthernet2/1/0/4, valid, operate up, weight=1

----End
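The member selection that Steps 1 to 4 configure, modelled as an added Python example that is not Huawei code: in a CSS the first number of a member interface name is the chassis, so with local preference enabled a frame entering chassis 1 leaves through an Up member on chassis 1 and only spills to the other chassis when no local member is Up (the case the second note in Configuration Notes addresses by disabling local preference). The per-flow hash, the member Up flags and the sample flows are constructed for the example.

```python
import re
import zlib
from collections import Counter

# Constructed sample: Eth-Trunk 10 of the CSS above, one member interface on each chassis.
ETH_TRUNK_10 = {"GigabitEthernet1/1/0/4": True, "GigabitEthernet2/1/0/4": True}


def chassis_of(ifname: str) -> int:
    """Chassis ID of a CSS interface name (chassis/slot/subcard/port)."""
    m = re.search(r"(\d+)/\d+/\d+/\d+$", ifname)
    if m is None:
        raise ValueError(f"{ifname} is not a CSS interface name")
    return int(m.group(1))


def flow_hash(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> int:
    """Deterministic per-flow hash; a constructed stand-in for the switch's hardware hash."""
    return zlib.crc32(f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode())


def select_egress(members: dict[str, bool], ingress_if: str, fhash: int,
                  local_preference: bool = True) -> str:
    """Pick the member interface a frame leaves through.

    members maps each member interface to its Up state. With local_preference
    the candidates are the Up members on the ingress chassis; members on the
    other chassis are used only when none of the local members is Up.
    """
    candidates = sorted(name for name, is_up in members.items() if is_up)
    if not candidates:
        raise RuntimeError("Eth-Trunk has no Up member interface")
    if local_preference:
        local = [m for m in candidates if chassis_of(m) == chassis_of(ingress_if)]
        if local:
            candidates = local
    return candidates[fhash % len(candidates)]


def distribution(members, ingress_if, flows, local_preference=True) -> dict[str, int]:
    """Number of flows (src_ip, dst_ip, sport, dport) that leave through each member."""
    counts = Counter()
    for src, dst, sport, dport in flows:
        egress = select_egress(members, ingress_if,
                               flow_hash(src, dst, sport, dport), local_preference)
        counts[egress] += 1
    return dict(counts)
```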

Configuration Files
● CSS configuration file
#
sysname CSS
#
vlan batch 2 3

#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet1/1/0/3
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet2/1/0/3
port link-type trunk
port trunk allow-pass vlan 3
#
interface GigabitEthernet1/1/0/4
eth-trunk 10
#
interface GigabitEthernet2/1/0/4
eth-trunk 10
#
return

● PE configuration file
#
sysname PE
#
interface Eth-Trunk10
port link-type trunk
port trunk allow-pass vlan 2 to 4094
#
interface GigabitEthernet1/0/1
eth-trunk 10
#
interface GigabitEthernet1/0/2
eth-trunk 10
#
return

● Switch1 configuration file


#
sysname Switch1
#
vlan batch 2
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
return

● Switch2 configuration file


#
sysname Switch2
#
vlan batch 3
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 3
#
return

3.6.2.6 Example for Configuring an Eth-Trunk and Association Between VRRP and the Interface Status

Association Between VRRP and the Interface Status
Additional technologies are required to enhance the VRRP active/standby function.
For example, when the link from the master to a network is disconnected, VRRP
cannot detect the fault and an active/standby switchover cannot be performed. As
a result, hosts cannot remotely access the network through the master. To address
this issue, you can configure association between VRRP and the interface status.

When the master detects that the uplink interface fails, the master reduces its
priority to be lower than the priority of the backup and immediately sends VRRP
packets. After the backup receives the VRRP packets, it detects that the priority in
the VRRP packets is lower than its priority and switches to the master. This ensures
correct traffic forwarding.

Configuration Notes
● In V200R003 and earlier versions, VRRP can be configured only on the VLANIF
interface.
In V200R005 and later versions, VRRP can be configured on the VLANIF
interface and Layer 3 Ethernet interface.
For a modular switch in V200R006 and later versions, VRRP can be configured
on the VLANIF interface, Layer 3 Ethernet interface, Dot1q termination sub-
interface, and QinQ termination sub-interface.
For a fixed switch in V200R009 and later versions, VRRP can be configured on
the VLANIF interface, Layer 3 Ethernet interface, and sub-interface.
● Ensure that each device of the same VRRP group is configured with the same
VRID.
● VRRP groups must use different virtual IP addresses. The virtual IP address of
a VRRP group must be on the same network segment as the IP address of the
interface where the VRRP group is configured.
● A VRRP group can be associated with a maximum of eight interfaces.
Association between a VRRP group and the interface status cannot be
configured on the device as the IP address owner.
● This example applies to the following products:
– S2720-EI: V200R011C10 and later versions
– S3700-EI, S3700-HI
– S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5700-EI, S5700-HI,
S5710-EI, S5720-EI, S5710-HI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI,
S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S-I,
S5735S-H, S5736-S, S5735-S, S500, S5735S-S
– S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6700-EI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712

● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a
product series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-78, the user hosts are dual-homed to SwitchA and SwitchB
through the switch. The requirements are as follows:
● The hosts use SwitchA as the default gateway to connect to the Internet.
When SwitchA or the downlink/uplink fails, SwitchB functions as the gateway
to implement gateway backup.
● The bandwidth of the link between SwitchA and SwitchB is increased to
implement link backup and improve link reliability.
● After SwitchA recovers, it becomes the gateway within 20s.

Figure 3-78 Networking of association between VRRP and the interface status

Configuration Roadmap
A VRRP group in active/standby mode is used to implement gateway backup. The
configuration roadmap is as follows:
1. Assign an IP address to each interface and configure a routing protocol to
ensure network connectivity.
2. Configure VLAN aggregation on SwitchA and SwitchB to implement Layer 2
isolation and Layer 3 connectivity of VLANs 101 to 180 and save IP addresses.
3. Create an Eth-Trunk on SwitchA and SwitchB and add member interfaces to
the Eth-Trunk to increase the link bandwidth and implement link backup.
4. Configure a VRRP group between SwitchA and SwitchB. Set a higher priority
for SwitchA so that SwitchA functions as the master to forward traffic, and set
the preemption delay to 20s on SwitchA. Set a lower priority for SwitchB so
that SwitchB functions as the backup.
5. Associate VRRP with GE1/0/1 and GE1/0/2 on SwitchA so that the VRRP group
can detect the fault of the master and perform an active/standby switchover
immediately.

NOTE

SwitchA and SwitchB are core switches, and the switch is an aggregation switch.

Procedure
Step 1 Configure devices to ensure network connectivity.

# Assign an IP address to each interface on core devices. SwitchA is used as an
example. The configuration of SwitchB is similar to the configuration of SwitchA,
and is not mentioned here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 11 to 15 101 to 180 301 to 305 400
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 400
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 101 to 180
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] ip address 10.1.1.2 24
[SwitchA-Vlanif11] quit
[SwitchA] interface vlanif 12
[SwitchA-Vlanif12] ip address 10.1.2.2 24
[SwitchA-Vlanif12] quit
[SwitchA] interface vlanif 13
[SwitchA-Vlanif13] ip address 10.1.3.2 24
[SwitchA-Vlanif13] quit
[SwitchA] interface vlanif 14
[SwitchA-Vlanif14] ip address 10.1.4.2 24
[SwitchA-Vlanif14] quit
[SwitchA] interface vlanif 15
[SwitchA-Vlanif15] ip address 10.1.5.2 24
[SwitchA-Vlanif15] quit
[SwitchA] interface vlanif 400
[SwitchA-Vlanif400] ip address 192.168.1.1 24
[SwitchA-Vlanif400] quit

# Configure Layer 2 transparent transmission on the switch.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 11 to 15 101 to 180
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 11 to 15 101 to 180
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 11 to 15 101 to 180
[Switch-GigabitEthernet1/0/2] quit

# Configure OSPF on SwitchA, SwitchB, and SwitchC. SwitchA is used as an
example. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

Step 2 Configure a super-VLAN on SwitchA and SwitchB.

# Configure a super-VLAN on SwitchA. The configuration of SwitchB is similar to
the configuration of SwitchA, and is not mentioned here. For details, see the
configuration files.
[SwitchA] vlan 11
[SwitchA-vlan11] aggregate-vlan
[SwitchA-vlan11] access-vlan 101 to 116 301
[SwitchA-vlan11] quit
[SwitchA] vlan 12
[SwitchA-vlan12] aggregate-vlan
[SwitchA-vlan12] access-vlan 117 to 132 302
[SwitchA-vlan12] quit
[SwitchA] vlan 13
[SwitchA-vlan13] aggregate-vlan
[SwitchA-vlan13] access-vlan 133 to 148 303
[SwitchA-vlan13] quit
[SwitchA] vlan 14
[SwitchA-vlan14] aggregate-vlan
[SwitchA-vlan14] access-vlan 149 to 164 304
[SwitchA-vlan14] quit
[SwitchA] vlan 15
[SwitchA-vlan15] aggregate-vlan
[SwitchA-vlan15] access-vlan 165 to 180 305
[SwitchA-vlan15] quit

Step 3 Configure link aggregation on SwitchA and SwitchB.

# Create Eth-Trunk 1 in LACP mode on SwitchA. The configuration of SwitchB is
similar to the configuration of SwitchA, and is not mentioned here. For details, see
the configuration files.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] mode lacp
[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 301 to 305
[SwitchA-Eth-Trunk1] quit

# Add member interfaces on SwitchA to Eth-Trunk 1. The configuration of SwitchB
is similar to the configuration of SwitchA, and is not mentioned here. For details,
see the configuration files.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] eth-trunk 1
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] eth-trunk 1
[SwitchA-GigabitEthernet1/0/4] quit

Step 4 Configure VRRP groups on SwitchA and SwitchB.

# Configure a VRRP group on SwitchA, and set the priority of SwitchA to 120 and
the preemption delay to 20s.
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] vrrp vrid 1 virtual-ip 10.1.1.1
[SwitchA-Vlanif11] vrrp vrid 1 priority 120 //The default priority of the device in a VRRP group is 100. Change the priority of the master to be higher than that of the backup.
[SwitchA-Vlanif11] vrrp vrid 1 preempt-mode timer delay 20 //The device in a VRRP group uses the immediate preemption mode by default. Change the preemption delay of the master to prevent traffic interruptions when the master and backup frequently preempt the bandwidth on an unstable network.
[SwitchA-Vlanif11] vrrp vrid 1 track interface gigabitethernet 1/0/1 reduced 100 //Associate the VRRP group with the uplink interface. Set the decreased priority to ensure that the priority of the backup is higher than the priority of the master. Then an active/standby switchover can be triggered.
[SwitchA-Vlanif11] vrrp vrid 1 track interface gigabitethernet 1/0/2 reduced 100 //Associate the VRRP group with the downlink interface. Set the decreased priority to ensure that the priority of the backup is higher than the priority of the master. Then an active/standby switchover can be triggered.
[SwitchA-Vlanif11] vrrp advertise send-mode 301 //Specify VLAN 301 where VRRP packets are transmitted to save the network bandwidth.
[SwitchA-Vlanif11] quit
[SwitchA] interface vlanif 12
[SwitchA-Vlanif12] vrrp vrid 2 virtual-ip 10.1.2.1
[SwitchA-Vlanif12] vrrp vrid 2 priority 120
[SwitchA-Vlanif12] vrrp vrid 2 preempt-mode timer delay 20
[SwitchA-Vlanif12] vrrp vrid 2 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif12] vrrp vrid 2 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif12] vrrp advertise send-mode 302
[SwitchA-Vlanif12] quit
[SwitchA] interface vlanif 13
[SwitchA-Vlanif13] vrrp vrid 3 virtual-ip 10.1.3.1
[SwitchA-Vlanif13] vrrp vrid 3 priority 120
[SwitchA-Vlanif13] vrrp vrid 3 preempt-mode timer delay 20
[SwitchA-Vlanif13] vrrp vrid 3 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif13] vrrp vrid 3 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif13] vrrp advertise send-mode 303
[SwitchA-Vlanif13] quit
[SwitchA] interface vlanif 14
[SwitchA-Vlanif14] vrrp vrid 4 virtual-ip 10.1.4.1
[SwitchA-Vlanif14] vrrp vrid 4 priority 120
[SwitchA-Vlanif14] vrrp vrid 4 preempt-mode timer delay 20
[SwitchA-Vlanif14] vrrp vrid 4 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif14] vrrp vrid 4 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif14] vrrp advertise send-mode 304
[SwitchA-Vlanif14] quit
[SwitchA] interface vlanif 15
[SwitchA-Vlanif15] vrrp vrid 5 virtual-ip 10.1.5.1
[SwitchA-Vlanif15] vrrp vrid 5 priority 120
[SwitchA-Vlanif15] vrrp vrid 5 preempt-mode timer delay 20
[SwitchA-Vlanif15] vrrp vrid 5 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif15] vrrp vrid 5 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif15] vrrp advertise send-mode 305
[SwitchA-Vlanif15] quit

# Configure a VRRP group on SwitchB. SwitchB uses the default priority of 100.
[SwitchB] interface vlanif 11
[SwitchB-Vlanif11] vrrp vrid 1 virtual-ip 10.1.1.1
[SwitchB-Vlanif11] vrrp advertise send-mode 301
[SwitchB-Vlanif11] quit
[SwitchB] interface vlanif 12
[SwitchB-Vlanif12] vrrp vrid 2 virtual-ip 10.1.2.1
[SwitchB-Vlanif12] vrrp advertise send-mode 302
[SwitchB-Vlanif12] quit
[SwitchB] interface vlanif 13
[SwitchB-Vlanif13] vrrp vrid 3 virtual-ip 10.1.3.1
[SwitchB-Vlanif13] vrrp advertise send-mode 303
[SwitchB-Vlanif13] quit

[SwitchB] interface vlanif 14
[SwitchB-Vlanif14] vrrp vrid 4 virtual-ip 10.1.4.1
[SwitchB-Vlanif14] vrrp advertise send-mode 304
[SwitchB-Vlanif14] quit
[SwitchB] interface vlanif 15
[SwitchB-Vlanif15] vrrp vrid 5 virtual-ip 10.1.5.1
[SwitchB-Vlanif15] vrrp advertise send-mode 305
[SwitchB-Vlanif15] quit

Step 5 Disable STP on SwitchA, SwitchB, SwitchC, and Switch.


# Disable global STP on SwitchA, SwitchB, SwitchC, and Switch. SwitchA is used as
an example. The configurations of SwitchB, SwitchC, and the switch are similar to
the configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] stp disable
Warning: The global STP state will be changed. Continue?[Y/N]:y

Step 6 Verify the configuration.


# After the configuration is complete, run the display vrrp command on SwitchA.
You can see that SwitchA is the master in VRRP group 1. VRRP group 1 is used as
an example. Information of other VRRP groups is similar to information of VRRP
group 1.
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : UP
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

# Run the display vrrp command on SwitchB. You can see that SwitchB is the
backup. VRRP group 1 is used as an example.
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES

Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

# Run the shutdown command on GE1/0/1 of SwitchA to simulate a link fault.
Then run the display vrrp command on SwitchA and SwitchB. You can see that
SwitchA is in Backup state, SwitchB enters the Master state, and the associated
interface becomes Down.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] shutdown
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.3
Send VRRP packet to subvlan : 301
PriorityRun : 20
PriorityConfig : 120
MasterPriority : 100
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : DOWN
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:12:38
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.3
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:12:38

# Run the undo shutdown command on GE1/0/1 of SwitchA.


[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] undo shutdown
[SwitchA-GigabitEthernet1/0/1] quit

# After 20s, run the display vrrp command on SwitchA and SwitchB. You can see
that SwitchA is restored as the master and SwitchB is restored as the backup, and
the associated interface is in Up state.
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : UP
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36

----End
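The rules in Configuration Notes and the priority arithmetic shown in Step 6 (PriorityConfig 120 minus the reduced value 100 gives PriorityRun 20, below the backup's 100), as an added Python example that is not Huawei code: it parses the VRRP lines of the configuration files, reports any note that is violated, and predicts which device is master for a given set of Down interfaces. The configuration text is the Vlanif11 part of the SwitchA and SwitchB files above; the tie-break on the higher interface address follows RFC 3768 and is an assumption about the switch.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

MAX_TRACKED_INTERFACES = 8   # limit stated in the Configuration Notes
DEFAULT_PRIORITY = 100       # VRRP default priority

# Constructed sample: Vlanif11 of SwitchA and SwitchB from the configuration files above.
SWITCH_A = """
interface Vlanif11
 ip address 10.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.1
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 20
 vrrp vrid 1 track interface gigabitethernet1/0/1 reduced 100
 vrrp vrid 1 track interface gigabitethernet1/0/2 reduced 100
"""
SWITCH_B = """
interface Vlanif11
 ip address 10.1.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.1
"""


@dataclass
class VrrpGroup:
    device: str
    interface: str
    vrid: int
    address: ipaddress.IPv4Interface | None = None
    virtual_ip: ipaddress.IPv4Address | None = None
    priority: int = DEFAULT_PRIORITY
    preempt_delay: int = 0
    tracked: dict[str, int] = field(default_factory=dict)  # interface -> reduced value


def parse_vrrp(device: str, config: str) -> dict[int, VrrpGroup]:
    """Collect the VRRP groups of one device; 'ip address' must precede the vrrp lines, as in the files."""
    groups: dict[int, VrrpGroup] = {}
    interface, address = None, None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "interface":
            interface, address = parts[1], None
        elif parts[:2] == ["ip", "address"]:
            address = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
        elif parts[:2] == ["vrrp", "vrid"]:
            g = groups.setdefault(int(parts[2]), VrrpGroup(device, interface, int(parts[2]), address))
            if parts[3] == "virtual-ip":
                g.virtual_ip = ipaddress.IPv4Address(parts[4])
            elif parts[3] == "priority":
                g.priority = int(parts[4])
            elif parts[3:6] == ["preempt-mode", "timer", "delay"]:
                g.preempt_delay = int(parts[6])
            elif parts[3:5] == ["track", "interface"]:
                g.tracked[parts[5]] = int(parts[7])
    return groups


def audit(configs: dict[str, dict[int, VrrpGroup]]) -> list[str]:
    """Check the Configuration Notes; an empty list means no violation was found."""
    findings: list[str] = []
    members: dict[int, list[VrrpGroup]] = {}
    for groups in configs.values():
        for g in groups.values():
            members.setdefault(g.vrid, []).append(g)
            where = f"{g.device} {g.interface} vrid {g.vrid}"
            if g.address is None or g.virtual_ip is None:
                findings.append(f"{where}: interface address or virtual IP missing")
                continue
            if g.virtual_ip not in g.address.network:
                findings.append(f"{where}: virtual IP {g.virtual_ip} is not on {g.address.network}")
            if len(g.tracked) > MAX_TRACKED_INTERFACES:
                findings.append(f"{where}: tracks {len(g.tracked)} interfaces, limit is {MAX_TRACKED_INTERFACES}")
            if g.virtual_ip == g.address.ip and g.tracked:
                findings.append(f"{where}: the IP address owner cannot track interface status")
    seen: dict[ipaddress.IPv4Address, int] = {}   # virtual IP -> vrid, must be one-to-one
    for vrid, gs in members.items():
        vips = {g.virtual_ip for g in gs if g.virtual_ip is not None}
        if len(vips) > 1:
            findings.append(f"vrid {vrid}: members disagree on the virtual IP {sorted(map(str, vips))}")
        for vip in vips:
            if seen.get(vip, vrid) != vrid:
                findings.append(f"virtual IP {vip} is used by both vrid {seen[vip]} and vrid {vrid}")
            seen[vip] = vrid
    return findings


def running_priority(g: VrrpGroup, down: set[str]) -> int:
    """PriorityConfig minus the reduced value of every tracked interface that is Down."""
    return g.priority - sum(r for ifname, r in g.tracked.items() if ifname in down)


def elect_master(groups: list[VrrpGroup], down: dict[str, set[str]]) -> str:
    """Device that wins: highest running priority, higher interface address on a tie (RFC 3768, assumed)."""
    return max(groups, key=lambda g: (running_priority(g, down.get(g.device, set())),
                                      int(g.address.ip))).device
```

Once SwitchA's interface comes back up its running priority returns to 120, but the 20s preemption delay parsed into preempt_delay is what holds the switchback until the timer expires, as the Step 6 output shows.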

Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 11 to 15 101 to 180 301 to 305 400
#
stp disable
#
vlan 11
aggregate-vlan
access-vlan 101 to 116 301
vlan 12
aggregate-vlan
access-vlan 117 to 132 302
vlan 13
aggregate-vlan
access-vlan 133 to 148 303
vlan 14
aggregate-vlan
access-vlan 149 to 164 304
vlan 15
aggregate-vlan
access-vlan 165 to 180 305
#
interface Vlanif11
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
vrrp vrid 1 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 1 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 301
#
interface Vlanif12
ip address 10.1.2.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.1
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
vrrp vrid 2 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 2 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 302
#
interface Vlanif13
ip address 10.1.3.2 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.3.1
vrrp vrid 3 priority 120
vrrp vrid 3 preempt-mode timer delay 20
vrrp vrid 3 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 3 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 303
#
interface Vlanif14
ip address 10.1.4.2 255.255.255.0
vrrp vrid 4 virtual-ip 10.1.4.1
vrrp vrid 4 priority 120
vrrp vrid 4 preempt-mode timer delay 20
vrrp vrid 4 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 4 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 304
#
interface Vlanif15
ip address 10.1.5.2 255.255.255.0
vrrp vrid 5 virtual-ip 10.1.5.1
vrrp vrid 5 priority 120
vrrp vrid 5 preempt-mode timer delay 20
vrrp vrid 5 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 5 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 305
#
interface Vlanif400
ip address 192.168.1.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 301 to 305
mode lacp
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 400
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 180
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
eth-trunk 1
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
● Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 11 to 15 101 to 180 200 301 to 305
#
stp disable
#
vlan 11
aggregate-vlan
access-vlan 101 to 116 301
vlan 12
aggregate-vlan
access-vlan 117 to 132 302
vlan 13
aggregate-vlan
access-vlan 133 to 148 303
vlan 14
aggregate-vlan
access-vlan 149 to 164 304
vlan 15
aggregate-vlan
access-vlan 165 to 180 305
#
interface Vlanif11
ip address 10.1.1.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1
vrrp advertise send-mode 301
#
interface Vlanif12
ip address 10.1.2.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.1
vrrp advertise send-mode 302
#
interface Vlanif13
ip address 10.1.3.3 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.3.1
vrrp advertise send-mode 303
#
interface Vlanif14
ip address 10.1.4.3 255.255.255.0
vrrp vrid 4 virtual-ip 10.1.4.1
vrrp advertise send-mode 304
#
interface Vlanif15
ip address 10.1.5.3 255.255.255.0
vrrp vrid 5 virtual-ip 10.1.5.1
vrrp advertise send-mode 305
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 301 to 305
mode lacp
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 180
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
eth-trunk 1
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 200 300 400
#
stp disable
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif300
ip address 172.16.1.1 255.255.255.0
#
interface Vlanif400
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 400
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 300
#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● Configuration file of the switch
#
sysname Switch
#
vlan batch 11 to 15 101 to 180
#
stp disable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11 to 15 101 to 180
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11 to 15 101 to 180
#
return

3.6.3 Typical VLAN Configuration

3.6.3.1 Example for Configuring Interface-based VLAN Assignment

Overview
VLANs can be assigned based on interfaces, MAC addresses, IP subnets, protocols,
and policies (MAC addresses, IP addresses, and interfaces). Table 3-31 compares
different VLAN assignment modes.

Table 3-31 Comparisons among VLAN assignment modes

Interface-based VLAN assignment
Implementation: VLANs are assigned based on interfaces. A network administrator preconfigures a PVID for each interface on a switch. When an untagged frame arrives at an interface, the switch adds the PVID of the interface to the frame. The frame is then transmitted in the VLAN specified by the PVID.
Advantage: It is simple to define VLAN members.
Disadvantage: The network administrator needs to reconfigure VLANs when VLAN members change.
Usage scenario: Applies to networks of any scale and with devices at fixed locations.

MAC address-based VLAN assignment
Implementation: VLANs are assigned based on source MAC addresses of frames. A network administrator preconfigures mappings between MAC addresses and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the MAC address of the frame to the frame. Then the frame is transmitted in the specified VLAN.
Advantage: When physical locations of users change, the network administrator does not need to reconfigure VLANs for the users. This improves security and access flexibility on a network.
Disadvantage: The network administrator must predefine VLANs for all members on a network.
Usage scenario: Applies to small-scale networks where user terminals often change physical locations but their NICs seldom change, for example, mobile computers.

IP subnet-based VLAN assignment
Implementation: VLANs are assigned based on source IP addresses and subnet masks. A network administrator preconfigures mappings between IP addresses and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the IP address of the frame to the frame. Then the frame is transmitted in the specified VLAN.
Advantage:
● When physical locations of users change, the network administrator does not need to reconfigure VLANs for the users.
● This mode reduces communication traffic and allows a broadcast domain to span multiple switches.
Disadvantage: Users are evenly spread, and multiple users are on the same network segment.
Usage scenario: Applies to scenarios where there are high requirements for mobility and simplified management and low requirements for security. For example, this mode can be used if a PC with multiple IP addresses needs to access servers on different network segments, or a PC needs to join a new VLAN automatically after the PC's IP address changes.

Protocol-based VLAN assignment
Implementation: VLANs are assigned based on protocol (suite) types and encapsulation formats of frames. A network administrator preconfigures mappings between protocol types and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the protocol type of the frame to the frame. The frame is then transmitted in the specified VLAN.
Advantage: This mode binds service types to VLANs, facilitating management and maintenance.
Disadvantage:
● The network administrator must preconfigure mappings between all protocol types and VLAN IDs.
● The switch needs to analyze protocol address formats and convert the formats, which consumes excessive resources. Therefore, this mode slows down switch response time.
Usage scenario: Applies to networks using multiple protocols.

Policy-based VLAN assignment (MAC addresses, IP addresses, and interfaces)
Implementation: VLANs are assigned based on policies such as combinations of interfaces, MAC addresses, and IP addresses. A network administrator preconfigures policies. When receiving an untagged frame that matches a configured policy, the switch adds a specified VLAN tag to the frame. The frame is then transmitted in the specified VLAN.
Advantage:
● This mode provides high security. MAC addresses or IP addresses of users who have been bound to VLANs cannot be changed.
● The network administrator can flexibly select which policies to use according to the management mode and requirements.
Disadvantage: Each policy needs to be manually configured.
Usage scenario: Applies to complex networks.

Interface-based VLAN assignment is the simplest and most commonly used method.

Configuration Notes
This example applies to all versions of all switches.

Networking Requirements
In Figure 3-79, the switch of an enterprise connects to many users, and users
accessing the same service connect to the enterprise network through different
devices. To ensure communication security and prevent broadcast storms, the
enterprise requires that users using the same service communicate with each
other and users accessing different services be isolated. You can configure
interface-based VLAN assignment on the switch so that the switch adds interfaces
connected to users using the same service to the same VLAN. Users in different
VLANs cannot communicate with each other at Layer 2, and users in the same
VLAN can communicate with each other.

Figure 3-79 Networking of interface-based VLAN assignment

Configuration Roadmap
The configuration roadmap is as follows:

1. Create VLANs and add interfaces that connect users to VLANs to isolate Layer
2 traffic of different services.
2. Configure link types of interfaces between SwitchA and SwitchB and VLANs
allowed by interfaces so that users accessing the same service can
communicate with each other through SwitchA and SwitchB.

Procedure
Step 1 Create VLAN 2 and VLAN 3 on SwitchA and add interfaces that are connected to
users to VLANs. The configuration of SwitchB is similar to the configuration of
SwitchA, and is not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3 //Create VLAN 2 and VLAN 3 in a batch.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //The interface connected to the access device must be an access interface. The default link type of an interface is not access, so you need to manually configure the access interface.
[SwitchA-GigabitEthernet1/0/1] port default vlan 2 //Add GE1/0/1 to VLAN 2.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 3 //Add GE1/0/2 to VLAN 3.
[SwitchA-GigabitEthernet1/0/2] quit

Step 2 Configure the link type of the interface on SwitchA that is connected to SwitchB
and VLAN allowed by the interface. The configuration of SwitchB is similar to the
configuration of SwitchA, and is not mentioned here.

[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk //The link type of interfaces connecting switches must be trunk. The default link type of an interface is not trunk, so you need to manually configure the trunk interface.
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 2 3 //Add GE1/0/3 to VLAN 2 and VLAN 3.

Step 3 Verify the configuration.

User1 and User2 are on the same network segment, for example,
192.168.100.0/24; User3 and User4 are on the same network segment, for
example, 192.168.200.0/24.

User1 and User2 can ping each other, but cannot ping User3 or User4. User3 and
User4 can ping each other, but cannot ping User1 or User2.

----End

Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

SwitchB configuration file
#
sysname SwitchB
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
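As an added example that is not part of this document, the following Python script parses the two configuration files above and checks the Layer 2 isolation that the verification step describes; it also reports VLANs allowed on only one end of the GE1/0/3 link, a common cause of "same VLAN but no ping" tickets. It assumes the user placement User1/User2 on GE1/0/1 of SwitchA/SwitchB and User3/User4 on GE1/0/2, which is inferred from the verification step because the figure is not reproduced here.

```python
"""Added example: Layer 2 reachability check for interface-based VLAN assignment.
Parses the SwitchA/SwitchB configuration files of this example (embedded below)
and reports which user ports can still talk at Layer 2 and whether both ends of
the inter-switch trunk allow the same VLANs."""

# SwitchA's configuration file, copied from the example; SwitchB's differs
# only in its sysname.
SWITCH_A = """#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
"""
SWITCH_B = SWITCH_A.replace("sysname SwitchA", "sysname SwitchB")

def expand_vlans(spec):
    """Expand a VRP VLAN list such as '2 to 3 5' into {2, 3, 5}."""
    tokens, vlans, i = spec.split(), set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans

def parse_config(text):
    """Return (sysname, {interface: set of VLANs the port carries}).
    An access port carries its PVID; a trunk carries its allow-pass list, which
    includes VLAN 1 by default (hence 'undo port trunk allow-pass vlan 1')."""
    sysname, ports, cur = None, {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("sysname "):
            sysname = line.split(None, 1)[1]
        elif line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ports[cur] = {1}  # unconfigured: untagged frames land in VLAN 1
        elif line == "#":
            cur = None
        elif cur and line.startswith("port default vlan "):
            ports[cur] = {int(line.split()[-1])}
        elif cur and line.startswith("undo port trunk allow-pass vlan "):
            ports[cur] -= expand_vlans(line.split("vlan", 1)[1])
        elif cur and line.startswith("port trunk allow-pass vlan "):
            ports[cur] |= expand_vlans(line.split("vlan", 1)[1])
    return sysname, ports

CONFIGS = dict(parse_config(t) for t in (SWITCH_A, SWITCH_B))
LINKS = [(("SwitchA", "GigabitEthernet1/0/3"), ("SwitchB", "GigabitEthernet1/0/3"))]
USERS = {  # assumed placement, inferred from the example's verification step
    "User1": ("SwitchA", "GigabitEthernet1/0/1"),
    "User2": ("SwitchB", "GigabitEthernet1/0/1"),
    "User3": ("SwitchA", "GigabitEthernet1/0/2"),
    "User4": ("SwitchB", "GigabitEthernet1/0/2"),
}

def l2_reachable(configs, links, a, b):
    """True if ports a and b (sysname, interface) share a VLAN end to end.
    Covers one switch or two switches joined by a single link in `links`."""
    common = configs[a[0]][a[1]] & configs[b[0]][b[1]]
    if not common or a[0] == b[0]:
        return bool(common)
    for ends in links:
        if {sw for sw, _ in ends} == {a[0], b[0]}:
            for sw, port in ends:  # the VLAN must be allowed on both trunk ends
                common &= configs[sw][port]
            return bool(common)
    return False  # no direct link between the two switches

def trunk_mismatches(configs, links):
    """Links whose two ends allow different VLAN sets, with the differing IDs."""
    out = []
    for (sw1, p1), (sw2, p2) in links:
        v1, v2 = configs[sw1][p1], configs[sw2][p2]
        if v1 != v2:
            out.append(((sw1, p1), (sw2, p2), sorted(v1 ^ v2)))
    return out

if __name__ == "__main__":
    from itertools import combinations
    for u1, u2 in combinations(USERS, 2):
        print(u1, u2, l2_reachable(CONFIGS, LINKS, USERS[u1], USERS[u2]))
    print("trunk mismatches:", trunk_mismatches(CONFIGS, LINKS))
```

Dropping VLAN 3 from one end of the trunk makes User3 and User4 unreachable while their access ports still look correct, which is why trunk_mismatches is worth running alongside the isolation check.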

Related Content
Support Community

● VLAN Assignment
● VLAN Basics

Videos

● Configuring Interface-based VLAN Assignment
● Configuring Interface-based VLAN Assignment (FAQ)
● Deploying a Layer 2 Switch on a LAN

3.6.3.2 Example for Configuring Interface-based VLAN Assignment (Access Device Used as the Gateway)

Overview
VLANs can be assigned based on interfaces, MAC addresses, IP subnets, protocols,
and policies (MAC addresses, IP addresses, and interfaces). Interface-based VLAN
assignment is the simplest and most commonly used mode.
Interface-based VLAN assignment indicates that VLANs are assigned based on
interfaces. A network administrator preconfigures a PVID for each interface on a
switch. When an untagged frame arrives at an interface, the switch adds the PVID
of the interface to the frame. Then the frame is transmitted in a specified VLAN.
In typical hierarchical networking, when the access switch is a Layer 3 switch, the
access switch can be used as the gateway of PCs to simplify the configuration of
the aggregation switch.

Configuration Notes
This example applies to all versions of all switches.

Networking Requirements
In Figure 3-80, PC1 and PC2 belong to VLAN 2 and VLAN 3, respectively. PC1 and
PC2 connect to the aggregation switch SW1 through the access switch SW2. PC3
belongs to VLAN 4 and connects to SW1 through SW3. SW2 functions as the
gateway of PC1 and PC2, and SW3 is used as the gateway of PC3. Static routes are
configured on switches so that PCs can communicate with each other and can be
connected to the router.

Figure 3-80 Configuring access devices as gateways

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure interface-based assignment on the access switch to implement
Layer 2 interworking.
2. Configure access switches as gateways of PCs to implement communication
between PCs on different network segments.
3. Configure static routes on the aggregation switch so that PCs can
communicate with the router.

Procedure
Step 1 Configure SW2.

# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SW2 //Change the device name to SW2 for easy identification.
[SW2] vlan batch 2 to 3 //Create VLAN 2 and VLAN 3 in a batch.

# Add interfaces to VLANs.
[SW2] interface gigabitethernet 1/0/23
[SW2-GigabitEthernet1/0/23] port link-type access //Configure the interface connected to the PC as the access interface.
[SW2-GigabitEthernet1/0/23] port default vlan 2 //Add PC1 to VLAN 2.
[SW2-GigabitEthernet1/0/23] quit
[SW2] interface gigabitethernet 1/0/24
[SW2-GigabitEthernet1/0/24] port link-type access
[SW2-GigabitEthernet1/0/24] port default vlan 3 //Add PC2 to VLAN 3.
[SW2-GigabitEthernet1/0/24] quit

# Configure VLANIF interfaces and configure IP addresses for VLANIF interfaces as gateway addresses of PCs.
[SW2] interface vlanif 2 //Create VLANIF 2.
[SW2-Vlanif2] ip address 192.168.2.1 24 //Configure an IP address for VLANIF 2. The IP address is the gateway address of PC1.
[SW2-Vlanif2] quit
[SW2] interface vlanif 3 //Create VLANIF 3.
[SW2-Vlanif3] ip address 192.168.3.1 24 //Configure an IP address for VLANIF 3. The IP address is the gateway address of PC2.
[SW2-Vlanif3] quit

# Connect SW2 to SW1.
[SW2] vlan batch 5 //Create VLAN 5.
[SW2] interface gigabitethernet 1/0/1
[SW2-GigabitEthernet1/0/1] port link-type access
[SW2-GigabitEthernet1/0/1] port default vlan 5 //Configure SW2 and SW1 to communicate in untagged mode.
[SW2-GigabitEthernet1/0/1] quit
[SW2] interface vlanif 5 //Create VLANIF 5.
[SW2-Vlanif5] ip address 192.168.5.2 24 //Configure an IP address for VLANIF 5. The IP address is the IP address of the interconnected interface between SW1 and SW2.
[SW2-Vlanif5] quit
[SW2] ip route-static 0.0.0.0 0.0.0.0 192.168.5.1 //Configure a default route so that the PCs can access the router. The next hop address is the IP address of VLANIF 5 on SW1.

Step 2 Configure SW3.

# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SW3 //Change the device name to SW3.
[SW3] vlan batch 4 //Create VLAN 4.

# Add interfaces to VLANs.
[SW3] interface gigabitethernet 1/0/2
[SW3-GigabitEthernet1/0/2] port link-type access //Configure the interface connected to the PC as the access interface.
[SW3-GigabitEthernet1/0/2] port default vlan 4 //Add PC3 to VLAN 4.
[SW3-GigabitEthernet1/0/2] quit

# Configure VLANIF interfaces and configure IP addresses for VLANIF interfaces as gateway addresses of PCs.
[SW3] interface vlanif 4 //Create VLANIF 4.
[SW3-Vlanif4] ip address 192.168.4.1 24 //Configure an IP address for VLANIF 4. The IP address is the gateway address of PC3.
[SW3-Vlanif4] quit

# Connect SW3 to SW1.
[SW3] vlan batch 5 //Create VLAN 5.
[SW3] interface gigabitethernet 1/0/1
[SW3-GigabitEthernet1/0/1] port link-type access
[SW3-GigabitEthernet1/0/1] port default vlan 5 //Configure SW3 and SW1 to communicate in untagged mode.
[SW3-GigabitEthernet1/0/1] quit
[SW3] interface vlanif 5 //Create VLANIF 5.
[SW3-Vlanif5] ip address 192.168.5.3 24 //Configure an IP address for VLANIF 5. The IP address is the IP address of the interconnected interface between SW3 and SW1.
[SW3-Vlanif5] quit
[SW3] ip route-static 0.0.0.0 0.0.0.0 192.168.5.1 //Configure a default route so that the PC can access the router. The next hop address is the IP address of VLANIF 5 on SW1.

Step 3 Configure SW1.

# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SW1 //Change the device name to SW1.
[SW1] vlan batch 5 //Create VLAN 5.

# Add the interfaces connected to the router, SW2, and SW3 to VLAN 5.
[SW1] interface gigabitethernet 1/0/1
[SW1-GigabitEthernet1/0/1] port link-type access //Configure the interface connected to the router as the access interface.
[SW1-GigabitEthernet1/0/1] port default vlan 5
[SW1-GigabitEthernet1/0/1] quit
[SW1] interface gigabitethernet 1/0/2
[SW1-GigabitEthernet1/0/2] port link-type access //Configure the interface connected to SW2 as the access interface.
[SW1-GigabitEthernet1/0/2] port default vlan 5
[SW1-GigabitEthernet1/0/2] quit
[SW1] interface gigabitethernet 1/0/3
[SW1-GigabitEthernet1/0/3] port link-type access //Configure the interface connected to SW3 as the access interface.
[SW1-GigabitEthernet1/0/3] port default vlan 5
[SW1-GigabitEthernet1/0/3] quit

# Configure a VLANIF interface so that PCs can connect to the router.
[SW1] interface vlanif 5 //Create VLANIF 5.
[SW1-Vlanif5] ip address 192.168.5.1 24 //Configure an IP address for VLANIF 5. The IP address is the IP address of the interface connected to the router.
[SW1-Vlanif5] quit

# Configure static routes so that PCs on different network segments can communicate with each other.
[SW1] ip route-static 192.168.2.0 255.255.255.0 192.168.5.2 //Configure a static route. Packets with the destination IP address of 192.168.2.0/24 are forwarded to the next hop address of 192.168.5.2. The next hop address is the IP address of VLANIF 5 on SW2.
[SW1] ip route-static 192.168.3.0 255.255.255.0 192.168.5.2 //Configure a static route. Packets with the destination IP address of 192.168.3.0/24 are forwarded to the next hop address of 192.168.5.2. The next hop address is the IP address of VLANIF 5 on SW2.
[SW1] ip route-static 192.168.4.0 255.255.255.0 192.168.5.3 //Configure a static route. Packets with the destination IP address of 192.168.4.0/24 are forwarded to the next hop address of 192.168.5.3. The next hop address is the IP address of VLANIF 5 on SW3.

# Configure a default route so that PCs can communicate with the router.
[SW1] ip route-static 0.0.0.0 0.0.0.0 192.168.5.4 //The next hop address is the IP address of the router interface connected to SW1.

Step 4 Verify the configuration.

PC1, PC2, and PC3 can access each other, and they can communicate with the
router.

----End

Configuration Files
SW1 configuration file
#
sysname SW1
#
vlan batch 5
#
interface Vlanif5
ip address 192.168.5.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 5
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.4
ip route-static 192.168.2.0 255.255.255.0 192.168.5.2
ip route-static 192.168.3.0 255.255.255.0 192.168.5.2
ip route-static 192.168.4.0 255.255.255.0 192.168.5.3
#
return

SW2 configuration file
#
sysname SW2
#
vlan batch 2 to 3 5
#
interface Vlanif2
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif3
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif5
ip address 192.168.5.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/23
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/24
port link-type access
port default vlan 3
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.1
#
return

SW3 configuration file
#
sysname SW3
#
vlan batch 4 to 5
#
interface Vlanif4
ip address 192.168.4.1 255.255.255.0
#
interface Vlanif5
ip address 192.168.5.3 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 4
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.1
#
return
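As an added example that is not part of this document, the following Python script checks the routing design of this example: each PC subnet hosted on SW2 or SW3 must have a return route on SW1 whose next hop is that access switch's VLANIF 5 address, each static next hop must lie on a directly connected subnet, and each access switch must default-route to SW1's VLANIF 5 address. The embedded texts are excerpts of the three configuration files above; the router address 192.168.5.4 is the one the page uses.

```python
"""Added example: return-route check for the 'access device as gateway' design.
SW2 and SW3 own the PC subnets on their VLANIF interfaces and default-route to
SW1, so SW1 must hold a static route back to every such subnet via that access
switch's VLANIF 5 address, every next hop must lie on a directly connected
subnet, and each access switch must default-route to SW1's VLANIF 5 address."""
import ipaddress

# Excerpts of the three configuration files above (VLANIF addresses and routes).
SW1_TEXT = """sysname SW1
interface Vlanif5
 ip address 192.168.5.1 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.4
ip route-static 192.168.2.0 255.255.255.0 192.168.5.2
ip route-static 192.168.3.0 255.255.255.0 192.168.5.2
ip route-static 192.168.4.0 255.255.255.0 192.168.5.3
"""
SW2_TEXT = """sysname SW2
interface Vlanif2
 ip address 192.168.2.1 255.255.255.0
#
interface Vlanif3
 ip address 192.168.3.1 255.255.255.0
#
interface Vlanif5
 ip address 192.168.5.2 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.1
"""
SW3_TEXT = """sysname SW3
interface Vlanif4
 ip address 192.168.4.1 255.255.255.0
#
interface Vlanif5
 ip address 192.168.5.3 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 192.168.5.1
"""
DEFAULT = ipaddress.ip_network("0.0.0.0/0")

def parse_l3(text):
    """Return (sysname, {interface: ip_interface}, [(dest network, next hop)])."""
    sysname, cur, connected, routes = None, None, {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("sysname "):
            sysname = line.split()[1]
        elif line.startswith("interface "):
            cur = line.split()[1]
        elif line == "#":
            cur = None
        elif cur and line.startswith("ip address "):
            _, _, ip, mask = line.split()
            connected[cur] = ipaddress.ip_interface(f"{ip}/{mask}")
        elif line.startswith("ip route-static "):
            _, _, dst, mask, nh = line.split()
            routes.append((ipaddress.ip_network(f"{dst}/{mask}"), ipaddress.ip_address(nh)))
    return sysname, connected, routes

CFG = {c[0]: c for c in map(parse_l3, (SW1_TEXT, SW2_TEXT, SW3_TEXT))}

def missing_return_routes(agg, access_switches, uplink="Vlanif5"):
    """PC subnets on an access switch that `agg` cannot route back to it."""
    _, _, agg_routes = agg
    missing = []
    for name, connected, _ in access_switches:
        nh = connected[uplink].ip  # the access switch's interconnect address
        for ifname, iface in connected.items():
            if ifname != uplink and not any(
                dst == iface.network and hop == nh for dst, hop in agg_routes
            ):
                missing.append((name, str(iface.network)))
    return missing

def unreachable_next_hops(cfg):
    """Static routes whose next hop lies on no directly connected subnet."""
    _, connected, routes = cfg
    nets = [i.network for i in connected.values()]
    return [(str(dst), str(nh)) for dst, nh in routes
            if not any(nh in n for n in nets)]

def default_route_ok(access, agg, uplink="Vlanif5"):
    """True if `access` default-routes to `agg`'s uplink VLANIF address."""
    _, _, routes = access
    return any(dst == DEFAULT and nh == agg[1][uplink].ip for dst, nh in routes)

if __name__ == "__main__":
    print("missing:", missing_return_routes(CFG["SW1"], [CFG["SW2"], CFG["SW3"]]))
    for name, cfg in CFG.items():
        print(name, "bad next hops:", unreachable_next_hops(cfg))
    print("defaults:", [default_route_ok(CFG[n], CFG["SW1"]) for n in ("SW2", "SW3")])
```

A missing return route on SW1 does not stop PCs from sending, only from receiving replies, so this check catches a black hole that ping from the PC side would otherwise leave you guessing about.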

3.6.3.3 Example for Configuring Interface-based VLAN Assignment (Aggregation Device Used as the Gateway)

Overview
VLANs can be assigned based on interfaces, MAC addresses, IP subnets, protocols,
and policies (MAC addresses, IP addresses, and interfaces). Interface-based VLAN
assignment is the simplest and most commonly used mode.

Interface-based VLAN assignment indicates that VLANs are assigned based on
interfaces. A network administrator preconfigures a PVID for each interface on a
switch. When an untagged frame arrives at an interface, the switch adds the PVID
of the interface to the frame. Then the frame is transmitted in a specified VLAN.

In typical hierarchical networking, when the access switch is a Layer 2 switch, the
aggregation switch can be used as the gateway of PCs. The configuration of the
access switch is simplified, and PCs access the external network through one
outbound interface, thereby facilitating maintenance and management.

Configuration Notes
This example applies to all versions of all switches.

Networking Requirements
In Figure 3-81, PC1 and PC2 belong to VLAN 2 and VLAN 3, respectively. PC1 and
PC2 connect to the aggregation switch SW1 through the access switch SW2. PC3
belongs to VLAN 4 and connects to SW1 through SW3. No configuration is
performed on SW3; it functions as a hub and is plug-and-play. SW1
functions as the gateway of PC1, PC2, and PC3 so that PCs can communicate with
each other and can be connected to the router.

Figure 3-81 Configuring the aggregation device as the gateway

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure interface-based assignment on the access switch to implement
Layer 2 interworking.
2. Configure the aggregation switch as the gateway of PCs to implement Layer 3
interworking between PCs on different network segments.
3. Configure the interface connecting the aggregation switch and router.

Procedure
Step 1 Configure SW2.

# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SW2 //Change the device name to SW2 for easy identification.
[SW2] vlan batch 2 3 //Create VLAN 2 and VLAN 3 in a batch.

# Add interfaces to VLANs.
[SW2] interface gigabitethernet 1/0/23
[SW2-GigabitEthernet1/0/23] port link-type access //Configure the interface connected to the PC as the access interface.
[SW2-GigabitEthernet1/0/23] port default vlan 2 //Add PC1 to VLAN 2.
[SW2-GigabitEthernet1/0/23] quit
[SW2] interface gigabitethernet 1/0/24
[SW2-GigabitEthernet1/0/24] port link-type access
[SW2-GigabitEthernet1/0/24] port default vlan 3 //Add PC2 to VLAN 3.
[SW2-GigabitEthernet1/0/24] quit
[SW2] interface gigabitethernet 1/0/1
[SW2-GigabitEthernet1/0/1] port link-type trunk //Configure the interface connected to the aggregation switch as the trunk interface.
[SW2-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 3 //Add the interface to VLAN 2 and VLAN 3.
[SW2-GigabitEthernet1/0/1] quit

Step 2 Configure SW1.

# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SW1 //Change the device name to SW1.
[SW1] vlan batch 2 to 5 //Create VLANs 2 to 5.

# Add interfaces connected to PCs to VLANs.
[SW1] interface gigabitethernet 1/0/2
[SW1-GigabitEthernet1/0/2] port link-type trunk //Configure the interface connected to SW2 as the trunk interface.
[SW1-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3 //Add the interface to VLAN 2 and VLAN 3.
[SW1-GigabitEthernet1/0/2] quit
[SW1] interface gigabitethernet 1/0/3
[SW1-GigabitEthernet1/0/3] port link-type access //Configure the interface connected to PC3 as the access interface.
[SW1-GigabitEthernet1/0/3] port default vlan 4 //Add PC3 to VLAN 4.
[SW1-GigabitEthernet1/0/3] quit

# Configure VLANIF interfaces and configure IP addresses for VLANIF interfaces as gateway addresses of PCs.
[SW1] interface vlanif 2 //Create VLANIF 2.
[SW1-Vlanif2] ip address 192.168.2.1 24 //Configure an IP address for VLANIF 2. The IP address is the gateway address of PC1.
[SW1-Vlanif2] quit
[SW1] interface vlanif 3 //Create VLANIF 3.
[SW1-Vlanif3] ip address 192.168.3.1 24 //Configure an IP address for VLANIF 3. The IP address is the gateway address of PC2.
[SW1-Vlanif3] quit
[SW1] interface vlanif 4 //Create VLANIF 4.
[SW1-Vlanif4] ip address 192.168.4.1 24 //Configure an IP address for VLANIF 4. The IP address is the gateway address of PC3.
[SW1-Vlanif4] quit

# Add the interface connected to the router to a VLAN.
[SW1] interface gigabitethernet 1/0/1
[SW1-GigabitEthernet1/0/1] port link-type access //Configure the interface connected to the router as the access interface. The interface communicates with the router in untagged mode.
[SW1-GigabitEthernet1/0/1] port default vlan 5 //Add the router to VLAN 5.
[SW1-GigabitEthernet1/0/1] quit

# Configure a VLANIF interface so that PCs can connect to the router.
[SW1] interface vlanif 5 //Create VLANIF 5.
[SW1-Vlanif5] ip address 192.168.5.1 24 //Configure an IP address for VLANIF 5. The IP address is used for interoperation with the router.
[SW1-Vlanif5] quit

Step 3 Verify the configuration.

PC1, PC2, and PC3 can access each other, and they can communicate with the
router.

----End

Configuration Files
SW1 configuration file
#
sysname SW1
#
vlan batch 2 to 5
#
interface Vlanif2
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif3
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif4
ip address 192.168.4.1 255.255.255.0
#
interface Vlanif5
ip address 192.168.5.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 5
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 4
#
return

SW2 configuration file
#
sysname SW2
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet1/0/23
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/24
port link-type access
port default vlan 3
#
return

3.6.3.4 Example for Configuring MAC Address-based VLAN Assignment

Overview
MAC address-based VLAN assignment applies to small-scale networks where user
terminals often change physical locations but their NICs seldom change, for
example, mobile computers.
VLANs can be assigned based on interfaces, MAC addresses, IP subnets, protocols,
and policies (MAC addresses, IP addresses, and interfaces). Table 3-32 compares
different VLAN assignment modes.

Table 3-32 Comparisons among VLAN assignment modes

Interface-based VLAN assignment
Implementation: VLANs are assigned based on interfaces. A network administrator preconfigures a PVID for each interface on a switch. When an untagged frame arrives at an interface, the switch adds the PVID of the interface to the frame. The frame is then transmitted in the VLAN specified by the PVID.
Advantage: It is simple to define VLAN members.
Disadvantage: The network administrator needs to reconfigure VLANs when VLAN members change.
Usage scenario: Applies to networks of any scale and with devices at fixed locations.

MAC address-based VLAN assignment
Implementation: VLANs are assigned based on source MAC addresses of frames. A network administrator preconfigures mappings between MAC addresses and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the MAC address of the frame to the frame. Then the frame is transmitted in the specified VLAN.
Advantage: When physical locations of users change, the network administrator does not need to reconfigure VLANs for the users. This improves security and access flexibility on a network.
Disadvantage: The network administrator must predefine VLANs for all members on a network.
Usage scenario: Applies to small-scale networks where user terminals often change physical locations but their NICs seldom change, for example, mobile computers.

IP subnet-based VLAN assignment
Implementation: VLANs are assigned based on source IP addresses and subnet masks. A network administrator preconfigures mappings between IP addresses and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the IP address of the frame to the frame. Then the frame is transmitted in the specified VLAN.
Advantage:
● When physical locations of users change, the network administrator does not need to reconfigure VLANs for the users.
● This mode reduces communication traffic and allows a broadcast domain to span multiple switches.
Disadvantage: Users are evenly spread, and multiple users are on the same network segment.
Usage scenario: Applies to scenarios where there are high requirements for mobility and simplified management and low requirements for security. For example, this mode can be used if a PC with multiple IP addresses needs to access servers on different network segments, or a PC needs to join a new VLAN automatically after the PC's IP address changes.

Protocol-based VLAN assignment
Implementation: VLANs are assigned based on protocol (suite) types and encapsulation formats of frames. A network administrator preconfigures mappings between protocol types and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the protocol type of the frame to the frame. The frame is then transmitted in the specified VLAN.
Advantage: This mode binds service types to VLANs, facilitating management and maintenance.
Disadvantage:
● The network administrator must preconfigure mappings between all protocol types and VLAN IDs.
● The switch needs to analyze protocol address formats and convert the formats, which consumes excessive resources. Therefore, this mode slows down switch response time.
Usage scenario: Applies to networks using multiple protocols.

Policy-based VLAN assignment (MAC addresses, IP addresses, and interfaces)
Implementation: VLANs are assigned based on policies such as combinations of interfaces, MAC addresses, and IP addresses. A network administrator preconfigures policies. When receiving an untagged frame that matches a configured policy, the switch adds a specified VLAN tag to the frame. The frame is then transmitted in the specified VLAN.
Advantage:
● This mode provides high security. MAC addresses or IP addresses of users who have been bound to VLANs cannot be changed.
● The network administrator can flexibly select which policies to use according to the management mode and requirements.
Disadvantage: Each policy needs to be manually configured.
Usage scenario: Applies to complex networks.

Configuration Notes
This example applies to all versions of all switches.

Networking Requirements
In Figure 3-82, GE1/0/1 interfaces on SwitchA and SwitchB connect to two
conference rooms, respectively. Laptop1 and Laptop2 are portal computers used in
the two conference rooms. Laptop1 and Laptop2 belong to two departments,
which belong to VLAN 100 and VLAN 200, respectively. Regardless of which
conference room Laptop1 and Laptop2 are used in, Laptop1 and Laptop2
are required to access the servers of their respective departments (Server1 and
Server2, respectively). The MAC addresses of Laptop1 and Laptop2 are
00e0-fcef-00c0 and 00e0-fcef-00c1, respectively.


Figure 3-82 Networking of MAC address-based VLAN assignment

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on SwitchA and SwitchB and add interfaces to VLANs to
implement Layer 2 connectivity.
2. Configure MAC address-based VLAN assignment on SwitchA and SwitchB.
3. Configure transparent transmission of VLAN tagged-packets on the switch so
that Laptop1 and Laptop2 can access Server1 and Server2 of their respective
departments.

Procedure
Step 1 Configure SwitchA. The configuration of SwitchB is similar to the configuration of
SwitchA, and is not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200 //Create VLAN 100 and VLAN 200.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk //The link type of interfaces connecting switches must be trunk. The default link type of an interface is not trunk, so you need to manually configure the trunk interface.
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200 //Add GE1/0/2 to VLAN 100 and VLAN 200.
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] vlan 100
[SwitchA-vlan100] mac-vlan mac-address 00e0-fcef-00c0 //Packets with the MAC address of 00e0-fcef-00c0 are transmitted in VLAN 100.
[SwitchA-vlan100] quit
[SwitchA] vlan 200
[SwitchA-vlan200] mac-vlan mac-address 00e0-fcef-00c1 //Packets with the MAC address of 00e0-fcef-00c1 are transmitted in VLAN 200.
[SwitchA-vlan200] quit


[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid //MAC address-based VLAN assignment can only be enabled on hybrid interfaces. In V200R005C00 and later versions, the default link type of an interface is not hybrid, so you need to manually configure the hybrid interface.
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100 200 //Add the interface to VLAN 100 and VLAN 200 in untagged mode.
[SwitchA-GigabitEthernet1/0/1] mac-vlan enable //Enable MAC address-based VLAN assignment on the interface.
[SwitchA-GigabitEthernet1/0/1] quit

Step 2 Configure the switch. The configurations of GE1/0/2, GE1/0/3, and GE1/0/4 are
similar to the configuration of GE1/0/1, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 200 //Add GE1/0/1 to VLAN 100 and VLAN 200.
[Switch-GigabitEthernet1/0/1] quit

Step 3 Verify the configuration.


# Run the display mac-vlan mac-address all command in any view to check the
configuration of MAC address-based VLAN assignment.
[SwitchA] display mac-vlan mac-address all
---------------------------------------------------
MAC Address MASK VLAN Priority
---------------------------------------------------
00e0-fcef-00c0 ffff-ffff-ffff 100 0
00e0-fcef-00c1 ffff-ffff-ffff 200 0

Total MAC VLAN address count: 2

----End

Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 100 200
mac-vlan enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
vlan 100
mac-vlan mac-address 00e0-fcef-00c0 priority 0
vlan 200
mac-vlan mac-address 00e0-fcef-00c1 priority 0
#
return

SwitchB configuration file


#
sysname SwitchB
#


vlan batch 100 200


#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 100 200
mac-vlan enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
vlan 100
mac-vlan mac-address 00e0-fcef-00c0 priority 0
vlan 200
mac-vlan mac-address 00e0-fcef-00c1 priority 0
#
return

Switch configuration file


#
sysname Switch
#
vlan batch 100 200
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 100 200
#
return

3.6.3.5 Example for Configuring IP Subnet-based VLAN Assignment

Overview of IP Subnet-based VLAN Assignment


IP subnet-based VLAN assignment applies to scenarios where there are high
requirements for mobility and simplified management and low requirements for
security. For example, this mode can be used if a PC with multiple IP addresses
needs to access servers on different network segments or a PC needs to join a new
VLAN automatically after the PC's IP address changes.
VLANs can be assigned based on interfaces, MAC addresses, IP subnets, protocols,
and policies (MAC addresses, IP addresses, and interfaces). Table 3-33 compares
different VLAN assignment modes.


Table 3-33 Comparisons among VLAN assignment modes

Interface-based VLAN assignment
Implementation: VLANs are assigned based on interfaces. A network administrator preconfigures a PVID for each interface on a switch. When an untagged frame arrives at an interface, the switch adds the PVID of the interface to the frame. The frame is then transmitted in the VLAN specified by the PVID.
Advantage: It is simple to define VLAN members.
Disadvantage: The network administrator needs to reconfigure VLANs when VLAN members change.
Usage Scenario: Applies to networks of any scale and with devices at fixed locations.

MAC address-based VLAN assignment
Implementation: VLANs are assigned based on source MAC addresses of frames. A network administrator preconfigures mappings between MAC addresses and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the MAC address of the frame to the frame. Then the frame is transmitted in the specified VLAN.
Advantage: When physical locations of users change, the network administrator does not need to reconfigure VLANs for the users. This improves security and access flexibility on a network.
Disadvantage: The network administrator must predefine VLANs for all members on a network.
Usage Scenario: Applies to small-scale networks where user terminals often change physical locations but their NICs seldom change, for example, mobile computers.

IP subnet-based VLAN assignment
Implementation: VLANs are assigned based on source IP addresses and subnet masks. A network administrator preconfigures mappings between IP addresses and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the IP address of the frame to the frame. Then the frame is transmitted in the specified VLAN.
Advantage:
● When physical locations of users change, the network administrator does not need to reconfigure VLANs for the users.
● This mode reduces communication traffic and allows a broadcast domain to span multiple switches.
Disadvantage: Users are evenly spread and multiple users are on the same network segment.
Usage Scenario: Applies to scenarios where there are high requirements for mobility and simplified management and low requirements for security. For example, this mode can be used if a PC with multiple IP addresses needs to access servers on different network segments or a PC needs to join a new VLAN automatically after the PC's IP address changes.

Protocol-based VLAN assignment
Implementation: VLANs are assigned based on protocol (suite) types and encapsulation formats of frames. A network administrator preconfigures mappings between protocol types and VLAN IDs. When receiving an untagged frame, the switch adds the VLAN tag mapping the protocol type of the frame to the frame. The frame is then transmitted in the specified VLAN.
Advantage: This mode binds service types to VLANs, facilitating management and maintenance.
Disadvantage:
● The network administrator must preconfigure mappings between all protocol types and VLAN IDs.
● The switch needs to analyze protocol address formats and convert the formats, which consumes excessive resources. Therefore, this mode slows down switch response time.
Usage Scenario: Applies to networks using multiple protocols.

Policy-based VLAN assignment (MAC addresses, IP addresses, and interfaces)
Implementation: VLANs are assigned based on policies such as combinations of interfaces, MAC addresses, and IP addresses. A network administrator preconfigures policies. When receiving an untagged frame that matches a configured policy, the switch adds a specified VLAN tag to the frame. The frame is then transmitted in the specified VLAN.
Advantage:
● This mode provides high security. MAC addresses or IP addresses of users who have been bound to VLANs cannot be changed.
● The network administrator can flexibly select which policies to use according to the management mode and requirements.
Disadvantage: Each policy needs to be manually configured.
Usage Scenario: Applies to complex networks.

Configuration Notes
This example applies to all versions of all switches.

Networking Requirements
In Figure 3-83, an enterprise has multiple services, including IPTV, VoIP, and
Internet access. Each service uses a different IP subnet. To facilitate management,
the company requires that packets of the same service be transmitted in the same
VLAN and packets of different services in different VLANs. The switch receives
packets of multiple services such as data, IPTV, and voice services, and user devices
of these services use IP addresses on different IP subnets. The switch needs to
assign VLANs to packets of different services so that the router can transmit
packets with different VLAN IDs to different servers.


Figure 3-83 Networking of IP subnet-based VLAN assignment

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to VLANs so that the interfaces allow the IP
subnet-based VLANs.
2. Enable IP subnet-based VLAN assignment and associate IP subnets with
VLANs so that the switch determines VLANs based on source IP addresses or
network segments of packets.

Procedure
Step 1 Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200 300 //Create VLAN100, VLAN 200, and VLAN 300 in a batch.

Step 2 Configure interfaces.


[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid //IP subnet-based VLAN assignment can only be enabled on hybrid interfaces. In V200R005C00 and later versions, the default link type of an interface is not hybrid, so you need to manually configure the hybrid interface.
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100 200 300 //Add the interface to VLANs 100, 200, and 300 in untagged mode.
[Switch-GigabitEthernet1/0/1] ip-subnet-vlan enable //Enable IP subnet-based VLAN assignment.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk //Configure the link type of the interface as trunk.
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200 300
[Switch-GigabitEthernet1/0/2] quit

Step 3 Configure IP subnet-based VLAN assignment.


[Switch] vlan 100
[Switch-vlan100] ip-subnet-vlan 1 ip 192.168.1.2 24 priority 2 //Configure the device to forward packets with the IP address of 192.168.1.2/24 and priority of 2 in VLAN 100.
[Switch-vlan100] quit
[Switch] vlan 200
[Switch-vlan200] ip-subnet-vlan 1 ip 192.168.2.2 24 priority 3 //Configure the device to forward packets with the IP address of 192.168.2.2/24 and priority of 3 in VLAN 200.
[Switch-vlan200] quit
[Switch] vlan 300
[Switch-vlan300] ip-subnet-vlan 1 ip 192.168.3.2 24 priority 4 //Configure the device to forward packets with the IP address of 192.168.3.2/24 and priority of 4 in VLAN 300.
[Switch-vlan300] quit

Step 4 Verify the configuration.


# Run the display ip-subnet-vlan vlan all command on the switch. The following
information is displayed:
[Switch] display ip-subnet-vlan vlan all
----------------------------------------------------------------
Vlan Index IpAddress SubnetMask Priority
----------------------------------------------------------------
100 1 192.168.1.2 255.255.255.0 2
200 1 192.168.2.2 255.255.255.0 3
300 1 192.168.3.2 255.255.255.0 4
----------------------------------------------------------------
ip-subnet-vlan count: 3 total count: 3

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100 200 300
#
vlan 100
ip-subnet-vlan 1 ip 192.168.1.2 255.255.255.0 priority 2
vlan 200
ip-subnet-vlan 1 ip 192.168.2.2 255.255.255.0 priority 3
vlan 300
ip-subnet-vlan 1 ip 192.168.3.2 255.255.255.0 priority 4
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 100 200 300
ip-subnet-vlan enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 200 300
#
return
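As an added example (not Huawei code) serving both the MAC address-based assignment in 3.6.3.4 and the IP subnet-based assignment above: a Python model that parses a constructed VRP-style configuration file, rebuilds the mapping tables, classifies untagged frames the way the text describes, and audits that every mapped VLAN is allowed untagged on the hybrid interface where the feature is enabled. The order in which the MAC and IP subnet mappings are consulted is an assumption (the page states no precedence), and the PVID fallback is left out.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed configuration: the SwitchA file from 3.6.3.4 and the Switch file
# from 3.6.3.5 merged onto one device. GE1/0/1 deliberately omits VLAN 300
# from its untagged list so that audit() below has something to report.
SAMPLE_CONFIG = """\
vlan 100
 mac-vlan mac-address 00e0-fcef-00c0 priority 0
 ip-subnet-vlan 1 ip 192.168.1.2 255.255.255.0 priority 2
vlan 200
 mac-vlan mac-address 00e0-fcef-00c1 priority 0
 ip-subnet-vlan 1 ip 192.168.2.2 255.255.255.0 priority 3
vlan 300
 ip-subnet-vlan 1 ip 192.168.3.2 255.255.255.0 priority 4
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid untagged vlan 100 200
 mac-vlan enable
 ip-subnet-vlan enable
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk allow-pass vlan 100 200 300
"""

@dataclass
class Interface:
    name: str
    link_type: str = ""                           # port link-type ...
    untagged: set = field(default_factory=set)    # port hybrid untagged vlan ...
    mac_vlan: bool = False                        # mac-vlan enable
    ip_subnet_vlan: bool = False                  # ip-subnet-vlan enable

def _vlans(tokens):
    """Expand '100 200' or '2 to 3' (VRP range syntax) into a set of VLAN IDs."""
    ids, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.update(range(int(tokens[i]), int(tokens[i + 2]) + 1)); i += 3
        else:
            ids.add(int(tokens[i])); i += 1
    return ids

def parse_config(text):
    """Rebuild the mapping tables and per-interface settings from a config file."""
    cfg = {"mac": {}, "subnet": [], "intf": {}}
    vlan = intf = None
    for line in text.splitlines():
        t = line.split()
        if not t or t[0] == "#":
            continue
        if t[0] == "vlan":                        # enter VLAN view
            vlan, intf = int(t[1]), None
        elif t[0] == "interface":                 # enter interface view
            intf, vlan = cfg["intf"].setdefault(t[1], Interface(t[1])), None
        elif vlan is not None and t[:2] == ["mac-vlan", "mac-address"]:
            cfg["mac"][t[2].lower()] = (vlan, int(t[t.index("priority") + 1]))
        elif vlan is not None and t[0] == "ip-subnet-vlan":
            net = ipaddress.ip_network(f"{t[3]}/{t[4]}", strict=False)
            cfg["subnet"].append((net, vlan, int(t[t.index("priority") + 1])))
        elif intf is not None and t[:2] == ["port", "link-type"]:
            intf.link_type = t[2]
        elif intf is not None and t[:3] == ["port", "hybrid", "untagged"]:
            intf.untagged |= _vlans(t[4:])
        elif intf is not None and t == ["mac-vlan", "enable"]:
            intf.mac_vlan = True
        elif intf is not None and t == ["ip-subnet-vlan", "enable"]:
            intf.ip_subnet_vlan = True
    return cfg

def classify(cfg, ingress, src_mac, src_ip):
    """(VLAN, 802.1p priority) given to an untagged frame, or None if unmapped.

    Assumed order (the page states none): MAC mapping first, then IP subnet
    mapping; the PVID fallback of interface-based assignment is not modelled.
    """
    intf = cfg["intf"][ingress]
    hit = cfg["mac"].get(src_mac.lower()) if intf.mac_vlan else None
    if hit is None and intf.ip_subnet_vlan:
        addr = ipaddress.ip_address(src_ip)
        hit = next(((v, p) for net, v, p in cfg["subnet"] if addr in net), None)
    return hit

def audit(cfg):
    """Report mappings that cannot take effect where the feature is enabled:
    the interface must be hybrid and must carry each mapped VLAN untagged."""
    mapped = {v for v, _ in cfg["mac"].values()} | {v for _, v, _ in cfg["subnet"]}
    findings = []
    for intf in cfg["intf"].values():
        if not (intf.mac_vlan or intf.ip_subnet_vlan):
            continue
        if intf.link_type != "hybrid":
            findings.append(f"{intf.name}: link type must be hybrid")
        for vlan in sorted(mapped - intf.untagged):
            findings.append(f"{intf.name}: VLAN {vlan} mapped but not allowed untagged")
    return findings
```

Because the MAC and subnet tables are keyed only on fields the sender supplies, the audit checks configuration consistency, not the identity of the sender; the table above already places both modes at the low end for security.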

3.6.3.6 Example for Directly Connecting a Terminal to a Layer 3 Gateway to Implement Inter-VLAN Communication

Overview
After VLANs are assigned, broadcast packets are forwarded only within the same
VLAN. That is, hosts in different VLANs cannot communicate at Layer 2, because
VLAN technology isolates broadcast domains. In real-world applications, hosts in
different VLANs often need to communicate, so inter-VLAN communication must
be implemented. Layer 3 routing or VLAN technology is required to implement
inter-VLAN communication.


Huawei provides a variety of technologies to implement inter-VLAN
communication. The following two technologies are commonly used:
● VLANIF interface
A VLANIF interface is a Layer 3 logical interface. You can configure an IP
address for a VLANIF interface to implement inter-VLAN Layer 3
communication.
● Dot1q termination sub-interface
Similar to a VLANIF interface, a sub-interface is also a Layer 3 logical
interface. You can configure dot1q termination and an IP address for a sub-
interface to implement inter-VLAN Layer 3 communication.

VLANIF interfaces are the most commonly used for inter-VLAN communication
due to their simple configurations. However, a VLANIF interface needs to be
configured for each VLAN and each VLANIF interface requires an IP address, which
wastes IP addresses.

The VLANIF interface and Dot1q termination sub-interface can only allow hosts
on different network segments in different VLANs to communicate, whereas
super-VLAN (VLAN aggregation) and the VLAN Switch function allow hosts on the
same network segment in different VLANs to communicate.

Configuration Notes
● The default gateway address of hosts in a VLAN must be the IP address of the
VLANIF interface that corresponds to the VLAN.
● This example applies to all versions of all switches.

Networking Requirements
Different user hosts of an enterprise transmit the same service, and are located on
different network segments. User hosts transmitting the same service belong to
different VLANs and need to communicate.

In Figure 3-84, User1 and User2 access the same service but belong to different
VLANs and are located on different network segments. User1 and User2 need to
communicate.

Figure 3-84 Networking for configuring inter-VLAN communication using VLANIF interfaces


Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and determine the VLANs to which users belong.
2. Add interfaces to VLANs and configure the interfaces to allow the VLANs.
3. Create VLANIF interfaces and configure IP addresses for the VLANIF interfaces
to implement Layer 3 connectivity.

Procedure
Step 1 Configure the switch.
# Create VLANs, and configure interfaces on the switch connected to user hosts as
access interfaces and add them to VLANs.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //Configure the link type of the interface as access.
[Switch-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN 10.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

# Assign IP addresses to VLANIF interfaces.


[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.10.10.2 24 //Set the IP address of VLANIF 10 to 10.10.10.2/24.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.10.20.2 24 //Set the IP address of VLANIF 20 to 10.10.20.2/24.
[Switch-Vlanif20] quit

Step 2 Verify the configuration.


Configure User1 in VLAN 10 with the IP address 10.10.10.3/24 and the default
gateway address 10.10.10.2/24 (the IP address of VLANIF 10).
Configure User2 in VLAN 20 with the IP address 10.10.20.3/24 and the default
gateway address 10.10.20.2/24 (the IP address of VLANIF 20).
After the configuration is complete, User1 in VLAN 10 and User2 in VLAN 20 can
communicate.

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20


ip address 10.10.20.2 255.255.255.0


#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return

Related Content
Support Community

VLAN Communication

Videos

Deploying a Layer 3 Switch on a LAN

3.6.3.7 Example for Connecting a Terminal to a Layer 3 Gateway Through a Layer 2 Switch

Overview
After VLANs are assigned, broadcast packets are forwarded only within the same
VLAN. That is, hosts in different VLANs cannot communicate at Layer 2, because
VLAN technology isolates broadcast domains. In real-world applications, hosts in
different VLANs often need to communicate, so inter-VLAN communication must
be implemented. Layer 3 routing or VLAN technology is required to implement
inter-VLAN communication.

Huawei provides a variety of technologies to implement inter-VLAN
communication. The following two technologies are commonly used:
● VLANIF interface
A VLANIF interface is a Layer 3 logical interface. You can configure an IP
address for a VLANIF interface to implement inter-VLAN Layer 3
communication.
● Dot1q termination sub-interface
Similar to a VLANIF interface, a sub-interface is also a Layer 3 logical
interface. You can configure dot1q termination and an IP address for a sub-
interface to implement inter-VLAN Layer 3 communication.

Inter-VLAN communication through a dot1q termination sub-interface is used in
scenarios where an Ethernet interface connects to many VLANs. Because data
flows from different VLANs preempt the bandwidth of the primary Ethernet
interface, communication bottlenecks may occur when the network is busy.

The VLANIF interface and Dot1q termination sub-interface can only allow hosts
on different network segments in different VLANs to communicate, whereas
super-VLAN (VLAN aggregation) and the VLAN Switch function allow hosts on the
same network segment in different VLANs to communicate.


Configuration Notes
● Only E series cards, X series cards, F series cards, and SC cards among the S
series cards of the S7700 and S9700 support termination sub-interfaces. For
details, see the card classification in Hardware Description.
X1E cards in the X series support termination sub-interfaces in V200R007C00
and later versions.
● For Layer 2 interfaces, only hybrid and trunk interfaces support termination
sub-interfaces.
● The VLAN IDs terminated by a sub-interface cannot be created in the system
view or be displayed.
● When IP packets need to be sent out from the termination sub-interface and
there is no corresponding ARP entry on the device, the system does not send or
forward broadcast ARP packets to learn ARP entries unless ARP broadcast has
been enabled on the termination sub-interface with the arp broadcast enable
command. In this case, the IP packets are discarded directly.
● This example applies to all versions of the modular switches.

Networking Requirements
In Figure 3-85, Host A and Host B belong to the R&D department, and Host C and
Host D belong to the quality department. The two departments are connected
through a Layer 2 switch, and require Layer 2 isolation and Layer 3 connectivity.

Figure 3-85 Networking for connecting a terminal to a Layer 3 gateway through a Layer 2 switch

Configuration Roadmap
The configuration roadmap is as follows:


1. Configure interface-based assignment on the Layer 2 switch to implement
Layer 2 isolation.
2. Configure sub-interface termination on the Layer 3 switch to implement Layer
3 connectivity.

Procedure
Step 1 Configure Layer 2 switch SwitchA.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA //Change the device name to SwitchA for easy identification.
[SwitchA] vlan batch 2 to 3 //Create VLAN 2 and VLAN 3 in a batch.

# Add the interface connected to the host to VLANs.


[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Configure the interface connected to the PC as the access interface.
[SwitchA-GigabitEthernet1/0/1] port default vlan 2 //Add Host A to VLAN 2.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 2 //Add Host B to VLAN 2.
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type access //Configure the interface connected to the PC as the access interface.
[SwitchA-GigabitEthernet1/0/3] port default vlan 3 //Add Host C to VLAN 3.
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type access
[SwitchA-GigabitEthernet1/0/4] port default vlan 3 //Add Host D to VLAN 3.
[SwitchA-GigabitEthernet1/0/4] quit

# Enable the interface connected to the Layer 3 switch to transparently transmit
packets from a specified VLAN.
[SwitchA] interface gigabitethernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] port link-type trunk //Configure the interface connected to the switch as the trunk interface.
[SwitchA-GigabitEthernet1/0/5] port trunk allow-pass vlan 2 to 3 //Add the interface to VLAN 2 and VLAN 3.
[SwitchA-GigabitEthernet1/0/5] quit

Step 2 Configure Layer 3 switch SwitchB.


<HUAWEI> system-view
[HUAWEI] sysname SwitchB //Change the device name to SwitchB.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type hybrid //In versions earlier than V200R005, you do not need to manually configure the link type of the interface as hybrid.
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/1.1 //Create a sub-interface and enter the sub-interface view.
[SwitchB-GigabitEthernet1/0/1.1] dot1q termination vid 2 //Set the VLAN ID for dot1q termination on GE1/0/1.1 to VLAN 2.
[SwitchB-GigabitEthernet1/0/1.1] ip address 1.1.1.1 24
[SwitchB-GigabitEthernet1/0/1.1] arp broadcast enable //A termination sub-interface directly discards broadcast packets, so the sub-interface needs to be configured to forward ARP broadcast packets.
[SwitchB-GigabitEthernet1/0/1.1] quit
[SwitchB] interface gigabitethernet 1/0/1.2 //Create a sub-interface and enter the sub-interface view.
[SwitchB-GigabitEthernet1/0/1.2] dot1q termination vid 3 //Set the VLAN ID for dot1q termination on GE1/0/1.2 to VLAN 3.
[SwitchB-GigabitEthernet1/0/1.2] ip address 2.2.2.1 24
[SwitchB-GigabitEthernet1/0/1.2] arp broadcast enable
[SwitchB-GigabitEthernet1/0/1.2] quit


Step 3 Verify the configuration.


Configure the IP address 1.1.1.2/24 for Host A and the default gateway address as
the IP address 1.1.1.1/24 of GE1/0/1.1.
Configure the IP address 1.1.1.3/24 for Host B and the default gateway address as
the IP address 1.1.1.1/24 of GE1/0/1.1.
Configure the IP address 2.2.2.2/24 for Host C and the default gateway address as
the IP address 2.2.2.1/24 of GE1/0/1.2.
Configure the IP address 2.2.2.3/24 for Host D and the default gateway address as
the IP address 2.2.2.1/24 of GE1/0/1.2.
After the configuration is complete, Host A, Host B, Host C, and Host D can ping
each other and communicate at Layer 3.

----End

Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

SwitchB configuration file


#
sysname SwitchB
#
interface GigabitEthernet1/0/1
port link-type hybrid
#
interface GigabitEthernet1/0/1.1
dot1q termination vid 2
ip address 1.1.1.1 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet1/0/1.2
dot1q termination vid 3
ip address 2.2.2.1 255.255.255.0


arp broadcast enable


#
return

3.6.3.8 Example for Configuring Communication Between Different Network Segments Through Static Routes

Overview
In addition to configuring an IP address for a VLANIF interface, you need to
configure a static route or a dynamic routing protocol when PCs on different
network segments across several switches need to communicate. This is because
only a direct route is generated for the VLANIF interface's IP address on the switch,
so a VLANIF interface can only implement interworking between PCs on
different network segments through one switch.
Static routes can be easily configured and have low requirements on the system.
They are applicable to simple, stable, and small-scale networks. However, static
routes cannot automatically adapt to changes in the network topology, and
manual intervention is required.
With routing algorithms, dynamic routing protocols can automatically adapt to
changes in the network topology. They are applicable to networks where several
Layer 3 devices are deployed. The configurations of dynamic routes are complex.
Dynamic routes have higher requirements on the system than static ones and
consume more network and system resources.
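As an added example (not Huawei code) covering the VLANIF scenario in 3.6.3.6 and the static-route argument above: a Python longest-prefix-match model of the switch routing table, showing that an address on a VLANIF interface yields only a direct route, so the AGG and CORE switches each need a static route toward the other's segment before traffic can flow in both directions. The AGG/CORE addresses and the static-route entries are constructed for the illustration; the page gives neither.

```python
import ipaddress

def direct_route(vlanif, address_with_prefix):
    """Route the switch derives on its own from 'ip address' on a VLANIF interface."""
    net = ipaddress.ip_network(address_with_prefix, strict=False)
    return (net, "Direct", vlanif, None)

def static_route(destination, next_hop):
    """Route an administrator adds by hand (constructed values, not from the page)."""
    return (ipaddress.ip_network(destination), "Static", None, next_hop)

def lookup(fib, destination):
    """Longest-prefix match: (protocol, out_interface, next_hop), or None if no route."""
    dst = ipaddress.ip_address(destination)
    best = None
    for entry in fib:
        net = entry[0]
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = entry
    return None if best is None else best[1:]

def round_trip(agg_fib, core_fib, user_ip, server_ip):
    """True only when AGG can forward toward the server AND CORE can route the reply."""
    return lookup(agg_fib, server_ip) is not None and lookup(core_fib, user_ip) is not None

# 3.6.3.6: one switch holds both gateways, VLANIF 10 = 10.10.10.2/24 and
# VLANIF 20 = 10.10.20.2/24, so the two direct routes are enough.
SINGLE_SWITCH_FIB = [
    direct_route("Vlanif10", "10.10.10.2/24"),
    direct_route("Vlanif20", "10.10.20.2/24"),
]

# 3.6.3.8: AGG holds VLANIF 10 (user gateway), CORE holds VLANIF 20 (server
# gateway), and a constructed VLANIF 100 is the AGG-CORE interconnect.
AGG_FIB_DIRECT_ONLY = [
    direct_route("Vlanif10", "10.1.10.1/24"),
    direct_route("Vlanif100", "10.1.100.1/30"),
]
AGG_FIB = AGG_FIB_DIRECT_ONLY + [static_route("10.1.20.0/24", "10.1.100.2")]

CORE_FIB_DIRECT_ONLY = [
    direct_route("Vlanif20", "10.1.20.1/24"),
    direct_route("Vlanif100", "10.1.100.2/30"),
]
CORE_FIB = CORE_FIB_DIRECT_ONLY + [static_route("10.1.10.0/24", "10.1.100.1")]

if __name__ == "__main__":
    print(lookup(SINGLE_SWITCH_FIB, "10.10.20.3"))    # ('Direct', 'Vlanif20', None)
    print(lookup(AGG_FIB_DIRECT_ONLY, "10.1.20.5"))   # None: AGG has no route to the server segment
    print(round_trip(AGG_FIB, CORE_FIB_DIRECT_ONLY, "10.1.10.10", "10.1.20.5"))  # False
    print(round_trip(AGG_FIB, CORE_FIB, "10.1.10.10", "10.1.20.5"))              # True
```

The False case is the one worth remembering when a ping fails after only one side has been configured: the request leaves AGG, but CORE drops the reply because it has no route back to VLANIF 10's segment.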

Configuration Notes
This example applies to all versions of all switches.

Networking Requirements
In Figure 3-86, to ensure security and facilitate management, an enterprise
assigns a VLAN for a server. The user device belongs to VLAN 10, and the server
belongs to VLAN 20. Access, aggregation, and core switches are deployed between
the user and server. Access switches are Layer 2 switches, and aggregation and
core switches are Layer 3 switches. The user and server need to communicate with
each other due to service requirements.

Figure 3-86 Networking for configuring communication between different network segments through static routes

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interface-based VLAN assignment to implement Layer 2
communication.
2. Configure VLANIF 10 on the aggregation switch AGG and configure an IP
address for VLANIF 10 as the gateway address of the user; configure VLANIF
20 on the core switch CORE and configure an IP address for VLANIF 20 as the
gateway address of the server.
3. On the aggregation switch AGG, configure a static route from AGG to the
network segment of VLANIF 20; on the core switch CORE, configure a static
route from CORE to the network segment of VLANIF 10. The communication
across network segments is therefore implemented.

Procedure
Step 1 Configure the access switch ACC1.
# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname ACC1 //Change the device name to ACC1 for easy identification.
[ACC1] vlan batch 10 //Create VLAN 10 in a batch.

# Add interfaces to VLANs.


[ACC1] interface gigabitethernet 1/0/1
[ACC1-GigabitEthernet1/0/1] port link-type access //Configure the interface connected to a user host as the access interface.
[ACC1-GigabitEthernet1/0/1] port default vlan 10 //Add the user device to VLAN 10.
[ACC1-GigabitEthernet1/0/1] quit
[ACC1] interface gigabitethernet 1/0/2
[ACC1-GigabitEthernet1/0/2] port link-type trunk //Configure the interface connected to the aggregation switch as the trunk interface.
[ACC1-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 //Add the interface connected to the aggregation switch to VLAN 10.
[ACC1-GigabitEthernet1/0/2] quit

Step 2 Configure the access switch ACC2.

# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname ACC2 //Change the device name to ACC2.
[ACC2] vlan batch 20 //Create VLAN 20 in a batch.

# Add interfaces to VLANs.


[ACC2] interface gigabitethernet 1/0/1
[ACC2-GigabitEthernet1/0/1] port link-type access //Configure the interface connected to the server as the access interface.
[ACC2-GigabitEthernet1/0/1] port default vlan 20 //Add the server to VLAN 20.
[ACC2-GigabitEthernet1/0/1] quit
[ACC2] interface gigabitethernet 1/0/2
[ACC2-GigabitEthernet1/0/2] port link-type trunk //Configure the interface connected to the core switch as the trunk interface.
[ACC2-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 //Add the interface connected to the core switch to VLAN 20.
[ACC2-GigabitEthernet1/0/2] quit

Step 3 Configure the aggregation switch AGG.

# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname AGG //Change the device name to AGG.
[AGG] vlan batch 10 30 //Create VLAN 10 and VLAN 30 in a batch.

# Add interfaces to VLANs.


[AGG] interface gigabitethernet 1/0/2
[AGG-GigabitEthernet1/0/2] port link-type trunk //Configure the interface as the trunk interface.
[AGG-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 //Add the interface to VLAN 10.
[AGG-GigabitEthernet1/0/2] quit
[AGG] interface gigabitethernet 1/0/3
[AGG-GigabitEthernet1/0/3] port link-type trunk //Configure the interface as the trunk interface.
[AGG-GigabitEthernet1/0/3] port trunk allow-pass vlan 30 //Add the interface connected to the core switch to VLAN 30.
[AGG-GigabitEthernet1/0/3] quit

# Create VLANIF 10 and configure an IP address for VLANIF 10 as the gateway address.
[AGG] interface vlanif 10 //Create VLANIF 10.
[AGG-Vlanif10] ip address 10.1.1.1 24 //Configure an IP address for VLANIF 10. The IP address is the gateway address.
[AGG-Vlanif10] quit

# Create VLANIF 30 and configure an IP address for VLANIF 30.


[AGG] interface vlanif 30 //Create VLANIF 30.
[AGG-Vlanif30] ip address 10.10.30.1 24 //Configure an IP address for VLANIF 30. The IP address cannot conflict with IP addresses of the user and server.
[AGG-Vlanif30] quit

# Configure a static route so that the PC can access the server.

[AGG] ip route-static 192.168.1.0 255.255.255.0 10.10.30.2 //Configure a static route. The packets with the destination IP address of 192.168.1.0/24 are forwarded to the IP address 10.10.30.2 of VLANIF 30 on the core switch.

Step 4 Configure the core switch CORE.


# Create VLANs.
<HUAWEI> system-view
[HUAWEI] sysname CORE //Change the device name to CORE.
[CORE] vlan batch 20 30 //Create VLAN 20 and VLAN 30 in a batch.

# Add interfaces to VLANs.


[CORE] interface gigabitethernet 1/0/2
[CORE-GigabitEthernet1/0/2] port link-type trunk //Configure the interface as the trunk interface.
[CORE-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 //Add the interface to VLAN 20.
[CORE-GigabitEthernet1/0/2] quit
[CORE] interface gigabitethernet 1/0/3
[CORE-GigabitEthernet1/0/3] port link-type trunk //Configure the interface as the trunk interface.
[CORE-GigabitEthernet1/0/3] port trunk allow-pass vlan 30 //Add the interface to VLAN 30.
[CORE-GigabitEthernet1/0/3] quit

# Create VLANIF 20 and configure an IP address for VLANIF 20 as the gateway address of the server.
[CORE] interface vlanif 20 //Create VLANIF 20.
[CORE-Vlanif20] ip address 192.168.1.1 24 //Configure an IP address for VLANIF 20. The IP address is the gateway address of the server.
[CORE-Vlanif20] quit

# Create VLANIF 30 and configure an IP address for VLANIF 30.


[CORE] interface vlanif 30 //Create VLANIF 30.
[CORE-Vlanif30] ip address 10.10.30.2 24 //Configure an IP address for VLANIF 30.
[CORE-Vlanif30] quit

# Configure a static route so that the server and PC can access each other.
[CORE] ip route-static 10.1.1.0 255.255.255.0 10.10.30.1 //Configure a static route. The packets with the destination IP address of 10.1.1.0/24 are forwarded to the IP address 10.10.30.1 of VLANIF 30 on the aggregation switch.

Step 5 Verify the configuration.


Configure the IP address of 10.1.1.2/24 for the PC in VLAN 10 and the default
gateway address as 10.1.1.1 (VLANIF 10's IP address).
Configure the IP address of 192.168.1.2/24 for the server in VLAN 20 and the
default gateway address as 192.168.1.1 (VLANIF 20's IP address).
After the configuration is complete, the PC in VLAN 10 and the server in VLAN 20
can access each other.

----End
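To see what the two static routes actually do, here is a small Python model (an added example, not Huawei code) that parses the routing-relevant lines of the AGG and CORE configuration files, performs a longest-prefix lookup on each switch, and traces a packet hop by hop from the PC's gateway to the server and back; it also shows the black hole that results when the CORE static route is missing. The PC and server addresses are the ones used in Step 5; the switch names are labels for this model.

```python
import ipaddress
import re

# Copied from the AGG and CORE configuration files in this example; only the
# lines that build the routing table are kept.
AGG_CONFIG = """
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
interface Vlanif30
 ip address 10.10.30.1 255.255.255.0
ip route-static 192.168.1.0 255.255.255.0 10.10.30.2
"""

CORE_CONFIG = """
interface Vlanif20
 ip address 192.168.1.1 255.255.255.0
interface Vlanif30
 ip address 10.10.30.2 255.255.255.0
ip route-static 10.1.1.0 255.255.255.0 10.10.30.1
"""


def routing_table(config):
    """Build a routing table from the VLANIF addresses (direct routes, next
    hop None) and the ip route-static lines (next hop still to be resolved)."""
    table, iface = [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            iface = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)$", line):
            addr = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            table.append({"net": addr.network, "nexthop": None,
                          "via": iface, "local": addr.ip})
        elif m := re.match(r"ip route-static (\S+) (\S+) (\S+)$", line):
            table.append({"net": ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}"),
                          "nexthop": ipaddress.IPv4Address(m.group(3)),
                          "via": "static", "local": None})
    return table


def lookup(table, dst):
    """Longest-prefix match; None when no route covers dst."""
    dst = ipaddress.IPv4Address(dst)
    matches = [r for r in table if dst in r["net"]]
    return max(matches, key=lambda r: r["net"].prefixlen) if matches else None


def trace(devices, gateway, dst, max_hops=8):
    """Follow a packet from the host's gateway switch towards dst. The result
    lists the switches visited and ends in 'delivered' (direct route on the
    last switch), 'blackhole' (no route, or a next hop no switch owns) or 'loop'."""
    owners = {r["local"]: name for name, table in devices.items()
              for r in table if r["local"] is not None}
    path, device = [], gateway
    for _ in range(max_hops):
        path.append(device)
        route = lookup(devices[device], dst)
        if route is None:
            return path + ["blackhole"]
        if route["nexthop"] is None:
            return path + ["delivered"]
        device = owners.get(route["nexthop"])
        if device is None:
            return path + ["blackhole"]
    return path + ["loop"]


def without_static_routes(table):
    """Same table with the ip route-static entries removed (a half-configured switch)."""
    return [r for r in table if r["via"] != "static"]


if __name__ == "__main__":
    devices = {"AGG": routing_table(AGG_CONFIG), "CORE": routing_table(CORE_CONFIG)}
    print(trace(devices, "AGG", "192.168.1.2"))   # PC -> server
    print(trace(devices, "CORE", "10.1.1.2"))     # server -> PC
    broken = dict(devices, CORE=without_static_routes(devices["CORE"]))
    print(trace(broken, "CORE", "10.1.1.2"))      # return traffic is black-holed
```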

Configuration Files
ACC1 configuration file
#
sysname ACC1
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
return

ACC2 configuration file


#
sysname ACC2
#
vlan batch 20
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
return

AGG configuration file


#
sysname AGG
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
ip route-static 192.168.1.0 255.255.255.0 10.10.30.2
#
return

CORE configuration file


#
sysname CORE
#
vlan batch 20 30
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif30
ip address 10.10.30.2 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
ip route-static 10.1.1.0 255.255.255.0 10.10.30.1
#
return

3.6.3.9 Example for Configuring the Super-VLAN

Super-VLAN Overview
Super-VLAN, also called VLAN aggregation, reduces the number of required IP
addresses, isolates broadcast storms, and controls Layer 2 access on interfaces. A
super-VLAN can be associated with multiple sub-VLANs, which are isolated at
Layer 2. All sub-VLANs use the IP address of the corresponding VLANIF interface
for the super-VLAN to implement Layer 3 connectivity with an external network,
thereby reducing the number of IP addresses required.

The super-VLAN applies to scenarios where many users and VLANs exist, IP
addresses of devices in many VLANs are on the same network segment, and inter-
VLAN Layer 2 isolation needs to be implemented. Inter-VLAN proxy ARP can be
enabled to implement inter-VLAN communication. For example, this can be used
in hotels and residential buildings requiring broadband access. A room or
household is assigned a VLAN and isolated. An IP network segment cannot be
allocated to each VLAN because IP addresses are finite and there are many VLANs.
The VLANs can only share an IP network segment. Assume that VLAN 10 is allocated the network segment 10.10.10.0/24. A household may use only one or two IP addresses, yet the whole segment (over 200 IP addresses) is consumed by that one VLAN. Super-VLAN technology allows users in VLANs 11 to 100 to share the IP network segment 10.10.10.0/24, thereby reducing the number of IP addresses required.

Super-VLAN is a Layer 3 technology configured on a Layer 3 switch, whereas MUX VLAN is configured on a Layer 2 switch. MUX VLAN is more complex to configure than super-VLAN, but its access control is more flexible. When the switch queries temporarily offline users in a super-VLAN, the gateway needs to broadcast packets in each sub-VLAN, which consumes many CPU resources.

Configuration Notes
● VLAN 1 cannot be configured as a super-VLAN.
● No physical interface can be added to a VLAN configured as a super-VLAN.
● This example applies to the following products:
– S2752EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-EI, S5700-SI, S5700-HI, S5710-EI, S5720-EI, S5720-SI, S5720S-SI,
S5720I-SI, S5710-HI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H,
S5731-S, S5731S-S, S5731S-H, S5732-H, S5735-S, S5735S-S, S5735-S-I
– S6700-EI, S6720-EI, S6720S-EI, S6720-SI, S6720S-SI, S6720-HI, S6730-H,
S6730S-H, S6730-S, S6730S-S
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.

NOTE
To view detailed information about software mappings, visit Info-Finder, select a product series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-87, a company has many departments on the same network segment.
To improve service security, the company assigns different departments to
different VLANs. VLAN 2 and VLAN 3 belong to different departments. Each
department wants to access the Internet, and PCs in different departments need
to communicate.

Figure 3-87 Networking of the super-VLAN

Configuration Roadmap
Configure VLAN aggregation on SwitchB to add VLANs of different departments
to a super-VLAN so that PCs in different departments can access the Internet
using the super-VLAN. Deploy proxy ARP in the super-VLAN so that PCs in
different departments can communicate. The configuration roadmap is as follows:

1. Configure VLANs and interfaces on SwitchA and SwitchB, add PCs of different
departments to different VLANs, and configure interfaces on SwitchA and
SwitchB to transparently transmit packets from VLANs.
2. Configure a super-VLAN, a VLANIF interface, and a static route on SwitchB so
that PCs in different departments can access the Internet.
3. Configure proxy ARP in the super-VLAN on SwitchB so that PCs in different
departments can communicate at Layer 3.

Procedure
Step 1 Configure SwitchA.
# Add GE1/0/1, GE1/0/2, GE1/0/3, and GE1/0/4 to VLANs.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 to 3
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Configure the link type of the interface as access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 2 //Add the interface to VLAN 2.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 2
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type access
[SwitchA-GigabitEthernet1/0/3] port default vlan 3 //Add the interface to VLAN 3.
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type access
[SwitchA-GigabitEthernet1/0/4] port default vlan 3
[SwitchA-GigabitEthernet1/0/4] quit

# Configure GE1/0/5 to transparently transmit packets from VLAN 2 and VLAN 3.


[SwitchA] interface gigabitethernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] port link-type trunk
[SwitchA-GigabitEthernet1/0/5] port trunk allow-pass vlan 2 to 3
[SwitchA-GigabitEthernet1/0/5] quit

Step 2 Configure SwitchB.


# Create VLAN 2, VLAN 3, VLAN 4, and VLAN 10 and configure the interface of
SwitchB connected to SwitchA to transparently transmit packets from VLAN 2 and
VLAN 3 to SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3 4 10
[SwitchB] interface gigabitethernet 1/0/5
[SwitchB-GigabitEthernet1/0/5] port link-type trunk
[SwitchB-GigabitEthernet1/0/5] port trunk allow-pass vlan 2 3
[SwitchB-GigabitEthernet1/0/5] quit

# Configure super-VLAN 4 on SwitchB and add VLAN 2 and VLAN 3 to super-VLAN 4 as sub-VLANs.
[SwitchB] vlan 4
[SwitchB-vlan4] aggregate-vlan
[SwitchB-vlan4] access-vlan 2 to 3
[SwitchB-vlan4] quit

# Create and configure VLANIF 4 so that PCs in different departments can access
the Internet using super-VLAN 4.
[SwitchB] interface vlanif 4
[SwitchB-Vlanif4] ip address 10.1.1.1 24
[SwitchB-Vlanif4] quit

# Configure the uplink interface GE1/0/1 to transparently transmit packets from the VLAN that SwitchB and the router belong to.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet1/0/1] quit

# Create and configure VLANIF 10 and specify the IP address of VLANIF 10 as the
IP address for connecting SwitchB and the router.
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.10.1.1 24
[SwitchB-Vlanif10] quit

# Configure a static route to the router on SwitchB so that users can access the
Internet.
[SwitchB] ip route-static 0.0.0.0 0.0.0.0 10.10.1.2

NOTE

Configure the router interface connected to SwitchB and assign the IP address of 10.10.1.2
to the router interface. See the router configuration manual.

Step 3 Assign IP addresses to PCs.


Configure IP addresses for PCs and ensure that their IP addresses are on the same
network segment as 10.1.1.1/24 (IP address of VLANIF 4).
After the configuration is complete, PCs in each department can access the
Internet, but PCs in VLAN 2 and VLAN 3 cannot ping each other.
Step 4 Configure proxy ARP.
# Configure proxy ARP in super-VLAN 4 on SwitchB so that users in different
departments can communicate at Layer 3.
[SwitchB] interface vlanif 4
[SwitchB-Vlanif4] arp-proxy inter-sub-vlan-proxy enable
[SwitchB-Vlanif4] quit

Step 5 Verify the configuration.


After the configuration is complete, users in VLAN 2 and VLAN 3 can ping each
other and access the Internet.

----End
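The following Python model (an added example, not Huawei code) reproduces why PCs in VLAN 2 and VLAN 3 cannot ping each other after Step 3 yet can reach the Internet, and why Step 4 fixes it: the sub-VLANs are isolated at Layer 2, so an ARP request for a host in the other sub-VLAN goes unanswered until the VLANIF 4 gateway proxies it. Host names, host IP and MAC addresses, the gateway MAC and the external address 198.51.100.7 are constructed for the model.

```python
import ipaddress
from dataclasses import dataclass

# VLANIF 4 on SwitchB from this example; the gateway MAC is constructed.
SUBNET = ipaddress.IPv4Network("10.1.1.0/24")
GATEWAY_IP = ipaddress.IPv4Address("10.1.1.1")
GATEWAY_MAC = "00:e0:fc:aa:00:01"


@dataclass
class Host:
    name: str
    ip: ipaddress.IPv4Address
    mac: str
    sub_vlan: int


# Constructed hosts: two in sub-VLAN 2, one in sub-VLAN 3, all inside 10.1.1.0/24.
HOSTS = [
    Host("PC1", ipaddress.IPv4Address("10.1.1.10"), "00:11:22:33:44:01", 2),
    Host("PC2", ipaddress.IPv4Address("10.1.1.11"), "00:11:22:33:44:02", 2),
    Host("PC3", ipaddress.IPv4Address("10.1.1.20"), "00:11:22:33:44:03", 3),
]


class SuperVlanSwitch:
    """Super-VLAN 4 on SwitchB: sub-VLANs are isolated at Layer 2, one VLANIF
    serves all of them at Layer 3."""

    def __init__(self, hosts, inter_sub_vlan_proxy=False):
        self.hosts = hosts
        # 'arp-proxy inter-sub-vlan-proxy enable' on VLANIF 4 (Step 4).
        self.inter_sub_vlan_proxy = inter_sub_vlan_proxy

    def arp_reply(self, requester, target_ip):
        """MAC carried in the reply to an ARP request broadcast in the
        requester's sub-VLAN, or None if nothing answers."""
        if target_ip == GATEWAY_IP:
            return GATEWAY_MAC          # the VLANIF hears every sub-VLAN
        for h in self.hosts:
            if h.ip == target_ip and h.sub_vlan == requester.sub_vlan:
                return h.mac            # same sub-VLAN: the broadcast reaches it
        if self.inter_sub_vlan_proxy and any(h.ip == target_ip for h in self.hosts):
            return GATEWAY_MAC          # proxy: the gateway answers for the other sub-VLAN
        return None                     # Layer 2 isolation: the request never arrives

    def deliver(self, sender, dst_mac, dst_ip):
        """A frame addressed to the gateway MAC is routed by VLANIF 4 (into the
        destination sub-VLAN, or out via 0.0.0.0/0 to 10.10.1.2); anything
        else is plain Layer 2 delivery inside the sender's sub-VLAN."""
        if dst_mac == GATEWAY_MAC:
            if dst_ip in SUBNET:
                return any(h.ip == dst_ip for h in self.hosts)
            return True
        return any(h.mac == dst_mac and h.sub_vlan == sender.sub_vlan for h in self.hosts)


def ping(switch, sender, dst_ip):
    """True if an ICMP echo from sender can be delivered to dst_ip."""
    dst_ip = ipaddress.IPv4Address(dst_ip)
    # On-link destination (same /24): ARP for the host itself; off-link: ARP for the gateway.
    arp_target = dst_ip if dst_ip in SUBNET else GATEWAY_IP
    mac = switch.arp_reply(sender, arp_target)
    return mac is not None and switch.deliver(sender, mac, dst_ip)


if __name__ == "__main__":
    pc1 = HOSTS[0]
    for proxy in (False, True):
        sw = SuperVlanSwitch(HOSTS, inter_sub_vlan_proxy=proxy)
        print(f"proxy={proxy}: PC1->PC3 {ping(sw, pc1, '10.1.1.20')}, "
              f"PC1->Internet {ping(sw, pc1, '198.51.100.7')}")
```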

Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

SwitchB configuration file


#
sysname SwitchB
#
vlan batch 2 to 4 10
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 10.1.1.1 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
interface Vlanif10
ip address 10.10.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
ip route-static 0.0.0.0 0.0.0.0 10.10.1.2
#
return

3.6.3.10 Example for Configuring MUX VLAN to Isolate Users in the Same VLAN

MUX VLAN Overview


Multiplex VLAN (MUX VLAN) provides a mechanism to control network resources
using VLANs. It can implement inter-VLAN communication and intra-VLAN
isolation. The MUX VLAN is often used in enterprises and in hotels and residential
buildings requiring broadband access. An enterprise, hotel, or residential building
shares the same VLAN, but each department, room, or household is isolated.

MUX VLAN is configured on a Layer 2 switch, whereas super-VLAN technology is configured on a Layer 3 switch. MUX VLAN is more flexible in access control, but its configuration is complex.

Configuration Notes
● The VLAN ID assigned to a principal VLAN cannot be used to configure the
super-VLAN or sub-VLAN. Additionally, it is not recommended that this VLAN
ID be used to configure VLAN mapping and VLAN stacking.
● The VLAN ID assigned to a group or separate VLAN cannot be used to configure a VLANIF interface, super-VLAN, or sub-VLAN. Additionally, it is not recommended that this VLAN ID be used to configure VLAN mapping and VLAN stacking.
● Disabling MAC address learning or limiting the number of learned MAC
addresses on an interface affects the MUX VLAN function on the interface.
● MUX VLAN and port security cannot be configured on the same interface
simultaneously.
● MUX VLAN and MAC address authentication cannot be configured on the
same interface simultaneously.
● MUX VLAN and 802.1x authentication cannot be configured on the same
interface simultaneously.
● If the MUX VLAN function is enabled on an interface, VLAN mapping and
VLAN stacking cannot be configured on the interface.
● This example applies to all versions of all switches.

Networking Requirements
All employees of an enterprise can access servers on the enterprise network. The
enterprise allows some employees to communicate but isolates other employees.
In Figure 3-88, Switch1 is deployed at the aggregation layer and used as the
gateway for downstream hosts. Switch2, Switch3, Switch4, Switch5, and Switch6
are access switches. Their GE1/0/1 interfaces connect to downstream hosts, and
their GE1/0/2 interfaces connect to Switch1. You can configure MUX VLAN on
Switch1. This reduces the number of VLAN IDs on the enterprise network and
facilitates network management.

Figure 3-88 Networking of MUX VLAN

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the principal VLAN and a VLANIF interface. The IP address of the
VLANIF interface is used as the gateway IP address for downstream hosts and
servers.
2. Configure the group VLAN.
3. Configure the separate VLAN.
4. Add interfaces to VLANs and enable the MUX VLAN function on the
interfaces.
5. Add interfaces of access switches to VLANs.

Procedure
Step 1 Enable the MUX VLAN function on Switch1.
# On Switch1, create VLAN 2, VLAN 3, and VLAN 4, and a VLANIF interface for
VLAN 2. The IP address of the VLANIF interface is used as the gateway IP address
for downstream hosts and servers.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan batch 2 3 4
[Switch1] interface vlanif 2
[Switch1-Vlanif2] ip address 192.168.100.100 24
[Switch1-Vlanif2] quit

# Configure the group VLAN and separate VLAN of the MUX VLAN on Switch1.
[Switch1] vlan 2
[Switch1-vlan2] mux-vlan
[Switch1-vlan2] subordinate group 3 //Configure VLAN 3 as the group VLAN.
[Switch1-vlan2] subordinate separate 4 //Configure VLAN 4 as the separate VLAN.
[Switch1-vlan2] quit

# Add interfaces to the VLANs on Switch1 and enable the MUX VLAN function on
interfaces.
[Switch1] interface gigabitethernet 1/0/2
[Switch1-GigabitEthernet1/0/2] port link-type trunk
[Switch1-GigabitEthernet1/0/2] port trunk allow-pass vlan 2
[Switch1-GigabitEthernet1/0/2] port mux-vlan enable vlan 2 //In V200R003C00 and earlier versions, you do not need to specify the VLAN. An interface can join only the MUX VLAN, a separate VLAN, or a group VLAN.
[Switch1-GigabitEthernet1/0/2] quit
[Switch1] interface gigabitethernet 1/0/3
[Switch1-GigabitEthernet1/0/3] port link-type trunk
[Switch1-GigabitEthernet1/0/3] port trunk allow-pass vlan 3
[Switch1-GigabitEthernet1/0/3] port mux-vlan enable vlan 3
[Switch1-GigabitEthernet1/0/3] quit
[Switch1] interface gigabitethernet 1/0/4
[Switch1-GigabitEthernet1/0/4] port link-type trunk
[Switch1-GigabitEthernet1/0/4] port trunk allow-pass vlan 3
[Switch1-GigabitEthernet1/0/4] port mux-vlan enable vlan 3
[Switch1-GigabitEthernet1/0/4] quit
[Switch1] interface gigabitethernet 1/0/5
[Switch1-GigabitEthernet1/0/5] port link-type trunk
[Switch1-GigabitEthernet1/0/5] port trunk allow-pass vlan 4
[Switch1-GigabitEthernet1/0/5] port mux-vlan enable vlan 4
[Switch1-GigabitEthernet1/0/5] quit
[Switch1] interface gigabitethernet 1/0/6
[Switch1-GigabitEthernet1/0/6] port link-type trunk
[Switch1-GigabitEthernet1/0/6] port trunk allow-pass vlan 4
[Switch1-GigabitEthernet1/0/6] port mux-vlan enable vlan 4
[Switch1-GigabitEthernet1/0/6] quit

Step 2 Configure interfaces of access switches and add them to VLANs. The
configurations of Switch3, Switch4, Switch5, and Switch6 are similar to the
configuration of Switch2, and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan batch 2
[Switch2] interface gigabitethernet 1/0/1
[Switch2-GigabitEthernet1/0/1] port link-type access //Configure the link type of the interface as access.
[Switch2-GigabitEthernet1/0/1] port default vlan 2
[Switch2-GigabitEthernet1/0/1] quit
[Switch2] interface gigabitethernet 1/0/2
[Switch2-GigabitEthernet1/0/2] port link-type trunk
[Switch2-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 //Add the interface connected to Switch1 to VLAN 2.
[Switch2-GigabitEthernet1/0/2] quit

Step 3 Verify the configuration.


The server can communicate with HostB, HostC, HostD, and HostE.
HostB can communicate with HostC.
HostD cannot communicate with HostE.
HostB and HostC cannot communicate with either HostD or HostE.

----End
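As an added example (not Huawei code), the Python below parses the MUX VLAN block of the Switch1 configuration file, applies the principal/group/separate forwarding rule to the hosts in Figure 3-88, and reproduces the four results listed in Step 3; it also checks the Configuration Note that a group or separate VLAN ID must not carry a VLANIF. The host-to-VLAN mapping is taken from the access switch configuration files.

```python
import re
from itertools import combinations

# Copied from the Switch1 configuration file in this example.
SWITCH1_CONFIG = """
vlan batch 2 to 4
#
vlan 2
 mux-vlan
 subordinate separate 4
 subordinate group 3
#
interface Vlanif2
 ip address 192.168.100.100 255.255.255.0
"""

# Hosts from Figure 3-88 and the VLAN each access switch puts them in.
HOSTS = {"Server": 2, "HostB": 3, "HostC": 3, "HostD": 4, "HostE": 4}


def parse_mux_vlan(config):
    """Return {vlan_id: role}, role being 'principal', 'group' or 'separate'."""
    roles, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"vlan (\d+)$", line):
            current = int(m.group(1))
        elif line == "mux-vlan" and current is not None:
            roles[current] = "principal"
        elif m := re.match(r"subordinate (group|separate) ([\d ]+)$", line):
            for vid in m.group(2).split():
                roles[int(vid)] = m.group(1)
    return roles


def can_communicate(roles, vlan_a, vlan_b):
    """MUX VLAN forwarding rule between two hosts, given their VLANs."""
    role_a, role_b = roles.get(vlan_a), roles.get(vlan_b)
    if role_a is None or role_b is None:
        return vlan_a == vlan_b   # outside the MUX VLAN: ordinary VLAN behaviour
    if "principal" in (role_a, role_b):
        return True               # the principal VLAN reaches every subordinate VLAN
    if role_a == role_b == "group" and vlan_a == vlan_b:
        return True               # members of one group VLAN reach each other
    return False                  # separate VLAN hosts, and different subordinate VLANs, are isolated


def reachability(roles, hosts):
    """Pairwise matrix for the hosts, e.g. {('HostB', 'HostC'): True, ...}."""
    return {(a, b): can_communicate(roles, hosts[a], hosts[b])
            for a, b in combinations(hosts, 2)}


def vlanif_violations(config, roles):
    """Configuration Notes check: a group or separate VLAN ID must not carry a VLANIF."""
    bad = []
    for m in re.finditer(r"^\s*interface Vlanif(\d+)\s*$", config, re.MULTILINE):
        vid = int(m.group(1))
        if roles.get(vid) in ("group", "separate"):
            bad.append(vid)
    return bad


if __name__ == "__main__":
    roles = parse_mux_vlan(SWITCH1_CONFIG)
    for (a, b), ok in reachability(roles, HOSTS).items():
        print(f"{a:7} <-> {b:7}: {'reachable' if ok else 'isolated'}")
    print("VLANIF violations:", vlanif_violations(SWITCH1_CONFIG, roles))
```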

Configuration Files
Switch1 configuration file

#
sysname Switch1
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface Vlanif2
ip address 192.168.100.100 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2
port mux-vlan enable vlan 2
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 3
port mux-vlan enable vlan 3
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 3
port mux-vlan enable vlan 3
#
interface GigabitEthernet1/0/5
port link-type trunk
port trunk allow-pass vlan 4
port mux-vlan enable vlan 4
#
interface GigabitEthernet1/0/6
port link-type trunk
port trunk allow-pass vlan 4
port mux-vlan enable vlan 4
#
return

Switch2 configuration file

#
sysname Switch2
#
vlan batch 2
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2
#
return

Switch3 configuration file

#
sysname Switch3
#
vlan batch 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 3
#
return

Switch4 configuration file

#
sysname Switch4
#
vlan batch 3
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 3
#
return

Switch5 configuration file

#
sysname Switch5
#
vlan batch 4
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 4
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 4
#
return

Switch6 configuration file

#
sysname Switch6
#
vlan batch 4
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 4
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 4
#
return

3.6.4 Typical QinQ Configuration

3.6.4.1 Example for Configuring Basic QinQ

QinQ Overview
802.1Q-in-802.1Q (QinQ) expands VLAN space by adding an additional 802.1Q
tag to 802.1Q tagged packets. It allows services in a private VLAN to be
transparently transmitted over a public network.
Basic QinQ, also called QinQ tunneling, is performed on interfaces. When an
interface enabled with basic QinQ receives a packet, the device adds the default
VLAN tag of its interface to the packet. If the received packet is tagged, it has
double VLAN tags. If the received packet is untagged, it has the default VLAN tag
of the interface.
When too many VLANs are required, you can configure basic QinQ. Basic QinQ, by
adding an outer tag, expands VLAN space and solves the VLAN shortage problem.

Configuration Notes
This example applies to all versions of all S series switches.

Networking Requirements
As shown in Figure 3-89, a network has two enterprises: enterprise 1 and
enterprise 2. Both enterprises have two branches. Enterprise 1 and enterprise 2
networks connect to SwitchA and SwitchB, respectively, of the ISP network. In
addition, there are non-Huawei devices on the public network and the TPID in the
outer VLAN tag is 0x9100.

The requirements are as follows:


● VLANs need to be independently assigned to enterprise 1 and enterprise 2.
● Traffic between the two branches of each enterprise is transparently
transmitted through the public network. Users accessing the same service in
different branches of each enterprise are allowed to communicate, and users
accessing different services must be isolated.
QinQ can be used to meet the preceding requirements. Configure VLAN 100 and
VLAN 200 to implement connectivity of enterprise 1 and enterprise 2 respectively
and to isolate enterprise 1 and enterprise 2; configure the TPID in the outer VLAN
tag on switch interfaces connected to non-Huawei devices so that Huawei
switches can communicate with the non-Huawei devices.

Figure 3-89 Networking of basic QinQ

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLAN 100 and VLAN 200 on SwitchA and SwitchB, configure
connected interfaces as QinQ interfaces, and add the interfaces to VLANs so
that different VLAN tags are added to packets of different services.
2. Add interfaces of SwitchA and SwitchB that are connected to the public
network to VLANs so that packets from VLAN 100 and VLAN 200 are allowed
to pass through.
3. Configure the TPID in the outer VLAN tag on interfaces of SwitchA and
SwitchB that are connected to the public network so that SwitchA and
SwitchB can communicate with non-Huawei devices.

Procedure
Step 1 Create VLANs.

# Create VLAN 100 and VLAN 200 on SwitchA.


<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200

# Create VLAN 100 and VLAN 200 on SwitchB.


<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 200

Step 2 Set the link type of interfaces to QinQ.

# Configure GE1/0/1 and GE1/0/2 of SwitchA as QinQ interfaces, and set the
default VLAN of GE1/0/1 to VLAN 100 and the default VLAN of GE1/0/2 to VLAN
200. VLAN 100 and VLAN 200 are added to outer tags. The configuration of
SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type dot1q-tunnel //Configure the link type of the interface as
QinQ.
[SwitchA-GigabitEthernet1/0/1] port default vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type dot1q-tunnel //Configure the link type of the interface as
QinQ.
[SwitchA-GigabitEthernet1/0/2] port default vlan 200
[SwitchA-GigabitEthernet1/0/2] quit

Step 3 Configure switch interfaces connected to the public network.

# Add GE1/0/3 on SwitchA to VLAN 100 and VLAN 200. The configuration of SwitchB is similar to that of SwitchA and is not mentioned here.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 200
[SwitchA-GigabitEthernet1/0/3] quit

Step 4 Configure the TPID in the outer VLAN tag.

# Set the TPID in the outer VLAN tag to 0x9100 on SwitchA.


[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] qinq protocol 9100 //Set the TPID in the outer VLAN tag to 0x9100.

# Set the TPID in the outer VLAN tag to 0x9100 on SwitchB.


[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] qinq protocol 9100 //Set the TPID in the outer VLAN tag to 0x9100.

Step 5 Verify the configuration.

On a PC in a VLAN of a branch in enterprise 1, ping a PC in the same VLAN of the
other branch in enterprise 1. The ping operation succeeds, indicating that branches
of enterprise 1 can communicate with each other.

On a PC in a VLAN of a branch in enterprise 2, ping a PC in the same VLAN of the
other branch in enterprise 2. The ping operation succeeds, indicating that branches
of enterprise 2 can communicate with each other.

On a PC in a VLAN of a branch in enterprise 1, ping a PC in the same VLAN of a
branch in enterprise 2. The ping operation fails, indicating that enterprise 1 and
enterprise 2 are isolated.

----End

Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 200
#
interface GigabitEthernet1/0/1
port link-type dot1q-tunnel
port default vlan 100
#
interface GigabitEthernet1/0/2
port link-type dot1q-tunnel
port default vlan 200
#
interface GigabitEthernet1/0/3
qinq protocol 9100
port link-type trunk
port trunk allow-pass vlan 100 200
#
return
● Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 100 200
#
interface GigabitEthernet1/0/1
port link-type dot1q-tunnel
port default vlan 100
#
interface GigabitEthernet1/0/2
port link-type dot1q-tunnel
port default vlan 200
#
interface GigabitEthernet1/0/3
qinq protocol 9100
port link-type trunk
port trunk allow-pass vlan 100 200
#
return

Related Content
Videos
Configuring QinQ

3.6.4.2 Example for Configuring VLAN ID-based Selective QinQ

QinQ Overview
802.1Q-in-802.1Q (QinQ) expands VLAN space by adding an additional 802.1Q
tag to 802.1Q tagged packets. It allows services in a private VLAN to be
transparently transmitted over a public network.


Selective QinQ, also called VLAN stacking or QinQ stacking, is an extension of
QinQ. Selective QinQ is performed based on interfaces and VLAN IDs. In addition
to functions of basic QinQ, selective QinQ takes different actions for packets
received by the same interface based on VLANs.
VLAN ID-based selective QinQ adds different outer VLAN tags to packets with
different inner VLAN IDs.

Configuration Notes
When configuring selective QinQ on the switch, pay attention to the following
points:
● Before configuring selective QinQ on a fixed switch, you must run the qinq
vlan-translation enable command to enable VLAN translation.
● You are advised to configure selective QinQ on a hybrid interface. Selective
QinQ can take effect on the interface only in the inbound direction.
● The outer VLAN must be created before selective QinQ is performed.
● When an interface configured with VLAN stacking needs to remove the outer
tag from outgoing frames, the interface must join the VLAN specified by
stack-vlan in untagged mode. If the outer VLAN does not need to be
removed, the interface must join the VLAN specified by stack-vlan in tagged
mode.
● The device configured with selective QinQ can add only one outer VLAN tag
to a frame with an inner VLAN tag on an interface.
● If only single-tagged packets from a VLAN need to be transparently
transmitted, do not specify the VLAN as the inner VLAN of selective QinQ.
● VLAN mapping (for example, port vlan-mapping vlan 20 map-vlan 20)
must be configured to map the VLAN to itself from which single-tagged
packets need to be transparently transmitted after selective QinQ is
configured on the following cards and devices:
– ES0D0G24SA00, ES0D0G24CA00, EH1D2G24SSA0, and EH1D2S24CSA0
cards
– S5700-EI, S3700-EI, and S3700-SI
● This example applies to all versions of all S series switches.

Networking Requirements
As shown in Figure 3-90, Internet access users (using PCs) and VoIP users (using
VoIP phones) connect to the ISP network through SwitchA and SwitchB and
communicate with each other through the ISP network.
In the enterprise, VLAN 100 is allocated to PCs and VLAN 300 is allocated to VoIP
phones.
It is required that packets of PCs and VoIP phones are tagged VLAN 2 and VLAN 3
respectively when the packets are transmitted through the ISP network.


Figure 3-90 Networking of VLAN ID-based selective QinQ

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs on SwitchA and SwitchB.
2. Configure link types of interfaces and add interfaces to VLANs on SwitchA
and SwitchB.
3. Configure selective QinQ on interfaces of SwitchA and SwitchB.

Procedure
Step 1 Create VLANs.
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN
tag to be added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3

# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag
to be added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3

Step 2 Configure selective QinQ on interfaces.


NOTE

When a fixed switch is used, you must run the qinq vlan-translation enable command in the
interface view to enable VLAN translation.

# Configure GE1/0/1 on SwitchA.


[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3 //Add the hybrid interface to VLANs in untagged mode.
[SwitchA-GigabitEthernet1/0/1] port vlan-stacking vlan 100 stack-vlan 2 //Configure the inner VLAN tag as VLAN 100 and add VLAN 2 in the outer VLAN tag.
[SwitchA-GigabitEthernet1/0/1] port vlan-stacking vlan 300 stack-vlan 3 //Configure the inner VLAN tag as VLAN 300 and add VLAN 3 in the outer VLAN tag.
[SwitchA-GigabitEthernet1/0/1] quit

# Configure GE1/0/1 on SwitchB.


[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type hybrid
[SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3 //Add the hybrid interface to VLANs in untagged mode.
[SwitchB-GigabitEthernet1/0/1] port vlan-stacking vlan 100 stack-vlan 2 //Configure the inner VLAN tag as VLAN 100 and add VLAN 2 in the outer VLAN tag.
[SwitchB-GigabitEthernet1/0/1] port vlan-stacking vlan 300 stack-vlan 3 //Configure the inner VLAN tag as VLAN 300 and add VLAN 3 in the outer VLAN tag.
[SwitchB-GigabitEthernet1/0/1] quit

Step 3 Configure other interfaces.

# Add GE1/0/2 on SwitchA to VLAN 2 and VLAN 3.


[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3
[SwitchA-GigabitEthernet1/0/2] quit

# Add GE1/0/2 on SwitchB to VLAN 2 and VLAN 3.


[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3
[SwitchB-GigabitEthernet1/0/2] quit

Step 4 Verify the configuration.

If the configurations on SwitchA and SwitchB are correct, you can obtain the
following information:

● PCs can communicate with each other through the ISP network.
● VoIP phones can communicate with each other through the ISP network.

----End

Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 2 to 3
port vlan-stacking vlan 100 stack-vlan 2
port vlan-stacking vlan 300 stack-vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

● Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 2 to 3
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 2 to 3
port vlan-stacking vlan 100 stack-vlan 2
port vlan-stacking vlan 300 stack-vlan 3
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

Related Content
Videos

Configuring QinQ

3.6.4.3 Example for Configuring Flow-based Selective QinQ

QinQ Overview
802.1Q-in-802.1Q (QinQ) expands VLAN space by adding an additional 802.1Q
tag to 802.1Q tagged packets. It allows services in a private VLAN to be
transparently transmitted over a public network.

Selective QinQ, also called VLAN stacking or QinQ stacking, is an extension of
QinQ. Selective QinQ is performed based on interfaces and VLAN IDs. In addition
to functions of basic QinQ, selective QinQ takes different actions for packets
received by the same interface based on VLANs.

Flow-based selective QinQ adds outer VLAN tags based on traffic policies. It can
provide differentiated services based on service types.

Configuration Notes
When configuring selective QinQ on the switch, pay attention to the following
points:

● You are advised to configure selective QinQ on a hybrid interface. Selective
QinQ can take effect on the interface only in the inbound direction.
● The outer VLAN must be created before selective QinQ is performed.
● When an interface configured with VLAN stacking needs to remove the outer
tag from outgoing frames, the interface must join the VLAN specified by
stack-vlan in untagged mode. If the outer VLAN does not need to be
removed, the interface must join the VLAN specified by stack-vlan in tagged
mode.
● The device configured with selective QinQ can add only one outer VLAN tag
to a frame with an inner VLAN tag on an interface.
● If only single-tagged packets from a VLAN need to be transparently
transmitted, do not specify the VLAN as the inner VLAN of selective QinQ.


● This example applies to all versions of the modular switches.

Networking Requirements
As shown in Figure 3-91, Internet access users (using PCs) and VoIP users (using
VoIP phones) connect to the ISP network through SwitchA and SwitchB and
communicate with each other through the ISP network.

It is required that packets of PCs and VoIP phones are tagged VLAN 2 and VLAN 3
respectively when the packets are transmitted through the ISP network. Flow-
based selective QinQ can be configured to meet the requirement.

Figure 3-91 Networking of flow-based selective QinQ

Configuration Roadmap
The configuration roadmap is as follows:

1. Create VLANs on SwitchA and SwitchB.
2. Configure traffic classifiers, traffic behaviors, and traffic policies on SwitchA
and SwitchB.
3. Configure link types of interfaces on SwitchA and SwitchB and add the
interfaces to VLANs.
4. Apply the traffic policies to interfaces on SwitchA and SwitchB to implement
selective QinQ.

Procedure
Step 1 Create VLANs.

# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN
tag to be added.


<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 2 3

# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag
to be added.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 2 3

Step 2 Configure traffic classifiers, traffic behaviors, and traffic policies on SwitchA and
SwitchB.
# Configure the traffic classifiers, traffic behaviors, and traffic policy on SwitchA.
[SwitchA] traffic classifier name1 //Configure a traffic classifier named name1.
[SwitchA-classifier-name1] if-match vlan-id 100 to 200 //Configure a matching rule to match packets from VLANs 100 to 200.
[SwitchA-classifier-name1] quit
[SwitchA] traffic behavior name1 //Configure a traffic behavior named name1.
[SwitchA-behavior-name1] nest top-most vlan-id 2 //Configure an action of adding VLAN 2 in an outer VLAN tag in a traffic behavior. In V200R009 and later versions, the command is changed to add-tag vlan-id.
[SwitchA-behavior-name1] quit
[SwitchA] traffic classifier name2 //Configure a traffic classifier named name2.
[SwitchA-classifier-name2] if-match vlan-id 300 to 400 //Configure a matching rule to match packets from VLANs 300 to 400.
[SwitchA-classifier-name2] quit
[SwitchA] traffic behavior name2 //Configure a traffic behavior named name2.
[SwitchA-behavior-name2] nest top-most vlan-id 3 //Configure an action of adding VLAN 3 in an outer VLAN tag in a traffic behavior. In V200R009 and later versions, the command is changed to add-tag vlan-id.
[SwitchA-behavior-name2] quit
[SwitchA] traffic policy name1 //Configure a traffic policy named name1.
[SwitchA-trafficpolicy-name1] classifier name1 behavior name1
[SwitchA-trafficpolicy-name1] classifier name2 behavior name2
[SwitchA-trafficpolicy-name1] quit

# Configure the traffic classifiers, traffic behaviors, and traffic policy on SwitchB.
[SwitchB] traffic classifier name1 //Configure a traffic classifier named name1.
[SwitchB-classifier-name1] if-match vlan-id 100 to 200 //Configure a matching rule to match packets from VLANs 100 to 200.
[SwitchB-classifier-name1] quit
[SwitchB] traffic behavior name1 //Configure a traffic behavior named name1.
[SwitchB-behavior-name1] nest top-most vlan-id 2 //Configure an action of adding VLAN 2 in an outer VLAN tag in a traffic behavior. In V200R009 and later versions, the command is changed to add-tag vlan-id.
[SwitchB-behavior-name1] quit
[SwitchB] traffic classifier name2 //Configure a traffic classifier named name2.
[SwitchB-classifier-name2] if-match vlan-id 300 to 400 //Configure a matching rule to match packets from VLANs 300 to 400.
[SwitchB-classifier-name2] quit
[SwitchB] traffic behavior name2 //Configure a traffic behavior named name2.
[SwitchB-behavior-name2] nest top-most vlan-id 3 //Configure an action of adding VLAN 3 in an outer VLAN tag in a traffic behavior. In V200R009 and later versions, the command is changed to add-tag vlan-id.
[SwitchB-behavior-name2] quit
[SwitchB] traffic policy name1 //Configure a traffic policy named name1.
[SwitchB-trafficpolicy-name1] classifier name1 behavior name1
[SwitchB-trafficpolicy-name1] classifier name2 behavior name2
[SwitchB-trafficpolicy-name1] quit

Step 3 Apply the traffic policies to interfaces on SwitchA and SwitchB to implement
selective QinQ.
# Configure GE1/0/1 on SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3
[SwitchA-GigabitEthernet1/0/1] traffic-policy name1 inbound //Apply the traffic policy name1 to the interface in the inbound direction.
[SwitchA-GigabitEthernet1/0/1] quit

# Configure GE1/0/1 on SwitchB.


[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type hybrid
[SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 2 3
[SwitchB-GigabitEthernet1/0/1] traffic-policy name1 inbound //Apply the traffic policy name1 to the interface in the inbound direction.
[SwitchB-GigabitEthernet1/0/1] quit

Step 4 Configure other interfaces.


# Add GE1/0/2 on SwitchA to VLAN 2 and VLAN 3.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3
[SwitchA-GigabitEthernet1/0/2] quit

# Add GE1/0/2 on SwitchB to VLAN 2 and VLAN 3.


[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 3
[SwitchB-GigabitEthernet1/0/2] quit

Step 5 Verify the configuration.


If the configurations on SwitchA and SwitchB are correct, you can obtain the
following information:
● PCs can communicate with each other through the ISP network.
● VoIP phones can communicate with each other through the ISP network.

----End

Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
traffic classifier name1 operator or precedence 5
if-match vlan-id 100 to 200
traffic classifier name2 operator or precedence 10
if-match vlan-id 300 to 400
#
traffic behavior name1
permit
nest top-most vlan-id 2
traffic behavior name2
permit
nest top-most vlan-id 3
#
traffic policy name1 match-order config
classifier name1 behavior name1
classifier name2 behavior name2
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 2 to 3
traffic-policy name1 inbound
#


interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return

● Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 2 to 3
#
traffic classifier name1 operator or precedence 5
if-match vlan-id 100 to 200
traffic classifier name2 operator or precedence 10
if-match vlan-id 300 to 400
#
traffic behavior name1
permit
nest top-most vlan-id 2
traffic behavior name2
permit
nest top-most vlan-id 3
#
traffic policy name1 match-order config
classifier name1 behavior name1
classifier name2 behavior name2
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid untagged vlan 2 to 3
traffic-policy name1 inbound
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
return
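
The three QinQ examples above (basic QinQ with a 0x9100 outer TPID, VLAN ID-based selective QinQ, and flow-based selective QinQ) all come down to one frame operation: an outer 802.1Q tag is inserted right after the source MAC, chosen either from the interface's default VLAN or from the inner VLAN ID. The following Python model is added here as an illustration and is not code from Huawei or from this guide. It builds double-tagged frames, applies the three tagging rules from the examples, and shows the interoperability point behind Step 4 of the first example: a receiver that still expects TPID 0x8100 treats a 0x9100 outer tag as an unknown EtherType and parses the frame as untagged. The MAC addresses, payloads and rule tables are constructed from the VLAN numbers in the examples, and the function names are my own.

```python
import struct

TPID_8021Q = 0x8100   # standard 802.1Q TPID, the switches' default outer TPID
TPID_9100 = 0x9100    # TPID set by "qinq protocol 9100" in the first example
ETH_IPV4 = 0x0800

# Constructed sample MAC addresses for the frames below (not taken from the guide).
DST_MAC = bytes.fromhex("001122334455")
SRC_MAC = bytes.fromhex("66778899aabb")


def build_tag(tpid, vid, pcp=0):
    """Encode one 4-byte VLAN tag: 16-bit TPID, then the TCI (3-bit PCP, DEI=0, 12-bit VID)."""
    if not 0 <= vid <= 4094:
        raise ValueError(f"VLAN ID {vid} out of range")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def build_frame(tags, ethertype=ETH_IPV4, payload=b"\x00" * 46):
    """Build an Ethernet frame; tags is a list of (tpid, vid) pairs, outermost first."""
    stack = b"".join(build_tag(t, v) for t, v in tags)
    return DST_MAC + SRC_MAC + stack + struct.pack("!H", ethertype) + payload


def parse_tags(frame, tpids=(TPID_8021Q, TPID_9100)):
    """Walk the tag stack that follows the MAC addresses.

    Returns (tags, ethertype) with tags as (tpid, vid) pairs, outermost first. Only the
    EtherType values in `tpids` count as VLAN tags; anything else ends the stack, which is
    what a switch still expecting 0x8100 does when it receives a 0x9100 outer tag.
    """
    offset, tags = 12, []
    while True:
        (et,) = struct.unpack_from("!H", frame, offset)
        if et not in tpids:
            return tags, et
        (tci,) = struct.unpack_from("!H", frame, offset + 2)
        tags.append((et, tci & 0x0FFF))
        offset += 4


def push_outer_tag(frame, vid, tpid=TPID_8021Q):
    """Insert an outer VLAN tag directly after the source MAC (the QinQ encapsulation step)."""
    return frame[:12] + build_tag(tpid, vid) + frame[12:]


def qinq_tunnel(frame, default_vlan, outer_tpid=TPID_8021Q):
    """Basic QinQ (port link-type dot1q-tunnel + port default vlan): every ingress frame
    gets the interface's default VLAN as its outer tag, whatever its inner tag is."""
    return push_outer_tag(frame, default_vlan, outer_tpid)


def selective_qinq(frame, rules, outer_tpid=TPID_8021Q):
    """Selective QinQ: choose the outer VLAN from the inner VLAN ID.

    rules is a list of ((low, high), outer_vid). A VLAN ID-based rule such as
    "port vlan-stacking vlan 100 stack-vlan 2" is ((100, 100), 2); a flow-based classifier
    "if-match vlan-id 100 to 200" with "nest top-most vlan-id 2" is ((100, 200), 2).
    Frames whose inner VLAN matches no rule pass unchanged (transparent transmission).
    """
    tags, _ = parse_tags(frame, tpids=(TPID_8021Q,))
    if not tags:
        return frame  # untagged ingress is outside the selective QinQ rules
    inner_vid = tags[0][1]
    for (low, high), outer_vid in rules:
        if low <= inner_vid <= high:
            return push_outer_tag(frame, outer_vid, outer_tpid)
    return frame


# The rule sets from the two selective QinQ examples above.
VLAN_ID_BASED = [((100, 100), 2), ((300, 300), 3)]   # 3.6.4.2: port vlan-stacking
FLOW_BASED = [((100, 200), 2), ((300, 400), 3)]      # 3.6.4.3: traffic classifiers


def outer_and_inner(frame, tpids=(TPID_8021Q, TPID_9100)):
    """Convenience view of a frame as (outer_vid, inner_vid); None where a tag is absent."""
    vids = [vid for _, vid in parse_tags(frame, tpids)[0]]
    return (vids[0] if vids else None, vids[1] if len(vids) > 1 else None)


if __name__ == "__main__":
    branch = build_frame([(TPID_8021Q, 10)])        # enterprise frame, inner VLAN 10 (constructed)
    on_isp = qinq_tunnel(branch, 100, TPID_9100)    # SwitchA GE1/0/1: default vlan 100, TPID 0x9100
    print(parse_tags(on_isp))                       # ([(37120, 100), (33024, 10)], 2048): 0x9100/100 over 0x8100/10
    print(parse_tags(on_isp, tpids=(TPID_8021Q,)))  # ([], 37120): a peer left at 0x8100 sees an untagged frame
    print(outer_and_inner(selective_qinq(build_frame([(TPID_8021Q, 300)]), VLAN_ID_BASED)))  # (3, 300)
    print(outer_and_inner(selective_qinq(build_frame([(TPID_8021Q, 150)]), FLOW_BASED)))     # (2, 150)
```

The second print is the check worth keeping in mind when changing the TPID: both ends of the public-network link must run the same qinq protocol value, otherwise the peer classifies the whole outer tag as payload and the frame lands in the wrong VLAN. The last two prints show the difference between the two selective variants: the VLAN ID-based rule only matches the exact inner VLAN IDs 100 and 300, while the flow-based classifier matches the whole ranges 100 to 200 and 300 to 400.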

3.6.5 Typical Examples of MSTP/RRPP/SEP/VBST

3.6.5.1 Example for Configuring STP

Overview
Generally, redundant links are used on an Ethernet switching network to provide
link backup and enhance network reliability. The use of redundant links, however,
may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, the communication quality deteriorates, and
communication services may be interrupted. The Spanning Tree Protocol (STP) is
used to solve these problems. STP prevents loops. Devices running STP discover
loops on the network by exchanging information with each other, and block some
ports to eliminate loops.

STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP)
defined in IEEE 802.1w, and the Multiple Spanning Tree Protocol (MSTP) defined
in IEEE 802.1s.

MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table
3-34 compares STP, RSTP, and MSTP.


Table 3-34 Comparisons among STP, RSTP, and MSTP

STP
Characteristics:
● Forms a loop-free tree to prevent broadcast storms and implement redundancy.
● Provides slow convergence.
Application scenario: User or service traffic does not need to be differentiated, and all VLANs share a spanning tree.

RSTP
Characteristics:
● Forms a loop-free tree to prevent broadcast storms and implement redundancy.
● Provides fast convergence.
Application scenario: Same as STP (user or service traffic does not need to be differentiated, and all VLANs share a spanning tree).

MSTP
Characteristics:
● Forms multiple loop-free trees to prevent broadcast storms and implement redundancy.
● Provides fast convergence.
● Implements load balancing among VLANs and forwards traffic in different VLANs along different paths.
Application scenario: User or service traffic needs to be differentiated and load balanced. Traffic from different VLANs is forwarded through different spanning trees that are independent of each other.

Configuration Notes
● This example applies to all versions of all S series switches.
● The ports connected to terminals do not participate in STP calculation.
Therefore, configure the ports as edge ports or disable STP on the ports.

Networking Requirements
To implement redundancy on a complex network, network designers tend to
deploy multiple physical links between two devices, one of which is the primary
link and the others are backup links. Loops may occur, causing broadcast storms
or rendering the MAC address table unstable.
After a network designer deploys a network, STP can be deployed on the network
to prevent loops. When loops exist on a network, STP blocks a port to eliminate
the loops. In Figure 3-92, SwitchA, SwitchB, SwitchC, and SwitchD running STP
exchange STP BPDUs to discover loops on the network and block ports to prune
the network into a loop-free tree network. STP prevents infinite looping of packets
to ensure packet processing capabilities of switches.


Figure 3-92 STP networking

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the switching devices on the ring network to work in STP mode.
2. Configure the root bridge and secondary root bridge.
3. Configure the path cost of a port so that the port can be blocked.
4. Enable STP to eliminate loops.

Procedure
Step 1 Configure basic STP functions.
1. Configure the switching devices on the ring network to work in STP mode.
# Configure SwitchA to work in STP mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp mode stp

# Configure SwitchB to work in STP mode.


<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] stp mode stp

# Configure SwitchC to work in STP mode.


<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] stp mode stp


# Configure SwitchD to work in STP mode.


<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] stp mode stp

2. Configure the root bridge and secondary root bridge.


# Configure SwitchA as the root bridge.
[SwitchA] stp root primary

# Configure SwitchD as the secondary root bridge.


[SwitchD] stp root secondary

3. Configure the path cost of a port so that the port can be blocked.
NOTE

– The path cost range depends on the algorithm. Huawei's proprietary algorithm is
used as an example. Set the path costs of the ports to be blocked to 20000.
– Switching devices on the same network must use the same algorithm to calculate
the path cost of ports.
# Configure SwitchA to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchA] stp pathcost-standard legacy

# Configure SwitchB to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchB] stp pathcost-standard legacy

# Configure SwitchC to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchC] stp pathcost-standard legacy

# Set the path cost of GigabitEthernet1/0/1 on SwitchC to 20000.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] stp cost 20000
[SwitchC-GigabitEthernet1/0/1] quit

# Configure SwitchD to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchD] stp pathcost-standard legacy

4. Enable STP to eliminate loops.


– Configure the ports connected to PCs as edge ports.
# Configure GigabitEthernet1/0/2 of SwitchB as an edge port.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] stp edged-port enable
[SwitchB-GigabitEthernet1/0/2] quit

(Optional) Configure BPDU protection on SwitchB.


[SwitchB] stp bpdu-protection

# Configure GigabitEthernet1/0/2 of SwitchC as an edge port.


[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp edged-port enable
[SwitchC-GigabitEthernet1/0/2] quit

(Optional) Configure BPDU protection on SwitchC.


[SwitchC] stp bpdu-protection


NOTE
If edge ports are connected to network devices that have STP enabled and BPDU
protection is enabled, the edge ports will be shut down and their attributes
remain unchanged after they receive BPDUs.
– Enable STP globally on devices.
# Enable STP globally on SwitchA.
[SwitchA] stp enable

# Enable STP globally on SwitchB.


[SwitchB] stp enable

# Enable STP globally on SwitchC.


[SwitchC] stp enable

# Enable STP globally on SwitchD.


[SwitchD] stp enable

Step 2 Verify the configuration.


After the configuration is complete and the network topology becomes stable,
perform the following operations to verify the configuration.
# Run the display stp brief command on SwitchA to view the port status and
protection type. The displayed information is as follows:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE
0 GigabitEthernet1/0/2 DESI FORWARDING NONE

After SwitchA is configured as the root bridge, GigabitEthernet1/0/2 and
GigabitEthernet1/0/1 connected to SwitchB and SwitchD are selected as designated
ports.
# Run the display stp interface gigabitethernet 1/0/1 brief command on
SwitchB to check the status of GigabitEthernet1/0/1. The following information is
displayed:
[SwitchB] display stp interface gigabitethernet 1/0/1 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE

GigabitEthernet1/0/1 becomes the designated port and is in FORWARDING state.


# Run the display stp brief command on SwitchC to check the port status.
[SwitchC] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 ALTE DISCARDING NONE
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE

GigabitEthernet1/0/3 becomes the root port and is in FORWARDING state.


GigabitEthernet1/0/1 becomes the alternate port and is in DISCARDING state.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA


#
stp mode stp
stp instance 0 root primary
stp pathcost-standard legacy
#
return
● SwitchB configuration file
#
sysname SwitchB
#
stp mode stp
stp bpdu-protection
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/2
stp edged-port enable
#
return
● SwitchC configuration file
#
sysname SwitchC
#
stp mode stp
stp bpdu-protection
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/1
stp instance 0 cost 20000
#
interface GigabitEthernet1/0/2
stp edged-port enable
#
return
● SwitchD configuration file
#
sysname SwitchD
#
stp mode stp
stp instance 0 root secondary
stp pathcost-standard legacy
#
return

Related Content
Videos
Configuring STP to Prevent Loops
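
The verification step above shows which ports STP selects once the root bridge, the secondary root bridge and the 20000 path cost on SwitchC are configured. The following Python simulator is added here as an illustration and is not code from Huawei or from this guide. It reproduces that election: the root is the bridge with the lowest bridge ID, every other bridge's root path cost is the neighbour's cost plus the cost of the port on which the BPDU arrives, and each link then gets one designated end while the other end is either the bridge's root port or an alternate port that stays discarding. Edge ports are kept out of the calculation, as the Configuration Notes require. The ring topology is reconstructed from the display stp brief output in the example; the ports the text does not show (SwitchB GE1/0/3, SwitchD GE1/0/3), the MAC addresses and the default GE port cost of 20 are assumptions, while the priorities 0 and 4096 are what stp root primary and stp root secondary configure. The same model covers the RSTP example that follows, whose role election is identical.

```python
import heapq

# Assumed default legacy path cost of a GE port (Huawei's proprietary table uses 20 for
# 1000 Mbit/s); the result only depends on 20000 being far larger than this default.
DEFAULT_GE_COST = 20


def run_stp(bridges, links, port_costs=None, edge_ports=()):
    """Compute converged STP port roles.

    bridges:    {name: (priority, mac)}; the bridge ID orders by priority, then MAC.
    links:      [(name1, port1, name2, port2)] point-to-point links between bridges.
    port_costs: {(name, port): cost}; ports not listed use DEFAULT_GE_COST.
    edge_ports: iterable of (name, port) that are edge ports (no BPDU exchange).
    Returns {(name, port): (role, state)} with roles ROOT, DESI, ALTE.
    """
    port_costs = port_costs or {}
    bid = {n: tuple(v) for n, v in bridges.items()}
    cost = lambda n, p: port_costs.get((n, p), DEFAULT_GE_COST)

    # Neighbour table: (bridge, port) -> (peer bridge, peer port).
    peer = {}
    for a, pa, b, pb in links:
        peer[(a, pa)] = (b, pb)
        peer[(b, pb)] = (a, pa)

    # 1. Root bridge election: the lowest bridge ID wins.
    root = min(bridges, key=lambda n: bid[n])

    # 2. Root path cost (RPC): Dijkstra from the root. A bridge's RPC is the sender's RPC
    #    plus the cost of its own receiving port. Ties break on the sender's bridge ID and
    #    then on port names, a simplified form of the 802.1D priority vector.
    rpc, root_port, best = {root: 0}, {}, {root: (0, bid[root], "", "")}
    heap = [(0, bid[root], root)]
    while heap:
        d, _, n = heapq.heappop(heap)
        if d > rpc.get(n, float("inf")):
            continue  # stale heap entry
        for (bn, bp), (m, mp) in peer.items():
            if bn != n:
                continue
            cand = (d + cost(m, mp), bid[n], bp, mp)
            if m not in best or cand < best[m]:
                best[m], rpc[m], root_port[m] = cand, cand[0], mp
                heapq.heappush(heap, (cand[0], bid[m], m))

    # 3. Port roles: per link, the end with the better (RPC, bridge ID, port) vector is the
    #    designated port. The other end is the root port if it is that bridge's root port,
    #    otherwise an alternate port, which STP keeps discarding to break the loop.
    roles = {}
    for a, pa, b, pb in links:
        va, vb = (rpc[a], bid[a], pa), (rpc[b], bid[b], pb)
        (dn, dp), (on, op) = ((a, pa), (b, pb)) if va < vb else ((b, pb), (a, pa))
        roles[(dn, dp)] = ("DESI", "FORWARDING")
        if root_port.get(on) == op:
            roles[(on, op)] = ("ROOT", "FORWARDING")
        else:
            roles[(on, op)] = ("ALTE", "DISCARDING")
    for ep in edge_ports:
        roles[ep] = ("DESI", "FORWARDING")  # edge ports forward immediately, no election
    return roles


def bpdu_on_edge_port(bpdu_protection_enabled):
    """Outcome when an edge port receives a BPDU. With "stp bpdu-protection" the port is shut
    down and keeps its edge attribute (the NOTE above); without it the port loses edge status
    and is drawn back into the STP calculation."""
    if bpdu_protection_enabled:
        return "port shut down, edge attribute kept"
    return "edge attribute lost, port rejoins STP calculation"


# Assumed ring SwitchA-SwitchB-SwitchC-SwitchD-SwitchA reconstructed from the verification
# output. SwitchB GE1/0/3, SwitchD GE1/0/3 and all MAC addresses are constructed.
EXAMPLE_BRIDGES = {
    "SwitchA": (0, "0000-0000-000a"),      # stp root primary sets priority 0
    "SwitchB": (32768, "0000-0000-000b"),
    "SwitchC": (32768, "0000-0000-000c"),
    "SwitchD": (4096, "0000-0000-000d"),   # stp root secondary sets priority 4096
}
EXAMPLE_LINKS = [
    ("SwitchA", "GigabitEthernet1/0/1", "SwitchD", "GigabitEthernet1/0/1"),
    ("SwitchA", "GigabitEthernet1/0/2", "SwitchB", "GigabitEthernet1/0/3"),
    ("SwitchB", "GigabitEthernet1/0/1", "SwitchC", "GigabitEthernet1/0/1"),
    ("SwitchC", "GigabitEthernet1/0/3", "SwitchD", "GigabitEthernet1/0/3"),
]
EXAMPLE_COSTS = {("SwitchC", "GigabitEthernet1/0/1"): 20000}   # stp cost 20000
EXAMPLE_EDGE = [("SwitchB", "GigabitEthernet1/0/2"), ("SwitchC", "GigabitEthernet1/0/2")]


def example_roles(port_costs=EXAMPLE_COSTS):
    """Port roles for the example network; pass other port_costs to move the blocked port."""
    return run_stp(EXAMPLE_BRIDGES, EXAMPLE_LINKS, port_costs, EXAMPLE_EDGE)


if __name__ == "__main__":
    for (sw, port), (role, state) in sorted(example_roles().items()):
        print(f"{sw:8} {port:22} {role:5} {state}")
```

The printed roles match the three display stp outputs in Step 2: both SwitchA ports designated, SwitchB GE1/0/1 designated, and on SwitchC GE1/0/3 as root port with GE1/0/1 as the discarding alternate port. Calling example_roles with the 20000 cost moved to SwitchC GE1/0/3 instead flips those two SwitchC ports, which is the practical content of Step 1.3: the configured path cost, not the cabling, decides which redundant link is blocked.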

3.6.5.2 Example for Configuring RSTP

Overview
Generally, redundant links are used on an Ethernet switching network to provide
link backup and enhance network reliability. The use of redundant links, however,
may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, the communication quality deteriorates, and
communication services may be interrupted. The Spanning Tree Protocol (STP) is
used to solve these problems. STP prevents loops. Devices running STP discover
loops on the network by exchanging information with each other, and block some
ports to eliminate loops.


STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP)
defined in IEEE 802.1w, and the Multiple Spanning Tree Protocol (MSTP) defined
in IEEE 802.1s.
MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table
3-35 compares STP, RSTP, and MSTP.

Table 3-35 Comparisons among STP, RSTP, and MSTP

STP
Characteristics:
● Forms a loop-free tree to prevent broadcast storms and implement redundancy.
● Provides slow convergence.
Application scenario: User or service traffic does not need to be differentiated, and all VLANs share a spanning tree.

RSTP
Characteristics:
● Forms a loop-free tree to prevent broadcast storms and implement redundancy.
● Provides fast convergence.
Application scenario: Same as STP (user or service traffic does not need to be differentiated, and all VLANs share a spanning tree).

MSTP
Characteristics:
● Forms multiple loop-free trees to prevent broadcast storms and implement redundancy.
● Provides fast convergence.
● Implements load balancing among VLANs and forwards traffic in different VLANs along different paths.
Application scenario: User or service traffic needs to be differentiated and load balanced. Traffic from different VLANs is forwarded through different spanning trees that are independent of each other.

Configuration Notes
● This example applies to all versions of all S series switches.
● The ports connected to terminals do not participate in RSTP calculation.
Therefore, configure the ports as edge ports or disable STP on the ports.

Networking Requirements
To implement redundancy on a complex network, network designers tend to
deploy multiple physical links between two devices, one of which is the primary
link and the others are backup links. Loops may occur, causing broadcast storms
or rendering the MAC address table unstable.
After a network designer deploys a network, RSTP can be deployed on the
network to prevent loops. When loops exist on a network, RSTP blocks a port to
eliminate the loops. In Figure 3-93, SwitchA, SwitchB, SwitchC, and SwitchD
running RSTP exchange RSTP BPDUs to discover loops on the network and block
ports to prune the network into a loop-free tree network. RSTP prevents infinite
looping of packets to ensure packet processing capabilities of switches.


Figure 3-93 RSTP networking

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic RSTP functions on switching devices of the ring network.
a. Configure the switching devices on the ring network to work in RSTP
mode.
b. Configure the root bridge and secondary root bridge.
c. Configure the path cost of a port so that the port can be blocked.
d. Enable RSTP to eliminate loops.
2. Enable protection functions to protect devices or links. For example, enable
root protection on the designated port of the root bridge.

Procedure
Step 1 Configure basic RSTP functions.
1. Configure the switching devices on the ring network to work in RSTP mode.
# Configure SwitchA to work in RSTP mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp mode rstp

# Configure SwitchB to work in RSTP mode.


<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] stp mode rstp
# Configure SwitchC to work in RSTP mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] stp mode rstp
# Configure SwitchD to work in RSTP mode.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] stp mode rstp
2. Configure the root bridge and secondary root bridge.
# Configure SwitchA as the root bridge.
[SwitchA] stp root primary
# Configure SwitchD as the secondary root bridge.
[SwitchD] stp root secondary
3. Configure the path cost of a port so that the port can be blocked.
NOTE

– The path cost range depends on the algorithm. Huawei's proprietary algorithm is
used as an example. Set the path costs of the ports to be blocked to 20000.
– Switching devices on the same network must use the same algorithm to calculate
the path cost of ports.
# Configure SwitchA to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchA] stp pathcost-standard legacy
# Configure SwitchB to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchB] stp pathcost-standard legacy
# Configure SwitchC to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchC] stp pathcost-standard legacy
# Set the path cost of GigabitEthernet1/0/1 on SwitchC to 20000.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] stp cost 20000
[SwitchC-GigabitEthernet1/0/1] quit
# Configure SwitchD to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchD] stp pathcost-standard legacy
4. Enable RSTP to eliminate loops.
– Configure the ports connected to PCs as edge ports.
# Configure GigabitEthernet1/0/2 on SwitchB as an edge port.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] stp edged-port enable
[SwitchB-GigabitEthernet1/0/2] quit
(Optional) Configure BPDU protection on SwitchB.
[SwitchB] stp bpdu-protection
# Configure GigabitEthernet1/0/2 on SwitchC as an edge port.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp edged-port enable
[SwitchC-GigabitEthernet1/0/2] quit

(Optional) Configure BPDU protection on SwitchC.
[SwitchC] stp bpdu-protection
NOTE
If edge ports are connected to network devices that have STP enabled and BPDU
protection is enabled, the edge ports will be shut down and their attributes
remain unchanged after they receive BPDUs.
– Enable RSTP globally on devices.
# Enable RSTP on SwitchA.
[SwitchA] stp enable
# Enable RSTP globally on SwitchB.
[SwitchB] stp enable
# Enable RSTP globally on SwitchC.
[SwitchC] stp enable
# Enable RSTP globally on SwitchD.
[SwitchD] stp enable

Step 2 Enable protection functions. The following uses root protection on the designated
port of the root bridge as an example.
# Configure root protection on GigabitEthernet1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp root-protection
[SwitchA-GigabitEthernet1/0/1] quit
# Configure root protection on GigabitEthernet1/0/2 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] stp root-protection
[SwitchA-GigabitEthernet1/0/2] quit

Step 3 Verify the configuration.
After the configuration is complete and the network topology becomes stable,
perform the following operations to verify the configuration.
# Run the display stp brief command on SwitchA to view the status and
protection type on the ports. The displayed information is as follows:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 GigabitEthernet1/0/2 DESI FORWARDING ROOT
After SwitchA is configured as the root bridge, GigabitEthernet1/0/2 and
GigabitEthernet1/0/1, which connect to SwitchB and SwitchD, become designated ports
and are configured with root protection.
# Run the display stp interface gigabitethernet 1/0/1 brief command on
SwitchB to check the status of GigabitEthernet1/0/1. The following information is
displayed:
[SwitchB] display stp interface gigabitethernet 1/0/1 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE
GigabitEthernet1/0/1 becomes the designated port and is in FORWARDING state.
# Run the display stp brief command on SwitchC to check the port status.
[SwitchC] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 ALTE DISCARDING NONE
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE
GE1/0/1 becomes the alternate port and is in DISCARDING state.
GE1/0/3 becomes the root port and is in FORWARDING state.

----End
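As an added example (not part of the Huawei guide), the Python script below parses the display stp brief output shown in Step 3 and checks the state the RSTP example expects: role and state agree on every port, every non-root switch has exactly one root port, every designated port of the root bridge carries root protection, and at least one alternate port exists, i.e. a redundant link is actually blocked. The SwitchA and SwitchC outputs are transcribed from the page; the tampered outputs and the audit() function are constructed for this example.

```python
import re
from typing import Dict, List, NamedTuple


class StpPort(NamedTuple):
    msti: int
    port: str
    role: str
    state: str
    protection: str


# One data row of `display stp brief`: MSTID  Port  Role  STP State  Protection.
_ROW = re.compile(
    r"^\s*(\d+)\s+(\S+)\s+(ROOT|DESI|ALTE|BACK|MAST|DISA)\s+"
    r"(FORWARDING|DISCARDING|LEARNING)\s+(\S+)\s*$"
)


def parse_stp_brief(text: str) -> List[StpPort]:
    """Return the port rows of a `display stp brief` output (prompt and header skipped)."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(StpPort(int(m.group(1)), m.group(2), m.group(3), m.group(4), m.group(5)))
    return rows


def audit(outputs: Dict[str, str], root_bridge: str) -> List[str]:
    """Check full `display stp brief` outputs (switch name -> text) against the
    state the RSTP example expects; root_bridge is the switch configured with
    `stp root primary`. Returns findings; an empty list means all checks passed."""
    findings: List[str] = []
    parsed = {sw: parse_stp_brief(text) for sw, text in outputs.items()}
    mstis = sorted({p.msti for rows in parsed.values() for p in rows})
    for msti in mstis:
        alternates = 0
        for sw, rows in parsed.items():
            inst = [p for p in rows if p.msti == msti]
            if not inst:
                continue
            for p in inst:
                # Role and state must agree: only alternate/backup ports discard.
                if p.role in ("ROOT", "DESI", "ALTE", "BACK"):
                    want = "DISCARDING" if p.role in ("ALTE", "BACK") else "FORWARDING"
                    if p.state != want:
                        findings.append(f"{sw} MSTI {msti} {p.port}: role {p.role} but state {p.state}")
            alternates += sum(1 for p in inst if p.role == "ALTE")
            if sw == root_bridge:
                # The root bridge has only designated ports, each root-protected (Step 2).
                for p in inst:
                    if p.role != "DESI":
                        findings.append(f"{sw} MSTI {msti} {p.port}: root bridge port is {p.role}, not DESI")
                    elif p.protection != "ROOT":
                        findings.append(f"{sw} MSTI {msti} {p.port}: designated port of the root bridge lacks root protection")
            else:
                roots = [p for p in inst if p.role == "ROOT"]
                if len(roots) != 1:
                    findings.append(f"{sw} MSTI {msti}: expected exactly one ROOT port, found {len(roots)}")
        if alternates == 0:
            findings.append(f"MSTI {msti}: no ALTE port in the supplied outputs, so no redundant link is blocked")
    return findings


# Outputs transcribed from Step 3 of the RSTP example (the two switches for
# which the page shows the full `display stp brief` output).
SWITCH_A = """\
[SwitchA] display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet1/0/1        DESI  FORWARDING      ROOT
   0    GigabitEthernet1/0/2        DESI  FORWARDING      ROOT
"""
SWITCH_C = """\
[SwitchC] display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet1/0/1        ALTE  DISCARDING      NONE
   0    GigabitEthernet1/0/2        DESI  FORWARDING      NONE
   0    GigabitEthernet1/0/3        ROOT  FORWARDING      NONE
"""
PAGE_OUTPUTS = {"SwitchA": SWITCH_A, "SwitchC": SWITCH_C}

# Constructed failure case: root protection missing on one designated port of
# SwitchA, and the alternate port on SwitchC forwarding (a loop would form).
TAMPERED_A = """\
[SwitchA] display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet1/0/1        DESI  FORWARDING      ROOT
   0    GigabitEthernet1/0/2        DESI  FORWARDING      NONE
"""
TAMPERED_C = """\
[SwitchC] display stp brief
 MSTID  Port                        Role  STP State     Protection
   0    GigabitEthernet1/0/1        ALTE  FORWARDING      NONE
   0    GigabitEthernet1/0/2        DESI  FORWARDING      NONE
   0    GigabitEthernet1/0/3        ROOT  FORWARDING      NONE
"""
TAMPERED_OUTPUTS = {"SwitchA": TAMPERED_A, "SwitchC": TAMPERED_C}

if __name__ == "__main__":
    for label, outputs in (("page outputs", PAGE_OUTPUTS), ("tampered outputs", TAMPERED_OUTPUTS)):
        print(f"{label}: {audit(outputs, 'SwitchA') or 'OK'}")
```

The script expects the full display stp brief output per switch; the single-port output that display stp interface ... brief produces for SwitchB would trip the "exactly one ROOT port" check and is therefore not included.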

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
stp mode rstp
stp instance 0 root primary
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/1
stp root-protection
#
interface GigabitEthernet1/0/2
stp root-protection
#
return
● SwitchB configuration file
#
sysname SwitchB
#
stp mode rstp
stp bpdu-protection
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/2
stp edged-port enable
#
return
● SwitchC configuration file
#
sysname SwitchC
#
stp mode rstp
stp bpdu-protection
stp pathcost-standard legacy
#
interface GigabitEthernet1/0/1
stp instance 0 cost 20000
#
interface GigabitEthernet1/0/2
stp edged-port enable
#
return
● SwitchD configuration file
#
sysname SwitchD
#
stp mode rstp
stp instance 0 root secondary
stp pathcost-standard legacy
#
return


Related Content
Videos

Configuring STP to Prevent Loops

3.6.5.3 Example for Configuring MSTP

Overview
Generally, redundant links are used on an Ethernet switching network to provide
link backup and enhance network reliability. The use of redundant links, however,
may produce loops, causing broadcast storms and rendering the MAC address
table unstable. As a result, the communication quality deteriorates, and
communication services may be interrupted. The Spanning Tree Protocol (STP) is
used to solve these problems. STP prevents loops. Devices running STP discover
loops on the network by exchanging information with each other, and block some
ports to eliminate loops.

STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP)
defined in IEEE 802.1w, and the Multiple Spanning Tree Protocol (MSTP) defined
in IEEE 802.1s.

MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table
3-36 compares STP, RSTP, and MSTP.

Table 3-36 Comparisons among STP, RSTP, and MSTP

Spanning Tree Protocol | Characteristics | Application Scenario
STP | ● Forms a loop-free tree to prevent broadcast storms and implement redundancy. ● Provides slow convergence. | User or service traffic does not need to be differentiated, and all VLANs share a spanning tree.
RSTP | ● Forms a loop-free tree to prevent broadcast storms and implement redundancy. ● Provides fast convergence. | User or service traffic does not need to be differentiated, and all VLANs share a spanning tree.
MSTP | ● Forms multiple loop-free trees to prevent broadcast storms and implement redundancy. ● Provides fast convergence. ● Implements load balancing among VLANs and forwards traffic in different VLANs along different paths. | User or service traffic needs to be differentiated and load balanced. Traffic from different VLANs is forwarded through different spanning trees that are independent of each other.


Configuration Notes
● This example applies to all versions of all S series switches.
● The ports connected to terminals do not participate in MSTP calculation.
Therefore, configure the ports as edge ports or disable STP on the ports.

Networking Requirements
To implement redundancy on a complex network, network designers tend to
deploy multiple physical links between two devices, one of which is the primary
link and the others are backup links. Loops may occur, causing broadcast storms
or rendering the MAC address table unstable. MSTP can be used to prevent loops.
MSTP blocks redundant links and prunes a network into a tree topology free from
loops.
In Figure 3-94, SwitchA, SwitchB, SwitchC, and SwitchD run MSTP. MSTP uses
multiple instances to implement load balancing of traffic in VLANs 2 to 10 and
VLANs 11 to 20. The VLAN mapping table that defines the mapping between
VLANs and MSTIs can be used.


Figure 3-94 MSTP networking

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic MSTP functions on switching devices of the ring network.
2. Enable protection functions to protect devices or links. For example, enable
root protection on the designated port of the root bridge in each MSTI.


NOTE

When the link between the root bridge and secondary root bridge goes Down, the port
enabled with root protection becomes Discarding because root protection takes effect.
To improve reliability, you are advised to bind the link between the root bridge and
secondary root bridge to an Eth-Trunk.
3. Configure Layer 2 forwarding on devices.

Procedure
Step 1 Configure basic MSTP functions.
1. Configure SwitchA, SwitchB, SwitchC, and SwitchD (access switches) in the
MST region RG1 and create MSTI 1 and MSTI 2.
NOTE

Two switches belong to the same MST region when they have the same:
– Name of the MST region
– Mapping between VLANs and MSTIs
– Revision level of the MST region
# Configure an MST region of root bridge SwitchA in MSTI 1.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchA-mst-region] instance 1 vlan 2 to 10 //Map VLANs 2 to 10 to MSTI 1.
[SwitchA-mst-region] instance 2 vlan 11 to 20 //Map VLANs 11 to 20 to MSTI 2.
[SwitchA-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchA-mst-region] quit
# Configure an MST region of root bridge SwitchB in MSTI 1.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] stp region-configuration
[SwitchB-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchB-mst-region] instance 1 vlan 2 to 10 //Map VLANs 2 to 10 to MSTI 1.
[SwitchB-mst-region] instance 2 vlan 11 to 20 //Map VLANs 11 to 20 to MSTI 2.
[SwitchB-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchB-mst-region] quit
# Configure an MST region of SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] stp region-configuration
[SwitchC-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchC-mst-region] instance 1 vlan 2 to 10 //Map VLANs 2 to 10 to MSTI 1.
[SwitchC-mst-region] instance 2 vlan 11 to 20 //Map VLANs 11 to 20 to MSTI 2.
[SwitchC-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchC-mst-region] quit
# Configure an MST region of SwitchD.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] stp region-configuration
[SwitchD-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchD-mst-region] instance 1 vlan 2 to 10 //Map VLANs 2 to 10 to MSTI 1.
[SwitchD-mst-region] instance 2 vlan 11 to 20 //Map VLANs 11 to 20 to MSTI 2.
[SwitchD-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchD-mst-region] quit
2. Configure root bridges and secondary root bridges of MSTI 1 and MSTI 2 in
the MST region RG1.


– Configure the root bridge and secondary root bridge in MSTI 1.
# Configure SwitchA as the root bridge in MSTI 1.
[SwitchA] stp instance 1 root primary
# Configure SwitchB as the secondary root bridge in MSTI 1.
[SwitchB] stp instance 1 root secondary
– Configure the root bridge and secondary root bridge in MSTI 2.
# Configure SwitchB as the root bridge in MSTI 2.
[SwitchB] stp instance 2 root primary
# Configure SwitchA as the secondary root bridge in MSTI 2.
[SwitchA] stp instance 2 root secondary

3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be
larger than the default values.
NOTE

– The path cost range depends on the algorithm. Huawei's proprietary algorithm is
used as an example. Set the path costs of the ports to be blocked in MSTI 1 and
MSTI 2 to 20000.
– Switching devices on the same network must use the same algorithm to calculate
the path cost of ports.
# Configure SwitchA to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchA] stp pathcost-standard legacy
# Configure SwitchB to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchB] stp pathcost-standard legacy
# Configure SwitchC to use Huawei's proprietary algorithm to calculate the
path cost and set the path cost of GE1/0/2 to 20000 in MSTI 2.
[SwitchC] stp pathcost-standard legacy
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp instance 2 cost 20000
[SwitchC-GigabitEthernet1/0/2] quit
# Configure SwitchD to use Huawei's proprietary algorithm to calculate the
path cost and set the path cost of GE1/0/2 to 20000 in MSTI 1.
[SwitchD] stp pathcost-standard legacy
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] stp instance 1 cost 20000
[SwitchD-GigabitEthernet1/0/2] quit

4. Enable MSTP to eliminate loops.
– Enable MSTP globally on devices.
# Enable MSTP on SwitchA.
[SwitchA] stp enable
# Enable MSTP on SwitchB.
[SwitchB] stp enable
# Enable MSTP on SwitchC.
[SwitchC] stp enable
# Enable MSTP on SwitchD.
[SwitchD] stp enable
– Configure the ports connected to the terminal as edge ports.
# Configure GE1/0/1 of SwitchC as an edge port.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] stp edged-port enable
[SwitchC-GigabitEthernet1/0/1] quit
(Optional) Configure BPDU protection on SwitchC.
[SwitchC] stp bpdu-protection
# Configure GE1/0/1 of SwitchD as an edge port.
[SwitchD] interface gigabitethernet 1/0/1
[SwitchD-GigabitEthernet1/0/1] stp edged-port enable
[SwitchD-GigabitEthernet1/0/1] quit
(Optional) Configure BPDU protection on SwitchD.
[SwitchD] stp bpdu-protection
NOTE
If edge ports are connected to network devices that have STP enabled and BPDU
protection is enabled, the edge ports will be shut down and their attributes
remain unchanged after they receive BPDUs.

Step 2 Enable protection functions. For example, enable root protection on the designated
port of the root bridge in each MSTI.
# Enable root protection on GE1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp root-protection
[SwitchA-GigabitEthernet1/0/1] quit
# Enable root protection on GE1/0/1 of SwitchB.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] stp root-protection
[SwitchB-GigabitEthernet1/0/1] quit

Step 3 Configure Layer 2 forwarding on switches of the ring network.
● Create VLANs 2 to 20 on SwitchA, SwitchB, SwitchC, and SwitchD.
# Create VLANs 2 to 20 on SwitchA.
[SwitchA] vlan batch 2 to 20
# Create VLANs 2 to 20 on SwitchB.
[SwitchB] vlan batch 2 to 20
# Create VLANs 2 to 20 on SwitchC.
[SwitchC] vlan batch 2 to 20
# Create VLANs 2 to 20 on SwitchD.
[SwitchD] vlan batch 2 to 20
● Add ports connected to the ring to VLANs.
# Add GE1/0/1 on SwitchA to VLANs.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 20
[SwitchA-GigabitEthernet1/0/1] quit
# Add Eth-Trunk1 on SwitchA to VLANs.
[SwitchA] interface Eth-Trunk 1
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 1/0/2
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 1/0/3
[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 2 to 20
[SwitchA-Eth-Trunk1] quit
# Add GE1/0/1 on SwitchB to VLANs.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 20
[SwitchB-GigabitEthernet1/0/1] quit
# Add Eth-Trunk1 on SwitchB to VLANs.
[SwitchB] interface Eth-Trunk 1
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 1/0/2
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 1/0/3
[SwitchB-Eth-Trunk1] port link-type trunk
[SwitchB-Eth-Trunk1] port trunk allow-pass vlan 2 to 20
[SwitchB-Eth-Trunk1] quit
# Add GE1/0/1 on SwitchC to VLANs.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type access
[SwitchC-GigabitEthernet1/0/1] port default vlan 2
[SwitchC-GigabitEthernet1/0/1] quit
# Add GE1/0/2 on SwitchC to VLANs.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 20
[SwitchC-GigabitEthernet1/0/2] quit
# Add GE1/0/3 on SwitchC to VLANs.
[SwitchC] interface gigabitethernet 1/0/3
[SwitchC-GigabitEthernet1/0/3] port link-type trunk
[SwitchC-GigabitEthernet1/0/3] port trunk allow-pass vlan 2 to 20
[SwitchC-GigabitEthernet1/0/3] quit
# Add GE1/0/1 on SwitchD to VLANs.
[SwitchD] interface gigabitethernet 1/0/1
[SwitchD-GigabitEthernet1/0/1] port link-type access
[SwitchD-GigabitEthernet1/0/1] port default vlan 11
[SwitchD-GigabitEthernet1/0/1] quit
# Add GE1/0/2 on SwitchD to VLANs.
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] port link-type trunk
[SwitchD-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 20
[SwitchD-GigabitEthernet1/0/2] quit
# Add GE1/0/3 on SwitchD to VLANs.
[SwitchD] interface gigabitethernet 1/0/3
[SwitchD-GigabitEthernet1/0/3] port link-type trunk
[SwitchD-GigabitEthernet1/0/3] port trunk allow-pass vlan 2 to 20
[SwitchD-GigabitEthernet1/0/3] quit

Step 4 Verify the configuration.
After the configuration is complete and the network topology becomes stable,
perform the following operations to verify the configuration.
NOTE
MSTI 1 and MSTI 2 are used as examples, so you do not need to check the port status in
MSTI 0.
# Run the display stp brief command on SwitchA to view the port status and
protection type. The displayed information is as follows:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 Eth-Trunk1 DESI FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 Eth-Trunk1 DESI FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 Eth-Trunk1 ROOT FORWARDING NONE
In MSTI 1, Eth-Trunk1 and GE1/0/1 on SwitchA are designated ports because
SwitchA is the root bridge. In MSTI 2, GE1/0/1 on SwitchA is the designated port and
Eth-Trunk1 is the root port.
# Run the display stp brief command on SwitchB. The following information is
displayed:
[SwitchB] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 Eth-Trunk1 ROOT FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 Eth-Trunk1 ROOT FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 Eth-Trunk1 DESI FORWARDING NONE

In MSTI 2, GE1/0/1 and Eth-Trunk1 on SwitchB are designated ports because
SwitchB is the root bridge. In MSTI 1, GE1/0/1 on SwitchB is the designated port and
Eth-Trunk1 is the root port.
# Run the display stp interface brief command on SwitchC. The following
information is displayed:
[SwitchC] display stp interface gigabitethernet 1/0/3 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE
1 GigabitEthernet1/0/3 ROOT FORWARDING NONE
2 GigabitEthernet1/0/3 ROOT FORWARDING NONE
[SwitchC] display stp interface gigabitethernet 1/0/2 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
1 GigabitEthernet1/0/2 DESI FORWARDING NONE
2 GigabitEthernet1/0/2 ALTE DISCARDING NONE

GE1/0/3 on SwitchC is the root port in MSTI 1 and MSTI 2. GE1/0/2 on SwitchC is
blocked in MSTI 2 and is the designated port in MSTI 1.
# Run the display stp interface brief command on SwitchD. The following
information is displayed:
[SwitchD] display stp interface gigabitethernet 1/0/3 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE
1 GigabitEthernet1/0/3 ROOT FORWARDING NONE
2 GigabitEthernet1/0/3 ROOT FORWARDING NONE
[SwitchD] display stp interface gigabitethernet 1/0/2 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/2 ALTE DISCARDING NONE
1 GigabitEthernet1/0/2 ALTE DISCARDING NONE
2 GigabitEthernet1/0/2 DESI FORWARDING NONE

GE1/0/3 on SwitchD is the root port in MSTI 1 and MSTI 2. GE1/0/2 on SwitchD is
blocked in MSTI 1 and is the designated port in MSTI 2.

----End
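The NOTE in Step 1 states that switches join the same MST region only when the region name, VLAN-to-MSTI mapping and revision level all match. As an added example (not from the Huawei guide), the Python script below computes the third of the values a switch advertises for its region: the IEEE 802.1s configuration digest, an HMAC-MD5 over the 4096-entry VLAN-to-MSTI table with the key fixed by the standard. It builds the table from the instance ... vlan ... lines used in this example, so a region split caused by a mapping typo on one switch can be predicted before deployment; the revision level is assumed to be the default of 0 because the example never sets it, and the drifted mapping is a constructed misconfiguration.

```python
import hashlib
import hmac
import re
from typing import List, Tuple

# Key defined in IEEE 802.1s (clause 13.7, MST Configuration Identifier).
MST_DIGEST_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")

# Well-known digest of the default table (every VLAN in the CIST, MSTI 0).
DEFAULT_DIGEST = "AC36177F50283CD4B83821D8AB26DE62"


def parse_vlan_list(spec: str) -> List[int]:
    """Expand the VLAN list syntax of `instance <n> vlan ...` ("2 to 10", "30 40 to 42")."""
    vlans: List[int] = []
    tokens = spec.split()
    i = 0
    while i < len(tokens):
        lo = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            hi = int(tokens[i + 2])
            i += 3
        else:
            hi = lo
            i += 1
        if not 1 <= lo <= hi <= 4094:
            raise ValueError(f"invalid VLAN range {lo}-{hi}")
        vlans.extend(range(lo, hi + 1))
    return vlans


def vlan_to_msti_table(instance_lines: List[str]) -> List[int]:
    """Build the 4096-entry MST configuration table (index = VID, value = MSTI).
    VIDs not mentioned stay in MSTI 0 (the CIST); VID 0 and 4095 are always 0."""
    table = [0] * 4096
    for line in instance_lines:
        m = re.match(r"\s*instance\s+(\d+)\s+vlan\s+(.+?)\s*$", line)
        if not m:
            raise ValueError(f"not an instance-to-VLAN mapping: {line!r}")
        msti = int(m.group(1))
        for vid in parse_vlan_list(m.group(2)):
            table[vid] = msti
    return table


def config_digest(table: List[int]) -> str:
    """HMAC-MD5 over the table, each entry encoded as a 2-octet big-endian MSTID."""
    data = b"".join(msti.to_bytes(2, "big") for msti in table)
    return hmac.new(MST_DIGEST_KEY, data, hashlib.md5).hexdigest().upper()


def region_identifier(name: str, revision: int, instance_lines: List[str]) -> Tuple[str, int, str]:
    """The three values a switch carries in its BPDUs to identify its MST region.
    Two switches are in one region exactly when these tuples are equal."""
    return name, revision, config_digest(vlan_to_msti_table(instance_lines))


# The mapping every switch on this page activates in region RG1 (revision level
# not set in the example, so the default 0 is assumed).
PAGE_MAPPING = ["instance 1 vlan 2 to 10", "instance 2 vlan 11 to 20"]
# Constructed misconfiguration: one VLAN missing from MSTI 1 on a single switch.
DRIFTED_MAPPING = ["instance 1 vlan 2 to 9", "instance 2 vlan 11 to 20"]

if __name__ == "__main__":
    rg1 = region_identifier("RG1", 0, PAGE_MAPPING)
    drifted = region_identifier("RG1", 0, DRIFTED_MAPPING)
    print("default digest :", config_digest([0] * 4096))
    print("RG1 digest     :", rg1[2])
    print("drifted digest :", drifted[2], "-> same region as RG1:", rg1 == drifted)
```

A switch whose digest differs forms a region of its own, so its ports face the others as region boundary ports and the per-MSTI load balancing this example configures no longer applies to it.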

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 20
#
stp instance 1 root primary
stp instance 2 root secondary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 2 to 20
#
stp instance 1 root secondary
stp instance 2 root primary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
#
interface GigabitEthernet1/0/2
eth-trunk 1
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 2 to 20
#
stp bpdu-protection
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 2
stp edged-port enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp instance 2 cost 20000
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return
● SwitchD configuration file
#
sysname SwitchD
#
vlan batch 2 to 20
#
stp bpdu-protection
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 11
stp edged-port enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp instance 1 cost 20000
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 20
#
return

Related Content
Videos
Configuring MSTP to Prevent Loops

3.6.5.4 Example for Configuring MSTP and VRRP

Overview
When VRRP is deployed on a network, multiple devices transmit services
simultaneously. Each virtual device consists of one master and several backups. If
redundant links need to be deployed for access backup, MSTP needs to be
deployed to eliminate loops and ensure load balancing of traffic.

Configuration Notes
● The ports connected to terminals do not participate in MSTP calculation.
Therefore, configure the ports as edge ports or disable STP on the ports.
● This example applies to the following products:
– S2720-EI: V200R011C10 and later versions
– S2730S-S
– S3700-EI, S3700-HI
– S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5700-EI, S5700-HI,
S5710-EI, S5720-EI, S5710-HI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI,
S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S5735-L-I, S5735-L1,
S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S-I, S5735S-H,
S5736-S, S5735-S, S500, S5735S-S
– S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6700-EI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a
product series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-95, hosts connect to the network through SwitchC. SwitchC is dual-
homed to SwitchA and SwitchB and connects to the Internet. Redundant links are
deployed for access backup. The use of redundant links, however, may produce
loops, causing broadcast storms and rendering the MAC address table unstable.
It is required that network loops be prevented when redundant links are deployed,
traffic be switched to another link when one link is disconnected, and network
bandwidth be effectively used.
MSTP can be configured on the network. MSTP blocks redundant links and prunes
a network into a tree topology free from loops. VRRP can be configured on
SwitchA and SwitchB. HostA connects to the Internet with SwitchA as the default
gateway and SwitchB as the backup gateway; HostB connects to the Internet with
SwitchB as the default gateway and SwitchA as the backup gateway. This setting
implements reliability and traffic load balancing.

Figure 3-95 Networking for configuring MSTP and VRRP

Device | Interface | VLANIF Interface | IP Address
SwitchA | GE1/0/1 and GE1/0/2 | VLANIF 2 | 10.1.2.102/24
SwitchA | GE1/0/1 and GE1/0/2 | VLANIF 3 | 10.1.3.102/24
SwitchA | GE1/0/3 | VLANIF 4 | 10.1.4.102/24
SwitchB | GE1/0/1 and GE1/0/2 | VLANIF 2 | 10.1.2.103/24
SwitchB | GE1/0/1 and GE1/0/2 | VLANIF 3 | 10.1.3.103/24
SwitchB | GE1/0/3 | VLANIF 5 | 10.1.5.103/24


Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic MSTP functions on switching devices of the ring network.
a. Configure an MST region, create multiple instances, and map VLAN 2 to
MSTI 1 and VLAN 3 to MSTI 2 to load balance traffic.
b. Configure the root bridge and secondary root bridge in each MST region.
c. Configure the path cost of a port in each MSTI so that the port can be
blocked.
d. Enable MSTP to prevent loops.
▪ Enable MSTP globally.
▪ Enable MSTP on all ports except the ports connected to hosts.
2. Enable protection functions to protect devices or links. For example, enable
root protection on the designated port of the root bridge in each MSTI.
3. Configure Layer 2 forwarding on devices.
4. Assign an IP address to each interface and configure a routing protocol to
ensure network connectivity.
NOTE

In this example, SwitchA and SwitchB need to support VRRP and OSPF. For details
about the models supporting VRRP and OSPF, see the documentation.
5. Create VRRP groups 1 and 2 on SwitchA and SwitchB. In VRRP group 1,
configure SwitchA as the master and SwitchB as the backup. In VRRP group 2,
configure SwitchB as the master and SwitchA as the backup.

Procedure
Step 1 Configure basic MSTP functions.
1. Configure SwitchA, SwitchB, and SwitchC in the MST region RG1 and create
MSTI 1 and MSTI 2.
# Configure an MST region on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration //Enter the MST region view.
[SwitchA-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchA-mst-region] instance 1 vlan 2 //Maps VLAN 2 to MSTI 1.
[SwitchA-mst-region] instance 2 vlan 3 //Maps VLAN 3 to MSTI 2.
[SwitchA-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchA-mst-region] quit
# Configure an MST region on SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] stp region-configuration //Enter the MST region view.
[SwitchB-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchB-mst-region] instance 1 vlan 2 //Maps VLAN 2 to MSTI 1.
[SwitchB-mst-region] instance 2 vlan 3 //Maps VLAN 3 to MSTI 2.
[SwitchB-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchB-mst-region] quit
# Configure an MST region on SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] stp region-configuration //Enter the MST region view.
[SwitchC-mst-region] region-name RG1 //Configure the region name as RG1.
[SwitchC-mst-region] instance 1 vlan 2 //Maps VLAN 2 to MSTI 1.
[SwitchC-mst-region] instance 2 vlan 3 //Maps VLAN 3 to MSTI 2.
[SwitchC-mst-region] active region-configuration //Activate the MST region configuration.
[SwitchC-mst-region] quit

2. Configure root bridges and secondary root bridges of MSTI 1 and MSTI 2 in
the MST region RG1.
– Configure the root bridge and secondary root bridge in MSTI 1.
# Configure SwitchA as the root bridge in MSTI 1.
[SwitchA] stp instance 1 root primary

# Configure SwitchB as the secondary root bridge in MSTI 1.


[SwitchB] stp instance 1 root secondary

– Configure the root bridge and secondary root bridge in MSTI 2.


# Configure SwitchB as the root bridge in MSTI 2.
[SwitchB] stp instance 2 root primary

# Configure SwitchA as the secondary root bridge in MSTI 2.


[SwitchA] stp instance 2 root secondary

3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be
larger than the default values.
NOTE

– The path cost range depends on the algorithm. Huawei's proprietary algorithm is
used as an example. Set the path costs of the ports to be blocked in MSTI 1 and
MSTI 2 to 20000.
– Switching devices on the same network must use the same algorithm to calculate
the path cost of ports.
# Configure SwitchA to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchA] stp pathcost-standard legacy

# Configure SwitchB to use Huawei's proprietary algorithm to calculate the
path cost.
[SwitchB] stp pathcost-standard legacy

# Configure SwitchC to use Huawei's proprietary algorithm to calculate the
path cost, and set the path cost of GE1/0/1 in MSTI 2 to 20000 and path cost
of GE1/0/4 in MSTI 1 to 20000.
[SwitchC] stp pathcost-standard legacy
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] stp instance 2 cost 20000
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface gigabitethernet 1/0/4
[SwitchC-GigabitEthernet1/0/4] stp instance 1 cost 20000
[SwitchC-GigabitEthernet1/0/4] quit

4. Enable MSTP to eliminate loops.
– Enable MSTP globally on devices.
# Enable MSTP on SwitchA.
[SwitchA] stp enable

# Enable MSTP on SwitchB.
[SwitchB] stp enable

# Enable MSTP on SwitchC.
[SwitchC] stp enable

– Configure the ports connected to hosts as edge ports.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp edged-port enable
[SwitchC-GigabitEthernet1/0/2] quit
[SwitchC] interface gigabitethernet 1/0/3
[SwitchC-GigabitEthernet1/0/3] stp edged-port enable
[SwitchC-GigabitEthernet1/0/3] quit

(Optional) Configure BPDU protection on SwitchC.
[SwitchC] stp bpdu-protection

– Configure the ports connected to the router as edge ports.
# Configure SwitchA.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] stp edged-port enable
[SwitchA-GigabitEthernet1/0/3] quit

(Optional) Configure BPDU protection on SwitchA.
[SwitchA] stp bpdu-protection

# Configure SwitchB.
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] stp edged-port enable
[SwitchB-GigabitEthernet1/0/3] quit

(Optional) Configure BPDU protection on SwitchB.
[SwitchB] stp bpdu-protection

NOTE

If edge ports are connected to network devices that have STP enabled and BPDU
protection is enabled, the edge ports will be shut down and their attributes
remain unchanged after they receive BPDUs.

Step 2 Enable protection functions. For example, enable root protection on the designated
port of the root bridge in each MSTI.
# Enable root protection on GE1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] stp root-protection
[SwitchA-GigabitEthernet1/0/1] quit

# Enable root protection on GE1/0/1 of SwitchB.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] stp root-protection
[SwitchB-GigabitEthernet1/0/1] quit

Step 3 Configure Layer 2 forwarding on switches of the ring network.
● Create VLAN 2 and VLAN 3 on SwitchA, SwitchB, and SwitchC.
# Create VLAN 2 and VLAN 3 on SwitchA.
[SwitchA] vlan batch 2 to 3

# Create VLAN 2 and VLAN 3 on SwitchB.
[SwitchB] vlan batch 2 to 3

# Create VLAN 2 and VLAN 3 on SwitchC.
[SwitchC] vlan batch 2 to 3

● Add ports connected to the ring to VLANs.
# Add GE1/0/1 on SwitchA to VLANs.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 3
[SwitchA-GigabitEthernet1/0/1] quit
# Add GE1/0/2 on SwitchA to VLANs.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 3
[SwitchA-GigabitEthernet1/0/2] quit
# Add GE1/0/1 on SwitchB to VLANs.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 3
[SwitchB-GigabitEthernet1/0/1] quit
# Add GE1/0/2 on SwitchB to VLANs.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 3
[SwitchB-GigabitEthernet1/0/2] quit
# Add GE1/0/1 on SwitchC to VLANs.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 3
[SwitchC-GigabitEthernet1/0/1] quit
# Add GE1/0/2 on SwitchC to VLANs.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-type access
[SwitchC-GigabitEthernet1/0/2] port default vlan 2
[SwitchC-GigabitEthernet1/0/2] quit
# Add GE1/0/3 on SwitchC to VLANs.
[SwitchC] interface gigabitethernet 1/0/3
[SwitchC-GigabitEthernet1/0/3] port link-type access
[SwitchC-GigabitEthernet1/0/3] port default vlan 3
[SwitchC-GigabitEthernet1/0/3] quit
# Add GE1/0/4 on SwitchC to VLANs.
[SwitchC] interface gigabitethernet 1/0/4
[SwitchC-GigabitEthernet1/0/4] port link-type trunk
[SwitchC-GigabitEthernet1/0/4] port trunk allow-pass vlan 2 to 3
[SwitchC-GigabitEthernet1/0/4] quit

Step 4 Verify the configuration.
After the configuration is complete and the network topology becomes stable,
perform the following operations to verify the configuration.

NOTE

MSTI 1 and MSTI 2 are used as examples, so you do not need to check the port status in
MSTI 0.

# Run the display stp brief command on SwitchA to view the port status and
protection type. The displayed information is as follows:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 GigabitEthernet1/0/2 DESI FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 GigabitEthernet1/0/2 ROOT FORWARDING NONE

In MSTI 1, GE1/0/2 and GE1/0/1 on SwitchA are designated ports because SwitchA is
the root bridge. In MSTI 2, GE1/0/1 on SwitchA is the designated port and GE1/0/2 is
the root port.
# Run the display stp brief command on SwitchB. The displayed information is as
follows:
[SwitchB] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 GigabitEthernet1/0/2 ROOT FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 GigabitEthernet1/0/2 ROOT FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 GigabitEthernet1/0/2 DESI FORWARDING NONE

In MSTI 2, GE1/0/1 and GE1/0/2 on SwitchB are designated ports because SwitchB is
the root bridge. In MSTI 1, GE1/0/1 on SwitchB is the designated port and GE1/0/2 is
the root port.
# Run the display stp interface brief command on SwitchC. The displayed
information is as follows:
[SwitchC] display stp interface gigabitethernet 1/0/1 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 ROOT FORWARDING NONE
1 GigabitEthernet1/0/1 ROOT FORWARDING NONE
2 GigabitEthernet1/0/1 ALTE DISCARDING NONE
[SwitchC] display stp interface gigabitethernet 1/0/4 brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/4 ALTE DISCARDING NONE
1 GigabitEthernet1/0/4 ALTE DISCARDING NONE
2 GigabitEthernet1/0/4 ROOT FORWARDING NONE

GE1/0/1 on SwitchC is the root port in MSTI 1 and is blocked in MSTI 2. GE1/0/4
on SwitchC is blocked in MSTI 1 and is the designated port in MSTI 2.
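As an added check that is not part of the Huawei document, the following Python script parses the text printed by display stp brief (shown above) and verifies the per-MSTI port roles this design expects: no root port on a root bridge, exactly one root port on every other switch, ROOT protection on the GE1/0/1 ports of the two root bridges, and the two ports that Step 1 priced out in ALTE/DISCARDING state. The sample output is constructed from the values shown in Step 4; the function names are assumptions.

```python
import re
from collections import defaultdict

# Data rows of 'display stp brief': MSTID  Port  Role  STP State  Protection
_ROW = re.compile(
    r"^\s*(?P<msti>\d+)\s+(?P<port>\S+)\s+(?P<role>[A-Z]{4})\s+"
    r"(?P<state>[A-Z]+)\s+(?P<prot>\S+)\s*$"
)


def parse_stp_brief(text):
    """Map (msti, port) -> (role, state, protection); header lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows[(int(m["msti"]), m["port"])] = (m["role"], m["state"], m["prot"])
    return rows


def check_switch(name, rows, root_in=(), root_protected=(), blocked=()):
    """Compare parsed rows with the design and return a list of findings.

    root_in        - MSTIs in which this switch is the root bridge
    root_protected - (msti, port) pairs that must report ROOT protection
    blocked        - (msti, port) pairs that must be ALTE/DISCARDING
    An empty list means the switch matches the design.
    """
    findings = []
    per_msti = defaultdict(dict)
    for (msti, port), info in rows.items():
        if msti != 0:  # MSTI 0 is not part of this design (see the NOTE above)
            per_msti[msti][port] = info
    for msti, ports in sorted(per_msti.items()):
        root_ports = [p for p, (role, _, _) in ports.items() if role == "ROOT"]
        if msti in root_in:
            # A root bridge has no root port; all of its ring ports are designated.
            bad = [p for p, (role, _, _) in ports.items() if role != "DESI"]
            if bad:
                findings.append(f"{name} MSTI {msti}: root bridge has non-DESI ports {bad}")
        elif len(root_ports) != 1:
            findings.append(f"{name} MSTI {msti}: expected one root port, found {root_ports}")
    for msti, port in root_protected:
        if rows.get((msti, port), ("", "", ""))[2] != "ROOT":
            findings.append(f"{name} MSTI {msti}: {port} lacks root protection")
    for msti, port in blocked:
        role_state = rows.get((msti, port), ("", "", ""))[:2]
        if role_state != ("ALTE", "DISCARDING"):
            findings.append(f"{name} MSTI {msti}: {port} should be ALTE/DISCARDING, is {role_state}")
    return findings


# Constructed sample output, copied from the values the document's Step 4 shows.
SWITCHA = """\
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 GigabitEthernet1/0/2 DESI FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 GigabitEthernet1/0/2 ROOT FORWARDING NONE
"""
SWITCHB = """\
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 GigabitEthernet1/0/2 ROOT FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING ROOT
1 GigabitEthernet1/0/2 ROOT FORWARDING NONE
2 GigabitEthernet1/0/1 DESI FORWARDING ROOT
2 GigabitEthernet1/0/2 DESI FORWARDING NONE
"""
SWITCHC = """\
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 ROOT FORWARDING NONE
1 GigabitEthernet1/0/1 ROOT FORWARDING NONE
2 GigabitEthernet1/0/1 ALTE DISCARDING NONE
0 GigabitEthernet1/0/4 ALTE DISCARDING NONE
1 GigabitEthernet1/0/4 ALTE DISCARDING NONE
2 GigabitEthernet1/0/4 ROOT FORWARDING NONE
"""


def audit_ring():
    """Run the checks for the three switches of this example; {name: findings}."""
    ge = "GigabitEthernet1/0/{}".format
    ring_ports = {(1, ge(1)), (2, ge(1))}  # GE1/0/1 carries root protection (Step 2)
    return {
        "SwitchA": check_switch("SwitchA", parse_stp_brief(SWITCHA),
                                root_in={1}, root_protected=ring_ports),
        "SwitchB": check_switch("SwitchB", parse_stp_brief(SWITCHB),
                                root_in={2}, root_protected=ring_ports),
        "SwitchC": check_switch("SwitchC", parse_stp_brief(SWITCHC),
                                blocked={(2, ge(1)), (1, ge(4))}),
    }


if __name__ == "__main__":
    for switch, findings in audit_ring().items():
        print(switch, "OK" if not findings else findings)
```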
Step 5 Configure devices to ensure network connectivity.
# Assign an IP address to each interface. SwitchA is used as an example. The
configuration of SwitchB is similar to that of SwitchA, and is not mentioned here.
For details, see the configuration files.
[SwitchA] vlan batch 4
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 4
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.1.2.102 24
[SwitchA-Vlanif2] quit
[SwitchA] interface vlanif 3
[SwitchA-Vlanif3] ip address 10.1.3.102 24
[SwitchA-Vlanif3] quit
[SwitchA] interface vlanif 4
[SwitchA-Vlanif4] ip address 10.1.4.102 24
[SwitchA-Vlanif4] quit

# Configure OSPF between SwitchA, SwitchB, and the router. SwitchA is used as an
example. The configuration of SwitchB is similar to that of SwitchA, and is not
mentioned here. For details, see the configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

Step 6 Configure VRRP groups.
# Configure VRRP group 1 on SwitchA and SwitchB, set the priority of SwitchA to
120 and the preemption delay to 20s, and set the default priority for SwitchB.
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100 //Create VRRP group 1 and set the virtual IP address to
10.1.2.100.
[SwitchA-Vlanif2] vrrp vrid 1 priority 120 //Set the priority of VRRP group 1 to 120.
[SwitchA-Vlanif2] vrrp vrid 1 preempt-mode timer delay 20 //Set the preemption delay of VRRP group 1
to 20s.
[SwitchA-Vlanif2] quit
[SwitchB] interface vlanif 2
[SwitchB-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100 //Create VRRP group 1 and set the virtual IP address to
10.1.2.100.
[SwitchB-Vlanif2] quit

# Configure VRRP group 2 on SwitchA and SwitchB, set the priority of SwitchB to
120 and the preemption delay to 20s, and set the default priority for SwitchA.
[SwitchB] interface vlanif 3
[SwitchB-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100 //Create VRRP group 2 and set the virtual IP address to
10.1.3.100.
[SwitchB-Vlanif3] vrrp vrid 2 priority 120 //Set the priority of VRRP group 2 to 120.
[SwitchB-Vlanif3] vrrp vrid 2 preempt-mode timer delay 20 //Set the preemption delay of VRRP group 2
to 20s.
[SwitchB-Vlanif3] quit
[SwitchA] interface vlanif 3
[SwitchA-Vlanif3] vrrp vrid 2 virtual-ip 10.1.3.100 //Create VRRP group 2 and set the virtual IP address to
10.1.3.100.
[SwitchA-Vlanif3] quit

# Set virtual IP address 10.1.2.100 of VRRP group 1 as the default gateway of
HostA, and virtual IP address 10.1.3.100 of VRRP group 2 as the default gateway
of HostB.
Step 7 Verify the configuration.
# After the configuration is complete, run the display vrrp command on SwitchA.
The following output shows that SwitchA is the master in VRRP group 1 and the
backup in VRRP group 2.
[SwitchA] display vrrp
Vlanif2 | Virtual Router 1
State : Master
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

Vlanif3 | Virtual Router 2
State : Backup
Virtual IP : 10.1.3.100
Master IP : 10.1.3.103
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:40:18
Last change time : 2012-05-26 11:48:58

# After the configuration is complete, run the display vrrp command on SwitchB.
The following output shows that SwitchB is the backup in VRRP group 1 and the
master in VRRP group 2.
[SwitchB] display vrrp
Vlanif2 | Virtual Router 1
State : Backup
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

Vlanif3 | Virtual Router 2
State : Master
Virtual IP : 10.1.3.100
Master IP : 10.1.3.103
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:40:18
Last change time : 2012-05-26 11:48:58

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 2 to 4
#
stp instance 1 root primary
stp instance 2 root secondary
stp bpdu-protection
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
#
interface Vlanif2
ip address 10.1.2.102 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.100
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif3
ip address 10.1.3.102 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.3.100
#
interface Vlanif4
ip address 10.1.4.102 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp root-protection
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 4
stp edged-port enable
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 2 to 3 5
#
stp instance 1 root secondary
stp instance 2 root primary
stp bpdu-protection
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
#
interface Vlanif2
ip address 10.1.2.103 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.100
#
interface Vlanif3
ip address 10.1.3.103 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.3.100
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
#
interface Vlanif5
ip address 10.1.5.103 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp root-protection
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 3
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 5
stp edged-port enable
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.5.0 0.0.0.255
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 2 to 3
#
stp bpdu-protection
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp instance 2 cost 20000
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 2
stp edged-port enable
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 3
stp edged-port enable
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 3
stp instance 1 cost 20000
#
return

3.6.5.5 Example for Configuring a Single RRPP Ring with a Single Instance

Overview
In most situations, the ring network topology is applied to MANs and enterprise
networks to improve network reliability. When a fault occurs on a node or on a
link between nodes, data services are switched to the standby link to ensure
service continuity. However, broadcast storms may occur on a ring network.
Many protocols can prevent broadcast storms on ring networks. However, if a fault
occurs on a ring network, it takes time for the devices to switch data services to
the standby link. If the convergence time is too long, services are interrupted.
To shorten the convergence time and eliminate the impact of network scale on
convergence time, Huawei developed the Rapid Ring Protection Protocol (RRPP).
Compared with other Ethernet ring technologies, RRPP has the following
advantages:
● RRPP is suitable for networks composed of many network nodes because the
number of nodes does not affect convergence time.
● RRPP prevents broadcast storms caused by data loops when an Ethernet ring
is complete.
● When a link on an Ethernet ring network fails, the standby link can rapidly
restore the communication among the Ethernet ring network nodes.

Configuration Notes
● STP and Smart Link must be disabled on the interface added to an RRPP
domain.
● DHCP and MAC address limiting rules cannot be configured in an RRPP
control VLAN.
● When the mapping between the protected instance and MUX VLAN needs to
be configured, you are advised to configure the principal VLAN, subordinate
group VLAN, and subordinate separate VLAN in the MUX VLAN in the
protected instance. Otherwise, loops may occur.
● This example applies to all versions of all S series switches.

Networking Requirements
In Figure 3-96, SwitchA, SwitchB, and SwitchC constitute a ring network. The
network is required to prevent loops when the ring is complete and to implement
fast convergence to rapidly restore communication between nodes in the ring
when the ring fails. You can enable RRPP on SwitchA, SwitchB, and SwitchC to
meet this requirement.

Figure 3-96 Networking of a single RRPP ring

Configuration Roadmap
The configuration roadmap is as follows:
1. Create an RRPP domain and its control VLAN.
2. Map the VLANs whose data needs to pass through the RRPP ring to instance 1,
including data VLANs 100 to 300 and control VLANs 20 and 21 (VLAN 21 is the
sub-control VLAN generated by the device).
3. Configure interfaces to be added to the RRPP domain on the devices so that
data can pass through the interfaces. Disable protocols that conflict with
RRPP, such as STP.
4. In the RRPP domain, configure a protected VLAN, create an RRPP ring and
configure SwitchA, SwitchB, and SwitchC as nodes in ring 1 in domain 1.
Configure SwitchA as the master node in ring 1 and configure SwitchB and
SwitchC as transit nodes in ring 1.
5. Enable the RRPP ring and RRPP on devices.

Procedure
Step 1 Create an RRPP domain and its control VLAN.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] control-vlan 20 //Each RRPP domain has a major control VLAN and a
sub-control VLAN. You only need to specify the major control VLAN. The system uses the VLAN whose ID is
one greater than the ID of the major control VLAN as the sub-control VLAN.
[SwitchA-rrpp-domain-region1] quit

Step 2 Map instance 1 to control VLANs 20 and 21 and data VLANs 100 to 300.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] vlan batch 100 to 300
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 1 vlan 20 21 100 to 300 //Add the major control VLAN, sub-control VLAN,
and data VLANs to instance 1.
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit

Step 3 Configure the interfaces to be added to the RRPP ring as trunk interfaces,
configure the interfaces to allow VLANs 100 to 300 to pass through, and disable
STP on the interfaces.

# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] port link-type trunk
[SwitchA-GigabitEthernet2/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 to 300
[SwitchA-GigabitEthernet2/0/1] stp disable
[SwitchA-GigabitEthernet2/0/1] quit
[SwitchA] interface gigabitethernet 2/0/2
[SwitchA-GigabitEthernet2/0/2] port link-type trunk
[SwitchA-GigabitEthernet2/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/2] port trunk allow-pass vlan 100 to 300
[SwitchA-GigabitEthernet2/0/2] stp disable
[SwitchA-GigabitEthernet2/0/2] quit

Step 4 Specify a protected VLAN, and create and enable an RRPP ring.

# Configure SwitchA.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure instance 1 as the
protected instance of the RRPP domain.
[SwitchA-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet 2/0/1
secondary-port gigabitethernet 2/0/2 level 0
[SwitchA-rrpp-domain-region1] ring 1 enable
[SwitchA-rrpp-domain-region1] quit

# Configure SwitchB.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 2/0/1 secondary-
port gigabitethernet 2/0/2 level 0
[SwitchB-rrpp-domain-region1] ring 1 enable
[SwitchB-rrpp-domain-region1] quit

# Configure SwitchC.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 2/0/1 secondary-
port gigabitethernet 2/0/2 level 0
[SwitchC-rrpp-domain-region1] ring 1 enable
[SwitchC-rrpp-domain-region1] quit

Step 5 Enable RRPP.

# Configure SwitchA. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] rrpp enable

Step 6 Verify the configuration.
After the configuration is complete and the network topology becomes stable,
perform the following operations to verify the configuration. The display on
SwitchA is used as an example.
# Run the display rrpp brief command on SwitchA. The following information is
displayed:
[SwitchA] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge

RRPP Protocol Status: Enable
RRPP Working Mode: HW
RRPP Linkup Delay Timer: 0 sec (0 sec default)
Number of RRPP Domains: 1

Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
1 0 M GigabitEthernet2/0/1 GigabitEthernet2/0/2 Yes

According to the preceding information, RRPP is enabled on SwitchA. The major
control VLAN of RRPP domain 1 is VLAN 20 and the sub-control VLAN is VLAN 21.
SwitchA is the master node in ring 1. The primary interface is
GigabitEthernet2/0/1 and the secondary interface is GigabitEthernet2/0/2.
# Run the display rrpp verbose domain command on SwitchA. The following
information is displayed:
[SwitchA] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

RRPP Ring :1
Ring Level :0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/1 Port status: UP
Secondary port : GigabitEthernet2/0/2 Port status: BLOCKED

The command output shows that the RRPP ring is complete.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2
level 0
ring 1 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2
level 0
ring 1 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 20 to 21 100 to 300
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2
level 0
ring 1 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
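The Configuration Notes for this example require STP to be disabled on every interface in the RRPP domain, and the procedure depends on the major control VLAN, the sub-control VLAN (major + 1) and the data VLANs all sitting in the protected instance and being allowed on both ring ports. The following Python script, added here and not part of the Huawei document, audits a configuration file in the format shown above for exactly those points; the sample input is an abridged copy of the SwitchA file, and the function names are assumptions.

```python
import re

_RING = re.compile(r"^ring (\d+) node-mode \S+ primary-port (\S+) secondary-port (\S+)")

def parse_vlan_list(spec):
    """'20 to 21 100 to 300' -> {20, 21, 100, ..., 300}; '2 to 3 5' also works."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_config(text):
    """Split a VRP configuration file into its '#'-delimited blocks (lists of lines)."""
    chunks = (chunk.strip().splitlines() for chunk in text.split("#"))
    return [[l.strip() for l in c] for c in chunks if c and c != ["return"]]

def check_ring_port(domain, port, cfg, protected):
    """Findings for one ring port: STP off, VLAN 1 removed, protected VLANs allowed."""
    findings = []
    if "stp disable" not in cfg:
        findings.append(f"{domain}: {port} still runs STP, which conflicts with RRPP")
    if "undo port trunk allow-pass vlan 1" not in cfg:
        findings.append(f"{domain}: {port} still allows VLAN 1")
    allowed = set()
    for line in cfg:
        if line.startswith("port trunk allow-pass vlan "):
            allowed |= parse_vlan_list(line.split("vlan ", 1)[1])
    missing = sorted(protected - allowed)
    if missing:
        findings.append(f"{domain}: {port} does not allow protected VLANs {missing[:5]}")
    return findings

def audit_rrpp(text):
    """Return a list of findings for one configuration file; empty means it passes."""
    blocks = parse_config(text)
    instances, interfaces, domains, findings = {}, {}, [], []
    for block in blocks:
        head = block[0]
        if head == "stp region-configuration":
            for line in block[1:]:
                if line.startswith("instance "):
                    _, inst, _, spec = line.split(maxsplit=3)
                    instances[int(inst)] = parse_vlan_list(spec)
        elif head.startswith("interface "):
            interfaces[head.split()[1]] = block[1:]
        elif head.startswith("rrpp domain "):
            domains.append(block)
    if ["rrpp enable"] not in blocks:
        findings.append("RRPP is not enabled globally")
    for dom in domains:
        name = dom[0]
        control = next((int(l.split()[1]) for l in dom if l.startswith("control-vlan ")), None)
        inst = next((int(l.split()[-1]) for l in dom
                     if l.startswith("protected-vlan reference-instance ")), None)
        if control is None or inst is None:
            findings.append(f"{name}: control VLAN or protected instance not configured")
            continue
        protected = instances.get(inst, set())
        # The sub-control VLAN is major + 1; both must be in the protected instance.
        if not {control, control + 1} <= protected:
            findings.append(f"{name}: control VLANs {control}/{control + 1} not in instance {inst}")
        for m in filter(None, map(_RING.match, dom)):
            if f"ring {m.group(1)} enable" not in dom:
                findings.append(f"{name}: ring {m.group(1)} is not enabled")
            for port in (m.group(2), m.group(3)):
                findings += check_ring_port(name, port, interfaces.get(port, []), protected)
    return findings

# Constructed input: an abridged copy of the SwitchA file shown above.
SWITCHA_CONFIG = """\
#
rrpp enable
#
stp region-configuration
instance 1 vlan 20 to 21 100 to 300
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 1 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
return
"""
```

Running audit_rrpp(SWITCHA_CONFIG) returns an empty list; removing the stp disable line from a ring port, or changing control-vlan to a value outside instance 1, produces a finding naming the domain and port.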

Relevant Information
Video
Configure RRPP

3.6.5.6 Example for Configuring Tangent RRPP Rings

Overview
Generally, a metro Ethernet network uses two-layer rings:
● One layer is the aggregation layer between aggregation devices PE-AGGs, for
example, RRPP domain 1 in Figure 3-97.
● The other layer is the access layer between PE-AGGs and UPEs, for example,
RRPP domain 2 and RRPP domain 3 in Figure 3-97.
In Figure 3-97, intersecting RRPP rings can be used. RRPP rings are configured at
aggregation and access layers, and the two layers are connected through tangent
RRPP rings.

Figure 3-97 Tangent RRPP rings

Two tangent rings cannot belong to the same RRPP domain. The tangent point of
the two tangent rings belongs to two RRPP domains, and the major node can be
located in the tangent point.
When there are multiple tangent RRPP rings, a fault on a ring does not affect
other domains and the convergence process of RRPP rings in a domain is the same
as that of a single ring.

Configuration Notes
● STP and Smart Link must be disabled on the interface added to an RRPP
domain.
● DHCP and MAC address limiting rules cannot be configured in an RRPP
control VLAN.
● When the mapping between the protected instance and MUX VLAN needs to
be configured, you are advised to configure the principal VLAN, subordinate
group VLAN, and subordinate separate VLAN in the MUX VLAN in the
protected instance. Otherwise, loops may occur.
● This example applies to all versions of all S series switches.

Networking Requirements
In Figure 3-97, the network is required to prevent loops when the ring is complete
and to implement fast convergence to rapidly restore communication between
nodes in the ring when the ring fails. RRPP can meet this requirement. RRPP
supports multiple rings. You can configure RRPP rings at the aggregation and
access layers. The two rings are tangent, simplifying the network configuration.
SwitchA, SwitchB, SwitchC, SwitchD, and SwitchE in Figure 3-98 correspond to
UPE1, UPE2, PE-AGG3, PE-AGG2, and PE-AGG1 in Figure 3-97, respectively. Figure
3-98 is used as an example to describe how to configure tangent RRPP rings with
a single instance.

Figure 3-98 Networking of tangent RRPP rings

Configuration Roadmap
The configuration roadmap is as follows:
1. Map the VLANs that need to pass through ring 1 to instance 1, including data
VLANs and control VLANs, which are used for configuring protected VLANs.
Map the VLANs that need to pass through ring 2 to instance 2, including data
VLANs and control VLANs, which are used for configuring protected VLANs.
2. Create RRPP domains, control VLANs and configure protected VLANs for
configuring RRPP rings.
3. Configure interfaces to be added to the RRPP domain on the devices so that
data can pass through the interfaces. Disable protocols that conflict with
RRPP, such as STP.
4. Create RRPP rings in RRPP domains.
a. Configure SwitchA, SwitchB, and SwitchC to be in ring 2 of RRPP domain
2.
b. Configure SwitchC, SwitchD, and SwitchE to be in ring 1 of RRPP domain
1.
c. Configure SwitchA as the master node in ring 2, and configure SwitchB
and SwitchC as transit nodes in ring 2.
d. Configure SwitchE as the master node in ring 1, and configure SwitchC
and SwitchD as transit nodes in ring 1.
5. Enable the RRPP ring and RRPP on devices.

Procedure
Step 1 Configure instance 2 and map it to the data VLANs and control VLANs allowed by
the RRPP interface.

# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, and
SwitchE are similar to the configuration of SwitchA, and are not mentioned here.
For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 2 vlan 20 to 21 //Add the major control VLAN and sub-control VLAN to instance 2.
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit

Step 2 Create RRPP domains and configure control VLANs and protected VLANs of the
RRPP domains.
# Configure SwitchE. The configurations of SwitchA, SwitchB, SwitchC, and
SwitchD are similar to the configuration of SwitchE, and are not mentioned here.
For details, see the configuration files.
[SwitchE] rrpp domain 1
[SwitchE-rrpp-domain-region1] control-vlan 10 //Each RRPP domain has a major control VLAN and a sub-control VLAN. You only need to specify the major control VLAN. The system uses the VLAN whose ID is one greater than the ID of the major control VLAN as the sub-control VLAN.
[SwitchE-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure instance 1 as the protected instance of the RRPP domain.
[SwitchE-rrpp-domain-region1] quit

Step 3 Configure the interfaces to be added to RRPP rings as trunk interfaces and disable
STP on the interfaces.
# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, and
SwitchE are similar to the configuration of SwitchA, and are not mentioned here.
For details, see the configuration files.
[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] port link-type trunk
[SwitchA-GigabitEthernet2/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/1] stp disable
[SwitchA-GigabitEthernet2/0/1] quit
[SwitchA] interface gigabitethernet 2/0/2
[SwitchA-GigabitEthernet2/0/2] port link-type trunk
[SwitchA-GigabitEthernet2/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet2/0/2] stp disable
[SwitchA-GigabitEthernet2/0/2] quit

Step 4 Create and enable the RRPP ring.


● Configure nodes in ring 2.
# Configure SwitchA as the master node in ring 2 and specify the primary and
secondary interfaces.
[SwitchA] rrpp domain 2
[SwitchA-rrpp-domain-region2] ring 2 node-mode master primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchA-rrpp-domain-region2] ring 2 enable
[SwitchA-rrpp-domain-region2] quit
# Configure SwitchB as a transit node in ring 2 (major ring) and specify the
primary and secondary interfaces.
[SwitchB] rrpp domain 2
[SwitchB-rrpp-domain-region2] ring 2 node-mode transit primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchB-rrpp-domain-region2] ring 2 enable
[SwitchB-rrpp-domain-region2] quit
# Configure SwitchC as a transit node in ring 2 and specify the primary and
secondary interfaces.

[SwitchC] rrpp domain 2
[SwitchC-rrpp-domain-region2] ring 2 node-mode transit primary-port gigabitethernet 2/0/1 secondary-port gigabitethernet 2/0/2 level 0
[SwitchC-rrpp-domain-region2] ring 2 enable
[SwitchC-rrpp-domain-region2] quit

● Configure nodes in ring 1.
# Configure SwitchE as the master node in ring 1 (major ring) and specify the primary and secondary interfaces.
[SwitchE] rrpp domain 1
[SwitchE-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
[SwitchE-rrpp-domain-region1] ring 1 enable
[SwitchE-rrpp-domain-region1] quit

# Configure SwitchC as a transit node in ring 1 and specify the primary and
secondary interfaces.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
[SwitchC-rrpp-domain-region1] ring 1 enable
[SwitchC-rrpp-domain-region1] quit

# Configure SwitchD as a transit node in ring 1 and specify the primary and
secondary interfaces.
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
[SwitchD-rrpp-domain-region1] ring 1 enable
[SwitchD-rrpp-domain-region1] quit

Step 5 Enable RRPP.


# Configure SwitchA. The configurations of SwitchB, SwitchC, SwitchD, and
SwitchE are similar to the configuration of SwitchA, and are not mentioned here.
For details, see the configuration files.
[SwitchA] rrpp enable

Step 6 Verify the configuration.


After the configuration is complete and the network topology becomes stable,
perform the following operations to verify the configuration. The tangent point
SwitchC is used as an example.
# Run the display rrpp brief command on SwitchC. The following information is
displayed:
[SwitchC] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge

RRPP Protocol Status: Enable
RRPP Working Mode: HW
RRPP Linkup Delay Timer: 0 sec (0 sec default)
Number of RRPP Domains: 2

Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
1 0 T GigabitEthernet1/0/1 GigabitEthernet1/0/2 Yes

Domain Index : 2
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
2 0 T GigabitEthernet2/0/1 GigabitEthernet2/0/2 Yes

According to the preceding information, RRPP is enabled on SwitchC. The major control VLAN of RRPP domain 1 is VLAN 10 and the sub-control VLAN is VLAN 11.
SwitchC is a transit node in ring 1. The primary interface is GigabitEthernet1/0/1
and the secondary interface is GigabitEthernet1/0/2.
The major control VLAN of SwitchC in RRPP domain 2 is VLAN 20 and the sub-
control VLAN is VLAN 21. SwitchC is a transit node in ring 2. The primary interface
is GigabitEthernet2/0/1 and the secondary interface is GigabitEthernet2/0/2.
On SwitchC, run the display rrpp verbose domain command. The following
information is displayed.
# Check detailed information about RRPP domain 1 on SwitchC.
[SwitchC] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 10 sub 11
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

RRPP Ring :1
Ring Level :0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/1 Port status: UP
Secondary port : GigabitEthernet1/0/2 Port status: UP

# Check detailed information about RRPP domain 2 on SwitchC.
[SwitchC] display rrpp verbose domain 2
Domain Index : 2
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 2
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

RRPP Ring :2
Ring Level :0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/1 Port status: UP
Secondary port : GigabitEthernet2/0/2 Port status: UP

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 20 to 21
#
rrpp enable
#
stp region-configuration
instance 2 vlan 20 to 21
active region-configuration
#
rrpp domain 2
control-vlan 20
protected-vlan reference-instance 2
ring 2 node-mode master primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 2 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 20 to 21
#
rrpp enable
#
stp region-configuration
instance 2 vlan 20 to 21
active region-configuration
#
rrpp domain 2
control-vlan 20
protected-vlan reference-instance 2
ring 2 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 2 enable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 10 to 11 20 to 21
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 to 11
instance 2 vlan 20 to 21
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/1 secondary-port GigabitEthernet1/0/2 level 0
ring 1 enable
rrpp domain 2
control-vlan 20
protected-vlan reference-instance 2
ring 2 node-mode transit primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
ring 2 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet2/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
interface GigabitEthernet2/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21
stp disable
#
return

● SwitchD configuration file
#
sysname SwitchD
#
vlan batch 10 to 11
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 to 11
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/1 secondary-port GigabitEthernet1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
return

● SwitchE configuration file
#
sysname SwitchE
#
vlan batch 10 to 11
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 to 11
active region-configuration
#
rrpp domain 1
control-vlan 10
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet1/0/1 secondary-port GigabitEthernet1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 to 11
stp disable
#
return
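The roadmap above amounts to a set of invariants that can be audited offline against a saved configuration file: the control VLANs are mapped to the protected instance, every ring port is a trunk with STP disabled that carries the protected VLANs, and RRPP is enabled. The following Python script is an added example, not Huawei's code; it parses the configuration-file format shown above (with VRP's usual one-space indentation of sub-commands, which the page rendering has stripped) and audits SwitchA's configuration with one defect deliberately introduced.

```python
import re
# Constructed sample: SwitchA's configuration file from this example (written
# with VRP's one-space indentation), plus one deliberate defect for the audit
# to catch: 'stp disable' is missing from GigabitEthernet2/0/2.
SAMPLE_CONFIG = """\
#
rrpp enable
#
stp region-configuration
 instance 2 vlan 20 to 21
#
rrpp domain 2
 control-vlan 20
 protected-vlan reference-instance 2
 ring 2 node-mode master primary-port GigabitEthernet2/0/1 secondary-port GigabitEthernet2/0/2 level 0
 ring 2 enable
#
interface GigabitEthernet2/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 to 21
 stp disable
#
interface GigabitEthernet2/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 20 to 21
#
return
"""

RING_RE = re.compile(r"ring (\d+) node-mode (?:master|transit) primary-port (\S+) "
                     r"secondary-port (\S+) level \d+")


def expand_vlans(spec: str) -> set:
    """Expand a VRP VLAN list such as '10 to 11 20 to 21' into a set of IDs."""
    vlans = set()
    for lo, hi in re.findall(r"(\d+)(?: to (\d+))?", spec):
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_sections(text: str) -> list:
    """Split a VRP config into (heading, sub-commands): '#' ends a section,
    an unindented line starts one, indented lines belong to the current one."""
    sections = []
    for raw in text.splitlines():
        if raw.strip() in ("", "#", "return"):
            continue
        if raw.startswith(" ") and sections:
            sections[-1][1].append(raw.strip())
        elif not raw.startswith(" "):
            sections.append((raw.strip(), []))
    return sections


def audit_rrpp(text: str) -> list:
    """Return findings as strings; an empty list means every invariant holds."""
    instances, interfaces, domains, rrpp_on = {}, {}, [], False
    for heading, body in parse_sections(text):
        if heading == "rrpp enable":
            rrpp_on = True
        elif heading == "stp region-configuration":
            for line in body:
                if m := re.match(r"instance (\d+) vlan (.+)", line):
                    instances[int(m.group(1))] = expand_vlans(m.group(2))
        elif heading.startswith("interface "):
            interfaces[heading.split()[1]] = body
        elif heading.startswith("rrpp domain "):
            domains.append((int(heading.split()[2]), body))
    findings = []
    if domains and not rrpp_on:
        findings.append("RRPP domains exist but 'rrpp enable' is missing (Step 5)")
    for dom_id, body in domains:
        control = instance = None
        ring_ports = []
        for line in body:
            if line.startswith("control-vlan "):
                control = int(line.split()[1])
            elif line.startswith("protected-vlan reference-instance "):
                instance = int(line.split()[2])
            elif m := RING_RE.match(line):
                ring_ports += [m.group(2), m.group(3)]
        protected = instances.get(instance, set())
        # Major and sub-control VLAN (major + 1) must be in the protected instance (Step 1).
        if control is None or not {control, control + 1} <= protected:
            findings.append(f"domain {dom_id}: control VLANs not mapped to instance {instance}")
        for port in ring_ports:
            cfg = interfaces.get(port, [])  # a missing interface fails every check below
            allowed = {v for ln in cfg if ln.startswith("port trunk allow-pass vlan ")
                       for v in expand_vlans(ln.split("vlan ", 1)[1])}
            if "port link-type trunk" not in cfg:
                findings.append(f"{port}: ring port is not a trunk interface")
            if "stp disable" not in cfg:
                findings.append(f"{port}: STP still enabled, conflicts with RRPP")
            if not protected <= allowed:
                findings.append(f"{port}: trunk drops protected VLANs {sorted(protected - allowed)}")
    return findings
```

Running audit_rrpp over each node's saved configuration file reports the defect on GigabitEthernet2/0/2; a clean file yields an empty list.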

Relevant Information
Video

Configure RRPP

3.6.5.7 Example for Configuring RRPP Snooping on a VPLS Network

Overview
RRPP snooping notifies a VPLS network of changes in an RRPP ring. After RRPP
snooping is enabled on sub-interfaces or VLANIF interfaces, the VPLS network can
transparently transmit RRPP packets, detect changes in the RRPP ring, and update
forwarding entries. This ensures that traffic can be rapidly switched to a non-
blocking path.

In Figure 3-99, UPEs constitute an RRPP ring and connect to the VPLS network
where NPEs are located. NPEs are connected through a PW, so they cannot serve
as RRPP nodes to respond to RRPP packets. As a result, the VPLS network cannot
detect changes to the RRPP ring status. When the RRPP ring topology changes,
each node on the VPLS network forwards downstream data according to the MAC
address table generated before the RRPP ring topology changes. Consequently, the
downstream traffic cannot be forwarded.

Figure 3-99 Networking for configuring RRPP snooping on a VPLS network

You can enable RRPP snooping on the sub-interface or VLANIF interface of NPED
and associate the interface with VSIs on the local device. When the RRPP ring is
faulty, NPED on the VPLS network deletes forwarding entries of VSIs (including
the associated VSIs) on the local node and forwarding entries of NPEB to re-learn
forwarding entries. This ensures that traffic can be switched to a normal path and
downstream traffic can be properly forwarded.

Configuration Notes
● RRPP and RRPP snooping cannot be configured on the same interface.
● SA series cards and XGE interfaces connected to ET1D2IPS0S00,
ET1D2FW00S00, ET1D2FW00S01, ET1D2FW00S02, and ACU2 cards do not
support RRPP snooping. In versions earlier than V200R007C00, X1E series cards do not support RRPP snooping.
● This example applies to the following products:
– S5700-HI, S5710-EI, S5720-EI, S5710-HI, S5720-HI, S5730-HI, S5731-H,
S5731S-H, S5731-S, S5731S-S, S5732-H
– S6700-EI, S6720-EI, S6720S-EI, S6720-HI, S6730S-S, S6730-H, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product series or product model, and click Hardware Center.

Relevant Information
Video
Configure RRPP

Networking Requirements
In Figure 3-100, SwitchA, SwitchB, SwitchC, and SwitchD constitute an RRPP ring.
The network is required to prevent loops when the ring is complete and to
implement fast convergence to rapidly restore communication between nodes in
the ring when the ring fails. The VPLS network can transparently transmit RRPP
packets, detect RRPP ring status changes, and update forwarding entries so that
traffic can be rapidly switched to a normal path according to the ring status.

Figure 3-100 Networking of RRPP snooping

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VPLS network.
2. Configure an RRPP ring to prevent loops and implement fast convergence
when a device fails.
3. Enable RRPP snooping so that the VPLS network can transparently transmit
RRPP packets and detect RRPP ring status change.
4. Associate interfaces with VSIs so that SwitchC and SwitchD on the VPLS
network can delete the MAC address tables of their VSIs when a fault occurs
on the RRPP ring network.

NOTE

VLAN termination sub-interfaces can be created on a non-VCMP client.

Procedure
Step 1 Configure VPLS. SwitchC is used as an example. The configuration of SwitchD is
similar to the configuration of SwitchC, and is not mentioned here. For details, see
the configuration files.

NOTE
This example provides only configurations of sub-interfaces on SwitchC and SwitchD connected to the RRPP ring. The configurations of devices on the VPLS network are not mentioned.

# Configure GE2/0/0.10 on SwitchC to allow the packets of VLAN 10 to pass through and bind GE2/0/0.10 to VSI 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] interface gigabitethernet 2/0/0
[SwitchC-GigabitEthernet2/0/0] undo portswitch
[SwitchC-GigabitEthernet2/0/0] quit
[SwitchC] interface gigabitethernet 2/0/0.10
[SwitchC-GigabitEthernet2/0/0.10] dot1q termination vid 10
[SwitchC-GigabitEthernet2/0/0.10] l2 binding vsi VSI10 //Bind a VSI to the sub-interface.
[SwitchC-GigabitEthernet2/0/0.10] quit

# Configure GE2/0/0.20 on SwitchC to allow packets of VLAN 20 (control VLAN of RRPP) to pass through and bind GE2/0/0.20 to VSI 20.
[SwitchC] interface gigabitethernet 2/0/0.20
[SwitchC-GigabitEthernet2/0/0.20] dot1q termination vid 20
[SwitchC-GigabitEthernet2/0/0.20] l2 binding vsi VSI20
[SwitchC-GigabitEthernet2/0/0.20] quit

Step 2 Create an RRPP domain and its control VLAN.


# Create VLAN 10 on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] stp region-configuration
[SwitchA-mst-region] instance 1 vlan 10 20 21 //Add the major control VLAN, sub-control VLAN, and data VLAN to instance 1.
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit

# Configure SwitchA (master node in ring 1) in RRPP domain 1 and VLAN 20 as the control VLAN.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure instance 1 as the protected instance of the RRPP domain.
[SwitchA-rrpp-domain-region1] control-vlan 20 //Each RRPP domain has a major control VLAN and a sub-control VLAN. You only need to specify the major control VLAN. The system uses the VLAN whose ID is one greater than the ID of the major control VLAN as the sub-control VLAN.
[SwitchA-rrpp-domain-region1] quit

# Create VLAN 10 on SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10
[SwitchB] stp region-configuration
[SwitchB-mst-region] instance 1 vlan 10 20 21
[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit

# Configure SwitchB (transit node in ring 1) in RRPP domain 1 and VLAN 20 as the control VLAN.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchB-rrpp-domain-region1] control-vlan 20
[SwitchB-rrpp-domain-region1] quit

Step 3 Disable STP on the interfaces to be added to the RRPP ring.


# Disable STP on the interfaces to be added to the RRPP ring on SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] stp disable
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/2] stp disable
[SwitchA-GigabitEthernet1/0/2] quit

# Disable STP on the interfaces to be added to the RRPP ring on SwitchB.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet1/0/1] stp disable
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet1/0/2] stp disable
[SwitchB-GigabitEthernet1/0/2] quit

Step 4 Create an RRPP ring.


# Configure SwitchA as the master node in ring 1 and specify the primary and
secondary interfaces.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
[SwitchA-rrpp-domain-region1] ring 1 enable
[SwitchA-rrpp-domain-region1] quit

# Configure SwitchB as a transit node in ring 1 (major ring) and specify the
primary and secondary interfaces.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0
[SwitchB-rrpp-domain-region1] ring 1 enable
[SwitchB-rrpp-domain-region1] quit

Step 5 Enable RRPP.


# Enable RRPP on SwitchA.
[SwitchA] rrpp enable

# Enable RRPP on SwitchB.
[SwitchB] rrpp enable

Step 6 Configure RRPP snooping.


# Enable RRPP snooping on GE2/0/0.20 of SwitchC.
[SwitchC] interface gigabitethernet 2/0/0.20
[SwitchC-GigabitEthernet2/0/0.20] rrpp snooping enable

# Enable RRPP snooping on GE2/0/0.20 of SwitchD.
[SwitchD] interface gigabitethernet 2/0/0.20
[SwitchD-GigabitEthernet2/0/0.20] rrpp snooping enable

Step 7 Configure association between interfaces and VSIs.


# Associate VSI 10 with GE2/0/0.20 on SwitchC.
[SwitchC-GigabitEthernet2/0/0.20] rrpp snooping vsi VSI10
[SwitchC-GigabitEthernet2/0/0.20] quit

# Associate VSI 10 with GE2/0/0.20 on SwitchD.
[SwitchD-GigabitEthernet2/0/0.20] rrpp snooping vsi VSI10
[SwitchD-GigabitEthernet2/0/0.20] quit

Step 8 Verify the configuration.


After the configuration is complete and the network topology becomes stable,
perform the following operations to verify the configuration. SwitchA is used as an
example.
● Run the display rrpp brief command on SwitchA. The following information
is displayed:
[SwitchA] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge

RRPP Protocol Status: Enable
RRPP Working Mode: HW
RRPP Linkup Delay Timer: 0 sec (0 sec default)
Number of RRPP Domains: 1

Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
1 0 M GigabitEthernet1/0/1 GigabitEthernet1/0/2 Yes

According to the preceding information, RRPP is enabled on SwitchA. The major control VLAN of RRPP domain 1 is VLAN 20 and the sub-control VLAN is VLAN 21. SwitchA is the master node in ring 1. The primary interface is GE1/0/1 and the secondary interface is GE1/0/2.
● Run the display rrpp verbose domain command on SwitchA. The following
information is displayed.
# Check detailed information about RRPP domain 1 on SwitchA.
[SwitchA] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

RRPP Ring :1
Ring Level :0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active : Yes
Primary port : GigabitEthernet1/0/1 Port status: UP
Secondary port : GigabitEthernet1/0/2 Port status: BLOCKED

# Check the RRPP snooping configuration on GE2/0/0.20 of SwitchC.
[SwitchC] display rrpp snooping enable interface gigabitethernet 2/0/0.20
Port VsiName Vlan
---------------------------------------------------------------------------
GigabitEthernet2/0/0.20 VSI20 20

The preceding information shows that VSI 20 and VLAN 20 are associated
with GE2/0/0.20.
# Check information about other VSIs associated with GE2/0/0.20 on SwitchC.
[SwitchC] display rrpp snooping vsi interface gigabitethernet 2/0/0.20
Port VsiName
---------------------------------------------------------------------
GigabitEthernet2/0/0.20 VSI10
GigabitEthernet2/0/0.20 VSI20

The preceding information shows that GE2/0/0.20 is associated with VSI 10 and VSI 20.

----End
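The display rrpp verbose domain output shown in the verification steps of this example and of the tangent-ring example can also be checked automatically, which matters when many ring nodes are polled. The following Python script is an added example, not Huawei's code: it parses that output into one record per ring and flags the states an operator should not see, in particular a master node reporting Complete while its secondary port still forwards, which means nothing is breaking the loop. The sample outputs are constructed from the ones shown on this page.

```python
import re
from dataclasses import dataclass

# Constructed from the verification output shown on this page for SwitchA
# (master node, RRPP snooping example) and SwitchC (transit node, domain 2
# of the tangent-ring example).
MASTER_OUTPUT = """\
Domain Index : 1
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 1

RRPP Ring :1
Ring Level :0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active : Yes
Primary port : GigabitEthernet1/0/1 Port status: UP
Secondary port : GigabitEthernet1/0/2 Port status: BLOCKED
"""
TRANSIT_OUTPUT = """\
Domain Index : 2
Control VLAN : major 20 sub 21
Protected VLAN : Reference Instance 2

RRPP Ring :2
Ring Level :0
Node Mode : Transit
Ring State : LinkUp
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet2/0/1 Port status: UP
Secondary port : GigabitEthernet2/0/2 Port status: UP
"""
# Constructed degraded case: the master reports Complete while its secondary
# port forwards, so no port breaks the ring and a Layer 2 loop is possible.
LOOP_RISK_OUTPUT = MASTER_OUTPUT.replace("Port status: BLOCKED", "Port status: UP")


@dataclass
class RingStatus:
    domain: int
    ring: int
    node_mode: str
    ring_state: str
    enabled: str
    active: str
    primary: tuple    # (interface, port status)
    secondary: tuple  # (interface, port status)


# The page's output varies its spacing around ':', so every regex allows \s*.
FIELD_RES = {
    "node_mode": re.compile(r"Node Mode\s*:\s*(\w+)"),
    "ring_state": re.compile(r"Ring State\s*:\s*(\w+)"),
    "enabled": re.compile(r"Is Enabled\s*:\s*(\w+)"),
    "active": re.compile(r"Is Active\s*:\s*(\w+)"),
    "primary": re.compile(r"Primary port\s*:\s*(\S+)\s+Port status\s*:\s*(\w+)"),
    "secondary": re.compile(r"Secondary port\s*:\s*(\S+)\s+Port status\s*:\s*(\w+)"),
}


def parse_rrpp_verbose(text: str) -> list:
    """Parse 'display rrpp verbose domain' output into one RingStatus per ring."""
    rings, domain, cur = [], None, None
    for line in text.splitlines():
        if m := re.match(r"Domain Index\s*:\s*(\d+)", line):
            domain = int(m.group(1))
        elif m := re.match(r"RRPP Ring\s*:\s*(\d+)", line):
            cur = {"domain": domain, "ring": int(m.group(1))}
        elif cur is not None:
            for key, rx in FIELD_RES.items():
                if m := rx.search(line):
                    cur[key] = m.groups() if len(m.groups()) > 1 else m.group(1)
            if "secondary" in cur:  # last field of a ring block
                rings.append(RingStatus(**cur))
                cur = None
    return rings


def check_ring(r: RingStatus) -> list:
    """Findings for one ring; empty means the ring is in the expected state."""
    tag = f"domain {r.domain} ring {r.ring} ({r.node_mode})"
    findings = []
    if r.enabled != "Enable" or r.active != "Yes":
        findings.append(f"{tag}: ring is not enabled and active")
    if r.node_mode == "Master":
        if r.ring_state != "Complete":
            findings.append(f"{tag}: state {r.ring_state}, the ring is broken somewhere")
        elif r.secondary[1] != "BLOCKED":
            findings.append(f"{tag}: Complete but secondary port {r.secondary[0]} is "
                            f"{r.secondary[1]}, expected BLOCKED to break the loop")
    elif r.node_mode == "Transit":
        down = [p for p, s in (r.primary, r.secondary) if s != "UP"]
        if r.ring_state != "LinkUp" or down:
            findings.append(f"{tag}: state {r.ring_state}, ports not UP: {down}")
    return findings


def check_all(text: str) -> list:
    """Run check_ring over every ring found in the output."""
    return [f for r in parse_rrpp_verbose(text) for f in check_ring(r)]
```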

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20 to 21
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 20 to 21
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet1/0/1 secondary-port GigabitEthernet1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 to 21
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 to 21
stp disable
#
return

● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 20 to 21
#
rrpp enable
#
stp region-configuration
instance 1 vlan 10 20 to 21
active region-configuration
#
rrpp domain 1
control-vlan 20
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet1/0/1 secondary-port GigabitEthernet1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 to 21
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 to 21
stp disable
#
return
● SwitchC configuration file
#
sysname SwitchC
#
interface GigabitEthernet2/0/0
undo portswitch
#
interface GigabitEthernet2/0/0.10
dot1q termination vid 10
l2 binding vsi VSI10
#
interface GigabitEthernet2/0/0.20
dot1q termination vid 20
l2 binding vsi VSI20
rrpp snooping enable
rrpp snooping vsi VSI10
#
return
● SwitchD configuration file
#
sysname SwitchD
#
interface GigabitEthernet2/0/0
undo portswitch
#
interface GigabitEthernet2/0/0.10
dot1q termination vid 10
l2 binding vsi VSI10
#
interface GigabitEthernet2/0/0.20
dot1q termination vid 20
l2 binding vsi VSI20
rrpp snooping enable
rrpp snooping vsi VSI10
#
return

3.6.5.8 Example for Configuring SEP and MSTP on a Network

Overview
Generally, redundant links are used to provide link backup and enhance network
reliability. The use of redundant links, however, may produce loops. Loops cause
infinite looping of packets, leading to broadcast storms and MAC address table
instability. As a result, the communication quality deteriorates, and
communication services may be interrupted. To block redundant links and ensure
that they can be restored immediately to resume communication when a link fault
occurs on a ring network, you can deploy SEP and MSTP on the ring network.

Configuration Notes
This example applies to all versions of all S series switches.

Networking Requirements
Company A needs to deploy multiple Layer 2 access devices. In Figure 3-101,
Layer 2 switching devices form a ring at the access layer, and Layer 3 devices form
a ring at the aggregation layer. The aggregation layer uses MSTP to eliminate
redundant links. Company A requires that services be rapidly switched to prevent
traffic interruption when a link at the access layer fails.
You can deploy multiple Layer 2 devices in a ring and configure SEP to meet the
following requirements of company A:
● When there is no faulty link on the ring network, SEP can eliminate loops.
● When a link fails on the ring network, SEP can quickly restore communication
between nodes in the ring.
● The topology change notification function is configured on an edge device in
a SEP segment so that devices on the upper-layer network can promptly
detect topology changes on the lower-layer network. After receiving a
topology change notification from a lower-layer network, a device on an
upper-layer network sends a TC packet to instruct other devices to delete
original MAC addresses and learn new MAC addresses. This ensures nonstop
traffic forwarding.

Figure 3-101 SEP and MSTP networking

NOTE
In this example, NPE1 and NPE2 use NE40Es running V600R008C00.
To ensure reliability of the entire network, you are advised to configure the following functions:
● VRRP group between NPE1 and NPE2 to improve device-level reliability
● BFD session between NPE1 and NPE2 to detect the link status and therefore
implement fast switchover in the VRRP group

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic SEP functions.
a. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as
the control VLAN of SEP segment 1.
b. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles on
edge devices (LSW1 and LSW2) of the SEP segment.
NOTE
PE1 and PE2 do not support the SEP protocol; therefore, the interfaces of LSW1 and LSW2 connected to the PEs must be no-neighbor edge interfaces.
c. On the device where the no-neighbor primary edge interface is located,
specify the interface in the middle of the SEP segment as the interface to
block.
d. Configure manual preemption.
e. Configure the topology change notification function so that the upper-
layer network running MSTP can be notified of topology changes in the
SEP segment.
2. Configure basic MSTP functions.
a. Add PE1 to PE4, LSW1, and LSW2 to the MST region RG1.
b. Create VLANs on PE1 to PE4, LSW1, and LSW2 and add interfaces on the
STP ring to the VLANs.
c. Configure PE3 as the root bridge and PE4 as the secondary root bridge.
3. Set up a single-hop BFD session between NPE1 and NPE2 to detect the status
of the interfaces configured with VRRP. Then, report the detection result to
VRRP to complete VRRP fast switching.
4. Configure VRRP.
a. Create VRRP group 1 on GE 1/0/1 of NPE1, and set a higher VRRP priority
for NPE1 to ensure that NPE1 functions as the master.
b. Create VRRP group 1 on GE 1/0/1 of NPE2, and allow NPE2 to use the default VRRP priority.
c. Bind a BFD session to VRRP group 1.
5. Configure Layer 2 forwarding on the CE and LSW1 to LSW3.

NOTE
PE1 and PE2 are aggregation switches, PE3 is the root bridge, PE4 is the secondary root bridge, LSWs are access switches, and CEs are user-side switches.

Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the
control VLAN of SEP segment 1.
# Configure access switch LSW1.
<HUAWEI> system-view
[HUAWEI] sysname LSW1

[LSW1] sep segment 1 //Create SEP segment 1.
[LSW1-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[LSW1-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
[LSW1-sep-segment1] quit
# Configure access switch LSW2.
<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] sep segment 1 //Create SEP segment 1.
[LSW2-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[LSW2-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
[LSW2-sep-segment1] quit
# Configure access switch LSW3.
<HUAWEI> system-view
[HUAWEI] sysname LSW3
[LSW3] sep segment 1 //Create SEP segment 1.
[LSW3-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[LSW3-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
[LSW3-sep-segment1] quit

NOTE

– The control VLAN must be a VLAN that has not been created or used. However, the
command for creating a common VLAN is automatically displayed in the configuration
file after the control VLAN is created.
– Each SEP segment must have a control VLAN. After an interface is added to a SEP
segment that has a control VLAN, the interface is automatically added to the control
VLAN.
2. Add access switch LSW1 to LSW3 to SEP segment 1 and configure interface
roles.
NOTE

By default, STP is enabled on Layer 2 interfaces. Before adding an interface to a SEP
segment, disable STP on the interface.
# Configure access switch LSW1.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] port link-type hybrid
[LSW1-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor primary //Configure the interface as
the no-neighbor primary edge interface and add it to SEP segment 1.
[LSW1-GigabitEthernet1/0/1] quit
[LSW1] interface gigabitethernet 1/0/2
[LSW1-GigabitEthernet1/0/2] port link-type hybrid
[LSW1-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW1-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment 1.
[LSW1-GigabitEthernet1/0/2] quit
# Configure access switch LSW2.
[LSW2] interface gigabitethernet 1/0/1
[LSW2-GigabitEthernet1/0/1] port link-type hybrid
[LSW2-GigabitEthernet1/0/1] sep segment 1 edge no-neighbor secondary //Configure the interface
as the no-neighbor secondary edge interface and add it to SEP segment 1.
[LSW2-GigabitEthernet1/0/1] quit
[LSW2] interface gigabitethernet 1/0/2
[LSW2-GigabitEthernet1/0/2] port link-type hybrid
[LSW2-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW2-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment 1.
[LSW2-GigabitEthernet1/0/2] quit
# Configure access switch LSW3.
[LSW3] interface gigabitethernet 1/0/1
[LSW3-GigabitEthernet1/0/1] port link-type hybrid
[LSW3-GigabitEthernet1/0/1] stp disable //Disable STP.
[LSW3-GigabitEthernet1/0/1] sep segment 1 //Add the interface to SEP segment 1.
[LSW3-GigabitEthernet1/0/1] quit

[LSW3] interface gigabitethernet 1/0/2
[LSW3-GigabitEthernet1/0/2] port link-type hybrid
[LSW3-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW3-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment 1.
[LSW3-GigabitEthernet1/0/2] quit
3. Specify a blocking interface.
# In SEP segment 1, set the mode of blocking an interface on access switch
LSW1 where the no-neighbor primary edge interface is located to block the
interface in the middle of the SEP segment.
[LSW1] sep segment 1
[LSW1-sep-segment1] block port middle
4. Configure a preemption mode.
# Configure manual preemption on access switch LSW1.
[LSW1-sep-segment1] preempt manual
5. Configure the SEP topology change notification function.
Configure devices in SEP segment 1 to notify the MSTP network of topology
changes.
# Configure access switch LSW1.
[LSW1-sep-segment1] tc-notify stp
[LSW1-sep-segment1] quit
# Configure access switch LSW2.
[LSW2] sep segment 1
[LSW2-sep-segment1] tc-notify stp
[LSW2-sep-segment1] quit

Step 2 Configure basic MSTP functions.
1. Configure an MST region.
# Configure aggregation switch PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] stp region-configuration //Enter the MST region view.
[PE1-mst-region] region-name RG1 //Configure the MST region name as RG1.
[PE1-mst-region] active region-configuration //Activate MST region configuration.
[PE1-mst-region] quit
# Configure aggregation switch PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] stp region-configuration //Enter the MST region view.
[PE2-mst-region] region-name RG1 //Configure the MST region name as RG1.
[PE2-mst-region] active region-configuration //Activate MST region configuration.
[PE2-mst-region] quit
# Configure aggregation switch PE3.
<HUAWEI> system-view
[HUAWEI] sysname PE3
[PE3] stp region-configuration //Enter the MST region view.
[PE3-mst-region] region-name RG1 //Configure the MST region name as RG1.
[PE3-mst-region] active region-configuration //Activate MST region configuration.
[PE3-mst-region] quit
# Configure aggregation switch PE4.
<HUAWEI> system-view
[HUAWEI] sysname PE4
[PE4] stp region-configuration //Enter the MST region view.
[PE4-mst-region] region-name RG1 //Configure the MST region name as RG1.
[PE4-mst-region] active region-configuration //Activate MST region configuration.
[PE4-mst-region] quit
# Configure access switch LSW1.

[LSW1] stp region-configuration //Enter the MST region view.
[LSW1-mst-region] region-name RG1 //Configure the MST region name as RG1.
[LSW1-mst-region] active region-configuration //Activate MST region configuration.
[LSW1-mst-region] quit
# Configure access switch LSW2.
[LSW2] stp region-configuration //Enter the MST region view.
[LSW2-mst-region] region-name RG1 //Configure the MST region name as RG1.
[LSW2-mst-region] active region-configuration //Activate MST region configuration.
[LSW2-mst-region] quit
2. Create a VLAN and add interfaces on the ring network to the VLAN.
# On aggregation switch PE1, create VLAN 100 and add GE1/0/1, GE1/0/2,
and GE1/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type hybrid
[PE1-GigabitEthernet1/0/1] port hybrid tagged vlan 100
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type hybrid
[PE1-GigabitEthernet1/0/2] port hybrid tagged vlan 100
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] port link-type hybrid
[PE1-GigabitEthernet1/0/3] port hybrid tagged vlan 100
[PE1-GigabitEthernet1/0/3] quit
# On aggregation switch PE2, PE3, and PE4, create VLAN 100 and add
GE1/0/1, GE1/0/2, and GE1/0/3 to VLAN 100.
The configurations of aggregation switch PE2, PE3, and PE4 are similar to the
configuration of aggregation switch PE1, and are not mentioned here. For
details, see configuration files in this example.
On access switch LSW1 and LSW2, create VLAN 100 and add GE1/0/1 to
VLAN 100. The configurations of access switch LSW1 and LSW2 are similar to
the configuration of aggregation switch PE1, and are not mentioned here. For
details, see configuration files in this example.
3. Enable MSTP.
# Configure aggregation switch PE1.
[PE1] stp enable
# Configure aggregation switch PE2.
[PE2] stp enable
# Configure aggregation switch PE3.
[PE3] stp enable
# Configure aggregation switch PE4.
[PE4] stp enable
# Configure access switch LSW1.
[LSW1] stp enable
# Configure access switch LSW2.
[LSW2] stp enable
4. Configure aggregation switch PE3 as the root bridge and aggregation switch
PE4 as the secondary root bridge.
# Set the priority of aggregation switch PE3 to 0 in MSTI 0 to ensure that
aggregation switch PE3 functions as the root bridge.
[PE3] stp root primary

# Set the priority of aggregation switch PE4 to 4096 in MSTI 0 to ensure that
aggregation switch PE4 functions as the secondary root bridge.
[PE4] stp root secondary

Step 3 Configure VLAN 100 to transmit VRRP packets and VLAN 200 to transmit BFD
packets.

# Configure aggregation switch PE3.
[PE3] vlan batch 100 200
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] port link-type hybrid
[PE3-GigabitEthernet1/0/2] port hybrid tagged vlan 100 200
[PE3-GigabitEthernet1/0/2] quit
[PE3] interface gigabitethernet 1/0/3
[PE3-GigabitEthernet1/0/3] port link-type hybrid
[PE3-GigabitEthernet1/0/3] port hybrid tagged vlan 100 200
[PE3-GigabitEthernet1/0/3] quit

# Configure aggregation switch PE4.
[PE4] vlan batch 100 200
[PE4] interface gigabitethernet 1/0/2
[PE4-GigabitEthernet1/0/2] port link-type hybrid
[PE4-GigabitEthernet1/0/2] port hybrid tagged vlan 100 200
[PE4-GigabitEthernet1/0/2] quit
[PE4] interface gigabitethernet 1/0/3
[PE4-GigabitEthernet1/0/3] port link-type hybrid
[PE4-GigabitEthernet1/0/3] port hybrid tagged vlan 100 200
[PE4-GigabitEthernet1/0/3] quit

Step 4 Configure a BFD session.
1. Configure IP addresses for interfaces.
# Configure an IP address for an interface on NPE1 and create a sub-interface
for the interface.
<HUAWEI> system-view
[HUAWEI] sysname NPE1
[NPE1] vlan 100
[NPE1-vlan100] quit
[NPE1] interface gigabitethernet 1/0/1
[NPE1-GigabitEthernet1/0/1] undo shutdown
[NPE1-GigabitEthernet1/0/1] ip address 10.2.1.1 24
[NPE1-GigabitEthernet1/0/1] quit
[NPE1] interface gigabitethernet 1/0/1.1
[NPE1-GigabitEthernet1/0/1.1] undo shutdown
[NPE1-GigabitEthernet1/0/1.1] vlan-type dot1q 100
[NPE1-GigabitEthernet1/0/1.1] ip address 10.1.1.1 24
[NPE1-GigabitEthernet1/0/1.1] quit

# Configure an IP address for an interface on NPE2 and create a sub-interface
for the interface.
<HUAWEI> system-view
[HUAWEI] sysname NPE2
[NPE2] vlan 100
[NPE2-vlan100] quit
[NPE2] interface gigabitethernet 1/0/1
[NPE2-GigabitEthernet1/0/1] undo shutdown
[NPE2-GigabitEthernet1/0/1] ip address 10.2.1.2 24
[NPE2-GigabitEthernet1/0/1] quit
[NPE2] interface gigabitethernet 1/0/1.1
[NPE2-GigabitEthernet1/0/1.1] undo shutdown
[NPE2-GigabitEthernet1/0/1.1] vlan-type dot1q 100
[NPE2-GigabitEthernet1/0/1.1] ip address 10.1.1.2 24
[NPE2-GigabitEthernet1/0/1.1] quit

2. Create a BFD session.
# Enable BFD on NPE1 and configure a BFD session between NPE1 and NPE2.
[NPE1] bfd
[NPE1-bfd] quit
[NPE1] bfd NPE2 bind peer-ip default-ip interface gigabitethernet 1/0/1 //Configure a static BFD
session to monitor the link of the VRRP group.
[NPE1-bfd-session-npe2] discriminator local 1
[NPE1-bfd-session-npe2] discriminator remote 2
[NPE1-bfd-session-npe2] commit
[NPE1-bfd-session-npe2] quit

# Enable BFD on NPE2 and configure a BFD session between NPE1 and NPE2.
[NPE2] bfd
[NPE2-bfd] quit
[NPE2] bfd NPE1 bind peer-ip default-ip interface gigabitethernet 1/0/1 //Configure a static BFD
session to monitor the link of the VRRP group.
[NPE2-bfd-session-npe1] discriminator local 2
[NPE2-bfd-session-npe1] discriminator remote 1
[NPE2-bfd-session-npe1] commit
[NPE2-bfd-session-npe1] quit

# After completing the configuration, run the display bfd session all command on
NPE1 and NPE2. The command output shows that the BFD session is set up
between NPE1 and NPE2 and its status is Up.
Use the display on NPE1 as an example.
[NPE1] display bfd session all
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
1 2 224.0.0.184 Up S_IP_IF GigabitEthernet1/0/1
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0

3. Configure association between BFD status and sub-interface status.
# Configure NPE1.
[NPE1] bfd
[NPE1-bfd] quit
[NPE1] bfd NPE2
[NPE1-bfd-session-npe2] process-interface-status sub-if
[NPE1-bfd-session-npe2] commit
[NPE1-bfd-session-npe2] quit

# Configure NPE2.
[NPE2] bfd
[NPE2-bfd] quit
[NPE2] bfd NPE1
[NPE2-bfd-session-npe1] process-interface-status sub-if
[NPE2-bfd-session-npe1] commit
[NPE2-bfd-session-npe1] quit

After completing the preceding configurations, run the display bfd session all
verbose command on NPE1 and NPE2. Check that the Proc interface status
field displays Enable (Sub-If).
Use the display on NPE1 as an example.
[NPE1] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 257 (One Hop) State : Up Name : npe2
--------------------------------------------------------------------------------
Local Discriminator : 1 Remote Discriminator : 2
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer IP Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184

Bind Interface : GigabitEthernet1/0/1
FSM Board Id :0 TOS-EXP :7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000
Local Detect Multi :3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number :-
Destination Port : 3784 TTL : 255
Proc Interface Status : Enable(Sub-If) Process PST : Disable
WTR Interval (ms) :- Local Demand Mode : Disable
Active Multi :3
Last Local Diagnostic : No Diagnostic
Bind Application : IFNET
Session TX TmrID : 93 Session Detect TmrID : 94
Session Init TmrID :- Session WTR TmrID :-
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------

Total UP/DOWN Session Number : 1/0

Step 5 Configure VRRP.

● # Configure an IP address for an interface on NPE1, create VRRP group 1, and
set the VRRP priority of NPE1 to 120 so that NPE1 can function as the master.
[NPE1] interface gigabitethernet 1/0/1.1
[NPE1-GigabitEthernet1/0/1.1] vrrp vrid 1 virtual-ip 10.1.1.10
[NPE1-GigabitEthernet1/0/1.1] vrrp vrid 1 priority 120 //The default priority of a device in a VRRP
group is 100. Change the priority of the master to be higher than that of the backup.
[NPE1-GigabitEthernet1/0/1.1] vrrp vrid 1 preempt-mode timer delay 10 //A device in a VRRP
group uses immediate preemption by default. Change the preemption delay of the master to prevent
service interruptions on an unstable network where devices in the VRRP group preempt to be the
master.

● # Configure an IP address for an interface on NPE2, create VRRP group 1, and
allow NPE2 to use the default priority so that NPE2 functions as the backup.
[NPE2] interface gigabitethernet 1/0/1.1
[NPE2-GigabitEthernet1/0/1.1] vrrp vrid 1 virtual-ip 10.1.1.10

● # On NPE1, bind the VRRP group and the BFD session.
[NPE1-GigabitEthernet1/0/1.1] vrrp vrid 1 track bfd-session 1 peer
[NPE1-GigabitEthernet1/0/1.1] quit

● # On NPE2, bind the VRRP group and the BFD session.
[NPE2-GigabitEthernet1/0/1.1] vrrp vrid 1 track bfd-session 2 peer
[NPE2-GigabitEthernet1/0/1.1] quit

After completing the preceding configurations, run the display vrrp command on
NPE1. Check that the status of NPE1 is Master. Run the display vrrp command on
NPE2. Check that the status of NPE2 is Backup.
[NPE1] display vrrp
GigabitEthernet1/0/1.1 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.10
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 10
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Config track link-bfd down-number : 0

Track BFD : 1 type: peer
BFD-session state : UP
Create time : 2013-12-29 22:46:32 UTC+07:00
Last change time : 2013-12-29 22:46:35 UTC+07:00
[NPE2] display vrrp
GigabitEthernet1/0/1.1 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.10
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Config track link-bfd down-number : 0
Track BFD : 2 type: peer
BFD-session state : UP
Create time : 2013-12-29 22:46:32 UTC+07:00
Last change time : 2013-12-29 22:46:35 UTC+07:00

Step 6 Configure the Layer 2 forwarding function on the user-side switch CE and access
switch LSW1 to LSW3.
The configuration details are not mentioned here. For details, see configuration
files in this example.
Step 7 Verify the configuration.
After the configuration is complete and the network topology becomes stable,
perform the following operations to verify the configuration.
● # Run the shutdown command on GE1/0/1 of LSW2 to simulate a fault, and
then run the display sep interface command on LSW3 to check whether
GE1/0/2 on LSW3 changes from the discarding state to the forwarding state.
<LSW3> display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE1/0/2 common up forwarding
● Run the shutdown command on GE 1/0/1.1 on NPE1 to simulate an interface
fault, and then run the display vrrp command on NPE2 to check whether the
status of NPE2 changes from backup to master.
[NPE2] display vrrp
GigabitEthernet1/0/1.1 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.10
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Config track link-bfd down-number : 0

Track BFD : 2 type: peer
BFD-session state : DOWN
Create time : 2013-12-29 22:46:32 UTC+07:00
Last change time : 2013-12-30 00:12:10 UTC+07:00
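The failover check of this step, as an added example that is not part of the original Huawei document: a small Python parser for the display vrrp output shown above, with the states NPE2 is expected to show before and after the simulated fault on NPE1 (the sample outputs are constructed abridgements of the ones above).

```python
"""Added check (not Huawei tooling): parse the 'display vrrp' output from this
verification step and confirm the backup's expected VRRP/BFD states before and
after the simulated fault on NPE1."""
import re

# Constructed samples: the two NPE2 outputs shown above, abridged to key fields.
NPE2_BEFORE = """\
GigabitEthernet1/0/1.1 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.10
PriorityRun : 100
MasterPriority : 120
Track BFD : 2 type: peer
BFD-session state : UP"""
NPE2_AFTER = """\
GigabitEthernet1/0/1.1 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.10
PriorityRun : 100
MasterPriority : 100
Track BFD : 2 type: peer
BFD-session state : DOWN"""

# Field name -> regex; numeric fields are converted to int by parse_vrrp.
FIELDS = {
    "state": r"^State\s*:\s*(\w+)",
    "bfd": r"^BFD-session state\s*:\s*(\w+)",
    "prio": r"^PriorityRun\s*:\s*(\d+)",
    "master_prio": r"^MasterPriority\s*:\s*(\d+)",
    "track": r"^Track BFD\s*:\s*(\d+)",
}

def parse_vrrp(text):
    """Extract the fields in FIELDS from one 'display vrrp' block."""
    out = {}
    for key, pat in FIELDS.items():
        m = re.search(pat, text, re.MULTILINE)
        if m:
            out[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
    return out

def check_failover(before, after):
    """Problems with a backup's state before/after the master fails (empty = OK)."""
    b, a = parse_vrrp(before), parse_vrrp(after)
    problems = []
    if b.get("state") != "Backup" or b.get("bfd") != "UP":
        problems.append("before the fault the device should be Backup with BFD UP")
    if a.get("state") != "Master" or a.get("bfd") != "DOWN":
        problems.append("after the fault the device should be Master with BFD DOWN")
    # Once it is master, the advertised master priority must be its own PriorityRun.
    if a.get("master_prio") != a.get("prio"):
        problems.append("MasterPriority does not match the new master's PriorityRun")
    if b.get("track") != a.get("track"):
        problems.append("tracked BFD session changed across the switchover")
    return problems
```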

----End

Configuration Files
● LSW1 configuration file
#
sysname LSW1
#
vlan batch 10 100
#
stp region-configuration
region-name RG1
active region-configuration
#
sep segment 1
control-vlan 10
block port middle
tc-notify stp
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100
sep segment 1 edge no-neighbor primary
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
return
● LSW2 configuration file
#
sysname LSW2
#
vlan batch 10 100
#
stp region-configuration
region-name RG1
active region-configuration
#
sep segment 1
control-vlan 10
tc-notify stp
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100
sep segment 1 edge no-neighbor secondary
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
return
● LSW3 configuration file
#
sysname LSW3

#
vlan batch 10 100
#
sep segment 1
control-vlan 10
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100
#
return
● PE1 configuration file
#
sysname PE1
#
vlan batch 100
#
stp region-configuration
region-name RG1
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100
#
return
● PE2 configuration file
#
sysname PE2
#
vlan batch 100
#
stp region-configuration
region-name RG1
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100

#
return
● PE3 configuration file
#
sysname PE3
#
vlan batch 100
#
stp instance 0 root primary
#
stp region-configuration
region-name RG1
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100 200
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100 200
#
return
● PE4 configuration file
#
sysname PE4
#
vlan batch 100
#
stp instance 0 root secondary
#
stp region-configuration
region-name RG1
active region-configuration
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100 200
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid tagged vlan 100 200
#
return
● NPE1 configuration file
#
sysname NPE1
#
vlan batch 100
#
bfd
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1.1
vlan-type dot1q 100
ip address 10.1.1.1 255.255.255.0

vrrp vrid 1 virtual-ip 10.1.1.10
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 10
vrrp vrid 1 track bfd-session 1 peer
#
bfd npe2 bind peer-ip default-ip interface GigabitEthernet1/0/1
discriminator local 1
discriminator remote 2
process-interface-status sub-if
commit
#
return

● NPE2 configuration file
#
sysname NPE2
#
vlan batch 100
#
bfd
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1.1
vlan-type dot1q 100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.10
vrrp vrid 1 track bfd-session 2 peer
#
bfd npe1 bind peer-ip default-ip interface GigabitEthernet1/0/1
discriminator local 2
discriminator remote 1
process-interface-status sub-if
commit
#
return

● CE configuration file
#
sysname CE
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
#
return
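An added example (not Huawei's tooling) that reads configuration files in the format shown above and cross-checks the settings this example depends on: STP disabled on SEP member interfaces, mirrored BFD discriminators on NPE1 and NPE2, and a VRRP group that tracks a BFD session existing on the same device. The sample files are constructed, abridged copies of the LSW1, NPE1 and NPE2 files above, and the check names are my own.

```python
"""Added checks (not Huawei tooling) over this example's VRP configuration files: SEP member
interfaces disable STP (a no-neighbor edge interface keeps it on, as LSW1 GE1/0/1 does),
NPE1/NPE2 BFD discriminators mirror each other, and VRRP tracks a BFD session that exists locally."""
import re
# Constructed samples: abridged copies of the LSW1, NPE1 and NPE2 files above.
LSW1_CFG = """\
interface GigabitEthernet1/0/1
 sep segment 1 edge no-neighbor primary
#
interface GigabitEthernet1/0/2
 stp disable
 sep segment 1
#
return"""
NPE1_CFG = """\
interface GigabitEthernet1/0/1.1
 vrrp vrid 1 virtual-ip 10.1.1.10
 vrrp vrid 1 track bfd-session 1 peer
#
bfd npe2 bind peer-ip default-ip interface GigabitEthernet1/0/1
 discriminator local 1
 discriminator remote 2
#
return"""
NPE2_CFG = """\
interface GigabitEthernet1/0/1.1
 vrrp vrid 1 virtual-ip 10.1.1.10
 vrrp vrid 1 track bfd-session 2 peer
#
bfd npe1 bind peer-ip default-ip interface GigabitEthernet1/0/1
 discriminator local 2
 discriminator remote 1
#
return"""

def parse_blocks(cfg):
    """Split a VRP file into (header, [commands]) blocks delimited by '#'."""
    blocks, current = [], []
    for line in cfg.splitlines():
        line = line.strip()
        if line == "#":
            if current:
                blocks.append((current[0], current[1:]))
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        blocks.append((current[0], current[1:]))
    return blocks

def check_sep_stp(cfg):
    """Names of SEP member interfaces that still run STP (should be empty)."""
    bad = []
    for header, cmds in parse_blocks(cfg):
        sep = [c for c in cmds if c.startswith("sep segment")]
        if not header.startswith("interface ") or not sep:
            continue
        # Only a no-neighbor edge interface keeps STP on: it faces the MSTP network.
        if "no-neighbor" not in sep[0] and "stp disable" not in cmds:
            bad.append(header.split()[1])
    return bad

def bfd_sessions(cfg):
    """Map static BFD session name -> {'local': n, 'remote': n}."""
    sessions = {}
    for header, cmds in parse_blocks(cfg):
        m = re.match(r"bfd (\S+) bind ", header)
        if m:
            found = re.findall(r"discriminator (local|remote) (\d+)", "\n".join(cmds))
            sessions[m.group(1)] = {k: int(v) for k, v in found}
    return sessions

def vrrp_groups(cfg):
    """Map vrid -> {'virtual_ip': str, 'track_bfd': int} (keys present if set)."""
    groups = {}
    for _, cmds in parse_blocks(cfg):
        for c in cmds:
            m = re.match(r"vrrp vrid (\d+) (?:virtual-ip (\S+)|track bfd-session (\d+))", c)
            if m:
                key, val = ("virtual_ip", m.group(2)) if m.group(2) else ("track_bfd", int(m.group(3)))
                groups.setdefault(int(m.group(1)), {})[key] = val
    return groups

def check_pair(cfg_a, cfg_b):
    """Cross-check two VRRP members (local discriminator == peer's remote); list of problems."""
    problems = []
    sa, sb = bfd_sessions(cfg_a).values(), bfd_sessions(cfg_b).values()
    loc_a, loc_b = {s["local"] for s in sa}, {s["local"] for s in sb}
    if {s["remote"] for s in sa} != loc_b or {s["remote"] for s in sb} != loc_a:
        problems.append("BFD discriminators do not mirror each other")
    ga, gb = vrrp_groups(cfg_a), vrrp_groups(cfg_b)
    for vrid in sorted(set(ga) | set(gb)):
        a, b = ga.get(vrid), gb.get(vrid)
        if not a or not b or a.get("virtual_ip") != b.get("virtual_ip"):
            problems.append(f"vrid {vrid}: virtual IP differs or group missing on one side")
        for side, g, local in (("A", a, loc_a), ("B", b, loc_b)):
            if g and "track_bfd" in g and g["track_bfd"] not in local:
                problems.append(f"vrid {vrid}: side {side} tracks unknown BFD session {g['track_bfd']}")
    return problems
```

Running check_sep_stp over each LSW file and check_pair over the NPE pair returns empty lists for the files of this example; a dropped stp disable or a mistyped discriminator is reported by name.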

Related Content
Videos
Configuring SEP

3.6.5.9 Example for Configuring SEP and RRPP on a Network

Overview
Generally, redundant links are used to provide link backup and enhance network
reliability. The use of redundant links, however, may produce loops. Loops cause
infinite looping of packets, leading to broadcast storms and MAC address table
instability. As a result, the communication quality deteriorates, and
communication services may be interrupted. To block redundant links and ensure
that the blocked links can be restored immediately to resume communication
when a link fault occurs on a ring network, you can deploy SEP and RRPP on the
ring network.

Configuration Notes
This example applies to all versions of all S series switches.

Networking Requirements
In Figure 3-102, Layer 2 switching devices at access and aggregation layers
constitute a ring network and connect to the core layer. The aggregation layer
uses RRPP to eliminate redundant links, and the access layer uses SEP.
● When there is no faulty link on the ring network, SEP can eliminate loops on
the Ethernet network.
● When a link fails on the ring network, SEP can quickly restore communication
between nodes in the ring.
● The topology change notification function is configured on an edge device in
a SEP segment so that devices on the upper-layer network can promptly
detect topology changes on the lower-layer network.
After receiving a topology change notification from a lower-layer network, a
device on an upper-layer network sends a TC packet to instruct other devices
to delete original MAC addresses and learn new MAC addresses. This ensures
nonstop traffic forwarding.

Figure 3-102 SEP and RRPP networking

NOTE

In this example, NPE1 and NPE2 use NE40Es running V600R008C00.
To ensure reliability of the entire network, you are advised to configure the following
functions:
● VRRP group between NPE1 and NPE2 to improve device-level reliability
● BFD session between NPE1 and NPE2 to detect the link status and therefore
implement fast switchover in the VRRP group

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic SEP functions.
a. Configure SEP segment 1 on PE1, PE2, and LSW1 to LSW3 and configure
VLAN 10 as the control VLAN of SEP segment 1.
b. Add PE1, PE2, and LSW1 to LSW3 to SEP segment 1 and configure interface
roles on edge devices (PE1 and PE2) of the SEP segment.
c. On the device where the primary edge interface is located, specify the
mode in which an interface is blocked.
d. Configure a SEP preemption mode to ensure that the specified blocked
interface takes effect when the fault is rectified.
e. Configure the topology change notification function so that the upper-layer network running RRPP can be notified of topology changes in the SEP segment.
2. Configure basic RRPP functions.
a. Add PE1 to PE4 to RRPP domain 1, configure VLAN 5 as the control VLAN
on PE1 to PE4, and configure the protected VLAN.
b. Configure PE1 as the master node and PE2 to PE4 as the transit nodes on
the major ring, and configure primary and secondary interfaces of the
master node.
c. Create VLANs on PE1 to PE4 and add interfaces on the RRPP ring to the
VLANs.
3. Set up a single-hop BFD session between NPE1 and NPE2 to detect the status
of the interfaces configured with VRRP. Then, report the detection result to
VRRP to complete VRRP fast switching.
4. Configure VRRP.
a. Create VRRP group 1 on GE 1/0/1 of NPE1, and set a higher VRRP priority
for NPE1 to ensure that NPE1 functions as the master.
b. Create VRRP group 1 in the view of GE 1/0/1 interface of NPE2, and allow
NPE2 to use the default VRRP priority.
c. Bind a BFD session to VRRP group 1.
5. Configure Layer 2 forwarding on the CE, LSW1 to LSW3, and PE1 to PE4.

NOTE

PEs are aggregation switches, LSWs are access switches, and CEs are user-side switches.

Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 and configure VLAN 10 as the control VLAN of SEP
segment 1.
# Configure aggregation switch PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] sep segment 1 //Create SEP segment 1.
[PE1-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[PE1-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
[PE1-sep-segment1] quit
# Configure aggregation switch PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] sep segment 1 //Create SEP segment 1.
[PE2-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[PE2-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
[PE2-sep-segment1] quit
# Configure access switch LSW1.
<HUAWEI> system-view
[HUAWEI] sysname LSW1
[LSW1] sep segment 1 //Create SEP segment 1.
[LSW1-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[LSW1-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
[LSW1-sep-segment1] quit
# Configure access switch LSW2.
<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] sep segment 1 //Create SEP segment 1.
[LSW2-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[LSW2-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
[LSW2-sep-segment1] quit
# Configure access switch LSW3.
<HUAWEI> system-view
[HUAWEI] sysname LSW3
[LSW3] sep segment 1 //Create SEP segment 1.
[LSW3-sep-segment1] control-vlan 10 //Configure VLAN 10 as the control VLAN of SEP segment 1.
[LSW3-sep-segment1] protected-instance all //Configure all protected instances of SEP segment 1.
[LSW3-sep-segment1] quit

NOTE

– The control VLAN must be a VLAN that has not been created or used. However, the
command for creating a common VLAN is automatically displayed in the configuration
file after the control VLAN is created.
– Each SEP segment must have a control VLAN. After an interface is added to a SEP
segment that has a control VLAN, the interface is automatically added to the control
VLAN.
2. Add aggregation switch PE1, aggregation switch PE2, and access switch LSW1
to LSW3 to SEP segment 1 and configure interface roles.
NOTE

By default, STP is enabled on Layer 2 interfaces. Before adding an interface to a SEP
segment, disable STP on the interface.
# Configure aggregation switch PE1.
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type trunk
[PE1-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE1-GigabitEthernet1/0/1] sep segment 1 edge primary //Configure the interface as the primary
edge interface and add it to SEP segment 1.
[PE1-GigabitEthernet1/0/1] quit
# Configure access switch LSW1.
[LSW1] interface gigabitethernet 1/0/1
[LSW1-GigabitEthernet1/0/1] port link-type trunk
[LSW1-GigabitEthernet1/0/1] stp disable //Disable STP.
[LSW1-GigabitEthernet1/0/1] sep segment 1 //Add the interface to SEP segment 1.
[LSW1-GigabitEthernet1/0/1] quit
[LSW1] interface gigabitethernet 1/0/2
[LSW1-GigabitEthernet1/0/2] port link-type trunk
[LSW1-GigabitEthernet1/0/2] stp disable //Disable STP.

Issue 35 (2022-10-26) Copyright © Huawei Technologies Co., Ltd. 1411


S300, S500, S2700, S3700, S5700, S6700, S7700, and
S9700 Series Switches
Typical Configuration Examples 3 Feature Typical Configuration Examples

[LSW1-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment 1.


[LSW1-GigabitEthernet1/0/2] quit

# Configure access switch LSW2.


[LSW2] interface gigabitethernet 1/0/1
[LSW2-GigabitEthernet1/0/1] port link-type trunk
[LSW2-GigabitEthernet1/0/1] stp disable //Disable STP.
[LSW2-GigabitEthernet1/0/1] sep segment 1 //Add the interface to SEP segment 1.
[LSW2-GigabitEthernet1/0/1] quit
[LSW2] interface gigabitethernet 1/0/2
[LSW2-GigabitEthernet1/0/2] port link-type trunk
[LSW2-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW2-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment 1.
[LSW2-GigabitEthernet1/0/2] quit

# Configure access switch LSW3.


[LSW3] interface gigabitethernet 1/0/1
[LSW3-GigabitEthernet1/0/1] port link-type trunk
[LSW3-GigabitEthernet1/0/1] stp disable //Disable STP.
[LSW3-GigabitEthernet1/0/1] sep segment 1 //Add the interface to SEP segment 1.
[LSW3-GigabitEthernet1/0/1] quit
[LSW3] interface gigabitethernet 1/0/2
[LSW3-GigabitEthernet1/0/2] port link-type trunk
[LSW3-GigabitEthernet1/0/2] stp disable //Disable STP.
[LSW3-GigabitEthernet1/0/2] sep segment 1 //Add the interface to SEP segment 1.
[LSW3-GigabitEthernet1/0/2] quit

# Configure aggregation switch PE2.


[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port link-type trunk
[PE2-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE2-GigabitEthernet1/0/1] sep segment 1 edge secondary //Configure the interface as the secondary edge interface and add it to SEP segment 1.
[PE2-GigabitEthernet1/0/1] quit

After the configuration is complete, run the display sep topology command
on aggregation switch PE1 to check the topology of the SEP segment. The
command output shows that the blocked interface is one of the two
interfaces on the link that last completes neighbor negotiation.
[PE1] display sep topology
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/1 primary forwarding 1
LSW1 GE1/0/1 common forwarding 2
LSW1 GE1/0/2 common forwarding 3
LSW3 GE1/0/2 common forwarding 4
LSW3 GE1/0/1 common forwarding 5
LSW2 GE1/0/2 common forwarding 6
LSW2 GE1/0/1 common forwarding 7
PE2 GE1/0/1 secondary discarding 8

3. Specify a blocked interface.


# In SEP segment 1, set the mode of blocking an interface on aggregation
switch PE1 where the primary edge interface is located to block the interface
in the middle of the SEP segment.
[PE1] sep segment 1
[PE1-sep-segment1] block port middle

4. Configure a preemption mode.


# In SEP segment 1, configure the manual preemption mode on aggregation
switch PE1 where the primary edge interface is located.
[PE1-sep-segment1] preempt manual

5. Configure the SEP topology change notification function.
Configure devices in SEP segment 1 to notify the RRPP network of topology changes.
# Configure aggregation switch PE1.
[PE1-sep-segment1] tc-notify rrpp
[PE1-sep-segment1] quit

# Configure aggregation switch PE2.


[PE2] sep segment 1
[PE2-sep-segment1] tc-notify rrpp
[PE2-sep-segment1] quit

After the configuration is complete, perform the following operations to verify the
configuration. Aggregation switch PE1 is used as an example.

● Run the display sep topology command on aggregation switch PE1 to check
the topology of the SEP segment.
The command output shows that GE1/0/2 of access switch LSW3 is in
discarding state and other interfaces are in forwarding state.
[PE1] display sep topology
SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/1 primary forwarding 1
LSW1 GE1/0/1 common forwarding 2
LSW1 GE1/0/2 common forwarding 3
LSW3 GE1/0/2 common discarding 4
LSW3 GE1/0/1 common forwarding 5
LSW2 GE1/0/2 common forwarding 6
LSW2 GE1/0/1 common forwarding 7
PE2 GE1/0/1 secondary forwarding 8

● Run the display sep interface verbose command on aggregation switch PE1
to check detailed information about interfaces in the SEP segment.
[PE1] display sep interface verbose
SEP segment 1
Control-vlan :10
Preempt Delay Timer :0
TC-Notify Propagate to :rrpp
----------------------------------------------------------------
Interface :GE1/0/1
Port Role :Config = primary / Active = primary
Port Priority :64
Port Status :forwarding
Neighbor Status :up
Neighbor Port :LSW1 - GE1/0/1 (00e0-0829-7c00.0000)
NBR TLV rx :2124 tx :2126
LSP INFO TLV rx :2939 tx :135
LSP ACK TLV rx :113 tx :768
PREEMPT REQ TLV rx :0 tx :3
PREEMPT ACK TLV rx :3 tx :0
TC Notify rx :5 tx :3
EPA rx :363 tx :397
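The two display sep topology outputs above show the blocked interface moving from the secondary edge (PE2 GE1/0/1, hop 8) to the middle of the segment (LSW3 GE1/0/2, hop 4) once block port middle and manual preemption take effect. As an added example that is not part of the original Huawei documentation, the following Python script parses that output and checks the invariant an operator should watch on a closed segment: hops are contiguous and exactly one interface is discarding. The sample inputs are the two outputs quoted on this page; all function and variable names are the example's own.

```python
import re
from typing import Dict, List

# "display sep topology" on PE1 as quoted on this page: before "block port middle"
# and manual preemption take effect (edge block), and after (middle block).
BEFORE = """SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/1 primary forwarding 1
LSW1 GE1/0/1 common forwarding 2
LSW1 GE1/0/2 common forwarding 3
LSW3 GE1/0/2 common forwarding 4
LSW3 GE1/0/1 common forwarding 5
LSW2 GE1/0/2 common forwarding 6
LSW2 GE1/0/1 common forwarding 7
PE2 GE1/0/1 secondary discarding 8
"""

AFTER = """SEP segment 1
-------------------------------------------------------------------------
System Name Port Name Port Role Port Status Hop
-------------------------------------------------------------------------
PE1 GE1/0/1 primary forwarding 1
LSW1 GE1/0/1 common forwarding 2
LSW1 GE1/0/2 common forwarding 3
LSW3 GE1/0/2 common discarding 4
LSW3 GE1/0/1 common forwarding 5
LSW2 GE1/0/2 common forwarding 6
LSW2 GE1/0/1 common forwarding 7
PE2 GE1/0/1 secondary forwarding 8
"""

# One topology row: system, port, role, status, hop. Header and rule lines do not match.
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(primary|secondary|common)\s+(forwarding|discarding)\s+(\d+)$")


def parse_sep_topology(text: str) -> List[Dict]:
    """Return the topology rows of one 'display sep topology' output as dicts."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"system": m.group(1), "port": m.group(2), "role": m.group(3),
                         "status": m.group(4), "hop": int(m.group(5))})
    return rows


def check_ring(rows: List[Dict]) -> Dict:
    """A healthy closed segment has contiguous hops and exactly one discarding port.

    All hops present but nothing discarding means no interface is breaking the
    ring and should be investigated; two or more discarding ports means the
    segment is split and some devices are cut off.
    """
    blocked = [r for r in rows if r["status"] == "discarding"]
    hops = sorted(r["hop"] for r in rows)
    result = {
        "ports": len(rows),
        "contiguous": hops == list(range(1, len(rows) + 1)),
        "blocked": [(r["system"], r["port"], r["hop"]) for r in blocked],
    }
    result["ok"] = result["contiguous"] and len(blocked) == 1
    if len(blocked) == 1:
        # Blocking an edge (primary/secondary) interface is the default; a block on a
        # common interface is what "block port middle" asks for.
        result["block_position"] = "edge" if blocked[0]["role"] != "common" else "middle"
    return result


def compare(before_text: str, after_text: str) -> Dict:
    """Report whether the blocked interface moved between two snapshots."""
    b = check_ring(parse_sep_topology(before_text))
    a = check_ring(parse_sep_topology(after_text))
    return {"before": b["blocked"], "after": a["blocked"], "moved": b["blocked"] != a["blocked"]}


if __name__ == "__main__":
    print(check_ring(parse_sep_topology(BEFORE)))
    print(check_ring(parse_sep_topology(AFTER)))
    print(compare(BEFORE, AFTER))
```

Run against periodic captures of the command output, the compare result flags every move of the blocked interface, which is exactly the event a SEP segment produces on a link fault or a preemption.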

Step 2 Configure basic RRPP functions.


1. Add aggregation switch PE1 to PE4 to RRPP domain 1, configure VLAN 5 as
the control VLAN on aggregation switch PE1 to PE4, and configure the
protected VLAN.
# Configure aggregation switch PE1.
[PE1] stp region-configuration //Enter the MST region view.
[PE1-mst-region] instance 1 vlan 5 6 100 //Map VLAN 5, VLAN 6, and VLAN 100 to MSTI 1.
[PE1-mst-region] active region-configuration //Activate MST region configuration.
[PE1-mst-region] quit
[PE1] rrpp domain 1 //Create RRPP domain 1.
[PE1-rrpp-domain-region1] control-vlan 5 //Configure VLAN 5 as the control VLAN of RRPP domain 1.
[PE1-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure the protected VLAN in protected instance 1.
# Configure aggregation switch PE2.
[PE2] stp region-configuration //Enter the MST region view.
[PE2-mst-region] instance 1 vlan 5 6 100 //Map VLAN 5, VLAN 6, and VLAN 100 to MSTI 1.
[PE2-mst-region] active region-configuration //Activate MST region configuration.
[PE2-mst-region] quit
[PE2] rrpp domain 1 //Create RRPP domain 1.
[PE2-rrpp-domain-region1] control-vlan 5 //Configure VLAN 5 as the control VLAN of RRPP domain 1.
[PE2-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure the protected VLAN in protected instance 1.
# Configure aggregation switch PE3.
[PE3] stp region-configuration //Enter the MST region view.
[PE3-mst-region] instance 1 vlan 5 6 100 //Map VLAN 5, VLAN 6, and VLAN 100 to MSTI 1.
[PE3-mst-region] active region-configuration //Activate MST region configuration.
[PE3-mst-region] quit
[PE3] rrpp domain 1 //Create RRPP domain 1.
[PE3-rrpp-domain-region1] control-vlan 5 //Configure VLAN 5 as the control VLAN of RRPP domain 1.
[PE3-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure the protected VLAN in protected instance 1.
# Configure aggregation switch PE4.
[PE4] stp region-configuration //Enter the MST region view.
[PE4-mst-region] instance 1 vlan 5 6 100 //Map VLAN 5, VLAN 6, and VLAN 100 to MSTI 1.
[PE4-mst-region] active region-configuration //Activate MST region configuration.
[PE4-mst-region] quit
[PE4] rrpp domain 1 //Create RRPP domain 1.
[PE4-rrpp-domain-region1] control-vlan 5 //Configure VLAN 5 as the control VLAN of RRPP domain 1.
[PE4-rrpp-domain-region1] protected-vlan reference-instance 1 //Configure the protected VLAN in protected instance 1.

NOTE

The control VLAN must be a VLAN that has not been created or used. However, the
command for creating a common VLAN is automatically displayed in the configuration file
after the control VLAN is created.
2. Create a VLAN and add interfaces on the ring network to the VLAN.
# On aggregation switch PE1, create VLAN 100 and add GE1/0/1, GE1/0/2,
and GE1/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE1-GigabitEthernet1/0/1] port link-type trunk
[PE1-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] stp disable //Disable STP.
[PE1-GigabitEthernet1/0/2] port link-type trunk
[PE1-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] stp disable //Disable STP.
[PE1-GigabitEthernet1/0/3] port link-type trunk
[PE1-GigabitEthernet1/0/3] port trunk allow-pass vlan 100
[PE1-GigabitEthernet1/0/3] quit
# On aggregation switch PE2, create VLAN 100 and add GE1/0/1, GE1/0/2,
and GE1/0/3 to VLAN 100.

[PE2] vlan 100
[PE2-vlan100] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE2-GigabitEthernet1/0/1] port link-type trunk
[PE2-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE2-GigabitEthernet1/0/1] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] stp disable //Disable STP.
[PE2-GigabitEthernet1/0/2] port link-type trunk
[PE2-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface gigabitethernet 1/0/3
[PE2-GigabitEthernet1/0/3] stp disable //Disable STP.
[PE2-GigabitEthernet1/0/3] port link-type trunk
[PE2-GigabitEthernet1/0/3] port trunk allow-pass vlan 100
[PE2-GigabitEthernet1/0/3] quit
# On aggregation switch PE3, create VLAN 100 and add GE1/0/1 and GE1/0/2
to VLAN 100.
[PE3] vlan 100
[PE3-vlan100] quit
[PE3] interface gigabitethernet 1/0/1
[PE3-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE3-GigabitEthernet1/0/1] port link-type trunk
[PE3-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE3-GigabitEthernet1/0/1] quit
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] stp disable //Disable STP.
[PE3-GigabitEthernet1/0/2] port link-type trunk
[PE3-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE3-GigabitEthernet1/0/2] quit
# On aggregation switch PE4, create VLAN 100 and add GE1/0/1 and GE1/0/2
to VLAN 100.
[PE4] vlan 100
[PE4-vlan100] quit
[PE4] interface gigabitethernet 1/0/1
[PE4-GigabitEthernet1/0/1] stp disable //Disable STP.
[PE4-GigabitEthernet1/0/1] port link-type trunk
[PE4-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[PE4-GigabitEthernet1/0/1] quit
[PE4] interface gigabitethernet 1/0/2
[PE4-GigabitEthernet1/0/2] stp disable //Disable STP.
[PE4-GigabitEthernet1/0/2] port link-type trunk
[PE4-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[PE4-GigabitEthernet1/0/2] quit
3. Configure aggregation switch PE1 as the master node and aggregation switch
PE2 to PE4 as the transit nodes on the major ring, and configure primary and
secondary interfaces of the master node.
# Configure aggregation switch PE1.
[PE1] rrpp domain 1 //Enter the view of RRPP domain 1.
[PE1-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet 1/0/2 secondary-port gigabitethernet 1/0/3 level 0 //Configure the master node on RRPP primary ring 1 in RRPP domain 1, and configure GE1/0/2 as the primary interface and GE1/0/3 as the secondary interface.
[PE1-rrpp-domain-region1] ring 1 enable //Enable the RRPP ring.
# Configure aggregation switch PE2.
[PE2] rrpp domain 1 //Enter the view of RRPP domain 1.
[PE2-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/2 secondary-port gigabitethernet 1/0/3 level 0 //Configure the transit node on RRPP primary ring 1 in RRPP domain 1, and configure GE1/0/2 as the primary interface and GE1/0/3 as the secondary interface.
[PE2-rrpp-domain-region1] ring 1 enable //Enable the RRPP ring.
# Configure aggregation switch PE3.
[PE3] rrpp domain 1 //Enter the view of RRPP domain 1.
[PE3-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0 //Configure the transit node on RRPP primary ring 1 in RRPP domain 1, and configure GE1/0/1 as the primary interface and GE1/0/2 as the secondary interface.
[PE3-rrpp-domain-region1] ring 1 enable //Enable the RRPP ring.
# Configure aggregation switch PE4.
[PE4] rrpp domain 1 //Enter the view of RRPP domain 1.
[PE4-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet 1/0/1 secondary-port gigabitethernet 1/0/2 level 0 //Configure the transit node on RRPP primary ring 1 in RRPP domain 1, and configure GE1/0/1 as the primary interface and GE1/0/2 as the secondary interface.
[PE4-rrpp-domain-region1] ring 1 enable //Enable the RRPP ring.
4. Enable RRPP.
# Configure aggregation switch PE1.
[PE1] rrpp enable
# Configure aggregation switch PE2.
[PE2] rrpp enable
# Configure aggregation switch PE3.
[PE3] rrpp enable
# Configure aggregation switch PE4.
[PE4] rrpp enable

After the configuration is complete, run the display rrpp brief or display rrpp
verbose domain command. Aggregation switch PE1 is used as an example.
[PE1] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge

RRPP Protocol Status: Enable
RRPP Working Mode: HW
RRPP Linkup Delay Timer: 0 sec (0 sec default)
Number of RRPP Domains: 1

Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)

Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
1 0 M GigabitEthernet1/0/2 GigabitEthernet1/0/3 Yes

According to the preceding information, RRPP is enabled on aggregation switch
PE1. The major control VLAN is VLAN 5 and the sub-control VLAN is VLAN 6 in
RRPP domain 1. VLANs mapping Instance1 are protected VLANs. Aggregation
switch PE1 is the master node in ring 1. The primary interface is GE1/0/2 and the
secondary interface is GE1/0/3.
[PE1] display rrpp verbose domain 1
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
RRPP Ring :1
Ring Level :0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet1/0/2 Port status: UP
Secondary port : GigabitEthernet1/0/3 Port status: BLOCKED

The major control VLAN is VLAN 5 and the sub-control VLAN is VLAN 6 in RRPP
domain 1. VLANs mapping Instance1 are protected VLANs. Aggregation switch
PE1 is the master node in Complete state. The primary interface is GE1/0/2 and
the secondary interface is GE1/0/3.
Step 3 Configure VLAN 100 to transmit VRRP packets and VLAN 200 to transmit BFD
packets.
# Configure aggregation switch PE3.
[PE3] vlan batch 100 200
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] stp disable //Disable STP.
[PE3-GigabitEthernet1/0/2] port link-type trunk
[PE3-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200
[PE3-GigabitEthernet1/0/2] quit
[PE3] interface gigabitethernet 1/0/3
[PE3-GigabitEthernet1/0/3] stp disable //Disable STP.
[PE3-GigabitEthernet1/0/3] port link-type trunk
[PE3-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 200
[PE3-GigabitEthernet1/0/3] quit

# Configure aggregation switch PE4.


[PE4] vlan batch 100 200
[PE4] interface gigabitethernet 1/0/2
[PE4-GigabitEthernet1/0/2] stp disable //Disable STP.
[PE4-GigabitEthernet1/0/2] port link-type trunk
[PE4-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 200
[PE4-GigabitEthernet1/0/2] quit
[PE4] interface gigabitethernet 1/0/3
[PE4-GigabitEthernet1/0/3] stp disable //Disable STP.
[PE4-GigabitEthernet1/0/3] port link-type trunk
[PE4-GigabitEthernet1/0/3] port trunk allow-pass vlan 100 200
[PE4-GigabitEthernet1/0/3] quit

Step 4 Configure a BFD session.


1. Configure IP addresses for interfaces.
# Configure an IP address for an interface on NPE1 and create a sub-interface
for the interface.
<HUAWEI> system-view
[HUAWEI] sysname NPE1
[NPE1] vlan 100
[NPE1-vlan100] quit
[NPE1] interface gigabitethernet 1/0/1
[NPE1-GigabitEthernet1/0/1] undo shutdown
[NPE1-GigabitEthernet1/0/1] ip address 10.2.1.1 24
[NPE1-GigabitEthernet1/0/1] quit
[NPE1] interface gigabitethernet 1/0/1.1
[NPE1-GigabitEthernet1/0/1.1] undo shutdown
[NPE1-GigabitEthernet1/0/1.1] vlan-type dot1q 100
[NPE1-GigabitEthernet1/0/1.1] ip address 10.1.1.1 24
[NPE1-GigabitEthernet1/0/1.1] quit

# Configure an IP address for an interface on NPE2 and create a sub-interface for the interface.
<HUAWEI> system-view
[HUAWEI] sysname NPE2
[NPE2] vlan 100
[NPE2-vlan100] quit
[NPE2] interface gigabitethernet 1/0/1
[NPE2-GigabitEthernet1/0/1] undo shutdown
[NPE2-GigabitEthernet1/0/1] ip address 10.2.1.2 24
[NPE2-GigabitEthernet1/0/1] quit
[NPE2] interface gigabitethernet 1/0/1.1

[NPE2-GigabitEthernet1/0/1.1] undo shutdown
[NPE2-GigabitEthernet1/0/1.1] vlan-type dot1q 100
[NPE2-GigabitEthernet1/0/1.1] ip address 10.1.1.2 24
[NPE2-GigabitEthernet1/0/1.1] quit

2. Create a BFD session.


# Enable BFD on NPE1 and configure a BFD session between NPE1 and NPE2.
[NPE1] bfd
[NPE1-bfd] quit
[NPE1] bfd NPE2 bind peer-ip default-ip interface gigabitethernet 1/0/1 //Configure a static BFD session to monitor the link of the VRRP group.
[NPE1-bfd-session-npe2] discriminator local 1
[NPE1-bfd-session-npe2] discriminator remote 2
[NPE1-bfd-session-npe2] commit
[NPE1-bfd-session-npe2] quit

# Enable BFD on NPE2 and configure a BFD session between NPE1 and NPE2.
[NPE2] bfd
[NPE2-bfd] quit
[NPE2] bfd NPE1 bind peer-ip default-ip interface gigabitethernet 1/0/1 //Configure a static BFD session to monitor the link of the VRRP group.
[NPE2-bfd-session-npe1] discriminator local 2
[NPE2-bfd-session-npe1] discriminator remote 1
[NPE2-bfd-session-npe1] commit
[NPE2-bfd-session-npe1] quit

# After completing the configuration, run the display bfd session all command on
NPE1 and NPE2. The command output shows that the BFD session is set up
between NPE1 and NPE2 and its status is Up.
Use the display on NPE1 as an example.
[NPE1] display bfd session all
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
1 2 224.0.0.184 Up S_IP_IF GigabitEthernet1/0/1
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0

3. Configure association between BFD status and sub-interface status.


# Configure NPE1.
[NPE1] bfd
[NPE1-bfd] quit
[NPE1] bfd NPE2
[NPE1-bfd-session-npe2] process-interface-status sub-if
[NPE1-bfd-session-npe2] commit
[NPE1-bfd-session-npe2] quit

# Configure NPE2.
[NPE2] bfd
[NPE2-bfd] quit
[NPE2] bfd NPE1
[NPE2-bfd-session-npe1] process-interface-status sub-if
[NPE2-bfd-session-npe1] commit
[NPE2-bfd-session-npe1] quit

After completing the preceding configurations, run the display bfd session all
verbose command on NPE1 and NPE2. Check that the Proc interface status
field displays Enable (Sub-If).
Use the display on NPE1 as an example.
[NPE1] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 257 (One Hop) State : Up Name : npe2
--------------------------------------------------------------------------------
Local Discriminator : 1 Remote Discriminator : 2
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet1/0/1)
Bind Session Type : Static
Bind Peer IP Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
Bind Interface : GigabitEthernet1/0/1
FSM Board Id :0 TOS-EXP :7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000
Local Detect Multi :3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number :-
Destination Port : 3784 TTL : 255
Proc Interface Status : Enable(Sub-If) Process PST : Disable
WTR Interval (ms) :- Local Demand Mode : Disable
Active Multi :3
Last Local Diagnostic : No Diagnostic
Bind Application : IFNET
Session TX TmrID : 93 Session Detect TmrID : 94
Session Init TmrID :- Session WTR TmrID :-
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------

Total UP/DOWN Session Number : 1/0

Step 5 Configure VRRP.

● # Configure an IP address for an interface on NPE1, create VRRP group 1, and set the VRRP priority of NPE1 to 120 so that NPE1 can function as the master.
[NPE1] interface gigabitethernet 1/0/1.1
[NPE1-GigabitEthernet1/0/1.1] vrrp vrid 1 virtual-ip 10.1.1.10
[NPE1-GigabitEthernet1/0/1.1] vrrp vrid 1 priority 120 //The default priority of a device in a VRRP group is 100. Change the priority of the master to be higher than that of the backup.
[NPE1-GigabitEthernet1/0/1.1] vrrp vrid 1 preempt-mode timer delay 10 //A device in a VRRP group uses immediate preemption by default. Change the preemption delay of the master to prevent service interruptions on an unstable network where devices in the VRRP group preempt to be the master.

● # Configure an IP address for an interface on NPE2, create VRRP group 1, and leave NPE2 at the default priority so that NPE2 functions as the backup.
[NPE2] interface gigabitethernet 1/0/1.1
[NPE2-GigabitEthernet1/0/1.1] vrrp vrid 1 virtual-ip 10.1.1.10

● # On NPE1, bind the VRRP group and the BFD session.
[NPE1-GigabitEthernet1/0/1.1] vrrp vrid 1 track bfd-session 1 peer
[NPE1-GigabitEthernet1/0/1.1] quit

● # On NPE2, bind the VRRP group and the BFD session.
[NPE2-GigabitEthernet1/0/1.1] vrrp vrid 1 track bfd-session 2 peer
[NPE2-GigabitEthernet1/0/1.1] quit

After completing the preceding configurations, run the display vrrp command on
NPE1. Check that the status of NPE1 is Master. Run the display vrrp command on
NPE2. Check that the status of NPE2 is Backup.
[NPE1] display vrrp
GigabitEthernet1/0/1.1 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.10
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 10
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Config track link-bfd down-number : 0
Track BFD : 1 type: peer
BFD-session state : UP
Create time : 2013-12-29 22:46:32 UTC+07:00
Last change time : 2013-12-29 22:46:35 UTC+07:00
[NPE2] display vrrp
GigabitEthernet1/0/1.1 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.10
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Config track link-bfd down-number : 0
Track BFD : 2 type: peer
BFD-session state : UP
Create time : 2013-12-29 22:46:32 UTC+07:00
Last change time : 2013-12-29 22:46:35 UTC+07:00

Step 6 Configure Layer 2 forwarding on the user-side switch CE, access switch LSW1 to
LSW3, and aggregation switch PE1 to PE4.
The configuration details are not mentioned here. For details, see configuration
files in this example.
Step 7 Verify the configuration.
After the configuration is complete and the network topology becomes stable,
perform the following operations to verify the configuration.
● # Run the shutdown command on GE1/0/1 of LSW2 to simulate a fault, and
then run the display sep interface command on LSW3 to check whether
GE1/0/2 on LSW3 changes from the discarding state to the forwarding state.
[LSW3] display sep interface gigabitethernet 1/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE1/0/2 common up forwarding
● Run the shutdown command on GE1/0/1.1 of NPE1 to simulate an interface
fault, and then run the display vrrp command on NPE2 to check whether the
status of NPE2 changes from Backup to Master.
[NPE2] display vrrp
GigabitEthernet1/0/1.1 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.10
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0
TimerRun : 1
TimerConfig : 1
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Check TTL : YES
Backup-forward : disabled
Config track link-bfd down-number : 0
Track BFD : 2 type: peer
BFD-session state : DOWN
Create time : 2013-12-29 22:46:32 UTC+07:00
Last change time : 2013-12-30 00:12:10 UTC+07:00
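The two display vrrp outputs for NPE2 above (before and after the simulated fault on NPE1) differ in exactly the fields that describe a failover: State, MasterPriority and BFD-session state. As an added example that is not part of the original Huawei documentation, the following Python script parses that output into key/value pairs and reports those changes, so that the same check can run over periodically collected command output instead of being read by eye. The sample inputs are the two NPE2 outputs quoted on this page, abridged; the function names are the example's own.

```python
import re
from typing import Dict, List

# "display vrrp" on NPE2 as quoted on this page (abridged): before the fault on
# NPE1's GE1/0/1.1 and after it.
NPE2_BEFORE = """GigabitEthernet1/0/1.1 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.10
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Track BFD : 2 type: peer
BFD-session state : UP
"""

NPE2_AFTER = """GigabitEthernet1/0/1.1 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.10
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0
Auth Type : NONE
Virtual Mac : 0000-5e00-0101
Track BFD : 2 type: peer
BFD-session state : DOWN
"""

# "Key : value" pairs; a line such as "Preempt : YES Delay Time : 0" carries two of them.
PAIR = re.compile(r"([A-Za-z][A-Za-z0-9 _\-]*?)\s*:\s*(\S+)")
HEADER = re.compile(r"^(\S+)\s*\|\s*Virtual Router\s+(\d+)")

# Fields whose change between two snapshots describes a role change.
WATCH = ("State", "MasterPriority", "BFD-session state", "Master IP")


def parse_display_vrrp(text: str) -> Dict[str, str]:
    """Flatten one VRRP group of 'display vrrp' output into a dict of fields."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        h = HEADER.match(line.strip())
        if h:
            fields["Interface"], fields["VRID"] = h.group(1), h.group(2)
            continue
        for key, value in PAIR.findall(line):
            fields[key.strip()] = value
    return fields


def failover_events(before: Dict[str, str], after: Dict[str, str]) -> List[str]:
    """List the watched fields that changed between two snapshots of one group."""
    return [f"{k}: {before.get(k)} -> {after.get(k)}" for k in WATCH if before.get(k) != after.get(k)]


def needs_attention(snapshot: Dict[str, str]) -> bool:
    """Master with the tracked BFD session DOWN: the router has lost its peer.

    This is the expected state after a real peer failure, but it is also what
    each router shows if only the BFD path between them failed, so the peer's
    own state should be checked before trusting that a single master exists.
    """
    return snapshot.get("State") == "Master" and snapshot.get("BFD-session state") == "DOWN"


if __name__ == "__main__":
    before, after = parse_display_vrrp(NPE2_BEFORE), parse_display_vrrp(NPE2_AFTER)
    for event in failover_events(before, after):
        print(event)
    print("needs attention:", needs_attention(after))
```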

----End

Configuration Files
● LSW1 configuration file
#
sysname LSW1
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
return

● LSW2 configuration file


#
sysname LSW2
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
return

● LSW3 configuration file


#
sysname LSW3
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
● PE1 configuration file
#
sysname PE1
#
vlan batch 5 to 6 10 100
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet 1/0/2 secondary-port GigabitEthernet 1/0/3 level 0
ring 1 enable
#
sep segment 1
control-vlan 10
block port middle
tc-notify rrpp
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1 edge primary
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
return
● PE2 configuration file
#
sysname PE2
#
vlan batch 5 to 6 10 100
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet 1/0/2 secondary-port GigabitEthernet 1/0/3 level 0
ring 1 enable
#
sep segment 1
control-vlan 10
tc-notify rrpp
protected-instance 0 to 4094
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
stp disable
sep segment 1 edge secondary
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 5 to 6 100
stp disable
#
return

● PE3 configuration file


#
sysname PE3
#
vlan batch 5 to 6 100 200
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet 1/0/1 secondary-port GigabitEthernet 1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
stp disable
#
return
● PE4 configuration file
#
sysname PE4
#
vlan batch 5 to 6 100 200
#
rrpp enable
#
stp region-configuration
instance 1 vlan 5 to 6 100
active region-configuration
#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode transit primary-port GigabitEthernet 1/0/1 secondary-port GigabitEthernet 1/0/2 level 0
ring 1 enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
stp disable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 100 200
stp disable
#
return
● NPE1 configuration file
#
sysname NPE1
#
vlan batch 100
#
bfd
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1.1
vlan-type dot1q 100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.10
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 10
vrrp vrid 1 track bfd-session 1 peer
#
bfd npe2 bind peer-ip default-ip interface GigabitEthernet1/0/1
discriminator local 1
discriminator remote 2
process-interface-status sub-if
commit
#
return
● NPE2 configuration file
#
sysname NPE2
#
vlan batch 100
#
bfd
#
interface GigabitEthernet1/0/1
undo shutdown
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1.1
vlan-type dot1q 100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.10
vrrp vrid 1 track bfd-session 2 peer
#
bfd npe1 bind peer-ip default-ip interface GigabitEthernet1/0/1
discriminator local 2
discriminator remote 1
process-interface-status sub-if
commit
#
return

● CE configuration file
#
sysname CE1
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
return

3.6.5.10 Example for Configuring VBST

Overview
VLAN-based Spanning Tree (VBST) constructs a spanning tree in each VLAN so
that traffic from different VLANs can be forwarded through different spanning
trees. VBST is a Huawei proprietary protocol that is equivalent to the Spanning
Tree Protocol (STP) or Rapid Spanning Tree Protocol (RSTP) running in each VLAN.
Spanning trees in different VLANs are independent of each other.

Currently, the three standard spanning tree protocols are STP, RSTP, and Multiple
Spanning Tree Protocol (MSTP). STP and RSTP cannot implement VLAN-based
load balancing, because all the VLANs on a LAN share a spanning tree and
packets in all VLANs are forwarded along this spanning tree. In addition, the
blocked link does not carry any traffic, which wastes bandwidth and may prevent
some VLANs from forwarding packets. MSTP is generally preferred because it is
compatible with STP and RSTP, ensures fast convergence, and provides multiple
paths to load balance traffic.

On enterprise networks, enterprise users need functions that are easy to use and
maintain, whereas the configuration of MSTP multi-instance and multi-process is
complex and requires in-depth knowledge.

To address this issue, Huawei developed VBST. VBST constructs a spanning tree in
each VLAN so that traffic from different VLANs is load balanced along different
spanning trees. In addition, VBST is easy to configure and maintain.


Configuration Notes
This example applies to all models of V200R005C00 and later versions.
When configuring VBST on the switch, pay attention to the following points:
● When HVRP is enabled on a modular switch, do not change the STP mode to
VBST.
● When VBST is enabled on a ring network, VBST immediately starts spanning
tree calculation. Parameters such as the device priority and port priority affect
spanning tree calculation, and changes of these parameters may cause
network flapping. To ensure fast and stable spanning tree calculation, perform
basic configurations on the switch and interfaces before enabling VBST.
● If the protected instance has been configured in a SEP segment or ERPS ring
but the mapping between protected instances and VLANs is not configured,
VBST cannot be enabled.
● VBST cannot be enabled in the ignored VLAN or control VLAN used by ERPS,
RRPP, SEP, or Smart Link.
● If 1:N (N>1) mapping between MSTIs and VLANs has been configured on the
switch, you must delete the mapping before changing the STP working mode
to VBST.
● If stp vpls-subinterface enable has been configured on the switch, you must
run the undo stp vpls-subinterface enable command on the interface before
changing the STP working mode to VBST.
● If the device has been configured as the root bridge or secondary root bridge,
run the undo stp vlan { vlan-id1 [ to vlan-id2 ] } &<1-10> root command to
disable the root bridge or secondary root bridge function and run the stp vlan
{ vlan-id1 [ to vlan-id2 ] } &<1-10> priority priority command to change the
device priority.
● When the number of MSTIs that are dynamically specified exceeds the
number of protected VLANs, STP is disabled in a created VLAN in the
configuration file, for example, stp vlan 100 disable.
● To prevent frequent network flapping, ensure that the values of Hello time,
Forward Delay, and Max Age conform to the following formulas:
– 2 x (Forward Delay - 1.0 second) >= Max Age
– Max Age >= 2 x (Hello Time + 1.0 second)
● It is recommended that fast convergence in normal mode be used. If the fast
mode is used, frequently deleting ARP entries may result in 100% CPU usage
of the MPU and LPU. As a result, packet processing times out and network
flapping occurs.
● After all ports are configured as edge ports and BPDU filter ports in the
system view, none of the ports on the switch send BPDUs or negotiate the VBST
status with directly connected ports on the peer device. All ports are in
forwarding state. This may cause loops on the network, leading to broadcast
storms. Exercise caution when you configure a port as an edge port and BPDU
filter port.
● After a port is configured as an edge port and BPDU filter port in the
interface view, the port does not process or send BPDUs. The port cannot
negotiate the VBST status with the directly connected port on the peer device.
Exercise caution when you configure a port as an edge port and BPDU filter
port.

● Root protection takes effect only on designated ports.
● An alternate port is the backup of the root port. If a switch has an alternate
port, configure loop protection on both the root port and alternate port.

Networking Requirements
In Figure 3-103, SwitchC and SwitchD (access switches) are dual-homed to
SwitchA and SwitchB (aggregation switches). SwitchC transmits traffic from VLAN
10 and VLAN 20, and SwitchD transmits traffic from VLAN 20 and VLAN 30. A ring
network is formed between the access layer and aggregation layer. The enterprise
requires that service traffic in each VLAN be correctly forwarded and service traffic
from different VLANs be load balanced to improve link use efficiency.

Figure 3-103 VBST networking


Configuration Roadmap
VBST can be used to eliminate loops between the access layer and aggregation
layer and ensures that service traffic in each VLAN is correctly forwarded. In
addition, traffic from different VLANs can be load balanced. The configuration
roadmap is as follows:
1. Configure Layer 2 forwarding on access and aggregation switches.
2. Configure basic VBST functions on SwitchA, SwitchB, SwitchC, and SwitchD.
Perform the following operations so that a spanning tree shown in Figure
3-103 is formed through calculation:
– Configure SwitchA and SwitchB as the root bridge and secondary root
bridge of VLAN 10 respectively, configure SwitchA and SwitchB as the
root bridge and secondary root bridge of VLAN 20 respectively, and
configure SwitchB and SwitchA as the root bridge and secondary root
bridge of VLAN 30 respectively.
– Set a larger path cost for GE1/0/2 on SwitchC in VLAN 10 and VLAN 20
so that GE1/0/2 is blocked in spanning trees of VLAN 10 and VLAN 20.
Set a larger path cost for GE1/0/2 on SwitchD in VLAN 20 and VLAN 30
so that GE1/0/2 is blocked in the spanning tree of VLAN 20 and VLAN 30.
3. Configure ports on SwitchC and SwitchD connected to terminals as edge ports
to reduce VBST topology calculation and improve topology convergence.

Procedure
Step 1 Configure Layer 2 forwarding on switches of the ring network.
● Create VLAN 10, VLAN 20, and VLAN 30 on SwitchA, SwitchB, SwitchC, and
SwitchD.
# Create VLAN 10, VLAN 20, and VLAN 30 on aggregation switch SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 30
# Create VLAN 10, VLAN 20, and VLAN 30 on aggregation switch SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 20 30
# Create VLAN 10 and VLAN 20 on access switch SwitchC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 10 20
# Create VLAN 20 and VLAN 30 on access switch SwitchD.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] vlan batch 20 30
● Add ports connected to the ring to VLANs.
# Add GE1/0/1 on SwitchA to VLAN 10, VLAN 20, and VLAN 30.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 30
[SwitchA-GigabitEthernet1/0/1] quit
# Add GE1/0/2 on SwitchA to VLAN 20 and VLAN 30.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk


[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 30
[SwitchA-GigabitEthernet1/0/2] quit
# Add GE1/0/3 on SwitchA to VLAN 10 and VLAN 20.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
[SwitchA-GigabitEthernet1/0/3] quit
# Add GE1/0/1 on SwitchB to VLAN 10, VLAN 20, and VLAN 30.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 30
[SwitchB-GigabitEthernet1/0/1] quit
# Add GE1/0/2 on SwitchB to VLAN 10 and VLAN 20.
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 20
[SwitchB-GigabitEthernet1/0/2] quit
# Add GE1/0/3 on SwitchB to VLAN 20 and VLAN 30.
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] port link-type trunk
[SwitchB-GigabitEthernet1/0/3] port trunk allow-pass vlan 20 30
[SwitchB-GigabitEthernet1/0/3] quit
# Add GE1/0/2 on SwitchC to VLAN 10 and VLAN 20.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 10 20
[SwitchC-GigabitEthernet1/0/2] quit
# Add GE1/0/3 on SwitchC to VLAN 10 and VLAN 20.
[SwitchC] interface gigabitethernet 1/0/3
[SwitchC-GigabitEthernet1/0/3] port link-type trunk
[SwitchC-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
[SwitchC-GigabitEthernet1/0/3] quit
# Add GE1/0/4 on SwitchC to VLAN 10 and GE1/0/5 to VLAN 20.
[SwitchC] interface gigabitethernet 1/0/4
[SwitchC-GigabitEthernet1/0/4] port link-type access
[SwitchC-GigabitEthernet1/0/4] port default vlan 10
[SwitchC-GigabitEthernet1/0/4] quit
[SwitchC] interface gigabitethernet 1/0/5
[SwitchC-GigabitEthernet1/0/5] port link-type access
[SwitchC-GigabitEthernet1/0/5] port default vlan 20
[SwitchC-GigabitEthernet1/0/5] quit
# Add GE1/0/2 on SwitchD to VLAN 20 and VLAN 30.
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] port link-type trunk
[SwitchD-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 30
[SwitchD-GigabitEthernet1/0/2] quit
# Add GE1/0/3 on SwitchD to VLAN 20 and VLAN 30.
[SwitchD] interface gigabitethernet 1/0/3
[SwitchD-GigabitEthernet1/0/3] port link-type trunk
[SwitchD-GigabitEthernet1/0/3] port trunk allow-pass vlan 20 30
[SwitchD-GigabitEthernet1/0/3] quit
# Add GE1/0/4 on SwitchD to VLAN 20 and GE1/0/5 to VLAN 30.
[SwitchD] interface gigabitethernet 1/0/4
[SwitchD-GigabitEthernet1/0/4] port link-type access
[SwitchD-GigabitEthernet1/0/4] port default vlan 20
[SwitchD-GigabitEthernet1/0/4] quit
[SwitchD] interface gigabitethernet 1/0/5
[SwitchD-GigabitEthernet1/0/5] port link-type access

[SwitchD-GigabitEthernet1/0/5] port default vlan 30
[SwitchD-GigabitEthernet1/0/5] quit

Step 2 Configure basic VBST functions.
1. Configure switches on the ring network to work in VBST mode.
# Configure SwitchA to work in VBST mode.
[SwitchA] stp mode vbst
# Configure SwitchB to work in VBST mode.
[SwitchB] stp mode vbst
# Configure SwitchC to work in VBST mode.
[SwitchC] stp mode vbst
# Configure SwitchD to work in VBST mode.
[SwitchD] stp mode vbst
2. Configure the root bridge and secondary root bridge.
– Configure the root bridge and secondary root bridge in VLAN 10.
# Configure SwitchA as the root bridge in VLAN 10.
[SwitchA] stp vlan 10 root primary
# Configure SwitchB as the secondary root bridge in VLAN 10.
[SwitchB] stp vlan 10 root secondary
– Configure the root bridge and secondary root bridge in VLAN 20.
# Configure SwitchA as the root bridge in VLAN 20.
[SwitchA] stp vlan 20 root primary
# Configure SwitchB as the secondary root bridge in VLAN 20.
[SwitchB] stp vlan 20 root secondary
– Configure the root bridge and secondary root bridge in VLAN 30.
# Configure SwitchB as the root bridge in VLAN 30.
[SwitchB] stp vlan 30 root primary
# Configure SwitchA as the secondary root bridge in VLAN 30.
[SwitchA] stp vlan 30 root secondary
3. Configure the path cost for a port in each VLAN so that the port can be
blocked.
NOTE

– The path cost range depends on the algorithm. IEEE 802.1t standard is used as an
example. Set the path costs of the ports to be blocked to 2000000.
– All switches on the same network must use the same path cost calculation
method.
# Set the path cost of GE1/0/2 on SwitchC to 2000000 in VLAN 10 and VLAN
20.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] stp vlan 10 cost 2000000
[SwitchC-GigabitEthernet1/0/2] stp vlan 20 cost 2000000
[SwitchC-GigabitEthernet1/0/2] quit
# Set the path cost of GE1/0/2 on SwitchD to 2000000 in VLAN 20 and VLAN
30.
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] stp vlan 20 cost 2000000
[SwitchD-GigabitEthernet1/0/2] stp vlan 30 cost 2000000
[SwitchD-GigabitEthernet1/0/2] quit


4. Enable VBST to eliminate loops.
– Disable VBST in VLAN 1 on all devices.
NOTE

By default, all ports join VLAN 1 and VBST is enabled in VLAN 1. To reduce
spanning tree calculation, disable VBST in VLAN 1. To prevent loops in VLAN 1
after VBST is disabled, delete ports from VLAN 1.
# Disable VBST in VLAN 1 on SwitchA.
[SwitchA] stp vlan 1 disable
# Disable VBST in VLAN 1 on SwitchB.
[SwitchB] stp vlan 1 disable
# Disable VBST in VLAN 1 on SwitchC.
[SwitchC] stp vlan 1 disable
# Disable VBST in VLAN 1 on SwitchD.
[SwitchD] stp vlan 1 disable
# Delete GE1/0/1, GE1/0/2, and GE1/0/3 on SwitchA from VLAN 1.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/3] quit
# Delete GE1/0/1, GE1/0/2, and GE1/0/3 on SwitchB from VLAN 1.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet1/0/3] quit
# Delete GE1/0/2 and GE1/0/3 on SwitchC from VLAN 1.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/2] quit
[SwitchC] interface gigabitethernet 1/0/3
[SwitchC-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[SwitchC-GigabitEthernet1/0/3] quit
# Delete GE1/0/2 and GE1/0/3 on SwitchD from VLAN 1.
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchD-GigabitEthernet1/0/2] quit
[SwitchD] interface gigabitethernet 1/0/3
[SwitchD-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[SwitchD-GigabitEthernet1/0/3] quit
– Enable VBST globally.
# Enable VBST on SwitchA globally.
[SwitchA] stp enable
# Enable VBST on SwitchB globally.
[SwitchB] stp enable
# Enable VBST on SwitchC globally.
[SwitchC] stp enable
# Enable VBST on SwitchD globally.
[SwitchD] stp enable
– Enable VBST globally.
By default, VBST is enabled globally.
Run the display stp global command to check the VBST status. If VBST is
disabled, run the stp enable command in the system view to enable
VBST globally.
– Enable VBST in a VLAN.
By default, VBST is enabled in a VLAN.
Run the display stp vlan vlan-id command to check the VBST status. If
the message "The protocol is disabled" is displayed, VBST is disabled in
the VLAN. Run the stp vlan vlan-id enable command in the system view
to enable VBST in the VLAN.
– Enable VBST on a port.
By default, VBST is enabled on a Layer 2 Ethernet interface.
Run the display stp interface interface-type interface-number command
to check the VBST status on a port. If the message "The protocol is
disabled" is displayed, VBST is disabled on the port. Run the stp enable
command in the interface view to enable VBST on the port.
Step 3 Configure ports connected to terminals as edge ports to improve topology
convergence.
# On SwitchC and SwitchD, configure GE1/0/4 and GE1/0/5 connected to
terminals as edge ports.
[SwitchC] interface gigabitethernet 1/0/4
[SwitchC-GigabitEthernet1/0/4] stp edged-port enable
[SwitchC-GigabitEthernet1/0/4] quit
[SwitchC] interface gigabitethernet 1/0/5
[SwitchC-GigabitEthernet1/0/5] stp edged-port enable
[SwitchC-GigabitEthernet1/0/5] quit
[SwitchD] interface gigabitethernet 1/0/4
[SwitchD-GigabitEthernet1/0/4] stp edged-port enable
[SwitchD-GigabitEthernet1/0/4] quit
[SwitchD] interface gigabitethernet 1/0/5
[SwitchD-GigabitEthernet1/0/5] stp edged-port enable
[SwitchD-GigabitEthernet1/0/5] quit

Step 4 Verify the configuration.
After the configuration is complete and the network topology becomes stable,
perform the following operations to verify the configuration.
# Run the display stp bridge local command on SwitchA to check the STP
working mode.
[SwitchA] display stp bridge local
VLAN-ID Bridge ID            Hello Max Forward Protocol
                             Time  Age Delay
------- -------------------- ----- --- ------- --------
10      10.0200-0000-6703    2     20  15      VBST
20      20.0200-0000-6703    2     20  15      VBST
30      4126.0200-0000-6703  2     20  15      VBST

The preceding information shows that the VBST mode is used.
# Run the display stp brief command on SwitchA to check the port status.
[SwitchA] display stp brief
VLAN-ID Port Role STP State Protection
10 GigabitEthernet1/0/1 DESI FORWARDING NONE
10 GigabitEthernet1/0/3 DESI FORWARDING NONE
20 GigabitEthernet1/0/1 DESI FORWARDING NONE
20 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/3 DESI FORWARDING NONE
30 GigabitEthernet1/0/1 ROOT FORWARDING NONE
30 GigabitEthernet1/0/2 DESI FORWARDING NONE

The preceding information shows that SwitchA participates in spanning tree
calculation in VLAN 10, VLAN 20, and VLAN 30. For example, SwitchA is the root
bridge in VLAN 10 and VLAN 20, so GE1/0/1 and GE1/0/3 in VLAN 10 are selected
as designated ports. GE1/0/1, GE1/0/2, and GE1/0/3 in VLAN 20 are selected as
designated ports. SwitchA is the secondary root bridge in VLAN 30, so GE1/0/1 is
selected as the root port and GE1/0/2 is selected as the designated port in VLAN
30.
# Run the display stp vlan 10 command on SwitchA to check detailed
information about VLAN 10.
[SwitchA] display stp vlan 10
-------[VLAN 10 Global Info]-------
Bridge ID :10 .0200-0000-6703
Bridge Diameter :7
Config Times :Hello 2s MaxAge 20s FwDly 15s
Active Times :Hello 2s MaxAge 20s FwDly 15s
Root ID / RPC :10 .0200-0000-6703 / 0 (This bridge is the root)
RootPortId :0.0
Root Type :Primary
BPDU-Protection :Disabled
STP Converge Mode :Normal
Time since last TC :0 days 0h:10m:46s
Number of TC :1
----[Port4093(GigabitEthernet1/0/1)][FORWARDING]----
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T) :Config=Auto / Active=20000
Desg. Bridge/Port :10 .0200-0000-6703 / 128.4093
Port Edged :Config=Default / Active=Disabled
Point-to-point :Config=Auto / Active=true
Port Revert Slow :Disabled
Port Agreement Legacy :Disabled
Transit Limit :6 packets/hello
Protection Type :None
Port STP Mode :VBST
BPDU Encapsulation :Config=VBST / Active=VBST
----[Port4092(GigabitEthernet1/0/3)][FORWARDING]----
Port Role :Designated Port
Port Priority :128
Port Cost(Dot1T) :Config=Auto / Active=199999
Desg. Bridge/Port :10 .0200-0000-6703 / 128.4092
Port Edged :Config=Default / Active=Disabled
Point-to-point :Config=Auto / Active=true
Port Revert Slow :Disabled
Port Agreement Legacy :Disabled
Transit Limit :6 packets/hello
Protection Type :None
Port STP Mode :VBST
BPDU Encapsulation :Config=VBST / Active=VBST

The preceding information shows that SwitchA is selected as the root bridge in
VLAN 10 and GE1/0/1 and GE1/0/3 are selected as designated ports in
FORWARDING state.
# Run the display stp brief command on SwitchB, SwitchC, and SwitchD to check
the port status.
[SwitchB] display stp brief
VLAN-ID Port Role STP State Protection
10 GigabitEthernet1/0/1 ROOT FORWARDING NONE
10 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/1 ROOT FORWARDING NONE
20 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/3 DESI FORWARDING NONE
30 GigabitEthernet1/0/1 DESI FORWARDING NONE
30 GigabitEthernet1/0/3 DESI FORWARDING NONE
[SwitchC] display stp brief
VLAN-ID Port Role STP State Protection
10 GigabitEthernet1/0/2 ALTE DISCARDING NONE
10 GigabitEthernet1/0/3 ROOT FORWARDING NONE
10 GigabitEthernet1/0/4 DESI FORWARDING NONE
20 GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 GigabitEthernet1/0/5 DESI FORWARDING NONE
[SwitchD] display stp brief
VLAN-ID Port Role STP State Protection
20 GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 GigabitEthernet1/0/4 DESI FORWARDING NONE
30 GigabitEthernet1/0/2 ALTE DISCARDING NONE
30 GigabitEthernet1/0/3 ROOT FORWARDING NONE
30 GigabitEthernet1/0/5 DESI FORWARDING NONE

The preceding information shows that SwitchB participates in spanning tree
calculation in VLAN 10, VLAN 20, and VLAN 30, SwitchC participates in spanning
tree calculation in VLAN 10 and VLAN 20, and SwitchD participates in spanning
tree calculation in VLAN 20 and VLAN 30. After the calculation is complete, ports
are selected as different roles to eliminate loops.

Different spanning trees are formed in VLAN 10, VLAN 20, and VLAN 30, and
traffic in VLAN 10, VLAN 20, and VLAN 30 is forwarded along different spanning
trees to implement load balancing.

----End
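The checks of Step 4 and the timer formulas from the Configuration Notes, as an added offline checker (example code, not part of this Huawei guide): it parses the display stp bridge local and display stp brief output captured from the four switches and reports every deviation from the roadmap's root bridges and blocked ports. The sample rows are constructed from the tables shown on this page; the switch names, expected roots and expected blocked ports are this example's own assumptions about the plan.

```python
import re
from collections import defaultdict
# Constructed sample: the 'display stp bridge local' table this page shows for SwitchA.
BRIDGE_LOCAL_A = """\
VLAN-ID Bridge ID            Hello Max Forward Protocol
10      10.0200-0000-6703    2     20  15      VBST
20      20.0200-0000-6703    2     20  15      VBST
30      4126.0200-0000-6703  2     20  15      VBST
"""
# Constructed samples: the 'display stp brief' rows this page shows for each ring switch.
BRIEF = {"SwitchA": """\
10 GigabitEthernet1/0/1 DESI FORWARDING NONE
10 GigabitEthernet1/0/3 DESI FORWARDING NONE
20 GigabitEthernet1/0/1 DESI FORWARDING NONE
20 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/3 DESI FORWARDING NONE
30 GigabitEthernet1/0/1 ROOT FORWARDING NONE
30 GigabitEthernet1/0/2 DESI FORWARDING NONE
""", "SwitchB": """\
10 GigabitEthernet1/0/1 ROOT FORWARDING NONE
10 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/1 ROOT FORWARDING NONE
20 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/3 DESI FORWARDING NONE
30 GigabitEthernet1/0/1 DESI FORWARDING NONE
30 GigabitEthernet1/0/3 DESI FORWARDING NONE
""", "SwitchC": """\
10 GigabitEthernet1/0/2 ALTE DISCARDING NONE
10 GigabitEthernet1/0/3 ROOT FORWARDING NONE
10 GigabitEthernet1/0/4 DESI FORWARDING NONE
20 GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 GigabitEthernet1/0/5 DESI FORWARDING NONE
""", "SwitchD": """\
20 GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 GigabitEthernet1/0/4 DESI FORWARDING NONE
30 GigabitEthernet1/0/2 ALTE DISCARDING NONE
30 GigabitEthernet1/0/3 ROOT FORWARDING NONE
30 GigabitEthernet1/0/5 DESI FORWARDING NONE
"""}
# Assumed plan, taken from the Configuration Roadmap: root bridge per VLAN and the ports meant to be blocked.
EXPECTED_ROOTS = {10: "SwitchA", 20: "SwitchA", 30: "SwitchB"}
EXPECTED_BLOCKED = {("SwitchC", "GigabitEthernet1/0/2", 10), ("SwitchC", "GigabitEthernet1/0/2", 20),
                    ("SwitchD", "GigabitEthernet1/0/2", 20), ("SwitchD", "GigabitEthernet1/0/2", 30)}
_BRIEF_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(DESI|ROOT|ALTE|BACK|MAST|DISA)\s+(FORWARDING|DISCARDING|LEARNING)")
_LOCAL_RE = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)")

def _rows(regex, text):
    """Yield the matches for the data rows of a display table; header lines never match."""
    for line in text.splitlines():
        if m := regex.match(line):
            yield m

def parse_brief(text):
    """'display stp brief' -> {vlan: [(port, role, state), ...]}."""
    out = defaultdict(list)
    for m in _rows(_BRIEF_RE, text):
        out[int(m.group(1))].append((m.group(2), m.group(3), m.group(4)))
    return dict(out)

def parse_bridge_local(text):
    """'display stp bridge local' -> {vlan: (hello, max_age, fwd_delay, protocol)}."""
    return {int(m.group(1)): (int(m.group(3)), int(m.group(4)), int(m.group(5)), m.group(6))
            for m in _rows(_LOCAL_RE, text)}

def timers_ok(hello, max_age, fwd_delay):
    """Both formulas from the Configuration Notes must hold, or the tree may flap."""
    return 2 * (fwd_delay - 1.0) >= max_age and max_age >= 2 * (hello + 1.0)

def root_bridges(briefs):
    """Per VLAN, the switches holding no ROOT port: in a VLAN's tree only the root bridge has none."""
    roots = defaultdict(set)
    for sw, text in briefs.items():
        for vlan, ports in parse_brief(text).items():
            if all(role != "ROOT" for _, role, _ in ports):
                roots[vlan].add(sw)
    return dict(roots)

def blocked_ports(briefs):
    """(switch, port, vlan) triples in DISCARDING state: one per VLAN on each ring that VLAN spans."""
    return {(sw, port, vlan) for sw, text in briefs.items()
            for vlan, ports in parse_brief(text).items() for port, _, state in ports if state == "DISCARDING"}

def audit(briefs, bridge_local, expected_roots, expected_blocked):
    """Return the deviations from the plan; an empty list means the topology matches."""
    problems = []
    for vlan, (hello, max_age, fwd_delay, proto) in parse_bridge_local(bridge_local).items():
        if proto != "VBST":
            problems.append(f"VLAN {vlan}: protocol is {proto}, not VBST")
        if not timers_ok(hello, max_age, fwd_delay):
            problems.append(f"VLAN {vlan}: timers {hello}/{max_age}/{fwd_delay} break the formulas")
    roots = root_bridges(briefs)
    for vlan, want in expected_roots.items():
        if roots.get(vlan) != {want}:
            problems.append(f"VLAN {vlan}: root bridge {sorted(roots.get(vlan, ()))} != {want}")
    if diff := blocked_ports(briefs) ^ expected_blocked:
        problems.append(f"blocked ports differ from plan: {sorted(diff)}")
    return problems
```

Run audit(BRIEF, BRIDGE_LOCAL_A, EXPECTED_ROOTS, EXPECTED_BLOCKED) after pasting real captures into the sample strings; a forwarding port that the plan expects blocked shows up as a loop risk in the returned list.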

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20 30
#
stp mode vbst
#
stp vlan 1 disable
stp vlan 30 root secondary
stp vlan 10 20 root primary
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20 30
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 20 30
#
stp mode vbst
#
stp vlan 1 disable
stp vlan 10 20 root secondary
stp vlan 30 root primary
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20 30
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 10 20
#
stp mode vbst
#
stp vlan 1 disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
stp vlan 10 20 cost 2000000
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 10
stp edged-port enable
#
interface GigabitEthernet1/0/5
port link-type access
port default vlan 20
stp edged-port enable
#
return
● SwitchD configuration file
#
sysname SwitchD
#
vlan batch 20 30
#
stp mode vbst
#
stp vlan 1 disable
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
stp vlan 20 30 cost 2000000
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 30
#
interface GigabitEthernet1/0/4
port link-type access
port default vlan 20
stp edged-port enable
#
interface GigabitEthernet1/0/5
port link-type access
port default vlan 30
stp edged-port enable
#
return

3.6.6 Typical Loopback Detection Configuration

3.6.6.1 Example for Configuring LDT to Detect Loops on the Downstream Network

Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast
packets are repeatedly transmitted on the network. This wastes network resources
and may even cause a network breakdown. To minimize the impact of loops on a
Layer 2 network, a detection technology that quickly notifies users of loops is
required. When a loop occurs, users are requested to check network connections
and configurations, and control the problematic interface.
Loop detection (LDT) periodically sends LDT packets on an interface to check
whether the packets return to the local device (receive and transmit interfaces can
be different), and determines whether loops occur on the interface, local network,
or downstream network.
● If LDT packets are received by the same interface, a loopback occurs on the
interface or a loop occurs on the network connected to the interface.
● If LDT packets are received by another interface on the same device, a loop
occurs on the network connected to the interface.
After loops are detected, the device can send alarms to the NMS and record logs,
and can control the interface status (the interface is shut down by default)
according to the device configuration so that the impact of loops on the device
and network is minimized. The device provides the following actions after LDT
detects a loop:
● Trap: The device reports a trap to the NMS and records a log, but does not
take any action on the interface.
● Block: The device blocks this interface, and can forward only BPDUs.
● No learning: The interface is disabled from learning MAC addresses.
● Shutdown: The device shuts down the interface.
● Quitvlan: The interface is removed from the VLAN where a loop occurs.
The problematic interface continues to send LDT packets. If the device receives no
LDT packets from the problematic interface within the recovery time, it considers
that the loop is eliminated on the interface and restores the interface.
LDT can only detect loops on a single node, but cannot eliminate loops on the
entire network in the same manner as ring network technologies of ERPS, RRPP,
SEP, Smart Link, and STP/RSTP/MSTP/VBST.

Configuration Notes
● This example applies to all versions of the modular switches.
● In V200R008C00 and earlier versions, LDT does not take effect in dynamic
VLANs.
● LDT and LBDT cannot be configured simultaneously.
● LDT needs to send a large number of LDT packets to detect loops, occupying
system resources. Therefore, disable LDT if loops do not need to be detected.
● When loops occur in multiple VLANs on many interfaces, LDT performance is
lowered due to limitations of security policies and CPU processing capability.
The greater the number of involved VLANs and interfaces, the lower the
performance. In particular, the performance of the standby chassis in the
cluster is lowered. Manually eliminating loops is recommended.
● LDT cannot be used with ring network technologies of ERPS, RRPP, SEP, Smart
Link, and STP/RSTP/MSTP/VBST. Do not configure ring network technologies
on an interface of an LDT-enabled VLAN. If LDT has been enabled globally and
ring network technologies need to be configured on an interface, disable LDT
on the interface first.
● LDT sends only tagged packets and can only detect loops based on VLANs.
LDT can detect loops in a maximum of 4094 VLANs.
● When a loop occurs on the network-side interface where the Block or
Shutdown action is configured, all services on the device are interrupted. Do
not deploy LDT on the network-side interface.
● The Quitvlan action cannot be used with GVRP, HVRP, or the action of
removing an interface from the VLAN where MAC address flapping occurs.
● The blocked ports of LDT cannot block GVRP packets. To ensure that GVRP
runs normally and prevent GVRP loops, do not enable GVRP on the blocked
port of LDT.

Networking Requirements
In Figure 3-104, a new branch network of an enterprise connects to the
aggregation switch Switch, and VLANs 10 to 20 are deployed on the branch
network. Loops occur due to incorrect connections or configurations. As a result,
communication on the Switch and uplink network is affected.
It is required that the Switch should immediately detect loops on the new branch
network to prevent the impact of loops on the Switch and uplink network.
Figure 3-104 Networking for configuring LDT to detect loops on the downstream
network

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable LDT on GE1/0/1 of the Switch to detect loops in a specified VLAN so
that loops on the downstream network can be detected.
2. Configure an action after loops are detected so that the Switch can
immediately shut down the interface where a loop is detected. This prevents
the impact of the loop on the Switch and uplink network.

NOTE

Configure interfaces on other switching devices as trunk or hybrid interfaces and configure
these interfaces to allow packets from corresponding VLANs to pass through. This ensures
Layer 2 connectivity on the new network and between the new network and the Switch.

Procedure
Step 1 Enable global LDT.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] loop-detection enable //Enable LDT globally.

Step 2 Enable LDT in VLANs.


[Switch] vlan batch 10 to 20
[Switch] loop-detection enable vlan 10 to 20 //Enable the device to detect loops on all interfaces in
VLANs 10 to 20.

Step 3 Set the interval for sending LDT packets.


[Switch] loop-detection interval-time 10 //Set the interval for sending LDT packets to 10s.

Step 4 Configure an action taken after a loop is detected.


# Enable the trap function for LDT.
[Switch] snmp-agent trap enable feature-name ldttrap //Enable the LDT alarm function so that the
device can send LDT traps.

# Set the action to Shutdown.


[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid //In V200R005C00 and later versions, the default link
type of a switch interface is not hybrid. Run the port link-type hybrid command to set the link type of
the interface to hybrid.
[Switch-GigabitEthernet1/0/1] stp disable //Disable STP on the interface, because LDT cannot be used
together with STP.
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 10 to 20
[Switch-GigabitEthernet1/0/1] loop-detection mode port-shutdown //Configure the Shutdown action to
be taken on GE1/0/1 after a loop is detected.
[Switch-GigabitEthernet1/0/1] quit

Step 5 Verify the configuration.

# After the configuration is complete, run the display loop-detection command
to check global LDT information.
[Switch] display loop-detection
Loop Detection is enabled.
Detection interval time is 10 seconds.
Following VLANs enable loop-detection:
VLAN 10 to 20
Following ports are blocked for loop:
NULL
Following ports are shutdown for loop:
GigabitEthernet1/0/1 Include Vlans:
10
Following ports are nolearning for loop:
NULL
Following ports are trapped for loop:
NULL
Following ports are quitvlan for loop:
NULL

# Check LDT information on GE1/0/1.


[Switch] display loop-detection interface gigabitethernet 1/0/1
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Shutdown Shutdown 255 10
Normal Shutdown 255 11
Normal Shutdown 255 12
Normal Shutdown 255 13
Normal Shutdown 255 14
Normal Shutdown 255 15
Normal Shutdown 255 16
Normal Shutdown 255 17
Normal Shutdown 255 18
Normal Shutdown 255 19
Normal Shutdown 255 20

The command output shows that LDT is enabled in VLANs 10 to 20 and that the
Shutdown action has been taken on GE1/0/1 for VLAN 10, indicating that a loop
was detected in VLAN 10.

NOTE

Once a loop is detected in one or more VLANs, the system shuts down the
involved interface, which removes the loops in every VLAN on that interface.
LDT may therefore not report all VLANs in which loops existed.

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 to 20
#
loop-detection enable
loop-detection interval-time 10
loop-detection enable vlan 10 to 20
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 10 to 20
stp disable
#
snmp-agent trap enable feature-name LDTTRAP
#
return

3.6.6.2 Example for Configuring LDT to Detect Loops on the Local Network

Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast
packets are repeatedly transmitted on the network. This wastes network resources
and may even cause a network breakdown. To minimize the impact of loops on a
Layer 2 network, a detection technology that quickly notifies users of loops is
required. When a loop occurs, users are requested to check network connections
and configurations, and control the problematic interface.
Loop detection (LDT) periodically sends LDT packets on an interface to check
whether the packets return to the local device (receive and transmit interfaces can
be different), and determines whether loops occur on the interface, local network,
or downstream network.
● If LDT packets are received by the same interface, a loopback occurs on the
interface or a loop occurs on the network connected to the interface.
● If LDT packets are received by another interface on the same device, a loop
occurs on the network connected to the interface.
After loops are detected, the device can send alarms to the NMS and record logs,
and can control the interface status (the interface is shut down by default)
according to the device configuration so that the impact of loops on the device
and network is minimized. The device provides the following actions after LDT
detects a loop:
● Trap: The device reports a trap to the NMS and records a log, but does not
take any action on the interface.
● Block: The device blocks this interface, and can forward only BPDUs.
● No learning: The interface is disabled from learning MAC addresses.
● Shutdown: The device shuts down the interface.
● Quitvlan: The interface is removed from the VLAN where a loop occurs.
The problematic interface continues to send LDT packets. If the device receives no
LDT packets from the problematic interface within the recovery time, it considers
that the loop is eliminated on the interface and restores the interface.

LDT can only detect loops on a single node, but cannot eliminate loops on the
entire network in the same manner as ring network technologies of ERPS, RRPP,
SEP, Smart Link, and STP/RSTP/MSTP/VBST.

Configuration Notes
● This example applies to all versions of the modular switches.
● In V200R008C00 and earlier versions, LDT does not take effect in dynamic
VLANs.
● LDT and LBDT cannot be configured simultaneously.
● LDT needs to send a large number of LDT packets to detect loops, occupying
system resources. Therefore, disable LDT if loops do not need to be detected.
● When loops occur in multiple VLANs on many interfaces, LDT performance is
lowered due to limitations of security policies and CPU processing capability.
The greater the number of involved VLANs and interfaces, the lower the
performance. In particular, the performance of the standby chassis in the
cluster is lowered. Manually eliminating loops is recommended.
● LDT cannot be used with ring network technologies of ERPS, RRPP, SEP, Smart
Link, and STP/RSTP/MSTP/VBST. Do not configure ring network technologies
on an interface in an LDT-enabled VLAN. If LDT has been enabled globally and
ring network technologies need to be configured on an interface, disable LDT
on the interface first.
● LDT sends only tagged packets and can only detect loops based on VLANs.
LDT can detect loops in a maximum of 4094 VLANs.
● If a loop is detected on a network-side (uplink) interface on which the Block or
Shutdown action is configured, that interface is blocked or shut down and all
services on the device are interrupted. Do not deploy LDT on network-side
interfaces.
● The Quitvlan action cannot be used with GVRP, HVRP, or the action of
removing an interface from the VLAN where MAC address flapping occurs.
● The blocked ports of LDT cannot block GVRP packets. To ensure that GVRP
runs normally and prevent GVRP loops, do not enable GVRP on the blocked
port of LDT.

Networking Requirements
In Figure 3-105, an enterprise uses Layer 2 networking. The Switch is the
aggregation switch, and each switch allows packets from VLANs 10 to 20 to pass
through. Because employees often move, the network topology changes
frequently. Connections or configurations may be incorrect due to misoperations.
As a result, loops may occur in VLANs 10 to 20.
Loops cause broadcast storms and affect device and network communication. It is
required that loops be detected and eliminated in VLANs in a timely manner to
prevent broadcast storms.

Figure 3-105 Networking for configuring LDT to detect loops on the local network

Configuration Roadmap
Loops need to be detected in VLANs 10 to 20. Because loops must be detected in
more than eight VLANs, LDT is used here: configure LDT to detect the loops and
configure an action to be taken after loops are detected to prevent broadcast
storms. All VLANs share a link, so to prevent loop removal in one VLAN from
affecting data forwarding in the other VLANs, configure the Quitvlan action. The
configuration roadmap is as follows:
1. Enable LDT on GE1/0/0 and GE2/0/0 on the Switch to detect loops in VLANs
10 to 20.
2. Configure an action to be taken after a loop is detected on GE1/0/0 and
GE2/0/0, and set the recovery time so that the Switch can immediately take
the preconfigured action on the interface to prevent broadcast storms after a
loop is detected. In addition, the Switch can restore the interface after the
loop is eliminated.
NOTE

Configure interfaces on other switching devices as trunk or hybrid interfaces and configure
these interfaces to allow packets from corresponding VLANs to pass through to ensure
Layer 2 connectivity.

Procedure
Step 1 Enable global LDT.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] loop-detection enable //Enable LDT globally.

Step 2 Enable LDT in VLANs.


[Switch] vlan batch 10 to 20
[Switch] loop-detection enable vlan 10 to 20 //Enable the device to detect loops on all interfaces in
VLANs 10 to 20.

Step 3 Set the interval for sending LDT packets.


[Switch] loop-detection interval-time 10 //Set the interval for sending LDT packets to 10s.

Step 4 Configure an action to be taken after a loop is detected.


# Enable the trap function for LDT.
[Switch] snmp-agent trap enable feature-name ldttrap //Enable the LDT alarm function so that the
device can send LDT traps.

# Set the action to Quitvlan.


[Switch] interface gigabitethernet 1/0/0
[Switch-GigabitEthernet1/0/0] port link-type hybrid //In V200R005C00 and later versions, the default link
type of a switch interface is not hybrid. Run the port link-type hybrid command to set the link type of
the interface to hybrid.
[Switch-GigabitEthernet1/0/0] stp disable //Disable STP on the interface.
[Switch-GigabitEthernet1/0/0] port hybrid tagged vlan 10 to 20
[Switch-GigabitEthernet1/0/0] loop-detection mode port-quitvlan //Configure the Quitvlan action to be
taken after a loop is detected.
[Switch-GigabitEthernet1/0/0] quit
[Switch] interface gigabitethernet 2/0/0
[Switch-GigabitEthernet2/0/0] port link-type hybrid
[Switch-GigabitEthernet2/0/0] stp disable //Disable STP on the interface.
[Switch-GigabitEthernet2/0/0] port hybrid tagged vlan 10 to 20
[Switch-GigabitEthernet2/0/0] loop-detection mode port-quitvlan //Configure the Quitvlan action to be
taken after a loop is detected.
[Switch-GigabitEthernet2/0/0] quit

Step 5 Set the interface recovery time.


[Switch] interface gigabitethernet 1/0/0
[Switch-GigabitEthernet1/0/0] loop-detection recovery-time 30 //Set the recovery time to 30s.
[Switch-GigabitEthernet1/0/0] quit
[Switch] interface gigabitethernet 2/0/0
[Switch-GigabitEthernet2/0/0] loop-detection recovery-time 30 //Set the recovery time to 30s.
[Switch-GigabitEthernet2/0/0] quit

Step 6 Verify the configuration.


1. Check the LDT configuration.
# After the configuration is complete, run the display loop-detection
command to check global LDT information.
[Switch] display loop-detection
Loop Detection is enabled.
Detection interval time is 10 seconds.
Following VLANs enable loop-detection:
VLAN 10 to 20
Following ports are blocked for loop:
NULL
Following ports are shutdown for loop:
NULL
Following ports are nolearning for loop:
NULL
Following ports are trapped for loop:
NULL
Following ports are quitvlan for loop:
GigabitEthernet1/0/0 Include Vlans:
10 11 12 16 19
GigabitEthernet2/0/0 Include Vlans:
13 14 15 17 18
20

# Check LDT information on GE1/0/0 and GE2/0/0.


[Switch] display loop-detection interface gigabitethernet 1/0/0
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Quitvlan Quitvlan 30 10
Quitvlan Quitvlan 30 11
Quitvlan Quitvlan 30 12
Normal Quitvlan 30 13
Normal Quitvlan 30 14
Normal Quitvlan 30 15
Quitvlan Quitvlan 30 16
Normal Quitvlan 30 17
Normal Quitvlan 30 18
Quitvlan Quitvlan 30 19
Normal Quitvlan 30 20
[Switch] display loop-detection interface gigabitethernet 2/0/0
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30 10
Normal Quitvlan 30 11
Normal Quitvlan 30 12
Quitvlan Quitvlan 30 13
Quitvlan Quitvlan 30 14
Quitvlan Quitvlan 30 15
Normal Quitvlan 30 16
Quitvlan Quitvlan 30 17
Quitvlan Quitvlan 30 18
Normal Quitvlan 30 19
Quitvlan Quitvlan 30 20

In the command output, LDT is enabled in VLANs 10 to 20, GE1/0/0 is
removed from VLANs 10, 11, 12, 16, and 19, and GE2/0/0 is removed from
VLANs 13, 14, 15, 17, 18, and 20.
NOTE

The VLANs that a particular interface is removed from are not deterministic,
but the interface is removed from every VLAN in which a loop is detected on it.
2. After the loop is eliminated (for example, GE2/0/0 is shut down, and
connections between devices are corrected), check whether GE1/0/0 and
GE2/0/0 are restored.
[Switch] display loop-detection interface gigabitethernet 1/0/0
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30 10
Normal Quitvlan 30 11
Normal Quitvlan 30 12
Normal Quitvlan 30 13
Normal Quitvlan 30 14
Normal Quitvlan 30 15
Normal Quitvlan 30 16
Normal Quitvlan 30 17
Normal Quitvlan 30 18
Normal Quitvlan 30 19
Normal Quitvlan 30 20
[Switch] display loop-detection interface gigabitethernet 2/0/0
The port is enabled.
The port's status list:
Status WorkMode Recovery-time EnabledVLAN
-----------------------------------------------------------------------
Normal Quitvlan 30 10
Normal Quitvlan 30 11
Normal Quitvlan 30 12
Normal Quitvlan 30 13
Normal Quitvlan 30 14
Normal Quitvlan 30 15
Normal Quitvlan 30 16
Normal Quitvlan 30 17
Normal Quitvlan 30 18
Normal Quitvlan 30 19
Normal Quitvlan 30 20

The command output shows that GE1/0/0 and GE2/0/0 are restored.

----End
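The verification above is done by reading the command output by eye. The following Python script is an added example, not part of the Huawei documentation: it parses the display loop-detection and display loop-detection interface outputs shown in this example so that an NMS-side job can record which VLANs were removed from which port, list the enabled VLANs not yet affected, and confirm from a later snapshot that a port has been restored. GLOBAL_OUTPUT is constructed from the global output printed above; the helper port_status_list fabricates the per-port status list for VLANs 10 to 20 instead of embedding all eleven rows.

```python
"""Parse the LDT status shown by `display loop-detection` and
`display loop-detection interface ...`, and diff two snapshots of a port."""
import re
from typing import Dict, List, Set, Tuple

# Global output, constructed from the verification step of this example.
GLOBAL_OUTPUT = """\
Loop Detection is enabled.
Detection interval time is 10 seconds.
Following VLANs enable loop-detection:
VLAN 10 to 20
Following ports are blocked for loop:
NULL
Following ports are shutdown for loop:
NULL
Following ports are nolearning for loop:
NULL
Following ports are trapped for loop:
NULL
Following ports are quitvlan for loop:
GigabitEthernet1/0/0 Include Vlans:
10 11 12 16 19
GigabitEthernet2/0/0 Include Vlans:
13 14 15 17 18
20
"""


def port_status_list(looped: Set[int], mode: str = "Quitvlan", recovery: int = 30) -> str:
    """Construct a `display loop-detection interface` status list for VLANs
    10 to 20, marking the given VLANs as being in the action state."""
    lines = ["The port is enabled.", "The port's status list:",
             "Status WorkMode Recovery-time EnabledVLAN", "-" * 71]
    for vlan in range(10, 21):
        status = mode if vlan in looped else "Normal"
        lines.append(f"{status} {mode} {recovery} {vlan}")
    return "\n".join(lines)


def parse_enabled_vlans(text: str) -> Set[int]:
    """Expand the 'VLAN x [to y]' lines under 'Following VLANs enable loop-detection:'."""
    vlans: Set[int] = set()
    for m in re.finditer(r"^VLAN (\d+)(?: to (\d+))?$", text, re.M):
        lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
        vlans.update(range(lo, hi + 1))
    return vlans


def parse_global(text: str) -> Dict[str, Dict[str, List[int]]]:
    """Return {action: {interface: [vlans]}} for every 'Following ports are ...' block."""
    result: Dict[str, Dict[str, List[int]]] = {}
    action = iface = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Following ports are (\w+) for loop:", line)
        if m:
            action, iface = m.group(1), None
            result[action] = {}
            continue
        if action is None or not line or line == "NULL":
            continue
        m = re.match(r"(\S+) Include Vlans:", line)
        if m:
            iface = m.group(1)
            result[action][iface] = []
        elif iface and re.fullmatch(r"[\d ]+", line):
            # VLAN numbers may wrap onto several lines, as in the output above.
            result[action][iface].extend(int(v) for v in line.split())
    return result


def affected_vlans(parsed: Dict[str, Dict[str, List[int]]]) -> Set[int]:
    """VLANs on which any action was taken on any port."""
    return {v for ports in parsed.values() for vlans in ports.values() for v in vlans}


def parse_interface(text: str) -> Dict[int, Tuple[str, str, int]]:
    """Return {vlan: (status, workmode, recovery_time)} from the per-port status list."""
    rows: Dict[int, Tuple[str, str, int]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2].isdigit() and parts[3].isdigit():
            rows[int(parts[3])] = (parts[0], parts[1], int(parts[2]))
    return rows


def looped_vlans(rows: Dict[int, Tuple[str, str, int]]) -> List[int]:
    """VLANs whose status is anything other than Normal."""
    return sorted(v for v, (status, _, _) in rows.items() if status != "Normal")


def restored_vlans(before: Dict[int, Tuple[str, str, int]],
                   after: Dict[int, Tuple[str, str, int]]) -> List[int]:
    """VLANs that were in an action state in `before` and are Normal in `after`."""
    return sorted(set(looped_vlans(before)) - set(looped_vlans(after)))
```

Because the global output lists an interface only once per action, a VLAN that appears under two interfaces (which the NOTE above allows) is counted once by affected_vlans; compare the two snapshots of a single port with restored_vlans to confirm recovery after the loop has been removed.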

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 to 20
#
loop-detection enable
loop-detection interval-time 10
loop-detection enable vlan 10 to 20
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 10 to 20
stp disable
loop-detection mode port-quitvlan
loop-detection recovery-time 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 10 to 20
stp disable
loop-detection mode port-quitvlan
loop-detection recovery-time 30
#
snmp-agent trap enable feature-name LDTTRAP
#
return

3.6.6.3 Example for Configuring LBDT to Detect Loopbacks on an Interface

Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast
packets are repeatedly transmitted on the network. This wastes network resources
and may even cause a network breakdown. To minimize the impact of loops on a
Layer 2 network, a detection technology that quickly notifies users of loops is
required. When a loop occurs, users are requested to check network connections
and configurations, and control the problematic interface.
Loopback detection (LBDT) periodically sends LBDT packets on an interface to
check whether the packets return to the local device (receive and transmit
interfaces can be different), and determines whether loops occur on the interface,
local network, or downstream network.
● If LBDT packets are received and sent by the same interface, a loopback
occurs on the interface or a loop occurs on the network connected to the
interface.
● If LBDT packets are received by another interface on the same device, a loop
occurs on the network connected to the interface or device.
After loops are detected, the device can send alarms to the NMS and record logs,
and can control the interface status (the interface is shut down by default)
according to the device configuration so that the impact of loops on the device
and network is minimized. The device provides the following actions after LBDT
detects a loop:
● Trap: The device reports a trap to the NMS and records a log, but does not
take any action on the interface.

● Block: The device blocks this interface, and can forward only BPDUs.
● No learning: The interface is disabled from learning MAC addresses.
● Shutdown: The device shuts down the interface.
● Quitvlan: The interface is removed from the VLAN where a loop occurs.

The problematic interface continues to send LBDT packets. After the configured
recovery time expires, the system attempts to restore the problematic interface. If
the device receives no LBDT packets from the problematic interface within the
next recovery time, it considers that the loop is eliminated on the interface and
restores the interface.

LBDT can only detect loops on a single node, but cannot eliminate loops on the
entire network in the same manner as ring network technologies of ERPS, RRPP,
SEP, Smart Link, and STP/RSTP/MSTP/VBST.

Configuration Notes
● This example applies to all versions of all S series switches.
● In V200R008C00 and earlier versions, LBDT does not take effect in dynamic
VLANs. In V200R008C00 and later versions, the LBDT-enabled switch can
detect loops in dynamic VLANs, but the Quitvlan action is invalid for dynamic
VLANs.
● LBDT needs to send a large number of LBDT packets to detect loops,
occupying system resources. Therefore, disable LBDT if loops do not need to
be detected.
● In versions earlier than V200R019C00, LBDT cannot be configured on an Eth-
Trunk or its member interfaces. In V200R019C00 and later versions, LBDT can
be configured on an Eth-Trunk but cannot be configured on its member
interfaces.
● Manual LBDT can be configured on a maximum of 128 Eth-Trunks.
● An interface can send LBDT packets with the specified VLAN tag only when
the specified VLAN has been created.
● LBDT can detect loops in a maximum of 32 VLANs.
● When the PVID of the interface in the loop is the detected VLAN ID or the
interface joins the detected VLAN in untagged mode, VLAN tags of LBDT
packets are removed. As a result, the packet priority changes and the system
may fail to detect loops.
● When the Quitvlan action is used, the configuration file remains unchanged.
● The LBDT action and MAC address flapping action affect each other, and
cannot be configured simultaneously.
● The Quitvlan action of LBDT conflicts with dynamic removal from VLANs (for
example, GVRP and HVRP), and cannot be configured simultaneously.
● The blocked ports of LBDT cannot block GVRP packets. To ensure that GVRP
runs normally and prevent GVRP loops, do not enable GVRP on the blocked
port of LBDT.
● On a modular switch, LBDT and loop detection (LDT) cannot be configured
simultaneously.

Networking Requirements
In Figure 3-106, aggregation switch SwitchA on an enterprise network connects to
access switch SwitchB. A loopback can occur on GE1/0/0 if the TX and RX optical
fibers are connected incorrectly or the interface is damaged by high voltage, so
SwitchA is required to detect loopbacks on GE1/0/0. Furthermore, when a
loopback is detected the interface must be blocked to reduce the impact of the
loopback on the network, and the interface must be restored after the loopback
is removed.

Figure 3-106 Networking for configuring LBDT to detect loopbacks on an
interface

Configuration Roadmap
To detect loopbacks on downlink interface GE1/0/0 of SwitchA, configure LBDT on
GE1/0/0 of SwitchA. The configuration roadmap is as follows:
1. Enable LBDT on GE1/0/0 of SwitchA to detect loopbacks.
2. Configure an action to be taken after a loopback is detected and set the
recovery time. After a loopback is detected, SwitchA blocks the interface to
reduce the impact of the loopback on the network. After the loopback is
eliminated, the interface can be restored.

Procedure
Step 1 Enable LBDT on an interface.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] loopback-detect enable //Enable LBDT on the interface.
[SwitchA-GigabitEthernet1/0/0] quit

Step 2 Configure an action to be taken after a loop is detected and set the recovery time.
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] loopback-detect action block //Configure the Block action to be taken
after a loop is detected.
[SwitchA-GigabitEthernet1/0/0] loopback-detect recovery-time 30 //Set the recovery delay to 30s.
[SwitchA-GigabitEthernet1/0/0] quit

Step 3 Verify the configuration.

1. Run the display loopback-detect command to check the LBDT configuration.
[SwitchA] display loopback-detect
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface                        RecoverTime   Action      Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/0             30            block       NORMAL
----------------------------------------------------------------------------------

The preceding command output shows that the LBDT configuration is successful.
2. After about 5s (one sending interval), run the display loopback-detect
command to check whether GE1/0/0 is blocked.
[SwitchA] display loopback-detect
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface                        RecoverTime   Action      Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/0             30            block       BLOCK(Loopback detected)
----------------------------------------------------------------------------------

The preceding command output shows that GE1/0/0 is blocked, indicating that a
loopback occurs on GE1/0/0.
3. Manually remove the loopback. Run the display loopback-detect command
to check whether GE1/0/0 is restored.
[SwitchA] display loopback-detect
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface                        RecoverTime   Action      Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/0             30            block       NORMAL
----------------------------------------------------------------------------------

The preceding command output shows that GE1/0/0 is restored.

----End
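LBDT restores a port by itself only once the loop is gone, so a port that stays in BLOCK (or SHUTDOWN) for longer than its recovery time indicates a loop that still has to be removed by hand, as the Configuration Notes recommend. The following Python script is an added example, not Huawei code: it parses the display loopback-detect table shown above and, given a series of polled outputs with their timestamps, reports the ports whose loop has outlived the recovery time. The snapshot helper fabricates the table for one port so the script runs offline; its layout follows the output in this example.

```python
"""Parse `display loopback-detect` output and flag ports whose loop has
outlived the configured recovery time, i.e. a loop that will not clear itself."""
import re
from typing import Dict, List, Tuple

# One table row: Interface  RecoverTime  Action  Status[(note)]
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\w+)\s+([A-Z]+)(?:\((.*)\))?$")


def snapshot(status: str, iface: str = "GigabitEthernet1/0/0", recovery: int = 30,
             action: str = "block", interval: int = 5) -> str:
    """Construct a `display loopback-detect` output for one port (test data,
    laid out like the output shown in this example)."""
    rule = "-" * 82
    return "\n".join([
        f"Loopback-detect sending-packet interval: {interval}",
        rule,
        "Interface                        RecoverTime   Action      Status",
        rule,
        f"{iface:<32} {recovery:<13} {action:<11} {status}",
        rule,
    ])


def parse_interval(text: str) -> int:
    """Sending interval in seconds (0 if the line is absent)."""
    m = re.search(r"sending-packet interval:\s*(\d+)", text)
    return int(m.group(1)) if m else 0


def parse_loopback_detect(text: str) -> Dict[str, dict]:
    """Return {interface: {recovery_time, action, state, note}} for each table row."""
    rows: Dict[str, dict] = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            iface, rt, action, state, note = m.groups()
            rows[iface] = {"recovery_time": int(rt), "action": action,
                           "state": state, "note": note or ""}
    return rows


def persistent_loops(snapshots: List[Tuple[int, str]]) -> Dict[str, int]:
    """Given (seconds, output) polls in time order, return the ports that have
    stayed in a loop state for at least their recovery time, mapped to the
    seconds they have been in it. A port that returns to NORMAL drops out."""
    entered: Dict[str, int] = {}
    stuck: Dict[str, int] = {}
    for t, text in snapshots:
        for iface, row in parse_loopback_detect(text).items():
            if row["state"] == "NORMAL":
                entered.pop(iface, None)
                stuck.pop(iface, None)
                continue
            first = entered.setdefault(iface, t)
            if t - first >= row["recovery_time"]:
                stuck[iface] = t - first
    return stuck
```

Poll at least as often as the sending interval reported in the first line of the output; polling less often than the recovery time would miss a port that was blocked and restored between two polls.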

Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
interface GigabitEthernet1/0/0
loopback-detect recovery-time 30
loopback-detect enable
loopback-detect action block
#
return

3.6.6.4 Example for Configuring LBDT to Detect Loops on the Downstream
Network

Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast
packets are repeatedly transmitted on the network. This wastes network resources
and may even cause a network breakdown. To minimize the impact of loops on a
Layer 2 network, a detection technology that quickly notifies users of loops is
required. When a loop occurs, users are requested to check network connections
and configurations, and control the problematic interface.

Loopback detection (LBDT) periodically sends LBDT packets on an interface to
check whether the packets return to the local device (receive and transmit
interfaces can be different), and determines whether loops occur on the interface,
local network, or downstream network.
● If LBDT packets are received and sent by the same interface, a loopback
occurs on the interface or a loop occurs on the network connected to the
interface.
● If LBDT packets are received by another interface on the same device, a loop
occurs on the network connected to the interface or device.

After loops are detected, the device can send alarms to the NMS and record logs,
and can control the interface status (the interface is shut down by default)
according to the device configuration so that the impact of loops on the device
and network is minimized. The device provides the following actions after LBDT
detects a loop:
● Trap: The device reports a trap to the NMS and records a log, but does not
take any action on the interface.
● Block: The device blocks this interface, and can forward only BPDUs.
● No learning: The interface is disabled from learning MAC addresses.
● Shutdown: The device shuts down the interface.
● Quitvlan: The interface is removed from the VLAN where a loop occurs.

The problematic interface continues to send LBDT packets. After the configured
recovery time expires, the system attempts to restore the problematic interface. If
the device receives no LBDT packets from the problematic interface within the
next recovery time, it considers that the loop is eliminated on the interface and
restores the interface.

LBDT can only detect loops on a single node, but cannot eliminate loops on the
entire network in the same manner as ring network technologies of ERPS, RRPP,
SEP, Smart Link, and STP/RSTP/MSTP/VBST.

Configuration Notes
● This example applies to all versions of all S series switches.
● In V200R008C00 and earlier versions, LBDT does not take effect in dynamic
VLANs. In V200R008C00 and later versions, the LBDT-enabled switch can
detect loops in dynamic VLANs, but the Quitvlan action is invalid for dynamic
VLANs.

● LBDT needs to send a large number of LBDT packets to detect loops,
occupying system resources. Therefore, disable LBDT if loops do not need to
be detected.
● In versions earlier than V200R019C00, LBDT cannot be configured on an Eth-
Trunk or its member interfaces. In V200R019C00 and later versions, LBDT can
be configured on an Eth-Trunk but cannot be configured on its member
interfaces.
● Manual LBDT can be configured on a maximum of 128 Eth-Trunks.
● An interface can send LBDT packets with the specified VLAN tag only when
the specified VLAN has been created.
● LBDT can detect loops in a maximum of 32 VLANs.
● When the PVID of the interface in the loop is the detected VLAN ID or the
interface joins the detected VLAN in untagged mode, VLAN tags of LBDT
packets are removed. As a result, the packet priority changes and the system
may fail to detect loops.
● When the Quitvlan action is used, the configuration file remains unchanged.
● The LBDT action and MAC address flapping action affect each other, and
cannot be configured simultaneously.
● The Quitvlan action of LBDT conflicts with dynamic removal from VLANs (for
example, GVRP and HVRP), and cannot be configured simultaneously.
● The blocked ports of LBDT cannot block GVRP packets. To ensure that GVRP
runs normally and prevent GVRP loops, do not enable GVRP on the blocked
port of LBDT.
● On a modular switch, LBDT and loop detection (LDT) cannot be configured
simultaneously.

Networking Requirements
In Figure 3-107, a new department of an enterprise connects to the aggregation
switch Switch. This department belongs to VLAN 100. Loops occur due to incorrect
connections or configurations. As a result, communication on the Switch and
uplink network is affected.
It is required that the Switch should detect loops on the new network to prevent
the impact of loops on the Switch and connected network.

Figure 3-107 Networking for configuring LBDT to detect loops on the downstream
network

Configuration Roadmap
The configuration roadmap is as follows:

1. Enable LBDT on GE1/0/1 of the Switch to detect loops in a specified VLAN so
that loops on the downstream network can be detected.
2. Set LBDT parameters so that the Switch can immediately shut down GE1/0/1
after a loop is detected. This prevents the impact of the loop on the Switch
and connected network.

NOTE

Configure interfaces on other switching devices as trunk or hybrid interfaces and configure
these interfaces to allow packets from corresponding VLANs to pass through. This ensures
Layer 2 connectivity on the new network and between the new network and the Switch.

Procedure
Step 1 Enable LBDT on the interface.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] loopback-detect enable //Enable LBDT on the interface.
[Switch-GigabitEthernet1/0/1] quit

Step 2 Specify the VLAN ID of LBDT packets.


[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid //In V200R005C00 and later versions, the default link
type of a switch interface is not hybrid. Run the port link-type hybrid command to set the link type of
the interface to hybrid.
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 100
[Switch-GigabitEthernet1/0/1] loopback-detect packet vlan 100 //Enable LBDT to detect loops in VLAN
100.
[Switch-GigabitEthernet1/0/1] quit

Step 3 Configure LBDT parameters.

# Set the interval for sending LBDT packets.


[Switch] loopback-detect packet-interval 10

# Configure an action to be taken after a loop is detected.


[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] loopback-detect action shutdown //Configure the Shutdown action to be
taken after a loop is detected.
[Switch-GigabitEthernet1/0/1] quit

Step 4 Verify the configuration.


1. Run the display loopback-detect command to check the LBDT configuration.
[Switch] display loopback-detect
Loopback-detect sending-packet interval: 10
----------------------------------------------------------------------------------
Interface                    RecoverTime   Action     Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1         30            shutdown   NORMAL
----------------------------------------------------------------------------------
The preceding command output shows that the LBDT configuration is successful.
2. Construct loops on the downstream network and run the display loopback-detect
command to check whether GE1/0/1 is shut down.
[Switch] display loopback-detect
Loopback-detect sending-packet interval: 10
----------------------------------------------------------------------------------
Interface                    RecoverTime   Action     Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1         30            shutdown   SHUTDOWN(Loopback detected)
----------------------------------------------------------------------------------
The preceding command output shows that GE1/0/1 is shut down.

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100
#
loopback-detect packet-interval 10
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect packet vlan 100
loopback-detect enable

#
return

3.6.6.5 Example for Configuring LBDT to Detect Loops on the Local Network

Overview
When a loop occurs on a network, broadcast, multicast, and unknown unicast
packets are repeatedly transmitted on the network. This wastes network resources
and may even cause a network breakdown. To minimize the impact of loops on a
Layer 2 network, a detection technology that quickly notifies users of loops is
required. When a loop occurs, users are requested to check network connections
and configurations, and control the problematic interface.
Loopback detection (LBDT) periodically sends LBDT packets on an interface to
check whether the packets return to the local device (receive and transmit
interfaces can be different), and determines whether loops occur on the interface,
local network, or downstream network.
● If LBDT packets are received and sent by the same interface, a loopback
occurs on the interface or a loop occurs on the network connected to the
interface.
● If LBDT packets are received by another interface on the same device, a loop
occurs on the network connected to the interface or device.
After loops are detected, the device can send alarms to the NMS and record logs,
and can control the interface status (the interface is shut down by default)
according to the device configuration so that the impact of loops on the device
and network is minimized. The device provides the following actions after LBDT
detects a loop:
● Trap: The device reports a trap to the NMS and records a log, but does not
take any action on the interface.
● Block: The device blocks this interface, and can forward only BPDUs.
● No learning: The interface is disabled from learning MAC addresses.
● Shutdown: The device shuts down the interface.
● Quitvlan: The interface is removed from the VLAN where a loop occurs.
The problematic interface continues to send LBDT packets. After the configured
recovery time expires, the system attempts to restore the problematic interface. If
the device receives no LBDT packets from the problematic interface within the
next recovery time, it considers that the loop is eliminated on the interface and
restores the interface.
LBDT can only detect loops on a single node, but cannot eliminate loops on the
entire network in the same manner as ring network technologies of ERPS, RRPP,
SEP, Smart Link, and STP/RSTP/MSTP/VBST.

Configuration Notes
● This example applies to all versions of all S series switches.
● In V200R008C00 and earlier versions, LBDT does not take effect in dynamic
VLANs. In V200R008C00 and later versions, the LBDT-enabled switch can
detect loops in dynamic VLANs, but the Quitvlan action is invalid for dynamic
VLANs.

● LBDT needs to send a large number of LBDT packets to detect loops,
occupying system resources. Therefore, disable LBDT if loops do not need to
be detected.
● In versions earlier than V200R019C00, LBDT cannot be configured on an Eth-
Trunk or its member interfaces. In V200R019C00 and later versions, LBDT can
be configured on an Eth-Trunk but cannot be configured on its member
interfaces.
● Manual LBDT can be configured on a maximum of 128 Eth-Trunks.
● An interface can send LBDT packets with the specified VLAN tag only when
the specified VLAN has been created.
● LBDT can detect loops in a maximum of 32 VLANs.
● When the PVID of the interface in the loop is the detected VLAN ID or the
interface joins the detected VLAN in untagged mode, VLAN tags of LBDT
packets are removed. As a result, the packet priority changes and the system
may fail to detect loops.
● When the Quitvlan action is used, the configuration file remains unchanged.
● The LBDT action and MAC address flapping action affect each other, and
cannot be configured simultaneously.
● The Quitvlan action of LBDT conflicts with dynamic removal from VLANs (for
example, GVRP and HVRP), and cannot be configured simultaneously.
● The blocked ports of LBDT cannot block GVRP packets. To ensure that GVRP
runs normally and prevent GVRP loops, do not enable GVRP on the blocked
port of LBDT.
● On a modular switch, LBDT and loop detection (LDT) cannot be configured
simultaneously.

Networking Requirements
In Figure 3-108, a small-scale enterprise uses Layer 2 networking and belongs to
VLAN 100. Because employees often move, the network topology changes
frequently. Loops occur due to incorrect connections or configurations during the
change. As a result, broadcast storms occur and affect communication of the
Switch and entire network.
The requirements are as follows:
● The Switch detects loops.
● When a loop exists, the interface is blocked to reduce the impact of the loop
on the Switch and network.
● When the loop is eliminated, the interface can be restored.

Figure 3-108 Networking for configuring LBDT to detect loops on the local network

Configuration Roadmap
To detect loops on the network where the Switch is deployed, configure LBDT on
GE1/0/1 and GE1/0/2 of the Switch. In this example, untagged LBDT packets sent
by the Switch will be discarded by other switches on the network. As a result, the
packets cannot be sent back to the Switch, and LBDT fails. Therefore, LBDT is
configured in a specified VLAN. The configuration roadmap is as follows:
1. Enable LBDT on interfaces and configure the Switch to detect loops in VLAN
100 to implement LBDT on the network where the Switch is located.
2. Configure an action to be taken after a loop is detected and set the recovery
time. After a loop is detected, the Switch blocks the interface to reduce the
impact of the loop on the network. After a loop is eliminated, the interface
can be restored.

NOTE

Configure interfaces on other switching devices as trunk or hybrid interfaces and configure
these interfaces to allow packets from corresponding VLANs to pass through to ensure
Layer 2 connectivity.

Procedure
Step 1 Enable LBDT on interfaces.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] loopback-detect enable //Enable LBDT on the interface.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] loopback-detect enable //Enable LBDT on the interface.
[Switch-GigabitEthernet1/0/2] quit

Step 2 Specify the VLAN ID of LBDT packets.


[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid //In V200R005C00 and later versions, the default link type of a switch interface is not hybrid. You can run the port link-type hybrid command to configure the link type of the interface as hybrid.
[Switch-GigabitEthernet1/0/1] port hybrid tagged vlan 100
[Switch-GigabitEthernet1/0/1] loopback-detect packet vlan 100 //Enable LBDT to detect loops in VLAN 100.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid tagged vlan 100
[Switch-GigabitEthernet1/0/2] loopback-detect packet vlan 100 //Enable LBDT to detect loops in VLAN 100.
[Switch-GigabitEthernet1/0/2] quit

Step 3 Configure an action to be taken after a loop is detected and set the recovery time.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] loopback-detect action block //Configure the Block action to be taken after a loop is detected.
[Switch-GigabitEthernet1/0/1] loopback-detect recovery-time 30 //Set the recovery time to 30s.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] loopback-detect action block //Configure the Block action to be taken after a loop is detected.
[Switch-GigabitEthernet1/0/2] loopback-detect recovery-time 30 //Set the recovery time to 30s.
[Switch-GigabitEthernet1/0/2] quit

Step 4 Verify the configuration.


1. Run the display loopback-detect command to check the LBDT configuration.
[Switch] display loopback-detect
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface                    RecoverTime   Action     Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1         30            block      NORMAL
GigabitEthernet1/0/2         30            block      NORMAL
----------------------------------------------------------------------------------
The preceding command output shows that the LBDT configuration is successful.
2. After about 5s, run the display loopback-detect command to check whether
GE1/0/1 or GE1/0/2 is blocked.
[Switch] display loopback-detect
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface                    RecoverTime   Action     Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1         30            block      NORMAL
GigabitEthernet1/0/2         30            block      BLOCK(Loopback detected)
----------------------------------------------------------------------------------
The preceding command output shows that GE1/0/2 is blocked.


3. Shut down GE1/0/1. After 30s, run the display loopback-detect command to
check whether GE1/0/2 is restored.
[Switch] display loopback-detect
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface                    RecoverTime   Action     Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1         30            block      NORMAL
GigabitEthernet1/0/2         30            block      NORMAL
----------------------------------------------------------------------------------
The preceding command output shows that GE1/0/2 is restored.

----End
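As an added example (not part of the Huawei documentation), the following Python script parses the display loopback-detect output used in this example and the preceding one and lists the interfaces on which LBDT has blocked or shut down a port, which is what a monitoring job would poll after the configuration above. The sample output is constructed to match the column layout shown in the verification steps.

```python
"""Parse the output of 'display loopback-detect' on a Huawei S series switch
and report interfaces on which LBDT has detected a loop.

Added example, not Huawei code. The sample output below is constructed to
match the column layout shown in the verification steps of this example."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample output (not captured from a real switch): GE1/0/1 and
# GE1/0/2 use the Block action from this example, GE1/0/3 the Shutdown action
# from the previous example, so both loop states are exercised.
SAMPLE_OUTPUT = """\
Loopback-detect sending-packet interval: 5
----------------------------------------------------------------------------------
Interface                    RecoverTime   Action     Status
----------------------------------------------------------------------------------
GigabitEthernet1/0/1         30            block      NORMAL
GigabitEthernet1/0/2         30            block      BLOCK(Loopback detected)
GigabitEthernet1/0/3         30            shutdown   SHUTDOWN(Loopback detected)
----------------------------------------------------------------------------------
"""

# \s* also spans a line break, so an interval printed on the following line
# (as in a wrapped terminal capture) is still picked up.
INTERVAL_RE = re.compile(r"sending-packet interval:\s*(\d+)", re.IGNORECASE)
# interface, recovery time in seconds, action, then the rest of the line as status
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+(.+?)\s*$")


@dataclass
class LbdtEntry:
    interface: str
    recover_time: int   # seconds, from loopback-detect recovery-time
    action: str         # e.g. block or shutdown, as printed by the switch
    status: str         # NORMAL, BLOCK(...), SHUTDOWN(...), ...

    @property
    def loop_detected(self) -> bool:
        """Anything other than NORMAL means LBDT has acted on the interface."""
        return self.status.strip().upper() != "NORMAL"


def parse_loopback_detect(output: str) -> Tuple[Optional[int], List[LbdtEntry]]:
    """Return (sending interval in seconds, per-interface entries)."""
    m = INTERVAL_RE.search(output)
    interval = int(m.group(1)) if m else None
    entries: List[LbdtEntry] = []
    for line in output.splitlines():
        line = line.strip()
        # skip blank lines, separators, the interval line and the column header
        if not line or line.startswith("-") or line.lower().startswith(
            ("loopback-detect", "interface")
        ):
            continue
        row = ROW_RE.match(line)
        if row:
            entries.append(
                LbdtEntry(row.group(1), int(row.group(2)), row.group(3), row.group(4))
            )
    return interval, entries


def loop_alerts(output: str) -> List[str]:
    """One alert string per interface that is currently blocked or shut down."""
    _, entries = parse_loopback_detect(output)
    return [
        f"{e.interface}: {e.status}; action={e.action}, "
        f"restore attempted after {e.recover_time}s if the loop is gone"
        for e in entries
        if e.loop_detected
    ]


if __name__ == "__main__":
    interval, parsed = parse_loopback_detect(SAMPLE_OUTPUT)
    print(f"LBDT packet interval: {interval}s, {len(parsed)} interfaces")
    for alert in loop_alerts(SAMPLE_OUTPUT):
        print("ALERT", alert)
```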

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect recovery-time 30
loopback-detect packet vlan 100
loopback-detect enable
loopback-detect action block
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid tagged vlan 100
loopback-detect recovery-time 30
loopback-detect packet vlan 100
loopback-detect enable
loopback-detect action block
#
return

3.7 Typical IP Service Configuration

3.7.1 Configuring ARP

3.7.1.1 Example for Configuring Static ARP

Overview
Static ARP allows a network administrator to create fixed mappings between IP
and MAC addresses.

Dynamic ARP can leave networks vulnerable to ARP spoofs or attacks (when
malicious devices send falsified ARP messages to link an attacker's MAC address
with the IP address of a legitimate device). As a result, ARP entries may be
incorrectly learned. However, if a static ARP entry is configured on a device, the
device can communicate with the peer device using only the specified MAC
address. Network attackers cannot modify the mapping between the IP and MAC
addresses using ARP packets, ensuring communication between the two devices.

Static ARP entries are applicable when:

● Networks contain critical devices such as servers. Network attackers cannot
update the ARP entries containing IP addresses of the critical devices on the
switch using ARP attack packets, ensuring communication between users and
the critical devices.
● Networks contain user devices with multicast MAC addresses. By default, a
device does not learn ARP entries when the source MAC addresses of received
ARP packets are multicast MAC addresses.
● A network administrator wants to prevent an IP address from accessing
devices. The network administrator binds the IP address to an unavailable
MAC address.

Configuration Notes
● The number of static ARP entries configured on the device cannot exceed the
maximum number of static ARP entries on the device. You can run the
display arp statistics all command to check the number of existing ARP
entries on the device.
● This example applies to all versions of all S series switches.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a
product series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-109, the Switch connects different departments of an
enterprise. The departments are added to different VLANs. Fixed IP addresses have
been manually assigned to the file backup server and hosts in the president's
office, and dynamic IP addresses have been assigned to hosts in other
departments using DHCP. Hosts in the marketing department can access the
Internet and are often attacked by ARP packets. Attackers attack the Switch and
modify dynamic ARP entries on the Switch. As a result, communication between
hosts in the president's office and external devices is interrupted and hosts in
departments fail to access the file backup server. The company requires that static
ARP entries be configured on the Switch so that hosts in the president's office can
communicate with external devices and hosts in departments can access the file
backup server.

Figure 3-109 Networking diagram for configuring static ARP

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure static ARP entries for hosts in the president's office on the Switch to
prevent ARP entries of the hosts in the president's office from being modified
by ARP attack packets.
2. Configure a static ARP entry for the file backup server on the Switch to
prevent the ARP entry of the file backup server from being modified by ARP
attack packets.

Procedure
Step 1 Create VLANs on the Switch and configure an IP address for each interface.

# Create VLAN 10, add the interfaces to VLAN 10, and configure an IP address for
VLANIF 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10

[Switch-Vlanif10] ip address 10.164.1.20 24
[Switch-Vlanif10] quit

# Configure GE1/0/2 as the primary interface and configure an IP address for it.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] undo portswitch
[Switch-GigabitEthernet1/0/2] ip address 10.164.10.10 24
[Switch-GigabitEthernet1/0/2] quit

# Configure GE1/0/3 as the primary interface and configure an IP address for it.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] undo portswitch
[Switch-GigabitEthernet1/0/3] ip address 10.164.20.1 24
[Switch-GigabitEthernet1/0/3] quit

NOTE

If the Switch does not support the configuration that uses the undo portswitch command
to configure an interface as the primary interface and then configures an IP address for it,
configure the interface as a VLANIF interface and then configure an IP address for it.

Step 2 Configure static ARP entries on the Switch.


[Switch] arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface gigabitethernet 1/0/1 //Configure a static ARP entry for hosts in the president's office
[Switch] arp static 10.164.10.1 00e0-fc02-1234 interface gigabitethernet 1/0/2 //Configure a static ARP entry for the file backup server

Step 3 Verify the configuration.


# Run the display arp static command to check the configured static ARP entries.
[Switch] display arp static
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE VLAN/CEVLAN
------------------------------------------------------------------------------
10.164.1.1      00e0-fc01-0001            S--         GE1/0/1                  10/-
10.164.10.1     00e0-fc02-1234            S--         GE1/0/2                  40/-
------------------------------------------------------------------------------
Total:2         Dynamic:0       Static:2     Interface:0

# Ping the IP address 10.164.20.2/24 of the interface on the Router connecting to
the Switch from a host (the IP address is 10.164.1.1/24, using Windows 7
operating system as an example) in the president's office. The ping succeeds.
C:\Documents and Settings\Administrator> ping 10.164.20.2
Pinging 10.164.20.2 with 32 bytes of data:
Reply from 10.164.20.2: bytes=32 time=1ms TTL=128
Reply from 10.164.20.2: bytes=32 time=1ms TTL=128
Reply from 10.164.20.2: bytes=32 time=1ms TTL=128
Reply from 10.164.20.2: bytes=32 time=1ms TTL=128

Ping statistics for 10.164.20.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

# Ping the IP address 10.164.10.1/24 of the file backup server from a host (for
example, using the IP address 10.164.2.100/24 and Windows 7 operating system)
in the marketing department. The ping succeeds.
C:\Documents and Settings\Administrator> ping 10.164.10.1
Pinging 10.164.10.1 with 32 bytes of data:
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125

Reply from 10.164.10.1: bytes=32 time=1ms TTL=125
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125

Ping statistics for 10.164.10.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

# Ping the IP address 10.164.10.1/24 of the file backup server from a host (for
example, using the IP address 10.164.3.100/24 and Windows 7 operating system)
in the R&D department. The ping succeeds.
C:\Documents and Settings\Administrator> ping 10.164.10.1
Pinging 10.164.10.1 with 32 bytes of data:
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125
Reply from 10.164.10.1: bytes=32 time=1ms TTL=125

Ping statistics for 10.164.10.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 1ms, Average = 1ms

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface Vlanif10
ip address 10.164.1.20 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
undo portswitch
ip address 10.164.10.10 255.255.255.0
#
interface GigabitEthernet1/0/3
undo portswitch
ip address 10.164.20.1 255.255.255.0
#
arp static 10.164.1.1 00e0-fc01-0001 vid 10 interface GigabitEthernet1/0/1
arp static 10.164.10.1 00e0-fc02-1234 interface GigabitEthernet1/0/2
#
return
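The following Python script is an added example, not Huawei's code: it parses display arp output in the format shown in Step 3, checks that every critical host in an inventory has a static (S--) binding with the expected MAC address, and generates the arp static commands for hosts that are missing or only learned dynamically. The inventory and switch output are constructed from this example's addresses, with one MAC deliberately altered and two hypothetical office hosts added.

```python
"""Audit the static ARP bindings on a Huawei S series switch against an
inventory of critical hosts and emit the 'arp static' commands for any host
that is missing or only has a dynamic (spoofable) entry.

Added example, not Huawei code. The inventory reuses the addresses from this
example; the switch output is constructed."""
import re
from typing import Dict, List, NamedTuple, Optional

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MAC_RE = re.compile(r"^[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}$", re.IGNORECASE)
VLAN_RE = re.compile(r"^(\d+|-)/(\d+|-)$")      # VLAN/CEVLAN column, e.g. 10/-


class ArpEntry(NamedTuple):
    ip: str
    mac: str
    entry_type: str          # S-- static, D-x dynamic, I- interface
    interface: Optional[str]
    vlan: Optional[int]


class CriticalHost(NamedTuple):
    ip: str
    mac: str
    interface: str           # as typed in the arp static command
    vlan: Optional[int]      # None for a routed (undo portswitch) interface


# Constructed inventory: the president's office host and the file backup
# server from this example, plus two hypothetical office hosts (10.164.1.2,
# 10.164.1.3) that are not in this example.
INVENTORY = [
    CriticalHost("10.164.1.1", "00e0-fc01-0001", "gigabitethernet 1/0/1", 10),
    CriticalHost("10.164.1.2", "00e0-fc01-0002", "gigabitethernet 1/0/1", 10),
    CriticalHost("10.164.1.3", "00e0-fc01-0003", "gigabitethernet 1/0/1", 10),
    CriticalHost("10.164.10.1", "00e0-fc02-1234", "gigabitethernet 1/0/2", None),
]

# Constructed 'display arp' output in the layout shown above. EXPIRE(M) is
# blank for static entries, so columns do not line up token for token.
# 10.164.1.3 has only been learned dynamically, and the file backup server
# line carries a wrong MAC on purpose.
SAMPLE_DISPLAY = """\
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE VLAN/CEVLAN
------------------------------------------------------------------------------
10.164.1.1      00e0-fc01-0001            S--         GE1/0/1                  10/-
10.164.1.3      00e0-fc01-0003  20        D-0         GE1/0/1                  10/-
10.164.10.1     00e0-fc02-9999            S--         GE1/0/2                  40/-
------------------------------------------------------------------------------
Total:3         Dynamic:1       Static:2     Interface:0
"""


def parse_arp_table(output: str) -> List[ArpEntry]:
    """Parse rows of 'display arp' / 'display arp static'; other lines are ignored."""
    entries: List[ArpEntry] = []
    for line in output.splitlines():
        tok = line.split()
        if len(tok) < 3 or not IP_RE.match(tok[0]) or not MAC_RE.match(tok[1]):
            continue
        # the EXPIRE(M) column is only present (numeric) for dynamic entries
        idx = 3 if tok[2].isdigit() else 2
        if idx >= len(tok):
            continue
        interface = tok[idx + 1] if len(tok) > idx + 1 else None
        vlan = None
        m = VLAN_RE.match(tok[-1])
        if m and m.group(1) != "-":
            vlan = int(m.group(1))
        entries.append(ArpEntry(tok[0], tok[1].lower(), tok[idx], interface, vlan))
    return entries


def audit_static_arp(output: str, inventory: List[CriticalHost]) -> Dict[str, List[str]]:
    """Classify each inventory host: ok, missing, unprotected (dynamic) or mismatch."""
    on_switch = {e.ip: e for e in parse_arp_table(output)}
    report: Dict[str, List[str]] = {"ok": [], "missing": [], "unprotected": [], "mismatch": []}
    for host in inventory:
        have = on_switch.get(host.ip)
        if have is None:
            report["missing"].append(host.ip)
        elif not have.entry_type.startswith("S"):
            # a dynamic entry for a critical host is exactly what static ARP prevents
            report["unprotected"].append(host.ip)
        elif have.mac != host.mac.lower():
            report["mismatch"].append(
                f"{host.ip}: switch has {have.mac}, inventory has {host.mac.lower()}"
            )
        else:
            report["ok"].append(host.ip)
    return report


def arp_static_commands(inventory: List[CriticalHost], ips: List[str]) -> List[str]:
    """Build the system-view commands that would add bindings for the given IPs."""
    cmds = []
    for host in inventory:
        if host.ip in ips:
            vid = f" vid {host.vlan}" if host.vlan is not None else ""
            cmds.append(f"arp static {host.ip} {host.mac}{vid} interface {host.interface}")
    return cmds


if __name__ == "__main__":
    result = audit_static_arp(SAMPLE_DISPLAY, INVENTORY)
    print(result)
    for cmd in arp_static_commands(INVENTORY, result["missing"] + result["unprotected"]):
        print(cmd)
```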

3.7.1.2 Example for Configuring Routed Proxy ARP

Overview
When an enterprise network is divided into subnets, two subnets may belong to
the same network segment but different physical networks. These two subnets are
isolated by the switch. You can modify the routing information about the hosts on
the network, so that the data packets destined for other subnets are sent to the
gateway connected to different subnets and then forwarded by the gateway to the
destination. However, to implement this solution, you must configure routes for all
hosts on the subnets. This complicates management and maintenance.
Deploying routed proxy ARP on the gateway can effectively solve the
management and maintenance problems in subnet division. Routed proxy ARP
allows the communication between the hosts whose IP addresses belong to the
same network segment but different physical networks. In addition, the default
gateway does not need to be configured on the hosts, facilitating management
and maintenance.

Configuration Notes
After routed proxy ARP is enabled on the device, reduce the aging time of ARP
entries on hosts so that invalid ARP entries are aged out as soon as possible. This
reduces the number of packets that are sent to the switch but cannot be forwarded
by it.
This example applies to the following products:
● V200R005C00SPC300 and later versions: S2750-EI, S5700-LI, S5700S-LI
● S2700-EI, S2710-SI, S2720-EI, S3700-SI, S3700-EI, S3700-HI
● S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-LI, S5710-EI, S5710-HI,
S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5720-HI,
S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S, S5731S-S, S5731S-H,
S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1,
S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
● S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
● S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see Table
3-1 in "Applicable Products and Versions" for details.

NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-110, branch A and branch B of the enterprise are located in
different cities and their host IP addresses belong to the same network segment
172.16.0.0/16. There are reachable routes between Switch_1 connected to branch
A and Switch_2 connected to branch B. Branch A and branch B belong to different
broadcast domains; therefore, they cannot communicate on a LAN. Hosts in the
branches are not configured with default gateway addresses, so they cannot
communicate across network segments. The enterprise requires that branch A and
branch B communicate without changing the host configurations.

Figure 3-110 Networking diagram for configuring routed proxy ARP

Configuration Roadmap
The configuration roadmap is as follows:
1. Add the interface connecting Switch_1 and branch A to VLAN 10 and add the
interface connecting Switch_2 and branch B to VLAN 20.
2. Enable routed proxy ARP on VLANIF interfaces of branch A and branch B to
allow the two branches to communicate.

Procedure
Step 1 Create VLANs, add interfaces to VLANs, and configure IP addresses for the
interfaces.
# Configure Switch_1.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 10
[Switch_1] interface gigabitethernet 1/0/1
[Switch_1-GigabitEthernet1/0/1] port link-type access
[Switch_1-GigabitEthernet1/0/1] port default vlan 10
[Switch_1-GigabitEthernet1/0/1] quit
[Switch_1] interface vlanif 10
[Switch_1-Vlanif10] ip address 172.16.1.1 24

# Configure Switch_2.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 20
[Switch_2] interface gigabitethernet 1/0/1
[Switch_2-GigabitEthernet1/0/1] port link-type access
[Switch_2-GigabitEthernet1/0/1] port default vlan 20
[Switch_2-GigabitEthernet1/0/1] quit
[Switch_2] interface vlanif 20
[Switch_2-Vlanif20] ip address 172.16.2.1 24

Step 2 Configure routed proxy ARP.


# Configure Switch_1.
[Switch_1-Vlanif10] arp-proxy enable //Configure routed proxy ARP
[Switch_1-Vlanif10] quit

# Configure Switch_2.
[Switch_2-Vlanif20] arp-proxy enable //Configure routed proxy ARP
[Switch_2-Vlanif20] quit

Step 3 Verify the configuration.

# Check ARP entries of VLANIF 10 on Switch_1. The command output shows the
MAC address mapping the IP address of VLANIF 10.
[Switch_1] display arp interface vlanif 10
IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE        INTERFACE   VPN-INSTANCE VLAN/CEVLAN
------------------------------------------------------------------------------
172.16.1.1      00e0-fc12-3456            I-          Vlanif10
------------------------------------------------------------------------------
Total:1         Dynamic:0       Static:0     Interface:1

# Select Host_1 (using Windows 7 as an example) at 172.16.1.2/16 in branch A
and select Host_2 at 172.16.2.2/16 in branch B. Ping the IP address of Host_2 on
Host_1. The ping operation is successful.
C:\Documents and Settings\Administrator> ping 172.16.2.2
Pinging 172.16.2.2 with 32 bytes of data:
Reply from 172.16.2.2: bytes=32 time<1ms TTL=128
Reply from 172.16.2.2: bytes=32 time<1ms TTL=128
Reply from 172.16.2.2: bytes=32 time<1ms TTL=128
Reply from 172.16.2.2: bytes=32 time<1ms TTL=128

Ping statistics for 172.16.2.2:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 0ms, Maximum = 0ms, Average = 0ms

# Check the ARP table on Host_1. The command output shows that the MAC
address mapping the IP address of Host_2 is the MAC address of VLANIF 10 on
Switch_1, indicating that Host_1 and Host_2 can communicate with each other
through ARP proxy.
C:\Documents and Settings\Administrator> arp -a
Interface: 172.16.1.2 --- 0xd
Internet Address Physical Address Type
172.16.2.2 00e0-fc12-3456 dynamic
...

----End

Configuration Files
● Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 10
#
interface Vlanif10
ip address 172.16.1.1 255.255.255.0
arp-proxy enable
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
return

● Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 20
#
interface Vlanif20
ip address 172.16.2.1 255.255.255.0
arp-proxy enable
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 20
#
return

3.7.2 Typical DHCP Configuration

3.7.2.1 Example for Configuring the Device as a DHCP Server (Based on the
Interface Address Pool)

DHCP Server Overview


Users require that all terminals on a network dynamically obtain network
parameters such as IP addresses, DNS server IP address, routing information, and
gateway information. The users do not need to manually configure the network
parameters including terminal IP addresses. In addition, some mobile terminals
(for example, mobile phones, tablets, and laptops) should support plug-and-play,
without modification on network parameters each time. To meet these
requirements, the DHCP server function can be configured on an aggregation-
layer user gateway or a core-layer device to assign network parameters such as IP
addresses to terminals.

The Dynamic Host Configuration Protocol (DHCP) uses the client/server mode to
dynamically configure and uniformly manage network parameters for users. The
DHCP server uses an address pool to assign network parameters such as IP
addresses to the users. The global address pool or an interface address pool can
be used.

The configuration of an interface address pool is simple, which can be used only
when the users and DHCP server belong to the same network segment and the
server can only assign network parameters to the users on the interface. It is
applicable to small networks with a limited number of devices and controllable
configuration and maintenance workload. After the DHCP server function based
on the interface address pool is configured on the user gateway, the hosts and
mobile terminals on the interface can automatically obtain network parameters
such as IP addresses, without manual configuration and modification.

Compared with an interface address pool, the global address pool can be applied
to large networks. The DHCP server function based on the global address pool
should be configured on a core device, or an exclusive DHCP server be used to
assign network parameters such as IP addresses. The user gateway only needs to
be enabled with the DHCP relay function. For details, see 3.7.2.4 Example for
Configuring the Device as a DHCP Relay (on the Same Network).

Configuration Notes
This example applies to the following products:
● V200R009C00 and later versions: S2720-EI
● V200R005C00SPC300 and later versions: S2750-EI, S5700-LI, S5700S-LI
● S3700-SI, S3700-EI, S3700-HI
● S5700-SI, S5700-EI, S5700-HI, S5710-X-LI, S5710-EI, S5710-HI, S5720-LI,
S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI,
S5730-SI, S5730S-EI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H,
S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-
L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
● S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
● S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see Table
3-1 in "Applicable Products and Versions" for details.

NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-111, an enterprise allocates two network segments to office
terminals: 10.1.1.0/24 for employees with fixed office terminals and 10.1.2.0/24
for employees on business trips who temporarily access the network. The
enterprise requires that DHCP be used to assign IP addresses to both groups of
employees. One PC (DHCP Client_1) requires the fixed IP address 10.1.1.100/24 to
meet service requirements.

Figure 3-111 Networking diagram for configuring the device as a DHCP server

Configuration Roadmap
The configuration roadmap is as follows:
Configure the DHCP server function on the Switch to dynamically assign IP
addresses to the terminals on the two network segments. Configure the IP address
lease to 30 days for the employees with fixed office terminals on 10.1.1.0/24 and
one day for the employees on business trips on 10.1.2.0/24 to temporarily access
the network.

NOTE

Configure the interface link types and VLANs on LSW_1 and LSW_2 to implement Layer 2
communication.

Procedure
Step 1 Enable the DHCP service. By default, the service is disabled.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] dhcp enable

Step 2 Add interfaces to VLANs.

# Add GE0/0/1 to VLAN 10.
[Switch] vlan batch 10 to 11
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit

# Add GE0/0/2 to VLAN 11.
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 11
[Switch-GigabitEthernet0/0/2] quit

Step 3 Configure IP addresses for VLANIF interfaces.

# Configure an IP address for VLANIF 10.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.1.1 24 //Network segment assigned by the enterprise for fixed office terminals
[Switch-Vlanif10] quit

# Configure an IP address for VLANIF 11.
[Switch] interface vlanif 11
[Switch-Vlanif11] ip address 10.1.2.1 24 //Network segment assigned by the enterprise for employees on business trips
[Switch-Vlanif11] quit

Step 4 Configure an interface address pool.

# Configure the terminals connected to VLANIF 10 to obtain IP addresses from the
interface address pool.
[Switch] interface vlanif 10
[Switch-Vlanif10] dhcp select interface //Enable the DHCP server function based on the interface address pool on the interface. By default, the function is disabled.
[Switch-Vlanif10] dhcp server lease day 30 //The default lease is one day. Modify the lease to 30 days.
[Switch-Vlanif10] dhcp server static-bind ip-address 10.1.1.100 mac-address 00e0-fc12-3456 //Allocate a fixed IP address to Client_1.
[Switch-Vlanif10] quit

# Configure the terminals connected to VLANIF 11 to obtain IP addresses from the
interface address pool. The default lease (one day) is used and does not need to
be configured.
[Switch] interface vlanif 11
[Switch-Vlanif11] dhcp select interface //Enable the DHCP server function based on the interface address pool on the interface. By default, the function is disabled.
[Switch-Vlanif11] quit

Step 5 Enable the device to save DHCP data to the storage device. If a fault occurs on the
device, you can run the dhcp server database recover command after the system
restarts to restore DHCP data from files on the storage device.
[Switch] dhcp server database enable

Step 6 Configure each terminal (using the PC running Windows 7 as an example) to
automatically obtain an IP address.
1. Right-click Network and choose Properties to display the Network and
Sharing Center window.
2. Click Local Area Connection to display the Local Area Connection Status
window.
3. Click Properties to display the Local Area Connection Properties window.
4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties to display
the Internet Protocol Version 4 (TCP/IPv4) Properties window. Select
Obtain an IP address automatically, and click OK.

Step 7 Verify the configuration.

Run the display ip pool command on the Switch to check the address pools of
VLANIF 10 and VLANIF 11. In the following output, the enterprise has 100
employees with fixed office terminals and 3 employees on business trips.
[Switch] display ip pool interface vlanif10
Pool-name : Vlanif10
Pool-No :0
Lease : 30 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :100
Idle :153 Expired :0
Conflict :0 Disable :0

-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 100 153(0) 0 0
-------------------------------------------------------------------------------

[Switch] display ip pool interface vlanif11
Pool-name : Vlanif11
Pool-No :1
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Interface Status : Unlocked
Gateway-0 : 10.1.2.1
Network : 10.1.2.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :3
Idle :250 Expired :0
Conflict :0 Disable :0

-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.1.2.1 10.1.2.254 253 3 250(0) 0 0
-------------------------------------------------------------------------------

Check IP address information on Client_1 (using Windows 7 operating system).
The IP address 10.1.1.100/24 has been assigned to Client_1.
C:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.1.1.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1

Check IP address information on another DHCP client (for example, a terminal
belonging to the network segment 10.1.1.0/24 and using Windows 7 operating
system). An IP address has been assigned.
C:\Documents and Settings\Administrator>ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection 2:

Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.1.1.51
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 10.1.1.1

----End
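The address counts in the display ip pool output above (Total 253 for a /24 with one gateway address) follow from the pool definition, and a static binding such as the one for Client_1 only works if the bound address is actually assignable from that pool. The following Python example is added here and is not Huawei code; it models the pool accounting and the static-bind checks, and it goes beyond this example by also handling excluded-ip-address ranges, which later examples in this section use. The pool values are taken from this page; the function and field names are the example's own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# VRP writes MAC addresses as xxxx-xxxx-xxxx (see 'static-bind ... mac-address 00e0-fc12-3456').
MAC_RE = re.compile(r"^[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}$")


@dataclass
class Pool:
    """The subset of address-pool settings that decide what can be handed out."""
    network: IPv4Network                                   # network/mask of the pool
    gateways: set[str]                                     # gateway-list / VLANIF address
    excluded: list[tuple[str, str]] = field(default_factory=list)  # excluded-ip-address start end
    static: dict[str, str] = field(default_factory=dict)   # static-bind: mac -> ip

    def is_excluded(self, ip: IPv4Address) -> bool:
        return any(IPv4Address(lo) <= ip <= IPv4Address(hi) for lo, hi in self.excluded)

    def is_gateway(self, ip: IPv4Address) -> bool:
        return str(ip) in self.gateways


def pool_statistics(pool: Pool) -> dict[str, int]:
    """Reproduce the Total/Disabled/Idle accounting shown by 'display ip pool'.

    total    = host addresses of the network minus the gateway addresses
               (network and broadcast addresses are never assignable)
    disabled = addresses inside excluded-ip-address ranges (kept in the pool
               but never handed out)
    static   = addresses reserved by static bindings
    idle     = total - disabled - static, before any dynamic lease is given out
    """
    candidates = {a for a in pool.network.hosts() if not pool.is_gateway(a)}
    disabled = sum(1 for a in candidates if pool.is_excluded(a))
    static = sum(1 for ip in pool.static.values()
                 if IPv4Address(ip) in candidates and not pool.is_excluded(IPv4Address(ip)))
    return {"total": len(candidates), "disabled": disabled, "static": static,
            "idle": len(candidates) - disabled - static}


def check_static_bind(pool: Pool, ip: str, mac: str) -> list[str]:
    """Reasons a 'static-bind ip-address IP mac-address MAC' entry would never
    work as intended; an empty list means the binding is consistent with the pool."""
    addr = IPv4Address(ip)
    problems: list[str] = []
    if not MAC_RE.match(mac):
        problems.append(f"MAC {mac!r} is not in xxxx-xxxx-xxxx form")
    if addr not in pool.network:
        problems.append(f"{ip} is outside the pool network {pool.network}")
    elif addr in (pool.network.network_address, pool.network.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address")
    elif pool.is_gateway(addr):
        problems.append(f"{ip} is a gateway address of the pool")
    elif pool.is_excluded(addr):
        problems.append(f"{ip} lies inside an excluded-ip-address range")
    for bound_mac, bound_ip in pool.static.items():
        if bound_ip == ip and bound_mac.lower() != mac.lower():
            problems.append(f"{ip} is already bound to {bound_mac}")
    return problems


def example_pools() -> dict[str, Pool]:
    """Pools built from the values in the configuration examples of this section."""
    return {
        # 3.7.2.1: interface address pool of VLANIF 10, Client_1 bound to 10.1.1.100
        "vlanif10": Pool(IPv4Network("10.1.1.0/24"), {"10.1.1.1"},
                         static={"00e0-fc12-3456": "10.1.1.100"}),
        # 3.7.2.2: global pools pool1 and pool2, one /25 per office
        "office1": Pool(IPv4Network("10.1.1.0/25"), {"10.1.1.1"}),
        "office2": Pool(IPv4Network("10.1.1.128/25"), {"10.1.1.129"}),
        # 3.7.2.3: pool1 with the DNS and file servers excluded and the IP phone bound
        "duty_room": Pool(IPv4Network("10.1.1.0/24"), {"10.1.1.1"},
                          excluded=[("10.1.1.2", "10.1.1.3")],
                          static={"00e0-fc12-3456": "10.1.1.4"}),
    }
```

Running pool_statistics on the "vlanif10" pool gives total 253, the same Total the switch reports for VLANIF 10; on the "duty_room" pool it gives 2 disabled and 250 idle addresses, matching the Disabled and Idle counters of 3.7.2.3. check_static_bind is the pre-change review a practitioner would run before adding a binding: an address that is a gateway, excluded, or outside the pool is accepted by nobody's intent, and a second MAC bound to an address already in use by another binding is the classic source of a duplicate-address incident.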

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 to 11
#

dhcp enable
#
dhcp server database enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select interface
dhcp server static-bind ip-address 10.1.1.100 mac-address 00e0-fc12-3456
dhcp server lease day 30 hour 0 minute 0
#
interface Vlanif11
ip address 10.1.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 11
#
return

3.7.2.2 Example for Configuring a Device as the DHCP Server (Based on the
Global Address Pool)

DHCP Server Overview
Users require that all terminals on a network dynamically obtain network
parameters such as IP addresses, DNS server IP addresses, routing information,
and gateway information, so that nobody has to configure terminal IP addresses
and other network parameters manually. In addition, some mobile terminals (for
example, mobile phones, tablets, and laptops) should support plug-and-play,
without their network parameters being modified each time they connect. To meet
these requirements, the DHCP server function can be configured on an
aggregation-layer user gateway or a core-layer device to assign network
parameters such as IP addresses to terminals.

The Dynamic Host Configuration Protocol (DHCP) uses the client/server model to
dynamically configure and centrally manage network parameters for users. The
DHCP server assigns network parameters such as IP addresses to users from an
address pool, which can be either a global address pool or an interface address
pool.

An interface address pool is simple to configure, but it can be used only when
the users and the DHCP server are on the same network segment, and the server
can then assign network parameters only to the users on that interface. It is
applicable to small networks with a limited number of devices, where the
configuration and maintenance workload stays manageable. After the DHCP server
function based on the interface address pool is configured on the user gateway,
the hosts and mobile terminals on the interface obtain network parameters such
as IP addresses automatically, without manual configuration or modification.

Compared with an interface address pool, the global address pool is suited to
large networks. The DHCP server function based on the global address pool
should be configured on a core device, or an exclusive DHCP server should be
used, to assign network parameters such as IP addresses. The user gateway then
only needs to have the DHCP relay function enabled. For details, see 3.7.2.4
Example for Configuring the Device as a DHCP Relay (on the Same Network).

Configuration Notes
This example applies to the following products:
● V200R009C00 and later versions: S2720-EI
● V200R005C00SPC300 and later versions: S2750-EI, S5700-LI, S5700S-LI
● S3700-SI, S3700-EI, S3700-HI
● S5700-SI, S5700-EI, S5700-HI, S5710-X-LI, S5710-EI, S5710-HI, S5720-LI,
S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI,
S5730-SI, S5730S-EI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H,
S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-
L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
● S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
● S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see Table
3-1 in "Applicable Products and Versions" for details.

NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-112, an enterprise has two offices. To save network
resources, the switch functions as the DHCP server to allocate IP addresses to
hosts in the two offices. Hosts in office 1 are on the network segment 10.1.1.0/25
and are added to VLAN 10; the lease of IP addresses for these hosts is ten days.
Hosts in office 2 are on the network segment 10.1.1.128/25 and are added to
VLAN 11; the lease of IP addresses for these hosts is two days.

Figure 3-112 Networking diagram for configuring a device as the DHCP server

Configuration Roadmap
The configuration roadmap is as follows:

Configure the switch as the DHCP server to dynamically allocate IP addresses and
the DNS server address to hosts in the two offices. PCs on the network segment
10.1.1.0/25 are for employees in office 1 and obtain IP addresses with a lease of
ten days. PCs on the network segment 10.1.1.128/25 are for employees in office 2
and obtain IP addresses with a lease of two days.

Procedure
Step 1 Enable the DHCP service.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] dhcp enable

Step 2 Add interfaces to VLANs.

# Add GE1/0/1 to VLAN 10.
[Switch] vlan batch 10 to 11
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[Switch-GigabitEthernet1/0/1] quit

# Add GE1/0/2 to VLAN 11.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid pvid vlan 11
[Switch-GigabitEthernet1/0/2] port hybrid untagged vlan 11
[Switch-GigabitEthernet1/0/2] quit

Step 3 Configure IP addresses for VLANIF interfaces.

# Configure an IP address for VLANIF 10.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.1.1 25
[Switch-Vlanif10] quit

# Configure an IP address for VLANIF 11.
[Switch] interface vlanif 11
[Switch-Vlanif11] ip address 10.1.1.129 25
[Switch-Vlanif11] quit

Step 4 Configure global address pools.

# Configure the IP addresses and relevant network parameters of the global
address pool pool1.
[Switch] ip pool pool1
[Switch-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.128
[Switch-ip-pool-pool1] dns-list 10.1.2.3
[Switch-ip-pool-pool1] gateway-list 10.1.1.1
[Switch-ip-pool-pool1] lease day 10
[Switch-ip-pool-pool1] quit

# Configure the IP addresses and relevant network parameters of the global
address pool pool2.
[Switch] ip pool pool2
[Switch-ip-pool-pool2] network 10.1.1.128 mask 255.255.255.128
[Switch-ip-pool-pool2] dns-list 10.1.2.3
[Switch-ip-pool-pool2] gateway-list 10.1.1.129
[Switch-ip-pool-pool2] lease day 2
[Switch-ip-pool-pool2] quit

Step 5 Enable the DHCP server.

# Enable the DHCP server on VLANIF 10.
[Switch] interface vlanif 10
[Switch-Vlanif10] dhcp select global
[Switch-Vlanif10] quit

# Enable the DHCP server on VLANIF 11.
[Switch] interface vlanif 11
[Switch-Vlanif11] dhcp select global
[Switch-Vlanif11] quit

Step 6 Verify the configuration.

# Run the display ip pool name pool1 command on the switch to view IP address
allocation in the global address pool pool1. The Used field displays the number of
allocated IP addresses. The following uses the command output in V200R011C10
as an example.
[Switch] display ip pool name pool1
Pool-name : pool1
Pool-No :0
Lease : 10 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 10.1.2.3
NBNS-server0 :-
Netbios-type :-
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.128
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :125 Used :2
Idle :123 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.1.1.1 10.1.1.126 125 2 123(0) 0 0
-------------------------------------------------------------------------------

# Run the display ip pool name pool2 command on the switch to view IP address
allocation in the global address pool pool2. The Used field displays the number of
allocated IP addresses. The following uses the command output in V200R011C10
as an example.
[Switch] display ip pool name pool2
Pool-name : pool2
Pool-No :1
Lease : 2 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 10.1.2.3
NBNS-server0 :-
Netbios-type :-
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.129
Network : 10.1.1.128
Mask : 255.255.255.128
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :125 Used :2
Idle :123 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.1.1.129 10.1.1.254 125 2 123(0) 0 0
-------------------------------------------------------------------------------

----End
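The Used field explained above is what an operator watches to notice a pool running dry or addresses marked as conflicting, and the counters only make sense if they add up to Total. The following Python example is added here and is not Huawei code: it parses the display ip pool output in the format shown above (it also accepts the interface-pool variant from 3.7.2.1, which spells the last counter "Disable") and reports what a reviewer of a DHCP server would want flagged. The sample text is the pool1 output from Step 6, embedded as a constructed string; the two derived samples are constructed variations of it. The check assumes, as the Idle(Expired) column suggests, that expired addresses are counted within Idle.

```python
from __future__ import annotations

import re

# Constructed sample input: the 'display ip pool name pool1' output shown in
# Step 6 above (V200R011C10 format), embedded so the check runs offline.
SAMPLE_OUTPUT = """\
Pool-name : pool1
Pool-No :0
Lease : 10 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 10.1.2.3
NBNS-server0 :-
Netbios-type :-
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.128
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :125 Used :2
Idle :123 Expired :0
Conflict :0 Disabled :0
"""

# Two constructed variants of the same output: a pool that is almost exhausted
# and one in which the server detected an address conflict.
SAMPLE_NEARLY_FULL = SAMPLE_OUTPUT.replace("Used :2", "Used :120").replace("Idle :123", "Idle :5")
SAMPLE_CONFLICT = SAMPLE_OUTPUT.replace("Idle :123", "Idle :122").replace("Conflict :0", "Conflict :1")

# Counters appear several to a line ("Total :125 Used :2"); the interface-pool
# output of 3.7.2.1 spells the last one "Disable" instead of "Disabled".
STAT_RE = re.compile(r"\b(Total|Used|Idle|Expired|Conflict|Disabled?)\s*:\s*(\d+)")
LEASE_RE = re.compile(r"(\d+) Days (\d+) Hours (\d+) Minutes")


def parse_ip_pool(text: str) -> dict:
    """Turn 'display ip pool' text into a dict of fields plus integer counters."""
    pool: dict = {"stats": {}}
    for line in text.splitlines():
        stats = STAT_RE.findall(line)
        if stats:
            for key, value in stats:
                pool["stats"]["Disabled" if key.startswith("Disable") else key] = int(value)
            continue
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        pool[key.strip()] = value.strip()
    m = LEASE_RE.search(pool.get("Lease", ""))
    if m:
        days, hours, minutes = (int(x) for x in m.groups())
        pool["lease_seconds"] = days * 86400 + hours * 3600 + minutes * 60
    else:
        pool["lease_seconds"] = None      # "unlimited" (or an unparsable lease)
    return pool


def check_pool(pool: dict, warn_utilization: float = 0.9) -> list[str]:
    """Findings an operator or security reviewer would want from one pool's counters."""
    s = pool["stats"]
    name = pool.get("Pool-name", "?")
    findings: list[str] = []
    total, used, disabled = s.get("Total", 0), s.get("Used", 0), s.get("Disabled", 0)
    # Expired addresses are a subset of Idle (the table shows them as Idle(Expired)),
    # so Used + Idle + Conflict + Disabled must equal Total exactly.
    if total != used + s.get("Idle", 0) + s.get("Conflict", 0) + disabled:
        findings.append(f"{name}: counters do not add up to Total={total}")
    assignable = total - disabled
    if assignable > 0 and used / assignable >= warn_utilization:
        findings.append(f"{name}: utilization {used}/{assignable} at or above {warn_utilization:.0%}")
    if s.get("Conflict", 0) > 0:
        findings.append(f"{name}: {s['Conflict']} conflicting address(es) found in use by another host")
    status = pool.get("Status", pool.get("Position", ""))   # interface pools put both on one line
    if "Unlocked" not in status:
        findings.append(f"{name}: pool is locked, no addresses will be assigned")
    if pool.get("lease_seconds") is None:
        findings.append(f"{name}: lease is unlimited, addresses are never reclaimed automatically")
    return findings
```

For the pool1 output above, check_pool returns nothing; the nearly full variant trips the utilization threshold and the conflict variant reports the conflicting address, which on a real network is worth correlating with the switch's DHCP snooping or ARP data because it means some host is using a pool address without having leased it.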

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 to 11
#
dhcp enable
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.128
lease day 10 hour 0 minute 0
dns-list 10.1.2.3
#
ip pool pool2
gateway-list 10.1.1.129
network 10.1.1.128 mask 255.255.255.128
lease day 2 hour 0 minute 0
dns-list 10.1.2.3
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.128
dhcp select global
#
interface Vlanif11
ip address 10.1.1.129 255.255.255.128
dhcp select global
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
interface GigabitEthernet1/0/2
port hybrid pvid vlan 11
port hybrid untagged vlan 11
#
return

3.7.2.3 Example for Configuring a DHCP Server to Allocate Different
Network Parameters from the Global Address Pool to Dynamic and Static
Clients

DHCP Server Overview
Users require that all terminals on a network dynamically obtain network
parameters such as IP addresses, DNS server IP addresses, routing information,
and gateway information, so that nobody has to configure terminal IP addresses
and other network parameters manually. In addition, some mobile terminals (for
example, mobile phones, tablets, and laptops) should support plug-and-play,
without their network parameters being modified each time they connect. To meet
these requirements, the DHCP server function can be configured on an
aggregation-layer user gateway or a core-layer device to assign network
parameters such as IP addresses to terminals.

The Dynamic Host Configuration Protocol (DHCP) uses the client/server model to
dynamically configure and centrally manage network parameters for users. The
DHCP server assigns network parameters such as IP addresses to users from an
address pool, which can be either a global address pool or an interface address
pool.

An interface address pool is simple to configure, but it can be used only when
the users and the DHCP server are on the same network segment, and the server
can then assign network parameters only to the users on that interface. It is
applicable to small networks with a limited number of devices, where the
configuration and maintenance workload stays manageable. After the DHCP server
function based on the interface address pool is configured on the user gateway,
the hosts and mobile terminals on the interface obtain network parameters such
as IP addresses automatically, without manual configuration or modification.

Compared with an interface address pool, the global address pool is suited to
large networks. The DHCP server function based on the global address pool
should be configured on a core device, or an exclusive DHCP server should be
used, to assign network parameters such as IP addresses. The user gateway then
only needs to have the DHCP relay function enabled. For details, see 3.7.2.4
Example for Configuring the Device as a DHCP Relay (on the Same Network).

Configuration Notes
This example applies to the following products:
● V200R009C00 and later versions: S2720-EI
● V200R005C00SPC300 and later versions: S2750-EI, S5700-LI, S5700S-LI
● S3700-SI, S3700-EI, S3700-HI
● S5700-SI, S5700-EI, S5700-HI, S5710-X-LI, S5710-EI, S5710-HI, S5720-LI,
S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI,
S5730-SI, S5730S-EI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H,
S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-
L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
● S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
● S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see Table
3-1 in "Applicable Products and Versions" for details.

NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-113, the IP phone and PCs are devices in an office area. To
uniformly manage devices and reduce manual configuration costs, the
administrator needs to configure hosts to dynamically obtain IP addresses through
DHCP. PCs are fixed terminals in the duty room. They need to always be online
and use domain names to access network devices. In addition to obtaining an IP
address dynamically, the PCs require an unlimited IP address lease and need to
obtain information about the DNS server. The IP phone uses a fixed IP address
10.1.1.4/24 and its MAC address is 00e0-fc12-3456. In addition to obtaining an IP
address, the IP phone needs to dynamically obtain the startup configuration file.
The startup configuration file configuration.ini is stored on the FTP server. The
routes between the FTP server and IP phone must be reachable. The gateway
address of the PCs and IP phone is 10.1.1.1/24.

Figure 3-113 Networking diagram for configuring a device as the DHCP server

Configuration Roadmap
1. Create a DHCP Option template on SwitchA. In the DHCP Option template
view, configure the startup configuration file for the static client IP phone, and
specify the IP address of the FTP server for the IP phone.
2. Create a global address pool on SwitchA. In the global address pool view,
configure the IP address lease and information about the DNS server for the
dynamic client PCs. Bind an IP address and the DHCP Option template to the
MAC address of the static client IP phone. In this way, the DHCP server can
allocate different network parameters to dynamic and static clients.

Procedure
Step 1 Create a VLAN and configure an IP address for the VLANIF interface.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 255.255.255.0
[SwitchA-Vlanif10] quit

Step 2 Enable the DHCP service.
[SwitchA] dhcp enable

Step 3 Create a DHCP Option template. In the DHCP Option template view, configure the
startup configuration file for the static client IP phone, and specify the IP address
of the file server for the IP phone.
[SwitchA] dhcp option template template1
[SwitchA-dhcp-option-template-template1] gateway-list 10.1.1.1
[SwitchA-dhcp-option-template-template1] bootfile configuration.ini
[SwitchA-dhcp-option-template-template1] next-server 10.1.1.3
[SwitchA-dhcp-option-template-template1] quit

Step 4 Create an IP address pool. In the IP address pool view, configure the gateway
address, IP address lease, and IP address of the DNS server for the PCs. Allocate a
fixed IP address to the IP phone and configure the startup configuration file.
[SwitchA] ip pool pool1
[SwitchA-ip-pool-pool1] network 10.1.1.0 mask 255.255.255.0
[SwitchA-ip-pool-pool1] dns-list 10.1.1.2
[SwitchA-ip-pool-pool1] gateway-list 10.1.1.1
[SwitchA-ip-pool-pool1] excluded-ip-address 10.1.1.2 10.1.1.3
[SwitchA-ip-pool-pool1] lease unlimited
[SwitchA-ip-pool-pool1] static-bind ip-address 10.1.1.4 mac-address 00e0-fc12-3456 option-template template1
[SwitchA-ip-pool-pool1] quit

Step 5 Enable the DHCP server function on the VLANIF 10 interface.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] dhcp select global
[SwitchA-Vlanif10] quit

Step 6 Enable the device to save DHCP data to the storage device. If a fault occurs on the
device, you can run the dhcp server database recover command after the system
restarts to restore DHCP data from files on the storage device.
[SwitchA] dhcp server database enable

Step 7 Verify the configuration.

# Run the display ip pool name pool1 command on SwitchA to view the address
pool configuration. The following uses the command output in V200R011C10 as
an example.
[SwitchA] display ip pool name pool1
Pool-name : pool1
Pool-No :0
Lease : unlimited
Domain-name :-
DNS-server0 : 10.1.1.2
NBNS-server0 :-
Netbios-type :-
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :1
Idle :250 Expired :0
Conflict :0 Disabled :2

-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 4 249(0) 0 2
-------------------------------------------------------------------------------

# Run the display dhcp option template name template1 command on SwitchA
to view the DHCP Option template configuration.
[SwitchA] display dhcp option template name template1
-----------------------------------------------------------------------------
Template-Name : template1
Template-No : 0
Next-server : 10.1.1.3
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Gateway-0 : 10.1.1.1
Bootfile : configuration.ini

----End
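What the IP phone and the PCs actually receive from SwitchA differs in the DHCP message itself: the static client gets its bound address together with the file server in the siaddr header field and configuration.ini in the file field, while a dynamic client gets the next free address, the DNS server and the lease. The following Python example is added here and is not Huawei code; it builds the header fields and options (RFC 2131/2132 encoding, where 'lease unlimited' is the all-ones lease value) of the DHCPOFFER a server configured as above would send to each client type. The pool and template values come from Steps 3 and 4; the assumption, stated in the code, is that a value set in the client's option template replaces the corresponding pool value for that client only, and that pool values the template does not set still apply.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network

# DHCP option codes used here (RFC 2132) and the message-type value of an offer.
OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_LEASE, OPT_MSG_TYPE, OPT_SERVER_ID = 1, 3, 6, 51, 53, 54
DHCPOFFER = 2
INFINITE_LEASE = 0xFFFFFFFF        # RFC 2131 encoding of 'lease unlimited'
MAGIC_COOKIE = b"\x63\x82\x53\x63"


@dataclass
class OptionTemplate:
    """'dhcp option template' view: what a bound client gets in addition to its address."""
    gateway: str | None = None
    next_server: str | None = None   # filled into the fixed 'siaddr' header field
    bootfile: str | None = None      # filled into the fixed 'file' header field


@dataclass
class GlobalPool:
    """'ip pool' view, reduced to the settings used on this page."""
    network: IPv4Network
    gateway: str
    dns: list[str]
    lease_seconds: int | None                        # None == 'lease unlimited'
    excluded: set[str] = field(default_factory=set)  # excluded-ip-address
    static: dict[str, tuple[str, OptionTemplate | None]] = field(default_factory=dict)
    leased: dict[str, str] = field(default_factory=dict)   # mac -> address already offered

    def next_free(self) -> str:
        """Lowest host address not reserved for the gateway, exclusions, bindings or leases."""
        taken = {self.gateway, *self.excluded, *(ip for ip, _ in self.static.values()), *self.leased.values()}
        for host in self.network.hosts():
            if str(host) not in taken:
                return str(host)
        raise RuntimeError("address pool exhausted")


def encode_options(opts: list[tuple[int, bytes]]) -> bytes:
    """Serialize options as code/length/value after the magic cookie, ending with 0xFF."""
    body = b"".join(struct.pack("BB", code, len(value)) + value for code, value in opts)
    return MAGIC_COOKIE + body + b"\xff"


def decode_options(blob: bytes) -> dict[int, bytes]:
    """Inverse of encode_options, used to inspect what a client would receive."""
    if blob[:4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    out, i = {}, 4
    while blob[i] != 0xFF:
        code, length = blob[i], blob[i + 1]
        out[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return out


def build_offer(pool: GlobalPool, server_ip: str, client_mac: str) -> dict:
    """Header fields and options of the DHCPOFFER the server would send to client_mac.

    Assumption (not stated on the page): a value set in the client's option
    template replaces the corresponding pool value for that client only; pool
    values the template does not set still apply.
    """
    mac = client_mac.lower()
    template = None
    if mac in pool.static:
        yiaddr, template = pool.static[mac]       # static client: its bound address
    elif mac in pool.leased:
        yiaddr = pool.leased[mac]                 # repeated DISCOVER: same address again
    else:
        yiaddr = pool.next_free()                 # dynamic client: next free address
        pool.leased[mac] = yiaddr
    router = template.gateway if template and template.gateway else pool.gateway
    lease = INFINITE_LEASE if pool.lease_seconds is None else pool.lease_seconds
    opts = [
        (OPT_MSG_TYPE, bytes([DHCPOFFER])),
        (OPT_SERVER_ID, IPv4Address(server_ip).packed),
        (OPT_LEASE, struct.pack("!I", lease)),
        (OPT_SUBNET_MASK, pool.network.netmask.packed),
        (OPT_ROUTER, IPv4Address(router).packed),
    ]
    if pool.dns:
        opts.append((OPT_DNS, b"".join(IPv4Address(d).packed for d in pool.dns)))
    return {
        "yiaddr": yiaddr,
        "siaddr": template.next_server if template and template.next_server else "0.0.0.0",
        "file": template.bootfile if template and template.bootfile else "",
        "options": encode_options(opts),
    }


def example_pool1() -> GlobalPool:
    """pool1 and template1 as configured in Steps 3 and 4 above (values from the page)."""
    template1 = OptionTemplate(gateway="10.1.1.1", next_server="10.1.1.3", bootfile="configuration.ini")
    return GlobalPool(network=IPv4Network("10.1.1.0/24"), gateway="10.1.1.1", dns=["10.1.1.2"],
                      lease_seconds=None, excluded={"10.1.1.2", "10.1.1.3"},   # DNS and file servers
                      static={"00e0-fc12-3456": ("10.1.1.4", template1)})
```

Calling build_offer for the MAC 00e0-fc12-3456 returns yiaddr 10.1.1.4, siaddr 10.1.1.3 and file configuration.ini; any other MAC gets 10.1.1.5 (the first address after the gateway, the two excluded servers and the phone's binding), no siaddr or file, and options whose decoded lease is 0xFFFFFFFF. Because a static binding is keyed only by the client's MAC address, the bootfile and next-server values are handed to whichever host presents that MAC, which is one reason the reachability of the FTP server should be limited to what the phone needs.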

Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
dhcp server database enable
#
dhcp option template template1
gateway-list 10.1.1.1
next-server 10.1.1.3
bootfile configuration.ini
#
ip pool pool1
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
excluded-ip-address 10.1.1.2 10.1.1.3
static-bind ip-address 10.1.1.4 mac-address 00e0-fc12-3456 option-template template1
lease unlimited
dns-list 10.1.1.2
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
return

3.7.2.4 Example for Configuring the Device as a DHCP Relay (on the Same
Network)

DHCP Relay Overview
A DHCP relay forwards DHCP packets between the DHCP server and clients. When
the DHCP server and clients belong to different network segments, a DHCP relay
needs to be configured. For the DHCP clients, the DHCP relay acts as the DHCP
server; for the DHCP server, the DHCP relay acts as a DHCP client.

The DHCP relay function applies to large networks with many sparsely distributed
user gateways. To reduce the maintenance workload, the network administrator
does not want to configure the DHCP server function on each aggregation switch
(user gateway) and requires that the DHCP server function be configured on a
core device or that an exclusive DHCP server be deployed in the server area. In
this case, the aggregation switches functioning as the user gateways need to be
configured with the DHCP relay function so that DHCP packets can be exchanged
between the DHCP server and clients.

Configuration Notes
This example applies to the following products:
● V200R005C00SPC300 and later versions: S2750-EI, S5700-LI, S5700S-LI
● S2720-EI, S3700-SI, S3700-EI, S3700-HI
● S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-X-LI, S5710-EI,
S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI,
S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S, S5731S-S,
S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L,
S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H,
S5736-S
● S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
● S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see Table
3-1 in "Applicable Products and Versions" for details.

NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-114, an enterprise deploys the DHCP server on the core
switch. The DHCP server and terminals in the enterprise belong to different
network segments. The enterprise requires that the DHCP server should
dynamically assign IP addresses to the terminals.

Figure 3-114 Networking diagram for configuring the device as a DHCP relay

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the DHCP relay on SwitchA (user gateway) to forward DHCP
packets between the terminals and DHCP server.
2. On SwitchB, configure the DHCP server based on the global address pool so
that the DHCP server can assign IP addresses from the global address pool to
the terminals.

NOTE

Use a Huawei S series switch as an example for the DHCP server (SwitchB).
On the LSW, configure the interface link type and VLAN to implement Layer 2 communication.
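The roadmap above rests on one mechanism of standard DHCP (RFC 2131): a relay that forwards a client's broadcast DISCOVER fills in the giaddr field with the address of the interface it received the packet on, and the server then picks the address pool whose network contains giaddr and returns the OFFER to that address. The following Python example is added here and is not Huawei code; it models SwitchA as the relay and SwitchB as the server using the addresses from the procedure that follows (VLANIF 100 10.10.20.1/24 on SwitchA, VLANIF 200 192.168.20.2/24 on SwitchB, pool1 10.10.20.0/24). The free-address list is constructed on the assumption that the gateway address 10.10.20.1 is not handed out; the class and function names are the example's own.

```python
from __future__ import annotations

from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network

BROADCAST = "255.255.255.255"
UNSET = "0.0.0.0"
MAX_HOPS = 16   # RFC 2131: a relay discards a message whose hops field has reached 16


@dataclass
class DhcpMessage:
    """The header fields that matter for relaying (RFC 2131 names)."""
    kind: str                 # "DISCOVER", "OFFER", ...
    chaddr: str               # client MAC address
    giaddr: str = UNSET       # relay agent address; 0.0.0.0 when sent by the client
    hops: int = 0
    yiaddr: str = UNSET       # address offered by the server
    src: str = UNSET          # IP source of the packet carrying the message
    dst: str = BROADCAST      # IP destination of that packet


@dataclass
class Relay:
    """SwitchA: 'dhcp select relay' and 'dhcp relay server-ip' on VLANIF 100."""
    interface_ip: str         # VLANIF 100 address, the client-facing segment
    server_ip: str            # value configured with 'dhcp relay server-ip'

    def to_server(self, msg: DhcpMessage) -> DhcpMessage | None:
        if msg.hops >= MAX_HOPS:
            return None                      # too many relays in the path: drop it
        fwd = replace(msg, hops=msg.hops + 1, src=self.interface_ip, dst=self.server_ip)
        if fwd.giaddr == UNSET:
            fwd.giaddr = self.interface_ip   # the first relay stamps its own address
        return fwd

    def to_client(self, reply: DhcpMessage) -> DhcpMessage:
        # The server unicasts to giaddr; the relay re-sends on the client segment.
        return replace(reply, src=self.interface_ip, dst=BROADCAST)


@dataclass
class Server:
    """SwitchB: global address pools keyed by their network."""
    pools: dict[IPv4Network, list[str]]      # network -> free addresses (constructed)

    def select_pool(self, msg: DhcpMessage, receiving_ip: str) -> IPv4Network | None:
        # Pool selection uses giaddr when a relay set it, otherwise the address
        # of the interface the request arrived on.
        key = IPv4Address(msg.giaddr if msg.giaddr != UNSET else receiving_ip)
        return next((net for net in self.pools if key in net), None)

    def handle_discover(self, msg: DhcpMessage, receiving_ip: str) -> DhcpMessage | None:
        net = self.select_pool(msg, receiving_ip)
        if net is None or not self.pools[net]:
            return None                      # no pool for that segment, or pool exhausted
        offered = self.pools[net].pop(0)
        reply_to = msg.giaddr if msg.giaddr != UNSET else BROADCAST
        return DhcpMessage("OFFER", msg.chaddr, giaddr=msg.giaddr, hops=msg.hops,
                           yiaddr=offered, src=receiving_ip, dst=reply_to)


def example_topology() -> tuple[Relay, Server]:
    """Addresses from the procedure: VLANIF 100 10.10.20.1/24 on SwitchA, VLANIF 200
    192.168.20.2/24 on SwitchB, pool1 10.10.20.0/24. The gateway address 10.10.20.1
    is assumed (not shown on the page) to be left out of the free list."""
    net = IPv4Network("10.10.20.0/24")
    free = [str(h) for h in net.hosts() if str(h) != "10.10.20.1"]
    return Relay("10.10.20.1", "192.168.20.2"), Server({net: free})
```

Sending the same DISCOVER to the server directly, without the relay, returns nothing: giaddr is 0.0.0.0, so the server looks for a pool covering its own interface 192.168.20.2, and there is none. That is the concrete reason the relay on SwitchA is required when clients and server sit on different segments, and it is also why the relay's client-facing interface address must lie inside the pool configured on the server.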

Procedure
Step 1 Configure the DHCP relay on SwitchA.
# Add the interface to the VLAN.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type access
[SwitchA-GigabitEthernet0/0/2] port default vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 192.168.20.1 24
[SwitchA-Vlanif200] quit

# Enable the DHCP relay function on the interface.


[SwitchA] dhcp enable //Enable the DHCP service. By default, the service is disabled.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.10.20.1 24
[SwitchA-Vlanif100] dhcp select relay //Enable the DHCP relay function. By default, the function is
disabled.
[SwitchA-Vlanif100] dhcp relay server-ip 192.168.20.2 //Configure the DHCP server IP address for the
DHCP relay agent.
[SwitchA-Vlanif100] quit

Step 2 Configure the DHCP server function based on the global address pool on SwitchB.
# Enable the DHCP service. By default, the service is disabled.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] dhcp enable

# Configure VLANIF 200 to work in global address pool mode.


[SwitchB] vlan 200
[SwitchB-vlan200] quit
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface vlanif 200
[SwitchB-Vlanif200] ip address 192.168.20.2 24
[SwitchB-Vlanif200] dhcp select global //Enable the DHCP server function based on the global address
pool on the interface. By default, the function is disabled.
[SwitchB-Vlanif200] quit

# Create an address pool and configure the attributes. The default lease (one day)
is used and does not need to be configured.
[SwitchB] ip pool pool1
[SwitchB-ip-pool-pool1] network 10.10.20.0 mask 24 //Configure the network segment and mask of the
global address pool.
[SwitchB-ip-pool-pool1] gateway-list 10.10.20.1 //Configure the gateway address assigned to the
terminals.
[SwitchB-ip-pool-pool1] quit

Step 3 Configure static routes to the terminals on SwitchB.


[SwitchB] ip route-static 10.10.20.0 255.255.255.0 192.168.20.1

Step 4 Configure each terminal (using the PC running Windows 7 as an example) to
automatically obtain an IP address.
1. Right-click Network and choose Properties to display the Network and
Sharing Center window.
2. Click Local Area Connection to display the Local Area Connection Status
window.
3. Click Properties to display the Local Area Connection Properties window.
4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties to display
the Internet Protocol Version 4 (TCP/IPv4) Properties window. Select
Obtain an IP address automatically, and click OK.
Step 5 Verify the configuration.
# Run the display dhcp relay interface vlanif 100 command on SwitchA to check
the DHCP relay configuration.
[SwitchA] display dhcp relay interface vlanif 100
DHCP relay agent running information of interface Vlanif100 :
Server IP address [00] : 192.168.20.2
Gateway address in use : 10.10.20.1

# Run the display ip pool command on SwitchB to check the IP address allocation
of pool1. For example, the enterprise has 100 terminals. The following uses the
command output in V200R011C10 as an example.
[SwitchB] display ip pool name pool1
Pool-name : pool1
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Local
Status : Unlocked
Gateway-0 : 10.10.20.1
Network : 10.10.20.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :1
Idle :252 Expired :0
Conflict :0 Disabled :0

-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.10.20.1 10.10.20.254 253 1 252(0) 0 0
-------------------------------------------------------------------------------

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
dhcp enable
#
interface Vlanif100
ip address 10.10.20.1 255.255.255.0


dhcp select relay


dhcp relay server-ip 192.168.20.2
#
interface Vlanif200
ip address 192.168.20.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 100
#
return

● SwitchB configuration file


#
sysname SwitchB
#
vlan batch 200
#
dhcp enable
#
ip pool pool1
gateway-list 10.10.20.1
network 10.10.20.0 mask 255.255.255.0
#
interface Vlanif200
ip address 192.168.20.2 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 10.10.20.0 255.255.255.0 192.168.20.1
#
return

3.7.2.5 Example for Configuring the Device as a DHCP Relay (Across a GRE Tunnel)

DHCP Relay Overview


A DHCP relay forwards DHCP packets between the DHCP server and clients. When
the DHCP server and clients belong to different network segments, the DHCP relay
needs to be configured. For DHCP clients, the DHCP relay is the DHCP server; for
the DHCP server, the DHCP relay is a DHCP client.

The DHCP relay function applies to large networks with many sparsely-distributed
user gateways. To reduce the maintenance workload, the network administrator
does not want to configure the DHCP server function on each aggregation switch
(user gateway) and requires that the DHCP server function be configured on a
core device or an exclusive DHCP server be deployed in the server area. In this
case, the aggregation switches functioning as the user gateways need to be
configured with the DHCP relay function to implement exchange of DHCP packets
between the DHCP server and clients.

The DHCP relay and DHCP server can be deployed across a VPN (such as GRE or
MPLS L3VPN) network. A GRE tunnel is used as an example to describe how to
configure a DHCP relay.
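The relay behaviour described in the overview, shown on constructed packets as an added example (this is illustration code, not Huawei software): a client sends a DHCPDISCOVER with giaddr zero; the relay increments the hops count and, if giaddr is still zero, stamps the address of the interface it received the request on before unicasting it to the configured server; the server picks the pool whose network contains giaddr and sends its reply back to that address. This follows RFC 2131 and RFC 1542 and matches the "Gateway address in use" line of the display dhcp relay output in 3.7.2.4; whether the switch implements every detail identically is not stated on the page and is assumed here. The addresses used are those of the 3.7.2.4 example (SwitchA Vlanif100 10.10.20.1, server 192.168.20.2, pool1 10.10.20.0/24).

```python
"""DHCP relay agent semantics (RFC 2131 section 4.3.1, RFC 1542) on constructed packets.
Added illustration, not Huawei code."""
import ipaddress
import struct
from typing import Dict, Optional

# Fixed BOOTP/DHCP header (RFC 2131 section 2): 236 bytes, then the options field.
_HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST, BOOTREPLY = 1, 2
MAX_HOPS = 16  # RFC 1542: a relay discards a request whose hops field already reached this


def build_discover(xid: int, client_mac: bytes) -> bytes:
    """Constructed DHCPDISCOVER as a client emits it: ciaddr/yiaddr/siaddr/giaddr all zero."""
    hdr = _HDR.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,    # flags 0x8000 = broadcast bit
                    b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                    client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC_COOKIE + bytes([53, 1, 1, 255])        # option 53 = DISCOVER, 255 = end


def header(pkt: bytes) -> dict:
    """The header fields this example cares about."""
    f = _HDR.unpack_from(pkt)
    return {"op": f[0], "hops": f[3], "xid": f[4],
            "giaddr": str(ipaddress.IPv4Address(f[10]))}


def relay_request(pkt: bytes, inbound_if_ip: str) -> bytes:
    """What 'dhcp select relay' on the inbound VLANIF does to a client request before
    unicasting it to 'dhcp relay server-ip': bump hops and, only if giaddr is still zero
    (i.e. this is the first relay on the path), stamp the inbound interface address."""
    f = list(_HDR.unpack_from(pkt))
    if f[0] != BOOTREQUEST:
        raise ValueError("only BOOTREQUEST packets are relayed towards the server")
    if f[3] >= MAX_HOPS:
        raise ValueError("hops limit reached; packet dropped")
    f[3] += 1
    if f[10] == b"\0" * 4:
        f[10] = ipaddress.IPv4Address(inbound_if_ip).packed
    return _HDR.pack(*f) + pkt[_HDR.size:]


def select_pool(pkt: bytes, receiving_if_ip: str, pools: Dict[str, str]) -> Optional[str]:
    """Server side: the allocation subnet is the one containing giaddr when giaddr is set,
    otherwise the subnet of the interface the request arrived on.
    `pools` maps pool name -> network, mirroring the 'ip pool' / 'network' lines."""
    g = ipaddress.IPv4Address(header(pkt)["giaddr"])
    key = g if int(g) != 0 else ipaddress.IPv4Address(receiving_if_ip)
    for name, net in pools.items():
        if key in ipaddress.IPv4Network(net):
            return name
    return None


def reply_destination(request: bytes) -> str:
    """Where the server sends its DHCPOFFER: unicast to giaddr (the relay) when set, else
    onto the client's own segment. This is why the server needs a route towards the
    relay's client-facing subnet (Step 3 of 3.7.2.4)."""
    g = header(request)["giaddr"]
    return g if g != "0.0.0.0" else "255.255.255.255"


if __name__ == "__main__":
    disc = build_discover(0x1234, bytes.fromhex("001122334455"))   # constructed client MAC
    relayed = relay_request(disc, "10.10.20.1")
    pools = {"pool1": "10.10.20.0/24"}
    print(header(relayed), select_pool(relayed, "192.168.20.2", pools),
          reply_destination(relayed))
```

The second relay on a path must not overwrite giaddr, otherwise the server would select the wrong pool and reply to the wrong device; `relay_request` keeps the first value, which is the behaviour to expect when relays are chained.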


Configuration Notes
This example applies to the following products:
● S5710-EI, S5720-EI, S5700-HI, S5710-HI, S5720-HI, S5730-HI, S5731-H, S5731-
S, S5731S-S, S5731S-H, S5732-H
● S6700-EI, S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730-S, S6730S-S,
S6730S-H
● S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712

For the product models whose applicable versions are not listed above, see Table
3-1 in "Applicable Products and Versions" for details.

NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-115, an enterprise deploys its headquarters and branch in
different areas. A GRE tunnel is deployed between the headquarters and branch to
enable them to communicate. To facilitate unified management, the enterprise
administrator deploys the DHCP server on Switch_1 in the headquarters to assign
IP addresses to the terminals in the headquarters and branch. The network
segments 10.1.1.0/24 and 10.2.1.0/24 are planned for the headquarters and
branch respectively.

Figure 3-115 Networking diagram for configuring the device as a DHCP relay


Configuration Roadmap
The configuration roadmap is as follows:

1. Run OSPF between Switch_1, Switch_2, and Switch_3 to ensure the
communication between devices.
2. On Switch_1 and Switch_3, configure tunnel interfaces and create a GRE
tunnel.
3. On Switch_1, configure the DHCP server based on the global address pool so
that the DHCP server can assign IP addresses from the global address pool to
the terminals in the headquarters and branch.
4. On Switch_3, configure the DHCP relay function to function as the branch's
gateway to forward DHCP packets between the terminals and DHCP servers
so that the terminals can apply to the DHCP server for IP addresses.

NOTE

Use a Huawei S series switch as an example for the DHCP server (Switch_1).
Configure the interface link types and VLANs on LSW_1 and LSW_2 to implement Layer 2
communication.

Procedure
Step 1 Configure an IP address for each physical interface on Switch_1 through Switch_3.

# Configure Switch_1.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 10 30
[Switch_1] interface gigabitethernet 1/0/0
[Switch_1-GigabitEthernet1/0/0] port link-type trunk
[Switch_1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[Switch_1-GigabitEthernet1/0/0] quit
[Switch_1] interface gigabitethernet 2/0/0
[Switch_1-GigabitEthernet2/0/0] port link-type trunk
[Switch_1-GigabitEthernet2/0/0] port trunk allow-pass vlan 30
[Switch_1-GigabitEthernet2/0/0] quit
[Switch_1] interface vlanif 10
[Switch_1-Vlanif10] ip address 10.20.1.1 24
[Switch_1-Vlanif10] quit
[Switch_1] interface vlanif 30
[Switch_1-Vlanif30] ip address 10.1.1.1 24
[Switch_1-Vlanif30] quit

# Configure Switch_2.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 10 20
[Switch_2] interface gigabitethernet 1/0/0
[Switch_2-GigabitEthernet1/0/0] port link-type trunk
[Switch_2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[Switch_2-GigabitEthernet1/0/0] quit
[Switch_2] interface gigabitethernet 2/0/0
[Switch_2-GigabitEthernet2/0/0] port link-type trunk
[Switch_2-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[Switch_2-GigabitEthernet2/0/0] quit
[Switch_2] interface vlanif 10
[Switch_2-Vlanif10] ip address 10.20.1.2 24
[Switch_2-Vlanif10] quit
[Switch_2] interface vlanif 20
[Switch_2-Vlanif20] ip address 10.30.1.1 24
[Switch_2-Vlanif20] quit

# Configure Switch_3.
<HUAWEI> system-view
[HUAWEI] sysname Switch_3
[Switch_3] vlan batch 20 30
[Switch_3] interface gigabitethernet 1/0/0
[Switch_3-GigabitEthernet1/0/0] port link-type trunk
[Switch_3-GigabitEthernet1/0/0] port trunk allow-pass vlan 20
[Switch_3-GigabitEthernet1/0/0] quit
[Switch_3] interface gigabitethernet 2/0/0
[Switch_3-GigabitEthernet2/0/0] port link-type trunk
[Switch_3-GigabitEthernet2/0/0] port trunk allow-pass vlan 30
[Switch_3-GigabitEthernet2/0/0] quit
[Switch_3] interface vlanif 20
[Switch_3-Vlanif20] ip address 10.30.1.2 24
[Switch_3-Vlanif20] quit
[Switch_3] interface vlanif 30
[Switch_3-Vlanif30] ip address 10.2.1.1 24
[Switch_3-Vlanif30] quit

Step 2 Run OSPF between Switch_1, Switch_2, and Switch_3.


# Configure Switch_1.
[Switch_1] ospf 1
[Switch_1-ospf-1] area 0
[Switch_1-ospf-1-area-0.0.0.0] network 10.20.1.0 0.0.0.255
[Switch_1-ospf-1-area-0.0.0.0] quit
[Switch_1-ospf-1] quit

# Configure Switch_2.
[Switch_2] ospf 1
[Switch_2-ospf-1] area 0
[Switch_2-ospf-1-area-0.0.0.0] network 10.20.1.0 0.0.0.255
[Switch_2-ospf-1-area-0.0.0.0] network 10.30.1.0 0.0.0.255
[Switch_2-ospf-1-area-0.0.0.0] quit
[Switch_2-ospf-1] quit

# Configure Switch_3.
[Switch_3] ospf 1
[Switch_3-ospf-1] area 0
[Switch_3-ospf-1-area-0.0.0.0] network 10.30.1.0 0.0.0.255
[Switch_3-ospf-1-area-0.0.0.0] quit
[Switch_3-ospf-1] quit

Step 3 Configure static routes.


# Configure a static route to the network segment on Switch_1.
[Switch_1] ip route-static 10.2.1.0 255.255.255.0 tunnel 1

# Configure a static route to the server segment on Switch_3.


[Switch_3] ip route-static 10.1.1.0 255.255.255.0 tunnel 1

Step 4 Configure tunnel interfaces.


# Configure Switch_1.
[Switch_1] interface tunnel 1
[Switch_1-Tunnel1] tunnel-protocol gre
[Switch_1-Tunnel1] ip address 10.40.1.1 24
[Switch_1-Tunnel1] source 10.20.1.1
[Switch_1-Tunnel1] destination 10.30.1.2
[Switch_1-Tunnel1] quit

# Configure Switch_3.
[Switch_3] interface tunnel 1
[Switch_3-Tunnel1] tunnel-protocol gre
[Switch_3-Tunnel1] ip address 10.40.1.2 24
[Switch_3-Tunnel1] source 10.30.1.2
[Switch_3-Tunnel1] destination 10.20.1.1
[Switch_3-Tunnel1] quit

Step 5 Configure the DHCP server function on Switch_1.


# Enable the DHCP service. By default, the service is disabled.
[Switch_1] dhcp enable

# Create a global address pool and configure related parameters.


[Switch_1] ip pool pool1
[Switch_1-ip-pool-pool1] network 10.2.1.0 mask 255.255.255.0 //Network segment for terminals in the
branch
[Switch_1-ip-pool-pool1] gateway-list 10.2.1.1 //Gateway address for terminals in the branch
[Switch_1-ip-pool-pool1] quit
[Switch_1] ip pool pool2
[Switch_1-ip-pool-pool2] network 10.1.1.0 mask 255.255.255.0 //Network segment for terminals in the
headquarters
[Switch_1-ip-pool-pool2] gateway-list 10.1.1.1 //Gateway address for terminals in the headquarters
[Switch_1-ip-pool-pool2] quit

# Configure the terminals connected to VLANIF30 to obtain IP addresses from the
global address pool.
[Switch_1] interface vlanif 30
[Switch_1-Vlanif30] dhcp select global //Enable the DHCP server function based on the global address
pool on the interface. By default, the function is disabled.
[Switch_1-Vlanif30] quit

Step 6 Configure the DHCP relay function on Switch_3.


# Enable the DHCP service. By default, the service is disabled.
[Switch_3] dhcp enable

# Configure the DHCP relay function on VLANIF 30 and specify the DHCP server
address for the relay.
[Switch_3] interface vlanif 30
[Switch_3-Vlanif30] dhcp select relay //Enable the DHCP relay function. By default, the function is
disabled.
[Switch_3-Vlanif30] dhcp relay server-ip 10.1.1.1 //Configure the DHCP server IP address for the DHCP
relay agent.
[Switch_3-Vlanif30] quit

Step 7 Configure each terminal (using the PC running Windows 7 as an example) to
automatically obtain an IP address.
1. Right-click Network and choose Properties to display the Network and
Sharing Center window.
2. Click Local Area Connection to display the Local Area Connection Status
window.
3. Click Properties to display the Local Area Connection Properties window.
4. Select Internet Protocol Version 4 (TCP/IPv4) and click Properties to display
the Internet Protocol Version 4 (TCP/IPv4) Properties window. Select
Obtain an IP address automatically, and click OK.
Step 8 Verify the configuration. The following uses the command output in V200R010C00
as an example.
# Run the display dhcp relay interface vlanif 30 command on Switch_3 to check
the DHCP relay configuration.

[Switch_3] display dhcp relay interface vlanif 30
DHCP relay agent running information of interface Vlanif30 :
Server IP address [00] : 10.1.1.1
Gateway address in use : 10.2.1.1

# Run the display ip pool command on Switch_1 to check the IP address
allocation of pool1 and pool2. For example, the headquarters has 100 terminals
and the branch has 50 terminals.
[Switch_1] display ip pool name pool1
Pool-name : pool1
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Local
Status : Unlocked
Gateway-0 : 10.2.1.1
Network : 10.2.1.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :50
Idle :203 Expired :0
Conflict :0 Disable :0

-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.2.1.1 10.2.1.254 253 50 203(0) 0 0
-------------------------------------------------------------------------------
[Switch_1] display ip pool name pool2
Pool-name : pool2
Pool-No :1
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 :-
NBNS-server0 :-
Netbios-type :-
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :50
Idle :203 Expired :0
Conflict :0 Disable :0

-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 100 153(0) 0 0
-------------------------------------------------------------------------------

----End

Configuration Files
● Configuration file of Switch_1
#
sysname Switch_1
#


vlan batch 10 30
#
dhcp enable
#
ip pool pool1
gateway-list 10.2.1.1
network 10.2.1.0 mask 255.255.255.0
#
ip pool pool2
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
interface Vlanif10
ip address 10.20.1.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.1.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface Tunnel1
ip address 10.40.1.1 255.255.255.0
tunnel-protocol gre
source 10.20.1.1
destination 10.30.1.2
#
ospf 1
area 0.0.0.0
network 10.20.1.0 0.0.0.255
#
ip route-static 10.2.1.0 255.255.255.0 Tunnel1
#
return

● Configuration file of Switch_2


#
sysname Switch_2
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.20.1.2 255.255.255.0
#
interface Vlanif20
ip address 10.30.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1
area 0.0.0.0
network 10.20.1.0 0.0.0.255
network 10.30.1.0 0.0.0.255
#
return

● Configuration file of Switch_3


#
sysname Switch_3
#
vlan batch 20 30
#
dhcp enable
#
interface Vlanif20
ip address 10.30.1.2 255.255.255.0
#
interface Vlanif30
ip address 10.2.1.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.1.1.1
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface Tunnel1
ip address 10.40.1.2 255.255.255.0
tunnel-protocol gre
source 10.30.1.2
destination 10.20.1.1
#
ospf 1
area 0.0.0.0
network 10.30.1.0 0.0.0.255
#
ip route-static 10.1.1.0 255.255.255.0 Tunnel1
#
return

3.7.2.6 Example for Configuring a DHCP Client

DHCP Client Overview


A device can function as a DHCP client and dynamically obtain network
parameters including the IP address from a DHCP server. This mechanism lowers
manual costs, reduces errors, and facilitates unified management.

Configuration Notes
This example applies to:
● Chassis switches: V200R005 and later versions
● Fixed switches: V100R006 and later versions

NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-116, Switch_1 functions as the DHCP client to dynamically
obtain information including the IP address, DNS server address, and gateway
address from the DHCP server (Switch_2).


Figure 3-116 Networking diagram for configuring a device as the DHCP server

Configuration Roadmap
1. Configure Switch_1 as the DHCP client to dynamically obtain the IP address
from a DHCP server.
2. Configure Switch_2 as the DHCP server to dynamically allocate network
parameters including IP addresses to Switch_1.

Procedure
Step 1 Configure Switch_1 as the DHCP client.
# Create VLAN 10, and add GE1/0/1 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan 10
[Switch_1-vlan10] quit
[Switch_1] interface gigabitethernet 1/0/1
[Switch_1-GigabitEthernet1/0/1] port link-type trunk
[Switch_1-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch_1-GigabitEthernet1/0/1] quit

# Enable the DHCP client function on VLANIF 10.


[Switch_1] interface vlanif 10
[Switch_1-Vlanif10] ip address dhcp-alloc
[Switch_1-Vlanif10] quit

Step 2 Create a global address pool on Switch_2 and set corresponding attributes.
1. Enable the DHCP service.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] dhcp enable

2. Create VLAN 10, and add GE1/0/1 to VLAN 10.


[Switch_2] vlan 10
[Switch_2-vlan10] quit
[Switch_2] interface gigabitethernet 1/0/1
[Switch_2-GigabitEthernet1/0/1] port link-type trunk
[Switch_2-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch_2-GigabitEthernet1/0/1] quit

3. Configure VLANIF 10 to work in global address pool mode.


[Switch_2] interface vlanif 10
[Switch_2-Vlanif10] ip address 192.168.1.1 24
[Switch_2-Vlanif10] dhcp select global
[Switch_2-Vlanif10] quit

4. Create an address pool and set corresponding attributes.


[Switch_2] ip pool pool1
[Switch_2-ip-pool-pool1] network 192.168.1.0 mask 24
[Switch_2-ip-pool-pool1] gateway-list 192.168.1.126
[Switch_2-ip-pool-pool1] dns-list 192.168.1.2
[Switch_2-ip-pool-pool1] excluded-ip-address 192.168.1.2
[Switch_2-ip-pool-pool1] quit

Step 3 Verify the configuration.


# Run the display this command on VLANIF 10 of Switch_1 to view the DHCP
client configuration.
[Switch_1] interface vlanif 10
[Switch_1-Vlanif10] display this
#
interface Vlanif10
ip address dhcp-alloc
#
return
[Switch_1-Vlanif10] quit

# After VLANIF 10 obtains an IP address, run the display dhcp client command
on Switch_1 to view the status of the DHCP client on VLANIF 10. The following
uses the command output in V200R011C10 as an example.
[Switch_1] display dhcp client
DHCP client lease information on interface Vlanif10 :
Current machine state : Bound
Internet address assigned via : DHCP
Physical address : xxxx-xxxx-xxxx
IP address : 192.168.1.162
Subnet mask : 255.255.255.0
Gateway ip address : 192.168.1.126
DHCP server : 192.168.1.1
Lease obtained at : 2017-06-23 14:52:40
Lease expires at : 2017-06-24 14:52:40
Lease renews at : 2017-06-24 02:52:40
Lease rebinds at : 2017-06-24 11:52:40
DNS : 192.168.1.2
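The four lease timestamps in the output above follow from the lease length alone: under RFC 2131 a client tries to renew with its server at T1 (50% of the lease by default), falls back to broadcasting to any server at T2 (87.5%), and gives the address up at expiry. The following added example (illustration code, not Huawei software) derives those instants from the "Lease obtained at" value and the one-day lease shown in the pool, and reports which client state the switch should be in at a given time; the default T1/T2 ratios are assumed, the page does not state them.

```python
"""RFC 2131 lease timers behind the 'display dhcp client' output. Added illustration,
not Huawei code; default T1 = 50% and T2 = 87.5% of the lease are assumed."""
from datetime import datetime, timedelta
from typing import Dict

FMT = "%Y-%m-%d %H:%M:%S"   # the timestamp format used in the command output


def lease_timeline(obtained_at: str, lease_seconds: int) -> Dict[str, str]:
    """Renew (T1), rebind (T2) and expiry instants for a lease obtained at `obtained_at`."""
    t0 = datetime.strptime(obtained_at, FMT)
    lease = timedelta(seconds=lease_seconds)
    return {
        "renews_at": (t0 + lease * 0.5).strftime(FMT),    # T1: unicast DHCPREQUEST to the server
        "rebinds_at": (t0 + lease * 0.875).strftime(FMT), # T2: broadcast DHCPREQUEST to any server
        "expires_at": (t0 + lease).strftime(FMT),         # lease over: drop the address, back to INIT
    }


def client_state(obtained_at: str, lease_seconds: int, now: str) -> str:
    """Client state at `now` under the RFC 2131 state machine, assuming no renewal
    succeeded since `obtained_at`. A client that shows Rebinding for long stretches is
    one whose server stopped answering renewals, which is worth alarming on."""
    t = {k: datetime.strptime(v, FMT) for k, v in lease_timeline(obtained_at, lease_seconds).items()}
    at = datetime.strptime(now, FMT)
    if at < datetime.strptime(obtained_at, FMT):
        return "Init"
    if at < t["renews_at"]:
        return "Bound"
    if at < t["rebinds_at"]:
        return "Renewing"
    if at < t["expires_at"]:
        return "Rebinding"
    return "Expired"


if __name__ == "__main__":
    # Values from the output above: lease obtained 2017-06-23 14:52:40, pool lease 1 day.
    print(lease_timeline("2017-06-23 14:52:40", 86400))
    print(client_state("2017-06-23 14:52:40", 86400, "2017-06-24 05:00:00"))
```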

# On Switch_2, run the display ip pool name pool1 command to view IP address
allocation in the address pool. The Used field displays the number of used IP
addresses in the address pool. The following uses the command output in
V200R011C10 as an example.
[Switch_2] display ip pool name pool1
Pool-name : pool1
Pool-No :0
Lease : 1 Days 0 Hours 0 Minutes
Domain-name :-
DNS-server0 : 192.168.1.2
NBNS-server0 :-
Netbios-type :-
Position : Local


Status : Unlocked
Gateway-0 : 192.168.1.126
Network : 192.168.1.0
Mask : 255.255.255.0
VPN instance : --
Logging : Disable
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :1
Idle :251 Expired :0
Conflict :0 Disabled :1

-------------------------------------------------------------------------------
Network section
Start End Total Used Idle(Expired) Conflict Disabled
-------------------------------------------------------------------------------
192.168.1.1 192.168.1.254 253 1 251(0) 0 1
-------------------------------------------------------------------------------

----End

Configuration Files
● Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 10
#
interface Vlanif10
ip address dhcp-alloc
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return

● Switch_2 configuration file


#
sysname Switch_2
#
vlan batch 10
#
dhcp enable
#
ip pool pool1
gateway-list 192.168.1.126
network 192.168.1.0 mask 255.255.255.0
excluded-ip-address 192.168.1.2
dns-list 192.168.1.2
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return


3.7.2.7 Example for Configuring DHCP Servers Based on the Global Address Pool on the Same Network Segment in VRRP Networking

DHCP Server Overview


Users require that all terminals on a network dynamically obtain network
parameters such as IP addresses, DNS server IP address, routing information, and
gateway information. The users do not need to manually configure the network
parameters including terminal IP addresses. In addition, some mobile terminals
(for example, mobile phones, tablets, and laptops) should support plug-and-play,
without modification on network parameters each time. To meet these
requirements, the DHCP server function can be configured on an aggregation-
layer user gateway or a core-layer device to assign network parameters such as IP
addresses to terminals.
The Dynamic Host Configuration Protocol (DHCP) uses the client/server mode to
dynamically configure and uniformly manage network parameters for users. The
DHCP server uses an address pool to assign network parameters such as IP
addresses to the users. The global address pool or an interface address pool can
be used.
An interface address pool is simple to configure, but it can be used only when
the users and the DHCP server belong to the same network segment, and the
server can assign network parameters only to the users on that interface. It is
applicable to small networks with a limited number of devices and a controllable
configuration and maintenance workload. After the DHCP server function based
on the interface address pool is configured on the user gateway, the hosts and
mobile terminals on the interface can automatically obtain network parameters
such as IP addresses, without manual configuration and modification.
Compared with an interface address pool, the global address pool is applicable
to large networks. The DHCP server function based on the global address pool is
configured on a core device, or a dedicated DHCP server is used, to assign
network parameters such as IP addresses. The user gateway then only needs to
be enabled with the DHCP relay function. For details, see 3.7.2.4 Example for
Configuring the Device as a DHCP Relay (on the Same Network).

Configuration Notes
This example applies to the following products:
● V200R011C10 and later versions: S2720-EI
● S3700-EI, S3700-HI
● S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI,
S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI,
S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-
L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S500, S5735-S, S5735S-
S, S5735-S-I, S5735S-H, S5736-S
● S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
● S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
For the product models whose applicable versions are not listed above, see Table
3-1 in "Applicable Products and Versions" for details.


NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-117, a host in an enterprise is dual-homed to SwitchA and
SwitchB through Switch. SwitchA functions as the master DHCP server to allocate
IP addresses to the host. If the master DHCP server fails, a backup DHCP server
must allocate an IP address to the host.

Figure 3-117 Networking diagram for configuring a device as the DHCP server

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure IP addresses for interfaces connecting SwitchA and SwitchB to
implement network-layer connectivity. Configure Switch to transparently
transmit Layer 2 packets.
2. Configure a VRRP group on SwitchA and SwitchB. SwitchA has a higher
priority and functions as the DHCP server to allocate IP addresses to clients.
SwitchB has a lower priority and functions as a backup DHCP server.
3. Create global address pools on SwitchA and SwitchB, and set corresponding
attributes.
4. Configure a loop prevention protocol on Switch, SwitchA, and SwitchB to
prevent loops. In this example, STP is configured.

Procedure
Step 1 Configure network-layer connectivity among devices.


# Configure IP addresses for interfaces connecting SwitchA and SwitchB. SwitchA
is used as an example. The configuration on SwitchB is similar to that on SwitchA.
For details, see the configuration file of SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type hybrid
[SwitchA-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] port link-type hybrid
[SwitchA-GigabitEthernet1/0/5] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/5] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/5] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit

# Configure Layer 2 transparent transmission on Switch.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port default vlan 100
[Switch-GigabitEthernet1/0/3] quit

Step 2 Create address pools and set corresponding attributes.

# Enable DHCP on SwitchA.


[SwitchA] dhcp enable

# Create an address pool on SwitchA and specify an IP address range 10.1.1.2 to
10.1.1.128, which is exclusive from the IP address range of the address pool on
SwitchB.

NOTE

The address pool state on the master DHCP server is not backed up to the backup
DHCP server in real time. To prevent IP address conflicts after a master/backup
switchover, ensure that the address pool ranges on the master and backup DHCP
servers do not overlap.
[SwitchA] ip pool 1
[SwitchA-ip-pool-1] network 10.1.1.0 mask 255.255.255.0
[SwitchA-ip-pool-1] gateway-list 10.1.1.111
[SwitchA-ip-pool-1] excluded-ip-address 10.1.1.1
[SwitchA-ip-pool-1] excluded-ip-address 10.1.1.129 10.1.1.254
[SwitchA-ip-pool-1] lease day 10
[SwitchA-ip-pool-1] quit


# Create an address pool on SwitchB and specify an IP address range 10.1.1.130 to
10.1.1.254, which is exclusive from the IP address range of the address pool on
SwitchA.
[SwitchB] dhcp enable
[SwitchB] ip pool 1
[SwitchB-ip-pool-1] network 10.1.1.0 mask 255.255.255.0
[SwitchB-ip-pool-1] gateway-list 10.1.1.111
[SwitchB-ip-pool-1] excluded-ip-address 10.1.1.1 10.1.1.110
[SwitchB-ip-pool-1] excluded-ip-address 10.1.1.112 10.1.1.129
[SwitchB-ip-pool-1] lease day 10
[SwitchB-ip-pool-1] quit
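The non-overlap requirement above is easy to get wrong once several excluded-ip-address ranges are involved, so the following added example (not part of the Huawei guide) parses the ip-pool view commands of SwitchA and SwitchB as constructed copies of the lines above, reproduces the Total/Idle/Disable counters that display ip pool reports in Step 5, and flags any address both servers could lease. It assumes, consistent with the counters shown later in this example, that Total counts every host address of the network except the gateway.

```python
import ipaddress
import re

# Constructed copies of the Step 2 ip-pool view lines for SwitchA and SwitchB.
SWITCHA_POOL = """
[SwitchA-ip-pool-1] network 10.1.1.0 mask 255.255.255.0
[SwitchA-ip-pool-1] gateway-list 10.1.1.111
[SwitchA-ip-pool-1] excluded-ip-address 10.1.1.1
[SwitchA-ip-pool-1] excluded-ip-address 10.1.1.129 10.1.1.254
""".strip().splitlines()

SWITCHB_POOL = """
[SwitchB-ip-pool-1] network 10.1.1.0 mask 255.255.255.0
[SwitchB-ip-pool-1] gateway-list 10.1.1.111
[SwitchB-ip-pool-1] excluded-ip-address 10.1.1.1 10.1.1.110
[SwitchB-ip-pool-1] excluded-ip-address 10.1.1.112 10.1.1.129
""".strip().splitlines()

# CLI prompt such as "[SwitchA-ip-pool-1] " in front of each command.
PROMPT = re.compile(r"^\[[^\]]*\]\s*")


def parse_pool(lines):
    """Parse ip-pool view commands into (network, gateway set, excluded set)."""
    network, gateways, excluded = None, set(), set()
    for raw in lines:
        parts = PROMPT.sub("", raw).split()
        if not parts:
            continue
        if parts[0] == "network":                # network <addr> mask <mask>
            network = ipaddress.ip_network(f"{parts[1]}/{parts[3]}", strict=False)
        elif parts[0] == "gateway-list":         # gateway-list <ip> [<ip> ...]
            gateways.update(ipaddress.ip_address(a) for a in parts[1:])
        elif parts[0] == "excluded-ip-address":  # excluded-ip-address <start> [<end>]
            start = int(ipaddress.ip_address(parts[1]))
            end = int(ipaddress.ip_address(parts[2])) if len(parts) > 2 else start
            excluded.update(ipaddress.ip_address(i) for i in range(start, end + 1))
    if network is None:
        raise ValueError("pool has no network statement")
    return network, gateways, excluded


def pool_total(pool):
    """Addresses the pool manages: all host addresses minus the gateway(s).

    Assumption: this matches the Total of 253 that display ip pool shows for
    a /24 with one gateway in this example."""
    network, gateways, _ = pool
    return set(network.hosts()) - gateways


def allocatable(pool):
    """Addresses the server may actually hand out (Total minus excluded)."""
    return pool_total(pool) - pool[2]


def pool_stats(pool, used=0):
    """Reproduce the Total/Used/Idle/Disable counters for `used` active leases."""
    total, free = pool_total(pool), allocatable(pool)
    return {"Total": len(total), "Used": used,
            "Idle": len(free) - used, "Disable": len(total) - len(free)}


def overlap(pool_a, pool_b):
    """Addresses both servers could lease; must be empty for a master/backup pair."""
    return sorted(allocatable(pool_a) & allocatable(pool_b))


def leasable_by_any(pools, address):
    """True if any pool could hand out `address` (e.g. a switch's own interface IP)."""
    ip = ipaddress.ip_address(address)
    return any(ip in allocatable(p) for p in pools)


if __name__ == "__main__":
    a, b = parse_pool(SWITCHA_POOL), parse_pool(SWITCHB_POOL)
    print("SwitchA", pool_stats(a, used=1))   # Used 1 while SwitchA is Master
    print("SwitchB", pool_stats(b))
    print("overlap:", overlap(a, b) or "none")
    for own_ip in ("10.1.1.1", "10.1.1.129"):
        print(own_ip, "leasable:", leasable_by_any([a, b], own_ip))
```

Dropping SwitchB's second excluded-ip-address line in the constructed input makes overlap() return 10.1.1.112 to 10.1.1.128, the exact conflict the note warns about.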

Step 3 Configure a VRRP group.


# Create VRRP group 1 on SwitchA, set the priority of SwitchA in the VRRP group
to 120, and configure clients to obtain IP addresses from a global address pool.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchA-Vlanif100] vrrp vrid 1 priority 120
[SwitchA-Vlanif100] dhcp select global
[SwitchA-Vlanif100] quit

# Create VRRP group 1 on SwitchB, set the priority of SwitchB in the VRRP group
to 100 (default), and configure clients to obtain IP addresses from a global
address pool.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchB-Vlanif100] dhcp select global
[SwitchB-Vlanif100] quit

Step 4 Configure STP to prevent loops.


# Enable STP globally on Switch. The configurations on SwitchA and SwitchB are
similar to that on Switch. For details, see the configuration files of SwitchA and
SwitchB.
[Switch] stp enable

# Disable STP on GE1/0/3 of Switch, and set the path cost of GE1/0/1 to 20000.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] stp disable
[Switch-GigabitEthernet1/0/3] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] stp cost 20000
[Switch-GigabitEthernet1/0/1] quit

Step 5 Verify the configuration.


# Run the display vrrp command on SwitchA and SwitchB. The command output
shows that SwitchA is Master and SwitchB is Backup in the VRRP group.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2017-01-12 20:15:46
Last change time : 2017-01-12 20:15:46
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2017-01-12 20:15:46
Last change time : 2017-01-12 20:15:46

# Run the display ip pool command on SwitchA and SwitchB. The command
output shows that SwitchA, but not SwitchB, successfully allocated an IP address
to the client. The following uses the command output in V200R011C10 as an
example.
[SwitchA] display ip pool
-------------------------------------------------------------------------------
Pool-name :1
Pool-No :0
Lease : 10 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.111
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :1
Idle :125 Expired :0
Conflict :0 Disable :127

IP address Statistic
Total :253
Used :1 Idle :125
Expired :0 Conflict :0 Disable :127
[SwitchB] display ip pool
-------------------------------------------------------------------------------
Pool-name :1
Pool-No :0
Lease : 10 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.111
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :0
Idle :125 Expired :0
Conflict :0 Disable :128

IP address Statistic
Total :253
Used :0 Idle :125
Expired :0 Conflict :0 Disable :128

# Run the shutdown command on GE1/0/2 and GE1/0/5 of SwitchA to simulate a
fault.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] shutdown
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] shutdown
[SwitchA-GigabitEthernet1/0/5] quit

# Run the display vrrp command on SwitchA and SwitchB. The command output
shows that SwitchA is Initialize and SwitchB is Master in the VRRP group.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Initialize
Virtual IP : 10.1.1.111
Master IP : 0.0.0.0
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 0
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2017-01-12 20:15:46
Last change time : 2017-01-12 20:15:46
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.129
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2017-01-12 20:15:46
Last change time : 2017-01-12 20:15:46

# Run the display ip pool command on SwitchB to view the address pool
configuration.
[SwitchB] display ip pool
Pool-name :1
Pool-No :0
Lease : 10 Days 0 Hours 0 Minutes
Position : Local
Status : Unlocked
Gateway-0 : 10.1.1.111
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --
Conflicted address recycle interval: -
Address Statistic: Total :253 Used :1
Idle :124 Expired :0
Conflict :0 Disabled :128

IP address Statistic
Total :253
Used :1 Idle :124
Expired :0 Conflict :0 Disabled :128

----End

Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100
#
dhcp enable
#
ip pool 1
gateway-list 10.1.1.111
network 10.1.1.0 mask 255.255.255.0
excluded-ip-address 10.1.1.1
excluded-ip-address 10.1.1.129 10.1.1.254
lease day 10 hour 0 minute 0
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
dhcp select global
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/5
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return

● Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 100
#
dhcp enable
#
ip pool 1
gateway-list 10.1.1.111
network 10.1.1.0 mask 255.255.255.0
excluded-ip-address 10.1.1.1 10.1.1.110
excluded-ip-address 10.1.1.112 10.1.1.129
lease day 10 hour 0 minute 0
#
interface Vlanif100
ip address 10.1.1.129 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
dhcp select global
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/5
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return

● Configuration file of Switch


#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
stp instance 0 cost 20000
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 100
stp disable
#
return

3.8 Typical IP Multicast Configuration

3.8.1 Example for Connecting the CDN Server to the IPTV Network Through Two
Switches That Form a Dual-Node Cluster on the Ring Network

Solution Overview
With the rapid development of IPTV services, the IPTV platform needs to provide
services to a growing number of users, who in turn raise increasingly high
requirements on the reliability of the IPTV live broadcast service. IPTV is a type of
video service, which means that end users have extremely high requirements on
service continuity. Therefore, service continuity must be ensured during routine
maintenance as well as in key event assurance and major version upgrade
assurance.

Figure 3-118 shows the networking diagram of the broadcast and television
network in a region. To ensure the quality of live TV, the live streams sent by the
broadcast and television multicast source server must be first forwarded to the
MRF transcoding server for transcoding and then forwarded by the transcoding
server to receivers. The transcoding server is connected to the IPTV network
through two switches that form a dual-node cluster on the ring network, thereby
improving network reliability.


● Normal forwarding path for multicast streams sent by the multicast source
server: Core -> PE1 -> LSW1 -> CDN -> Transcoding server
● Normal forwarding path for multicast streams transcoded by the transcoding
server: Transcoding server -> CDN -> LSW1 -> PE1 -> AGG -> ACC1 and ACC2
● Normal forwarding path for unicast streams sent from the recording server to
a receiver: Recording server -> CDN -> LSW1 -> PE1 -> AGG -> ACC1 or ACC2

Figure 3-118 Video traffic forwarding path in the scenario when the CDN server is
connected to two switches that form a dual-node cluster on a ring network

Configuration Notes
In this example, Core, PE1, and PE2 are modular switches, and the other devices
are fixed switches. All S series switch models can be used in this example.


Networking Requirements
Figure 3-119 shows the IPTV network diagram in a region. A receiver can watch
live TV programs and catch-up TV programs. The network requirements are as
follows:
● Multicast live streams sent by the multicast source server are first forwarded
to the CDN server for transcoding and recording and then forwarded to
receivers.
● Receivers can also order catch-up TV programs in unicast mode.
● Layer 3 multicast, L2/L3 mixed multicast, and IGMP snooping are deployed to
forward multicast traffic.
● OSPF is used to implement traffic forwarding at Layer 3. LSW1 and LSW2
establish neighbor relationships with PE1 and PE2 respectively in area 1 of
OSPF process 1. Core establishes neighbor relationships with PE1 and PE2 in
area 0 of OSPF process 1.
● MSTP is deployed between CDN, LSW1, and LSW2 to prevent loops; VRRP is
deployed on LSW1 and LSW2 to improve network reliability.
● To ensure access security, traffic policies are configured on LSW1 and LSW2 to
restrict the access of multicast source servers.


Figure 3-119 Basic IPTV networking in the scenario when the CDN server is
connected to two switches that form a dual-node cluster on a ring network

Data Plan

Table 3-37 VLAN plan

Item     | Description
VLAN 33  | VLAN to which users connected to ACC1 belong.
VLAN 34  | VLAN to which users connected to ACC2 belong.
VLAN 88  | VLAN used by a user to watch a catch-up TV program.
VLAN 301 | VLAN used by LSW1 and LSW2.
VLAN 400 | VLAN used after multicast live streams are transcoded.
VLAN 530 | VLAN used before multicast live streams are transcoded.

Table 3-38 IP address plan

Product | Item | Description
Core | GE1/0/1: 66.1.1.3/24 | Layer 3 interface connected to the multicast source server.
Core | GE1/0/2: 20.1.1.3/24 | Layer 3 interface connected to PE2.
Core | GE1/0/3: 12.1.1.2/24 | Layer 3 interface connected to PE1.
Core | LoopBack0: 1.1.1.3 | -
PE1 | GE1/0/2: 12.1.1.1/24 | Layer 3 interface connected to Core.
PE1 | GE1/0/3: 60.1.1.1/24 | Layer 3 interface connected to PE2.
PE1 | Vlanif10: 10.1.1.1/24 (corresponding to physical interface GE1/0/1) | Interface connected to LSW1.
PE1 | Vlanif11: 11.1.1.1/24 (corresponding to physical interface GE1/0/4) | Interface connected to AGG.
PE1 | LoopBack0: 1.1.1.1 | -
PE2 | GE1/0/2: 20.1.1.2/24 | Layer 3 interface connected to Core.
PE2 | GE1/0/3: 60.1.1.2/24 | Layer 3 interface connected to PE1.
PE2 | Vlanif10: 10.1.2.1/24 (corresponding to physical interface GE1/0/1) | Interface connected to LSW2.
PE2 | Vlanif22: 22.1.1.2/24 (corresponding to physical interface GE1/0/4) | Interface connected to AGG.
PE2 | LoopBack0: 1.1.1.2 | -
AGG | Vlanif11: 11.1.1.8/24 (corresponding to physical interface GE0/0/4) | Interface connected to PE1.
AGG | Vlanif22: 22.1.1.8/24 (corresponding to physical interface GE0/0/5) | Interface connected to PE2.
AGG | Vlanif33: 33.1.1.8/24 (corresponding to physical interface GE0/0/1) | Interface connected to ACC1.
AGG | Vlanif34: 34.1.1.8/24 (corresponding to physical interface GE0/0/2) | Interface connected to ACC2.
AGG | LoopBack0: 1.1.1.4 | -
LSW1 | Vlanif10: 10.1.1.2/24 (corresponding to physical interface GE0/0/1) | Interface connected to PE1.
LSW1 | Vlanif88: 88.1.1.7/24 (corresponding to physical interface GE0/0/2) | Interface used for communication with the recording server.
LSW1 | Vlanif301: 31.1.1.1/24 (corresponding to physical interfaces GE0/0/3 and GE0/0/4) | Interface connected to LSW2. GE0/0/3 and GE0/0/4 are bundled to form Eth-Trunk1.
LSW1 | Vlanif400: 4.1.1.2/24 (corresponding to physical interface GE0/0/2) | Interface used for communication with the CDN server after transcoding.
LSW1 | Vlanif530: 5.1.1.2/24 (corresponding to physical interface GE0/0/2) | Interface used for communication with the CDN server before transcoding.
LSW2 | Vlanif10: 10.1.2.2/24 (corresponding to physical interface GE0/0/1) | Interface connected to PE2.
LSW2 | Vlanif88: 88.1.1.5/24 (corresponding to physical interface GE0/0/2) | Interface used for communication with the recording server.
LSW2 | Vlanif301: 31.1.1.2/24 (corresponding to physical interfaces GE0/0/3 and GE0/0/4) | Interface connected to LSW1. GE0/0/3 and GE0/0/4 are bundled to form Eth-Trunk1.
LSW2 | Vlanif400: 4.1.1.3/24 (corresponding to physical interface GE0/0/2) | Interface used for communication with the CDN server after transcoding.
LSW2 | Vlanif530: 5.1.1.3/24 (corresponding to physical interface GE0/0/2) | Interface used for communication with the CDN server before transcoding.


Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to the VLANs.
2. Configure MSTP to prevent loops.
3. Configure an IP address for each VLANIF interface.
4. Configure VRRP to implement gateway redundancy.
5. Configure OSPF to implement Layer 3 interworking.
6. Configure Layer 3 multicast.
7. Configure IGMP snooping to enable Layer 2 multicast.
8. Configure traffic policies to control the access of multicast sources.

Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
# Create a VLAN on ACC1 and add related interfaces to the VLAN.
<HUAWEI> system-view
[HUAWEI] sysname ACC1
[ACC1] vlan batch 33
[ACC1] interface gigabitethernet 0/0/1
[ACC1-GigabitEthernet0/0/1] description ACC1***to***AGG
[ACC1-GigabitEthernet0/0/1] port link-type trunk
[ACC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 33
[ACC1-GigabitEthernet0/0/1] quit
[ACC1] interface gigabitethernet 0/0/2
[ACC1-GigabitEthernet0/0/2] port link-type access
[ACC1-GigabitEthernet0/0/2] port default vlan 33
[ACC1-GigabitEthernet0/0/2] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type access
[ACC1-GigabitEthernet0/0/3] port default vlan 33
[ACC1-GigabitEthernet0/0/3] quit

# Create a VLAN on ACC2 and add related interfaces to the VLAN.


<HUAWEI> system-view
[HUAWEI] sysname ACC2
[ACC2] vlan batch 34
[ACC2] interface gigabitethernet 0/0/1
[ACC2-GigabitEthernet0/0/1] description ACC2***to***AGG
[ACC2-GigabitEthernet0/0/1] port link-type trunk
[ACC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 34
[ACC2-GigabitEthernet0/0/1] quit
[ACC2] interface gigabitethernet 0/0/2
[ACC2-GigabitEthernet0/0/2] port link-type access
[ACC2-GigabitEthernet0/0/2] port default vlan 34
[ACC2-GigabitEthernet0/0/2] quit
[ACC2] interface gigabitethernet 0/0/3
[ACC2-GigabitEthernet0/0/3] port link-type access
[ACC2-GigabitEthernet0/0/3] port default vlan 34
[ACC2-GigabitEthernet0/0/3] quit

# Create VLANs on AGG and add related interfaces to the VLANs.


<HUAWEI> system-view
[HUAWEI] sysname AGG
[AGG] vlan batch 11 22 33 to 34
[AGG] interface gigabitethernet 0/0/1
[AGG-GigabitEthernet0/0/1] description AGG***to***ACC1
[AGG-GigabitEthernet0/0/1] port link-type trunk
[AGG-GigabitEthernet0/0/1] port trunk allow-pass vlan 33
[AGG-GigabitEthernet0/0/1] quit
[AGG] interface gigabitethernet 0/0/2
[AGG-GigabitEthernet0/0/2] description AGG***to***ACC2
[AGG-GigabitEthernet0/0/2] port link-type trunk
[AGG-GigabitEthernet0/0/2] port trunk allow-pass vlan 34
[AGG-GigabitEthernet0/0/2] quit
[AGG] interface gigabitethernet 0/0/4
[AGG-GigabitEthernet0/0/4] description AGG***to***PE1
[AGG-GigabitEthernet0/0/4] port link-type trunk
[AGG-GigabitEthernet0/0/4] port trunk allow-pass vlan 11
[AGG-GigabitEthernet0/0/4] quit
[AGG] interface gigabitethernet 0/0/5
[AGG-GigabitEthernet0/0/5] description AGG***to***PE2
[AGG-GigabitEthernet0/0/5] port link-type trunk
[AGG-GigabitEthernet0/0/5] port trunk allow-pass vlan 22
[AGG-GigabitEthernet0/0/5] quit

# Create VLANs on PE1 and add related interfaces to the VLANs.


<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 10 to 11
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] description PE1***to***LSW1
[PE1-GigabitEthernet1/0/1] port link-type access
[PE1-GigabitEthernet1/0/1] port default vlan 10
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface gigabitethernet 1/0/4
[PE1-GigabitEthernet1/0/4] description PE1***to***AGG
[PE1-GigabitEthernet1/0/4] port link-type trunk
[PE1-GigabitEthernet1/0/4] port trunk allow-pass vlan 11
[PE1-GigabitEthernet1/0/4] quit

# Create VLANs on PE2 and add related interfaces to the VLANs.


<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 10 22
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] description PE2***to***LSW2
[PE2-GigabitEthernet1/0/1] port link-type access
[PE2-GigabitEthernet1/0/1] port default vlan 10
[PE2-GigabitEthernet1/0/1] quit
[PE2] interface gigabitethernet 1/0/4
[PE2-GigabitEthernet1/0/4] description PE2***to***AGG
[PE2-GigabitEthernet1/0/4] port link-type trunk
[PE2-GigabitEthernet1/0/4] port trunk allow-pass vlan 22
[PE2-GigabitEthernet1/0/4] quit

# Create VLANs on LSW1 and add related interfaces to the VLANs.


<HUAWEI> system-view
[HUAWEI] sysname LSW1
[LSW1] vlan batch 10 88 301 400 530
[LSW1] interface eth-trunk1
[LSW1-Eth-Trunk1] description LSW1***to***LSW2
[LSW1-Eth-Trunk1] port link-type trunk
[LSW1-Eth-Trunk1] port trunk allow-pass vlan 88 301 400 530
[LSW1-Eth-Trunk1] quit
[LSW1] interface gigabitethernet 0/0/3
[LSW1-GigabitEthernet0/0/3] eth-trunk 1
[LSW1-GigabitEthernet0/0/3] quit
[LSW1] interface gigabitethernet 0/0/4
[LSW1-GigabitEthernet0/0/4] eth-trunk 1
[LSW1-GigabitEthernet0/0/4] quit
[LSW1] interface gigabitethernet 0/0/1
[LSW1-GigabitEthernet0/0/1] description LSW1***to***PE1
[LSW1-GigabitEthernet0/0/1] port link-type access
[LSW1-GigabitEthernet0/0/1] port default vlan 10
[LSW1-GigabitEthernet0/0/1] quit
[LSW1] interface gigabitethernet 0/0/2
[LSW1-GigabitEthernet0/0/2] description LSW1***to***CDN
[LSW1-GigabitEthernet0/0/2] port link-type trunk
[LSW1-GigabitEthernet0/0/2] port trunk allow-pass vlan 88 301 400 530
[LSW1-GigabitEthernet0/0/2] quit

# Create VLANs on LSW2 and add related interfaces to the VLANs.


<HUAWEI> system-view
[HUAWEI] sysname LSW2
[LSW2] vlan batch 10 88 301 400 530
[LSW2] interface eth-trunk1
[LSW2-Eth-Trunk1] description LSW1***to***LSW2
[LSW2-Eth-Trunk1] port link-type trunk
[LSW2-Eth-Trunk1] port trunk allow-pass vlan 88 301 400 530
[LSW2-Eth-Trunk1] quit
[LSW2] interface gigabitethernet 0/0/3
[LSW2-GigabitEthernet0/0/3] eth-trunk 1
[LSW2-GigabitEthernet0/0/3] quit
[LSW2] interface gigabitethernet 0/0/4
[LSW2-GigabitEthernet0/0/4] eth-trunk 1
[LSW2-GigabitEthernet0/0/4] quit
[LSW2] interface gigabitethernet 0/0/1
[LSW2-GigabitEthernet0/0/1] description LSW2***to***PE2
[LSW2-GigabitEthernet0/0/1] port link-type access
[LSW2-GigabitEthernet0/0/1] port default vlan 10
[LSW2-GigabitEthernet0/0/1] quit
[LSW2] interface gigabitethernet 0/0/2
[LSW2-GigabitEthernet0/0/2] description LSW2***to***CDN
[LSW2-GigabitEthernet0/0/2] port link-type trunk
[LSW2-GigabitEthernet0/0/2] port trunk allow-pass vlan 88 301 400 530
[LSW2-GigabitEthernet0/0/2] quit

# Create VLANs on CDN and add related interfaces to the VLANs.


<HUAWEI> system-view
[HUAWEI] sysname CDN
[CDN] vlan batch 88 301 400 530
[CDN] interface gigabitethernet 0/0/1
[CDN-GigabitEthernet0/0/1] description CDN***to***LSW2
[CDN-GigabitEthernet0/0/1] port link-type trunk
[CDN-GigabitEthernet0/0/1] port trunk allow-pass vlan 88 301 400 530
[CDN-GigabitEthernet0/0/1] quit
[CDN] interface gigabitethernet 0/0/2
[CDN-GigabitEthernet0/0/2] description CDN***to***LSW1
[CDN-GigabitEthernet0/0/2] port link-type trunk
[CDN-GigabitEthernet0/0/2] port trunk allow-pass vlan 88 301 400 530
[CDN-GigabitEthernet0/0/2] quit
[CDN] interface gigabitethernet 0/0/3
[CDN-GigabitEthernet0/0/3] description CDN***to***HMS-Server
[CDN-GigabitEthernet0/0/3] port link-type access
[CDN-GigabitEthernet0/0/3] port default vlan 88
[CDN-GigabitEthernet0/0/3] quit
[CDN] interface gigabitethernet 0/0/4
[CDN-GigabitEthernet0/0/4] description CDN***to***MRF-IN
[CDN-GigabitEthernet0/0/4] port link-type access
[CDN-GigabitEthernet0/0/4] port default vlan 400
[CDN-GigabitEthernet0/0/4] quit
[CDN] interface gigabitethernet 0/0/5
[CDN-GigabitEthernet0/0/5] description CDN***to***MRF-OUT
[CDN-GigabitEthernet0/0/5] port link-type access
[CDN-GigabitEthernet0/0/5] port default vlan 530
[CDN-GigabitEthernet0/0/5] quit

Step 2 Configure MSTP. LSW1, LSW2, and CDN form a Layer 2 loop, so MSTP is used to
break the loop.
# Configure an MSTP region on LSW1 and enable MSTP.
[LSW1] stp region-configuration
[LSW1-mst-region] region-name IPTV
[LSW1-mst-region] instance 1 vlan 530
[LSW1-mst-region] instance 2 vlan 88 301 400
[LSW1-mst-region] active region-configuration
[LSW1-mst-region] quit
[LSW1] stp instance 1 root primary
[LSW1] stp instance 2 root secondary
[LSW1] stp enable //By default, MSTP is enabled globally and on interfaces. Therefore, you only need to disable MSTP on the interfaces that do not participate in MSTP calculation.
[LSW1] interface gigabitethernet 0/0/1
[LSW1-GigabitEthernet0/0/1] stp disable
[LSW1-GigabitEthernet0/0/1] quit

# Configure an MSTP region on LSW2 and enable MSTP.


[LSW2] stp region-configuration
[LSW2-mst-region] region-name IPTV
[LSW2-mst-region] instance 1 vlan 530
[LSW2-mst-region] instance 2 vlan 88 301 400
[LSW2-mst-region] active region-configuration
[LSW2-mst-region] quit
[LSW2] stp instance 1 root secondary
[LSW2] stp instance 2 root primary
[LSW2] stp enable //By default, MSTP is enabled globally and on interfaces. Therefore, you only need to disable MSTP on the interfaces that do not participate in MSTP calculation.
[LSW2] interface gigabitethernet 0/0/1
[LSW2-GigabitEthernet0/0/1] stp disable
[LSW2-GigabitEthernet0/0/1] quit

# Configure an MSTP region on CDN and enable MSTP.


[CDN] stp region-configuration
[CDN-mst-region] region-name IPTV
[CDN-mst-region] instance 1 vlan 530
[CDN-mst-region] instance 2 vlan 88 301 400
[CDN-mst-region] active region-configuration
[CDN-mst-region] quit
[CDN] stp enable //By default, MSTP is enabled globally and on interfaces. Therefore, you only need to disable MSTP on the interfaces that do not participate in MSTP calculation.
[CDN] interface gigabitethernet 0/0/3
[CDN-GigabitEthernet0/0/3] stp disable
[CDN-GigabitEthernet0/0/3] quit
[CDN] interface gigabitethernet 0/0/4
[CDN-GigabitEthernet0/0/4] stp disable
[CDN-GigabitEthernet0/0/4] quit
[CDN] interface gigabitethernet 0/0/5
[CDN-GigabitEthernet0/0/5] stp disable
[CDN-GigabitEthernet0/0/5] quit

Step 3 Assign an IP address to each interface.

# Configure IP addresses for the interfaces on Core.


<HUAWEI> system-view
[HUAWEI] sysname Core
[Core] interface gigabitethernet 1/0/1
[Core-GigabitEthernet1/0/1] undo portswitch
[Core-GigabitEthernet1/0/1] description Core***to***Server
[Core-GigabitEthernet1/0/1] ip address 66.1.1.3 255.255.255.0
[Core-GigabitEthernet1/0/1] quit
[Core] interface gigabitethernet 1/0/2
[Core-GigabitEthernet1/0/2] undo portswitch
[Core-GigabitEthernet1/0/2] description Core***to***PE2
[Core-GigabitEthernet1/0/2] ip address 20.1.1.3 255.255.255.0
[Core-GigabitEthernet1/0/2] quit
[Core] interface gigabitethernet 1/0/3
[Core-GigabitEthernet1/0/3] undo portswitch
[Core-GigabitEthernet1/0/3] description Core***to***PE1
[Core-GigabitEthernet1/0/3] ip address 12.1.1.2 255.255.255.0
[Core-GigabitEthernet1/0/3] quit
[Core] interface LoopBack0
[Core-LoopBack0] ip address 1.1.1.3 255.255.255.255
[Core-LoopBack0] quit

# Configure IP addresses for the interfaces on PE1.


[PE1] interface vlanif 10
[PE1-Vlanif10] description to***LSW1
[PE1-Vlanif10] ip address 10.1.1.1 255.255.255.0
[PE1-Vlanif10] quit
[PE1] interface vlanif 11
[PE1-Vlanif11] description to***AGG
[PE1-Vlanif11] ip address 11.1.1.1 255.255.255.0
[PE1-Vlanif11] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] undo portswitch
[PE1-GigabitEthernet1/0/2] description PE1***to***Core
[PE1-GigabitEthernet1/0/2] ip address 12.1.1.1 255.255.255.0
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] undo portswitch
[PE1-GigabitEthernet1/0/3] description PE1***to***PE2
[PE1-GigabitEthernet1/0/3] ip address 60.1.1.1 255.255.255.0
[PE1-GigabitEthernet1/0/3] quit
[PE1] interface LoopBack0
[PE1-LoopBack0] ip address 1.1.1.1 255.255.255.255
[PE1-LoopBack0] quit

# Configure IP addresses for the interfaces on PE2.


[PE2] interface vlanif 10
[PE2-Vlanif10] description to***LSW2
[PE2-Vlanif10] ip address 10.1.2.1 255.255.255.0
[PE2-Vlanif10] quit
[PE2] interface vlanif 22
[PE2-Vlanif22] description to***AGG
[PE2-Vlanif22] ip address 22.1.1.2 255.255.255.0
[PE2-Vlanif22] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] undo portswitch
[PE2-GigabitEthernet1/0/2] description PE2***to***Core
[PE2-GigabitEthernet1/0/2] ip address 20.1.1.2 255.255.255.0
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface gigabitethernet 1/0/3
[PE2-GigabitEthernet1/0/3] undo portswitch
[PE2-GigabitEthernet1/0/3] description PE2***to***PE1
[PE2-GigabitEthernet1/0/3] ip address 60.1.1.2 255.255.255.0
[PE2-GigabitEthernet1/0/3] quit
[PE2] interface LoopBack0
[PE2-LoopBack0] ip address 1.1.1.2 255.255.255.255
[PE2-LoopBack0] quit

# Configure IP addresses for the interfaces on AGG.


[AGG] interface vlanif 11
[AGG-Vlanif11] description to***PE1
[AGG-Vlanif11] ip address 11.1.1.8 255.255.255.0
[AGG-Vlanif11] quit
[AGG] interface vlanif 22
[AGG-Vlanif22] description to***PE2
[AGG-Vlanif22] ip address 22.1.1.8 255.255.255.0
[AGG-Vlanif22] quit
[AGG] interface vlanif 33
[AGG-Vlanif33] description to***ACC1
[AGG-Vlanif33] ip address 33.1.1.8 255.255.255.0
[AGG-Vlanif33] quit
[AGG] interface vlanif 34
[AGG-Vlanif34] description to***ACC2
[AGG-Vlanif34] ip address 34.1.1.8 255.255.255.0
[AGG-Vlanif34] quit
[AGG] interface LoopBack0
[AGG-LoopBack0] ip address 1.1.1.4 255.255.255.255
[AGG-LoopBack0] quit

# Configure IP addresses for the interfaces on LSW1.


[LSW1] interface vlanif 10
[LSW1-Vlanif10] description to***PE1
[LSW1-Vlanif10] ip address 10.1.1.2 255.255.255.0
[LSW1-Vlanif10] quit
[LSW1] interface vlanif 88
[LSW1-Vlanif88] description to***HMS
[LSW1-Vlanif88] ip address 88.1.1.7 255.255.255.0
[LSW1-Vlanif88] quit
[LSW1] interface vlanif 301
[LSW1-Vlanif301] description to***LSW2
[LSW1-Vlanif301] ip address 31.1.1.1 255.255.255.0
[LSW1-Vlanif301] quit
[LSW1] interface vlanif 400
[LSW1-Vlanif400] description to***MRF IN
[LSW1-Vlanif400] ip address 4.1.1.2 255.255.255.0
[LSW1-Vlanif400] quit
[LSW1] interface vlanif 530
[LSW1-Vlanif530] description to***MRF OUT
[LSW1-Vlanif530] ip address 5.1.1.2 255.255.255.0
[LSW1-Vlanif530] quit

# Configure IP addresses for the interfaces on LSW2.


[LSW2] interface vlanif 10
[LSW2-Vlanif10] description to***PE2
[LSW2-Vlanif10] ip address 10.1.2.2 255.255.255.0
[LSW2-Vlanif10] quit
[LSW2] interface vlanif 88
[LSW2-Vlanif88] description to***HMS
[LSW2-Vlanif88] ip address 88.1.1.5 255.255.255.0
[LSW2-Vlanif88] quit
[LSW2] interface vlanif 301
[LSW2-Vlanif301] description to***LSW1
[LSW2-Vlanif301] ip address 31.1.1.2 255.255.255.0
[LSW2-Vlanif301] quit
[LSW2] interface vlanif 400
[LSW2-Vlanif400] description to***MRF IN
[LSW2-Vlanif400] ip address 4.1.1.3 255.255.255.0
[LSW2-Vlanif400] quit
[LSW2] interface vlanif 530
[LSW2-Vlanif530] description to***MRF OUT
[LSW2-Vlanif530] ip address 5.1.1.3 255.255.255.0
[LSW2-Vlanif530] quit

Step 4 Configure VRRP.


# Configure VRRP on LSW1.
[LSW1] interface vlanif 88
[LSW1-Vlanif88] vrrp vrid 2 virtual-ip 88.1.1.100
[LSW1-Vlanif88] vrrp vrid 2 priority 120
[LSW1-Vlanif88] vrrp vrid 2 preempt-mode timer delay 20
[LSW1-Vlanif88] vrrp vrid 2 track interface GigabitEthernet0/0/1 reduced 100
[LSW1-Vlanif88] quit
[LSW1] interface vlanif 400
[LSW1-Vlanif400] vrrp vrid 40 virtual-ip 4.1.1.10
[LSW1-Vlanif400] vrrp vrid 40 priority 120
[LSW1-Vlanif400] quit
[LSW1] interface vlanif 530
[LSW1-Vlanif530] vrrp vrid 53 virtual-ip 5.1.1.10
[LSW1-Vlanif530] vrrp vrid 53 priority 120
[LSW1-Vlanif530] quit

# Configure VRRP on LSW2.


[LSW2] interface vlanif 88
[LSW2-Vlanif88] vrrp vrid 2 virtual-ip 88.1.1.100
[LSW2-Vlanif88] quit
[LSW2] interface vlanif 400
[LSW2-Vlanif400] vrrp vrid 40 virtual-ip 4.1.1.10
[LSW2-Vlanif400] quit
[LSW2] interface vlanif 530
[LSW2-Vlanif530] vrrp vrid 53 virtual-ip 5.1.1.10
[LSW2-Vlanif530] quit

Step 5 Configure OSPF.


# Configure OSPF on Core.
[Core] ospf 1
[Core-ospf-1] area 0
[Core-ospf-1-area-0.0.0.0] quit
[Core-ospf-1] quit
[Core] interface gigabitethernet 1/0/1
[Core-GigabitEthernet1/0/1] ospf enable 1 area 0.0.0.0
[Core-GigabitEthernet1/0/1] quit
[Core] interface gigabitethernet 1/0/2
[Core-GigabitEthernet1/0/2] ospf enable 1 area 0.0.0.0
[Core-GigabitEthernet1/0/2] quit
[Core] interface gigabitethernet 1/0/3
[Core-GigabitEthernet1/0/3] ospf enable 1 area 0.0.0.0
[Core-GigabitEthernet1/0/3] quit
[Core] interface LoopBack0
[Core-LoopBack0] ospf enable 1 area 0.0.0.0
[Core-LoopBack0] quit

# Configure OSPF on PE1.


[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] area 1
[PE1-ospf-1-area-0.0.0.1] nssa
[PE1-ospf-1-area-0.0.0.1] quit
[PE1-ospf-1] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ospf enable 1 area 0.0.0.1
[PE1-Vlanif10] quit
[PE1] interface vlanif 11
[PE1-Vlanif11] ospf enable 1 area 0.0.0.0
[PE1-Vlanif11] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] ospf enable 1 area 0.0.0.0
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] ospf enable 1 area 0.0.0.0
[PE1-GigabitEthernet1/0/3] quit
[PE1] interface LoopBack0
[PE1-LoopBack0] ospf enable 1 area 0.0.0.0
[PE1-LoopBack0] quit

# Configure OSPF on PE2.


[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] area 1
[PE2-ospf-1-area-0.0.0.1] nssa
[PE2-ospf-1-area-0.0.0.1] quit
[PE2-ospf-1] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] ospf enable 1 area 0.0.0.1
[PE2-Vlanif10] quit
[PE2] interface vlanif 22
[PE2-Vlanif22] ospf enable 1 area 0.0.0.0
[PE2-Vlanif22] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] ospf enable 1 area 0.0.0.0
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface gigabitethernet 1/0/3
[PE2-GigabitEthernet1/0/3] ospf enable 1 area 0.0.0.0
[PE2-GigabitEthernet1/0/3] quit
[PE2] interface LoopBack0
[PE2-LoopBack0] ospf enable 1 area 0.0.0.0
[PE2-LoopBack0] quit

# Configure OSPF on AGG, and change the cost of the related interface for route backup.
[AGG] ospf 1
[AGG-ospf-1] area 0
[AGG-ospf-1-area-0.0.0.0] quit
[AGG-ospf-1] quit
[AGG] interface vlanif 11
[AGG-Vlanif11] ospf enable 1 area 0.0.0.0
[AGG-Vlanif11] quit
[AGG] interface vlanif 22
[AGG-Vlanif22] ospf cost 10000
[AGG-Vlanif22] ospf enable 1 area 0.0.0.0
[AGG-Vlanif22] quit
[AGG] interface vlanif 33
[AGG-Vlanif33] ospf enable 1 area 0.0.0.0
[AGG-Vlanif33] quit
[AGG] interface vlanif 34
[AGG-Vlanif34] ospf enable 1 area 0.0.0.0
[AGG-Vlanif34] quit
[AGG] interface LoopBack0
[AGG-LoopBack0] ospf enable 1 area 0.0.0.0
[AGG-LoopBack0] quit

# Configure OSPF on LSW1.


[LSW1] interface vlanif 10
[LSW1-Vlanif10] ospf enable 1 area 0.0.0.1
[LSW1-Vlanif10] quit
[LSW1] interface vlanif 301
[LSW1-Vlanif301] ospf network-type p2p
[LSW1-Vlanif301] ospf timer hello 1
[LSW1-Vlanif301] quit
[LSW1] ospf 1 router-id 192.168.1.1
[LSW1-ospf-1] default-route-advertise
[LSW1-ospf-1] silent-interface Vlanif88
[LSW1-ospf-1] silent-interface Vlanif530
[LSW1-ospf-1] silent-interface Vlanif400
[LSW1-ospf-1] area 1
[LSW1-ospf-1-area-0.0.0.1] network 5.1.1.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.1] network 10.1.1.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.1] network 31.1.1.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.1] network 88.1.1.0 0.0.0.255
[LSW1-ospf-1-area-0.0.0.1] nssa
[LSW1-ospf-1-area-0.0.0.1] quit
[LSW1-ospf-1] quit

# Configure OSPF on LSW2.


[LSW2] interface vlanif 10
[LSW2-Vlanif10] ospf enable 1 area 0.0.0.1
[LSW2-Vlanif10] quit
[LSW2] interface vlanif 301
[LSW2-Vlanif301] ospf network-type p2p
[LSW2-Vlanif301] ospf timer hello 1
[LSW2-Vlanif301] quit
[LSW2] ospf 1 router-id 192.168.1.2
[LSW2-ospf-1] default-route-advertise
[LSW2-ospf-1] silent-interface Vlanif88
[LSW2-ospf-1] silent-interface Vlanif530
[LSW2-ospf-1] silent-interface Vlanif400
[LSW2-ospf-1] area 1
[LSW2-ospf-1-area-0.0.0.1] network 5.1.1.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.1] network 10.1.1.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.1] network 31.1.1.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.1] network 88.1.1.0 0.0.0.255
[LSW2-ospf-1-area-0.0.0.1] nssa
[LSW2-ospf-1-area-0.0.0.1] quit
[LSW2-ospf-1] quit

Step 6 Configure Layer 3 multicast.

# Configure Layer 3 multicast on Core.


[Core] multicast routing-enable
[Core] pim
[Core-pim] static-rp 1.1.1.2
[Core-pim] quit
[Core] interface gigabitethernet 1/0/1
[Core-GigabitEthernet1/0/1] pim sm
[Core-GigabitEthernet1/0/1] quit
[Core] interface gigabitethernet 1/0/2
[Core-GigabitEthernet1/0/2] pim sm
[Core-GigabitEthernet1/0/2] quit
[Core] interface gigabitethernet 1/0/3
[Core-GigabitEthernet1/0/3] pim sm
[Core-GigabitEthernet1/0/3] quit

# Configure Layer 3 multicast on PE1.


[PE1] multicast routing-enable
[PE1] pim
[PE1-pim] c-bsr LoopBack0
[PE1-pim] c-rp LoopBack0
[PE1-pim] static-rp 1.1.1.2
[PE1-pim] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] pim sm
[PE1-Vlanif10] quit
[PE1] interface vlanif 11
[PE1-Vlanif11] pim sm
[PE1-Vlanif11] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] pim sm
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] pim sm
[PE1-GigabitEthernet1/0/3] quit
[PE1] interface LoopBack0
[PE1-LoopBack0] pim sm
[PE1-LoopBack0] quit

# Configure Layer 3 multicast on PE2.


[PE2] multicast routing-enable
[PE2] pim
[PE2-pim] static-rp 1.1.1.2
[PE2-pim] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] pim sm
[PE2-Vlanif10] quit
[PE2] interface vlanif 22
[PE2-Vlanif22] pim sm
[PE2-Vlanif22] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] pim sm
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface gigabitethernet 1/0/3
[PE2-GigabitEthernet1/0/3] pim sm
[PE2-GigabitEthernet1/0/3] quit
[PE2] interface LoopBack0
[PE2-LoopBack0] pim sm
[PE2-LoopBack0] quit

# Configure Layer 3 multicast on AGG.


[AGG] multicast routing-enable
[AGG] pim
[AGG-pim] static-rp 1.1.1.2
[AGG-pim] quit
[AGG] interface vlanif 11
[AGG-Vlanif11] pim sm
[AGG-Vlanif11] quit
[AGG] interface vlanif 22
[AGG-Vlanif22] pim sm
[AGG-Vlanif22] quit
[AGG] interface vlanif 33
[AGG-Vlanif33] pim sm
[AGG-Vlanif33] igmp enable //The interface is connected to users, so IGMP needs to be enabled on it.
[AGG-Vlanif33] quit
[AGG] interface vlanif 34
[AGG-Vlanif34] pim sm
[AGG-Vlanif34] igmp enable
[AGG-Vlanif34] quit

# Configure Layer 3 multicast on LSW1.


[LSW1] multicast routing-enable
[LSW1] pim
[LSW1-pim] static-rp 1.1.1.1
[LSW1-pim] quit
[LSW1] interface vlanif 10
[LSW1-Vlanif10] pim sm
[LSW1-Vlanif10] quit
[LSW1] interface vlanif 301
[LSW1-Vlanif301] pim sm
[LSW1-Vlanif301] quit
[LSW1] interface vlanif 400
[LSW1-Vlanif400] pim hello-option dr-priority 100 //Adjust the priority for DR election to ensure that multicast traffic is preferentially forwarded by LSW1.
[LSW1-Vlanif400] pim sm
[LSW1-Vlanif400] igmp enable
[LSW1-Vlanif400] quit
[LSW1] interface vlanif 530
[LSW1-Vlanif530] pim sm
[LSW1-Vlanif530] pim hello-option dr-priority 100
[LSW1-Vlanif530] igmp enable //The interface is connected to the decoding server, so IGMP needs to be enabled on the interface.
[LSW1-Vlanif530] quit

# Configure Layer 3 multicast on LSW2.


[LSW2] multicast routing-enable
[LSW2] pim
[LSW2-pim] static-rp 1.1.1.1
[LSW2-pim] quit
[LSW2] interface vlanif 10
[LSW2-Vlanif10] pim sm
[LSW2-Vlanif10] quit
[LSW2] interface vlanif 301
[LSW2-Vlanif301] pim sm
[LSW2-Vlanif301] quit
[LSW2] interface vlanif 400
[LSW2-Vlanif400] pim sm
[LSW2-Vlanif400] igmp enable
[LSW2-Vlanif400] quit
[LSW2] interface vlanif 530
[LSW2-Vlanif530] pim sm
[LSW2-Vlanif530] igmp enable
[LSW2-Vlanif530] quit

Step 7 Configure IGMP snooping to enable Layer 2 multicast.


# Enable IGMP snooping on ACC1.
[ACC1] igmp-snooping enable
[ACC1] vlan 33
[ACC1-vlan33] igmp-snooping enable
[ACC1-vlan33] multicast drop-unknown
[ACC1-vlan33] quit

# Enable IGMP snooping on ACC2.


[ACC2] igmp-snooping enable
[ACC2] vlan 34
[ACC2-vlan34] igmp-snooping enable
[ACC2-vlan34] multicast drop-unknown
[ACC2-vlan34] quit

# Enable IGMP snooping on LSW1.


[LSW1] igmp-snooping enable
[LSW1] vlan 301
[LSW1-vlan301] igmp-snooping enable
[LSW1-vlan301] quit
[LSW1] vlan 530
[LSW1-vlan530] igmp-snooping enable
[LSW1-vlan530] quit

# Enable IGMP snooping on LSW2.


[LSW2] igmp-snooping enable
[LSW2] vlan 301
[LSW2-vlan301] igmp-snooping enable
[LSW2-vlan301] quit
[LSW2] vlan 530
[LSW2-vlan530] igmp-snooping enable
[LSW2-vlan530] quit

Step 8 Configure traffic policies to control the access of multicast sources.

# Configure traffic policies on LSW1.


[LSW1] acl number 3000
[LSW1-acl-adv-3000] description ***ACL FOR IPTV_Service_IN***
[LSW1-acl-adv-3000] rule 1 permit ip source 66.1.1.0 0.0.0.255 destination 4.1.1.0 0.0.0.127
[LSW1-acl-adv-3000] quit
[LSW1] acl number 3998
[LSW1-acl-adv-3998] description ***ACL FOR Multicast Remark***
[LSW1-acl-adv-3998] rule 5 permit ip source 5.1.1.80 0.0.0.15
[LSW1-acl-adv-3998] quit
[LSW1] traffic classifier IPTV_Service_IN
[LSW1-classifier-IPTV_Service_IN] if-match acl 3000
[LSW1-classifier-IPTV_Service_IN] quit
[LSW1] traffic classifier IPTV_Multicast_Remark
[LSW1-classifier-IPTV_Multicast_Remark] if-match acl 3998
[LSW1-classifier-IPTV_Multicast_Remark] quit
[LSW1] traffic behavior IPTV_Service_IN
[LSW1-behavior-IPTV_Service_IN] permit
[LSW1-behavior-IPTV_Service_IN] quit
[LSW1] traffic behavior IPTV_Multicast_Remark
[LSW1-behavior-IPTV_Multicast_Remark] permit
[LSW1-behavior-IPTV_Multicast_Remark] remark dscp af41
[LSW1-behavior-IPTV_Multicast_Remark] quit
[LSW1] traffic policy IPTV_Service_IN
[LSW1-trafficpolicy-IPTV_Service_IN] classifier IPTV_Service_IN behavior IPTV_Service_IN
[LSW1-trafficpolicy-IPTV_Service_IN] quit
[LSW1] traffic policy IPTV_Multicast_Remark
[LSW1-trafficpolicy-IPTV_Multicast_Remark] classifier IPTV_Multicast_Remark behavior IPTV_Multicast_Remark
[LSW1-trafficpolicy-IPTV_Multicast_Remark] quit
[LSW1] interface gigabitethernet 0/0/1
[LSW1-GigabitEthernet0/0/1] traffic-policy IPTV_Service_IN inbound
[LSW1-GigabitEthernet0/0/1] quit
[LSW1] interface gigabitethernet 0/0/2
[LSW1-GigabitEthernet0/0/2] traffic-policy IPTV_Multicast_Remark inbound
[LSW1-GigabitEthernet0/0/2] quit

# Configure traffic policies on LSW2.


[LSW2] acl number 3000
[LSW2-acl-adv-3000] description ***ACL FOR IPTV_Service_IN***
[LSW2-acl-adv-3000] rule 1 permit ip source 66.1.1.0 0.0.0.255 destination 4.1.1.0 0.0.0.127
[LSW2-acl-adv-3000] quit
[LSW2] acl number 3998
[LSW2-acl-adv-3998] description ***ACL FOR Multicast Remark***
[LSW2-acl-adv-3998] rule 5 permit ip source 5.1.1.80 0.0.0.15
[LSW2-acl-adv-3998] quit
[LSW2] traffic classifier IPTV_Service_IN
[LSW2-classifier-IPTV_Service_IN] if-match acl 3000
[LSW2-classifier-IPTV_Service_IN] quit
[LSW2] traffic classifier IPTV_Multicast_Remark
[LSW2-classifier-IPTV_Multicast_Remark] if-match acl 3998
[LSW2-classifier-IPTV_Multicast_Remark] quit
[LSW2] traffic behavior IPTV_Service_IN
[LSW2-behavior-IPTV_Service_IN] permit
[LSW2-behavior-IPTV_Service_IN] quit
[LSW2] traffic behavior IPTV_Multicast_Remark
[LSW2-behavior-IPTV_Multicast_Remark] permit
[LSW2-behavior-IPTV_Multicast_Remark] remark dscp af41
[LSW2-behavior-IPTV_Multicast_Remark] quit
[LSW2] traffic policy IPTV_Service_IN
[LSW2-trafficpolicy-IPTV_Service_IN] classifier IPTV_Service_IN behavior IPTV_Service_IN
[LSW2-trafficpolicy-IPTV_Service_IN] quit
[LSW2] traffic policy IPTV_Multicast_Remark
[LSW2-trafficpolicy-IPTV_Multicast_Remark] classifier IPTV_Multicast_Remark behavior IPTV_Multicast_Remark
[LSW2-trafficpolicy-IPTV_Multicast_Remark] quit
[LSW2] interface gigabitethernet 0/0/1
[LSW2-GigabitEthernet0/0/1] traffic-policy IPTV_Service_IN inbound
[LSW2-GigabitEthernet0/0/1] quit
[LSW2] interface gigabitethernet 0/0/2
[LSW2-GigabitEthernet0/0/2] traffic-policy IPTV_Multicast_Remark inbound
[LSW2-GigabitEthernet0/0/2] quit

Step 9 Verify the configuration.


# After the configuration is complete, PIM neighbor information can be correctly
generated on Core, PE1, PE2, and AGG.
[Core] display pim neighbor
VPN-Instance: public net
Total Number of Neighbors = 2

Neighbor Interface Uptime Expires Dr-Priority BFD-Session
12.1.1.1 GE1/0/3 01:09:01 00:01:43 1 N
20.1.1.2 GE1/0/2 01:06:30 00:01:39 1 N
[PE1] display pim neighbor
VPN-Instance: public net
Total Number of Neighbors = 4

Neighbor Interface Uptime Expires Dr-Priority BFD-Session
12.1.1.2 GE1/0/2 01:10:48 00:01:27 1 N
60.1.1.2 GE1/0/3 01:08:06 00:01:40 1 N
10.1.1.2 Vlanif10 00:39:38 00:01:21 1 N
11.1.1.8 Vlanif11 01:05:16 00:01:30 1 N
[PE2] display pim neighbor
VPN-Instance: public net
Total Number of Neighbors = 4

Neighbor Interface Uptime Expires Dr-Priority BFD-Session
20.1.1.3 GE1/0/2 01:11:32 00:01:42 1 N
60.1.1.1 GE1/0/3 01:11:18 00:01:27 1 N
10.1.2.2 Vlanif10 00:41:06 00:01:39 1 N
22.1.1.8 Vlanif22 01:08:28 00:01:42 1 N
[AGG] display pim neighbor
VPN-Instance: public net
Total Number of Neighbors = 2

Neighbor Interface Uptime Expires Dr-Priority BFD-Session
11.1.1.1 Vlanif11 01:09:30 00:01:20 1 N
22.1.1.2 Vlanif22 01:08:34 00:01:18 1 N

# After users send IGMP Report messages, ACC1 and ACC2 can generate
information about multicast group member ports correctly.
[ACC1] display igmp-snooping port-info
--------------------------------------------------------------------------------
(Source, Group) Port Flag
Flag: S:Static D:Dynamic M: Ssm-mapping
--------------------------------------------------------------------------------
VLAN 33, 1 Entry(s)
(*, 225.1.1.1) GE0/0/2 -D-
GE0/0/3 -D-
2 port(s) include
--------------------------------------------------------------------------------
[ACC2] display igmp-snooping port-info
--------------------------------------------------------------------------------
(Source, Group) Port Flag
Flag: S:Static D:Dynamic M: Ssm-mapping
--------------------------------------------------------------------------------
VLAN 34, 1 Entry(s)
(*, 225.1.1.1) GE0/0/2 -D-
GE0/0/3 -D-
2 port(s) include
--------------------------------------------------------------------------------

# After the multicast source sends a multicast packet and the decoding server
sends a join message, LSW1 and PE1 can generate the multicast routing entry
correctly.
[LSW1] display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 0 (S, G) entry

(*, 225.0.0.1)
RP: 1.1.1.1
Protocol: pim-sm, Flag: WC
UpTime: 00:06:50
Upstream interface: Vlanif10
Upstream neighbor: 10.1.1.1
RPF prime neighbor: 10.1.1.1
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif530
Protocol: igmp, UpTime: 00:01:42, Expires: -
[PE1] display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 0 (S, G) entry

(*, 225.0.0.1)
RP: 1.1.1.1 (local)
Protocol: pim-sm, Flag: WC
UpTime: 00:12:46
Upstream interface: Register
Upstream neighbor: NULL
RPF prime neighbor: NULL
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif10
Protocol: pim-sm, UpTime: 00:08:59, Expires: 00:02:31

----End
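As an added example (not Huawei's code and not part of this guide), the following Python resolves the Step 8 chain from interface to traffic policy, classifier and ACL, and evaluates a packet against it using a constructed fragment of the LSW1 configuration file; it treats an ACL deny rule as a drop, which is a simplifying assumption of the example.

```python
# Added example, not Huawei's code: resolve the Step 8 chain interface ->
# traffic-policy -> classifier -> ACL against a constructed LSW1 config fragment.
import ipaddress
import re
from typing import List, Optional

LSW1_CONFIG = """\
acl number 3000
 description ***ACL FOR IPTV_Service_IN***
 rule 1 permit ip source 66.1.1.0 0.0.0.255 destination 4.1.1.0 0.0.0.127
acl number 3998
 rule 5 permit ip source 5.1.1.80 0.0.0.15
#
traffic classifier IPTV_Multicast_Remark operator or
 if-match acl 3998
traffic classifier IPTV_Service_IN operator or
 if-match acl 3000
#
traffic behavior IPTV_Multicast_Remark
 permit
 remark dscp af41
traffic behavior IPTV_Service_IN
 permit
#
traffic policy IPTV_Multicast_Remark match-order config
 classifier IPTV_Multicast_Remark behavior IPTV_Multicast_Remark
traffic policy IPTV_Service_IN match-order config
 classifier IPTV_Service_IN behavior IPTV_Service_IN
#
interface GigabitEthernet0/0/1
 traffic-policy IPTV_Service_IN inbound
#
interface GigabitEthernet0/0/2
 traffic-policy IPTV_Multicast_Remark inbound
"""

# rule <id> permit|deny ip [source <net> <wildcard>] [destination <net> <wildcard>]
RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip(?: source (\S+) (\S+))?"
                     r"(?: destination (\S+) (\S+))?$")


def parse_sections(config: str) -> dict:
    """Group each top-level VRP command with its one-space-indented children.
    Several ACLs can share one '#' block, so grouping uses indentation, not '#'."""
    sections, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        elif not raw.startswith(" "):
            current = raw.strip()
            sections[current] = []
    return sections


def wildcard_match(addr: str, net: str, wildcard: str) -> bool:
    """A 1 bit in a VRP wildcard means 'don't care'. The mask need not be a
    contiguous prefix: 5.1.1.80 0.0.0.15 covers exactly 5.1.1.80-5.1.1.95."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    diff = int(ipaddress.IPv4Address(addr)) ^ int(ipaddress.IPv4Address(net))
    return diff & care == 0


def acl_action(sections: dict, acl_number: str, src: str, dst: str) -> Optional[str]:
    """Action of the first matching rule in rule-number order; None if none matches."""
    rules = [m.groups() for line in sections.get(f"acl number {acl_number}", [])
             if (m := RULE_RE.match(line))]
    for _rid, action, snet, swc, dnet, dwc in sorted(rules, key=lambda r: int(r[0])):
        if snet and not wildcard_match(src, snet, swc):
            continue
        if dnet and not wildcard_match(dst, dnet, dwc):
            continue
        return action
    return None


def _find(sections: dict, kind: str, name: str) -> List[str]:
    """Children of 'traffic <kind> <name> ...' ([] if undefined); options ignored."""
    return next((v for k, v in sections.items()
                 if k.split()[:3] == ["traffic", kind, name]), [])


def policy_decision(sections: dict, interface: str, src: str, dst: str) -> Optional[List[str]]:
    """Behaviour lines applied to src->dst entering `interface`, or None.
    Classifiers are tried in configuration order (match-order config); an ACL
    deny rule is reported as ['deny'], a simplifying assumption of this example."""
    iface = sections.get(f"interface {interface}", [])
    policy = next((x.split()[1] for x in iface if x.startswith("traffic-policy ")), None)
    if policy is None:
        return None  # nothing bound: traffic is forwarded untouched
    for line in _find(sections, "policy", policy):
        parts = line.split()  # classifier <name> behavior <name>
        if parts[0] != "classifier":
            continue
        for stmt in _find(sections, "classifier", parts[1]):
            m = re.match(r"if-match acl (\d+)$", stmt)
            if m and (action := acl_action(sections, m.group(1), src, dst)):
                return _find(sections, "behavior", parts[3]) if action == "permit" else ["deny"]
    return None


SECTIONS = parse_sections(LSW1_CONFIG)
```

A packet from the multicast source range to the upper half of 4.1.1.0/24 (for example 4.1.1.200) falls outside the 0.0.0.127 wildcard of rule 1 and so matches no classifier on GigabitEthernet0/0/1.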

Configuration Files
● Core configuration file
#
sysname Core
#
multicast routing-enable
#
interface GigabitEthernet1/0/1
undo portswitch
description Core***to***Server
ip address 66.1.1.3 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/2
undo portswitch
description Core***to***PE2
ip address 20.1.1.3 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/3
undo portswitch
description Core***to***PE1
ip address 12.1.1.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface LoopBack0
ip address 1.1.1.3 255.255.255.255
ospf enable 1 area 0.0.0.0
#
ospf 1
area 0.0.0.0
#
pim
static-rp 1.1.1.2
#
return

● Configuration file of PE devices

PE1 Configuration File

#
sysname PE1
#
vlan batch 10 to 11
#
multicast routing-enable
#
interface Vlanif10
description to***LSW1
ip address 10.1.1.1 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.1
#
interface Vlanif11
description to***AGG
ip address 11.1.1.1 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/1
description PE1***to***LSW1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
undo portswitch
description PE1***to***Core
ip address 12.1.1.1 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/3
undo portswitch
description PE1***to***PE2
ip address 60.1.1.1 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/4
description PE1***to***AGG
port link-type trunk
port trunk allow-pass vlan 11
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
pim sm
ospf enable 1 area 0.0.0.0
#
ospf 1
area 0.0.0.0
area 0.0.0.1
nssa
#
pim
c-bsr LoopBack0
c-rp LoopBack0
static-rp 1.1.1.2
#
return

PE2 Configuration File

#
sysname PE2
#
vlan batch 10 22
#
multicast routing-enable
#
interface Vlanif10
description to***LSW2
ip address 10.1.2.1 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.1
#
interface Vlanif22
description to***AGG
ip address 22.1.1.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/1
description PE2***to***LSW2
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
undo portswitch
description PE2***to***Core
ip address 20.1.1.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/3
undo portswitch
description PE2***to***PE1
ip address 60.1.1.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/4
description PE2***to***AGG
port link-type trunk
port trunk allow-pass vlan 22
#
interface LoopBack0
ip address 1.1.1.2 255.255.255.255
ospf enable 1 area 0.0.0.0
#
ospf 1
area 0.0.0.0
area 0.0.0.1
nssa
#
pim
static-rp 1.1.1.2
#
return

● LSW configuration files

LSW1 Configuration File

#
sysname LSW1
#
vlan batch 10 88 301 400 530
#
stp instance 1 root primary
stp instance 2 root secondary
#
multicast routing-enable
#
igmp-snooping enable
#
stp region-configuration
region-name IPTV
instance 1 vlan 530
instance 2 vlan 88 301 400
active region-configuration
#
acl number 3000
description ***ACL FOR IPTV_Service_IN***
rule 1 permit ip source 66.1.1.0 0.0.0.255 destination 4.1.1.0 0.0.0.127
acl number 3998
description ***ACL FOR Multicast Remark***
rule 5 permit ip source 5.1.1.80 0.0.0.15
#
traffic classifier IPTV_Multicast_Remark operator or
if-match acl 3998
traffic classifier IPTV_Service_IN operator or
if-match acl 3000
#
traffic behavior IPTV_Multicast_Remark
permit
remark dscp af41
traffic behavior IPTV_Service_IN
permit
#
traffic policy IPTV_Multicast_Remark match-order config
classifier IPTV_Multicast_Remark behavior IPTV_Multicast_Remark
traffic policy IPTV_Service_IN match-order config
classifier IPTV_Service_IN behavior IPTV_Service_IN
#
vlan 10
description to***PE1
vlan 301
description to***LSW2
igmp-snooping enable
vlan 400
description ***MRF IN***
multicast drop-unknown
igmp-snooping enable
vlan 530
description ***MRF OUT***
multicast drop-unknown
igmp-snooping enable
#
interface Vlanif10
description to***PE1
ip address 10.1.1.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.1
#
interface Vlanif88
description to***HMS
ip address 88.1.1.7 255.255.255.0
vrrp vrid 2 virtual-ip 88.1.1.100
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
vrrp vrid 2 track interface GigabitEthernet0/0/1 reduced 100
#
interface Vlanif301
description LSW1***to***LSW2
ip address 31.1.1.1 255.255.255.0
pim sm
ospf network-type p2p
ospf timer hello 1
#
interface Vlanif400
description to***MRF IN
ip address 4.1.1.2 255.255.255.0
vrrp vrid 40 virtual-ip 4.1.1.10
vrrp vrid 40 priority 120
pim hello-option dr-priority 100
pim sm
igmp enable
#
interface Vlanif530
description to***MRF OUT
ip address 5.1.1.2 255.255.255.0
vrrp vrid 53 virtual-ip 5.1.1.10
vrrp vrid 53 priority 120
pim hello-option dr-priority 100
pim sm
igmp enable
#
interface Eth-Trunk1
description LSW1***to***LSW2
port link-type trunk
port trunk allow-pass vlan 88 301 400 530
#
interface GigabitEthernet0/0/1
description LSW1***to***PE1
port link-type access
port default vlan 10
stp disable
traffic-policy IPTV_Service_IN inbound
#
interface GigabitEthernet0/0/2
description LSW1***to***CDN
port link-type trunk
port trunk allow-pass vlan 88 301 400 530
traffic-policy IPTV_Multicast_Remark inbound
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
interface GigabitEthernet0/0/4
eth-trunk 1
#
ospf 1 router-id 192.168.1.1
default-route-advertise
silent-interface Vlanif88
silent-interface Vlanif530
silent-interface Vlanif400
area 0.0.0.1
network 10.1.1.0 0.0.0.255
network 31.1.1.0 0.0.0.255
network 88.1.1.0 0.0.0.255
network 5.1.1.0 0.0.0.255
nssa
#
pim
static-rp 1.1.1.1
#
return

LSW2 Configuration File

#
sysname LSW2
#
vlan batch 10 88 301 400 530
#
stp instance 1 root secondary
stp instance 2 root primary
#
multicast routing-enable
#
igmp-snooping enable
#
stp region-configuration
region-name IPTV
instance 1 vlan 530
instance 2 vlan 88 301 400
active region-configuration
#
acl number 3000
description ***ACL FOR IPTV_Service_IN***
rule 1 permit ip source 66.1.1.0 0.0.0.255 destination 4.1.1.0 0.0.0.127
acl number 3998
description ***ACL FOR Multicast Remark***
rule 5 permit ip source 5.1.1.80 0.0.0.15
#
traffic classifier IPTV_Multicast_Remark operator or
if-match acl 3998
traffic classifier IPTV_Service_IN operator or
if-match acl 3000
#
traffic behavior IPTV_Multicast_Remark
permit
remark dscp af41
traffic behavior IPTV_Service_IN
permit
#
traffic policy IPTV_Multicast_Remark match-order config
classifier IPTV_Multicast_Remark behavior IPTV_Multicast_Remark
traffic policy IPTV_Service_IN match-order config
classifier IPTV_Service_IN behavior IPTV_Service_IN
#
vlan 10
description to***PE2
vlan 301
description to***LSW1
igmp-snooping enable
vlan 400
description ***MRF IN***
multicast drop-unknown
igmp-snooping enable
vlan 530
description ***MRF OUT***
multicast drop-unknown
igmp-snooping enable
#
interface Vlanif10
description to***PE2
ip address 10.1.2.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.1
#
interface Vlanif88
description to***HMS
ip address 88.1.1.5 255.255.255.0
vrrp vrid 2 virtual-ip 88.1.1.100
#
interface Vlanif301
description LSW2***to***LSW1
ip address 31.1.1.2 255.255.255.0
pim sm
ospf network-type p2p
ospf timer hello 1
#
interface Vlanif400
description to***MRF IN
ip address 4.1.1.3 255.255.255.0
vrrp vrid 40 virtual-ip 4.1.1.10
pim sm
igmp enable
#
interface Vlanif530
description to***MRF OUT
ip address 5.1.1.3 255.255.255.0
vrrp vrid 53 virtual-ip 5.1.1.10
pim sm
igmp enable
#
interface Eth-Trunk1
description LSW2***to***LSW1
port link-type trunk
port trunk allow-pass vlan 88 301 400 530
#
interface GigabitEthernet0/0/1
description LSW2***to***PE2
port link-type access
port default vlan 10
stp disable
traffic-policy IPTV_Service_IN inbound
#
interface GigabitEthernet0/0/2
description LSW2***to***CDN
port link-type trunk
port trunk allow-pass vlan 88 301 400 530
traffic-policy IPTV_Multicast_Remark inbound
#
interface GigabitEthernet0/0/3
eth-trunk 1
#
interface GigabitEthernet0/0/4
eth-trunk 1
#
ospf 1 router-id 192.168.1.2
default-route-advertise
silent-interface Vlanif88
silent-interface Vlanif530
silent-interface Vlanif400
area 0.0.0.1
network 5.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
network 31.1.1.0 0.0.0.255
network 88.1.1.0 0.0.0.255
nssa
#
pim
static-rp 1.1.1.1
#
return

● CDN configuration file


#
sysname CDN
#
vlan batch 88 301 400 530
#
stp region-configuration
region-name IPTV
instance 1 vlan 530
instance 2 vlan 88 301 400
active region-configuration
#
interface GigabitEthernet0/0/1
description CDN***to***LSW2
port link-type trunk
port trunk allow-pass vlan 88 301 400 530
#
interface GigabitEthernet0/0/2
description CDN***to***LSW1
port link-type trunk
port trunk allow-pass vlan 88 301 400 530
#
interface GigabitEthernet0/0/3
description CDN***to***HMS-Server
port link-type access
port default vlan 88
stp disable
#
interface GigabitEthernet0/0/4
description CDN***to***MRF-IN
port link-type access
port default vlan 400
stp disable
#
interface GigabitEthernet0/0/5
description CDN***to***MRF-OUT
port link-type access
port default vlan 530
stp disable
#
return

● AGG configuration file


#
sysname AGG
#
vlan batch 11 22 33 to 34
#
multicast routing-enable
#
interface Vlanif11
description to***PE1
ip address 11.1.1.8 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface Vlanif22
description to***PE2
ip address 22.1.1.8 255.255.255.0
pim sm
ospf cost 10000
ospf enable 1 area 0.0.0.0
#
interface Vlanif33
description to***ACC1
ip address 33.1.1.8 255.255.255.0
pim sm
igmp enable
ospf enable 1 area 0.0.0.0
#
interface Vlanif34
description to***ACC2
ip address 34.1.1.8 255.255.255.0
pim sm
igmp enable
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet0/0/1
description AGG***to***ACC1
port link-type trunk
port trunk allow-pass vlan 33
#
interface GigabitEthernet0/0/2
description AGG***to***ACC2
port link-type trunk
port trunk allow-pass vlan 34
#
interface GigabitEthernet0/0/4
description AGG***to***PE1
port link-type trunk
port trunk allow-pass vlan 11
#
interface GigabitEthernet0/0/5
description AGG***to***PE2
port link-type trunk
port trunk allow-pass vlan 22
#
interface LoopBack0
ip address 1.1.1.4 255.255.255.255
ospf enable 1 area 0.0.0.0
#
ospf 1
area 0.0.0.0
#
pim
static-rp 1.1.1.2
#
return

● ACC configuration files

ACC1 Configuration File

#
sysname ACC1
#
vlan batch 33
#
igmp-snooping enable
#
vlan 33
multicast drop-unknown
igmp-snooping enable
#
interface GigabitEthernet0/0/1
description ACC1***to***AGG
port link-type trunk
port trunk allow-pass vlan 33
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 33
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 33
#
return

ACC2 Configuration File

#
sysname ACC2
#
vlan batch 34
#
igmp-snooping enable
#
vlan 34
multicast drop-unknown
igmp-snooping enable
#
interface GigabitEthernet0/0/1
description ACC2***to***AGG
port link-type trunk
port trunk allow-pass vlan 34
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 34
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 34
#
return

3.8.2 Example for Connecting the CDN Server to a Switch Stack System That Connects to PE Devices of the IPTV Network Through Eth-Trunk

Solution Overview
With the rapid development of IPTV services, the IPTV platform must serve a
growing number of users, who in turn place increasingly high reliability
requirements on the IPTV live broadcast service. Because IPTV is a video
service, end users have extremely high requirements on service continuity.
Therefore, service continuity must be ensured during routine maintenance,
during key-event assurance, and during major version upgrades.

Figure 3-120 shows the networking diagram of the broadcast and television
network in a region. To ensure the quality of live TV, the live streams sent by the
broadcast and television multicast source server must be first forwarded to the
MRF transcoding server for transcoding and then forwarded by the transcoding
server to receivers. The transcoding server is connected to a switch stack system,
which connects to PE devices of the IPTV network through Eth-Trunk. This
improves network reliability.

● Normal forwarding path for multicast streams sent by the multicast source
server: Core -> PE1 -> Stack -> CDN -> Transcoding server
● Normal forwarding path for multicast streams transcoded by the transcoding
server: Transcoding server -> CDN -> Stack -> PE1 -> AGG -> ACC1 and ACC2
● Normal forwarding path for unicast streams sent from the recording server to
a receiver: Recording server -> CDN -> Stack -> PE1 -> AGG -> ACC1 or ACC2


Figure 3-120 Video traffic forwarding path in the scenario when the transcoding
server is connected to a switch stack system that connects to PE devices of the
IPTV network through Eth-Trunk

Configuration Notes
In this example, Core, PE1, and PE2 are modular switches, and the other devices
are fixed switches. All S series switch models can be used in this example.

Networking Requirements
Figure 3-121 shows the IPTV network diagram in a region. A receiver can watch
live TV programs and catch-up TV programs. The network requirements are as
follows:

● Multicast live streams sent by the multicast source server are first forwarded
to the CDN server for transcoding and recording and then forwarded to
receivers.
● Receivers can also order catch-up TV programs in unicast mode.


● Layer 3 multicast, L2/L3 mixed multicast, and IGMP snooping are deployed to
forward multicast traffic.
● OSPF is used to implement traffic forwarding at Layer 3. The switch stack
system (named Stack) establishes neighbor relationships with PE1 and PE2 in
area 1 of OSPF process 1. Core establishes neighbor relationships with PE1
and PE2 in area 0 of OSPF process 1.
● To ensure access security, traffic policies are configured on Stack to restrict
the access of multicast source servers.

Figure 3-121 Basic IPTV networking in the scenario when the transcoding server is
connected to a switch stack system that connects to PE devices of the IPTV
network through Eth-Trunk


Data Plan

Table 3-39 VLAN plan

Item      | Description
VLAN 33   | VLAN to which users connected to ACC1 belong.
VLAN 34   | VLAN to which users connected to ACC2 belong.
VLAN 88   | VLAN used by a user to watch a catch-up TV program.
VLAN 400  | VLAN used after multicast live streams are transcoded.
VLAN 530  | VLAN used before multicast live streams are transcoded.

Table 3-40 IP address plan

Product | Item                                                               | Description
Core    | GE1/0/1: 66.1.1.3/24                                               | Layer 3 interface connected to the multicast source server.
        | GE1/0/2: 20.1.1.3/24                                               | Layer 3 interface connected to PE2.
        | GE1/0/3: 12.1.1.2/24                                               | Layer 3 interface connected to PE1.
        | LoopBack0: 1.1.1.3                                                 | -
PE1     | GE1/0/2: 12.1.1.1/24                                               | Layer 3 interface connected to Core.
        | GE1/0/3: 60.1.1.1/24                                               | Layer 3 interface connected to PE2.
        | Vlanif10: 10.1.1.1/24 (corresponding to Eth-Trunk2)                | Interface connected to Stack. The member physical interfaces of Eth-Trunk2 are GE1/0/6 and GE1/0/7.
        | Vlanif11: 11.1.1.1/24 (corresponding to physical interface GE1/0/4) | Interface connected to AGG.
        | LoopBack0: 1.1.1.1                                                 | -
PE2     | GE1/0/2: 20.1.1.2/24                                               | Layer 3 interface connected to Core.
        | GE1/0/3: 60.1.1.2/24                                               | Layer 3 interface connected to PE1.
        | Vlanif21: 21.1.1.1/24 (corresponding to Eth-Trunk3)                | Interface connected to Stack. The member physical interfaces of Eth-Trunk3 are GE1/0/6 and GE1/0/7.
        | Vlanif22: 22.1.1.2/24 (corresponding to physical interface GE1/0/4) | Interface connected to AGG.
        | LoopBack0: 1.1.1.2                                                 | -
AGG     | Vlanif11: 11.1.1.8/24 (corresponding to physical interface GE0/0/4) | Interface connected to PE1.
        | Vlanif22: 22.1.1.8/24 (corresponding to physical interface GE0/0/5) | Interface connected to PE2.
        | Vlanif33: 33.1.1.8/24 (corresponding to physical interface GE0/0/1) | Interface connected to ACC1.
        | Vlanif34: 34.1.1.8/24 (corresponding to physical interface GE0/0/2) | Interface connected to ACC2.
        | LoopBack0: 1.1.1.4                                                 | -
Stack   | Vlanif10: 10.1.1.2/24 (corresponding to Eth-Trunk2)                | Interface connected to PE1. The member physical interfaces of Eth-Trunk2 are GE0/0/6 and GE1/0/6.
        | Vlanif88: 88.1.1.7/24 (corresponding to physical interface GE0/0/2) | Interface used for communication with the recording server.
        | Vlanif21: 21.1.1.2/24 (corresponding to Eth-Trunk3)                | Interface connected to PE2. The member physical interfaces of Eth-Trunk3 are GE0/0/8 and GE1/0/8.
        | Vlanif400: 4.1.1.2/24 (corresponding to physical interface GE0/0/2) | Interface used for communication with the CDN server after transcoding.
        | Vlanif530: 5.1.1.2/24 (corresponding to physical interface GE0/0/2) | Interface used for communication with the CDN server before transcoding.

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and add interfaces to the VLANs.
2. Configure an IP address for each VLANIF interface.
3. Configure OSPF to implement Layer 3 interworking.

4. Configure Layer 3 multicast.
5. Configure IGMP snooping to enable Layer 2 multicast.
6. Configure traffic policies to control the access of multicast sources.

Procedure
Step 1 Create VLANs and add interfaces to the VLANs.

# Create a VLAN on ACC1 and add related interfaces to the VLAN.


<HUAWEI> system-view
[HUAWEI] sysname ACC1
[ACC1] vlan batch 33
[ACC1] interface gigabitethernet 0/0/1
[ACC1-GigabitEthernet0/0/1] description ACC1***to***AGG
[ACC1-GigabitEthernet0/0/1] port link-type trunk
[ACC1-GigabitEthernet0/0/1] port trunk allow-pass vlan 33
[ACC1-GigabitEthernet0/0/1] quit
[ACC1] interface gigabitethernet 0/0/2
[ACC1-GigabitEthernet0/0/2] port link-type access
[ACC1-GigabitEthernet0/0/2] port default vlan 33
[ACC1-GigabitEthernet0/0/2] quit
[ACC1] interface gigabitethernet 0/0/3
[ACC1-GigabitEthernet0/0/3] port link-type access
[ACC1-GigabitEthernet0/0/3] port default vlan 33
[ACC1-GigabitEthernet0/0/3] quit

# Create a VLAN on ACC2 and add related interfaces to the VLAN.


<HUAWEI> system-view
[HUAWEI] sysname ACC2
[ACC2] vlan batch 34
[ACC2] interface gigabitethernet 0/0/1
[ACC2-GigabitEthernet0/0/1] description ACC2***to***AGG
[ACC2-GigabitEthernet0/0/1] port link-type trunk
[ACC2-GigabitEthernet0/0/1] port trunk allow-pass vlan 34
[ACC2-GigabitEthernet0/0/1] quit
[ACC2] interface gigabitethernet 0/0/2
[ACC2-GigabitEthernet0/0/2] port link-type access
[ACC2-GigabitEthernet0/0/2] port default vlan 34
[ACC2-GigabitEthernet0/0/2] quit
[ACC2] interface gigabitethernet 0/0/3
[ACC2-GigabitEthernet0/0/3] port link-type access
[ACC2-GigabitEthernet0/0/3] port default vlan 34
[ACC2-GigabitEthernet0/0/3] quit

# Create VLANs on AGG and add related interfaces to the VLANs.


<HUAWEI> system-view
[HUAWEI] sysname AGG
[AGG] vlan batch 11 22 33 34
[AGG] interface gigabitethernet 0/0/1
[AGG-GigabitEthernet0/0/1] description AGG***to***ACC1
[AGG-GigabitEthernet0/0/1] port link-type trunk
[AGG-GigabitEthernet0/0/1] port trunk allow-pass vlan 33
[AGG-GigabitEthernet0/0/1] quit
[AGG] interface gigabitethernet 0/0/2
[AGG-GigabitEthernet0/0/2] description AGG***to***ACC2
[AGG-GigabitEthernet0/0/2] port link-type trunk
[AGG-GigabitEthernet0/0/2] port trunk allow-pass vlan 34
[AGG-GigabitEthernet0/0/2] quit
[AGG] interface gigabitethernet 0/0/4
[AGG-GigabitEthernet0/0/4] description AGG***to***PE1
[AGG-GigabitEthernet0/0/4] port link-type trunk
[AGG-GigabitEthernet0/0/4] port trunk allow-pass vlan 11
[AGG-GigabitEthernet0/0/4] quit
[AGG] interface gigabitethernet 0/0/5
[AGG-GigabitEthernet0/0/5] description AGG***to***PE2
[AGG-GigabitEthernet0/0/5] port link-type trunk
[AGG-GigabitEthernet0/0/5] port trunk allow-pass vlan 22
[AGG-GigabitEthernet0/0/5] quit

# Create VLANs on PE1 and add related interfaces to the VLANs.


<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 10 11
[PE1] interface eth-trunk2
[PE1-Eth-Trunk2] description PE1***to***Stack
[PE1-Eth-Trunk2] port link-type access
[PE1-Eth-Trunk2] port default vlan 10
[PE1-Eth-Trunk2] trunkport gigabitethernet 1/0/6
[PE1-Eth-Trunk2] trunkport gigabitethernet 1/0/7
[PE1-Eth-Trunk2] quit
[PE1] interface gigabitethernet 1/0/4
[PE1-GigabitEthernet1/0/4] description PE1***to***AGG
[PE1-GigabitEthernet1/0/4] port link-type trunk
[PE1-GigabitEthernet1/0/4] port trunk allow-pass vlan 11
[PE1-GigabitEthernet1/0/4] quit

# Create VLANs on PE2 and add related interfaces to the VLANs.


<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 21 22
[PE2] interface eth-trunk3
[PE2-Eth-Trunk3] description PE2***to***Stack
[PE2-Eth-Trunk3] port link-type access
[PE2-Eth-Trunk3] port default vlan 21
[PE2-Eth-Trunk3] trunkport gigabitethernet 1/0/6
[PE2-Eth-Trunk3] trunkport gigabitethernet 1/0/7
[PE2-Eth-Trunk3] quit
[PE2] interface gigabitethernet 1/0/4
[PE2-GigabitEthernet1/0/4] description PE2***to***AGG
[PE2-GigabitEthernet1/0/4] port link-type trunk
[PE2-GigabitEthernet1/0/4] port trunk allow-pass vlan 22
[PE2-GigabitEthernet1/0/4] quit

# Create VLANs on Stack and add related interfaces to the VLANs.


<HUAWEI> system-view
[HUAWEI] sysname Stack
[Stack] vlan batch 10 21 88 301 400 530
[Stack] interface eth-trunk1
[Stack-Eth-Trunk1] description Stack***to***CDN
[Stack-Eth-Trunk1] port link-type trunk
[Stack-Eth-Trunk1] port trunk allow-pass vlan 88 301 400 530
[Stack-Eth-Trunk1] trunkport gigabitethernet 0/0/1
[Stack-Eth-Trunk1] trunkport gigabitethernet 1/0/1
[Stack-Eth-Trunk1] quit
[Stack] interface eth-trunk2
[Stack-Eth-Trunk2] description Stack***to***PE1
[Stack-Eth-Trunk2] port link-type access
[Stack-Eth-Trunk2] port default vlan 10
[Stack-Eth-Trunk2] trunkport gigabitethernet 0/0/6
[Stack-Eth-Trunk2] trunkport gigabitethernet 1/0/6
[Stack-Eth-Trunk2] quit
[Stack] interface eth-trunk3
[Stack-Eth-Trunk3] description Stack***to***PE2
[Stack-Eth-Trunk3] port link-type access
[Stack-Eth-Trunk3] port default vlan 21
[Stack-Eth-Trunk3] trunkport gigabitethernet 0/0/8
[Stack-Eth-Trunk3] trunkport gigabitethernet 1/0/8
[Stack-Eth-Trunk3] quit

# Create VLANs on CDN and add related interfaces to the VLANs.


<HUAWEI> system-view
[HUAWEI] sysname CDN
[CDN] vlan batch 88 301 400 530
[CDN] interface eth-trunk1
[CDN-Eth-Trunk1] description CDN***to***Stack

[CDN-Eth-Trunk1] port link-type trunk
[CDN-Eth-Trunk1] port trunk allow-pass vlan 88 301 400 530
[CDN-Eth-Trunk1] trunkport gigabitethernet 0/0/1
[CDN-Eth-Trunk1] trunkport gigabitethernet 0/0/2
[CDN-Eth-Trunk1] quit
[CDN] interface gigabitethernet 0/0/3
[CDN-GigabitEthernet0/0/3] description CDN***to***HMS-Server
[CDN-GigabitEthernet0/0/3] port link-type access
[CDN-GigabitEthernet0/0/3] port default vlan 88
[CDN-GigabitEthernet0/0/3] quit
[CDN] interface gigabitethernet 0/0/4
[CDN-GigabitEthernet0/0/4] description CDN***to***MRF-IN
[CDN-GigabitEthernet0/0/4] port link-type access
[CDN-GigabitEthernet0/0/4] port default vlan 400
[CDN-GigabitEthernet0/0/4] quit
[CDN] interface gigabitethernet 0/0/4
[CDN-GigabitEthernet0/0/4] description CDN***to***MRF-OUT
[CDN-GigabitEthernet0/0/4] port link-type access
[CDN-GigabitEthernet0/0/4] port default vlan 530
[CDN-GigabitEthernet0/0/4] quit

Step 2 Assign an IP address to each interface.

# Configure IP addresses for the interfaces on Core.


<HUAWEI> system-view
[HUAWEI] sysname Core
[Core] interface gigabitethernet 1/0/1
[Core-GigabitEthernet1/0/1] undo portswitch
[Core-GigabitEthernet1/0/1] description Core***to***Sever
[Core-GigabitEthernet1/0/1] ip address 66.1.1.3 255.255.255.0
[Core-GigabitEthernet1/0/1] quit
[Core] interface gigabitethernet 1/0/2
[Core-GigabitEthernet1/0/2] undo portswitch
[Core-GigabitEthernet1/0/2] description Core***to***PE2
[Core-GigabitEthernet1/0/2] ip address 20.1.1.3 255.255.255.0
[Core-GigabitEthernet1/0/2] quit
[Core] interface gigabitethernet 1/0/3
[Core-GigabitEthernet1/0/3] undo portswitch
[Core-GigabitEthernet1/0/3] description Core***to***PE1
[Core-GigabitEthernet1/0/3] ip address 12.1.1.2 255.255.255.0
[Core-GigabitEthernet1/0/3] quit
[Core] interface LoopBack0
[Core-LoopBack0] ip address 1.1.1.3 255.255.255.255
[Core-LoopBack0] quit

# Configure IP addresses for the interfaces on PE1.


[PE1] interface vlanif 10
[PE1-Vlanif10] description to***Stack
[PE1-Vlanif10] ip address 10.1.1.1 255.255.255.0
[PE1-Vlanif10] quit
[PE1] interface vlanif 11
[PE1-Vlanif11] description to***AGG
[PE1-Vlanif11] ip address 11.1.1.1 255.255.255.0
[PE1-Vlanif11] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] undo portswitch
[PE1-GigabitEthernet1/0/2] description PE1***to***Core
[PE1-GigabitEthernet1/0/2] ip address 12.1.1.1 255.255.255.0
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] undo portswitch
[PE1-GigabitEthernet1/0/3] description PE1***to***PE2
[PE1-GigabitEthernet1/0/3] ip address 60.1.1.1 255.255.255.0
[PE1-GigabitEthernet1/0/3] quit
[PE1] interface LoopBack0
[PE1-LoopBack0] ip address 1.1.1.1 255.255.255.255
[PE1-LoopBack0] quit

# Configure IP addresses for the interfaces on PE2.

[PE2] interface vlanif 21
[PE2-Vlanif21] description to***Stack
[PE2-Vlanif21] ip address 21.1.1.1 255.255.255.0
[PE2-Vlanif21] quit
[PE2] interface vlanif 22
[PE2-Vlanif22] description to***AGG
[PE2-Vlanif22] ip address 22.1.1.2 255.255.255.0
[PE2-Vlanif22] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] undo portswitch
[PE2-GigabitEthernet1/0/2] description PE2***to***Core
[PE2-GigabitEthernet1/0/2] ip address 20.1.1.2 255.255.255.0
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface gigabitethernet 1/0/3
[PE2-GigabitEthernet1/0/3] undo portswitch
[PE2-GigabitEthernet1/0/3] description PE2***to***PE1
[PE2-GigabitEthernet1/0/3] ip address 60.1.1.2 255.255.255.0
[PE2-GigabitEthernet1/0/3] quit
[PE2] interface LoopBack0
[PE2-LoopBack0] ip address 1.1.1.2 255.255.255.255
[PE2-LoopBack0] quit

# Configure IP addresses for the interfaces on AGG.


[AGG] interface vlanif 11
[AGG-Vlanif11] description to***PE1
[AGG-Vlanif11] ip address 11.1.1.8 255.255.255.0
[AGG-Vlanif11] quit
[AGG] interface vlanif 22
[AGG-Vlanif22] description to***PE2
[AGG-Vlanif22] ip address 22.1.1.8 255.255.255.0
[AGG-Vlanif22] quit
[AGG] interface vlanif 33
[AGG-Vlanif33] description to***ACC1
[AGG-Vlanif33] ip address 33.1.1.8 255.255.255.0
[AGG-Vlanif33] quit
[AGG] interface vlanif 34
[AGG-Vlanif34] description to***ACC2
[AGG-Vlanif34] ip address 34.1.1.8 255.255.255.0
[AGG-Vlanif34] quit
[AGG] interface LoopBack0
[AGG-LoopBack0] ip address 1.1.1.4 255.255.255.255
[AGG-LoopBack0] quit

# Configure IP addresses for the interfaces on Stack.


[Stack] interface vlanif 10
[Stack-Vlanif10] description to***PE1
[Stack-Vlanif10] ip address 10.1.1.2 255.255.255.0
[Stack-Vlanif10] quit
[Stack] interface vlanif 21
[Stack-Vlanif21] description to***PE2
[Stack-Vlanif21] ip address 21.1.1.2 255.255.255.0
[Stack-Vlanif21] quit
[Stack] interface vlanif 88
[Stack-Vlanif88] description to***HMS
[Stack-Vlanif88] ip address 88.1.1.7 255.255.255.0
[Stack-Vlanif88] quit
[Stack] interface vlanif 301
[Stack-Vlanif301] description to***LSW2
[Stack-Vlanif301] ip address 31.1.1.1 255.255.255.0
[Stack-Vlanif301] quit
[Stack] interface vlanif 400
[Stack-Vlanif400] description to***MRF IN
[Stack-Vlanif400] ip address 4.1.1.2 255.255.255.0
[Stack-Vlanif400] quit
[Stack] interface vlanif 530
[Stack-Vlanif530] description to***MRF OUT
[Stack-Vlanif530] ip address 5.1.1.2 255.255.255.0
[Stack-Vlanif530] quit


Step 3 Configure OSPF.


# Configure OSPF on Core.
[Core] ospf 1
[Core-ospf-1] area 0
[Core-ospf-1-area-0.0.0.0] quit
[Core-ospf-1] quit
[Core] interface gigabitethernet 1/0/1
[Core-GigabitEthernet1/0/1] ospf enable 1 area 0.0.0.0
[Core-GigabitEthernet1/0/1] quit
[Core] interface gigabitethernet 1/0/2
[Core-GigabitEthernet1/0/2] ospf enable 1 area 0.0.0.0
[Core-GigabitEthernet1/0/2] quit
[Core] interface gigabitethernet 1/0/3
[Core-GigabitEthernet1/0/3] ospf enable 1 area 0.0.0.0
[Core-GigabitEthernet1/0/3] quit
[Core] interface LoopBack0
[Core-LoopBack0] ospf enable 1 area 0.0.0.0
[Core-LoopBack0] quit

# Configure OSPF on PE1.


[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] area 1
[PE1-ospf-1-area-0.0.0.1] nssa
[PE1-ospf-1-area-0.0.0.1] quit
[PE1-ospf-1] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ospf enable 1 area 0.0.0.1
[PE1-Vlanif10] quit
[PE1] interface vlanif 11
[PE1-Vlanif11] ospf enable 1 area 0.0.0.0
[PE1-Vlanif11] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] ospf enable 1 area 0.0.0.0
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] ospf enable 1 area 0.0.0.0
[PE1-GigabitEthernet1/0/3] quit
[PE1] interface LoopBack0
[PE1-LoopBack0] ospf enable 1 area 0.0.0.0
[PE1-LoopBack0] quit

# Configure OSPF on PE2.


[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] area 1
[PE2-ospf-1-area-0.0.0.1] nssa
[PE2-ospf-1-area-0.0.0.1] quit
[PE2-ospf-1] quit
[PE2] interface vlanif 21
[PE2-Vlanif21] ospf enable 1 area 0.0.0.1
[PE2-Vlanif21] quit
[PE2] interface vlanif 22
[PE2-Vlanif22] ospf enable 1 area 0.0.0.0
[PE2-Vlanif22] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] ospf enable 1 area 0.0.0.0
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface gigabitethernet 1/0/3
[PE2-GigabitEthernet1/0/3] ospf enable 1 area 0.0.0.0
[PE2-GigabitEthernet1/0/3] quit
[PE2] interface LoopBack0
[PE2-LoopBack0] ospf enable 1 area 0.0.0.0
[PE2-LoopBack0] quit


# Configure OSPF on AGG, and change the cost of the related interface for route
backup.
[AGG] ospf 1
[AGG-ospf-1] area 0
[AGG-ospf-1-area-0.0.0.0] quit
[AGG-ospf-1] quit
[AGG] interface vlanif 11
[AGG-Vlanif11] ospf enable 1 area 0.0.0.0
[AGG-Vlanif11] quit
[AGG] interface vlanif 22
[AGG-Vlanif22] ospf cost 10000
[AGG-Vlanif22] ospf enable 1 area 0.0.0.0
[AGG-Vlanif22] quit
[AGG] interface vlanif 33
[AGG-Vlanif33] ospf enable 1 area 0.0.0.0
[AGG-Vlanif33] quit
[AGG] interface vlanif 34
[AGG-Vlanif34] ospf enable 1 area 0.0.0.0
[AGG-Vlanif34] quit
[AGG] interface LoopBack0
[AGG-LoopBack0] ospf enable 1 area 0.0.0.0
[AGG-LoopBack0] quit

# Configure OSPF on Stack.


[Stack] interface vlanif 10
[Stack-Vlanif10] ospf enable 1 area 0.0.0.1
[Stack-Vlanif10] quit
[Stack] interface vlanif 21
[Stack-Vlanif21] ospf enable 1 area 0.0.0.1
[Stack-Vlanif21] quit
[Stack] interface vlanif 301
[Stack-Vlanif301] ospf network-type p2p
[Stack-Vlanif301] ospf timer hello 1
[Stack-Vlanif301] quit
[Stack] ospf 1 router-id 192.168.1.1
[Stack-ospf-1] default-route-advertise
[Stack-ospf-1] silent-interface Vlanif88
[Stack-ospf-1] silent-interface Vlanif530
[Stack-ospf-1] silent-interface Vlanif400
[Stack-ospf-1] area 1
[Stack-ospf-1-area-0.0.0.1] network 5.1.1.0 0.0.0.255
[Stack-ospf-1-area-0.0.0.1] network 10.1.1.0 0.0.0.255
[Stack-ospf-1-area-0.0.0.1] network 31.1.1.0 0.0.0.255
[Stack-ospf-1-area-0.0.0.1] network 88.1.1.0 0.0.0.255
[Stack-ospf-1-area-0.0.0.1] nssa
[Stack-ospf-1-area-0.0.0.1] quit
[Stack-ospf-1] quit

Step 4 Configure Layer 3 multicast.


# Configure Layer 3 multicast on Core.
[Core] multicast routing-enable
[Core] pim
[Core-pim] static-rp 1.1.1.2
[Core-pim] quit
[Core] interface gigabitethernet 1/0/1
[Core-GigabitEthernet1/0/1] pim sm
[Core-GigabitEthernet1/0/1] quit
[Core] interface gigabitethernet 1/0/2
[Core-GigabitEthernet1/0/2] pim sm
[Core-GigabitEthernet1/0/2] quit
[Core] interface gigabitethernet 1/0/3
[Core-GigabitEthernet1/0/3] pim sm
[Core-GigabitEthernet1/0/3] quit

# Configure Layer 3 multicast on PE1.


[PE1] multicast routing-enable
[PE1] pim
[PE1-pim] c-bsr LoopBack0

[PE1-pim] c-rp LoopBack0
[PE1-pim] static-rp 1.1.1.2
[PE1-pim] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] pim sm
[PE1-Vlanif10] quit
[PE1] interface vlanif 11
[PE1-Vlanif11] pim sm
[PE1-Vlanif11] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] pim sm
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] pim sm
[PE1-GigabitEthernet1/0/3] quit
[PE1] interface LoopBack0
[PE1-LoopBack0] pim sm
[PE1-LoopBack0] quit

# Configure Layer 3 multicast on PE2.


[PE2] multicast routing-enable
[PE2] pim
[PE2-pim] static-rp 1.1.1.2
[PE2-pim] quit
[PE2] interface vlanif 21
[PE2-Vlanif21] pim sm
[PE2-Vlanif21] quit
[PE2] interface vlanif 22
[PE2-Vlanif22] pim sm
[PE2-Vlanif22] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] pim sm
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface gigabitethernet 1/0/3
[PE2-GigabitEthernet1/0/3] pim sm
[PE2-GigabitEthernet1/0/3] quit
[PE2] interface LoopBack0
[PE2-LoopBack0] pim sm
[PE2-LoopBack0] quit

# Configure Layer 3 multicast on AGG.


[AGG] multicast routing-enable
[AGG] pim
[AGG-pim] static-rp 1.1.1.2
[AGG-pim] quit
[AGG] interface vlanif 11
[AGG-Vlanif11] pim sm
[AGG-Vlanif11] quit
[AGG] interface vlanif 22
[AGG-Vlanif22] pim sm
[AGG-Vlanif22] quit
[AGG] interface vlanif 33
[AGG-Vlanif33] pim sm
[AGG-Vlanif33] igmp enable //The interface is connected to users, so IGMP needs to be enabled on it.
[AGG-Vlanif33] quit
[AGG] interface vlanif 34
[AGG-Vlanif34] pim sm
[AGG-Vlanif34] igmp enable
[AGG-Vlanif34] quit

# Configure Layer 3 multicast on Stack.


[Stack] multicast routing-enable
[Stack] pim
[Stack-pim] static-rp 1.1.1.1
[Stack-pim] quit
[Stack] interface vlanif 10
[Stack-Vlanif10] pim sm
[Stack-Vlanif10] quit
[Stack] interface vlanif 21
[Stack-Vlanif21] pim sm
[Stack-Vlanif21] quit
[Stack] interface vlanif 301
[Stack-Vlanif301] pim sm
[Stack-Vlanif301] quit
[Stack] interface vlanif 400
[Stack-Vlanif400] pim sm
[Stack-Vlanif400] igmp enable
[Stack-Vlanif400] quit
[Stack] interface vlanif 530
[Stack-Vlanif530] pim sm
[Stack-Vlanif530] igmp enable //The interface is connected to the decoding server, so IGMP needs to be enabled on the interface.
[Stack-Vlanif530] quit

Step 5 Configure IGMP snooping to enable Layer 2 multicast.


# Enable IGMP snooping on ACC1.
[ACC1] igmp-snooping enable
[ACC1] vlan 33
[ACC1-vlan33] igmp-snooping enable
[ACC1-vlan33] multicast drop-unknown
[ACC1-vlan33] quit

# Enable IGMP snooping on ACC2.


[ACC2] igmp-snooping enable
[ACC2] vlan 34
[ACC2-vlan34] igmp-snooping enable
[ACC2-vlan34] multicast drop-unknown
[ACC2-vlan34] quit

# Enable IGMP snooping on Stack.


[Stack] igmp-snooping enable
[Stack] vlan 301
[Stack-vlan301] igmp-snooping enable
[Stack-vlan301] quit
[Stack] vlan 530
[Stack-vlan530] igmp-snooping enable
[Stack-vlan530] quit

Step 6 Configure traffic policies to control the access of multicast sources.


# Configure traffic policies on Stack.
[Stack] acl number 3000
[Stack-acl-adv-3000] description ***ACL FOR IPTV_Service_IN***
[Stack-acl-adv-3000] rule 1 permit ip source 66.1.1.0 0.0.0.255 destination 4.1.1.0 0.0.0.127
[Stack-acl-adv-3000] quit
[Stack] acl number 3998
[Stack-acl-adv-3998] description ***ACL FOR Multicast Remark***
[Stack-acl-adv-3998] rule 5 permit ip source 5.1.1.80 0.0.0.15
[Stack-acl-adv-3998] quit
[Stack] traffic classifier IPTV_Service_IN
[Stack-classifier-IPTV_Service_IN] if-match acl 3000
[Stack-classifier-IPTV_Service_IN] quit
[Stack] traffic classifier IPTV_Multicast_Remark
[Stack-classifier-IPTV_Multicast_Remark] if-match acl 3998
[Stack-classifier-IPTV_Multicast_Remark] quit
[Stack] traffic behavior IPTV_Service_IN
[Stack-behavior-IPTV_Service_IN] permit
[Stack-behavior-IPTV_Service_IN] quit
[Stack] traffic behavior IPTV_Multicast_Remark
[Stack-behavior-IPTV_Multicast_Remark] permit
[Stack-behavior-IPTV_Multicast_Remark] remark dscp af41
[Stack-behavior-IPTV_Multicast_Remark] quit
[Stack] traffic policy IPTV_Service_IN
[Stack-trafficpolicy-IPTV_Service_IN] classifier IPTV_Service_IN behavior IPTV_Service_IN
[Stack-trafficpolicy-IPTV_Service_IN] quit
[Stack] traffic policy IPTV_Multicast_Remark
[Stack-trafficpolicy-IPTV_Multicast_Remark] classifier IPTV_Multicast_Remark behavior IPTV_Multicast_Remark
[Stack-trafficpolicy-IPTV_Multicast_Remark] quit
[Stack] interface eth-trunk2
[Stack-Eth-Trunk2] traffic-policy IPTV_Service_IN inbound
[Stack-Eth-Trunk2] quit
[Stack] interface eth-trunk3
[Stack-Eth-Trunk3] traffic-policy IPTV_Service_IN inbound
[Stack-Eth-Trunk3] quit
[Stack] interface eth-trunk1
[Stack-Eth-Trunk1] traffic-policy IPTV_Multicast_Remark inbound
[Stack-Eth-Trunk1] quit
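As an added example that is not part of the Huawei document, the following Python evaluates the two ACLs and traffic behaviors configured on Stack in this step against constructed flows, using VRP-style wildcard masks. The rule values are taken from the page; the flow addresses, function names and the policy table are constructed for this example.

```python
"""Added example, not part of the Huawei document: evaluate the Step 6
ACLs and traffic behaviors configured on Stack against constructed flows.
VRP ACL rules use wildcard masks: a 1 bit means "don't care", so
0.0.0.127 covers 4.1.1.0-4.1.1.127 and 0.0.0.15 covers 5.1.1.80-5.1.1.95."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(base: Optional[str], wildcard: Optional[str], addr: str) -> bool:
    """True when addr equals base on every bit that the wildcard mask does not ignore."""
    if base is None:  # the rule places no constraint on this address (VRP "any")
        return True
    fixed_bits = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(base) & fixed_bits) == (_ip(addr) & fixed_bits)


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                 # "permit" or "deny"
    src: str
    src_wildcard: str
    dst: Optional[str] = None   # None: destination is not matched (any)
    dst_wildcard: Optional[str] = None

    def matches(self, src: str, dst: str) -> bool:
        return (wildcard_match(self.src, self.src_wildcard, src)
                and wildcard_match(self.dst, self.dst_wildcard, dst))


# ACL rules exactly as configured on Stack in Step 6.
ACL_3000 = [Rule(1, "permit", "66.1.1.0", "0.0.0.255", "4.1.1.0", "0.0.0.127")]
ACL_3998 = [Rule(5, "permit", "5.1.1.80", "0.0.0.15")]

# traffic policy name -> (ACL referenced by its classifier, actions of its behavior)
POLICIES = {
    "IPTV_Service_IN": (ACL_3000, ["permit"]),
    "IPTV_Multicast_Remark": (ACL_3998, ["permit", "remark dscp af41"]),
}


def evaluate(policy: str, src: str, dst: str) -> Optional[List[str]]:
    """Return the behavior actions a policy applies to a src->dst flow.

    Returns None when no rule of the referenced ACL matches: the policy then
    takes no action on the packet, which is not the same as dropping it. A
    policy whose only rules permit the planned sources therefore needs an
    explicit deny rule before it actually restricts any other source."""
    rules, actions = POLICIES[policy]
    for rule in rules:  # rules are evaluated in ascending rule-id order
        if rule.matches(src, dst):
            return list(actions) if rule.action == "permit" else ["deny"]
    return None


if __name__ == "__main__":
    # Constructed flows (not from the page).
    for policy, src, dst in [
        ("IPTV_Service_IN", "66.1.1.5", "4.1.1.10"),
        ("IPTV_Service_IN", "66.1.1.5", "4.1.1.200"),
        ("IPTV_Multicast_Remark", "5.1.1.95", "225.0.0.1"),
        ("IPTV_Multicast_Remark", "5.1.1.96", "225.0.0.1"),
    ]:
        print(policy, src, "->", dst, ":", evaluate(policy, src, dst))
```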

Step 7 Verify the configuration.


# After the configuration is complete, PIM neighbor information can be correctly
generated on Core, PE1, PE2, and AGG.
[Core] display pim neighbor
VPN-Instance: public net
Total Number of Neighbors = 2

Neighbor Interface Uptime Expires Dr-Priority BFD-Session
12.1.1.1 GE1/0/3 01:09:01 00:01:43 1 N
20.1.1.2 GE1/0/2 01:06:30 00:01:39 1 N
[PE1] display pim neighbor
VPN-Instance: public net
Total Number of Neighbors = 4

Neighbor Interface Uptime Expires Dr-Priority BFD-Session
12.1.1.2 GE1/0/2 01:10:48 00:01:27 1 N
60.1.1.2 GE1/0/3 01:08:06 00:01:40 1 N
10.1.1.2 Vlanif10 00:39:38 00:01:21 1 N
11.1.1.8 Vlanif11 01:05:16 00:01:30 1 N
[PE2] display pim neighbor
VPN-Instance: public net
Total Number of Neighbors = 4

Neighbor Interface Uptime Expires Dr-Priority BFD-Session
20.1.1.3 GE1/0/2 01:11:32 00:01:42 1 N
60.1.1.1 GE1/0/3 01:11:18 00:01:27 1 N
21.1.1.2 Vlanif21 00:41:06 00:01:39 1 N
22.1.1.8 Vlanif22 01:08:28 00:01:42 1 N
[AGG] display pim neighbor
VPN-Instance: public net
Total Number of Neighbors = 2

Neighbor Interface Uptime Expires Dr-Priority BFD-Session
11.1.1.1 Vlanif11 01:09:30 00:01:20 1 N
22.1.1.2 Vlanif22 01:08:34 00:01:18 1 N

# After users send IGMP Report messages, ACC1 and ACC2 can generate
information about multicast group member ports correctly.
[ACC1] display igmp-snooping port-info
--------------------------------------------------------------------------------
(Source, Group) Port Flag
Flag: S:Static D:Dynamic M: Ssm-mapping
--------------------------------------------------------------------------------
VLAN 33, 1 Entry(s)
(*, 225.1.1.1) GE0/0/2 -D-
GE0/0/3 -D-
2 port(s) include
--------------------------------------------------------------------------------
[ACC2] display igmp-snooping port-info
--------------------------------------------------------------------------------
(Source, Group) Port Flag
Flag: S:Static D:Dynamic M: Ssm-mapping

--------------------------------------------------------------------------------
VLAN 34, 1 Entry(s)
(*, 225.1.1.1) GE0/0/2 -D-
GE0/0/3 -D-
2 port(s) include
--------------------------------------------------------------------------------

# After the multicast source sends a multicast packet and the decoding server
sends a join message, Stack and PE1 can generate the multicast routing entry
correctly.
[Stack] display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 0 (S, G) entry

(*, 225.0.0.1)
RP: 1.1.1.1
Protocol: pim-sm, Flag: WC
UpTime: 02:41:03
Upstream interface: Vlanif10
Upstream neighbor: 10.1.1.1
RPF prime neighbor: 10.1.1.1
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif530
Protocol: igmp, UpTime: 02:41:03, Expires: -
[PE1] display pim routing-table
VPN-Instance: public net
Total 1 (*, G) entry; 0 (S, G) entry

(*, 225.0.0.1)
RP: 1.1.1.1 (local)
Protocol: pim-sm, Flag: WC
UpTime: 02:39:32
Upstream interface: Register
Upstream neighbor: NULL
RPF prime neighbor: NULL
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif10
Protocol: pim-sm, UpTime: 02:39:32, Expires: 00:02:58

----End
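The verification step above compares command output against the plan by eye. As an added example, not from the Huawei document, the Python below parses the display pim neighbor output shown for PE1 and checks it against the neighbors that Table 3-40 predicts on each interface; the expected-neighbor table, function names and the truncated-output check are assumptions of this example.

```python
"""Added example, not part of the Huawei document: parse the
'display pim neighbor' output from Step 7 and check it against the
neighbors that Table 3-40 predicts on each PE1 interface."""
import re
from typing import Dict, List

# Expected PIM neighbors of PE1, derived from the IP address plan (Table 3-40).
EXPECTED_PE1 = {
    "GE1/0/2": "12.1.1.2",   # Core
    "GE1/0/3": "60.1.1.2",   # PE2
    "Vlanif10": "10.1.1.2",  # Stack
    "Vlanif11": "11.1.1.8",  # AGG
}

# Output as shown on the page for PE1 (column header joined on one line).
SAMPLE_PE1 = """\
VPN-Instance: public net
Total Number of Neighbors = 4

Neighbor Interface Uptime Expires Dr-Priority BFD-Session
12.1.1.2 GE1/0/2 01:10:48 00:01:27 1 N
60.1.1.2 GE1/0/3 01:08:06 00:01:40 1 N
10.1.1.2 Vlanif10 00:39:38 00:01:21 1 N
11.1.1.8 Vlanif11 01:05:16 00:01:30 1 N
"""

_TOTAL = re.compile(r"Total Number of Neighbors\s*=\s*(\d+)")
_ROW = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<intf>\S+)\s+"
    r"(?P<uptime>\d+:\d+:\d+)\s+(?P<expires>\S+)\s+(?P<prio>\d+)\s+(?P<bfd>[YN])\s*$"
)


def parse_pim_neighbors(text: str) -> Dict[str, str]:
    """Map interface -> neighbor address. Output whose row count disagrees with
    the 'Total Number of Neighbors' line (a truncated capture) is rejected."""
    neighbors: Dict[str, str] = {}
    declared = None
    for line in text.splitlines():
        line = line.strip()
        m = _TOTAL.search(line)
        if m:
            declared = int(m.group(1))
            continue
        m = _ROW.match(line)
        if m:
            neighbors[m.group("intf")] = m.group("ip")
    if declared is not None and declared != len(neighbors):
        raise ValueError(f"declared {declared} neighbors, parsed {len(neighbors)}")
    return neighbors


def check_neighbors(actual: Dict[str, str], expected: Dict[str, str]) -> List[str]:
    """Return one message per deviation from the plan; an empty list means all good."""
    problems: List[str] = []
    for intf, ip in expected.items():
        if intf not in actual:
            problems.append(f"{intf}: no PIM neighbor (expected {ip})")
        elif actual[intf] != ip:
            problems.append(f"{intf}: neighbor {actual[intf]}, expected {ip}")
    for intf, ip in actual.items():
        if intf not in expected:
            problems.append(f"{intf}: unplanned PIM neighbor {ip}")
    return problems


if __name__ == "__main__":
    print(check_neighbors(parse_pim_neighbors(SAMPLE_PE1), EXPECTED_PE1))  # []
```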

Configuration Files
● Core configuration file
#
sysname Core
#
multicast routing-enable
#
interface GigabitEthernet1/0/1
undo portswitch
description Core***to***Sever
ip address 66.1.1.3 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/2
undo portswitch
description Core***to***PE2
ip address 20.1.1.3 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/3

undo portswitch
description Core***to***PE1
ip address 12.1.1.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface LoopBack0
ip address 1.1.1.3 255.255.255.255
ospf enable 1 area 0.0.0.0
#
ospf 1
area 0.0.0.0
#
pim
static-rp 1.1.1.2
#
return

● Configuration file of PE devices

PE1 Configuration File
#
sysname PE1
#
vlan batch 10 to 11
#
multicast routing-enable
#
interface Vlanif10
description to***Stack
ip address 10.1.1.1 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.1
#
interface Vlanif11
description to***AGG
ip address 11.1.1.1 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface Eth-Trunk2
description PE1***to***Stack
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
undo portswitch
description PE1***to***Core
ip address 12.1.1.1 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/3
undo portswitch
description PE1***to***PE2
ip address 60.1.1.1 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/4
description PE1***to***AGG
port link-type trunk
port trunk allow-pass vlan 11
#
interface GigabitEthernet1/0/6
eth-trunk2
#
interface GigabitEthernet1/0/7
eth-trunk2
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
pim sm
ospf enable 1 area 0.0.0.0
#
ospf 1
area 0.0.0.0
area 0.0.0.1
nssa
#
pim
c-bsr LoopBack0
c-rp LoopBack0
static-rp 1.1.1.2
#
return

PE2 Configuration File
#
sysname PE2
#
vlan batch 21 to 22
#
multicast routing-enable
#
interface Vlanif21
description to***Stack
ip address 21.1.1.1 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.1
#
interface Vlanif22
description to***AGG
ip address 22.1.1.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface Eth-Trunk3
description PE2***to***Stack
port link-type access
port default vlan 21
#
interface GigabitEthernet1/0/2
undo portswitch
description PE2***to***Core
ip address 20.1.1.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/3
undo portswitch
description PE2***to***PE1
ip address 60.1.1.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet1/0/4
description PE2***to***AGG
port link-type trunk
port trunk allow-pass vlan 22
#
interface GigabitEthernet1/0/6
eth-trunk3
#
interface GigabitEthernet1/0/7
eth-trunk3
#
interface LoopBack0
ip address 1.1.1.2 255.255.255.255
ospf enable 1 area 0.0.0.0
#
ospf 1
area 0.0.0.0
area 0.0.0.1
nssa
#
pim
static-rp 1.1.1.2
#
return

● Stack configuration file


#
sysname Stack
#
vlan batch 10 21 88 301 400 530
#
multicast routing-enable
#
igmp-snooping enable
#
acl number 3000
description ***ACL FOR IPTV_Service_IN***
rule 1 permit ip source 66.1.1.0 0.0.0.255 destination 4.1.1.0 0.0.0.127
acl number 3998
description ***ACL FOR Multicast Remark***
rule 5 permit ip source 5.1.1.80 0.0.0.15
#
traffic classifier IPTV_Multicast_Remark operator or
if-match acl 3998
traffic classifier IPTV_Service_IN operator or
if-match acl 3000
#
traffic behavior IPTV_Multicast_Remark
permit
remark dscp af41
traffic behavior IPTV_Service_IN
permit
#
traffic policy IPTV_Multicast_Remark match-order config
classifier IPTV_Multicast_Remark behavior IPTV_Multicast_Remark
traffic policy IPTV_Service_IN match-order config
classifier IPTV_Service_IN behavior IPTV_Service_IN
#
vlan 10
description to***PE1
vlan 21
description to***PE2
vlan 301
description to***LSW2
igmp-snooping enable
vlan 400
description ***MRF IN***
multicast drop-unknown
igmp-snooping enable
vlan 530
description ***MRF OUT***
multicast drop-unknown
igmp-snooping enable
#
interface Vlanif10
description to***PE1
ip address 10.1.1.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.1
#
interface Vlanif21
description to***PE2
ip address 21.1.1.2 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.1
#
interface Vlanif88
description to***HMS
ip address 88.1.1.7 255.255.255.0
vrrp vrid 2 virtual-ip 88.1.1.100
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
vrrp vrid 2 track interface GigabitEthernet0/0/1 reduced 100
#
interface Vlanif301
description LSW1***to***LSW2
ip address 31.1.1.1 255.255.255.0
pim sm
ospf network-type p2p
ospf timer hello 1
#
interface Vlanif400
description to***MRF IN
ip address 4.1.1.2 255.255.255.0
vrrp vrid 40 virtual-ip 4.1.1.10
vrrp vrid 40 priority 120
pim sm
igmp enable
#
interface Vlanif530
description to***MRF OUT
ip address 5.1.1.2 255.255.255.0
vrrp vrid 53 virtual-ip 5.1.1.10
vrrp vrid 53 priority 120
pim sm
igmp enable
#
interface Eth-Trunk1
description Stack***to***CDN
port link-type trunk
port trunk allow-pass vlan 88 301 400 530
traffic-policy IPTV_Multicast_Remark inbound
#
interface Eth-Trunk2
description Stack***to***PE1
port link-type access
port default vlan 10
traffic-policy IPTV_Service_IN inbound
#
interface Eth-Trunk3
description Stack***to***PE2
port link-type access
port default vlan 21
traffic-policy IPTV_Service_IN inbound
#
interface GigabitEthernet0/0/1
eth-trunk1
#
interface GigabitEthernet0/0/6
eth-trunk2
#
interface GigabitEthernet0/0/8
eth-trunk3
#
interface GigabitEthernet1/0/1
eth-trunk1
#
interface GigabitEthernet1/0/6
eth-trunk2
#
interface GigabitEthernet1/0/8
eth-trunk3
#
ospf 1 router-id 192.168.1.1
default-route-advertise
silent-interface Vlanif88
silent-interface Vlanif530
silent-interface Vlanif400
area 0.0.0.1
network 10.1.1.0 0.0.0.255
network 31.1.1.0 0.0.0.255
network 88.1.1.0 0.0.0.255
network 5.1.1.0 0.0.0.255
nssa
#
pim
static-rp 1.1.1.1
#
return

● CDN configuration file


#
sysname CDN
#
vlan batch 88 301 400 530
#
interface Eth-Trunk1
description CDN***to***Stack
port link-type trunk
port trunk allow-pass vlan 88 301 400 530
#
interface GigabitEthernet0/0/1
eth-trunk1
#
interface GigabitEthernet0/0/2
eth-trunk1
#
interface GigabitEthernet0/0/3
description CDN***to***HMS-Server
port link-type access
port default vlan 88
stp disable
#
interface GigabitEthernet0/0/4
description CDN***to***MRF-IN
port link-type access
port default vlan 400
stp disable
#
interface GigabitEthernet0/0/5
description CDN***to***MRF-OUT
port link-type access
port default vlan 530
stp disable
#
return

● AGG configuration file


#
sysname AGG
#
vlan batch 11 22 33 to 34
#
multicast routing-enable
#
interface Vlanif11
description to***PE1
ip address 11.1.1.8 255.255.255.0
pim sm
ospf enable 1 area 0.0.0.0
#
interface Vlanif22
description to***PE2
ip address 22.1.1.8 255.255.255.0
pim sm
ospf cost 10000
ospf enable 1 area 0.0.0.0
#
interface Vlanif33
description to***ACC1
ip address 33.1.1.8 255.255.255.0
pim sm
igmp enable
ospf enable 1 area 0.0.0.0
#
interface Vlanif34
description to***ACC2
ip address 34.1.1.8 255.255.255.0
pim sm
igmp enable
ospf enable 1 area 0.0.0.0
#
interface GigabitEthernet0/0/1
description AGG***to***ACC1
port link-type trunk
port trunk allow-pass vlan 33
#
interface GigabitEthernet0/0/2
description AGG***to***ACC2
port link-type trunk
port trunk allow-pass vlan 34
#
interface GigabitEthernet0/0/4
description AGG***to***PE1
port link-type trunk
port trunk allow-pass vlan 11
#
interface GigabitEthernet0/0/5
description AGG***to***PE2
port link-type trunk
port trunk allow-pass vlan 22
#
interface LoopBack0
ip address 1.1.1.4 255.255.255.255
ospf enable 1 area 0.0.0.0
#
ospf 1
area 0.0.0.0
#
pim
static-rp 1.1.1.2
#
return

● ACC configuration files

ACC1 Configuration File
#
sysname ACC1
#
vlan batch 33
#
igmp-snooping enable
#
vlan 33
multicast drop-unknown
igmp-snooping enable
#
interface GigabitEthernet0/0/1
description ACC1***to***AGG
port link-type trunk
port trunk allow-pass vlan 33
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 33
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 33
#
return

ACC2 Configuration File
#
sysname ACC2
#
vlan batch 34
#
igmp-snooping enable
#
vlan 34
multicast drop-unknown
igmp-snooping enable
#
interface GigabitEthernet0/0/1
description ACC2***to***AGG
port link-type trunk
port trunk allow-pass vlan 34
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 34
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 34
#
return

3.9 Typical Routing Configuration

3.9.1 Typical Static Route Configuration

3.9.1.1 Example for Configuring Static Routes for Interworking Between Different Network Segments

Static Route Overview


Static routes use less bandwidth than dynamic routes and do not use CPU
resources for route calculation and update analysis. They are manually configured
by administrators. If a network fault occurs or the topology changes, static routes
must be manually reconfigured as they cannot be automatically updated. Static
routes have five parameters: destination IP address, mask, outbound interface,
next hop, and priority.

Static routes are generally suitable for simple networks. However, they can be
used on complex networks to improve network performance and ensure
bandwidth for important applications.

Configuration Notes
● Communication between two devices is bidirectional, so reachable routes
must be available in both directions. To enable two devices to communicate
through static routes, configure a static route on the local device and then
configure a return route on the peer device.
● If an enterprise network has two egresses, two equal-cost static routes can be
configured for load balancing. Alternatively, two non-equal-cost static routes
can be configured for active/standby backup: when the active link is faulty,
traffic is switched from the active link to the standby link.
● This example applies to all versions of all S series switches.

Networking Requirements
As shown in Figure 3-122, hosts on different network segments are connected
using several switches. Every two hosts on different network segments can
communicate with each other without using dynamic routing protocols.

Figure 3-122 Networking diagram of configuring static routes for interworking between different network segments

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, add interfaces to the VLANs, and assign IPv4 addresses to
VLANIF interfaces so that neighboring devices can communicate with each
other.
2. Configure the IPv4 default gateway on each host, and configure IPv4 static
routes or default static routes on each Switch so that hosts on different
network segments can communicate with each other.

Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 30
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 30
[SwitchA-GigabitEthernet1/0/2] quit

Step 2 Assign IPv4 addresses to the VLANIF interfaces.


# Configure SwitchA. The configurations of SwitchB and SwitchC are similar.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.4.1 30
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 30
[SwitchA-Vlanif30] ip address 10.1.1.1 24
[SwitchA-Vlanif30] quit

Step 3 Configure hosts.


Set the default gateway addresses of PC1, PC2, and PC3 to 10.1.1.1, 10.1.2.1, and
10.1.3.1 respectively.
Step 4 Configure static routes.
# Configure a default IPv4 route on SwitchA.
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.1.4.2

# Configure two IPv4 static routes on SwitchB.


[SwitchB] ip route-static 10.1.1.0 255.255.255.0 10.1.4.1
[SwitchB] ip route-static 10.1.3.0 255.255.255.0 10.1.4.6

# Configure a default IPv4 route on SwitchC.


[SwitchC] ip route-static 0.0.0.0 0.0.0.0 10.1.4.5

Step 5 Verify the configuration.


# Check the IP routing table on SwitchA.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 Static 60 0 RD 10.1.4.2 Vlanif10
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif30
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
10.1.4.0/30 Direct 0 0 D 10.1.4.1 Vlanif10
10.1.4.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# Run the ping command to verify the connectivity.


[SwitchA] ping 10.1.3.1
PING 10.1.3.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.3.1: bytes=56 Sequence=1 ttl=253 time=62 ms
Reply from 10.1.3.1: bytes=56 Sequence=2 ttl=253 time=63 ms
Reply from 10.1.3.1: bytes=56 Sequence=3 ttl=253 time=63 ms
Reply from 10.1.3.1: bytes=56 Sequence=4 ttl=253 time=62 ms
Reply from 10.1.3.1: bytes=56 Sequence=5 ttl=253 time=62 ms

--- 10.1.3.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 62/62/63 ms

# Run the tracert command to verify the connectivity.


[SwitchA] tracert 10.1.3.1
traceroute to 10.1.3.1(10.1.3.1), max hops: 30 ,packet length: 40,press CTRL_C to break
1 10.1.4.2 31 ms 32 ms 31 ms
2 10.1.3.1 62 ms 63 ms 62 ms

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.1.4.1 255.255.255.252
#
interface Vlanif30
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 10.1.4.2
#
return

● SwitchB configuration file


#
sysname SwitchB
#
vlan batch 10 20 40
#
interface Vlanif10
ip address 10.1.4.2 255.255.255.252
#
interface Vlanif20
ip address 10.1.4.5 255.255.255.252
#
interface Vlanif40
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 40
#
ip route-static 10.1.1.0 255.255.255.0 10.1.4.1
ip route-static 10.1.3.0 255.255.255.0 10.1.4.6
#
return

● SwitchC configuration file


#
sysname SwitchC
#
vlan batch 20 50
#
interface Vlanif20
ip address 10.1.4.6 255.255.255.252
#
interface Vlanif50
ip address 10.1.3.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 50
#
ip route-static 0.0.0.0 0.0.0.0 10.1.4.5
#
return

Relevant Information
Video

How to Configure a Static Route

How to Configure a Default Route

How to Configure a Floating Static Route

3.9.1.2 Example for Configuring Static Routes for Load Balancing

Static Route Overview


Static routes use less bandwidth than dynamic routes and do not use CPU
resources for route calculation and update analysis. They are manually configured
by administrators. If a network fault occurs or the topology changes, static routes
must be manually reconfigured as they cannot be automatically updated. Static
routes have five parameters: destination IP address, mask, outbound interface,
next hop, and priority.

Static routes are generally suitable for simple networks. However, they can be
used on complex networks to improve network performance and ensure
bandwidth for important applications.

Configuration Notes
● Communication between two devices is bidirectional, so reachable routes
must be available in both directions. To enable two devices to communicate
through static routes, configure a static route on the local device and then
configure a return route on the peer device.
● If an enterprise network has two egresses, two equal-cost static routes can be
configured for load balancing. Alternatively, two non-equal-cost static routes
can be configured for active/standby backup: when the active link is faulty,
traffic is switched from the active link to the standby link.
● This example applies to the following products:
– S3700-SI, S3700-EI, S3700-HI
– S5700-SI, S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-SI, S5720S-SI,
S5720I-SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H,
S5731-S, S5731S-S, S5731S-H, S5732-H, S5735-S, S5735S-S, S5735-S-I,
S5735S-H, S5736-S
– S6700-EI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI, S6720-HI, S6730-H,
S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
On the network shown in Figure 3-123, PC1 and PC2 are connected through four
switches. Data traffic can be transmitted from PC1 to PC2 through two links:
PC1->SwitchA->SwitchB->SwitchC->PC2 and PC1->SwitchA->SwitchD->SwitchC->PC2.
To improve link efficiency, users want to implement load balancing between the
two links. That is, traffic from PC1 to PC2 is evenly balanced between the two
links. When faults occur on one of the two links, traffic is automatically switched
to the other link.

NOTE

In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled
and VLANIF interfaces of switches are used to construct a Layer 3 ring network, an
interface on the network will be blocked. As a result, Layer 3 services on the network
cannot run normally.

Figure 3-123 Configuring static routes for load balancing

Configuration Roadmap
The configuration roadmap is as follows:

1. Create VLANs, add interfaces to the VLANs, and assign IP addresses to VLANIF
interfaces.
2. Configure static routes in two directions of data traffic.
3. Configure IP addresses and default gateways for hosts.

Procedure
Step 1 Specify the VLANs to which interfaces belong.

# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 100 400
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 400
[SwitchA-GigabitEthernet1/0/3] quit

Step 2 Configure an IP address for each VLANIF interface.

# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are similar.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 192.168.12.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 400
[SwitchA-Vlanif400] ip address 192.168.14.1 24
[SwitchA-Vlanif400] quit

Step 3 Configure static routes from PC1 to PC2.


# On SwitchA, configure two equal-cost static routes. The next hop of one route
points to SwitchB, and that of the other route points to SwitchD. This
configuration can implement load balancing for traffic from PC1 to PC2.
[SwitchA] ip route-static 10.1.2.0 24 192.168.12.2
[SwitchA] ip route-static 10.1.2.0 24 192.168.14.2

# Configure SwitchB.
[SwitchB] ip route-static 10.1.2.0 24 192.168.23.2

# Configure SwitchD.
[SwitchD] ip route-static 10.1.2.0 24 192.168.34.1

Step 4 Configure static routes from PC2 to PC1.


# On SwitchC, configure two equal-cost static routes. The next hop of one route
points to SwitchB, and that of the other route points to SwitchD. This
configuration can implement load balancing for traffic from PC2 to PC1.
[SwitchC] ip route-static 10.1.1.0 24 192.168.23.1
[SwitchC] ip route-static 10.1.1.0 24 192.168.34.2

# Configure SwitchB.
[SwitchB] ip route-static 10.1.1.0 24 192.168.12.1

# Configure SwitchD.
[SwitchD] ip route-static 10.1.1.0 24 192.168.14.1

Step 5 Configure hosts.


Assign IP address 10.1.1.2/24 and default gateway IP address 10.1.1.1 to PC1;
assign IP address 10.1.2.2/24 and default gateway IP address 10.1.2.1 to PC2.
Step 6 Verify the configuration.
# Check the IP routing table on SwitchA.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 10

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.2.0/24 Static 60 0 RD 192.168.12.2 Vlanif100
Static 60 0 RD 192.168.14.2 Vlanif400
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.12.0/24 Direct 0 0 D 192.168.12.1 Vlanif100
192.168.12.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
192.168.14.0/24 Direct 0 0 D 192.168.14.1 Vlanif400
192.168.14.1/32 Direct 0 0 D 127.0.0.1 Vlanif400

The IP routing table on SwitchA contains two equal-cost routes to network
segment 10.1.2.0/24. In this situation, data traffic is evenly balanced between two
different links, achieving load balancing.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 100 400
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif100
ip address 192.168.12.1 255.255.255.0
#
interface Vlanif400
ip address 192.168.14.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 400
#
ip route-static 10.1.2.0 255.255.255.0 192.168.12.2
ip route-static 10.1.2.0 255.255.255.0 192.168.14.2
#
return

● SwitchB configuration file


#
sysname SwitchB
#
vlan batch 100 200
#
interface Vlanif100
ip address 192.168.12.2 255.255.255.0
#
interface Vlanif200
ip address 192.168.23.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 10.1.1.0 255.255.255.0 192.168.12.1
ip route-static 10.1.2.0 255.255.255.0 192.168.23.2
#
return

● SwitchC configuration file


#
sysname SwitchC
#
vlan batch 20 200 300
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif200
ip address 192.168.23.2 255.255.255.0
#
interface Vlanif300
ip address 192.168.34.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
ip route-static 10.1.1.0 255.255.255.0 192.168.23.1
ip route-static 10.1.1.0 255.255.255.0 192.168.34.2
#
return

● SwitchD configuration file


#
sysname SwitchD
#
vlan batch 300 400
#
interface Vlanif300
ip address 192.168.34.2 255.255.255.0
#
interface Vlanif400
ip address 192.168.14.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 400
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 300
#
ip route-static 10.1.1.0 255.255.255.0 192.168.14.1
ip route-static 10.1.2.0 255.255.255.0 192.168.34.1
#
return
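The three static-route examples in this section (3.9.1.1 with default and return routes, 3.9.1.2 with equal-cost routes, and 3.9.1.3 with a backup route of preference 70) all rest on the same forwarding behaviour, which the following Python script models so that a planned set of static routes can be checked before it is typed into a device. It is an added example, not Huawei code or device output: it parses `ip route-static` lines exactly as they appear in the configuration files above, applies longest-prefix match, then route preference (lower wins, 60 by default), then a per-flow hash over equal-cost next hops, and traces a packet hop by hop. The class and function names (`parse_route`, `Switch`, `Network`, `interworking_net`, `two_path_net`) and the hash used for load balancing are this example's own; the interface addresses and routes are those of the examples.

```python
"""Forwarding model for the static-route examples (added example, not Huawei code or
device output). Routes are the `ip route-static` lines of the configuration files; a
lookup is longest-prefix match, then preference (lower wins, default 60), then a
per-flow hash across equal-cost next hops."""
import hashlib
import ipaddress


def parse_route(cli):
    """'ip route-static <dst> <mask|len> <next-hop> [preference N]' -> (net, nh, pref)."""
    tok = cli.split()
    if tok[:2] != ["ip", "route-static"]:
        raise ValueError(f"not a static route: {cli}")
    network = ipaddress.ip_network(f"{tok[2]}/{tok[3]}")  # dotted mask or prefix length
    pref = int(tok[tok.index("preference") + 1]) if "preference" in tok else 60
    return network, ipaddress.ip_address(tok[4]), pref


class Switch:
    def __init__(self, name, interfaces, routes):
        self.name, self.down = name, set()  # a link fault puts an interface name in `down`
        self.interfaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.routes = [parse_route(line) for line in routes]

    def egress(self, ip):
        """Up interface whose subnet contains ip, else None (ip is unreachable from here)."""
        return next((n for n, a in self.interfaces.items() if n not in self.down and ip in a.network), None)

    def lookup(self, dst):
        """Usable next hops for dst; more than one only for equal-cost routes."""
        usable = [r for r in self.routes if dst in r[0] and self.egress(r[1])]
        if not usable:
            return []
        longest = max(r[0].prefixlen for r in usable)
        best = min(r[2] for r in usable if r[0].prefixlen == longest)
        return sorted(r[1] for r in usable if r[0].prefixlen == longest and r[2] == best)


class Network:
    def __init__(self, switches):
        self.switches = {s.name: s for s in switches}
        self.owner = {a.ip: s.name for s in switches for a in s.interfaces.values()}

    def gateway(self, host_ip):
        """Switch that has host_ip on a directly connected interface."""
        host_ip = ipaddress.ip_address(host_ip)
        name = next((s.name for s in self.switches.values() if s.egress(host_ip)), None)
        if name is None:
            raise LookupError(f"no switch is attached to {host_ip}")
        return name

    def path(self, start, dst, flow_id=0, max_hops=30):
        """Switches traversed from `start` to `dst`; LookupError names the switch with no usable route."""
        dst = ipaddress.ip_address(dst)
        sw, visited = self.switches[start], [start]
        while len(visited) <= max_hops:
            if self.owner.get(dst) == sw.name or sw.egress(dst):
                return visited  # delivered: the switch's own address or a directly attached segment
            nexthops = sw.lookup(dst)
            if not nexthops:
                raise LookupError(f"{sw.name}: no route to {dst}")
            digest = hashlib.sha256(str(flow_id).encode()).digest()  # per-flow hash: load balancing
            sw = self.switches[self.owner[nexthops[int.from_bytes(digest[:4], "big") % len(nexthops)]]]
            visited.append(sw.name)
        raise RuntimeError(f"hop limit exceeded towards {dst}: routing loop")

    def bidirectional(self, host_a, host_b):
        """The Configuration Notes' requirement: a forward route and a return route."""
        try:
            self.path(self.gateway(host_a), host_b)
            self.path(self.gateway(host_b), host_a)
            return True
        except LookupError:
            return False


def interworking_net(with_return_route=True):
    """3.9.1.1 topology; with_return_route=False omits SwitchB's route back to PC1's segment."""
    b_routes = ["ip route-static 10.1.3.0 255.255.255.0 10.1.4.6"]
    if with_return_route:
        b_routes.append("ip route-static 10.1.1.0 255.255.255.0 10.1.4.1")
    return Network([
        Switch("SwitchA", {"Vlanif10": "10.1.4.1/30", "Vlanif30": "10.1.1.1/24"},
               ["ip route-static 0.0.0.0 0.0.0.0 10.1.4.2"]),
        Switch("SwitchB", {"Vlanif10": "10.1.4.2/30", "Vlanif20": "10.1.4.5/30", "Vlanif40": "10.1.2.1/24"}, b_routes),
        Switch("SwitchC", {"Vlanif20": "10.1.4.6/30", "Vlanif50": "10.1.3.1/24"},
               ["ip route-static 0.0.0.0 0.0.0.0 10.1.4.5"])])


def two_path_net(standby_pref=None):
    """3.9.1.2 topology (equal-cost routes via SwitchB and SwitchD); standby_pref=70 gives 3.9.1.3."""
    tail = f" preference {standby_pref}" if standby_pref else ""
    return Network([
        Switch("SwitchA", {"Vlanif10": "10.1.1.1/24", "Vlanif100": "192.168.12.1/24", "Vlanif400": "192.168.14.1/24"},
               ["ip route-static 10.1.2.0 24 192.168.12.2", "ip route-static 10.1.2.0 24 192.168.14.2" + tail]),
        Switch("SwitchB", {"Vlanif100": "192.168.12.2/24", "Vlanif200": "192.168.23.1/24"},
               ["ip route-static 10.1.1.0 24 192.168.12.1", "ip route-static 10.1.2.0 24 192.168.23.2"]),
        Switch("SwitchC", {"Vlanif20": "10.1.2.1/24", "Vlanif200": "192.168.23.2/24", "Vlanif300": "192.168.34.1/24"},
               ["ip route-static 10.1.1.0 24 192.168.23.1", "ip route-static 10.1.1.0 24 192.168.34.2" + tail]),
        Switch("SwitchD", {"Vlanif300": "192.168.34.2/24", "Vlanif400": "192.168.14.2/24"},
               ["ip route-static 10.1.1.0 24 192.168.14.1", "ip route-static 10.1.2.0 24 192.168.34.1"])])
```

Two results of the model are worth noting. With SwitchB's route back to 10.1.1.0/24 omitted, `path("SwitchA", "10.1.3.1")` still reaches SwitchC while `bidirectional("10.1.1.2", "10.1.3.2")` returns False; that is the missing return route the Configuration Notes warn about, and it is invisible to a one-way check. In the backup topology, marking both ends of the SwitchA-SwitchB link down (`net.switches["SwitchA"].down.add("Vlanif100")` and the same on SwitchB) moves traffic from PC1 to PC2 onto SwitchD, but SwitchC keeps its preference 60 route towards SwitchB because its own Vlanif200 is still up, so return traffic is dropped at SwitchB for lack of a usable route. A static route is only withdrawn on the device whose outbound interface fails, which is why the active and standby links in both directions have to be planned together.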

3.9.1.3 Example for Configuring Static Routes for Link Backup

Static Route Overview


Static routes use less bandwidth than dynamic routes and do not use CPU
resources for route calculation and update analysis. They are manually configured
by administrators. If a network fault occurs or the topology changes, static routes
must be manually reconfigured as they cannot be automatically updated. Static
routes have five parameters: destination IP address, mask, outbound interface,
next hop, and priority.
Static routes are generally suitable for simple networks. However, they can be
used on complex networks to improve network performance and ensure
bandwidth for important applications.

Configuration Notes
● Communication between two devices is bidirectional, so reachable routes
must be available in both directions. To enable two devices to communicate
through static routes, configure a static route on the local device and then
configure a return route on the peer device.
● If an enterprise network has two egresses, two equal-cost static routes can be
configured for load balancing. Alternatively, two non-equal-cost static routes
can be configured for active/standby backup: when the active link is faulty,
traffic is switched from the active link to the standby link.
● This example applies to all versions of all S series switches.

Networking Requirements
On the network shown in Figure 3-124, PC1 and PC2 are connected through four
switches. Data traffic of PC1 can reach PC2 through two links:
PC1->SwitchA->SwitchB->SwitchC->PC2 and PC1->SwitchA->SwitchD->SwitchC->PC2. To improve
reliability, users want to implement backup between the two links. That is, traffic
from PC1 to PC2 is first transmitted through the link that passes through SwitchB.
When faults occur on this link, traffic is automatically switched to the link that
passes through SwitchD.

NOTE

In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled
and VLANIF interfaces of switches are used to construct a Layer 3 ring network, an
interface on the network will be blocked. As a result, Layer 3 services on the network
cannot run normally.

Figure 3-124 Configuring static routes for link backup

Configuration Roadmap
The configuration roadmap is as follows:

1. Create VLANs, add interfaces to the VLANs, and assign IP addresses to VLANIF
interfaces.
2. Configure static routes in two directions of data traffic.
3. Configure IP addresses and default gateways for hosts.

Procedure
Step 1 Specify the VLANs to which interfaces belong.

# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 100 400
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 400
[SwitchA-GigabitEthernet1/0/3] quit

Step 2 Configure an IP address for each VLANIF interface.

# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are similar.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 192.168.12.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 400
[SwitchA-Vlanif400] ip address 192.168.14.1 24
[SwitchA-Vlanif400] quit

Step 3 Configure static routes from PC1 to PC2.


# On SwitchA, configure two static routes with different priorities. The next hop of
one route points to SwitchB, and that of the other route points to SwitchD.
Subsequently, data traffic is first forwarded to SwitchB. When faults occur on the
link that passes through SwitchB, the traffic is automatically switched to SwitchD.
[SwitchA] ip route-static 10.1.2.0 24 192.168.12.2
[SwitchA] ip route-static 10.1.2.0 24 192.168.14.2 preference 70

# Configure SwitchB.
[SwitchB] ip route-static 10.1.2.0 24 192.168.23.2

# Configure SwitchD.
[SwitchD] ip route-static 10.1.2.0 24 192.168.34.1

Step 4 Configure static routes from PC2 to PC1 and ensure that the active and standby
links in two directions are the same.
# On SwitchC, configure two static routes with different priorities. The next hop of
one route points to SwitchB, and that of the other route points to SwitchD.
Subsequently, data traffic is first forwarded to SwitchB. When faults occur on the
link that passes through SwitchB, traffic is automatically switched to SwitchD.
[SwitchC] ip route-static 10.1.1.0 24 192.168.23.1
[SwitchC] ip route-static 10.1.1.0 24 192.168.34.2 preference 70

# Configure SwitchB.
[SwitchB] ip route-static 10.1.1.0 24 192.168.12.1

# Configure SwitchD.
[SwitchD] ip route-static 10.1.1.0 24 192.168.14.1

Step 5 Configure hosts.


Assign IP address 10.1.1.2/24 and default gateway IP address 10.1.1.1 to PC1;
assign IP address 10.1.2.2/24 and default gateway IP address 10.1.2.1 to PC2.
Step 6 Verify the configuration.
# Check the IP routing table on SwitchA.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 9

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.2.0/24 Static 60 0 RD 192.168.12.2 Vlanif100
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.12.0/24 Direct 0 0 D 192.168.12.1 Vlanif100
192.168.12.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
192.168.14.0/24 Direct 0 0 D 192.168.14.1 Vlanif400
192.168.14.1/32 Direct 0 0 D 127.0.0.1 Vlanif400

# Check detailed information about the IP routing table on SwitchA.


[SwitchA] display ip routing-table 10.1.2.0 24 verbose
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 2

Destination: 10.1.2.0/24
Protocol: Static Process ID: 0
Preference: 60 Cost: 0
NextHop: 192.168.12.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h13m13s
Tag: 0 Priority: medium
Label: NULL QoSInfo: 0x0
IndirectID: 0x80000001
RelayNextHop: 0.0.0.0 Interface: Vlanif100
TunnelID: 0x0 Flags: RD

Destination: 10.1.2.0/24
Protocol: Static Process ID: 0
Preference: 70 Cost: 0
NextHop: 192.168.14.2 Neighbour: 0.0.0.0
State: Inactive Adv Relied Age: 00h00m45s
Tag: 0 Priority: medium
Label: NULL QoSInfo: 0x0
IndirectID: 0x80000002
RelayNextHop: 0.0.0.0 Interface: Vlanif400
TunnelID: 0x0 Flags: R

The IP routing table on SwitchA contains only one active route to network
segment 10.1.2.0/24. Normally, data traffic from PC1 to PC2 is transmitted
through the link that passes through SwitchB. Detailed information about the IP
routing table on SwitchA shows two routes to network segment 10.1.2.0/24: one
Active route that passes through SwitchB and the other Inactive route that passes
through SwitchD. When faults occur on the active link, the Inactive route will
become active to take over the traffic. This implements link backup.
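The Active/Inactive selection described above, as an added example that is not part of the Huawei document: Python that parses the verbose routing-table listing (a constructed copy of the SwitchA output above), verifies that the single Active route is the lowest-preference one, and models which route takes over when a next hop fails.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample: the "display ip routing-table 10.1.2.0 24 verbose"
# listing from SwitchA shown on this page (preferences 60 and 70).
VERBOSE_OUTPUT = """\
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Table : Public
Summary Count : 2

Destination: 10.1.2.0/24
Protocol: Static Process ID: 0
Preference: 60 Cost: 0
NextHop: 192.168.12.2 Neighbour: 0.0.0.0
State: Active Adv Relied Age: 00h13m13s
Tag: 0 Priority: medium
Label: NULL QoSInfo: 0x0
IndirectID: 0x80000001
RelayNextHop: 0.0.0.0 Interface: Vlanif100
TunnelID: 0x0 Flags: RD

Destination: 10.1.2.0/24
Protocol: Static Process ID: 0
Preference: 70 Cost: 0
NextHop: 192.168.14.2 Neighbour: 0.0.0.0
State: Inactive Adv Relied Age: 00h00m45s
Tag: 0 Priority: medium
Label: NULL QoSInfo: 0x0
IndirectID: 0x80000002
RelayNextHop: 0.0.0.0 Interface: Vlanif400
TunnelID: 0x0 Flags: R
"""


@dataclass
class Route:
    destination: str
    protocol: str
    preference: int   # lower value wins (static routes default to 60)
    nexthop: str
    interface: str
    state: str        # "Active" or "Inactive"


_FIELDS = {
    "destination": re.compile(r"^Destination:\s*(\S+)", re.M),
    "protocol": re.compile(r"^Protocol:\s*(\S+)", re.M),
    "preference": re.compile(r"^Preference:\s*(\d+)", re.M),
    "nexthop": re.compile(r"^NextHop:\s*(\S+)", re.M),
    "interface": re.compile(r"Interface:\s*(\S+)", re.M),
    "state": re.compile(r"^State:\s*(\S+)", re.M),
}


def parse_verbose_routes(text: str) -> List[Route]:
    """Split the verbose listing into one paragraph per route and extract the fields."""
    routes: List[Route] = []
    for block in re.split(r"\n\s*\n", text):
        if "Destination:" not in block:
            continue  # the header paragraph above the first route
        fields = {}
        for name, rx in _FIELDS.items():
            m = rx.search(block)
            if m is None:
                raise ValueError(f"field {name!r} missing in route block")
            fields[name] = m.group(1)
        fields["preference"] = int(fields["preference"])
        routes.append(Route(**fields))
    return routes


def check_floating_backup(routes: List[Route]) -> Route:
    """Verify the invariant the page describes: exactly one route to the prefix is
    Active, and it is the one with the lowest preference value. Returns that route."""
    active = [r for r in routes if r.state == "Active"]
    if len(active) != 1:
        raise ValueError(f"expected exactly one Active route, found {len(active)}")
    best = min(routes, key=lambda r: r.preference)
    if active[0] is not best:
        raise ValueError("the Active route is not the lowest-preference route")
    return active[0]


def select_after_failure(routes: List[Route], failed_nexthops: Set[str]) -> Optional[Route]:
    """Model the switchover: routes whose next hop became unreachable are withdrawn
    and the remaining route with the lowest preference value takes over."""
    survivors = [r for r in routes if r.nexthop not in failed_nexthops]
    if not survivors:
        return None
    return min(survivors, key=lambda r: r.preference)
```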

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 100 400
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif100
ip address 192.168.12.1 255.255.255.0
#
interface Vlanif400
ip address 192.168.14.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 400
#
ip route-static 10.1.2.0 255.255.255.0 192.168.12.2
ip route-static 10.1.2.0 255.255.255.0 192.168.14.2 preference 70
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 100 200
#
interface Vlanif100
ip address 192.168.12.2 255.255.255.0
#
interface Vlanif200
ip address 192.168.23.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 10.1.1.0 255.255.255.0 192.168.12.1
ip route-static 10.1.2.0 255.255.255.0 192.168.23.2
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 20 200 300
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif200
ip address 192.168.23.2 255.255.255.0
#
interface Vlanif300
ip address 192.168.34.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
ip route-static 10.1.1.0 255.255.255.0 192.168.23.1
ip route-static 10.1.1.0 255.255.255.0 192.168.34.2 preference 70
#
return

● SwitchD configuration file
#
sysname SwitchD
#
vlan batch 300 400
#
interface Vlanif300
ip address 192.168.34.2 255.255.255.0
#
interface Vlanif400
ip address 192.168.14.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 400
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 300
#
ip route-static 10.1.1.0 255.255.255.0 192.168.14.1
ip route-static 10.1.2.0 255.255.255.0 192.168.34.1
#
return

Relevant Information
Video

How to Configure a Static Route

How to Configure a Default Route

How to Configure a Floating Static Route

3.9.1.4 Example for Configuring NQA for IPv4 Static Routes

Overview of NQA for IPv4 Static Routes


The network quality analysis (NQA) technology measures network performance
and collects statistics on the delay, jitter, and packet loss ratio. NQA can measure
real-time network QoS, and perform effective network fault diagnosis and
location.

On a simple network or on a network where the route to the destination cannot
be established using dynamic routing protocols, static routes can be configured.
Unlike dynamic routing protocols, static routes do not have a dedicated detection
mechanism. If a fault occurs, static routes cannot detect the fault, and the
network administrator must delete the corresponding static route. This delays the
link switchover and may cause lengthy service interruptions.

BFD for IPv4 static routes is adaptable to link changes but both ends of the link
must support BFD. If either end of a link does not support BFD, NQA for IPv4
static routes can be configured. When an NQA test instance detects a link fault, it
instructs the routing management module to delete the associated static route
from the IP routing table. Then service traffic switches to a route without any link
fault to prevent lengthy service interruptions.

Configuration Notes
● The NQA function of the switch is license controlled. If the license is
unavailable, NQA commands can be run, but the NQA function does not take
effect.
● Applicable products and versions: V200R003C00 and later versions

Networking Requirements
As shown in Figure 3-125, SwitchA on a company network is connected to two
egress routers (RouterA and RouterB) through two default static routes to
implement load balancing. The company wants to deploy a link failure detection
mechanism for the default static routes, so that traffic can be switched from a
faulty link to the other functioning link promptly to prevent services from being
interrupted.

NOTE

In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled
and VLANIF interfaces of switches are used to construct a Layer 3 ring network, an
interface on the network will be blocked. As a result, Layer 3 services on the network
cannot run normally.

Figure 3-125 Configuring NQA for IPv4 static routes

Configuration Roadmap
1. Create VLANs, add interfaces to the VLANs, and configure IP addresses for
VLANIF interfaces, so that neighboring devices can communicate with each
other.

2. Create ICMP NQA test instances to monitor the status of links.
ICMP NQA test instances need to be created on the NQA client SwitchA to
detect the status of links between SwitchA and RouterA and between SwitchA
and RouterB.
3. Configure default static routes and bind them to the NQA test instances.
Default static routes destined for RouterA and RouterB need to be configured
on SwitchA and bound to NQA test instances. In this way, if an NQA test
instance detects a link failure, traffic is switched to the other link.

Procedure
Step 1 On SwitchA, create VLANs and add interfaces to them.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200 300
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 300
[SwitchA-GigabitEthernet1/0/3] quit

Step 2 On SwitchA, configure an IP address for each VLANIF interface.


[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.10.2 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 10.1.20.2 24
[SwitchA-Vlanif200] quit
[SwitchA] interface vlanif 300
[SwitchA-Vlanif300] ip address 10.1.30.2 24
[SwitchA-Vlanif300] quit

Step 3 On SwitchA, configure NQA test instances.


[SwitchA] nqa test-instance user test1
[SwitchA-nqa-user-test1] test-type icmp
[SwitchA-nqa-user-test1] destination-address ipv4 10.1.10.1
[SwitchA-nqa-user-test1] frequency 11
[SwitchA-nqa-user-test1] probe-count 2
[SwitchA-nqa-user-test1] interval seconds 5
[SwitchA-nqa-user-test1] timeout 4
[SwitchA-nqa-user-test1] start now
[SwitchA-nqa-user-test1] quit
[SwitchA] nqa test-instance user test2
[SwitchA-nqa-user-test2] test-type icmp
[SwitchA-nqa-user-test2] destination-address ipv4 10.1.20.1
[SwitchA-nqa-user-test2] frequency 11
[SwitchA-nqa-user-test2] probe-count 2
[SwitchA-nqa-user-test2] interval seconds 5
[SwitchA-nqa-user-test2] timeout 4
[SwitchA-nqa-user-test2] start now
[SwitchA-nqa-user-test2] quit

Step 4 Configure default static routes and bind them to the NQA test instances.
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.1.10.1 track nqa user test1
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.1.20.1 track nqa user test2

Step 5 Verify the configuration.


# Check the configuration of NQA for default static routes. The command output
shows that the default static routes have been bound to NQA test instances.
[SwitchA] display current-configuration | include nqa
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1 track nqa user test1
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1 track nqa user test2
nqa test-instance user test1
nqa test-instance user test2

# Check NQA test results.


[SwitchA] display nqa results test-instance user test1

NQA entry(user, test1) :testflag is active ,testtype is icmp


1 . Test 10 result The test is finished
Send operation times: 2 Receive response times: 2
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Status errors number:0
Destination ip address:10.1.10.1
Min/Max/Average Completion Time: 30/30/30
Sum/Square-Sum Completion Time: 7/25
Last Good Probe Time: 2014-09-09 09:55:38.2
Lost packet ratio: 0 %
[SwitchA] display nqa results test-instance user test2

NQA entry(user, test2) :testflag is active ,testtype is icmp


1 . Test 11 result The test is finished
Send operation times: 2 Receive response times: 2
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Status errors number:0
Destination ip address:10.1.20.1
Min/Max/Average Completion Time: 30/30/30
Sum/Square-Sum Completion Time: 7/25
Last Good Probe Time: 2014-09-09 09:56:38.2
Lost packet ratio: 0 %

Completion:success and Lost packet ratio: 0 % in the command output show
that the links between SwitchA and RouterA and between SwitchA and RouterB
are normal.
# Check the routing table. The command output shows that there are two default
static routes destined for RouterA and RouterB, respectively.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 10

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 Static 60 0 RD 10.1.10.1 Vlanif100
Static 60 0 RD 10.1.20.1 Vlanif200
10.1.10.0/24 Direct 0 0 D 10.1.10.2 Vlanif100
10.1.10.2/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.20.0/24 Direct 0 0 D 10.1.20.2 Vlanif200
10.1.20.2/32 Direct 0 0 D 127.0.0.1 Vlanif200
10.1.30.0/24 Direct 0 0 D 10.1.30.2 Vlanif300
10.1.30.2/32 Direct 0 0 D 127.0.0.1 Vlanif300
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

# Shut down GigabitEthernet1/0/2 on SwitchA to simulate a link fault.


[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] shutdown
[SwitchA-GigabitEthernet1/0/2] quit

# Check NQA test results.


[SwitchA] display nqa results test-instance user test1

NQA entry(user, test1) :testflag is active ,testtype is icmp


1 . Test 12 result The test is finished
Send operation times: 2 Receive response times: 2
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Status errors number:0
Destination ip address:10.1.10.1
Min/Max/Average Completion Time: 30/30/30
Sum/Square-Sum Completion Time: 7/25
Last Good Probe Time: 2014-09-09 09:57:38.2
Lost packet ratio: 0 %
[SwitchA] display nqa results test-instance user test2

NQA entry(user, test2) :testflag is active ,testtype is icmp


1 . Test 13 result The test is finished
Send operation times: 2 Receive response times: 0
Completion:failed RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:2
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Status errors number:0
Destination ip address:10.1.20.1
Min/Max/Average Completion Time: 0/0/0
Sum/Square-Sum Completion Time: 0/0
Last Good Probe Time: 2014-09-09 09:58:38.2
Lost packet ratio: 100 %

Completion:failed and Lost packet ratio: 100 % in the command output show
that the link between SwitchA and RouterB is faulty.
# Check the routing table. Only the default static route to RouterA is available.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 7 Routes : 7

Destination/Mask Proto Pre Cost Flags NextHop Interface

0.0.0.0/0 Static 60 0 RD 10.1.10.1 Vlanif100
10.1.10.0/24 Direct 0 0 D 10.1.10.2 Vlanif100
10.1.10.2/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.30.0/24 Direct 0 0 D 10.1.30.2 Vlanif300
10.1.30.2/32 Direct 0 0 D 127.0.0.1 Vlanif300
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

----End
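An added example, not from the Huawei document: Python that parses the display nqa results and tracked-route lines shown above (constructed copies of the SwitchA output after the GigabitEthernet1/0/2 shutdown) and derives which NQA-bound default routes should still be in the routing table. The health rule (Completion:success with replies received) is an assumption taken from how the page reads the output.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample: the two "display nqa results" listings the page shows after
# GigabitEthernet1/0/2 was shut down (test1 still succeeds, test2 times out).
NQA_RESULTS = """\
NQA entry(user, test1) :testflag is active ,testtype is icmp
1 . Test 12 result The test is finished
Send operation times: 2 Receive response times: 2
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
Destination ip address:10.1.10.1
Min/Max/Average Completion Time: 30/30/30
Lost packet ratio: 0 %
NQA entry(user, test2) :testflag is active ,testtype is icmp
1 . Test 13 result The test is finished
Send operation times: 2 Receive response times: 0
Completion:failed RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:2
Destination ip address:10.1.20.1
Min/Max/Average Completion Time: 0/0/0
Lost packet ratio: 100 %
"""

# The two tracked default routes from "display current-configuration | include nqa".
ROUTE_CONFIG = """\
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1 track nqa user test1
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1 track nqa user test2
"""


@dataclass
class NqaResult:
    instance: str      # "<admin> <name>", e.g. "user test1"
    destination: str
    sent: int
    received: int
    completion: str    # "success" or "failed"
    lost_ratio: int    # percent


def _field(pattern: str, chunk: str) -> str:
    m = re.search(pattern, chunk)
    if m is None:
        raise ValueError(f"pattern {pattern!r} not found in NQA output")
    return m.group(1)


def parse_nqa_results(text: str) -> Dict[str, NqaResult]:
    """One NqaResult per 'NQA entry(...)' block, keyed by '<admin> <name>'."""
    results: Dict[str, NqaResult] = {}
    for chunk in re.split(r"(?m)^(?=NQA entry\()", text):
        head = re.match(r"NQA entry\((\w+), (\w+)\)", chunk)
        if head is None:
            continue  # text before the first entry
        instance = f"{head.group(1)} {head.group(2)}"
        results[instance] = NqaResult(
            instance=instance,
            destination=_field(r"Destination ip address:\s*(\S+)", chunk),
            sent=int(_field(r"Send operation times:\s*(\d+)", chunk)),
            received=int(_field(r"Receive response times:\s*(\d+)", chunk)),
            completion=_field(r"Completion:\s*(\w+)", chunk),
            lost_ratio=int(_field(r"Lost packet ratio:\s*(\d+)\s*%", chunk)),
        )
    return results


def ratio_is_consistent(r: NqaResult) -> bool:
    """Sanity check: the reported loss ratio must match the sent/received counters."""
    if r.sent == 0:
        return r.lost_ratio == 0
    return (r.sent - r.received) * 100 // r.sent == r.lost_ratio


def link_is_up(r: NqaResult) -> bool:
    """The page reads 'Completion:success' with 0 % loss as a healthy link and
    'Completion:failed' with 100 % loss as a faulty one; require replies as well."""
    return r.completion == "success" and r.received > 0


_TRACKED = re.compile(r"^ip route-static (\S+) (\S+) (\S+) track nqa (\w+) (\w+)", re.M)


def parse_tracked_routes(config: str) -> List[Tuple[str, str, str, str]]:
    """(destination, mask, nexthop, '<admin> <name>') for each NQA-tracked static route."""
    return [(d, m, nh, f"{a} {n}") for d, m, nh, a, n in _TRACKED.findall(config)]


def expected_active_routes(config: str, nqa_text: str) -> List[Tuple[str, str, str]]:
    """Routes that should remain in the routing table given the probe results."""
    results = parse_nqa_results(nqa_text)
    active = []
    for dest, mask, nexthop, instance in parse_tracked_routes(config):
        res = results.get(instance)
        if res is None:
            raise KeyError(f"no NQA result for tracked instance {instance}")
        if not ratio_is_consistent(res):
            raise ValueError(f"{instance}: loss ratio disagrees with counters")
        if link_is_up(res):
            active.append((dest, mask, nexthop))
    return active
```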

Configuration Files
SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200 300
#
interface Vlanif100
ip address 10.1.10.2 255.255.255.0
#
interface Vlanif200
ip address 10.1.20.2 255.255.255.0
#
interface Vlanif300
ip address 10.1.30.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
ip route-static 0.0.0.0 0.0.0.0 10.1.10.1 track nqa user test1
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1 track nqa user test2
#
nqa test-instance user test1
test-type icmp
destination-address ipv4 10.1.10.1
frequency 11
interval seconds 5
timeout 4
probe-count 2
start now
#
nqa test-instance user test2
test-type icmp
destination-address ipv4 10.1.20.1
frequency 11
interval seconds 5
timeout 4
probe-count 2
start now
#
return

Relevant Information
Video
How to Configure a Static Route
How to Configure a Default Route
How to Configure a Floating Static Route

3.9.1.5 Example for Configuring EFM for IPv4 Static Routes

Overview of EFM for IPv4 Static Routes


Ethernet in the first mile (EFM) defines the specifications of the Ethernet physical
layer for user access and implements Ethernet management and maintenance.
EFM provides link-level operation, administration, and maintenance (OAM), for
example, link connectivity detection, link fault monitoring, remote fault
notification, and remote loopback on a link between two directly connected devices.

Static routes are easy to configure and therefore widely used on networks with
simple structures. Unlike dynamic routing protocols, static routes do not have a
dedicated detection mechanism. If a fault occurs, static routes cannot detect the
fault, and the network administrator must delete the corresponding static route.
This delays the link switchover and may cause lengthy service interruptions. IP
networks are being used more often to carry multiple services such as voice and
video services. These services pose high requirements on network reliability, and
fast fault detection and processing. EFM for IPv4 static routes can be configured to
provide the detection mechanism for static routes so that they can detect the link
quality changes in real time and switch services immediately.

Configuration Notes
● By default, EFM is disabled globally and on interfaces.
● After EFM OAM is enabled on an interface, the interface starts to send OAM
PDUs to perform the point-to-point EFM link detection. EFM link detection
can be implemented between two interfaces only after EFM OAM is enabled
on the peer interface.
● Applicable products and versions: switches of all models.

Networking Requirements
As shown in Figure 3-126, SwitchA connects to the NMS across a network
segment through SwitchB. SwitchA and SwitchB need to detect the link quality in
real time. When the link between them becomes faulty, the corresponding static
route is deleted from the IP routing table. Then traffic switches from the faulty
link to a normal route to improve network reliability.

Figure 3-126 Networking for configuring EFM for a static IPv4 route

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable EFM OAM globally and on interfaces of SwitchA and SwitchB to
implement real-time link quality detection.
2. Configure a static route from SwitchA to the NMS and bind it to the EFM
state to associate the static route with EFM. When a link where the static
route resides becomes faulty, traffic switches to a route without link faults.

Procedure
Step 1 Specify the VLAN to which the interfaces belong.
# Configure SwitchA. The configuration of SwitchB is similar.

<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit

Step 2 Configure an IP address for each VLANIF interface.


# Configure SwitchA. The configuration of SwitchB is similar.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 192.168.1.1 24
[SwitchA-Vlanif10] quit

Step 3 Configure an EFM session between SwitchA and SwitchB.


# Enable EFM OAM on SwitchA.
[SwitchA] efm enable //Enable EFM globally.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] efm enable //Enable EFM on an interface.
[SwitchA-GigabitEthernet1/0/1] quit

# Enable EFM OAM on SwitchB.


[SwitchB] efm enable //Enable EFM globally.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] efm enable //Enable EFM on an interface.
[SwitchB-GigabitEthernet1/0/1] quit

Step 4 Configure a static route and bind it to the EFM state.


# Configure a static route from SwitchA to the external network and bind it to the
EFM state of GigabitEthernet1/0/1.
[SwitchA] ip route-static 192.168.2.0 24 192.168.1.2 track efm-state gigabitethernet1/0/1

Step 5 Verify the configuration.


# After the configuration is complete, run the display efm session all command
on SwitchA and SwitchB. The command output shows that an EFM session has
been set up and is in detect mode, that is, the interface is in handshake state. The
following uses the display on SwitchA as an example.
[SwitchA] display efm session all
Interface EFM State Loopback Timeout
----------------------------------------------------------------------
GigabitEthernet1/0/1 detect --

# Check the IP routing table on SwitchA. The IP routing table contains the static
route.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5 Routes : 5

Destination/Mask Proto Pre Cost Flags NextHop Interface

127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0


127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif10
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
192.168.2.0/24 Static 60 0 RD 192.168.1.2 Vlanif10

# Run the undo efm enable command in the view of GigabitEthernet1/0/1 on
SwitchB to simulate a link fault.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] undo efm enable

# Run the display efm session all command on SwitchA. The command output
shows that the EFM OAM protocol state is discovery, indicating that the interface
is in OAM discovery state.
[SwitchA] display efm session all
Interface EFM State Loopback Timeout
----------------------------------------------------------------------
GigabitEthernet1/0/1 discovery --

# Check the IP routing table on SwitchA. The IP routing table does not contain the
static route 192.168.2.0/24. This is because the static route is bound to the EFM
state. After EFM OAM detects a link fault, it rapidly notifies SwitchA that the static
route is unavailable.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 4 Routes : 4

Destination/Mask Proto Pre Cost Flags NextHop Interface

127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0


127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif10
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10

# Run the efm enable command in the view of GigabitEthernet1/0/1 on SwitchB
to simulate link recovery.
[SwitchB-GigabitEthernet1/0/1] efm enable

# Run the display efm session all command on SwitchA. The command output
shows that the EFM OAM protocol state is detect, indicating that the interface is
in handshake state again.
[SwitchA] display efm session all
Interface EFM State Loopback Timeout
----------------------------------------------------------------------
GigabitEthernet1/0/1 detect --

# Check the IP routing table on SwitchA. The IP routing table contains the static
route 192.168.2.0/24 again. After EFM OAM detects that the link recovers from a
fault, it rapidly notifies that the bound static route is valid again.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 5 Routes : 5

Destination/Mask Proto Pre Cost Flags NextHop Interface

127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0


127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif10
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
192.168.2.0/24 Static 60 0 RD 192.168.1.2 Vlanif10

----End
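As an added example (not part of the Huawei document), the following Python audits that the routing table agrees with the EFM state in the way the page describes: it reads the track efm-state route from the configuration file, the display efm session all table and the display ip routing-table rows (all constructed from the listings above) and reports any tracked route that is installed while its interface is in discovery, or missing while it is in detect.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed samples mirroring the SwitchA outputs shown on this page.
EFM_DETECT = """\
Interface EFM State Loopback Timeout
----------------------------------------------------------------------
GigabitEthernet1/0/1 detect --
"""
EFM_DISCOVERY = EFM_DETECT.replace("detect", "discovery")

# The tracked route line from the SwitchA configuration file.
TRACKED_CONFIG = (
    "ip route-static 192.168.2.0 255.255.255.0 192.168.1.2 "
    "track efm-state GigabitEthernet1/0/1\n"
)

RIB_LINK_DOWN = """\
Destination/Mask Proto Pre Cost Flags NextHop Interface
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif10
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
"""
RIB_LINK_UP = RIB_LINK_DOWN + "192.168.2.0/24 Static 60 0 RD 192.168.1.2 Vlanif10\n"


def parse_efm_sessions(text: str) -> Dict[str, str]:
    """Map interface -> EFM state ('detect' = handshake up, 'discovery' = peer lost)."""
    states: Dict[str, str] = {}
    past_rule = False
    for line in text.splitlines():
        if line.startswith("----"):
            past_rule = True          # rows start after the dashed rule
            continue
        if past_rule and line.strip():
            intf, state = line.split()[:2]
            states[intf] = state
    return states


def mask_to_prefix_len(mask: str) -> int:
    """255.255.255.0 -> 24, so config-file routes can be matched to RIB rows."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


_TRACKED = re.compile(
    r"^ip route-static (\S+) (\S+) (\S+) track efm-state (\S+)", re.M | re.I)


def parse_efm_tracked_routes(config: str) -> List[Tuple[str, str, str]]:
    """(prefix, nexthop, tracked interface) for each EFM-bound static route."""
    return [(f"{dst}/{mask_to_prefix_len(mask)}", nh, intf)
            for dst, mask, nh, intf in _TRACKED.findall(config)]


_RIB_ROW = re.compile(r"^(\S+/\d+)\s+(\S+)\s+\d+\s+\d+\s+\S+\s+(\S+)\s+\S+$", re.M)


def parse_routing_table(text: str) -> Set[Tuple[str, str, str]]:
    """Set of (prefix, protocol, nexthop) rows from 'display ip routing-table'."""
    return set(_RIB_ROW.findall(text))


def audit_efm_routes(config: str, efm_text: str, rib_text: str) -> List[str]:
    """One message per mismatch; an empty list means the RIB agrees with EFM.
    Interface names are compared case-insensitively because the CLI accepts
    'gigabitethernet1/0/1' while the display output prints 'GigabitEthernet1/0/1'."""
    efm = {k.lower(): v for k, v in parse_efm_sessions(efm_text).items()}
    rib = parse_routing_table(rib_text)
    problems: List[str] = []
    for prefix, nexthop, intf in parse_efm_tracked_routes(config):
        state = efm.get(intf.lower())
        if state is None:
            problems.append(f"{intf}: no EFM session, route {prefix} cannot be tracked")
            continue
        expected = state == "detect"
        present = (prefix, "Static", nexthop) in rib
        if expected and not present:
            problems.append(f"{prefix} via {nexthop} missing although {intf} is in detect")
        elif present and not expected:
            problems.append(f"{prefix} via {nexthop} installed although {intf} is in {state}")
    return problems
```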

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
efm enable
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
efm enable
#
ip route-static 192.168.2.0 255.255.255.0 192.168.1.2 track efm-state GigabitEthernet1/0/1
#
return

● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 20
#
efm enable
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
efm enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
return

Relevant Information
Video
How to Configure a Static Route
How to Configure a Default Route
How to Configure a Floating Static Route

3.9.2 Typical OSPF Configuration

3.9.2.1 Example for Configuring Basic OSPF Functions

OSPF Overview
The Open Shortest Path First (OSPF) protocol is a link-state Interior Gateway
Protocol (IGP) developed by the Internet Engineering Task Force (IETF). OSPF
Version 2 defined in RFC 2328 is used in IPv4.

OSPF is loop-free, provides fast route convergence, and supports area partitioning,
equal-cost routes, authentication, and multicast transmission. Therefore, OSPF is
widely used as the mainstream IGP in various industries, including the enterprise,
carrier, government, finance, education, and health care industries.

OSPF uses a hierarchical design, provides various routing policies, and applies to
networks of different sizes and topologies. OSPF is often the first choice for
deploying an IGP.

Configuration Notes
● Each router ID in an OSPF process must be unique on an OSPF network.
Otherwise, the OSPF neighbor relationship cannot be established and routing
information is incorrect. You are advised to configure a unique router ID for
each OSPF process on an OSPF device.
● OSPF partitions an AS into different areas, in which Area 0 is the backbone
area. OSPF requires that all non-backbone areas maintain the connectivity
with the backbone area and devices in the backbone area maintain the
connectivity with each other.
● Network types of interfaces on both ends of a link must be the same;
otherwise, the two interfaces cannot establish an OSPF neighbor relationship.
On a link, if the network type of one OSPF interface is broadcast and the
other is P2P, the two OSPF interfaces can still establish an OSPF neighbor
relationship but cannot learn routing information from each other.
● The IP address masks of OSPF interfaces on both ends of a link must be the
same; otherwise, the two OSPF interfaces cannot establish an OSPF neighbor
relationship. On a P2MP network, however, you can run the ospf p2mp-
mask-ignore command to disable a device from checking the network mask
so that an OSPF neighbor relationship can be established.
● On a broadcast or NBMA network, there must be at least one OSPF interface
of which the DR priority is not 0 to ensure that the DR can be elected.
Otherwise, the neighbor status of devices on both ends can only be 2-Way.
● This example applies to the following products:
– S2720-EI: V200R011C10 and later versions
– S3700-EI, S3700-HI
– S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI,
S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI,
S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S,
S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H

– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-127, SwitchA, SwitchB, and SwitchC reside on the OSPF
network. The three switches need to communicate with each other, and SwitchA
and SwitchB function as core switches to support network expansion.

Figure 3-127 Networking diagram for configuring basic OSPF functions

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure an IP address for each VLANIF interface on each switch and specify
the VLAN to which the interfaces belong to implement interworking.
2. Configure basic OSPF functions on each switch and partition the OSPF
network into Area 0 and Area 1 with SwitchA as the area border router (ABR).
Consequently, the area where SwitchA and SwitchB reside becomes the
backbone area and can be used to expand the OSPF network.

Procedure
Step 1 Specify the VLANs to which interfaces belong.

# Configure SwitchA. The configurations of SwitchB and SwitchC are similar.


<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/2] quit


Step 2 Configure an IP address for each VLANIF interface.


# Configure SwitchA. The configurations of SwitchB and SwitchC are similar.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 192.168.0.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 192.168.1.1 24
[SwitchA-Vlanif20] quit

Step 3 Configure basic OSPF functions.


# Configure SwitchA.
[SwitchA] ospf 1 router-id 10.1.1.1 //Create an OSPF process 1 with the router ID 10.1.1.1.
[SwitchA-ospf-1] area 0 //Create Area 0 and enter the Area 0 view.
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255 //Configure a network segment in Area 0.
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] area 1 //Create Area 1 and enter the Area 1 view.
[SwitchA-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255 //Configure a network segment in Area 1.
[SwitchA-ospf-1-area-0.0.0.1] return

# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.2.2.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] return

# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.3.3.3
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.1] return

Step 4 Verify the configuration.


# Check information about OSPF neighbors of SwitchA.
<SwitchA> display ospf peer

OSPF Process 1 with Router ID 10.1.1.1


Neighbors

Area 0.0.0.0 interface 192.168.0.1(Vlanif10)'s neighbors


Router ID: 10.2.2.2 Address: 192.168.0.2
State: Full Mode:Nbr is Master Priority: 1
DR: 192.168.0.2 BDR: 192.168.0.1 MTU: 0
Dead timer due in 36 sec
Retrans timer interval: 5
Neighbor is up for 00:15:04
Authentication Sequence: [ 0 ]

Neighbors

Area 0.0.0.1 interface 192.168.1.1(Vlanif20)'s neighbors


Router ID: 10.3.3.3 Address: 192.168.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: 192.168.1.2 BDR: 192.168.1.1 MTU: 0
Dead timer due in 39 sec
Retrans timer interval: 5
Neighbor is up for 00:07:32
Authentication Sequence: [ 0 ]

# Check OSPF routing information on SwitchC.


<SwitchC> display ospf routing


OSPF Process 1 with Router ID 10.3.3.3


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
192.168.1.0/24 1 Transit 192.168.1.2 10.3.3.3 0.0.0.1
192.168.0.0/24 2 Inter-area 192.168.1.1 10.1.1.1 0.0.0.1

Total Nets: 2
Intra Area: 1 Inter Area: 1 ASE: 0 NSSA: 0

The preceding command output shows that SwitchC has a route to 192.168.0.0/24
and the route is an inter-area route.
# Check the routing table on SwitchB and perform the ping operation to test the
connectivity between SwitchB and SwitchC.
<SwitchB> display ospf routing

OSPF Process 1 with Router ID 10.2.2.2


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
192.168.0.0/24 1 Transit 192.168.0.2 10.2.2.2 0.0.0.0
192.168.1.0/24 2 Inter-area 192.168.0.1 10.1.1.1 0.0.0.0

Total Nets: 2
Intra Area: 1 Inter Area: 1 ASE: 0 NSSA: 0

The preceding command output shows that SwitchB has a route to 192.168.1.0/24
and the route is an inter-area route.
# On SwitchB, perform a ping operation to test the connectivity between SwitchB
and SwitchC.
<SwitchB> ping 192.168.1.2
PING 192.168.1.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.1.2: bytes=56 Sequence=1 ttl=254 time=62 ms
Reply from 192.168.1.2: bytes=56 Sequence=2 ttl=254 time=16 ms
Reply from 192.168.1.2: bytes=56 Sequence=3 ttl=254 time=62 ms
Reply from 192.168.1.2: bytes=56 Sequence=4 ttl=254 time=94 ms
Reply from 192.168.1.2: bytes=56 Sequence=5 ttl=254 time=63 ms

--- 192.168.1.2 ping statistics ---


5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 16/59/94 ms

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.0.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
ospf 1 router-id 10.2.2.2
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 20
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.3.3.3
area 0.0.0.1
network 192.168.1.0 0.0.0.255
#
return
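
The configuration files above share one layout: blocks separated by `#`, VLANIF interfaces with a dotted mask, and an OSPF process whose `network <address> <wildcard>` statements place each interface in an area. The following parser is an added example (not Huawei code) that reads that layout and applies the OSPF wildcard rule to work out which area each VLANIF interface falls in and whether the device is an ABR. Function names (`wildcard_match`, `parse_config`, `interface_areas`, `is_abr`) and the indentation in the constructed SwitchA input are assumptions; the parser strips whitespace, so the un-indented text printed above works as well.

```python
"""Parse the VRP-style configuration files printed above and work out which
OSPF area each VLANIF interface lands in, and whether the device is an ABR.

Added example, not Huawei code. It reads the '#'-delimited configuration-file
layout of the Configuration Files sections and applies the OSPF wildcard rule
behind 'network <address> <wildcard>': a bit set in the wildcard is a
don't-care bit; every other bit must match the interface address."""
import ipaddress
import re
from typing import Dict, List, Tuple


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """True if addr is covered by 'network wildcard' (OSPF wildcard semantics)."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    w = int(ipaddress.IPv4Address(wildcard))
    care = 0xFFFFFFFF ^ w  # bits that must match exactly
    return (a & care) == (n & care)


def parse_config(text: str) -> Tuple[Dict[str, str], Dict[str, List[Tuple[str, str]]], str]:
    """Return (interfaces, areas, router_id) from a configuration file.

    interfaces: {"Vlanif10": "192.168.0.1/24", ...}
    areas:      {"0.0.0.0": [("192.168.0.0", "0.0.0.255"), ...], ...}
    """
    interfaces: Dict[str, str] = {}
    areas: Dict[str, List[Tuple[str, str]]] = {}
    router_id = ""
    current_if = current_area = None
    in_ospf = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":  # '#' separates configuration blocks in these files
            current_if = current_area = None
            in_ospf = False
            continue
        if m := re.fullmatch(r"interface (Vlanif\d+)", line):
            current_if = m.group(1)
        elif (m := re.fullmatch(r"ip address (\S+) (\S+)", line)) and current_if:
            addr, mask = m.groups()
            # configuration files print a dotted mask; the CLI also accepts a prefix length
            prefix = mask if mask.isdigit() else str(ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen)
            interfaces[current_if] = f"{addr}/{prefix}"
        elif m := re.fullmatch(r"ospf \d+ router-id (\S+)", line):
            in_ospf, router_id = True, m.group(1)
        elif (m := re.fullmatch(r"area (\S+)", line)) and in_ospf:
            current_area = m.group(1)
            areas.setdefault(current_area, [])
        elif (m := re.fullmatch(r"network (\S+) (\S+)", line)) and current_area:
            areas[current_area].append((m.group(1), m.group(2)))
    return interfaces, areas, router_id


def interface_areas(text: str) -> Dict[str, List[str]]:
    """Map each VLANIF interface to the area(s) whose network statements cover it."""
    interfaces, areas, _ = parse_config(text)
    return {
        name: sorted(area for area, nets in areas.items()
                     if any(wildcard_match(cidr.split("/")[0], n, w) for n, w in nets))
        for name, cidr in interfaces.items()
    }


def is_abr(text: str) -> bool:
    """An area border router has interfaces in more than one area."""
    attached = {a for areas in interface_areas(text).values() for a in areas}
    return len(attached) > 1


# Constructed input: the SwitchA configuration file printed above (indentation optional).
SWITCH_A = """\
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
 ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
 ip address 192.168.1.1 255.255.255.0
#
ospf 1 router-id 10.1.1.1
 area 0.0.0.0
  network 192.168.0.0 0.0.0.255
 area 0.0.0.1
  network 192.168.1.0 0.0.0.255
#
return
"""

if __name__ == "__main__":
    print(interface_areas(SWITCH_A))  # {'Vlanif10': ['0.0.0.0'], 'Vlanif20': ['0.0.0.1']}
    print("ABR:", is_abr(SWITCH_A))  # ABR: True
```

Run against the SwitchB and SwitchC files above, the same functions report a single attached area and is_abr returns False, which is the reason only SwitchA carries both area 0.0.0.0 and area 0.0.0.1 in its OSPF process.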

3.9.2.2 Example for Configuring an OSPF Stub Area

Stub Area Overview


A stub area is an area that does not allow an ABR to advertise received AS
external routes. In a stub area, the routing table size and transmitted routing
information volume of routers are greatly reduced. A stub area is often placed at
the edge of an AS. To ensure the reachability of a destination outside the AS, the
ABR in the stub area generates a default route and advertises it to the non-ABR
routers in the stub area.
Assume that a device of Company H connects to the backbone area through a
single link. The device has low performance and a small routing table. The area
where the device resides needs to access other areas or network segments outside
the OSPF area, and the next-hop address of routes of the device is the IP address
of the next-hop core device of the link. Therefore, the area where the device
resides does not need to learn a large number of OSPF external routes and can be
configured as a stub area. This configuration can reduce the routing table size of
the area and resource consumption of the device.

Configuration Notes
● The backbone area cannot be configured as a stub area.
● An ASBR cannot exist in a stub area. That is, external routes are not
advertised in a stub area.
● A virtual link cannot pass through a stub area.
● To configure an area as a stub area, configure stub area attributes on all the
routers in this area using the stub command.
● To configure an area as a totally stub area, run the stub command on all the
routers in this area, and run the stub no-summary command on the ABR in
this area.
● The stub no-summary command can only be configured on an ABR to
prevent the ABR from advertising Type 3 LSAs within a stub area. After this
command is configured on the ABR, the area becomes a totally stub area, the
number of routing entries on routers in the area is reduced, and there are
only intra-area routes and a default route advertised by the ABR.
● This example applies to the following products:
– S2720-EI: V200R011C10 and later versions
– S3700-EI, S3700-HI
– S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI,
S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI,
S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S,
S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-128, SwitchA, SwitchB, and SwitchC run OSPF, and the OSPF
network is divided into Area 0 and Area 1. SwitchB functions as an ASBR to
communicate with external networks. The OSPF routing table size on SwitchC
needs to be reduced without affecting communication.


Figure 3-128 Networking diagram for OSPF stub area configuration

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions on each switch to implement interworking in
the OSPF network.
2. Configure a static route on SwitchB and import the route to the OSPF routing
table to ensure that there is a reachable route from the OSPF network to
external networks.
3. Configure Area 1 as a stub area to reduce the OSPF routing table size on
SwitchC.
4. Prohibit the ABR (SwitchA) in Area 1 from advertising Type 3 LSAs within the
stub area to configure Area 1 as a totally stub area. This configuration
minimizes the OSPF routing table size on SwitchC.

Procedure
Step 1 Specify the VLANs to which interfaces belong.
# Configure SwitchA. The configurations of SwitchB and SwitchC are similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/2] quit

Step 2 Configure an IP address for each VLANIF interface.


# Configure SwitchA. The configurations of SwitchB and SwitchC are similar.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 192.168.0.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 192.168.1.1 24
[SwitchA-Vlanif20] quit

Step 3 Configure basic OSPF functions.


# Configure SwitchA.
[SwitchA] ospf 1 router-id 10.1.1.1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.2.2.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit

# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.3.3.3
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.1] quit
[SwitchC-ospf-1] quit

Step 4 Configure SwitchB to import a static route.


[SwitchB] ip route-static 10.0.0.0 8 null 0
[SwitchB] ospf 1
[SwitchB-ospf-1] import-route static type 1 //SwitchB functions as an ASBR and imports external routes.
[SwitchB-ospf-1] quit

# Check the OSPF routing table on SwitchC. The command output shows that the
OSPF routing table contains an AS external route.
[SwitchC] display ospf routing

OSPF Process 1 with Router ID 10.3.3.3


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
192.168.1.0/24 1 Transit 192.168.1.2 10.3.3.3 0.0.0.1
192.168.0.0/24 2 Inter-area 192.168.1.1 10.1.1.1 0.0.0.1

Routing for ASEs


Destination Cost Type Tag NextHop AdvRouter
10.0.0.0/8 3 Type1 1 192.168.1.1 10.2.2.2

Total Nets: 3
Intra Area: 1 Inter Area: 1 ASE: 1 NSSA: 0

Step 5 Configure Area 1 as a stub area.


# Configure SwitchA.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] stub //Configure Area 1 as a stub area. All the routers in Area 1 must have the stub command configured.
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

# Configure SwitchC.
[SwitchC] ospf 1
[SwitchC-ospf-1] area 1
[SwitchC-ospf-1-area-0.0.0.1] stub //Configure Area 1 as a stub area. All the routers in Area 1 must have the stub command configured.
[SwitchC-ospf-1-area-0.0.0.1] quit
[SwitchC-ospf-1] quit

# Check the OSPF routing table on SwitchC. The command output shows that the
OSPF routing table does not contain the AS external route 10.0.0.0/8 but contains
a default route to external networks.
[SwitchC] display ospf routing

OSPF Process 1 with Router ID 10.3.3.3


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
192.168.1.0/24 1 Transit 192.168.1.2 10.3.3.3 0.0.0.1
0.0.0.0/0 2 Inter-area 192.168.1.1 10.1.1.1 0.0.0.1
192.168.0.0/24 2 Inter-area 192.168.1.1 10.1.1.1 0.0.0.1

Total Nets: 3
Intra Area: 1 Inter Area: 2 ASE: 0 NSSA: 0

Step 6 Configure Area 1 as a totally stub area.


[SwitchA] ospf 1
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] stub no-summary //Configure Area 1 as a totally stub area. An ABR in Area 1 must have the stub no-summary command configured, while other routers in Area 1 must have the stub command configured.
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

Step 7 Verify the configuration.


# Check the OSPF routing table on SwitchC. The command output shows that the
OSPF routing table contains only an intra-area OSPF route and a default route to
external networks but does not contain the Inter-Area route 192.168.0.0/24.
[SwitchC] display ospf routing

OSPF Process 1 with Router ID 10.3.3.3


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
192.168.1.0/24 1 Transit 192.168.1.2 10.3.3.3 0.0.0.1
0.0.0.0/0 2 Inter-area 192.168.1.1 10.1.1.1 0.0.0.1

Total Nets: 2
Intra Area: 1 Inter Area: 1 ASE: 0 NSSA: 0

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
stub no-summary
#
return

● SwitchB configuration file


#
sysname SwitchB
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.0.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
ospf 1 router-id 10.2.2.2
import-route static type 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
#
ip route-static 10.0.0.0 255.0.0.0 NULL0
#
return

● SwitchC configuration file


#
sysname SwitchC
#
vlan batch 20
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.3.3.3
area 0.0.0.1
network 192.168.1.0 0.0.0.255
stub
#
return

3.9.2.3 Example for Configuring an OSPF NSSA

NSSA Overview
An NSSA is a special type of OSPF area. It is similar to a stub area in that neither
of them transmits routes learned from other areas in the AS in which they reside.
The difference is that an NSSA allows AS external routes to be imported and
advertised in the entire AS, whereas a stub area does not. To ensure the
reachability of AS external routes, the ABR in an NSSA generates a default route
and advertises the route to the other routers in the NSSA.

An NSSA allows Type 7 LSAs (NSSA External LSAs) to be advertised. Type 7 LSAs
are generated by the ASBR of the NSSA. When reaching the ABR of the NSSA,
these LSAs can be translated into Type 5 LSAs (AS External LSAs) and advertised
to other areas.

Assume that a device of Company H connects to the backbone area through a
single link. The device has low performance and a small routing table. The
company wants to configure the area where the device resides as a stub area to
reduce the routing table size and system resource consumption of the device. In
addition, AS external routes need to be imported and advertised to the entire AS.
However, a stub area cannot meet this requirement because it does not allow
received AS external routes to be advertised. Therefore, the area needs to be
configured as an NSSA.

Configuration Notes
● The backbone area cannot be configured as an NSSA.
● To configure an area as an NSSA, configure NSSA attributes on all the routers
in this area.
● A virtual link cannot pass through an NSSA.
● To reduce the number of LSAs transmitted into the NSSA, configure the
no-summary keyword of the nssa command on the ABR. This prevents the ABR
from transmitting Type 3 LSAs into the NSSA, making the area a totally NSSA.
● This example applies to the following products:
– S2720-EI: V200R011C10 and later versions
– S3700-EI, S3700-HI
– S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI,
S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI,
S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S,
S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-129, SwitchA, SwitchB, SwitchC, and SwitchD run OSPF, and
the OSPF network is divided into Area 0 and Area 1. Devices in Area 1 need to be
prohibited from receiving external routes imported from other areas and to
communicate with external networks using the external routes imported by the
ASBR in Area 1. SwitchB transmits many services, so SwitchA needs to translate
Type 7 LSAs into Type 5 LSAs and send the LSAs to other OSPF areas.

NOTE

In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled
and VLANIF interfaces of switches are used to construct a Layer 3 ring network, an
interface on the network will be blocked. As a result, Layer 3 services on the network
cannot run normally.

Figure 3-129 Networking diagram for OSPF NSSA configuration

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions on each switch to implement interworking in
the OSPF network.
2. Configure Area 1 as an NSSA, configure a static route on SwitchD, and
configure SwitchD to import the static route into the OSPF routing table so
that switches in Area 1 can communicate with external networks only through
SwitchD.
3. Configure SwitchA as an LSA translator to translate Type 7 LSAs into Type 5
LSAs and send the LSAs to other OSPF areas.

Procedure
Step 1 Specify the VLANs to which interfaces belong.
# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are
similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 30
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 30
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/2] quit


Step 2 Configure an IP address for each VLANIF interface.


# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are
similar.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 192.168.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 30
[SwitchA-Vlanif30] ip address 192.168.3.1 24
[SwitchA-Vlanif30] quit

Step 3 Configure basic OSPF functions.


# Configure SwitchA.
[SwitchA] ospf 1 router-id 10.1.1.1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] network 192.168.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.2.2.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] area 1
[SwitchB-ospf-1-area-0.0.0.1] network 192.168.4.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.1] quit
[SwitchB-ospf-1] quit

# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.3.3.3
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit

# Configure SwitchD.
[SwitchD] ospf 1 router-id 10.4.4.4
[SwitchD-ospf-1] area 1
[SwitchD-ospf-1-area-0.0.0.1] network 192.168.3.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.1] network 192.168.4.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.1] quit
[SwitchD-ospf-1] quit

Step 4 Configure Area 1 as an NSSA.


# Configure SwitchA.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] nssa //Configure Area 1 as an NSSA. All the devices in Area 1 must have the nssa command configured.
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

# Configure SwitchB.
[SwitchB] ospf 1
[SwitchB-ospf-1] area 1
[SwitchB-ospf-1-area-0.0.0.1] nssa //Configure Area 1 as an NSSA. All the devices in Area 1 must have the nssa command configured.
[SwitchB-ospf-1-area-0.0.0.1] quit
[SwitchB-ospf-1] quit

# Configure SwitchD.
[SwitchD] ospf 1
[SwitchD-ospf-1] area 1
[SwitchD-ospf-1-area-0.0.0.1] nssa //Configure Area 1 as an NSSA. All the devices in Area 1 must have the nssa command configured.
[SwitchD-ospf-1-area-0.0.0.1] quit
[SwitchD-ospf-1] quit

Step 5 Configure SwitchD to import a static route.


[SwitchD] ip route-static 172.16.0.0 16 null 0
[SwitchD] ospf 1
[SwitchD-ospf-1] import-route static //Configure SwitchD to function as an ASBR of the NSSA to import external routes.
[SwitchD-ospf-1] quit

# Check the OSPF routing table on SwitchC.


[SwitchC] display ospf routing

OSPF Process 1 with Router ID 10.3.3.3


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
192.168.1.0/24 1 Transit 192.168.1.2 10.3.3.3 0.0.0.0
192.168.2.0/24 1 Transit 192.168.2.2 10.3.3.3 0.0.0.0
192.168.3.0/24 2 Inter-area 192.168.1.1 10.1.1.1 0.0.0.0
192.168.4.0/24 2 Inter-area 192.168.2.1 10.2.2.2 0.0.0.0
Routing for ASEs
Destination Cost Type Tag NextHop AdvRouter
172.16.0.0/16 1 Type2 1 192.168.1.1 10.2.2.2

Total Nets: 5
Intra Area: 2 Inter Area: 2 ASE: 1 NSSA: 0

The command output shows that the AS external routes imported into the NSSA
are advertised by SwitchB to other areas. That is, SwitchB translates Type 7 LSAs
into Type 5 LSAs. This is because, by default, OSPF selects the ABR with the larger
router ID as the LSA translator.
Step 6 Configure SwitchA as an LSA translator.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 1
[SwitchA-ospf-1-area-0.0.0.1] nssa translator-always
[SwitchA-ospf-1-area-0.0.0.1] quit
[SwitchA-ospf-1] quit

Step 7 Verify the configuration.


# Wait for 40 seconds and then check the OSPF routing table on SwitchC.
[SwitchC] display ospf routing

OSPF Process 1 with Router ID 10.3.3.3


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
192.168.1.0/24 1 Transit 192.168.1.2 10.3.3.3 0.0.0.0
192.168.2.0/24 1 Transit 192.168.2.2 10.3.3.3 0.0.0.0
192.168.3.0/24 2 Inter-area 192.168.1.1 10.1.1.1 0.0.0.0
192.168.4.0/24 2 Inter-area 192.168.2.1 10.2.2.2 0.0.0.0

Routing for ASEs


Destination Cost Type Tag NextHop AdvRouter
172.16.0.0/16 1 Type2 1 192.168.1.1 10.1.1.1

Total Nets: 5
Intra Area: 2 Inter Area: 2 ASE: 1 NSSA: 0

The command output shows that the AS external routes imported into the NSSA
are advertised by SwitchA to other areas. That is, SwitchA translates Type 7 LSAs
into Type 5 LSAs.

NOTE

By default, the new LSA translator works with the previous LSA translator to translate LSAs
for 40 seconds. After 40 seconds, only the new LSA translator translates LSAs.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 30
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif30
ip address 192.168.3.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
ospf 1 router-id 10.1.1.1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
area 0.0.0.1
network 192.168.3.0 0.0.0.255
nssa translator-always
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 20 40
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.4.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.2.2.2
area 0.0.0.0
network 192.168.2.0 0.0.0.255
area 0.0.0.1
network 192.168.4.0 0.0.0.255
nssa
#
return

● SwitchC configuration file


#
sysname SwitchC
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.3.3.3
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

● SwitchD configuration file


#
sysname SwitchD
#
vlan batch 30 40
#
interface Vlanif30
ip address 192.168.3.2 255.255.255.0
#
interface Vlanif40
ip address 192.168.4.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
ospf 1 router-id 10.4.4.4
import-route static
area 0.0.0.1
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
nssa
#
ip route-static 172.16.0.0 255.255.0.0 NULL0
#
return
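
The stub-area overview (3.9.2.2) and the NSSA overview (3.9.2.3) describe which LSA types an ABR withholds from, or injects into, each kind of area, and the NSSA example shows how the Type 7 to Type 5 translator is chosen. The following model is an added example, not Huawei code, that makes those rules executable: `routes_in_area` filters a constructed LSDB the way a non-ABR router in a normal, stub, totally stub, NSSA or totally NSSA area would see it, `elect_translator` applies the rule demonstrated in Steps 5 to 7 (an ABR with `translator-always` wins, otherwise the larger router ID), and `translate_type7` re-originates Type 7 LSAs as Type 5 LSAs from the translator. The LSDB contents are constructed from the two examples above; the default-route behaviour follows the overview text. Function and class names are assumptions.

```python
"""Model what a non-ABR router of an OSPF area learns under the area types used
in the stub-area and NSSA examples above, and which NSSA ABR becomes the
Type 7 to Type 5 translator.

Added example, not Huawei code. The LSDBs are constructed from the examples
above. The default-route behaviour follows the two overview paragraphs (the ABR
of a stub area or NSSA injects a default route); elect_translator applies the
rule the NSSA example shows: an ABR configured with translator-always is the
translator, otherwise the ABR with the larger router ID is."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

AREA_TYPES = ("normal", "stub", "totally-stub", "nssa", "totally-nssa")


@dataclass(frozen=True)
class LSA:
    lsa_type: int    # 1/2 router or network, 3 summary, 5 AS-external, 7 NSSA-external
    prefix: str
    adv_router: str
    area: str        # area the LSA is flooded in; "" for Type 5, which is AS-wide


def routes_in_area(area: str, area_type: str, abr_id: str,
                   lsdb: List[LSA]) -> Dict[str, Tuple[str, str]]:
    """Return {prefix: (route_type, adv_router)} as seen by a non-ABR router in area."""
    if area_type not in AREA_TYPES:
        raise ValueError(f"unknown area type {area_type!r}")
    routes: Dict[str, Tuple[str, str]] = {}
    for lsa in lsdb:
        if lsa.lsa_type in (1, 2) and lsa.area == area:
            routes[lsa.prefix] = ("Intra-area", lsa.adv_router)
        elif lsa.lsa_type == 3 and lsa.area == area:
            # Type 3 summaries are withheld only by a "totally" stub/NSSA ABR (no-summary)
            if area_type in ("normal", "stub", "nssa"):
                routes[lsa.prefix] = ("Inter-area", lsa.adv_router)
        elif lsa.lsa_type == 5:
            # AS-external LSAs are never flooded into a stub area or an NSSA
            if area_type == "normal":
                routes[lsa.prefix] = ("ASE", lsa.adv_router)
        elif lsa.lsa_type == 7 and lsa.area == area:
            # Type 7 LSAs exist only inside the NSSA whose ASBR originated them
            if area_type in ("nssa", "totally-nssa"):
                routes[lsa.prefix] = ("NSSA", lsa.adv_router)
    if area_type in ("stub", "totally-stub"):
        routes["0.0.0.0/0"] = ("Inter-area", abr_id)  # ABR's Type 3 default, as in Step 5 above
    elif area_type in ("nssa", "totally-nssa"):
        routes["0.0.0.0/0"] = ("NSSA", abr_id)        # an NSSA ABR originates its default as Type 7
    return routes


def elect_translator(abrs: Dict[str, bool]) -> str:
    """abrs maps router ID -> translator-always flag; return the elected translator."""
    forced = [rid for rid, always in abrs.items() if always]
    candidates = forced or list(abrs)
    return max(candidates, key=lambda rid: tuple(int(o) for o in rid.split(".")))


def translate_type7(lsdb: List[LSA], nssa: str, translator: str) -> List[LSA]:
    """Re-originate the NSSA's Type 7 LSAs as AS-wide Type 5 LSAs from the translator."""
    return [LSA(5, l.prefix, translator, "") for l in lsdb if l.lsa_type == 7 and l.area == nssa]


# Constructed LSDB for Area 1 of the stub-area example: SwitchC's own segment,
# SwitchA's summary of Area 0, and the 10.0.0.0/8 route SwitchB imported.
STUB_LSDB = [
    LSA(1, "192.168.1.0/24", "10.3.3.3", "0.0.0.1"),
    LSA(3, "192.168.0.0/24", "10.1.1.1", "0.0.0.1"),
    LSA(5, "10.0.0.0/8", "10.2.2.2", ""),
]

# Constructed LSDB for Area 1 of the NSSA example: SwitchD imports 172.16.0.0/16.
NSSA_LSDB = [
    LSA(1, "192.168.3.0/24", "10.4.4.4", "0.0.0.1"),
    LSA(7, "172.16.0.0/16", "10.4.4.4", "0.0.0.1"),
]

if __name__ == "__main__":
    for kind in ("normal", "stub", "totally-stub"):
        print(kind, routes_in_area("0.0.0.1", kind, "10.1.1.1", STUB_LSDB))
    abrs = {"10.1.1.1": False, "10.2.2.2": False}
    print("default translator:", elect_translator(abrs))   # 10.2.2.2
    abrs["10.1.1.1"] = True                                 # nssa translator-always on SwitchA
    print("forced translator:", elect_translator(abrs))    # 10.1.1.1
    print(translate_type7(NSSA_LSDB, "0.0.0.1", elect_translator(abrs)))
```

For the stub example the three runs reproduce the route counts printed in Steps 4, 5 and 7 (3, 3 and 2 entries, with 10.0.0.0/8 replaced by 0.0.0.0/0 and the inter-area route dropped last); for the NSSA example the translated Type 5 LSA carries AdvRouter 10.2.2.2 before and 10.1.1.1 after translator-always, which is what the two SwitchC routing tables show.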


3.9.2.4 Example for Configuring OSPF Load Balancing

OSPF Load Balancing Overview


Equal-cost multiple path (ECMP) evenly load balances traffic over multiple paths
between two network nodes. ECMP reduces the traffic load on each path and
enhances network robustness. If a routing protocol discovers multiple routes to
the same destination and these routes have the same cost, traffic can be load
balanced among the routes. When load balancing is configured, the router
forwards packets according to five factors: the source address, destination
address, source port, destination port, and protocol of each packet. If the five
factors are the same, the router always chooses the same next-hop address as for
the previous packet. If the five factors are different, the router chooses the
relatively idle path to forward packets.
On an OSPF network, multiple equal-cost paths may exist between two network
elements (NEs), while a single path carries all service traffic. Users require that all
service traffic be load balanced over multiple paths to improve network reliability
and resource usage. In this case, OSPF load balancing can be configured.
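
The per-flow behaviour just described (same five factors, same next hop; different flows spread across the paths) is shown below as an added example, not Huawei code. `select_next_hop` is an illustration that hashes the five-tuple; the switch's actual hash algorithm is not documented here. The `max_paths` argument stands in for the maximum load-balancing command from the Configuration Notes: only that many equal-cost next hops are used, and 1 disables load balancing. The next-hop addresses, the flow list and the function names are assumptions.

```python
"""Per-flow next-hop selection over equal-cost OSPF paths, as the overview
above describes: packets with the same five factors always take the same next
hop, while distinct flows are spread over the available paths.

Added example, not Huawei code. select_next_hop is an illustration that hashes
the five-tuple; the switch's real hash algorithm is not documented here.
max_paths stands in for the 'maximum load-balancing' command: only that many
equal-cost next hops are used, and 1 disables load balancing."""
import hashlib
from collections import Counter
from typing import List, Tuple

FiveTuple = Tuple[str, str, int, int, int]  # src, dst, sport, dport, IP protocol


def select_next_hop(flow: FiveTuple, next_hops: List[str], max_paths: int) -> str:
    """Pick one of the first max_paths equal-cost next hops, deterministically per flow."""
    if max_paths < 1:
        raise ValueError("max_paths must be at least 1")
    if not next_hops:
        raise ValueError("no equal-cost next hop available")
    used = next_hops[:max_paths]
    key = "|".join(str(f) for f in flow).encode()
    # a stable hash: the same five-tuple always yields the same index
    idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(used)
    return used[idx]


def distribution(flows: List[FiveTuple], next_hops: List[str], max_paths: int) -> Counter:
    """Count how many of the given flows land on each next hop."""
    return Counter(select_next_hop(f, next_hops, max_paths) for f in flows)


# Assumed addresses: SwitchA's two equal-cost next hops toward SwitchD, one via
# SwitchB on VLANIF 10 and one via SwitchC on VLANIF 20 (constructed, not from the page).
NEXT_HOPS = ["10.1.1.2", "10.1.2.2"]

# Constructed flows: 200 TCP sessions from hosts behind SwitchA to one server.
FLOWS: List[FiveTuple] = [
    ("172.16.1.%d" % (10 + i % 50), "172.16.2.10", 40000 + i, 443, 6) for i in range(200)
]

if __name__ == "__main__":
    print(distribution(FLOWS, NEXT_HOPS, max_paths=2))  # both next hops carry flows
    print(distribution(FLOWS, NEXT_HOPS, max_paths=1))  # everything on 10.1.1.2
```

Because the index is derived only from the five-tuple, all packets of one session stay on one path and arrive in order, while the 200 constructed sessions are split across both next hops; setting max_paths to 1 collapses everything onto the first path, which is the effect the Configuration Notes describe for cancelling load balancing.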

Configuration Notes
● The maximum number of equal-cost routes for load balancing can be
configured using the maximum load-balancing command.
● To cancel load balancing, you can set the maximum number of equal-cost
routes to 1.
● This example applies to the following products:
– S3700-EI, S3700-HI
– S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-SI, S5720S-SI, S5720I-SI,
S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S5735-S, S5735S-S, S5735-S-I, S5735S-H,
S5736-S
– S6700-EI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI, S6720-HI, S6730-H,
S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-130, four switches all belong to Area 0 on the OSPF network.
Load balancing needs to be configured so that the traffic from SwitchA is sent to
SwitchD through both SwitchB and SwitchC.


NOTE

In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled
and VLANIF interfaces of switches are used to construct a Layer 3 ring network, an
interface on the network will be blocked. As a result, Layer 3 services on the network
cannot run normally.

Figure 3-130 Networking diagram for configuring load balancing among OSPF
routes

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions on each switch to implement basic
connections on the OSPF network.
2. Configure load balancing on SwitchA.

Procedure
Step 1 Configure VLANs to which each interface belongs.
# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are
similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 50
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 50
[SwitchA-GigabitEthernet1/0/3] quit

Step 2 Configure an IP address for each VLANIF interface.

# Configure SwitchA. The configurations of SwitchB, SwitchC, and SwitchD are
similar.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 20
[SwitchA-Vlanif20] ip address 10.1.2.1 24
[SwitchA-Vlanif20] quit
[SwitchA] interface vlanif 50
[SwitchA-Vlanif50] ip address 172.16.1.1 24
[SwitchA-Vlanif50] quit

Step 3 Configure basic OSPF functions.


# Configure SwitchA.
[SwitchA] ospf 1 router-id 10.10.10.1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.10.10.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit

# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.10.10.3
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit

# Configure SwitchD.
[SwitchD] ospf 1 router-id 10.10.10.4
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.0] network 192.168.0.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] network 172.17.1.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.0] quit
[SwitchD-ospf-1] quit

# Display the routing table of SwitchA.


[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 12

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.2.0/24 Direct 0 0 D 10.1.2.1 Vlanif20
10.1.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

172.16.1.0/24 Direct 0 0 D 172.16.1.1 Vlanif50
172.16.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif50
172.17.1.0/24 OSPF 10 3 D 10.1.2.2 Vlanif20
OSPF 10 3 D 10.1.1.2 Vlanif10
192.168.0.0/24 OSPF 10 2 D 10.1.1.2 Vlanif10
192.168.1.0/24 OSPF 10 2 D 10.1.2.2 Vlanif20

As shown in the routing table, the route to 172.17.1.0/24 on SwitchA has two valid
next hops, 10.1.1.2 (SwitchB) and 10.1.2.2 (SwitchC), so traffic is load balanced
over both paths.

Step 4 Configure the weight of equal-cost routes on SwitchA.

If you do not want to implement load balancing between SwitchB and SwitchC,
set the weight of equal-cost routes to specify the next hop.
[SwitchA] ospf 1
[SwitchA-ospf-1] nexthop 10.1.2.2 weight 1 //Specify the weight parameter to set the priority of equal-cost routes. The default weight value is 255. A larger weight value indicates a lower priority.
[SwitchA-ospf-1] quit

# Check the routing table on SwitchA.


[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 11 Routes : 11

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10


10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.2.0/24 Direct 0 0 D 10.1.2.1 Vlanif20
10.1.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.1.0/24 Direct 0 0 D 172.16.1.1 Vlanif50
172.16.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif50
172.17.1.0/24 OSPF 10 3 D 10.1.2.2 Vlanif20
192.168.0.0/24 OSPF 10 2 D 10.1.1.2 Vlanif10
192.168.1.0/24 OSPF 10 2 D 10.1.2.2 Vlanif20

As shown in the routing table, after the weight is set for equal-cost routes, the
next hop 10.1.2.2 (SwitchC) with weight 1 has a higher priority than 10.1.1.2
(SwitchB). OSPF therefore selects the route with next hop 10.1.2.2 as the optimal
route and installs only that route.
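The selection logic behind Step 4, as an added Python model that is not Huawei's code: equal-cost candidates are first filtered by the configured nexthop weight (smaller wins, 255 by default), then capped by maximum load-balancing. The default of 8 for maximum load-balancing and the 1 to 254 range for configured weights are assumptions; check the defaults for your model and version.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

DEFAULT_WEIGHT = 255  # weight used when no "nexthop <ip> weight" is configured


@dataclass
class OspfNexthopPolicy:
    """Models the two knobs this example uses on SwitchA.

    max_load_balancing: value of "maximum load-balancing" (8 is assumed here).
    weights: next hop -> value set with "nexthop <ip> weight <n>"; a smaller
        value means a higher priority, and 255 is the default.
    """
    max_load_balancing: int = 8
    weights: Dict[str, int] = field(default_factory=dict)

    def set_weight(self, nexthop: str, weight: int) -> None:
        if not 1 <= weight <= 254:  # assumed configurable range below the default
            raise ValueError("weight must be between 1 and 254")
        self.weights[nexthop] = weight

    def weight(self, nexthop: str) -> int:
        return self.weights.get(nexthop, DEFAULT_WEIGHT)

    def select(self, candidates: List[str]) -> List[str]:
        """Next hops that get installed for one destination.

        Only candidates sharing the smallest weight stay in play; of those,
        at most max_load_balancing are installed (1 cancels load balancing).
        """
        if not candidates:
            return []
        best = min(self.weight(n) for n in candidates)
        preferred = [n for n in candidates if self.weight(n) == best]
        return preferred[: max(1, self.max_load_balancing)]


# Equal-cost OSPF candidates SwitchA computed in Step 3 (from the page's table).
OSPF_CANDIDATES: Dict[str, List[str]] = {
    "172.17.1.0/24": ["10.1.2.2", "10.1.1.2"],  # cost 3 via SwitchC or SwitchB
    "192.168.0.0/24": ["10.1.1.2"],             # cost 2 via SwitchB
    "192.168.1.0/24": ["10.1.2.2"],             # cost 2 via SwitchC
}


def install_routes(policy: OspfNexthopPolicy,
                   candidates: Dict[str, List[str]] = OSPF_CANDIDATES) -> List[Tuple[str, str]]:
    """Return (prefix, nexthop) pairs as they would appear in the routing table."""
    table = []
    for prefix, nexthops in candidates.items():
        for nh in policy.select(nexthops):
            table.append((prefix, nh))
    return table


def ospf_route_count(policy: OspfNexthopPolicy) -> int:
    """Number of OSPF routes installed: 4 before the weight is set, 3 after."""
    return len(install_routes(policy))


if __name__ == "__main__":
    default = OspfNexthopPolicy()
    print("before:", install_routes(default))   # both next hops for 172.17.1.0/24
    weighted = OspfNexthopPolicy()
    weighted.set_weight("10.1.2.2", 1)           # [SwitchA-ospf-1] nexthop 10.1.2.2 weight 1
    print("after :", install_routes(weighted))  # only 10.1.2.2 for 172.17.1.0/24
    single = OspfNexthopPolicy(max_load_balancing=1)
    print("max 1 :", install_routes(single))    # load balancing cancelled
```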

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20 50
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif50
ip address 172.16.1.1 255.255.255.0
#

interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 50
#
ospf 1 router-id 10.10.10.1
nexthop 10.1.2.2 weight 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
return
● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1 router-id 10.10.10.2
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.0.0 0.0.0.255
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 20 40
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
#
interface Vlanif40
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
ospf 1 router-id 10.10.10.3
area 0.0.0.0

Issue 35 (2022-10-26) Copyright © Huawei Technologies Co., Ltd. 1592


S300, S500, S2700, S3700, S5700, S6700, S7700, and
S9700 Series Switches
Typical Configuration Examples 3 Feature Typical Configuration Examples

network 10.1.2.0 0.0.0.255


network 192.168.1.0 0.0.0.255
#
return

● SwitchD configuration file
#
sysname SwitchD
#
vlan batch 30 40 60
#
interface Vlanif30
ip address 192.168.0.2 255.255.255.0
#
interface Vlanif40
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif60
ip address 172.17.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 60
#
ospf 1 router-id 10.10.10.4
area 0.0.0.0
network 172.17.1.0 0.0.0.255
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return

3.9.2.5 Example for Configuring BFD for OSPF

BFD for OSPF Overview


Bidirectional forwarding detection (BFD) is a mechanism used to detect
communication faults between forwarding engines. BFD detects connectivity of a
data protocol on a path between two systems. The path can be a physical or
logical link. In BFD for OSPF, a BFD session is associated with OSPF. The BFD
session quickly detects a link fault and then notifies OSPF of the fault. This speeds
up OSPF's response to the change of the network topology.

Any link fault or topology change on the network causes the device to recalculate
routes. If only the OSPF detection mechanism is used, the route recalculation
time equals the OSPF convergence time, and OSPF detects faults in seconds. At
high data rates, for example gigabit rates, a detection time longer than one
second means that a large amount of data is lost, and for delay-sensitive services
such as voice a delay longer than one second is unacceptable. When an OSPF
network requires high reliability or carries delay-sensitive services, BFD for OSPF
can be configured: BFD detects a fault on the link between neighbors in
milliseconds and notifies OSPF, which speeds up OSPF network convergence.

Configuration Notes
● BFD needs to be configured on the two ends between which the OSPF
neighbor relationship is established.
● The two ends that establish BFD sessions must be located in the same
network segment on an OSPF area.
● The ospf bfd enable and ospf bfd block commands are mutually exclusive
and cannot be enabled at the same time.
● This example applies to the following products:
– S3700-EI, S3700-HI
– S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-SI, S5720S-SI, S5720I-SI,
S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S5735-S, S5735S-S, S5735-S-I, S5735S-H,
S5736-S
– S6700-EI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI, S6720-HI, S6730-H,
S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-131, OSPF runs among SwitchA, SwitchB, and SwitchC, and
the switch between SwitchA and SwitchB only provides the transparent
transmission function. SwitchA and SwitchB need to quickly detect the status of
the link between them. When the link SwitchA->SwitchB is faulty, services can be
quickly switched to the backup link SwitchA->SwitchC->SwitchB.

NOTE

In this scenario, ensure that all connected interfaces have STP disabled. If STP is enabled
and VLANIF interfaces of switches are used to construct a Layer 3 ring network, an
interface on the network will be blocked. As a result, Layer 3 services on the network
cannot run normally.

Figure 3-131 Networking diagram of configuring BFD for OSPF

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic OSPF functions on SwitchA, SwitchB, and SwitchC to
implement basic connections on the OSPF network.
2. Configure BFD for OSPF on SwitchA, SwitchB, and SwitchC so that services
can be quickly switched to the backup link when the link between SwitchA
and SwitchB is faulty.

Procedure
Step 1 Configure VLANs to which each interface belongs.
# Configure SwitchA. The configurations of SwitchB and SwitchC are the same as
the configuration of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 30
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 30
[SwitchA-GigabitEthernet1/0/2] quit

Step 2 Configure an IP address for each VLANIF interface.


# Configure SwitchA. The configurations of SwitchB and SwitchC are similar.
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24
[SwitchA-Vlanif10] quit
[SwitchA] interface vlanif 30
[SwitchA-Vlanif30] ip address 10.3.3.1 24
[SwitchA-Vlanif30] quit

Step 3 Configure basic OSPF functions.


# Configure SwitchA.
[SwitchA] ospf 1 router-id 10.10.10.1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.3.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

# Configure SwitchB.
[SwitchB] ospf 1 router-id 10.10.10.2
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 10.2.2.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 10.3.3.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit

# Configure SwitchC.
[SwitchC] ospf 1 router-id 10.10.10.3
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] network 10.2.2.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit

# After the preceding configurations, run the display ospf peer command. The
neighbor relationships are set up among SwitchA, SwitchB, and SwitchC. The
command output of SwitchA is used as an example.
[SwitchA] display ospf peer

OSPF Process 1 with Router ID 10.10.10.1


Neighbors

Area 0.0.0.0 interface 10.1.1.1(Vlanif10)'s neighbors


Router ID: 10.10.10.3 Address: 10.1.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: 10.1.1.2 BDR: 10.1.1.1 MTU: 0
Dead timer due in 38 sec
Retrans timer interval: 5
Neighbor is up for 00:00:15
Authentication Sequence: [ 0 ]

Neighbors

Area 0.0.0.0 interface 10.3.3.1(Vlanif30)'s neighbors


Router ID: 10.10.10.2 Address: 10.3.3.2
State: Full Mode:Nbr is Master Priority: 1
DR: 10.3.3.2 BDR: 10.3.3.1 MTU: 0
Dead timer due in 25 sec
Retrans timer interval: 5
Neighbor is up for 00:00:59
Authentication Sequence: [ 0 ]

# Check the OSPF routing table on SwitchA. You can see the routing entries to
SwitchB and SwitchC. However, the next-hop address of the route to the
destination network segment 172.16.1.0/24 is 10.3.3.2, which indicates that the
traffic is transmitted on the link SwitchA→SwitchB.
[SwitchA] display ospf routing

OSPF Process 1 with Router ID 10.10.10.1


Routing Tables

Routing for Network

Destination Cost Type NextHop AdvRouter Area
10.1.1.0/24 1 Transit 10.1.1.1 10.10.10.1 0.0.0.0
10.3.3.0/24 1 Transit 10.3.3.1 10.10.10.1 0.0.0.0
10.2.2.0/24 2 Transit 10.1.1.2 10.10.10.3 0.0.0.0
10.2.2.0/24 2 Transit 10.3.3.2 10.10.10.3 0.0.0.0
172.16.1.0/24 2 Stub 10.3.3.2 10.10.10.2 0.0.0.0

Total Nets: 5
Intra Area: 5 Inter Area: 0 ASE: 0 NSSA: 0

Step 4 Configure BFD for OSPF.


# Configure BFD for OSPF on SwitchA.
[SwitchA] bfd //Enable BFD globally.
[SwitchA-bfd] quit
[SwitchA] ospf 1
[SwitchA-ospf-1] bfd all-interfaces enable //Enable BFD in OSPF process 1.
[SwitchA-ospf-1] quit

# Configure BFD for OSPF on SwitchB.


[SwitchB] bfd //Enable BFD globally.
[SwitchB-bfd] quit
[SwitchB] ospf 1
[SwitchB-ospf-1] bfd all-interfaces enable //Enable BFD in OSPF process 1.
[SwitchB-ospf-1] quit

# Configure BFD for OSPF on SwitchC.


[SwitchC] bfd //Enable BFD globally.
[SwitchC-bfd] quit
[SwitchC] ospf 1
[SwitchC-ospf-1] bfd all-interfaces enable //Enable BFD in OSPF process 1.
[SwitchC-ospf-1] quit

# After the preceding configurations, run the display ospf bfd session all
command on SwitchA, SwitchB, or SwitchC. The peer BFD session is Up. The
command output of SwitchA is used as an example.
[SwitchA] display ospf bfd session all

OSPF Process 1 with Router ID 10.10.10.1


Area 0.0.0.0 interface 10.1.1.1(Vlanif10)'s BFD Sessions

NeighborId:10.10.10.3 AreaId:0.0.0.0 Interface:Vlanif10


BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8195 LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.1.2 Diagnostic Info:No diagnostic information

Area 0.0.0.0 interface 10.3.3.1(Vlanif30)'s BFD Sessions

NeighborId:10.10.10.2 AreaId:0.0.0.0 Interface:Vlanif30


BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8194 LocalIpAdd:10.3.3.1
RemoteIpAdd:10.3.3.2 Diagnostic Info:No diagnostic information

Step 5 Verify the configuration.


# Run the shutdown command on GE1/0/1 of SwitchB to simulate the link fault.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] shutdown

# Check the OSPF routing table on SwitchA.


[SwitchA] display ospf routing

OSPF Process 1 with Router ID 10.10.10.1


Routing Tables

Routing for Network


Destination Cost Type NextHop AdvRouter Area
10.1.1.0/24 1 Transit 10.1.1.1 10.10.10.1 0.0.0.0
10.2.2.0/24 2 Transit 10.1.1.2 10.10.10.3 0.0.0.0
172.16.1.0/24 3 Stub 10.1.1.2 10.10.10.2 0.0.0.0

Total Nets: 3
Intra Area: 3 Inter Area: 0 ASE: 0 NSSA: 0

When the link SwitchA->SwitchB is faulty, the backup link SwitchA->SwitchC->SwitchB
takes effect and the next-hop address of the route to the destination network
segment 172.16.1.0/24 changes to 10.1.1.2.
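The detection and reconvergence sequence verified above, as an added Python model that is not Huawei's code: the BFD detection time is derived from the rx, tx and Multiplier values shown by display ospf bfd session all (the RFC 5880 rule), and an SPF over the Figure 3-131 topology recomputes the next hop for 172.16.1.0/24 once the SwitchA-SwitchB link is declared Down. The packet timeline and the cost of 1 for the stub network are constructed assumptions.

```python
import heapq
from typing import Dict, FrozenSet, List, Tuple


def bfd_detection_time_ms(local_rx_ms: int, remote_tx_ms: int, multiplier: int) -> int:
    """Silence after which a BFD session is declared Down.

    RFC 5880: detection time = detect multiplier x max(local required min rx,
    remote desired min tx). The page's session (rx 1000, tx 1000, Multiplier 3)
    therefore fails over after 3000 ms instead of waiting for the OSPF dead timer
    (tens of seconds in the display ospf peer output).
    """
    return multiplier * max(local_rx_ms, remote_tx_ms)


def session_state(last_packet_ms: int, now_ms: int, detection_ms: int) -> str:
    """'up' while control packets keep arriving inside the detection window."""
    return "down" if now_ms - last_packet_ms >= detection_ms else "up"


# Topology of Figure 3-131: (router, neighbor, cost, next-hop address on the neighbor).
LINKS: List[Tuple[str, str, int, str]] = [
    ("SwitchA", "SwitchB", 1, "10.3.3.2"),
    ("SwitchB", "SwitchA", 1, "10.3.3.1"),
    ("SwitchA", "SwitchC", 1, "10.1.1.2"),
    ("SwitchC", "SwitchA", 1, "10.1.1.1"),
    ("SwitchB", "SwitchC", 1, "10.2.2.1"),
    ("SwitchC", "SwitchB", 1, "10.2.2.2"),
]
# Stub network behind SwitchB; cost 1 is assumed so that SwitchA sees cost 2, as on the page.
STUBS: Dict[str, List[Tuple[str, int]]] = {"SwitchB": [("172.16.1.0/24", 1)]}


def spf(source: str,
        failed: FrozenSet[Tuple[str, str]] = frozenset()) -> Dict[str, Tuple[int, str]]:
    """Dijkstra over the router graph; returns {prefix: (cost, nexthop)} from source.

    A link listed in `failed` (either direction) is skipped, which is what OSPF
    does once BFD reports the neighbor on that link as Down.
    """
    graph: Dict[str, List[Tuple[str, int, str]]] = {}
    for a, b, cost, nh in LINKS:
        if (a, b) not in failed and (b, a) not in failed:
            graph.setdefault(a, []).append((b, cost, nh))
    best: Dict[str, Tuple[int, str]] = {source: (0, "")}   # router -> (cost, first hop)
    heap: List[Tuple[int, str, str]] = [(0, source, "")]
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if cost > best[node][0]:
            continue  # stale heap entry
        for nbr, link_cost, nh in graph.get(node, []):
            new_cost = cost + link_cost
            hop = first_hop or nh  # the first hop is fixed at the source's own link
            if nbr not in best or new_cost < best[nbr][0]:
                best[nbr] = (new_cost, hop)
                heapq.heappush(heap, (new_cost, nbr, hop))
    routes: Dict[str, Tuple[int, str]] = {}
    for router, stubs in STUBS.items():
        if router in best:
            for prefix, stub_cost in stubs:
                routes[prefix] = (best[router][0] + stub_cost, best[router][1])
    return routes


def converge(now_ms: int, last_bfd_packet_ms: int) -> Dict[str, Tuple[int, str]]:
    """Routes on SwitchA at now_ms, given that the BFD session to SwitchB (Vlanif30)
    received its last control packet at last_bfd_packet_ms (constructed timeline)."""
    detection = bfd_detection_time_ms(1000, 1000, 3)
    if session_state(last_bfd_packet_ms, now_ms, detection) == "down":
        return spf("SwitchA", frozenset({("SwitchA", "SwitchB")}))
    return spf("SwitchA")


if __name__ == "__main__":
    print("detection time:", bfd_detection_time_ms(1000, 1000, 3), "ms")
    print("t=2000 ms:", converge(2000, 0))  # still via 10.3.3.2, cost 2
    print("t=3000 ms:", converge(3000, 0))  # failed over to 10.1.1.2, cost 3
```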

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 30
#
bfd
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif30
ip address 10.3.3.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 30
#
ospf 1 router-id 10.10.10.1
bfd all-interfaces enable
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.3.3.0 0.0.0.255
#
return

● SwitchB configuration file


#
sysname SwitchB
#
vlan batch 20 30 40
#
bfd
#
interface Vlanif20
ip address 10.2.2.2 255.255.255.0
#
interface Vlanif30
ip address 10.3.3.2 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#

interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 40
#
ospf 1 router-id 10.10.10.2
bfd all-interfaces enable
area 0.0.0.0
network 10.2.2.0 0.0.0.255
network 10.3.3.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
return

● SwitchC configuration file


#
sysname SwitchC
#
vlan batch 10 20
#
bfd
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 10.2.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
ospf 1 router-id 10.10.10.3
bfd all-interfaces enable
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return

3.9.3 Typical PBR Configuration

3.9.3.1 Example for Configuring Traffic Policies to Implement Policy-based
Routing (Redirection to Different Next Hops)

Policy-based Routing Overview


Traditionally, a device searches its routing table for routes based on destination
addresses of received packets and then forwards the packets according to the
routes. Currently, more users require packet routing based on user-defined policies.
Policy-based routing (PBR) is a data forwarding mechanism implemented based
on user-defined policies.

On S series switches, PBR is implemented by redirecting incoming Layer 3 packets
that match traffic classification rules on an interface to a specified next-hop IP
address.
When a specific data flow needs to be transmitted to a specified next hop, PBR
can be configured to meet this requirement. For example, different data flows can
be transmitted on different links to improve link efficiency. Data flows can be
directed to security devices such as firewalls for security filtering. Service data can
be transmitted on a low-cost link to reduce enterprises' data service costs without
compromising service quality.

Configuration Notes
● If a device does not have the ARP entry that matches the specified next-hop
IP address, the device triggers ARP learning. If the device cannot learn the
ARP entry, packets are forwarded along the previous forwarding path without
being redirected.
● If multiple next-hop IP addresses are configured using the redirect ip-
nexthop or redirect ipv6-nexthop command, the device redirects packets in
active/standby link mode. That is, the device determines active and standby
links according to the sequence in which next-hop IP addresses were
configured. The first configured next-hop IP address has the highest priority
and its link functions as the active link, while links of other next-hop IP
addresses function as standby links. When the active link is Down, the
standby link of the second-highest-priority next-hop IP address is selected as
the new active link.
● If multiple next-hop IP addresses are configured using the redirect ip-
multihop or redirect ipv6-multihop command, the device redirects packets
in equal-cost route load balancing mode.
● This example applies to the following products:
– S2752EI: V100R005 and V100R006
– S2720-EI: V200R011C10 and later versions
– S3700-SI, S3700-EI, S3700-HI
– S5700-SI, S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI,
S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI,
S5730S-EI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S,
S5735-L-I, S5735-L1,S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M,
S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-132, an enterprise network is dual-homed to two external
network devices through the Switch. One uplink is a high-speed link with the
gateway at 10.1.20.1/24, and the other is a low-speed link with the gateway at
10.1.30.1/24.
The enterprise intranet has two network segments: 192.168.1.0/24 and
192.168.2.0/24. Network segment 192.168.1.0/24 belongs to the server zone and
requires high link bandwidth. Therefore, traffic of this network segment needs to
be transmitted on the high-speed link. Network segment 192.168.2.0/24 is used
for Internet access and traffic of this network segment is transmitted on the low-
speed link.

Figure 3-132 PBR networking

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, configure interfaces, and configure routes to connect enterprise
users to the external network.
2. Configure ACLs to match data flows of network segments 192.168.1.0 and
192.168.2.0.
3. Create traffic classifiers and reference the ACLs to differentiate packets.
4. Configure traffic behaviors to transmit data traffic matching different ACLs on
different links and allow traffic transmitted between the intranet users to pass
through first.
5. Configure a traffic policy, bind the traffic classifiers and traffic behaviors to it,
and apply it to the inbound direction of GE1/0/3 on the Switch to implement
PBR.

Procedure
Step 1 Create VLANs, configure interfaces, and configure routes for interworking.
# Create VLANs 10 and 20 on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20

# On SwitchA, set the link type of the interfaces connected to the PCs to access and
that of the interface connected to the Switch to trunk, and add the interfaces to VLANs.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 10

[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
[SwitchA-GigabitEthernet1/0/3] quit

# Create VLANs 10, 20, 100, and 200 on the Switch.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 100 200

# On the Switch, set the link type of the interface connected to SwitchA to trunk
and that of the interfaces connected to the external network devices to access, and
add the interfaces to VLANs.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 200
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type trunk
[Switch-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet1/0/3] quit

# On the Switch, configure VLANIF10 and VLANIF20 as user gateways and assign
IP addresses 192.168.1.1/24 and 192.168.2.1/24 to them.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.1 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 24
[Switch-Vlanif20] quit

# On the Switch, configure VLANIF 100 and VLANIF 200 to connect to the external
network devices and assign IP addresses 10.1.20.2/24 and 10.1.30.2/24 to them,
respectively.
[Switch] interface vlanif 100
[Switch-Vlanif100] ip address 10.1.20.2 24
[Switch-Vlanif100] quit
[Switch] interface vlanif 200
[Switch-Vlanif200] ip address 10.1.30.2 24
[Switch-Vlanif200] quit

# On the Switch, configure two default routes and set their next-hop IP addresses
to IP addresses of the two external network devices.
[Switch] ip route-static 0.0.0.0 0 10.1.20.1
[Switch] ip route-static 0.0.0.0 0 10.1.30.1

After the preceding configuration is complete, intranet users can access the
external network. To ensure that data flows of network segments 192.168.1.0/24
and 192.168.2.0/24 are transmitted on the high-speed link and low-speed link
respectively, perform the following configurations.

Step 2 Configure ACLs.

# On the Switch, create advanced ACLs 3000, 3001, and 3002.

[Switch] acl 3000 //This ACL is used to match data traffic between the two network segments of the intranet. This traffic does not need to be redirected. If this ACL is not configured, traffic between the network segments will be redirected. As a result, communication between the network segments will fail.
[Switch-acl-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[Switch-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[Switch-acl-adv-3000] quit
[Switch] acl 3001 //Match data traffic of the intranet network segment 192.168.1.0/24.
[Switch-acl-adv-3001] rule permit ip source 192.168.1.0 0.0.0.255
[Switch-acl-adv-3001] quit
[Switch] acl 3002 //Match data traffic of the intranet network segment 192.168.2.0/24.
[Switch-acl-adv-3002] rule permit ip source 192.168.2.0 0.0.0.255
[Switch-acl-adv-3002] quit

Step 3 Configure traffic classifiers.


# On the Switch, create traffic classifiers c0, c1, and c2, and bind c0 to ACL 3000,
c1 to ACL 3001, and c2 to ACL 3002.
[Switch] traffic classifier c0 operator or
[Switch-classifier-c0] if-match acl 3000
[Switch-classifier-c0] quit
[Switch] traffic classifier c1 operator or
[Switch-classifier-c1] if-match acl 3001
[Switch-classifier-c1] quit
[Switch] traffic classifier c2 operator or
[Switch-classifier-c2] if-match acl 3002
[Switch-classifier-c2] quit

Step 4 Configure traffic behaviors.


# On the Switch, create traffic behaviors b0, b1, and b2, configure the permit
action in b0, and configure actions that redirect packets to IP addresses 10.1.20.1
and 10.1.30.1 in b1 and b2 respectively.
[Switch] traffic behavior b0
[Switch-behavior-b0] permit
[Switch-behavior-b0] quit
[Switch] traffic behavior b1
[Switch-behavior-b1] redirect ip-nexthop 10.1.20.1
[Switch-behavior-b1] quit
[Switch] traffic behavior b2
[Switch-behavior-b2] redirect ip-nexthop 10.1.30.1
[Switch-behavior-b2] quit

Step 5 Configure a traffic policy and apply the traffic policy to an interface.
# On the Switch, create a traffic policy p1 and bind the traffic classifiers and
traffic behaviors to this traffic policy.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c0 behavior b0
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] quit

# Apply the traffic policy p1 to the inbound direction of GE1/0/3 on the Switch.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/3] return

Step 6 Verify the configuration.


# Check the ACL configuration.

<Switch> display acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
<Switch> display acl 3001
Advanced ACL 3001, 1 rule
Acl's step is 5
rule 5 permit ip source 192.168.1.0 0.0.0.255
<Switch> display acl 3002
Advanced ACL 3002, 1 rule
Acl's step is 5
rule 5 permit ip source 192.168.2.0 0.0.0.255

# Check the traffic classifier configuration.
<Switch> display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c2
Precedence: 15
Operator: OR
Rule(s) : if-match acl 3002

Classifier: c0
Precedence: 5
Operator: OR
Rule(s) : if-match acl 3000

Classifier: c1
Precedence: 10
Operator: OR
Rule(s) : if-match acl 3001

Total classifier number is 3

# Check the traffic policy configuration.
<Switch> display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c0
Operator: OR
Behavior: b0
Permit
Classifier: c1
Operator: OR
Behavior: b1
Permit
Redirect: no forced
Redirect ip-nexthop
10.1.20.1
Classifier: c2
Operator: OR
Behavior: b2
Permit
Redirect: no forced
Redirect ip-nexthop
10.1.30.1

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
#
return
● Switch configuration file
#
sysname Switch
#
vlan batch 10 20 100 200
#
acl number 3000
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3001
rule 5 permit ip source 192.168.1.0 0.0.0.255
acl number 3002
rule 5 permit ip source 192.168.2.0 0.0.0.255
#
traffic classifier c0 operator or precedence 5
if-match acl 3000
traffic classifier c1 operator or precedence 10
if-match acl 3001
traffic classifier c2 operator or precedence 15
if-match acl 3002
#
traffic behavior b0
permit
traffic behavior b1
permit
redirect ip-nexthop 10.1.20.1
traffic behavior b2
permit
redirect ip-nexthop 10.1.30.1
#
traffic policy p1 match-order config
classifier c0 behavior b0
classifier c1 behavior b1
classifier c2 behavior b2
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif100
ip address 10.1.20.2 255.255.255.0
#
interface Vlanif200
ip address 10.1.30.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 100
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
#
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1
ip route-static 0.0.0.0 0.0.0.0 10.1.30.1
#
return
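The policy p1 above relies on ordering: with match-order config, the first classifier in configuration order whose ACL matches decides the behavior, so c0 (permit for traffic between 192.168.1.0/24 and 192.168.2.0/24) must be bound before the redirect classifiers c1 and c2, or inter-VLAN traffic would be redirected to the next hops as well. The following Python is an added example, not Huawei code and not part of the original page: it parses a constructed copy of the ACL, classifier, behavior and policy sections of the Switch configuration file shown above and evaluates which action p1 applies to a given source and destination address. Only permit rules with source/destination wildcards are modelled, which is all the example uses; deny rules and port matches are out of scope.

```python
import ipaddress
import re

# Constructed copy of the relevant sections of the Switch configuration file
# above (ACLs, classifiers, behaviors and policy p1; values as on the page).
SWITCH_CONFIG = """\
acl number 3000
 rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
 rule 10 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
acl number 3001
 rule 5 permit ip source 192.168.1.0 0.0.0.255
acl number 3002
 rule 5 permit ip source 192.168.2.0 0.0.0.255
#
traffic classifier c0 operator or precedence 5
 if-match acl 3000
traffic classifier c1 operator or precedence 10
 if-match acl 3001
traffic classifier c2 operator or precedence 15
 if-match acl 3002
#
traffic behavior b0
 permit
traffic behavior b1
 permit
 redirect ip-nexthop 10.1.20.1
traffic behavior b2
 permit
 redirect ip-nexthop 10.1.30.1
#
traffic policy p1 match-order config
 classifier c0 behavior b0
 classifier c1 behavior b1
 classifier c2 behavior b2
#
"""

# Only "rule N permit|deny ip [source A W] [destination A W]" is modelled.
RULE_RE = re.compile(
    r"rule \d+ (permit|deny) ip(?: source (\S+) (\S+))?(?: destination (\S+) (\S+))?$"
)


def wildcard_match(addr, network, wildcard):
    """ACL wildcard semantics: a wildcard bit set to 1 is a don't-care bit."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)


def parse_config(text):
    """Return (acls, classifiers, behaviors, policy) from config-file text.
    Sub-commands are indented by one space, as in the VRP configuration file."""
    acls, classifiers, behaviors, policy, block = {}, {}, {}, [], None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "#":
            continue
        if not raw.startswith(" "):  # a top-level command opens a new block
            if tok[0] == "acl":
                block, acls[tok[2]] = ("acl", tok[2]), []
            elif tok[:2] == ["traffic", "classifier"]:
                block, classifiers[tok[2]] = ("cls", tok[2]), []
            elif tok[:2] == ["traffic", "behavior"]:
                block, behaviors[tok[2]] = ("beh", tok[2]), {"redirect": None}
            elif tok[:2] == ["traffic", "policy"]:
                block = ("pol", tok[2])
            else:
                block = None
            continue
        if block is None:
            continue
        kind, name = block
        m = RULE_RE.match(raw.strip()) if kind == "acl" else None
        if m:
            acls[name].append(m.groups())
        elif kind == "cls" and tok[:2] == ["if-match", "acl"]:
            classifiers[name].append(tok[2])
        elif kind == "beh" and tok[:2] == ["redirect", "ip-nexthop"]:
            behaviors[name]["redirect"] = tok[2]
        elif kind == "pol" and tok[0] == "classifier":
            policy.append((tok[1], tok[3]))  # (classifier, behavior), config order
    return acls, classifiers, behaviors, policy


def acl_permits(rules, src, dst):
    """The first rule whose source and destination both match decides."""
    for action, snet, swild, dnet, dwild in rules:
        if snet and not wildcard_match(src, snet, swild):
            continue
        if dnet and not wildcard_match(dst, dnet, dwild):
            continue
        return action == "permit"
    return False


def policy_action(cfg, src, dst):
    """match-order config: the first classifier in configuration order whose ACL
    matches wins; 'operator or' means any one if-match rule of it suffices."""
    acls, classifiers, behaviors, policy = cfg
    for cls, beh in policy:
        if any(acl_permits(acls[a], src, dst) for a in classifiers[cls]):
            target = behaviors[beh]["redirect"]
            return ("redirect", target) if target else ("permit", None)
    return ("forward", None)  # nothing matched: ordinary routing applies


CFG = parse_config(SWITCH_CONFIG)
```

Evaluating the same packet against the policy with its classifier order reversed shows why the order matters: traffic from 192.168.1.0/24 to 192.168.2.0/24 would then hit c1 first and be redirected to 10.1.20.1 instead of being forwarded between the two VLANs.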

3.10 Typical MPLS and VPN Configurations

3.10.1 Typical BGP/MPLS IP VPN Configurations

3.10.1.1 Example for Configuring BGP/MPLS IP VPN

BGP/MPLS IP VPN Overview


BGP/MPLS IP VPN is an MPLS-based L3VPN that can be flexibly deployed and
easily extended, and is suitable for deployment on a large scale. To add a new site,
the network administrator only needs to modify the configuration of the edge
nodes serving the new site.

BGP/MPLS IP VPN is suitable for communication between the headquarters and branches in different locations. As communication data needs to traverse the backbone network of the carrier, BGP is used to advertise VPN routes over the backbone network and MPLS is used to forward VPN packets on the backbone network. As different departments of an enterprise need to be isolated, BGP/MPLS IP VPN can isolate routes, address space, and access between different VPNs.

Configuration Notes
● This example applies to the following products and versions:
– S5700-HI, S5710-EI: V200R002C00 and later versions
– S5720-EI: V200R009C00 and later versions
– S5720-HI: V200R007C10 and later versions
– S5710-HI, S5730-HI, S5731-H, S5731S-H, S5732-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S5731-S, S5731S-S, S6730-S, S6730S-S: V200R022C00 and later versions
– S6700-EI: V200R005(C00&C01)
– S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712: For
the applicable versions, see Table 3-1 in the section "Applicable Products
and Versions."
● The SA series cards do not support the BGP/MPLS IP VPN function. The X1E
series cards of V200R006C00 and later versions support the BGP/MPLS IP VPN
function.

NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-133:
● CE1 connects to the headquarters R&D area of a company, and CE3 connects
to the branch R&D area. CE1 and CE3 belong to vpna.
● CE2 connects to the headquarters non-R&D area, and CE4 connects to the
branch non-R&D area. CE2 and CE4 belong to vpnb.

BGP/MPLS IP VPN needs to be deployed for the company to ensure secure communication between the headquarters and branch while isolating data between the R&D area and non-R&D area.

Figure 3-133 Networking diagram for configuring BGP/MPLS IP VPN

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure OSPF between the P and PEs to ensure IP connectivity on the backbone network.
2. Configure basic MPLS capabilities and MPLS LDP on the P and PEs to
establish MPLS LSP tunnels for VPN data transmission on the backbone
network.
3. Configure MP-IBGP on PE1 and PE2 to enable them to exchange VPN routing
information.
4. Configure VPN instances vpna and vpnb on PE1 and PE2. Set the VPN target
of vpna to 111:1 and the VPN target of vpnb to 222:2. This configuration
allows users in the same VPN to communicate with each other and isolates
users on different VPNs. Bind the PE interfaces connected to CEs to the
corresponding VPN instances to provide access for VPN users.
5. Configure EBGP on the CEs and PEs to exchange VPN routing information.

Procedure
Step 1 Configure an IGP on the MPLS backbone network so that PEs and P can
communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 10 20 30
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type trunk
[PE1-GigabitEthernet3/0/0] port trunk allow-pass vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 172.1.1.1 24
[PE1-Vlanif30] quit
[PE1] ospf 1 router-id 1.1.1.9
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type trunk
[P-GigabitEthernet1/0/0] port trunk allow-pass vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type trunk
[P-GigabitEthernet2/0/0] port trunk allow-pass vlan 60
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 172.1.1.2 24
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] ip address 172.2.1.1 24
[P-Vlanif60] quit
[P] ospf 1 router-id 2.2.2.9
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 40 50 60
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 40
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 50
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] port link-type trunk
[PE2-GigabitEthernet3/0/0] port trunk allow-pass vlan 60
[PE2-GigabitEthernet3/0/0] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip address 172.2.1.2 24
[PE2-Vlanif60] quit
[PE2] ospf 1 router-id 3.3.3.9
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.2.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration is complete, OSPF neighbor relationships are established between PE1 and P, and between PE2 and P. Run the display ospf peer command. The command output shows that the neighbor status is Full. Run the display ip routing-table command. The command output shows that the PEs have learned the routes to each other's Loopback1.
The information displayed on PE1 is used as an example.
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.9/32 Direct 0 0 D 127.0.0.1 LoopBack1
2.2.2.9/32 OSPF 10 1 D 172.1.1.2 Vlanif30
3.3.3.9/32 OSPF 10 2 D 172.1.1.2 Vlanif30
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.1.1.0/24 Direct 0 0 D 172.1.1.1 Vlanif30
172.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
172.2.1.0/24 OSPF 10 2 D 172.1.1.2 Vlanif30
[PE1] display ospf peer

OSPF Process 1 with Router ID 1.1.1.9
Neighbors

Area 0.0.0.0 interface 172.1.1.1(Vlanif30)'s neighbors
Router ID: 2.2.2.9 Address: 172.1.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: 172.1.1.2 BDR: 172.1.1.1 MTU: 0
Dead timer due in 37 sec
Retrans timer interval: 5
Neighbor is up for 00:16:21
Authentication Sequence: [ 0 ]

Step 2 Configure basic MPLS capabilities and MPLS LDP on the MPLS backbone network
to establish LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit

# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] mpls
[P-Vlanif60] mpls ldp
[P-Vlanif60] quit

# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] mpls
[PE2-Vlanif60] mpls ldp
[PE2-Vlanif60] quit

After the configuration is complete, LDP sessions are established between PE1 and
the P and between the P and PE2. Run the display mpls ldp session command.
The command output shows that the Status field is Operational. Run the display
mpls ldp lsp command. Information about the established LDP LSPs is displayed.
The information displayed on PE1 is used as an example.
[PE1] display mpls ldp session

LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 0000:00:01 6/6
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

[PE1] display mpls ldp lsp

LDP LSP Information
-------------------------------------------------------------------------------
Flag after Out IF: (I) - LSP Is Only Iterated by RLFA
-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0
*1.1.1.9/32 Liberal/1024 DS/2.2.2.9
2.2.2.9/32 NULL/3 - 172.1.1.2 Vlanif30
2.2.2.9/32 1024/3 2.2.2.9 172.1.1.2 Vlanif30
3.3.3.9/32 NULL/1025 - 172.1.1.2 Vlanif30
3.3.3.9/32 1025/1025 2.2.2.9 172.1.1.2 Vlanif30
-------------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is stale
A '*' before a DS means the session is stale
A '*' before a NextHop means the LSP is FRR LSP

Step 3 Configure VPN instances on PEs and bind the interfaces connected to CEs to the
VPN instances.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna
[PE1-Vlanif10] ip address 10.1.1.2 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip binding vpn-instance vpnb
[PE1-Vlanif20] ip address 10.2.1.2 24
[PE1-Vlanif20] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface vlanif 40
[PE2-Vlanif40] ip binding vpn-instance vpna
[PE2-Vlanif40] ip address 10.3.1.2 24
[PE2-Vlanif40] quit
[PE2] interface vlanif 50
[PE2-Vlanif50] ip binding vpn-instance vpnb
[PE2-Vlanif50] ip address 10.4.1.2 24
[PE2-Vlanif50] quit

# Assign IP addresses to the interfaces on CE1 connecting to the headquarters R&D area according to Figure 3-133. The configurations on CE2, CE3, and CE4 are similar to the configuration on CE1 and are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit

After the configuration is complete, run the display ip vpn-instance verbose command on the PEs to check the configuration of the VPN instances. Each PE can ping its connected CE.

NOTE

If a PE has multiple interfaces bound to the same VPN instance, specify a source IP address by setting -a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-address command to ping a remote CE. If the source IP address is not specified, the ping fails.

PE1 is used as an example.
[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
Total IPv4 VPN-Instances configured : 2
Total IPv6 VPN-Instances configured : 0

VPN-Instance Name and ID : vpna, 1
Interfaces : Vlanif10
Address family ipv4
Create date : 2014-11-03 02:39:34+00:00
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label Policy : label per instance
Per-Instance Label : 4098
Log Interval : 5

VPN-Instance Name and ID : vpnb, 2
Interfaces : Vlanif20
Address family ipv4
Create date : 2014-11-03 02:39:34+00:00
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 100:2
Export VPN Targets : 222:2
Import VPN Targets : 222:2
Label Policy : label per instance
Per-Instance Label : 4098
Log Interval : 5

[PE1] ping -vpn-instance vpna 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=255 time=5 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=255 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=255 time=16 ms

--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/6/16 ms

Step 4 Establish EBGP peer relationships between PEs and CEs and import VPN routes
into BGP.
# Configure CE1 connecting to the headquarters R&D area. The configurations on
CE2, CE3, and CE4 are similar to the configuration on CE1 and are not mentioned
here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE1. The configuration on PE2 is similar to the configuration on PE1 and is not mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit

After the configuration is complete, run the display bgp vpnv4 vpn-instance peer
command on the PEs. The command output shows that BGP peer relationships
have been established between the PEs and CEs.
The peer relationship between PE1 and CE1 is used as an example.
[PE1] display bgp vpnv4 vpn-instance vpna peer

BGP local router ID : 1.1.1.9
Local AS number : 100
VPN-Instance vpna, Router ID 1.1.1.9:
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

10.1.1.1 4 65410 11 9 0 00:07:25 Established 1

Step 5 Establish MP-IBGP peer relationships between PEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

After the configuration is complete, run the display bgp peer or display bgp
vpnv4 all peer command on the PEs. The command output shows that BGP peer
relationships have been established between the PEs.
[PE1] display bgp peer

BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

3.3.3.9 4 100 12 6 0 00:02:21 Established 0

[PE1] display bgp vpnv4 all peer

BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3 Peers in established state : 3

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

3.3.3.9 4 100 12 18 0 00:09:38 Established 0

Peer of IPv4-family for vpn instance :

VPN-Instance vpna, Router ID 1.1.1.9:
10.1.1.1 4 65410 25 25 0 00:17:57 Established 1
VPN-Instance vpnb, Router ID 1.1.1.9:
10.2.1.1 4 65420 21 22 0 00:17:10 Established 1
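Checking this output by eye works for three peers; on a PE carrying many VPN instances it is worth comparing the peer table against the set of peers that were actually planned, so that a session that never came up, a CE speaking from an unexpected AS, or a peer nobody configured on purpose is noticed. The following Python is an added example, not Huawei code and not part of the original page: it parses a constructed sample that reproduces the display bgp vpnv4 all peer output above and compares it with an expected peer list taken from the PE1 configuration in this example (the EXPECTED_PE1 dictionary and the column regex are this example's own assumptions about the output layout).

```python
import re

# Constructed sample reproducing the "display bgp vpnv4 all peer" output above.
SAMPLE_OUTPUT = """\
BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3 Peers in established state : 3

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv

3.3.3.9 4 100 12 18 0 00:09:38 Established 0

Peer of IPv4-family for vpn instance :

VPN-Instance vpna, Router ID 1.1.1.9:
10.1.1.1 4 65410 25 25 0 00:17:57 Established 1
VPN-Instance vpnb, Router ID 1.1.1.9:
10.2.1.1 4 65420 21 22 0 00:17:10 Established 1
"""

# Peers PE1 is expected to have in this example: (scope, address) -> remote AS.
# "public" is the VPNv4 session table; other scopes are VPN-instance names.
EXPECTED_PE1 = {
    ("public", "3.3.3.9"): 100,   # MP-IBGP peer PE2
    ("vpna", "10.1.1.1"): 65410,  # CE1 in vpna
    ("vpnb", "10.2.1.1"): 65420,  # CE2 in vpnb
}

# Columns: Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
PEER_RE = re.compile(
    r"^(\d+(?:\.\d+){3})\s+\d+\s+(\d+)\s+\d+\s+\d+\s+\d+\s+(\S+)\s+(\S+)\s+(\d+)$"
)
VPN_RE = re.compile(r"^VPN-Instance (\S+), Router ID")


def parse_bgp_peers(text):
    """Return one dict per peer row; rows before the first VPN-Instance header
    belong to the public (VPNv4) session table."""
    scope, peers = "public", []
    for line in text.splitlines():
        line = line.strip()
        m = VPN_RE.match(line)
        if m:
            scope = m.group(1)
            continue
        m = PEER_RE.match(line)
        if m:
            peers.append({"scope": scope, "peer": m.group(1), "as": int(m.group(2)),
                          "updown": m.group(3), "state": m.group(4),
                          "prefrcv": int(m.group(5))})
    return peers


def find_problems(text, expected):
    """Report expected peers that are missing or not Established, peers whose AS
    differs from the planned one, and sessions to peers that were never planned."""
    seen = {(p["scope"], p["peer"]): p for p in parse_bgp_peers(text)}
    problems = []
    for (scope, ip), asn in sorted(expected.items()):
        p = seen.get((scope, ip))
        if p is None:
            problems.append(f"{scope}/{ip}: missing")
        elif p["state"] != "Established":
            problems.append(f"{scope}/{ip}: state {p['state']}")
        elif p["as"] != asn:
            problems.append(f"{scope}/{ip}: AS {p['as']}, expected {asn}")
    for scope, ip in sorted(set(seen) - set(expected)):
        problems.append(f"{scope}/{ip}: unexpected peer")
    return problems
```

On the sample output find_problems returns an empty list; a peer that has fallen back to Active or an extra session in a VPN instance produces one line each, which is what a periodic check would alert on.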

Step 6 Verify the configuration.

Run the display ip routing-table vpn-instance command on the PEs to view the
routes to the remote CEs.

The information displayed on PE1 is used as an example.
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 3 Routes : 3

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif10
10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.3.1.0/24 IBGP 255 0 RD 3.3.3.9 Vlanif30
[PE1] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpnb
Destinations : 3 Routes : 3

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.2.1.0/24 Direct 0 0 D 10.2.1.2 Vlanif20
10.2.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif20
10.4.1.0/24 IBGP 255 0 RD 3.3.3.9 Vlanif30

CEs in the same VPN can ping each other, whereas CEs in different VPNs cannot.

For example, CE1 connecting to the headquarters R&D area can ping CE3
connecting to the branch R&D area at 10.3.1.1 but cannot ping CE4 connecting to
the branch non-R&D area at 10.4.1.1.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms

----End

Configuration Files
● Configuration file of PE1
#
sysname PE1
#
vlan batch 10 20 30
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.2.1.1 as-number 65420
#
ospf 1 router-id 1.1.1.9
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
● Configuration file of P
#
sysname P
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 60
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1 router-id 2.2.2.9
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
#
return
● Configuration file of PE2
#
sysname PE2
#
vlan batch 40 50 60
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif40
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Vlanif50
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface Vlanif60
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 50
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 60
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.3.1.1 as-number 65430
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.4.1.1 as-number 65440
#
ospf 1 router-id 3.3.3.9
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 172.2.1.0 0.0.0.255
#
return
● Configuration file of CE1 connecting to the headquarters R&D area
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
● Configuration file of CE2 connecting to the headquarters non-R&D area
#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
● Configuration file of CE3 connecting to the branch R&D area
#
sysname CE3
#
vlan batch 40
#
interface Vlanif40
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 40
#
bgp 65430
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.2 enable
#
return
● Configuration file of CE4 connecting to the branch non-R&D area
#
sysname CE4
#
vlan batch 50
#
interface Vlanif50
ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 50
#
bgp 65440
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.2 enable
#
return
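The isolation this example depends on (roadmap step 4, verified in Step 6) is carried entirely by the VPN targets: vpna and vpnb stay separate only because neither instance imports a target the other exports, and the two sites of each VPN reach each other only because the instances of the same name on PE1 and PE2 import what the other exports. A typo in a vpn-target line silently breaks either property. The following Python is an added example, not Huawei code and not part of the original page: it parses constructed copies of the ip vpn-instance blocks from the PE1 and PE2 configuration files above and checks both properties, plus RD uniqueness per PE. It also accepts the CLI form vpn-target X both used in Step 3.

```python
from collections import defaultdict

# Constructed copies of the ip vpn-instance blocks from the PE1 and PE2
# configuration files above (RDs and VPN targets as on the page).
PE1_VPN_CONFIG = """\
ip vpn-instance vpna
 ipv4-family
  route-distinguisher 100:1
  vpn-target 111:1 export-extcommunity
  vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher 100:2
  vpn-target 222:2 export-extcommunity
  vpn-target 222:2 import-extcommunity
#
"""
# PE2 uses the same targets with RDs 200:1 and 200:2, as in its file above.
PE2_VPN_CONFIG = PE1_VPN_CONFIG.replace("100:1", "200:1").replace("100:2", "200:2")

KINDS = {"export-extcommunity", "import-extcommunity", "both"}


def parse_vpn_instances(text):
    """Return {name: {"rd": str|None, "export": set, "import": set}} from the
    ip vpn-instance blocks; a '#' line closes the current block."""
    instances, cur = {}, None
    for raw in text.splitlines():
        tok = raw.split()
        if not tok:
            continue
        if tok[0] == "#":
            cur = None
        elif tok[:2] == ["ip", "vpn-instance"]:
            cur = instances.setdefault(tok[2], {"rd": None, "export": set(), "import": set()})
        elif cur is not None and tok[0] == "route-distinguisher":
            cur["rd"] = tok[1]
        elif cur is not None and tok[0] == "vpn-target":
            kind = tok[-1] if tok[-1] in KINDS else "both"  # CLI default is both
            for target in tok[1:]:
                if target in KINDS:
                    continue
                if kind in ("export-extcommunity", "both"):
                    cur["export"].add(target)
                if kind in ("import-extcommunity", "both"):
                    cur["import"].add(target)
    return instances


def check_pe_isolation(instances):
    """On one PE, an instance that imports a target another instance exports
    receives that instance's routes, so the two VPNs are no longer isolated.
    A duplicated RD is flagged too: the RD keeps overlapping customer prefixes
    distinct in VPNv4."""
    findings = []
    for a in sorted(instances):
        for b in sorted(instances):
            leaked = instances[a]["import"] & instances[b]["export"]
            if a != b and leaked:
                findings.append(f"{a} imports {sorted(leaked)} exported by {b}")
    owners = defaultdict(list)
    for name, inst in instances.items():
        owners[inst["rd"]].append(name)
    for rd, names in owners.items():
        if len(names) > 1:
            findings.append(f"RD {rd} shared by {sorted(names)}")
    return findings


def check_vpn_connectivity(pe_a, pe_b):
    """Across two PEs, each same-named instance must import something the other
    side exports, in both directions, or the sites of that VPN cannot reach
    each other."""
    findings = []
    for name in sorted(set(pe_a) & set(pe_b)):
        if not (pe_a[name]["import"] & pe_b[name]["export"]):
            findings.append(f"{name}: first PE imports nothing the second PE exports")
        if not (pe_b[name]["import"] & pe_a[name]["export"]):
            findings.append(f"{name}: second PE imports nothing the first PE exports")
    return findings


def audit(pe1_text, pe2_text):
    """Run all checks for a PE pair; an empty list everywhere means the targets
    isolate the VPNs and still connect each VPN's two sites."""
    pe1, pe2 = parse_vpn_instances(pe1_text), parse_vpn_instances(pe2_text)
    return {"PE1": check_pe_isolation(pe1), "PE2": check_pe_isolation(pe2),
            "cross": check_vpn_connectivity(pe1, pe2)}
```

The page's configuration passes cleanly. Adding vpn-target 111:1 import-extcommunity to vpnb on PE1 is reported as a leak of vpna's routes into vpnb, and mistyping vpna's import target on PE2 is reported as the branch R&D site no longer importing the headquarters routes, which is the failure Step 6's ping test would otherwise be the first to reveal.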

3.10.1.2 Example for Configuring an MCE

MCE Overview
A multi-VPN-instance customer edge (MCE) device can function as a CE device for
multiple VPN instances in BGP/MPLS IP VPN networking. This differs from the
traditional BGP/MPLS IP VPN architecture, which requires each VPN instance to
use a CE device to connect to a PE device.

MCE is suitable when users on a private network need to be divided into multiple
VPNs or when services of users in different VPNs must be completely isolated.
Deploying a CE device for each VPN increases the cost of device procurement and
maintenance. On the other hand, if multiple VPNs share one CE device, data
security cannot be ensured because all the VPNs use the same routing table.

An MCE device creates and maintains an independent VRF for each VPN to ensure data security between different VPNs while reducing network construction and maintenance costs. The Multi-VRF application isolates the forwarding paths of different VPNs on a private network and advertises the routes of each VPN to the peer PE device, ensuring that VPN packets are correctly transmitted on the public network.

Configuration Notes
● In V100R006C05, only the S3700-EI supports the MCE function.
In other versions, all the switch models except the S5700-SI, S5710-C-LI,
S5710-X-LI, S5700S-LI, S5700-LI, and S2750-EI support the MCE function.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
The headquarters and branches of a company need to communicate through
MPLS VPN, and two services of the company must be isolated. To reduce
hardware costs, the company wants the branch to connect to the PE through just
one CE.
As shown in Figure 3-134, the networking requirements are as follows:
● CE1 and CE2 connect to the headquarters. CE1 belongs to vpna, and CE2
belongs to vpnb.
● The MCE connects to vpna and vpnb of the branch through SwitchA and
SwitchB.
Users in the same VPN need to communicate with each other, whereas users in
different VPNs must be isolated.

Figure 3-134 Networking diagram for configuring an MCE

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between PEs so that they can communicate and configure
MP-IBGP to exchange VPN routing information.
2. Configure basic MPLS capabilities and MPLS LDP on the PEs to establish LDP
LSPs.


3. Create VPN instances vpna and vpnb on the MCE and PEs to isolate services.
4. Establish EBGP peer relationships between PE1 and its connected CEs, and
import BGP routes to the VPN routing table of PE1.
5. Configure routing between the MCE and VPN sites and between the MCE and
PE2.

Procedure
Step 1 Configure VLANs on interfaces and assign IP addresses to the VLANIF interfaces
and loopback interfaces according to Figure 3-134.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 30
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type trunk
[PE1-GigabitEthernet3/0/0] port trunk allow-pass vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 172.1.1.1 24
[PE1-Vlanif30] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 30
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 172.1.1.2 24
[PE2-Vlanif30] quit

# Configure CE1. The configuration on CE2, SwitchA and SwitchB is similar to the
configuration on PE1 and is not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit

Step 2 Configure OSPF on PEs of the backbone network.
# Configure PE1.
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255


[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure PE2.
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration is complete, the PEs can learn each other's Loopback1
address.
The information displayed on PE2 is used as an example.
[PE2] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 6 Routes : 6

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.9/32 OSPF 10 1 D 172.1.1.1 Vlanif30
2.2.2.9/32 Direct 0 0 D 127.0.0.1 LoopBack1
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.1.1.0/24 Direct 0 0 D 172.1.1.2 Vlanif30
172.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif30

Step 3 Configure basic MPLS capabilities and MPLS LDP on the PEs to establish LDP LSPs.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit

# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit

After the configuration is complete, run the display mpls ldp session command
on the PEs. The command output shows that the MPLS LDP session between the
PEs is in Operational state.
The information displayed on PE2 is used as an example.
[PE2] display mpls ldp session

LDP Session(s) in Public Network
Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.


------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
1.1.1.9:0 Operational DU Active 0000:00:04 17/17
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.

Step 4 Configure VPN instances on the PEs. On PE1, bind the interfaces connected to CE1
and CE2 to the VPN instances respectively. On PE2, bind the interface connected to
the MCE to the VPN instances.

# Configure PE1.
[PE1] vlan batch 10 20
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1 //Set the RD to 100:1.
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both //Add the RT value 111:1 to routes exported
from the VPN instance vpna to MP-BGP. Only the routes with the RT value 111:1 can be imported to vpna.
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna //Bind the interface to vpna.
[PE1-Vlanif10] ip address 10.1.1.2 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip binding vpn-instance vpnb
[PE1-Vlanif20] ip address 10.2.1.2 24
[PE1-Vlanif20] quit

# Configure PE2.
[PE2] vlan batch 100 200
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 100 200
[PE2-GigabitEthernet2/0/0] quit
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] ip binding vpn-instance vpna
[PE2-Vlanif100] ip address 10.5.1.1 24
[PE2-Vlanif100] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] ip binding vpn-instance vpnb


[PE2-Vlanif200] ip address 10.6.1.1 24
[PE2-Vlanif200] quit

Step 5 Configure VPN instances on the MCE and bind the interfaces connected to
SwitchA and SwitchB to the VPN instances respectively.
# Configure MCE.
<HUAWEI> system-view
[HUAWEI] sysname MCE
[MCE] vlan batch 60 70 100 200
[MCE] interface gigabitethernet 1/0/0
[MCE-GigabitEthernet1/0/0] port link-type trunk
[MCE-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 200
[MCE-GigabitEthernet1/0/0] quit
[MCE] interface gigabitethernet 3/0/0
[MCE-GigabitEthernet3/0/0] port link-type trunk
[MCE-GigabitEthernet3/0/0] port trunk allow-pass vlan 60
[MCE-GigabitEthernet3/0/0] quit
[MCE] interface gigabitethernet 4/0/0
[MCE-GigabitEthernet4/0/0] port link-type trunk
[MCE-GigabitEthernet4/0/0] port trunk allow-pass vlan 70
[MCE-GigabitEthernet4/0/0] quit
[MCE] ip vpn-instance vpna
[MCE-vpn-instance-vpna] ipv4-family
[MCE-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[MCE-vpn-instance-vpna-af-ipv4] quit
[MCE-vpn-instance-vpna] quit
[MCE] ip vpn-instance vpnb
[MCE-vpn-instance-vpnb] ipv4-family
[MCE-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[MCE-vpn-instance-vpnb-af-ipv4] quit
[MCE-vpn-instance-vpnb] quit
[MCE] interface vlanif 60
[MCE-Vlanif60] ip binding vpn-instance vpna
[MCE-Vlanif60] ip address 10.3.1.2 24
[MCE-Vlanif60] quit
[MCE] interface vlanif 70
[MCE-Vlanif70] ip binding vpn-instance vpnb
[MCE-Vlanif70] ip address 10.4.1.2 24
[MCE-Vlanif70] quit
[MCE] interface vlanif 100
[MCE-Vlanif100] ip binding vpn-instance vpna
[MCE-Vlanif100] ip address 10.5.1.2 24
[MCE-Vlanif100] quit
[MCE] interface vlanif 200
[MCE-Vlanif200] ip binding vpn-instance vpnb
[MCE-Vlanif200] ip address 10.6.1.2 24
[MCE-Vlanif200] quit

Step 6 Establish an MP-IBGP peer relationship between PEs. Establish an EBGP peer
relationship between PE1 and CE1, and between PE1 and CE2.
# Configure PE1. The configuration on PE2 is similar to the configuration on PE1
and is not mentioned here.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct


[PE1-bgp-vpnb] quit
[PE1-bgp] quit

# Configure CE1. The configuration on CE2 is similar to the configuration on CE1
and is not mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100 //Establish an EBGP peer relationship between PE1 and CE1 and
import VPN routes.
[CE1-bgp] import-route direct
[CE1-bgp] quit

After the configuration is complete, run the display bgp vpnv4 all peer command
on PE1. The command output shows that PE1 has established an IBGP peer
relationship with PE2 and EBGP peer relationships with CE1 and CE2. The peer
relationships are in Established state.
[PE1] display bgp vpnv4 all peer

BGP local router ID : 1.1.1.9
Local AS number : 100
Total number of peers : 3 Peers in established state : 3

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
2.2.2.9 4 100 2 8 0 00:00:29 Established 0

Peer of IPv4-family for vpn instance :

VPN-Instance vpna, Router ID 1.1.1.9:
10.1.1.1 4 65410 4 5 0 00:00:28 Established 2

VPN-Instance vpnb, Router ID 1.1.1.9:
10.2.1.1 4 65420 4 5 0 00:00:28 Established 2
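With the VPNv4 session between the PEs established, it is the vpn-target (RT) values from Step 4, not the session itself, that decide which VRF on the remote PE accepts which route. The following Python model is an added example, not Huawei's implementation: it reuses the RD and RT values of PE1 and PE2 from this example (111:1 for vpna, 222:2 for vpnb) and the prefixes each PE redistributes, and shows that vpna and vpnb stay isolated on both PEs, and what leaks if an RT is mistakenly added to the wrong instance.

```python
"""Model of route-target (RT) based VPNv4 route import between two PEs.

Added example, not Huawei's implementation. RD/RT values and prefixes are
those of PE1 and PE2 in this configuration example.
"""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class VpnInstance:
    name: str
    rd: str                      # route-distinguisher, e.g. "100:1"
    export_rt: set[str]          # vpn-target ... export-extcommunity
    import_rt: set[str]          # vpn-target ... import-extcommunity
    local_routes: set[str]       # prefixes in this VRF before the exchange
    learned: dict[str, str] = field(default_factory=dict)  # prefix -> RD of the advertising VRF


@dataclass(frozen=True)
class Vpnv4Route:
    rd: str
    prefix: str
    rts: frozenset[str]


def export_vpnv4(pe: dict[str, VpnInstance]) -> list[Vpnv4Route]:
    """Prefix every VRF route with the VRF's RD and attach its export RTs."""
    routes = []
    for inst in pe.values():
        for prefix in sorted(inst.local_routes):
            routes.append(Vpnv4Route(inst.rd, prefix, frozenset(inst.export_rt)))
    return routes


def import_vpnv4(pe: dict[str, VpnInstance], advertised: list[Vpnv4Route]) -> None:
    """A VRF accepts a VPNv4 route only if it shares at least one RT with it.
    The RD keeps overlapping prefixes distinct; it plays no part in the import decision."""
    for inst in pe.values():
        for route in advertised:
            if inst.import_rt & route.rts:
                inst.learned[route.prefix] = route.rd


def leaked_prefixes(pe: dict[str, VpnInstance]) -> set[str]:
    """Prefixes present in more than one VRF of the same PE; empty when isolation holds."""
    owners: dict[str, set[str]] = {}
    for inst in pe.values():
        for prefix in inst.local_routes | set(inst.learned):
            owners.setdefault(prefix, set()).add(inst.name)
    return {p for p, names in owners.items() if len(names) > 1}


def build_pe1() -> dict[str, VpnInstance]:
    # PE1: RD 100:1 / 100:2, vpn-target 111:1 / 222:2 both; CE1 and CE2 subnets are local
    return {
        "vpna": VpnInstance("vpna", "100:1", {"111:1"}, {"111:1"}, {"10.1.1.0/24"}),
        "vpnb": VpnInstance("vpnb", "100:2", {"222:2"}, {"222:2"}, {"10.2.1.0/24"}),
    }


def build_pe2() -> dict[str, VpnInstance]:
    # PE2: RD 200:1 / 200:2; routes redistributed from OSPF 100 / 200 (MCE side) are local
    return {
        "vpna": VpnInstance("vpna", "200:1", {"111:1"}, {"111:1"},
                            {"10.5.1.0/24", "10.3.1.0/24", "192.168.1.0/24"}),
        "vpnb": VpnInstance("vpnb", "200:2", {"222:2"}, {"222:2"},
                            {"10.6.1.0/24", "10.4.1.0/24", "192.168.2.0/24"}),
    }


def exchange(pe1: dict[str, VpnInstance], pe2: dict[str, VpnInstance]) -> None:
    """Both directions of the MP-IBGP VPNv4 exchange between the PEs."""
    import_vpnv4(pe1, export_vpnv4(pe2))
    import_vpnv4(pe2, export_vpnv4(pe1))


if __name__ == "__main__":
    pe1, pe2 = build_pe1(), build_pe2()
    exchange(pe1, pe2)
    for name, inst in pe1.items():
        print(f"PE1 {name} learned: {sorted(inst.learned)}")
    print("leaked prefixes on PE1:", leaked_prefixes(pe1))
```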

Step 7 Configure routing between the MCE and VPN sites.
The MCE directly connects to vpna, and no routing protocol is used in vpna.
Configure static routes to implement communication between the MCE and vpna.
● Configure SwitchA.
Assign IP address 192.168.1.1/24 to the interface connected to vpna. The
configuration details are not mentioned here.
[SwitchA] vlan batch 60
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] port link-type trunk
[SwitchA-GigabitEthernet1/0/0] port trunk allow-pass vlan 60
[SwitchA-GigabitEthernet1/0/0] quit
[SwitchA] interface vlanif 60
[SwitchA-Vlanif60] ip address 10.3.1.1 24
[SwitchA-Vlanif60] quit
[SwitchA] ip route-static 0.0.0.0 0.0.0.0 10.3.1.2 //Create a default route destined to the MCE for
SwitchA.

● Configure the MCE.
[MCE] ip route-static vpn-instance vpna 192.168.1.0 24 10.3.1.1 //Create a VPN route destined to
SwitchA for the VPN instance vpna.

● Check the routes of vpna on the MCE.
[MCE] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 5 Routes : 5

Destination/Mask Proto Pre Cost Flags NextHop Interface


10.3.1.0/24 Direct 0 0 D 10.3.1.2 Vlanif60
10.3.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif60
10.5.1.0/24 Direct 0 0 D 10.5.1.2 Vlanif100
10.5.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif100
192.168.1.0/24 Static 60 0 RD 10.3.1.1 Vlanif60
The preceding information shows that the MCE has a static route to vpna.
The RIP protocol runs in vpnb. Configure RIP process 200 on the MCE and bind it
to vpnb so that routes learned by RIP are added to the routing table of vpnb.
● Configure the MCE.
[MCE] rip 200 vpn-instance vpnb
[MCE-rip-200] version 2
[MCE-rip-200] network 10.0.0.0
[MCE-rip-200] import-route ospf 200 //Import OSPF routes so that SwitchB can learn routes to the
MCE.
[MCE-rip-200] quit

● Configure SwitchB.
Assign IP address 192.168.2.1/24 to the interface connected to vpnb. The
configuration is not provided here.
[SwitchB] vlan batch 70
[SwitchB] interface gigabitethernet 1/0/0
[SwitchB-GigabitEthernet1/0/0] port link-type trunk
[SwitchB-GigabitEthernet1/0/0] port trunk allow-pass vlan 70
[SwitchB-GigabitEthernet1/0/0] quit
[SwitchB] interface vlanif 70
[SwitchB-Vlanif70] ip address 10.4.1.1 24
[SwitchB-Vlanif70] quit
[SwitchB] rip 200
[SwitchB-rip-200] version 2
[SwitchB-rip-200] network 10.0.0.0
[SwitchB-rip-200] network 192.168.2.0
[SwitchB-rip-200] quit

● Check the routes of vpnb on the MCE.
[MCE] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpnb
Destinations : 5 Routes : 5

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.4.1.0/24 Direct 0 0 D 10.4.1.2 Vlanif70
10.4.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif70
10.6.1.0/24 Direct 0 0 D 10.6.1.2 Vlanif200
10.6.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif200
192.168.2.0/24 RIP 100 1 D 10.4.1.1 Vlanif70

The preceding information shows that the MCE has learned the route to vpnb
using RIP. The route to vpnb and the route to vpna (192.168.1.0) are
maintained in different VPN routing tables so that users in the two VPNs are
isolated from each other.
Step 8 Configure OSPF multi-instance between the MCE and PE2.
# Configure PE2.


NOTE

To configure OSPF multi-instance between the MCE and PE2, complete the following tasks
on PE2:
● In the OSPF view, import BGP routes and advertise VPN routes of PE1 to the MCE.
● In the BGP view, import routes of the OSPF processes and advertise the VPN routes of
the MCE to PE1.
[PE2] ospf 100 vpn-instance vpna
[PE2-ospf-100] import-route bgp //Import BGP routes to OSPF 100 in vpna between the PE and MCE, so
that the MCE learns routes to CE1.
[PE2-ospf-100] area 0
[PE2-ospf-100-area-0.0.0.0] network 10.5.1.0 0.0.0.255
[PE2-ospf-100-area-0.0.0.0] quit
[PE2-ospf-100] quit
[PE2] ospf 200 vpn-instance vpnb
[PE2-ospf-200] import-route bgp //Import BGP routes to OSPF 200 in vpnb between the PE and MCE, so
that the MCE learns routes to CE2.
[PE2-ospf-200] area 0
[PE2-ospf-200-area-0.0.0.0] network 10.6.1.0 0.0.0.255
[PE2-ospf-200-area-0.0.0.0] quit
[PE2-ospf-200] quit
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] import-route ospf 100 //Import OSPF 100 to BGP so that PE2 adds the VPNv4 prefix to
routes and uses MP-IBGP to advertise routes to PE1.
[PE2-bgp-vpna] quit
[PE2-bgp] ipv4-family vpn-instance vpnb
[PE2-bgp-vpnb] import-route ospf 200 //Import OSPF 200 to BGP so that PE2 adds the VPNv4 prefix to
routes and uses MP-IBGP to advertise routes to PE1.
[PE2-bgp-vpnb] quit

# Configure the MCE.
NOTE

Import VPN routes to the OSPF processes.
[MCE] ospf 100 vpn-instance vpna //Configure dynamic OSPF routes for the VPN instance vpna.
[MCE-ospf-100] import-route static //Import static private routes of SwitchA to the MCE.
[MCE-ospf-100] vpn-instance-capability simple //Disable loop detection for OSPF VPN, so that the MCE
can learn routes re-advertised from PE2.
[MCE-ospf-100] area 0
[MCE-ospf-100-area-0.0.0.0] network 10.3.1.0 0.0.0.255
[MCE-ospf-100-area-0.0.0.0] network 10.5.1.0 0.0.0.255
[MCE-ospf-100-area-0.0.0.0] quit
[MCE-ospf-100] quit
[MCE] ospf 200 vpn-instance vpnb
[MCE-ospf-200] import-route rip 200
[MCE-ospf-200] vpn-instance-capability simple
[MCE-ospf-200] area 0
[MCE-ospf-200-area-0.0.0.0] network 10.4.1.0 0.0.0.255
[MCE-ospf-200-area-0.0.0.0] network 10.6.1.0 0.0.0.255
[MCE-ospf-200-area-0.0.0.0] quit
[MCE-ospf-200] quit

Step 9 Verify the configurations.
After the configuration is complete, run the display ip routing-table vpn-instance
command on the MCE to view the routes to the remote CEs. The VPN
instance vpna is used as an example.
[MCE] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 6 Routes : 6


Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 O_ASE 150 1 D 10.5.1.1 Vlanif100
10.3.1.0/24 Direct 0 0 D 10.3.1.2 Vlanif60
10.3.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif60
10.5.1.0/24 Direct 0 0 D 10.5.1.2 Vlanif100
10.5.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif100
192.168.1.0/24 Static 60 0 RD 10.3.1.1 Vlanif60

Run the display ip routing-table vpn-instance command on the PEs to view the
routes to the remote CEs. The VPN instance vpna on PE1 is used as an example.
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 5 Routes : 5

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif10
10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.3.1.0/24 IBGP 255 3 RD 2.2.2.9 Vlanif30
10.5.1.0/24 IBGP 255 0 RD 2.2.2.9 Vlanif30
192.168.1.0/24 IBGP 255 2 RD 2.2.2.9 Vlanif30

CE1 and SwitchA can communicate with each other. CE2 and SwitchB can
communicate with each other. The information displayed on CE1 is used as an
example.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=252 time=3 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=252 time=3 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=252 time=3 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=252 time=3 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=252 time=11 ms

--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/4/11 ms

CE1 cannot ping CE2 or SwitchB. SwitchA cannot ping CE2 or SwitchB. The ping
from CE1 to SwitchB is used as an example.
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out

--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

----End
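The ping tests above prove isolation for one pair of hosts at a time; a routing-table audit catches a leaked prefix before anyone has to ping it. The following Python script is an added example, not part of the original document: it parses the display ip routing-table vpn-instance layout shown in Step 9 and reports any prefix that does not belong to the VPN's addressing plan. The per-VPN prefix sets are an assumption taken from Figure 3-134, and the sample output is constructed to match the vpna table on the MCE.

```python
"""Audit a VRF routing table printed by 'display ip routing-table vpn-instance'.

Added example, not part of the original document. The EXPECTED plan is an
assumption derived from the addressing used in this configuration example.
"""
from __future__ import annotations
import re
from ipaddress import IPv4Network

# Assumed addressing plan per VPN (constructed from Figure 3-134, not read from a switch)
EXPECTED: dict[str, set[IPv4Network]] = {
    "vpna": {IPv4Network(p) for p in ("10.1.1.0/24", "10.3.1.0/24", "10.5.1.0/24", "192.168.1.0/24")},
    "vpnb": {IPv4Network(p) for p in ("10.2.1.0/24", "10.4.1.0/24", "10.6.1.0/24", "192.168.2.0/24")},
}

# One route line: Destination/Mask Proto Pre Cost [Flags] NextHop Interface
ROUTE_RE = re.compile(
    r"^(?P<dest>\d+\.\d+\.\d+\.\d+/\d+)\s+(?P<proto>\S+)\s+(?P<pre>\d+)\s+(?P<cost>\d+)\s+"
    r"(?:(?P<flags>[RDT]+)\s+)?(?P<nexthop>\d+\.\d+\.\d+\.\d+)\s+(?P<iface>\S+)$"
)

# Constructed sample, mirroring the vpna table shown on the MCE in Step 9
SAMPLE_VPNA = """\
[MCE] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpna
         Destinations : 6        Routes : 6

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

       10.1.1.0/24  O_ASE   150  1           D   10.5.1.1        Vlanif100
       10.3.1.0/24  Direct  0    0           D   10.3.1.2        Vlanif60
       10.3.1.2/32  Direct  0    0           D   127.0.0.1       Vlanif60
       10.5.1.0/24  Direct  0    0           D   10.5.1.2        Vlanif100
       10.5.1.2/32  Direct  0    0           D   127.0.0.1       Vlanif100
    192.168.1.0/24  Static  60   0          RD   10.3.1.1        Vlanif60
"""


def parse_routing_table(text: str) -> tuple[str | None, list[dict]]:
    """Return the VRF name from the 'Routing Tables:' line and one dict per route line."""
    vrf = None
    routes: list[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Routing Tables:\s*(\S+)", line)
        if m:
            vrf = m.group(1)
            continue
        m = ROUTE_RE.match(line)
        if m:
            route = m.groupdict()
            route["dest"] = IPv4Network(route["dest"])
            routes.append(route)
    return vrf, routes


def foreign_prefixes(vrf: str, routes: list[dict],
                     expected: dict[str, set[IPv4Network]] = EXPECTED) -> set[IPv4Network]:
    """Prefixes in this VRF's table that are outside the VPN's plan.
    Host routes (/32) for the VRF's own interface addresses are ignored."""
    if vrf not in expected:
        raise ValueError(f"no addressing plan for VPN instance {vrf!r}")
    allowed = expected[vrf]
    foreign = set()
    for route in routes:
        dest = route["dest"]
        if dest.prefixlen == 32 and any(dest.subnet_of(a) for a in allowed):
            continue  # e.g. 10.3.1.2/32 on Vlanif60
        if dest not in allowed:
            foreign.add(dest)
    return foreign


def audit(text: str) -> tuple[str | None, set[IPv4Network]]:
    """Parse one command output and return (vrf, foreign prefixes)."""
    vrf, routes = parse_routing_table(text)
    return vrf, foreign_prefixes(vrf, routes)


if __name__ == "__main__":
    name, foreign = audit(SAMPLE_VPNA)
    print(f"{name}: {'isolated' if not foreign else 'LEAK ' + str(sorted(map(str, foreign)))}")
```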

Configuration Files
● CE1 configuration file
#
sysname CE1


#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return
● CE2 configuration file
#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return
● PE1 configuration file
#
sysname PE1
#
vlan batch 10 20 30
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#


interface Vlanif20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.1 as-number 65410
#
ipv4-family vpn-instance vpnb
import-route direct
peer 10.2.1.1 as-number 65420
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
return
● PE2 configuration file
#
sysname PE2
#
vlan batch 30 100 200
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 2.2.2.9


mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.5.1.1 255.255.255.0
#
interface Vlanif200
ip binding vpn-instance vpnb
ip address 10.6.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route ospf 100
#
ipv4-family vpn-instance vpnb
import-route ospf 200
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.1.1.0 0.0.0.255
#
ospf 100 vpn-instance vpna
import-route bgp
area 0.0.0.0
network 10.5.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route bgp
area 0.0.0.0
network 10.6.1.0 0.0.0.255
#
return
● MCE configuration file
#
sysname MCE
#
vlan batch 60 70 100 200
#
ip vpn-instance vpna


ipv4-family
route-distinguisher 100:1
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
#
interface Vlanif60
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
#
interface Vlanif70
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.5.1.2 255.255.255.0
#
interface Vlanif200
ip binding vpn-instance vpnb
ip address 10.6.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 60
#
interface GigabitEthernet4/0/0
port link-type trunk
port trunk allow-pass vlan 70
#
ospf 100 vpn-instance vpna
import-route static
vpn-instance-capability simple
area 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.5.1.0 0.0.0.255
#
ospf 200 vpn-instance vpnb
import-route rip 200
vpn-instance-capability simple
area 0.0.0.0
network 10.4.1.0 0.0.0.255
network 10.6.1.0 0.0.0.255
#
rip 200 vpn-instance vpnb
version 2
network 10.0.0.0
import-route ospf 200
#
ip route-static vpn-instance vpna 192.168.1.0 255.255.255.0 10.3.1.1
#
return
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10 60
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif60
ip address 10.3.1.1 255.255.255.0
#


interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 60
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
ip route-static 0.0.0.0 0.0.0.0 10.3.1.2
#
return

● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 70
#
interface Vlanif10
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif70
ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 70
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
rip 200
version 2
network 10.0.0.0
network 192.168.2.0
#
return

3.10.1.3 Example for Configuring Multicast VPN Access Through MCE Devices

Multicast VPN Overview


Multicast VPN technology allows multicast services to run on BGP/MPLS IP VPN
networks. This technology encapsulates multicast packets from a private network
to enable the packets to be forwarded along the multicast distribution tree (MDT)
on a public network. When the packets reach the destination network, they are
decapsulated and forwarded to receivers as multicast packets of the private
network.
Multicast VPN is used to address the following problems occurring during the
multicast service deployment on BGP/MPLS IP VPN networks:
● VPN multicast packets cannot pass the reverse path forwarding (RPF) check
on the public network.
In multicast forwarding, multicast routers perform RPF checks on multicast
packets based on the multicast source address and inbound interface. Only
multicast packets from the RPF interface are forwarded. Each router needs to
know the unicast route to the multicast source. The provider (P) device on a
BGP/MPLS IP VPN network does not know the VPN routes; therefore, RPF
checks fail on the P device.


● Overlapping multicast source addresses or group addresses on VPNs lead to
inter-VPN communication.
A BGP/MPLS IP VPN network allows overlapping addresses in sites on each
VPN; therefore, the multicast source addresses or group addresses of different
VPNs may overlap. A PE device must correctly forward multicast packets from
a VPN to only the users at the sites on the same VPN to prevent
communication between different VPNs.
● VPN packets are forwarded in unicast mode on the public network. When the
multicast traffic volume is high, loads on the public network increase greatly.
Multicast technology ensures that each link transmits only one copy of
multicast packets. Each device replicates multicast data according to the
number of outbound interfaces, and the bandwidth consumed does not
increase with the number of receivers. If the public network supports
multicast forwarding, multicast packets are replicated only at bifurcation
points on the public network. This on-demand replication mechanism reduces
loads on the public network and conserves bandwidth.
● All PE devices on a VPN can receive multicast packets from a multicast source
on the same VPN. When the multicast traffic volume is high, loads on the PE
devices increase greatly.
A VPN is composed of multiple sites, each of which connects to a different PE.
Some sites may not have receivers. If VPN multicast data is forwarded only to
the PE devices with receivers connected, burdens on PE devices are reduced.

Configuration Notes
● If multicast VPN in multicast domain (MD) mode is used on switches, the
PIM-SM SSM model cannot be used on the public network.
● Multicast VPN cannot be deployed on inter-AS BGP/MPLS IPv4 VPN networks.
● Multicast VPN cannot be deployed on BGP/MPLS IPv6 VPN networks.
● Interfaces on the following interface cards cannot be configured as member
interfaces of Eth-Trunk multicast loopback interfaces:
– V200R001 to V200R003: ES0D0G24SA00, ES0D0G24CA00,
ES0D0X12SA00, ES1D2G48SBC0, and ES1D2G48TBC0 interface cards for
the S7700; EH1D2G24SSA0, EH1D2S24CSA0, EH1D2X12SSA0,
EH1D2G48SBC0, and EH1D2G48TBC0 interface cards for the S9700
– V200R005 to V200R009: X1E series, ES0D0G24SA00, ES0D0G24CA00,
ES1D2G48SBC0, and ES1D2G48TBC0 interface cards for the S7700; X1E
series, EH1D2G48SBC0, and EH1D2G48TBC0 interface cards for the S9700
● This example applies to the following products and versions:
– S5700-HI: V200R005(C01&C02)
– S5710-HI: V200R005C02
– S5720-HI, S5720-EI, S6720-EI, S6720S-EI: V200R010C00 and later versions
– S6720S-EI: V200R010C00 and later versions
– S6720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H,
S6730-H, S6730S-H, S6730-S, S6730S-S: For the applicable versions, see
Table 3-1 in the section "Applicable Products and Versions."
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712: For
the applicable versions, see Table 3-1 in the section "Applicable Products
and Versions."


NOTE

To view detailed information about software mappings, visit Info-Finder, select a
product series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-135, a company deploys two services, data of which is
transmitted in multicast mode. The VPN site blue using service A and the VPN site
white using service B both connect to the backbone network through the MCE
devices. Multicast VPN in MD mode can be deployed to meet the multicast service
requirements of the company. This configuration isolates data of different
services and reduces multicast traffic loads on the public network.


Figure 3-135 Multicast VPN access through MCE devices

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure BGP/MPLS IP VPN to ensure connectivity of the VPN network.

2. Configure multicast loopback interfaces, share-group addresses, and multicast
tunnel interfaces (MTIs) for VPN instances on the PE devices to implement
multicast VPN in MD mode.


3. Enable multicast routing and PIM on all the devices. Configure the multicast
function in the public network between the PE and P devices. Configure the
multicast function in the VPN instances between PE and MCE devices, and
between the MCE and CE devices.

Procedure
Step 1 Configure BGP/MPLS IP VPN.
1. Configure the Open Shortest Path First (OSPF) protocol on the backbone
network to allow communication between the provider edge devices (PE1 and
PE2) and intermediate device P.

# Configure PE1.
<PE1> system-view
[PE1] interface loopback 0 //Create a loopback interface.
[PE1-LoopBack0] ip address 1.1.1.1 32
[PE1-LoopBack0] quit
[PE1] router id 1.1.1.1 //Set the router ID of PE1 to 1.1.1.1 for route management.
[PE1] vlan batch 30
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 30
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 30 //Create a VLANIF interface.
[PE1-Vlanif30] ip address 10.1.3.1 24
[PE1-Vlanif30] quit
[PE1] ospf
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255 //Specify that the interface running OSPF is
the one connected to the 10.1.3.0 network segment and that the interface belongs to Area 0.
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

The configurations on P and PE2 are similar to the configuration of PE1, and
are not mentioned here.

After the configuration is complete, OSPF neighbor relationships can be set
up between PE1 and P and between P and PE2. Run the display ospf peer
command on PE1, P, and PE2, and you can see that the neighbors are in Full
state. Run the display ip routing-table command, and you can see that the PE
devices have learned the routes to each other's Loopback0.
2. Enable basic MPLS capabilities and MPLS LDP on the provider edge devices
PE1 and PE2 to set up LDP LSPs on the MPLS backbone network.

# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1 //Set the LSR ID of PE1 to 1.1.1.1.
[PE1] mpls //Enable MPLS globally.
[PE1-mpls] quit
[PE1] mpls ldp //Enable MPLS LDP globally.
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls //Enable MPLS on the VLANIF interface.
[PE1-Vlanif30] mpls ldp //Enable MPLS LDP on the VLANIF interface.
[PE1-Vlanif30] quit

The configurations on P and PE2 are similar to the configuration of PE1, and
are not mentioned here.


After the configuration is complete, LDP sessions can be set up between PE1
and P and between P and PE2. Run the display mpls ldp session command
on the PE and P devices, and you can see that the LDP sessions are in
Operational state.
3. Establish a Multiprotocol Interior Border Gateway Protocol (MP-IBGP) peer
relationship between the provider edge devices PE1 and PE2.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.3 as-number 100 //Create BGP peer 3.3.3.3 and set its AS number to 100.
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 0 //Specify LoopBack0 as the source interface
to send BGP packets to BGP peer 3.3.3.3.
[PE1-bgp] ipv4-family vpnv4 //Enter the BGP-VPNv4 address family view.
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable //Enable the local switch to exchange BGP-VPNv4 routes
with BGP peer 3.3.3.3.
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.1 as-number 100 //Create BGP peer 1.1.1.1 and set its AS number to 100.
[PE2-bgp] peer 1.1.1.1 connect-interface loopback 0 //Specify LoopBack0 as the source interface
to send BGP packets to 1.1.1.1.
[PE2-bgp] ipv4-family vpnv4 //Enter the BGP-VPNv4 address family view.
[PE2-bgp-af-vpnv4] peer 1.1.1.1 enable //Enable the local switch to exchange BGP-VPNv4 routes
with BGP peer 1.1.1.1.
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

After the configuration is complete, run the display bgp vpnv4 all peer
command on the PE devices. You can see that a BGP peer relationship has
been set up between PE1 and PE2 and is in Established state.
4. Create VPN instances blue and white on the provider edge devices PE1 and
PE2 and on the branch aggregation egress devices MCE1 and MCE2, so that each
service site's egress CE connects to the PE devices through the MCE devices.
# Configure PE1.
[PE1] ip vpn-instance blue //Create VPN instance blue.
[PE1-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN instance blue to 100:1.
[PE1-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the export VPN target list
and import VPN target list of VPN instance blue.
[PE1-vpn-instance-blue-af-ipv4] quit
[PE1-vpn-instance-blue] quit
[PE1] ip vpn-instance white //Create VPN instance white.
[PE1-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN instance white to 200:1.
[PE1-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to the export VPN target list
and import VPN target list of VPN instance white.
[PE1-vpn-instance-white-af-ipv4] quit
[PE1-vpn-instance-white] quit
[PE1] vlan batch 10 20
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10 20
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance blue //Bind VPN instance blue to VLANIF10 so that
VLANIF10 becomes a private network interface of VPN instance blue.
[PE1-Vlanif10] ip address 10.1.1.1 24
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip binding vpn-instance white //Bind VPN instance white to VLANIF20 so that
VLANIF20 becomes a private network interface of VPN instance white.


[PE1-Vlanif20] ip address 10.1.2.1 24
[PE1-Vlanif20] quit

# Configure MCE1.
[MCE1] ip vpn-instance blue //Create VPN instance blue.
[MCE1-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN instance blue to 100:1.
[MCE1-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the export VPN target list
and import VPN target list of VPN instance blue.
[MCE1-vpn-instance-blue-af-ipv4] quit
[MCE1-vpn-instance-blue] quit
[MCE1] ip vpn-instance white //Create VPN instance white.
[MCE1-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN instance white to 200:1.
[MCE1-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to the export VPN target
list and import VPN target list of VPN instance white.
[MCE1-vpn-instance-white-af-ipv4] quit
[MCE1-vpn-instance-white] quit
[MCE1] vlan batch 10 20 100 200
[MCE1] interface gigabitethernet 1/0/0
[MCE1-GigabitEthernet1/0/0] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[MCE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10 20
[MCE1-GigabitEthernet1/0/0] quit
[MCE1] interface gigabitethernet 1/0/1
[MCE1-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[MCE1-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[MCE1-GigabitEthernet1/0/1] quit
[MCE1] interface gigabitethernet 1/0/2
[MCE1-GigabitEthernet1/0/2] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[MCE1-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[MCE1-GigabitEthernet1/0/2] quit
[MCE1] interface vlanif 10
[MCE1-Vlanif10] ip binding vpn-instance blue //Bind VPN instance blue to VLANIF10 so that
VLANIF10 becomes a private network interface of VPN instance blue.
[MCE1-Vlanif10] ip address 10.1.1.2 24
[MCE1-Vlanif10] quit
[MCE1] interface vlanif 20
[MCE1-Vlanif20] ip binding vpn-instance white //Bind VPN instance white to VLANIF20 so that
VLANIF20 becomes a private network interface of VPN instance white.
[MCE1-Vlanif20] ip address 10.1.2.2 24
[MCE1-Vlanif20] quit
[MCE1] interface vlanif 100
[MCE1-Vlanif100] ip binding vpn-instance blue //Bind VPN instance blue to VLANIF100 so that
VLANIF100 becomes a private network interface of VPN instance blue.
[MCE1-Vlanif100] ip address 192.168.1.1 24
[MCE1-Vlanif100] quit
[MCE1] interface vlanif 200
[MCE1-Vlanif200] ip binding vpn-instance white //Bind VPN instance white to VLANIF200 so that
VLANIF200 becomes a private network interface of VPN instance white.
[MCE1-Vlanif200] ip address 192.168.2.1 24
[MCE1-Vlanif200] quit

# Configure PE2.
[PE2] ip vpn-instance blue //Create VPN instance blue.
[PE2-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN instance blue to 100:1.
[PE2-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the export VPN target list
and import VPN target list of VPN instance blue.
[PE2-vpn-instance-blue-af-ipv4] quit
[PE2-vpn-instance-blue] quit
[PE2] ip vpn-instance white //Create VPN instance white.
[PE2-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN instance white to 200:1.
[PE2-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to the export VPN target list
and import VPN target list of VPN instance white.
[PE2-vpn-instance-white-af-ipv4] quit
[PE2-vpn-instance-white] quit
[PE2] vlan batch 50 60
[PE2] interface gigabitethernet 1/0/0


[PE2-GigabitEthernet1/0/0] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 50 60
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 50
[PE2-Vlanif50] ip binding vpn-instance blue //Bind VPN instance blue to VLANIF50 so that
VLANIF50 becomes a private network interface of VPN instance blue.
[PE2-Vlanif50] ip address 10.1.5.1 24
[PE2-Vlanif50] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip binding vpn-instance white //Bind VPN instance white to VLANIF60 so that
VLANIF60 becomes a private network interface of VPN instance white.
[PE2-Vlanif60] ip address 10.1.6.1 24
[PE2-Vlanif60] quit

# Configure MCE2.
[MCE2] ip vpn-instance blue //Create VPN instance blue.
[MCE2-vpn-instance-blue] route-distinguisher 100:1 //Set the RD of VPN instance blue to 100:1.
[MCE2-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to the export VPN target list
and import VPN target list of VPN instance blue.
[MCE2-vpn-instance-blue-af-ipv4] quit
[MCE2-vpn-instance-blue] quit
[MCE2] ip vpn-instance white //Create VPN instance white.
[MCE2-vpn-instance-white] route-distinguisher 200:1 //Set the RD of VPN instance white to 200:1.
[MCE2-vpn-instance-white-af-ipv4] vpn-target 222:1 both //Add 222:1 to the export VPN target
list and import VPN target list of VPN instance white.
[MCE2-vpn-instance-white-af-ipv4] quit
[MCE2-vpn-instance-white] quit
[MCE2] vlan batch 50 60 300 400
[MCE2] interface gigabitethernet 1/0/0
[MCE2-GigabitEthernet1/0/0] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[MCE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 50 60
[MCE2-GigabitEthernet1/0/0] quit
[MCE2] interface gigabitethernet 1/0/1
[MCE2-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[MCE2-GigabitEthernet1/0/1] port trunk allow-pass vlan 300
[MCE2-GigabitEthernet1/0/1] quit
[MCE2] interface gigabitethernet 1/0/2
[MCE2-GigabitEthernet1/0/2] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[MCE2-GigabitEthernet1/0/2] port trunk allow-pass vlan 400
[MCE2-GigabitEthernet1/0/2] quit
[MCE2] interface vlanif 50
[MCE2-Vlanif50] ip binding vpn-instance blue //Bind VPN instance blue to VLANIF50 so that
VLANIF50 becomes a private network interface of VPN instance blue.
[MCE2-Vlanif50] ip address 10.1.5.2 24
[MCE2-Vlanif50] quit
[MCE2] interface vlanif 60
[MCE2-Vlanif60] ip binding vpn-instance white //Bind VPN instance white to VLANIF60 so that
VLANIF60 becomes a private network interface of VPN instance white.
[MCE2-Vlanif60] ip address 10.1.6.2 24
[MCE2-Vlanif60] quit
[MCE2] interface vlanif 300
[MCE2-Vlanif300] ip binding vpn-instance blue //Bind VPN instance blue to VLANIF300 so that
VLANIF300 becomes a private network interface of VPN instance blue.
[MCE2-Vlanif300] ip address 192.168.3.1 24
[MCE2-Vlanif300] quit
[MCE2] interface vlanif 400
[MCE2-Vlanif400] ip binding vpn-instance white //Bind VPN instance white to VLANIF400 so that
VLANIF400 becomes a private network interface of VPN instance white.
[MCE2-Vlanif400] ip address 192.168.4.1 24
[MCE2-Vlanif400] quit

5. Configure OSPF on the provider edge devices PE1 and PE2, branches'
aggregate egress devices MCE1 and MCE2, and each service site's egress CE.
Import VPN routes to the OSPF routing table.


# Configure PE1.
[PE1] ospf 2 vpn-instance blue //Create an OSPF process to serve VPN instance blue.
[PE1-ospf-2] import-route bgp //Import BGP routes.
[PE1-ospf-2] area 0
[PE1-ospf-2-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Specify that the interface running OSPF is
the one connected to the 10.1.1.0 network segment and that the interface belongs to Area 0.
[PE1-ospf-2-area-0.0.0.0] quit
[PE1-ospf-2] quit
[PE1] ospf 3 vpn-instance white //Create an OSPF process to serve VPN instance white.
[PE1-ospf-3] import-route bgp //Import BGP routes.
[PE1-ospf-3] area 0
[PE1-ospf-3-area-0.0.0.0] network 10.1.2.0 0.0.0.255 //Specify that the interface running OSPF is
the one connected to the 10.1.2.0 network segment and that the interface belongs to Area 0.
[PE1-ospf-3-area-0.0.0.0] quit
[PE1-ospf-3] quit
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance blue //Enter the IPv4 address family view of BGP-VPN
instance blue.
[PE1-bgp-blue] import-route ospf 2 //Import routes of OSPF process 2.
[PE1-bgp-blue] quit
[PE1-bgp] ipv4-family vpn-instance white //Enter the IPv4 address family view of BGP-VPN
instance white.
[PE1-bgp-white] import-route ospf 3 //Import routes of OSPF process 3.
[PE1-bgp-white] quit
[PE1-bgp] quit

# Configure MCE1.
[MCE1] ospf 1 vpn-instance blue //Create an OSPF process to serve VPN instance blue.
[MCE1-ospf-1] vpn-instance-capability simple //Disable OSPF routing loop detection.
[MCE1-ospf-1] area 0
[MCE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Specify that the interface running OSPF
is the one connected to the 10.1.1.0 network segment and that the interface belongs to Area 0.
[MCE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 192.168.1.0 network segment and that the interface belongs to
Area 0.
[MCE1-ospf-1-area-0.0.0.0] quit
[MCE1-ospf-1] quit
[MCE1] ospf 2 vpn-instance white //Create an OSPF process to serve VPN instance white.
[MCE1-ospf-2] vpn-instance-capability simple //Disable OSPF routing loop detection.
[MCE1-ospf-2] area 0
[MCE1-ospf-2-area-0.0.0.0] network 10.1.2.0 0.0.0.255 //Specify that the interface running OSPF
is the one connected to the 10.1.2.0 network segment and that the interface belongs to Area 0.
[MCE1-ospf-2-area-0.0.0.0] network 192.168.2.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 192.168.2.0 network segment and that the interface belongs to
Area 0.
[MCE1-ospf-2-area-0.0.0.0] quit
[MCE1-ospf-2] quit

# Configure PE2.
[PE2] ospf 2 vpn-instance blue //Create an OSPF process to serve VPN instance blue.
[PE2-ospf-2] import-route bgp //Import BGP routes.
[PE2-ospf-2] area 0
[PE2-ospf-2-area-0.0.0.0] network 10.1.5.0 0.0.0.255 //Specify that the interface running OSPF
is the one connected to the 10.1.5.0 network segment and that the interface belongs to Area 0.
[PE2-ospf-2-area-0.0.0.0] quit
[PE2-ospf-2] quit
[PE2] ospf 3 vpn-instance white //Create an OSPF process to serve VPN instance white.
[PE2-ospf-3] import-route bgp //Import BGP routes.
[PE2-ospf-3] area 0
[PE2-ospf-3-area-0.0.0.0] network 10.1.6.0 0.0.0.255 //Specify that the interface running OSPF
is the one connected to the 10.1.6.0 network segment and that the interface belongs to Area 0.
[PE2-ospf-3-area-0.0.0.0] quit
[PE2-ospf-3] quit
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance blue //Enter the IPv4 address family view of BGP-VPN
instance blue.
[PE2-bgp-blue] import-route ospf 2 //Import routes of OSPF process 2.


[PE2-bgp-blue] quit
[PE2-bgp] ipv4-family vpn-instance white //Enter the IPv4 address family view of BGP-VPN
instance white.
[PE2-bgp-white] import-route ospf 3 //Import routes of OSPF process 3.
[PE2-bgp-white] quit
[PE2-bgp] quit

# Configure MCE2.
[MCE2] ospf 1 vpn-instance blue //Create an OSPF process to serve VPN instance blue.
[MCE2-ospf-1] vpn-instance-capability simple //Disable OSPF routing loop detection.
[MCE2-ospf-1] area 0
[MCE2-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255 //Specify that the interface running OSPF
is the one connected to the 10.1.5.0 network segment and that the interface belongs to Area 0.
[MCE2-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 192.168.3.0 network segment and that the interface belongs to
Area 0.
[MCE2-ospf-1-area-0.0.0.0] quit
[MCE2-ospf-1] quit
[MCE2] ospf 2 vpn-instance white //Create an OSPF process to serve VPN instance white.
[MCE2-ospf-2] vpn-instance-capability simple //Disable OSPF routing loop detection.
[MCE2-ospf-2] area 0
[MCE2-ospf-2-area-0.0.0.0] network 10.1.6.0 0.0.0.255 //Specify that the interface running OSPF
is the one connected to the 10.1.6.0 network segment and that the interface belongs to Area 0.
[MCE2-ospf-2-area-0.0.0.0] network 192.168.4.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 192.168.4.0 network segment and that the interface belongs to
Area 0.
[MCE2-ospf-2-area-0.0.0.0] quit
[MCE2-ospf-2] quit

# Configure CE1, egress for a site of service A.
[CE1] vlan batch 100 101
[CE1] interface gigabitethernet 1/0/1
[CE1-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[CE1-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[CE1-GigabitEthernet1/0/1] quit
[CE1] interface gigabitethernet 2/0/1
[CE1-GigabitEthernet2/0/1] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[CE1-GigabitEthernet2/0/1] port trunk allow-pass vlan 101
[CE1-GigabitEthernet2/0/1] quit
[CE1] interface vlanif 100
[CE1-Vlanif100] ip address 192.168.1.2 24
[CE1-Vlanif100] quit
[CE1] interface vlanif 101
[CE1-Vlanif101] ip address 192.168.11.1 24
[CE1-Vlanif101] quit
[CE1] ospf
[CE1-ospf-1] area 0
[CE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 192.168.1.0 network segment and that the interface belongs to
Area 0.
[CE1-ospf-1-area-0.0.0.0] network 192.168.11.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 192.168.11.0 network segment and that the interface belongs to
Area 0.
[CE1-ospf-1-area-0.0.0.0] quit
[CE1-ospf-1] quit

# Configure CE2, egress for a site of service B.
[CE2] vlan batch 200 201
[CE2] interface gigabitethernet 1/0/2
[CE2-GigabitEthernet1/0/2] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[CE2-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[CE2-GigabitEthernet1/0/2] quit
[CE2] interface gigabitethernet 2/0/1
[CE2-GigabitEthernet2/0/1] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[CE2-GigabitEthernet2/0/1] port trunk allow-pass vlan 201
[CE2-GigabitEthernet2/0/1] quit
[CE2] interface vlanif 200
[CE2-Vlanif200] ip address 192.168.2.2 24
[CE2-Vlanif200] quit
[CE2] interface vlanif 201
[CE2-Vlanif201] ip address 192.168.12.1 24
[CE2-Vlanif201] quit
[CE2] ospf
[CE2-ospf-1] area 0
[CE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 192.168.2.0 network segment and that the interface belongs to
Area 0.
[CE2-ospf-1-area-0.0.0.0] network 192.168.12.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 192.168.12.0 network segment and that the interface belongs to
Area 0.
[CE2-ospf-1-area-0.0.0.0] quit
[CE2-ospf-1] quit

# Configure CE3, egress for a site of service A.
[CE3] vlan batch 300 301
[CE3] interface gigabitethernet 1/0/1
[CE3-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[CE3-GigabitEthernet1/0/1] port trunk allow-pass vlan 300
[CE3-GigabitEthernet1/0/1] quit
[CE3] interface gigabitethernet 2/0/1
[CE3-GigabitEthernet2/0/1] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[CE3-GigabitEthernet2/0/1] port trunk allow-pass vlan 301
[CE3-GigabitEthernet2/0/1] quit
[CE3] interface vlanif 300
[CE3-Vlanif300] ip address 192.168.3.2 24
[CE3-Vlanif300] quit
[CE3] interface vlanif 301
[CE3-Vlanif301] ip address 192.168.13.1 24
[CE3-Vlanif301] quit
[CE3] ospf
[CE3-ospf-1] area 0
[CE3-ospf-1-area-0.0.0.0] network 192.168.3.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 192.168.3.0 network segment and that the interface belongs to
Area 0.
[CE3-ospf-1-area-0.0.0.0] network 192.168.13.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 192.168.13.0 network segment and that the interface belongs to
Area 0.
[CE3-ospf-1-area-0.0.0.0] quit
[CE3-ospf-1] quit

# Configure CE4, egress for a site of service B.
[CE4] vlan batch 400 401
[CE4] interface gigabitethernet 1/0/2
[CE4-GigabitEthernet1/0/2] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[CE4-GigabitEthernet1/0/2] port trunk allow-pass vlan 400
[CE4-GigabitEthernet1/0/2] quit
[CE4] interface gigabitethernet 2/0/1
[CE4-GigabitEthernet2/0/1] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[CE4-GigabitEthernet2/0/1] port trunk allow-pass vlan 401
[CE4-GigabitEthernet2/0/1] quit
[CE4] interface vlanif 400
[CE4-Vlanif400] ip address 192.168.4.2 24
[CE4-Vlanif400] quit
[CE4] interface vlanif 401
[CE4-Vlanif401] ip address 192.168.14.1 24
[CE4-Vlanif401] quit
[CE4] ospf


[CE4-ospf-1] area 0
[CE4-ospf-1-area-0.0.0.0] network 192.168.4.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 192.168.4.0 network segment and that the interface belongs to
Area 0.
[CE4-ospf-1-area-0.0.0.0] network 192.168.14.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 192.168.14.0 network segment and that the interface belongs to
Area 0.
[CE4-ospf-1-area-0.0.0.0] quit
[CE4-ospf-1] quit

After the configuration is complete, run the display ip routing-table vpn-instance
vpn-instance-name command on the PE or MCE devices. You can see that the local PE
or MCE device has a VPN route to the remote PE. Run the display ip routing-table
protocol ospf command on the CE devices. You can see that CE1 and CE3 have learned
routes to each other, and CE2 and CE4 have learned routes to each other.
Step 2 Configure multicast loopback interfaces, share-group addresses, and MTIs for VPN
instances on the provider edge devices PE1 and PE2.
# Configure PE1.
[PE1] interface eth-trunk 10
[PE1-Eth-Trunk10] service type multicast-tunnel //Configure Eth-Trunk 10 as a multicast loopback
interface.
[PE1-Eth-Trunk10] trunkport gigabitethernet 3/0/5 //Bind member interface GE3/0/5 to Eth-Trunk 10.
[PE1-Eth-Trunk10] quit
[PE1] ip vpn-instance blue
[PE1-vpn-instance-blue] multicast routing-enable //Enable multicast routing in VPN instance blue.
[PE1-vpn-instance-blue] multicast-domain share-group 239.1.1.1 binding mtunnel 0 //Specify
239.1.1.1 as the Share-Group for VPN instance blue and bind it to multicast tunnel interface MTI0.
[PE1-vpn-instance-blue] ipv4-family
[PE1-vpn-instance-blue-af-ipv4] multicast-domain source-interface loopback 0 //Configure the MTI to
use the address of Loopback0 as the default address.
[PE1-vpn-instance-blue-af-ipv4] quit
[PE1-vpn-instance-blue] quit
[PE1] ip vpn-instance white
[PE1-vpn-instance-white] multicast routing-enable //Enable multicast routing in VPN instance white.
[PE1-vpn-instance-white] multicast-domain share-group 239.1.2.1 binding mtunnel 10 //Specify
239.1.2.1 as the Share-Group for VPN instance white and bind it to multicast tunnel interface MTI10.
[PE1-vpn-instance-white] ipv4-family
[PE1-vpn-instance-white-af-ipv4] multicast-domain source-interface loopback 0 //Configure the MTI
to use the address of Loopback0 as the default address.
[PE1-vpn-instance-white-af-ipv4] quit
[PE1-vpn-instance-white] quit

# Configure PE2.
[PE2] interface eth-trunk 10
[PE2-Eth-Trunk10] service type multicast-tunnel //Configure Eth-Trunk 10 as a multicast loopback
interface.
[PE2-Eth-Trunk10] trunkport gigabitethernet 3/0/5 //Bind member interface GE3/0/5 to Eth-Trunk 10.
[PE2-Eth-Trunk10] quit
[PE2] ip vpn-instance blue
[PE2-vpn-instance-blue] multicast routing-enable //Enable multicast routing in VPN instance blue.
[PE2-vpn-instance-blue] multicast-domain share-group 239.1.1.1 binding mtunnel 0 //Specify
239.1.1.1 as the Share-Group for VPN instance blue and bind it to multicast tunnel interface MTI0.
[PE2-vpn-instance-blue] ipv4-family
[PE2-vpn-instance-blue-af-ipv4] multicast-domain source-interface loopback 0 //Configure the MTI to
use the address of Loopback0 as the default address.
[PE2-vpn-instance-blue-af-ipv4] quit
[PE2-vpn-instance-blue] quit
[PE2] ip vpn-instance white
[PE2-vpn-instance-white] multicast routing-enable //Enable multicast routing in VPN instance white.
[PE2-vpn-instance-white] multicast-domain share-group 239.1.2.1 binding mtunnel 10 //Specify
239.1.2.1 as the Share-Group for VPN instance white and bind it to multicast tunnel interface MTI10.
[PE2-vpn-instance-white] ipv4-family
[PE2-vpn-instance-white-af-ipv4] multicast-domain source-interface loopback 0 //Configure the MTI
to use the address of Loopback0 as the default address.
[PE2-vpn-instance-white-af-ipv4] quit
[PE2-vpn-instance-white] quit
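As an added example (not Huawei's code), the following Python script parses the CLI transcript format used on this page and checks the MD-mode invariants Steps 1 and 2 rely on: each VPN instance uses the same Share-Group and MTI on every PE, no two VPN instances on one PE share a Share-Group or MTI, the Share-Group is a multicast address, and the VPN targets agree on every device. The transcript it checks is constructed from the PE1, PE2 and MCE1 lines above, and the misconfigured variant is constructed as well.

```python
import ipaddress
import re
from collections import defaultdict

# Prompt format used in this chapter: "[DEVICE-view] command //comment"
PROMPT_RE = re.compile(
    r"^\[(?P<dev>[A-Za-z0-9]+)(?:-(?P<view>[^\]]*))?\]\s*(?P<cmd>.*?)\s*(?://.*)?$")
VPN_VIEW_RE = re.compile(r"^vpn-instance-(?P<vpn>[A-Za-z0-9_]+)(?:-af-ipv4)?$")


def parse_transcript(text):
    """Collect {device: {vpn_instance: settings}} from lines typed in a vpn-instance view."""
    cfg = defaultdict(lambda: defaultdict(dict))
    for raw in text.splitlines():
        m = PROMPT_RE.match(raw.strip())
        view = VPN_VIEW_RE.match(m.group("view") or "") if m else None
        if not view:  # other views, wrapped comment continuations, blank lines
            continue
        entry = cfg[m.group("dev")][view.group("vpn")]
        parts = m.group("cmd").split()
        if parts[:1] == ["vpn-target"]:
            entry.setdefault("rt", set()).add(parts[1])
        elif parts[:2] == ["multicast", "routing-enable"]:
            entry["mcast"] = True
        elif parts[:2] == ["multicast-domain", "share-group"]:
            # multicast-domain share-group <group> binding mtunnel <id>
            entry["share_group"], entry["mtunnel"] = parts[2], int(parts[5])
    return cfg


def check_multicast_vpn(cfg, pe_devices):
    """Return a list of findings; an empty list means the MD configuration is consistent."""
    findings, by_vpn = [], defaultdict(dict)
    for dev in pe_devices:
        groups, tunnels = {}, {}
        for vpn, e in cfg.get(dev, {}).items():
            if not e.get("mcast"):
                findings.append(f"{dev}/{vpn}: multicast routing-enable missing in the VPN instance")
            if "share_group" not in e:
                findings.append(f"{dev}/{vpn}: no Share-Group bound to an MTI")
                continue
            g, t = e["share_group"], e["mtunnel"]
            if not ipaddress.ip_address(g).is_multicast:
                findings.append(f"{dev}/{vpn}: Share-Group {g} is not a multicast address")
            # Two VPN instances on one Share-Group would put service A and B in one MD.
            if g in groups:
                findings.append(f"{dev}: Share-Group {g} reused by {groups[g]} and {vpn}")
            if t in tunnels:
                findings.append(f"{dev}: MTI{t} reused by {tunnels[t]} and {vpn}")
            groups[g], tunnels[t] = vpn, vpn
            by_vpn[vpn][dev] = (g, t)
    for vpn, per_dev in by_vpn.items():
        # Every PE of one VPN instance must join the same Share-Group on the same MTI.
        if len(set(per_dev.values())) > 1:
            findings.append(f"{vpn}: Share-Group/MTI differ across PEs: {per_dev}")
    # VPN targets must agree on every device (PE and MCE) hosting the instance; this
    # page uses a single target with "both" per instance, so the sets must be equal.
    targets = defaultdict(set)
    for vpns in cfg.values():
        for vpn, e in vpns.items():
            targets[vpn].add(frozenset(e.get("rt", ())))
    for vpn, variants in targets.items():
        if len(variants) > 1:
            findings.append(f"{vpn}: VPN targets differ between devices: {sorted(map(sorted, variants))}")
    return findings


# Constructed transcript: the VPN-instance lines of PE1, PE2 and MCE1 from Steps 1 and 2.
GOOD_CONFIG = """
[PE1] ip vpn-instance blue
[PE1-vpn-instance-blue-af-ipv4] vpn-target 111:1 both //Add 111:1 to both VPN target lists.
[PE1-vpn-instance-blue] multicast routing-enable
[PE1-vpn-instance-blue] multicast-domain share-group 239.1.1.1 binding mtunnel 0
[PE1-vpn-instance-white-af-ipv4] vpn-target 222:1 both
[PE1-vpn-instance-white] multicast routing-enable
[PE1-vpn-instance-white] multicast-domain share-group 239.1.2.1 binding mtunnel 10
[PE2-vpn-instance-blue-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-blue] multicast routing-enable
[PE2-vpn-instance-blue] multicast-domain share-group 239.1.1.1 binding mtunnel 0
[PE2-vpn-instance-white-af-ipv4] vpn-target 222:1 both
[PE2-vpn-instance-white] multicast routing-enable
[PE2-vpn-instance-white] multicast-domain share-group 239.1.2.1 binding mtunnel 10
[MCE1-vpn-instance-blue-af-ipv4] vpn-target 111:1 both
[MCE1-vpn-instance-white-af-ipv4] vpn-target 222:1 both
"""
# Constructed misconfiguration: PE2 binds VPN white to the Share-Group of VPN blue.
BAD_CONFIG = GOOD_CONFIG.replace(
    "[PE2-vpn-instance-white] multicast-domain share-group 239.1.2.1",
    "[PE2-vpn-instance-white] multicast-domain share-group 239.1.1.1")


def audit(text, pe_devices=("PE1", "PE2")):
    return check_multicast_vpn(parse_transcript(text), pe_devices)


if __name__ == "__main__":
    for name, text in (("page configuration", GOOD_CONFIG), ("misconfiguration", BAD_CONFIG)):
        print(f"{name}: {audit(text) or ['consistent']}")
```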

Step 3 Configure the multicast function on the public and private networks.
1. Configure the multicast function on the public network.
Enable PIM-SM on the public network. Configure Loopback0 of the provider's
intermediate device P as a candidate bootstrap router (C-BSR) and candidate
rendezvous point (C-RP) on the public network.
# Configure PE1.
[PE1] multicast routing-enable //Enable multicast routing globally.
[PE1] interface vlanif 30
[PE1-Vlanif30] pim sm //Enable PIM-SM on VLANIF30.
[PE1-Vlanif30] quit
[PE1] interface loopback 0
[PE1-LoopBack0] pim sm //Enable PIM-SM on Loopback0.
[PE1-LoopBack0] quit

# Configure PE2.
[PE2] multicast routing-enable //Enable multicast routing globally.
[PE2] interface vlanif 40
[PE2-Vlanif40] pim sm //Enable PIM-SM on VLANIF40.
[PE2-Vlanif40] quit
[PE2] interface loopback 0
[PE2-LoopBack0] pim sm //Enable PIM-SM on Loopback0.
[PE2-LoopBack0] quit

# Configure P.
[P] multicast routing-enable //Enable multicast routing globally.
[P] interface vlanif 30
[P-Vlanif30] pim sm //Enable PIM-SM on VLANIF30.
[P-Vlanif30] quit
[P] interface vlanif 40
[P-Vlanif40] pim sm //Enable PIM-SM on VLANIF40.
[P-Vlanif40] quit
[P] interface loopback 0
[P-LoopBack0] pim sm //Enable PIM-SM on Loopback0.
[P-LoopBack0] quit
[P] pim
[P-pim] c-bsr loopback 0 //Configure Loopback0 as a C-BSR interface.
[P-pim] c-rp loopback 0 //Configure Loopback0 as a C-RP interface.

2. Configure the multicast function on the private network.
Enable PIM-SM on the private networks. Configure VLANIF 10 of provider
edge PE1 as a C-BSR and C-RP of VPN instance blue, and configure VLANIF 20
of PE1 as a C-BSR and C-RP of VPN instance white. Configure IGMP on
VLANIF 301 of service site egress CE3 and VLANIF 401 of service site egress
CE4. (The two VLANIF interfaces are connected to network segments of
receivers.)
# Configure PE1.
[PE1] interface vlanif 10
[PE1-Vlanif10] pim sm //Enable PIM-SM on VLANIF10.
[PE1-Vlanif10] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] pim sm //Enable PIM-SM on VLANIF20.
[PE1-Vlanif20] quit
[PE1] pim vpn-instance blue
[PE1-pim-blue] c-bsr vlanif 10 //Configure VLANIF10 as a C-BSR interface for VPN instance blue.
[PE1-pim-blue] c-rp vlanif 10 //Configure VLANIF10 as a C-RP interface for VPN instance blue.


[PE1-pim-blue] quit
[PE1] pim vpn-instance white
[PE1-pim-white] c-bsr vlanif 20 //Configure VLANIF20 as a C-BSR interface for VPN instance white.
[PE1-pim-white] c-rp vlanif 20 //Configure VLANIF20 as a C-RP interface for VPN instance white.
[PE1-pim-white] quit

# Configure MCE1.
[MCE1] multicast routing-enable //Enable multicast routing globally.
[MCE1] ip vpn-instance blue
[MCE1-vpn-instance-blue] multicast routing-enable //Enable multicast routing in VPN instance
blue.
[MCE1-vpn-instance-blue] quit
[MCE1] ip vpn-instance white
[MCE1-vpn-instance-white] multicast routing-enable //Enable multicast routing in VPN instance
white.
[MCE1-vpn-instance-white] quit
[MCE1] interface vlanif 10
[MCE1-Vlanif10] pim sm //Enable PIM-SM on VLANIF10.
[MCE1-Vlanif10] quit
[MCE1] interface vlanif 20
[MCE1-Vlanif20] pim sm //Enable PIM-SM on VLANIF20.
[MCE1-Vlanif20] quit
[MCE1] interface vlanif 100
[MCE1-Vlanif100] pim sm //Enable PIM-SM on VLANIF100.
[MCE1-Vlanif100] quit
[MCE1] interface vlanif 200
[MCE1-Vlanif200] pim sm //Enable PIM-SM on VLANIF200.
[MCE1-Vlanif200] quit

# Configure PE2.
[PE2] interface vlanif 50
[PE2-Vlanif50] pim sm //Enable PIM-SM on VLANIF50.
[PE2-Vlanif50] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] pim sm //Enable PIM-SM on VLANIF60.
[PE2-Vlanif60] quit

# Configure MCE2.
[MCE2] multicast routing-enable //Enable multicast routing globally.
[MCE2] ip vpn-instance blue
[MCE2-vpn-instance-blue] multicast routing-enable //Enable multicast routing in VPN instance blue.
[MCE2-vpn-instance-blue] quit
[MCE2] ip vpn-instance white
[MCE2-vpn-instance-white] multicast routing-enable //Enable multicast routing in VPN instance white.
[MCE2-vpn-instance-white] quit
[MCE2] interface vlanif 50
[MCE2-Vlanif50] pim sm //Enable PIM-SM on VLANIF50.
[MCE2-Vlanif50] quit
[MCE2] interface vlanif 60
[MCE2-Vlanif60] pim sm //Enable PIM-SM on VLANIF60.
[MCE2-Vlanif60] quit
[MCE2] interface vlanif 300
[MCE2-Vlanif300] pim sm //Enable PIM-SM on VLANIF300.
[MCE2-Vlanif300] quit
[MCE2] interface vlanif 400
[MCE2-Vlanif400] pim sm //Enable PIM-SM on VLANIF400.
[MCE2-Vlanif400] quit

# Configure CE1, egress for a site of service A.
[CE1] multicast routing-enable //Enable multicast routing globally.
[CE1] interface vlanif 100
[CE1-Vlanif100] pim sm //Enable PIM-SM on VLANIF100.
[CE1-Vlanif100] quit
[CE1] interface vlanif 101
[CE1-Vlanif101] pim sm //Enable PIM-SM on VLANIF101.
[CE1-Vlanif101] quit

# Configure CE2, egress for a site of service B.
[CE2] multicast routing-enable //Enable multicast routing globally.
[CE2] interface vlanif 200
[CE2-Vlanif200] pim sm //Enable PIM-SM on VLANIF200.
[CE2-Vlanif200] quit
[CE2] interface vlanif 201
[CE2-Vlanif201] pim sm //Enable PIM-SM on VLANIF201.
[CE2-Vlanif201] quit

# Configure CE3, egress for a site of service A.
[CE3] multicast routing-enable //Enable multicast routing globally.
[CE3] interface vlanif 300
[CE3-Vlanif300] pim sm //Enable PIM-SM on VLANIF300.
[CE3-Vlanif300] quit
[CE3] interface vlanif 301
[CE3-Vlanif301] pim sm //Enable PIM-SM on VLANIF301.
[CE3-Vlanif301] igmp enable //Enable IGMP on VLANIF301.
[CE3-Vlanif301] quit

# Configure CE4, egress for a site of service B.
[CE4] multicast routing-enable //Enable multicast routing globally.
[CE4] interface vlanif 400
[CE4-Vlanif400] pim sm //Enable PIM-SM on VLANIF400.
[CE4-Vlanif400] quit
[CE4] interface vlanif 401
[CE4-Vlanif401] pim sm //Enable PIM-SM on VLANIF401.
[CE4-Vlanif401] igmp enable //Enable IGMP on VLANIF401.
[CE4-Vlanif401] quit

Step 4 Verify the configuration.
After the configuration is complete, receivers on the private networks can receive
multicast data from the multicast source.

----End

Configuration Files
● Configuration file of provider edge PE1
#
sysname PE1
#
router id 1.1.1.1
#
vlan batch 10 20 30
#
multicast routing-enable
#
ip vpn-instance blue
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
multicast routing-enable
multicast-domain source-interface LoopBack0
multicast-domain share-group 239.1.1.1 binding mtunnel 0
#
ip vpn-instance white
ipv4-family
route-distinguisher 200:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
multicast routing-enable
multicast-domain source-interface LoopBack0
multicast-domain share-group 239.1.2.1 binding mtunnel 10
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance blue
ip address 10.1.1.1 255.255.255.0
pim sm
#
interface Vlanif20
ip binding vpn-instance white
ip address 10.1.2.1 255.255.255.0
pim sm
#
interface Vlanif30
ip address 10.1.3.1 255.255.255.0
pim sm
mpls
mpls ldp
#
interface Eth-Trunk10
stp disable
service type multicast-tunnel
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet3/0/5
eth-trunk 10
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
pim sm
#
interface MTunnel0
ip binding vpn-instance blue
#
interface MTunnel10
ip binding vpn-instance white
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance blue
import-route ospf 2
#
ipv4-family vpn-instance white
import-route ospf 3
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.3.0 0.0.0.255
#
ospf 2 vpn-instance blue
import-route bgp
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
ospf 3 vpn-instance white
import-route bgp
area 0.0.0.0
network 10.1.2.0 0.0.0.255
#
pim vpn-instance blue
c-bsr Vlanif10
c-rp Vlanif10
#
pim vpn-instance white
c-bsr Vlanif20
c-rp Vlanif20
#
return
● Configuration file of provider edge PE2
#
sysname PE2
#
router id 3.3.3.3
#
vlan batch 40 50 60
#
multicast routing-enable
#
ip vpn-instance blue
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
multicast routing-enable
multicast-domain source-interface LoopBack0
multicast-domain share-group 239.1.1.1 binding mtunnel 0
#
ip vpn-instance white
ipv4-family
route-distinguisher 200:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
multicast routing-enable
multicast-domain source-interface LoopBack0
multicast-domain share-group 239.1.2.1 binding mtunnel 10
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif40
ip address 10.1.4.2 255.255.255.0
pim sm
mpls
mpls ldp
#
interface Vlanif50
ip binding vpn-instance blue
ip address 10.1.5.1 255.255.255.0
pim sm
#
interface Vlanif60
ip binding vpn-instance white
ip address 10.1.6.1 255.255.255.0
pim sm
#
interface Eth-Trunk10
stp disable
service type multicast-tunnel
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 50 60
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 40
#
interface GigabitEthernet3/0/5
eth-trunk 10
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
pim sm
#
interface MTunnel0
ip binding vpn-instance blue
#
interface MTunnel10
ip binding vpn-instance white
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
#
ipv4-family vpn-instance blue
import-route ospf 2
#
ipv4-family vpn-instance white
import-route ospf 3
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.1.4.0 0.0.0.255
#
ospf 2 vpn-instance blue
import-route bgp
area 0.0.0.0
network 10.1.5.0 0.0.0.255
#
ospf 3 vpn-instance white
import-route bgp
area 0.0.0.0
network 10.1.6.0 0.0.0.255
#
return
● Configuration file of provider intermediate device P
#
sysname P
#
router id 2.2.2.2
#
vlan batch 30 40
#
multicast routing-enable
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif30
ip address 10.1.3.2 255.255.255.0
pim sm
mpls
mpls ldp
#
interface Vlanif40
ip address 10.1.4.1 255.255.255.0
pim sm
mpls
mpls ldp
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet3/0/0
port link-type trunk
port trunk allow-pass vlan 40
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
#
pim
c-bsr LoopBack0
c-rp LoopBack0
#
return
● Configuration file of branches' aggregate egress MCE1
#
sysname MCE1
#
vlan batch 10 20 100 200
#
multicast routing-enable
#
ip vpn-instance blue
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
multicast routing-enable
#
ip vpn-instance white
ipv4-family
route-distinguisher 200:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
multicast routing-enable
#
interface Vlanif10
ip binding vpn-instance blue
ip address 10.1.1.2 255.255.255.0
pim sm
#
interface Vlanif20
ip binding vpn-instance white
ip address 10.1.2.2 255.255.255.0
pim sm
#
interface Vlanif100
ip binding vpn-instance blue
ip address 192.168.1.1 255.255.255.0
pim sm
#
interface Vlanif200
ip binding vpn-instance white
ip address 192.168.2.1 255.255.255.0
pim sm
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ospf 1 vpn-instance blue
vpn-instance-capability simple
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
ospf 2 vpn-instance white
vpn-instance-capability simple
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● Configuration file of branches' aggregate egress MCE2
#
sysname MCE2
#
vlan batch 50 60 300 400
#
multicast routing-enable
#
ip vpn-instance blue
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
multicast routing-enable
#
ip vpn-instance white
ipv4-family
route-distinguisher 200:1
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
multicast routing-enable
#
interface Vlanif50
ip binding vpn-instance blue
ip address 10.1.5.2 255.255.255.0
pim sm
#
interface Vlanif60
ip binding vpn-instance white
ip address 10.1.6.2 255.255.255.0
pim sm
#
interface Vlanif300
ip binding vpn-instance blue
ip address 192.168.3.1 255.255.255.0
pim sm
#
interface Vlanif400
ip binding vpn-instance white
ip address 192.168.4.1 255.255.255.0
pim sm
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 50 60
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 300
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 400
#
ospf 1 vpn-instance blue
vpn-instance-capability simple
area 0.0.0.0
network 10.1.5.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
ospf 2 vpn-instance white
vpn-instance-capability simple
area 0.0.0.0
network 10.1.6.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
return
● Configuration file of CE1, egress for a site of service A
#
sysname CE1
#
vlan batch 100 to 101
#
multicast routing-enable
#
interface Vlanif100
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
pim sm
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 101
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.11.0 0.0.0.255
#
return
● Configuration file of CE2, egress for a site of service B
#
sysname CE2
#
vlan batch 200 to 201
#
multicast routing-enable
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
pim sm
#
interface Vlanif201
ip address 192.168.12.1 255.255.255.0
pim sm
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 201
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 192.168.12.0 0.0.0.255
#
return
● Configuration file of CE3, egress for a site of service A.
#
sysname CE3
#
vlan batch 300 to 301
#
multicast routing-enable
#
interface Vlanif300
ip address 192.168.3.2 255.255.255.0
pim sm
#
interface Vlanif301
ip address 192.168.13.1 255.255.255.0
pim sm
igmp enable
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 300
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 301
#
ospf 1
area 0.0.0.0
network 192.168.3.0 0.0.0.255
network 192.168.13.0 0.0.0.255
#
return
● Configuration file of CE4, egress for a site of service B
#
sysname CE4
#
vlan batch 400 to 401
#
multicast routing-enable
#
interface Vlanif400
ip address 192.168.4.2 255.255.255.0
pim sm
#
interface Vlanif401
ip address 192.168.14.1 255.255.255.0
pim sm
igmp enable
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 400
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 401
#
ospf 1
area 0.0.0.0
network 192.168.4.0 0.0.0.255
network 192.168.14.0 0.0.0.255
#
return

3.10.1.4 Example for Configuring L3VPN and VRRP

L3VPN and VRRP Overview
L3VPN is suitable for communication between the headquarters and branches in
different locations. As communication data needs to traverse the backbone
network of the ISP, BGP is used to advertise VPN routes and MPLS is used to
forward VPN packets on the backbone network. As different departments of an
enterprise need to be isolated, BGP/MPLS IP VPN can implement route isolation,
address space isolation, and access isolation between different VPNs.
Generally, all hosts on the same network segment have the same default route
with the gateway address as the next hop address. The hosts use the default route
to send packets to the gateway and the gateway forwards the packets to other
network segments. When the gateway fails, the hosts with the same default route
cannot communicate with external networks. Configuring multiple egress
gateways is a common method to improve system reliability. However, route
selection between the gateways becomes an issue.
VRRP solves this problem. VRRP virtualizes multiple routing devices into a virtual
router without changing the networking, and uses the virtual router IP address as
the default gateway address to implement gateway backup. When the master in
the virtual router fails, VRRP uses a backup to transmit service traffic.
It is recommended that you set the preemption delay of the backup in a VRRP
group to 0, configure the master in preemption mode, and set its preemption
delay to longer than 15s. These settings allow time for status synchronization
between the uplink and downlink on an unstable network. Without them, two
masters may coexist and user devices may learn an incorrect master address,
interrupting traffic.
● Preemption mode: A backup preempts to become the master when its priority is
higher than that of the master.
● Non-preemption mode: As long as the master is working properly, a backup
with a higher priority cannot become the master.

Configuration Notes
● Ensure that each device of the same VRRP group is configured with the same
VRID.
● In V200R003 and earlier versions, VRRP can be configured only on the VLANIF
interface.
In V200R005 and later versions, VRRP can be configured on the VLANIF
interface and Layer 3 Ethernet interface.
For a modular switch in V200R006 and later versions, VRRP can be configured
on the VLANIF interface, Layer 3 Ethernet interface, Dot1q termination sub-
interface, and QinQ termination sub-interface.
For a fixed switch in V200R009 and later versions, VRRP can be configured on
the VLANIF interface, Layer 3 Ethernet interface, and sub-interface.
● This example applies to the following products and versions:
– S5700-HI, S5710-EI: V200R002C00 and later versions
– S5720-EI: V200R009C00 and later versions
– S5720-HI: V200R007C10 and later versions
– S5710-HI, S5730-HI, S5731-H, S5731S-H, S5732-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S5731-S, S5731S-S, S6730-S, S6730S-S: V200R022C00 and later versions
– S6700-EI: V200R005(C00&C01)
– S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712: For
the applicable versions, see Table 3-1 in the section "Applicable Products
and Versions."
● The SA series cards do not support the BGP/MPLS IP VPN function. The X1E
series cards of V200R006C00 and later versions support the BGP/MPLS IP VPN
function.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-136, CE1 and CE2 belong to vpna, and CE1 is dual-homed to PE1 and
PE2 through the switch. The requirements are as follows:
● Normally, CE1 uses PE1 as the default gateway to communicate with CE2.
When PE1 becomes faulty, PE2 takes over from PE1, implementing gateway
redundancy.
● After PE1 recovers, it preempts to become the master and resumes transmitting
data after a preemption delay of 20s.

NOTE

In this scenario, to avoid loops, ensure that all connected interfaces have STP disabled and
connected interfaces are removed from VLAN 1. If STP is enabled and VLANIF interfaces of
switches are used to construct a Layer 3 ring network, an interface on the network will be
blocked. As a result, Layer 3 services on the network cannot run normally.

Figure 3-136 Networking for configuring L3VPN and VRRP

Device   Interface   VLANIF Interface   IP Address
PE1      GE1/0/1     VLANIF 300         192.168.1.1/24
         GE1/0/2     VLANIF 100         10.1.1.1/24
         GE1/0/5     VLANIF 100         10.1.1.1/24
PE2      GE1/0/1     VLANIF 200         192.168.2.1/24
         GE1/0/2     VLANIF 100         10.1.1.2/24
         GE1/0/5     VLANIF 100         10.1.1.2/24
PE3      GE1/0/1     VLANIF 300         192.168.1.2/24
         GE1/0/2     VLANIF 200         192.168.2.2/24
         GE1/0/3     VLANIF 400         172.16.1.100/24
CE1      GE1/0/3     VLANIF 100         10.1.1.100/24
CE2      GE1/0/3     VLANIF 400         172.16.1.200/24

Configuration Roadmap
VRRP is configured to implement gateway redundancy on the L3VPN. The
configuration roadmap is as follows:
1. Configure OSPF between PEs to implement IP connectivity on the backbone
network.
2. Configure basic MPLS functions and MPLS LDP on PEs so that MPLS LSPs can
be established to transmit VPN data.
3. Configure VPN instances on PEs to implement connectivity between VPNs.
Bind VPN instances to PE interfaces connected to CEs so that VPN users can
be connected.
4. Configure MP-IBGP between PE1 and PE3, and between PE2 and PE3 to
exchange VPN routing information.
5. Configure EBGP between CEs and PEs to exchange VPN routing information.
6. Configure a loop prevention protocol on PE1, PE2, and the switch to prevent
loops. Here, MSTP is used.
7. Configure a VRRP group on PE1 and PE2. Set a higher priority for PE1 so that
PE1 functions as the master to forward traffic, and set the preemption delay
to 20s on PE1. Set a lower priority for PE2 so that PE2 functions as the
backup.

Procedure
Step 1 Configure an IGP protocol on the MPLS backbone network so that the PEs can
communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan 300
[PE1-vlan300] quit
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type hybrid
[PE1-GigabitEthernet1/0/1] port hybrid pvid vlan 300
[PE1-GigabitEthernet1/0/1] port hybrid untagged vlan 300
[PE1-GigabitEthernet1/0/1] quit
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] interface vlanif 300
[PE1-Vlanif300] ip address 192.168.1.1 24
[PE1-Vlanif300] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan 200
[PE2-vlan200] quit
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port link-type hybrid
[PE2-GigabitEthernet1/0/1] port hybrid pvid vlan 200
[PE2-GigabitEthernet1/0/1] port hybrid untagged vlan 200
[PE2-GigabitEthernet1/0/1] quit
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.2 32
[PE2-LoopBack1] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] ip address 192.168.2.1 24
[PE2-Vlanif200] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

# Configure PE3.
<HUAWEI> system-view
[HUAWEI] sysname PE3
[PE3] vlan batch 200 300
[PE3] interface gigabitethernet 1/0/1
[PE3-GigabitEthernet1/0/1] port link-type hybrid
[PE3-GigabitEthernet1/0/1] port hybrid pvid vlan 300
[PE3-GigabitEthernet1/0/1] port hybrid untagged vlan 300
[PE3-GigabitEthernet1/0/1] quit
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] port link-type hybrid
[PE3-GigabitEthernet1/0/2] port hybrid pvid vlan 200
[PE3-GigabitEthernet1/0/2] port hybrid untagged vlan 200
[PE3-GigabitEthernet1/0/2] quit
[PE3] interface loopback 1
[PE3-LoopBack1] ip address 3.3.3.3 32
[PE3-LoopBack1] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] ip address 192.168.2.2 24
[PE3-Vlanif200] quit
[PE3] interface vlanif 300
[PE3-Vlanif300] ip address 192.168.1.2 24
[PE3-Vlanif300] quit
[PE3] ospf 1
[PE3-ospf-1] area 0
[PE3-ospf-1-area-0.0.0.0] network 192.168.2.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[PE3-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE3-ospf-1-area-0.0.0.0] quit
[PE3-ospf-1] quit

Step 2 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the
MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 300
[PE1-Vlanif300] mpls
[PE1-Vlanif300] mpls ldp
[PE1-Vlanif300] quit

# Configure PE2.
[PE2] mpls lsr-id 2.2.2.2
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 200
[PE2-Vlanif200] mpls
[PE2-Vlanif200] mpls ldp
[PE2-Vlanif200] quit

# Configure PE3.
[PE3] mpls lsr-id 3.3.3.3
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3] interface vlanif 200
[PE3-Vlanif200] mpls
[PE3-Vlanif200] mpls ldp
[PE3-Vlanif200] quit
[PE3] interface vlanif 300
[PE3-Vlanif300] mpls
[PE3-Vlanif300] mpls ldp
[PE3-Vlanif300] quit

Step 3 Configure a VPN instance on each PE and connect CEs to PEs.
# Configure the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type hybrid
[Switch-GigabitEthernet1/0/3] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/3] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/3] quit

# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type hybrid
[PE1-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[PE1-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/5
[PE1-GigabitEthernet1/0/5] port link-type hybrid
[PE1-GigabitEthernet1/0/5] port hybrid pvid vlan 100
[PE1-GigabitEthernet1/0/5] port hybrid untagged vlan 100
[PE1-GigabitEthernet1/0/5] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip binding vpn-instance vpna
[PE1-Vlanif100] ip address 10.1.1.1 24
[PE1-Vlanif100] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 100:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] port link-type hybrid
[PE2-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[PE2-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[PE2-GigabitEthernet1/0/2] quit
[PE2] interface gigabitethernet 1/0/5
[PE2-GigabitEthernet1/0/5] port link-type hybrid
[PE2-GigabitEthernet1/0/5] port hybrid pvid vlan 100
[PE2-GigabitEthernet1/0/5] port hybrid untagged vlan 100
[PE2-GigabitEthernet1/0/5] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] ip binding vpn-instance vpna
[PE2-Vlanif100] ip address 10.1.1.2 24
[PE2-Vlanif100] quit

# Configure PE3.
[PE3] ip vpn-instance vpna
[PE3-vpn-instance-vpna] route-distinguisher 100:1
[PE3-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE3-vpn-instance-vpna-af-ipv4] quit
[PE3-vpn-instance-vpna] quit
[PE3] vlan 400
[PE3-vlan400] quit
[PE3] interface gigabitethernet 1/0/3
[PE3-GigabitEthernet1/0/3] port link-type hybrid
[PE3-GigabitEthernet1/0/3] port hybrid pvid vlan 400
[PE3-GigabitEthernet1/0/3] port hybrid untagged vlan 400
[PE3-GigabitEthernet1/0/3] quit
[PE3] interface vlanif 400
[PE3-Vlanif400] ip binding vpn-instance vpna
[PE3-Vlanif400] ip address 172.16.1.100 24
[PE3-Vlanif400] quit

# Configure CE1.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] interface gigabitethernet 1/0/3
[CE1-GigabitEthernet1/0/3] port link-type hybrid
[CE1-GigabitEthernet1/0/3] port hybrid pvid vlan 100
[CE1-GigabitEthernet1/0/3] port hybrid untagged vlan 100
[CE1-GigabitEthernet1/0/3] quit
[CE1] interface vlanif 100
[CE1-Vlanif100] ip address 10.1.1.100 24
[CE1-Vlanif100] quit

# Configure CE2.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan 400
[CE2-vlan400] quit
[CE2] interface gigabitethernet 1/0/3
[CE2-GigabitEthernet1/0/3] port link-type hybrid
[CE2-GigabitEthernet1/0/3] port hybrid pvid vlan 400
[CE2-GigabitEthernet1/0/3] port hybrid untagged vlan 400
[CE2-GigabitEthernet1/0/3] quit
[CE2] interface vlanif 400
[CE2-Vlanif400] ip address 172.16.1.200 24
[CE2-Vlanif400] quit

Step 4 Set up EBGP peer relationships between PEs and CEs and import VPN routes.

# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.111 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure CE2.
[CE2] bgp 65430
[CE2-bgp] peer 172.16.1.100 as-number 100
[CE2-bgp] import-route direct
[CE2-bgp] quit

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.100 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] ipv4-family vpn-instance vpna
[PE2-bgp-vpna] peer 10.1.1.100 as-number 65410
[PE2-bgp-vpna] import-route direct
[PE2-bgp-vpna] quit
[PE2-bgp] quit

# Configure PE3.
[PE3] bgp 100
[PE3-bgp] ipv4-family vpn-instance vpna
[PE3-bgp-vpna] peer 172.16.1.200 as-number 65430
[PE3-bgp-vpna] import-route direct
[PE3-bgp-vpna] quit
[PE3-bgp] quit

Step 5 Set up MP-IBGP peer relationships between PEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.3 as-number 100
[PE1-bgp] peer 3.3.3.3 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 3.3.3.3 as-number 100
[PE2-bgp] peer 3.3.3.3 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 3.3.3.3 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

# Configure PE3.
[PE3] bgp 100
[PE3-bgp] peer 1.1.1.1 as-number 100
[PE3-bgp] peer 2.2.2.2 as-number 100
[PE3-bgp] peer 1.1.1.1 connect-interface loopback 1
[PE3-bgp] peer 2.2.2.2 connect-interface loopback 1
[PE3-bgp] ipv4-family vpnv4
[PE3-bgp-af-vpnv4] peer 1.1.1.1 enable
[PE3-bgp-af-vpnv4] peer 2.2.2.2 enable
[PE3-bgp-af-vpnv4] quit
[PE3-bgp] quit

Step 6 Configure MSTP to block the link between PE2 and the switch and prevent loops.
# Configure PE1 to work in MSTP mode.
[PE1] stp mode mstp

# Configure PE2 to work in MSTP mode.
[PE2] stp mode mstp

# Configure the switch to work in MSTP mode.
[Switch] stp mode mstp

# Configure PE1 as the root bridge.
[PE1] stp root primary

# Configure PE2 as the secondary root bridge.
[PE2] stp root secondary

# Set the path cost of the port connecting PE2 and the switch to 400000 to block
the link between PE2 and the switch.
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] stp cost 400000
[PE2-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] stp cost 400000
[Switch-GigabitEthernet1/0/2] quit

# Disable STP on GigabitEthernet1/0/3, which connects the switch to CE1.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] stp disable
[Switch-GigabitEthernet1/0/3] quit

# Enable STP on PE1 globally.
[PE1] stp enable

# Enable STP on PE2 globally.
[PE2] stp enable

# Enable STP on the switch globally.
[Switch] stp enable

# After the configuration is complete, run the display stp brief command on the
switch. You can see that GE1/0/2 is the alternate port and in DISCARDING state.
[Switch] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 ROOT FORWARDING NONE
0 GigabitEthernet1/0/2 ALTE DISCARDING NONE

Step 7 Configure a VRRP group.
# Configure VRRP group 1 on PE1, and set the priority of PE1 to 120 and the
preemption delay to 20s.
[PE1] interface vlanif 100
[PE1-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111 //Create VRRP group 1.
[PE1-Vlanif100] vrrp vrid 1 priority 120 //Set the priority to 120.
[PE1-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20 //Set the preemption delay to 20s.
[PE1-Vlanif100] quit

# Configure VRRP group 1 on PE2. PE2 uses the default priority 100.
[PE2] interface vlanif 100
[PE2-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111 //Create VRRP group 1.
[PE2-Vlanif100] quit

Step 8 Verify the configuration.
# After the configuration is complete, run the display vrrp command on PE1 and
PE2. You can see that PE1 is in Master state and PE2 is in Backup state.
[PE1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[PE2] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# Run the shutdown command on GE1/0/2 and GE1/0/5 of PE1 to simulate a link
fault.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] shutdown
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/5
[PE1-GigabitEthernet1/0/5] shutdown
[PE1-GigabitEthernet1/0/5] quit

# Run the display vrrp command on PE2 to check the VRRP status. The command
output shows that PE2 is in Master state.
[PE2] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:18:40

# Run the undo shutdown command on GE1/0/2 and GE1/0/5 of PE1. After 20s,
run the display vrrp command on PE1 to check the VRRP status. PE1 is restored to
the Master state.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] undo shutdown
[PE1-GigabitEthernet1/0/2] quit
[PE1] interface gigabitethernet 1/0/5
[PE1-GigabitEthernet1/0/5] undo shutdown
[PE1-GigabitEthernet1/0/5] quit
[PE1] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:20:56

----End
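
The failover sequence verified in Steps 7 and 8, replayed as an added Python model that is not code from the Huawei document: PE1 (priority 120, preempt delay 20 s) is Master, a link fault hands the role to PE2 (default priority 100), and PE1 takes it back only 20 s after its links come up again. The model assumes a 1 s advertisement interval, that a backup declares the Master down after three missed advertisements (skew time ignored), and that preempt mode is on by default; the event times are constructed.

```python
"""Added example (not from the Huawei document): a small VRRP master-election
model that replays the sequence verified in Steps 7 and 8. PE1 (priority 120,
preempt delay 20 s) is Master, a link fault hands the role to PE2 (default
priority 100), and PE1 takes it back only 20 s after its links come up again.
Assumptions: advertisement interval 1 s, a backup declares the Master down after
three missed advertisements (skew time ignored), preempt mode on by default."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

ADVERT_INTERVAL = 1                  # TimerRun : 1 s
MASTER_DOWN = 3 * ADVERT_INTERVAL    # simplified RFC 3768 Master_Down_Interval


@dataclass
class VrrpRouter:
    name: str
    ip: str
    priority: int = 100           # PriorityConfig; PE2 keeps the default
    preempt_delay: int = 0        # 'vrrp vrid 1 preempt-mode timer delay <s>'
    link_up: bool = True
    state: str = "Initialize"
    preempt_at: Optional[int] = None   # time at which a pending preemption fires

    def key(self) -> Tuple[int, IPv4Address]:
        # Higher priority wins; ties go to the higher interface address.
        return (self.priority, IPv4Address(self.ip))


@dataclass
class VrrpGroup:
    routers: List[VrrpRouter]
    vrid: int = 1
    virtual_ip: str = "10.1.1.111"
    master: Optional[VrrpRouter] = None
    master_lost_at: Optional[int] = None   # when backups stopped hearing adverts

    def tick(self, now: int) -> Optional[str]:
        """Advance the group to time 'now' and return the current Master's name."""
        for r in self.routers:
            if not r.link_up:                 # interface down: leave the group
                r.state, r.preempt_at = "Initialize", None
        # A Master whose link failed stops advertising; the backups only notice
        # once MASTER_DOWN seconds have passed without an advertisement.
        if self.master is not None and not self.master.link_up:
            if self.master_lost_at is None:
                self.master_lost_at = now
            if now - self.master_lost_at < MASTER_DOWN:
                return self.master.name       # PE2 still believes PE1 is Master
            self.master, self.master_lost_at = None, None
        up = [r for r in self.routers if r.link_up]
        if not up:
            return None
        if self.master is None:
            self.master = max(up, key=VrrpRouter.key)
        for r in up:
            if r is self.master:
                r.state = "Master"
            elif r.key() > self.master.key():
                # A better router has returned: it preempts, but only after its delay.
                r.state = "Backup"
                if r.preempt_at is None:
                    r.preempt_at = now + r.preempt_delay
                if now >= r.preempt_at:
                    self.master.state = "Backup"
                    self.master, r.state, r.preempt_at = r, "Master", None
            else:
                r.state, r.preempt_at = "Backup", None
        return self.master.name


def run_scenario(preempt_delay: int = 20) -> List[Tuple[int, Optional[str]]]:
    """Replay Step 8: PE1's links are shut down at t=10 and restored at t=30
    (constructed times). Returns the (time, Master) transitions the model produces."""
    pe1 = VrrpRouter("PE1", "10.1.1.1", priority=120, preempt_delay=preempt_delay)
    pe2 = VrrpRouter("PE2", "10.1.1.2")
    group = VrrpGroup([pe1, pe2])
    link_events = {10: False, 30: True}   # shutdown / undo shutdown on PE1
    transitions, last = [], object()
    for now in range(60):
        if now in link_events:
            pe1.link_up = link_events[now]
        master = group.tick(now)
        if master != last:
            transitions.append((now, master))
            last = master
    return transitions


if __name__ == "__main__":
    print("delay 20 s:", run_scenario(20))   # [(0, 'PE1'), (13, 'PE2'), (50, 'PE1')]
    print("delay 0 s :", run_scenario(0))    # [(0, 'PE1'), (13, 'PE2'), (30, 'PE1')]
```

Running it with a delay of 0 shows why the delay is configured: PE1 would reclaim the Master role the instant its links return, before the upstream routes and MSTP have converged.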

Configuration Files
● Configuration file of PE1
#
sysname PE1
#
vlan batch 100 300
#
stp instance 0 root primary
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/5
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.100 as-number 65410
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return
● Configuration file of PE2
#
sysname PE2
#
vlan batch 100 200
#
stp instance 0 root secondary
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif100
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
stp instance 0 cost 400000
#
interface GigabitEthernet1/0/5
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
bgp 100
peer 3.3.3.3 as-number 100
peer 3.3.3.3 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.3 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.3 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 10.1.1.100 as-number 65410
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 192.168.2.0 0.0.0.255
#
return
● Configuration file of PE3
#
sysname PE3
#
vlan batch 200 300 400
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif300
ip address 192.168.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif400
ip binding vpn-instance vpna
ip address 172.16.1.100 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
bgp 100
peer 1.1.1.1 as-number 100
peer 1.1.1.1 connect-interface LoopBack1
peer 2.2.2.2 as-number 100
peer 2.2.2.2 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.1 enable
peer 2.2.2.2 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.1 enable
peer 2.2.2.2 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 172.16.1.200 as-number 65430
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● Configuration file of the switch
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
stp instance 0 cost 400000
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
stp disable
#
return
● Configuration file of CE1
#
sysname CE1
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.100 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
bgp 65410
peer 10.1.1.111 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.111 enable
#
return
● Configuration file of CE2
#
sysname CE2
#
vlan batch 400
#
interface Vlanif400
ip address 172.16.1.200 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
bgp 65430
peer 172.16.1.100 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 172.16.1.100 enable
#
return

3.10.1.5 Example for Configuring Routing Policies to Control Mutual Access Between L3VPN Users

Overview
BGP/MPLS IP VPN is an MPLS-based L3VPN that can be flexibly deployed and
easily extended, and is suitable for deployment on a large scale. BGP/MPLS IP VPN
technology can be used to implement secure communication or isolation between
branches in different locations.

Routing policies are used to filter routes and set route attributes. By changing
route attributes, you can change the path over which network traffic is transmitted.

BGP/MPLS IP VPN can be combined with routing policies to control the receiving
and advertisement of VPN routes, implementing mutual access between specific
branch users.

Configuration Notes
● This example applies to the following products and versions:
– S5700-HI, S5710-EI: V200R002C00 and later versions
– S5720-EI: V200R009C00 and later versions
– S5720-HI: V200R007C10 and later versions
– S5710-HI, S5730-HI, S5731-H, S5731S-H, S5732-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S5731-S, S5731S-S, S6730-S, S6730S-S: V200R022C00 and later versions
– S6700-EI: V200R005(C00&C01)
– S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712: For
the applicable versions, see Table 3-1 in the section "Applicable Products
and Versions."
● The SA series cards do not support the BGP/MPLS IP VPN function. The X1E
series cards of V200R006C00 and later versions support the BGP/MPLS IP VPN
function.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-137, CE1 is connected to the branch Site 1, and CE2 is
connected to the branch Site 2. Site 1 and Site 2 communicate with each other
over the ISP backbone network. The enterprise requires that L3VPN users on some
network segments can securely communicate with each other to meet service
requirements.

Figure 3-137 Configuring routing policies to control mutual access between
L3VPN users

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between the PE devices to ensure IP connectivity on the
backbone network.
2. Enable basic MPLS capabilities and MPLS LDP on the PE devices to set up
MPLS LSP tunnels for VPN data transmission on the backbone network.
3. Create VPN instances on the PE devices, bind CE interfaces to the VPN
instances, and assign different VPN targets to the VPN instances to isolate
users from different branches.
4. Configure routing policies on the PE devices and change the VPN targets of
routes filtered out based on specified routing policies to implement
communication between branch users on a specified network segment.
5. Set up EBGP peer relationships between the CE and PE devices so that they
can exchange VPN routing information.
6. Configure MP-IBGP between the PE devices to enable them to exchange VPN
routing information.

Procedure
Step 1 Configure an IGP on the MPLS backbone network so that the PE devices
can communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 10 100
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type trunk
[PE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type trunk
[PE1-GigabitEthernet2/0/0] port trunk allow-pass vlan 100
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] ip address 172.10.1.1 24
[PE1-Vlanif100] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.10.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 2.2.2.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 10 100
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type trunk
[PE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type trunk
[PE2-GigabitEthernet2/0/0] port trunk allow-pass vlan 100
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] ip address 172.10.1.2 24
[PE2-Vlanif100] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.10.1.0 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration is complete, run the display ospf peer command. The
command output shows that an OSPF neighbor relationship has been set up between
PE1 and PE2 and that the neighbor status is Full. Run the display ip routing-table
command on PE1 and PE2, and you can see that PE1 and PE2 have learned the
routes to each other's Loopback1 address.
Step 2 Enable basic MPLS capabilities and MPLS LDP on the PE devices to set up LDP
LSPs on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 100
[PE1-Vlanif100] mpls
[PE1-Vlanif100] mpls ldp
[PE1-Vlanif100] quit

# Configure PE2.
[PE2] mpls lsr-id 2.2.2.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 100
[PE2-Vlanif100] mpls
[PE2-Vlanif100] mpls ldp
[PE2-Vlanif100] quit

After the configuration is complete, PE1 and PE2 have established an LDP session.
Run the display mpls ldp session command, and you can see that the LDP
session status is Operational.
Step 3 Configure a VPN instance on each PE device and connect the CE devices to the PE
devices.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] interface vlanif 10
[PE1-Vlanif10] ip binding vpn-instance vpna
[PE1-Vlanif10] ip address 192.168.1.1 24
[PE1-Vlanif10] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 222:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] interface vlanif 10
[PE2-Vlanif10] ip binding vpn-instance vpna
[PE2-Vlanif10] ip address 192.168.2.1 24
[PE2-Vlanif10] quit

# Assign IP addresses to interfaces on CE1 and CE2 according to Figure 3-137.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 192.168.1.2 24
[CE1-Vlanif10] quit
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 192.168.2.2 24
[CE2-Vlanif10] quit

After the configuration is complete, run the display ip vpn-instance verbose
command on PE1 and PE2 to view the VPN instance configuration. The PE devices can
ping the CE devices attached to them.

NOTE

If a PE device has multiple interfaces bound to the same VPN instance, you need to specify
a source IP address when pinging the CE device connected to the remote PE device. To
specify the source IP address, set the -a source-ip-address parameter in the ping -vpn-instance
vpn-instance-name -a source-ip-address dest-ip-address command. If no source IP
address is specified, the ping operation fails.

Step 4 Configure routing policies.

# Configure PE1.
[PE1] ip ip-prefix ipPrefix1 index 10 permit 192.168.1.0 24 greater-equal 24 less-equal 32
[PE1] route-policy vpnroute permit node 1
[PE1-route-policy] if-match ip-prefix ipPrefix1
[PE1-route-policy] apply extcommunity rt 222:1
[PE1-route-policy] quit
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] export route-policy vpnroute
[PE1-vpn-instance-vpna] quit

# Configure PE2.
[PE2] ip ip-prefix ipPrefix1 index 10 permit 192.168.2.0 24 greater-equal 24 less-equal 32
[PE2] route-policy vpnroute permit node 1
[PE2-route-policy] if-match ip-prefix ipPrefix1
[PE2-route-policy] apply extcommunity rt 111:1
[PE2-route-policy] quit
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] export route-policy vpnroute
[PE2-vpn-instance-vpna] quit

Step 5 Set up EBGP peer relationships between the PE and CE devices and import VPN
routes.

# Configure CE1. The configuration of CE2 is similar to that of CE1 and is not
described here.
[CE1] bgp 65410
[CE1-bgp] peer 192.168.1.1 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE1. The configuration of PE2 is similar to that of PE1 and is not
described here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 192.168.1.2 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] quit

After the configuration is complete, run the display bgp vpnv4 vpn-instance
vpna peer command on PE1 and PE2. You can see that the BGP peer relationships
between the PE and CE devices have been established and are in the Established state.

Step 6 Set up an MP-IBGP peer relationship between PE1 and PE2.

# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 2.2.2.9 as-number 100
[PE1-bgp] peer 2.2.2.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 2.2.2.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit

After the configuration is complete, run the display bgp peer or display bgp
vpnv4 all peer command on PE1 and PE2. You can see that the BGP peer
relationship between the PE devices has been established and is in the
Established state.
Step 7 Verify the configuration.
# Run the ping -vpn-instance command on PE1 and PE2. You can successfully
ping the CE site attached to the peer PE device.
The output on PE1 is used as an example:
[PE1] ping -vpn-instance vpna 192.168.2.2
PING 192.168.2.2: 56 data bytes, press CTRL_C to break
Reply from 192.168.2.2: bytes=56 Sequence=1 ttl=254 time=6 ms
Reply from 192.168.2.2: bytes=56 Sequence=2 ttl=254 time=5 ms
Reply from 192.168.2.2: bytes=56 Sequence=3 ttl=254 time=7 ms
Reply from 192.168.2.2: bytes=56 Sequence=4 ttl=254 time=6 ms
Reply from 192.168.2.2: bytes=56 Sequence=5 ttl=254 time=5 ms

--- 192.168.2.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 5/5/7 ms

----End
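
How the VPN targets of Step 3 and the export route-policy of Step 4 together decide which site routes cross the VPN, as an added Python model that is not code from the Huawei document. It uses the prefixes and RTs of this example, assumes that apply extcommunity rt without additive replaces the VPN instance's export RT list, and adds constructed 10.x.0.0/16 site-internal routes that the policy must keep isolated.

```python
"""Added example (not Huawei's code): models how the export route-policy in
Step 4 changes the VPN target (RT) of selected routes, and how the remote PE's
import RT list then decides which VPNv4 routes it installs. Prefixes and RTs
are those of this example; the 10.x.0.0/16 routes are constructed extras."""
from dataclasses import dataclass, field
from ipaddress import IPv4Network


@dataclass(frozen=True)
class PrefixRule:
    """One 'ip ip-prefix ... permit <net> <len> greater-equal <ge> less-equal <le>' node."""
    network: IPv4Network
    ge: int
    le: int

    def matches(self, route: IPv4Network) -> bool:
        # The route's own length must lie in [ge, le] and the route must sit
        # inside the rule's network (its first <len> bits match).
        if not self.ge <= route.prefixlen <= self.le:
            return False
        return route.subnet_of(self.network)


@dataclass
class VpnInstance:
    name: str
    rd: str
    export_rt: frozenset      # 'vpn-target ... export-extcommunity'
    import_rt: frozenset      # 'vpn-target ... import-extcommunity'
    # (rule, rt) pairs from 'route-policy ... if-match ip-prefix / apply extcommunity rt'
    export_policy: list = field(default_factory=list)

    def export_rts(self, route: IPv4Network) -> frozenset:
        """RTs attached to a route when MP-BGP advertises it from this instance."""
        for rule, rt in self.export_policy:
            if rule.matches(route):
                # Assumption: 'apply extcommunity rt' without 'additive' replaces
                # the instance's default export RT list for the matched route.
                return frozenset({rt})
        return self.export_rt

    def accepts(self, rts: frozenset) -> bool:
        """A VPNv4 route is installed only if one of its RTs is in the import list."""
        return bool(self.import_rt & rts)


def pe1_vpna(with_policy: bool = True) -> VpnInstance:
    rule = PrefixRule(IPv4Network("192.168.1.0/24"), ge=24, le=32)
    return VpnInstance("vpna", "100:1", frozenset({"111:1"}), frozenset({"111:1"}),
                       [(rule, "222:1")] if with_policy else [])


def pe2_vpna(with_policy: bool = True) -> VpnInstance:
    rule = PrefixRule(IPv4Network("192.168.2.0/24"), ge=24, le=32)
    return VpnInstance("vpna", "200:1", frozenset({"222:1"}), frozenset({"222:1"}),
                       [(rule, "111:1")] if with_policy else [])


def advertise(src: VpnInstance, dst: VpnInstance, routes) -> dict:
    """Map each route advertised by src to whether dst installs it."""
    return {str(r): dst.accepts(src.export_rts(r)) for r in routes}


# Constructed sample routes: the PE-CE segment of each site (as imported by
# 'import-route direct') plus an extra site-internal segment that must stay isolated.
SITE1_ROUTES = [IPv4Network("192.168.1.0/24"), IPv4Network("192.168.1.2/32"),
                IPv4Network("10.1.0.0/16")]
SITE2_ROUTES = [IPv4Network("192.168.2.0/24"), IPv4Network("10.2.0.0/16")]


if __name__ == "__main__":
    print("PE1 -> PE2 :", advertise(pe1_vpna(), pe2_vpna(), SITE1_ROUTES))
    print("PE2 -> PE1 :", advertise(pe2_vpna(), pe1_vpna(), SITE2_ROUTES))
    # Without the route-policy the two instances share no RT, so nothing crosses.
    print("no policy  :", advertise(pe1_vpna(False), pe2_vpna(False), SITE1_ROUTES))
```

The third case shows the baseline the policy builds on: with 111:1 on one side and 222:1 on the other, the sites are fully isolated, and the route-policy opens only the 192.168.x.0/24 segments.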

Configuration Files
● Configuration file of PE1
#
sysname PE1
#
vlan batch 10 100
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
export route-policy vpnroute
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif100
ip address 172.10.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 2.2.2.9 as-number 100
peer 2.2.2.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 2.2.2.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 2.2.2.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 192.168.1.2 as-number 65410
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 172.10.1.0 0.0.0.255
#
route-policy vpnroute permit node 1
if-match ip-prefix ipPrefix1
apply extcommunity rt 222:1
#
ip ip-prefix ipPrefix1 index 10 permit 192.168.1.0 24 greater-equal 24 less-equal 32
#
return
● Configuration file of PE2
#
sysname PE2
#
vlan batch 10 100
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
export route-policy vpnroute
vpn-target 222:1 export-extcommunity
vpn-target 222:1 import-extcommunity
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif10
ip binding vpn-instance vpna
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif100
ip address 172.10.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 100
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
peer 192.168.2.2 as-number 65420
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 172.10.1.0 0.0.0.255
#
route-policy vpnroute permit node 1
if-match ip-prefix ipPrefix1
apply extcommunity rt 111:1
#
ip ip-prefix ipPrefix1 index 10 permit 192.168.2.0 24 greater-equal 24 less-equal 32
#
return
● Configuration file of CE1
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
bgp 65410
peer 192.168.1.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 192.168.1.1 enable
#
return
● Configuration file of CE2
#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.2.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
bgp 65420
peer 192.168.2.1 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 192.168.2.1 enable
#
return

3.10.2 Example for Connecting QinQ Termination Sub-interfaces to a VLL Network
Overview
As a point-to-point (P2P) Layer 2 tunneling technology based on MPLS, VLL
transparently transmits Layer 2 data packets over the MPLS backbone network, so
that geographically isolated sites that belong to the same VLAN can communicate
with each other.
After QinQ termination sub-interfaces are connected to a VLL network, the sub-
interfaces on devices terminate double VLAN tags before sending the packets to
the VLL network.
QinQ termination sub-interfaces apply to scenarios where all the VLANs (such as
VLAN 100 to VLAN 200) of one site need to communicate with a remote site over
the VLL network or VLAN resources of the public network need to be saved. In
these scenarios, the switching device deployed between the CE and PE devices
adds the same outer VLAN tag to packets carrying different inner VLAN tags from
different CE devices. The sub-interface on the PE device then terminates double
VLAN tags in QinQ packets and sends the packets to the VLL tunnel.
QinQ is an extension to MAN Ethernet VPN on the core VLL network. It can form
an end-to-end VPN solution to implement Layer 2 communication between
geographically isolated users.

Configuration Notes
● This example applies to the following products and versions:
– S5700-HI, S5710-EI: V200R002C00 and later versions
– S5720-EI: V200R009C00 and later versions
– S5720-HI: V200R007C10 and later versions
– S5710-HI, S5730-HI, S5731-H, S5731S-H, S5732-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S5731-S, S5731S-S, S6730-S, S6730S-S: V200R022C00 and later versions
– S6700-EI: V200R005(C00&C01)
– S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S:
For the applicable versions, see Table 3-1 in the section "Applicable
Products and Versions."
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712: For
the applicable versions, see Table 3-1 in the section "Applicable Products
and Versions."
● The SA series cards do not support the VLL function. The X1E series cards of
V200R007 and later versions support the VLL function.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-138, CE1 and CE2 are connected to PE1 and PE2 respectively
through VLANs.

A Martini VLL is set up between CE1 and CE2.

Switch1 is connected to CE1 and PE1.

Switch2 is connected to CE2 and PE2.

You are required to configure selective QinQ on the interfaces connected to CEs so
that the Switch adds the VLAN tags specified by the carrier to the packets sent
from CEs.

When the Switch is connected to multiple CEs, the Switch can add the same VLAN
tag to the packets from different CEs, thereby saving VLAN IDs on the public
network.

Figure 3-138 Networking diagram for connecting QinQ termination sub-interfaces
to a VLL network

Switch   Interface              VLANIF Interface         IP Address
PE1      GigabitEthernet1/0/0   GigabitEthernet1/0/0.1   -
-        GigabitEthernet2/0/0   VLANIF20                 10.1.1.1/24
-        Loopback1              -                        1.1.1.1/32
PE2      GigabitEthernet1/0/0   VLANIF30                 10.2.2.1/24
-        GigabitEthernet2/0/0   GigabitEthernet2/0/0.1   -
-        Loopback1              -                        3.3.3.3/32
P        GigabitEthernet1/0/0   VLANIF30                 10.2.2.2/24
-        GigabitEthernet2/0/0   VLANIF20                 10.1.1.2/24
-        Loopback1              -                        2.2.2.2/32
CE1      GigabitEthernet1/0/0   VLANIF10                 10.10.10.1/24
CE2      GigabitEthernet1/0/0   VLANIF10                 10.10.10.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a routing protocol on devices (PE and P) of the backbone network
to implement interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP for data
transmission.
3. Enable MPLS L2VPN and create VC connections on PEs.
4. Configure QinQ termination sub-interfaces on PE interfaces connected to the
switches to implement VLL access.
5. Configure selective QinQ on the switch interfaces connected to CEs.

Procedure
Step 1 Configure the VLANs to which interfaces of CEs, PEs, and P belong and assign IP
addresses to VLANIF interfaces according to Figure 3-138.
# Configure CE1 to ensure that packets sent from CE1 to Switch1 carry a single
VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type trunk
[CE1-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.10.10.1 24
[CE1-Vlanif10] quit

# Configure CE2 to ensure that packets sent from CE2 to Switch2 carry a single
VLAN tag.
<HUAWEI> system-view
[HUAWEI] sysname CE2
[CE2] vlan batch 10
[CE2] interface gigabitethernet 1/0/0
[CE2-GigabitEthernet1/0/0] port link-type trunk
[CE2-GigabitEthernet1/0/0] port trunk allow-pass vlan 10
[CE2-GigabitEthernet1/0/0] quit
[CE2] interface vlanif 10
[CE2-Vlanif10] ip address 10.10.10.2 24
[CE2-Vlanif10] quit

# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[PE1-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] ip address 10.1.1.1 24
[PE1-Vlanif20] quit

# Configure the P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] vlan batch 20 30
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 20
[P-GigabitEthernet2/0/0] port hybrid tagged vlan 20
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 20
[P-Vlanif20] ip address 10.1.1.2 24
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 10.2.2.2 24
[P-Vlanif30] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] vlan batch 30
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[PE2-GigabitEthernet1/0/0] port hybrid tagged vlan 30
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] ip address 10.2.2.1 24
[PE2-Vlanif30] quit

Step 2 Configure selective QinQ on the interfaces of the switches and specify the VLANs
allowed by the interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan 100
[Switch1-vlan100] quit
[Switch1] interface gigabitethernet2/0/0
[Switch1-GigabitEthernet2/0/0] port link-type hybrid
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet1/0/0
[Switch1-GigabitEthernet1/0/0] port link-type hybrid
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100 //On a fixed switch, first run the qinq vlan-translation enable command to enable VLAN translation.
[Switch1-GigabitEthernet1/0/0] quit

# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan 100
[Switch2-vlan100] quit
[Switch2] interface gigabitethernet2/0/0
[Switch2-GigabitEthernet2/0/0] port link-type hybrid
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 100
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet1/0/0
[Switch2-GigabitEthernet1/0/0] port link-type hybrid
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 100
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100 //On a fixed switch, first run the qinq vlan-translation enable command to enable VLAN translation.
[Switch2-GigabitEthernet1/0/0] quit

Step 3 Configure an IGP on the MPLS backbone network. OSPF is used as an example.
Configure PE1, P, and PE2 to advertise 32-bit loopback interface addresses as the
LSR IDs.
# Configure PE1.
[PE1] router id 1.1.1.1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.1 32
[PE1-LoopBack1] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.1 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.1 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure the P.
[P] router id 2.2.2.2
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.2 32
[P-LoopBack1] quit
[P] ospf 1
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 2.2.2.2 0.0.0.0
[P-ospf-1-area-0.0.0.0] network 10.1.1.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] network 10.2.2.2 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE2.
[PE2] router id 3.3.3.3
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.3 32
[PE2-LoopBack1] quit
[PE2] ospf 1
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.3 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] network 10.2.2.1 0.0.0.255
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

# After the configuration is complete, PE1, P, and PE2 can establish OSPF neighbor
relationships. Run the display ospf peer command. You can see that the OSPF
neighbor relationship status is Full. Run the display ip routing-table command.
You can see that the PEs learn the route to the Loopback1 interface of each other.
The display on PE1 is used as an example:
[PE1] display ospf peer

OSPF Process 1 with Router ID 1.1.1.1


Neighbors

Area 0.0.0.0 interface 10.1.1.1(Vlanif20)'s neighbors


Router ID: 2.2.2.2 Address: 10.1.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: 10.1.1.2 BDR: 10.1.1.1 MTU: 0
Dead timer due in 34 sec
Retrans timer interval: 5
Neighbor is up for 00:01:16
Authentication Sequence: [ 0 ]
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack1
2.2.2.2/32 OSPF 10 1 D 10.1.1.2 Vlanif20
3.3.3.3/32 OSPF 10 2 D 10.1.1.2 Vlanif20
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif20
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
10.2.2.0/24 OSPF 10 2 D 10.1.1.2 Vlanif20
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0

Step 4 Enable basic MPLS functions and MPLS LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.1
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit

# Configure the P.
[P] mpls lsr-id 2.2.2.2
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit

# Configure PE2.
[PE2] mpls lsr-id 3.3.3.3
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 30
[PE2-Vlanif30] mpls
[PE2-Vlanif30] mpls ldp
[PE2-Vlanif30] quit

Step 5 Set up a remote LDP session between PEs.

# Configure PE1.
[PE1] mpls ldp remote-peer 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] remote-ip 3.3.3.3
[PE1-mpls-ldp-remote-3.3.3.3] quit

# Configure PE2.
[PE2] mpls ldp remote-peer 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] remote-ip 1.1.1.1
[PE2-mpls-ldp-remote-1.1.1.1] quit

After the configuration is complete, run the display mpls ldp session command
on PE1 to view the LDP session setup. You can see that an LDP session is set up
between PE1 and PE2.

The display on PE1 is used as an example:


[PE1] display mpls ldp session

LDP Session(s) in Public Network


Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.2:0 Operational DU Passive 0000:15:29 3717/3717
3.3.3.3:0 Operational DU Passive 0000:00:00 2/2
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.

Step 6 Enable MPLS L2VPN on PEs and set up VC connections.

# On PE1, create a VC connection on gigabitethernet1/0/0.1 connected to Switch1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1] vcmp role silent
[PE1] interface gigabitethernet1/0/0
[PE1-GigabitEthernet1/0/0] port link-type hybrid
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet1/0/0.1
[PE1-GigabitEthernet1/0/0.1] qinq termination pe-vid 100 ce-vid 10
[PE1-GigabitEthernet1/0/0.1] mpls l2vc 3.3.3.3 101
[PE1-GigabitEthernet1/0/0.1] quit

# On PE2, create a VC connection on gigabitethernet2/0/0.1 connected to Switch2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
[PE2] vcmp role silent
[PE2] interface gigabitethernet2/0/0
[PE2-GigabitEthernet2/0/0] port link-type hybrid
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet2/0/0.1
[PE2-GigabitEthernet2/0/0.1] qinq termination pe-vid 100 ce-vid 10
[PE2-GigabitEthernet2/0/0.1] mpls l2vc 1.1.1.1 101
[PE2-GigabitEthernet2/0/0.1] quit
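The frame handling that Step 2 (selective QinQ on Switch1 and Switch2) and Step 6 (QinQ termination on the PE sub-interfaces) configure can be traced on real 802.1Q frame bytes. The following Python model is an added example and is not part of this Huawei documentation or of the switch software: the MAC addresses and payload are constructed, TPID 0x8100 is assumed for both the inner and the outer tag, and qinq_termination simply strips both tags, which simplifies what the PW actually carries. It generalises Step 2's single rule to any inner-to-outer VLAN mapping.

```python
"""Selective QinQ (VLAN stacking) on the access switch and QinQ termination on the
PE sub-interface, traced on real 802.1Q frame bytes (added example)."""
import struct

TPID_DOT1Q = 0x8100            # TPID assumed for inner and outer tag (as pushed by the hybrid ports)
TAG_TPIDS = {0x8100, 0x88A8}   # when parsing, also accept the 802.1ad S-tag TPID
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst_mac, src_mac, vids, payload):
    """Ethernet frame with zero or more 802.1Q tags, outermost first (constructed input)."""
    tags = b"".join(struct.pack("!HH", TPID_DOT1Q, vid & 0x0FFF) for vid in vids)
    return (bytes.fromhex(dst_mac) + bytes.fromhex(src_mac) + tags
            + struct.pack("!H", ETHERTYPE_IPV4) + payload)


def parse_tags(frame):
    """Return (VIDs outermost first, offset of the EtherType that follows the tags)."""
    vids, off = [], 12
    while True:
        (tpid,) = struct.unpack_from("!H", frame, off)
        if tpid not in TAG_TPIDS:
            return vids, off
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        vids.append(tci & 0x0FFF)
        off += 4


def vlan_stacking(frame, stack_rules):
    """'port vlan-stacking vlan <inner> stack-vlan <outer>' on the CE-side hybrid port.
    stack_rules maps inner VID -> outer VID. A single-tagged frame whose VID has a rule
    gets the outer tag pushed in front of it; any other frame is not forwarded (None)."""
    vids, _ = parse_tags(frame)
    if len(vids) != 1 or vids[0] not in stack_rules:
        return None
    outer_tag = struct.pack("!HH", TPID_DOT1Q, stack_rules[vids[0]])
    return frame[:12] + outer_tag + frame[12:]


def qinq_termination(frame, pe_vid, ce_vid):
    """'qinq termination pe-vid P ce-vid C' on the PE sub-interface: only a frame whose
    outer tag is P and inner tag is C belongs to this sub-interface. The model strips
    both tags before handing the frame to the VC (what the PW carries depends on the
    VC type, so this is a simplification)."""
    vids, off = parse_tags(frame)
    if vids != [pe_vid, ce_vid]:
        return None
    return frame[:12] + frame[off:]


def ce1_to_pe1(frame):
    """CE1 -> Switch1 GE1/0/0 (stack VLAN 10 under 100) -> PE1 GE1/0/0.1 (pe-vid 100 ce-vid 10)."""
    stacked = vlan_stacking(frame, {10: 100})
    return None if stacked is None else qinq_termination(stacked, 100, 10)


if __name__ == "__main__":
    payload = b"\x45" + b"\x00" * 19   # constructed stand-in for an IPv4 header
    tagged10 = build_frame("ffffffffffff", "0000aa000001", [10], payload)
    tagged11 = build_frame("ffffffffffff", "0000aa000001", [11], payload)
    print("tags at Switch1 ingress:", parse_tags(tagged10)[0])
    print("tags on the Switch1-PE1 link:", parse_tags(vlan_stacking(tagged10, {10: 100}))[0])
    print("VLAN 10 frame reaches the VC:", ce1_to_pe1(tagged10) is not None)
    print("VLAN 11 frame reaches the VC:", ce1_to_pe1(tagged11) is not None)
```

Running the block prints the tag stack at each hop. A frame tagged with VLAN 11 is dropped by Switch1 because no stacking rule matches it, and a frame whose outer tag is 100 but whose inner tag is not 10 is not claimed by GigabitEthernet1/0/0.1 on PE1; that pairing of pe-vid and ce-vid is what keeps other customers' traffic behind the same outer VLAN out of this VC.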

Step 7 Verify the configuration.
Check the L2VPN connections on PEs. You can see that an L2VC connection has
been set up and is in Up state.
The display on PE1 is used as an example:
[PE1] display mpls l2vc interface gigabitethernet1/0/0.1
*client interface : GigabitEthernet1/0/0.1 is up
Administrator PW : no
session state : up
AC status : up
Ignore AC state : disable
VC state : up
Ignore AC state : disable
Label state :0
Token state :0
VC ID : 101
VC type : VLAN
destination : 3.3.3.3
local group ID :0 remote group ID :0
local VC label : 23552 remote VC label : 23552
local AC OAM State : up
local PSN OAM State : up
local forwarding state : forwarding
local status code : 0x0
remote AC OAM state : up
remote PSN OAM state : up
remote forwarding state: forwarding
remote status code : 0x0
ignore standby state : no
BFD for PW : unavailable
VCCV State : up
manual fault : not set
active state : active
forwarding entry : exist
link state : up
local VC MTU : 1500 remote VC MTU : 1500
local VCCV : alert ttl lsp-ping bfd
remote VCCV : alert ttl lsp-ping bfd
local control word : disable remote control word : disable
tunnel policy name : --
PW template name : --
primary or secondary : primary
load balance type : flow
Access-port : false
Switchover Flag : false
VC tunnel/token info : 1 tunnels/tokens
NO.0 TNL type : lsp , TNL ID : 0x10031
Backup TNL type : lsp , TNL ID : 0x0
create time : 1 days, 22 hours, 15 minutes, 9 seconds
up time : 0 days, 22 hours, 54 minutes, 57 seconds
last change time : 0 days, 22 hours, 54 minutes, 57 seconds
VC last up time : 2010/10/09 19:26:37
VC total up time : 1 days, 20 hours, 42 minutes, 30 seconds
CKey :8
NKey :3
PW redundancy mode : frr
AdminPw interface : --
AdminPw link state : --
Diffserv Mode : uniform
Service Class : be
Color : --
DomainId : --
Domain Name : --

CE1 and CE2 can ping each other.
The display on CE1 is used as an example:
[CE1] ping 10.10.10.2
PING 10.10.10.2: 56 data bytes, press CTRL_C to break
Reply from 10.10.10.2: bytes=56 Sequence=1 ttl=255 time=31 ms
Reply from 10.10.10.2: bytes=56 Sequence=2 ttl=255 time=10 ms
Reply from 10.10.10.2: bytes=56 Sequence=3 ttl=255 time=5 ms
Reply from 10.10.10.2: bytes=56 Sequence=4 ttl=255 time=2 ms
Reply from 10.10.10.2: bytes=56 Sequence=5 ttl=255 time=28 ms

--- 10.10.10.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/15/31 ms

----End

Configuration Files
● Configuration file of CE1
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return

● Configuration file of Switch1
#
sysname Switch1
#
vlan batch 100
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid untagged vlan 100
port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 100
#
return

● Configuration file of PE1
#
sysname PE1
#
router id 1.1.1.1
#
vcmp role silent
#
vlan batch 20
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.3
remote-ip 3.3.3.3
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
qinq termination pe-vid 100 ce-vid 10
mpls l2vc 3.3.3.3 101
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

● Configuration file of the P
#
sysname P
#
router id 2.2.2.2
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 20
port hybrid tagged vlan 20
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
● Configuration file of PE2
#
sysname PE2
#
router id 3.3.3.3
#
vcmp role silent
#
vlan batch 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
mpls ldp
#
mpls ldp remote-peer 1.1.1.1
remote-ip 1.1.1.1
#
interface Vlanif30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid tagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 100 ce-vid 10
mpls l2vc 1.1.1.1 101
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
● Configuration file of Switch2
#
sysname Switch2
#
vlan batch 100
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid untagged vlan 100
port vlan-stacking vlan 10 stack-vlan 100
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 100
#
return
● Configuration file of CE2
#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 10
#
return
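Several values in the configuration files above must agree with each other before the VLL can come up: every VLANIF and loopback address must fall inside an OSPF network statement, the VC ID and peer address configured on one PE must point back at the other, and each PE must list the other as its remote LDP peer. The following Python audit is an added example and not part of this Huawei documentation. It parses a trimmed, constructed excerpt in the same shape as the PE1 and PE2 configuration files above (the pe_conf helper and the subset of commands it understands are the example's own assumptions) and reports any mismatch; the parser only knows the blocks and commands this example needs.

```python
"""Consistency audit of the PE configuration files above: every interface address must
fall inside an OSPF network statement, and VC and remote LDP peer settings must mirror."""
import ipaddress
import re

def pe_conf(name, lsr, peer, vlanif, addr, subif):
    """Trimmed excerpt in the shape of the PE configuration files above (constructed)."""
    net = addr.rsplit(".", 1)[0] + ".0"
    return f"""#
sysname {name}
#
mpls lsr-id {lsr}
#
mpls ldp remote-peer {peer}
 remote-ip {peer}
#
interface {vlanif}
 ip address {addr} 255.255.255.0
#
interface {subif}
 mpls l2vc {peer} 101
#
interface LoopBack1
 ip address {lsr} 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network {lsr} 0.0.0.0
  network {net} 0.0.0.255
#
"""

PE1 = pe_conf("PE1", "1.1.1.1", "3.3.3.3", "Vlanif20", "10.1.1.1", "GigabitEthernet1/0/0.1")
PE2 = pe_conf("PE2", "3.3.3.3", "1.1.1.1", "Vlanif30", "10.2.2.1", "GigabitEthernet2/0/0.1")

def parse_config(text):
    """Top-level commands plus the commands under each 'interface'/'ospf' block;
    a line holding only '#' ends the current block."""
    cfg = {"global": [], "blocks": {}}
    block = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("", "#", "return"):
            block = None
        elif line.startswith(("interface ", "ospf ")):
            block = line
            cfg["blocks"][block] = []
        elif block:
            cfg["blocks"][block].append(line)
        else:
            cfg["global"].append(line)
    return cfg

def global_value(cfg, prefix, index):
    """Word <index> of the first top-level command starting with <prefix>, or None."""
    return next((l.split()[index] for l in cfg["global"] if l.startswith(prefix)), None)

def block_matches(cfg, header_prefix, pattern):
    """(block name, regex match) for every command matching pattern in matching blocks."""
    for header, cmds in cfg["blocks"].items():
        if header.startswith(header_prefix):
            for c in cmds:
                m = re.match(pattern, c)
                if m:
                    yield header.split(None, 1)[1], m

def ospf_uncovered(cfg):
    """Interfaces whose address lies outside every OSPF 'network <addr> <wildcard>'."""
    networks = [(m.group(1), m.group(2)) for _, m in block_matches(cfg, "ospf ", r"network (\S+) (\S+)$")]
    uncovered = []
    for name, m in block_matches(cfg, "interface ", r"ip address (\S+) \S+$"):
        addr = int(ipaddress.ip_address(m.group(1)))
        for net, wild in networks:
            mask = ~int(ipaddress.ip_address(wild)) & 0xFFFFFFFF
            if addr & mask == int(ipaddress.ip_address(net)) & mask:
                break
        else:
            uncovered.append(name)
    return uncovered

def l2vcs(cfg):
    """{(peer, vc_id): interface} for every 'mpls l2vc <peer> <vc-id>'."""
    return {(m.group(1), int(m.group(2))): n
            for n, m in block_matches(cfg, "interface ", r"mpls l2vc (\S+) (\d+)$")}

def audit(text_a, text_b):
    """Findings for the PE pair; an empty list means the two configurations agree."""
    findings, cfgs = [], [parse_config(text_a), parse_config(text_b)]
    for cfg, other in (cfgs, cfgs[::-1]):
        name, my_id = global_value(cfg, "sysname ", 1), global_value(cfg, "mpls lsr-id ", 2)
        their_id = global_value(other, "mpls lsr-id ", 2)
        for iface in ospf_uncovered(cfg):
            findings.append(f"{name}: {iface} is not covered by any OSPF network statement")
        for (peer, vcid), iface in l2vcs(cfg).items():
            if peer == their_id and (my_id, vcid) not in l2vcs(other):
                findings.append(f"{name}: VC {vcid} on {iface} has no matching VC on the peer")
        if global_value(other, "remote-ip ", 1) != my_id:
            findings.append(f"{name}: peer has no remote LDP peer entry for {my_id}")
    return findings
```

audit(PE1, PE2) returns an empty list for the values on this page. Changing the VC ID on one PE, or a network wildcard so that it no longer covers the VLANIF address, yields one finding per affected side; the same check against a production configuration would flag the mismatch before the VC state ever shows as down.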

3.10.3 Example for Deploying BGP/MPLS IP VPN and VPLS on One ISP Network

Overview
BGP/MPLS IP VPN is an MPLS-based L3VPN that can be flexibly deployed and
easily extended, and is suitable for deployment on a large scale. To add a new site,
the network administrator only needs to modify the configuration of the edge
nodes serving the new site.

BGP/MPLS IP VPN is suitable for communication between the headquarters and
branches in different locations. As communication data needs to traverse the
backbone network of the ISP, BGP is used to advertise VPN routes over the
backbone network and MPLS is used to forward VPN packets on the backbone
network. As different departments of an enterprise need to be isolated, BGP/MPLS
IP VPN can isolate route, address space, and access between different VPNs.

VPLS integrates the advantages provided by Ethernet and MPLS. By emulating
traditional LAN functions, VPLS enables users who are far apart and on different
Ethernet LANs to communicate with each other over the IP/MPLS network
provided by the ISP as if they were on the same LAN.

As enterprises set up more and more branches in different regions and office
flexibility increases, applications such as instant messaging and teleconferencing
are increasingly widely used. This imposes high requirements for end-to-end (E2E)
datacom technologies. Multiple enterprise branches distributed in different regions
need to communicate over the metropolitan area network (MAN) provided by the
ISP. Layer 2 service packets between enterprise branches need to be transmitted
over the MAN using the VPLS technology, so that the enterprise branches in
different regions can communicate with each other.

The ISP can use the same PE device to provide VPLS and L3VPN services for
enterprises to reduce the network construction costs.

Configuration Notes
● This example applies to the following products and versions:
– S5700-HI, S5710-EI: V200R002C00 and later versions
– S5720-EI: V200R009C00 and later versions
– S5720-HI: V200R007C10 and later versions
– S5710-HI, S5730-HI, S5731-H, S5731S-H, S5732-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S5731-S, S5731S-S, S6730-S, S6730S-S: V200R022C00 and later versions
– S6700-EI: V200R005(C00&C01)
– S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712: For
the applicable versions, see Table 3-1 in the section "Applicable Products
and Versions."
● The SA series cards cannot be used in this example. The X1E series cards of
V200R007 and later versions can be used in this example.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-139:
● An ISP provides both VPLS and L3VPN services.
● CE1 connected to the headquarters of enterprise A and CE3 connected to a
branch belong to the same VPLS to provide Layer 2 services. CE1 and CE3 are
bound to vpna to implement secure transmission of Layer 3 data.
● CE2 connected to the headquarters of enterprise B and CE4 connected to a
branch belong to the same VPLS to provide Layer 2 services. CE2 and CE3 are
bound to vpna to implement secure transmission of Layer 3 data.
● Selective QinQ needs to be configured on CE-side interfaces on switches to
add outer VLAN tags specified by the ISP to the packets sent from CE devices.
If a switch connects to multiple CE devices, it can add the same VLAN tag to
packets from different CE devices. This saves VLAN IDs on the ISP network.

Figure 3-139 Networking for deploying BGP/MPLS IP VPN and VPLS on one ISP
network

Data Plan

Device   Interface              Sub-interface             IP Address
PE1      GigabitEthernet1/0/0   GigabitEthernet1/0/0.1    10.1.1.2/24
PE1      GigabitEthernet1/0/0   GigabitEthernet1/0/0.2    -
PE1      GigabitEthernet2/0/0   GigabitEthernet2/0/0.1    10.2.1.2/24
PE1      GigabitEthernet2/0/0   GigabitEthernet2/0/0.2    -
PE2      GigabitEthernet1/0/0   GigabitEthernet1/0/0.1    10.3.1.2/24
PE2      GigabitEthernet1/0/0   GigabitEthernet1/0/0.2    -
PE2      GigabitEthernet2/0/0   GigabitEthernet2/0/0.1    10.4.1.2/24
PE2      GigabitEthernet2/0/0   GigabitEthernet2/0/0.2    -

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure OSPF between the P and PE devices to ensure IP connectivity on
the backbone network.
2. Enable basic MPLS capabilities and MPLS LDP on the P and PE devices to set
up MPLS LSP tunnels for VPN data transmission on the backbone network.
3. Configure MP-IBGP on PE1 and PE2 to enable them to exchange VPN routing
information.
4. Configure BGP/MPLS IP VPN. Configure L3VPN instances vpna and vpnb on
PE1 and PE2. Set the VPN target of vpna to 111:1 and the VPN target of vpnb
to 222:2. This configuration allows users in the same VPN to communicate
with each other and isolates users of different VPNs. Configure dot1q
termination sub-interfaces for single-tagged packets sent from CE1 and CE3.
Configure QinQ termination sub-interfaces for double-tagged packets sent
from CE2 and CE4.
5. Configure the VPLS service. Create VPLS VSI instances on PE1 and PE2. In each
VSI instance, specify BGP as the signaling protocol, and set the RD, VPN target
and site. Bind sub-interfaces to VSI instances so that the sub-interfaces
function as AC interfaces to provide access for VPLS users. Configure dot1q
termination sub-interfaces for single-tagged packets sent from CE1 and CE3.
Configure QinQ termination sub-interfaces for double-tagged packets sent
from CE2 and CE4.
6. Configure selective QinQ on CE-side interfaces of the switches and specify the
VLANs allowed by the interfaces.
7. Set up EBGP peer relationships between the CE and PE devices so that they
can exchange VPN routing information.

Procedure
Step 1 Configure an IGP protocol on the MPLS backbone network so that the PE and P
devices can communicate with each other.
# Configure PE1.
<HUAWEI> system-view
[HUAWEI] sysname PE1
[PE1] interface loopback 1
[PE1-LoopBack1] ip address 1.1.1.9 32
[PE1-LoopBack1] quit
[PE1] vlan batch 30
[PE1] interface gigabitethernet 3/0/0
[PE1-GigabitEthernet3/0/0] port link-type hybrid
[PE1-GigabitEthernet3/0/0] port hybrid pvid vlan 30
[PE1-GigabitEthernet3/0/0] port hybrid untagged vlan 30
[PE1-GigabitEthernet3/0/0] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] ip address 172.16.1.1 24
[PE1-Vlanif30] quit
[PE1] ospf 1 router-id 1.1.1.9
[PE1-ospf-1] area 0
[PE1-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255 //The network segment must cover the VLANIF 30 address 172.16.1.1 configured above; otherwise OSPF does not run on that interface.
[PE1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit

# Configure the P.
<HUAWEI> system-view
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface gigabitethernet 1/0/0
[P-GigabitEthernet1/0/0] port link-type hybrid
[P-GigabitEthernet1/0/0] port hybrid pvid vlan 30
[P-GigabitEthernet1/0/0] port hybrid untagged vlan 30
[P-GigabitEthernet1/0/0] quit
[P] interface gigabitethernet 2/0/0
[P-GigabitEthernet2/0/0] port link-type hybrid
[P-GigabitEthernet2/0/0] port hybrid pvid vlan 60
[P-GigabitEthernet2/0/0] port hybrid untagged vlan 60
[P-GigabitEthernet2/0/0] quit
[P] interface vlanif 30
[P-Vlanif30] ip address 172.16.1.2 24
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] ip address 172.17.1.1 24
[P-Vlanif60] quit
[P] ospf 1 router-id 2.2.2.9
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.16.1.0 0.0.0.255 //Must cover the VLANIF 30 address 172.16.1.2 configured above.
[P-ospf-1-area-0.0.0.0] network 172.17.1.0 0.0.0.255 //Must cover the VLANIF 60 address 172.17.1.1 configured above.
[P-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit

# Configure PE2.
<HUAWEI> system-view
[HUAWEI] sysname PE2
[PE2] interface loopback 1
[PE2-LoopBack1] ip address 3.3.3.9 32
[PE2-LoopBack1] quit
[PE2] vlan batch 60
[PE2] interface gigabitethernet 3/0/0
[PE2-GigabitEthernet3/0/0] port link-type hybrid
[PE2-GigabitEthernet3/0/0] port hybrid pvid vlan 60
[PE2-GigabitEthernet3/0/0] port hybrid untagged vlan 60
[PE2-GigabitEthernet3/0/0] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] ip address 172.17.1.2 24
[PE2-Vlanif60] quit
[PE2] ospf 1 router-id 3.3.3.9
[PE2-ospf-1] area 0
[PE2-ospf-1-area-0.0.0.0] network 172.17.1.0 0.0.0.255 //Must cover the VLANIF 60 address 172.17.1.2 configured above.
[PE2-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[PE2-ospf-1-area-0.0.0.0] quit
[PE2-ospf-1] quit

After the configuration is complete, OSPF neighbor relationships can be set up
between PE1, P, and PE2. Run the display ospf peer command on PE1, P, and PE2,
and you can view that the neighbor status is Full. Run the display ip routing-table
command on PE1 and PE2, and you can view that PE1 and PE2 have learned
the routes to each other's Loopback1 address.

The display on PE1 is used as an example:
[PE1] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 8 Routes : 8

Destination/Mask Proto Pre Cost Flags NextHop Interface

1.1.1.9/32 Direct 0 0 D 127.0.0.1 LoopBack1
2.2.2.9/32 OSPF 10 1 D 172.16.1.2 Vlanif30
3.3.3.9/32 OSPF 10 2 D 172.16.1.2 Vlanif30
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.1.1.0/24 Direct 0 0 D 172.16.1.1 Vlanif30
172.16.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
172.2.1.0/24 OSPF 10 2 D 172.16.1.2 Vlanif30
[PE1] display ospf peer

OSPF Process 1 with Router ID 1.1.1.9


Neighbors

Area 0.0.0.0 interface 172.1.1.1(Vlanif30)'s neighbors


Router ID: 2.2.2.9 Address: 172.16.1.2
State: Full Mode:Nbr is Master Priority: 1
DR: 172.16.1.2 BDR: 172.16.1.1 MTU: 0
Dead timer due in 37 sec
Retrans timer interval: 5
Neighbor is up for 00:16:21
Authentication Sequence: [ 0 ]

Step 2 Enable basic MPLS capabilities and MPLS LDP on the PE devices to set up LDP
LSPs on the MPLS backbone network.

# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 30
[PE1-Vlanif30] mpls
[PE1-Vlanif30] mpls ldp
[PE1-Vlanif30] quit

# Configure the P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 30
[P-Vlanif30] mpls
[P-Vlanif30] mpls ldp
[P-Vlanif30] quit
[P] interface vlanif 60
[P-Vlanif60] mpls
[P-Vlanif60] mpls ldp
[P-Vlanif60] quit

# Configure PE2.
[PE2] mpls lsr-id 3.3.3.9
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2] interface vlanif 60
[PE2-Vlanif60] mpls
[PE2-Vlanif60] mpls ldp
[PE2-Vlanif60] quit

After the configuration is complete, LDP sessions are established between PE1 and
the P and between the P and PE2. Run the display mpls ldp session command on
PE1, P, and PE2, and you can view that the LDP session status is Operational. Run
the display mpls ldp lsp command, and you can view information about the
established LDP LSPs.
The display on PE1 is used as an example:
[PE1] display mpls ldp session

LDP Session(s) in Public Network


Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 0000:00:01 6/6
------------------------------------------------------------------------------
TOTAL: 1 session(s) Found.
[PE1] display mpls ldp lsp

LDP LSP Information


-------------------------------------------------------------------------------
Flag after Out IF: (I) - LSP Is Only Iterated by RLFA
-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0
*1.1.1.9/32 Liberal/1025 DS/2.2.2.9
2.2.2.9/32 NULL/3 - 172.16.1.2 Vlanif30
2.2.2.9/32 1024/3 2.2.2.9 172.16.1.2 Vlanif30
3.3.3.9/32 NULL/1025 - 172.16.1.2 Vlanif30
3.3.3.9/32 1025/1025 2.2.2.9 172.16.1.2 Vlanif30
-------------------------------------------------------------------------------
TOTAL: 5 Normal LSP(s) Found.
TOTAL: 1 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is stale
A '*' before a DS means the session is stale
A '*' before a NextHop means the LSP is FRR LSP

Step 3 Configure L3VPN instances on the PE devices. Configure dot1q termination sub-
interfaces for single-tagged packets from vpna. Configure QinQ termination sub-
interfaces for double-tagged packets from vpnb. (Layer 3 service users are
identified by VLAN 10 and VLAN 20, and the PE devices use VLAN 10 and VLAN
100 to identify Layer 3 services.)
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1] vcmp role silent
[PE1] interface gigabitethernet 1/0/0
[PE1-GigabitEthernet1/0/0] port link-type hybrid
[PE1-GigabitEthernet1/0/0] quit
[PE1] interface gigabitethernet 1/0/0.1
[PE1-GigabitEthernet1/0/0.1] dot1q termination vid 10
[PE1-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE1-GigabitEthernet1/0/0.1] ip address 10.1.1.2 24
[PE1-GigabitEthernet1/0/0.1] arp broadcast enable
[PE1-GigabitEthernet1/0/0.1] quit
[PE1] interface gigabitethernet 2/0/0
[PE1-GigabitEthernet2/0/0] port link-type hybrid
[PE1-GigabitEthernet2/0/0] quit
[PE1] interface gigabitethernet 2/0/0.1
[PE1-GigabitEthernet2/0/0.1] qinq termination pe-vid 100 ce-vid 20
[PE1-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
[PE1-GigabitEthernet2/0/0.1] ip address 10.2.1.2 24
[PE1-GigabitEthernet2/0/0.1] arp broadcast enable
[PE1-GigabitEthernet2/0/0.1] quit

# Configure PE2.
[PE2] ip vpn-instance vpna
[PE2-vpn-instance-vpna] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpna] quit
[PE2] ip vpn-instance vpnb
[PE2-vpn-instance-vpnb] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-vpn-instance-vpnb] quit
[PE2] vcmp role silent
[PE2] interface gigabitethernet 1/0/0
[PE2-GigabitEthernet1/0/0] port link-type hybrid
[PE2-GigabitEthernet1/0/0] quit
[PE2] interface gigabitethernet 1/0/0.1
[PE2-GigabitEthernet1/0/0.1] dot1q termination vid 10
[PE2-GigabitEthernet1/0/0.1] ip binding vpn-instance vpna
[PE2-GigabitEthernet1/0/0.1] ip address 10.3.1.2 24
[PE2-GigabitEthernet1/0/0.1] arp broadcast enable
[PE2-GigabitEthernet1/0/0.1] quit
[PE2] interface gigabitethernet 2/0/0
[PE2-GigabitEthernet2/0/0] port link-type hybrid
[PE2-GigabitEthernet2/0/0] quit
[PE2] interface gigabitethernet 2/0/0.1
[PE2-GigabitEthernet2/0/0.1] qinq termination pe-vid 100 ce-vid 20
[PE2-GigabitEthernet2/0/0.1] ip binding vpn-instance vpnb
[PE2-GigabitEthernet2/0/0.1] ip address 10.4.1.2 24
[PE2-GigabitEthernet2/0/0.1] arp broadcast enable
[PE2-GigabitEthernet2/0/0.1] quit

# Configure CE1 connecting to the headquarters of enterprise A. Configure IP
addresses for interfaces of CE2, CE3, and CE4 according to Figure 3-139. The
configurations of CE2, CE3, and CE4 are similar to the configuration of CE1, and
are not mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname CE1
[CE1] vlan batch 10 to 11
[CE1] interface gigabitethernet 1/0/0
[CE1-GigabitEthernet1/0/0] port link-type hybrid
[CE1-GigabitEthernet1/0/0] port hybrid tagged vlan 10 to 11
[CE1-GigabitEthernet1/0/0] quit
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 24
[CE1-Vlanif10] quit

Step 4 Configure selective QinQ on CE-side interfaces of the switches and specify the
VLANs allowed by the interfaces.
# Configure Switch1.
<HUAWEI> system-view
[HUAWEI] sysname Switch1
[Switch1] vlan batch 100 200
[Switch1] interface gigabitethernet 2/0/0
[Switch1-GigabitEthernet2/0/0] port link-type hybrid
[Switch1-GigabitEthernet2/0/0] port hybrid tagged vlan 100 200
[Switch1-GigabitEthernet2/0/0] quit
[Switch1] interface gigabitethernet 1/0/0
[Switch1-GigabitEthernet1/0/0] port link-type hybrid
[Switch1-GigabitEthernet1/0/0] port hybrid untagged vlan 100 200
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 20 stack-vlan 100
[Switch1-GigabitEthernet1/0/0] port vlan-stacking vlan 21 stack-vlan 200
[Switch1-GigabitEthernet1/0/0] quit

# Configure Switch2.
<HUAWEI> system-view
[HUAWEI] sysname Switch2
[Switch2] vlan batch 100 200
[Switch2] interface gigabitethernet 2/0/0
[Switch2-GigabitEthernet2/0/0] port link-type hybrid
[Switch2-GigabitEthernet2/0/0] port hybrid tagged vlan 100 200
[Switch2-GigabitEthernet2/0/0] quit
[Switch2] interface gigabitethernet 1/0/0
[Switch2-GigabitEthernet1/0/0] port link-type hybrid
[Switch2-GigabitEthernet1/0/0] port hybrid untagged vlan 100 200
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 20 stack-vlan 100
[Switch2-GigabitEthernet1/0/0] port vlan-stacking vlan 21 stack-vlan 200
[Switch2-GigabitEthernet1/0/0] quit

After the configuration is complete, run the display ip vpn-instance verbose
command on PE1 and PE2 to view VPN instance configuration. The PE devices can
ping CE devices attached to them.

NOTE

If a PE device has multiple interfaces bound to the same VPN instance, you need to specify
a source IP address when pinging the CE device connected to the remote PE device. To
specify the source IP address, set the -a source-ip-address parameter in the ping -vpn-
instance vpn-instance-name -a source-ip-address dest-ip-address command. If no source IP
address is specified, the ping operation fails.

The ping test from PE1 to CE1 is used as an example:
[PE1] display ip vpn-instance verbose
Total VPN-Instances configured : 2
Total IPv4 VPN-Instances configured : 2
Total IPv6 VPN-Instances configured : 0

VPN-Instance Name and ID : vpna, 1
Interfaces : GigabitEthernet1/0/0.1
Address family ipv4
Create date : 2012/07/25 00:58:17 UTC+08:00
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 100:1
Export VPN Targets : 111:1
Import VPN Targets : 111:1
Label Policy : label per instance
Per-Instance Label : 4096
Log Interval : 5

Issue 35 (2022-10-26) Copyright © Huawei Technologies Co., Ltd. 1697


S300, S500, S2700, S3700, S5700, S6700, S7700, and
S9700 Series Switches
Typical Configuration Examples 3 Feature Typical Configuration Examples

VPN-Instance Name and ID : vpnb, 2


Interfaces : GigabitEthernet2/0/0.1
Address family ipv4
Create date : 2012/07/25 00:58:17 UTC+08:00
Up time : 0 days, 22 hours, 24 minutes and 53 seconds
Route Distinguisher : 100:2
Export VPN Targets : 222:2
Import VPN Targets : 222:2
Label Policy : label per instance
Per-Instance Label : 4096
Log Interval : 5
[PE1] ping -vpn-instance vpna 10.1.1.1
PING 10.1.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.1: bytes=56 Sequence=1 ttl=254 time=5 ms
Reply from 10.1.1.1: bytes=56 Sequence=2 ttl=254 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=3 ttl=254 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=4 ttl=254 time=3 ms
Reply from 10.1.1.1: bytes=56 Sequence=5 ttl=254 time=16 ms

--- 10.1.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 3/6/16 ms

Step 5 Create VPLS VSI instances on PE1 and PE2. In each VSI instance, specify BGP as the
signaling protocol, and set the RD, VPN target and site. Bind sub-interfaces to VSI
instances so that the sub-interfaces function as AC interfaces to provide access for
VPLS users. Configure dot1q termination sub-interfaces for single-tagged packets
sent from CE1 and CE3. Configure QinQ termination sub-interfaces for double-
tagged packets sent from CE2 and CE4. (The CE devices use VLAN 11 and VLAN
21 to identify Layer 2 service users, and the PE devices use VLAN 11 and VLAN
200 to identify Layer 2 services.)
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1] vsi vsi1 auto
[PE1-vsi-vsi1] pwsignal bgp
[PE1-vsi-vsi1-bgp] route-distinguisher 101:1
[PE1-vsi-vsi1-bgp] vpn-target 100:1 import-extcommunity
[PE1-vsi-vsi1-bgp] vpn-target 100:1 export-extcommunity
[PE1-vsi-vsi1-bgp] site 1 range 5 default-offset 0
[PE1-vsi-vsi1-bgp] quit
[PE1-vsi-vsi1] quit
[PE1] vsi vsi2 auto
[PE1-vsi-vsi2] pwsignal bgp
[PE1-vsi-vsi2-bgp] route-distinguisher 101:2
[PE1-vsi-vsi2-bgp] vpn-target 200:1 import-extcommunity
[PE1-vsi-vsi2-bgp] vpn-target 200:1 export-extcommunity
[PE1-vsi-vsi2-bgp] site 1 range 5 default-offset 0
[PE1-vsi-vsi2-bgp] quit
[PE1-vsi-vsi2] quit
[PE1] interface gigabitethernet 1/0/0.2
[PE1-GigabitEthernet1/0/0.2] dot1q termination vid 11
[PE1-GigabitEthernet1/0/0.2] l2 binding vsi vsi1
[PE1-GigabitEthernet1/0/0.2] quit
[PE1] interface gigabitethernet 2/0/0.2
[PE1-GigabitEthernet2/0/0.2] qinq termination pe-vid 200 ce-vid 21
[PE1-GigabitEthernet2/0/0.2] l2 binding vsi vsi2
[PE1-GigabitEthernet2/0/0.2] quit

# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
[PE2] vsi vsi1 auto
[PE2-vsi-vsi1] pwsignal bgp
[PE2-vsi-vsi1-bgp] route-distinguisher 201:1
[PE2-vsi-vsi1-bgp] vpn-target 100:1 import-extcommunity
[PE2-vsi-vsi1-bgp] vpn-target 100:1 export-extcommunity
[PE2-vsi-vsi1-bgp] site 2 range 5 default-offset 0
[PE2-vsi-vsi1-bgp] quit
[PE2-vsi-vsi1] quit
[PE2] vsi vsi2 auto
[PE2-vsi-vsi2] pwsignal bgp
[PE2-vsi-vsi2-bgp] route-distinguisher 201:2
[PE2-vsi-vsi2-bgp] vpn-target 200:1 import-extcommunity
[PE2-vsi-vsi2-bgp] vpn-target 200:1 export-extcommunity
[PE2-vsi-vsi2-bgp] site 2 range 5 default-offset 0
[PE2-vsi-vsi2-bgp] quit
[PE2-vsi-vsi2] quit
[PE2] interface gigabitethernet 1/0/0.2
[PE2-GigabitEthernet1/0/0.2] dot1q termination vid 11
[PE2-GigabitEthernet1/0/0.2] l2 binding vsi vsi1
[PE2-GigabitEthernet1/0/0.2] quit
[PE2] interface gigabitethernet 2/0/0.2
[PE2-GigabitEthernet2/0/0.2] qinq termination pe-vid 200 ce-vid 21
[PE2-GigabitEthernet2/0/0.2] l2 binding vsi vsi2
[PE2-GigabitEthernet2/0/0.2] quit

Step 6 Set up EBGP peer relationships between the PE and CE devices and import L3VPN
routes to BGP.
# Configure CE1 connecting to the headquarters of enterprise A. The
configurations of CE2, CE3, and CE4 are similar to that of CE1, and are not
mentioned here.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct
[CE1-bgp] quit

# Configure PE1. The configuration of PE2 is similar to that of PE1, and is not
mentioned here.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit

After the configuration is complete, run the display bgp vpnv4 vpn-instance vpn-
instance-name peer command on the PE devices. You can view that BGP peer
relationships between PE and CE devices have been established and are in the
Established state.
The BGP peer relationship between PE1 and CE1 is used as an example:
[PE1] display bgp vpnv4 vpn-instance vpna peer

BGP local router ID : 1.1.1.9
Local AS number : 100
VPN-Instance vpna, Router ID 1.1.1.9:
Total number of peers : 1 Peers in established state : 1

Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
10.1.1.1 4 65410 11 9 0 00:07:25 Established 1

Step 7 Set up an MP-IBGP peer relationship between PE1 and PE2.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] vpls-family
[PE1-bgp-af-vpls] peer 3.3.3.9 enable
[PE1-bgp-af-vpls] quit
[PE1-bgp] quit

# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] vpls-family
[PE2-bgp-af-vpls] peer 1.1.1.9 enable
[PE2-bgp-af-vpls] quit
[PE2-bgp] quit

Step 8 Verify the configuration.
Run the display ip routing-table vpn-instance command on PE1 and PE2 to view
the L3VPN routes to the remote CE devices.
The display on PE1 is used as an example:
[PE1] display ip routing-table vpn-instance vpna
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpna
Destinations : 3 Routes : 3

Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.2 GigabitEthernet1/0/0.1
10.1.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet1/0/0.1
10.3.1.0/24 IBGP 255 0 RD 3.3.3.9 GigabitEthernet1/0/0.1
[PE1] display ip routing-table vpn-instance vpnb
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: vpnb
Destinations : 3 Routes : 3

Destination/Mask Proto Pre Cost Flags NextHop Interface
10.2.1.0/24 Direct 0 0 D 10.2.1.2 GigabitEthernet2/0/0.1
10.2.1.2/32 Direct 0 0 D 127.0.0.1 GigabitEthernet2/0/0.1
10.4.1.0/24 IBGP 255 0 RD 3.3.3.9 GigabitEthernet2/0/0.1

CE devices in the same VPN instance can successfully ping each other, whereas CE
devices in different VPN instances cannot.
For example, CE1 connecting to the headquarters of enterprise A can successfully
ping CE3 connecting to a branch at 10.3.1.1 but cannot ping CE4 connecting to the
headquarters of enterprise B at 10.4.1.1.
[CE1] ping 10.3.1.1
PING 10.3.1.1: 56 data bytes, press CTRL_C to break
Reply from 10.3.1.1: bytes=56 Sequence=1 ttl=253 time=72 ms
Reply from 10.3.1.1: bytes=56 Sequence=2 ttl=253 time=34 ms
Reply from 10.3.1.1: bytes=56 Sequence=3 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=4 ttl=253 time=50 ms
Reply from 10.3.1.1: bytes=56 Sequence=5 ttl=253 time=34 ms
--- 10.3.1.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 34/48/72 ms
[CE1] ping 10.4.1.1
PING 10.4.1.1: 56 data bytes, press CTRL_C to break
Request time out
Request time out
Request time out
Request time out
Request time out
--- 10.4.1.1 ping statistics ---
5 packet(s) transmitted
0 packet(s) received
100.00% packet loss

Run the display vsi name vsi2 verbose command on PE1, and you can view that
vsi2 has a PW to PE2 and is in Up state.
[PE1] display vsi name vsi2 verbose

***VSI Name : vsi2
Administrator VSI : no
Isolate Spoken : disable
VSI Index :1
PW Signaling : bgp
Member Discovery Style : auto
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Diffserv Mode : uniform
Mpls Exp : --
DomainId : 255
Domain Name :
Ignore AcState : disable
P2P VSI : disable
Create Time : 0 days, 0 hours, 22 minutes, 6 seconds
VSI State : up

BGP RD : 101:2
SiteID/Range/Offset : 1/5/0
Import vpn target : 200:1
Export vpn target : 200:1
Remote Label Block : 35845/5/0
Local Label Block : 0/35845/5/0

Interface Name : GigabitEthernet2/0/0.2
State : up
Access Port : false
Last Up Time : 2012/12/24 21:19:48
Total Up Time : 0 days, 0 hours, 20 minutes, 42 seconds

**PW Information:

*Peer Ip Address : 3.3.3.9
PW State : up
Local VC Label : 35847
Remote VC Label : 35846
PW Type : label
Local VCCV : alert lsp-ping bfd
Remote VCCV : alert lsp-ping bfd
Tunnel ID : 0x5
Broadcast Tunnel ID : 0x5
Broad BackupTunnel ID : 0x0
Ckey : 0xc
Nkey : 0xb
Main PW Token : 0x5
Slave PW Token : 0x0
Tnl Type : LSP
OutInterface : Vlanif30
Backup OutInterface :
Stp Enable :0
PW Last Up Time : 2012/12/24 21:38:43
PW Total Up Time : 0 days, 0 hours, 1 minutes, 47 seconds

----End

Configuration Files
● Configuration file of PE1
#
sysname PE1
#
vcmp role silent
#
vlan batch 30
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 100:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi vsi1 auto
pwsignal bgp
route-distinguisher 101:1
vpn-target 100:1 import-extcommunity
vpn-target 100:1 export-extcommunity
site 1 range 5 default-offset 0
#
vsi vsi2 auto
pwsignal bgp
route-distinguisher 101:2
vpn-target 200:1 import-extcommunity
vpn-target 200:1 export-extcommunity
site 1 range 5 default-offset 0
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet1/0/0.2
dot1q termination vid 11
l2 binding vsi vsi1
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 100 ce-vid 20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/0.2
qinq termination pe-vid 200 ce-vid 21
l2 binding vsi vsi2
#
interface GigabitEthernet3/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
peer 3.3.3.9 as-number 100
peer 3.3.3.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 3.3.3.9 enable
#
vpls-family
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
peer 10.1.1.1 as-number 65410
import-route direct
#
ipv4-family vpn-instance vpnb
peer 10.2.1.1 as-number 65420
import-route direct
#
ospf 1 router-id 1.1.1.9
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
● Configuration file of the P device
#
sysname P
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.16.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 172.17.1.1 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid pvid vlan 30
port hybrid untagged vlan 30
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1 router-id 2.2.2.9
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return
● Configuration file of PE2
#
sysname PE2
#
vcmp role silent
#
vlan batch 60
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 200:1
vpn-target 111:1 export-extcommunity
vpn-target 111:1 import-extcommunity
#
ip vpn-instance vpnb
ipv4-family
route-distinguisher 200:2
vpn-target 222:2 export-extcommunity
vpn-target 222:2 import-extcommunity
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi vsi1 auto
pwsignal bgp
route-distinguisher 201:1
vpn-target 100:1 import-extcommunity
vpn-target 100:1 export-extcommunity
site 2 range 5 default-offset 0
#
vsi vsi2 auto
pwsignal bgp
route-distinguisher 201:2
vpn-target 200:1 import-extcommunity
vpn-target 200:1 export-extcommunity
site 2 range 5 default-offset 0
#
mpls ldp
#
interface Vlanif60
ip address 172.17.1.2 255.255.255.0
mpls
mpls ldp
#
interface GigabitEthernet1/0/0
port link-type hybrid
#
interface GigabitEthernet1/0/0.1
dot1q termination vid 10
ip binding vpn-instance vpna
ip address 10.3.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet1/0/0.2
dot1q termination vid 11
l2 binding vsi vsi1
#
interface GigabitEthernet2/0/0
port link-type hybrid
#
interface GigabitEthernet2/0/0.1
qinq termination pe-vid 100 ce-vid 20
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
arp broadcast enable
#
interface GigabitEthernet2/0/0.2
qinq termination pe-vid 200 ce-vid 21
l2 binding vsi vsi2
#
interface GigabitEthernet3/0/0
port link-type hybrid
port hybrid pvid vlan 60
port hybrid untagged vlan 60
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
peer 1.1.1.9 as-number 100
peer 1.1.1.9 connect-interface LoopBack1
#
ipv4-family unicast
undo synchronization
peer 1.1.1.9 enable
#
vpls-family
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
peer 10.3.1.1 as-number 65430
import-route direct
#
ipv4-family vpn-instance vpnb
peer 10.4.1.1 as-number 65440
import-route direct
#
ospf 1 router-id 3.3.3.9
area 0.0.0.0
network 172.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return

● Configuration file of CE1 connecting to the headquarters of enterprise A
#
sysname CE1
#
vlan batch 10 to 11
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 10 to 11
#
bgp 65410
peer 10.1.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.1.1.2 enable
#
return

● Configuration file of CE2 connecting to the headquarters of enterprise B
#
sysname CE2
#
vlan batch 20 to 21
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 20 to 21
#
bgp 65420
peer 10.2.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.2.1.2 enable
#
return

● Configuration file of CE3 connecting to a branch of enterprise A
#
sysname CE3
#
vlan batch 10 to 11
#
interface Vlanif10
ip address 10.3.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 10 to 11
#
bgp 65430
peer 10.3.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.3.1.2 enable
#
return

● Configuration file of CE4 connecting to a branch of enterprise B
#
sysname CE4
#
vlan batch 20 to 21
#
interface Vlanif20
ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid tagged vlan 20 to 21
#
bgp 65440
peer 10.4.1.2 as-number 100
#
ipv4-family unicast
undo synchronization
import-route direct
peer 10.4.1.2 enable
#
return

● Configuration file of Switch1
#
sysname Switch1
#
vlan batch 100 200
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid untagged vlan 100 200
port vlan-stacking vlan 20 stack-vlan 100
port vlan-stacking vlan 21 stack-vlan 200
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 100 200
#
return

● Configuration file of Switch2
#
sysname Switch2
#
vlan batch 100 200
#
interface GigabitEthernet1/0/0
port link-type hybrid
port hybrid untagged vlan 100 200
port vlan-stacking vlan 20 stack-vlan 100
port vlan-stacking vlan 21 stack-vlan 200
#
interface GigabitEthernet2/0/0
port link-type hybrid
port hybrid tagged vlan 100 200
#
return
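As an added check (example code, not Huawei's tooling), the script below parses the RD, VPN-target and site settings of the PE1 and PE2 configuration files above and verifies the properties that make the CE1-to-CE3 ping succeed and the CE1-to-CE4 ping fail: each VPN instance and VSI imports what its counterpart on the other PE exports, no instance imports the export RT of a different instance (which would leak routes between enterprises A and B), RDs are unique per PE, and each VPLS site ID falls inside the peer's label block. The pe_config helper that rebuilds the two configurations from the page's values is an assumption of the example.

```python
import re


def pe_config(rd_as, site):
    """Constructed sample: RD/RT/site fragments of one PE in this example, in CLI form."""
    return f"""\
ip vpn-instance vpna
 ipv4-family
  route-distinguisher {rd_as}:1
  vpn-target 111:1 both
#
ip vpn-instance vpnb
 ipv4-family
  route-distinguisher {rd_as}:2
  vpn-target 222:2 both
#
vsi vsi1 auto
 pwsignal bgp
  route-distinguisher {rd_as + 1}:1
  vpn-target 100:1 import-extcommunity
  vpn-target 100:1 export-extcommunity
  site {site} range 5 default-offset 0
#
"""


# PE1 uses RDs 100:x/101:1 and site 1, PE2 uses 200:x/201:1 and site 2, as on this page.
PE_CONFIGS = {"PE1": pe_config(100, 1), "PE2": pe_config(200, 2)}

HEADER = re.compile(r"^(ip vpn-instance|vsi) (\S+)")


def parse(config):
    """Map instance name -> {kind, rd, import, export, site} for one PE's configuration."""
    blocks, cur = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = HEADER.match(line)
        if m:
            cur = blocks[m.group(2)] = {"kind": m.group(1), "rd": None,
                                       "import": set(), "export": set(), "site": None}
        elif line == "#":
            cur = None
        elif cur is None:
            continue
        elif line.startswith("route-distinguisher "):
            cur["rd"] = line.split()[1]
        elif line.startswith("vpn-target "):
            *rts, how = line.split()[1:]   # how: both | import-extcommunity | export-extcommunity
            for d in ("import", "export"):
                if how == "both" or how.startswith(d):
                    cur[d].update(rts)
        elif line.startswith("site "):
            cur["site"] = tuple(int(x) for x in line.split()[1::2])   # (site, range, offset)
    return blocks


def check(pe_configs):
    """Return findings for the RD/RT/site plan; an empty list means it is consistent and isolated."""
    findings, items = [], []
    for pe, blocks in ((pe, parse(cfg)) for pe, cfg in pe_configs.items()):
        rds = {}
        for name, b in blocks.items():
            if b["rd"] in rds:   # an RD must be unique per instance on one PE
                findings.append(f"{pe}: {name} reuses RD {b['rd']} of {rds[b['rd']]}")
            rds[b["rd"]] = name
            items.append((pe, name, b))
    for i, (pa, na, a) in enumerate(items):
        for pb, nb, b in items[i + 1:]:
            if a["kind"] != b["kind"]:
                continue   # VPNv4 and L2VPN routes live in separate BGP address families
            if na != nb:   # different services must never import each other's exports
                leak = (a["import"] & b["export"]) | (b["import"] & a["export"])
                if leak:
                    findings.append(f"{na}/{pa} and {nb}/{pb} leak routes via RT {sorted(leak)}")
            else:          # the same service on two PEs must import what the other exports
                if not (a["import"] & b["export"] and b["import"] & a["export"]):
                    findings.append(f"{na}: {pa} and {pb} do not exchange routes (RT mismatch)")
                if a["kind"] == "vsi" and a["site"] and b["site"]:
                    # BGP VPLS: a remote site ID must fall inside the local label block
                    for (lp, local), (rp, remote) in (((pa, a["site"]), (pb, b["site"])),
                                                      ((pb, b["site"]), (pa, a["site"]))):
                        rsite, rng, off = remote[0], local[1], local[2]
                        if not off <= rsite < off + rng:
                            findings.append(f"{na}: site {rsite} on {rp} is outside {lp}'s block {off}..{off + rng - 1}")
                    if a["site"][0] == b["site"][0]:
                        findings.append(f"{na}: {pa} and {pb} both use site ID {a['site'][0]}")
    return findings


if __name__ == "__main__":
    print("\n".join(check(PE_CONFIGS) or ["RD/RT/site plan is consistent and isolated"]))
```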

3.11 Typical WLAN-AC Configuration (Applicable to Versions V200R005 to V200R008)

3.11.1 Example for Configuring WLAN Services on a Small-Scale Network

Small-Scale WLAN Overview
In this document, a Wireless Local Area Network (WLAN) uses 2.4 GHz or 5 GHz
radio as transmission medium. WLANs are widely used due to their low cost,
flexibility, scalability, and mobility compared to wired networks.
A small-scale WLAN can be a small campus network independently deployed for a
small- or medium-sized enterprise, or a branch network. A small-scale WLAN
requires only a few network devices to serve its users.

Configuration Notes
● In this example, the security policy is WPA2-PSK-CCMP. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network or APs. Service packets and
management packets can be forwarded normally only if the network
between the AC and APs is added to the management VLAN and the
network between the AC and upper-layer network is added to the service
VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network or
APs. Service packets and management packets can be forwarded
normally only if the network between the AC and APs is added to the
management VLAN and the network between APs and upper-layer
network is added to the service VLAN.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● The following table lists applicable products and versions.

Table 3-41 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R005C00 | S7700, S9700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00 | S5720-HI, S7700, S9700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00 | S5720-HI, S7700, S9700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN
V200R008C00 | S5720-HI, S7700, S9700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN; V200R005C30: AP2030DN, AP4030DN, AP4130DN

NOTE

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.

Networking Requirements
An enterprise has a small-scale branch network. The enterprise needs to deploy
WLAN services for mobile office so that its employees can access the enterprise
internal network anywhere and anytime.
As shown in Figure 3-140, the AC connects to APs through a PoE switch, and the
PoE switch provides power for APs. The WLAN service is configured on the AC, and
delivered to APs.

Figure 3-140 Networking of a small-scale WLAN

Data Planning

Table 3-42 Data planning

Item | Data | Description
IP address of the AC's source interface | 192.168.10.1/24 | None
WMM profile | Name: wmm | None
Radio profile | Name: radio | None
Security profile | Name: security; Security and authentication policy: WPA2+PSK; Authentication key: Example@123; Encryption mode: CCMP | None
Traffic profile | Name: traffic | None
Service set | Name: test; SSID: test; WLAN virtual interface: WLAN-ESS 1; Data forwarding mode: tunnel forwarding | None
DHCP server | The AC functions as the DHCP server to assign IP addresses to the AP and STAs. | None
AP gateway and IP address pool range | VLANIF 100: 192.168.10.1/24; 192.168.10.2 to 192.168.10.254/24 | None
STA gateway and IP address pool range | VLANIF 101: 192.168.11.1/24; 192.168.11.2 to 192.168.11.254/24 | None

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, SwitchA, and upstream device to implement Layer 2
interoperation.
2. Configure the AC as a DHCP server to assign IP addresses to STAs and the AP
from an IP address pool of an interface.
3. Configure AC system parameters, including the country code, AC ID, carrier ID,
and source interface used by the AC to communicate with the AP.
4. Set the AP authentication mode and add the AP to an AP region.
5. Configure a VAP and deliver VAP parameters to the AP so that STAs can
access the WLAN.
a. Configure a WMM profile and radio profile on the AP, retain the default
settings of the WMM profile and radio profile, bind the WMM profile to
the radio profile to enable STAs to communicate with the AP.
b. Configure a WLAN-ESS interface so that radio packets can be sent to the
WLAN service module after reaching the AC.
c. Configure a security profile and traffic profile on the AP, retain the
default settings of the security profile and traffic profile, configure a
service set, bind the WLAN-ESS interface, security profile, and traffic
profile to the service set to apply security policies and QoS policies to
STAs.
d. Configure a VAP and deliver VAP parameters to the AP so that STAs can
access the Internet through the WLAN.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP and GE0/0/2 that connects
SwitchA to the AC to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


NOTE
Configure AC uplink interfaces to transparently transmit service VLAN packets as required and communicate with the upstream device.

# Add AC uplink interface GE1/0/2 to service VLAN 101.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC as a DHCP server to assign IP addresses to STAs and the AP.

# Configure the AC as the DHCP server to assign an IP address to the AP from the
IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP
address pool on VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.

# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage the AP on the AC.

# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default
setting). Add the AP offline based on the AP type ID. Assume that the AP type is
AP6010DN-AGN, and the MAC address of the AP is 00e0-fc11-1111.
[AC-wlan-view] ap id 0 type-id 19 mac 00e0-fc11-1111
[AC-wlan-ap-0] quit

# Configure an AP region and add the AP to the AP region.
[AC-wlan-view] ap-region id 10 //Create AP region 10.
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10 //Add AP to region 10.
[AC-wlan-ap-0] quit

# Power on the APs and run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information: Normal[1],Fault[0],Commit-
failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP   AP             AP              Profile         AP       AP
                                    /Region
ID   Type           MAC             ID              State    Sysname
------------------------------------------------------------------------------
0    AP6010DN-AGN   00e0-fc11-1111  0/10            normal   ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1

Step 6 Configure WLAN service parameters.

# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2 //Configure security policy WPA2.
[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher Example@123 encryption-method ccmp //Set the encryption method to PSK+CCMP.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID to 101. The default VLAN ID is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-service-set-test] quit

Step 7 Configure a VAP and deliver VAP parameters to the AP.

# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio //Bind the radio profile to the radio.
[AC-wlan-radio-0/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-0/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption, continue?[Y/N]y

Step 8 Verify the configuration.

After the configuration is complete, run the display vap ap 0 radio 0 command.
The command output shows that the VAP has been created.
[AC-wlan-view] display vap ap 0 radio 0
All VAP Information(Total-1):
SS: Service-set BP: Bridge-profile MP: Mesh-profile
----------------------------------------------------------------------
AP ID Radio ID SS ID BP ID MP ID WLAN ID BSSID Type
----------------------------------------------------------------------
0 0 1 - - 1 00E0-FC11-1111 service
----------------------------------------------------------------------
Total: 1

When a STA detects the wireless network test and associates with it (the
pre-shared key must be entered to join the network), the STA is allocated an IP
address. Run the display station assoc-info command on the AC; the command
output shows that the STA is associated with the WLAN test.
[AC-wlan-view] display station assoc-info ap 0 radio 0
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
00e0-fc11-1113 0 0 1 test
------------------------------------------------------------------------------
Total stations: 1

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 00e0-fc11-1111 sn 210235419610CB002287
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@ encryption-method ccmp
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

3.11.2 Example for Configuring the WLAN Service on Medium- and Large-Scale Campus Networks

Medium- and Large-Scale WLAN Overview
In this document, a Wireless Local Area Network (WLAN) uses 2.4 GHz or 5 GHz
radio as the transmission medium. WLANs are widely used because, compared to
wired networks, they cost less and offer more flexibility, scalability, and mobility.
Medium and large campus WLANs are deployed in headquarters of large and
medium enterprises, branches of large enterprises, colleges and universities, and
airports.

Configuration Notes
● In this example, the security policy is WPA2-PSK-CCMP. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network or APs. Service packets and
management packets can be forwarded normally only if the network
between the AC and APs is added to the management VLAN and the
network between the AC and upper-layer network is added to the service
VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network or
APs. Service packets and management packets can be forwarded
normally only if the network between the AC and APs is added to the
management VLAN and the network between APs and upper-layer
network is added to the service VLAN.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● The following table lists applicable products and versions.

Table 3-43 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R005C00 | S7700, S9700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00 | S5720-HI, S7700, S9700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00 | S5720-HI, S7700, S9700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN
V200R008C00 | S5720-HI, S7700, S9700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN; V200R005C30: AP2030DN, AP4030DN, AP4130DN

NOTE

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.

Networking Requirements
As shown in Figure 3-141, an enterprise's AC connects to the egress gateway
Router of the campus network and connects to APs through a PoE switch. The PoE
switch provides power to APs.

The enterprise requires a WLAN with SSID test so that users can access the
enterprise internal network from anywhere and anytime. The Router needs to
function as a DHCP server to assign IP addresses on 10.10.10.0/24 to users and
manage users on the AC.

Figure 3-141 WLAN service configuration networking on a medium-scale network

Data Planning

Table 3-44 Data planning

Item | Data | Description
IP address of the AC's source interface | 192.168.10.1/24 | None
WMM profile | Name: wmm | None
Radio profile | Name: radio | None
Security profile | Name: security; Security and authentication policy: WPA2+PSK; Authentication key: Example@123; Encryption mode: CCMP | None
Traffic profile | Name: traffic | None
Service set | Name: test; SSID: test; WLAN virtual interface: WLAN-ESS 1; Data forwarding mode: tunnel forwarding | None
DHCP server | The AC functions as the DHCP server to assign IP addresses to APs, and the Router functions as the DHCP server to assign IP addresses to STAs. | None
AP gateway and IP address pool range | VLANIF 100: 192.168.10.1/24; 192.168.10.2 to 192.168.10.254/24 | None
STA gateway and IP address pool range | VLANIF 101: 10.10.10.1/24; 10.10.10.3 to 10.10.10.254/24 | None

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, and upstream device to implement network
interoperation.
2. Configure the AC as a DHCP server to assign an IP address to the AP from an
interface IP address pool, configure the AC as a DHCP relay agent, and
configure the Router connected to the AC to assign IP addresses to STAs.
3. Configure the WLAN service for users to connect to the Internet.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP and GE0/0/2 that connects
SwitchA to the AC to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.

# Configure VLAN 101 (service VLAN) and VLANIF 102.
[AC] vlan batch 101 102
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.10.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.11.10.2 24
[AC-Vlanif102] quit

# Configure a default route on the AC.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.11.10.1 //Configure a default route destined for Router.

# Add GE1/0/2 that connects the AC to the Router to VLAN 102.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC to assign an IP address to the AP and configure the Router to
assign IP addresses to STAs.

# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent and enable user entry detection on
the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.11.10.1 //Set the DHCP server address for DHCP relay to 10.11.10.1, which resides on Router.
[AC-Vlanif101] quit

# Configure the Router as a DHCP server to assign IP addresses to STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta //Configure the address pool to assign IP addresses to STAs.
[Router-ip-pool-sta] gateway-list 10.10.10.1
[Router-ip-pool-sta] network 10.10.10.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.11.10.1 24
[Router-Vlanif102] dhcp select global //Configure a global address pool.
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.10.10.0 24 10.11.10.2 //Configure a route on the Router destined for the network segment 10.10.10.0/24.

Step 4 Configure AC system parameters.

# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage the AP on the AC.

# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default
setting). Add the AP offline based on the AP type ID. Assume that the AP type is
AP6010DN-AGN, and the MAC address of the AP is 00e0-fc11-1111.
[AC-wlan-view] ap id 0 type-id 19 mac 00e0-fc11-1111
[AC-wlan-ap-0] quit

# Configure an AP region and add the AP to the AP region.
[AC-wlan-view] ap-region id 10 //Create AP region 10.
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10 //Add AP to region 10.
[AC-wlan-ap-0] quit

# Power on the APs and run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information: Normal[1],Fault[0],Commit-
failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP   AP             AP              Profile         AP       AP
                                    /Region
ID   Type           MAC             ID              State    Sysname
------------------------------------------------------------------------------
0    AP6010DN-AGN   00e0-fc11-1111  0/10            normal   ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1

Step 6 Configure WLAN service parameters.

# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2 //Configure security policy WPA2.
[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher Example@123 encryption-method ccmp //Set the encryption method to PSK+CCMP.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID to 101. The default VLAN ID is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-service-set-test] quit

Step 7 Configure a VAP and deliver VAP parameters to the AP.

# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio //Bind the radio profile to the radio.
[AC-wlan-radio-0/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-0/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption, continue?[Y/N]y

Step 8 Verify the configuration.

After the configuration is complete, run the display vap ap 0 radio 0 command.
The command output shows that the VAP has been created.
[AC-wlan-view] display vap ap 0 radio 0
All VAP Information(Total-1):
SS: Service-set BP: Bridge-profile MP: Mesh-profile
----------------------------------------------------------------------
AP ID Radio ID SS ID BP ID MP ID WLAN ID BSSID Type
----------------------------------------------------------------------
0 0 1 - - 1 00E0-FC11-1111 service
----------------------------------------------------------------------
Total: 1

When a STA detects the wireless network test and associates with it (the
pre-shared key must be entered to join the network), the STA is allocated an IP
address. Run the display station assoc-info command on the AC; the command
output shows that the STA is associated with the WLAN test.
[AC-wlan-view] display station assoc-info ap 0 radio 0
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
00e0-fc11-1113 0 0 1 test
------------------------------------------------------------------------------
Total stations: 1

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
● Router configuration file
#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.11.10.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.10.10.0 255.255.255.0 10.11.10.2
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.11.10.1
#
interface Vlanif102
ip address 10.11.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
ip route-static 0.0.0.0 0.0.0.0 10.11.10.1
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 00e0-fc11-1111 sn 210235419610CB002287
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@ encryption-method ccmp
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return
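The rules stated in the Configuration Notes of this example (WPA2-PSK-CCMP as the security policy, and a service VLAN that must differ from the management VLAN in tunnel forwarding mode) can be checked mechanically against an AC configuration file in the format shown above. The following linter is an added example, not Huawei code: the two configuration samples are constructed from this example's values, the ciphertext placeholder and the names weak and guest are assumptions, and the %^%# envelope form is an assumption about other VRP releases (the page's file only shows %@%@).

```python
"""Lint an AC config file for the WLAN rules in the Configuration Notes (added example, not Huawei code)."""
import re
from dataclasses import dataclass
from typing import List, Optional
# Constructed sample modelled on this example's AC configuration file (management VLAN 100,
# service VLAN 101, WPA2-PSK-CCMP); the ciphertext is a placeholder, not the page's value.
GOOD_AC_CONFIG = """\
 wlan ac source interface vlanif100
 security-profile name security id 1
  security-policy wpa2
  wpa2 authentication-method psk pass-phrase cipher %@%@PLACEHOLDER-CIPHERTEXT%@%@ encryption-method ccmp
 service-set name test id 1
  forward-mode tunnel
  security-profile id 1
  service-vlan 101
return
"""
# Constructed counter-example breaking every rule: WPA with TKIP, a plaintext pass-phrase,
# and service VLAN 100 equal to the management VLAN in tunnel forwarding mode.
BAD_AC_CONFIG = """\
 wlan ac source interface vlanif100
 security-profile name weak id 2
  security-policy wpa
  wpa authentication-method psk pass-phrase cipher Example@123 encryption-method tkip
 service-set name guest id 2
  forward-mode tunnel
  security-profile id 2
  service-vlan 100
"""

@dataclass
class SecurityProfile:
    name: str
    policy: str = ""                             # e.g. wpa2; empty if not set
    encryption: str = ""                         # e.g. ccmp
    passphrase_encrypted: Optional[bool] = None  # None: no pass-phrase line seen

@dataclass
class ServiceSet:
    name: str
    forward_mode: str = ""                       # checked only when configured
    service_vlan: Optional[int] = None
    security_profile_id: Optional[int] = None

# A stored pass-phrase sits in a cipher envelope; the page's file shows %@%@...%@%@ (assumption: %^%# too).
ENVELOPE_RE = re.compile(r"^(%@%@.*%@%@|%\^%#.*%\^%#)$")
# Lines that open another wlan-view object and therefore end the current one.
NEW_OBJECT_RE = re.compile(r"^((wmm|traffic|radio)-profile name |ap-region |ap id |ap \d+ radio )")

def parse_ac_config(text: str):
    """Return (management VLAN, security profiles by id, service sets by id)."""
    mgmt_vlan, profiles, sets = None, {}, {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        # V200R005/R006 use 'wlan ac source interface', V200R007/R008 'capwap source interface'.
        if m := re.match(r"^(wlan ac|capwap) source interface vlanif\s*(\d+)$", line):
            mgmt_vlan = int(m.group(2))
        elif m := re.match(r"^security-profile name (\S+) id (\d+)$", line):
            cur = profiles[int(m.group(2))] = SecurityProfile(m.group(1))
        elif m := re.match(r"^service-set name (\S+) id (\d+)$", line):
            cur = sets[int(m.group(2))] = ServiceSet(m.group(1))
        elif NEW_OBJECT_RE.match(line) or line in ("#", "return"):
            cur = None
        elif isinstance(cur, SecurityProfile):
            if m := re.match(r"^security-policy (\S+)", line):
                cur.policy = m.group(1)
            if m := re.search(r"encryption-method (\S+)", line):
                cur.encryption = m.group(1)
            if m := re.search(r"pass-phrase cipher (\S+)", line):
                cur.passphrase_encrypted = bool(ENVELOPE_RE.match(m.group(1)))
        elif isinstance(cur, ServiceSet):
            if m := re.match(r"^forward-mode (\S+)", line):
                cur.forward_mode = m.group(1)
            if m := re.match(r"^service-vlan (\d+)", line):
                cur.service_vlan = int(m.group(1))
            if m := re.match(r"^security-profile id (\d+)", line):
                cur.security_profile_id = int(m.group(1))
    return mgmt_vlan, profiles, sets

def lint_ac_config(text: str) -> List[str]:
    """Return findings in file order; an empty list means the notes' rules hold."""
    mgmt_vlan, profiles, sets = parse_ac_config(text)
    findings: List[str] = []
    for prof in profiles.values():
        if prof.passphrase_encrypted is False:
            findings.append(f"security profile {prof.name}: pass-phrase stored in plaintext")
    for ss in sets.values():
        prof = profiles.get(ss.security_profile_id) or SecurityProfile("none")  # unbound: no policy
        if prof.policy != "wpa2":
            findings.append(f"service-set {ss.name}: policy '{prof.policy or 'none'}' is not wpa2")
        if prof.encryption != "ccmp":
            findings.append(f"service-set {ss.name}: encryption '{prof.encryption or 'none'}' is not ccmp")
        if mgmt_vlan is not None and ss.service_vlan == mgmt_vlan:
            verdict = "not allowed in tunnel forwarding mode" if ss.forward_mode == "tunnel" else "not advised in direct forwarding mode"
            findings.append(f"service-set {ss.name}: service VLAN {ss.service_vlan} equals the management VLAN, {verdict}")
    return findings
```

Running lint_ac_config over the page's own AC configuration file (after restoring its indentation) returns no findings; the counter-example yields one finding per broken rule.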

3.11.3 Example for Configuring Unified Access for Wired and Wireless Users

Overview of Unified Access for Wired and Wireless Users
In practice, both wired and wireless users need to access one network. For
example, the PCs and printers of a company connect to the network in wired
mode, and laptops and mobile phones connect wirelessly. After unified access for
wired and wireless users is configured on a network, users of both types can
access the network and be managed in a unified manner.

Configuration Notes
● In this example, Portal authentication is used. To ensure network security,
configure an appropriate security policy according to service requirements.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network or APs. Service packets and
management packets can be forwarded normally only if the network
between the AC and APs is added to the management VLAN and the
network between the AC and upper-layer network is added to the service
VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network or
APs. Service packets and management packets can be forwarded
normally only if the network between the AC and APs is added to the
management VLAN and the network between APs and upper-layer
network is added to the service VLAN.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● The following table lists applicable products and versions.

Table 3-45 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R005C00 | S7700, S9700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00 | S5720-HI, S7700, S9700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00 | S5720-HI, S7700, S9700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN
V200R008C00 | S5720-HI, S7700, S9700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN; V200R005C30: AP2030DN, AP4030DN, AP4130DN

NOTE

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.

Networking Requirements
A hospital needs to deploy both a wired and a wireless network. To simplify
management and maintenance, the administrator requires that wired and wireless
users be centrally managed on the AC, non-authentication and Portal
authentication be configured for the wired and wireless users respectively, and
wireless users roam under the same AC.
As shown in Figure 3-142, the AC connects to the egress gateway Router in the
uplink direction. In the downlink direction, the AC connects to and manages APs
through S5700-1 and S5700-2 access switches. The S5700-1 and S5700-2 are
deployed in the first and second floors, respectively. An AP2010DN is deployed in
each room to provide both wired and wireless access. The AP5030DN is deployed
in the corridor to provide wireless network coverage. The S5700-1 and S5700-2 are
PoE switches directly providing power to connected APs.

To facilitate network planning and management, the access switches are only
used to transparently transmit data at Layer 2, and all gateways are configured on
the AC.

The AC functions as the DHCP server to allocate IP addresses to APs, STAs, and
PCs.

Figure 3-142 Networking for unified wired and wireless access

Data Planning

Table 3-46 Network data planning

Item | Interface | VLAN | Description
AC | GE1/0/1 | 100, 201 | Connected to the S5700-1
AC | GE1/0/2 | 100, 202 | Connected to the S5700-2
AC | GE1/0/3 | 200 | Connected to the controller
AC | GE1/0/4 | 300 | Connected to the egress gateway
S5700-1 | GE0/0/1 | 100, 201 | Connected to the AC
S5700-1 | GE0/0/2 | 100, 201 | Connected to AP101
S5700-1 | GE0/0/3 | 100, 201 | Connected to AP102
S5700-1 | GE0/0/4 | 100, 201 | Connected to AP103
S5700-2 | GE0/0/1 | 100, 202 | Connected to the AC
S5700-2 | GE0/0/2 | 100, 202 | Connected to AP201
S5700-2 | GE0/0/3 | 100, 202 | Connected to AP202
S5700-2 | GE0/0/4 | 100, 202 | Connected to AP203
AP101 and AP102 | Eth0/0/0, Eth0/0/1, GE0/0/0 | 201 | GE0/0/0 connects to the S5700-1. Eth0/0/0 and Eth0/0/1 connect to wired users. AP101 and AP102 are AP2010DNs deployed in rooms on the first floor to provide wired and wireless access.
AP103 | - | - | AP103 is an AP5030DN deployed in the corridor on the first floor to provide wireless access.
AP201 and AP202 | Eth0/0/0, Eth0/0/1, GE0/0/0 | 202 | GE0/0/0 connects to the S5700-2. Eth0/0/0 and Eth0/0/1 connect to wired users. AP201 and AP202 are AP2010DNs deployed in rooms on the second floor to provide wired and wireless access.
AP203 | - | - | AP203 is an AP5030DN deployed in the corridor on the second floor to provide wireless access.

Table 3-47 Service data planning


Item | Data | Description
IP address of the AC's source interface | 10.23.100.1/24 | -
Country code | CN | -
WMM profile | Name: wmm | -
Radio profile | Name: radio | -
Security profile | Name: security; security and authentication policy: OPEN | -
Traffic profile | Name: traffic | -
Service set | Name: floor1; SSID: hospital-wlan; WLAN virtual interface: WLAN-ESS1; data forwarding mode: tunnel forwarding | Provides WLAN network coverage for the first floor.
Service set | Name: floor2; SSID: hospital-wlan; WLAN virtual interface: WLAN-ESS2; data forwarding mode: tunnel forwarding | Provides WLAN network coverage for the second floor.
DHCP server | The AC functions as the DHCP server to allocate IP addresses to APs, STAs, and PCs. | -
AP gateway and IP address pool range | VLANIF 100: 10.23.100.1/24; pool 10.23.100.2-10.23.100.254/24 | -
Gateway and IP address pool range of the wireless users | VLANIF 101: 10.23.101.1/24; pool 10.23.101.2-10.23.101.254/24. VLANIF 102: 10.23.102.1/24; pool 10.23.102.2-10.23.102.254/24 | -
Gateway and IP address pool range of the wired users | VLANIF 201: 10.23.201.1/24; pool 10.23.201.2-10.23.201.254/24. VLANIF 202: 10.23.202.1/24; pool 10.23.202.2-10.23.202.254/24 | -
Server parameters | Authentication server: IP address 10.23.200.1, port number 1812, RADIUS shared key YsHsjx_202206. Accounting server: IP address 10.23.200.1, port number 1813, RADIUS shared key YsHsjx_202206. Authorization server: IP address 10.23.200.1, RADIUS shared key YsHsjx_202206. Portal server: IP address 10.23.200.1; port number on which the AC listens for Portal protocol packets: 2000; destination port number in the packets that the AC sends to the Portal server: 50200; Portal shared key: YsHsjx_202206; encryption key for the URL parameters that the AC sends to the Portal server: YsHsjx_202206 | The Service Controller (SC) provides RADIUS server and Portal server functions; therefore, the IP address of the SC is used for the authentication server, accounting server, authorization server, and Portal server. Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server. Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as that of the authentication server and accounting server.

Table 3-48 Radio channel data planning

Item | Data
AP101 | Radio 0: channel 1 and power level 10
AP102 | Radio 0: channel 6 and power level 10
AP103 | Radio 0: channel 11 and power level 10; Radio 1: channel 153 and power level 10
AP201 | Radio 0: channel 1 and power level 10
AP202 | Radio 0: channel 6 and power level 10
AP203 | Radio 0: channel 11 and power level 10; Radio 1: channel 157 and power level 10
Description (applies to all APs): Use the WLAN Planner to plan AP installation locations, and the working channel and power of the AP radio. Set the channel mode and power mode to fixed, and configure the channel and power for each AP.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure all network devices to enable the APs, S5700-1, S5700-2, and AC to
communicate with upper-layer devices.
2. Configure the AC as a DHCP server to assign IP addresses to APs, wired users,
and wireless users.
3. Configure a RADIUS server template, configure authentication, accounting,
and authorization in the template, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP
management, and WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can
access the Internet.

Procedure
Step 1 Configure network devices to communicate with each other.
# Add GE0/0/1 to GE0/0/4 of the S5700-1 to VLAN 100 (management VLAN) and
VLAN 201 (VLAN for wired service packets on the first floor), and add GE0/0/1 to
GE0/0/4 of the S5700-2 to VLAN 100 and VLAN 202 (VLAN for wired service packets
on the second floor). Wireless service VLANs 101 and 102 are not needed on the
access switches because the service sets use tunnel forwarding. Set PVIDs for
interfaces directly connected to APs. You are advised to configure port isolation on
these interfaces so that APs cannot reach each other at Layer 2 and unnecessary
broadcast traffic is reduced. The S5700-1 is used as an example here. The
configuration on the S5700-2 is similar. For details, see the configuration file of
the S5700-2.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 100 201
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100 //Set a PVID for the interface directly
connected to the AP.
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast
packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit
[S5700-1] interface gigabitethernet 0/0/4
[S5700-1-GigabitEthernet0/0/4] port link-type trunk
[S5700-1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/4] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/4] port-isolate enable
[S5700-1-GigabitEthernet0/0/4] quit

# On the AC, add GE1/0/1 (connected to the S5700-1) to VLAN 100 and VLAN
201, GE1/0/2 (connected to the S5700-2) to VLAN 100 and VLAN 202, GE1/0/4
(connected to the upper-layer network) to VLAN 300, and GE1/0/3 (connected to
the controller) to VLAN 200.
[HUAWEI] sysname AC
[AC] vlan batch 100 200 201 202 300
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 201
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 202
[AC-GigabitEthernet1/0/2] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 300
[AC-GigabitEthernet1/0/4] quit

# Configure VLANIF 200 for communication between the AC and controller.


[AC] interface vlanif200
[AC-Vlanif200] ip address 10.23.200.2 24 //Configure an IP address for communication between the AC
and controller.
[AC-Vlanif200] quit

Step 2 Configure the AC as a DHCP server to assign IP addresses to PCs, APs, and STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.

# Configure the AC to assign IP addresses to PCs, APs, and STAs from an interface
address pool.

[AC] dhcp enable
[AC] vlan batch 101 102
[AC] interface vlanif 100 //Configure an interface address pool to assign IP addresses to APs.
[AC-Vlanif100] description manage_ap
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101 //Configure an interface address pool to assign IP addresses to STAs on the first
floor.
[AC-Vlanif101] description manage_floor1_sta
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102 //Configure an interface address pool to assign IP addresses to STAs on the
second floor.
[AC-Vlanif102] description manage_floor2_sta
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
[AC] interface vlanif 201 //Configure an interface address pool to assign IP addresses to PCs on the first
floor.
[AC-Vlanif201] description manage_floor1_pc
[AC-Vlanif201] ip address 10.23.201.1 24
[AC-Vlanif201] dhcp select interface
[AC-Vlanif201] quit
[AC] interface vlanif 202 //Configure an interface address pool to assign IP addresses to PCs on the
second floor.
[AC-Vlanif202] description manage_floor2_pc
[AC-Vlanif202] ip address 10.23.202.1 24
[AC-Vlanif202] dhcp select interface
[AC-Vlanif202] quit

Step 3 Configure a RADIUS server template, configure authentication, accounting, and authorization in the template, and configure Portal authentication.

# Configure a RADIUS server template on the AC, and configure authentication, accounting, and authorization in the template.
[AC] radius-server template radius1 //Create the RADIUS server template radius1
[AC-radius-radius1] radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS authentication server and authentication port 1812. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
[AC-radius-radius1] radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS accounting server to collect user login and logout information and set the accounting port number to 1813. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
[AC-radius-radius1] radius-server shared-key cipher YsHsjx_202206 //Configure the shared key for the
RADIUS server.
[AC-radius-radius1] undo radius-server user-name domain-included //The user name that the device
sends to the RADIUS server does not carry the domain name. Configure the command when the RADIUS
server does not accept the user name with the domain name.
[AC-radius-radius1] quit
[AC] radius-server authorization 10.23.200.1 shared-key cipher YsHsjx_202206 //Configure an IP
address for the RADIUS authorization server, set the shared key to YsHsjx_202206, same as the
authentication and accounting keys. Configure the authorization server so that the RADIUS server can
deliver authorization rules to the AC.
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme radius1.
[AC-aaa-authen-radius1] authentication-mode radius //If the controller functions as the RADIUS server,
the authentication mode must be set to RADIUS.
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1 //Create the accounting scheme radius 1.
[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to RADIUS. To facilitate
account status information maintenance on the RADIUS server, including the login and logout information,
and forced logout information, the accounting mode must be set to radius.
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1 //Create the domain portal1.
[AC-aaa-domain-portal1] authentication-scheme radius1 //Bind the authentication scheme radius1.
[AC-aaa-domain-portal1] accounting-scheme radius1 //Bind the accounting scheme radius1.

[AC-aaa-domain-portal1] radius-server radius1 //Bind the RADIUS server template radius1.
[AC-aaa-domain-portal1] quit
[AC-aaa] quit

# Configure the Portal server.
[AC] web-auth-server portal1 //Create the Portal server template portal1.
[AC-web-auth-server-portal1] server-ip 10.23.200.1 //Configure an IP address for the Portal server.
[AC-web-auth-server-portal1] port 50200 //Set the destination port number used by the device to send
packets to the Portal server to 50200 (default setting).
[AC-web-auth-server-portal1] shared-key cipher YsHsjx_202206 //Configure the shared key for message
exchange between the AC and Portal server.
[AC-web-auth-server-portal1] url http://10.23.200.1:8080/portal //Configure the URL for a Portal server.
[AC-web-auth-server-portal1] quit

# Bind the Portal server template to the WLAN-ESS interface, enable Portal
authentication for wireless users, and configure non-authentication for wired
users.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] domain name portal1 force //Configure the forcible user domain portal1.
[AC-Wlan-Ess1] domain name portal1 //Configure the default user domain portal1.
[AC-Wlan-Ess1] authentication portal //Configure Portal authentication.
[AC-Wlan-Ess1] web-auth-server portal1 direct //Bind the Portal server template portal1 and specify
Layer 2 authentication as the Portal authentication mode.
[AC-Wlan-Ess1] quit
[AC] interface wlan-ess 2
[AC-Wlan-Ess2] domain name portal1 force //Configure the forcible user domain portal1.
[AC-Wlan-Ess2] domain name portal1 //Configure the default user domain portal1.
[AC-Wlan-Ess2] authentication portal //Configure Portal authentication.
[AC-Wlan-Ess2] web-auth-server portal1 direct //Bind the Portal server template portal1 and specify
Layer 2 authentication as the Portal authentication mode.
[AC-Wlan-Ess2] quit
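The RADIUS template above is only a set of addresses, ports and a shared key, so it is easy to lose sight of what the key actually does on the wire. The following Python script is an added example, not Huawei's code and not the AC's implementation: it models the RFC 2865 Access-Request / Access-Accept exchange between the AC (the NAS, source address 10.23.200.2) and the Service Controller at 10.23.200.1:1812, using the page's example key YsHsjx_202206 as the shared secret. The account nurse01 and its password are constructed; the real AC sends more attributes and may not use PAP for Portal users, but the two security-relevant mechanics are the same: the User-Password is hidden with MD5(secret + Request Authenticator), and the reply's Response Authenticator is an MD5 over the reply plus the secret, which is the only thing that stops an on-path host from minting an Access-Accept.

```python
import hashlib
import hmac
import os
import socket
import struct

# Values from Table 3-47 / Step 3; the key is the page's example key, reused only as demo material.
AC_SOURCE_IP = "10.23.200.2"
SHARED_KEY = b"YsHsjx_202206"

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types


def hide_password(password, secret, request_auth):
    """RFC 2865 s5.2: pad to a 16-byte multiple; c_i = p_i XOR MD5(secret + c_(i-1)), c_0 = Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ d for p, d in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_auth):
    """Inverse of hide_password; needs the same secret and the Request Authenticator from the packet."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ d for c, d in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs


def packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = encode_attrs(attrs)
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + request_auth + body + secret).digest()


def ac_build_access_request(username, password, ident, request_auth, secret=SHARED_KEY):
    """AC (NAS) side. The Request Authenticator must be fresh random bytes: it keys the password hiding."""
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, hide_password(password.encode(), secret, request_auth)),
             (NAS_IP_ADDRESS, socket.inet_aton(AC_SOURCE_IP))]
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)


def server_handle(request, users, secret=SHARED_KEY):
    """Server side: recover the password, decide, and bind the reply to the request with the secret."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or length != len(request):
        raise ValueError("not a well-formed Access-Request")
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    password = reveal_password(attrs[USER_PASSWORD], secret, request_auth)
    reply = ACCESS_ACCEPT if users.get(attrs[USER_NAME].decode()) == password else ACCESS_REJECT
    return packet(reply, ident, response_authenticator(reply, ident, request_auth, [], secret), [])


def ac_verify_reply(reply, ident, request_auth, secret=SHARED_KEY):
    """AC side: trust the reply only if its Response Authenticator verifies under the shared key."""
    code, rid, length = struct.unpack("!BBH", reply[:4])
    if rid != ident or length != len(reply):
        return None
    expected = response_authenticator(code, rid, request_auth, decode_attrs(reply[20:length]), secret)
    return code if hmac.compare_digest(expected, reply[4:20]) else None


def run_exchange(users=None):
    """Four cases; returns the AC's verdict for each (constructed account, not from the page)."""
    users = users or {"nurse01": b"W4rd-7!pass"}
    results = {}
    for label, password, ac_key in [("good", "W4rd-7!pass", SHARED_KEY),
                                    ("bad_password", "wrong", SHARED_KEY),
                                    ("wrong_key", "W4rd-7!pass", b"OtherKey")]:
        ident, request_auth = os.urandom(1)[0], os.urandom(16)
        request = ac_build_access_request("nurse01", password, ident, request_auth, ac_key)
        results[label] = ac_verify_reply(server_handle(request, users), ident, request_auth, ac_key)
    # An on-path attacker without the key cannot mint an Access-Accept the AC will believe.
    ident, request_auth = 7, os.urandom(16)
    results["forged_accept"] = ac_verify_reply(packet(ACCESS_ACCEPT, ident, os.urandom(16), []), ident, request_auth)
    return results
```

Two caveats follow directly from the construction. First, nothing in a plain Access-Request lets the server check that the request came from the AC (the Request Authenticator is random, not keyed); only the optional Message-Authenticator attribute adds that, so restrict the RADIUS server to the AC's source address (the `source ip-address 10.23.200.2` setting above) at the server side as well. Second, both protections are MD5 over a shared secret, so the key must be long and random; the page's YsHsjx_202206 is only an example value and should not be reused in production.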

Step 4 Configure AC system parameters.
# Configure the AC's country code.
[AC] wlan ac-global country-code cn //Configure the AC country code. Radio features of APs managed by the AC must conform to local laws and regulations. The default country code is CN.
Warning: Modifying the country code will clear channel configurations of the AP radio using the country code and reset the AP. If the new country code does not support the radio, all configurations of the radio are cleared. Continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100
[AC] wlan

Step 5 Manage the APs on the AC.
# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN

29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default setting). Add the APs offline based on the obtained AP type IDs.
[AC-wlan-view] ap id 101 type-id 38 mac 00e0-fc76-e320 //Add the AP2010DN offline with the MAC
address 00e0-fc76-e320 and AP ID 101.
[AC-wlan-ap-101] quit
[AC-wlan-view] ap id 102 type-id 38 mac 00e0-fc76-e340 //Add the AP2010DN offline with the MAC
address 00e0-fc76-e340 and AP ID 102.
[AC-wlan-ap-102] quit
[AC-wlan-view] ap id 103 type-id 35 mac 00e0-fc04-b520 //Add the AP5030DN offline with the MAC
address 00e0-fc04-b520 and AP ID 103.
[AC-wlan-ap-103] quit
[AC-wlan-view] ap id 201 type-id 38 mac 00e0-fc76-e360 //Add the AP2010DN offline with the MAC
address 00e0-fc76-e360 and AP ID 201.
[AC-wlan-ap-201] quit
[AC-wlan-view] ap id 202 type-id 38 mac 00e0-fc76-e380 //Add the AP2010DN offline with the MAC
address 00e0-fc76-e380 and AP ID 202.
[AC-wlan-ap-202] quit
[AC-wlan-view] ap id 203 type-id 35 mac 00e0-fc04-b540 //Add the AP5030DN offline with the MAC
address 00e0-fc04-b540 and AP ID 203.
[AC-wlan-ap-203] quit

# Configure AP regions and add the APs to the AP regions.
[AC-wlan-view] ap-region id 1 //Create AP region1 and add APs on the first floor to AP region1.
[AC-wlan-ap-region-1] ap-region-name floor1 //Name the AP region1 floor1.
[AC-wlan-ap-region-1] quit
[AC-wlan-view] ap id 101
[AC-wlan-ap-101] region-id 1 //Add AP 101 to AP region1.
[AC-wlan-ap-101] quit
[AC-wlan-view] ap id 102
[AC-wlan-ap-102] region-id 1
[AC-wlan-ap-102] quit
[AC-wlan-view] ap id 103
[AC-wlan-ap-103] region-id 1
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-region id 2 //Create AP region2 and add APs on the second floor to AP region2.
[AC-wlan-ap-region-2] ap-region-name floor2
[AC-wlan-ap-region-2] quit
[AC-wlan-view] ap id 201
[AC-wlan-ap-201] region-id 2
[AC-wlan-ap-201] quit
[AC-wlan-view] ap id 202
[AC-wlan-ap-202] region-id 2
[AC-wlan-ap-202] quit
[AC-wlan-view] ap id 203
[AC-wlan-ap-203] region-id 2
[AC-wlan-ap-203] quit

# Power on the APs and run the display ap all command to check the AP state. If
the AP State field is normal, the APs have gone online.

[AC-wlan-view] display ap all
All AP(s) information:
Normal[6],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type    AP MAC          Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
101 AP2010DN 00e0-fc76-e320 0/1 normal ap-101
102 AP2010DN 00e0-fc76-e340 0/1 normal ap-102
103 AP5030DN 00e0-fc04-b520 0/1 normal ap-103
201 AP2010DN 00e0-fc76-e360 0/2 normal ap-201
202 AP2010DN 00e0-fc76-e380 0/2 normal ap-202
203 AP5030DN 00e0-fc04-b540 0/2 normal ap-203
------------------------------------------------------------------------------
Total number: 6,printed: 6

# Configure an AP2010DN's uplink interface GE0/0/0 and downlink interfaces Eth0/0/0 and Eth0/0/1 to allow wired service packets to pass.
[AC-wlan-view] ap id 101
[AC-wlan-ap-101] lineate-port ethernet 0 pvid vlan 201 //The downlink interface of the AP2010DN is
used to connect wired terminals, such as the PCs. Set a PVID for the interface. VLAN 201 is used to transmit
wired service packets of the first floor.
[AC-wlan-ap-101] lineate-port ethernet 0 vlan untagged 201 //The downlink interface of the AP2010DN
is used to connect wired terminals. Add the interface to VLAN 201 in untagged mode.
[AC-wlan-ap-101] lineate-port ethernet 1 pvid vlan 201
[AC-wlan-ap-101] lineate-port ethernet 1 vlan untagged 201
[AC-wlan-ap-101] lineate-port gigabitethernet 0 vlan tagged 201 //The uplink interface of the
AP2010DN is used to connect to the upper-layer devices. Add the interface to VLAN 201 in tagged mode.
[AC-wlan-ap-101] quit
[AC-wlan-view] ap id 102
[AC-wlan-ap-102] lineate-port ethernet 0 pvid vlan 201
[AC-wlan-ap-102] lineate-port ethernet 0 vlan untagged 201
[AC-wlan-ap-102] lineate-port ethernet 1 pvid vlan 201
[AC-wlan-ap-102] lineate-port ethernet 1 vlan untagged 201
[AC-wlan-ap-102] lineate-port gigabitethernet 0 vlan tagged 201
[AC-wlan-ap-102] quit
[AC-wlan-view] ap id 201
[AC-wlan-ap-201] lineate-port ethernet 0 pvid vlan 202 //The downlink interface of the AP2010DN is
used to connect wired terminals, such as the PCs. Set a PVID for the interface. VLAN 202 is used to transmit
wired service packets of the second floor.
[AC-wlan-ap-201] lineate-port ethernet 0 vlan untagged 202
[AC-wlan-ap-201] lineate-port ethernet 1 pvid vlan 202
[AC-wlan-ap-201] lineate-port ethernet 1 vlan untagged 202
[AC-wlan-ap-201] lineate-port gigabitethernet 0 vlan tagged 202
[AC-wlan-ap-201] quit
[AC-wlan-view] ap id 202
[AC-wlan-ap-202] lineate-port ethernet 0 pvid vlan 202
[AC-wlan-ap-202] lineate-port ethernet 0 vlan untagged 202
[AC-wlan-ap-202] lineate-port ethernet 1 pvid vlan 202
[AC-wlan-ap-202] lineate-port ethernet 1 vlan untagged 202
[AC-wlan-ap-202] lineate-port gigabitethernet 0 vlan tagged 202
[AC-wlan-ap-202] quit

Step 6 Configure WLAN service parameters.
# Create the WMM profile wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create the radio profile radio and bind the WMM profile wmm to the radio
profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] power-mode fixed //Set the power mode of the radio to fixed.

[AC-wlan-radio-prof-radio] channel-mode fixed //Set the channel mode of the radio to fixed.
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1 and WLAN-ESS interface 2.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101 102 //Configure the wlan-ess interface to allow packets
from wireless service VLANs to pass through, which is one of the prerequisites for intra-AC roaming.
[AC-Wlan-Ess1] quit
[AC] interface wlan-ess 2
[AC-Wlan-Ess2] port trunk allow-pass vlan 101 102
[AC-Wlan-Ess2] quit

# Create the security profile security.
[AC] wlan
[AC-wlan-view] security-profile name security id 1 //Portal authentication has been enabled on the interface. Set the security policy to OPEN (default setting), that is, no authentication and no encryption. With an OPEN policy the air interface carries user traffic in the clear: Portal authentication controls who may pass the AC, it does not protect the wireless link.
[AC-wlan-sec-prof-security] quit

# Create the traffic profile traffic.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create service sets floor1 and floor2, and bind the service VLANs, WLAN-ESS
interfaces, security profile, and traffic profile to the service sets. Set the forwarding
mode to tunnel forwarding.
[AC-wlan-view] service-set name floor1 id 1 //Create the service set floor1.
[AC-wlan-service-set-floor1] ssid hospital-wlan //Set the SSID to hospital-wlan.
[AC-wlan-service-set-floor1] wlan-ess 1 //Bind the WLAN-ESS interface.
[AC-wlan-service-set-floor1] security-profile name security //Bind the security profile security.
[AC-wlan-service-set-floor1] traffic-profile name traffic //Bind the traffic profile traffic.
[AC-wlan-service-set-floor1] service-vlan 101 //Bind the service VLAN 101.
[AC-wlan-service-set-floor1] forward-mode tunnel //Set the forwarding mode to tunnel forwarding. The
default forwarding mode is direct forwarding.
[AC-wlan-service-set-floor1] user-isolate //Configure Layer 2 isolation for users connected to the same
VAP.
[AC-wlan-service-set-floor1] quit
[AC-wlan-view] service-set name floor2 id 2
[AC-wlan-service-set-floor2] ssid hospital-wlan //Set the SSID to hospital-wlan. All service sets must be
configured with the same SSID, which is one of the prerequisites for intra-AC roaming.
[AC-wlan-service-set-floor2] wlan-ess 2
[AC-wlan-service-set-floor2] security-profile name security //Bind the security profile security. All service
sets must have the same security profile bound, which is one of the prerequisites for intra-AC roaming.
[AC-wlan-service-set-floor2] traffic-profile name traffic
[AC-wlan-service-set-floor2] service-vlan 102
[AC-wlan-service-set-floor2] forward-mode tunnel
[AC-wlan-service-set-floor2] user-isolate
[AC-wlan-service-set-floor2] quit

Step 7 Configure VAPs and deliver VAP parameters to the APs.
# Configure VAPs.
[AC-wlan-view] ap 101 radio 0 //Configure radio0 of the AP2010DN.
[AC-wlan-radio-101/0] radio-profile name radio //Bind the radio profile to the radio.
[AC-wlan-radio-101/0] service-set name floor1 //Bind the service set to the radio. A VAP is generated
after the binding.
[AC-wlan-radio-101/0] channel 20mhz 1 //Configure the channel based on the planning result of the
WLAN Planner.
[AC-wlan-radio-101/0] power-level 10 //Configure the power based on the planning result of the WLAN
Planner.
[AC-wlan-radio-101/0] quit
[AC-wlan-view] ap 102 radio 0
[AC-wlan-radio-102/0] radio-profile name radio
[AC-wlan-radio-102/0] service-set name floor1

[AC-wlan-radio-102/0] channel 20mhz 6
[AC-wlan-radio-102/0] power-level 10
[AC-wlan-radio-102/0] quit
[AC-wlan-view] ap 103 radio 0
[AC-wlan-radio-103/0] radio-profile name radio
[AC-wlan-radio-103/0] service-set name floor1
[AC-wlan-radio-103/0] channel 20mhz 11
[AC-wlan-radio-103/0] power-level 10
[AC-wlan-radio-103/0] quit
[AC-wlan-view] ap 103 radio 1 //The AP5030 supports two radios. This step configures radio 1.
[AC-wlan-radio-103/1] radio-profile name radio
[AC-wlan-radio-103/1] service-set name floor1
[AC-wlan-radio-103/1] channel 20mhz 153
[AC-wlan-radio-103/1] power-level 10
[AC-wlan-radio-103/1] quit
[AC-wlan-view] ap 201 radio 0
[AC-wlan-radio-201/0] radio-profile name radio
[AC-wlan-radio-201/0] service-set name floor2
[AC-wlan-radio-201/0] channel 20mhz 1
[AC-wlan-radio-201/0] power-level 10
[AC-wlan-radio-201/0] quit
[AC-wlan-view] ap 202 radio 0
[AC-wlan-radio-202/0] radio-profile name radio
[AC-wlan-radio-202/0] service-set name floor2
[AC-wlan-radio-202/0] channel 20mhz 6
[AC-wlan-radio-202/0] power-level 10
[AC-wlan-radio-202/0] quit
[AC-wlan-view] ap 203 radio 0
[AC-wlan-radio-203/0] radio-profile name radio
[AC-wlan-radio-203/0] service-set name floor2
[AC-wlan-radio-203/0] channel 20mhz 11
[AC-wlan-radio-203/0] power-level 10
[AC-wlan-radio-203/0] quit
[AC-wlan-view] ap 203 radio 1
[AC-wlan-radio-203/1] radio-profile name radio
[AC-wlan-radio-203/1] service-set name floor2
[AC-wlan-radio-203/1] channel 20mhz 157
[AC-wlan-radio-203/1] power-level 10
[AC-wlan-radio-203/1] quit

# Deliver the configuration to the APs.


[AC-wlan-view] commit all //After the WLAN service configuration is complete on the AC, the
configuration takes effect after you deliver it to the APs.
Warning: Committing configuration may cause service interruption, continue?[Y/N]
:y

Step 8 Verify the configuration.

# After the configuration is complete, run the display vap all command. The
command output shows that VAPs have been created.
[AC-wlan-view] display vap all
All VAP Information(Total-8):
SS: Service-set BP: Bridge-profile MP: Mesh-profile
----------------------------------------------------------------------
AP ID Radio ID SS ID BP ID MP ID WLAN ID BSSID Type
----------------------------------------------------------------------
101 0 1 - - 1 00e0-fc76-e320 service
102 0 1 - - 1 00e0-fc76-e340 service
103 0 1 - - 1 00e0-fc04-b520 service
103 1 1 - - 1 00e0-fc04-b530 service
201 0 2 - - 1 00e0-fc76-e360 service
202 0 2 - - 1 00e0-fc76-e380 service
203 0 2 - - 1 00e0-fc04-b540 service
203 1 2 - - 1 00e0-fc04-b550 service
----------------------------------------------------------------------
Total: 8


# STAs discover the WLAN with the SSID hospital-wlan and associate with the
WLAN. The STAs are allocated IP addresses. After you enter the key, the STAs can
access the wireless network. Run the display station assoc-info command on the
AC. The command output shows that the STAs are connected to the WLAN
hospital-wlan.
[AC-wlan-view] display station assoc-info all
AP/Rf/WLAN: AP ID/Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
STA MAC AP/Rf/WLAN Rx/Tx Mode RSSI IP address
SSID
------------------------------------------------------------------------------
00e0-fcc7-1e08 101/0/1 6/11 11n -89 10.23.101.254
hospital-wlan
------------------------------------------------------------------------------
Total stations: 1

# STAs and PCs obtain IP addresses and connect to the network properly.

----End

Configuration Files
● S5700-1 configuration file
#
sysname S5700-1
#
vlan batch 100 201
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 201
port-isolate enable group 1
#
return
● S5700-2 configuration file
#
sysname S5700-2
#
vlan batch 100 202
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100

port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 202
port-isolate enable group 1
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102 200 to 202 300
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius1
radius-server shared-key cipher %#%#ut)92(w\&0@UJ}J7}^3Z9x`9~Y$`2D1AGwDQ[+S.%#%#
radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80
radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80
undo radius-server user-name domain-included
radius-server authorization 10.23.200.1 shared-key cipher %#%#[m1~SG]5CAzg~K35!b^Wa';{=+k_40Q
\YK~}UX6T%#%#
#
web-auth-server portal1
server-ip 10.23.200.1
port 50200
shared-key cipher %#%#^B],0yW|oJ1;j:U&`%}(=@2t*]e.$TOVrx@(I6rT%#%#
url http://10.23.200.1:8080/portal
#
aaa
authentication-scheme radius1
authentication-mode radius
accounting-scheme radius1
accounting-mode radius
domain portal1
authentication-scheme radius1
accounting-scheme radius1
radius-server radius1
#
interface Vlanif100
description manage_ap
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
description manage_floor1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
description manage_floor2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface Vlanif201


description manage_floor1_pc
ip address 10.23.201.1 255.255.255.0
dhcp select interface
#
interface Vlanif202
description manage_floor2_pc
ip address 10.23.202.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 300
#
interface Wlan-Ess1
port trunk allow-pass vlan 101 to 102
domain name portal1 force
domain name portal1
authentication portal
web-auth-server portal1 direct
#
interface Wlan-Ess2
port trunk allow-pass vlan 101 to 102
domain name portal1 force
domain name portal1
authentication portal
web-auth-server portal1 direct
#
capwap source interface vlanif100
#
wlan
ap-region id 1
ap-region-name floor1
ap-region id 2
ap-region-name floor2
ap id 101 type-id 38 mac 00e0-fc76-e320
region-id 1
lineate-port ethernet 0 pvid vlan 201
lineate-port ethernet 0 vlan untagged 201
lineate-port ethernet 1 pvid vlan 201
lineate-port ethernet 1 vlan untagged 201
lineate-port gigabitethernet 0 vlan tagged 201
ap id 102 type-id 38 mac 00e0-fc76-e340
region-id 1
lineate-port ethernet 0 pvid vlan 201
lineate-port ethernet 0 vlan untagged 201
lineate-port ethernet 1 pvid vlan 201
lineate-port ethernet 1 vlan untagged 201
lineate-port gigabitethernet 0 vlan tagged 201
ap id 103 type-id 35 mac 00e0-fc04-b520
region-id 1
ap id 201 type-id 38 mac 00e0-fc76-e360
region-id 2
lineate-port ethernet 0 pvid vlan 202
lineate-port ethernet 0 vlan untagged 202
lineate-port ethernet 1 pvid vlan 202
lineate-port ethernet 1 vlan untagged 202
lineate-port gigabitethernet 0 vlan tagged 202

ap id 202 type-id 38 mac 00e0-fc76-e380
region-id 2
lineate-port ethernet 0 pvid vlan 202
lineate-port ethernet 0 vlan untagged 202
lineate-port ethernet 1 pvid vlan 202
lineate-port ethernet 1 vlan untagged 202
lineate-port gigabitethernet 0 vlan tagged 202
ap id 203 type-id 35 mac 00e0-fc04-b540
region-id 2
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name floor1 id 1
forward-mode tunnel
wlan-ess 1
ssid hospital-wlan
user-isolate
traffic-profile id 1
security-profile id 1
service-vlan 101
service-set name floor2 id 2
forward-mode tunnel
wlan-ess 2
ssid hospital-wlan
user-isolate
traffic-profile id 1
security-profile id 1
service-vlan 102
radio-profile name radio id 1
channel-mode fixed
power-mode fixed
wmm-profile id 1
ap 101 radio 0
radio-profile id 1
power-level 10
service-set id 1 wlan 1
ap 102 radio 0
radio-profile id 1
channel 20MHz 6
power-level 10
service-set id 1 wlan 1
ap 103 radio 0
radio-profile id 1
channel 20MHz 11
power-level 10
service-set id 1 wlan 1
ap 103 radio 1
radio-profile id 1
channel 20MHz 153
power-level 10
service-set id 1 wlan 1
ap 201 radio 0
radio-profile id 1
power-level 10
service-set id 2 wlan 1
ap 202 radio 0
radio-profile id 1
channel 20MHz 6
power-level 10
service-set id 2 wlan 1
ap 203 radio 0
radio-profile id 1
channel 20MHz 11
power-level 10
service-set id 2 wlan 1
ap 203 radio 1
radio-profile id 1
channel 20MHz 157
power-level 10


service-set id 2 wlan 1
#
return

3.11.4 Example for Configuring WLAN Services for a Wireless City Project (AC Bypass Deployment, Portal Authentication)
WLAN Service Overview
You can configure WLAN services to allow wireless users to easily access a wireless
network and move around within its coverage area.

Configuration Notes
● In this example, Portal authentication is used. To ensure network security,
configure an appropriate security policy according to service requirements.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network or APs. Service packets and
management packets can be forwarded normally only if the network
between the AC and APs is added to the management VLAN and the
network between the AC and upper-layer network is added to the service
VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network or
APs. Service packets and management packets can be forwarded
normally only if the network between the AC and APs is added to the
management VLAN and the network between APs and upper-layer
network is added to the service VLAN.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.

– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● The following table lists applicable products and versions.

Table 3-49 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R005C00 | S7700, S9700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00 | S5720-HI, S7700, S9700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00 | S5720-HI, S7700, S9700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN
V200R008C00 | S5720-HI, S7700, S9700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN; V200R005C30: AP2030DN, AP4030DN, AP4130DN


NOTE

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.

Networking Requirements
A city needs to deploy the wireless smart city project and requires that Portal
authentication be used for wireless users. Due to the large number of wireless
users, high wireless service performance and Portal authentication performance
are required.
As shown in Figure 3-143, the S9700 core switch functions as the gateway for
STAs and APs and as a DHCP server to assign IP addresses to STAs and APs. The
S9700 connects to APs through PoE access switches S5700-1 and S5700-2. The AC
and APs are located on a Layer 3 network. The AC is the X series card on the
S9700 and connected to the S9700 through Eth-Trunk in bypass mode.
To facilitate network planning and management, the access switches are only
used to transparently transmit data at Layer 2.

Figure 3-143 Networking diagram for configuring WLAN services for a wireless
city project


Data Planning

Table 3-50 Network data planning

Item | Interface | VLAN | Description
AC | Eth-Trunk1 | 100 | Configured to improve network bandwidth and reliability. Add GE2/0/1 and GE2/0/2 to Eth-Trunk 1 and connect the two interfaces to the S9700.
S5700-1 | GE0/0/1 | 10, 101 | Connected to the AC
S5700-1 | GE0/0/2 | 10, 101 | Connected to AP101
S5700-1 | GE0/0/3 | 10, 101 | Connected to AP102
S5700-2 | GE0/0/1 | 20, 102 | Connected to the AC
S5700-2 | GE0/0/2 | 20, 102 | Connected to AP201
S5700-2 | GE0/0/3 | 20, 102 | Connected to AP202
S9700 | GE1/0/1 | 10, 101 | Connected to the S5700-1
S9700 | GE1/0/2 | 20, 102 | Connected to the S5700-2
S9700 | GE1/0/3 | 300 | Connected to the Controller
S9700 | GE1/0/4 | 101, 102 | Connected to the upper-layer network
S9700 | Eth-Trunk1 | 100 | Configured to improve network bandwidth and reliability. Add GE1/0/5 and GE1/0/6 to Eth-Trunk 1 and connect the two interfaces to the AC.

Table 3-51 Service data planning

Item | Data | Description
IP address of the AC's source interface | 10.23.100.1/24 | -
Country code | CN | -
WMM profile | Name: wmm | -
Radio profile | Name: radio | -
Security profile | Name: security; Security and authentication policy: OPEN | -
Traffic profile | Name: traffic | -
Service set | Name: area_1; SSID: city-wlan; WLAN virtual interface: WLAN-ESS1; Service data forwarding mode: direct forwarding | Provides WLAN network coverage for Area1.
Service set | Name: area_2; SSID: city-wlan; WLAN virtual interface: WLAN-ESS2; Service data forwarding mode: direct forwarding | Provides WLAN network coverage for Area2.
DHCP server | The S9700 functions as the DHCP server to assign IP addresses to APs and STAs. | -
AP gateway and IP address pool range | VLANIF 10: 10.23.10.1/24, 10.23.10.2-10.23.10.254/24 | Gateway and IP address pool for AP101 and AP102
AP gateway and IP address pool range | VLANIF 20: 10.23.20.1/24, 10.23.20.2-10.23.20.254/24 | Gateway and IP address pool for AP201 and AP202
STA gateway and IP address pool range | VLANIF 101: 10.23.101.1/24, 10.23.101.2-10.23.101.254/24 | -
STA gateway and IP address pool range | VLANIF 102: 10.23.102.1/24, 10.23.102.2-10.23.102.254/24 | -
Server parameters (authentication server) | Active IP address: 10.23.30.1; Active IP address: 10.23.30.2; Standby IP address: 10.23.30.3; Port number: 1812; RADIUS shared key: YsHsjx_202206 | ● Three Service Controllers (SCs) are deployed on the network. Controller1 and Controller2 are used for load balancing, and Controller3 serves as a backup. ● The Service Controller (SC) provides RADIUS server and Portal server functions; therefore, the IP address of the SC is used for the authentication server, accounting server, authorization server, and Portal server. ● Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server. ● Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as that of the authentication server and accounting server.
Server parameters (accounting server) | Active IP address: 10.23.30.1; Active IP address: 10.23.30.2; Standby IP address: 10.23.30.3; Port number: 1813; RADIUS shared key: YsHsjx_202206 | See above.
Server parameters (authorization server) | Active IP address: 10.23.30.1; Active IP address: 10.23.30.2; Standby IP address: 10.23.30.3; RADIUS shared key: YsHsjx_202206 | See above.
Server parameters (Portal server) | Active IP address: 10.23.30.1; Active IP address: 10.23.30.2; Standby IP address: 10.23.30.3; Port number that the AC uses to listen on Portal protocol packets: 2000; Destination port number in the packets that the AC sends to the Portal server: 50100; Portal shared key: YsHsjx_202206; Encryption key for the URL parameters that the AC sends to the Portal server: YsHsjx_202206 | See above.

Table 3-52 Radio channel data planning

Item | Data | Description
AP101 | Radio 0: channel 1 and power level 10; Radio 1: channel 153 and power level 10 | Use the WLAN Planner to plan AP installation locations, and the working channel and power of the AP radio. Set the channel mode and power mode to fixed, and configure the channel and power for each AP.
AP102 | Radio 0: channel 6 and power level 10; Radio 1: channel 161 and power level 10 | See above.
AP201 | Radio 0: channel 1 and power level 10; Radio 1: channel 153 and power level 10 | See above.
AP202 | Radio 0: channel 6 and power level 10; Radio 1: channel 161 and power level 10 | See above.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure all network devices to enable the APs, S5700-1, S5700-2, S9700,
and AC to communicate with upper-layer devices.
2. Configure the AC as a DHCP server to assign IP addresses to the STAs and
APs.
3. Configure a RADIUS server template, configure authentication, accounting,
and authorization in the template, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP
management, and WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can
access the Internet.

Procedure
Step 1 Configure network devices to communicate with each other.
# Add interfaces GE0/0/1 to GE0/0/3 of the S5700-1 to VLAN 10 (management
VLAN) and VLAN 101 (service VLAN). Set PVIDs for interfaces directly connected
to APs. You are advised to configure port isolation on these interfaces to reduce
unnecessary broadcast traffic.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 10 101
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 10 //Set a PVID for the interface directly connected
to the AP.
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 10
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit

# Add interfaces GE0/0/1 to GE0/0/3 of the S5700-2 to VLAN 20 (management
VLAN) and VLAN 102 (service VLAN). Set PVIDs for interfaces directly connected
to APs. You are advised to configure port isolation on these interfaces to reduce
unnecessary broadcast traffic.

[HUAWEI] sysname S5700-2
[S5700-2] vlan batch 20 102
[S5700-2] interface gigabitethernet 0/0/1
[S5700-2-GigabitEthernet0/0/1] port link-type trunk
[S5700-2-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/1] quit
[S5700-2] interface gigabitethernet 0/0/2
[S5700-2-GigabitEthernet0/0/2] port link-type trunk
[S5700-2-GigabitEthernet0/0/2] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/2] port trunk pvid vlan 20 //Set a PVID for the interface directly connected
to the AP.
[S5700-2-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-2-GigabitEthernet0/0/2] quit
[S5700-2] interface gigabitethernet 0/0/3
[S5700-2-GigabitEthernet0/0/3] port link-type trunk
[S5700-2-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/3] port trunk pvid vlan 20
[S5700-2-GigabitEthernet0/0/3] port-isolate enable
[S5700-2-GigabitEthernet0/0/3] quit

# On the S9700, add GE1/0/1 connected to the S5700-1 to VLAN 10 and VLAN
101, GE1/0/2 connected to the S5700-2 to VLAN 20 and VLAN 102, GE1/0/3
connected to the Controller to VLAN 300, GE1/0/4 connected to the upper-layer
network to VLAN 101 and VLAN 102, and GE1/0/5 and GE1/0/6 connected to the
AC to Eth-Trunk 1. Add Eth-Trunk 1 to VLAN 100.
[HUAWEI] sysname S9700
[S9700] vlan batch 10 20 100 101 102 300
[S9700] interface gigabitethernet 1/0/1
[S9700-GigabitEthernet1/0/1] port link-type trunk
[S9700-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 101
[S9700-GigabitEthernet1/0/1] quit
[S9700] interface gigabitethernet 1/0/2
[S9700-GigabitEthernet1/0/2] port link-type trunk
[S9700-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 102
[S9700-GigabitEthernet1/0/2] quit
[S9700] interface gigabitethernet 1/0/3
[S9700-GigabitEthernet1/0/3] port link-type trunk
[S9700-GigabitEthernet1/0/3] port trunk allow-pass vlan 300
[S9700-GigabitEthernet1/0/3] quit
[S9700] interface gigabitethernet 1/0/4
[S9700-GigabitEthernet1/0/4] port link-type trunk
[S9700-GigabitEthernet1/0/4] port trunk allow-pass vlan 101 102
[S9700-GigabitEthernet1/0/4] quit
[S9700] interface eth-trunk 1
[S9700-Eth-Trunk1] port link-type trunk
[S9700-Eth-Trunk1] port trunk allow-pass vlan 100
[S9700-Eth-Trunk1] trunkport gigabitethernet 1/0/5 1/0/6 //Add GE1/0/5 and GE1/0/6 to Eth-Trunk1.
[S9700-Eth-Trunk1] quit

# On the S9700, configure VLANIF 100 for communication with the AC and
VLANIF 300 for communication with the Controller.
[S9700] interface vlanif100
[S9700-Vlanif100] ip address 10.23.100.10 24 //Configure an IP address for communication between the
S9700 and AC.
[S9700-Vlanif100] quit
[S9700] interface vlanif300
[S9700-Vlanif300] ip address 10.23.30.10 24 //Configure an IP address for communication between the
S9700 and Controller.
[S9700-Vlanif300] quit

# On the AC, add GE2/0/1 and GE2/0/2 connected to the S9700 to Eth-Trunk 1
and add Eth-Trunk 1 to VLAN 100.
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface eth-trunk 1

[AC-Eth-Trunk1] port link-type trunk
[AC-Eth-Trunk1] port trunk allow-pass vlan 100
[AC-Eth-Trunk1] trunkport gigabitethernet 2/0/1 2/0/2 //Add GE2/0/1 and GE2/0/2 to Eth-Trunk1.
[AC-Eth-Trunk1] quit

# Configure VLANIF 100 on the AC for communication with the S9700.
[AC] interface vlanif100
[AC-Vlanif100] ip address 10.23.100.1 24 //Configure an IP address for communication between the S9700
and AC.
[AC-Vlanif100] quit
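The Configuration Notes require that, in direct forwarding mode, every access-switch port facing an AP carries the management VLAN as PVID and the service VLAN, and has port isolation enabled. The following Python script is an added example written for this guide (not Huawei's own tooling): it parses the configuration-file format shown in this document and reports AP-facing ports that break one of those rules. The sample configuration is constructed, modelled on S5700-1 from Step 1, with GE0/0/3 deliberately misconfigured; the function and class names are the example's own.

```python
"""Audit AP-facing ports in a Huawei-style switch configuration (added example,
not Huawei's tooling): each AP-facing port must carry the management VLAN as
PVID plus the service VLAN and have port isolation enabled (Configuration Notes).
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Port:
    name: str
    link_type: str = ""
    pvid: Optional[int] = None
    allowed: Set[int] = field(default_factory=set)
    isolated: bool = False


def expand_vlans(spec: str) -> Set[int]:
    """Expand a VLAN list such as '100 to 102 200 to 202 300' into a set."""
    vlans: Set[int] = set()
    tokens = spec.split()
    i = 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_ports(config: str) -> Dict[str, Port]:
    """Collect interface blocks; a bare '#' line ends a block in this format."""
    ports: Dict[str, Port] = {}
    current: Optional[Port] = None
    for raw in config.splitlines():
        line = raw.strip()
        match = re.match(r"^interface (\S+)$", line)
        if match:
            current = Port(match.group(1))
            ports[current.name] = current
        elif line == "#":
            current = None
        elif current is None:
            continue
        elif line.startswith("port link-type "):
            current.link_type = line.split()[-1]
        elif line.startswith("port trunk pvid vlan "):
            current.pvid = int(line.split()[-1])
        elif line.startswith("port trunk allow-pass vlan "):
            current.allowed |= expand_vlans(line[len("port trunk allow-pass vlan "):])
        elif line.startswith("port-isolate enable"):
            current.isolated = True
    return ports


def audit_ap_ports(config: str, mgmt_vlan: int, service_vlan: int) -> Dict[str, List[str]]:
    """Return {port: [problems]} for ports whose PVID is the management VLAN (uplinks have none)."""
    findings: Dict[str, List[str]] = {}
    for name, port in parse_ports(config).items():
        if port.pvid != mgmt_vlan:
            continue
        problems: List[str] = []
        if port.link_type != "trunk":
            problems.append("link type is not trunk")
        missing = sorted({mgmt_vlan, service_vlan} - port.allowed)
        if missing:
            problems.append("VLANs not allowed: " + ", ".join(map(str, missing)))
        if not port.isolated:
            problems.append("port isolation disabled")
        findings[name] = problems
    return findings


# Constructed sample modelled on the S5700-1 configuration in Step 1; GE0/0/3 is
# deliberately broken: management VLAN 10 is not allowed and isolation is off.
SAMPLE_S5700_1 = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk allow-pass vlan 10 101
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 10 101
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 10
 port trunk allow-pass vlan 101
#
"""
```

Running audit_ap_ports(SAMPLE_S5700_1, 10, 101) reports GE0/0/2 as clean and flags GE0/0/3 for the missing management VLAN and disabled isolation; the uplink GE0/0/1 is skipped because it has no PVID.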

Step 2 Configure the S9700 as a DHCP server to assign IP addresses to APs and STAs.

# Configure the S9700 to assign IP addresses to the STAs and APs from the global
address pool.
[S9700] dhcp enable
[S9700] interface vlanif 10 //Configure a global address pool to assign IP addresses to AP101 and AP102.
[S9700-Vlanif10] description manage_ap1
[S9700-Vlanif10] ip address 10.23.10.1 24
[S9700-Vlanif10] dhcp select global
[S9700-Vlanif10] quit
[S9700] ip pool manage_ap1
[S9700-ip-pool-manage_ap1] gateway-list 10.23.10.1
[S9700-ip-pool-manage_ap1] network 10.23.10.0 mask 255.255.255.0
[S9700-ip-pool-manage_ap1] option 43 sub-option 2 ip-address 10.23.100.1 //Since a Layer 3 network is
deployed between the AC and APs, configure Option43 to advertise the AC's IP address to APs.
[S9700-ip-pool-manage_ap1] quit
[S9700] interface vlanif 20 //Configure a global address pool to assign IP addresses to AP201 and AP202.
[S9700-Vlanif20] description manage_ap2
[S9700-Vlanif20] ip address 10.23.20.1 24
[S9700-Vlanif20] dhcp select global
[S9700-Vlanif20] quit
[S9700] ip pool manage_ap2
[S9700-ip-pool-manage_ap2] gateway-list 10.23.20.1
[S9700-ip-pool-manage_ap2] network 10.23.20.0 mask 255.255.255.0
[S9700-ip-pool-manage_ap2] option 43 sub-option 2 ip-address 10.23.100.1 //Since a Layer 3 network is
deployed between the AC and APs, configure Option43 to advertise the AC's IP address to the APs.
[S9700-ip-pool-manage_ap2] quit
[S9700] interface vlanif 101 //Configure a global IP address pool to assign IP addresses to STAs connected
to AP101 and AP102.
[S9700-Vlanif101] description manage_area1_sta
[S9700-Vlanif101] ip address 10.23.101.1 24
[S9700-Vlanif101] dhcp select global
[S9700-Vlanif101] quit
[S9700] ip pool manage_area1_sta
[S9700-ip-pool-manage_area1_sta] gateway-list 10.23.101.1
[S9700-ip-pool-manage_area1_sta] network 10.23.101.0 mask 255.255.255.0
[S9700-ip-pool-manage_area1_sta] quit
[S9700] interface vlanif 102 //Configure a global IP address pool to assign IP addresses to STAs connected
to AP201 and AP202.
[S9700-Vlanif102] description manage_area2_sta
[S9700-Vlanif102] ip address 10.23.102.1 24
[S9700-Vlanif102] dhcp select global
[S9700-Vlanif102] quit
[S9700] ip pool manage_area2_sta
[S9700-ip-pool-manage_area2_sta] gateway-list 10.23.102.1
[S9700-ip-pool-manage_area2_sta] network 10.23.102.0 mask 255.255.255.0
[S9700-ip-pool-manage_area2_sta] quit

# Configure a default route to the S9700 on the AC.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.100.10

Step 3 Configure a RADIUS server template, configure authentication, accounting, and
authorization in the template, and configure Portal authentication.

# Configure a RADIUS server template on the AC, and configure authentication,
accounting, and authorization in the template.
[AC] radius-server template radius1 //Create the RADIUS server template radius1.
[AC-radius-radius1] radius-server authentication 10.23.30.1 1812 source ip-address 10.23.100.1 weight
80 //Configure the active RADIUS authentication server 1 and authentication port 1812. The AC uses the
IP address 10.23.100.1 to communicate with the active RADIUS authentication server 1.
[AC-radius-radius1] radius-server authentication 10.23.30.2 1812 source ip-address 10.23.100.1 weight
80 //Configure the active RADIUS authentication server 2 and authentication port 1812. The AC uses the
IP address 10.23.100.1 to communicate with the active RADIUS authentication server 2.
[AC-radius-radius1] radius-server authentication 10.23.30.3 1812 source ip-address 10.23.100.1 weight
20 //Configure the standby RADIUS authentication server, with the weight value lower than the active
authentication server. Set the authentication port number to 1812. The AC uses the IP address 10.23.100.1
to communicate with the standby RADIUS authentication server.
[AC-radius-radius1] radius-server accounting 10.23.30.1 1813 source ip-address 10.23.100.1 weight
80 //Configure the active RADIUS accounting server 1 to collect user login and logout information and set
the accounting port number to 1813. The AC uses the IP address 10.23.100.1 to communicate with the
active RADIUS accounting server 1.
[AC-radius-radius1] radius-server accounting 10.23.30.2 1813 source ip-address 10.23.100.1 weight
80 //Configure the active RADIUS accounting server 2 to collect user login and logout information and set
the accounting port number to 1813. The AC uses the IP address 10.23.100.1 to communicate with the
active RADIUS accounting server 2.
[AC-radius-radius1] radius-server accounting 10.23.30.3 1813 source ip-address 10.23.100.1 weight
20 //Configure the standby RADIUS accounting server, with the weight value lower than the active
accounting server. Set the accounting port number to 1813. The AC uses the IP address 10.23.100.1 to
communicate with the standby RADIUS accounting server.
[AC-radius-radius1] radius-server shared-key cipher YsHsjx_202206 //Configure the shared key for the
RADIUS server.
[AC-radius-radius1] radius-server detect-server interval 30 //Set the RADIUS automatic detection
interval to 30s. The default value is 60s.
[AC-radius-radius1] quit
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme radius1.
[AC-aaa-authen-radius1] authentication-mode radius //If the Controller functions as the RADIUS server,
the authentication mode must be set to RADIUS.
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1 //Create the accounting scheme radius1.
[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to RADIUS. To facilitate
account status information maintenance on the RADIUS server, including the login and logout information,
and forced logout information, the accounting mode must be set to radius.
[AC-aaa-accounting-radius1] accounting realtime 15 //Enable real-time accounting and set the
accounting interval to 15 minutes. By default, real-time accounting is disabled.
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1 //Create the domain portal1.
[AC-aaa-domain-portal1] authentication-scheme radius1 //Bind the authentication scheme radius1.
[AC-aaa-domain-portal1] accounting-scheme radius1 //Bind the accounting scheme radius1.
[AC-aaa-domain-portal1] radius-server radius1 //Bind the RADIUS server template radius1.
[AC-aaa-domain-portal1] quit
[AC-aaa] quit

# Configure a Portal server template for each of the three Controllers.
[AC] web-auth-server portal1 //Create the Portal server template portal1 for Controller1.
[AC-web-auth-server-portal1] server-ip 10.23.30.1 //Configure an IP address for the Portal server.
[AC-web-auth-server-portal1] port 50100 //Set the destination port number used by the device to send
packets to the Portal server to 50100 (default setting).
[AC-web-auth-server-portal1] shared-key cipher YsHsjx_202206 //Configure the shared key for message
exchange between the AC and Portal server.
[AC-web-auth-server-portal1] url http://10.23.30.1:8080/portal //Configure the URL to the Portal server.
[AC-web-auth-server-portal1] server-detect interval 30 action log //Enable Portal server detection at a
30s interval (the default is 60s) and record a log when the Portal server status changes.
[AC-web-auth-server-portal1] quit
[AC] web-auth-server portal2 //Create the Portal server template portal2 for Controller2.
[AC-web-auth-server-portal2] server-ip 10.23.30.2
[AC-web-auth-server-portal2] port 50100
[AC-web-auth-server-portal2] shared-key cipher YsHsjx_202206
[AC-web-auth-server-portal2] url http://10.23.30.2:8080/portal
[AC-web-auth-server-portal2] server-detect interval 30 action log
[AC-web-auth-server-portal2] quit
[AC] web-auth-server portal3 //Create the Portal server template portal3 for Controller3.
[AC-web-auth-server-portal3] server-ip 10.23.30.3
[AC-web-auth-server-portal3] port 50100
[AC-web-auth-server-portal3] shared-key cipher YsHsjx_202206
[AC-web-auth-server-portal3] url http://10.23.30.3:8080/portal
[AC-web-auth-server-portal3] server-detect interval 30 action log
[AC-web-auth-server-portal3] quit

# Bind the Portal server templates to service VLANIF interfaces to enable Portal
authentication.
[AC] vlan batch 101 102
[AC] interface vlanif 101
[AC-Vlanif101] domain name portal1 force //Configure the forcible user domain portal1.
[AC-Vlanif101] domain name portal1 //Configure the default user domain portal1.
[AC-Vlanif101] authentication portal //Configure Portal authentication.
[AC-Vlanif101] web-auth-server portal1 portal3 layer3 //Bind the Portal server templates portal1 and
portal3.
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] domain name portal1 force
[AC-Vlanif102] domain name portal1
[AC-Vlanif102] authentication portal
[AC-Vlanif102] web-auth-server portal2 portal3 layer3
[AC-Vlanif102] quit

Step 4 Configure AC system parameters.

# Configure the AC's country code.
[AC] wlan ac-global country-code cn //Configure the AC country code. Radio features of APs managed by
the AC must conform to local laws and regulations. The default country code is CN.
Warning: Modifying the country code will clear channel configurations of the AP radio using the country
code and reset the AP. If the new country code does not support the radio, all configurations of the radio
are cleared. Continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100
[AC] wlan

Step 5 Manage the APs on the AC.

# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default
setting). Add the APs offline according to the obtained AP type IDs.
[AC-wlan-view] ap id 101 type-id 19 mac 00e0-fc76-e320 //Add the AP6010DN-AGN offline with the
MAC address 00e0-fc76-e320 and AP ID 101.
[AC-wlan-ap-101] quit
[AC-wlan-view] ap id 102 type-id 19 mac 00e0-fc76-e340 //Add the AP6010DN-AGN offline with the
MAC address 00e0-fc76-e340 and AP ID 102.
[AC-wlan-ap-102] quit
[AC-wlan-view] ap id 201 type-id 19 mac 00e0-fc76-e360 //Add the AP6010DN-AGN offline with the
MAC address 00e0-fc76-e360 and AP ID 201.
[AC-wlan-ap-201] quit
[AC-wlan-view] ap id 202 type-id 19 mac 00e0-fc76-e380 //Add the AP6010DN-AGN offline with the
MAC address 00e0-fc76-e380 and AP ID 202.
[AC-wlan-ap-202] quit

# Configure AP regions and add the APs to the AP regions.
[AC-wlan-view] ap-region id 1 //Create AP region1 and add APs in area1 to AP region 1.
[AC-wlan-ap-region-1] ap-region-name area1 //Name the AP region1 area1.
[AC-wlan-ap-region-1] quit
[AC-wlan-view] ap id 101
[AC-wlan-ap-101] region-id 1 //Add AP 101 to AP region1.
[AC-wlan-ap-101] quit
[AC-wlan-view] ap id 102
[AC-wlan-ap-102] region-id 1
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-region id 2 //Create AP region2 and add APs in area2 to AP region 2.
[AC-wlan-ap-region-2] ap-region-name area2
[AC-wlan-ap-region-2] quit
[AC-wlan-view] ap id 201
[AC-wlan-ap-201] region-id 2
[AC-wlan-ap-201] quit
[AC-wlan-view] ap id 202
[AC-wlan-ap-202] region-id 2
[AC-wlan-ap-202] quit

# Power on the APs and run the display ap all command to check the AP state. If
the AP State field displays as normal, the APs have gone online.
[AC-wlan-view] display ap all
All AP(s) information:
Normal[4],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID AP Type AP MAC Profile/Region ID AP State AP Sysname
------------------------------------------------------------------------------
101 AP6010DN-AGN 00e0-fc76-e320 0/1 normal ap-101
102 AP6010DN-AGN 00e0-fc76-e340 0/1 normal ap-102
201 AP6010DN-AGN 00e0-fc76-e360 0/2 normal ap-201
202 AP6010DN-AGN 00e0-fc76-e380 0/2 normal ap-202
------------------------------------------------------------------------------
Total number: 4,printed: 4

Step 6 Configure WLAN service parameters.

# Create the WMM profile wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create the radio profile radio and bind the WMM profile wmm to the radio
profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] power-mode fixed //Set the power mode of the radio to fixed.
[AC-wlan-radio-prof-radio] channel-mode fixed //Set the channel mode of the radio to fixed.
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1 and WLAN-ESS interface 2.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101 102 //Configure the wlan-ess interface to allow packets
from wireless service VLANs to pass through, which is one of the prerequisites for intra-AC roaming.
[AC-Wlan-Ess1] quit
[AC] interface wlan-ess 2
[AC-Wlan-Ess2] port trunk allow-pass vlan 101 102
[AC-Wlan-Ess2] quit

# Create the security profile security.
[AC] wlan
[AC-wlan-view] security-profile name security id 1 //Portal authentication has been enabled on the
interface. Set the security policy to OPEN (default setting), that is, no authentication and no encryption.
[AC-wlan-sec-prof-security] quit

# Create the traffic profile traffic.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create service sets area1 and area2, and bind the service VLANs, WLAN-ESS
interfaces, security profile, and traffic profile to the service sets. Set the forwarding
mode to direct forwarding.
[AC-wlan-view] service-set name area1 id 1 //Create the service set area1.
[AC-wlan-service-set-area1] ssid city-wlan //Set the SSID to city-wlan.
[AC-wlan-service-set-area1] wlan-ess 1 //Bind the WLAN-ESS interface.
[AC-wlan-service-set-area1] security-profile name security //Bind the security profile security.
[AC-wlan-service-set-area1] traffic-profile name traffic //Bind the traffic profile traffic.
[AC-wlan-service-set-area1] service-vlan 101 //Bind the service VLAN 101.
[AC-wlan-service-set-area1] forward-mode direct-forward //Set the forwarding mode to direct
forwarding (default setting).
[AC-wlan-service-set-area1] user-isolate //Configure Layer 2 isolation for users connected to the same VAP.
[AC-wlan-service-set-area1] quit
[AC-wlan-view] service-set name area2 id 2
[AC-wlan-service-set-area2] ssid city-wlan //Set the SSID to city-wlan. All service sets must be configured
with the same SSID, which is one of the prerequisites for intra-AC roaming.
[AC-wlan-service-set-area2] wlan-ess 2
[AC-wlan-service-set-area2] security-profile name security //Bind the security profile security. All service
sets must have the same security profile bound, which is one of the prerequisites for intra-AC roaming.
[AC-wlan-service-set-area2] traffic-profile name traffic
[AC-wlan-service-set-area2] service-vlan 102
[AC-wlan-service-set-area2] forward-mode direct-forward
[AC-wlan-service-set-area2] user-isolate
[AC-wlan-service-set-area2] quit

Step 7 Configure VAPs and deliver VAP parameters to the APs.

# Configure VAPs.
[AC-wlan-view] ap 101 radio 0 //Configure radio0 of the AP6010DN-AGN.
[AC-wlan-radio-101/0] radio-profile name radio //Bind the radio profile to the radio.
[AC-wlan-radio-101/0] service-set name area1 //Bind the service set to the radio. A VAP is generated after
the binding.
[AC-wlan-radio-101/0] channel 20mhz 1 //Configure the channel based on the planning result of the
WLAN Planner.
[AC-wlan-radio-101/0] power-level 10 //Configure the power based on the planning result of the WLAN
Planner.
[AC-wlan-radio-101/0] quit
[AC-wlan-view] ap 101 radio 1 //Configure radio1 of the AP6010DN-AGN.
[AC-wlan-radio-101/1] radio-profile name radio
[AC-wlan-radio-101/1] service-set name area1
[AC-wlan-radio-101/1] channel 20mhz 153
[AC-wlan-radio-101/1] power-level 10
[AC-wlan-radio-101/1] quit
[AC-wlan-view] ap 102 radio 0
[AC-wlan-radio-102/0] radio-profile name radio
[AC-wlan-radio-102/0] service-set name area1
[AC-wlan-radio-102/0] channel 20mhz 6
[AC-wlan-radio-102/0] power-level 10
[AC-wlan-radio-102/0] quit
[AC-wlan-view] ap 102 radio 1
[AC-wlan-radio-102/1] radio-profile name radio
[AC-wlan-radio-102/1] service-set name area1
[AC-wlan-radio-102/1] channel 20mhz 161
[AC-wlan-radio-102/1] power-level 10
[AC-wlan-radio-102/1] quit
[AC-wlan-view] ap 201 radio 0
[AC-wlan-radio-201/0] radio-profile name radio
[AC-wlan-radio-201/0] service-set name area2
[AC-wlan-radio-201/0] channel 20mhz 1
[AC-wlan-radio-201/0] power-level 10
[AC-wlan-radio-201/0] quit
[AC-wlan-view] ap 201 radio 1
[AC-wlan-radio-201/1] radio-profile name radio
[AC-wlan-radio-201/1] service-set name area2
[AC-wlan-radio-201/1] channel 20mhz 153
[AC-wlan-radio-201/1] power-level 10
[AC-wlan-radio-201/1] quit
[AC-wlan-view] ap 202 radio 0
[AC-wlan-radio-202/0] radio-profile name radio
[AC-wlan-radio-202/0] service-set name area2
[AC-wlan-radio-202/0] channel 20mhz 6
[AC-wlan-radio-202/0] power-level 10
[AC-wlan-radio-202/0] quit
[AC-wlan-view] ap 202 radio 1
[AC-wlan-radio-202/1] radio-profile name radio
[AC-wlan-radio-202/1] service-set name area2
[AC-wlan-radio-202/1] channel 20mhz 161
[AC-wlan-radio-202/1] power-level 10
[AC-wlan-radio-202/1] quit

# Deliver the configuration to the APs.
[AC-wlan-view] commit all //After the WLAN service configuration is complete on the AC, the
configuration takes effect after you deliver it to the APs.
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 8 Verify the configuration.

# After the configuration is complete, run the display vap all command. The
command output shows that VAPs have been created.
[AC-wlan-view] display vap all
All VAP Information(Total-8):
SS: Service-set BP: Bridge-profile MP: Mesh-profile
----------------------------------------------------------------------
AP ID Radio ID SS ID BP ID MP ID WLAN ID BSSID Type
----------------------------------------------------------------------
101 0 1 - - 1 00e0-fc76-e320 service
101 1 1 - - 1 00e0-fc76-e330 service
102 0 1 - - 1 00e0-fc76-e340 service
102 1 1 - - 1 00e0-fc76-e350 service
201 0 2 - - 1 00e0-fc76-e360 service
201 1 2 - - 1 00e0-fc76-e370 service
202 0 2 - - 1 00e0-fc76-e380 service
202 1 2 - - 1 00e0-fc76-e390 service
----------------------------------------------------------------------
Total: 8

# STAs discover the WLAN with the SSID city-wlan, associate with it, and obtain IP
addresses. Because the security profile is OPEN, access is controlled only by Portal
authentication: after a user passes authentication on the Portal page, the STA can access
the wireless network. Run the display station assoc-info command on the AC. The
command output shows that the STAs are connected to the WLAN city-wlan.
[AC-wlan-view] display station assoc-info all
AP/Rf/WLAN: AP ID/Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
STA MAC AP/Rf/WLAN Rx/Tx Mode RSSI IP address SSID
------------------------------------------------------------------------------
00e0-fcc7-1e08 101/0/1 6/11 11n -89 10.23.101.254 city-wlan
------------------------------------------------------------------------------
Total stations: 1

# STAs obtain IP addresses and connect to the network.

----End

Configuration Files
● S5700-1 configuration file
#
sysname S5700-1
#
vlan batch 10 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10 101
port-isolate enable group 1
#
return

● S5700-2 configuration file
#
sysname S5700-2
#
vlan batch 20 102
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 20
port trunk allow-pass vlan 20 102
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 20
port trunk allow-pass vlan 20 102
port-isolate enable group 1
#
return
● S9700 configuration file
#
sysname S9700
#
vlan batch 10 20 100 to 102 300
#
dhcp enable
#
ip pool manage_ap1
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.100.1
#
ip pool manage_ap2
gateway-list 10.23.20.1
network 10.23.20.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.100.1
#
ip pool manage_area1_sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool manage_area2_sta
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
#
interface Vlanif10
description manage_ap1
ip address 10.23.10.1 255.255.255.0
dhcp select global
#
interface Vlanif20
description manage_ap2
ip address 10.23.20.1 255.255.255.0
dhcp select global
#
interface Vlanif100
ip address 10.23.100.10 255.255.255.0
#
interface Vlanif101
description manage_area1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select global
#
interface Vlanif102
description manage_area2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select global
#
interface Vlanif300
ip address 10.23.30.10 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 101
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 300
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
interface GigabitEthernet1/0/5
eth-trunk 1
#
interface GigabitEthernet1/0/6
eth-trunk 1
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
wlan ac-global carrier id other ac id 1
#
radius-server template radius1
radius-server shared-key cipher %#%#8M.(7SIkd!~zHjCXjHv%}13$Y#:t3:m]N$G^9yn3%#%#
radius-server authentication 10.23.30.1 1812 source ip-address 10.23.100.1 weight 80
radius-server authentication 10.23.30.2 1812 source ip-address 10.23.100.1 weight 80
radius-server authentication 10.23.30.3 1812 source ip-address 10.23.100.1 weight 20
radius-server accounting 10.23.30.1 1813 source ip-address 10.23.100.1 weight 80
radius-server accounting 10.23.30.2 1813 source ip-address 10.23.100.1 weight 80
radius-server accounting 10.23.30.3 1813 source ip-address 10.23.100.1 weight 20
radius-server detect-server interval 30
#
web-auth-server portal1
server-ip 10.23.30.1
port 50100
shared-key cipher %#%#a^9$8KWl#+C4xc2}#BEQ4!ZIOciEV7$%dT'S/3JX%#%#
url http://10.23.30.1:8080/portal
server-detect interval 30 action log
#
web-auth-server portal2
server-ip 10.23.30.2
port 50100
shared-key cipher %#%#3'uk~,dhv>_!~;W!v6A3YiqL2UU|*4Q>{UH%Tw'A%#%#
url http://10.23.30.2:8080/portal
server-detect interval 30 action log
#
web-auth-server portal3
server-ip 10.23.30.3
port 50100
shared-key cipher %#%#un.DDNfj[X\.u3&zIya<P,3wBg'cEQFedz,DoIO"%#%#
url http://10.23.30.3:8080/portal
server-detect interval 30 action log
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface Vlanif101
web-auth-server portal1 portal3 layer3
domain name portal1 force
domain name portal1
authentication portal
#
interface Vlanif102
web-auth-server portal2 portal3 layer3
domain name portal1 force
domain name portal1
authentication portal
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2
eth-trunk 1
#
interface Wlan-Ess1
port trunk allow-pass vlan 101 to 102
#
interface Wlan-Ess2
port trunk allow-pass vlan 101 to 102
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.10
#
capwap source interface vlanif100
#
wlan
ap-region id 1
ap-region-name area1
ap-region id 2
ap-region-name area2
ap id 101 type-id 19 mac 00e0-fc76-e320
region-id 1
ap id 102 type-id 19 mac 00e0-fc76-e340
region-id 1
ap id 201 type-id 19 mac 00e0-fc76-e360
region-id 2
ap id 202 type-id 19 mac 00e0-fc76-e380
region-id 2
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
service-set name area1 id 1
wlan-ess 1
ssid city-wlan
user-isolate
traffic-profile id 1
security-profile id 1
service-vlan 101
service-set name area2 id 2
wlan-ess 2
ssid city-wlan
user-isolate
traffic-profile id 1
security-profile id 1
service-vlan 102
radio-profile name radio id 1
channel-mode fixed
power-mode fixed
wmm-profile id 1
ap 101 radio 0
radio-profile id 1
power-level 10
service-set id 1 wlan 1
ap 101 radio 1
radio-profile id 1
channel 20MHz 153
power-level 10
service-set id 1 wlan 1
ap 102 radio 0
radio-profile id 1
channel 20MHz 6
power-level 10
service-set id 1 wlan 1
ap 102 radio 1
radio-profile id 1
channel 20MHz 161
power-level 10
service-set id 1 wlan 1
ap 201 radio 0
radio-profile id 1
power-level 10
service-set id 2 wlan 1
ap 201 radio 1
radio-profile id 1
channel 20MHz 153
power-level 10
service-set id 2 wlan 1
ap 202 radio 0
radio-profile id 1
channel 20MHz 6
power-level 10
service-set id 2 wlan 1
ap 202 radio 1
radio-profile id 1
channel 20MHz 161
power-level 10
service-set id 2 wlan 1
#
return
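The AC configuration file above is what an operator actually reviews before a change window, and the settings that matter for security are spread over several blocks. The following Python script is an added example and is not part of the Huawei guide: it splits a Huawei-style configuration file into its "#"-delimited blocks and flags the points a reviewer of this design looks for: a Portal URL served over plain http:// (the login page and the user's credentials then travel in cleartext), a Portal template without shared-key or server-detect, a RADIUS template without detect-server, a VLANIF with authentication portal but no bound web-auth-server, and a service set without user-isolate. The embedded configuration is a constructed, trimmed variant of the page's AC file in which some of those settings are deliberately missing so that the checks fire; the check names and messages are the script's own wording, not Huawei terminology.

```python
import re

# Constructed sample: a trimmed variant of the page's AC configuration file in which
# some settings have been deliberately left out so that the checks below fire.
SAMPLE_AC_CONFIG = """\
sysname AC
#
radius-server template radius1
 radius-server shared-key cipher %#%#8M.(7SIkd!~zHjCXjHv%}13$Y#:t3:m]N$G^9yn3%#%#
 radius-server authentication 10.23.30.1 1812 source ip-address 10.23.100.1 weight 80
 radius-server authentication 10.23.30.3 1812 source ip-address 10.23.100.1 weight 20
 radius-server detect-server interval 30
#
web-auth-server portal1
 server-ip 10.23.30.1
 port 50100
 shared-key cipher %#%#a^9$8KWl#+C4xc2}#BEQ4!ZIOciEV7$%dT'S/3JX%#%#
 url http://10.23.30.1:8080/portal
 server-detect interval 30 action log
#
web-auth-server portal2
 server-ip 10.23.30.2
 port 50100
 url https://10.23.30.2:8443/portal
#
interface Vlanif101
 web-auth-server portal1 portal2 layer3
 domain name portal1 force
 domain name portal1
 authentication portal
#
interface Vlanif102
 domain name portal1 force
 domain name portal1
 authentication portal
#
wlan
 security-profile name security id 1
 service-set name area1 id 1
  wlan-ess 1
  ssid city-wlan
  user-isolate
  traffic-profile id 1
  security-profile id 1
  service-vlan 101
 service-set name area2 id 2
  wlan-ess 2
  ssid city-wlan
  traffic-profile id 1
  security-profile id 1
  service-vlan 102
 radio-profile name radio id 1
  channel-mode fixed
#
return
"""

# Lines that open a new top-level object inside the wlan block (indentation is lost
# in extracted files, so grouping has to rely on the command keywords themselves).
TOP_LEVEL_IN_WLAN = re.compile(
    r"^(ap id |ap-region id |ap \d+ radio |(security|traffic|wmm|radio)-profile name )")


def split_blocks(text):
    """Split a Huawei-style configuration file into its '#'-delimited blocks.
    Each block is a list of stripped lines; the first line names the object."""
    blocks, cur = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if cur:
                blocks.append(cur)
            cur = []
        elif line and line != "return":
            cur.append(line)
    if cur:
        blocks.append(cur)
    return blocks


def service_sets(wlan_block):
    """Group the flat wlan block into {service-set name: [its own lines]}."""
    sets, cur = {}, None
    for line in wlan_block[1:]:
        m = re.match(r"service-set name (\S+)", line)
        if m:
            cur = sets.setdefault(m.group(1), [])
        elif TOP_LEVEL_IN_WLAN.match(line):
            cur = None                     # left the service-set subsection
        elif cur is not None:
            cur.append(line)
    return sets


def audit(text):
    """Return a list of human-readable findings for the configuration text."""
    findings = []
    for block in split_blocks(text):
        head, body = block[0], block[1:]
        words = head.split()
        if head.startswith("web-auth-server "):
            name = words[1]
            if any(l.startswith("url ") and l.split()[1].lower().startswith("http://") for l in body):
                findings.append(f"{name}: Portal URL uses http://, so the login page and credentials travel in cleartext")
            if not any(l.startswith("shared-key ") for l in body):
                findings.append(f"{name}: no shared-key, so Portal messages from the server are not authenticated")
            if not any(l.startswith("server-detect ") for l in body):
                findings.append(f"{name}: no server-detect, so a dead Portal server is never noticed or logged")
        elif head.startswith("radius-server template "):
            if not any(l.startswith("radius-server detect-server ") for l in body):
                findings.append(f"{words[2]}: no radius-server detect-server, so an unreachable server is only found when a real login times out")
        elif head.startswith("interface Vlanif"):
            if "authentication portal" in body and not any(l.startswith("web-auth-server ") for l in body):
                findings.append(f"{words[1]}: 'authentication portal' without a bound web-auth-server, so Portal authentication cannot take effect")
        elif head == "wlan":
            for name, lines in service_sets(block).items():
                if "user-isolate" not in lines:
                    findings.append(f"service-set {name}: no user-isolate, so STAs on the same VAP can reach each other at Layer 2")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_AC_CONFIG):
        print("WARN", finding)
```

Run against the page's real AC file, the script reports only the http:// Portal URLs; everything else in that file passes. The grouping in service_sets deliberately keys on the "name" form of the profile commands so that the "traffic-profile id 1" and "security-profile id 1" bindings inside a service set are not mistaken for new top-level profiles.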

3.11.5 Example for Configuring MAC Address Authentication on the Wireless Side
MAC Address Authentication on the Wireless Side Overview
MAC address authentication controls a user's network access rights based on their
interface and MAC address. The user does not need to install any client software.
The device starts authenticating a user when it first detects the user's MAC
address on the interface where MAC address authentication has been enabled.
During the authentication process, the user does not need to enter a user name or
password.
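Both the RADIUS template in Step 3 of the Portal example above (radius-server shared-key, ports 1812/1813, source address 10.23.100.1) and MAC address authentication described here rest on the same RADIUS exchange: the AC, acting as the NAS, sends an Access-Request whose User-Password attribute is hidden with MD5(shared key + Request Authenticator), and the server answers with an Access-Accept or Access-Reject carrying a Response Authenticator computed over the reply and the same shared key. The following Python script is an added example, not part of the Huawei guide, that builds and checks that exchange as specified in RFC 2865 and shows what the shared key actually buys: with a mismatched key the server cannot recover the password, and the AC refuses a reply whose authenticator was computed with the wrong key. The in-memory user table is constructed, the "server" is a function call rather than UDP port 1812, and sending the STA MAC 001122334455 as both user name and password models the usual MAC authentication default, which is an assumption here and is not shown on the page.

```python
import hashlib
import os
import struct

# Values taken from the page's RADIUS template; everything else below is constructed.
SHARED_KEY = b"YsHsjx_202206"
NAS_IP = "10.23.100.1"                       # 'source ip-address' in the template
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], pad))
        out += prev
    return out


def reveal_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; yields garbage if the secret is wrong."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def encode_attrs(attrs) -> bytes:
    """Type-Length-Value attributes; Length covers the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> dict:
    attrs, i = {}, 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        attrs[t] = data[i + 2:i + length]
        i += length
    return attrs


def packet(code: int, ident: int, authenticator: bytes, attr_bytes: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attr_bytes)) + authenticator + attr_bytes


def access_request(username: str, password: str, secret: bytes, ident: int = 7) -> bytes:
    """What the AC (NAS) sends to the authentication server on port 1812."""
    req_auth = os.urandom(16)                # must be unpredictable for every request
    attrs = encode_attrs([
        (USER_NAME, username.encode()),
        (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))),
    ])
    return packet(ACCESS_REQUEST, ident, req_auth, attrs)


def response_authenticator(code, ident, req_auth, attr_bytes, secret) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attr_bytes))
    return hashlib.md5(header + req_auth + attr_bytes + secret).digest()


def radius_server(request: bytes, secret: bytes, users: dict) -> bytes:
    """Stand-in for the RADIUS server: recover the password, decide, sign the reply."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    req_auth, attrs = request[4:20], decode_attrs(request[20:length])
    user = attrs[USER_NAME].decode(errors="replace")
    pw = reveal_password(attrs[USER_PASSWORD], secret, req_auth)
    ok = code == ACCESS_REQUEST and users.get(user, "").encode() == pw
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(reply, ident, response_authenticator(reply, ident, req_auth, b"", secret), b"")


def nas_verify(request: bytes, response: bytes, secret: bytes):
    """AC side: accept the reply only if its authenticator proves the server holds the key.
    Returns the reply code, or None if the identifier or authenticator does not match."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1]:
        return None
    expected = response_authenticator(code, ident, request[4:20], response[20:length], secret)
    return code if expected == response[4:20] else None


def authenticate(username, password, users, nas_key=SHARED_KEY, server_key=SHARED_KEY):
    """One round trip: ACCESS_ACCEPT, ACCESS_REJECT, or None when the reply fails verification."""
    req = access_request(username, password, nas_key)
    return nas_verify(req, radius_server(req, server_key, users), nas_key)


if __name__ == "__main__":
    USERS = {"alice": "Portal-Pass1", "001122334455": "001122334455"}   # constructed
    print(authenticate("alice", "Portal-Pass1", USERS))                 # 2: Access-Accept
    print(authenticate("001122334455", "001122334455", USERS))          # 2: MAC as user name and password
    print(authenticate("alice", "wrong", USERS))                        # 3: Access-Reject
    print(authenticate("alice", "Portal-Pass1", USERS, server_key=b"other"))  # None: key mismatch
```

Two things the script makes visible that the CLI hides: the password hiding is an MD5 keystream, not encryption in any modern sense, so the RADIUS path between the AC and the servers on VLAN 300 still needs to be a trusted network; and the Response Authenticator is the only thing that stops a forged Access-Accept, which is why the same shared key must be configured on every server in the template, including the weight-20 standby.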

Configuration Notes
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network or APs. Service packets and
management packets can be forwarded normally only if the network
between the AC and APs is added to the management VLAN and the
network between the AC and upper-layer network is added to the service
VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network or
APs. Service packets and management packets can be forwarded
normally only if the network between the AC and APs is added to the
management VLAN and the network between APs and upper-layer
network is added to the service VLAN.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● The following table lists applicable products and versions.

Table 3-53 Applicable products and versions

Software Version: V200R005C00
Product Model: S7700, S9700
AP Model and Version: V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN,
AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN,
AP7110SN-GN

Software Version: V200R006C00
Product Model: S5720-HI, S7700, S9700
AP Model and Version: V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN,
AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN,
AP7110SN-GN

Software Version: V200R007C00
Product Model: S5720-HI, S7700, S9700
AP Model and Version: V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN,
AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN,
AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN

Software Version: V200R008C00
Product Model: S5720-HI, S7700, S9700
AP Model and Version: V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN,
AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN,
AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN; V200R005C30: AP2030DN,
AP4030DN, AP4130DN

NOTE

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.

Networking Requirements
As shown in Figure 3-144, the enterprise's AC connects to the egress gateway
(Router) and RADIUS server, and connects to the AP through SwitchA. The WLAN
with the SSID of test is available for wireless users and terminals to access
network resources. The gateway also functions as a DHCP server to provide IP
addresses on the 10.10.10.0/24 network segment for STAs, which are managed by
the AC.
The WLAN authentication client cannot be installed on wireless devices providing
public services, such as wireless printers and phones. For these devices, use MAC
address authentication. The RADIUS server authenticates wireless devices using
their MAC addresses. No authentication is required when STAs access the WLAN,
facilitating the use of WLAN services.

Figure 3-144 Networking diagram for configuring MAC address authentication on the wireless side

Data Planning

Table 3-54 Data planning

WLAN service: open system authentication + non-encryption
Management VLAN: VLAN 100
Service VLAN: VLAN 101
Source interface on the AC: VLANIF 100: 192.168.10.1/24
AC carrier ID/AC ID: Other/1
AP region ID: 10
Service set:
● SSID: test
● Data forwarding mode: tunnel forwarding
SwitchA VLAN: VLAN 100
DHCP server:
● IP addresses that the AC assigns to APs: 192.168.10.2 to 192.168.10.254/24
● IP addresses that Router assigns to STAs: 10.10.10.2 to 10.10.10.254/24
Gateway for the AP: VLANIF 100: 192.168.10.1/24
Gateway for STAs: VLANIF 101: 10.10.10.1/24
RADIUS authentication parameters:
● IP address: 10.12.10.1
● Port number: 1812
● Shared key: YsHsjx_202206
● AAA domain: huawei.com
MAC address of a STA: 0011-2233-4455

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure WLAN basic services so that STAs can access the WLAN. This
example uses default configurations.
2. Configure a RADIUS server template and apply it to an AAA domain.
3. Configure MAC address authentication on the WLAN-ESS interface to
authenticate STAs.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP and GE0/0/2 that connects
SwitchA to the AC to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.

# Configure VLANIF 101 (service VLAN), VLANIF 102, and VLANIF 103.
[AC] vlan batch 101 102 103
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.10.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.11.10.2 24
[AC-Vlanif102] quit
[AC] interface vlanif 103
[AC-Vlanif103] ip address 10.12.10.2 24
[AC-Vlanif103] quit

# Add GE1/0/2 that connects the AC to the Router to VLAN 102.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/2] quit

# Add GE1/0/3 that connects the AC to the RADIUS server to VLAN 103.
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
[AC-GigabitEthernet1/0/3] quit

# On the AC, configure a static route.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.11.10.1

Step 3 Configure the AC to assign an IP address to the AP and configure the Router to
assign IP addresses to STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address
pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent and enable user entry detection on
the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.11.10.1 //Set the DHCP server address for DHCP relay to
10.11.10.1, which resides on Router.
[AC-Vlanif101] quit

# Configure the Router as a DHCP server to assign IP addresses to STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta //Configure the address pool to assign IP addresses to STAs.
[Router-ip-pool-sta] gateway-list 10.10.10.1
[Router-ip-pool-sta] network 10.10.10.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.11.10.1 24
[Router-Vlanif102] dhcp select global //Configure a global address pool.
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.10.10.0 24 10.11.10.2 //Configure a route on the Router destined for the
network segment 10.10.10.0/24.

Step 4 Configure RADIUS authentication.

1. Configure a RADIUS server template, an AAA authentication scheme, and
domain information.
NOTE
The STA sends its MAC address as the user name to the RADIUS server for
authentication, so the AC needs to be disabled from adding a domain name to the
user name (default setting).
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.12.10.1 1812
[AC-radius-radius_huawei] radius-server shared-key cipher YsHsjx_202206
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

2. Globally configure user names in MAC address authentication without the
delimiter "-" (default setting).
3. Test whether a STA can be authenticated using RADIUS authentication. In
MAC address authentication, a STA's MAC address is used as the user name
and password.
[AC] test-aaa 001122334455 001122334455 radius-template radius_huawei
Info: Account test succeed.
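What the test-aaa command above exercises on the wire, as an added example that is not part of the Huawei guide: the RADIUS PAP Access-Request for the STA (user name and password are both the MAC with the "-" delimiter removed) and the shared-key check the AC applies to the reply. The NAS-IP-Address 10.12.10.2 and the exact attribute set are assumptions; the sample packets are constructed offline.

```python
"""RADIUS PAP exchange behind MAC address authentication (RFC 2865).

Added example, not part of the Huawei guide: it builds the Access-Request the
AC's test-aaa command sends for STA 0011-2233-4455 to 10.12.10.1:1812 and
applies the check the AC makes on the reply. The NAS-IP-Address 10.12.10.2
(the AC's VLANIF 103) and the attribute set are assumptions; the Request
Authenticator is drawn from os.urandom as a real client would.
"""
import hashlib
import hmac
import os
import struct

SHARED_KEY = b"YsHsjx_202206"  # radius-server shared-key from the data plan
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP, ATTR_CALLING_STATION = 1, 2, 4, 31


def mac_to_username(mac: str) -> str:
    """Default AC behaviour: the STA MAC with the '-' delimiter removed."""
    digits = mac.replace("-", "").replace(":", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def encode_pap_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks and XOR each with an MD5 chain keyed by the secret."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], mask))
        out += prev
    return out


def decode_pap_password(encoded: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of encode_pap_password, as the server applies it."""
    out, prev = b"", request_auth
    for i in range(0, len(encoded), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], mask))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type, Length (value plus the 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(mac: str, ident: int, request_auth: bytes,
                         nas_ip: str = "10.12.10.2") -> bytes:
    """Access-Request for a MAC-authenticated STA: user name and password are both the MAC."""
    user = mac_to_username(mac).encode()
    attrs = (attr(ATTR_USER_NAME, user)
             + attr(ATTR_USER_PASSWORD, encode_pap_password(user, SHARED_KEY, request_auth))
             + attr(ATTR_NAS_IP, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_CALLING_STATION, mac.encode()))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes, request_auth: bytes,
                           secret: bytes = SHARED_KEY) -> bytes:
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_response(code: int, request: bytes, attrs: bytes = b"",
                   secret: bytes = SHARED_KEY) -> bytes:
    """A server's reply; passing a wrong secret models a host that does not hold the key."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs


def reply_is_authentic(reply: bytes, request: bytes) -> bool:
    """The AC's check: identifier matches and the Response Authenticator verifies under the key."""
    if len(reply) < 20 or len(request) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, reply[20:], request[4:20])
    return hmac.compare_digest(reply[4:20], expected)


if __name__ == "__main__":
    request = build_access_request("0011-2233-4455", ident=7, request_auth=os.urandom(16))
    accept = build_response(ACCESS_ACCEPT, request)
    print("Access-Accept from the key holder verified:", reply_is_authentic(accept, request))
    # A reply produced without the shared key fails the check and is dropped by the NAS.
    spoofed = build_response(ACCESS_ACCEPT, request, secret=b"not-the-key")
    print("Access-Accept without the key verified:", reply_is_authentic(spoofed, request))
```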

Step 5 Configure AC system parameters.

# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 6 Manage the AP on the AC.

# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default
setting). Add the AP offline based on the AP type ID. Assume that the AP type is
AP6010DN-AGN, and the MAC address of the AP is 00e0-fc11-1111.
[AC-wlan-view] ap id 0 type-id 19 mac 00e0-fc11-1111
[AC-wlan-ap-0] quit

# Configure an AP region and add the AP to the AP region.
[AC-wlan-view] ap-region id 10 //Create AP region 10.
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10 //Add AP to region 10.
[AC-wlan-ap-0] quit

# Power on the APs and run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information: Normal[1],Fault[0],Commit-
failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
0 AP6010DN-AGN 00e0-fc11-1111 0/10 normal ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1

Step 7 Configure WLAN service parameters.

# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security open
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID name to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service set to 101. The default value
is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the forwarding mode to tunnel forwarding.
[AC-wlan-service-set-test] quit

Step 8 Configure MAC address authentication on the WLAN-ESS interface.
[AC-wlan-view] quit
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] authentication mac-authen
[AC-Wlan-Ess1] domain name huawei.com force
[AC-Wlan-Ess1] permit-domain name huawei.com
[AC-Wlan-Ess1] quit
[AC] wlan

Step 9 Configure a VAP and deliver VAP parameters to the AP.

# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio //Bind the radio template to a radio.
[AC-wlan-radio-0/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-0/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption, continue?[Y/N]y

Step 10 Verify the configuration.

● The WLAN with SSID test is available for STAs connected to the AP.
● After the WLAN function is enabled on wireless devices, they can access the
WLAN and provide public services.
● After the STA connects to the WLAN, authentication is performed
automatically. You can then directly access the WLAN.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return
● Router configuration file
#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.11.10.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.10.10.0 255.255.255.0 10.11.10.2
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 103
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius_huawei
radius-server authentication 10.12.10.1 1812 weight 80
radius-server shared-key cipher %@%@hH67%f}f8X"AE&Pw`wS~{:;0%@%@
undo radius-server user-name domain-included
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.11.10.1
#
interface Vlanif102
ip address 10.11.10.2 255.255.255.0
#
interface Vlanif103
ip address 10.12.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 103
#
interface WLAN-ESS1
port trunk allow-pass vlan 101
authentication mac-authen
permit-domain name huawei.com
domain name huawei.com force
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 00e0-fc11-1111 sn 210235419610CB002287
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security open
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

3.11.6 Example for Configuring Portal Authentication on the Wireless Side
Portal Authentication on the Wireless Side Overview
Portal authentication, also known as web authentication, uses a Portal website to
authenticate users when they go online. The users can use network resources only
after they pass the authentication.

A user can access a known Portal authentication website and enter a user name
and password for authentication. This mode is called active authentication. If a
user attempts to access other external networks through HTTP, the device forcibly
redirects the user to the Portal authentication website. This mode is called forcible
authentication.

Configuration Notes
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network or APs. Service packets and
management packets can be forwarded normally only if the network
between the AC and APs is added to the management VLAN and the
network between the AC and upper-layer network is added to the service
VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network or
APs. Service packets and management packets can be forwarded
normally only if the network between the AC and APs is added to the
management VLAN and the network between APs and upper-layer
network is added to the service VLAN.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● The following table lists applicable products and versions.

Table 3-55 Applicable products and versions

Software Version  Product Model            AP Model and Version

V200R005C00       S7700, S9700             V200R005C00: AP2010DN, AP3010DN-AGN,
                                           AP5010DN-AGN, AP5010SN-GN, AP5030DN,
                                           AP5130DN, AP6010SN-GN, AP6010DN-AGN,
                                           AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN,
                                           AP7110DN-AGN, AP7110SN-GN

V200R006C00       S5720-HI, S7700, S9700   V200R005C00: AP2010DN, AP3010DN-AGN,
                                           AP5010DN-AGN, AP5010SN-GN, AP5030DN,
                                           AP5130DN, AP6010SN-GN, AP6010DN-AGN,
                                           AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN,
                                           AP7110DN-AGN, AP7110SN-GN

V200R007C00       S5720-HI, S7700, S9700   V200R005C10: AP2010DN, AP3010DN-AGN,
                                           AP5010DN-AGN, AP5010SN-GN, AP5030DN,
                                           AP5130DN, AP6010SN-GN, AP6010DN-AGN,
                                           AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN,
                                           AP7110DN-AGN, AP7110SN-GN, AP8030DN,
                                           AP8130DN
                                           V200R005C20: AP7030DE, AP9330DN

V200R008C00       S5720-HI, S7700, S9700   V200R005C10: AP2010DN, AP3010DN-AGN,
                                           AP5010DN-AGN, AP5010SN-GN, AP5030DN,
                                           AP5130DN, AP6010SN-GN, AP6010DN-AGN,
                                           AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN,
                                           AP7110DN-AGN, AP7110SN-GN, AP8030DN,
                                           AP8130DN
                                           V200R005C20: AP7030DE, AP9330DN
                                           V200R005C30: AP2030DN, AP4030DN, AP4130DN

NOTE

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.
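A check for the constraints listed in the Configuration Notes, as an added example that is not from the Huawei guide: it parses an AC configuration file in the format of the Configuration Files listings and flags a tunnel-forwarding service set whose service VLAN equals the management VLAN, a service set with an open security profile whose WLAN-ESS interface carries no authentication command, and a RADIUS template without a shared key. It assumes the management VLAN is the VLANIF named in wlan ac source interface; the sample configuration is constructed.

```python
"""Audit an AC configuration file against the constraints in the Configuration Notes.

Added example, not part of the Huawei guide. It parses the running-config
format of the "Configuration Files" listings (one space per nesting level,
'#' between sections). Assumption: the management VLAN is the VLANIF named in
`wlan ac source interface`. SAMPLE_CONFIG is constructed for the demonstration.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
#
radius-server template radius_huawei
 radius-server authentication 10.12.10.1 1812 weight 80
 radius-server shared-key cipher PLACEHOLDER-CIPHERTEXT
#
interface WLAN-ESS1
 port trunk allow-pass vlan 101
 authentication mac-authen
 domain name huawei.com force
#
interface WLAN-ESS2
 port trunk allow-pass vlan 100
#
wlan
 wlan ac source interface vlanif100
 security-profile name security id 1
  security open
 service-set name test id 1
  forward-mode tunnel
  wlan-ess 1
  security-profile id 1
  service-vlan 101
 service-set name guest id 2
  forward-mode tunnel
  wlan-ess 2
  security-profile id 1
  service-vlan 100
#
return
"""


def parse_blocks(text: str) -> List[Tuple[str, List[str]]]:
    """Group lines under the preceding unindented command, stripping one indent level."""
    blocks: List[Tuple[str, List[str]]] = []
    current = None
    for raw in text.splitlines():
        if raw.strip() in ("", "#", "return"):
            current = None
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw[1:])  # deeper levels keep their remaining indent
        else:
            current = (raw.strip(), [])
            blocks.append(current)
    return blocks


def audit(config: str) -> List[str]:
    """Return one finding per violated constraint; an empty list means the config passes."""
    findings: List[str] = []
    blocks = parse_blocks(config)
    ess_has_auth: Dict[str, bool] = {}  # WLAN-ESS number -> has an "authentication ..." line
    for ctx, lines in blocks:
        m = re.match(r"interface wlan-ess(\d+)$", ctx, re.IGNORECASE)
        if m:
            ess_has_auth[m.group(1)] = any(ln.startswith("authentication ") for ln in lines)
        if ctx.startswith("radius-server template ") and \
                not any(ln.startswith("radius-server shared-key") for ln in lines):
            findings.append(f"{ctx}: no shared key configured")
    wlan_lines = next((lines for ctx, lines in blocks if ctx == "wlan"), [])
    wlan = parse_blocks("\n".join(wlan_lines))  # second level: profiles and service sets
    mgmt_vlan, open_profiles = None, set()
    for ctx, lines in wlan:
        m = re.match(r"wlan ac source interface vlanif\s*(\d+)$", ctx)
        if m:
            mgmt_vlan = int(m.group(1))
        m = re.match(r"security-profile name \S+ id (\d+)$", ctx)
        if m and "security open" in lines:
            open_profiles.add(m.group(1))
    for ctx, lines in wlan:
        m = re.match(r"service-set name (\S+) id \d+$", ctx)
        if not m:
            continue
        name = m.group(1)
        opts = dict(ln.split(" ", 1) for ln in lines if " " in ln)
        service_vlan = int(opts.get("service-vlan", "1"))  # default service VLAN is 1
        if opts.get("forward-mode") == "tunnel" and service_vlan == mgmt_vlan:
            findings.append(f"service-set {name}: tunnel forwarding with service VLAN "
                            f"{service_vlan} equal to management VLAN {mgmt_vlan}")
        profile = opts.get("security-profile", "").replace("id ", "")
        ess = opts.get("wlan-ess")
        if profile in open_profiles and not ess_has_auth.get(ess, False):
            findings.append(f"service-set {name}: open security profile and "
                            f"WLAN-ESS {ess} has no authentication command")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```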

Networking Requirements
As shown in Figure 3-145, the AC deployed in a public area connects to the egress
gateway (Router), RADIUS server, and Portal server, and connects to the AP
through SwitchA. Users can access network resources through the WLAN with the
SSID of test. The gateway also functions as a DHCP server to assign IP addresses
on the 10.10.10.0/24 network segment to STAs, which are managed by the AC.
Because the WLAN is too easy for users to access, there are potential security
risks. To facilitate access to the WLAN, use the default security policy on the AC, in
which STAs are not authenticated and data is not encrypted. To centrally manage
STAs and allow only paid users to access the Internet, configure Portal
authentication on the AC. Any user who attempts to access the Internet is
redirected to the Portal authentication web page. A paying user connects to the
Internet after entering the user name and password, and the RADIUS server starts
accounting. A non-paying user must pay for the WLAN service and use the
obtained user name and password to complete Portal authentication. Generally,
the Portal authentication web page provides the paying function.

Figure 3-145 Networking diagram for configuring Portal authentication on the
wireless side

Data planning

Table 3-56 Data planning

Configuration Item Data

WLAN service Open system authentication+non-encryption

Management VLAN VLAN 100

Service VLAN VLAN 101

Source interface on the AC VLANIF 100: 192.168.10.1/24

AC carrier ID/AC ID Other/1

AP region ID 10

Service set ● SSID: test
● Data forwarding mode: tunnel forwarding

SwitchA VLAN VLAN 100

DHCP server ● IP addresses that the AC assigns to APs: 192.168.10.2 to 192.168.10.254/24
● IP addresses that Router assigns to STAs: 10.10.10.2 to 10.10.10.254/24

Gateway for the AP VLANIF 100: 192.168.10.1/24

Gateway for STAs VLANIF 101: 10.10.10.1/24

RADIUS server parameters ● Server IP address: 10.12.10.1
● Authentication port number: 1812
● Accounting port number: 1813
● Shared key: YsHsjx_202206
● AAA domain: huawei.com

User name and password of STAs ● User name: test@huawei.com
● Password: YsHsjx_202206

Portal server parameters ● Server IP address: 10.13.10.1
● Authentication port number: 50100
● Shared key: huawei

Configuration Roadmap
1. Configure WLAN basic services so that STAs can access the WLAN. This
example uses default configurations.
2. Configure a RADIUS server template, apply it to an AAA domain, and use a
RADIUS server to authenticate STAs' identities and perform accounting.
3. Configure Portal authentication so that Hypertext Transfer Protocol (HTTP)
request packets from a user are redirected to the web page of the Portal
server. After the user enters identity information, the STA sends the user
identity information to the RADIUS server.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP and GE0/0/2 that connects
SwitchA to the AC to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.

# Configure VLANIF 101 (service VLAN), VLANIF 102, VLANIF 103, and VLANIF
104.
[AC] vlan batch 101 102 103 104
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.10.10.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.11.10.2 24
[AC-Vlanif102] quit
[AC] interface vlanif 103
[AC-Vlanif103] ip address 10.12.10.2 24
[AC-Vlanif103] quit
[AC] interface vlanif 104
[AC-Vlanif104] ip address 10.13.10.2 24
[AC-Vlanif104] quit

# Add GE1/0/2 that connects the AC to the Router to VLAN 102.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/2] quit

# Add GE1/0/3 that connects the AC to the RADIUS server to VLAN 103.
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
[AC-GigabitEthernet1/0/3] quit

# Add GE1/0/4 that connects the AC to the Portal server to VLAN 104.
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 104
[AC-GigabitEthernet1/0/4] quit

# On the AC, configure a default route.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.11.10.1

Step 3 Configure the AC to assign an IP address to the AP and configure the Router to
assign IP addresses to STAs.

# Configure the AC to assign an IP address to the AP from an interface IP address
pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent and enable user entry detection on
the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.11.10.1 //Set the DHCP server address for DHCP relay to
10.11.10.1, which resides on Router.
[AC-Vlanif101] quit

# Configure the Router as a DHCP server to assign IP addresses to STAs.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta //Configure the address pool to assign IP addresses to STAs.
[Router-ip-pool-sta] gateway-list 10.10.10.1
[Router-ip-pool-sta] network 10.10.10.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.11.10.1 24
[Router-Vlanif102] dhcp select global //Configure a global address pool.
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.10.10.0 24 10.11.10.2 //Configure a route on the Router destined for the
network segment 10.10.10.0/24.

Step 4 Configure RADIUS authentication and accounting.

# Configure a RADIUS server template, an AAA authentication scheme, an AAA
accounting scheme, and domain information.
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.12.10.1 1812
[AC-radius-radius_huawei] radius-server accounting 10.12.10.1 1813
[AC-radius-radius_huawei] radius-server shared-key cipher YsHsjx_202206
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] accounting-scheme radius_huawei
[AC-aaa-accounting-radius_huawei] accounting-mode radius
[AC-aaa-accounting-radius_huawei] quit
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] accounting-scheme radius_huawei
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

# Test whether a STA can be authenticated using RADIUS authentication.
[AC] test-aaa test@huawei.com YsHsjx_202206 radius-template radius_huawei
Info: Account test succeed.

Step 5 Configure Portal authentication.

# Configure Portal server parameters. Set the port number to 50100 (default
setting).
[AC] web-auth-server test
[AC-web-auth-server-test] server-ip 10.13.10.1
[AC-web-auth-server-test] shared-key cipher huawei
[AC-web-auth-server-test] url http://10.13.10.1
[AC-web-auth-server-test] quit

Step 6 Configure AC system parameters.

# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 7 Manage the AP on the AC.

# Check the AP type ID after obtaining the MAC address of the AP.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default
setting). Add the AP offline based on the AP type ID. Assume that the AP type is
AP6010DN-AGN, and the MAC address of the AP is 00e0-fc11-1111.
[AC-wlan-view] ap id 0 type-id 19 mac 00e0-fc11-1111
[AC-wlan-ap-0] quit

# Configure an AP region and add the AP to the AP region.
[AC-wlan-view] ap-region id 10 //Create AP region 10.
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 0
[AC-wlan-ap-0] region-id 10 //Add AP to region 10.
[AC-wlan-ap-0] quit

# Power on the APs and run the display ap all command on the AC to check the
AP running status. The command output shows that the AP status is normal.
[AC-wlan-view] display ap all
All AP information: Normal[1],Fault[0],Commit-
failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
0 AP6010DN-AGN 00e0-fc11-1111 0/10 normal ap-0
------------------------------------------------------------------------------
Total number: 1,printed: 1

Step 8 Configure WLAN service parameters.

# Create a WMM profile named wmm.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security open
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID name to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service set to 101. The default value
is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the forwarding mode to tunnel forwarding.
[AC-wlan-service-set-test] quit

Step 9 Configure Portal authentication on the WLAN-ESS interface.
[AC-wlan-view] quit
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] domain name huawei.com force
[AC-Wlan-Ess1] permit-domain name huawei.com
[AC-Wlan-Ess1] authentication portal
[AC-Wlan-Ess1] web-auth-server test direct
[AC-Wlan-Ess1] quit
[AC] wlan

Step 10 Configure a VAP and deliver VAP parameters to the AP.

# Configure a VAP.
[AC-wlan-view] ap 0 radio 0
[AC-wlan-radio-0/0] radio-profile name radio //Bind the radio template to a radio.
[AC-wlan-radio-0/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-0/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 0
Warning: Committing configuration may cause service interruption, continue?[Y/N]y

Step 11 Verify the configuration.

● The WLAN with SSID test is available for STAs connected to the AP.
● The wireless PC obtains an IP address after it associates with the WLAN.
● When a user opens their browser and attempts to access the network, the
user is automatically redirected to the authentication page. After entering the
correct user name and password on the page, the user can log in to the
network.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
return

● Router configuration file
#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.10.10.1
network 10.10.10.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.11.10.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 10.10.10.0 255.255.255.0 10.11.10.2
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 104
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius_huawei
radius-server authentication 10.12.10.1 1812 weight 80
radius-server accounting 10.12.10.1 1813 weight 80
radius-server shared-key cipher %#%#Dh.LR>nZA,K_(/~3#i!@a;6}Vk\T_9`ocp<^c"q%%#%
#
web-auth-server test
server-ip 10.13.10.1
port 50100
shared-key cipher %#%#Q"r\<Ei]o@"%dKN@Y(i,:nj2IY$e>=mXxg8Cdb]0%#%#
url http://10.13.10.1
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
accounting-scheme radius_huawei
accounting-mode radius
domain huawei.com
authentication-scheme radius_huawei
accounting-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.11.10.1
#
interface Vlanif102
ip address 10.11.10.2 255.255.255.0
#
interface Vlanif103
ip address 10.12.10.2 255.255.255.0
#
interface Vlanif104
ip address 10.13.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#

interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 103
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 104
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
permit-domain name huawei.com
domain name huawei.com force
web-auth-server test direct
authentication portal
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 0 type-id 19 mac 00e0-fc11-1111 sn AB35015384
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security open
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
wmm-profile id 1
ap 0 radio 0
radio-profile id 1
service-set id 1 wlan 1
#
return

3.11.7 Configuring Radio Calibration

3.11.7.1 Example for Configuring Radio Calibration

Radio Calibration Overview


Radio calibration can dynamically adjust channels and power of APs managed by
the same AC to ensure that the APs work optimally. On a WLAN, the operating
status of APs is affected by the radio environment. For example, signal
interference occurs if adjacent APs managed by the same AC work on overlapping
channels or an AP has high power. In this case, you can configure radio calibration
on the AC.
Typical application scenarios of radio calibration are as follows:
● During AP deployment, configure radio calibration to enable APs to
automatically select the optimal channels.
● When new APs are added to a network or the network environment changes,
configure radio calibration so that APs can adjust channels and power at
scheduled time to work optimally.

Configuration Notes
● In this example, the security policy is WPA2-PSK-CCMP. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network or APs. Service packets and
management packets can be forwarded normally only if the network
between the AC and APs is added to the management VLAN and the
network between the AC and upper-layer network is added to the service
VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network or
APs. Service packets and management packets can be forwarded
normally only if the network between the AC and APs is added to the
management VLAN and the network between APs and upper-layer
network is added to the service VLAN.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● When configuring radio calibration, set the channel mode and power mode of
an AP that needs radio calibration to auto.
● This example uses scheduled radio calibration. Schedule calibration in off-peak
hours, for example, between 00:00 and 06:00, so that channel and power changes
do not disrupt users during business hours.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.

– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● The following table lists applicable products and versions.

Table 3-57 Applicable products and versions

Software version: V200R005C00
Product model: S7700, S9700
AP model and version:
  V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN,
  AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN,
  AP7110SN-GN

Software version: V200R006C00
Product model: S5720-HI, S7700, S9700
AP model and version:
  V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN,
  AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN,
  AP7110SN-GN

Software version: V200R007C00
Product model: S5720-HI, S7700, S9700
AP model and version:
  V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN,
  AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN,
  AP7110SN-GN, AP8030DN, AP8130DN
  V200R005C20: AP7030DE, AP9330DN

Software version: V200R008C00
Product model: S5720-HI, S7700, S9700
AP model and version:
  V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN,
  AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN,
  AP7110SN-GN, AP8030DN, AP8130DN
  V200R005C20: AP7030DE, AP9330DN
  V200R005C30: AP2030DN, AP4030DN, AP4130DN

NOTE

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.

Networking Requirements
As shown in Figure 3-146, a WLAN containing three APs (AP1, AP2, and AP3) is
deployed on the campus network. The three APs join AP region 10.

Users expect the three APs to automatically adjust their channels and power to
reduce interference and perform optimally.

Figure 3-146 Networking for configuring radio calibration

Data Planning

Table 3-58 Data required for completing the configuration

Item: IP address of the AC's source interface
Data: 192.168.10.1/24
Description: None

Item: WMM profile
Data: Name: wmm
Description: None

Item: Radio profile
Data: Name: radio
Description: None

Item: Security profile
Data:
  ● Name: security
  ● Security and authentication policy: WPA2+PSK
  ● Authentication key: Example@123
  ● Encryption mode: CCMP
Description: None

Item: Traffic profile
Data: Name: traffic
Description: None

Item: Service set
Data:
  ● Name: test
  ● SSID: test
  ● WLAN virtual interface: WLAN-ESS 1
  ● Data forwarding mode: tunnel forwarding
Description: None

Item: DHCP server
Data: The AC functions as the DHCP server to assign IP addresses to APs and STAs.
Description: None

Item: AP gateway and IP address range
Data: VLANIF 100: 192.168.10.1/24; 192.168.10.2 to 192.168.10.254/24
Description: None

Item: STA gateway and IP address range
Data: VLANIF 101: 192.168.11.1/24; 192.168.11.2 to 192.168.11.254/24
Description: None

Item: MAC addresses of APs
Data:
  ● AP1: 00e0-fc76-e360
  ● AP2: 00e0-fc04-b500
  ● AP3: 00e0-fc96-e4c0
Description: None

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure basic WLAN services to ensure that users can access the Internet
through WLAN.
2. Set the radio calibration mode to schedule mode for APs to enable the APs to
dynamically adjust channels and power so that the APs perform optimally.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the APs and AC to transmit CAPWAP packets.
# Configure SwitchA and add interfaces GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4
to VLAN 100 (management VLAN).
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/4] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Connect the AC to upstream devices.


# Add AC's uplink interface GE1/0/4 to VLAN 101.
[AC] vlan batch 101
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/4] quit

Step 3 Configure the AC as a DHCP server to assign IP addresses to STAs and APs.
# Configure the AC as a DHCP server to assign IP addresses to the APs from the IP
address pool on VLANIF 100 and assign IP addresses to STAs from the IP address
pool on VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage APs on the AC.


# Check the MAC address of the AP and view the AP type ID.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default
setting). Add the APs offline according to the AP type ID. Assume that the AP type
is AP6010DN-AGN and the MAC addresses of the APs are 00e0-fc76-e360, 00e0-fc04-b500, and 00e0-fc96-e4c0 respectively.
[AC-wlan-view] ap id 1 type-id 19 mac 00e0-fc76-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac 00e0-fc04-b500
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3 type-id 19 mac 00e0-fc96-e4c0
[AC-wlan-ap-3] quit

# Configure an AP region and add the APs to the AP region.


[AC-wlan-view] ap-region id 10 //Create AP region 10.
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10 //Add APs to region 10.
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] region-id 10
[AC-wlan-ap-3] quit

# Power on the three APs and run the display ap all command on the AC to
check the AP state. The command output shows that the APs are in normal state.
[AC-wlan-view] display ap all
All AP information:
Normal[3],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP   AP              AP               Profile/Region   AP       AP
ID   Type            MAC              ID               State    Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 00e0-fc76-e360 0/10 normal ap-1
2 AP6010DN-AGN 00e0-fc04-b500 0/10 normal ap-2
3 AP6010DN-AGN 00e0-fc96-e4c0 0/10 normal ap-3
------------------------------------------------------------------------------
Total number: 3,printed: 3

Step 6 Configure WLAN service parameters.


# Create a WMM profile named wmm and retain the default settings in the
profile.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile. Set the channel mode and power mode to auto in the radio profile
(default settings).
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2 //Configure security policy WPA2.
[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher Example@123 encryption-method ccmp //Set the authentication method to PSK and the encryption method to CCMP.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default settings in the
profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID name to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the service VLAN of the service set to 101. The default service VLAN is VLAN 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-service-set-test] quit

Step 7 Configure VAPs and deliver VAP parameters to APs.


# Configure VAPs.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio //Bind the radio profile to the radio.
[AC-wlan-radio-1/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] service-set name test
[AC-wlan-radio-2/0] quit
[AC-wlan-view] ap 3 radio 0
[AC-wlan-radio-3/0] radio-profile name radio
[AC-wlan-radio-3/0] service-set name test
[AC-wlan-radio-3/0] quit

Step 8 Configure radio calibration.


# Set the radio working mode to hybrid, so that each radio keeps serving STAs while it also scans the air for the neighbor and interference information that calibration uses.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] work-mode hybrid
Warning: Modify the work mode may cause business interruption, continue?(y/n)[n]:y
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] work-mode hybrid
Warning: Modify the work mode may cause business interruption, continue?(y/n)[n]:y
[AC-wlan-radio-2/0] quit
[AC-wlan-view] ap 3 radio 0
[AC-wlan-radio-3/0] work-mode hybrid
Warning: Modify the work mode may cause business interruption, continue?(y/n)[n]:y
[AC-wlan-radio-3/0] quit

# Set the radio calibration mode to schedule and configure the device to start
radio calibration at 3:00 a.m. every day.
[AC-wlan-view] calibrate enable schedule time 03:00:00

# Enable radio calibration in the radio profile view (default setting).


# Commit the configuration.
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption, continue?[Y/N]y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]y
[AC-wlan-view] commit ap 3
Warning: Committing configuration may cause service interruption, continue?[Y/N]y

Step 9 Verify the configuration.


● After the preceding configurations are complete, the AC begins to adjust the
channels and power of the three APs to ensure that the APs perform
optimally.
● STAs can connect to the WLAN with SSID test. Use AP1 as an example. Run
the display station assoc-info ap 1 command on the AC. The command output
shows that the STAs associate with the WLAN test.
[AC-wlan-view] display station assoc-info ap 1
------------------------------------------------------------------------------
STA MAC          AP ID   RADIO ID   SS ID   SSID
------------------------------------------------------------------------------
00e0-fc08-9abf   1       0          1       test
------------------------------------------------------------------------------
Total stations: 1
You can run the display statistics calibrate ap 1 radio 0 command on the AC to
check radio calibration statistics on AP1.
[AC-wlan-view] display statistics calibrate ap 1 radio 0
-----------------------------------------------------------------------
Signal environment deterioration :1
Power calibration :1
Channel calibration :0
-----------------------------------------------------------------------

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 101
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 00e0-fc76-e360 sn 210235419610CB002287
region-id 10
ap id 2 type-id 19 mac 00e0-fc04-b500 sn 210235555310CC000094
region-id 10
ap id 3 type-id 19 mac 00e0-fc96-e4c0 sn 210235582910D1000039
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@
encryption-method ccmp
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
calibrate enable schedule time 03:00:00
radio-profile name radio id 1
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
work-mode hybrid
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
work-mode hybrid
service-set id 1 wlan 1
ap 3 radio 0
radio-profile id 1
work-mode hybrid
service-set id 1 wlan 1
#
return
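The Configuration Notes for this example impose checks that are easy to miss by hand: the service VLAN must differ from the management VLAN in tunnel forwarding mode, the security policy should not be open, radios that are to be calibrated must stay in auto channel and power mode, and calibration should run in off-peak hours. The following Python script is an added example, not code from the original page or from Huawei. It runs those checks over a trimmed copy of the AC configuration file above and over a constructed variant that breaks them. It assumes that the CAPWAP source interface is a VLANIF (wlan ac source interface or capwap source interface), that direct forwarding applies when forward-mode is absent, and that channel-mode fixed / power-mode fixed in a radio profile and channel / power-level under a radio are what pin a radio; the cipher text is a placeholder.

```python
"""Offline check of the AC configuration above against the Configuration Notes
of this example: VLAN separation in tunnel mode, no open security policy, radios
left in auto channel/power mode, and calibration scheduled in off-peak hours."""
import re
from datetime import time

# Constructed input: a trimmed copy of the AC configuration file shown above.
# The cipher text is a placeholder, not the page's value.
GOOD_CONFIG = """\
#
sysname AC
#
vlan batch 100 to 101
#
interface Vlanif100
 ip address 192.168.10.1 255.255.255.0
 dhcp select interface
#
wlan
 wlan ac source interface vlanif100
 security-profile name security id 1
  security-policy wpa2
  wpa2 authentication-method psk pass-phrase cipher <ciphertext> encryption-method ccmp
 service-set name test id 1
  forward-mode tunnel
  wlan-ess 1
  ssid test
  security-profile id 1
  service-vlan 101
 calibrate enable schedule time 03:00:00
 radio-profile name radio id 1
  wmm-profile id 1
 ap 1 radio 0
  radio-profile id 1
  work-mode hybrid
  service-set id 1 wlan 1
#
return
"""

# Constructed variant that violates four of the notes at once.
BAD_CONFIG = re.sub(r"  security-policy wpa2\n  wpa2 [^\n]*\n", "  security open\n", GOOD_CONFIG)
BAD_CONFIG = (BAD_CONFIG
              .replace("service-vlan 101", "service-vlan 100")              # collides with management VLAN 100
              .replace("schedule time 03:00:00", "schedule time 14:00:00")  # calibration in business hours
              .replace("  work-mode hybrid\n", "  work-mode hybrid\n  channel 20mhz 6\n"))  # pinned channel

# Lines that open a block; the lines after them belong to that block. Indentation is
# ignored because the configuration files on this page lose it in extraction.
BLOCK_START = re.compile(
    r"^(?:wlan$|interface \S+|ap id \d+|ap \d+ radio \d+"
    r"|(?:security-profile|service-set|radio-profile|wmm-profile|traffic-profile) name \S+)"
)
OFF_PEAK = (time(0, 0), time(6, 0))   # window recommended in the notes


def parse_blocks(text):
    """Return [(block_header, [lines])]; lines before the first header go under 'global'."""
    blocks, header, lines = [], "global", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        if BLOCK_START.match(line):
            blocks.append((header, lines))
            header, lines = line, []
        else:
            lines.append(line)
    blocks.append((header, lines))
    return blocks


def lint(text):
    """Return a list of findings; an empty list means the notes are satisfied."""
    findings = []
    m = re.search(r"(?:wlan ac|capwap) source interface vlanif\s*(\d+)", text)
    mgmt_vlan = int(m.group(1)) if m else None
    if mgmt_vlan is None:
        findings.append("ERROR: no CAPWAP source interface, APs cannot reach the AC")
    for header, lines in parse_blocks(text):
        if header.startswith("service-set"):
            mode = next((l.split()[1] for l in lines if l.startswith("forward-mode")), "direct")  # assumed default
            vlan = next((int(l.split()[1]) for l in lines if l.startswith("service-vlan")), 1)
            if vlan == mgmt_vlan:
                sev = "ERROR" if mode == "tunnel" else "WARN"
                findings.append(f"{sev}: {header}: service VLAN {vlan} equals the management VLAN ({mode} forwarding)")
        elif header.startswith("security-profile") and "security open" in lines:
            findings.append(f"WARN: {header}: open security, the air interface is not encrypted")
        elif header.startswith("radio-profile"):
            findings += [f"ERROR: {header}: {l} prevents radio calibration"
                         for l in lines if l in ("channel-mode fixed", "power-mode fixed")]
        elif re.match(r"ap \d+ radio \d+", header):
            findings += [f"ERROR: {header}: '{l}' pins the radio; calibration needs auto channel/power mode"
                         for l in lines if l.startswith(("channel ", "power-level "))]
    m = re.search(r"calibrate enable schedule time (\d\d):(\d\d):(\d\d)", text)
    if not m:
        findings.append("WARN: radio calibration is not scheduled")
    else:
        t = time(*map(int, m.groups()))
        if not OFF_PEAK[0] <= t <= OFF_PEAK[1]:
            findings.append(f"WARN: calibration at {t} is outside the 00:00-06:00 off-peak window")
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(name, lint(cfg) or ["OK"])
```

Paste the output of display current-configuration into GOOD_CONFIG's place to check a live AC; the block-start pattern only needs extending if the device uses view keywords not listed here.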

3.11.7.2 Example for Configuring Session-based Static Load Balancing

Session-based Static Load Balancing Overview


Load balancing can evenly distribute AP traffic loads to ensure sufficient
bandwidth for each STA and to prevent a heavy load on a single AP. In static load
balancing, APs are manually added to a load balancing group. When a STA wants
to connect to an AP in this load balancing group, the AC uses a load balancing
algorithm to determine whether to allow the STA to connect to the AP. If the
connection is not allowed, the STA connects to a different AP with a lighter load.
Static load balancing can be used in scenarios such as conference rooms. For
example, if two APs are deployed in a conference room, you can add the two APs
to a load balancing group to prevent heavy load on a single AP.

Configuration Notes
● In this example, the security policy is WPA2-PSK-CCMP. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network or APs. Service packets and
management packets can be forwarded normally only if the network
between the AC and APs is added to the management VLAN and the
network between the AC and upper-layer network is added to the service
VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network or
APs. Service packets and management packets can be forwarded
normally only if the network between the AC and APs is added to the
management VLAN and the network between APs and upper-layer
network is added to the service VLAN.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● Each load balancing group supports a maximum of three APs.
● All APs in a load balancing group must belong to the same AP region.
● A load balancing group is a set of radios, and each radio can join only one
load balancing group. If dual-band APs are used, traffic is load balanced
among APs working on the same frequency band, so a dual-band AP can join
two load balancing groups (one per band).
● All radios in a load balancing group work on the same frequency band (2.4 GHz
or 5 GHz) and must be configured to work on different channels.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● The following table lists applicable products and versions.

Table 3-59 Applicable products and versions

Software version: V200R005C00
Product model: S7700, S9700
AP model and version:
  V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN,
  AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN,
  AP7110SN-GN

Software version: V200R006C00
Product model: S5720-HI, S7700, S9700
AP model and version:
  V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN,
  AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN,
  AP7110SN-GN

Software version: V200R007C00
Product model: S5720-HI, S7700, S9700
AP model and version:
  V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN,
  AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN,
  AP7110SN-GN, AP8030DN, AP8130DN
  V200R005C20: AP7030DE, AP9330DN

Software version: V200R008C00
Product model: S5720-HI, S7700, S9700
AP model and version:
  V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN,
  AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN,
  AP7110SN-GN, AP8030DN, AP8130DN
  V200R005C20: AP7030DE, AP9330DN
  V200R005C30: AP2030DN, AP4030DN, AP4130DN

NOTE

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.
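The membership rules in the Configuration Notes above and the admission behaviour described in the Session-based Static Load Balancing Overview can be exercised offline with the following Python model. It is an added example, not code from the original page or from the Huawei product: the start threshold, gap threshold and reject cap are assumptions used to model "the AC uses a load balancing algorithm to determine whether to allow the STA to connect", since this page does not show the product's own parameters, and the scenario data (AP1 and AP2 as 2.4 GHz radios on channels 1 and 6, six STAs that all try AP1 first) is constructed.

```python
"""Model of a session-based static load balancing group: the membership rules
from the Configuration Notes plus the admission decision from the overview."""
from dataclasses import dataclass, field

MAX_RADIOS_PER_GROUP = 3          # notes: at most three APs per group


@dataclass(frozen=True)
class Radio:
    ap_id: int
    radio_id: int
    region_id: int
    band: str                     # "2.4GHz" or "5GHz"
    channel: int


@dataclass
class LoadBalanceGroup:
    name: str
    # Assumed model parameters; this page does not show the product's own thresholds.
    start_threshold: int = 10     # balancing stays idle until a radio carries this many sessions
    gap_threshold: int = 20       # max lead over the lightest radio, in percent of own load
    max_rejects: int = 3          # fail-open: a STA rejected this often is admitted anyway
    members: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)   # Radio -> set of STA MACs
    rejects: dict = field(default_factory=dict)    # STA MAC -> consecutive rejections

    def add_radio(self, radio, all_groups=()):
        """Apply the membership rules before the radio joins this group."""
        if len(self.members) >= MAX_RADIOS_PER_GROUP:
            raise ValueError(f"{self.name}: already has {MAX_RADIOS_PER_GROUP} radios")
        if any(radio in g.members for g in all_groups):
            raise ValueError(f"ap{radio.ap_id}/r{radio.radio_id} already belongs to a group")
        for m in self.members:
            if m.region_id != radio.region_id:
                raise ValueError(f"{self.name}: members must share AP region {m.region_id}")
            if m.band != radio.band:
                raise ValueError(f"{self.name}: members must share band {m.band}")
            if m.channel == radio.channel:
                raise ValueError(f"{self.name}: channel {m.channel} is already used in the group")
        self.members.append(radio)
        self.sessions[radio] = set()

    def admit(self, radio, sta_mac):
        """True if sta_mac may associate with radio; False makes the STA try another AP."""
        if radio not in self.sessions:
            raise KeyError(f"ap{radio.ap_id}/r{radio.radio_id} is not in group {self.name}")
        mine = len(self.sessions[radio])
        lightest = min(len(s) for s in self.sessions.values())
        # Below start_threshold nothing is balanced. Above it, reject only when this radio
        # leads the lightest member by more than gap_threshold percent of its own load.
        overloaded = (mine >= self.start_threshold
                      and (mine - lightest) * 100 > self.gap_threshold * mine)
        if overloaded and self.rejects.get(sta_mac, 0) < self.max_rejects:
            self.rejects[sta_mac] = self.rejects.get(sta_mac, 0) + 1
            return False
        self.sessions[radio].add(sta_mac)
        self.rejects.pop(sta_mac, None)
        return True

    def loads(self):
        return {f"ap{r.ap_id}/r{r.radio_id}": len(s) for r, s in self.sessions.items()}


def demo():
    """Constructed scenario: AP1 and AP2 of the example as 2.4 GHz radios on channels
    1 and 6, and six STAs that all hear AP1 best and try it first."""
    group = LoadBalanceGroup("conf-room", start_threshold=4, gap_threshold=25)
    ap1 = Radio(1, 0, region_id=10, band="2.4GHz", channel=1)
    ap2 = Radio(2, 0, region_id=10, band="2.4GHz", channel=6)
    group.add_radio(ap1)
    group.add_radio(ap2)
    placement = []
    for i in range(6):
        mac = f"00e0-fc08-9a{i:02x}"        # constructed STA MAC addresses
        if group.admit(ap1, mac):
            placement.append((mac, "ap1"))
        else:                               # rejected by AP1, falls back to AP2
            group.admit(ap2, mac)
            placement.append((mac, "ap2"))
    return group.loads(), placement


if __name__ == "__main__":
    print(demo())
```

The reject cap matters in practice: a STA that can only hear the heavily loaded AP must eventually be admitted, otherwise load balancing turns into a denial of service for clients at the edge of coverage.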

Networking Requirements
As shown in Figure 3-147, AP1 and AP2 connect to the AC through SwitchA and
join AP region 10.
When a large number of STAs access the Internet through the same AP, the AP
becomes heavily loaded and WLAN service quality deteriorates. Therefore, the
STAs need to be balanced on the two APs.

Figure 3-147 Networking for configuring session-based static load balancing

Data Planning

Table 3-60 Data required for completing the configuration

Item: IP address of the AC's source interface
Data: 192.168.10.1/24
Description: None

Item: WMM profile
Data: Name: wmm
Description: None

Item: Radio profile
Data: Name: radio
Description: None

Item: Security profile
Data:
  ● Name: security
  ● Security and authentication policy: WPA2+PSK
  ● Authentication key: Example@123
  ● Encryption mode: CCMP
Description: None

Item: Traffic profile
Data: Name: traffic
Description: None

Item: Service set
Data:
  ● Name: test
  ● SSID: test
  ● WLAN virtual interface: WLAN-ESS 1
  ● Data forwarding mode: tunnel forwarding
Description: None

Item: DHCP server
Data: The AC functions as the DHCP server to assign IP addresses to APs and STAs.
Description: None

Item: AP gateway and IP address range
Data: VLANIF 100: 192.168.10.1/24; 192.168.10.2 to 192.168.10.254/24
Description: None

Item: STA gateway and IP address range
Data: VLANIF 101: 192.168.11.1/24; 192.168.11.2 to 192.168.11.254/24
Description: None

Item: MAC addresses of APs
Data:
  ● AP1: 00e0-fc76-e360
  ● AP2: 00e0-fc04-b500
Description: None

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the WLAN service so that users can connect to the Internet through
the WLAN.
2. Configure session-based static load balancing to prevent new STAs from
associating with heavily-loaded APs.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the APs and AC to transmit CAPWAP packets.
# Configure SwitchA and add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to the
management VLAN 100.
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.
# Add the AC's uplink interface GE1/0/3 to VLAN 101.
[AC] vlan batch 101
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/3] quit

Step 3 Configure the AC as a DHCP server to assign IP addresses to STAs and APs.
# Configure a DHCP server to assign IP addresses to the APs from the IP address
pool on VLANIF 100 and assign IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.
# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage APs on the AC.
# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default
setting). Add the APs offline based on the AP type ID. Assume that the type of AP1
and AP2 is AP6010DN-AGN, and their MAC addresses are 00e0-fc76-e360 and
00e0-fc04-b500, respectively.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 1 type-id 19 mac 00e0-fc76-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac 00e0-fc04-b500
[AC-wlan-ap-2] quit

# Configure an AP region and add the APs to the AP region.
[AC-wlan-view] ap-region id 10 //Create AP region 10.
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10 //Add APs to region 10.
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10
[AC-wlan-ap-2] quit

# Power on AP1 and AP2 and run the display ap all command on the AC to check
the AP state. The command output shows that the APs are in normal state.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 00e0-fc76-e360 0/10 normal ap-1
2 AP6010DN-AGN 00e0-fc04-b500 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2

Step 6 Configure WLAN service parameters.
# Create a WMM profile named wmm and retain the default settings in the
profile.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile. Set the channel mode to fixed.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed //Set the channel mode to fixed. The default value is auto.
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2 //Configure security policy WPA2.
[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher Example@123 encryption-method ccmp //Set the encryption method to PSK+CCMP.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default settings in the
profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Name the SSID test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service set to 101. The default value is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel forwarding.
[AC-wlan-service-set-test] quit

Step 7 Configure VAPs and deliver VAP parameters to APs.
# Configure VAPs.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio //Bind the radio profile to a radio.
[AC-wlan-radio-1/0] channel 20mhz 11 //Set the working channel of the radio to 11 and the channel bandwidth to 20 MHz.
[AC-wlan-radio-1/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name test
[AC-wlan-radio-2/0] quit

Step 8 Configure a load balancing group, add AP1 and AP2 to the load balancing group,
and set the load balancing mode of the group to session-based load balancing.
[AC-wlan-view] load-balance-group name huawei //Create load balancing group huawei.
[AC-wlan-load-group-huawei] member ap-id 1 radio-id 0 //Add AP1 radio 0 to load balancing group huawei.
[AC-wlan-load-group-huawei] member ap-id 2 radio-id 0
[AC-wlan-load-group-huawei] session gap 5 //Configure session-based static load balancing and set the load difference threshold to 5%. The default value is 4%.
[AC-wlan-load-group-huawei] associate-threshold 10 //Set the maximum number of association requests in a static load balancing group to 10. The default value is 6.
[AC-wlan-load-group-huawei] quit
[AC-wlan-view] commit ap 1 //Commit configurations.
Warning: Committing configuration may cause service interruption, continue?[Y/N]y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]y

Step 9 Verify the configuration.
● After the preceding configuration is complete, STAs can discover the WLAN
with SSID test.
● When a new STA requests to access the Internet through an AP, the AC uses a
static load balancing algorithm to determine whether to allow access from
the STA. If the requested AP has more than 5% greater load than the other
AP, the AC rejects the association request of the STA. If the STA continues to
send more than 10 association requests to the AP, the AC allows the STA to
associate with the AP.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 00e0-fc76-e360 sn 210235419610CB002287
region-id 10
ap id 2 type-id 19 mac 00e0-fc04-b500 sn 210235555310CC000094
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@
encryption-method ccmp
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
channel 20MHz 11
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 1
load-balance-group name huawei id 0
associate-threshold 10
session gap 5
member ap-id 1 radio-id 0
member ap-id 2 radio-id 0
#
return

3.11.7.3 Example for Configuring Traffic-based Dynamic Load Balancing

Traffic-based Dynamic Load Balancing Overview

Load balancing can evenly distribute AP traffic loads to ensure sufficient
bandwidth for each STA. When a STA joins the network, the AC adds the APs that
report the STA to a load balancing group, and then uses a load balancing
algorithm to determine whether to allow access from the STA.

Dynamic load balancing applies to high-density wireless environments, such as
stadiums and stations.

Static load balancing supports a limited number of group members, and all
members must be manually added to the group and work on the same frequency
band. Dynamic load balancing overcomes these limitations and better ensures
bandwidth for each STA.

Configuration Notes
● In this example, the security policy is WPA2-PSK-CCMP. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network or APs. Service packets and
management packets can be forwarded normally only if the network
between the AC and APs is added to the management VLAN and the
network between the AC and upper-layer network is added to the service
VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network or
APs. Service packets and management packets can be forwarded
normally only if the network between the AC and APs is added to the
management VLAN and the network between APs and upper-layer
network is added to the service VLAN.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● Radio traffic statistics packets are sent and received together with Echo
packets. In this example, traffic-based dynamic load balancing is used. You are
advised to set the CAPWAP heartbeat detection interval to between 30s and
60s so that the radio traffic statistics can be updated in a timely manner.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● The following table lists applicable products and versions.

Table 3-61 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R005C00 | S7700, S9700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00 | S5720-HI, S7700, S9700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00 | S5720-HI, S7700, S9700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN
V200R008C00 | S5720-HI, S7700, S9700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN; V200R005C30: AP2030DN, AP4030DN, AP4130DN

NOTE

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.
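
The configuration notes above turn into a mechanical check on the AC configuration: in tunnel forwarding mode the service VLAN must differ from the management VLAN, direct forwarding needs port isolation on the switch ports facing the APs, and this example's security policy is WPA2-PSK-CCMP. The following Python audit is an added example, not part of this guide or of any Huawei tool. It reads the management VLAN from the wlan ac source interface (or capwap source interface) line as the notes describe, and the sample text is constructed from this example's AC configuration file with the service VLAN of service set test moved onto the management VLAN so the check fires; the second service set guest, its WPA/TKIP profile, the direct-forward keyword and direct forwarding as the default mode are assumptions.

```python
import re

# Constructed sample modelled on the AC configuration file of this example.
# "test" has its service VLAN placed on the management VLAN (an error in tunnel
# mode); "guest" is an assumed direct-forwarding SSID with an assumed WPA/TKIP profile.
SAMPLE_AC_CONFIG = """\
#
vlan batch 100 to 101
#
wlan
 wlan ac source interface vlanif100
 security-profile name security id 1
  security-policy wpa2
  wpa2 authentication-method psk pass-phrase cipher %@%@example-cipher-text%@%@ encryption-method ccmp
 security-profile name legacy id 2
  security-policy wpa
  wpa authentication-method psk pass-phrase cipher %@%@example-cipher-text%@%@ encryption-method tkip
 service-set name test id 1
  forward-mode tunnel
  wlan-ess 1
  ssid test
  traffic-profile id 1
  security-profile id 1
  service-vlan 100
 service-set name guest id 2
  forward-mode direct-forward
  wlan-ess 2
  ssid guest
  security-profile id 2
  service-vlan 101
#
return
"""

# Lines that open some other WLAN block and therefore end a service-set/security-profile block.
BLOCK_RESET = re.compile(r"^(?:wmm-profile|traffic-profile|radio-profile) name|^ap \d+ radio|^load-balance-group")


def parse_ac_config(text):
    """Extract the management VLAN, service sets and security profiles from AC config text."""
    cfg = {"mgmt_vlan": None, "service_sets": {}, "security_profiles": {}}
    kind, block = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        m = re.match(r"(?:wlan ac|capwap) source interface vlanif\s*(\d+)$", line)
        if m:
            cfg["mgmt_vlan"] = int(m.group(1))
            continue
        m = re.match(r"service-set name (\S+) id (\d+)$", line)
        if m:
            # Service VLAN 1 is the default stated on the page; direct forwarding as default is assumed.
            block = {"id": int(m.group(2)), "forward_mode": "direct-forward",
                     "service_vlan": 1, "security_profile_id": None}
            cfg["service_sets"][m.group(1)], kind = block, "service-set"
            continue
        m = re.match(r"security-profile name (\S+) id (\d+)$", line)
        if m:
            block = {"name": m.group(1), "policy": None, "encryption": None}
            cfg["security_profiles"][int(m.group(2))], kind = block, "security-profile"
            continue
        if BLOCK_RESET.match(line):
            kind = None
        elif kind == "service-set":
            for key, pat in (("forward_mode", r"forward-mode (\S+)$"),
                             ("service_vlan", r"service-vlan (\d+)$"),
                             ("security_profile_id", r"security-profile id (\d+)$")):
                m = re.match(pat, line)
                if m:
                    block[key] = int(m.group(1)) if m.group(1).isdigit() else m.group(1)
        elif kind == "security-profile":
            m = re.match(r"security-policy (\S+)$", line)
            if m:
                block["policy"] = m.group(1)
            m = re.search(r"encryption-method (\S+)$", line)
            if m:
                block["encryption"] = m.group(1)
    return cfg


def audit_ac_config(text):
    """Return (severity, message) findings for the three configuration notes."""
    cfg = parse_ac_config(text)
    mgmt = cfg["mgmt_vlan"]
    findings = []
    if mgmt is None:
        findings.append(("WARN", "no WLAN/CAPWAP source interface found; management VLAN unknown"))
    for name, ss in cfg["service_sets"].items():
        tunnel = ss["forward_mode"] == "tunnel"
        if mgmt is not None and ss["service_vlan"] == mgmt:
            # Forbidden in tunnel mode, merely not advised in direct mode.
            findings.append(("ERROR" if tunnel else "WARN",
                             f"service-set {name}: service VLAN {ss['service_vlan']} equals management VLAN {mgmt} ({ss['forward_mode']})"))
        if not tunnel:
            findings.append(("INFO", f"service-set {name}: direct forwarding; configure port isolation on switch interfaces facing the APs"))
        prof = cfg["security_profiles"].get(ss["security_profile_id"])
        if prof is None:
            findings.append(("WARN", f"service-set {name}: no security profile bound"))
        elif (prof["policy"], prof["encryption"]) != ("wpa2", "ccmp"):
            findings.append(("WARN", f"service-set {name}: profile {prof['name']} is {prof['policy']}/{prof['encryption']}, not WPA2-CCMP"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_ac_config(SAMPLE_AC_CONFIG):
        print(severity, message)
```

Running it on the page's own AC configuration file (service VLAN 101, tunnel forwarding, WPA2-CCMP) yields no finding for service set test; only the constructed collision and the assumed guest SSID are reported.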

Networking Requirements
As shown in Figure 3-148, AP1 and AP2 connecting to the AC through SwitchA
are dual-band APs and join AP region 10. STAs in AP region 10 support 2.4 GHz
and 5 GHz frequency bands. Both 2.4 GHz and 5 GHz WLANs need to be deployed
in AP region 10.
When a large number of STAs access the Internet through the same AP, the AP
becomes heavily loaded and WLAN service quality deteriorates. Therefore, the
STAs need to be balanced on the two APs.

Figure 3-148 Networking for configuring traffic-based dynamic load balancing

Data Planning

Table 3-62 Data required for completing the configuration

Item | Data | Description
IP address of the AC's source interface | 192.168.10.1/24 | None
WMM profile | Name: wmm | None
Radio profile | Name: radio | None
Security profile | Name: security; security and authentication policy: WPA2+PSK; authentication key: Example@123; encryption mode: CCMP | None
Traffic profile | Name: traffic | None
Service set | Name: test; SSID: test; WLAN virtual interface: WLAN-ESS 1; data forwarding mode: tunnel forwarding | None
DHCP server | The AC functions as the DHCP server to assign IP addresses to APs and STAs. | None
AP gateway and IP address range | VLANIF 100: 192.168.10.1/24; 192.168.10.2 to 192.168.10.254/24 | None
STA gateway and IP address range | VLANIF 101: 192.168.11.1/24; 192.168.11.2 to 192.168.11.254/24 | None
MAC addresses of APs | AP1: 00e0-fc76-e360; AP2: 00e0-fc04-b500 | None

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the WLAN service so that users can connect to the Internet through
the WLAN.
2. Configure traffic-based dynamic load balancing to prevent new STAs from
associating with heavily-loaded APs.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the APs and AC to transmit CAPWAP packets.
# Configure SwitchA and add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to the
management VLAN 100.
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.
# Add the AC's uplink interface GE1/0/3 to VLAN 101.
[AC] vlan batch 101
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/3] quit

Step 3 Configure the AC as a DHCP server to assign IP addresses to STAs and APs.
# Configure a DHCP server to assign IP addresses to the APs from the IP address
pool on VLANIF 100 and assign IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.
# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage APs on the AC.
# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default
setting). Add the APs offline based on the AP type ID. Assume that the type of AP1
and AP2 is AP6010DN-AGN, and their MAC addresses are 00e0-fc76-e360 and
00e0-fc04-b500, respectively.
[AC-wlan-view] ap-auth-mode mac-auth
[AC-wlan-view] ap id 1 type-id 19 mac 00e0-fc76-e360
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac 00e0-fc04-b500
[AC-wlan-ap-2] quit

# Configure an AP region and add the APs to the AP region.
[AC-wlan-view] ap-region id 10 //Create AP region 10.
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10 //Add APs to region 10.
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10
[AC-wlan-ap-2] quit

# Power on AP1 and AP2 and run the display ap all command on the AC to check
the AP state. The command output shows that the APs are in normal state.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 00e0-fc76-e360 0/10 normal ap-1
2 AP6010DN-AGN 00e0-fc04-b500 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2

Step 6 Configure WLAN service parameters.
# Create a WMM profile named wmm and retain the default settings in the
profile.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile. Set the channel mode to fixed.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed //Set the channel mode to fixed. The default value is auto.
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2 //Configure security policy WPA2.
[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher Example@123 encryption-method ccmp //Set the encryption method to PSK+CCMP.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default settings in the
profile.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Name the SSID test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID of the service set to 101. The default value is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel forwarding.
[AC-wlan-service-set-test] quit

Step 7 Configure VAPs and deliver VAP parameters to APs.
# Configure VAPs.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio //Bind the radio profile to a radio.
[AC-wlan-radio-1/0] channel 20mhz 11 //Set the working channel of the radio to 11 and the channel bandwidth to 20 MHz.
[AC-wlan-radio-1/0] service-set name test //Bind the service set to the radio.
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 1 radio 1
[AC-wlan-radio-1/1] radio-profile name radio
[AC-wlan-radio-1/1] channel 40mhz-plus 157 //Set the working channel of the radio to 157 and the channel bandwidth to 40MHz Plus.
[AC-wlan-radio-1/1] service-set name test
[AC-wlan-radio-1/1] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name test
[AC-wlan-radio-2/0] quit
[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] radio-profile name radio
[AC-wlan-radio-2/1] channel 40mhz-plus 149
[AC-wlan-radio-2/1] service-set name test
[AC-wlan-radio-2/1] quit

Step 8 Configure dynamic load balancing.
[AC-wlan-view] sta-load-balance enable //Enable dynamic load balancing.
[AC-wlan-view] sta-load-balance mode traffic //Configure traffic-based dynamic load balancing.
[AC-wlan-view] sta-load-balance traffic gap 25 //Set the load difference threshold to 25%. The default value is 20%.
[AC-wlan-view] sta-load-balance associate-threshold 10 //Set the maximum number of association requests in dynamic load balancing to 10. The default value is 6.
[AC-wlan-view] commit ap 1 //Commit the configuration.
Warning: Committing configuration may cause service interruption, continue?[Y/N]y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]y
[AC-wlan-view] quit

Step 9 Verify the configuration.
● After the preceding configuration is complete, STAs can discover the WLAN
with SSID test.
● You can run the display sta-load-balance config command on the AC to
check the dynamic load balancing configuration.
[AC] display sta-load-balance config
Sta-load-balance config:
------------------------------------------------------------------------------
Sta-load-balance enable : Yes
Sta-load-balance mode : Traffic
Sta-load-balance session gap threshold :4
Sta-load-balance traffic gap threshold : 25
Sta-load-balance associate threshold : 10
------------------------------------------------------------------------------

● If a new STA requests to connect to one of the four VAPs in AP region 10, the
AC uses a dynamic load balancing algorithm to determine whether to allow
access from the STA. If the requested VAP has more than 25% greater load
than the other VAPs, the AC rejects the association request of the STA. If the
STA continues to send more than 10 association requests to the VAP, the AC
allows the STA to associate with the AP.

----End
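
The admission rule verified in Step 9 here, and in Step 9 of the session-based example in 3.11.7.2, follows one pattern: a request to a group member whose load exceeds the lightest member's by more than the configured gap is rejected, until the STA has sent more than associate-threshold requests to that member, at which point it is admitted. The Python model below is an added example, not Huawei's implementation; it is parameterised by the metric so the same code reproduces the session-based static case (session gap 5, associate-threshold 10) and the traffic-based dynamic case (traffic gap 25, associate-threshold 10). Expressing load as a percentage of an assumed per-radio capacity, the capacity figures, the STA names and the load numbers are all constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Radio:
    """One load-balancing group member: an AP radio carrying the VAP."""
    name: str
    sessions: int = 0                 # STAs currently associated
    capacity: int = 64                # assumed maximum STAs per radio
    traffic_kbps: float = 0.0         # measured radio traffic
    bandwidth_kbps: float = 20000.0   # assumed usable radio bandwidth


@dataclass
class LoadBalanceGroup:
    """Admission decision following the gap / associate-threshold rule."""
    members: list
    mode: str                 # "session" (static example) or "traffic" (dynamic example)
    gap: int                  # load difference threshold in percent
    associate_threshold: int  # requests after which a rejected STA is admitted anyway
    attempts: dict = field(default_factory=dict)  # (sta, radio name) -> requests seen

    def load(self, radio: Radio) -> float:
        """Load as a percentage of capacity (assumed definition, not Huawei's)."""
        if self.mode == "session":
            return 100.0 * radio.sessions / radio.capacity
        if self.mode == "traffic":
            return 100.0 * radio.traffic_kbps / radio.bandwidth_kbps
        raise ValueError(f"unknown load-balancing mode {self.mode!r}")

    def admit(self, sta_mac: str, radio: Radio):
        """Decide one association request; returns (allowed, reason)."""
        if not any(m is radio for m in self.members):
            raise ValueError(f"{radio.name} is not a member of the group")
        key = (sta_mac, radio.name)
        count = self.attempts.get(key, 0) + 1
        self.attempts[key] = count
        others = [m for m in self.members if m is not radio]
        lightest = min(self.load(m) for m in others) if others else self.load(radio)
        diff = self.load(radio) - lightest
        if diff > self.gap and count <= self.associate_threshold:
            return False, f"{radio.name} is {diff:.1f}% above the lightest member (request {count})"
        # Admitted: within the gap, or the STA has exceeded the association threshold.
        radio.sessions += 1
        self.attempts.pop(key, None)
        if diff > self.gap:
            return True, f"{radio.name} admitted after {count} requests despite a {diff:.1f}% gap"
        return True, f"{radio.name} within gap ({diff:.1f}%)"


def demo_session_static():
    """Session-based static group: session gap 5, associate-threshold 10 (3.11.7.2)."""
    ap1 = Radio("ap1/radio0", sessions=10)   # constructed load figures
    ap2 = Radio("ap2/radio0", sessions=2)
    group = LoadBalanceGroup([ap1, ap2], mode="session", gap=5, associate_threshold=10)
    # A STA keeps retrying the busier radio: rejected 10 times, admitted on the 11th.
    retries = [group.admit("sta-a", ap1)[0] for _ in range(11)]
    # A STA asking the lighter radio is admitted at once.
    lighter = group.admit("sta-b", ap2)[0]
    return retries, lighter


def demo_traffic_dynamic():
    """Traffic-based dynamic balancing over four VAPs: traffic gap 25, associate-threshold 10 (3.11.7.3)."""
    vaps = [Radio("ap1/radio0", traffic_kbps=12000), Radio("ap1/radio1", traffic_kbps=5000),
            Radio("ap2/radio0", traffic_kbps=6000), Radio("ap2/radio1", traffic_kbps=4000)]
    group = LoadBalanceGroup(vaps, mode="traffic", gap=25, associate_threshold=10)
    busiest = group.admit("sta-c", vaps[0])[0]   # 60% vs lightest 20%: rejected
    lightest = group.admit("sta-c", vaps[3])[0]  # 20% vs lightest other 25%: admitted
    return busiest, lightest


if __name__ == "__main__":
    print(demo_session_static())
    print(demo_traffic_dynamic())
```

The reason strings make the decision auditable per request, which is what you want when a site reports STAs "unable to join" and the cause is a correctly working gap rather than a radio fault.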

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 00e0-fc76-e360 sn 210235419610CB002287
region-id 10
ap id 2 type-id 19 mac 00e0-fc04-b500 sn 210235555310CC000094
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@
encryption-method ccmp
sta-load-balance enable
sta-load-balance mode traffic
sta-load-balance traffic gap 25
sta-load-balance associate-threshold 10
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
channel 20MHz 11
service-set id 1 wlan 1
ap 1 radio 1
radio-profile id 1
channel 40MHz-plus 157
service-set id 1 wlan 1

ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 1
ap 2 radio 1
radio-profile id 1
channel 40MHz-plus 149
service-set id 1 wlan 1
#
return

3.11.8 Configuring WLAN Roaming

3.11.8.1 Example for Configuring Non-Fast Roaming Between APs in the Same Service VLAN

Roaming Between APs in the Same Service VLAN Overview


WLAN roaming allows a STA to move from the coverage area of an AP to that of
another AP with nonstop service transmission. Roaming between APs in the same
service VLAN allows a STA to move between two APs that connect to the same AC
without service interruption.

Roaming between APs in the same service VLAN is classified into fast roaming and
non-fast roaming. Non-fast roaming technology is used when a STA uses a
non-WPA2-802.1X security policy. If a STA uses WPA2-802.1X but does not support
fast roaming, the STA still needs to complete 802.1X authentication before
roaming between two APs. When the user uses the WPA2-802.1X security policy and
supports fast roaming, the user does not need to perform 802.1X authentication
again during roaming and only needs to perform key negotiation. Fast roaming
reduces roaming delay and improves service experience.

Configuration Notes
● The APs on which WLAN roaming is implemented must use the same SSID
and security profiles, and the security profiles must have the same
configurations.
● In direct forwarding mode, if the ARP entry of a user is not aged out in time
on the access device connected to the AP after the user roams, services of the
user will be temporarily interrupted. You are advised to enable STA address
learning on the AC. After the function is enabled, the AP will send a
gratuitous ARP packet to the access device so that the access device can
update ARP entries in a timely manner. This ensures nonstop service
transmission during user roaming.
You can use either of the following methods to enable STA address learning
according to the version of your product:
– Versions earlier than V200R007C20 and V200R008: run the learn client
ip-address enable command in the service set view.
– V200R007C20: run the undo learn-client-address disable command in
the VAP profile view.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● The following table lists applicable products and versions.

Table 3-63 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R005C00 | S7700, S9700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00 | S5720-HI, S7700, S9700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00 | S5720-HI, S7700, S9700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN
V200R008C00 | S5720-HI, S7700, S9700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN; V200R005C30: AP2030DN, AP4030DN, AP4130DN

NOTE

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.

Networking Requirements
As shown in Figure 3-149, a department on a campus network deploys two APs
that are managed and controlled by an AC, which dynamically assigns IP
addresses to the APs and STAs. All users in the department belong to the same
VLAN, that is, AP1 and AP2 use the same service VLAN. The default security policy
(WEP open system authentication) is used. User data is forwarded through
tunnels.
The department requires services to be uninterrupted when a STA moves from AP1
to AP2.


Figure 3-149 Networking diagram for configuring non-fast roaming between APs
in the same service VLAN

Data Planning

Table 3-64 Data planning

Item | Data | Description
IP address of the AC's source interface | 192.168.10.1/24 | None
WMM profile | Name: wmm | None
Radio profile | Name: radio | None
Security profile | Name: security; security and authentication policy: WPA2+PSK; authentication key: Example@123; encryption mode: CCMP | None
Traffic profile | Name: traffic | None
Service set | Name: test; SSID: test; WLAN virtual interface: WLAN-ESS 1; data forwarding mode: tunnel forwarding | None
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs. | None
AP gateway and IP address pool range | VLANIF 100: 192.168.10.1/24; 192.168.10.2 to 192.168.10.254/24 | None
STA gateway and IP address pool range | VLANIF 101: 192.168.11.1/24; 192.168.11.2 to 192.168.11.254/24 | None

Configuration Roadmap
The configuration roadmap is as follows:
1. The default security policy is used and access authentication is not required,
which shortens the roaming switchover time. Configure non-fast roaming
between APs in the same service VLAN to ensure nonstop service transmission
during roaming.
2. Configure parameters used for communication between the AC and APs to
transmit CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to APs
and STAs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.

Procedure
Step 1 Set the NAC mode on AC to unified mode (default setting). Configure SwitchA and
the AC to allow the APs and AC to transmit CAPWAP packets.
# Configure SwitchA: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to the
management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.

# Add AC uplink interface GE1/0/3 to VLAN 101 (service VLAN).


[AC] vlan batch 101
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/3] quit

Step 3 Configure the AC as a DHCP server to assign IP addresses to STAs and the AP.

# Configure the AC as the DHCP server to assign an IP address to the AP from the
IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP
address pool on VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure AC system parameters.

# Configure the country code.


[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100


Step 5 Manage APs on the AC.


# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default
setting). Add the APs offline based on the AP type ID. Assume that the type of AP1
and AP2 is AP6010DN-AGN, and their MAC addresses are 00e0-fc11-1111 and
00e0-fc12-3456, respectively.
[AC-wlan-view] ap id 1 type-id 19 mac 00e0-fc11-1111
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac 00e0-fc12-3456
[AC-wlan-ap-2] quit

# Configure an AP region and add the APs to the AP region.


[AC-wlan-view] ap-region id 10 //Create AP region 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10 //Add AP1 to region 10
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10 //Add AP2 to region 10
[AC-wlan-ap-2] quit

# Power on AP1 and AP2 and run the display ap all command on the AC to check
the AP state. The command output shows that the APs are in normal state.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type        AP MAC          Profile/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1      AP6010DN-AGN   00e0-fc11-1111  0/10               normal    ap-1
2      AP6010DN-AGN   00e0-fc12-3456  0/10               normal    ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2

Step 6 Configure WLAN service parameters.

# Create a WMM profile named wmm.


[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.


[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit

# Create a security profile named security.


[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2 //Configure security policy WPA2.
[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher Example@123 encryption-method ccmp //Set the authentication method to PSK and the encryption method to CCMP.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic.


[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test //Set the SSID to test.
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101 //Set the VLAN ID to 101. The default VLAN ID is 1.
[AC-wlan-service-set-test] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-service-set-test] quit

Step 7 Verify the configuration.

After the configuration is complete, the STA can connect to the WLAN with the
SSID test in the coverage area of AP1.

Assume that the STA MAC address is 00e0-fc12-3457. When the STA connects to
the WLAN with the SSID test in the coverage area of AP1, run the display station
assoc-info ap 1 command on the AC to check the STA access information.
<HUAWEI> display station assoc-info ap 1
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
00e0-fc12-3457 1 0 0 test
------------------------------------------------------------------------------
Total stations: 1


When the STA moves from the coverage of AP1 to that of AP2, run the display
station assoc-info ap 2 command on the AC to check the STA access information.
The STA is associated with AP2.
<HUAWEI> display station assoc-info ap 2
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
00e0-fc12-3457 2 0 1 test
------------------------------------------------------------------------------
Total stations: 1

Run the display station roam-track sta 00e0-fc12-3457 command on the AC to
check the STA roaming track.
<HUAWEI> display station roam-track sta 00e0-fc12-3457
------------------------------------------------------------------------------
AP ID Radio ID BSSID TIME
------------------------------------------------------------------------------
1 0 00e0-fc11-1111 2012/12/23 14:40:37
2 0 00e0-fc12-3456 2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 00e0-fc11-1111 sn 190901007618
region-id 10
ap id 2 type-id 19 mac 00e0-fc12-3456 sn 190901007619
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@ encryption-method ccmp
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 1
#
return

3.11.8.2 Example for Configuring Fast Roaming Between APs in the Same
Service VLAN

Roaming Between APs in the Same Service VLAN Overview


WLAN roaming allows a STA to move from the coverage area of an AP to that of
another AP with nonstop service transmission. Roaming between APs in the same
service VLAN allows a STA to move between two APs that connect to the same AC
without service interruption.
Roaming between APs in the same service VLAN is classified into fast roaming and
non-fast roaming. Non-fast roaming technology is used when a STA uses a
non-WPA2-802.1X security policy. If a STA uses WPA2-802.1X but does not support
fast roaming, the STA still needs to complete 802.1X authentication before
roaming between two APs. When the user uses the WPA2-802.1X security policy and
supports fast roaming, the user does not need to perform 802.1X authentication
again during roaming and only needs to perform key negotiation. Fast roaming
reduces roaming delay and improves service experience.


Configuration Notes
● The APs on which WLAN roaming is implemented must use the same SSID
and security profiles, and the security profiles must have the same
configurations.
● In direct forwarding mode, if the ARP entry of a user is not aged out in time
on the access device connected to the AP after the user roams, services of the
user will be temporarily interrupted. You are advised to enable STA address
learning on the AC. After the function is enabled, the AP will send a
gratuitous ARP packet to the access device so that the access device can
update ARP entries in a timely manner. This ensures nonstop service
transmission during user roaming.
You can use either of the following methods to enable STA address learning
according to the version of your product:
– Versions earlier than V200R007C20 and V200R008: run the learn client
ip-address enable command in the service set view.
– V200R007C20: run the undo learn-client-address disable command in
the VAP profile view.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● The following table lists applicable products and versions.


Table 3-65 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R005C00 | S7700, S9700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00 | S5720-HI, S7700, S9700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00 | S5720-HI, S7700, S9700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN
V200R008C00 | S5720-HI, S7700, S9700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN; V200R005C30: AP2030DN, AP4030DN, AP4130DN

NOTE

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.
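The first Configuration Note of both roaming examples (3.11.8.1 and this one) requires every AP involved in roaming to advertise the same SSID with identically configured security profiles. The following added example (not Huawei code) checks that mechanically against the wlan view of a saved AC configuration file in the format shown in the configuration files of 3.11.8.1. Assumptions: one leading space marks a wlan view command and two mark a sub-view command, as in the saved configuration; the profile and service-set names and the TKIP mismatch in the second sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the AC configuration file of 3.11.8.1 (one leading
# space = wlan view command, two = sub-view command); the encrypted key is a placeholder.
AC_CONFIG_OK = """\
wlan
 ap id 1 type-id 19 mac 00e0-fc11-1111
  region-id 10
 ap id 2 type-id 19 mac 00e0-fc12-3456
  region-id 10
 security-profile name security id 1
  security-policy wpa2
  wpa2 authentication-method psk pass-phrase cipher <encrypted-key>
  encryption-method ccmp
 service-set name test id 1
  forward-mode tunnel
  ssid test
  security-profile id 1
  service-vlan 101
 ap 1 radio 0
  service-set id 1 wlan 1
 ap 2 radio 0
  service-set id 1 wlan 1
#
"""

# Same SSID on AP2, but bound to a second profile that uses TKIP instead of CCMP:
# the SSID looks identical to a STA, yet the security settings differ.
AC_CONFIG_MISMATCH = AC_CONFIG_OK.replace(
    " service-set name test id 1\n",
    " security-profile name security2 id 2\n"
    "  security-policy wpa2\n"
    "  wpa2 authentication-method psk pass-phrase cipher <encrypted-key>\n"
    "  encryption-method tkip\n"
    " service-set name test2 id 2\n  ssid test\n  security-profile id 2\n"
    "  service-vlan 101\n service-set name test id 1\n",
).replace(" ap 2 radio 0\n  service-set id 1 wlan 1",
          " ap 2 radio 0\n  service-set id 2 wlan 1")

SEC_DEF = re.compile(r"^ security-profile name \S+ id (\d+)$")
SET_DEF = re.compile(r"^ service-set name \S+ id (\d+)$")
RADIO_DEF = re.compile(r"^ ap (\d+) radio \d+$")
SEC_BIND = re.compile(r"^  security-profile id (\d+)$")
SET_BIND = re.compile(r"^  service-set id (\d+) wlan \d+$")


def parse_wlan(config):
    """Return (security profiles, service sets, AP -> bound service-set ids)."""
    profiles = defaultdict(list)  # profile id -> normalised setting lines
    sets = defaultdict(dict)      # service-set id -> {"ssid", "vlan", "profile"}
    bindings = defaultdict(list)  # AP id -> [service-set id, ...]
    ctx = None
    for line in config.splitlines():
        if not line.startswith("  "):
            ctx = None  # wlan view command: open a tracked context or drop the old one
            for kind, pattern in (("profile", SEC_DEF), ("set", SET_DEF), ("ap", RADIO_DEF)):
                m = pattern.match(line)
                if m:
                    ctx = (kind, int(m.group(1)))
            continue
        if ctx is None:
            continue
        kind, ident, body = ctx[0], ctx[1], line.strip()
        if kind == "profile":
            # Encrypted key text differs per device even for one pass-phrase: mask it
            # here and compare the pass-phrase itself out of band.
            profiles[ident].append(re.sub(r"cipher \S+", "cipher <key>", body))
        elif kind == "set":
            if SEC_BIND.match(line):
                sets[ident]["profile"] = int(body.split()[-1])
            elif body.startswith("ssid "):
                sets[ident]["ssid"] = body[len("ssid "):]
            elif body.startswith("service-vlan "):
                sets[ident]["vlan"] = int(body.split()[-1])
        elif kind == "ap" and SET_BIND.match(line):
            bindings[ident].append(int(body.split()[2]))
    return profiles, sets, bindings


def roaming_issues(config):
    """Return findings that would break roaming between the APs (empty list = OK)."""
    profiles, sets, bindings = parse_wlan(config)
    groups = defaultdict(list)  # (ssid, vlan, security settings) per AP -> AP ids
    for ap, set_ids in sorted(bindings.items()):
        fingerprint = set()
        for sid in set_ids:
            s = sets.get(sid, {})
            if s.get("profile") not in profiles:
                return [f"AP{ap}: service set {sid} has no security profile bound"]
            fingerprint.add((s.get("ssid"), s.get("vlan"), tuple(profiles[s["profile"]])))
        groups[frozenset(fingerprint)].append(ap)
    if len(groups) <= 1:
        return []
    members = "; ".join(", ".join(f"AP{a}" for a in aps) for aps in groups.values())
    return [f"APs do not advertise the same SSID/VLAN/security settings: {members}"]
```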


Networking Requirements
As shown in Figure 3-150, a department on a campus network deploys two APs
that are managed and controlled by an AC, which dynamically assigns IP
addresses to the APs and STAs. All users in the department belong to the same
VLAN, that is, AP1 and AP2 use the same service VLAN. The security policy
WPA2-802.1X is used. User data is forwarded through tunnels.

The department requires services to be uninterrupted when a STA moves from AP1
to AP2.

Figure 3-150 Networking diagram for configuring fast roaming between APs in
the same service VLAN

Data Planning

Table 3-66 Data planning

Item | Data | Description
IP address of the AC's source interface | 192.168.10.1/24 | None
WMM profile | Name: wmm | None
Radio profile | Name: radio | None
Security profile | Name: security; security and authentication policy: WPA2+802.1X; authentication key: hello; encryption mode: CCMP | None
Traffic profile | Name: traffic | None
Service set | Name: test; SSID: test; WLAN virtual interface: WLAN-ESS 1; data forwarding mode: tunnel forwarding | None
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs. | None
AP gateway and IP address pool range | VLANIF 100: 192.168.10.1/24; 192.168.10.2 to 192.168.10.254/24 | None
STA gateway and IP address pool range | VLANIF 101: 192.168.11.1/24; 192.168.11.2 to 192.168.11.254/24 | None

Configuration Roadmap
The configuration roadmap is as follows:
1. The security policy WPA2-802.1X is used and access authentication is required,
which results in longer roaming switchover time. Configure fast roaming
between APs in the same service VLAN to ensure nonstop service transmission
during roaming.
2. Configure parameters used for communication between the AC and APs to
transmit CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to APs
and STAs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
5. Configure key negotiation between STAs and APs to shorten the roaming
switchover time.

Procedure
Step 1 Set the NAC mode on AC to unified mode (default setting). Configure SwitchA and
the AC to allow the APs and AC to transmit CAPWAP packets.
# Configure SwitchA: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to the
management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.


<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.


# Add the AC's uplink interface GE1/0/3 to VLAN 101 and add GE1/0/4 of the AC
connecting to the RADIUS server to VLAN 102.
[AC] vlan batch 101 102
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk pvid vlan 102
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/4] quit

Step 3 Configure the AC as a DHCP server to assign IP addresses to STAs and APs, and
configure VLANIF 102 to allow the AC to communicate with the RADIUS server.
# Configure a DHCP server to assign IP addresses to the APs from the IP address
pool on VLANIF 100 and assign IP addresses to STAs from the IP address pool on
VLANIF 101.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

# Configure VLANIF 102.


[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.0.1 24
[AC-Vlanif102] quit

Step 4 Configure an AAA domain to which a RADIUS server template is applied.


1. Configure a RADIUS server template, an AAA authentication scheme, and
domain information.
NOTE

Ensure that the AC and RADIUS server have the same shared key.
[AC] radius-server template radius_huawei //Create a RADIUS server template.
[AC-radius-radius_huawei] radius-server authentication 192.168.0.2 1812 //Specify the IP address and port number of the RADIUS authentication server.
[AC-radius-radius_huawei] radius-server shared-key cipher hello //Configure the shared key of the RADIUS server.
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei //Create an authentication scheme.
[AC-aaa-authen-radius_huawei] authentication-mode radius //Set the authentication mode to RADIUS.
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] domain huawei.com //Create a domain.
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei //Apply the authentication scheme to the domain.
[AC-aaa-domain-huawei.com] radius-server radius_huawei //Apply the RADIUS server template to the domain.
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

NOTE

After domain huawei.com is configured, the domain name is added to the
authentication user name.
2. Test whether a STA can be authenticated using RADIUS authentication. A user
name test@huawei.com and password YsHsjx_202206 have been configured
on the RADIUS server.
[AC] test-aaa test@huawei.com YsHsjx_202206 radius-template radius_huawei
Info: Account test succeed.

Step 5 Configure AC system parameters.

# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 6 Manage APs on the AC.

# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default
setting). Add the APs offline based on the AP type ID. Assume that the type of AP1
and AP2 is AP6010DN-AGN, and their MAC addresses are 00e0-fc11-1111 and
00e0-fc12-3456, respectively.
[AC-wlan-view] ap id 1 type-id 19 mac 00e0-fc11-1111
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac 00e0-fc12-3456
[AC-wlan-ap-2] quit

# Configure an AP region and add the APs to the AP region.
[AC-wlan-view] ap-region id 10 //Create AP region 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10 //Add AP1 to region 10
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10 //Add AP2 to region 10
[AC-wlan-ap-2] quit

# Power on AP1 and AP2 and run the display ap all command on the AC to check
the AP state. The command output shows that the APs are in normal state.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type  AP MAC  Profile ID/Region  AP State  AP Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 00e0-fc11-1111 0/10 normal ap-1
2 AP6010DN-AGN 00e0-fc12-3456 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2

Step 7 Configure WLAN service parameters.

# Create a WMM profile named wmm and retain the default parameter settings.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interface 1.
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] authentication dot1x //Enable 802.1X authentication.
[AC-Wlan-Ess1] dot1x authentication-method eap //Configure EAP relay authentication for 802.1X users.
[AC-Wlan-Ess1] domain name huawei.com force //Configure a forcible authentication domain.
[AC-Wlan-Ess1] permit-domain name huawei.com //Configure a permitted domain for WLAN users.
[AC-Wlan-Ess1] quit

# Create a security profile named security and configure the security policy to
WPA2-802.1X.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2
[AC-wlan-sec-prof-security] wpa2 authentication-method dot1x encryption-method ccmp //Configure WPA2 802.1X authentication and CCMP encryption.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default parameter settings.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Create a service set named test and bind the WLAN-ESS interface, security
profile, and traffic profile to the service set.
[AC-wlan-view] service-set name test id 1
[AC-wlan-service-set-test] ssid test
[AC-wlan-service-set-test] wlan-ess 1
[AC-wlan-service-set-test] security-profile name security
[AC-wlan-service-set-test] traffic-profile name traffic
[AC-wlan-service-set-test] service-vlan 101
[AC-wlan-service-set-test] forward-mode tunnel
[AC-wlan-service-set-test] quit

# Configure a VAP.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name test
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name test
[AC-wlan-radio-2/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption, continue?[Y/N]y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]y

Step 8 Verify the configuration.

After the configuration is complete, the STA can connect to the WLAN with the
SSID test in the coverage area of AP1. Use 802.1X authentication on the STA and
enter the user name and password. If the authentication succeeds, the STA can
connect to the Internet. Configure the STA according to the configured
authentication mode PEAP.
● Configuration on the Windows 7 operating system:
a. Access the Manage wireless networks page, click Add, and select
Manually create a network profile. Add SSID test. Set the
authentication mode to WPA2-Enterprise, the encryption mode to CCMP,
and the algorithm to AES. Click Next.
b. Scan SSIDs and double-click SSID test. On the Security tab page, set EAP
type to PEAP and click Settings. In the displayed dialog box, deselect
Validate server certificate and click Configure. In the displayed dialog
box, deselect Automatically use my Windows logon name and
password and click OK.

Assume that the STA MAC address is 00e0-fc12-3457. When the STA connects to
the WLAN with the SSID test in the coverage area of AP1, run the display station
assoc-info ap 1 command on the AC to check the STA access information.
<HUAWEI> display station assoc-info ap 1
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
00e0-fc12-3457 1 0 0 test
------------------------------------------------------------------------------
Total stations: 1

When the STA moves from the coverage of AP1 to that of AP2, run the display
station assoc-info ap 2 command on the AC to check the STA access information.
The STA is associated with AP2.
<HUAWEI> display station assoc-info ap 2
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
00e0-fc12-3457 2 0 1 test
------------------------------------------------------------------------------
Total stations: 1

Run the display station roam-track sta 00e0-fc12-3457 command on the AC to
check the STA roaming track.
<HUAWEI> display station roam-track sta 00e0-fc12-3457
------------------------------------------------------------------------------
AP ID Radio ID BSSID TIME
------------------------------------------------------------------------------
1 0 00e0-fc11-1111 2012/12/23 14:40:37
2 0 00e0-fc12-3456 2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius_huawei
radius-server shared-key cipher %@%@xI&d>!p~&X_GJ0~yU/z!,x,J%@%@
radius-server authentication 192.168.0.2 1812 weight 80
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk pvid vlan 102
port trunk allow-pass vlan 102
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
authentication dot1x
dot1x authentication-method eap
permit-domain name huawei.com
domain name huawei.com force
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 00e0-fc11-1111 sn 190901007618
region-id 10
ap id 2 type-id 19 mac 00e0-fc12-3456 sn 190901007619
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
service-set name test id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 1 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 1
#
return

3.11.8.3 Example for Configuring Non-Fast Roaming Between APs in Different Service VLANs

Roaming Between APs in Different Service VLANs Overview

WLAN roaming allows a STA to move from the coverage area of an AP to that of
another AP with nonstop service transmission. In roaming between APs in
different service VLANs, APs before and after STA roaming belong to different
service VLANs. To prevent services of a user from being interrupted during WLAN
roaming, ensure that the service VLAN of the user remains unchanged after the
user roams between two APs.
Roaming between APs in the same service VLAN is classified into fast roaming and
non-fast roaming. Non-fast roaming technology is used when a STA uses a non-
WPA2-802.1X security policy. If a STA uses WPA2-802.1X but does not support fast
roaming, the STA still needs to complete 802.1X authentication before roaming
between two APs. When the user uses the WPA2-802.1X security policy and
supports fast roaming, the user does not need to perform 802.1X authentication
again during roaming and only needs to perform key negotiation. In this case, fast
roaming reduces the roaming delay and improves the WLAN service experience.

Configuration Notes
● The APs on which WLAN roaming is implemented must use the same SSID
and security profiles, and the security profiles must have the same
configurations.
● In direct forwarding mode, if the ARP entry of a user is not aged out in time
on the access device connected to the AP after the user roams, services of the
user will be temporarily interrupted. You are advised to enable STA address
learning on the AC. After the function is enabled, the AP will send a
gratuitous ARP packet to the access device so that the access device can
update ARP entries in a timely manner. This ensures nonstop service
transmission during user roaming.
You can use either of the following methods to enable STA address learning
according to the version of your product:
– Versions earlier than V200R007C20 and V200R008: run the learn client
ip-address enable command in the service set view.
– V200R007C20: run the undo learn-client-address disable command in
the VAP profile view.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● The following table lists applicable products and versions.

Table 3-67 Applicable products and versions

Software Version: V200R005C00
Product Model: S7700, S9700
AP Model and Version: V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN,
AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN,
AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN

Software Version: V200R006C00
Product Model: S5720-HI, S7700, S9700
AP Model and Version: V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN,
AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN,
AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN

Software Version: V200R007C00
Product Model: S5720-HI, S7700, S9700
AP Model and Version: V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN,
AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN,
AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN;
V200R005C20: AP7030DE, AP9330DN

Software Version: V200R008C00
Product Model: S5720-HI, S7700, S9700
AP Model and Version: V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN,
AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN,
AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN;
V200R005C20: AP7030DE, AP9330DN;
V200R005C30: AP2030DN, AP4030DN, AP4130DN

NOTE

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.

Networking Requirements
As shown in Figure 3-151, two APs are deployed in a campus network to provide
WLAN services for employees of two departments, and are managed and
controlled by an AC. The AC dynamically assigns IP addresses to the APs and STAs.
The employees of the two departments belong to different VLANs, that is, AP1
belongs to VLAN101 and AP2 belongs to VLAN102. The default security policy
(WEP open system authentication) is used. User data is forwarded through
tunnels.
The departments require that services not be interrupted when a STA moves
from AP1 to AP2.

Figure 3-151 Networking diagram for configuring non-fast roaming between APs
in different service VLANs

Data Planning

Table 3-68 Data planning (the Description column is "None" for every item)

Item: IP address of the AC's source interface
Data: 192.168.10.1/24

Item: WMM profile
Data: Name: wmm

Item: Radio profile
Data: Name: radio

Item: Security profile
Data:
● Name: security
● Security and authentication policy: WPA2+PSK
● Authentication key: Example@123
● Encryption mode: CCMP

Item: Traffic profile
Data: Name: traffic

Item: Service set
Data (first service set):
● Name: huawei-1
● SSID: test
● WLAN virtual interface: WLAN-ESS 0
● Data forwarding mode: tunnel forwarding
Data (second service set):
● Name: huawei-2
● SSID: test
● WLAN virtual interface: WLAN-ESS 1
● Data forwarding mode: tunnel forwarding

Item: DHCP server
Data: The AC functions as a DHCP server to assign IP addresses to APs and STAs.

Item: AP gateway and IP address pool range
Data: VLANIF 100: gateway 192.168.10.1/24, pool 192.168.10.2 to 192.168.10.254/24

Item: STA gateway and IP address pool range
Data:
VLANIF 101: gateway 192.168.11.1/24, pool 192.168.11.2 to 192.168.11.254/24
VLANIF 102: gateway 192.168.12.1/24, pool 192.168.12.2 to 192.168.12.254/24

Configuration Roadmap
The configuration roadmap is as follows:
1. The default security policy is used and access authentication is not required,
which shortens the roaming switchover time. Configure non-fast roaming
between APs in different service VLANs to ensure nonstop service
transmission during roaming.
2. Configure parameters used for communication between the AC and APs to
transmit CAPWAP packets.
3. Configure the AC to function as a DHCP server to assign IP addresses to APs
and STAs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.

Procedure
Step 1 Set the NAC mode on AC to unified mode (default setting). Configure SwitchA and
the AC to allow the APs and AC to transmit CAPWAP packets.

# Configure SwitchA: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to the
management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Connect the AC to the upper-level network device.

# Add the AC's uplink interface GE1/0/3 to VLAN101 and VLAN102.
[AC] vlan batch 101 102
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 101 102
[AC-GigabitEthernet1/0/3] quit

Step 3 Configure the AC to function as a DHCP server to assign IP addresses to the STAs
and APs.
# Configure the DHCP server based on the interface address pool. VLANIF 100
provides IP addresses for AP1 and AP2, VLANIF 101 provides IP addresses for STAs
connected to AP1, and VLANIF 102 provides IP addresses for STAs connected to
AP2.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.12.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit

Step 4 Configure AC system parameters.

# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 5 Manage APs on the AC.

# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default
setting). Add the APs offline based on the AP type ID. Assume that the type of AP1
and AP2 is AP6010DN-AGN, and their MAC addresses are 00e0-fc11-1111 and
00e0-fc12-3456, respectively.
[AC-wlan-view] ap id 1 type-id 19 mac 00e0-fc11-1111
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac 00e0-fc12-3456
[AC-wlan-ap-2] quit

# Configure an AP region and add the APs to the AP region.
[AC-wlan-view] ap-region id 10 //Create AP region 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10 //Add AP1 to region 10
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10 //Add AP2 to region 10
[AC-wlan-ap-2] quit

# Power on AP1 and AP2 and run the display ap all command on the AC to check
the AP state. The command output shows that the APs are in normal state.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type  AP MAC  Profile ID/Region  AP State  AP Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 00e0-fc11-1111 0/10 normal ap-1
2 AP6010DN-AGN 00e0-fc12-3456 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2

Step 6 Configure WLAN service parameters.

# Create a WMM profile named wmm and retain the default parameter settings.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create WLAN-ESS interfaces 0 and 1. To implement roaming between APs in
different service VLANs, allow both service VLANs (VLAN101 and VLAN102) on
each WLAN-ESS interface.
[AC] interface wlan-ess 0
[AC-Wlan-Ess0] port trunk allow-pass vlan 101 102
[AC-Wlan-Ess0] quit
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101 102
[AC-Wlan-Ess1] quit

# Create a security profile named security.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2 //Configure security policy WPA2.
[AC-wlan-sec-prof-security] wpa2 authentication-method psk pass-phrase cipher Example@123 encryption-method ccmp //Set the authentication method to PSK and the encryption method to CCMP.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default parameter settings.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Configure service sets for AP1 and AP2, and set the data forwarding mode to
tunnel forwarding.
[AC-wlan-view] service-set name huawei-1
[AC-wlan-service-set-huawei-1] ssid test
[AC-wlan-service-set-huawei-1] wlan-ess 0
[AC-wlan-service-set-huawei-1] service-vlan 101
[AC-wlan-service-set-huawei-1] security-profile name security
[AC-wlan-service-set-huawei-1] traffic-profile name traffic
[AC-wlan-service-set-huawei-1] forward-mode tunnel
[AC-wlan-service-set-huawei-1] quit
[AC-wlan-view] service-set name huawei-2
[AC-wlan-service-set-huawei-2] ssid test
[AC-wlan-service-set-huawei-2] wlan-ess 1
[AC-wlan-service-set-huawei-2] service-vlan 102
[AC-wlan-service-set-huawei-2] security-profile name security
[AC-wlan-service-set-huawei-2] traffic-profile name traffic
[AC-wlan-service-set-huawei-2] forward-mode tunnel
[AC-wlan-service-set-huawei-2] quit

# Configure a VAP.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name huawei-1
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name huawei-2
[AC-wlan-radio-2/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption, continue?[Y/N]y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]y

Step 7 Verify the configuration.

After the configuration is complete, the STA can connect to the WLAN with the
SSID test in the coverage area of AP1.

Assume that the STA MAC address is 00e0-fc12-3457. When the STA connects to
the WLAN with the SSID test in the coverage area of AP1, run the display station
assoc-info ap 1 command on the AC to check the STA access information.
<HUAWEI> display station assoc-info ap 1
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
00e0-fc12-3457 1 0 0 test
------------------------------------------------------------------------------
Total stations: 1

When the STA moves from the coverage of AP1 to that of AP2, run the display
station assoc-info ap 2 command on the AC to check the STA access information.
The STA is associated with AP2.
<HUAWEI> display station assoc-info ap 2
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
00e0-fc12-3457 2 0 1 test
------------------------------------------------------------------------------
Total stations: 1

Run the display station roam-track sta 00e0-fc12-3457 command on the AC to
check the STA roaming track.
<HUAWEI> display station roam-track sta 00e0-fc12-3457
------------------------------------------------------------------------------
AP ID Radio ID BSSID TIME
------------------------------------------------------------------------------
1 0 00e0-fc11-1111 2012/12/23 14:40:37
2 0 00e0-fc12-3456 2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1
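The roam-track check above (and the identical check in Step 8 of the preceding fast-roaming example) can be automated. The following Python script is an added example and is not part of this guide: it parses a constructed copy of the display station roam-track output shown on this page, compares the recorded path with the expected AP1 to AP2 move, and confirms each hop's BSSID belongs to a managed AP; the MANAGED_APS mapping and the max_gap_s alert threshold are assumptions of the example, not AC settings.

```python
"""Parse the AC's 'display station roam-track' output and verify the roaming
event it records. Added example, not from the configuration guide."""
import re
from datetime import datetime

# Constructed 'display station roam-track' output (same layout as on the page).
ROAM_TRACK = """\
<HUAWEI> display station roam-track sta 00e0-fc12-3457
------------------------------------------------------------------------------
AP ID   Radio ID   BSSID            TIME
------------------------------------------------------------------------------
1       0          00e0-fc11-1111   2012/12/23 14:40:37
2       0          00e0-fc12-3456   2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1
"""

# AP ID -> AP MAC, as added with 'ap id ... mac ...' on the page (assumed
# inventory of managed APs).
MANAGED_APS = {1: "00e0-fc11-1111", 2: "00e0-fc12-3456"}

# One data row: AP ID, radio ID, BSSID in Huawei xxxx-xxxx-xxxx form, timestamp.
ROW = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+([0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})\s+"
    r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s*$")


def parse_roam_track(text):
    """Return (hops, declared): hops are dicts in display order; declared is the
    'Number of roam track' trailer value, or None if the trailer is missing."""
    hops = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            hops.append({
                "ap": int(m.group(1)),
                "radio": int(m.group(2)),
                "bssid": m.group(3).lower(),
                "time": datetime.strptime(m.group(4), "%Y/%m/%d %H:%M:%S"),
            })
    m = re.search(r"Number of roam track:\s*(\d+)", text)
    return hops, (int(m.group(1)) if m else None)


def check_roam_track(text, expected_path, max_gap_s=5):
    """Compare the recorded track with the expected AP path (e.g. [1, 2] for
    AP1 -> AP2). Returns a list of issue strings; an empty list means the roam
    looks as expected. max_gap_s is an assumed alert threshold for this example."""
    hops, declared = parse_roam_track(text)
    issues = []
    if declared is not None and declared != len(hops) - 1:
        issues.append(f"trailer claims {declared} roam(s) but {len(hops)} hops are listed")
    if [h["ap"] for h in hops] != list(expected_path):
        issues.append(f"path {[h['ap'] for h in hops]} differs from expected {list(expected_path)}")
    for h in hops:
        # In the page's output the BSSID equals the MAC of the AP the STA joined
        # (assumption carried from that output); an unknown BSSID deserves a look.
        if MANAGED_APS.get(h["ap"]) != h["bssid"]:
            issues.append(f"hop on AP {h['ap']} reports BSSID {h['bssid']}, not a managed AP MAC")
    for a, b in zip(hops, hops[1:]):
        gap = (b["time"] - a["time"]).total_seconds()
        if gap > max_gap_s:
            issues.append(f"{gap:.0f}s between AP {a['ap']} and AP {b['ap']} exceeds {max_gap_s}s")
    return issues


def roam_delay_seconds(text):
    """Seconds between the first and last recorded association (2.0 for the page's output)."""
    hops, _ = parse_roam_track(text)
    return (hops[-1]["time"] - hops[0]["time"]).total_seconds() if len(hops) > 1 else 0.0


if __name__ == "__main__":
    print(check_roam_track(ROAM_TRACK, [1, 2]) or "roam track OK")
    print("roam delay:", roam_delay_seconds(ROAM_TRACK), "s")
```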

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.12.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
interface Wlan-Ess0
port trunk allow-pass vlan 101 to 102
#
interface Wlan-Ess1
port trunk allow-pass vlan 101 to 102
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 00e0-fc11-1111 sn 190901007618
region-id 10
ap id 2 type-id 19 mac 00e0-fc12-3456 sn 190901007619
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@}PSoXN{buC{{i+L![@/I<|C"%@%@
encryption-method ccmp
service-set name huawei-1 id 0
forward-mode tunnel
wlan-ess 0
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
service-set name huawei-2 id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 102
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 0 wlan 1
ap 2 radio 0

radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 2
#
return

3.11.8.4 Example for Configuring Fast Roaming Between APs in Different Service VLANs

Roaming Between APs in Different Service VLANs Overview


WLAN roaming allows a STA to move from the coverage area of an AP to that of
another AP with nonstop service transmission. In roaming between APs in
different service VLANs, APs before and after STA roaming belong to different
service VLANs. To prevent services of a user from being interrupted during WLAN
roaming, ensure that the service VLAN of the user remains unchanged after the
user roams between two APs.

Roaming between APs in different service VLANs is classified into fast roaming and
non-fast roaming. Non-fast roaming is used when a STA uses a security policy other
than WPA2-802.1X. If a STA uses WPA2-802.1X but does not support fast roaming, it
still needs to complete 802.1X authentication before roaming between two APs. When
the STA uses the WPA2-802.1X security policy and supports fast roaming, it does not
need to perform 802.1X authentication again during roaming and only needs to
perform key negotiation. In this case, fast roaming reduces the roaming delay and
improves the WLAN service experience.

Configuration Notes
● The APs on which WLAN roaming is implemented must use the same SSID
and security profiles, and the security profiles must have the same
configurations.
● In direct forwarding mode, if the ARP entry of a user is not aged out in time
on the access device connected to the AP after the user roams, services of the
user will be temporarily interrupted. You are advised to enable STA address
learning on the AC. After the function is enabled, the AP will send a
gratuitous ARP packet to the access device so that the access device can
update ARP entries in a timely manner. This ensures nonstop service
transmission during user roaming.
You can use either of the following methods to enable STA address learning
according to the version of your product:
– Versions earlier than V200R007C20 and V200R008: run the learn client
ip-address enable command in the service set view.
– V200R007C20: run the undo learn-client-address disable command in
the VAP profile view.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface { loopback loopback-number | vlanif vlan-id } command in the WLAN view.
– In V200R007 and V200R008, run the capwap source interface { loopback loopback-number | vlanif vlan-id } command in the system view.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● The following table lists applicable products and versions.

Table 3-69 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R005C00 | S7700, S9700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00 | S5720-HI, S7700, S9700 | V200R005C00: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00 | S5720-HI, S7700, S9700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN
V200R008C00 | S5720-HI, S7700, S9700 | V200R005C10: AP2010DN, AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6310SN-GN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C20: AP7030DE, AP9330DN; V200R005C30: AP2030DN, AP4030DN, AP4130DN

NOTE

For S7700, you are advised to deploy S7712 or S7706 switches for WLAN services. S7703
switches are not recommended.
For S9700, you are advised to deploy S9712 or S9706 switches for WLAN services. S9703
switches are not recommended.

Networking Requirements
As shown in Figure 3-152, two APs are deployed in a campus network to provide
WLAN services for employees of two departments, and are managed and
controlled by an AC. The AC dynamically assigns IP addresses to the APs and STAs.
The employees of the two departments belong to different VLANs, that is, AP1
belongs to VLAN101 and AP2 belongs to VLAN102. The security policy
WPA2-802.1X is used. User data is forwarded through tunnels.
The department requires that services should not be interrupted when a STA
moves from AP1 to AP2.

Issue 35 (2022-10-26) Copyright © Huawei Technologies Co., Ltd. 1855


S300, S500, S2700, S3700, S5700, S6700, S7700, and
S9700 Series Switches
Typical Configuration Examples 3 Feature Typical Configuration Examples

Figure 3-152 Networking diagram for configuring fast roaming between APs in different service VLANs

Data Planning

Table 3-70 Data planning

Item | Data | Description
IP address of the AC's source interface | 192.168.10.1/24 | None
WMM profile | Name: wmm | None
Radio profile | Name: radio | None
Security profile | Name: security; Security and authentication policy: WPA2+802.1X; Authentication key: hello; Encryption mode: CCMP | None
Traffic profile | Name: traffic | None
Service set | Name: huawei-1; SSID: test; WLAN virtual interface: WLAN-ESS 0; Data forwarding mode: tunnel forwarding | None
Service set | Name: huawei-2; SSID: test; WLAN virtual interface: WLAN-ESS 1; Data forwarding mode: tunnel forwarding | None
DHCP server | The AC functions as the DHCP server to assign IP addresses to APs and STAs. | None
AP gateway and IP address pool range | VLANIF 100: 192.168.10.1/24; 192.168.10.2 to 192.168.10.254/24 | None
STA gateway and IP address pool range | VLANIF 101: 192.168.11.1/24; 192.168.11.2 to 192.168.11.254/24 | None
STA gateway and IP address pool range | VLANIF 102: 192.168.12.1/24; 192.168.12.2 to 192.168.12.254/24 | None

Configuration Roadmap
The configuration roadmap is as follows:
1. The security policy WPA2-802.1X is used and access authentication is required,
which results in a longer roaming switchover time. Configure fast roaming
between APs in different service VLANs to ensure nonstop service transmission
during roaming.
2. Configure parameters used for communication between the AC and APs to
transmit CAPWAP packets.
3. Configure the AC as a DHCP server to assign IP addresses to the STAs and
APs.
4. Configure basic WLAN services to enable the STAs to connect to the WLAN.
5. Configure key negotiation between STAs and APs to shorten the roaming
switchover time.

Procedure
Step 1 Set the NAC mode on the AC to unified mode (default setting). Configure SwitchA and
the AC to allow the APs and AC to transmit CAPWAP packets.
# Configure SwitchA: add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to the
management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] quit

Step 2 Connect the AC to the upper-level network device.
# Add the AC uplink interface GE1/0/3 to VLAN 101 and VLAN 102, and add
GE1/0/4 of the AC connecting to the RADIUS server to VLAN 103.
[AC] vlan batch 101 to 103
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 101 102
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk pvid vlan 103
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 103
[AC-GigabitEthernet1/0/4] quit

Step 3 Configure the AC to function as a DHCP server to assign IP addresses to the STAs
and APs, and configure VLANIF 103 to allow the AC to communicate with the
RADIUS server.

# Configure the DHCP server based on the interface address pool. VLANIF100
provides IP addresses for AP1 and AP2, VLANIF101 provides IP addresses for STAs
connected to AP1, and VLANIF102 provides IP addresses for STAs connected to
AP2.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.11.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.12.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit

# Configure VLANIF 103.
[AC] interface vlanif 103
[AC-Vlanif103] ip address 192.168.0.1 24
[AC-Vlanif103] quit

Step 4 Configure an AAA domain to which a RADIUS server template is applied.
1. Configure a RADIUS server template, an AAA authentication scheme, and
domain information.
NOTE

Ensure that the AC and RADIUS server have the same shared key.
[AC] radius-server template radius_huawei //Create a RADIUS server template.
[AC-radius-radius_huawei] radius-server authentication 192.168.0.2 1812 //Specify the IP address and the port number of the RADIUS authentication server.
[AC-radius-radius_huawei] radius-server shared-key cipher hello //Configure the shared key of the RADIUS server.
[AC-radius-radius_huawei] quit
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei //Create an authentication scheme.
[AC-aaa-authen-radius_huawei] authentication-mode radius //Set the authentication mode to RADIUS.
[AC-aaa-authen-radius_huawei] quit
[AC-aaa] domain huawei.com //Create a domain.
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei //Apply the authentication scheme to the domain.
[AC-aaa-domain-huawei.com] radius-server radius_huawei //Apply the RADIUS server template to the domain.
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

NOTE

After domain huawei.com is configured, the domain name is added to the authentication user name.
2. Test whether a STA can be authenticated using RADIUS authentication. A user
name test@huawei.com and password YsHsjx_202206 have been configured
on the RADIUS server.
[AC] test-aaa test@huawei.com YsHsjx_202206 radius-template radius_huawei
Info: Account test succeed.

Step 5 Configure AC system parameters.

# Configure the country code.

[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.
[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.
[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 6 Manage APs on the AC.

# Check the AP type IDs after obtaining the MAC addresses of the APs.
[AC-wlan-view] display ap-type all
All AP types information:
------------------------------------------------------------------------------
ID Type
------------------------------------------------------------------------------
17 AP6010SN-GN
19 AP6010DN-AGN
21 AP6310SN-GN
23 AP6510DN-AGN
25 AP6610DN-AGN
27 AP7110SN-GN
28 AP7110DN-AGN
29 AP5010SN-GN
30 AP5010DN-AGN
31 AP3010DN-AGN
33 AP6510DN-AGN-US
34 AP6610DN-AGN-US
35 AP5030DN
36 AP5130DN
37 AP7030DE
38 AP2010DN
39 AP8130DN
40 AP8030DN
42 AP9330DN
43 AP4030DN
44 AP4130DN
45 AP3030DN
46 AP2030DN
------------------------------------------------------------------------------
Total number: 23

# Set the AP authentication mode to MAC address authentication (default
setting). Add the APs offline based on the AP type ID. Assume that the type of AP1
and AP2 is AP6010DN-AGN, and their MAC addresses are 00e0-fc11-1111 and
00e0-fc12-3456, respectively.
[AC-wlan-view] ap id 1 type-id 19 mac 00e0-fc11-1111
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 type-id 19 mac 00e0-fc12-3456
[AC-wlan-ap-2] quit

# Configure an AP region and add the APs to the AP region.
[AC-wlan-view] ap-region id 10 //Create AP region 10
[AC-wlan-ap-region-10] quit
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 10 //Add AP1 to region 10
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 10 //Add AP2 to region 10
[AC-wlan-ap-2] quit

# Power on AP1 and AP2 and run the display ap all command on the AC to check
the AP state. The command output shows that the APs are in normal state.
[AC-wlan-view] display ap all
All AP information:
Normal[2],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP AP AP Profile AP AP
/Region
ID Type MAC ID State Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 00e0-fc11-1111 0/10 normal ap-1
2 AP6010DN-AGN 00e0-fc12-3456 0/10 normal ap-2
------------------------------------------------------------------------------
Total number: 2,printed: 2

Step 7 Configure WLAN service parameters.

# Create a WMM profile named wmm and retain the default parameter settings.
[AC-wlan-view] wmm-profile name wmm id 1
[AC-wlan-wmm-prof-wmm] quit

# Create a radio profile named radio and bind the WMM profile wmm to the
radio profile.
[AC-wlan-view] radio-profile name radio id 1
[AC-wlan-radio-prof-radio] channel-mode fixed
[AC-wlan-radio-prof-radio] wmm-profile name wmm
[AC-wlan-radio-prof-radio] quit
[AC-wlan-view] quit

# Create a WLAN-ESS interface. To implement roaming between APs in different
service VLANs, configure two service VLANs (VLAN101 and VLAN102) on each
WLAN-ESS interface.
[AC] interface wlan-ess 0
[AC-Wlan-Ess0] port trunk allow-pass vlan 101 102
[AC-Wlan-Ess0] authentication dot1x //Enable 802.1X authentication.
[AC-Wlan-Ess0] dot1x authentication-method eap //Configure EAP relay authentication for 802.1X users.
[AC-Wlan-Ess0] domain name huawei.com force //Configure a forcible authentication domain.
[AC-Wlan-Ess0] permit-domain name huawei.com //Configure a permitted domain for WLAN users.
[AC-Wlan-Ess0] quit
[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101 102
[AC-Wlan-Ess1] authentication dot1x
[AC-Wlan-Ess1] dot1x authentication-method eap
[AC-Wlan-Ess1] domain name huawei.com force
[AC-Wlan-Ess1] permit-domain name huawei.com
[AC-Wlan-Ess1] quit

# Create a security profile named security and configure the security policy to
WPA2-802.1X.
[AC] wlan
[AC-wlan-view] security-profile name security id 1
[AC-wlan-sec-prof-security] security-policy wpa2
[AC-wlan-sec-prof-security] wpa2 authentication-method dot1x encryption-method ccmp //Configure WPA2 802.1X authentication and encryption.
[AC-wlan-sec-prof-security] quit

# Create a traffic profile named traffic and retain the default parameter settings.
[AC-wlan-view] traffic-profile name traffic id 1
[AC-wlan-traffic-prof-traffic] quit

# Configure service sets for AP1 and AP2, and set the data forwarding mode to
tunnel forwarding.
[AC-wlan-view] service-set name huawei-1
[AC-wlan-service-set-huawei-1] ssid test
[AC-wlan-service-set-huawei-1] wlan-ess 0
[AC-wlan-service-set-huawei-1] service-vlan 101
[AC-wlan-service-set-huawei-1] security-profile name security
[AC-wlan-service-set-huawei-1] traffic-profile name traffic
[AC-wlan-service-set-huawei-1] forward-mode tunnel
[AC-wlan-service-set-huawei-1] quit
[AC-wlan-view] service-set name huawei-2
[AC-wlan-service-set-huawei-2] ssid test
[AC-wlan-service-set-huawei-2] wlan-ess 1
[AC-wlan-service-set-huawei-2] service-vlan 102
[AC-wlan-service-set-huawei-2] security-profile name security
[AC-wlan-service-set-huawei-2] traffic-profile name traffic
[AC-wlan-service-set-huawei-2] forward-mode tunnel
[AC-wlan-service-set-huawei-2] quit

# Configure a VAP.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name radio
[AC-wlan-radio-1/0] channel 20mhz 1
[AC-wlan-radio-1/0] service-set name huawei-1
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name radio
[AC-wlan-radio-2/0] channel 20mhz 6
[AC-wlan-radio-2/0] service-set name huawei-2
[AC-wlan-radio-2/0] quit

# Commit the configuration.
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption, continue?[Y/N]y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]y

Step 8 Verify the configuration.

After the configuration is complete, the STA can connect to the WLAN with the
SSID test in the coverage area of AP1. Use 802.1X authentication on the STA and
enter the user name and password. If the authentication succeeds, the STA can
connect to the Internet. Configure the STA according to the configured
authentication mode PEAP.
● Configuration on the Windows 7 operating system:
a. Access the Manage wireless networks page, click Add, and select
Manually create a network profile. Add SSID test. Set the
authentication mode to WPA2-Enterprise, the encryption mode to CCMP,
and the algorithm to AES. Click Next.
b. Scan SSIDs and double-click SSID test. On the Security tab page, set EAP
type to PEAP and click Settings. In the displayed dialog box, deselect
Validate server certificate and click Configure. In the displayed dialog
box, deselect Automatically use my Windows logon name and
password and click OK.
Assume that the STA MAC address is 00e0-fc12-3457. When the STA connects to
the WLAN with the SSID test in the coverage area of AP1, run the display station
assoc-info ap 1 command on the AC to check the STA access information.
<HUAWEI> display station assoc-info ap 1
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
00e0-fc12-3457 1 0 0 test
------------------------------------------------------------------------------
Total stations: 1

When the STA moves from the coverage of AP1 to that of AP2, run the display
station assoc-info ap 2 command on the AC to check the STA access information.
The STA is associated with AP2.
<HUAWEI> display station assoc-info ap 2
------------------------------------------------------------------------------
STA MAC AP ID RADIO ID SS ID SSID
------------------------------------------------------------------------------
00e0-fc12-3457 2 0 1 test
------------------------------------------------------------------------------
Total stations: 1

Run the display station roam-track sta 00e0-fc12-3457 command on the AC to check the STA roaming track.
<HUAWEI> display station roam-track sta 00e0-fc12-3457
------------------------------------------------------------------------------
AP ID Radio ID BSSID TIME
------------------------------------------------------------------------------
1 0 00e0-fc11-1111 2012/12/23 14:40:37
2 0 00e0-fc12-3456 2012/12/23 14:40:39
------------------------------------------------------------------------------
Number of roam track: 1

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100
#
return

● Configuration file of the AC
#
sysname AC
#
vlan batch 100 to 103
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
radius-server template radius_huawei
radius-server shared-key cipher %@%@xI&d>!p~&X_GJ0~yU/z!,x,J%@%@
radius-server authentication 192.168.0.2 1812 weight 80
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.11.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.12.1 255.255.255.0
dhcp select interface
#
interface Vlanif103
ip address 192.168.0.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
interface GigabitEthernet1/0/4
port link-type trunk
port trunk allow-pass vlan 103
#
interface Wlan-Ess0
port trunk allow-pass vlan 101 to 102
authentication dot1x
dot1x authentication-method eap
permit-domain name huawei.com
domain name huawei.com force
#
interface Wlan-Ess1
port trunk allow-pass vlan 101 to 102
authentication dot1x
dot1x authentication-method eap
permit-domain name huawei.com
domain name huawei.com force
#
wlan
wlan ac source interface vlanif100
ap-region id 10
ap id 1 type-id 19 mac 00e0-fc11-1111 sn 190901007618
region-id 10
ap id 2 type-id 19 mac 00e0-fc12-3456 sn 190901007619
region-id 10
wmm-profile name wmm id 1
traffic-profile name traffic id 1
security-profile name security id 1
security-policy wpa2
service-set name huawei-1 id 0
forward-mode tunnel
wlan-ess 0
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 101
service-set name huawei-2 id 1
forward-mode tunnel
wlan-ess 1
ssid test
traffic-profile id 1
security-profile id 1
service-vlan 102
radio-profile name radio id 1
channel-mode fixed
wmm-profile id 1
ap 1 radio 0
radio-profile id 1
service-set id 0 wlan 1
ap 2 radio 0
radio-profile id 1
channel 20MHz 6
service-set id 1 wlan 2
#
return
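The Configuration Notes require the two roaming APs to use the same SSID and identical security profile settings, and Step 7 gives every WLAN-ESS interface both service VLANs. The script below is an added example, not Huawei code: it parses an AC configuration file in the form printed above (a constructed, trimmed copy of this section's file is embedded) and reports any service set bound to an AP radio that would break those prerequisites; the field names and the exact checks are this author's assumptions.

```python
"""Audit a Huawei AC configuration (V200R005 to V200R008 command style, as in the file
above) for the fast-roaming prerequisites in the Configuration Notes.  Added example, not
Huawei code; the checks are this author's reading of the notes, see audit() below."""
import re

# Constructed sample: this section's AC configuration file, trimmed to the blocks the audit
# reads, plus the wpa2 authentication-method line of Step 7.  No indentation, as printed.
SAMPLE_CONFIG = """\
interface Wlan-Ess0
port trunk allow-pass vlan 101 to 102
authentication dot1x
#
interface Wlan-Ess1
port trunk allow-pass vlan 101 to 102
authentication dot1x
#
security-profile name security id 1
security-policy wpa2
wpa2 authentication-method dot1x encryption-method ccmp
service-set name huawei-1 id 0
wlan-ess 0
ssid test
security-profile id 1
service-vlan 101
service-set name huawei-2 id 1
wlan-ess 1
ssid test
security-profile id 1
service-vlan 102
ap 1 radio 0
service-set id 0 wlan 1
ap 2 radio 0
service-set id 1 wlan 2
"""
# WLAN-view objects the audit does not read; such a header ends the current object.
OTHER_OBJECTS = ("traffic-profile name", "wmm-profile name", "radio-profile name", "ap ", "ap-region")
SET_FIELDS = ("ssid", "wlan-ess", "service-vlan", "security-profile")

def parse_vlan_list(spec):
    """'101 to 102 200' -> {101, 102, 200}; '101 102' -> {101, 102}."""
    toks, vlans = spec.split(), set()
    for i, t in enumerate(toks):
        if t == "to":
            vlans.update(range(int(toks[i - 1]), int(toks[i + 1]) + 1))
        elif t.isdigit():
            vlans.add(int(t))
    return vlans

def parse_config(text):
    """Return (wlan_ess, service_sets, security_profiles) from an unindented dump."""
    ess, sets, secs, ctx = {}, {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"interface Wlan-Ess(\d+)$", line, re.I):
            ctx, ess[int(m[1])] = ("ess", int(m[1])), {"vlans": set(), "dot1x": False}
        elif m := re.match(r"service-set name (\S+) id (\d+)$", line):
            ctx, sets[int(m[2])] = ("set", int(m[2])), {"name": m[1], "aps": []}
        elif m := re.match(r"security-profile name \S+ id (\d+)$", line):
            ctx, secs[int(m[1])] = ("sec", int(m[1])), set()
        elif m := re.match(r"ap (\d+) radio \d+$", line):
            ctx = ("radio", int(m[1]))
        elif line in ("", "#", "return") or line.startswith(OTHER_OBJECTS) or ctx is None:
            ctx = None                                     # left the current object
        elif ctx[0] == "radio" and (m := re.match(r"service-set id (\d+) wlan", line)):
            sets[int(m[1])]["aps"].append(ctx[1])          # service set bound on this AP
        elif ctx[0] == "ess" and line.startswith("port trunk allow-pass vlan "):
            ess[ctx[1]]["vlans"] |= parse_vlan_list(line[27:])
        elif ctx[0] == "ess" and line == "authentication dot1x":
            ess[ctx[1]]["dot1x"] = True
        elif ctx[0] == "set" and line.split()[0] in SET_FIELDS:
            v = line.split()[-1]                           # 'security-profile id 1' -> '1'
            sets[ctx[1]][line.split()[0]] = int(v) if v.isdigit() else v
        elif ctx[0] == "sec":
            secs[ctx[1]].add(line)
    return ess, sets, secs

def audit(text):
    """Return findings; empty means the fast-roaming prerequisites hold."""
    ess, sets, secs = parse_config(text)
    findings, groups = [], {}
    for s in sets.values():
        if s["aps"]:                                       # only sets bound to an AP radio
            groups.setdefault(s.get("ssid"), []).append(s)
    for ssid, group in groups.items():
        vlans = {s.get("service-vlan") for s in group}
        profiles = {frozenset(secs.get(s.get("security-profile"), ())) for s in group}
        if len(profiles) != 1:
            findings.append(f"SSID {ssid}: security profile settings differ between APs")
        need_dot1x = any("authentication-method dot1x" in l for p in profiles for l in p)
        for s in group:
            ess_no = s.get("wlan-ess")
            e = ess.get(ess_no, {"vlans": set(), "dot1x": False})   # absent = allows nothing
            if missing := vlans - e["vlans"]:
                findings.append(f"{s['name']}: WLAN-ESS {ess_no} does not allow VLAN(s) {sorted(missing)}")
            if need_dot1x and not e["dot1x"]:
                findings.append(f"{s['name']}: WLAN-ESS {ess_no} lacks 'authentication dot1x'")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "OK: fast-roaming prerequisites satisfied")
```

Feed it the output of display current-configuration saved from the AC; a non-empty list names the service set and WLAN-ESS interface that would make a STA lose its VLAN or re-authenticate when it roams.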

3.11.9 Example for Configuring the WLAN Service Using WDS Technology
WDS Overview
A wireless distribution system (WDS) connects two or more wired or wireless LANs
using wireless links to establish a large network.

On a traditional WLAN network, APs connect to an AC through wired uplinks.
However, wired connections are difficult or costly to implement in areas where
network cables are difficult to deploy, such as tunnels and docks. WDS technology
connects APs to an AP using wireless links to facilitate WLAN deployment in
complex geographical environments, reduce network deployment cost, allow
flexible networking, and make the network easy to expand.

APs on a WDS network work in any of the following modes:
● Root: A root AP connects to an AC using a wired link and connects to a
middle or leaf AP using a wireless uplink.
● Middle: A middle AP is an intermediate node using wireless links to connect
an upstream root AP and a downstream leaf AP.
● Leaf: A leaf AP connects to a root or middle AP using an uplink wireless link.

Both WDS and mesh technologies can implement wireless bridging between APs.
A WDS network supports a maximum of three hops (for example, a WDS link can
be established along a root node, a middle node, and a leaf node), has a tree
topology, and does not support link redundancy between nodes. On the other
hand, a mesh network supports a maximum of eight hops, has a mesh topology,
and supports link redundancy between nodes. These factors make a mesh network
more reliable than a WDS network. You can choose the WDS or mesh technology
to deploy wireless bridging between APs according to your networking needs.

Configuration Notes
● The AP2030DN, AP7030DE, AP9330DN, AP6310SN-GN and AP2010DN do not
support the WDS function.

● On a WDS or mesh network, an 802.11ac AP cannot interoperate with
non-802.11ac APs regardless of their radio types. Only 802.11ac APs can
interoperate with each other.
NOTE

Among all WDS- and mesh-capable APs, only the AP4050DN, AP4051DN, AP4151DN,
AP8050DN, AP8150DN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP8130DN-W,
AP4030DN, AP4130DN, AP9131DN, AP9132DN, AP6050DN, AP6150DN, AP7050DE,
AP7050DN-E, AP4030TN, AP4050DN-E, and AP4050DN-HD are 802.11ac APs.
● If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency
band and used for WDS or mesh services, the software version of the AP
connected to the AP8130DN must be V200R005C10 or later.
● When planning a WDS network, pay attention to the following:
– The back-to-back WDS networking involves two WDS networks. A single
WDS network cannot form a back-to-back WDS network.
– Only one root node exists on the WDS network.
– A middle node sets up WDS links only with the leaf node and root node.
Middle nodes do not set up WDS links between each other.
– Three hops are recommended for each WDS link (a 3-hop WDS link
includes a root node, a middle node, and a leaf node).
– Each node on the WDS link supports a maximum of six subnodes.
NOTE

APs supporting WDS can be interconnected. APs with 802.11ac and 802.11n chips are
not subject to interoperation constraints.
● You cannot use WDS and mesh technologies on the same network.
● If WDS and Mesh services are configured on an AP radio, WIDS, spectrum
analysis, or WLAN location on the radio does not take effect.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● The following table lists applicable products and versions.

Issue 35 (2022-10-26) Copyright © Huawei Technologies Co., Ltd. 1866


S300, S500, S2700, S3700, S5700, S6700, S7700, and
S9700 Series Switches
Typical Configuration Examples 3 Feature Typical Configuration Examples

Table 3-71 Applicable products and versions

Software Version | Product Model | AP Model and Version
V200R005C00 | S7700, S9700 | V200R005C00: AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R006C00 | S5720-HI, S7700, S9700 | V200R005C00: AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN
V200R007C00 | S5720-HI, S7700, S9700 | V200R005C10: AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN
V200R008C00 | S5720-HI, S7700, S9700 | V200R005C10: AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C30: AP4030DN, AP4130DN

Networking Requirements
An enterprise has three office locations: Area A, Area B, and Area C. AP1 in Area A
can connect to SwitchA through cables, but AP2 in Area B and AP3 in Area C
cannot. The enterprise needs to provide Internet access for WLAN users in the
three areas and wired users in Area C, as shown in Figure 3-153.

Figure 3-153 WLAN WDS networking

Data Planning
Before configuring the WDS service, determine the types and MAC addresses of
the APs used as WDS bridges. The following table provides the data plan for this
example.

NOTE

The APs used in this example are AP6010DN-AGN.

Table 3-72 AP data required for completing the configuration

AP Type MAC

AP1 AP6010DN-AGN 00e0-fc59-1ee0

AP2 AP6010DN-AGN 00e0-fc59-1d20

AP3 AP6010DN-AGN 00e0-fc59-1d40

The following table provides the data plan for the WDS service configuration.

Table 3-73 Service data required for completing the configuration

Item: VLAN
Data: Management VLAN: 100
Description: None

Item: VLAN
Data: Service VLANs: 101, 102, 103, 104, 105, 106
● Area A: VLAN 101 for WLAN services
● Area B: VLAN 102 for WLAN services
● Area C: VLAN 103 for WLAN services
● Area C: VLANs 104, 105, and 106 on AP3 wired interfaces
Description: The WDS bridges must allow packets of the service VLANs to which Area A, Area B, and Area C belong to pass through.

Item: Service forwarding mode on APs
Data: Direct forwarding mode
Description: None

Item: IP address of the AC's source interface
Data: VLANIF 100: 192.168.10.1/24
Description: None

Item: AP region
Data: AP1: 101, AP2: 102, AP3: 103
Description: None

Item: WMM profile
Data: Name: wp01
Description: None

Item: Radio profile
Data: Name: rp01 and rp02
Description: Use radio profile rp02 for the WDS service and radio profile rp01 for the basic WLAN service.

Item: Security profile
Data:
● Name: sp01
● Security and authentication policy: WPA2+PSK
● Authentication key: Example@123
● Encryption mode: CCMP
Description: WDS bridges support only the security policy using WPA2+PSK authentication and CCMP encryption. In this example, the security profile sp01 is also used for the basic WLAN service. Select an appropriate security policy for the WLAN service in real-world applications.

Item: Traffic profile
Data: Name: tp01
Description: None

Item: Bridge profile
Data:
● Name: bp01
● Bridge identifier: ChinaNet01
Description: All APs on a WDS network must have the same bridge ID.

Item: Service set
Data:
● Name: ss01
● SSID: ChinaSer01
● WLAN virtual interface: WLAN-ESS 1
● Service data forwarding mode: direct forwarding
Description: None

Item: Service set
Data:
● Name: ss02
● SSID: ChinaSer02
● WLAN virtual interface: WLAN-ESS 2
● Service data forwarding mode: direct forwarding
Description: None

Item: Service set
Data:
● Name: ss03
● SSID: ChinaSer03
● WLAN virtual interface: WLAN-ESS 3
● Service data forwarding mode: direct forwarding
Description: None

Item: Bridge whitelist
Data: Name: bw01 and bw02
Description: A WDS whitelist profile contains the MAC addresses of neighboring APs allowed to set up WDS links with an AP. After a WDS whitelist profile is applied to an AP radio, only APs with MAC addresses in the whitelist can access the AP, and other APs are denied. In the WDS, only APs with radios working in root mode and middle mode can have a whitelist configured. APs in leaf mode require no whitelist.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AC and SwitchA to implement Layer 2 connectivity between the
AC, SwitchA, and AP1.
2. Configure the WDS function to allow AP2 and AP3 to connect to the AC using
wireless links.

3. Configure the basic WLAN service to provide Internet access service for WLAN
users in Area A, Area B, and Area C.

Procedure
Step 1 Connect AC and AP1.

# Configure the access switch SwitchA. Add GE0/0/1 on SwitchA to VLAN 100
(management VLAN), and set the PVID of GE0/0/1 to VLAN 100. Configure
GE0/0/1 and GE0/0/2 to allow packets from VLANs 100 to 106 to pass through.

NOTE

Configure port isolation on GE0/0/1 that connects SwitchA and AP. Otherwise, unnecessary
packets are broadcast in the VLAN or WLAN users of different APs can communicate with each
other at Layer 2.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 to 106
[SwitchA] interface gigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 106
[SwitchA-GigabitEthernet0/0/1] port-isolate enable //If the port isolation group is not specified, the interface is added to port isolation group 1 by default.
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitEthernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 106
[SwitchA-GigabitEthernet0/0/2] quit

# Set the NAC mode to unified mode on the AC (default setting). Configure
GE1/0/0 to allow packets from VLANs 100 to 106 to pass through.
[HUAWEI] sysname AC
[AC] vlan batch 100 to 106
[AC] interface gigabitEthernet 1/0/0
[AC-GigabitEthernet1/0/0] port link-type trunk
[AC-GigabitEthernet1/0/0] port trunk allow-pass vlan 100 to 106
[AC-GigabitEthernet1/0/0] quit

Step 2 Configure the AC to allocate IP addresses for APs and STAs.

# Configure the AC as a DHCP server to allocate IP addresses to APs and STAs using an address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 192.168.1.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.2.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
[AC] interface vlanif 103
[AC-Vlanif103] ip address 192.168.3.1 24
[AC-Vlanif103] dhcp select interface
[AC-Vlanif103] quit

Step 3 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use
the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 4 Configure the AC to manage APs.


[AC-wlan-view] ap id 1 ap-type AP6010DN-AGN mac 00e0-fc59-1ee0
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 ap-type AP6010DN-AGN mac 00e0-fc59-1d20
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3 ap-type AP6010DN-AGN mac 00e0-fc59-1d40
[AC-wlan-ap-3] quit

# Create AP regions 101, 102, and 103. An AC has a default AP region with the ID
0. AP regions 101, 102, and 103 are used as an example here.
[AC-wlan-view] ap-region id 101
[AC-wlan-ap-region-101] quit
[AC-wlan-view] ap-region id 102
[AC-wlan-ap-region-102] quit
[AC-wlan-view] ap-region id 103
[AC-wlan-ap-region-103] quit

# Add AP1 to AP region 101, AP2 to AP region 102, and AP3 to AP region 103. By
default, an AP is added to region 0. This example adds the three APs to regions
101, 102, and 103 respectively.
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 101
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 102
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] region-id 103
[AC-wlan-ap-3] quit

Step 5 Set WDS bridge parameters.


# Create a WMM profile named wp01 and retain the default settings in the
profile.
[AC-wlan-view] wmm-profile name wp01
[AC-wlan-wmm-prof-wp01] quit

# Create a radio profile rp02 for the WDS bridges, set the channel mode to fixed
and retain the default settings for other parameters, and bind the WMM profile
wp01 to the radio profile. The default channel mode is auto, but the fixed mode
must be used in this example.
[AC-wlan-view] radio-profile name rp02 id 1
[AC-wlan-radio-prof-rp02] wmm-profile name wp01
[AC-wlan-radio-prof-rp02] channel-mode fixed // The APs along the WDS link must use the same channel, so the fixed mode must be used.
[AC-wlan-radio-prof-rp02] quit

# Create the bridge whitelists bw01 and bw02. By default, no bridge whitelist is
created. This example uses whitelist bw01 for the root node and whitelist bw02
for the middle node to control the connection between neighboring APs.
[AC-wlan-view] bridge-whitelist name bw01
[AC-wlan-br-whitelist-bw01] peer ap mac 00e0-fc59-1d20 // The middle AP needs to connect to the root AP, so AP2's MAC address is added to bw01.
[AC-wlan-br-whitelist-bw01] quit
[AC-wlan-view] bridge-whitelist name bw02
[AC-wlan-br-whitelist-bw02] peer ap mac 00e0-fc59-1d40 // The leaf AP needs to connect to the middle AP, so AP3's MAC address is added to bw02.
[AC-wlan-br-whitelist-bw02] quit

# Bind the radio profile rp02 to radio 1 of AP1, set the bridge mode of radio 1 to
root, and bind the bridge whitelist bw01 to radio 1. By default, no bridge whitelist
is bound to a radio. This example binds bridge whitelist bw01 to the root AP's
radio.
[AC-wlan-view] ap 1 radio 1
[AC-wlan-radio-1/1] radio-profile name rp02
[AC-wlan-radio-1/1] bridge enable mode root
[AC-wlan-radio-1/1] bridge-whitelist name bw01
[AC-wlan-radio-1/1] bridge whitelist enable
[AC-wlan-radio-1/1] quit

# Bind the radio profile rp02 to radio 1 of AP2, set the bridge mode of radio 1 to
middle, and bind the bridge whitelist bw02 to radio 1. By default, no bridge
whitelist is bound to a radio. This example binds bridge whitelist bw02 to the
middle AP's radio.
[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] radio-profile name rp02
[AC-wlan-radio-2/1] bridge enable mode middle
[AC-wlan-radio-2/1] bridge-whitelist name bw02
[AC-wlan-radio-2/1] bridge whitelist enable
[AC-wlan-radio-2/1] quit

# Bind AP3 radio 1 to the radio profile rp02 and set the wireless bridge working
mode to leaf.
[AC-wlan-view] ap 3 radio 1
[AC-wlan-radio-3/1] radio-profile name rp02
[AC-wlan-radio-3/1] bridge enable mode leaf
[AC-wlan-radio-3/1] quit

# After the preceding configurations are complete, power on the APs. If the APs
are already powered on, restart the root AP to make the configuration take effect.
Run the display ap all and display bridge-link all commands on the AC to check
whether the APs work properly and whether WVLs are successfully established. If
the WVLs are displayed and the states of all the APs are normal, the management
bridge is successfully established.
[AC-wlan-view] display ap all
All AP information:
Normal[3],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type        AP MAC          Profile/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1 AP6010DN-AGN 00e0-fc59-1ee0 0/101 normal ap-1
2 AP6010DN-AGN 00e0-fc59-1d20 0/102 normal ap-2
3 AP6010DN-AGN 00e0-fc59-1d40 0/103 normal ap-3
------------------------------------------------------------------------------
Total number: 3,printed: 3

[AC-wlan-view] display bridge-link all


------------------------------------------------------------------------------
AP ID AP MAC Radio ID Coverage Distance(100m) Channel Bridge Work Mode
Peer AP MAC Peer AP ID Peer AP Status RSSI(dBm) Max RSSI(dBm)
------------------------------------------------------------------------------
1 00e0-fc59-1ee0 1 3 149 root
00e0-fc59-1d20 2 normal -33 -32
2 00e0-fc59-1d20 1 3 149 middle
00e0-fc59-1ee0 1 normal -31 -31
2 00e0-fc59-1d20 1 3 149 middle
00e0-fc59-1d40 3 normal -33 -32
3 00e0-fc59-1d40 1 3 149 leaf
00e0-fc59-1d20 2 normal -31 -31
------------------------------------------------------------------------------
Total: 4
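The check that the output above asks the operator to make by eye can be automated. As an added example (not Huawei code), the following Python parses the two-line-per-entry display bridge-link all output shown above, embedded here as sample text, and audits it: every link must be reported from both ends with peer status normal, every downstream peer of a root or middle radio must be in that radio's whitelist (bw01 on AP1, bw02 on AP2), and all radios must report one channel. The RSSI floor is an assumed operational threshold, not a value from the document.

```python
# Audit of "display bridge-link all" output (added example, not part of the Huawei document).
import re
from typing import Dict, List, Set

# Output as printed in this section, embedded so the check runs offline.
SAMPLE_OUTPUT = """\
------------------------------------------------------------------------------
AP ID AP MAC Radio ID Coverage Distance(100m) Channel Bridge Work Mode
Peer AP MAC Peer AP ID Peer AP Status RSSI(dBm) Max RSSI(dBm)
------------------------------------------------------------------------------
1 00e0-fc59-1ee0 1 3 149 root
00e0-fc59-1d20 2 normal -33 -32
2 00e0-fc59-1d20 1 3 149 middle
00e0-fc59-1ee0 1 normal -31 -31
2 00e0-fc59-1d20 1 3 149 middle
00e0-fc59-1d40 3 normal -33 -32
3 00e0-fc59-1d40 1 3 149 leaf
00e0-fc59-1d20 2 normal -31 -31
------------------------------------------------------------------------------
Total: 4
"""

MAC = r"[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}"
# First line of an entry: AP ID, AP MAC, radio ID, coverage distance, channel, bridge mode.
FIRST = re.compile(rf"^(\d+)\s+({MAC})\s+(\d+)\s+(\d+)\s+(\d+)\s+(root|middle|leaf)$")
# Second line: peer MAC, peer AP ID, peer status, RSSI, max RSSI.
SECOND = re.compile(rf"^({MAC})\s+(\d+)\s+(\S+)\s+(-?\d+)\s+(-?\d+)$")
RANK = {"root": 0, "middle": 1, "leaf": 2}   # position in the WDS tree


def parse_bridge_links(text: str) -> List[dict]:
    """Pair the two lines of each entry and return one dict per reported link."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    links, i = [], 0
    while i < len(lines) - 1:
        a, b = FIRST.match(lines[i]), SECOND.match(lines[i + 1])
        if a and b:
            links.append({
                "ap_id": int(a.group(1)), "ap_mac": a.group(2), "radio": int(a.group(3)),
                "channel": int(a.group(5)), "mode": a.group(6),
                "peer_mac": b.group(1), "peer_id": int(b.group(2)),
                "peer_status": b.group(3), "rssi": int(b.group(4)),
            })
            i += 2
        else:
            i += 1   # header, separator or "Total" line
    return links


def audit_bridge_links(links: List[dict], whitelists: Dict[int, Set[str]],
                       min_rssi: int = -70) -> List[str]:
    """Return findings; whitelists maps AP ID -> MACs bound on that radio (root/middle only)."""
    findings: List[str] = []
    pairs = {(l["ap_id"], l["peer_id"]) for l in links}
    mode_of = {l["ap_id"]: l["mode"] for l in links}
    channels = {l["channel"] for l in links}
    if len(channels) > 1:
        findings.append(f"bridge radios report different channels: {sorted(channels)}")
    for l in links:
        tag = f"AP{l['ap_id']} -> AP{l['peer_id']}"
        if (l["peer_id"], l["ap_id"]) not in pairs:
            findings.append(f"{tag}: peer does not report the link back (one-way link)")
        if l["peer_status"] != "normal":
            findings.append(f"{tag}: peer status is {l['peer_status']}")
        if l["rssi"] < min_rssi:
            findings.append(f"{tag}: RSSI {l['rssi']} dBm is below {min_rssi} dBm")
        peer_mode = mode_of.get(l["peer_id"])
        if peer_mode is None:
            continue
        if peer_mode == l["mode"]:
            findings.append(f"{tag}: two {peer_mode} nodes are linked; WDS does not allow this")
        # A downstream peer (further from the root) must have been whitelisted on this radio.
        if RANK[peer_mode] > RANK[l["mode"]] and l["peer_mac"] not in whitelists.get(l["ap_id"], set()):
            findings.append(f"{tag}: peer {l['peer_mac']} is not in the whitelist bound to AP{l['ap_id']}")
    return findings


# Whitelists as configured in Step 5: bw01 on AP1 (root), bw02 on AP2 (middle).
WHITELISTS = {1: {"00e0-fc59-1d20"}, 2: {"00e0-fc59-1d40"}}

if __name__ == "__main__":
    for line in audit_bridge_links(parse_bridge_links(SAMPLE_OUTPUT), WHITELISTS) or ["all WDS links consistent"]:
        print(line)
```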

Step 6 Configure a radio profile and a WLAN-ESS interface.


# Create the radio profile rp01 for user services, use the default settings, and bind
the radio profile to the WMM profile wp01.
[AC-wlan-view] radio-profile name rp01 id 0
[AC-wlan-radio-prof-rp01] wmm-profile name wp01
[AC-wlan-radio-prof-rp01] quit
[AC-wlan-view] quit

# Create three WLAN-ESS interfaces.


[AC] interface wlan-ess 1
[AC-Wlan-Ess1] port trunk allow-pass vlan 101
[AC-Wlan-Ess1] quit
[AC] interface wlan-ess 2
[AC-Wlan-Ess2] port trunk allow-pass vlan 102
[AC-Wlan-Ess2] quit
[AC] interface wlan-ess 3
[AC-Wlan-Ess3] port trunk allow-pass vlan 103
[AC-Wlan-Ess3] quit

Step 7 Configure the bridge profile and service set.


# Create security profile sp01, set the security and authentication policy to WPA2-
PSK, set the authentication key to Example@123, and set the encryption mode to
CCMP.

NOTE

The AP that establishes the bridge on a WDS network supports only WPA2+PSK+CCMP.
[AC] wlan
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security-policy wpa2
[AC-wlan-sec-prof-sp01] wpa2 authentication-method psk pass-phrase cipher Example@123 encryption-method ccmp
[AC-wlan-sec-prof-sp01] quit

# Create a bridge profile with the name bp01 and identifier ChinaNet01, and
bind the bridge profile to the security profile sp01.
[AC-wlan-view] bridge-profile name bp01
[AC-wlan-bridge-prof-bp01] bridge-name ChinaNet01
[AC-wlan-bridge-prof-bp01] vlan tagged 101 to 106 // Allow packets of service VLANs to pass.
[AC-wlan-bridge-prof-bp01] security-profile name sp01
[AC-wlan-bridge-prof-bp01] quit

# Create traffic profile tp01 and use the default settings.


[AC-wlan-view] traffic-profile name tp01
[AC-wlan-traffic-prof-tp01] quit

# Create and configure a service set ss01 and SSID ChinaSer01.


[AC-wlan-view] service-set name ss01
[AC-wlan-service-set-ss01] traffic-profile name tp01
[AC-wlan-service-set-ss01] security-profile name sp01
[AC-wlan-service-set-ss01] ssid ChinaSer01
[AC-wlan-service-set-ss01] service-vlan 101 // Change the VLAN ID of the service set to 101. (The default VLAN ID is 1.)
[AC-wlan-service-set-ss01] wlan-ess 1
[AC-wlan-service-set-ss01] quit

# Create and configure a service set ss02 and SSID ChinaSer02.


[AC-wlan-view] service-set name ss02
[AC-wlan-service-set-ss02] traffic-profile name tp01
[AC-wlan-service-set-ss02] security-profile name sp01
[AC-wlan-service-set-ss02] ssid ChinaSer02
[AC-wlan-service-set-ss02] service-vlan 102 // Change the VLAN ID of the service set to 102. (The default VLAN ID is 1.)
[AC-wlan-service-set-ss02] wlan-ess 2
[AC-wlan-service-set-ss02] quit

# Create and configure a service set ss03 and SSID ChinaSer03.


[AC-wlan-view] service-set name ss03
[AC-wlan-service-set-ss03] traffic-profile name tp01
[AC-wlan-service-set-ss03] security-profile name sp01
[AC-wlan-service-set-ss03] ssid ChinaSer03
[AC-wlan-service-set-ss03] service-vlan 103 // Change the VLAN ID of the service set to 103. (The default VLAN ID is 1.)
[AC-wlan-service-set-ss03] wlan-ess 3
[AC-wlan-service-set-ss03] quit

# Create a bridge VAP on AP1 radio 1 and bind the radio to the bridge profile.
Create a service VAP on AP1 radio 0 and bind the radio to the radio profile and
service set.
[AC-wlan-view] ap 1 radio 0
[AC-wlan-radio-1/0] radio-profile name rp01
[AC-wlan-radio-1/0] service-set name ss01
[AC-wlan-radio-1/0] quit
[AC-wlan-view] ap 1 radio 1
[AC-wlan-radio-1/1] bridge-profile name bp01
[AC-wlan-radio-1/1] channel 40mhz-plus 157 // Radios that establish a WDS link must use the same channel and bandwidth. Here, the radios use 40 MHz bandwidth and channel 157.
[AC-wlan-radio-1/1] quit

# Create a bridge VAP on AP2 radio 1 and bind the radio to the bridge profile.
Create a service VAP on AP2 radio 0 and bind the radio to the radio profile and
service set.
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name rp01
[AC-wlan-radio-2/0] service-set name ss02
[AC-wlan-radio-2/0] quit
[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] bridge-profile name bp01
[AC-wlan-radio-2/1] channel 40mhz-plus 157
[AC-wlan-radio-2/1] quit

# Create a bridge VAP on AP3 radio 1 and bind the radio to the bridge profile.
Create a service VAP on AP3 radio 0 and bind the radio to the radio profile and
service set.
[AC-wlan-view] ap 3 radio 0
[AC-wlan-radio-3/0] radio-profile name rp01
[AC-wlan-radio-3/0] service-set name ss03
[AC-wlan-radio-3/0] quit
[AC-wlan-view] ap 3 radio 1
[AC-wlan-radio-3/1] bridge-profile name bp01
[AC-wlan-radio-3/1] channel 40mhz-plus 157
[AC-wlan-radio-3/1] quit
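The Configuration Notes list the WDS planning rules (one root, no middle-to-middle links, three hops, at most six subnodes per node) and Steps 5 and 7 add the whitelist, channel and bridge-ID constraints. As an added example, not part of the Huawei document, the following Python encodes those rules and checks a plan against them before it is committed; the BridgeRadio record and the three-AP plan are constructed from this section's APs, whitelists bw01/bw02 and channel settings.

```python
# Consistency check of a WDS bridge plan (added example, not part of the Huawei document).
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAX_SUBNODES = 6   # "Each node on the WDS link supports a maximum of six subnodes."
MAX_DEPTH = 2      # root (0) -> middle (1) -> leaf (2): the recommended 3-hop WDS link


@dataclass
class BridgeRadio:
    """One AP radio taking part in the WDS bridge (field names are this example's own)."""
    ap_id: int
    mac: str
    mode: str                      # "root", "middle" or "leaf"
    channel: str                   # channel and bandwidth, e.g. "40mhz-plus 157"
    bridge_name: str               # bridge identifier from the bridge profile
    uplink: Optional[int] = None   # AP ID of the upstream node; None for the root
    whitelist: List[str] = field(default_factory=list)  # peer MACs bound to this radio


def _depth(radio: BridgeRadio, by_id: Dict[int, BridgeRadio]) -> Optional[int]:
    """Hops from the root, or None if the uplink chain is broken or loops."""
    seen, hops, cur = set(), 0, radio
    while cur.uplink is not None:
        if cur.ap_id in seen:
            return None
        seen.add(cur.ap_id)
        cur = by_id.get(cur.uplink)
        if cur is None:
            return None
        hops += 1
    return hops


def validate_wds_plan(radios: List[BridgeRadio]) -> List[str]:
    """Return the rule violations found; an empty list means the plan is consistent."""
    problems: List[str] = []
    by_id = {r.ap_id: r for r in radios}
    mac_to_id = {r.mac.lower(): r.ap_id for r in radios}
    if sum(r.mode == "root" for r in radios) != 1:
        problems.append("exactly one root node is required")
    if len({r.channel.lower() for r in radios}) > 1:
        problems.append("bridge radios use different channel/bandwidth settings")
    if len({r.bridge_name for r in radios}) > 1:
        problems.append("bridge radios use different bridge identifiers")

    children: Dict[int, List[BridgeRadio]] = {r.ap_id: [] for r in radios}
    for r in radios:
        if r.mode == "root":
            if r.uplink is not None:
                problems.append(f"AP{r.ap_id}: the root node must not have an uplink")
            continue
        if r.uplink not in by_id:
            problems.append(f"AP{r.ap_id}: {r.mode} node has no valid uplink")
            continue
        up = by_id[r.uplink]
        children[up.ap_id].append(r)
        if up.mode == "leaf":
            problems.append(f"AP{r.ap_id}: uplink AP{up.ap_id} is a leaf and accepts no subnodes")
        if r.mode == "middle" and up.mode == "middle":
            problems.append(f"AP{r.ap_id}: middle nodes must not link to each other (uplink AP{up.ap_id})")
        depth = _depth(r, by_id)
        if depth is None or depth > MAX_DEPTH:
            problems.append(f"AP{r.ap_id}: exceeds the recommended 3-hop WDS link")

    for r in radios:
        subs = children[r.ap_id]
        if len(subs) > MAX_SUBNODES:
            problems.append(f"AP{r.ap_id}: {len(subs)} subnodes exceed the maximum of {MAX_SUBNODES}")
        allowed = {m.lower() for m in r.whitelist}
        if r.mode == "leaf":
            if allowed:
                problems.append(f"AP{r.ap_id}: leaf radios take no whitelist")
            continue
        # A root or middle whitelist must list exactly its planned downstream peers.
        planned = {c.mac.lower() for c in subs}
        for c in subs:
            if c.mac.lower() not in allowed:
                problems.append(f"AP{r.ap_id}: whitelist is missing subnode AP{c.ap_id} ({c.mac})")
        for m in sorted(allowed - planned):
            who = f"AP{mac_to_id[m]}" if m in mac_to_id else "an unknown AP"
            problems.append(f"AP{r.ap_id}: whitelist entry {m} ({who}) is not a planned subnode")
    return problems


def example_plan() -> List[BridgeRadio]:
    """The three-AP plan of this section: AP1 root (bw01), AP2 middle (bw02), AP3 leaf."""
    return [
        BridgeRadio(1, "00e0-fc59-1ee0", "root", "40mhz-plus 157", "ChinaNet01",
                    whitelist=["00e0-fc59-1d20"]),
        BridgeRadio(2, "00e0-fc59-1d20", "middle", "40mhz-plus 157", "ChinaNet01",
                    uplink=1, whitelist=["00e0-fc59-1d40"]),
        BridgeRadio(3, "00e0-fc59-1d40", "leaf", "40mhz-plus 157", "ChinaNet01", uplink=2),
    ]


if __name__ == "__main__":
    for line in validate_wds_plan(example_plan()) or ["plan is consistent"]:
        print(line)
```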

Step 8 Configure APs' wired interfaces.


# Set parameters for the AP3 wired interface.
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] lineate-port gigabitethernet 0 mode endpoint // On a WDS network, downlink wired interfaces of APs must be set to the endpoint mode.
[AC-wlan-ap-3] lineate-port gigabitethernet 0 vlan tagged 104 to 106 // Add the AP's wired interface to VLANs 104, 105, and 106 in tagged mode.
[AC-wlan-ap-3] quit

NOTE

After changing the working mode of AP wired interfaces, reset the APs to make the
configurations take effect.

Step 9 Deliver parameters to APs.


# Deliver the AP parameters on the AC for the configurations to take effect.
[AC-wlan-view] commit ap 3
Warning: Committing configuration may cause service interruption, continue?[Y/N]y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]y
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption, continue?[Y/N]y

Step 10 Verify the configuration.


WLAN users in areas A, B, and C and wired users in area C can access the Internet.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 to 106
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 to 106
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 to 106
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 106
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 192.168.1.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.2.1 255.255.255.0
dhcp select interface
#
interface Vlanif103
ip address 192.168.3.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 100 to 106
#
interface Wlan-Ess1
port trunk allow-pass vlan 101
#
interface Wlan-Ess2
port trunk allow-pass vlan 102
#
interface Wlan-Ess3
port trunk allow-pass vlan 103
#
wlan
wlan ac source interface vlanif100
ap-region id 101
ap-region id 102
ap-region id 103
ap id 1 type-id 19 mac 00e0-fc59-1ee0 sn 210235555310CC003587
region-id 101
ap id 2 type-id 19 mac 00e0-fc59-1d20 sn 210235555310CC000094
region-id 102
ap id 3 type-id 19 mac 00e0-fc59-1d40 sn 210235555310CC00AC69
region-id 103
lineate-port gigabitethernet 0 mode endpoint
lineate-port gigabitethernet 0 vlan tagged 104 to 106
wmm-profile name wp01 id 0
traffic-profile name tp01 id 0
security-profile name sp01 id 0
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@QGZ2"N.FU!8XFIGcV\{QFUWb%@%@ encryption-method ccmp
service-set name ss01 id 0
wlan-ess 1
ssid ChinaSer01
traffic-profile id 0
security-profile id 0
service-vlan 101
service-set name ss02 id 1
wlan-ess 2
ssid ChinaSer02
traffic-profile id 0
security-profile id 0
service-vlan 102
service-set name ss03 id 2
wlan-ess 3
ssid ChinaSer03
traffic-profile id 0
security-profile id 0
service-vlan 103
bridge-profile name bp01 id 0
bridge-name ChinaNet01
security-profile id 0
vlan tagged 101 to 106
radio-profile name rp01 id 0
wmm-profile id 0
radio-profile name rp02 id 1
channel-mode fixed
wmm-profile id 0
bridge-whitelist name bw01 id 0
peer ap mac 00e0-fc59-1d20
bridge-whitelist name bw02 id 1
peer ap mac 00e0-fc59-1d40
ap 1 radio 0
radio-profile id 0
service-set id 0 wlan 1
ap 1 radio 1
radio-profile id 1
channel 40MHz-plus 157
bridge enable mode root
bridge whitelist enable
bridge-whitelist id 0
bridge-profile id 0
ap 2 radio 0
radio-profile id 0
service-set id 1 wlan 1
ap 2 radio 1
radio-profile id 1
channel 40MHz-plus 157
bridge enable mode middle
bridge whitelist enable
bridge-whitelist id 1
bridge-profile id 0
ap 3 radio 0
radio-profile id 0
service-set id 2 wlan 1
ap 3 radio 1
radio-profile id 1
channel 40MHz-plus 157
bridge enable mode leaf
bridge-profile id 0
#
return

3.11.10 Example for Configuring the WLAN Service Using Mesh Technology
Mesh Overview
Mesh is short for wireless mesh network (WMN), which consists of APs wirelessly
connected in a mesh topology.
On a traditional WLAN network, APs connect to an AC through wired uplinks.
Wired network deployment is costly in areas where network cables are difficult to
deploy, for example, tunnels and docks. In these areas, the mesh technology can
be used to deploy a wireless network quickly. A mesh network supports dynamic
and automatic configuration, allowing you to add or remove mesh nodes flexibly.
In addition, the mesh technology supports link redundancy so that the failure of a
single node will not affect the entire network. This makes networks more robust.
A mesh network has two types of nodes:
● Mesh portal point (MPP): a mesh point that provides the portal function to
connect the mesh network to other types of networks for communication.
● Mesh point (MP): a mesh-capable node that uses IEEE 802.11 MAC and
physical layer protocols for wireless communication. This node supports automatic topology discovery, automatic route discovery, and data packet forwarding. MPs can provide both mesh service and user access service.
Both WDS and mesh technologies can implement wireless bridging between APs.
A WDS network supports a maximum of three hops (for example, a WDS link can
be established along a root node, a middle node, and a leaf node), has a tree
topology, and does not support link redundancy between nodes. On the other
hand, a mesh network supports a maximum of eight hops, has a mesh topology,
and supports link redundancy between nodes. These factors make a mesh network
more reliable than a WDS network. You can choose the WDS or mesh technology
to deploy wireless bridging between APs according to your networking needs.

Configuration Notes
● The AP2030DN, AP7030DE, AP9330DN, AP6310SN-GN and AP2010DN do not
support the mesh function.
● On a WDS or mesh network, an 802.11ac AP cannot interoperate with
non-802.11ac APs regardless of their radio types. Only 802.11ac APs can
interoperate with each other.
NOTE

Among all WDS- and mesh-capable APs, only the AP4050DN, AP4051DN, AP4151DN,
AP8050DN, AP8150DN, AP5030DN, AP5130DN, AP8130DN, AP8030DN, AP8130DN-W,
AP4030DN, AP4130DN, AP9131DN, AP9132DN, AP6050DN, AP6150DN, AP7050DE,
AP7050DN-E, AP4030TN, AP4050DN-E, and AP4050DN-HD are 802.11ac APs.
● If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency
band and used for WDS or mesh services, the software version of the AP
connected to the AP8130DN must be V200R005C10 or later.
● It is recommended that you deploy no more than 40 mesh nodes on a mesh
network.
● You cannot use WDS and mesh technologies on the same network.
● If WDS and Mesh services are configured on an AP radio, WIDS, spectrum
analysis, or WLAN location on the radio does not take effect.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● The following table lists applicable products and versions.

Table 3-74 Applicable products and versions

Software Version: V200R005C00
Product Model: S7700, S9700
AP Model and Version: V200R005C00: AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN

Software Version: V200R006C00
Product Model: S5720-HI, S7700, S9700
AP Model and Version: V200R005C00: AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN

Software Version: V200R007C00
Product Model: S5720-HI, S7700, S9700
AP Model and Version: V200R005C10: AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN

Software Version: V200R008C00
Product Model: S5720-HI, S7700, S9700
AP Model and Version: V200R005C10: AP3010DN-AGN, AP5010DN-AGN, AP5010SN-GN, AP5030DN, AP5130DN, AP6010SN-GN, AP6010DN-AGN, AP6510DN-AGN, AP6610DN-AGN, AP7110DN-AGN, AP7110SN-GN, AP8030DN, AP8130DN; V200R005C30: AP4030DN, AP4130DN

Networking Requirements
An enterprise has three office locations: Area A, Area B, and Area C. AP1 in Area A
can connect to the access switch (SwitchA) through a wired link, but AP2 in Area
B and AP3 in Area C cannot. A WMN needs to be deployed in the three areas to
connect AP2 and AP3 to the enterprise network, as shown in Figure 3-154.

Figure 3-154 Mesh networking

Data Plan
Before configuring the mesh service, determine the types and MAC addresses of
the APs used as mesh nodes. The following table provides the data plan for this
example.

NOTE

The APs used in this example are AP6010DN-AGN.

Table 3-75 AP data required for completing the configuration

AP Type MAC

AP1 AP6010DN-AGN 00e0-fc59-1ee0

AP2 AP6010DN-AGN 00e0-fc59-1d20

AP3 AP6010DN-AGN 00e0-fc59-1d40

The following provides data planning for mesh service configuration.

Table 3-76 Service data required for completing the configuration

Item: VLAN
Data: Management VLAN: 100
Description: None

Item: VLAN
Data: Service VLANs:
● Area B: VLAN 102
● Area C: VLAN 103, and VLANs 104, 105, and 106 on wired interfaces of AP3
Description: Wired interfaces of AP1 and AP3 must allow packets of the VLANs to which Area B and Area C belong to pass through.

Item: AP service data forwarding mode
Data: Direct forwarding
Description: None

Item: IP address of the AC's source interface
Data: VLANIF 100: 192.168.10.1/24
Description: None

Item: AP region
Data:
● AP region 101 for AP1
● AP region 102 for AP2
● AP region 103 for AP3
Description: None

Item: WMM profile
Data: Name: wp01
Description: None

Item: Radio profile
Data: Name: rp01 and rp02
Description: None

Item: Security profile
Data:
● Name: sp01
● Security and authentication policy: WPA2+PSK
● Authentication key: YsHsjx_202206
● Encryption mode: CCMP encryption
Description: Mesh links support only the security policy using WPA2+PSK authentication and CCMP encryption. In this example, the security profile sp01 is also used for the basic WLAN service. Select an appropriate security policy for the WLAN service in real-world applications.

Item: Traffic profile
Data: Name: tp01
Description: None

Item: Mesh profile
Data:
● Name: mesh01
● ID: ChinaNet01
Description: All APs on a mesh network must have the same mesh network ID.

Item: Service set
Data:
● Name: ss02
● SSID: ChinaSer02
● WLAN virtual interface: WLAN-ESS 2
● Service data forwarding mode: direct forwarding
Description: None

Item: Service set
Data:
● Name: ss03
● SSID: ChinaSer03
● WLAN virtual interface: WLAN-ESS 3
● Service data forwarding mode: direct forwarding
Description: None

Item: Mesh whitelist
Data: Name: mesh01
Description: A mesh whitelist specifies the MAC addresses of nodes that are allowed to connect to an AP. After a mesh whitelist is bound to a radio of an AP, only the neighboring nodes with the MAC addresses in the whitelist can connect to the AP.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AC and SwitchA to implement Layer 2 connectivity between the
AC, SwitchA, and AP1.
2. Configure the mesh function to enable AP2 and AP3 to connect to the AC
through mesh links.
3. Configure the basic WLAN service to provide Internet access service for WLAN
users in Area A, Area B, and Area C.

Procedure
Step 1 Connect AP1 to the AC.
# Configure SwitchA. Add GE0/0/1 of SwitchA to management VLAN 100, set the
PVID to VLAN 100, and configure GE0/0/1 and GE0/0/2 to allow packets from
VLAN 100 and VLANs 102 to 106 to pass through.

NOTE

You are advised to configure port isolation on GE0/0/1 that connects SwitchA to AP1. If port
isolation is not configured, unnecessary packets are broadcast in the VLANs or WLAN users
connected to different APs can communicate with each other at Layer 2.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 102 to 106
[SwitchA] interface gigabitEthernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 102 to 106
[SwitchA-GigabitEthernet0/0/1] port-isolate enable //If the isolation group is not specified for an interface, the interface is added to isolation group 1.
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitEthernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 102 to 106
[SwitchA-GigabitEthernet0/0/2] quit

# Set the NAC mode to unified mode on the AC (default setting). Configure
GE1/0/1 to allow packets from VLAN 100 and VLANs 102 to 106 to pass through.
[HUAWEI] sysname AC
[AC] vlan batch 100 102 to 106
[AC] interface gigabitEthernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 102 to 106
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to assign IP addresses to STAs and APs.


[AC] dhcp enable
[AC] interface vlanif 102
[AC-Vlanif102] ip address 192.168.2.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
[AC] interface vlanif 103
[AC-Vlanif103] ip address 192.168.3.1 24
[AC-Vlanif103] dhcp select interface
[AC-Vlanif103] quit
[AC] interface vlanif 100
[AC-Vlanif100] ip address 192.168.10.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 3 Configure AC system parameters.


# Configure the country code.
[AC] wlan ac-global country-code cn
Warning: Modify the country code may delete configuration on those AP which use the global country code and reset them, continue?[Y/N]:y

# Configure the AC ID and carrier ID.


[AC] wlan ac-global ac id 1 carrier id other //The default AC ID is 0. Set the AC ID to 1.

# Configure the source interface.


[AC] wlan
[AC-wlan-view] wlan ac source interface vlanif 100

Step 4 Manage APs on the AC.


# Add the APs offline.
[AC-wlan-view] ap id 1 ap-type AP6010DN-AGN mac 00e0-fc59-1ee0
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2 ap-type AP6010DN-AGN mac 00e0-fc59-1d20
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3 ap-type AP6010DN-AGN mac 00e0-fc59-1d40
[AC-wlan-ap-3] quit

# Configure the Ethernet interfaces that connect APs to SwitchA to allow packets
from VLAN 102 to VLAN 106 to pass through.

NOTE

If MPP Ethernet interfaces are not configured to allow packets carrying service VLAN tags to
pass through, communication fails.
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] lineate-port gigabitethernet 0 vlan tagged 102 to 106
[AC-wlan-ap-1] quit

# Create AP regions 101, 102, and 103. An AC has a default AP region with the ID
0. AP regions 101, 102, and 103 are used as an example here.
[AC-wlan-view] ap-region id 101
[AC-wlan-ap-region-101] quit
[AC-wlan-view] ap-region id 102
[AC-wlan-ap-region-102] quit
[AC-wlan-view] ap-region id 103
[AC-wlan-ap-region-103] quit

# Add AP1 to AP region 101, AP2 to AP region 102, and AP3 to AP region 103. By
default, an AP is added to region 0. This example adds the three APs to regions
101, 102, and 103 respectively.
[AC-wlan-view] ap id 1
[AC-wlan-ap-1] region-id 101
[AC-wlan-ap-1] quit
[AC-wlan-view] ap id 2
[AC-wlan-ap-2] region-id 102
[AC-wlan-ap-2] quit
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] region-id 103
[AC-wlan-ap-3] quit

Step 5 Configure mesh parameters.


# Create a WMM profile named wp01 and retain the default settings in the
profile.
[AC-wlan-view] wmm-profile name wp01 id 1
[AC-wlan-wmm-prof-wp01] quit

# Create a radio profile rp02, set the channel mode to fixed and retain the default
settings for other parameters, and bind the WMM profile wp01 to the radio
profile. The default channel mode is auto, but the fixed mode must be used in
this example.
[AC-wlan-view] radio-profile name rp02 id 1
[AC-wlan-radio-prof-rp02] wmm-profile name wp01
[AC-wlan-radio-prof-rp02] channel-mode fixed //The APs along the mesh link must use the same channel, so the fixed mode is used here.
[AC-wlan-radio-prof-rp02] quit

# Create a mesh whitelist mesh01. By default, no mesh whitelist is created. This example uses mesh whitelist mesh01 for the mesh nodes.
[AC-wlan-view] mesh-whitelist name mesh01
[AC-wlan-mesh-whitelist-mesh01] peer ap mac 00e0-fc59-1d20
[AC-wlan-mesh-whitelist-mesh01] peer ap mac 00e0-fc59-1d40
[AC-wlan-mesh-whitelist-mesh01] peer ap mac 00e0-fc59-1ee0 //Configure the whitelists according to your needs. In this example, whitelists can be created among three APs to ensure robustness of the mesh network, so the MAC addresses of three APs are added to mesh01.
[AC-wlan-mesh-whitelist-mesh01] quit

# Create security profile sp01, set the security and authentication policy to WPA2-
PSK, set the authentication key to YsHsjx_202206, and set the encryption mode to
CCMP.

NOTE

On a WMN, the APs that connect to each other wirelessly support only security policy
WPA2+PSK+CCMP.
[AC-wlan-view] security-profile name sp01
[AC-wlan-sec-prof-sp01] security-policy wpa2
[AC-wlan-sec-prof-sp01] wpa2 authentication-method psk pass-phrase cipher YsHsjx_202206 encryption-method ccmp
[AC-wlan-sec-prof-sp01] quit

# Create a mesh profile mesh01. Set the mesh network ID to ChinaNet01, bind
the security profile sp01 to the mesh profile, and retain the default settings of
other parameters.
[AC-wlan-view] mesh-profile name mesh01
[AC-wlan-mesh-prof-mesh01] mesh-id ChinaNet01
[AC-wlan-mesh-prof-mesh01] security-profile name sp01
[AC-wlan-mesh-prof-mesh01] quit

Step 6 Configure a WLAN radio profile and WLAN-ESS interfaces.


# Create a radio profile rp01, retain the default settings in the profile, and bind it
to the WMM profile wp01.
[AC-wlan-view] radio-profile name rp01 id 0
[AC-wlan-radio-prof-rp01] wmm-profile name wp01
[AC-wlan-radio-prof-rp01] quit
[AC-wlan-view] quit

# Create WLAN-ESS interfaces.


[AC] interface wlan-ess 2
[AC-Wlan-Ess2] port trunk allow-pass vlan 102
[AC-Wlan-Ess2] quit
[AC] interface wlan-ess 3
[AC-Wlan-Ess3] port trunk allow-pass vlan 103
[AC-Wlan-Ess3] quit

Step 7 Configure a mesh profile and service sets.


# Create a traffic profile named tp01 and retain the default settings in the profile.
[AC] wlan
[AC-wlan-view] traffic-profile name tp01
[AC-wlan-traffic-prof-tp01] quit

# Create and configure a service set ss02 and SSID ChinaSer02.


[AC-wlan-view] service-set name ss02
[AC-wlan-service-set-ss02] traffic-profile name tp01
[AC-wlan-service-set-ss02] security-profile name sp01
[AC-wlan-service-set-ss02] ssid ChinaSer02
[AC-wlan-service-set-ss02] service-vlan 102 //Set the VLAN ID of service set to 102. By default, the VLAN ID of service set is 1.
[AC-wlan-service-set-ss02] wlan-ess 2
[AC-wlan-service-set-ss02] quit

# Create and configure a service set ss03 and SSID ChinaSer03.


[AC-wlan-view] service-set name ss03
[AC-wlan-service-set-ss03] traffic-profile name tp01
[AC-wlan-service-set-ss03] security-profile name sp01
[AC-wlan-service-set-ss03] ssid ChinaSer03
[AC-wlan-service-set-ss03] service-vlan 103 //Set the VLAN ID of service set to 103. By default, the VLAN ID of service set is 1.
[AC-wlan-service-set-ss03] wlan-ess 3
[AC-wlan-service-set-ss03] quit

# Create a mesh VAP on radio 1 of AP1 and set the role of radio 1 to MPP, and
bind the mesh whitelist mesh01 and mesh profile mesh01 to the radio.
[AC-wlan-view] ap 1 radio 1
[AC-wlan-radio-1/1] radio-profile name rp02
[AC-wlan-radio-1/1] mesh-role mesh-portal
[AC-wlan-radio-1/1] mesh-whitelist name mesh01
[AC-wlan-radio-1/1] mesh-profile name mesh01
[AC-wlan-radio-1/1] channel 40mhz-plus 157 //Radios setting up a mesh link must use the same channel and bandwidth. This example uses 40 MHz bandwidth and channel 157.
[AC-wlan-radio-1/1] quit

# Create a mesh VAP on radio 1 of AP2 and set the role of radio 1 to MP, and bind
the mesh whitelist mesh01 and mesh profile mesh01 to the radio. Create a
service VAP on radio 0 of AP2 and bind radio profile rp01 and service set ss02 to
radio 0.
[AC-wlan-view] ap 2 radio 0
[AC-wlan-radio-2/0] radio-profile name rp01
[AC-wlan-radio-2/0] service-set name ss02
[AC-wlan-radio-2/0] quit
[AC-wlan-view] ap 2 radio 1
[AC-wlan-radio-2/1] radio-profile name rp02
[AC-wlan-radio-2/1] mesh-role mesh-node
[AC-wlan-radio-2/1] mesh-whitelist name mesh01
[AC-wlan-radio-2/1] mesh-profile name mesh01
[AC-wlan-radio-2/1] channel 40mhz-plus 157
[AC-wlan-radio-2/1] quit

# Create a mesh VAP on radio 1 of AP3 and set the role of radio 1 to MP, and bind
the mesh whitelist mesh01 and mesh profile mesh01 to the radio. Create a
service VAP on radio 0 of AP3 and bind radio profile rp01 and service set ss03 to
radio 0.
[AC-wlan-view] ap 3 radio 0
[AC-wlan-radio-3/0] radio-profile name rp01
[AC-wlan-radio-3/0] service-set name ss03
[AC-wlan-radio-3/0] quit
[AC-wlan-view] ap 3 radio 1
[AC-wlan-radio-3/1] radio-profile name rp02
[AC-wlan-radio-3/1] mesh-role mesh-node
[AC-wlan-radio-3/1] mesh-whitelist name mesh01
[AC-wlan-radio-3/1] mesh-profile name mesh01
[AC-wlan-radio-3/1] channel 40mhz-plus 157
[AC-wlan-radio-3/1] quit

Step 8 Configure AP's wired interfaces.


# Set parameters for the AP3 wired interface.
[AC-wlan-view] ap id 3
[AC-wlan-ap-3] lineate-port gigabitethernet 0 vlan tagged 104 to 106 //Add the wired interface of AP3 to VLANs 104 to 106 in tagged mode.
[AC-wlan-ap-3] lineate-port gigabitethernet 0 mode endpoint //Set the downlink wired interface of AP3 to the endpoint mode.
[AC-wlan-ap-3] quit

NOTE

After changing the working mode of AP wired interfaces, reset the APs to make the
configurations take effect.

Step 9 Deliver parameters to APs.


# Deliver the AP parameters on the AC for the configurations to take effect.
[AC-wlan-view] commit ap 3
Warning: Committing configuration may cause service interruption, continue?[Y/N]y
[AC-wlan-view] commit ap 2
Warning: Committing configuration may cause service interruption, continue?[Y/N]y
[AC-wlan-view] commit ap 1
Warning: Committing configuration may cause service interruption, continue?[Y/N]y

# Run the display ap all command on the AC to check whether the status of APs
is normal and run the display mesh-link all command on the AC to check
whether mesh links have been established. If the command output shows that APs
are in normal state and displays mesh link information, APs have established
mesh links.
[AC-wlan-view] display ap all
All AP information:
Normal[3],Fault[0],Commit-failed[0],Committing[0],Config[0],Download[0]
Config-failed[0],Standby[0],Type-not-match[0],Ver-mismatch[0]
------------------------------------------------------------------------------
AP ID  AP Type       AP MAC          Profile ID/Region ID  AP State  AP Sysname
------------------------------------------------------------------------------
1      AP6010DN-AGN  00e0-fc59-1ee0  0/101                 normal    ap-1
2      AP6010DN-AGN  00e0-fc59-1d20  0/102                 normal    ap-2
3      AP6010DN-AGN  00e0-fc59-1d40  0/103                 normal    ap-3
------------------------------------------------------------------------------
Total number: 3
[AC-wlan-view] display mesh-link all
----------------------------------------------------------------------
AP ID  Radio ID  Mesh-link ID  WLAN ID  Peer AP ID  Mesh Role
----------------------------------------------------------------------
1      1         0             16       3           mesh-portal
1      1         1             16       2           mesh-portal
2      1         0             16       3           mesh-node
2      1         1             16       1           mesh-node
3      1         0             16       1           mesh-node
3      1         1             16       2           mesh-node
----------------------------------------------------------------------
Total: 6

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 102 to 106
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
port trunk allow-pass vlan 100 102 to 106
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100 102 to 106
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 102 to 106
#
wlan ac-global carrier id other ac id 1
#
dhcp enable
#
interface Vlanif100
ip address 192.168.10.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
ip address 192.168.2.1 255.255.255.0
dhcp select interface
#
interface Vlanif103
ip address 192.168.3.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 102 to 106
#
interface Wlan-Ess2
port trunk allow-pass vlan 102
#
interface Wlan-Ess3
port trunk allow-pass vlan 103
#
wlan
wlan ac source interface vlanif100
ap-region id 101
ap-region id 102
ap-region id 103
ap id 1 type-id 19 mac 00e0-fc59-1ee0 sn 210235555310CC003587
region-id 101
lineate-port gigabitethernet 0 vlan tagged 102 to 106
ap id 2 type-id 19 mac 00e0-fc59-1d20 sn 210235555310CC000094
region-id 102
ap id 3 type-id 19 mac 00e0-fc59-1d40 sn 210235555310CC00AC69
region-id 103
lineate-port gigabitethernet 0 mode endpoint
lineate-port gigabitethernet 0 vlan tagged 104 to 106
wmm-profile name wp01 id 1
traffic-profile name tp01 id 0
security-profile name sp01 id 0
security-policy wpa2
wpa2 authentication-method psk pass-phrase cipher %@%@QGZ2"N.FU!8XFIGcV\{QFUWb%@%@ encryption-method ccmp
service-set name ss02 id 1
wlan-ess 2
ssid ChinaSer02
traffic-profile id 0
security-profile id 0
service-vlan 102
service-set name ss03 id 2
wlan-ess 3
ssid ChinaSer03
traffic-profile id 0
security-profile id 0
service-vlan 103
mesh-profile name mesh01 id 0
mesh-id ChinaNet01
security-profile id 0
radio-profile name rp01 id 0
wmm-profile id 1
radio-profile name rp02 id 1
channel-mode fixed
wmm-profile id 1
mesh-whitelist name mesh01 id 0
peer ap mac 00e0-fc59-1ee0
peer ap mac 00e0-fc59-1d20
peer ap mac 00e0-fc59-1d40
ap 1 radio 1
radio-profile id 1
channel 40MHz-plus 157
mesh-role mesh-portal
mesh-whitelist id 0
mesh-profile id 0
ap 2 radio 0
radio-profile id 0
service-set id 1 wlan 1
ap 2 radio 1
radio-profile id 1
channel 40MHz-plus 157
mesh-whitelist id 0
mesh-profile id 0
ap 3 radio 0
radio-profile id 0
service-set id 2 wlan 1
ap 3 radio 1
radio-profile id 1
channel 40MHz-plus 157
mesh-whitelist id 0
mesh-profile id 0
#
return
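The following is an added check, not part of the Huawei guide: a Python script that parses a file in the layout of the AC configuration file above and reports mesh wiring mistakes (mesh radios on different channels, no MPP radio, a whitelist that omits a peer AP's MAC, a radio bound to an undefined service set). The sample configuration is constructed from this example's values, the parser assumes the keywords shown in the guide, and an omitted mesh-role is read as the default mesh-node.

```python
import re

# Constructed sample in the layout of the AC configuration file above; it reuses
# this example's AP MACs, ids and profile names but is not a device dump.
SAMPLE_CONFIG = """\
wlan
 ap id 1 type-id 19 mac 00e0-fc59-1ee0
 ap id 2 type-id 19 mac 00e0-fc59-1d20
 ap id 3 type-id 19 mac 00e0-fc59-1d40
 service-set name ss02 id 1
 service-set name ss03 id 2
 mesh-whitelist name mesh01 id 0
  peer ap mac 00e0-fc59-1ee0
  peer ap mac 00e0-fc59-1d20
  peer ap mac 00e0-fc59-1d40
 ap 1 radio 1
  channel 40MHz-plus 157
  mesh-role mesh-portal
  mesh-whitelist id 0
 ap 2 radio 0
  service-set id 1 wlan 1
 ap 2 radio 1
  channel 40MHz-plus 157
  mesh-whitelist id 0
 ap 3 radio 0
  service-set id 2 wlan 1
 ap 3 radio 1
  channel 40MHz-plus 157
  mesh-whitelist id 0
"""

AP_RE = re.compile(r"^ap id (\d+) .*?mac (\S+)")          # AP definition with its MAC
SS_RE = re.compile(r"^service-set name \S+ id (\d+)")      # service set definition
WL_RE = re.compile(r"^mesh-whitelist name \S+ id (\d+)")   # whitelist definition
PEER_RE = re.compile(r"^peer ap mac (\S+)")
RADIO_RE = re.compile(r"^ap (\d+) radio (\d+)")
CHAN_RE = re.compile(r"^channel (\S+ \d+)")                # e.g. "40MHz-plus 157"
ROLE_RE = re.compile(r"^mesh-role (\S+)")
WLBIND_RE = re.compile(r"^mesh-whitelist id (\d+)")        # binding inside a radio
SSBIND_RE = re.compile(r"^service-set id (\d+)")


def parse(config):
    """Collect AP MACs, service-set ids, whitelist members and per-radio bindings."""
    ap_mac, ss_ids, whitelists, radios = {}, set(), {}, {}
    ctx = None  # ("wl", id) or ("radio", (ap, radio)) while inside that block
    for raw in config.splitlines():
        line = raw.strip()
        if m := AP_RE.match(line):
            ap_mac[int(m.group(1))], ctx = m.group(2), None
        elif m := SS_RE.match(line):
            ss_ids.add(int(m.group(1)))
            ctx = None
        elif m := WL_RE.match(line):
            ctx = ("wl", int(m.group(1)))
            whitelists[ctx[1]] = set()
        elif m := RADIO_RE.match(line):
            ctx = ("radio", (int(m.group(1)), int(m.group(2))))
            # the file omits mesh-role when it is the default, mesh-node
            radios[ctx[1]] = {"channel": None, "role": "mesh-node", "wl": None, "ss": None}
        elif ctx and ctx[0] == "wl" and (m := PEER_RE.match(line)):
            whitelists[ctx[1]].add(m.group(1))
        elif ctx and ctx[0] == "radio":
            r = radios[ctx[1]]
            if m := CHAN_RE.match(line):
                r["channel"] = m.group(1)
            elif m := ROLE_RE.match(line):
                r["role"] = m.group(1)
            elif m := WLBIND_RE.match(line):
                r["wl"] = int(m.group(1))
            elif m := SSBIND_RE.match(line):
                r["ss"] = int(m.group(1))
    return ap_mac, ss_ids, whitelists, radios


def lint(config):
    """Return findings as strings; an empty list means the mesh wiring is consistent."""
    ap_mac, ss_ids, whitelists, radios = parse(config)
    findings = []
    mesh = {k: r for k, r in radios.items() if r["wl"] is not None}  # radios carrying mesh links
    channels = {r["channel"] for r in mesh.values()}
    if len(channels) != 1 or None in channels:
        findings.append("mesh radios must share one fixed channel, found: " + ", ".join(sorted(map(str, channels))))
    if not any(r["role"] == "mesh-portal" for r in mesh.values()):
        findings.append("no mesh radio has the mesh-portal (MPP) role")
    mesh_aps = {ap for ap, _ in mesh}
    for (ap, radio), r in mesh.items():
        peers = whitelists.get(r["wl"], set())  # an undefined whitelist admits nobody
        for other in sorted(mesh_aps - {ap}):
            if ap_mac.get(other) not in peers:
                findings.append(f"ap {ap} radio {radio}: whitelist {r['wl']} lacks the MAC of ap {other}")
    for (ap, radio), r in radios.items():
        if r["ss"] is not None and r["ss"] not in ss_ids:
            findings.append(f"ap {ap} radio {radio}: service-set id {r['ss']} is not defined")
    return findings


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_CONFIG) or ["mesh configuration is consistent"]))
```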

3.11.11 Common Misconfigurations

3.11.11.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs

Symptom
No ACK mechanism is provided for multicast packet transmission on air interfaces.
In addition, wireless links are unstable. To ensure stable transmission of multicast
packets, they are usually sent at low rates. If a large amount of abnormal
multicast traffic is received on the network side, the air interfaces may be
congested, and STAs may suffer from slow network access. You are advised to
configure multicast packet suppression to reduce impact of a large number of
low-rate multicast packets on the wireless network. Exercise caution when
configuring the rate limit; otherwise, the multicast services may be affected.
● In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
● In tunnel forwarding mode, you are advised to configure multicast packet
suppression on WLAN-ESS interfaces of the AC.

Procedure
● Configure multicast packet suppression in direct forwarding mode.
a. Create the traffic classifier test and define a matching rule.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] traffic classifier test
[SwitchA-classifier-test] if-match destination-mac 00e0-fc00-0000 mac-address-mask ffff-ff00-0000 //Match the destination MAC address of multicast packets.
[SwitchA-classifier-test] quit

b. Create the traffic behavior test, enable traffic statistics collection, and set
the traffic rate limit.

[SwitchA] traffic behavior test
[SwitchA-behavior-test] statistic enable
[SwitchA-behavior-test] car cir 100 //Set the rate limit to 100 kbit/s. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[SwitchA-behavior-test] quit

c. Create the traffic policy test and bind the traffic classifier and traffic
behavior to the traffic policy.
[SwitchA] traffic policy test
[SwitchA-trafficpolicy-test] classifier test behavior test
[SwitchA-trafficpolicy-test] quit

d. Apply the traffic policy to inbound or outbound directions of interfaces.


[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] traffic-policy test inbound
[SwitchA-GigabitEthernet0/0/1] traffic-policy test outbound
[SwitchA-GigabitEthernet0/0/1] quit

● Configure multicast packet suppression in tunnel forwarding mode.


a. Create the traffic classifier test and define a matching rule.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] traffic classifier test
[AC-classifier-test] if-match destination-mac 00e0-fc00-0000 mac-address-mask ffff-ff00-0000 //Match the destination MAC address of multicast packets.
[AC-classifier-test] quit

b. Create the traffic behavior test, enable traffic statistics collection, and set
the traffic rate limit.
[AC] traffic behavior test
[AC-behavior-test] statistic enable
[AC-behavior-test] car cir 100 //Set the rate limit to 100 kbit/s. If multicast services are available, you are advised to set the rate limit according to the service traffic.
[AC-behavior-test] quit

c. Create the traffic policy test and bind the traffic classifier and traffic
behavior to the traffic policy.
[AC] traffic policy test
[AC-trafficpolicy-test] classifier test behavior test
[AC-trafficpolicy-test] quit

d. Apply the traffic policy to inbound or outbound directions of interfaces.


[AC] interface wlan-ess 1
[AC-Wlan-Ess1] traffic-policy test inbound
[AC-Wlan-Ess1] traffic-policy test outbound
[AC-Wlan-Ess1] quit

----End

3.12 Typical WLAN-AC Configuration (Applicable to V200R009 and Later Versions)

3.12.1 Wireless Network Deployment and Configuration Suggestions
This document provides brief suggestions for deploying and configuring a wireless
network, covering the best practices. The suggestions aim to detail precautions for
wireless network implementation in most scenarios.


3.12.1.1 Network Design Suggestion

Enabling STP Edge Ports Connected to APs


To improve network stability and prevent network loops caused by incorrect
connections, the Spanning Tree Protocol (STP) is enabled on the device by default.
When an STP-enabled port on the device is connected to another device that does
not support STP, the port is blocked for 30 seconds. It is recommended that switch
ports connected to APs be configured as STP edge ports, so that the APs can
rapidly connect to the network.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] stp edged-port enable

Enabling LLDP on the PoE Ports Connected to APs


After the Link Layer Discovery Protocol (LLDP) is configured, the device can
analyze powered devices (PDs). When LLDP is disabled, the device can detect and
classify PDs only by analyzing the current and resistance between the device and
PDs. Compared with current and resistance analysis, the LLDP function provides
more comprehensive and accurate analysis.
Enable LLDP globally. After LLDP is enabled globally, the LLDP function is enabled
on all ports by default.
<HUAWEI> system-view
[HUAWEI] lldp enable

Configuring VLANs
In practice, the management VLAN and service VLAN must be configured for
management packets and service data packets.
● Management VLAN: transmits packets that are forwarded through CAPWAP
tunnels, including management packets and service data packets forwarded
through CAPWAP tunnels.
● Service VLAN: transmits service data packets.
NOTE

● It is recommended that you use different VLANs for the management VLAN and service
VLAN.
● You are not advised to use VLAN 1 as the management VLAN or service VLAN.
● In tunnel forwarding mode, the management VLAN and service VLAN must be different. The
network between the AC and AP can only permit packets with management VLAN tags to
pass through, and cannot permit packets with service VLAN tags to pass through.
● When a downlink GE interface of an AD9431DN-24X works in middle mode, the interface
allows packets from all VLANs but no VLAN is created by default. VLANs are automatically
created or deleted based on the VLAN list on the connected RU.

The following describes the forwarding process of management and service data
packets. Here, VLAN m and VLAN m' represent management VLANs, while VLAN s
and VLAN s' represent service VLANs.
● When an AP connects to an AC through a Layer 2 network, VLAN m is the
same as VLAN m', and VLAN s is the same as VLAN s'.


● When an AP connects to an AC through a Layer 3 network, VLAN m is different from VLAN m', and VLAN s is different from VLAN s'.
● Figure 3-155 shows the process of forwarding management packets through
CAPWAP tunnels.

Figure 3-155 Forwarding management packets through CAPWAP tunnels

In Figure 3-155:
– In the uplink direction (from the AP to the AC): When receiving
management packets, the AP encapsulates the packets in CAPWAP
packets. The switch tags the packets with VLAN m. The AC decapsulates
the CAPWAP packets and removes the tag VLAN m'.
– In the downlink direction (from the AC to the AP): When receiving
downstream management packets, the AC encapsulates the packets in
CAPWAP packets and tags them with VLAN m'. The switch removes VLAN
m from the packets. The AP decapsulates the CAPWAP packets.
● Figure 3-156 shows the process of directly forwarding service data packets.


Figure 3-156 Forwarding service data packet directly

In Figure 3-156, service data packets are not encapsulated in CAPWAP packets.
– In the uplink direction (from the STA to the Internet): When upstream
service data packets in 802.11 format are sent from the STA to the AP,
the AP converts the packets into 802.3 packets, tags the packets with
VLAN s, and forwards the packets to the destination.
– In the downlink direction (from the Internet to the STA): When
downstream service data packets in 802.3 format reach the AP (the
packets are tagged with VLAN s' by upstream devices), the AP converts
the 802.3 packets into 802.11 packets and forwards them to the STA.
● Figure 3-157 shows the process of forwarding service data packets through
CAPWAP tunnels.


Figure 3-157 Forwarding service data packets through CAPWAP tunnels

In Figure 3-157, service data packets are encapsulated in CAPWAP packets and transmitted through CAPWAP data tunnels.
– In the uplink direction (from the STA to the Internet): When upstream
service data packets in 802.11 format are sent from the STA to the AP,
the AP converts the packets into 802.3 packets, tags the packets with
VLAN s, and encapsulates them in CAPWAP packets. The upstream switch
tags the packets with VLAN m. The AC decapsulates the CAPWAP packets
and removes the tag VLAN m' from the packets.
– In the downlink direction (from the Internet to the STA): When
downstream service data packets reach the AC, the AC encapsulates the
packets in CAPWAP packets, allows the packets carrying VLAN s to pass
through, and tags the packets with VLAN m'. The switch removes VLAN
m from the packets. The AP decapsulates the CAPWAP packets, removes
VLAN s, converts the 802.3 packets into 802.11 packets, and forwards
them to the STA.
Management VLAN tag VLAN m is the outer tag of CAPWAP-encapsulated
packets. The intermediate devices between the AC and AP can only
transparently transmit packets carrying VLAN m and cannot be configured
with VLAN s encapsulated in the CAPWAP packets.
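As an added illustration, not from the guide, a small Python model of the tag operations just described: it walks one data frame hop by hop in direct and tunnel forwarding and derives from those views which VLANs the switch trunk toward the AP must allow. The hop names and the reversal of the path for the downlink direction are assumptions of the model.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class View:
    """What one hop sees: the 802.1Q tag on the wire, whether the user frame is
    riding inside a CAPWAP data packet, and the service VLAN tag on the user frame."""
    hop: str
    outer_vlan: Optional[int]
    capwap: bool
    inner_vlan: Optional[int]


def walk(mode: str, direction: str, s: int, s2: int, m: int, m2: int) -> List[View]:
    """Hop-by-hop views of one user data frame between the STA and the Internet.
    mode is "direct" or "tunnel"; direction is "uplink" (STA -> Internet) or "downlink".
    s/s2 stand for VLAN s and s', m/m2 for VLAN m and m' (equal on a Layer 2 AP-AC network)."""
    if mode == "direct":
        # The AP converts 802.11 to 802.3 and tags VLAN s; data never enters CAPWAP,
        # so every wired hop must carry the service VLAN itself.
        path = [View("AP", s, False, s), View("switch", s, False, s),
                View("Internet", s2, False, s2)]
    else:
        # The AP keeps VLAN s inside the CAPWAP payload; the switch tags the CAPWAP
        # packet with VLAN m and the AC strips m' before the frame leaves with s'.
        path = [View("AP", None, True, s), View("switch", m, True, s),
                View("AC", m2, True, s), View("Internet", s2, False, s2)]
    # Downlink is the same transformation applied in the opposite order.
    return path if direction == "uplink" else list(reversed(path))


def switch_trunk_vlans(service_sets: List[Tuple[int, str]], m: int) -> List[int]:
    """VLANs the switch trunk toward the AP must allow: the outer tags seen at the
    switch for every (service VLAN, forwarding mode) pair, plus VLAN m, which
    always carries the CAPWAP control tunnel."""
    needed = {m}
    for s, mode in service_sets:
        for v in walk(mode, "uplink", s, s, m, m):
            if v.hop == "switch" and v.outer_vlan is not None:
                needed.add(v.outer_vlan)
    return sorted(needed)


def service_vlan_visible_at_switch(mode: str, s: int, m: int) -> bool:
    """True when the switch between AP and AC must be configured with VLAN s."""
    return any(v.hop == "switch" and v.outer_vlan == s
               for v in walk(mode, "uplink", s, s, m, m))
```

With the management VLAN 100 and direct-forwarded service VLANs 102 and 103 of the mesh example above, the function yields the allow-pass list 100, 102, 103; in tunnel mode it yields 100 alone.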

Enabling the STP TC Protection Function


The STP function is enabled on an AC by default. STP can prevent network loops
caused by incorrect connections or required by link backup.

When the STP topology changes, the device sends Topology Change (TC) packets
to instruct other devices to update their forwarding tables. If network flapping occurs, the devices will receive a large number of TC packets in a short period of
time, and update MAC address or ARP entries frequently. As a result, the devices
are heavily burdened, threatening network stability.
The STP TC protection function is enabled by default. After enabling the TC
protection function, you can set the number of times a switching device processes
TC packets within a given time. If the number of TC packets received by the
switching device within the given time exceeds the specified threshold, the
switching device processes TC packets only for the specified number of times. For
the TC packets exceeding the threshold, the switching device processes them
together after the timer expires. In this way, the switching device is prevented
from frequently deleting its MAC address and ARP entries, and therefore relieved
from the ensuing burdens.
# If you need to understand how the switching device processes TC packets,
enable the TC protection alarm function.
<HUAWEI> system-view
[HUAWEI] stp tc-protection

Disabling an AC from Responding to TC Packets, Enabling MAC-ARP Association, and Disabling IP Traffic Forwarding at Layer 2 During Link Switching on a Ring Network When the AC Functions As a Gateway
In normal cases, when STP detects network topology changes, the device sends TC
packets to instruct its ARP module to age out or delete ARP entries. In this case,
the device needs to learn ARP entries again to obtain the latest ARP entry
information. However, if the network topology changes frequently or network
devices on the network have a large number of ARP entries, ARP learning will
increase the number of ARP packets. These ARP packets will occupy excessive
system resources and affect running of other services.
To prevent this situation, you can disable ARP tables from responding to TC
packets. In this way, ARP entries of network devices on the network are not aged
out or deleted even if the network topology changes. In addition, you can enable
MAC address-triggered ARP entry update to prevent user service interruption even
if ARP entries are not updated in a timely manner. In wireless scenarios, IP traffic
forwarding at Layer 2 is not supported when links are switched on a ring network.
Therefore, it is recommended that this function be disabled.
# Disable the device from aging out or deleting ARP entries upon network
topology changes.
<HUAWEI> system-view
[HUAWEI] arp topology-change disable

# Enable MAC address-triggered ARP entry update.


<HUAWEI> system-view
[HUAWEI] mac-address update arp

# Disable IP traffic forwarding at Layer 2 when links are switched on a ring network.
<HUAWEI> system-view
[HUAWEI] ip forwarding converge normal

Configuring Port Isolation on Ports Connected to APs


In wireless application scenarios, APs typically do not need to access each other at
Layer 2 or exchange broadcast packets. Therefore, you can configure port isolation on switch ports connected to APs. This function improves user communication security and prevents invalid broadcast packet data from being sent to the APs, ensuring the APs' forwarding performance and user services. In addition, port
ensuring the APs' forwarding performance and user services. In addition, port
isolation needs to be configured for Layer 2 network devices connected to the AP
gateway. For example, port isolation needs to be configured on the ports of
aggregation switches connected to APs on the same Layer 2 network.
# Configure port isolation on GE1/0/1.
<HUAWEI> system-view
[HUAWEI] interface gigabitethernet 1/0/1
[HUAWEI-GigabitEthernet1/0/1] port-isolate enable group 1

User Isolation Is Recommended in Accounting Scenarios


In a traffic profile, user isolation prevents Layer 2 packets of all users from being
forwarded to each other. That is, the users cannot communicate with each other
after user isolation is enabled. This improves user communication security and
enables the gateway to centrally forward user traffic, facilitating user accounting
and management.
# Configure traffic profile traffic1 and Layer 2 wireless user isolation in the
profile.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] traffic-profile name traffic1
[HUAWEI-wlan-traffic-prof-traffic1] user-isolate l2
Warning: This action may cause service interruption. Continue?[Y/N]y

Enabling Optimized ARP Reply


A gateway may receive a large number of ARP Request packets that request the
device to reply with its local interface MAC address. If all these ARP Request
packets are sent to the control board for processing, the gateway's CPU is busy
with these ARP Request packets and cannot process other services.
To address the preceding problem, enable optimized ARP reply, which improves
the switch's capability of defending against ARP flood attack. After this function is
enabled, the switch performs the following operations:
● When receiving an ARP Request packet of which the destination IP address is
the local interface address, the LPU directly returns an ARP Reply packet.
● When a switch receives an ARP Request packet of which the destination IP
address is not the local interface address and intra-VLAN proxy ARP is enabled
on the switch, the LPU checks whether the ARP Request packet meets the
proxy condition. If so, the LPU returns an ARP Reply packet. If not, the LPU
discards the packet.
The optimized ARP reply function is applicable to the device with multiple LPUs
configured.
By default, the optimized ARP reply function is enabled. After a device receives an
ARP Request packet, the device checks whether an ARP entry corresponding to the
source IP address of the ARP Request packet exists.
● If the corresponding ARP entry exists, the switch performs optimized ARP
reply to this ARP Request packet.
● If the corresponding ARP entry does not exist, the switch does not perform
optimized ARP reply to this ARP Request packet.


Optimized ARP reply enabled globally or on a specified VLANIF does not take
effect if any of the following commands is executed:
● arp anti-attack gateway-duplicate enable: enables the ARP gateway anti-
collision function.
● arp ip-conflict-detect enable: enables IP address conflict detection.
● arp anti-attack check user-bind enable: enables dynamic ARP inspection.
● dhcp snooping arp security enable: enables egress ARP inspection.
● arp over-vpls enable: enables ARP proxy on the device located on a VPLS
network.
● arp-proxy enable: configures the routed ARP proxy function.
After the optimized ARP reply function is enabled, the following functions become
invalid:
● ARP rate limiting based on source MAC addresses (configured using the arp
speed-limit source-mac command)
● ARP rate limiting based on source IP addresses (configured using the arp
speed-limit source-ip command)
● Global ARP rate limiting, ARP rate limiting in VLANs, as well as ARP rate
limiting on interfaces (configured using the arp anti-attack rate-limit
enable command)

Reliability Configuration
ACs use cluster switch system (CSS) technology for networking, and access
switches are connected to different members in the CSS through Eth-Trunks. If one
AC is faulty, the network can be restored rapidly.

Figure 3-158 Reliability configuration

ARP Proxy Is Not Recommended When the AC Serves as a Gateway


The ARP proxy function increases the burden on the gateway, reducing the
number of wireless users supported by the AC. It is recommended that the ARP
proxy function be disabled when the AC serves as the gateway, unless otherwise
required.

The AC Is Not Recommended as a DHCP Server


Wireless users roam, causing DHCP lease renewal (a short lease). This poses high
requirements for the performance of the DHCP server. When the AC serves as a
DHCP server, AC system performance is consumed, reducing the number of
wireless users supported by the AC. Therefore, it is not recommended that the AC
serve as both the gateway and DHCP server, unless otherwise required.

Properly Deploying eSight


If eSight is deployed, it periodically collects system data from the AC. In this case,
you need to deploy Performance Management (PM) and set the collection interval
to 30 minutes or longer.
PM is a technology used to collect and measure various system performance
indicators. The following uses the collection interval of 30 minutes as an example.
<HUAWEI> system-view
[HUAWEI] pm
[HUAWEI-pm] statistics-task task1
[HUAWEI-pm-statistics-task1] sample-interval 30

PM technology periodically collects system data and consumes system resources. If
eSight is not deployed, it is recommended that PM be disabled.

3.12.1.2 WLAN Service Configuration Suggestion

Configuring WPA2 + 802.1X Authentication


In commercial use environments, secure authentication and encryption modes are
required. WPA2-AES encryption is recommended. High-security 802.1X
authentication together with AES encryption is more suitable for closed enterprise
networks.
# Configure WPA2 authentication (802.1X authentication and AES encryption).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa2 dot1x aes

If STAs of multiple types exist, you can configure different authentication and
encryption modes. Hybrid encryption is recommended.
# Configure WPA-WPA2 authentication (802.1X authentication and hybrid
encryption).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] security-profile name p1
[HUAWEI-wlan-sec-prof-p1] security wpa-wpa2 dot1x aes-tkip

Configuring the Retransmission Timeout Interval for RADIUS Request Packets

For a large-scale or busy network, configure the shortest retransmission timeout
interval for RADIUS request packets. When a long retransmission timeout interval
is set, retransmission occupies system resources. A short retransmission timeout
interval can improve the AC's packet processing capability.
The default retransmission timeout interval for wireless users is 5 seconds, which is
suitable for most wireless user authentication scenarios. When IP addresses of
more than eight authentication servers are configured in a RADIUS server
template, or 802.1X authentication is used, it is recommended that the
retransmission timeout interval be set to 1 second to improve network processing
efficiency.
# Set the retransmission timeout interval of RADIUS request packets to 1 second.
<HUAWEI> system-view
[HUAWEI] radius-server template test1
[HUAWEI-radius-test1] radius-server timeout 1

Configuring the Timeout Interval for Sending 802.1X Authentication Requests

By default, the timeout interval for an AC to send 802.1X authentication requests
is 30 seconds, and the maximum number of retransmission times is 2. In some
scenarios, you can adjust these values properly to optimize network deployment.
If one-time passwords (OTPs) are used (for example, the network maintenance
department sends access passwords to STAs by short message), a user must
request a password, receive it, and then enter it for authentication. This process
may take more than 30 seconds. In this case, set a longer timeout interval for
sending 802.1X authentication requests.
If the network environment is poor (for example, wireless interference is severe)
and many packets are lost, you are advised to set a short timeout interval for
sending 802.1X authentication requests and a large number of retransmission
times to improve network convergence performance.
# Set the timeout interval for sending 802.1X authentication requests to 20
seconds, and the maximum number of retransmission times to 4.
<HUAWEI> system-view
[HUAWEI] dot1x timer tx-period 20
[HUAWEI] dot1x-access-profile name d1
[HUAWEI-dot1x-access-profile-d1] dot1x retry 4

Reducing the Number of SSIDs


SSIDs identify different wireless networks. When you search for available wireless
networks on a STA, the displayed wireless network names are SSIDs.
It is recommended that a limited number of SSIDs be configured on an AC. A
maximum of 16 SSIDs can be configured for each AP. Too many SSIDs occupy AC
system resources.

Reducing the Association Aging Time of STAs


STAs in stadiums move frequently, and a large number of STAs associate with APs
deployed at stadium entrances in a short period of time. As a result, no new STA
can associate with the APs after the number of associated STAs reaches the upper
limit.
Many STAs will leave the coverage area of the APs. Therefore, you are advised to
set the association aging time of STAs to 1 minute.


In wireless city scenarios, you are advised to reduce the association aging time of
STAs. One minute is recommended.

# Set the association aging time of STAs to 1 minute in the SSID profile ssid1.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] ssid-profile name ssid1
[HUAWEI-wlan-ssid-prof-ssid1] association-timeout 1
Warning: This action may cause service interruption. Continue?[Y/N]y

STA Blacklist and Whitelist Are Not Recommended


On a WLAN, the blacklist or whitelist can be configured to filter access from STAs
based on specified rules. The blacklist or whitelist allows authorized STAs to
connect to the WLAN and rejects access from unauthorized STAs.

The STA blacklist and whitelist increase the burden on the AC and degrade AC
performance. Therefore, the blacklist and whitelist are not recommended, unless
otherwise required.

802.11r Is Not Recommended


802.11r is an IEEE protocol that defines fast roaming. Before associating with
target APs, STAs complete handshakes for initial identity authentication. By
default, 802.11r is disabled.

Only iOS 6 and later versions support 802.11r. STAs that do not support 802.11r
cannot associate with 802.11r-enabled WLANs. It is recommended that 802.11r be
disabled when multiple types of STAs exist on a WLAN.

AP Load Balancing Is Not Recommended


After AP load balancing is configured, APs in the load balancing group forward
received Probe packets to the AC. The AC then determines the APs from which
STAs can access the WLAN. Too many Probe packets may degrade AC
performance. Therefore, it is recommended that the AP load balancing function be
disabled, unless otherwise required.

The Function of Recording Successful STA Associations in the Log Is Not Recommended

After the function of recording successful STA associations in the log is enabled,
information about successfully associated STAs is recorded in the log, so that the
administrator can view information about successful STA associations. Recording
successful STA associations in the log degrades AC performance, especially in
scenarios with a large number of STAs. Therefore, it is recommended that this
function be disabled. This function is disabled by default.

# Disable the function of recording successful STA associations in the log.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] undo report-sta-assoc enable
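As an added example (not part of this document or of Huawei's tooling), the following Python script checks a constructed configuration dump against the recommendations in this section: Layer 2 user isolation in traffic profiles, WPA2 with 802.1X and AES in security profiles, a 1-second RADIUS timeout when 802.1X is used, and STA association logging. The dump layout, profile names and server address are assumptions constructed for the example.

```python
"""Audit a WLAN configuration dump against the recommendations in this section.

Example code added to this page; it is not Huawei's own tool, and the
configuration text below is constructed for illustration only.
"""
import re
from dataclasses import dataclass

# Constructed sample in the style of a `display current-configuration` dump.
# Sub-views are indented by one space, and '#' separates top-level sections.
SAMPLE_CONFIG = """\
radius-server template test1
 radius-server authentication 10.23.200.10 1812
 radius-server timeout 5
#
wlan
 report-sta-assoc enable
 security-profile name p1
  security wpa2 dot1x aes
 security-profile name guest
  security open
 security-profile name legacy
  security wpa-wpa2 dot1x aes-tkip
 traffic-profile name traffic1
  user-isolate l2
 traffic-profile name traffic2
#
"""

RECOMMENDED_SECURITY = "security wpa2 dot1x aes"


@dataclass(frozen=True)
class Finding:
    severity: str   # high / medium / low / review
    where: str      # profile or template name, or the view the finding applies to
    message: str


def parse_views(text):
    """Yield (parent_view, command) pairs, recovering view nesting from indentation."""
    stack = []  # (indent, command) of the enclosing views
    for raw in text.splitlines():
        cmd = raw.strip()
        if not cmd:
            continue
        if cmd == "#":
            stack.clear()          # '#' ends a top-level section
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()            # back out to the enclosing view
        yield (stack[-1][1] if stack else ""), cmd
        stack.append((indent, cmd))


def audit(text):
    """Return the list of findings for a configuration dump."""
    findings = []
    traffic_profiles, isolated = set(), set()
    radius_timeouts = []   # (template name, seconds)
    uses_dot1x = False

    for parent, cmd in parse_views(text):
        name = parent.split()[-1] if parent else ""
        if parent.startswith("security-profile name ") and cmd.startswith("security "):
            uses_dot1x |= "dot1x" in cmd.split()
            if re.match(r"security (open|wep)\b", cmd):
                findings.append(Finding("high", name,
                    f"'{cmd}': no authentication or encryption; use '{RECOMMENDED_SECURITY}'"))
            elif "tkip" in cmd:
                findings.append(Finding("review", name,
                    f"'{cmd}': hybrid encryption keeps TKIP for legacy STAs; confirm they still exist"))
            elif "dot1x" not in cmd.split():
                findings.append(Finding("medium", name,
                    f"'{cmd}': not 802.1X; closed enterprise networks should use '{RECOMMENDED_SECURITY}'"))
        elif cmd.startswith("traffic-profile name "):
            traffic_profiles.add(cmd.split()[-1])
        elif parent.startswith("traffic-profile name ") and cmd == "user-isolate l2":
            isolated.add(name)
        elif parent.startswith("radius-server template "):
            m = re.match(r"radius-server timeout (\d+)$", cmd)
            if m:
                radius_timeouts.append((name, int(m.group(1))))
        elif parent == "wlan" and cmd == "report-sta-assoc enable":
            findings.append(Finding("low", "wlan",
                "successful STA associations are logged; this degrades AC performance with many STAs"))

    # Traffic profiles without Layer 2 isolation let users reach each other directly.
    for name in sorted(traffic_profiles - isolated):
        findings.append(Finding("medium", name,
            "no 'user-isolate l2'; Layer 2 user isolation is recommended in accounting scenarios"))
    # The 1 s RADIUS timeout recommendation only applies once 802.1X is in use.
    if uses_dot1x:
        for name, seconds in radius_timeouts:
            if seconds > 1:
                findings.append(Finding("low", name,
                    f"RADIUS timeout is {seconds} s; 1 s is recommended when 802.1X is used"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.where}: {f.message}")
```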


Reporting Information about STA Traffic and Online Duration on APs Is Not
Recommended
You can enable an AC to report information about STA traffic and online duration
on APs to eSight. After this function is enabled, the AC collects and reports the
information to eSight through Syslog when STAs get offline or roam within the
AC, which facilitates data query on eSight.

Frequent information reporting degrades AC performance, especially in scenarios
with a large number of STAs. Therefore, it is recommended that this function be
disabled no matter whether eSight is deployed on a WLAN. This function is
disabled by default.

# Disable the AC from reporting information about STA traffic and online duration
on APs.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] undo report-sta-info enable

Enabling the Function of Disconnecting Weak-Signal STAs


This function is recommended in high-density stadium and higher education
scenarios, but not recommended in wireless city scenarios.

3.12.1.3 Security Configuration Suggestion

Network Security Suggestion


To protect network devices' CPU against attacks and ensure that users can use
network resources properly, user control traffic and data traffic need to be limited.
It is recommended that the traffic be limited on network edges, that is, on APs.

● Control traffic limiting: ARP, ND, and IGMP flood attack detection is enabled
on an AP by default. The rate thresholds for ARP, ND, and IGMP flood attack
detection are 5 pps, 16 pps, and 4 pps, respectively. You are not advised to
change the default values. When service traffic is heavy on a network, the
values can be increased properly. However, it is recommended that the values
be increased by no more than 100%.
# Set the rate threshold for ARP flood attack detection to 10 pps. (This
function is supported only by V200R010.)
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] vap-profile name profile1
[HUAWEI-wlan-vap-prof-profile1] anti-attack arp-flood sta-rate-threshold 10

● Data traffic limiting: The rate limit of upstream and downstream packets for
each STA or all STAs associated with a VAP is configured in a traffic profile on
an AP.
# Set the rate limit of upstream packets to 1 Mbit/s for each STA associated
with the VAP that has the traffic profile p1.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] traffic-profile name p1
[HUAWEI-wlan-traffic-prof-p1] rate-limit client up 1024

Different suggestions are provided for X series cards and non-X series cards of ACs.


● The user-level rate limiting function is recommended for X series cards and is
enabled by default. Supported packet types include ARP Request, ARP Reply,
ND, DHCP Request, DHCPv6 Request, and 802.1X. By default, the user-level
rate limit is 10 pps. You can adjust the rate limit for a specified STA.
# Set the rate limit threshold for the STA with MAC address 000a-000b-000c
to 20 pps.
<HUAWEI> system-view
[HUAWEI] cpu-defend host-car mac-address 000a-000b-000c pps 20

● The attack source tracing function is recommended for non-X series cards and
is enabled by default. If the number of protocol packets of normal services
exceeds the specified checking threshold and an attack source punishment
action is configured, the attack source tracing function may affect these
normal services. You can attempt to disable the attack source tracing function
or disable this function for corresponding protocols to restore the services.
# Configure the device to discard packets from the identified source every 10
seconds.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] auto-defend action deny timer 10

# Delete IGMP and TTL-expired packets from the list of traced packets.
<HUAWEI> system-view
[HUAWEI] cpu-defend policy test
[HUAWEI-cpu-defend-policy-test] auto-defend enable
[HUAWEI-cpu-defend-policy-test] undo auto-defend protocol igmp ttl-expired

ICMP Fast Reply Is Recommended


Ping is a common method for checking network connectivity. However, a large
number of ICMP packets affect device performance, reducing the number of
wireless users supported by the AC. The ICMP fast reply function is enabled on a
switch by default. Keep this function enabled, unless otherwise required.

CAPWAP Tunnel Encryption Is Not Recommended


The AC and APs transmit management packets through a Control and
Provisioning of Wireless Access Points (CAPWAP) tunnel. To ensure tunnel
confidentiality and security, you can use Datagram Transport Layer Security
(DTLS) to encrypt packets transmitted in the CAPWAP tunnel. DTLS encryption,
however, degrades AC performance. It is recommended that DTLS encryption be
disabled in scenarios without high security requirements or special customer
requirements.

3.12.1.4 Radio Configuration Suggestion

WIDS Is Not Recommended


Wireless Intrusion Detection System (WIDS) enables monitoring APs to
periodically detect wireless signals. In this manner, the AC can obtain information
about devices on the wireless network and take measures to prevent access from
unauthorized devices. Frequent monitoring and data reporting, however, degrade
AC performance. Therefore, it is recommended that WIDS be disabled, unless
otherwise required.


Scanning Channels of Unauthorized Devices


If the WIDS function is enabled, an AP scans all channels supported by the
corresponding country code by default. Frequent channel scanning degrades AC
performance. It is recommended that only calibration channels be scanned.
# Configure an air scan channel set that contains all calibration channels.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] air-scan-profile name myprofile
[HUAWEI-wlan-air-scan-prof-myprofile] scan-channel-set dca-channel

Configuring a Proper Interval for Reporting Information About Unauthorized Devices

If WIDS is enabled, a monitoring AP caches information about detected wireless
devices at the interval at which an AP incrementally reports wireless device
information. When the interval is reached, the monitoring AP reports the
information to the AC and then clears the reported information.
By default, an AP incrementally reports wireless device information to an AC at an
interval of 300 seconds. You are not advised to change the default value. When a
short interval is set, suspicious devices can be rapidly detected. If the interval is
too short, however, information about unauthorized devices that exist
instantaneously may be incorrectly reported. As a result, the reported information
may be incorrect, and information reporting occupies unnecessary AC and AP
resources.
# Set the interval at which an AP incrementally reports wireless device information
to an AC to 120 seconds.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] air-scan-profile name myprofile
[HUAWEI-wlan-air-scan-prof-myprofile] quit
[HUAWEI-wlan-view] ap-group name office
[HUAWEI-wlan-ap-group-office] radio 0
[HUAWEI-wlan-group-radio-office/0] wids device detect enable
[HUAWEI-wlan-group-radio-office/0] quit
[HUAWEI-wlan-ap-group-office] quit
[HUAWEI-wlan-view] wids-profile name office
[HUAWEI-wlan-wids-prof-office] device report-interval 120

Properly Configuring Radio Calibration


On a WLAN, operating status of APs is affected by the radio environment. In this
case, you can configure radio calibration. The radio calibration function can
dynamically adjust channels and power of APs managed by the same AC to ensure
that the APs work at the optimal performance.

Figure 3-159 Channels in the 2.4 GHz frequency band


Frequent radio calibration degrades AC performance. Because radio signals are
centralized in high-density stadiums, radio calibration is triggered frequently to
prevent signal overlapping and interference. Therefore, it is recommended that
radio calibration be disabled in high-density stadiums, and manual or scheduled
calibration be used.

Figure 3-160 Channel adjustment principle

# Set the radio calibration mode to manual.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] calibrate enable manual

# Set the radio calibration mode to schedule and set the time for scheduled radio
calibration to 20:30:00.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] calibrate enable schedule time 20:30:00

Properly Configuring Band Steering


Compared with the 2.4 GHz frequency band, the 5 GHz frequency band has fewer
interference sources and more available channels, and provides higher access
capability.

Most STAs support both the 5 GHz and 2.4 GHz frequency bands, and usually
associate with the 2.4 GHz frequency band by default when connecting to the
Internet through APs. To associate STAs with the 5 GHz frequency band, you need
to manually select the 5 GHz frequency band. The band steering function
addresses this issue.

After the band steering function is enabled for a specified SSID on the AC, the AP
preferentially associates the STAs connected to the SSID with the 5 GHz frequency
band. After the 5 GHz frequency band is fully loaded, the AP steers the STAs to
the 2.4 GHz frequency band.

If both radios of an AP use the same VAP profile, the band steering function takes
effect on both the radios as long as the function is enabled for an SSID on one
radio of the AP. For example, if the band steering function is enabled for the SSID
huawei on the 2.4 GHz radio but not on the 5 GHz radio, the AP preferentially
steers STAs associated with the SSID to the 5 GHz radio.

The band steering function is enabled by default. Single-radio APs do not support
the band steering function.

Enabling Smart Roaming Based on Scenarios


On a traditional WLAN, when a STA is moving away from an AP, the STA's access
rate becomes lower, but the STA still associates with the AP instead of re-initiating
a connection with the AP or roaming to another AP. This degrades user experience.
The smart roaming function can address this issue. When detecting that the
signal-to-noise ratio (SNR) or access rate of a STA is lower than the specified
threshold, the AP sends a Disassociation packet to the STA so that the STA can
reconnect to the AP or roam to another AP.

This function applies to high-density static scenarios, for example, lecture halls.
This function is not recommended in scenarios where STAs move frequently, such
as wireless cities. If this function is enabled, you are advised to retain the default
roaming threshold.

If a high roaming threshold is configured, STAs may go offline frequently. If a
small roaming threshold is configured, STAs cannot roam to APs with better
signals in a timely manner.

# Enable smart roaming. (in versions earlier than V200R011C10SPC600)
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rrm-profile name myprofile
[HUAWEI-wlan-rrm-prof-myprofile] smart-roam enable

# Enable smart roaming. (in versions between V200R011C10SPC600 and
V200R021C00SPC100)
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rrm-profile name myprofile
[HUAWEI-wlan-rrm-prof-myprofile] undo smart-roam disable

# Enable smart roaming. (in V200R021C00SPC100 and later versions)
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rrm-profile name myprofile
[HUAWEI-wlan-rrm-prof-myprofile] smart-roam enable

Dynamic EDCA Parameter Adjustment Is Recommended


A WLAN has only three non-overlapping channels on the 2.4 GHz frequency band.
When APs are densely deployed in high-density indoor scenarios of universities,
multiple APs have to work on the same channel. As a result, co-channel
interference is caused and degrades network performance.


The dynamic EDCA parameter adjustment function allows APs to adjust EDCA
parameters flexibly by detecting the number of STAs to reduce the possibility of
collision, improve the throughput, and enhance user experience.
# Enable dynamic EDCA parameter adjustment.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rrm-profile name myprofile
[HUAWEI-wlan-rrm-prof-myprofile] dynamic-edca enable

Enabling the Short GI


In high-density indoor scenarios of universities, you are advised to enable the
short GI to improve the transmission rate of 802.11n and 802.11ac packets.
# Set the GI mode to short.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] radio-2g-profile name default
[HUAWEI-wlan-radio-2g-prof-default] guard-interval-mode short

Setting the RTS-CTS Operation Mode in a Radio Profile


The Request To Send/Clear To Send (RTS/CTS) handshake protocol prevents data
transmission failures caused by channel conflicts. If STAs perform RTS/CTS
handshakes before sending data each time, RTS frames consume high channel
bandwidth. In high-density indoor scenarios of universities, you are advised to use
the RTS/CTS mode.
# Set the RTS-CTS operation mode to rts-cts in a radio profile.
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] radio-2g-profile name default
[HUAWEI-wlan-radio-2g-prof-default] rts-cts-mode rts-cts
[HUAWEI-wlan-radio-2g-prof-default] rts-cts-threshold 1400
[HUAWEI-wlan-radio-2g-prof-default] quit
[HUAWEI-wlan-view] radio-5g-profile name default
[HUAWEI-wlan-radio-5g-prof-default] rts-cts-mode rts-cts
[HUAWEI-wlan-radio-5g-prof-default] rts-cts-threshold 1400
[HUAWEI-wlan-radio-5g-prof-default] quit

Disconnecting Weak-Signal STAs


If the uplink signal strength of a STA received by an AP is low, the STA is far away
from the AP. If the STA continues to connect to the AP, a large number of packets
are retransmitted and air interface resources are wasted. To prevent the STA from
reducing the throughput of the entire AP, you are advised to force the STA to go
offline so that the STA can associate with an AP with better signal quality.
NOTE

If a large signal strength threshold is set, STAs may go offline easily. Set a proper threshold
based on the actual situation.

# Enable the function of disconnecting weak-signal STAs (V200R011C00 and
earlier versions).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rrm-profile name default
[HUAWEI-wlan-rrm-prof-default] smart-roam enable
[HUAWEI-wlan-rrm-prof-default] smart-roam roam-threshold check-snr
[HUAWEI-wlan-rrm-prof-default] smart-roam quick-kickoff-threshold snr 20

# Enable the function of disconnecting weak-signal STAs (V200R011C10 and later
versions).
<HUAWEI> system-view
[HUAWEI] wlan
[HUAWEI-wlan-view] rrm-profile name default
[HUAWEI-wlan-rrm-prof-default] undo smart-roam quick-kickoff-threshold disable
[HUAWEI-wlan-rrm-prof-default] smart-roam quick-kickoff-threshold check-snr
[HUAWEI-wlan-rrm-prof-default] smart-roam quick-kickoff-threshold snr 20

3.12.2 General Precautions for WLAN


● For details about WLAN AC service deployment on ACU2, see the
corresponding ACU2 manual.
● Before configurations in this chapter, set the NAC mode to unified (default).
To check the current NAC mode, run the display authentication mode
command.
● For mapping between switch versions and AP versions, and AP models
supported by different versions, see Quick Reference for WLAN AP Version
Mapping and Models.

3.12.3 Example for Configuring WLAN Services on a Small-Scale Network

Small-Scale WLAN Overview
In this document, a Wireless Local Area Network (WLAN) uses 2.4 GHz or 5 GHz
radio as the transmission medium. WLANs are widely used due to their low cost,
flexibility, scalability, and mobility compared to wired networks.
A small-scale WLAN can be a small campus network independently deployed for a
small- or medium-sized enterprise, or a branch network. A small-scale WLAN
requires only a few network devices to serve its users.

Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
● In this example, the security policy is WPA2-PSK-AES. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.


● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
Service packets and management packets can be forwarded normally
only if the network between APs and upper-layer network is added to the
service VLAN and the network between the AC and APs is added to the
management VLAN.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.

Networking Requirements
An enterprise has a small-scale branch network. The enterprise needs to deploy
WLAN services for mobile office so that its employees can access the enterprise
internal network anywhere and anytime.
As shown in Figure 3-161, the AC is connected to the AP through a PoE switch,
and the PoE switch supplies power to the AP. The WLAN service is configured on
the AC, and delivered to APs.


Figure 3-161 Networking of a small-scale WLAN

Data Planning

Table 3-77 Data planning

DHCP server: The AC functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for APs: 10.23.100.2-10.23.100.254/24
IP address pool for STAs: 10.23.101.2-10.23.101.254/24
IP address of the AC's source interface: VLANIF 100: 10.23.100.1/24
AP group:
● Name: ap-group1
● Referenced profiles: VAP profile wlan-vap and regulatory domain profile domain1
Regulatory domain profile:
● Name: domain1
● Country code: CN
SSID profile:
● Name: wlan-ssid
● SSID name: wlan-net
Security profile:
● Name: wlan-security
● Security policy: WPA2+PSK+AES
● Password: YsHsjx_202206
VAP profile:
● Name: wlan-vap
● Forwarding mode: tunnel forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile wlan-ssid and security profile wlan-security

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the AP, AC, SwitchA, and upstream device to implement Layer 2
interoperation.
2. Configure the AC to function as a DHCP server to assign IP addresses to the
STAs and AP.
3. Configure the AP to go online.
a. Create an AP group to allow for the unified configuration of multiple APs.
b. Configure AC system parameters, including the country code and source
interface used by the AC to communicate with the AP.
c. Configure the AP authentication mode and import the AP offline so that
the AP can go online properly.
4. Configure WLAN service parameters for STAs to access the WLAN.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP and GE0/0/2 that connects
SwitchA to the AC to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] stp edged-port enable
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.
NOTE

Configure AC uplink interfaces to transparently transmit service VLAN packets as required and communicate with the upstream device.

# Add AC uplink interface GE1/0/2 to service VLAN 101.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.
# Configure the AC as the DHCP server to allocate an IP address to the AP from
the IP address pool on VLANIF 100, and allocate IP addresses to STAs from the IP
address pool on VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure the AP to go online.
# Create an AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import an AP offline on the WLAN AC and add the AP to AP group ap-group1.
Assume that the AP's MAC address is 00e0-fc11-1111. Configure a name for the
AP based on the AP's deployment location, so that you can know where the AP is
deployed from its name. For example, name the AP area_1 if it is deployed in Area
1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
The AP used in this example has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc11-1111
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# Power on the AP and run the display ap all command to check the AP state. If
the State field is displayed as nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extrainfo : Extra information
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.
# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to YsHsjx_202206. In
actual situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase YsHsjx_202206 aes //Configure security policy WPA2+PSK+AES.
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Commit the configuration.
[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 7 Verify the configuration.

After the service configuration is complete, run the display vap ssid wlan-net
command. In the command output, if Status is ON, the VAPs have been
successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 00E0-FC11-1111 ON WPA2-PSK 0 wlan-net
0 area_1 1 1 00E0-FC11-1112 ON WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password
YsHsjx_202206. Run the display station ssid wlan-net command on the AC. The
command output shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
00e0-fc11-1115 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 35 ap-mac 00e0-fc11-1111 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

3.12.4 Example for Configuring the WLAN Service on Medium- and Large-Scale Campus Networks

Medium- and Large-Scale WLAN Overview
In this document, a Wireless Local Area Network (WLAN) uses 2.4 GHz or 5 GHz
radio as transmission medium. WLANs are widely used due to their low cost,
flexibility, scalability, and mobility compared to wired networks.
Medium- and large-scale campus WLANs are deployed in headquarters of large
and medium enterprises, branches of large enterprises, colleges and universities,
and airports.

Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
● In this example, the security policy is WPA2-PSK-AES. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, a large number of broadcast
packets are transmitted in the VLANs, and WLAN users on different APs can
communicate directly at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
Service packets and management packets can be forwarded normally
only if the network between APs and upper-layer network is added to the
service VLAN and the network between the AC and APs is added to the
management VLAN.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.
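
The notes above are checkable rules rather than advice only: the management VLAN (the VLANIF named by capwap source interface) must differ from every VAP's service VLAN in tunnel forwarding mode, the examples prune VLAN 1 from every trunk, and every VAP should bind a WPA2 or WPA3 security profile. The following audit script applies those rules to an AC configuration file in the flat "Configuration Files" layout printed in this chapter. It is an added example, not Huawei's code or tooling; the sample configuration is constructed with two planted defects, the pass-phrase is a placeholder, and the parser assumes the one-command-per-line layout shown here.

```python
import re

# Constructed sample in the layout of this chapter's AC configuration file, with
# two planted defects: the VAP's service VLAN equals the management VLAN (100)
# and the uplink trunk still carries VLAN 1. The pass-phrase is a placeholder.
SAMPLE_AC_CONFIG = """\
#
vlan batch 100 to 101
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase EXAMPLE_PLACEHOLDER aes
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 100
security-profile wlan-security
ap-group name ap-group1
#
return
"""

def parse_blocks(config):
    """Split the file into '#'-delimited blocks of stripped, non-empty lines."""
    blocks, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        blocks.append(current)
    return blocks

def management_vlan(config):
    """VLAN of the VLANIF named by 'capwap source interface', else None."""
    m = re.search(r"^\s*capwap source interface vlanif\s*(\d+)\s*$", config, re.M)
    return int(m.group(1)) if m else None

def wlan_profiles(blocks):
    """Map (kind, name) -> {keyword: rest-of-line} for each 'xxx name yyy'
    section of the wlan block; 'ap-id' records are per-AP entries, not profiles."""
    profiles, current = {}, None
    for block in blocks:
        if block[0] != "wlan":
            continue
        for line in block[1:]:
            m = re.fullmatch(r"(\S+) name (\S+)", line)
            if m:
                current = profiles.setdefault((m.group(1), m.group(2)), {})
            elif line.startswith("ap-id "):
                current = None
            elif current is not None:
                key, _, value = line.partition(" ")
                current[key] = value
    return profiles

def service_vlan(vap):
    """'service-vlan vlan-id N'; the chapter states the default is VLAN 1."""
    m = re.fullmatch(r"vlan-id (\d+)", vap.get("service-vlan", ""))
    return int(m.group(1)) if m else 1

def trunks_carrying_vlan1(blocks):
    """Trunk interfaces that never ran 'undo port trunk allow-pass vlan 1'."""
    return [block[0].split(" ", 1)[1] for block in blocks
            if block[0].startswith("interface ") and "port link-type trunk" in block
            and "undo port trunk allow-pass vlan 1" not in block]

def audit(config):
    """Return findings as strings; an empty list means every check passed."""
    blocks = parse_blocks(config)
    mgmt = management_vlan(config)
    profiles = wlan_profiles(blocks)
    findings = [] if mgmt is not None else ["ERROR: no 'capwap source interface' configured"]
    for (kind, name), vap in profiles.items():
        if kind != "vap-profile":
            continue
        svc = service_vlan(vap)
        if svc == mgmt:
            # Forbidden in tunnel forwarding mode, advised against in direct mode.
            level = "ERROR" if vap.get("forward-mode") == "tunnel" else "WARNING"
            findings.append(f"{level}: vap-profile {name}: service VLAN {svc} "
                            f"equals management VLAN {mgmt}")
        sec = profiles.get(("security-profile", vap.get("security-profile")), {})
        if not sec.get("security", "").startswith(("wpa2", "wpa3")):
            findings.append(f"ERROR: vap-profile {name}: security policy is not WPA2/WPA3-only")
    findings += [f"WARNING: {i}: trunk still allows VLAN 1" for i in trunks_carrying_vlan1(blocks)]
    return findings
```

Running audit(SAMPLE_AC_CONFIG) reports the planted VLAN overlap as an error and the VLAN 1 trunk as a warning; after moving the service VLAN to 101 and adding undo port trunk allow-pass vlan 1, it returns an empty list.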

Networking Requirements
As shown in Figure 3-162, an enterprise's AC connects to the egress gateway
Router of the campus network and connects to the AP through a PoE switch. The
PoE switch provides power to the AP.
The enterprise requires a WLAN with SSID wlan-net so that users can access the
enterprise internal network from anywhere at any time. The Router needs to
function as a DHCP server to assign IP addresses on 10.23.101.0/24 to users, and
the users are managed on the AC.

Figure 3-162 WLAN service configuration networking on a medium-scale network

Data Planning

Table 3-78 Data planning

DHCP server: The AC functions as the DHCP server to assign IP addresses to APs, and the Router functions as the DHCP server to assign IP addresses to STAs.
IP address pool for the APs: 10.23.100.2-10.23.100.254/24
IP address pool for STAs: 10.23.101.3-10.23.101.254/24
IP address of the AC's source interface: VLANIF 100: 10.23.100.1/24
AP group:
● Name: ap-group1
● Referenced profiles: VAP profile wlan-vap and regulatory domain profile domain1
Regulatory domain profile:
● Name: domain1
● Country code: CN
SSID profile:
● Name: wlan-ssid
● SSID name: wlan-net
Security profile:
● Name: wlan-security
● Security policy: WPA2+PSK+AES
● Password: YsHsjx_202206
VAP profile:
● Name: wlan-vap
● Forwarding mode: tunnel forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile wlan-ssid and security profile wlan-security

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the APs, AC, and upper-layer devices to communicate with each
other.
2. Configure the AC as a DHCP server to assign an IP address to the AP from an
interface IP address pool, configure the AC as a DHCP relay agent, and
configure the Router connected to the AC to assign IP addresses to STAs.
3. Configure the WLAN service for users to connect to the Internet.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.
# Add GE0/0/1 that connects SwitchA to the AP and GE0/0/2 that connects
SwitchA to the AC to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] stp edged-port enable
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.
# Configure VLANIF 101 (service VLAN) and VLANIF 102.
[AC] vlan batch 101 102
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit

# Configure a default route on the AC.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.102.1 //Configure a default route destined for Router.

# Add GE1/0/2 that connects the AC to the Router to VLAN 102.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC to assign an IP address to the AP and configure the Router to
assign IP addresses to STAs.
# Configure the AC to assign an IP address to the AP from an interface IP address
pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent and enable user entry detection on
the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.23.102.1 //Set the DHCP server address for DHCP relay to 10.23.102.1, which resides on Router.
[AC-Vlanif101] quit

# Configure the Router as a DHCP server to assign IP addresses to STAs.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta //Configure the address pool to assign IP addresses to STAs.
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24
[Router-Vlanif102] dhcp select global //Configure a global address pool.
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] undo port trunk allow-pass vlan 1
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.102.2 //Configure a route on the Router destined for the network segment 10.23.101.0/24.

Step 4 Configure the AP to go online.
# Create an AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import an AP offline on the WLAN AC and add the AP to AP group ap-group1.
Assume that the AP's MAC address is 00e0-fc11-1111. Configure a name for the
AP based on the AP's deployment location, so that you can know where the AP is
deployed from its name. For example, name the AP area_1 if it is deployed in Area
1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
The AP used in this example has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc11-1111
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# Power on the AP and run the display ap all command to check the AP state. If
the State field is displayed as nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extrainfo : Extra information
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1

Step 5 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to YsHsjx_202206. In
actual situations, the security policy must be configured according to service requirements.

[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase YsHsjx_202206 aes //Configure security policy WPA2+PSK+AES.
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Commit the configuration.
[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 7 Verify the configuration.

After the service configuration is complete, run the display vap ssid wlan-net
command. In the command output, if Status is ON, the VAPs have been
successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------
0 area_1 0 1 00E0-FC11-1111 ON WPA2-PSK 0 wlan-net
0 area_1 1 1 00E0-FC11-1112 ON WPA2-PSK 0 wlan-net
-------------------------------------------------------------------------------
Total: 2

Connect STAs to the WLAN with SSID wlan-net and enter the password
YsHsjx_202206. Run the display station ssid wlan-net command on the AC. The
command output shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
---------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
---------------------------------------------------------------------------------
00e0-fc11-1115 0 area_1 1/1 5G 11n 46/59 -68 101 10.23.101.254
---------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
return
● Router configuration file
#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
ip route-static 10.23.101.0 255.255.255.0 10.23.102.2
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.102.1
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
ip route-static 0.0.0.0 0.0.0.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 35 ap-mac 60de-4476-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

3.12.5 Example for Configuring Unified Access for Wired and Wireless Users

Overview of Unified Access for Wired and Wireless Users
In practice, both wired and wireless users need to access one network. For
example, the PCs and printers of a company connect to the network in wired
mode, and laptops and mobile phones connect wirelessly. After unified access for
wired and wireless users is configured on a network, both wired and wireless users
can access the network and be managed in a unified manner.

Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● Configure a proper RADIUS packet retransmission timeout interval.
For a large-scale or busy network, configure the shortest retransmission
timeout interval for RADIUS request packets. When a long retransmission
timeout interval is set, retransmission occupies system resources. A short
retransmission timeout interval can improve the AC's packet processing
capability.
The default retransmission timeout interval for wireless users is 5 seconds,
which is suitable for most wireless user authentication scenarios. When IP
addresses of more than eight authentication servers are configured in a
RADIUS server template, or 802.1X authentication is used, it is recommended
that the retransmission timeout interval be set to 1 second to improve
network processing efficiency.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need to run the commit all command.
● In this example, Portal authentication is used. To ensure network security,
configure an appropriate security policy according to service requirements.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
Service packets and management packets can be forwarded normally
only if the network between APs and upper-layer network is added to the
service VLAN and the network between the AC and APs is added to the
management VLAN.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.

Networking Requirements
A hospital needs to deploy both a wired and a wireless network. To simplify
management and maintenance, the administrator requires that wired and wireless
users be centrally managed on the AC, that non-authentication and Portal
authentication be configured for the wired and wireless users respectively, and
that intra-AC roaming be enabled for wireless users.
As shown in Figure 3-163, the AC connects to the egress gateway Router in the
uplink direction. In the downstream direction, the AC connects to and manages
APs through access switches S5700-1 and S5700-2. S5700-1 is deployed on the
first floor, and S5700-2 is deployed on the second floor. An AP2030DN is deployed
in each room to provide both wired and wireless access. AP5030DNs are deployed
in corridors to provide wireless network coverage. Both S5700-1 and S5700-2 are
PoE switches and supply power to connected APs.
To facilitate network planning and management, the access switches are only
used to transparently transmit data at Layer 2, and all gateways are configured on
the AC.
The AC functions as a DHCP server to assign IP addresses to APs, STAs, and PCs.
The following uses an AC running V200R009C00 as an example. The key
configurations vary in different versions. For details, see the Command Reference
in the actual version.


Figure 3-163 Networking for unified wired and wireless access

Data Planning

Table 3-79 Network data planning

Item            | Interface                   | VLAN     | Description
AC              | GE1/0/1                     | 100, 201 | Connected to S5700-1
AC              | GE1/0/2                     | 100, 202 | Connected to S5700-2
AC              | GE1/0/3                     | 200      | Connected to the controller
AC              | GE1/0/4                     | 300      | Connected to the egress gateway
S5700-1         | GE0/0/1                     | 100, 201 | Connected to the AC
S5700-1         | GE0/0/2                     | 100, 201 | Connected to AP101
S5700-1         | GE0/0/3                     | 100, 201 | Connected to AP102
S5700-1         | GE0/0/4                     | 100, 201 | Connected to AP103
S5700-2         | GE0/0/1                     | 100, 202 | Connected to the AC
S5700-2         | GE0/0/2                     | 100, 202 | Connected to AP201
S5700-2         | GE0/0/3                     | 100, 202 | Connected to AP202
S5700-2         | GE0/0/4                     | 100, 202 | Connected to AP203
AP101 and AP102 | Eth0/0/0, Eth0/0/1, GE0/0/0 | 201      | GE0/0/0 connects to S5700-1. Eth0/0/0 and Eth0/0/1 connect to wired users. AP101 and AP102 are AP2030DNs deployed in rooms on the first floor to provide both wired and wireless access.
AP103           | -                           | -        | AP103 is an AP5030DN deployed in the corridor on the first floor to provide wireless access.
AP201 and AP202 | Eth0/0/0, Eth0/0/1, GE0/0/0 | 202      | GE0/0/0 connects to S5700-2. Eth0/0/0 and Eth0/0/1 connect to wired users. AP201 and AP202 are AP2030DNs deployed in rooms on the second floor to provide both wired and wireless access.
AP203           | -                           | -        | AP203 is an AP5030DN deployed in the corridor on the second floor to provide wireless access.

Table 3-80 Service data planning

Item: IP address of the AC's source interface
Data: 10.23.100.1/24
Description: -

Item: AP group
Data:
● Name: ap-group1
● Referenced profiles: VAP profile wlan-vap1, regulatory domain profile domain1, and radio profiles radio-2g and radio-5g
● Name: ap-group2
● Referenced profiles: VAP profile wlan-vap2, regulatory domain profile domain1, and radio profiles radio-2g and radio-5g
Description: -

Item: Portal access profile
Data:
● Name: portal1
● Referenced template: Portal server template portal1
Description: -

Item: Authentication profile
Data:
● Name: portal1
● Referenced profile: Portal access profile portal1
Description: -

Item: Regulatory domain profile
Data:
● Name: domain1
● Country code: CN
Description: -

Item: AP wired port profile
Data: Name: wired1, wired2, wired3, or wired4
Description: -

Item: RRM profile
Data: Name: rrm1
Description: -

Item: Radio profile
Data:
● Name: radio-2g or radio-5g
● Referenced profile: RRM profile rrm1
Description: -

Item: Security profile
Data:
● Name: wlan-security
● Security and authentication policy: OPEN
Description: -

Item: SSID profile
Data:
● Name: wlan-ssid
● SSID: hospital-wlan
Description: -

Item: Traffic profile
Data: Name: traffic1
Description: -

Item: VAP profile
Data:
● Name: wlan-vap1
● SSID: hospital-wlan
● Service data forwarding mode: tunnel forwarding
● Service VLAN: VLAN 101
● Referenced profiles: security profile wlan-security, SSID profile wlan-ssid, authentication profile portal1, and traffic profile traffic1
Description: Provides WLAN network coverage for the first floor of the building.

Item: VAP profile
Data:
● Name: wlan-vap2
● SSID: hospital-wlan
● Service data forwarding mode: tunnel forwarding
● Service VLAN: VLAN 102
● Referenced profiles: security profile wlan-security, SSID profile wlan-ssid, authentication profile portal1, and traffic profile traffic1
Description: Provides WLAN network coverage for the second floor of the building.

Item: DHCP server
Data: The AC functions as a DHCP server to assign IP addresses to APs, STAs, and PCs.
Description: -

Item: AP gateway and IP address pool range
Data: VLANIF 100: 10.23.100.1/24, 10.23.100.2-10.23.100.254/24
Description: -

Item: Gateway and IP address pool range of STAs
Data:
● VLANIF 101: 10.23.101.1/24, 10.23.101.2-10.23.101.254/24
● VLANIF 102: 10.23.102.1/24, 10.23.102.2-10.23.102.254/24
Description: -

Item: Gateway and IP address pool range of wired users
Data:
● VLANIF 201: 10.23.201.1/24, 10.23.201.2-10.23.201.254/24
● VLANIF 202: 10.23.202.1/24, 10.23.202.2-10.23.202.254/24
Description: -

Item: Server parameters
Data:
Authentication server:
● IP address: 10.23.200.1
● Port number: 1812
● RADIUS shared key: YsHsjx_202206
Accounting server:
● IP address: 10.23.200.1
● Port number: 1813
● RADIUS shared key: YsHsjx_202206
Authorization server:
● IP address: 10.23.200.1
● RADIUS shared key: YsHsjx_202206
Portal server:
● IP address: 10.23.200.1
● Port number that the AC uses to listen on Portal protocol packets: 2000
● Destination port number in the packets that the AC sends to the Portal server: 50100
● Portal shared key: YsHsjx_202206
● Encryption key for the URL parameters that the AC sends to the Portal server: YsHsjx_202206
Description:
● The controller provides RADIUS server and Portal server functions; therefore, the controller IP address is used as the authentication server, accounting server, authorization server, and Portal server.
● Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server.
● Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as that of the authentication server and accounting server.

Table 3-81 Radio channel data planning

Item  | Data
AP101 | Radio 0: channel 1 and power level 10
AP102 | Radio 0: channel 6 and power level 10
AP103 | Radio 0: channel 11 and power level 10; Radio 1: channel 153 and power level 10
AP201 | Radio 0: channel 1 and power level 10
AP202 | Radio 0: channel 6 and power level 10
AP203 | Radio 0: channel 11 and power level 10; Radio 1: channel 157 and power level 10

Description (applies to all APs): Use the WLAN Planner to plan AP installation locations, and the working channel and power of each AP radio. Set the channel mode and power mode to fixed, and configure the channel and power for each AP.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, S5700-1, S5700-2, and other
network devices.
2. Configure the AC as a DHCP server to assign IP addresses to APs, wired users,
and wireless users.
3. Configure a RADIUS server template, configure authentication, accounting,
and authorization in the template, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP
management, and WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can
access the Internet.

Procedure
Step 1 Configure network devices to communicate with each other.
# Add GE0/0/1 to GE0/0/4 of S5700-1 to VLAN 100 (management VLAN) and
VLAN 201 (VLAN for wired service packets), and add GE0/0/1 to GE0/0/4 of
S5700-2 to VLAN 100 and VLAN 202 (VLAN for wireless service packets). Set
PVIDs for interfaces directly connected to APs. You are advised to configure port
isolation on these interfaces to reduce unnecessary broadcast traffic. S5700-1 is
used as an example here. The configuration on S5700-2 is similar. For details, see
the configuration file of S5700-2.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 100 201
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100 //Set a PVID for the interface directly connected to APs.
[S5700-1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[S5700-1-GigabitEthernet0/0/2] stp edged-port enable
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[S5700-1-GigabitEthernet0/0/3] stp edged-port enable
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit
[S5700-1] interface gigabitethernet 0/0/4
[S5700-1-GigabitEthernet0/0/4] port link-type trunk
[S5700-1-GigabitEthernet0/0/4] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/4] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/4] undo port trunk allow-pass vlan 1
[S5700-1-GigabitEthernet0/0/4] stp edged-port enable
[S5700-1-GigabitEthernet0/0/4] port-isolate enable
[S5700-1-GigabitEthernet0/0/4] quit

# On the AC, add GE1/0/1 (connected to S5700-1) to VLAN 100 and VLAN 201,
GE1/0/2 (connected to S5700-2) to VLAN 100 and VLAN 202, GE1/0/4 (connected
to the upper-layer network) to VLAN 300, and GE1/0/3 (connected to the
controller) to VLAN 200.
[HUAWEI] sysname AC
[AC] vlan batch 100 200 201 202 300
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 201
[AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 202
[AC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/2] quit
[AC] interface gigabitethernet 1/0/3
[AC-GigabitEthernet1/0/3] port link-type trunk
[AC-GigabitEthernet1/0/3] port trunk allow-pass vlan 200
[AC-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/3] quit
[AC] interface gigabitethernet 1/0/4
[AC-GigabitEthernet1/0/4] port link-type trunk
[AC-GigabitEthernet1/0/4] port trunk allow-pass vlan 300
[AC-GigabitEthernet1/0/4] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/4] quit

# Configure VLANIF 200 for communication between the AC and controller.
[AC] interface vlanif200
[AC-Vlanif200] ip address 10.23.200.2 24 //Configure an IP address for the AC to communicate with the controller.
[AC-Vlanif200] quit
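The Configuration Notes above state rules that can be checked mechanically (in tunnel forwarding mode the management VLAN must differ from the service VLAN; an interface directly connected to an AP should be a trunk with the management VLAN as its PVID, VLAN 1 removed, port isolation and edged-port enabled), and Step 1 applies them interface by interface. The following Python script is an added example and is not part of this guide or of the switch software: it parses prompt-style CLI lines like those in Step 1 and reports every rule that an AP-facing interface breaks. The S5700-1 excerpt inside it is constructed for the example, with GE0/0/3 deliberately left without port isolation and with VLAN 1 still allowed so that the output shows what a finding looks like.

```python
import re

# Constructed excerpt modeled on the S5700-1 commands in Step 1 (not the page's own
# text): GE0/0/2 follows the recommendations, GE0/0/3 still allows VLAN 1 and has no
# port isolation, so the audit should report GE0/0/3 only.
SAMPLE_S5700_1 = """\
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 100 //PVID for the AP-facing port
[S5700-1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[S5700-1-GigabitEthernet0/0/2] stp edged-port enable
[S5700-1-GigabitEthernet0/0/2] port-isolate enable
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 201
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 100
[S5700-1-GigabitEthernet0/0/3] stp edged-port enable
[S5700-1-GigabitEthernet0/0/3] quit
"""

PROMPT = re.compile(r"^\[[^\]]*\]\s*")   # the "[S5700-1-GigabitEthernet0/0/2] " prefix


def parse_interfaces(lines):
    """Group prompt-style CLI lines into {interface name: [commands]}, dropping //comments."""
    ifaces, current = {}, None
    for raw in lines:
        cmd = PROMPT.sub("", raw.split(" //", 1)[0]).strip()
        m = re.match(r"interface\s+(.+)$", cmd)
        if m:
            current = m.group(1).lower()
            ifaces[current] = []
        elif cmd == "quit":
            current = None
        elif cmd and current is not None:
            ifaces[current].append(cmd)
    return ifaces


def vlan_ids(tokens):
    """Expand '100 201' or '100 to 105' into a set of VLAN IDs."""
    ids, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.add(int(tokens[i]))
            i += 1
    return ids


def port_state(cmds):
    """Replay the interface commands into the resulting port state (VLAN 1 is allowed by default)."""
    st = {"link_type": "access", "allowed": {1}, "pvid": 1, "isolated": False, "edged": False}
    for c in cmds:
        t = c.split()
        if c.startswith("port link-type "):
            st["link_type"] = t[2]
        elif c.startswith("port trunk allow-pass vlan "):
            st["allowed"] |= vlan_ids(t[4:])
        elif c.startswith("undo port trunk allow-pass vlan "):
            st["allowed"] -= vlan_ids(t[5:])
        elif c.startswith("port trunk pvid vlan "):
            st["pvid"] = int(t[4])
        elif c == "port-isolate enable":
            st["isolated"] = True
        elif c == "stp edged-port enable":
            st["edged"] = True
    return st


def audit_ap_ports(ifaces, ap_ports, mgmt_vlan, service_vlans, forward_mode="tunnel"):
    """Apply the VLAN rule from the Configuration Notes and the Step 1 port checklist; return findings."""
    findings = []
    if forward_mode == "tunnel" and mgmt_vlan in service_vlans:
        findings.append(f"plan: management VLAN {mgmt_vlan} must not also be a service VLAN in tunnel mode")
    for name in ap_ports:
        st = port_state(ifaces.get(name, []))
        if st["link_type"] != "trunk":
            findings.append(f"{name}: link type is {st['link_type']}, expected trunk")
        if st["pvid"] != mgmt_vlan:
            findings.append(f"{name}: PVID is {st['pvid']}, expected management VLAN {mgmt_vlan}")
        missing = ({mgmt_vlan} | set(service_vlans)) - st["allowed"]
        if missing:
            findings.append(f"{name}: VLANs {sorted(missing)} not allowed on the trunk")
        if 1 in st["allowed"]:
            findings.append(f"{name}: VLAN 1 still allowed (undo port trunk allow-pass vlan 1)")
        if not st["isolated"]:
            findings.append(f"{name}: port isolation not enabled")
        if not st["edged"]:
            findings.append(f"{name}: stp edged-port not enabled")
    return findings


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_S5700_1.splitlines())
    for finding in audit_ap_ports(ifaces, ["gigabitethernet 0/0/2", "gigabitethernet 0/0/3"], 100, {201}):
        print(finding)
```

Run it against the captured configuration of each access switch (display current-configuration output works the same way once the prompt prefix is absent, since the prompt regex simply matches nothing) and pass the list of AP-facing interfaces, the management VLAN and the wired service VLANs for that floor; an empty result means every AP-facing port matches the checklist.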

Step 2 Configure the AC as a DHCP server to assign IP addresses to PCs, APs, and STAs.


# Configure the AC to assign IP addresses to PCs, APs, and STAs from an interface
address pool.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[AC] dhcp enable
[AC] vlan batch 101 102
[AC] interface vlanif 100 //Configure an interface address pool to assign IP addresses to APs.
[AC-Vlanif100] description manage_ap
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101 //Configure an interface address pool to assign IP addresses to STAs on the first floor.
[AC-Vlanif101] description manage_floor1_sta
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit
[AC] interface vlanif 102 //Configure an interface address pool to assign IP addresses to STAs on the second floor.
[AC-Vlanif102] description manage_floor2_sta
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] quit
[AC] interface vlanif 201 //Configure an interface address pool to assign IP addresses to PCs on the first floor.
[AC-Vlanif201] description manage_floor1_pc
[AC-Vlanif201] ip address 10.23.201.1 24
[AC-Vlanif201] dhcp select interface
[AC-Vlanif201] quit
[AC] interface vlanif 202 //Configure an interface address pool to assign IP addresses to PCs on the second floor.
[AC-Vlanif202] description manage_floor2_pc
[AC-Vlanif202] ip address 10.23.202.1 24
[AC-Vlanif202] dhcp select interface
[AC-Vlanif202] quit

Step 3 Configure a RADIUS server template, configure authentication, accounting, and
authorization in the template, and configure Portal authentication.
# Configure a RADIUS server template on the AC, and configure authentication,
accounting, and authorization in the template.
[AC] radius-server template radius1 //Create the RADIUS server template radius1.
[AC-radius-radius1] radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS authentication server and authentication port 1812. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
[AC-radius-radius1] radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80 //Configure the RADIUS accounting server to collect user login and logout information and set the accounting port number to 1813. The AC uses the IP address 10.23.200.2 to communicate with the RADIUS server.
[AC-radius-radius1] radius-server shared-key cipher YsHsjx_202206 //Configure a shared key for the RADIUS server.
[AC-radius-radius1] undo radius-server user-name domain-included //The user name that the device sends to the RADIUS server does not carry the domain name. Configure the command when the RADIUS server does not accept the user name with the domain name.
[AC-radius-radius1] quit
[AC] radius-server authorization 10.23.200.1 shared-key cipher YsHsjx_202206 //Configure an IP address for the RADIUS authorization server, set the shared key to YsHsjx_202206, same as the authentication and accounting keys. Configure the authorization server so that the RADIUS server can deliver authorization rules to the AC.


[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme radius1.
[AC-aaa-authen-radius1] authentication-mode radius //If the controller functions as the RADIUS server, the authentication mode must be set to RADIUS.
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1 //Create the accounting scheme radius1.
[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to RADIUS. To facilitate account status information maintenance on the RADIUS server, including the login, logout, and forced logout information, the accounting mode must be set to RADIUS.
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1 //Create the domain portal1.
[AC-aaa-domain-portal1] authentication-scheme radius1 //Bind the authentication scheme radius1.
[AC-aaa-domain-portal1] accounting-scheme radius1 //Bind the accounting scheme radius1.
[AC-aaa-domain-portal1] radius-server radius1 //Bind the RADIUS server template radius1.
[AC-aaa-domain-portal1] quit
[AC-aaa] quit

# Configure the Portal server.
[AC] web-auth-server portal1 //Create the Portal server template portal1.
[AC-web-auth-server-portal1] server-ip 10.23.200.1 //Configure an IP address for the Portal server.
[AC-web-auth-server-portal1] port 50100 //Set the destination port number used by the device to send packets to the Portal server to 50100 (default setting).
[AC-web-auth-server-portal1] shared-key cipher YsHsjx_202206 //Configure the shared key for message exchange between the AC and Portal server.
[AC-web-auth-server-portal1] url http://10.23.200.1:8080/portal //Configure the URL of the Portal server.
[AC-web-auth-server-portal1] quit

# Enable Portal authentication for wireless users, and configure non-authentication for wired users.
[AC] portal-access-profile name portal1
[AC-portal-acces-profile-portal1] web-auth-server portal1 direct //Bind the Portal server template portal1 and specify Layer 2 authentication as the Portal authentication mode.
[AC-portal-acces-profile-portal1] quit
[AC] authentication-profile name portal1
[AC-authen-profile-portal1] portal-access-profile portal1
[AC-authen-profile-portal1] access-domain portal1 force //Configure the forcible user domain portal1.
[AC-authen-profile-portal1] quit
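Step 3 builds a chain of bindings: the authentication profile references the Portal access profile and the domain, the Portal access profile references the Portal server template, the domain references the authentication scheme, the accounting scheme and the RADIUS server template, and the authorization server must use the same shared key as the template (see the server parameters in Table 3-80). A gap anywhere in this chain leaves the VAP, whose security profile is OPEN, without working authentication, and nothing in the CLI refuses the incomplete configuration. The following Python script is an added example, not part of this guide or of the AC software: it parses the prompt-style lines of Step 3 into that chain and reports the missing links. The sample configuration inside it is constructed from the commands above; the script takes the view from the CLI prompt and assumes the AC hostname contains no hyphen, as in the prompts shown in this step.

```python
import re

PROMPTED = re.compile(r"^\[(?P<prompt>[^\]]*)\]\s*(?P<cmd>.*)$")
# Prompt suffix -> configuration section. Assumes the hostname has no hyphen ("AC"), so
# everything after the first hyphen names the view, as in the Step 3 prompts.
VIEWS = {"radius": "radius", "aaa-authen": "authen", "aaa-accounting": "acct",
         "aaa-domain": "domain", "web-auth-server": "portal_server",
         "portal-acces-profile": "portal_access", "authen-profile": "auth_profile"}

# Constructed sample modeled on the Step 3 commands (not the page's own text).
SAMPLE_AC_AAA = """\
[AC] radius-server template radius1
[AC-radius-radius1] radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80
[AC-radius-radius1] radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80
[AC-radius-radius1] radius-server shared-key cipher YsHsjx_202206
[AC-radius-radius1] quit
[AC] radius-server authorization 10.23.200.1 shared-key cipher YsHsjx_202206
[AC] aaa
[AC-aaa] authentication-scheme radius1
[AC-aaa-authen-radius1] authentication-mode radius
[AC-aaa] accounting-scheme radius1
[AC-aaa-accounting-radius1] accounting-mode radius
[AC-aaa-accounting-radius1] quit
[AC-aaa] domain portal1
[AC-aaa-domain-portal1] authentication-scheme radius1
[AC-aaa-domain-portal1] accounting-scheme radius1
[AC-aaa-domain-portal1] radius-server radius1
[AC-aaa-domain-portal1] quit
[AC-aaa] quit
[AC] web-auth-server portal1
[AC-web-auth-server-portal1] server-ip 10.23.200.1
[AC-web-auth-server-portal1] shared-key cipher YsHsjx_202206
[AC-web-auth-server-portal1] url http://10.23.200.1:8080/portal
[AC-web-auth-server-portal1] quit
[AC] portal-access-profile name portal1
[AC-portal-acces-profile-portal1] web-auth-server portal1 direct
[AC] authentication-profile name portal1
[AC-authen-profile-portal1] portal-access-profile portal1
[AC-authen-profile-portal1] access-domain portal1 force
[AC-authen-profile-portal1] quit
"""


def parse_aaa(lines):
    """Build a small model of the RADIUS / AAA / Portal configuration from prompt-style CLI lines."""
    cfg = {kind: {} for kind in VIEWS.values()}
    cfg["authorization"] = []                      # [(server ip, shared key)]
    for raw in lines:
        m = PROMPTED.match(raw.split(" //", 1)[0].strip())
        if not m:
            continue
        t = m.group("cmd").split()
        if not t or t[0] == "quit":
            continue
        rest = m.group("prompt").partition("-")[2]  # "radius-radius1", "aaa", "" ...
        kind = name = None
        for suffix, k in VIEWS.items():
            if rest.startswith(suffix + "-"):
                kind, name = k, rest[len(suffix) + 1:]
        if kind is None:                           # system view or [AC-aaa]
            if t[:2] == ["radius-server", "authorization"]:
                cfg["authorization"].append((t[2], t[-1]))
            continue
        entry = cfg[kind].setdefault(name, {})
        if kind == "radius" and t[0] == "radius-server":
            entry[t[1]] = t[-1] if t[1] == "shared-key" else (t[2], t[3])   # key or (ip, port)
        elif kind in ("authen", "acct"):
            entry["mode"] = t[1]                   # authentication-mode / accounting-mode
        elif kind == "portal_access" and t[0] == "web-auth-server":
            entry["server"] = t[1]
        elif kind in ("domain", "auth_profile"):
            entry[t[0]] = t[1]                     # e.g. "access-domain portal1 force" -> portal1
        elif kind == "portal_server":
            entry[t[0]] = t[-1]                    # server-ip / shared-key cipher X / url
    return cfg


def audit_portal_chain(cfg, profile):
    """Follow every binding from the authentication profile down to the RADIUS servers."""
    f = []
    ap = cfg["auth_profile"].get(profile)
    if ap is None:
        return [f"authentication profile {profile} does not exist"]
    tmpl = cfg["portal_access"].get(ap.get("portal-access-profile"), {}).get("server")
    ps = cfg["portal_server"].get(tmpl)
    if ps is None:
        f.append(f"{profile}: no Portal server template reachable via its portal-access-profile")
    else:
        f += [f"Portal server template {tmpl}: {k} not configured"
              for k in ("server-ip", "shared-key", "url") if k not in ps]
    dom_name = ap.get("access-domain")
    dom = cfg["domain"].get(dom_name)
    if dom is None:
        return f + [f"{profile}: access-domain not bound or domain {dom_name} missing"]
    for kind, key in (("authen", "authentication-scheme"), ("acct", "accounting-scheme")):
        if cfg[kind].get(dom.get(key), {}).get("mode") != "radius":
            f.append(f"domain {dom_name}: {key} missing or its mode is not radius")
    tpl_name = dom.get("radius-server")
    tpl = cfg["radius"].get(tpl_name)
    if tpl is None:
        return f + [f"domain {dom_name}: no RADIUS server template bound"]
    f += [f"RADIUS template {tpl_name}: {k} not configured"
          for k in ("authentication", "accounting", "shared-key") if k not in tpl]
    if "authentication" in tpl and "shared-key" in tpl:
        ip = tpl["authentication"][0]
        if (ip, tpl["shared-key"]) not in cfg["authorization"]:
            f.append(f"RADIUS template {tpl_name}: no authorization server for {ip} with the same shared key")
    return f
```

The shared keys are compared as typed because the sample is the command transcript; in a saved configuration file the keys appear in cipher form and only their presence can be checked this way. An empty list for the profile bound to the VAP means every link of the chain is present.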

Step 4 Configure APs to go online.

# Create AP groups.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn //Configure the AC country code. Radio features of APs managed by the AC must conform to local laws and regulations. The default country code is CN.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import the APs offline on the AC.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 101 ap-mac 00e0-fc76-e320
[AC-wlan-ap-101] ap-name ap-101
[AC-wlan-ap-101] ap-group ap-group1 //Add APs on the first floor to ap-group1.
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 00e0-fc76-e340
[AC-wlan-ap-102] ap-name ap-102
[AC-wlan-ap-102] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103 ap-mac 00e0-fc76-b520
[AC-wlan-ap-103] ap-name ap-103
[AC-wlan-ap-103] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 201 ap-mac 00e0-fc76-e360
[AC-wlan-ap-201] ap-name ap-201
[AC-wlan-ap-201] ap-group ap-group2 //Add APs on the second floor to ap-group2.
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202 ap-mac 00e0-fc76-e380
[AC-wlan-ap-202] ap-name ap-202
[AC-wlan-ap-202] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-202] quit
[AC-wlan-view] ap-id 203 ap-mac 00e0-fc76-b540
[AC-wlan-ap-203] ap-name ap-203
[AC-wlan-ap-203] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-203] quit

# Power on the APs and run the display ap all command to check the AP state. If
the State field is nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [6]
ExtraInfo : Extra information
P : insufficient power supply
-------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
-------------------------------------------------------------------------------------------------
101 00e0-fc76-e320 ap-101 ap-group1 10.23.101.254 AP2030DN nor 0 10S -
102 00e0-fc76-e340 ap-102 ap-group1 10.23.101.253 AP2030DN nor 0 15S -
103 00e0-fc76-b520 ap-103 ap-group1 10.23.101.252 AP5030DN nor 0 23S -
201 00e0-fc76-e360 ap-201 ap-group2 10.23.102.254 AP2030DN nor 0 45S -
202 00e0-fc76-e380 ap-202 ap-group2 10.23.102.253 AP2030DN nor 0 49S -
203 00e0-fc76-b540 ap-203 ap-group2 10.23.102.252 AP5030DN nor 0 55S -
-------------------------------------------------------------------------------------------------
Total: 6
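The display ap all check above is worth repeating after every AP import or profile change, because with MAC authentication an AP that was imported under the wrong MAC address or into the wrong group still shows up in this listing, just not where the plan puts it. The following Python script is an added example, not part of this guide or of the AC software: it parses a listing in the format shown above and compares it with the planned AP-to-group mapping, reporting every planned AP that is missing, not in state nor, or in the wrong group, and every listed AP that is not in the plan. The listing inside it is constructed rather than the output above: ap-202 was placed in the wrong group, ap-203 is in the fault state, and ap-301 does not appear in the plan.

```python
import re

# Constructed sample in the format of "display ap all" (not the page's own output).
# Planned: six APs. ap-202 is in the wrong group, ap-203 is faulty, ap-301 is unplanned.
SAMPLE_DISPLAY_AP_ALL = """\
Total AP information:
nor : normal [6]
fault : fault [1]
ExtraInfo : Extra information
P : insufficient power supply
-------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
-------------------------------------------------------------------------------------------------
101 00e0-fc76-e320 ap-101 ap-group1 10.23.100.254 AP2030DN nor 0 10S -
102 00e0-fc76-e340 ap-102 ap-group1 10.23.100.253 AP2030DN nor 3 15S -
103 00e0-fc76-b520 ap-103 ap-group1 10.23.100.252 AP5030DN nor 1 23S -
201 00e0-fc76-e360 ap-201 ap-group2 10.23.100.251 AP2030DN nor 0 45S -
202 00e0-fc76-e380 ap-202 ap-group1 10.23.100.250 AP2030DN nor 0 49S -
203 00e0-fc76-b540 ap-203 ap-group2 - AP5030DN fault 0 - P
301 00e0-fc76-c001 ap-301 ap-group1 10.23.100.249 AP5030DN nor 0 2S -
-------------------------------------------------------------------------------------------------
Total: 7
"""

# Planned AP-to-group mapping taken from Step 4 of this example.
PLANNED_GROUPS = {"ap-101": "ap-group1", "ap-102": "ap-group1", "ap-103": "ap-group1",
                  "ap-201": "ap-group2", "ap-202": "ap-group2", "ap-203": "ap-group2"}

# One AP row: ID MAC Name Group IP Type State STA Uptime ExtraInfo (IP and Uptime may be "-").
AP_ROW = re.compile(
    r"^(?P<id>\d+)\s+(?P<mac>[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4})\s+(?P<name>\S+)\s+"
    r"(?P<group>\S+)\s+(?P<ip>\S+)\s+(?P<type>\S+)\s+(?P<state>\S+)\s+(?P<sta>\d+)\s+"
    r"(?P<uptime>\S+)\s+(?P<extra>\S+)\s*$")


def parse_display_ap_all(text):
    """Return one dict per AP row of a 'display ap all' listing; header and separator lines are skipped."""
    aps = []
    for line in text.splitlines():
        m = AP_ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["id"], row["sta"] = int(row["id"]), int(row["sta"])
            aps.append(row)
    return aps


def check_ap_state(aps, planned):
    """Compare the listing with the plan and return [(ap name, issue)].

    Every planned AP must be listed, in state 'nor' and in its planned group; an AP
    that is listed but not planned is reported so an unexpected registration is noticed."""
    by_name = {ap["name"]: ap for ap in aps}
    issues = []
    for name, group in planned.items():
        ap = by_name.get(name)
        if ap is None:
            issues.append((name, "not listed: never registered or already deleted"))
        elif ap["state"] != "nor":
            issues.append((name, f"state is {ap['state']}, expected nor"))
        elif ap["group"] != group:
            issues.append((name, f"in {ap['group']}, planned for {group}"))
    for name, ap in by_name.items():
        if name not in planned:
            issues.append((name, f"not in the plan (MAC {ap['mac']})"))
    return issues


if __name__ == "__main__":
    for name, issue in check_ap_state(parse_display_ap_all(SAMPLE_DISPLAY_AP_ALL), PLANNED_GROUPS):
        print(f"{name}: {issue}")
```

Feed the script the real listing captured from the AC and the mapping from the data plan; an empty result is the condition under which the remaining steps (wired port profiles, VAP binding) are worth applying, because they are delivered per AP group.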

# Configure the AP2030DN's uplink interface GE0/0/0 and downlink interfaces
Eth0/0/0 and Eth0/0/1 to allow wired service packets to pass through.
[AC-wlan-view] wired-port-profile name wired1
[AC-wlan-wired-port-wired1] vlan pvid 201 //The downlink interface of the AP2030DN is used to connect wired terminals, such as the PCs. Set a PVID for the interface. VLAN 201 is used to transmit wired service packets of the first floor.
[AC-wlan-wired-port-wired1] vlan untagged 201 //The downlink interface of the AP2030DN is used to connect to wired terminals. Add the interface to VLAN 201 in untagged mode.
[AC-wlan-wired-port-wired1] quit
[AC-wlan-view] wired-port-profile name wired2
[AC-wlan-wired-port-wired2] vlan tagged 201 //The uplink interface of the AP2030DN is used to connect to the upper-layer devices. Add the interface to VLAN 201 in tagged mode.
[AC-wlan-wired-port-wired2] quit
[AC-wlan-view] wired-port-profile name wired3
[AC-wlan-wired-port-wired3] vlan pvid 202 //The downlink interface of the AP2030DN is used to connect wired terminals, such as the PCs. Set a PVID for the interface. VLAN 202 is used to transmit wired service packets of the second floor.
[AC-wlan-wired-port-wired3] vlan untagged 202
[AC-wlan-wired-port-wired3] quit
[AC-wlan-view] wired-port-profile name wired4
[AC-wlan-wired-port-wired4] vlan tagged 202
[AC-wlan-wired-port-wired4] quit
[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-101] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-101] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 0
[AC-wlan-ap-102] wired-port-profile wired1 ethernet 1
[AC-wlan-ap-102] wired-port-profile wired2 gigabitethernet 0
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 201
[AC-wlan-ap-201] wired-port-profile wired3 ethernet 0
[AC-wlan-ap-201] wired-port-profile wired3 ethernet 1
[AC-wlan-ap-201] wired-port-profile wired4 gigabitethernet 0
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202
[AC-wlan-ap-202] wired-port-profile wired3 ethernet 0
[AC-wlan-ap-202] wired-port-profile wired3 ethernet 1
[AC-wlan-ap-202] wired-port-profile wired4 gigabitethernet 0
[AC-wlan-ap-202] quit

Step 5 Configure WLAN service parameters.

# Create RRM profile rrm1. By default, the automatic channel and transmit power
selection functions are enabled. When you need to manually specify the channel
and power for a radio, set the channel and transmit power selection modes to
fixed.
[AC-wlan-view] rrm-profile name rrm1
[AC-wlan-rrm-prof-rrm1] calibrate auto-channel-select disable //Set the channel selection mode of the radio to fixed.
[AC-wlan-rrm-prof-rrm1] calibrate auto-txpower-select disable //Set the transmit power selection mode of the radio to fixed.
[AC-wlan-rrm-prof-rrm1] quit

NOTE

In V200R012 and later versions, the commands for configuring the channel selection and
transmit power selection modes are executed in the AP group radio view or AP radio view
instead of in the RRM profile view. For example, run the following commands to set the
channel and transmit power selection modes of radio 0 of APs in AP group 1 to fixed:
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit

# Create radio profiles radio-2g and radio-5g, and bind the RRM profile rrm1 to
the radio profiles.
[AC-wlan-view] radio-2g-profile name radio-2g
[AC-wlan-radio-2g-prof-radio-2g] rrm-profile rrm1
[AC-wlan-radio-2g-prof-radio-2g] quit
[AC-wlan-view] radio-5g-profile name radio-5g
[AC-wlan-radio-5g-prof-radio-5g] rrm-profile rrm1
[AC-wlan-radio-5g-prof-radio-5g] quit

# Create security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security //Portal authentication has been enabled on the interface. Set the security policy to OPEN, that is, no authentication and no encryption.
[AC-wlan-sec-prof-wlan-security] security open
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to hospital-wlan.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid hospital-wlan //Set the SSID to hospital-wlan.
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create traffic profile traffic1 and configure Layer 2 user isolation.


[AC-wlan-view] traffic-profile name traffic1
[AC-wlan-traffic-prof-traffic1] user-isolate l2
Warning: This action may cause service interruption. Continue?[Y/N]y

# Create VAP profiles wlan-vap1 and wlan-vap2, configure the data forwarding
mode and service VLANs, and apply the security profile, SSID profile, and
authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap1] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102 //Set the VLAN ID to 102. By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap2] authentication-profile portal1
[AC-wlan-vap-prof-wlan-vap2] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap2] quit

# Bind the VAP profile and radio profile to the AP group.


[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio-2g //In V200R010C00 and later versions, you need to specify the radio ID using the radio-2g-profile radio-2g radio 0 command.
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio-5g //In V200R010C00 and later versions, you need to specify the radio ID using the radio-5g-profile radio-5g radio 1 command.
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] radio-2g-profile radio-2g
[AC-wlan-ap-group-ap-group2] radio-5g-profile radio-5g
[AC-wlan-ap-group-ap-group2] quit

Step 6 Configure VAPs and deliver VAP parameters to APs.


# Configure VAPs.

[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] radio 0
[AC-wlan-radio-101/0] channel 20mhz 1 //Configure the channel based on the planning result of the WLAN Planner.
[AC-wlan-radio-101/0] eirp 10 //Configure the power based on the planning result of the WLAN Planner.
[AC-wlan-radio-101/0] quit
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] radio 0
[AC-wlan-radio-102/0] channel 20mhz 6
[AC-wlan-radio-102/0] eirp 10
[AC-wlan-radio-102/0] quit
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 103
[AC-wlan-ap-103] radio 0
[AC-wlan-radio-103/0] channel 20mhz 11
[AC-wlan-radio-103/0] eirp 10
[AC-wlan-radio-103/0] quit
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 103
[AC-wlan-ap-103] radio 1 //The AP5030 supports two radios. This step configures radio 1.
[AC-wlan-radio-103/1] channel 20mhz 153
[AC-wlan-radio-103/1] eirp 10
[AC-wlan-radio-103/1] quit
[AC-wlan-ap-103] quit
[AC-wlan-view] ap-id 201
[AC-wlan-ap-201] radio 0
[AC-wlan-radio-201/0] channel 20mhz 1
[AC-wlan-radio-201/0] eirp 10
[AC-wlan-radio-201/0] quit
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202
[AC-wlan-ap-202] radio 0
[AC-wlan-radio-202/0] channel 20mhz 6
[AC-wlan-radio-202/0] eirp 10
[AC-wlan-radio-202/0] quit
[AC-wlan-ap-202] quit
[AC-wlan-view] ap-id 203
[AC-wlan-ap-203] radio 0
[AC-wlan-radio-203/0] channel 20mhz 11
[AC-wlan-radio-203/0] eirp 10
[AC-wlan-radio-203/0] quit
[AC-wlan-ap-203] quit
[AC-wlan-view] ap-id 203
[AC-wlan-ap-203] radio 1
[AC-wlan-radio-203/1] channel 20mhz 157
[AC-wlan-radio-203/1] eirp 10
[AC-wlan-radio-203/1] quit
[AC-wlan-ap-203] quit

# Deliver the configuration to the APs.


[AC-wlan-view] commit all //After the WLAN service configuration is complete on the AC, the configuration takes effect after you deliver it to the APs.
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 7 Verify the configuration.


# After the configuration is complete, run the display vap all command. The
command output shows that VAPs have been created.
[AC-wlan-view] display vap all
WID : WLAN ID
----------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
----------------------------------------------------------------------------------
101 ap-101 0 1 00E0-FC76-E320 ON OPEN 0 hospital-wlan
102 ap-102 0 1 00E0-FC76-E340 ON OPEN 0 hospital-wlan
103 ap-103 0 1 00E0-FC76-B520 ON OPEN 0 hospital-wlan
103 ap-103 1 1 00E0-FC76-B530 ON OPEN 0 hospital-wlan
201 ap-201 0 1 00E0-FC76-E360 ON OPEN 0 hospital-wlan
202 ap-202 0 1 00E0-FC76-E380 ON OPEN 0 hospital-wlan
203 ap-203 0 1 00E0-FC76-B540 ON OPEN 0 hospital-wlan
203 ap-203 1 1 00E0-FC76-B550 ON OPEN 0 hospital-wlan
---------------------------------------------------------------------------------
Total: 8

# Connect STAs to the WLAN with SSID hospital-wlan. After you enter the
password, the STAs can access the wireless network. Run the display station all
command on the AC. The command output shows that the STAs are connected to
the WLAN hospital-wlan.
[AC-wlan-view] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address SSID
----------------------------------------------------------------------------------------------------------
00e0-fc12-3456 0 ap-101 0/1 2.4G 11n 3/8 -70 10 10.23.101.254 hospital-wlan
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

# STAs and PCs obtain IP addresses and connect to the network properly.
----End

Configuration Files
● S5700-1 configuration file
#
sysname S5700-1
#
vlan batch 100 201
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 201
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 201
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 201
stp edged-port enable
port-isolate enable group 1
#
return
● S5700-2 configuration file
#
sysname S5700-2
#
vlan batch 100 202
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 202
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 202
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 202
stp edged-port enable
port-isolate enable group 1
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102 200 to 202 300
#
authentication-profile name portal1
portal-access-profile portal1
access-domain portal1
access-domain portal1 force
#
dhcp enable
#
radius-server template radius1
radius-server shared-key cipher %^%#ZGx{:~QFtUUhhG!`ba-PTj=H1p_J<1/%ZAXuB5)0%^%#
radius-server authentication 10.23.200.1 1812 source ip-address 10.23.200.2 weight 80
radius-server accounting 10.23.200.1 1813 source ip-address 10.23.200.2 weight 80
undo radius-server user-name domain-included
radius-server authorization 10.23.200.1 shared-key cipher %^%#w]=@OYp:T9"u@{I2RD4U5QJi2{u]
$M{]DND|;=s"%^%#
#
web-auth-server portal1
server-ip 10.23.200.1
port 50100
shared-key cipher %^%#yJ0=%9W@FVMN/=HIR9EN@1abUN6>a(Bn@MHR7Bl4%^%#
url http://10.23.200.1:8080/portal
#
portal-access-profile name portal1
web-auth-server portal1 direct
#
aaa
authentication-scheme radius1
authentication-mode radius
accounting-scheme radius1
accounting-mode radius
domain portal1
authentication-scheme radius1
accounting-scheme radius1
radius-server radius1
#
interface Vlanif100
description manage_ap
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
description manage_floor1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface Vlanif102
description manage_floor2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select interface
#
interface Vlanif200
ip address 10.23.200.2 255.255.255.0
#
interface Vlanif201
description manage_floor1_pc
ip address 10.23.201.1 255.255.255.0
dhcp select interface
#
interface Vlanif202
description manage_floor2_pc
ip address 10.23.202.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 201
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 202
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 300
#
capwap source interface vlanif100
#
wlan
traffic-profile name traffic1
user-isolate l2
security-profile name wlan-security
security open
ssid-profile name wlan-ssid
ssid hospital-wlan
vap-profile name wlan-vap1
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
authentication-profile portal1
vap-profile name wlan-vap2
forward-mode tunnel
service-vlan vlan-id 102
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
authentication-profile portal1
regulatory-domain-profile name domain1
rrm-profile name rrm1
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio-2g-profile name radio-2g
rrm-profile rrm1
radio-5g-profile name radio-5g
rrm-profile rrm1
wired-port-profile name wired1
vlan pvid 201
vlan untagged 201
wired-port-profile name wired2
vlan tagged 201
wired-port-profile name wired3
vlan pvid 202
vlan untagged 202
wired-port-profile name wired4
vlan tagged 202
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
radio 1
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
radio 2
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
radio 1
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
radio 2
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
ap-id 101 type-id 35 ap-mac 00e0-fc76-e320 ap-sn 210235419610CB002378
ap-name ap-101
ap-group ap-group1
wired-port-profile wired1 ethernet 0
wired-port-profile wired1 ethernet 1
wired-port-profile wired2 gigabitethernet 0
radio 0
channel 20mhz 1
eirp 10
ap-id 102 type-id 35 ap-mac 00e0-fc76-e340 ap-sn 210235419610CB002204
ap-name ap-102
ap-group ap-group1
wired-port-profile wired1 ethernet 0
wired-port-profile wired1 ethernet 1
wired-port-profile wired2 gigabitethernet 0
radio 0
channel 20mhz 6
eirp 10
ap-id 103 type-id 35 ap-mac 00e0-fc76-b520 ap-sn 210235419610CB002561
ap-name ap-103
ap-group ap-group1
radio 0
channel 20mhz 11
eirp 10
radio 1
channel 20mhz 153
eirp 10
ap-id 201 type-id 35 ap-mac 00e0-fc76-e360 ap-sn 210235419610CB002287
ap-name ap-201
ap-group ap-group2
wired-port-profile wired3 ethernet 0
wired-port-profile wired3 ethernet 1
wired-port-profile wired4 gigabitethernet 0
radio 0
channel 20mhz 1
eirp 10
ap-id 202 type-id 35 ap-mac 00e0-fc76-e380 ap-sn 210235419610CB002984
ap-name ap-202
ap-group ap-group2
wired-port-profile wired3 ethernet 0
wired-port-profile wired3 ethernet 1
wired-port-profile wired4 gigabitethernet 0
radio 0
channel 20mhz 6
eirp 10
ap-id 203 type-id 35 ap-mac 00e0-fc76-b540 ap-sn 210235419610CB002632
ap-name ap-203
ap-group ap-group2
radio 0
channel 20mhz 11
eirp 10
radio 1
channel 20mhz 157
eirp 10
#
return
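The configuration files above are regular enough to audit mechanically. As an added example that is not Huawei's code, the following Python script parses a VRP-style configuration file in that shape and checks three invariants this walkthrough relies on: every trunk has VLAN 1 removed, every AP-facing port (one given a PVID, which is how this example marks AP-facing trunks; that heuristic is an assumption) is isolated and an STP edge port, and every VAP profile that references an OPEN security profile also binds an authentication profile so that Portal, rather than nothing, gates the user. The sample configuration is constructed and carries two deliberate defects.

```python
from typing import Dict, List, Set

# Constructed sample shaped like the S5700-1 and AC configuration files above,
# with two deliberate defects (GE0/0/3 and guest-vap). Not a device export.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100 201
 stp edged-port enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100 201
 stp edged-port enable
#
wlan
 security-profile name wlan-security
  security open
 security-profile name guest-open
  security open
 vap-profile name wlan-vap1
  service-vlan vlan-id 101
  security-profile wlan-security
  authentication-profile portal1
 vap-profile name guest-vap
  service-vlan vlan-id 103
  security-profile guest-open
#
return
"""

def parse_sections(text: str) -> List[List[str]]:
    """Split a VRP configuration into its '#'-delimited sections, indentation
    stripped; 'return' ends the file."""
    sections: List[List[str]] = [[]]
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("#", "return"):
            sections.append([])
        elif line:
            sections[-1].append(line)
    return [sec for sec in sections if sec]

def audit_interfaces(sections: List[List[str]]) -> List[str]:
    """Trunks must drop VLAN 1; AP-facing trunks (those given a PVID, as in
    this example) must also be isolated STP edge ports."""
    findings = []
    for sec in sections:
        if not sec[0].startswith("interface ") or "port link-type trunk" not in sec:
            continue
        name, body = sec[0].split(None, 1)[1], sec[1:]
        # A trunk carries VLAN 1 by default; only the explicit undo removes it.
        if "undo port trunk allow-pass vlan 1" not in body:
            findings.append(f"{name}: trunk still carries VLAN 1")
        if any(cmd.startswith("port trunk pvid vlan ") for cmd in body):
            if not any(cmd.startswith("port-isolate enable") for cmd in body):
                findings.append(f"{name}: AP-facing port without port isolation")
            if "stp edged-port enable" not in body:
                findings.append(f"{name}: AP-facing port is not an STP edge port")
    return findings

def audit_wlan(sections: List[List[str]]) -> List[str]:
    """A VAP whose security profile is OPEN must bind an authentication
    profile; otherwise nothing, not even Portal, gates the user."""
    open_profiles: Set[str] = set()
    vaps: Dict[str, Dict[str, str]] = {}
    kind = name = ""
    for cmd in [c for sec in sections if sec[0] == "wlan" for c in sec[1:]]:
        parts = cmd.split()
        if len(parts) == 3 and parts[1] == "name":  # '<profile-type> name <id>'
            kind, name = parts[0], parts[2]
            if kind == "vap-profile":
                vaps[name] = {}
        elif kind == "security-profile" and cmd == "security open":
            open_profiles.add(name)
        elif kind == "vap-profile":
            key, _, value = cmd.partition(" ")
            vaps[name][key] = value
    return [f"vap-profile {v}: OPEN security with no authentication profile"
            for v, attrs in vaps.items()
            if attrs.get("security-profile") in open_profiles
            and "authentication-profile" not in attrs]

def audit(text: str) -> List[str]:
    """Run both audits over one configuration text and return all findings."""
    sections = parse_sections(text)
    return audit_interfaces(sections) + audit_wlan(sections)

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Feed it the text of a saved configuration file instead of SAMPLE_CONFIG to audit a real device.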

Relevant Information
Support Community
NA

3.12.6 Example for Configuring WLAN Services for a Wireless City Project (AC Bypass Deployment, Portal Authentication)
WLAN Service Overview
You can configure WLAN services to allow wireless users to easily access a wireless
network and move around within its coverage area.

Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● Configure a proper RADIUS packet retransmission timeout interval.
For a large-scale or busy network, configure the shortest retransmission
timeout interval for RADIUS request packets. When a long retransmission
timeout interval is set, retransmission occupies system resources. A short
retransmission timeout interval can improve the AC's packet processing
capability.
The default retransmission timeout interval for wireless users is 5 seconds,
which is suitable for most wireless user authentication scenarios. When IP
addresses of more than eight authentication servers are configured in a
RADIUS server template, or 802.1X authentication is used, it is recommended
that the retransmission timeout interval be set to 1 second to improve
network processing efficiency.
● Select an inter-card or inter-chassis interface as a member interface of the
Eth-Trunk to improve interface reliability.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
● In this example, Portal authentication is used. To ensure network security,
configure an appropriate security policy according to service requirements.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
Service packets and management packets can be forwarded normally
only if the network between APs and upper-layer network is added to the
service VLAN and the network between the AC and APs is added to the
management VLAN.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.

Networking Requirements
A city needs to deploy the wireless smart city project and requires that Portal
authentication be used for wireless users. Due to the large number of wireless
users, high wireless service performance and Portal authentication performance
are required.
As shown in Figure 3-164, the core switch S7700 functions as the gateway for
STAs and APs and as a DHCP server to assign IP addresses to STAs and APs. The
S7700 connects to APs through PoE access switches S5700-1 and S5700-2. The AC
and APs are located on a Layer 3 network. The AC is the X series card on the
S7700 and connected to the S7700 through Eth-Trunk in bypass mode.
To facilitate network planning and management, the access switches are only
used to transparently transmit data at Layer 2.
The following uses an AC running V200R009C00 as an example. The key
configurations vary in different versions. For details, see the Command Reference
in the actual version.

Figure 3-164 Networking for configuring WLAN services for a wireless city project

Data Planning

Table 3-82 Network data planning

Item | Interface | VLAN | Description
AC | Eth-Trunk1 | 100 | Configured to improve network bandwidth and reliability. Add GE2/0/1 and GE2/0/2 to Eth-Trunk 1 and connect the two interfaces to the S7700.
S5700-1 | GE0/0/1 | 10, 101 | Connected to the AC
S5700-1 | GE0/0/2 | 10, 101 | Connected to AP101
S5700-1 | GE0/0/3 | 10, 101 | Connected to AP102
S5700-2 | GE0/0/1 | 20, 102 | Connected to the AC
S5700-2 | GE0/0/2 | 20, 102 | Connected to AP201
S5700-2 | GE0/0/3 | 20, 102 | Connected to AP202
S7700 | GE1/0/1 | 10, 101 | Connected to S5700-1
S7700 | GE1/0/2 | 20, 102 | Connected to S5700-2
S7700 | GE1/0/3 | 300 | Connected to the controller
S7700 | GE1/0/4 | 101, 102 | Connected to the upper-layer network
S7700 | Eth-Trunk1 | 100 | Configured to improve network bandwidth and reliability. Add GE1/0/5 and GE1/0/6 to Eth-Trunk 1 and connect the two interfaces to the AC.

Table 3-83 Service data planning

Item | Data | Description
IP address of the AC's source interface | 10.23.100.1/24 | -
AP group | Name: ap-group1; referenced profiles: VAP profile wlan-vap1, regulatory domain profile domain1, and radio profiles radio-2g and radio-5g | -
AP group | Name: ap-group2; referenced profiles: VAP profile wlan-vap2, regulatory domain profile domain1, and radio profiles radio-2g and radio-5g | -
Portal access profile | Name: portal1; referenced templates: Portal server templates portal1 and portal3 | -
Portal access profile | Name: portal2; referenced templates: Portal server templates portal2 and portal3 | -
Authentication profile | Name: portal1; referenced profile: Portal access profile portal1 | -
Authentication profile | Name: portal2; referenced profile: Portal access profile portal2 | -
Regulatory domain profile | Name: domain1; country code: CN | -
RRM profile | Name: rrm1 | -
Radio profile | Name: radio-2g or radio-5g; referenced profile: RRM profile rrm1 | -
Security profile | Name: wlan-security; security and authentication policy: OPEN | -
SSID profile | Name: wlan-ssid; SSID: hospital-wlan | -
Traffic profile | Name: traffic1 | -
VAP profile | Name: wlan-vap1; SSID: city-wlan; service data forwarding mode: direct forwarding; service VLAN: VLAN 101; referenced profiles: security profile wlan-security, SSID profile wlan-ssid, authentication profile portal1, and traffic profile traffic1 | Provides WLAN network coverage for Area 1.
VAP profile | Name: wlan-vap2; SSID: city-wlan; service data forwarding mode: direct forwarding; service VLAN: VLAN 102; referenced profiles: security profile wlan-security, SSID profile wlan-ssid, authentication profile portal1, and traffic profile traffic1 | Provides WLAN network coverage for Area 2.
DHCP server | The S7700 functions as a DHCP server to assign IP addresses to APs and STAs. | -
Gateway and IP address pool range of APs | VLANIF 10: 10.23.10.1/24, 10.23.10.2-10.23.10.254/24 | Gateway and IP address pool for AP101 and AP102
Gateway and IP address pool range of APs | VLANIF 20: 10.23.20.1/24, 10.23.20.2-10.23.20.254/24 | Gateway and IP address pool for AP201 and AP202
Gateway and IP address pool range of STAs | VLANIF 101: 10.23.101.1/24, 10.23.101.2-10.23.101.254/24 | -
Gateway and IP address pool range of STAs | VLANIF 102: 10.23.102.1/24, 10.23.102.2-10.23.102.254/24 | -
Server parameters (authentication server) | Active IP address: 10.23.30.1; active IP address: 10.23.30.2; standby IP address: 10.23.30.3; port number: 1812; RADIUS shared key: YsHsjx_202206 | Three controller nodes are deployed on the network. Controller node 1 and controller node 2 are used for load balancing, and controller node 3 serves as a backup. The controller provides RADIUS server and Portal server functions; therefore, the controller IP address is used as the authentication server, accounting server, authorization server, and Portal server.
Server parameters (accounting server) | Active IP address: 10.23.30.1; active IP address: 10.23.30.2; standby IP address: 10.23.30.3; port number: 1813; RADIUS shared key: YsHsjx_202206 | Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as those of the RADIUS server.
Server parameters (authorization server) | Active IP address: 10.23.30.1; active IP address: 10.23.30.2; standby IP address: 10.23.30.3; RADIUS shared key: YsHsjx_202206 | Configure an authorization server to enable the RADIUS server to deliver authorization rules to the AC. The shared key of the authorization server must be the same as that of the authentication server and accounting server.
Server parameters (Portal server) | Active IP address: 10.23.30.1; active IP address: 10.23.30.2; standby IP address: 10.23.30.3; port number that the AC uses to listen on Portal protocol packets: 2000; destination port number in the packets that the AC sends to the Portal server: 50100; Portal shared key: YsHsjx_202206; encryption key for the URL parameters that the AC sends to the Portal server: YsHsjx_202206 | -


Table 3-84 Radio channel data planning

Item | Data | Description
AP101 | Radio 0: channel 1 and power level 10; Radio 1: channel 153 and power level 10 | Use the WLAN Planner to plan AP installation locations, and the working channel and power of each AP radio. Set the channel mode and power mode to fixed, and configure the channel and power for each AP.
AP102 | Radio 0: channel 6 and power level 10; Radio 1: channel 161 and power level 10 | Same as above.
AP201 | Radio 0: channel 1 and power level 10; Radio 1: channel 153 and power level 10 | Same as above.
AP202 | Radio 0: channel 6 and power level 10; Radio 1: channel 161 and power level 10 | Same as above.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interworking of the AC, APs, S5700-1, S5700-2, S7700, and
other network devices.
2. Configure the S7700 as a DHCP server to assign IP addresses to APs and STAs.
3. Configure a RADIUS server template, configure authentication, accounting,
and authorization in the template, and configure Portal authentication.
4. Configure basic WLAN services, including AC system parameters, AP
management, and WLAN service parameters.
5. Configure VAPs and deliver VAP parameters to APs.
6. Verify the configuration to ensure that both wired and wireless users can
access the Internet.

Procedure
Step 1 Configure network devices to communicate with each other.
# Add GE0/0/1 to GE0/0/3 of S5700-1 to VLAN 10 (management VLAN) and
VLAN 101 (service VLAN). Set PVIDs for interfaces directly connected to APs. You
are advised to configure port isolation on these interfaces to reduce unnecessary
broadcast traffic.
[HUAWEI] sysname S5700-1
[S5700-1] vlan batch 10 101
[S5700-1] interface gigabitethernet 0/0/1
[S5700-1-GigabitEthernet0/0/1] port link-type trunk
[S5700-1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S5700-1-GigabitEthernet0/0/1] quit
[S5700-1] interface gigabitethernet 0/0/2
[S5700-1-GigabitEthernet0/0/2] port link-type trunk
[S5700-1-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/2] port trunk pvid vlan 10 //Set a PVID for the interface directly connected to the AP.
[S5700-1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[S5700-1-GigabitEthernet0/0/2] stp edged-port enable
[S5700-1-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-1-GigabitEthernet0/0/2] quit
[S5700-1] interface gigabitethernet 0/0/3
[S5700-1-GigabitEthernet0/0/3] port link-type trunk
[S5700-1-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 101
[S5700-1-GigabitEthernet0/0/3] port trunk pvid vlan 10
[S5700-1-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[S5700-1-GigabitEthernet0/0/3] stp edged-port enable
[S5700-1-GigabitEthernet0/0/3] port-isolate enable
[S5700-1-GigabitEthernet0/0/3] quit

# Add GE0/0/1 to GE0/0/3 of S5700-2 to VLAN 20 (management VLAN) and
VLAN 102 (service VLAN). Set PVIDs for interfaces directly connected to APs. You
are advised to configure port isolation on these interfaces to reduce unnecessary
broadcast traffic.
[HUAWEI] sysname S5700-2
[S5700-2] vlan batch 20 102
[S5700-2] interface gigabitethernet 0/0/1
[S5700-2-GigabitEthernet0/0/1] port link-type trunk
[S5700-2-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[S5700-2-GigabitEthernet0/0/1] quit
[S5700-2] interface gigabitethernet 0/0/2
[S5700-2-GigabitEthernet0/0/2] port link-type trunk
[S5700-2-GigabitEthernet0/0/2] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/2] port trunk pvid vlan 20 //Set a PVID for the interface directly connected to the AP.
[S5700-2-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[S5700-2-GigabitEthernet0/0/2] stp edged-port enable
[S5700-2-GigabitEthernet0/0/2] port-isolate enable //Configure port isolation to reduce broadcast packets.
[S5700-2-GigabitEthernet0/0/2] quit
[S5700-2] interface gigabitethernet 0/0/3
[S5700-2-GigabitEthernet0/0/3] port link-type trunk
[S5700-2-GigabitEthernet0/0/3] port trunk allow-pass vlan 20 102
[S5700-2-GigabitEthernet0/0/3] port trunk pvid vlan 20
[S5700-2-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[S5700-2-GigabitEthernet0/0/3] stp edged-port enable
[S5700-2-GigabitEthernet0/0/3] port-isolate enable
[S5700-2-GigabitEthernet0/0/3] quit

# On the S7700, add GE1/0/1 (connected to S5700-1) to VLAN 10 and VLAN 101,
GE1/0/2 (connected to S5700-2) to VLAN 20 and VLAN 102, GE1/0/3 (connected
to the controller) to VLAN 300, GE1/0/4 (connected to the upper-layer network)
to VLAN 101 and VLAN 102, and GE1/0/5 and GE1/0/6 (connected to the AC) to
Eth-Trunk 1. Add Eth-Trunk 1 to VLAN 100.
[HUAWEI] sysname S7700
[S7700] vlan batch 10 20 100 101 102 300
[S7700] interface gigabitethernet 1/0/1
[S7700-GigabitEthernet1/0/1] port link-type trunk
[S7700-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 101
[S7700-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[S7700-GigabitEthernet1/0/1] quit
[S7700] interface gigabitethernet 1/0/2
[S7700-GigabitEthernet1/0/2] port link-type trunk
[S7700-GigabitEthernet1/0/2] port trunk allow-pass vlan 20 102
[S7700-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[S7700-GigabitEthernet1/0/2] quit
[S7700] interface gigabitethernet 1/0/3
[S7700-GigabitEthernet1/0/3] port link-type trunk
[S7700-GigabitEthernet1/0/3] port trunk allow-pass vlan 300
[S7700-GigabitEthernet1/0/3] undo port trunk allow-pass vlan 1
[S7700-GigabitEthernet1/0/3] quit
[S7700] interface gigabitethernet 1/0/4
[S7700-GigabitEthernet1/0/4] port link-type trunk
[S7700-GigabitEthernet1/0/4] port trunk allow-pass vlan 101 102
[S7700-GigabitEthernet1/0/4] undo port trunk allow-pass vlan 1
[S7700-GigabitEthernet1/0/4] quit
[S7700] interface eth-trunk 1
[S7700-Eth-Trunk1] port link-type trunk
[S7700-Eth-Trunk1] port trunk allow-pass vlan 100
[S7700-Eth-Trunk1] undo port trunk allow-pass vlan 1
[S7700-Eth-Trunk1] trunkport gigabitethernet 1/0/5 1/0/6 //Add GE1/0/5 and GE1/0/6 to Eth-Trunk 1.
You are advised to select inter-card or inter-chassis interfaces as member interfaces of the Eth-Trunk to
improve interface reliability.
[S7700-Eth-Trunk1] quit

# On the S7700, configure VLANIF 100 for communication with the AC and
VLANIF 300 for communication with the controller.

[S7700] interface vlanif100
[S7700-Vlanif100] ip address 10.23.100.10 24 //Configure an IP address for communication between the
S7700 and AC.
[S7700-Vlanif100] quit
[S7700] interface vlanif300
[S7700-Vlanif300] ip address 10.23.30.10 24 //Configure an IP address for communication between the
S7700 and controller.
[S7700-Vlanif300] quit

# On the AC, add GE2/0/1 and GE2/0/2 connected to the S7700 to Eth-Trunk 1
and add Eth-Trunk 1 to VLAN 100.
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface eth-trunk 1
[AC-Eth-Trunk1] port link-type trunk
[AC-Eth-Trunk1] port trunk allow-pass vlan 100
[AC-Eth-Trunk1] undo port trunk allow-pass vlan 1
[AC-Eth-Trunk1] trunkport gigabitethernet 2/0/1 2/0/2 //Add GE2/0/1 and GE2/0/2 to Eth-Trunk1. You
are advised to select inter-card or inter-chassis interfaces as member interfaces of the Eth-Trunk to improve
interface reliability.
[AC-Eth-Trunk1] quit

# Configure VLANIF 100 on the AC for communication with the S7700.
[AC] interface vlanif100
[AC-Vlanif100] ip address 10.23.100.1 24 //Configure an IP address for communication between the S7700
and AC.
[AC-Vlanif100] quit

Step 2 Configure the S7700 as a DHCP server to assign IP addresses to APs and STAs.
# Configure the S7700 to assign IP addresses to the STAs and APs from the global
address pool.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[S7700] dhcp enable
[S7700] interface vlanif 10 //Configure a global address pool to assign IP addresses to AP101 and AP102.
[S7700-Vlanif10] description manage_ap1
[S7700-Vlanif10] ip address 10.23.10.1 24
[S7700-Vlanif10] dhcp select global
[S7700-Vlanif10] quit
[S7700] ip pool manage_ap1
[S7700-ip-pool-manage_ap1] gateway-list 10.23.10.1
[S7700-ip-pool-manage_ap1] network 10.23.10.0 mask 255.255.255.0
[S7700-ip-pool-manage_ap1] option 43 sub-option 2 ip-address 10.23.100.1 //Since a Layer 3 network is
deployed between the AC and APs, configure Option43 to advertise the AC's IP address to the APs.
[S7700-ip-pool-manage_ap1] quit
[S7700] interface vlanif 20 //Configure a global address pool to assign IP addresses to AP201 and AP202.
[S7700-Vlanif20] description manage_ap2
[S7700-Vlanif20] ip address 10.23.20.1 24
[S7700-Vlanif20] dhcp select global
[S7700-Vlanif20] quit
[S7700] ip pool manage_ap2
[S7700-ip-pool-manage_ap2] gateway-list 10.23.20.1
[S7700-ip-pool-manage_ap2] network 10.23.20.0 mask 255.255.255.0
[S7700-ip-pool-manage_ap2] option 43 sub-option 2 ip-address 10.23.100.1 //Since a Layer 3 network is
deployed between the AC and APs, configure Option 43 to advertise the AC's IP address to the APs.
[S7700-ip-pool-manage_ap2] quit
[S7700] interface vlanif 101 //Configure a global IP address pool to assign IP addresses to STAs connected
to AP101 and AP102.

[S7700-Vlanif101] description manage_area1_sta
[S7700-Vlanif101] ip address 10.23.101.1 24
[S7700-Vlanif101] dhcp select global
[S7700-Vlanif101] quit
[S7700] ip pool manage_area1_sta
[S7700-ip-pool-manage_area1_sta] gateway-list 10.23.101.1
[S7700-ip-pool-manage_area1_sta] network 10.23.101.0 mask 255.255.255.0
[S7700-ip-pool-manage_area1_sta] quit
[S7700] interface vlanif 102 //Configure a global IP address pool to assign IP addresses to STAs connected
to AP201 and AP202.
[S7700-Vlanif102] description manage_area2_sta
[S7700-Vlanif102] ip address 10.23.102.1 24
[S7700-Vlanif102] dhcp select global
[S7700-Vlanif102] quit
[S7700] ip pool manage_area2_sta
[S7700-ip-pool-manage_area2_sta] gateway-list 10.23.102.1
[S7700-ip-pool-manage_area2_sta] network 10.23.102.0 mask 255.255.255.0
[S7700-ip-pool-manage_area2_sta] quit

# Configure a default route to the S7700 on the AC.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.100.10

Step 3 Configure a RADIUS server template, configure authentication, accounting, and
authorization in the template, and configure Portal authentication.

# Configure a RADIUS server template on the AC, and configure authentication,
accounting, and authorization in the template.
[AC] radius-server template radius1 //Create the RADIUS server template radius1.
[AC-radius-radius1] radius-server authentication 10.23.30.1 1812 source ip-address 10.23.100.1 weight
80 //Configure the active RADIUS authentication server 1 and authentication port 1812. The AC uses the
IP address 10.23.100.1 to communicate with the active RADIUS authentication server 1.
[AC-radius-radius1] radius-server authentication 10.23.30.2 1812 source ip-address 10.23.100.1 weight
80 //Configure the active RADIUS authentication server 2 and authentication port 1812. The AC uses the
IP address 10.23.100.1 to communicate with the active RADIUS authentication server 2.
[AC-radius-radius1] radius-server authentication 10.23.30.3 1812 source ip-address 10.23.100.1 weight
20 //Configure the standby RADIUS authentication server, with the weight value lower than the active
authentication server. Set the authentication port number to 1812. The AC uses the IP address 10.23.100.1
to communicate with the standby RADIUS authentication server.
[AC-radius-radius1] radius-server accounting 10.23.30.1 1813 source ip-address 10.23.100.1 weight
80 //Configure the active RADIUS accounting server 1 to collect user login and logout information and set
the accounting port number to 1813. The AC uses the IP address 10.23.100.1 to communicate with the
active RADIUS accounting server 1.
[AC-radius-radius1] radius-server accounting 10.23.30.2 1813 source ip-address 10.23.100.1 weight
80 //Configure the active RADIUS accounting server 2 to collect user login and logout information and set
the accounting port number to 1813. The AC uses the IP address 10.23.100.1 to communicate with the
active RADIUS accounting server 2.
[AC-radius-radius1] radius-server accounting 10.23.30.3 1813 source ip-address 10.23.100.1 weight
20 //Configure the standby RADIUS accounting server, with the weight value lower than the active
accounting server. Set the accounting port number to 1813. The AC uses the IP address 10.23.100.1 to
communicate with the standby RADIUS accounting server.
[AC-radius-radius1] radius-server shared-key cipher YsHsjx_202206 //Configure a shared key for the
RADIUS server.
[AC-radius-radius1] radius-server detect-server interval 30 //Set the RADIUS automatic detection
interval to 30s. The default value is 60s.
[AC-radius-radius1] quit
[AC] aaa
[AC-aaa] authentication-scheme radius1 //Create the authentication scheme radius1.
[AC-aaa-authen-radius1] authentication-mode radius //If the controller functions as the RADIUS server,
the authentication mode must be set to RADIUS.
[AC-aaa-authen-radius1] quit
[AC-aaa] accounting-scheme radius1 //Create the accounting scheme radius1.
[AC-aaa-accounting-radius1] accounting-mode radius //Set the accounting mode to RADIUS. To facilitate
account status information maintenance on the RADIUS server, including the login and logout information,
and forced logout information, the accounting mode must be set to radius.
[AC-aaa-accounting-radius1] accounting realtime 15 //Enable real-time accounting and set the
accounting interval to 15 minutes. By default, real-time accounting is disabled.
[AC-aaa-accounting-radius1] quit

[AC-aaa] domain portal1 //Create the domain portal1.
[AC-aaa-domain-portal1] authentication-scheme radius1 //Bind the authentication scheme radius1.
[AC-aaa-domain-portal1] accounting-scheme radius1 //Bind the accounting scheme radius1.
[AC-aaa-domain-portal1] radius-server radius1 //Bind the RADIUS server template radius1.
[AC-aaa-domain-portal1] quit
[AC-aaa] quit

# Configure a Portal server template for each of the three controller nodes.
[AC] web-auth-server portal1 //Create the Portal server template portal1 for controller node 1.
[AC-web-auth-server-portal1] server-ip 10.23.30.1 //Configure an IP address for the Portal server.
[AC-web-auth-server-portal1] port 50100 //Set the destination port number used by the device to send
packets to the Portal server to 50100 (default setting).
[AC-web-auth-server-portal1] shared-key cipher YsHsjx_202206 //Configure the shared key for message
exchange between the AC and Portal server.
[AC-web-auth-server-portal1] url http://10.23.30.1:8080/portal //Configure the URL of the Portal server.
[AC-web-auth-server-portal1] server-detect interval 30 action log //Set the Portal server detection
interval to 30s and record a log when detection fails. The default interval is 60s.
[AC-web-auth-server-portal1] quit
[AC] web-auth-server portal2 //Create the Portal server template portal2 for controller node 2.
[AC-web-auth-server-portal2] server-ip 10.23.30.2
[AC-web-auth-server-portal2] port 50100
[AC-web-auth-server-portal2] shared-key cipher YsHsjx_202206
[AC-web-auth-server-portal2] url http://10.23.30.2:8080/portal
[AC-web-auth-server-portal2] server-detect interval 30 action log
[AC-web-auth-server-portal2] quit
[AC] web-auth-server portal3 //Create the Portal server template portal3 for controller node 3.
[AC-web-auth-server-portal3] server-ip 10.23.30.3
[AC-web-auth-server-portal3] port 50100
[AC-web-auth-server-portal3] shared-key cipher YsHsjx_202206
[AC-web-auth-server-portal3] url http://10.23.30.3:8080/portal
[AC-web-auth-server-portal3] server-detect interval 30 action log
[AC-web-auth-server-portal3] quit

# Configure Portal authentication.
[AC] portal-access-profile name portal1
[AC-portal-access-profile-portal1] web-auth-server portal1 portal3 layer3 //Bind the Portal server
templates portal1 and portal3.
[AC-portal-access-profile-portal1] quit
[AC] portal-access-profile name portal2
[AC-portal-access-profile-portal2] web-auth-server portal2 portal3 layer3
[AC-portal-access-profile-portal2] quit
[AC] authentication-profile name portal1
[AC-authen-profile-portal1] portal-access-profile portal1
[AC-authen-profile-portal1] access-domain portal1 force //Configure the forcible user domain portal1.
[AC-authen-profile-portal1] access-domain portal1 //Configure the default user domain portal1.
[AC-authen-profile-portal1] quit
[AC] authentication-profile name portal2
[AC-authen-profile-portal2] portal-access-profile portal2
[AC-authen-profile-portal2] access-domain portal1 force
[AC-authen-profile-portal2] access-domain portal1
[AC-authen-profile-portal2] quit

# Bind the authentication profiles to the service VLANIF interfaces.
[AC] vlan batch 101 102
[AC] interface vlanif 101
[AC-Vlanif101] authentication-profile portal1
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] authentication-profile portal2
[AC-Vlanif102] quit

Step 4 Configure APs to go online.
# Create AP groups.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1

[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn //Configure the AC country code. Radio features of
APs managed by the AC must conform to local laws and regulations. The default country code is CN.
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group2] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import the APs offline on the AC.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 101 ap-mac 00e0-fc76-e320
[AC-wlan-ap-101] ap-name ap-101
[AC-wlan-ap-101] ap-group ap-group1 //Add APs on the first floor to ap-group1.
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102 ap-mac 00e0-fc76-e340
[AC-wlan-ap-102] ap-name ap-102
[AC-wlan-ap-102] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 201 ap-mac 00e0-fc76-e360
[AC-wlan-ap-201] ap-name ap-201
[AC-wlan-ap-201] ap-group ap-group2 //Add APs on the second floor to ap-group2.
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202 ap-mac 00e0-fc76-e380
[AC-wlan-ap-202] ap-name ap-202
[AC-wlan-ap-202] ap-group ap-group2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-202] quit

# Power on the APs and run the display ap all command to check the AP state. If
the State field is nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [4]
-------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------------------
101 00e0-fc76-e320 ap-101 ap-group1 10.23.101.254 AP5030DN nor 0 10S
102 00e0-fc76-e340 ap-102 ap-group1 10.23.101.253 AP5030DN nor 0 15S
201 00e0-fc76-e360 ap-201 ap-group2 10.23.102.254 AP5030DN nor 0 45S
202 00e0-fc76-e380 ap-202 ap-group2 10.23.102.253 AP5030DN nor 0 49S

-------------------------------------------------------------------------------------------------
Total: 4

Step 5 Configure WLAN service parameters.
# Create RRM profile rrm1. By default, the automatic channel and transmit power
selection functions are enabled. When you need to manually specify the channel
and power for a radio, set the channel and transmit power selection modes to
fixed.
[AC-wlan-view] rrm-profile name rrm1
[AC-wlan-rrm-prof-rrm1] calibrate auto-channel-select disable //Set the channel selection mode of the
radio to fixed.
[AC-wlan-rrm-prof-rrm1] calibrate auto-txpower-select disable //Set the transmit power selection mode
of the radio to fixed.
[AC-wlan-rrm-prof-rrm1] quit

NOTE

In V200R012 and later versions, the commands for configuring the channel selection and
transmit power selection modes are executed in the AP group radio view or AP radio view
instead of in the RRM profile view. For example, run the following commands to set the
channel and transmit power selection modes of radio 0 of APs in AP group 1 to fixed:
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit

# Create radio profiles radio-2g and radio-5g, and bind the RRM profile rrm1 to
the radio profiles.
[AC-wlan-view] radio-2g-profile name radio-2g
[AC-wlan-radio-2g-prof-radio-2g] rrm-profile rrm1
[AC-wlan-radio-2g-prof-radio-2g] quit
[AC-wlan-view] radio-5g-profile name radio-5g
[AC-wlan-radio-5g-prof-radio-5g] rrm-profile rrm1
[AC-wlan-radio-5g-prof-radio-5g] quit

# Create security profile wlan-security and set the security policy in the profile.
[AC-wlan-view] security-profile name wlan-security //Portal authentication has been enabled on the
interface. Set the security policy to OPEN, that is, no authentication and no encryption.
[AC-wlan-sec-prof-wlan-security] security open
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to city-wlan.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid city-wlan //Set the SSID to city-wlan.
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create traffic profile traffic1 and configure Layer 2 user isolation.
[AC-wlan-view] traffic-profile name traffic1
[AC-wlan-traffic-prof-traffic1] user-isolate l2
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC-wlan-traffic-prof-traffic1] quit

# Create VAP profiles wlan-vap1 and wlan-vap2, configure the data forwarding
mode and service VLANs, and apply the security profile, SSID profile, and
authentication profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode direct-forward //Set the service forwarding mode to direct.
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID
is 1.
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security

[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap1] quit
[AC-wlan-view] vap-profile name wlan-vap2
[AC-wlan-vap-prof-wlan-vap2] forward-mode direct-forward //Set the service forwarding mode to direct.
[AC-wlan-vap-prof-wlan-vap2] service-vlan vlan-id 102 //Set the VLAN ID to 102. By default, the VLAN ID
is 1.
[AC-wlan-vap-prof-wlan-vap2] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap2] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap2] traffic-profile traffic1
[AC-wlan-vap-prof-wlan-vap2] quit

# Bind the VAP profile and radio profile to the AP group.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio-2g //In V200R010C00 and later versions, you need
to specify the radio ID using the radio-2g-profile radio-2g radio 0 command.
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio-5g //In V200R010C00 and later versions, you
need to specify the radio ID using the radio-5g-profile radio-5g radio 1 command.
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] ap-group name ap-group2
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 0
[AC-wlan-ap-group-ap-group2] vap-profile wlan-vap2 wlan 1 radio 1
[AC-wlan-ap-group-ap-group2] radio-2g-profile radio-2g
[AC-wlan-ap-group-ap-group2] radio-5g-profile radio-5g
[AC-wlan-ap-group-ap-group2] quit

Step 6 Configure VAPs and deliver VAP parameters to APs.
# Configure VAPs.
[AC-wlan-view] ap-id 101
[AC-wlan-ap-101] radio 0
[AC-wlan-radio-101/0] channel 20mhz 1 //Configure the channel based on the planning result of the
WLAN Planner.
[AC-wlan-radio-101/0] eirp 10 //Configure the power based on the planning result of the WLAN Planner.
[AC-wlan-radio-101/0] quit
[AC-wlan-ap-101] radio 1
[AC-wlan-radio-101/1] channel 20mhz 153
[AC-wlan-radio-101/1] eirp 10
[AC-wlan-radio-101/1] quit
[AC-wlan-ap-101] quit
[AC-wlan-view] ap-id 102
[AC-wlan-ap-102] radio 0
[AC-wlan-radio-102/0] channel 20mhz 6
[AC-wlan-radio-102/0] eirp 10
[AC-wlan-radio-102/0] quit
[AC-wlan-ap-102] radio 1
[AC-wlan-radio-102/1] channel 20mhz 161
[AC-wlan-radio-102/1] eirp 10
[AC-wlan-radio-102/1] quit
[AC-wlan-ap-102] quit
[AC-wlan-view] ap-id 201
[AC-wlan-ap-201] radio 0
[AC-wlan-radio-201/0] channel 20mhz 1
[AC-wlan-radio-201/0] eirp 10
[AC-wlan-radio-201/0] quit
[AC-wlan-ap-201] radio 1
[AC-wlan-radio-201/1] channel 20mhz 153
[AC-wlan-radio-201/1] eirp 10
[AC-wlan-radio-201/1] quit
[AC-wlan-ap-201] quit
[AC-wlan-view] ap-id 202
[AC-wlan-ap-202] radio 0
[AC-wlan-radio-202/0] channel 20mhz 6
[AC-wlan-radio-202/0] eirp 10
[AC-wlan-radio-202/0] quit
[AC-wlan-ap-202] radio 1

[AC-wlan-radio-202/1] channel 20mhz 161
[AC-wlan-radio-202/1] eirp 10
[AC-wlan-radio-202/1] quit
[AC-wlan-ap-202] quit

# Deliver the configuration to the APs.
[AC-wlan-view] commit all //After the WLAN service configuration is complete on the AC, the
configuration takes effect after you deliver it to the APs.
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 7 Verify the configuration.
# After the configuration is complete, run the display vap all command. The
command output shows that VAPs have been created.
[AC-wlan-view] display vap all
WID : WLAN ID
----------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
----------------------------------------------------------------------------------
101 ap-101 0 1 00E0-FC76-E320 ON OPEN 0 city-wlan
101 ap-101 1 1 00E0-FC76-E330 ON OPEN 0 city-wlan
102 ap-102 0 1 00E0-FC76-E340 ON OPEN 0 city-wlan
102 ap-102 1 1 00E0-FC76-E350 ON OPEN 0 city-wlan
201 ap-201 0 1 00E0-FC76-E360 ON OPEN 0 city-wlan
201 ap-201 1 1 00E0-FC76-E370 ON OPEN 0 city-wlan
202 ap-202 0 1 00E0-FC76-E380 ON OPEN 0 city-wlan
202 ap-202 1 1 00E0-FC76-E390 ON OPEN 0 city-wlan
----------------------------------------------------------------------------------
Total: 8

# Connect STAs to the WLAN with SSID city-wlan. After you enter the user name and
password on the Portal authentication page, the STAs can access the wireless
network. Run the display station all command on the AC. The command output
shows that the STAs are connected to the WLAN city-wlan.
[AC-wlan-view] display station all
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address SSID
----------------------------------------------------------------------------------------------------------
00e0-fc08-9abf 0 ap-101 0/1 2.4G 11n 3/8 -70 10 10.23.101.254 city-wlan
----------------------------------------------------------------------------------------------------------
Total: 1 2.4G: 1 5G: 0

# STAs and PCs obtain IP addresses and connect to the network properly.

----End

Configuration Files
● S5700-1 configuration file
#
sysname S5700-1
#
vlan batch 10 101
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 10

undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 101
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 101
stp edged-port enable
port-isolate enable group 1
#
return
● S5700-2 configuration file
#
sysname S5700-2
#
vlan batch 20 102
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk pvid vlan 20
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 102
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 20
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 102
stp edged-port enable
port-isolate enable group 1
#
return
● S7700 configuration file
#
sysname S7700
#
vlan batch 10 20 100 to 102 300
#
dhcp enable
#
ip pool manage_ap1
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.100.1
#
ip pool manage_ap2
gateway-list 10.23.20.1
network 10.23.20.0 mask 255.255.255.0
option 43 sub-option 2 ip-address 10.23.100.1
#
ip pool manage_area1_sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
ip pool manage_area2_sta
gateway-list 10.23.102.1
network 10.23.102.0 mask 255.255.255.0
#

interface Vlanif10
description manage_ap1
ip address 10.23.10.1 255.255.255.0
dhcp select global
#
interface Vlanif20
description manage_ap2
ip address 10.23.20.1 255.255.255.0
dhcp select global
#
interface Vlanif100
ip address 10.23.100.10 255.255.255.0
#
interface Vlanif101
description manage_area1_sta
ip address 10.23.101.1 255.255.255.0
dhcp select global
#
interface Vlanif102
description manage_area2_sta
ip address 10.23.102.1 255.255.255.0
dhcp select global
#
interface Vlanif300
ip address 10.23.30.10 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10 101
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 102
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 300
#
interface GigabitEthernet1/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 102
#
interface GigabitEthernet1/0/5
eth-trunk 1
#
interface GigabitEthernet1/0/6
eth-trunk 1
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name portal1
portal-access-profile portal1
access-domain portal1
access-domain portal1 force
authentication-profile name portal2

portal-access-profile portal2
access-domain portal1
access-domain portal1 force
#
radius-server template radius1
radius-server shared-key cipher %^%#~!W(.rpP$Psx"U>yy2uGMbJf-c.>vIWU[@V85Qe*%^%#
radius-server authentication 10.23.30.1 1812 source ip-address 10.23.100.1 weight 80
radius-server authentication 10.23.30.2 1812 source ip-address 10.23.100.1 weight 80
radius-server authentication 10.23.30.3 1812 source ip-address 10.23.100.1 weight 20
radius-server accounting 10.23.30.1 1813 source ip-address 10.23.100.1 weight 80
radius-server accounting 10.23.30.2 1813 source ip-address 10.23.100.1 weight 80
radius-server accounting 10.23.30.3 1813 source ip-address 10.23.100.1 weight 20
radius-server detect-server interval 30
#
web-auth-server portal1
server-ip 10.23.30.1
port 50100
shared-key cipher %^%#T)1I)52A-*iIrZ>='1l:P[[TYo!BX7_Z/AJkCGxC%^%#
url http://10.23.30.1:8080/portal
server-detect interval 30 action log
#
web-auth-server portal2
server-ip 10.23.30.2
port 50100
shared-key cipher %^%#"xJ,SrfdB4>n]ZAJ@|0IG`g@JAT"m81Jv8R3I{CM%^%#
url http://10.23.30.2:8080/portal
server-detect interval 30 action log
#
web-auth-server portal3
server-ip 10.23.30.3
port 50100
shared-key cipher %^%#dS6|(!NeF>qv;O7bJ[5D^QF"5#Na<,AG4b~y@3[(%^%#
url http://10.23.30.3:8080/portal
server-detect interval 30 action log
#
portal-access-profile name portal1
web-auth-server portal1 portal3 layer3
#
portal-access-profile name portal2
web-auth-server portal2 portal3 layer3
#
aaa
authentication-scheme radius1
authentication-mode radius
accounting-scheme radius1
accounting-mode radius
accounting realtime 15
domain portal1
authentication-scheme radius1
accounting-scheme radius1
radius-server radius1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface Vlanif101
authentication-profile portal1
#
interface Vlanif102
authentication-profile portal2
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/1
eth-trunk 1
#

interface GigabitEthernet2/0/2
eth-trunk 1
#
ip route-static 0.0.0.0 0.0.0.0 10.23.100.10
#
capwap source interface vlanif100
#
wlan
traffic-profile name traffic1
user-isolate l2
security-profile name wlan-security
security open
ssid-profile name default
vap-profile name wlan-vap1
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
vap-profile name wlan-vap2
service-vlan vlan-id 102
ssid-profile wlan-ssid
security-profile wlan-security
traffic-profile traffic1
regulatory-domain-profile name domain1
rrm-profile name rrm1
calibrate auto-channel-select disable
calibrate auto-txpower-select disable
radio-2g-profile name radio-2g
rrm-profile rrm1
radio-5g-profile name radio-5g
rrm-profile rrm1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
radio 1
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
radio 2
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap1 wlan 1
ap-group name ap-group2
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
radio 1
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
radio 2
radio-2g-profile radio-2g
radio-5g-profile radio-5g
vap-profile wlan-vap2 wlan 1
ap-id 101 ap-mac 00e0-fc76-e320 ap-sn 210235419610CB002000
ap-name ap-101
ap-group ap-group1
radio 0
channel 20mhz 1
eirp 10
radio 1
channel 20mhz 153
eirp 10
ap-id 102 ap-mac 00e0-fc76-e340 ap-sn 210235419610CB003333
ap-name ap-102
ap-group ap-group1
radio 0
channel 20mhz 6
eirp 10
radio 1
channel 20mhz 161
eirp 10
ap-id 201 ap-mac 00e0-fc76-e360 ap-sn 210235419610CB002287
ap-name ap-201
ap-group ap-group2
radio 0
channel 20mhz 1
eirp 10
radio 1
channel 20mhz 153
eirp 10
ap-id 202 ap-mac 00e0-fc76-e380 ap-sn 210235419610CB002299
ap-name ap-202
ap-group ap-group2
radio 0
channel 20mhz 6
eirp 10
radio 1
channel 20mhz 161
eirp 10
#
return

3.12.7 Example for Configuring MAC Address Authentication on the Wireless Side
MAC Address Authentication on the Wireless Side Overview
MAC address authentication controls a user's network access rights based on
their interface and MAC address. The user does not need to install any client
software. The device starts authenticating a user when detecting the user's MAC
address for the first time on the interface where MAC address authentication has
been enabled. During the authentication process, the user does not need to enter
a user name or password.

Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● Configure a proper RADIUS packet retransmission timeout interval.
For a large-scale or busy network, configure the shortest retransmission
timeout interval for RADIUS request packets. When a long retransmission
timeout interval is set, retransmission occupies system resources. A short
retransmission timeout interval can improve the AC's packet processing
capability.
The default retransmission timeout interval for wireless users is 5 seconds,
which is suitable for most wireless user authentication scenarios. When IP
addresses of more than eight authentication servers are configured in a
RADIUS server template, or 802.1X authentication is used, it is recommended
that the retransmission timeout interval be set to 1 second to improve
network processing efficiency.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
● In this example, MAC address authentication is used. To ensure network
security, configure an appropriate security policy according to service
requirements.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
Service packets and management packets can be forwarded normally
only if the network between APs and upper-layer network is added to the
service VLAN and the network between the AC and APs is added to the
management VLAN.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.

Networking Requirements
As shown in Figure 3-165, an AC in an enterprise is connected to the AP through
access switch SwitchA. The enterprise deploys the WLAN wlan-net to provide
wireless network access. The AC functions as a DHCP server to assign IP addresses
on the network segment 10.23.101.0/24 to wireless users.
Because the WLAN is open to users, access control is required for the WLAN to
ensure information security. Configure MAC address authentication to
authenticate dumb terminals such as wireless network printers and wireless
phones that do not support an authentication client. MAC addresses of terminals
are used as user information and sent to the RADIUS server for authentication.
Users do not need to perform any manual authentication when they connect to
the WLAN.

Figure 3-165 Networking diagram for configuring MAC address authentication on the wireless side

Data Planning

Table 3-85 Data plan

RADIUS authentication parameters
  Name of the RADIUS authentication scheme: radius_huawei
  Name of the RADIUS server template: radius_huawei
  ● IP address: 10.23.200.1
  ● Authentication port number: 1812
  ● Shared key: Example@123
  AAA domain: huawei.com

MAC access profile
  ● Name: m1
  ● User name and password for MAC address authentication: MAC addresses without hyphens (-)

Authentication profile
  ● Name: p1
  ● Bound profile: MAC access profile m1
  ● Forcible authentication domain: huawei.com

DHCP server
  The AC functions as a DHCP server to assign IP addresses to the AP and STAs.

IP address pool for the AP
  10.23.100.2 to 10.23.100.254/24

IP address pool for the STAs
  10.23.101.2 to 10.23.101.254/24

IP address of the AC's source interface
  VLANIF 100: 10.23.100.1/24

AP group
  ● Name: ap-group1
  ● Bound profile: VAP profile wlan-vap and regulatory domain profile domain1

Regulatory domain profile
  ● Name: domain1
  ● Country code: CN

SSID profile
  ● Name: wlan-ssid
  ● SSID name: wlan-net

Security profile
  ● Name: wlan-security
  ● Security policy: Open

VAP profile
  ● Name: wlan-vap
  ● Forwarding mode: tunnel forwarding
  ● Service VLAN: VLAN 101
  ● Bound profile: SSID profile wlan-ssid, security profile wlan-security, and authentication profile p1

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic WLAN services so that the AC can communicate with upper-
layer and lower-layer devices and the AP can go online.
2. Configure RADIUS authentication parameters.
3. Configure a MAC access profile to manage MAC access control parameters.
4. Configure an authentication profile to manage NAC configuration.
5. Configure WLAN service parameters, and bind a security policy profile and an
authentication profile to a VAP profile to control access from STAs.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.

# Add GE0/0/1 that connects SwitchA to the AP and GE0/0/2 that connects
SwitchA to the AC to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] stp edged-port enable
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.

NOTE

Configure AC uplink interfaces to transparently transmit service VLAN packets as required
and communicate with the upstream device.

# Add AC uplink interface GE1/0/2 to service VLAN 101.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to STAs and the AP.

# Configure the AC as the DHCP server to allocate an IP address to the AP from
the IP address pool on VLANIF 100, and allocate IP addresses to STAs from the IP
address pool on VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure a route from the AC to the RADIUS server. (Assume that the IP address
of the upper-layer device connected to the AC is 10.23.101.2.)
[AC] ip route-static 10.23.200.1 255.255.255.0 10.23.101.2

Step 5 Configure the AP to go online.

# Create an AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import an AP offline on the WLAN AC and add the AP to AP group ap-group1.
Assume that the AP's MAC address is 00e0-fc11-1111. Configure a name for the
AP based on the AP's deployment location, so that you can know where the AP is
deployed from its name. For example, name the AP area_1 if it is deployed in Area
1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
The AP used in this example has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc11-1111
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit

# Power on the AP and run the display ap all command to check the AP state. If
the State field is displayed as nor, the AP has gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [1]
Extrainfo : Extra information
P : insufficient power supply
--------------------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime ExtraInfo
--------------------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 ap-group1 10.23.100.254 AP5030DN nor 0 10S -
--------------------------------------------------------------------------------------------------
Total: 1

Step 6 Configure a RADIUS server template and a RADIUS authentication scheme.

NOTE

Ensure that the RADIUS server IP address, port number, and shared key are configured
correctly and are the same as those on the RADIUS server.

# Configure a RADIUS server template.
[AC] radius-server template radius_huawei
[AC-radius-radius_huawei] radius-server authentication 10.23.200.1 1812
[AC-radius-radius_huawei] radius-server shared-key cipher Example@123
[AC-radius-radius_huawei] quit

# Configure a RADIUS authentication scheme.
[AC] aaa
[AC-aaa] authentication-scheme radius_huawei
[AC-aaa-authen-radius_huawei] authentication-mode radius
[AC-aaa-authen-radius_huawei] quit

# Create an AAA domain and configure the RADIUS server template and
authentication scheme.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] radius-server radius_huawei
[AC-aaa-domain-huawei.com] authentication-scheme radius_huawei
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

Step 7 Configure the MAC access profile m1.

NOTE

In a MAC access profile, a MAC address without hyphens (-) is used as the user name and
password for MAC address authentication.
[AC] mac-access-profile name m1
[AC-mac-access-profile-m1] quit

Step 8 Configure the authentication profile p1.
[AC] authentication-profile name p1
[AC-authen-profile-p1] mac-access-profile m1
[AC-authen-profile-p1] access-domain huawei.com mac-authen force
[AC-authen-profile-p1] quit

Step 9 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security open
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, configure the data forwarding mode and service
VLANs, and apply the security profile, SSID profile, and authentication profile to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 10 Commit the configuration.
[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 11 Verify the configuration.

After dumb terminals associate with the WLAN, authentication is performed
automatically. Users can directly access the network after being authenticated.

----End
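The RADIUS exchange that Steps 6 to 8 set up, as an added example that is not Huawei's code: the AC sends the terminal's MAC address without hyphens as both User-Name and User-Password (the convention of MAC access profile m1), and the RADIUS server unhides the password as RFC 2865 describes, requires it to equal the user name, and accepts only MAC addresses on an allowlist. The shared key Example@123 comes from Table 3-85; the allowlist, the terminal MAC addresses and every function name are constructed for this example.

```python
"""RADIUS PAP exchange for MAC address authentication (added example, not Huawei's code).

AC side: User-Name = User-Password = MAC without hyphens, as MAC access profile m1 does.
Server side: unhide the password (RFC 2865 section 5.2), require it to equal the user
name, and accept only MAC addresses on a constructed allowlist.
"""
import hashlib
import secrets
import struct

SHARED_KEY = b"Example@123"           # shared key from the data plan (Table 3-85)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2       # RFC 2865 attribute types


def mac_to_credential(mac: str) -> str:
    """Huawei-style 'xxxx-xxxx-xxxx' MAC -> user name/password without hyphens."""
    return mac.replace("-", "").lower()


def _attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Inverse of hide_password; the chaining value is the previous hidden block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(mac: str, ident: int, secret: bytes = SHARED_KEY) -> bytes:
    """AC side: Access-Request carrying the MAC as both User-Name and User-Password."""
    cred = mac_to_credential(mac).encode()
    req_auth = secrets.token_bytes(16)      # Request Authenticator must be unpredictable
    attrs = _attr(USER_NAME, cred) + _attr(USER_PASSWORD, hide_password(cred, secret, req_auth))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def parse_attrs(data: bytes) -> dict:
    """Decode the attribute list, rejecting lengths that run past the packet."""
    attrs, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs


def server_decide(packet: bytes, allowlist: set, secret: bytes = SHARED_KEY) -> bytes:
    """Server side: unhide the password, apply the MAC-as-credential rule and the
    allowlist, and answer with an Access-Accept or Access-Reject (no attributes)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    pwd = unhide_password(attrs.get(USER_PASSWORD, b""), secret, req_auth).decode(errors="replace")
    ok = user == pwd and user in allowlist
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    # RFC 2865 section 3: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    return header + hashlib.md5(header + req_auth + secret).digest()


def verify_response(resp: bytes, request: bytes, secret: bytes = SHARED_KEY) -> bool:
    """AC side: accept the reply only if its Response Authenticator matches our request."""
    expected = hashlib.md5(resp[:4] + request[4:20] + resp[20:] + secret).digest()
    return resp[4:20] == expected


# Constructed allowlist of two dumb terminals (a printer and a phone); not MACs from the page.
AUTHORISED_MACS = {mac_to_credential("0011-2233-4455"), mac_to_credential("0011-2233-4456")}

if __name__ == "__main__":
    req = build_access_request("0011-2233-4455", ident=7)
    resp = server_decide(req, AUTHORISED_MACS)
    print("Access-Accept" if resp[0] == ACCESS_ACCEPT else "Access-Reject",
          "authenticator ok" if verify_response(resp, req) else "authenticator BAD")
```

Because the credential is the MAC address itself, the allowlist on the RADIUS server is the only thing that decides who gets in, which is why the configuration notes above ask for an appropriate security policy around MAC address authentication.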

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name p1
mac-access-profile m1
access-domain huawei.com mac-authen force
#
dhcp enable
#
radius-server template radius_huawei
radius-server shared-key cipher %^%#Oc6_BMCw#9gZ2@SMVtk!PAC6>Ou*eLW/"qLp+f#$%^%#
radius-server authentication 10.23.200.1 1812 weight 80
#
mac-access-profile name m1
#
aaa
authentication-scheme radius_huawei
authentication-mode radius
domain huawei.com
authentication-scheme radius_huawei
radius-server radius_huawei
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101
#
ip route-static 10.23.200.0 255.255.255.0 10.23.101.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security open
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 ap-mac 00e0-fc11-1111
ap-name area_1
ap-group ap-group1
#
return

3.12.8 Example for Configuring Portal Authentication on the Wireless Side (on a Layer 2 Network)
Portal Authentication on the Wireless Side Overview
Portal authentication is also called web authentication. Generally, Portal
authentication websites are also called Portal websites. When users go online,
they must be authenticated on Portal websites. The users can use network
resources only after they pass the authentication.
A user can access a known Portal authentication website and enter a user name
and password for authentication. This mode is called active authentication. If a
user attempts to access other external networks through HTTP, the device forcibly
redirects the user to the Portal authentication website for Portal authentication.
This mode is called forcible authentication.

Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● Configure a proper RADIUS packet retransmission timeout interval.
For a large-scale or busy network, configure the shortest retransmission
timeout interval for RADIUS request packets. When a long retransmission
timeout interval is set, retransmission occupies system resources. A short
retransmission timeout interval can improve the AC's packet processing
capability.
The default retransmission timeout interval for wireless users is 5 seconds,
which is suitable for most wireless user authentication scenarios. When IP
addresses of more than eight authentication servers are configured in a
RADIUS server template, or 802.1X authentication is used, it is recommended
that the retransmission timeout interval be set to 1 second to improve
network processing efficiency.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
● In this example, Portal authentication is used. To ensure network security,
configure an appropriate security policy according to service requirements.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
Service packets and management packets can be forwarded normally
only if the network between APs and upper-layer network is added to the
service VLAN and the network between the AC and APs is added to the
management VLAN.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.

Networking Requirements
Users in the guest area of a company want to access the company's intranet
through an AP. The company needs to deploy an identity authentication system
for access control of users who attempt to connect to the network, preventing
unauthorized access.
Because visitors move frequently, Portal authentication is configured and the
RADIUS server is used to authenticate users.

Figure 3-166 Networking diagram for configuring Portal authentication on the wireless side (on a Layer 2 network)

Data Plan

Table 3-86 Data plan

DHCP server
  The AC functions as a DHCP server to assign IP addresses to the AP and STAs.

IP address pool for APs
  10.23.1.2 to 10.23.1.254/24

IP address pool for STAs
  10.23.2.2 to 10.23.2.254/24

IP address of the AC's source interface
  VLANIF100: 10.23.1.1/24

RADIUS authentication parameters
  Name of the RADIUS authentication scheme: abc
  Name of a RADIUS server template: rd1
  ● IP address: 10.23.2.30
  ● Authentication port number: 1812
  ● Shared key: Example@123
  AAA domain: huawei.com

Portal server template
  ● Name: abc
  ● IP address: 10.23.2.30
  ● Destination port number in the packets that the AC sends to the Portal server: 50200
  ● Portal shared key: Example@123

Portal access profile
  ● Name: web1
  ● Referenced profile: Portal server template abc

Authentication-free rule template
  ● Name: default_free_rule
  ● Authentication-free resource: DNS server with IP address 10.23.3.1

Authentication profile
  ● Name: p1
  ● Referenced profiles: Portal access profile web1
  ● Forcible authentication domain for users: huawei.com

AP group
  ● Name: ap-group1
  ● Referenced profiles: VAP profile wlan-vap and regulatory domain profile domain1

Regulatory domain profile
  ● Name: domain1
  ● Country code: CN

SSID profile
  ● Name: wlan-ssid
  ● SSID name: wlan-net

Security profile
  ● Name: wlan-security
  ● Security policy: open system authentication

VAP profile
  ● Name: wlan-vap
  ● Forwarding mode: tunnel forwarding
  ● Service VLAN: VLAN 101
  ● Referenced profiles: SSID profile wlan-ssid and security profile wlan-security

Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with
upstream and downstream network devices, and the AP can go online.
2. Configure AAA on the AC to implement identity authentication on access
users through the RADIUS server. The configuration includes configuring a
RADIUS server template, an AAA scheme, and an authentication domain, and
binding the RADIUS server template and AAA scheme to the authentication
domain.
3. Configure Portal authentication. The configuration includes configuring a
Portal server template, a Portal access profile, an authentication-free rule
profile, and an authentication profile, and binding the authentication profile
to an interface.
4. Configure WLAN service parameters, and bind a security policy profile and an
authentication profile to a VAP profile to control access from STAs.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.
# On SwitchA, add GE0/0/1 connected to the AP and GE0/0/2 connected to the AC
to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] stp edged-port enable
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 of the AC connected to SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with upper-layer network devices.

NOTE

Configure the AC's upstream interfaces to transparently transmit service VLAN packets and
communicate with upstream network devices.

# Add GE1/0/2 of the AC connected to an upper-layer device to VLAN 101 (service
VLAN).
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC as a DHCP server to assign IP addresses to the AP and STAs.
# Configure the AC as the DHCP server to assign an IP address to the AP from the
IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP
address pool on VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.1.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.2.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure the AP to go online.

# Create an AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. In this
example, the AP's MAC address is 00e0-fc12-e360. Configure a name for the AP
based on the AP's deployment location, so that you can know where the AP is
located. For example, if the AP with MAC address 00e0-fc12-e360 is deployed in
area 1, name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 of the
AP5030DN works on the 2.4 GHz frequency band and radio 1 works on the 5 GHz frequency
band.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc12-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# Power on the AP and run the display ap all command to check the AP state. If
the State field is nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 00e0-fc12-e360 area_1 ap-group1 10.23.1.254 AP6010DN-AGN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure AAA.

# Create and configure the RADIUS server template rd1.
[AC] radius-server template rd1
[AC-radius-rd1] radius-server authentication 10.23.2.30 1812
[AC-radius-rd1] radius-server shared-key cipher Example@123
[AC-radius-rd1] quit

# Create the AAA authentication scheme abc and set the authentication mode to
RADIUS.
[AC] aaa
[AC-aaa] authentication-scheme abc
[AC-aaa-authen-abc] authentication-mode radius
[AC-aaa-authen-abc] quit

# Create the authentication domain huawei.com, and bind the AAA
authentication scheme abc and RADIUS server template rd1 to the domain.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme abc
[AC-aaa-domain-huawei.com] radius-server rd1
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

# Check whether a user can pass RADIUS authentication. (The test user test and
password Example@123 have been configured on the RADIUS server.)
[AC] test-aaa test Example@123 radius-template rd1
Info: Account test succeed.

Step 6 Configure Portal authentication.

# Configure the Portal server template abc.
[AC] web-auth-server abc
[AC-web-auth-server-abc] server-ip 10.23.2.30
[AC-web-auth-server-abc] port 50200
[AC-web-auth-server-abc] url http://10.23.2.30:8080/webagent
[AC-web-auth-server-abc] shared-key cipher Example@123
[AC-web-auth-server-abc] quit

# Configure the Portal access profile web1.
[AC] portal-access-profile name web1
[AC-portal-acces-profile-web1] web-auth-server abc direct
[AC-portal-acces-profile-web1] quit

# Configure the authentication-free rule profile default_free_rule.
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 10.23.3.1 mask 32
[AC-free-rule-default_free_rule] quit

# Configure the authentication profile p1, bind the Portal access profile web1, and
authentication-free rule profile default_free_rule to the authentication profile,
specify the domain huawei.com as the forcible authentication domain in the
authentication profile, set the user access mode to multi-authen, and set the
maximum number of access users to 100.
[AC] authentication-profile name p1
[AC-authen-profile-p1] portal-access-profile web1
[AC-authen-profile-p1] free-rule-template default_free_rule
[AC-authen-profile-p1] access-domain huawei.com force
[AC-authen-profile-p1] authentication mode multi-authen max-user 100
[AC-authen-profile-p1] quit

Step 7 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security open
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, configure the data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID
profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profiles to the AP group and apply the VAP profiles to radio 0 and
radio 1 of the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 8 Commit the configuration.

[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 9 Verify the configuration.

● The WLAN with the SSID wlan-net is available for STAs after the
configuration is complete.
● The STAs obtain IP addresses when they successfully associate with the
WLAN.
● When a user opens the browser and attempts to access the network, the user
is automatically redirected to the authentication page provided by the Portal
server. After entering the correct user name and password on the page, the
user can access the network.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
authentication-profile name p1
portal-access-profile web1
free-rule-template default_free_rule
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
dhcp enable
#
radius-server template rd1
radius-server shared-key cipher %^%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%^%#
radius-server authentication 10.23.2.30 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 10.23.3.1 mask 255.255.255.255
#
web-auth-server abc
server-ip 10.23.2.30
port 50200
shared-key cipher %^%#CR@WPM9Q30%]A}9]g4hUqe1u~4Fz}PlU)QPL;73#%^%#
url http://10.23.2.30:8080/webagent
#
portal-access-profile name web1
web-auth-server abc direct
#
aaa
authentication-scheme abc
authentication-mode radius
domain huawei.com
authentication-scheme abc
radius-server rd1
#
interface Vlanif100
ip address 10.23.1.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101
#
wlan
security-profile name wlan-security
security open
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 0 ap-mac 00e0-fc12-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

3.12.9 Example for Configuring Portal Authentication on the Wireless Side (on a Layer 3 Network)
Portal Authentication on the Wireless Side Overview
Portal authentication is also called web authentication. Generally, Portal
authentication websites are also called Portal websites. When users go online,
they must be authenticated on Portal websites. The users can use network
resources only after they pass the authentication.
A user can access a known Portal authentication website and enter a user name
and password for authentication. This mode is called active authentication. If a
user attempts to access other external networks through HTTP, the device forcibly
redirects the user to the Portal authentication website for Portal authentication.
This mode is called forcible authentication.

Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● Configure a proper RADIUS packet retransmission timeout interval.
For a large-scale or busy network, configure the shortest retransmission
timeout interval for RADIUS request packets. When a long retransmission
timeout interval is set, retransmission occupies system resources. A short
retransmission timeout interval can improve the AC's packet processing
capability.
The default retransmission timeout interval for wireless users is 5 seconds,
which is suitable for most wireless user authentication scenarios. When IP
addresses of more than eight authentication servers are configured in a
RADIUS server template, or 802.1X authentication is used, it is recommended
that the retransmission timeout interval be set to 1 second to improve
network processing efficiency.
● From V200R011C10, WLAN configurations are delivered automatically, so the
commit all command does not need to be run.
● In this example, Portal authentication is used. To ensure network security,
configure an appropriate security policy according to service requirements.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs, or WLAN users on different APs will be able
to communicate directly at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
Service packets and management packets can be forwarded normally
only if the network between APs and upper-layer network is added to the
service VLAN and the network between the AC and APs is added to the
management VLAN.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.
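
A way to check saved configuration files against the points in these notes and the settings this example uses (VLAN 1 removed from trunks, port isolation on AP-facing ports, shared keys kept as cipher text, host-only authentication-free rules, and no open SSID left without an authentication profile). This Python script is an added example and not Huawei's code; the two configuration snippets it parses are constructed in the format of the Configuration Files sections, and the list of checks is this editor's own selection.

```python
"""Audit Huawei VRP-style config files for this example's Portal settings (added example)."""
import re

# Constructed samples in the "Configuration Files" format. GE0/0/2, guest-vap and free-rule 2 deliberately deviate so the audit has findings.
SAMPLE_SWITCH_CONFIG = """\
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
 stp edged-port enable
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk allow-pass vlan 100
#
return
"""
SAMPLE_AC_CONFIG = """\
#
radius-server template rd1
 radius-server shared-key cipher %^%#REDACTED%^%#
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 10.23.3.1 mask 255.255.255.255
 free-rule 2 destination ip 10.23.0.0 mask 255.255.0.0
#
wlan
 security-profile name wlan-security
  security open
 vap-profile name wlan-vap
  security-profile wlan-security
  authentication-profile p1
 vap-profile name guest-vap
  security-profile wlan-security
#
return
"""

def parse_blocks(text):
    """Split the file into (header, body_lines) blocks delimited by '#' lines."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append((current[0], current[1:]))
            current = []
        elif line and line != "return":
            current.append(line)
    if current:
        blocks.append((current[0], current[1:]))
    return blocks

def wlan_profiles(body):
    """Map security-profile policies and VAP-profile bindings inside the 'wlan' block."""
    security, vaps, kind, name = {}, {}, None, None
    for line in body:
        m = re.match(r"(\S+) name (\S+)$", line)
        if m:  # a profile definition starts here; references lack the word 'name'
            kind, name = m.groups()
            if kind in ("security-profile", "vap-profile"):
                (security if kind == "security-profile" else vaps)[name] = {}
            continue
        if kind == "security-profile" and line.startswith("security "):
            security[name]["policy"] = line.split()[1]
        elif kind == "vap-profile":
            key, _, value = line.partition(" ")
            vaps[name][key] = value
    return security, vaps

def audit(text):
    findings = []  # human-readable findings; an empty list means nothing to flag
    for header, body in parse_blocks(text):
        if header.startswith("interface GigabitEthernet"):
            port = header.split()[1]
            if ("port link-type trunk" in body
                    and "undo port trunk allow-pass vlan 1" not in body):
                findings.append(f"{port}: VLAN 1 still allowed on trunk")
            if ("stp edged-port enable" in body
                    and not any(l.startswith("port-isolate enable") for l in body)):
                findings.append(f"{port}: AP-facing edge port without port isolation")
        elif header.startswith("radius-server template"):
            if any("shared-key" in l and " cipher " not in l for l in body):
                findings.append(f"{header}: shared key not stored as cipher text")
        elif header.startswith("free-rule-template"):
            for line in body:
                m = re.search(r"destination ip (\S+) mask (\S+)", line)
                if m and m.group(2) != "255.255.255.255":
                    findings.append(f"{header}: rule to {m.group(1)}/{m.group(2)} wider than one host")
        elif header == "wlan":
            security, vaps = wlan_profiles(body)
            for vap_name, vap in vaps.items():
                policy = security.get(vap.get("security-profile"), {}).get("policy")
                if policy == "open" and "authentication-profile" not in vap:
                    findings.append(f"vap-profile {vap_name}: open security policy "
                                    "with no authentication profile bound")
    return findings
```

Run audit() over the text of each saved configuration file; the returned list is empty when every check passes.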

Networking Requirements
Users in the guest area of a company want to access the company's intranet
through an AP. The company needs to deploy an identity authentication system
for access control of users who attempt to connect to the network, preventing
unauthorized access.
Because visitors move frequently, Portal authentication is configured and the
RADIUS server is used to authenticate users.

Figure 3-167 Networking diagram for configuring Portal authentication on the wireless side (on a Layer 3 network)

Data Plan

Table 3-87 Data plan

Item                               Data
Management VLANs for APs           VLAN 10 and VLAN 100
Service VLAN for STAs              VLAN pool
                                   ● Name: sta-pool
                                   ● VLANs in the VLAN pool: VLAN 101 and VLAN 102
DHCP server                        The AC functions as a DHCP server to assign IP
                                   addresses to APs and STAs.
IP address pool for APs            10.23.10.2 to 10.23.10.254/24
IP address pool for STAs           10.23.101.3 to 10.23.101.254/24
                                   10.23.102.3 to 10.23.102.254/24
AC's source interface address      VLANIF100: 10.23.100.1/24
RADIUS authentication parameters   Name of the RADIUS authentication scheme: abc
                                   Name of a RADIUS server template: rd1
                                   ● IP address: 10.23.200.1
                                   ● Authentication port number: 1812
                                   ● Shared key: Example@123
                                   AAA domain: huawei.com
Portal server template             ● Name: abc
                                   ● IP address: 10.23.200.1
                                   ● Destination port number in the packets that the
                                     AC sends to the Portal server: 50200
                                   ● Portal shared key: Example@123
Portal access profile              ● Name: web1
                                   ● Referenced profile: Portal server template abc
Authentication-free rule template  ● Name: default_free_rule
                                   ● Authentication-free resource: DNS server with IP
                                     address 10.23.201.1
Authentication profile             ● Name: p1
                                   ● Referenced profiles: Portal access profile web1
                                   ● Forcible authentication domain for users: huawei.com
AP group                           ● Name: ap-group1
                                   ● Referenced profiles: VAP profile wlan-vap and
                                     regulatory domain profile default
Regulatory domain profile          ● Name: default
                                   ● Country code: CN
SSID profile                       ● Name: wlan-ssid
                                   ● SSID name: wlan-net
Security profile                   ● Name: wlan-security
                                   ● Security policy: open system authentication
VAP profile                        ● Name: wlan-vap
                                   ● Forwarding mode: tunnel forwarding
                                   ● Service VLAN: VLANs in the VLAN pool
                                   ● Referenced profiles: SSID profile wlan-ssid and
                                     security profile wlan-security

Configuration Roadmap
1. Configure basic WLAN services so that the AC can communicate with
upstream and downstream network devices, and the AP can go online.
2. Configure AAA on the AC to implement identity authentication on access
users through the RADIUS server. The configuration includes configuring a
RADIUS server template, an AAA scheme, and an authentication domain, and
binding the RADIUS server template and AAA scheme to the authentication
domain.
3. Configure Portal authentication. The configuration includes configuring a
Portal server template, a Portal access profile, an authentication-free rule
profile, and an authentication profile, and binding the authentication profile
to an interface.
4. Configure WLAN service parameters, and bind a security policy profile and an
authentication profile to a VAP profile to control access from STAs.

Procedure
Step 1 Configure the network devices.
# Add GE0/0/1 and GE0/0/2 on SwitchA (access switch) to VLAN 10. The default
VLAN of GE0/0/1 is VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] stp edged-port enable
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE0/0/1 on SwitchB (aggregation switch) to VLAN 10, and GE0/0/2 to
VLAN 100. Create VLANIF 100 and set the IP address of VLANIF 100 to
10.23.100.2/24.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10 100
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] interface gigabitethernet 0/0/2
[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchB-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchB-GigabitEthernet0/0/2] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] ip address 10.23.100.2 24
[SwitchB-Vlanif100] quit

# On Router, add GE1/0/0 to VLAN 101 and VLAN 102. Create VLANIF 101 and
VLANIF 102 and set the IP address of VLANIF 101 to 10.23.101.2/24 and the IP
address of VLANIF 102 to 10.23.102.2/24.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 101 102
[Router] interface gigabitethernet 1/0/0
[Router-GigabitEthernet1/0/0] port link-type trunk
[Router-GigabitEthernet1/0/0] port trunk allow-pass vlan 101 102
[Router-GigabitEthernet1/0/0] quit
[Router] interface vlanif 101
[Router-Vlanif101] ip address 10.23.101.2 24
[Router-Vlanif101] quit
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.2 24
[Router-Vlanif102] quit

Step 2 Configure the AC to communicate with the network devices.

# Configure GE1/0/1 on the AC to VLAN 100, and GE1/0/2 to VLAN 101 and VLAN
102. Create VLANIF 100 and set the IP address of VLANIF 100 to 10.23.100.1/24.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101 102
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] quit
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/1] quit
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101 102
[AC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/2] quit

# Configure a route from the AC to the APs with the next hop as SwitchB's VLANIF
100.
[AC] ip route-static 10.23.10.0 24 10.23.100.2

Step 3 Configure the DHCP servers to assign IP addresses to APs and STAs.

# Configure DHCP relay on SwitchB.
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.23.10.1 24
[SwitchB-Vlanif10] dhcp select relay
[SwitchB-Vlanif10] dhcp relay server-ip 10.23.100.1
[SwitchB-Vlanif10] quit

# Create VLANIF 101 and VLANIF 102 on the AC to assign IP addresses to STAs,
and specify the default gateway.
NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[AC] dhcp enable
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] dhcp server gateway-list 10.23.101.2
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.1 24
[AC-Vlanif102] dhcp select interface
[AC-Vlanif102] dhcp server gateway-list 10.23.102.2
[AC-Vlanif102] quit

# On the AC, create a global IP address pool to allocate IP addresses to APs.
[AC] ip pool huawei
[AC-ip-pool-huawei] network 10.23.10.0 mask 24
[AC-ip-pool-huawei] gateway-list 10.23.10.1
[AC-ip-pool-huawei] option 43 sub-option 3 ascii 10.23.100.1
[AC-ip-pool-huawei] quit
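
The option 43 sub-option 3 value set above is how an AP learns the AC's address from its DHCP lease. As an added example that is not part of the Huawei guide, the following Python encoder/decoder shows the bytes that carry that value and refuses truncated TLVs or non-IPv4 text. The sub-option TLV framing follows the encapsulated vendor-specific option layout of RFC 2132; joining several AC addresses with commas is an assumption, since the example configures a single address.

```python
"""Encode/decode the DHCP option 43 value that carries the AC address to an AP
(added example, not Huawei's code)."""
import ipaddress
import struct

DHCP_OPTION_VENDOR_SPECIFIC = 43  # RFC 2132 vendor-specific information option
SUB_OPTION_AC_ADDRESS = 3         # "option 43 sub-option 3 ascii ..." in Step 3


def encode_option43(ac_addresses):
    """Return the option-43 TLV carrying sub-option 3 as ASCII text.
    Several addresses are joined with commas (an assumption; the example
    configures one address). Every input is validated as IPv4 first."""
    for addr in ac_addresses:
        ipaddress.IPv4Address(addr)  # raises ValueError on junk input
    payload = ",".join(ac_addresses).encode("ascii")
    if len(payload) > 253:           # both length fields are a single byte
        raise ValueError("too many AC addresses for a single option 43")
    sub = struct.pack("BB", SUB_OPTION_AC_ADDRESS, len(payload)) + payload
    return struct.pack("BB", DHCP_OPTION_VENDOR_SPECIFIC, len(sub)) + sub


def decode_option43(data):
    """Parse option-43 bytes and return the AC addresses from sub-option 3.
    Truncated TLVs and non-IPv4 text raise ValueError rather than yielding a
    bogus controller address; sub-options with other codes are skipped."""
    if len(data) < 2 or data[0] != DHCP_OPTION_VENDOR_SPECIFIC:
        raise ValueError("not a vendor-specific (43) option")
    body = data[2:2 + data[1]]
    if len(body) != data[1]:
        raise ValueError("option length exceeds available bytes")
    found, i = [], 0
    while i < len(body):
        if i + 2 > len(body):
            raise ValueError("truncated sub-option header")
        code, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated sub-option value")
        if code == SUB_OPTION_AC_ADDRESS:
            for text in value.decode("ascii").split(","):
                found.append(str(ipaddress.IPv4Address(text)))  # strict parse
        i += 2 + length
    return found


if __name__ == "__main__":
    raw = encode_option43(["10.23.100.1"])  # the value configured in Step 3
    print(raw.hex(), decode_option43(raw))
```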

Step 4 Configure a VLAN pool for service VLANs.

# On the AC, create a VLAN pool, add VLAN 101 and VLAN 102 to the pool, and
set the VLAN assignment algorithm to hash in the VLAN pool.
NOTE

This example uses the default VLAN assignment algorithm, hash. If the default setting has
not been changed, you do not need to run the assignment hash command.
In this example, only VLAN 101 and VLAN 102 are added to the VLAN pool. You can use the
same method to add more VLANs to a VLAN pool.
[AC] vlan pool sta-pool
[AC-vlan-pool-sta-pool] vlan 101 102
[AC-vlan-pool-sta-pool] assignment hash
[AC-vlan-pool-sta-pool] quit

Step 5 Configure an AP to go online.

# Create an AP group to which the APs with the same configuration can be added.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name default
[AC-wlan-regulate-domain-default] country-code cn
[AC-wlan-regulate-domain-default] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile default
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1.
Assume that the AP's MAC address is 00e0-fc12-e360. Configure a name for the
AP based on the AP's deployment location, so that you can know where the AP is
deployed from its name. For example, name the AP area_1 if it is deployed in Area
1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 (2.4 GHz radio) and radio 1
(5 GHz radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc12-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP
state. If the State field is displayed as nor, the AP goes online successfully.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 00e0-fc12-e360 area_1 ap-group1 10.23.10.254 AP5030DN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1

Step 6 Configure AAA.

# Create and configure the RADIUS server template rd1.
[AC] radius-server template rd1
[AC-radius-rd1] radius-server authentication 10.23.200.1 1812
[AC-radius-rd1] radius-server shared-key cipher Example@123
[AC-radius-rd1] quit

# Create the AAA authentication scheme abc and set the authentication mode to
RADIUS.
[AC] aaa
[AC-aaa] authentication-scheme abc
[AC-aaa-authen-abc] authentication-mode radius
[AC-aaa-authen-abc] quit

# Create the authentication domain huawei.com, and bind the AAA
authentication scheme abc and RADIUS server template rd1 to the domain.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme abc
[AC-aaa-domain-huawei.com] radius-server rd1
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

# Check whether a user can pass RADIUS authentication. (The test user test and
password Example@123 have been configured on the RADIUS server.)
[AC] test-aaa test Example@123 radius-template rd1
Info: Account test succeed.

Step 7 Configure Portal authentication.

# Configure the Portal server template abc.
[AC] web-auth-server abc
[AC-web-auth-server-abc] server-ip 10.23.200.1
[AC-web-auth-server-abc] port 50200
[AC-web-auth-server-abc] url http://10.23.200.1:8080/webagent
[AC-web-auth-server-abc] shared-key cipher Example@123
[AC-web-auth-server-abc] quit

# Configure the Portal access profile web1.
[AC] portal-access-profile name web1
[AC-portal-acces-profile-web1] web-auth-server abc layer3
[AC-portal-acces-profile-web1] quit

# Configure the authentication-free rule profile default_free_rule.
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 10.23.201.1 mask 32
[AC-free-rule-default_free_rule] quit

# Configure the authentication profile p1, bind the Portal access profile web1, and
authentication-free rule profile default_free_rule to the authentication profile,
specify the domain huawei.com as the forcible authentication domain in the
authentication profile, set the user access mode to multi-authen, and set the
maximum number of access users to 100.
[AC] authentication-profile name p1
[AC-authen-profile-p1] portal-access-profile web1
[AC-authen-profile-p1] free-rule-template default_free_rule
[AC-authen-profile-p1] access-domain huawei.com force
[AC-authen-profile-p1] authentication mode multi-authen max-user 100
[AC-authen-profile-p1] quit

Step 8 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security open
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, configure the data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID
profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-pool sta-pool
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profiles to the AP group and apply the VAP profiles to radio 0 and
radio 1 of the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 9 Commit the configuration.

[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 10 Verify the configuration.

● The WLAN with the SSID wlan-net is available for STAs after the
configuration is complete.
● The STAs obtain IP addresses when they successfully associate with the
WLAN.
● When a user opens the browser and attempts to access the network, the user
is automatically redirected to the authentication page provided by the Portal
server. After entering the correct user name and password on the page, the
user can access the network.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 10
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 10
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
#
return

● SwitchB configuration file
#
sysname SwitchB
#
vlan batch 10 100
#
dhcp enable
#
interface Vlanif10
ip address 10.23.10.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.100.1
#
interface Vlanif100
ip address 10.23.100.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
return

● Router configuration file
#
sysname Router
#
vlan batch 101 to 102
#
interface Vlanif101
ip address 10.23.101.2 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 101 to 102
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
authentication-profile name p1
portal-access-profile web1
free-rule-template default_free_rule
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
vlan pool sta-pool
vlan 101 to 102
#
dhcp enable
#
radius-server template rd1
radius-server shared-key cipher %^%#FQV~Lp0}JS<[2z:d"$x3f[D7U4cUr9_zs)~DgufB%^%#
radius-server authentication 10.23.200.1 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 10.23.201.1 mask 255.255.255.255
#
web-auth-server abc
server-ip 10.23.200.1
port 50200
shared-key cipher %^%#lOs#%4N$!'<=NfH!FUeI;)FY1Uc~H,@0;P<s!9>C%^%#
url http://10.23.200.1:8080/webagent
#
portal-access-profile name web1
web-auth-server abc layer3
#
ip pool huawei
gateway-list 10.23.10.1
network 10.23.10.0 mask 255.255.255.0
option 43 sub-option 3 ascii 10.23.100.1
#
aaa
authentication-scheme abc
authentication-mode radius
domain huawei.com
authentication-scheme abc
radius-server rd1
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.101.2
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select interface
dhcp server gateway-list 10.23.102.2
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 102
#
ip route-static 10.23.10.0 255.255.255.0 10.23.100.2
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security open
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-pool sta-pool
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name default
ap-group name ap-group1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 0 ap-mac 00e0-fc12-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
return

3.12.10 Example for Configuring MAC Address-prioritized Portal Authentication

MAC Address-Prioritized Portal Authentication
In MAC address-prioritized Portal authentication, when the Portal server needs to
authenticate a user, the access device first sends the user terminal's MAC address
to the Portal server for identity authentication. If the authentication fails, the
Portal server pushes the Portal authentication page to the terminal, and the user
must enter their user name and password. The RADIUS server caches a terminal's
MAC address during its first authentication. If the terminal is disconnected and
then connected to the network within the MAC address validity period, the
RADIUS server uses the terminal's cached MAC address for authentication.

Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● Configure a proper RADIUS packet retransmission timeout interval.
For a large-scale or busy network, configure the shortest retransmission
timeout interval for RADIUS request packets. When a long retransmission
timeout interval is set, retransmission occupies system resources. A short
retransmission timeout interval can improve the AC's packet processing
capability.
The default retransmission timeout interval for wireless users is 5 seconds,
which is suitable for most wireless user authentication scenarios. When IP
addresses of more than eight authentication servers are configured in a
RADIUS server template, or 802.1X authentication is used, it is recommended
that the retransmission timeout interval be set to 1 second to improve
network processing efficiency.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
● In this example, MAC address authentication is used. To ensure network
security, configure an appropriate security policy according to your network
requirements.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
Service packets and management packets can be forwarded normally
only if the network between APs and upper-layer network is added to the
service VLAN and the network between the AC and APs is added to the
management VLAN.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.

Networking Requirements
Users in the guest area of a company want to access the company's intranet
through an AP. The company needs to deploy an identity authentication system
for access control of users who attempt to connect to the network, preventing
unauthorized access.
Because visitors move frequently, Portal authentication is configured and the
RADIUS server is used to authenticate users.
To facilitate network access, the company decides to configure MAC address-
prioritized Portal authentication. If a user first goes offline after passing Portal
authentication, the user can go online again within a certain period (1 hour for
example) without re-entering their user name and password.

Figure 3-168 Networking for MAC address-prioritized portal authentication

Data Plan

Table 3-88 Data plan

DHCP server: The AC functions as a DHCP server to assign IP addresses to the AP
and STAs.

IP address pool for APs: 10.23.1.2 to 10.23.1.254/24

IP address pool for STAs: 10.23.2.2 to 10.23.2.254/24

IP address of the AC's source interface: VLANIF 100: 10.23.1.1/24

RADIUS authentication parameters:
● Name of the RADIUS authentication scheme: abc
● Name of a RADIUS server template: rd1
– IP address: 10.23.2.30
– Authentication port number: 1812
– Shared key: Example@123
● AAA domain: huawei.com

Portal server template:
● Name: abc
● IP address: 10.23.2.30
● Destination port number in the packets that the AC sends to the Portal server:
50200
● Portal shared key: Example@123

Portal access profile:
● Name: web1
● Referenced profile: Portal server template abc

MAC access profile:
● Name: m1
● User name and password for MAC address authentication: MAC addresses
without hyphens (-)

Authentication-free rule template:
● Name: default_free_rule
● Authentication-free resource: DNS server with IP address 10.23.3.1

Authentication profile:
● Name: p1
● Referenced profiles: Portal access profile web1 and MAC access profile m1
● Forcible authentication domain for users: huawei.com

AP group:
● Name: ap-group1
● Referenced profiles: VAP profile wlan-vap and regulatory domain profile
domain1

Regulatory domain profile:
● Name: domain1
● Country code: CN

SSID profile:
● Name: wlan-ssid
● SSID name: wlan-net

Security profile:
● Name: wlan-security
● Security policy: open system authentication

VAP profile:
● Name: wlan-vap
● Forwarding mode: tunnel forwarding
● Service VLAN: VLAN 101
● Referenced profiles: SSID profile wlan-ssid and security profile wlan-security

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure basic WLAN services so that the AC can communicate with
upstream and downstream network devices, and the AP can go online.
2. Configure WLAN service parameters for STAs to access the WLAN.
3. Configure AAA on the AC to implement identity authentication on access
users through the RADIUS server. The configuration includes configuring a
RADIUS server template, an AAA scheme, and an authentication domain, and
binding the RADIUS server template and AAA scheme to the authentication
domain.
4. Configure MAC address-prioritized Portal authentication. The configuration
includes configuring a Portal server template, a Portal access profile, a MAC
access profile, an authentication-free rule profile, and an authentication
profile, and binding the authentication profile to an interface.
5. Configure WLAN service parameters, and bind a security policy profile and an
authentication profile to a VAP profile to control access from STAs.
6. Configure the Agile Controller.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.

# On SwitchA, add GE0/0/1 connected to the AP and GE0/0/2 connected to the AC
to the management VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] stp edged-port enable
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] quit

# Add GE1/0/1 of the AC connected to SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with upper-layer network devices.

NOTE

Configure the AC's upstream interfaces to transparently transmit service VLAN packets and
communicate with upstream network devices.

# Add GE1/0/2 of the AC connected to an upper-layer device to VLAN 101 (service
VLAN).
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC as a DHCP server to assign IP addresses to the AP and STAs.
# Configure the AC as the DHCP server to assign an IP address to the AP from the
IP address pool on VLANIF 100, and assign IP addresses to STAs from the IP
address pool on VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.1.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.2.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure the AP to go online.

# Create an AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import the AP offline on the AC and add the AP to AP group ap-group1. In this
example, the AP's MAC address is 00e0-fc12-e360. Configure a name for the AP
based on the AP's deployment location, so that you can know where the AP is
located. For example, if the AP with MAC address 00e0-fc12-e360 is deployed in
area 1, name the AP area_1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP5030DN is used and has two radios: radio 0 and radio 1. Radio 0 of the
AP5030DN works on the 2.4 GHz frequency band and radio 1 works on the 5 GHz frequency
band.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc12-e360
[AC-wlan-ap-0] ap-name area_1
Warning: This operation may cause AP reset. Continue? [Y/N]:y
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] quit

# Power on the AP and run the display ap all command to check the AP state. If
the State field is nor, the AP has gone online.
[AC] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 00e0-fc12-e360 area_1 ap-group1 10.23.1.254 AP6010DN-AGN nor 0 10S
-------------------------------------------------------------------------------------
Total: 1

Step 5 Configure AAA.

# Create and configure the RADIUS server template rd1.
[AC] radius-server template rd1
[AC-radius-rd1] radius-server authentication 10.23.2.30 1812
[AC-radius-rd1] radius-server shared-key cipher Example@123
[AC-radius-rd1] quit

# Create the AAA authentication scheme abc and set the authentication mode to
RADIUS.
[AC] aaa
[AC-aaa] authentication-scheme abc
[AC-aaa-authen-abc] authentication-mode radius
[AC-aaa-authen-abc] quit

# Create the authentication domain huawei.com, and bind the AAA
authentication scheme abc and RADIUS server template rd1 to the domain.
[AC-aaa] domain huawei.com
[AC-aaa-domain-huawei.com] authentication-scheme abc
[AC-aaa-domain-huawei.com] radius-server rd1
[AC-aaa-domain-huawei.com] quit
[AC-aaa] quit

# Check whether a user can pass RADIUS authentication. (The test user test and
password Example@123 have been configured on the RADIUS server.)
[AC] test-aaa test Example@123 radius-template rd1
Info: Account test succeed.

Step 6 Configure MAC address-prioritized Portal authentication.

# Configure the Portal server template abc.
[AC] web-auth-server abc
[AC-web-auth-server-abc] server-ip 10.23.2.30
[AC-web-auth-server-abc] port 50200
[AC-web-auth-server-abc] url http://10.23.2.30:8080/webagent
[AC-web-auth-server-abc] shared-key cipher Example@123
[AC-web-auth-server-abc] quit

# Configure the Portal access profile web1.
[AC] portal-access-profile name web1
[AC-portal-acces-profile-web1] web-auth-server abc direct
[AC-portal-acces-profile-web1] quit

# Configure the MAC access profile m1.
NOTE

In a MAC access profile, a MAC address without hyphens (-) is used as the user name and
password for MAC address authentication.
[AC] mac-access-profile name m1
[AC-mac-access-profile-m1] quit

# Configure the authentication-free rule profile default_free_rule.
[AC] free-rule-template name default_free_rule
[AC-free-rule-default_free_rule] free-rule 1 destination ip 10.23.3.1 mask 32
[AC-free-rule-default_free_rule] quit

# Configure the authentication profile p1, bind the Portal access profile web1,
MAC access profile m1, and authentication-free rule profile default_free_rule to
the authentication profile, specify the domain huawei.com as the forcible
authentication domain in the authentication profile, set the user access mode to
multi-authen, and set the maximum number of access users to 100.
[AC] authentication-profile name p1
[AC-authen-profile-p1] portal-access-profile web1
[AC-authen-profile-p1] mac-access-profile m1
[AC-authen-profile-p1] free-rule-template default_free_rule
[AC-authen-profile-p1] access-domain huawei.com force
[AC-authen-profile-p1] authentication mode multi-authen max-user 100
[AC-authen-profile-p1] quit

Step 7 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
By default, the security policy is set to open system.
[AC] wlan
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create the VAP profile wlan-vap, configure the data forwarding mode and
service VLANs, and bind the security profile, authentication profile, and SSID
profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] authentication-profile p1
[AC-wlan-vap-prof-wlan-vap] quit

# Bind the VAP profiles to the AP group and apply the VAP profiles to radio 0 and
radio 1 of the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 8 Commit the configuration.
[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 9 Configure the Agile Controller.

For details on how to log in to the Agile Controller, add user accounts and
switches to the Agile Controller, and configure authorization results and
authorization rules on the Agile Controller, see 3.14.2.1 Configuring Portal
Authentication for Access Users on Huawei Agile Controller-Campus
(Authentication Point on Core Switch). The configurations are not described
here.

In addition to the preceding configurations, you need to enable MAC address-prioritized
Portal authentication on the Agile Controller. The procedure is as follows:
1. Choose System > Terminal Configuration > Global Parameters.
2. On the MAC Address-Prioritized Portal Authentication tab page, enable
MAC Address-Prioritized Portal Authentication, and set Validity Period of
MAC Address to 60.
3. Click OK.
Step 10 Verify the configuration.
Item: User authentication
Expected result:
● Before successful authentication, a user can only access the Agile Controller
server and DNS server.
● When the user attempts to visit a website, the user authentication page is
pushed to them. After the user enters the correct user name and password, the
requested web page is displayed.
● After the authentication succeeds, run the display access-user command on
the AC to view information about online users.

Item: A user disconnects from the wireless network and reconnects to the
network 5 minutes later.
Expected result: The authentication is completed automatically. The user connects
to the Internet directly without entering their user name and password.

Item: A user disconnects from the wireless network and reconnects to the
network 65 minutes later.
Expected result: When the user attempts to visit a website, the user authentication
page is pushed to them. After the user enters the correct user name and
password, the requested web page is displayed.

----End
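The MAC address-prioritized flow described at the start of this section and the expected results of Step 10, as an added Python model that is not Huawei code or actual device behaviour: it assumes the RADIUS server caches a MAC only after a successful Portal login, that the 60-minute validity period from Step 9 counts from that login, and that the STA MAC and the Internet address used below are constructed values.

```python
"""Added example (not Huawei's code): a model of MAC address-prioritized Portal
authentication as described in 3.12.10, checked against the Step 10 expectations
(reconnect after 5 minutes succeeds silently, after 65 minutes the Portal page
is pushed again). Assumptions: the MAC cache lives on the RADIUS server and is
filled only by a successful Portal login; validity = 60 minutes from that login;
the test account is the page's test/Example@123; times are integer minutes."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

VALIDITY_MINUTES = 60   # "Validity Period of MAC Address" configured in Step 9

# Account configured on the RADIUS server (checked with test-aaa in Step 5).
CREDENTIALS = {"test": "Example@123"}

# Destinations reachable before authentication: the Agile Controller (Portal and
# RADIUS server, 10.23.2.30) and the DNS server from free-rule 1 (10.23.3.1).
FREE_RULES = [ip_network("10.23.2.30/32"), ip_network("10.23.3.1/32")]


@dataclass
class RadiusServer:
    """RADIUS server side: password check plus the MAC address cache."""
    mac_cache: dict = field(default_factory=dict)  # MAC (no hyphens) -> expiry minute

    def mac_auth(self, mac: str, now: int) -> bool:
        """MAC address authentication succeeds only while the cached entry is valid."""
        expiry = self.mac_cache.get(mac)
        return expiry is not None and now <= expiry

    def portal_auth(self, user: str, password: str, mac: str, now: int) -> bool:
        """Portal (user name/password) authentication; caches the MAC on success."""
        if CREDENTIALS.get(user) != password:
            return False
        self.mac_cache[mac] = now + VALIDITY_MINUTES
        return True


@dataclass
class AccessDevice:
    """The AC: tries MAC authentication first, then falls back to the Portal page."""
    radius: RadiusServer
    online: set = field(default_factory=set)

    def pre_auth_allowed(self, dst_ip: str) -> bool:
        """Traffic an unauthenticated STA may send (authentication-free rules)."""
        return any(ip_address(dst_ip) in net for net in FREE_RULES)

    def connect(self, mac: str, now: int, creds=None) -> str:
        """Return 'mac-auth' (silent), 'portal-auth' (credentials accepted) or
        'portal-page' (the Portal page is pushed: no or wrong credentials)."""
        # MAC access profile m1: the MAC without hyphens is user name and password.
        mac_id = mac.replace("-", "").lower()
        if self.radius.mac_auth(mac_id, now):
            self.online.add(mac)
            return "mac-auth"
        if creds is None:
            return "portal-page"
        user, password = creds
        if self.radius.portal_auth(user, password, mac_id, now):
            self.online.add(mac)
            return "portal-auth"
        return "portal-page"

    def disconnect(self, mac: str) -> None:
        self.online.discard(mac)


def reconnect_result(minutes_later: int, mac: str = "00e0-fc12-0001") -> str:
    """Step 10 scenario: Portal-authenticate at t=0, disconnect, reconnect later
    without credentials, and report how the second connection is handled.
    The STA MAC is a constructed value."""
    ac = AccessDevice(RadiusServer())
    assert ac.connect(mac, 0, ("test", "Example@123")) == "portal-auth"
    ac.disconnect(mac)
    return ac.connect(mac, minutes_later)


if __name__ == "__main__":
    print("5 min later :", reconnect_result(5))    # mac-auth
    print("65 min later:", reconnect_result(65))   # portal-page
```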

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
return

● AC configuration file
#
sysname AC
#
vlan batch 100 101
#
authentication-profile name p1
mac-access-profile m1
portal-access-profile web1
free-rule-template default_free_rule
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
radius-server template rd1
radius-server shared-key cipher %^%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%^%#
radius-server authentication 10.23.2.30 1812 weight 80
#
free-rule-template name default_free_rule
free-rule 1 destination ip 10.23.3.1 mask 255.255.255.255
#
web-auth-server abc
server-ip 10.23.2.30
port 50200
shared-key cipher %^%#CR@WPM9Q30%]A}9]g4hUqe1u~4Fz}PlU)QPL;73#%^%#
url http://10.23.2.30:8080/webagent
#
portal-access-profile name web1
web-auth-server abc direct
#
aaa
authentication-scheme abc
authentication-mode radius
domain huawei.com
authentication-scheme abc
radius-server rd1
#
interface Vlanif100
ip address 10.23.1.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.2.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101
#
wlan
security-profile name wlan-security
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
authentication-profile p1
regulatory-domain-profile name domain1
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
vap-profile wlan-vap wlan 1
radio 1
vap-profile wlan-vap wlan 1
ap-id 0 type-id 0 ap-mac 00e0-fc12-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
#
mac-access-profile name m1
#
return

3.12.11 Configuring Radio Calibration

3.12.11.1 Example for Configuring Radio Calibration

Radio Calibration Overview
Radio calibration can dynamically adjust channels and power of APs managed by
the same AC to ensure that the APs work optimally. On a WLAN, the operating
status of APs is affected by the radio environment. For example, signal
interference occurs if adjacent APs managed by the same AC work on overlapping
channels or an AP has high power. In this case, you can configure radio calibration
on the AC.
Typical application scenarios of radio calibration are as follows:
● During AP deployment, configure radio calibration to enable APs to
automatically select the optimal channels.
● When new APs are added to a network or the network environment changes,
configure radio calibration so that APs can adjust channels and power at
scheduled time to work optimally.

Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● For details about radio configuration notes, see 3.12.1.4 Radio Configuration
Suggestion.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
● In this example, the security policy is WPA2-PSK-AES. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
Service packets and management packets can be forwarded normally
only if the network between APs and upper-layer network is added to the
service VLAN and the network between the AC and APs is added to the
management VLAN.
● When configuring radio calibration, set the channel mode and power mode of
an AP that needs radio calibration to auto.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.

● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.
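A check for the management/service VLAN rule stated in the Configuration Notes of 3.12.10 and 3.12.11, as an added Python example that is not Huawei code: it parses the configuration-file layout shown on this page and flags VAP profiles whose service VLANs include the management VLAN. The sample configuration is constructed from the page's AC settings, with two deliberately wrong VAP profiles added to show both severities.

```python
"""Added example (not Huawei's code): a lint for the rule that in tunnel
forwarding mode the management VLAN and the service VLAN must differ (reusing
one VLAN for both is also not advised in direct forwarding mode). It reads the
configuration-file layout shown on this page: '#' separates sections, 'vlan pool'
blocks list VLANs, 'vap-profile name' blocks under 'wlan' carry forward-mode and
service-vlan, and the management VLAN is the VLANIF of the CAPWAP source
interface."""
import re

# Constructed sample: the relevant lines of the page's AC configuration, plus two
# deliberately wrong VAP profiles that reuse the management VLAN 100.
SAMPLE_CONFIG = """\
#
sysname AC
#
vlan batch 100 to 102
#
vlan pool sta-pool
 vlan 101 to 102
#
capwap source interface vlanif100
#
wlan
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-pool sta-pool
 vap-profile name bad-vap
  forward-mode tunnel
  service-vlan vlan-id 100
 vap-profile name direct-vap
  forward-mode direct-forward
  service-vlan vlan-id 100
#
return
"""


def parse_vlan_ids(tokens):
    """Expand a VRP VLAN list such as ['101', 'to', '102', '105'] into a set."""
    ids, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            ids.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            ids.add(int(tokens[i]))
            i += 1
    return ids


def parse_config(text):
    """Return (management VLAN, {pool name: VLAN set}, {VAP name: settings})."""
    mgmt_vlan, pools, vaps = None, {}, {}
    cur_pool = cur_vap = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":                      # section separator ends any block
            cur_pool = cur_vap = None
            continue
        t = line.split()
        if not t:
            continue
        if t[:2] == ["vlan", "pool"] and len(t) == 3:
            cur_pool = t[2]
            pools[cur_pool] = set()
            continue
        if t[0] == "vlan" and cur_pool:      # 'vlan 101 to 102' inside the pool
            pools[cur_pool] |= parse_vlan_ids(t[1:])
            continue
        m = re.match(r"capwap source interface vlanif\s*(\d+)$", line, re.I)
        if m:
            mgmt_vlan = int(m.group(1))
            continue
        if len(t) > 2 and t[1] == "name":    # a new profile block starts
            cur_vap = t[2] if t[0] == "vap-profile" else None
            if cur_vap:
                vaps[cur_vap] = {"mode": None, "vlan_id": None, "pool": None}
            continue
        if cur_vap and t[0] == "forward-mode":
            vaps[cur_vap]["mode"] = t[1]
        elif cur_vap and t[0] == "service-vlan" and len(t) == 3:
            if t[1] == "vlan-id":
                vaps[cur_vap]["vlan_id"] = int(t[2])
            else:                            # service-vlan vlan-pool <name>
                vaps[cur_vap]["pool"] = t[2]
    return mgmt_vlan, pools, vaps


def check_vlan_separation(text):
    """List (VAP name, severity, message) for VAPs whose service VLANs include
    the management VLAN: 'error' for tunnel forwarding, 'warning' otherwise."""
    mgmt_vlan, pools, vaps = parse_config(text)
    findings = []
    for name, vap in vaps.items():
        if vap["vlan_id"] is not None:
            service = {vap["vlan_id"]}
        else:
            service = pools.get(vap["pool"], set())
        if mgmt_vlan is None or mgmt_vlan not in service:
            continue
        severity = "error" if vap["mode"] == "tunnel" else "warning"
        findings.append((name, severity,
                         f"service VLANs {sorted(service)} include management VLAN {mgmt_vlan}"))
    return findings


if __name__ == "__main__":
    for name, severity, msg in check_vlan_separation(SAMPLE_CONFIG):
        print(f"{severity}: vap-profile {name}: {msg}")
```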

Networking Requirements
As shown in Figure 3-169, a large number of APs are deployed in an office
building. The APs connect to the AC through Switch_A to provide wireless services
for users.

Manually configuring radio parameters (such as the channel) for the APs one by
one would be time-consuming. To simplify network deployment, the IT
department requires that the AC automatically allocate channels to the APs based
on radio environments.

The following uses an AC running V200R009C00 as an example. The key
configurations vary in different versions. For details, see the Command Reference
in the actual version.

Figure 3-169 Networking diagram for configuring radio calibration

Data Planning

Table 3-89 Data required for completing the configuration

DHCP server: The AC functions as a DHCP server to assign IP addresses to APs
and STAs.

IP address pool for the APs: 10.23.100.2-10.23.100.254/24

IP address pool for STAs: 10.23.101.2-10.23.101.254/24

IP address of the AC's source interface: VLANIF 100: 10.23.100.1/24

AP group:
● Name: ap-group1
● Referenced profiles: VAP profile wlan-vap, regulatory domain profile domain1,
5G radio profile radio5g, and 2G radio profile radio2g

Regulatory domain profile:
● Name: domain1
● Country code: CN

SSID profile:
● Name: wlan-ssid
● SSID name: wlan-net

Security profile:
● Name: wlan-security
● Security policy: WPA2+PSK+AES
● Password: YsHsjx_202206

VAP profile:
● Name: wlan-vap
● Forwarding mode: tunnel forwarding
● Service VLAN: VLANs in the VLAN pool
● Referenced profiles: SSID profile wlan-ssid and security profile wlan-security

5G radio profile:
● Name: radio5g
● Referenced profiles: RRM profile wlan-net and air scan profile wlan-airscan

2G radio profile:
● Name: radio2g
● Referenced profiles: RRM profile wlan-net and air scan profile wlan-airscan

RRM profile: Name: wlan-net

Air scan profile:
● Name: wlan-airscan
● Air scan channel set: all channels supported by the corresponding country code
of an AP
● Air scan interval: 80000 ms
● Air scan duration: 80 ms

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the APs, AC, and upper-layer devices to communicate with each
other.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the service VLAN (VLAN 101).
4. Configure the APs to go online.
a. Create an AP group to allow for the unified configuration of multiple APs.
b. Configure AC system parameters, including the country code and source
interface used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to
allow the APs to go online.
5. Configure WLAN service parameters for STAs to access the WLAN.
6. Configure radio calibration so that the AC can automatically allocate the
optimal working channels to the APs.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the APs and AC to transmit CAPWAP packets.
# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA to VLAN 100 (management
VLAN).
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] stp edged-port enable
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] stp edged-port enable
[SwitchA-GigabitEthernet0/0/2] port-isolate enable
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/3] stp edged-port enable
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE0/0/4 that connects SwitchA to the AC to VLAN 100.
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/4] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/4] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 101
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.

NOTE
Configure AC uplink interfaces to transparently transmit service VLAN packets as required
and communicate with the upstream device.

# Add AC uplink interface GE1/0/2 to service VLAN 101.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 101
[AC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC as a DHCP server to allocate IP addresses to the APs and STAs.
# Configure the AC as the DHCP server to allocate IP addresses to the APs from
the IP address pool on VLANIF 100, and to STAs from the IP address pool on
VLANIF 101.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[AC] dhcp enable //Enable the DHCP function.
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 4 Configure the APs to go online.

# Create an AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import APs offline on the WLAN AC and add APs area_1 and area_2 to AP
group ap-group1. Configure a name for the AP based on the AP's deployment
location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in area 1.
NOTE
The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command. A MAC address is easy
to forge, so this whitelist keeps unknown devices off the AC but does not prove that a device is
the AP it claims to be; the AC also records each AP's serial number (ap-sn in the configuration
file below), and ap auth-mode sn-auth whitelists by serial number instead. In either case, keep
the AP-facing switch ports restricted to the management VLAN with port isolation, as in Step 1.
Each AP used in this example has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 00e0-fc74-9640
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# Power on the APs and run the display ap all command to check the AP state. If
the State field is nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
---------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
---------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 ap-group1 10.23.100.253 AP5030DN nor 0 5M:2S
1 00e0-fc74-9640 area_2 ap-group1 10.23.100.254 AP5030DN nor 0 5M:4S
---------------------------------------------------------------------------------------
Total: 2

Step 5 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.

NOTE
In this example, the security policy is set to WPA2+PSK+AES and the password to YsHsjx_202206. In
actual situations, the security policy must be configured according to service requirements. Note
that a pre-shared key is shared by every STA on the SSID: any STA that knows it and captures
another STA's four-way handshake can derive that STA's session key. Where users must not be able
to read each other's traffic, use an 802.1X-based policy (security wpa2 dot1x aes) with per-user
credentials instead.

[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase YsHsjx_202206 aes //Configure security
policy WPA2+PSK+AES.
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID
is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure radio calibration.

# Create the RRM profile wlan-net and enable automatic channel selection and
automatic transmit power selection in the RRM profile. By default, automatic
channel selection and automatic transmit power selection are enabled.
[AC-wlan-view] rrm-profile name wlan-net
[AC-wlan-rrm-prof-wlan-net] undo calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-net] undo calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-net] quit

NOTE

In V200R012 and later versions, the commands for configuring the channel selection and
transmit power selection modes are executed in the AP group radio view or AP radio view
instead of in the RRM profile view. For example, run the following commands to set the
channel and transmit power selection modes of radio 0 of APs in AP group 1 to automatic:
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] undo calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit
In V200R019C00 and later versions, the format of commands for configuring the channel
and transmit power selection modes is changed as follows:
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] calibrate auto-channel-select enable
[AC-wlan-group-radio-ap-group1/0] calibrate auto-txpower-select enable
[AC-wlan-group-radio-ap-group1/0] quit

# Create the air scan profile wlan-airscan and configure the scan channel set,
scan interval, and scan duration. By default, an air scan channel set contains all
channels supported by the corresponding country code of an AP.
[AC-wlan-view] air-scan-profile name wlan-airscan
[AC-wlan-air-scan-prof-wlan-airscan] scan-channel-set country-channel
[AC-wlan-air-scan-prof-wlan-airscan] scan-period 80
[AC-wlan-air-scan-prof-wlan-airscan] scan-interval 80000
[AC-wlan-air-scan-prof-wlan-airscan] quit

# Create the 2G radio profile radio2g and bind the RRM profile wlan-net and air
scan profile wlan-airscan to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile wlan-net
[AC-wlan-radio-2g-prof-radio2g] air-scan-profile wlan-airscan
[AC-wlan-radio-2g-prof-radio2g] quit

# Create the 5G radio profile radio5g and bind the RRM profile wlan-net and air
scan profile wlan-airscan to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name radio5g
[AC-wlan-radio-5g-prof-radio5g] rrm-profile wlan-net
[AC-wlan-radio-5g-prof-radio5g] air-scan-profile wlan-airscan
[AC-wlan-radio-5g-prof-radio5g] quit

# Bind the 5G radio profile radio5g and 2G radio profile radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio5g //In V200R010C00 and later versions, you need to
specify the radio ID using the radio-5g-profile radio5g radio 1 command.
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g //In V200R010C00 and later versions, you need to
specify the radio ID using the radio-2g-profile radio2g radio 0 command.
[AC-wlan-ap-group-ap-group1] quit

# Set the radio calibration mode to scheduled and configure the AC to start radio
calibration at 03:00 every day.
[AC-wlan-view] calibrate enable schedule time 03:00:00

Step 7 Commit the configuration.
[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 8 Verify the configuration.

● Connect STAs to the WLAN with SSID wlan-net and enter the password
YsHsjx_202206. Run the display station ssid wlan-net command on the AC.
The command output shows that the STAs are connected to the WLAN wlan-
net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
----------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
----------------------------------------------------------------------------------------
00e0-fc00-0001 0 area_1 0/1 2.4G 11n 65/38 -29 101 10.23.101.253
00e0-fc00-0002 1 area_2 0/1 2.4G 11n 78/43 -33 101 10.23.101.254
----------------------------------------------------------------------------------------
Total: 2 2.4G: 2 5G: 0

● Run the display radio all command on the AC to check the radio calibration
results.
[AC-wlan-view] display radio all
CH/BW:Channel/Bandwidth
CE:Current EIRP (dBm)
ME:Max EIRP (dBm)
CU:Channel utilization
ST:Status
----------------------------------------------------------------------
AP ID Name RfID Band Type ST CH/BW CE/ME STA CU
----------------------------------------------------------------------
1 area_2 0 2.4G bgn on 1/20M 28/28 1 10%
1 area_2 1 5G an on 149/20M 29/29 0 15%
0 area_1 0 2.4G bgn on 6/20M 28/28 1 15%
0 area_1 1 5G an on 153/20M 29/29 0 49%
----------------------------------------------------------------------
Total:4

● Radio calibration completes about half an hour after it is manually triggered.
After that, you can perform either of the following configurations (they are not
included in the configuration file below):
– (Recommended) Set the radio calibration mode to scheduled and configure
the APs to perform radio calibration in off-peak hours, for example,
between 00:00 and 06:00.
[AC-wlan-view] calibrate enable schedule time 03:00:00
[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

– Manually fix the working channels of APs: disable automatic channel
selection and automatic transmit power selection in the RRM profile.
Manually trigger radio calibration when new APs are added to the
network.
[AC-wlan-view] rrm-profile name wlan-net
[AC-wlan-rrm-prof-wlan-net] calibrate auto-channel-select disable
[AC-wlan-rrm-prof-wlan-net] calibrate auto-txpower-select disable
[AC-wlan-rrm-prof-wlan-net] quit
[AC-wlan-view] calibrate enable manual
[AC-wlan-view] calibrate manual startup
[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

NOTE

In V200R012 and later versions, the commands for configuring the channel
selection and transmit power selection modes are executed in the AP group radio
view or AP radio view instead of in the RRM profile view. For example, run the
following commands to set the channel and transmit power selection modes of
radio 0 of APs in AP group 1 to fixed:
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio 0
[AC-wlan-group-radio-ap-group1/0] calibrate auto-channel-select disable
[AC-wlan-group-radio-ap-group1/0] calibrate auto-txpower-select disable
[AC-wlan-group-radio-ap-group1/0] quit

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface gigabitethernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface gigabitethernet0/0/2
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface gigabitethernet0/0/3
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface gigabitethernet0/0/4
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
undo port trunk allow-pass vlan 1
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101
#
capwap source interface vlanif100
#
wlan
calibrate enable schedule time 03:00:00
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
air-scan-profile name wlan-airscan
scan-period 80
scan-interval 80000
rrm-profile name wlan-net
radio-2g-profile name radio2g
rrm-profile wlan-net
air-scan-profile wlan-airscan
radio-5g-profile name radio5g
rrm-profile wlan-net
air-scan-profile wlan-airscan
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio2g
radio-5g-profile radio5g
vap-profile wlan-vap wlan 1
radio 1
radio-5g-profile radio5g
vap-profile wlan-vap wlan 1
ap-id 0 type-id 35 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 00e0-fc74-9640 ap-sn 210235554710CB000078
ap-name area_2
ap-group ap-group1
#
return
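The switch and AC configuration files above carry the settings that keep APs and STAs apart at Layer 2 and keep the CAPWAP management VLAN separate from the service VLAN. The following Python script is an added example, not Huawei code or a Huawei tool: it parses configuration-file text in the format shown above and reports AP-facing ports that lack port isolation or still allow VLAN 1, security profiles without a security policy, and VAP profiles in tunnel forwarding mode whose service VLAN is the management VLAN. The two configurations embedded in it are constructed for the demonstration: the switch sample is the SwitchA file above with two settings deliberately removed, and the AC sample uses the hypothetical profile names guest-open and guest-vap.

```python
"""Audit the Layer 2 hygiene this WLAN example relies on (added example, not
Huawei code): port isolation and VLAN 1 on AP-facing ports, open security
profiles, and tunnel-mode VAPs whose service VLAN is the management VLAN."""
import re

# Constructed sample: the SwitchA file above, with port-isolate deliberately
# dropped on GE0/0/2 and VLAN 1 deliberately left allowed on GE0/0/3.
SWITCH_CONFIG = """\
#
vlan batch 100
#
interface GigabitEthernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
interface GigabitEthernet0/0/2
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk pvid vlan 100
 port trunk allow-pass vlan 100
 port-isolate enable group 1
#
return
"""

# Constructed sample: the WLAN part of an AC file. guest-open and guest-vap are
# hypothetical profiles; wlan-vap's service VLAN is set to 100 on purpose.
AC_CONFIG = """\
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#ciphertext%^%# aes
 security-profile name guest-open
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 100
  security-profile wlan-security
 vap-profile name guest-vap
  forward-mode direct-forward
  service-vlan vlan-id 101
  security-profile guest-open
#
return
"""


def interface_blocks(config):
    """Yield (interface name, [commands]) for each interface stanza."""
    for block in re.split(r"^#[ \t]*$", config, flags=re.M):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        if lines and lines[0].lower().startswith("interface "):
            yield lines[0].split(None, 1)[1], lines[1:]


def audit_ap_ports(config, mgmt_vlan):
    """APs send CAPWAP untagged, so an AP-facing trunk is one whose PVID is the
    management VLAN. Each must isolate APs from one another and drop VLAN 1."""
    findings = []
    for name, cmds in interface_blocks(config):
        if f"port trunk pvid vlan {mgmt_vlan}" not in cmds:
            continue  # uplink or unrelated port
        if not any(c.startswith("port-isolate enable") for c in cmds):
            findings.append(f"{name}: no port-isolate, APs (and their STAs in "
                            "direct forwarding) can reach each other at Layer 2")
        if "undo port trunk allow-pass vlan 1" not in cmds:  # VRP default: allowed
            findings.append(f"{name}: VLAN 1 is still allowed on the trunk")
    return findings


def audit_ac_wlan(config):
    """Check security profiles and the management/service VLAN split."""
    m = re.search(r"^\s*capwap source interface vlanif\s*(\d+)", config, re.M)
    mgmt_vlan = int(m.group(1)) if m else None
    profiles, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        m = re.match(r"(security-profile|vap-profile) name (\S+)$", line)
        if m:
            current = profiles.setdefault((m.group(1), m.group(2)), {})
        elif re.match(r"\S+-profile name |ap-group name |ap-id ", line):
            current = None  # another profile type or an AP stanza
        elif current is None:
            continue
        elif line.startswith("forward-mode "):
            current["forward"] = line.split()[1]
        elif line.startswith("service-vlan vlan-id "):
            current["svlan"] = int(line.split()[-1])
        elif line.startswith("security "):
            current["policy"] = line.split()[1]
    findings = []
    for (kind, name), s in profiles.items():
        if kind == "security-profile":
            if "policy" not in s:
                findings.append(f"security-profile {name}: no security policy, SSID is open")
        elif s.get("forward") == "tunnel" and s.get("svlan") == mgmt_vlan:
            findings.append(f"vap-profile {name}: tunnel forwarding with service VLAN "
                            f"{s['svlan']} equal to management VLAN {mgmt_vlan}")
    return findings
```

Run it against the text of display current-configuration saved from each device. The script treats a trunk whose PVID is the management VLAN as AP-facing because APs send CAPWAP untagged; adapt that rule if the APs on your network are tagged.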

3.12.11.2 Example for Configuring Static Load Balancing

Static Load Balancing Overview
Load balancing can evenly distribute AP traffic loads to ensure sufficient
bandwidth for each STA and to prevent a heavy load on a single AP. In static load
balancing, APs are manually added to a load balancing group. When a STA wants
to connect to an AP in this load balancing group, the AC uses a load balancing
algorithm to determine whether to allow the STA to connect to the AP. If the
connection is not allowed, the STA connects to a different AP with a lighter load.
Static load balancing can be used in scenarios such as conference rooms. For
example, if two APs are deployed in a conference room, you can add the two APs
to a load balancing group to prevent heavy load on a single AP.

Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● AP load balancing is not recommended.
After AP load balancing is configured, APs in the load balancing group
forward received Probe packets to the AC. The AC then determines the APs
from which STAs can access the WLAN. Too many Probe packets may degrade
AC performance. Therefore, it is recommended that the AP load balancing
function be disabled, unless otherwise required.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
● In this example, the security policy is WPA2-PSK-AES. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
Service packets and management packets can be forwarded normally
only if the network between APs and upper-layer network is added to the
service VLAN and the network between the AC and APs is added to the
management VLAN.
● Each load balancing group supports a maximum of three APs.
● A load balancing group is a set of radios, and each radio can join only one
load balancing group. If dual-band APs are used, traffic is load balanced
among APs working on the same frequency band. That is, a dual-band AP can
join two load balancing groups.
● All APs in a load balancing group work on the same frequency band (2.4 GHz
or 5 GHz). AP radios in a load balancing group must have different channels
configured and work on different channels.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.
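The group rules in the notes above (at most three APs per group, one frequency band per group, radios on different channels, each radio in only one group) can be checked against the display radio all output before a group is configured on the AC. The following Python script is an added example and not Huawei code: it parses a display radio all table in the format shown in the radio calibration example and validates a planned group layout against those rules. The table embedded in it is constructed for the demonstration; AP area_3 and the group names are hypothetical.

```python
"""Validate a planned static load balancing layout against the rules in the
configuration notes (added example, not Huawei code)."""
import re
from collections import Counter

# Constructed sample modelled on the display radio all output in the radio
# calibration example; area_3 is a hypothetical third AP.
DISPLAY_RADIO_ALL = """\
CH/BW:Channel/Bandwidth
CE:Current EIRP (dBm)
ME:Max EIRP (dBm)
CU:Channel utilization
ST:Status
----------------------------------------------------------------------
AP ID Name    RfID Band Type ST CH/BW   CE/ME STA CU
----------------------------------------------------------------------
1     area_2  0    2.4G bgn  on 1/20M   28/28 1   10%
1     area_2  1    5G   an   on 149/20M 29/29 0   15%
0     area_1  0    2.4G bgn  on 6/20M   28/28 1   15%
0     area_1  1    5G   an   on 153/20M 29/29 0   49%
2     area_3  0    2.4G bgn  on 6/20M   28/28 0   5%
2     area_3  1    5G   an   on 149/20M 29/29 0   8%
----------------------------------------------------------------------
Total:6
"""

# AP ID, name, radio ID, band, type, status, channel/bandwidth
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+(\d+)\s+(\S+)\s+\S+\s+(\S+)\s+(\d+)/(\d+)M")


def parse_radios(text):
    """Map (AP name, radio ID) to band, status and current channel."""
    radios = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            radios[(m.group(2), int(m.group(3)))] = {
                "band": m.group(4), "status": m.group(5), "channel": int(m.group(6))}
    return radios


def validate_groups(groups, radios, max_aps=3):
    """groups: {group name: [(AP name, radio ID), ...]}.
    Returns the list of rule violations; an empty list means the plan is valid."""
    problems = []
    membership = Counter()
    for gname, members in groups.items():
        membership.update(members)
        unknown = [m for m in members if m not in radios]
        if unknown:
            problems.append(f"{gname}: radios not in display radio all: {unknown}")
            continue
        aps = {ap for ap, _ in members}
        if len(aps) > max_aps:
            problems.append(f"{gname}: {len(aps)} APs, maximum is {max_aps}")
        bands = {radios[m]["band"] for m in members}
        if len(bands) > 1:
            problems.append(f"{gname}: mixed bands {sorted(bands)}, a group is single-band")
        dup = [ch for ch, n in Counter(radios[m]["channel"] for m in members).items() if n > 1]
        if dup:
            problems.append(f"{gname}: radios share channel(s) {dup}, they must differ")
    for m, n in membership.items():
        if n > 1:
            problems.append(f"radio {m} is in {n} groups, a radio may join only one")
    return problems


# A conference-room plan that follows the notes: one group per band.
CONFERENCE_ROOM = {
    "wlan-static-2g": [("area_1", 0), ("area_2", 0)],
    "wlan-static-5g": [("area_1", 1), ("area_2", 1)],
}
# A plan that breaks three rules at once.
BAD_PLAN = {
    "g1": [("area_1", 0), ("area_3", 0)],  # both radios on channel 6
    "g2": [("area_1", 0), ("area_2", 1)],  # 2.4G with 5G, and area_1/0 again
}

if __name__ == "__main__":
    radios = parse_radios(DISPLAY_RADIO_ALL)
    for plan in (CONFERENCE_ROOM, BAD_PLAN):
        print(validate_groups(plan, radios) or "OK")
```

Because the channel check uses the channels the radios currently hold, run it after radio calibration has finished (or after channels have been fixed manually); a valid result today can become invalid if automatic channel selection later moves two group members onto the same channel.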

Networking Requirements
As shown in Figure 3-170, the AC connects to the upper layer network and
manages the APs through the access and aggregation switches.

AP area_1 and AP area_2 are deployed in the same conference room. Traffic must
be balanced on AP radios to prevent one AP radio from being heavily loaded.

The following uses an AC running V200R009C00 as an example. The key
configurations vary in different versions. For details, see the Command Reference
in the actual version.

Figure 3-170 Networking diagram for configuring static load balancing

Data Planning

Table 3-90 Data required for completing the configuration

Item                          Data
DHCP server                   The AC functions as the DHCP server to assign IP addresses to the
                              APs and STAs.
IP address pool for the APs   10.23.100.2-10.23.100.254/24
IP address pool for the STAs  10.23.101.2-10.23.101.254/24
IP address of the AC's        VLANIF 100: 10.23.100.1/24
source interface
AP group                      ● Name: ap-group1
                              ● Referenced profiles: VAP profile wlan-vap and regulatory
                                domain profile domain1
Regulatory domain profile     ● Name: domain1
                              ● Country code: CN
SSID profile                  ● Name: wlan-ssid
                              ● SSID name: wlan-net
Security profile              ● Name: wlan-security
                              ● Security policy: WPA2+PSK+AES
                              ● Password: YsHsjx_202206
VAP profile                   ● Name: wlan-vap
                              ● Forwarding mode: tunnel forwarding
                              ● Service VLAN: VLAN 101
                              ● Referenced profiles: SSID profile wlan-ssid and security profile
                                wlan-security
Static load balancing group   ● Name: wlan-static
                              ● Start threshold for load balancing (based on the number of
                                users): 15
                              ● Load difference threshold for load balancing: 25%

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the APs, AC, and upper-layer devices to communicate with each
other.
2. Configure the AC as a DHCP server to assign IP addresses to APs and STAs.
3. Configure the service VLAN (VLAN 101).
4. Configure the APs to go online.
a. Create an AP group and add APs that require the same configuration to
the group for unified configuration.
b. Configure AC system parameters, including the country code and source
interface used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to
allow the APs to go online.
5. Configure WLAN service parameters for STAs to access the WLAN.
6. Configure static load balancing to prevent one AP from being heavily loaded.

NOTE

During AP deployment, you can manually specify the working channels of the APs according to
network planning or configure the radio calibration function to enable the APs to automatically
select the optimal channels. This example configures the radio calibration function.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the APs and AC to transmit CAPWAP packets.
# Add GE0/0/1 to GE0/0/3 on SwitchA to the management VLAN 100. GE0/0/1 and
GE0/0/3 face the APs; GE0/0/2 connects to the AC.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] stp edged-port enable
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/3] stp edged-port enable
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-GigabitEthernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.

# Configure VLANIF 101 (service VLAN) and VLANIF 102 (the VLAN towards the Router).
[AC] vlan batch 101 102
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit

# Configure a default route on the AC.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.102.1 //Configure a default route destined for the Router.

# Add GE1/0/2 that connects the AC to the Router to VLAN 102.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC to assign IP addresses to the APs and configure the Router to
assign IP addresses to STAs.

# Configure the AC to assign IP addresses to the APs from an interface IP address
pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent on VLANIF 101 so that STA DHCP requests
are forwarded to the DHCP server on the Router.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.23.102.1 //Set the DHCP server address for DHCP relay to
10.23.102.1, which resides on Router.
[AC-Vlanif101] quit

# Configure the Router as a DHCP server to assign IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta //Configure the address pool to assign IP addresses to STAs.
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24
[Router-Vlanif102] dhcp select global //Configure a global address pool.
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] undo port trunk allow-pass vlan 1
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.102.2 //Configure a route on the Router destined for the network segment 10.23.101.0/24.

Step 4 Configure the APs to go online.

# Create an AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import APs offline on the WLAN AC and add APs area_1 and area_2 to AP
group ap-group1. Configure a name for the AP based on the AP's deployment
location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
Each AP used in this example has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 00e0-fc74-9640
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# Power on the APs and run the display ap all command to check the AP state. If
the State field is nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
---------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
---------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 ap-group1 10.23.101.253 AP5030DN nor 0 5M:2S
1 00e0-fc74-9640 area_2 ap-group1 10.23.101.254 AP5030DN nor 0 5M:4S
---------------------------------------------------------------------------------------
Total: 2

Step 5 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to YsHsjx_202206. In
actual situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase YsHsjx_202206 aes //Configure security policy WPA2+PSK+AES.
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure static load balancing.

# Create the static load balancing group and set the start threshold for static load
balancing to 15 and the load difference threshold to 25%.
[AC-wlan-view] sta-load-balance static-group name wlan-static //Create load balancing group wlan-static.
[AC-wlan-sta-lb-static-wlan-static] start-threshold 15 //Set the start threshold for load balancing (based on the number of users) to 15. The default value is 10.
[AC-wlan-sta-lb-static-wlan-static] gap-threshold 25 //Set the load difference threshold for load balancing (based on the number of users) to 25%. The default value is 20%.

NOTE

From V200R011C00 to V200R019C00, the device supports static load balancing based on
channel usage. Configure static load balancing based on the number of users as follows:
[AC-wlan-view] sta-load-balance static-group name wlan-static
[AC-wlan-sta-lb-static-wlan-static] mode sta-number //Configure static load balancing based on the number of users. By default, static load balancing based on the number of users is used.
[AC-wlan-sta-lb-static-wlan-static] sta-number start-threshold 15
[AC-wlan-sta-lb-static-wlan-static] sta-number gap-threshold 25 //In V200R011C10 and later versions, the format is changed to sta-number gap-threshold percentage 25.
In V200R019C10 and later versions, the device does not support static load balancing based
on channel usage. Configure static load balancing based on the number of users as follows:
[AC-wlan-view] sta-load-balance static-group name wlan-static
[AC-wlan-sta-lb-static-wlan-static] sta-number start-threshold 15
[AC-wlan-sta-lb-static-wlan-static] sta-number gap-threshold percentage 25

# Add AP area_1 and AP area_2 to the static load balancing group.
[AC-wlan-sta-lb-static-wlan-static] member ap-name area_1 //Add AP area_1 to load balancing group wlan-static.
[AC-wlan-sta-lb-static-wlan-static] member ap-name area_2
[AC-wlan-sta-lb-static-wlan-static] quit

Step 7 Commit the configuration.
[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 8 Verify the configuration.
● Connect STAs to the WLAN with SSID wlan-net and enter the password
YsHsjx_202206. Run the display station ssid wlan-net command on the AC.
The command output shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-------------------------------------------------------------------------------------
00e0-fc00-0001 0 area_1 0/1 2.4G 11n 65/38 -29 101 10.23.101.253
00e0-fc00-0002 1 area_2 0/1 2.4G 11n 78/43 -33 101 10.23.101.254
-------------------------------------------------------------------------------------
Total: 2 2.4G: 2 5G: 0

● Run the display sta-load-balance static-group name wlan-static command
on the AC to check the static load balancing configuration.
[AC-wlan-view] display sta-load-balance static-group name wlan-static
------------------------------------------------------------
Group name : wlan-static
Load-balance status : balance
Start threshold : 15
Gap threshold(%) : 25
Deny threshold :3
------------------------------------------------------------
RfID: Radio ID
CurEIRP: Current EIRP (dBm)
Act CH: Actual channel, Cfg CH: Config channel
------------------------------------------------------------
AP ID AP Name RfID Act CH/Cfg CH CurEIRP/MaxEIRP Client
------------------------------------------------------------
0 area_1 0 6/- 20/28 1
0 area_1 1 153/- 29/29 0
1 area_2 0 1/- 20/28 1
1 area_2 1 149/- 29/29 0
------------------------------------------------------------
Total: 4

● When a new STA requests to connect to AP area_1, the AC uses a static load
balancing algorithm to redirect the STA to a lightly loaded AP in the same
load balancing group.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface gigabitethernet0/0/1
 port link-type trunk
 port trunk pvid vlan 100
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
 stp edged-port enable
 port-isolate enable group 1
#
interface gigabitethernet0/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/3
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
 stp edged-port enable
 port-isolate enable group 1
#
return
● Router configuration file
#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
 gateway-list 10.23.101.1
 network 10.23.101.0 mask 255.255.255.0
#
interface Vlanif102
 ip address 10.23.102.1 255.255.255.0
 dhcp select global
#
interface GigabitEthernet2/0/0
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 102
#
ip route-static 10.23.101.0 255.255.255.0 10.23.102.2
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
 ip address 10.23.100.1 255.255.255.0
 dhcp select interface
#
interface Vlanif101
 ip address 10.23.101.1 255.255.255.0
 dhcp select relay
 dhcp relay server-ip 10.23.102.1
#
interface Vlanif102
 ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 102
#
ip route-static 0.0.0.0 0.0.0.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
 security-profile name wlan-security
  security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
 ssid-profile name wlan-ssid
  ssid wlan-net
 vap-profile name wlan-vap
  forward-mode tunnel
  service-vlan vlan-id 101
  ssid-profile wlan-ssid
  security-profile wlan-security
 sta-load-balance static-group name wlan-static
  gap-threshold 25
  member ap-name area_1 radio 0
  member ap-name area_1 radio 1
  member ap-name area_2 radio 0
  member ap-name area_2 radio 1
  start-threshold 15
 regulatory-domain-profile name domain1
 ap-group name ap-group1
  regulatory-domain-profile domain1
  vap-profile wlan-vap wlan 1
  radio 0
   vap-profile wlan-vap wlan 1
  radio 1
   vap-profile wlan-vap wlan 1
 ap-id 0 type-id 35 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042
  ap-name area_1
  ap-group ap-group1
 ap-id 1 type-id 35 ap-mac 00e0-fc74-9640 ap-sn 210235554710CB000078
  ap-name area_2
  ap-group ap-group1
#
return

3.12.11.3 Example for Configuring Dynamic Load Balancing

Dynamic Load Balancing Overview

Load balancing can evenly distribute AP traffic loads to ensure sufficient
bandwidth for each STA. When a STA joins the network, the AC adds the APs that
report the STA to a load balancing group, and then uses a load balancing
algorithm to determine whether to allow access from the STA.
Dynamic load balancing applies to high-density wireless environments, such as
stadiums and stations.
Static load balancing supports a limited number of group members, and all
members must be manually added to the group and work on the same frequency
band. Dynamic load balancing overcomes these limitations and better ensures
bandwidth for each STA.

Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● AP load balancing is not recommended.
After AP load balancing is configured, APs in the load balancing group
forward received Probe packets to the AC. The AC then determines the APs
from which STAs can access the WLAN. Too many Probe packets may degrade
AC performance. Therefore, it is recommended that the AP load balancing
function be disabled, unless otherwise required.
● From V200R011C10, WLAN configurations are automatically delivered, without
the need to run the commit all command.
● In this example, the security policy is WPA2-PSK-AES. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interface directly
connected to APs. If port isolation is not configured, many broadcast packets
will be transmitted in the VLANs or WLAN users on different APs can directly
communicate at Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
Service packets and management packets can be forwarded normally
only if the network between APs and upper-layer network is added to the
service VLAN and the network between the AC and APs is added to the
management VLAN.
● Radio traffic statistics packets are sent and received together with Echo
packets. In this example, traffic-based dynamic load balancing is used. You are
advised to set the CAPWAP heartbeat detection interval to between 30s and
60s so that the radio traffic statistics can be updated in a timely manner.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air
interfaces may be congested. You are advised to configure multicast packet
suppression to reduce impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.

Networking Requirements
As shown in Figure 3-171, the AC connects to the upper-layer network and
manages the APs through the access and aggregation switches.

When a large number of STAs access the Internet through the same AP, the AP is
heavily loaded, degrading user experience. The enterprise requires that data traffic
be balanced on AP radios to prevent one AP radio from being heavily loaded.

Figure 3-171 Networking diagram for configuring dynamic load balancing

Data Planning

Table 3-91 Data required for completing the configuration

Item | Data
DHCP server | The AC functions as a DHCP server to assign IP addresses to APs and STAs.
IP address pool for the APs | 10.23.100.2-10.23.100.254/24
IP address pool for STAs | 10.23.101.2-10.23.101.254/24
IP address of the AC's source interface | VLANIF 100: 10.23.100.1/24
AP group | ● Name: ap-group1
         | ● Referenced profiles: VAP profile wlan-vap, regulatory domain profile domain1, 5G radio profile radio5g, and 2G radio profile radio2g
Regulatory domain profile | ● Name: domain1
                          | ● Country code: CN
SSID profile | ● Name: wlan-ssid
             | ● SSID name: wlan-net
Security profile | ● Name: wlan-security
                 | ● Security policy: WPA2+PSK+AES
                 | ● Password: YsHsjx_202206
VAP profile | ● Name: wlan-vap
            | ● Forwarding mode: tunnel forwarding
            | ● Service VLAN: VLAN 101
            | ● Referenced profiles: SSID profile wlan-ssid and security profile wlan-security
5G radio profile | ● Name: radio5g
                 | ● Referenced profile: RRM profile loadbalance-dynamic
2G radio profile | ● Name: radio2g
                 | ● Referenced profile: RRM profile loadbalance-dynamic
RRM profile | ● Name: loadbalance-dynamic
            | ● Start threshold for dynamic load balancing (based on the number of users): 15
            | ● Load difference threshold for dynamic load balancing: 25%

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the APs, AC, and upper-layer devices to communicate with each
other.
2. Configure the AC as a DHCP server to assign IP addresses to the APs from an
interface IP address pool, configure the AC as a DHCP relay agent, and
configure the Router connected to the AC to assign IP addresses to STAs.
3. Configure a VLAN pool for service VLANs.
4. Configure the APs to go online.
a. Create an AP group to allow for the unified configuration of multiple APs.
b. Configure AC system parameters, including the country code and source
interface used by the AC to communicate with the APs.
c. Configure the AP authentication mode and import the APs offline to
allow the APs to go online.
5. Configure WLAN service parameters for STAs to access the WLAN.
6. Configure dynamic load balancing to prevent one AP from being heavily
loaded.

NOTE

During AP deployment, you can manually specify the working channels of the APs according to
network planning or configure the radio calibration function to enable the APs to automatically
select the optimal channels. This example configures the radio calibration function.

Procedure
Step 1 Set the NAC mode to unified mode on the AC (default setting). Configure SwitchA
and the AC to allow the AP and AC to transmit CAPWAP packets.

# Add GE0/0/1, GE0/0/2, and GE0/0/3 on SwitchA to VLAN 100 (management VLAN).
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/1] stp edged-port enable
[SwitchA-GigabitEthernet0/0/1] port-isolate enable
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-gigabitethernet0/0/3] port link-type trunk
[SwitchA-gigabitethernet0/0/3] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet0/0/3] stp edged-port enable
[SwitchA-GigabitEthernet0/0/3] port-isolate enable
[SwitchA-gigabitethernet0/0/3] quit

# Add GE1/0/1 that connects the AC to SwitchA to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitethernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC to communicate with the upstream device.

# Configure VLANIF 101 (service VLAN) and VLANIF 102.
[AC] vlan batch 101 102
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 24
[AC-Vlanif101] quit
[AC] interface vlanif 102
[AC-Vlanif102] ip address 10.23.102.2 24
[AC-Vlanif102] quit

# Configure a default route on the AC.
[AC] ip route-static 0.0.0.0 0.0.0.0 10.23.102.1 //Configure a default route destined for Router.

# Add GE1/0/2 that connects the AC to the Router to VLAN 102.
[AC] interface gigabitethernet 1/0/2
[AC-GigabitEthernet1/0/2] port link-type trunk
[AC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[AC-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/2] quit

Step 3 Configure the AC to assign an IP address to the AP and configure the Router to
assign IP addresses to STAs.

# Configure the AC to assign an IP address to the AP from an interface IP address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface //Configure an interface-based address pool.
[AC-Vlanif100] quit

# Configure the AC as the DHCP relay agent and enable user entry detection on
the AC.
[AC] interface vlanif 101
[AC-Vlanif101] dhcp select relay //Configure the DHCP relay function.
[AC-Vlanif101] dhcp relay server-ip 10.23.102.1 //Set the DHCP server address for DHCP relay to 10.23.102.1, which resides on Router.
[AC-Vlanif101] quit

# Configure the Router as a DHCP server to assign IP addresses to STAs.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
<Huawei> system-view
[Huawei] sysname Router
[Router] dhcp enable
[Router] ip pool sta //Configure the address pool to assign IP addresses to STAs.
[Router-ip-pool-sta] gateway-list 10.23.101.1
[Router-ip-pool-sta] network 10.23.101.0 mask 24
[Router-ip-pool-sta] quit
[Router] vlan batch 102
[Router] interface vlanif 102
[Router-Vlanif102] ip address 10.23.102.1 24
[Router-Vlanif102] dhcp select global //Configure a global address pool.
[Router-Vlanif102] quit
[Router] interface gigabitethernet 2/0/0
[Router-GigabitEthernet2/0/0] port link-type trunk
[Router-GigabitEthernet2/0/0] port trunk allow-pass vlan 102
[Router-GigabitEthernet2/0/0] undo port trunk allow-pass vlan 1
[Router-GigabitEthernet2/0/0] quit
[Router] ip route-static 10.23.101.0 24 10.23.102.2 //Configure a route on the Router destined for the network segment 10.23.101.0/24.

Step 4 Configure the APs to go online.

# Create an AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import APs offline on the WLAN AC and add APs area_1 and area_2 to AP
group ap-group1. Configure a name for the AP based on the AP's deployment
location, so that you can know where the AP is deployed from its name. For
example, name the AP area_1 if it is deployed in area 1.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
Each AP used in this example has two radios: radio 0 (2.4 GHz radio) and radio 1 (5 GHz radio).

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC-wlan-ap-0] ap-name area_1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 00e0-fc74-9640
[AC-wlan-ap-1] ap-name area_2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit

# Power on the APs and run the display ap all command to check the AP state. If
the State field is nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
---------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
---------------------------------------------------------------------------------------
0 00e0-fc76-e360 area_1 ap-group1 10.23.101.253 AP5030DN nor 0 5M:2S
1 00e0-fc74-9640 area_2 ap-group1 10.23.101.254 AP5030DN nor 0 5M:4S
---------------------------------------------------------------------------------------
Total: 2

Step 5 Configure WLAN service parameters.

# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to YsHsjx_202206. In
actual situations, the security policy must be configured according to service requirements.
[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase YsHsjx_202206 aes //Configure security
policy WPA2+PSK+AES.
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net //Set the SSID to wlan-net.
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap, set the data forwarding mode and service VLAN,
and apply the security profile and SSID profile to the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap
[AC-wlan-vap-prof-wlan-vap] forward-mode tunnel //Set the service forwarding mode to tunnel.
[AC-wlan-vap-prof-wlan-vap] service-vlan vlan-id 101 //Set the VLAN ID to 101. By default, the VLAN ID is 1.
[AC-wlan-vap-prof-wlan-vap] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap] quit

# Bind VAP profile wlan-vap to the AP group and apply the profile to radio 0 and
radio 1 of the AP.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 6 Configure dynamic load balancing.

# Create the RRM profile loadbalance-dynamic, enable dynamic load balancing in it, and
set the start threshold for dynamic load balancing to 15 and the load difference
threshold to 25%.
[AC-wlan-view] rrm-profile name loadbalance-dynamic
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic enable
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic start-threshold 15
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic gap-threshold 25
[AC-wlan-rrm-prof-loadbalance-dynamic] quit

NOTE

From V200R011C00 to V200R019C00, the device supports dynamic load balancing based on
channel utilization. Configure dynamic load balancing based on the number of STAs as
follows:
[AC-wlan-view] rrm-profile name loadbalance-dynamic
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic enable //In V200R013C00 and later versions, the format is changed to undo sta-load-balance dynamic disable.
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance mode sta-number //Configure dynamic load balancing based on the number of STAs.
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic sta-number start-threshold 15
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic sta-number gap-threshold 25 //The command changes to sta-load-balance dynamic sta-number gap-threshold percentage 25 in V200R011C10 and later versions.
[AC-wlan-rrm-prof-loadbalance-dynamic] quit
In V200R019C10 and later versions, the device does not support dynamic load balancing
based on channel utilization. Configure dynamic load balancing based on the number of
STAs as follows:
[AC-wlan-view] rrm-profile name loadbalance-dynamic
[AC-wlan-rrm-prof-loadbalance-dynamic] undo sta-load-balance dynamic disable
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic sta-number start-threshold 15
[AC-wlan-rrm-prof-loadbalance-dynamic] sta-load-balance dynamic sta-number gap-threshold
percentage 25
[AC-wlan-rrm-prof-loadbalance-dynamic] quit

# Create the 2G radio profile radio2g and bind the RRM profile loadbalance-
dynamic to the 2G radio profile.
[AC-wlan-view] radio-2g-profile name radio2g
[AC-wlan-radio-2g-prof-radio2g] rrm-profile loadbalance-dynamic
[AC-wlan-radio-2g-prof-radio2g] quit

# Create the 5G radio profile radio5g and bind the RRM profile loadbalance-
dynamic to the 5G radio profile.
[AC-wlan-view] radio-5g-profile name radio5g
[AC-wlan-radio-5g-prof-radio5g] rrm-profile loadbalance-dynamic
[AC-wlan-radio-5g-prof-radio5g] quit

# Bind the 5G radio profile radio5g and 2G radio profile radio2g to the AP group
ap-group1.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] radio-5g-profile radio5g
[AC-wlan-ap-group-ap-group1] radio-2g-profile radio2g
[AC-wlan-ap-group-ap-group1] quit

Step 7 Commit the configuration.

[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 8 Verify the configuration.

● Connect STAs to the WLAN with SSID wlan-net and enter the password
YsHsjx_202206. Run the display station ssid wlan-net command on the AC.
The command output shows that the STAs are connected to the WLAN wlan-net.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
-------------------------------------------------------------------------------------
00e0-fc00-0001 0 area_1 0/1 2.4G 11n 65/38 -29 101 10.23.101.253
00e0-fc00-0002 1 area_2 0/1 2.4G 11n 78/43 -33 101 10.23.101.254

-------------------------------------------------------------------------------------
Total: 2 2.4G: 2 5G: 0

● Run the display rrm-profile name loadbalance-dynamic command on the
AC to check the dynamic load balancing configuration.
[AC-wlan-view] display rrm-profile name loadbalance-dynamic
------------------------------------------------------------
...
Station load balance : enable
Station load balance start threshold : 15
Station load balance gap threshold(%) : 25
...
------------------------------------------------------------

● (Applicable to versions V200R009 to V200R012) Run the display station
load-balance sta-mac 00e0-fc00-0001 command on the AC to check AP
radios participating in dynamic load balancing.
[AC-wlan-view] display station load-balance sta-mac 00e0-fc00-0001
Station load balance status: balance
------------------------------------------------------------------------------
AP name Radio ID
------------------------------------------------------------------------------
area_1 1
area_1 0
area_2 1
area_2 0
------------------------------------------------------------------------------
Total: 4

● (Applicable to V200R013 and later versions) Run the display station
neighbor sta-mac 00e0-fc00-0001 command on the AC to check AP radios
participating in dynamic load balancing.
[AC-wlan-view] display station neighbor sta-mac 00e0-fc00-0001
--------------------------------------------------------------------------------------------------------------------------------
Device MAC Device ID Device Name Radio ID Probe info(RSSI/HH:MM:SS) 11k info[RCPI/RSNI/HH:MM:SS]
--------------------------------------------------------------------------------------------------------------------------------
00e0-fc74-9640 1 area_2 0 -48/16:28:24 205/45/16:28:24
--------------------------------------------------------------------------------------------------------------------------------
Total neighbors: 1, total records: 1

● When a new STA requests to connect to AP area_1, the AC uses a dynamic
load balancing algorithm to redirect the STA to a lightly loaded AP in the
same load balancing group.
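The bullets above describe the outcome of dynamic load balancing but not the decision behind it. The following Python script is an added example, not part of this Huawei document or of the AC software: it parses the display station ssid output shown in this step into per-radio STA counts and then applies a simplified model of the start threshold (15) and load difference threshold (25%) configured in rrm-profile loadbalance-dynamic. The model itself (a radio refuses a new association once it holds at least start-threshold STAs and its count exceeds the lightest radio in the group by more than gap-threshold percent of its own count) and the BALANCE_GROUP list (the four radios returned by display station load-balance above) are assumptions for illustration; the sample output is copied from the verification step and the heavy-load counts are constructed.

```python
import re
from collections import Counter

# Constructed sample: the two-STA 'display station ssid wlan-net' output from the
# verification step, copied here so the parser can run offline.
SAMPLE_DISPLAY_STATION = """\
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
-------------------------------------------------------------------------------------
STA MAC        AP ID  Ap name  Rf/WLAN  Band  Type  Rx/Tx  RSSI  VLAN  IP address
-------------------------------------------------------------------------------------
00e0-fc00-0001 0      area_1   0/1      2.4G  11n   65/38  -29   101   10.23.101.253
00e0-fc00-0002 1      area_2   0/1      2.4G  11n   78/43  -33   101   10.23.101.254
-------------------------------------------------------------------------------------
Total: 2       2.4G: 2      5G: 0
"""

# Assumption: the radios taking part in balancing for this STA are the four
# (AP name, radio ID) pairs listed by 'display station load-balance sta-mac'.
BALANCE_GROUP = [("area_1", 0), ("area_1", 1), ("area_2", 0), ("area_2", 1)]

# One STA row: MAC, AP ID, AP name, radio/WLAN, band, type, Rx/Tx, RSSI, VLAN, IP.
ROW_RE = re.compile(
    r"^(?P<mac>[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4})\s+(?P<ap_id>\d+)\s+(?P<ap>\S+)\s+"
    r"(?P<radio>\d+)/(?P<wlan>\d+)\s+\S+\s+\S+\s+\S+\s+-?\d+\s+(?P<vlan>\d+)\s+(?P<ip>\S+)$"
)


def stations_per_radio(output):
    """Count associated STAs per (AP name, radio ID) in 'display station ssid' output."""
    loads = Counter()
    for line in output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            loads[(m["ap"], int(m["radio"]))] += 1
    return loads


def load_gap_percent(loads, group, radio):
    """Gap between `radio` and the lightest radio in `group`, as a percentage of
    the STA count on `radio`. Assumed formula, not Huawei's published algorithm."""
    current = loads.get(radio, 0)
    if current == 0:
        return 0.0
    lightest = min(loads.get(r, 0) for r in group)
    return (current - lightest) * 100.0 / current


def rejects_new_sta(loads, group, radio, start_threshold=15, gap_threshold=25):
    """True when `radio` should refuse a new association: it has reached
    start_threshold STAs and its gap to the lightest radio exceeds gap_threshold %."""
    if loads.get(radio, 0) < start_threshold:
        return False  # below the start threshold balancing is not in effect
    return load_gap_percent(loads, group, radio) > gap_threshold


def accepting_radios(loads, group, start_threshold=15, gap_threshold=25):
    """Radios in the group that would still accept the STA (redirect targets)."""
    return [r for r in group
            if not rejects_new_sta(loads, group, r, start_threshold, gap_threshold)]


if __name__ == "__main__":
    print(dict(stations_per_radio(SAMPLE_DISPLAY_STATION)))
    # Constructed heavy-load scenario: 16 STAs on area_1 radio 0, 13 on area_2 radio 0.
    heavy = {("area_1", 0): 16, ("area_2", 0): 13}
    print(accepting_radios(heavy, BALANCE_GROUP))
```

With the constructed heavy load, area_1 radio 0 is past the start threshold and 100% above the idle radios, so it is the only radio that refuses the STA; with all four radios between 13 and 16 STAs the gap stays under 25% and nobody is rejected, which is the situation the gap threshold exists to prevent ping-pong in.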

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
interface gigabitethernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#

interface gigabitethernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface gigabitethernet0/0/3
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
return
● Router configuration file
#
sysname Router
#
vlan batch 102
#
dhcp enable
#
ip pool sta
gateway-list 10.23.101.1
network 10.23.101.0 mask 255.255.255.0
#
interface Vlanif102
ip address 10.23.102.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet2/0/0
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#
ip route-static 10.23.101.0 255.255.255.0 10.23.102.2
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select relay
dhcp relay server-ip 10.23.102.1
#
interface Vlanif102
ip address 10.23.102.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 102
#

ip route-static 0.0.0.0 0.0.0.0 10.23.102.1
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#m"tz0f>~7.[`^6RWdzwCy16hJj/Mc!,}s`X*B]}A%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain1
rrm-profile name loadbalance-dynamic
sta-load-balance dynamic enable
sta-load-balance dynamic start-threshold 15
sta-load-balance dynamic gap-threshold 25
radio-2g-profile name radio2g
rrm-profile loadbalance-dynamic
radio-5g-profile name radio5g
rrm-profile loadbalance-dynamic
ap-group name ap-group1
regulatory-domain-profile domain1
radio 0
radio-2g-profile radio2g
radio-5g-profile radio5g
vap-profile wlan-vap wlan 1
radio 1
radio-5g-profile radio5g
vap-profile wlan-vap wlan 1
ap-id 0 type-id 35 ap-mac 00e0-fc76-e360 ap-sn 210235554710CB000042
ap-name area_1
ap-group ap-group1
ap-id 1 type-id 35 ap-mac 00e0-fc74-9640 ap-sn 210235554710CB000078
ap-name area_2
ap-group ap-group1
#
return

3.12.12 Configuring WLAN Roaming

3.12.12.1 Example for Configuring Intra-AC Roaming

WLAN Roaming Overview

WLAN roaming allows a STA to move from the coverage area of one AP to that of
another AP with nonstop service transmission. Roaming between APs in the same
service VLAN allows a STA to move between two APs that connect to the same AC
without service interruption.

Roaming between APs in the same service VLAN is classified into fast roaming and
non-fast roaming. Non-fast roaming is used when a STA uses a security policy other
than WPA2-802.1X or WPA3-802.1X. If a STA uses WPA2-802.1X or WPA3-802.1X but does
not support fast roaming, it still has to complete 802.1X authentication again
when roaming between two APs. If the STA uses WPA2-802.1X or WPA3-802.1X and
supports fast roaming, it does not perform 802.1X authentication again during
roaming and only performs key negotiation. Fast roaming therefore reduces roaming
delay and improves service experience.

Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● Enabling smart roaming based on scenarios.
On a traditional WLAN, when a STA is moving away from an AP, the STA's
access rate becomes lower, but the STA still associates with the AP instead of
re-initiating a connection with the AP or roaming to another AP. This
degrades user experience. The smart roaming function can address this issue.
When detecting that the signal-to-noise ratio (SNR) or access rate of a STA is
lower than the specified threshold, the AP sends a Disassociation packet to
the STA so that the STA can reconnect to the AP or roam to another AP.
This function applies to high-density static scenarios, for example, lecture
halls. This function is not recommended in scenarios where STAs move
frequently, such as wireless cities. If this function is enabled, you are advised
to retain the default roaming threshold.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
● The APs on which WLAN roaming is implemented must use the same SSID
and security profiles, and the security profiles must have the same
configurations.
● In this example, the security policy is WPA2-PSK-AES. To ensure network
security, choose an appropriate security policy according to your network
configurations.
● In tunnel forwarding mode, the management VLAN and service VLAN cannot
be the same. If you set the forwarding mode to direct forwarding, you are not
advised to configure the management VLAN and service VLAN to be the
same.
● In direct forwarding mode, configure port isolation on the interfaces directly
connected to APs. Without port isolation, broadcast packets are flooded within the
VLANs and WLAN users on different APs can communicate with each other directly at
Layer 2.
● Configure the management VLAN and service VLAN:
– In tunnel forwarding mode, service packets are encapsulated in a
CAPWAP tunnel and forwarded to the AC. The AC then forwards the
packets to the upper-layer network. Service packets and management
packets can be forwarded normally only if the network between the AC
and APs is added to the management VLAN and the network between
the AC and upper-layer network is added to the service VLAN.
– In direct forwarding mode, service packets are not encapsulated into a
CAPWAP tunnel, but are directly forwarded to the upper-layer network.
Service packets and management packets can be forwarded normally
only if the network between APs and upper-layer network is added to the
service VLAN and the network between the AC and APs is added to the
management VLAN.
● No ACK mechanism is provided for multicast packet transmission on air
interfaces. In addition, wireless links are unstable. To ensure stable
transmission of multicast packets, they are usually sent at low rates. If a large
number of such multicast packets are sent from the network side, the air

interfaces may be congested. You are advised to configure multicast packet
suppression to reduce the impact of a large number of low-rate multicast packets
on the wireless network. Exercise caution when configuring the rate limit;
otherwise, the multicast services may be affected.
– In direct forwarding mode, you are advised to configure multicast packet
suppression on switch interfaces connected to APs.
– In tunnel forwarding mode, you are advised to configure multicast packet
suppression in traffic profiles of the AC.
For details on how to configure traffic suppression, see How Do I Configure
Multicast Packet Suppression to Reduce Impact of a Large Number of
Low-Rate Multicast Packets on the Wireless Network?.
● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.

Networking Requirements
A small enterprise needs to provide WLAN services for employees. One AC is
deployed to manage APs. To differentiate department management, employees
are assigned different subnets by department. The enterprise wants to allow
employees to roam with nonstop service transmission.
As shown in Figure 3-172, an AC provides services for the employees. It connects
to AP_1 and AP_2 through Switch_1 and Switch_2 respectively.

Figure 3-172 Configuring intra-AC roaming


Data planning
Item                           Data
DHCP server                    The AC functions as a DHCP server to assign IP addresses to the STAs and APs.
IP address pool for the APs    10.23.100.2-10.23.100.254/24
IP address pool for the STAs   10.23.101.2-10.23.101.254/24
AC's source interface address  VLANIF 100: 10.23.100.1/24
AP group                       ● Name: ap-group1
                               ● Referenced profiles: VAP profile wlan-vap1 and regulatory domain profile domain
Regulatory domain profile      ● Name: domain
                               ● Country code: CN
SSID profile                   ● Name: wlan-ssid
                               ● SSID name: wlan-net
Security profile               ● Name: wlan-security
                               ● Security policy: WPA2+PSK+AES
                               ● Password: YsHsjx_202206
VAP profile                    ● Name: wlan-vap1
                               ● Forwarding mode: tunnel forwarding
                               ● Service VLAN: VLAN 101
                               ● Referenced profiles: SSID profile wlan-ssid and security profile wlan-security

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure parameters used for communication between the AC and APs to
transmit CAPWAP packets.
2. Configure the AC to function as a DHCP server to assign IP addresses to the
STAs and APs.
3. Configure basic WLAN services so that users can connect to the wireless
network.


Procedure
Step 1 Configure the switches and the AC so that the AC can communicate with the APs.
# On Switch_1, create VLAN 100 (management VLAN). Add GE0/0/1 connected to
AP_1 and GE0/0/2 connected to AC to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_1
[Switch_1] vlan batch 100
[Switch_1] interface gigabitethernet 0/0/1
[Switch_1-GigabitEthernet0/0/1] port link-type trunk
[Switch_1-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[Switch_1-GigabitEthernet0/0/1] stp edged-port enable
[Switch_1-GigabitEthernet0/0/1] port-isolate enable
[Switch_1-GigabitEthernet0/0/1] quit
[Switch_1] interface gigabitethernet 0/0/2
[Switch_1-GigabitEthernet0/0/2] port link-type trunk
[Switch_1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_1-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[Switch_1-GigabitEthernet0/0/2] quit

# On Switch_2, create VLAN 100 (management VLAN). Add GE0/0/1 connected to
AP_2 and GE0/0/2 connected to AC to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname Switch_2
[Switch_2] vlan batch 100
[Switch_2] interface gigabitethernet 0/0/1
[Switch_2-GigabitEthernet0/0/1] port link-type trunk
[Switch_2-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_2-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[Switch_2-GigabitEthernet0/0/1] stp edged-port enable
[Switch_2-GigabitEthernet0/0/1] port-isolate enable
[Switch_2-GigabitEthernet0/0/1] quit
[Switch_2] interface gigabitethernet 0/0/2
[Switch_2-GigabitEthernet0/0/2] port link-type trunk
[Switch_2-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_2-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[Switch_2-GigabitEthernet0/0/2] quit

# On the AC, add GE0/0/1 connected to Switch_1 and GE0/0/2 connected to
Switch_2 to VLAN 100.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 to 102
[AC] interface gigabitethernet 0/0/1
[AC-GigabitEthernet0/0/1] port link-type trunk
[AC-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet0/0/1] quit
[AC] interface gigabitethernet 0/0/2
[AC-GigabitEthernet0/0/2] port link-type trunk
[AC-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AC-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet0/0/2] quit

Step 2 Configure the AC as a DHCP server to assign IP addresses to STAs and APs.
# Configure the AC as a DHCP server based on interface address pools. Configure
VLANIF 100 to assign IP addresses to APs and VLANIF 101 to assign IP addresses
to STAs.


NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 255.255.255.0
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit
[AC] interface vlanif 101
[AC-Vlanif101] ip address 10.23.101.1 255.255.255.0
[AC-Vlanif101] dhcp select interface
[AC-Vlanif101] quit

Step 3 Configure the APs to go online.

# Create an AP group.
[AC] wlan
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP group.
[AC-wlan-view] regulatory-domain-profile name domain
[AC-wlan-regulate-domain-domain] country-code cn
[AC-wlan-regulate-domain-domain] quit
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] regulatory-domain-profile domain
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-ap-group1] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Import APs offline on the AC and add APs to AP group ap-group1. Assume that
the type of AP_1 and AP_2 is AP6010DN-AGN, and their MAC addresses are
00e0-fc76-e360 and 00e0-fc04-b500, respectively.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 0 ap-mac 00e0-fc76-e360
[AC-wlan-ap-0] ap-name ap1
[AC-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio. Whether to continue? [Y/N]:y
[AC-wlan-ap-0] quit
[AC-wlan-view] ap-id 1 ap-mac 00e0-fc04-b500
[AC-wlan-ap-1] ap-name ap2
[AC-wlan-ap-1] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and antenna gain configurations of the radio. Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit


# Power on the APs and run the display ap all command to check the AP state. If
the State field is nor, the APs have gone online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [2]
--------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
--------------------------------------------------------------------------------------
0 00e0-fc76-e360 ap1 ap-group1 10.23.100.254 AP6010DN-AGN nor 0 15S
1 00e0-fc04-b500 ap2 ap-group1 10.23.100.253 AP6010DN-AGN nor 0 10S
--------------------------------------------------------------------------------------
Total: 2

Step 4 Configure basic WLAN services on the AC.

# Create security profile wlan-security and set the security policy in the profile.
NOTE

In this example, the security policy is set to WPA2+PSK+AES and password to YsHsjx_202206. In
actual situations, the security policy must be configured according to service requirements.

[AC-wlan-view] security-profile name wlan-security
[AC-wlan-sec-prof-wlan-security] security wpa2 psk pass-phrase YsHsjx_202206 aes
[AC-wlan-sec-prof-wlan-security] quit

# Create SSID profile wlan-ssid and set the SSID name to wlan-net.
[AC-wlan-view] ssid-profile name wlan-ssid
[AC-wlan-ssid-prof-wlan-ssid] ssid wlan-net
[AC-wlan-ssid-prof-wlan-ssid] quit

# Create VAP profile wlan-vap1, set the data forwarding mode and service
VLAN, and apply the security profile wlan-security and SSID profile wlan-ssid to
the VAP profile.
[AC-wlan-view] vap-profile name wlan-vap1
[AC-wlan-vap-prof-wlan-vap1] forward-mode tunnel
[AC-wlan-vap-prof-wlan-vap1] service-vlan vlan-id 101
[AC-wlan-vap-prof-wlan-vap1] security-profile wlan-security
[AC-wlan-vap-prof-wlan-vap1] ssid-profile wlan-ssid
[AC-wlan-vap-prof-wlan-vap1] quit

# Bind VAP profile wlan-vap1 to AP group ap-group1, and apply the VAP profile
to radio 0 and radio 1 of the APs.
[AC-wlan-view] ap-group name ap-group1
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 0
[AC-wlan-ap-group-ap-group1] vap-profile wlan-vap1 wlan 1 radio 1
[AC-wlan-ap-group-ap-group1] quit

Step 5 Commit the configuration.

[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 6 Verify the configuration.

The AC automatically delivers WLAN service configuration to the APs. After the
service configuration is complete, run the display vap ssid wlan-net command to
check VAP information. In the command output, if Status is ON, the VAPs have
been successfully created on AP radios.
[AC-wlan-view] display vap ssid wlan-net
WID : WLAN ID
--------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID Status Auth type STA SSID
--------------------------------------------------------------------------------------
0 ap1 0 1 00E0-FC76-E360 ON WPA2-PSK 0 wlan-net
0 ap1 1 1 00E0-FC76-E370 ON WPA2-PSK 0 wlan-net
1 ap2 0 1 00E0-FC04-B500 ON WPA2-PSK 0 wlan-net
1 ap2 1 1 00E0-FC04-B510 ON WPA2-PSK 0 wlan-net
--------------------------------------------------------------------------------------
Total: 4

In the coverage area of AP_1, connect the STA to the wireless network with SSID
wlan-net and enter the password YsHsjx_202206. After the STA successfully
associates with the network, run the display station ssid wlan-net command on
the AC. The command output shows that the STA with MAC address 00e0-fcc7-1e08
has associated with AP_1.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------
00e0-fcc7-1e08 0 ap1 1/1 5G 11n 46/59 -57 101 10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

After the STA moves from the coverage area of AP_1 to that of AP_2, run the
display station ssid wlan-net command on AC. The command output shows that
the STA has associated with AP_2.
[AC-wlan-view] display station ssid wlan-net
Rf/WLAN: Radio ID/WLAN ID
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------------
STA MAC AP ID Ap name Rf/WLAN Band Type Rx/Tx RSSI VLAN IP address
------------------------------------------------------------------------------------
00e0-fcc7-1e08 1 ap2 1/1 5G 11n 46/59 -58 101 10.23.101.254
------------------------------------------------------------------------------------
Total: 1 2.4G: 0 5G: 1

Run the display station roam-track sta-mac 00e0-fcc7-1e08 command on the AC
to check the STA roaming track.
[AC-wlan-view] display station roam-track sta-mac 00e0-fcc7-1e08
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 ap1 1
00e0-fc76-e360 2016/02/07 17:48:30 -57/-58 46/65
L2 10.23.100.1 ap2 1
00e0-fc04-b500 2016/02/07 17:54:50 -58/- -/-
------------------------------------------------------------------------------
Number: 1
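The three outputs above are what you read by eye to confirm intra-AC roaming. The following Python script is an added example, not part of this Huawei document or of the AC software; it automates the two checks a practitioner would script against those outputs: that every VAP advertising SSID wlan-net is ON and shares one authentication type (the precondition from Configuration Notes that roaming APs use identical security profiles, and a cheap way to catch an AP left on an open VAP), and that the roam-track records show a Layer 2 roam from ap1 to ap2 under the same AC IP address. The sample outputs are copied from the verification step; the nine-token record layout that parse_roam_track assumes (type, AC IP, AP name, radio ID, BSSID, date, time, In/Out RSSI, Out Rx/Tx) is an assumption drawn from the wrapped output shown above.

```python
import re

# Constructed samples copied from the verification outputs of this example
# (STA 00e0-fcc7-1e08 moving from ap1 to ap2), so the checks run offline.
SAMPLE_VAP = """\
WID : WLAN ID
--------------------------------------------------------------------------------------
AP ID AP name RfID WID BSSID          Status Auth type STA SSID
--------------------------------------------------------------------------------------
0     ap1     0    1   00E0-FC76-E360 ON     WPA2-PSK  0   wlan-net
0     ap1     1    1   00E0-FC76-E370 ON     WPA2-PSK  0   wlan-net
1     ap2     0    1   00E0-FC04-B500 ON     WPA2-PSK  0   wlan-net
1     ap2     1    1   00E0-FC04-B510 ON     WPA2-PSK  0   wlan-net
--------------------------------------------------------------------------------------
Total: 4
"""

SAMPLE_ROAM_TRACK = """\
Access SSID:wlan-net
Rx/Tx: link receive rate/link transmit rate(Mbps)
------------------------------------------------------------------------------
L2/L3 AC IP AP name Radio ID
BSSID TIME In/Out RSSI Out Rx/Tx
------------------------------------------------------------------------------
-- 10.23.100.1 ap1 1
00e0-fc76-e360 2016/02/07 17:48:30 -57/-58 46/65
L2 10.23.100.1 ap2 1
00e0-fc04-b500 2016/02/07 17:54:50 -58/- -/-
------------------------------------------------------------------------------
Number: 1
"""

# One VAP row: AP ID, AP name, radio, WLAN ID, BSSID, status, auth type, STA count, SSID.
VAP_ROW_RE = re.compile(
    r"^(?P<ap_id>\d+)\s+(?P<ap>\S+)\s+(?P<radio>\d+)\s+(?P<wid>\d+)\s+"
    r"(?P<bssid>[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4}-[0-9A-Fa-f]{4})\s+(?P<status>\S+)\s+"
    r"(?P<auth>\S+)\s+(?P<sta>\d+)\s+(?P<ssid>\S+)$"
)


def parse_vap_rows(output):
    """Rows of 'display vap ssid' as dicts."""
    matches = (VAP_ROW_RE.match(ln.strip()) for ln in output.splitlines())
    return [m.groupdict() for m in matches if m]


def check_roaming_vaps(output, ssid):
    """Roaming precondition: every VAP advertising `ssid` is ON and uses the same
    authentication type. Returns (ok, auth types seen, VAPs that are not ON)."""
    rows = [r for r in parse_vap_rows(output) if r["ssid"] == ssid]
    auth_types = {r["auth"] for r in rows}
    down = [(r["ap"], int(r["radio"])) for r in rows if r["status"] != "ON"]
    ok = bool(rows) and len(auth_types) == 1 and not down
    return ok, auth_types, down


def parse_roam_track(output):
    """Records of 'display station roam-track'. A record starts with a line whose
    first token is '--' (initial association), 'L2' or 'L3'; the AC wraps the
    record onto a second line, which is merged here (assumed 9-token layout)."""
    lines = [ln.strip() for ln in output.splitlines()]
    records, i = [], 0
    while i < len(lines):
        tokens = lines[i].split()
        if tokens and tokens[0] in ("--", "L2", "L3"):
            while len(tokens) < 9 and i + 1 < len(lines):
                i += 1
                tokens += lines[i].split()
            records.append({"type": tokens[0], "ac_ip": tokens[1], "ap": tokens[2],
                            "radio": int(tokens[3]), "bssid": tokens[4],
                            "time": tokens[5] + " " + tokens[6]})
        i += 1
    return records


def roam_hops(records):
    """Consecutive records as hops, flagged when the hop is a Layer 2 roam between
    two different APs managed by the same AC."""
    hops = []
    for prev, cur in zip(records, records[1:]):
        intra = cur["type"] == "L2" and prev["ac_ip"] == cur["ac_ip"] and prev["ap"] != cur["ap"]
        hops.append({"from": prev["ap"], "to": cur["ap"], "type": cur["type"], "intra_ac_l2": intra})
    return hops


def verify_intra_ac_roam(track_output, ap_from, ap_to):
    """True if the roam track contains an intra-AC L2 hop from ap_from to ap_to."""
    return any(h["from"] == ap_from and h["to"] == ap_to and h["intra_ac_l2"]
               for h in roam_hops(parse_roam_track(track_output)))


if __name__ == "__main__":
    print(check_roaming_vaps(SAMPLE_VAP, "wlan-net"))
    print(roam_hops(parse_roam_track(SAMPLE_ROAM_TRACK)))
    print("intra-AC L2 roam ap1 -> ap2:", verify_intra_ac_roam(SAMPLE_ROAM_TRACK, "ap1", "ap2"))
```

Feed the script the real command output captured from the AC and the VAP check will flag a radio whose VAP is still down or whose security profile drifted from the others (a mixed WPA2-PSK and open set on the same SSID), which is the usual reason a STA reauthenticates instead of roaming.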

----End

Configuration Files
● Switch_1 configuration file
#
sysname Switch_1
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
return
● Switch_2 configuration file
#
sysname Switch_2
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 102
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wlan-security
security wpa2 psk pass-phrase %^%#]:krYrz_r<ee}|Cq@9V(W{ZD$"\-R-HD_y.4#U4,%^%# aes
ssid-profile name wlan-ssid
ssid wlan-net
vap-profile name wlan-vap1
forward-mode tunnel
service-vlan vlan-id 101
ssid-profile wlan-ssid
security-profile wlan-security
regulatory-domain-profile name domain
ap-group name ap-group1
regulatory-domain-profile domain
radio 0
vap-profile wlan-vap1 wlan 1
radio 1
vap-profile wlan-vap1 wlan 1
ap-id 0 ap-mac 00e0-fc76-e360
ap-name ap1
ap-group ap-group1
ap-id 1 ap-mac 00e0-fc04-b500
ap-name ap2
ap-group ap-group1
#
return

3.12.13 Example for Configuring the WLAN Service Using WDS Technology

WDS Overview
A wireless distribution system (WDS) connects two or more wired or wireless LANs
using wireless links to establish a large network.

On a traditional WLAN network, APs connect to an AC through wired uplinks.
However, wired connections are difficult or costly to implement in areas where
network cables are hard to deploy, such as tunnels and docks. WDS technology
connects APs to each other using wireless links, which facilitates WLAN deployment
in complex geographical environments, reduces network deployment cost, allows
flexible networking, and makes the network easy to expand.

APs on a WDS network work in any of the following modes:
● Root: A root AP connects to an AC using a wired link and connects to a
middle or leaf AP using a wireless uplink.
● Middle: A middle AP is an intermediate node using wireless links to connect
an upstream root AP and a downstream leaf AP.
● Leaf: A leaf AP connects to a root or middle AP using an uplink wireless link.

Both WDS and mesh technologies can implement wireless bridging between APs.
A WDS network supports a maximum of three hops (for example, a WDS link can
be established along a root node, a middle node, and a leaf node), has a tree
topology, and does not support link redundancy between nodes. On the other
hand, a mesh network supports a maximum of eight hops, has a mesh topology,
and supports link redundancy between nodes. These factors make a mesh network
more reliable than a WDS network. You can choose the WDS or mesh technology
to deploy wireless bridging between APs according to your networking needs.

Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.


● On a WDS or mesh network, an 802.11ac AP cannot interoperate with
non-802.11ac APs regardless of their radio types. Only 802.11ac APs can
interoperate with each other.
NOTE

Among all WDS- and mesh-capable APs, only the AP1050DN-S, AP4050DN, AP4051DN,
AP4151DN, AP8050DN, AP8150DN, AP5030DN, AP5130DN, AP8130DN, AP8030DN,
AP8130DN-W, AP4030DN, AP4130DN, AP9131DN, AP9132DN, AP6050DN, AP6150DN,
AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP4051TN, AP6052DN,
AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, and AP8182DN are
802.11ac APs.
● If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency
band and used for WDS or mesh services, the software version of the AP
connected to the AP8130DN must be V200R005C10 or later.
● When planning a WDS network, pay attention to the following:
– The back-to-back WDS networking involves two WDS networks. A single
WDS network cannot form a back-to-back WDS network.
– Only one root node exists on the WDS network.
– A middle node sets up WDS links only with the leaf node and root node.
Middle nodes do not set up WDS links between each other.
– Three hops are recommended for each WDS link (a 3-hop WDS link
includes a root node, a middle node, and a leaf node).
– Each node on the WDS link supports a maximum of six subnodes.
NOTE

APs supporting WDS can be interconnected. APs with 802.11ac and 802.11n chips are
not subject to interoperation constraints.
● You cannot use WDS and mesh technologies on the same network.
● If WDS and Mesh services are configured on an AP radio, WIDS, spectrum
analysis, or WLAN location on the radio does not take effect.
● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.
WDS is not supported by the Central AP (including the RUs mapped to it),
AP7060DN, AP6310SN-GN, AP2010DN, AP2030DN, AP2050DN, AP2050DN-E,
AP2050DN-S, AP1010SN, AP7030DE, AP9330DN, AP2030DN-S, AP2051DN,
AP2051DN-S, AP2051DN-L-S, AP5510-W-GP, AirEngine 5760-10, WA375DD-
CE, and AP6310SN-GN.
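The WDS planning rules listed above (one root node, no links between middle nodes, at most three hops, at most six subnodes per node) can be checked before a plan is pushed to the AC. The following validator is an added example and not code from the Huawei documentation; the AP names and links in demo_plans() are constructed to mirror the back-to-back WDS networks of this section.

```python
"""Validate a planned WDS topology against the WDS planning rules above.

Added example; this is not code from the Huawei documentation. The AP names
and links in demo_plans() are constructed to mirror the back-to-back WDS
network of this section (two independent WDS networks, each with one root and
one leaf); the rule limits are the ones stated in the planning notes.
"""
from collections import defaultdict

MAX_HOPS = 3        # a WDS link is at most root -> middle -> leaf
MAX_SUBNODES = 6    # each node on the WDS link supports at most six subnodes
ROLES = {"root", "middle", "leaf"}


def validate_wds_network(roles, links):
    """Return the list of rule violations for one WDS network (empty if valid).

    roles: {ap_name: "root" | "middle" | "leaf"}
    links: [(upstream_ap, downstream_ap), ...], one entry per WDS link, where
           the downstream AP uses the link as its uplink.
    """
    problems = []
    for ap, role in roles.items():
        if role not in ROLES:
            problems.append(f"{ap}: unknown WDS role {role!r}")

    # Rule: only one root node exists on the WDS network.
    roots = sorted(ap for ap, role in roles.items() if role == "root")
    if len(roots) != 1:
        problems.append(f"expected exactly one root node, found {len(roots)}: {roots}")

    parent = {}
    children = defaultdict(list)
    for up, down in links:
        up_role, down_role = roles.get(up), roles.get(down)
        if down_role == "root":
            problems.append(f"{down}: a root node must not have an uplink (to {up})")
        if up_role == "leaf":
            problems.append(f"{up}: a leaf node must not accept a downlink (from {down})")
        # Rule: middle nodes do not set up WDS links between each other.
        if up_role == "middle" and down_role == "middle":
            problems.append(f"{up}-{down}: middle nodes do not set up WDS links with each other")
        if down in parent:
            problems.append(f"{down}: more than one uplink ({parent[down]} and {up})")
        parent[down] = up
        children[up].append(down)

    # Rule: each node supports a maximum of six subnodes.
    for ap, subs in children.items():
        if len(subs) > MAX_SUBNODES:
            problems.append(f"{ap}: {len(subs)} subnodes exceeds the maximum of {MAX_SUBNODES}")

    # Rule: at most three hops (nodes) on the path from any node up to the root.
    for ap in roles:
        node, hops, seen = ap, 1, {ap}
        while node in parent:
            node = parent[node]
            hops += 1
            if node in seen:
                problems.append(f"{ap}: uplink chain forms a loop")
                break
            seen.add(node)
        else:
            if roles.get(node) != "root":
                problems.append(f"{ap}: uplink chain ends at {node}, which is not the root")
            if hops > MAX_HOPS:
                problems.append(f"{ap}: {hops} hops exceeds the maximum of {MAX_HOPS}")
    return problems


def demo_plans():
    """Constructed plans: the two WDS networks of this example, plus a bad one."""
    net_a = ({"AP_1": "root", "AP_2": "leaf"}, [("AP_1", "AP_2")])
    net_b = ({"AP_3": "root", "AP_4": "leaf"}, [("AP_3", "AP_4")])
    # Invalid: two chained middle nodes make a four-hop link.
    bad = ({"R": "root", "M1": "middle", "M2": "middle", "L": "leaf"},
           [("R", "M1"), ("M1", "M2"), ("M2", "L")])
    return net_a, net_b, bad


if __name__ == "__main__":
    for roles, links in demo_plans():
        print(sorted(roles), validate_wds_network(roles, links) or "OK")
```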

Networking Requirements
An enterprise has three areas: Area A, Area B, and Area C. In the office
environment, AP_1 in Area A can be connected to the AC through a network cable;
AP_2 and AP_3 in Area B can be connected through a cable but cannot be
connected to the AC in wired mode; Area C is near Area B but AP_4 in Area C
cannot be connected to the AC through a network cable either. The enterprise
requires that APs be connected to each other in back-to-back WDS mode and go
online on the AC to provide network services for PCs in VLAN 101, as shown in
Figure 3-173:


Figure 3-173 Networking for configuring back-to-back WDS

Data Planning
Before configuring the WDS service, determine the types and MAC addresses of
the APs used as WDS bridges. The following table provides the data plan for this
example.

NOTE

The APs used in this example are AP6010DN-AGN.

Table 3-92 AP data required for completing the configuration

AP     Type           MAC
AP_1   AP6010DN-AGN   00e0-fc74-9640
AP_2   AP6010DN-AGN   00e0-fc04-b500
AP_3   AP6010DN-AGN   00e0-fcf6-76a0
AP_4   AP6010DN-AGN   00e0-fc76-e360

The following table provides the data plan for the WDS service configuration.

Table 3-93 Data planning

Item                           Data
VLAN                           Management VLAN: VLAN 100
                               Service VLAN: VLAN 101
IP address of the AC's         VLANIF 100: 10.23.100.1/24
source interface
WDS profile                    ● wds-net1 (WDS profile used by AP_1): WDS mode root,
                                 referenced WDS whitelist wds-list1, permitting access
                                 only from AP_2
                               ● wds-net2 (WDS profile used by AP_3): WDS mode root,
                                 referenced WDS whitelist wds-list2, permitting access
                                 only from AP_4
                               ● wds-net3 (WDS profile used by AP_2 and AP_4):
                                 referencing no WDS whitelist
WDS role                       ● AP_1: root
                               ● AP_2: leaf
                               ● AP_3: root
                               ● AP_4: leaf
WDS name                       wds-net
WDS whitelist                  ● wds-list1: contains the MAC address of AP_2 and is
                                 bound to AP_1.
                               ● wds-list2: contains the MAC address of AP_4 and is
                                 bound to AP_3.
Radio used by WDS              Radio 1 (AP_1 and AP_2):
                               ● Bandwidth: 40mhz-plus
                               ● Channel: 157
                               ● Radio coverage distance parameter: 4 (unit: 100 m)
                               Radio 1 (AP_3 and AP_4):
                               ● Bandwidth: 40mhz-plus
                               ● Channel: 149
                               ● Radio coverage distance parameter: 4 (unit: 100 m)
Security profile               ● Name: wds-sec
                               ● Security policy: WPA2+PSK+AES
                               ● Password type: PASS-PHRASE
                               ● Password: YsHsjx_202206
AP group                       ● wds-root1: AP_1
                               ● wds-root2: AP_3
                               ● wds-leaf1: AP_2
                               ● wds-leaf2: AP_4. The wired interface of AP_4 is
                                 connected to a PC, and a wired port profile needs to
                                 be configured for AP_4. Therefore, AP_2 and AP_4 are
                                 added to two separate AP groups.

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure WDS links in Area A and Area B so that AP_1 and AP_2 can go
online on the AC.
2. Configure Switch_C to enable AP_2 and AP_3 to communicate through the
wired network.
3. Configure WDS links in Area B and Area C so that AP_4 can go online on the
AC.

Procedure
Step 1 Configure the AC to communicate with AP_1 and AP_2 to communicate with AP_3.
# Configure access switch Switch_B. Add GE0/0/1 of Switch_B to VLAN 100
(management VLAN) and set the PVID of the interface to VLAN 100. Configure
GE0/0/1 and GE0/0/2 to allow packets from VLAN 100 and VLAN 101 to pass
through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100 to 101
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[Switch_B-GigabitEthernet0/0/1] stp edged-port enable
[Switch_B-GigabitEthernet0/0/1] port-isolate enable
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_B-GigabitEthernet0/0/2] quit

# Configure aggregation switch Switch_A. Configure GE0/0/1 to allow packets
from VLAN 100 and VLAN 101 to pass through, GE0/0/2 to allow packets from
VLAN 100 to pass through, and GE0/0/3 to allow packets from VLAN 101 to pass
through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100 to 101
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_A-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[Switch_A-GigabitEthernet0/0/2] quit
[Switch_A] interface gigabitEthernet 0/0/3
[Switch_A-GigabitEthernet0/0/3] port link-type trunk
[Switch_A-GigabitEthernet0/0/3] port trunk allow-pass vlan 101
[Switch_A-GigabitEthernet0/0/3] undo port trunk allow-pass vlan 1
[Switch_A-GigabitEthernet0/0/3] quit

# Configure GE1/0/1 of the AC to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100 to 101
[AC] interface gigabitEthernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/1] quit

# Configure access switch Switch_C. Configure GE0/0/1 and GE0/0/2 to allow
packets from the service and management VLANs to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_C
[Switch_C] vlan batch 100 to 101
[Switch_C] interface gigabitEthernet 0/0/1
[Switch_C-GigabitEthernet0/0/1] port link-type trunk
[Switch_C-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[Switch_C-GigabitEthernet0/0/1] stp edged-port enable
[Switch_C-GigabitEthernet0/0/1] port-isolate enable
[Switch_C-GigabitEthernet0/0/1] quit
[Switch_C] interface gigabitEthernet 0/0/2
[Switch_C-GigabitEthernet0/0/2] port link-type trunk
[Switch_C-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 101
[Switch_C-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[Switch_C-GigabitEthernet0/0/2] quit

Step 2 Configure Switch_A to assign IP addresses to PCs and the AC to assign IP
addresses to APs.
# Configure Switch_A as a DHCP server to assign IP addresses to PCs from an
interface address pool.

NOTE

Configure the DNS server as required. The common methods are as follows:
● In interface address pool scenarios, run the dhcp server dns-list ip-address &<1-8>
command in the VLANIF interface view.
● In global address pool scenarios, run the dns-list ip-address &<1-8> command in the IP
address pool view.
[Switch_A] dhcp enable
[Switch_A] interface vlanif 101
[Switch_A-Vlanif101] ip address 10.23.101.1 24
[Switch_A-Vlanif101] dhcp select interface
[Switch_A-Vlanif101] quit

# Enable the DHCP function on the AC to allow it to assign IP addresses to APs
from an interface address pool.
[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 3 Configure the AP groups, country code, and AC's source interface.
# Create AP group wds-root1 and AP group wds-root2 for root APs and AP group
wds-leaf1 and AP group wds-leaf2 for leaf APs.
[AC] wlan
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-wds-leaf2] quit
[AC-wlan-view] quit

# Configure the AC's source interface.
[AC] capwap source interface vlanif 100

# Add AP_1 to AP group wds-root1, AP_3 to AP group wds-root2, AP_2 to AP
group wds-leaf1, and AP_4 to AP group wds-leaf2.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.
[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 00e0-fc74-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group wds-root1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 00e0-fc04-b500
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group wds-leaf1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 00e0-fcf6-76a0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group wds-root2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit
[AC-wlan-view] ap-id 4 ap-mac 00e0-fc76-e360
[AC-wlan-ap-4] ap-name AP_4
[AC-wlan-ap-4] ap-group wds-leaf2
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-4] quit

Step 4 Configure WDS service parameters.
# Configure radio parameters for WDS nodes. This example uses radio 1 of the
AP6010DN-AGN. The coverage distance command sets the radio coverage distance
parameter, which is 3 (unit: 100 m) by default. In this example, the radio
coverage distance is set to 4. You can configure the parameter as required.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] radio 1
[AC-wlan-group-radio-wds-root1/1] channel 40mhz-plus 157 //Configure the channel and bandwidth for WDS links. All WDS links on the same WDS network must be configured with the same channel and bandwidth.
[AC-wlan-group-radio-wds-root1/1] coverage distance 4 //After the radio coverage distance parameter is configured based on distances between APs, the APs will automatically adjust the values of slottime, acktimeout, and ctstimeout based on the configured distance parameter.
[AC-wlan-group-radio-wds-root1/1] quit
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] radio 1
[AC-wlan-group-radio-wds-root2/1] channel 40mhz-plus 149
[AC-wlan-group-radio-wds-root2/1] coverage distance 4
[AC-wlan-group-radio-wds-root2/1] quit
[AC-wlan-ap-group-wds-root2] quit
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] radio 1
[AC-wlan-group-radio-wds-leaf1/1] channel 40mhz-plus 157
[AC-wlan-group-radio-wds-leaf1/1] coverage distance 4
[AC-wlan-group-radio-wds-leaf1/1] quit
[AC-wlan-ap-group-wds-leaf1] quit
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] radio 1
[AC-wlan-group-radio-wds-leaf2/1] channel 40mhz-plus 149
[AC-wlan-group-radio-wds-leaf2/1] coverage distance 4
[AC-wlan-group-radio-wds-leaf2/1] quit
[AC-wlan-ap-group-wds-leaf2] quit

# Configure the security profile wds-sec used by WDS links. The wds-sec profile
uses the security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name wds-sec
[AC-wlan-sec-prof-wds-sec] security wpa2 psk pass-phrase YsHsjx_202206 aes
[AC-wlan-sec-prof-wds-sec] quit

# Configure a WDS whitelist. Configure the WDS whitelist wds-list1 bound to
AP_1 to permit access only from AP_2 and the WDS whitelist wds-list2 bound to
AP_3 to permit access only from AP_4.
[AC-wlan-view] wds-whitelist-profile name wds-list1
[AC-wlan-wds-whitelist-wds-list1] peer-ap mac 00e0-fc04-b500
[AC-wlan-wds-whitelist-wds-list1] quit
[AC-wlan-view] wds-whitelist-profile name wds-list2
[AC-wlan-wds-whitelist-wds-list2] peer-ap mac 00e0-fc76-e360
[AC-wlan-wds-whitelist-wds-list2] quit

# Configure the WDS profile wds-net1. Set the WDS name to wds-net and WDS
mode to root. Apply the security profile wds-sec and allow packets from service
VLAN 101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-net1
[AC-wlan-wds-prof-wds-net1] wds-name wds-net //Only WDS VAPs with the same WDS name can set up WDS links.
[AC-wlan-wds-prof-wds-net1] wds-mode root
[AC-wlan-wds-prof-wds-net1] security-profile wds-sec
[AC-wlan-wds-prof-wds-net1] vlan tagged 101
[AC-wlan-wds-prof-wds-net1] quit

# Configure the WDS profile wds-net2. Set the WDS name to wds-net and WDS
mode to root. Apply the security profile wds-sec and allow packets from service
VLAN 101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-net2
[AC-wlan-wds-prof-wds-net2] wds-name wds-net
[AC-wlan-wds-prof-wds-net2] wds-mode root
[AC-wlan-wds-prof-wds-net2] security-profile wds-sec
[AC-wlan-wds-prof-wds-net2] vlan tagged 101
[AC-wlan-wds-prof-wds-net2] quit

# Configure the WDS profile wds-net3. Set the WDS name to wds-net and WDS
mode to leaf. Bind the security profile wds-sec to the WDS profile, allowing
packets from service VLAN 101 to pass through in tagged mode.
[AC-wlan-view] wds-profile name wds-net3
[AC-wlan-wds-prof-wds-net3] wds-name wds-net
[AC-wlan-wds-prof-wds-net3] wds-mode leaf
[AC-wlan-wds-prof-wds-net3] security-profile wds-sec
[AC-wlan-wds-prof-wds-net3] vlan tagged 101
[AC-wlan-wds-prof-wds-net3] quit

# Bind the WDS whitelist wds-list1 to radio 1 in AP group wds-root1 to permit
access only from AP_2. Bind the WDS whitelist wds-list2 to radio 1 in AP group
wds-root2 to permit access only from AP_4.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] radio 1
[AC-wlan-group-radio-wds-root1/1] wds-whitelist-profile wds-list1
[AC-wlan-group-radio-wds-root1/1] quit
[AC-wlan-ap-group-wds-root1] quit
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] radio 1
[AC-wlan-group-radio-wds-root2/1] wds-whitelist-profile wds-list2
[AC-wlan-group-radio-wds-root2/1] quit
[AC-wlan-ap-group-wds-root2] quit

Step 5 Configure the wired port profile used by the wired interface of AP_4 and set the
wired interface mode to endpoint. In this example, the PVID of the wired interface
is set to VLAN 101 and the wired interface is added to VLAN 101 in untagged
mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] mode endpoint
[AC-wlan-wired-port-wired-port] vlan pvid 101
[AC-wlan-wired-port-wired-port] vlan untagged 101
[AC-wlan-wired-port-wired-port] quit

Step 6 Bind required profiles to the AP groups to make WDS services take effect.
# Configure the AP group wds-root1 and bind the WDS profile wds-net1 to the
group.
[AC-wlan-view] ap-group name wds-root1
[AC-wlan-ap-group-wds-root1] wds-profile wds-net1 radio 1
[AC-wlan-ap-group-wds-root1] quit

# Configure the AP group wds-root2 and bind the WDS profile wds-net2 to the
group.
[AC-wlan-view] ap-group name wds-root2
[AC-wlan-ap-group-wds-root2] wds-profile wds-net2 radio 1
[AC-wlan-ap-group-wds-root2] quit

# Configure the AP group wds-leaf1 and bind the WDS profile wds-net3 to the
group.
[AC-wlan-view] ap-group name wds-leaf1
[AC-wlan-ap-group-wds-leaf1] wds-profile wds-net3 radio 1
[AC-wlan-ap-group-wds-leaf1] quit

# Configure the AP group wds-leaf2, and bind the WDS profile wds-net3 and
wired port profile wired-port to the group.
[AC-wlan-view] ap-group name wds-leaf2
[AC-wlan-ap-group-wds-leaf2] wds-profile wds-net3 radio 1
[AC-wlan-ap-group-wds-leaf2] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-wds-leaf2] quit

Step 7 Commit the configuration.
[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 8 Verify the WDS service configuration.
# After the configuration is complete, run the display ap all command to check
whether WDS nodes go online successfully. If State is nor, the APs have gone
online.
[AC-wlan-view] display ap all
Total AP information:
nor : normal [4]
------------------------------------------------------------------------------------------
ID  MAC             Name  Group      IP             Type          State  STA  Uptime
------------------------------------------------------------------------------------------
1   00e0-fc74-9640  AP_1  wds-root1  10.23.100.250  AP6010DN-AGN  nor    0    20M:16S
4   00e0-fc76-e360  AP_4  wds-leaf2  10.23.100.251  AP6010DN-AGN  nor    0    17S
2   00e0-fc04-b500  AP_2  wds-leaf1  10.23.100.253  AP6010DN-AGN  nor    0    3M:55S
3   00e0-fcf6-76a0  AP_3  wds-root2  10.23.100.252  AP6010DN-AGN  nor    0    2M:55S
------------------------------------------------------------------------------------------
Total: 4

Run the display wlan wds link all command to check information about the WDS
links.
[AC-wlan-view] display wlan wds link all
Rf   : radio ID              Dis  : coverage distance(100m)
Ch   : channel               Per  : drop percent(%)
TSNR : total SNR(dB)         P-   : peer
WDS  : WDS mode              Re   : retry ratio(%)
RSSI : RSSI(dBm)             MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName  P-APName  Rf  Dis  Ch   WDS   P-Status  RSSI  MaxR  Per  Re  TSNR  SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------------------
AP_1    AP_2      1   3    157  root  normal    -44   -40   0    3   50    45/49/-
AP_2    AP_1      1   3    157  leaf  normal    -38   -36   0    49  57    36/31/57
AP_3    AP_4      1   3    149  root  normal    -11   -7    0    1   83    81/80/-
AP_4    AP_3      1   3    149  leaf  normal    -4    -4    0    0   91    90/85/-
-------------------------------------------------------------------------------------------------
Total: 4
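Checking the link table by eye does not scale once more than a handful of bridges are deployed. The following script, an added example and not code from the Huawei documentation, parses the display wlan wds link all output and compares every link with the data plan of this example (peer, WDS mode, channel, link state, drop percent); SAMPLE_OUTPUT is a constructed copy of the table above, and the column order is assumed to be the one printed in its header.

```python
"""Audit 'display wlan wds link all' output against the WDS data plan.

Added example; this is not code from the Huawei documentation. SAMPLE_OUTPUT
is a constructed copy of the link table shown in Step 8, and PLAN is taken from
the data plan of this example (WDS role, channel and whitelisted peer of each
AP). The column order is assumed to be the one in the table header.
"""

SAMPLE_OUTPUT = """\
APName P-APName Rf Dis Ch WDS P-Status RSSI MaxR Per Re TSNR SNR(Ch0~2:dB)
------------------------------------------------------------------------------
AP_1 AP_2 1 3 157 root normal -44 -40 0 3 50 45/49/-
AP_2 AP_1 1 3 157 leaf normal -38 -36 0 49 57 36/31/57
AP_3 AP_4 1 3 149 root normal -11 -7 0 1 83 81/80/-
AP_4 AP_3 1 3 149 leaf normal -4 -4 0 0 91 90/85/-
------------------------------------------------------------------------------
Total: 4
"""

# Expected per-AP values from the data plan. "peers" is the set of APs the
# link may terminate on: the whitelist entry for a root, its root for a leaf.
PLAN = {
    "AP_1": {"mode": "root", "channel": 157, "peers": {"AP_2"}},
    "AP_2": {"mode": "leaf", "channel": 157, "peers": {"AP_1"}},
    "AP_3": {"mode": "root", "channel": 149, "peers": {"AP_4"}},
    "AP_4": {"mode": "leaf", "channel": 149, "peers": {"AP_3"}},
}

COLUMNS = ("ap", "peer", "radio", "dis", "channel", "mode", "status",
           "rssi", "maxr", "per", "re", "tsnr", "snr")
INT_COLUMNS = ("radio", "dis", "channel", "rssi", "maxr", "per", "re", "tsnr")


def parse_wds_links(text):
    """Parse the link table; returns one dict per link row."""
    links = []
    for line in text.splitlines():
        fields = line.split()
        # Skip legend lines, separators, the header row and the total line.
        if len(fields) != len(COLUMNS) or fields[0] == "APName":
            continue
        row = dict(zip(COLUMNS, fields))
        try:
            for key in INT_COLUMNS:
                row[key] = int(row[key])
        except ValueError:
            continue  # not a data row
        links.append(row)
    return links


def audit_wds_links(links, plan, max_drop_percent=10):
    """Compare parsed links with the plan; returns a list of findings."""
    findings = []
    reported = set()
    for row in links:
        ap, peer = row["ap"], row["peer"]
        reported.add(ap)
        expected = plan.get(ap)
        if expected is None:
            findings.append(f"{ap}: unplanned AP reports a WDS link to {peer}")
            continue
        if peer not in expected["peers"]:
            findings.append(f"{ap}: peer {peer} is not the planned (whitelisted) peer")
        if row["mode"] != expected["mode"]:
            findings.append(f"{ap}: WDS mode {row['mode']} differs from planned {expected['mode']}")
        if row["channel"] != expected["channel"]:
            findings.append(f"{ap}: channel {row['channel']} differs from planned {expected['channel']}")
        if row["status"] != "normal":
            findings.append(f"{ap}: link to {peer} is in state {row['status']}")
        if row["per"] > max_drop_percent:
            findings.append(f"{ap}: drop percent {row['per']}% exceeds {max_drop_percent}%")
    # An AP in the plan that reports no link at all is also a finding.
    for ap in plan:
        if ap not in reported:
            findings.append(f"{ap}: no WDS link reported")
    return findings


if __name__ == "__main__":
    result = audit_wds_links(parse_wds_links(SAMPLE_OUTPUT), PLAN)
    for finding in result or ["all WDS links match the plan"]:
        print(finding)
```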

----End

Configuration Files
● Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif101
ip address 10.23.101.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101
#
return

● Switch_B configuration file
#
sysname Switch_B
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
return
● Switch_C configuration file
#
sysname Switch_C
#
vlan batch 100 to 101
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100 to 101
#
return
● AC configuration file
#
sysname AC
#
vlan batch 100 to 101
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name wds-sec
security wpa2 psk pass-phrase %^%#n}5+DgC3wLB.hJ34j5;*QMv<8"9#{Bq@ghBI3L9K%^%# aes
wds-whitelist-profile name wds-list1
peer-ap mac 00e0-fc04-b500
wds-whitelist-profile name wds-list2
peer-ap mac 00e0-fc76-e360
wds-profile name wds-net1
security-profile wds-sec
vlan tagged 101
wds-name wds-net
wds-mode root
wds-profile name wds-net2
security-profile wds-sec
vlan tagged 101
wds-name wds-net
wds-mode root
wds-profile name wds-net3
security-profile wds-sec
vlan tagged 101
wds-name wds-net
regulatory-domain-profile name domain1
wired-port-profile name wired-port
mode endpoint
vlan pvid 101
vlan untagged 101
ap-group name wds-leaf1
regulatory-domain-profile domain1
radio 1
wds-profile wds-net3
channel 40mhz-plus 157
coverage distance 4
ap-group name wds-leaf2
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
wds-profile wds-net3
channel 40mhz-plus 149
coverage distance 4
ap-group name wds-root1
regulatory-domain-profile domain1
radio 1
wds-profile wds-net1
wds-whitelist-profile wds-list1
channel 40mhz-plus 157
coverage distance 4
ap-group name wds-root2
regulatory-domain-profile domain1
radio 1
wds-profile wds-net2
wds-whitelist-profile wds-list2
channel 40mhz-plus 149
coverage distance 4
ap-id 1 type-id 19 ap-mac 00e0-fc74-9640 ap-sn 210235554710CB000042
ap-name AP_1
ap-group wds-root1
ap-id 2 type-id 19 ap-mac 00e0-fc04-b500 ap-sn 210235555310CC000094
ap-name AP_2
ap-group wds-leaf1
ap-id 3 type-id 19 ap-mac 00e0-fcf6-76a0 ap-sn 210235419610D2000097
ap-name AP_3
ap-group wds-root2
ap-id 4 type-id 19 ap-mac 00e0-fc76-e360 ap-sn 210235557610DB000046
ap-name AP_4
ap-group wds-leaf2
#
return

3.12.14 Example for Configuring the WLAN Service Using Mesh Technology
Mesh Overview
Mesh is short for wireless mesh network (WMN), which consists of APs wirelessly
connected in a mesh topology.
On a traditional WLAN network, APs connect to an AC through wired uplinks.
Wired network deployment is costly in areas where network cables are difficult to
deploy, for example, tunnels and docks. In these areas, the mesh technology can
be used to deploy a wireless network quickly. A mesh network supports dynamic
and automatic configuration, allowing you to add or remove mesh nodes flexibly.
In addition, the mesh technology supports link redundancy so that the failure of a
single node will not affect the entire network. This makes networks more robust.
A mesh network has two types of nodes:

● Mesh portal point (MPP): a mesh point that provides the portal function to
connect the mesh network to other types of networks for communication.
● Mesh point (MP): a mesh-capable node that uses IEEE 802.11 MAC and
physical layer protocols for wireless communication. This node supports
automatic topology discovery, automatic route discovery, and data packet
forwarding. MPs can provide both mesh service and user access service.
Both WDS and mesh technologies can implement wireless bridging between APs.
A WDS network supports a maximum of three hops (for example, a WDS link can
be established along a root node, a middle node, and a leaf node), has a tree
topology, and does not support link redundancy between nodes. On the other
hand, a mesh network supports a maximum of eight hops, has a mesh topology,
and supports link redundancy between nodes. These factors make a mesh network
more reliable than a WDS network. You can choose the WDS or mesh technology
to deploy wireless bridging between APs according to your networking needs.

Configuration Notes
● For details about common WLAN configuration notes, see 3.12.2 General
Precautions for WLAN. For more deployment and configuration suggestions,
see 3.12.1 Wireless Network Deployment and Configuration Suggestions.
● From V200R011C10, WLAN configurations are automatically delivered,
without the need of running the commit all command.
● On a WDS or mesh network, an 802.11ac AP cannot interoperate with
non-802.11ac APs regardless of their radio types. Only 802.11ac APs can
interoperate with each other.
NOTE

Among all WDS- and mesh-capable APs, only the AP1050DN-S, AP4050DN, AP4051DN,
AP4151DN, AP8050DN, AP8150DN, AP5030DN, AP5130DN, AP8130DN, AP8030DN,
AP8130DN-W, AP4030DN, AP4130DN, AP9131DN, AP9132DN, AP6050DN, AP6150DN,
AP7050DE, AP7050DN-E, AP4030TN, AP4050DN-E, AP4050DN-HD, AP4051TN, AP6052DN,
AP7052DN, AP7152DN, AP7052DE, AP8050TN-HD, AP8082DN, and AP8182DN are
802.11ac APs.
● If radio 0 of the AP8130DN is configured to work on the 5 GHz frequency
band and used for WDS or mesh services, the software version of the AP
connected to the AP8130DN must be V200R005C10 or later.
● It is recommended that you deploy no more than 40 mesh nodes on a mesh
network.
● You cannot use WDS and mesh technologies on the same network.
● If WDS and Mesh services are configured on an AP radio, WIDS, spectrum
analysis, or WLAN location on the radio does not take effect.
● How to configure the source interface:
– In V200R005 and V200R006, run the wlan ac source interface
{ loopback loopback-number | vlanif vlan-id } command in the WLAN
view.
– In V200R007 and V200R008, run the capwap source interface
{ loopback loopback-number | vlanif vlan-id } command in the system
view.
● For applicable products and versions, see Quick Reference for WLAN AP
Version Mapping and Models.

Mesh is not supported by the AP7060DN, AP6310SN-GN, AP2010DN,
AP2030DN, AP2050DN, AP2050DN-E, AP2050DN-S, AP1010SN, AP7030DE,
AP9330DN, AP2030DN-S, AP2051DN, AP2051DN-S, AP2051DN-L-S,
AP2051DN-E, AP5510-W-GP, and WA375DD-CE.

Networking Requirements
An enterprise has three areas: Area A, Area B, and Area C. Restricted by
geographical locations, the AP in Area A can be deployed in wired mode, but
wired deployment of APs is costly in Area B and Area C. The enterprise requires
that APs be deployed in Area B and Area C at low cost.
As shown in Figure 3-174, a mesh network is deployed to connect AP_2 and AP_3
to AP_1 through mesh links, which can reduce network construction cost.

Figure 3-174 Mesh networking

Data Plan
Before configuring the mesh service, determine the types and MAC addresses of
the APs used as mesh nodes. The following table provides the data plan for this
example.

NOTE

The APs used in this example are AP6010DN-AGN.

Table 3-94 AP data required for completing the configuration

AP     Type           MAC
AP_1   AP6010DN-AGN   00e0-fc74-9640
AP_2   AP6010DN-AGN   00e0-fc76-e360
AP_3   AP6010DN-AGN   00e0-fcf6-76a0

The following provides data planning for mesh service configuration.

Table 3-95 Data required for completing the configuration

Item                           Data
Management VLAN for APs        VLAN 100
DHCP server                    The AC functions as a DHCP server to allocate IP
                               addresses to APs.
                               Address pool: 10.23.100.2-10.23.100.254/24
AC's source interface          VLANIF 100: 10.23.100.1/24
Mesh profile name              Name: mesh-net
Mesh role                      ● AP_1: Mesh-portal (MPP)
                               ● AP_2: Mesh-node (MP)
                               ● AP_3: Mesh-node (MP)
Mesh ID                        Name: mesh-net
Mesh whitelist                 Name: mesh-list
AP system profile              Name: mesh-sys
Radio used by Mesh services    Radio 1:
                               ● Bandwidth: 40mhz-plus
                               ● Channel: 157
                               ● Radio coverage distance parameter: 4 (unit: 100 m)
Security profile               ● Name: mesh-sec
                               ● Security policy: WPA2+PSK+AES
                               ● Password type: PASS-PHRASE
                               ● Password: YsHsjx_202206
AP group                       ● mesh-mpp: AP_1
                               ● mesh-mp: AP_2 and AP_3

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network connectivity and enable the AP (MPP) in Area A to go
online on the AC in wired mode.
2. Configure Mesh services to enable APs (MPs) in Area B and Area C to go
online on the AC through Mesh links.


Procedure
Step 1 Configure the AC to communicate with AP_1.
# Configure access switch Switch_A. Add GE0/0/1 to VLAN 100 (management
VLAN) and set the PVID of the interface to VLAN 100. Configure GE0/0/1 and
GE0/0/2 to allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_A
[Switch_A] vlan batch 100
[Switch_A] interface gigabitEthernet 0/0/1
[Switch_A-GigabitEthernet0/0/1] port link-type trunk
[Switch_A-GigabitEthernet0/0/1] port trunk pvid vlan 100
[Switch_A-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[Switch_A-GigabitEthernet0/0/1] stp edged-port enable
[Switch_A-GigabitEthernet0/0/1] port-isolate enable
[Switch_A-GigabitEthernet0/0/1] quit
[Switch_A] interface gigabitEthernet 0/0/2
[Switch_A-GigabitEthernet0/0/2] port link-type trunk
[Switch_A-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_A-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[Switch_A-GigabitEthernet0/0/2] quit

# Configure aggregation switch Switch_B. Configure GE0/0/1 and GE0/0/2 to
allow packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname Switch_B
[Switch_B] vlan batch 100
[Switch_B] interface gigabitEthernet 0/0/1
[Switch_B-GigabitEthernet0/0/1] port link-type trunk
[Switch_B-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/1] undo port trunk allow-pass vlan 1
[Switch_B-GigabitEthernet0/0/1] quit
[Switch_B] interface gigabitEthernet 0/0/2
[Switch_B-GigabitEthernet0/0/2] port link-type trunk
[Switch_B-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[Switch_B-GigabitEthernet0/0/2] undo port trunk allow-pass vlan 1
[Switch_B-GigabitEthernet0/0/2] quit

# Configure GE1/0/1 that connects the AC to the aggregation switch to allow
packets from VLAN 100 to pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] vlan batch 100
[AC] interface gigabitEthernet 1/0/1
[AC-GigabitEthernet1/0/1] port link-type trunk
[AC-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[AC-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[AC-GigabitEthernet1/0/1] quit

Step 2 Configure the AC as a DHCP server to assign IP addresses to APs.


[AC] dhcp enable
[AC] interface vlanif 100
[AC-Vlanif100] ip address 10.23.100.1 24
[AC-Vlanif100] dhcp select interface
[AC-Vlanif100] quit

Step 3 Configure the AP groups, country code, and AC's source interface.
# Create AP groups for MPPs and MPs respectively.
[AC] wlan
[AC-wlan-view] ap-group name mesh-mpp //Configure an AP group for MPPs.


[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp //Configure an AP group for MPs.
[AC-wlan-ap-group-mesh-mp] quit

# Create a regulatory domain profile, configure the AC country code in the profile,
and apply the profile to the AP groups.
[AC-wlan-view] regulatory-domain-profile name domain1
[AC-wlan-regulate-domain-domain1] country-code cn
[AC-wlan-regulate-domain-domain1] quit
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] regulatory-domain-profile domain1
Warning: This configuration change will clear the channel and power configurations of radios, and may
restart APs. Continue?[Y/N]:y
[AC-wlan-ap-group-mesh-mp] quit
[AC-wlan-view] quit

# Configure the AC's source interface.


[AC] capwap source interface vlanif 100

# Add AP_1 to the AP group mesh-mpp and AP_2 and AP_3 to the AP group
mesh-mp.
NOTE

The default AP authentication mode is MAC address authentication. If the default settings are
retained, you do not need to run the ap auth-mode mac-auth command.
In this example, the AP6010DN-AGN is used and has two radios: radio 0 and radio 1.

[AC] wlan
[AC-wlan-view] ap auth-mode mac-auth
[AC-wlan-view] ap-id 1 ap-mac 00e0-fc74-9640
[AC-wlan-ap-1] ap-name AP_1
[AC-wlan-ap-1] ap-group mesh-mpp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-1] quit
[AC-wlan-view] ap-id 2 ap-mac 00e0-fc76-e360
[AC-wlan-ap-2] ap-name AP_2
[AC-wlan-ap-2] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-2] quit
[AC-wlan-view] ap-id 3 ap-mac 00e0-fcf6-76a0
[AC-wlan-ap-3] ap-name AP_3
[AC-wlan-ap-3] ap-group mesh-mp
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configuration s of the radio, Whether to continue? [Y/N]:y
[AC-wlan-ap-3] quit

Step 4 Configure mesh parameters.

# Configure radio parameters for mesh nodes. Radio 1 of the AP6010DN-AGN is
used as an example. coverage distance is the radio coverage distance parameter,
which is 3 (unit: 100 m) by default. In this example, the radio coverage distance is
set to 4. You can configure the parameter as required.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] channel 40mhz-plus 157 //Configure the channel and bandwidth
for mesh links. All mesh links on the same mesh network must be configured with the same channel and
bandwidth.
[AC-wlan-group-radio-mesh-mpp/1] coverage distance 4 //After the radio coverage distance parameter
is configured based on distances between APs, the APs will automatically adjust the values of slottime,
acktimeout, and ctstimeout based on the configured distance parameter.
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] channel 40mhz-plus 157
[AC-wlan-group-radio-mesh-mp/1] coverage distance 4
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit

# Set parameters for the APs' wired interfaces. This example assumes that the
service VLAN is VLAN 101. Wired interfaces of all mesh nodes are therefore added
to VLAN 101 in tagged mode.
[AC-wlan-view] wired-port-profile name wired-port
[AC-wlan-wired-port-wired-port] vlan tagged 101
[AC-wlan-wired-port-wired-port] quit

# Configure the security profile mesh-sec used by mesh links. The mesh network
supports only the security policy WPA2+PSK+AES.
[AC-wlan-view] security-profile name mesh-sec
[AC-wlan-sec-prof-mesh-sec] security wpa2 psk pass-phrase YsHsjx_202206 aes
[AC-wlan-sec-prof-mesh-sec] quit

# Configure a mesh whitelist.


[AC-wlan-view] mesh-whitelist-profile name mesh-list
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac 00e0-fc74-9640
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac 00e0-fc76-e360
[AC-wlan-mesh-whitelist-mesh-list] peer-ap mac 00e0-fcf6-76a0
[AC-wlan-mesh-whitelist-mesh-list] quit

# Configure mesh roles. Set the mesh role of AP_1 to mesh-portal. AP_2 and AP_3
use the default mesh role mesh-node. Mesh roles are configured through the AP
system profile.
[AC-wlan-view] ap-system-profile name mesh-sys
[AC-wlan-ap-system-prof-mesh-sys] mesh-role mesh-portal
[AC-wlan-ap-system-prof-mesh-sys] quit

# Configure a mesh profile. Set the mesh network ID to mesh-net, aging time of
mesh links to 30s, and bind the security profile and mesh whitelist to the mesh
profile.
[AC-wlan-view] mesh-profile name mesh-net
[AC-wlan-mesh-prof-mesh-net] mesh-id mesh-net //Only mesh VAPs with the same mesh network
ID can set up mesh links.
[AC-wlan-mesh-prof-mesh-net] link-aging-time 30
[AC-wlan-mesh-prof-mesh-net] security-profile mesh-sec
[AC-wlan-mesh-prof-mesh-net] quit

# Bind the mesh whitelist profile to the AP radio.


[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] radio 1
[AC-wlan-group-radio-mesh-mpp/1] mesh-whitelist-profile mesh-list
[AC-wlan-group-radio-mesh-mpp/1] quit
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] radio 1
[AC-wlan-group-radio-mesh-mp/1] mesh-whitelist-profile mesh-list
[AC-wlan-group-radio-mesh-mp/1] quit
[AC-wlan-ap-group-mesh-mp] quit


Step 5 Bind required profiles to the AP groups to make mesh services take effect.
# Bind the AP wired port profile wired-port to AP groups mesh-mpp and mesh-
mp to make AP wired port parameters take effect on mesh nodes. This example
assumes that all APs connect to Switch_A through GE0.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] wired-port-profile wired-port gigabitethernet 0
[AC-wlan-ap-group-mesh-mp] quit

# Bind the AP system profile mesh-sys to the AP group mesh-mpp to make the
MPP role take effect on AP_1.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] ap-system-profile mesh-sys
[AC-wlan-ap-group-mesh-mpp] quit

# Bind the mesh profile mesh-net to AP groups mesh-mpp and mesh-mp to
make the mesh services take effect.
[AC-wlan-view] ap-group name mesh-mpp
[AC-wlan-ap-group-mesh-mpp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mpp] quit
[AC-wlan-view] ap-group name mesh-mp
[AC-wlan-ap-group-mesh-mp] mesh-profile mesh-net radio 1
[AC-wlan-ap-group-mesh-mp] quit

Step 6 Commit the configuration.


[AC-wlan-view] commit all
Warning: Committing configuration may cause service interruption, continue?[Y/N]:y

Step 7 Verify the mesh service configuration.


# After the configuration is complete, run the display ap all command to check
whether mesh nodes go online successfully. If State is nor, the APs have gone
online.
[AC-wlan-view] display ap all
Total AP information:
nor  : normal          [3]
------------------------------------------------------------------------------------------------
ID   MAC              Name   Group      IP              Type            State   STA   Uptime
------------------------------------------------------------------------------------------------
1    00e0-fc74-9640   AP_1   mesh-mpp   10.23.100.254   AP6010DN-AGN    nor     0     13M:45S
2    00e0-fc76-e360   AP_2   mesh-mp    10.23.100.251   AP6010DN-AGN    nor     0     5M:22S
3    00e0-fcf6-76a0   AP_3   mesh-mp    10.23.100.253   AP6010DN-AGN    nor     0     4M:14S
------------------------------------------------------------------------------------------------
Total: 3

# After mesh services take effect, run the display wlan mesh link all command
to check mesh link information.
[AC-wlan-view] display wlan mesh link all
Rf   : radio ID                 Dis  : coverage distance(100m)
Ch   : channel                  Per  : drop percent(%)
TSNR : total SNR(dB)            P-   : peer
Mesh : Mesh mode                Re   : retry ratio(%)
RSSI : RSSI(dBm)                MaxR : max RSSI(dBm)
-------------------------------------------------------------------------------------------------
APName   P-APName   Rf   Dis   Ch    Mesh     P-Status   RSSI   MaxR   Per   Re   TSNR   SNR(Ch0~2:dB)
-------------------------------------------------------------------------------------------------
AP_1     AP_2       1    4     157   portal   normal     -30    -27    0     12   67     62/65/-
AP_1     AP_3       1    4     157   portal   normal     -26    -24    0     12   71     67/68/-
AP_3     AP_2       1    4     157   node     normal     -19    -3     0     5    77     66/76/-
AP_3     AP_1       1    4     157   node     normal     -32    -4     0     26   64     55/63/-
AP_2     AP_1       1    4     157   node     normal     -32    -4     0     12   64     62/61/-
AP_2     AP_3       1    4     157   node     normal     -14    -12    0     4    82     71/82/-
-------------------------------------------------------------------------------------------------
Total: 6

----End

Configuration Files
● Switch_A configuration file
#
sysname Switch_A
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
stp edged-port enable
port-isolate enable group 1
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
return

● Switch_B configuration file


#
sysname Switch_B
#
vlan batch 100
#
interface GigabitEthernet0/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
return

● AC configuration file


#
sysname AC
#
vlan batch 100
#
dhcp enable
#
interface Vlanif100
ip address 10.23.100.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
capwap source interface vlanif100
#
wlan
security-profile name mesh-sec
security wpa2 psk pass-phrase %^%#WXq~51G1^G;~|`C\G$v-`XoiIe4z$CNAM#@TeN^+%^%# aes
mesh-whitelist-profile name mesh-list
peer-ap mac 00e0-fc74-9640
peer-ap mac 00e0-fc76-e360
peer-ap mac 00e0-fcf6-76a0
mesh-profile name mesh-net
security-profile mesh-sec
mesh-id mesh-net
link-aging-time 30
regulatory-domain-profile name domain1
ap-system-profile name mesh-sys
mesh-role mesh-portal
wired-port-profile name wired-port
vlan tagged 101
ap-group name mesh-mp
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-group name mesh-mpp
ap-system-profile mesh-sys
wired-port-profile wired-port gigabitethernet 0
regulatory-domain-profile domain1
radio 1
mesh-profile mesh-net
mesh-whitelist-profile mesh-list
channel 40mhz-plus 157
coverage distance 4
ap-id 1 type-id 19 ap-mac 00e0-fc74-9640 ap-sn 210235554710CB000042
ap-name AP_1
ap-group mesh-mpp
ap-id 2 type-id 19 ap-mac 00e0-fc76-e360 ap-sn 210235557610DB000046
ap-name AP_2
ap-group mesh-mp
ap-id 3 type-id 19 ap-mac 00e0-fcf6-76a0 ap-sn 210235419610D2000097
ap-name AP_3
ap-group mesh-mp
#
return
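The following Python script is an added example and is not part of the Huawei document or the AC software. It reads an AC configuration file in the format shown above and checks the points a reviewer verifies before bringing up a mesh network: every managed AP's MAC address appears in the mesh whitelist (an AP that is not whitelisted cannot set up a mesh link), the whitelist contains no entries that are not managed APs, the security profile bound to the mesh profile is WPA2+PSK+AES (the only policy mesh links support), and the PSK in the saved file is in cipher form (%^%#...%^%#) rather than cleartext. SAMPLE_AC_CONFIG is constructed for this example: it follows the AC configuration file above but deliberately gives AP_3 an ap-mac that differs from its whitelist entry, the kind of mismatch that leaves one node unable to join while the other two come up normally.

```python
"""Mesh whitelist and security-profile check for a Huawei AC configuration file.

Added example, not from the Huawei document. It reads the saved-configuration format
shown on this page and reports: APs whose MAC is missing from the mesh whitelist (they
cannot form a mesh link), whitelist entries that are not managed APs, mesh profiles
whose security profile is not WPA2+PSK+AES, and a PSK stored in cleartext.
SAMPLE_AC_CONFIG is constructed: it follows the page's AC file but gives AP_3 a MAC
that does not match its whitelist entry.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

CIPHER_PREFIX = "%^%#"  # marker of an encrypted key in the saved config shown on this page

@dataclass
class WlanConfig:
    aps: dict[str, str] = field(default_factory=dict)              # AP name -> MAC (12 hex digits)
    whitelists: dict[str, set[str]] = field(default_factory=dict)  # whitelist profile -> MACs
    security: dict[str, list[str]] = field(default_factory=dict)   # security profile -> 'security' tokens
    mesh_security: dict[str, str] = field(default_factory=dict)    # mesh profile -> security profile

def normalize_mac(mac: str) -> str:
    """Accept 00e0-fc74-9640, 00:e0:fc:74:96:40 or 00E0FC749640; return 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits

def parse_wlan_config(text: str) -> WlanConfig:
    cfg = WlanConfig()
    ctx: tuple[str, str] | None = None  # (view kind, view name) of the current block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            continue
        # View-opening lines; views we do not model reset the context so their sub-commands are ignored.
        if m := re.fullmatch(r"mesh-whitelist-profile name (\S+)", line):
            ctx = ("whitelist", m[1])
            cfg.whitelists.setdefault(m[1], set())
        elif m := re.fullmatch(r"security-profile name (\S+)", line):
            ctx = ("security", m[1])
        elif m := re.fullmatch(r"mesh-profile name (\S+)", line):
            ctx = ("mesh", m[1])
        elif m := re.match(r"ap-id \d+ .*\bap-mac (\S+)", line):
            ctx = ("ap", normalize_mac(m[1]))
        elif re.match(r"\S+-profile name \S+|ap-group name \S+", line):
            ctx = None
        elif ctx is not None:
            kind, name = ctx
            if kind == "whitelist" and (m := re.fullmatch(r"peer-ap mac (\S+)", line)):
                cfg.whitelists[name].add(normalize_mac(m[1]))
            elif kind == "security" and line.startswith("security "):
                cfg.security[name] = line.split()
            elif kind == "mesh" and (m := re.fullmatch(r"security-profile (\S+)", line)):
                cfg.mesh_security[name] = m[1]
            elif kind == "ap" and (m := re.fullmatch(r"ap-name (\S+)", line)):
                cfg.aps[m[1]] = name
    return cfg

def lint_mesh_config(text: str) -> list[str]:
    cfg = parse_wlan_config(text)
    findings: list[str] = []
    managed = set(cfg.aps.values())
    for wl_name, listed in cfg.whitelists.items():
        for ap_name, mac in sorted(cfg.aps.items()):
            if mac not in listed:
                findings.append(f"{ap_name} ({mac}) is missing from mesh-whitelist-profile {wl_name}")
        for mac in sorted(listed - managed):
            findings.append(f"mesh-whitelist-profile {wl_name} lists {mac}, which is not a managed AP")
    for mesh_name, sec_name in cfg.mesh_security.items():
        tokens = cfg.security.get(sec_name, [])  # expected: security wpa2 psk {pass-phrase|hex} <key> aes
        if tokens[1:3] != ["wpa2", "psk"] or tokens[-1:] != ["aes"]:
            findings.append(f"security-profile {sec_name} (mesh-profile {mesh_name}): mesh links need "
                            f"WPA2+PSK+AES, found '{' '.join(tokens)}'")
        if "pass-phrase" in tokens and not tokens[tokens.index("pass-phrase") + 1].startswith(CIPHER_PREFIX):
            findings.append(f"security-profile {sec_name}: PSK is stored in cleartext")
    return findings

SAMPLE_AC_CONFIG = r"""
 security-profile name mesh-sec
  security wpa2 psk pass-phrase %^%#WXq~51G1^G;~|`C\G$v-`XoiIe4z$CNAM#@TeN^+%^%# aes
 mesh-whitelist-profile name mesh-list
  peer-ap mac 00e0-fc74-9640
  peer-ap mac 00e0-fc76-e360
  peer-ap mac 00e0-fcf6-76a0
 mesh-profile name mesh-net
  security-profile mesh-sec
 ap-group name mesh-mp
  radio 1
   mesh-profile mesh-net
   mesh-whitelist-profile mesh-list
 ap-id 1 type-id 19 ap-mac 00e0-fc74-9640
  ap-name AP_1
 ap-id 2 type-id 19 ap-mac 00e0-fc76-e360
  ap-name AP_2
 ap-id 3 type-id 19 ap-mac dcd2-fcf6-76a0
  ap-name AP_3
"""

if __name__ == "__main__":
    for finding in lint_mesh_config(SAMPLE_AC_CONFIG):
        print("FINDING:", finding)
```

Run it against the output of display current-configuration after Step 6; two findings are expected for the constructed sample (AP_3 missing from the whitelist, and the whitelist entry 00e0-fcf6-76a0 belonging to no managed AP). Correcting the ap-mac of AP_3 makes both disappear.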

3.12.15 Common Misconfigurations


3.12.15.1 Multicast Packet Suppression Is Not Configured, Causing Slow Network Access of STAs

Symptom
Multicast frames are not acknowledged on the air interface, and wireless links are
unstable, so multicast frames are usually sent at low rates to keep delivery reliable.
Heavy multicast traffic received from the network side can therefore congest the air
interface and slow down STAs' network access. You are advised to configure multicast
packet suppression to reduce this impact. Exercise caution when choosing the rate
limit; a limit that is too low affects legitimate multicast services.
● In direct forwarding mode, configure multicast packet suppression on the switch
interfaces connected to APs.
● In tunnel forwarding mode, configure multicast packet suppression in the traffic
profile on the AC.

Procedure
● Configure multicast packet suppression in direct forwarding mode.
a. Create the traffic classifier test and define a matching rule.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] traffic classifier test
[SwitchA-classifier-test] if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000 //Match the destination MAC address of IPv4 multicast packets (01-00-5e-xx-xx-xx).
[SwitchA-classifier-test] quit
b. Create the traffic behavior test, enable traffic statistics collection, and set
the traffic rate limit.
[SwitchA] traffic behavior test
[SwitchA-behavior-test] statistic enable
[SwitchA-behavior-test] car cir 100 //Set the rate limit to 100 kbit/s. If multicast services are
available, you are advised to set the rate limit according to the service traffic.
[SwitchA-behavior-test] quit
c. Create the traffic policy test and bind the traffic classifier and traffic
behavior to the traffic policy.
[SwitchA] traffic policy test
[SwitchA-trafficpolicy-test] classifier test behavior test
[SwitchA-trafficpolicy-test] quit
d. Apply the traffic policy to inbound and outbound directions of interfaces.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] traffic-policy test inbound
[SwitchA-GigabitEthernet0/0/1] traffic-policy test outbound
[SwitchA-GigabitEthernet0/0/1] quit
● Configure multicast packet suppression in tunnel forwarding mode.
a. Create the traffic profile test and set the maximum traffic volume of
multicast packets in the profile.
<HUAWEI> system-view
[HUAWEI] sysname AC
[AC] wlan
[AC-wlan-view] traffic-profile name test
[AC-wlan-traffic-prof-test] traffic-optimize multicast-suppression packets 100 //Set the
maximum traffic volume of multicast packets to 100 pps. If multicast services are available, you
are advised to set the rate limit according to the service traffic.
[AC-wlan-traffic-prof-test] quit


b. Bind the traffic profile to the VAP profile.


[AC-wlan-view] vap-profile name test
[AC-wlan-vap-prof-test] traffic-profile test
[AC-wlan-vap-prof-test] quit

----End
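The following Python script is an added example, not part of the Huawei document. It reproduces the masked comparison performed by the direct-forwarding classifier above (if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000) and derives the destination MAC address that IPv4 and IPv6 multicast groups map to (RFC 1112 and RFC 2464), so you can check which frames the rate limit actually covers. SAMPLE_FRAMES is a constructed list of labelled destination MAC addresses, not captured traffic. Two points the script makes visible: the rule matches every IPv4 multicast group (32 groups share each MAC address, so matching at Layer 2 is complete), and it does not match IPv6 multicast (33-33-xx-xx-xx-xx) or broadcast. On a WLAN that carries IPv6, a second classifier with destination-mac 3333-0000-0000 mac-address-mask ffff-0000-0000 would be needed to limit IPv6 multicast the same way; that second rule is this example's suggestion, not something the document states.

```python
"""What the multicast classifier on this page actually matches.

Added example, not part of the Huawei document. It reproduces the masked compare done
by 'if-match destination-mac 0100-5e00-0000 mac-address-mask ffff-ff00-0000' and maps
IPv4/IPv6 multicast groups to their destination MAC (RFC 1112, RFC 2464).
SAMPLE_FRAMES is a constructed list of (label, destination MAC), not captured traffic.
"""
from __future__ import annotations
import ipaddress

RULE_VALUE = "0100-5e00-0000"  # destination-mac value from the page's classifier
RULE_MASK = "ffff-ff00-0000"   # mac-address-mask from the page's classifier

def parse_mac(mac: str) -> int:
    digits = mac.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return int(digits, 16)

def format_mac(value: int) -> str:
    """Render as the xxxx-xxxx-xxxx notation used in the switch CLI."""
    h = f"{value:012x}"
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"

def mac_rule_matches(dst_mac: str, value: str = RULE_VALUE, mask: str = RULE_MASK) -> bool:
    """Masked compare: only the bits set in the mask are compared, as the classifier does."""
    m = parse_mac(mask)
    return (parse_mac(dst_mac) & m) == (parse_mac(value) & m)

def ipv4_group_mac(group: str) -> str:
    """RFC 1112: 01-00-5e followed by the low 23 bits of the group address."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    return format_mac(0x01005E000000 | (int(addr) & 0x7FFFFF))

def ipv6_group_mac(group: str) -> str:
    """RFC 2464: 33-33 followed by the low 32 bits of the group address."""
    addr = ipaddress.IPv6Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv6 multicast address")
    return format_mac(0x333300000000 | (int(addr) & 0xFFFFFFFF))

def classify_frames(frames, value: str = RULE_VALUE, mask: str = RULE_MASK) -> dict[str, bool]:
    """Map each (label, dst_mac) pair to whether the classifier would select the frame."""
    return {label: mac_rule_matches(dst, value, mask) for label, dst in frames}

# Constructed sample: typical destination MACs seen on an access VLAN.
SAMPLE_FRAMES = [
    ("IPv4 all-hosts 224.0.0.1", ipv4_group_mac("224.0.0.1")),
    ("IPv4 mDNS 224.0.0.251", ipv4_group_mac("224.0.0.251")),
    ("IPv4 SSDP 239.255.255.250", ipv4_group_mac("239.255.255.250")),
    ("IPv6 all-nodes ff02::1", ipv6_group_mac("ff02::1")),
    ("IPv6 mDNS ff02::fb", ipv6_group_mac("ff02::fb")),
    ("broadcast (ARP, DHCP discover)", "ffff-ffff-ffff"),
    ("unicast to AP_1", "00e0-fc74-9640"),
]

if __name__ == "__main__":
    for label, matched in classify_frames(SAMPLE_FRAMES).items():
        print(f"{'rate-limited' if matched else 'not matched '}  {label}")
```

The 23-bit mapping is why a Layer 2 rule is sufficient for IPv4: 224.0.0.1 and 239.128.0.1 produce the same destination MAC, so every IPv4 group falls under 01-00-5e-00-00-00/ffff-ff00-0000. Broadcast ARP and DHCP traffic is left to the switch's storm control, which the page does not cover.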

3.13 Typical Reliability Configuration

3.13.1 Typical BFD Configuration

3.13.1.1 Example for Associating the BFD Session Status with the Interface
Status

BFD Overview
A network device must detect a communication fault between adjacent devices
quickly so that measures can be taken immediately and service interruptions can
be prevented. In practice, hardware detection is used to detect link faults; for
example, Synchronous Digital Hierarchy (SDH) alarms report link faults. However,
not all media provide a hardware detection mechanism, so applications fall back on
the Hello mechanism of the upper-layer routing protocol to detect faults. Detection
using this mechanism takes more than 1 second, which is too long for some
applications. In addition, on a Layer 3 network the Hello mechanism cannot detect
faults for all routes, such as static routes, which makes a fault between
interconnected systems difficult to locate.
BFD provides fast fault detection independent of media and routing protocols.
With millisecond-level fault detection and switching, BFD is suitable for
scenarios that are sensitive to packet loss and delay.

Configuration Notes
● The local discriminator of the local system and the remote discriminator of
the remote system must be the same. If the local discriminator of the local
system and the remote discriminator of the remote system are different, a
static BFD session cannot be set up. After the local discriminator and the
remote discriminator are configured, you cannot modify them.
● If a BFD session is bound to the default multicast address, the local
discriminator and the remote discriminator must be different.
● If the WTR time is set, set the same WTR time on both devices. Otherwise,
when the BFD session status changes on one device, applications on both
devices detect different BFD session statuses.
● This example applies to the following products:
– S3700-EI, S3700-HI
– S5720-SI, S5720S-SI, S5720I-SI, S5700-EI, S5700-HI, S5710-EI, S5720-EI,
S5710-HI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S5735-S-I, S5735S-H, S5736-S, S5735-S,
S5735S-S


– S6720-SI, S6720S-SI, S6700-EI, S6720-EI, S6720S-EI, S6720-HI, S6730-H,
S6730S-H, S6730-S, S6730S-S
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a
product series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-175, SwitchA is directly connected to SwitchB at the network layer and
Layer 2 transmission devices, SwitchC and SwitchD, are deployed between them. It
is required that SwitchA and SwitchB quickly detect link faults of the Layer 2
transmission devices to trigger fast route convergence.

Figure 3-175 Associating the BFD session status with the interface status

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a BFD session on SwitchA and SwitchB to detect faults on the link
between SwitchA and SwitchB.
2. Configure association between the BFD session status and interface status on
SwitchA and SwitchB after the BFD session becomes Up.

Procedure
Step 1 Set IP addresses of the directly connected interfaces on SwitchA and SwitchB.
# Assign an IP address to the interface of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid //In V200R005C00 and later versions, the default
link type of an interface is not hybrid, so you need to configure it manually.
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 10.1.1.1 24
[SwitchA-Vlanif10] quit

# Assign an IP address to the interface of SwitchB.


<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port link-type hybrid //In V200R005C00 and later versions, the default
link type of an interface is not hybrid, so you need to configure it manually.
[SwitchB-GigabitEthernet1/0/1] port hybrid pvid vlan 10
[SwitchB-GigabitEthernet1/0/1] port hybrid untagged vlan 10
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.1.1.2 24
[SwitchB-Vlanif10] quit

Step 2 Configure single-hop BFD.


# Enable BFD on SwitchA and establish a BFD session named atob between
SwitchA and SwitchB.
[SwitchA] bfd //Enable BFD globally.
[SwitchA-bfd] quit
[SwitchA] bfd atob bind peer-ip default-ip interface gigabitethernet 1/0/1 //Configure a BFD session
named atob.
[SwitchA-bfd-session-atob] discriminator local 10 //Configure the local discriminator of the BFD session.
The local discriminator on SwitchA must be the same as the remote discriminator on SwitchB.
[SwitchA-bfd-session-atob] discriminator remote 20 //Configure the remote discriminator of the BFD
session. The remote discriminator on SwitchA must be the same as the local discriminator on SwitchB.
[SwitchA-bfd-session-atob] commit //Commit the BFD session to make the configuration take effect.
[SwitchA-bfd-session-atob] quit

# Enable BFD on SwitchB and establish a BFD session named btoa between
SwitchB and SwitchA.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bfd btoa bind peer-ip default-ip interface gigabitethernet 1/0/1 //Configure a BFD session
named btoa.
[SwitchB-bfd-session-btoa] discriminator local 20
[SwitchB-bfd-session-btoa] discriminator remote 10
[SwitchB-bfd-session-btoa] commit
[SwitchB-bfd-session-btoa] quit

# After the configuration is complete, run the display bfd session all verbose
command on SwitchA and SwitchB. You can see that a single-hop BFD session is
set up and its status is Up. The display on SwitchA is used as an example.
[SwitchA] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 16384       (One Hop) State : Up          Name : atob
--------------------------------------------------------------------------------
  Local Discriminator    : 10               Remote Discriminator   : 20
  Session Detect Mode    : Asynchronous Mode Without Echo Function
  BFD Bind Type          : Interface(GigabitEthernet1/0/1)
  Bind Session Type      : Static
  Bind Peer Ip Address   : 224.0.0.184
  NextHop Ip Address     : 224.0.0.184
  Bind Interface         : GigabitEthernet1/0/1
  FSM Board Id           : 3                TOS-EXP                : 7
  Min Tx Interval (ms)   : 1000             Min Rx Interval (ms)   : 1000
  Actual Tx Interval (ms): 1000             Actual Rx Interval (ms): 1000
  Local Detect Multi     : 3                Detect Interval (ms)   : 3000
  Echo Passive           : Disable          Acl Number             : -
  Destination Port       : 3784             TTL                    : 255
  Proc interface status  : Disable          Process PST            : Disable
  WTR Interval (ms)      : -
  Active Multi           : 3
  Last Local Diagnostic  : No Diagnostic
  Bind Application       : No Application Bind
  Session TX TmrID       : -                Session Detect TmrID   : -
  Session Init TmrID     : -                Session WTR TmrID      : -
  Session Echo Tx TmrID  : -
  PDT Index              : FSM-0 | RCV-0 | IF-0 | TOKEN-0
  Session Description    : -
--------------------------------------------------------------------------------

     Total UP/DOWN Session Number : 1/0

Step 3 Configure association between the BFD session status and the interface status.
# Configure association between the BFD session status and the interface status
on SwitchA.
[SwitchA] bfd atob
[SwitchA-bfd-session-atob] process-interface-status
[SwitchA-bfd-session-atob] quit

# Configure association between the BFD session status and the interface status
on SwitchB.
[SwitchB] bfd btoa
[SwitchB-bfd-session-btoa] process-interface-status
[SwitchB-bfd-session-btoa] quit

Step 4 Verify the configuration.


After the configuration is complete, run the display bfd session all verbose
command on SwitchA and SwitchB. You can see that the Proc interface status
field is Enable.
The display on SwitchA is used as an example.
[SwitchA] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 16384       (One Hop) State : Up          Name : atob
--------------------------------------------------------------------------------
  Local Discriminator    : 10               Remote Discriminator   : 20
  Session Detect Mode    : Asynchronous Mode Without Echo Function
  BFD Bind Type          : Interface(GigabitEthernet1/0/1)
  Bind Session Type      : Static
  Bind Peer Ip Address   : 224.0.0.184
  NextHop Ip Address     : 224.0.0.184
  Bind Interface         : GigabitEthernet1/0/1
  FSM Board Id           : 3                TOS-EXP                : 7
  Min Tx Interval (ms)   : 1000             Min Rx Interval (ms)   : 1000
  Actual Tx Interval (ms): 1000             Actual Rx Interval (ms): 1000
  Local Detect Multi     : 3                Detect Interval (ms)   : 3000
  Echo Passive           : Disable          Acl Number             : -
  Destination Port       : 3784             TTL                    : 255
  Proc interface status  : Enable           Process PST            : Disable
  WTR Interval (ms)      : -
  Active Multi           : 3
  Last Local Diagnostic  : No Diagnostic
  Bind Application       : IFNET
  Session TX TmrID       : -                Session Detect TmrID   : -
  Session Init TmrID     : -                Session WTR TmrID      : -
  Session Echo Tx TmrID  : -
  PDT Index              : FSM-0 | RCV-0 | IF-0 | TOKEN-0
  Session Description    : -
--------------------------------------------------------------------------------

     Total UP/DOWN Session Number : 1/0

Run the shutdown command on GE1/0/1 of SwitchB to make the BFD session go
Down.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] shutdown
[SwitchB-GigabitEthernet1/0/1] quit


Run the display bfd session all verbose and display interface gigabitethernet
1/0/1 commands on SwitchA. You can see that the BFD session status is Down,
and the status of GE1/0/1 is UP (BFD status down).
[SwitchA] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 16384       (One Hop) State : Down        Name : atob
--------------------------------------------------------------------------------
  Local Discriminator    : 10               Remote Discriminator   : 20
  Session Detect Mode    : Asynchronous Mode Without Echo Function
  BFD Bind Type          : Interface(GigabitEthernet1/0/1)
  Bind Session Type      : Static
  Bind Peer Ip Address   : 224.0.0.184
  NextHop Ip Address     : 224.0.0.184
  Bind Interface         : GigabitEthernet1/0/1
  FSM Board Id           : 3                TOS-EXP                : 7
  Min Tx Interval (ms)   : 1000             Min Rx Interval (ms)   : 1000
  Actual Tx Interval (ms): 1000             Actual Rx Interval (ms): 1000
  Local Detect Multi     : 3                Detect Interval (ms)   : 3000
  Echo Passive           : Disable          Acl Number             : -
  Destination Port       : 3784             TTL                    : 255
  Proc interface status  : Enable           Process PST            : Disable
  WTR Interval (ms)      : -
  Active Multi           : 3
  Last Local Diagnostic  : Control Detection Time Expired
  Bind Application       : IFNET
  Session TX TmrID       : -                Session Detect TmrID   : -
  Session Init TmrID     : -                Session WTR TmrID      : -
  Session Echo Tx TmrID  : -
  PDT Index              : FSM-0 | RCV-0 | IF-0 | TOKEN-0
  Session Description    : -
--------------------------------------------------------------------------------

     Total UP/DOWN Session Number : 0/1


[SwitchA] display interface gigabitethernet 1/0/1
GigabitEthernet1/0/1 current state : UP
Line protocol current state : UP(BFD status down)
...

NOTE

Only important information is listed under the display interface gigabitethernet 1/0/1
command, and "..." indicates that information is omitted.

----End

Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
bfd
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
bfd atob bind peer-ip default-ip interface GigabitEthernet1/0/1
discriminator local 10
discriminator remote 20
process-interface-status


commit
#
return

● Configuration file of SwitchB


#
sysname SwitchB
#
vlan batch 10
#
bfd
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 10
port hybrid untagged vlan 10
#
bfd btoa bind peer-ip default-ip interface GigabitEthernet1/0/1
discriminator local 20
discriminator remote 10
process-interface-status
commit
#
return

3.13.2 Typical VRRP Configuration

3.13.2.1 Example for Configuring a VRRP Group in Active/Standby Mode

VRRP Active/Standby Overview
Generally, all hosts on the same network segment have the gateway address as
the next hop address for the default route. The hosts use the default route to send
packets to the gateway and the gateway forwards the packets to other network
segments. When the gateway fails, the hosts with the same default route cannot
communicate with external networks. Configuring multiple egress gateways is a
common method to improve system reliability. However, route selection among
the gateways becomes an issue.

VRRP solves this problem. VRRP virtualizes multiple routing devices into a virtual
router without changing the networking, and uses the virtual router IP address as
the default gateway address to implement gateway backup. When the gateway
becomes faulty, VRRP selects a new gateway to transmit service traffic to ensure
reliable communication.

It is recommended that you set the preemption delay of the backup in a VRRP
group to 0, configure the master in preemption mode, and set the preemption
delay to be longer than 15s. These settings allow a period of time for status
synchronization between the uplink and downlink on an unstable network. If the
preceding settings are not used, two masters may coexist and user devices may
learn an incorrect address of the master. As a result, traffic is interrupted.
● Preemption mode: A backup preempts to be the master when its priority is
higher than that of the master.
● Non-preemption mode: As long as the master is working properly, the backup
with a higher priority cannot become the master.

Configuration Notes
● In V200R003 and earlier versions, VRRP can be configured only on the VLANIF
interface.
In V200R005 and later versions, VRRP can be configured on the VLANIF
interface and Layer 3 Ethernet interface.
For a modular switch in V200R006 and later versions, VRRP can be configured
on the VLANIF interface, Layer 3 Ethernet interface, Dot1q termination sub-
interface, and QinQ termination sub-interface.
For a fixed switch in V200R009 and later versions, VRRP can be configured on
the VLANIF interface, Layer 3 Ethernet interface, and sub-interface.
● Ensure that each device of the same VRRP group is configured with the same
VRID.
● VRRP groups must use different virtual IP addresses. The virtual IP address of
a VRRP group must be on the same network segment as the IP address of the
interface where the VRRP group is configured.
● This example applies to the following products:
– S2720-EI: V200R011C10 and later versions
– S2730S-S
– S3700-EI, S3700-HI
– S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5700-EI, S5700-HI,
S5710-EI, S5720-EI, S5710-HI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI,
S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S5735-L-I, S5735-L1,
S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S-I, S5735S-H,
S5736-S, S5735-S, S500, S5735S-S
– S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6700-EI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a
product series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-176, HostA is dual-homed to SwitchA and SwitchB through the switch.
To ensure nonstop service transmission, a VRRP group in active/standby mode
needs to be configured on SwitchA and SwitchB.
● The host uses SwitchA as the default gateway to connect to the Internet.
When SwitchA becomes faulty, SwitchB functions as the gateway. This
implements gateway backup.
● After SwitchA recovers, it preempts to be the master to transmit data after a
preemption delay of 20s.

NOTE

In this scenario, to avoid loops, ensure that all connected interfaces have STP disabled and
connected interfaces are removed from VLAN 1. If STP is enabled and VLANIF interfaces of
switches are used to construct a Layer 3 ring network, an interface on the network will be
blocked. As a result, Layer 3 services on the network cannot run normally.

Figure 3-176 Networking for configuring a VRRP group in active/standby mode

Configuration Roadmap
A VRRP group in active/standby mode is used to implement gateway backup. The
configuration roadmap is as follows:
1. Assign an IP address to each interface and configure a routing protocol to
ensure network connectivity.
2. Configure a VRRP group on SwitchA and SwitchB. Set a higher priority for
SwitchA so that SwitchA functions as the master to forward traffic, and set
the preemption delay to 20s on SwitchA. Set a lower priority for SwitchB so
that SwitchB functions as the backup.

Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface. SwitchA is used as an example. The
configurations of SwitchB and SwitchC are similar to the configuration of SwitchA,
and are not mentioned here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 300
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 300
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 300
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type hybrid
[SwitchA-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 300
[SwitchA-Vlanif300] ip address 192.168.1.1 24
[SwitchA-Vlanif300] quit

# Configure Layer 2 forwarding on the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/2] quit

# Configure OSPF on SwitchA, SwitchB, and SwitchC. SwitchA is used as an
example. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

Step 2 Configure a VRRP group.
# Configure VRRP group 1 on SwitchA, and set the priority of SwitchA to 120 and
the preemption delay to 20s.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchA-Vlanif100] vrrp vrid 1 priority 120 //The default priority of a device in a VRRP group
is 100. Change the priority of the master to be higher than that of the backup.
[SwitchA-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20 //A device in a VRRP group uses
immediate preemption by default. Change the preemption delay of the master to prevent service
interruptions on an unstable network where devices in the VRRP group preempt to be the master.
[SwitchA-Vlanif100] quit

# Configure VRRP group 1 on SwitchB. SwitchB uses the default priority of 100.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchB-Vlanif100] quit

Step 3 Verify the configuration.
# After the configuration is complete, run the display vrrp command on SwitchA
and SwitchB. You can see that SwitchA is in Master state and SwitchB is in Backup
state.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# Run the display ip routing-table command on SwitchA and SwitchB. The
command output shows that a direct route to the virtual IP address exists in the
routing table of SwitchA and an OSPF route to the virtual IP address exists in the
routing table of SwitchB. The command output on SwitchA and SwitchB is as
follows:
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 10

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif100
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.1.111/32 Direct 0 0 D 127.0.0.1 Vlanif100
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.1.0/24 OSPF 10 2 D 192.168.1.2 Vlanif300
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif300
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif300
192.168.2.0/24 OSPF 10 2 D 10.1.1.2 Vlanif100
OSPF 10 2 D 192.168.1.2 Vlanif300
[SwitchB] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 10

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif100
10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.1.111/32 OSPF 10 2 D 10.1.1.1 Vlanif100
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.1.0/24 OSPF 10 2 D 192.168.2.2 Vlanif200
192.168.1.0/24 OSPF 10 2 D 10.1.1.1 Vlanif100
OSPF 10 2 D 192.168.2.2 Vlanif200
192.168.2.0/24 Direct 0 0 D 192.168.2.1 Vlanif200
192.168.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif200

# Run the shutdown command on GE1/0/2 of SwitchA to simulate a link fault.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] shutdown
[SwitchA-GigabitEthernet1/0/2] quit

# Run the display vrrp command on SwitchB to view the VRRP status. The
command output shows that SwitchB is in Master state.
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:18:40

# Run the undo shutdown command on GE1/0/2 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] undo shutdown
[SwitchA-GigabitEthernet1/0/2] quit

# After 20s, run the display vrrp command on SwitchA to view the VRRP status.
The command output shows that SwitchA is in Master state.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:20:56

----End

Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 300
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
● Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 100 200
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 200 300 400
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif300
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif400
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 200
port hybrid untagged vlan 200
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid pvid vlan 400
port hybrid untagged vlan 400
#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● Configuration file of the switch
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return
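
As an added check, not part of the Huawei document, the following Python script parses configuration files in the format shown above and audits them against the points listed under Configuration Notes and the preemption-delay recommendation in the overview (master delay longer than 15s, backup delay 0). The two embedded files are constructed from the SwitchA and SwitchB files of this example, reduced to the interfaces that matter; the function names, the default values assumed for unset priority and delay (100 and 0), and the wording of the findings are this example's own.

```python
"""Audit VRRP groups in Huawei-style configuration files (added example).

Checks, taken from the Configuration Notes and the overview of this example:
  * a VRID is configured on at least two devices and they agree on its virtual IP,
  * each virtual IP lies in the subnet of the interface that carries it,
  * no two VRRP groups share a virtual IP,
  * the intended master (highest priority) uses a preemption delay above 15 s
    while the backups keep the default delay of 0.
"""
import ipaddress
from collections import defaultdict

# Constructed inputs: the SwitchA/SwitchB files above, reduced to the relevant interface.
SWITCHA = """\
#
sysname SwitchA
#
interface Vlanif100
 ip address 10.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.111
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 20
#
return
"""
SWITCHB = """\
#
sysname SwitchB
#
interface Vlanif100
 ip address 10.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.111
#
return
"""


def parse_config(text):
    """Return (sysname, {interface: {'ip': IPv4Interface|None, 'vrrp': {vrid: settings}}})."""
    name, ifaces, cur = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        parts = line.split()
        if line.startswith('sysname '):
            name = parts[1]
        elif line.startswith('interface '):
            cur = ifaces.setdefault(parts[1], {'ip': None, 'vrrp': {}})
        elif line == '#':
            cur = None                      # '#' closes the interface view
        elif cur is None:
            continue
        elif line.startswith('ip address '):
            cur['ip'] = ipaddress.IPv4Interface(f'{parts[2]}/{parts[3]}')
        elif line.startswith('vrrp vrid '):
            # Assumed defaults when a setting is absent: priority 100, immediate preemption
            g = cur['vrrp'].setdefault(int(parts[2]), {'priority': 100, 'delay': 0})
            if parts[3] == 'virtual-ip':
                g['vip'] = ipaddress.IPv4Address(parts[4])
            elif parts[3] == 'priority':
                g['priority'] = int(parts[4])
            elif parts[3:6] == ['preempt-mode', 'timer', 'delay']:
                g['delay'] = int(parts[6])
    return name, ifaces


def audit_vrrp(config_texts):
    """Return a list of human-readable findings; an empty list means every check passed."""
    findings, groups, vip_users = [], defaultdict(list), defaultdict(set)
    for text in config_texts:
        name, ifaces = parse_config(text)
        for iface, data in ifaces.items():
            for vrid, g in data['vrrp'].items():
                if 'vip' not in g:
                    findings.append(f'{name} {iface}: VRID {vrid} has no virtual IP')
                elif data['ip'] is None or g['vip'] not in data['ip'].network:
                    findings.append(f'{name} {iface}: virtual IP {g["vip"]} is not in the interface subnet')
                if 'vip' in g:
                    vip_users[g['vip']].add(vrid)
                groups[vrid].append((name, g))
    for vip, vrids in vip_users.items():
        if len(vrids) > 1:
            findings.append(f'virtual IP {vip} is shared by VRRP groups {sorted(vrids)}')
    for vrid, members in sorted(groups.items()):
        if len(members) < 2:
            findings.append(f'VRID {vrid} is configured only on {members[0][0]}; no backup')
        if len({g.get('vip') for _, g in members}) > 1:
            findings.append(f'VRID {vrid}: members disagree on the virtual IP')
        master_name, master = max(members, key=lambda m: m[1]['priority'])
        if master['delay'] <= 15:
            findings.append(f'VRID {vrid}: master {master_name} preemption delay {master["delay"]} s, recommended > 15 s')
        for name, g in members:
            if g is not master and g['delay'] != 0:
                findings.append(f'VRID {vrid}: backup {name} preemption delay {g["delay"]} s, recommended 0')
    return findings


if __name__ == '__main__':
    for finding in audit_vrrp([SWITCHA, SWITCHB]) or ['all VRRP checks passed']:
        print(finding)
```

Run the script on the files of every device that is supposed to be in the group: a VRID that appears in only one file, a virtual IP outside the VLANIF subnet, or a master whose preemption delay is shorter than recommended each produce a finding.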

Video
Configuring VRRP

3.13.2.2 Example for Configuring a VRRP Group in Load Balancing Mode

VRRP Load Balancing Overview
In load balancing mode, multiple devices transmit service traffic simultaneously.
Therefore, the load balancing mode requires two or more virtual routers. Each
virtual router contains one master and multiple backups, and the master in each
virtual router can be different.
The load balancing mode differs from the active/standby mode in the following
ways:

● Multiple VRRP groups need to be created, and the master in each VRRP group
can be different.
● A VRRP device can join multiple VRRP groups and has different priorities in
different VRRP groups.

Configuration Notes
● In V200R003 and earlier versions, VRRP can be configured only on the VLANIF
interface.
In V200R005 and later versions, VRRP can be configured on the VLANIF
interface and Layer 3 Ethernet interface.
For a modular switch in V200R006 and later versions, VRRP can be configured
on the VLANIF interface, Layer 3 Ethernet interface, Dot1q termination sub-
interface, and QinQ termination sub-interface.
For a fixed switch in V200R009 and later versions, VRRP can be configured on
the VLANIF interface, Layer 3 Ethernet interface, and sub-interface.
● Ensure that each device of the same VRRP group is configured with the same
VRID.
● VRRP groups must use different virtual IP addresses. The virtual IP address of
a VRRP group must be on the same network segment as the IP address of the
interface where the VRRP group is configured.
● This example applies to the following products:
– S2720-EI: V200R011C10 and later versions
– S3700-EI, S3700-HI
– S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5700-EI, S5700-HI,
S5710-EI, S5720-EI, S5710-HI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI,
S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S-I,
S5735S-H, S5736-S, S5735-S, S500, S5735S-S
– S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6700-EI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a
product series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-177, HostA and HostC are dual-homed to SwitchA and SwitchB
through the switch. To reduce the load of data traffic on SwitchA, HostA uses
SwitchA as the default gateway to connect to the Internet, and SwitchB functions
as the backup gateway. HostC uses SwitchB as the default gateway to connect to
the Internet, and SwitchA functions as the backup gateway. This implements load
balancing.

NOTE

In this scenario, to avoid loops, ensure that all connected interfaces have STP disabled and
connected interfaces are removed from VLAN 1. If STP is enabled and VLANIF interfaces of
switches are used to construct a Layer 3 ring network, an interface on the network will be
blocked. As a result, Layer 3 services on the network cannot run normally.

Figure 3-177 Networking diagram for configuring a VRRP group in load balancing
mode

Configuration Roadmap
A VRRP group in load balancing mode is used to implement load balancing. The
configuration roadmap is as follows:
1. Assign an IP address to each interface and configure a routing protocol to
ensure network connectivity.
2. Create VRRP groups 1 and 2 on SwitchA and SwitchB. In VRRP group 1,
configure SwitchA as the master and SwitchB as the backup. In VRRP group 2,
configure SwitchB as the master and SwitchA as the backup.

Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface. SwitchA is used as an example. The
configurations of SwitchB and SwitchC are similar to the configuration of SwitchA,
and are not mentioned here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 300 500
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 300
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 500
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.10.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 500
[SwitchA-Vlanif500] ip address 10.1.50.1 24
[SwitchA-Vlanif500] quit
[SwitchA] interface vlanif 300
[SwitchA-Vlanif300] ip address 192.168.1.1 24
[SwitchA-Vlanif300] quit

# Configure Layer 2 forwarding on the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 500
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 500
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 100 500
[Switch-GigabitEthernet1/0/2] quit

# Configure OSPF on SwitchA, SwitchB, and SwitchC. SwitchA is used as an
example. The configurations of SwitchB and SwitchC are similar to the
configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.10.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.50.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

Step 2 Configure a VRRP group.
# Configure VRRP group 1 on SwitchA and SwitchB, set the priority of SwitchA to
120 and the preemption delay to 20s, and set the default priority for SwitchB.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.10.111
[SwitchA-Vlanif100] vrrp vrid 1 priority 120 //The default priority of a device in a VRRP group is
100. Change the priority of the master to be higher than that of the backup.
[SwitchA-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20 //A device in a VRRP group uses
immediate preemption by default. Change the preemption delay of the master to prevent service
interruptions on an unstable network where devices in the VRRP group preempt to be the master.
[SwitchA-Vlanif100] quit
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.10.111
[SwitchB-Vlanif100] quit

# Configure VRRP group 2 on SwitchA and SwitchB, set the priority of SwitchB to
120 and the preemption delay to 20s, and set the default priority for SwitchA.
[SwitchB] interface vlanif 500
[SwitchB-Vlanif500] vrrp vrid 2 virtual-ip 10.1.50.111
[SwitchB-Vlanif500] vrrp vrid 2 priority 120 //The default priority of a device in a VRRP group is
100. Change the priority of the master to be higher than that of the backup.
[SwitchB-Vlanif500] vrrp vrid 2 preempt-mode timer delay 20 //A device in a VRRP group uses
immediate preemption by default. Change the preemption delay of the master to prevent service
interruptions on an unstable network where devices in the VRRP group preempt to be the master.
[SwitchB-Vlanif500] quit
[SwitchA] interface vlanif 500
[SwitchA-Vlanif500] vrrp vrid 2 virtual-ip 10.1.50.111
[SwitchA-Vlanif500] quit

Step 3 Verify the configuration.
# After the configuration is complete, run the display vrrp command on SwitchA.
You can see that SwitchA is the master in VRRP group 1 and the backup in VRRP
group 2.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.10.111
Master IP : 10.1.10.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

Vlanif500 | Virtual Router 2
State : Backup
Virtual IP : 10.1.50.111
Master IP : 10.1.50.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# After the configuration is complete, run the display vrrp command on SwitchB.
You can see that SwitchB is the backup in VRRP group 1 and the master in VRRP
group 2.
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.10.111
Master IP : 10.1.10.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

Vlanif500 | Virtual Router 2
State : Master
Virtual IP : 10.1.50.111
Master IP : 10.1.50.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

----End
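
The outputs collected in Step 3 can be cross-checked mechanically. The following script is an added example, not part of the Huawei document: it parses display vrrp output from each member, verifies that every VRID has exactly one master and that the members agree on the master's address, checks the virtual MAC against the VRRP convention 0000-5e00-01<VRID>, and notes groups whose Auth type is NONE. The two embedded outputs are constructed by trimming the Step 3 output above to the fields the check uses; the third input in the demo alters SwitchB's output so that both switches claim Master for VRID 1, the two-master condition the active/standby overview warns about. Function names and finding texts are this example's own.

```python
"""Cross-check `display vrrp` output from the members of VRRP groups (added example)."""
import re
from collections import defaultdict

# Constructed inputs: the Step 3 outputs above, trimmed to the fields used here.
SWITCHA = """\
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.10.111
Master IP : 10.1.10.1
Preempt : YES Delay Time : 20 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101

Vlanif500 | Virtual Router 2
State : Backup
Virtual IP : 10.1.50.111
Master IP : 10.1.50.2
Preempt : YES Delay Time : 0 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
"""
SWITCHB = """\
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.10.111
Master IP : 10.1.10.1
Preempt : YES Delay Time : 0 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101

Vlanif500 | Virtual Router 2
State : Master
Virtual IP : 10.1.50.111
Master IP : 10.1.50.2
Preempt : YES Delay Time : 20 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
"""


def parse_display_vrrp(text):
    """Return {vrid: {field: value}}; the 'Preempt' line carries two fields."""
    groups, cur = {}, None
    for line in text.splitlines():
        head = re.match(r'(\S+) \| Virtual Router (\d+)', line.strip())
        if head:
            cur = {'Interface': head.group(1)}
            groups[int(head.group(2))] = cur
        elif cur is not None and ':' in line:
            for part in re.split(r'\s+(?=Delay Time)', line.strip()):
                key, _, value = part.partition(':')
                cur[key.strip()] = value.strip()
    return groups


def check_groups(outputs):
    """outputs: {switch_name: display vrrp text}. Returns (members, findings)."""
    members = defaultdict(dict)                  # vrid -> {switch: fields}
    for switch, text in outputs.items():
        for vrid, fields in parse_display_vrrp(text).items():
            members[vrid][switch] = fields
    findings = []                                # (level, message)
    for vrid, by_switch in sorted(members.items()):
        masters = sorted(s for s, f in by_switch.items() if f['State'] == 'Master')
        if len(masters) != 1:
            findings.append(('error', f'VRID {vrid}: expected one master, found {masters}'))
        master_ips = {f['Master IP'] for f in by_switch.values()}
        if len(master_ips) != 1:
            findings.append(('error', f'VRID {vrid}: members disagree on master IP {sorted(master_ips)}'))
        expected_mac = f'0000-5e00-01{vrid:02x}'  # VRRP virtual MAC: 00-00-5E-00-01-<VRID>
        for switch, f in sorted(by_switch.items()):
            if f['Virtual MAC'] != expected_mac:
                findings.append(('error', f'VRID {vrid}: {switch} virtual MAC {f["Virtual MAC"]}, expected {expected_mac}'))
            if f['Auth type'] == 'NONE':
                findings.append(('info', f'VRID {vrid}: {switch} Auth type NONE, advertisements are not authenticated'))
    return dict(members), findings


def errors(findings):
    """Only the findings that indicate an inconsistent group."""
    return [msg for level, msg in findings if level == 'error']


if __name__ == '__main__':
    dual_master = SWITCHB.replace('State : Backup', 'State : Master', 1)   # constructed fault
    for label, b_output in (('as configured', SWITCHB), ('two masters', dual_master)):
        _, findings = check_groups({'SwitchA': SWITCHA, 'SwitchB': b_output})
        print(label, errors(findings) or 'roles consistent')
```

Feed it the output of every member; a missing or duplicated master for a VRID, or members that name different master addresses, indicates the split-brain situation in which hosts may learn the wrong gateway.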

Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 100 300 500
#
interface Vlanif100
ip address 10.1.10.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.10.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif500
ip address 10.1.50.1 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.50.111
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 300
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 500
#
ospf 1
area 0.0.0.0
network 10.1.10.0 0.0.0.255
network 10.1.50.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return

● Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 100 200 500
#
interface Vlanif100
ip address 10.1.10.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.10.111
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif500
ip address 10.1.50.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.50.111
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 500
#
ospf 1
area 0.0.0.0
network 10.1.10.0 0.0.0.255
network 10.1.50.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 200 300 400
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif300
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif400
ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 300
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 400
#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● Configuration file of the switch
#
sysname Switch
#
vlan batch 100 500
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 500
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 100 500
#
return

3.13.2.3 Example for Configuring Association Between VRRP and BFD to
Implement a Rapid Active/Standby Switchover

Overview of Association Between VRRP and BFD
A VRRP group sends and receives VRRP Advertisement packets to determine the
master and backup states, thereby implementing redundancy. If the links connected
to a VRRP group fail, VRRP Advertisement packets cannot be exchanged for
negotiation. A backup switches to the master only after three VRRP Advertisement
intervals have elapsed. During this period, service traffic is still sent to the
original master and is lost.
BFD can rapidly detect the connectivity of links and routes on the network.
Association between VRRP and BFD implements a fast active/standby switchover
within 1 second. A BFD session is set up between the master and backup and is
bound to the VRRP group, so that BFD detects faults on behalf of the VRRP group.
When a fault occurs, BFD notifies the VRRP group, which then performs an active/
standby switchover, greatly reducing the service interruption time.
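
The timing described in this overview, the preemption delay of the active/standby example, and the per-group priorities of the load balancing example can be worked through with the following event-driven model. It is an added example, not Huawei code. Device names, priorities and delays are those of the load balancing example; the event times (SwitchA loses its link at 10 s and recovers at 30 s) are constructed; and detect_ms, the time a backup needs to notice a dead master, is the model's own parameter: by default three advertisement intervals, as stated above (the RFC 3768 skew time is ignored), or 30 ms to stand in for a BFD session with the detect interval shown in the BFD output earlier in this chapter. The model also assumes preemption mode on every device, with ties broken by device name rather than by IP address.

```python
"""Event-driven model of VRRP master election with several groups per device (added example)."""
import heapq
from dataclasses import dataclass
from typing import Dict, List, Tuple

ADVERT_MS = 1000                 # TimerRun : 1 s in the display vrrp output
MASTER_DOWN_MS = 3 * ADVERT_MS   # a backup gives up on the master after three missed advertisements


@dataclass
class Group:
    priority: int = 100          # default priority
    preempt_delay_ms: int = 0    # preemption mode, immediate, by default


@dataclass
class Device:
    name: str
    groups: Dict[int, Group]     # vrid -> settings on this device
    up: bool = True


def simulate(devices: List[Device], events: List[Tuple[int, str, str]],
             detect_ms: int = MASTER_DOWN_MS) -> List[Tuple[int, int, str]]:
    """Return [(time_ms, vrid, master)] for every master change.

    events: (time_ms, device_name, 'down' | 'up'); 'down' stops every
    advertisement of that device, as a shutdown of its uplink would.
    """
    by_name = {d.name: d for d in devices}
    vrids = sorted({v for d in devices for v in d.groups})
    master: Dict[int, str] = {}  # vrid -> device the backups currently believe is master
    log, heap, seq = [], [], 0

    def schedule(t: int, kind: str, vrid: int, name: str) -> None:
        nonlocal seq
        heapq.heappush(heap, (t, seq, kind, vrid, name))
        seq += 1

    def elect(t: int, vrid: int) -> None:
        # Highest priority wins; the name breaks ties (assumption, RFC 3768 uses the primary IP)
        cands = [d for d in devices if d.up and vrid in d.groups]
        if not cands:
            return
        winner = max(cands, key=lambda d: (d.groups[vrid].priority, d.name)).name
        if master.get(vrid) != winner:
            master[vrid] = winner
            log.append((t, vrid, winner))

    for v in vrids:
        elect(0, v)
    for t, name, action in events:
        schedule(t, action, 0, name)

    while heap:
        t, _, kind, vrid, name = heapq.heappop(heap)
        dev = by_name[name]
        if kind == 'down':
            dev.up = False
            for v in vrids:          # traffic keeps going to the dead master until detect_ms elapses
                if master.get(v) == name:
                    schedule(t + detect_ms, 'expire', v, name)
        elif kind == 'up':
            dev.up = True
            for v, g in dev.groups.items():
                cur = master.get(v)
                if cur is None:
                    elect(t, v)
                elif g.priority > by_name[cur].groups[v].priority:
                    schedule(t + g.preempt_delay_ms, 'preempt', v, name)  # delayed preemption
        elif kind == 'expire':
            if master.get(vrid) == name and not dev.up:
                elect(t, vrid)
        elif kind == 'preempt':
            if dev.up:
                elect(t, vrid)
    return log


def load_balancing_scenario():
    """SwitchA/SwitchB as in the load balancing example; constructed event times."""
    switch_a = Device('SwitchA', {1: Group(120, 20000), 2: Group()})
    switch_b = Device('SwitchB', {1: Group(), 2: Group(120, 20000)})
    events = [(10000, 'SwitchA', 'down'), (30000, 'SwitchA', 'up')]
    return [switch_a, switch_b], events


def failover_delay_ms(log, vrid, fail_time_ms):
    """Time during which traffic is still sent to the failed master of `vrid`."""
    return next(t for t, v, _ in log if v == vrid and t >= fail_time_ms) - fail_time_ms


if __name__ == '__main__':
    for detect in (MASTER_DOWN_MS, 30):  # 30 ms: BFD detect interval, stands in for VRRP+BFD
        log = simulate(*load_balancing_scenario(), detect_ms=detect)
        print(f'detect {detect} ms: failover after {failover_delay_ms(log, 1, 10000)} ms')
        for t, vrid, name in log:
            print(f'  t={t / 1000:6.2f} s  VRID {vrid} master -> {name}')
```

With the default detection rule, VRID 1 stays with the failed SwitchA for 3 s before SwitchB takes over, and SwitchA reclaims it 20 s after its link returns; VRID 2 is unaffected because SwitchB is its master throughout. Lowering detect_ms to the BFD value shortens the first window to 30 ms while leaving the preemption behaviour unchanged.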

Configuration Notes
● In V200R003 and earlier versions, VRRP can be configured only on the VLANIF
interface.
In V200R005 and later versions, VRRP can be configured on the VLANIF
interface and Layer 3 Ethernet interface.
For a modular switch in V200R006 and later versions, VRRP can be configured
on the VLANIF interface, Layer 3 Ethernet interface, Dot1q termination sub-
interface, and QinQ termination sub-interface.
For a fixed switch in V200R009 and later versions, VRRP can be configured on
the VLANIF interface, Layer 3 Ethernet interface, and sub-interface.
● Ensure that each device of the same VRRP group is configured with the same
VRID.
● VRRP groups must use different virtual IP addresses. The virtual IP address of
a VRRP group must be on the same network segment as the IP address of the
interface where the VRRP group is configured.
● Multiple VRRP groups can monitor a BFD session, and a VRRP group can
monitor a maximum of eight BFD sessions simultaneously.
● This example applies to the following products:
– S3700-EI, S3700-HI
– S5720-SI, S5720S-SI, S5720I-SI, S5700-EI, S5700-HI, S5710-EI, S5720-EI,
S5710-HI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S5735-S-I, S5735S-H, S5736-S, S5735-S,
S5735S-S

Issue 35 (2022-10-26) Copyright © Huawei Technologies Co., Ltd. 2092


S300, S500, S2700, S3700, S5700, S6700, S7700, and
S9700 Series Switches
Typical Configuration Examples 3 Feature Typical Configuration Examples

– S6720-SI, S6720S-SI, S6700-EI, S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-178, hosts on a LAN are dual-homed to SwitchA and SwitchB through
the switch. A VRRP group is established on SwitchA and SwitchB, and SwitchA is
the master.

When SwitchA or a link between SwitchA and SwitchB is faulty, the active/standby switchover happens only after VRRP negotiation is complete. To speed up link switchovers, deploy a BFD session on the link and associate the VRRP group with the BFD session. When the interface on the master or the link fails, the BFD session rapidly detects the fault and notifies the VRRP group of the fault. After receiving the notification, the VRRP group performs a rapid active/standby switchover. The backup becomes the master and takes over traffic. This reduces the impact of the fault on service transmission.

NOTE

In this scenario, to avoid loops, ensure that all connected interfaces have STP disabled and
connected interfaces are removed from VLAN 1. If STP is enabled and VLANIF interfaces of
switches are used to construct a Layer 3 ring network, an interface on the network will be
blocked. As a result, Layer 3 services on the network cannot run normally.

Figure 3-178 Association between VRRP and BFD to implement a rapid active/
standby switchover


Configuration Roadmap
Association between VRRP and BFD is used to implement a rapid active/standby
switchover. The configuration roadmap is as follows:

1. Assign an IP address to each interface and configure a routing protocol to ensure network connectivity.
2. Configure a VRRP group on SwitchA and SwitchB. SwitchA functions as the
master, its priority is 120, and the preemption delay is 20s. SwitchB functions
as the backup and uses the default priority.
3. Configure a static BFD session on SwitchA and SwitchB to monitor the link of
the VRRP group.
4. Configure association between BFD and VRRP on SwitchB so that an active/standby switchover is performed rapidly when the link is faulty.

Procedure
Step 1 Configure devices to ensure network connectivity.

# Assign an IP address to each interface. SwitchA is used as an example. The configuration of SwitchB is similar to that of SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit

# Configure Layer 2 forwarding on the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type hybrid
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type hybrid
[Switch-GigabitEthernet1/0/2] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/2] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/2] quit

# Configure OSPF between SwitchA and SwitchB. SwitchA is used as an example. The configuration of SwitchB is similar to that of SwitchA.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

Step 2 Configure a VRRP group.


# Configure VRRP group 1 on SwitchA, and set the priority of SwitchA to 120 and
the preemption delay to 20s.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.3
[SwitchA-Vlanif100] vrrp vrid 1 priority 120 //The default priority of a device in a VRRP group is 100. Change the priority of the master to be higher than that of the backup.
[SwitchA-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20 //A device in a VRRP group uses immediate preemption by default. Change the preemption delay of the master to prevent service interruptions on an unstable network where devices in the VRRP group preempt to be the master.
[SwitchA-Vlanif100] quit

# Configure VRRP group 1 on SwitchB. SwitchB uses the default priority of 100.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.3
[SwitchB-Vlanif100] quit

Step 3 Configure a static BFD session.

# Create a BFD session on SwitchA.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd atob bind peer-ip 10.1.1.2 interface vlanif 100 //Configure a static BFD session to monitor the link of the VRRP group.
[SwitchA-bfd-session-atob] discriminator local 1 //Configure the local discriminator of the BFD session. The local discriminator on SwitchA must be the same as the remote discriminator on SwitchB.
[SwitchA-bfd-session-atob] discriminator remote 2 //Configure the remote discriminator of the BFD session. The remote discriminator on SwitchA must be the same as the local discriminator on SwitchB.
[SwitchA-bfd-session-atob] min-rx-interval 100 //Configure the minimum interval for receiving BFD packets.
[SwitchA-bfd-session-atob] min-tx-interval 100 //Configure the minimum interval for sending BFD packets.
[SwitchA-bfd-session-atob] commit //Commit the BFD session to make the configuration take effect.
[SwitchA-bfd-session-atob] quit

# Create a BFD session on SwitchB.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bfd btoa bind peer-ip 10.1.1.1 interface vlanif 100
[SwitchB-bfd-session-btoa] discriminator local 2
[SwitchB-bfd-session-btoa] discriminator remote 1
[SwitchB-bfd-session-btoa] min-rx-interval 100
[SwitchB-bfd-session-btoa] min-tx-interval 100
[SwitchB-bfd-session-btoa] commit
[SwitchB-bfd-session-btoa] quit

Run the display bfd session command on SwitchA and SwitchB. You can see that
the BFD session is Up. The display on SwitchA is used as an example.
[SwitchA] display bfd session all
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
1 2 10.1.1.2 Up S_IP_IF Vlanif100
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0

Step 4 Configure association between BFD and VRRP.

# Configure association between VRRP and BFD on SwitchB. When the BFD
session becomes Down, the priority of SwitchB increases by 40.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 track bfd-session 2 increased 40 //The value 2 indicates the local discriminator.
[SwitchB-Vlanif100] quit


Step 5 Verify the configuration.
# After the configuration is complete, run the display vrrp command on SwitchA
and SwitchB. SwitchA is the master, SwitchB is the backup, and the associated BFD
session is in Up state.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.3
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.3
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track BFD : 2 Priority increased : 40
BFD-session state : UP
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# Run the shutdown command on GE1/0/1 of SwitchA to simulate a link fault. Then run the display vrrp command on SwitchA and SwitchB. You can see that SwitchA is in Initialize state, SwitchB becomes the master, and the associated BFD session becomes Down.
SwitchA is in Initialize state, SwitchB becomes the master, and the associated BFD
session becomes Down.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] shutdown
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Initialize
Virtual IP : 10.1.1.3
Master IP : 0.0.0.0
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 0
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp


Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.3
Master IP : 10.1.1.2
PriorityRun : 140
PriorityConfig : 100
MasterPriority : 140
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track BFD : 2 Priority increased : 40
BFD-session state : DOWN
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# Run the undo shutdown command on GE1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] undo shutdown
[SwitchA-GigabitEthernet1/0/1] quit

# After 20s, run the display vrrp command on SwitchA and SwitchB. You can see
that SwitchA is restored as the master, SwitchB is restored as the backup, and the
associated BFD session is in Up state.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.3
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.3
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track BFD : 2 Priority increased : 40


BFD-session state : UP
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100
#
bfd
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.3
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
bfd atob bind peer-ip 10.1.1.2 interface Vlanif100
discriminator local 1
discriminator remote 2
min-tx-interval 100
min-rx-interval 100
commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

● Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 100
#
bfd
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.3
vrrp vrid 1 track bfd-session 2 increased 40
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
bfd btoa bind peer-ip 10.1.1.1 interface Vlanif100
discriminator local 2
discriminator remote 1
min-tx-interval 100
min-rx-interval 100
commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255


#
return

● Configuration file of the switch
#
sysname Switch
#
vlan batch 100
#
interface GigabitEthernet1/0/1
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
interface GigabitEthernet1/0/2
port link-type hybrid
port hybrid pvid vlan 100
port hybrid untagged vlan 100
#
return
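The Configuration Notes above and the discriminator comments in Step 3 state rules that are easy to break when two devices are configured by hand: both devices must carry the same VRID with the same virtual IP on the segment of the configured interface, the local and remote discriminators must mirror each other, the peer-ip must be the other side's interface address, and the number in vrrp vrid 1 track bfd-session is the local discriminator. The following Python script is an added example, not a Huawei tool and not part of this document: it parses the relevant blocks of the two configuration files above (indented as the switch stores them; the vlan, ospf and return lines are left out) and reports every violation it finds. The SWITCH_B_BAD variant is constructed here, not taken from the page, to show the checker catching a swapped remote discriminator.

```python
"""Added consistency check for the VRRP + BFD pair in this example (not Huawei's tooling)."""
import ipaddress
import re

# Relevant blocks of the SwitchA / SwitchB configuration files from this example,
# indented the way the switch stores them (vlan, ospf and return lines omitted).
SWITCH_A = """\
sysname SwitchA
#
interface Vlanif100
 ip address 10.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.3
 vrrp vrid 1 priority 120
 vrrp vrid 1 preempt-mode timer delay 20
#
bfd atob bind peer-ip 10.1.1.2 interface Vlanif100
 discriminator local 1
 discriminator remote 2
 commit
#
"""
SWITCH_B = """\
sysname SwitchB
#
interface Vlanif100
 ip address 10.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.3
 vrrp vrid 1 track bfd-session 2 increased 40
#
bfd btoa bind peer-ip 10.1.1.1 interface Vlanif100
 discriminator local 2
 discriminator remote 1
 commit
#
"""
# Constructed fault (not on the page): SwitchB's remote discriminator no longer mirrors
# SwitchA's local one, so the BFD session would never come up.
SWITCH_B_BAD = SWITCH_B.replace(" discriminator remote 1", " discriminator remote 3")


def parse(cfg):
    """Extract sysname, interface IPs, VRRP groups and BFD sessions from VRP-style text."""
    dev, block = {"name": None, "ifaces": {}, "bfd": {}}, None
    for raw in cfg.splitlines():
        line = raw.strip()
        if line in ("", "#"):                      # '#' closes the current block
            block = None
            continue
        if line.startswith("sysname "):
            dev["name"] = line.split()[1]
        elif m := re.fullmatch(r"interface (\S+)", line):
            block = dev["ifaces"].setdefault(m[1], {"ip": None, "vrrp": {}})
        elif m := re.fullmatch(r"bfd (\S+) bind peer-ip (\S+) interface (\S+)", line):
            block = dev["bfd"].setdefault(m[1], {"peer": m[2], "iface": m[3],
                                                 "local": None, "remote": None, "committed": False})
        elif block is None:
            continue
        elif m := re.fullmatch(r"ip address (\S+) (\S+)", line):
            block["ip"] = ipaddress.IPv4Interface(f"{m[1]}/{m[2]}")
        elif m := re.fullmatch(r"vrrp vrid (\d+) (\S+) (\S+)(?: (\S+))?(?: .*)?", line):
            grp = block["vrrp"].setdefault(int(m[1]), {"vip": None, "track_bfd": []})
            if m[2] == "virtual-ip":
                grp["vip"] = ipaddress.IPv4Address(m[3])
            elif m[2] == "track" and m[3] == "bfd-session":
                grp["track_bfd"].append(int(m[4]))
        elif m := re.fullmatch(r"discriminator (local|remote) (\d+)", line):
            block[m[1]] = int(m[2])
        elif line == "commit":
            block["committed"] = True
    return dev


def check_pair(cfg_a, cfg_b):
    """Return findings against the Configuration Notes; an empty list means the pair is consistent."""
    a, b, out = parse(cfg_a), parse(cfg_b), []
    for dev in (a, b):
        committed = {s["local"] for s in dev["bfd"].values() if s["committed"]}
        vips = {}
        for ifname, iface in dev["ifaces"].items():
            for vrid, grp in iface["vrrp"].items():
                if grp["vip"] is None or iface["ip"] is None or grp["vip"] not in iface["ip"].network:
                    out.append(f"{dev['name']}: VRID {vrid} virtual IP {grp['vip']} is not on the {ifname} segment")
                if grp["vip"] in vips:                 # VRRP groups must use different virtual IPs
                    out.append(f"{dev['name']}: virtual IP {grp['vip']} shared by VRID {vips[grp['vip']]} and {vrid}")
                vips[grp["vip"]] = vrid
                for disc in grp["track_bfd"]:          # 'track bfd-session N' names a LOCAL discriminator
                    if disc not in committed:
                        out.append(f"{dev['name']}: VRID {vrid} tracks BFD session {disc}, not a committed local discriminator")
    for x, y in ((a, b), (b, a)):                      # both peers carry the same VRIDs with the same virtual IP
        for ifname, iface in x["ifaces"].items():
            for vrid, grp in iface["vrrp"].items():
                peer = y["ifaces"].get(ifname, {"vrrp": {}})["vrrp"].get(vrid)
                if peer is None:
                    out.append(f"VRID {vrid} on {ifname} is configured on {x['name']} but not on {y['name']}")
                elif x is a and peer["vip"] != grp["vip"]:
                    out.append(f"VRID {vrid} on {ifname}: virtual IP {grp['vip']} vs {peer['vip']}")
    for sa in a["bfd"].values():                       # discriminators and peer IPs must mirror each other
        mirror = [s for s in b["bfd"].values() if (s["local"], s["remote"]) == (sa["remote"], sa["local"])]
        if not mirror:
            out.append(f"{a['name']}: BFD local {sa['local']}/remote {sa['remote']} has no mirror session on {b['name']}")
        elif (sa["peer"] != str(b["ifaces"][mirror[0]["iface"]]["ip"].ip)
              or mirror[0]["peer"] != str(a["ifaces"][sa["iface"]]["ip"].ip)):
            out.append(f"BFD peer-ip mismatch: {a['name']} {sa['peer']} vs {b['name']} {mirror[0]['peer']}")
    return out


if __name__ == "__main__":
    print("page pair:", check_pair(SWITCH_A, SWITCH_B) or "consistent")
    print("faulty pair:", check_pair(SWITCH_A, SWITCH_B_BAD))
```

Running it reports the page's pair as consistent and flags the constructed variant with a single finding about the missing mirror session; the same parser can be pointed at the display current-configuration output of two real peers before the BFD session is committed.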

3.13.2.4 Example for Configuring an Eth-Trunk and Association Between VRRP and the Interface Status

Association Between VRRP and the Interface Status
Additional technologies are required to enhance the VRRP active/standby function.
For example, when the link from the master to a network is disconnected, VRRP
cannot detect the fault and an active/standby switchover cannot be performed. As
a result, hosts cannot remotely access the network through the master. To address
this issue, you can configure association between VRRP and the interface status.

When the master detects that the uplink interface fails, the master reduces its
priority to be lower than the priority of the backup and immediately sends VRRP
packets. After the backup receives the VRRP packets, it detects that the priority in
the VRRP packets is lower than its priority and switches to the master. This ensures
correct traffic forwarding.
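The two mechanisms this chapter relies on both act through the running priority and the preemption delay: in 3.13.2.3 the backup raises its priority when a tracked BFD session goes Down, and in this section the master lowers its own priority when a tracked interface goes Down. The following Python model is an added example, not code from Huawei or from this document, that replays both verification sequences: it computes PriorityRun from the tracked objects, elects the master by highest running priority (the higher interface IP breaks ties), and makes a higher-priority backup wait its preemption delay before taking over. The clamp to 1..254 and the event timestamps are assumptions made for the illustration.

```python
"""Added example: how tracked objects and the preemption delay decide the VRRP master."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Router:
    name: str
    ip: str                  # interface IP on the VRRP segment; the higher IP wins a priority tie
    priority: int = 100      # PriorityConfig; 100 is the default on these switches
    preempt_delay: int = 0   # seconds a higher-priority backup waits before preempting (0 = immediately)
    vrrp_if_up: bool = True  # the VLANIF carrying the group; when it is down the router is Initialize
    # tracked objects, name -> [delta, up]: a negative delta models "reduced", a positive one "increased"
    tracks: dict = field(default_factory=dict)

    def running_priority(self) -> int:
        """PriorityRun: the configured priority adjusted by every tracked object that is currently down.
        Clamping to 1..254 is an assumption for out-of-range sums; this chapter's values never reach it."""
        prio = self.priority + sum(delta for delta, up in self.tracks.values() if not up)
        return max(1, min(254, prio))


class VrrpGroup:
    """Election state of one VRID shared by the routers passed in."""

    def __init__(self, *routers: Router):
        self.routers = {r.name: r for r in routers}
        self.master = None     # name of the current master
        self.pending = None    # (candidate name, earliest time it may preempt)

    def _best(self):
        live = [r for r in self.routers.values() if r.vrrp_if_up]
        return max(live, key=lambda r: (r.running_priority(), int(ipaddress.IPv4Address(r.ip))), default=None)

    def step(self, now: int) -> dict:
        """Re-run the election at time `now` and return each router's state."""
        best, master = self._best(), self.routers.get(self.master)
        if master is None or not master.vrrp_if_up:
            # no usable master (or none yet): the best live candidate takes over at once
            self.master, self.pending = (best.name if best else None), None
        elif best is not None and best is not master and best.running_priority() > master.running_priority():
            # a backup that now outranks the master preempts, but only after its own delay has elapsed
            if self.pending is None or self.pending[0] != best.name:
                self.pending = (best.name, now + best.preempt_delay)
            if now >= self.pending[1]:
                self.master, self.pending = best.name, None
        else:
            self.pending = None
        return {n: "Initialize" if not r.vrrp_if_up else ("Master" if n == self.master else "Backup")
                for n, r in self.routers.items()}


def snapshot(group: VrrpGroup, t: int):
    """(time, states, PriorityRun per router) after advancing the election to t."""
    states = group.step(t)
    return t, states, {n: r.running_priority() for n, r in group.routers.items()}


def bfd_scenario():
    """3.13.2.3: BFD tells SwitchB the master is gone and SwitchB raises its priority by 40."""
    a = Router("SwitchA", "10.1.1.1", priority=120, preempt_delay=20)
    b = Router("SwitchB", "10.1.1.2", tracks={"bfd-session 2": [40, True]})
    g = VrrpGroup(a, b)
    log = [snapshot(g, 0)]                       # SwitchA (120) master, SwitchB (100) backup
    a.vrrp_if_up = False                         # GE1/0/1 shut down: Vlanif100 on SwitchA goes down
    b.tracks["bfd-session 2"][1] = False         # and the BFD session on SwitchB reports DOWN
    log.append(snapshot(g, 10))                  # SwitchA Initialize, SwitchB master with PriorityRun 140
    a.vrrp_if_up = True                          # undo shutdown: link and BFD session back up
    b.tracks["bfd-session 2"][1] = True
    log.append(snapshot(g, 30))                  # SwitchA outranks SwitchB again but must wait 20 s
    log.append(snapshot(g, 50))                  # preemption delay elapsed: SwitchA is master once more
    return log


def interface_scenario():
    """3.13.2.4: the master lowers its own priority by 100 when a tracked uplink/downlink fails."""
    a = Router("SwitchA", "10.1.1.2", priority=120, preempt_delay=20,
               tracks={"GigabitEthernet1/0/1": [-100, True], "GigabitEthernet1/0/2": [-100, True]})
    b = Router("SwitchB", "10.1.1.3")
    g = VrrpGroup(a, b)
    log = [snapshot(g, 0)]                       # SwitchA master
    a.tracks["GigabitEthernet1/0/1"][1] = False  # uplink down: PriorityRun 120 - 100 = 20
    log.append(snapshot(g, 10))                  # SwitchB (100, no delay) is master at once; SwitchA is Backup
    a.tracks["GigabitEthernet1/0/1"][1] = True   # uplink restored: PriorityRun back to 120
    log.append(snapshot(g, 30))                  # still SwitchB: SwitchA waits its 20 s delay
    log.append(snapshot(g, 50))                  # SwitchA master again
    return log


if __name__ == "__main__":
    for t, states, run in bfd_scenario() + interface_scenario():
        print(t, states, run)
```

The model makes the difference between the two designs visible: with interface tracking the failed master stays Backup with PriorityRun 20, whereas with BFD tracking it is the backup's priority that moves, and in both cases the 20 s preemption delay is what keeps SwitchA from flapping back the instant its link returns.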

Configuration Notes
● In V200R003 and earlier versions, VRRP can be configured only on the VLANIF
interface.
In V200R005 and later versions, VRRP can be configured on the VLANIF
interface and Layer 3 Ethernet interface.
For a modular switch in V200R006 and later versions, VRRP can be configured
on the VLANIF interface, Layer 3 Ethernet interface, Dot1q termination sub-
interface, and QinQ termination sub-interface.
For a fixed switch in V200R009 and later versions, VRRP can be configured on
the VLANIF interface, Layer 3 Ethernet interface, and sub-interface.
● Ensure that each device of the same VRRP group is configured with the same
VRID.
● VRRP groups must use different virtual IP addresses. The virtual IP address of
a VRRP group must be on the same network segment as the IP address of the
interface where the VRRP group is configured.


● A VRRP group can be associated with a maximum of eight interfaces.
Association between a VRRP group and the interface status cannot be configured on the device that is the IP address owner.
● This example applies to the following products:
– S2720-EI: V200R011C10 and later versions
– S3700-EI, S3700-HI
– S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5700-EI, S5700-HI,
S5710-EI, S5720-EI, S5710-HI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI,
S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S-I,
S5735S-H, S5736-S, S5735-S, S500, S5735S-S
– S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6700-EI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a product series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-179, the user hosts are dual-homed to SwitchA and SwitchB
through the switch. The requirements are as follows:
● The hosts use SwitchA as the default gateway to connect to the Internet.
When SwitchA or the downlink/uplink fails, SwitchB functions as the gateway
to implement gateway backup.
● The bandwidth of the link between SwitchA and SwitchB is increased to
implement link backup and improve link reliability.
● After SwitchA recovers, it becomes the gateway within 20s.


Figure 3-179 Networking of association between VRRP and the interface status

Configuration Roadmap
A VRRP group in active/standby mode is used to implement gateway backup. The
configuration roadmap is as follows:
1. Assign an IP address to each interface and configure a routing protocol to
ensure network connectivity.
2. Configure VLAN aggregation on SwitchA and SwitchB to implement Layer 2
isolation and Layer 3 connectivity of VLANs 101 to 180 and save IP addresses.
3. Create an Eth-Trunk on SwitchA and SwitchB and add member interfaces to
the Eth-Trunk to increase the link bandwidth and implement link backup.
4. Configure a VRRP group between SwitchA and SwitchB. Set a higher priority
for SwitchA so that SwitchA functions as the master to forward traffic, and set
the preemption delay to 20s on SwitchA. Set a lower priority for SwitchB so
that SwitchB functions as the backup.
5. Associate VRRP with GE1/0/1 and GE1/0/2 on SwitchA so that the VRRP group
can detect the fault of the master and perform an active/standby switchover
immediately.

NOTE

SwitchA and SwitchB are core switches, and the switch is an aggregation switch.

Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface on core devices. SwitchA is used as an
example. The configuration of SwitchB is similar to the configuration of SwitchA,
and is not mentioned here. For details, see the configuration files.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 11 to 15 101 to 180 301 to 305 400


[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 400
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 101 to 180
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] ip address 10.1.1.2 24
[SwitchA-Vlanif11] quit
[SwitchA] interface vlanif 12
[SwitchA-Vlanif12] ip address 10.1.2.2 24
[SwitchA-Vlanif12] quit
[SwitchA] interface vlanif 13
[SwitchA-Vlanif13] ip address 10.1.3.2 24
[SwitchA-Vlanif13] quit
[SwitchA] interface vlanif 14
[SwitchA-Vlanif14] ip address 10.1.4.2 24
[SwitchA-Vlanif14] quit
[SwitchA] interface vlanif 15
[SwitchA-Vlanif15] ip address 10.1.5.2 24
[SwitchA-Vlanif15] quit
[SwitchA] interface vlanif 400
[SwitchA-Vlanif400] ip address 192.168.1.1 24
[SwitchA-Vlanif400] quit

# Configure Layer 2 transparent transmission on the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 11 to 15 101 to 180
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 11 to 15 101 to 180
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] undo port trunk allow-pass vlan 1
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 11 to 15 101 to 180
[Switch-GigabitEthernet1/0/2] quit

# Configure OSPF on SwitchA, SwitchB, and the switch. SwitchA is used as an example. The configurations of SwitchB and SwitchC are similar to the configuration of SwitchA, and are not mentioned here. For details, see the configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.4.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.5.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit

Step 2 Configure a super-VLAN on SwitchA and SwitchB.
# Configure a super-VLAN on SwitchA. The configuration of SwitchB is similar to
the configuration of SwitchA, and is not mentioned here. For details, see the
configuration files.
[SwitchA] vlan 11
[SwitchA-vlan11] aggregate-vlan


[SwitchA-vlan11] access-vlan 101 to 116 301
[SwitchA-vlan11] quit
[SwitchA] vlan 12
[SwitchA-vlan12] aggregate-vlan
[SwitchA-vlan12] access-vlan 117 to 132 302
[SwitchA-vlan12] quit
[SwitchA] vlan 13
[SwitchA-vlan13] aggregate-vlan
[SwitchA-vlan13] access-vlan 133 to 148 303
[SwitchA-vlan13] quit
[SwitchA] vlan 14
[SwitchA-vlan14] aggregate-vlan
[SwitchA-vlan14] access-vlan 149 to 164 304
[SwitchA-vlan14] quit
[SwitchA] vlan 15
[SwitchA-vlan15] aggregate-vlan
[SwitchA-vlan15] access-vlan 165 to 180 305
[SwitchA-vlan15] quit

Step 3 Configure link aggregation on SwitchA and SwitchB.
# Create Eth-Trunk 1 in LACP mode on SwitchA. The configuration of SwitchB is
similar to the configuration of SwitchA, and is not mentioned here. For details, see
the configuration files.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] mode lacp
[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] undo port trunk allow-pass vlan 1
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 301 to 305
[SwitchA-Eth-Trunk1] quit

# Add member interfaces on SwitchA to Eth-Trunk 1. The configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned here. For details, see the configuration files.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] eth-trunk 1
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] eth-trunk 1
[SwitchA-GigabitEthernet1/0/4] quit

Step 4 Configure VRRP groups on SwitchA and SwitchB.
# Configure a VRRP group on SwitchA, and set the priority of SwitchA to 120 and
the preemption delay to 20s.
[SwitchA] interface vlanif 11
[SwitchA-Vlanif11] vrrp vrid 1 virtual-ip 10.1.1.1
[SwitchA-Vlanif11] vrrp vrid 1 priority 120 //The default priority of a device in a VRRP group is 100. Change the priority of the master to be higher than that of the backup.
[SwitchA-Vlanif11] vrrp vrid 1 preempt-mode timer delay 20 //A device in a VRRP group uses immediate preemption by default. Change the preemption delay of the master to prevent traffic interruptions when the master and backup frequently preempt the master role on an unstable network.
[SwitchA-Vlanif11] vrrp vrid 1 track interface gigabitethernet 1/0/1 reduced 100 //Associate the VRRP group with the uplink interface. Set the priority decrement so that the priority of the backup becomes higher than that of the master, which triggers an active/standby switchover.
[SwitchA-Vlanif11] vrrp vrid 1 track interface gigabitethernet 1/0/2 reduced 100 //Associate the VRRP group with the downlink interface. Set the priority decrement so that the priority of the backup becomes higher than that of the master, which triggers an active/standby switchover.
[SwitchA-Vlanif11] vrrp advertise send-mode 301 //Specify VLAN 301 as the VLAN in which VRRP packets are transmitted, to save network bandwidth.
[SwitchA-Vlanif11] quit
[SwitchA] interface vlanif 12
[SwitchA-Vlanif12] vrrp vrid 2 virtual-ip 10.1.2.1
[SwitchA-Vlanif12] vrrp vrid 2 priority 120


[SwitchA-Vlanif12] vrrp vrid 2 preempt-mode timer delay 20
[SwitchA-Vlanif12] vrrp vrid 2 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif12] vrrp vrid 2 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif12] vrrp advertise send-mode 302
[SwitchA-Vlanif12] quit
[SwitchA] interface vlanif 13
[SwitchA-Vlanif13] vrrp vrid 3 virtual-ip 10.1.3.1
[SwitchA-Vlanif13] vrrp vrid 3 priority 120
[SwitchA-Vlanif13] vrrp vrid 3 preempt-mode timer delay 20
[SwitchA-Vlanif13] vrrp vrid 3 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif13] vrrp vrid 3 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif13] vrrp advertise send-mode 303
[SwitchA-Vlanif13] quit
[SwitchA] interface vlanif 14
[SwitchA-Vlanif14] vrrp vrid 4 virtual-ip 10.1.4.1
[SwitchA-Vlanif14] vrrp vrid 4 priority 120
[SwitchA-Vlanif14] vrrp vrid 4 preempt-mode timer delay 20
[SwitchA-Vlanif14] vrrp vrid 4 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif14] vrrp vrid 4 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif14] vrrp advertise send-mode 304
[SwitchA-Vlanif14] quit
[SwitchA] interface vlanif 15
[SwitchA-Vlanif15] vrrp vrid 5 virtual-ip 10.1.5.1
[SwitchA-Vlanif15] vrrp vrid 5 priority 120
[SwitchA-Vlanif15] vrrp vrid 5 preempt-mode timer delay 20
[SwitchA-Vlanif15] vrrp vrid 5 track interface gigabitethernet 1/0/1 reduced 100
[SwitchA-Vlanif15] vrrp vrid 5 track interface gigabitethernet 1/0/2 reduced 100
[SwitchA-Vlanif15] vrrp advertise send-mode 305
[SwitchA-Vlanif15] quit

# Configure a VRRP group on SwitchB. SwitchB uses the default priority of 100.
[SwitchB] interface vlanif 11
[SwitchB-Vlanif11] vrrp vrid 1 virtual-ip 10.1.1.1
[SwitchB-Vlanif11] vrrp advertise send-mode 301
[SwitchB-Vlanif11] quit
[SwitchB] interface vlanif 12
[SwitchB-Vlanif12] vrrp vrid 2 virtual-ip 10.1.2.1
[SwitchB-Vlanif12] vrrp advertise send-mode 302
[SwitchB-Vlanif12] quit
[SwitchB] interface vlanif 13
[SwitchB-Vlanif13] vrrp vrid 3 virtual-ip 10.1.3.1
[SwitchB-Vlanif13] vrrp advertise send-mode 303
[SwitchB-Vlanif13] quit
[SwitchB] interface vlanif 14
[SwitchB-Vlanif14] vrrp vrid 4 virtual-ip 10.1.4.1
[SwitchB-Vlanif14] vrrp advertise send-mode 304
[SwitchB-Vlanif14] quit
[SwitchB] interface vlanif 15
[SwitchB-Vlanif15] vrrp vrid 5 virtual-ip 10.1.5.1
[SwitchB-Vlanif15] vrrp advertise send-mode 305
[SwitchB-Vlanif15] quit

Step 5 Disable STP on SwitchA, SwitchB, SwitchC, and Switch.
# Disable global STP on SwitchA, SwitchB, SwitchC, and Switch. SwitchA is used as
an example. The configurations of SwitchB, SwitchC, and the switch are similar to
the configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] stp disable
Warning: The global STP state will be changed. Continue?[Y/N]:y

Step 6 Verify the configuration.
# After the configuration is complete, run the display vrrp command on SwitchA.
You can see that SwitchA is the master in VRRP group 1. VRRP group 1 is used as
an example. Information of other VRRP groups is similar to information of VRRP
group 1.


[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : UP
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

# Run the display vrrp command on SwitchB. You can see that SwitchB is the
backup. VRRP group 1 is used as an example.
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

# Run the shutdown command on GE1/0/1 of SwitchA to simulate a link fault. Then run the display vrrp command on SwitchA and SwitchB. You can see that SwitchA is in Backup state, SwitchB enters the Master state, and the associated interface becomes Down.
Then run the display vrrp command on SwitchA and SwitchB. You can see that
SwitchA is in Backup state, SwitchB enters the Master state, and the associated
interface becomes Down.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] shutdown
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.3
Send VRRP packet to subvlan : 301
PriorityRun : 20
PriorityConfig : 120
MasterPriority : 100
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101


Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : DOWN
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:12:38
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.3
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 100
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:12:38

# Run the undo shutdown command on GE1/0/1 of SwitchA.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] undo shutdown
[SwitchA-GigabitEthernet1/0/1] quit

# After 20s, run the display vrrp command on SwitchA and SwitchB. You can see
that SwitchA is restored as the master and SwitchB is restored as the backup, and
the associated interface is in Up state.
[SwitchA] display vrrp 1
Vlanif11 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Track IF : GigabitEthernet1/0/1 Priority reduced : 100
IF state : UP
Track IF : GigabitEthernet1/0/2 Priority reduced : 100
IF state : UP
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36
[SwitchB] display vrrp 1
Vlanif11 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.1
Master IP : 10.1.1.2
Send VRRP packet to subvlan : 301
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 14:17:36

----End
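The priority arithmetic behind the two outputs above (PriorityRun falling from 120 to 20 when a tracked interface goes Down, SwitchB taking over, then SwitchA preempting 20 s after the link returns) can be replayed with the following model. This is an added example written for this page, not Huawei code or command output. The VrrpRouter and simulate names, the second-by-second event replay and the floor of 1 on the running priority are assumptions of the example, and the event times (shutdown at 5 s, undo shutdown at 30 s) are constructed.

```python
"""VRRP master election with interface tracking and preemption delay,
replayed on the values from the display vrrp output above (SwitchA:
priority 120, GE1/0/1 and GE1/0/2 tracked with a reduction of 100 each,
preemption delay 20 s; SwitchB: default priority 100, delay 0 s).

Added example, not Huawei code. The running priority is clamped to 1 when
the reductions exceed the configured value; that floor is an assumption.
"""
from dataclasses import dataclass, field


@dataclass
class VrrpRouter:
    name: str
    ip: str                                    # interface address carried in advertisements
    priority_config: int = 100                 # VRRP default priority
    preempt_delay: int = 0                     # seconds before a better backup takes over
    track: dict = field(default_factory=dict)  # interface name -> priority reduction
    if_up: dict = field(default_factory=dict)  # interface name -> link state (default Up)

    def priority_run(self) -> int:
        """PriorityRun = PriorityConfig minus the reduction of every tracked
        interface that is Down (the floor of 1 is an assumption)."""
        penalty = sum(red for ifn, red in self.track.items()
                      if not self.if_up.get(ifn, True))
        return max(1, self.priority_config - penalty)


def _ip_key(ip: str):
    return tuple(int(o) for o in ip.split("."))


def elect_master(routers):
    """Highest running priority wins; equal priorities are broken by the
    higher interface IP address."""
    return max(routers, key=lambda r: (r.priority_run(), _ip_key(r.ip)))


def simulate(routers, events, horizon):
    """Replay (time, router, interface, up) events second by second and
    return the list of (time, master name) transitions.

    Preemption is modelled as: once a backup's running priority exceeds the
    current master's, it takes over preempt_delay seconds later, provided
    it still wins at that moment."""
    by_name = {r.name: r for r in routers}
    master = elect_master(routers)
    timeline = [(0, master.name)]
    pending = {}  # candidate name -> time at which it may preempt
    for t in range(horizon + 1):
        for et, rname, ifn, up in events:
            if et == t:
                by_name[rname].if_up[ifn] = up
        best = elect_master(routers)
        if best is master:
            pending.clear()
            continue
        due = pending.setdefault(best.name, t + best.preempt_delay)
        if t >= due:
            master = best
            pending.clear()
            timeline.append((t, master.name))
    return timeline


SWITCH_A = VrrpRouter("SwitchA", "10.1.1.2", priority_config=120, preempt_delay=20,
                      track={"GigabitEthernet1/0/1": 100, "GigabitEthernet1/0/2": 100})
SWITCH_B = VrrpRouter("SwitchB", "10.1.1.3")

# Constructed event sequence mirroring the verification steps: GE1/0/1 of
# SwitchA is shut down at t=5 s and brought back at t=30 s.
EVENTS = [(5, "SwitchA", "GigabitEthernet1/0/1", False),
          (30, "SwitchA", "GigabitEthernet1/0/1", True)]


def run_example():
    """Returns [(0, 'SwitchA'), (5, 'SwitchB'), (50, 'SwitchA')]."""
    return simulate([SWITCH_A, SWITCH_B], EVENTS, horizon=60)


if __name__ == "__main__":
    for t, name in run_example():
        print(f"t={t:3d}s  master={name}")
```

SwitchB wins at 5 s because its own preemption delay is 0 s, while SwitchA needs 120 > 100 plus its 20 s delay before it takes the role back at 50 s. The model compares priorities only, which is also all a peer can do when Auth type is NONE as in the output above.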

Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 11 to 15 101 to 180 301 to 305 400
#
stp disable
#
vlan 11
aggregate-vlan
access-vlan 101 to 116 301
vlan 12
aggregate-vlan
access-vlan 117 to 132 302
vlan 13
aggregate-vlan
access-vlan 133 to 148 303
vlan 14
aggregate-vlan
access-vlan 149 to 164 304
vlan 15
aggregate-vlan
access-vlan 165 to 180 305
#
interface Vlanif11
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
vrrp vrid 1 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 1 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 301
#
interface Vlanif12
ip address 10.1.2.2 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.1
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
vrrp vrid 2 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 2 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 302
#
interface Vlanif13
ip address 10.1.3.2 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.3.1
vrrp vrid 3 priority 120
vrrp vrid 3 preempt-mode timer delay 20
vrrp vrid 3 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 3 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 303
#
interface Vlanif14
ip address 10.1.4.2 255.255.255.0
vrrp vrid 4 virtual-ip 10.1.4.1
vrrp vrid 4 priority 120
vrrp vrid 4 preempt-mode timer delay 20
vrrp vrid 4 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 4 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 304
#
interface Vlanif15
ip address 10.1.5.2 255.255.255.0
vrrp vrid 5 virtual-ip 10.1.5.1
vrrp vrid 5 priority 120
vrrp vrid 5 preempt-mode timer delay 20
vrrp vrid 5 track interface gigabitethernet1/0/1 reduced 100
vrrp vrid 5 track interface gigabitethernet1/0/2 reduced 100
vrrp advertise send-mode 305
#
interface Vlanif400
ip address 192.168.1.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 301 to 305
mode lacp
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 400
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 180
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
eth-trunk 1
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
● Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 11 to 15 101 to 180 200 301 to 305
#
stp disable
#
vlan 11
aggregate-vlan
access-vlan 101 to 116 301
vlan 12
aggregate-vlan
access-vlan 117 to 132 302
vlan 13
aggregate-vlan
access-vlan 133 to 148 303
vlan 14
aggregate-vlan
access-vlan 149 to 164 304
vlan 15
aggregate-vlan
access-vlan 165 to 180 305
#
interface Vlanif11
ip address 10.1.1.3 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1
vrrp advertise send-mode 301
#
interface Vlanif12
ip address 10.1.2.3 255.255.255.0
vrrp vrid 2 virtual-ip 10.1.2.1
vrrp advertise send-mode 302
#
interface Vlanif13
ip address 10.1.3.3 255.255.255.0
vrrp vrid 3 virtual-ip 10.1.3.1
vrrp advertise send-mode 303
#
interface Vlanif14
ip address 10.1.4.3 255.255.255.0
vrrp vrid 4 virtual-ip 10.1.4.1
vrrp advertise send-mode 304
#
interface Vlanif15
ip address 10.1.5.3 255.255.255.0
vrrp vrid 5 virtual-ip 10.1.5.1
vrrp advertise send-mode 305
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
interface Eth-Trunk1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 301 to 305
mode lacp
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 101 to 180
#
interface GigabitEthernet1/0/3
eth-trunk 1
#
interface GigabitEthernet1/0/4
eth-trunk 1
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● Configuration file of SwitchC
#
sysname SwitchC
#
vlan batch 200 300 400
#
stp disable
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif300
ip address 172.16.1.1 255.255.255.0
#
interface Vlanif400
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 400
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 200
#
interface GigabitEthernet1/0/3
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 300
#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

● Configuration file of the switch
#
sysname Switch
#
vlan batch 11 to 15 101 to 180
#
stp disable
#
interface GigabitEthernet1/0/1
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11 to 15 101 to 180
#
interface GigabitEthernet1/0/2
port link-type trunk
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 11 to 15 101 to 180
#
return

3.13.2.5 Example for Configuring VRRP to Ensure Reliable Multicast Data Transmission

VRRP Overview
Generally, all hosts on the same network segment have the same default route
with the gateway address as the next hop address. The hosts use the default route
to send packets to the gateway and the gateway forwards the packets to other
network segments. When the gateway fails, the hosts with the same default route
cannot communicate with external networks. Configuring multiple egress
gateways is a commonly used method to improve system reliability. However,
route selection between the gateways becomes an issue.
VRRP solves the problem. VRRP virtualizes multiple routing devices into a virtual
router without changing the networking, and uses the virtual router IP address as
the default gateway address to implement gateway backup. When the gateway
fails, VRRP selects a new gateway to transmit service traffic to ensure reliable
communication.

Configuration Notes
● VRRP groups must use different virtual IP addresses. The virtual IP address of
a VRRP group must be on the same network segment as the IP address of the
interface where the VRRP group is configured.
● Ensure that each device of the same VRRP group is configured with the same
VRID.
● In V200R003C00 and earlier versions, only the VLANIF interface supports
VRRP. In V200R005C00 and later versions, VLANIF and Layer 3 Ethernet
interfaces support VRRP.
● This example applies to the following products:
– S3700-EI, S3700-HI
– S5720-SI, S5720S-SI, S5720I-SI, S5700-EI, S5700-HI, S5710-EI, S5720-EI,
S5710-HI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S5735-S-I, S5735S-H, S5736-S, S5735-S,
S500, S5735S-S
– S6720-SI, S6720S-SI, S6700-EI, S6720-EI, S6720S-EI, S6720-HI, S6730-H,
S6730S-H, S6730-S, S6730S-S
– S7703, S7706, S7712, S7703 PoE, S7706 PoE
– S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE
To view detailed information about software mappings, visit Info-Finder, select a
product series or product model, and click Hardware Center.

Networking Requirements
As shown in Figure 3-180, SwitchA and SwitchB are egress gateways of the
campus network; SwitchC and SwitchD are core switches. The multicast source
connects to the campus network through a router. Key nodes on the network work
in redundancy mode to improve network reliability, and the egress gateways and
core switches are fully meshed to implement link redundancy. The egress
gateways and core switches must be configured to enable multicast data to be
reliably transmitted to the downstream network.

NOTE

In this scenario, to avoid loops, ensure that all connected interfaces have STP disabled and
connected interfaces are removed from VLAN 1. If STP is enabled and VLANIF interfaces of
switches are used to construct a Layer 3 ring network, an interface on the network will be
blocked. As a result, Layer 3 services on the network cannot run normally.
Figure 3-180 Transmitting multicast data over a VRRP network

Device | Interface | VLAN | VLANIF interface IP address
SwitchA | GE1/0/0 | VLAN 100 | 10.1.1.1/24
SwitchA | Eth-Trunk 1 (member interfaces GE2/0/1, GE2/0/2, and GE2/0/3) | VLAN 100, VLAN 200 | No VLANIF interface
SwitchA | GE3/0/1 | VLAN 301 | 10.1.2.1/24
SwitchA | GE3/0/2 | VLAN 302 | 10.1.3.1/24
SwitchB | GE1/0/0 | VLAN 100 | 10.1.1.2/24
SwitchB | Eth-Trunk 1 (member interfaces GE2/0/1, GE2/0/2, and GE2/0/3) | VLAN 100, VLAN 200 | No VLANIF interface
SwitchB | GE3/0/1 | VLAN 303 | 10.1.4.1/24
SwitchB | GE3/0/2 | VLAN 304 | 10.1.5.1/24
SwitchC | GE1/0/0 | VLAN 400 | 10.1.6.1/24
SwitchC | Eth-Trunk 1 (member interfaces GE2/0/1, GE2/0/2, and GE2/0/3) | VLAN 400, VLAN 500 | No VLANIF interface
SwitchC | GE3/0/1 | VLAN 301 | 10.1.2.2/24
SwitchC | GE3/0/2 | VLAN 304 | 10.1.5.2/24
SwitchD | GE1/0/0 | VLAN 400 | 10.1.6.2/24
SwitchD | Eth-Trunk 1 (member interfaces GE2/0/1, GE2/0/2, and GE2/0/3) | VLAN 400, VLAN 500 | No VLANIF interface
SwitchD | GE3/0/1 | VLAN 303 | 10.1.4.2/24
SwitchD | GE3/0/2 | VLAN 302 | 10.1.3.2/24

Configuration Roadmap
To ensure reliable multicast data transmission, configure the Virtual Router
Redundancy Protocol (VRRP) and Bidirectional Forwarding Detection (BFD) on the
egress gateways and core switches. To ensure normal multicast forwarding,
configure a multicast protocol on the egress gateways and core switches.
1. Configure link aggregation groups between SwitchA and SwitchB, and
between SwitchC and SwitchD to ensure fast and reliable exchange of VRRP
packets.
2. Create VLANs on the switches and add their interfaces to respective VLANs.
Configure IP addresses for the corresponding VLANIF interfaces to make local
network segments reachable.
3. Configure the Open Shortest Path First (OSPF) protocol on the switches to
ensure reachable routes between them. OSPF routes load balance unicast
traffic between the egress gateways and core switches to reduce loads of links
that transmit multicast and unicast data simultaneously.
4. Configure a VRRP group between SwitchA and SwitchB and a VRRP group
between SwitchC and SwitchD to ensure reliable multicast forwarding. The
VRRP groups implement load balancing for unicast traffic to reduce loads of
links that transmit multicast and unicast data simultaneously.
5. Configure a multicast protocol on the switches to ensure normal multicast
data forwarding.
6. Configure BFD for OSPF and BFD for PIM on the switches to enable the
switches to quickly detect link failures, realizing fast convergence of unicast
and multicast routes.

Procedure
1. Configure link aggregation groups on the switches.
# Create Eth-Trunks and add member interfaces to the Eth-Trunks on the
campus egress gateway and core devices.
<SwitchA> system-view
[SwitchA] interface Eth-Trunk1 //Create Eth-Trunk1 and bind member interfaces GE2/0/1 through
GE2/0/3 to it.
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 2/0/1 to 2/0/3
[SwitchA-Eth-Trunk1] quit
<SwitchB> system-view
[SwitchB] interface Eth-Trunk1 //Create Eth-Trunk1 and bind member interfaces GE2/0/1 through
GE2/0/3 to it.
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 2/0/1 to 2/0/3
[SwitchB-Eth-Trunk1] quit
<SwitchC> system-view
[SwitchC] interface Eth-Trunk1 //Create Eth-Trunk1 and bind member interfaces GE2/0/1 through
GE2/0/3 to it.
[SwitchC-Eth-Trunk1] trunkport gigabitethernet 2/0/1 to 2/0/3
[SwitchC-Eth-Trunk1] quit
<SwitchD> system-view
[SwitchD] interface Eth-Trunk1 //Create Eth-Trunk1 and bind member interfaces GE2/0/1 through
GE2/0/3 to it.
[SwitchD-Eth-Trunk1] trunkport gigabitethernet 2/0/1 to 2/0/3
[SwitchD-Eth-Trunk1] quit

By default, an Eth-Trunk works in manual load balancing mode, and all active
interfaces load balance traffic.
2. Create VLANs, add interfaces to respective VLANs, and configure IP addresses
for corresponding VLANIF interfaces.
a. Create VLANs and add interfaces to the VLANs on the campus egress
gateway and core devices. The configurations on SwitchB, SwitchC, and
SwitchD are similar to the configuration on SwitchA, and are not
mentioned here.

NOTE
The Spanning Tree Protocol (STP) is enabled on Layer 2 interfaces of a switch by
default. On a Layer 2 ring network, STP blocks an interface to prevent loops. In
this example, SwitchC, SwitchD, and the downstream Layer 2 switch form a Layer
2 ring network. To enable unicast traffic to be load balanced among OSPF
routes, you are advised to disable STP on the Layer 2 interfaces of SwitchC and
SwitchD that connect to the Layer 2 switch. Additionally, you can configure Smart
Link on the Layer 2 switch to implement load balancing between uplinks while
preventing broadcast storms on the Layer 2 ring network.
[SwitchA] vlan batch 100 200 301 302
[SwitchA] interface gigabitethernet 1/0/0
[SwitchA-GigabitEthernet1/0/0] port link-type trunk //Set the link type of the interface to
trunk, which is not the default link type.
[SwitchA-GigabitEthernet1/0/0] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/0] quit
[SwitchA] interface gigabitethernet 3/0/1
[SwitchA-GigabitEthernet3/0/1] port link-type trunk //Set the link type of the interface to
trunk, which is not the default link type.
[SwitchA-GigabitEthernet3/0/1] port trunk allow-pass vlan 301
[SwitchA-GigabitEthernet3/0/1] quit
[SwitchA] interface gigabitethernet 3/0/2
[SwitchA-GigabitEthernet3/0/2] port link-type trunk //Set the link type of the interface to
trunk, which is not the default link type.
[SwitchA-GigabitEthernet3/0/2] port trunk allow-pass vlan 302
[SwitchA-GigabitEthernet3/0/2] quit
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] port link-type trunk //Set the link type of the interface to trunk,
which is not the default link type.
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 100 200
[SwitchA-Eth-Trunk1] quit

b. Configure IP addresses for Layer 3 interfaces on the campus egress
gateway and core devices. The configurations on SwitchB, SwitchC, and
SwitchD are similar to the configuration on SwitchA, and are not
mentioned here.
[SwitchA] interface vlanif 100 //Create VLANIF100.
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 301 //Create VLANIF301.
[SwitchA-Vlanif301] ip address 10.1.2.1 24
[SwitchA-Vlanif301] quit
[SwitchA] interface vlanif 302 //Create VLANIF302.
[SwitchA-Vlanif302] ip address 10.1.3.1 24
[SwitchA-Vlanif302] quit
[SwitchA] interface loopback 1 //Create LoopBack1.
[SwitchA-LoopBack1] ip address 10.10.1.1 32
[SwitchA-LoopBack1] quit

3. Configure OSPF.
# Enable OSPF on the campus egress gateway and core devices, add the
devices to area 0, and advertise local network segments in area 0. The
configurations on SwitchB, SwitchC, and SwitchD are similar to the
configuration on SwitchA, and are not mentioned here.
[SwitchA] ospf
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 10.1.1.0 network segment and that the interface belongs to Area 0.
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 10.1.2.0 network segment and that the interface belongs to Area 0.
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.3.0 0.0.0.255 //Specify that the interface running
OSPF is the one connected to the 10.1.3.0 network segment and that the interface belongs to Area 0.
[SwitchA-ospf-1-area-0.0.0.0] network 10.10.1.1 0.0.0.0 //Advertise the LoopBack1 address
10.10.1.1/32 in Area 0 (this address also serves as the OSPF router ID shown later in the BFD output).
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
4. Configure VRRP groups.
a. Create VRRP group 1 on campus egress gateway devices SwitchA and
SwitchB. Set the priority of SwitchA to 120 and the preemption delay to
20 seconds. Retain the default priority of SwitchB. Therefore, SwitchA
becomes the master device and SwitchB becomes the backup device of
VRRP group 1.
# Configure SwitchA.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.253 //Create VRRP group 1 on VLANIF100
and set the virtual IP address of the VRRP group to 10.1.1.253.
[SwitchA-Vlanif100] vrrp vrid 1 priority 120 //Set the priority of VLANIF100 in VRRP group 1
to 120.
[SwitchA-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20 //Set the preemption delay
of VLANIF100 in VRRP group 1 to 20 seconds.
[SwitchA-Vlanif100] quit
# Configure SwitchB.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.253 //Create VRRP group 1 on VLANIF100
and set the virtual IP address of the VRRP group to 10.1.1.253.
[SwitchB-Vlanif100] quit
b. Create VRRP group 2 on campus egress gateway devices SwitchA and
SwitchB. Set the priority of SwitchB to 120 and the preemption delay to
20 seconds. Retain the default priority of SwitchA. Therefore, SwitchB
becomes the master device and SwitchA becomes the backup device of
VRRP group 2.
# Configure SwitchA.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] vrrp vrid 2 virtual-ip 10.1.1.254 //Create VRRP group 2 on VLANIF100
and set the virtual IP address of the VRRP group to 10.1.1.254.
[SwitchA-Vlanif100] quit
# Configure SwitchB.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 2 virtual-ip 10.1.1.254 //Create VRRP group 2 on VLANIF100
and set the virtual IP address of the VRRP group to 10.1.1.254.
[SwitchB-Vlanif100] vrrp vrid 2 priority 120 //Set the priority of VLANIF100 in VRRP group 2
to 120.
[SwitchB-Vlanif100] vrrp vrid 2 preempt-mode timer delay 20 //Set the preemption delay
of VLANIF100 in VRRP group 2 to 20 seconds.
[SwitchB-Vlanif100] quit

The configurations on SwitchC and SwitchD are similar to the configurations
on SwitchA and SwitchB, and are not mentioned here.
5. Configure a multicast protocol.
a. Enable multicast routing on the campus egress gateway and core devices,
and enable PIM-SM on their Layer 3 interfaces. Enable IGMP on user-side
interfaces of the core devices.
# Configure SwitchA.
[SwitchA] multicast routing-enable //Enable multicast routing globally.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] pim sm //Enable PIM-SM on VLANIF100.
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 301
[SwitchA-Vlanif301] pim sm //Enable PIM-SM on VLANIF301.
[SwitchA-Vlanif301] quit
[SwitchA] interface vlanif 302
[SwitchA-Vlanif302] pim sm //Enable PIM-SM on VLANIF302.
[SwitchA-Vlanif302] quit
[SwitchA] interface loopback 1
[SwitchA-LoopBack1] pim sm //Enable PIM-SM on LoopBack1.
[SwitchA-LoopBack1] quit

# Configure SwitchB.
[SwitchB] multicast routing-enable //Enable multicast routing globally.
[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] pim sm //Enable PIM-SM on VLANIF100.
[SwitchB-Vlanif100] quit
[SwitchB] interface vlanif 303
[SwitchB-Vlanif303] pim sm //Enable PIM-SM on VLANIF303.
[SwitchB-Vlanif303] quit
[SwitchB] interface vlanif 304
[SwitchB-Vlanif304] pim sm //Enable PIM-SM on VLANIF304.
[SwitchB-Vlanif304] quit
[SwitchB] interface loopback 1
[SwitchB-LoopBack1] pim sm //Enable PIM-SM on LoopBack1.
[SwitchB-LoopBack1] quit

# Configure SwitchC.
[SwitchC] multicast routing-enable //Enable multicast routing globally.
[SwitchC] interface vlanif 400
[SwitchC-Vlanif400] pim sm //Enable PIM-SM on VLANIF400.
[SwitchC-Vlanif400] igmp enable //Enable IGMP on VLANIF400.
[SwitchC-Vlanif400] quit
[SwitchC] interface vlanif 301
[SwitchC-Vlanif301] pim sm //Enable PIM-SM on VLANIF301.
[SwitchC-Vlanif301] quit
[SwitchC] interface vlanif 304
[SwitchC-Vlanif304] pim sm //Enable PIM-SM on VLANIF304.
[SwitchC-Vlanif304] quit
[SwitchC] interface loopback 1
[SwitchC-LoopBack1] pim sm //Enable PIM-SM on LoopBack1.
[SwitchC-LoopBack1] quit

# Configure SwitchD.
[SwitchD] multicast routing-enable //Enable multicast routing globally.
[SwitchD] interface vlanif 400
[SwitchD-Vlanif400] pim sm //Enable PIM-SM on VLANIF400.
[SwitchD-Vlanif400] igmp enable //Enable IGMP on VLANIF400.
[SwitchD-Vlanif400] quit
[SwitchD] interface vlanif 302
[SwitchD-Vlanif302] pim sm //Enable PIM-SM on VLANIF302.
[SwitchD-Vlanif302] quit
[SwitchD] interface vlanif 303
[SwitchD-Vlanif303] pim sm //Enable PIM-SM on VLANIF303.
[SwitchD-Vlanif303] quit
[SwitchD] interface loopback 1
[SwitchD-LoopBack1] pim sm //Enable PIM-SM on LoopBack1.
[SwitchD-LoopBack1] quit

b. Configure the dynamic RP function on the core devices SwitchC and SwitchD
that aggregate multicast traffic.
# Configure Loopback1 of SwitchC as a C-BSR and a C-RP.
[SwitchC] pim
[SwitchC-pim] c-bsr loopback 1 //Configure Loopback1 as a C-BSR interface.
[SwitchC-pim] c-rp loopback 1 //Configure Loopback1 as a C-RP interface.
[SwitchC-pim] quit

# Configure Loopback1 of SwitchD as a C-BSR and a C-RP.
[SwitchD] pim
[SwitchD-pim] c-bsr loopback 1 //Configure Loopback1 as a C-BSR interface.
[SwitchD-pim] c-rp loopback 1 //Configure Loopback1 as a C-RP interface.
[SwitchD-pim] quit

6. Configure BFD.
a. Enable global BFD on the campus egress gateway and core devices.
Global BFD must be enabled before you configure BFD for OSPF and BFD
for PIM. The configurations on SwitchB, SwitchC, and SwitchD are similar
to the configuration on SwitchA, and are not mentioned here.
[SwitchA] bfd //Enable BFD globally.
[SwitchA-bfd] quit
b. Enable BFD for OSPF on the campus egress gateway and core devices.
The configurations on SwitchB, SwitchC, and SwitchD are similar to the
configuration on SwitchA, and are not mentioned here.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ospf bfd enable //Enable BFD for OSPF on VLANIF100.
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 301
[SwitchA-Vlanif301] ospf bfd enable //Enable BFD for OSPF on VLANIF301.
[SwitchA-Vlanif301] quit
[SwitchA] interface vlanif 302
[SwitchA-Vlanif302] ospf bfd enable //Enable BFD for OSPF on VLANIF302.
[SwitchA-Vlanif302] quit
c. Enable BFD for PIM on the campus egress gateway and core devices. The
configurations on SwitchB, SwitchC, and SwitchD are similar to the
configuration on SwitchA, and are not mentioned here.
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] pim bfd enable //Enable BFD for PIM on VLANIF100.
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 301
[SwitchA-Vlanif301] pim bfd enable //Enable BFD for PIM on VLANIF301.
[SwitchA-Vlanif301] quit
[SwitchA] interface vlanif 302
[SwitchA-Vlanif302] pim bfd enable //Enable BFD for PIM on VLANIF302.
[SwitchA-Vlanif302] quit
7. Verify the configuration.
– Verify the configuration of link aggregation.
# Run the display eth-trunk 1 command on SwitchA. The command
output shows that Eth-Trunk 1 has three member interfaces:
GigabitEthernet2/0/1, GigabitEthernet2/0/2, and GigabitEthernet2/0/3. All
the member interfaces are Up.
[SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Ports In Trunk: 3
--------------------------------------------------------------------------------
PortName Status Weight
GigabitEthernet2/0/1 Up 1
GigabitEthernet2/0/2 Up 1
GigabitEthernet2/0/3 Up 1
The display eth-trunk 1 command outputs on SwitchB, SwitchC, and
SwitchD are similar to the command output on SwitchA.
– Verify the VRRP configuration.
# Run the display vrrp command on SwitchA. The command output
shows that SwitchA is the master device in VRRP group 1 and the backup
device in VRRP group 2.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.253
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-12-31 10:34:23 UTC-08:00
Last change time : 2012-12-31 10:34:26 UTC-08:00

Vlanif100 | Virtual Router 2
State : Backup
Virtual IP : 10.1.1.254
Master IP : 10.1.1.2
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-12-31 10:35:39 UTC-08:00
Last change time : 2012-12-31 10:35:43 UTC-08:00

# Run the display vrrp command on SwitchB. The command output
shows that SwitchB is the backup device in VRRP group 1 and the master
device in VRRP group 2.
[SwitchB] display vrrp
Vlanif100 | Virtual Router 1
State : Backup
Virtual IP : 10.1.1.253
Master IP : 10.1.1.1
PriorityRun : 100
PriorityConfig : 100
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-12-31 10:34:23 UTC-08:00
Last change time : 2012-12-31 10:34:26 UTC-08:00

Vlanif100 | Virtual Router 2
State : Master
Virtual IP : 10.1.1.254
Master IP : 10.1.1.2
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-12-31 10:35:39 UTC-08:00
Last change time : 2012-12-31 10:35:43 UTC-08:00
The display vrrp command outputs on SwitchC and SwitchD are similar
to the command outputs on SwitchA and SwitchB.
– Verify the OSPF configuration.
# Run the display ip routing-table command on SwitchA. The command
output shows that there are two IP routes to 10.1.6.0/24, implementing
load balancing of unicast traffic.
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib, T - to vpn-instance
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 15 Routes : 18

Destination/Mask Proto Pre Cost Flags NextHop Interface

10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif100
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.1.253/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.1.254/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.2.0/24 Direct 0 0 D 10.1.2.1 Vlanif301
10.1.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif301
10.1.3.0/24 Direct 0 0 D 10.1.3.1 Vlanif302
10.1.3.1/32 Direct 0 0 D 127.0.0.1 Vlanif302
10.1.4.0/24 OSPF 10 2 D 10.1.3.2 Vlanif302
10.1.5.0/24 OSPF 10 2 D 10.1.2.2 Vlanif301
10.1.6.0/24 OSPF 10 2 D 10.1.2.2 Vlanif301
OSPF 10 2 D 10.1.3.2 Vlanif302
10.1.6.253/32 OSPF 10 2 D 10.1.2.2 Vlanif301
OSPF 10 2 D 10.1.3.2 Vlanif302
10.1.6.254/32 OSPF 10 2 D 10.1.3.2 Vlanif302
OSPF 10 2 D 10.1.2.2 Vlanif301
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1 InLoopBack0
The display ip routing-table command outputs on SwitchB, SwitchC, and
SwitchD are similar to the command output on SwitchA.
– Verify the PIM-SM configuration.
Multicast source 10.100.1.1 sends multicast data to group 225.0.0.10, and
user hosts have joined group 225.0.0.10.
# Run the display pim routing-table command on SwitchB and SwitchD.
The command output shows that PIM routing entries have been created
for group 225.0.0.10.
NOTE
SwitchB and SwitchD implement multicast routing as follows:
● According to the dynamic RP election rules, when C-RP interfaces have the same
IP address mask, priority, and hash calculation result, the C-RP interface with the
larger IP address becomes the RP. Therefore, Loopback1 of SwitchD becomes the
RP interface.
● According to the reverse path forwarding (RPF) check rules, if two equal-cost
optimal routes are available in the IP routing table, the one with the larger next
hop address is selected as the RPF route. SwitchD reaches the network segment
10.1.1.0/24 through SwitchA (next hop 10.1.3.1, VLANIF302) and SwitchB (next
hop 10.1.4.1, VLANIF303) at equal cost, so it selects the route with the next hop
address 10.1.4.1 as the RPF route, as the Upstream neighbor field in its output
shows.
[SwitchB] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entry

(10.100.1.1, 225.0.0.10)

RP: 10.4.4.4
Protocol: pim-sm, Flag: SPT ACT
UpTime: 00:00:42
Upstream interface: Vlanif100
Upstream neighbor: 10.1.1.3
RPF prime neighbor: 10.1.1.3
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif303
Protocol: pim-sm, UpTime: 00:00:42, Expires:-
[SwitchD] display pim routing-table
VPN-Instance: public net
Total 0 (*, G) entry; 1 (S, G) entry

(10.100.1.1, 225.0.0.10)
RP: 10.4.4.4
Protocol: pim-sm, Flag: SPT ACT
UpTime: 00:00:42
Upstream interface: Vlanif303
Upstream neighbor: 10.1.4.1
RPF prime neighbor: 10.1.4.1
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif400
Protocol: pim-sm, UpTime: 00:00:42, Expires:-

– Verify the BFD configuration.
# Run the display ospf bfd session all command on SwitchA. The
command output shows that OSPF BFD sessions have been successfully
set up.
[SwitchA] display ospf bfd session all
OSPF Process 1 with Router ID 10.10.1.1

Area 0.0.0.0 interface 10.1.1.1(Vlanif100)'s BFD Sessions

NeighborId:10.2.2.2 AreaId:0.0.0.0 Interface: Vlanif100
BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8196 LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.1.2 Diagnostic Info:No diagnostic information

Area 0.0.0.0 interface 10.1.1.1(Vlanif100)'s BFD Sessions

NeighborId:5.5.5.5 AreaId:0.0.0.0 Interface: Vlanif100
BFDState:up rx :1000 tx :1000
Multiplier:4 BFD Local Dis:8195 LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.1.3 Diagnostic Info:No diagnostic information

Area 0.0.0.0 interface 10.1.2.1(Vlanif301)'s BFD Sessions

NeighborId:10.3.3.3 AreaId:0.0.0.0 Interface: Vlanif301
BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8194 LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.2.2 Diagnostic Info:No diagnostic information

Area 0.0.0.0 interface 10.1.3.1(Vlanif302)'s BFD Sessions

NeighborId:10.4.4.4 AreaId:0.0.0.0 Interface: Vlanif302
BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8193 LocalIpAdd:10.1.1.1
RemoteIpAdd:10.1.3.2 Diagnostic Info:No diagnostic information

The display ospf bfd session all command outputs on SwitchB, SwitchC,
and SwitchD are similar to the command output on SwitchA.
# Run the display pim bfd session command on SwitchA. The command
output shows that PIM BFD sessions have been successfully set up.
[SwitchA] display pim bfd session
VPN-Instance: public net
Total 4 BFD session Created

Vlanif100 (10.1.1.1): Total 2 BFD session Created
Neighbor ActTx(ms) ActRx(ms) ActMulti Local/Remote State
10.1.1.2 1000 1000 3 8192/8192 Up
10.1.1.3 1000 1000 3 8191/8191 Up

Vlanif301 (10.1.2.1): Total 1 BFD session Created
Neighbor ActTx(ms) ActRx(ms) ActMulti Local/Remote State
10.1.2.2 1000 1000 3 8193/8193 Up

Vlanif302 (10.1.3.1): Total 1 BFD session Created
Neighbor ActTx(ms) ActRx(ms) ActMulti Local/Remote State
10.1.3.2 1000 1000 3 8194/8194 Up
The display pim bfd session command outputs on SwitchB, SwitchC, and
SwitchD are similar to the command output on SwitchA.

Configuration Files
● Configuration file of campus egress gateway SwitchA
#
sysname SwitchA
#
vlan batch 100 200 301 to 302
#
multicast routing-enable
#
bfd
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.253
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
vrrp vrid 2 virtual-ip 10.1.1.254
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif301
ip address 10.1.2.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif302
ip address 10.1.3.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2
eth-trunk 1
#

interface GigabitEthernet2/0/3
eth-trunk 1
#
interface GigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 301
#
interface GigabitEthernet3/0/2
port link-type trunk
port trunk allow-pass vlan 302
#
interface LoopBack1
ip address 10.10.1.1 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.10.1.1 0.0.0.0
#
return
● Configuration file of campus egress gateway SwitchB
#
sysname SwitchB
#
vlan batch 100 200 303 to 304
#
multicast routing-enable
#
bfd
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.253
vrrp vrid 2 virtual-ip 10.1.1.254
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif303
ip address 10.1.4.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif304
ip address 10.1.5.1 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 100 200
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2
eth-trunk 1
#

interface GigabitEthernet2/0/3
eth-trunk 1
#
interface GigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 303
#
interface GigabitEthernet3/0/2
port link-type trunk
port trunk allow-pass vlan 304
#
interface LoopBack1
ip address 10.2.2.2 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 10.2.2.2 0.0.0.0
#
return
● Configuration file of core device SwitchC
#
sysname SwitchC
#
vlan batch 301 304 400 500
#
multicast routing-enable
#
bfd
#
interface Vlanif301
ip address 10.1.2.2 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif304
ip address 10.1.5.2 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif400
ip address 10.1.6.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.6.253
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
vrrp vrid 2 virtual-ip 10.1.6.254
pim sm
pim bfd enable
igmp enable
ospf bfd enable
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 400 500
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 400
stp disable
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2

eth-trunk 1
#
interface GigabitEthernet2/0/3
eth-trunk 1
#
interface GigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 301
#
interface GigabitEthernet3/0/2
port link-type trunk
port trunk allow-pass vlan 304
#
interface LoopBack1
ip address 10.3.3.3 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.5.0 0.0.0.255
network 10.1.6.0 0.0.0.255
network 10.3.3.3 0.0.0.0
#
pim
c-bsr LoopBack1
c-rp LoopBack1
#
return
● Configuration file of core device SwitchD
#
sysname SwitchD
#
vlan batch 302 to 303 400 500
#
multicast routing-enable
#
bfd
#
interface Vlanif302
ip address 10.1.3.2 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif303
ip address 10.1.4.2 255.255.255.0
pim sm
pim bfd enable
ospf bfd enable
#
interface Vlanif400
ip address 10.1.6.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.6.253
vrrp vrid 2 virtual-ip 10.1.6.254
vrrp vrid 2 priority 120
vrrp vrid 2 preempt-mode timer delay 20
pim sm
pim bfd enable
igmp enable
ospf bfd enable
#
interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 400 500
#
interface GigabitEthernet1/0/0
port link-type trunk
port trunk allow-pass vlan 400

stp disable
#
interface GigabitEthernet2/0/1
eth-trunk 1
#
interface GigabitEthernet2/0/2
eth-trunk 1
#
interface GigabitEthernet2/0/3
eth-trunk 1
#
interface GigabitEthernet3/0/1
port link-type trunk
port trunk allow-pass vlan 303
#
interface GigabitEthernet3/0/2
port link-type trunk
port trunk allow-pass vlan 302
#
interface LoopBack1
ip address 10.4.4.4 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
network 10.1.6.0 0.0.0.255
network 10.4.4.4 0.0.0.0
#
pim
c-bsr LoopBack1
c-rp LoopBack1
#
return

3.14 Typical User Access and Authentication Configuration
If NAC authentication is enabled on an interface, the following commands cannot
be used on the same interface. If the following commands are configured on an
interface, NAC authentication cannot be used on the same interface.
Command | Function
mac-limit | Sets the maximum number of MAC addresses that can be learned by an interface.
mac-address learning disable | Disables MAC address learning on an interface.
port link-type dot1q-tunnel | Sets the link type of an interface to QinQ.
port vlan-mapping vlan map-vlan / port vlan-mapping vlan inner-vlan | Configures VLAN mapping on an interface.
port vlan-stacking | Configures selective QinQ.
port-security enable | Enables interface security.
NOTE: The restriction applies only to devices of versions earlier than V200R012C00. For devices running V200R012C00 or a later version, you can run this command on an interface even if NAC authentication is enabled on the interface, or enable NAC authentication on an interface even if this command is run.
mac-vlan enable | Enables MAC address-based VLAN assignment on an interface.
ip-subnet-vlan enable | Enables IP subnet-based VLAN assignment on an interface.
user-bind ip sticky-mac | Enables the device to generate snooping MAC entries.
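As an added audit example (not Huawei code and not the switch's own check), the following Python script parses a configuration file in the format shown in this chapter and reports every interface on which NAC authentication coexists with one of the commands in the table above, applying the V200R012C00 exception for port-security enable. The interface commands it treats as "NAC enabled" (NAC_COMMANDS) and the sample configuration are assumptions, not taken from the page.

```python
"""Audit a Huawei-style switch configuration for interfaces on which NAC
authentication coexists with a command the table above says conflicts with it.
Added example; it is not Huawei code and does not reproduce the switch's checks."""
import re

# Conflicting commands from the table above, matched as command-line prefixes.
CONFLICTING = {
    "mac-limit": "limits learned MAC addresses",
    "mac-address learning disable": "disables MAC address learning",
    "port link-type dot1q-tunnel": "sets the link type to QinQ",
    "port vlan-mapping vlan": "configures VLAN mapping",
    "port vlan-stacking": "configures selective QinQ",
    "port-security enable": "enables interface security",
    "mac-vlan enable": "enables MAC address-based VLAN assignment",
    "ip-subnet-vlan enable": "enables IP subnet-based VLAN assignment",
    "user-bind ip sticky-mac": "generates snooping MAC entries",
}
# Assumption: these interface-view commands count as "NAC authentication enabled".
# The table does not name them; adjust the tuple to the commands your version uses.
NAC_COMMANDS = ("dot1x enable", "authentication dot1x",
                "mac-authen", "authentication mac-authen")
PORT_SECURITY_LIFTED_FROM = "V200R012C00"   # from the NOTE in the table


def parse_version(version: str) -> tuple:
    """Turn 'V200R012C00' into (200, 12, 0) so versions compare numerically."""
    m = re.match(r"V(\d+)R(\d+)C(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def interface_blocks(config_text: str) -> dict:
    """Split a config file into {interface name: [commands]} using the '#' separators."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = blocks.setdefault(line.split(None, 1)[1], [])
        elif line in ("#", "return"):
            current = None
        elif current is not None and line:
            current.append(line)
    return blocks


def find_nac_conflicts(config_text: str, version: str) -> list:
    """Return (interface, command, reason) for each conflicting command on a NAC interface."""
    lifted = parse_version(version) >= parse_version(PORT_SECURITY_LIFTED_FROM)
    findings = []
    for name, commands in interface_blocks(config_text).items():
        if not any(cmd.startswith(NAC_COMMANDS) for cmd in commands):
            continue   # no NAC on this interface, nothing to check
        for cmd in commands:
            for prefix, reason in CONFLICTING.items():
                if cmd.startswith(prefix):
                    if prefix == "port-security enable" and lifted:
                        continue   # allowed together from V200R012C00 on
                    findings.append((name, cmd, reason))
    return findings


# Constructed sample configuration (not from the page): two NAC interfaces with
# conflicting commands and one non-NAC interface that must not be reported.
SAMPLE_CONFIG = """\
#
interface GigabitEthernet1/0/3
 port link-type hybrid
 port hybrid untagged vlan 30
 dot1x enable
 mac-limit maximum 10
#
interface GigabitEthernet1/0/4
 port link-type access
 port-security enable
 dot1x enable
#
interface GigabitEthernet1/0/5
 port link-type dot1q-tunnel
 mac-limit maximum 10
#
return
"""

if __name__ == "__main__":
    for version in ("V200R011C10", "V200R012C00"):
        print(version, find_nac_conflicts(SAMPLE_CONFIG, version))
```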

3.14.1 Typical AAA Configuration

3.14.1.1 Notice to Be Taken When the Device Connects to Non-Huawei RADIUS Servers

Notice to Be Taken When the Device Connects to an H3C iMC RADIUS Server
When the device connects to an H3C iMC RADIUS server to perform
authentication, authorization, or accounting for 802.1X users, configure security
check policies (for example, check whether the 802.1X client has two network
cards and whether the 802.1X client version is correct) on the RADIUS server to
improve security. In addition, perform the following operations on the device:
1. Configure RADIUS accounting.
2. Run the dot1x authentication-method eap command to configure EAP relay
authentication for 802.1X users.
3. Run the dot1x eap-notify-packet eap-code 10 data-type 25 command to
configure the device to return the EAP packets with type value of 10 and data
type of 25 to the RADIUS server.
4. Run the radius-attribute translate HW-Up-Priority HW-User-Information
receive command to convert the HW-Up-Priority attribute in the received
RADIUS packets into HW-User-Information.
5. If the RADIUS server needs to dynamically authorize AAA users, the attributes
delivered by the security check policy may differ from the attributes delivered
by dynamic authorization. Therefore, run the authorization-modify mode modify
command to set the update mode for user authorization information delivered by
the RADIUS server to Modify. After the command is executed, the attributes
delivered by dynamic authorization will not overwrite the attributes delivered by
the security check policy.
6. (V200R010C00 and later versions) To use the session management function,
run the radius-server session-manage ip-address shared-key cipher share-
key command to enable session management on the RADIUS server and set
the IP address and shared key of the RADIUS session management server.

If the active server fails, the switch sends the authentication request packets to the
standby server. Because the timeout interval of the security check session on iNode is
short, you are advised to run the radius-server retransmit retry-times timeout
time-value command to set the number of RADIUS request retransmissions to 1 and the
timeout interval to less than 5s, so that services are not interrupted.

Notice to Be Taken When the Device Connects to a Ruijie RADIUS Server
If you want to view the MAC addresses or IP addresses of online users on a Ruijie
RADIUS server, set the device type to H3C or Digital China on the RADIUS server.

Notice to Be Taken When the Device Connects to a Leagsoft RADIUS Server
When the NAS-IP of the RADIUS client (device) is configured on the Leagsoft
RADIUS server, the MAC address of the device also needs to be configured.

Notice to Be Taken When the Device Connects to a Symantec RADIUS Server
● The Symantec RADIUS server can only be used as an authentication server,
but cannot be used as an authorization or accounting server. When the device
connects to a Symantec RADIUS server, ensure that the RADIUS server is not
configured as an authorization or accounting server.
● When the Symantec RADIUS server performs 802.1X authentication for users,
perform the following configurations on the device:
– Run the undo dot1x handshake command to disable handshake
between the device and 802.1X online users.
– Run the dot1x authentication-method eap command to configure EAP
relay authentication for 802.1X users.

3.14.1.2 Example for Configuring Authentication for Telnet Login Users (AAA
Local Authentication)

AAA Local Authentication Overview
Users are locally authenticated through AAA. To log in to a device, a user must
enter the correct user name and password. User information is configured on the
local device. There is no need to deploy an authentication server on the network.
Therefore, AAA local authentication is fast and inexpensive. However, how much
user information can be stored depends on the hardware capacity of the device.

Configuration Notes
This configuration example applies to all switches running all versions.

Networking Requirements
As shown in Figure 3-181, the administrator needs to remotely manage the device in
a simplified and secure manner. The specific requirements are as follows:
1. The administrator must enter the correct user name and password to log in to the
device through Telnet.
2. After logging in to the device through Telnet, the administrator can run the
commands at levels 0-3.

Figure 3-181 Configuring authentication for Telnet login users (AAA local
authentication)

Configuration Roadmap
1. Enable the Telnet service.
2. Set the authentication method for Telnet login users to AAA.
3. Configure AAA local authentication, including creating a local user, setting the
user access type to Telnet, and setting the user level to 15.

Procedure
Step 1 Configure interfaces and assign IP addresses.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.2.10 24
[Switch-Vlanif10] quit
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit

Step 2 Enable the Telnet server.
[Switch] telnet server enable
[Switch] telnet server-source -i Vlanif 10 //Configure the source interface of the server as the interface
corresponding to 10.1.2.10. Assume that the interface is Vlanif 10.

Step 3 Set the authentication method for the VTY user interface to AAA.
[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY login users to 15 (the value
range varies according to product versions and models). By default, the maximum number of Telnet users is
5.
[Switch] user-interface vty 0 14 //Enter the VTY 0-14 user view.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication method for the VTY user view to
AAA.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface to support Telnet. By
default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later
versions support SSH.
[Switch-ui-vty0-14] quit

Step 4 Configure AAA local authentication.
[Switch] aaa
[Switch-aaa] local-user user1 password irreversible-cipher YsHsjx_202206 //Create local user user1 and
set the password. The password is displayed in cipher text in the configuration file, so remember the
password. If you forget the password, run this command again to reconfigure the password (the command
is local-user user-name password cipher password in V200R002 and earlier versions).
[Switch-aaa] local-user user1 service-type telnet //Set the access type of user1 to Telnet. The user can
log in through only Telnet (by default, users can log in through any method in versions earlier than
V200R007 and cannot log in through any method in V200R007 and later versions).
[Switch-aaa] local-user user1 privilege level 15 //Set the user level of user1 to 15. The user can use the
commands of level 3 and lower levels.
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y
[Switch-aaa] quit

NOTE

When the entered user name does not contain a domain name, the device authenticates the
user using the default administrative domain default_admin. By default, the default
administrative domain uses the authentication scheme default and accounting scheme default.
● Authentication scheme default: local authentication
● Accounting scheme default: non-accounting

Step 5 Verify the configuration.
Choose Start > Run on your computer and enter cmd to open the cmd window.
Run the telnet command and enter the user name user1 and password
YsHsjx_202206 to log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:user1
Password:***********
<Switch>//The administrator successfully logs in.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
telnet server enable
telnet server-source -i Vlanif 10
#
aaa
local-user user1 password irreversible-cipher %^%#.)P`(ahmeXKljES$}IC%OdjjC$m)cA#}T(8z4*ZK!_Z
+GSo<7C*O8WO,!rt;%^%#
local-user user1 privilege level 15
local-user user1 service-type telnet
#
interface Vlanif10
ip address 10.1.2.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
return

3.14.1.3 Example for Configuring Authentication for Telnet Login Users
(RADIUS Authentication)

RADIUS Authentication Overview
When a RADIUS authentication server is deployed on a network, users can be
authenticated through RADIUS. User information is created and maintained by the
RADIUS authentication server. A user can successfully log in to the device only
when the entered user name and password are the same as those configured on
the RADIUS server. Generally, RADIUS authentication is configured on the network
requiring high security, for example, financial, government, and
telecommunication carrier networks.

Configuration Notes
This configuration example applies to all switches running all versions.

Networking Requirements
As shown in Figure 3-182, a RADIUS server is deployed on the network. The
administrator is authenticated through RADIUS and logs in to the device through
Telnet to remotely manage it. The specific requirements are as follows:

1. The administrator must enter the correct user name and password to log in to the
device through Telnet.
2. After logging in to the device through Telnet, the administrator can run the
commands at levels 0-15.

Figure 3-182 Configuring authentication for Telnet login users (RADIUS
authentication)

Configuration Roadmap
1. Enable the Telnet service.
2. Set the authentication method for Telnet login users to AAA.
3. Configure RADIUS authentication, including creating a RADIUS server
template, an AAA authentication scheme, and a service scheme, and applying
the schemes to a domain.
4. Configure the domain to which the administrator belongs as the default
administrative domain so that the administrator does not need to enter the
domain name when logging in.

NOTE

This example only provides the configurations on the device. Ensure that the required
parameters have been set on the RADIUS server, for example, the device's IP address,
the shared key, and the user accounts to be created.

Procedure
Step 1 Configure interfaces and assign IP addresses.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.2.10 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.6.10 24
[Switch-Vlanif20] quit
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

Step 2 Enable the Telnet server.
[Switch] telnet server enable
[Switch] telnet server-source -i Vlanif 10 //Configure the source interface of the server as the interface
corresponding to 10.1.2.10. Assume that the interface is Vlanif 10.

Step 3 Set the authentication method for the VTY user interface to AAA.
[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY login users to 15 (the value
range varies according to product versions and models). By default, the maximum number of Telnet users is
5.
[Switch] user-interface vty 0 14 //Enter the VTY 0-14 user view.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication method for the VTY user view to
AAA.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface to support Telnet. By
default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later
versions support SSH.
[Switch-ui-vty0-14] quit

Step 4 Configure RADIUS authentication.
# Configure the RADIUS server template to implement communication between
the device and the RADIUS server.
[Switch] radius-server template 1
[Switch-radius-1] radius-server authentication 10.1.6.6 1812 //Specify the IP address and port number of
the RADIUS authentication server.


[Switch-radius-1] radius-server shared-key cipher YsHsjx_202206 //Specify the shared key of the RADIUS
server, which must be the same as that configured on the RADIUS server.
[Switch-radius-1] quit

NOTE

If the RADIUS server does not accept the user names containing domain names, run the undo
radius-server user-name domain-included command on the device so that the packets sent
from the device to the RADIUS server do not contain domain names.

# Configure an AAA authentication scheme and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode radius
[Switch-aaa-authen-sch1] quit

# Configure a service scheme and set the user level to 15.
[Switch-aaa] service-scheme sch1
[Switch-aaa-service-sch1] admin-user privilege level 15
[Switch-aaa-service-sch1] quit

# Apply the AAA authentication scheme, RADIUS server template, and service
scheme to the domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme sch1
[Switch-aaa-domain-huawei.com] radius-server 1
[Switch-aaa-domain-huawei.com] service-scheme sch1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

Step 5 Configure the domain to which the administrator belongs as the default
administrative domain so that the administrator does not need to enter the
domain name when logging in to the device through Telnet.
[Switch] domain huawei.com admin

Step 6 Verify the configuration.
# Run the test-aaa command on the device to test whether the administrator can
pass the authentication.
[Switch] test-aaa user1 YsHsjx_202207 radius-template 1 //Enter the user account for logging in to the
device configured on the RADIUS server. In this example, the user name is user1 and the password is
YsHsjx_202207.

# Choose Start > Run on your computer running Windows operating system and
enter cmd to open the cmd window. Run the telnet command and enter the user
name user1 and password YsHsjx_202207 to log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:user1
Password:***********
<Switch>//The administrator successfully logs in.

----End
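The exchange behind the test-aaa check and the Telnet login in Step 6, as an added example that is not part of the original document or of Huawei's or any RADIUS server's implementation: a minimal RFC 2865 PAP Access-Request/Access-Accept round trip in Python, showing why the shared key must be identical on the switch and the server. The in-memory user database, the NAS IP address and the simplified server are assumptions; the account and key values reuse those from the example above.

```python
"""Simulated RADIUS PAP exchange (RFC 2865) between the switch (NAS) and the
RADIUS server, as triggered by test-aaa or a Telnet login in the example above.
Added example; not Huawei code and not a real RADIUS server."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4      # attribute types, RFC 2865


def obfuscate_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse; the chain runs over the hidden blocks, not the plaintext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(c ^ k for c, k in zip(block, key)), block
    return out.rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: list) -> bytes:
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data: bytes):
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs[t] = data[pos + 2:pos + l]
        pos += l
    return code, ident, data[4:20], attrs


def nas_access_request(username: str, password: str, secret: bytes, nas_ip: str, ident=1):
    """Switch side: Access-Request carrying a fresh random Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username.encode()),
             (USER_PASSWORD, obfuscate_password(password.encode(), secret, req_auth)),
             (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def server_handle(request: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: check the password and reply with a Response Authenticator of
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    code, ident, req_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST:
        raise ValueError("expected an Access-Request")
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    expected = users.get(user)
    ok = expected is not None and hmac.compare_digest(expected.encode(), password)
    reply = ACCESS_ACCEPT if ok else ACCESS_REJECT
    unsigned = build_packet(reply, ident, req_auth, [])
    resp_auth = hashlib.md5(unsigned[:4] + req_auth + unsigned[20:] + secret).digest()
    return build_packet(reply, ident, resp_auth, [])


def nas_verify_reply(reply: bytes, req_auth: bytes, secret: bytes) -> str:
    """Switch side: drop any reply whose Response Authenticator does not verify."""
    code, _, resp_auth, _ = parse_packet(reply)
    expected = hashlib.md5(reply[:4] + req_auth + reply[20:] + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return "dropped"        # forged reply, or the shared keys differ
    return "accept" if code == ACCESS_ACCEPT else "reject"


def simulate_test_aaa(username, password, nas_secret, server_secret, users, nas_ip="10.1.6.10"):
    """Whole exchange, like 'test-aaa user1 <password> radius-template 1' on the switch."""
    request, req_auth = nas_access_request(username, password, nas_secret, nas_ip)
    reply = server_handle(request, server_secret, users)
    return nas_verify_reply(reply, req_auth, nas_secret)


if __name__ == "__main__":
    db = {"user1": "YsHsjx_202207"}          # constructed user database
    key = b"YsHsjx_202206"                   # shared key from the example above
    print(simulate_test_aaa("user1", "YsHsjx_202207", key, key, db))           # accept
    print(simulate_test_aaa("user1", "wrong", key, key, db))                   # reject
    print(simulate_test_aaa("user1", "YsHsjx_202207", key, b"other-key", db))  # dropped
```

A mismatched shared key fails twice over: the server decodes the User-Password attribute to garbage and rejects, and the switch cannot verify the Response Authenticator, so it discards the reply as if the server had not answered.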

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain huawei.com admin
#
telnet server enable
telnet server-source -i Vlanif 10
#
radius-server template 1
radius-server shared-key cipher %^%#Zh-H!i<+2RUI,E4_q<''+[14Fmj4@>Aa0pM0H}@D%^%#
radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius
service-scheme sch1
admin-user privilege level 15
domain huawei.com
authentication-scheme sch1
service-scheme sch1
radius-server 1
#
interface Vlanif10
ip address 10.1.2.10 255.255.255.0
#
interface Vlanif20
ip address 10.1.6.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
return

3.14.1.4 Example for Configuring Authentication for Telnet Login Users
(Using the Secure ACS as a RADIUS Authentication Server)

RADIUS Authentication Overview
When a RADIUS authentication server is deployed on a network, users can be
authenticated through RADIUS. User information is created and maintained by the
RADIUS authentication server. A user can successfully log in to the device only
when the entered user name and password are the same as those configured on
the RADIUS server. Generally, RADIUS authentication is configured on the network
requiring high security, for example, financial, government, and
telecommunication carrier networks.

Configuration Notes
This configuration example applies to all switches running all versions.
In this example, the RADIUS authentication server is the secure ACS running
version 5.2.0.26.

Networking Requirements
As shown in Figure 3-183, on an enterprise network, an administrator connects to
the switch through a management network and an 802.1X user connects to the
switch through an access network. The enterprise uses ACS to create and maintain
user information. The administrator can log in to the ACS through the web.
The administrator and 802.1X user are allocated different accounts and rights to
improve security. The requirements are as follows:
1. The administrator can Telnet to the switch only after entering the user name
and password, and can use the commands from level 0 to level 15 after login.
2. To access the switch, the 802.1X user needs to start the 802.1X client, enter
the user name and password, and be authenticated.
After the 802.1X user accesses the switch:
– The user can use the commands at level 0 to level 2.
– The ACS delivers VLAN 100 and ACL 3000 to the user.
3. The administrator is authenticated in the default domain, and the 802.1X user
is authenticated in the huawei.com domain.

Figure 3-183 Networking of Telnet login user authentication (Using the Secure
ACS as a RADIUS Authentication Server)

Preparations

Table 3-96 Data used to connect the switch to ACS

Item | Data
Administrator's user name and password of the ACS client | User name: acsadmin; Password: YsHsjx_2022061
Administrator's user name and password of the switch | User name: admin1; Password: YsHsjx_2022062
User name and password of the 802.1X user | User name: user1@huawei.com; Password: YsHsjx_2022063
Switch name and the IP address of the interface connected to the ACS | Switch name: Switch; IP address: 10.1.6.10
Shared password of switch and ACS | YsHsjx_2022064

Configuration Roadmap
1. Configure the switch.
a. Configure interfaces and allocate IP addresses to them, so that the switch
can communicate with the ACS.
b. Create a VLAN and an ACL that the ACS will deliver.
c. Enable the Telnet service.
d. Configure AAA authentication for the administrator to Telnet to the
switch.
e. Configure RADIUS authentication, including creating the RADIUS server
template and AAA authentication scheme and applying them to the
default_admin and huawei.com domains.
f. Enable 802.1X authentication on the interface that the 802.1X user
accesses.
2. Configure the ACS, add access devices and users, and configure an
authentication and authorization profile. Add access policies and bind users to
the authentication and authorization profile.

NOTE

Ensure that the Switch and ACS can communicate with each other.

Procedure
Step 1 Configure the switch.
1. Configure interfaces and allocate IP addresses to them, so that the switch can
communicate with the ACS.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.6.10 24 //Configure the IP address used to communicate with the
ACS.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.10 24
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.1.3.10 24
[Switch-Vlanif30] quit

[Switch] interface gigabitethernet1/0/1 //Configure the interface used to connect to the ACS.
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/2 //Configure the interface used to connect to administrators.
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet1/0/3 //Configure the interface used to connect to 802.1X users.
[Switch-GigabitEthernet1/0/3] port link-type hybrid //If the AAA server needs to deliver a VLAN or
ACL to access users, the user access interface (with authentication enabled) on the switch must be a
hybrid interface.
[Switch-GigabitEthernet1/0/3] port hybrid untagged vlan 30
[Switch-GigabitEthernet1/0/3] quit
2. Create a VLAN and an ACL that the ACS will deliver to access users.
Only the VLAN or ACL that is the same as that configured on the AAA server
can be delivered.
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] acl 3000
[Switch-acl-adv-3000] quit
3. Enable the Telnet server.
[Switch] telnet server enable
[Switch] telnet server-source -i Vlanif 20 //Configure the source interface of the server as the
interface corresponding to 10.1.2.10. Assume that the interface is Vlanif 20.
4. Set the authentication mode for VTY users to AAA.
[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY users to 15 (this
value varies with versions and models). By default, a maximum of five Telnet users are supported.
[Switch] user-interface vty 0 14 //Enter the VTY 0-14 user interface view.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication mode for VTY users to AAA.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface to support Telnet.
By default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and
later versions support SSH.
[Switch-ui-vty0-14] quit
5. Configure RADIUS authentication for access users on the switch.
# Configure a RADIUS server template so that the switch and ACS can
communicate through RADIUS.
[Switch] radius-server template 1
[Switch-radius-1] radius-server authentication 10.1.6.6 1812 //Specify the IP address and port
number of the ACS.
[Switch-radius-1] radius-server shared-key cipher YsHsjx_2022064 //Set the ACS shared key, which
must be the same as that configured on the ACS (YsHsjx_2022064 in Table 3-96).
[Switch-radius-1] quit

NOTE

If the user name stored on the AAA server does not contain a domain name, run the undo
radius-server user-name domain-included command. After this command is executed,
the user names in the packets sent from the switch to RADIUS server do not contain
domain names.

# Create an AAA authentication scheme and set the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode radius
[Switch-aaa-authen-sch1] quit

# Apply the AAA authentication scheme and RADIUS server template to the
default administrative domain.

NOTE

Administrators (users accessing the switch through Telnet, SSH, FTP, HTTP, or terminal) are
authenticated in the default administrative domain.
By default, the administrative domain is default_admin.
[Switch-aaa] domain default_admin
[Switch-aaa-domain-default_admin] radius-server 1
[Switch-aaa-domain-default_admin] authentication-scheme sch1
[Switch-aaa-domain-default_admin] quit

# Apply the AAA authentication scheme and RADIUS server template to the
huawei.com domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] radius-server 1
[Switch-aaa-domain-huawei.com] authentication-scheme sch1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

6. Enable 802.1X authentication on an interface.

# Set the NAC mode to unified mode.
[Switch] authentication unified-mode

NOTE

After the NAC mode is switched between common mode and unified mode, the device
automatically restarts.

# Enable 802.1X authentication on interface GE1/0/3.
[Switch] interface gigabitethernet1/0/3
[Switch-GigabitEthernet1/0/3] authentication dot1x
[Switch-GigabitEthernet1/0/3] dot1x authentication-method eap //This step is recommended
because most 802.1X clients use EAP relay authentication.
[Switch-GigabitEthernet1/0/3] quit
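To make concrete what the key set with radius-server shared-key is used for, the following is an added example, written for this page and not code from Huawei or from the ACS. It plays both the switch (the RADIUS NAS) and the authentication server in one process, following RFC 2865: the NAS hides the User-Password with MD5(secret + Request Authenticator), the server checks the credentials and signs its reply with the Response Authenticator, and the NAS verifies that signature with its own secret. The user name and passwords are the constructed values of Table 3-96; the example uses a PAP-style User-Password attribute rather than the EAP relay configured in the 802.1X step, because the key handling it demonstrates is the same, and it assumes the ACS delivers VLAN 100 through the standard RFC 3580 Tunnel attributes, which the page does not spell out.

```python
"""Added example (not Huawei or ACS code): a minimal RFC 2865 RADIUS exchange
between the switch (NAS) and the authentication server, run in one process,
to show what the key set with 'radius-server shared-key' is used for."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3           # RADIUS codes
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4               # RFC 2865 attributes
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81  # RFC 2868 / 3580


def attr(atype, value):
    """Encode one Type-Length-Value attribute (length covers the 2-byte header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def parse_attrs(data):
    """Decode a TLV list into {type: value}, refusing truncated or zero-length entries."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")
        out[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return out


def hide_password(password, secret, req_auth):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        block = bytes(p ^ b for p, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, req_auth):
    """Inverse of hide_password; with the wrong secret it yields garbage, not an error."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def build_access_request(username, password, secret, ident, nas_ip):
    """NAS side: Access-Request carrying a fresh random Request Authenticator."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, hide_password(password.encode(), secret, req_auth))
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def server_handle(request, secret, users, vlan):
    """Server side: check the credentials, answer Accept (with a VLAN) or Reject."""
    code, ident, length = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    req_auth, attrs = request[4:20], parse_attrs(request[20:length])
    name = attrs.get(USER_NAME, b"").decode(errors="replace")
    given = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    ok = hmac.compare_digest(given, users.get(name, b"\xff"))
    resp_code, resp_attrs = (ACCESS_ACCEPT if ok else ACCESS_REJECT), b""
    if ok:  # RFC 3580 dynamic VLAN: Tunnel-Type=VLAN(13), Tunnel-Medium-Type=802(6), tag byte 0
        resp_attrs = (attr(TUNNEL_TYPE, b"\x00" + (13).to_bytes(3, "big"))
                      + attr(TUNNEL_MEDIUM_TYPE, b"\x00" + (6).to_bytes(3, "big"))
                      + attr(TUNNEL_PRIVATE_GROUP_ID, str(vlan).encode()))
    header = struct.pack("!BBH", resp_code, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs


def nas_check_response(response, request, secret):
    """NAS side: recompute the Response Authenticator with our own secret.  RFC 2865 says a
    mismatching reply is silently discarded, so a wrong shared key shows up as a timeout."""
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    group = parse_attrs(response[20:]).get(TUNNEL_PRIVATE_GROUP_ID)
    if group and group[0] <= 0x1F:        # optional RFC 2868 tag byte
        group = group[1:]
    return response[0], (group.decode() if group else None)


def demo(nas_secret, server_secret):
    """One PAP exchange for the 802.1X user of Table 3-96 (constructed values); returns
    what the switch sees: (code, delivered VLAN) or None when the reply is discarded."""
    users = {"user1@huawei.com": b"YsHsjx_2022063"}
    req = build_access_request("user1@huawei.com", "YsHsjx_2022063", nas_secret, 7, "10.1.6.10")
    return nas_check_response(server_handle(req, server_secret, users, 100), req, nas_secret)


if __name__ == "__main__":
    print(demo(b"YsHsjx_2022064", b"YsHsjx_2022064"))   # (2, '100')
    print(demo(b"YsHsjx_2022064", b"YsHsjx_2022063"))   # None: key mismatch looks like no response
```

The second call is the case to remember when troubleshooting: with mismatched keys the server still answers, but the switch cannot validate the reply and drops it, so the failure shows up as the server "not responding" rather than as an explicit reject. The test-aaa command in the verification step exercises exactly this path.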

Step 2 Configure the Secure ACS.
1. Log in to the ACS client and enter the user name and password to open the
homepage.

Enter the uniform resource locator (URL) address of the ACS and press Enter
to open the ACS login page. Enter the user name and password, and click
Login.

NOTE

The ACS's URL address is in the format http://IP/ or https://IP/, for example,
http://10.13.1.1/ or https://10.13.1.1/.

After you log in to the ACS, the homepage is displayed.

Table 3-97 Navigation areas on the ACS client

Navigation Area           | Description
--------------------------|------------------------------------------------------------
My Workspace              | Includes the welcome page, configuration instructions for
                          | common tasks, and account information.
                          | To change the administrator password, choose My
                          | Workspace > My Account.
Network Resources         | Configures network devices, including AAA clients
                          | and network device groups.
Users and Identity Stores | Configures the users and identities.
Policy Elements           | Configures the authentication and authorization
                          | profiles, including the matching conditions and
                          | results of access policies.
Access Policies           | Configures access policies and associates users
                          | with authentication and authorization profiles.
Monitoring and Reports    | Displays log information.
System Administration     | Manages and maintains the ACS.

2. Add an access device.
a. Choose Network Resources > Network Devices and AAA clients >
Create, as shown in Figure 3-184.

Figure 3-184 Configuring network device and AAA client

b. Enter the switch name and IP address, set the authentication mode
between the switch and ACS to RADIUS, enter the shared secret and CoA
port number, and click Submit, as shown in Figure 3-185.

Figure 3-185 Adding network device and AAA client

3. Add a user.
a. Choose Users and Identity Stores > Internal Identity Stores > Users >
Create, as shown in Figure 3-186.

Figure 3-186 Configuring access user

b. Enter the user name, password, and confirm password, and click Submit,
as shown in Figure 3-187.

Figure 3-187 shows the page for adding an 802.1X user. After adding the
access user, add an administrator according to the administrator
parameters.

Figure 3-187 Adding a user

4. Add an authentication and authorization profile.
a. Choose Policy Elements > Authorization and Permissions > Network
Access > Authorization Profiles > Create to add an authentication and
authorization profile, as shown in Figure 3-188.
NOTE

When you use the RADIUS protocol, it is recommended that you choose Policy
Elements > Authorization and Permissions > Network Access.
When you use the TACACS+ protocol, it is recommended that you choose Policy
Elements > Authorization and Permissions > Authorization Profiles.

Figure 3-188 Add an authentication and authorization profile

b. Add the authentication and authorization profile for the administrator to
specify that the administrator can only log in through Telnet and has a
user privilege of 15.
The settings on the General tab page are shown in Figure 3-189.

Figure 3-189 Setting general parameters for the administrator's
authentication and authorization profile

The settings on the RADIUS Attributes tab page are shown in Figure
3-190. Click Submit to commit the profile configuration.

Figure 3-190 Setting RADIUS attribute parameters for the administrator's
authentication and authorization profile

c. Add an authentication and authorization profile for the 802.1X user to
specify that the user can only log in through 802.1X, has a user
privilege of 2, and is delivered ACL 3000 and VLAN 100 by the ACS, as shown in
Figure 3-191, Figure 3-192, and Figure 3-193. Click Submit to commit
the profile configuration.

Figure 3-191 Setting general parameters for the 802.1X user's
authentication and authorization profile

Figure 3-192 Setting common task parameters for the 802.1X user's
authentication and authorization profile

Figure 3-193 Setting RADIUS attribute parameters for the 802.1X user's
authentication and authorization profile

5. Add an access policy to bind the user to an authentication and authorization
profile.
a. Choose Access Policies > Access Services > Create to create an access
service.
b. Configure the access service. Set the communication mode to Network
Access and specify the user access protocol, as shown in Figure 3-194
and Figure 3-195.

Figure 3-194 Setting the communication mode to Network Access

NOTE

The S series switches support the first five user access protocols.

Figure 3-195 User access protocols

c. Choose Access Policies > Access Services > Service Selection Rules to
create a rule, as shown in Figure 3-196.

Figure 3-196 Creating a rule

d. Configure the rule. Set the authentication mode to RADIUS and add
attributes according to Figure 3-197.
You can choose Access Policies > Access Services > Service Selection
Rules to prepare the attributes that you want to add.

Figure 3-197 Configuring the rule

Click OK, and then click Save Changes.

e. Select the created access service and click Identity to add an Identity
rule, as shown in Figure 3-198.

Figure 3-198 Creating an Identity rule

f. Configure the rule, as shown in Figure 3-199.

Figure 3-199 Configuring the Identity rule

Click OK, and then click Save Changes.

g. Select the created access service and click Authorization. Configure the
authentication rule for the administrator according to Figure 3-200 or for
the 802.1X user according to Figure 3-201.

Figure 3-200 Configuring authentication rule for administrator

Figure 3-201 Configuring authentication rule for 802.1X user

h. Click OK, and then click Save Changes.
6. Complete the configuration.
Step 3 Verify the configuration.
● An administrator logs in to the switch through Telnet.
# Choose Start > Run on your PC and enter cmd to open the Windows
command line interface. Run telnet, and enter the user name admin1 and
password YsHsjx_2022062 to Telnet to the switch.
C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:admin1
Password:**********
<Switch> //You can log in successfully.
# Run the display access-user username admin1 command to view the
granted right.
● An 802.1X user logs in to the switch.
# Run the test-aaa command on the switch to test whether the user can pass
RADIUS authentication.
[Switch] test-aaa user1@huawei.com YsHsjx_2022063 radius-template 1

# The 802.1X user starts the 802.1X client on the PC, and enters the user
name user1@huawei.com and password YsHsjx_2022063. If the user name
and password are correct, the client displays a successful authentication
message. The user can access the network.
# After the 802.1X user goes online, run the display access-user access-type
dot1x command on the switch to view the user information. The Dynamic
VLAN and Dynamic ACL number(Effective) fields indicate the VLAN and
ACL delivered by the RADIUS server.
----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30 100
#
telnet server enable
telnet server-source -i Vlanif 20
#
acl number 3000
#
radius-server template 1
radius-server shared-key cipher %^%#9nP3;sDW-AN0f@H@S*l&\f{V=V_auKe|^YXy7}bU%^%#
radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius
domain default_admin
authentication-scheme sch1
radius-server 1
domain huawei.com
authentication-scheme sch1
radius-server 1
#
interface Vlanif10
ip address 10.1.6.10 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.10 255.255.255.0
#
interface Vlanif30
ip address 10.1.3.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/3
port link-type hybrid
port hybrid untagged vlan 30
authentication dot1x
dot1x authentication-method eap
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
return

3.14.1.5 Example for Configuring Authentication for Telnet Login Users
(HWTACACS and Local Authentication)

HWTACACS and Local Authentication Overview
When an HWTACACS authentication server is deployed on a network, users can be
authenticated through HWTACACS. User information is created and maintained by
the HWTACACS authentication server. A user can successfully log in to the device
only when the entered user name and password are the same as those configured
on the HWTACACS server. Compared with RADIUS, HWTACACS is more reliable in
transmission and encryption, and is more suitable for security control. Generally,
HWTACACS authentication is configured on the network requiring high security,
for example, financial, government, and telecommunication carrier networks.
When both HWTACACS authentication and local authentication are configured on a
device and the HWTACACS server does not respond, the device performs local
authentication. If only HWTACACS authentication is configured, users fail
authentication when the device cannot connect to the HWTACACS server.
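The decision just described, server first and local only when the server is silent, is easy to get wrong in a hand-written policy, so here is an added example (Python, written for this page, not Huawei code) that models the method list behind an authentication scheme like authentication-mode hwtacacs local. The HWTACACS server is a constructed stand-in whose reachable flag models the no-response case, and its admin_level stands for the service scheme's admin-user privilege level; the local store keeps passwords only as salted PBKDF2 hashes and enforces service-type and level as local-user does. One assumption is labelled in the code: an explicit reject from the server is final and does not fall through to local authentication, which is the usual semantics of such a list but is not stated on this page. The audit list and fallback_logins show the detection angle: a session that was accepted locally because the central server stayed silent bypassed that server's policy and logging and is worth an alert.

```python
"""Added example (not Huawei code): how an AAA authentication scheme such as
'authentication-mode hwtacacs local' picks a result.  The HWTACACS server is a
constructed stand-in; the decision logic and its audit trail are the point."""
import hashlib
import hmac
import os
from enum import Enum


class Result(Enum):
    ACCEPT = "accept"
    REJECT = "reject"
    NO_RESPONSE = "no-response"   # timeout / unreachable server


class LocalUserStore:
    """Local users as created with 'local-user ... password irreversible-cipher'.
    Passwords are kept only as salted PBKDF2 hashes; service-type and level are enforced."""

    name = "local"

    def __init__(self):
        self._users = {}

    def add(self, user, password, service_type, level):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user] = (salt, digest, service_type, level)

    def authenticate(self, user, password, service_type):
        rec = self._users.get(user)
        if rec is None:
            return Result.REJECT, None
        salt, digest, allowed, level = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if allowed != service_type or not hmac.compare_digest(candidate, digest):
            return Result.REJECT, None
        return Result.ACCEPT, level


class HwtacacsServerStub:
    """Constructed stand-in for the HWTACACS server: reachable=False models the
    no-response case; admin_level plays the service scheme's 'admin-user privilege level'."""

    name = "hwtacacs"

    def __init__(self, users, reachable=True, admin_level=15):
        self._users, self._reachable, self._admin_level = users, reachable, admin_level

    def authenticate(self, user, password, service_type):
        if not self._reachable:
            return Result.NO_RESPONSE, None
        if self._users.get(user) != password:
            return Result.REJECT, None
        return Result.ACCEPT, self._admin_level


def authenticate(methods, user, password, service_type, audit):
    """Try each method in order.  Only NO_RESPONSE falls through to the next method;
    an explicit REJECT is final (assumed semantics, see lead-in).  Every decision is
    appended to 'audit' so that fallbacks can be detected afterwards."""
    for method in methods:
        result, level = method.authenticate(user, password, service_type)
        audit.append((user, method.name, result))
        if result is not Result.NO_RESPONSE:
            return result, level, method.name
    return Result.REJECT, None, None          # every method silent: fail closed


def fallback_logins(audit):
    """Users accepted locally right after the server stayed silent: the central
    policy (and its logging) was bypassed for that session, so raise an alert."""
    hits = []
    for (u1, m1, r1), (u2, m2, r2) in zip(audit, audit[1:]):
        if (u1 == u2 and m1 == "hwtacacs" and r1 is Result.NO_RESPONSE
                and m2 == "local" and r2 is Result.ACCEPT):
            hits.append(u1)
    return hits
```

With the server reachable the local store is never consulted; with it unreachable the local entry for user1@huawei.com decides, which is what Step 6 of this example verifies by shutting down the interface to the server. A scheme containing only hwtacacs fails closed in that situation, matching the last sentence of the overview.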

Configuration Notes
This configuration example applies to all switches running all versions.

Networking Requirements
As shown in Figure 3-202, an HWTACACS server is deployed on a network, and
the administrator Telnets to the device to remotely manage it. The specific
requirements are as follows:
1. The administrator must enter the correct user name and password to log in to the
device through Telnet.
2. The device performs HWTACACS authentication for the administrator first. If
the HWTACACS server does not respond, the device performs local
authentication.
3. After logging in to the device through Telnet, the administrator can run the
commands at levels 0-15.

Figure 3-202 Configuring authentication for Telnet login users (HWTACACS and
local authentication)

Configuration Roadmap
1. Enable the Telnet service.
2. Set the authentication method for Telnet login users to AAA.
3. Configure AAA local authentication, including creating a local user, setting the
user access type to Telnet, and setting the user level to 15.
4. Configure HWTACACS authentication, including creating an HWTACACS server
template, an AAA authentication scheme, and a service scheme, and applying
the schemes to a domain.

NOTE

This example only provides the configurations on the device. Ensure that the required
parameters have been set on the HWTACACS server, for example, the device's IP address, shared key,
and user information.

Procedure
Step 1 Configure interfaces and assign IP addresses.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.2.10 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.6.10 24
[Switch-Vlanif20] quit
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

Step 2 Enable the Telnet server.
[Switch] telnet server enable
[Switch] telnet server-source -i Vlanif 10 //Configure the source interface of the server as the interface
corresponding to 10.1.2.10. Assume that the interface is Vlanif 10.

Step 3 Set the authentication method for the VTY user interface to AAA.
[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY login users to 15 (the value
range varies according to product versions and models). By default, the maximum number of Telnet users is
5.
[Switch] user-interface vty 0 14 //Enter the VTY 0-14 user view.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication method for the VTY user view to
AAA.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface to support Telnet. By
default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later
versions support SSH.
[Switch-ui-vty0-14] quit

Step 4 Configure AAA local authentication.
[Switch] aaa
[Switch-aaa] local-user user1@huawei.com password irreversible-cipher YsHsjx_2022071 //Create the
local user user1@huawei.com and set the password. The password is displayed in cipher text in the
configuration file, so remember the password. If you forget the password, run this command again to
reconfigure the password (the command is local-user user-name password cipher password in V200R002
and earlier versions).
[Switch-aaa] local-user user1@huawei.com service-type telnet //Set the access type of
user1@huawei.com to Telnet. The user can log in through only Telnet (By default, users can log in through
any method in versions earlier than V200R007 and cannot log in through any method in V200R007 and
later versions).
[Switch-aaa] local-user user1@huawei.com privilege level 15 //Set the user level of user1@huawei.com
to 15. The user can use the commands of level 15 and lower levels.
[Switch-aaa] quit

Step 5 Configure HWTACACS authentication.
# Configure an HWTACACS server template to implement communication
between the device and the HWTACACS server.
[Switch] hwtacacs-server template 1
[Switch-hwtacacs-1] hwtacacs-server authentication 10.1.6.6 49 //Specify the IP address and port
number of the HWTACACS authentication server.
[Switch-hwtacacs-1] hwtacacs-server shared-key cipher YsHsjx_202206 //Specify the shared key of the
HWTACACS authentication server, which must be the same as that configured on the HWTACACS server.
[Switch-hwtacacs-1] quit

# Configure an AAA authentication scheme and set the authentication methods to
HWTACACS and local authentication.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode hwtacacs local
[Switch-aaa-authen-sch1] quit

# Configure a service scheme and set the user level to 15.
[Switch-aaa] service-scheme sch1
[Switch-aaa-service-sch1] admin-user privilege level 15
[Switch-aaa-service-sch1] quit

# Apply the AAA authentication scheme, HWTACACS server template, and service
scheme to the domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme sch1
[Switch-aaa-domain-huawei.com] hwtacacs-server 1
[Switch-aaa-domain-huawei.com] service-scheme sch1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

Step 6 Verify the configuration.
# Choose Start > Run on your computer running Windows operating system and
enter cmd to open the cmd window. Run the telnet command and enter the user
name user1@huawei.com and password YsHsjx_2022071 to log in to the device
through Telnet.
C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:user1@huawei.com
Password:***********
<Switch> //The administrator successfully logs in.

# Shut down the interface connected to the HWTACACS authentication server, to
disconnect the device from the HWTACACS server. Choose Start > Run on your
computer and enter cmd to open the cmd window. Run the telnet command and
enter the user name user1@huawei.com and password YsHsjx_2022071 to log in
to the device through Telnet. You can successfully log in to the device, indicating
that the device performs local authentication when the HWTACACS server does
not respond.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
telnet server enable
telnet server-source -i Vlanif 10
#
hwtacacs-server template 1
hwtacacs-server authentication 10.1.6.6
hwtacacs-server shared-key cipher %^%#q(P3<qAXm=Pq).G8bgq@"sbFOf%0k%umgQJ3#MF3%^%#
#
aaa
authentication-scheme sch1
authentication-mode hwtacacs local
service-scheme sch1
admin-user privilege level 15
domain huawei.com
authentication-scheme sch1
service-scheme sch1
hwtacacs-server 1
local-user user1@huawei.com password irreversible-cipher %^%#+bxGT|w}~J-FHdDG"R8"($BX%XF/R1uba0UwL0).&r"Z#zbz*2G1$%6)Rd/V%^%#
local-user user1@huawei.com privilege level 15
local-user user1@huawei.com service-type telnet
#
interface Vlanif10
ip address 10.1.2.10 255.255.255.0
#
interface Vlanif20
ip address 10.1.6.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
return

3.14.1.6 Example for Configuring Default Domain-based User Management

Domain and Default Domain Overview
The device manages access users based on domains. Each access user belongs to a
domain.
The authentication, authorization, and accounting schemes can be bound to
domain views. The device manages the access users in the same domain in the
same manner, for example, using the same authentication, authorization, and
accounting scheme.
As shown in Figure 3-203, the users are authenticated in the specified domain
when entered user names contain domain names or in the default domain when
entered user names do not contain domain names. If a user name contains a
domain name, the user belongs to this domain; otherwise, the user belongs to the
default domain. If most users on a network belong to the same domain, you can
configure this domain as the default domain so that these users do not need to
enter the domain name when logging in to the device.
Default domains fall into default administrative domain and default common
domain.
● The administrator (logging in through Telnet, SSH, FTP, HTTP, or Terminal) is
authenticated in the default administrative domain.
By default, the default administrative domain is default_admin.
● The common users (logging in through MAC, Portal, or 802.1X authentication,
or PPP authentication in V200R005) are authenticated in the default common
domain.
By default, the default common domain is default.
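The rule above (domain taken from the user name if present, otherwise the default administrative or default common domain depending on how the user accesses the device) is the kind of logic worth seeing end to end, so here is an added example written for this page, not Huawei code. It splits a login name, selects the domain from a constructed domain table that mirrors this example (local authentication in default_admin, RADIUS template 1 in the default common domain and in huawei.com), and shows which User-Name the RADIUS server receives with and without the radius-server user-name domain-included setting mentioned in the preceding section. The access-type sets are taken from the two bullets above; treating an unknown domain or access type as a refused login is an assumption stated in the code.

```python
"""Added example (not Huawei code): how a login name is mapped to a domain and
which name is forwarded to the RADIUS server.  The domain table and the access
type sets are constructed from this section's description."""

DEFAULT_ADMIN_DOMAIN = "default_admin"
DEFAULT_COMMON_DOMAIN = "default"
ADMIN_ACCESS = {"telnet", "ssh", "ftp", "http", "terminal"}   # default administrative domain
COMMON_ACCESS = {"mac", "portal", "dot1x", "ppp"}              # default common domain


def split_user_name(login, delimiter="@"):
    """Return (pure user name, domain); domain is None when the login carries none.
    Splits at the last delimiter so 'a@b@c' maps to user 'a@b' in domain 'c'."""
    if delimiter in login:
        user, domain = login.rsplit(delimiter, 1)
        if user and domain:
            return user, domain
    return login, None


def resolve_domain(login, access_type, domains):
    """Pick the domain whose schemes will handle this login.  'domains' maps a domain
    name to its configuration.  Returns (domain, config); an unknown domain or access
    type gives (None, None), i.e. the login is refused (assumption: no silent fallback
    to another domain)."""
    _, domain = split_user_name(login)
    if domain is None:
        if access_type in ADMIN_ACCESS:
            domain = DEFAULT_ADMIN_DOMAIN
        elif access_type in COMMON_ACCESS:
            domain = DEFAULT_COMMON_DOMAIN
        else:
            return None, None
    config = domains.get(domain)
    return (domain, config) if config is not None else (None, None)


def radius_user_name(login, domain_included=True):
    """Name placed in the RADIUS User-Name attribute.  'undo radius-server user-name
    domain-included' corresponds to domain_included=False: the domain part is stripped."""
    return login if domain_included else split_user_name(login)[0]


# Constructed domain table mirroring this example: the administrator is authenticated
# locally in default_admin, 802.1X users by RADIUS template 1 in the default common domain.
DOMAINS = {
    "default_admin": {"authentication-scheme": "default", "method": "local"},
    "default": {"authentication-scheme": "sch1", "method": "radius", "radius-server": "1"},
    "huawei.com": {"authentication-scheme": "sch1", "method": "radius", "radius-server": "1"},
}

if __name__ == "__main__":
    print(resolve_domain("user1", "telnet", DOMAINS))           # ('default_admin', {...})
    print(resolve_domain("user1", "dot1x", DOMAINS))            # ('default', {...})
    print(radius_user_name("user1@huawei.com", domain_included=False))   # user1
```

The practical consequence for this example: because both the administrator and the 802.1X users log in without a domain name, the same login string "user1" lands in different domains purely by access type, which is why the roadmap applies local authentication to the administrative default domain and RADIUS to the common default domain rather than to a named domain.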

Figure 3-203 User domains

NOTE

By default, you can modify the configuration of the default domains but cannot delete
the default domains.

Configuration Notes
This configuration example applies to all switches running all versions.

Networking Requirements
As shown in Figure 3-204, the administrator Telnets to the device and remotely
manages the device after passing AAA local authentication, and 802.1X users log
in to the device through 802.1X clients after passing RADIUS authentication.
Therefore, both AAA local authentication and RADIUS authentication need to be
configured on the device.
1. The administrator must enter the correct user name and password to Telnet to
the device. After logging in to the device, the administrator can run all the
commands at levels 0-15.
2. 802.1X users must enter the correct user names and passwords to log in to the
device.

3. The administrator and 802.1X users do not need to enter domain names when
logging in.

Figure 3-204 Configuring default domain-based user management

Configuration Roadmap
1. Allow the administrator to Telnet to the device.
a. Enable the Telnet service.
b. Set the authentication method for Telnet login users to AAA.
c. Configure AAA local authentication, including creating a local user,
setting the user access type to Telnet, and setting the user level to 15.
2. Allow 802.1X users to log in to the device through RADIUS authentication.
a. Enable 802.1X authentication on the interface.
b. Configure RADIUS authentication, including creating a RADIUS server
template, an AAA authentication scheme, and a service scheme, and
applying the schemes to the default common domain.

NOTE

This example only provides the configurations on the device. Ensure that the required
parameters have been set on the RADIUS server, for example, the device's IP address, shared key,
and user information.

Procedure
Step 1 Configure interfaces and assign IP addresses.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.3.10 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.10 24
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.1.6.10 24
[Switch-Vlanif30] quit
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 20
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 30
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port default vlan 10
[Switch-GigabitEthernet1/0/3] quit

Step 2 Configure AAA local authentication for the administrator to Telnet to the device.
# Enable the Telnet server.
[Switch] telnet server enable
[Switch] telnet server-source -i Vlanif 20 //Configure the source interface of the server as the interface
corresponding to 10.1.2.10. Assume that the interface is Vlanif 20.

# Set the authentication method for the VTY user interface to AAA.
[Switch] user-interface maximum-vty 15 //Set the maximum number of VTY login users to 15 (the value
range varies according to product versions and models). By default, the maximum number of Telnet users is
5.
[Switch] user-interface vty 0 14 //Enter the VTY 0-14 user view.
[Switch-ui-vty0-14] authentication-mode aaa //Set the authentication method for the VTY user view to
AAA.
[Switch-ui-vty0-14] protocol inbound telnet //Configure the VTY user interface to support Telnet. By
default, switches in V200R006 and earlier versions support Telnet, and switches in V200R007 and later
versions support SSH.
[Switch-ui-vty0-14] quit

# Configure AAA local authentication.
[Switch] aaa
[Switch-aaa] local-user user1 password irreversible-cipher YsHsjx_202206 //Create local user user1 and
set the password. The password is displayed in cipher text in the configuration file, so remember the
password. If you forget the password, run this command again to reconfigure the password (the command
is local-user user-name password cipher password in V200R002 and earlier versions).
[Switch-aaa] local-user user1 service-type telnet //Set the access type of user1 to Telnet. The user can
log in through only Telnet (by default, users can log in through any method in versions earlier than
V200R007 and cannot log in through any method in V200R007 and later versions).
[Switch-aaa] local-user user1 privilege level 15 //Set the user level of user1 to 15. The user can use the
commands of level 15 and lower levels.
Warning: This operation may affect online users, are you sure to change the user privilege level ?[Y/N]y
[Switch-aaa] quit

NOTE

When the entered user name does not contain a domain name, the device authenticates the
user using the default administrative domain default_admin. By default, the default
administrative domain uses the authentication scheme default and accounting scheme default.
● Authentication scheme default: local authentication
● Accounting scheme default: non-accounting

Step 3 Configure RADIUS authentication for 802.1X users to log in to the device.
# Configure the RADIUS server template to implement communication between
the device and the RADIUS server.
[Switch] radius-server template 1
[Switch-radius-1] radius-server authentication 10.1.6.6 1812 //Specify the IP address and port number of the RADIUS authentication server.


[Switch-radius-1] radius-server shared-key cipher YsHsjx_202206 //Specify the shared key of the RADIUS
server, which must be the same as that configured on the RADIUS server.
[Switch-radius-1] quit

NOTE

If the RADIUS server does not accept the user names containing domain names, run the undo
radius-server user-name domain-included command on the device so that the packets sent
from the device to the RADIUS server do not contain domain names.
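The shared key configured above never travels on the wire: RFC 2865 uses it to hide the User-Password attribute and to key the Response Authenticator, which is why a mismatch between the switch and the RADIUS server breaks authentication in both directions. The following added example (not code from the Huawei guide) shows both uses for a PAP-style Access-Request to the server 10.1.6.6:1812 of this section, with the page's shared key and the user name and password later used by test-aaa; the packet identifier and Request Authenticator are constructed sample values.

```python
# Added example, not code from the Huawei guide: how the RADIUS shared key is
# used on the wire (RFC 2865), which is why it must match on the switch and
# the server. Shared key YsHsjx_202206 and server 10.1.6.6:1812 are the
# page's values; the packet identifier and Request Authenticator below are
# constructed sample data. Standard library only.
import hashlib
import hmac
import os
import struct
from typing import Optional

ACCESS_REQUEST = 1
ACCESS_ACCEPT = 2
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
SHARED_KEY = b"YsHsjx_202206"   # radius-server shared-key cipher YsHsjx_202206
SERVER = ("10.1.6.6", 1812)     # radius-server authentication 10.1.6.6 1812


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block
    with MD5(secret + previous ciphertext block); the first block is keyed by
    the 16-byte Request Authenticator instead."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ q for p, q in zip(padded[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same operation; a wrong secret yields unrelated bytes."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        out += bytes(p ^ q for p, q in zip(hidden[i:i + 16], pad))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attr(atype: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts its own 2-byte header."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def build_access_request(ident: int, user: bytes, password: bytes,
                         secret: bytes = SHARED_KEY,
                         request_auth: Optional[bytes] = None) -> bytes:
    """Access-Request as the NAS (the switch) sends it to SERVER."""
    request_auth = request_auth or os.urandom(16)
    attrs = attr(ATTR_USER_NAME, user) + attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + request_auth + attrs


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(request: bytes, secret: bytes = SHARED_KEY) -> bytes:
    """Minimal Access-Accept (no attributes) bound to the request it answers."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(ACCESS_ACCEPT, ident, b"", request_auth, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, 20) + auth


def verify_response(response: bytes, request: bytes, secret: bytes = SHARED_KEY) -> bool:
    """NAS-side check: a reply that was forged or keyed with another secret fails."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if ident != request[1] or length != len(response):
        return False
    expected = response_authenticator(code, ident, response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])


def get_attr(packet: bytes, atype: int) -> Optional[bytes]:
    """Walk the attribute list; a Length below 2 would never advance, so reject it."""
    pos = 20
    while pos + 2 <= len(packet):
        atype_here, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute")
        if atype_here == atype:
            return packet[pos + 2:pos + length]
        pos += length
    return None


if __name__ == "__main__":
    ra = bytes(range(16))   # constructed; a real NAS uses 16 random bytes
    req = build_access_request(7, b"liming", b"YsHsjx_202206", request_auth=ra)
    hidden = get_attr(req, ATTR_USER_PASSWORD)
    print(reveal_password(hidden, SHARED_KEY, ra))          # b'YsHsjx_202206'
    print(reveal_password(hidden, b"OtherKey", ra) == b"YsHsjx_202206")  # False
    print(verify_response(build_access_accept(req), req))   # True
    print(verify_response(build_access_accept(req), req, b"OtherKey"))  # False
```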

# Configure an AAA authentication scheme and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme sch1
[Switch-aaa-authen-sch1] authentication-mode radius
[Switch-aaa-authen-sch1] quit

# Configure a service scheme and set the user level to 15.


[Switch-aaa] service-scheme sch1
[Switch-aaa-service-sch1] admin-user privilege level 15
[Switch-aaa-service-sch1] quit

# Apply the AAA authentication scheme, RADIUS server template, and service
scheme to the default common domain.
[Switch-aaa] domain default
[Switch-aaa-domain-default] authentication-scheme sch1
[Switch-aaa-domain-default] service-scheme sch1
[Switch-aaa-domain-default] radius-server 1
[Switch-aaa-domain-default] quit
[Switch-aaa] quit

# Set the NAC mode to unified (this step is required in V200R005 and later
versions).
[Switch] authentication unified-mode

NOTE

After the common mode is changed to unified mode, the device automatically restarts. By
default, the unified mode is used.

# Enable 802.1X authentication on the interface.

● In the versions earlier than V200R009:


[Switch] interface gigabitethernet1/0/3
[Switch-GigabitEthernet1/0/3] authentication dot1x
[Switch-GigabitEthernet1/0/3] quit

● In V200R009 and later versions:


[Switch] dot1x-access-profile name d1
[Switch-dot1x-access-profile-d1] quit
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] dot1x-access-profile d1
[Switch-authen-profile-p1] authentication mode multi-authen max-user 100
[Switch-authen-profile-p1] quit
[Switch] interface gigabitethernet1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port default vlan 10
[Switch-GigabitEthernet1/0/3] authentication-profile p1
[Switch-GigabitEthernet1/0/3] quit

Step 4 Verify the configuration.


# Choose Start > Run on your computer running the Windows operating system and enter cmd to open the cmd window. Run the telnet command and enter the user name user1 and password YsHsjx_202206 to log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.1.2.10
Username:user1
Password:***********
<Switch>//The administrator successfully logs in.

# Run the test-aaa command to test whether an 802.1X user can pass the
authentication.
[Switch] test-aaa liming YsHsjx_202206 radius-template 1

# A user starts the 802.1X client on a terminal, and enters the user name liming
and password YsHsjx_202206 for authentication. If the user name and password
are correct, an authentication success message is displayed on the client page. The
user can access the network.
# After the user goes online, you can run the display access-user access-type
dot1x command to check online 802.1X user information.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30
#
telnet server enable
telnet server-source -i Vlanif 20
#
authentication-profile name p1 //Available only in V200R009 and later versions
dot1x-access-profile d1
authentication mode multi-authen max-user 100
#
radius-server template 1
radius-server shared-key cipher %^%#9nP3;sDW-AN0f@H@S*l&\f{V=V_auKe|^YXy7}bU%^%#
radius-server authentication 10.1.6.6 1812 weight 80
#
aaa
authentication-scheme sch1
authentication-mode radius
service-scheme sch1
admin-user privilege level 15
domain default
authentication-scheme sch1
service-scheme sch1
radius-server 1
local-user user1 password irreversible-cipher $1a$BKfS8Ml4qP$1\a5RWc)oTIuB0'wN;p090;>{APtaL8/x/T.$
local-user user1 privilege level 15
local-user user1 service-type telnet
#
interface Vlanif10
ip address 10.1.3.10 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.10 255.255.255.0
#
interface Vlanif30
ip address 10.1.6.10 255.255.255.0
#


interface GigabitEthernet1/0/1
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 10
authentication dot1x //Available only in the versions earlier than V200R009
authentication-profile p1 //Available only in V200R009 and later versions
#
user-interface maximum-vty 15
user-interface vty 0 14
authentication-mode aaa
protocol inbound telnet
#
dot1x-access-profile name d1 //Available only in V200R009 and later versions
#
return

3.14.2 Typical NAC Configuration (Unified Mode) (the Agile Controller-Campus as the Authentication Server) (V200R009C00 and Later Versions)

3.14.2.1 Configuring Portal Authentication for Access Users on Huawei Agile Controller-Campus (Authentication Point on Core Switch)
This section includes the following content:
● Introduction to Portal authentication
● Networking Requirements
● Configuration Logic
● Configuration Notes
● Data Plan
● Procedure
● Configuration Files

Introduction to Portal authentication

Portal authentication is also called web authentication. When a user accesses the
network, the user must first be authenticated on the Portal website. If the
authentication fails, the user can access only certain network resources. After the
authentication succeeds, the user can access other network resources. Portal
authentication has the following advantages:

● Ease of use: In most cases, Portal authentication does not require the client to
have additional software installed and allows the client to be directly
authenticated on a web page.
● Convenient operations: Portal authentication achieves service expansion on
the Portal page, including advertisement push, responsibility announcement,
and enterprise publicity.

● Mature technology: Portal authentication has been widely used in networks of
carriers, fast food chains, hotels, and schools.
● Flexible deployment: Portal authentication implements access control at the
access layer or at the ingress of key data.
● Flexible user management: Portal authentication can be performed on users
based on the combination of user names and any one of VLANs, IP addresses,
and MAC addresses.
Enterprises often choose Portal authentication for guests because they move
frequently.

Networking Requirements
An enterprise needs to deploy an identity authentication system to control
employees' network access rights and allow only authorized users to access the
network. The enterprise has the following requirements:
● The authentication operations should be simple. The authentication system
only performs access authorization. Minimum client software is installed on
user terminals.
● To facilitate network reconstruction and reduce investments, the enterprise
requires the authentication point to be deployed on the core switch.
● A unified identity authentication mechanism is used to authenticate all
terminals accessing the campus network and deny access from unauthorized
terminals.
● R&D employees can connect only to public servers (such as the web and DNS
servers) of the enterprise before the authentication, and can connect to both
the intranet (code library and issue tracking system) and Internet after being
authenticated.
● Marketing employees can connect only to public servers (such as the web and
DNS servers) of the enterprise before the authentication, and can connect
only to the Internet after being authenticated.


Figure 3-205 Portal authentication deployed at the core layer

Configuration Logic

Figure 3-206 Configuration logic of Huawei switch


Table 3-98 Configuration logic of Huawei Agile Controller-Campus

Item | Description
Creating a department and an account | -
Adding switches | Set parameters for switches connected to the Agile Controller-Campus.
(Optional) Adding an authentication rule | Configure the conditions for users to pass the authentication. If no authentication rule is created, the default authentication rule (that allows all users to pass the authentication) of the Agile Controller-Campus is used.
Adding an authorization result | Create network access right profiles so that users granted with different profiles have different network access rights.
Adding an authorization rule | Select network access right profiles and users in an authorization rule so that specified network access rights are granted to specific users.

Configuration Notes
● This configuration example applies to all switches running V200R009C00 or a
later version.
● Huawei's Agile Controller-Campus in V100R001 functions as the Portal server
and RADIUS server in this example. The Agile Controller-Campus version must be
V100R001, V100R002, or V100R003.
● The RADIUS authentication and accounting shared keys and Portal shared key
on the switch must be the same as those on the Agile Controller-Campus
server.
● By default, the switch allows the packets from RADIUS and Portal servers to
pass. You do not need to configure authentication-free rules for the two
servers on the switch.

Data Plan

Table 3-99 VLAN plan

VLAN ID | Function
101 | VLAN for R&D employees
102 | VLAN for marketing employees
103 | VLAN for connection between the aggregation switch and core switch
104 | VLAN to which interfaces connecting to the servers belong

Table 3-100 Network data plan

Item | Data | Description
Access switch (connecting to the R&D department) | Interface number: GE0/0/1; VLAN: 101 | Connects to employees' PCs.
Access switch (connecting to the R&D department) | Interface number: GE0/0/2; VLAN: 101 | Connects to the aggregation switch.
Access switch (connecting to the marketing department) | Interface number: GE0/0/1; VLAN: 102 | Connects to employees' PCs.
Access switch (connecting to the marketing department) | Interface number: GE0/0/2; VLAN: 102 | Connects to the aggregation switch.
Aggregation switch | Interface number: GE1/0/1; VLAN: 101; VLANIF101 IP address: 192.168.0.1 | Connects to the access switch of the R&D department. Functions as the gateway for R&D employees.
Aggregation switch | Interface number: GE1/0/2; VLAN: 102; VLANIF102 IP address: 192.168.1.1 | Connects to the access switch of the marketing department. Functions as the gateway for marketing employees.
Aggregation switch | Interface number: GE1/0/3; VLAN: 103; VLANIF103 IP address: 172.16.2.1 | Connects to the core switch.
Core switch | Interface number: GE1/0/1; VLAN: 103; VLANIF103 IP address: 172.16.2.2 | Connects to the aggregation switch.
Core switch | Interface number: GE1/0/2; VLAN: 104; VLANIF104 IP address: 172.16.1.254 | Connects to the server area and functions as the gateway for the servers.
Server | Agile Controller-Campus (RADIUS server + Portal server): IP address 172.16.1.1 | -
Server | DNS server: IP address 172.16.1.2 | -
Server | Web server: IP address 172.16.1.3 | -
Server | Code library: IP address 172.16.1.4 | -
Server | Issue tracking system: IP address 172.16.1.5 | -

Table 3-101 Service data plan

Item | Data | Description
Core switch | Number of the ACL for R&D employees' post-authentication domain: 3001 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
Core switch | Number of the ACL for marketing employees' post-authentication domain: 3002 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
Core switch | Authentication server: IP address 172.16.1.1; port number 1812; RADIUS shared key YsHsjx_202206. Accounting server: IP address 172.16.1.1; port number 1813; RADIUS shared key YsHsjx_202206; accounting interval 15. Portal server: IP address 172.16.1.1; port number that the switch uses to process Portal protocol packets: 2000; destination port number in the packets that the switch sends to the Portal server: 50200; Portal authentication shared key YsHsjx_202206 | (1) The Service Controller (SC) of the Agile Controller-Campus integrates the RADIUS server and Portal server. Therefore, the IP addresses of the authentication server, accounting server, authorization server, and Portal server are the SC's IP address. (2) Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as the authentication and accounting port numbers of the RADIUS server. (3) Configure an authorization server to enable the RADIUS server to deliver authorization rules to the switch. The RADIUS shared key of the authorization server must be the same as those of the authentication server and accounting server.
Agile Controller-Campus | Host name: access.example.com | Users can use the domain name to access the Portal server.
Agile Controller-Campus | Device IP address: 172.16.1.254 | -
Agile Controller-Campus | Authentication port: 1812 | -
Agile Controller-Campus | Accounting port: 1813 | -
Agile Controller-Campus | RADIUS shared key: YsHsjx_202206 | The RADIUS shared key must be the same as that configured on the switch.
Agile Controller-Campus | Port number that the Portal server uses to receive packets: 50200 | -
Agile Controller-Campus | Portal shared key: YsHsjx_202206 | It must be the same as the Portal authentication shared key configured on the switch.
Agile Controller-Campus | Department: R&D; user: A; account: A-123; password: YsHsjx_202207. Department: Marketing; user: B; account: B-123; password: YsHsjx_202207 | Two departments and two corresponding accounts have been created on the Agile Controller-Campus: the R&D department and an R&D employee account A-123; the Marketing department and a marketing employee account B-123.
Pre-authentication domain | Agile Controller-Campus (including RADIUS server and Portal server), DNS server, and web server | -
Post-authentication domain | R&D employees: code library, issue tracking system, and Internet. Marketing employees: Internet | -

Procedure
Step 1 Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting
to the R&D department. The configuration for SwitchB, the access switch
connecting to the marketing department, is similar to that for SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Interface connected to the aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit

Step 2 Configure the core switch.
1. Create VLANs and configure the VLANs allowed by interfaces so that packets
can be forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] vlan batch 103 104
[SwitchD] interface gigabitethernet 1/0/1 //Interface connected to the aggregation switch
[SwitchD-GigabitEthernet1/0/1] port link-type trunk
[SwitchD-GigabitEthernet1/0/1] port trunk allow-pass vlan 103
[SwitchD-GigabitEthernet1/0/1] quit
[SwitchD] interface vlanif 103
[SwitchD-Vlanif103] ip address 172.16.2.2 255.255.255.0
[SwitchD-Vlanif103] quit
[SwitchD] interface gigabitethernet 1/0/2 //Interface connected to the server area
[SwitchD-GigabitEthernet1/0/2] port link-type access
[SwitchD-GigabitEthernet1/0/2] port default vlan 104
[SwitchD-GigabitEthernet1/0/2] quit
[SwitchD] interface vlanif 104
[SwitchD-Vlanif104] ip address 172.16.1.254 255.255.255.0 //Configure the gateway address for
the server area.
[SwitchD-Vlanif104] quit
[SwitchD] ip route-static 192.168.0.0 255.255.255.0 172.16.2.1 //Configure routes to the network
segment assigned to the R&D department.
[SwitchD] ip route-static 192.168.1.0 255.255.255.0 172.16.2.1 //Configure routes to the network
segment assigned to the marketing department.
2. Configure network access rights for users after successful authentication.
[SwitchD] acl 3001 //Configure the post-authentication domain for R&D employees.
[SwitchD-acl-adv-3001] rule 1 permit ip //Allow R&D employees to access all resources.
[SwitchD-acl-adv-3001] quit
[SwitchD] acl 3002 //Configure the post-authentication domain for marketing employees.
[SwitchD-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0 //Prevent marketing employees
from accessing the code library.
[SwitchD-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0 //Prevent marketing employees
from accessing the issue tracking system.
[SwitchD-acl-adv-3002] rule 3 permit ip //Allow marketing employees to access other resources.
[SwitchD-acl-adv-3002] quit
3. Configure parameters for connecting to the RADIUS server.
[SwitchD] radius-server template policy //Create the RADIUS server template policy.
[SwitchD-radius-policy] radius-server authentication 172.16.1.1 1812 //Configure the IP address
and port number of the RADIUS authentication server.
[SwitchD-radius-policy] radius-server accounting 172.16.1.1 1813 //Configure the IP address and
port number of the RADIUS accounting server.
[SwitchD-radius-policy] radius-server shared-key cipher YsHsjx_202206 //Set the authentication
key and accounting key to YsHsjx_202206.
[SwitchD-radius-policy] quit
[SwitchD] aaa //Enter the AAA view.
[SwitchD-aaa] authentication-scheme auth //Configure the authentication scheme auth.
[SwitchD-aaa-authen-auth] authentication-mode radius //Set the authentication mode to RADIUS.
[SwitchD-aaa-authen-auth] quit
[SwitchD-aaa] accounting-scheme acco //Configure the accounting scheme acco.
[SwitchD-aaa-accounting-acco] accounting-mode radius //Set the accounting mode to RADIUS.
[SwitchD-aaa-accounting-acco] accounting realtime 15 //Set the real-time accounting interval to
15 minutes.
[SwitchD-aaa-accounting-acco] quit
[SwitchD-aaa] domain portal //Configure a domain.
[SwitchD-aaa-domain-portal] authentication-scheme auth //Bind the authentication scheme auth
to the domain.
[SwitchD-aaa-domain-portal] accounting-scheme acco //Bind the accounting scheme acco to the
domain.
[SwitchD-aaa-domain-portal] radius-server policy //Bind the RADIUS server template policy to the
domain.
[SwitchD-aaa-domain-portal] quit
[SwitchD-aaa] quit
[SwitchD] domain portal //Configure portal as the global default domain.
4. Configure parameters for connecting to the Portal server.
[SwitchD] web-auth-server portal_huawei //In V200R020C10SPC100 and later versions, you must
also run the web-auth-server server-source or server-source command to configure the local
gateway address used to receive and respond to the packets sent by the Portal server, so as to
implement Portal authentication.
[SwitchD-web-auth-server-portal_huawei] server-ip 172.16.1.1 //Set the Portal server IP address.
[SwitchD-web-auth-server-portal_huawei] source-ip 172.16.1.254 //Set the IP address that the
switch uses to communicate with the Portal server.
[SwitchD-web-auth-server-portal_huawei] port 50200 //Set the destination port number in the
packets that the switch sends to the Portal server to 50200, which is the same as the port number
that the Portal server uses to receive packets. The default destination port number on the switch is
50100, and you must change it to 50200 manually, so that it matches the port number on the Portal
server.
[SwitchD-web-auth-server-portal_huawei] shared-key cipher YsHsjx_202206 //Configure the
shared key for communication with the Portal server, which must be the same as that configured on
the Portal server.
[SwitchD-web-auth-server-portal_huawei] url http://access.example.com:8080/portal //Configure
the URL for the Portal authentication page, in which access.example.com indicates the host name of
the Portal server. The domain name is recommended in the URL so that the Portal authentication
page can be pushed to users faster and more securely. To use the domain name in the URL, you must
configure the mapping between this domain name access.example.com and Portal server IP address
on the DNS server in advance.
[SwitchD-web-auth-server-portal_huawei] quit
[SwitchD] web-auth-server listening-port 2000 //Configure the port number that the switch uses
to process Portal protocol packets. The default port number is 2000. If the port number is changed on
the server, change it accordingly on the switch.
[SwitchD] portal quiet-period //Enable the quiet function for Portal authentication users. If the
number of times that a Portal authentication user fails to be authenticated within 60 seconds exceeds
the specified value, the device discards the user's Portal authentication request packets for a period to
prevent impact of frequent authentication failures on the system.
[SwitchD] portal quiet-times 5 //Configure the maximum number of authentication failures within
60 seconds before the device quiets a Portal authentication user.
[SwitchD] portal timer quiet-period 240 //Set the quiet period to 240 seconds.

5. Enable Portal authentication.


# Set the NAC mode to unified.
[SwitchD] authentication unified-mode //Set the NAC mode to unified. By default, the switch
works in unified mode. After changing the NAC mode from common to unified, save the
configuration and restart the switch to make the configuration take effect.

# Configure a Portal access profile.


[SwitchD] portal-access-profile name web1
[SwitchD-portal-acces-profile-web1] web-auth-server portal_huawei layer3
[SwitchD-portal-acces-profile-web1] quit

# Configure an authentication-free rule profile and specify resources that


users can access without authentication.

NOTE

In versions earlier than V200R012C00, if the URL of the Portal server needs to be resolved by
DNS and the DNS server is on the upstream network of the NAS device, you also need to
create authentication-free rules and ensure that the DNS server is included in the
authentication-free rules. In V200R012C00 and later versions, the NAS device automatically
allows DNS packets to pass through and no authentication-free rule is required in Portal
authentication.
[SwitchD] free-rule-template name default_free_rule
[SwitchD-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.2 mask
255.255.255.255 //Configure authentication-free rules for Portal authentication users, so that these
users can access the DNS server before the authentication.
[SwitchD-free-rule-default_free_rule] free-rule 2 destination ip 172.16.1.3 mask
255.255.255.255 //Configure authentication-free rules for Portal authentication users, so that these
users can access the web server before the authentication.
[SwitchD-free-rule-default_free_rule] quit

# Configure an authentication profile.


[SwitchD] authentication-profile name p1
[SwitchD-authen-profile-p1] portal-access-profile web1 //Bind the Portal access profile web1.
[SwitchD-authen-profile-p1] quit

# Enable Portal authentication.


[SwitchD] interface vlanif 103
[SwitchD-Vlanif103] authentication-profile p1
[SwitchD-Vlanif103] quit
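As an added example that is not part of the Huawei guide, the following models the access decision the core switch makes with the rules built in Step 2: the free-rule-template for unauthenticated users (subnet-mask syntax), ACLs 3001 and 3002 for authenticated R&D and marketing users (wildcard-mask syntax, first match wins), and the Portal quiet period (quiet-times 5, 240 seconds). The default action when no rule matches, and treating the RADIUS/Portal server 172.16.1.1 as a permitted pre-authentication destination, are assumptions based on the page's notes.

```python
# Added example, not from the Huawei guide: a model of the core switch's
# access decision for a Portal user built from the page's own rules: the
# free-rule-template (pre-authentication, subnet masks), ACLs 3001/3002
# (post-authentication, wildcard masks, first match wins) and the
# portal quiet-period settings (quiet-times 5, 240 s). 172.16.1.1 is listed
# as a free rule because the page says RADIUS/Portal server packets pass by
# default. The default actions when no rule matches are assumptions.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    action: str                                   # "permit" or "deny"
    network: Optional[ipaddress.IPv4Network]      # None = any destination


def masked_rule(action: str, ip: str, mask: str) -> Rule:
    """free-rule syntax: 'destination ip 172.16.1.2 mask 255.255.255.255'
    takes a subnet mask (1 bits must match)."""
    return Rule(action, ipaddress.IPv4Network(f"{ip}/{mask}", strict=False))


def wildcard_rule(action: str, ip: str, wildcard: str) -> Rule:
    """ACL syntax: 'destination 172.16.1.4 0' takes a wildcard mask, the inverse
    of a subnet mask: 0 bits must match, so '0' means exactly one host."""
    wc = int(ipaddress.IPv4Address(wildcard)) if "." in wildcard else int(wildcard)
    if wc & (wc + 1):                      # only contiguous low-order 1 bits modelled
        raise ValueError("non-contiguous wildcard not modelled")
    prefix = 32 - wc.bit_length()
    return Rule(action, ipaddress.IPv4Network(f"{ip}/{prefix}", strict=False))


def evaluate(rules: List[Rule], dst: str, default: str) -> str:
    """First matching rule wins, as on the switch."""
    d = ipaddress.IPv4Address(dst)
    for r in rules:
        if r.network is None or d in r.network:
            return r.action
    return default


# free-rule-template default_free_rule, plus the server the page says is allowed by default
FREE_RULES = [masked_rule("permit", "172.16.1.1", "255.255.255.255"),   # RADIUS + Portal server
              masked_rule("permit", "172.16.1.2", "255.255.255.255"),   # free-rule 1: DNS server
              masked_rule("permit", "172.16.1.3", "255.255.255.255")]   # free-rule 2: web server

ACLS: Dict[int, List[Rule]] = {
    3001: [Rule("permit", None)],                               # R&D: rule 1 permit ip
    3002: [wildcard_rule("deny", "172.16.1.4", "0"),            # marketing: no code library
           wildcard_rule("deny", "172.16.1.5", "0"),            # no issue tracking system
           Rule("permit", None)],                               # rule 3 permit ip
}


def decide(authenticated: bool, acl_number: Optional[int], dst: str) -> str:
    """Before authentication only the free rules apply (other traffic is dropped
    or redirected to the Portal page); afterwards the ACL named in the RADIUS
    authorization result applies."""
    if not authenticated:
        return evaluate(FREE_RULES, dst, default="deny")
    return evaluate(ACLS[acl_number], dst, default="permit")   # assumed; page ACLs end in permit ip


class PortalQuietTracker:
    """portal quiet-period / quiet-times 5 / timer quiet-period 240: more than
    quiet_times failures inside a 60 s window quiets the user for quiet_period
    seconds, during which its authentication requests are discarded."""

    def __init__(self, quiet_times: int = 5, quiet_period: int = 240, window: int = 60):
        self.quiet_times, self.quiet_period, self.window = quiet_times, quiet_period, window
        self.failures: Dict[str, List[float]] = {}     # user -> failure timestamps
        self.quiet_until: Dict[str, float] = {}        # user -> end of quiet period

    def accept_request(self, user: str, now: float) -> bool:
        """False while the user is quieted: the request would be discarded."""
        return now >= self.quiet_until.get(user, 0.0)

    def record_failure(self, user: str, now: float) -> bool:
        """Returns True if this failure starts the quiet period."""
        recent = [t for t in self.failures.get(user, []) if now - t < self.window]
        recent.append(now)
        if len(recent) > self.quiet_times:
            self.quiet_until[user] = now + self.quiet_period
            self.failures[user] = []
            return True
        self.failures[user] = recent
        return False
```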

Step 3 Configure the Agile Controller-Campus.
1. Log in to the Agile Controller-Campus.
a. Open Internet Explorer, enter the Agile Controller-Campus address in the
address box, and press Enter.
The following table provides two types of Agile Controller-Campus
addresses.

Address Format | Description
https://Agile Controller-Campus-IP:8443 | In the address, Agile Controller-Campus-IP indicates the Agile Controller-Campus IP address.
Agile Controller-Campus IP address | If port 80 is enabled during installation, you can access the Agile Controller-Campus by simply entering its IP address without the port number. The Agile Controller-Campus address will automatically change to https://Agile Controller-Campus-IP:8443.

b. Enter the administrator account and password.


2. Create departments and accounts. The following describes how to create the
R&D department. Create the Marketing department similarly.
a. Choose Resource > User > User Management.
b. Click the Department tab in the operation area on the right. Then click
Add under the Department tab, and add the department R&D.

c. Click the User tab in the operation area on the right. Then click Add
under the User tab, and add the user A.


d. Click in the Operation column on the right of user A. The Account


Management page is displayed. Click Add, and create a common
account A-123 with the password YsHsjx_202207.


e. On the User tab page, select user A and click Transfer to add user A to
the R&D department.


3. Add a switch to the Agile Controller-Campus and configure related
parameters to ensure normal communication between the Agile Controller-
Campus and switch.
a. Choose Resource > Device > Device Management.
b. Click Add.
c. Configure parameters for the switch.

Parameter | Value | Description
Name | SW | -
IP Address | 172.16.1.254 | The interface must be able to communicate with the SC.
Device series | Huawei Quidway Series | -
Authentication Key | YsHsjx_202206 | It must be the same as the shared key of the RADIUS authentication server configured on the switch.
Charging Key | YsHsjx_202206 | It must be the same as the shared key of the RADIUS accounting server configured on the switch.
Real-time charging interval (minute) | 15 | It must be the same as the real-time accounting interval configured on the switch.
Port | 2000 | This is the port that the switch uses to communicate with the Portal server. Retain the default value.
Portal Key | YsHsjx_202206 | It must be the same as the Portal shared key configured on the switch.
Allowed IP Addresses | 192.168.0.1/24; 192.168.1.1/24 | -


d. Click OK.
4. Configure employee authorization. This example describes how to configure
R&D employee authorization. The configuration procedure for marketing
employees is the same, except that the network resources the two types of
employees can access are different.
a. Choose Policy > Permission Control > Authentication and
Authorization > Authorization Result, and configure resources that
R&D employees can access after authentication and authorization.
Parameter | Value | Description
Name | R&D employee post-authentication domain | -
Service Type | Access Service | -
ACL Number/AAA User Group | 3001 | The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.


b. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and specify the authorization conditions for R&D employees.

Parameter | Value | Description
Name | R&D employee authorization rule | -
Service Type | Access User | -
Department | R&D | -
Authorization Result | R&D employee post-authentication domain | -


Step 4 Verify the configuration.


● Employees can access only the Agile Controller-Campus, DNS, and web
servers before authentication.
● The Portal authentication page is pushed to an employee when the employee
attempts to visit an Internet website. After the employee enters the correct
account and password, the requested web page is displayed.
● R&D employee A can access the Internet, code library, and issue tracking
system after authentication. Marketing employee B can access the Internet
but not the code library and issue tracking system after authentication.


● After an employee is authenticated, run the display access-user command on the switch. The command output shows that the employee is online.

----End

Configuration Files
# Configuration file of the access switch for the employee department (The
configuration file of the access switch for the marketing department is similar.)
#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
return

# Configuration file of the aggregation switch
#
sysname SwitchC
#
vlan batch 101 to 103
#
dhcp enable
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif103
ip address 172.16.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 103
#
ip route-static 172.16.1.0 255.255.255.0 172.16.2.2
#
return

# Configuration file of the core switch
#
sysname SwitchD
#
vlan batch 103 to 104


#
authentication-profile name p1
portal-access-profile web1
#
domain portal
#
radius-server template policy
radius-server shared-key cipher %#%#1*yT+0O\X;V}hP,G^TMN7mTXA^mIz)SoR:86;lNK%#%#
radius-server authentication 172.16.1.1 1812 weight 80
radius-server accounting 172.16.1.1 1813 weight 80
#
acl number 3001
rule 1 permit ip
acl number 3002
rule 1 deny ip destination 172.16.1.4 0
rule 2 deny ip destination 172.16.1.5 0
rule 3 permit ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
#
web-auth-server portal_huawei
server-ip 172.16.1.1
port 50200
shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
url http://access.***.com:8080/portal
source-ip 172.16.1.254
#
portal-access-profile name web1
web-auth-server portal_huawei layer3
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif103
ip address 172.16.2.2 255.255.255.0
authentication-profile p1
#
interface Vlanif104
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 103
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 104
#
ip route-static 192.168.0.0 255.255.255.0 172.16.2.1
ip route-static 192.168.1.0 255.255.255.0 172.16.2.1
#
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return
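The parameter tables in this example repeatedly require the ports, the accounting interval, the ACL numbers and the server addresses on the switch to match what is entered on the Agile Controller-Campus; a single mismatch leaves users unable to authenticate or, worse, without the intended post-authentication restrictions. The following Python script is an added example, not part of this Huawei document: it parses a condensed copy of the SwitchD configuration file above and compares the extracted values against the controller-side values from the tables. The `CONTROLLER` dictionary layout, the function names and the cipher-text placeholders are assumptions of this example. Note that the shared keys appear only as cipher text in the configuration file, so a key mismatch is the one item this check cannot detect.

```python
import re

# Constructed sample: a condensed copy of the SwitchD configuration file above. The
# cipher-text shared keys are replaced by placeholders; the switch never shows them
# in clear text, so a key mismatch cannot be detected from the file alone.
SWITCH_CONFIG = """\
radius-server template policy
 radius-server shared-key cipher %#%#<cipher placeholder>%#%#
 radius-server authentication 172.16.1.1 1812 weight 80
 radius-server accounting 172.16.1.1 1813 weight 80
#
acl number 3001
 rule 1 permit ip
acl number 3002
 rule 1 deny ip destination 172.16.1.4 0
 rule 2 deny ip destination 172.16.1.5 0
 rule 3 permit ip
#
free-rule-template name default_free_rule
 free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
 free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
#
web-auth-server portal_huawei
 server-ip 172.16.1.1
 port 50200
 shared-key cipher %#%#<cipher placeholder>%#%#
 source-ip 172.16.1.254
#
aaa
 accounting-scheme acco
  accounting-mode radius
  accounting realtime 15
#
"""

# Controller-side values from the parameter tables (assumed dictionary layout).
CONTROLLER = {
    "device_ip": "172.16.1.254",      # IP Address entered when adding the switch
    "auth_port": 1812,                # Authentication port
    "acct_port": 1813,                # Accounting port
    "realtime_minutes": 15,           # Real-time charging interval
    "listen_port": 2000,              # Port the switch listens on for Portal packets
    "portal_server_port": 50200,      # Port the Portal server receives packets on
    "authorization_acls": {3001},     # ACL number entered in the authorization result
    "pre_auth_servers": {"172.16.1.2", "172.16.1.3"},  # DNS and web servers
}


def parse_switch_config(text):
    """Pull out the NAS-side values that must agree with the controller."""
    f = {"acls": set(), "free_dsts": set(), "listen_port": 2000, "portal": {}}
    in_portal = False
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            in_portal = False            # an unindented line ends the template block
        if in_portal:
            m = re.match(r"(server-ip|port|source-ip) (\S+)$", line)
            if m:
                f["portal"][m.group(1)] = m.group(2)
        elif (m := re.match(r"radius-server (authentication|accounting) (\S+) (\d+)", line)):
            f[m.group(1)] = (m.group(2), int(m.group(3)))
        elif (m := re.match(r"accounting realtime (\d+)$", line)):
            f["realtime"] = int(m.group(1))
        elif (m := re.match(r"acl (?:number )?(\d+)$", line)):
            f["acls"].add(int(m.group(1)))
        elif (m := re.match(r"free-rule \d+ destination ip (\S+) mask", line)):
            f["free_dsts"].add(m.group(1))
        elif (m := re.match(r"web-auth-server listening-port (\d+)$", line)):
            f["listen_port"] = int(m.group(1))
        elif re.match(r"web-auth-server \S+$", line):
            in_portal = True             # following indented lines belong to the template
    return f


def check_consistency(f, ctrl):
    """Return the labels of every value on which the two sides disagree."""
    p = f["portal"]
    checks = [
        (f.get("authentication", ("", 0))[1] == ctrl["auth_port"], "RADIUS authentication port"),
        (f.get("accounting", ("", 0))[1] == ctrl["acct_port"], "RADIUS accounting port"),
        (f.get("realtime") == ctrl["realtime_minutes"], "real-time accounting interval"),
        # the switch default is 50100, which is why the missing-value fallback is 50100
        (int(p.get("port", 50100)) == ctrl["portal_server_port"], "Portal server port"),
        (f["listen_port"] == ctrl["listen_port"], "Portal listening port on the switch"),
        (p.get("source-ip") == ctrl["device_ip"], "switch source-ip vs. device IP on the controller"),
        (ctrl["authorization_acls"] <= f["acls"], "ACL referenced by the authorization result"),
        (ctrl["pre_auth_servers"] <= f["free_dsts"], "free-rule for every pre-authentication server"),
    ]
    return [label for ok, label in checks if not ok]


def audit(config_text, ctrl=CONTROLLER):
    """Parse a switch configuration and list its mismatches with the controller data."""
    return check_consistency(parse_switch_config(config_text), ctrl)


if __name__ == "__main__":
    print(audit(SWITCH_CONFIG) or "switch and controller data agree")
```

Run the script against a saved `display current-configuration` output instead of the embedded sample to audit a real deployment; an empty list means every value the check knows about agrees, and the shared keys still have to be confirmed on the controller side.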


3.14.2.2 Configuring Portal Authentication for Access Users on Huawei Agile Controller-Campus (Authentication Point on Aggregation Switch)
This section includes the following content:
● Introduction to Portal authentication
● Networking Requirements
● Configuration Logic
● Configuration Notes
● Data Plan
● Procedure
● Configuration Files

Introduction to Portal authentication

Portal authentication is also called web authentication. When a user accesses the network, the user must first be authenticated on the Portal website. If the authentication fails, the user can access only certain network resources. After the authentication succeeds, the user can access other network resources. Portal authentication has the following advantages:

● Ease of use: In most cases, Portal authentication does not require the client to
have additional software installed and allows the client to be directly
authenticated on a web page.
● Convenient operations: Portal authentication achieves service expansion on
the Portal page, including advertisement push, responsibility announcement,
and enterprise publicity.
● Mature technology: Portal authentication has been widely used in networks of
carriers, fast food chains, hotels, and schools.
● Flexible deployment: Portal authentication implements access control at the
access layer or at the ingress of key data.
● Flexible user management: Portal authentication can be performed on users
based on the combination of user names and any one of VLANs, IP addresses,
and MAC addresses.

Enterprises often choose Portal authentication for guests because guest users change frequently.

Networking Requirements
An enterprise needs to deploy an identity authentication system to control
employees' network access rights and allow only authorized users to access the
network. The enterprise has the following requirements:
● The authentication operations should be simple. The authentication system
only performs access authorization. Minimum client software is installed on
user terminals.
● Moderate security control is required. To facilitate maintenance, a moderate
number of authentication points need to be deployed on the aggregation
switch.


● A unified identity authentication mechanism is used to authenticate all terminals accessing the campus network and deny access from unauthorized terminals.
● R&D employees can connect only to public servers (such as the web and DNS
servers) of the enterprise before the authentication, and can connect to both
the intranet (code library and issue tracking system) and Internet after being
authenticated.
● Marketing employees can connect only to public servers (such as the web and
DNS servers) of the enterprise before the authentication, and can connect
only to the Internet after being authenticated.

Figure 3-207 Portal authentication deployed at the aggregation layer


Configuration Logic

Figure 3-208 Configuration logic of Huawei switch

Table 3-102 Configuration logic of Huawei Agile Controller-Campus

Item | Description
Creating a department and an account | -
Adding switches | Set parameters for switches connected to the Agile Controller-Campus.
(Optional) Adding an authentication rule | Configure the conditions for users to pass the authentication. If no authentication rule is created, the default authentication rule (that allows all users to pass the authentication) of the Agile Controller-Campus is used.
Adding an authorization result | Create network access right profiles so that users granted with different profiles have different network access rights.
Adding an authorization rule | Select network access right profiles and users in an authorization rule so that specified network access rights are granted to specific users.


Configuration Notes
● This configuration example applies to all switches running V200R009C00 or a
later version.
● Huawei's Agile Controller-Campus in V100R001 functions as the Portal server
and RADIUS server in this example. For the Agile Controller-Campus, the
required version is V100R001, V100R002, or V100R003.
● The RADIUS authentication and accounting shared keys and Portal shared key
on the switch must be the same as those on the Agile Controller-Campus
server.
● By default, the switch allows the packets from RADIUS and Portal servers to
pass. You do not need to configure authentication-free rules for the two
servers on the switch.
● When you run the access-user arp-detect command to configure the IP
address and MAC address of the user gateway as the source IP address and
source MAC address of user offline detection packets, ensure that the MAC
address of the gateway remains unchanged, especially in active/standby
switchover scenarios. If the gateway MAC address is changed, ARP entries of
terminals will be incorrect on the device, and the terminals cannot
communicate with the device.

Data Plan

Table 3-103 VLAN plan

VLAN ID | Function
101 | VLAN for R&D employees
102 | VLAN for marketing employees
103 | VLAN to which interfaces connecting to the servers belong

Table 3-104 Network data plan

Item | Data | Description
Access switch (connecting to the R&D department) | Interface number: GE0/0/1; VLAN: 101 | Connects to employees' PCs.
Access switch (connecting to the R&D department) | Interface number: GE0/0/2; VLAN: 101 | Connects to the aggregation switch.
Access switch (connecting to the marketing department) | Interface number: GE0/0/1; VLAN: 102 | Connects to employees' PCs.
Access switch (connecting to the marketing department) | Interface number: GE0/0/2; VLAN: 102 | Connects to the aggregation switch.
Aggregation switch | Interface number: GE1/0/1; VLAN: 101 | Connects to the access switch of the R&D department.
Aggregation switch | VLANIF101 IP address: 192.168.0.1 | Functions as the gateway for R&D employees.
Aggregation switch | Interface number: GE1/0/2; VLAN: 102 | Connects to the access switch of the marketing department.
Aggregation switch | VLANIF102 IP address: 192.168.1.1 | Functions as the gateway for marketing employees.
Aggregation switch | Interface number: GE1/0/3; VLAN: 103 | Connects to the enterprise server area.
Aggregation switch | VLANIF103 IP address: 172.16.1.254 | Functions as the gateway for servers.
Server | Agile Controller-Campus (RADIUS server + Portal server) IP address: 172.16.1.1 | -
Server | DNS server IP address: 172.16.1.2 | -
Server | Web server IP address: 172.16.1.3 | -
Server | Code library IP address: 172.16.1.4 | -
Server | Issue tracking system IP address: 172.16.1.5 | -

Table 3-105 Service data plan

Item | Data | Description
Aggregation switch | Number of the ACL for R&D employees' post-authentication domain: 3001 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
Aggregation switch | Number of the ACL for marketing employees' post-authentication domain: 3002 | You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
Aggregation switch | Authentication server: IP address 172.16.1.1; port number 1812; RADIUS shared key YsHsjx_202206. Accounting server: IP address 172.16.1.1; port number 1813; RADIUS shared key YsHsjx_202206; accounting interval 15. Portal server: IP address 172.16.1.1; port number that the switch uses to process Portal protocol packets 2000; destination port number in the packets that the switch sends to the Portal server 50200; Portal authentication shared key YsHsjx_202206 | The Service Controller (SC) of the Agile Controller-Campus integrates the RADIUS server and Portal server. Therefore, the IP addresses of the authentication server, accounting server, authorization server, and Portal server are all the SC's IP address. Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as the authentication and accounting port numbers of the RADIUS server. Configure an authorization server to enable the RADIUS server to deliver authorization rules to the switch. The RADIUS shared key of the authorization server must be the same as those of the authentication server and accounting server.
Agile Controller-Campus | Host name: access.example.com | Users can use the domain name to access the Portal server.
Agile Controller-Campus | Device IP address: 172.16.1.254 | -
Agile Controller-Campus | Authentication port: 1812 | -
Agile Controller-Campus | Accounting port: 1813 | -
Agile Controller-Campus | RADIUS shared key: YsHsjx_202206 | The RADIUS shared key must be the same as that configured on the switch.
Agile Controller-Campus | Port number that the Portal server uses to receive packets: 50200 | -
Agile Controller-Campus | Portal shared key: YsHsjx_202206 | It must be the same as the Portal authentication shared key configured on the switch.
Agile Controller-Campus | Department: R&D (user A, account A-123, password YsHsjx_202207); Department: Marketing (user B, account B-123, password YsHsjx_202207) | Two departments and two corresponding accounts have been created on the Agile Controller-Campus: the R&D department with R&D employee account A-123, and the Marketing department with marketing employee account B-123.
Pre-authentication domain | Agile Controller-Campus (including RADIUS server and Portal server), DNS server, and web server | -
Post-authentication domain | R&D employees: code library, issue tracking system, and Internet; marketing employees: Internet | -
Procedure
Step 1 Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting
to the R&D department. The configuration for SwitchB, the access switch
connecting to the marketing department, is similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Interface connected to the aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit


Step 2 Configure the aggregation switch.


1. Create VLANs and configure the VLANs allowed by interfaces so that packets
can be forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] dhcp enable //Enable the DHCP service.
[SwitchC] vlan batch 101 to 103
[SwitchC] interface gigabitethernet 1/0/1 //Interface connected to the access switch of the R&D department
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 101
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface vlanif 101
[SwitchC-Vlanif101] ip address 192.168.0.1 255.255.255.0 //IP address segment assigned to R&D employees
[SwitchC-Vlanif101] dhcp select interface
[SwitchC-Vlanif101] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif101] quit
[SwitchC] interface gigabitethernet 1/0/2 //Interface connected to the access switch of the marketing department
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[SwitchC-GigabitEthernet1/0/2] quit
[SwitchC] interface vlanif 102
[SwitchC-Vlanif102] ip address 192.168.1.1 255.255.255.0 //IP address segment assigned to marketing employees
[SwitchC-Vlanif102] dhcp select interface
[SwitchC-Vlanif102] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif102] quit
[SwitchC] interface gigabitethernet 1/0/3 //Interface connected to the server area
[SwitchC-GigabitEthernet1/0/3] port link-type access
[SwitchC-GigabitEthernet1/0/3] port default vlan 103
[SwitchC-GigabitEthernet1/0/3] quit
[SwitchC] interface vlanif 103
[SwitchC-Vlanif103] ip address 172.16.1.254 255.255.255.0 //Configure the gateway address for the server area.
[SwitchC-Vlanif103] quit

2. Configure network access rights for users after successful authentication.


[SwitchC] acl 3001 //Configure the post-authentication domain for R&D employees.
[SwitchC-acl-adv-3001] rule 1 permit ip //Allow R&D employees to access all resources.
[SwitchC-acl-adv-3001] quit
[SwitchC] acl 3002 //Configure the post-authentication domain for marketing employees.
[SwitchC-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0 //Prevent marketing employees from accessing the code library.
[SwitchC-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0 //Prevent marketing employees from accessing the issue tracking system.
[SwitchC-acl-adv-3002] rule 3 permit ip //Allow marketing employees to access other resources.
[SwitchC-acl-adv-3002] quit
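These two ACLs are what actually separates the R&D and marketing post-authentication domains, so their effect is worth verifying before the numbers are entered on the controller. The following Python script is an added example, not part of this Huawei document: it parses a constructed copy of the two ACLs, applies the wildcard-mask matching and first-match semantics the rules rely on (the shorthand wildcard 0 means an exact host match), and reports the verdict for every destination in the data plan. The group and destination tables, the function names, and the RFC 5737 documentation address standing in for an Internet host are assumptions of the example.

```python
import ipaddress
import re

# Constructed copy of the two advanced ACLs configured in this step.
ACL_CONFIG = """\
acl 3001
 rule 1 permit ip
acl 3002
 rule 1 deny ip destination 172.16.1.4 0
 rule 2 deny ip destination 172.16.1.5 0
 rule 3 permit ip
"""

# Destinations from the data plan; 203.0.113.10 is a documentation address
# standing in for an arbitrary Internet host (constructed for this example).
DESTINATIONS = {
    "dns": "172.16.1.2",
    "web": "172.16.1.3",
    "code library": "172.16.1.4",
    "issue tracker": "172.16.1.5",
    "internet": "203.0.113.10",
}

# Post-authentication ACL assigned to each employee group (from the service data plan).
GROUPS = {"R&D": 3001, "marketing": 3002}


def parse_acls(text):
    """Return {acl_number: [(rule_id, action, dst_base, dst_wildcard), ...]}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"acl (?:number )?(\d+)$", line)
        if m:
            current = int(m.group(1))
            acls[current] = []
            continue
        m = re.match(r"rule (\d+) (permit|deny) ip(?: destination (\S+) (\S+))?$", line)
        if m and current is not None:
            rid, action, base, wc = m.groups()
            acls[current].append((int(rid), action, base, wc))
    for rules in acls.values():
        rules.sort()               # rule ids give the match order used here
    return acls


def _ip_int(text):
    # Huawei prints the wildcard 0.0.0.0 as the shorthand "0"; expand it before parsing.
    return int(ipaddress.IPv4Address("0.0.0.0" if text == "0" else text))


def wildcard_match(addr, base, wildcard):
    """Wildcard-mask comparison: a 1 bit in the wildcard means 'do not care'."""
    care = 0xFFFFFFFF ^ _ip_int(wildcard)
    return (_ip_int(addr) ^ _ip_int(base)) & care == 0


def evaluate(acls, acl_number, dst):
    """First matching rule wins; returns 'permit', 'deny', or None if nothing matched."""
    for _, action, base, wc in acls[acl_number]:
        if base is None or wildcard_match(dst, base, wc):
            return action
    return None


def access_matrix(acls, groups=GROUPS, destinations=DESTINATIONS):
    """Verdict of each group's post-authentication ACL for every destination."""
    return {
        group: {name: evaluate(acls, acl_no, ip) for name, ip in destinations.items()}
        for group, acl_no in groups.items()
    }


if __name__ == "__main__":
    for group, verdicts in access_matrix(parse_acls(ACL_CONFIG)).items():
        print(group, verdicts)
```

Both ACLs end with a permit-all rule, so no destination falls through to `None`; if a rule set without such a final rule is evaluated, the caller has to supply the device's default action for unmatched packets.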

3. Configure parameters for connecting to the RADIUS server.


[SwitchC] radius-server template policy //Create the RADIUS server template policy.
[SwitchC-radius-policy] radius-server authentication 172.16.1.1 1812 source ip-address 172.16.1.254 //Configure the IP address and port number of the RADIUS authentication server.
[SwitchC-radius-policy] radius-server accounting 172.16.1.1 1813 source ip-address 172.16.1.254 //Configure the IP address and port number of the RADIUS accounting server.
[SwitchC-radius-policy] radius-server shared-key cipher YsHsjx_202206 //Set the authentication key and accounting key to YsHsjx_202206.
[SwitchC-radius-policy] quit
[SwitchC] aaa //Enter the AAA view.
[SwitchC-aaa] authentication-scheme auth //Configure the authentication scheme auth.
[SwitchC-aaa-authen-auth] authentication-mode radius //Set the authentication mode to RADIUS.
[SwitchC-aaa-authen-auth] quit
[SwitchC-aaa] accounting-scheme acco //Configure the accounting scheme acco.
[SwitchC-aaa-accounting-acco] accounting-mode radius //Set the accounting mode to RADIUS.
[SwitchC-aaa-accounting-acco] accounting realtime 15 //Set the real-time accounting interval to 15 minutes.
[SwitchC-aaa-accounting-acco] quit


[SwitchC-aaa] domain portal //Configure a domain.
[SwitchC-aaa-domain-portal] authentication-scheme auth //Bind the authentication scheme auth to the domain.
[SwitchC-aaa-domain-portal] accounting-scheme acco //Bind the accounting scheme acco to the domain.
[SwitchC-aaa-domain-portal] radius-server policy //Bind the RADIUS server template policy to the domain.
[SwitchC-aaa-domain-portal] quit
[SwitchC-aaa] quit
[SwitchC] domain portal //Configure portal as the global default domain.

4. Configure parameters for connecting to the Portal server.


[SwitchC] web-auth-server portal_huawei //Configure the Portal server template portal_huawei. In V200R020C10SPC100 and later versions, you must also run the web-auth-server server-source or server-source command to configure the local gateway address used to receive and respond to the packets sent by the Portal server, so as to implement Portal authentication.
[SwitchC-web-auth-server-portal_huawei] server-ip 172.16.1.1 //Set the Portal server IP address.
[SwitchC-web-auth-server-portal_huawei] source-ip 172.16.1.254 //Set the IP address that the switch uses to communicate with the Portal server.
[SwitchC-web-auth-server-portal_huawei] port 50200 //Set the destination port number in the packets that the switch sends to the Portal server to 50200, which is the same as the port number that the Portal server uses to receive packets. The default destination port number on the switch is 50100, and you must change it to 50200 manually so that it matches the port number on the Portal server.
[SwitchC-web-auth-server-portal_huawei] shared-key cipher YsHsjx_202206 //Configure the shared key for communication with the Portal server, which must be the same as that configured on the Portal server.
[SwitchC-web-auth-server-portal_huawei] url http://access.example.com:8080/portal //Configure the URL of the Portal authentication page, in which access.example.com is the host name of the Portal server. Using the domain name in the URL is recommended so that the Portal authentication page can be pushed to users faster and more securely. To use the domain name in the URL, you must configure the mapping between the domain name access.example.com and the Portal server IP address on the DNS server in advance.
[SwitchC-web-auth-server-portal_huawei] quit
[SwitchC] web-auth-server listening-port 2000 //Configure the port number that the switch uses to process Portal protocol packets. The default port number is 2000. If the port number is changed on the server, change it accordingly on the switch.
[SwitchC] portal quiet-period //Enable the quiet function for Portal authentication users. If the number of times that a Portal authentication user fails to be authenticated within 60 seconds exceeds the specified value, the device discards the user's Portal authentication request packets for a period to prevent frequent authentication failures from affecting the system.
[SwitchC] portal quiet-times 5 //Configure the maximum number of authentication failures within 60 seconds before the device quiets a Portal authentication user.
[SwitchC] portal timer quiet-period 240 //Set the quiet period to 240 seconds.
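The quiet function is the switch's protection against a client that hammers the Portal server with failed logins: once failures within the 60-second window exceed quiet-times, the client's authentication requests are discarded for quiet-period seconds. The following Python model is an added example, not part of this Huawei document; it replays a constructed event log through that rule with the values configured above (quiet-times 5, quiet-period 240). Whether the device treats the threshold as "reaches" or "exceeds", and how it keys the per-user state, are assumptions of this model, as are the client names and timestamps.

```python
from collections import defaultdict, deque


class PortalQuietState:
    """Per-user failure window and quiet timer, modelled on the portal quiet-period
    commands above (defaults are the values configured on SwitchC)."""

    def __init__(self, quiet_times=5, quiet_period=240, window=60):
        self.quiet_times = quiet_times      # portal quiet-times 5
        self.quiet_period = quiet_period    # portal timer quiet-period 240 (seconds)
        self.window = window                # the 60-second counting window named above
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.quiet_until = {}               # user -> time at which the quiet period ends

    def should_process(self, user, now):
        """False while the user is quiet, i.e. the request packet is discarded."""
        until = self.quiet_until.get(user)
        if until is None:
            return True
        if now < until:
            return False
        del self.quiet_until[user]          # quiet period over: start with a clean counter
        self.failures[user].clear()
        return True

    def record_failure(self, user, now):
        """Count a failed attempt; True if this failure put the user into quiet state."""
        recent = self.failures[user]
        recent.append(now)
        while recent and now - recent[0] >= self.window:
            recent.popleft()                # forget failures older than the window
        if len(recent) > self.quiet_times:  # assumption: "exceeds" means strictly more
            self.quiet_until[user] = now + self.quiet_period
            recent.clear()
            return True
        return False


# Constructed event log: (seconds, client, result of the credential check if processed).
EVENTS = [
    (0, "client-A", "fail"), (0, "client-C", "fail"),
    (1, "client-A", "fail"), (2, "client-A", "fail"), (3, "client-A", "fail"),
    (4, "client-A", "fail"),     # fifth failure in 60 s: still allowed to retry
    (5, "client-A", "fail"),     # sixth failure in 60 s: client-A is quieted for 240 s
    (10, "client-C", "fail"), (20, "client-C", "fail"), (30, "client-C", "fail"),
    (40, "client-C", "fail"),
    (50, "client-B", "fail"),    # other clients are counted separately
    (70, "client-C", "fail"),    # failures at 0 s and 10 s have aged out: only 4 in window
    (100, "client-A", "ok"),     # still quiet: the request is discarded unseen
    (245, "client-A", "ok"),     # quiet period (5 + 240) over: processed normally
]


def simulate(events, state=None):
    """Replay events in time order; return [(t, user, decision)] where decision is one
    of 'dropped', 'quieted', 'failed' or 'accepted'."""
    state = state or PortalQuietState()
    out = []
    for t, user, result in sorted(events, key=lambda e: e[0]):
        if not state.should_process(user, t):
            out.append((t, user, "dropped"))
        elif result == "fail":
            out.append((t, user, "quieted" if state.record_failure(user, t) else "failed"))
        else:
            out.append((t, user, "accepted"))
    return out


if __name__ == "__main__":
    for row in simulate(EVENTS):
        print("%4ds %-8s %s" % row)
```

The sliding window is what makes client-C's sixth failure at 70 s harmless: only the failures from the last 60 seconds count, so a slow trickle of mistyped passwords never triggers the quiet state, while client-A's burst does.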

5. Enable Portal authentication and configure network access rights for users in
the pre-authentication domain and post-authentication domain.
# Set the NAC mode to unified.
[SwitchC] authentication unified-mode //Set the NAC mode to unified. By default, the switch works in unified mode. After changing the NAC mode from common to unified, save the configuration and restart the switch to make the configuration take effect.

# Configure a Portal access profile.
[SwitchC] portal-access-profile name web1
[SwitchC-portal-acces-profile-web1] web-auth-server portal_huawei direct
[SwitchC-portal-acces-profile-web1] quit

# Configure an authentication-free rule profile and specify resources that users can access without authentication.

NOTE
In versions earlier than V200R012C00, if the URL of the Portal server needs to be resolved by DNS and the DNS server is on the upstream network of the NAS device, you also need to create authentication-free rules and ensure that the DNS server is included in the authentication-free rules. In V200R012C00 and later versions, the NAS device automatically allows DNS packets to pass through and no authentication-free rule is required in Portal authentication.

[SwitchC] free-rule-template name default_free_rule
[SwitchC-free-rule-default_free_rule] free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255 //Configure an authentication-free rule for Portal authentication users, so that these users can access the DNS server before the authentication.
[SwitchC-free-rule-default_free_rule] free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255 //Configure an authentication-free rule for Portal authentication users, so that these users can access the web server before the authentication.
[SwitchC-free-rule-default_free_rule] quit

# Configure an authentication profile.
[SwitchC] authentication-profile name p1
[SwitchC-authen-profile-p1] portal-access-profile web1 //Bind the Portal access profile web1.
[SwitchC-authen-profile-p1] quit

# Enable Portal authentication.
[SwitchC] interface vlanif 101
[SwitchC-Vlanif101] authentication-profile p1 //Enable Portal authentication on the interface connecting to the R&D department.
[SwitchC-Vlanif101] quit
[SwitchC] interface vlanif 102
[SwitchC-Vlanif102] authentication-profile p1 //Enable Portal authentication on the interface connecting to the marketing department.
[SwitchC-Vlanif102] quit

# (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets. This function does not take effect for users who use Layer 3 Portal authentication.
[SwitchC] access-user arp-detect vlan 101 ip-address 192.168.0.1 mac-address 00e0-fc12-3456
[SwitchC] access-user arp-detect vlan 102 ip-address 192.168.1.1 mac-address 00e0-fc12-3456

Step 3 Configure the Agile Controller-Campus.

1. Log in to the Agile Controller-Campus.
a. Open Internet Explorer, enter the Agile Controller-Campus address in the address box, and press Enter.
The following table provides two types of Agile Controller-Campus addresses.

Address Format | Description
https://Agile Controller-Campus-IP:8443 | In the address, Agile Controller-Campus-IP indicates the Agile Controller-Campus IP address.
Agile Controller-Campus IP address | If port 80 is enabled during installation, you can access the Agile Controller-Campus by simply entering its IP address without the port number. The Agile Controller-Campus address will automatically change to https://Agile Controller-Campus-IP:8443.

b. Enter the administrator account and password.


2. Create departments and accounts. The following describes how to create the
R&D department. Create the Marketing department similarly.
a. Choose Resource > User > User Management.
b. Click the Department tab in the operation area on the right. Then click
Add under the Department tab, and add the department R&D.

c. Click the User tab in the operation area on the right. Then click Add
under the User tab, and add the user A.


d. Click in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password YsHsjx_202207.


e. On the User tab page, select user A and click Transfer to add user A to
the R&D department.


3. Add a switch to the Agile Controller-Campus and configure related parameters to ensure normal communication between the Agile Controller-Campus and switch.
a. Choose Resource > Device > Device Management.
b. Click Add.
c. Configure parameters for the switch.

Parameter | Value | Description
Name | SW | -
IP Address | 172.16.1.254 | The interface must be able to communicate with the SC.
Device series | Huawei Quidway Series | -
Authentication Key | YsHsjx_202206 | It must be the same as the shared key of the RADIUS authentication server configured on the switch.
Charging Key | YsHsjx_202206 | It must be the same as the shared key of the RADIUS accounting server configured on the switch.
Real-time charging interval (minute) | 15 | It must be the same as the real-time accounting interval configured on the switch.
Port | 2000 | This is the port that the switch uses to communicate with the Portal server. Retain the default value.
Portal Key | YsHsjx_202206 | It must be the same as the Portal shared key configured on the switch.
Allowed IP Addresses | 192.168.0.1/24; 192.168.1.1/24 | -


d. Click OK.
4. Configure employee authorization. This example describes how to configure
R&D employee authorization. The configuration procedure for marketing
employees is the same, except that the network resources the two types of
employees can access are different.
a. Choose Policy > Permission Control > Authentication and
Authorization > Authorization Result, and configure resources that
R&D employees can access after authentication and authorization.

Parameter | Value | Description
Name | R&D employee post-authentication domain | -
Service Type | Access Service | -
ACL Number/AAA User Group | 3001 | The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.


b. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and specify the authorization conditions for R&D employees.

Parameter | Value | Description
Name | R&D employee authorization rule | -
Service Type | Access User | -
Department | R&D | -
Authorization Result | R&D employee post-authentication domain | -


Step 4 Verify the configuration.
● Employees can access only the Agile Controller-Campus, DNS, and web servers before authentication.
● The Portal authentication page is pushed to an employee when the employee
attempts to visit an Internet website. After the employee enters the correct
account and password, the requested web page is displayed.
● R&D employee A can access the Internet, code library, and issue tracking
system after authentication. Marketing employee B can access the Internet
but not the code library and issue tracking system after authentication.

● After an employee is authenticated, run the display access-user command on the switch. The command output shows that the employee is online.

----End

Configuration Files
# Configuration file of the access switch for the R&D department
#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
return

# Configuration file of the access switch for the marketing department
#
sysname SwitchB
#
vlan batch 102
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
return

# Configuration file of the aggregation switch
#
sysname SwitchC
#
vlan batch 101 to 103
#
authentication-profile name p1
portal-access-profile web1
#
domain portal
#
access-user arp-detect vlan 101 ip-address 192.168.0.1 mac-address 00e0-fc12-3456
access-user arp-detect vlan 102 ip-address 192.168.1.1 mac-address 00e0-fc12-3456
#
dhcp enable
#
radius-server template policy
radius-server shared-key cipher %#%#lJIB8CQ<:A;x$h2V5+;+C>HwC+@XAL)ldpQI}:$X%#%#
radius-server authentication 172.16.1.1 1812 source ip-address 172.16.1.254 weight 80
radius-server accounting 172.16.1.1 1813 source ip-address 172.16.1.254 weight 80
#
acl number 3001
rule 1 permit ip
acl number 3002
rule 1 deny ip destination 172.16.1.4 0
rule 2 deny ip destination 172.16.1.5 0
rule 3 permit ip
#
free-rule-template name default_free_rule
free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
#
web-auth-server portal_huawei
server-ip 172.16.1.1
port 50200
shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
url http://access.***.com:8080/portal
source-ip 172.16.1.254
#
portal-access-profile name web1
web-auth-server portal_huawei direct
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
authentication-profile p1
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
authentication-profile p1
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif103
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 103
#
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return

3.14.2.3 Configuring 802.1X and MAC Address Authentication for Access Users on Huawei Agile Controller-Campus
This section includes the following content:
● Overview
● Networking Requirements
● Configuration Logic
● Configuration Notes
● Data Plan
● Procedure
● Configuration Files

Overview
On a NAC network, 802.1X, MAC address, and Portal authentication can be configured together on the user access interfaces of a device to meet different authentication requirements, and a user is admitted through whichever of the enabled modes it passes.
When multiple authentication modes are enabled, they take effect in the order in which they are configured. By default, a device with several modes deployed can authenticate different users through different modes and assign each user the network rights that correspond to the mode used.

Networking Requirements
Enterprises have high requirements on network security. To prevent unauthorized access and protect information, an enterprise requires users to pass identity authentication and a security check before they access the enterprise network; only authorized users are admitted. Dumb terminals such as IP phones and printers, which cannot run an 802.1X client, must also be authenticated before they can access the enterprise network.
The enterprise network has the following characteristics:
● The access switches on the network do not support 802.1X authentication.
● The enterprise network is small and has no branch networks.
● The enterprise has no more than 1000 employees. At most 2000 users, including guests, access the network each day.
● Dumb terminals, such as IP phones and printers, are connected to the enterprise network.
To limit the cost of network reconstruction, configure 802.1X authentication on the aggregation switch and connect a single centralized authentication server to the aggregation switch in bypass mode. Because the access switches cannot terminate 802.1X themselves, they must transparently forward 802.1X (EAPOL) frames to the aggregation switch. Dumb terminals that cannot run an 802.1X client are authenticated by MAC address instead.

Figure 3-209 Wired access networking diagram

Configuration Logic

Figure 3-210 Configuration logic of Huawei switch

Table 3-106 Configuration logic of Huawei Agile Controller-Campus
Item | Description
Creating a department and an account | -
Adding switches | Set parameters for switches connected to the Agile Controller-Campus.
Adding an authentication rule | Configure the conditions for users to pass the authentication.
Adding an authorization result | Create network access right profiles so that users granted different profiles have different network access rights.
Adding an authorization rule | Select network access right profiles and users in an authorization rule so that specified network access rights are granted to specific users.

Configuration Notes
This configuration example applies to all switches running V200R009C00 or a later version. Huawei Agile Controller-Campus functions as the RADIUS server; versions V100R001, V100R002, and V100R003 are supported.
The RADIUS authentication and accounting shared keys configured on the switch must be the same as those configured for the switch on the Agile Controller-Campus. A reply whose Response Authenticator was computed with a different key fails the check on the switch and is silently discarded, so a mismatched key looks like a server that does not respond rather than an explicit rejection.
By default, the switch allows packets from the RADIUS server to pass before authentication, so no authentication-free rule for the server needs to be configured on the switch.
When you run the access-user arp-detect command to use the IP address and MAC address of the user gateway as the source IP address and source MAC address of user offline detection packets, ensure that the gateway MAC address does not change, especially during active/standby switchovers. If the gateway MAC address changes, the ARP entries for the gateway that terminals learn from these packets become incorrect, and the terminals cannot communicate with the device.
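As an added illustration of the shared-key requirement above (example code written for this page, not Huawei's or the Agile Controller-Campus's own implementation), the following Python builds a minimal RADIUS Access-Accept the way a server does and validates it the way the switch does. RFC 2865 defines the Response Authenticator as MD5 over the reply header, the Request Authenticator of the matching Access-Request, the reply attributes and the shared secret, so a reply produced with a different key fails the check and is discarded. The packet identifier, the Request Authenticator and the Filter-Id value are constructed sample data; the shared key is the one from the data plan.

```python
import hashlib
import hmac
import struct

# RADIUS codes and attribute numbers (RFC 2865). Everything below is constructed
# sample data for the example; none of it was captured from a live server.
ACCESS_ACCEPT = 2
FILTER_ID = 11                      # attribute that delivers an ACL number or description
SWITCH_KEY = b"YsHsjx_202206"       # shared key from the data plan, as configured on SwitchA
IDENTIFIER = 0x2A                   # identifier copied from the Access-Request (constructed)
REQUEST_AUTH = bytes(range(16))     # Request Authenticator of that request (constructed)


def attribute(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def build_reply(code: int, identifier: int, request_auth: bytes, attrs: bytes, key: bytes) -> bytes:
    """Server side: assemble a reply and fill in its Response Authenticator.

    Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret).
    """
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + key).digest()
    return header + response_auth + attrs


def verify_reply(packet: bytes, request_auth: bytes, key: bytes) -> bool:
    """NAS side: recompute the Response Authenticator with the locally configured key.

    Returns False for a truncated packet, a bad Length field, or a key mismatch,
    which is exactly when RFC 2865 requires the reply to be silently discarded.
    """
    if len(packet) < 20:
        return False
    header, received_auth, attrs = packet[:4], packet[4:20], packet[20:]
    length = struct.unpack("!H", header[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(header + request_auth + attrs + key).digest()
    return hmac.compare_digest(expected, received_auth)


def exchange(server_key: bytes, switch_key: bytes = SWITCH_KEY) -> bool:
    """Simulate one Access-Accept carrying Filter-Id "3002" and report whether the switch accepts it."""
    reply = build_reply(ACCESS_ACCEPT, IDENTIFIER, REQUEST_AUTH,
                        attribute(FILTER_ID, b"3002"), server_key)
    return verify_reply(reply, REQUEST_AUTH, switch_key)


if __name__ == "__main__":
    print("matching keys, reply accepted:", exchange(b"YsHsjx_202206"))
    print("server key differs, reply accepted:", exchange(b"YsHsjx_202207"))
```

The same computation protects the authorization attributes in the reply: flipping a single bit of the Filter-Id value after the server has built the packet also fails verification, so an on-path attacker without the key cannot substitute a more permissive ACL. The shared key is the only secret in this check, which is why it must be unique per switch and not reused as the Portal key or an account password.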

Data Plan

Table 3-107 Network data plan
Item | Data
Agile Controller-Campus | IP address: 192.168.100.100
Post-authentication domain server | IP address: 192.168.102.100
Aggregation switch (SwitchA) | VLAN of GE0/0/6, which connects to the server: VLAN 100; VLAN of the downstream interfaces GE0/0/1 and GE0/0/2: VLAN 200
Access switch (SwitchC) | User VLAN ID: 200
Access switch (SwitchD) | User VLAN ID: 200

Table 3-108 Aggregation switch service data plan
Item | Data
RADIUS scheme | Authentication server IP address: 192.168.100.100, port 1812; accounting server IP address: 192.168.100.100, port 1813; shared key for the RADIUS server: YsHsjx_202206; accounting interval: 15 minutes; authentication domain: isp
ACL number of the post-authentication domain | 3002

Table 3-109 Agile Controller-Campus service data plan
Item | Data
Department | R&D department
Access user | User name: A; wired access account: A-123; password: YsHsjx_202207
Device group | Wired device group: Switch
Switch IP address | SwitchA: 192.168.10.10
RADIUS authentication key | YsHsjx_202206
Charging Key | YsHsjx_202206

Procedure
Step 1 Configure the access switches.
1. Create VLANs and configure the VLANs allowed by interfaces so that packets
can be forwarded. This example uses SwitchC to describe the configuration.
The configuration on SwitchD is the same as that on SwitchC.
# Create VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 200

# Configure the interface connected to users as an access interface and add the interface to VLAN 200.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 200
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type access
[SwitchC-GigabitEthernet0/0/2] port default vlan 200
[SwitchC-GigabitEthernet0/0/2] quit

# Configure the interface connected to the upstream network as a trunk interface and configure the interface to allow VLAN 200.
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] port link-type trunk
[SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 200
[SwitchC-GigabitEthernet0/0/3] quit
2. Configure the device to transparently transmit 802.1X packets. This example
uses SwitchC to describe the configuration. The configuration on SwitchD is
the same as that on SwitchC.
NOTE
In this example, SwitchC and SwitchD are deployed between the authentication switch SwitchA and the users. 802.1X packet transparent transmission must be configured on SwitchC and SwitchD so that the EAPOL frames sent by users reach SwitchA, which performs the 802.1X authentication.
– Method 1:
[SwitchC] l2protocol-tunnel user-defined-protocol 802.1X protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/1] bpdu enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/2] bpdu enable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/3] bpdu enable
[SwitchC-GigabitEthernet0/0/3] quit
– Method 2: This method is recommended when a large number of users exist or high network performance is required. Only the S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-EI, S6720-HI, S6720S-EI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S support this method.
The default BPDU MAC address entry 0180-c200-0000 with mask ffff-ffff-fff0 sends every frame destined for 0180-c200-0000 through 0180-c200-000F to the CPU, and that range includes the EAPOL destination address 0180-c200-0003. The following commands delete that entry and re-add the range in four pieces (0000 to 0001, 0002, 0004 to 0007, and 0008 to 000F) that together cover every address in it except 0180-c200-0003, so EAPOL frames are forwarded in hardware like ordinary traffic instead of being consumed by SwitchC.
[SwitchC] undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
[SwitchC] bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
[SwitchC] bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
[SwitchC] bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
[SwitchC] bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
The following step is mandatory only when you switch from method 1 to method 2.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] undo l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] undo l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] undo l2protocol-tunnel user-defined-protocol 802.1X enable
[SwitchC-GigabitEthernet0/0/3] quit
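To check what the method 2 entries actually do before relying on them, the following Python (an added example for this page, not code from Huawei's software) applies the usual masked comparison a BPDU MAC address entry implies (destination AND mask equals entry AND mask; this matching rule is an assumption about the command, the trap-to-CPU interpretation is the one stated above) and compares the default entry with the four replacement entries. It confirms that the replacement set still traps every address in 0180-c200-0000 to 0180-c200-000F except the EAPOL destination 0180-c200-0003, and traps nothing outside that range.

```python
# Added check for the bpdu mac-address entries used in method 2. The entries are the
# ones from the commands above; addresses use Huawei's xxxx-xxxx-xxxx notation.

DEFAULT_ENTRY = ("0180-c200-0000", "ffff-ffff-fff0")
METHOD2_ENTRIES = [
    ("0180-c200-0000", "ffff-ffff-fffe"),  # 0180-c200-0000 and 0001
    ("0180-c200-0002", "ffff-ffff-ffff"),  # 0180-c200-0002 only
    ("0180-c200-0004", "ffff-ffff-fffc"),  # 0180-c200-0004 to 0007
    ("0180-c200-0008", "ffff-ffff-fff8"),  # 0180-c200-0008 to 000f
]
EAPOL_MAC = "0180-c200-0003"                # destination MAC of 802.1X (EAPOL) frames


def mac_to_int(mac: str) -> int:
    """Parse Huawei (xxxx-xxxx-xxxx) or colon-separated MAC notation into an integer."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def int_to_mac(value: int) -> str:
    """Render an integer as a Huawei-style MAC string."""
    hexdigits = f"{value:012x}"
    return "-".join(hexdigits[i:i + 4] for i in range(0, 12, 4))


def entry_matches(entry, mac: int) -> bool:
    """A frame matches an entry when its destination agrees with the entry on every masked bit."""
    address, mask = (mac_to_int(x) for x in entry)
    return mac & mask == address & mask


def trapped_to_cpu(entries, mac: str) -> bool:
    """Would a frame to this destination be handed to the CPU under the given entries?"""
    return any(entry_matches(e, mac_to_int(mac)) for e in entries)


def trapped_set(entries, first: str = "0180-c200-0000", count: int = 16) -> set:
    """All destinations in a contiguous range that the entries trap, as Huawei-style strings."""
    start = mac_to_int(first)
    return {int_to_mac(m) for m in range(start, start + count)
            if any(entry_matches(e, m) for e in entries)}


def released_by_method2() -> set:
    """Addresses the default entry traps but the method 2 entries leave to hardware forwarding."""
    return trapped_set([DEFAULT_ENTRY]) - trapped_set(METHOD2_ENTRIES)


if __name__ == "__main__":
    print("forwarded after method 2:", sorted(released_by_method2()))
    print("EAPOL trapped by default entry:", trapped_to_cpu([DEFAULT_ENTRY], EAPOL_MAC))
    print("EAPOL trapped after method 2:", trapped_to_cpu(METHOD2_ENTRIES, EAPOL_MAC))
```

Running the same check against a planned set of entries is a cheap way to catch a typo in a mask before it is applied: a mask of ffff-ffff-fffc on the 0008 entry, for example, would leave 000c to 000f untrapped as well, and the difference set would show more than the single EAPOL address.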

Step 2 Configure the aggregation switch.
1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200
[SwitchA] interface gigabitethernet 0/0/1 //Configure the interface connected to SwitchC.
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Configure the interface connected to SwitchD.
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/6 //Configure the interface connected to the server.
[SwitchA-GigabitEthernet0/0/6] port link-type trunk
[SwitchA-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/6] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 192.168.10.10 24 //Configure the management IP address for SwitchA. This IP address is used when SwitchA is added to the Agile Controller-Campus.
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 192.168.200.1 24 //Configure the gateway address for terminal users.
[SwitchA-Vlanif200] quit
[SwitchA] ip route-static 192.168.100.0 255.255.255.0 192.168.100.100 //Configure a route to the network segment where the pre-authentication domain (the Agile Controller-Campus) resides.
[SwitchA] ip route-static 192.168.102.0 255.255.255.0 192.168.102.100 //Configure a route to the network segment where the post-authentication domain resides.
The next hop of each static route must be the address of a router on a segment directly connected to SwitchA; the values shown here and in the configuration file at the end of this example differ, so substitute the next-hop addresses that apply to your topology.

2. Configure the network access rights granted to users after successful authentication. ACL 3002 permits traffic to the post-authentication domain server only and denies everything else; the Agile Controller-Campus delivers this ACL number to the switch in the authorization result.
[SwitchA] acl 3002
[SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.102.100 0 //Permit access to the post-authentication domain server.
[SwitchA-acl-adv-3002] rule 2 deny ip destination any //Deny all other traffic.
[SwitchA-acl-adv-3002] quit

3. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.
# Create and configure the RADIUS server template rd1.
[SwitchA] radius-server template rd1
[SwitchA-radius-rd1] radius-server authentication 192.168.100.100 1812
[SwitchA-radius-rd1] radius-server accounting 192.168.100.100 1813
[SwitchA-radius-rd1] radius-server shared-key cipher YsHsjx_202206
[SwitchA-radius-rd1] quit

# Create an AAA authentication scheme abc and set the authentication mode
to RADIUS.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme abc
[SwitchA-aaa-authen-abc] authentication-mode radius
[SwitchA-aaa-authen-abc] quit

# Configure an accounting scheme acco1. Set the accounting mode to RADIUS so that the RADIUS server can maintain account status, such as login, log-off, and forced log-off.
[SwitchA-aaa] accounting-scheme acco1
[SwitchA-aaa-accounting-acco1] accounting-mode radius
[SwitchA-aaa-accounting-acco1] accounting realtime 15 //Set the real-time accounting interval to
15 minutes.
[SwitchA-aaa-accounting-acco1] quit

# Create an authentication domain isp, and bind the AAA authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.
[SwitchA-aaa] domain isp
[SwitchA-aaa-domain-isp] authentication-scheme abc
[SwitchA-aaa-domain-isp] accounting-scheme acco1
[SwitchA-aaa-domain-isp] radius-server rd1
[SwitchA-aaa-domain-isp] quit
[SwitchA-aaa] quit

# Configure isp as the global default domain. During access authentication, a user name in the format user@isp is authenticated in the domain isp. A user name that carries no domain name, or a domain name that does not exist on the switch, is authenticated in the default domain.
[SwitchA] domain isp

4. Enable 802.1X and MAC address authentication.
# Set the NAC mode to unified.
[SwitchA] authentication unified-mode
NOTE
By default, the unified mode is enabled. After the NAC mode is changed, the device automatically restarts.

# Configure an 802.1X access profile.
NOTE
By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication request packets.
[SwitchA] dot1x-access-profile name d1
[SwitchA-dot1x-access-profile-d1] dot1x authentication-method eap //Relay EAP packets to the RADIUS server unchanged (EAP relay), so that the server rather than the switch runs the EAP method with the client.
[SwitchA-dot1x-access-profile-d1] dot1x timer client-timeout 30 //Wait at most 30 seconds for a response from the client.
[SwitchA-dot1x-access-profile-d1] quit

# Configure a MAC access profile.
[SwitchA] mac-access-profile name m1
[SwitchA-mac-access-profile-m1] mac-authen username fixed A-123 password cipher YsHsjx_202207 //Use a fixed user name for MAC address authentication. The user name A-123 and the password must match the account created on the Agile Controller-Campus (Table 3-109); every dumb terminal that passes is authorized as that account, so grant it no more rights than such terminals need.
[SwitchA-mac-access-profile-m1] quit

# Configure an authentication profile.
[SwitchA] authentication-profile name p1
[SwitchA-authen-profile-p1] mac-access-profile m1 //Bind the MAC access profile m1.
[SwitchA-authen-profile-p1] dot1x-access-profile d1 //Bind the 802.1X access profile d1.
[SwitchA-authen-profile-p1] quit

# Enable 802.1X authentication and MAC address authentication on GE0/0/1 and GE0/0/2.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] authentication-profile p1 //Bind the authentication profile p1 and enable 802.1X + MAC address combined authentication.
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] authentication-profile p1 //Bind the authentication profile p1 and enable 802.1X + MAC address combined authentication.
[SwitchA-GigabitEthernet0/0/2] quit

# (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. Use the user gateway IP address and its MAC address as the source addresses of offline detection packets.
[SwitchA] access-user arp-detect vlan 200 ip-address 192.168.200.1 mac-address 00e0-fc12-3456

Step 3 Configure the Agile Controller-Campus.
1. Log in to the Agile Controller-Campus.
a. Open Internet Explorer, enter the Agile Controller-Campus address in the address box, and press Enter. The following table provides two types of Agile Controller-Campus addresses.
Address Format | Description
https://Agile Controller-Campus-IP:8443 | Agile Controller-Campus-IP indicates the IP address of the Agile Controller-Campus.
Agile Controller-Campus IP address | If port 80 is enabled during installation, you can access the Agile Controller-Campus by entering its IP address without the port number. The address is redirected automatically to https://Agile Controller-Campus-IP:8443.

b. Enter the administrator account and password.
2. Create a department and an account.
a. Choose Resource > User > User Management.
b. Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.
c. Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.

d. In the Operation column on the right of user A, click the icon that opens the Account Management page. Click Add, and create a common account A-123 with the password YsHsjx_202207.

e. On the User tab page, select user A and click Transfer to add user A to the R&D department.

3. Add switches to the Agile Controller-Campus so that the switches can communicate with it.
a. Choose Resource > Device > Device Management.
b. Click Permission Control Device Group in the navigation tree, and click Add SubGroup to create a device group Switch.
c. Click the device group in the navigation tree and select ALL Device. Click Add to add network access devices.
d. Set connection parameters on the Add Device page.

Parameter | Value | Description
Name | SwitchA | -
IP Address | 192.168.10.10 | The switch interface with this address must be able to communicate with the Agile Controller-Campus.
Device Series | Huawei Quidway series switch | -
Authentication Key | YsHsjx_202206 | Must be the same as the shared key configured on the switch for the RADIUS authentication server.
Charging Key | YsHsjx_202206 | Must be the same as the shared key configured on the switch for the RADIUS accounting server.
Real-time charging interval (minute) | 15 | Must be the same as the real-time accounting interval configured on the switch.

e. Click Permission Control Device Group in the navigation tree, select SwitchA, and click Move to move SwitchA to the Switch group. Only SwitchA performs authentication and exchanges RADIUS packets with the Agile Controller-Campus; SwitchC and SwitchD only forward 802.1X packets transparently and do not need to be added.
4. Add an authentication rule.
a. Choose Policy > Permission Control > Authentication and Authorization > Authentication Rule and click Add to create an authentication rule.
b. Configure basic information for the authentication rule.
Parameter | Value | Description
Name | Access authentication rule | -
Service Type | Access service | -
Authentication Condition | Device group Switch | Customize authentication rules based on the requirements of your network.
Please select the allowed authentication protocol | PAP, CHAP, EAP-MD5, EAP-PEAP-MSCHAPv2, EAP-TLS, EAP-PEAP-GTC, EAP-TTLS-PAP | -
The allowed protocol list must include every method actually used on the switch: an EAP method for the 802.1X clients (EAP-TLS or EAP-PEAP-MSCHAPv2 are preferable to EAP-MD5, which does not authenticate the server and leaves a captured challenge/response open to offline password guessing), and the password-based method (PAP or CHAP) the switch uses to submit the fixed user name and password of the MAC access profile for dumb terminals. Leaving a protocol enabled that no client needs only widens what an attacker on the access VLAN can try.

5. Add an authorization result.
a. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result and click Add to create an authorization result.
b. Configure basic information for the authorization result.
Parameter | Value | Description
Name | Post-authentication domain | -
Service Type | Access service | -
ACL Number/AAA User Group | 3002 | The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.

6. Add an authorization rule.
After a user passes authentication, the authorization phase starts. The Agile Controller-Campus grants the user access rights based on the authorization rule.
a. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule and click Add to create an authorization rule.
b. Configure basic information for the authorization rule.
Parameter | Value | Description
Name | Authorization rule for R&D employees | -
Service Type | Access service | -
Access Device Group | Switch | -
Authorization Result | Post-authentication domain | -

Step 4 Verify the configuration.
● Before passing authentication, an employee can access only the Agile Controller-Campus server.
● After passing authentication, the employee can access resources in the post-authentication domain.
● After the employee passes authentication, run the display access-user command on the switch. The command output shows information about the online employee.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
authentication-profile name p1
dot1x-access-profile d1
mac-access-profile m1
#
domain isp
#
access-user arp-detect vlan 200 ip-address 192.168.200.1 mac-address 00e0-fc12-3456
#
radius-server template rd1
radius-server shared-key cipher %#%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%#%#
radius-server authentication 192.168.100.100 1812 weight 80
radius-server accounting 192.168.100.100 1813 weight 80
#
dot1x-access-profile name d1
#
mac-access-profile name m1
mac-authen username fixed A-123 password cipher %#%#'Fxw8E,G-81(A3U<^HH9Sj
\:&hTdd>R>HILQYLtW%#%#
#
acl number 3002
rule 1 permit ip destination 192.168.102.100 0
rule 2 deny ip
#
aaa
authentication-scheme abc
authentication-mode radius
accounting-scheme acco1
accounting-mode radius
accounting realtime 15
domain isp
authentication-scheme abc
accounting-scheme acco1
radius-server rd1
#
interface Vlanif100
ip address 192.168.10.10 255.255.255.0
#
interface Vlanif200
ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200
authentication-profile p1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
authentication-profile p1
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 192.168.100.0 255.255.255.0 192.168.10.10
ip route-static 192.168.102.0 255.255.255.0 192.168.10.10
#
return

● SwitchC configuration file

#
sysname SwitchC
#
vlan batch 200
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
return

3.14.2.4 Delivering VLANs or ACLs to Successfully Authenticated Users on Huawei Agile Controller-Campus
This section includes the following content:
● Overview
● Networking Requirements
● Configuration Logic
● Configuration Notes
● Data Plan
● Procedure
● Configuration File

Overview
After an 802.1X user is successfully authenticated on a RADIUS server, the server
sends authorization information to the access device of the user. When the Agile
Controller-Campus functions as the RADIUS server, it can deliver multiple
authorization parameters.
● ACL-based authorization is classified into:
– ACL description-based authorization: If ACL description-based
authorization is configured on the server, authorization information
includes the ACL description. The device matches ACL rules based on the
ACL description authorized by the server to control user rights. The ACL
number, corresponding description, and ACL rule must be configured on
the device.
The standard RADIUS attribute (011) Filter-Id is used.
– Dynamic ACL-based authorization: The server authorizes rules in an ACL
to the device. Users can access network resources controlled using this
ACL. The ACL and ACL rules must be configured on the server. The ACL
does not need to be configured on the device.
The Huawei proprietary RADIUS attribute (26-82) HW-Data-Filter is used.
● Dynamic VLAN: If dynamic VLAN delivery is configured on the server,
authorization information includes the delivered VLAN attribute. After the
device receives the delivered VLAN attribute, it changes the VLAN of the user
to the delivered VLAN.
The delivered VLAN does not change or affect the interface configuration. The
delivered VLAN, however, takes precedence over the VLAN configured on the
interface. That is, the delivered VLAN takes effect after the authentication
succeeds, and the configured VLAN takes effect after the user goes offline.
The following standard RADIUS attributes are used for dynamic VLAN
delivery:
– (064) Tunnel-Type (It must be set to VLAN or 13.)
– (065) Tunnel-Medium-Type (It must be set to 802 or 6.)
– (081) Tunnel-Private-Group-ID (For devices running versions earlier than
V200R012C00, it can be the VLAN ID or VLAN description. For devices
running V200R012C00 and later versions, it can be the VLAN ID, VLAN
description, VLAN name, or VLAN pool.)
To ensure that the RADIUS server delivers VLAN information correctly, all the
three RADIUS attributes must be used. In addition, the Tunnel-Type and
Tunnel-Medium-Type attributes must be set to the specified values.
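What the three VLAN attributes and Filter-Id look like on the wire, as an added Python example (not Huawei or Agile Controller-Campus code): it encodes an Access-Accept attribute list carrying Tunnel-Type 13, Tunnel-Medium-Type 6 and Tunnel-Private-Group-ID, and checks a received list against the rules above (all three present, fixed values). Byte layouts follow RFC 2865 and RFC 2868; the VLAN value and ACL description strings are constructed.

```python
"""Encode and validate the RADIUS attributes a server includes in an
Access-Accept for dynamic VLAN delivery and ACL-description (Filter-Id)
authorization.  Added example, not Huawei code.  Layouts follow RFC 2865
(Filter-Id) and RFC 2868 (tagged tunnel attributes)."""
import struct

FILTER_ID = 11
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13      # Tunnel-Type value "VLAN"
TUNNEL_MEDIUM_802 = 6      # Tunnel-Medium-Type value "802"


def _attr(attr_type: int, value: bytes) -> bytes:
    """RADIUS attribute: Type(1) Length(1) Value; Length counts the header."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value length out of range")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _tagged_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: Tag(1) followed by a 3-byte big-endian value."""
    return _attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def build_vlan_authorization(vlan: str, tag: int = 0) -> bytes:
    """The three attributes the text says are mandatory for VLAN delivery.
    `vlan` may be a VLAN ID, description or name string, e.g. "20"."""
    return (
        _tagged_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag)
        + _tagged_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_802, tag)
        + _attr(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + vlan.encode())
    )


def build_filter_id(acl_description: str) -> bytes:
    """Filter-Id (11) carrying the ACL description configured on the switch."""
    return _attr(FILTER_ID, acl_description.encode())


def parse_attributes(blob: bytes) -> list:
    """Split a RADIUS attribute list into (type, value) pairs, rejecting
    truncated or malformed entries."""
    out, i = [], 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length")
        out.append((attr_type, blob[i + 2:i + length]))
        i += length
    return out


def _strip_tag(value: bytes) -> bytes:
    """RFC 2868: a leading byte of 0x00..0x1F is a tag; otherwise it is data."""
    return value[1:] if value and value[0] <= 0x1F else value


def check_vlan_delivery(blob: bytes) -> dict:
    """Apply the checks from the text: all three attributes present,
    Tunnel-Type == VLAN (13), Tunnel-Medium-Type == 802 (6)."""
    attrs = dict(parse_attributes(blob))
    result = {"complete": False, "type_ok": False, "medium_ok": False, "vlan": None}
    needed = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)
    if not all(a in attrs for a in needed):
        return result
    result["complete"] = True
    result["type_ok"] = int.from_bytes(attrs[TUNNEL_TYPE][1:], "big") == TUNNEL_TYPE_VLAN
    result["medium_ok"] = int.from_bytes(attrs[TUNNEL_MEDIUM_TYPE][1:], "big") == TUNNEL_MEDIUM_802
    result["vlan"] = _strip_tag(attrs[TUNNEL_PRIVATE_GROUP_ID]).decode()
    return result
```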
NOTE

The following uses ACL number and dynamic VLAN delivery as an example. The configuration
differences between ACL number delivery and dynamic ACL delivery are described in notes.

Networking Requirements
As shown in Figure 3-211, a large number of employees' terminals in a company
connect to the intranet through GE0/0/1 on SwitchA. To ensure network security,
the administrator needs to control network access rights of terminals. The
requirements are as follows:
● Before passing authentication, terminals can access the public server (with IP
address 192.168.40.1), and download the 802.1X client or update the antivirus
database.
● After passing authentication, terminals can access the service server (with IP
address 192.168.50.1) and devices in the laboratory (with VLAN ID 20 and IP
address segment 192.168.20.10-192.168.20.100).


Figure 3-211 Wired access networking diagram

Configuration Logic

Figure 3-212 Configuration logic of Huawei switch


Table 3-110 Configuration logic of Huawei Agile Controller-Campus

Item | Description
Creating a department and an account | -
Adding switches | Set parameters for switches connected to the Agile Controller-Campus.
(Optional) Adding an authentication rule | Configure the conditions for users to pass the authentication. If no authentication rule is created, the default authentication rule (which allows all users to pass the authentication) of the Agile Controller-Campus is used.
Adding an authorization result | Create network access right profiles so that users granted different profiles have different network access rights.
Adding an authorization rule | Select network access right profiles and users in an authorization rule so that specified network access rights are granted to specific users.

Configuration Notes
This configuration example applies to all switches running V200R009C00 or a later
version. Huawei Agile Controller-Campus V100R001 functions as the RADIUS
server. The Agile Controller-Campus must run V100R001, V100R002, or V100R003.
When the device supports UCL groups, using UCL groups to configure
authorization rules is recommended. For details, see section "AAA Configuration"
> "Configuring Authorization Rules" in the Configuration Guide - User Access and
Authentication.
When you run the access-user arp-detect command to configure the IP address
and MAC address of the user gateway as the source IP address and source MAC
address of user offline detection packets, ensure that the MAC address of the
gateway remains unchanged, especially in active/standby switchover scenarios. If
the gateway MAC address is changed, ARP entries of terminals will be incorrect on
the device, and the terminals cannot communicate with the device.


Data Plan

Table 3-111 Service data plan for the access switch

Item | Data
RADIUS scheme |
  ● Authentication server IP address: 192.168.30.1
  ● Authentication server port number: 1812
  ● Accounting server IP address: 192.168.30.1
  ● Accounting server port number: 1813
  ● Shared key for the RADIUS server: YsHsjx_202206
  ● Accounting interval: 15 minutes
  ● Authentication domain: huawei
Resources accessible to users before authentication | Access rights to the public server are configured using an authentication-free rule. The name of the authentication-free rule profile is default_free_rule.
Resources accessible to users after authentication | Access rights to the laboratory are granted using a dynamic VLAN. The VLAN ID is 20. Access rights to the service server are granted using an ACL number. The ACL number is 3002.

Table 3-112 Service data plan for the Agile Controller-Campus

Item | Data
Department | R&D department
Access user | User name: A; wired access account: A-123; password: YsHsjx_202207
Switch IP address | SwitchA: 10.10.10.1
RADIUS authentication key | YsHsjx_202206
RADIUS accounting key | YsHsjx_202206

Procedure
Step 1 Configure access switch SwitchA.
1. Create VLANs and configure the allowed VLANs on interfaces to ensure
network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20

[SwitchA] interface gigabitethernet 0/0/1 //Configure the interface connecting to employees' terminals.
[SwitchA-GigabitEthernet0/0/1] port link-type hybrid
[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Configure the interface connecting to the laboratory.
[SwitchA-GigabitEthernet0/0/2] port link-type hybrid
[SwitchA-GigabitEthernet0/0/2] port hybrid untagged vlan 20
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3 //Configure the interface connecting to SwitchB.
[SwitchA-GigabitEthernet0/0/3] port link-type trunk
[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface loopback 1
[SwitchA-LoopBack1] ip address 10.10.10.1 24 //Configure an IP address for communication with the Agile Controller-Campus.
[SwitchA-LoopBack1] quit
[SwitchA] interface vlanif 10
[SwitchA-Vlanif10] ip address 192.168.1.10 24
[SwitchA-Vlanif10] quit

2. Configure network access rights for users after successful authentication.
NOTE
In dynamic ACL mode, this step does not need to be configured on the device.
[SwitchA] acl 3002
[SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.30.1 0
[SwitchA-acl-adv-3002] rule 2 permit ip destination 192.168.50.1 0
[SwitchA-acl-adv-3002] rule 3 deny ip destination any
[SwitchA-acl-adv-3002] quit

3. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.
# Create and configure the RADIUS server template rd1.
[SwitchA] radius-server template rd1
[SwitchA-radius-rd1] radius-server authentication 192.168.30.1 1812
[SwitchA-radius-rd1] radius-server accounting 192.168.30.1 1813
[SwitchA-radius-rd1] radius-server shared-key cipher YsHsjx_202206
[SwitchA-radius-rd1] quit

# Create the AAA authentication scheme abc and set the authentication
mode to RADIUS.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme abc
[SwitchA-aaa-authen-abc] authentication-mode radius
[SwitchA-aaa-authen-abc] quit

# Configure the accounting scheme acco1 and set the accounting mode to
RADIUS.
[SwitchA-aaa] accounting-scheme acco1
[SwitchA-aaa-accounting-acco1] accounting-mode radius
[SwitchA-aaa-accounting-acco1] accounting realtime 15
[SwitchA-aaa-accounting-acco1] quit

# Create the authentication domain huawei, and bind the AAA authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.
[SwitchA-aaa] domain huawei
[SwitchA-aaa-domain-huawei] authentication-scheme abc
[SwitchA-aaa-domain-huawei] accounting-scheme acco1
[SwitchA-aaa-domain-huawei] radius-server rd1
[SwitchA-aaa-domain-huawei] quit
[SwitchA-aaa] quit

4. Enable 802.1X authentication.

# Set the NAC mode to unified.
[SwitchA] authentication unified-mode

NOTE

By default, the unified mode is enabled. Before changing the NAC mode, you must save
the configuration. After the mode is changed and the device is restarted, functions of the
newly configured mode take effect.

# Configure the 802.1X access profile d1.
[SwitchA] dot1x-access-profile name d1
[SwitchA-dot1x-access-profile-d1] dot1x timer client-timeout 30
[SwitchA-dot1x-access-profile-d1] quit

# Configure an authentication-free rule profile.
[SwitchA] free-rule-template name default_free_rule
[SwitchA-free-rule-default_free_rule] free-rule 10 destination ip 192.168.40.0 mask 24
[SwitchA-free-rule-default_free_rule] quit

# Configure the authentication profile p1, bind the 802.1X access profile d1
and authentication-free rule profile default_free_rule to the authentication
profile, specify the domain huawei as the forcible authentication domain in
the authentication profile, and set the user access mode to multi-authen.
[SwitchA] authentication-profile name p1
[SwitchA-authen-profile-p1] dot1x-access-profile d1
[SwitchA-authen-profile-p1] free-rule-template default_free_rule
[SwitchA-authen-profile-p1] access-domain huawei force
[SwitchA-authen-profile-p1] authentication mode multi-authen
[SwitchA-authen-profile-p1] quit

# Bind the authentication profile p1 to GE0/0/1 and enable 802.1X authentication on the interface.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] authentication-profile p1
[SwitchA-GigabitEthernet0/0/1] quit

# (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets.
[SwitchA] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456

Step 2 Configure the Agile Controller-Campus.
1. Log in to the Agile Controller-Campus.
a. Open the Internet Explorer, enter the Agile Controller-Campus access
address in the address bar, and press Enter.
The following table describes addresses for accessing the Agile Controller-
Campus.

Access Mode | Description
https://Agile Controller-Campus-IP:8443 | Agile Controller-Campus-IP specifies the IP address of the Agile Controller-Campus.
IP address of the Agile Controller-Campus | If port 80 is enabled during installation, you can access the Agile Controller-Campus by entering its IP address without the port number. The Agile Controller-Campus URL will automatically change to https://Agile Controller-Campus-IP:8443.

b. Enter the administrator user name and password.


2. Create a department and an account.
a. Choose Resource > User > User Management.
b. Click the Department tab in the operation area on the right, and then
click Add under the Department tab to add a department R&D.

c. Click the User tab in the operation area on the right, and then click Add
under the User tab to add a user A.

d. Click next to user A in Operation to access Account Management.
Click Add. Create a common account A-123 and set the password to
YsHsjx_202207.


e. In the User tab, select user A. Click Transfer to add user A to the
department R&D.


3. Add switches to the Agile Controller-Campus so that the switches can communicate with the Agile Controller-Campus.
Choose Resource > Device > Device Management. Click Add in the
operation area on the right. Set connection parameters on the Add Device
page.


4. Add an authorization result.
NOTE
Perform this step for ACL number and VLAN delivery.
a. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and click Add to create an authorization result.
b. Configure basic information for the authorization result.
b. Configure basic information for the authorization result.

Parameter | Value | Description
Name | Authorization info for authenticated users | -
Service type | Access service | -
VLAN | 20 | The VLAN must be the same as the VLAN configured for R&D employees on the switch.
ACL number/AAA user group | 3002 | The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.

5. Add an authorization result.
NOTE
Perform this step for dynamic ACL and VLAN delivery.
a. Add a dynamic ACL.
i. Choose Policy > Permission Control > Policy Element > Dynamic
ACL.
ii. Click Add.
iii. Configure basic information for the dynamic ACL and click Add in
Rule List.


iv. Configure attributes contained in the dynamic ACL.

b. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result, and click Add to create an authorization result.
c. Configure basic information for the authorization result.

Parameter | Value | Description
Name | Authorization information for users who pass authentication | -
Service type | Access service | -
VLAN | 20 | The VLAN ID must be the same as the VLAN ID configured for R&D employees on the switch.
Dynamic ACL | 3002 | -


6. Add an authorization rule.
After a user passes authentication, the authorization phase starts. The Agile
Controller-Campus grants the user access rights based on the authorization
rule.
a. Choose Policy > Permission Control > Authentication and
Authorization > Authorization Rule and click Add to create an
authorization rule.
b. Configure basic information for the authorization rule.
Parameter | Value | Description
Name | Authorization rule for authenticated users | -
Service type | Access service | -
Department | R&D department | -
Authorization result | Authorization info for authenticated users | -

Step 3 Verify the configuration.
● An employee can only access the Agile Controller-Campus server and public
server before passing authentication.
● An employee can access the Agile Controller-Campus server, public server,
service server, and laboratory after passing authentication.
● After the employee passes authentication, run the display access-user
command on the switch. The command output shows information about the
online employee.

----End

Configuration File
#
sysname SwitchA
#
vlan batch 10 20
#
authentication-profile name p1
dot1x-access-profile d1
free-rule-template default_free_rule

access-domain huawei force
#
access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
#
radius-server template rd1
radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
radius-server authentication 192.168.30.1 1812 weight 80
radius-server accounting 192.168.30.1 1813 weight 80
#
acl number 3002
rule 1 permit ip destination 192.168.30.1 0
rule 2 permit ip destination 192.168.50.1 0
rule 3 deny ip
#
free-rule-template name default_free_rule
free-rule 10 destination ip 192.168.40.0 mask 255.255.255.0
#
aaa
authentication-scheme abc
authentication-mode radius
accounting-scheme acco1
accounting-mode radius
accounting realtime 15
domain huawei
authentication-scheme abc
accounting-scheme acco1
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type hybrid
port hybrid pvid vlan 10
port hybrid untagged vlan 10
authentication-profile p1
#
interface GigabitEthernet0/0/2
port link-type hybrid
port hybrid untagged vlan 20
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
#
interface LoopBack1
ip address 10.10.10.1 255.255.255.0
#
dot1x-access-profile name d1
#
return

3.14.2.5 Identifying Types of Terminals Accessing the Network on Huawei Agile Controller-Campus
This section includes the following content:
● Context
● Networking Requirements
● Configuration Logic
● Configuration Notes
● Data Plan
● Procedure


● Configuration Files

Context
As an increasing number of smart terminals are used, Bring Your Own Device
(BYOD), a new working style for enterprises, has become a trend. When an
enterprise uses the BYOD solution, the administrator must determine the users
and terminals that can connect to the enterprise network, where users can
connect to the enterprise network, and access rights of different terminals. All
these require terminal type identification.

Two terminal type identification methods are available:

● Local identification
A switch identifies terminal types by analyzing MAC addresses, DHCP option
information, and user agent (UA) information of terminals and then controls
terminal access and grants access rights to terminals accordingly. The switch
can also send identified terminal type information to a server, which then
controls terminal access and grants access rights to terminals accordingly.
● Remote identification
A switch obtains MAC addresses, DHCP option information, and UA
information of terminals and sends the information to a server, which then
controls terminal access and grants access rights to terminals accordingly.

Networking Requirements
In Figure 3-213, to meet service requirements, an enterprise needs to deploy an
identity authentication system to implement access control on users who attempt
to access the enterprise network. Only authorized users can access the enterprise
network.

The enterprise has the following requirements:


● The authentication operations should be simple. The authentication system
only performs access authorization and does not require any client software
on user terminals.
● To facilitate future network reconstruction and save investment, the
authentication control point must be deployed on a core switch.
● A unified identity authentication mechanism is used to authenticate all
terminals accessing the campus network and deny accesses from
unauthorized terminals. This mechanism identifies the terminals, records
information about devices accessing the network, and automatically groups
the devices by the device type to facilitate tracing of accidental information
disclosure.
● R&D employees can only access public servers (such as the public web and
DNS servers) of the company before authentication, and can access both the
intranet (code base and issue tracking system) and Internet after passing
authentication.
● Marketing employees can only access public servers (such as the public web
and DNS servers) of the company before authentication, and can only access
the Internet after passing authentication.


Figure 3-213 Configuring terminal type identification through a server

Configuration Logic
1. Perform Portal authentication configuration. For details, see 3.14.2.1
Configuring Portal Authentication for Access Users on Huawei Agile
Controller-Campus (Authentication Point on Core Switch).
2. Configure the terminal type awareness function so that the switch can
identify terminal types based on the packets sent by terminals.
3. Enable the UA function so that the switch can obtain UA information from
the packets sent by terminals.

Configuration Notes
The authentication control point in this example must be deployed on the S5720-
HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-HI, S5732-H, S6730-
H, S6730S-H, S6730-S, or S6730S-S fixed switch or X series card of modular switch
running V200R009C00 or a later version.

Huawei Agile Controller-Campus V100R001 functions as the Portal server and
RADIUS server in this example. The Agile Controller-Campus must run V100R001,
V100R002, or V100R003.

The RADIUS authentication and accounting shared keys and Portal shared key on
the switch must be the same as those on the Agile Controller-Campus server.

By default, the switch allows the packets from RADIUS and Portal servers to pass.
You do not need to configure authentication-free rules for the two servers on the
switch.


Data Plan
This example provides only the configuration of terminal type identification. For
details about VLAN planning, network data planning, and service data planning,
see 3.14.2.1 Configuring Portal Authentication for Access Users on Huawei
Agile Controller-Campus (Authentication Point on Core Switch).

In this example, the administrator user name and password are admin and
Admin_123, and the user name and password of Portal users are Jason and
Admin_1234.

Procedure
Step 1 Configure the core switch.

# Configure the core switch to send DHCP option and UA information to the Agile
Controller-Campus, which then uses the information as original information to
identify terminals.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] dhcp enable
[SwitchD] dhcp snooping enable
[SwitchD] device-sensor dhcp option 12 55 60
[SwitchD] http parse user-agent enable

NOTE

For wireless users, you can configure attributes for APs when the switch works as an AC. In
versions earlier than V200R011C10, the configurations are not delivered to APs in real time;
they are delivered to APs only after you run the commit command in the WLAN view. In
V200R011C10 and later versions, the commit command is removed, and the switch delivers the
configurations to APs every 5 seconds.
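What the data collected by device-sensor dhcp option 12 55 60 and http parse user-agent enable looks like once parsed, as an added Python example (not Huawei or Agile Controller-Campus code): a DHCP option parser that extracts options 12, 55 and 60 from a message, and a header extractor for User-Agent. The DHCP Discover bytes and the HTTP request are constructed sample input.

```python
"""Parse the DHCP options the switch collects (12 host name, 55 parameter
request list, 60 vendor class identifier) and the HTTP User-Agent header,
which the text says the controller uses as raw input for terminal type
identification.  Added example, not Huawei code; inputs are constructed."""

DHCP_MAGIC = b"\x63\x82\x53\x63"
FIXED_HEADER_LEN = 236          # op .. file fields before the options (RFC 2131)
OPT_HOSTNAME, OPT_PARAM_LIST, OPT_VENDOR_CLASS = 12, 55, 60


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} for a DHCP message's options area.
    Handles pad (0) and end (255) and rejects truncated TLVs."""
    magic = payload[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4]
    if len(payload) < FIXED_HEADER_LEN + 4 or magic != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, FIXED_HEADER_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == 0:                       # pad
            i += 1
            continue
        if code == 255:                     # end
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def device_sensor_record(payload: bytes) -> dict:
    """Keep only the three options the switch is configured to collect."""
    opts = parse_dhcp_options(payload)
    return {
        "hostname": opts.get(OPT_HOSTNAME, b"").decode(errors="replace") or None,
        "param_list": list(opts.get(OPT_PARAM_LIST, b"")),
        "vendor_class": opts.get(OPT_VENDOR_CLASS, b"").decode(errors="replace") or None,
    }


def user_agent_from_request(request: bytes):
    """Pull the User-Agent header out of the head of an HTTP/1.x request."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:       # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"user-agent":
            return value.strip().decode(errors="replace")
    return None


def build_discover(hostname: str, param_list: bytes, vendor_class: str) -> bytes:
    """Constructed DHCP Discover (sample input, not a capture)."""
    header = bytes([1, 1, 6, 0]) + b"\x00" * (FIXED_HEADER_LEN - 4)
    opts = (bytes([53, 1, 1])                               # message type: Discover
            + bytes([OPT_HOSTNAME, len(hostname)]) + hostname.encode()
            + bytes([OPT_PARAM_LIST, len(param_list)]) + param_list
            + bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class.encode()
            + b"\x00\xff")                                  # pad, end
    return header + DHCP_MAGIC + opts


# Constructed sample inputs
SAMPLE_DISCOVER = build_discover("lab-laptop-01", bytes([1, 3, 6, 15, 31, 33]), "MSFT 5.0")
SAMPLE_REQUEST = (b"GET /portal HTTP/1.1\r\nHost: 192.168.1.10\r\n"
                  b"User-Agent: Mozilla/5.0 (Windows NT 10.0) Example/1.0\r\n\r\n")
```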

Step 2 Configure the Agile Controller-Campus.
1. Log in to the Agile Controller-Campus client, AnyOffice Agent, and enter the
administrator user name and password to open the system homepage.
2. Enable the terminal type identification function.
a. Choose Resource > Terminal > Parameter Setting.
b. In Terminal Identification, select Enable. The system automatically
identifies terminals based on the probe messages. In Manual
Terminal Registration, select Enable. The system allows manual
registration of terminals. Retain default values for other parameters,
and then click OK.

Figure 3-214 Enabling the terminal type identification function

3. Identify terminals based on the DHCP option and UA information.
The following uses a terminal, a local account, and Portal authentication as an example (based on UA information).
a. Open a web browser to access a web server in the post-authentication domain.
b. Enter the user name and password requested from the administrator.

Figure 3-215 Entering the user name and password

Step 3 Check the configuration.
Check terminal type identification results.
1. Choose Resource > Terminal > Registered Device List.
2. Check whether the terminal is in the device list.
If the terminal is in the device list, its terminal type has been identified.

----End

Configuration Files
# Core switch configuration file
#
sysname SwitchD
#
device-sensor dhcp option 12 55 60
#
dhcp enable
#
dhcp snooping enable
#
http parse user-agent enable
#
return

3.14.3 Typical NAC Configuration (Unified Mode) (V200R009C00 and Later Versions)

3.14.3.1 Example for Configuring 802.1X Authentication to Control User Access

802.1X Authentication Overview
802.1X is a port-based network access control protocol, and 802.1X authentication
is one of the NAC authentication modes. 802.1X authentication ensures the security of
enterprise intranets.
802.1X authentication provides high security; however, it requires that 802.1X client
software be installed on user terminals, which makes network deployment
inflexible. The other two NAC authentication methods have their own advantages and
disadvantages: MAC address authentication does not require client software
installation, but MAC addresses must be registered on an authentication server.
Portal authentication also does not require client software installation and
provides flexible deployment, but it has low security.
As a result, 802.1X authentication is applied to scenarios with new networks,
centralized user distribution, and strict information security requirements.

Configuration Notes
This configuration example applies to all switches running all versions.
When you run the access-user arp-detect command to configure the IP address
and MAC address of the user gateway as the source IP address and source MAC
address of user offline detection packets, ensure that the MAC address of the
gateway remains unchanged, especially in active/standby switchover scenarios. If
the gateway MAC address is changed, ARP entries of terminals will be incorrect on
the device, and the terminals cannot communicate with the device.

Networking Requirements
As shown in Figure 3-216, terminals in a company's offices are connected to the
company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of
key information. Therefore, the administrator requires that the Switch should
control users' network access rights to ensure internal network security.
The 802.1X authentication is configured and the RADIUS server is used to
authenticate user identities, to meet the company's high security requirements.


Figure 3-216 Networking diagram for configuring 802.1X authentication

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure network interoperation.
2. Configure AAA on the Switch to implement identity authentication on access
users through the RADIUS server. The configuration includes configuring a
RADIUS server template, an AAA scheme, and an authentication domain, and
binding the RADIUS server template and AAA scheme to the authentication
domain.
3. Configure 802.1X authentication to control network access rights of the
employees in the offices. The configuration includes:
a. Configure an 802.1X access profile.
b. Configure an authentication profile.
c. Enable 802.1X authentication on an interface.
● Before performing operations in this example, ensure that user access
terminals and the server can communicate.
● This example only provides the configuration of the Switch. The
configurations of the LAN Switch and server are not provided here.
● In this example, the LAN switch exists between the access switch Switch and
users. To ensure that users can pass 802.1X authentication, you must
configure the EAP packet transparent transmission function on the LAN
switch.
– Method 1: The S5700-LI is used as an example of the LAN switch.
Perform the following operations:
i. Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-
mac 0180-c200-0003 group-mac 0100-0000-0002 command in the
system view of the LAN switch to configure the LAN switch to
transparently transmit EAP packets.
ii. Run the l2protocol-tunnel user-defined-protocol 802.1x enable
command on the interface connecting to users and the interface
connecting to the access switch to enable the Layer 2 protocol
tunneling function.
– Method 2: This method is recommended when a large number of users
exist or high network performance is required. Only the S5720-EI, S5720-
HI, S5730-HI, S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-EI, S6720-
HI, S6720S-EI, S5732-H, S6730-H, S6730S-H, S6730-S, and S6730S-S
support this method.
i. Run the following commands in the system view:
○ undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
○ bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
○ bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
○ bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
○ bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
ii. (This step is mandatory when you switch from method 1 to method
2.) Run the undo l2protocol-tunnel user-defined-protocol 802.1x
enable command in the interface view to delete the configuration of
transparent transmission of 802.1x protocol packets.
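What the five bpdu mac-address commands of method 2 change, shown by mask arithmetic in an added Python example (not Huawei code): an entry captures the addresses whose bits under the mask equal the base, and the code lists which addresses in the 0180-c200-0000 to 0180-c200-000f block the default entry and the method 2 entries capture. The EAPOL group address 0180-c200-0003 is the protocol-mac given in method 1.

```python
"""Address/mask arithmetic for the 'bpdu mac-address <mac> <mask>' entries
quoted in method 2.  Added example, not Huawei code: it only evaluates the
masks; it does not model the switch's forwarding path."""


def mac_to_int(mac: str) -> int:
    """'0180-c200-0003' (Huawei notation) or '01:80:c2:00:00:03' -> integer."""
    return int(mac.replace("-", "").replace(":", ""), 16)


def int_to_mac(value: int) -> str:
    """Integer -> Huawei 'xxxx-xxxx-xxxx' notation."""
    h = f"{value:012x}"
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def matches(mac: str, base: str, mask: str) -> bool:
    """An address is captured by an entry when (mac & mask) == (base & mask)."""
    m = mac_to_int(mask)
    return (mac_to_int(mac) & m) == (mac_to_int(base) & m)


def covered_addresses(entries, low="0180-c200-0000", high="0180-c200-000f") -> set:
    """Enumerate the addresses in [low, high] captured by any entry."""
    caught = set()
    for value in range(mac_to_int(low), mac_to_int(high) + 1):
        mac = int_to_mac(value)
        if any(matches(mac, base, mask) for base, mask in entries):
            caught.add(mac)
    return caught


def uncaptured(entries) -> list:
    """Addresses in the 0180-c200-0000/fff0 block that no entry captures,
    i.e. the ones the switch treats as ordinary frames after the change."""
    whole_block = covered_addresses([("0180-c200-0000", "ffff-ffff-fff0")])
    return sorted(whole_block - covered_addresses(entries))


# The entry removed by 'undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0'
DEFAULT_ENTRY = [("0180-c200-0000", "ffff-ffff-fff0")]

# The four entries added by method 2
METHOD2_ENTRIES = [
    ("0180-c200-0000", "ffff-ffff-fffe"),   # 0000, 0001
    ("0180-c200-0002", "ffff-ffff-ffff"),   # 0002
    ("0180-c200-0004", "ffff-ffff-fffc"),   # 0004 .. 0007
    ("0180-c200-0008", "ffff-ffff-fff8"),   # 0008 .. 000f
]

# EAPOL PAE group address, the protocol-mac from method 1
EAPOL_PAE_GROUP = "0180-c200-0003"
```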

Procedure
Step 1 Create VLANs and configure the VLANs allowed by interfaces so that packets can
be forwarded.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# Configure GE1/0/1 connecting the Switch to users as an access interface and add the interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.10 24
[Switch-Vlanif10] quit

# Configure GE1/0/2 connecting the Switch to the RADIUS server as an access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.10 24
[Switch-Vlanif20] quit

Step 2 Configure AAA.


# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher YsHsjx_202206
[Switch-radius-rd1] quit


# Create the AAA authentication scheme abc and set the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create the authentication domain huawei.com, and bind the AAA authentication scheme abc and RADIUS server template rd1 to the domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme abc
[Switch-aaa-domain-huawei.com] radius-server rd1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

# Check whether a user can pass RADIUS authentication. The test user test and
password YsHsjx_202206 have been configured on the RADIUS server.
[Switch] test-aaa test YsHsjx_202206 radius-template rd1
Info: Account test succeeded.

Step 3 Configure 802.1X authentication.


# Set the NAC mode to unified.
[Switch] authentication unified-mode

NOTE

● By default, the unified mode is used.


● After changing the NAC mode from common to unified, save the configuration and restart
the device to make the configuration take effect.

# Configure the 802.1X access profile d1.


NOTE

By default, an 802.1X access profile uses the EAP authentication mode. Ensure that the
RADIUS server supports EAP; otherwise, the server cannot process 802.1X authentication
request packets.
[Switch] dot1x-access-profile name d1
[Switch-dot1x-access-profile-d1] dot1x timer client-timeout 30
[Switch-dot1x-access-profile-d1] quit

# Configure the authentication profile p1, bind the 802.1X access profile d1 to the
authentication profile, specify the domain huawei.com as the forcible
authentication domain in the authentication profile, set the user access mode to
multi-authen, and set the maximum number of access users to 100.
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] dot1x-access-profile d1
[Switch-authen-profile-p1] access-domain huawei.com force
[Switch-authen-profile-p1] authentication mode multi-authen max-user 100
[Switch-authen-profile-p1] quit

# Bind the authentication profile p1 to GE1/0/1 and enable 802.1x authentication on the interface.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication-profile p1
[Switch-GigabitEthernet1/0/1] quit

# (Recommended) Configure the source IP address and source MAC address for
offline detection packets in a specified VLAN. You are advised to set the user
gateway IP address and its corresponding MAC address as the source IP address
and source MAC address of offline detection packets.
[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456

Step 4 Verify the configuration.


1. A user starts the 802.1X client on a terminal, and enters the user name and
password for authentication.
2. If the user name and password are correct, an authentication success
message is displayed on the client page. The user can access the network.
3. After users go online, you can run the display access-user access-type dot1x
command on the device to view information about online 802.1X
authentication users.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
authentication-profile name p1
dot1x-access-profile d1
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
#
radius-server template rd1
radius-server shared-key cipher %#%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%#%#
radius-server authentication 192.168.2.30 1812 weight 80
#
dot1x-access-profile name d1
#
aaa
authentication-scheme abc
authentication-mode radius
domain huawei.com
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication-profile p1
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.10 255.255.255.0
#
return


3.14.3.2 Example for Configuring MAC Address Authentication to Control User Access

MAC Address Authentication Overview


As one of NAC authentication modes, MAC address authentication controls a
user's network access rights based on the user's interface and MAC address. The
user does not need to install any client software. MAC address authentication
ensures security of enterprise intranets.
In MAC address authentication, client software does not need to be installed on
user terminals, but MAC addresses must be registered on servers, resulting in
complex management. The other two NAC authentication methods have their own
advantages and disadvantages: 802.1X authentication ensures high security, but it
requires that 802.1X client software be installed on user terminals, causing
inflexible network deployment. Portal authentication also does not require client
software installation and provides flexible deployment, but it has low security.
MAC address authentication is applied to access authentication scenarios of dumb
terminals such as printers and fax machines.

Configuration Notes
This configuration example applies to all switches running all versions.
When you run the access-user arp-detect command to configure the IP address
and MAC address of the user gateway as the source IP address and source MAC
address of user offline detection packets, ensure that the MAC address of the
gateway remains unchanged, especially in active/standby switchover scenarios. If
the gateway MAC address is changed, ARP entries of terminals will be incorrect on
the device, and the terminals cannot communicate with the device.

Networking Requirements
As shown in Figure 3-217, terminals in a company's physical access control
department are connected to the company's internal network through the Switch.
Unauthorized access to the internal network can damage the company's service
system and cause leakage of key information. Therefore, the administrator
requires that the Switch should control users' network access rights to ensure
internal network security.
Because dumb terminals (such as printers) in the physical access control
department cannot have the authentication client installed, MAC address
authentication needs to be configured on the Switch. MAC addresses of terminals
are used as user information and sent to the RADIUS server for authentication.
When users connect to the network, authentication is not required.


Figure 3-217 Networking diagram for configuring MAC address authentication

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure network interoperation.


2. Configure AAA on the Switch to implement identity authentication on access
users through the RADIUS server. The configuration includes configuring a
RADIUS server template, an AAA scheme, and an authentication domain, and
binding the RADIUS server template and AAA scheme to the authentication
domain.
3. Configure MAC address authentication so that the Switch can control network
access rights of the dumb terminals in the physical access control department.
The configuration includes:
a. Configure a MAC access profile.
b. Configure an authentication profile.
c. Enable MAC address authentication on an interface.

NOTE

● Before performing operations in this example, ensure that user access terminals and the
server can communicate.
● This example only provides the configuration of the Switch. The configurations of the
LAN Switch and server are not provided here.

Procedure
Step 1 Create VLANs and configure the VLANs allowed by interfaces so that packets can
be forwarded.

# Create VLAN 10 and VLAN 20.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20


# Configure GE1/0/1 connecting the Switch to users as an access interface and add the interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.10 24
[Switch-Vlanif10] quit

# Configure GE1/0/2 connecting the Switch to the RADIUS server as an access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.10 24
[Switch-Vlanif20] quit

Step 2 Configure AAA.

# Create and configure the RADIUS server template rd1.


[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher YsHsjx_202206
[Switch-radius-rd1] quit

# Create the AAA authentication scheme abc and set the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create the authentication domain huawei.com, and bind the AAA authentication scheme abc and RADIUS server template rd1 to the domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme abc
[Switch-aaa-domain-huawei.com] radius-server rd1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

# Check whether a user can pass RADIUS authentication. The test user test and
password YsHsjx_202206 have been configured on the RADIUS server.
[Switch] test-aaa test YsHsjx_202206 radius-template rd1
Info: Account test succeeded.

Step 3 Configure MAC address authentication.

# Set the NAC mode to unified.


[Switch] authentication unified-mode

NOTE

● By default, the unified mode is used.


● After changing the NAC mode from common to unified, save the configuration and restart
the device to make the configuration take effect.

# Configure the MAC access profile m1.


NOTE

In a MAC access profile, a MAC address without hyphens (-) is used as the user name and
password for MAC address authentication. Ensure that the formats of the user name and
password for MAC address authentication configured on the RADIUS server are the same as
those configured on the access device.
[Switch] mac-access-profile name m1
[Switch-mac-access-profile-m1] quit

# Configure the authentication profile p1, bind the MAC access profile m1 to the
authentication profile, specify the domain huawei.com as the forcible
authentication domain in the authentication profile, set the user access mode to
multi-authen, and set the maximum number of access users to 100.
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] mac-access-profile m1
[Switch-authen-profile-p1] access-domain huawei.com force
[Switch-authen-profile-p1] authentication mode multi-authen max-user 100
[Switch-authen-profile-p1] quit

# Bind the authentication profile p1 to GE1/0/1 and enable MAC address authentication on the interface.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication-profile p1
[Switch-GigabitEthernet1/0/1] quit

# (Recommended) Configure the source IP address and source MAC address for
offline detection packets in a specified VLAN. You are advised to set the user
gateway IP address and its corresponding MAC address as the source IP address
and source MAC address of offline detection packets.
[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456

Step 4 Verify the configuration.


1. After a user starts a terminal, the device automatically obtains the user
terminal's MAC address as the user name and password for authentication.
2. Users can access the network after being authenticated successfully.
3. After users go online, you can run the display access-user access-type mac-authen
command on the device to view information about online MAC address
authentication users.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
authentication-profile name p1
mac-access-profile m1
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
#
radius-server template rd1
radius-server shared-key cipher %#%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%#%#
radius-server authentication 192.168.2.30 1812 weight 80
#
mac-access-profile name m1
#
aaa
authentication-scheme abc
authentication-mode radius
domain huawei.com
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication-profile p1
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.10 255.255.255.0
#
return

3.14.3.3 Example for Configuring Portal Authentication to Control User Access

Portal Authentication Overview


As one of NAC authentication modes, Portal authentication is also called web
authentication. Generally, Portal authentication websites are also called Portal
websites. When users go online, they must be authenticated on Portal websites.
The users can use network resources only after they pass the authentication.
Portal authentication cannot ensure high security, but it does not require client
software installation and provides flexible deployment. The other two NAC
authentication methods have their own advantages and disadvantages: 802.1X
authentication ensures high security, but it requires that 802.1X client software be
installed on user terminals, causing inflexible network deployment. MAC address
authentication does not require client software installation, but MAC addresses
must be registered on an authentication server, resulting in complex management.
Portal authentication is applied to scenarios where a large number of scattered
users such as company visitors move frequently.

Configuration Notes
This configuration example applies to all switches running all versions.
When you run the access-user arp-detect command to configure the IP address
and MAC address of the user gateway as the source IP address and source MAC
address of user offline detection packets, ensure that the MAC address of the
gateway remains unchanged, especially in active/standby switchover scenarios. If
the gateway MAC address is changed, ARP entries of terminals will be incorrect on
the device, and the terminals cannot communicate with the device.


Networking Requirements
As shown in Figure 3-218, terminals in a company's visitor area are connected to
the company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of
key information. Therefore, the administrator requires that the Switch should
control users' network access rights to ensure internal network security.

Because visitors move frequently, Portal authentication is configured and the RADIUS server is used to authenticate user identities.

Figure 3-218 Networking diagram for configuring Portal authentication

Configuration Roadmap
The configuration roadmap is as follows:

1. Configure network interoperation.


2. Configure AAA on the Switch to implement identity authentication on access
users through the RADIUS server. The configuration includes configuring a
RADIUS server template, an AAA scheme, and an authentication domain, and
binding the RADIUS server template and AAA scheme to the authentication
domain.
3. Configure Portal authentication to control network access rights of the visitors
in the visitor area. The configuration includes:
a. Configure a Portal server template
b. Configure a Portal access profile.
c. Configure an authentication profile.
d. Enable Portal authentication on an interface.

NOTE

● Before performing operations in this example, ensure that user access terminals and the
server can communicate.
● This example only provides the configuration of the Switch. The configurations of the LAN
Switch and server are not provided here.


Procedure
Step 1 Create VLANs and configure the VLANs allowed by interfaces so that packets can
be forwarded.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# Configure GE1/0/1 connecting the Switch to users as an access interface and add the interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.10 24
[Switch-Vlanif10] quit

# Configure GE1/0/2 connecting the Switch to the RADIUS server as an access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.10 24
[Switch-Vlanif20] quit

Step 2 Configure AAA.


# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher YsHsjx_202206
[Switch-radius-rd1] quit

# Create the AAA authentication scheme abc and set the authentication mode to
RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create the authentication domain huawei.com, and bind the AAA authentication scheme abc and RADIUS server template rd1 to the domain.
[Switch-aaa] domain huawei.com
[Switch-aaa-domain-huawei.com] authentication-scheme abc
[Switch-aaa-domain-huawei.com] radius-server rd1
[Switch-aaa-domain-huawei.com] quit
[Switch-aaa] quit

# Check whether a user can pass RADIUS authentication. The test user test and
password YsHsjx_202206 have been configured on the RADIUS server.
[Switch] test-aaa test YsHsjx_202206 radius-template rd1
Info: Account test succeeded.
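The test-aaa check above (the same step appears in the 802.1X and MAC address authentication examples) sends a RADIUS Access-Request for the test account to the server in template rd1 and reports the reply. The following Python program is an added example, not Huawei code: it models that exchange end to end as a PAP Access-Request answered by Access-Accept or Access-Reject per RFC 2865, with the NAS side and a constructed server side in one process. The shared key and the test account are taken from this example; the NAS address 192.168.2.10 (the VLANIF20 address), the server's user database, and the assumption that the check uses PAP rather than EAP are mine. The database also holds a dumb terminal registered under its MAC address without hyphens as both user name and password, the format described in the MAC access profile note of the MAC address authentication example, so the same code covers that case.

```python
"""PAP RADIUS exchange (RFC 2865) between a NAS and a RADIUS server.
Added example, not Huawei code. Both sides run in-process; the shared key
and test account come from the configuration example, the NAS address
192.168.2.10 (VLANIF20) and the server's user database are assumptions."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4

SHARED_KEY = b"YsHsjx_202206"  # radius-server shared-key of template rd1
NAS_IP = "192.168.2.10"        # assumed: the VLANIF20 address facing the server

def mac_auth_credentials(mac):
    """User name and password a MAC access profile derives from a terminal's
    MAC address: the address with hyphens removed (00e0-fc12-3456 -> 00e0fc123456)."""
    return mac.replace("-", "").lower().encode()

# Constructed server-side user database: the example's test account plus a dumb
# terminal registered under its MAC address, as MAC address authentication expects.
USER_DB = {
    b"test": b"YsHsjx_202206",
    mac_auth_credentials("00e0-fc12-3456"): mac_auth_credentials("00e0-fc12-3456"),
}

def _xor_stream(data, authenticator, secret, chain_cipher):
    """RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous block),
    starting from the Request Authenticator. Encryption chains on the ciphertext
    it produces; decryption chains on the ciphertext it received."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if chain_cipher else data[i:i + 16]
    return out

def encrypt_password(password, authenticator, secret):
    """Pad with NUL bytes to a multiple of 16 (at least 16), then obfuscate."""
    padded = password.ljust(-(-len(password) // 16) * 16 or 16, b"\x00")
    return _xor_stream(padded, authenticator, secret, chain_cipher=True)

def decrypt_password(cipher, authenticator, secret):
    return _xor_stream(cipher, authenticator, secret, chain_cipher=False).rstrip(b"\x00")

def encode_attrs(attrs):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def parse_packet(pkt):
    """Return (code, identifier, authenticator, [(type, value), ...])."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = [], 20
    while i < length:
        t, alen = struct.unpack("!BB", pkt[i:i + 2])
        attrs.append((t, pkt[i + 2:i + alen]))
        i += alen
    return code, ident, pkt[4:20], attrs

def response_authenticator(code, ident, request_auth, attrs_bytes, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs_bytes))
    return hashlib.md5(header + request_auth + attrs_bytes + secret).digest()

def build_access_request(username, password, secret, ident=1):
    """NAS side: the packet behind `test-aaa <user> <password> radius-template rd1`."""
    request_auth = os.urandom(16)
    attrs = encode_attrs([
        (ATTR_USER_NAME, username),
        (ATTR_USER_PASSWORD, encrypt_password(password, request_auth, secret)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in NAS_IP.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs

def server_handle(request, secret, user_db=USER_DB):
    """Server side (constructed): recover the password with its own copy of the
    shared key, check the account, and sign the reply with the same key."""
    code, ident, request_auth, attrs = parse_packet(request)
    fields = dict(attrs)
    password = decrypt_password(fields.get(ATTR_USER_PASSWORD, b""), request_auth, secret)
    ok = code == ACCESS_REQUEST and user_db.get(fields.get(ATTR_USER_NAME)) == password
    reply_code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return (struct.pack("!BBH", reply_code, ident, 20)
            + response_authenticator(reply_code, ident, request_auth, b"", secret))

def nas_verify_reply(request, reply, secret):
    """NAS side: a reply whose Response Authenticator does not verify under the
    NAS's shared key is discarded; that is how a key mismatch shows up."""
    _, ident, request_auth, _ = parse_packet(request)
    code, reply_ident, reply_auth, _ = parse_packet(reply)
    expected = response_authenticator(code, reply_ident, request_auth, reply[20:], secret)
    if reply_ident != ident or not hmac.compare_digest(expected, reply_auth):
        return "bad-authenticator"
    return "accept" if code == ACCESS_ACCEPT else "reject"

def run_test_aaa(username, password, nas_secret=SHARED_KEY, server_secret=SHARED_KEY):
    """One round trip; returns 'accept', 'reject' or 'bad-authenticator'."""
    request = build_access_request(username, password, nas_secret)
    return nas_verify_reply(request, server_handle(request, server_secret), nas_secret)

if __name__ == "__main__":
    print(run_test_aaa(b"test", b"YsHsjx_202206"))                          # accept
    print(run_test_aaa(*[mac_auth_credentials("00e0-fc12-3456")] * 2))      # accept
    print(run_test_aaa(b"test", b"wrong"))                                  # reject
    print(run_test_aaa(b"test", b"YsHsjx_202206", server_secret=b"other"))  # bad-authenticator
```

The shared key does two jobs here: it is the input to the User-Password obfuscation and the trailer of the Response Authenticator hash. A server holding a different key therefore recovers a wrong password and signs its reply with a key the NAS does not have, so the NAS reports bad-authenticator rather than a clean reject. On the switch, a shared-key mismatch with the server is worth checking first when test-aaa fails for an account known to be correct.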

Step 3 Configure Portal authentication.


# Set the NAC mode to unified.
[Switch] authentication unified-mode

NOTE

● By default, the unified mode is used.


● After changing the NAC mode from common to unified, save the configuration and restart
the device to make the configuration take effect.

# Configure the Portal server template abc.


[Switch] web-auth-server abc //In V200R020C10SPC100 and later versions, you must also run the web-auth-server server-source or server-source command to configure the local gateway address used to receive and respond to the packets sent by the Portal server, so as to implement Portal authentication.
[Switch-web-auth-server-abc] server-ip 192.168.2.30
[Switch-web-auth-server-abc] port 50200
[Switch-web-auth-server-abc] url http://192.168.2.30:8080/portal
[Switch-web-auth-server-abc] shared-key cipher YsHsjx_202206
[Switch-web-auth-server-abc] quit

NOTE

Ensure that the port number configured on the device is the same as the port number used by
the Portal server.

# Configure the Portal access profile web1.


[Switch] portal-access-profile name web1
[Switch-portal-acces-profile-web1] web-auth-server abc direct
[Switch-portal-acces-profile-web1] quit

# Configure the authentication profile p1, bind the Portal access profile web1 to
the authentication profile, specify the domain huawei.com as the forcible
authentication domain in the authentication profile, set the user access mode to
multi-authen, and set the maximum number of access users to 100.
[Switch] authentication-profile name p1
[Switch-authen-profile-p1] portal-access-profile web1
[Switch-authen-profile-p1] access-domain huawei.com force
[Switch-authen-profile-p1] authentication mode multi-authen max-user 100
[Switch-authen-profile-p1] quit

NOTE

In this example, users are allocated static IP addresses. If the users obtain IP addresses through
DHCP and the DHCP server is on the upstream network of the NAS device, use the free-rule
command to create authentication-free rules and ensure that the DHCP server is included in the
authentication-free rules.
In versions earlier than V200R012C00, if the URL of Portal server needs to be analyzed by DNS
and the DNS server is on the upstream network of the NAS device, you also need to create
authentication-free rules and ensure that the DNS server is included in the authentication-free
rules. In V200R012C00 and later versions, the NAS device automatically allows DNS packets to
pass through and no authentication-free rule is required in Portal authentication.

# Bind the authentication profile p1 to GE1/0/1 and enable Portal authentication on the interface.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication-profile p1
[Switch-GigabitEthernet1/0/1] quit

# (Recommended) Configure the source IP address and source MAC address for
offline detection packets in a specified VLAN. You are advised to set the user
gateway IP address and its corresponding MAC address as the source IP address
and source MAC address of offline detection packets. This function does not take
effect for users who use Layer 3 Portal authentication.

[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456

Step 4 Verify the configuration.


1. After a user opens the browser and enters any website address, the user is
redirected to the Portal authentication page. The user then can enter the user
name and password for authentication.
2. If the user name and password are correct, an authentication success
message is displayed on the Portal authentication page. The user can access
the network.
3. After users go online, you can run the display access-user access-type portal
command on the device to view information about online Portal
authentication users.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
authentication-profile name p1
portal-access-profile web1
authentication mode multi-authen max-user 100
access-domain huawei.com force
#
access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
#
radius-server template rd1
radius-server shared-key cipher %#%#4*SO-2u,Q.\1C~%[eiB77N/^2wME;6t%6U@qAJ9:%#%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.30
port 50200
shared-key cipher %#%#CR@WPM9Q30%]A}9]g4hUqe1u~4Fz}PlU)QPL;73#%#%#
url http://192.168.2.30:8080/portal
#
portal-access-profile name web1
web-auth-server abc direct
#
aaa
authentication-scheme abc
authentication-mode radius
domain huawei.com
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication-profile p1
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
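The configuration files of the three examples in this section (802.1X, MAC address, and Portal authentication) tie the interface to an authentication profile, the profile to an access profile and a forcible domain, the domain to an authentication scheme and a RADIUS server template, and a Portal access profile to a web-auth-server. A mistyped name at any of those points leaves users unable to authenticate. The following Python script is an added example, not a Huawei tool: it parses a configuration file in the form the switch displays it and reports dangling references, shared keys not stored as cipher text, and a domain that selects RADIUS authentication without binding a RADIUS server template. It assumes one leading space per nesting level in the file, which the rendering of the configuration files above does not show. SAMPLE_CONFIG is an abridged, constructed copy of the Portal example's file with a placeholder in place of the cipher text.

```python
"""Cross-reference check for NAC configuration files such as the ones in
this section. Added example, not Huawei tooling. Input: the configuration
file as the switch displays it, sections separated by '#' lines and one
leading space per nesting level (assumed). SAMPLE_CONFIG is an abridged,
constructed copy of the Portal example's file with a cipher-text placeholder."""
import re

SAMPLE_CONFIG = """\
#
authentication-profile name p1
 portal-access-profile web1
 access-domain huawei.com force
#
radius-server template rd1
 radius-server shared-key cipher %#%#CIPHER-TEXT-PLACEHOLDER%#%#
 radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
 server-ip 192.168.2.30
 shared-key cipher %#%#CIPHER-TEXT-PLACEHOLDER%#%#
#
portal-access-profile name web1
 web-auth-server abc direct
#
aaa
 authentication-scheme abc
  authentication-mode radius
 domain huawei.com
  authentication-scheme abc
  radius-server rd1
#
interface GigabitEthernet1/0/1
 authentication-profile p1
#
return
"""

def parse(text):
    """Tree of config lines: a line is a child of the nearest preceding line
    with a smaller indent; '#' separators and 'return' are skipped."""
    root = {"line": "", "children": []}
    stack = [(-1, root)]
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped in ("#", "return"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        node = {"line": stripped, "children": []}
        while stack[-1][0] >= indent:
            stack.pop()
        stack[-1][1]["children"].append(node)
        stack.append((indent, node))
    return root["children"]

def lint(text):
    """Findings for dangling bindings, shared keys not stored as cipher text, and
    domains that use a RADIUS scheme without a RADIUS server; [] when clean."""
    defs = {k: set() for k in ("dot1x", "mac", "portal", "profile", "radius", "web", "scheme", "domain")}
    refs, findings, radius_schemes, domains = [], [], set(), {}
    for top in parse(text):
        line, kids = top["line"], top["children"]
        lines = [k["line"] for k in kids]
        if m := re.match(r"(dot1x|mac|portal)-access-profile name (\S+)", line):
            defs[m[1]].add(m[2])
            refs += [(line, "web", w[1]) for l in lines if (w := re.match(r"web-auth-server (\S+)", l))]
        elif m := re.match(r"authentication-profile name (\S+)", line):
            defs["profile"].add(m[1])
            for l in lines:
                if r := re.match(r"(dot1x|mac|portal)-access-profile (\S+)", l):
                    refs.append((line, r[1], r[2]))
                elif r := re.match(r"access-domain (\S+)", l):
                    refs.append((line, "domain", r[1]))
        elif m := re.match(r"(radius-server template|web-auth-server) (\S+)", line):
            defs["radius" if m[1].startswith("radius") else "web"].add(m[2])
            findings += [f"{line}: shared key is not stored as cipher text"
                         for l in lines if "shared-key" in l and " cipher " not in l]
        elif line == "aaa":
            for k in kids:
                sub = [g["line"] for g in k["children"]]
                if m := re.match(r"authentication-scheme (\S+)", k["line"]):
                    defs["scheme"].add(m[1])
                    if "authentication-mode radius" in sub:
                        radius_schemes.add(m[1])
                elif m := re.match(r"domain (\S+)", k["line"]):
                    defs["domain"].add(m[1])
                    schemes = [r[1] for l in sub if (r := re.match(r"authentication-scheme (\S+)", l))]
                    servers = [r[1] for l in sub if (r := re.match(r"radius-server (\S+)", l))]
                    refs += [(k["line"], "scheme", s) for s in schemes]
                    refs += [(k["line"], "radius", s) for s in servers]
                    domains[m[1]] = (schemes, bool(servers))
        elif re.match(r"interface (\S+)", line):
            refs += [(line, "profile", r[1]) for l in lines if (r := re.match(r"authentication-profile (\S+)", l))]
    findings += [f"{where}: {kind} '{name}' is referenced but not defined"
                 for where, kind, name in refs if name not in defs[kind]]
    findings += [f"domain {d}: uses a RADIUS authentication scheme but binds no radius-server template"
                 for d, (schemes, has_radius) in domains.items()
                 if not has_radius and any(s in radius_schemes for s in schemes)]
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE_CONFIG))   # [] for the clean sample
    print(lint(SAMPLE_CONFIG.replace(" authentication-profile p1", " authentication-profile p2")))
```

Run it against the output of display current-configuration saved to a file; the second call in the usage shows the kind of finding a mistyped profile name on the interface produces. The checks are deliberately limited to names the page's examples bind; they say nothing about whether the RADIUS server itself is reachable, which is what test-aaa verifies.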

3.14.4 Typical NAC Configuration (Unified Mode) (the Agile Controller-Campus as the Authentication Server) (V200R005C00 to V200R008C00)

3.14.4.1 Example for Configuring Portal Authentication to Control User Access to the Enterprise Network (Authentication Point on Core Switch)

Portal Authentication Overview


Portal authentication is a Network Access Control (NAC) method. Portal
authentication is also called web authentication. Generally, Portal authentication
websites are referred to as Portal websites. Users must be authenticated by the
Portal websites before they can use network services.

Portal authentication is insecure, but allows flexible networking as no client
software is required on users' terminals. 802.1X authentication is another NAC
method. It is more secure than Portal authentication, but requires the installation
of client software on users' terminals, resulting in networking inflexibility. Like
Portal authentication, MAC address authentication also does not require the
installation of client software, but user terminals' MAC addresses must be
registered on the authentication server. Network configuration and management
is complex.

Portal authentication applies to the users who are sparsely distributed and move
frequently, for example, guests of a company.

Configuration Notes
This configuration example applies to all switches running all versions.

Huawei's Agile Controller-Campus in V100R001 functions as the Portal server and
RADIUS server in this example. For the Agile Controller-Campus, the required
version is V100R001, V100R002, or V100R003.

The RADIUS authentication and accounting shared keys and Portal shared key on
the switch must be the same as those on the Agile Controller-Campus server.

By default, the switch allows the packets from RADIUS and Portal servers to pass.
You do not need to configure authentication-free rules for the two servers on the
switch.

Networking Requirements
An enterprise needs to deploy an identity authentication system to control
employees' network access rights and allow only authorized users to access the
network. The enterprise has the following requirements:


● The authentication operations should be simple. The authentication system
only performs access authorization, and minimal client software is installed on
user terminals.
● To facilitate network reconstruction and reduce investments, the enterprise
requires the authentication point be deployed on the core switch.
● A unified identity authentication mechanism is used to authenticate all
terminals accessing the campus network and deny access from unauthorized
terminals.
● R&D employees can connect only to public servers (such as the web and DNS
servers) of the enterprise before the authentication, and can connect to both
the intranet (code library and issue tracking system) and Internet after being
authenticated.
● Marketing employees can connect only to public servers (such as the web and
DNS servers) of the enterprise before the authentication, and can connect
only to the Internet after being authenticated.

Figure 3-219 Portal authentication deployed at the core layer

Data Plan

Table 3-113 VLAN plan

VLAN ID   Function
101       VLAN for R&D employees
102       VLAN for marketing employees
103       VLAN for connection between the aggregation switch and core switch
104       VLAN to which interfaces connecting to the servers belong

Table 3-114 Network data plan

Item: Access switch (connecting to the R&D department)
● Interface number: GE0/0/1; VLAN: 101. Description: Connects to employees' PCs.
● Interface number: GE0/0/2; VLAN: 101. Description: Connects to the aggregation switch.

Item: Access switch (connecting to the marketing department)
● Interface number: GE0/0/1; VLAN: 102. Description: Connects to employees' PCs.
● Interface number: GE0/0/2; VLAN: 102. Description: Connects to the aggregation switch.

Item: Aggregation switch
● Interface number: GE1/0/1; VLAN: 101; VLANIF101 IP address: 192.168.0.1. Description: Connects to the access switch of the R&D department; VLANIF101 functions as the gateway for R&D employees.
● Interface number: GE1/0/2; VLAN: 102; VLANIF102 IP address: 192.168.1.1. Description: Connects to the access switch of the marketing department; VLANIF102 functions as the gateway for marketing employees.
● Interface number: GE1/0/3; VLAN: 103; VLANIF103 IP address: 172.16.2.1. Description: Connects to the core switch.

Item: Core switch
● Interface number: GE1/0/1; VLAN: 103; VLANIF103 IP address: 172.16.2.2. Description: Connects to the aggregation switch.
● Interface number: GE1/0/2; VLAN: 104; VLANIF104 IP address: 172.16.1.254. Description: Connects to the server area and functions as the gateway for the servers.

Item: Server
● Agile Controller-Campus (RADIUS server + Portal server): IP address 172.16.1.1. Description: -
● DNS server: IP address 172.16.1.2. Description: -
● Web server: IP address 172.16.1.3. Description: -
● Code library: IP address 172.16.1.4. Description: -
● Issue tracking system: IP address 172.16.1.5. Description: -

Table 3-115 Service data plan

Core switch
● Number of the ACL for R&D employees' post-authentication domain: 3001. You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
● Number of the ACL for marketing employees' post-authentication domain: 3002. You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
● Authentication server: IP address 172.16.1.1; port number 1812; RADIUS shared key YsHsjx_202206.
● Accounting server: IP address 172.16.1.1; port number 1813; RADIUS shared key YsHsjx_202206; accounting interval 15 minutes.
● Portal server: IP address 172.16.1.1; port number that the switch uses to process Portal protocol packets: 2000; destination port number in the packets that the switch sends to the Portal server: 50200; Portal authentication shared key: YsHsjx_202206.
  The Service Controller (SC) of the Agile Controller-Campus integrates the RADIUS server and Portal server. Therefore, the IP addresses of the authentication server, accounting server, authorization server, and Portal server are all the SC's IP address.
  Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as the authentication and accounting port numbers of the RADIUS server.
  Configure an authorization server to enable the RADIUS server to deliver authorization rules to the switch. The RADIUS shared key of the authorization server must be the same as those of the authentication server and accounting server.

Agile Controller-Campus
● Host name: access.example.com. Users can use the domain name to access the Portal server.
● Device IP address: 172.16.1.254
● Authentication port: 1812
● Accounting port: 1813
● RADIUS shared key: YsHsjx_202206. The RADIUS shared key must be the same as that configured on the switch.
● Port number that the Portal server uses to receive packets: 50200
● Portal shared key: YsHsjx_202206. It must be the same as the Portal authentication shared key configured on the switch.
● Department: R&D; user: A; account: A-123; password: YsHsjx_202207
● Department: Marketing; user: B; account: B-123; password: YsHsjx_202207
  Two departments and two corresponding accounts have been created on the Agile Controller-Campus: the R&D department with the R&D employee account A-123, and the Marketing department with the marketing employee account B-123.

Pre-authentication domain
● Agile Controller-Campus (including RADIUS server and Portal server), DNS server, and web server

Post-authentication domain
● R&D employees: code library, issue tracking system, and Internet
● Marketing employees: Internet
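The shared-key requirements in the table above are enforced by the RADIUS protocol itself, not by any configuration check: the key is mixed into the User-Password hiding of every Access-Request and into the Response Authenticator of every reply. The following Python script is an added example, not part of this guide and not Huawei's implementation. It builds an Access-Request the way a NAS does (RFC 2865 User-Password hiding), answers it as a RADIUS server would, and shows that a key mismatch on either side ends either in a rejected login or in a reply the switch cannot verify and must discard. The account names, passwords, key, NAS address 172.16.1.254 and ACL numbers come from the data plan; the use of Filter-Id to carry the ACL number, the helper names (nas_access_request, server_reply, exchange) and the packet contents are this example's own assumptions.

```python
"""Added example (not from the Huawei guide or its devices): why the RADIUS
shared key on the switch and on the Agile Controller-Campus must match.
Implements RFC 2865 User-Password hiding and the Response Authenticator with
the standard library; all hosts, accounts and packets are constructed."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, FILTER_ID = 1, 2, 4, 11

def attr(atype, value):
    """Type-Length-Value encoding; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value

def parse_attrs(blob):
    attrs, pos = {}, 0
    while pos + 2 <= len(blob):
        atype, alen = blob[pos], blob[pos + 1]
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("malformed RADIUS attribute")
        attrs[atype] = blob[pos + 2:pos + alen]
        pos += alen
    return attrs

def hide_password(data, secret, request_auth, decrypt=False):
    """RFC 2865 5.2: each 16-byte block is XORed with MD5(secret || previous
    ciphertext block); the first block chains from the Request Authenticator."""
    if not decrypt:
        data += b"\0" * (-len(data) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(chunk, pad))
        out += xored
        prev = chunk if decrypt else xored  # always chain on the ciphertext block
    return out.rstrip(b"\0") if decrypt else out

def packet(code, ident, authenticator, attrs):
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def response_auth(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def nas_access_request(user, password, nas_ip, secret, ident=1):
    """What the switch (NAS) sends once the user submits the Portal login form."""
    request_auth = os.urandom(16)
    body = attr(USER_NAME, user.encode())
    body += attr(USER_PASSWORD, hide_password(password.encode(), secret, request_auth))
    body += attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
    return packet(ACCESS_REQUEST, ident, request_auth, body)

def server_reply(request, secret, accounts):
    """Server side: recover the password with *its* copy of the key and decide.
    accounts maps account name -> (password, authorization ACL number)."""
    ident, request_auth = request[1], request[4:20]
    got = parse_attrs(request[20:])
    user = got.get(USER_NAME, b"").decode(errors="replace")
    pw = hide_password(got.get(USER_PASSWORD, b""), secret, request_auth, decrypt=True)
    code, body = ACCESS_REJECT, b""
    if user in accounts and hmac.compare_digest(pw, accounts[user][0].encode()):
        code = ACCESS_ACCEPT
        # ACL number carried in Filter-Id (RFC 2865 attribute 11). Which attribute
        # the Agile Controller-Campus really uses is not shown on this page.
        body = attr(FILTER_ID, str(accounts[user][1]).encode())
    return packet(code, ident, response_auth(code, ident, body, request_auth, secret), body)

def nas_verify(request, response, secret):
    """The switch trusts a reply only if it can recompute the Response
    Authenticator with its own key; RFC 2865 says to silently discard the rest."""
    length = struct.unpack("!H", response[2:4])[0]
    if response[1] != request[1] or length != len(response):
        return False
    expected = response_auth(response[0], response[1], response[20:], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])

def exchange(switch_key, server_key, user, password):
    """Returns (code the server sent, whether the switch accepted the reply,
    ACL number delivered). Accounts are the two from the data plan above."""
    accounts = {"A-123": ("YsHsjx_202207", 3001), "B-123": ("YsHsjx_202207", 3002)}
    req = nas_access_request(user, password, "172.16.1.254", switch_key)
    resp = server_reply(req, server_key, accounts)
    ok = nas_verify(req, resp, switch_key)
    fid = parse_attrs(resp[20:]).get(FILTER_ID)
    return resp[0], ok, (fid.decode() if ok and fid else None)

if __name__ == "__main__":
    key = b"YsHsjx_202206"
    print(exchange(key, key, "A-123", "YsHsjx_202207"))                # (2, True, '3001')
    print(exchange(key, key, "A-123", "wrong-password"))               # (3, True, None)
    print(exchange(key, b"typo_on_server", "A-123", "YsHsjx_202207"))  # (3, False, None)
```

The third call is the case to remember when troubleshooting: with a mismatched key the server still answers, but the switch cannot validate the Response Authenticator and RFC 2865 requires it to drop the packet silently, so a key typo presents as Portal logins that time out rather than as an explicit error. Checking that the RADIUS key on the switch and the Authentication/Charging Key on the Agile Controller-Campus are byte-for-byte identical is therefore the first step.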

Configuration Roadmap
1. Configure the access switch, aggregation switch, and core switch to ensure
network connectivity.
2. Configure Portal authentication on the core switch to implement user access
control. Configure parameters for connecting to the RADIUS server and those
for connecting to the Portal server, enable Portal authentication, and
configure network access rights for the pre-authentication domain and post-
authentication domain.
3. Configure the Agile Controller-Campus:
a. Log in to the Agile Controller-Campus.
b. Add user accounts to the Agile Controller-Campus.
c. Add a switch to the Agile Controller-Campus and configure related
parameters to ensure normal communication between the Agile
Controller-Campus and switch.
d. Add authorization results and authorization rules to the Agile Controller-
Campus to grant different access rights to R&D employees and marketing
employees after they are successfully authenticated.

Procedure
Step 1 Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting
to the R&D department. The configuration for SwitchB, the access switch
connecting to the marketing department, is similar to that for SwitchA.


<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Interface connected to the aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit

Step 2 Configure the aggregation switch to ensure network connectivity.


<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] dhcp enable //Enable the DHCP service.
[SwitchC] vlan batch 101 to 103
[SwitchC] interface gigabitethernet 1/0/1 //Interface connected to the access switch of the R&D
department
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 101
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface vlanif 101
[SwitchC-Vlanif101] ip address 192.168.0.1 255.255.255.0 //IP address segment assigned to R&D
employees
[SwitchC-Vlanif101] dhcp select interface
[SwitchC-Vlanif101] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif101] quit
[SwitchC] interface gigabitethernet 1/0/2 //Interface connected to the access switch of the marketing
department
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[SwitchC-GigabitEthernet1/0/2] quit
[SwitchC] interface vlanif 102
[SwitchC-Vlanif102] ip address 192.168.1.1 255.255.255.0 //IP address segment assigned to marketing
employees
[SwitchC-Vlanif102] dhcp select interface
[SwitchC-Vlanif102] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif102] quit
[SwitchC] interface gigabitethernet 1/0/3 //Interface connected to the core switch
[SwitchC-GigabitEthernet1/0/3] port link-type trunk
[SwitchC-GigabitEthernet1/0/3] port trunk allow-pass vlan 103
[SwitchC-GigabitEthernet1/0/3] quit
[SwitchC] interface vlanif 103
[SwitchC-Vlanif103] ip address 172.16.2.1 255.255.255.0
[SwitchC-Vlanif103] quit
[SwitchC] ip route-static 172.16.1.0 255.255.255.0 172.16.2.2 //Configure routes to the network
segment in which the authentication server resides.

Step 3 Configure the core switch.


1. Create VLANs and configure the VLANs allowed by interfaces so that packets
can be forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchD
[SwitchD] vlan batch 103 104
[SwitchD] interface gigabitethernet 1/0/1 //Interface connected to the aggregation switch
[SwitchD-GigabitEthernet1/0/1] port link-type trunk
[SwitchD-GigabitEthernet1/0/1] port trunk allow-pass vlan 103
[SwitchD-GigabitEthernet1/0/1] quit
[SwitchD] interface vlanif 103
[SwitchD-Vlanif103] ip address 172.16.2.2 255.255.255.0
[SwitchD-Vlanif103] quit
[SwitchD] interface gigabitethernet 1/0/2 //Interface connected to the server area
[SwitchD-GigabitEthernet1/0/2] port link-type access
[SwitchD-GigabitEthernet1/0/2] port default vlan 104
[SwitchD-GigabitEthernet1/0/2] quit
[SwitchD] interface vlanif 104


[SwitchD-Vlanif104] ip address 172.16.1.254 255.255.255.0 //Configure the gateway address for


the server area.
[SwitchD-Vlanif104] quit
[SwitchD] ip route-static 192.168.0.0 255.255.255.0 172.16.2.1 //Configure routes to the network
segment assigned to the R&D department.
[SwitchD] ip route-static 192.168.1.0 255.255.255.0 172.16.2.1 //Configure routes to the network
segment assigned to the marketing department.
2. Configure parameters for connecting to the RADIUS server.
[SwitchD] radius-server template policy //Create the RADIUS server template policy.
[SwitchD-radius-policy] radius-server authentication 172.16.1.1 1812 //Configure the IP address
and port number of the RADIUS authentication server.
[SwitchD-radius-policy] radius-server accounting 172.16.1.1 1813 //Configure the IP address and
port number of the RADIUS accounting server.
[SwitchD-radius-policy] radius-server shared-key cipher YsHsjx_202206 //Set the authentication
key and accounting key to YsHsjx_202206.
[SwitchD-radius-policy] quit
[SwitchD] aaa //Enter the AAA view.
[SwitchD-aaa] authentication-scheme auth //Configure the authentication scheme auth.
[SwitchD-aaa-authen-auth] authentication-mode radius //Set the authentication mode to RADIUS.
[SwitchD-aaa-authen-auth] quit
[SwitchD-aaa] accounting-scheme acco //Configure the accounting scheme acco.
[SwitchD-aaa-accounting-acco] accounting-mode radius //Set the accounting mode to RADIUS.
[SwitchD-aaa-accounting-acco] accounting realtime 15 //Set the real-time accounting interval to
15 minutes.
[SwitchD-aaa-accounting-acco] quit
[SwitchD-aaa] domain portal //Configure a domain.
[SwitchD-aaa-domain-portal] authentication-scheme auth //Bind the authentication scheme auth
to the domain.
[SwitchD-aaa-domain-portal] accounting-scheme acco //Bind the accounting scheme acco to the
domain.
[SwitchD-aaa-domain-portal] radius-server policy //Bind the RADIUS server template policy to the
domain.
[SwitchD-aaa-domain-portal] quit
[SwitchD-aaa] quit
[SwitchD] domain portal //Configure portal as the global default domain.
3. Configure parameters for connecting to the Portal server.
[SwitchD] web-auth-server portal_huawei //In V200R020C10SPC100 and later versions, you must
also run the web-auth-server server-source or server-source command to configure the local
gateway address used to receive and respond to the packets sent by the Portal server, so as to
implement Portal authentication.
[SwitchD-web-auth-server-portal_huawei] server-ip 172.16.1.1 //Set the Portal server IP address.
[SwitchD-web-auth-server-portal_huawei] source-ip 172.16.1.254 //Set the IP address that the
switch uses to communicate with the Portal server.
[SwitchD-web-auth-server-portal_huawei] port 50200 //Set the destination port number in the
packets that the switch sends to the Portal server to 50200, which is the same as the port number
that the Portal server uses to receive packets. The default destination port number on the switch is
50100, and you must change it to 50200 manually, so that it matches the port number on the Portal
server.
[SwitchD-web-auth-server-portal_huawei] shared-key cipher YsHsjx_202206 //Configure the
shared key for communication with the Portal server, which must be the same as that configured on
the Portal server.
[SwitchD-web-auth-server-portal_huawei] url http://access.example.com:8080/portal //Configure
the URL for the Portal authentication page, in which access.example.com indicates the host name of
the Portal server. Using the domain name rather than an IP address in the URL is recommended so that
the Portal authentication page can be pushed to users faster and more securely. To use the domain name
in the URL, you must configure the mapping between the domain name access.example.com and the Portal
server IP address on the DNS server in advance. Note that with an http:// URL the login page and the
credentials entered on it are carried in cleartext between the terminal and the Portal server; use an
https:// URL if the Portal server offers one.
[SwitchD-web-auth-server-portal_huawei] quit
[SwitchD] web-auth-server listening-port 2000 //Configure the port number that the switch uses
to process Portal protocol packets. The default port number is 2000. If the port number is changed on
the server, change it accordingly on the switch.
[SwitchD] portal quiet-period //Enable the quiet function for Portal authentication users. If the
number of times that a Portal authentication user fails to be authenticated within 60 seconds exceeds
the specified value, the device discards the user's Portal authentication request packets for a period to
prevent impact of frequent authentication failures on the system.
[SwitchD] portal quiet-times 5 //Configure the maximum number of authentication failures within
60 seconds before the device quiets a Portal authentication user.
[SwitchD] portal timer quiet-period 240 //Set the quiet period to 240 seconds.


4. Enable Portal authentication.


[SwitchD] authentication unified-mode //Set the NAC mode to unified. By default, the unified
mode is enabled. After the NAC mode is changed, save the configuration and restart the device to
make the configuration take effect.
[SwitchD] interface vlanif 103
[SwitchD-Vlanif103] authentication portal //Enable Portal authentication on the interface.
[SwitchD-Vlanif103] web-auth-server portal_huawei layer3 //Bind the Portal server template to
the interface, so the interface can control user access to the enterprise network. If user terminals and
the switch are connected through a Layer 2 network, set the Portal authentication mode to direct. If
user terminals and the switch are connected through a Layer 3 network, set the Portal authentication
mode to layer3.
[SwitchD-Vlanif103] quit
5. Configure network access rights for the pre-authentication domain and post-
authentication domain.
[SwitchD] authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255 //
Configure authentication-free rules for Portal authentication users, so that these users can access the
DNS server before the authentication.
[SwitchD] authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255 //
Configure authentication-free rules for Portal authentication users, so that these users can access the
web server before the authentication.
[SwitchD] acl 3001 //Configure the post-authentication domain for R&D employees.
[SwitchD-acl-adv-3001] rule 1 permit ip //Allow R&D employees to access all resources.
[SwitchD-acl-adv-3001] quit
[SwitchD] acl 3002 //Configure the post-authentication domain for marketing employees.
[SwitchD-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0 //Prevent marketing employees
from accessing the code library.
[SwitchD-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0 //Prevent marketing employees
from accessing the issue tracking system.
[SwitchD-acl-adv-3002] rule 3 permit ip //Allow marketing employees to access other resources.
[SwitchD-acl-adv-3002] quit
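The two free rules and the two ACLs above together define the access matrix that Step 5 later verifies by hand. The following Python script is an added example, not part of this guide: it parses exactly those configuration lines (in the form they take in the core switch configuration file at the end of this example), evaluates them for a user before authentication and for users authorized with ACL 3001 or 3002, and prints the resulting matrix. The matching semantics are assumptions stated in the docstring (rules tried in configuration order, first match wins, Huawei wildcard mask, deny when no rule of an authorization ACL matches) rather than behaviour read from a switch; the Internet address 203.0.113.10 is constructed; the Agile Controller-Campus address is treated as reachable before authentication because the Configuration Notes state that packets to the RADIUS and Portal servers pass by default.

```python
"""Added example (not from the Huawei guide): evaluate the free rules and the
ACLs of the core switch above to see which servers each kind of user can reach.
Assumed matching semantics, stated here rather than taken from the switch:
rules are tried in configuration order and the first match wins; 'destination
A W' uses a Huawei wildcard mask (bit 1 = don't care, a bare 0 = exact match);
an authorization ACL with no matching rule denies."""
import ipaddress
import re

# Lines copied from the core switch configuration file; the 'acl number',
# 'rule' and 'authentication free-rule' forms are the only syntax parsed.
CORE_SWITCH_POLICY = """\
authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
acl number 3001
 rule 1 permit ip
acl number 3002
 rule 1 deny ip destination 172.16.1.4 0
 rule 2 deny ip destination 172.16.1.5 0
 rule 3 permit ip
"""
AUTH_SERVER = "172.16.1.1"  # RADIUS/Portal server: passes by default before authentication

RESOURCES = {  # addresses from the data plan; the Internet address is constructed
    "Agile Controller-Campus": "172.16.1.1", "DNS server": "172.16.1.2",
    "web server": "172.16.1.3", "code library": "172.16.1.4",
    "issue tracking system": "172.16.1.5", "Internet": "203.0.113.10",
}

FREE_RE = re.compile(r"authentication free-rule \d+ destination ip (\S+) mask (\S+)")
ACL_RE = re.compile(r"acl (?:number )?(\d+)")
RULE_RE = re.compile(r"rule \d+ (permit|deny) ip(?: destination (\S+) (\S+))?")


def ip_int(text):
    return int(ipaddress.IPv4Address(text))


def parse_policy(text):
    """Returns (free_rules, acls): free_rules is a list of (ip, mask) integers,
    acls maps ACL number -> ordered list of (action, dest_ip, wildcard)."""
    free, acls, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := FREE_RE.fullmatch(line):
            free.append((ip_int(m[1]), ip_int(m[2])))
        elif m := ACL_RE.fullmatch(line):
            current = acls.setdefault(int(m[1]), [])
        elif m := RULE_RE.fullmatch(line):
            if current is None:
                raise ValueError(f"rule outside an ACL view: {line}")
            dest = wc = None
            if m[2]:
                dest = ip_int(m[2])
                wc = 0 if m[3] == "0" else ip_int(m[3])  # bare 0 means 0.0.0.0, exact match
            current.append((m[1], dest, wc))
        elif line:
            raise ValueError(f"unsupported line: {line}")
    return free, acls


def acl_permits(rules, dst, default=False):
    """First-match evaluation; wildcard bits set to 1 are ignored in the compare."""
    d = ip_int(dst)
    for action, dest, wc in rules:
        if dest is None or (d | wc) == (dest | wc):
            return action == "permit"
    return default


def can_reach(policy, state, dst):
    """state is 'pre-auth' or the ACL number the RADIUS server authorized."""
    free, acls = policy
    if state == "pre-auth":
        d = ip_int(dst)
        return dst == AUTH_SERVER or any((d & mask) == (ip & mask) for ip, mask in free)
    return acl_permits(acls[state], dst)


def access_matrix(text=CORE_SWITCH_POLICY):
    policy = parse_policy(text)
    return {(state, name): can_reach(policy, state, ip)
            for state in ("pre-auth", 3001, 3002)
            for name, ip in RESOURCES.items()}


if __name__ == "__main__":
    for (state, name), ok in access_matrix().items():
        print(f"{state!s:>9}  {name:<24} {'permit' if ok else 'deny'}")
```

Running it reproduces the expectations of Step 5: before authentication only the Agile Controller-Campus, DNS and web servers are reachable; ACL 3001 permits everything; ACL 3002 permits everything except the code library and the issue tracking system. Because the script reads the configuration text, the same check can be rerun after an ACL edit to confirm that a new deny rule was placed before the final permit rather than after it, where first-match evaluation would never reach it.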

Step 4 Configure the Agile Controller-Campus.


1. Log in to the Agile Controller-Campus.
a. Open Internet Explorer, enter the Agile Controller-Campus address in
the address box, and press Enter.
The Agile Controller-Campus can be reached at either of the following addresses:
● https://Agile Controller-Campus-IP:8443, where Agile Controller-Campus-IP indicates the Agile Controller-Campus IP address.
● The Agile Controller-Campus IP address alone. If port 80 is enabled during installation, you can access the Agile Controller-Campus by simply entering its IP address without the port number; the address then changes automatically to https://Agile Controller-Campus-IP:8443.

b. Enter the administrator account and password.


2. Create departments and accounts. The following describes how to create the
R&D department. Create the Marketing department similarly.
a. Choose Resource > User > User Management.
b. Click the Department tab in the operation area on the right. Then click
Add under the Department tab, and add the department R&D.


c. Click the User tab in the operation area on the right. Then click Add
under the User tab, and add the user A.


d. Click the icon in the Operation column on the right of user A. The Account
Management page is displayed. Click Add, and create a common
account A-123 with the password YsHsjx_202207.

e. On the User tab page, select user A and click Transfer to add user A to
the R&D department.


3. Add a switch to the Agile Controller-Campus and configure related


parameters to ensure normal communication between the Agile Controller-
Campus and switch.
a. Choose Resource > Device > Device Management.
b. Click Add.
c. Configure parameters for the switch.

● Name: SW
● IP Address: 172.16.1.254. The interface must be able to communicate with the SC.
● Device series: Huawei Quidway Series
● Authentication Key: YsHsjx_202206. It must be the same as the shared key of the RADIUS authentication server configured on the switch.
● Charging Key: YsHsjx_202206. It must be the same as the shared key of the RADIUS accounting server configured on the switch.
● Real-time charging interval (minute): 15. It must be the same as the real-time accounting interval configured on the switch.
● Port: 2000. This is the port that the switch uses to communicate with the Portal server. Retain the default value.
● Portal Key: YsHsjx_202206. It must be the same as the Portal shared key configured on the switch.
● Allowed IP Addresses: 192.168.0.1/24; 192.168.1.1/24


d. Click OK.
4. Configure employee authorization. This example describes how to configure
R&D employee authorization. The configuration procedure for marketing
employees is the same, except that the network resources the two types of
employees can access are different.
a. Choose Policy > Permission Control > Authentication and
Authorization > Authorization Result, and configure resources that
R&D employees can access after authentication and authorization.
● Name: R&D employee post-authentication domain
● Service Type: Access Service
● ACL Number/AAA User Group: 3001. The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.


b. Choose Policy > Permission Control > Authentication and


Authorization > Authorization Rule, and specify the authorization
conditions for R&D employees.
● Name: R&D employee authorization rule
● Service Type: Access User
● Department: R&D
● Authorization Result: R&D employee post-authentication domain


Step 5 Verify the configuration.


● Employees can access only the Agile Controller-Campus, DNS, and web
servers before authentication.
● The Portal authentication page is pushed to an employee when the employee
attempts to visit an Internet website. After the employee enters the correct
account and password, the requested web page is displayed.
● R&D employee A can access the Internet, code library, and issue tracking
system after authentication. Marketing employee B can access the Internet
but not the code library and issue tracking system after authentication.

● After an employee is authenticated, run the display access-user command on
the switch. The command output shows that the employee is online.

----End

Configuration Files
# Configuration file of the access switch for the R&D department (The
configuration file of the access switch for the marketing department is similar.)
#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
return

# Configuration file of the aggregation switch


#
sysname SwitchC
#
vlan batch 101 to 103
#
dhcp enable
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif103
ip address 172.16.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 103
#
ip route-static 172.16.1.0 255.255.255.0 172.16.2.2
#
return

# Configuration file of the core switch


#
sysname SwitchD
#
vlan batch 103 to 104


#
domain portal
#
radius-server template policy
radius-server shared-key cipher %#%#1*yT+0O\X;V}hP,G^TMN7mTXA^mIz)SoR:86;lNK%#%#
radius-server authentication 172.16.1.1 1812 weight 80
radius-server accounting 172.16.1.1 1813 weight 80
#
acl number 3001
rule 1 permit ip
acl number 3002
rule 1 deny ip destination 172.16.1.4 0
rule 2 deny ip destination 172.16.1.5 0
rule 3 permit ip
#
web-auth-server portal_huawei
server-ip 172.16.1.1
port 50200
shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#
url http://access.***.com:8080/portal
source-ip 172.16.1.254
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif103
ip address 172.16.2.2 255.255.255.0
web-auth-server portal_huawei layer3
authentication portal
#
interface Vlanif104
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 103
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 104
#
ip route-static 192.168.0.0 255.255.255.0 172.16.2.1
ip route-static 192.168.1.0 255.255.255.0 172.16.2.1
#
authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return

3.14.4.2 Example for Configuring Portal Authentication to Control User Access to the Enterprise Network (Authentication Point on Aggregation Switch)

Portal Authentication Overview


Portal authentication is a Network Access Control (NAC) method, also called web
authentication. The websites used for Portal authentication are generally referred
to as Portal websites, and users must be authenticated by a Portal website before
they can use network services.
Portal authentication offers weaker security than the other NAC methods, but allows
flexible networking because no client software is required on users' terminals.
802.1X authentication is another NAC method: it is more secure than Portal
authentication, but requires client software on users' terminals, which makes
networking less flexible. MAC address authentication, like Portal authentication,
requires no client software, but the MAC addresses of user terminals must be
registered on the authentication server, which makes network configuration and
management complex.
Portal authentication suits users who are sparsely distributed and move
frequently, for example, guests of a company.

Configuration Notes
● This configuration example applies to all switches running V200R009C00 or a
later version.
● Huawei's Agile Controller-Campus functions as the Portal server and RADIUS
server in this example. The Agile Controller-Campus must run V100R001,
V100R002, or V100R003.
● The RADIUS authentication and accounting shared keys and Portal shared key
on the switch must be the same as those on the Agile Controller-Campus
server.
● By default, the switch allows the packets from RADIUS and Portal servers to
pass. You do not need to configure authentication-free rules for the two
servers on the switch.
● When you run the access-user arp-detect command to configure the IP
address and MAC address of the user gateway as the source IP address and
source MAC address of user offline detection packets, ensure that the MAC
address of the gateway remains unchanged, especially in active/standby
switchover scenarios. If the gateway MAC address is changed, ARP entries of
terminals will be incorrect on the device, and the terminals cannot
communicate with the device.

Networking Requirements
An enterprise needs to deploy an identity authentication system to control
employees' network access rights and allow only authorized users to access the
network. The enterprise has the following requirements:
● The authentication operations should be simple. The authentication system
only performs access authorization. Minimum client software is installed on
user terminals.


● Moderate security control is required. To facilitate maintenance, a moderate


number of authentication points need to be deployed on the aggregation
switch.
● A unified identity authentication mechanism is used to authenticate all
terminals accessing the campus network and deny access from unauthorized
terminals.
● R&D employees can connect only to public servers (such as the web and DNS
servers) of the enterprise before the authentication, and can connect to both
the intranet (code library and issue tracking system) and Internet after being
authenticated.
● Marketing employees can connect only to public servers (such as the web and
DNS servers) of the enterprise before the authentication, and can connect
only to the Internet after being authenticated.

Figure 3-220 Portal authentication deployed at the aggregation layer

Data Plan

Table 3-116 VLAN plan

● VLAN 101: VLAN for R&D employees
● VLAN 102: VLAN for marketing employees
● VLAN 103: VLAN to which the interfaces connecting to the servers belong

Table 3-117 Network data plan

Access switch (connecting to the R&D department)
● Interface number: GE0/0/1; VLAN: 101. Connects to employees' PCs.
● Interface number: GE0/0/2; VLAN: 101. Connects to the aggregation switch.

Access switch (connecting to the marketing department)
● Interface number: GE0/0/1; VLAN: 102. Connects to employees' PCs.
● Interface number: GE0/0/2; VLAN: 102. Connects to the aggregation switch.

Aggregation switch
● Interface number: GE1/0/1; VLAN: 101. Connects to the access switch of the R&D department.
  VLANIF101 IP address: 192.168.0.1. Functions as the gateway for R&D employees.
● Interface number: GE1/0/2; VLAN: 102. Connects to the access switch of the marketing department.
  VLANIF102 IP address: 192.168.1.1. Functions as the gateway for marketing employees.
● Interface number: GE1/0/3; VLAN: 103. Connects to the enterprise server area.
  VLANIF103 IP address: 172.16.1.254. Functions as the gateway for the servers.

Servers
● Agile Controller-Campus (RADIUS server + Portal server): 172.16.1.1
● DNS server: 172.16.1.2
● Web server: 172.16.1.3
● Code library: 172.16.1.4
● Issue tracking system: 172.16.1.5
Table 3-118 Service data plan

Aggregation switch
● Number of the ACL for R&D employees' post-authentication domain: 3001. You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
● Number of the ACL for marketing employees' post-authentication domain: 3002. You need to enter this ACL number when configuring authorization rules and results on the Agile Controller-Campus.
● Authentication server: IP address 172.16.1.1; port number 1812; RADIUS shared key YsHsjx_202206.
● Accounting server: IP address 172.16.1.1; port number 1813; RADIUS shared key YsHsjx_202206; accounting interval 15 minutes.
● Portal server: IP address 172.16.1.1; port number that the switch uses to process Portal protocol packets: 2000; destination port number in the packets that the switch sends to the Portal server: 50200; Portal authentication shared key: YsHsjx_202206.
  The Service Controller (SC) of the Agile Controller-Campus integrates the RADIUS server and Portal server. Therefore, the IP addresses of the authentication server, accounting server, authorization server, and Portal server are all the SC's IP address.
  Configure a RADIUS accounting server to collect user login and logout information. The port numbers of the authentication server and accounting server must be the same as the authentication and accounting port numbers of the RADIUS server.
  Configure an authorization server to enable the RADIUS server to deliver authorization rules to the switch. The RADIUS shared key of the authorization server must be the same as those of the authentication server and accounting server.

Agile Controller-Campus
● Host name: access.example.com. Users can use the domain name to access the Portal server.
● Device IP address: 172.16.1.254
● Authentication port: 1812
● Accounting port: 1813
● RADIUS shared key: YsHsjx_202206. The RADIUS shared key must be the same as that configured on the switch.
● Port number that the Portal server uses to receive packets: 50200
● Portal shared key: YsHsjx_202206. It must be the same as the Portal authentication shared key configured on the switch.
● Department: R&D; user: A; account: A-123; password: YsHsjx_202207
● Department: Marketing; user: B; account: B-123; password: YsHsjx_202207
  Two departments and two corresponding accounts have been created on the Agile Controller-Campus: the R&D department with the R&D employee account A-123, and the Marketing department with the marketing employee account B-123.

Pre-authentication domain
● Agile Controller-Campus (including RADIUS server and Portal server), DNS server, and web server

Post-authentication domain
● R&D employees: code library, issue tracking system, and Internet
● Marketing employees: Internet

Configuration Roadmap
1. Configure the access switch and aggregation switch to ensure network
connectivity.
2. Configure Portal authentication on the aggregation switch to implement user
access control. Configure parameters for connecting to the RADIUS server and
those for connecting to the Portal server, enable Portal authentication, and
configure network access rights for the pre-authentication domain and post-
authentication domain.
3. Configure the Agile Controller-Campus:
a. Log in to the Agile Controller-Campus.
b. Add user accounts to the Agile Controller-Campus.
c. Add a switch to the Agile Controller-Campus and configure related
parameters to ensure normal communication between the Agile
Controller-Campus and switch.
d. Add authorization results and authorization rules to the Agile Controller-
Campus to grant different access rights to R&D employees and marketing
employees after they are successfully authenticated.

Procedure
Step 1 Configure the access switch to ensure network connectivity.
The following provides the configuration for SwitchA, the access switch connecting
to the R&D department. The configuration for SwitchB, the access switch
connecting to the marketing department, is similar.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan 101
[SwitchA-vlan101] quit
[SwitchA] interface gigabitethernet 0/0/1 //Interface connected to the R&D department
[SwitchA-GigabitEthernet0/0/1] port link-type access
[SwitchA-GigabitEthernet0/0/1] port default vlan 101
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Interface connected to the aggregation switch
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[SwitchA-GigabitEthernet0/0/2] quit

Step 2 Configure the aggregation switch.


1. Create VLANs and configure the VLANs allowed by interfaces so that packets
can be forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC

[SwitchC] dhcp enable //Enable the DHCP service.


[SwitchC] vlan batch 101 to 103
[SwitchC] interface gigabitethernet 1/0/1 //Interface of the access switch connected to the R&D
department
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 101
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC] interface vlanif 101
[SwitchC-Vlanif101] ip address 192.168.0.1 255.255.255.0 //IP address segment assigned to R&D
employees
[SwitchC-Vlanif101] dhcp select interface
[SwitchC-Vlanif101] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif101] quit
[SwitchC] interface gigabitethernet 1/0/2 //Interface of the access switch connected to the
marketing department
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
[SwitchC-GigabitEthernet1/0/2] port trunk allow-pass vlan 102
[SwitchC-GigabitEthernet1/0/2] quit
[SwitchC] interface vlanif 102
[SwitchC-Vlanif102] ip address 192.168.1.1 255.255.255.0 //IP address segment assigned to
marketing employees.
[SwitchC-Vlanif102] dhcp select interface
[SwitchC-Vlanif102] dhcp server dns-list 172.16.1.2
[SwitchC-Vlanif102] quit
[SwitchC] interface gigabitethernet 1/0/3 //Interface connected to the server area
[SwitchC-GigabitEthernet1/0/3] port link-type access
[SwitchC-GigabitEthernet1/0/3] port default vlan 103
[SwitchC-GigabitEthernet1/0/3] quit
[SwitchC] interface vlanif 103
[SwitchC-Vlanif103] ip address 172.16.1.254 255.255.255.0 //Configure the gateway address for
the server area.
[SwitchC-Vlanif103] quit
2. Configure parameters for connecting to the RADIUS server.
[SwitchC] radius-server template policy //Create the RADIUS server template policy.
[SwitchC-radius-policy] radius-server authentication 172.16.1.1 1812 source ip-address
172.16.1.254 //Configure the IP address and port number of the RADIUS authentication server.
[SwitchC-radius-policy] radius-server accounting 172.16.1.1 1813 source ip-address
172.16.1.254 //Configure the IP address and port number of the RADIUS accounting server.
[SwitchC-radius-policy] radius-server shared-key cipher YsHsjx_202206 //Set the authentication
key and accounting key to YsHsjx_202206.
[SwitchC-radius-policy] quit
[SwitchC] aaa //Enter the AAA view.
[SwitchC-aaa] authentication-scheme auth //Configure the authentication scheme auth.
[SwitchC-aaa-authen-auth] authentication-mode radius //Set the authentication mode to RADIUS.
[SwitchC-aaa-authen-auth] quit
[SwitchC-aaa] accounting-scheme acco //Configure the accounting scheme acco.
[SwitchC-aaa-accounting-acco] accounting-mode radius //Set the accounting mode to RADIUS.
[SwitchC-aaa-accounting-acco] accounting realtime 15 //Set the real-time accounting interval to
15 minutes.
[SwitchC-aaa-accounting-acco] quit
[SwitchC-aaa] domain portal //Configure a domain.
[SwitchC-aaa-domain-portal] authentication-scheme auth //Bind the authentication scheme auth
to the domain.
[SwitchC-aaa-domain-portal] accounting-scheme acco //Bind the accounting scheme acco to the
domain.
[SwitchC-aaa-domain-portal] radius-server policy //Bind the RADIUS server template policy to the
domain.
[SwitchC-aaa-domain-portal] quit
[SwitchC-aaa] quit
[SwitchC] domain portal //Configure portal as the global default domain.
3. Configure parameters for connecting to the Portal server.
[SwitchC] web-auth-server portal_huawei //Configure the Portal server template portal_huawei. In V200R020C10SPC100 and later versions, you must also run the web-auth-server server-source or server-source command to configure the local gateway address used to receive and respond to the packets sent by the Portal server, so as to implement Portal authentication.
[SwitchC-web-auth-server-portal_huawei] server-ip 172.16.1.1 //Set the Portal server IP address.
[SwitchC-web-auth-server-portal_huawei] source-ip 172.16.1.254 //Set the IP address that the
switch uses to communicate with the Portal server.

[SwitchC-web-auth-server-portal_huawei] port 50200 //Set the destination port number in the packets that the switch sends to the Portal server to 50200, which is the same as the port number that the Portal server uses to receive packets. The default destination port number on the switch is 50100, and you must change it to 50200 manually so that it matches the port number on the Portal server.
[SwitchC-web-auth-server-portal_huawei] shared-key cipher YsHsjx_202206 //Configure the
shared key for communication with the Portal server, which must be the same as that configured on
the Portal server.
[SwitchC-web-auth-server-portal_huawei] url http://access.example.com:8080/portal //Configure
the URL for the Portal authentication page, in which access.example.com indicates the host name of
the Portal server. The domain name is recommended in the URL so that the Portal authentication
page can be pushed to users faster and more securely. To use the domain name in the URL, you must
configure the mapping between this domain name access.example.com and Portal server IP address
on the DNS server in advance.
[SwitchC-web-auth-server-portal_huawei] quit
[SwitchC] web-auth-server listening-port 2000 //Configure the port number that the switch uses
to process Portal protocol packets. The default port number is 2000. If the port number is changed on
the server, change it accordingly on the switch.
[SwitchC] portal quiet-period //Enable the quiet function for Portal authentication users. If the
number of times that a Portal authentication user fails to be authenticated within 60 seconds exceeds
the specified value, the device discards the user's Portal authentication request packets for a period to
prevent impact of frequent authentication failures on the system.
[SwitchC] portal quiet-times 5 //Configure the maximum number of authentication failures within
60 seconds before the device quiets a Portal authentication user.
[SwitchC] portal timer quiet-period 240 //Set the quiet period to 240 seconds.

4. Enable Portal authentication.


[SwitchC] authentication unified-mode //Set the NAC mode to unified. By default, the unified
mode is enabled. After the NAC mode is changed, save the configuration and restart the device to
make the configuration take effect.
[SwitchC] interface vlanif 101
[SwitchC-Vlanif101] authentication portal //Enable Portal authentication on the interface.
[SwitchC-Vlanif101] web-auth-server portal_huawei direct //Bind the Portal server template to
the interface, so the interface can control user access to the enterprise network. If user terminals and
the switch are connected through a Layer 2 network, set the Portal authentication mode to direct. If
user terminals and the switch are connected through a Layer 3 network, set the Portal authentication
mode to layer3.
[SwitchC-Vlanif101] quit
[SwitchC] interface vlanif 102
[SwitchC-Vlanif102] authentication portal //Enable Portal authentication on the interface
connecting to the marketing department.
[SwitchC-Vlanif102] web-auth-server portal_huawei direct //Bind the Portal server template to
the interface, so the interface can control user access to the enterprise network. If user terminals and
the switch are connected through a Layer 2 network, set the Portal authentication mode to direct. If
user terminals and the switch are connected through a Layer 3 network, set the Portal authentication
mode to layer3.
[SwitchC-Vlanif102] quit

# (Recommended) Configure the source IP address and source MAC address for offline detection packets in a specified VLAN. You are advised to set the user gateway IP address and its corresponding MAC address as the source IP address and source MAC address of offline detection packets. This function does not take effect for users who use Layer 3 Portal authentication.
[SwitchC] access-user arp-detect vlan 101 ip-address 192.168.0.1 mac-address 00e0-fc12-3456
[SwitchC] access-user arp-detect vlan 102 ip-address 192.168.1.1 mac-address 00e0-fc12-3456

5. Configure network access rights for the pre-authentication domain and post-
authentication domain.
[SwitchC] authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255 //
Configure authentication-free rules for Portal authentication users, so that these users can access the
DNS server before the authentication.
[SwitchC] authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255 //
Configure authentication-free rules for Portal authentication users, so that these users can access the
web server before the authentication.
[SwitchC] acl 3001 //Configure the post-authentication domain for R&D employees.
[SwitchC-acl-adv-3001] rule 1 permit ip //Allow R&D employees to access all resources.
[SwitchC-acl-adv-3001] quit


[SwitchC] acl 3002 //Configure the post-authentication domain for marketing employees.
[SwitchC-acl-adv-3002] rule 1 deny ip destination 172.16.1.4 0 //Prevent marketing employees
from accessing the code library.
[SwitchC-acl-adv-3002] rule 2 deny ip destination 172.16.1.5 0 //Prevent marketing employees
from accessing the issue tracking system.
[SwitchC-acl-adv-3002] rule 3 permit ip //Allow marketing employees to access other resources.
[SwitchC-acl-adv-3002] quit

Step 3 Configure the Agile Controller-Campus.


1. Log in to the Agile Controller-Campus.
a. Open Internet Explorer, enter the Agile Controller-Campus address in the address box, and press Enter.
The following table provides two types of Agile Controller-Campus addresses.
Address Format | Description
https://Agile Controller-Campus-IP:8443 | In the address, Agile Controller-Campus-IP indicates the Agile Controller-Campus IP address.
Agile Controller-Campus IP address | If port 80 is enabled during installation, you can access the Agile Controller-Campus by simply entering its IP address without the port number. The Agile Controller-Campus address will automatically change to https://Agile Controller-Campus-IP:8443.

b. Enter the administrator account and password.


2. Create departments and accounts. The following describes how to create the
R&D department. Create the Marketing department similarly.
a. Choose Resource > User > User Management.
b. Click the Department tab in the operation area on the right. Then click
Add under the Department tab, and add the department R&D.


c. Click the User tab in the operation area on the right. Then click Add
under the User tab, and add the user A.


d. Click in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password YsHsjx_202207.


e. On the User tab page, select user A and click Transfer to add user A to
the R&D department.

3. Add a switch to the Agile Controller-Campus and configure related parameters to ensure normal communication between the Agile Controller-Campus and switch.
a. Choose Resource > Device > Device Management.
b. Click Add.
c. Configure parameters for the switch.
Parameter | Value | Description
Name | SW | -
IP Address | 172.16.1.254 | The interface must be able to communicate with the SC.
Device series | Huawei Quidway Series | -
Authentication Key | YsHsjx_202206 | It must be the same as the shared key of the RADIUS authentication server configured on the switch.
Charging Key | YsHsjx_202206 | It must be the same as the shared key of the RADIUS accounting server configured on the switch.
Real-time charging interval (minute) | 15 | It must be the same as the real-time accounting interval configured on the switch.
Port | 2000 | This is the port that the switch uses to communicate with the Portal server. Retain the default value.
Portal Key | YsHsjx_202206 | It must be the same as the Portal shared key configured on the switch.
Allowed IP Addresses | 192.168.0.1/24; 192.168.1.1/24 | -
d. Click OK.
4. Configure employee authorization. This example describes how to configure
R&D employee authorization. The configuration procedure for marketing
employees is the same, except that the network resources the two types of
employees can access are different.
a. Choose Policy > Permission Control > Authentication and
Authorization > Authorization Result, and configure resources that
R&D employees can access after authentication and authorization.
Parameter | Value | Description
Name | R&D employee post-authentication domain | -
Service Type | Access Service | -
ACL Number/AAA User Group | 3001 | The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.


b. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule, and specify the authorization conditions for R&D employees.
Parameter | Value | Description
Name | R&D employee authorization rule | -
Service Type | Access User | -
Department | R&D | -
Authorization Result | R&D employee post-authentication domain | -


Step 4 Verify the configuration.


● Employees can access only the Agile Controller-Campus, DNS, and web
servers before authentication.
● The Portal authentication page is pushed to an employee when the employee
attempts to visit an Internet website. After the employee enters the correct
account and password, the requested web page is displayed.
● R&D employee A can access the Internet, code library, and issue tracking
system after authentication. Marketing employee B can access the Internet
but not the code library and issue tracking system after authentication.


● After an employee is authenticated, run the display access-user command on the switch. The command output shows that the employee is online.

----End

Switch Configuration File


# Configuration file of the access switch for the R&D department
#
sysname SwitchA
#
vlan batch 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
return

# Configuration file of the access switch for the marketing department


#
sysname SwitchB
#
vlan batch 102
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 102
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
return

# Configuration file of the aggregation switch


#
sysname SwitchC
#
vlan batch 101 to 103
#
domain portal
#
access-user arp-detect vlan 101 ip-address 192.168.0.1 mac-address 00e0-fc12-3456
access-user arp-detect vlan 102 ip-address 192.168.1.1 mac-address 00e0-fc12-3456
#
dhcp enable
#
radius-server template policy
radius-server shared-key cipher %#%#lJIB8CQ<:A;x$h2V5+;+C>HwC+@XAL)ldpQI}:$X%#%#
radius-server authentication 172.16.1.1 1812 source ip-address 172.16.1.254 weight 80
radius-server accounting 172.16.1.1 1813 source ip-address 172.16.1.254 weight 80
#
acl number 3001
rule 1 permit ip
acl number 3002
rule 1 deny ip destination 172.16.1.4 0
rule 2 deny ip destination 172.16.1.5 0
rule 3 permit ip
#
web-auth-server portal_huawei
server-ip 172.16.1.1
port 50200


shared-key cipher %#%#q9a^<=Ct5'=0n40/1g}/m6Mo,U9u5!s(GYM}Z{<~%#%#


url http://access.***.com:8080/portal
source-ip 172.16.1.254
#
aaa
authentication-scheme auth
authentication-mode radius
accounting-scheme acco
accounting-mode radius
accounting realtime 15
domain portal
authentication-scheme auth
accounting-scheme acco
radius-server policy
#
interface Vlanif101
ip address 192.168.0.1 255.255.255.0
web-auth-server portal_huawei direct
authentication portal
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif102
ip address 192.168.1.1 255.255.255.0
web-auth-server portal_huawei direct
authentication portal
dhcp select interface
dhcp server dns-list 172.16.1.2
#
interface Vlanif103
ip address 172.16.1.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 103
#
authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
portal quiet-period
portal timer quiet-period 240
portal quiet-times 5
#
return
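The data plan above states several values that must agree between the aggregation switch and the Agile Controller-Campus (server addresses, RADIUS and Portal ports, the accounting interval, the ACL numbers referenced by authorization results, and the authentication-free rules for the pre-authentication domain). The following is an added example, not Huawei code: it parses a constructed excerpt of the SwitchC configuration file and checks those values against the controller side; the excerpt and the CONTROLLER_SIDE table are constructed from this example's data plan.

```python
import re

# Constructed excerpt of the SwitchC configuration file from this example
# (shared-key lines omitted; their cipher text is not checked here).
SWITCHC_CONFIG = """\
radius-server template policy
 radius-server authentication 172.16.1.1 1812 source ip-address 172.16.1.254 weight 80
 radius-server accounting 172.16.1.1 1813 source ip-address 172.16.1.254 weight 80
#
acl number 3001
 rule 1 permit ip
acl number 3002
 rule 1 deny ip destination 172.16.1.4 0
 rule 3 permit ip
#
web-auth-server portal_huawei
 server-ip 172.16.1.1
 port 50200
 source-ip 172.16.1.254
#
aaa
 accounting-scheme acco
  accounting realtime 15
#
authentication free-rule 1 destination ip 172.16.1.2 mask 255.255.255.255
authentication free-rule 2 destination ip 172.16.1.3 mask 255.255.255.255
"""

# Values the Agile Controller-Campus side uses, taken from this example's data plan.
CONTROLLER_SIDE = {
    "sc_ip": "172.16.1.1",          # the SC hosts both the RADIUS and the Portal server
    "radius_auth_port": 1812,
    "radius_acct_port": 1813,
    "portal_receive_port": 50200,   # the switch default is 50100; it must be changed
    "realtime_interval_min": 15,
    "authorization_acls": {"R&D": 3001, "Marketing": 3002},
    # Pre-authentication hosts that need authentication-free rules (DNS server and
    # web server); packets to the RADIUS server itself pass by default.
    "pre_auth_hosts": {"172.16.1.2", "172.16.1.3"},
}


def parse_vrp_config(text):
    """Pull the fields the check needs out of a VRP-style configuration text."""
    found = {"acls": set(), "free_rule_hosts": set(), "server_ips": set()}
    in_portal_template = False   # inside the web-auth-server template view
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            in_portal_template = False
        elif line.startswith("web-auth-server ") and "listening-port" not in line:
            in_portal_template = True
        elif m := re.match(r"radius-server (authentication|accounting) (\S+) (\d+)", line):
            kind = "auth" if m.group(1) == "authentication" else "acct"
            found[f"radius_{kind}_port"] = int(m.group(3))
            found["server_ips"].add(m.group(2))
        elif m := re.match(r"acl number (\d+)", line):
            found["acls"].add(int(m.group(1)))
        elif in_portal_template and (m := re.match(r"server-ip (\S+)", line)):
            found["server_ips"].add(m.group(1))
        elif in_portal_template and (m := re.match(r"port (\d+)$", line)):
            found["portal_port"] = int(m.group(1))
        elif m := re.match(r"accounting realtime (\d+)", line):
            found["realtime_interval_min"] = int(m.group(1))
        elif m := re.match(r"authentication free-rule \d+ destination ip (\S+) mask 255\.255\.255\.255", line):
            found["free_rule_hosts"].add(m.group(1))
    return found


def check_consistency(found, expected):
    """Return a list of mismatches; an empty list means both sides agree."""
    problems = []
    for key in ("radius_auth_port", "radius_acct_port", "realtime_interval_min"):
        if found.get(key) != expected[key]:
            problems.append(f"{key}: switch={found.get(key)} controller={expected[key]}")
    if found.get("portal_port") != expected["portal_receive_port"]:
        problems.append(f"portal port: switch sends to {found.get('portal_port')}, "
                        f"server listens on {expected['portal_receive_port']}")
    # The SC integrates the RADIUS and Portal servers, so every server address is the SC's.
    if found["server_ips"] != {expected["sc_ip"]}:
        problems.append(f"server addresses {sorted(found['server_ips'])} != SC {expected['sc_ip']}")
    for dept, acl in expected["authorization_acls"].items():
        if acl not in found["acls"]:
            problems.append(f"authorization result for {dept} references ACL {acl}, "
                            "which is not configured on the switch")
    for host in sorted(expected["pre_auth_hosts"] - found["free_rule_hosts"]):
        problems.append(f"no authentication-free rule for pre-authentication host {host}")
    return problems


def run_check(config_text=SWITCHC_CONFIG, expected=CONTROLLER_SIDE):
    """Parse the configuration and check it against the controller-side values."""
    return check_consistency(parse_vrp_config(config_text), expected)
```

With the configuration as shown, run_check() returns an empty list; leaving the Portal port at its default of 50100 or renumbering an ACL referenced by an authorization result produces a mismatch entry.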

3.14.4.3 Example for Configuring 802.1X and MAC Address Authentication to Control User Access to the Enterprise Network (Authentication Point on Access Switch)

Overview
802.1X authentication and MAC address authentication are two methods used for Network Access Control (NAC). 802.1X authentication is implemented based on interfaces, and MAC address authentication is implemented based on interfaces and MAC addresses. Both methods protect enterprise network security.
802.1X authentication is more secure than MAC address authentication; however, it requires that 802.1X client software be installed on all user terminals, which reduces networking flexibility. 802.1X authentication is applicable to networks requiring high information security.
MAC address authentication does not need 802.1X client software, but user terminals' MAC addresses must be registered on the authentication server, which makes network configuration and management complex. MAC address authentication is applicable to dumb terminals such as printers and fax machines.

Configuration Notes
This configuration example applies to all switches running all versions.
Huawei's Agile Controller-Campus (V100R001) functions as the RADIUS server in this example. The Agile Controller-Campus version must be V100R001, V100R002, or V100R003.
The RADIUS authentication and accounting shared keys and the Portal shared key on the switch must be the same as those on the Agile Controller-Campus server.
By default, the switch allows packets from the RADIUS server to pass. You do not need to configure authentication-free rules for the server on the switch.

Networking Requirements
Enterprises have high requirements on network security. To prevent unauthorized
access and protect information security, an enterprise requests users to pass
identity authentication and security check before they access the enterprise
network. Only authorized users are allowed to access the enterprise network.
In addition, dumb terminals, such as IP phones and printers, can access the
enterprise network only after passing authentication.
The enterprise network has the following characteristics:
● All access switches support 802.1X authentication.
● The enterprise network has a small size and does not have branch networks.
● The enterprise has no more than 1000 employees. A maximum of 2000 users,
including guests, access the network every day.
● Dumb terminals, such as IP phones and printers, are connected to the
enterprise network.
To provide high security for the network, you are advised to configure the 802.1X
authentication function on access switches and connect a single centralized
authentication server to the aggregation switch in bypass mode. MAC address
authentication needs to be configured for dumb terminals.


Figure 3-221 Wired access networking diagram

Data Plan

Table 3-119 Network data plan


Item | Data
Agile Controller-Campus | IP address: 192.168.100.100
Post-authentication domain server | IP address: 192.168.102.100
Aggregation switch (SwitchA) | Management IP address: 192.168.10.10
Access switch (SwitchC) | ● User VLAN ID: 10 ● Management IP address: 192.168.30.30
Access switch (SwitchD) | ● User VLAN ID: 20 ● Management IP address: 192.168.40.40


Table 3-120 Access switch service data plan

Item | Data
RADIUS scheme | ● Authentication server IP address: 192.168.100.100 ● Authentication server port number: 1812 ● Accounting server IP address: 192.168.100.100 ● Accounting server port number: 1813 ● Shared key for the RADIUS server: YsHsjx_202206 ● Accounting interval: 15 minutes ● Authentication domain: isp
ACL number of the post-authentication domain | 3002

Table 3-121 Agile Controller-Campus service data plan

Item | Data
Department | R&D department
Access user | User name: A; Wired access account: A-123; Password: YsHsjx_202207
Device group | Wired device group: Switch
Switch IP address | ● SwitchC: 192.168.30.30 ● SwitchD: 192.168.40.40
RADIUS authentication key | YsHsjx_202206
RADIUS accounting key | YsHsjx_202206

Configuration Roadmap
1. Configure the access switches, including the VLANs that interfaces belong to, parameters for connecting to the RADIUS server, NAC authentication, and access rights to the post-authentication domain.
NOTE

Ensure that routes between the access switches (SwitchC and SwitchD), the aggregation switch (SwitchA), and the Agile Controller-Campus server are reachable.
2. Configure the Agile Controller-Campus:
a. Log in to the Agile Controller-Campus.


b. Add an account to the Agile Controller-Campus.


c. Add switches to the Agile Controller-Campus.
d. Configure authentication rules, authorization results, and authorization
rules on the Agile Controller-Campus.

Procedure
Step 1 Configure the access switches. This example uses SwitchC to describe the
configuration. The domain configuration on SwitchD is the same as that on
SwitchC.
1. Create VLANs and configure the VLANs allowed by interfaces so that packets
can be forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 10
[SwitchC] interface gigabitethernet 0/0/1 //Configure the interface connected to fixed terminals.
[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 10
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2 //Configure the interface connected to dumb terminals.
[SwitchC-GigabitEthernet0/0/2] port link-type access
[SwitchC-GigabitEthernet0/0/2] port default vlan 10
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3 //Configure the interface connected to SwitchA.
[SwitchC-GigabitEthernet0/0/3] port link-type trunk
[SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[SwitchC-GigabitEthernet0/0/3] quit
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ip address 192.168.30.30 24 //Configure the IP address used to communicate
with the Controller.
2. Create and configure a RADIUS server template, an AAA authentication
scheme, and an authentication domain.
# Create and configure the RADIUS server template rd1.
[SwitchC] radius-server template rd1
[SwitchC-radius-rd1] radius-server authentication 192.168.100.100 1812
[SwitchC-radius-rd1] radius-server accounting 192.168.100.100 1813
[SwitchC-radius-rd1] radius-server shared-key cipher YsHsjx_202206
[SwitchC-radius-rd1] quit

# Create an AAA authentication scheme abc and set the authentication mode
to RADIUS.
[SwitchC] aaa
[SwitchC-aaa] authentication-scheme abc
[SwitchC-aaa-authen-abc] authentication-mode radius
[SwitchC-aaa-authen-abc] quit

# Configure the accounting scheme acco1 and set the accounting mode to
RADIUS.
[SwitchC-aaa] accounting-scheme acco1
[SwitchC-aaa-accounting-acco1] accounting-mode radius
[SwitchC-aaa-accounting-acco1] accounting realtime 15 //Set the real-time accounting interval to
15 minutes.
[SwitchC-aaa-accounting-acco1] quit

# Create an authentication domain isp, and bind the AAA authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.
[SwitchC-aaa] domain isp
[SwitchC-aaa-domain-isp] authentication-scheme abc
[SwitchC-aaa-domain-isp] accounting-scheme acco1
[SwitchC-aaa-domain-isp] radius-server rd1


[SwitchC-aaa-domain-isp] quit
[SwitchC-aaa] quit

# Configure isp as the global default domain. During access authentication, enter a user name in the format user@isp to perform AAA authentication in the domain isp. If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.
[SwitchC] domain isp

3. Enable 802.1X and MAC address authentication.


# Set the NAC mode to unified.
[SwitchC] authentication unified-mode

NOTE

By default, the unified mode is enabled. After the NAC mode is changed, the device
automatically restarts.

# Enable 802.1X authentication on GE0/0/1.


[SwitchC] interface gigabitEthernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] authentication dot1x
[SwitchC-GigabitEthernet0/0/1] quit

# Enable MAC address authentication on GE0/0/2.


[SwitchC] interface gigabitEthernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] authentication mac-authen
[SwitchC-GigabitEthernet0/0/2] mac-authen username fixed A-123 password cipher
YsHsjx_202207 //Set the user name mode for MAC address authentication to fixed user name. Set
the user name to A-123 and password to YsHsjx_202207.
[SwitchC-GigabitEthernet0/0/2] quit

4. Configure ACL 3002 for the post-authentication domain.


[SwitchC] acl 3002
[SwitchC-acl-adv-3002] rule 1 permit ip destination 192.168.102.100 0
[SwitchC-acl-adv-3002] rule 2 deny ip destination any
[SwitchC-acl-adv-3002] quit
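The post-authentication ACLs in this section (ACL 3002, which restricts dumb terminals to the post-authentication domain server) and in the preceding Portal example (ACLs 3001 and 3002) use rules of the form rule N permit|deny ip [destination A.B.C.D wildcard]. The following first-match evaluator is an added example, not Huawei code: it parses both ACL sets, constructed here from the two examples, and reports the action applied to a given destination. It assumes that a packet matching no rule is permitted, which is why ACL 3002 in this section ends with an explicit deny-any rule.

```python
import ipaddress
import re

# Constructed ACL text in the format configured in this example. The Portal
# example on another switch reuses the number 3002, so its ACLs are kept apart.
DOT1X_ACLS = """\
acl number 3002
 rule 1 permit ip destination 192.168.102.100 0
 rule 2 deny ip destination any
"""
PORTAL_ACLS = """\
acl number 3001
 rule 1 permit ip
acl number 3002
 rule 1 deny ip destination 172.16.1.4 0
 rule 2 deny ip destination 172.16.1.5 0
 rule 3 permit ip
"""

RULE_RE = re.compile(r"rule (\d+) (permit|deny) ip(?: destination (any|\S+ \S+))?$")


def _to_int(dotted):
    """Dotted quad to int; Huawei writes the all-zero wildcard as a bare 0."""
    return int(dotted) if dotted.isdigit() else int(ipaddress.IPv4Address(dotted))


def parse_acls(text):
    """Return {acl_number: [(rule_id, action, dest_addr, wildcard), ...]}."""
    acls, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"acl(?: number)? (\d+)$", line):
            current = acls.setdefault(int(m.group(1)), [])
        elif m := RULE_RE.match(line):
            rule_id, action, dest = int(m.group(1)), m.group(2), m.group(3)
            if dest is None or dest == "any":      # no destination = any destination
                addr, wild = 0, 0xFFFFFFFF
            else:
                a, w = dest.split()
                addr, wild = _to_int(a), _to_int(w)
            current.append((rule_id, action, addr, wild))
    for rules in acls.values():
        rules.sort()           # rules are tried in ascending rule-ID order
    return acls


def evaluate(rules, dst_ip, default="permit"):
    """First matching rule wins. In a wildcard mask a 0 bit must match and a
    1 bit is ignored. `default` is applied when no rule matches; permit is an
    assumption made for this illustration, not a documented device default."""
    dst = int(ipaddress.IPv4Address(dst_ip))
    for rule_id, action, addr, wild in rules:
        if ((dst & ~wild) & 0xFFFFFFFF) == ((addr & ~wild) & 0xFFFFFFFF):
            return action, rule_id
    return default, None


def post_auth_access(acls, acl_number, destinations):
    """Map each destination to the action the post-authentication ACL applies."""
    rules = acls[acl_number]
    return {d: evaluate(rules, d)[0] for d in destinations}
```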

Step 2 Configure the Agile Controller-Campus.


1. Log in to the Agile Controller-Campus.
a. Open Internet Explorer, enter the Agile Controller-Campus address in the address box, and press Enter.
The following table provides two types of Agile Controller-Campus addresses.

Address Format | Description
https://Agile Controller-Campus-IP:8443 | In the address, Agile Controller-Campus-IP indicates the Agile Controller-Campus IP address.
Agile Controller-Campus IP address | If port 80 is enabled during installation, you can access the Agile Controller-Campus by simply entering its IP address without the port number. The Agile Controller-Campus address will automatically change to https://Agile Controller-Campus-IP:8443.

b. Enter the administrator account and password.

2. Create a department and account.
a. Choose Resource > User > User Management.
b. Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.
c. Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.

d. Click in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password YsHsjx_202207.

e. On the User tab page, select user A and click Transfer to add user A to the R&D department.

3. Add switches to the Agile Controller-Campus so that the switches can communicate with the Agile Controller-Campus.
a. Choose Resource > Device > Device Management.
b. Click Permission Control Device Group in the navigation tree, and click and Add SubGroup to create a device group Switch.
c. Click the device group in the navigation tree and select ALL Device. Click Add to add network access devices.
d. Set connection parameters on the Add Device page.
This example uses SwitchC to describe the configuration procedure. The configuration on SwitchD is the same as that on SwitchC except that the IP addresses are different.

Parameter                               Value                          Description
Name                                    SwitchC                        -
IP Address                              192.168.30.30                  The interface on the switch must communicate with the Agile Controller-Campus.
Device Series                           Huawei Quidway series switch   -
Authentication Key                      YsHsjx_202206                  It must be the same as the shared key of the RADIUS authentication server configured on the switch.
Charging Key                            YsHsjx_202206                  It must be the same as the shared key of the RADIUS accounting server configured on the switch.
Real-time charging interval (minute)    15                             It must be the same as the real-time accounting interval configured on the switch.

e. Click Permission Control Device Group in the navigation tree, select SwitchC, and click Move to move SwitchC to the Switch group. The configuration on SwitchD is the same as that on SwitchC.
4. Add an authentication rule.
a. Choose Policy > Permission Control > Authentication and Authorization > Authentication Rule and click Add to create an authentication rule.
b. Configure basic information for the authentication rule.

Parameter                                            Value                         Description
Name                                                 Access authentication rule    -
Service Type                                         Access service                -
Authentication Condition                             Device group Switch           Customize authentication rules based on the requirements of your network.
Please select the allowed authentication protocol    ▪ PAP                         -
                                                     ▪ CHAP
                                                     ▪ EAP-MD5
                                                     ▪ EAP-PEAP-MSCHAPv2
                                                     ▪ EAP-TLS
                                                     ▪ EAP-PEAP-GTC
                                                     ▪ EAP-TTLS-PAP

5. Add an authorization result.
a. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result and click Add to create an authorization result.
b. Configure basic information for the authorization result.

Parameter                    Value                        Description
Name                         Post-authentication domain   -
Service Type                 Access service               -
ACL Number/AAA User Group    3002                         The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.

6. Add an authorization rule.

After a user passes the authentication, the authorization phase starts. The Agile Controller-Campus grants the user access rights based on the authorization rule.

a. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule and click Add to create an authorization rule.
b. Configure basic information for the authorization rule.

Parameter               Value                                  Description
Name                    Authorization rule for R&D employees   -
Service Type            Access service                         -
Access Device Group     Switch                                 -
Authorization Result    Post-authentication domain             -

Step 3 Verify the configuration.

● Before passing the authentication, an employee can access only the Agile Controller-Campus server.
● After passing the authentication, the employee can access resources in the post-authentication domain.
● After the employee passes the authentication, run the display access-user command on the switch. The command output shows information about the online employee.

----End

Switch Configuration File
#
sysname SwitchC
#
vlan batch 10
#
domain isp
#
radius-server template rd1
radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
radius-server authentication 192.168.100.100 1812 weight 80
radius-server accounting 192.168.100.100 1813 weight 80
#
acl number 3002
rule 1 permit ip destination 192.168.102.100 0
rule 2 deny ip
#
aaa
authentication-scheme abc
authentication-mode radius
accounting-scheme acco1
accounting-mode radius
accounting realtime 15
domain isp
authentication-scheme abc
accounting-scheme acco1
radius-server rd1
#
interface Vlanif10
ip address 192.168.30.30 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
authentication dot1x
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
authentication mac-authen
mac-authen username fixed A-123 password cipher %^%#7JxKWaX6c0\X4RHfJ$M6|duQ*k{7uXu{J{S=zx-3%^%#
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10
#
return

3.14.4.4 Example for Configuring 802.1X and MAC Address Authentication to Control User Access to the Enterprise Network (Authentication Point on Aggregation Switch)

Overview
On a NAC network, the 802.1X, MAC address, and Portal authentication modes
are configured on the user access interfaces of a device to meet various
authentication requirements. Users can access the network using any
authentication mode.
If multiple authentication modes are enabled, the authentication modes take
effect in the sequence they are configured. In addition, after multiple
authentication modes are deployed, users can be authenticated in different modes
by default and assigned different network rights accordingly by the device.

Configuration Notes
This configuration example applies to all switches running all versions.
Huawei's Agile Controller-Campus V100R001 functions as the RADIUS server in this example. The Agile Controller-Campus versions supported are V100R001, V100R002, and V100R003.
The RADIUS authentication and accounting shared keys and the Portal shared key on the switch must be the same as those on the Agile Controller-Campus server.
By default, the switch allows packets from the RADIUS server to pass, so you do not need to configure authentication-free rules for the server on the switch.

Networking Requirements
Enterprises have high requirements on network security. To prevent unauthorized
access and protect information security, an enterprise requests users to pass
identity authentication and security check before they access the enterprise
network. Only authorized users are allowed to access the enterprise network.
In addition, dumb terminals, such as IP phones and printers, can access the
enterprise network only after passing authentication.
The enterprise network has the following characteristics:
● The access switches on the network do not support 802.1X authentication.
● The enterprise network has a small size and does not have branch networks.
● The enterprise has no more than 1000 employees. A maximum of 2000 users,
including guests, access the network every day.
● Dumb terminals, such as IP phones and printers, are connected to the
enterprise network.
To reduce network reconstruction investment, you are advised to configure the
802.1X authentication function on the aggregation switch and connect a single
centralized authentication server to the aggregation switch in bypass mode. MAC
address authentication needs to be configured for dumb terminals.

Figure 3-222 Wired access networking diagram

Data Plan

Table 3-122 Network data plan

Item                                 Data
Agile Controller-Campus              IP address: 192.168.100.100
Post-authentication domain server    IP address: 192.168.102.100
Aggregation switch (SwitchA)         ● VLAN to which GE0/0/6, connected to the server, belongs: VLAN 100
                                     ● VLAN to which downstream interfaces GE0/0/1 and GE0/0/2 belong: VLAN 200
Access switch (SwitchC)              User VLAN ID: 200
Access switch (SwitchD)              User VLAN ID: 200

Table 3-123 Aggregation switch service data plan

Item                                            Data
RADIUS scheme                                   ● Authentication server IP address: 192.168.100.100
                                                ● Authentication server port number: 1812
                                                ● Accounting server IP address: 192.168.100.100
                                                ● Accounting server port number: 1813
                                                ● Shared key for the RADIUS server: YsHsjx_202206
                                                ● Accounting interval: 15 minutes
                                                ● Authentication domain: isp
ACL number of the post-authentication domain    3002

Table 3-124 Agile Controller-Campus service data plan

Item                         Data
Department                   R&D department
Access user                  User name: A
                             Wired access account: A-123
                             Password: YsHsjx_202207
Device group                 Wired device group: Switch
Switch IP address            SwitchA: 192.168.10.10
RADIUS authentication key    YsHsjx_202206
Charging Key                 YsHsjx_202206
Configuration Roadmap
1. Configure the aggregation switch: the VLANs that the interfaces belong to, the parameters for connecting to the RADIUS server, NAC authentication, and the access rights to the post-authentication domain.
NOTE

Ensure that the access switches (SwitchC and SwitchD), the aggregation switch (SwitchA), and the Agile Controller-Campus server have reachable routes to each other.
2. Configure the access switches: the VLANs and transparent transmission of 802.1X packets.
3. Configure the Agile Controller-Campus:
a. Log in to the Agile Controller-Campus.
b. Add an account to the Agile Controller-Campus.
c. Add switches to the Agile Controller-Campus.
d. Configure authentication rules, authorization results, and authorization rules on the Agile Controller-Campus.

Procedure
Step 1 Configure the aggregation switch.
1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 100 200
[SwitchA] interface gigabitethernet 0/0/1 //Configure the interface connected to SwitchC.
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2 //Configure the interface connected to SwitchD.
[SwitchA-GigabitEthernet0/0/2] port link-type trunk
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/6 //Configure the interface connected to the server.
[SwitchA-GigabitEthernet0/0/6] port link-type trunk
[SwitchA-GigabitEthernet0/0/6] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet0/0/6] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 192.168.10.10 24 //Configure the management IP address for SwitchA. This IP address is used when SwitchA is added to the Agile Controller-Campus.
[SwitchA-Vlanif100] quit
[SwitchA] interface vlanif 200
[SwitchA-Vlanif200] ip address 192.168.200.1 24 //Configure the gateway address for terminal users.
[SwitchA-Vlanif200] quit
[SwitchA] ip route-static 192.168.100.0 255.255.255.0 192.168.100.100 //Configure a route to the network segment where the pre-authentication domain resides.
[SwitchA] ip route-static 192.168.102.0 255.255.255.0 192.168.102.100 //Configure a route to the network segment where the post-authentication domain resides.

2. Create and configure a RADIUS server template, an AAA authentication scheme, and an authentication domain.

# Create and configure the RADIUS server template rd1.
[SwitchA] radius-server template rd1
[SwitchA-radius-rd1] radius-server authentication 192.168.100.100 1812
[SwitchA-radius-rd1] radius-server accounting 192.168.100.100 1813
[SwitchA-radius-rd1] radius-server shared-key cipher YsHsjx_202206
[SwitchA-radius-rd1] quit
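The configuration notes for this example require the RADIUS authentication and accounting shared keys on the switch to be identical to those configured on the Agile Controller-Campus, and the `radius-server shared-key` command above is where the switch side is set. The following Python script is an added example, not Huawei or Agile Controller-Campus code; it builds and checks the RFC 2865 Response Authenticator and the RFC 2866 Accounting-Request authenticator, both of which are MD5 digests keyed with that shared secret, so a mismatched key (a constructed placeholder value here) shows up as a failed verification instead of the silent timeout an operator would otherwise see. The attribute contents (User-Name A-123, Filter-Id 3002, Acct-Status-Type Start) are constructed for the demonstration, and Filter-Id is used only as an illustrative attribute carrying the page's ACL number.

```python
import hashlib
import hmac
import os
import struct

# Added example (not Huawei's or the Agile Controller-Campus's code).
# RFC 2865: Response Authenticator =
#   MD5(Code | Identifier | Length | Request Authenticator | Attributes | Secret)
# RFC 2866: Accounting-Request Authenticator =
#   MD5(Code | Identifier | Length | 16 zero octets | Attributes | Secret)
# Either side that holds a different secret computes a different digest, so the
# packet is discarded. Attribute values below are constructed sample data.

ACCESS_REQUEST, ACCESS_ACCEPT, ACCOUNTING_REQUEST = 1, 2, 4
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (network byte order)


def attribute(attr_type, value):
    """Encode one RADIUS Type-Length-Value attribute."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, attributes):
    """Switch side: a fresh random Request Authenticator goes into the header."""
    request_auth = os.urandom(16)
    header = HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attributes))
    return header + request_auth + attributes, request_auth


def build_access_accept(identifier, request_auth, attributes, secret):
    """Server side: the reply is bound to the request and to the shared secret."""
    header = HEADER.pack(ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + response_auth + attributes


def verify_response(packet, request_auth, secret):
    """Switch side: recompute the Response Authenticator with our copy of the secret."""
    if len(packet) < 20:
        return False
    _, _, length = HEADER.unpack(packet[:4])
    if length != len(packet):  # truncated or padded packet
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def build_accounting_request(identifier, attributes, secret):
    """Switch side: accounting requests are authenticated with the accounting key."""
    header = HEADER.pack(ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    request_auth = hashlib.md5(header + bytes(16) + attributes + secret).digest()
    return header + request_auth + attributes


def verify_accounting_request(packet, secret):
    """Server side: same computation with the zeroed authenticator field."""
    if len(packet) < 20:
        return False
    _, _, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def demo(switch_key=b"YsHsjx_202206", server_key=b"YsHsjx_202206"):
    """One authentication plus one accounting exchange; report which checks pass."""
    _, request_auth = build_access_request(7, attribute(1, b"A-123"))  # 1 = User-Name
    accept = build_access_accept(7, request_auth, attribute(11, b"3002"), server_key)  # 11 = Filter-Id
    acct = build_accounting_request(8, attribute(40, struct.pack("!I", 1)), switch_key)  # 40 = Acct-Status-Type, 1 = Start
    return {
        "accept_verified_by_switch": verify_response(accept, request_auth, switch_key),
        "accounting_verified_by_server": verify_accounting_request(acct, server_key),
    }


if __name__ == "__main__":
    print("matching keys:  ", demo())
    print("mismatched keys:", demo(server_key=b"wrong-key-placeholder"))
```

With matching keys both checks pass; with a mismatched key both fail, which is the behaviour behind the "must be the same as the shared key" rows in the Add Device table later in this example. The length check before the digest comparison matters in practice too, since a truncated or padded packet must never be accepted just because its header looks plausible.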

# Create an AAA authentication scheme abc and set the authentication mode to RADIUS.
[SwitchA] aaa
[SwitchA-aaa] authentication-scheme abc
[SwitchA-aaa-authen-abc] authentication-mode radius
[SwitchA-aaa-authen-abc] quit

# Configure an accounting scheme acco1. Set the accounting mode to RADIUS so that the RADIUS server can maintain account status, such as login, log-off and forced log-off.
[SwitchA-aaa] accounting-scheme acco1
[SwitchA-aaa-accounting-acco1] accounting-mode radius
[SwitchA-aaa-accounting-acco1] accounting realtime 15 //Set the real-time accounting interval to 15 minutes.
[SwitchA-aaa-accounting-acco1] quit

# Create an authentication domain isp, and bind the AAA authentication scheme abc, accounting scheme acco1, and RADIUS server template rd1 to the domain.
[SwitchA-aaa] domain isp
[SwitchA-aaa-domain-isp] authentication-scheme abc
[SwitchA-aaa-domain-isp] accounting-scheme acco1
[SwitchA-aaa-domain-isp] radius-server rd1
[SwitchA-aaa-domain-isp] quit
[SwitchA-aaa] quit

# Configure the global default domain isp. During access authentication, enter a user name in the format user@isp to perform AAA authentication in the domain isp. If the user name does not contain a domain name or contains an invalid domain name, the user is authenticated in the default domain.
[SwitchA] domain isp
3. Enable 802.1X and MAC address authentication.
# Set the NAC mode to unified.
[SwitchA] authentication unified-mode

NOTE

By default, the unified mode is enabled. After the NAC mode is changed, the device
automatically restarts.

# Enable 802.1X and MAC address authentication on GE0/0/1 and GE0/0/2.
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] authentication dot1x mac-authen //Configure a combination of 802.1X and MAC address authentication.
[SwitchA-GigabitEthernet0/0/1] mac-authen username fixed A-123 password cipher YsHsjx_202207 //Set the user name mode for MAC address authentication to fixed user name. Set the user name to A-123 and the password to YsHsjx_202207.
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] authentication dot1x mac-authen //Configure a combination of 802.1X and MAC address authentication.
[SwitchA-GigabitEthernet0/0/2] mac-authen username fixed A-123 password cipher YsHsjx_202207 //Set the user name mode for MAC address authentication to fixed user name. Set the user name to A-123 and the password to YsHsjx_202207.
[SwitchA-GigabitEthernet0/0/2] quit
4. Configure network access rights for users after successful authentication.
[SwitchA] acl 3002
[SwitchA-acl-adv-3002] rule 1 permit ip destination 192.168.102.100 0
[SwitchA-acl-adv-3002] rule 2 deny ip destination any
[SwitchA-acl-adv-3002] quit
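ACL 3002 is configured twice on this page, on SwitchC at the end of the previous example and on SwitchA here, each time as one permit for the post-authentication server followed by a catch-all deny. The following Python model is an added example, not Huawei code, that evaluates such an ACL using the wildcard-mask semantics the commands rely on (a 1 bit in the wildcard is "don't care", the literal 0 means an exact host match, and `any` matches everything). It assumes rules are tried in ascending rule-ID order with the first match deciding, which is the default config-order matching on these switches; it also shows what falls through when the explicit deny is left out, and generalizes to a subnet wildcard that the page itself does not use.

```python
import ipaddress

# Added example (not Huawei code): a minimal model of a numbered advanced ACL
# as used for the post-authentication domain on this page.
# Wildcard semantics: 1 bits are "don't care"; the literal "0" means exact host;
# "any" is shorthand for 0.0.0.0 with an all-ones wildcard.


def parse_destination(spec):
    """Return (address, wildcard) as 32-bit integers for a destination spec."""
    spec = spec.strip()
    if spec == "any":
        return 0, 0xFFFFFFFF
    addr, wildcard = spec.split()
    addr_int = int(ipaddress.IPv4Address(addr))
    wildcard_int = 0 if wildcard == "0" else int(ipaddress.IPv4Address(wildcard))
    return addr_int, wildcard_int


def destination_matches(addr_int, wildcard_int, ip):
    """True when every bit the wildcard cares about is equal."""
    care = ~wildcard_int & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr_int & care)


class AdvancedAcl:
    """Rules are kept sorted by rule ID; the first matching rule decides.
    (Assumed default: config-order matching by ascending rule ID.)"""

    def __init__(self, number):
        self.number = number
        self._rules = []

    def rule(self, rule_id, action, destination):
        if action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        addr, wildcard = parse_destination(destination)
        self._rules.append((rule_id, action, addr, wildcard))
        self._rules.sort(key=lambda r: r[0])
        return self

    def evaluate(self, dst_ip):
        """Return (action, rule_id) of the first matching rule, or ("no-match", None)."""
        for rule_id, action, addr, wildcard in self._rules:
            if destination_matches(addr, wildcard, dst_ip):
                return action, rule_id
        return "no-match", None


def build_acl_3002():
    """ACL 3002 exactly as the page configures it on SwitchC and SwitchA."""
    return (AdvancedAcl(3002)
            .rule(1, "permit", "192.168.102.100 0")
            .rule(2, "deny", "any"))


def build_acl_without_catch_all():
    """Same ACL with the explicit deny omitted, to show what is left undecided."""
    return AdvancedAcl(3002).rule(1, "permit", "192.168.102.100 0")


if __name__ == "__main__":
    acl = build_acl_3002()
    for ip in ("192.168.102.100", "192.168.102.101", "192.168.100.100"):
        print(ip, "->", acl.evaluate(ip))
    print("without catch-all, 192.168.102.101 ->", build_acl_without_catch_all().evaluate("192.168.102.101"))
```

Only the post-authentication server address hits rule 1; every other destination, including the Agile Controller-Campus itself, falls to rule 2. Without rule 2 the same traffic is undecided by the ACL, which is why the page writes the deny explicitly rather than relying on whatever the platform does with unmatched packets.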

Step 2 Configure the access switches.

1. Create VLANs and configure the VLANs allowed by interfaces so that packets can be forwarded. This example uses SwitchC to describe the configuration. The configuration on SwitchD is the same as that on SwitchC.
# Create VLAN 200.
<HUAWEI> system-view
[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 200

# Configure the interfaces connected to users as access interfaces and add them to VLAN 200.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 200
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] port link-type access
[SwitchC-GigabitEthernet0/0/2] port default vlan 200
[SwitchC-GigabitEthernet0/0/2] quit

# Configure the interface connected to the upstream network as a trunk interface and configure the interface to allow VLAN 200.
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] port link-type trunk
[SwitchC-GigabitEthernet0/0/3] port trunk allow-pass vlan 200
[SwitchC-GigabitEthernet0/0/3] quit

2. Configure the device to transparently transmit 802.1X packets. This example uses SwitchC to describe the configuration. The configuration on SwitchD is the same as that on SwitchC.
NOTE

In this example, SwitchC and SwitchD are deployed between the authentication switch SwitchA and users. EAP packet transparent transmission needs to be configured on SwitchC and SwitchD so that SwitchA can perform 802.1X authentication for users.
– Method 1:
[SwitchC] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1x enable
[SwitchC-GigabitEthernet0/0/1] bpdu enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol 802.1x enable
[SwitchC-GigabitEthernet0/0/2] bpdu enable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] l2protocol-tunnel user-defined-protocol 802.1x enable
[SwitchC-GigabitEthernet0/0/3] bpdu enable
[SwitchC-GigabitEthernet0/0/3] quit

– Method 2: This method is recommended when a large number of users exist or high network performance is required. Only the S5720-EI, S5720-HI, and S6720-EI support this method.
[SwitchC] undo bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFF0
[SwitchC] bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
[SwitchC] bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
[SwitchC] bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
[SwitchC] bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8

The following step is mandatory when you switch from method 1 to method 2.
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] undo l2protocol-tunnel user-defined-protocol 802.1x enable
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC] interface gigabitethernet 0/0/2
[SwitchC-GigabitEthernet0/0/2] undo l2protocol-tunnel user-defined-protocol 802.1x enable
[SwitchC-GigabitEthernet0/0/2] quit
[SwitchC] interface gigabitethernet 0/0/3
[SwitchC-GigabitEthernet0/0/3] undo l2protocol-tunnel user-defined-protocol 802.1x enable
[SwitchC-GigabitEthernet0/0/3] quit
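Method 2 above removes the single default BPDU entry 0180-c200-0000 FFFF-FFFF-FFF0 and replaces it with four narrower entries. The following Python script is an added example, not Huawei code, that enumerates the addresses each entry set covers, assuming the mask semantics that a 1 bit in the mask must match the configured address and a 0 bit is ignored. It shows that the only address released from BPDU handling is 0180-c200-0003, the EAPOL PAE group address that 802.1X frames are sent to and the same protocol-mac Method 1 tunnels, while the STP destination 0180-c200-0000 and the rest of the reserved range stay trapped.

```python
# Added example (not Huawei code): which destination MACs do the "bpdu
# mac-address" entries in Method 2 treat as BPDUs, and which one do they release?
# Assumed mask semantics: 1 bits in the mask must match the configured address.


def parse_mac(text):
    """'0180-c200-0003' or '01:80:c2:00:00:03' -> 0x0180c2000003"""
    return int(text.replace("-", "").replace(":", ""), 16)


def format_mac(value):
    """Integer -> Huawei-style 'xxxx-xxxx-xxxx' (lowercase hex)."""
    digits = f"{value:012x}"
    return f"{digits[0:4]}-{digits[4:8]}-{digits[8:12]}"


# The default entry that Method 2 removes: 0180-c200-0000 .. 0180-c200-000f.
DEFAULT_BPDU_ENTRIES = [("0180-c200-0000", "FFFF-FFFF-FFF0")]

# The four entries Method 2 adds, copied from the configuration above.
METHOD2_BPDU_ENTRIES = [
    ("0180-c200-0000", "FFFF-FFFF-FFFE"),  # 0000, 0001
    ("0180-c200-0002", "FFFF-FFFF-FFFF"),  # 0002
    ("0180-c200-0004", "FFFF-FFFF-FFFC"),  # 0004 .. 0007
    ("0180-c200-0008", "FFFF-FFFF-FFF8"),  # 0008 .. 000f
]

EAPOL_PAE_GROUP_MAC = "0180-c200-0003"  # destination of 802.1X EAPOL frames (IEEE 802.1X)
STP_GROUP_MAC = "0180-c200-0000"        # destination of STP BPDUs


def is_bpdu_mac(mac_text, entries):
    """True if any (address, mask) entry covers the given destination MAC."""
    mac = parse_mac(mac_text)
    for base_text, mask_text in entries:
        base, mask = parse_mac(base_text), parse_mac(mask_text)
        if (mac & mask) == (base & mask):
            return True
    return False


def covered_addresses(entries, first="0180-c200-0000", last="0180-c200-000f"):
    """Sorted list of addresses in [first, last] that some entry covers."""
    return [format_mac(m)
            for m in range(parse_mac(first), parse_mac(last) + 1)
            if is_bpdu_mac(format_mac(m), entries)]


def released_by_method2():
    """Addresses the default entry traps as BPDUs but Method 2 forwards normally."""
    default = set(covered_addresses(DEFAULT_BPDU_ENTRIES))
    method2 = set(covered_addresses(METHOD2_BPDU_ENTRIES))
    return sorted(default - method2)


if __name__ == "__main__":
    print("default entry covers :", covered_addresses(DEFAULT_BPDU_ENTRIES))
    print("Method 2 covers      :", covered_addresses(METHOD2_BPDU_ENTRIES))
    print("released by Method 2 :", released_by_method2())
    print("EAPOL still trapped? :", is_bpdu_mac(EAPOL_PAE_GROUP_MAC, METHOD2_BPDU_ENTRIES))
```

Running it lists fifteen of the sixteen addresses in the reserved range under Method 2 and exactly one released address, 0180-c200-0003. That is the whole effect of the five commands: EAPOL frames are forwarded to SwitchA like ordinary traffic while STP and the other reserved protocols are still handled locally, without the per-interface tunnelling of Method 1.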

Step 3 Configure the Agile Controller-Campus.

1. Log in to the Agile Controller-Campus.
a. Open Internet Explorer, enter the Agile Controller-Campus address in the address box, and press Enter.
The following table provides the two types of Agile Controller-Campus addresses.

Address Format                              Description
https://Agile Controller-Campus-IP:8443     In the address, Agile Controller-Campus-IP indicates the Agile Controller-Campus IP address.
Agile Controller-Campus IP address          If port 80 is enabled during installation, you can access the Agile Controller-Campus by simply entering its IP address without the port number. The Agile Controller-Campus address will automatically change to https://Agile Controller-Campus-IP:8443.

b. Enter the administrator account and password.


2. Create a department and an account.
a. Choose Resource > User > User Management.
b. Click the Department tab in the operation area on the right. Then click Add under the Department tab, and add the department R&D.
c. Click the User tab in the operation area on the right. Then click Add under the User tab, and add the user A.

d. Click in the Operation column on the right of user A. The Account Management page is displayed. Click Add, and create a common account A-123 with the password YsHsjx_202207.

e. On the User tab page, select user A and click Transfer to add user A to the R&D department.

3. Add switches to the Agile Controller-Campus so that the switches can communicate with the Agile Controller-Campus.
a. Choose Resource > Device > Device Management.
b. Click Permission Control Device Group in the navigation tree, and click and Add SubGroup to create a device group Switch.
c. Click the device group in the navigation tree and select ALL Device. Click Add to add network access devices.
d. Set connection parameters on the Add Device page.

Parameter                               Value                          Description
Name                                    SwitchA                        -
IP Address                              192.168.10.10                  The interface on the switch must communicate with the Agile Controller-Campus.
Device Series                           Huawei Quidway series switch   -
Authentication Key                      YsHsjx_202206                  It must be the same as the shared key of the RADIUS authentication server configured on the switch.
Charging Key                            YsHsjx_202206                  It must be the same as the shared key of the RADIUS accounting server configured on the switch.
Real-time charging interval (minute)    15                             It must be the same as the real-time accounting interval configured on the switch.

e. Click Permission Control Device Group in the navigation tree, select SwitchA, and click Move to move SwitchA to the Switch group. The configuration on SwitchD is the same as that on SwitchC.
4. Add an authentication rule.
a. Choose Policy > Permission Control > Authentication and Authorization > Authentication Rule and click Add to create an authentication rule.
b. Configure basic information for the authentication rule.

Parameter                                            Value                         Description
Name                                                 Access authentication rule    -
Service Type                                         Access service                -
Authentication Condition                             Device group Switch           Customize authentication rules based on the requirements of your network.
Please select the allowed authentication protocol    ▪ PAP                         -
                                                     ▪ CHAP
                                                     ▪ EAP-MD5
                                                     ▪ EAP-PEAP-MSCHAPv2
                                                     ▪ EAP-TLS
                                                     ▪ EAP-PEAP-GTC
                                                     ▪ EAP-TTLS-PAP

5. Add an authorization result.
a. Choose Policy > Permission Control > Authentication and Authorization > Authorization Result and click Add to create an authorization result.
b. Configure basic information for the authorization result.

Parameter                    Value                        Description
Name                         Post-authentication domain   -
Service Type                 Access service               -
ACL Number/AAA User Group    3002                         The ACL number must be the same as the number of the ACL configured for R&D employees on the switch.

6. Add an authorization rule.

After a user passes the authentication, the authorization phase starts. The Agile Controller-Campus grants the user access rights based on the authorization rule.

a. Choose Policy > Permission Control > Authentication and Authorization > Authorization Rule and click Add to create an authorization rule.
b. Configure basic information for the authorization rule.

Parameter               Value                                  Description
Name                    Authorization rule for R&D employees   -
Service Type            Access service                         -
Access Device Group     Switch                                 -
Authorization Result    Post-authentication domain             -

Step 4 Verify the configuration.

● Before passing the authentication, an employee can access only the Agile Controller-Campus server.
● After passing the authentication, the employee can access resources in the post-authentication domain.
● After the employee passes the authentication, run the display access-user command on the switch. The command output shows information about the online employee.

----End

Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 200
#
domain isp
#
radius-server template rd1
radius-server shared-key cipher %^%#FP@&C(&{$F2HTlPxg^NLS~KqA/\^3Fex;T@Q9A](%^%#
radius-server authentication 192.168.100.100 1812 weight 80
radius-server accounting 192.168.100.100 1813 weight 80
#
acl number 3002
rule 1 permit ip destination 192.168.102.100 0
rule 2 deny ip
#
aaa
authentication-scheme abc
authentication-mode radius
accounting-scheme acco1
accounting-mode radius
accounting realtime 15
domain isp
authentication-scheme abc
accounting-scheme acco1
radius-server rd1
#
interface Vlanif100
ip address 192.168.10.10 255.255.255.0
#
interface Vlanif200
ip address 192.168.200.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 200
authentication dot1x mac-authen
mac-authen username fixed A-123 password cipher %^%#7JxKWaX6c0\X4RHfJ$M6|duQ*k{7uXu{J{S=zx-3%^%#
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
authentication dot1x mac-authen
mac-authen username fixed A-123 password cipher %^%#7JxKWaX6c0\X4RHfJ$M6|duQ*k{7uXu{J{S=zx-3%^%#
#
interface GigabitEthernet0/0/6
port link-type trunk
port trunk allow-pass vlan 100
#
ip route-static 192.168.100.0 255.255.255.0 192.168.100.100
ip route-static 192.168.102.0 255.255.255.0 192.168.102.100
#
return

● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 200
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 200
l2protocol-tunnel user-defined-protocol 802.1x enable
#
return

3.14.5 Typical NAC Configuration (Unified Mode) (V200R005C00 to V200R008C00)

3.14.5.1 Example for Configuring 802.1X Authentication to Control User Access

802.1X Authentication Overview

802.1X is a port-based network access control protocol, and 802.1X authentication
is one of the NAC authentication modes. 802.1X authentication ensures the security
of enterprise intranets.

802.1X authentication provides high security; however, it requires that 802.1X client
software be installed on user terminals, which makes network deployment less
flexible. The other two NAC authentication methods have their own advantages and
disadvantages: MAC address authentication does not require client software
installation, but MAC addresses must be registered on an authentication server.
Portal authentication also does not require client software installation and
provides flexible deployment, but it has low security.

As a result, 802.1X authentication is applied to scenarios with new networks,
centralized user distribution, and strict information security requirements.

Configuration Notes
This configuration example applies to all switches running all versions.

When you run the access-user arp-detect command to configure the IP address
and MAC address of the user gateway as the source IP address and source MAC
address of user offline detection packets, ensure that the MAC address of the
gateway remains unchanged, especially in active/standby switchover scenarios. If
the gateway MAC address is changed, ARP entries of terminals will be incorrect on
the device, and the terminals cannot communicate with the device.

Networking Requirements
As shown in Figure 3-223, the terminals in an office are connected to the
company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of
key information. Therefore, the administrator requires that the Switch should
control the users' network access rights to ensure internal network security.

Figure 3-223 Configuring 802.1X authentication to control user access

Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain so that the Switch can authenticate access users
through the RADIUS server.
2. Enable 802.1X authentication to control network access rights of the
employees in the office.
3. Configure the user access mode to multi-authen and set the maximum
number of access users to 100, so the device can control the network access
rights of each user independently.


NOTE

Before configuring this example, ensure that devices can communicate with each other in the
network.
In this example, a LAN switch sits between the access switch (Switch) and the users. To ensure
that users can pass 802.1X authentication, you must configure the EAP packet transparent
transmission function on the LAN switch. Method 1: The S5700-LI is used as an example of the
LAN switch. Perform the following operations:
1. Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003
group-mac 0100-0000-0002 command in the system view of the LAN switch to configure
the LAN switch to transparently transmit EAP packets.
2. Run the l2protocol-tunnel user-defined-protocol 802.1x enable command on the interface
connecting to users and the interface connecting to the access switch to enable the Layer 2
protocol tunneling function.
Method 2: This method is recommended when a large number of users exist or high network
performance is required. Only the S5720-EI, S5720-HI, and S6720-EI support this method.
1. Run the following commands in the system view:
● undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
● bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
● bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
● bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
● bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
2. (This step is mandatory when you switch from method 1 to method 2.) Run the undo
l2protocol-tunnel user-defined-protocol 802.1x enable command in the interface view to
delete the configuration of transparent transmission of 802.1x protocol packets.

Procedure
Step 1 Create VLANs and configure the VLANs allowed by the interface to ensure
network communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# On the Switch, configure the interface GE1/0/1 connected to users as an access
interface and add the interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.10 24
[Switch-Vlanif10] quit

NOTE

Configure the interface type and VLANs based on the site requirements. In this example,
users are added to VLAN 10.

# On the Switch, configure the interface GE1/0/2 connected to the RADIUS server
as an access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit


Step 2 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher YsHsjx_202206
[Switch-radius-rd1] quit

# Create an AAA authentication scheme abc and configure the authentication
mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create an authentication domain isp1, and bind the AAA scheme abc and
RADIUS server template rd1 to the domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure isp1 as the global default domain. During access authentication,
enter a user name in the format user@isp1 to perform AAA authentication in the
domain isp1. If the user name does not contain the domain name or contains an
invalid domain name, the user is authenticated in the default domain.
[Switch] domain isp1

Step 3 Configure 802.1X authentication on the Switch.
# Switch the NAC mode to unified mode.
[Switch] authentication unified-mode

NOTE

After the common mode and unified mode are switched, the device automatically restarts.

# Enable 802.1X authentication on the interface GE1/0/1.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication dot1x
[Switch-GigabitEthernet1/0/1] authentication mode multi-authen max-user 100
[Switch-GigabitEthernet1/0/1] quit

# (Recommended) Configure the source IP address and source MAC address for
offline detection packets in a specified VLAN. You are advised to set the user
gateway IP address and its corresponding MAC address as the source IP address
and source MAC address of offline detection packets.
[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456

Step 4 Verify the configuration.
1. Run the display dot1x command to check the 802.1X authentication
configuration. The command output (802.1X protocol is Enabled) shows that
the 802.1X authentication has been enabled on the interface GE1/0/1.
2. The user starts the 802.1X client on the terminal, and enters the user name
and password for authentication.

3. If the user name and password are correct, an authentication success
message is displayed on the client page. The user can access the network.
4. After the user goes online, you can run the display access-user access-type
dot1x command on the device to check the online 802.1X user information.
----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain isp1
#
access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication dot1x
authentication mode multi-authen max-user 100
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return

3.14.5.2 Example for Configuring MAC Address Authentication to Control User Access

MAC Address Authentication Overview

As one of the NAC authentication modes, MAC address authentication controls a
user's network access rights based on the user's interface and MAC address. The
user does not need to install any client software. MAC address authentication
ensures the security of enterprise intranets.
In MAC address authentication, client software does not need to be installed on
user terminals, but MAC addresses must be registered on servers, resulting in
complex management. The other two NAC authentication methods have their own
advantages and disadvantages: 802.1X authentication provides high security, but it
requires that 802.1X client software be installed on user terminals, which makes
network deployment less flexible. Portal authentication also does not require client
software installation and provides flexible deployment, but it has low security.

MAC address authentication is applied to access authentication scenarios of dumb
terminals such as printers and fax machines.

Configuration Notes
This configuration example applies to all switches running all versions.

When you run the access-user arp-detect command to configure the IP address
and MAC address of the user gateway as the source IP address and source MAC
address of user offline detection packets, ensure that the MAC address of the
gateway remains unchanged, especially in active/standby switchover scenarios. If
the gateway MAC address is changed, ARP entries of terminals will be incorrect on
the device, and the terminals cannot communicate with the device.

Networking Requirements
As shown in Figure 3-224, the terminals in the physical access control department
are connected to the company's internal network through the Switch.
Unauthorized access to the internal network can damage the company's service
system and cause leakage of key information. Therefore, the administrator
requires that the Switch should control the users' network access rights to ensure
internal network security.

Figure 3-224 Configuring MAC address authentication to control user access

Configuration Roadmap
The configuration roadmap is as follows:

1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain so that the Switch can authenticate access users
through the RADIUS server.
2. Enable MAC address authentication so that the Switch can control network
access rights of the dumb terminals in the physical access control department.


3. Configure the user access mode to multi-authen and set the maximum
number of access users to 100, so the device can control the network access
rights of each user independently.

NOTE

Before configuring this example, ensure that devices can communicate with each other on the
network.

Procedure
Step 1 Create VLANs and configure the VLANs allowed by the interface to ensure
network communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# On the Switch, configure the interface GE1/0/1 connected to users as an access
interface and add the interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.10 24
[Switch-Vlanif10] quit

NOTE

Configure the interface type and VLANs based on the site requirements. In this example,
users are added to VLAN 10.

# On the Switch, configure the interface GE1/0/2 connected to the RADIUS server
as an access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher YsHsjx_202206
[Switch-radius-rd1] quit

# Create an AAA authentication scheme abc and configure the authentication
mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create an authentication domain isp1, and bind the AAA scheme abc and
RADIUS server template rd1 to the domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure isp1 as the global default domain. During access authentication,
enter a user name in the format user@isp1 to perform AAA authentication in the
domain isp1. If the user name does not contain the domain name or contains an
invalid domain name, the user is authenticated in the default domain.
[Switch] domain isp1

Step 3 Configure MAC address authentication on the Switch.
# Switch the NAC mode to unified mode.
[Switch] authentication unified-mode

NOTE

After the common mode and unified mode are switched, the device automatically restarts.

# Enable MAC address authentication on the interface GE1/0/1.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication mac-authen
[Switch-GigabitEthernet1/0/1] authentication mode multi-authen max-user 100
[Switch-GigabitEthernet1/0/1] quit

# (Recommended) Configure the source IP address and source MAC address for
offline detection packets in a specified VLAN. You are advised to set the user
gateway IP address and its corresponding MAC address as the source IP address
and source MAC address of offline detection packets.
[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456

Step 4 Verify the configuration.
1. Run the display mac-authen command to check the MAC address
authentication configuration. The command output (MAC address
authentication is enabled) shows that MAC address authentication has been
enabled on the interface GE1/0/1.
2. After the user starts the terminal, the device automatically obtains the
terminal MAC address and uses it as the user name and password for
authentication.
3. The user can access the network after the authentication succeeds.
4. After the user goes online, you can run the display access-user access-type
mac-authen command on the device to check the online MAC address
authentication user information.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain isp1
#
access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication mac-authen
authentication mode multi-authen max-user 100
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return

3.14.5.3 Example for Configuring Portal Authentication to Control User Access

Portal Authentication Overview

As one of the NAC authentication modes, Portal authentication is also called web
authentication. Generally, Portal authentication websites are also called Portal
websites. When users go online, they must be authenticated on Portal websites.
The users can use network resources only after they pass the authentication.

Portal authentication cannot ensure high security, but it does not require client
software installation and provides flexible deployment. The other two NAC
authentication methods have their own advantages and disadvantages: 802.1X
authentication provides high security, but it requires that 802.1X client software be
installed on user terminals, which makes network deployment less flexible. MAC
address authentication does not require client software installation, but MAC
addresses must be registered on an authentication server, resulting in complex
management.

Portal authentication is applied to scenarios where a large number of scattered
users such as company visitors move frequently.

Configuration Notes
This configuration example applies to all switches running all versions.

When you run the access-user arp-detect command to configure the IP address
and MAC address of the user gateway as the source IP address and source MAC
address of user offline detection packets, ensure that the MAC address of the
gateway remains unchanged, especially in active/standby switchover scenarios. If
the gateway MAC address is changed, ARP entries of terminals will be incorrect on
the device, and the terminals cannot communicate with the device.

Networking Requirements
As shown in Figure 3-225, the terminals in the visitor area are connected to the
company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of
key information. Therefore, the administrator requires that the Switch should
control the users' network access rights to ensure internal network security.


Figure 3-225 Configuring Portal authentication to control user access

Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain so that the Switch can authenticate access users
through the RADIUS server.
2. Enable Portal authentication so that the Switch can control network access
rights of the visitors in the visitor areas.
3. Configure a Portal server template so that the device can communicate with
the Portal server.
NOTE

Before configuring this example, ensure that devices can communicate with each other on the
network.

Procedure
Step 1 Create VLANs and configure the VLANs allowed by the interface to ensure
network communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# On the Switch, configure the interface GE1/0/1 connected to users as an access
interface and add the interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.10 24
[Switch-Vlanif10] quit


NOTE

Configure the interface type and VLANs based on the site requirements. In this example,
users are added to VLAN 10.

# On the Switch, configure the interface GE1/0/2 connected to the RADIUS server
as an access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher YsHsjx_202206
[Switch-radius-rd1] quit

# Create an AAA authentication scheme abc and configure the authentication
mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create an authentication domain isp1, and bind the AAA scheme abc and
RADIUS server template rd1 to the domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure isp1 as the global default domain. During access authentication,
enter a user name in the format user@isp1 to perform AAA authentication in the
domain isp1. If the user name does not contain the domain name or contains an
invalid domain name, the user is authenticated in the default domain.
[Switch] domain isp1

Step 3 Configure Portal authentication on the Switch.
# Switch the NAC mode to unified mode.
[Switch] authentication unified-mode

NOTE

After the common mode and unified mode are switched, the device automatically restarts.

# Enable Portal authentication on the interface GE1/0/1.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication portal
[Switch-GigabitEthernet1/0/1] authentication mode multi-authen max-user 100
[Switch-GigabitEthernet1/0/1] quit

# Create and configure a Portal server template abc.
[Switch] web-auth-server abc //In V200R020C10SPC100 and later versions, you must also run the web-auth-server server-source or server-source command to configure the local gateway address used to receive and respond to the packets sent by the Portal server, so as to implement Portal authentication.
[Switch-web-auth-server-abc] server-ip 192.168.2.20
[Switch-web-auth-server-abc] port 50200
[Switch-web-auth-server-abc] url http://192.168.2.20:8080/webagent
[Switch-web-auth-server-abc] shared-key cipher YsHsjx_202206
[Switch-web-auth-server-abc] quit

NOTE

Ensure that the port number configured on the device is the same as that used by the Portal
server.

# Bind the Portal server template abc to the interface GE1/0/1.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] web-auth-server abc direct
[Switch-GigabitEthernet1/0/1] quit

NOTE

In this example, users are allocated static IP addresses. If the users obtain IP addresses through
DHCP and the DHCP server is connected upstream of the Switch, use the authentication free-rule
command to create authentication-free rules and ensure that the DHCP server is covered by the
authentication-free rules.
In addition, if the URL of the Portal server needs to be resolved by DNS and the DNS server is
connected upstream of the Switch, you also need to create authentication-free rules and ensure
that the DNS server is covered by the authentication-free rules.

# (Recommended) Configure the source IP address and source MAC address for
offline detection packets in a specified VLAN. You are advised to set the user
gateway IP address and its corresponding MAC address as the source IP address
and source MAC address of offline detection packets. This function does not take
effect for users who use Layer 3 Portal authentication.
[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc11-1234

Step 4 Verify the configuration.
1. Run the display portal and display web-auth-server configuration
commands to check the Portal authentication configuration. The command
output (web-auth-server layer2(direct)) shows that the Portal server
template has been bound to the interface GE1/0/1.
2. After starting the browser and entering any network address, the user is
redirected to the Portal authentication page. The user then enters the user
name and password for authentication.
3. If the user name and password are correct, an authentication success
message is displayed on the Portal authentication page. The user can access
the network.
4. After the user goes online, you can run the display access-user access-type
portal command on the device to check the online Portal authentication user
information.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^%#
url http://192.168.2.20:8080/webagent
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication portal
authentication mode multi-authen max-user 100
web-auth-server abc direct
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return
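The three configuration files above (3.14.5.1 to 3.14.5.3) share one layout, and a few cross-references in them decide whether access control actually works: the global default domain must exist under aaa and point to a RADIUS template that has an authentication server, every NAC-enabled interface needs the multi-authen user limit (and, for Portal, a bound web-auth-server template), and the access-user arp-detect gateway must be the Vlanif address. The following Python script is an added example, not Huawei code: it parses a configuration file in this layout and reports violations of those points; the sample configuration embedded in it is constructed from the examples above.

```python
# Constructed sample in the layout of this chapter's "Configuration Files"
# sections (indentation dropped, blocks separated by "#"); it combines the
# 802.1X, MAC address and Portal settings of the three examples above.
SAMPLE_CONFIG = """\
#
domain isp1
#
access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc12-3456
#
radius-server template rd1
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
url http://192.168.2.20:8080/webagent
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port default vlan 10
authentication dot1x mac-authen portal
authentication mode multi-authen max-user 100
web-auth-server abc direct
#
return
"""

NAC_MODES = {"dot1x", "mac-authen", "portal"}


def parse_blocks(text):
    """Split a VRP-style config into its '#'-separated blocks (lists of lines)."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                blocks.append(current)
            current = []
        elif line and line != "return":
            current.append(line)
    return blocks + [current] if current else blocks


def audit_nac_config(text):
    """Return a list of findings; an empty list means every check passed."""
    default_domain, arp_detect, templates, portals, domains, ifaces = None, {}, {}, {}, {}, {}
    for block in parse_blocks(text):
        words, body = block[0].split(), block[1:]
        if words[0] == "domain" and len(block) == 1:
            default_domain = words[1]        # global default domain
        elif words[:3] == ["access-user", "arp-detect", "vlan"]:
            arp_detect[words[3]] = words[5]  # VLAN id -> gateway IP
        elif words[:2] == ["radius-server", "template"]:
            templates[words[2]] = body
        elif words[0] == "web-auth-server":
            portals[words[1]] = body
        elif words[0] == "interface":
            ifaces[words[1]] = body
        elif words[0] == "aaa":
            name = None                      # lines after "domain X" belong to X
            for line in body:
                key, _, value = line.partition(" ")
                if key == "domain":
                    name, domains[value] = value, {}
                elif name is not None:
                    domains[name][key] = value
    findings = []
    dom = domains.get(default_domain)
    if dom is None:
        findings.append(f"default domain {default_domain} is not defined under aaa")
    elif not any(l.startswith("radius-server authentication ")
                 for l in templates.get(dom.get("radius-server"), [])):
        findings.append(f"domain {default_domain}: no RADIUS template with an authentication server")
    for ifname, lines in ifaces.items():
        modes = next((l.split()[1:] for l in lines
                      if l.split()[:1] == ["authentication"] and set(l.split()[1:2]) & NAC_MODES), None)
        if modes is None:
            continue  # not a NAC-enabled interface
        if not any(l.startswith("authentication mode multi-authen max-user ") for l in lines):
            findings.append(f"{ifname}: NAC enabled without a multi-authen max-user limit")
        if "portal" in modes:
            bind = next((l.split() for l in lines if l.startswith("web-auth-server ")), None)
            if bind is None or bind[1] not in portals:
                findings.append(f"{ifname}: portal enabled but no web-auth-server template bound")
    # Offline detection: the arp-detect gateway must be the Vlanif address.
    for vlan, gw_ip in arp_detect.items():
        ip_line = next((l for l in ifaces.get(f"Vlanif{vlan}", []) if l.startswith("ip address ")), "")
        if ip_line.split()[2:3] != [gw_ip]:
            findings.append(f"arp-detect vlan {vlan}: gateway {gw_ip} does not match Vlanif{vlan} address")
    return findings
```

Feed it the output of display current-configuration (with indentation intact or stripped); an empty result means the cross-references the procedures rely on are all in place.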

3.14.5.4 Example for Configuring Multiple Authentication Modes to Control User Access

Overview of Multiple Authentication Modes

In NAC network deployment, to provide flexible authentication, the device
supports concurrent deployment of 802.1X authentication, MAC address
authentication, and Portal authentication on the interfaces connected to users. In
this case, users can access the network using any of the enabled authentication modes.
If multiple authentication modes are enabled, they take effect in the sequence in
which they are configured. In addition, after multiple authentication modes are
deployed, the device by default authenticates users in different modes and assigns
them different network rights accordingly.

Configuration Notes
This configuration example applies to all switches running all versions.
When you run the access-user arp-detect command to configure the IP address
and MAC address of the user gateway as the source IP address and source MAC
address of user offline detection packets, ensure that the MAC address of the
gateway remains unchanged, especially in active/standby switchover scenarios. If
the gateway MAC address is changed, ARP entries of terminals will be incorrect on
the device, and the terminals cannot communicate with the device.

Networking Requirements
As shown in Figure 3-226, the terminals in a company are connected to the
company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of
key information. Therefore, the administrator requires that the Switch should
control the users' network access rights to ensure internal network security.

Figure 3-226 Configuring multiple authentication modes to control user access

Configuration Roadmap
The configuration roadmap is as follows:

1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain so that the Switch can authenticate access users
through the RADIUS server.
2. Enable 802.1X authentication, MAC address authentication, and Portal
authentication so that the Switch can control network access rights of the
internal employees, dumb terminals, and visitors. In addition, configure
802.1X authentication to take precedence because there are more employees
than dumb terminals and visitors.
3. Configure the user access mode to multi-authen and set the maximum
number of access users to 100, so the device can control the network access
rights of each user independently.
4. Configure a Portal server template so that the device can communicate with
the Portal server.

NOTE

Before configuring this example, ensure that devices can communicate with each other on the
network.

Procedure
Step 1 Create VLANs and configure the VLANs allowed by the interface to ensure
network communication.

# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# On the Switch, configure the interface GE1/0/1 connected to users as an access
interface and add the interface to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.10 24
[Switch-Vlanif10] quit

NOTE

Configure the interface type and VLANs based on the site requirements. In this example,
users are added to VLAN 10.

# On the Switch, configure the interface GE1/0/2 connected to the RADIUS server
as an access interface and add the interface to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher YsHsjx_202206
[Switch-radius-rd1] quit

# Create an AAA authentication scheme abc and configure the authentication
mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create an authentication domain isp1, and bind the AAA scheme abc and
RADIUS server template rd1 to the domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure isp1 as the global default domain. During access authentication,
enter a user name in the format user@isp1 to perform AAA authentication in the
domain isp1. If the user name does not contain the domain name or contains an
invalid domain name, the user is authenticated in the default domain.
[Switch] domain isp1

Step 3 Configure 802.1X authentication, MAC address authentication, and Portal
authentication on the Switch.
# Switch the NAC mode to unified mode.
[Switch] authentication unified-mode

NOTE

After the common mode and unified mode are switched, the device automatically restarts.

# Enable 802.1X authentication, MAC address authentication, and Portal
authentication on the interface GE1/0/1.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] authentication dot1x mac-authen portal
[Switch-GigabitEthernet1/0/1] authentication mode multi-authen max-user 100
[Switch-GigabitEthernet1/0/1] quit

# Create and configure a Portal server template abc.
[Switch] web-auth-server abc //In V200R020C10SPC100 and later versions, you must also run the web-auth-server server-source or server-source command to configure the local gateway address used to receive and respond to the packets sent by the Portal server, so as to implement Portal authentication.
[Switch-web-auth-server-abc] server-ip 192.168.2.20
[Switch-web-auth-server-abc] port 50200
[Switch-web-auth-server-abc] url http://192.168.2.20:8080/webagent
[Switch-web-auth-server-abc] shared-key cipher YsHsjx_202206
[Switch-web-auth-server-abc] quit

NOTE

Ensure that the port number configured on the device is the same as that used by the Portal
server.

# Bind the Portal server template abc to the interface GE1/0/1.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] web-auth-server abc direct
[Switch-GigabitEthernet1/0/1] quit

# (Recommended) Configure the source IP address and source MAC address for
offline detection packets in a specified VLAN. You are advised to set the user
gateway IP address and its corresponding MAC address as the source IP address
and source MAC address of offline detection packets. This function does not take
effect for users who use Layer 3 Portal authentication.
[Switch] access-user arp-detect vlan 10 ip-address 192.168.1.10 mac-address 00e0-fc11-1234

Step 4 Verify the configuration.
1. Run the display dot1x, display mac-authen, display portal, and display
web-auth-server configuration commands. The command outputs show
that 802.1X authentication, MAC address authentication, and Portal
authentication have been enabled on GE1/0/1.
2. The user can access the network after passing 802.1X authentication, MAC
address authentication, or Portal authentication.
3. After the user goes online, you can run the display access-user interface
gigabitethernet1/0/1 command on the device to check all online user
information.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^%#
url http://192.168.2.20:8080/webagent
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.10 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
authentication dot1x mac-authen portal
authentication mode multi-authen max-user 100
web-auth-server abc direct
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return

3.14.6 Typical NAC Configuration (Unified Mode) (iMaster NCE-Campus Functioning as the Authentication Server)
The configuration examples in this chapter assume that iMaster NCE-Campus
V300R020C10 only provides authentication functions but does not manage
devices, and switches run V200R020C00 or later versions. The GUIs and operation
procedures may vary according to the version of iMaster NCE-Campus. Perform
operations based on the actual version used on the live network. For details about
how iMaster NCE-Campus manages devices, see CloudCampus Solution.

3.14.6.1 Configuring Wired 802.1X Authentication

Networking Requirements
The user accounts and organization structure of an enterprise are maintained on
the AD server. A wired network access solution is required on the campus network
to meet the non-mobile office requirements. For security purposes, users access
the network using wired 802.1X authentication.
Users can access the Internet only after they are authenticated.

Figure 3-227 Networking diagram

Data Plan

Table 3-125 Wired VLAN plan

VLAN ID | Function
101 | Service VLAN for wired access
102 | VLAN for communication between the aggregation and core layers
200 | VLAN for communication between the core layer and server zone

Table 3-126 Wired network data plan

Item | Data | Description
Access switch | GE 0/0/2, VLAN 101 | Uplink interface, which connects to the aggregation switch
Access switch | GE 0/0/1, VLAN 101 | Downlink interface, which connects to terminal users
Aggregation switch | GE 0/0/2, VLAN 102; VLANIF 102: 192.168.100.100/24 | Uplink interface, which connects to the core switch
Aggregation switch | GE 0/0/1, VLAN 101; VLANIF 101: 172.16.11.254/24 | Downlink interface, which connects to the access switch; VLANIF 101 is the gateway for terminal users
Core switch | GE 1/0/2, VLAN 200; VLANIF 200: 192.168.11.254/24 | Uplink interface, which connects to the server zone; VLANIF 200 is the gateway for servers
Core switch | GE 1/0/1, VLAN 102; VLANIF 102: 192.168.100.200/24 | Downlink interface, which connects to the aggregation switch
Server | DNS server: 192.168.11.1; iMaster NCE-Campus: 192.168.11.10; AD server: 192.168.11.100 | -

Table 3-127 802.1X service data plan

Item | Data | Description
RADIUS | RADIUS server: iMaster NCE-Campus server; Authentication and accounting key: YsHsjx_202206; Authorization key: YsHsjx_202206; Accounting interval: 15 minutes; Authentication port: 1812; Accounting port: 1813 | The authentication control device functions as a RADIUS client and iMaster NCE-Campus as a RADIUS server. The authentication and accounting key, authorization key, and accounting interval must be the same on them. iMaster NCE-Campus functioning as the RADIUS server uses port 1812 for authentication and port 1813 for accounting.
Pre-authentication domain | DNS server, iMaster NCE-Campus, and AD server | -
Post-authentication domain | Internet | -

Configuration Roadmap
1. Configure VLANs, IP addresses, and routes on the access switch, aggregation
switch, and core switch to ensure network connectivity.
2. Set RADIUS interconnection parameters and wired access service parameters
on the aggregation switch to implement wired 802.1X access.
3. Add an authentication device on iMaster NCE-Campus, and configure
authentication and authorization to assign specified rights to authenticated
users.

Procedure
Step 1 [Device] Configure IP addresses, VLANs, and routes to implement network
connectivity.
1. Configure the access switch.
<HUAWEI> system-view
[HUAWEI] sysname ACC
[ACC] vlan 101
[ACC-vlan101] quit
[ACC] interface gigabitethernet 0/0/1
[ACC-GigabitEthernet0/0/1] port link-type access
[ACC-GigabitEthernet0/0/1] port default vlan 101
[ACC-GigabitEthernet0/0/1] quit
[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] port link-type trunk
[ACC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[ACC-GigabitEthernet0/0/2] quit

2. Configure the aggregation switch.
<HUAWEI> system-view
[HUAWEI] sysname AGG
[AGG] dhcp enable
[AGG] vlan batch 101 to 102
[AGG] interface gigabitethernet 0/0/1
[AGG-GigabitEthernet0/0/1] port link-type trunk
[AGG-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AGG-GigabitEthernet0/0/1] quit
[AGG] interface vlanif 101
[AGG-Vlanif101] ip address 172.16.11.254 255.255.255.0
[AGG-Vlanif101] dhcp select interface //Configure the device as a gateway to assign IP addresses to users.
[AGG-Vlanif101] dhcp server dns-list 192.168.11.1 //Configure a DNS server to resolve Internet domain names for Internet access.
[AGG-Vlanif101] quit
[AGG] interface gigabitethernet 0/0/2
[AGG-GigabitEthernet0/0/2] port link-type trunk
[AGG-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AGG-GigabitEthernet0/0/2] quit
[AGG] interface vlanif 102
[AGG-Vlanif102] ip address 192.168.100.100 255.255.255.0
[AGG-Vlanif102] quit
[AGG] ip route-static 192.168.11.0 255.255.255.0 192.168.100.200 //Configure a route to the network segment of the authentication server.
3. Configure the core switch.
<HUAWEI> system-view
[HUAWEI] sysname Core
[Core] vlan batch 102 200
[Core] interface gigabitethernet 1/0/1
[Core-GigabitEthernet1/0/1] port link-type trunk
[Core-GigabitEthernet1/0/1] port trunk allow-pass vlan 102
[Core-GigabitEthernet1/0/1] quit
[Core] interface vlanif 102
[Core-Vlanif102] ip address 192.168.100.200 255.255.255.0
[Core-Vlanif102] quit
[Core] interface gigabitethernet 1/0/2
[Core-GigabitEthernet1/0/2] port link-type trunk
[Core-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[Core-GigabitEthernet1/0/2] quit
[Core] interface vlanif 200
[Core-Vlanif200] ip address 192.168.11.254 255.255.255.0
[Core-Vlanif200] quit
[Core] ip route-static 172.16.11.0 255.255.255.0 192.168.100.100 //Configure a route to the network segment where terminals reside.

Step 2 [Device] Configure transparent transmission of EAP packets so that EAP
packets from terminal users are forwarded unchanged to the authentication control
device (aggregation-layer authentication).
NOTE

The values of protocol-mac and group-mac cannot be any of the following:
● Reserved multicast MAC addresses: 0180-C200-0000 to 0180-C200-002F
● Special multicast MAC addresses: 0100-0CCC-CCCC and 0100-0CCC-CCCD
● Destination MAC address of Smart Link packets: 010F-E200-0004
● Common multicast MAC addresses that have been used on the device
1. Define Layer 2 transparent transmission of EAP packets.
[ACC] l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
2. Enable transparent transmission of Layer 2 protocol packets on the uplink and
downlink interfaces of the access switch.
[ACC] interface GigabitEthernet 0/0/1
[ACC-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol dot1x enable
[ACC-GigabitEthernet0/0/1] bpdu enable
[ACC-GigabitEthernet0/0/1] quit
[ACC] interface GigabitEthernet 0/0/2
[ACC-GigabitEthernet0/0/2] l2protocol-tunnel user-defined-protocol dot1x enable
[ACC-GigabitEthernet0/0/2] bpdu enable
[ACC-GigabitEthernet0/0/2] quit
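The following Python, added here as an illustration and not code from the Huawei document, models what the l2protocol-tunnel user-defined-protocol dot1x configuration in this step does and screens a candidate group-mac against the restrictions in the note above. The EAPOL frame and the port table are constructed samples, and the rule that a group MAC must be a multicast address is an assumption added here.

```python
"""Layer 2 transparent transmission of EAP packets, as configured in Step 2.

Added illustration, not code from the Huawei document. The access switch must
not consume EAPOL frames (destination 0180-c200-0003) itself, because the
authenticator is the aggregation switch. The model below rewrites that
protocol MAC to the configured group MAC on a tunnel-enabled ingress port and
restores it on a tunnel-enabled egress port, and it screens a candidate
group-mac against the reserved values listed in the note. The EAPOL frame and
the port table are constructed; the rule that a group MAC must be a multicast
address is an assumption added here.
"""
import struct

ETHERTYPE_EAPOL = 0x888E
PROTOCOL_MAC = "0180-c200-0003"   # protocol-mac: PAE group address of EAPOL
GROUP_MAC = "0100-0000-0002"      # group-mac configured in Step 2
# Ports with "l2protocol-tunnel user-defined-protocol dot1x enable" (constructed)
TUNNEL_PORTS = {"GigabitEthernet0/0/1": True, "GigabitEthernet0/0/2": True}


def mac_bytes(text):
    """Parse Huawei dotted-hex notation (xxxx-xxxx-xxxx) into 6 bytes."""
    raw = bytes.fromhex(text.replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC address: {text}")
    return raw


def mac_text(raw):
    """Format 6 bytes as Huawei dotted-hex notation."""
    h = raw.hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}"


def group_mac_is_allowed(text, in_use=()):
    """Return (ok, reason) for a candidate group-mac, per the restrictions in the note."""
    mac = mac_bytes(text)
    if not mac[0] & 0x01:                       # assumption: must be a multicast address
        return False, "not a multicast address"
    value = int.from_bytes(mac, "big")
    if 0x0180C2000000 <= value <= 0x0180C200002F:
        return False, "reserved multicast MAC address (0180-C200-0000 to 0180-C200-002F)"
    if value in (0x01000CCCCCCC, 0x01000CCCCCCD):
        return False, "special multicast MAC address (0100-0CCC-CCCC / 0100-0CCC-CCCD)"
    if value == 0x010FE2000004:
        return False, "destination MAC address of Smart Link packets (010F-E200-0004)"
    if mac in {mac_bytes(m) for m in in_use}:
        return False, "multicast MAC address already used on the device"
    return True, "ok"


def eapol_frame(dst, src, packet_type, body=b""):
    """Constructed Ethernet frame carrying EAPOL version 2 (packet_type 1 = EAPOL-Start)."""
    return (mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", 2, packet_type, len(body)) + body)


def _rewrite_dst(frame, from_mac, to_mac):
    """Rewrite the destination MAC of EAPOL frames addressed to from_mac; leave all others alone."""
    if len(frame) < 14 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_EAPOL:
        return frame
    if frame[:6] != mac_bytes(from_mac):
        return frame
    return mac_bytes(to_mac) + frame[6:]


def forward(frame, in_port, out_port, ports=TUNNEL_PORTS):
    """Return the frame as it leaves out_port after crossing the access switch.

    Ingress on a tunnel port: protocol MAC -> group MAC, so the switch floods
    the frame as ordinary multicast instead of handling it as its own EAPOL.
    Egress on a tunnel port: group MAC -> protocol MAC, restoring the original.
    """
    if ports.get(in_port):
        frame = _rewrite_dst(frame, PROTOCOL_MAC, GROUP_MAC)
    if ports.get(out_port):
        frame = _rewrite_dst(frame, GROUP_MAC, PROTOCOL_MAC)
    return frame


if __name__ == "__main__":
    start = eapol_frame(PROTOCOL_MAC, "00e0-fc12-3456", 1)   # constructed supplicant MAC
    out = forward(start, "GigabitEthernet0/0/1", "GigabitEthernet0/0/2")
    print("EAPOL-Start leaves the uplink unchanged:", out == start)
    print("group-mac 0100-0000-0002:", group_mac_is_allowed(GROUP_MAC))
    print("group-mac 0180-c200-0010:", group_mac_is_allowed("0180-c200-0010"))
```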

Step 3 [Device] Set 802.1X authentication parameters to implement 802.1X
authentication for terminal users.
1. Configure a RADIUS server template, an authentication scheme, and an
accounting scheme.
[AGG] authentication unified-mode //The default value is unified-mode. You can skip this command if the default mode is currently used.
[AGG] radius-server template radius_huawei
[AGG-radius-radius_huawei] radius-server authentication 192.168.11.10 1812 source ip-address 192.168.100.100
[AGG-radius-radius_huawei] radius-server accounting 192.168.11.10 1813 source ip-address 192.168.100.100
[AGG-radius-radius_huawei] radius-server shared-key cipher YsHsjx_202206
[AGG-radius-radius_huawei] radius-attribute nas-ip 192.168.100.100
[AGG-radius-radius_huawei] quit
[AGG] radius-server authorization 192.168.11.10 shared-key cipher YsHsjx_202206
[AGG] aaa
[AGG-aaa] authentication-scheme auth_scheme //Configure an authentication scheme.
[AGG-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication mode to RADIUS.
[AGG-aaa-authen-auth_scheme] quit
[AGG-aaa] accounting-scheme acco_scheme //Configure an accounting scheme.
[AGG-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting mode to RADIUS.
[AGG-aaa-accounting-acco_scheme] accounting realtime 15
[AGG-aaa-accounting-acco_scheme] quit

NOTE

Real-time accounting is configured between the authentication control device and
iMaster NCE-Campus to periodically exchange accounting packets, ensuring consistent
online status information. A shorter real-time accounting interval requires higher
performance of the device and RADIUS server. Set the real-time accounting interval
based on the number of users.

Table 3-128 Accounting interval

Number of Users Real-Time Accounting Interval

1 to 99 3 minutes

100 to 499 6 minutes

500 to 999 12 minutes

≥ 1000 ≥ 15 minutes

2. Apply the RADIUS server template, authentication scheme, and accounting
scheme to the global default domain.
[AGG-aaa] domain default
[AGG-aaa-domain-default] authentication-scheme auth_scheme
[AGG-aaa-domain-default] accounting-scheme acco_scheme
[AGG-aaa-domain-default] radius-server radius_huawei
[AGG-aaa-domain-default] quit
[AGG-aaa] quit

3. Configure a global default domain.
[AGG] domain default //Configure a global default domain.

NOTE

The global default domain is default. If the domain needs to be changed, create the
required domain in the AAA view and set it as the global default domain.

Step 4 [Device] Configure the bypass function so that services are not affected when
iMaster NCE-Campus is faulty.
1. Configure a service scheme and define resources that users can access when
the bypass path is enabled.
# Run the ucl-group { group-index | name group-name } command to bind a
service scheme to the UCL group.
[AGG] ucl-group 10 name ucl_server_down
[AGG] aaa
[AGG-aaa] service-scheme server_down
[AGG-aaa-service-server_down] ucl-group name ucl_server_down
[AGG-aaa-service-server_down] quit
[AGG-aaa] quit

# Create a user ACL (with a number from 6000 to 9999) in the system view
and specify the service resources that users in the UCL group can access in the
ACL view. When the authentication server is down, users belong to the UCL
group that is bound to the service scheme.
[AGG] acl 6001
[AGG-acl-ucl-6001] rule permit ip source ucl-group name ucl_server_down destination 192.168.11.1 0
[AGG-acl-ucl-6001] rule permit ip source ucl-group name ucl_server_down destination 192.168.11.10 0
[AGG-acl-ucl-6001] rule permit ip source ucl-group name ucl_server_down destination 192.168.11.100 0
[AGG-acl-ucl-6001] quit

# Run the traffic-filter inbound acl acl-number command in the system view
to configure ACL-based packet filtering. The UCL group-based rules take
effect only after this command is executed.
[AGG] traffic-filter inbound acl 6001

Step 5 [Device] Configure pre-authentication and post-authentication access
resources for terminal users.
1. Configure pre-authentication domains, which specify resources that users can
access in the server zone without authentication.
[AGG] free-rule-template name default_free_rule
[AGG-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
[AGG-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.10 mask 255.255.255.255
[AGG-free-rule-default_free_rule] free-rule 3 destination ip 192.168.11.100 mask 255.255.255.255

2. Configure an authentication profile and bind it to an 802.1X access profile.
[AGG] dot1x-access-profile name dot1x_access_profile1
[AGG-dot1x-access-profile-dot1x_access_profile1] quit
[AGG] authentication-profile name dot1x_authen_profile1
[AGG-authen-profile-dot1x_authen_profile1] dot1x-access-profile dot1x_access_profile1
[AGG-authen-profile-dot1x_authen_profile1] free-rule-template default_free_rule
[AGG-authen-profile-dot1x_authen_profile1] authentication event pre-authen action authorize service-scheme server_down

3. Enable 802.1X authentication.
[AGG] interface GigabitEthernet 0/0/1
[AGG-GigabitEthernet0/0/1] authentication-profile dot1x_authen_profile1
[AGG-GigabitEthernet0/0/1] quit

4. Configure post-authentication domains, which specify, through an ACL, the
resources that users can access after passing authentication.
[AGG] acl 3001
[AGG-acl-adv-3001] rule 1 permit ip
[AGG-acl-adv-3001] quit

Step 6 [iMaster NCE-Campus] Configure interconnection with an AD server (AD domain
account authentication scenario) by referring to Configuring Interconnection
with an AD/LDAP Server, and synchronize data by referring to Configuring
Synchronization from an AD/LDAP Server.
Step 7 [iMaster NCE-Campus] Add an authentication control device to implement
RADIUS interconnection with the authentication control device.
Choose Admission > Admission Resources > Admission Device, click Create, and
add a switch.

iMaster NCE-Campus Parameter | Device Command
IP address | radius-attribute nas-ip 192.168.100.100
Device Series | Huawei Engine
Authentication/Accounting key | radius-server shared-key cipher YsHsjx_202206
Authorization key | radius-server authorization 192.168.11.10 shared-key cipher YsHsjx_202206
Accounting interval (min) | accounting realtime 15

Step 8 [iMaster NCE-Campus] Configure authentication and authorization. Terminal users
match the rules based on specified conditions.
1. Choose Admission > Admission Policy > Authentication and Authorization.
Click the Authentication Rule tab and modify the default authentication rule
or create an authentication rule.
Add the AD server to Data Source. By default, an authentication rule takes
effect only on the local data source. If the AD server is not added as a data
source, AD accounts will fail to be authenticated.

2. Choose Admission > Admission Policy > Authentication and Authorization,
click the Authorization Result tab, and add an ACL for authorization.
The ACL numbers must be the same as those configured on the
authentication control device.

3. Choose Admission > Admission Policy > Authentication and Authorization,
click the Authorization Rules tab, and create an authorization rule. Associate
the authorization result created in the previous step with the authorization rule
to specify resources that users can access after being authenticated.

----End

Verification
Users use the built-in 802.1X client of the OS for authentication.
1. Fixed terminal users can ping resources in the server zone before successful
authentication.
2. Fixed terminal users can automatically obtain IP addresses on network
segment 172.16.11.0/24 and ping Internet resources after successful
authentication.
3. An administrator can view detailed online user information by running the
display access-user and display access-user user-id user-id commands on
the aggregation switch.
4. RADIUS logs in RADIUS Login and Logout logs under Monitoring > Event
Logs > Terminal Authentication Logs of iMaster NCE-Campus contain
detailed information about fixed terminal users.

Configuration Files
ACC configuration file

#
sysname ACC
#
vlan 101
#
l2protocol-tunnel user-defined-protocol dot1x protocol-mac 0180-c200-0003 group-mac 0100-0000-0002
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
l2protocol-tunnel user-defined-protocol dot1x enable
bpdu enable
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
l2protocol-tunnel user-defined-protocol dot1x enable
bpdu enable
#
return

AGG configuration file

#
sysname AGG
#
vlan batch 101 to 102
#
dhcp enable
#
authentication-profile name dot1x_authen_profile1
dot1x-access-profile dot1x_access_profile1
free-rule-template default_free_rule
authentication event pre-authen action authorize service-scheme server_down
#
dot1x-access-profile name dot1x_access_profile1
#
radius-server template radius_huawei
radius-server shared-key cipher %^%#ANM|Cb!>GNo=U@V~_{E1fQ>;I2#2l(3Q%1~Z.u|R%^%#
radius-server authentication 192.168.11.10 1812 source ip-address 192.168.100.100 weight 80
radius-server accounting 192.168.11.10 1813 source ip-address 192.168.100.100 weight 80
radius-attribute nas-ip 192.168.100.100
#
radius-server authorization 192.168.11.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
aaa
authentication-scheme auth_scheme
authentication-mode radius
accounting-scheme acco_scheme
accounting-mode radius
accounting realtime 15
service-scheme server_down
ucl-group name ucl_server_down
domain default
authentication-scheme auth_scheme
accounting-scheme acco_scheme
radius-server radius_huawei
#
domain default
#
acl 3001
rule 1 permit ip
#
acl 6001
rule permit ip source ucl-group name ucl_server_down destination 192.168.11.1 0
rule permit ip source ucl-group name ucl_server_down destination 192.168.11.10 0
rule permit ip source ucl-group name ucl_server_down destination 192.168.11.100 0
#
traffic-filter inbound acl 6001
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
free-rule 2 destination ip 192.168.11.10 mask 255.255.255.255
free-rule 3 destination ip 192.168.11.100 mask 255.255.255.255
#
ucl-group 10 name ucl_server_down
#
interface vlanif 101
ip address 172.16.11.254 255.255.255.0
dhcp select interface
dhcp server dns-list 192.168.11.1
#
interface vlanif 102
ip address 192.168.100.100 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 101
authentication-profile dot1x_authen_profile1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 192.168.11.0 255.255.255.0 192.168.100.200
#
return

Core configuration file

#
sysname Core
#
vlan batch 102 200
#
interface vlanif 102
ip address 192.168.100.200 255.255.255.0
#
interface vlanif 200
ip address 192.168.11.254 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 102
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 172.16.11.0 255.255.255.0 192.168.100.100
#
return

3.14.6.2 Configuring Wireless 802.1X Authentication

Configuration Process Overview

Figure: Wireless 802.1X access process

Networking Requirements
The user accounts and organization structure of an enterprise are maintained on
the AD server. A wireless network access solution is required on the campus
network to meet the mobile office requirements. For security purposes, users
access the network using wireless 802.1X authentication.
Users can access the Internet only after they are authenticated.

Figure 3-228 Networking diagram

Data Plan

Table 3-129 Wireless VLAN plan

VLAN ID | Function
10 | Management VLAN for wireless access
100 | Service VLAN for wireless access

Table 3-130 WLAN network data planning

Item | Data | Description
Access switch | GE0/0/2, VLAN 10; GE0/0/3, VLAN 10 | The uplink and downlink interfaces allow only traffic from the management VLAN, and the service VLAN is encapsulated in the management VLAN.
Aggregation switch | GE0/0/1, VLAN 10 | The downlink interface allows only traffic from the management VLAN, and the service VLAN is encapsulated in the management VLAN.
Aggregation switch | GE0/0/2, VLAN 100 | The uplink interface allows only traffic from the service VLAN.
Aggregation switch | GE0/0/3, VLAN 10 and VLAN 100 | Interface of the aggregation switch for interworking with the AC6605, and the permitted VLANs
AC6605 | GE0/0/1, VLAN 10 and VLAN 100; VLANIF 10: 10.10.10.254/24 | The AC6605 communicates with upstream devices through a service VLAN and with downstream devices through a management VLAN. VLANIF 10 is the gateway for APs.
Core router | GE1/0/1, 172.16.21.254/24 | Terminal user gateway.
Server | iMaster NCE-Campus: 192.168.11.10; AD server: 192.168.11.100 | -

Table 3-131 802.1X service data plan

Item | Data | Description
RADIUS | RADIUS server: iMaster NCE-Campus server; Authentication and accounting key: YsHsjx_202206; Authorization key: YsHsjx_202206; Accounting interval: 15 minutes; Authentication port: 1812; Accounting port: 1813 | The authentication control device functions as a RADIUS client and iMaster NCE-Campus as a RADIUS server. The authentication and accounting key, authorization key, and accounting interval must be the same on them. iMaster NCE-Campus functioning as the RADIUS server uses port 1812 for authentication and port 1813 for accounting.
Post-authentication domain | Internet | -

Configuration Roadmap
To ensure unified user traffic control on the WAC, it is recommended that the
tunnel forwarding mode be used to forward packets between the WAC and APs.
1. Configure VLANs, IP addresses, and routes on the access switch, aggregation
switch, and WAC to ensure network connectivity.
2. Configure RADIUS interconnection parameters and wireless access service
parameters on the WAC to implement wireless 802.1X access.
3. Add the WAC on iMaster NCE-Campus and configure the authentication and
authorization rules to assign specified rights to authenticated users.

NOTE

In this example, the core router functions as the user gateway. If the AC6605 needs to
function as the user gateway, you only need to configure dhcp select interface in the
service VLAN on the AC6605.
This example describes only the configurations of the WAC, aggregation switch, and access
switch.

Procedure
Step 1 [Device] Configure IP addresses, VLANs, and routes to implement network
connectivity.
1. Configure the access switch.
<HUAWEI> system-view
[HUAWEI] sysname ACC
[ACC] vlan 10
[ACC-vlan10] quit
[ACC] interface gigabitethernet 0/0/3
[ACC-GigabitEthernet0/0/3] port link-type trunk
[ACC-GigabitEthernet0/0/3] port trunk pvid vlan 10
[ACC-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/3] quit
[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] port link-type trunk
[ACC-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/2] quit

2. Configure the aggregation switch.
<HUAWEI> system-view
[HUAWEI] sysname AGG
[AGG] vlan batch 10 100
[AGG] interface gigabitethernet 0/0/1
[AGG-GigabitEthernet0/0/1] port link-type trunk
[AGG-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[AGG-GigabitEthernet0/0/1] quit
[AGG] interface gigabitethernet 0/0/2
[AGG-GigabitEthernet0/0/2] port link-type trunk
[AGG-GigabitEthernet0/0/2] port trunk allow-pass vlan 100
[AGG-GigabitEthernet0/0/2] quit
[AGG] interface gigabitethernet 0/0/3
[AGG-GigabitEthernet0/0/3] port link-type trunk
[AGG-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 100
[AGG-GigabitEthernet0/0/3] quit

3. Configure the AC6605.
# Configure the interface to allow traffic from the management VLAN and
service VLAN to pass through.
<HUAWEI> system-view
[HUAWEI] sysname AC6605
[AC6605] vlan batch 10 100
[AC6605] interface gigabitethernet 0/0/1
[AC6605-GigabitEthernet0/0/1] port link-type trunk
[AC6605-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100
[AC6605-GigabitEthernet0/0/1] quit

# Configure VLANIF 10 as the gateway for APs to dynamically assign IP
addresses to the APs. If the AC6605 functions as the user gateway, configure
the gateway IP address on the interface of the service VLAN and enable
DHCP.
[AC6605] dhcp enable
[AC6605] interface vlanif 10
[AC6605-Vlanif10] ip address 10.10.10.254 24
[AC6605-Vlanif10] dhcp select interface
[AC6605-Vlanif10] quit

# Configure a default route with the next hop pointing to the core router.
[AC6605] ip route-static 0.0.0.0 0 172.16.21.254

Step 2 [Device] Set related parameters to enable the AP to go online automatically after
the AP connects to the network.

NOTE

If a Layer 3 network is deployed between the AP and WAC, you need to configure the DHCP Option 43 field on the DHCP server to carry the WAC's IP address in advertisement packets, allowing the AP to discover the WAC.
1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP address for the WAC.
3. Run the following command to enable VLANIF 10 to use the global address pool.
[AC6605] dhcp enable
[AC6605] interface vlanif 10
[AC6605-Vlanif10] ip address 10.10.10.254 24
[AC6605-Vlanif10] dhcp select global
[AC6605-Vlanif10] quit

# Create an AP group, to which APs with the same configuration are added.
[AC6605] wlan
[AC6605-wlan-view] ap-group name ap-group1
[AC6605-wlan-ap-group-ap-group1] quit

# Create a regulatory domain profile, configure the WAC country code in the
profile, and apply the profile to the corresponding AP group.
[AC6605-wlan-view] regulatory-domain-profile name domain1
[AC6605-wlan-regulatory-domain-prof-domain1] country-code cn
[AC6605-wlan-regulatory-domain-prof-domain1] quit
[AC6605-wlan-view] ap-group name ap-group1
[AC6605-wlan-ap-group-ap-group1] regulatory-domain-profile domain1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC6605-wlan-ap-group-ap-group1] quit
[AC6605-wlan-view] quit

# Configure the WAC's source interface.
[AC6605] capwap source interface vlanif 10 //Management VLAN interface

# Import an AP to the WAC in offline mode and add the AP to the AP group ap-group1. Assume that the AP's MAC address is 00e0-fc76-a320. Configure a name for the AP based on the AP's deployment location, so that you can know where the AP is deployed from its name. For example, name the AP area_1 if it is deployed in area 1.
[AC6605] wlan
[AC6605-wlan-view] ap auth-mode mac-auth
[AC6605-wlan-view] ap-id 0 ap-mac 00e0-fc76-a320
[AC6605-wlan-ap-0] ap-name area_1
[AC6605-wlan-ap-0] ap-group ap-group1
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power and
antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC6605-wlan-ap-0] quit
[AC6605-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP
status. If the State field is displayed as nor, the AP goes online normally.
[AC6605] display ap all
Total AP information:
nor : normal [1]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 00e0-fc76-a320 area_1 ap-group1 10.10.10.122 AP6010DN-AGN nor 0 10S

-------------------------------------------------------------------------------------
Total: 1

Step 3 [Device] Set 802.1X authentication parameters to implement 802.1X authentication for terminal users.

1. Configure a RADIUS server template, an authentication scheme, and an accounting scheme.
[AC6605] radius-server template radius_template
[AC6605-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
[AC6605-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
[AC6605-radius-radius_template] radius-server shared-key cipher YsHsjx_202206
[AC6605-radius-radius_template] called-station-id wlan-user-format ac-mac include-ssid
[AC6605-radius-radius_template] radius-attribute nas-ip 10.10.10.254
[AC6605-radius-radius_template] radius-server user-name original //Configure the device to send the original user name entered by a user to the RADIUS server.
[AC6605-radius-radius_template] quit
[AC6605] radius-server authorization 192.168.11.10 shared-key cipher YsHsjx_202206
[AC6605] aaa
[AC6605-aaa] authentication-scheme auth_scheme //Configure an authentication scheme.
[AC6605-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication mode to RADIUS.
[AC6605-aaa-authen-auth_scheme] quit
[AC6605-aaa] accounting-scheme acco_scheme //Configure an accounting scheme.
[AC6605-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting mode to RADIUS.
[AC6605-aaa-accounting-acco_scheme] accounting realtime 15
[AC6605-aaa-accounting-acco_scheme] quit
[AC6605-aaa] quit

NOTE

Real-time accounting is configured between the authentication control device and iMaster NCE-Campus to periodically exchange accounting packets, ensuring consistent online status information. A shorter real-time accounting interval requires higher performance of the device and RADIUS server. Set the real-time accounting interval based on the number of users.

Table 3-132 Accounting interval

Number of Users    Real-Time Accounting Interval
1 to 99            3 minutes
100 to 499         6 minutes
500 to 999         12 minutes
≥ 1000             ≥ 15 minutes

2. Configure an access profile.

NOTE

The access profile defines the 802.1X authentication protocol and packet processing
parameters. By default, the 802.1X access profile uses EAP authentication.
[AC6605] dot1x-access-profile name acc_dot1x
[AC6605-dot1x-access-profile-acc_dot1x] quit

3. Configure an authentication profile.


The authentication profile specifies the user access mode through the access
profile. Specify RADIUS authentication by binding the RADIUS authentication
scheme, accounting scheme, and RADIUS server template.
[AC6605] authentication-profile name auth_dot1x
[AC6605-authentication-profile-auth_dot1x] dot1x-access-profile acc_dot1x
[AC6605-authentication-profile-auth_dot1x] authentication-scheme auth_scheme
[AC6605-authentication-profile-auth_dot1x] accounting-scheme acco_scheme
[AC6605-authentication-profile-auth_dot1x] radius-server radius_template
[AC6605-authentication-profile-auth_dot1x] quit

4. Configure 802.1X service parameters for wireless users.

# Create a security profile security_dot1x and configure a security policy in
the profile.
[AC6605] wlan
[AC6605-wlan-view] security-profile name security_dot1x
[AC6605-wlan-sec-prof-security_dot1x] security wpa2 dot1x aes
[AC6605-wlan-sec-prof-security_dot1x] quit

# Create an SSID profile wlan-ssid and set the SSID name to dot1x_access.
[AC6605-wlan-view] ssid-profile name wlan-ssid
[AC6605-wlan-ssid-prof-wlan-ssid] ssid dot1x_access
Warning: This action may cause service interruption. Continue?[Y/N]
[AC6605-wlan-ssid-prof-wlan-ssid] quit

# Create a VAP profile wlan-vap, configure the data forwarding mode and
service VLAN, and apply the security profile, SSID profile, and authentication
profile to the VAP profile.
[AC6605-wlan-view] vap-profile name wlan-vap
[AC6605-wlan-vap-prof-wlan-vap] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]
[AC6605-wlan-vap-prof-wlan-vap] service-vlan vlan-id 100
[AC6605-wlan-vap-prof-wlan-vap] security-profile security_dot1x
[AC6605-wlan-vap-prof-wlan-vap] ssid-profile wlan-ssid
[AC6605-wlan-vap-prof-wlan-vap] authentication-profile auth_dot1x
[AC6605-wlan-vap-prof-wlan-vap] quit

# Bind a VAP profile wlan-vap to the AP group and apply the profile to radio
0 and radio 1 of the AP.
[AC6605-wlan-view] ap-group name ap-group1
[AC6605-wlan-ap-group-ap-group1] vap-profile wlan-vap wlan 1 radio all
[AC6605-wlan-ap-group-ap-group1] quit
[AC6605-wlan-view] quit

Step 4 [Device] Configure resources that terminal users can access after passing
authentication.

iMaster NCE-Campus can authorize authenticated terminal users based on static ACLs, dynamic ACLs, and VLANs. This example uses a static ACL.
For other modes, see Example for Configuring Authorization by VLAN and Example for Configuring Authorization by Dynamic ACL.
[AC6605] acl 3001
[AC6605-acl-adv-3001] rule 1 permit ip
[AC6605-acl-adv-3001] quit

Step 5 [iMaster NCE-Campus] Configure interconnection with an AD server (AD domain account authentication scenario) by referring to Configuring Interconnection with an AD/LDAP Server, and synchronize data by referring to Configuring Synchronization from an AD/LDAP Server.

Step 6 [iMaster NCE-Campus] Add an authentication control device to implement RADIUS interconnection with the authentication control device.


Choose Admission > Admission Resources > Admission Device, click Create, and add the AC6605.

iMaster NCE-Campus Parameter     Device Command
IP address                       radius-attribute nas-ip 10.10.10.254
Device Series                    Huawei Engine
CoA Type                         Default CoA
                                 CoA allows administrators to change the permissions of online users or re-authenticate them through RADIUS.
                                 Default CoA: CoA packets are sent periodically to update user authorization information.
                                 No CoA: User authorization information cannot be updated.
                                 Port Bounce: User authorization information can be updated when the interface to which an online user's terminal connects alternates between Up and Down.
                                 Reauth: User authorization information can be updated by triggering re-authentication for an online user.
Authentication/Accounting key    radius-server shared-key cipher YsHsjx_202206
Authorization key                radius-server authorization 192.168.11.10 shared-key cipher YsHsjx_202206
Accounting interval (min)        accounting realtime 15

Step 7 [iMaster NCE-Campus] Configure authentication and authorization. Terminal users match the rules based on specified conditions.
1. Choose Admission > Admission Policy > Authentication and Authorization.
Click the Authentication Rule tab and modify the default authentication rule
or create an authentication rule.
Add the AD server to Data Source. By default, an authentication rule takes
effect only on the local data source. If the AD server is not added as a data
source, AD accounts will fail to be authenticated.


2. Choose Admission > Admission Policy > Authentication and Authorization, click the Authorization Result tab, and add an ACL for authorization.
The ACL numbers must be the same as those configured on the
authentication control device.

3. Choose Admission > Admission Policy > Authentication and Authorization, click the Authorization Rules tab, and create an authorization rule. Associate the authorization result created in the previous step with the authorization rule. Specify resources that users can access after being authenticated.


----End
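The RADIUS parameters set in Step 3 on the AC6605 and in Step 6 on iMaster NCE-Campus (shared key, ports 1812/1813, NAS IP 10.10.10.254) have to agree on both sides because every RADIUS reply is sealed with the shared key. The following Python script is an added example, not code from this document or from iMaster NCE-Campus: it builds an Access-Request, seals an Access-Accept the way RFC 2865 specifies, and shows that the switch-side check discards the reply when the keys differ. The user name, packet identifier, Called-Station-Id string and the use of Filter-Id to carry the ACL number 3001 are constructed assumptions.

```python
import hashlib
import hmac
import os
import struct

# RADIUS codes and attribute types used here (RFC 2865)
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, NAS_IP_ADDRESS, FILTER_ID, CALLED_STATION_ID = 1, 4, 11, 30
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; the 16-byte Authenticator follows


def attr(type_code, value):
    """Encode one Type-Length-Value attribute (RFC 2865, section 5)."""
    return struct.pack("!BB", type_code, 2 + len(value)) + value


def parse_attrs(blob):
    """Decode the attribute area into (type, value) pairs; None if malformed."""
    out, pos = [], 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            return None
        type_code, length = blob[pos], blob[pos + 1]
        if length < 2 or pos + length > len(blob):
            return None
        out.append((type_code, blob[pos + 2:pos + length]))
        pos += length
    return out


def build_access_request(ident, username, nas_ip, called_station_id):
    """Client (switch/WAC) side. The Request Authenticator is 16 random octets
    that the server must feed into its reply's authenticator computation."""
    request_auth = os.urandom(16)
    attrs = (attr(USER_NAME, username.encode())
             + attr(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(CALLED_STATION_ID, called_station_id.encode()))
    packet = HEADER.pack(ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs
    return packet, request_auth


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865, section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = HEADER.pack(code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_reply(code, ident, request_auth, attrs, secret):
    """Server (iMaster NCE-Campus) side: seal the reply with its copy of the key."""
    auth = response_authenticator(code, ident, request_auth, attrs, secret)
    return HEADER.pack(code, ident, 20 + len(attrs)) + auth + attrs


def verify_reply(reply, expected_ident, request_auth, secret):
    """Client side check. Returns the parsed attributes, or None when the reply
    must be discarded (bad length, identifier mismatch, or authenticator mismatch)."""
    if len(reply) < 20:
        return None
    code, ident, length = HEADER.unpack(reply[:4])
    if length != len(reply) or ident != expected_ident:
        return None
    attrs = reply[20:]
    expected = response_authenticator(code, ident, request_auth, attrs, secret)
    if not hmac.compare_digest(reply[4:20], expected):
        return None
    return parse_attrs(attrs)


def exchange(client_key, server_key):
    """One Access-Request / Access-Accept round trip. Returns the ACL number the
    server authorized (constructed here as a Filter-Id value) or None if the
    switch would drop the reply. User name, identifier and Called-Station-Id
    string are constructed sample values."""
    ident = 7
    request, request_auth = build_access_request(
        ident, "employee@example.com", "10.10.10.254", "00-E0-FC-76-A3-20:dot1x_access")
    # The server takes the identifier and Request Authenticator from the packet
    # it received; only the shared key is known on both sides in advance.
    _, ident_seen, _ = HEADER.unpack(request[:4])
    reply = build_reply(ACCESS_ACCEPT, ident_seen, request[4:20],
                        attr(FILTER_ID, b"3001"), server_key)
    attrs = verify_reply(reply, ident, request_auth, client_key)
    if attrs is None:
        return None
    for type_code, value in attrs:
        if type_code == FILTER_ID:
            return value.decode()
    return None


if __name__ == "__main__":
    key = b"YsHsjx_202206"
    print("matching keys   ->", exchange(key, key))          # 3001
    print("mismatched keys ->", exchange(key, b"other-key"))  # None
```

A key mismatch never produces a visible "wrong key" error on the device: the reply is silently dropped and the user sees an authentication timeout, which is why the table in Step 6 insists the keys be identical.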

Verification
1. Use a mobile phone to associate the dot1x_access SSID and enter an AD
domain account and password.
2. After successful authentication, you can automatically obtain an IP address in
the 172.16.21.0/24 network segment and access Internet resources.
3. An administrator can view detailed information about online users by running
the display access-user and display access-user user-id user-id commands
on the AC6605.
4. RADIUS Login and Logout logs can be viewed under Monitoring > Event Logs > Terminal Authentication Logs on iMaster NCE-Campus.

Configuration Files
ACC configuration file
#
sysname ACC


#
vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10

#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
return

AGG configuration file
#
sysname AGG
#
vlan batch 10 100
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 100
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 100
#
return

AC6605 configuration file
#
sysname AC6605
#
vlan 10 100
#
dhcp enable
#
dot1x-access-profile name acc_dot1x
#
authentication-profile name auth_dot1x
dot1x-access-profile acc_dot1x
authentication-scheme auth_scheme
accounting-scheme acco_scheme
radius-server radius_template
#
radius-server template radius_template
radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
radius-server shared-key cipher %^%#{0`>1>"`jKr#a-'_0u/$C2M5$3Oc.-giL;Srow9W%^%#
called-station-id wlan-user-format ac-mac include-ssid
radius-attribute nas-ip 10.10.10.254
radius-server user-name original
radius-server authorization 192.168.11.10 shared-key cipher %^%#x$`LC*6I3H&~})~8O[$F,,o6FN!+35|H-E3Wi}Z:%^%#
aaa
authentication-scheme auth_scheme
authentication-mode radius
accounting-scheme acco_scheme
accounting-mode radius
accounting realtime 15
#
interface vlanif 10
ip address 10.10.10.254 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 100
#
acl 3001
rule 1 permit ip
#
ip route-static 172.16.11.0 255.255.255.0 192.168.100.100
#
wlan
security-profile name security_dot1x
security wpa2 dot1x aes
ssid-profile name wlan-ssid
ssid dot1x_access
regulatory-domain-profile name domain1
country-code cn
ap auth-mode mac-auth
ap-id 0 ap-mac 00e0-fc76-a320
ap-name area_1
ap-group ap-group1
vap-profile name wlan-vap
forward-mode tunnel
service-vlan vlan-id 100
security-profile security_dot1x
ssid-profile wlan-ssid
authentication-profile auth_dot1x
ap-group name ap-group1
regulatory-domain-profile domain1
vap-profile wlan-vap wlan 1 radio all
#
capwap source interface vlanif 10
#
ip route-static 0.0.0.0 0 172.16.21.254
#
return

3.14.6.3 Configuring Wired Portal Authentication (Aggregation Layer)

Networking Requirements
An enterprise needs to deploy an authentication system to implement access
control for employees who attempt to connect to the enterprise network. Only
authenticated users can connect to the enterprise network. All employees'
accounts are maintained on the AD server.
The enterprise has the following requirements:
● The authentication operations should be simple. The authentication system
only performs access authorization. Minimum client software is installed on
user terminals.
● Moderate security control is required. To facilitate maintenance, a moderate
number of authentication points need to be deployed on the aggregation
switch.
● The authentication system performs unified identity authentication on all
terminals attempting to access the campus network and denies the access
from unauthorized terminals.
● Terminals can access only public servers (such as the AD and DNS servers) of
the enterprise before authentication, and can access all network resources
after they are successfully authenticated.


● A bypass path needs to be configured so that terminals can access the service
system even when the Portal server is unavailable.

Figure 3-229 Networking of Portal authentication on the aggregation layer

Requirement Analysis
● The enterprise does not want to install extra software on terminals. For this,
the Portal access control solution is recommended based on the networking
so that terminals can access the network through web pages.
● Different ACL rules need to be configured on the aggregation switch to
control access rights of employees.

VLAN Plan

Table 3-133 Wired VLAN plan

VLAN ID    Function
101        Service VLAN for wired access
102        VLAN for communication between the aggregation and core layers
200        VLAN for communication between the core layer and server zone


Network Data Plan

Table 3-134 Wired network data plan


Item                 Data                                Description
Access switch        GE 0/0/2, VLAN 101                  Uplink interface, which connects to the aggregation switch
                     GE 0/0/1, VLAN 101                  Downlink interface, which connects to terminal users
Aggregation switch   GE 0/0/2, VLAN 102                  Uplink interface, which connects to the core switch
                     VLANIF 102: 192.168.100.100/24
                     GE 0/0/1, VLAN 101                  Downlink interface, which connects to the access switch
                     VLANIF 101: 172.16.11.254/24        Gateway for terminal users
Core switch          GE 1/0/2, VLAN 200                  Uplink interface, which connects to the server zone
                     VLANIF 200: 192.168.11.254/24       Gateway for servers
                     GE 1/0/1, VLAN 102                  Downlink interface, which connects to the aggregation switch
                     VLANIF 102: 192.168.100.200/24
Server               DNS server: 192.168.11.1            -
                     iMaster NCE-Campus: 192.168.11.10
                     AD server: 192.168.11.100


Service Data Plan

Table 3-135 Portal service data plan


Item: RADIUS
Data:
● RADIUS server: iMaster NCE-Campus server
● Authentication and accounting key: YsHsjx_202206
● Authorization key: YsHsjx_202206
● Accounting interval: 15 minutes
● Authentication port: 1812
● Accounting port: 1813
Description: The authentication control device functions as a RADIUS client and iMaster NCE-Campus as a RADIUS server. The authentication and accounting key, authorization key, and accounting interval must be the same on them. iMaster NCE-Campus functioning as the RADIUS server uses port 1812 for authentication and port 1813 for accounting.

Item: Portal
Data:
● Portal server: iMaster NCE-Campus server with the domain name access.example.com
● Portal key: YsHsjx_202206
● Portal server port: 50100
● Port of the authentication control device for associating with the Portal server: 2000
Description: When Portal pages are pushed using a domain name, the iMaster NCE-Campus server's domain name is required. iMaster NCE-Campus functioning as the Portal server uses port 50100 as the Portal server port. When a Huawei switch or WAC functions as the authentication control device to provide Portal authentication, the switch or WAC uses port 2000 by default to associate with the Portal server.

Item: Pre-authentication domain
Data: DNS server, iMaster NCE-Campus, and AD server
Description: -

Item: Post-authentication domain
Data: Internet
Description: -

Configuration Roadmap
1. Configure the access, aggregation, and core switches to ensure network connectivity.
2. On the aggregation switch, configure a RADIUS server template, configure authentication, accounting, and authorization schemes in the template, and specify the IP address of the Portal server. In this way, the aggregation switch can communicate with iMaster NCE-Campus.
3. Add the switch to iMaster NCE-Campus and configure parameters for the
switch to ensure proper association between iMaster NCE-Campus and the
switch.
4. Add authorization results and rules to grant different access rights to
employees after they are successfully authenticated.

Prerequisites
All employees' accounts are maintained on the AD server. Therefore, AD/LDAP
synchronization must have been configured so that users can use their AD
accounts to complete authentication on iMaster NCE-Campus. For details about
the configuration, see AD/LDAP Synchronization.

Procedure
1. [Device] Configure the access switch to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname ACC
[ACC] vlan 101
[ACC-vlan101] quit
[ACC] interface gigabitethernet 0/0/1
[ACC-GigabitEthernet0/0/1] port link-type access
[ACC-GigabitEthernet0/0/1] port default vlan 101
[ACC-GigabitEthernet0/0/1] quit
[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] port link-type trunk
[ACC-GigabitEthernet0/0/2] port trunk allow-pass vlan 101
[ACC-GigabitEthernet0/0/2] quit

2. [Device] Configure the aggregation switch to ensure network connectivity.

<HUAWEI> system-view
[HUAWEI] sysname AGG
[AGG] dhcp enable
[AGG] vlan batch 101 to 102
[AGG] interface gigabitethernet 0/0/1
[AGG-GigabitEthernet0/0/1] port link-type trunk
[AGG-GigabitEthernet0/0/1] port trunk allow-pass vlan 101
[AGG-GigabitEthernet0/0/1] quit
[AGG] interface vlanif 101
[AGG-Vlanif101] ip address 172.16.11.254 255.255.255.0
[AGG-Vlanif101] dhcp select interface //Configure the device as a gateway to assign IP addresses to users.
[AGG-Vlanif101] dhcp server dns-list 192.168.11.1 //Configure a DNS server to resolve Internet domain names for Internet access.
[AGG-Vlanif101] quit
[AGG] interface gigabitethernet 0/0/2
[AGG-GigabitEthernet0/0/2] port link-type trunk
[AGG-GigabitEthernet0/0/2] port trunk allow-pass vlan 102
[AGG-GigabitEthernet0/0/2] quit
[AGG] interface vlanif 102
[AGG-Vlanif102] ip address 192.168.100.100 255.255.255.0
[AGG-Vlanif102] quit
[AGG] ip route-static 192.168.11.0 255.255.255.0 192.168.100.200 //Configure a route to the network segment of the authentication server.

3. [Device] Configure the core switch to ensure network connectivity.

<HUAWEI> system-view
[HUAWEI] sysname Core
[Core] vlan batch 102 200
[Core] interface gigabitethernet 1/0/1
[Core-GigabitEthernet1/0/1] port link-type trunk
[Core-GigabitEthernet1/0/1] port trunk allow-pass vlan 102
[Core-GigabitEthernet1/0/1] quit
[Core] interface vlanif 102
[Core-Vlanif102] ip address 192.168.100.200 255.255.255.0
[Core-Vlanif102] quit
[Core] interface gigabitethernet 1/0/2
[Core-GigabitEthernet1/0/2] port link-type trunk
[Core-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[Core-GigabitEthernet1/0/2] quit
[Core] interface vlanif 200
[Core-Vlanif200] ip address 192.168.11.254 255.255.255.0
[Core-Vlanif200] quit
[Core] ip route-static 172.16.11.0 255.255.255.0 192.168.100.100 //Configure a route to the network segment where terminals reside.

4. [Device] On the aggregation switch, configure parameters for connecting to the RADIUS server and Portal server to ensure association between iMaster NCE-Campus and the aggregation switch.
a. Configure parameters for connecting to the RADIUS server.
[AGG] authentication unified-mode //The default value is unified-mode. You can skip this command if the default mode is used.
[AGG] radius-server template radius_huawei
[AGG-radius-radius_huawei] radius-server authentication 192.168.11.10 1812 source ip-address 192.168.100.100
[AGG-radius-radius_huawei] radius-server accounting 192.168.11.10 1813 source ip-address 192.168.100.100
[AGG-radius-radius_huawei] radius-server shared-key cipher YsHsjx_202206
[AGG-radius-radius_huawei] radius-attribute nas-ip 192.168.100.100
[AGG-radius-radius_huawei] quit
[AGG] radius-server authorization 192.168.11.10 shared-key cipher YsHsjx_202206
[AGG] aaa
[AGG-aaa] authentication-scheme auth_scheme //Configure an authentication scheme.
[AGG-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication mode to RADIUS.
[AGG-aaa-authen-auth_scheme] quit
[AGG-aaa] accounting-scheme acco_scheme //Configure an accounting scheme.
[AGG-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting mode to RADIUS.
[AGG-aaa-accounting-acco_scheme] accounting realtime 15
[AGG-aaa-accounting-acco_scheme] quit

NOTE

NAC supports the common configuration mode and unified configuration mode.
Compared with the common configuration mode, the unified configuration mode
has the following advantages:
● The command lines are easy to understand and the format design meets user
requirements.
● Similar concepts are deleted from the function design, and the configuration
logic is simpler.
Considering advantages of the unified configuration mode, you are advised to
deploy NAC in unified configuration mode.

NOTE

Real-time accounting is configured between the authentication control device and iMaster NCE-Campus to periodically exchange accounting packets, ensuring consistent online status information. A shorter real-time accounting interval requires higher performance of the device and RADIUS server. Set the real-time accounting interval based on the number of users.

Table 3-136 Accounting interval

Number of Users    Real-Time Accounting Interval
1 to 99            3 minutes
100 to 499         6 minutes
500 to 999         12 minutes
≥ 1000             ≥ 15 minutes

b. Apply the RADIUS server template, authentication scheme, and accounting scheme to the global default domain.
[AGG-aaa] domain default
[AGG-aaa-domain-default] authentication-scheme auth_scheme
[AGG-aaa-domain-default] accounting-scheme acco_scheme
[AGG-aaa-domain-default] radius-server radius_huawei
[AGG-aaa-domain-default] quit
[AGG-aaa] quit
c. Configure a global default domain.
[AGG] domain default //Configure a global default domain.

NOTE

The global default domain is default. If the domain needs to be changed, create
the required domain in the AAA view and set it as the global default domain.
d. Configure parameters for connecting to the Portal server.
[AGG] web-auth-server portal_huawei
[AGG-web-auth-server-portal_huawei] server-source ip-address 192.168.100.100 //Configure
the local gateway address for receiving and responding to the packets sent by the Portal server.
[AGG-web-auth-server-portal_huawei] protocol portal //Set the protocol used in Portal
authentication to Portal.
[AGG-web-auth-server-portal_huawei] server-ip 192.168.11.10 //Configure the IP address of
the Portal server.
[AGG-web-auth-server-portal_huawei] source-ip 192.168.100.100 //Configure the IP address
used by the device to communicate with the Portal server.
[AGG-web-auth-server-portal_huawei] port 50100 //The port number is fixed at 50100 when
iMaster NCE-Campus functions as the Portal server.
[AGG-web-auth-server-portal_huawei] server-detect interval 100 max-times 5 critical-num 0
action log
//Enable the Portal server detection function. After the Portal server detection function is
enabled in the Portal server template, the device detects all Portal servers configured in the
Portal server template.
//If the number of times that the device fails to detect a Portal server exceeds the upper limit,
the status of the Portal server is changed from Up to Down. If the number of Portal servers in
Up state is less than or equal to the minimum number (specified by the critical-num
parameter), the device performs the corresponding operation to allow the administrator to
obtain the real-time Portal server status or ensure that the users have certain network access
rights.
//The recommended detection interval is 100s.
[AGG-web-auth-server-portal_huawei] quit
[AGG] url-template name url_huawei //Configure a URL template.
[AGG-url-template-url_huawei] url https://access.example.com:19008/portal
//access.example.com is the host name of the Portal server. You are advised to push Portal
pages by domain name. In this case, you need to configure the mapping between the domain
name and the iMaster NCE-Campus IP address on the DNS server.
[AGG-url-template-url_huawei] url-parameter device-ip ac-ip device-mac lsw-mac redirect-
url redirect-url user-ipaddress uaddress user-mac umac
//device-mac lsw-mac specifies the MAC address of the device in the URL and sets the
parameter name displayed in the URL.
//redirect-url redirect-url specifies the original URL that a user accesses in the URL and sets
the parameter name displayed in the URL.
//The first ssid indicates that the URL contains the SSID field, and the second ssid indicates the
parameter name. For example, after ssid ssid is configured, the URL redirected to the user

Issue 35 (2022-10-26) Copyright © Huawei Technologies Co., Ltd. 2380


S300, S500, S2700, S3700, S5700, S6700, S7700, and
S9700 Series Switches
Typical Configuration Examples 3 Feature Typical Configuration Examples

contains ssid=guest, where ssid indicates the parameter name and guest indicates the SSID
with which the user associates.
//The second ssid represents the transmitted parameter name and cannot be replaced with the actual user SSID.
[AGG-url-template-url_huawei] url-parameter set device-ip 192.168.100.100 //Bind the device IP address.
[AGG-url-template-url_huawei] quit
[AGG] web-auth-server portal_huawei
[AGG-web-auth-server-portal_huawei] url-template url_huawei //Bind the URL template.
[AGG-web-auth-server-portal_huawei] quit
[AGG] portal quiet-period //Enable the quiet function for Portal authentication. With this function enabled, the device discards packets of an authentication user during the quiet period if the user fails Portal authentication for the specified number of times in 60 seconds. This function protects the device from being overloaded due to frequent authentications.
[AGG] portal quiet-times 5 //Set the number of authentication failures within 60 seconds which, when exceeded, causes Portal authentication users to enter the quiet state.
[AGG] portal timer quiet-period 240 //Set the quiet period for Portal authentication users to 240 seconds.
[AGG] web-auth-server listening-port 2000 //The default port number is 2000. If you run this command to change the port number, set the same port number when adding the Portal device to iMaster NCE-Campus.
[AGG] portal-access-profile name portal_access_profile1
[AGG-portal-acces-profile-portal_access_profile1] web-auth-server portal_huawei direct //Configure the Portal server template used by the Portal access profile. If the network between end users and the WAC is a Layer 2 network, configure the direct mode. If the network is a Layer 3 network, configure the layer3 mode.
[AGG-portal-acces-profile-portal_access_profile1] quit
[AGG] free-rule-template name default_free_rule
[AGG-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
[AGG-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.10 mask 255.255.255.255
[AGG-free-rule-default_free_rule] free-rule 3 destination ip 192.168.11.100 mask 255.255.255.255
[AGG-free-rule-default_free_rule] quit
[AGG] authentication-profile name portal_authen_profile1
[AGG-authen-profile-portal_authen_profile1] portal-access-profile portal_access_profile1
[AGG-authen-profile-portal_authen_profile1] free-rule-template default_free_rule
[AGG-authen-profile-portal_authen_profile1] quit
[AGG] interface vlanif 101
[AGG-Vlanif101] authentication-profile portal_authen_profile1 //Apply the Portal authentication profile to the interface.
[AGG-Vlanif101] quit
[AGG] acl 3001
[AGG-acl-adv-3001] rule 1 permit ip
[AGG-acl-adv-3001] quit
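The quiet-period commands above (portal quiet-period, portal quiet-times 5, portal timer quiet-period 240) describe a small state machine: failures are counted per user inside a fixed 60-second window, and once the count is exceeded the device drops that user's packets for the quiet period, even if the user then supplies the right password. The following Python model is an added example written for this edit, not code from the page or from Huawei; the terminal MAC addresses used as user keys, the integer timestamps and the choice of a strictly-greater-than comparison (following the page's wording "when exceeded") are assumptions of the model.

```python
from collections import defaultdict, deque

# Values taken from the configuration above; the 60 s window is fixed by the feature.
WINDOW_SECONDS = 60
QUIET_TIMES = 5             # portal quiet-times 5
QUIET_PERIOD_SECONDS = 240  # portal timer quiet-period 240


class PortalQuietTable:
    """Model of the per-user quiet state kept by the access device.

    Timestamps are plain integers (seconds) so the model is deterministic;
    users are keyed by an arbitrary string (a constructed terminal MAC here).
    """

    def __init__(self, quiet_times=QUIET_TIMES,
                 quiet_period=QUIET_PERIOD_SECONDS, window=WINDOW_SECONDS):
        self.quiet_times = quiet_times
        self.quiet_period = quiet_period
        self.window = window
        self.failures = defaultdict(deque)  # user -> failure timestamps inside the window
        self.quiet_until = {}               # user -> time at which the quiet period ends

    def is_quiet(self, user, now):
        until = self.quiet_until.get(user)
        if until is None:
            return False
        if now >= until:                    # quiet period elapsed; the user may retry
            del self.quiet_until[user]
            return False
        return True

    def _record_failure(self, user, now):
        """Return True if this failure pushes the user into the quiet state."""
        window = self.failures[user]
        window.append(now)
        while window and now - window[0] >= self.window:
            window.popleft()                # forget failures older than 60 s
        if len(window) > self.quiet_times:  # "when exceeded": assumed strictly more
            self.quiet_until[user] = now + self.quiet_period
            del self.failures[user]
            return True
        return False

    def handle_auth_attempt(self, user, now, credentials_ok):
        """Outcome of one Portal authentication attempt at time `now`."""
        if self.is_quiet(user, now):
            return "discarded"   # the device drops the user's packets during the quiet period
        if credentials_ok:
            self.failures.pop(user, None)
            return "accepted"
        return "quiet" if self._record_failure(user, now) else "rejected"


def simulate():
    """Constructed scenarios: one bursty failing terminal, one slow one."""
    table = PortalQuietTable()
    burst = [(0, False), (10, False), (20, False), (30, False), (40, False),
             (50, False),     # 6th failure inside 60 s -> quiet until t=290
             (100, True),     # correct credentials, still discarded
             (289, True),     # one second before the quiet period ends
             (290, True)]     # quiet period over, login succeeds
    slow = [(t, False) for t in range(0, 240, 30)]  # 8 failures, 30 s apart
    return {
        "burst": [table.handle_auth_attempt("00e0-fc12-3456", t, ok) for t, ok in burst],
        "slow": [table.handle_auth_attempt("00e0-fc65-4321", t, ok) for t, ok in slow],
    }


if __name__ == "__main__":
    for name, outcomes in simulate().items():
        print(name, outcomes)
```

The slow terminal never enters the quiet state because only failures inside the 60-second window count, so the threshold protects the device against bursts without locking out a user who mistypes a password now and then; the discarded outcomes show that during the quiet period the device drops the terminal's packets even when the credentials are correct, which is the behaviour to expect in a support ticket from a user who was throttled.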

NOTE

● By default, iMaster NCE-Campus supports only HTTPS, because HTTP may pose security risks. If the HTTP protocol needs to be used to push Portal pages, you need to enable the HTTP port on the iMaster NCE-Campus management plane. For details, see (Optional) Enabling the HTTP Port. Then, run the following command:
[AC-url-template-huawei] url http://access.example.com:8445/portal //access.example.com is the host name of the Portal server.
● By default, the switch permits resources of the Portal server. Therefore, you do not need to configure an authentication-free rule for the Portal server.
5. [Device] On the aggregation switch, configure the bypass path. This ensures that services are not affected when iMaster NCE-Campus becomes faulty. The bypass path is configured to allow users to access specified resources when they fail to be authenticated, ensuring service continuity.
In this example, the bypass path is configured on a switch working in unified mode. The bypass path configuration on a switch working in common mode is different from that in unified mode. To configure a bypass path on a switch working in common mode, configure a critical VLAN using the authentication critical-vlan command or a VLAN using the authentication event command.
a. Configure a service scheme and define resources that users can access when the bypass path is enabled.
i. Run the service-scheme service-scheme-name command in the AAA view to create the bypass scheme.
ii. In the bypass scheme, define service resources that users can access when the bypass path is enabled based on ACLs or VLANs.

Table 3-137 Service scheme definition modes

Definition mode: ACL
Usage scenario: ACL-based authorization is deployed.
Procedure: Run the acl-id acl-number command to bind an ACL to the service scheme. The ACL specifies resources that users can access after the bypass path is enabled. To retain service access permission after the bypass path is enabled, use the same ACL specified in an authorization result. The bypass path can only be configured globally. It cannot be enabled for employees and disabled for guests, or disabled for employees and enabled for guests.
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme server_down
[HUAWEI-aaa-service-server_down] acl-id 3001
[HUAWEI-aaa-service-server_down] quit
[HUAWEI-aaa] quit

Definition mode: VLAN
Usage scenario: VLAN-based authorization is deployed.
Procedure: Run the user-vlan vlan-id command to bind a VLAN to the service scheme. The VLAN specifies resources that users can access after the bypass path is enabled. To retain service access permission after the bypass path is enabled, use the same VLAN specified in an authorization result.
[HUAWEI] aaa
[HUAWEI-aaa] service-scheme server_down
[HUAWEI-aaa-service-server_down] user-vlan 101
[HUAWEI-aaa-service-server_down] quit
[HUAWEI-aaa] quit

b. Configure the bypass path used when the authentication server or the Portal server is Down.

Table 3-138 Bypass scenario

Bypass scenario: Users fail to be authenticated because the authentication server (RADIUS server) is Down.
Procedure: Run the authentication event authen-server-down action authorize service-scheme service-scheme command to assign network access policies to users through the service scheme when users fail to be authenticated because the authentication server is Down.

Bypass scenario: Users fail to be authenticated because the Portal server is Down.
Procedure: Run the authentication event portal-server-down action authorize service-scheme service-scheme command to assign network access policies to users through the service scheme when users fail to be authenticated because the Portal server is Down.

[HUAWEI] authentication-profile name portal_authen_profile1
[HUAWEI-authen-profile-portal_authen_profile1] authentication event authen-server-down action authorize service-scheme server_down
[HUAWEI-authen-profile-portal_authen_profile1] quit
[HUAWEI] portal-access-profile name portal_access_profile1
[HUAWEI-portal-acces-profile-portal_access_profile1] authentication event portal-server-down action authorize service-scheme server_down

6. [iMaster NCE-Campus] Add the switch to ensure proper association between iMaster NCE-Campus and the switch.
Choose Admission > Admission Resources > Admission Device, click Create, and add a switch.

Parameter: Device name
Value: SW
Description: -

Parameter: IP address
Value: 192.168.100.100
Description: The switch interface with this IP address must be able to communicate with the service controller.
radius-attribute nas-ip 192.168.100.100

Parameter: Device Series
Value: Huawei Engine
Description: -

Parameter: CoA Type
Value: Default CoA
Description: CoA allows administrators to change the permissions of online users or re-authenticate them through RADIUS.
Default CoA: CoA packets are sent periodically to update user authorization information.
No CoA: User authorization information cannot be updated.
Port Bounce: User authorization information can be updated when the interface to which an online user's terminal connects alternates between Up and Down.
Reauth: User authorization information can be updated by triggering re-authentication for an online user.

Parameter: Authentication/Accounting key
Value: YsHsjx_202206
Description: It must be the same as the RADIUS accounting key configured on the switch.

Parameter: Authorization key
Value: YsHsjx_202206
Description: It must be the same as the RADIUS authentication and authorization key configured on the switch.

Parameter: Accounting interval (min)
Value: 15
Description: It must be the same as the real-time accounting interval configured on the switch.

Parameter: Portal heartbeat verification
Value: Enabled
Description: The Portal server can send heartbeat packets to the access device and synchronize user information to the access device only when Portal heartbeat verification is enabled. The access device then periodically detects heartbeat packets of the Portal server to determine the Portal server status and synchronize user information from the Portal server. This configuration corresponds to the server-detect and user-sync commands configured in the Portal server view on the access device.

Parameter: Portal key
Value: YsHsjx_202206
Description: It must be the same as the Portal shared key configured on the switch.

Parameter: Terminal IP address list
Value: 172.16.11.254/24
Description: -

Parameter: Portal authentication port
Value: 2000
Description: This is the port that the switch uses to communicate with the Portal server. Retain the default value.

7. [iMaster NCE-Campus] Configure authentication and authorization. Terminal users match the rules based on specified conditions.
a. Choose Admission > Admission Policy > Authentication and Authorization. Click the Authentication Rule tab and modify the default authentication rule or create an authentication rule.
Add the AD server to Data Source. By default, an authentication rule takes effect only on the local data source. If the AD server is not added as a data source, AD accounts will fail to be authenticated.
b. Choose Admission > Admission Policy > Authentication and Authorization, click the Authorization Result tab, and add an ACL for authorization.
The ACL numbers must be the same as those configured on the authentication control device.
c. Choose Admission > Admission Policy > Authentication and Authorization, click the Authorization Rules tab, and create an authorization rule. Associate the authorization result created in the previous step with the authorization rule. Specify resources that users can access after being authenticated.

Verification
1. Verify that the terminal user can access only the iMaster NCE-Campus, DNS,
and AD servers before authentication.
2. Verify that the Portal authentication page is pushed to the terminal user
when the terminal user attempts to access the Internet. After the terminal
user enters the correct user name and password, the requested web page is
displayed.
3. Verify that the terminal user can access the Internet only after the
authentication succeeds.
4. After the terminal user is successfully authenticated, run the display access-user command on the switch. The command output shows information about the online user.
5. Choose Admission > Admission Policy > Online User Control from the main
menu and click Online User. Information about terminal users is displayed.
6. Choose Monitoring > Event Logs > Terminal Authentication Logs from the
main menu and click Portal Login and Logout logs. The Portal
authentication logs of the terminal user can be viewed.
7. Choose Monitoring > Event Logs > Terminal Authentication Logs from the
main menu and click RADIUS Login and Logout logs. The RADIUS
authentication logs of the terminal user can be viewed.


Summary and Suggestions
● The RADIUS authentication and accounting key, RADIUS authorization key,
and Portal key must be the same on the device and iMaster NCE-Campus.
● Authorization rules are matched in descending order of priority (ascending
order of rule numbers). If the authorization condition of a user matches a
rule, iMaster NCE-Campus does not check the subsequent rules. Therefore, it
is recommended that you set higher priorities for the rules defining more
precise conditions and set lower priorities for the rules defining fuzzy
conditions.
● The RADIUS accounting function is configured on the switch to enable
iMaster NCE-Campus to obtain online user information by exchanging
accounting packets. iMaster NCE-Campus does not support the real
accounting function. If accounting is required, use a third-party accounting
server.
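To show why the first bullet matters at the protocol level, here is an added Python example (not code from the page or from Huawei) that implements the two places where the RADIUS shared secret is used in RFC 2865: hiding the User-Password attribute in an Access-Request and computing the Response Authenticator that the client checks on the Access-Accept. The secret YsHsjx_202206 is the one used on this page; the mistyped secret, the password, the Filter-Id attribute and the 16-byte Request Authenticator (fixed here so the run is repeatable; a real client draws it with secrets.token_bytes(16)) are constructed for the example.

```python
import hashlib
import hmac

SECRET_ON_DEVICE = b"YsHsjx_202206"   # key configured on the switch (from the page)
SECRET_MISTYPED = b"YsHsjx_202O06"    # constructed: letter O instead of zero on the server
REQUEST_AUTH = bytes(range(16))       # constructed, fixed; real clients use secrets.token_bytes(16)


def hide_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each 16-byte chunk with MD5(secret + previous chunk)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += chunk
        prev = chunk
    return out


def reveal_user_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Server side of the same operation; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = 20 + len(attrs)
    header = bytes([code, ident]) + length.to_bytes(2, "big")
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def response_is_authentic(code, ident, attrs, request_auth, received_auth, secret) -> bool:
    """What the switch does with an Access-Accept before trusting its authorization."""
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    return hmac.compare_digest(expected, received_auth)


def demo(password: bytes = b"employee-passw0rd") -> dict:
    """Same Access-Request, decoded and answered with matching and mismatched secrets."""
    hidden = hide_user_password(password, SECRET_ON_DEVICE, REQUEST_AUTH)
    # Access-Accept (code 2, ID 1) with one constructed attribute: Filter-Id (type 11) "3001".
    attrs = bytes([11, 6]) + b"3001"
    good_resp = response_authenticator(2, 1, attrs, REQUEST_AUTH, SECRET_ON_DEVICE)
    bad_resp = response_authenticator(2, 1, attrs, REQUEST_AUTH, SECRET_MISTYPED)
    return {
        "password_seen_by_matching_server":
            reveal_user_password(hidden, SECRET_ON_DEVICE, REQUEST_AUTH),
        "password_seen_by_mistyped_server":
            reveal_user_password(hidden, SECRET_MISTYPED, REQUEST_AUTH),
        "accept_from_matching_server_verifies":
            response_is_authentic(2, 1, attrs, REQUEST_AUTH, good_resp, SECRET_ON_DEVICE),
        "accept_from_mistyped_server_verifies":
            response_is_authentic(2, 1, attrs, REQUEST_AUTH, bad_resp, SECRET_ON_DEVICE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

A secret mismatch produces no message about the key on either side: the server recovers a garbled password and rejects the user, and any Access-Accept it does send fails the authenticator check on the device, so the only symptom is a plain authentication failure. That is why the keys, and equally the Portal key used for the Portal protocol, have to match exactly on the switch and on iMaster NCE-Campus.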

Configuration Files
ACC configuration file
#
sysname ACC
#
vlan 101
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 101
#
return

AGG configuration file
#
sysname AGG
#
vlan batch 101 to 102
#
dhcp enable
#
authentication-profile name portal_authen_profile1
portal-access-profile portal_access_profile1
free-rule-template default_free_rule
authentication event authen-server-down action authorize service-scheme server_down
#
radius-server template radius_huawei
radius-server shared-key cipher %^%#ANM|Cb!>GNo=U@V~_{E1fQ>;I2#2l(3Q%1~Z.u|R%^%#
radius-server authentication 192.168.11.10 1812 source ip-address 192.168.100.100 weight 80
radius-server accounting 192.168.11.10 1813 source ip-address 192.168.100.100 weight 80
radius-attribute nas-ip 192.168.100.100
#
radius-server authorization 192.168.11.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
aaa
authentication-scheme auth_scheme
authentication-mode radius
accounting-scheme acco_scheme
accounting-mode radius
accounting realtime 15
service-scheme server_down
acl-id 3001
domain default
authentication-scheme auth_scheme
accounting-scheme acco_scheme
radius-server radius_huawei
#
domain default
#
acl 3001
rule 1 permit ip
#
web-auth-server portal_huawei
server-source ip-address 192.168.100.100
protocol portal
server-ip 192.168.11.10
source-ip 192.168.100.100
port 50100
server-detect interval 100 max-times 5 critical-num 0 action log
#
url-template name url_huawei
url https://access.example.com:19008/portal
url-parameter device-ip ac-ip device-mac lsw-mac redirect-url redirect-url user-ipaddress uaddress user-
mac umac
url-parameter set device-ip 192.168.100.100
#
web-auth-server portal_huawei
url-template url_huawei
#
portal-access-profile name portal_access_profile1
web-auth-server portal_huawei direct
authentication event portal-server-down action authorize service-scheme server_down
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
free-rule 2 destination ip 192.168.11.10 mask 255.255.255.255
free-rule 3 destination ip 192.168.11.100 mask 255.255.255.255
#
portal quiet-period
portal quiet-times 5
portal timer quiet-period 240
web-auth-server listening-port 2000
#
interface vlanif 101
ip address 172.16.11.254 255.255.255.0
dhcp select interface
dhcp server dns-list 192.168.11.1
authentication-profile portal_authen_profile1
#
interface vlanif 102
ip address 192.168.100.100 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 101
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 102
#
ip route-static 192.168.11.0 255.255.255.0 192.168.100.200
#
return

Core configuration file

#
sysname Core
#
vlan batch 102 200
#
interface vlanif 102
ip address 192.168.100.200 255.255.255.0
#
interface vlanif 200
ip address 192.168.11.254 255.255.255.0
#
interface gigabitethernet 1/0/1
port link-type trunk
port trunk allow-pass vlan 102
#
interface gigabitethernet 1/0/2
port link-type trunk
port trunk allow-pass vlan 200
#
ip route-static 172.16.11.0 255.255.255.0 192.168.100.100
#
return

3.14.6.4 Configuring Wireless MAC Address-Prioritized Portal Authentication

Networking Requirements
An enterprise has about 1000 employees and needs to deploy an identity
authentication system to implement access control for all the wireless users who
attempt to access the enterprise network. Only authorized users can access the
enterprise network.
The enterprise has the following requirements:
● The authentication operations should be simple. The authentication system
only performs access authorization and does not require any client software
on user terminals.
● The authentication system performs unified identity authentication on all
terminals attempting to access the campus network and denies the access
from unauthorized terminals.
● Employees can only access public servers (such as the DHCP and DNS servers)
of the enterprise before authentication, and can access both the enterprise's
service systems and Internet after being authenticated.
● If authenticated employees move out of the wireless signal coverage area and
move in again within a certain period (60 minutes for example), they can
connect to the wireless network directly without entering their user names
and passwords again. This ensures a good network access experience of
employees.
● Guests can only access public servers (such as the DHCP and DNS servers) of
the enterprise before authentication, and can only access the Internet after
being authenticated.
● Different authentication pages are pushed to employees and guests.

Figure 3-230 Networking of Portal authentication for wireless users

Requirement Analysis
● The enterprise has no specific requirement on terminal security check and requires simple operations, without a need for an authentication client on wireless terminals. Considering the networking and requirements of the enterprise, Portal authentication can be used on the campus network.
● To ensure unified user traffic control on the WAC, it is recommended that the
tunnel forwarding mode be used to forward packets between the WAC and
APs.
● To ensure network connectivity, plan VLANs as follows:
– Add employees to VLAN 100 and guests to VLAN 101 to isolate
employees from guests.
– Use VLAN 10 as the management VLAN of the APs.
– Add GE0/0/1, GE0/0/2, and GE0/0/3 of the access switch to VLAN 10 so
that these interfaces can transparently transmit packets from
management VLAN 10 of the APs.
– On the aggregation switch, add GE0/0/1 to management VLAN 10,
GE0/0/3 to management VLAN 10 and service VLANs 100 and 101, and
GE0/0/2 to service VLANs 100 and 101. In this way, these interfaces can
transparently transmit data of the corresponding VLANs.
– Add GE0/0/1 of the WAC to management VLAN 10 and service VLANs
100 and 101 so that the WAC can transparently transmit packets of these
VLANs.

● Employees and guests are all authenticated on the web pages pushed by the
Portal server. You need to configure different ACL rules on the WAC to control
access rights of employees and guests.
● Different SSIDs need to be configured for employees and guests so that
different authentication pages can be pushed to them based on their SSIDs.
● Enable MAC address-prioritized Portal authentication to allow employees to
connect to the wireless network without entering user names and passwords
when they move in and out of the wireless coverage area repeatedly within a
period (60 minutes for example).
MAC address-prioritized Portal authentication is a function provided by a
WAC. When the Portal server needs to authenticate a user, the WAC first
sends the user terminal's MAC address to the Portal server for identity
authentication. If the authentication fails, the Portal server pushes the Portal
authentication page to the terminal. The user then enters the account and
password for authentication. The RADIUS server caches a terminal's MAC
address and associated SSID during the first authentication for the terminal. If
the terminal is disconnected and then connected to the network within the
MAC address validity period, the RADIUS server searches for the SSID and
MAC address of the terminal in the cache to authenticate the terminal.
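The flow just described can be modelled on the server side to make the cache semantics concrete: the WAC first submits the terminal's MAC address, the server answers from its cache if it holds a valid (SSID, MAC) entry, and otherwise the Portal page is pushed and a successful login populates the cache. The Python below is an added example, not code from the page or from iMaster NCE-Campus; it assumes the cache is keyed by (SSID, MAC), that a failed Portal login caches nothing, and that a MAC-only success does not refresh the 60-minute validity timer (the page does not say either way). The account list, the MAC address and the timeline are constructed.

```python
import hmac

MAC_VALIDITY_SECONDS = 60 * 60   # the 60-minute period named in the requirements

# Constructed account database; a real deployment authenticates against the AD server.
ACCOUNTS = {"alice": "Emp-Passw0rd!", "visitor1": "Guest-Passw0rd!"}


class MacPrioritizedPortalServer:
    """Server-side view of MAC address-prioritized Portal authentication.

    The cache is keyed by (SSID, MAC) because the text says the server looks up
    both, so the same terminal on the other SSID is pushed a Portal page again.
    """

    def __init__(self, accounts=ACCOUNTS, validity=MAC_VALIDITY_SECONDS):
        self.accounts = accounts
        self.validity = validity
        self.cache = {}   # (ssid, mac) -> expiry time in seconds

    def associate(self, ssid, mac, now):
        """First step: the WAC submits the terminal's MAC address for authentication."""
        key = (ssid, mac.lower())
        expiry = self.cache.get(key)
        if expiry is not None and now < expiry:
            return "mac-auth"          # authenticated silently, no page pushed
        self.cache.pop(key, None)      # missing or expired: fall back to the Portal page
        return "portal-page"

    def portal_login(self, ssid, mac, username, password, now):
        """Second step: the user submits credentials on the pushed Portal page."""
        expected = self.accounts.get(username)
        if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return "rejected"          # nothing is cached on failure
        self.cache[(ssid, mac.lower())] = now + self.validity   # assumption: timer set once, at login
        return "accepted"


def walk_through():
    """Constructed timeline for one employee terminal; times are seconds."""
    server = MacPrioritizedPortalServer()
    mac = "00e0-fc11-2233"
    return [
        server.associate("employee", mac, 0),                               # portal-page
        server.portal_login("employee", mac, "alice", "wrong", 5),          # rejected
        server.associate("employee", mac, 6),                               # still portal-page
        server.portal_login("employee", mac, "alice", "Emp-Passw0rd!", 10), # accepted, cached
        server.associate("employee", mac, 30 * 60),                         # back within 60 min: mac-auth
        server.associate("guest", mac, 30 * 60),                            # other SSID: portal-page
        server.associate("employee", mac, 10 + 60 * 60),                    # validity expired: portal-page
    ]


if __name__ == "__main__":
    print(walk_through())
```

The two "portal-page" results near the end are the behaviours to verify when testing this feature: a cached employee terminal that joins the guest SSID must still see the guest page (different ACL rights and a different page apply there), and once the validity period has passed the terminal must be asked for credentials again rather than being let in on its MAC address alone.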

VLAN Plan

Table 3-139 Wireless VLAN plan

VLAN ID Function

10 Management VLAN for wireless access

100 Service VLAN for employees

101 Service VLAN for guests

Network Data Plan

Table 3-140 WLAN network data planning

Item: Access switch
Data: GE0/0/1, VLAN 10
Description: Connected to the AP in the guest area.

Item: Access switch
Data: GE0/0/2, VLAN 10
Description: Connected to the aggregation switch.

Item: Access switch
Data: GE0/0/3, VLAN 10
Description: Connected to the AP in the employee area.

Item: Aggregation switch
Data: GE0/0/1, VLAN 10
Description: Connected to the access switch.

Item: Aggregation switch
Data: GE0/0/2, VLAN 100 and VLAN 101
Description: Uplink interface that is connected to the core router and allows packets only from the service VLAN to pass through.

Item: Aggregation switch
Data: GE0/0/3, VLAN 10, VLAN 100, and VLAN 101
Description: Connected to the AC6605. The AC6605 communicates with upstream devices through service VLANs and communicates with downstream devices through a management VLAN.

Item: AC6605
Data: GE0/0/1, VLAN 10, VLAN 100, and VLAN 101; VLANIF 10: 10.10.10.254/24
Description: The AC6605 communicates with upstream devices through service VLANs and communicates with downstream devices through a management VLAN. Gateway for APs.

Item: Core router
Data: GE1/0/1: 172.16.21.254/24; sub-interface number: GE1/0/1.1, sub-interface IP address: 172.20.0.1/16; sub-interface number: GE1/0/1.2, sub-interface IP address: 172.21.0.1/16
Description: The sub-interface GE1/0/1.1 functions as the gateway for employees. The sub-interface GE1/0/1.2 functions as the gateway for guests.

Item: Server
Data:
● DNS server: 192.168.11.1
● iMaster NCE-Campus southbound address: 192.168.11.10
● AD server: 192.168.11.100
● DHCP server: 192.168.11.2
IP address pool:
– Employee: IP address pool (172.20.0.0/16); DNS server (192.168.11.1)
– Guest: IP address pool (172.21.0.0/16); DNS server (192.168.11.1)
● Service system: 192.168.11.200
Description: -

Service Data Plan

Table 3-141 Portal service data plan

Item: RADIUS
Data:
● RADIUS server: iMaster NCE-Campus server
● RADIUS client: WAC
● Authentication and accounting key: YsHsjx_202206
● Authorization key: YsHsjx_202206
● Accounting interval: 15 minutes
● Authentication port: 1812
● Accounting port: 1813
Description: The authentication control device functions as a RADIUS client and iMaster NCE-Campus as a RADIUS server. The authentication and accounting key, authorization key, and accounting interval must be the same on them. iMaster NCE-Campus functioning as the RADIUS server uses port 1812 for authentication and port 1813 for accounting.

Item: Portal
Data:
● Portal server: iMaster NCE-Campus server with the domain name access.example.com
● Portal key: YsHsjx_202206
● Portal server port: 50100
● Port of the authentication control device for associating with the Portal server: 2000
Description: When Portal pages are pushed using a domain name, the iMaster NCE-Campus server's domain name is required. iMaster NCE-Campus functioning as the Portal server uses port 50100 as the Portal server port. When a Huawei switch or WAC functions as the authentication control device to provide Portal authentication, the switch or WAC uses port 2000 by default to associate with the Portal server.

Item: Pre-authentication domain
Data: DNS server, iMaster NCE-Campus, AD server, and DHCP server
Description: -

Item: Post-authentication domain for employees
Data: Service system and Internet
Description: -

Item: Post-authentication domain for guests
Data: Internet
Description: -

Configuration Roadmap
1. Configure the access switch, aggregation switch, and WAC to ensure network
connectivity.
2. On the WAC, configure a RADIUS server template, configure authentication,
accounting, and authorization schemes in the template, and specify the IP
address of the Portal server. In this way, the WAC can communicate with the
RADIUS server and Portal server to perform MAC address-prioritized Portal
authentication for employees.
3. Add the WAC on iMaster NCE-Campus and configure parameters for the WAC
to ensure that iMaster NCE-Campus interacts properly with the WAC.
4. Configure authentication and authorization rules to grant different network
access rights to the authenticated employees and guests.
5. Customize different authentication pages for employees and guests, and
configure Portal page push rules to ensure that different web pages are
pushed to employees and guests.

Prerequisites
● You have configured a sub-interface, assigned an IP address to the sub-
interface, and enabled DHCP relay on the core router to enable terminals to
automatically obtain IP addresses from the DHCP server on a different
network segment.
● The SMS server has been interconnected.

Procedure
1. [Device] Configure the access switch to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname ACC
[ACC] vlan 10
[ACC-vlan10] quit
[ACC] interface gigabitethernet 0/0/3
[ACC-GigabitEthernet0/0/3] port link-type trunk
[ACC-GigabitEthernet0/0/3] port trunk pvid vlan 10
[ACC-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/3] quit
[ACC] interface gigabitethernet 0/0/1
[ACC-GigabitEthernet0/0/1] port link-type trunk
[ACC-GigabitEthernet0/0/1] port trunk pvid vlan 10
[ACC-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/1] quit
[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] port link-type trunk
[ACC-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/2] quit

2. [Device] Configure the aggregation switch to ensure network connectivity.
<HUAWEI> system-view
[HUAWEI] sysname AGG
[AGG] vlan batch 10 100 101
[AGG] interface gigabitethernet 0/0/1
[AGG-GigabitEthernet0/0/1] port link-type trunk
[AGG-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[AGG-GigabitEthernet0/0/1] quit
[AGG] interface gigabitethernet 0/0/2
[AGG-GigabitEthernet0/0/2] port link-type trunk
[AGG-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 101
[AGG-GigabitEthernet0/0/2] quit
[AGG] interface gigabitethernet 0/0/3
[AGG-GigabitEthernet0/0/3] port link-type trunk
[AGG-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 100 101
[AGG-GigabitEthernet0/0/3] quit

3. [Device] Configure the AC6605 to enable network connectivity.
# Add AC6605's GE0/0/1 connected to the aggregation switch to management VLAN 10 and service VLANs 100 and 101.
<HUAWEI> system-view
[HUAWEI] sysname AC6605
[AC6605] vlan batch 10 100 101
[AC6605] interface gigabitethernet 0/0/1
[AC6605-GigabitEthernet0/0/1] port link-type trunk
[AC6605-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100 101
[AC6605-GigabitEthernet0/0/1] quit

# Configure the AC6605 to assign IP addresses to APs from an interface address pool.
[AC6605] dhcp enable
[AC6605] interface vlanif 10
[AC6605-Vlanif10] ip address 10.10.10.254 24
[AC6605-Vlanif10] dhcp select interface
[AC6605-Vlanif10] quit

# Configure a default route that the AC6605 uses to communicate with servers. Packets are forwarded to the core router by default.
[AC6605] ip route-static 0.0.0.0 0 172.16.21.254

4. [Device] Configure the AP to go online.

NOTE

If a Layer 3 network is deployed between the AP and WAC, you need to configure the DHCP Option 43 field on the DHCP server to carry the WAC's IP address in advertisement packets, allowing the AP to discover the WAC.
1. Run the ip pool ip-pool-name command in the system view to enter the IP address pool view.
2. Run the option 43 sub-option 2 ip-address AC-ip-address &<1-8> command to specify an IP address for the WAC.
# Create an AP group, to which APs with the same configuration are added.
[AC6605] wlan
[AC6605-wlan-view] ap-group name employee //Configure an AP group for employees.
[AC6605-wlan-ap-group-employee] quit
[AC6605-wlan-view] ap-group name guest //Configure an AP group for guests.
[AC6605-wlan-ap-group-guest] quit

# Create a regulatory domain profile, configure the WAC country code in the
profile, and apply the profile to the corresponding AP group.
[AC6605-wlan-view] regulatory-domain-profile name domain1
[AC6605-wlan-regulatory-domain-prof-domain1] country-code cn
[AC6605-wlan-regulatory-domain-prof-domain1] quit
[AC6605-wlan-view] ap-group name employee
[AC6605-wlan-ap-group-employee] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continue?[Y/N]:y
[AC6605-wlan-ap-group-employee] quit
[AC6605-wlan-view] ap-group name guest
[AC6605-wlan-ap-group-guest] regulatory-domain-profile domain1
Warning: Modifying the country code will clear channel, power and antenna gain configurations of
the radio and reset the AP. Continue?[Y/N]:y
[AC6605-wlan-ap-group-guest] quit
[AC6605-wlan-view] quit

# Configure the WAC's source interface.
[AC6605] capwap source interface vlanif 10

# Import the AP offline on the WAC and add the AP to the AP group. This
example assumes that the AP model is AP6010DN-AGN, the MAC address of
AP_0 serving employees is 00e0-fc76-a320, and the MAC address of AP_1
serving guests is 00e0-fc76-a330.
[AC6605] wlan
[AC6605-wlan-view] ap auth-mode mac-auth
[AC6605-wlan-view] ap-id 0 ap-mac 00e0-fc76-a320
[AC6605-wlan-ap-0] ap-name ap_0
[AC6605-wlan-ap-0] ap-group employee
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC6605-wlan-ap-0] quit
[AC6605-wlan-view] ap-id 1 ap-mac 00e0-fc76-a330
[AC6605-wlan-ap-1] ap-name ap_1
[AC6605-wlan-ap-1] ap-group guest
Warning: This operation may cause AP reset. If the country code changes, it will clear channel, power
and antenna gain configurations of the radio, Whether to continue? [Y/N]:y
[AC6605-wlan-ap-1] quit
[AC6605-wlan-view] quit

# After the AP is powered on, run the display ap all command to check the AP status. If the State field is displayed as nor, the AP goes online normally.
[AC6605] display ap all
Total AP information:
nor : normal [2]
-------------------------------------------------------------------------------------
ID MAC Name Group IP Type State STA Uptime
-------------------------------------------------------------------------------------
0 00e0-fc76-a320 ap_0 employee 10.10.10.252 AP6010DN-AGN nor 0 10S
1 00e0-fc76-a330 ap_1 guest 10.10.10.253 AP6010DN-AGN nor 0 20S
-------------------------------------------------------------------------------------
Total: 2

5. [Device] Configure interconnection parameters for the WAC and RADIUS server as well as the WAC and Portal server, so that the WAC can associate with the RADIUS and Portal servers.

Figure 3-231 Configuration flow for the Portal authentication service

# Configure a RADIUS server template, and configure authentication, accounting, and authorization schemes in the template.
[AC6605] radius-server template radius_template
[AC6605-radius-radius_template] radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
[AC6605-radius-radius_template] radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
[AC6605-radius-radius_template] called-station-id wlan-user-format ac-mac include-ssid
[AC6605-radius-radius_template] radius-server shared-key cipher YsHsjx_202206
[AC6605-radius-radius_template] radius-attribute nas-ip 10.10.10.254
[AC6605-radius-radius_template] radius-server user-name original //Configure the device to send the original user name entered by a user to the RADIUS server.
[AC6605-radius-radius_template] quit
[AC6605] radius-server authorization 192.168.11.10 shared-key cipher YsHsjx_202206
[AC6605] aaa
[AC6605-aaa] authentication-scheme auth_scheme //Configure an authentication scheme.
[AC6605-aaa-authen-auth_scheme] authentication-mode radius //Set the authentication mode to RADIUS.
[AC6605-aaa-authen-auth_scheme] quit
[AC6605-aaa] accounting-scheme acco_scheme //Configure an accounting scheme.
[AC6605-aaa-accounting-acco_scheme] accounting-mode radius //Set the accounting mode to RADIUS.
[AC6605-aaa-accounting-acco_scheme] accounting realtime 15
[AC6605-aaa-accounting-acco_scheme] quit
[AC6605-aaa] quit

NOTE

Real-time accounting is configured between the authentication control device and iMaster NCE-Campus to periodically exchange accounting packets, ensuring consistent online status information. A shorter real-time accounting interval requires higher performance of the device and RADIUS server. Set the real-time accounting interval based on the number of users.

Table 3-142 Accounting interval

Number of Users   Real-Time Accounting Interval
1 to 99           3 minutes
100 to 499        6 minutes
500 to 999        12 minutes
≥ 1000            ≥ 15 minutes

# Configure the Portal server.
a. Configure the URL of the Portal authentication page. When a user attempts to access a website before authentication, the WAC redirects the user to the Portal server.
You are advised to configure the URL using a domain name to ensure secure and fast page pushing. Before configuring the URL using a domain name, you must first configure the mapping between the domain name and IP address of the Portal server on the DNS server.
[AC6605] url-template name huawei
[AC6605-url-template-huawei] url https://access.example.com:19008/portal //access.example.com is the host name of the Portal server.

NOTE

By default, iMaster NCE-Campus supports only HTTPS, because HTTP may pose security risks. If the HTTP protocol needs to be used to push Portal pages, you need to enable the HTTP port on the iMaster NCE-Campus management plane. For details, see (Optional) Enabling the HTTP Port. Then, run the following command:
[AC6605-url-template-huawei] url http://access.example.com:8445/portal //access.example.com is the host name of the Portal server.

b. Configure parameters carried in the URL, which must be the same as those on the authentication server.
[AC6605-url-template-huawei] url-parameter device-ip ac-ip redirect-url redirect-url ssid ssid user-ipaddress uaddress user-mac umac
//device-ip ac-ip specifies the IP address of the device carried in the URL and sets the parameter name displayed in the URL. In the wireless access scenario, the value of device-ip carried in the URL is the CAPWAP gateway address.
//redirect-url redirect-url specifies the original URL that a user accesses in the URL and sets the parameter name displayed in the URL.
//The first ssid indicates that the URL contains the SSID field, and the second ssid indicates the parameter name.
//For example, after ssid ssid is specified, the redirect URL contains ssid=guest, where ssid indicates the parameter name and guest indicates the SSID with which the user associates.
//The second ssid represents the transmitted parameter name and cannot be replaced with the actual user SSID.
[AC6605-url-template-huawei] quit

c. Specify the port number used to process Portal protocol packets. The
default port number is 2000. If you change the port number on the WAC,
set the same port number when you add this WAC to iMaster NCE-
Campus.
[AC6605] web-auth-server listening-port 2000

d. Configure a Portal server template, including configuring the IP address and port number of the Portal server.
[AC6605] web-auth-server portal_huawei
[AC6605-web-auth-server-portal_huawei] server-source ip-address 10.10.10.254 //Configure the local gateway address for receiving and responding to the packets sent by the Portal server.
[AC6605-web-auth-server-portal_huawei] protocol portal //Set the protocol used in Portal authentication to Portal.
[AC6605-web-auth-server-portal_huawei] server-ip 192.168.11.10 //Configure the IP address of the Portal server.
[AC6605-web-auth-server-portal_huawei] source-ip 10.10.10.254 //Configure the IP address used by the device to communicate with the Portal server.
[AC6605-web-auth-server-portal_huawei] port 50100 //Set the destination port number in the packets sent to the Portal server to 50100.

e. Configure the shared key used to communicate with the Portal server, which must be the same as that on the Portal server.
[AC6605-web-auth-server-portal_huawei] shared-key cipher YsHsjx_202206 //Configure the shared key used to communicate with the Portal server.
[AC6605-web-auth-server-portal_huawei] url-template huawei //Bind the URL template to the Portal server template.

f. Enable the Portal server detection function.
After the Portal server detection function is enabled in the Portal server template, the device detects all Portal servers configured in the Portal server template. If the number of times that the device fails to detect a Portal server exceeds the upper limit, the status of the Portal server is changed from Up to Down. If the number of Portal servers in Up state is less than or equal to the minimum number (specified by the critical-num parameter), the device performs the corresponding operation, for example, sending a trap, reporting a log, or enabling Portal bypass. This enables the administrator to obtain the real-time Portal server status. The detection interval cannot be shorter than 15s, and the recommended value is 100s. Before enabling Portal bypass, you must enable Portal server detection.
[AC6605-web-auth-server-portal_huawei] server-detect interval 100 max-times 5 critical-num 0 action log
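As an added illustration (not part of the Huawei example), the following Python model builds the redirect URL the WAC would generate from the url-template and url-parameter configuration in steps a and b, and parses it back the way the Portal server would. The client values (user IP 172.21.0.25, MAC 00e0-fc12-3456, original URL) are constructed, and the query-string order following the url-parameter line is an assumption.

```python
from urllib.parse import urlencode, urlsplit, parse_qs

# Portal page URL from the url-template configured on the page.
URL_TEMPLATE = "https://access.example.com:19008/portal"

# (field carried in the URL, parameter name shown in the URL), in the order of
# the url-parameter line: device-ip ac-ip redirect-url redirect-url ssid ssid
# user-ipaddress uaddress user-mac umac. The second word of each pair is the
# name the Portal server sees; it is never replaced by the runtime value.
URL_PARAMETERS = [
    ("device-ip", "ac-ip"),
    ("redirect-url", "redirect-url"),
    ("ssid", "ssid"),
    ("user-ipaddress", "uaddress"),
    ("user-mac", "umac"),
]


def build_redirect_url(template, url_parameters, session):
    """Return the URL an unauthenticated client is redirected to.

    session maps each WAC-side field (first word of a url-parameter pair) to
    the value known for this client at redirect time. Query-string order is
    assumed to follow the url-parameter line; values are percent-encoded so
    the client's original URL survives intact as one parameter.
    """
    query = []
    for field, param_name in url_parameters:
        if field not in session:
            raise KeyError(f"url-parameter field {field} has no value for this session")
        query.append((param_name, session[field]))
    return f"{template}?{urlencode(query)}"


def parse_redirect_url(url):
    """What the Portal server recovers from the query string (inverse of build)."""
    parts = urlsplit(url)
    return {name: values[0] for name, values in parse_qs(parts.query).items()}


def check_roundtrip(session):
    """Build and parse; return (url, parsed) so both sides can be inspected."""
    url = build_redirect_url(URL_TEMPLATE, URL_PARAMETERS, session)
    return url, parse_redirect_url(url)


if __name__ == "__main__":
    # Constructed guest session: device-ip is the CAPWAP gateway (vlanif 10),
    # the terminal address falls in the 172.21.0.0/16 range added on
    # iMaster NCE-Campus, the MAC and the original URL are made up.
    guest = {
        "device-ip": "10.10.10.254",
        "redirect-url": "http://www.example.org/news?id=7",
        "ssid": "guest",
        "user-ipaddress": "172.21.0.25",
        "user-mac": "00e0-fc12-3456",
    }
    url, parsed = check_roundtrip(guest)
    print(url)
    print(parsed)
```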

# Enable the Portal authentication quiet period function. With this function
enabled, the WAC drops packets of an authentication user during the quiet
period if the user fails Portal authentication for the specified number of times
in 60 seconds. This function protects the WAC from being overloaded due to
frequent authentication.

[AC6605] portal quiet-period
[AC6605] portal quiet-times 5 //Set the number of authentication failures within 60 seconds which, when exceeded, causes Portal authentication users to enter the quiet state.
[AC6605] portal timer quiet-period 240 //Set the quiet period for Portal authentication users to 240 seconds.
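The quiet-period mechanism just configured, as an added Python model that is not device code: failures are counted per user in a sliding 60-second window, and, taking the command comment's "when exceeded" literally, the attempt that takes the count above portal quiet-times puts the user into the 240-second quiet state. User names and timestamps are constructed.

```python
from collections import defaultdict, deque


class PortalQuietPeriod:
    """Constructed model of the Portal quiet-period function; not device code.

    Failed Portal authentications are counted per user in a sliding window of
    `window` seconds. The failure that takes the count above `quiet_times`
    puts the user into quiet state for `quiet_period` seconds; while quiet,
    the user's authentication packets are dropped, which is what protects the
    WAC and the RADIUS/Portal path from a flood of repeated attempts.
    """

    def __init__(self, quiet_times=5, quiet_period=240, window=60):
        self.quiet_times = quiet_times      # portal quiet-times 5
        self.quiet_period = quiet_period    # portal timer quiet-period 240
        self.window = window                # fixed 60-second counting window
        self._failures = defaultdict(deque)  # user -> failure timestamps
        self._quiet_until = {}               # user -> end of quiet state

    def is_quiet(self, user, now):
        """True if packets from `user` are dropped at time `now` (seconds)."""
        until = self._quiet_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Quiet period over: forget the history so the user starts clean.
            del self._quiet_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def on_auth_failure(self, user, now):
        """Record a failed attempt at `now`. Returns True if the user is in
        quiet state after this attempt."""
        if self.is_quiet(user, now):
            return True  # packet dropped; the attempt is not even counted
        history = self._failures[user]
        history.append(now)
        # Discard failures that have fallen out of the 60-second window.
        while history and now - history[0] >= self.window:
            history.popleft()
        if len(history) > self.quiet_times:
            self._quiet_until[user] = now + self.quiet_period
            history.clear()
            return True
        return False

    def quiet_remaining(self, user, now):
        """Seconds left in quiet state, 0 if the user is not quiet."""
        if not self.is_quiet(user, now):
            return 0
        return self._quiet_until[user] - now


if __name__ == "__main__":
    qp = PortalQuietPeriod()
    # Constructed: six wrong passwords in 50 seconds from one user.
    for t in (0, 10, 20, 30, 40, 50):
        print(t, "quiet" if qp.on_auth_failure("alice", t) else "counted")
    print("remaining at t=100:", qp.quiet_remaining("alice", 100))
```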

# Create a Portal access profile, and bind the Portal server template to it. In this example, different Portal bypass solutions need to be configured for employees and guests. Therefore, configure two Portal access profiles.
[AC6605] portal-access-profile name acc_portal_employee //Create a Portal access profile for employees.
[AC6605-portal-access-profile-acc_portal_employee] web-auth-server portal_huawei direct //Configure the Portal server template used by the Portal access profile. If the network between terminal users and the WAC is a Layer 2 network, configure the direct mode. If the network is a Layer 3 network, configure the layer3 mode.
[AC6605-portal-access-profile-acc_portal_employee] quit
[AC6605] portal-access-profile name acc_portal_guest //Create a Portal access profile for guests.
[AC6605-portal-access-profile-acc_portal_guest] web-auth-server portal_huawei direct
[AC6605-portal-access-profile-acc_portal_guest] quit

# Create a MAC access profile so that MAC address-prioritized Portal authentication is performed on employees.
[AC6605] mac-access-profile name acc_mac
[AC6605-mac-access-profile-acc_mac] quit

# Configure pre-authentication and post-authentication access rules for employees and guests.
[AC6605] free-rule-template name default_free_rule
[AC6605-free-rule-default_free_rule] free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255 //Configure an authentication-free rule for Portal authentication users, so that they can connect to the DNS server before authentication.
[AC6605-free-rule-default_free_rule] free-rule 2 destination ip 192.168.11.100 mask 255.255.255.255 //Configure an authentication-free rule for Portal authentication users, so that they can connect to the AD server before authentication.
[AC6605-free-rule-default_free_rule] free-rule 3 destination ip 192.168.11.2 mask 255.255.255.255 //Configure an authentication-free rule for Portal authentication users, so that they can connect to the DHCP server before authentication.
[AC6605-free-rule-default_free_rule] quit
[AC6605] acl 3001 //Configure the post-authentication domain, including the intranet and Internet, for employees.
[AC6605-acl-adv-3001] rule 5 permit ip
[AC6605-acl-adv-3001] quit
[AC6605] acl 3002 //Configure the post-authentication domain, including the Internet, for guests.
[AC6605-acl-adv-3002] rule 5 deny ip destination 192.168.11.200 255.255.255.255 //192.168.11.200 is the service system IP address and cannot be accessed by guests.
[AC6605-acl-adv-3002] rule 10 permit ip
[AC6605-acl-adv-3002] quit

# Configure different authentication profiles for employees and guests because MAC address-prioritized Portal authentication needs to be enabled for employees.
[AC6605] authentication-profile name auth_portal_employee
[AC6605-authentication-profile-auth_portal_employee] mac-access-profile acc_mac //Enable MAC address-prioritized Portal authentication for employees.
[AC6605-authentication-profile-auth_portal_employee] portal-access-profile acc_portal_employee
[AC6605-authentication-profile-auth_portal_employee] authentication-scheme auth_scheme
[AC6605-authentication-profile-auth_portal_employee] accounting-scheme acco_scheme
[AC6605-authentication-profile-auth_portal_employee] radius-server radius_template
[AC6605-authentication-profile-auth_portal_employee] free-rule-template default_free_rule
[AC6605-authentication-profile-auth_portal_employee] quit
[AC6605] authentication-profile name auth_portal_guest
[AC6605-authentication-profile-auth_portal_guest] portal-access-profile acc_portal_guest
[AC6605-authentication-profile-auth_portal_guest] authentication-scheme auth_scheme
[AC6605-authentication-profile-auth_portal_guest] accounting-scheme acco_scheme
[AC6605-authentication-profile-auth_portal_guest] radius-server radius_template
[AC6605-authentication-profile-auth_portal_guest] free-rule-template default_free_rule
[AC6605-authentication-profile-auth_portal_guest] quit


# Enable terminal type awareness to allow the WAC to send the option fields
containing the terminal type in DHCP packets to the authentication server. In
this way, the authentication server can push correct Portal authentication
pages to users based on terminal types.
[AC6605] dhcp snooping enable
[AC6605] device-sensor dhcp option 12 55 60
# Configure Portal bypass. Configure the device to grant network access
rights of a user group to users when the Portal server is Down so that the
users can access the post-authentication domain. In addition, configure the
device to re-authenticate users when the Portal server changes from Down to
Up.
[AC6605] user-group group1
[AC6605-user-group-group1] acl 3001
[AC6605-user-group-group1] quit
[AC6605] portal-access-profile name acc_portal_employee
[AC6605-portal-access-profile-acc_portal_employee] authentication event portal-server-down action authorize user-group group1 //Configure the network access permission to be granted to employees when the Portal server is Down.
[AC6605-portal-access-profile-acc_portal_employee] authentication event portal-server-up action re-authen //Enable the device to re-authenticate users when the Portal server state changes from Down to Up.
[AC6605-portal-access-profile-acc_portal_employee] quit
[AC6605] user-group group2
[AC6605-user-group-group2] acl 3002
[AC6605-user-group-group2] quit
[AC6605] portal-access-profile name acc_portal_guest
[AC6605-portal-access-profile-acc_portal_guest] authentication event portal-server-down action authorize user-group group2 //Configure the network access permission to be granted to guests when the Portal server is Down.
[AC6605-portal-access-profile-acc_portal_guest] authentication event portal-server-up action re-authen
[AC6605-portal-access-profile-acc_portal_guest] quit
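Added Python model (not device code) of the server-detect logic from step f together with the portal-server-down and portal-server-up events configured above: a server goes Down once consecutive failed detections exceed max-times, the configured action fires when the number of Up servers is at most critical-num, the bypass user groups are then authorized, and a server returning to Up triggers re-authentication. The probe sequence is constructed, and applying the bypass only once the Up count is at or below critical-num is an assumption about the page's wording.

```python
from dataclasses import dataclass


@dataclass
class PortalServer:
    ip: str
    state: str = "Up"
    failures: int = 0  # consecutive failed detections


@dataclass
class PortalAccessProfile:
    name: str
    bypass_group: str   # user-group authorized on portal-server-down
    bypass_acl: int     # ACL bound to that user-group
    reauth_on_up: bool = True  # authentication event portal-server-up action re-authen


class PortalServerMonitor:
    """Constructed model of server-detect plus the portal-server-down/up
    events; not device code. One probe() call stands for one detection
    interval (100 s on the page) for one server."""

    def __init__(self, servers, profiles, max_times=5, critical_num=0, action="log"):
        self.servers = {s.ip: s for s in servers}
        self.profiles = profiles
        self.max_times = max_times        # server-detect ... max-times 5
        self.critical_num = critical_num  # server-detect ... critical-num 0
        self.action = action              # server-detect ... action log

    def up_count(self):
        return sum(1 for s in self.servers.values() if s.state == "Up")

    def probe(self, ip, reachable):
        """Apply one detection result; return the events the device would raise."""
        server = self.servers[ip]
        events = []
        if reachable:
            server.failures = 0
            if server.state == "Down":
                server.state = "Up"
                events.append(("portal-server-up", ip))
                # Users holding bypass rights are sent back through real authentication.
                events += [("re-authen", p.name) for p in self.profiles if p.reauth_on_up]
            return events
        server.failures += 1
        # "exceeds the upper limit": the (max_times + 1)-th consecutive miss flips Up -> Down.
        if server.state == "Up" and server.failures > self.max_times:
            server.state = "Down"
            events.append(("portal-server-down", ip))
            # Assumption: the action and the bypass apply once the number of
            # servers still Up is at or below critical-num (0 here: all down).
            if self.up_count() <= self.critical_num:
                events.append((self.action, f"{self.up_count()} portal server(s) Up"))
                events += [("authorize", p.name, p.bypass_group, p.bypass_acl)
                           for p in self.profiles]
        return events


def simulate(monitor, results):
    """Run a list of (ip, reachable) detection results; return all events in order."""
    out = []
    for ip, reachable in results:
        out.extend(monitor.probe(ip, reachable))
    return out


if __name__ == "__main__":
    monitor = PortalServerMonitor(
        [PortalServer("192.168.11.10")],
        [PortalAccessProfile("acc_portal_employee", "group1", 3001),
         PortalAccessProfile("acc_portal_guest", "group2", 3002)],
    )
    # Constructed: six missed detections, then the server answers again.
    for ev in simulate(monitor, [("192.168.11.10", False)] * 6 + [("192.168.11.10", True)]):
        print(ev)
```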
6. [Device] Set WLAN service parameters.
# Create the security profile security_portal and set the security policy in the
profile.
[AC6605] wlan
[AC6605-wlan-view] security-profile name security_portal
[AC6605-wlan-sec-prof-security_portal] security open
[AC6605-wlan-sec-prof-security_portal] quit
# Create SSID profiles wlan-ssid-employee and wlan-ssid-guest, and set the
SSID names to employee and guest, respectively.
[AC6605-wlan-view] ssid-profile name wlan-ssid-employee
[AC6605-wlan-ssid-prof-wlan-ssid-employee] ssid employee
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC6605-wlan-ssid-prof-wlan-ssid-employee] quit
[AC6605-wlan-view] ssid-profile name wlan-ssid-guest
[AC6605-wlan-ssid-prof-wlan-ssid-guest] ssid guest
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC6605-wlan-ssid-prof-wlan-ssid-guest] quit
# Create VAP profiles wlan-vap-employee and wlan-vap-guest, configure
the service data forwarding mode and service VLANs, and apply the security,
SSID, and authentication profiles to the VAP profiles.
[AC6605-wlan-view] vap-profile name wlan-vap-employee
[AC6605-wlan-vap-prof-wlan-vap-employee] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC6605-wlan-vap-prof-wlan-vap-employee] service-vlan vlan-id 100
[AC6605-wlan-vap-prof-wlan-vap-employee] security-profile security_portal
[AC6605-wlan-vap-prof-wlan-vap-employee] ssid-profile wlan-ssid-employee
[AC6605-wlan-vap-prof-wlan-vap-employee] authentication-profile auth_portal_employee //Bind the authentication profile of employees.
[AC6605-wlan-vap-prof-wlan-vap-employee] quit

[AC6605-wlan-view] vap-profile name wlan-vap-guest
[AC6605-wlan-vap-prof-wlan-vap-guest] forward-mode tunnel
Warning: This action may cause service interruption. Continue?[Y/N]y
[AC6605-wlan-vap-prof-wlan-vap-guest] service-vlan vlan-id 101
[AC6605-wlan-vap-prof-wlan-vap-guest] security-profile security_portal
[AC6605-wlan-vap-prof-wlan-vap-guest] ssid-profile wlan-ssid-guest
[AC6605-wlan-vap-prof-wlan-vap-guest] authentication-profile auth_portal_guest //Bind the authentication profile of guests.
[AC6605-wlan-vap-prof-wlan-vap-guest] quit

# Bind the VAP profile to the AP groups, and apply the VAP profile to radio 0
and radio 1 of APs.
[AC6605-wlan-view] ap-group name employee
[AC6605-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 0
[AC6605-wlan-ap-group-employee] vap-profile wlan-vap-employee wlan 1 radio 1
[AC6605-wlan-ap-group-employee] quit
[AC6605-wlan-view] ap-group name guest
[AC6605-wlan-ap-group-guest] vap-profile wlan-vap-guest wlan 1 radio 0
[AC6605-wlan-ap-group-guest] vap-profile wlan-vap-guest wlan 1 radio 1
[AC6605-wlan-ap-group-guest] quit

7. [iMaster NCE-Campus] Add the WAC to iMaster NCE-Campus to ensure that iMaster NCE-Campus interacts properly with the WAC.
Choose Admission > Admission Resources > Admission Device, click Create, and add a WAC.

Parameter: Device name
Value: WAC
Description: -

Parameter: IP address
Value: 10.10.10.254
Description: The interface with this IP address on the AC6605 must be able to communicate with the service controller.
[AC6605-radius-radius_template] radius-attribute nas-ip 10.10.10.254

Parameter: Device Series
Value: Huawei Engine
Description: -

Parameter: CoA Type
Value: Default CoA
Description: CoA allows administrators to change the permissions of online users or re-authenticate them through RADIUS.
Default CoA: CoA packets are sent periodically to update user authorization information.
No CoA: User authorization information cannot be updated.
Port Bounce: User authorization information can be updated when the interface to which an online user's terminal connects alternates between Up and Down.
Reauth: User authorization information can be updated by triggering re-authentication for an online user.

Parameter: Authentication/Accounting key
Value: YsHsjx_202206
Description: [AC6605-radius-radius_template] radius-server shared-key cipher YsHsjx_202206

Parameter: Authorization key
Value: YsHsjx_202206
Description: [AC6605] radius-server authorization 192.168.11.10 shared-key cipher YsHsjx_202206

Parameter: Accounting interval (min)
Value: 15
Description: [AC6605-aaa-accounting-acco_scheme] accounting realtime 15

Parameter: Portal heartbeat verification
Value: Select
Description: The Portal server can send heartbeat packets to the access device and synchronize user information to the access device only when Portal heartbeat verification is enabled. The access device then periodically detects heartbeat packets of the Portal server to determine the Portal server status and synchronize user information from the Portal server. This configuration corresponds to the server-detect and user-sync commands configured in the Portal server view on the access device.

Parameter: Portal key
Value: YsHsjx_202206
Description: [AC6605-web-auth-server-portal_huawei] shared-key cipher YsHsjx_202206

Parameter: Terminal IP address list
Value: 172.20.0.0/16, 172.21.0.0/16
Description: You need to add the IP addresses of all the terminals that go online through Portal authentication to the access terminal IP address list. After the Portal server receives the account and password submitted by a terminal user, it searches for an access control device based on the terminal's IP address and allows the terminal to go online from the target access control device. If the IP address pool of the access control device does not include the terminal IP address, the Portal server cannot find an access control device to grant network access permission to the terminal, causing the terminal login failure.

Parameter: Port
Value: 2000
Description: It is the port that the AC6605 uses to communicate with the Portal server. Use the default value.

8. [iMaster NCE-Campus] Configure authentication and authorization.
a. Choose Admission > Admission Policy > Authentication and Authorization. Click the Authentication Rule tab and modify the default authentication rule or create an authentication rule.
Add the AD server to Data Source. By default, an authentication rule takes effect only on the local data source. If the AD server is not added as a data source, AD accounts will fail to be authenticated.

b. Choose Admission > Admission Policy > Authentication and Authorization. Click the Authorization Result tab and add authorization ACLs for employees and guests.
The ACL numbers must be the same as those configured on the authentication control device.

c. Choose Admission > Admission Policy > Authentication and Authorization. Click the Authorization Rule tab and bind the authorization result to specify resources accessible to employees and guests after successful authentication.

d. Modify the default authorization rule by changing the authorization result to Deny Access.
Choose Admission > Admission Policy > Authentication and Authorization. Click the Authorization Rule tab and click on the right of Default. Change the value of Authorization result to Deny Access.

9. [iMaster NCE-Campus] Customize a Portal authentication page for employees.
a. Choose Admission > Admission Resources > Page Management. On the Page Customization tab page, click in the upper left corner.
b. Set Page name, set System template to User Name and Password Template, and click Create.
c. Customize Authentication Page, Authentication Success Page, and User Notice Page for mobile phones and PCs as required, and click Release.

10. [iMaster NCE-Campus] Customize a Portal authentication page for guests.
a. Choose Admission > Admission Resources > Page Management. On the Page Customization tab page, click in the upper left corner.

b. Set Page name, set System template to SMS Template, set the guest account policy, and click Create.
c. Customize Authentication Page, Authentication Success Page, and User Notice Page for mobile phones and PCs as required, and click Release.


11. [iMaster NCE-Campus] Configure Portal page push rules to ensure that
different authentication pages are pushed to employees and guests.
a. Choose Admission > Admission Resources > Page Management and
click Portal Page Push Policy. Click Create and set the push policy for
employees.

Table 3-143 Push policy for employees

Parameter                                        Value
Name                                             Employee Push Policy
Access Mode                                      Wireless
Customized parameter                             ssid=employee
Push page                                        Employee certification page
First page to push                               Authentication
Page displayed after successful authentication   Continue access

b. Configure push rules for guests in a similar manner and click OK.

Table 3-144 Push rule for guests

Parameter                                        Value
Name                                             Guest Push Policy
Access Mode                                      Wireless
Customized parameter                             ssid=guest
Push page                                        Guest authentication page
First page to push                               Authentication
Page displayed after successful authentication   Continue access

12. [iMaster NCE-Campus] Enable MAC address-prioritized Portal authentication on iMaster NCE-Campus.
a. Choose Admission > Admission Policy > Online User Control. Click User Control Policy.
b. Click Create. Configure a Portal authentication-free policy, enable Portal authentication-free, and set the authentication-free period.

c. Open the created Portal authentication-free policy, assign it to a user group, bind employees and guests, and click OK.


Verification

Item: Employee authentication
Expected Result:
● Employees can access only the iMaster NCE-Campus server, DNS server, AD server, and DHCP server before authentication.
● When an employee connects to the Wi-Fi hotspot employee using a computer and attempts to visit the Internet or service system, the employee authentication page is pushed to the employee. After the employee enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
● After employees are successfully authenticated, they can access the Internet and service system.
● After the authentication succeeds, run the display access-user command on the WAC. Information about online users is displayed.
● Choose Admission > Admission Policy > Online User Control from the main menu and click Online User. Information about online employees is displayed.
● Choose Monitoring > Event Logs > Terminal Authentication Logs from the main menu. You can see the Portal authentication logs for employee accounts on the Portal Login and Logout Logs tab page.

Item: Guest authentication
Expected Result:
● Guests can access only the iMaster NCE-Campus server, DNS server, and DHCP server before authentication.
● When the guest connects to the Wi-Fi hotspot guest using a mobile phone and attempts to visit the Internet, the guest authentication page is pushed to the mobile phone. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
● When a guest connects to the Wi-Fi hotspot guest using a PC or tablet and attempts to visit the Internet, the guest authentication page is pushed to the PC or tablet. After the guest enters the correct user name and password, the authentication succeeds and the requested web page is displayed automatically.
● After guests are successfully authenticated using the accounts registered by their mobile numbers, they can access the Internet but not the service system.
● After the authentication succeeds, run the display access-user command on the WAC. Information about online guests is displayed.
● Choose Admission > Admission Policy > Online User Control from the main menu and click Online User. Information about online users is displayed.
● Choose Monitoring > Event Logs > Terminal Authentication Logs from the main menu. You can see the Portal authentication logs for guest accounts on the Portal Login and Logout Logs tab page.

Item: The employee disconnects from the wireless network and reconnects to the network 5 minutes later.
Expected Result: The authentication is completed automatically. The employee can connect to the Internet without entering the user name and password.

Item: The employee disconnects from the wireless network and reconnects to the network 65 minutes later.
Expected Result: The employee authentication page is pushed to the employee when the employee attempts to access the Internet. After the employee enters the correct user name and password, the requested web page is displayed.

Summary and Suggestions

● The RADIUS authentication and accounting key, RADIUS authorization key,
and Portal key must be the same on the WAC and iMaster NCE-Campus. The
URL encryption key and accounting interval must also be the same on the
WAC and iMaster NCE-Campus.
● Authorization rules or Portal page push rules are matched in descending
order of priority (ascending order of rule numbers). If the authorization
condition or Portal push condition of a user matches a rule, iMaster NCE-
Campus does not check the subsequent rules. Therefore, it is recommended
that you set higher priorities for the rules defining more precise conditions
and set lower priorities for the rules defining fuzzy conditions.
● The RADIUS accounting function is configured on the WAC to enable iMaster
NCE-Campus to obtain online user information by exchanging accounting
packets with the WAC. iMaster NCE-Campus does not support the real
accounting function. If accounting is required, use a third-party accounting
server.

Configuration Files
ACC configuration file
#
sysname ACC
#
vlan 10
#
interface gigabitethernet 0/0/1
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
interface gigabitethernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 10
#
interface gigabitethernet 0/0/3
port link-type trunk
port trunk pvid vlan 10
port trunk allow-pass vlan 10
#
return

AGG configuration file
#
sysname AGG
#
vlan batch 10 100 101
#
interface gigabitethernet 0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface gigabitethernet 0/0/2
port link-type trunk
port trunk allow-pass vlan 100 101
#
interface gigabitethernet 0/0/3
port link-type trunk
port trunk allow-pass vlan 10 100 101
#
return

AC6605 configuration file
#
sysname AC6605
#
vlan batch 10 100 101
#
dhcp enable
dhcp snooping enable
#
device-sensor dhcp option 12 55 60
#
radius-server template radius_template
radius-server shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
radius-server authentication 192.168.11.10 1812 source ip-address 10.10.10.254
radius-server accounting 192.168.11.10 1813 source ip-address 10.10.10.254
called-station-id wlan-user-format ac-mac include-ssid
radius-attribute nas-ip 10.10.10.254
radius-server user-name original
#
radius-server authorization 192.168.11.10 shared-key cipher %^%#j7U//99!v(-n+\HtWgD60K@2IFc-I$3F)3K]ar/O%^%#
#
aaa
authentication-scheme auth_scheme
authentication-mode radius
accounting-scheme acco_scheme
accounting-mode radius
accounting realtime 15
#
url-template name huawei
url https://access.example.com:19008/portal
url-parameter device-ip ac-ip redirect-url redirect-url ssid ssid user-ipaddress uaddress user-mac umac
#
web-auth-server listening-port 2000
#
web-auth-server portal_huawei
shared-key cipher %^%#P[n27T`hLB$H1E=siWPS"rhE.uin=.2B}~6*R^:A%^%#
server-source ip-address 10.10.10.254
protocol portal
server-ip 192.168.11.10
source-ip 10.10.10.254
port 50100
url-template huawei
server-detect interval 100 max-times 5 critical-num 0 action log
#
portal quiet-period
portal quiet-times 5
portal timer quiet-period 240
#
portal-access-profile name acc_portal_employee
web-auth-server portal_huawei direct
authentication event portal-server-down action authorize user-group group1
authentication event portal-server-up action re-authen
portal-access-profile name acc_portal_guest
web-auth-server portal_huawei direct
authentication event portal-server-down action authorize user-group group2
authentication event portal-server-up action re-authen
#
mac-access-profile name acc_mac
#
authentication-profile name auth_portal_employee
mac-access-profile acc_mac
portal-access-profile acc_portal_employee
authentication-scheme auth_scheme
accounting-scheme acco_scheme
radius-server radius_template
free-rule-template default_free_rule
authentication-profile name auth_portal_guest
portal-access-profile acc_portal_guest
authentication-scheme auth_scheme
accounting-scheme acco_scheme
radius-server radius_template
free-rule-template default_free_rule
#
user-group group1
acl 3001
user-group group2
acl 3002
#
free-rule-template name default_free_rule
free-rule 1 destination ip 192.168.11.1 mask 255.255.255.255
free-rule 2 destination ip 192.168.11.100 mask 255.255.255.255
free-rule 3 destination ip 192.168.11.2 mask 255.255.255.255
#
acl 3001
rule 5 permit ip
acl 3002
rule 5 deny ip destination 192.168.11.200 255.255.255.255
rule 10 permit ip
#
interface vlanif 10
ip address 10.10.10.254 24
dhcp select interface
#
interface gigabitethernet 0/0/1
port link-type trunk
port trunk allow-pass vlan 10 100 101
#
wlan
security-profile name security_portal
security open
ssid-profile name wlan-ssid-employee
ssid employee
ssid-profile name wlan-ssid-guest
ssid guest
regulatory-domain-profile name domain1
country-code cn
vap-profile name wlan-vap-employee
forward-mode tunnel
service-vlan vlan-id 100
security-profile security_portal
ssid-profile wlan-ssid-employee
authentication-profile auth_portal_employee
vap-profile name wlan-vap-guest
forward-mode tunnel
service-vlan vlan-id 101
security-profile security_portal
ssid-profile wlan-ssid-guest
authentication-profile auth_portal_guest
ap-group name employee
regulatory-domain-profile domain1
vap-profile wlan-vap-employee wlan 1 radio 0
vap-profile wlan-vap-employee wlan 1 radio 1
ap-group name guest
regulatory-domain-profile domain1
vap-profile wlan-vap-guest wlan 1 radio 0
vap-profile wlan-vap-guest wlan 1 radio 1
ap auth-mode mac-auth
ap-id 0 ap-mac 00e0-fc76-a320
ap-name ap_0
ap-group employee
ap-id 1 ap-mac 00e0-fc76-a330
ap-name ap_1
ap-group guest
#
capwap source interface vlanif 10
#
ip route-static 0.0.0.0 0 172.16.21.254
#
return

3.14.7 Typical NAC Configuration (Common Mode)

3.14.7.1 Example for Configuring 802.1X Authentication to Control User Access

802.1X Authentication Overview

802.1X is a port-based network access control protocol, and 802.1X authentication is one of the NAC authentication modes. 802.1X authentication ensures the security of enterprise intranets.

802.1X authentication provides high security; however, it requires that 802.1X client software be installed on user terminals, which makes network deployment inflexible. The other two NAC authentication methods have their own advantages and disadvantages: MAC address authentication does not require client software installation, but MAC addresses must be registered on an authentication server. Portal authentication also does not require client software installation and provides flexible deployment, but it offers low security.

As a result, 802.1X authentication is applied to scenarios with new networks, centralized user distribution, and strict information security requirements. In addition, 802.1X authentication supports MAC address bypass authentication so that dumb terminals on 802.1X authentication networks can be connected after passing authentication.

Configuration Notes
This configuration example applies to all switches running all versions.

Networking Requirements
As shown in Figure 3-232, the terminals in an office are connected to the
company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of
key information. Therefore, the administrator requires that the Switch should
control the users' network access rights to ensure internal network security.

Figure 3-232 Networking diagram for configuring 802.1X authentication

Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain so that the Switch can authenticate access users
through the RADIUS server.
2. Configure 802.1X authentication on the Switch.
a. Enable 802.1X authentication to control network access rights of the
employees in the office.
b. Enable MAC address bypass authentication to authenticate terminals
(such as printers) that cannot install 802.1X authentication client
software.

NOTE

● Before configuring this example, ensure that devices can communicate with each other
in the network.
● In this example, the LAN switch exists between the access switch Switch and users. To
ensure that users can pass 802.1X authentication, you must configure the EAP packet
transparent transmission function on the LAN switch.
● Method 1: The S5700-LI is used as an example of the LAN switch. Perform the
following operations:
1. Run the l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-
c200-0003 group-mac 0100-0000-0002 command in the system view of the
LAN switch to configure the LAN switch to transparently transmit EAP packets.
2. Run the l2protocol-tunnel user-defined-protocol 802.1x enable command
on the interface connecting to users and the interface connecting to the access
switch to enable the Layer 2 protocol tunneling function.
● Method 2: This method is recommended when a large number of users exist or
high network performance is required. Only the S5720-EI, S5720-HI, S5730-HI,
S5731-H, S5731S-H, S5731-S, S5731S-S, S6720-EI, S6720-HI, S6720S-EI, S5732-H,
S6730-H, S6730S-H, S6730-S, and S6730S-S support this method.
1. Run the following commands in the system view:
● undo bpdu mac-address 0180-c200-0000 ffff-ffff-fff0
● bpdu mac-address 0180-c200-0000 FFFF-FFFF-FFFE
● bpdu mac-address 0180-c200-0002 FFFF-FFFF-FFFF
● bpdu mac-address 0180-c200-0004 FFFF-FFFF-FFFC
● bpdu mac-address 0180-c200-0008 FFFF-FFFF-FFF8
2. (This step is mandatory when you switch from method 1 to method 2.) Run
the undo l2protocol-tunnel user-defined-protocol 802.1x enable command
in the interface view to delete the configuration of transparent transmission of
802.1x protocol packets.

Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# On the Switch, set GE1/0/1 connecting to users as an access interface, and add
GE1/0/1 to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit

NOTE

Configure the interface type and VLANs according to the actual situation. In this example,
users are added to VLAN 10.

# On the Switch, set GE1/0/2 connecting to the RADIUS server as an access interface, and add GE1/0/2 to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create authentication domain isp1, and bind AAA scheme abc and RADIUS
server template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure the default domain isp1 in the system view. When a user enters the
user name in the format of user@isp1, the user is authenticated in the
authentication domain isp1. If the user name does not carry the domain name or
carries a nonexistent domain name, the user is authenticated in the default
domain.
[Switch] domain isp1

Step 3 Configure 802.1X authentication.
# Switch the NAC mode to common mode. This step applies only to switches running V200R005C00 and later versions.
[Switch] undo authentication unified-mode
Warning: Switching the authentication mode will take effect after system restart
. Some configurations are invalid after the mode is switched. For the invalid co
mmands, see the user manual. Save the configuration file and reboot now? [Y/N] y

NOTE

● By default, the NAC unified mode is used.


● After the unified mode is switched to common mode, you must save the configuration and
restart the device to make each function in the new configuration mode take effect. In
versions earlier than V200R007C00, you need to manually run the commands for saving the
configuration and restarting the device.

# Enable 802.1X authentication globally and on an interface.
<Switch> system-view
[Switch] dot1x enable
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] dot1x enable
[Switch-GigabitEthernet1/0/1] dot1x authentication-method eap

# Configure MAC address bypass authentication.
[Switch-GigabitEthernet1/0/1] dot1x mac-bypass

Step 4 Verify the configuration.


1. Run the display dot1x command to check the 802.1X authentication
configuration. The command output (802.1x protocol is Enabled) shows that
the 802.1X authentication has been enabled on the interface GE1/0/1.
2. The user starts the 802.1X client on the terminal, and enters the user name
and password for authentication.
3. If the user name and password are correct, an authentication success
message is displayed on the client page. The user can access the network.
4. After the user goes online, you can run the display access-user command on
the device to check the online 802.1X user information.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
undo authentication unified-mode
#
domain isp1
#
dot1x enable
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
dot1x enable
dot1x authentication-method eap
dot1x mac-bypass
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return

3.14.7.2 Example for Configuring MAC Address Authentication to Control User Access

MAC Address Authentication Overview


As one of the NAC authentication modes, MAC address authentication controls a user's network access rights based on the user's interface and MAC address. The user does not need to install any client software. MAC address authentication ensures the security of enterprise intranets.

In MAC address authentication, client software does not need to be installed on user terminals, but MAC addresses must be registered on servers, resulting in complex management. The other two NAC authentication methods have their own advantages and disadvantages: 802.1X authentication provides high security, but it requires that 802.1X client software be installed on user terminals, making network deployment inflexible. Portal authentication also does not require client software installation and provides flexible deployment, but it offers low security.

MAC address authentication is applied to access authentication scenarios for dumb terminals such as printers and fax machines.

Configuration Notes
This configuration example applies to all switches running all versions.

Networking Requirements
As shown in Figure 3-233, the terminals in the physical access control department
are connected to the company's internal network through the Switch.
Unauthorized access to the internal network can damage the company's service
system and cause leakage of key information. Therefore, the administrator
requires that the Switch should control the users' network access rights to ensure
internal network security.

Figure 3-233 Configuring MAC address authentication to control user access

Configuration Roadmap
The configuration roadmap is as follows:
1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain so that the Switch can authenticate access users
through the RADIUS server.

2. Enable MAC address authentication so that the Switch can control network
access rights of the dumb terminals in the physical access control department.

NOTE

Before configuring this example, ensure that devices can communicate with each other on the
network.

Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# On the Switch, set GE1/0/1 connecting to users as an access interface, and add
GE1/0/1 to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit

NOTE

Configure the interface type and VLANs according to the actual situation. In this example,
users are added to VLAN 10.

# On the Switch, set GE1/0/2 connecting to the RADIUS server as an access interface, and add GE1/0/2 to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.
# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create authentication domain isp1, and bind AAA scheme abc and RADIUS
server template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure the default domain isp1 in the system view. When a user enters the
user name in the format of user@isp1, the user is authenticated in the
authentication domain isp1. If the user name does not carry the domain name or
carries a nonexistent domain name, the user is authenticated in the default
domain.
[Switch] domain isp1

Step 3 Configure MAC address authentication.
# Switch the NAC mode to common mode. This step applies only to switches running V200R005C00 and later versions.
[Switch] undo authentication unified-mode
Warning: Switching the authentication mode will take effect after system restart
. Some configurations are invalid after the mode is switched. For the invalid co
mmands, see the user manual. Save the configuration file and reboot now? [Y/N] y

NOTE

● By default, the NAC unified mode is used.


● After the unified mode is switched to common mode, you must save the configuration and
restart the device to make each function in the new configuration mode take effect. In
versions earlier than V200R007C00, you need to manually run the commands for saving the
configuration and restarting the device.

# Enable MAC address authentication globally and on the interface.
<Switch> system-view
[Switch] mac-authen
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] mac-authen
[Switch-GigabitEthernet1/0/1] quit

Step 4 Verify the configuration.


1. Run the display mac-authen command to check the MAC address
authentication configuration. The command output (MAC address
authentication is enabled) shows that MAC address authentication has been
enabled on GE1/0/1.
2. After the user starts the terminal, the device automatically obtains the
terminal MAC address and uses it as the user name and password for
authentication.
3. The user can access the network after the authentication succeeds.
4. After the user goes online, you can run the display access-user command on
the device to check the online MAC address authentication user information.

----End
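Step 2 of the verification says the switch uses the terminal's MAC address as both the user name and the password. The following Python models the RADIUS exchange behind that step, as an added example that is not part of this guide and not Huawei's implementation: the switch (NAS) hides the password per RFC 2865 section 5.2 under the shared key and a random Request Authenticator, the server recovers it, checks the MAC against its registered list and answers with an Access-Accept or Access-Reject whose Response Authenticator the switch verifies before trusting it. The shared key Huawei@2012 is the one the example configures; the registered MAC, the NAS IP address, the packet identifier and the hyphenated user-name form (the switch's MAC user-name format is configurable) are assumptions of this example.

```python
import hashlib
import hmac
import os
import struct
from typing import Iterable, List, Optional, Set, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4   # RFC 2865 attribute types


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password; the NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(x ^ y for x, y in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00")


def encode_attrs(attrs: Iterable[Tuple[int, bytes]]) -> bytes:
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data: bytes) -> List[Tuple[int, bytes]]:
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed attribute")      # truncated or zero-length TLV
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def nas_access_request(mac: str, nas_ip: str, secret: bytes, ident: int, request_auth: bytes) -> bytes:
    """Switch side. MAC address authentication sends the terminal MAC as both user
    name and password; the hyphenated text form is an assumption of this example."""
    attrs = encode_attrs([
        (USER_NAME, mac.encode()),
        (USER_PASSWORD, hide_password(mac.encode(), secret, request_auth)),
        (NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + request_auth + attrs


def server_response(request: bytes, secret: bytes, registered_macs: Set[str]) -> bytes:
    """RADIUS server side: recover the password, check the MAC is registered and
    answer Accept or Reject. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    _, ident, length = struct.unpack("!BBH", request[:4])
    request_auth = request[4:20]
    attrs = dict(decode_attrs(request[20:length]))
    name = attrs.get(USER_NAME, b"")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, request_auth)
    ok = name.decode(errors="replace") in registered_macs and hmac.compare_digest(password, name)
    header = struct.pack("!BBH", ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, 20)
    return header + hashlib.md5(header + request_auth + secret).digest()   # no reply attributes


def nas_verify_response(response: bytes, ident: int, request_auth: bytes, secret: bytes) -> str:
    """Switch side: a reply whose Response Authenticator does not verify under the
    configured shared key is dropped as if no server had answered."""
    code, resp_ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + request_auth + response[20:length] + secret).digest()
    if resp_ident != ident or not hmac.compare_digest(expected, response[4:20]):
        return "invalid"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "invalid")


def run_exchange(mac: str, nas_secret: bytes, server_secret: bytes, registered_macs: Set[str],
                 request_auth: Optional[bytes] = None) -> str:
    """One MAC-authentication round trip. nas_secret != server_secret models the
    mismatched shared key the Summary and Suggestions above warn about."""
    request_auth = request_auth or os.urandom(16)
    ident = 7                                                   # constructed packet identifier
    req = nas_access_request(mac, "192.168.2.1", nas_secret, ident, request_auth)  # NAS IP: constructed
    resp = server_response(req, server_secret, registered_macs)
    return nas_verify_response(resp, ident, request_auth, nas_secret)


if __name__ == "__main__":
    key = b"Huawei@2012"                 # shared key configured in the example
    printers = {"00e0-fc12-3456"}        # constructed registered printer MAC
    print(run_exchange("00e0-fc12-3456", key, key, printers))           # accept
    print(run_exchange("00e0-fc12-9999", key, key, printers))           # reject
    print(run_exchange("00e0-fc12-3456", key, b"other-key", printers))  # invalid
```

The third call shows what a key mismatch between the switch and the server looks like in practice: the server recovers garbage instead of the MAC and rejects, but the reject itself fails the switch's Response Authenticator check, so the switch sees no valid answer at all and the user never comes online. The password hiding is only an MD5 keystream XOR keyed by the shared key, which is why the key's strength and the confidentiality of the switch-to-server link both matter.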

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
undo authentication unified-mode
#
domain isp1
#
mac-authen
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
mac-authen
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return

3.14.7.3 Example for Configuring Portal Authentication to Control User Access

Portal Authentication Overview


As one of the NAC authentication modes, Portal authentication is also called web authentication. Portal authentication websites are generally called Portal websites. When users go online, they must be authenticated on a Portal website, and they can use network resources only after they pass the authentication.

Portal authentication does not provide high security, but it requires no client software installation and allows flexible deployment. The other two NAC authentication methods have their own advantages and disadvantages: 802.1X authentication provides high security, but it requires that 802.1X client software be installed on user terminals, making network deployment inflexible. MAC address authentication does not require client software installation, but MAC addresses must be registered on an authentication server, resulting in complex management.

Portal authentication is applied to scenarios with a large number of scattered users who move frequently, such as company visitors.

Configuration Notes
This example applies to the following products:
● V200R005C00SPC300 and later versions: S2750-EI, S5700-LI, S5700S-LI
● S2720-EI, S3700-SI, S3700-EI, S3700-HI
● S5710-C-LI, S5710-X-LI, S5700-SI, S5700-EI, S5710-EI, S5720-EI, S5720-LI,
S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S5700-HI,
S5710-HI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-S, S5731S-H,
S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1,
S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
● S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730S-H, S6730-S, S6730S-S
● S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712

For the product models whose applicable versions are not listed above, see Table
3-1 in "Applicable Products and Versions" for details.

Networking Requirements
As shown in Figure 3-234, the terminals in the visitor area are connected to the
company's internal network through the Switch. Unauthorized access to the
internal network can damage the company's service system and cause leakage of
key information. Therefore, the administrator requires that the Switch should
control the users' network access rights to ensure internal network security.

Figure 3-234 Configuring Portal authentication to control user access

Configuration Roadmap
The configuration roadmap is as follows:

1. Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain. Bind the RADIUS server template and AAA scheme to
the authentication domain so that the Switch can authenticate access users
through the RADIUS server.
2. Configure Portal authentication so that the device can control network access
rights of the visitors in the visitor areas.
a. Create and configure a Portal server template to ensure normal
information exchange between the device and the Portal server.
b. Enable Portal authentication to authenticate access users.
c. Configure a shared key that the device uses to exchange information with
the Portal server to improve communication security.

NOTE

Before configuring this example, ensure that devices can communicate with each other in the
network.

Procedure
Step 1 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.

# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# On the Switch, set GE1/0/1 connecting to users as an access interface, and add
GE1/0/1 to VLAN 10.
[Switch] interface gigabitethernet1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit

NOTE

Configure the interface type and VLANs according to the actual situation. In this example,
users are added to VLAN 10.

# On the Switch, set GE1/0/2 connecting to the RADIUS server as an access interface, and add GE1/0/2 to VLAN 20.
[Switch] interface gigabitethernet1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit

Step 2 Create and configure a RADIUS server template, an AAA scheme, and an
authentication domain.

# Create and configure the RADIUS server template rd1.
[Switch] radius-server template rd1
[Switch-radius-rd1] radius-server authentication 192.168.2.30 1812
[Switch-radius-rd1] radius-server shared-key cipher Huawei@2012
[Switch-radius-rd1] quit

# Create AAA scheme abc and set the authentication mode to RADIUS.
[Switch] aaa
[Switch-aaa] authentication-scheme abc
[Switch-aaa-authen-abc] authentication-mode radius
[Switch-aaa-authen-abc] quit

# Create authentication domain isp1, and bind AAA scheme abc and RADIUS
server template rd1 to authentication domain isp1.
[Switch-aaa] domain isp1
[Switch-aaa-domain-isp1] authentication-scheme abc
[Switch-aaa-domain-isp1] radius-server rd1
[Switch-aaa-domain-isp1] quit
[Switch-aaa] quit

# Configure the default domain isp1 in the system view. When a user enters the
user name in the format of user@isp1, the user is authenticated in the
authentication domain isp1. If the user name does not carry the domain name or
carries a nonexistent domain name, the user is authenticated in the default
domain.
[Switch] domain isp1

Step 3 Configure Portal authentication.
# Switch the NAC mode to common mode. This step applies only to switches running V200R005C00 and later versions.
[Switch] undo authentication unified-mode
Warning: Switching the authentication mode will take effect after system restart
. Some configurations are invalid after the mode is switched. For the invalid co
mmands, see the user manual. Save the configuration file and reboot now? [Y/N] y

NOTE

● By default, the NAC unified mode is used.


● After the unified mode is switched to common mode, you must save the configuration and
restart the device to make each function in the new configuration mode take effect. In
versions earlier than V200R007C00, you need to manually run the commands for saving the
configuration and restarting the device.

# Create and configure a Portal server template abc.
<Switch> system-view
[Switch] web-auth-server abc
[Switch-web-auth-server-abc] server-ip 192.168.2.20
[Switch-web-auth-server-abc] port 50200
[Switch-web-auth-server-abc] url http://192.168.2.20:8080/webagent
[Switch-web-auth-server-abc] quit

NOTE

Ensure that the port number configured on the device is the same as that used by the Portal
server.

# Enable Portal authentication.
[Switch] interface vlanif 10
[Switch-Vlanif10] web-auth-server abc direct
[Switch-Vlanif10] quit

# Set the shared key in cipher text to YsHsjx_202206.
[Switch] web-auth-server abc
[Switch-web-auth-server-abc] shared-key cipher YsHsjx_202206
[Switch-web-auth-server-abc] quit

NOTE

In this example, users are allocated static IP addresses. If the users obtain IP addresses through
DHCP and the DHCP server is connected upstream of the Switch, use the portal free-rule command
to create authentication-free rules and ensure that the DHCP server is included in the
authentication-free rules.
In versions earlier than V200R012C00, if the URL of the Portal server needs to be resolved by DNS
and the DNS server is on the upstream network of the NAS device, you also need to create
authentication-free rules and ensure that the DNS server is included in the authentication-free
rules. In V200R012C00 and later versions, the NAS device automatically allows DNS packets to
pass through, and no authentication-free rule is required for Portal authentication.

Step 4 Verify the configuration.


1. Run the display portal and display web-auth-server configuration
commands to check the Portal authentication configuration. The command
output (web-auth-server layer2(direct)) shows that the Portal server
template has been bound to the interface vlanif10.
2. After starting the browser and entering any network address, the user is
redirected to the Portal authentication page. The user then enters the user
name and password for authentication.

3. If the user name and password are correct, an authentication success
message is displayed on the Portal authentication page. The user can access
the network.
4. After the user goes online, you can run the display access-user command on
the device to check the online Portal authentication user information.
----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
undo authentication unified-mode
#
domain isp1
#
radius-server template rd1
radius-server shared-key cipher %^%#Q75cNQ6IF(e#L4WMxP~%^7'u17,]D87GO{"[o]`D%^%#
radius-server authentication 192.168.2.30 1812 weight 80
#
web-auth-server abc
server-ip 192.168.2.20
port 50200
shared-key cipher %^%#t:hJ@gD7<+G&,"Y}Y[VP4\foQ&og/Gg(,J4#\!gD%^%#
url http://192.168.2.20:8080/webagent
#
aaa
authentication-scheme abc
authentication-mode radius
domain isp1
authentication-scheme abc
radius-server rd1
#
interface Vlanif10
web-auth-server abc direct
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
return

3.15 Typical Security Configuration

3.15.1 Typical ACL Configuration

3.15.1.1 Example for Using an ACL to Restrict FTP Access Rights

ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the
packet matching conditions. These conditions include source addresses,
destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches
packets based on the rules to obtain the packets of a certain type, and then

decides to forward or discard these packets according to the policies used by the
service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL,
and Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on
information such as source IP addresses, fragment information, and time ranges. If
you only need to filter packets based on source IP addresses, you can configure a
basic ACL.
In this example, a basic ACL is applied to the FTP module to allow only the
specified clients to access the FTP server, improving FTP server security.

Configuration Notes
● In this example, the local user password is in irreversible-cipher mode,
indicating that the password is stored using a one-way (irreversible)
algorithm. The plaintext password cannot be recovered from the stored value,
so this is the more secure mode and should be used wherever available. This
password mode only applies to V200R003C00 and later versions. In versions
earlier than V200R003C00, local user passwords can only be in cipher mode,
indicating that the passwords are encrypted using a reversible algorithm, so
the plaintext can be recovered from the stored value. This mode is less secure.
● This example applies to all versions of all S series switches.

Networking Requirements
As shown in Figure 3-235, the Switch functions as an FTP server. The
requirements are as follows:
● All the users on subnet 1 (172.16.105.0/24) are allowed to access the FTP
server anytime.
● All the users on subnet 2 (172.16.107.0/24) are allowed to access the FTP
server only during the specified period of time.
● Other users are not allowed to access the FTP server.
Reachable routes exist between the Switch and subnets. You need to configure the
Switch to limit user access to the FTP server.

Figure 3-235 Using basic ACLs to restrict FTP access rights

Procedure
Step 1 Configure a time range.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] time-range ftp-access from 0:0 2014/1/1 to 23:59 2014/12/31 //Create an absolute time range
for an ACL.
[Switch] time-range ftp-access 14:00 to 18:00 off-day //Create a periodic time range for an ACL. The
time range is 14:00-18:00 on every weekend. The validity period of ftp-access is the overlap of the two time
ranges.

Step 2 Configure a basic ACL.


[Switch] acl number 2001
[Switch-acl-basic-2001] rule permit source 172.16.105.0 0.0.0.255 //Allow users on network segment
172.16.105.0/24 to access the FTP server anytime.
[Switch-acl-basic-2001] rule permit source 172.16.107.0 0.0.0.255 time-range ftp-access //Allow users
on network segment 172.16.107.0/24 to access the FTP server only in the ftp-access time range.
[Switch-acl-basic-2001] rule deny source any //Prevent other users from accessing the FTP server.
[Switch-acl-basic-2001] quit

Step 3 Configure basic FTP functions.


[Switch] ftp server enable //Enable the FTP server to allow users to log in to the device through FTP.
[Switch] ftp server-source -i Vlanif 10 //Configure the source interface of the server as the interface
corresponding to 172.16.104.110. Assume that the interface is Vlanif 10.
[Switch] aaa
[Switch-aaa] local-user huawei password irreversible-cipher SetUserPassword@123 //Configure the
FTP user name and password. The password in irreversible-cipher mode only applies to V200R003C00 and
later versions. In versions earlier than V200R003C00, only the passwords in cipher mode can be used.
[Switch-aaa] local-user huawei privilege level 15 //Set the FTP user level.
[Switch-aaa] local-user huawei service-type ftp //Set the FTP user service type.
[Switch-aaa] local-user huawei ftp-directory cfcard:/ //Configure the FTP working directory, which must
be configured as flash:/ on a fixed switch.
[Switch-aaa] quit

Step 4 Configure access permissions on the FTP server.


[Switch] ftp acl 2001 //Apply an ACL to the FTP module.

Step 5 Verify the configuration.


Run the ftp 172.16.104.110 command on PC1 (172.16.105.111/24) in subnet 1.
PC1 can connect to the FTP server at any time.
Run the ftp 172.16.104.110 command on PC2 (172.16.107.111/24) in subnet 2 at
15:00 on a Monday in 2014. PC2 cannot connect to the FTP server, because the
periodic part of ftp-access covers weekends only. Run the ftp 172.16.104.110
command on PC2 at 15:00 on a Saturday in 2014. PC2 can connect to the FTP
server.
Run the ftp 172.16.104.110 command on PC3 (10.10.10.1/24). PC3 cannot
connect to the FTP server, because it matches only the final deny rule.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
FTP server enable
FTP server-source -i Vlanif 10
FTP acl 2001
#
time-range ftp-access 14:00 to 18:00 off-day

time-range ftp-access from 00:00 2014/1/1 to 23:59 2014/12/31


#
acl number 2001
rule 5 permit source 172.16.105.0 0.0.0.255
rule 10 permit source 172.16.107.0 0.0.0.255 time-range ftp-access
rule 15 deny
#
aaa
local-user huawei password irreversible-cipher %^%#uM-!TkAaGB5=$$6SQuw$#batog!R7M_d^!
o{*@N9g'e0baw#%^%#
local-user huawei privilege level 15
local-user huawei ftp-directory cfcard:/
local-user huawei service-type ftp
#
return

3.15.1.2 Example for Using ACLs to Control Access to the Specified Server in
the Specified Time Range

ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the
packet matching conditions. These conditions include source addresses,
destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches
packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the
service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL,
and Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on
source IP addresses, destination addresses, IP protocol types, TCP source/
destination port numbers, UDP source/destination port numbers, fragment
information, and time ranges. Compared with a basic ACL, an advanced ACL is
more accurate, flexible, and provides more functions. For example, if you want to
filter packets based on source and destination IP addresses, configure an advanced
ACL.
In this example, advanced ACLs are applied to the traffic policy module so that the
device can filter the packets sent from users to the specified server and thus
restrict access to the specified server during a time range.

Configuration Notes
This example applies to all versions of all S series switches.

NOTE

The following commands and output information are obtained from S7712 running
V200R007C00.

Networking Requirements
As shown in Figure 3-236, the departments of an enterprise are connected
through the Switch. The R&D and marketing departments cannot access the salary
query server at 10.164.9.9 in work hours (08:00 to 17:30), whereas the president
office can access the server at anytime.

Figure 3-236 Using ACLs to control access to the specified server in the specified
time range

Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
1. Configure the time range, advanced ACL, and ACL-based traffic classifier to
filter packets from users to the server in the specified time range. In this way,
you can restrict the access of different users to the server in the specified time
range.
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take
effect.

Procedure
Step 1 Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
# Add GE1/0/1 through GE1/0/3 to VLANs 10, 20, and 30 respectively, add
GE2/0/1 to VLAN 100, and assign IP addresses to the VLANIF interfaces. The
configurations on GE1/0/1 and VLANIF 10 are used as an example here. The
configurations on GE1/0/2, GE1/0/3, and GE2/0/1 are similar to the configuration
on GE1/0/1, and the configurations on VLANIF 20, VLANIF 30, and VLANIF 100
are similar to the configuration on VLANIF 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 100
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk

[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Switch-Vlanif10] quit

Step 2 Configure the time range.


# Configure the time range as 8:00 to 17:30.
[Switch] time-range satime 8:00 to 17:30 working-day //Configure a periodic time range for an ACL.

Step 3 Configure ACLs.


# Configure an ACL for the marketing department accessing the salary query
server.
[Switch] acl 3002
[Switch-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range
satime //Prevent the marketing department from accessing the salary query server in the time range
satime.
[Switch-acl-adv-3002] quit

# Configure an ACL for the R&D department accessing the salary query server.
[Switch] acl 3003
[Switch-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0.0.0.0 time-range
satime //Prevent the R&D department from accessing the salary query server in the time range satime.
[Switch-acl-adv-3003] quit

Step 4 Configure ACL-based traffic classifiers.


# Configure the traffic classifier c_market to classify the packets that match ACL
3002.
[Switch] traffic classifier c_market //Create a traffic classifier.
[Switch-classifier-c_market] if-match acl 3002 //Associate an ACL with the traffic classifier.
[Switch-classifier-c_market] quit

# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[Switch] traffic classifier c_rd //Create a traffic classifier.
[Switch-classifier-c_rd] if-match acl 3003 //Associate an ACL with the traffic classifier.
[Switch-classifier-c_rd] quit

Step 5 Configure traffic behaviors.


# Configure the traffic behavior b_market to reject packets.
[Switch] traffic behavior b_market //Create a traffic behavior.
[Switch-behavior-b_market] deny //Set the action of the traffic behavior to deny.
[Switch-behavior-b_market] quit

# Configure the traffic behavior b_rd to reject packets.


[Switch] traffic behavior b_rd //Create a traffic behavior.
[Switch-behavior-b_rd] deny //Set the action of the traffic behavior to deny.
[Switch-behavior-b_rd] quit

Step 6 Configure traffic policies.


# Configure the traffic policy p_market and associate the traffic classifier
c_market and the traffic behavior b_market with the traffic policy.
[Switch] traffic policy p_market //Create a traffic policy.
[Switch-trafficpolicy-p_market] classifier c_market behavior b_market //Associate the traffic classifier
c_market with the traffic behavior b_market.
[Switch-trafficpolicy-p_market] quit

# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the
traffic behavior b_rd with the traffic policy.
[Switch] traffic policy p_rd //Create a traffic policy.
[Switch-trafficpolicy-p_rd] classifier c_rd behavior b_rd //Associate the traffic classifier c_rd with the
traffic behavior b_rd.
[Switch-trafficpolicy-p_rd] quit

Step 7 Apply the traffic policy.


# Packets from the marketing department to the server are received by GE1/0/2;
therefore, apply the traffic policy p_market to the inbound direction of GE1/0/2.
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] traffic-policy p_market inbound //Apply the traffic policy to the inbound
direction of an interface.
[Switch-GigabitEthernet1/0/2] quit

# Packets from the R&D department to the server are received by GE1/0/3;
therefore, apply the traffic policy p_rd to the inbound direction of GE1/0/3.
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] traffic-policy p_rd inbound //Apply the traffic policy to the inbound
direction of an interface.
[Switch-GigabitEthernet1/0/3] quit

Step 8 Verify the configuration.


# Check the configuration of ACL rules.
[Switch] display acl all
Total nonempty ACL number is 2

Advanced ACL 3002, 1 rule
Acl's step is 5
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (match-counter 0) (Active)

Advanced ACL 3003, 1 rule
Acl's step is 5
rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime (match-counter 0) (Active)

# Check the configuration of the traffic classifier.


[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c_market
Precedence: 5
Operator: OR
Rule(s) : if-match acl 3002

Classifier: c_rd
Precedence: 10
Operator: OR
Rule(s) : if-match acl 3003

Total classifier number is 2

# Check the configuration of the traffic policy.


[Switch] display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: p_market
Classifier: c_market
Operator: OR
Behavior: b_market
Deny

Policy: p_rd
Classifier: c_rd
Operator: OR
Behavior: b_rd
Deny

Total policy number is 2

# Check the traffic policy application records.


[Switch] display traffic-policy applied-record
#
-------------------------------------------------
Policy Name: p_market
Policy Index: 0
Classifier:c_market Behavior:b_market
-------------------------------------------------
*interface GigabitEthernet1/0/2
traffic-policy p_market inbound
slot 1 : success
-------------------------------------------------
Policy total applied times: 1.
#
-------------------------------------------------
Policy Name: p_rd
Policy Index: 1
Classifier:c_rd Behavior:b_rd
-------------------------------------------------
*interface GigabitEthernet1/0/3
traffic-policy p_rd inbound
slot 1 : success
-------------------------------------------------
Policy total applied times: 1.
#

# The R&D and marketing departments cannot access the salary query server in
work hours (08:00 to 17:30).

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30 100
#
time-range satime 08:00 to 17:30 working-day
#
acl number 3002
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
acl number 3003
rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range satime
#
traffic classifier c_market operator or precedence 5
if-match acl 3002
traffic classifier c_rd operator or precedence 10
if-match acl 3003
#
traffic behavior b_market
deny
traffic behavior b_rd
deny
#
traffic policy p_market match-order config
classifier c_market behavior b_market

traffic policy p_rd match-order config
classifier c_rd behavior b_rd
#
interface Vlanif10
ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
ip address 10.164.9.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
traffic-policy p_market inbound
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 30
traffic-policy p_rd inbound
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 100
#
return
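The two examples above (3.15.1.1 and 3.15.1.2) rely on three things the command listings do not make visible: rules are evaluated top down and the first match wins; the mask after an address is a wildcard (inverse) mask, so 0.0.0.255 means "any host in the /24" and 0 means "exactly this host"; and a rule bound to a time range is simply skipped while the range is inactive, so what happens then depends on the following rules or on the module's default. The following Python model is an added example for this page and is not Huawei code or a reproduction of the switch's implementation; the Rule, Packet and TimeRange types, the evaluate() function and the test dates (a Saturday and a Monday in March 2014, a Saturday in 2015) are constructed here. It encodes ACL 2001 from the FTP example, including the intersection of the absolute and periodic ftp-access statements, and ACL 3002 from the salary-server example.

```python
"""Offline model of basic/advanced IPv4 ACL evaluation as used in the two
examples above (added example; not Huawei code)."""
from dataclasses import dataclass, field
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard (inverse) mask: a set bit means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    return (a & ~w) == (b & ~w)


WORKING_DAY = {0, 1, 2, 3, 4}   # Monday..Friday (datetime.weekday())
OFF_DAY = {5, 6}                # Saturday, Sunday


@dataclass
class TimeRange:
    """Periodic (hh:mm to hh:mm + days) and absolute (from .. to ..) statements
    sharing one name are ANDed, which is why ftp-access is the overlap of both."""
    periodic: list = field(default_factory=list)   # (start, end, weekdays)
    absolute: list = field(default_factory=list)   # (start_dt, end_dt)

    def active(self, now: datetime) -> bool:
        if self.absolute and not any(s <= now <= e for s, e in self.absolute):
            return False
        if self.periodic and not any(
                now.weekday() in days and s <= now.time() <= e
                for s, e, days in self.periodic):
            return False
        return True


@dataclass
class Rule:
    action: str                                   # "permit" | "deny"
    src: tuple = ("0.0.0.0", "255.255.255.255")   # source any
    dst: tuple = ("0.0.0.0", "255.255.255.255")   # advanced ACL only
    proto: Optional[str] = None                   # advanced ACL only ("ip", "udp", ...)
    time_range: Optional[TimeRange] = None


@dataclass
class Packet:
    src: str
    dst: str = "0.0.0.0"
    proto: str = "ip"


def evaluate(acl: list, pkt: Packet, now: datetime, default: str = "permit") -> str:
    """First matching rule wins. `default` is what the calling module does when
    no rule matches; the FTP example avoids relying on it with an explicit deny."""
    for r in acl:
        if r.time_range is not None and not r.time_range.active(now):
            continue            # inactive rule is skipped, not turned into a deny
        if r.proto not in (None, "ip") and r.proto != pkt.proto:
            continue
        if not wildcard_match(pkt.src, *r.src) or not wildcard_match(pkt.dst, *r.dst):
            continue
        return r.action
    return default


# ACL 2001 from "Restrict FTP Access Rights"
FTP_ACCESS = TimeRange(
    periodic=[(time(14, 0), time(18, 0), OFF_DAY)],
    absolute=[(datetime(2014, 1, 1, 0, 0), datetime(2014, 12, 31, 23, 59))])
ACL_2001 = [
    Rule("permit", src=("172.16.105.0", "0.0.0.255")),
    Rule("permit", src=("172.16.107.0", "0.0.0.255"), time_range=FTP_ACCESS),
    Rule("deny"),                                       # rule deny source any
]

# ACL 3002 from "Control Access to the Specified Server"
SATIME = TimeRange(periodic=[(time(8, 0), time(17, 30), WORKING_DAY)])
ACL_3002 = [
    Rule("deny", src=("10.164.2.0", "0.0.0.255"), dst=("10.164.9.9", "0.0.0.0"),
         proto="ip", time_range=SATIME),
]

# Constructed test instants (not from the page).
SAT_2014 = datetime(2014, 3, 8, 15, 0)     # Saturday, inside the absolute range
MON_2014 = datetime(2014, 3, 10, 15, 0)    # Monday
MON_2014_AM = datetime(2014, 3, 10, 10, 0)  # Monday, within satime
SAT_2015 = datetime(2015, 3, 7, 15, 0)     # Saturday, outside the absolute range


def ftp_allowed(src: str, now: datetime) -> bool:
    return evaluate(ACL_2001, Packet(src), now) == "permit"


def salary_server_blocked(src: str, now: datetime) -> bool:
    # Behaviour `deny` drops only what the classifier matches; packets that
    # match no rule are not touched by the policy, so the default is "permit".
    return evaluate(ACL_3002, Packet(src, "10.164.9.9"), now) == "deny"


if __name__ == "__main__":
    print(ftp_allowed("172.16.105.111", MON_2014), ftp_allowed("172.16.107.111", MON_2014),
          ftp_allowed("172.16.107.111", SAT_2014), ftp_allowed("10.10.10.1", SAT_2014))
```

The point of the SAT_2015 case is easy to miss when reading the configuration file: once the absolute statement expires, the second permit rule of ACL 2001 never matches again and subnet 2 falls through to the deny, so an expired absolute range silently turns into a permanent block for that subnet.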

3.15.1.3 Example for Using an ACL to Block Network Access of the Specified
Users

ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the
packet matching conditions. These conditions include source addresses,
destination addresses, and port numbers of packets.

An ACL filters packets based on rules. A device with an ACL configured matches
packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the
service module to which the ACL is applied.

Depending on the rule definition methods, ACLs include basic ACL, advanced ACL,
and Layer 2 ACL. A Layer 2 ACL defines rules to filter IPv4 and IPv6 packets based
on Ethernet frame information, such as source MAC addresses, destination MAC
addresses, VLANs, and Layer 2 protocol types. Basic ACLs and advanced ACLs filter
packets based on Layer 3 and Layer 4 information, while Layer 2 ACLs filter

packets based on Layer 2 information. For example, if you want to filter packets
based on MAC addresses and VLANs, configure a Layer 2 ACL.
In this example, a Layer 2 ACL is applied to the traffic policy module so that the
device can filter the packets sent from users with certain MAC addresses to the
Internet and thus prevent these users from accessing the Internet. Note that the
source MAC address is chosen by the sending host and is easy to change, so a
source-MAC deny stops the host as currently configured rather than a user who
deliberately changes the address; treat it as a quick containment step, not as
strong authentication.

Configuration Notes
This example applies to all versions of all S series switches.

NOTE

The following commands and output information are obtained from S7712 running
V200R007C00.

Networking Requirements
As shown in Figure 3-237, the Switch that functions as the gateway is connected
to PCs, and there are reachable routes to all subnets on Switch. The administrator
wants to block network access of PC1 after detecting that PC1 (00e0-f201-0101)
is an unauthorized user.

Figure 3-237 Using Layer 2 ACLs to block network access of the specified users

Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
1. Configure a Layer 2 ACL and ACL-based traffic classifier to discard packets
from MAC address 00e0-f201-0101 (preventing the user with this MAC
address from accessing the network).
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take
effect.

Procedure
Step 1 Configure an ACL.

# Configure a Layer 2 ACL to meet the preceding requirement.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] acl 4000
[Switch-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff //Reject the packets from source
MAC address 00e0-f201-0101.
[Switch-acl-L2-4000] quit

Step 2 Configure an ACL-based traffic classifier.


# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[Switch] traffic classifier tc1 //Create a traffic classifier.
[Switch-classifier-tc1] if-match acl 4000 //Associate an ACL with the traffic classifier.
[Switch-classifier-tc1] quit

Step 3 Configure the traffic behavior.


# Configure the traffic behavior tb1 to reject packets.
[Switch] traffic behavior tb1 //Create a traffic behavior.
[Switch-behavior-tb1] deny //Set the action of the traffic behavior to deny.
[Switch-behavior-tb1] quit

Step 4 Configure the traffic policy.


# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.
[Switch] traffic policy tp1 //Create a traffic policy.
[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic classifier tc1 with the traffic
behavior tb1.
[Switch-trafficpolicy-tp1] quit

Step 5 Apply the traffic policy.


# Packets from PC1 to the Internet are received by GE2/0/1; therefore, apply the
traffic policy tp1 to the inbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-policy tp1 inbound //Apply the traffic policy to the inbound
direction of an interface.
[Switch-GigabitEthernet2/0/1] quit

Step 6 Verify the configuration.


# Check the configuration of the ACL rule.
[Switch] display acl 4000
L2 ACL 4000, 1 rule
Acl's step is 5
rule 5 deny source-mac 00e0-f201-0101

# Check the configuration of the traffic classifier.


[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Precedence: 5
Operator: OR
Rule(s) : if-match acl 4000

Total classifier number is 1

# Check the configuration of the traffic policy.


[Switch] display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1

Classifier: tc1
Operator: OR
Behavior: tb1
Deny

# Check the traffic policy application records.


[Switch] display traffic-policy applied-record
#
-------------------------------------------------
Policy Name: tp1
Policy Index: 0
Classifier:tc1 Behavior:tb1
-------------------------------------------------
*interface GigabitEthernet2/0/1
traffic-policy tp1 inbound
slot 2 : success
-------------------------------------------------
Policy total applied times: 1.
#

# The user with MAC address 00e0-f201-0101 cannot access the Internet.
----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
acl number 4000
rule 5 deny source-mac 00e0-f201-0101
#
traffic classifier tc1 operator or precedence 5
if-match acl 4000
#
traffic behavior tb1
deny
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface GigabitEthernet2/0/1
traffic-policy tp1 inbound
#
return

3.15.1.4 Example for Using Reflective ACL to Implement Unidirectional
Access Control

Reflective ACL Overview
Reflective ACL is a type of dynamic ACL. The device creates a reflective ACL by
swapping the source/destination IP addresses and source/destination port
numbers of an ACL. A reflective ACL has an aging time. If packets passing the
interface match the reflective ACL within the aging time, this reflective ACL is kept
in the next aging time interval. If no packet passing the interface matches the
reflective ACL within the aging time, the reflective ACL is deleted. This mechanism
improves device security.
Reflective ACL implements unidirectional access control. An external host can
access an internal host only after the internal host accesses the external host.

Therefore, reflective ACL protects enterprises' internal networks against attacks
initiated by external users.
In this example, an advanced reflective ACL is used to prevent the servers on the
Internet from actively establishing UDP connections with internal hosts before the
internal hosts connect to the external servers. Reflective ACL implements
unidirectional access control between internal and external networks.

Configuration Notes
This example applies to all versions of modular switches, but does not apply to
fixed switches.

Networking Requirements
As shown in Figure 3-238, Switch functions as the gateway to connect PCs to the
Internet. There are reachable routes among the devices. To ensure internal
network security, the administrator allows servers on the Internet to establish UDP
connections with internal PCs only after the internal PCs have established UDP
connections with the external servers.

Figure 3-238 Using reflective ACL to implement unidirectional access control

Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
1. Configure an advanced ACL based on which the device will generate a
reflective ACL.
2. Configure the reflective ACL function to allow internal PC1 to establish a UDP
connection with a server on the Internet and prevent the external server from
actively establishing a UDP connection with internal hosts.

Procedure
Step 1 Configure an advanced ACL.
# Create advanced ACL 3000 and configure a rule to permit UDP packets.

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] acl 3000
[Switch-acl-adv-3000] rule permit udp //Allow UDP packets to pass.
[Switch-acl-adv-3000] quit

Step 2 Configure the reflective ACL function.

# Packets from the Internet are received by GE2/0/1; therefore, configure the
reflective ACL function in the outbound direction of GE2/0/1 so that the Switch
can generate reflective ACL for UDP packets.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-reflect outbound acl 3000 //Apply the reflective ACL to the
outbound direction of an interface.
[Switch-GigabitEthernet2/0/1] quit

Step 3 Verify the configuration.

Run the display traffic-reflect command to check reflective ACL information.


[Switch] display traffic-reflect outbound acl 3000
Proto SP DP DIP SIP Count Timeout Interface
------------------------------------------------------------------------------
UDP 2 80 192.168.1.2 10.1.1.2 9 300(s) GigabitEthernet2/0/1
------------------------------------------------------------------------------
* Total <1> flows accord with condition, <1> items was displayed.
------------------------------------------------------------------------------
* Proto=Protocol,SIP=Source IP,DIP=Destination IP,Timeout=Time to cutoff,
* SP=Source port,DP=Destination port,Count=Packets count(data).

The preceding information will be displayed only after internal hosts have
established UDP connections with external servers. The preceding information
shows that a reflective ACL has been generated on GE2/0/1 for the UDP packets
between PC1 and server (192.168.1.2), and provides packet statistics.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
acl number 3000
rule 5 permit udp
#
interface GigabitEthernet2/0/1
traffic-reflect outbound acl 3000
#
return
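The display traffic-reflect output above shows the result of the mechanism but not the mechanism itself: an outbound packet matching the trigger ACL creates an entry with addresses and ports swapped, an inbound packet is accepted only if it matches a live entry, a hit refreshes the timer, and an entry with no traffic for the timeout is removed. The following Python model is an added example for this page, not Huawei code; it mirrors the page's UDP-only trigger (acl 3000, rule permit udp), the 300-second timeout and the PC1/server flow from the display output. One assumption is made explicit in the code: inbound UDP that matches no reflected entry is dropped, which is the behaviour the networking requirement asks for but which the page does not show as a separate rule.

```python
"""Model of reflective ACL state (added example; not Huawei code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    proto: str
    sip: str
    sp: int
    dip: str
    dp: int

    def reversed(self) -> "Flow":
        # The reflected entry swaps source/destination address and port.
        return Flow(self.proto, self.dip, self.dp, self.sip, self.sp)


class ReflectiveAcl:
    def __init__(self, trigger_protos=("udp",), timeout=300):
        self.trigger_protos = set(trigger_protos)   # acl 3000: rule permit udp
        self.timeout = timeout                       # seconds, as in the display output
        self.entries = {}                            # reflected Flow -> (expiry, hit count)

    def _expire(self, now: int) -> None:
        for f in [f for f, (exp, _) in self.entries.items() if exp <= now]:
            del self.entries[f]

    def outbound(self, flow: Flow, now: int) -> bool:
        """Traffic leaving through the reflect interface towards the Internet."""
        self._expire(now)
        if flow.proto in self.trigger_protos:
            r = flow.reversed()
            _, cnt = self.entries.get(r, (0, 0))
            self.entries[r] = (now + self.timeout, cnt)   # create or refresh
        return True                                       # outbound is not filtered

    def inbound(self, flow: Flow, now: int) -> bool:
        """Traffic arriving from the Internet: accepted only if a live reflected
        entry matches; a hit refreshes the aging timer. ASSUMPTION: no entry
        means drop."""
        self._expire(now)
        if flow not in self.entries:
            return False
        _, cnt = self.entries[flow]
        self.entries[flow] = (now + self.timeout, cnt + 1)
        return True


def demo() -> list:
    """Replays the page's PC1 (10.1.1.2) to server (192.168.1.2) UDP flow with
    constructed timestamps; returns the inbound decisions in order."""
    acl = ReflectiveAcl()
    pc1, server = "10.1.1.2", "192.168.1.2"
    reply = Flow("udp", server, 80, pc1, 2)       # server -> PC1, as in the display
    decisions = [acl.inbound(reply, now=0)]       # False: PC1 has not sent anything
    acl.outbound(Flow("udp", pc1, 2, server, 80), now=10)
    decisions.append(acl.inbound(reply, now=20))                          # True
    decisions.append(acl.inbound(Flow("udp", server, 81, pc1, 2), now=20))  # False: other port
    decisions.append(acl.inbound(reply, now=20 + 299))                    # True: refreshed
    decisions.append(acl.inbound(reply, now=20 + 299 + 300))              # False: aged out
    return decisions


if __name__ == "__main__":
    print(demo())
```

Because the entry is keyed on the full five-tuple, a server can only reach the exact port PC1 used, which is the unidirectional property the example wants; it also means an entry exists for as long as either side keeps sending, so a long-lived UDP session keeps its hole open for its whole lifetime plus the timeout.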

3.15.1.5 Example for Allowing Certain Users to Access the Internet in the
Specified Time Range

ACL Time Range Overview
An ACL defines many matching conditions to filter most packets transmitted on a
network; however, on its own it cannot restrict that filtering to a specified
time range.

You can configure a time range and associate the time range with an ACL rule to
filter packets based on time. This specifies different policies for users in different
time ranges.
In this example, a basic ACL associated with a time range is applied to the traffic
policy module so that the device can filter packets sent from internal users to the
Internet in the specified time range. As a result, users can access the Internet only
in the specified time range.

Configuration Notes
This example applies to all versions of all S series switches.

NOTE

The following commands and output information are obtained from S7712 running
V200R007C00.

Networking Requirements
As shown in Figure 3-239, the departments of an enterprise are connected
through the Switch. The enterprise allows all employees to access the Internet on
work days (Monday to Friday), and only the managers to access the Internet on
weekends (Saturday and Sunday).

Figure 3-239 Allowing certain users to access the Internet in the specified time
range

Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
1. Configure the time range, basic ACL, and ACL-based traffic classifier to filter
packets sent from internal users to the Internet and thus allow only certain
users to access the Internet in the specified time range.

2. Configure a traffic behavior to permit the packets that match the ACL permit
rule.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take
effect.

Procedure
Step 1 Configure VLANs and IP addresses for interfaces.

# Create VLAN 10 and VLAN 20.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# Configure GE1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them
to VLAN 10 and VLAN 20 respectively. Configure GE2/0/1 of the Switch as a trunk
interface and add it to both VLAN 10 and VLAN 20.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet2/0/1] quit

# Create VLANIF 10 and VLANIF 20 and assign IP addresses to them.


[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.1.1 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.1 24
[Switch-Vlanif20] quit

Step 2 Configure a time range.

# Configure the periodic time range from Saturday to Sunday.


[Switch] time-range rest-time 0:00 to 23:59 off-day //Configure a periodic time range for an ACL.

Step 3 Configure an ACL.

# Create basic ACL 2001 and configure rules to allow the R&D and marketing
managers (10.1.1.11 and 10.1.2.12) to access the Internet anytime and prevent
other employees from accessing the Internet on Saturday and Sunday. That is,
only the managers of R&D and marketing departments can access the Internet on
Saturday and Sunday.
[Switch] acl 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.11 0 //Allow the manager of the R&D department to access the Internet anytime.
[Switch-acl-basic-2001] rule permit source 10.1.2.12 0 //Allow the manager of the marketing department to access the Internet anytime.
[Switch-acl-basic-2001] rule deny time-range rest-time //Prevent other users from accessing the Internet on Saturday and Sunday.
[Switch-acl-basic-2001] quit

Step 4 Configure the basic ACL-based traffic classifier.


# Configure the traffic classifier tc1 to classify packets that match ACL 2001.
[Switch] traffic classifier tc1 //Create a traffic classifier.
[Switch-classifier-tc1] if-match acl 2001 //Associate an ACL with the traffic classifier.
[Switch-classifier-tc1] quit

Step 5 Configure traffic behaviors.


# Configure the traffic behavior tb1 and set the action to permit (default value).

NOTE

Packets matching the ACL are discarded as long as a deny action exists in an ACL rule or traffic
behavior.
[Switch] traffic behavior tb1 //Create a traffic behavior.
[Switch-behavior-tb1] quit

Step 6 Configure the traffic policy.


# Define the traffic policy and associate the traffic classifier and traffic behavior
with the traffic policy.
[Switch] traffic policy tp1 //Create a traffic policy.
[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic classifier tc1 with the traffic behavior tb1.
[Switch-trafficpolicy-tp1] quit

Step 7 Apply the traffic policy to an interface.


# Packets from internal hosts are forwarded to the Internet through GE2/0/1;
therefore, apply the traffic policy tp1 to the outbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-policy tp1 outbound //Apply the traffic policy to the outbound direction of an interface.
[Switch-GigabitEthernet2/0/1] quit

Step 8 Verify the configuration.


# Check the configuration of ACL rules.
[Switch] display acl 2001
Basic ACL 2001, 3 rules
Acl's step is 5
rule 5 permit source 10.1.1.11 0 (match-counter 0)
rule 10 permit source 10.1.2.12 0 (match-counter 0)
rule 15 deny time-range rest-time(match-counter 0) (Inactive)

# Check the configuration of the traffic classifier.


[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Precedence: 5
Operator: OR
Rule(s) : if-match acl 2001

Total classifier number is 1

# Check the configuration of the traffic policy.


[Switch] display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: OR
Behavior: tb1
Permit
Total policy number is 1

# All employees can access the Internet on work days. Only the managers
(10.1.1.11 and 10.1.2.12) of R&D and marketing departments can access the
Internet on weekends.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
time-range rest-time 00:00 to 23:59 off-day
#
acl number 2001
rule 5 permit source 10.1.1.11 0
rule 10 permit source 10.1.2.12 0
rule 15 deny time-range rest-time
#
traffic classifier tc1 operator or precedence 5
if-match acl 2001
#
traffic behavior tb1
permit
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy tp1 outbound
#
return

3.15.1.6 Example for Using ACLs to Restrict Mutual Access Between Network
Segments

ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the
packet matching conditions. These conditions include source addresses,
destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches
packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the
service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL,
and Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on
source IP addresses, destination addresses, IP protocol types, TCP source/destination
port numbers, UDP source/destination port numbers, fragment information, and
time ranges. Compared with a basic ACL, an advanced ACL is more precise and
flexible and provides more functions. For example, if you want to filter packets
based on both source and destination IP addresses, configure an advanced ACL.
In this example, advanced ACLs are applied to the traffic policy module so that the
device can filter the packets between different network segments and thus restrict
mutual access between network segments.

Configuration Notes
This example applies to all versions and models.

NOTE

The following commands and output information are obtained from S7712 running
V200R007C00.

Networking Requirements
As shown in Figure 3-240, the departments of an enterprise are connected
through the Switch. To facilitate network management, the administrator
allocates the IP addresses on two network segments to the R&D and marketing
departments respectively. The two departments belong to different VLANs.
Mutual access between the two network segments must be controlled to ensure
information security.

Figure 3-240 Using advanced ACLs to restrict mutual access between network
segments

Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:

1. Configure an advanced ACL and an ACL-based traffic classifier to filter the
packets exchanged between R&D and marketing departments.
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take
effect.

Procedure
Step 1 Configure VLANs and IP addresses for interfaces.

# Create VLAN 10 and VLAN 20.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# Configure GE1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them
to VLAN 10 and VLAN 20 respectively.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit

# Create VLANIF 10 and VLANIF 20 and assign IP addresses to them.

[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.1.1 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.1 24
[Switch-Vlanif20] quit

Step 2 Configure ACLs.


# Create advanced ACL 3001 and configure rules to block packets from one
department to the other. In this example, the rules block packets from the R&D
department to the marketing department.
[Switch] acl 3001
[Switch-acl-adv-3001] rule deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 //Prevent the R&D department from accessing the marketing department.
[Switch-acl-adv-3001] quit

Step 3 Configure the advanced ACL-based traffic classifier.


# Configure the traffic classifier tc1 to classify packets that match ACL 3001.
[Switch] traffic classifier tc1 //Create a traffic classifier.
[Switch-classifier-tc1] if-match acl 3001 //Associate an ACL with the traffic classifier.
[Switch-classifier-tc1] quit

Step 4 Configure the traffic behavior.


# Configure the traffic behavior tb1 to reject packets.
[Switch] traffic behavior tb1 //Create a traffic behavior.
[Switch-behavior-tb1] deny //Set the action of the traffic behavior to deny.
[Switch-behavior-tb1] quit

Step 5 Configure the traffic policy.


# Define the traffic policy and associate the traffic classifier and traffic behavior
with the traffic policy.
[Switch] traffic policy tp1 //Create a traffic policy.
[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic classifier tc1 with the traffic behavior tb1.
[Switch-trafficpolicy-tp1] quit

Step 6 Apply the traffic policy to an interface.


# Packets from the R&D department are received by GE1/0/1. Therefore, apply the
traffic policy to the inbound direction of GE1/0/1.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy tp1 inbound //Apply the traffic policy to the inbound direction of an interface.
[Switch-GigabitEthernet1/0/1] quit

Step 7 Verify the configuration.


# Check the configuration of ACL rules.
[Switch] display acl 3001
Advanced ACL 3001, 1 rule
Acl's step is 5
rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255 (match-counter 0)

# Check the configuration of the traffic classifier.


[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Precedence: 5
Operator: OR
Rule(s) : if-match acl 3001

Total classifier number is 1

# Check the configuration of the traffic policy.


[Switch] display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: OR
Behavior: tb1
Deny

# The network segments where the R&D and marketing departments reside
cannot access each other, but they can access the network segments of other
departments.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
acl number 3001
rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
#
traffic classifier tc1 operator or precedence 5
if-match acl 3001
#
traffic behavior tb1
deny
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy tp1 inbound
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
return

3.15.1.7 Example for Using an ACL to Prevent Internal Hosts from Accessing
the Internet

ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the
packet matching conditions. These conditions include source addresses,
destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches
packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the
service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL,
and Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on
information such as source IP addresses, fragment information, and time ranges. If
you only need to filter packets based on source IP addresses, you can configure a
basic ACL.
In this example, a basic ACL is applied to the traffic policy module so that the
device can filter the packets from internal hosts to the Internet and thus prevent
internal hosts from accessing the Internet.

Configuration Notes
This example applies to all versions and models.

NOTE

The following commands and output information are obtained from S7712 running
V200R007C00.

Networking Requirements
As shown in Figure 3-241, the departments of an enterprise are connected
through the Switch. The Switch needs to prevent some hosts of the R&D and
marketing departments from accessing the Internet to protect information security
of the enterprise.

Figure 3-241 Using an ACL to prevent internal hosts from accessing the Internet

Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
1. Configure a basic ACL and ACL-based traffic classifier to filter packets from
the specified hosts of the R&D and marketing departments.
2. Configure a traffic behavior to discard the packets matching the ACL.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take
effect.

Procedure
Step 1 Configure VLANs and IP addresses for interfaces.
# Create VLAN 10 and VLAN 20.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20

# Configure GE1/0/1 and GE1/0/2 of the Switch as trunk interfaces and add them
to VLAN 10 and VLAN 20 respectively. Configure GE2/0/1 of the Switch as a trunk
interface and add it to both VLAN 10 and VLAN 20.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10 20
[Switch-GigabitEthernet2/0/1] quit

# Create VLANIF 10 and VLANIF 20 and assign IP addresses to them.


[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.1.1.1 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.1 24
[Switch-Vlanif20] quit

Step 2 Configure an ACL.


# Create basic ACL 2001 and configure rules to reject the packets from hosts
10.1.1.11 and 10.1.2.12.
[Switch] acl 2001
[Switch-acl-basic-2001] rule deny source 10.1.1.11 0 //Prevent the host with IP address 10.1.1.11 from accessing the Internet.
[Switch-acl-basic-2001] rule deny source 10.1.2.12 0 //Prevent the host with IP address 10.1.2.12 from accessing the Internet.
[Switch-acl-basic-2001] quit

Step 3 Configure the basic ACL-based traffic classifier.


# Configure the traffic classifier tc1 to classify packets that match ACL 2001.
[Switch] traffic classifier tc1 //Create a traffic classifier.
[Switch-classifier-tc1] if-match acl 2001 //Associate an ACL with the traffic classifier.
[Switch-classifier-tc1] quit

Step 4 Configure the traffic behavior.


# Configure the traffic behavior tb1 to reject packets.
[Switch] traffic behavior tb1 //Create a traffic behavior.
[Switch-behavior-tb1] deny //Set the action of the traffic behavior to deny.
[Switch-behavior-tb1] quit

Step 5 Configure the traffic policy.


# Define the traffic policy and associate the traffic classifier and traffic behavior
with the traffic policy.
[Switch] traffic policy tp1 //Create a traffic policy.
[Switch-trafficpolicy-tp1] classifier tc1 behavior tb1 //Associate the traffic classifier tc1 with the traffic behavior tb1.
[Switch-trafficpolicy-tp1] quit

Step 6 Apply the traffic policy to an interface.


# Packets from internal hosts are forwarded to the Internet through GE2/0/1;
therefore, apply the traffic policy to the outbound direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-policy tp1 outbound //Apply the traffic policy to the outbound direction of an interface.
[Switch-GigabitEthernet2/0/1] quit

Step 7 Verify the configuration.


# Check the configuration of ACL rules.
[Switch] display acl 2001
Basic ACL 2001, 2 rules
Acl's step is 5
rule 5 deny source 10.1.1.11 0 (match-counter 0)
rule 10 deny source 10.1.2.12 0 (match-counter 0)

# Check the configuration of the traffic classifier.

[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: tc1
Precedence: 5
Operator: OR
Rule(s) : if-match acl 2001

Total classifier number is 1

# Check the configuration of the traffic policy.


[Switch] display traffic policy user-defined tp1
User Defined Traffic Policy Information:
Policy: tp1
Classifier: tc1
Operator: OR
Behavior: tb1
Deny

# The hosts at 10.1.1.11 and 10.1.2.12 cannot access the Internet, and other hosts
can access the Internet.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20
#
acl number 2001
rule 5 deny source 10.1.1.11 0
rule 10 deny source 10.1.2.12 0
#
traffic classifier tc1 operator or precedence 5
if-match acl 2001
#
traffic behavior tb1
deny
#
traffic policy tp1 match-order config
classifier tc1 behavior tb1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy tp1 outbound
#
return
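
The rule evaluation that the time-range example in 3.15.1.5 and this example (3.15.1.7) rely on, modelled as an added Python example. This is not Huawei code or switch output; the class names, the sample timestamps and the outside address are constructed for the example. It rebuilds ACL 2001 of each example from its configuration file, allocates rule ids in steps of 5 as the switch does, skips rules whose time range is not active (the rule that display acl shows as Inactive on a work day), and combines the ACL action with the traffic behavior action the way the NOTE on the traffic behavior step describes: a deny in either drops the packet, while a packet that matches no rule is not classified by the policy and is forwarded normally. It goes slightly beyond the page in accepting the working-day and daily time-range keywords as well as off-day.

```python
from dataclasses import dataclass, field
from datetime import datetime
from ipaddress import IPv4Address
from typing import Optional

# Day sets of the periodic time-range keywords; datetime.weekday() has Monday = 0.
DAY_SETS = {"daily": set(range(7)), "working-day": {0, 1, 2, 3, 4}, "off-day": {5, 6}}


def _ip(text: str) -> int:
    """Dotted quad to int; the CLI shorthand wildcard '0' means 0.0.0.0."""
    return int(IPv4Address("0.0.0.0" if text == "0" else text))


def _minutes(hhmm: str) -> int:
    hours, minutes = hhmm.split(":")
    return int(hours) * 60 + int(minutes)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask semantics: a 0 bit must match, a 1 bit is don't-care."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) ^ _ip(base)) & care == 0


@dataclass(frozen=True)
class TimeRange:
    name: str
    start: str  # "H:MM" or "HH:MM"
    end: str
    days: str   # "daily", "working-day" or "off-day"

    def active(self, when: datetime) -> bool:
        now = when.hour * 60 + when.minute
        return (when.weekday() in DAY_SETS[self.days]
                and _minutes(self.start) <= now <= _minutes(self.end))


@dataclass
class Rule:
    rule_id: int
    action: str                          # "permit" or "deny"
    source: Optional[tuple] = None       # (address, wildcard)
    time_range: Optional[TimeRange] = None


@dataclass
class BasicAcl:
    number: int
    step: int = 5                        # "Acl's step is 5" in display acl
    rules: list = field(default_factory=list)

    def rule(self, action: str, source=None, time_range=None) -> int:
        """Append a rule; ids are allocated as step, 2*step, ... like the CLI does."""
        rule_id = self.step * (len(self.rules) + 1)
        self.rules.append(Rule(rule_id, action, source, time_range))
        return rule_id

    def lookup(self, src: str, when: datetime) -> Optional[Rule]:
        """First matching rule in id order; rules with an inactive time range are skipped."""
        for r in self.rules:
            if r.time_range is not None and not r.time_range.active(when):
                continue
            if r.source is not None and not wildcard_match(src, *r.source):
                continue
            return r
        return None


def policy_verdict(acl: BasicAcl, behavior: str, src: str, when: datetime) -> str:
    """Outcome under a traffic policy whose classifier is 'if-match acl <acl>'
    and whose traffic behavior action is `behavior` ("permit" or "deny").
    No match: the packet is not classified and is forwarded normally.
    Match: dropped if a deny appears in either the ACL rule or the behavior."""
    r = acl.lookup(src, when)
    if r is None:
        return "forward (no match)"
    if r.action == "deny" or behavior == "deny":
        return f"drop (rule {r.rule_id})"
    return f"forward (rule {r.rule_id})"


# ACL 2001 of 3.15.1.5: managers permitted always, everyone else denied on off-days.
REST_TIME = TimeRange("rest-time", "0:00", "23:59", "off-day")
WEEKEND_ACL = BasicAcl(2001)
WEEKEND_ACL.rule("permit", source=("10.1.1.11", "0"))
WEEKEND_ACL.rule("permit", source=("10.1.2.12", "0"))
WEEKEND_ACL.rule("deny", time_range=REST_TIME)

# ACL 2001 of 3.15.1.7: two hosts denied, and behavior tb1 is deny as well.
BLOCKED_HOSTS_ACL = BasicAcl(2001)
BLOCKED_HOSTS_ACL.rule("deny", source=("10.1.1.11", "0"))
BLOCKED_HOSTS_ACL.rule("deny", source=("10.1.2.12", "0"))

# Constructed timestamps: 2022-10-26 is a Wednesday, 2022-10-29 a Saturday.
WEDNESDAY = datetime(2022, 10, 26, 10, 0)
SATURDAY = datetime(2022, 10, 29, 10, 0)

if __name__ == "__main__":
    for src in ("10.1.1.11", "10.1.1.50"):
        for label, when in (("Wed", WEDNESDAY), ("Sat", SATURDAY)):
            print(f"3.15.1.5 {src} {label}: {policy_verdict(WEEKEND_ACL, 'permit', src, when)}")
    for src in ("10.1.1.11", "10.1.1.50"):
        print(f"3.15.1.7 {src}: {policy_verdict(BLOCKED_HOSTS_ACL, 'deny', src, WEDNESDAY)}")
```

Running the block shows the employee host 10.1.1.50 forwarded on Wednesday (rule 15 is inactive, so nothing matches) and dropped on Saturday, while the manager hosts are forwarded on both days because their permit rules sit before the deny; in the 3.15.1.7 ACL the two listed hosts are dropped and any other host is unaffected by the policy.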

3.15.1.8 Example for Using an ACL to Prevent External Hosts from Accessing
Internal Servers

ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the
packet matching conditions. These conditions include source addresses,
destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches
packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the
service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL,
and Layer 2 ACL. An advanced ACL defines rules to filter IPv4 packets based on
source IP addresses, destination addresses, IP protocol types, TCP source/destination
port numbers, UDP source/destination port numbers, fragment information, and
time ranges. Compared with a basic ACL, an advanced ACL is more precise and
flexible and provides more functions. For example, if you want to filter packets
based on both source and destination IP addresses, configure an advanced ACL.
In this example, an advanced ACL is applied to the traffic policy module so that
the device can filter the packets sent from external hosts to internal servers and
thus restrict access of external hosts to internal servers.

Configuration Notes
This example applies to all versions of all S series switches.

NOTE

The following commands and output information are obtained from S7712 running
V200R007C00.

Networking Requirements
As shown in Figure 3-242, the departments of an enterprise are connected
through the Switch. The enterprise allows only internal hosts to access the finance
server, preventing external hosts from accessing the server.

Figure 3-242 Using an ACL to prevent external hosts from accessing internal
servers

Configuration Roadmap
The following configurations are performed on the Switch. The configuration
roadmap is as follows:
1. Configure an advanced ACL and ACL-based traffic classifier to filter the
packets from external hosts to the finance server and thus prevent external
hosts from accessing this server.
2. Configure a traffic behavior to permit the packets that match the ACL permit
rule.
3. Configure and apply a traffic policy to make the ACL and traffic behavior take
effect.

Procedure
Step 1 Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
# Add GE1/0/1 through GE1/0/3 to VLANs 10, 20, and 30 respectively, add
GE2/0/1 to VLAN 100, and assign IP addresses to the VLANIF interfaces. The
configurations on GE1/0/1 and VLANIF 10 are used as an example here. The
configurations on GE1/0/2, GE1/0/3, and GE2/0/1 are similar to the configuration
on GE1/0/1, and the configurations on VLANIF 20, VLANIF 30, and VLANIF 100
are similar to the configuration on VLANIF 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 100
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10

[Switch-GigabitEthernet1/0/1] quit
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.164.1.1 255.255.255.0
[Switch-Vlanif10] quit

Step 2 Configure an ACL.

# Create advanced ACL 3002 and configure rules to allow the packets from the
president's office, R&D department, and marketing department to reach the
finance server and block the packets sent from external hosts to the finance
server.
[Switch] acl 3002
[Switch-acl-adv-3002] rule permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0.0.0.0 //Allow the president's office to access the finance server.
[Switch-acl-adv-3002] rule permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0.0.0.0 //Allow the marketing department to access the finance server.
[Switch-acl-adv-3002] rule permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0.0.0.0 //Allow the R&D department to access the finance server.
[Switch-acl-adv-3002] rule deny ip destination 10.164.4.4 0.0.0.0 //Prevent other users from accessing the finance server.
[Switch-acl-adv-3002] quit

Step 3 Configure an ACL-based traffic classifier.

# Configure the traffic classifier c_network to classify the packets that match ACL
3002.
[Switch] traffic classifier c_network //Create a traffic classifier.
[Switch-classifier-c_network] if-match acl 3002 //Associate an ACL with the traffic classifier.
[Switch-classifier-c_network] quit

Step 4 Configure a traffic behavior.

# Configure the traffic behavior b_network and keep the action set to permit
(default value).

NOTE

Packets matching the ACL are discarded as long as a deny action exists in an ACL rule or traffic
behavior.
[Switch] traffic behavior b_network //Create a traffic behavior.
[Switch-behavior-b_network] quit

Step 5 Configure the traffic policy.

# Configure the traffic policy p_network and associate the traffic classifier
c_network and the traffic behavior b_network with the traffic policy.
[Switch] traffic policy p_network //Create a traffic policy.
[Switch-trafficpolicy-p_network] classifier c_network behavior b_network //Associate the traffic classifier c_network with the traffic behavior b_network.
[Switch-trafficpolicy-p_network] quit

Step 6 Apply the traffic policy.

# Packets from internal and external hosts are forwarded to the finance server
through GE2/0/1; therefore, apply the traffic policy p_network to the outbound
direction of GE2/0/1.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] traffic-policy p_network outbound //Apply the traffic policy to the outbound direction of an interface.
[Switch-GigabitEthernet2/0/1] quit

Step 7 Verify the configuration.


# Check the configuration of ACL rules.
[Switch] display acl 3002
Advanced ACL 3002, 4 rules
Acl's step is 5
rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0 (match-counter 0)
rule 10 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0 (match-counter 0)
rule 15 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0 (match-counter 0)
rule 20 deny ip destination 10.164.4.4 0 (match-counter 0)

# Check the configuration of the traffic classifier.


[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c_network
Precedence: 5
Operator: OR
Rule(s) : if-match acl 3002

Total classifier number is 1

# Check the configuration of the traffic policy.


[Switch] display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: p_network
Classifier: c_network
Operator: OR
Behavior: b_network
Permit

Total policy number is 1

# Check the traffic policy application records.


[Switch] display traffic-policy applied-record
#
-------------------------------------------------
Policy Name: p_network
Policy Index: 0
Classifier:c_network Behavior:b_network
-------------------------------------------------
*interface GigabitEthernet2/0/1
traffic-policy p_network outbound
slot 2 : success
-------------------------------------------------
Policy total applied times: 1.
#

# The president's office, marketing department, and R&D department can access
the finance server, but external hosts cannot.

----End

Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10 20 30 100
#
acl number 3002
rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0
rule 10 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0
rule 15 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0
rule 20 deny ip destination 10.164.4.4 0
#
traffic classifier c_network operator or precedence 5
if-match acl 3002
#
traffic behavior b_network
permit
#
traffic policy p_network match-order config
classifier c_network behavior b_network
#
interface Vlanif10
ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
ip address 10.164.4.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 100
traffic-policy p_network outbound
#
return
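
An added check over the ACL text as it appears in the configuration files of 3.15.1.6 and this example (3.15.1.8); example code written for this page, not Huawei's. It parses the advanced-ACL lines in the form printed above (rule <id> permit|deny ip [source A W] [destination A W]) and flags rules that an earlier rule fully covers. The switch takes the first matching rule in ascending id order, so a covered rule can never match; when its action also differs from the covering rule, the ACL does not enforce what its text suggests. ACL 3002 and ACL 3001 are copied from the configuration files; the mis-ordered variant with the catch-all deny entered first, the regular expression and the function names are constructed for the example.

```python
import re
from ipaddress import IPv4Address

# One advanced-ACL rule line as printed in the configuration files, for example:
#   rule 20 deny ip destination 10.164.4.4 0
RULE_RE = re.compile(
    r"^\s*rule\s+(?P<id>\d+)\s+(?P<action>permit|deny)\s+ip"
    r"(?:\s+source\s+(?P<src>\S+)\s+(?P<srcw>\S+))?"
    r"(?:\s+destination\s+(?P<dst>\S+)\s+(?P<dstw>\S+))?\s*$"
)
ALL_BITS = 0xFFFFFFFF


def ip_int(text: str) -> int:
    """Dotted quad to int; the CLI prints the wildcard 0.0.0.0 as '0'."""
    return int(IPv4Address("0.0.0.0" if text == "0" else text))


def match_set(base, wildcard):
    """(masked base, care bits): the address set a source/destination field matches.
    A missing field means 'any', i.e. no bit is cared about."""
    if base is None:
        return (0, 0)
    care = ~ip_int(wildcard) & ALL_BITS
    return (ip_int(base) & care, care)


def parse_rules(config_text: str):
    """[(rule_id, action, source_set, destination_set)] in ascending id order."""
    rules = []
    for line in config_text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((int(m["id"]), m["action"],
                          match_set(m["src"], m["srcw"]),
                          match_set(m["dst"], m["dstw"])))
    return sorted(rules)  # ids are unique, so this is the evaluation order


def covers(outer, inner) -> bool:
    """True when every address in `inner` is also in `outer`."""
    base_o, care_o = outer
    base_i, care_i = inner
    # outer may fix only bits that inner also fixes, and must agree on them
    return care_o & ~care_i == 0 and (base_o ^ base_i) & care_o == 0


def shadowed_rules(rules):
    """Rules that can never match because an earlier rule covers both their
    source and destination sets. Returns [(rule_id, covering_rule_id, action_differs)]."""
    found = []
    for i, (rid, action, src, dst) in enumerate(rules):
        for erid, eaction, esrc, edst in rules[:i]:
            if covers(esrc, src) and covers(edst, dst):
                found.append((rid, erid, action != eaction))
                break
    return found


# ACL 3002 exactly as in the configuration file of this example.
ACL_3002 = """\
acl number 3002
 rule 5 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0
 rule 10 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0
 rule 15 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0
 rule 20 deny ip destination 10.164.4.4 0
"""

# Constructed mis-ordering of the same rules: the catch-all deny entered first.
ACL_3002_DENY_FIRST = """\
acl number 3002
 rule 5 deny ip destination 10.164.4.4 0
 rule 10 permit ip source 10.164.1.0 0.0.0.255 destination 10.164.4.4 0
 rule 15 permit ip source 10.164.2.0 0.0.0.255 destination 10.164.4.4 0
 rule 20 permit ip source 10.164.3.0 0.0.0.255 destination 10.164.4.4 0
"""

# ACL 3001 of 3.15.1.6: a single rule, so nothing can be shadowed.
ACL_3001 = """\
acl number 3001
 rule 5 deny ip source 10.1.1.0 0.0.0.255 destination 10.1.2.0 0.0.0.255
"""

if __name__ == "__main__":
    for name, text in (("ACL 3002", ACL_3002), ("ACL 3002 deny first", ACL_3002_DENY_FIRST),
                       ("ACL 3001", ACL_3001)):
        print(name, shadowed_rules(parse_rules(text)) or "no shadowed rules")
```

With the page's ordering nothing is shadowed: each permit fixes a source network that the catch-all deny does not, so the deny only catches what the permits leave. With the deny entered first, all three permits are reported as shadowed by rule 5 with a differing action, which is the mis-ordering that would cut every department off from the finance server.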

3.15.1.9 Example for Applying ACLs to SNMP to Filter NMSs

ACL Overview
An Access Control List (ACL) consists of one rule or a set of rules that describe the
packet matching conditions. These conditions include source addresses,
destination addresses, and port numbers of packets.
An ACL filters packets based on rules. A device with an ACL configured matches
packets based on the rules to obtain the packets of a certain type, and then
decides to forward or discard these packets according to the policies used by the
service module to which the ACL is applied.
Depending on the rule definition methods, ACLs include basic ACL, advanced ACL,
and Layer 2 ACL. A basic ACL defines rules to filter IPv4 packets based on
information such as source IP addresses, fragment information, and time ranges. If
you only need to filter packets based on source IP addresses, you can configure a
basic ACL.
In this example, a basic ACL is applied to the SNMP module so that only the
specified NMS can access the switch. This improves switch security.

Configuration Notes
This example applies to all versions of all S series switches.

NOTE

The following commands and output information are obtained from S7712 running
V200R007C00.

Networking Requirements
As shown in Figure 3-243, a new switch on the same network segment as the
NMS is added to an enterprise's network and uses SNMPv3 to communicate with
the NMS. To improve switch security, the switch must be manageable only by the
existing NMS on the network.

Figure 3-243 Applying basic ACLs to SNMP to filter NMSs

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure SNMPv3 on the switch so that the NMS running SNMPv3 can
manage the switch.
2. Configure access control so that only the NMS with the specified IP address
can perform read/write operations on the specified MIB objects of the switch.
3. Configure a user group and user based on which the switch permits access of
the NMS.
4. Configure a trap host and enable the switch to automatically send traps to
the NMS.
5. Add the switch to the NMS. The user group and user configured on the switch
must be the same as those used by the NMS; otherwise, the NMS cannot
manage the switch.

Procedure
Step 1 Configure SNMPv3 on the switch so that the NMS running SNMPv3 can manage
the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] snmp-agent sys-info version v3 //By default, SNMPv3 is supported. If SNMPv3 is not disabled, skip this command.

Step 2 Configure the interface on the switch to receive and respond to NMS request
packets. This step must be performed in V200R020 and later versions. Otherwise,
the switch cannot connect to the NMS.
[Switch] snmp-agent protocol source-interface vlanif 10

Step 3 Configure access control so that only the NMS with the specified IP address can
perform read/write operations on the specified MIB objects of the switch.
# Configure an ACL to permit only the NMS 10.1.1.1 to access the switch.
[Switch] acl 2001
[Switch-acl-basic-2001] rule permit source 10.1.1.1 0
[Switch-acl-basic-2001] rule deny
[Switch-acl-basic-2001] quit

# Configure the MIB view to specify the MIB objects that can be accessed by the
NMS.
[Switch] snmp-agent mib-view included isoview iso //Configure the MIB view isoview, which includes the iso subtree.

Step 4 Configure a user group and user based on which the switch permits access of the
NMS.
# Configure the user group group001, set the security level to privacy, and
configure access control to restrict the access of NMS to the switch.
[Switch] snmp-agent group v3 group001 privacy read-view isoview write-view isoview notify-view isoview acl 2001

# Configure an SNMPv3 user named user001 and add the user to group001.
[Switch] snmp-agent usm-user v3 user001 group group001

# Set the user authentication algorithm to sha (indicating HMAC-SHA-96) and the authentication password to Authe@1234.
[Switch] snmp-agent usm-user v3 user001 authentication-mode sha
Please configure the authentication password (8-64)
Enter Password: //Enter the authentication password.
Confirm Password: //Confirm the password.

NOTE

In versions earlier than V200R003C00, the user name is configured using snmp-agent usm-user
v3 user001 group001 authentication-mode sha Authe@1234 privacy-mode des56
Priva@1234.
In V200R019C00, the system software does not support the sha parameter. To use the sha
parameter, you need to install the V200R019SPH007 patch or the SHA1 plug-in. For higher
security purposes, you are advised to specify the sha2-256 parameter, which indicates the more
secure HMAC-SHA2-256-192 algorithm.
You can search for Plug-in Usage Guide at the Huawei technical support website (Enterprise
Network or Carrier), and choose the desired plug-in usage guide based on the switch model
and software version. If you do not have permission to access the website, contact technical
support personnel.

# Set the user encryption algorithm to aes128 (indicating AES-128, as used in the command and in the NMS settings in Table 3-145) and the encryption password to Priva@1234.
[Switch] snmp-agent usm-user v3 user001 privacy-mode aes128
Please configure the privacy password (8-64)
Enter Password: //Enter the encryption password.
Confirm Password: //Confirm the password.

Step 5 Configure a trap host and enable the switch to automatically send traps to the
NMS.
[Switch] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y //Enable all trap functions on the switch. By default, only some trap functions are enabled. You can run the display snmp-agent trap all command to check the trap status.

[Switch] snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname user001 v3 privacy //Configure a trap host. By default, traps are sent to UDP port 162. The security name must be the same as the user name; otherwise, the NMS cannot manage the device.

Step 6 Add the switch to the NMS.
# Log in to eSight and choose Resource > Add Resource > Add Resource. Set the
SNMP parameters based on Table 3-145 and click OK. The switch is added to eSight
and can be managed by it, and the switch will proactively send trap messages to
eSight.

Table 3-145 SNMP parameters

Parameter                    Setting
Select discovery protocol    SNMP
IP address                   10.1.1.2
SNMP                         Edit SNMP parameters
Version                      V3
Security name                user001
Port                         161
Authentication protocol      HMAC_SHA
Authentication password      Authe@1234
Privacy protocol             AES_128
Encryption password          Priva@1234

NOTE

The parameter settings on the NMS and switch must be the same; otherwise, the switch
cannot be added to the NMS.
If authentication is required for remote logins to the switch, Telnet parameters need to be
set so that the NMS can manage the switch. In this example, administrators can remotely
log in to the switch using Telnet, password authentication is used, and the password is
YsHsjx_202206.

----End
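The access decision the switch makes with the configuration above (basic ACL 2001 bound to group001, the isoview view, the privacy security level), modelled in Python as an added example. This is not Huawei's implementation: the class and function names are the example's own, the sample OIDs and request sources are constructed, and treating a packet that matches no ACL rule as denied is this model's assumption (acl 2001 ends in an explicit deny, so the case never arises here).

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed model of the SNMPv3 + basic ACL configuration in the procedure:
# first matching ACL rule wins, a wildcard of 0 means "match exactly", the ACL
# is consulted through the group it is bound to, and the group demands the
# privacy security level.  Added example, not Huawei code.

LEVEL_RANK = {"noauth": 0, "auth": 1, "privacy": 2}   # SNMPv3 security levels, weakest first


@dataclass(frozen=True)
class AclRule:
    action: str                     # "permit" or "deny"
    source: Optional[str] = None    # None matches any source (a bare "rule deny")
    wildcard: str = "0.0.0.0"       # Huawei wildcard: 0 bits must match; CLI shorthand "0" = 0.0.0.0

    def matches(self, ip: str) -> bool:
        if self.source is None:
            return True
        care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(self.wildcard))
        return (int(ipaddress.IPv4Address(ip)) & care) == (int(ipaddress.IPv4Address(self.source)) & care)


@dataclass(frozen=True)
class Group:
    level: str                      # minimum security level the NMS must use
    read_view: str
    write_view: str
    acl: Optional[int]              # basic ACL applied to this group, if any


class SnmpAgent:
    def __init__(self, acls, views, groups, users):
        self.acls = acls        # ACL number -> ordered rules
        self.views = views      # view name -> included OID subtrees (dotted)
        self.groups = groups    # group name -> Group
        self.users = users      # SNMPv3 user name -> group name

    def acl_permits(self, acl_id: int, ip: str) -> bool:
        for rule in self.acls[acl_id]:
            if rule.matches(ip):
                return rule.action == "permit"
        return False   # model assumption: no matching rule = deny

    def view_includes(self, view: str, oid: str) -> bool:
        return any(oid == sub or oid.startswith(sub + ".") for sub in self.views[view])

    def check(self, src_ip: str, user: str, level: str, op: str, oid: str) -> tuple[bool, str]:
        """Decide whether one SNMPv3 request is served, and why."""
        group_name = self.users.get(user)
        if group_name is None:
            return False, f"unknown user {user}"
        group = self.groups[group_name]
        if group.acl is not None and not self.acl_permits(group.acl, src_ip):
            return False, f"acl {group.acl} denies {src_ip}"
        if LEVEL_RANK[level] < LEVEL_RANK[group.level]:
            return False, f"{group_name} requires {group.level}, request used {level}"
        view = group.write_view if op == "set" else group.read_view
        if not self.view_includes(view, oid):
            return False, f"{oid} is outside view {view}"
        return True, "permit"


def agent_from_example() -> SnmpAgent:
    """The switch configuration shown in the procedure above."""
    return SnmpAgent(
        acls={2001: [AclRule("permit", "10.1.1.1", "0.0.0.0"), AclRule("deny")]},
        views={"isoview": ["1"]},                 # "included isoview iso": the iso subtree is OID 1
        groups={"group001": Group("privacy", "isoview", "isoview", 2001)},
        users={"user001": "group001"},
    )


if __name__ == "__main__":
    agent = agent_from_example()
    # Constructed requests: the real NMS, another host on the same segment, and a weaker security level.
    for req in [("10.1.1.1", "user001", "privacy", "get", "1.3.6.1.2.1.1.5.0"),
                ("10.1.1.3", "user001", "privacy", "get", "1.3.6.1.2.1.1.5.0"),
                ("10.1.1.1", "user001", "auth", "get", "1.3.6.1.2.1.1.5.0")]:
        print(req[0], req[2], agent.check(*req))
```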

Configuration Files
Configuration file of the switch
#
sysname Switch
#
acl number 2001
rule 5 permit source 10.1.1.1 0
rule 10 deny
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent sys-info version v3
snmp-agent group v3 group001 privacy read-view isoview write-view isoview notify-view isoview acl 2001
snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname user001 v3 privacy
snmp-agent mib-view included isoview iso
snmp-agent usm-user v3 user001
snmp-agent usm-user v3 user001 group group001
snmp-agent usm-user v3 user001 authentication-mode sha cipher %^%#*2C%=4LZn1L>ni9xaybHdbXFW&[c_Wv0m!0MpTj!%^%#
snmp-agent usm-user v3 user001 privacy-mode aes128 cipher %^%#i\Fv-cC(u)+x26S2'rEX<.;V+e~nP)*.J$Ulr($/%^%#
snmp-agent trap enable
snmp-agent protocol source-interface Vlanif10
#
return

3.15.2 Typical ARP Security Configuration

3.15.2.1 Example for Configuring ARP Security Functions

ARP Security Overview
Address Resolution Protocol (ARP) security protects network devices against ARP
attacks by learning ARP entries, limiting ARP packet rate, and checking ARP
packets. In addition to preventing ARP protocol attacks, ARP security also prevents
ARP-based network scanning attacks.

The following are common ARP threats to networks:

1. When user hosts directly connect to the gateway, the attacker forges an ARP
packet of the gateway and sends the ARP packet to user hosts. The user hosts
then consider that the attacker is the gateway, and record incorrect gateway
address mappings into their ARP tables. The traffic destined for the gateway is
then received by the attacker. In this way, the attacker intercepts the data sent
by user hosts.
2. A user host sends a large number of IP packets with unresolvable destination
IP addresses (the routing table contains the routing entries matching the
destination IP addresses of the packets but the device does not have the ARP
entries matching the next hop addresses of the routing entries) to the device,
causing the device to generate a large number of ARP Miss packets. The IP
packets (ARP Miss packets) triggering ARP Miss messages are sent to the CPU
for processing. The device generates and delivers many temporary ARP entries
according to the ARP Miss messages, and sends a large number of ARP
request packets to the destination network. This increases CPU usage of the
device and consumes much network bandwidth.
3. The device receives a large number of ARP attack packets and needs to
process all of them. As a result, the device's CPU may be overloaded.
The following ARP security measures can be taken to protect the network against
ARP attacks:
● To prevent the first attack (the attacker poses as the gateway to intercept
host information), configure ARP gateway anti-collision.
● To prevent the second attack, configure ARP Miss rate limiting to reduce the CPU
load and save bandwidth on the destination network.
● To prevent the third attack, configure ARP packet rate limiting to protect CPU
resources.

Configuration Notes
● This example applies to all modular switch models and versions.
● For the fixed switch models and versions that support this example, see
Applicable Products and Versions.

Networking Requirements
As shown in Figure 3-244, the switch functioning as the gateway connects to a
server using GE1/0/3 and connects to four users in VLAN 10 and VLAN 20 using
GE1/0/1 and GE1/0/2, respectively. The following ARP threats exist on the network:
● The attacker poses as the gateway to send an ARP packet to the switch, so
user hosts consider that the attacker is the gateway. As a result, traffic
destined for the gateway from user hosts is received by the attacker, and the
attacker intercepts data from user hosts.
● Attackers send a large number of IP packets with unresolvable destination IP
addresses to the switch, leading to CPU overload.
● User1 sends a large number of ARP packets with fixed MAC addresses but
variable source IP addresses to the switch. As a result, the available CPU of
the switch is insufficient to process other services.
● User3 sends a large number of ARP packets with fixed source IP addresses to
the switch. As a result, the available CPU of the switch is insufficient to
process other services.

The administrator wants to prevent the preceding ARP attacks and provide users
with stable services on a secure network.

Figure 3-244 Networking for configuring ARP security functions

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure ARP gateway anti-collision to prevent attackers from posing as the
gateway to intercept data.
2. Configure ARP Miss rate limiting based on source IP addresses to prevent
user-side attackers from sending a large number of unresolvable IP packets,
triggering ARP Miss messages and forming ARP flood attacks. In addition,
ensure that the switch can process ARP packets from servers because network
communication will be unavailable if such packets are discarded.
3. Configure ARP rate limiting based on source MAC addresses to prevent User1
from sending a large number of ARP packets with different source IP
addresses and a fixed MAC address to form ARP flood attacks. The ARP flood
attacks will overload the switch's CPU.
4. Configure rate limiting on ARP packets based on the source IP address. This
function defends against ARP flood attacks from User3 with a fixed IP address
and prevents CPU overload.

Procedure
Step 1 Create VLANs, add interfaces to the VLANs, and configure VLANIF interfaces.
# Create VLAN 10, VLAN 20, VLAN 30, and add GE1/0/1 to VLAN 10, GE1/0/2 to
VLAN 20, and GE1/0/3 to VLAN 30.

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type trunk
[Switch-GigabitEthernet1/0/3] port trunk allow-pass vlan 30
[Switch-GigabitEthernet1/0/3] quit

# Create VLANIF 10, VLANIF 20, and VLANIF 30, and assign IP addresses to them.
[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.8.8.4 24
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.9.9.4 24
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.10.10.3 24
[Switch-Vlanif30] quit

Step 2 Configure ARP gateway anti-collision.
[Switch] arp anti-attack gateway-duplicate enable //Configure ARP gateway anti-collision

Step 3 Configure rate limiting on ARP Miss messages based on the source IP address.
# Set the maximum rate of ARP Miss messages triggered by the server with the IP
address 10.10.10.2 to 40 pps, and set the maximum rate of ARP Miss messages
triggered by other hosts to 20 pps.
[Switch] arp-miss speed-limit source-ip maximum 20 //Configure rate limiting on ARP Miss messages based on the source IP address
[Switch] arp-miss speed-limit source-ip 10.10.10.2 maximum 40 //Configure rate limiting on ARP Miss messages based on the source IP address

Step 4 Configure rate limiting on ARP packets based on the source MAC address.
# Set the maximum rate of ARP packets from User1 with the source MAC address
0001-0001-0001 to 10 pps.
[Switch] arp speed-limit source-mac 0001-0001-0001 maximum 10 //Configure rate limiting on ARP packets based on the source MAC address

Step 5 Configure rate limiting on ARP packets based on the source IP address.
# Set the maximum rate of ARP packets from User3 with the source IP address
10.9.9.2 to 10 pps.
[Switch] arp speed-limit source-ip 10.9.9.2 maximum 10 //Configure rate limiting on ARP packets based on the source IP address

Step 6 Verify the configuration.
# Run the display arp anti-attack configuration all command to check the
configuration of ARP anti-attack.
[Switch] display arp anti-attack configuration all
......
ARP anti-attack entry-check mode:
Vlanif Mode
-------------------------------------------------------------------------------
All disabled
-------------------------------------------------------------------------------

ARP rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
Vlan configuration:
-------------------------------------------------------------------------------

ARP miss rate-limit configuration:
-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
Vlan configuration:
-------------------------------------------------------------------------------

ARP speed-limit for source-MAC configuration:
MAC-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
0001-0001-0001 10
Others 0
-------------------------------------------------------------------------------
The number of configured specified MAC address(es) is 1, spec is 1024.

ARP speed-limit for source-IP configuration:
IP-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
10.9.9.2 10
Others 30
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 1, spec is 1024.

ARP miss speed-limit for source-IP configuration:
IP-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
10.10.10.2/32 40
Others 20
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 1, spec is 1024.

# Run the display arp packet statistics command to check statistics on ARP-based packets.
[Switch] display arp packet statistics
ARP Pkt Received: sum 8678904
ARP-Miss Msg Received: sum 183
ARP Learnt Count: sum 37
ARP Pkt Discard For Limit: sum 146
ARP Pkt Discard For SpeedLimit: sum 40529
ARP Pkt Discard For Proxy Suppress: sum 0
ARP Pkt Discard For Other: sum 8367601
ARP-Miss Msg Discard For SpeedLimit: sum 20
ARP-Miss Msg Discard For Other: sum 104

In the preceding command output, the numbers of ARP packets and ARP Miss
messages discarded by the switch are displayed, indicating that the ARP security
functions have taken effect.
----End
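The three rate-limiting functions configured in Steps 3 to 5, applied to a constructed burst of ARP packets and ARP Miss messages, as an added Python example (not Huawei code). It uses the limits from the procedure and the "Others" defaults shown in the display output (0 for source-MAC, 30 for source-IP, 20 for ARP Miss); the fixed one-second counting window, the check order (source MAC before source IP), and all MAC addresses and traffic volumes are this model's assumptions.

```python
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpEvent:
    t: float        # arrival time in seconds
    kind: str       # "arp": ARP packet sent to the CPU; "miss": ARP Miss message
    src_mac: str    # Huawei notation xxxx-xxxx-xxxx
    src_ip: str


class SpeedLimiter:
    """Packets-per-second limiter keyed by source MAC or source IP.

    Counts packets per key in fixed one-second windows and discards everything
    above the limit; a limit of 0 disables limiting for that key, matching the
    "rate=0 means function disabled" line in the display output.  The window
    algorithm is this model's simplification, not the switch's implementation.
    """

    def __init__(self, default_max: int, specific: dict[str, int] | None = None):
        self.default_max = default_max            # the "Others" rate
        self.specific = dict(specific or {})      # per-address overrides
        self._count: Counter = Counter()          # (key, whole second) -> packets seen

    def limit_for(self, key: str) -> int:
        return self.specific.get(key, self.default_max)

    def allow(self, key: str, t: float) -> bool:
        limit = self.limit_for(key)
        if limit == 0:
            return True
        window = (key, math.floor(t))
        self._count[window] += 1
        return self._count[window] <= limit


class ArpSecurity:
    """The rate-limiting configuration of Steps 3 to 5 (rates from the page, defaults from its display output)."""

    def __init__(self):
        self.by_mac = SpeedLimiter(0, {"0001-0001-0001": 10})        # arp speed-limit source-mac ... maximum 10
        self.by_ip = SpeedLimiter(30, {"10.9.9.2": 10})              # arp speed-limit source-ip 10.9.9.2 maximum 10
        self.miss_by_ip = SpeedLimiter(20, {"10.10.10.2": 40})       # arp-miss speed-limit source-ip ...
        self.stats: Counter = Counter()           # counters named like "display arp packet statistics"
        self.discards_by_key: Counter = Counter()

    def handle(self, ev: ArpEvent) -> bool:
        """Return True if the event is processed, False if it is discarded."""
        if ev.kind == "arp":
            self.stats["ARP Pkt Received"] += 1
            if not self.by_mac.allow(ev.src_mac, ev.t):
                return self._discard("ARP Pkt Discard For SpeedLimit", f"source-mac {ev.src_mac}")
            if not self.by_ip.allow(ev.src_ip, ev.t):
                return self._discard("ARP Pkt Discard For SpeedLimit", f"source-ip {ev.src_ip}")
            return True
        self.stats["ARP-Miss Msg Received"] += 1
        if not self.miss_by_ip.allow(ev.src_ip, ev.t):
            return self._discard("ARP-Miss Msg Discard For SpeedLimit", f"miss source-ip {ev.src_ip}")
        return True

    def _discard(self, counter: str, key: str) -> bool:
        self.stats[counter] += 1
        self.discards_by_key[key] += 1
        return False


def constructed_traffic() -> list[ArpEvent]:
    """Constructed one-second burst mirroring the threats in the networking requirements."""
    events: list[ArpEvent] = []
    # User1: fixed MAC, varying source IP, 25 ARP packets inside second 0 (only the MAC limit can catch this)
    events += [ArpEvent(i / 100, "arp", "0001-0001-0001", f"10.8.8.{100 + i}") for i in range(25)]
    # User3: fixed source IP 10.9.9.2, 15 ARP packets inside second 0 (MAC limit is "Others 0", i.e. off)
    events += [ArpEvent(i / 100, "arp", "0003-0003-0003", "10.9.9.2") for i in range(15)]
    # The server 10.10.10.2 triggers 50 ARP Miss messages, another host 25
    events += [ArpEvent(i / 100, "miss", "00e0-fc12-3456", "10.10.10.2") for i in range(50)]
    events += [ArpEvent(i / 100, "miss", "0002-0002-0002", "10.8.8.2") for i in range(25)]
    # User1 again in second 1: the window has rolled over, so these pass
    events += [ArpEvent(1 + i / 100, "arp", "0001-0001-0001", "10.8.8.2") for i in range(5)]
    return sorted(events, key=lambda e: e.t)


def run(events: list[ArpEvent]) -> ArpSecurity:
    sec = ArpSecurity()
    for ev in events:
        sec.handle(ev)
    return sec


if __name__ == "__main__":
    result = run(constructed_traffic())
    for name, value in sorted(result.stats.items()):
        print(f"{name}: sum {value}")
    print(dict(result.discards_by_key))
```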

Configuration File
# Configuration file of the Switch
#
sysname Switch

#
vlan batch 10 20 30
#
arp-miss speed-limit source-ip 10.10.10.2 maximum 40
arp speed-limit source-ip 10.9.9.2 maximum 10
arp speed-limit source-mac 0001-0001-0001 maximum 10
arp anti-attack gateway-duplicate enable
#
arp-miss speed-limit source-ip maximum 20
#
interface Vlanif10
ip address 10.8.8.4 255.255.255.0
#
interface Vlanif20
ip address 10.9.9.4 255.255.255.0
#
interface Vlanif30
ip address 10.10.10.3 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 30
#
return

Applicable Products and Versions
The fixed switch models and versions to which this example applies are as follows.

Table 3-146 ARP gateway anti-collision

Product Model            Software Version
S2700-SI                 V100R006C05
S2700-EI                 V100R006C05
S2710-SI                 V100R006C05
S2730S-S                 V200R020C10
S2752EI                  V100R006C05
S3700-SI, S3700-EI       V100R006C05
S3700-HI                 V200R001C00
S5700-SI                 V200R001C00, V200R002C00, V200R003C00, V200R005C00
S5700-EI                 V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02&C03)
S5710-EI                 V200R002C00, V200R003C00, V200R005(C00&C02)
S5720-EI                 V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5720-LI, S5720S-LI      V200R010C00, V200R011C00, V200R011C10, V200R012(C00&C20), V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S5720-SI, S5720S-SI      V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5720I-SI                V200R012C00, V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S5700-HI                 V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00SPC500&C01&C02)
S5710-HI                 V200R003C00, V200R005(C00&C02&C03)
S5720-HI                 V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5730-HI                 V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5730-SI                 V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5730S-EI                V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5731-H                  V200R013C02, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S5731-S, S5731S-S        V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S5731S-H                 V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S5732-H                  V200R019C00, V200R019C10, V200R019C20, V200R020C00, V200R020C10, V200R021C00
S5735-L, S5735S-L        V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S5735-L1, S5735S-L1      V200R020C10, V200R021C00, V200R021C01
S5735-L-I                V200R021C00, V200R021C01
S5735S-L-M               V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S5735-S, S5735S-S        V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S300                     V200R020C10, V200R021C00, V200R021C01
S500                     V200R020C10, V200R021C00, V200R021C01
S5735-S-I                V200R019C10, V200R020C00, V200R020C10, V200R020C30, V200R021C00
S6700-EI                 V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02)
S6720-LI, S6720S-LI      V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6720-SI, S6720S-SI      V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6720-EI                 V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6720S-EI                V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6720-HI                 V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6730-H                  V200R013C02, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6730S-H                 V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6730-S, S6730S-S        V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00

Table 3-147 ARP Miss message rate limiting (based on source IP addresses)

Product Model            Software Version
S2700-SI                 V100R006C05
S2700-EI                 V100R006C05
S2710-SI                 V100R006C05
S2752EI                  V100R006C05
S3700-SI, S3700-EI       V100R006C05
S3700-HI                 V200R001C00
S5700-SI                 V200R001C00, V200R002C00, V200R003C00, V200R005C00
S5700-EI                 V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02&C03)
S5710-EI                 V200R002C00, V200R003C00, V200R005(C00&C02)
S5720-EI                 V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5720-SI, S5720S-SI      V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5720I-SI                V200R012C00, V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S5700-HI                 V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00SPC500&C01&C02)
S5710-HI                 V200R003C00, V200R005(C00&C02&C03)
S5720-HI                 V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5730-HI                 V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5730-SI                 V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5730S-EI                V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5731-H                  V200R013C02, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S5731-S, S5731S-S        V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S5731S-H                 V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S5732-H                  V200R019C00, V200R019C10, V200R019C20, V200R020C00, V200R020C10, V200R021C00
S5735-S, S5735S-S        V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S500                     V200R020C10, V200R021C00, V200R021C01
S5735-S-I                V200R019C10, V200R020C00, V200R020C10, V200R020C30, V200R021C00
S6700-EI                 V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02)
S6720-LI, S6720S-LI      V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6720-SI, S6720S-SI      V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6720-EI                 V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6720S-EI                V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6720-HI                 V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6730-H                  V200R013C02, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6730S-H                 V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6730-S, S6730S-S        V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00

Table 3-148 ARP packet rate limiting (based on source MAC addresses)

Product Model            Software Version
S3700-HI                 V200R001C00
S5710-EI                 V200R002C00, V200R003C00, V200R005(C00&C02)
S5720-EI                 V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5700-HI                 V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00SPC500&C01&C02)
S5710-HI                 V200R003C00, V200R005(C00&C02&C03)
S5720-HI                 V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5730-HI                 V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5731-H                  V200R013C02, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S5731-S, S5731S-S        V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S5731S-H                 V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S5732-H                  V200R019C00, V200R019C10, V200R019C20, V200R020C00, V200R020C10, V200R021C00
S6700-EI                 V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02)
S6720-EI                 V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6720S-EI                V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6720-HI                 V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6730-H                  V200R013C02, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6730S-H                 V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6730-S, S6730S-S        V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00

Table 3-149 ARP packet rate limiting (based on source IP addresses)

Product Model                      Software Version
S2700-SI                           V100R006C05
S2700-EI                           V100R006C05
S2710-SI                           V100R006C05
S2752EI                            V100R006C05
S2720-EI                           V200R006C10, V200R009C00, V200R010C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S2730S-S                           V200R020C10, V200R021C00
S2750-EI                           V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00
S3700-SI, S3700-EI                 V100R006C05
S3700-HI                           V200R001C00
S5700-LI                           V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00
S5700S-LI                          V200R005C00SPC300, V200R006C00, V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00
S5710-X-LI                         V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00
S5700-SI                           V200R001C00, V200R002C00, V200R003C00, V200R005C00
S5700-EI                           V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02&C03)
S5710-EI                           V200R002C00, V200R003C00, V200R005(C00&C02)
S5720-EI                           V200R007C00, V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5720-LI, S5720S-LI                V200R010C00, V200R011C00, V200R011C10, V200R012(C00&C20), V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S5720-SI, S5720S-SI                V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5720I-SI                          V200R012C00, V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S5700-HI                           V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00SPC500&C01&C02)
S5710-HI                           V200R003C00, V200R005(C00&C02&C03)
S5720-HI                           V200R006C00, V200R007(C00&C10), V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5730-HI                           V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5730-SI                           V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5730S-EI                          V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S5731-H                            V200R013C02, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S5731-S, S5731S-S                  V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S5731S-H                           V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00, V200R021C01
S5732-H                            V200R019C00, V200R019C10, V200R019C20, V200R020C00, V200R020C10, V200R021C00
S5735-L, S5735S-L                  V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S300                               V200R020C10, V200R021C00, V200R021C01
S5735-L-I, S5735-L1, S5735S-L1     V200R020C10, V200R021C00, V200R021C01
S5735S-L-M                         V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S5735-S, S5735S-S                  V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S500                               V200R020C10, V200R021C00, V200R021C01
S5735-S-I                          V200R019C10, V200R020C00, V200R020C10, V200R020C30, V200R021C00
S6700-EI                           V200R001(C00&C01), V200R002C00, V200R003C00, V200R005(C00&C01&C02)
S6720-LI, S6720S-LI                V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6720-SI, S6720S-SI                V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6720-EI                           V200R008C00, V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6720S-EI                          V200R009C00, V200R010C00, V200R011C00, V200R011C10, V200R012C00, V200R013C00, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6720-HI                           V200R012C00, V200R013C00, V200R019C00, V200R019C10
S6730-H                            V200R013C02, V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6730S-H                           V200R019C10, V200R020C00, V200R020C10, V200R021C00
S6730-S, S6730S-S                  V200R019C00, V200R019C10, V200R020C00, V200R020C10, V200R021C00

NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

3.15.2.2 Example for Configuring Defense Against ARP MITM Attacks

DAI Overview
Address Resolution Protocol (ARP) security protects network devices against ARP
attacks by learning ARP entries, limiting ARP packet rate, and checking ARP
packets. In addition to preventing ARP protocol attacks, ARP security also prevents
ARP-based network scanning attacks.
The man-in-the-middle (MITM) attack is a frequently launched ARP attack: the
attacker acts as the "man in the middle" between two parties to intercept their data.
To defend against MITM attacks, deploy dynamic ARP inspection (DAI) on the
device.
DAI defends against MITM attacks using binding entries. When a device receives
an ARP packet, it compares the source IP address, source MAC address, interface
information, and VLAN ID of the ARP packet with binding entries. If the ARP
packet matches a binding entry, the device considers the ARP packet valid and
allows the packet to pass through. If the ARP packet matches no binding entry,
the device considers the ARP packet invalid and discards the packet.

NOTE

The device enabled with DHCP snooping generates DHCP snooping binding entries when DHCP
users go online. If a user uses a static IP address, you need to manually configure a static
binding entry for the user.

Configuration Notes
In V100R006C05, S2700-SI does not support the DHCP snooping function. This
example applies to all models in other versions.

Networking Requirements
As shown in Figure 3-245, SwitchA connects to the DHCP server using GE2/0/1,
connects to DHCP clients UserA and UserB using GE1/0/1 and GE1/0/2, and
connects to UserC configured with a static IP address using GE1/0/3. GE1/0/1,
GE1/0/2, GE1/0/3, and GE2/0/1 on SwitchA all belong to VLAN 10. The
administrator wants to prevent ARP MITM attacks and theft of authorized user
information, and to learn the frequency and scope of ARP MITM attacks.

Figure 3-245 Networking diagram for defending against ARP MITM attacks

Configuration Roadmap
The configuration roadmap is as follows:
1. Enable DHCP snooping and configure a static binding entry.
2. Enable DAI so that SwitchA compares the source IP address, source MAC
address, interface information, and VLAN ID of the ARP packet with binding
entries. This prevents ARP MITM attacks.

Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
# Create VLAN 10, and add GE1/0/1, GE1/0/2, GE1/0/3, and GE2/0/1 to VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access
[SwitchA-GigabitEthernet1/0/1] port default vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 10


[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type access
[SwitchA-GigabitEthernet1/0/3] port default vlan 10
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] port link-type trunk
[SwitchA-GigabitEthernet2/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet2/0/1] quit

Step 2 Configure DHCP snooping.

# Enable DHCP snooping globally.


[SwitchA] dhcp enable
[SwitchA] dhcp snooping enable

# Enable DHCP snooping in VLAN 10.


[SwitchA] vlan 10
[SwitchA-vlan10] dhcp snooping enable
[SwitchA-vlan10] quit

# Configure GE2/0/1 as a trusted interface.


[SwitchA] interface gigabitethernet 2/0/1
[SwitchA-GigabitEthernet2/0/1] dhcp snooping trusted
[SwitchA-GigabitEthernet2/0/1] quit

# Configure a static binding table.


[SwitchA] user-bind static ip-address 10.0.0.2 mac-address 00e0-fc12-3456 interface gigabitethernet 1/0/3 vlan 10

Step 3 Enable DAI.

# Enable DAI on GE1/0/1, GE1/0/2, and GE1/0/3. GE1/0/1 is used as an example.
Configurations of GE1/0/2 and GE1/0/3 are similar to the configuration of
GE1/0/1, and are not mentioned here.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] arp anti-attack check user-bind enable //Enable dynamic ARP inspection (check ARP packets against a binding table).
[SwitchA-GigabitEthernet1/0/1] quit

Step 4 Verify the configuration.

# Run the display arp anti-attack configuration check user-bind interface
command to check the DAI configuration on each interface. GE1/0/1 is used as an
example.
[SwitchA] display arp anti-attack configuration check user-bind interface gigabitethernet 1/0/1
arp anti-attack check user-bind enable

# Run the display arp anti-attack statistics check user-bind interface command
to check the number of ARP packets discarded based on DAI. GE1/0/1 is used as
an example.
[SwitchA] display arp anti-attack statistics check user-bind interface gigabitethernet 1/0/1
Dropped ARP packet number is 966
Dropped ARP packet number since the latest warning is 605

In the preceding command output, the number of discarded ARP packets on
GE1/0/1 is displayed, indicating that the defense against ARP MITM attacks has
taken effect.

By running the display arp anti-attack statistics check user-bind interface
command multiple times on each interface, the administrator can learn the
frequency and scope of ARP MITM attacks from the number of discarded ARP
packets.

----End

Configuration File
# Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
user-bind static ip-address 10.0.0.2 mac-address 00e0-fc12-3456 interface GigabitEthernet1/0/3 vlan 10
#
vlan 10
dhcp snooping enable
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
arp anti-attack check user-bind enable
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 10
arp anti-attack check user-bind enable
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 10
arp anti-attack check user-bind enable
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping trusted
#
return

3.15.3 Typical DHCP Snooping Configuration

3.15.3.1 Example for Configuring DHCP Snooping to Prevent Bogus DHCP
Server Attacks

DHCP Snooping Overview
While a DHCP client dynamically obtains an IP address, DHCP snooping analyzes
and filters the DHCP packets exchanged between the client and the server. When
correctly configured, DHCP snooping filters out unauthorized DHCP servers, so
that clients no longer obtain addresses from such a server and lose network
access.
DHCP snooping can be used when DHCP server spoofing attacks occur on the
network. Typical scenarios are as follows:
● Some terminals on the network run Windows Server 2003 or 2008, which is
enabled to allocate IP addresses using DHCP by default.
● Some interfaces at the access layer are connected to a wireless router that
is enabled to allocate IP addresses using DHCP.
You are advised to deploy DHCP snooping on an access switch: the closer the
switch is to the PCs, the more precise the interface-level control. Each switch
interface should be connected to only one PC. If an interface is connected to
multiple PCs through a hub, a bogus DHCP server attached to the hub cannot be
stopped, because DHCP packets are forwarded directly between the hub ports and
never reach the DHCP snooping deployed on the access switch.

Configuration Notes
In V100R006C05, the S2700-SI does not support DHCP snooping. All models in
other versions are applicable to this example.

Networking Requirements
As shown in Figure 3-246, SwitchA is an access switch and its connected PC
obtains an IP address through DHCP. SwitchB as a core switch is deployed with the
DHCP server function. DHCP snooping needs to be configured to prevent
unauthorized DHCP servers such as built-in wireless routers from accessing the
network. If an unauthorized DHCP server is connected to the network, common
users obtain incorrect addresses and cannot access the network or they obtain
conflicting addresses.

Figure 3-246 Networking diagram for configuring DHCP snooping to prevent
bogus DHCP server attacks

Configuration Roadmap
The configuration roadmap is as follows:
1. Deploy the DHCP server function on SwitchB.
2. Enable global DHCP snooping on SwitchA, enable DHCP snooping on the
interface connected to the PC, and configure the interface connected to
SwitchB as a trusted interface. (The trusted interface receives the DHCP
response packets from the DHCP server. SwitchA sends the DHCP request
packets from the PC to SwitchB only through the trusted interface.)
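The following is an added example, not Huawei's code: a minimal Python model of the trusted/untrusted interface check described in the roadmap, including the dynamic binding table that DAI and IPSG later rely on. Interface names match this example; the MAC addresses, offered addresses and the wireless router on GE0/0/3 are constructed.

```python
# Added example, not Huawei's code: a minimal model of the DHCP snooping
# behaviour described above (trusted vs. untrusted interfaces) and of the
# dynamic binding table that DAI and IPSG later check. All MAC addresses,
# offered addresses and the rogue server below are constructed.
from dataclasses import dataclass, field

# DHCP message types (DHCP option 53 values)
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK = 1, 2, 3, 5, 6
SERVER_MESSAGES = {DHCPOFFER, DHCPACK, DHCPNAK}   # only a server sends these


@dataclass(frozen=True)
class DhcpMessage:
    msg_type: int
    client_mac: str            # chaddr of the requesting client
    yiaddr: str = "0.0.0.0"    # address offered/assigned (server messages only)
    lease: int = 0             # lease in seconds (server messages only)


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    vlan: int
    iface: str                 # user-side port on which the client was seen
    lease: int


@dataclass
class SnoopingSwitch:
    """Access switch with 'dhcp snooping enable' in snooping_vlans and
    'dhcp snooping trusted' on the interfaces in trusted."""
    trusted: frozenset
    snooping_vlans: frozenset
    bindings: dict = field(default_factory=dict)  # ip -> Binding
    pending: dict = field(default_factory=dict)   # client mac -> (iface, vlan)
    drops: list = field(default_factory=list)     # (iface, msg_type) of dropped replies

    def receive(self, iface: str, vlan: int, msg: DhcpMessage) -> str:
        """Decide what happens to one DHCP message seen on iface in vlan."""
        if vlan not in self.snooping_vlans:
            return "forward"                      # snooping off: nothing is checked
        if msg.msg_type in SERVER_MESSAGES:
            if iface not in self.trusted:
                # A server reply arriving on a user-side port: bogus DHCP server.
                self.drops.append((iface, msg.msg_type))
                return "drop"
            if msg.msg_type == DHCPACK and msg.client_mac in self.pending:
                # Legitimate ACK: bind the assigned address to the port and VLAN
                # on which the client's request was seen, not to the trusted
                # port the ACK arrived on.
                client_iface, client_vlan = self.pending.pop(msg.client_mac)
                self.bindings[msg.yiaddr] = Binding(
                    msg.yiaddr, msg.client_mac, client_vlan, client_iface, msg.lease)
            return "forward"
        # Client message: remember where the client sits, and relay it only
        # towards the trusted interface, as the roadmap describes.
        if msg.msg_type in (DHCPDISCOVER, DHCPREQUEST):
            self.pending[msg.client_mac] = (iface, vlan)
        return "forward-to-trusted"


def run_scenario() -> SnoopingSwitch:
    """SwitchA of this example: GE0/0/1 faces SwitchB (trusted), a PC sits on
    GE0/0/2 and a wireless router with its own DHCP server on GE0/0/3."""
    sw = SnoopingSwitch(trusted=frozenset({"GE0/0/1"}), snooping_vlans=frozenset({10}))
    pc = "0001-0001-0001"
    sw.receive("GE0/0/2", 10, DhcpMessage(DHCPDISCOVER, pc))
    # Both servers answer; only the reply via the trusted port survives.
    sw.receive("GE0/0/3", 10, DhcpMessage(DHCPOFFER, pc, "192.168.1.100", 3600))
    sw.receive("GE0/0/1", 10, DhcpMessage(DHCPOFFER, pc, "10.1.1.254", 86400))
    sw.receive("GE0/0/2", 10, DhcpMessage(DHCPREQUEST, pc))
    sw.receive("GE0/0/3", 10, DhcpMessage(DHCPACK, pc, "192.168.1.100", 3600))
    sw.receive("GE0/0/1", 10, DhcpMessage(DHCPACK, pc, "10.1.1.254", 86400))
    return sw


if __name__ == "__main__":
    switch = run_scenario()
    print("bindings:", switch.bindings)        # only 10.1.1.254 on GE0/0/2
    print("dropped replies:", switch.drops)    # both replies from GE0/0/3
```

The model only sees packets that cross the switch; as the overview notes, a bogus server behind a hub answers the PC over the hub's own ports and never reaches this check.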

Procedure
Step 1 Configure the DHCP server function.
# Configure the DHCP server function on SwitchB.
<HUAWEI> system-view
[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 10
[SwitchB] interface gigabitethernet 0/0/1
[SwitchB-GigabitEthernet0/0/1] port link-type trunk
[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchB-GigabitEthernet0/0/1] quit
[SwitchB] dhcp enable
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] ip address 10.1.1.1 255.255.255.0
[SwitchB-Vlanif10] dhcp select interface //Enable the device to allocate IP addresses based on the interface address pool.
[SwitchB-Vlanif10] quit

Step 2 Configure DHCP snooping.


# Configure DHCP snooping on SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] port link-type trunk
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/1] quit
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] port link-type access
[SwitchA-GigabitEthernet0/0/2] port default vlan 10
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] port link-type access
[SwitchA-GigabitEthernet0/0/3] port default vlan 10
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] dhcp enable
[SwitchA] dhcp snooping enable ipv4 //Enable global DHCP snooping, and configure the device to process only DHCPv4 packets to save CPU resources.
[SwitchA] interface gigabitethernet 0/0/2
[SwitchA-GigabitEthernet0/0/2] dhcp snooping enable //Enable DHCP snooping on the user-side interface.
[SwitchA-GigabitEthernet0/0/2] quit
[SwitchA] interface gigabitethernet 0/0/3
[SwitchA-GigabitEthernet0/0/3] dhcp snooping enable
[SwitchA-GigabitEthernet0/0/3] quit
[SwitchA] interface gigabitethernet 0/0/1
[SwitchA-GigabitEthernet0/0/1] dhcp snooping trusted //Configure the interface as a trusted interface so that the access switch processes only the DHCP server response packets received from this interface.
[SwitchA-GigabitEthernet0/0/1] quit

Step 3 Verify the configuration.

# Run the display dhcp snooping configuration command on SwitchA to check
the DHCP snooping configuration.
[SwitchA] display dhcp snooping configuration
#
dhcp snooping enable ipv4
#
interface GigabitEthernet0/0/1
dhcp snooping trusted
#
interface GigabitEthernet0/0/2
dhcp snooping enable
#
interface GigabitEthernet0/0/3
dhcp snooping enable
#

# Run the display ip pool interface vlanif10 used command on SwitchB to check
the used IP addresses in the address pool.
[SwitchB] display ip pool interface vlanif10 used
Pool-name : Vlanif10
Pool-No :1
Lease : 1 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Interface Status : Unlocked
Gateway-0 : 10.1.1.1
Network : 10.1.1.0
Mask : 255.255.255.0
VPN instance : --

-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 1 252(0) 0 0
-----------------------------------------------------------------------------
Network section :
-----------------------------------------------------------------------------
Index IP MAC Lease Status
-----------------------------------------------------------------------------
253 10.1.1.254 xxxx-xxxx-xxxx 46 Used
-----------------------------------------------------------------------------

# Run the display dhcp snooping user-bind all command on SwitchA to check
the DHCP snooping binding table.
[SwitchA] display dhcp snooping user-bind all
DHCP Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address MAC Address VSI/VLAN(O/I/P) Interface Lease
--------------------------------------------------------------------------------
10.1.1.254 xxxx-xxxx-xxxx 10 /-- /-- GE0/0/2 2014.09.21-09:33
--------------------------------------------------------------------------------
Print count: 1 Total count: 1

The IP addresses obtained by all the subsequent PCs through DHCP can be
allocated only by SwitchB.

----End

Configuration Files
● Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable ipv4
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping trusted
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
dhcp snooping enable
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 10
dhcp snooping enable
#
return

● Configuration file of SwitchB
#
sysname SwitchB
#
vlan batch 10
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select interface
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return

3.15.4 Typical IPSG Configuration

3.15.4.1 Example for Configuring IPSG to Prevent Hosts with Static IP
Addresses from Changing Their Own IP Addresses

IPSG Overview
As shown in Figure 3-247, a hacker (Host_2) uses the IP and MAC addresses of
Host_1, which belongs to an R&D engineer, to construct IP packets to attack the
intranet. The network administrator thinks the R&D engineer is the attacker. Such
attacks can be prevented by configuring IPSG. On the access switch, after a static
binding table is configured and IP packet check is enabled on the interfaces
connected to terminals, only the packets matching the static binding entries can
access the intranet and the Internet, and the packets not matching the entries are
discarded.

Configuration Notes
This example applies to all versions and models except the following:
● S2700-SI of V100R006C05 does not support IPSG.
● After hardware-based Layer 3 forwarding for IPv4 packets is enabled in the
following versions, the switches do not support IPSG:
– V200R007C00, V200R008C00, V200R011 and later versions: S2750-EI,
S5700-10P-LI-AC, and S5700-10P-PWR-LI-AC
– V200R009C00 and V200R010C00: S2720-EI, S2750-EI, S5700-10P-LI-AC,
and S5700-10P-PWR-LI-AC

Networking Requirements
As shown in Figure 3-247, the user gateway is configured on the core switch
(Core). An ACL is configured on the Core to allow fixed hosts to access the
Internet. The hosts connected to the access switch (ACC) use statically configured
IP addresses. The administrator requires that the hosts can only use fixed IP
addresses to access the Internet. Users are not allowed to change their own IP
addresses to access the Internet.

Figure 3-247 Configuring IPSG to prevent hosts with static IP addresses from
changing their own IP addresses

Data Plan
To perform the configuration, you need the following data.

Table 3-150 Data Plan

Item | Data | Description
VLAN | ACC: VLAN ID 10, including interfaces GE0/0/1, GE0/0/2, and GE0/0/3. Core: VLAN ID 10, including interface GE0/0/1 | None
Gateway IP address of hosts | VLANIF10: 10.0.0.1/24 | None
IP addresses of the hosts allowed to access the network | 10.0.0.2, 10.0.0.3 | None

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure an ACL on the user gateway (Core) to allow the hosts with IP
addresses 10.0.0.2 and 10.0.0.3 to access the Internet.
2. Create static binding entries for the hosts on the ACC to fix the mappings
between IP addresses and MAC addresses.
3. Enable IPSG on the ACC's interfaces connected to user hosts so that the hosts
can only use the fixed IP addresses to access the network. Host_1 can access
the Internet, and Host_2 cannot access the Internet, even if it changes its IP
address.

Procedure
Step 1 Configure an ACL.
<HUAWEI> system-view
[HUAWEI] sysname Core
[Core] vlan batch 10
[Core] interface gigabitethernet 0/0/1
[Core-GigabitEthernet0/0/1] port link-type trunk
[Core-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Core-GigabitEthernet0/0/1] quit
[Core] interface vlanif 10 //Configure the gateway address.
[Core-Vlanif10] ip address 10.0.0.1 255.255.255.0
[Core-Vlanif10] quit
[Core] acl number 3001 //Configure an ACL.
[Core-acl-adv-3001] rule permit ip source 10.0.0.2 0
[Core-acl-adv-3001] rule permit ip source 10.0.0.3 0
[Core-acl-adv-3001] rule deny ip source 10.0.0.0 0.0.0.255
[Core-acl-adv-3001] quit
[Core] traffic classifier c1 //Configure an ACL-based traffic classifier.
[Core-classifier-c1] if-match acl 3001
[Core-classifier-c1] quit
[Core] traffic behavior b1 //Configure a traffic behavior.
[Core-behavior-b1] permit
[Core-behavior-b1] quit
[Core] traffic policy p1 //Configure a traffic policy.
[Core-trafficpolicy-p1] classifier c1 behavior b1
[Core-trafficpolicy-p1] quit
[Core] interface gigabitethernet 0/0/2
[Core-GigabitEthernet0/0/2] traffic-policy p1 outbound //Apply the traffic policy.
[Core-GigabitEthernet0/0/2] quit

Step 2 Create static binding entries for the hosts.


<HUAWEI> system-view
[HUAWEI] sysname ACC
[ACC] vlan batch 10 //Configure a VLAN to connect to hosts.
[ACC] interface gigabitethernet 0/0/1
[ACC-GigabitEthernet0/0/1] port link-type access
[ACC-GigabitEthernet0/0/1] port default vlan 10
[ACC-GigabitEthernet0/0/1] quit
[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] port link-type access
[ACC-GigabitEthernet0/0/2] port default vlan 10
[ACC-GigabitEthernet0/0/2] quit
[ACC] interface gigabitethernet 0/0/3
[ACC-GigabitEthernet0/0/3] port link-type trunk
[ACC-GigabitEthernet0/0/3] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/3] quit
[ACC] user-bind static ip-address 10.0.0.2 mac-address 0002-0002-0002 interface gigabitethernet 0/0/1 //Create a static binding entry for Host_1.
[ACC] user-bind static ip-address 10.0.0.5 mac-address 0005-0005-0005 interface gigabitethernet 0/0/2 //Create a static binding entry for Host_2.

Step 3 Enable IPSG.


# Enable IPSG on GE0/0/1 connected to Host_1.
[ACC] interface gigabitethernet 0/0/1
[ACC-GigabitEthernet0/0/1] ip source check user-bind enable
[ACC-GigabitEthernet0/0/1] quit

# Enable IPSG on GE0/0/2 connected to Host_2.


[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] ip source check user-bind enable
[ACC-GigabitEthernet0/0/2] quit

Step 4 Verify the configuration.


Run the display dhcp static user-bind all command on the ACC to view static
binding entries.
[ACC] display dhcp static user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address MAC Address VSI/VLAN(O/I/P) Interface
--------------------------------------------------------------------------------
10.0.0.2 0002-0002-0002 -- /-- /-- GE0/0/1
10.0.0.5 0005-0005-0005 -- /-- /-- GE0/0/2
--------------------------------------------------------------------------------
Print count: 2 Total count: 2

Run the display dhcp static user-bind all verbose command on the ACC to view
IPSG status. If the status is effective, the static entry has taken effect.
[ACC] display dhcp static user-bind all verbose
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
--------------------------------------------------------------------------------
IP Address : 10.0.0.2
MAC Address : 0002-0002-0002
VSI : --
VLAN(O/I/P) : -- /-- /--
Interface : GE0/0/1
IPSG Status : effective slot: <0>
--------------------------------------------------------------------------------
IP Address : 10.0.0.5
MAC Address : 0005-0005-0005
VSI : --
VLAN(O/I/P) : -- /-- /--
Interface : GE0/0/2
IPSG Status : effective slot: <0>
--------------------------------------------------------------------------------
Print count: 2 Total count: 2

Host_1 can access the Internet, and Host_2 cannot access the Internet. After the IP
address of Host_2 is changed to 10.0.0.3, Host_2 cannot access the Internet and
the intranet.

----End

Configuration Files
● Configuration file of the Core
#
sysname Core
#
vlan batch 10
#
acl number 3001
rule 5 permit ip source 10.0.0.2 0
rule 10 permit ip source 10.0.0.3 0
rule 15 deny ip source 10.0.0.0 0.0.0.255
#
traffic classifier c1 operator or precedence 5
if-match acl 3001
#
traffic behavior b1
permit
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 10.0.0.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2
traffic-policy p1 outbound
#
return

● Configuration file of the ACC


#
sysname ACC
#
vlan batch 10
#
user-bind static ip-address 10.0.0.2 mac-address 0002-0002-0002 interface GigabitEthernet0/0/1
user-bind static ip-address 10.0.0.5 mac-address 0005-0005-0005 interface GigabitEthernet0/0/2
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
ip source check user-bind enable
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
ip source check user-bind enable
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10
#
return

Related Content
Videos

Bind IP and MAC Addresses

3.15.4.2 Example for Configuring IPSG to Prevent Hosts with Dynamic IP
Addresses from Changing Their Own IP Addresses

IPSG Overview
IPSG is a source IP address filtering technology applied to Layer 2 interfaces. It
filters IP packets based on the binding table on a switch. An entry in the binding
table contains the IP address, MAC address, VLAN ID, and interface. Binding
entries include static entries and dynamic entries. A static binding table is
manually created, whereas a dynamic binding table is the DHCP snooping binding table.
When hosts obtain dynamic IP addresses, the switch automatically generates the
dynamic binding entries according to the DHCP Reply packets. After a binding
table is built, the switch matches the packets received by IPSG-enabled interfaces
against binding entries. If the packets match binding entries, they are forwarded;
otherwise, they are discarded. The packet matching options can be a combination
of IP address, MAC address, VLAN ID, and interface. For example, the switch
matches only IP addresses, both IP addresses and MAC addresses, or a
combination of IP addresses, MAC addresses, VLAN IDs, and interfaces of the
packets.

Therefore, IPSG provides two functions:
● Prevents malicious hosts from stealing authorized hosts' IP addresses to pose
as the authorized hosts.
● Prevents unauthorized hosts from changing their own IP addresses to static IP
addresses to access or attack the network.

For example, on a network where the hosts obtain IP addresses from a DHCP
server, the hosts can access the network by using only the dynamic IP addresses,
and cannot use static IP addresses to access the network, unless the administrator
creates static binding entries for them.
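The following is an added example, not Huawei's code: a Python model of the binding-table check that DAI (3.15.2.2) applies to ARP packets and that IPSG applies to IP packets, run against entries taken from those two examples. The MAC addresses of UserA/UserB, the treatment of a static entry without a VLAN as matching any VLAN, and the packets themselves are assumptions made for the illustration.

```python
# Added example, not Huawei's code: the binding-table check that DAI
# (3.15.2.2) applies to ARP packets and that IPSG applies to IP packets.
# All entries, addresses and packets below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    iface: str
    vlan: Optional[int] = None   # a static entry may be created without a VLAN


@dataclass(frozen=True)
class Packet:
    src_ip: str      # sender IP (ARP) or source IP (IP packet)
    src_mac: str
    iface: str       # ingress interface
    vlan: int


ALL_FIELDS: Tuple[str, ...] = ("ip", "mac", "vlan", "iface")


def entry_matches(entry: Binding, pkt: Packet, fields=ALL_FIELDS) -> bool:
    """Compare the selected packet fields with one binding entry.
    Assumption (not stated on the page): an entry configured without a
    VLAN matches packets from any VLAN."""
    if "ip" in fields and entry.ip != pkt.src_ip:
        return False
    if "mac" in fields and entry.mac != pkt.src_mac:
        return False
    if "vlan" in fields and entry.vlan is not None and entry.vlan != pkt.vlan:
        return False
    if "iface" in fields and entry.iface != pkt.iface:
        return False
    return True


@dataclass
class Inspector:
    """Binding table (static + DHCP snooping entries) plus per-interface DAI
    drop counters, like 'display arp anti-attack statistics check user-bind'."""
    bindings: list
    enabled_ifaces: set
    arp_drops: dict = field(default_factory=dict)

    def dai_check(self, arp: Packet) -> str:
        """DAI: IP, MAC, VLAN and interface of the ARP packet must all match."""
        if arp.iface not in self.enabled_ifaces:
            return "forward"
        if any(entry_matches(e, arp) for e in self.bindings):
            return "forward"
        self.arp_drops[arp.iface] = self.arp_drops.get(arp.iface, 0) + 1
        return "drop"

    def ipsg_check(self, pkt: Packet, fields=ALL_FIELDS) -> str:
        """IPSG: same table, but the fields to compare are configurable."""
        if pkt.iface not in self.enabled_ifaces:
            return "forward"
        ok = any(entry_matches(e, pkt, fields) for e in self.bindings)
        return "forward" if ok else "drop"


def dai_scenario() -> Inspector:
    """SwitchA of 3.15.2.2: DHCP entries for UserA/UserB (constructed values)
    and the static entry configured for UserC on GE1/0/3."""
    insp = Inspector(
        bindings=[
            Binding("10.0.0.10", "00e0-fc00-000a", "GE1/0/1", 10),  # UserA, DHCP
            Binding("10.0.0.11", "00e0-fc00-000b", "GE1/0/2", 10),  # UserB, DHCP
            Binding("10.0.0.2", "00e0-fc12-3456", "GE1/0/3", 10),   # UserC, static
        ],
        enabled_ifaces={"GE1/0/1", "GE1/0/2", "GE1/0/3"},
    )
    insp.dai_check(Packet("10.0.0.10", "00e0-fc00-000a", "GE1/0/1", 10))  # UserA's own ARP
    # ARP replies from GE1/0/2 claiming UserA's and UserC's addresses: no entry matches
    insp.dai_check(Packet("10.0.0.10", "00e0-fc00-000b", "GE1/0/2", 10))
    insp.dai_check(Packet("10.0.0.2", "00e0-fc00-000b", "GE1/0/2", 10))
    return insp


def ipsg_scenario() -> dict:
    """ACC of 3.15.4.1: static entries for Host_1 and Host_2 without a VLAN."""
    insp = Inspector(
        bindings=[Binding("10.0.0.2", "0002-0002-0002", "GE0/0/1"),
                  Binding("10.0.0.5", "0005-0005-0005", "GE0/0/2")],
        enabled_ifaces={"GE0/0/1", "GE0/0/2"},
    )
    forged = Packet("10.0.0.2", "0002-0002-0002", "GE0/0/2", 10)  # Host_1's identity, Host_2's port
    return {
        "host1_own": insp.ipsg_check(Packet("10.0.0.2", "0002-0002-0002", "GE0/0/1", 10)),
        "host2_changed_ip": insp.ipsg_check(Packet("10.0.0.3", "0005-0005-0005", "GE0/0/2", 10)),
        "forged_all_fields": insp.ipsg_check(forged),
        "forged_ip_only": insp.ipsg_check(forged, ("ip",)),  # weaker match option lets it through
    }
```

The last two results show why the interface belongs in the match: with an IP-only check, the packet carrying Host_1's addresses from Host_2's port is forwarded.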

Configuration Notes
This example applies to all versions and models except the following:
● S2700-SI of V100R006C05 does not support IPSG.
● After hardware-based Layer 3 forwarding for IPv4 packets is enabled in the
following versions, the switches do not support IPSG:
– V200R007C00, V200R008C00, V200R011 and later versions: S2750-EI,
S5700-10P-LI-AC, and S5700-10P-PWR-LI-AC
– V200R009C00 and V200R010C00: S2720-EI, S2750-EI, S5700-10P-LI-AC,
and S5700-10P-PWR-LI-AC

Networking Requirements
As shown in Figure 3-248, hosts access the intranet through ACC, and the Core
functions as a DHCP server to allocate IP addresses to the hosts. The printer uses a
static IP address. The gateway is the egress device of the intranet. The
administrator does not want the hosts to access the intranet by using the IP
addresses statically configured by themselves.

Figure 3-248 Configuring IPSG to prevent hosts with dynamic IP addresses from
changing their own IP addresses

Data Plan
To perform the configuration, you need the following data.

Table 3-151 Data Plan

Item | Data | Description
VLAN | ACC: VLAN ID 10, including interfaces GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4. Core: VLAN ID 10, including interface GE0/0/1 | None
Address pool | 10.1.1.0/24 | None
Gateway IP address of hosts | VLANIF10: 10.1.1.1/24 | None

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure the DHCP server on the Core to allocate IP addresses to hosts.
2. Configure DHCP snooping on the ACC to ensure that the hosts obtain IP
addresses only from the valid DHCP server, and so that the ACC generates
DHCP snooping dynamic binding entries, which record the bindings of IP
addresses, MAC addresses, VLANs, and interfaces of the hosts.
3. Create a static binding entry for the printer on the ACC to ensure secure
access of the printer.
4. Enable IPSG in the VLAN to which the hosts belong on the ACC to prevent
the hosts from accessing the intranet with changed IP addresses.

Procedure
Step 1 Configure the DHCP server on the Core.
<HUAWEI> system-view
[HUAWEI] sysname Core
[Core] vlan batch 10
[Core] interface gigabitethernet 0/0/1
[Core-GigabitEthernet0/0/1] port link-type trunk
[Core-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Core-GigabitEthernet0/0/1] quit
[Core] dhcp enable
[Core] ip pool 10
[Core-ip-pool-10] network 10.1.1.0 mask 24
[Core-ip-pool-10] gateway-list 10.1.1.1
[Core-ip-pool-10] quit
[Core] interface vlanif 10
[Core-Vlanif10] ip address 10.1.1.1 255.255.255.0
[Core-Vlanif10] dhcp select global
[Core-Vlanif10] quit

Step 2 Configure DHCP snooping on the ACC.


# Specify the VLAN to which the interfaces belong.
<HUAWEI> system-view
[HUAWEI] sysname ACC
[ACC] vlan batch 10
[ACC] interface gigabitethernet 0/0/1
[ACC-GigabitEthernet0/0/1] port link-type access
[ACC-GigabitEthernet0/0/1] port default vlan 10
[ACC-GigabitEthernet0/0/1] quit
[ACC] interface gigabitethernet 0/0/2
[ACC-GigabitEthernet0/0/2] port link-type access
[ACC-GigabitEthernet0/0/2] port default vlan 10
[ACC-GigabitEthernet0/0/2] quit
[ACC] interface gigabitethernet 0/0/3
[ACC-GigabitEthernet0/0/3] port link-type access
[ACC-GigabitEthernet0/0/3] port default vlan 10
[ACC-GigabitEthernet0/0/3] quit
[ACC] interface gigabitethernet 0/0/4
[ACC-GigabitEthernet0/0/4] port link-type trunk
[ACC-GigabitEthernet0/0/4] port trunk allow-pass vlan 10
[ACC-GigabitEthernet0/0/4] quit

# Enable DHCP snooping and configure GE0/0/4 connected to the DHCP server as
a trusted interface.
[ACC] dhcp enable //Enable DHCP
[ACC] dhcp snooping enable //Enable DHCP Snooping globally
[ACC] vlan 10
[ACC-vlan10] dhcp snooping enable //Enable DHCP Snooping in VLAN 10
[ACC-vlan10] dhcp snooping trusted interface gigabitethernet 0/0/4 //Configure a trusted interface
[ACC-vlan10] quit

Step 3 Create a static binding entry for the printer.

[ACC] user-bind static ip-address 10.1.1.2 mac-address 0003-0003-0003 interface gigabitethernet 0/0/3 vlan 10

Step 4 Enable IPSG in VLAN 10 on the ACC.


[ACC] vlan 10
[ACC-vlan10] ip source check user-bind enable //Enable IPSG
[ACC-vlan10] quit

Step 5 Verify the configuration.


After the hosts go online, run the display dhcp snooping user-bind all command
on the ACC to view dynamic binding entries of the hosts.
[ACC] display dhcp snooping user-bind all
DHCP Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address MAC Address VSI/VLAN(O/I/P) Interface Lease
--------------------------------------------------------------------------------
10.1.1.254 0001-0001-0001 10 /-- /-- GE0/0/1 2014.08.17-07:31
10.1.1.253 0002-0002-0002 10 /-- /-- GE0/0/2 2014.08.17-07:34
--------------------------------------------------------------------------------
Print count: 2 Total count: 2

Run the display dhcp static user-bind all command on the ACC to view the static
binding entry of the printer.
[ACC] display dhcp static user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address MAC Address VSI/VLAN(O/I/P) Interface
--------------------------------------------------------------------------------
10.1.1.2 0003-0003-0003 10 /-- /-- GE0/0/3
--------------------------------------------------------------------------------
Print count: 1 Total count: 1

The hosts can access the intranet using the IP addresses dynamically allocated by
the DHCP server. After the dynamic IP addresses of the hosts are changed to
statically configured IP addresses that are different from the dynamic ones, the
hosts cannot access the intranet.

----End

Configuration Files
● Configuration file of the Core
#
sysname Core
#
vlan batch 10
#
dhcp enable
#
ip pool 10
gateway-list 10.1.1.1
network 10.1.1.0 mask 255.255.255.0
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp select global
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return
● Configuration file of the ACC
#
sysname ACC
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
user-bind static ip-address 10.1.1.2 mac-address 0003-0003-0003 interface GigabitEthernet0/0/3 vlan 10
#
vlan 10
dhcp snooping enable
dhcp snooping trusted interface GigabitEthernet0/0/4
ip source check user-bind enable
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 10
#
return

Related Content
Videos

Bind IP and MAC Addresses

3.15.4.3 Example for Configuring IPSG Based on the Static Binding Table to
Prevent Unauthorized Hosts from Accessing the Intranet

IPSG Overview
IPSG is a source IP address filtering technology applied to Layer 2 interfaces. It
filters IP packets based on the binding table on a switch. An entry in the binding
table contains the IP address, MAC address, VLAN ID, and interface. Binding
entries include static entries and dynamic entries. A static binding table is
created manually; the dynamic binding table is the DHCP snooping binding table.
When hosts obtain dynamic IP addresses, the switch automatically generates the
dynamic binding entries according to the DHCP Reply packets. After a binding
table is built, the switch matches the packets received by IPSG-enabled interfaces
against binding entries. If the packets match binding entries, they are forwarded;
otherwise, they are discarded. The packet matching options can be a combination
of IP address, MAC address, VLAN ID, and interface. For example, the switch
matches only IP addresses, both IP addresses and MAC addresses, or a
combination of IP addresses, MAC addresses, VLAN IDs, and interfaces of the
packets.

Therefore, IPSG provides two functions:


● Prevents malicious hosts from stealing authorized hosts' IP addresses to pose
as the authorized hosts.
● Prevents unauthorized hosts from changing their own IP addresses to static IP
addresses to access or attack the network.

For example, when all the hosts on an intranet use static IP addresses, they must
use the fixed IP addresses allocated by the network administrator and access the
intranet through fixed interfaces. To ensure intranet security, external hosts cannot
access the intranet without permission.

Configuration Notes
This example applies to all versions and models except the following:
● S2700-SI of V100R006C05 does not support IPSG.
● After hardware-based Layer 3 forwarding for IPv4 packets is enabled in the
following versions, the switches do not support IPSG:
– V200R007C00, V200R008C00, V200R011 and later versions: S2750-EI,
S5700-10P-LI-AC, and S5700-10P-PWR-LI-AC
– V200R009C00 and V200R010C00: S2720-EI, S2750-EI, S5700-10P-LI-AC,
and S5700-10P-PWR-LI-AC

Networking Requirements
As shown in Figure 3-249, hosts access the enterprise intranet through the switch.
The gateway is the egress device of the enterprise intranet. The hosts use static IP
addresses. The administrator has configured interface rate limiting on the switch,
and requires that the hosts use fixed IP addresses to access the intranet through
fixed ports. To ensure network security, the administrator does not allow external
hosts to access the intranet without permission.

Figure 3-249 Configuring IPSG based on the static binding table to prevent
unauthorized hosts from accessing the intranet

Data Plan
To perform the configuration, you need the following data.

Table 3-152 Data Plan

Item                                  Data                                         Description
VLAN                                  ● Switch: VLAN ID: 10, including interfaces  None
                                        GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4
                                      ● Gateway: VLAN ID: 10
IP addresses of the hosts allowed     10.0.0.1, 10.0.0.2                           None
to access the network

Configuration Roadmap
The requirement of the administrator can be met by configuring IPSG on the
Switch. The configuration roadmap is as follows:

1. Specify the VLAN to which the interfaces belong.
2. Configure static binding entries for Host_1 and Host_2 to fix the bindings
between IP addresses, MAC addresses, and interfaces.
3. Configure GE0/0/4 as a trusted interface. The Switch does not perform an
IPSG check on the packets received by this trusted interface, so the packets
returned by the gateway will not be discarded.
4. Enable IPSG in the VLAN connected to user hosts so that Host_1 and Host_2
access the intranet using fixed IP addresses through fixed ports. In addition,
external host Host_3 cannot access the intranet.

Procedure
Step 1 Specify the VLAN to which the interfaces belong.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type access
[Switch-GigabitEthernet0/0/2] port default vlan 10
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type access
[Switch-GigabitEthernet0/0/3] port default vlan 10
[Switch-GigabitEthernet0/0/3] quit
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] port link-type trunk
[Switch-GigabitEthernet0/0/4] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/4] quit

Step 2 Create static binding entries for Host_1 and Host_2.


[Switch] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface gigabitethernet 0/0/1 //Create a static binding entry for Host_1.
[Switch] user-bind static ip-address 10.0.0.2 mac-address 0002-0002-0002 interface gigabitethernet 0/0/2 //Create a static binding entry for Host_2.

Step 3 Configure the upstream interface GE0/0/4 as a trusted interface.


[Switch] dhcp enable //Enable DHCP
[Switch] dhcp snooping enable //Enable DHCP Snooping globally
[Switch] interface gigabitethernet 0/0/4
[Switch-GigabitEthernet0/0/4] dhcp snooping trusted //Configure a trusted interface
[Switch-GigabitEthernet0/0/4] quit

Step 4 Enable IPSG in VLAN 10 connected to hosts.


[Switch] vlan 10
[Switch-vlan10] ip source check user-bind enable
[Switch-vlan10] quit

Step 5 Verify the configuration.


Run the display dhcp static user-bind all command on the Switch to view
binding entries of Host_1 and Host_2.
[Switch] display dhcp static user-bind all
DHCP static Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-mapping
IP Address MAC Address VSI/VLAN(O/I/P) Interface
--------------------------------------------------------------------------------
10.0.0.1 0001-0001-0001 -- /-- /-- GE0/0/1
10.0.0.2 0002-0002-0002 -- /-- /-- GE0/0/2
--------------------------------------------------------------------------------
Print count: 2 Total count: 2

Host_1 and Host_2 can access the intranet. After the IP addresses of the hosts are
changed or the hosts connect to other interfaces, they cannot access the intranet.
When Host_3 with IP address 10.0.0.3 connects to GE0/0/3, Host_3 cannot access
the intranet, indicating that external hosts cannot access the intranet without
permission. If Host_3 needs to access the intranet, add the entry of Host_3 to the
static binding table.

----End
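The IPSG check described in the overview and verified in Step 5, as an added model written for this section (not Huawei code). It assumes the check matches source IP, source MAC and ingress interface (the fields set with user-bind static here) and that frames arriving on the DHCP snooping trusted uplink GE0/0/4 are not checked; the gateway address and all frames are constructed.

```python
# Added example, not Huawei code: a model of the IPSG check VLAN 10 applies in
# this example, using the two static binding entries from the data plan.
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    ip: str
    mac: str
    interface: str


@dataclass(frozen=True)
class Frame:
    src_ip: str
    src_mac: str
    ingress: str
    vlan: int = 10


class IpsgVlan:
    """IPSG state for one VLAN: a static binding table plus trusted interfaces."""

    def __init__(self, vlan, bindings, trusted=()):
        self.vlan = vlan
        self.trusted = set(trusted)
        self.table = {(b.ip, b.mac, b.interface) for b in bindings}

    def add_static(self, binding):
        """What 'user-bind static ...' does: allow one more (IP, MAC, port) tuple."""
        self.table.add((binding.ip, binding.mac, binding.interface))

    def check(self, frame):
        """Return 'forward' or 'drop' for an IP frame received in this VLAN."""
        if frame.vlan != self.vlan:
            return "forward"            # IPSG is only enabled in VLAN 10
        if frame.ingress in self.trusted:
            return "forward"            # trusted interface: no IPSG check
        key = (frame.src_ip, frame.src_mac, frame.ingress)
        return "forward" if key in self.table else "drop"


def build_switch():
    """The binding table (Step 2) and trusted interface (Step 3) of this example."""
    return IpsgVlan(
        vlan=10,
        bindings=[Binding("10.0.0.1", "0001-0001-0001", "GE0/0/1"),
                  Binding("10.0.0.2", "0002-0002-0002", "GE0/0/2")],
        trusted=["GE0/0/4"],
    )


def verify():
    """Reproduce the cases described in Step 5; returns {case: result}."""
    sw = build_switch()
    cases = {
        # Host_1 and Host_2 with their fixed addresses on their fixed ports
        "host1_ok": Frame("10.0.0.1", "0001-0001-0001", "GE0/0/1"),
        "host2_ok": Frame("10.0.0.2", "0002-0002-0002", "GE0/0/2"),
        # Host_1 changes its IP address (constructed value)
        "host1_new_ip": Frame("10.0.0.9", "0001-0001-0001", "GE0/0/1"),
        # Host_1 moves to another interface
        "host1_moved": Frame("10.0.0.1", "0001-0001-0001", "GE0/0/3"),
        # Host_3 (10.0.0.3) connects to GE0/0/3 without a binding entry
        "host3": Frame("10.0.0.3", "0003-0003-0003", "GE0/0/3"),
        # Host_3 using Host_1's address: the "stolen IP" case from the overview
        "host3_with_host1_ip": Frame("10.0.0.1", "0003-0003-0003", "GE0/0/3"),
        # Return traffic from the gateway (constructed address) on the trusted uplink
        "gateway_reply": Frame("10.0.0.254", "00aa-00aa-00aa", "GE0/0/4"),
    }
    results = {name: sw.check(f) for name, f in cases.items()}
    # Adding Host_3's entry to the static binding table admits it
    sw.add_static(Binding("10.0.0.3", "0003-0003-0003", "GE0/0/3"))
    results["host3_after_binding"] = sw.check(cases["host3"])
    return results
```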

Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 10
#
dhcp enable
#
dhcp snooping enable
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface GigabitEthernet0/0/1
user-bind static ip-address 10.0.0.2 mac-address 0002-0002-0002 interface GigabitEthernet0/0/2
#
vlan 10
ip source check user-bind enable
#
interface GigabitEthernet0/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/2
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/3
port link-type access
port default vlan 10
#
interface GigabitEthernet0/0/4
port link-type trunk
port trunk allow-pass vlan 10
dhcp snooping trusted
#
return

Related Content
Videos
Bind IP and MAC Addresses

3.15.5 Example for Configuring Port Security


Port Security Overview
Port security changes the dynamic MAC addresses learned on an interface into
secure MAC addresses (including dynamic and static secure MAC addresses, and
sticky MAC addresses). This function prevents unauthorized users from
communicating with the switch through this interface. Generally, port security is
configured on access devices to bind users to interfaces and control access users
on interfaces.
Compared with static MAC address entries and user-bind, which bind users
statically, port security binds users to interfaces dynamically.
Compared with DHCP snooping, which also binds users to interfaces dynamically,
port security is easier to configure. In addition, port security can limit the number
of access users.

Configuration Notes
● After MAC address limiting is configured on an interface, port security cannot
be configured on the interface.
● This example applies to all versions of all S series switches.

Networking Requirements
As shown in Figure 3-250, PC1, PC2, and PC3 connect to the company network
through the switch. To improve user access security, port security is enabled on the
interface of the switch so that external users cannot use their PCs to access the
company network.

Figure 3-250 Networking for configuring port security

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN to implement Layer 2 forwarding.
2. Configure port security and enable the sticky MAC function so that MAC
address entries are not lost after the device configuration is saved and the
device restarts.

Procedure
Step 1 Create a VLAN on the switch and add interfaces to the VLAN. The configurations
of GE1/0/2 and GE1/0/3 are similar to the configuration of GE1/0/1, and are not
mentioned here.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10 //Create VLAN 10.
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //The link type of the interface connected to the PC
must be access. The default link type of an interface is not access, so you need to manually configure the
link type of the interface.
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit

Step 2 Configure port security on GE1/0/1. The configurations of GE1/0/2 and GE1/0/3
are similar to the configuration of GE1/0/1, and are not mentioned here.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port-security enable //Enable port security.
[Switch-GigabitEthernet1/0/1] port-security mac-address sticky //The sticky MAC function can be
enabled only after port security is enabled.
[Switch-GigabitEthernet1/0/1] port-security max-mac-num 1 //After port security is enabled, an
interface can learn only one secure MAC address entry by default, so this command can be omitted if only
one user is to be allowed on the interface.

NOTE

● An interface can learn only one secure MAC address entry by default. If multiple PCs
connect to the company network using one interface, run the port-security max-mac-
num command to change the maximum number of secure MAC addresses.
● If a PC connects to the switch using an IP phone, set the maximum number of secure
MAC addresses to 3 because the IP phone occupies two MAC address entries and the PC
occupies one MAC address entry. The VLAN IDs in two MAC address entries used by the
IP phone are different. The two VLANs are used to transmit voice and data packets
respectively.

Step 3 Verify the configuration.


If PC1, PC2, and PC3 are replaced by other PCs, the PCs cannot access the
company network.

----End
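The sticky MAC behaviour configured in Step 2 and the max-mac-num caveat in the NOTE, as an added model written for this section (not Huawei code); MAC addresses and VLAN IDs are constructed.

```python
# Added example, not Huawei code: a model of port security with sticky MAC on
# one access interface. The first MAC addresses learned become secure (sticky)
# entries until max-mac-num is reached; frames from any other MAC on that
# interface are then rejected. Entries are keyed by (MAC, VLAN), which is why
# an IP phone that talks in a voice VLAN and a data VLAN uses two entries.


class SecurePort:
    def __init__(self, name, max_mac_num=1):
        self.name = name
        self.max_mac_num = max_mac_num        # default after port-security enable
        self.sticky = []                      # secure MAC entries as (mac, vlan)

    def receive(self, mac, vlan):
        """Return 'accept' or 'reject' for a frame from mac in vlan."""
        entry = (mac, vlan)
        if entry in self.sticky:
            return "accept"                   # known secure MAC
        if len(self.sticky) < self.max_mac_num:
            self.sticky.append(entry)         # learned and converted to sticky
            return "accept"
        return "reject"                       # limit reached: unknown MAC


def pc_replaced():
    """GE1/0/1 as configured in Step 2: the first PC is learned, a replacement
    PC is rejected. Returns (first result, second result, sticky entry count)."""
    port = SecurePort("GE1/0/1")              # max-mac-num left at default 1
    first = port.receive("0001-0001-0001", 10)
    other = port.receive("0009-0009-0009", 10)
    return first, other, len(port.sticky)


def phone_and_pc(max_mac_num):
    """The NOTE's IP phone case: the phone occupies two entries (voice and data
    VLANs) and the PC one, so max-mac-num 3 is needed. Returns the four results."""
    port = SecurePort("GE1/0/2", max_mac_num)
    phone_mac, pc_mac = "0002-0002-0002", "0003-0003-0003"
    return (port.receive(phone_mac, 20),      # phone in the voice VLAN
            port.receive(phone_mac, 10),      # phone in the data VLAN
            port.receive(pc_mac, 10),         # PC behind the phone
            port.receive("0009-0009-0009", 10))  # a fourth MAC: never allowed
```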

Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 10
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
port-security enable
port-security mac-address sticky
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 10
port-security enable
port-security mac-address sticky
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 10
port-security enable
port-security mac-address sticky
#
return

3.16 Typical QoS Configuration

3.16.1 Example for Configuring Priority Re-marking and Queue Scheduling

Overview
The device allocates or modifies priorities of received packets based on rules, and
schedules services based on the allocated or modified priorities.
Priority re-marking enables the device to re-mark packet priorities. You can
manually set or modify packet priorities to control packet scheduling and improve
the packet forwarding capability of the device.

Configuration Notes
● This example applies to the following products:
– S2752EI, S2710-SI, S2720-EI, S2750-EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-
LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-
SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300,
S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S,
S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-251, a company has three services: data query, email processing, and
file transfer. The three services have different priorities. When HostA and HostB
access servers of the three services, the services must be processed in descending
order of priority. Priority re-marking and queue scheduling can achieve this.


Figure 3-251 Networking of priority re-marking and queue scheduling

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure traffic classifiers to classify packets based on servers' IP addresses.
2. Configure traffic behaviors and define priority re-marking.
3. Configure a traffic policy and bind the traffic policy to the traffic classifiers
and traffic behaviors, and apply the traffic policy to GE1/0/1 in the inbound
direction to re-mark priorities of incoming packets.
4. Configure PQ on GE1/0/2 to schedule packets in descending order of priority.

Procedure
Step 1 Configure ACLs to classify packets based on servers' IP addresses.
# Configure advanced ACL 3001 to classify packets with the destination IP address
of 192.168.1.10.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] acl 3001
[SwitchA-acl-adv-3001] rule permit ip destination 192.168.1.10 0.0.0.0
[SwitchA-acl-adv-3001] quit

# Configure advanced ACL 3002 to classify packets with the destination IP address
of 192.168.1.11.
[SwitchA] acl 3002
[SwitchA-acl-adv-3002] rule permit ip destination 192.168.1.11 0.0.0.0
[SwitchA-acl-adv-3002] quit

# Configure advanced ACL 3003 to classify packets with the destination IP address
of 192.168.1.12.

[SwitchA] acl 3003
[SwitchA-acl-adv-3003] rule permit ip destination 192.168.1.12 0.0.0.0
[SwitchA-acl-adv-3003] quit

Step 2 Configure traffic classifiers to classify packets based on destination IP addresses.


# Configure a traffic classifier named dbserver to match packets with the
destination IP address of 192.168.1.10.
[SwitchA] traffic classifier dbserver operator and
[SwitchA-classifier-dbserver] if-match acl 3001 //Configure the device to match packets with the
destination IP address of 192.168.1.10.
[SwitchA-classifier-dbserver] quit

# Configure a traffic classifier named mailserver to match packets with the
destination IP address of 192.168.1.11.
[SwitchA] traffic classifier mailserver operator and
[SwitchA-classifier-mailserver] if-match acl 3002 //Configure the device to match packets with the
destination IP address of 192.168.1.11.
[SwitchA-classifier-mailserver] quit

# Configure a traffic classifier named ftpserver to match packets with the
destination IP address of 192.168.1.12.
[SwitchA] traffic classifier ftpserver operator and
[SwitchA-classifier-ftpserver] if-match acl 3003 //Configure the device to match packets with the
destination IP address of 192.168.1.12.
[SwitchA-classifier-ftpserver] quit

Step 3 Configure traffic behaviors and define priority re-marking.


# Configure a traffic behavior named dbserver to re-mark packets destined for
192.168.1.10 with 4.
[SwitchA] traffic behavior dbserver
[SwitchA-behavior-dbserver] remark local-precedence 4 //Configure the device to re-mark the local
priority of packets destined for 192.168.1.10 with 4.
[SwitchA-behavior-dbserver] quit

# Configure a traffic behavior named mailserver to re-mark packets destined for
192.168.1.11 with 3.
[SwitchA] traffic behavior mailserver
[SwitchA-behavior-mailserver] remark local-precedence 3 //Configure the device to re-mark the local
priority of packets destined for 192.168.1.11 with 3.
[SwitchA-behavior-mailserver] quit

# Configure a traffic behavior named ftpserver to re-mark packets destined for
192.168.1.12 with 2.
[SwitchA] traffic behavior ftpserver
[SwitchA-behavior-ftpserver] remark local-precedence 2 //Configure the device to re-mark the local
priority of packets destined for 192.168.1.12 with 2.
[SwitchA-behavior-ftpserver] quit

Step 4 Configure a traffic policy and bind the traffic classifiers and traffic behaviors to the
traffic policy.
[SwitchA] traffic policy policy1
[SwitchA-trafficpolicy-policy1] classifier dbserver behavior dbserver
[SwitchA-trafficpolicy-policy1] classifier mailserver behavior mailserver
[SwitchA-trafficpolicy-policy1] classifier ftpserver behavior ftpserver
[SwitchA-trafficpolicy-policy1] quit

Step 5 Apply the traffic policy to GE1/0/1 to re-mark priorities of incoming packets.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] traffic-policy policy1 inbound //Apply the traffic policy in the inbound
direction.
[SwitchA-GigabitEthernet1/0/1] quit

Step 6 Configure PQ on GE1/0/2 to schedule packets in descending order of priority.


● On the S2700-52P-EI, S2700-52P-PWR-EI, S2710-SI, S3700-EI, S3700-HI,
S3700-SI, S5700-EI, S5700-HI, S5710-EI, S5710-HI, S5720-EI, S5720-HI, S5730-
HI, S5731-H, S5731-S, S5731S-H, S5731S-S, S5732-H, S2730S-S, S5735-L-I,
S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500,
S5735S-S, S5735-S-I, S6700-EI, S6720-EI, S6720-HI, S6720S-EI, S6730-H,
S6730S-H, S6730-S, S6730S-S, S7700, and S9700, perform the following
configurations.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] qos pq //Configure PQ scheduling on the interface. In PQ mode, the
device first schedules high-priority packets.
[SwitchA-GigabitEthernet1/0/2] quit

NOTE

This example uses a configuration file containing the qos pq command on a fixed
switch as an example. On a modular switch, an interface queue uses PQ by default,
and the qos pq command is not contained in the configuration file.
● On the S2720-EI, S2750-EI, S5700-LI, S5700S-LI, S5700-SI, S5710-C-LI, S5710-
X-LI, S5720I-SI, S5720-LI, S5720S-LI, S5720S-SI, S5720-SI, S5730S-EI, S5730-SI,
S5735S-H, S5736-S, S6720-LI, S6720S-LI, S6720S-SI, and S6720-SI, perform
the following configurations.
[SwitchA] qos schedule-profile pqtemplate //Create a scheduling profile.
[SwitchA-qos-schedule-profile-pqtemplate] qos pq //Configure PQ scheduling.
[SwitchA-qos-schedule-profile-pqtemplate] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] qos schedule-profile pqtemplate //Apply the scheduling profile to
the interface.
[SwitchA-GigabitEthernet1/0/2] quit

Step 7 Verify the configuration.


# Check the traffic policy configuration.
[SwitchA] display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: policy1
Classifier: dbserver
Operator: AND
Behavior: dbserver
Remark:
Remark local-precedence af4
Classifier: mailserver
Operator: AND
Behavior: mailserver
Remark:
Remark local-precedence af3
Classifier: ftpserver
Operator: AND
Behavior: ftpserver
Remark:
Remark local-precedence af2

Total policy number is 1

# Check the traffic policy record. The traffic policy has been successfully applied to
GE1/0/1.
[SwitchA] display traffic-policy applied-record policy1
-------------------------------------------------
Policy Name: policy1
Policy Index: 0
Classifier:dbserver Behavior:dbserver
Classifier:mailserver Behavior:mailserver
Classifier:ftpserver Behavior:ftpserver
-------------------------------------------------
*interface GigabitEthernet1/0/1
traffic-policy policy1 inbound
slot 1 : success
-------------------------------------------------
Policy total applied times: 1.

----End
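The re-marking done by policy1 in Steps 3 to 5 and the PQ scheduling of Step 6, as an added model written for this section (not Huawei code). Arrival ticks and packet IDs are constructed; unmatched traffic is assumed to stay at local precedence 0.

```python
# Added example, not Huawei code: packets entering GE1/0/1 are matched by
# destination IP (ACLs 3001 to 3003), re-marked with the local precedence of
# the matching behavior, and then transmitted from GE1/0/2 strictly in
# descending order of that precedence.
from collections import defaultdict

# classifier -> (destination IP its ACL permits, local precedence its behavior sets)
POLICY1 = {
    "dbserver": ("192.168.1.10", 4),
    "mailserver": ("192.168.1.11", 3),
    "ftpserver": ("192.168.1.12", 2),
}
DEFAULT_PRECEDENCE = 0      # assumption for traffic no classifier matches


def remark(dst_ip):
    """policy1 inbound: return the local precedence assigned to a packet."""
    for ip, precedence in POLICY1.values():
        if dst_ip == ip:                      # rule permit ip destination <ip> 0
            return precedence
    return DEFAULT_PRECEDENCE


def pq_run(arrivals):
    """Strict priority queuing on the outbound interface.

    arrivals: list of (tick, dst_ip, pkt_id). One packet is transmitted per
    tick, always from the highest-precedence queue that is not empty; within a
    queue packets leave in arrival order. Returns [(tick_sent, pkt_id)].
    A low queue is served only while every higher queue is empty, so a steady
    stream of high-precedence traffic can hold lower queues back indefinitely.
    """
    queues = defaultdict(list)
    pending = sorted(arrivals, key=lambda a: a[0])
    sent, tick = [], 0
    while pending or any(queues.values()):
        while pending and pending[0][0] <= tick:
            _, dst_ip, pkt_id = pending.pop(0)
            queues[remark(dst_ip)].append(pkt_id)
        for precedence in sorted(queues, reverse=True):
            if queues[precedence]:
                sent.append((tick, queues[precedence].pop(0)))
                break
        tick += 1
    return sent


def demo():
    """A burst in which the FTP packet waits behind later-arriving DB traffic."""
    arrivals = [
        (0, "192.168.1.12", "ftp1"),    # file transfer, precedence 2
        (0, "192.168.1.11", "mail1"),   # email, precedence 3
        (0, "192.168.1.10", "db1"),     # data query, precedence 4
        (1, "192.168.1.10", "db2"),     # arrives later but is still sent first
        (2, "10.9.9.9", "other1"),      # unmatched (constructed): lowest queue
    ]
    return [pkt_id for _, pkt_id in pq_run(arrivals)]
```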

Configuration Files
● SwitchA configuration file (applicable to the S2700-52P-EI, S2700-52P-PWR-
EI, S2710-SI, S3700-EI, S3700-HI, S3700-SI, S5700-EI, S5700-HI, S5710-EI,
S5710-HI, S5720-EI, S5720-HI, S5730-HI, S5731-H, S5731-S, S5731S-H,
S5731S-S, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L,
S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S6700-EI, S6720-
EI, S6720-HI, S6720S-EI, S6730-H, S6730S-H, S6730-S, S6730S-S, S7700, and
S9700)
#
sysname SwitchA
#
acl number 3001
rule 5 permit ip destination 192.168.1.10 0
acl number 3002
rule 5 permit ip destination 192.168.1.11 0
acl number 3003
rule 5 permit ip destination 192.168.1.12 0
#
traffic classifier dbserver operator and
if-match acl 3001
traffic classifier ftpserver operator and
if-match acl 3003
traffic classifier mailserver operator and
if-match acl 3002
#
traffic behavior dbserver
remark local-precedence af4
traffic behavior ftpserver
remark local-precedence af2
traffic behavior mailserver
remark local-precedence af3
#
traffic policy policy1 match-order config
classifier dbserver behavior dbserver
classifier mailserver behavior mailserver
classifier ftpserver behavior ftpserver
#
interface GigabitEthernet1/0/1
traffic-policy policy1 inbound
#
interface GigabitEthernet1/0/2
qos pq
#
return
● SwitchA configuration file (applicable to the S2720-EI, S2750-EI, S5700-LI,
S5700S-LI, S5700-SI, S5710-C-LI, S5710-X-LI, S5720I-SI, S5720-LI, S5720S-LI,
S5720S-SI, S5720-SI, S5730S-EI, S5730-SI, S5735S-H, S5736-S, S6720-LI,
S6720S-LI, S6720S-SI, and S6720-SI)
#
sysname SwitchA
#
acl number 3001
rule 5 permit ip destination 192.168.1.10 0
acl number 3002
rule 5 permit ip destination 192.168.1.11 0
acl number 3003
rule 5 permit ip destination 192.168.1.12 0
#
traffic classifier dbserver operator and
if-match acl 3001
traffic classifier ftpserver operator and
if-match acl 3003
traffic classifier mailserver operator and
if-match acl 3002
#
traffic behavior dbserver
remark local-precedence af4
traffic behavior ftpserver
remark local-precedence af2
traffic behavior mailserver
remark local-precedence af3
#
traffic policy policy1
classifier dbserver behavior dbserver
classifier mailserver behavior mailserver
classifier ftpserver behavior ftpserver
#
interface GigabitEthernet1/0/1
traffic-policy policy1 inbound
#
interface GigabitEthernet1/0/2
qos schedule-profile pqtemplate
#
qos schedule-profile pqtemplate
qos pq
#
return

3.16.2 Example for Configuring Interface-based Rate Limiting on a Fixed Switch

Overview
Interface-based rate limiting is easy to configure and limits the rate of all packets
sent or received on an interface regardless of packet type. An interface enabled
with this function can be assigned fixed bandwidth.
Interface-based rate limiting in the inbound and outbound directions can be
configured simultaneously or separately.

Configuration Notes
● This example applies to the following products and versions:
– S2752EI, S2720-EI, S2750-EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-
LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-
SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300,
S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S,
S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-252, the Switch connects to the router through GE0/0/3, and
departments 1 and 2 are connected to the Switch through GE0/0/1 and GE0/0/2
respectively and access the Internet through the Switch and router.
Only one type of service is carried, so services do not need to be differentiated.
Because network bandwidth is limited, the bandwidth of each department needs to
be limited. Department 1 requires a CIR of 8 Mbit/s in the outbound direction, and
department 2 requires a CIR of 5 Mbit/s in the outbound direction.

Figure 3-252 Networking of interface-based rate limiting

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure interfaces of the Switch so that users can access the Internet.
2. Configure interface-based rate limiting on GE0/0/1 and GE0/0/2 of the Switch
in the inbound direction.

Procedure
Step 1 Create VLANs and configure interfaces of the Switch.
# Create VLAN 100, VLAN 200, and VLAN 300.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200 300

# Configure GE0/0/1, GE0/0/2, and GE0/0/3 as trunk interfaces, and configure
GE0/0/1 to allow VLAN 100, GE0/0/2 to allow VLAN 200, and GE0/0/3 to allow
VLAN 100, VLAN 200, and VLAN 300.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk //Set the link type of the interface to trunk. The
default link type of the interface is not trunk.
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 200
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200 300
[Switch-GigabitEthernet0/0/3] quit

# Create VLANIF 300 and set its IP address to 192.168.1.1/24.
[Switch] interface vlanif 300
[Switch-Vlanif300] ip address 192.168.1.1 24
[Switch-Vlanif300] quit

NOTE

On the router, set the IP address of the interface connected to the Switch to 192.168.1.2/24,
and configure sub-interfaces on the interface to terminate VLANs.

Step 2 Configure interface-based rate limiting.


# Configure rate limiting on GE0/0/1 in the inbound direction and set the CIR to
8192 kbit/s.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] qos lr inbound cir 8192 //Set the CIR of department 1 in the outbound
direction to 8 Mbit/s.
[Switch-GigabitEthernet0/0/1] quit

# Configure rate limiting on GE0/0/2 in the inbound direction and set the CIR to
5120 kbit/s.
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] qos lr inbound cir 5120 //Set the CIR of department 2 in the outbound
direction to 5 Mbit/s.
[Switch-GigabitEthernet0/0/2] quit

Step 3 Verify the configuration.


# Check the interface-based rate limiting configuration.
[Switch] display qos lr inbound interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 lr inbound:
cir: 8192 Kbps, cbs: 1024000 Byte
[Switch] display qos lr inbound interface gigabitethernet 0/0/2
GigabitEthernet0/0/2 lr inbound:
cir: 5120 Kbps, cbs: 640000 Byte

# GE0/0/1 on models excluding S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L,
S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735-S-I, and S5735S-S is used
as an example. When the rate of traffic received on the interface exceeds 8 Mbit/s,
packet loss occurs and the traffic rate is limited to 8 Mbit/s.
[Switch] display qos statistics interface gigabitethernet 0/0/1 inbound
---------------------------------------------------------
Item Value
---------------------------------------------------------
Passed packets 30,715
Passed bytes -
Dropped packets 16,555
Dropped bytes -
---------------------------------------------------------

----End
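The rate limiting described in the overview and checked in Step 3, as an added single-rate token-bucket model written for this section (not Huawei code). CIR is in kbit/s and CBS in bytes, the units the display output shows; the token-bucket semantics are the textbook ones and are an assumption about the switch, and the offered traffic is constructed.

```python
# Added example, not Huawei code: a token-bucket model of 'qos lr inbound cir
# ... cbs ...'. Tokens (bytes) refill at the CIR and are capped at the CBS; a
# packet passes only if enough tokens are available, otherwise it is dropped,
# which is the packet loss the verification step describes.


def default_cbs(cir_kbps):
    """Bytes that pass in one second at the CIR. This reproduces the CBS values
    the switch showed in Step 3: 8192 kbit/s -> 1024000 bytes, 5120 kbit/s ->
    640000 bytes (an observation from that output, not a documented rule)."""
    return cir_kbps * 1000 // 8


class RateLimiter:
    def __init__(self, cir_kbps, cbs_bytes=None):
        self.rate = cir_kbps * 1000 / 8           # bytes per second
        self.cbs = cbs_bytes if cbs_bytes is not None else default_cbs(cir_kbps)
        self.tokens = float(self.cbs)             # bucket starts full
        self.last = 0.0
        self.passed = self.dropped = 0            # the two counters 'display qos statistics' shows

    def offer(self, size, now):
        """Offer one packet of size bytes at time now (seconds); True if it passes."""
        self.tokens = min(self.cbs, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if size <= self.tokens:
            self.tokens -= size
            self.passed += 1
            return True
        self.dropped += 1                         # over the CIR: packet loss
        return False


def run_flow(cir_kbps, offered_mbps, seconds, pkt_size=1500):
    """Offer a constant-rate flow of pkt_size-byte packets and return
    (passed, dropped) packet counts, like the verification output."""
    limiter = RateLimiter(cir_kbps)
    pkts_per_s = offered_mbps * 1_000_000 / 8 / pkt_size
    total = int(pkts_per_s * seconds)
    for i in range(total):
        limiter.offer(pkt_size, i / pkts_per_s)
    return limiter.passed, limiter.dropped
```

Offering 4 Mbit/s to the 8192 kbit/s limiter drops nothing; offering 16 Mbit/s passes roughly the CBS plus one second of CIR per elapsed second and drops the rest.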

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100 200 300
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 100
qos lr inbound cir 8192 cbs 1024000
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 200
qos lr inbound cir 5120 cbs 640000
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 100 200 300
#
return

3.16.3 Example for Configuring Interface-based Rate Limiting on a Modular Switch
Overview
Interface-based rate limiting is easy to configure and limits the rate of all packets
sent or received on an interface regardless of packet type. An interface enabled
with this function can be assigned fixed bandwidth.
Interface-based rate limiting in the inbound and outbound directions can be
configured simultaneously or separately.

Configuration Notes
● This example applies to all modular switch models and versions.
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.

NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-253, the Switch connects to the router through GE2/0/1, and
departments 1 and 2 are connected to the Switch through GE1/0/1 and GE1/0/2
respectively and access the Internet through the Switch and router.

Only data services are transmitted on the network, so services do not need to be
differentiated. With finite network bandwidth, bandwidth of each department
needs to be limited. Department 1 requires the CIR of 8 Mbit/s and PIR of 10
Mbit/s, and department 2 requires the CIR of 5 Mbit/s and PIR of 8 Mbit/s.

Figure 3-253 Networking of interface-based rate limiting

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that users can access the Internet
through the Switch.
2. Create different CAR profiles and configure the CIRs and PIRs in the CAR
profiles, and apply the CAR profiles to GE1/0/1 and GE1/0/2 on the Switch in
the inbound direction to limit the rate of packets from different departments.

Procedure
Step 1 Create VLANs and configure interfaces of the Switch.

# Create VLAN 100 and VLAN 200.

<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 200

# Configure GE1/0/1, GE1/0/2, and GE2/0/1 as trunk interfaces, and add GE1/0/1
to VLAN 100, GE1/0/2 to VLAN 200, and GE2/0/1 to VLAN 100 and VLAN 200.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk. The
default link type of the interface is not trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 200
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 200
[Switch-GigabitEthernet2/0/1] quit

Step 2 Configure CAR profiles.


# Create CAR profiles car1 and car2 on the Switch to limit the rate of traffic from
departments 1 and 2.
[Switch] qos car car1 cir 8192 pir 10240 //Set the CIR to 8 Mbit/s and PIR to 10 Mbit/s in the CAR profile car1.
[Switch] qos car car2 cir 5120 pir 8192 //Set the CIR to 5 Mbit/s and PIR to 8 Mbit/s in the CAR profile car2.

Step 3 Apply the CAR profiles.


# Apply the CAR profiles to GE1/0/1 and GE1/0/2 on the Switch in the inbound
direction respectively to limit the rate of traffic from departments 1 and 2.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] qos car inbound car1
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] qos car inbound car2
[Switch-GigabitEthernet1/0/2] quit
[Switch] quit

Step 4 Verify the configuration.


# Check the CAR profile configuration.
<Switch> display qos car all
----------------------------------------------------------------
CAR Name : car1
CAR Index : 0
car cir 8192 (Kbps) pir 10240 (Kbps) cbs 1024000 (byte) pbs 1280000 (byte)
----------------------------------------------------------------
CAR Name : car2
CAR Index : 1
car cir 5120 (Kbps) pir 8192 (Kbps) cbs 640000 (byte) pbs 1024000 (byte)

# Send traffic at rates of 6000 kbit/s, 9000 kbit/s, and 11000 kbit/s to GE1/0/1 and
GE1/0/2, and run the display qos car statistics command to view traffic statistics.
At 6000 kbit/s, all packets on both interfaces are forwarded, because the rate is
below the PIR of both profiles. At 9000 kbit/s, all packets on GE1/0/1 are forwarded
(the rate is above the 8192 kbit/s CIR of car1 but below its 10240 kbit/s PIR, so the
excess is marked yellow and still passes), while some packets on GE1/0/2 are
discarded because the rate exceeds the 8192 kbit/s PIR of car2. At 11000 kbit/s, the
rate exceeds the PIR of both profiles and some packets are discarded on both
interfaces. Because the token buckets start full, drops begin only after the PBS
burst allowance has been consumed, so a very short test burst may show no loss.
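The behavior above follows from the two-rate three-color marker that a CAR profile implements. The following Python simulation is an added example, not code from this guide or from Huawei: it models a color-blind trTCM with the CIR/PIR/CBS/PBS values shown by display qos car all and replays the 6000/9000/11000 kbit/s test with a constructed stream of fixed-size packets. The 1000-byte packet size, the 30-second duration and the assumption that both buckets start full are mine. The same marking logic is what the mode color-blind green pass yellow pass red discard line configures in the traffic-behavior examples later in this section.

```python
"""Color-blind two-rate three-color marker (trTCM), the model behind
`qos car cir <cir> pir <pir> cbs <cbs> pbs <pbs>` with green/yellow pass and red discard.
Added example, not Huawei code. Packet size, test duration and full initial
buckets are assumptions."""


class CarProfile:
    """Token buckets C (refilled at CIR, depth CBS) and P (refilled at PIR, depth PBS)."""

    def __init__(self, cir_kbps, pir_kbps, cbs_bytes, pbs_bytes):
        self.cir_bytes_per_s = cir_kbps * 1000 / 8   # credit added to C per second
        self.pir_bytes_per_s = pir_kbps * 1000 / 8   # credit added to P per second
        self.cbs = cbs_bytes
        self.pbs = pbs_bytes
        self.tc = float(cbs_bytes)                   # assumption: buckets start full
        self.tp = float(pbs_bytes)

    def _refill(self, elapsed_s):
        self.tc = min(self.cbs, self.tc + elapsed_s * self.cir_bytes_per_s)
        self.tp = min(self.pbs, self.tp + elapsed_s * self.pir_bytes_per_s)

    def color(self, size, elapsed_s):
        """RFC 2698 color-blind marking for one packet of `size` bytes arriving
        `elapsed_s` seconds after the previous one."""
        self._refill(elapsed_s)
        if size > self.tp:          # beyond the PIR burst: red -> discard
            return "red"
        if size > self.tc:          # within PIR but above CIR: yellow -> pass
            self.tp -= size
            return "yellow"
        self.tc -= size             # within CIR: green -> pass
        self.tp -= size
        return "green"


def police_stream(profile, rate_kbps, seconds=30.0, pkt_bytes=1000):
    """Offer a constant-rate stream of fixed-size packets and count the colors.
    Red packets appear only once the P bucket (PBS) has been drained."""
    interval = pkt_bytes * 8 / (rate_kbps * 1000)
    counts = {"green": 0, "yellow": 0, "red": 0}
    t = 0.0
    while t < seconds:
        counts[profile.color(pkt_bytes, interval)] += 1
        t += interval
    return counts


# CIR/PIR/CBS/PBS exactly as shown by `display qos car all` in this example
CAR_PROFILES = {
    "car1": (8192, 10240, 1024000, 1280000),
    "car2": (5120, 8192, 640000, 1024000),
}


def verify_example(rates_kbps=(6000, 9000, 11000), seconds=30.0):
    """Replay the verification step: returns {(profile, rate_kbps): color counts}."""
    results = {}
    for name, params in CAR_PROFILES.items():
        for rate in rates_kbps:
            results[(name, rate)] = police_stream(CarProfile(*params), rate, seconds)
    return results


if __name__ == "__main__":
    for (name, rate), counts in sorted(verify_example().items()):
        verdict = "drops" if counts["red"] else "no drops"
        print(f"{name} @ {rate} kbit/s: {counts} -> {verdict}")
```

Running the block prints, per profile and offered rate, how many packets were marked green, yellow and red; only car2 at 9000 kbit/s and both profiles at 11000 kbit/s show red packets, matching the statistics the guide describes.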

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100 200
#
qos car car1 cir 8192 pir 10240 cbs 1024000 pbs 1280000
qos car car2 cir 5120 pir 8192 cbs 640000 pbs 1024000
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100
qos car inbound car1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 200
qos car inbound car2
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 100 200
#
return

3.16.4 Example for Configuring a Traffic Policy to Implement Rate Limiting

Overview
In a traffic policy, access control list (ACL) rules can be used to classify packets.
An ACL consists of one or more rules that match packets on fields such as the
source address, destination address, and port numbers. ACLs are classified as
basic, advanced, and Layer 2 ACLs: a basic ACL matches on the source IP address,
fragment flag, and time range, while an advanced ACL can additionally match on
the destination IP address, protocol, and port numbers. This example uses an
advanced ACL (3000) that matches only on a source network segment; traffic
policing is then configured in the traffic behavior to limit the rate of the
matched packets.

Configuration Notes
● This example applies to the following products:
– S2752EI, S2710-SI, S2720-EI, S2750-EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-
LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-
SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300,
S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S,
S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712

● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-254, the company has two departments, belonging to VLAN 10 and
VLAN 20, respectively. Some servers are deployed in VLAN 10 and high bandwidth
is required; employees need to access the Internet in VLAN 20 only and there are
no high requirements for bandwidth. The company purchases a 10 Mbit/s leased
line. The company requires the bandwidth for Internet access in VLAN 20 to be
between 2 Mbit/s and 4 Mbit/s, and traffic exceeding 4 Mbit/s is discarded.

Figure 3-254 Configuring a traffic policy to implement rate limiting

Device    Interface              VLAN                  Layer 3 Interface         IP Address
SwitchA   GigabitEthernet1/0/1   VLAN 10               -                         -
SwitchA   GigabitEthernet1/0/2   VLAN 20               -                         -
SwitchA   GigabitEthernet1/0/3   VLAN 10 and VLAN 20   -                         -
Switch    GigabitEthernet1/0/1   VLAN 10 and VLAN 20   VLANIF 10 and VLANIF 20   VLANIF 10: 192.168.1.1/24, VLANIF 20: 192.168.2.1/24
Switch    GigabitEthernet1/0/2   VLAN 30               VLANIF 30                 10.1.20.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol to implement
interworking between the company and external network.
2. Configure an ACL on the Switch to match traffic from a specified network
segment.
3. Configure a traffic classifier on the Switch to classify packets based on the
ACL.
4. Configure a traffic behavior on the Switch to limit the rate of matched traffic.
5. Configure a traffic policy on the Switch, bind the traffic policy to the traffic
classifier and traffic behavior, and apply the traffic policy to GE1/0/1
connected to SwitchA in the inbound direction to implement rate limiting.

Procedure
Step 1 Create VLANs, and configure interfaces and a routing protocol.
# Configure the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 //Create VLAN 10, VLAN 20, and VLAN 30.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and
VLAN 20.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access //Set the link type of the interface to access.
[Switch-GigabitEthernet1/0/2] port default vlan 30 //Add the interface to VLAN 30.
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface vlanif 10 //Create a VLANIF interface.
[Switch-Vlanif10] ip address 192.168.1.1 255.255.255.0 //Configure an IP address for the VLANIF
interface. The IP address is the gateway address of network segment 192.168.1.0/24.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 255.255.255.0
[Switch-Vlanif20] quit
[Switch] interface vlanif 30 //Create a VLANIF interface.
[Switch-Vlanif30] ip address 10.1.20.2 255.255.255.0 //Configure an IP address for the VLANIF interface to
connect to the router.
[Switch-Vlanif30] quit
[Switch] ip route-static 0.0.0.0 0 10.1.20.1 //Configure a static route pointing to the external network to
implement interworking.

# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Set the link type of the interface to access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN 10.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk //Set the link type of the interface to trunk.
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and VLAN 20.
[SwitchA-GigabitEthernet1/0/3] quit

# Configure the router.
Configure the IP address 10.1.20.1/24 on the interface of the router connected to
the switch.
Step 2 Configure an ACL.
# Configure an ACL on the Switch to match traffic from network segment
192.168.2.0/24.
[Switch] acl 3000
[Switch-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255
[Switch-acl-adv-3000] quit

Step 3 Configure a traffic classifier.


# Configure a traffic classifier on the Switch to classify packets based on the ACL.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match acl 3000
[Switch-classifier-c1] quit

Step 4 Configure a traffic behavior.


# Configure a traffic behavior on the Switch to limit the rate of matched traffic.
[Switch] traffic behavior b1
[Switch-behavior-b1] car cir 2048 pir 4096 //Set the CIR to 2 Mbit/s and PIR to 4 Mbit/s.
[Switch-behavior-b1] statistic enable
[Switch-behavior-b1] quit

Step 5 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy on the Switch, bind the traffic behavior and traffic
classifier to the traffic policy, and apply the traffic policy to the inbound direction
of GE1/0/1 connected to SwitchA.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit

Step 6 Verify the configuration.


# Check the ACL configuration.
[Switch] display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 permit ip source 192.168.2.0 0.0.0.255 (match-counter 0)

# Check the traffic policy configuration.


[Switch] display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Permit
Committed Access Rate:
CIR 2048 (Kbps), PIR 4096 (Kbps), CBS 256000 (byte), PBS 512000 (byte)
Color Mode: color Blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
Statistic: enable

# Check the traffic policy applied to the interface. Packets from network segment
192.168.2.0/24 are green up to 2 Mbit/s (the CIR) and yellow between 2 Mbit/s and
4 Mbit/s; both colors pass. When the rate exceeds 4 Mbit/s (the PIR), the excess is
marked red and discarded, so the forwarded rate is held within 4 Mbit/s.
[Switch] display traffic policy statistics interface gigabitethernet 1/0/1 inbound

Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 3
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 82,455
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Passed | Packets: 53,385
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Dropped | Packets: 29,070
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: -
---------------------------------------------------------------------
Car | Packets: 29,070
| Bytes: -
---------------------------------------------------------------------

----End

Configuration Files
● Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255
#
traffic classifier c1 operator and precedence 5
if-match acl 3000
#
traffic behavior b1
permit
car cir 2048 pir 4096 cbs 256000 pbs 512000 mode color-blind green pass yellow pass red discard
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.20.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1
#
return

● SwitchA configuration file


#
sysname SwitchA
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
#
return

3.16.5 Example for Configuring Rate Limiting in a Specified Time Range
Overview
An ACL contains various matching conditions. You can configure a time range and
reference it in ACL rules so that a rule takes effect only while the time range is
active; the administrator can then apply different policies to the same packets at
different times.
In this example, a basic ACL references a time range and is bound to a traffic
policy that limits the Internet access rate during the specified time range.

Configuration Notes
● This example applies to the following products:
– S2752EI, S2710-SI, S2720-EI, S2750-EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-
LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-
SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300,
S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S,
S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-255, users connect to external network devices through GE2/0/1 of
the switch.

During work hours from 8:30 to 18:00, the Internet access rate of employees needs
to be limited to 4 Mbit/s.

Figure 3-255 Networking for configuring rate limiting in a specified time range

Configuration Roadmap
The traffic policy based on the time range is used to implement rate limiting. The
configuration roadmap is as follows:
1. Configure interfaces so that users can access the Internet through the Switch.
2. Configure a time range and reference the time range in an ACL.
3. Configure an ACL to match traffic passing the device in the specified time
range.
4. Configure a traffic policy to limit the rate of packets matching ACL rules.
5. Apply the traffic policy to GE1/0/1 in the inbound direction.

Procedure
Step 1 Create a VLAN and configure interfaces.

# Create VLAN 10 on the Switch.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10
[Switch-vlan10] quit

# Configure GE1/0/1 and GE2/0/1 on the Switch as trunk interfaces and add them
to VLAN 10.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet2/0/1] quit

NOTE

Configure the interface of the LSW connected to the Switch as a trunk interface and add it
to VLAN 10.

# Create VLANIF 10 and set its IP address to 192.168.1.1/24.


[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 192.168.1.1 24
[Switch-Vlanif10] quit

NOTE

On the router, set the IP address of the interface connected to the Switch to 192.168.1.2/24,
and configure a sub-interface on the interface to terminate the VLAN.

Step 2 Create a periodic time range working_time that covers work hours, 08:30 to
18:00 on working days (Monday to Friday).
[Switch] time-range working_time 08:30 to 18:00 working-day //Define the work hours.

Step 3 Configure ACL 2001 and define three rules to limit the bandwidth of packets from
192.168.1.10, 192.168.1.11, and 192.168.1.12 during work hours.
[Switch] acl number 2001
[Switch-acl-basic-2001] rule permit source 192.168.1.10 0 time-range working_time //Limit the rate of packets from 192.168.1.10 during work hours.
[Switch-acl-basic-2001] rule permit source 192.168.1.11 0 time-range working_time //Limit the rate of packets from 192.168.1.11 during work hours.
[Switch-acl-basic-2001] rule permit source 192.168.1.12 0 time-range working_time //Limit the rate of packets from 192.168.1.12 during work hours.
[Switch-acl-basic-2001] quit
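To make the matching semantics of these rules concrete, the following Python is an added example (not code from this guide or from Huawei) that evaluates ACL 2001 above and ACL 3000 from 3.16.4 against a source address and a timestamp: wildcard masks work inversely to subnet masks (a 0 bit must match, a 1 bit is ignored, and a bare 0 means an exact host), and a rule whose time range is inactive matches nothing, so the traffic policy does not police that traffic outside work hours. The TimeRange and SourceRule types, the sample addresses and timestamps, and the treatment of the time-range end time as inclusive are my assumptions.

```python
"""Evaluate Huawei-style ACL source rules (wildcard mask + optional time range).
Added example, not code from the configuration guide; the TimeRange and
SourceRule types are mine, and the time-range end time is treated as inclusive."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional, Sequence

WORKING_DAYS = frozenset({0, 1, 2, 3, 4})  # Monday..Friday, what `working-day` denotes


@dataclass(frozen=True)
class TimeRange:
    name: str
    start: time
    end: time
    days: frozenset = WORKING_DAYS

    def active(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() <= self.end


@dataclass(frozen=True)
class SourceRule:
    """`rule permit [ip] source <base> <wildcard> [time-range <name>]`."""
    base: str
    wildcard: str                      # "0" (exact host) or dotted, e.g. "0.0.0.255"
    time_range: Optional[TimeRange] = None


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard semantics: a 0 bit must match, a 1 bit is don't-care
    (the inverse of a subnet mask). A bare "0" means 0.0.0.0, i.e. an exact host."""
    if wildcard == "0":
        wildcard = "0.0.0.0"
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)


def acl_matches(rules: Sequence[SourceRule], src: str, when) -> bool:
    """True if some rule matches `src` while its time range (if any) is active.
    Rules are tried in configuration order, as with `match-order config`.
    `when` is a datetime or an ISO 8601 string such as "2022-10-26T10:00:00"."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for rule in rules:
        if rule.time_range is not None and not rule.time_range.active(when):
            continue                    # inactive rule: it matches nothing
        if wildcard_match(src, rule.base, rule.wildcard):
            return True
    return False


WORKING_TIME = TimeRange("working_time", time(8, 30), time(18, 0))

# ACL 2001 from this example: three hosts, only during working_time
ACL_2001 = [
    SourceRule("192.168.1.10", "0", WORKING_TIME),
    SourceRule("192.168.1.11", "0", WORKING_TIME),
    SourceRule("192.168.1.12", "0", WORKING_TIME),
]
# ACL 3000 from 3.16.4: the whole 192.168.2.0/24 segment, no time range
ACL_3000 = [SourceRule("192.168.2.0", "0.0.0.255")]

if __name__ == "__main__":
    # constructed sample of (source, timestamp) pairs, not captured traffic
    for src, ts in [("192.168.1.10", "2022-10-26T10:00:00"),   # Wednesday, in hours
                    ("192.168.1.10", "2022-10-29T10:00:00"),   # Saturday
                    ("192.168.1.50", "2022-10-26T10:00:00")]:  # host not in the ACL
        print(src, ts, "policed" if acl_matches(ACL_2001, src, ts) else "not policed")
```

The first sample is policed, the other two are not: the Saturday packet falls outside working_time, and 192.168.1.50 matches no rule at all.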

Step 4 Reference ACL 2001 in a traffic classifier to classify packets.


[Switch] traffic classifier c1
[Switch-classifier-c1] if-match acl 2001
[Switch-classifier-c1] quit

Step 5 Configure a traffic behavior to set the rate limit to 4 Mbit/s.


[Switch] traffic behavior b1
[Switch-behavior-b1] car cir 4096 //Limit the Internet access rate to 4 Mbit/s during work hours.
[Switch-behavior-b1] statistic enable
[Switch-behavior-b1] quit

Step 6 Configure a traffic policy and apply the traffic policy to GE1/0/1 in the inbound
direction.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit

Step 7 Verify the configuration.


# Check the traffic classifier configuration.
[Switch] display traffic classifier user-defined c1
User Defined Classifier Information:
Classifier: c1
Precedence: 5
Operator: OR
Rule(s) : if-match acl 2001

# Check the traffic policy configuration.


[Switch] display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: OR
Behavior: b1
Permit
Committed Access Rate:
CIR 4096 (Kbps), PIR 4096 (Kbps), CBS 770048 (byte), PBS 1282048 (byte)
Color Mode: color Blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
Statistic: enable

# Check the traffic policy applied to the interface. During work hours, when the
rate of matched traffic (packets from 192.168.1.10, 192.168.1.11, and 192.168.1.12)
arriving on GE1/0/1 exceeds 4 Mbit/s, the excess is discarded and the forwarded rate
is held within 4 Mbit/s. Outside the time range the ACL rules do not match, so the
traffic is forwarded without rate limiting.
[Switch] display traffic policy statistics interface gigabitethernet 1/0/1 inbound

Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 3
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 38,761
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Passed | Packets: 25,534
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Dropped | Packets: 13,227
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: -
---------------------------------------------------------------------
Car | Packets: 13,227
| Bytes: -
---------------------------------------------------------------------

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
time-range working_time 08:30 to 18:00 working-day
#
acl number 2001
rule 5 permit source 192.168.1.10 0 time-range working_time
rule 10 permit source 192.168.1.11 0 time-range working_time
rule 15 permit source 192.168.1.12 0 time-range working_time
#
traffic classifier c1 operator or precedence 5
if-match acl 2001
#
traffic behavior b1
permit
car cir 4096 pir 4096 cbs 770048 pbs 1282048 mode color-blind green pass yellow pass red discard
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
traffic-policy p1 inbound
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return

3.16.6 Example for Configuring Rate Limiting Based on VLAN IDs

Overview
In addition to an ACL, a traffic classifier in MQC defines many Layer 2 and Layer 3
matching rules such as the VLAN ID, 802.1p priority, DSCP priority, source MAC
address, and destination MAC address. You can configure different traffic
classifiers on the device to identify packets and configure actions for them such as
rate limiting, statistics, or mirroring.

In this example, traffic classifiers are configured based on VLAN IDs and different
CIR values are configured so that the device allocates different bandwidth to
service flows.

Configuration Notes
● This example applies to the following products:
– S2752EI, S2710-SI, S2720-EI, S2750-EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-
LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-
SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300,
S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S,
S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-256, the Switch connects to the router through GE2/0/1, and the
enterprise connects to the Internet through the Switch and router.

Voice, video, and data services are transmitted in VLAN 120, VLAN 110, and VLAN
100 respectively.

Traffic policing needs to be configured on the Switch to police packets of different
services so that traffic is limited within a proper range, guaranteeing bandwidth of
each service.

Voice, video, and data services have QoS requirements in descending order of
priority. The Switch needs to re-mark DSCP priorities in different service packets so
that the downstream router processes them based on priorities, ensuring QoS of
different services.

Table 3-153 describes the QoS requirements.

Table 3-153 QoS guarantee for uplink traffic on the Switch

Traffic Type   CIR (kbit/s)   PIR (kbit/s)   DSCP Priority
Voice          2000           10000          46 (EF)
Video          4000           10000          30 (AF33)
Data           4000           10000          14 (AF13)

Figure 3-256 Networking of traffic policing

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and configure interfaces so that the enterprise can access the
Internet through the Switch.
2. Configure traffic classifiers on the Switch to classify packets based on VLAN
IDs.
3. Configure traffic behaviors on the Switch to limit the rate of packets and re-
mark DSCP priorities of packets.
4. Configure a traffic policy on the Switch, bind traffic behaviors and traffic
classifiers, and apply the traffic policy to the interface on the Switch
connected to the LSW.

Procedure
Step 1 Create VLANs and configure interfaces.

# Create VLAN 100, VLAN 110, and VLAN 120 on the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 100 110 120

# Configure GE1/0/1 and GE2/0/1 as trunk interfaces and add them to VLAN 100,
VLAN 110, and VLAN 120.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 100 110 120
[Switch-GigabitEthernet2/0/1] quit

Step 2 Configure traffic classifiers.


# Configure traffic classifiers c1, c2, and c3 on the Switch to classify different
service flows based on VLAN IDs.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match vlan-id 120 //Configure a matching rule to match packets with VLAN 120.
[Switch-classifier-c1] quit
[Switch] traffic classifier c2 operator and
[Switch-classifier-c2] if-match vlan-id 110 //Configure a matching rule to match packets with VLAN 110.
[Switch-classifier-c2] quit
[Switch] traffic classifier c3 operator and
[Switch-classifier-c3] if-match vlan-id 100 //Configure a matching rule to match packets with VLAN 100.
[Switch-classifier-c3] quit

Step 3 Configure traffic behaviors.


# Configure traffic behaviors b1, b2, and b3 on the Switch to police service flows
and re-mark priorities of the service flows, and configure traffic statistics.
[Switch] traffic behavior b1
[Switch-behavior-b1] car cir 2000 pir 10000 green pass //Set the CIR of packets with VLAN 120 to 2000 kbit/s and the PIR to 10000 kbit/s.
[Switch-behavior-b1] remark dscp 46 //Re-mark the DSCP priority of packets from VLAN 120 as 46 (EF).
[Switch-behavior-b1] statistic enable //Enable traffic statistics.
[Switch-behavior-b1] quit
[Switch] traffic behavior b2
[Switch-behavior-b2] car cir 4000 pir 10000 green pass
[Switch-behavior-b2] remark dscp 30
[Switch-behavior-b2] statistic enable
[Switch-behavior-b2] quit
[Switch] traffic behavior b3
[Switch-behavior-b3] car cir 4000 pir 10000 green pass
[Switch-behavior-b3] remark dscp 14
[Switch-behavior-b3] statistic enable
[Switch-behavior-b3] quit

Step 4 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy p1 on the Switch, bind the traffic classifiers and traffic
behaviors to the traffic policy, and apply the traffic policy to GE1/0/1 in the
inbound direction to police packets and re-mark the packet priorities.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] classifier c2 behavior b2
[Switch-trafficpolicy-p1] classifier c3 behavior b3
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit
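The following Python model is added here as an illustration of what the car action in behaviours b1 to b3 does; it is not code from the page or from the switch software. It uses the b1 parameters shown in the configuration file (cir 2000, pir 10000, cbs 250000, pbs 1250000) and a constructed flow of 1500-byte packets offered at 20000 kbit/s. Treating the switch's meter as an RFC 2698 colour-blind two-rate three-colour marker, and the packet size and offered rate, are assumptions.

```python
from collections import Counter


class TwoRateMeter:
    """Two-rate, three-colour token-bucket meter in colour-blind mode.

    Models the car parameters of the traffic behaviours above: cir/pir in
    kbit/s, cbs/pbs in bytes. The arithmetic follows RFC 2698 (trTCM);
    treating the switch's meter as an exact trTCM is an assumption."""

    def __init__(self, cir_kbps, pir_kbps, cbs_bytes, pbs_bytes):
        self.cir = cir_kbps * 1000 / 8      # committed rate in bytes per second
        self.pir = pir_kbps * 1000 / 8      # peak rate in bytes per second
        self.cbs = cbs_bytes
        self.pbs = pbs_bytes
        self.tc = float(cbs_bytes)          # committed bucket, starts full
        self.tp = float(pbs_bytes)          # peak bucket, starts full
        self.last = 0.0                     # arrival time of the previous packet

    def mark(self, size, now):
        """Colour one packet of `size` bytes arriving at `now` seconds."""
        elapsed = now - self.last
        self.last = now
        # refill both buckets for the elapsed time, never above the burst size
        self.tc = min(self.cbs, self.tc + self.cir * elapsed)
        self.tp = min(self.pbs, self.tp + self.pir * elapsed)
        if size > self.tp:                  # no peak tokens: exceeds pir
            return "red"
        if size > self.tc:                  # peak tokens only: between cir and pir
            self.tp -= size
            return "yellow"
        self.tp -= size                     # conforming: debits both buckets
        self.tc -= size
        return "green"


# actions attached to each colour by "green pass yellow pass red discard"
ACTION = {"green": "pass", "yellow": "pass", "red": "discard"}


def police_flow(meter, packet_bytes, offered_kbps, duration_s):
    """Offer a constant-rate flow to the meter; return per-colour and
    per-action packet counts, the counterpart of the Passed/Dropped/Car
    counters in the display traffic policy statistics output."""
    interval = packet_bytes * 8 / (offered_kbps * 1000)   # seconds per packet
    colours, actions = Counter(), Counter()
    for i in range(int(duration_s / interval)):
        colour = meter.mark(packet_bytes, i * interval)
        colours[colour] += 1
        actions[ACTION[colour]] += 1
    return colours, actions


if __name__ == "__main__":
    # behaviour b1 as shown in the configuration file:
    # car cir 2000 pir 10000 cbs 250000 pbs 1250000
    meter = TwoRateMeter(2000, 10000, 250000, 1250000)
    # constructed input: 1500-byte packets offered at 20000 kbit/s for 5 s
    colours, actions = police_flow(meter, 1500, 20000, 5)
    print(dict(colours), dict(actions))
```

Over the 5-second run the model passes about 1000 packets green (the committed bucket plus 2000 kbit/s of refill), about 4000 yellow, and discards about 3334 red packets, so the discarded count equals the red count, the same relationship the Dropped and Car counters show in the Step 5 output. A flow offered below the CIR stays entirely green.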

Step 5 Verify the configuration.


# Check the traffic classifier configuration.
[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c2
Precedence: 10
Operator: AND
Rule(s) : if-match vlan-id 110

Classifier: c3

Precedence: 15
Operator: AND
Rule(s) : if-match vlan-id 100

Classifier: c1
Precedence: 5
Operator: AND
Rule(s) : if-match vlan-id 120

Total classifier number is 3

# Check the configuration of the traffic policy p1.


[Switch] display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c2
Operator: AND
Behavior: b2
Permit
Committed Access Rate:
CIR 4000 (Kbps), PIR 10000 (Kbps), CBS 500000 (byte), PBS 1250000 (byte)
Color Mode: color Blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
Remark:
Remark DSCP af33
Statistic: enable
Classifier: c3
Operator: AND
Behavior: b3
Permit
Committed Access Rate:
CIR 4000 (Kbps), PIR 10000 (Kbps), CBS 500000 (byte), PBS 1250000 (byte)
Color Mode: color Blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
Remark:
Remark DSCP af13
Statistic: enable
Classifier: c1
Operator: AND
Behavior: b1
Permit
Committed Access Rate:
CIR 2000 (Kbps), PIR 10000 (Kbps), CBS 250000 (byte), PBS 1250000 (byte)
Color Mode: color Blind
Conform Action: pass
Yellow Action: pass
Exceed Action: discard
Remark:
Remark DSCP ef
Statistic: enable

# Check information about the traffic policy that is applied to the interface. Voice
packets on GE1/0/1 are used as an example. When the rate of the voice packets
exceeds 10000 kbit/s, packet loss occurs, so the rate of voice packets is limited
to 10000 kbit/s. In the output, the Dropped counter equals the Car counter, which
shows that the drops come from the CAR action and not from a filter.
[Switch] display traffic policy statistics interface gigabitethernet 1/0/1 inbound verbose classifier-base class c1

Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 3
Current status: success
Statistics interval: 300

---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 49,491
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Passed | Packets: 40,971
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Dropped | Packets: 8,520
| Bytes: -
| Rate(pps): 0
| Rate(bps): -
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: -
---------------------------------------------------------------------
Car | Packets: 8,520
| Bytes: -
---------------------------------------------------------------------

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 100 110 120
#
traffic classifier c1 operator and precedence 5
if-match vlan-id 120
traffic classifier c2 operator and precedence 10
if-match vlan-id 110
traffic classifier c3 operator and precedence 15
if-match vlan-id 100
#
traffic behavior b1
permit
car cir 2000 pir 10000 cbs 250000 pbs 1250000 mode color-blind green pass yellow pass red discard
remark dscp ef
statistic enable
traffic behavior b2
permit
car cir 4000 pir 10000 cbs 500000 pbs 1250000 mode color-blind green pass yellow pass red discard
remark dscp af33
statistic enable
traffic behavior b3
permit
car cir 4000 pir 10000 cbs 500000 pbs 1250000 mode color-blind green pass yellow pass red discard
remark dscp af13
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
classifier c2 behavior b2
classifier c3 behavior b3
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 100 110 120
traffic-policy p1 inbound
#

interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 100 110 120
#
return

3.16.7 Example for Configuring Traffic Shaping (Using DiffServ Domain-Based Priority Mapping)

Overview
Traffic shaping adjusts the rate of outgoing traffic to ensure even transmission.
Traffic shaping uses the buffer and token bucket to control traffic. When packets
are sent at a high rate, traffic shaping caches packets in the buffer and then
evenly sends these cached packets based on the token bucket.
Traffic shaping is often configured on the downstream device to prevent packet
loss caused by congestion. For example, the headquarters connects to its branch
through a leased line that has finite bandwidth. Traffic policing is configured on
the headquarters edge device to limit the packet sending rate. In this situation,
traffic shaping can be configured on the branch edge device to cache excess
packets, preventing packet loss.

Configuration Notes
● This example applies to the following products:
– S5700-HI, S5710-EI, S5720-EI, S5710-HI, S5720-HI, S5730-HI, S5731-H,
S5731-S, S5731S-S, S5731S-H, S5732-H
– S6700-EI, S6720-EI, S6720S-EI, S6720-HI, S6730-H, S6730-S, S6730S-S,
S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-257, the Switch is connected to the router through GE2/0/1. The
802.1p priorities of voice, video, and data services are 6, 5, and 2, respectively, and
these services can reach residential users through the router and Switch. The
transmission rate of traffic from the user LAN is higher than the transmission rate
of traffic from the router; therefore, jitter may occur on GE2/0/1. To prevent jitter
and ensure bandwidth of services, ensure that:
● The CIR of the interface is 10000 kbit/s.
● The CIR and PIR for the voice service are 3000 kbit/s and 5000 kbit/s
respectively.
● The CIR and PIR for the video service are 5000 kbit/s and 8000 kbit/s
respectively.
● The CIR and PIR for the data service are 2000 kbit/s and 3000 kbit/s
respectively.

Figure 3-257 Networking of traffic shaping

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces so that users can access the Internet
through the Switch.
2. Configure priority mapping to map 802.1p priorities of different service
packets to PHBs.
3. Configure traffic shaping on an interface to limit the total bandwidth of the
interface.
4. Configure traffic shaping on queues of the interface to limit the bandwidth of
voice, video, and data services.

Procedure
Step 1 Create a VLAN and configure interfaces.
# Create VLAN 10.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10

# Configure GE1/0/1 and GE2/0/1 as trunk interfaces and add them to VLAN 10.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet2/0/1] quit

# Create VLANIF 10 and set its IP address to 10.10.10.2/24.


[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.10.10.2 255.255.255.0
[Switch-Vlanif10] quit

NOTE

On the router, set the IP address of the interface connected to the Switch to 10.10.10.1/24,
and configure a sub-interface on the interface to terminate the VLAN.

Step 2 Configure priority mapping.

# Create a DiffServ domain ds1 to map 802.1p priorities 6, 5, and 2 to PHBs CS7,
EF, and AF2 respectively.
[Switch] diffserv domain ds1
[Switch-dsdomain-ds1] 8021p-inbound 6 phb cs7 //Map the 802.1p priorities of different service flows to PHBs so that the service flows enter different queues.
[Switch-dsdomain-ds1] 8021p-inbound 5 phb ef
[Switch-dsdomain-ds1] 8021p-inbound 2 phb af2
[Switch-dsdomain-ds1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] trust upstream ds1
[Switch-GigabitEthernet1/0/1] quit

Step 3 Configure traffic shaping on an interface.

# Configure traffic shaping on an interface of the Switch to limit the CIR of the
interface to 10000 kbit/s.
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] qos lr cir 10000 outbound //Configure interface-based rate limiting in the outbound direction to limit the total bandwidth.

Step 4 Configure traffic shaping on queues of the interface.

# Configure traffic shaping on queues of the interface on the Switch to set the CIR
values of voice, video, and data services to 3000 kbit/s, 5000 kbit/s, and 2000
kbit/s respectively and their PIR values to 5000 kbit/s, 8000 kbit/s, and 3000 kbit/s
respectively.
[Switch-GigabitEthernet2/0/1] qos queue 7 shaping cir 3000 pir 5000 //Set the bandwidth of voice packets entering queue 7 to 3000 kbit/s according to the default mapping between PHBs and local priorities.
[Switch-GigabitEthernet2/0/1] qos queue 5 shaping cir 5000 pir 8000
[Switch-GigabitEthernet2/0/1] qos queue 2 shaping cir 2000 pir 3000
[Switch-GigabitEthernet2/0/1] quit
[Switch] quit

Step 5 Verify the configuration.

# Check the configuration of the DiffServ domain ds1.


<Switch> display diffserv domain name ds1
diffserv domain name:ds1
8021p-inbound 0 phb be green
8021p-inbound 1 phb af1 green
8021p-inbound 2 phb af2 green
8021p-inbound 3 phb af3 green
8021p-inbound 4 phb af4 green
8021p-inbound 5 phb ef green
8021p-inbound 6 phb cs7 green
8021p-inbound 7 phb cs7 green
8021p-outbound be green map 0
......

# After the configuration is complete, the CIR of packets sent from GE2/0/1 is
10000 kbit/s; the CIR of the voice service packets is 3000 kbit/s and PIR is 5000
kbit/s; the CIR of the video service packets is 5000 kbit/s and the PIR is 8000
kbit/s; the CIR of the data service packets is 2000 kbit/s and the PIR is 3000 kbit/s.

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
diffserv domain ds1
8021p-inbound 6 phb cs7 green
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10
trust upstream ds1
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
qos lr cir 10000 cbs 1250000 outbound
qos queue 2 shaping cir 2000 pir 3000
qos queue 5 shaping cir 5000 pir 8000
qos queue 7 shaping cir 3000 pir 5000
#
return

3.16.8 Example for Configuring Traffic Shaping (Based on 802.1p Priority Trust)

Overview
Traffic shaping adjusts the rate of outgoing traffic to ensure even transmission.
Traffic shaping uses the buffer and token bucket to control traffic. When packets
are sent at a high rate, traffic shaping caches packets in the buffer and then
evenly sends these cached packets based on the token bucket.

Traffic shaping is often configured on the downstream device to prevent packet
loss caused by congestion. For example, the headquarters connects to its branch
through a leased line that has finite bandwidth. Traffic policing is configured on
the headquarters edge device to limit the packet sending rate. In this situation,
traffic shaping can be configured on the branch edge device to cache excess
packets, preventing packet loss.

Configuration Notes
● This example applies to the following products:
– S2752EI, S2720-EI, S2750-EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5710-C-LI, S5710-X-LI, S5720-
LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI,
S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1,
S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
– S6720-LI, S6720S-LI, S6720-SI, S6720S-SI
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-258, the Switch is connected to the router through GE0/0/2. The
802.1p priorities of voice, video, and data services are 6, 5, and 2, respectively, and
these services can reach residential users through the router and Switch. The
transmission rate of traffic from the user LAN is higher than the transmission rate
of traffic from the router; therefore, jitter may occur on GE0/0/2. To prevent jitter
and ensure bandwidth of services, ensure that:

● The CIR of the interface is 10000 kbit/s.
● The CIR and PIR for the voice service are 3000 kbit/s and 5000 kbit/s
respectively.
● The CIR and PIR for the video service are 5000 kbit/s and 8000 kbit/s
respectively.
● The CIR and PIR for the data service are 2000 kbit/s and 3000 kbit/s
respectively.

Figure 3-258 Networking of traffic shaping

Configuration Roadmap
The configuration roadmap is as follows:
1. Create a VLAN and configure interfaces so that users can access the Internet
through the Switch.
2. Configure an interface to trust 802.1p priorities of packets.
3. Configure traffic shaping on an interface to limit the bandwidth of the
interface.
4. Configure traffic shaping on queues of the interface to limit the bandwidth of
voice, video, and data services.

Procedure
Step 1 Create a VLAN and configure interfaces.

# Create VLAN 10.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10

# Configure GE0/0/1 and GE0/0/2 as trunk interfaces and add them to VLAN 10.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
[Switch-GigabitEthernet0/0/2] quit

# Create VLANIF 10 and set its IP address to 10.10.10.2/24.


[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.10.10.2 255.255.255.0
[Switch-Vlanif10] quit

NOTE

On the router, set the IP address of the interface connected to the Switch to 10.10.10.1/24,
and configure a sub-interface on the interface to terminate the VLAN.

Step 2 Configure an interface to trust packet priorities.

# Configure an interface to trust 802.1p priorities of packets.


[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] trust 8021p //Configure the interface to trust 802.1p priorities. That is, packets enter different queues according to the default mapping between 802.1p priorities and local priorities.
[Switch-GigabitEthernet0/0/1] quit

Step 3 Configure traffic shaping on an interface.

# Configure traffic shaping on an interface of the Switch to limit the CIR of the
interface to 10000 kbit/s.
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] qos lr outbound cir 10000 //Configure interface-based rate limiting in the outbound direction to limit the total bandwidth.

Step 4 Configure traffic shaping on queues of the interface.


# Configure traffic shaping on queues of the interface on the Switch to set the CIR
values of voice, video, and data services to 3000 kbit/s, 5000 kbit/s, and 2000
kbit/s respectively and their PIR values to 5000 kbit/s, 8000 kbit/s, and 3000 kbit/s
respectively.
[Switch-GigabitEthernet0/0/2] qos queue 6 shaping cir 3000 pir 5000 //Set the CIR of voice packets in queue 6 to 3000 kbit/s.
[Switch-GigabitEthernet0/0/2] qos queue 5 shaping cir 5000 pir 8000
[Switch-GigabitEthernet0/0/2] qos queue 2 shaping cir 2000 pir 3000
[Switch-GigabitEthernet0/0/2] quit
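To show what the queue shaping configured in Step 3 and Step 4 of this example (and of 3.16.7) does with a burst, here is an added Python model of a token-bucket shaper with a bounded buffer. It is not code from the page or from the switch: the 3000 kbit/s rate is the voice queue's CIR from the page, while the 15000-byte burst size, the 64-packet buffer, the single-rate bucket (the PIR of queue shaping is not modelled) and the constructed 100-packet burst are assumptions.

```python
from collections import deque


def shape(arrivals, cir_kbps, cbs_bytes, buffer_pkts):
    """Single-rate token-bucket shaper with a bounded buffer.

    arrivals: list of (arrival_time_s, size_bytes) in arrival order.
    Returns (sent, dropped): sent is a list of (arrival, departure) for every
    packet that left the interface; dropped is the number of packets that
    found the buffer full. Modelling assumption: one bucket at the cir."""
    rate = cir_kbps * 1000 / 8          # bytes per second
    tokens = float(cbs_bytes)           # bucket starts full
    last_dep = 0.0                      # time the bucket level was last updated
    pending = deque()                   # departure times of packets still buffered
    sent, dropped = [], 0
    for arr, size in arrivals:
        while pending and pending[0] <= arr:   # these have left the buffer by now
            pending.popleft()
        if len(pending) >= buffer_pkts:        # buffer full: tail drop
            dropped += 1
            continue
        # earliest moment the bucket holds enough tokens for this packet
        ready = last_dep if tokens >= size else last_dep + (size - tokens) / rate
        dep = max(arr, ready)
        tokens = min(cbs_bytes, tokens + rate * (dep - last_dep)) - size
        last_dep = dep
        sent.append((arr, dep))
        if dep > arr:                          # delayed: it occupies the buffer
            pending.append(dep)
    return sent, dropped


def departure_gaps(sent):
    """Time between consecutive departures; constant gaps mean the burst
    was smoothed to the shaping rate, which is what removes the jitter."""
    deps = [d for _, d in sent]
    return [b - a for a, b in zip(deps, deps[1:])]


if __name__ == "__main__":
    # constructed input: a burst of 100 packets of 1500 bytes arriving at once,
    # shaped to the voice queue's cir of 3000 kbit/s with an assumed cbs of
    # 15000 bytes and a 64-packet buffer (neither value is from the page)
    sent, dropped = shape([(0.0, 1500)] * 100, 3000, 15000, 64)
    print(len(sent), "sent,", dropped, "dropped, last departure at",
          round(sent[-1][1], 3), "s")
```

With these values the first ten packets leave immediately on the initial bucket, the next 64 are buffered and released one every 4 ms (1500 bytes at 375000 bytes per second), and the remaining 26 are dropped because the buffer is full; a flow that already arrives below the shaping rate is never delayed. The buffer bound is the part worth watching in practice: shaping trades loss for delay only up to the buffer size, after which it drops like a policer.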

Step 5 Verify the configuration.


# After the configuration is complete, the CIR of packets sent from GE0/0/2 is
10000 kbit/s; the CIR of the voice service packets is 3000 kbit/s and PIR is 5000
kbit/s; the CIR of the video service packets is 5000 kbit/s and the PIR is 8000
kbit/s; the CIR of the data service packets is 2000 kbit/s and the PIR is 3000 kbit/s.

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
trust 8021p
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10
qos lr outbound cir 10000 cbs 1250000
qos queue 2 shaping cir 2000 pir 3000
qos queue 5 shaping cir 5000 pir 8000
qos queue 6 shaping cir 3000 pir 5000
#
return

3.16.9 Example for Configuring Congestion Management (Schedule Template Mode)

Overview
Congestion management implements queuing and scheduling when sending
packet flows. The device provides the following congestion management
technologies: Priority Queuing (PQ), Weighted Deficit Round Robin (WDRR),
Weighted Round Robin (WRR), PQ+WDRR, and PQ+WRR. The device has eight
queues on each interface in the outbound direction, which are identified by index
numbers 0 to 7. Based on the mappings between local priorities and queues, the
device sends the classified packets to queues, and then schedules the packets
using queue scheduling mechanisms.
This example uses PQ+WRR to implement congestion management. In WRR
scheduling, the device performs scheduling in a polling manner according to the
weight of each queue. The number of times packets are scheduled in each queue
is directly proportional to the weight of the queue. A higher weight indicates
more packet scheduling times.

Configuration Notes
● This example applies to the following products:
– S2720-EI, S2750-EI
– S5700-LI, S5700S-LI, S5700-SI, S5710-C-LI, S5710-X-LI, S5720-LI, S5720S-
LI, S5720-SI, S5720S-SI, S5720I-SI, S5730-SI, S5730S-EI, S5736-S
– S6720-LI, S6720S-LI, S6720-SI, S6720S-SI
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-259, the Switch is connected to the router through GE0/0/3. The
802.1p priorities of voice, video, and data services are 7, 5, and 2, respectively, and
these services can reach residential users through the router and Switch. To reduce
the impact of network congestion and ensure bandwidth for high-priority and
delay-sensitive services, set parameters according to the following table.

Table 3-154 Congestion management parameters

Service Type    CoS Value    WRR Weight
Voice           CS7          0
Video           EF           20
Data            AF2          10

Figure 3-259 Networking of congestion management

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VLAN for each interface so that devices can communicate with
each other at the link layer.
2. Configure an interface to trust 802.1p priorities of packets.
3. Configure a scheduling profile and apply the scheduling profile to the
interface.

Procedure
Step 1 Configure a VLAN for each interface so that devices can communicate with each
other at the link layer.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20 30
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20 30
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20 30
[Switch-GigabitEthernet0/0/3] quit

Step 2 Configure an interface to trust 802.1p priorities of packets.


[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] trust 8021p //Configure the interface to trust 802.1p priorities. That is, packets enter different queues according to the default mapping between 802.1p priorities and local priorities.
[Switch-GigabitEthernet0/0/3] quit

Step 3 Configure congestion management.


# Create a scheduling profile and set queue scheduling parameters. By default,
WRR is used.
[Switch] qos schedule-profile p1
[Switch-qos-schedule-profile-p1] qos queue 7 wrr weight 0 //Set the weight of queue 7 to 0 and configure PQ for queue 7.
[Switch-qos-schedule-profile-p1] qos queue 5 wrr weight 20 //Set the WRR weight of queue 5 to 20.
[Switch-qos-schedule-profile-p1] qos queue 2 wrr weight 10 //Set the WRR weight of queue 2 to 10. The weight ratio of queue 5 and queue 2 is 2:1.
[Switch-qos-schedule-profile-p1] quit

# Apply the scheduling profile to GE 0/0/1 and GE 0/0/2 of the Switch.


[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] qos schedule-profile p1 //Apply the scheduling profile to GE0/0/1.
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] qos schedule-profile p1 //Apply the scheduling profile to GE0/0/2.
[Switch-GigabitEthernet0/0/2] quit

Step 4 Verify the configuration.


# Check the scheduling profile and queue scheduling parameters.
[Switch] qos schedule-profile p1
[Switch-qos-schedule-profile-p1] display this
#
qos schedule-profile p1
qos queue 2 wrr weight 10
qos queue 5 wrr weight 20
qos queue 7 wrr weight 0
#
return

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30
qos schedule-profile p1
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 30
qos schedule-profile p1
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20 30
trust 8021p
#
qos schedule-profile p1
qos queue 2 wrr weight 10
qos queue 5 wrr weight 20
qos queue 7 wrr weight 0
#
return

3.16.10 Example for Configuring Congestion Avoidance and Congestion Management (Using WRR Scheduling and an SRED Policy)

Overview
Congestion management implements queuing and scheduling when sending
packet flows. The device provides the following congestion management
technologies: Priority Queuing (PQ), Weighted Deficit Round Robin (WDRR),
Weighted Round Robin (WRR), PQ+WDRR, and PQ+WRR. The device has eight
queues on each interface in the outbound direction, which are identified by index
numbers 0 to 7. Based on the mappings between local priorities and queues, the
device sends the classified packets to queues, and then schedules the packets
using queue scheduling mechanisms.

Congestion avoidance is a flow control mechanism. A system configured with
congestion avoidance monitors network resource usage such as queues and
memory buffers. When congestion occurs or aggravates, the system discards
packets. Congestion avoidance uses tail drop and random drop policies to discard
packets. Random drop policies include the Simple Random Early Detection (SRED)
and Weighted Random Early Detection (WRED).

This example uses WRR scheduling to implement congestion management. In
WRR scheduling, the device performs scheduling in a polling manner according to
the weight of each queue. The number of times packets are scheduled in each
queue is directly proportional to the weight of this queue. A higher weight
indicates more times packets are scheduled. SRED is configured to implement
congestion avoidance. The device discards excess traffic according to the
maximum drop probability.

Configuration Notes
● This example applies to the following products:
– S2752EI, S2710-SI
– S3700-SI, S3700-EI
– S5700-EI
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-260, the Switch is connected to the router through GE0/0/3. The
802.1p priorities of voice, video, and data services are 7, 5, and 2, respectively, and
these services can reach residential users through the router and Switch. To reduce
the impact of network congestion and ensure bandwidth for high-priority and
delay-sensitive services, set parameters according to the following table.

Table 3-155 Congestion avoidance parameters

Service Type    Color     Lower Drop Threshold    Maximum Drop Probability
Voice           Yellow    1000                    0.78125%
                Red       500                     6.25%
Video           Yellow    1000                    0.78125%
                Red       500                     6.25%
Data            Yellow    1000                    0.78125%
                Red       500                     6.25%

Table 3-156 Congestion management parameters

Service Type    CoS Value    WRR Weight
Voice           CS7          0
Video           EF           20
Data            AF2          10

Figure 3-260 Networking of congestion avoidance and congestion management

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VLAN for each interface so that devices can communicate with
each other at the link layer.
2. Configure an interface to trust 802.1p priorities of packets.
3. Set scheduling parameters of queues.
4. Set SRED drop thresholds and maximum drop probability of queues.

Procedure
Step 1 Configure a VLAN for each interface so that devices can communicate with each
other at the link layer.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20 30
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] port link-type trunk
[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 20 30
[Switch-GigabitEthernet0/0/2] quit
[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] port link-type trunk
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 10 20 30
[Switch-GigabitEthernet0/0/3] quit

Step 2 Configure an interface to trust 802.1p priorities of packets.


[Switch] interface gigabitethernet 0/0/3
[Switch-GigabitEthernet0/0/3] trust 8021p //Configure the interface to trust 802.1p priorities. That is, packets enter different queues according to the default mapping between 802.1p priorities and local priorities.
[Switch-GigabitEthernet0/0/3] quit

Step 3 Configure congestion avoidance.


# Set SRED drop thresholds and maximum drop probability of queues.
[Switch] qos sred queue 2 red 500 discard-probability 1 yellow 1000 discard-probability 4 //Set the drop threshold and maximum drop probability for red and yellow packets in queue 2. That is, when there are more than 500 red packets, the device discards extra red packets according to the ratio of 6.25%. When there are more than 1000 yellow packets, the device discards extra yellow packets according to the ratio of 0.78125%.
[Switch] qos sred queue 5 red 500 discard-probability 1 yellow 1000 discard-probability 4
[Switch] qos sred queue 7 red 500 discard-probability 1 yellow 1000 discard-probability 4
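The following Python model is added here to show how the SRED thresholds and discard-probability indexes above act on a queue; it is not code from the page or from the switch software. The thresholds and the index-to-probability mapping (1 = 6.25%, 4 = 0.78125%) come from Table 3-155 and the command comment above. That dropping starts once the number of queued packets of a colour reaches that colour's threshold, and that green packets are never dropped by SRED in this configuration, are modelling assumptions.

```python
import random

# Maximum drop probabilities for the discard-probability index values used on
# this page (Table 3-155: index 1 = 6.25 %, index 4 = 0.78125 %). Other index
# values are not documented here, so they are deliberately left out.
DROP_PROBABILITY = {1: 0.0625, 4: 0.0078125}


class SredQueue:
    """One egress queue with SRED: once the number of queued packets of a colour
    reaches that colour's lower drop threshold, further packets of the colour
    are dropped with the colour's maximum drop probability. Green packets have
    no threshold in this example and are always admitted (assumption)."""

    def __init__(self, red_threshold, red_index, yellow_threshold, yellow_index):
        self.policy = {
            "red": (red_threshold, DROP_PROBABILITY[red_index]),
            "yellow": (yellow_threshold, DROP_PROBABILITY[yellow_index]),
        }
        self.depth = {"green": 0, "yellow": 0, "red": 0}     # packets queued per colour
        self.dropped = {"green": 0, "yellow": 0, "red": 0}   # packets dropped per colour

    def enqueue(self, colour, draw=random.random):
        """Admit or drop one packet; draw() returns a uniform value in [0, 1)."""
        if colour in self.policy:
            threshold, probability = self.policy[colour]
            if self.depth[colour] >= threshold and draw() < probability:
                self.dropped[colour] += 1
                return False
        self.depth[colour] += 1
        return True

    def dequeue(self, colour):
        """The scheduler transmits one queued packet of the given colour."""
        if self.depth[colour] == 0:
            return False
        self.depth[colour] -= 1
        return True


def offer(queue, colour, count, draw=random.random):
    """Offer `count` packets of one colour with no transmissions in between
    (a congested interface); return how many of them SRED dropped."""
    before = queue.dropped[colour]
    for _ in range(count):
        queue.enqueue(colour, draw)
    return queue.dropped[colour] - before


def seeded_draws(seed):
    """Reproducible uniform draws for experiments."""
    return random.Random(seed).random


if __name__ == "__main__":
    # queue 2 as configured above:
    # qos sred queue 2 red 500 discard-probability 1 yellow 1000 discard-probability 4
    q = SredQueue(red_threshold=500, red_index=1, yellow_threshold=1000, yellow_index=4)
    draw = seeded_draws(7)
    print("red drops below the threshold:", offer(q, "red", 500, draw))
    print("red drops for 16000 more (about 6.25 %):", offer(q, "red", 16000, draw))
```

The two probabilities in Table 3-155 are 1/16 and 1/128, so the index appears to select a power-of-two fraction; the model does not rely on that reading and only carries the two values the page gives. Because red packets are dropped far more aggressively than yellow ones, the colour a packet received from the upstream CAR (see 3.16.6) decides how it fares here, which is why marking and SRED are normally designed together.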

Step 4 Configure congestion management.


# Set the scheduling mode of each queue on GE0/0/1 and GE0/0/2 on the Switch.
By default, WRR is used.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] qos queue 7 wrr weight 0 //Set the WRR weight of queue 7 to 0 and use PQ scheduling.
[Switch-GigabitEthernet0/0/1] qos queue 5 wrr weight 20 //Set the WRR weight of queue 5 to 20.
[Switch-GigabitEthernet0/0/1] qos queue 2 wrr weight 10 //Set the WRR weight of queue 2 to 10. The device schedules packets in queue 5 and queue 2 according to the ratio of 2:1.
[Switch-GigabitEthernet0/0/1] quit
[Switch] interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2] qos queue 7 wrr weight 0
[Switch-GigabitEthernet0/0/2] qos queue 5 wrr weight 20
[Switch-GigabitEthernet0/0/2] qos queue 2 wrr weight 10
[Switch-GigabitEthernet0/0/2] quit
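The PQ+WRR scheduling configured in this step, and in Step 3 of 3.16.9 where the same weights are set in a schedule profile, is illustrated by the added Python model below; it is not code from the page or from the switch. The weights come from the page and weight 0 meaning strict priority is what the command comments state. The identity mapping from 802.1p priority to queue index, the interpretation of a weight as a number of packets per round, and the constructed packet mix are assumptions.

```python
from collections import deque

# queue weights from the page (schedule profile p1 in 3.16.9, per-interface
# qos queue commands here): queue index -> wrr weight; 0 marks a PQ queue
PROFILE = {7: 0, 5: 20, 2: 10}


def schedule(packets, weights=PROFILE):
    """Drain the queues and return the dequeue order as (queue, packet_id) pairs.

    packets: iterable of (dot1p, packet_id). Each packet is placed in the queue
    whose index equals its 802.1p priority, the identity mapping the examples
    imply under "trust 8021p" (an assumption). PQ queues are drained first,
    highest index first; the remaining queues are then served in WRR rounds,
    each sending up to `weight` packets per round (weight counted in packets,
    a simplification of the switch's WRR)."""
    queues = {q: deque() for q in weights}
    for dot1p, pid in packets:
        if dot1p not in queues:
            raise ValueError(f"no weight configured for queue {dot1p}")
        queues[dot1p].append(pid)
    order = []
    for q in sorted((q for q, w in weights.items() if w == 0), reverse=True):
        while queues[q]:                       # strict priority: drain completely
            order.append((q, queues[q].popleft()))
    wrr = sorted((q for q, w in weights.items() if w > 0), reverse=True)
    while any(queues[q] for q in wrr):
        for q in wrr:                          # one WRR round
            for _ in range(weights[q]):
                if not queues[q]:
                    break
                order.append((q, queues[q].popleft()))
    return order


def served_share(order, start, stop):
    """Packets dequeued per queue within order[start:stop]."""
    share = {}
    for q, _ in order[start:stop]:
        share[q] = share.get(q, 0) + 1
    return share


if __name__ == "__main__":
    # constructed input: 3 voice (802.1p 7), 40 video (5) and 40 data (2) packets
    packets = [(7, f"voice{i}") for i in range(3)]
    packets += [(5, f"video{i}") for i in range(40)]
    packets += [(2, f"data{i}") for i in range(40)]
    order = schedule(packets)
    print("first three:", [q for q, _ in order[:3]])
    print("first WRR round:", served_share(order, 3, 33))
```

With this input the three voice packets leave first, then each WRR round sends 20 video and 10 data packets (the 2:1 ratio from the command comment) until the video queue empties, after which the data queue takes every slot. The flip side of weight 0 is starvation: a PQ queue that never drains gets every slot, so the lower queues see nothing. Bounding the PQ queue with per-queue shaping, as the traffic shaping examples do for the voice queue, limits how much bandwidth a misbehaving high-priority flow can take.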

Step 5 Verify the configuration.


# Check the global SRED configuration of the interface queue in the outbound
direction.
[Switch] display qos sred
Current sred configuration:
qos sred queue-index 2 red 500 discard-probability 1 yellow 1000 discard-probability 4
qos sred queue-index 5 red 500 discard-probability 1 yellow 1000 discard-probability 4
qos sred queue-index 7 red 500 discard-probability 1 yellow 1000 discard-probability 4

----End

Configuration Files
Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30
#
qos sred queue 2 red 500 discard-probability 1 yellow 1000 discard-probability 4
qos sred queue 5 red 500 discard-probability 1 yellow 1000 discard-probability 4
qos sred queue 7 red 500 discard-probability 1 yellow 1000 discard-probability 4
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10 20 30
qos queue 2 wrr weight 10
qos queue 5 wrr weight 20
qos queue 7 wrr weight 0
#
interface GigabitEthernet0/0/2
port link-type trunk
port trunk allow-pass vlan 10 20 30
qos queue 2 wrr weight 10
qos queue 5 wrr weight 20
qos queue 7 wrr weight 0
#
interface GigabitEthernet0/0/3
port link-type trunk
port trunk allow-pass vlan 10 20 30
trust 8021p
#
return

3.16.11 Example for Configuring Congestion Avoidance and Congestion Management (Using PQ+WDRR Scheduling and a WRED Profile)

Overview
Congestion management implements queuing and scheduling when sending
packet flows. Based on the queuing and scheduling policies, the device provides
the following congestion management technologies: Priority Queuing (PQ),
Weighted Deficit Round Robin (WDRR), Weighted Round Robin (WRR), PQ
+WDRR, and PQ+WRR. The device has eight queues on each interface in the
outbound direction, which are identified by index numbers 0 to 7. Based on the
mappings between local priorities and queues, the device sends the classified
packets to queues, and then schedules the packets using queue scheduling
mechanisms.

Congestion avoidance is a flow control mechanism. A system configured with congestion avoidance monitors network resource usage such as queues and memory buffers. When congestion occurs or worsens, the system discards packets. Congestion avoidance uses tail drop and random drop policies to discard packets. Random drop policies include Simple Random Early Detection (SRED) and Weighted Random Early Detection (WRED).

This example uses PQ+WDRR scheduling to implement congestion management. In WRR scheduling, the number of times packets in a queue are scheduled is directly proportional to the weight of that queue: a higher weight means the queue is scheduled more often. Because WRR counts packets rather than bytes, a queue carrying large packets obtains more bandwidth than its weight implies. WDRR takes packet length into account, so each queue receives bandwidth in proportion to its weight regardless of packet size. WRED is configured to implement congestion avoidance: the device discards excess traffic according to the maximum drop probability.
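The WRR-versus-WDRR contrast above, as an added simulation that is not part of the original example: it runs one constructed backlog through PQ+WRR and PQ+WDRR using the queue indexes and weights of Table 3-158 (queue 5 = voice with weight 0, queue 3 = video with weight 100, queue 1 = data with weight 50) and reports the bytes each queue gets to send. The packet sizes, packet counts and the WDRR quantum are assumptions, not device values.

```python
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field

# Added example, not Huawei's code: a packet-level model of PQ+WRR and PQ+WDRR.
# Weight 0 means strict priority (PQ), as in the fixed-switch configuration on
# the page. Packet sizes/counts and the WDRR quantum are constructed values.


@dataclass
class Queue:
    index: int
    weight: int                                  # WRR/WDRR weight; 0 = PQ
    packets: deque = field(default_factory=deque)  # packet lengths in bytes, head first
    deficit: int = 0                             # WDRR byte credit carried between rounds
    sent_bytes: int = 0
    sent_packets: int = 0

    def send_head(self) -> int:
        length = self.packets.popleft()
        self.sent_bytes += length
        self.sent_packets += 1
        return length


def make_queue(index: int, weight: int, packet_size: int, count: int) -> Queue:
    """Constructed backlog: `count` packets of `packet_size` bytes waiting in the queue."""
    return Queue(index, weight, deque([packet_size] * count))


def wrr_round(queues: list[Queue]) -> None:
    """WRR: every weighted queue may send up to `weight` packets per round,
    regardless of packet length."""
    for q in queues:
        for _ in range(q.weight):
            if not q.packets:
                break
            q.send_head()


def wdrr_round(queues: list[Queue], quantum: int) -> None:
    """WDRR: every weighted queue earns weight * quantum bytes of credit per round
    and sends while the credit covers the head packet; unused credit carries over."""
    for q in queues:
        if not q.packets:
            q.deficit = 0          # an idle queue does not bank credit (standard DRR rule)
            continue
        q.deficit += q.weight * quantum
        while q.packets and q.packets[0] <= q.deficit:
            q.deficit -= q.send_head()


def schedule(queues: list[Queue], rounds: int, mode: str, quantum: int = 32) -> dict[int, int]:
    """PQ+WRR or PQ+WDRR: PQ queues (weight 0) are drained before every weighted
    round. Returns bytes sent per queue index."""
    if mode not in ("wrr", "wdrr"):
        raise ValueError("mode must be 'wrr' or 'wdrr'")
    pq = [q for q in queues if q.weight == 0]
    weighted = [q for q in queues if q.weight > 0]
    for _ in range(rounds):
        for q in pq:
            while q.packets:
                q.send_head()
        if mode == "wrr":
            wrr_round(weighted)
        else:
            wdrr_round(weighted, quantum)
    return {q.index: q.sent_bytes for q in queues}


def compare_modes(rounds: int = 100) -> dict[str, dict[int, int]]:
    """Same constructed backlog under both modes: video queue 3 carries small
    64-byte packets, data queue 1 carries 1500-byte packets."""
    results = {}
    for mode in ("wrr", "wdrr"):
        queues = [
            make_queue(5, 0, 200, 100),        # voice: PQ, 100 x 200 B
            make_queue(3, 100, 64, 20000),     # video: weight 100, small packets
            make_queue(1, 50, 1500, 10000),    # data: weight 50, large packets
        ]
        results[mode] = schedule(queues, rounds, mode)
    return results


if __name__ == "__main__":
    for mode, sent in compare_modes().items():
        ratio = sent[3] / sent[1]
        print(f"{mode}: voice={sent[5]} B, video={sent[3]} B, data={sent[1]} B, "
              f"video:data={ratio:.2f}")
```

Under WRR the data queue, carrying 1500-byte packets, sends more than ten times the bytes of the video queue although its weight is half; under WDRR the byte ratio settles at the configured 2:1.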

Configuration Notes
● This example applies to the following products:
– S3700-HI
– S5700-HI, S5710-EI, S5720-EI, S5710-HI
– S6700-EI, S6720-EI, S6720S-EI
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● This example does not apply to X series cards because they do not support the qos wred command.
● For the product models whose applicable versions are not listed above, see Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-261, the Switch is connected to the router through GE2/0/1. The
802.1p priorities of voice, video, and data services from the Internet are 6, 5, and
2, respectively, and these services can reach residential users through the router
and Switch. On the Switch, the rate of GE2/0/1 (inbound interface) is higher than
the rates of GE1/0/1 and GE1/0/2 (outbound interfaces), so congestion may occur
on the two outbound interfaces.
To reduce the impact of network congestion and ensure bandwidth for high-priority and delay-sensitive services, set parameters according to Table 3-157 and Table 3-158.

Table 3-157 Congestion avoidance parameters

Service Type   Color    Lower Drop Threshold (%)   Upper Drop Threshold (%)   Maximum Drop Probability (%)
Voice          Green    80                         100                        10
Video          Yellow   60                         80                         20
Data           Red      40                         60                         40

Table 3-158 Congestion management parameters

Service Type   CoS Value   WDRR Weight
Voice          EF          0
Video          AF3         100
Data           AF1         50

Figure 3-261 Networking of congestion avoidance and congestion management

Configuration Roadmap
The configuration roadmap is as follows:
1. Configure a VLAN for each interface so that devices can communicate with
each other at the link layer.
2. Create a DiffServ domain on the Switch to map 802.1p priorities of different
service packets to PHBs and colors, and bind the DiffServ domain to the
inbound interface of the Switch.
3. Configure a WRED profile on the Switch and apply the WRED profile to the
outbound interfaces.
4. Set scheduling parameters of each queue on the outbound interface of the
Switch.

Procedure
Step 1 Configure a VLAN for each interface so that devices can communicate with each
other at the link layer.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 2 5 6
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 5 6
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type trunk
[Switch-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 5 6
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] port link-type trunk
[Switch-GigabitEthernet2/0/1] port trunk allow-pass vlan 2 5 6
[Switch-GigabitEthernet2/0/1] quit

Step 2 Configure priority mapping.


# Create a DiffServ domain ds1 to map 802.1p priorities 6, 5, 2 to PHBs of EF, AF3,
and AF1 and colors of green, yellow, and red respectively.
[Switch] diffserv domain ds1
[Switch-dsdomain-ds1] 8021p-inbound 6 phb ef green //Create a DiffServ domain to map 802.1p priorities of different service packets to PHBs so that packets enter different queues.
[Switch-dsdomain-ds1] 8021p-inbound 5 phb af3 yellow
[Switch-dsdomain-ds1] 8021p-inbound 2 phb af1 red
[Switch-dsdomain-ds1] quit

# Bind the DiffServ domain to GE2/0/1 of the Switch.


[Switch] interface gigabitethernet 2/0/1
[Switch-GigabitEthernet2/0/1] trust upstream ds1 //Apply the DiffServ domain to the interface.
[Switch-GigabitEthernet2/0/1] trust 8021p inner //Configure the interface to trust 802.1p priorities.
[Switch-GigabitEthernet2/0/1] quit

Step 3 Configure congestion avoidance.


# Create a WRED profile wred1 on the Switch and set scheduling parameters in
the WRED profile.
[Switch] drop-profile wred1
[Switch-drop-wred1] color green low-limit 80 high-limit 100 discard-percentage 10 //Configure a WRED drop profile, and set the upper and lower drop thresholds and maximum drop probability for green packets.
[Switch-drop-wred1] color yellow low-limit 60 high-limit 80 discard-percentage 20 //When the percentage of the yellow packet length to the queue length reaches 60%, the device starts to discard packets with the maximum drop probability of 20%. When the percentage of the yellow packet length to the queue length reaches 80%, the device discards all new packets.
[Switch-drop-wred1] color red low-limit 40 high-limit 60 discard-percentage 40
[Switch-drop-wred1] quit

# Apply the WRED profile wred1 to GE1/0/1 and GE1/0/2 on the Switch.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] qos wred wred1
[Switch-GigabitEthernet1/0/1] qos queue 5 wred wred1
[Switch-GigabitEthernet1/0/1] qos queue 3 wred wred1
[Switch-GigabitEthernet1/0/1] qos queue 1 wred wred1
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] qos wred wred1
[Switch-GigabitEthernet1/0/2] qos queue 5 wred wred1
[Switch-GigabitEthernet1/0/2] qos queue 3 wred wred1
[Switch-GigabitEthernet1/0/2] qos queue 1 wred wred1
[Switch-GigabitEthernet1/0/2] quit

Step 4 Configure congestion management.


# Set scheduling parameters of each queue on GE1/0/1 and GE1/0/2 of the
Switch.
The following commands apply only to modular (chassis) switches.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] qos pq 5 //Configure PQ scheduling for queue 5.
[Switch-GigabitEthernet1/0/1] qos drr 0 to 4 //Configure WDRR scheduling for queues 0 to 4.
[Switch-GigabitEthernet1/0/1] qos queue 3 drr weight 100 //Set the WDRR weight of queue 3 to 100.
[Switch-GigabitEthernet1/0/1] qos queue 1 drr weight 50 //Set the WDRR weight of queue 1 to 50. The device schedules packets in queue 1 and queue 3 according to the ratio of 1:2.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] qos pq 5
[Switch-GigabitEthernet1/0/2] qos drr 0 to 4
[Switch-GigabitEthernet1/0/2] qos queue 3 drr weight 100
[Switch-GigabitEthernet1/0/2] qos queue 1 drr weight 50
[Switch-GigabitEthernet1/0/2] quit

The following commands apply only to fixed (box) switches.


[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] qos drr //Configure WDRR on the interface. By default, WRR is used on an interface.
[Switch-GigabitEthernet1/0/1] qos queue 5 drr weight 0 //Set the WDRR weight of queue 5 to 0 and use PQ scheduling.
[Switch-GigabitEthernet1/0/1] qos queue 3 drr weight 100 //Set the WDRR weight of queue 3 to 100.
[Switch-GigabitEthernet1/0/1] qos queue 1 drr weight 50 //Set the WDRR weight of queue 1 to 50. The device schedules packets in queue 3 and queue 1 according to the ratio of 2:1.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] qos drr
[Switch-GigabitEthernet1/0/2] qos queue 5 drr weight 0
[Switch-GigabitEthernet1/0/2] qos queue 3 drr weight 100
[Switch-GigabitEthernet1/0/2] qos queue 1 drr weight 50
[Switch-GigabitEthernet1/0/2] quit

Step 5 Verify the configuration.


# Check the configuration of the DiffServ domain ds1.
[Switch] display diffserv domain name ds1
diffserv domain name:ds1
8021p-inbound 0 phb be green
8021p-inbound 1 phb af1 green
8021p-inbound 2 phb af1 red
8021p-inbound 3 phb af3 green
8021p-inbound 4 phb af4 green
8021p-inbound 5 phb af3 yellow
8021p-inbound 6 phb ef green
8021p-inbound 7 phb cs7 green
8021p-outbound be green map 0
......

# Check the WRED profile configuration.


[Switch] display drop-profile name wred1
Drop-profile[1]: wred1
Queue depth : default
Color Low-limit High-limit Discard-percentage
---------------------------------
Green 80 100 10
Yellow 60 80 20
Red 40 60 40
Non-tcp 100 100 100
-----------------------------------------------------------------

----End
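The drop profile wred1 from Step 3, evaluated offline by an added example that is not Huawei's code: it reports the drop probability each color sees at a given queue occupancy and sanity-checks the thresholds before the profile is applied. The thresholds and maximum drop probabilities are the page's (Table 3-157); the linear ramp between low-limit and high-limit is an assumption about WRED behaviour.

```python
from __future__ import annotations

from dataclasses import dataclass

# Added example, not Huawei's code. Assumption: between low-limit and high-limit
# the drop probability rises linearly from 0 to discard-percentage; at or above
# high-limit every new packet of that color is dropped (tail drop); below
# low-limit nothing is dropped.


@dataclass(frozen=True)
class ColorParams:
    low_limit: int           # % of queue length at which random dropping starts
    high_limit: int          # % of queue length at which all new packets are dropped
    discard_percentage: int  # maximum random drop probability (%) reached at high_limit


# drop-profile wred1 exactly as configured in Step 3
WRED1 = {
    "green":  ColorParams(80, 100, 10),   # voice (EF)
    "yellow": ColorParams(60, 80, 20),    # video (AF3)
    "red":    ColorParams(40, 60, 40),    # data (AF1)
}


def drop_probability(params: ColorParams, queue_fill_pct: float) -> float:
    """Drop probability (%) for one color at the given queue occupancy (%)."""
    if not 0 <= queue_fill_pct <= 100:
        raise ValueError("queue fill must be 0..100 %")
    if queue_fill_pct < params.low_limit:
        return 0.0
    if queue_fill_pct >= params.high_limit:
        return 100.0
    span = params.high_limit - params.low_limit
    return params.discard_percentage * (queue_fill_pct - params.low_limit) / span


def profile_at(profile: dict[str, ColorParams], queue_fill_pct: float) -> dict[str, float]:
    """Drop probability per color at one occupancy level."""
    return {color: drop_probability(p, queue_fill_pct) for color, p in profile.items()}


def validate_profile(profile: dict[str, ColorParams]) -> list[str]:
    """Checks a practitioner wants before applying a profile: thresholds in range,
    low-limit below high-limit, and red dropped no later than yellow, yellow no
    later than green (the priority order this example intends)."""
    problems = []
    for color, p in profile.items():
        if not (0 <= p.low_limit < p.high_limit <= 100):
            problems.append(f"{color}: need 0 <= low-limit < high-limit <= 100")
        if not 0 <= p.discard_percentage <= 100:
            problems.append(f"{color}: discard-percentage out of range")
    present = [c for c in ("red", "yellow", "green") if c in profile]
    for lower, higher in zip(present, present[1:]):
        if profile[lower].low_limit > profile[higher].low_limit:
            problems.append(f"{lower} starts dropping after {higher}; priority order is inverted")
    return problems


if __name__ == "__main__":
    print("profile problems:", validate_profile(WRED1) or "none")
    for fill in (30, 50, 70, 90, 100):
        print(f"queue {fill:3d}% full ->",
              {c: f"{p:.1f}%" for c, p in profile_at(WRED1, fill).items()})
```

At 70% occupancy the data (red) queue is already in tail drop while voice (green) is untouched, which is the protection of high-priority traffic the example sets out to achieve.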

Configuration Files
● Switch configuration file (modular switch)
#
sysname Switch
#
vlan batch 2 5 to 6
#
diffserv domain ds1
8021p-inbound 2 phb af1 red
8021p-inbound 5 phb af3 yellow
8021p-inbound 6 phb ef green
#
drop-profile wred1
color green low-limit 80 high-limit 100 discard-percentage 10
color yellow low-limit 60 high-limit 80 discard-percentage 20
color red low-limit 40 high-limit 60 discard-percentage 40
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 5 to 6
qos wred wred1
qos pq 5 to 7 drr 0 to 4
qos queue 1 drr weight 50
qos queue 3 drr weight 100
qos queue 1 wred wred1
qos queue 3 wred wred1
qos queue 5 wred wred1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 5 to 6
qos wred wred1
qos pq 5 to 7 drr 0 to 4
qos queue 1 drr weight 50
qos queue 3 drr weight 100
qos queue 1 wred wred1
qos queue 3 wred wred1
qos queue 5 wred wred1
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 2 5 to 6
trust upstream ds1
trust 8021p inner
#
return
● Switch configuration file (fixed switch)
#
sysname Switch
#
vlan batch 2 5 to 6
#
diffserv domain ds1
8021p-inbound 2 phb af1 red
8021p-inbound 5 phb af3 yellow
8021p-inbound 6 phb ef green
#
drop-profile wred1
color green low-limit 80 high-limit 100 discard-percentage 10
color yellow low-limit 60 high-limit 80 discard-percentage 20
color red low-limit 40 high-limit 60 discard-percentage 40
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 2 5 to 6
qos drr
qos queue 1 drr weight 50
qos queue 3 drr weight 100
qos queue 5 drr weight 0
qos wred wred1
qos queue 1 wred wred1
qos queue 3 wred wred1
qos queue 5 wred wred1
#
interface GigabitEthernet1/0/2
port link-type trunk
port trunk allow-pass vlan 2 5 to 6
qos drr
qos queue 1 drr weight 50
qos queue 3 drr weight 100
qos queue 5 drr weight 0
qos wred wred1
qos queue 1 wred wred1
qos queue 3 wred wred1
qos queue 5 wred wred1
#
interface GigabitEthernet2/0/1
port link-type trunk
port trunk allow-pass vlan 2 5 to 6
trust upstream ds1
trust 8021p inner
#
return

3.16.12 Example for Configuring a Traffic Policy to Prevent Some Users from Accessing the Internet at the Specified Time
Overview
Modular QoS Command-Line Interface (MQC) allows the device to classify traffic by type, providing the same service for packets of the same type and differentiated services for packets of different types. Filtering a specified type of packets can only be implemented through MQC.
When packets of a type are considered untrusted, MQC can be used to differentiate them from other packets and discard them. When packets of a type are considered trusted, MQC can be used to differentiate them from other packets and permit them to pass through. Compared with a blacklist, MQC-based packet filtering classifies packets in a more fine-grained manner and is more flexible to deploy.

Configuration Notes
● On fixed switches except the following switches in specified versions, if the
permit action is configured in the traffic behavior view, CPCAR may become
invalid:
– S5720-HI in V200R006C00 and later versions
– S5720-EI and S6720-EI in V200R008C00 and later versions
– S6720S-EI in V200R009C00 and later versions
– S5730-HI and S6720-HI in V200R012C00 and later versions
– S5731-H and S6730-H in V200R013C02 and later versions
– S5731-S, S5731S-S, S6730-S, S6730S-S, S5731S-H, and S5732-H in
V200R019C00 and later versions
– S6730S-H in V200R019C10 and later versions
● This example applies to the following products:
– S2752EI, S2710-SI, S2720-EI, S2750-EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-262, the company has two departments that belong to VLAN 10 and
VLAN 20, respectively. Servers are deployed in VLAN 10 to provide services for
internal and external users, and office services of employees are transmitted in
VLAN 20. The company requires that employees in VLAN 20 access only servers in
VLAN 10 during the working time (8:00 to 18:00).

Figure 3-262 Preventing employees from accessing the Internet at the specified
time

Device    Interface              VLAN                  Layer 3 Interface         IP Address
SwitchA   GigabitEthernet1/0/1   VLAN 10               -                         192.168.1.1/24
SwitchA   GigabitEthernet1/0/2   VLAN 20               -                         192.168.2.1/24
SwitchA   GigabitEthernet1/0/3   VLAN 10 and VLAN 20   -                         192.168.3.1/24
Switch    GigabitEthernet1/0/1   VLAN 10 and VLAN 20   VLANIF 10 and VLANIF 20   VLANIF 10: 192.168.1.1/24; VLANIF 20: 192.168.2.1/24
Switch    GigabitEthernet1/0/2   VLAN 30               VLANIF 30                 10.1.20.2/24
Switch    GigabitEthernet1/0/3   VLAN 40               VLANIF 40                 10.1.30.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol to implement
interworking between the company and external network.
2. On the Switch, configure a time range 8:00-18:00 from Monday to Friday so
that the device can control traffic based on the time range.
3. On the Switch, configure an ACL to match the traffic when employees in
VLAN 20 access servers in VLAN 10 based on the time range.
4. Configure a traffic classifier on the Switch to classify packets based on the
ACL.
5. Configure a traffic behavior on the Switch to permit matched traffic to pass
through.
6. Configure a traffic policy on the Switch, bind the traffic policy to the traffic
classifier and traffic behavior, and apply the traffic policy to the inbound
direction of GE1/0/1 connected to SwitchA so that employees in VLAN 20
cannot access the Internet during the working time and can access the
Internet during the non-working time.

Procedure
Step 1 Create VLANs and configure interfaces.
# Configure the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 40 //Create VLAN 10 to VLAN 40.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and VLAN 20.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access //Set the link type of the interface to access.
[Switch-GigabitEthernet1/0/2] port default vlan 30 //Add the interface to VLAN 30.
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port default vlan 40
[Switch-GigabitEthernet1/0/3] quit
[Switch] interface vlanif 10 //Create a VLANIF interface.
[Switch-Vlanif10] ip address 192.168.1.1 255.255.255.0 //Configure an IP address for the VLANIF interface. The IP address is the gateway address of network segment 192.168.1.0/24.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 255.255.255.0
[Switch-Vlanif20] quit
[Switch] interface vlanif 30 //Create a VLANIF interface.
[Switch-Vlanif30] ip address 10.1.20.2 255.255.255.0 //Configure an IP address for the VLANIF interface to connect to RouterA.
[Switch-Vlanif30] quit
[Switch] interface vlanif 40
[Switch-Vlanif40] ip address 10.1.30.2 255.255.255.0
[Switch-Vlanif40] quit
[Switch] ip route-static 0.0.0.0 0 10.1.20.1 //Configure a static route pointing to the external network to implement interworking, and configure load balancing.
[Switch] ip route-static 0.0.0.0 0 10.1.30.1

# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type access //Set the link type of the interface to access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN 10.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk //Set the link type of the interface to trunk.
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and VLAN 20.
[SwitchA-GigabitEthernet1/0/3] quit

# Configure the router.
Configure the IP address 10.1.20.1/24 for the interface of RouterA connected to the Switch.
Configure the IP address 10.1.30.1/24 for the interface of RouterB connected to the Switch.

Step 2 Configure a time range.

# Configure a time range 8:00-18:00 from Monday to Friday on the Switch.
[Switch] time-range worktime 8:00 to 18:00 working-day

Step 3 Configure an ACL.

# Configure an ACL on the Switch and define rules that permit and deny traffic.
[Switch] acl 3000
[Switch-acl-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 time-range worktime //Configure an ACL rule to permit users in VLAN 20 to access servers in VLAN 10 during the working time.
[Switch-acl-adv-3000] rule deny ip source 192.168.2.0 0.0.0.255 time-range worktime //Configure an ACL rule to prevent users in VLAN 20 from accessing the public network during the working time.
[Switch-acl-adv-3000] quit

Step 4 Configure a traffic classifier.

# Configure a traffic classifier on the Switch to classify packets based on the ACL.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match acl 3000
[Switch-classifier-c1] quit

Step 5 Configure a traffic behavior.


# Configure a traffic behavior on the Switch and define the permit action.
[Switch] traffic behavior b1
[Switch-behavior-b1] permit
[Switch-behavior-b1] quit

Step 6 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy on the Switch, bind the traffic behavior and traffic
classifier to the traffic policy, and apply the traffic policy to the inbound direction
of GE1/0/1 connected to SwitchA.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit

Step 7 Verify the configuration.


# Check the ACL configuration.
[Switch] display acl 3000
Advanced ACL 3000, 2 rules
Acl's step is 5
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 time-range worktime
(match-counter 0)(Active)
rule 10 deny ip source 192.168.2.0 0.0.0.255 time-range worktime (match-counter 0)(Active)

NOTE

If the time of the device is within the defined time range, the time range in the ACL rule is
displayed as Active; otherwise, the time range in the ACL rule is displayed as Inactive.

# Check the traffic policy configuration.


[Switch] display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Permit

# Employees in VLAN 20 cannot access the public network during the working
time, and can access servers in VLAN 10.

----End
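The forwarding decision that Steps 2 and 3 produce, checked offline by an added example that is not Huawei's code: it models ACL 3000 and the time range worktime and tells, for a source, destination and clock time, whether the packet is forwarded or discarded. Assumptions: a rule with a time range is only considered while the range is active (the Active/Inactive state the NOTE in Step 7 describes), the first matching rule wins, a packet matching a deny rule is discarded and a packet matching no active rule is forwarded normally; the sample addresses are constructed, with 203.0.113.0/24 (a documentation range) standing in for the Internet.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import IPv4Address
from typing import Optional, Union

# Added example, not Huawei's code: offline model of ACL 3000 + time-range
# worktime. Assumptions as stated in the lead-in; end time treated as exclusive.


@dataclass(frozen=True)
class TimeRange:
    start: time
    end: time                  # exclusive (assumption)
    weekdays: frozenset        # 0 = Monday ... 6 = Sunday

    def is_active(self, when: datetime) -> bool:
        return when.weekday() in self.weekdays and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                            # "permit" or "deny"
    source: str                            # "address wildcard" as typed on the CLI
    destination: Optional[str] = None      # None = any destination
    time_range: Optional[TimeRange] = None


def wildcard_match(addr: str, spec: str) -> bool:
    """Wildcard mask as used in the ACL rules: a 1 bit means 'do not care'."""
    base, wildcard = spec.split()
    care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(base)) & care)


# time-range worktime 8:00 to 18:00 working-day  (working-day = Monday to Friday)
WORKTIME = TimeRange(time(8, 0), time(18, 0), frozenset(range(5)))

# acl 3000, rules in the order Step 3 creates them
ACL_3000 = [
    Rule(5, "permit", "192.168.2.0 0.0.0.255", "192.168.1.0 0.0.0.255", WORKTIME),
    Rule(10, "deny", "192.168.2.0 0.0.0.255", None, WORKTIME),
]


def as_datetime(when: Union[datetime, str]) -> datetime:
    """Accept a datetime or an ISO timestamp such as '2022-10-26T12:00'."""
    return when if isinstance(when, datetime) else datetime.fromisoformat(when)


def acl_lookup(acl: list[Rule], src: str, dst: str, when: Union[datetime, str]) -> Optional[Rule]:
    """First active rule matching the packet, or None if no rule matches."""
    now = as_datetime(when)
    for rule in acl:
        if rule.time_range is not None and not rule.time_range.is_active(now):
            continue                                   # rule shows as Inactive
        if not wildcard_match(src, rule.source):
            continue
        if rule.destination is not None and not wildcard_match(dst, rule.destination):
            continue
        return rule
    return None


def forwarding_decision(acl: list[Rule], src: str, dst: str, when: Union[datetime, str]) -> str:
    """'discard' when a deny rule matches, otherwise 'forward'."""
    rule = acl_lookup(acl, src, dst, when)
    return "discard" if rule is not None and rule.action == "deny" else "forward"


if __name__ == "__main__":
    office_pc, server, internet = "192.168.2.10", "192.168.1.20", "203.0.113.5"
    # Wednesday noon, Wednesday evening, Saturday noon (constructed clock times)
    for when in ("2022-10-26T12:00", "2022-10-26T20:00", "2022-10-29T12:00"):
        print(when, "to server:", forwarding_decision(ACL_3000, office_pc, server, when),
              "| to Internet:", forwarding_decision(ACL_3000, office_pc, internet, when))
```

Because both rules are only active while the switch clock is inside the range, the policy is only as reliable as the device's time source.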

Configuration Files
● Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30 40
#
time-range worktime 08:00 to 18:00 working-day
#
acl number 3000
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255 time-range worktime
rule 10 deny ip source 192.168.2.0 0.0.0.255 time-range worktime
#
traffic classifier c1 operator and precedence 5
if-match acl 3000
#
traffic behavior b1
permit
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.20.2 255.255.255.0
#
interface Vlanif40
ip address 10.1.30.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
interface GigabitEthernet1/0/3
port link-type access
port default vlan 40
#
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1
ip route-static 0.0.0.0 0.0.0.0 10.1.30.1
#
return

● SwitchA configuration file


#
sysname SwitchA
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
#
return

3.16.13 Example for Configuring a Traffic Policy to Collect Statistics on Ping Packets
Overview
During network fault rectification, devices may fail to ping each other. You can
configure the device to collect statistics on ping packets to narrow the search
scope and locate fault points rapidly.
Ping packets are ICMP packets, so you can define ICMP in an advanced ACL to match ping packets. When a traffic policy is used to collect statistics on ping packets, an ACL classifies the packets and the traffic statistics action is defined for matched packets. The statistics help locate the fault:
● If the numbers of received and forwarded ping packets on a device are the same, the device forwards ping packets normally and no packet loss occurs on it. If the number of received ping packets is larger than the number of forwarded ping packets, packet loss occurs on the device.
● If the number of ping packets sent by the remote end is equal to the number of ping packets received on an interface, ping packets are forwarded normally and no packet loss occurs on the link of the interface. If the number of sent ping packets is larger than the number of received ping packets on the interface, packet loss occurs on the link of the interface. In this case, the remote device needs to be configured to collect packet statistics for fault location.

Configuration Notes
● This example applies to the following products:
– S2752EI, S2710-SI, S2720-EI, S2750-EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-
LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-
SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S,
S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300,
S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S,
S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-263, the PC cannot access the server. The device that the data flows pass through needs to be configured to collect statistics on ping packets so that the fault point can be located.

Figure 3-263 Configuring a traffic policy to collect statistics on ping packets

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs and configure interfaces to ensure network connectivity.
2. Configure ACLs to match ICMP packets exchanged between the PC and server.
3. Configure traffic classifiers to classify packets based on the ACLs.
4. Configure traffic behaviors and define the traffic statistics action.
5. Configure traffic policies, bind the traffic classifiers and traffic behaviors to
the traffic policies, and apply the traffic policies to inbound and outbound
directions of GE1/0/1 and GE1/0/2 of the Switch.

Procedure
Step 1 Create VLANs and configure interfaces.

# Configure the Switch.


<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan 10 //Create VLAN 10.
[Switch-vlan10] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //Set the link type of the interface to access.
[Switch-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN 10.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 10
[Switch-GigabitEthernet1/0/2] quit

# Configure the PC's gateway address 10.1.1.2/24 for the interface of the router
connected to the Switch, and configure the IP address 10.1.2.1/24 for the interface
of the router connected to the server.

Step 2 Configure ACLs.

# Configure ACL rules on the Switch to match ICMP packets exchanged between
the PC and server.
[Switch] acl 3001
[Switch-acl-adv-3001] rule permit icmp source 10.1.1.1 0 destination 10.1.2.10 0 //Configure an ACL rule to permit packets from the PC to the server.
[Switch-acl-adv-3001] quit
[Switch] acl 3002
[Switch-acl-adv-3002] rule permit icmp source 10.1.2.10 0 destination 10.1.1.1 0 //Configure an ACL rule to permit packets from the server to the PC.
[Switch-acl-adv-3002] quit

Step 3 Configure traffic classifiers.

# Configure traffic classifiers on the Switch to classify packets based on the ACL.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match acl 3001
[Switch-classifier-c1] quit
[Switch] traffic classifier c2 operator and
[Switch-classifier-c2] if-match acl 3002
[Switch-classifier-c2] quit

Step 4 Configure traffic behaviors.

# Configure traffic behaviors on the Switch and define the traffic statistics action
in the traffic behaviors.
[Switch] traffic behavior b1
[Switch-behavior-b1] statistic enable
[Switch-behavior-b1] quit
[Switch] traffic behavior b2
[Switch-behavior-b2] statistic enable
[Switch-behavior-b2] quit

Step 5 Configure traffic policies and apply the traffic policies to interfaces.

# Create traffic policies p1 and p2 on the Switch, bind the traffic behaviors and
traffic classifiers to the traffic policies, apply the traffic policy p1 to the inbound
direction of GE1/0/1 and outbound direction of GE1/0/2, and apply the traffic
policy p2 to the outbound direction of GE1/0/1 and inbound direction of GE1/0/2.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] traffic policy p2
[Switch-trafficpolicy-p2] classifier c2 behavior b2
[Switch-trafficpolicy-p2] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] traffic-policy p2 outbound
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] traffic-policy p1 outbound
[Switch-GigabitEthernet1/0/2] traffic-policy p2 inbound
[Switch-GigabitEthernet1/0/2] quit

Step 6 Verify the configuration.

# Check the ACL configuration on the Switch.


[Switch] display acl all
Total nonempty ACL number is 2

Advanced ACL 3001, 1 rule


Acl's step is 5
rule 5 permit icmp source 10.1.1.1 0 destination 10.1.2.10 0 (match-counter 0)

Advanced ACL 3002, 1 rule


Acl's step is 5
rule 5 permit icmp source 10.1.2.10 0 destination 10.1.1.1 0 (match-counter 0)

NOTE

In V200R009 and later versions, (match-counter 0) is not displayed in the display acl
command output.


# Check the traffic policy configuration on the Switch.


[Switch] display traffic policy user-defined
User Defined Traffic Policy Information:
Policy: p2
Classifier: c2
Operator: AND
Behavior: b2
Permit
Statistic: enable

Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Permit
Statistic: enable

Total policy number is 2

# Ping the server from the PC and check the traffic statistics in the inbound and
outbound directions of GE1/0/1 and GE1/0/2 on the Switch. Here, check the traffic
statistics in the inbound direction of GE1/0/1.
[Switch] display traffic policy statistics interface gigabitethernet 1/0/1 inbound

Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
Car | Packets: 0
| Bytes: 0
---------------------------------------------------------------------

Matched indicates the numbers of packets and bytes matching the traffic
classifier, and Passed indicates the numbers of forwarded packets and bytes
matching the traffic classifier. The following table describes the traffic statistics.


Traffic Statistics on GigabitEthernet1/0/1: display traffic policy statistics interface gigabitethernet 1/0/1 inbound
Traffic Statistics on GigabitEthernet1/0/2: display traffic policy statistics interface gigabitethernet 1/0/2 outbound
Description:
● If the statistics are 0, ping request packets do not reach the Switch.
● If the statistics are consistent and are not 0, ping request packets are forwarded normally.
● If the statistics in the inbound direction of GigabitEthernet1/0/1 are more than the statistics in the outbound direction of GigabitEthernet1/0/2, ping request packets are discarded on the Switch and the Switch is the fault point.

Traffic Statistics on GigabitEthernet1/0/1: display traffic policy statistics interface gigabitethernet 1/0/1 outbound
Traffic Statistics on GigabitEthernet1/0/2: display traffic policy statistics interface gigabitethernet 1/0/2 inbound
Description:
● If the statistics are 0, ping response packets do not reach the Switch.
● If the statistics are consistent and are not 0, ping response packets are forwarded normally.
● If the statistics in the inbound direction of GigabitEthernet1/0/2 are more than the statistics in the outbound direction of GigabitEthernet1/0/1, ping response packets are discarded on the Switch and the Switch is the fault point.
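The following is an added example, not part of the Huawei guide: it parses the output of display traffic policy statistics and applies the rules in the table above to one direction of the ping test. The sample outputs and their counter values are constructed; comparing the Matched packet counters of the entry and exit interfaces is an assumption made here.

```python
"""Parse 'display traffic policy statistics' output and apply the ping
fault-localization rules from the table above. Added example, not from the
Huawei guide; the sample outputs below are constructed, not captured."""
import re
from typing import Dict, Optional

Counters = Dict[str, Dict[str, int]]

# Constructed sample: 10 ping requests from the PC matched on GE1/0/1 inbound.
SAMPLE_GE1_0_1_INBOUND = """\
Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 10
        | Bytes: 740
        | Rate(pps): 0
        | Rate(bps): 0
---------------------------------------------------------------------
Passed | Packets: 10
       | Bytes: 740
       | Rate(pps): 0
       | Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
        | Bytes: 0
        | Rate(pps): 0
        | Rate(bps): 0
---------------------------------------------------------------------
Filter | Packets: 0
       | Bytes: 0
---------------------------------------------------------------------
Car | Packets: 0
    | Bytes: 0
---------------------------------------------------------------------
"""

# Constructed sample, abbreviated to the first counter block: only 7 of the
# 10 requests were counted leaving GE1/0/2 outbound.
SAMPLE_GE1_0_2_OUTBOUND = """\
Interface: GigabitEthernet1/0/2
Traffic policy outbound: p1
---------------------------------------------------------------------
Matched | Packets: 7
        | Bytes: 518
"""

# One counter row: optional section name, a pipe, field name, integer value.
ROW_RE = re.compile(r"^\s*(\w*)\s*\|\s*([\w()]+):\s*(\d+)\s*$")


def parse_traffic_policy_statistics(text: str) -> Counters:
    """Return {"Matched": {"Packets": 10, "Bytes": 740, ...}, "Passed": ...}.
    A row with a blank first column continues the previous section."""
    counters: Counters = {}
    section: Optional[str] = None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header lines, 'Board : 1' and dashed separators
        name, field, value = m.groups()
        if name:
            section = name
        if section is None:
            raise ValueError("counter row before any section name: %r" % line)
        counters.setdefault(section, {})[field] = int(value)
    return counters


def locate_ping_fault(entry: Counters, exit_: Counters) -> str:
    """Apply the table's rules to one direction of the ping test.

    entry: statistics where the packets enter the Switch (GE1/0/1 inbound
    for ping requests); exit_: where they leave (GE1/0/2 outbound).
    Assumption: the Matched packet counters are compared, since Matched
    counts every packet that hit the traffic classifier."""
    entered = entry.get("Matched", {}).get("Packets", 0)
    left = exit_.get("Matched", {}).get("Packets", 0)
    if entered == 0:
        return "packets do not reach the Switch"
    if entered == left:
        return "packets are forwarded normally"
    if entered > left:
        return "packets are discarded on the Switch; the Switch is the fault point"
    return "inconclusive: more packets left than entered (not covered by the table)"


if __name__ == "__main__":
    inbound = parse_traffic_policy_statistics(SAMPLE_GE1_0_1_INBOUND)
    outbound = parse_traffic_policy_statistics(SAMPLE_GE1_0_2_OUTBOUND)
    print(inbound["Matched"], outbound["Matched"])
    print("ping requests:", locate_ping_fault(inbound, outbound))
```

Run the same function with the GE1/0/1 outbound and GE1/0/2 inbound outputs swapped in to check the ping response direction.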

----End

Configuration Files
Switch configuration file


#
sysname Switch
#
vlan batch 10
#
acl number 3001
rule 5 permit icmp source 10.1.1.1 0 destination 10.1.2.10 0
acl number 3002
rule 5 permit icmp source 10.1.2.10 0 destination 10.1.1.1 0
#
traffic classifier c1 operator and precedence 5
if-match acl 3001
traffic classifier c2 operator and precedence 10
if-match acl 3002
#
traffic behavior b1
permit
statistic enable
traffic behavior b2
permit
statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
traffic policy p2 match-order config
classifier c2 behavior b2
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
traffic-policy p1 inbound
traffic-policy p2 outbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 10
traffic-policy p2 inbound
traffic-policy p1 outbound
#
return

3.16.14 Example for Configuring a Traffic Policy to Implement Traffic Statistics

Overview
After MQC is used to implement traffic statistics, the device collects statistics on
packets and bytes of packets matching traffic classification rules. The statistics on
forwarded and discarded packets after a traffic policy is applied help you check
whether the traffic policy is correctly applied and locate faults.
Interface-based traffic statistics in the inbound and outbound directions can be
configured simultaneously or separately. The device collects traffic statistics in the
inbound and outbound directions separately.

Configuration Notes
● This example applies to the following products:
– S2752EI, S2710-SI, S2720-EI, S2750-EI
– S3700-SI, S3700-EI, S3700-HI
– S5700-LI, S5700S-LI, S5700-SI, S5700-EI, S5700-HI, S5710-C-LI, S5710-X-LI, S5710-EI, S5710-HI, S5720-LI, S5720S-LI, S5720-SI, S5720S-SI, S5720I-SI, S5720-EI, S5720-HI, S5730-HI, S5730-SI, S5730S-EI, S5731-H, S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I, S5735S-H, S5736-S
– S6700-EI, S6720-LI, S6720S-LI, S6720-SI, S6720S-SI, S6720-EI, S6720S-EI,
S6720-HI, S6730-H, S6730-S, S6730S-S, S6730S-H
– S7703, S7706, S7712, S7703 PoE, S7706 PoE, S9703, S9706, S9712
● For the product models whose applicable versions are not listed above, see
Table 3-1 in "Applicable Products and Versions" for details.
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-264, the company has two departments, belonging to VLAN 10 and
VLAN 20, respectively. The network administrator wants to determine whether the
host at 192.168.2.200/24 in VLAN 20 can access the server at 192.168.1.100/24 in
VLAN 10.

Figure 3-264 Configuring a traffic policy to implement traffic statistics

Device   Interface             VLAN                 Layer 3 Interface        IP Address
SwitchA  GigabitEthernet1/0/1  VLAN 10              -                        -
SwitchA  GigabitEthernet1/0/2  VLAN 20              -                        -
SwitchA  GigabitEthernet1/0/3  VLAN 10 and VLAN 20  -                        -
Switch   GigabitEthernet1/0/1  VLAN 10 and VLAN 20  VLANIF 10 and VLANIF 20  VLANIF 10: 192.168.1.1/24; VLANIF 20: 192.168.2.1/24
Switch   GigabitEthernet1/0/2  VLAN 30              VLANIF 30                10.1.20.2/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol to implement
interworking.
2. Configure an ACL on the Switch to match specified traffic.
3. Configure a traffic classifier on the Switch to classify packets based on the
ACL.
4. Configure a traffic behavior on the Switch to collect statistics on matched
packets.
5. Configure a traffic policy on the Switch, bind the traffic policy to the traffic
classifier and traffic behavior, and apply the traffic policy to GE1/0/1
connected to SwitchA in the inbound direction.

Procedure
Step 1 Create VLANs and configure interfaces.
# Configure the switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 //Create VLAN 10, VLAN 20, and VLAN 30.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type trunk //Set the link type of the interface to trunk.
[Switch-GigabitEthernet1/0/1] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and
VLAN 20.
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access //Set the link type of the interface to access.
[Switch-GigabitEthernet1/0/2] port default vlan 30 //Add the interface to VLAN 30.
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface vlanif 10 //Create a VLANIF interface.
[Switch-Vlanif10] ip address 192.168.1.1 255.255.255.0 //Configure an IP address for the VLANIF
interface. The IP address is the gateway address of network segment 192.168.1.0/24.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 192.168.2.1 255.255.255.0
[Switch-Vlanif20] quit
[Switch] interface vlanif 30 //Create a VLANIF interface.
[Switch-Vlanif30] ip address 10.1.20.2 255.255.255.0 //Configure an IP address for the VLANIF interface to
connect to the router.
[Switch-Vlanif30] quit
[Switch] ip route-static 0.0.0.0 0 10.1.20.1 //Configure a static route pointing to the external network to
implement interworking.

# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 10 20 //Create VLAN 10 and VLAN 20.
[SwitchA] interface gigabitethernet 1/0/1


[SwitchA-GigabitEthernet1/0/1] port link-type access //Set the link type of the interface to access.
[SwitchA-GigabitEthernet1/0/1] port default vlan 10 //Add the interface to VLAN 10.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access
[SwitchA-GigabitEthernet1/0/2] port default vlan 20
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk //Set the link type of the interface to trunk.
[SwitchA-GigabitEthernet1/0/3] port trunk allow-pass vlan 10 20 //Add the interface to VLAN 10 and
VLAN 20.
[SwitchA-GigabitEthernet1/0/3] quit

# Configure the router.


Configure the IP address of 10.1.20.1/24 for the interface of the router connected
to the switch.
Step 2 Configure an ACL.
# Configure an ACL rule on the Switch to match traffic with the source IP address
of 192.168.2.200 and destination IP address of 192.168.1.100.
[Switch] acl 3000
[Switch-acl-adv-3000] rule permit ip source 192.168.2.200 0.0.0.0 destination 192.168.1.100 0.0.0.0
[Switch-acl-adv-3000] quit

Step 3 Configure a traffic classifier.


# Configure a traffic classifier on the Switch to classify packets based on the ACL.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match acl 3000
[Switch-classifier-c1] quit

Step 4 Configure a traffic behavior.


# Configure a traffic behavior on the Switch and define the traffic statistics action
in the traffic behavior.
[Switch] traffic behavior b1
[Switch-behavior-b1] statistic enable
[Switch-behavior-b1] quit

Step 5 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy on the Switch, bind the traffic behavior and traffic
classifier to the traffic policy, and apply the traffic policy to the inbound direction
of GE1/0/1 connected to SwitchA.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy p1 inbound
[Switch-GigabitEthernet1/0/1] quit

Step 6 Verify the configuration.


# Check the ACL configuration.
[Switch] display acl 3000
Advanced ACL 3000, 1 rule
Acl's step is 5
rule 5 permit ip source 192.168.2.200 0 destination 192.168.1.100 0 (match-counter 0)

# Check the traffic policy configuration.


[Switch] display traffic policy user-defined p1


User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Permit
Statistic: enable

# Check the traffic statistics.


[Switch] display traffic policy statistics interface gigabitethernet 1/0/1 inbound

Interface: GigabitEthernet1/0/1
Traffic policy inbound: p1
Rule number: 1
Current status: success
Statistics interval: 300
---------------------------------------------------------------------
Board : 1
---------------------------------------------------------------------
Matched | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
Car | Packets: 0
| Bytes: 0
---------------------------------------------------------------------

Matched indicates the numbers of packets and bytes matching the traffic
classifier, and Passed indicates the numbers of forwarded packets and bytes
matching the traffic classifier. If the values of Matched and Passed are not 0, the
host at 192.168.2.200 in VLAN 20 has accessed the server at 192.168.1.100 in
VLAN 10.

----End

Configuration Files
● Switch configuration file
#
sysname Switch
#
vlan batch 10 20 30
#
acl number 3000
rule 5 permit ip source 192.168.2.200 0 destination 192.168.1.100 0
#
traffic classifier c1 operator and precedence 5
if-match acl 3000
#
traffic behavior b1
permit


statistic enable
#
traffic policy p1 match-order config
classifier c1 behavior b1
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.20.2 255.255.255.0
#
interface GigabitEthernet1/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
traffic-policy p1 inbound
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 30
#
ip route-static 0.0.0.0 0.0.0.0 10.1.20.1
#
return

● SwitchA configuration file


#
sysname SwitchA
#
vlan batch 10 20
#
interface GigabitEthernet1/0/1
port link-type access
port default vlan 10
#
interface GigabitEthernet1/0/2
port link-type access
port default vlan 20
#
interface GigabitEthernet1/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
#
return

3.16.15 Example for Limiting Access Based on the Flow ID

Overview
When the same traffic classification rules need to be configured and the same
action needs to be taken for packets that match the traffic classification rules on
different interfaces or in different VLANs, to save ACL resources, configure the
device to classify packets based on ACL rules, to re-mark the flow ID of each type
of packets, and then to classify packets based on the flow ID and to process
packets matching the same flow ID in the same manner.

Assume that M ACLs are configured on the device to distinguish services, and each ACL contains N ACL rules. Traffic classifiers classify packets based on the ACL rules, and the traffic policy containing these classifiers is applied to X interfaces. If flow ID re-marking and flow-ID-based matching are not configured, applying the traffic policy occupies M*N*X ACL resources. If flow ID re-marking and flow-ID-based matching are configured, applying the traffic policy occupies only M*(N+X) ACL resources.
In this example, the device is configured to re-mark flow IDs of packets matching
ACL rules, to classify packets based on flow IDs, and to permit or deny packets
matching rules to limit the access.

Configuration Notes
● This example applies to the following products and versions:
– S5720-EI: V200R008C00 and later versions
– S5720-HI, S5730-HI, S5731-H, S6720-HI, S6730-H: V200R019C00 and
later versions
– S5731-S, S5731S-S, S5731S-H, S5732-H, S2730S-S, S5735-L-I, S5735-L1, S300, S5735-L, S5735S-L, S5735S-L1, S5735S-L-M, S5735-S, S500, S5735S-S, S5735-S-I: For the applicable versions, see Table 3-1 in the section "Applicable Products and Versions."
– S6720-EI, S6720S-EI, S6730-S, S6730S-S, S6730S-H: For the applicable
versions, see Table 3-1 in the section "Applicable Products and Versions."
– S7703, S7706, S7712, S9703, S9706, S9712: V200R008C00 and later
versions
– S7703 PoE, S7706 PoE: For the applicable versions, see Table 3-1 in the
section "Applicable Products and Versions."
NOTE

To view detailed information about software mappings, visit Info-Finder, select a product
series or product model, and click Hardware Center.

Networking Requirements
In Figure 3-265, the Switch connects to SwitchA, and SwitchA connects to the
router. Guests can connect to the enterprise network in guest areas of office
buildings 1, 2, and 3. Guests can access the public file server and the Internet, but
cannot access the confidential file server or the financial department server.


Figure 3-265 Networking of traffic policing

Device   Interface             VLAN     Layer 3 Interface  IP Address
Switch   GigabitEthernet1/0/1  VLAN 10  VLANIF 10          10.1.1.1/24
Switch   GigabitEthernet1/0/2  VLAN 20  VLANIF 20          10.1.2.1/24
Switch   GigabitEthernet1/0/3  VLAN 30  VLANIF 30          10.1.3.1/24
Switch   GigabitEthernet1/0/4  VLAN 40  VLANIF 40          10.1.4.1/24
SwitchA  GigabitEthernet1/0/1  VLAN 40  VLANIF 40          10.1.4.2/24
SwitchA  GigabitEthernet1/0/2  VLAN 50  VLANIF 50          10.1.5.1/24
SwitchA  GigabitEthernet1/0/3  VLAN 60  VLANIF 60          10.1.6.1/24
SwitchA  GigabitEthernet1/0/4  VLAN 70  VLANIF 70          10.1.7.1/24
SwitchA  GigabitEthernet1/0/5  VLAN 80  VLANIF 80          10.1.8.1/24

Configuration Roadmap
The configuration roadmap is as follows:
1. Create VLANs, and configure interfaces and a routing protocol so that the
enterprise can access the Internet.
2. Configure ACLs on the Switch to match packets from guest areas.
3. Configure traffic classifiers on the Switch to classify packets based on ACLs.
4. Configure traffic behaviors on the Switch to re-mark flow IDs of packets
matching ACLs.
5. Configure a traffic policy that contains flow ID re-marking on the Switch, bind
the traffic behaviors and traffic classifiers to the traffic policy, and apply the
traffic policy to the Switch globally in the inbound direction.
6. Configure traffic classifiers on the Switch to classify packets from guest areas
based on flow IDs.
7. Configure traffic behaviors on the Switch to permit or reject packets from
guest areas to implement access control.
8. Configure a traffic policy for access control on the Switch, bind the traffic
behaviors and traffic classifiers to the traffic policy, and apply the traffic policy
to the interfaces on the Switch connected to guest areas in the inbound
direction.
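The following is an added example, not part of the Huawei guide: a model of the two-stage classification this roadmap describes, using the ACLs, flow IDs and permit/deny actions configured in Steps 2 to 8 of this example, plus the M*N*X versus M*(N+X) ACL resource figures from the Overview. The sample packets are constructed, and the treatment of packets that match no classifier is an assumption.

```python
"""Model of the two-stage classification in this section: the global
inbound policy flow-id matches packets against ACL rules and re-marks a
flow ID, and the policy on the guest-area interfaces matches only the flow
ID to permit or deny. Added example, not from the Huawei guide; the ACLs,
flow IDs and actions are the ones configured in Steps 2 to 8, the sample
packets are constructed."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, NamedTuple, Optional


class Packet(NamedTuple):
    src: str
    dst: str
    proto: str
    dport: int


class AclRule(NamedTuple):
    proto: str
    dst_net: Optional[IPv4Network]  # None: any destination (access-internet)
    dport: Optional[int]            # None: any destination port

    def matches(self, pkt: Packet) -> bool:
        return (self.proto == pkt.proto
                and (self.dst_net is None or IPv4Address(pkt.dst) in self.dst_net)
                and (self.dport is None or self.dport == pkt.dport))


# Step 2: ACL rules in configured order. 'permit' in an ACL used by MQC
# means 'match'; the drop decision is made by the traffic behavior.
ACLS: Dict[str, List[AclRule]] = {
    "non-access-file": [AclRule("tcp", IPv4Network("10.1.5.0/24"), 20),
                        AclRule("tcp", IPv4Network("10.1.5.0/24"), 21)],
    "non-access-finance": [AclRule("tcp", IPv4Network("10.1.7.0/24"), 20),
                           AclRule("tcp", IPv4Network("10.1.7.0/24"), 21)],
    "access-file": [AclRule("tcp", IPv4Network("10.1.6.0/24"), 20),
                    AclRule("tcp", IPv4Network("10.1.6.0/24"), 21)],
    "access-internet": [AclRule("tcp", None, 80)],
}

# Steps 3 to 5: policy flow-id (match-order config), applied globally
# inbound: classifier -> 'remark flow-id N', in binding order.
FLOW_ID_POLICY = [("non-access-file", 1), ("non-access-finance", 2),
                  ("access-file", 3), ("access-internet", 4)]

# Steps 6 to 8: policy access_policy on GE1/0/1 to GE1/0/3 inbound:
# classifier flow-idN -> deny or permit.
ACCESS_POLICY = {1: "deny", 2: "deny", 3: "permit", 4: "permit"}


def remark_flow_id(pkt: Packet) -> Optional[int]:
    """Stage 1: the first classifier whose ACL matches sets the flow ID."""
    for acl_name, flow_id in FLOW_ID_POLICY:
        if any(rule.matches(pkt) for rule in ACLS[acl_name]):
            return flow_id
    return None


def access_decision(pkt: Packet) -> str:
    """Stage 2: look the re-marked flow ID up in access_policy."""
    flow_id = remark_flow_id(pkt)
    if flow_id is None:
        # Assumption: a packet matching no classifier of either policy is
        # forwarded unchanged, since no traffic behavior applies to it.
        return "forward (no match)"
    return ACCESS_POLICY[flow_id]


def acl_resources(m: int, n: int, x: int) -> Dict[str, int]:
    """ACL resource usage from the Overview for M ACLs of N rules applied to
    X interfaces: M*N*X without flow IDs, M*(N+X) with them."""
    return {"without_flow_id": m * n * x, "with_flow_id": m * (n + x)}


if __name__ == "__main__":
    # Constructed guest packets from the office building 1 area (VLAN 10).
    samples = [
        Packet("10.1.1.10", "10.1.5.20", "tcp", 21),     # confidential server, FTP
        Packet("10.1.1.10", "10.1.7.20", "tcp", 20),     # finance server, FTP data
        Packet("10.1.1.10", "10.1.6.20", "tcp", 21),     # public file server, FTP
        Packet("10.1.1.10", "203.0.113.10", "tcp", 80),  # Internet, HTTP
        Packet("10.1.1.10", "10.1.5.20", "tcp", 80),     # confidential server, HTTP
    ]
    for pkt in samples:
        print(pkt.dst, pkt.dport, "->", remark_flow_id(pkt), access_decision(pkt))
    print(acl_resources(m=4, n=2, x=3))
```

The last sample packet shows that the ACLs in Step 2 classify only FTP (ports 20 and 21) towards the file servers, so TCP port 80 to the confidential file server is re-marked by access-internet and permitted; a deployment that must block all guest access to that server needs to extend the non-access-file ACL accordingly.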

Procedure
Step 1 Create VLANs, and configure interfaces and a routing protocol (the static route is
used here).
# Configure the Switch.
<HUAWEI> system-view
[HUAWEI] sysname Switch
[Switch] vlan batch 10 20 30 40 //Create VLAN 10 to VLAN 40.
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port link-type access //Configure the interface as an access interface.
[Switch-GigabitEthernet1/0/1] port default vlan 10
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] port link-type access
[Switch-GigabitEthernet1/0/2] port default vlan 20
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] port link-type access
[Switch-GigabitEthernet1/0/3] port default vlan 30
[Switch-GigabitEthernet1/0/3] quit
[Switch] interface gigabitethernet 1/0/4
[Switch-GigabitEthernet1/0/4] port link-type trunk //Configure the interface as a trunk interface.
[Switch-GigabitEthernet1/0/4] port trunk allow-pass vlan 10 20 30 40
[Switch-GigabitEthernet1/0/4] quit
[Switch] interface vlanif 10 //Create a VLANIF interface.


[Switch-Vlanif10] ip address 10.1.1.1 255.255.255.0 //Configure an IP address for the VLANIF interface.
[Switch-Vlanif10] quit
[Switch] interface vlanif 20
[Switch-Vlanif20] ip address 10.1.2.1 255.255.255.0
[Switch-Vlanif20] quit
[Switch] interface vlanif 30
[Switch-Vlanif30] ip address 10.1.3.1 255.255.255.0
[Switch-Vlanif30] quit
[Switch] interface vlanif 40
[Switch-Vlanif40] ip address 10.1.4.1 255.255.255.0
[Switch-Vlanif40] quit
[Switch] ip route-static 10.1.5.0 255.255.255.0 10.1.4.2 //Configure a static route.
[Switch] ip route-static 10.1.6.0 255.255.255.0 10.1.4.2
[Switch] ip route-static 10.1.7.0 255.255.255.0 10.1.4.2
[Switch] ip route-static 10.1.8.0 255.255.255.0 10.1.4.2

# Configure SwitchA.
<HUAWEI> system-view
[HUAWEI] sysname SwitchA
[SwitchA] vlan batch 40 50 60 70 80 //Create VLAN 40 to VLAN 80.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk //Configure the interface as a trunk interface.
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 40 50 60 70 80
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type access //Configure the interface as an access interface.
[SwitchA-GigabitEthernet1/0/2] port default vlan 50
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type access
[SwitchA-GigabitEthernet1/0/3] port default vlan 60
[SwitchA-GigabitEthernet1/0/3] quit
[SwitchA] interface gigabitethernet 1/0/4
[SwitchA-GigabitEthernet1/0/4] port link-type access
[SwitchA-GigabitEthernet1/0/4] port default vlan 70
[SwitchA-GigabitEthernet1/0/4] quit
[SwitchA] interface gigabitethernet 1/0/5
[SwitchA-GigabitEthernet1/0/5] port link-type access
[SwitchA-GigabitEthernet1/0/5] port default vlan 80
[SwitchA-GigabitEthernet1/0/5] quit
[SwitchA] interface vlanif 40 //Create a VLANIF interface.
[SwitchA-Vlanif40] ip address 10.1.4.2 255.255.255.0 //Configure an IP address for the VLANIF interface.
[SwitchA-Vlanif40] quit
[SwitchA] interface vlanif 50
[SwitchA-Vlanif50] ip address 10.1.5.1 255.255.255.0
[SwitchA-Vlanif50] quit
[SwitchA] interface vlanif 60
[SwitchA-Vlanif60] ip address 10.1.6.1 255.255.255.0
[SwitchA-Vlanif60] quit
[SwitchA] interface vlanif 70
[SwitchA-Vlanif70] ip address 10.1.7.1 255.255.255.0
[SwitchA-Vlanif70] quit
[SwitchA] interface vlanif 80
[SwitchA-Vlanif80] ip address 10.1.8.1 255.255.255.0
[SwitchA-Vlanif80] quit
[SwitchA] ip route-static 10.1.1.0 255.255.255.0 10.1.4.1 //Configure a static route.
[SwitchA] ip route-static 10.1.2.0 255.255.255.0 10.1.4.1
[SwitchA] ip route-static 10.1.3.0 255.255.255.0 10.1.4.1

Step 2 Configure ACLs.


# Configure an ACL rule to match packets sent from the guest area to the
confidential file server.
[Switch] acl name non-access-file
[Switch-acl-adv-non-access-file] rule permit tcp destination 10.1.5.0 0.0.0.255 destination-port eq 20 //Configure a rule to permit FTP data packets sent from the guest area to the confidential file server.
[Switch-acl-adv-non-access-file] rule permit tcp destination 10.1.5.0 0.0.0.255 destination-port eq 21 //Configure a rule to permit FTP protocol packets sent from the guest area to the confidential file server.
[Switch-acl-adv-non-access-file] quit


# Configure an ACL rule to match packets sent from the guest area to the
financial department server.
[Switch] acl name non-access-finance
[Switch-acl-adv-non-access-finance] rule permit tcp destination 10.1.7.0 0.0.0.255 destination-port eq 20 //Configure a rule to permit FTP data packets sent from the guest area to the financial department server.
[Switch-acl-adv-non-access-finance] rule permit tcp destination 10.1.7.0 0.0.0.255 destination-port eq 21 //Configure a rule to permit FTP protocol packets sent from the guest area to the financial department server.
[Switch-acl-adv-non-access-finance] quit

# Configure an ACL rule to match packets sent from the guest area to the public
file server.
[Switch] acl name access-file
[Switch-acl-adv-access-file] rule permit tcp destination 10.1.6.0 0.0.0.255 destination-port eq 20 //Configure a rule to permit FTP data packets sent from the guest area to the public file server.
[Switch-acl-adv-access-file] rule permit tcp destination 10.1.6.0 0.0.0.255 destination-port eq 21 //Configure a rule to permit FTP protocol packets sent from the guest area to the public file server.
[Switch-acl-adv-access-file] quit

# Configure an ACL rule to match packets sent from the guest area to the
external network.
[Switch] acl name access-internet
[Switch-acl-adv-access-internet] rule permit tcp destination-port eq 80
[Switch-acl-adv-access-internet] quit

Step 3 Configure traffic classifiers.


# Configure traffic classifiers on the Switch to classify packets from guest areas
based on ACLs.
[Switch] traffic classifier non-access-file operator and
[Switch-classifier-non-access-file] if-match acl non-access-file //Configure the device to match packets
sent from the guest area to the confidential file server.
[Switch-classifier-non-access-file] quit
[Switch] traffic classifier non-access-finance operator and
[Switch-classifier-non-access-finance] if-match acl non-access-finance //Configure the device to match
packets sent from the guest area to the financial department server.
[Switch-classifier-non-access-finance] quit
[Switch] traffic classifier access-file operator and
[Switch-classifier-access-file] if-match acl access-file //Configure the device to match packets sent from
the guest area to the public file server.
[Switch-classifier-access-file] quit
[Switch] traffic classifier access-internet operator and
[Switch-classifier-access-internet] if-match acl access-internet //Configure the device to match packets
sent from the guest area to the external network.
[Switch-classifier-access-internet] quit

Step 4 Configure traffic behaviors.


# Create traffic behaviors on the Switch to re-mark flow IDs of packets.
[Switch] traffic behavior non-access-file
[Switch-behavior-non-access-file] remark flow-id 1 //Configure the device to re-mark the flow ID of
packets sent from the guest area to the confidential file server with 1.
[Switch-behavior-non-access-file] quit
[Switch] traffic behavior non-access-finance
[Switch-behavior-non-access-finance] remark flow-id 2 //Configure the device to re-mark the flow ID of
packets sent from the guest area to the financial department server with 2.
[Switch-behavior-non-access-finance] quit
[Switch] traffic behavior access-file
[Switch-behavior-access-file] remark flow-id 3 //Configure the device to re-mark the flow ID of packets
sent from the guest area to the public file server with 3.
[Switch-behavior-access-file] quit
[Switch] traffic behavior access-internet
[Switch-behavior-access-internet] remark flow-id 4 //Configure the device to re-mark the flow ID of
packets sent from the guest area to the external network with 4.
[Switch-behavior-access-internet] quit


Step 5 Configure a traffic policy that contains flow ID re-marking and apply the traffic
policy globally in the inbound direction.
# Create the traffic policy flow-id on the Switch, bind the traffic classifiers and
traffic behaviors to the traffic policy, and apply the traffic policy globally in the
inbound direction.
[Switch] traffic policy flow-id
[Switch-trafficpolicy-flow-id] classifier non-access-file behavior non-access-file
[Switch-trafficpolicy-flow-id] classifier non-access-finance behavior non-access-finance
[Switch-trafficpolicy-flow-id] classifier access-file behavior access-file
[Switch-trafficpolicy-flow-id] classifier access-internet behavior access-internet
[Switch-trafficpolicy-flow-id] quit
[Switch] traffic-policy flow-id global inbound

Step 6 Configure traffic classifiers.
# Configure traffic classifiers on the Switch to classify packets from guest areas
based on flow IDs.
[Switch] traffic classifier flow-id1 operator and
[Switch-classifier-flow-id1] if-match flow-id 1 //Configure the device to match packets with the flow ID of 1, that is, packets sent from the guest area to the confidential file server.
[Switch-classifier-flow-id1] quit
[Switch] traffic classifier flow-id2 operator and
[Switch-classifier-flow-id2] if-match flow-id 2 //Configure the device to match packets with the flow ID of 2, that is, packets sent from the guest area to the financial department server.
[Switch-classifier-flow-id2] quit
[Switch] traffic classifier flow-id3 operator and
[Switch-classifier-flow-id3] if-match flow-id 3 //Configure the device to match packets with the flow ID of 3, that is, packets sent from the guest area to the public file server.
[Switch-classifier-flow-id3] quit
[Switch] traffic classifier flow-id4 operator and
[Switch-classifier-flow-id4] if-match flow-id 4 //Configure the device to match packets with the flow ID of 4, that is, packets sent from the guest area to the external network.
[Switch-classifier-flow-id4] quit

Step 7 Configure traffic behaviors.
# Create traffic behaviors on the Switch to permit or reject matching packets.
[Switch] traffic behavior flow-id1
[Switch-behavior-flow-id1] deny //Configure the device to reject packets with the flow ID of 1.
[Switch-behavior-flow-id1] quit
[Switch] traffic behavior flow-id2
[Switch-behavior-flow-id2] deny //Configure the device to reject packets with the flow ID of 2.
[Switch-behavior-flow-id2] quit
[Switch] traffic behavior flow-id3
[Switch-behavior-flow-id3] permit //Configure the device to permit packets with the flow ID of 3 to pass through.
[Switch-behavior-flow-id3] quit
[Switch] traffic behavior flow-id4
[Switch-behavior-flow-id4] permit //Configure the device to permit packets with the flow ID of 4 to pass through.
[Switch-behavior-flow-id4] quit

Step 8 Configure a traffic policy for access control and apply the traffic policy to an
interface.
# Create the traffic policy access_policy on the Switch, bind the traffic behaviors
and traffic classifiers to the traffic policy, and apply the traffic policy to GE1/0/1,
GE1/0/2, and GE1/0/3 in the inbound direction to limit access of guest areas.
[Switch] traffic policy access_policy
[Switch-trafficpolicy-access_policy] classifier flow-id1 behavior flow-id1
[Switch-trafficpolicy-access_policy] classifier flow-id2 behavior flow-id2
[Switch-trafficpolicy-access_policy] classifier flow-id3 behavior flow-id3
[Switch-trafficpolicy-access_policy] classifier flow-id4 behavior flow-id4
[Switch-trafficpolicy-access_policy] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] traffic-policy access_policy inbound
[Switch-GigabitEthernet1/0/1] quit
[Switch] interface gigabitethernet 1/0/2
[Switch-GigabitEthernet1/0/2] traffic-policy access_policy inbound
[Switch-GigabitEthernet1/0/2] quit
[Switch] interface gigabitethernet 1/0/3
[Switch-GigabitEthernet1/0/3] traffic-policy access_policy inbound
[Switch-GigabitEthernet1/0/3] quit
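To see how the two stages configured in Steps 5 to 8 combine, the following added example (constructed for this page, not Huawei code or output) models the decision path of one packet: the global inbound policy flow-id re-marks a flow ID from the first ACL-based classifier that matches, and access_policy on GE1/0/1 to GE1/0/3 then denies or permits on that flow ID. The ACL rules, policy bindings and actions are taken from the configuration above; the packet fields and destination addresses in the test are constructed. A packet that matches none of the four ACLs receives no flow ID, so no classifier of access_policy applies to it and it is forwarded as usual, which is worth checking when verifying what the access control actually covers.

```python
import ipaddress

PORTS = {"ftp-data": 20, "ftp": 21, "www": 80}  # port names used by the ACL rules above

def wildcard_match(addr, base, wildcard):
    """Huawei-style wildcard mask: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

# Advanced ACLs as listed by 'display acl all': (protocol, destination, wildcard, port name)
ACLS = {
    "non-access-file":    [("tcp", "10.1.5.0", "0.0.0.255", p) for p in ("ftp-data", "ftp")],
    "non-access-finance": [("tcp", "10.1.7.0", "0.0.0.255", p) for p in ("ftp-data", "ftp")],
    "access-file":        [("tcp", "10.1.6.0", "0.0.0.255", p) for p in ("ftp-data", "ftp")],
    "access-internet":    [("tcp", "0.0.0.0", "255.255.255.255", "www")],  # any destination
}
# Policy flow-id (global inbound): classifier -> flow ID its behavior re-marks, in binding order
FLOW_ID_POLICY = [("non-access-file", 1), ("non-access-finance", 2),
                  ("access-file", 3), ("access-internet", 4)]
# Policy access_policy (inbound on GE1/0/1-3): flow ID -> action of the bound behavior
ACCESS_POLICY = {1: "deny", 2: "deny", 3: "permit", 4: "permit"}

def acl_permits(acl, pkt):
    """True when any rule of the named ACL matches the packet."""
    return any(pkt["proto"] == proto and wildcard_match(pkt["dst"], base, wc)
               and pkt["dport"] == PORTS[port] for proto, base, wc, port in ACLS[acl])

def remark_flow_id(pkt):
    """Stage 1: the first matching classifier wins; unmatched packets keep no flow ID."""
    for acl, flow_id in FLOW_ID_POLICY:
        if acl_permits(acl, pkt):
            return flow_id
    return None

def guest_port_decision(pkt):
    """Stage 2 on a guest-area interface: 'deny' or 'permit' from access_policy, or
    'unmarked' when the packet carries no flow ID and the policy does not act on it."""
    return ACCESS_POLICY.get(remark_flow_id(pkt), "unmarked")

def packet(dst, dport, proto="tcp"):
    """Constructed packet with only the fields the ACLs above inspect."""
    return {"proto": proto, "dst": dst, "dport": dport}

if __name__ == "__main__":
    for p in (packet("10.1.5.10", 21), packet("10.1.6.10", 21), packet("10.1.5.10", 22)):
        print(p["dst"], p["dport"], "->", remark_flow_id(p), guest_port_decision(p))
```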

Step 9 Verify the configuration.
# Check the ACL configuration.
[Switch] display acl all
Total nonempty ACL number is 4

Advanced ACL access-internet 3996, 1 rule
Acl's step is 5
rule 5 permit tcp destination-port eq www (match-counter 0)

Advanced ACL access-file 3997, 2 rules
Acl's step is 5
rule 5 permit tcp destination 10.1.6.0 0.0.0.255 destination-port eq ftp-data (match-counter 0)
rule 10 permit tcp destination 10.1.6.0 0.0.0.255 destination-port eq ftp (match-counter 0)

Advanced ACL non-access-finance 3998, 2 rules
Acl's step is 5
rule 5 permit tcp destination 10.1.7.0 0.0.0.255 destination-port eq ftp-data (match-counter 0)
rule 10 permit tcp destination 10.1.7.0 0.0.0.255 destination-port eq ftp (match-counter 0)

Advanced ACL non-access-file 3999, 2 rules
Acl's step is 5
rule 5 permit tcp destination 10.1.5.0 0.0.0.255 destination-port eq ftp-data (match-counter 0)
rule 10 permit tcp destination 10.1.5.0 0.0.0.255 destination-port eq ftp (match-counter 0)

# Check the traffic classifier configuration.
[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: flow-id1
Precedence: 25
Operator: AND
Rule(s) : if-match flow-id 1

Classifier: flow-id2
Precedence: 30
Operator: AND
Rule(s) : if-match flow-id 2

Classifier: flow-id3
Precedence: 35
Operator: AND
Rule(s) : if-match flow-id 3

Classifier: flow-id4
Precedence: 40
Operator: AND
Rule(s) : if-match flow-id 4

Classifier: non-access-file
Precedence: 5
Oper