S2350&S5300&S6300 V200R003 (C00&C02) Typical Configuration Examples 04

S2350&S5300&S6300 Series Ethernet Switches
V200R003(C00&C02)
Typical Configuration Examples
Issue 04
Date 2013-11-06
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written
consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the
customer. All or part of the products, services and features described in this document may not be within the
purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information,
and recommendations in this document are provided "AS IS" without warranties, guarantees or representations
of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.

Address: Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China
Website: http://www.huawei.com
Email: support@huawei.com
Issue 04 (2013-11-06) Huawei Proprietary and Confidential i

Copyright © Huawei Technologies Co., Ltd.
Typical Configuration Examples About This Document
About This Document
This document provides the typical configuration examples supported by the

S2350&S5300&S6300 device.
This document is intended for:
l Data configuration engineers

l Commissioning engineers
l Network monitoring engineers
l System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates an imminently hazardous situation

which, if not avoided, will result in death or
serious injury.
Indicates a potentially hazardous situation

which, if not avoided, could result in death or
serious injury.

which, if not avoided, may result in minor or
moderate injury.

which, if not avoided, could result in
equipment damage, data loss, performance
deterioration, or unanticipated results.
NOTICE is used to address practices not
related to personal injury.
Issue 04 (2013-11-06) Huawei Proprietary and Confidential ii

Symbol Description
NOTE Calls attention to important information, best

practices and tips.
NOTE is used to address information not
related to personal injury, equipment damage,
and environment deterioration.
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention Description
Boldface The keywords of a command line are in boldface.
Italic Command arguments are in italics.
[] Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | ... } Optional items are grouped in braces and separated by

vertical bars. One item is selected.
[ x | y | ... ] Optional items are grouped in brackets and separated by

vertical bars. One item is selected or no item is selected.
{ x | y | ... }* Optional items are grouped in braces and separated by

vertical bars. A minimum of one item or a maximum of all
items can be selected.
[ x | y | ... ]* Optional items are grouped in brackets and separated by

vertical bars. Several items or no item can be selected.
&<1-n> The parameter before the & sign can be repeated 1 to n times.
# A line starting with the # sign is comments.
Interface Numbering Conventions

Interface numbers used in this manual are examples. In device configuration, use the existing
interface numbers on devices.
Security Conventions
l Password setting
Issue 04 (2013-11-06) Huawei Proprietary and Confidential iii

– When configuring a password in plain text, the password is saved in the configuration
file in plain text. The plain text has high security risks. The cipher text is recommended.
To ensure device security, change the password periodically.
– When you configure a password in cipher text that starts and ends with %@%@ (the
password can be decrypted by the device), the password is displayed in the same manner
as the configured one in the configuration file. Do not use this setting.
l Encryption algorithm
Currently, the device uses the following encryption algorithms: DES, AES, SHA-1, SHA-2,
and MD5. DES and AES are reversible, and SHA-1, SHA-2, and MD5 are irreversible.
The encryption algorithm depends on actual networking. If protocols are used for
interconnection, the locally stored password must be reversible. It is recommended that the
irreversible encryption algorithm be used for the administrator password.
l Personal data
Some personal data may be obtained or used during operation or fault location of your
purchased products, services, features, so you have an obligation to make privacy policies
and take measures according to the applicable law of the country to protect personal data.
Mappings between Product Software Versions and NMS

Versions
The mappings between product software versions and NMS versions are as follows.
Product Software Version iManager U2000
V200R003C00 V100R009C00
V200R003C02 V100R009C10
Change History
Changes between document issues are cumulative. The latest document issue contains all the
changes made in earlier issues.
Changes in Issue 04 (2013-11-06) V200R003(C00&C02)

This version has the following updates:
l Some contents are modified according to updates in the product such as features and
commands.
l Output information of some commands is modified.
Changes in Issue 03 (2013-09-30) V200R003(C00&C02)

Issue 04 (2013-11-06) Huawei Proprietary and Confidential iv

commands.
Changes in Issue 02 (2013-07-25) V200R003C00

commands.
Changes in Issue 01 (2013-05-30) V200R003C00

Initial commercial release.
Issue 04 (2013-11-06) Huawei Proprietary and Confidential v

Typical Configuration Examples Contents
Contents
About This Document.....................................................................................................................ii

1 Basic Configuration.......................................................................................................................1
1.1 CLI Overview.................................................................................................................................................................2
1.1.1 Example for Using Tab................................................................................................................................................2
1.2 Logging In to the System for the First Time..................................................................................................................3
1.2.1 Example for Performing Basic Configuration on the Device at First Login...............................................................3
1.2.2 Example of Configuring the Console User Interface..................................................................................................5
1.2.3 Example of Configuring a VTY User Interface..........................................................................................................6
1.3 Configuring User Login..................................................................................................................................................8
1.3.1 Example for Logging In to the Device Through a Console Port.................................................................................8
1.3.2 Example for Logging In to the Device Through Telnet............................................................................................10
1.3.3 Example for Logging In to the Device Through STelnet..........................................................................................12
1.3.4 Example for Logging In to the Device Through the Web System............................................................................22
1.3.5 Example for Logging In to the Device Through the Safe Web System....................................................................25
1.3.6 Example for Configuring the Device as the Telnet Client to Log In to Another Device..........................................28
1.3.7 Example for Configuring the Device as the STelnet Client to Log In to Another Device........................................30
1.3.8 Example for Configuring the Public SSH Client to Log In to the Private SSH Server.............................................36
1.3.9 Example for Configuring RADIUS Authentication for SSH Users..........................................................................42
1.4 File Management..........................................................................................................................................................46
1.4.1 Example of Logging In to the Device to Manage Files.............................................................................................46
1.4.2 Example for Managing Files When the Device Functions as an FTP Server...........................................................47
1.4.3 Example for Managing Files Using SFTP When the Device Functions as an SSH Server......................................49
1.4.4 Example for Managing Files When the Device Functions as an FTPS Server.........................................................51
1.4.5 Example for Managing Files When the Device Functions as a TFTP Client............................................................54
1.4.6 Example for Managing Files When the Device Functions as an FTP Client............................................................56
1.4.7 Example for Managing Files When the Device Functions as an SFTP Client..........................................................57
1.4.8 Example for Managing Files When the Device Functions as an FTPS Client..........................................................63
1.4.9 Example for Managing Files When the Device Functions as an SCP Client............................................................67
1.5 Configuring System Startup.........................................................................................................................................69
1.5.1 Example for Backing Up the Configuration File.......................................................................................................69
1.5.2 Example for Recovering the Configuration File.......................................................................................................70
1.5.3 Example of Configuring System Startup...................................................................................................................71
Issue 04 (2013-11-06) Huawei Proprietary and Confidential vi

2 Interface Management................................................................................................................75
2.1 Ethernet Interfaces Configuration.................................................................................................................................76
2.1.1 Example for Configuring Interface Isolation.............................................................................................................76
3 Ethernet..........................................................................................................................................78
3.1 Link Aggregation Configuration..................................................................................................................................80
3.1.1 Example for Configuring Link Aggregation in Manual Load Balancing Mode.......................................................80
3.1.2 Example for Configuring Link Aggregation in LACP Mode....................................................................................82
3.2 VLAN Configuration....................................................................................................................................................86
3.2.1 Example for Assigning VLANs Based on Ports.......................................................................................................86
3.2.2 Example for Assigning VLANs based on MAC Addresses......................................................................................88
3.2.3 Example for Assigning VLANs Based on IP Subnets..............................................................................................90
3.2.4 Example for Assigning VLANs Based on Protocols.................................................................................................93
3.2.5 Example for Implementing Inter-VLAN Communication Using VLANIF Interfaces.............................................96
3.2.6 Example for Configuring VLAN Aggregation..........................................................................................................98
3.2.7 Example for Configuring MUX VLAN on the Access Layer Device.....................................................................100
3.2.8 Example for Configuring the MUX VLAN on the Aggregation Device................................................................103
3.3 VLAN Mapping Configuration..................................................................................................................................105
3.3.1 Example for Configuring VLAN ID-based 1 to 1 VLAN Mapping.......................................................................105
3.3.2 Example for Configuring VLAN ID-based N to 1 VLAN Mapping......................................................................109
3.3.3 Example for Configuring VLAN ID-based 2 to 1 VLAN Mapping.......................................................................110
3.4 Voice VLAN Configuration.......................................................................................................................................115
3.4.1 Example for Configuring a Voice VLAN in Auto Mode........................................................................................115
3.4.2 Example for Configuring a Voice VLAN in Manual Mode....................................................................................117
3.5 QinQ Configuration....................................................................................................................................................120
3.5.1 Example for Configuring basic QinQ......................................................................................................................120
3.5.2 Example for Configuring Selective QinQ...............................................................................................................123
3.5.3 Example for Configuring Selective QinQ with VLAN Mapping............................................................................126
3.5.4 Example for Configuring VLL Access Through Dot1q Sub-interfaces..................................................................128
3.5.5 Example for Configuring a QinQ Sub-interface to Access a VLL Network...........................................................135
3.5.6 Example for Configuring a Single-tagged VLAN Mapping Sub-interface to Access a VLL network...................143
3.5.7 Example for Configuring a Double-tagged VLAN Mapping Sub-interface to Access a VLL Network................150
3.5.8 Example for Configuring a VLAN Stacking Sub-interface to Access a VLL Network.........................................157
3.5.9 Example for Configuring a Sub-interface for Dot1q VLAN Tag Termination to Access a VPLS Network..........165
3.5.10 Example for Configuring a Sub-interface for QinQ VLAN Tag Termination to Access a VPLS Network.........172
3.5.11 Example for Configuring a Single-tagged VLAN Mapping Sub-interface to Access a VPLS Network..............180
3.5.12 Example for Configuring a Double-tagged VLAN Mapping Sub-interface to Access a VPLS Network............187
3.5.13 Example for Configuring a VLAN Stacking Sub-interface to Access a VPLS Network.....................................195
3.5.14 Example for Configuring QinQ Stacking on a VLANIF Interface.......................................................................203
3.6 GVRP Configuration..................................................................................................................................................206
3.6.1 Example for Configuring GVRP.............................................................................................................................206
3.7 MAC Address Table Configuration...........................................................................................................................209
Issue 04 (2013-11-06) Huawei Proprietary and Confidential vii

3.7.1 Example for Configuring the MAC Address Table.................................................................................................209

3.7.2 Example for Configuring MAC Address Learning in a VLAN..............................................................................211
3.7.3 Example for Configuring Port Security...................................................................................................................213
3.7.4 Example for Configuring MAC Address Anti-flapping..........................................................................................215
3.7.5 Example for Configuring MAC Address Flapping Detection.................................................................................217
3.8 STP/RSTP Configuration...........................................................................................................................................219
3.8.1 Example for Configuring Basic STP Functions......................................................................................................219
3.8.2 Example for Configuring Basic RSTP Functions....................................................................................................223
3.9 MSTP Configuration..................................................................................................................................................228
3.9.1 Example for Configuring MSTP.............................................................................................................................228
3.9.2 Example for Configuring MSTP + VRRP Network................................................................................................236
3.9.3 Example for Connecting CEs to the VPLS in Dual-Homing Mode Through MSTP..............................................246
3.9.4 Example for Configuring MSTP Multi-Process for Layer 2 Single-Access Rings and Layer 2 Multi-Access Rings
..........................................................................................................................................................................................259
3.10 SEP Configuration....................................................................................................................................................266
3.10.1 Example for Configuring SEP on a Closed Ring Network...................................................................................266
3.10.2 Example for Configuring SEP on a Multi-Ring Network.....................................................................................273
3.10.3 Example for Configuring a Hybrid SEP+MSTP Ring Network...........................................................................285
3.10.4 Example for Configuring a Hybrid SEP+RRPP Ring Network............................................................................294
3.10.5 Example for Configuring SEP Multi-Instance......................................................................................................306
3.10.6 Example for Configuring Association Between SEP and VPLS (Reporting Topology Changes of a Lower-Layer
Network)...........................................................................................................................................................................314
3.11 Layer 2 Protocol Transparent Transmission Configuration.....................................................................................326
3.11.1 Example for Configuring Interface-based Layer 2 Protocol Transparent Transmission.......................................327
3.11.2 Example for Configuring VLAN-based Layer 2 Protocol Transparent Transmission..........................................331
3.11.3 Example for Configuring QinQ-based Layer 2 Protocol Transparent Transmission............................................337
3.12 Loopback Detection Configuration..........................................................................................................................343
3.12.1 Example for Configuring Loopback Detection to Detect Loops on the Downstream Network...........................344
3.13 VoIP Access Configuration......................................................................................................................................345
3.13.1 Example for Configuring LLDP on a Switch to Provide VoIP Access.................................................................345
3.13.2 Example for Configuring a DHCP Server on a Switch to Provide VoIP Access..................................................348
3.13.3 Example for Configuring MAC Address-based VLAN Assignment on a Switch to Provide VoIP Access.........350
3.13.4 Example for Configuring an ACL on a Switch to Provide VoIP Access..............................................................352
3.13.5 Example for Configuring an Simplified ACL on a Switch to Provide VoIP Access............................................354
4 IP Service.....................................................................................................................................357
4.1 IP Address Configuration...........................................................................................................................................359
4.1.1 Example for Configuring IP Addresses for an Interface.........................................................................................359
4.1.2 Example for Configuring an IP Unnumbered Interface..........................................................................................360
4.2 ARP Configuration.....................................................................................................................................................365
4.2.1 Example for Configuring ARP................................................................................................................................365
4.2.2 Example for Configuring Routed Proxy ARP.........................................................................................................367
4.2.3 Example for Configuring Intra-VLAN Proxy ARP................................................................................................369
Issue 04 (2013-11-06) Huawei Proprietary and Confidential viii

4.2.4 Example for Configuring Inter-VLAN Proxy ARP................................................................................................371

4.2.5 Example for Configuring Layer 2 Topology Detection..........................................................................................374
4.2.6 Example for Configuring ARP Packet Forwarding Between Isolated Interfaces...................................................376
4.3 DHCP Configuration..................................................................................................................................................380
4.3.1 Example for Configuring a DHCP Server Based on the Global Address Pool.......................................................380
4.3.2 Example for Configuring a DHCP Server Based on the Interface Address Pool....................................................383
4.3.3 Example for Configuring a DHCP Server and a DHCP Relay Agent.....................................................................387
4.3.4 Example for Configuring the DHCP Clients...........................................................................................................390
4.3.5 Example for Configuring the BOOTP Clients........................................................................................................393
4.4 DHCP Policy VLAN Configuration...........................................................................................................................397
4.4.1 Example for Configuring DHCP Policy VLAN Based on MAC Addresses..........................................................397
4.4.2 Example for Configuring DHCP Policy VLAN Based on Interfaces.....................................................................399
4.5 DHCPv6 Configuration..............................................................................................................................................400
4.5.1 Example for Configuring a DHCPv6 Server...........................................................................................................400
4.5.2 Example for Configuring a DHCPv6 PD Server.....................................................................................................402
4.5.3 Example for Configuring a DHCPv6 Relay to Assign IPv6 Addresses to the Clients in One Network Segment
Connected to the Relay.....................................................................................................................................................405
4.6 IP Performance Configuration....................................................................................................................................407
4.6.1 Example for Configuring ICMP Redirection Packets.............................................................................................407
4.6.2 Example for Configuring ICMP Host Unreachable Packets...................................................................................410
4.6.3 Example for Optimizing System Performance by Discarding Certain ICMP Packets............................................414
4.7 DNS Configuration.....................................................................................................................................................415
4.7.1 Example for Configuring the DNS Client...............................................................................................................415
4.8 Basic IPv6 Configurations..........................................................................................................................................419
4.8.1 Example for Configuring IPv6 Addresses for Interfaces........................................................................................419
4.9 IPv6 DNS configuration.............................................................................................................................................423
4.9.1 Example for Configuring IPv6 DNS Client............................................................................................................423
4.10 IPv6 over IPv4 Tunnel Configuration......................................................................................................................426
4.10.1 Example for Configuring a Manual IPv6 over IPv4 Tunnel.................................................................................426
4.10.2 Example for Configuring a 6to4 Tunnel................................................................................................................431
4.10.3 Example for Configuring an ISATAP Tunnel.......................................................................................................436
5 IP Routing...................................................................................................................................440
5.1 IP Routing Basic Configuration.................................................................................................................................442
5.1.1 Example for Configuring IP FRR on the Public Network.......................................................................................442
5.2 Static Route Configuration.........................................................................................................................................446
5.2.1 Example for Configuring IPv4 Static Routes..........................................................................................................446
5.2.2 Example for Configuring IPv6 Static Routes..........................................................................................................450
5.2.3 Example for Configuring Static BFD for IPv4 Static Routes.................................................................................454
5.3 RIP Configuration.......................................................................................................................................................457
5.3.1 Example for Configuring Basic RIP Functions.......................................................................................................457
5.3.2 Example for Configuring RIP to Import Routes.....................................................................................................461
Issue 04 (2013-11-06) Huawei Proprietary and Confidential ix

5.3.3 Example for Configuring One-Arm Static BFD for RIP.........................................................................................465

5.3.4 Example for Configuring Dynamic BFD for RIP...................................................................................................471
5.4 RIPng Configuration...................................................................................................................................................476
5.4.1 Example for Configuring RIPng to Filter the Received Routes..............................................................................476
5.5 OSPF Configuration...................................................................................................................................................480
5.5.1 Example for Configuring Basic OSPF Functions....................................................................................................480
5.5.2 Example for Configuring a Stub Area of OSPF......................................................................................................487
5.5.3 Example for Configuring an OSPF NSSA Area.....................................................................................................491
5.5.4 Example for Configuring DR Election of an OSPF Process...................................................................................495
5.5.5 Example for Configuring OSPF Load Balancing....................................................................................................500
5.5.6 Example for Configuring OSPF GR........................................................................................................................505
5.5.7 Example for Configuring OSPF-BGP.....................................................................................................................508
5.5.8 Example for Configuring OSPF GTSM..................................................................................................................517
5.5.9 Example for Configuring BFD for OSPF................................................................................................................523
5.6 OSPFv3 Configuration...............................................................................................................................................528
5.6.1 Example for Configuring OSPFv3 Areas................................................................................................................528
5.6.2 Example for Configuring DR Election Through OSPFv3.......................................................................................534
5.6.3 Example for Configuring the OSPFv3 Virtual Link...............................................................................................539
5.6.4 Example for Configuring OSPFv3 GR....................................................................................................................543
5.7 IPv4 IS-IS Configuration............................................................................................................................................547
5.7.1 Example for Configuring Basic IS-IS Functions.....................................................................................................547
5.7.2 Example for Configuring IS-IS Route Aggregation................................................................................................554
5.7.3 Example for Configuring the DIS Election.............................................................................................................558
5.7.4 Example for Configuring IS-IS Load Balancing.....................................................................................................563
5.7.5 Example for Configuring Static BFD for IS-IS.......................................................................................................568
5.7.6 Example for Configuring Dynamic BFD for IS-IS.................................................................................................572
5.7.7 Example for Configuring IS-IS GR.........................................................................................................................579
5.8 IPv6 IS-IS Configuration............................................................................................................................................582
5.8.1 Example for Configuring Basic IS-IS IPv6 Functions............................................................................................582
5.9 BGP Configuration.....................................................................................................................................................588
5.9.1 Example for Configuring Basic BGP Functions.....................................................................................................589
5.9.2 Example for Configuring Basic BGP4+ Functions.................................................................................................594
5.9.3 Example for Configuring Basic MBGP Functions..................................................................................................600
5.9.4 Example for Configuring BGP to Interact With an IGP.........................................................................................608
5.9.5 Example for Configuring AS-Path Filter.................................................................................................................613
5.9.6 Example for Configuring MED Attributes to Control BGP Route Selection.........................................................618
5.9.7 Example for Configuring a BGP Route Reflector...................................................................................................623
5.9.8 Example for Configuring a BGP4+ Route Reflection.............................................................................................629
5.9.9 Example for Configuring a BGP Confederation.....................................................................................................634
5.9.10 Example for Configuring the BGP Community Attribute.....................................................................................641
5.9.11 Example for Configuring BGP Load Balancing....................................................................................................646
Issue 04 (2013-11-06) Huawei Proprietary and Confidential x

5.9.12 Example for Associating BGP with BFD..............................................................................................................651

