
DPtech LSW6600 Series Ethernet Switches Command Configuration Manual

Manual version: v3.0


Software version: LSW6600-S111C011D007
Release date: 2019-06-10
DPtech LSW6600 Series Ethernet Switches Command Configuration Manual v3.0.docx

Declaration
Copyright © 2008-2019 Hangzhou DPtech Technologies Co., Ltd. All rights reserved.
No part of this manual may be extracted or copied by any company or individual without
written permission, nor transmitted by any means.

is the trade mark of Hangzhou DPtech Technologies Co., Ltd.


All other trademarks that may be mentioned in this manual are the property of their respective
owners.

Owing to product upgrading or other reasons, information in this manual is subject to change.
Hangzhou DPtech Technologies Co., Ltd. has the right to modify the content of this manual.
As this is a user guide, Hangzhou DPtech Technologies Co., Ltd. has made every effort in the
preparation of this document to ensure the accuracy of its contents, but all statements,
information, and recommendations in this document do not constitute a warranty of any
kind, express or implied.

Hangzhou DPtech Technologies Co., Ltd.


Address: 6th floor, Zhongcai Mansion, 68 Tonghelu, Binjiangqu, Hangzhou
Zip code: 310051
Website: http://www.dptech.com
Technical forum: http://forum.dptech.com
7x24 hour technical service hotline: 400-6100-598

Conventions

Command conventions

Convention   Description
Boldface     The keywords of a command line are in Boldface. (They must be entered as shown and cannot be changed.)
italic       Command arguments are in italic. (They must be substituted by real values in the command line.)
[]           Items (keywords and arguments) in square brackets [ ] are optional.
{}           Items (keywords and arguments) in braces { } appear one or more times.
(x|y|…)      Alternative items are grouped in parentheses and separated by vertical bars. One is selected.
#            A line starting with the # sign is a comment.

Sign conventions
Convention Description

An alert that calls attention to important information that if not understood or followed can
result in data loss, data corruption, or damage to hardware or software.

An alert that contains additional or supplementary information.



Contents
1 Common Maintenance Commands Introduction
1.1 Log in to the device
1.2 Viewing device information
1.3 Software version upgrade
1.4 Clear configuration
2 Basic Layer 2/3 Forwarding Configuration Example
2.1 Introduction to Layer 2 forwarding
2.2 Introduction to Layer 3 forwarding
3 Port Aggregation Configuration Example
3.1 Introduction to port aggregation
3.2 Dynamic port aggregation configuration example
4 Port Mirroring Configuration Example
4.1 Introduction to port mirroring
4.2 Local port mirroring configuration example
4.3 Remote port mirroring configuration case implemented by the reflection port
4.4 Remote port mirroring for outbound port implementation
5 Port Rate limiting Configuration Example
5.1 Port rate limiting introduction
5.2 Configuration example
6 Port Isolation Configuration Example
6.1 Introduction to port isolation
6.2 Configuration example
7 MAC/IP/Port Binding Configuration Example
7.1 Introduction to MAC/IP/Port binding
7.2 Configuration example
8 PVLAN Configuration Example
8.1 PVLAN introduction
8.2 Configuration example
9 QinQ Configuration Example
9.1 QinQ introduction
9.2 Basic QinQ configuration example
9.3 Flexible QinQ configuration example
10 ARP Protection Configuration Example
10.1 ARP protection introduction
10.2 ARP packet consistency detection configuration example
10.3 ARP user legality configuration example
10.4 ARP gateway protection configuration example
11 Routing Protocol Configuration Example
11.1 Introduction to routing protocols
11.2 Static route configuration example
11.3 RIP route configuration example
11.4 OSPF configuration example
11.5 OSPF multi-process configuration example
12 DHCP Configuration Example
12.1 DHCP introduction
12.2 DHCP Server configuration example
12.3 DHCP relay configuration example
12.4 DHCP Snooping configuration example
13 QoS Configuration Example
13.1 QoS introduction
13.2 Configuration example
14 802.1x Configuration Example
14.1 802.1x introduction
14.2 802.1x local authentication configuration example
14.3 802.1x Radius authentication configuration example
15 MAC Authentication Configuration Example
15.1 Introduction to MAC address authentication
15.2 MAC address local authentication configuration example
15.3 MAC address Radius authentication configuration example
16 Portal Configuration Example
16.1 Introduction to Portal authentication
16.2 Portal authentication configuration example
17 Spanning Tree Configuration Example
17.1 Introduction to spanning tree
17.2 STP configuration example
17.3 RSTP configuration example
17.4 MSTP configuration example
18 VRRP Configuration Example
18.1 VRRP introduction
18.2 VRRP configuration example
19 VSM Configuration Example
19.1 VSM introduction
19.2 VSM active and standby election
19.3 VSM configuration synchronization
19.4 VSM maintenance
19.5 VSM configuration example
20 OVC Configuration Example
20.1 OVC introduction
20.2 Management plane virtualization
20.3 Control plane virtualization
20.4 Data plane virtualization
20.5 OVC configuration example
21 VRF Configuration Example
21.1 VRF introduction
21.2 MPLS VPN introduction
21.3 VRF configuration example

1 Common Maintenance Commands Introduction
1.1 Log in to the device

1.1.1 SSH login

After SSH is enabled on the switch, you can log in to the device by entering the management
address, user name (initial user name admin), and password (initial password admin_default) on
the serial terminal.
<DPTECH>conf-mode
[DPTECH]ssh enable
[DPTECH]

1.1.2 Telnet login

• Use password to log in

<DPTECH>conf-mode
[DPTECH]telnet enable
[DPTECH]

After Telnet is enabled on the switch, you can log in to the device by entering the management
address and password of the device on the serial terminal. The terminal information is displayed
as follows:
User Access Verification

Password:
<DPTECH>

• Use username and password to log in

<DPTECH>conf-mode
[DPTECH]line vty
[DPTECH-line]authentication mode username

After Telnet is enabled on the switch, you can log in to the device by entering the management
address, user name (initial user name admin), and password (initial password admin_default) on
the serial terminal. The terminal information is displayed as follows:
User Access Verification
Username:admin
Password:admin_default
<DPTECH>

1.2 Viewing device information


Table 1-1 Device information

Item                                                Description
Enter the configuration view                        <DPTECH>conf-mode
View the currently executable commands (type "?")   <DPTECH>?
Return to the previous view from the current view   [DPTECH]exit
                                                    <DPTECH>exit
View current usage version                          <DPTECH>show version
View the current configuration of the device        <DPTECH>show running-config
View created VLANs                                  <DPTECH>show vlan
View vlan-if port                                   <DPTECH>show ip interface brief
View boot-file                                      <DPTECH>show boot-file
Reboot the device                                   <DPTECH>reboot
Turn SSH on and off                                 [DPTECH]ssh enable
                                                    [DPTECH]no ssh enable
Turn Telnet on and off                              [DPTECH]telnet enable
                                                    [DPTECH]no telnet enable
Enable and disable the Telnet username and          [DPTECH]line vty
password mode                                       [DPTECH-line]authentication mode username
                                                    [DPTECH-line]authentication mode none
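
A small audit of the remote-login settings from sections 1.1 and 1.2, as an added example (not DPtech code): it scans configuration text for the `ssh enable`, `telnet enable` and `authentication mode` commands shown above and reports Telnet exposure and vty lines without username authentication. It assumes the saved configuration echoes these commands in the syntax in which they are typed; the finding names and both sample configurations are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Strips a leading CLI prompt such as "<DPTECH>" or "[DPTECH-line]".
PROMPT = re.compile(r"^\s*(?:<[^>]*>|\[[^\]]*\])\s*")
SERVICE = re.compile(r"^(no\s+)?(ssh|telnet)\s+enable$")
LINE_VTY = re.compile(r"^line\s+vty\b")
VTY_AUTH = re.compile(r"^authentication\s+mode\s+(\S+)$")

# Finding identifiers and wording belong to this example, not to the device.
FINDINGS = {
    "telnet-enabled": "Telnet is enabled; logins cross the network unencrypted.",
    "telnet-no-username-auth":
        "Telnet is enabled but 'authentication mode username' is not set under 'line vty'.",
    "telnet-without-ssh": "Telnet is enabled and no active 'ssh enable' was found.",
}


@dataclass
class MgmtState:
    ssh: Optional[bool] = None       # None = command never seen in the text
    telnet: Optional[bool] = None
    vty_auth: Optional[str] = None   # "username", "none", or None if never set


def parse_mgmt_state(text: str) -> MgmtState:
    """Replay the commands in order; the last occurrence of a setting wins."""
    state = MgmtState()
    in_vty = False
    for raw in text.splitlines():
        line = PROMPT.sub("", raw).strip()
        if not line or line.startswith("#"):   # '#' starts a comment line
            continue
        svc = SERVICE.match(line)
        if svc:
            # "no ssh enable" / "no telnet enable" switch the service off.
            setattr(state, svc.group(2), svc.group(1) is None)
        elif LINE_VTY.match(line):
            in_vty = True
        elif line == "exit":
            in_vty = False
        else:
            auth = VTY_AUTH.match(line)
            if auth and in_vty:                # only valid inside the line view
                state.vty_auth = auth.group(1)
    return state


def audit(text: str) -> List[str]:
    """Return the identifiers of all findings for one configuration text."""
    state = parse_mgmt_state(text)
    found: List[str] = []
    if state.telnet:
        found.append("telnet-enabled")
        if state.vty_auth != "username":
            found.append("telnet-no-username-auth")
        if not state.ssh:
            found.append("telnet-without-ssh")
    return found


# Constructed sample: Telnet on, username authentication switched off.
WEAK_SAMPLE = """\
<DPTECH>conf-mode
[DPTECH]telnet enable
[DPTECH]line vty
[DPTECH-line]authentication mode none
"""

# Constructed sample: SSH only, username login on the vty lines.
HARDENED_SAMPLE = """\
# remote management over SSH only
ssh enable
no telnet enable
line vty
 authentication mode username
"""

if __name__ == "__main__":
    for name, sample in (("weak", WEAK_SAMPLE), ("hardened", HARDENED_SAMPLE)):
        ids = audit(sample)
        print(name, "->", ids or "no findings")
        for finding_id in ids:
            print("   ", FINDINGS[finding_id])
```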


1.3 Software version upgrade

1.3.1 Operation in Conboot mode

Before upgrading the version, ensure that the user terminal and the switch are properly
connected: connect the host's serial port cable to the console port of the switch, and use a
network cable to connect the host's network card to a physical port of the switch. Start the
TFTP server on the host.

When the device is powered on or restarted, the following messages are displayed on the
terminal. When the output reaches "will boot in 3", the system offers a 3-second window in
which to enter the Conboot menu. Press <Ctrl+B> within this window and the system prompts:
please enter the password:

After entering the correct password, you can enter the boot menu. The switch does not set a
password by default, so pressing Enter displays the Conboot menu. Then you can upgrade
the software version of the device according to the following prompts.

• Upgrade the version in Conboot mode.

<DPTECH>reboot
System configuration has been modified. Save? (Y/N) [N]: y
Proceed with reboot? (Y/N) [N]: y
System reboot...
The system is going down NOW!
Sent SIGTERM to all processes
Sent SIGKILL to all processes
Requesting system reboot

System start booting...


Booting Basic ConBoot....

*********************************************************
* *
* ConBoot, basic Version 1.25.05 *
* *
*********************************************************
Power On reset config = 0x0000000000D4093B
Compiled Date:Compiled on Wed, 23 Dec 2015 00:43:03 +0800
Type [CTRL+F] to enter board setup 0
Trying configuration: CMD:0x18
Dram page thrash test PASSED.
Running DRAM mats
Press Ctrl+E to enter Basic boot menu...
Checking system image...
Booting Normal Extend ConBoot....,180000
*********************************************************
* *
* ConBoot, extend Version 1.25.05 *
* *
*********************************************************
Compiled Date: Compiled on Wed, 23 Dec 2015 00:43:37 +0800
Detected CPU Rev B1 [Revision ID 0x3]
Detected CPU XLS408B [CPU ID 0x4e]
Bridge Device Mask: fff0f907
Capacity of DDRII Memory:1024MB
CPU Frequency = 1000.000000MHz
Detected 8 online CPU(s), map = 0xff
CPLD Version :3.0 2014-12-24
PCB Version :B
NAND device: Manufacturer ID: 0xad, Chip ID: 0xdc (Hynix NAND 512MiB 3,3V 8-bit)
Scanning JFFS2 FS: . done.

configuring gmac0 in byte mode @ 125MHz (1000Mbps): full duplex mode


configuring gmac1 in byte mode @ 125MHz (1000Mbps): full duplex mode
B1_XLS408B @ ATX_I $
Press Ctrl+B to enter extend boot menu...
conplat will boot in 2-------------------> The device boots up here. Press Ctrl+B within 3 seconds to interrupt.
please enter the password: --------------------------------------> Press Enter to enter the main menu below.
====================<EXTEND-ConBoot-MENU>====================
<1> Boot System
<2> Enter Serial SubMenu
<3> Enter Ethernet SubMenu
<4> File Control
<5> Modify ConBoot Password
<6> Skip Current System Configuration
<7> ConBoot Operation Menu
<8> Skip Current System Password
<0> reboot
=============================================================
enter your choice (0 - 7):3-------------------------------------------> Type 3 to enter the submenu
=====================<GIGEERNET SUB-MENU>=====================
<1> Download Application Program To SDRAM And Run
<2> Modify Gigeernet Parameter
<3> Update Main Application File
<4> Update Backup Application File
<0> Exit To Main Menu
=============================================================
enter your choice (0 - 4):2---------------------------------------------> Type 2 to modify
the parameters
===============<GIGEERNET PARAMETER SET>======================
note:
'+'=go to next field
'-' = Go to previous field.
Ctrl+D = Quit.
=============================================================
Load File Name: LSW6600-S111C011D007.bin --------------------------------> Name of the version file to be upgraded
Server IP Address:10.24.9.99 --------------------------------------> Address of the host that stores the above version
Local IP Address:10.24.14.15 -------------------------------------> Any address in the network segment where the device is located can be used
Gateway IP Address:10.24.0.1 --------------------------------------------> Device gateway address
Net Mask:255.255.0.0 ---------------------------------------------------------> Host mask
change successfully!
====================<GIGEERNET SUB-MENU>=====================
<1> Download Application Program To SDRAM And Run
<2> Modify Gigeernet Parameter
<3> Update Main Application File
<4> Update Backup Application File
<0> Exit To Main Menu
=============================================================
enter your choice (0 - 4):3--------------------------------------------> Type 3, upgrade
version
Downloading [LSW6600-S111C011D007.bin].
Server IP : 10.24.17.1
Bytes downloaded: 45386636
tftpc: download done. Size [45386636] @ Addr [0x20000000]
Checking system image...
System updating, please don't power off!
Writing:*..............................................................................
.......................................................................................
.......................................................................................
.......................................................................................
........................
writtenlen = 45386636

update successfully
=====================<GIGEERNET SUB-MENU>=====================
<1> Download Application Program To SDRAM And Run
<2> Modify Gigeernet Parameter
<3> Update Main Application File
<4> Update Backup Application File
<0> Exit To Main Menu
=============================================================
enter your choice (0 - 4):0-------------------------------> After the upgrade is successful,
type 0 to return to the main menu
====================<EXTEND-ConBoot-MENU>====================
<1> Boot System
<2> Enter Serial SubMenu
<3> Enter Ethernet SubMenu
<4> File Control
<5> Modify ConBoot Password
<6> Skip Current System Configuration
<7> ConBoot Operation Menu
<8> Skip Current System Password
<0> reboot
=============================================================
enter your choice (0 - 7):0------------> Type 0 to restart the device. The version used after
the device is up is the upgraded version.

• Set the main boot version in Conboot mode.

When multiple versions are stored on the device, you can set one of them as the main startup
version, so that the device uses that version the next time it starts.
====================<EXTEND-ConBoot-MENU>====================
<1> Boot System
<2> Enter Serial SubMenu
<3> Enter Ethernet SubMenu
<4> File Control
<5> Modify ConBoot Password
<6> Skip Current System Configuration
<7> ConBoot Operation Menu
<8> Skip Current System Password
<0> reboot
=============================================================
enter your choice (0 - 7):4-----------------------------> Type 4 in the main menu mode to
enter the file control menu.
=======================<File CONTROL>========================
<1> Display All File(s)
<2> Set Application File type
<3> Delete File
<4> Format Partition
<0> Exit To Main Menu
=============================================================
enter your choice (0 - 4):2------------------------------------------------------> Type 2
Display all file(s) in nand0:
'M'= main 'B'=backup
=============================================================
NO. filename size type
-------------------------------------------------------------
1: LSW6600-S111C008D010P26P04.bin 39452524
2: LSW6600-S111C008D010.bin 39374096 M
=============================================================
enter your chioce:1--------------------------------------------------------> Type the
version number
=============================================================
Modify the file attribute:
<1> +Main
<2> -Main
<3> +Backup
<4> -Backup
<0> Exit
=============================================================
Enter your choice(0-4):1-------------------------> Set the selected version to be the main
one, use it at the next startup.
change successfully!
=======================<File CONTROL>========================
<1> Display All File(s)
<2> Set Application File type
<3> Delete File
<4> Format Partition
<0> Exit To Main Menu
=============================================================
enter your choice (0 - 4):0-----------------------------------------> Type 0 to fall back
to the main menu

• Remove the version in Conboot mode.


====================<EXTEND-ConBoot-MENU>====================
<1> Boot System
<2> Enter Serial SubMenu
<3> Enter Ethernet SubMenu
<4> File Control
<5> Modify ConBoot Password
<6> Skip Current System Configuration
<7> ConBoot Operation Menu
<8> Skip Current System Password
<0> reboot
=============================================================
enter your choice (0 - 7):4----------------------------> Type 4 in the main menu mode to
enter the file control menu.
=======================<File CONTROL>========================
<1> Display All File(s)
<2> Set Application File type
<3> Delete File
<4> Format Partition
<0> Exit To Main Menu
=============================================================
enter your choice (0 - 4):3-------------------------------------> Type 3 to enter the delete
version interface.
Display all file(s) in nand0:
'M'= main 'B'=backup
=============================================================
NO. filename size type
-------------------------------------------------------------
1: LSW6600-S111C010D003.bin 45381504
2: LSW6600-S111C011D007.bin 45386636 M
=============================================================
enter your chioce:2------------------------------------------------> Select the version
number to delete.
=======================<File CONTROL>========================
<1> Display All File(s)
<2> Set Application File type
<3> Delete File
<4> Format Partition
<0> Exit To Main Menu
=============================================================
enter your choice (0 - 4):0-------------------------------> After deleting successfully,
type 0 to fall back to the main menu.
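
A check for a captured console log of the Conboot upgrade above, as an added example (not part of the manual or of DPtech software): it confirms that the file name, TFTP server address and byte counts reported during download and flash write agree with what was configured and with the size of the image held on the host. The function names, problem codes and both sample logs are constructed; the second sample reproduces the address difference visible in the transcript above (10.24.9.99 configured, 10.24.17.1 reported during download), and the line formats are those shown in that transcript.

```python
import re
from typing import Dict, List

# Line formats taken from the ConBoot transcript in this section.
PATTERNS = {
    "cfg_file":   re.compile(r"^Load File Name:\s*(\S+)"),
    "cfg_server": re.compile(r"^Server IP Address:\s*(\d+(?:\.\d+){3})"),
    "dl_file":    re.compile(r"^Downloading \[([^\]]+)\]"),
    "dl_server":  re.compile(r"^Server IP\s*:\s*(\d+(?:\.\d+){3})"),
    "dl_bytes":   re.compile(r"^Bytes downloaded:\s*(\d+)"),
    "tftp_size":  re.compile(r"^tftpc: download done\. Size \[(\d+)\]"),
    "written":    re.compile(r"^writtenlen\s*=\s*(\d+)"),
    "status":     re.compile(r"^(update successfully)\s*$"),
}


def parse_conboot_log(log: str) -> Dict[str, str]:
    """Return the last value seen for each field.

    Annotations after '--->' are ignored because each pattern captures only
    the value that directly follows the field name.
    """
    fields: Dict[str, str] = {}
    for raw in log.splitlines():
        line = raw.strip()
        for name, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                fields[name] = match.group(1)
                break
    return fields


def check_upgrade(log: str, expected_file: str, expected_size: int) -> List[str]:
    """Compare the log with the image on the TFTP host.

    expected_size is the byte size of the image file on the host
    (for example from os.path.getsize). Returns a list of problem codes;
    an empty list means every check passed.
    """
    fields = parse_conboot_log(log)
    problems: List[str] = []

    # 1. An incomplete capture cannot prove the upgrade finished.
    for name in PATTERNS:
        if name not in fields:
            problems.append(f"missing:{name}")

    # 2. The configured and the downloaded file must be the intended image.
    for name in ("cfg_file", "dl_file"):
        if name in fields and fields[name] != expected_file:
            problems.append(f"file-mismatch:{name}")

    # 3. The download must come from the server that was configured.
    if "cfg_server" in fields and "dl_server" in fields:
        if fields["cfg_server"] != fields["dl_server"]:
            problems.append("server-mismatch")

    # 4. Downloaded, received and written byte counts must equal the image size.
    for name in ("dl_bytes", "tftp_size", "written"):
        if name in fields and int(fields[name]) != expected_size:
            problems.append(f"size-mismatch:{name}")

    return problems


# Constructed sample: a consistent upgrade run.
GOOD_LOG = """\
Load File Name: LSW6600-S111C011D007.bin --------> Version name to be upgraded
Server IP Address:10.24.9.99 --------> Host address
Local IP Address:10.24.14.15
Downloading [LSW6600-S111C011D007.bin].
Server IP : 10.24.9.99
Bytes downloaded: 45386636
tftpc: download done. Size [45386636] @ Addr [0x20000000]
Checking system image...
writtenlen = 45386636

update successfully
"""

# Constructed sample: different server, short write, no success line.
BAD_LOG = """\
Load File Name: LSW6600-S111C011D007.bin
Server IP Address:10.24.9.99
Downloading [LSW6600-S111C011D007.bin].
Server IP : 10.24.17.1
Bytes downloaded: 45386636
tftpc: download done. Size [45386636] @ Addr [0x20000000]
writtenlen = 45386000
"""

if __name__ == "__main__":
    for name, log in (("good", GOOD_LOG), ("bad", BAD_LOG)):
        result = check_upgrade(log, "LSW6600-S111C011D007.bin", 45386636)
        print(name, "->", result or "all checks passed")
```

Matching byte counts show that the transfer and the flash write completed; they do not authenticate the image, because TFTP provides neither authentication nor integrity protection.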

1.3.2 Command line operation

Before upgrading the version, ensure that the host NIC is correctly connected to a physical port
of the switch, that the host and the device can communicate normally, and that the TFTP server
is enabled on the host. Use the terminal to log in to the serial port of the device and follow the
prompts below to upgrade the version.

• Upgrade version in command line mode.

[DPTECH]boot-file get LSW6600-S111C008D010P26P04.bin tftp 10.24.9.99
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 37.6M  100 37.6M    0     0   306k      0  0:02:05  0:02:05 --:--:--  312k
Download successfully!
[DPTECH]

• Set the main boot version in command line mode.

[DPTECH]boot-file main LSW6600-S111C011D007.bin
[DPTECH]

• Set the backup version in command line mode. When the main version is deleted, the
backup version is used after the device is restarted.

[DPTECH]boot-file backup LSW6600-S111C011D007.bin
[DPTECH]

• Delete version in command line mode.

[DPTECH]boot-file delete LSW6600-S111C011D007.bin
[DPTECH]

1.4 Clear configuration


When the new and old versions of the device are far apart, the configuration may be
incompatible. In this case, you need to clear the previous configuration of the device and
replace it with the new one.
<DPTECH>configuration clear-all

2 Basic Layer 2/3 Forwarding Configuration Example
2.1 Introduction to Layer 2 forwarding
Layer 2 forwarding is based on MAC addresses and is performed by the internal chip, so the
forwarding speed is fast and the performance is high. Layer 2 forwarding relies on the MAC
address table that the switch maintains. When a packet is received, the mapping between its
source MAC address and the receiving port is written to the MAC table as the basis for Layer 2
forwarding. To forward a packet, the switch searches the MAC table for the destination MAC
address of the packet and forwards the packet accordingly. Layer 2 packets can only be
forwarded at Layer 2 within the same VLAN.

2.1.1 Configuration requirements

The company's internal network is divided into multiple different VLANs, and users in the same
VLAN can use Layer 2 forwarding for communication.

2.1.2 Network topology

Figure 2-1 Network diagram for Layer 2 forwarding

[Figure: HostA (MAC A) connects to port gige0_1 of SW and HostB (MAC B) connects to port gige0_2 of SW; both ports belong to VLAN 2.]

2.1.3 Configuration process

(1) Create VLAN2 on the SW;

(2) Add gige0_1, gige0_2 to VLAN2;

(3) Verify the configuration.

2.1.4 Configuration procedure

(1) Create VLAN 2 on the SW.


<DPTECH>conf-mode
[DPTECH]vlan 2

(2) Add gige0_1, gige0_2 to VLAN 2.


<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2

(3) Verify the configuration.

You can use the show mac-address-table slot 0 all command to view the MAC address table,
which contains the entries for MAC A and MAC B. Host A and Host B can communicate with each
other once they are configured with addresses in the same network segment.

2.2 Introduction to Layer 3 forwarding


Layer 3 forwarding is performed jointly by the chip and the CPU. The chip is mainly
responsible for the forwarding function. The CPU holds two kinds of entries, Layer 2 MAC
entries and Layer 3 forwarding entries; it is mainly used for forwarding control and for
maintaining the entries, and it delivers the Layer 3 forwarding entries to the chip. When no
forwarding entry is set up on the switch, PCs on different network segments cannot
communicate directly through chip forwarding; the CPU must first establish the Layer 3
forwarding entries on the Layer 3 switch chip. After the entries are in place, the switch
forwards packets to the destination host by querying the MAC address table and then the
Layer 3 forwarding entries.

2.2.1 Configuration requirements

There are multiple different VLANs in the company, and the VLANs are isolated at Layer 2.
Users in different VLANs who want to communicate can do so only through Layer 3 forwarding.

2.2.2 Network topology

Figure 2-2 Networking diagram of Layer 3 forwarding

[Figure: HostA (1.1.1.2/24) connects to SW1 gige0_1 (Vlan-if2, 1.1.1.1/24); SW1 gige0_2 (Vlan-if3, 2.2.2.1/24) connects to SW2 gige0_1 (Vlan-if2, 2.2.2.2/24); SW2 gige0_2 (Vlan-if3, 3.3.3.1/24) connects to HostB (3.3.3.2/24).]

Layer 3 forwarding requires that the routes to the 1.1.1.0 network segment and the 3.3.3.0
network segment are reachable. You can configure static routes on SW1 and SW2 or use routing
protocols such as RIP and OSPF.

2.2.3 Configuration process

(1) Create VLAN 2 and VLAN 3 on SW1 and add interfaces to the corresponding VLANs.

(2) Configure the IP address and static route of the vlan-if interface on SW1.

(3) Create VLAN 2 and VLAN 3 on SW2 and add interfaces to the corresponding VLANs.

(4) Configure the IP address and static route of the vlan-if interface on SW2.

(5) Verify the configuration.

2.2.4 Configuration procedure

(1) Create VLAN 2 and VLAN 3 on SW1. Add an interface to the corresponding VLAN and
configure the IP address of the vlan-if interface.
<DPTECH>conf-mode
[DPTECH]vlan 2 to 3
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_2
[DPTECH-vlan3]exit

(2) Configure the IP address and static route of the vlan-if interface on SW1.
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip address 1.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip address 2.2.2.1/24
[DPTECH-vlan-if3]exit
[DPTECH]ip route 3.3.3.0 255.255.255.0 2.2.2.2

(3) Create VLAN 2 and VLAN 3 on SW2 and add interfaces to the corresponding VLANs.
<DPTECH>conf-mode
[DPTECH]vlan 2 to 3
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_2
[DPTECH-vlan3]exit

(4) Configure the IP address and static route of the vlan-if interface on SW2.
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip address 2.2.2.2/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip address 3.3.3.1/24
[DPTECH-vlan-if3]exit
[DPTECH]ip route 1.1.1.0 255.255.255.0 2.2.2.1

(5) Verify the configuration

After HostA and HostB are configured with the IP addresses of the corresponding network
segments, they can communicate normally.

3 Port Aggregation Configuration Example

3.1 Introduction to port aggregation

Port aggregation, also called link aggregation, forms one logical link by binding multiple physical
links. This not only increases the bandwidth of the link, but also forms a dynamic backup among
the bundled links, which effectively improves the reliability of the link. When the switch detects
that the link of a member port in the port aggregation is faulty, the switch stops sending packets
on the port and distributes the original load of the faulty link to the remaining links according to
the load balancing policy. After the faulty link is restored, the port resumes sending packets.

3.1.1 Basic concept

Aggregation group and member port

Table 3-1 Aggregation group and member port

Item                 Description

Aggregation group    Combination of multiple Ethernet interfaces bundled together.

Member port          The bundled Ethernet interface is called the member port of the aggregation
                     group.

Member port state

Member ports in an aggregation group have the following state:

Table 3-2 Status of member port

Item                    Description

Selected state          Member ports can participate in the forwarding of user data when they are in
                        this state.

Unselected state        When a member port is in this state, it cannot participate in the forwarding of
                        user data.

Master port (Master)    The port in the Selected state with the smallest port number is called the
                        Master Port.

3.1.2 Aggregation mode

There are two modes for port aggregation: static aggregation and dynamic aggregation.

Table 3-3 Aggregation mode

Item                   Description

Static aggregation     In static aggregation mode, the establishment of an aggregation port and the
                       joining of member ports are completely configured manually. There is no port
                       aggregation control protocol involved.

Dynamic aggregation    In dynamic aggregation mode, the establishment of an aggregation port and the
                       joining of member ports are all configured by the administrator. The difference
                       from static aggregation mode is that LACP protocol packets participate in the
                       selection of active interfaces in dynamic aggregation mode. After a group of
                       ports is added to an aggregation group, whether the ports are in the selected
                       state and participate in data forwarding must be determined through negotiation
                       of LACP packets. Only ports with the same rate and duplex attributes, connected
                       to the same device, and with the same basic configuration can be dynamically
                       aggregated. A single port can also form a dynamic aggregation, called a
                       single-port aggregation.

3.1.3 Load sharing type

Currently, port aggregation load balancing of a switch supports the following types:

- Load balancing based on the source IP address.
- Load sharing based on the destination IP address.
- Load balancing based on the source IP address and destination IP address.
- Load balancing based on the source MAC address.
- Load sharing based on the destination MAC address.
- Load balancing based on the source MAC address and the destination MAC address.
- Load sharing according to the port (enhanced).
- Load balancing according to user-defined methods.

Currently, the load balancing types supported by the switch are based on the source IP address;
the destination IP address; the source IP address and destination IP address; the source MAC
address; the destination MAC address; the source MAC address and destination MAC address; and
the enhanced port. Users can select the appropriate type according to the actual application
requirements.

3.2 Dynamic port aggregation configuration example

3.2.1 Configuration requirements

The bandwidth of the logical link created by port aggregation equals the total bandwidth of the
physical links, and the links back each other up, which effectively improves the reliability of
the link. Port aggregation can be used on some important links of the enterprise to make the
network more secure.

3.2.2 Network topology

Figure 3-1 Network diagram for port aggregation

[Figure: SW1 and SW2 are connected through gige0_1 and gige0_2 on each switch, aggregated as bond1; on each switch gige0_4 is in vlan2 and gige0_5 is in vlan3.]

3.2.3 Configuration process

(1) Create bond1 on SW1 and SW2 respectively, configure the aggregation group type as
dynamic aggregation, and the outbound port algorithm as the source IP address and
destination IP address, and add the aggregation member ports gige0_1 and gige0_2.

(2) Create VLAN2-3 in SW1 and SW2 respectively, configure the bond1 port as a trunk, and
allow VLAN2-3 to pass.

(3) Verify the configuration.

3.2.4 Configuration step

(1) Create bond1 on SW1 and SW2, set the aggregation group type to dynamic aggregation, the
outbound port algorithm as the source IP address and destination IP address, and add the
aggregation member ports gige0_1 and gige0_2.
[DPTECH]interface bond 1
[DPTECH-bond1]bond mode dynamic
[DPTECH-bond1]bond load-sharing mode source-destination-ip
[DPTECH-bond1]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1]bond group 1
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]bond group 1
[DPTECH-gige0_2]exit

(2) Create VLAN2-3 in SW1 and SW2 respectively, configure the bond1 port as a trunk, and
allow VLAN2-3 to pass.
[DPTECH]vlan 2 to 3
[DPTECH]interface bond1
[DPTECH-bond1]switchport mode trunk
[DPTECH-bond1]switchport trunk allowed vlan 2-3
[DPTECH-bond1]switchport trunk native vlan 3

(3) Verify the configuration

# View the SW1 port aggregation status.


<DPTECH>show bond 1 summary

bond listing:
-------------
bond: 1
--------
Bond state : L2
MII Status : up
Bond mode : dynamic
Load sharing : source-destination-ip
Bond description:
Minimum Links :
Maxports : 8
Protocol : LACP
Select mode : speed
System-priority : 32768
System-id : 00:24:AC:71:AD:F1
Par system-id : 00:24:AC:B5:47:12
Minimum port : gige0_1
Select port : gige0_1,gige0_2
Unselect port :

# View the SW2 port aggregation status.


<DPTECH>show bond 1 summary

bond listing:
-------------
bond: 1
--------
Bond state : L2
MII Status : up
Bond mode : dynamic
Load sharing : source-destination-ip
Bond description:
Minimum Links :
Maxports : 8
Protocol : LACP
Select mode : speed
System-priority : 32768
System-id : 00:24:AC:B5:47:12
Par system-id : 00:24:AC:71:AD:F1
Minimum port : gige0_1
Select port : gige0_1,gige0_2
Unselect port :

The aggregation group status information indicates that the aggregation group 1 is a dynamic
aggregation group that performs load sharing based on the source IP address and the destination
IP address. When the data traffic of VLAN 2 and VLAN 3 is aggregated, load balancing and link
backup can be implemented, which increases the reliability of the link.
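The two summaries above can be cross-checked mechanically: each side's Par system-id should be the other side's System-id, and every planned member port should be in the Select port list. The following is an added example, not part of the manual; the field values in SW1_SUMMARY and SW2_SUMMARY are copied from the outputs above, and DRIFTED_SUMMARY is a constructed sample.

```python
"""Added example: cross-check 'show bond 1 summary' output from both ends of bond1."""

# Fields copied from the SW1 and SW2 outputs shown in the manual.
SW1_SUMMARY = """\
bond: 1
MII Status : up
Bond mode : dynamic
Load sharing : source-destination-ip
Protocol : LACP
System-id : 00:24:AC:71:AD:F1
Par system-id : 00:24:AC:B5:47:12
Select port : gige0_1,gige0_2
Unselect port :
"""
SW2_SUMMARY = """\
bond: 1
MII Status : up
Bond mode : dynamic
Load sharing : source-destination-ip
Protocol : LACP
System-id : 00:24:AC:B5:47:12
Par system-id : 00:24:AC:71:AD:F1
Select port : gige0_1,gige0_2
Unselect port :
"""
# Constructed sample: the LACP partner is not SW2 and gige0_2 is no longer selected.
DRIFTED_SUMMARY = """\
bond: 1
MII Status : up
Bond mode : dynamic
Load sharing : source-destination-ip
Protocol : LACP
System-id : 00:24:AC:71:AD:F1
Par system-id : 00:24:AC:00:00:99
Select port : gige0_1
Unselect port : gige0_2
"""


def parse_bond_summary(text):
    """Return {lower-cased field name: value} for every 'name : value' line."""
    fields = {}
    for line in text.splitlines():
        # Split at the first colon only, so MAC addresses stay intact in the value.
        name, sep, value = line.partition(":")
        if sep and name.strip():
            fields[name.strip().lower()] = value.strip()
    return fields


def port_set(value):
    """Turn 'gige0_1,gige0_2' into {'gige0_1', 'gige0_2'}; an empty field gives an empty set."""
    return {p.strip() for p in value.split(",") if p.strip()}


def check_bond(local_text, peer_text, members,
               mode="dynamic", load_sharing="source-destination-ip"):
    """Compare one switch's summary with its peer's and return a list of findings."""
    local = parse_bond_summary(local_text)
    peer = parse_bond_summary(peer_text)
    findings = []
    if local.get("mii status") != "up":
        findings.append("bond is not up")
    if local.get("bond mode") != mode:
        findings.append(f"bond mode is {local.get('bond mode')}, expected {mode}")
    if mode == "dynamic" and local.get("protocol") != "LACP":
        findings.append("dynamic bond is not running LACP")
    if local.get("load sharing") != load_sharing:
        findings.append(f"load sharing is {local.get('load sharing')}, expected {load_sharing}")
    partner = local.get("par system-id", "").upper()
    expected_partner = peer.get("system-id", "").upper()
    if not partner or partner != expected_partner:
        findings.append(f"LACP partner {partner or 'none'} is not the expected peer {expected_partner}")
    selected = port_set(local.get("select port", ""))
    if selected != set(members):
        findings.append(f"selected ports {sorted(selected)} differ from planned {sorted(members)}")
    unselected = port_set(local.get("unselect port", ""))
    if unselected:
        findings.append(f"unselected member ports: {sorted(unselected)}")
    return findings


if __name__ == "__main__":
    planned = {"gige0_1", "gige0_2"}
    print("SW1 vs SW2:", check_bond(SW1_SUMMARY, SW2_SUMMARY, planned) or "consistent")
    for finding in check_bond(DRIFTED_SUMMARY, SW2_SUMMARY, planned):
        print("drifted:", finding)
```
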

4 Port Mirroring Configuration Example

4.1 Introduction to port mirroring

The main function of port mirroring is to copy the packets of the source port to the destination
port for network monitoring and troubleshooting. In actual applications, the destination port is
connected to a server or a PC. You can view the inbound and outbound packets of the source port
on the server to monitor the source port. When the network is faulty, you can connect a notebook
to the destination port and capture the packets sent and received on the source port to help
locate problems.

4.1.1 Basic concept of port mirroring

Source port and destination port of the port mirroring group

Table 4-1 Source port and destination port of the port mirroring group

Item                Description

Source port         The monitored port. Packets passing through this port are copied to the
                    destination port for monitoring and analysis.

Destination port    The monitoring port. It receives the packets copied from the source port and
                    forwards them to the server for monitoring and analysis.

Reflective port     A special port in the source mirroring group for remote port mirroring. This
                    port uses a single VLAN and does not need to be connected to a network cable.

4.1.2 Mirroring direction

The direction of port mirroring is divided into three types:

Table 4-2 Direction of port mirroring

Item                  Description

Inbound direction     Only mirror packets received from the source port.

Outbound direction    Only mirror packets forwarded from the source port.

Bidirectional         Mirroring messages received and sent from the source port.

4.1.3 Port mirroring classification

Port mirroring is divided into two categories: local port mirroring and remote port mirroring.

Table 4-3 Port mirroring

Item                     Description

Local port mirroring     Both the source port and the destination port are on the same device, and
                         the source port packets are copied to the destination port.

Remote port mirroring    The source port and the destination port are on different devices. The two
                         devices are connected through the Layer 2 network. The mirrored packets are
                         forwarded to the destination port through the Layer 2 network.

A port can be added to only one mirroring group. A source port cannot be configured as the
destination port of its own mirroring group or of any other mirroring group.

4.2 Local port mirroring configuration example

4.2.1 Configuration requirements

Local port mirroring is mainly used to monitor and analyze the packets entering and leaving a
port of the device. When you need to monitor the packets of a port, configure the port as the
source port and connect a server to the destination port to perform real-time monitoring.
When the network is faulty and you need to check the device, configure the suspicious port as the
source port and connect a packet capture tool to the destination port for analysis.

4.2.2 Network topology

Figure 4-1 Network diagram for local port mirroring

4.2.3 Configuration process

(1) Create VLAN 2, VLAN 3, and VLAN 4 on the SW.

(2) Add gige0_1 to VLAN2, gige0_2 to VLAN3, gige0_3 to VLAN4.

(3) Create local mirroring group 1 on the SW. The source port is gige0_1 and gige0_2, and the
destination port is gige0_3. The direction is bidirectional.

(4) Verify the configuration.

4.2.4 Configuration step

(1) Create VLAN 2, VLAN 3, and VLAN 4 on the SW.


<DPTECH>conf-mode
[DPTECH]vlan 2 to 4
[DPTECH]

(2) Add gige0_1 to VLAN2, gige0_2 to VLAN3, gige0_3 to VLAN4.


[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_2
[DPTECH-vlan3]exit
[DPTECH]vlan 4
[DPTECH-vlan4]port gige0_3
[DPTECH-vlan4]exit
[DPTECH]

(3) Create local mirroring group 1 on the SW. The source port is gige0_1 and gige0_2, and the
destination port is gige0_3. The direction is bidirectional.
[DPTECH] mirror 1 source interface gige0_1 gige0_2 both
[DPTECH] mirror 1 destination interface gige0_3

(4) Verify the configuration.

# View mirror group 1


<DPTECH>show mirror local
--------------------Local mirror groups information-------------
Slot Group-id Mirroring-ports Direction Monitor-ports Description
0 1 gige0_1,gige0_2 both gige0_3

The above information indicates that the mirroring group is a local mirroring group with ID 1,
the source ports are gige0_1 and gige0_2, the destination port is gige0_3, and the mirroring
direction is bidirectional. All packets entering and leaving gige0_1 and gige0_2 can be
monitored on the server.

4.3 Remote port mirroring configuration case implemented by the reflection port

4.3.1 Configuration requirements

A company internally interconnects departments through switches. The network environment is
described as follows:

- Department 1 accesses SwitchA through port gige0_1.
- Department 2 accesses SwitchA through port gige0_2.
- Port gige0_3 of SwitchA is connected to port gige0_1 of SwitchB.
- Port gige0_2 of SwitchB is connected to port gige0_1 of SwitchC.
- The monitoring device server is connected to port gige0_2 of SwitchC.

The network administrator monitors the packets sent and received by department 1 and
department 2 through the monitoring device server, and uses remote port mirroring to implement
the requirement.

Figure 4-2 Network diagram for remote port mirroring implemented by the reflector port

4.3.2 Configuration idea

(1) Switch A is the source device, Switch B is the intermediate device, and Switch C is the
destination device.

(2) Create vlan2 and vlan3 on SW1, add port gige0_1 to vlan2, add port gige0_2 to vlan3, and
configure gige0_3 to allow vlan10 to pass.

(3) On the SwitchA, configure vlan 10 as the remote mirroring VLAN, port gige0_1 and port
gige0_2 as the mirroring source port, and port gige0_5 as the mirroring port.

(4) Configure the port gige0_3 on SwitchA, the ports gige0_1 and gige0_2 on SwitchB, and the
port gige0_1 on SwitchC as trunk ports, and allow packets from vlan10 to pass.

(5) Configure vlan10 as the remote mirroring VLAN on SwitchC and the port gige0_2 connected
to the data monitoring device as the mirroring destination port.

4.3.3 Configuration step

(1) Create vlan2 and vlan3 on SwitchA.


<SwitchA>conf-mode
[SwitchA]vlan 2 to 3

(2) Add gige0_1 port to vlan2 on SwitchA, add gige0_2 port to vlan3, and configure gige0_3 to
allow VLAN 10 to pass.
[SwitchA]vlan 2
[SwitchA-vlan2]port gige0_1
[SwitchA-vlan2]exit
[SwitchA]vlan 3
[SwitchA-vlan3]port gige0_2
[SwitchA-vlan3]exit
[SwitchA]interface gige0_3
[SwitchA-gige0_3]switchport mode trunk
[SwitchA-gige0_3]switchport trunk allowed vlan 10

(3) Configure the remote mirroring VLAN, source port, and egress port on SwitchA.
<SwitchA>conf-mode
[SwitchA]mirror 1000 source interface gige0_1 gige0_2 both
[SwitchA]mirror 1000 destination remote-vlan 10 reflector-port gige0_5

(4) Configure the ports on SwitchB as trunk ports to allow packets from vlan10 to pass.
<SwitchB>conf-mode
[SwitchB]interface gige 0_1
[SwitchB-gige0_1]switchport mode trunk
[SwitchB-gige0_1]switchport trunk allowed vlan 10
[SwitchB-gige0_1]exit
[SwitchB]interface gige 0_2
[SwitchB-gige0_2]switchport mode trunk
[SwitchB-gige0_2]switchport trunk allowed vlan 10

(5) Configure the port type of port gige0_1 as the trunk port on SwitchC and allow vlan10
packets to pass.
<SwitchC>conf-mode
[SwitchC]interface gige 0_1
[SwitchC-gige0_1]switchport mode trunk
[SwitchC-gige0_1]switchport trunk allowed vlan 10

(6) Configure the remote mirroring vlan and destination port of the destination device on
SwitchC.
<SwitchC>conf-mode
[SwitchC]vlan 10
[SwitchC-vlan10]port gige0_2
[SwitchC-vlan10]exit
[SwitchC]mirror 2000 source remote-vlan 10

4.3.4 Verify the configuration

(1) View the remote source mirroring group on SwitchA.


[SwitchA]show mirror 1000
Mirror ID: 1000
---------
Mirror Type: remote mirror
Mirror Direction: Both
Source Ports: gige0_1,gige0_2
Reflector Port: gige0_5
Remote Vlan: 10
Mirror Description: None

(2) View the remote destination mirroring group on SwitchC.


[SwitchC]show mirror 2000
Mirror ID: 2000
---------
Remote Vlan: 10
Mirror Description: None

(3) The packet capture tool can be used to capture packets from the mirroring source port.

4.3.5 Configuration file

(1) Configuration file of SwitchA


mirror 1000 source interface gige0_1,gige0_2 both
mirror 1000 destination remote-vlan 10 reflector-port gige0_5
vlan 1 to 3
!
interface gige0_1
switchport access vlan 2
!
interface gige0_2
switchport access vlan 3
!
interface gige0_3
switchport mode trunk
switchport trunk allowed vlan 10
!
interface gige0_5

(2) Configuration file of SwitchB


interface gige0_1
switchport mode trunk
switchport trunk allowed vlan 10
!
interface gige0_2
switchport mode trunk
switchport trunk allowed vlan 10

(3) SwitchC configuration file


mirror 2000 source remote-vlan 10
vlan 10
!
interface gige0_1
switchport mode trunk
switchport trunk allowed vlan 10
!
interface gige0_2
switchport access vlan 10

4.4 Remote port mirroring for outbound port implementation

4.4.1 Configuration requirements

A company internally interconnects departments through switches. The network environment is
described as follows:

- Department 1 accesses SwitchA through port gige0_1.
- Department 2 accesses SwitchA through port gige0_2.
- Port gige0_3 of SwitchA is connected to port gige0_1 of SwitchB.
- Port gige0_2 of SwitchB is connected to port gige0_1 of SwitchC.
- The monitoring device server is connected to port gige0_2 of SwitchC.

The network administrator monitors the packets sent and received by department 1 and
department 2 through the monitoring device server, and uses remote port mirroring to implement
the requirement.

Figure 4-3 Network diagram for remote port mirroring on the outbound port

4.4.2 Configuration idea

(1) Switch A is the source device, Switch B is the intermediate device, and Switch C is the
destination device.

(2) Create vlan2 and vlan3 on SW1, add port gige0_1 to vlan2, add port gige0_2 to vlan3, and
configure gige0_3 to allow vlan10 to pass.

(3) On the SwitchA, configure vlan 10 as the remote mirroring VLAN, port gige0_1 and port
gige0_2 as the mirroring source port, and port gige0_3 as the outbound port.

(4) Configure the port gige0_3 on SwitchA, the ports gige0_1 and gige0_2 on SwitchB, and the
port gige0_1 on SwitchC as trunk ports, and allow packets from vlan10 to pass.

(5) Configure vlan10 as the remote mirroring VLAN on SwitchC and gige0_2 on the data
monitoring device as the mirroring destination port.

4.4.3 Configuration step

(1) Create vlan2 and vlan3 on SwitchA.


<SwitchA>conf-mode
[SwitchA]vlan 2 to 3

(2) Add gige0_1 port to vlan2 on SwitchA, add gige0_2 port to vlan3, and configure gige0_3 to
allow VLAN 10 to pass.
[SwitchA]vlan 2
[SwitchA-vlan2]port gige0_1
[SwitchA-vlan2]exit
[SwitchA]vlan 3
[SwitchA-vlan3]port gige0_2
[SwitchA-vlan3]exit
[SwitchA]interface gige0_3
[SwitchA-gige0_3]switchport mode trunk
[SwitchA-gige0_3]switchport trunk allowed vlan 10

(3) Configure the remote mirroring VLAN, source port, and egress port on SwitchA.
<SwitchA>conf-mode
[SwitchA]mirror 1000 source interface gige0_1 gige0_2 both
[SwitchA]mirror 1000 destination remote-vlan 10 out-port gige0_3

(4) Configure the ports on SwitchB as trunk ports to allow packets from vlan10 to pass.
<SwitchB>conf-mode
[SwitchB]interface gige 0_1
[SwitchB-gige0_1]switchport mode trunk
[SwitchB-gige0_1]switchport trunk allowed vlan 10
[SwitchB-gige0_1]exit
[SwitchB]interface gige 0_2
[SwitchB-gige0_2]switchport mode trunk
[SwitchB-gige0_2]switchport trunk allowed vlan 10

(5) Configure the port type of port gige0_1 as the trunk interface on SwitchC to allow vlan10
packets to pass.
<SwitchC>conf-mode
[SwitchC]interface gige 0_1
[SwitchC-gige0_1]switchport mode trunk
[SwitchC-gige0_1]switchport trunk allowed vlan 10

(6) Configure the remote mirroring vlan and destination port of the destination device on
SwitchC.
<SwitchC>conf-mode
[SwitchC]vlan 10
[SwitchC-vlan10]port gige0_2
[SwitchC-vlan10]exit
[SwitchC]mirror 2000 source remote-vlan 10

4.4.4 Verify the configuration

(1) View the remote source mirroring group on SwitchA.


[SwitchA]show mirror 1000
Mirror ID: 1000
---------
Mirror Type: remote mirror
Mirror Direction: Both
Source Ports: gige0_1,gige0_2
Out Port: gige0_3
Remote Vlan: 10
Mirror Description: None

(2) View the remote destination mirroring group on SwitchC.


[SwitchC]show mirror 2000
Mirror ID: 2000
---------
Remote Vlan: 10
Mirror Description: None

(3) The packet capture tool can be used to capture packets from the mirroring source port.

4.4.5 Configuration file

(1) Configuration file of SwitchA


mirror 1000 source interface gige0_1,gige0_2 both
mirror 1000 destination remote-vlan 10 out-port gige0_3
vlan 1 to 3
!
interface gige0_1
switchport access vlan 2
!
interface gige0_2
switchport access vlan 3
!
interface gige0_3
switchport mode trunk
switchport trunk allowed vlan 10

(2) Configuration file of SwitchB

interface gige0_1
switchport mode trunk
switchport trunk allowed vlan 10
!
interface gige0_2
switchport mode trunk
switchport trunk allowed vlan 10

(3) SwitchC configuration file


mirror 2000 source remote-vlan 10
vlan 10
!
interface gige0_1
switchport mode trunk
switchport trunk allowed vlan 10
!
interface gige0_2
switchport access vlan 10
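In the configuration files of 4.3.5 and 4.4.5, every port that carries vlan 10 is on the path of the mirrored traffic, so an extra port in that VLAN can receive a copy of the departments' packets. The following added example (not part of the manual) parses configuration text in the format shown above and reports ports that carry the remote mirroring VLAN outside the planned path, or planned ports that do not carry it. The three configurations are copied from 4.4.5; the PLANNED_PATH table and the drifted SwitchB sample with gige0_7 are constructed, and comma-separated VLAN lists are an assumed syntax.

```python
"""Added example: audit which ports carry the remote mirroring VLAN."""
import re

# Configuration files copied from section 4.4.5.
SWITCH_A = """\
mirror 1000 source interface gige0_1,gige0_2 both
mirror 1000 destination remote-vlan 10 out-port gige0_3
vlan 1 to 3
!
interface gige0_1
switchport access vlan 2
!
interface gige0_2
switchport access vlan 3
!
interface gige0_3
switchport mode trunk
switchport trunk allowed vlan 10
"""
SWITCH_B = """\
interface gige0_1
switchport mode trunk
switchport trunk allowed vlan 10
!
interface gige0_2
switchport mode trunk
switchport trunk allowed vlan 10
"""
SWITCH_C = """\
mirror 2000 source remote-vlan 10
vlan 10
!
interface gige0_1
switchport mode trunk
switchport trunk allowed vlan 10
!
interface gige0_2
switchport access vlan 10
"""
# Constructed sample: an extra access port has been placed in the mirroring VLAN.
SWITCH_B_DRIFTED = SWITCH_B + "!\ninterface gige0_7\nswitchport access vlan 10\n"

# Constructed from the topology description: ports meant to carry vlan 10.
PLANNED_PATH = {
    "SwitchA": {"gige0_3"},
    "SwitchB": {"gige0_1", "gige0_2"},
    "SwitchC": {"gige0_1", "gige0_2"},
}


def expand_vlans(spec):
    """'10' -> {10}; '2-3' -> {2, 3}. Comma-separated lists are an assumed syntax."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if part:
            low, _, high = part.partition("-")
            vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def remote_mirror_vlans(config):
    """VLAN ids named by 'mirror N ... remote-vlan V' lines."""
    return {int(v) for v in re.findall(r"^mirror \d+ .*remote-vlan (\d+)", config, re.M)}


def ports_carrying(config, vlans):
    """Map each port whose access VLAN or trunk allowed list includes one of vlans."""
    carriers, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "interface":
            current = words[1]
        elif words[0] != "switchport":
            current = None          # '!' or a global command ends the interface block
        elif current and words[1:3] == ["access", "vlan"]:
            if int(words[3]) in vlans:
                carriers[current] = "access"
        elif current and words[1:4] == ["trunk", "allowed", "vlan"]:
            if expand_vlans(" ".join(words[4:])) & vlans:
                carriers[current] = "trunk"
    return carriers


def audit(configs, planned):
    """Return findings for ports that deviate from the planned mirroring path."""
    vlans = set()
    for text in configs.values():
        vlans |= remote_mirror_vlans(text)
    findings = []
    for switch in sorted(configs):
        actual = set(ports_carrying(configs[switch], vlans))
        wanted = planned.get(switch, set())
        for port in sorted(actual - wanted):
            findings.append(f"{switch} {port}: carries remote mirroring VLAN outside the planned path")
        for port in sorted(wanted - actual):
            findings.append(f"{switch} {port}: planned path port does not carry the remote mirroring VLAN")
    return findings


if __name__ == "__main__":
    drifted = {"SwitchA": SWITCH_A, "SwitchB": SWITCH_B_DRIFTED, "SwitchC": SWITCH_C}
    for finding in audit(drifted, PLANNED_PATH):
        print(finding)
```
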

5 Port Rate Limiting Configuration Example

5.1 Port rate limiting introduction

Port rate limiting limits the total rate at which packets are forwarded on a port. It applies in
two directions: inbound and outbound.

Table 5-1 Port rate limiting

Item                           Description

Inbound port rate limiting     Rate limiting on the port where the packet enters.

Outbound port rate limiting    Limit the rate on the port forwarded by the packet.

5.2 Configuration example

5.2.1 Configuration requirements

When an enterprise wants to limit the rate at which a department accesses resources such as
external networks and servers, it can be implemented through the port rate limiting function.

5.2.2 Network topology

Figure 5-1 Network diagram for port rate limiting

5.2.3 Configuration process

(1) Create VLAN 2 on the SW and add gige0_1 and gige0_2 to VLAN 2.

(2) Configure the inbound port rate limiting on the SW. The ingress port is gige0_1, the rate
limiting is 10 Mbits/s, and the burst traffic is 1024 Kbits.

(3) Verify the configuration.

5.2.4 Configuration step

(1) Create VLAN 2 on the SW and add gige0_1 and gige0_2 to VLAN 2.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]

(2) Configure the inbound port rate limiting on the SW. The ingress port is gige0_1, the rate
limiting is 10 Mbits/s, and the burst traffic is 1024 Kbits.
[DPTECH]interface gige0_1
[DPTECH-gige0_1]rate-limit input 10000 burst-bucket 1024
[DPTECH-gige0_1]exit
[DPTECH]

(3) Verify the configuration.

After the rate limiting is configured on the port, the total bandwidth available to the R&D
department for accessing the external network is 10 Mbits/s.

6 Port Isolation Configuration Example

6.1 Introduction to port isolation

Port isolation is a Layer 2 isolation function that can be applied to two interfaces in the same
VLAN: you only need to configure both interfaces as isolated ports. Unicast, multicast, and
broadcast packets cannot be forwarded between one isolated port and another. If isolated ports
need to communicate with each other, the traffic must be forwarded through a Layer 3 device.
Compared with isolation between VLANs, port isolation avoids wasting limited VLAN resources
and is a more practical Layer 2 isolation technology.

6.2 Configuration example

6.2.1 Configuration requirements

Port isolation enables Layer 2 packet isolation in the same VLAN. When users need to restrict
access between different departments in the same VLAN and ensure that each department can
still access resources such as servers and extranets, they only need to add these departments
to the isolation group.

6.2.2 Network topology

Figure 6-1 Network diagram for port isolation

6.2.3 Configuration process

(1) Create VLAN2 in SW and add gige0_1, gige0_2, and gige0_3 to VLAN2.

(2) Add gige0_1 and gige0_2 to the isolation group on the SW.

(3) Verify the configuration.

6.2.4 Configuration step

(1) Create VLAN 2 in SW and add gige0_1, gige0_2, and gige0_3 to VLAN 2.
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]port gige0_3
[DPTECH-vlan2]exit
[DPTECH]

(2) Add gige0_1, gige0_2 to the isolation group on the SW.
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport protected
[DPTECH-gige0_1]interface gige0_2
[DPTECH-gige0_2]switchport protected
[DPTECH-gige0_2]

(3) Verify the configuration.

For interfaces with port isolation enabled, "Protected" is "true" in the show interface output; otherwise it is "false".
<DPTECH>show interface gige0_1
Interface gige0_1
administration state is UP, line state is UP
LAN mode
Media type is copper
Layer2 interface
Description: gige0_1
flow control disable
MTU : 1500
Protected: true
Input speed: 0 pps, 0 bps
Output speed: 0 pps, 0 bps
Input(normal): 21 packets and 0.00% rxpackets lost, 1,692 bytes, 3 broadcasts, 6
multicasts
Input: 0 input errors, 0 length_errors, 0 over_errors, 0 crc_errors, 0 frame_errors,
0 fifo_errors, 0 missed_errors
Output(normal): 18 packets and 0.00% txpackets lost, 1,486 bytes, 3 broadcasts, 3
multicasts
Output: 0 output errors, 0 aborted_errors, 0 carrier_errors, 0 fifo_errors, 0
heartbeat_errors, 0 window_errors
1000Mbps-speed mode, full-duplex mode
Link speed type is autonegotiation, link duplex type is autonegotiation
Layer2 port type access
vlan belong 456
pvid 456
Tr mode: Normal mode
Broadcast Is Not Set
Unicast Is Not Set
Multicast Is Not Set
Long frame Length 1536 B
Virtual machine support: Disable
<DPTECH>

After the port isolation function is enabled, both the administration and the marketing department
can access the server, but the administrative department and the marketing department cannot
access each other.

7 MAC/IP/Port Binding Configuration Example

7.1 Introduction to MAC/IP/Port binding

MAC/IP/port binding refers to binding the MAC address and IP address of the user host to the
connected switch port. If a packet received on the port matches the binding entry, the packet is
forwarded. Otherwise, the packet is discarded. This prevents users from modifying the host IP
address at will, which would make management inconvenient.

7.2 Configuration example

7.2.1 Configuration requirements

The company wants certain employees to use a fixed IP address, and cannot modify it at will. If
the address is modified at will, the employee cannot access resources such as servers and
extranets.

7.2.2 Network topology

Figure 7-1 MAC/IP/port binding network diagram

7.2.3 Configuration process

(1) On the SW, bind the host MAC address and IP address to the gige0_1 port. Packets matching
the binding are forwarded. Otherwise, packets are discarded.

(2) Verify the configuration.

7.2.4 Configuration step

(1) On the SW, bind the host MAC address and IP address to the gige0_1 port. Packets that match
the binding entry are forwarded. All other packets are dropped.
[DPTECH]acl mode mac-ipv4 type icap
[DPTECH-acl-mac-ipv4-icap]rule-name 1 source-mac 00:24:AC:be:00:01 source-ipv4 192.168.0.1 physical-ports gige0_1 action permit
[DPTECH-acl-mac-ipv4-icap]rule-name 2 physical-ports gige0_1 action drop

(2) Verify the configuration.

While the host keeps its original IP address and stays connected to the gige0_1 interface of SW1,
it can access the external network. If the host can no longer access the external network after it
changes its IP address or changes the interface through which it connects to the SW, the
MAC/IP/port binding has taken effect.
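
The following Python model is an added example, not part of the manual or of DPtech software. It parses the two rule lines from step (1) and decides the fate of a packet, assuming that rules are checked in ascending rule-name order and the first match decides (the manual does not state the evaluation order); parse_rule and decide are hypothetical helper names.

```python
import shlex

# Rule lines from step (1), CLI prompt removed.
RULE_LINES = [
    "rule-name 1 source-mac 00:24:AC:be:00:01 source-ipv4 192.168.0.1 "
    "physical-ports gige0_1 action permit",
    "rule-name 2 physical-ports gige0_1 action drop",
]
KEYWORDS = {"rule-name", "source-mac", "source-ipv4", "physical-ports", "action"}


def parse_rule(line):
    """Turn 'keyword value keyword value ...' into a dict."""
    tokens = shlex.split(line)
    if len(tokens) % 2:
        raise ValueError(f"keyword without value in: {line!r}")
    rule = dict(zip(tokens[0::2], tokens[1::2]))
    unknown = set(rule) - KEYWORDS
    if unknown:
        raise ValueError(f"unsupported keyword(s): {sorted(unknown)}")
    rule["rule-name"] = int(rule["rule-name"])
    if "source-mac" in rule:
        # The manual writes the MAC in mixed case; compare case-insensitively.
        rule["source-mac"] = rule["source-mac"].lower()
    return rule


def decide(rules, port, src_mac, src_ip):
    """Return 'permit', 'drop' or 'no-match' for one received packet.

    Assumption: ascending rule-name order, first match wins.
    """
    for rule in sorted(rules, key=lambda r: r["rule-name"]):
        if rule["physical-ports"] != port:
            continue
        if "source-mac" in rule and rule["source-mac"] != src_mac.lower():
            continue
        if "source-ipv4" in rule and rule["source-ipv4"] != src_ip:
            continue
        return rule["action"]
    # Neither rule names this port: these two rules alone say nothing about it.
    return "no-match"


RULES = [parse_rule(line) for line in RULE_LINES]

if __name__ == "__main__":
    for port, mac, ip in [
        ("gige0_1", "00:24:ac:be:00:01", "192.168.0.1"),  # bound host
        ("gige0_1", "00:24:ac:be:00:01", "192.168.0.2"),  # host changed its IP
        ("gige0_2", "00:24:ac:be:00:01", "192.168.0.1"),  # host moved to another port
    ]:
        print(port, mac, ip, "->", decide(RULES, port, mac, ip))
```

Under this model the two rules cover only gige0_1, so a packet arriving on another port matches neither of them, and with the two rule numbers swapped the catch-all drop would match first and block the bound host as well.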


8 PVLAN Configuration Example
8.1 PVLAN introduction
PVLAN (Private VLAN) is a two-layer VLAN isolation technology: the upper VLAN is visible
globally and the lower VLANs are isolated from each other. PVLANs are commonly used on
intranets to prevent communication between network devices connected to certain interfaces or
interface groups, while still allowing communication with the default gateway. Although each
device is in a different PVLAN, they can use the same IP subnet.

VLAN types of PVLAN:

Table 8-1 VLAN type

Item              Description

Primary VLAN      Can isolate VLAN communication with all associated community VLANs

Community VLAN    Ports in the same community VLAN can communicate with each other or with the primary VLAN.

Isolated VLAN     The ports in the isolated VLAN cannot communicate with each other. They can only communicate with the ports in the primary VLAN. There can be only one isolated VLAN in each primary VLAN.

8.2 Configuration example

8.2.1 Configuration requirements

The intranet of a company has mobile users and several servers. The servers must be isolated
from each other, mobile users must not communicate with company intranet employees, and all
users and servers must be able to connect to the Internet.


8.2.2 Network topology

Figure 8-1 PVLAN network diagram

You can use the PVLAN function to assign mobile users and employee users to community VLAN
10 and VLAN 11, respectively, and the server is assigned to isolated VLAN 12, which can be
connected to the external network through the primary VLAN 100.

8.2.3 Configuration process

(1) Configure the PVLAN: VLAN 100 is the primary VLAN, VLAN 10 and VLAN 11 are the
community VLANs, and VLAN 12 is the isolated VLAN.

(2) Assign the ports to the corresponding VLANs.

(3) Verify the configuration.


8.2.4 Configuration step

(1) Configure the PVLAN: vlan100 is the primary VLAN, vlan10 and vlan11 are the community
VLANs, and vlan12 is the isolated VLAN.
[DPTECH]pvlan primary-vlan 100 isolate-vlan 12 community-vlan-range 10-11

(2) Add the interface to the VLAN and enable the PVLAN.
[DPTECH]interface gige 0_0
[DPTECH-gige0_0]pvlan promisc-association primary-vlan 100
[DPTECH-gige0_0]exit
[DPTECH]interface gige 0_1
[DPTECH-gige0_1]pvlan host-association secondary-vlan 10
[DPTECH-gige0_1]exit
[DPTECH]interface gige 0_2
[DPTECH-gige0_2]pvlan host-association secondary-vlan 10
[DPTECH-gige0_2]exit
[DPTECH]interface gige 0_3
[DPTECH-gige0_3]pvlan host-association secondary-vlan 11
[DPTECH-gige0_3]exit
[DPTECH]interface gige 0_4
[DPTECH-gige0_4]pvlan host-association secondary-vlan 11
[DPTECH-gige0_4]exit
[DPTECH]interface gige 0_5
[DPTECH-gige0_5]pvlan host-association secondary-vlan 12
[DPTECH-gige0_5]exit
[DPTECH]interface gige 0_6
[DPTECH-gige0_6]pvlan host-association secondary-vlan 12
[DPTECH-gige0_6]exit

(3) Verify the configuration.

HostA can communicate with HostB, and PCA can communicate with PCB, but HostA and PCA
cannot communicate. ServerA and ServerB cannot communicate. All hosts, PCs and servers can
connect to the external network.
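
The following Python model is an added example, not part of the manual. It parses the commands from steps (1) and (2), audits that every port references a VLAN declared in the PVLAN, and computes which ports can reach each other; the mapping of HostA/HostB, PCA/PCB and ServerA/ServerB to ports is not given in the text, so the example works on port names only, and parse, audit and can_talk are hypothetical helper names.

```python
import re

# Commands from steps (1) and (2), prompts and "exit" lines removed.
CONFIG = """\
pvlan primary-vlan 100 isolate-vlan 12 community-vlan-range 10-11
interface gige 0_0
pvlan promisc-association primary-vlan 100
interface gige 0_1
pvlan host-association secondary-vlan 10
interface gige 0_2
pvlan host-association secondary-vlan 10
interface gige 0_3
pvlan host-association secondary-vlan 11
interface gige 0_4
pvlan host-association secondary-vlan 11
interface gige 0_5
pvlan host-association secondary-vlan 12
interface gige 0_6
pvlan host-association secondary-vlan 12
"""

GLOBAL_RE = re.compile(
    r"pvlan primary-vlan (\d+) isolate-vlan (\d+) community-vlan-range (\d+)-(\d+)")
IFACE_RE = re.compile(r"interface gige ?(\S+)")
PORT_RE = re.compile(r"pvlan (promisc|host)-association (?:primary|secondary)-vlan (\d+)")


def parse(config):
    """Return (pvlan, ports): VLAN roles and {port: (kind, vlan)}."""
    pvlan, ports, current = None, {}, None
    for line in config.splitlines():
        line = line.strip()
        m = GLOBAL_RE.fullmatch(line)
        if m:
            primary, isolated, lo, hi = map(int, m.groups())
            pvlan = {"primary": primary, "isolated": isolated,
                     "community": set(range(lo, hi + 1))}
            continue
        m = IFACE_RE.fullmatch(line)
        if m:
            current = "gige" + m.group(1)
            continue
        m = PORT_RE.fullmatch(line)
        if m and current:
            ports[current] = (m.group(1), int(m.group(2)))
    return pvlan, ports


def audit(pvlan, ports):
    """List ports whose association points at a VLAN the PVLAN does not declare."""
    problems = []
    for port, (kind, vlan) in sorted(ports.items()):
        if kind == "promisc" and vlan != pvlan["primary"]:
            problems.append(f"{port}: primary VLAN {vlan} is not the declared primary")
        if kind == "host" and vlan != pvlan["isolated"] and vlan not in pvlan["community"]:
            problems.append(f"{port}: secondary VLAN {vlan} is not part of the PVLAN")
    return problems


def can_talk(pvlan, ports, a, b):
    """True if ports a and b can exchange frames under Table 8-1."""
    (kind_a, vlan_a), (kind_b, vlan_b) = ports[a], ports[b]
    if "promisc" in (kind_a, kind_b):
        return True  # the promiscuous (primary VLAN) port reaches every secondary VLAN
    # Two host ports talk only inside the same community VLAN, never inside
    # the isolated VLAN and never across secondary VLANs.
    return vlan_a == vlan_b and vlan_a in pvlan["community"]


if __name__ == "__main__":
    pvlan, ports = parse(CONFIG)
    print("audit:", audit(pvlan, ports) or "ok")
    for a in sorted(ports):
        print(a, "->", [b for b in sorted(ports) if b != a and can_talk(pvlan, ports, a, b)])
```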


9 QinQ Configuration Example


9.1 QinQ introduction
QinQ is a Layer 2 tunneling protocol. It encapsulates the private network packets of the user with
an outer VLAN tag so that the packets carry two VLAN tags when they traverse the public
network. This provides a simple Layer 2 VPN tunnel technology. The implementation of QinQ can
be divided into two types: basic QinQ and flexible QinQ.

Table 9-1 QinQ introduction

Item             Description

Basic QinQ       The port configured with the basic QinQ function adds a layer of the default VLAN tag of the local port to the received packets.

Flexible QinQ    It is implemented based on the combination of port and VLAN. By matching the traffic classifier, you can add different outer VLAN tags to the traffic of different VLANs on the same port.

9.2 Basic QinQ configuration example

9.2.1 Configuration requirements

When the operator's network needs to carry the traffic of company A and company B, and the two
companies have branches in different areas, the operator needs to assign different VLANs to
company A and company B, so that the traffic of the two companies is separated and the branch
offices of the same company can communicate with each other. Operators can use the basic
QinQ function on the devices connected to users.


9.2.2 Network topology

Figure 9-1 Basic QinQ network diagram

9.2.3 Configuration process

(1) Create VLANs 2-4 on SW1 and SW2 respectively.

(2) On SW1 and SW2, configure gige0_1 as a trunk that allows VLAN 2 and VLANs 5-20 to pass,
with pvid 2; configure gige0_2 as a trunk that allows VLAN 3 and VLANs 10-20 to pass, with
pvid 3; configure gige0_3 as a trunk that allows VLANs 2-4 to pass, with pvid 4.

(3) Enable the basic QinQ function on gige0_1 and gige0_2 on SW1 and SW2 respectively.

(4) Verify the configuration.

9.2.4 Configuration step

(1) Create VLANs on SW1 and SW2 respectively.


[DPTECH]vlan 2 to 4
[DPTECH]


(2) Configure gige0_1 as a trunk on SW1 and SW2, allow VLAN 2 to pass, and set the native
VLAN ID to 2; configure gige0_2 as a trunk, allow VLAN 3 to pass, and set the native VLAN
ID to 3. Configure gige0_3 as a trunk and allow VLAN 2-4 to pass. The Native VLAN ID is 4.
[DPTECH]interface gige0_1
[DPTECH-gige0_1] switchport mode trunk
[DPTECH-gige0_1] switchport trunk allowed vlan 2
[DPTECH-gige0_1] switchport trunk native vlan 2
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2] switchport mode trunk
[DPTECH-gige0_2] switchport trunk allowed vlan 3
[DPTECH-gige0_2] switchport trunk native vlan 3
[DPTECH-gige0_2]exit
[DPTECH]interface gige0_3
[DPTECH-gige0_3] switchport mode trunk
[DPTECH-gige0_3] switchport trunk allowed vlan 2-4
[DPTECH-gige0_3] switchport trunk native vlan 4
[DPTECH-gige0_3]exit
[DPTECH]

(3) Enable the basic QinQ function on gige0_1 and gige0_2 on SW1 and SW2 respectively.
[DPTECH]interface gige0_1
[DPTECH-gige0_1]qinq enable
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]qinq enable

(4) Verify the configuration.


<DPTECH>show qinq
QinQ is enabled on following ports:
gige0_1
gige0_2

The above information indicates that the basic QinQ function is enabled on the gige0_1 and
gige0_2 ports. Company A and Company B can use the different VLANs assigned by the
operator to communicate with their different departments.


9.3 Flexible QinQ configuration example

9.3.1 Configuration requirements

When the carrier's network needs to carry the traffic of a company whose department A and
department B are in different VLANs, and departments A and B have remote branches that need
to communicate through the public network, the operator can enable the flexible QinQ function
on the edge device connected to the user to identify the tag of the packets sent by different
departments and encapsulate different outer tags.

9.3.2 Network topology

Figure 9-2 Flexible QinQ network diagram

9.3.3 Configuration process

(1) Create VLANs 2-4 on SW1 and SW2 respectively.

(2) Configure gige0_1 as the hybrid on SW1 and SW2, allow VLAN 2 and VLAN 3 to pass,
configure gige0_2 as the trunk, allow VLAN 2-4 to pass, and set the native VLAN ID to 4.

(3) Enable the selective QinQ function on the gige0_1 interface on SW1 and SW2. When the
received packet VLAN tag is 20, the outer tag VLAN 2 is encapsulated. When the received
packet VLAN tag is 30, the outer tag VLAN 3 is encapsulated.

(4) Verify the configuration.


9.3.4 Configuration step

(1) Create VLANs on SW1 and SW2 respectively.


[DPTECH]vlan 2 to 4

(2) Configure gige0_1 as the Hybrid on SW1 and SW2, allow VLAN 2 and VLAN 3 to pass,
configure gige0_2 as the trunk, allow VLAN 2-4 to pass, and set the Native VLAN ID to 4.
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport mode hybrid
[DPTECH-gige0_1]switchport hybrid allowed vlan 2-3 untagged
[DPTECH-gige0_1]switchport hybrid native vlan 2
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]switchport mode trunk
[DPTECH-gige0_2]switchport trunk allowed vlan 2-4
[DPTECH-gige0_2]switchport trunk native vlan 4
[DPTECH-gige0_2]exit

(3) Enable the selective QinQ function on the gige0_1 interface on SW1 and SW2. When the
received packet VLAN tag is 20, the outer tag VLAN 2 is encapsulated. When the received
packet VLAN tag is 30, the outer tag VLAN 3 is encapsulated.
[DPTECH]interface gige0_1
[DPTECH-gige0_1]qinq inner-vid 20 outer-vid 2 outer-priority 0
[DPTECH-gige0_1]qinq inner-vid 30 outer-vid 3 outer-priority 0

(4) Verify the configuration.

The flexible QinQ function is enabled on the gige0_1 of SW1 and SW2, and different outer tags
are applied to departments A and B. Departments A and B located in different locations can use
the different VLANs assigned by the operator for normal communication.
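
The following Python sketch is an added example, not part of the manual. It builds a constructed customer frame, pushes the outer tag the way basic QinQ and the flexible QinQ mapping from step (3) describe, and parses the tag stack back. The manual does not state the outer TPID or what happens to a VID without a mapping rule, so 0x8100 and "leave the frame unchanged" are assumptions, and all function names are hypothetical.

```python
import struct

OUTER_TPID = 0x8100   # assumption: the manual does not give the outer TPID
KNOWN_TPIDS = (0x8100, 0x88A8)

# From step (3): qinq inner-vid 20 outer-vid 2 outer-priority 0
#                qinq inner-vid 30 outer-vid 3 outer-priority 0
FLEX_MAP = {20: (2, 0), 30: (3, 0)}   # inner VID -> (outer VID, outer priority)


def vlan_tag(vid, pcp=0, tpid=0x8100):
    """4-byte VLAN tag: TPID, then priority (3 bits), DEI (1 bit), VID (12 bits)."""
    if not 1 <= vid <= 4094 or not 0 <= pcp <= 7:
        raise ValueError("VID or priority out of range")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def make_frame(inner_vid=None, payload=b"constructed payload"):
    """Constructed Ethernet frame, optionally carrying one customer tag."""
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    tag = vlan_tag(inner_vid) if inner_vid else b""
    return dst + src + tag + struct.pack("!H", 0x0800) + payload


def parse_tags(frame):
    """Return ([(tpid, priority, vid), ...] outermost first, ethertype)."""
    tags, off = [], 12
    while True:
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in KNOWN_TPIDS:
            return tags, etype
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append((etype, tci >> 13, tci & 0x0FFF))
        off += 4


def basic_qinq(frame, pvid):
    """Basic QinQ: every received frame gets the port's default VLAN as outer tag."""
    return frame[:12] + vlan_tag(pvid, tpid=OUTER_TPID) + frame[12:]


def flexible_qinq(frame, mapping=FLEX_MAP):
    """Flexible QinQ: the outer tag depends on the VID the frame already carries."""
    tags, _ = parse_tags(frame)
    if not tags or tags[0][2] not in mapping:
        return frame   # assumption: no rule, frame left as received
    outer_vid, outer_pcp = mapping[tags[0][2]]
    return frame[:12] + vlan_tag(outer_vid, outer_pcp, OUTER_TPID) + frame[12:]


def strip_outer(frame):
    """What the far-end edge port does before handing the frame to the customer."""
    return frame[:12] + frame[16:]


if __name__ == "__main__":
    for vid in (20, 30, 40):
        out = flexible_qinq(make_frame(vid))
        print("inner", vid, "->", [t[2] for t in parse_tags(out)[0]])
```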


10 ARP Protection Configuration Example
10.1 ARP protection introduction

10.1.1 ARP packet validity check

To prevent ARP packet attacks, you can use the ARP packet validity check function to inspect the
ARP packets received by the device, discard the invalid ARP packets, and process the valid ARP
packets. ARP trusted ports are not checked. On an ARP untrusted port, packets with invalid
MAC addresses and IP addresses are filtered. The check modes are source MAC address,
destination MAC address, and IP address.

Table 10-1 Check mode

Item                          Description

Source MAC check mode         Check whether the source MAC address in the ARP packet is the same as the source MAC address in the Ethernet packet header. If it is, the packet is valid and is processed. Otherwise, the packet is discarded.

Destination MAC check mode    Check whether the destination MAC address in the ARP reply packet is all 0s or all 1s, and whether it is consistent with the destination MAC address in the Ethernet packet header. All-0, all-1, and inconsistent packets are regarded as invalid packets and discarded directly.

IP address check mode         Check the source and destination IP addresses of the ARP packets. The multicast address, all 0s, and all 1s are invalid. For an ARP reply packet, both the source IP address and the destination IP address are checked. For an ARP request packet, only the source IP address is checked.
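
The three check modes of Table 10-1, written out in Python as an added example (not DPtech code) that works on raw Ethernet+ARP bytes. All frames are constructed with locally administered MAC addresses; build and check are hypothetical helper names.

```python
import ipaddress
import struct

# Ethernet header (dst, src, type) followed by an IPv4-over-Ethernet ARP body.
ETH_ARP = struct.Struct("!6s6sH HHBBH 6s4s6s4s")
ZERO_MAC, ONES_MAC = bytes(6), b"\xff" * 6
REQUEST, REPLY = 1, 2


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build(eth_dst, eth_src, oper, sha, spa, tha, tpa):
    """Constructed frame for the samples: sha/spa = sender, tha/tpa = target."""
    return ETH_ARP.pack(mac(eth_dst), mac(eth_src), 0x0806, 1, 0x0800, 6, 4, oper,
                        mac(sha), ipaddress.IPv4Address(spa).packed,
                        mac(tha), ipaddress.IPv4Address(tpa).packed)


def bad_ip(raw):
    """All 0s, all 1s and multicast addresses are invalid (IP address check mode)."""
    ip = ipaddress.IPv4Address(raw)
    return int(ip) in (0, 0xFFFFFFFF) or ip.is_multicast


def check(frame):
    """Return the names of the failed checks; an empty list means valid."""
    if len(frame) < ETH_ARP.size:
        return ["truncated"]
    (eth_dst, eth_src, etype, _htype, _ptype, _hlen, _plen, oper,
     sha, spa, tha, tpa) = ETH_ARP.unpack_from(frame)
    if etype != 0x0806:
        return ["not-arp"]
    failed = []
    # Source MAC check: ARP sender MAC must equal the Ethernet source MAC.
    if sha != eth_src:
        failed.append("src-mac")
    # Destination MAC check: replies only.
    if oper == REPLY and (tha in (ZERO_MAC, ONES_MAC) or tha != eth_dst):
        failed.append("dst-mac")
    # IP check: sender IP always, target IP for replies only.
    if bad_ip(spa) or (oper == REPLY and bad_ip(tpa)):
        failed.append("ip")
    return failed


GW, HOST_A, HOST_B = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"
BCAST, ZERO = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"

SAMPLES = {
    "request from HostA": build(BCAST, HOST_A, REQUEST, HOST_A, "1.1.1.11", ZERO, "1.1.1.1"),
    "reply from gateway": build(HOST_A, GW, REPLY, GW, "1.1.1.1", HOST_A, "1.1.1.11"),
    "sender MAC differs from Ethernet source":
        build(HOST_A, HOST_B, REPLY, GW, "1.1.1.1", HOST_A, "1.1.1.11"),
    "reply to broadcast": build(BCAST, GW, REPLY, GW, "1.1.1.1", BCAST, "1.1.1.11"),
    "multicast target IP in reply":
        build(HOST_A, GW, REPLY, GW, "1.1.1.1", HOST_A, "224.0.0.1"),
    "request with sender IP 0.0.0.0":
        build(BCAST, HOST_A, REQUEST, HOST_A, "0.0.0.0", ZERO, "1.1.1.11"),
    # Internally consistent but claims the gateway IP: passes every check here.
    "consistent frame claiming 1.1.1.1":
        build(HOST_A, HOST_B, REPLY, HOST_B, "1.1.1.1", HOST_A, "1.1.1.11"),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name}: {check(frame) or 'valid'}")
```

The last sample passes all three checks because the validity check only compares fields inside one frame; catching it needs the binding-based checks of sections 10.1.2 and 10.1.3.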

10.1.2 ARP user legality check

A network attacker masquerades as a legitimate user using the IP address of a legitimate user,
accesses network resources, and communicates with legitimate users on the network, resulting
in network information transmission errors and leakage of important information. ARP user
legality detection can identify illegal users and discard illegal packets. For the ARP trusted port,
the user validity check is not performed. For the ARP untrusted port, the user validity check is
required to prevent the counterfeit user from attacking.


The user validity check is based on the source IP address and the source MAC address of the
ARP packet. It checks whether the user is a valid user of the VLAN to which the receiving port
belongs. The check uses the static ARP entries and the DHCP snooping security entries. The
DHCP snooping entries are checked after the static ARP entries.

Table 10-2 Checking static ARP entries and DHCP snooping entries

Item                                  Description

Check based on static ARP entries     If the source IP address and source MAC address of the ARP packet match a static ARP entry, the user is considered legal and the ARP packet is forwarded. If the source IP address does not correspond to the source MAC address in the entry, the user is considered illegal and the ARP packet sent by the user is discarded. If neither the source IP address nor the source MAC address matches an entry, the device continues to search the DHCP snooping security entries.

DHCP snooping entry check             After the static ARP entries are checked, the DHCP snooping security entries are checked. If a match is found, the ARP packet is considered valid and forwarded. If no match is found in any of the checks, the device considers it an illegal packet and discards it directly.

10.1.3 ARP gateway protection

The ARP gateway protection function prevents forged gateway attacks. After the function is
enabled on a port, the port checks whether the source IP address of a received ARP packet is
the same as the protected gateway IP address. If they are the same, the packet is considered
illegal and discarded. Otherwise, the packet is considered legal and processed.
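
The user legality check of section 10.1.2 and the gateway protection of section 10.1.3, written as one decision function in Python. This is an added example, not DPtech code. It uses the ports and IP addresses of the configuration examples in this chapter, while the MAC addresses, the static ARP entry and the order "gateway filter first, then user check" are constructed assumptions.

```python
from collections import namedtuple

# One received ARP packet, already parsed: ingress port, VLAN, sender IP, sender MAC.
Arp = namedtuple("Arp", "port vlan sender_ip sender_mac")

INSPECTED_VLAN = 2
UNTRUSTED = {"gige0_1", "gige0_2"}     # arp inspection vlan 2 untrust interface ...
PROTECTED_GATEWAY = "1.1.1.1"          # ... filter source 1.1.1.1

GW_MAC, A_MAC, B_MAC = "02:00:00:00:00:01", "02:00:00:00:00:0a", "02:00:00:00:00:0b"

# Constructed tables. Static ARP: ip -> mac. Snooping: ip -> (mac, port, vlan),
# i.e. the MAC address, IP address and port the manual says SW2 records.
STATIC_ARP = {"1.1.1.5": "02:00:00:00:00:05"}
SNOOPING = {
    "1.1.1.11": (A_MAC, "gige0_1", 2),   # HostA
    "1.1.1.10": (B_MAC, "gige0_2", 2),   # HostB
}


def user_check(pkt, static_arp=STATIC_ARP, snooping=SNOOPING):
    """Static ARP entries first, then DHCP snooping entries (Table 10-2)."""
    mac = pkt.sender_mac.lower()
    if pkt.sender_ip in static_arp:
        if static_arp[pkt.sender_ip] == mac:
            return "forward"
        return "drop: static ARP entry has a different MAC"
    if snooping.get(pkt.sender_ip) == (mac, pkt.port, pkt.vlan):
        return "forward"
    return "drop: no matching binding"


def inspect(pkt):
    """Verdict for one ARP packet on SW2."""
    if pkt.vlan != INSPECTED_VLAN or pkt.port not in UNTRUSTED:
        return "forward"                  # trusted ports are not checked
    if pkt.sender_ip == PROTECTED_GATEWAY:
        return "drop: claims protected gateway IP"
    return user_check(pkt)


EVENTS = [
    Arp("gige0_1", 2, "1.1.1.11", A_MAC),              # HostA, as learned by snooping
    Arp("gige0_2", 2, "1.1.1.11", B_MAC),              # HostB using HostA's IP
    Arp("gige0_2", 2, "1.1.1.11", A_MAC),              # HostA's IP and MAC, wrong port
    Arp("gige0_2", 2, "1.1.1.1", B_MAC),               # HostB claiming the gateway IP
    Arp("gige0_3", 2, "1.1.1.1", GW_MAC),              # real gateway on the trusted uplink
    Arp("gige0_1", 2, "1.1.1.5", "02:00:00:00:00:05"),  # static entry, correct MAC
    Arp("gige0_1", 2, "1.1.1.5", A_MAC),               # static entry, wrong MAC
    Arp("gige0_1", 2, "1.1.1.99", "02:00:00:00:00:63"),  # address never leased
]


def verdicts(events=EVENTS):
    return [inspect(e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, verdicts()):
        print(event.port, event.sender_ip, event.sender_mac, "->", verdict)
```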

10.2 ARP packet consistency detection configuration example

10.2.1 Configuration requirements

ARP packet consistency detection is enabled on the access layer of the company to prevent the
attacks of counterfeit users.


10.2.2 Network topology

Figure 10-1 Network diagram of ARP packet consistency detection

[Diagram: HostA connects to gige0_1 and HostB connects to gige0_2 of the SW; both ports are in Vlan2.]

10.2.3 Configuration process

(1) Create VLAN 2 on the SW and add gige0_1 and gige0_2 to VLAN 2.

(2) Enable ARP packet consistency detection on VLAN 2 of the SW.

(3) Verify the configuration.

10.2.4 Configuration step

(1) Create VLAN 2 on the SW and add gige0_1 and gige0_2 to VLAN 2.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]

(2) Enable ARP packet consistency detection on VLAN 2 of the SW.


[DPTECH]arp inspection vlan 2 untrust interface gige0_1 gige0_2

(3) Verify the configuration.

After receiving the ARP packet, the gige0_1 and gige0_2 on the SW will detect whether the
source MAC address of the ARP packet is the same as the source MAC address of the Ethernet
header. If they are the same, the packet is forwarded. Otherwise, the packet is discarded.


10.3 ARP user legality configuration example

10.3.1 Configuration requirements

After the ARP user validity check is enabled on the access switch of the company, the device will
query the static ARP entries and DHCP snooping entries in sequence after receiving the ARP
packets. If no matching user is found, the ARP packet is considered to be sent by an
unauthorized user, and the ARP packet is discarded.

10.3.2 Network topology

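Figure 10-2 Network diagram of ARP user legality detection

[Diagram: SW1 is the DHCP server; its gige0_1 is in Vlan-if2 with address 1.1.1.1/24. SW2 runs DHCP snooping and connects upstream through gige0_3. The DHCP clients HostA (1.1.1.11/24) and HostB (1.1.1.10/24) connect to gige0_1 and gige0_2 of SW2 in Vlan2.]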

10.3.3 Configuration process

(1) Create vlan-if2 on SW1 and configure the IP address and DHCP address pool.

(2) Create VLAN 2 on SW2 and add ports gige0_1, gige0_2, and gige0_3 to VLAN 2.

(3) Enable DHCP snooping on SW2 and enable the function of recording IP MAC addresses.

(4) Enable ARP detection on SW2 and set gige0_1 and gige0_2 as untrusted ports.

(5) Verify the configuration.


10.3.4 Configuration step

(1) Create vlan-if2 on SW1 and configure the IP address and DHCP address pool.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 1.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]dhcp server pool test
[DPTECH-dhcp-pool-test]address range 1.1.1.10 1.1.1.100 24
[DPTECH-dhcp-pool-test]default-router 1.1.1.1
[DPTECH-dhcp-pool-test]exit
[DPTECH]dhcp server enable
[DPTECH]

(2) Create VLAN 2 on SW2 and add ports gige0_1, gige0_2, and gige0_3 to VLAN 2.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]port gige0_3
[DPTECH-vlan2]exit

(3) Enable DHCP snooping on SW2.


[DPTECH]interface gige0_3
[DPTECH-gige0_3]dhcp snooping trust
[DPTECH-gige0_3]exit
[DPTECH]dhcp snooping enable

(4) Enable ARP detection on SW2 and set gige0_1 and gige0_2 as untrusted ports.
[DPTECH]arp inspection vlan 2 untrust interface gige0_1 gige0_2

(5) Verify the configuration.

DHCP snooping is enabled on SW2. After obtaining the address, HostA and HostB form a
Snooping information list on SW2, which records the MAC address, IP address, and
corresponding port of the client. After receiving the ARP packet, the gige0_1 and gige0_2 of the
SW2 will query the DHCP snooping entry. If the matching user is found, the ARP packet will be
forwarded. Otherwise, the device will discard the ARP packet.


10.4 ARP gateway protection configuration example

10.4.1 Configuration requirements

The risk of a gateway attack may exist in the user's network. The ARP gateway protection
function effectively prevents the gateway attack.

10.4.2 Network topology

Figure 10-3 Network diagram of ARP gateway protection

10.4.3 Configuration process

(1) Create VLAN 2 on SW2 and add ports gige0_1, gige0_2, and gige0_3 to VLAN 2.

(2) Enable ARP gateway protection on SW2 and set gige0_1 and gige0_2 as untrusted ports.

(3) Verify the configuration.

10.4.4 Configuration step

(1) Create VLAN 2 on SW2 and add ports gige0_1, gige0_2, and gige0_3 to VLAN 2.
<DPTECH>conf-mode


[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]port gige0_3
[DPTECH-vlan2]exit

(2) Enable ARP gateway protection on SW2 and set gige0_1 and gige0_2 as untrusted ports.
[DPTECH]arp inspection vlan 2 untrust interface gige0_1 gige0_2 filter source 1.1.1.1

(3) Verify the configuration.

After you configure the gateway protection on SW2, an ARP packet with the forged gateway
address that HostB sends and the gige0_2 interface receives is discarded. This prevents HostA
from learning the MAC address of the fake gateway, so the packets that HostA sends to the
gateway device SW1 are not wrongly sent to HostB.


11 Routing Protocol Configuration Example
11.1 Introduction to routing protocols

11.1.1 Introduction to static route

A static route is a route that is manually configured on a switch and does not pass routing
information to other devices. Static routes are generally applicable to a relatively simple network
environment. In such an environment, the network administrator can easily understand the
topology of the network and set up correct routing information.

11.1.2 Introduction to RIP

RIP (Routing Information Protocol) is a relatively simple Interior Gateway Protocol (IGP). RIP is
the earliest distance vector routing protocol. Although RIP lacks the complex functions of many
more advanced routing protocols, the simplicity and breadth of its use make it very viable. RIP is
generally applicable to the delivery of routing information within an autonomous system (AS) of a
small homogeneous network.

11.1.3 Introduction to OSPF

OSPF (Open Shortest Path First) is a typical link-state routing protocol. OSPF routers exchange
and store link information of the entire network to learn the topology of the entire network and
calculate routes independently. As an interior gateway protocol (IGP), OSPF is used to advertise
routing information between routers in the same autonomous system (AS). Unlike the distance
vector protocol RIP, OSPF supports large networks, converges quickly, and occupies fewer
network resources, and it occupies a very important position among the routing protocols
currently in use.

OSPF supports multi-process configuration. Multiple OSPF processes can be run on the same
device. The processes are independent and do not affect each other. Route interaction between
different OSPF processes is equivalent to route interaction between different routing protocols.
Multiple OSPF processes can share a single RID. An interface of a router can belong to only one
OSPF process.

11.2 Static route configuration example

11.2.1 Configuration requirements

A company has only a few switches on its intranet. The networking is relatively simple. You need
to implement communication between network segments.

11.2.2 Network topology

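Figure 11-1 Network diagram of static route

[Diagram: SW1 and SW2 are connected through their gige0_0 ports in Vlan-if10 (2.1.1.1 on SW1, 2.1.1.2 on SW2). gige0_1 of SW1 is in Vlan-if2 with address 1.1.1.1; gige0_1 of SW2 is in Vlan-if2 with address 3.1.1.1.]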

11.2.3 Configuration process

(1) Create VLAN 2 and VLAN 10 on SW1 and SW2, assign the ports to the corresponding VLANs,
and configure the IP addresses of the vlan-if interfaces.

(2) Configure static routes on SW1 and SW2.

(3) Verify the configuration.

11.2.4 Configuration step

(1) Configure VLANs and ports on SW1 and SW2.

# Configure on SW1.


<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan 2]exit
[DPTECH]vlan 10
[DPTECH-vlan 10]exit
[DPTECH]interface gige0_0
[DPTECH-gige0_0] switchport access vlan 10
[DPTECH-gige0_0]exit
[DPTECH] interface gige0_1
[DPTECH-gige0_1] switchport access vlan 2
[DPTECH-gige0_1]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip address 1.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if10
[DPTECH-vlan-if10]ip address 2.1.1.1/24
[DPTECH-vlan-if10]

# Configure on SW2.
[DPTECH]vlan 2
[DPTECH-vlan 2]exit
[DPTECH]vlan 10
[DPTECH-vlan 10]exit
[DPTECH]interface gige0_0
[DPTECH-gige0_0] switchport access vlan 10
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1] switchport access vlan 2
[DPTECH-gige0_1]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip address 3.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH] interface vlan-if10
[DPTECH-vlan-if10]ip address 2.1.1.2/24
[DPTECH-vlan-if10]

(2) Configure static routes on SW1 and SW2.

# Configure on SW1.
[DPTECH]ip route 3.1.1.0 255.255.255.0 2.1.1.2
[DPTECH]

# Configure on SW2.
[DPTECH]ip route 1.1.1.0 255.255.255.0 2.1.1.1


[DPTECH]

(3) Verify the configuration.


<DPTECH>show ip route

The 1.1.1.0 network segment and the 3.1.1.0 network segment can communicate normally.

11.3 RIP route configuration example

11.3.1 Configuration requirements

A company's intranet is small in scale and simple in structure and equipment. It is easier to use
RIP routing protocol for route management.

11.3.2 Network topology

Figure 11-2 Network diagram of RIP

[Diagram: SW1, SW2 and SW3 are connected in a chain. SW1: gige0_1 in vlan-if2 (1.1.1.1), gige0_0 in vlan-if10 (2.1.1.1). SW2: gige0_0 in vlan-if10 (2.1.1.2), gige0_1 in vlan-if11 (3.1.1.1). SW3: gige0_1 in vlan-if11 (3.1.1.2), gige0_0 in vlan-if2 (4.1.1.1).]

11.3.3 Configuration process

(1) Create the corresponding VLAN on SW1, SW2, and SW3, assign the port to the
corresponding VLAN, and configure the IP address of the vlan-if.

(2) Configure RIP routes on SW1, SW2, and SW3.

(3) Verify the configuration.

11.3.4 Configuration step

(1) Create the corresponding VLAN on SW1, SW2, and SW3, assign the port to the
corresponding VLAN, and configure the IP address of the vlan-if.

# Configure on SW1.
[DPTECH]vlan 2
[DPTECH-vlan2]exit


[DPTECH]vlan 10
[DPTECH-vlan10]exit
[DPTECH]interface gige0_0
[DPTECH-gige0_0]switchport access vlan 10
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport access vlan 2
[DPTECH-gige0_1]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip address 1.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if10
[DPTECH-vlan-if10]ip address 2.1.1.1/24
[DPTECH-vlan-if10]

# Configure on SW2.
[DPTECH]vlan 10
[DPTECH-vlan10]exit
[DPTECH]vlan 11
[DPTECH-vlan11]exit
[DPTECH]interface gige0_0
[DPTECH-gige0_0]switchport access vlan 10
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport access vlan 11
[DPTECH-gige0_1]exit
[DPTECH]interface vlan-if10
[DPTECH-vlan-if10]ip address 2.1.1.2/24
[DPTECH-vlan-if10]exit
[DPTECH]interface vlan-if11
[DPTECH-vlan-if11]ip address 3.1.1.1/24
[DPTECH-vlan-if11]

# Configure on SW3.
[DPTECH]vlan 2
[DPTECH-vlan2]exit
[DPTECH]vlan 11
[DPTECH-vlan11]exit
[DPTECH]interface gige0_0
[DPTECH-gige0_0]switchport access vlan 2
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport access vlan 11
[DPTECH-gige0_1]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip address 4.1.1.1/24


[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if11
[DPTECH-vlan-if11]ip address 3.1.1.2/24
[DPTECH-vlan-if11]

(2) Configure RIP routing on SW1, SW2, and SW3.

# Configure on SW1.
[DPTECH]router rip
[DPTECH-rip]network 1.1.1.0/24
[DPTECH-rip]network 2.1.1.0/24
[DPTECH-rip]

# Configure on SW2.
[DPTECH]router rip
[DPTECH-rip]network 2.1.1.0/24
[DPTECH-rip]network 3.1.1.0/24
[DPTECH-rip]

# Configure on SW3.
[DPTECH]router rip
[DPTECH-rip]network 3.1.1.0/24
[DPTECH-rip]network 4.1.1.0/24
[DPTECH-rip]

(3) Verify the configuration.


<DPTECH>show ip rip
<DPTECH>show ip route

The 1.1.1.0 network segment and the 4.1.1.0 network segment can communicate normally.

11.4 OSPF configuration example

11.4.1 Configuration requirements

A new planning department in a company adds three switches and has four network segments.
The entire network uses OSPF routing protocol networking. The newly added switches join the
intranet, requiring each network segment to communicate with the intranet.


11.4.2 Network topology

Figure 11-3 Network diagram of OSPF

[Diagram: SW1, SW2 and SW3 are connected in a chain, all in Area0. SW1: gige0_1 in Vlan-if2 (1.1.1.1), gige0_0 in Vlan-if10 (2.1.1.1). SW2: gige0_0 in Vlan-if10 (2.1.1.2), gige0_1 with address 3.1.1.1. SW3: gige0_1 with address 3.1.1.2, gige0_0 in Vlan-if2 (4.1.1.1/24).]

11.4.3 Configuration process

(1) Create the corresponding VLAN on SW1, SW2, and SW3, assign the port to the
corresponding VLAN, and configure the IP address of the vlan-if.

(2) Configure OSPF routes on SW1, SW2, and SW3.

(3) Verify the configuration.

11.4.4 Configuration step

(1) Create the corresponding VLAN on SW1, SW2, and SW3, assign the port to the
corresponding VLAN, and configure the IP address of the vlan-if.

# Configure on SW1.
[DPTECH]vlan 2
[DPTECH-vlan2]exit
[DPTECH]vlan 10
[DPTECH-vlan10]exit
[DPTECH]interface gige0_0
[DPTECH-gige0_0]switchport access vlan 10
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport access vlan 2
[DPTECH-gige0_1]exit
[DPTECH]interface vlan-if2


[DPTECH-vlan-if2]ip address 1.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if10
[DPTECH-vlan-if10]ip address 2.1.1.1/24
[DPTECH-vlan-if10]

# Configure on SW2.
[DPTECH]vlan 10
[DPTECH-vlan10]exit
[DPTECH]vlan 11
[DPTECH-vlan11]exit
[DPTECH]interface gige0_0
[DPTECH-gige0_0]switchport access vlan 10
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport access vlan 11
[DPTECH-gige0_1]exit
[DPTECH]interface vlan-if10
[DPTECH-vlan-if10]ip address 2.1.1.2/24
[DPTECH-vlan-if10]exit
[DPTECH]interface vlan-if11
[DPTECH-vlan-if11]ip address 3.1.1.1/24
[DPTECH-vlan-if11]

# Configure on SW3.
[DPTECH]vlan 2
[DPTECH-vlan2]exit
[DPTECH]vlan 11
[DPTECH-vlan11]exit
[DPTECH]interface gige0_0
[DPTECH-gige0_0]switchport access vlan 2
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport access vlan 11
[DPTECH-gige0_1]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip address 4.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if11
[DPTECH-vlan-if11]ip address 3.1.1.2/24
[DPTECH-vlan-if11]

(2) Configure OSPF routes on SW1, SW2, and SW3.

# Configure on SW1.
[DPTECH]router ospf 1
[DPTECH-ospf-1]network 1.1.1.0/24 area 0
[DPTECH-ospf-1]network 2.1.1.0/24 area 0
[DPTECH-ospf-1]


# Configure on SW2.
[DPTECH]router ospf 1
[DPTECH-ospf-1]network 2.1.1.0/24 area 0
[DPTECH-ospf-1]network 3.1.1.0/24 area 0
[DPTECH-ospf-1]

# Configure on SW3.
[DPTECH]router ospf 1
[DPTECH-ospf-1]network 3.1.1.0/24 area 0
[DPTECH-ospf-1]network 4.1.1.0/24 area 0
[DPTECH-ospf-1]

(3) Verify the configuration.


<DPTECH>show ip ospf
<DPTECH>show ip route

The 1.1.1.0 network segment and the 4.1.1.0 network segment can communicate normally.

11.5 OSPF multi-process configuration example

11.5.1 Configuration requirements

When a user's network is complex and you want to implement partition management so that
devices in certain areas are independent of the routing information of other areas, you can use
multiple OSPF processes for routing and partition management. The routing information of
different OSPF processes is isolated. If a process needs to learn the routing information of
another process, it can reference the routing information of that process.


11.5.2 Network topology

Figure 11-4 Network diagram of OSPF multi-process

11.5.3 Configuration process

(1) Create the corresponding VLAN on SW1, SW2, and SW3, assign the port to the
corresponding VLAN, and configure the IP address of the vlan-if.

(2) Configure OSPF routes on SW1, SW2, and SW3.

(3) Verify the configuration.

11.5.4 Configuration step

(1) Create the corresponding VLAN on SW1, SW2, and SW3, assign the port to the
corresponding VLAN, and configure the IP address of the vlan-if.

# Configure on SW1.
[DPTECH]vlan 2
[DPTECH-vlan2]exit
[DPTECH]vlan 10
[DPTECH-vlan10]exit
[DPTECH]interface gige0_0
[DPTECH-gige0_0]switchport access vlan 10
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport access vlan 2
[DPTECH-gige0_1]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip address 1.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if10
[DPTECH-vlan-if10]ip address 2.1.1.1/24
[DPTECH-vlan-if10]

# Configure on SW2.
[DPTECH]vlan 10
[DPTECH]vlan 11
[DPTECH]interface gige0_0
[DPTECH-gige0_0]switchport access vlan 10
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport access vlan 11
[DPTECH-gige0_1]exit
[DPTECH]interface vlan-if10
[DPTECH-vlan-if10]ip address 2.1.1.2/24
[DPTECH-vlan-if10]exit
[DPTECH]interface vlan-if11
[DPTECH-vlan-if11]ip address 3.1.1.1/24
[DPTECH-vlan-if11]

# Configure on SW3.
[DPTECH]vlan 2
[DPTECH]vlan 11
[DPTECH]interface gige0_0
[DPTECH-gige0_0]switchport access vlan 2
[DPTECH-gige0_0]exit
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport access vlan 11
[DPTECH-gige0_1]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip address 4.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if11
[DPTECH-vlan-if11]ip address 3.1.1.2/24
[DPTECH-vlan-if11]

(2) Configure OSPF routes on SW1, SW2, and SW3.

# Configure on SW1.
[DPTECH]router ospf 1
[DPTECH-ospf-1]network 1.1.1.0/24 area 1
[DPTECH-ospf-1]network 2.1.1.0/24 area 1
[DPTECH-ospf-1]

# Configure on SW2.
[DPTECH]router ospf 1
[DPTECH-ospf-1]network 2.1.1.0/24 area 1
[DPTECH-ospf-1]exit
[DPTECH]router ospf 2
[DPTECH-ospf-2]network 3.1.1.0/24 area 2
[DPTECH-ospf-2]

# Configure on SW3.
[DPTECH]router ospf 2
[DPTECH-ospf-2]network 3.1.1.0/24 area 2
[DPTECH-ospf-2]network 4.1.1.0/24 area 2
[DPTECH-ospf-2]

(3) Verify the configuration.

Process 1 and process 2 isolate the routing information of area 1 and area 2, so the routing
information of the two areas does not affect each other. SW1 and SW3 cannot communicate with
each other, which lets the user isolate certain special areas. When the user wants SW1 to access
SW3, enter the configuration view of process 1 on SW2 and reference the routes of process 2:
[DPTECH]router ospf 1
[DPTECH-ospf-1]redistribute ospf 2

Conversely, when the user wants SW3 to access SW1, enter the configuration view of process 2 on
SW2 and reference the routes of process 1:
[DPTECH]router ospf 2
[DPTECH-ospf-2]redistribute ospf 1

12 DHCP Configuration Example

12.1 DHCP introduction

DHCP (Dynamic Host Configuration Protocol) automatically assigns IP addresses to hosts on the
internal network. This makes it easier for the network administrator to manage all the
computers and makes PCs and wireless networks more convenient to use. DHCP uses the
client/server communication mode: the client actively requests an IP address and the
corresponding configuration from the server, so that the IP address and other information are
configured dynamically.

An IP address that a client obtains through dynamic allocation has a lease term. After the
lease expires, the server reclaims the address. If the client wants to keep using the address,
it must actively renew the lease: before the lease expires, the client sends a renewal message
to the server, and if the server determines that the client can continue to use the address,
the renewal succeeds.

DHCP clients send their packets as broadcasts, which are delivered only within the same network
segment. When the client and the server are not on the same network segment, the DHCP relay
function can be used to obtain IP addresses across network segments.

DHCP assigns addresses in two ways:

Table 12-1 DHCP allocation mode

Item                Description
Dynamic allocation  An IP address that the client obtains from the DHCP server cannot be used permanently; it has a validity period.
Manual allocation   A fixed IP address is manually assigned to certain clients and statically bound to the client, which uses it permanently.

12.2 DHCP Server configuration example

12.2.1 Configuration requirements

When the network is large and manually configuring client IP addresses is a heavy workload, the
DHCP server allocates IP addresses dynamically so that the network can be managed effectively.

12.2.2 Network topology

Figure 12-1 DHCP Server network diagram (SW1 is the DHCP server, with vlan-if2 192.168.0.1/24 on gige0_1; SW2 uses gige0_1, gige0_2 and gige0_3; the hosts are HostA and HostB)

12.2.3 Configuration process

(1) Create vlan-if2 on SW1, configure the IP address to be 192.168.0.1/24, and add gige0_1 to
vlan-if2.

(2) Enable the DHCP server on SW1 and create a dynamic address pool and static binding
address.

(3) Create VLAN2 on SW2 and add gige0_1, gige0_2, gige0_3 to VLAN 2.

(4) Verify the configuration.

12.2.4 Configuration step

(1) Create VLAN 2 on SW1, configure the IP address to be 192.168.0.1/24, and add gige0_1 to
VLAN 2.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 192.168.0.1/24
[DPTECH-vlan-if2]exit
[DPTECH]

(2) Enable the DHCP server on SW1 and create a dynamic address pool and static binding
address.
[DPTECH]dhcp server pool 192
[DPTECH-dhcp-pool-192]address range 192.168.0.10 192.168.0.100 24
[DPTECH-dhcp-pool-192]binding interface vlan-if2
[DPTECH-dhcp-pool-192]lease 1440
[DPTECH-dhcp-pool-192]default-router 192.168.0.1
[DPTECH-dhcp-pool-192]dns-server 172.153.0.1
[DPTECH-dhcp-pool-192]static-bind ip-address 192.168.0.120 mac-address 00:10:94:00:00:01 client-name administrator
[DPTECH-dhcp-pool-192]exit
[DPTECH]dhcp server enable
[DPTECH]

(3) Create VLAN2 on SW2, add gige0_1, gige0_2, gige0_3 to VLAN2.


[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]port gige0_3

(4) Verify the configuration.

View the DHCP server dynamic address pool and static binding address.
<DPTECH>show dhcp server pool 192
Pool 192:
Address range : 192.168.0.10 to 192.168.0.100
Mask : 255.255.255.0
Lease time : 1 days 0 hours 0 mins
Static bind ip address 192.168.0.120 mac address 00:10:94:00:00:01
<DPTECH>

After HostA and HostB request addresses, the device displays the addresses assigned by the DHCP
server. When a host's MAC address matches a static binding entry, the host obtains the bound IP
address. You can use the show dhcp-server ip-in-use command to view the IP addresses that have
been assigned from the address pool.

12.3 DHCP relay configuration example

12.3.1 Configuration requirements

When the DHCP client and the DHCP server are not on the same network segment, the DHCP
server cannot receive the address request packets from the client. In this case, enable the
DHCP relay function on the device between the client and the DHCP server. The relay device
forwards the messages exchanged between the client and the server.

The address request packet of the DHCP client is sent by broadcast and can only be broadcast
on the same network segment. When using the DHCP relay function, you need to ensure that the
routes between the DHCP server and the client are reachable.

12.3.2 Network topology

Figure 12-2 DHCP relay network diagram (SW1, the DHCP server: vlan-if2 192.168.0.1/24 on gige0_1; SW2, the DHCP relay: vlan-if2 192.168.0.2/24 on gige0_1 and vlan-if3 192.168.1.1/24 on gige0_2; Host)

To ensure that the route is reachable between SW1 and the host network segment, you can
configure a static route to the client host network segment on SW1.

12.3.3 Configuration process

(1) Create vlan-if2 on SW1, configure the IP address to be 192.168.0.1/24, and add gige0_1 to
vlan-if2.

(2) Enable the DHCP server on SW1, create a dynamic address pool, and configure a static
route.

(3) Create vlan-if2 on SW2, configure IP address to be 192.168.0.2/24, add gige0_1 to vlan-if2,
create vlan-if3, configure IP address to 192.168.1.1/24, add gige0_2 to vlan-if3.

(4) Enable the DHCP relay function on SW2.

(5) Verify the configuration.

12.3.4 Configuration step

(1) Create vlan-if2 on SW1, configure IP address to be 192.168.0.1/24, add gige0_1 to vlan-if2.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 192.168.0.1/24
[DPTECH-vlan-if2]exit
[DPTECH]

(2) Enable the DHCP server on SW1, create a dynamic address pool, and configure static
routes.
[DPTECH]dhcp server pool 192
[DPTECH-dhcp-pool-192]address range 192.168.1.20 192.168.1.250 24
[DPTECH-dhcp-pool-192]binding interface vlan-if2
[DPTECH-dhcp-pool-192]lease 1440
[DPTECH-dhcp-pool-192]default-router 192.168.1.1
[DPTECH-dhcp-pool-192]dns-server 172.153.0.1
[DPTECH-dhcp-pool-192]exit
[DPTECH]dhcp server enable
[DPTECH]
[DPTECH]ip route 192.168.1.0 255.255.255.0 192.168.0.2

(3) Create vlan-if2 on SW2, configure IP address to be 192.168.0.2/24, add gige0_1 to vlan2,
create vlan-if3, configure IP address to 192.168.1.1/24, add gige0_2 to vlan-if3.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 192.168.0.2/24
[DPTECH-vlan-if2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_2
[DPTECH-vlan3]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 192.168.1.1/24
[DPTECH-vlan-if3]exit
[DPTECH]

(4) Enable DHCP relay function on SW2.


[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]dhcp relay server-address 192.168.0.1
[DPTECH-vlan-if3]exit
[DPTECH]dhcp relay enable

(5) Verify the configuration.

The client actively sends an address request message. If the client obtains the corresponding
address, the DHCP function has taken effect.
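One way to cross-check the values entered in the relay steps before testing with a client, as an added Python example (not DPtech tooling). It assumes the standard relay model, in which the pool for relayed clients lies in the subnet of the relay's client-facing interface and the server needs a route back to that subnet; the function names and the mistyped sample values are constructed for the illustration.

```python
import ipaddress


def pool_problems(start, end, prefix_len, default_router, relay_ifaces):
    """Check a DHCP pool that must serve clients behind a relay.

    relay_ifaces lists the client-facing relay interfaces as "address/len".
    Returns a list of problem strings; an empty list means consistent.
    """
    first = ipaddress.ip_address(start)
    last = ipaddress.ip_address(end)
    router = ipaddress.ip_address(default_router)
    subnet = ipaddress.ip_network(f"{first}/{prefix_len}", strict=False)
    problems = []
    if last < first:
        problems.append(f"range end {last} is below range start {first}")
    if last not in subnet:
        problems.append(f"range end {last} is outside {subnet}")
    if router not in subnet:
        problems.append(f"default-router {router} is outside {subnet}")
    elif first <= router <= last:
        problems.append(f"default-router {router} is inside the leasable range")
    if not any(ipaddress.ip_interface(i).network == subnet for i in relay_ifaces):
        problems.append(f"no relay interface sits in {subnet}")
    return problems


def route_problems(client_subnet, server_iface, static_routes):
    """Check that the server can send replies back toward the relay.

    static_routes holds (destination, mask, next_hop) tuples, the three
    arguments of the ip route command used on SW1.
    """
    target = ipaddress.ip_network(client_subnet)
    server = ipaddress.ip_interface(server_iface)
    if target.subnet_of(server.network):
        return []  # directly connected, no static route needed
    for destination, mask, next_hop in static_routes:
        covers = target.subnet_of(ipaddress.ip_network(f"{destination}/{mask}"))
        if covers and ipaddress.ip_address(next_hop) in server.network:
            return []
    return [f"no static route to {target} via a next hop in {server.network}"]


def demo():
    """Run the checks on constructed inputs based on the relay topology."""
    relay = ["192.168.1.1/24"]  # SW2 vlan-if3, the client-facing interface
    return {
        "consistent": pool_problems(
            "192.168.1.20", "192.168.1.250", 24, "192.168.1.1", relay),
        # Constructed mistyped variant: wrong third octet in two places.
        "mistyped": pool_problems(
            "192.168.1.20", "192.168.0.250", 24, "192.168.2.1", relay),
        "route": route_problems(
            "192.168.1.0/24", "192.168.0.1/24",
            [("192.168.1.0", "255.255.255.0", "192.168.0.2")]),
        "no_route": route_problems("192.168.1.0/24", "192.168.0.1/24", []),
    }


if __name__ == "__main__":
    for name, problems in demo().items():
        print(name, problems or "ok")
```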

12.4 DHCP Snooping configuration example

12.4.1 Configuration requirements

DHCP snooping is a security feature. When an unauthorized DHCP server exists on the network, a
client may obtain an address from that server, causing the network to fail. To ensure that DHCP
clients obtain addresses from a valid DHCP server, enable DHCP snooping on the device between
the legitimate DHCP server and the clients. On the DHCP snooping device, the port connected to
the DHCP server is set as a trusted port, and the other ports are untrusted ports. After a
client obtains an address, the device that has DHCP snooping enabled can record the
correspondence between the user's IP address and MAC address.

A trusted port forwards all DHCP packets. An untrusted port discards some DHCP packets to
ensure that the client can obtain an IP address from the legitimate server.

12.4.2 Network topology

Figure 12-3 DHCP Snooping network diagram

12.4.3 Configuration process

(1) Create vlan-if2 on SW1, configure the IP address to be 192.168.0.1/24, and add gige0_1 to
vlan-if2.

(2) Enable the DHCP server on SW1 and create a dynamic address pool.

(3) Create VLAN2 on SW2 and add gige0_1, gige0_2, gige0_3 to VLAN 2.

(4) Enable DHCP snooping on SW2, configure gige0_1 as a trusted port, and the remaining
ports as untrusted ports, and enable the recording of IP MAC addresses.

(5) Verify the configuration.

12.4.4 Configuration step

(1) Create vlan-if2 on SW1, configure the IP address to be 192.168.0.1/24, and add gige0_1 to
vlan-if2.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 192.168.0.1/24
[DPTECH-vlan-if2]exit
[DPTECH]

(2) Enable DHCP server and create a dynamic address pool on SW1.
<DPTECH>conf-mode
[DPTECH]dhcp server pool 192
[DPTECH-dhcp-pool-192]address range 192.168.0.10 192.168.0.100 24
[DPTECH-dhcp-pool-192]binding interface vlan-if2
[DPTECH-dhcp-pool-192]lease 1440
[DPTECH-dhcp-pool-192]default-router 192.168.0.1
[DPTECH-dhcp-pool-192]dns-server 172.153.0.1
[DPTECH-dhcp-pool-192]exit
[DPTECH]dhcp server enable
[DPTECH]

(3) Create VLAN2 on SW2 and add gige0_1, gige0_2, gige0_3 to VLAN 2.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]port gige0_3

(4) Enable DHCP snooping on SW2, set gige0_1 as a trusted port, and the remaining ports as
untrusted ports.
<DPTECH>conf-mode
[DPTECH]interface gige0_1
[DPTECH-gige0_1]dhcp snooping trust
[DPTECH-gige0_1]exit
[DPTECH]dhcp snooping enable

(5) Verify the configuration.

After the client obtains an address, check the DHCP snooping information list, which records the
mapping between the MAC address and the IP address of the host that obtained the address.
<DPTECH>show dhcp snooping
Dhcp Snooping information
-----------------------------------------------
Port_name Macaddr Ipaddr
gige0_2 00:24:ac:13:14:02 192.168.0.10
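
The trusted/untrusted filtering and the binding record described in this section, modelled as an added Python example (not DPtech code or CLI output). It assumes the usual DHCP snooping rules, which the manual does not spell out: server replies (OFFER, ACK, NAK) are accepted only on trusted ports, a binding is recorded when a trusted ACK answers a request seen on an untrusted port, and a RELEASE or DECLINE is accepted only on the port that holds the binding. The class and function names and the 10.66.0.5 address are constructed.

```python
import struct

# DHCP message types carried in option 53 (RFC 2132).
DISCOVER, OFFER, REQUEST, DECLINE, ACK, NAK, RELEASE, INFORM = range(1, 9)
SERVER_TYPES = {OFFER, ACK, NAK}
MAGIC_COOKIE = bytes([99, 130, 83, 99])


def build_dhcp(msg_type, client_mac, yiaddr="0.0.0.0"):
    """Build a minimal BOOTP/DHCP payload. Used only to construct test input."""
    op = 2 if msg_type in SERVER_TYPES else 1            # 1 = request, 2 = reply
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, 0x1234, 0, 0)
    header += bytes(4)                                   # ciaddr
    header += bytes(int(o) for o in yiaddr.split("."))   # yiaddr
    header += bytes(8)                                   # siaddr, giaddr
    header += bytes.fromhex(client_mac.replace(":", "")) + bytes(10)  # chaddr
    header += bytes(64 + 128)                            # sname, file
    return header + MAGIC_COOKIE + bytes([53, 1, msg_type, 255])


def parse_dhcp(payload):
    """Return (msg_type, client_mac, yiaddr); raise ValueError if malformed."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP payload")
    yiaddr = ".".join(str(b) for b in payload[16:20])
    mac = ":".join(f"{b:02x}" for b in payload[28:34])
    i, msg_type = 240, None
    while i < len(payload) and payload[i] != 255:        # 255 = end option
        if payload[i] == 0:                              # pad option
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option")
        if payload[i] == 53 and length == 1:
            msg_type = value[0]
        i += 2 + length
    if msg_type is None:
        raise ValueError("no DHCP message type option")
    return msg_type, mac, yiaddr


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.pending = {}    # client MAC -> untrusted port its request came from
        self.bindings = {}   # client MAC -> (port, leased IP)

    def receive(self, port, payload):
        """Return 'forward' or 'drop' for a DHCP payload arriving on port."""
        try:
            msg_type, mac, yiaddr = parse_dhcp(payload)
        except ValueError:
            return "drop"
        trusted = port in self.trusted
        if msg_type in SERVER_TYPES:
            if not trusted:
                return "drop"            # server reply from an untrusted port
            if msg_type == ACK and mac in self.pending:
                self.bindings[mac] = (self.pending.pop(mac), yiaddr)
            return "forward"
        if trusted:
            return "forward"
        if msg_type in (RELEASE, DECLINE):
            bound = self.bindings.get(mac)
            if bound and bound[0] != port:
                return "drop"            # not the port that holds the binding
            self.bindings.pop(mac, None)
        elif msg_type in (DISCOVER, REQUEST):
            self.pending[mac] = port
        return "forward"


def demo():
    """SW2 with gige0_1 trusted; a second server answers on gige0_3."""
    sw2 = SnoopingSwitch(trusted_ports={"gige0_1"})
    host = "00:24:ac:13:14:02"
    results = [
        sw2.receive("gige0_2", build_dhcp(DISCOVER, host)),
        sw2.receive("gige0_3", build_dhcp(OFFER, host, "10.66.0.5")),
        sw2.receive("gige0_1", build_dhcp(OFFER, host, "192.168.0.10")),
        sw2.receive("gige0_2", build_dhcp(REQUEST, host)),
        sw2.receive("gige0_3", build_dhcp(ACK, host, "10.66.0.5")),
        sw2.receive("gige0_1", build_dhcp(ACK, host, "192.168.0.10")),
    ]
    return results, sw2


if __name__ == "__main__":
    outcome, switch = demo()
    print(outcome)
    print(switch.bindings)
```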

13 QoS Configuration Example

13.1 QoS introduction

QoS (Quality of Service) is a security mechanism of the network and a technology used to solve
problems such as network delay and congestion. Network bandwidth is always limited, so whenever
traffic competes for the network bandwidth, there is a requirement for quality of service. QoS
can guarantee bandwidth for the highest-priority service and forward its data preferentially.

On our switch, the QoS trust mode supports the following four types:

Table 13-1 QoS trust mode

Item                 Description
Trust port priority  Priority mapping based on the port that the packet enters.
Trust COS priority   Priority mapping by looking up the mapping table with the COS priority carried in the packet.
Trust DSCP priority  Priority mapping by looking up the mapping table with the DSCP priority carried in the packet.
Trust IP priority    Priority mapping by looking up the mapping table with the IP precedence carried in the packet.

When multiple ports of a device receive different traffic, you can configure the priority of the port to
forward traffic preferentially on certain ports. When the traffic received by the device carries the
COS, DSCP, and IP precedence, you can configure the mapping between the priority and the
COS queue on the device to implement the forwarding of traffic. There are 8 COS queues on the
switch, which are represented by 0-7, and queues with large COS values have higher priority.
When the traffic is forwarded from the device, the egress port can adjust the traffic forwarding
sequence and the occupied bandwidth ratio in each queue by configuring the queue scheduling
mode and the queue weight value. The queue scheduling mode has three modes: SP, WRR, and
WDRR. In the WRR and WDRR modes, you need to configure the forwarding ratio of different
COS queues, that is, the weight value.

Table 13-2 Queue scheduling mode

Item       Description
SP mode    Absolute priority mode. Packets in the highest-priority queue are forwarded first, until the bandwidth is full. If the bandwidth is exceeded, packets with lower priority are discarded.
WRR mode   Polling mode. Weights are configured for the different COS queues so that the queues forward traffic in proportion to their weights.
WDRR mode  The traffic forwarding mechanism is similar to the WRR mode.

13.2 Configuration example

13.2.1 Configuration requirements

The network bandwidth in a company is allocated unevenly, so the finance department's data
transfers are often interrupted and the department cannot work normally. The switch must now be
configured so that the finance department transmits data with the highest priority, to ensure
normal operation.

13.2.2 Network topology

Figure 13-1 QoS network diagram

13.2.3 Configuration process

(1) Add ports gige0_0 and gige0_1 to queues 7 and 1, respectively, on the SW.

(2) Configure the QoS in the port gige0_2 on the SW to use the WRR mode. The weight of the
queue 7 is set to 7. The weight of the queue 1 is set to 3.

(3) Verify the configuration.

13.2.4 Configuration step

(1) Add ports gige0_0 and gige0_1 to queues 7 and 1 respectively on SW.
[DPTECH]interface gige0_0
[DPTECH-gige0_0]qos trust port
[DPTECH-gige0_0]qos map port-cos 7
[DPTECH-gige0_0]interface gige0_1
[DPTECH-gige0_1]qos trust port
[DPTECH-gige0_1]qos map port-cos 1
[DPTECH-gige0_1]

(2) Configure the QoS in the port gige0_2 on the SW to use the WRR mode. Set the weight of
queue 7 to 7. Set the weight of queue 1 to 3.
[DPTECH]interface gige0_2
[DPTECH-gige0_2]qos scheduler wrr
[DPTECH-gige0_2]qos wrr queue 7 weight 7
[DPTECH-gige0_2]qos wrr queue 1 weight 3
[DPTECH]

(3) Verify the configuration.

Send data at full bandwidth into gige0_0 and gige0_1 and check the bandwidth usage: 70% of the
forwarded bandwidth should carry Finance Department traffic and 30% should carry the traffic of
the other departments.
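
How the weights 7 and 3 configured on gige0_2 produce the 70%/30% split, and what SP mode would do with the same load, as an added Python model (not DPtech code). It assumes equal-size packets and a work-conserving WRR scheduler with per-queue tail drop; the function name, parameters and traffic figures are constructed for the illustration.

```python
def simulate(mode, offered, weights=None, capacity=10, rounds=100, buffer=20):
    """Count packets sent per queue on one egress port.

    mode      "sp" (strict priority) or "wrr" (weighted round robin)
    offered   {queue: packets arriving per round}
    weights   {queue: WRR weight}, required for "wrr"
    capacity  packets the port can send per round
    buffer    per-queue depth; arrivals beyond it are tail-dropped
    """
    if mode not in ("sp", "wrr"):
        raise ValueError("mode must be 'sp' or 'wrr'")
    weights = weights or {}
    if mode == "wrr" and any(weights.get(q, 0) <= 0 for q in offered):
        raise ValueError("every queue needs a positive WRR weight")

    order = sorted(offered, reverse=True)       # higher queue number first
    backlog = dict.fromkeys(order, 0)
    sent = dict.fromkeys(order, 0)
    credit = {q: weights.get(q, 0) for q in order}  # left in current WRR cycle

    def send(queue, limit):
        count = min(limit, backlog[queue])
        backlog[queue] -= count
        sent[queue] += count
        return count

    for _ in range(rounds):
        for q in order:
            backlog[q] = min(backlog[q] + offered[q], buffer)
        budget = capacity
        if mode == "sp":
            # The highest queue drains first; lower queues get the remainder.
            for q in order:
                budget -= send(q, budget)
            continue
        while budget > 0 and any(backlog.values()):
            for q in order:
                count = send(q, min(credit[q], budget))
                credit[q] -= count
                budget -= count
            if budget > 0:
                # Every queue is out of credit or out of packets: new cycle.
                credit = {q: weights[q] for q in order}
    return sent


def demo():
    weights = {7: 7, 1: 3}          # queue 7 = finance, queue 1 = others
    saturated = {7: 10, 1: 10}      # both inputs exceed what the port can send
    light_finance = {7: 4, 1: 10}   # finance uses less than its share
    return {
        "wrr_saturated": simulate("wrr", saturated, weights),
        "sp_saturated": simulate("sp", saturated),
        "wrr_light_finance": simulate("wrr", light_finance, weights),
    }


if __name__ == "__main__":
    for name, counts in demo().items():
        total = sum(counts.values())
        print(name, {q: f"{100 * n // total}%" for q, n in counts.items()})
```

With both inputs saturated, SP mode leaves queue 1 with nothing, which is why the example uses WRR; when finance sends less than its share, WRR hands the unused bandwidth to queue 1.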

14 802.1x Configuration Example

14.1 802.1x introduction

With the large-scale development of applications such as mobile office and resident network
operations, service providers need to control and configure user access. In particular, WLAN
applications and LAN access are carried out on a large scale on the telecommunication network,
so ports must be controlled to achieve user-level access control. 802.1x is a standard defined
by the IEEE to solve port-based network access control (Port-Based Network Access Control).

14.1.1 Basic concept

The 802.1x protocol is a client/server-based access control and authentication protocol, and is
also a port-based network access control protocol. After the client access port is authenticated, it
can access external resources.

14.1.2 Authentication method

Figure 14-1 Authentication method

Item                   Description
Local authentication   Authenticate with local username and password.
Radius authentication  Authenticate through Radius; the username and password are configured on the Radius server.
LDAP authentication    Use LDAP authentication method to authenticate.

14.1.3 Port access control mode

Figure 14-2 Port access control mode

Item                          Description
Mandatory authorization mode  The port can access external resources without authentication.
Forced unauthorized mode      The port cannot be authenticated and cannot access external resources.
Port based mode               Only one client authentication is required under this port, and other clients can access external resources normally.
MAC based mode                The access clients used on this port need to be authenticated to access external resources. The device defaults to MAC mode.

14.1.4 Radius authentication classification

Figure 14-3 Radius authentication classification

Item                             Description
Radius relay mode (Relay)        The EAP is carried in other high-level protocols, such as EAP over Radius, so that the extended authentication protocol packets traverse the complex network to reach the authentication server.
Radius termination method (End)  EAP packets are terminated on the device and mapped to Radius packets. The standard Radius protocol is used to complete authentication, authorization, and accounting.

14.2 802.1x local authentication configuration example

14.2.1 Configuration requirements

A company needs to restrict employees and visitors from accessing internal resources and
external networks. Employees must pass account authentication to access resources and
communications. Visitors do not have access to internal resources and external networks.

14.2.2 Network topology

Figure 14-4 802.1x network diagram

14.2.3 Configuration process

(1) Enable 802.1x authentication on the SW.

(2) Select the local authentication mode on the SW and configure the username and password
locally.

(3) Enable 802.1x authentication on port gige0_0.

(4) Verify the configuration.

14.2.4 Configuration step

(1) Enable 802.1x authentication on the SW globally.


<DPTECH>conf-mode
[DPTECH]dot1x enable
[DPTECH]

(2) Select local authentication mode on the SW and configure the username and password
locally.
[DPTECH] dot1x auth-method local
[DPTECH] dot1x local-user test123
[DPTECH-luser-test123]password cipher test123456
[DPTECH]

(3) Enable 802.1x authentication on port gige0_0.


[DPTECH] interface gige0_0
[DPTECH-gige0_0]dot1x enable

(4) Verify the configuration.

Install the 802.1x authentication client on the host and use the corresponding username and
password for dial-up authentication. After the authentication is passed, the host can access the
external network. Enter the user view and use the show dot1x users command to view online
users.

14.3 802.1x Radius authentication configuration example

14.3.1 Configuration requirements

A company needs to restrict employees and visitors from accessing internal resources and
external networks. Employees must pass account authentication to access resources and
communications. Visitors do not have access to internal resources and external networks.

14.3.2 Network topology

Figure 14-5 Network diagram of 802.1x Radius authentication

14.3.3 Configuration process

(1) Enable 802.1x authentication on the SW.

(2) Configure the Radius authentication mode on the SW and configure the Radius server using
the relay authentication process.

(3) Enable 802.1x authentication on port gige0_0.

(4) Configure Radius server information.

(5) Verify the configuration.

14.3.4 Configuration step

(1) Enable 802.1x authentication on the SW.


<DPTECH>conf-mode
[DPTECH]dot1x enable
[DPTECH]

(2) Configure the Radius authentication mode on the SW and use the relay authentication
process to configure the Radius server.
[DPTECH] dot1x auth-method radius relay
[DPTECH] dot1x radius-server primary 192.168.0.1 key test123 port 1812

(3) Enable 802.1x authentication on port gige0_0.


[DPTECH] interface gige0_0
[DPTECH-gige0_0]dot1x enable

(4) Configure the Radius server information. The key is configured as test123.

(5) Verify the configuration.

After the 802.1x authentication client is installed on the host, use the corresponding user name
and password for dial-up authentication. After the authentication is passed, the host can
access the external network. Enter the user view and use the show dot1x online-users command
to view the online users.

15 MAC Authentication Configuration Example

15.1 Introduction to MAC address authentication

MAC address authentication is an authentication method that controls user network access
rights. It authenticates based on port and MAC address and does not require the user to install
any client software. When the device detects a user's MAC address for the first time, it starts
the authentication operation for that user. During the authentication process, the user does
not need to manually enter a username or password. After the user is authenticated, the network
resources can be accessed. If the user fails authentication, the user's MAC address is added as
a silent MAC address, and the device does not process the authentication packets of that user.

15.1.1 Authentication type

Figure 15-1 Authentication type

Item                   Description
Local authentication   Authenticate with a locally configured username and password.
Radius authentication  Authenticate with a username and password configured on the Radius server.

15.1.2 Authentication user name format

Figure 15-2 Authentication user name format

Item                  Description
MAC address username  Use the user's MAC address as the authenticated username and password.
Fixed username        Regardless of the user's MAC address, all users are authenticated using a pre-configured username and password on the device.

When using Radius authentication with the MAC address username, you only need to configure
the username and password on the Radius server. When using Radius authentication with a fixed
username, you need to configure the username and password both locally on the device and on
the Radius server.

15.2 MAC address local authentication configuration example

15.2.1 Configuration requirements

A company needs to restrict guests from connecting to the external network, while access
should be transparent for employees. The MAC address authentication function can be used to
authenticate each employee's MAC address, so that employees can connect to the external
network without manually entering a user name and password, while guest users are prevented
from connecting to the external network.

15.2.2 Network topology

Figure 15-3 Network diagram of MAC address local authentication

15.2.3 Configuration process

(1) Enable MAC authentication on the SW globally.

(2) Configure the local authentication mode on the SW, use a fixed username for authentication,
and configure the username and password locally.

(3) Enable MAC address authentication on port gige0_0.

(4) Verify the configuration.

15.2.4 Configuration step

(1) Enable MAC authentication on the SW globally.
[DPTECH]mac-authentication enable

(2) Configure the local authentication mode on the SW, use a fixed username for authentication,
and configure the username and password locally.
[DPTECH]mac-authentication auth-method local
[DPTECH]mac-authentication auth-username fixed
[DPTECH]mac-authentication local-user zhangsan
[DPTECH-luser-zhangsan]password 123456
[DPTECH-luser-zhangsan]mac-address 11:11:11:11:11:11
[DPTECH-luser-zhangsan]exit

(3) Enable MAC address authentication on port gige0_0.


[DPTECH]interface gige0_0
[DPTECH-gige0_0] mac-authentication enable

(4) Verify the configuration.

The host does not need client software installed for authentication. After the authentication
is passed, the host can access the external network. Use show mac-authentication access-user
in the configuration view to view online users.

15.3 MAC address Radius authentication configuration example

15.3.1 Configuration requirements

A company needs to restrict guests from connecting to the external network, while access
should be transparent for employees. The MAC address authentication function can be used to
authenticate each employee's MAC address, so that employees can connect to the external
network without manually entering a user name and password, while guest users are prevented
from connecting to the external network.

15.3.2 Network topology

Figure 15-4 Network diagram of the MAC address Radius authentication

15.3.3 Configuration process

(1) Enable MAC authentication on the SW globally.

(2) Configure the Radius authentication mode on the SW, use the MAC address username for
authentication, and configure the Radius server.

(3) Enable MAC address authentication on port gige0_0.

(4) Configure Radius server information.

(5) Verify the configuration.

15.3.4 Configuration step

(1) Enable MAC authentication on the SW globally.


[DPTECH]mac-authentication enable

(2) Configure the Radius authentication mode on the SW, use the MAC address username for
authentication, and configure the Radius server.
[DPTECH]mac-authentication auth-method radius
[DPTECH]mac-authentication auth-username mac
[DPTECH] mac-authentication radius-server 192.168.0.1 key test123
[DPTECH]mac-authentication local-user f0:de:f1:ea:7f:5e
[DPTECH-luser-f0:de:f1:ea:7f:5e]password simple f0:de:f1:ea:7f:5e
[DPTECH-luser-f0:de:f1:ea:7f:5e]mac-address f0:de:f1:ea:7f:5e

(3) Enable MAC address authentication on port gige0_0.


[DPTECH] interface gige0_0
[DPTECH-gige0_0]mac-authentication enable

(4) Configure Radius server information.

(5) Verify the configuration.

The host does not need client software for authentication. After the authentication is passed,
the host can access the external network. Enter the user view and use the show macauth users
command to view online users.

16 Portal Configuration Example

16.1 Introduction to Portal authentication

Portal authentication is a way to restrict users from accessing the Internet. There are two
methods: web authentication and terminal authentication. With web authentication, when the
user opens a web page, a specific authentication page is pushed to the user, who must enter a
user name and password; after the authentication succeeds, the user can access the Internet
normally. With terminal authentication, the user enters the corresponding user name and
password in the client, and can access the external network only after the authentication
succeeds.

Portal authentication is implemented by issuing a Portal-acl. A Portal-acl can be configured
with the user's source IP address, destination IP address, port and action (authentication or
pass). In this way, you can flexibly require authentication for (or pass) users on a certain
source network segment, or require authentication for (or pass) users going to certain
destination IP network segments.

16.1.1 Portal authentication method and mode

Table 16-1 Portal authentication method and mode

Item                          Description
Web authentication            The user uses the web page to enter the username and password to access the Internet.
Terminal authentication       The user uses the client software to enter the username and password to log in to the Internet.
Local authentication method   The user logs in with the username and password on the device.
Radius authentication method  The user logs in using the username and password on the Radius server.

16.2 Portal authentication configuration example

16.2.1 Configuration requirements

A company needs to restrict employees from accessing the Internet. Employees with user name
and password accounts can authenticate to the Internet. If they do not have an account, they can
use the Web login authentication.

16.2.2 Network topology

Figure 16-1 Web authentication network diagram (PC connected to SW; vlan-if2 on SW is
192.168.2.1/24)

16.2.3 Configuration process

(1) Configure the VLAN and IP address on the SW.

(2) Enable Portal authentication and configure ACL on the SW.

(3) Add a local user on the SW.

(4) Verify the configuration.

16.2.4 Configuration step

(1) Add vlan2 to the SW, assign it to the port, and configure the vlan-if IP address.
[DPTECH]vlan 2
[DPTECH-vlan2]interface vlan-if 2
[DPTECH-vlan-if2]ip address 192.168.2.1/24
[DPTECH-vlan-if2]interface gige 0_2
[DPTECH-gige0_2]switchport access vlan 2
[DPTECH-gige0_2]

(2) Enable Portal authentication on the SW and configure an ACL.
[DPTECH]web-authentication enable
[DPTECH]portal auth-method local
[DPTECH]portal acl mode ipv4
[DPTECH-portal-acl-mode-ipv4]rule 1 source-ipv4 192.168.2.0/24 destination-ipv4 any interface gige0_2 action deny

(3) Add local user test on SW.


[DPTECH]portal local-user test
[DPTECH-luser-test]password 12345678
[DPTECH-luser-test]exit

(4) Verify the configuration.

When the PC tries to access the external network, the page for entering the user name and
password is pushed to it. After entering the user name and password, the user can access the
network normally.


17 Spanning Tree Configuration Example
17.1 Introduction to spanning tree
The Spanning Tree Protocol (STP) is a loop-prevention protocol for Layer 2 networks that
provides link redundancy. When the spanning tree protocol senses that there is a loop in the
network, it selects an appropriate location on the loop and blocks the port on that link, so that
the port no longer receives or forwards packets. In this way, a possible broadcast storm on the
loop is eliminated. Based on the topology of the network, the spanning tree protocol generates a
tree topology according to a certain algorithm, thereby avoiding loops in the network. When the
network topology changes, the spanning tree algorithm recalculates the tree according to the
new topology and generates a new tree structure, which provides loop protection.

The work of spanning tree is mainly divided into three parts: election process, topology
calculation, and port behavior determination. After the root bridge is elected, the tree topology is
calculated under the unified command of the root bridge, with the root bridge as the root of the
tree. After the tree topology is calculated, the port roles are determined. The root port and the
designated port are involved in packet forwarding. The blocked port does not forward packets.

Figure 17-1 Spanning tree protocol

Item              Description

Root bridge       Elected or manually designated to direct the work of the entire network; it is
                  the root of the generated tree structure.

Root port         The port on a non-root bridge device that has the optimal path to the root
                  bridge.

Designated port   The ports on the root bridge are all designated ports. The ports on a non-root
                  bridge that forward data, except the root port, are designated ports.

Because STP takes too long to converge, the IEEE defined the Rapid Spanning Tree Protocol
(RSTP) in 802.1w. RSTP introduces the concepts of the edge port, the replace port, and the
backup port, which allow port state changes to be switched quickly in some cases, thus
achieving fast convergence of the spanning tree.


Figure 17-2 Rapid spanning tree protocol

Item           Description

Edge port      A designated port configured to connect to a PC or a downstream switch that does
               not need to run STP. When BPDU protection is enabled on an edge port, the port is
               automatically closed after receiving a BPDU.

Replace port   The backup port of the root port. When the root port fails, it can quickly become
               the new root port and enter the forwarding state.

Backup port    Refers to the port suppressed by the switch.

MSTP is the Multiple Spanning Tree Protocol. Compared with RSTP, it mainly introduces the
concepts of the instance and the domain. Domains divide the network into parts that have
different configurations, with a unified configuration inside each domain. Spanning trees can be
constructed independently within a domain. A single spanning tree connects all the domains (this
spanning tree is called the CST, or common spanning tree), ensuring full connectivity and no
loops. Multiple spanning tree instances can be constructed inside a domain, and different VLANs
can be mapped to different spanning tree instances. Inside each domain, there is an instance
with an instance ID of 0, which together with the CST forms the CIST (Common Internal
Spanning Tree). The CIST connects the domains in the entire network, and the bridge devices
and network segments inside each domain, into a fully acyclic tree.

Figure 17-3 Multiple spanning tree protocol

Item       Description

Instance   A collection of one or more VLANs.

Domain     Composed of multiple devices in the switch network and the network segments between
           them.

17.2 STP configuration example

17.2.1 Configuration requirements

When the network is complex, the user cannot determine whether there is a loop in the network.
Any packet that is broadcast in the Layer 2 network may generate a storm on the loop. Once a
broadcast storm occurs on the loop, it will hardly stop unless human intervention causes the loop
to disappear. Enabling the spanning tree protocol on the Layer 2 network blocks the ports on the
loop according to a certain algorithm, which makes the loop disappear and removes the storm
hazard.


17.2.2 Network topology

Figure 17-4 STP network diagram (SW1, SW2 and SW3 connected in a ring through their gige0_1
and gige0_2 ports)

17.2.3 Configuration process

(1) Create VLAN 2 on SW1, add gige0_1 and gige0_2 to VLAN 2, enable STP, set the bridge
priority to 0 (highest priority), and enable STP on ports gige0_1 and gige0_2.

(2) Create VLAN 2 on SW2 and SW3, add gige0_1 and gige0_2 to VLAN 2, enable STP, set the
bridge priority to 4096, and enable STP on ports gige0_1 and gige0_2.

(3) Verify the configuration.

17.2.4 Configuration step

(1) Create VLAN 2 on SW1, add gige0_1 and gige0_2 to VLAN 2, enable STP, set the bridge
priority to 0 (the highest priority), and enable STP on ports gige0_1 and gige0_2.
<DPTECH>conf-mode
[DPTECH]
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]spanning-tree enable
[DPTECH]spanning-tree mode stp
[DPTECH]spanning-tree bridge-priority 0
[DPTECH]interface gige0_1
[DPTECH-gige0_1]spanning-tree enable
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]spanning-tree enable

(2) Create VLAN 2 on SW2 and SW3, add gige0_1 and gige0_2 to VLAN 2, enable STP, set the
bridge priority to 4096, and enable STP on ports gige0_1 and gige0_2.
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]spanning-tree enable
[DPTECH]spanning-tree mode stp
[DPTECH]spanning-tree bridge-priority 4096
[DPTECH]interface gige0_1
[DPTECH-gige0_1]
[DPTECH-gige0_1]spanning-tree enable
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]spanning-tree enable

(3) Verify the configuration

View the STP results.

# SW1 state
<DPTECH>show spanning-tree
MST0
Spanning tree enabled protocol STP
Root ID Priority 0
Address 00:24:AC:71:AD:85
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 0
Address 00:24:AC:71:AD:85
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest Oxac36177f 50283cd4 b83821d8 ab26de62

Interface           Role       Sts        Cost      Prio     P2p
------------------- ---------- ---------- --------- -------- -----
gige0_1             designated forwarding 20000     128      yes
gige0_2             designated forwarding 20000     128      yes
<DPTECH>

# SW2 state
<DPTECH>show spanning-tree
MST0
Spanning tree enabled protocol STP
Root ID Priority 0
Address 00:24:AC:71:AD:85
Cost 20000
Port gige0_1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 4096
Address 00:24:AC:71:AD:86
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest Oxac36177f 50283cd4 b83821d8 ab26de62

Interface           Role       Sts        Cost      Prio     P2p
------------------- ---------- ---------- --------- -------- -----
gige0_1             root       forwarding 20000     128      yes
gige0_2             alternate  blocking   20000     128      yes
<DPTECH>

# SW3 state
<DPTECH>show spanning-tree
MST0
Spanning tree enabled protocol STP
Root ID Priority 0
Address 00:24:AC:71:AD:85
Cost 20000
Port gige0_1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 4096
Address 00:24:AC:71:AD:88
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest Oxac36177f 50283cd4 b83821d8 ab26de62

Interface           Role       Sts        Cost      Prio     P2p
------------------- ---------- ---------- --------- -------- -----
gige0_1             designated forwarding 20000     128      yes
gige0_2             root       forwarding 20000     128      yes
<DPTECH>

The above information indicates that the spanning tree protocol blocks the gige0_2 port on SW2,
making the original loop into a tree structure, as shown in the following figure:

Figure 17-5 STP tree diagram
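
One way to automate the verification step, added here as an example and not part of the DPtech manual or software: the script parses show spanning-tree text in the layout printed above and reports an unexpected root bridge, a "This bridge is the root" line that disagrees with the Root ID and Bridge ID, and a host-facing port that has taken the root or alternate role. The function names, the host port gige0_5 and the MAC 00:00:5E:00:53:01 in the second sample are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# SW2 output as printed in section 17.2.4 (column spacing is not significant).
SW2_FROM_PAGE = """\
MST0
Spanning tree enabled protocol STP
Root ID Priority 0
Address 00:24:AC:71:AD:85
Cost 20000
Port gige0_1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Bridge ID Priority 4096
Address 00:24:AC:71:AD:86
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Interface Role Sts Cost Prio P2p
------------------- ---------- ---------- --------- -------- -----
gige0_1 root forwarding 20000 128 yes
gige0_2 alternate blocking 20000 128 yes
"""

# Constructed sample (not from the manual): the same switch after a bridge with a
# lower bridge ID is heard on host-facing port gige0_5. Port name and MAC are made up.
SW2_CONSTRUCTED = (
    SW2_FROM_PAGE
    .replace("Address 00:24:AC:71:AD:85", "Address 00:00:5E:00:53:01")
    .replace("Port gige0_1", "Port gige0_5")
    .replace("gige0_1 root forwarding", "gige0_1 alternate blocking")
    + "gige0_5 root forwarding 20000 128 yes\n"
)

@dataclass
class Instance:
    name: str                    # "MST0", "MST1", ...
    root: tuple = None           # (priority, mac) from the "Root ID" block
    bridge: tuple = None         # (priority, mac) from the "Bridge ID" block
    claims_root: bool = False    # "This bridge is the root" was printed
    ports: dict = field(default_factory=dict)   # port -> (role, state)

# Interface rows: name, role, state, cost, priority, p2p.
PORT_ROW = re.compile(r"(\S+)\s+(\S+)\s+(\S+)\s+\d+\s+\d+\s+(?:yes|no)$")

def parse_show_spanning_tree(text):
    """Split the output into one Instance per MSTn block."""
    instances, cur, block = [], None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if re.fullmatch(r"MST\d+", line):
            cur, block = Instance(line), None
            instances.append(cur)
        elif cur is None:
            continue
        elif m := re.match(r"(Root|Bridge) ID\s+Priority\s+(\d+)$", line):
            block = m.group(1).lower()          # the next Address line belongs here
            setattr(cur, block, (int(m.group(2)), None))
        elif block and (m := re.match(r"Address\s+([0-9A-Fa-f:]{17})$", line)):
            setattr(cur, block, (getattr(cur, block)[0], m.group(1).lower()))
        elif line == "This bridge is the root":
            cur.claims_root = True
        elif m := PORT_ROW.match(line):
            cur.ports[m.group(1)] = (m.group(2), m.group(3))
    return instances

def audit(instances, expected_roots, host_ports=()):
    """Return findings for one switch. expected_roots maps an instance name to the
    MAC of the intended root bridge; host_ports are ports where no bridge belongs."""
    findings = []
    for inst in instances:
        if inst.root is None or inst.bridge is None:
            findings.append(f"{inst.name}: Root ID or Bridge ID block missing")
            continue
        want = expected_roots.get(inst.name)
        if want and inst.root[1] != want.lower():
            findings.append(f"{inst.name}: unexpected root {inst.root[1]} "
                            f"(priority {inst.root[0]}), expected {want.lower()}")
        is_root = inst.root == inst.bridge
        if inst.claims_root != is_root:
            findings.append(f"{inst.name}: 'This bridge is the root' disagrees "
                            "with Root ID / Bridge ID")
        n_root_ports = sum(role == "root" for role, _ in inst.ports.values())
        if n_root_ports != (0 if is_root else 1):
            findings.append(f"{inst.name}: {n_root_ports} root port(s)")
        for port in host_ports:
            role, _ = inst.ports.get(port, (None, None))
            if role in ("root", "alternate"):   # roles that require received BPDUs
                findings.append(f"{inst.name}: host port {port} has role {role}")
    return findings

if __name__ == "__main__":
    expected = {"MST0": "00:24:AC:71:AD:85"}    # SW1, the configured root
    for label, text in (("page", SW2_FROM_PAGE), ("constructed", SW2_CONSTRUCTED)):
        result = audit(parse_show_spanning_tree(text), expected, host_ports=("gige0_5",))
        print(label, result or "OK")
```

For the MSTP example, pass one expected root per instance, for example a mapping with keys MST1 and MST2.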

17.3 RSTP configuration example

17.3.1 Configuration requirements

There may be loops in the user's network. Once a broadcast storm occurs on a loop, it will hardly
stop. Both RSTP and STP can block the ports on the loop according to certain algorithms so that
the loop disappears, but the RSTP convergence time is shorter. It is better to use RSTP when
users have higher requirements on convergence time.


17.3.2 Network topology

Figure 17-6 RSTP network diagram (SW1, SW2 and SW3 connected in a ring through their gige0_1
and gige0_2 ports)

17.3.3 Configuration process

(1) Create VLAN 2 on SW1, add gige0_1 and gige0_2 to VLAN 2, enable RSTP, set the bridge
priority to 0 (the highest priority), and enable RSTP on ports gige0_1 and gige0_2.

(2) Create VLAN 2 on SW2 and SW3, add gige0_1 and gige0_2 to VLAN 2, enable RSTP, set the
bridge priority to 4096, and enable RSTP on ports gige0_1 and gige0_2.

(3) Verify the configuration.

17.3.4 Configuration step

(1) Create VLAN 2 on SW1, add gige0_1 and gige0_2 to VLAN 2, enable RSTP, set the bridge
priority to 0 (the highest priority), and enable RSTP on ports gige0_1 and gige0_2.
<DPTECH>conf-mode
[DPTECH]
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]spanning-tree enable
[DPTECH]spanning-tree mode rstp
[DPTECH]spanning-tree bridge-priority 0
[DPTECH]interface gige0_1
[DPTECH-gige0_1]spanning-tree enable
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]spanning-tree enable

(2) Create VLAN 2 on SW2 and SW3, add gige0_1 and gige0_2 to VLAN 2, enable RSTP, set the
bridge priority to 4096, and enable RSTP on ports gige0_1 and gige0_2.
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]spanning-tree enable
[DPTECH]spanning-tree mode rstp
[DPTECH]spanning-tree bridge-priority 4096
[DPTECH]interface gige0_1
[DPTECH-gige0_1]
[DPTECH-gige0_1]spanning-tree enable
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]spanning-tree enable

(3) Verify the configuration.

Enter the user view. Use the show spanning-tree command to check the RSTP status. The RSTP
protocol blocks a port according to a certain algorithm to make the loop disappear.

17.4 MSTP configuration example

17.4.1 Configuration requirements

MSTP is the Multiple Spanning Tree Protocol. Compared with STP, MSTP has a short
convergence time and allows ports to enter the forwarding state quickly. Compared with RSTP,
MSTP can divide the network into different domains and map different VLANs to different
instances. Each instance corresponds to a separate spanning tree, which provides link
redundancy and load sharing. When the user's network is complex and the convergence time
requirement is strict, MSTP is a good choice.


17.4.2 Network topology

Figure 17-7 MSTP network diagram (SW1, SW2, SW3 and SW4 interconnected through ports
gige0_1, gige0_2 and gige0_3)

• All of the above switches belong to the same domain.
• All interfaces in the figure are trunks, allowing VLAN 2-3 to pass.
• The root bridges of instance 1 and instance 2 are SW1 and SW4, respectively.
• VLAN 2 is forwarded along instance 1, and VLAN 3 is forwarded along instance 2.

17.4.3 Configuration process

(1) On SW1, configure VLAN 2 as the protected VLAN of instance 1 with bridge priority 0, and
VLAN 3 as the protected VLAN of instance 2 with bridge priority 4096. The member ports are
gige0_1, gige0_2, and gige0_3.

(2) On SW2 and SW3, configure VLAN 2 as the protected VLAN of instance 1 with bridge priority
4096, and VLAN 3 as the protected VLAN of instance 2 with bridge priority 4096. The member
ports are gige0_1, gige0_2, and gige0_3.

(3) On SW4, configure VLAN 2 as the protected VLAN of instance 1 with bridge priority 4096, and
VLAN 3 as the protected VLAN of instance 2 with bridge priority 0. The member ports are
gige0_1, gige0_2, and gige0_3.

(4) Verify the configuration.


17.4.4 Configuration step

(1) On SW1, configure VLAN 2 as the protected VLAN of instance 1 with bridge priority 0, and
VLAN 3 as the protected VLAN of instance 2 with bridge priority 4096. The member ports are
gige0_1, gige0_2, and gige0_3.
<DPTECH>conf-mode
[DPTECH]vlan 2 to 3
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport mode trunk
[DPTECH-gige0_1]switchport trunk allowed vlan 2-3
[DPTECH-gige0_1]switchport trunk native vlan 3
[DPTECH]interface gige0_2
[DPTECH-gige0_2]switchport mode trunk
[DPTECH-gige0_2]switchport trunk allowed vlan 2-3
[DPTECH-gige0_2]switchport trunk native vlan 3
[DPTECH]interface gige0_3
[DPTECH-gige0_3]switchport mode trunk
[DPTECH-gige0_3]switchport trunk allowed vlan 2-3
[DPTECH-gige0_3]switchport trunk native vlan 3
[DPTECH]spanning-tree enable
[DPTECH]spanning-tree mode mst
[DPTECH]interface gige0_1
[DPTECH-gige0_1]
[DPTECH-gige0_1]spanning-tree enable
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]spanning-tree enable
[DPTECH]interface gige0_3
[DPTECH-gige0_3]spanning-tree enable
[DPTECH]spanning-tree mst configuration
[DPTECH-MSTP]instance 1 vlan 2
[DPTECH]spanning-tree mst 1 bridge-priority 0
[DPTECH-MSTP]instance 2 vlan 3
[DPTECH]spanning-tree mst 2 bridge-priority 4096
[DPTECH]

(2) On SW2 and SW3 respectively, configure VLAN 2 as the protected VLAN of instance 1 with
bridge priority 4096, and VLAN 3 as the protected VLAN of instance 2 with bridge priority 4096.
The member ports are gige0_1, gige0_2, and gige0_3.
<DPTECH>conf-mode
[DPTECH]vlan 2 to 3
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport mode trunk
[DPTECH-gige0_1]switchport trunk allowed vlan 2-3
[DPTECH-gige0_1]switchport trunk native vlan 3
[DPTECH]interface gige0_2
[DPTECH-gige0_2]switchport mode trunk
[DPTECH-gige0_2]switchport trunk allowed vlan 2-3
[DPTECH-gige0_2]switchport trunk native vlan 3
[DPTECH]interface gige0_3
[DPTECH-gige0_3]switchport mode trunk
[DPTECH-gige0_3]switchport trunk allowed vlan 2-3
[DPTECH-gige0_3]switchport trunk native vlan 3
[DPTECH]spanning-tree enable
[DPTECH]spanning-tree mode mst
[DPTECH]interface gige0_1
[DPTECH-gige0_1]
[DPTECH-gige0_1]spanning-tree enable
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]spanning-tree enable
[DPTECH]interface gige0_3
[DPTECH-gige0_3]spanning-tree enable
[DPTECH]spanning-tree mst configuration
[DPTECH-MSTP]instance 1 vlan 2
[DPTECH]spanning-tree mst 1 bridge-priority 4096
[DPTECH-MSTP]instance 2 vlan 3
[DPTECH]spanning-tree mst 2 bridge-priority 4096
[DPTECH]

(3) On SW4, configure VLAN 2 as the protected VLAN of instance 1 with bridge priority 4096, and
VLAN 3 as the protected VLAN of instance 2 with bridge priority 0. The member ports are
gige0_1, gige0_2, and gige0_3.
<DPTECH>conf-mode
[DPTECH]vlan 2 to 3
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport mode trunk
[DPTECH-gige0_1]switchport trunk allowed vlan 2-3
[DPTECH-gige0_1]switchport trunk native vlan 3
[DPTECH]interface gige0_2
[DPTECH-gige0_2]switchport mode trunk
[DPTECH-gige0_2]switchport trunk allowed vlan 2-3
[DPTECH-gige0_2]switchport trunk native vlan 3
[DPTECH]interface gige0_3
[DPTECH-gige0_3]switchport mode trunk
[DPTECH-gige0_3]switchport trunk allowed vlan 2-3
[DPTECH-gige0_3]switchport trunk native vlan 3
[DPTECH]spanning-tree enable
[DPTECH]spanning-tree mode mst
[DPTECH]interface gige0_1
[DPTECH-gige0_1]
[DPTECH-gige0_1]spanning-tree enable
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]spanning-tree enable
[DPTECH]interface gige0_3
[DPTECH-gige0_3]spanning-tree enable
[DPTECH]spanning-tree mst configuration
[DPTECH-MSTP]instance 1 vlan 2
[DPTECH]spanning-tree mst 1 bridge-priority 4096
[DPTECH-MSTP]instance 2 vlan 3
[DPTECH]spanning-tree mst 2 bridge-priority 0
[DPTECH]

(4) View the MSTP results.

# SW1 state
<DPTECH>show spanning-tree
MST0
Spanning tree enabled protocol MSTP
Root ID Priority 32768
Address 00:11:55:44:33:99
Cost 6666
Port bond1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32768
Address 00:24:AC:71:AD:85
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest Oxb41829f9 3a54f b74ef7a8 587ff58d

Interface           Role       Sts        Cost      Prio     P2p
------------------- ---------- ---------- --------- -------- -----
gige0_1             root       forwarding 20000     128      yes
gige0_2             alternate  blocking   20000     128      yes
gige0_3             designated forwarding 20000     128      yes

MST1
Spanning tree enabled protocol MSTP
Root ID Priority 0
Address 00:24:AC:71:AD:85
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 0
Address 00:24:AC:71:AD:85
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest Oxb41829f9 3a54f b74ef7a8 587ff58d

Interface           Role       Sts        Cost      Prio     P2p
------------------- ---------- ---------- --------- -------- -----
gige0_1             designated forwarding 20000     128      yes
gige0_2             designated forwarding 20000     128      yes
gige0_3             designated forwarding 20000     128      yes

MST2
Spanning tree enabled protocol MSTP
Root ID Priority 0
Address 00:11:55:44:33:99
Cost 6666
Port bond1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 4096
Address 00:24:AC:71:AD:85
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest Oxb41829f9 3a54f b74ef7a8 587ff58d

Interface           Role       Sts        Cost      Prio     P2p
------------------- ---------- ---------- --------- -------- -----
gige0_1             alternate  blocking   20000     128      yes
gige0_2             alternate  blocking   20000     128      yes
gige0_3             root       forwarding 20000     128      yes
<DPTECH>

# SW2 state
<DPTECH>show spanning-tree
MST0
Spanning tree enabled protocol MSTP
Root ID Priority 32768
Address 00:11:55:44:33:99
Cost 6666
Port bond1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32768
Address 00:11:55:44:33:99
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest Oxb41829f9 3a54f b74ef7a8 587ff58d

Interface           Role       Sts        Cost      Prio     P2p
------------------- ---------- ---------- --------- -------- -----
gige0_1             designated forwarding 20000     128      yes
gige0_2             designated forwarding 20000     128      yes
gige0_3             designated forwarding 20000     128      yes

MST1
Spanning tree enabled protocol MSTP
Root ID Priority 4096
Address 00:24:AC:D4:BB:40
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 0
Address 00:24:ac:3a:95:bb
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest Oxb41829f9 3a54f b74ef7a8 587ff58d

Interface           Role       Sts        Cost      Prio     P2p
------------------- ---------- ---------- --------- -------- -----
gige0_1             root       forwarding 20000     128      yes
gige0_2             designated forwarding 20000     128      yes
gige0_3             designated forwarding 20000     128      yes

MST2
Spanning tree enabled protocol MSTP
Root ID Priority 0
Address 00:24:AC:D4:BB:40
Cost 6666
Port bond1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 4096
Address 00:11:55:44:33:99
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest Oxb41829f9 3a54f b74ef7a8 587ff58d

Interface           Role       Sts        Cost      Prio     P2p
------------------- ---------- ---------- --------- -------- -----
gige0_1             designated forwarding 20000     128      yes
gige0_2             root       forwarding 20000     128      yes
gige0_3             designated forwarding 20000     128      yes
<DPTECH>

# SW3 state
<DPTECH>show spanning-tree
MST0
Spanning tree enabled protocol MSTP
Root ID Priority 32768
Address 00:11:55:44:33:99
Cost 6666
Port bond1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32768
Address 00:24:AC:D4:BB:40
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest Oxb41829f9 3a54f b74ef7a8 587ff58d

Interface           Role       Sts        Cost      Prio     P2p
------------------- ---------- ---------- --------- -------- -----
gige0_1             designated forwarding 20000     128      yes
gige0_2             designated forwarding 20000     128      yes
gige0_3             root       forwarding 20000     128      yes

MST1
Spanning tree enabled protocol MSTP
Root ID Priority 0
Address 00:24:AC:71:AD:85
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 4096
Address 00:24:AC:D4:BB:40
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest Oxb41829f9 3a54f b74ef7a8 587ff58d

Interface           Role       Sts        Cost      Prio     P2p
------------------- ---------- ---------- --------- -------- -----
gige0_1             designated forwarding 20000     128      yes
gige0_2             root       forwarding 20000     128      yes
gige0_3             alternate  blocking   20000     128      yes

MST2
Spanning tree enabled protocol MSTP
Root ID Priority 0
Address 00:11:55:44:33:99
Cost 6666
Port bond1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 4096
Address 00:24:AC:D4:BB:40
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest Oxb41829f9 3a54f b74ef7a8 587ff58d

Interface           Role       Sts        Cost      Prio     P2p
------------------- ---------- ---------- --------- -------- -----
gige0_1             root       forwarding 20000     128      yes
gige0_2             designated forwarding 20000     128      yes
gige0_3             alternate  blocking   20000     128      yes
<DPTECH>

# SW4 state
<DPTECH>show spanning-tree
MST0
Spanning tree enabled protocol MSTP
Root ID Priority 32768
Address 00:11:55:44:33:99
Cost 6666
Port bond1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32768
Address 00:24:ac:3a:95:bb
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest Oxb41829f9 3a54f b74ef7a8 587ff58d

Interface           Role       Sts        Cost      Prio     P2p
------------------- ---------- ---------- --------- -------- -----
gige0_1             alternate  blocking   20000     128      yes
gige0_2             root       forwarding 20000     128      yes
gige0_3             alternate  blocking   20000     128      yes

MST1
Spanning tree enabled protocol MSTP
Root ID Priority 4096
Address 00:24:AC:71:AD:85
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 4096
Address 00:24:ac:3a:95:bb
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest Oxb41829f9 3a54f b74ef7a8 587ff58d

Interface           Role       Sts        Cost      Prio     P2p
------------------- ---------- ---------- --------- -------- -----
gige0_1             alternate  blocking   20000     128      yes
gige0_2             alternate  blocking   20000     128      yes
gige0_3             root       forwarding 20000     128      yes

MST2
Spanning tree enabled protocol MSTP
Root ID Priority 0
Address 00:24:ac:3a:95:bb
Cost 6666
Port bond1
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 0
Address 00:24:ac:3a:95:bb
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Configuration Digest Oxb41829f9 3a54f b74ef7a8 587ff58d

Interface           Role       Sts        Cost      Prio     P2p
------------------- ---------- ---------- --------- -------- -----
gige0_1             designated forwarding 20000     128      yes
gige0_2             designated forwarding 20000     128      yes
gige0_3             designated forwarding 20000     128      yes
<DPTECH>

The above results show that in instance 1, SW1 has the highest priority and is the root of the
MSTP instance. The topology diagram is as follows:

Figure 17-8 Instance 1 tree diagram (SW1, SW2, SW3 and SW4)

The above results show that in instance 2, SW4 has the highest priority and is the root of the
MSTP instance. The topology diagram is as follows:

Figure 17-9 Instance 2 tree diagram (SW1, SW2, SW3 and SW4)


18 VRRP Configuration Example
18.1 VRRP introduction
The Virtual Router Redundancy Protocol (VRRP) is a routing protocol proposed by the IETF to
solve the single point of failure of a statically configured gateway in a LAN. It is a routing
fault-tolerance protocol, which can also be called a backup routing protocol. All hosts in a local
area network set a default route. When the destination address of a packet sent by a host is not
on the local network segment, the packet is sent to the external router through the default route,
thus implementing communication between the host and the external network. When the default
router is down (that is, the port is closed), the internal hosts cannot communicate with the
outside. If VRRP is set on the routers, the virtual router enables the backup router to take over,
so that network-wide communication continues.

18.2 VRRP configuration example

18.2.1 Configuration requirements

A company's intranet needs gateway redundancy. When one device fails, the other device
continues to work normally, so the company's business operations are not affected.


18.2.2 Network topology

Figure 18-1 VRRP network diagram (SW1 and SW2, each with ports gige0_0 and gige0_1;
VLAN-if 10 is 1.1.1.2 on SW1 and 1.1.1.3 on SW2; virtual IP V_IP is 1.1.1.1)

18.2.3 Configuration process

(1) Configure VLAN 10 on SW1 and SW2, and configure the port and vlan-if IP.

(2) Enable VRRP on SW1 and SW2, configure virtual IP, and set priority.

(3) Verify the configuration.

18.2.4 Configuration step

(1) Configure VLAN 10 on SW1 and SW2, and configure the port and vlan-if IP.

# Configure on SW1
[DPTECH]vlan 10
[DPTECH-vlan10]port gige0_0
[DPTECH-vlan10]exit
[DPTECH]inter vlan-if10
[DPTECH-vlan-if10]ip address 1.1.1.2/24
[DPTECH-vlan-if10]exit
[DPTECH]

# Configure on SW2
[DPTECH]vlan 10
[DPTECH-vlan10]port gige0_0
[DPTECH-vlan10]exit
[DPTECH]inter vlan-if10
[DPTECH-vlan-if10]ip address 1.1.1.3/24
[DPTECH-vlan-if10]

(2) Enable VRRP on SW1 and SW2, configure the virtual IP, and set the priority and preempt mode.

# Configure on SW1.
[DPTECH-vlan-if10]vrrp vrid 1 ip 1.1.1.1
[DPTECH-vlan-if10]vrrp vrid 1 priority 150
[DPTECH-vlan-if10]vrrp vrid 1 preempt delay 10

# Configure on SW2.
[DPTECH-vlan-if10]vrrp vrid 1 ip 1.1.1.1
[DPTECH-vlan-if10]vrrp vrid 1 priority 100
[DPTECH-vlan-if10]vrrp vrid 1 preempt delay 10

(3) Verify the configuration.


[DPTECH-vlan-if10]show vrrp

The user can set the gateway to 1.1.1.1 and can communicate with the gateway normally.


19 VSM Configuration Example
19.1 VSM introduction
A Virtual Switch Matrix (VSM) connects two or more devices through physical ports to form a
virtual logical device. Each device in the VSM is called a member device. All the configurations of
the member devices are consistent. The member devices can be classified into two modes
according to their functions: Master and Slave.

Table 19-1 VSM introduction

Item     Description

Master   Responsible for managing the entire VSM.

Slave    Runs as a backup device for the Master.

When the master fails, a slave automatically becomes the new master and takes over from the
original master. The master and slave roles are both decided by election. Only one master can
exist in one VSM at the same time. The other member devices are slaves.

Several concepts in VSM:

Table 19-2 Several concepts in VSM

Item                 Description

VSM identification   That is, the VSM ID. In the VSM, each device is uniquely identified by its
                     VSM ID. Election is performed according to the VSM ID. The VSM ID value on
                     the switch is 0-7.

VSM cascade board    The board used for VSM cascading. The switch supports dedicated LSW-2xcx4
                     cards as cascading boards.

VSM cascade port     On the VSM cascading board, the 10M optical port is dedicated to the VSM. The
                     two devices use the VSM expansion port to form a VSM channel. When multiple
                     physical ports are used for cascading, the cascading port names of the same
                     device must be the same.

VSM channel          The communication between the two devices and the forwarding of packets
                     across devices are implemented through the VSM channel.

19.2 VSM active and standby election


A VSM system consists of two or more member devices. Each member device has a mode, that is,
master or slave. The process of determining the mode of each member device is called the
active/standby election. When the VSM is first formed, the VSM mode of each device defaults to
Slave. An active/standby election takes place when the VSM is established and when new devices
are added. The active/standby election rules are as follows:

• No election is needed when exactly one member is currently the Master;
• An election is held when the modes of the two devices are the same;
• When the devices in the VSM are all slaves, the device with the smallest VSM ID becomes the
  master, and the others remain slaves.
• When the devices in the VSM are all masters, the device with the smallest VSM ID is the master,
  and the other devices restart in slave mode.

19.3 VSM configuration synchronization


VSM configuration synchronization consists of two steps: batch synchronization during
initialization and real-time synchronization during stable operation:

Table 19-3 VSM configuration synchronization

Item                     Description

Batch synchronization    When two devices are combined to form a VSM, the Master device is
                         elected first. The master device starts with its own startup
                         configuration file. During the startup process, its configuration is
                         synchronized to the slave device. The slave device is initialized and
                         the VSM is formed. Batch synchronization is also performed when a new
                         member device is added during VSM operation. The new device reboots
                         into the VSM as a slave, and the Master batch-synchronizes the current
                         configuration to the new device. The new device is initialized with
                         the synchronized configuration.

Real-time                After all devices are initialized, the VSM runs as a single network
synchronization          device on the network. As the management center of the VSM system, the
                         master device is responsible for synchronizing the user's
                         configuration to the slave device, so that the configuration of the
                         devices in the VSM stays consistent at all times.

19.4 VSM maintenance


The main function of VSM maintenance is to monitor member devices joining and leaving, to switch
between the active and standby devices when needed, and to elect a new master device to manage
the VSM.

(1) Member device join

During the VSM maintenance process, the heartbeat information sent by other devices is
continuously detected. When a new member device is added, different processes are taken
according to the state of the newly added device:

• The newly added device has not formed a VSM. For example, the newly added device is
  configured with the VSM function, powered off, connected to the existing VSM system with the
  VSM cable, and then powered on and restarted. The device will be selected as Slave.
• The newly added device has already formed a VSM. For example, the newly added device is
  configured with the VSM function and has been running as a VSM system, and is then connected
  to the existing VSM system. In this case, there are two master devices in the VSM (in general,
  it is not recommended to form a VSM this way). The two VSMs perform the active/standby
  election according to the election rules. The device that is elected slave rejoins the VSM in
  the role of the slave.

Possible reasons for member devices to join are: members are manually added to the VSM system;
a device that left because of a device fault or a link fault rejoins the VSM after the fault is
rectified.

(2) Member device departure

The VSM can accurately determine whether a member device has left.

• When the VSM channel between member devices in the VSM goes down, the expansion port goes
  down. The other member devices in the VSM quickly detect that the device has left (without
  waiting for the heartbeat information to time out).
• When an abnormality occurs on the VSM channel, the members in the VSM cannot receive
  heartbeat information from other members. Once the timeout period is exceeded, a member
  determines that all devices other than itself have left.

A member device that learns of a departure uses its locally maintained VSM information to judge
whether the departed device is the master or a slave. If the master has left, a new
active/standby election is triggered and the local VSM information is updated. If a slave has
left, the local VSM information is updated directly. Possible reasons for a member device to
leave are: the member device is manually removed; the member device is faulty; the link is
faulty.
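
The election rules of 19.2 and the join/leave handling of 19.4, modelled as an added Python example (not DPtech software). Assumptions, also marked in the comments: exactly one existing Master means no election takes place, and when several Masters meet, the smallest VSM ID among them wins and the others restart as Slave.

```python
from dataclasses import dataclass, field

MASTER, SLAVE = "Master", "Slave"


def elect(modes):
    """Apply the 19.2 rules to {vsm_id: mode}.

    Returns (master_id, restarts): the elected master and the IDs that have to
    restart in Slave mode.
    """
    if not modes:
        raise ValueError("a VSM needs at least one member")
    if any(not 0 <= vsm_id <= 7 for vsm_id in modes):
        raise ValueError("VSM ID must be in the range 0-7")
    masters = sorted(i for i, mode in modes.items() if mode == MASTER)
    if len(masters) == 1:
        return masters[0], []        # assumption: one Master already, no election
    if not masters:
        return min(modes), []        # all Slaves: the smallest VSM ID wins
    # Several Masters, e.g. two formed VSMs were cabled together.
    # Assumption: the smallest ID among the Masters wins, the losers restart.
    return masters[0], masters[1:]


@dataclass
class Vsm:
    modes: dict = field(default_factory=dict)    # vsm_id -> mode

    @property
    def master(self):
        return next((i for i, m in self.modes.items() if m == MASTER), None)

    def _apply(self):
        winner, restarts = elect(self.modes)
        for vsm_id in self.modes:
            self.modes[vsm_id] = MASTER if vsm_id == winner else SLAVE
        return winner, restarts

    def join(self, vsm_id, mode=SLAVE):
        """A device joins; a device that never formed a VSM joins as Slave."""
        if vsm_id in self.modes:
            raise ValueError(f"VSM ID {vsm_id} is already in use")
        self.modes[vsm_id] = mode
        return self._apply()

    def leave(self, vsm_id):
        """A device leaves (channel down or heartbeat timeout)."""
        was_master = self.modes.pop(vsm_id) == MASTER
        if not self.modes:
            return None, []
        if was_master:
            return self._apply()     # the Master left: new election
        return self.master, []       # a Slave left: only the member list changes


if __name__ == "__main__":
    vsm = Vsm()
    print(vsm.join(0), vsm.join(1))  # device 0 becomes Master
    print(vsm.leave(0))              # device 1 takes over
    print(vsm.join(0))               # device 0 returns as Slave, 1 stays Master
```

Under these rules a repaired device with a lower VSM ID does not take the Master role back when it rejoins as Slave; the role only moves when the Master leaves or two Masters meet.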

19.5 VSM configuration example

19.5.1 Configuration requirements

The VSM uses a series of redundant backup technologies to ensure the high reliability of the VSM
system. Users can deploy VSM devices at the access layer, the aggregation layer, and in the data
center to minimize the downtime caused by daily maintenance operations and sudden system
crashes, which reduces the impact of network failures.

19.5.2 Network topology

Figure 19-1 VSM network diagram

• After the VSM is enabled, the port displayed on the device is named VSM ID + slot number +
  port number, such as gige0_1_0.
• After the VSM is enabled, the device automatically elects the master. The device with the
  smaller VSM ID is elected as the master. You can use the show vsm command to view which
  device is the master. All configuration is performed on the master. When the VSM function
  is enabled or disabled, the device clears its configuration and restarts.
• You need to ensure that the route between SW1 and the gateway is reachable. You can
  configure static routes or dynamic routing protocols. For details, see the chapter Routing
  Protocols.

19.5.3 Configuration process

(1) Enable the VSM function on SW2 and SW3, set the VSM ID of SW2 to 0, and set the VSM ID
of SW3 to 1.

(2) Create corresponding vlan-if ports on SW1 and SW2 and configure IP addresses.

(3) Configure port aggregation on SW1 and SW2.

(4) Verify the configuration.

19.5.4 Configuration step

(1) Turn on the VSM function on SW2 and SW3 respectively.

# Configure on SW2.
<DPTECH>conf-mode
[DPTECH]vsm enable id 0 uplink-port-list tengige1_0 downlink-port-list null
The configuration will cause rebooting and take effect after that.
Are you sure? (Y/N) [N]: y

# Configuration on SW3.
<DPTECH>conf-mode
[DPTECH]vsm enable id 1 uplink-port-list null downlink-port-list tengige1_0
The configuration will cause rebooting and take effect after that.
Are you sure? (Y/N) [N]: y

(2) Create corresponding vlan-if ports on SW1 and SW2 and configure IP addresses.

# Configure on SW1.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_3
[DPTECH-vlan2]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 1.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_1
[DPTECH-vlan3]port gige0_2
[DPTECH-vlan3]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 2.2.2.1/24
[DPTECH-vlan-if3]exit
[DPTECH]

# Configure on SW2.
<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_0_1
[DPTECH-vlan2]port gige1_0_1
[DPTECH-vlan2]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 2.2.2.2/24
[DPTECH-vlan-if2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_0_2
[DPTECH-vlan3]port gige1_0_2
[DPTECH-vlan3]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 3.3.3.1/24
[DPTECH-vlan-if3]exit
[DPTECH]

The configuration of SW3 is synchronized from the configuration of SW2.

(3) Configure port aggregation on SW1 and SW2.

# Configure on SW1.
<DPTECH>conf-mode
[DPTECH]interface bond 1
[DPTECH-bond1]bond mode dynamic
[DPTECH-bond1]bond load-sharing mode source-destination-ip
[DPTECH-bond1]switchport access vlan 3
[DPTECH-bond1]exit
[DPTECH]interface gige 0_1
[DPTECH-gige0_1]bond group 1
[DPTECH-gige0_1]exit
[DPTECH]interface gige 0_2
[DPTECH-gige0_2]bond group 1
[DPTECH-gige0_2]exit
[DPTECH]

# Configure bond1 on SW2.


<DPTECH>conf-mode
[DPTECH]interface bond 1
[DPTECH-bond1]bond mode dynamic
[DPTECH-bond1]bond load-sharing mode source-destination-ip
[DPTECH-bond1]switchport access vlan 2
[DPTECH-bond1]exit
[DPTECH]interface gige0_0_1
[DPTECH-gige0_0_1]bond group 1
[DPTECH-gige0_0_1]exit
[DPTECH]interface gige1_0_1
[DPTECH-gige1_0_1]bond group 1
[DPTECH-gige1_0_1]exit
[DPTECH]

# Configure bond2 on SW2.


<DPTECH>conf-mode
[DPTECH]interface bond 2
[DPTECH-bond2]bond mode dynamic
[DPTECH-bond2]bond load-sharing mode source-destination-ip
[DPTECH-bond2]switchport access vlan 3
[DPTECH-bond2]exit
[DPTECH]interface gige0_0_2
[DPTECH-gige0_0_2]bond group 2
[DPTECH-gige0_0_2]exit
[DPTECH]interface gige1_0_2
[DPTECH-gige1_0_2]bond group 2
[DPTECH-gige1_0_2]exit
[DPTECH]

(4) Verify the configuration.

The master and the slave device can forward packets based on the outbound interface algorithm.
The master can access the external network through the gateway. When the master device fails,
the slave device automatically becomes the master and forwards packets, and the host can still
access the external network. When the slave device fails, the master carries the packet
forwarding, and the host can still access the external network. This achieves link redundancy
and improves network reliability.

20 OVC Configuration Example

20.1 OVC introduction

OVC (OS-Level Virtual Context) technology is a virtualization technology that virtualizes one
physical device into multiple logical devices. After OVC virtualization, the logical devices
on the same physical device have independent hardware, software, forwarding entries,
management planes, and logs, and the operation of one logical device does not affect the others.
OVC technology virtualizes both resources and management. Once the physical device resources
are virtualized, the rapid deployment and adjustment of services is no longer limited by the
physical devices themselves. This saves construction, operation and maintenance costs, allows
flexible on-demand deployment, and provides complete fault isolation. It effectively solves the
problems of multi-service security isolation and on-demand resource allocation, and lays the
foundation for the transition of networks and security to a dynamic and resilient cloud service
model.

OVC can be divided into public OVC and ordinary OVC:

Table 20-1 OVC

Item           Description

Public OVC     The default OVC instance that exists in the initial state of the system is called
               the public OVC, and all resources are used by the public OVC.

Ordinary OVC   OVC instances other than the public OVC are referred to as ordinary OVCs. After
               an ordinary OVC is created, any resources in the system that are not mapped to
               an ordinary OVC belong to the public OVC.

OVC technology is an operating-system-level virtualization technology that enables 1:N
virtualization. Through OS-level virtualization, each OVC can be assigned its own software and
hardware resources, such as independent ports, CPU, memory resources, number of sessions, new
and concurrent sessions, throughput, number of routing entries, and number of security
policies, so the actual specifications of each OVC can be flexibly customized. OVC
virtualization technology enables the system to perform independent process management, memory
management, and disk management for each virtual device. Because this is supported through
operating system virtualization, there is no resource consumption or performance loss caused by
switching and scheduling between virtual devices. OVCs can be completely isolated from one
another at the management plane, the control plane, the data plane, and the service plane,
forming completely independent logical devices. The operating system kernel completes the
scheduling between the OVC virtual devices and allocates hardware resources to each OVC virtual
device according to a preset resource template.

20.2 Management plane virtualization


As shown in the figure, after OVC implements 1:N virtualization of a physical device, each OVC
can be regarded as a separate device, and the user can access and manage an OVC through a
network interface belonging to that OVC. Each OVC has its own configuration management
protocol processes, such as HTTP/CLI/SNMP/SYSLOG. Its configuration file is stored separately,
and it can be restarted, configured and restored independently. Each OVC has a separate
administrator and log file, and its system log and operation log can be output independently
to the log monitoring server. Each OVC is managed by the corresponding administrator, and the
OVCs are invisible to each other.

Figure 20-1 OVC configuration management

20.3 Control plane virtualization


Each OVC starts its own management process to manage the system resources it owns, and also
starts its own protocol processes (such as OSPF, ISIS, and BGP) to maintain its protocols. Each
OVC runs independent protocol processes, and the processes do not interfere with each other.

As shown in Figure 20-2, OVC1 has OSPF/ISIS enabled, OVC2 has OSPF/RIP/BGP enabled,
and OVC3 has ISIS/BGP enabled. They have separate processes. A protocol process failure in any
OVC does not affect the normal operation of the protocol processes in other OVCs.

Figure 20-2 Control plane virtualization

The benefit of control plane virtualization is fault isolation between OVCs. As shown in Figure
20-3, the OSPF process in OVC2 crashes, so the OSPF protocol of that OVC can no longer run
normally. The OSPF processes in the other OVCs are not affected and continue to operate normally.

Figure 20-3 Fault isolation between OVCs

20.4 Data plane virtualization


When the OVC is created, the system divides the interface resources. These interfaces are
managed by their respective virtual data planes, and the different OVCs are completely isolated.
When traffic enters the system from an interface of an OVC, only the forwarding entries
belonging to that OVC are queried, and the traffic is forwarded only through interfaces
belonging to that OVC. The routing protocols can only run on these interface resources. This
ensures that each OVC's forwarding entries contain only the interfaces belonging to that OVC,
thus completely separating the routing and forwarding of different OVCs.

On a security device, session entries are set up to record state information. To ensure
complete isolation of the forwarding information of each OVC, each OVC has an independent
session table and maintains only the sessions belonging to it. The sessions of different OVCs
do not interfere with each other, ensuring that the address space and forwarding information
of each OVC are completely independent.

20.5 OVC configuration example

20.5.1 Configuration requirements

When the intranet data of an enterprise needs to be kept confidential, the hosts that can
access the intranet data must not be allowed to access the external network, while other hosts
must still be able to access the external network. The enterprise can use the OVC function to
separate the hosts into two networks that are independent of each other and do not interfere
with each other.

20.5.2 Network topology

Figure 20-4 OVC network diagram

20.5.3 Configuration process

(1) Create VLANs on SW1, SW2, SW3, and SW4, and configure VLANs for the corresponding
ports.

(2) Configure the OVC function on SW2 and SW3 respectively.

(3) Create corresponding vlan-if ports on SW2 and SW3 respectively, and configure
corresponding IP addresses.

(4) Configure OSPF routes on SW2 and SW3 respectively.

(5) Verify the configuration.

20.5.4 Configuration step

(1) Create VLANs on SW1, SW2, SW3, and SW4, and configure VLANs for the corresponding
ports.

# Configure on SW1 and SW4 respectively.


<DPTECH>conf-mode
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_2
[DPTECH-vlan3]exit
[DPTECH]interface gige0_3
[DPTECH-gige0_3]switchport mode trunk
[DPTECH-gige0_3]switchport trunk allowed vlan 2-3
[DPTECH-gige0_3]switchport trunk native vlan 3
[DPTECH-gige0_3]exit
[DPTECH]

# Configure on SW2.
<DPTECH>conf-mode
[DPTECH]vlan 2 to 6
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_1
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_3
[DPTECH-vlan3]exit
[DPTECH]vlan 6
[DPTECH-vlan6]port gige0_4
[DPTECH-vlan6]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]switchport mode trunk
[DPTECH-gige0_2]switchport trunk allowed vlan 4-5
[DPTECH-gige0_2]switchport trunk native vlan 5
[DPTECH-gige0_2]exit

# Configure on SW3.
[DPTECH]interface gige0_1
[DPTECH-gige0_1]switchport mode trunk
[DPTECH-gige0_1]switchport trunk allowed vlan 2-3
[DPTECH-gige0_1]switchport trunk native vlan 3
[DPTECH-gige0_1]exit
[DPTECH]interface gige0_2
[DPTECH-gige0_2]switchport mode trunk
[DPTECH-gige0_2]switchport trunk allowed vlan 2-3
[DPTECH-gige0_2]switchport trunk native vlan 3
[DPTECH-gige0_2]exit
[DPTECH]interface gige0_3
[DPTECH-gige0_3]switchport mode trunk
[DPTECH-gige0_3]switchport trunk allowed vlan 4-5
[DPTECH-gige0_3]switchport trunk native vlan 5
[DPTECH-gige0_3]exit

(2) Configure the OVC function on SW2 and SW3 respectively.

# Configure OVC on SW2.


[DPTECH]ovc enable
[DPTECH]ovc ovc1
[DPTECH-ovc-ovc1]exit
[DPTECH]interface vlan-if 2
[DPTECH-vlan-if2]bind ovc ovc1
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if 4
[DPTECH-vlan-if4]bind ovc ovc1
[DPTECH-vlan-if4]exit
[DPTECH]ovc ovc2
[DPTECH-ovc-ovc2]exit
[DPTECH]interface vlan-if 3
[DPTECH-vlan-if3]bind ovc ovc2
[DPTECH-vlan-if3]exit
[DPTECH]interface vlan-if 5
[DPTECH-vlan-if5]bind ovc ovc2
[DPTECH-vlan-if5]exit
[DPTECH]interface vlan-if 6
[DPTECH-vlan-if6]bind ovc ovc2
[DPTECH-vlan-if6]exit
[DPTECH]

# Configure OVC on SW3.


[DPTECH]ovc enable
[DPTECH]ovc ovc1
[DPTECH-ovc-ovc1]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]bind ovc ovc1
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if4
[DPTECH-vlan-if4]bind ovc ovc1
[DPTECH-vlan-if4]exit
[DPTECH]ovc ovc2
[DPTECH-ovc-ovc2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]bind ovc ovc2
[DPTECH-vlan-if3]exit
[DPTECH]interface vlan-if5
[DPTECH-vlan-if5]bind ovc ovc2
[DPTECH-vlan-if5]exit
[DPTECH]

(3) Configure the IP address of the corresponding vlan-if port in the OVC on SW2 and SW3.

# Configure on SW2.
<DPTECH> switch-ovc ovc1
Now change to new ovc: ovc1.
<DPTECH-ovc1>conf-mode
[DPTECH-ovc1]interface vlan-if2
[DPTECH-vlan-if2-ovc1]ip add 5.5.5.1/24
[DPTECH-vlan-if2-ovc1]exit
[DPTECH-ovc1]interface vlan-if4
[DPTECH-vlan-if4-ovc1]ip add 3.3.3.2/24
[DPTECH-vlan-if4-ovc1]end
<DPTECH-ovc1>exit
Connection closed by foreign host.
<DPTECH> switch-ovc ovc2
Now change to new ovc: ovc2.
<DPTECH-ovc2>conf-mode
[DPTECH-ovc2]interface vlan-if5
[DPTECH-vlan-if5-ovc2]ip add 4.4.4.2/24
[DPTECH-vlan-if5-ovc2]exit
[DPTECH-ovc2]interface vlan-if3
[DPTECH-vlan-if3-ovc2]ip add 6.6.6.1/24
[DPTECH-vlan-if3-ovc2]exit
[DPTECH-ovc2]interface vlan-if6
[DPTECH-vlan-if6-ovc2]ip add 7.7.7.1/24
[DPTECH-vlan-if6-ovc2]exit

# Configure on SW3.
<DPTECH> switch-ovc ovc1
Now change to new ovc: ovc1.
<DPTECH-ovc1>conf-mode
[DPTECH-ovc1]interface vlan-if2
[DPTECH-vlan-if2-ovc1]ip add 1.1.1.1/24
[DPTECH-vlan-if2-ovc1]exit
[DPTECH-ovc1]interface vlan-if4
[DPTECH-vlan-if4-ovc1]ip add 3.3.3.1/24
[DPTECH-vlan-if4-ovc1]end
<DPTECH-ovc1>exit
Connection closed by foreign host.
<DPTECH> switch-ovc ovc2
Now change to new ovc: ovc2.
<DPTECH-ovc2>conf-mode
[DPTECH-ovc2]interface vlan-if3
[DPTECH-vlan-if3-ovc2]ip add 2.2.2.1/24
[DPTECH-vlan-if3-ovc2]exit
[DPTECH-ovc2]interface vlan-if5
[DPTECH-vlan-if5-ovc2]ip add 4.4.4.1/24
[DPTECH-vlan-if5-ovc2]exit
[DPTECH-ovc2]

(4) Configure OSPF routes on SW2 and SW3 respectively.

# Configure OSPF on SW2.


<DPTECH> switch-ovc ovc1
Now change to new ovc: ovc1.
<DPTECH-ovc1>conf-mode
[DPTECH-ovc1]route ospf 1
[DPTECH-ospf-1-ovc1]network 5.5.5.0/24 area 0
[DPTECH-ospf-1-ovc1]network 3.3.3.0/24 area 0
[DPTECH-ospf-1-ovc1]exit
[DPTECH-ovc1]exit
<DPTECH-ovc1>exit
Connection closed by foreign host.
<DPTECH> switch-ovc ovc2
Now change to new ovc: ovc2.
<DPTECH-ovc2>conf-mode
[DPTECH-ovc2]route ospf 1
[DPTECH-ospf-1-ovc2]network 4.4.4.0/24 area 0
[DPTECH-ospf-1-ovc2]network 6.6.6.0/24 area 0
[DPTECH-ospf-1-ovc2]network 7.7.7.0/24 area 0
[DPTECH-ospf-1-ovc2]exit
[DPTECH-ovc2]exit
<DPTECH-ovc2>exit
Connection closed by foreign host.
<DPTECH>

# Configure OSPF on SW3.


<DPTECH> switch-ovc ovc1
Now change to new ovc: ovc1.
<DPTECH-ovc1>conf-mode
[DPTECH-ovc1]route ospf 1
[DPTECH-ospf-1-ovc1]network 1.1.1.0/24 area 0
[DPTECH-ospf-1-ovc1]network 3.3.3.0/24 area 0
[DPTECH-ospf-1-ovc1]exit
[DPTECH-ovc1]exit
<DPTECH-ovc1>exit
Connection closed by foreign host.
<DPTECH> switch-ovc ovc2
Now change to new ovc: ovc2.
<DPTECH-ovc2>conf-mode
[DPTECH-ovc2]route ospf 1
[DPTECH-ospf-1-ovc2]network 2.2.2.0/24 area 0
[DPTECH-ospf-1-ovc2]network 4.4.4.0/24 area 0
[DPTECH-ospf-1-ovc2]exit
[DPTECH-ovc2]exit
<DPTECH-ovc2>exit
Connection closed by foreign host.
<DPTECH>

(5) Verify the configuration.

# View the configured OVC on SW2.


<DPTECH>show ovc ovc1
VFW : PublicSystem
Manage service: managable
Interface list:
vlan-if2
vlan-if4
<DPTECH>show ovc ovc2
VFW : PublicSystem
Manage service: managable
Interface list:
vlan-if3
vlan-if5
vlan-if6
<DPTECH>

# View the configured OVC on SW3.


<DPTECH>show ovc ovc1
VFW : PublicSystem
Manage service: managable
Interface list:
vlan-if2
vlan-if4
<DPTECH>show ovc ovc2
VFW : PublicSystem
Manage service: managable
Interface list:
vlan-if3
vlan-if5
<DPTECH>

By configuring the OVC function on SW2 and SW3, network A and network B are isolated from
each other and cannot communicate with each other. Host A1 and Host A2 of network A can
access each other and can access Server A, but cannot access the external network. Host B1
and Host B2 of network B can access each other and can access Server B. They can also
access the external network.
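
The isolation above depends on every vlan-if being addressed inside the OVC it is bound to and on every OSPF network statement matching an interface of the same OVC. The following Python example is added here (it is not DPtech tooling) and audits a saved CLI transcript in this manual's prompt format for both mistakes; the transcript is constructed, with a deliberate error in the ovc1 session, and the finding names are this example's own.

```python
import ipaddress
import re

# <DPTECH...> is the user view, [DPTECH...] a configuration view.
PROMPT = re.compile(r"^(?P<view>[<\[])DPTECH[^\]>]*[\]>]\s*(?P<cmd>.*)$")


def audit_ovc(transcript):
    """Return a sorted list of (finding, ovc, detail) tuples for one device."""
    bindings = {}     # interface -> set of OVCs it was bound to
    addresses = []    # (OVC context, interface, ip_interface)
    ospf = []         # (OVC context, ip_network)
    ctx, iface = "public", None
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue                       # device output, blank lines, comments
        cmd = m["cmd"].split()
        if not cmd:
            continue
        if cmd[0] == "switch-ovc" and len(cmd) == 2:
            ctx, iface = cmd[1], None
        elif cmd[0] == "exit" and m["view"] == "<":
            ctx, iface = "public", None    # leaving the user view ends the OVC session
        elif cmd[0] in ("exit", "end"):
            iface = None
        elif cmd[0] == "interface" and len(cmd) > 1:
            iface = "".join(cmd[1:])       # "vlan-if 2" and "vlan-if2" are the same port
        elif cmd[:2] == ["bind", "ovc"] and len(cmd) == 3 and iface:
            bindings.setdefault(iface, set()).add(cmd[2])
        elif cmd[:2] == ["ip", "add"] and len(cmd) == 3 and iface:
            addresses.append((ctx, iface, ipaddress.ip_interface(cmd[2])))
        elif cmd[0] == "network" and len(cmd) >= 2:
            ospf.append((ctx, ipaddress.ip_network(cmd[1], strict=False)))

    findings = []
    for name, ovcs in bindings.items():
        if len(ovcs) > 1:
            findings.append(("multi-bound", ",".join(sorted(ovcs)), name))
    valid = []        # addresses set in the context that owns the interface
    for ovc, name, addr in addresses:
        owner = bindings.get(name, {"public"})
        if ovc in owner:
            valid.append((ovc, addr))
        else:
            owners = ",".join(sorted(owner))
            findings.append(("wrong-context", ovc, f"{name} belongs to {owners}"))
    for ovc, net in ospf:
        if not any(o == ovc and a.ip in net for o, a in valid):
            findings.append(("ospf-no-interface", ovc, str(net)))
    return sorted(findings)


# Constructed transcript: vlan-if5 is bound to ovc2 but addressed inside ovc1,
# which also leaves the 3.3.3.0/24 OSPF statement of ovc1 without an interface.
SAMPLE = """
[DPTECH]interface vlan-if 2
[DPTECH-vlan-if2]bind ovc ovc1
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if 4
[DPTECH-vlan-if4]bind ovc ovc1
[DPTECH-vlan-if4]exit
[DPTECH]interface vlan-if 5
[DPTECH-vlan-if5]bind ovc ovc2
[DPTECH-vlan-if5]exit
<DPTECH> switch-ovc ovc1
Now change to new ovc: ovc1.
<DPTECH-ovc1>conf-mode
[DPTECH-ovc1]interface vlan-if2
[DPTECH-vlan-if2-ovc1]ip add 5.5.5.1/24
[DPTECH-vlan-if2-ovc1]exit
[DPTECH-ovc1]interface vlan-if5
[DPTECH-vlan-if5-ovc1]ip add 4.4.4.2/24
[DPTECH-vlan-if5-ovc1]exit
[DPTECH-ovc1]route ospf 1
[DPTECH-ospf-1-ovc1]network 5.5.5.0/24 area 0
[DPTECH-ospf-1-ovc1]network 3.3.3.0/24 area 0
[DPTECH-ospf-1-ovc1]exit
[DPTECH-ovc1]exit
<DPTECH-ovc1>exit
Connection closed by foreign host.
<DPTECH> switch-ovc ovc2
<DPTECH-ovc2>conf-mode
[DPTECH-ovc2]interface vlan-if5
[DPTECH-vlan-if5-ovc2]ip add 4.4.4.2/24
"""

if __name__ == "__main__":
    for finding in audit_ovc(SAMPLE):
        print(finding)
```

An empty result means every address and OSPF statement in the transcript sits in the OVC that owns the interface; the `show ovc` interface lists remain the authoritative view of the bindings on the device.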

21 VRF Configuration Example

21.1 VRF introduction

VRF (Virtual Route Forwarding) is mainly used for route isolation to solve address overlap
problems. Each VRF can be thought of as a virtual switch that includes the following elements:

• an independent routing and forwarding table and an independent address space;
• a set of interfaces belonging to this VRF;
• a set of routing protocols that are used only for this VRF.

One or more VRFs can be maintained on each switch. Multiple VRF instances are independent of
each other and do not interfere with each other. VRF is frequently used in MPLS VPN and is
closely related to it. Therefore, MPLS VPN is briefly introduced here.

Two important parameters related to VPN services defined in the VRF are RT and RD:

Table 21-1 VRF introduction

Item                    Description

RT                      Mainly used to control the advertisement and installation policies of
(Route Target)          VPN routes. It has two properties, import and export: import indicates
                        which routes the VRF is interested in, and export indicates the
                        attribute of the routes the VRF advertises. When a route is advertised
                        by a PE, it is sent directly to the other PEs using the RT export rule
                        of the VRF to which the route belongs. When receiving routes, the peer
                        PE first receives all the routes and then checks the RT import rules
                        configured for each VRF. If the RT attribute of a route matches, the
                        route is added to the corresponding VRF.

RD                      Used to indicate which VPN a route belongs to. In theory, an RD can be
(Route Distinguisher)   configured for each VRF. It is generally recommended to configure the
                        same RD for the VRFs of each VPN, and to ensure that the RD is globally
                        unique. If the same address exists in two VRFs but the RDs are
                        different, the two routes are not confused during inter-PE
                        advertisement. The RD and the route are sent together. The peer PE
                        determines the VPN to which the route belongs according to the RD and
                        installs the route into the correct VRF.
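
The RT matching described in Table 21-1 decides which VRFs exchange routes, so it can be checked offline before the configuration is applied. The following Python example is added here (it is not DPtech code): it parses VRF definitions in this manual's CLI format, derives every export-to-import route flow, and reports flows that cross VPNs, missing flows inside a VPN, and an RD shared by different VPNs. The transcripts and the VPN membership map are constructed, with a deliberate error in the last export line of the second PE.

```python
import re

PROMPT = re.compile(r"^[<\[]DPTECH[^\]>]*[\]>]\s*(.*)$")


def parse_vrfs(transcript):
    """Return {vrf: {"rd": str or None, "import": set, "export": set}} for one PE."""
    vrfs, current = {}, None
    for raw in transcript.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        cmd = m.group(1).split()
        if len(cmd) == 2 and cmd[0] == "vrf" and cmd[1] != "enable":
            current = vrfs.setdefault(cmd[1], {"rd": None, "import": set(), "export": set()})
        elif cmd == ["exit"]:
            current = None
        elif current is not None and len(cmd) == 2 and cmd[0] == "rd":
            current["rd"] = cmd[1]
        elif (current is not None and len(cmd) == 3 and cmd[0] == "router-target"
              and cmd[1] in ("import", "export")):
            current[cmd[1]].add(cmd[2])
    return vrfs


def route_flows(pes):
    """(src_pe, src_vrf, dst_pe, dst_vrf) wherever dst imports an RT that src exports."""
    sites = [(pe, name, v) for pe, vrfs in pes.items() for name, v in vrfs.items()]
    return {(sp, sn, dp, dn)
            for sp, sn, sv in sites for dp, dn, dv in sites
            if (sp, sn) != (dp, dn) and sv["export"] & dv["import"]}


def audit(pes, vpn_of):
    """vpn_of maps (pe, vrf) to the VPN the design intends it to belong to."""
    flows, findings = route_flows(pes), []
    for sp, sn, dp, dn in sorted(flows):
        if vpn_of[(sp, sn)] != vpn_of[(dp, dn)]:
            findings.append(("leak", f"{sp}/{sn} -> {dp}/{dn}"))
    members = sorted(vpn_of)
    for a in members:
        for b in members:
            if a != b and vpn_of[a] == vpn_of[b] and (*a, *b) not in flows:
                findings.append(("no-route", f"{a[0]}/{a[1]} -> {b[0]}/{b[1]}"))
    owner = {}        # RD -> VPN that first used it
    for site in members:
        rd = pes[site[0]][site[1]]["rd"]
        if owner.setdefault(rd, vpn_of[site]) != vpn_of[site]:
            findings.append(("rd-reuse", f"{rd} on {site[0]}/{site[1]}"))
    return findings


# Constructed transcripts. PE_B's vrf2 exports 100:2, which PE_A's vrf1 imports.
PE_A = """
[DPTECH]vrf enable
[DPTECH]vrf vrf1
[DPTECH-vrf-vrf1]rd 100:1
[DPTECH-vrf-vrf1]router-target import 100:2
[DPTECH-vrf-vrf1]router-target export 100:3
[DPTECH-vrf-vrf1]exit
[DPTECH]vrf vrf2
[DPTECH-vrf-vrf2]rd 100:10
[DPTECH-vrf-vrf2]router-target import 100:11
[DPTECH-vrf-vrf2]router-target export 100:12
[DPTECH-vrf-vrf2]exit
"""
PE_B = """
[DPTECH]vrf enable
[DPTECH]vrf vrf1
[DPTECH-vrf-vrf1]rd 100:4
[DPTECH-vrf-vrf1]router-target import 100:3
[DPTECH-vrf-vrf1]router-target export 100:2
[DPTECH-vrf-vrf1]exit
[DPTECH]vrf vrf2
[DPTECH-vrf-vrf2]rd 100:20
[DPTECH-vrf-vrf2]router-target import 100:12
[DPTECH-vrf-vrf2]router-target export 100:2
[DPTECH-vrf-vrf2]exit
"""
PES = {"PE_A": parse_vrfs(PE_A), "PE_B": parse_vrfs(PE_B)}
VPN_OF = {("PE_A", "vrf1"): "VPN1", ("PE_B", "vrf1"): "VPN1",
          ("PE_A", "vrf2"): "VPN2", ("PE_B", "vrf2"): "VPN2"}

if __name__ == "__main__":
    for finding in audit(PES, VPN_OF):
        print(finding)
```

A single wrong export value produces two findings here: VPN2 routes are installed in a VPN1 VRF, and the VPN2 site on PE_A no longer learns the routes of PE_B.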

21.2 MPLS VPN introduction


MPLS VPN is a VPN based on MPLS technology: a virtual private network implemented by applying
MPLS technology on routers and switches. It can flexibly meet various service requirements,
such as communication with a company's remote departments. At present, MPLS L3 VPN, that is,
BGP/MPLS VPN, is a relatively mature technology and has been standardized. Its components
include PE, P, CE, and Site.

Table 21-2 MPLS VPN introduction

Item   Description

PE     The edge device of the backbone network. It is mainly used to store the VRF, learn the
       routes to the directly connected CE, and then exchange the learned VPN routes with
       other PEs through IBGP. It is the main implementer of MPLS.

P      The core device of the backbone network. It is not directly connected to the CE and is
       mainly responsible for MPLS forwarding.

CE     A user edge device, usually a switch or router in a VPN Site. Its main function is to
       exchange VPN user routing information with the PE, advertise local routes to the PE,
       and learn remote site routes from the PE.

Site   An isolated IP network in a VPN. Each site is connected through a carrier backbone
       network.

A user accesses an MPLS VPN as follows. Each site provides one or more CEs, which connect to
the PEs of the backbone network. A VRF is configured for the site on the PE, and the physical
interface and logical interface of the PE-CE connection are bound to the VRF.

21.3 VRF configuration example

21.3.1 Configuration requirements

When the operator's network carries the traffic of several companies (such as company A and
company B), the off-site departments within company A and within company B must be able to
access each other, while mutual access between A and B is prohibited. In this situation, the PE
device of the carrier network may encounter problems such as local route conflicts, the
propagation of routes in the network, and the forwarding of packets from the PE to the CE. The
VRF function on the PE device can effectively solve these problems.

21.3.2 Network topology

Figure 21-1 Network diagram of VRF and MPLS

CE1 is a switch of Site1, CE2 is a switch of Site2, CE3 is a switch of Site3, and CE4 is a switch of
Site4.

• Site1 and Site3 are the two sites of VPN1, and Site2 and Site4 are the two sites of VPN2.
• The OSPF routing protocol is used between PE, CE, and P.

21.3.3 Configuration process

(1) Create corresponding vlan-if ports on SW1, SW2, SW3, SW4, SW5, SW6, and SW7, and
configure corresponding IP addresses.

(2) Configure VRF on SW3 and SW5 respectively.

(3) Configure OSPF routes on SW1, SW2, SW3, SW4, SW5, SW6, and SW7.

(4) Configure IBGP on SW3 and SW5 and establish VPNv4 neighbors.

(5) Configure MPLS on SW3, SW4, and SW5, respectively.

(6) Verify the configuration.

21.3.4 Configuration step

(1) Create corresponding vlan-if ports on SW1, SW2, SW3, SW4, SW5, SW6, and SW7, and
configure corresponding IP addresses.

# Configure on SW1.
[DPTECH]vlan 2 to 3
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_3
[DPTECH-vlan3]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 1.1.1.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 10.10.1.1/16
[DPTECH-vlan-if3]exit
[DPTECH]

# Configure on SW2.
[DPTECH]vlan 2 to 3
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_3
[DPTECH-vlan3]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 2.2.2.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 10.10.1.1/16
[DPTECH-vlan-if3]exit
[DPTECH]

# Configure on SW3.
[DPTECH]vlan 2 to 4
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_3
[DPTECH-vlan3]exit
[DPTECH]vlan 4
[DPTECH-vlan4]port gige0_4
[DPTECH-vlan4]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 1.1.1.2/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 2.2.2.2/24
[DPTECH-vlan-if3]exit
[DPTECH]interface vlan-if4
[DPTECH-vlan-if4]ip add 3.3.3.1/24
[DPTECH-vlan-if4]exit
[DPTECH]interface loopback 1
[DPTECH-loopback1]ip add 30.30.30.1/24
[DPTECH-loopback1]exit
[DPTECH]

# Configure on SW4.
[DPTECH]vlan 2 to 3
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_3
[DPTECH-vlan3]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 3.3.3.2/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 4.4.4.1/24
[DPTECH-vlan-if3]exit
[DPTECH]interface loopback 1
[DPTECH-loopback1]ip add 40.40.40.1/24
[DPTECH-loopback1]exit
[DPTECH]

# Configure on SW5.
[DPTECH]vlan 2 to 4
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_3
[DPTECH-vlan3]exit
[DPTECH]vlan 4
[DPTECH-vlan4]port gige0_4
[DPTECH-vlan4]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 5.5.5.2/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 6.6.6.2/24
[DPTECH-vlan-if3]exit
[DPTECH]interface vlan-if4
[DPTECH-vlan-if4]ip add 4.4.4.2/24
[DPTECH-vlan-if4]exit
[DPTECH]interface loopback 1
[DPTECH-loopback1]ip add 50.50.50.1/24
[DPTECH-loopback1]exit
[DPTECH]

# Configure on SW6.
[DPTECH]vlan 2 to 3
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_3
[DPTECH-vlan3]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 5.5.5.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 20.20.1.1/16
[DPTECH-vlan-if3]exit
[DPTECH]

# Configure on SW7.
[DPTECH]vlan 2 to 3
[DPTECH]vlan 2
[DPTECH-vlan2]port gige0_2
[DPTECH-vlan2]exit
[DPTECH]vlan 3
[DPTECH-vlan3]port gige0_3
[DPTECH-vlan3]exit
[DPTECH]interface vlan-if2
[DPTECH-vlan-if2]ip add 6.6.6.1/24
[DPTECH-vlan-if2]exit
[DPTECH]interface vlan-if3
[DPTECH-vlan-if3]ip add 20.20.1.1/16
[DPTECH-vlan-if3]exit
[DPTECH]

(2) Configure VRF on SW3 and SW5 respectively.

# Configure VRF on SW3.


[DPTECH]vrf enable
[DPTECH]vrf vrf1
[DPTECH-vrf-vrf1]rd 100:1
[DPTECH-vrf-vrf1]router-target import 100:2
[DPTECH-vrf-vrf1]router-target export 100:3
[DPTECH-vrf-vrf1]exit
[DPTECH] interface vlan-if 2
[DPTECH-vlan-if2] bind vrf vrf1
[DPTECH-vlan-if2] ip add 1.1.1.2/24
[DPTECH-vlan-if2] exit
[DPTECH]vrf vrf2
[DPTECH-vrf-vrf2]rd 100:10
[DPTECH-vrf-vrf2]router-target import 100:11
[DPTECH-vrf-vrf2]router-target export 100:12
[DPTECH-vrf-vrf2]exit
[DPTECH] interface vlan-if3
[DPTECH-vlan-if3] bind vrf vrf2
[DPTECH-vlan-if3]ip add 2.2.2.2/24
[DPTECH-vlan-if3] exit
[DPTECH]

# Configure VRF on SW5.


[DPTECH]vrf enable
[DPTECH]vrf vrf1
[DPTECH-vrf-vrf1] rd 100:4
[DPTECH-vrf-vrf1]router-target import 100:3
[DPTECH-vrf-vrf1]router-target export 100:2
[DPTECH-vrf-vrf1]exit
[DPTECH] interface vlan-if2
[DPTECH-vlan-if2] bind vrf vrf1
[DPTECH-vlan-if2]ip add 5.5.5.2/24
[DPTECH-vlan-if2] exit
[DPTECH]vrf vrf2
[DPTECH-vrf-vrf2]rd 100:20
[DPTECH-vrf-vrf2]router-target import 100:12
[DPTECH-vrf-vrf2]router-target export 100:11
[DPTECH-vrf-vrf2]exit
[DPTECH] interface vlan-if3
[DPTECH-vlan-if3] bind vrf vrf2
[DPTECH-vlan-if3]ip add 6.6.6.2/24
[DPTECH-vlan-if3] exit
[DPTECH]

(3) Configure OSPF routes on SW1, SW2, SW3, SW4, SW5, SW6, and SW7 respectively.

# Configure OSPF on SW1.


[DPTECH]router ospf 1
[DPTECH-ospf-1]network 1.1.1.0/24 area 0
[DPTECH-ospf-1]network 10.10.0.0/16 area 0
[DPTECH-ospf-1]exit
[DPTECH]

# Configure OSPF on SW2.


[DPTECH]router ospf 1
[DPTECH-ospf-1]network 2.2.2.0/24 area 0
[DPTECH-ospf-1]network 10.10.0.0/16 area 0
[DPTECH-ospf-1]exit
[DPTECH]

# Configure OSPF on SW3.


[DPTECH] router ospf 1 vrfname vrf1
[DPTECH-ospf-1]network 1.1.1.0/24 area 0
[DPTECH-ospf-1]exit
[DPTECH]router ospf 2 vrfname vrf2
[DPTECH-ospf-2]network 2.2.2.0/24 area 0
[DPTECH-ospf-2]exit
[DPTECH]router ospf 3
[DPTECH-ospf-3]network 3.3.3.0/24 area 0
[DPTECH-ospf-3]network 30.30.30.0/24 area 0
[DPTECH-ospf-3]exit
[DPTECH]

# Configure OSPF on SW4.


[DPTECH]router ospf 1
[DPTECH-ospf-1]network 3.3.3.0/24 area 0
[DPTECH-ospf-1]network 4.4.4.0/24 area 0
[DPTECH-ospf-1]network 40.40.40.0/24 area 0
[DPTECH-ospf-1]exit
[DPTECH]

# Configure OSPF on SW5.

[DPTECH]router ospf 1 vrfname vrf1
[DPTECH-ospf-1]network 5.5.5.0/24 area 0
[DPTECH-ospf-1]exit
[DPTECH]router ospf 2 vrfname vrf2
[DPTECH-ospf-2]network 6.6.6.0/24 area 0
[DPTECH-ospf-2]exit
[DPTECH]router ospf 3
[DPTECH-ospf-3]network 4.4.4.0/24 area 0
[DPTECH-ospf-3]network 50.50.50.0/24 area 0
[DPTECH-ospf-3]exit
[DPTECH]

# Configure OSPF on SW6.


[DPTECH]router ospf 1
[DPTECH-ospf-1]network 5.5.5.0/24 area 0
[DPTECH-ospf-1]network 20.20.0.0/16 area 0
[DPTECH-ospf-1]exit
[DPTECH]

# Configure OSPF on SW7.


[DPTECH]router ospf 1
[DPTECH-ospf-1]network 6.6.6.0/24 area 0
[DPTECH-ospf-1]network 20.20.0.0/16 area 0
[DPTECH-ospf-1]exit
[DPTECH]

(4) Configure IBGP on SW3 and SW5 and establish VPNv4 neighbors.

# Configure IBGP on SW3 and establish VPNv4 neighbors.


[DPTECH]router bgp 1
[DPTECH-bgp]neighbor 50.50.50.1 remote-as 1
[DPTECH-bgp]neighbor 50.50.50.1 update-source loopback1
[DPTECH-bgp]neighbor 50.50.50.1 activate
[DPTECH-bgp]address-family vpnv4 unicast
[DPTECH-bgp-vpnv4]neighbor 50.50.50.1 activate
[DPTECH-bgp-vpnv4]exit
[DPTECH-bgp]address-family ipv4 vrf vrf1
DPTECH(config-router-af-vrf)# redistribute ospf 1
DPTECH(config-router-af-vrf)# exit
[DPTECH-bgp]address-family ipv4 vrf vrf2
DPTECH(config-router-af-vrf)# redistribute ospf 2
DPTECH(config-router-af-vrf)# exit
[DPTECH-bgp]

# Configure IBGP on SW5 and establish VPNv4 neighbors.


[DPTECH]router bgp 1
[DPTECH-bgp]neighbor 30.30.30.1 remote-as 1
[DPTECH-bgp]neighbor 30.30.30.1 update-source loopback1
[DPTECH-bgp]neighbor 30.30.30.1 activate
[DPTECH-bgp]address-family vpnv4 unicast
[DPTECH-bgp-vpnv4]neighbor 30.30.30.1 activate
[DPTECH-bgp-vpnv4]exit
[DPTECH-bgp]address-family ipv4 vrf vrf1
DPTECH(config-router-af-vrf)# redistribute ospf 1
DPTECH(config-router-af-vrf)# exit
[DPTECH-bgp]address-family ipv4 vrf vrf2
DPTECH(config-router-af-vrf)# redistribute ospf 2
DPTECH(config-router-af-vrf)# exit
[DPTECH-bgp]

(5) Configure MPLS on SW3, SW4, and SW5 respectively.

# Configure MPLS on SW3.


[DPTECH]mpls ip
[DPTECH] mpls ldp router-id 30.30.30.1
[DPTECH] interface vlan-if 4
[DPTECH-vlan-if4] mpls ip

# Configure MPLS on SW4.


[DPTECH]mpls ip
[DPTECH] mpls ldp router-id 40.40.40.1
[DPTECH] interface vlan-if 2
[DPTECH-vlan-if2] mpls ip
[DPTECH-vlan-if2]exit
[DPTECH] interface vlan-if 3
[DPTECH-vlan-if3] mpls ip

# Configure MPLS on SW5.


[DPTECH]mpls ip
[DPTECH] mpls ldp router-id 50.50.50.1
[DPTECH] interface vlan-if 4
[DPTECH-vlan-if4] mpls ip

(6) Verify the configuration.

Hosts in the two sites of VPN1 can access each other but cannot access hosts in VPN2. Similarly,
hosts in the two sites of VPN2 can access each other but cannot access hosts in VPN1. This
achieves logical division and security isolation between the two VPNs.
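
The isolation stated in step (6) depends on the route-target pairs set in step (2): a VRF accepts a VPNv4 route only when one of its import targets matches an export target attached to that route. The Python check below is an added example, not part of the DPtech manual; it assumes that VRF names identify the VPN (vrf1 for VPN1, vrf2 for VPN2), and its function names are illustrative.

```python
import re
from itertools import permutations

# VRF stanzas copied from step (2) of this example; prompts removed.
CONFIGS = {
    "SW3": """vrf vrf1
rd 100:1
router-target import 100:2
router-target export 100:3
vrf vrf2
rd 100:10
router-target import 100:11
router-target export 100:12""",
    "SW5": """vrf vrf1
rd 100:4
router-target import 100:3
router-target export 100:2
vrf vrf2
rd 100:20
router-target import 100:12
router-target export 100:11""",
}

def parse_vrfs(device, text):
    """Return {(device, vrf): {"import": set, "export": set}} for one switch."""
    vrfs, current = {}, None
    for line in text.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", line.strip())  # tolerate a leading [prompt]
        if m := re.fullmatch(r"vrf (?!enable$)(\S+)", line):  # "vrf enable" is not a VRF
            current = vrfs.setdefault((device, m.group(1)), {"import": set(), "export": set()})
        elif (m := re.fullmatch(r"router-target (import|export) (\S+)", line)) and current is not None:
            current[m.group(1)].add(m.group(2))
    return vrfs

def route_flows(configs):
    """(exporter, importer) pairs where an export target matches an import target."""
    vrfs = {}
    for device, text in configs.items():
        vrfs.update(parse_vrfs(device, text))
    return {(src, dst) for src, dst in permutations(vrfs, 2)
            if vrfs[src]["export"] & vrfs[dst]["import"]}

def leaks(configs):
    """Flows between differently named VRFs (assumption: the VRF name identifies the VPN)."""
    return sorted(f for f in route_flows(configs) if f[0][1] != f[1][1])

if __name__ == "__main__":
    for src, dst in sorted(route_flows(CONFIGS)):
        print(f"{src[0]}/{src[1]} -> {dst[0]}/{dst[1]}")
    print("cross-VPN leaks:", leaks(CONFIGS))
```

With the values from step (2) the check reports four flows, vrf1 to vrf1 and vrf2 to vrf2 in each direction, and no cross-VPN leak; changing one import target to a value exported by the other VPN makes it report the leaking pair.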