5.9.13 Example for Configuring BGP GTSM..................................................................................................................656
5.10 Routing Policy Configuration...................................................................................................................................665
5.10.1 Example for Filtering the Routes to Be Received or Advertised..........................................................................665
5.10.2 Example for Applying a Routing Policy for Importing Routes.............................................................................670
6 IP Multicast.................................................................................................................................676
6.1 IGMP Configuration...................................................................................................................................................678
6.1.1 Example for Configuring Basic IGMP Functions...................................................................................................678
6.1.2 Example for Configuring a Static Multicast Group on an Interface........................................................................682
6.1.3 Example for Configuring IGMP SSM Mapping.....................................................................................................687
6.1.4 Example for Configuring IGMP Limit....................................................................................................................693
6.2 PIM-DM (IPv4) Configuration...................................................................................................................................698
6.2.1 Example for Configuring Basic PIM-DM Functions..............................................................................................698
6.3 PIM-SM (IPv4) Configuration...................................................................................................................................705
6.3.1 Example for Configuring PIM-SM in the ASM Model..........................................................................................705
6.3.2 Example for Configuring PIM-SM in the SSM Model...........................................................................................714
6.3.3 Example for Configuring PIM BFD........................................................................................................................723
6.4 MSDP Configuration..................................................................................................................................................726
6.4.1 Example for Configuring PIM-SM Inter-domain Multicast Using MSDP.............................................................726
6.4.2 Example for Configuring Inter-AS Multicast Using Static RPF Peers...................................................................736
6.4.3 Example for Configuring Anycast RP in a PIM-SM Domain.................................................................................745
6.4.4 Example for Configuring SA Message Filtering.....................................................................................................752
6.5 Multicast Route Management (IPv4) Configuration..................................................................................................760
6.5.1 Example for Configuring a Multicast Static Route to Change the RPF Route.......................................................760
6.5.2 Example for Configuring Multicast Static Routes to Connect RPF Routes............................................................765
6.5.3 Example for Configuring Multicast Load Splitting.................................................................................................771
6.6 VLAN-based IGMP Snooping Configuration............................................................................................................779
6.6.1 Example for Configuring VLAN-based IGMP Snooping.......................................................................................779
6.6.2 Example for Configuring VLAN-based Layer 2 Multicast Through Static Interfaces...........................................782
6.6.3 Example for Configuring an VLAN-based IGMP Snooping Querier.....................................................................786
6.6.4 Example for Configuring VLAN-based IGMP Snooping Proxy............................................................................790
6.6.5 Example for Configuring VLAN-based IGMP Snooping SSM Mapping..............................................................792
6.7 Configuring VSI-based IGMP Snooping...................................................................................................................795
6.7.1 Example for Configuring IGMP Snooping in a VSI...............................................................................................795
6.8 Static Multicast MAC Address Configuration...........................................................................................................801
6.9 Multicast VLAN Replication Configuration..............................................................................................................802
6.9.1 Example for Configuring 1-to-N Multicast Replication Based on User VLANs....................................................802
6.9.2 Example for Configuring N-to-N Multicast VLAN Replication Based on User VLANs.......................................804
6.9.3 Example for Configuring Interface-based Multicast VLAN Replication................................................................807
6.10 Controllable Multicast Configuration.......................................................................................................................810
6.10.1 Example for Configuring Controllable Multicast..................................................................................................810
Issue 04 (2013-11-06) Huawei Proprietary and Confidential xi

6.11 MLD Configuration..................................................................................................................................................814

6.11.1 Example for Configuring Basic MLD Functions..................................................................................................814
6.11.2 Example for Configuring the MLD Limit.............................................................................................................818
6.12 PIM-DM (IPv6) Configuration.................................................................................................................................821
6.12.1 Example for Configuring Basic PIM-DM (IPv6) Functions.................................................................................821
6.13 PIM-SM (IPv6) Configuration.................................................................................................................................828
6.13.1 Example for Configuring PIM-SM (IPv6) in the ASM Model.............................................................................828
6.13.2 Example for Configuring PIM-SM (IPv6) in the SSM Model..............................................................................838
6.14 Multicast Route Management (IPv6) Configuration................................................................................................847
6.14.1 Example for Configuring IPv6 Multicast Load Splitting......................................................................................847
6.15 MLD Snooping Configuration..................................................................................................................................856
6.15.1 Example for Configuring MLD Snooping.............................................................................................................856
6.15.2 Example for Configuring a Static Interface to Implement Layer 2 Multicast.......................................................859
6.15.3 Example for Configuring the MLD Snooping Querier.........................................................................................862
6.15.4 Example for Configuring MLD Snooping Proxy..................................................................................................866
6.15.5 Example for Configuring Prompt Leave for Interfaces.........................................................................................868
6.15.6 Example for Configuring MLD Snooping to Respond to Network Topology Change.........................................870
7 QoS...............................................................................................................................................878
7.1 Priority Mapping Configuration on the S5300HI, S5306, S5310EI, and S6300........................................................879
7.1.1 Example for Configuring Priority Mapping............................................................................................................879
7.2 Priority Mapping Configuration on S2350, S5300SI, S5300EI, and S5300LI..........................................................881
7.2.1 Example for Configuring Priority Mapping............................................................................................................881
7.3 Traffic Policing and Traffic Shaping Configurations.................................................................................................885
7.3.1 Example for Configuring Interface-based Traffic Policing.....................................................................................885
7.3.2 Example for Configuring Flow-based Traffic Policing...........................................................................................888
7.3.3 Example for Configuring Hierarchical Traffic Policing on the S5300HI, S5306, and S5310EI............................892
7.3.4 Example for Configuring Traffic Shaping on the S2350, S5300SI, S5300LI, and S5300EI..................................897
7.4 Congestion Avoidance and Congestion Management Configuration........................................................................900
7.4.1 Example for Configuring Congestion Management on the S2350, S5300SI, and S5300LI...................................900
7.4.2 Example for Configuring Congestion Avoidance and Congestion Management on the S5300EI..........................903
7.4.3 Example for Configuring Congestion Avoidance and Congestion Management on the S5300HI, S5306, and S6300
..........................................................................................................................................................................................906
7.5 MQC Configuration....................................................................................................................................................910
7.5.1 Example for Configuring Traffic Statistics.............................................................................................................910
7.5.2 Example for Configuring Priority Re-marking Based on Complex Traffic Classification.....................................913
7.5.3 Example for Configuring PBR................................................................................................................................917
7.5.4 Example for Configuring Packet Filtering..............................................................................................................921
8 Security........................................................................................................................................925
8.1 AAA Configuration....................................................................................................................................................927
8.1.1 Example for Configuring RADIUS Authentication and Accounting......................................................................927
8.1.2 Example for Configuring HWTACACS Authentication, Accounting, and Authorization.....................................930
Issue 04 (2013-11-06) Huawei Proprietary and Confidential xii

8.1.3 Example for Configuring Domain-based User Management..................................................................................933

8.2 NAC Configuration....................................................................................................................................................939
8.2.1 Example for Configuring 802.1x Authentication....................................................................................................939
8.2.2 Example for Configuring MAC Address Authentication........................................................................................943
8.2.3 Example for Configuring Portal Authentication.....................................................................................................946
8.3 ACL Configuration.....................................................................................................................................................951
8.3.1 Example for Configuring a Basic ACL to Limit Access to the FTP Server............................................................951
8.3.2 Example for Using an Advanced ACL to Configure Traffic Classifiers.................................................................953
8.3.3 Example for Using a Layer 2 ACL to Configure a Traffic Classifier.....................................................................958
8.3.4 Example for Using a User-defined ACL to Configure a Traffic Classifier.............................................................960
8.3.5 Example for Using an ACL6 to Configure a Traffic Classifier...............................................................................963
8.4 DHCP Snooping Configuration..................................................................................................................................965
8.4.1 Example for Configuring DHCP Snooping Attack Defense...................................................................................966
8.5 Local Attack Defense Configuration..........................................................................................................................970
8.5.1 Example for Configuring Local Attack Defense.....................................................................................................970
8.6 Attack Defense Configuration....................................................................................................................................973
8.6.1 Example for Configuring Attack Defense...............................................................................................................973
8.7 IPSG Configuration....................................................................................................................................................975
8.7.1 Example for Configuring IPSG...............................................................................................................................975
8.8 URPF Configuration...................................................................................................................................................977
8.8.1 Example for Configuring URPF..............................................................................................................................977
8.9 ARP Security Configuration.......................................................................................................................................979
8.9.1 Example for Configuring ARP Security Functions.................................................................................................979
8.9.2 Example for Configuring Defense Against ARP MITM Attacks...........................................................................983
8.10 MFF Configuration...................................................................................................................................................986
8.10.1 Example for Configuring MFF to Implement Layer 2 Isolation and Layer 3 Connection of Users.....................986
8.11 Traffic Suppression and Storm Control Configuration............................................................................................991
8.11.1 Example for Configuring Traffic Suppression......................................................................................................991
8.11.2 Example for Configuring Storm Control...............................................................................................................992
8.12 PPPoE+ Configuration.............................................................................................................................................994
8.12.1 Example for Configuring PPPoE+........................................................................................................................994
8.13 Keychain Configuration...........................................................................................................................................996
8.13.1 Example for Applying the Keychain to RIP..........................................................................................................997
8.13.2 Example for Applying the Keychain to BGP......................................................................................................1000
8.14 ND Snooping Configuration...................................................................................................................................1004
8.14.1 Example for Configuring ND Snooping..............................................................................................................1005
8.15 SAVI Configurations.............................................................................................................................................. 1008
8.15.1 Example for Configuring the SAVI Function in a DHCPv6-Only Scenario......................................................1008
8.15.2 Example for Configuring the SAVI Function in an SLAAC-Only Scenario......................................................1011
8.15.3 Example for Configuring the SAVI Function in a DHCPv6+SLAAC Scenario................................................1014
9 Reliability..................................................................................................................................1019
Issue 04 (2013-11-06) Huawei Proprietary and Confidential xiii

9.1 BFD Configuration...................................................................................................................................................1021

9.1.1 Example for Configuring Single-hop BFD for Detecting Faults on a Layer 2 Link.............................................1021
9.1.2 Example for Configuring Single-Hop BFD on a VLANIF Interface....................................................................1023
9.1.3 Example for Configuring Multi-Hop BFD............................................................................................................1026
9.1.4 Example for Associating the BFD Session Status with the Interface Status.........................................................1030
9.1.5 Example for Configuring Association Between a BFD Session and an Interface................................................1034
9.1.6 Example for Configuring the BFD Echo Function................................................................................................1041
9.2 VRRP Configuration................................................................................................................................................1044
9.2.1 Example for Configuring a VRRP Group in Active/Standby Mode.....................................................................1044
9.2.2 Example for Configuring a VRRP Group in Load Balancing Mode....................................................................1051
9.2.3 Example for Configuring Association Between VRRP and BFD to Implement a Rapid Active/Standby Switchover
........................................................................................................................................................................................1056
9.2.4 Example for Configuring a VRRP6 Group in Active/Standby Mode...................................................................1062
9.2.5 Example for Configuring a VRRP6 Group in Load Balancing Mode..................................................................1069
9.3 DLDP Configuration................................................................................................................................................1075
9.3.1 Example for Configuring DLDP to Detect a Disconnected Optical Fiber Link....................................................1075
9.3.2 Example for Configuring DLDP to Detect Cross-Connected Optical Fibers........................................................1077
9.4 Smart Link Configuration.........................................................................................................................................1080
9.4.1 Example for Configuring Load Balancing on a Smart Link Instance...................................................................1080
9.4.2 Example for Configuring the Integrated Application of Monitor Link and Smart Link.......................................1085
9.5 MAC Swap Loopback Configuration.......................................................................................................................1090
9.5.1 Example for Configuring Local MAC Swap Loopback........................................................................................1090
9.5.2 Example for Configuring Remote MAC Swap Loopback....................................................................................1092
9.6 EFM Configuration...................................................................................................................................................1094
9.6.1 Example for Configuring Basic EFM Functions...................................................................................................1094
9.6.2 Example for Configuring Association Between an EFM Module and an Interface..............................................1098
9.6.3 Example for Configuring Association Between EFM Modules............................................................................1100
9.7 CFM Configuration..................................................................................................................................................1103
9.7.1 Example for Configuring VLAN-based Ethernet CFM on a Layer 2 Network....................................................1104
9.7.2 Example for Associating Ethernet CFM with an Interface...................................................................................1108
9.7.3 Example for Configuring Association Between CFM Modules...........................................................................1115
9.7.4 Example for Configuring Association Between CFM and EFM..........................................................................1119
9.8 Y.1731 Configuration...............................................................................................................................................1124
9.8.1 Example for Configuring One-way Frame Delay Measurement in a VLAN........................................................1124
9.8.2 Example for Configuring Two-way Frame Delay Measurement in a VLAN.......................................................1127
9.8.3 Example for Configuring AIS...............................................................................................................................1130
9.9 ERPS (G.8032) Configuration..................................................................................................................................1136
9.9.1 Example for Configuring ERPS............................................................................................................................1136
9.9.2 Example for Configuring ERPS Multi-Instance....................................................................................................1142
9.10 RRPP Configuration...............................................................................................................................................1150
9.10.1 Example for Configuring a Single RRPP Ring with a Single Instance...............................................................1150
9.10.2 Example for Configuring Intersecting RRPP Rings with a Single Instance.......................................................1155
Issue 04 (2013-11-06) Huawei Proprietary and Confidential xiv

9.10.3 Example for Configuring Tangent RRPP Rings..................................................................................................1165

9.10.4 Example for Configuring a Single RRPP Ring with Multiple Instances............................................................1174
9.10.5 Example for Configuring Intersecting RRPP Rings with Multiple Instances.....................................................1183
9.10.6 Example for Configuring Tangent RRPP Rings with Multiple Instances...........................................................1200
10 Device Management.............................................................................................................1212
10.1 Energy-Saving Management..................................................................................................................................1214
10.1.1 Example for Configuring ALS............................................................................................................................1214
10.1.2 Example for Configuring Device Dormancy.......................................................................................................1215
10.2 Information Center Configuration..........................................................................................................................1218
10.2.1 Example for Outputting Logs to a Log Host.......................................................................................................1218
10.2.2 Example for Outputting Traps to the SNMP Agent............................................................................................1220
10.2.3 Example for Outputting Traps to the Console.....................................................................................................1223
10.3 USB-based Deployment Configuration..................................................................................................................1224
10.3.1 Example for Configuring USB-based Deployment.............................................................................................1224
10.4 EasyDeploy Configuration.....................................................................................................................................1225
10.4.1 Example for Deploying Unconfigured Devices Through the Commander.........................................................1226
10.4.2 Example for Replacing Faulty Devices Through the Commander......................................................................1230
10.4.3 Example for Implementing a Batch Upgrade Through the Commander.............................................................1233
10.4.4 Example for Deploying Unconfigured Devices Through Option Fields.............................................................1238
10.4.5 Example for Deploying Unconfigured Devices Through an Intermediate File..................................................1240
10.5 NAP Configuration.................................................................................................................................................1244
10.5.1 Example for Configuring NAP-based Remote Deployment...............................................................................1244
10.6 Mirroring Configuration.........................................................................................................................................1246
10.6.1 Example for Configuring Local Port Mirroring..................................................................................................1246
10.6.2 Example for Configuring Layer 2 Remote Port Mirroring..................................................................................1247
10.6.3 Example for Configuring Local Traffic Mirroring..............................................................................................1250
10.6.4 Example for Configuring Local VLAN Mirroring..............................................................................................1252
10.6.5 Example for Configuring Local MAC Address Mirroring..................................................................................1254
10.7 PoE Configuration..................................................................................................................................................1255
10.7.1 Example for Configuring PoE.............................................................................................................................1255
10.8 iStack Configuration...............................................................................................................................................1257
10.8.1 Example for Configuring the iStack Function.....................................................................................................1258
10.8.2 Example for Configuring MAD in Direct Mode.................................................................................................1261
10.8.3 Example for Configuring MAD in Relay Mode..................................................................................................1263
10.9 Configuring a Monitoring Interface.......................................................................................................................1265
10.9.1 Example for Configuring a Monitoring Interface................................................................................................1265
11 Network Management..........................................................................................................1268
11.1 SNMP Configuration..............................................................................................................................................1270
11.1.1 Example for Configuring a Switch to Communicate with NMSs Using SNMPv1.............................................1270
11.1.2 Example for Configuring a Switch to Communicate with an NMS Using SNMPv2c........................................1273
11.1.3 Example for Configuring a Switch to Communicate with an NMS Using SNMPv3.........................................1276
Issue 04 (2013-11-06) Huawei Proprietary and Confidential xv

11.2 RMON Configuration.............................................................................................................................................1280

11.2.1 Example for Configuring RMON........................................................................................................................1280
11.3 NTP Configuration.................................................................................................................................................1284
11.3.1 Example for Configuring Authenticated NTP Unicast Server/Client Mode.......................................................1285
11.3.2 Example for Configuring NTP Symmetric Peer Mode.......................................................................................1289
11.3.3 Example for Configuring Authenticated NTP Broadcast Mode..........................................................................1292
11.3.4 Example for Configuring NTP Multicast Mode..................................................................................................1297
11.4 Ping and Tracert Configuration..............................................................................................................................1301
11.4.1 Example for Performing Ping and Tracert Operations........................................................................................1301
11.5 NQA Configuration................................................................................................................................................1302
11.5.1 Example for Configuring a DNS Test Instance...................................................................................................1303
11.5.2 Example for Configuring an FTP Download Test Instance................................................................................1304
11.5.3 Example for Configuring an FTP Upload Test Instance.....................................................................................1307
11.5.4 Example for Configuring an HTTP Test Instance...............................................................................................1309
11.5.5 Example for Configuring an ICMP Test Instance...............................................................................................1311
11.5.6 Example for Configuring an ICMP Jitter Test Instance......................................................................................1313
11.5.7 Example for Configuring an SNMP Query Test Instance...................................................................................1315
11.5.8 Example for Configuring a TCP Test Instance...................................................................................................1318
11.5.9 Example for Configuring a Trace Test Instance..................................................................................................1320
11.5.10 Example for Configuring a UDP Test Instance.................................................................................................1322
11.5.11 Example for Configuring a UDP Jitter Test Instance........................................................................................1325
11.5.12 Example for Configuring the MAC Ping Test...................................................................................................1327
11.5.13 Example for Configuring MAC Ping to Detect the Connectivity of a VLAN network....................................1330
11.5.14 Example for Configuring the LSP Ping Test for a Common Tunnel................................................................1333
11.5.15 Example for Configuring the LSP Jitter Test for a Common Tunnel...............................................................1337
11.5.16 Example for Configuring the LSP Jitter Test for the MPLS TE Tunnel...........................................................1340
11.5.17 Example for Configuring the LSP Trace Test for the TE Tunnel.....................................................................1343
11.5.18 Example for Configuring the LSP Trace Test for Checking the CR-LSP Hotstandby Tunnel.........................1347
11.5.19 Example for Configuring the PWE3 Ping Test on a Single-Hop PW...............................................................1352
11.5.20 Example for Configuring the PWE3 Ping Test on a Multi-Hop PW................................................................1357
11.5.21 Example for Configuring the PWE3 Trace Test on a Single-Hop PW.............................................................1363
11.5.22 Example for Configuring the PWE3 Trace Test on a Multi-Hop PW...............................................................1367
11.5.23 Example for Sending Trap Massages to the NMS When the Threshold Is Exceeded......................................1374
11.6 LLDP Configuration...............................................................................................................................................1378
11.6.1 Example for Configuring LLDP on the Device That Has a Single Neighbor.....................................................1378
11.6.2 Example for Configuring LLDP on the Device That Has Multiple Neighbors...................................................1384
11.6.3 Example for Configuring LLDP on the Network with link aggregation configured..........................................1392
11.6.4 Example for Configuring CDP-Compatible LLDP.............................................................................................1398
11.6.5 Example for Configuring the Voice VLAN Capability of LLDP to Provide VoIP Service...............................1400
11.7 sFlow Overview......................................................................................................................................................1404
11.7.1 Example for Configuring sFlow..........................................................................................................................1404
Issue 04 (2013-11-06) Huawei Proprietary and Confidential xvi

11.8 Packet Capture Configuration................................................................................................................................1407

11.8.1 Example for Configuring Packet Capture Function............................................................................................1408
12 MPLS........................................................................................................................................1411
12.1 Static LSPs Configuration......................................................................................................................................1412
12.1.1 Example for Configuring Static LSPs.................................................................................................................1412
12.1.2 Example for Configuring Static BFD to Monitor Static LSPs............................................................................1419
12.2 MPLS LDP Configuration......................................................................................................................................1428
12.2.1 Example for Configuring Local LDP Sessions...................................................................................................1428
12.2.2 Example for Configuring Remote MPLS LDP Sessions.....................................................................................1432
12.2.3 Example for Configuring Automatic Triggering of a Request for a Label Mapping Message in DoD Mode
........................................................................................................................................................................................1436
12.2.4 Example for Configuring a Policy for Triggering LSP Establishment...............................................................1442
12.2.5 Example for Configuring a Policy for Triggering Transit LSP Establishment...................................................1446
12.2.6 Example for Disabling Devices from Distributing LDP Labels to Remote Peers..............................................1451
12.2.7 Example for Configuring Static BFD to Detect LDP LSPs................................................................................1459
12.2.8 Example for Configuring Dynamic BFD to Detect LDP LSPs...........................................................................1466
12.2.9 Example for Configuring Synchronization Between LDP and IGP....................................................................1471
12.2.10 Example for Configuring LDP GR....................................................................................................................1478
12.2.11 Example for Configuring LDP GTSM..............................................................................................................1483
12.2.12 Example for Configuring LDP Extension for Inter-Area LSP..........................................................................1486
12.2.13 Example for Configuring MPLS QoS...............................................................................................................1493
12.3 MPLS TE Configuration........................................................................................................................................1505
12.3.1 Example for Configuring a Static MPLS TE Tunnel..........................................................................................1505
12.3.2 Example for Configuring a Dynamic MPLS TE Tunnel.....................................................................................1510
12.3.3 Example for Setting Up CR-LSPs Using CR-LSP Attribute Templates.............................................................1516
12.3.4 Example for Configuring IGP Shortcut to Direct Traffic to an MPLS TE Tunnel.............................................1529
12.3.5 Example for Configuring Forwarding Adjacency to Direct Traffic to an MPLS TE Tunnel.............................1536
12.3.6 Example for Setting Attributes for an MPLS TE Tunnel....................................................................................1544
12.3.7 Example for Configuring Srefresh Based on Manual TE FRR...........................................................................1553
12.3.8 Example for Configuring RSVP Authentication.................................................................................................1561
12.3.9 Example for Configuring RSVP Authentication Based on Manual TE FRR......................................................1566
12.3.10 Example for Configuring SRLG Based on Auto TE FRR................................................................................1574
12.3.11 Example for Configuring SRLG Based on CR-LSP Hot Standby....................................................................1586
12.3.12 Example for Configuring CR-LSP Hot Standby...............................................................................................1596
12.3.13 Example for Configuring Manual TE FRR.......................................................................................................1606
12.3.14 Example for Configuring Auto TE FRR...........................................................................................................1618
12.3.15 Example for Configuring Association Between TE FRR and CR-LSP Backup...............................................1631
12.3.16 Example for Configuring an MPLS TE Tunnel Protection Group....................................................................1643
12.3.17 Example for Configuring Dynamic BFD for an MPLS TE Tunnel Protection Group......................................1651
12.3.18 Example for Configuring Static BFD for CR-LSPs..........................................................................................1657
12.3.19 Example for Configuring Dynamic BFD for CR-LSPs.....................................................................................1665
Issue 04 (2013-11-06) Huawei Proprietary and Confidential xvii

12.3.20 Example for Configuring RSVP GR.................................................................................................................1671
13 VPN..........................................................................................................................................1678
13.1 BGP MPLS IP VPN Configuration........................................................................................................................1679
13.1.1 Example for Configuring BGP/MPLS IP VPN...................................................................................................1679
13.1.2 Example for Configuring BGP/MPLS IP VPNs with Overlapping Address Spaces..........................................1691
13.1.3 Example for Configuring Communication Between Local VPNs......................................................................1702
13.1.4 Example for Configuring Hub and Spoke...........................................................................................................1707
13.1.5 Example for Configuring Inter-AS VPN Option A.............................................................................................1717
13.1.6 Example for Configuring an MCE......................................................................................................................1729
13.1.7 Example for Configuring an OSPF Sham Link...................................................................................................1742
13.1.8 Example for Configuring BGP AS Number Substitution...................................................................................1753
13.1.9 Example for Configuring CE Dual-Homing.......................................................................................................1760
13.1.10 Example for Configuring VPN FRR.................................................................................................................1776
13.1.11 Example for Configuring IP FRR for VPN Routes...........................................................................................1785
13.1.12 Example for Configuring Double RRs to Optimize the VPN Backbone Layer................................................1791
13.1.13 Example for Connecting a VPN to the Internet.................................................................................................1802
13.1.14 Example for Configuring a Tunnel Policy for an L3VPN.................................................................................1811
13.2 BGP/MPLS IPv6 VPN Configuration....................................................................................................................1824
13.2.1 Example for Configuring Basic BGP/MPLS IPv6 VPN.....................................................................................1824
13.2.2 Example for Configuring Hub and Spoke (Using BGP4+ Between the PE and CE).........................................1837
13.2.3 Example for Configuring Hub and Spoke (Using a Default Route Between Hub-PE and Hub-CE)..................1849
13.2.4 Example for Configuring Inter-AS IPv6 VPN Option A....................................................................................1861
13.2.5 Example for Configuring CE Dual-Homing.......................................................................................................1873
13.2.6 Example for Configuring a VPNv6 RR...............................................................................................................1890
13.3 VLL Configuration.................................................................................................................................................1898
13.3.1 Example for Configuring a Local CCC Connection...........................................................................................1898
13.3.2 Example for Configuring a Remote CCC Connection........................................................................................1901
13.3.3 Example for Configuring a VLL Connection in SVC Mode...............................................................................1907
13.3.4 Example for Configuring a VLL Connection in Martini Mode..........................................................................1913
13.3.5 Example for Configuring a Local VLL Connection in Kompella Mode.............................................................1919
13.3.6 Example for Configuring a Remote VLL Connection in Kompella Mode.........................................................1923
13.3.7 Example for Configuring Inter-AS Martini VLL (Option A).............................................................................1930
13.3.8 Example for Configuring Inter-AS Kompella VLL (Option A)..........................................................................1938
13.3.9 Example for Configuring Martini VLL FRR (Asymmetrically Connected CEs)...............................................1948
13.4 PWE3 Configuration..............................................................................................................................................1965
13.4.1 Example for Configuring a Dynamic Single-hop PW.........................................................................................1965
13.4.2 Example for Configuring a Static Multi-hop PW................................................................................................1972
13.4.3 Example for Configuring a Dynamic Multi-hop PW..........................................................................................1980
13.4.4 Example for Configuring a Mixed Multi-hop PW..............................................................................................1991
13.4.5 Example for Configuring Static BFD for PWs....................................................................................................2000
13.4.6 Example for Configuring Dynamic BFD for a Single-hop PW..........................................................................2017
Issue 04 (2013-11-06) Huawei Proprietary and Confidential xviii

13.4.7 Example for Configuring Dynamic BFD for a Multi-hop PW............................................................................2028

13.4.8 Example for Configuring Inter-AS PWE3-Option A..........................................................................................2041
13.5 VPLS Configuration...............................................................................................................................................2050
13.5.1 Example for Configuring Martini VPLS.............................................................................................................2050
13.5.2 Example for Configuring Kompella VPLS.........................................................................................................2057
13.5.3 Example for Configuring BGP AD VPLS..........................................................................................................2064
13.5.4 Example for Configuring VPLS over TE in Martini Mode.................................................................................2074
13.5.5 Example for Configuring LDP HVPLS...............................................................................................................2085
13.5.6 Example for Configuring Static VLLs to Access a VPLS Network...................................................................2093
13.5.7 Example for Configuring Dynamic VLLs to Access a VPLS Network..............................................................2105
13.5.8 Example for Configuring CE Dual-Homed Kompella VPLS.............................................................................2115
13.5.9 Example for Configuring Inter-AS Martini VPLS in OptionA Mode.................................................................2125
13.5.10 Example for Configuring Inter-AS Kompella VPLS in OptionA Mode...........................................................2134
14 Miscellaneous Configuration Examples...........................................................................2144

14.1 Example for Configuring MSTP and VRRP..........................................................................................................2145
14.2 Example for Configuring SEP and MSTP in Hybrid Networking.........................................................................2156
14.3 Example for Configuring a QinQ Termination Sub-interface to Access a VLL Network.....................................2164
14.4 Example for Configuring Users in a Super-VLAN to Request IP Addresses from DHCP Servers.......................2172
14.5 Example for Associating the BFD Session Status with the Interface Status..........................................................2183
14.6 Example for Configuring Load Balancing Between Active and Standby Links of a Smart Link Group..............2188
14.7 Example for Configuring Association Between VRRP and the Interface Status...................................................2193
14.8 Example for Configuring RRPP Snooping.............................................................................................................2203
14.9 Example for Deploying BGP/MPLS IP VPN and VPLS on One ISP Network.....................................................2211
14.10 Example for Deploying a High-Reliability Multi-Service VPN Network...........................................................2229
14.11 Example for Configuring a CSS to Transmit VoD and IPTV Data.....................................................................2245
14.12 Example for Configuring VRRP to Ensure Reliable Multicast Data Transmission.............................................2254
14.13 Example for Configuring Multicast VPN Access Through an MCE Device.......................................................2269
14.14 Example for Configuring Unicast and Multicast VLANs....................................................................................2284
Issue 04 (2013-11-06) Huawei Proprietary and Confidential xix

Typical Configuration Examples 1 Basic Configuration
1 Basic Configuration
About This Chapter
This document describes methods to use command line interface and to log in to the device, file
operations, and system startup configurations.
1.1 CLI Overview

Users perform configuration and routine maintenance on devices by running commands.
1.2 Logging In to the System for the First Time

This section describes how to log in to a new device to configure the device. You can log in
through the console port or mini USB port.
1.3 Configuring User Login

Users can log in to the device through a console port, Telnet, STelnet, or web to perform local
or remote device maintenance.
1.4 File Management

All files on the device are stored in storage devices and can be managed in multiple modes. The
current device can function as a client to access files on other devices.
1.5 Configuring System Startup

When the device is powered on, system software starts and configuration files are loaded. To
ensure smooth running of the device, manage system software and configuration files efficiently.
Issue 04 (2013-11-06) Huawei Proprietary and Confidential 1

1.1 CLI Overview

Users perform configuration and routine maintenance on devices by running commands.
1.1.1 Example for Using Tab
Networking Requirements
The user wants to enter commands in fast and convenient mode to facilitate completion of service
configurations. The device supports the function that the user enters the first character or first
several characters of the keyword and presses Tab to complete the keyword, which improves
input efficiency.
Configuration Roadmap
The configuration roadmap is as follows:
1. If there is only one match for the incomplete keyword, enter the incomplete keyword and
press Tab.
2. If there are several matches for the keyword, enter the incomplete keyword and press
Tab repeatedly until the desired keyword is displayed.
3. Enter the incorrect keyword and press Tab. In this case, the incorrect keyword remains
unchanged.
Use Tab if:
There Is Only One Match for an Incomplete Keyword
1. Enter an incomplete keyword.

[HUAWEI] info-
2. Press Tab.
The system replaces the entered keyword and displays it in a new line with the complete
keyword followed by a space.
[HUAWEI] info-center
There Are Several Matches for an Incomplete Keyword
# The keyword info-center can be followed by the following keywords. (The command output
provided here is used for reference only. The actual output information may differ from the
following information.)
[HUAWEI] info-center ?
channel Set the name of information channel
console Setting of console configuration
enable Enable the information center
filter-id Specify the configuration of the ID filtering table
local Setting of logging configuraitons except loghost
logbuffer Setting of log buffer configuration
loghost Setting of logging host configuration
monitor Setting of monitor configuration
rate-limit Specify the rate at which the information center
processes information
snmp Setting of snmp configuration

source Informational source setting

statistic-suppress Suppression that the first occurrence of an event is
always logged immediately, but subsequence identical
messages are suppressed
timestamp Set the time stamp type of information
trapbuffer Setting of trap buffer configuration
1. Enter an incomplete keyword.

[HUAWEI] info-center log
2. Press Tab.
The system displays the prefixes of all the matched keywords. In this example, the prefix
is log.
[HUAWEI] info-center loghost
Press Tab to switch from one matched keyword to another. In this case, the cursor closely
follows the end of a word.
[HUAWEI] info-center logbuffer
Stop pressing Tab when the desired keyword is displayed.
An Incorrect keyword Is Entered
1. Enter an incorrect keyword.

[HUAWEI] info-center loglog
2. Press Tab.
[HUAWEI] info-center loglog
The system displays information in a new line, but the keyword loglog remains unchanged
and there is no space between the cursor and the keyword, indicating that this keyword
does not exist.
1.2 Logging In to the System for the First Time

This section describes how to log in to a new device to configure the device. You can log in
through the console port or mini USB port.
NOTE
Only the S5300LI and S5310EI support login through the mini USB port. The S5300-28P-LI-BAT and
S5300-28P-LI-24S-BAT in the S5300LI series do not provide mini USB ports; therefore, they do not
support login through the mini USB port.
1.2.1 Example for Performing Basic Configuration on the Device at

First Login
After logging in to the device through the console port, perform basic device configuration, and
set the user level to 15 and authentication mode to AAA for users 0-4 who perform remote login
through Telnet.

Figure 1-1 Networking diagram for configuring the device through the console port
Console
Network
PC1 Switch PC2
1. Log in to the device through the console port.
NOTE
The HyperTerminal of Windows XP can be used as the terminal emulation software on the PC.
2. Configure the device.
Procedure
Step 1 Log in to the device from PC1 through the console port. For details, see Logging In Through
the Console Port.
Step 2 Configure the device.
# Set the system date, time, and time zone.

<HUAWEI> clock timezone BJ add 08:00:00
<HUAWEI> clock datetime 20:10:0 2012-07-26
# Set the device name and IP address of the management interface.

<HUAWEI> system-view
[HUAWEI] sysname Server
[Server] interface meth 0/0/1
[Server-MEth0/0/1] ip address 10.137.217.177 24
[Server-MEth0/0/1] quit
# Configure a default route for the device supposing that the device gateway address is
10.137.217.1.
[HUAWEI] ip route-static 0.0.0.0 0 10.137.217.1
# Set the user level and authentication mode for Telnet users.
[Server] user-interface vty 0 4
[Server-ui-vty0-4] user privilege level 15
[Server-ui-vty0-4] authentication-mode aaa
[Server-ui-vty0-4] quit
[Server] aaa
[Server-aaa] local-user admin1234 password cipher Helloworld@6789
[Server-aaa] local-user admin1234 privilege level 15
[Server-aaa] local-user admin1234 service-type telnet
[Server-aaa] quit
Step 3 Verify the configuration.
When completing the configuration, you can log in to the device through Telnet on PC2.
Access the command line interface of Windows XP and log in to the device through Telnet.

C:\Documents and Settings\Administrator> telnet 10.137.217.177
Press Enter. On the displayed login page, enter the user name and password. If the authentication
succeeds, the command line interface for the user view is displayed. (The following information
is only for reference.)
Login authentication
Username:admin1234
Password:
Info: The max number of VTY users is 20, and the number
of current VTY users on line is 1.
The current login time is 2012-07-26 20:10:05+08:00.
<Server>
----End
Configuration Files
Configuration file of the device
#
sysname Server
#
clock timezone BJ add 08:00:00
#
aaa
local-user admin1234 password cipher %@%@#N&)XdgB87~RcnU9upv6,.d;,uXe*#IeE-
ywBaSmj:\@.d>,%@%@
local-user admin1234 privilege level 15
local-user admin1234 service-type telnet
#
interface MEth0/0/1
ip address 10.137.217.177 255.255.255.0
#
ip route-static 0.0.0.0 0.0.0.0 10.137.217.1
#
user-interface vty 0 4
authentication-mode aaa
user privilege level 15
#
return
1.2.2 Example of Configuring the Console User Interface
Before logging in to the device using the console user interface to maintain the device locally,
a user can configure the attributes of the console user interface to ensure device security.
In this example, the level of console users is 15. The password authentication mode and
authentication password Helloworld@6789 are configured for console users to log in to the
device.
1. Configure the user level on the console user interface.

2. Configure the authentication mode and password on the console user interface.
Procedure
Step 1 Configure the user level on the console user interface.
[HUAWEI] user-interface console 0
[HUAWEI-ui-console0] user privilege level 15
Step 2 Configure the authentication mode and password on the console user interface.
[HUAWEI-ui-console0] authentication-mode password
[HUAWEI-ui-console0] set authentication password cipher Helloworld@6789
[HUAWEI-ui-console0] quit
After the console user interface is configured, users can use the console interface to log in to the
device in the password authentication mode to maintain the device locally. For details on how
to log in to the device see Logging In to the Device Through a Console Port.

# Run the quit command to disconnect the terminal from the device, connect the terminal to the
device using a console cable, and verify that the new password is valid.
# Run the user-interface console 0 command to enter the console interface view, and run the
display this command to check the configurations on the console interface.
[HUAWEI-ui-console0] display this
#
user-interface con 0
authentication-mode password
set authentication password cipher %@%@#N&)XdgB87~RcnU9upv6,.d;,uXe*#IeE-ywBaSmj:
\@.d>,%@%@
#
return
----End
Configuration File
#
\@.d>,%@%@
#
return
1.2.3 Example of Configuring a VTY User Interface
A user can use the VTY interface to log in to a remote device using Telnet. The device
administrator can configure the attributes of the VTY user interface to ensure device security.
In this example, the level of VTY users is 2. The password authentication mode and
authentication password Helloworld@6789 are configured for VTY users to log in to the device.
Only the user whose IP address is 10.1.1.1 can log in to the device.

If a user logs in to the device and does not perform an operation within 30 minutes, the user's
terminal disconnects from the device.
1. Configure the maximum number of concurrent VTY user interfaces to 8.

2. Configure restrictions on call-in and call-out permissions on the VTY user interface to
allow users at a specified address or address segment to log in to the device.
3. Configure terminal attributes on the VTY user interface.
4. Configure the user level on the VTY user interface.
5. Configure the authentication mode and password of the VTY user interface.
Procedure
Step 1 Configure the maximum number of concurrent VTY user interfaces.
[HUAWEI] user-interface maximum-vty 8
Step 2 Configure restrictions on call-in and call-out permissions on the VTY user interface.
[HUAWEI] acl 2000
[HUAWEI-acl-basic-2000] rule deny source 10.1.1.1 0
[HUAWEI-acl-basic-2000] rule permit source any
[HUAWEI-acl-basic-2000] quit
[HUAWEI] user-interface vty 0 7
[HUAWEI-ui-vty0-7] acl 2000 inbound
Step 3 Configure terminal attributes on the VTY user interface.

[HUAWEI-ui-vty0-7] shell
[HUAWEI-ui-vty0-7] idle-timeout 30
[HUAWEI-ui-vty0-7] screen-length 30
[HUAWEI-ui-vty0-7] history-command max-size 20
Step 4 Configure the user level on the VTY user interface.

[HUAWEI-ui-vty0-7] user privilege level 2
Step 5 Configure the authentication mode and password of the VTY user interface.
[HUAWEI-ui-vty0-7] authentication-mode password
[HUAWEI-ui-vty0-7] set authentication password cipher Helloworld@6789
[HUAWEI-ui-vty0-7] quit
After the VTY user interface is configured, users can log in to the device in the password
authentication mode using Telnet to maintain the device locally or remotely. For details on how
to log in to the device see Logging In to the Device Through Telnet.

# Connect the terminal to the device using Telnet, and verify that the new password is valid.
# Use 10.1.1.1 to log in to the device using Telnet. The login fails.
# Run the user-interface vty 0 7 command to enter the VTY interface view, and run the display
this command to check the configurations on the VTY interface.
[HUAWEI-ui-vty0-7] display this
#
user-interface maximum-vty 8

acl 2000 inbound

\@.d>,%@%@
history-command max-size 20
idle-timeout 30 0
screen-length 30
#
return
----End
Configuration File
#
acl number 2000
rule 5 deny source 10.1.1.1 0
rule 10 permit
#
acl 2000 inbound
\@.d>,%@%@
idle-timeout 30 0
screen-length 30
#
return
1.3 Configuring User Login

Users can log in to the device through a console port, Telnet, STelnet, or web to perform local
or remote device maintenance.
1.3.1 Example for Logging In to the Device Through a Console Port

When you cannot remotely log in to the device, you can perform local login through a console
port. If you log in to the device through a console port, only password authentication is required.
To improve security, use AAA on the console user interface.
Figure 1-2 Networking diagram of user login through a console port
PC Switch

1. Use the terminal simulation software to log in to the device through a console port.
2. Configure the authentication mode of the console user interface.
Procedure
Step 1 Use the terminal simulation software to log in to the device through a console port.
1. Insert the DB9 connector of the console cable delivered with the product to the 9-pin serial
port on the PC, and insert the RJ45 connector to the console port of the device, as shown
in Figure 1-3.
Figure 1-3 Connecting to the device through the console port
2. Start the terminal simulation software on the PC. Establish a connection, and set the
connected port and communication parameters.
NOTE
A PC may have multiple connection ports; therefore, the port connected through the console cable
is selected in this example. Generally, COM1 is selected.
If the serial port communication parameters of the device are modified, modify the communication
parameters on the PC accordingly (ensure that the parameter values are the same) and re-establish
the connection.
3. Press Enter until the system prompts you to enter the password. (The system will prompt
you to enter the user name and password in AAA authentication. The following information
is only for reference.)
Password:
You can run commands to configure the device. Enter a question mark (?) whenever you
need help.
Step 2 Configure the authentication mode of the console user interface.

[HUAWEI-ui-console0] authentication-mode aaa
[HUAWEI-ui-console0] user privilege level 15
[HUAWEI-ui-console0] quit
[HUAWEI] aaa

[HUAWEI-aaa] local-user admin1234 password cipher Helloworld@6789

[HUAWEI-aaa] local-user admin1234 privilege level 3
[HUAWEI-aaa] local-user admin1234 service-type terminal
After the preceding operations, you can re-log in to the device on the console user interface only
by entering the user name admin1234 and password Helloworld@6789.
----End
Configuration Files
#
aaa
ywBaSmj:\@.d>,%@%@
local-user admin1234 service-type terminal
#
#
return
1.3.2 Example for Logging In to the Device Through Telnet
As shown in Figure 1-4, the PC and the server (Huawei device) are reachable to each other. To
implement easy remote configuration and management of the device, configure AAA
authentication for Telnet users on the server and configure a security policy that allows only the
administrator to log in to the device.
Figure 1-4 Networking diagram of logging in to the device through Telnet
10.1.1.1/32 10.137.217.177/24
Network
PC Telnet Server
1. Configure the Telnet login mode to implement remote network device maintenance.
2. Configure the administrator's user name and password and the AAA authentication mode
to ensure that only the administrator can log in to the device.
3. Configure a security policy to ensure that the administrator's PC can be used to log in to
the device.

Procedure
Step 1 Set the server listening port number and enable the server function.
[HUAWEI] sysname Telnet Server
[Telnet Server] telnet server enable
[Telnet Server] telnet server port 1025
Step 2 Set the VTY user interface parameters.
# Set the maximum number of VTY user interfaces.

[Telnet Server] user-interface maximum-vty 8
# Set the IP address of the device to which the user is allowed to log in.
[Telnet Server] acl 2001
[Telnet Server-acl-basic-2001] rule permit source 10.1.1.1 0
[Telnet Server-acl-basic-2001] quit
[Telnet Server] user-interface vty 0 7
[Telnet Server-ui-vty0-7] acl 2001 inbound
# Configure the terminal attributes of the VTY user interface.

[Telnet Server-ui-vty0-7] shell
[Telnet Server-ui-vty0-7] idle-timeout 20
[Telnet Server-ui-vty0-7] screen-length 30
[Telnet Server-ui-vty0-7] history-command max-size 20
# Configure the user authentication mode of the VTY user interface.

[Telnet Server-ui-vty0-7] authentication-mode aaa
[Telnet Server-ui-vty0-7] quit
Step 3 Configure the login user information.
# Configure the login authentication mode.

[Telnet Server] aaa
[Telnet Server-aaa] local-user admin1234 password cipher Helloworld@6789
[Telnet Server-aaa] local-user admin1234 service-type telnet
[Telnet Server-aaa] local-user admin1234 privilege level 3
[Telnet Server-aaa] quit
Step 4 Configure the client login.
Enter commands at the command line prompt to log in to the device through Telnet.
C:\Documents and Settings\Administrator> telnet 10.137.217.177 1025
Press Enter, and enter the user name and password in the login window. If the authentication
is successful, the command line prompt of the user view is displayed. The user view
configuration environment is displayed.
Username:admin1234
Password:
<Telnet Server>
----End

Configuration Files
Telnet server configuration file
#
sysname Telnet Server
#
telnet server port 1025
#
acl number 2001
rule 5 permit source 10.1.1.1 0
#
aaa
ywBaSmj:\@.d>,%@%@
local-user admin1234 service-type telnet
#
acl 2001 inbound
idle-timeout 20 0
screen-length 30
#
return
1.3.3 Example for Logging In to the Device Through STelnet
As shown in Figure 1-5, users require secure remote login, but Telnet cannot provide a secure
authentication method. In this scenario, STelnet can be configured to ensure security of remote
login. PC1 and PC2 have reachable routes to the SSH server, and 10.137.217.203 is the IP address
of the management interface on the SSH server. Two login users client001 and client002 need
to be configured on the SSH server. PC1 uses the account of client001 to log in to the SSH server
through password authentication; PC2 uses the account of client002 to log in to the SSH server
through RSA authentication.
Figure 1-5 Networking diagram of logging in to the device through STelnet
10.137.217.203/16
Network Network
SSH Server PC2

PC1
1. Install the SSH server software on PC1. Install the key pair generation software, public key
conversion software, and SSH server login software on PC2.

2. Generate a local key pair on the SSH server to implement secure data exchange between
the server and client.
3. Configure different authentication modes for the SSH users client001 and client002 on the
SSH server.
4. Enable the STelnet service on the SSH server.
5. Configure the STelnet server type for the SSH users client001 and client002 on the SSH
server.
6. Log in to the SSH server as the client001 and client002 users through STelnet.
Procedure
Step 1 Generate a local key pair on the server.
[HUAWEI] sysname SSH Server
[SSH Server] rsa local-key-pair create
The key name will be: SSH Server_Host
The range of public key size is (512 ~ 2048).
NOTES: If the key modulus is greater than 512,
it will take a few minutes.
Input the bits in the modulus[default = 2048]:1024
Generating keys...
......................++++++++
........................................................++++++++
........+++++++++
.....+++++++++
Step 2 Create an SSH user on the server.
# Configure the VTY user interface.

[SSH Server] user-interface vty 0 4
[SSH Server-ui-vty0-4] authentication-mode aaa
[SSH Server-ui-vty0-4] protocol inbound all
[SSH Server-ui-vty0-4] user privilege level 5
[SSH Server-ui-vty0-4] quit
l Create an SSH user named client001.

# Create an SSH user named client001 and configure the password authentication mode for
the user.
[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher Huawei@123
[SSH Server-aaa] local-user client001 privilege level 3
[SSH Server-aaa] local-user client001 service-type ssh
[SSH Server-aaa] quit
[SSH Server] ssh user client001 authentication-type password

# Create an SSH user named client002 and configure the RSA authentication mode for the
user.
[SSH Server] ssh user client002 authentication-type rsa
# Generate a local key pair of the client on PC2.
1. Run puttygen.exe on the client. It is used to generate the public and private key files.
Select SSH2 RSA and click Generate. By moving the cursor in the blank area, you can
find that the key is being generated.

Figure 1-6 PuTTY Key Generate page (1)
After the key is generated, click save public key to save the key in the key.pub file.

Click save private key. The PuTTYgen Warning dialog box is displayed. Click
Yes. The private key is saved in the private.ppk file.

2. Run sshkey.exe on the client. Convert the generated public key to the character string
required for the device.
Open the key.pub file.
Figure 1-9 ssh key converter page (1)
Click Convert(C). You can see the public keys before and after conversion.

Figure 1-10 ssh key converter page (2)
# Enter the RSA public key generated on PC2 to the SSH server.
[SSH Server] rsa peer-public-key rsakey001
Enter "RSA public key" view, return system view with "peer-public-key end".
[SSH Server-rsa-public-key] public-key-code begin
Enter "RSA key code" view, return last view with "public-key-code end".
[SSH Server-rsa-key-code] 30818702 818100CD 1ACDD096 5E779319 F6A88F9E E7669F0A
[SSH Server-rsa-key-code] 5F898844 09961F38 7215B1D6 98380C6E B4A52BEF B421023D
[SSH Server-rsa-key-code] 3E6F9732 69FB08B8 2713BE30 8F587C07 80B37D5C 5D3D4E61
[SSH Server-rsa-key-code] 8F30F514 AEC917F8 F6D91F90 948D89CD F5E4ED58 E24AE5E7
[SSH Server-rsa-key-code] 6CA9CB13 713680AC C24265DA 33D4E7B2 B80A4CD9 FE897BC5
[SSH Server-rsa-key-code] 457A8D31 23B82692 93F3D7CE EFE74102 0125
[SSH Server-rsa-key-code] public-key-code end
[SSH Server-rsa-public-key] peer-public-key end
# Bind the RSA public key of the STelnet client to the SSH user client002 on the SSH server.
[SSH Server] ssh user client002 assign rsa-key rsakey001
Step 3 Enable the STelnet service on the SSH server.
# Enable the STelnet service.

[SSH Server] stelnet server enable
Step 4 Configure the STelnet service type for the client001 and client002 users.
[SSH Server] ssh user client001 service-type stelnet

l Log in to the SSH server as the client001 user from PC1 using the password authentication
mode.
# Use the PuTTY software to log in to the device, enter the device IP address, and select the
SSH protocol type.
Figure 1-11 PuTTY Configuration page - password authentication mode
# Click Open. Enter the user name and password at the prompt, and press Enter. You have
logged in to the SSH server.
login as: client001
Sent username "client001"
client001@10.137.217.203's password:


The current login time is 2012-08-06 09:35:28.
<SSH Server>
l Log in to the SSH server as the client002 user from PC2 using the RSA authentication mode.
# Use the PuTTY software to log in to the device, enter the device IP address, and select the
SSH protocol type.
Figure 1-12 PuTTY Configuration page - RSA authentication mode (1)
# Choose Connection > SSH in the navigation tree. The page shown in Figure 1-13 is
displayed. Select 2 for Preferred SSH protocol version

# Choose Connection > SSH > Auth in the navigation tree. The page shown in Figure
1-14 is displayed. Select the private.ppk file corresponding to the public key configured on
the server.

# Click Open. Enter the user name at the prompt, and press Enter. You have logged in to
the SSH server.
login as: client002
Authenticating with public key "rsa-key"

<SSH Server>
----End
Configuration Files
SSH server configuration file
#
sysname SSH Server
#
rsa peer-public-key rsakey001
public-key-code begin
308186

028180
CD1ACDD0 965E7793 19F6A88F 9EE7669F 0A5F8988 4409961F 387215B1 D698380C
6EB4A52B EFB42102 3D3E6F97 3269FB08 B82713BE 308F587C 0780B37D 5C5D3D4E
618F30F5 14AEC917 F8F6D91F 90948D89 CDF5E4ED 58E24AE5 E76CA9CB 13713680
ACC24265 DA33D4E7 B2B80A4C D9FE897B C5457A8D 3123B826 9293F3D7 CEEFE741
0201
25
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher %@%@~)5r!#>ZoLU0T^*IoFR'i_^*%@%@
local-user client001 privilege level 3
local-user client001 service-type ssh
#
stelnet server enable
ssh user client001
ssh user client001 authentication-type password
ssh user client001 service-type stelnet
ssh user client002
ssh user client002 authentication-type rsa
ssh user client002 assign rsa-key rsakey001
#
protocol inbound ssh
#
return
1.3.4 Example for Logging In to the Device Through the Web System
As shown in Figure 1-15, the device is logged in through HTTP from a PC and the device works
as the web server to implement the graphical user management and device maintenance.
Figure 1-15 Networking diagram of logging in to the device through HTTP
192.168.0.1/24
Network
PC HTTP Server
1. Upload the web page file.

2. Load the web page file.
3. Enable the HTTPS/HTTP service and configure an HTTP user.
4. Log in to the web system.

Procedure
Step 1 Upload the web page file.
# Enable the FTP service.
[HUAWEI] sysname HTTP-Server
[HTTP-Server] ftp server enable
# Configure the FTP user verification information, and authentication mode and directory.
[HTTP-Server] aaa
[HTTP-Server-aaa] local-user huawei password cipher hello@123
[HTTP-Server-aaa] local-user huawei service-type ftp
[HTTP-Server-aaa] local-user huawei privilege level 15
[HTTP-Server-aaa] local-user huawei ftp-directory flash:
[HTTP-Server-aaa] quit
[HTTP-Server] quit
# Upload the web page file to the HTTP server from the user terminal. (The operation details
are not provided here.)
After the preceding operations are completed, run the dir command on the HTTP server to check
the web page file that have been uploaded.
<HTTP-Server> dir
Directory of flash:/
Idx Attr Size(Byte) Date Time FileName

0 -rw- 524,558 Apr 14 2011 16:24:39 private-data.txt
1 -rw- 1,302 Apr 14 2011 19:22:30 back_time_a
2 -rw- 951 Apr 14 2011 19:22:35 back_time_b
3 drw- - Apr 09 2011 19:46:14 src
4 -rw- 421 Apr 09 2011 19:46:14 vrpcfg.zip
5 -rw- 1,308,478 Apr 14 2011 19:22:45 webtest.7z
6 drw- - Apr 10 2011 01:35:54 logfile
7 -rw- 4 Apr 14 2011 04:56:35 snmpnotilog.txt
8 drw- - Apr 11 2011 16:18:53 security
9 drw- - Apr 13 2011 11:37:40 lam
...
65,233 KB total (7,289 KB free)
Step 2 Load the web page file.

<HTTP-Server> system-view
[HTTP-Server] http server load webtest.7z
Step 3 Enable the HTTPS/HTTP service and configure an HTTP user.

# Enable the HTTPS and HTTP services.
[HTTP-Server] http secure-server enable
[HTTP-Server] http server enable
# Configure an HTTP user.

[HTTP-Server] aaa
[HTTP-Server-aaa] local-user admin password cipher huawei
[HTTP-Server-aaa] local-user admin privilege level 15
[HTTP-Server-aaa] local-user admin service-type http
[HTTP-Server-aaa] quit
Step 4 Log in to the web system.

Open the web browser on the PC, enter http://192.168.0.1 in the address box, and press
Enter. The Login dialog box is displayed, as shown in Figure 1-16.

Figure 1-16 Login page
Enter the correct HTTP user name, password, and verification code, and click Login or press
Enter. The home page of the web system is displayed.
# Run the display http server command on the HTTP server to check the HTTP server status.
[HTTP-Server] display http server
HTTP Server Status : enabled
HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 1
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : Default
----End
Configuration Files of the HTTP Server

#
sysname HTTP-Server
#
FTP server enable
#
http server load webtest.7z
#
aaa
local-user admin password cipher %@%@#N&)XdgB87~RcnU9upv6,.d;,uXe*#IeE-ywBaSmj:
\@.d>,%@%@
local-user admin privilege level 15
local-user admin service-type http
local-user huawei password cipher %@%@d!<oHRKqQUj}R[>jpxNT\E)>%@%@
local-user huawei privilege level 15
local-user huawei ftp-directory flash:
local-user huawei service-type ftp
#
return

1.3.5 Example for Logging In to the Device Through the Safe Web
System
HTTP enables the device supporting the web system to function as a web server. You can log
in to this device using HTTP and manage the device on web pages. HTTP cannot authenticate
web servers or encrypt data, so it cannot protect data privacy or security. HTTPS is used on
devices to provide encrypted communication and secure identification of web servers.
As shown in Figure 1-17, an SSL policy is configured on the device that works as an HTTP
server. After the digital certificate is loaded and the HTTPS service is enabled on the device,
you can log in to the device through HTTPS and manage the device on web pages.(Use the
certificate form the CA and manually configure an SSL policy.)
Figure 1-17 Networking diagram of logging in to the device through HTTPS
192.168.0.1/24
Network
PC HTTPS Server
1. Upload the digital certificate and web page file saved in the PC to the device that works as
the HTTPS server.
2. Copy the digital certificate from the root directory on the HTTPS server to the security
subdirectory, configure the SSL policy, and load the digital certificate.
3. Load the web page file.
4. Enable the HTTPS service and configure an HTTP user.
5. Log in to the web system.
Procedure
Step 1 Upload the digital certificate and web page file.
# Enable the FTP service.
[HUAWEI] sysname HTTPS-Server
[HTTPS-Server] ftp server enable
# Configure the FTP user verification information, and authentication mode and directory.
[HTTPS-Server] aaa
[HTTPS-Server-aaa] local-user huawei password cipher hello@123
[HTTPS-Server-aaa] local-user huawei service-type ftp
[HTTPS-Server-aaa] local-user huawei privilege level 15
[HTTPS-Server-aaa] local-user huawei ftp-directory flash:

[HTTPS-Server-aaa] quit
[HTTPS-Server] quit
# Open the command line window on the PC, run the ftp 192.168.0.1 command to set up an FTP
connection with the device, and then run the put command to upload the digital certificate and
web page file to the device.
You can run the dir command on the HTTP server to check the digital certificate and web page
file that have been uploaded.
<HTTPS-Server> dir

0 -rw- 524,558 Apr 14 2011 16:24:39 private-data.txt
1 -rw- 1,302 Apr 14 2011 19:22:30 1_servercert_pem_rsa.pem
2 -rw- 951 Apr 14 2011 19:22:35 1_serverkey_pem_rsa.pem
3 drw- - Apr 09 2011 19:46:14 src
4 -rw- 421 Apr 09 2011 19:46:14 vrpcfg.zip
5 -rw- 1,308,478 Apr 14 2011 19:22:45 web001.7z
6 drw- - Apr 10 2011 01:35:54 logfile
8 drw- - Apr 11 2011 16:18:53 security
9 drw- - Apr 13 2011 11:37:40 lam
...
Step 2 Configure the SSL policy and load the digital certificate.
# Create the security subdirectory and copy the certificates from the CA to the subdirectory.
<HTTPS-Server> mkdir security/
<HTTPS-Server> copy 1_servercert_pem_rsa.pem security/
<HTTPS-Server> copy 1_serverkey_pem_rsa.pem security/
You can run the dir command in the security subdirectory to check the digital certificate.
<HTTPS-Server> cd security/
<HTTPS-Server> dir
Directory of flash:/security/

0 -rw- 1,302 Apr 13 2011 14:29:31 1_servercert_pem_rsa.pem
1 -rw- 951 Apr 13 2011 14:29:49 1_serverkey_pem_rsa.pem
# Create the SSL policy and load the digital certificate in the PEM format.
<HTTPS-Server> system-view
[HTTPS-Server] ssl policy http_server
[HTTPS-Server-ssl-policy-http_server] certificate load pem-cert
1_servercert_pem_rsa.pem key-pair rsa key-file 1_serverkey_pem_rsa.pem auth-code
cipher 123456
[HTTPS-Server-ssl-policy-http_server] quit
You can run the display ssl policy command on the HTTPS server to check the details about
the digital certificate that has been loaded.
[HTTPS-Server] display ssl policy
SSL Policy Name: http_server
Policy Applicants:
Key-pair Type: RSA
Certificate File Type: PEM
Certificate Type: certificate
Certificate Filename: 1_servercert_pem_rsa.pem

Key-file Filename: 1_serverkey_pem_rsa.pem

Auth-code: 123456
MAC:
CRL File:
Trusted-CA File:
Step 3 Load the web page file.

[HTTPS-Server] http server load web001.7z
Step 4 Enable the HTTPS service and configure an HTTP user.

# Enable the HTTPS service.
[HTTPS-Server] http secure-server ssl-policy http_server
[HTTPS-Server] http secure-server enable
# Configure an HTTP user.

[HTTPS-Server] aaa
[HTTPS-Server-aaa] local-user admin password cipher huawei
[HTTPS-Server-aaa] local-user admin privilege level 15
[HTTPS-Server-aaa] local-user admin service-type http
[HTTPS-Server-aaa] quit
Step 5 Log in to the web system.

Open the web browser on the PC, enter https://192.168.0.1 in the address box, and press
Enter. The Login dialog box is displayed, as shown in Figure 1-18.
Figure 1-18 Login page
Enter the correct HTTP user name, password, and verification code, and click Login or press
Enter. The home page of the web system is displayed.
# Run the display http server command on the HTTPS server to check the SSL policy name
and HTTPS server status.
[HTTPS-Server] display http server

HTTP Server Status : disabled

HTTP Server Port : 80(80)
HTTP Timeout Interval : 20
Current Online Users : 1
Maximum Users Allowed : 5
HTTP Secure-server Status : enabled
HTTP Secure-server Port : 443(443)
HTTP SSL Policy : http_server
----End
Configuration Files of the HTTPS Server

#
sysname HTTPS-Server
#
FTP server enable
#
http server load web001.7z
http secure-server ssl-policy http_server
#
aaa
\@.d>,%@%@
local-user huawei password cipher %@%@d!<oHRKqQUj}R[>jpxNT\E)>%@%@
#
ssl policy http_server
certificate load pem-cert 1_servercert_pem_rsa.pem key-pair rsa key-file
1_serverkey_pem_rsa.pem auth-code cipher %@%@"DlqKik*GE*~ù4H+LFJ(K-=%@%@
#
return
1.3.6 Example for Configuring the Device as the Telnet Client to Log
In to Another Device
As shown in Figure 1-19, the PC and Switch1 have reachable routes to each other; Switch1 and
Switch2 have reachable routes to each other. The user needs to manage and maintain Switch2
remotely. However, the PC cannot directly log in to Switch2 through Telnet because it has no
reachable route to Switch2. The user can log in to Switch1 through Telnet, and then log in to
Switch2 from Switch1. To prevent unauthorized devices from logging in to Switch2 through
Telnet, an ACL needs to be configured to allow only the Telnet connection from Switch1 to
Switch2.

Figure 1-19 Networking diagram of configuring the device as the Telnet client to log in to
another device
Session Session
1.1.1.1/24 2.1.1.1/24
Network Network
PC Switch1 Switch2
1. Configure the Telnet authentication mode and password on Switch2.

2. Configure the Switch2 to allow Switch1 access with ACL.
3. Log in to Switch2 from Switch1 through Telnet.
Procedure
Step 1 Configure the Telnet authentication mode and password on Switch2.
[HUAWEI] sysname Switch2
[Switch2] user-interface vty 0 4
[Switch2-ui-vty0-4] user privilege level 15
[Switch2-ui-vty0-4] authentication-mode password
[Switch2-ui-vty0-4] set authentication password cipher huawei2012
[Switch2-ui-vty0-4] quit
Step 2 Configure the Switch2 to allow Switch1 access with ACL.

[Switch2] acl 2000
[Switch2-acl-basic-2000] rule permit source 1.1.1.1 0
[Switch2-acl-basic-2000] quit
[Switch2] user-interface vty 0 4
[Switch2-ui-vty0-4] acl 2000 inbound
[Switch2-ui-vty0-4] quit
NOTE
It is optional to configure an ACL for Telnet services.
# After the preceding configuration, you can log in to Switch2 from Switch1 through Telnet.
You cannot log in to Switch2 from other devices.
[Switch1] quit
<Switch1> telnet 2.1.1.1
Trying 2.1.1.1 ...
Press CTRL+K to abort
Connected to 2.1.1.1 ...

Password:
The current login time is 2012-10-05 02:46:05-05:13.
<Switch2>
----End
Configuration Files
Switch2 configuration file
#
sysname Switch2
#
acl number 2000
#
acl 2000 inbound
\@.d>,%@%@
#
return
1.3.7 Example for Configuring the Device as the STelnet Client to

Log In to Another Device
The enterprise requires that secure data exchange should be performed between the server and
client. As shown in Figure 1-20, two login users client001 and client002 are configured and
they use the password and RSA authentication modes respectively to log in to the SSH server.
A new port number is configured and the default port number is not used.
Figure 1-20 Networking diagram of logging in to another device through STelnet

SSH Server
10.1.1.1/16
10.1.2.2/16 10.1.3.3/16
Client001 Client002

2. Configure different authentication modes for the SSH users client001 and client002 on the
SSH server.
3. Enable the STelnet service on the SSH server.
4. Configure the STelnet server type for the SSH users client001 and client002 on the SSH
server.
5. Set the SSH server listening port number on the SSH server to prevent attackers from
accessing the SSH service standard port and ensure security.
6. Log in to the SSH server as the client001 and client002 users through STelnet.
Procedure
Step 1 Generate a local key pair on the server.
Generating keys...
......................++++++++
........................................................++++++++
........+++++++++
.....+++++++++
Step 2 Create an SSH user on the server.


# Create an SSH user named client001 and configure the password authentication mode for
the user.
[SSH Server] aaa
[SSH Server] ssh user client001

# Create an SSH user named client002 and configure the RSA authentication mode for the
user.
# Generate a local key pair for Client002.

[HUAWEI] sysname client002

[client002] rsa local-key-pair create

The key name will be: client002_Host
Generating keys...
......................++++++++
........................................................++++++++
........+++++++++
.....+++++++++
# Check the public key in the RSA key pair generated on the client.
[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 2012-05-03 17:07:29+00:00
Key name: client002_Host
Key type: RSA encryption Key
=====================================================
Key code:
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203
010001
Host public key for PEM format code:

---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQDOA7vPdHr+mR9lCZXI8loF3ws7eewGCPcB
r2tt9HlGdXKY5waGdDwgJMtvI+5B7/9bZb+tADLHiubqAVLwDpf5
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDOA7vPdHr
+mR9lCZXI8loF3ws7eewGCPcBr2tt9HlG
dXKY5waGdDwgJMtvI+5B7/9bZb+tADLHiubqAVLwDpf5 rsa-key
=====================================================
Time of Key pair created: 2012-05-03 17:07:45+00:00
Key name: client002_Server
=====================================================
Key code:
3067
0260
D1792921 5DFF9F87 EB606267 227BD303 379EF5F9
E987B7BC A408A692 14E71149 FC32F8FB A790684E
0441DFB0 1C3125D8 4E097F47 76E57B18 65CF46FC
914DBF53 43F5AAA3 BAB1A6D9 5C0EBA4F 16DC4A36
D54EE51E C91E08E4 93127550 874EA1BB
0203
010001
# Configure the RSA public key on the SSH server. (Information in bold in the display
command output is the RSA public key. Copy the information to the server.)
[SSH Server-rsa-key-code] 308188

[SSH Server-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB

[SSH Server-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[SSH Server-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[SSH Server-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[SSH Server-rsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[SSH Server-rsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[SSH Server-rsa-key-code] 171896FB 1FFC38CD
# Bind the RSA public key of the STelnet client to the SSH user client002 on the SSH server.
Step 3 Enable the STelnet service on the SSH server.
# Enable the STelnet service.

[SSH Server] stelnet server enable
Step 4 Configure the STelnet service type for the client001 and client002 users.
Step 5 Configure a new listening port number on the SSH server.

[SSH Server] ssh server port 1025
Step 6 Connect the STelnet client to the SSH server.
# Enable the first authentication function on the SSH client upon the first login.
Enable the first authentication function for Client001.

[client001] ssh client first-time enable
Enable the first authentication function for Client002.

# Log in to the SSH server from Client001 in password authentication mode by entering the user
name and password.
[client001] stelnet 10.1.1.1 1025
Please input the username:client001
Trying 10.1.1.1 ...
The server is not authenticated. Continue to access it?[Y/N]:y
Save the server's public key?[Y/N]:y
The server's public key will be saved with the name 10.1.1.1. Please wait...
Enter password:
Enter the password. The following information indicates that you have logged in successfully:
<SSH Server>
# Log in to the SSH server from Client002 in RSA authentication mode.

[client002] stelnet 10.1.1.1 1025

Please input the username: client002

Trying 10.1.1.1 ...

<SSH Server>
If the user view is displayed, you have logged in successfully. If the message "Session is
disconnected" is displayed, the login fails.
Attackers fail to log in to the SSH server using the default listening port number 22.
[client002] stelnet 10.1.1.1
Please input the username:client002
Trying 10.1.1.1 ...
Error: Failed to connect to the remote host.
Run the display ssh server status and display ssh server session commands. You can see that
the STelnet service has been enabled and the STelnet clients have logged in to the server
successfully.
# Check the status of the SSH server.
[SSH Server] display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Disable
Stelnet server :Enable
Scp server :Disable
SSH server port :1025
SSH server source :0.0.0.0
# Check the SSH server connections.

[SSH Server] display ssh server session
Session 1:
Conn : VTY 3
Version : 2.0
State : started
Username : client001
Retry : 1
CTOS Cipher : aes128-cbc
STOC Cipher : aes128-cbc
CTOS Hmac : hmac-sha1-96
STOC Hmac : hmac-sha1-96
CTOS Compress : none
STOC Compress : none
Kex : diffie-hellman-group1-sha1
Public Key : rsa
Service Type : stelnet
Authentication Type : password
Session 2:
Conn : VTY 4
Version : 2.0
State : started

Retry : 1
Public Key : rsa
Authentication Type : rsa
# Check information about SSH users.

[SSH Server] display ssh user-information
User 1:
User Name : client001
Authentication-type : password
User-public-key-name : -
User-public-key-type : -
Sftp-directory : -
Service-type : stelnet
Authorization-cmd : No
User 2:
Authentication-type : rsa
User-public-key-name : rsakey001
User-public-key-type : rsa
Sftp-directory : -
Service-type : stelnet
----End
Configuration Files
l SSH server configuration file
#
sysname SSH Server
#
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
aaa
local-user client001 password cipher %@%@#N&)XdgB87~RcnU9upv6,.d;,uXe*#IeE-
ywBaSmj:\@.d>,%@%@
#
ssh server port 1025
ssh user client001
ssh user client002


#
#
return
l Client001 configuration file

#
sysname client001
#
ssh client first-time enable
#
return
l Client002 configuration file

#
sysname client002
#
#
return
1.3.8 Example for Configuring the Public SSH Client to Log In to

the Private SSH Server
The VPN multi-instance function enables an SSH client on the public network to log in to the
device that works as the SSH server on the private network. An IP address can be duplicate in
different VPN instances. Before logging in to a certain device, you must specify a VPN instance
for the device.
As shown in Figure 1-21, the PE3 user on the public network can perform secure login to CE1
and CE2 that enable the SSH service in the VPN. The PE3 user creates two VPN instance VPN1
and VPN2, and the VPN instances on the public and private networks are connected.
Figure 1-21 Networking diagram of configuring the public SSH client to log in to the private
SSH server
SSH Server2
VPN 1 10.1.2.2/24
CE2 VPN 2
Site CE3 MPLS backbone Site
P P
PE2
PE3
SSH Client
10.1.3.3/24
PE1
P VPN 1
VPN 2 CE4 P CE1 Site
Site SSH Server1
10.1.1.1/24

1. Generate a local key pair on SSH Server1. Create an SSH user user1 and configure the
password authentication mode for the user to implement secure data exchange on the server
and client.
2. Enable the STelnet service on SSH Server1.
3. Configure the STelnet service type for the SSH user on SSH Server1.
4. Generate a local key pair on SSH Server2. Create an SSH user user2 and configure the
RSA authentication mode for the user to implement secure data exchange on the server and
client.
5. Enable the STelnet service on SSH Server2.
6. Configure the STelnet service type for the SSH user on SSH Server2.
7. Enable the first authentication function on SSH Client to ensure that the first-time
connection is successful.
8. Log in to the SSH server on the private network through STelnet from SSH Client on the
public network.
Procedure
Step 1 Generate a key pair on SSH Server1. Create an SSH user user1 and configure the password
authentication mode for the user.
[HUAWEI] sysname SSH Server1
[SSH Server1] rsa local-key-pair create
The key name will be: SSH Server1_Host
Generating keys...
......................++++++++
........................................................++++++++
........+++++++++
.....+++++++++
[SSH Server1] user-interface vty 0 4
[SSH Server1-ui-vty0-4] authentication-mode aaa
[SSH Server1-ui-vty0-4] protocol inbound ssh
[SSH Server1-ui-vty0-4] user privilege level 5
[SSH Server1-ui-vty0-4] quit
[SSH Server1] ssh user user1
[SSH Server1] ssh user user1 authentication-type password
[SSH Server1] aaa
[SSH Server1-aaa] local-user user1 password cipher huawei@123
[SSH Server1-aaa] local-user user1 privilege level 3
[SSH Server1-aaa] local-user user1 service-type ssh
[SSH Server1-aaa] quit
Step 2 Enable the STelnet service on SSH Server1.

[SSH Server1] stelnet server enable
Step 3 Configure the STelnet service type for the SSH user on SSH Server1.
[SSH Server1] ssh user user1 service-type stelnet

Step 4 Generate a key pair on SSH Server2. Create an SSH user user2 and configure the RSA
authentication mode for the user.
[HUAWEI] sysname SSH Server2
[SSH Server2] rsa local-key-pair create
The key name will be: SSH Server2_Host
Generating keys...
......................++++++++
........................................................++++++++
........+++++++++
.....+++++++++
[SSH Server2] user-interface vty 0 4
[SSH Server2-ui-vty0-4] authentication-mode aaa
[SSH Server2-ui-vty0-4] protocol inbound ssh
[SSH Server2-ui-vty0-4] user privilege level 5
[SSH Server2-ui-vty0-4] quit
[SSH Server2] ssh user user2 authentication-type rsa
# Generate a local key pair for the STelnet client.

[HUAWEI] sysname client
[client] rsa local-key-pair create
The key name will be: client_Host
Generating keys...
......................++++++++
........................................................++++++++
........+++++++++
.....+++++++++
# Check the public key in the RSA key pair generated on the STelnet client.
[client] display rsa local-key-pair public
=====================================================
Time of Key pair created: 17:53:29

2012/8/7
Key name:
client002_Host
Key type: RSA encryption

Key
=====================================================
Key
code:
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
171896FB 1FFC38CD
0203

010001
Host public key for PEM format

code:
---- BEGIN SSH2 PUBLIC KEY

----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQDOA7vPdHr
+mR9lCZXI8loF3ws7eewGCPcB
r2tt9HlGdXKY5waGdDwgJMtvI+5B7/9bZb
+tADLHiubqAVLwDpf5
---- END SSH2 PUBLIC KEY

----
Public key code for pasting into OpenSSH authorized_keys

file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQDOA7vPdHr+mR9lCZXI8loF3ws7eewGCPcBr2tt9HlG
dXKY5waGdDwgJMtvI+5B7/9bZb+tADLHiubqAVLwDpf5 rsa-key
=====================================================
Time of Key pair created: 17:53:36

2012/8/7
Key name:
client002_Server
Key type: RSA encryption

Key
=====================================================
Key
code:
3067
0260
D1792921 5DFF9F87 EB606267 227BD303

379EF5F9
E987B7BC A408A692 14E71149 FC32F8FB
A790684E
0441DFB0 1C3125D8 4E097F47 76E57B18
65CF46FC
914DBF53 43F5AAA3 BAB1A6D9 5C0EBA4F
16DC4A36
D54EE51E C91E08E4 93127550
874EA1BB
0203
010001
# Configure the RSA public key generated on the STelnet client to SSH Server2.

[SSH Server2] rsa peer-public-key rsakey001

[SSH Server2-rsa-public-key] public-key-code begin
[SSH Server2-rsa-key-code] 308188
[SSH Server2-rsa-key-code] B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB
[SSH Server2-rsa-key-code] A443130F 7CDB95D8 4A4AE2F3 D94A73D7 36FDFD5F
[SSH Server2-rsa-key-code] 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B
[SSH Server2-rsa-key-code] 40A35DE6 2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5
[SSH Server2-rsa-key-code] 1987178B 8C364D57 DD0AA24A A0C2F87F 474C7931
[SSH Server2-rsa-key-code] A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2
[SSH Server2-rsa-key-code] 171896FB 1FFC38CD
[SSH Server2-rsa-key-code] public-key-code end
[SSH Server2-rsa-public-key] peer-public-key end
# Bind the RSA public key of the STelnet client to the SSH user user2 on SSH Server2.
[SSH Server2] ssh user user2 assign rsa-key rsakey001
Step 5 Enable the STelnet service on SSH Server2.

[SSH Server2] stelnet server enable
Step 6 Configure the STelnet service type for the SSH user on SSH Server2.
[SSH Server2] ssh user user2 service-type stelnet
Step 7 Enable the first authentication function on SSH Client.

[client] ssh client first-time enable
Step 8 Log in to the SSH server on the private network through STelnet from SSH Client on the public
network.
# Use the password authentication mode to connect the STelnet client to SSH Server1 in VPN1.
[client] stelnet 10.1.1.1 -vpn-instance vpn1
Please input the username:user1
Trying 10.1.1.1 ...
The server is not authenticated. Continue to access it?(Y/N):y
Save the server's public key?(Y/N):y
Enter password:
Info: The max number of VTY users is 20, and the
number
of current VTY users on line is
8.
<SSH Server1>
# Use the RSA authentication mode to connect the STelnet client to SSH Server2 in VPN2.
[client] stelnet 10.1.2.2 -vpn-instance vpn2
Please input the username: user2
Trying 10.1.1.2 ...


number
8.
<SSH Server2>
# Check the SSH Server1 connections.

[SSH Server1] display ssh server session
Session 1:
Conn : VTY 0
Version : 2.0
State : started
Username : user1
Retry : 1
Public Key : rsa
# Check the SSH Server2 connections.

[SSH Server2] display ssh server session
Session 1:
Conn : VTY 0
Version : 2.0
State : started
Username : user2
Retry : 1
Public Key : rsa
----End
Configuration Files
l SSH Server1 configuration file
#
sysname SSH Server1
#
ssh user user1
ssh user user1 authentication-type password
ssh user user1 service-type stelnet
#
aaa
local-user user1 password %$%$bn[j7'Fn>3x[kk-R+jx%f*!u%$%$
local-user user1 privilege level 3
local-user user1 service-type ssh

#
#
return
l SSH Server2 configuration file

#
sysname SSH Server2
#
308188
028180
B21315DD 859AD7E4 A6D0D9B8 121F23F0 006BB1BB A443130F 7CDB95D8 4A4AE2F3
D94A73D7 36FDFD5F 411B8B73 3CDD494A 236F35AB 9BBFE19A 7336150B 40A35DE6
2C6A82D7 5C5F2C36 67FBC275 2DF7E4C5 1987178B 8C364D57 DD0AA24A A0C2F87F
474C7931 A9F7E8FE E0D5A1B5 092F7112 660BD153 7FB7D5B2 171896FB 1FFC38CD
0203
010001
public-key-code end
peer-public-key end
#
ssh user user2
ssh user user2 assign rsa-key rsakey001
ssh user user2 authentication-type rsa
ssh user user2 service-type stelnet
#
#
return
l SSH Client configuration file

#
sysname client
#
#
return
1.3.9 Example for Configuring RADIUS Authentication for SSH

Users
If a RADIUS user connects to the SSH server, the SSH server sends the user name and password
of the SSH client to the RADIUS server (compatible with the TACACS server for SSH
authentication).
The RADIUS server authenticates the user and sends the authentication result (containing the
user level if the authentication is successful) to the SSH server. The SSH server determines
whether to establish a connection with the SSH client according to the authentication result.
As shown in Figure 1-22, the routes between SSH Client and SSH Server and between SSH
Server and Radius Server are reachable.

Figure 1-22 Networking diagram of configuring RADIUS authentication for SSH users
10.1.1.1/24 10.1.2.2/24 10.1.3.3/24 10.1.4.4/24

Network Network Radius Server
SSH Client SSH Server
2. Create an SSH user.
3. Configure the AAA scheme and RADIUS template to prepare for RADIUS authentication.
4. Configure a domain to authenticate login users and manage rights.
5. Log in to the SSH server through STelnet.
Procedure
Step 1 Generate a local key pair on the SSH server.
[HUAWEI] rsa local-key-pair create
The key name will be: HUAWEI_Host
Generating keys...
......................++++++++
........................................................++++++++
........+++++++++
.....+++++++++
Step 2 Create an SSH user.
Create a user named ssh1@ssh.com on the RADIUS server. Specify the NAS IP address to
10.1.2.2 and the key to huawei. The NAS IP address is the IP address of the SSH server connected
to the RADIUS server.
# Configure the VTY user interface on the SSH server.

[HUAWEI-ui-vty0-4] authentication-mode aaa
[HUAWEI-ui-vty0-4] protocol inbound ssh
[HUAWEI-ui-vty0-4] user privilege level 5
# Create an SSH user named ssh1@ssh.com on the SSH server and specify the authentication
mode.
[HUAWEI] ssh user ssh1@ssh.com authentication-type password
[HUAWEI] ssh user ssh1@ssh.com service-type stelnet

Step 3 Configure the AAA scheme and RADIUS template.
# Configure an authentication scheme newscheme and the RADIUS authentication mode.

[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme newscheme
[HUAWEI-aaa-authen-newscheme] authentication-mode radius
[HUAWEI-aaa-authen-newscheme] quit
# Configure a RADIUS server template ssh on the SSH server.

[HUAWEI] radius-server template ssh
# Set the IP address 10.1.4.4 and port 1812 for the RADIUS server.
[HUAWEI-radius-ssh] radius-server authentication 10.1.4.4 1812
# Set the RADIUS server key to huawei.

[HUAWEI-radius-ssh] radius-server shared-key cipher huawei
[HUAWEI-radius-ssh] quit
Step 4 Configure a domain.
# Set the RADIUS domain name to ssh.com and apply the authentication scheme newscheme
and RADIUS server template ssh to the RADIUS domain.
[HUAWEI] aaa
[HUAWEI-aaa] domain ssh.com
[HUAWEI-aaa-domain-ssh.com] authentication-scheme newscheme
[HUAWEI-aaa-domain-ssh.com] radius-server ssh
[HUAWEI-aaa-domain-ssh.com] quit
[HUAWEI-aaa] quit
Step 5 Connect the SSH client and the SSH server.
# Enable the STelnet service on the SSH server.

[HUAWEI] stelnet server enable
# Enable the first authentication function on the SSH client upon the first login.
[HUAWEI] sysname client
[client] ssh client first-time enable
# Log in to the SSH server from the STelnet client in RADIUS authentication mode.
[client] stelnet 10.1.2.2
Please input the username:ssh1@ssh.com
Trying 10.1.2.2 ...
Enter password:
number
8.
<HUAWEI>

Run the display radius-server configuration and display ssh server session commands on the
SSH server to check the RADIUS server configuration. The command output shows that the
SSH client has successfully connected to the SSH server.
# Check the RADIUS server configuration.

<HUAWEI> display radius-server configuration
------------------------------------------------------------------------------
Server-template-name : ssh
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : %$%$]*6iWr7EVM|uc:"B/A=FF}tk%$%
$
Timeout-interval(in second) : 5
Primary-authentication-server : 10.1.4.4 :
1812 :-
LoopBack:NULL Source-IP:0.0.0.0
Primary-accounting-server : 0.0.0.0 :0 :-
Secondary-authentication-server : 0.0.0.0 :0 :-
Secondary-accounting-server : 0.0.0.0 :0 :-
Retransmission : 3
EndPacketSendTime : 0
Dead time(in minute) : 5
Domain-included : YES
NAS-IP-Address : 10.1.2.2
NAS-IPv6-Address : ::
Calling-station-id MAC-format : xxxx-xxxx-xxxx
------------------------------------------------------------------------------
Total of radius template :1
# Check the SSH server connections.

[HUAWEI] display ssh server session
Session 1:
Conn : VTY 0
Version : 2.0
State : started
Username : ssh1@ssh.com
Retry : 1
Public Key : rsa
----End
Configuration Files
SSH server configuration file
#
radius-server template ssh
radius-server shared-key cipher %$%$]*6iWr7EVM|uc:"B/A=FF}tk%$%$
radius-server authentication 10.1.4.4 1812

#
aaa
authentication-scheme newscheme
authentication-mode radius
domain ssh.com
authentication-scheme newscheme
radius-server ssh
#
ssh user ssh1@ssh.com authentication-type password
ssh user ssh1@ssh.com service-type stelnet
#
#
return
1.4 File Management

All files on the device are stored in storage devices and can be managed in multiple modes. The
current device can function as a client to access files on other devices.
1.4.1 Example of Logging In to the Device to Manage Files
Configuration Requirements
After logging in to the device through the console interface, Telnet, or STelnet, perform the
following operations:
l View files and subdirectories in the current directory.

l Create the test directory, copy the vrpcfg.zip file to test, and rename vrpcfg.zip as
backup.zip.
l View files in the test directory.
Procedure
Step 1 View files and subdirectories in the current directory.
<HUAWEI> dir

0 -rw- 889 Mar 01 2012 14:41:56 private-data.txt
1 -rw- 6,311 Feb 17 2012 14:05:04 backup.cfg
2 -rw- 2,393 Mar 06 2012 17:20:10 vrpcfg.zip
3 -rw- 812 Dec 12 2011 15:43:10 hostkey
4 drw- - Mar 01 2012 14:41:46 compatible
5 -rw- 540 Dec 12 2011 15:43:12 serverkey
...
Step 2 Create the test directory, copy the vrpcfg.zip file to test, and rename vrpcfg.zip as
backup.zip.
# Create the test directory.

<HUAWEI> mkdir test

Info: Create directory flash:/test......Done.
# Copy the vrpcfg.zip file to test and rename vrpcfg.zip as backup.zip.

<HUAWEI> copy vrpcfg.zip flash:/test/backup.zip
Copy flash:/vrpcfg.zip to flash:/test/backup.zip?[Y/N]:y
100% complete.
Info: Copied file flash:/vrpcfg.zip to flash:/test/backup.zip...Done.
NOTE
If no destination file name is specified, the destination file is set to the source file name by default.
Step 3 View files in the test directory.
# Access the test directory.

<HUAWEI> cd test
# View the current working directory.

<HUAWEI> pwd
flash:/test
# View files in the test directory.

<HUAWEI> dir
Directory of flash:/test/

0 -rw- 2,399 Mar 12 2012 11:16:44 backup.zip
----End
Configuration File
None
1.4.2 Example for Managing Files When the Device Functions as an

FTP Server
As shown in Figure 1-23, routes between the PC and the device functioning as an FTP server
are reachable. 10.136.23.5 is the management IP address on the FTP server. To upgrade the
device, you must upload the system software devicesoft.cc to and download the configuration
file vrpcfg.zip from the FTP server.
Figure 1-23 Network for managing files when the device functions as an FTP server
10.136.23.5/24
Network
PC FTP Server

1. Configure the FTP function and FTP user information including user name, password, user
level, service type, and authorized directory on the FTP server.
2. Save the vrpcfg.zip file on the FTP server.
3. Connect to the FTP server on the PC.
4. Upload devicesoft.cc to and download vrpcfg.zip from the FTP server.
Procedure
Step 1 Configure the FTP function and FTP user information on the FTP server.
[HUAWEI] ftp server enable
[HUAWEI] aaa
[HUAWEI-aaa] local-user admin1234 password cipher Helloworld@6789
[HUAWEI-aaa] local-user admin1234 privilege level 15
[HUAWEI-aaa] local-user admin1234 service-type ftp
[HUAWEI-aaa] local-user admin1234 ftp-directory flash:
[HUAWEI-aaa] quit
Step 2 Save the vrpcfg.zip file on the FTP server.

<HUAWEI> save
Step 3 Connect to the FTP server on the PC as the admin1234 user whose password is
Helloworld@6789.
Assume that the PC runs the Window XP operating system.

C:\Documents and Settings\Administrator> ftp 10.136.23.5
Connected to 10.136.23.5.
220 FTP service ready.
User (10.136.23.5:(none)): admin1234
331 Password required for admin1234.
Password:
230 User logged in.
ftp> binary
200 Type set to I.
ftp>
Step 4 Upload devicesoft.cc to and download vrpcfg.zip from the FTP server.
# Upload the devicesoft.cc file to the FTP server.

ftp> put devicesoft.cc
200 Port command okay.
150 Opening BINARY mode data connection for devicesoft.cc
226 Transfer complete.
ftp: 23876556 bytes sent in 25.35Seconds 560.79Kbytes/sec.
# Download the vrpcfg.zip file.

ftp> get vrpcfg.zip
200 Port command okay.
150 Opening BINARY mode data connection for vrpcfg.zip.
226 Transfer complete.
ftp: 1257 bytes received in 0.03Seconds 40.55Kbytes/sec.

NOTE
The devicesoft.cc file to upload and the vrpcfg.zip file to download are stored in the local directory on the
FTP client. Before uploading and downloading files, obtain the local directory on the client. The default
FTP user's local directory on the Windows XP operating system is C:\Documents and Settings
\Administrator.

# Run the dir command on the FTP server to check the devicesoft.cc file.
<HUAWEI> dir

0 -rw- 14 Mar 13 2012 14:13:38 back_time_a
1 drw- - Mar 11 2012 00:58:54 logfile
2 -rw- 4 Nov 17 2011 09:33:58 snmpnotilog.txt
3 -rw- 11,238 Mar 12 2012 21:15:56 private-data.txt
4 -rw- 1,257 Mar 12 2012 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2012 14:13:38 back_time_b
6 -rw- 23,876,556 Mar 13 2012 14:24:24 devicesoft.cc
7 drw- - Oct 31 2011 10:20:28 sysdrv
8 drw- - Feb 21 2012 17:16:36 compatible
9 drw- - Feb 09 2012 14:20:10 selftest
10 -rw- 19,174 Feb 20 2012 18:55:32 backup.cfg
11 -rw- 23,496 Dec 15 2011 20:59:36 20111215.zip
12 -rw- 588 Nov 04 2011 13:54:04 servercert.der
13 -rw- 320 Nov 04 2011 13:54:26 serverkey.der
14 drw- - Nov 04 2011 13:58:36 security
...
# Access the FTP user's local directory on the PC and check the vrpcfg.zip file.
----End
Configuration File
#
sysname HUAWEI
#
FTP server enable
#
aaa
ywBaSmj:\@.d>,%@%@

local-user admin1234 ftp-directory flash:/
local-user admin1234 service-type ftp
#
interface MEth0/0/1
ip address 10.136.23.5 255.255.255.0
#
return
1.4.3 Example for Managing Files Using SFTP When the Device
Functions as an SSH Server
As shown in Figure 1-24, routes between the PC and the device functioning as an SSH server
are reachable. 10.136.23.4 is the management IP address on the SSH server. Configure the device

as an SSH server so that the server can authenticate the client and encrypt data in bidirectional
mode, preventing man-in-middle attacks and MAC/IP address spoofing to ensure secure file
transfer.
Figure 1-24 Network for managing files using SFTP when the device functions as an SSH server
10.136.23.4/24
Network
PC SSH Server
1. Generate a local key pair and enable the SFTP server function on the SSH server so that
the server and client can securely exchange data.
2. Configure the VTY user interface on the SSH server.
3. Configure SSH user information including the authentication mode, service type,
authorized directory, user name, and password.
4. Connect to the SSH server using the third-party software OpenSSH on the PC.
Procedure
Generating keys...
...........++++++++++++
..................++++++++++++
...++++++++
...........++++++++
[SSH Server] sftp server enable
Step 2 Configure the VTY user interface on the SSH server.

Step 3 Configure SSH user information including the authentication mode, service type, authorized
directory, user name, and password.
[SSH Server] ssh user client001 service-type sftp
[SSH Server] ssh user client001 sftp-directory flash:
[SSH Server] aaa


Step 4 Connect to the SSH server using the third-party software OpenSSH on the PC.
The Windows CLI can identify OpenSSH commands only when the OpenSSH is installed on
the PC.
Figure 1-25 Connecting to the SSH server
After connecting to the SSH server, the SFTP view is displayed. Users can run SFTP commands
to perform file-related operations in the SFTP view.
----End
Configuration File
#
sysname SSH Server
#
aaa
ywBaSmj:\@.d>,%@%@
#
sftp server enable
ssh user client001
ssh user client001 service-type sftp
ssh user client001 sftp-directory flash:
#
protocol inbound all
#
return

FTPS Server

As shown in Figure 1-26, routes between the PC and the device functioning as an FTPS server
are reachable. 10.137.217.201 is the management IP address on the FTPS server.
The FTP server function does not provide security mechanisms. Data are transmitted in plain
text, which cannot prevent man-in-middle attacks and MAC/IP address spoofing. To overcome
this limitation, configure the SSL policy, data encryption, user identity authentication, and
message integrity check mechanisms on the FTPS server to ensure secure file transfer. SSL
ensures secure connection based on the FTP server function.
Figure 1-26 Network for managing files when the device functions as an FTPS server
10.137.217.201/24
Network
PC FTPS Server
1. Configure the FTP server function on the device and upload the digital certificate to the
root directory on the device.
2. On the device, copy the digital certificate to the security directory, configure the SSL
policy, and load the digital certificate so that the client can authenticate the server.
3. Enable the FTPS server function and configure the local FTP user.
4. Connect to the FTPS server using a third-party software.
Procedure
Step 1 Configure the FTP server function on the server and upload the digital certificate to the server.
# Enable the FTP server function and configure FTP user information.
[HUAWEI] sysname FTPS-Server
[FTPS-Server] ftp server enable
[FTPS-Server] aaa
[FTPS-Server-aaa] local-user admin password cipher huawei@123
[FTPS-Server-aaa] local-user admin service-type ftp
[FTPS-Server-aaa] local-user admin privilege level 3
[FTPS-Server-aaa] local-user admin ftp-directory flash:
[FTPS-Server-aaa] quit
[FTPS-Server] quit
# Access the Windows CLI and run the ftp FTP server IP address command to connect to the
FTP server. Enter the correct user name and password to connect to the FTP server. Upload the
digital certificate and private key to the FTP server.
Run the dir command on the FTP server to check the digital certificate and private key.
<FTPS-Server> dir


0 drw- - May 10 2011 05:05:40 src
1 -rw- 524,575 May 10 2011 05:05:53 private-data.txt
2 -rw- 446 May 10 2011 05:05:51 vrpcfg.zip
3 -rw- 1,302 May 10 2011 05:32:05 servercert.der
4 -rw- 951 May 10 2011 05:32:44 serverkey.der
...
Step 2 Configure the SSL policy and load the digital certificate.
# Create the security directory and copy the digital certificate to the security directory.
<FTPS-Server> mkdir security/
<FTPS-Server> move servercert.der security/
<FTPS-Server> move serverkey.der security/
Run the dir command in the security directory to check the digital certificate and private key.
<FTPS-Server> cd security/
<FTPS-Server> dir

0 -rw- 1,302 May 10 2011 05:44:34 servercert.der
1 -rw- 951 May 10 2011 05:45:22 serverkey.der
# Configure the SSL policy and load the digital certificate in the ASN1 format.
<FTPS-Server> system-view
[FTPS-Server] ssl policy ftp_server
[FTPS-Server-ssl-policy-ftp_server] certificate load asn1-cert servercert.der key-
pair rsa key-file serverkey.der
[FTPS-Server-ssl-policy-ftp_server] quit
Step 3 Enable the FTPS server function and configure the local FTP user.
# Enable the FTPS server function.
NOTE
Disable the FTP server function before enabling the FTPS server function.
[FTPS-Server] undo ftp server
[FTPS-Server] ftp secure-server ssl-policy ftp_server
[FTPS-Server] ftp secure-server enable
# Configure the local FTP user.
Use the admin user configured in the preceding step.
Step 4 Connect to the FTPS server using a third-party software.

For details, see the appropriate third-party documentation.
Step 5 Verify the configurations.
# Run the display ssl policy command on the FTPS server to view detailed certificate
information.
[FTPS-Server] display ssl policy
SSL Policy Name: ftp_server
Policy Applicants:
Key-pair Type: RSA
Certificate File Type: ASN1
Certificate Filename: servercert.der
Key-file Filename: serverkey.der

Auth-code:
MAC:
CRL File:
Trusted-CA File:
# Run the display ftp-server command on the FTPS server to view the SSL policy name and
the FTPS server status.
[FTPS-Server] display ftp-server
FTP server is stopped
Max user number 5
User count 1
Timeout value(in minute) 30
Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy ftp_server
FTP Secure-server is running
The FTP server supporting SSL can securely connect to the FTPS server, upload files, and
download files.
----End
Configuration File on the FTPS Server

#
sysname FTPS-Server
#
FTP secure-server enable
ftp secure-server ssl-policy ftp_server
#
aaa
\@.d>,%@%@
local-user admin ftp-directory flash:
local-user admin service-type ftp
#
ssl policy ftp_server
certificate load asn1-cert servercert.der key-pair rsa key-file serverkey.der
#
return
1.4.5 Example for Managing Files When the Device Functions as a

TFTP Client
As shown in Figure 1-27, the remote device at 10.1.1.1/24 functions as the TFTP server. The
device at 10.2.1.1/24 functions as the TFTP client. Routes between the device and the server are
reachable.
The device needs to be upgraded. To upgrade the device, you must download system software
devicesoft.cc from and upload the configuration file vrpcfg.zip to the TFTP server.

Figure 1-27 Network for managing files when the device functions as a TFTP client
10.2.1.1/24 10.1.1.1/24
Network
TFTP Client TFTP Server
1. Run the TFTP software on the TFTP server and configure the working directory.
2. Run TFTP commands to download devicesoft.cc from and upload vrpcfg.zip to the TFTP
server.
Procedure
Step 1 Run the TFTP software on the TFTP server and configure the working directory. (For details,
see the appropriate third-party documentation.)
Step 2 Run TFTP commands to download devicesoft.cc from and upload vrpcfg.zip to the TFTP
server.
<HUAWEI> tftp 10.1.1.1 get devicesoft.cc
Info: Transfer file in binary mode.
Downloading the file from the remote TFTP server. Please wait...\
TFTP: Downloading the file successfully.
23876556 bytes received in 199 seconds.
<HUAWEI> tftp 10.1.1.1 put vrpcfg.zip
Info: Transfer file in binary mode.
Uploading the file to the remote TFTP server. Please wait...|
TFTP: Uploading the file successfully.
7717 bytes send in 1 second.

# Run the dir command on the TFTP client to check the devicesoft.cc file.
<HUAWEI> dir

0 -rw- 14 Mar 13 2012 14:13:38 back_time_a
1 drw- - Mar 11 2012 00:58:54 logfile
4 -rw- 7,717 Mar 12 2012 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2012 14:13:38 back_time_b
7 drw- - Oct 31 2011 10:20:28 sysdrv
9 drw- - Feb 09 2012 14:20:10 selftest
10 -rw- 19,174 Feb 20 2012 18:55:32 backup.cfg
11 -rw- 43,496 Dec 15 2011 20:59:36 20111215.zip
14 drw- - Nov 04 2011 13:58:36 security
...

# Access the working directory on the TFTP server and check the vrpcfg.zip file.
----End
Configuration File
None

FTP Client
As shown in Figure 1-28, the remote device at 10.1.1.1/24 functions as the FTP server. The
device at 10.2.1.1/24 functions as the FTP client. Routes between the device and the server are
reachable.
The device needs to be upgraded. To upgrade the device, you must download system software
devicesoft.cc from and upload the configuration file vrpcfg.zip to the FTP server.
Figure 1-28 Network for managing files when the device functions as an FTP client
10.2.1.1/24 10.1.1.1/24
Network
FTP Client FTP Server
1. Run the FTP software on the FTP server and configure FTP user information.
2. Connect to the FTP server.
3. Run FTP commands to download devicesoft.cc from and upload vrpcfg.zip to the FTP
server.
Procedure
Step 1 Run the FTP software on the FTP server and configure FTP user information. (For details, see
the appropriate third-party documentation.)
Step 2 Connect to the FTP server.

<HUAWEI> ftp 10.1.1.1
Trying 10.1.1.1 ...


User(10.1.1.1:(none)):admin
331 Password required for admin.
Enter password:
230 User logged in.
[ftp]
Step 3 Run FTP commands to download devicesoft.cc from and upload vrpcfg.zip to the FTP server.
[ftp] binary
[ftp] get devicesoft.cc
[ftp] put vrpcfg.zip
[ftp] quit

# Run the dir command on the FTP client to check the devicesoft.cc file.
<HUAWEI> dir

0 -rw- 14 Mar 13 2012 14:13:38 back_time_a
1 drw- - Mar 11 2012 00:58:54 logfile
4 -rw- 7,717 Mar 12 2012 21:15:54 vrpcfg.zip
5 -rw- 14 Mar 13 2012 14:13:38 back_time_b
7 drw- - Oct 31 2011 10:20:28 sysdrv
9 drw- - Feb 09 2012 14:20:10 selftest
10 -rw- 19,174 Feb 20 2012 18:55:32 backup.cfg
11 -rw- 43,496 Dec 15 2011 20:59:36 20111215.zip
14 drw- - Nov 04 2011 13:58:36 security
...
# Access the working directory on the FTP server and check the vrpcfg.zip file.
----End
Configuration File
None

SFTP Client
SSH secures file transfer on a traditional insecure network by authenticating the client and
encrypting data in bidirectional mode. The client uses SFTP to securely connect to the SSH
server and transfer files.
As shown in Figure 1-29, routes between the SSH server and clients client001 and client002
are reachable. In this example, Huawei device functions as an SSH server.
Client001 connects to the SSH server using the password authentication mode, and client002
using the RSA authentication mode.

Figure 1-29 Example for managing files when the device functions as an SFTP client
10.2.1.1/24
client001 10.1.1.1/24
Network
SSH Server
10.3.1.1/24
client002
1. Generate a local key pair and enable the SFTP server function on the SSH server so that
the server and client can securely exchange data.
2. Create users client001 and client002 and set their authentication modes on the SSH server.
3. Generate a local key pair on client002 and configure the RSA public key of client002 on
the SSH server so that the server can authenticate the client when the client connects to the
server.
4. Log in to the SSH server as users client001 and client002 using SFTP and manage files.
Procedure
Step 1 Generate a local key pair and enable the SFTP server function on the SSH server.
Generating keys...
...........++++++++++++
..................++++++++++++
...++++++++
...........++++++++
[SSH Server] sftp server enable
Step 2 Create SSH users on the SSH server.

# Create the client001 user and set the authentication mode to password for the user.
[SSH Server] aaa


# Create an SSH user named client002 and set the authentication mode to rsa for the user.
Step 3 Generate a local key pair on client002 and configure the RSA public key of client002 on the
SSH server.
# Generate a local key pair on client002.

[client002] rsa local-key-pair create
The key name will be: client002_Host
Generating keys...
...........++++++++++++
..................++++++++++++
...++++++++
...........++++++++
# Check the RSA public key of the client.

[client002] display rsa local-key-pair public
=====================================================
Time of Key pair created: 2012-05-03 17:07:45
Key name: client002_Host
=====================================================
Key code:
3048
0241
009C6217 C9B04540 656E55A8 9D8BC81A 89D46DA8
436065F4 6087345D 7294CFA7 DFE19D71 8E7EE0E3
F5B5CBE1 E1D97852 B98561C9 626A27E3 9A73348B
622E9797 D8A43EB0 EC3394E2 FB33EC51 748E79E7
D1D5F4AE B6F5891C 739FB235 76E51B1C 69
0203
010001
Host public key for PEM format code:
---- BEGIN SSH2 PUBLIC KEY ----
AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7
yP3y98tnTlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b
---- END SSH2 PUBLIC KEY ----
Public key code for pasting into OpenSSH authorized_keys file :
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAQQC/815LxhvXhvkHtd59Z3DD5f0XqyA8j8u7yP3y98tn
TlGehBkPa5eo6pH8S7nhiDZedL/VTGh3Z6ica0Mdfj4b rsa-key
=====================================================
Time of Key pair created: 2012-05-03 17:07:45
Key name: client002_Server
=====================================================
Key code:
3067

0260
BCFAC085 49A2E70E 1284F901 937D7B63 D7A077AB
D2797280 4BCA86C0 4CD18B70 5DFAC9D3 9A3F3E74
9B2AF4CB 69FA6483 E87DA590 7B47721A 16391E27
1C76ABAB 743C568B 1B35EC7A 8572A096 BCA9DF0E
BC89D3DB 5A83698C 9063DB39 A279DD89
0203
010001
# Configure the RSA public key of client002 on the SSH server. (Information in bold in the
display command output is the RSA public key of client002. Copy the information to the server.)
[SSH Server-rsa-key-code] 009C6217 C9B04540 656E55A8 9D8BC81A 89D46DA8
[SSH Server-rsa-key-code] 436065F4 6087345D 7294CFA7 DFE19D71 8E7EE0E3
[SSH Server-rsa-key-code] F5B5CBE1 E1D97852 B98561C9 626A27E3 9A73348B
[SSH Server-rsa-key-code] 622E9797 D8A43EB0 EC3394E2 FB33EC51 748E79E7
[SSH Server-rsa-key-code] D1D5F4AE B6F5891C 739FB235 76E51B1C 69
# Bind the client002 user to the RSA public key of client002.

Step 4 Connect SFTP clients to the SSH server.
# If the clients connect to the SSH server for the first time, enable the initial authentication
function on the clients.
Enable the initial authentication function on client001.

Enable the initial authentication function on client002.

# Log in to the SSH server from client001 in password authentication mode.

<client001> system-view
[client001] sftp 10.1.1.1
Trying 10.1.1.1 ...
The server's public key will be saved with the name 10.1.1.1. Please wait.
..
Enter password:
sftp-client>
# Log in to the SSH server from client002 in RSA authentication mode.

<client002> system-view
[client002] sftp 10.1.1.1

Trying 10.1.1.1 ...

The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
..
sftp-client>
Run the display ssh server status and display ssh server session commands. You can see that
the SFTP service has been enabled, and the SFTP clients have connected to the server
successfully. Run the display ssh user-information command. Information about the
configured SSH users is displayed.
# Check the SSH server status.

[SSH Server] display ssh server status
SSH version :1.99
SSH connection timeout :60 seconds
SSH server key generating interval :0 hours
SSH authentication retries :3 times
SFTP server :Enable
Stelnet server :Disable
Scp server :Disable
SSH server source :0.0.0.0
# Check the SSH session status.

[SSH Server] display ssh server session
Session 1:
Conn : VTY 1
Version : 2.0
State : started
Retry : 1
Public Key : rsa
Service Type : sftp
Session 2:
Conn : VTY 2
Version : 2.0
State : started
Retry : 1
Public Key : rsa
Service Type : sftp
# Check information about SSH users.

[SSH Server] display ssh user-information

User 1:
Authentication-type : password
User-public-key-name : -
User-public-key-type : -
Sftp-directory : flash:
Service-type : sftp
User 2:
Authentication-type : rsa
User-public-key-name : rsakey001
User-public-key-type : rsa
Sftp-directory : flash:
Service-type : sftp
----End
Configuration Files
l Configure file on the SSH server
#
sysname SSH Server
#
3048
0241
DD9A793D 4B231FDB 7BEF8545 0B466FB5 1A1EA9CE F345E468 56948790 18244678
D2264734 AA8135BE 7F8FA0BC 2A4F600E C8622818 A994698F 0F45E870 8EC551DA
EC77948C AE191111 316F5604 F45F3301 F1F92C38 84484F3F D97B3F01 1FC2C9CE
1367AE88 3DC1B47A BDE05F28 DC400CEE B773C580 13313DB0 33D297E9 538FC459
4B
0203
010001
public-key-code end
peer-public-key end
#
aaa
ywBaSmj:\@.d>,%@%@
#
sftp server enable
ssh user client001
ssh user client002
#
#
return
l Configuration file on client001

#
sysname client001
#
#
return
l Configuration file on client002

#
sysname client002
#
#
return

FTPS Client
The FTP server function does not provide security mechanisms. Data are transmitted in plain
text, which cannot prevent man-in-middle attacks and MAC/IP address spoofing. To overcome
this limitation, configure the SSL policy, data encryption, user identity authentication, and
message integrity check mechanisms on the FTPS server to ensure secure file transfer. SSL
ensures secure connection based on the FTP server function.
As shown in Figure 1-30, routes between the device functioning as the FTPS client and the
FTPS server are reachable. The FTPS client can securely connect to the FTPS server and manage
files.
l On the FTPS client, configure the SSL policy and load the CA certificate to check the
owner's identity.
l On the FTPS server, configure the SSL policy, load the digital certificate to check the
owner's identity, and enable the FTPS server function.
Obtain required certificates for the FTPS client and server from the CA. In this example, Huawei
device functions as the FTPS server.
Figure 1-30 Network for managing files when the device functions as an FTPS client
10.2.1.1/24 10.1.1.1/24
Network
PC FTPS Client FTPS Server
1. Upload the certificates.

l Upload the digital certificate and private key to the root directory on the FTPS server.
l Upload the CA certificate to the root directory on the FTPS client.
2. Load the certificates and configure SSL policies.
l On the FTPS server, copy the digital certificate to the security directory, configure the
SSL policy, and load the digital certificate.
l On the FTPS client, copy the CA certificate to the security directory, configure the SSL
policy, and load the digital certificate.
3. Enable the FTPS server function and configure the local FTP user.
4. Run the FTP command to connect to the FTPS server and remotely manage files.
Procedure
Step 1 Upload the certificates.
l Configure the FTP function on the client and server and upload the certificates to the client
and server. For details, see Managing Files When the Device Functions as an FTP Server.
# Run the dir command on the FTPS server to check the digital certificate and private key.
[HUAWEI] sysname FTPS-Server
[FTPS-Server] quit
<FTPS-Server> dir

0 drw- - May 10 2011 05:05:40 src
2 -rw- 446 May 10 2011 05:05:51 vrpcfg.zip
3 -rw- 1,302 Mar 13 2012 18:23:28 servercert.der
4 -rw- 951 Mar 13 2012 18:30:20 serverkey.der
...
# Run the dir command on the client to check the CA certificate.

[HUAWEI] sysname FTPS-Client
[FTPS-Client] quit
<FTPS-Client> dir

1 -rw- 1,237 Mar 14 2012 07:46:24 cacert.der
2 -rw- 1,241 Mar 14 2012 07:46:20 rootcert.der
3 drw- - Apr 09 2011 19:46:14 src
4 -rw- 421 Apr 09 2011 19:46:14 vrpcfg.zip
5 -rw- 1,308,478 Apr 14 2011 19:22:45 web.zip
6 drw- - Apr 10 2011 01:35:54 logfile
8 drw- - Apr 13 2011 11:37:40 lam
...
Step 2 Configure the SSL policy and load the certificates.

l Perform the following operations on the FTPS server.
# Create the security directory and move the digital certificate to the security directory.

<FTPS-Server> mkdir security/

<FTPS-Server> move servercert.der security/
<FTPS-Server> move serverkey.der security/
# Run the dir command in the security directory to check the digital certificate and private
key.
<FTPS-Server> cd security/
<FTPS-Server> dir

0 -rw- 1,302 Mar 13 2012 18:23:28 servercert.der
1 -rw- 951 Mar 13 2012 18:30:20 serverkey.der
# Configure the SSL policy and load the digital certificate in the ASN1 format.
<FTPS-Server> system-view
[FTPS-Server] ssl policy ftp_server
[FTPS-Server-ssl-policy-ftp_server] certificate load asn1-cert servercert.der
key-pair rsa key-file serverkey.der
[FTPS-Server-ssl-policy-ftp_server] quit
# Run the display ssl policy command on the FTPS server to view detailed certificate
information.
[FTPS-Server] display ssl policy
SSL Policy Name: ftp_server
Policy Applicants:
Key-pair Type: RSA
Certificate File Type: ASN1
Certificate Filename: servercert.der
Key-file Filename: serverkey.der
Auth-code:
MAC:
CRL File:
Trusted-CA File:
l Perform the following operations on the FTPS client:

# Create the security directory and move the CA certificate to the security directory.
<FTPS-Client> mkdir security/
<FTPS-Client> move cacert.der security/
<FTPS-Client> move rootcert.der security/
# When the CA certificate is copied to the security directory, run the dir command in the
security directory to check the CA certificate.
<FTPS-Client> cd security/
<FTPS-Client> dir

0 -rw- 1,237 Mar 14 2012 07:46:24 cacert.der
1 -rw- 1,241 Mar 14 2012 07:46:20 rootcert.der
# Configure the SSL policy and load the CA certificate.

<FTPS-Client> system-view
[FTPS-Client] ssl policy ftp_client
[FTPS-Client-ssl-policy-ftp_client] trusted-ca load asn1-ca cacert.der
[FTPS-Client-ssl-policy-ftp_client] trusted-ca load asn1-ca rootcert.der
[FTPS-Client-ssl-policy-ftp_client] quit
# Run the display ssl policy command on the FTPS client to view detailed certificate
information.

[FTPS-Client] display ssl policy

SSL Policy Name: ftp_client
Policy Applicants:
Key-pair Type:
Certificate File Type:
Certificate Type:
Certificate Filename:
Key-file Filename:
Auth-code:
MAC:
CRL File:
Trusted-CA File:
Trusted-CA File 1: Format = ASN1, Filename = cacert.der
Trusted-CA File 2: Format = ASN1, Filename = rootcert.der
Step 3 Enable the FTPS server function and configure the local FTP user.
# Enable the FTPS server function.
NOTE
Disable the FTP server function before enabling the FTPS server function.
[FTPS-Server] undo ftp server
[FTPS-Server] ftp secure-server ssl-policy ftp_server
[FTPS-Server] ftp secure-server enable
# Configure the local FTP user.

[FTPS-Server] aaa
[FTPS-Server-aaa] local-user admin password cipher huawei@123
[FTPS-Server-aaa] local-user admin service-type ftp
[FTPS-Server-aaa] local-user admin privilege level 3
[FTPS-Server-aaa] local-user admin ftp-directory flash:
[FTPS-Server-aaa] quit
[FTPS-Server] quit
You can use the user who uploads the certificates or create a new user.
Step 4 On the FTPS client, run the FTP command to connect to the FTPS server and remotely manage
files.
<FTPS-Client> ftp ssl-policy ftp_client 10.1.1.1
Trying 10.1.1.1 ...
234 AUTH command successfully, Security mechanism accepted.
200 PBSZ is ok.
200 Data channel security level is changed to private.
User(10.1.1.1:(none)):admin
331 Password required for admin.
Enter password:
230 User logged in.
[ftp]
To connect to the FTPS server, enter the correct user name and password.
# Run the display ftp-server command on the FTPS server to view the SSL policy name and
the FTPS server status.
[FTPS-Server] display ftp-server
FTP server is stopped
Max user number 5
User count 1
Timeout value(in minute) 30

Listening port 21
Acl number 0
FTP server's source address 0.0.0.0
FTP SSL policy ftp_server
FTP Secure-server is running
Manage files remotely on the FTPS client.
----End
Configuration File
l Configuration file on the FTPS server
#
sysname FTPS-Server
#
FTP secure-server enable
ftp secure-server ssl-policy ftp_server
#
aaa
local-user admin password cipher %@%@#N&)XdgB87~RcnU9upv6,.d;,uXe*#IeE-
ywBaSmj:\@.d>,%@%@
local-user admin ftp-directory flash:
local-user admin service-type ftp
#
ssl policy ftp_server
certificate load asn1-cert servercert.der key-pair rsa key-file serverkey.der
#
return
l Configuration file on the FTPS client

#
sysname FTPS-Client
#
ssl policy ftp_client
trusted-ca load asn1-ca cacert.der
trusted-ca load asn1-ca rootcert.der
#
return

SCP Client
Compared to the SFTP protocol, the SCP protocol combines the process of authenticating user
identity and transferring files, improving configuration efficiency.
As shown in Figure 1-31, routes between the device functioning as the SCP client and the SSH
server are reachable. The SCP client can download files from the SSH server.
Figure 1-31 Network for managing files when the device functions as an SCP client
10.2.1.1/24 10.1.1.1/24
Network
PC SCP Client SSH Server

1. Generate a local key pair on the SSH server.

2. Create an SSH user on the SSH server.
3. Enable the SCP function on the SSH server.
4. Download the backup.cfg file from the SSH server.
Procedure
Input the bits in the modulus[default = 2048]: 1024
Generating keys...
.....++++++++++++
....++++++++++++
......++++++++
................................++++++++
Step 2 Create an SSH user on the SSH server.

[SSH Server-ui-vty0-4] protocol inbound ssh
# Create an SSH user named client001 and set the authentication mode to password and service
type to all.
[SSH Server] ssh user client001 service-type all
# Set the password of the client001 user to huawei@123.

[SSH Server] aaa
[SSH Server-aaa] local-user client001 password cipher huawei@123
Step 3 Enable the SCP function on the SSH server.

[SSH Server] scp server enable
Step 4 Download the backup.cfg file from the SSH server.
# If the client connects to the SSH server for the first time, enable the initial authentication
function on the client.

[HUAWEI] sysname SCP Client
[SCP Client] ssh client first-time enable
# Use the 3des encryption algorithm to download the backup.cfg file from the SSH server to
the local user's directory.
[SCP Client] scp -cipher 3des client001@10.1.1.1:backup.cfg backup.cfg
Trying 10.1.1.1 ...
The server is not authenticated. Continue to access it? [Y/N] :y
Save the server's public key? [Y/N] :y
..
Enter password:
backup.cfg 100% 19174Bytes 7Kb/s
----End
Configuration File
l Configuration file on the SSH server
#
sysname SSH Server
#
aaa
ywBaSmj:\@.d>,%@%@
#
scp server enable
ssh user client001
ssh user client001 service-type all
#
#
return
l Configuration file on the SCP client

#
sysname SCP Client
#
#
return
1.5 Configuring System Startup

When the device is powered on, system software starts and configuration files are loaded. To
ensure smooth running of the device, manage system software and configuration files efficiently.
1.5.1 Example for Backing Up the Configuration File

As shown in Figure 1-32, a user logs in to the device and backs up the configuration file to the
TFTP server. So the configuration file can be recovered in case that the device is damaged.
Figure 1-32 Networking diagram of backing up the configuration file

Switch TFTP Server
Network
1. Save the configuration file.
2. Back up the configuration file through TFTP.
Procedure
Step 1 Save configurations to the config.cfg file.
<HUAWEI> save config.cfg
Step 2 Back up the configuration file through TFTP.

1. Start the TFTP server program.
Start the TFTP server program on the PC. Set the path for transmitting the configuration
file, and the IP address and port number of the TFTP server.
2. Transfer the configuration file.
Run the tftp command in the user view to back up the specified configuration file.
<HUAWEI> tftp 10.110.24.254 put flash:/config.cfg backup.cfg
----End
1.5.2 Example for Recovering the Configuration File
As shown in Figure 1-33, a user logs in to the device and finds that some incorrect configurations
cause errors in the system. To recover the original configuration, the user downloads the
configuration file saved in the TFTP server to the device and specifies the configuration file for
the next startup.
Figure 1-33 Network diagram of recovering the configuration file

Switch TFTP Server
Network

1. Recover the configuration file that is backed up on the PC through TFTP.

2. Specify the recovered configuration file for the next startup.
Procedure
Step 1 Recover the configuration file that is backed up on the PC through TFTP.
1. Start the TFTP server program.
Start the TFTP server program on the PC. Set the path for transmitting the configuration
file, and the IP address and port number of the TFTP server.
2. Transfer the configuration file.
Run the tftp command in the user view.

<HUAWEI> tftp 10.110.24.254 get backup.cfg config.cfg
Step 2 Specify the recovered configuration file for the next startup.
<HUAWEI> startup saved-configuration config.cfg
----End
1.5.3 Example of Configuring System Startup
As shown in Figure 1-34, the current system software cannot meet user needs. The device must
load new software version with more features. Then the device software needs to be upgraded
remotely.
Figure 1-34 Configuring System Startup Networking
10.1.1.1/24
Network
PC Switch
1. Upload the new system software to the root directory of the device.
2. Save the current configuration so that it remains active after upgrade.

3. Specify the system software for next startup.

4. Specify the configuration file for next startup of the device.
5. Restart the device to complete upgrade.
Procedure
Step 1 Upload the new system software to the root directory of the device.
Before configuration, run the display startup command to view the files for next startup.
<HUAWEI> display startup
MainBoard:
Configured startup system software: flash:/basicsoft.cc
Startup system software: flash:/basicsoft.cc
Next startup system software: flash:/basicsoft.cc
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip
Startup paf file: NULL
Next startup paf file: NULL
Startup license file: NULL
Next startup license file: NULL
Startup patch package: NULL
Next startup patch package: NULL
Upload the new system software to the device. This example uses FTP to transfer the system
software. Configure the device as an FTP server and upload the system software to the device
from the FTP client. Make sure there is enough space in the storage device before uploading
files. If the space is insufficient, delete unnecessary files to free up space in the storage device.
[HUAWEI] ftp server enable
[HUAWEI] aaa
[HUAWEI-aaa] local-user huawei password cipher Huawei@123
[HUAWEI-aaa] local-user huawei service-type ftp
[HUAWEI-aaa] local-user huawei ftp-directory flash:
[HUAWEI-aaa] local-user huawei privilege level 15
[HUAWEI-aaa] quit
[HUAWEI] quit
Run the ftp 10.1.1.1 command in the command line window of the PC to set up an FTP
connection with the device. Run the put command to upload new system software
newbasicsoft.cc. After the upload completes, run the dir command to check the system software.
<HUAWEI> dir

0 -rw- 515,160 Oct 01 2008 00:06:14 bootrom.bin
1 -rw- 1,799 Jan 01 2012 00:22:58 private-data.txt
2 drw- - Jan 01 2012 00:25:20 syslogfile
3 drw- - Jan 29 2012 00:00:54 resetinfo
4 -rw- 26,493,884 Dec 31 2011 23:46:52 basicsoft.cc
5 -rw- 1,111 Nov 29 2011 19:43:54 vrpcfg.zip
6 drw- 27,403,824 Jul 16 2012 19:14:26 newbasicsoft.cc
...
Step 2 Save the current configuration.

<HUAWEI> save

The system displays a message indicating that the current configuration will be saved and asks
you whether to continue. Enter y and the configuration will be saved to the device.
Step 3 Specify the system software to be loaded for next startup.

<HUAWEI> startup system-software newbasicsoft.cc
Step 4 Specify the configuration file for next startup.

<HUAWEI> startup saved-configuration vrpcfg.zip
NOTE
In step 1, you can run the display startup command to check the configuration file for next startup. The
message "Next startup saved-configuration file: flash:/vrpcfg.zip" will be displayed. This means the
vrpcfg.zip configuration file has been specified for next startup, so you do not need to perform this step.
To specify another file for next startup, perform this step.
Step 5 Checking the configuration
Run the following command to view the system software and configuration file for next startup.
MainBoard:
Configured startup system software: flash:/basicsoft.cc
Startup system software: flash:/basicsoft.cc
Next startup system software: flash:/newbasicsoft.cc
Startup saved-configuration file: flash:/vrpcfg.zip
Next startup saved-configuration file: flash:/vrpcfg.zip
Startup patch package: NULL
Next startup patch package: NULL
Step 6 Restart the device.
# Since the configuration file has been saved, run the reboot fast command to restart the device
quickly.
<HUAWEI> reboot fast
When the system asks you whether to start the device, enter y.
# Wait for several minutes until the device restart is complete. Run the display version command
to check the current system version. If the current system software is new, the upgrading has
succeeded.
The display version command output is not provided here.
----End
Configuration File
#
sysname HUAWEI
#
FTP server enable
#
vlan batch 10
#
aaa
local-user huawei password cipher %@%@gVq*NB}t==u!hl<vesQ+%W@}%@%@


#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 10
#
return

Typical Configuration Examples 2 Interface Management
2 Interface Management
About This Chapter
This document describes configuration examples of interfaces supported by the

S2350&S5300&S6300.
2.1 Ethernet Interfaces Configuration

Ethernet is flexible, simple, and easy to implement, and therefore it becomes an important local
area network (LAN) networking technology. You need to configure Ethernet interfaces when
using Ethernet technology to establish LANs.

2.1 Ethernet Interfaces Configuration

Ethernet is flexible, simple, and easy to implement, and therefore it becomes an important local
area network (LAN) networking technology. You need to configure Ethernet interfaces when
using Ethernet technology to establish LANs.
2.1.1 Example for Configuring Interface Isolation
As shown in Figure 2-1, PC1, PC2, and PC3 belong to VLAN 10. PC1 and PC2 are not allowed
to communicate with each other in VLAN 10 but are allowed to communicate with PC3.
Figure 2-1 Networking diagram of interface isolation configuration

Switch
GE0/0/1 GE0/0/3
GE0/0/2
PC1 PC2 PC3

10.10.10.1/24 10.10.10.2/24 10.10.10.3/24
VLAN10
1. By default, interfaces are isolated at Layer 2 but can communicate at Layer 3. You can add
interfaces to an isolation group to implement Layer 2 isolation between these interfaces.
Procedure
Step 1 Configure interface isolation.
# Configure interface isolation for GE0/0/1.
[HUAWEI] vlan 10
[HUAWEI-vlan10] quit
[HUAWEI] interface gigabitethernet 0/0/1

[HUAWEI-GigabitEthernet0/0/1] port link-type access

[HUAWEI-GigabitEthernet0/0/1] port default vlan 10
[HUAWEI-GigabitEthernet0/0/1] port-isolate enable
[HUAWEI-GigabitEthernet0/0/1] quit
# Configure interface isolation for GE0/0/2.

# Add interface GE0/0/3 to VLAN10.

# PC1 and PC2 cannot ping each other.
# PC1 and PC3 can ping each other.
# PC2 and PC3 can ping each other.
----End
Configuration Files
Configuration file of Switch
#
vlan batch 10
#
port link-type access
port default vlan 10
port-isolate enable group 1
#
#
#
return

Typical Configuration Examples 3 Ethernet
3 Ethernet
About This Chapter
This document provides configuration examples of Ethernet.
3.1 Link Aggregation Configuration

Link aggregation is a technology that bundles multiple Ethernet links into a logical link to
increase bandwidth, improve reliability, and load balance traffic.
3.2 VLAN Configuration

VLANs have advantages of broadcast domain isolation, security hardening, flexible networking,
and good extensibility.
3.3 VLAN Mapping Configuration

VLAN mapping is configured on the edge device of the public network so that the VLANs of
private networks are isolated from S-VLANs. This saves S-VLAN resources.
3.4 Voice VLAN Configuration

This chapter describes voice VLAN concepts and how to configure voice VLAN.
3.5 QinQ Configuration

This chapter describes the concepts and configuration procedure of 802.1Q-in-802.1Q (QinQ),
and provides configuration examples.
3.6 GVRP Configuration

This chapter describes basic GVRP concepts, GVRP configuration procedures, and concludes
with a GVRP configuration example.
3.7 MAC Address Table Configuration

This chapter provides the basics for MAC address table configuration, configuration procedure,
and configuration examples.
3.8 STP/RSTP Configuration

This chapter describes the concepts and configuration procedure of STP/RSTP, and provides
configuration examples.
3.9 MSTP Configuration

This chapter describes the concepts and configuration procedure of MSTP, and provides

3.10 SEP Configuration

Smart Ethernet Protection (SEP) is a ring network protocol specially used for the Ethernet link
layer. It blocks redundant links to prevent logical loops on a ring network.
3.11 Layer 2 Protocol Transparent Transmission Configuration

This chapter describes the concept, configuration procedure, and configuration examples of
Layer 2 protocol transparent transmission.
3.12 Loopback Detection Configuration

Loopback detection can detect loops on the network connected to the device and reduce impacts
on the network.
3.13 VoIP Access Configuration

3.1 Link Aggregation Configuration

Link aggregation is a technology that bundles multiple Ethernet links into a logical link to
increase bandwidth, improve reliability, and load balance traffic.
3.1.1 Example for Configuring Link Aggregation in Manual Load

Balancing Mode
As shown in Figure 3-1, SwitchA and SwitchB connect to devices in VLAN 10 and VLAN 20
through Ethernet links, and heavy traffic is transmitted between SwitchA and SwitchB.
SwitchA and SwitchB can provide higher link bandwidth to implement inter-VLAN
communication. Reliability of data transmission needs to be ensured.
Figure 3-1 Networking diagram for configuring link aggregation in manual load balancing mode
VLAN10 VLAN10
GE0/0/4 GE0/0/1 GE0/0/4

GE0/0/1
SwitchA GE0/0/2 Eth-Trunk GE0/0/2 SwitchB
GE0/0/3 GE0/0/3
GE0/0/5 Eth-Trunk 1 Eth-Trunk 1 GE0/0/5
VLAN20 VLAN20
1. Create an Eth-Trunk and add member interfaces to the Eth-Trunk to increase link
bandwidth.
NOTE
An interface is added to VLAN1 by default. To avoid broadcast strom, shut down the interface or
remove the interface from VLAN1 before adding it to an Eth-Trunk interface.
2. Create VLANs and add interfaces to the VLANs.
3. Set the load balancing mode to ensure that traffic is load balanced between member
interfaces of the Eth-Trunk.

Procedure
Step 1 Create an Eth-Trunk on SwitchA and add member interfaces to the Eth-Trunk. The configuration
of SwitchB is similar to the configuration of SwitchA, and the configuration details are not
mentioned here.
[HUAWEI] sysname SwitchA
[SwitchA] interface Eth-Trunk1
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 0/0/1 to 0/0/3
[SwitchA-Eth-Trunk1] quit
Step 2 Create VLANs and add interfaces to the VLANs. The configuration of SwitchB is similar to the
configuration of SwitchA, and the configuration details are not mentioned here.
# Create VLAN 10 and VLAN 20, and add interfaces to VLAN 10 and VLAN 20.
[SwitchA] vlan batch 10 20
[SwitchA] interface gigabitethernet 0/0/4
[SwitchA-GigabitEthernet0/0/4] port link-type trunk
[SwitchA-GigabitEthernet0/0/4] port trunk allow-pass vlan 10
[SwitchA-GigabitEthernet0/0/4] quit
# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass through.
[SwitchA] interface Eth-Trunk1
[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 10 20
Step 3 Set the load balancing mode of Eth-Trunk 1. The configuration of SwitchB is similar to the
configuration of SwitchA, and the configuration details are not mentioned here.
[SwitchA-Eth-Trunk1] load-balance src-dst-mac
Run the display eth-trunk 1 command in any view to check whether the Eth-Trunk is created
and whether member interfaces are added.
[SwitchA] display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SA-XOR-DA
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Port In Trunk: 3
--------------------------------------------------------------------------------
PortName Status Weight
GigabitEthernet0/0/1 Up 1
The preceding command output shows that Eth-Trunk 1 has three member interfaces:
GigabitEthernet0/0/1, GigabitEthernet0/0/2, and GigabitEthernet0/0/3. The member interfaces
are both in Up state.
----End
Configuration Files
l Configuration file of SwitchA

#
sysname SwitchA
#
vlan batch 10 20
#
interface Eth-Trunk1
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
#
#
return
l Configuration file of SwitchB

#
sysname SwitchB
#
vlan batch 10 20
#
load-balance src-dst-mac
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
#
#
return
3.1.2 Example for Configuring Link Aggregation in LACP Mode
To improve bandwidth and connection reliability, configure a link aggregation group on two
directly connected Switches, as shown in Figure 3-2. The requirements are as follows:

l Two active links implement load balancing.

l One link function as the backup link. When a fault occurs on an active link, the backup link
replaces the faulty link to maintain reliable data transmission.
Figure 3-2 Networking diagram for configuring link aggregation in LACP mode
SwitchA SwitchB
GE0/0/1 GE0/0/1
GE0/0/2 Eth-Trunk GE0/0/2
GE0/0/3 GE0/0/3
Eth-Trunk 1 Eth-Trunk 1
Active link
Backup link
1. Create an Eth-Trunk and configure the Eth-Trunk to work in LACP mode to implement
link aggregation.
2. Add member interfaces to the Eth-Trunk.
NOTE
An interface is added to VLAN1 by default. To avoid broadcast strom, shut down the interface or
remove the interface from VLAN1 before adding it to an Eth-Trunk interface.
3. Set the system priority and determine the Actor so that the Partner selects active interfaces
based on the Actor interface priority.
4. Set the upper threshold for the number of active interfaces to improve reliability.
5. Set interface priorities and determine active interfaces so that interfaces with higher
priorities are selected as active interfaces.
Procedure
Step 1 Create Eth-Trunk 1 on SwitchA and configure Eth-Trunk 1 to work in LACP mode. The
configuration of SwitchB is similar to the configuration of SwitchA, and the configuration details
are not mentioned here.
[SwitchA] interface eth-trunk 1
[SwitchA-Eth-Trunk1] mode lacp
Step 2 Add member interfaces to Eth-Trunk 1 on SwitchA. The configuration of SwitchB is similar to
the configuration of SwitchA, and the configuration details are not mentioned here.
[SwitchA-GigabitEthernet0/0/1] eth-trunk 1

Step 3 Set the system priority on SwitchA to 100 so that SwitchA becomes the Actor.
[SwitchA] lacp priority 100
Step 4 On SwitchA, set the upper threshold for the number of active interfaces to 2.
[SwitchA-Eth-Trunk1] max active-linknumber 2
Step 5 Set the priority of the interface and determine active links on SwitchA.
[SwitchA-GigabitEthernet0/0/1] lacp priority 100
[SwitchA-GigabitEthernet0/0/2] lacp priority 100

# Check information about the Eth-Trunk of the Switchs and check whether negotiation is
successful on the link.
Local:
LAG ID: 1 WorkingMode: LACP
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 100 System ID: 00e0-fca8-0417
Least Active-linknumber: 1 Max Active-linknumber: 2
--------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey
PortState Weight
GigabitEthernet0/0/1 Selected 1GE 100 6145 2865
11111100 1
11111100 1
GigabitEthernet0/0/3 Unselect 1GE 32768 6147 2865
11100000 1
Partner:
------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey
PortState
GigabitEthernet0/0/1 32768 00e0-fca6-7f85 32768 6145 2609
11111100
11111100
11110000
[SwitchB] display eth-trunk 1
Local:
LAG ID: 1 WorkingMode: LACP
Preempt Delay: Disabled Hash arithmetic: According to SIP-XOR-DIP
System Priority: 32768 System ID: 00e0-fca6-7f85
Least Active-linknumber: 1 Max Active-linknumber: 8
------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey
PortState Weight
11111100 1
11111100 1
GigabitEthernet0/0/3 Unselect 1GE 32768 6147 2609
11100000 1

Partner:
------------------------------------------------------------------------------
ActorPortName SysPri SystemID PortPri PortNo PortKey
PortState
GigabitEthernet0/0/1 100 00e0-fca8-0417 100 6145 2865
11111100
11111100
11110000
The preceding information shows that the system priority of SwitchA is 100, which is higher
than the system priority of SwitchB. Member interfaces GigabitEthernet0/0/1 and
GigabitEthernet0/0/2 become the active interfaces and are in Selected state. Interface
GigabitEthernet0/0/3 is in Unselect state. Two links are active and working in load balancing
mode, and one link is the backup links.
----End
Configuration Files
#
sysname SwitchA
#
lacp priority 100
#
mode lacp
max active-linknumber 2
#
eth-trunk 1
lacp priority 100
#
eth-trunk 1
lacp priority 100
#
eth-trunk 1
#
return

#
sysname SwitchB
#
mode lacp
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
return

3.2 VLAN Configuration

VLANs have advantages of broadcast domain isolation, security hardening, flexible networking,
and good extensibility.
3.2.1 Example for Assigning VLANs Based on Ports
As shown in Figure 3-3, multiple user terminals are connected to switches in an enterprise.
Users who use the same service access the enterprise network using different devices.
To ensure the communication security and avoid broadcast storms, the enterprise wants to allow
users who use the same service to communicate with each other but isolate users who use
different services.
Configure port-based VLANs on the switch and add ports connecting to terminals of users who
use the same service to the same VLAN. Users in different VLANs cannot perform Layer 2
communication. Users in the same VLAN can communicate directly.
Figure 3-3 Networking diagram for assigning VLANs based on ports

GE0/0/3 GE0/0/3
SwitchA SwitchB
GE0/0/1 GE0/0/2 GE0/0/1 GE0/0/2
User1 User3 User2 User4

VLAN2 VLAN3 VLAN2 VLAN3
1. Create VLANs and add ports connecting to user terminals to VLANs to isolate Layer 2
traffic between users who use different services.
2. Configure the type of link between SwitchA and SwitchB and VLANs to allow users who
use the same service to communicate.
Procedure
Step 1 Create VLAN2 and VLAN3 on SwitchA, and add ports connecting to user terminals to different
VLANs. Configuration of SwitchB is similar to that of SwitchA.
[SwitchA-GigabitEthernet0/0/1] port link-type access

[SwitchA-GigabitEthernet0/0/1] port default vlan 2

Step 2 Configure the type of port connecting to SwitchB on SwitchA and VLANs. Configuration of
SwitchB is similar to that of SwitchA.

[SwitchA-GigabitEthernet0/0/3] port trunk allow-pass vlan 2 3

Add User1 and User2 to the same IP address segment, for example, 192.168.100.0/24. Add
User3 and User4 to the same IP address segment, for example, 192.168.200.0/24.
Only User1's and User2's terminals can ping each other. Only User3's and User4's terminals can
ping each other.
----End
Configuration Files
Configuration file of SwitchA
#
sysname SwitchA
#
vlan batch 2 to 3
#
port default vlan 2
#
port default vlan 3
#
port trunk allow-pass vlan 2 to 3
#
return
Configuration file of SwitchB

#
sysname SwitchB
#
vlan batch 2 to 3
#
port default vlan 2
#
port default vlan 3
#

#
return
3.2.2 Example for Assigning VLANs based on MAC Addresses
On a company intranet, the network administrator adds the PCs in a department to the same
VLAN. To improve information security, only employees in this department are allowed to
access the intranet.
As shown in Figure 3-4, only PC1, PC2, and PC3 are allowed to access the intranet through
Switch.
You can assign VLANs based on MAC addresses and associate MAC addresses of PCs with the
specified VLAN.
Figure 3-4 Networking diagram for assigning VLANs based on MAC addresses
Enterprise
network
GE0/0/1
Switch
GE0/0/2 GE0/0/4
GE0/0/3
MAC:22-22-22 MAC:33-33-33 MAC:44-44-44

User1 User2 User3
VLAN 10
1. Create VLANs and determine which VLAN the PCs of employees belong to.
2. Add Ethernet interfaces to VLANs so that packets of the VLANs can pass through the
interfaces.
3. Associate MAC addresses of PC1, PC2, and PC3 with the specified VLAN so that the
VLAN of the packet can be determined based on the source MAC address.

Procedure
Step 1 Configure the Switch.
# Create VLANs.
[HUAWEI] sysname Switch
[Switch] vlan batch 10
# Add interfaces to the VLANs. The configuration of GE0/0/3 or GE0/0/4 is similar to the
configuration of GE0/0/2 and the configuration details are not mentioned here.
[Switch] interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1] port hybrid tagged vlan 10
[Switch-GigabitEthernet0/0/1] quit
[Switch-GigabitEthernet0/0/2] port hybrid untagged vlan 10
# Associate MAC addresses of PC1, PC2, and PC3 with VLAN 10.
[Switch] vlan 10
[Switch-vlan10] mac-vlan mac-address 22-22-22
[Switch-vlan10] quit
# Enable MAC address-based VLAN assignment on GE0/0/2. The configuration of GE0/0/3 or

GE0/0/4 is similar to the configuration of GE0/0/2 and the configuration details are not
mentioned here.
[Switch-GigabitEthernet0/0/2] mac-vlan enable

PC1, PC2, and PC3 can access the intranet, whereas other PCsUsers cannot access the intranet.
----End
Configuration Files
Configuration file of the Switch
#
sysname Switch
#
vlan batch 10
#
vlan 10
mac-vlan mac-address 0022-0022-0022 priority 0
#
port hybrid tagged vlan 10
#
port hybrid untagged vlan 10
mac-vlan enable
#

mac-vlan enable
#
mac-vlan enable
#
return
3.2.3 Example for Assigning VLANs Based on IP Subnets
A company has multiple services, including IPTV, VoIP, and Internet access. Each service uses
a unique IP subnet. Packets of the same service must be transmitted in the same VLAN, and
packets of different services must be transmitted in different VLANs.
On the network shown in Figure 3-5, the Switch receives Internet, IPTV, and voice services
from users with diverse IP subnets. Packets of different services need to be transmitted in
different VLANs, and packets of each service need to be sent to a specified remote server.
Figure 3-5 Networking diagram for assigning VLANs based on IP subnets
IPTV
server Voice
Internet Network
RouterB
RouterA GE0/0/3 RouterC
GE0/0/2 GE0/0/4
Switch
GE0/0/5 GE0/0/7
GE0/0/6
192.168.1.2 192.168.3.2
/24 192.168.2.2 /24
/24
1. Create VLANs and determine which VLAN each service belongs to.

2. Associate IP subnets with VLANs so that VLANs of packets can be determined based on
the source IP addresses or specified network segments.
3. Add interfaces to VLANs so that packets of the IP subnet-based VLANs can pass through
the interfaces.
4. Enable IP subnet-based VLAN assignment.
Procedure
Step 1 Create VLANs.
# Create VLAN 100, VLAN 200, and VLAN 300 on the Switch.
[HUAWEI] vlan batch 100 200 300
Step 2 Configure interfaces.
# Set the link type of GE0/0/5,GE0/0/6, and GE0/0/7 to hybrid and add it to VLAN 100, VLAN
200, and VLAN 300 respectively in untagged mode. And enable IP subnet-based VLAN
assignment on GE0/0/5,GE0/0/6, and GE0/0/7.
[HUAWEI-GigabitEthernet0/0/5] port link-type hybrid
[HUAWEI-GigabitEthernet0/0/5] port hybrid untagged vlan 100
[HUAWEI-GigabitEthernet0/0/5] ip-subnet-vlan enable
# Add GE0/0/2 of the Switch to VLAN 100.

[HUAWEI-GigabitEthernet0/0/2] port link-type trunk
[HUAWEI-GigabitEthernet0/0/2] port trunk allow-pass vlan 100


Step 3 Configure IP subnet-based VLAN assignment.
# Associate 192.168.1.2/24 to VLAN 100 and set the 802.1p priority of VLAN 100 to 2.

[HUAWEI] vlan 100

[HUAWEI-vlan100] ip-subnet-vlan 1 ip 192.168.1.2 24 priority 2
# Associate 192.168.2.2/24 to VLAN 200 and set the 802.1p priority of VLAN 200 to 3.
[HUAWEI] vlan 200
# Associate IP subnet 192.168.3.2/24 to VLAN 100 and set the 802.1p priority of VLAN 300
to 4.
[HUAWEI] vlan 300

Run the display ip-subnet-vlan vlan all command on the Switch. The following information
is displayed:
[HUAWEI] display ip-subnet-vlan vlan all
----------------------------------------------------------------
Vlan Index IpAddress SubnetMask Priority
----------------------------------------------------------------
100 1 192.168.1.2 255.255.255.0 2
200 1 192.168.2.2 255.255.255.0 3
300 1 192.168.3.2 255.255.255.0 4
----------------------------------------------------------------
ip-subnet-vlan count: 3 total count: 3
----End
Configuration Files
l Configuration file of the Switch
#
sysname HUAWEI
#
vlan batch 100 200 300
#
vlan 100
ip-subnet-vlan 1 ip 192.168.1.2 255.255.255.0 priority 2
vlan 200
vlan 300
#
#
#
#
ip-subnet-vlan enable
#


#
#
return
3.2.4 Example for Assigning VLANs Based on Protocols
A company has multiple services, including IPTV, VoIP, and Internet access. Each service uses
a unique protocol. To facilitate network management, each service is added to a different VLAN.
As shown in Figure 3-6, Swithc1 receives packets of multiple services that use different
protocols. Users in VLAN 10 use IPv4 to communicate with remote users, and users in VLAN
20 use IPv6 to communicate with the servers. Switch1 needs to assign VLANs to packets of
different services and transmit packets with different VLAN IDs to different servers.
Figure 3-6 Networking diagram for assigning VLANs based on protocols
Voice
Network Internet
RouterA RouterB
GE0/0/2 GE0/0/3
Switch
GE0/0/1
GE0/0/1
Switch1
GE0/0/2 GE0/0/3
IPv4 IPv6
VLAN 10 VLAN 20
1. Create VLANs and determine which VLAN each service belongs to.

2. Associate protocols with VLANs so that VLAN IDs that received packets belong to can
be assigned based on the protocol types.
3. Add interfaces to VLANs so that packets of the protocol-based VLANs can pass through
the interfaces.
4. Associate ports with VLANs.
After the Switch receives a frame of a specified protocol, it assigns the VLAN ID associated
with the protocol to the frame.
Procedure
[Switch1] vlan batch 10 20
Step 2 Configure protocol-based VLANs.

# Associate IPv4 with VLAN 10 on Switch1.
[Switch1] vlan 10
[Switch1-vlan10] protocol-vlan ipv4
[Switch1-vlan10] quit
# Associate IPv6 with VLAN 20 on Switch1.

[Switch1] vlan 20
[Switch1-vlan20] protocol-vlan ipv6
Step 3 Associate interfaces with protocol-based VLANs.

# Associate GE0/0/2 with VLAN 10 and set the 802.1p priority of VLAN 10 to 5 on Switch1.
[Switch1] interface gigabitethernet 0/0/2
[Switch1-GigabitEthernet0/0/2] protocol-vlan vlan 10 all priority 5
[Switch1-GigabitEthernet0/0/2] quit
# Associate GE0/0/3 with VLAN 20 and set the 802.1p priority of VLAN 20 to 6 on Switch1.
[Switch1] interface gigabitethernet 0/0/3
[Switch1-GigabitEthernet0/0/3] protocol-vlan vlan 20 all priority 6
Step 4 Configure interfaces.

# Add GE0/0/1 to VLAN 10 and VLAN 20 in trunk mode on Switch1.
[Switch-GigabitEthernet0/0/1] port link-type trunk
[Switch-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 20
# Add GE0/0/2 to VLAN 10 in untagged mode on Switch1.

[Switch-GigabitEthernet0/0/2] port link-type hybrid
# Add GE0/0/3 to VLAN 20 in untagged mode on Switch1.

[Switch-GigabitEthernet0/0/3] port link-type hybrid


# Add GE0/0/1 to VLAN 10 and VLAN 20 in trunk mode on Switch.

# Add GE0/0/2 to VLAN 10 in trunk mode on Switch.

[Switch-GigabitEthernet0/0/2] port trunk allow-pass vlan 10
# Add GE0/0/3 to VLAN 20 in trunk mode on Switch.

[Switch-GigabitEthernet0/0/3] return

After you complete the configuration, run the display protocol-vlan interface all command on
Switch1 to view the protocol-based VLAN assignment.
<Switch1> display protocol-vlan interface all
-------------------------------------------------------------------------------
Interface VLAN Index Protocol Type Priority
-------------------------------------------------------------------------------
GigabitEthernet0/0/2 10 0 IPv4 5
GigabitEthernet0/0/3 20 0 IPv6 6
----End
Configuration Files
l Configuration file of the Switch1
#
sysname Switch1
#
vlan batch 10 20
#
vlan 10
protocol-vlan 0 ipv4
vlan 20
protocol-vlan 0 ipv6
#
#
protocol-vlan vlan 10 0 priority 5
#
protocol-vlan vlan 20 0 priority 6
#
return

#
sysname Switch
#
#
#
#
return
3.2.5 Example for Implementing Inter-VLAN Communication

Using VLANIF Interfaces
Users in an enterprise use different services and locate at different network segments. Users who
use the same service belong to different VLANs and they want to communicate with each other.
As shown in Figure 3-7, User 1 and User 2 use the same service but belong to different VLANs
and locate at different network segments. User 1 wants to communicate with User 2.
Figure 3-7 Networking diagram for implementing inter-VLAN communication using VLANIF
interfaces
Switch
GE0/0/1 GE0/0/2
VLANIF10 VLANIF20
10.10.10.2/24 20.20.20.2/24
VLAN 10 VLAN 20
User1 User2
10.10.10.3/24 20.20.20.3/24
1. Create VLANs on the switches for different users.

2. Add interfaces to VLANs so that packets of the VLANs can pass through the interfaces.
3. Create VLANIF interfaces and configure IP addresses for the VLANIF interfaces to
implement Layer 3 communication.

NOTE
To implement communication between VLANs, hosts in each VLAN must use the IP address of the
corresponding VLANIF interface as the gateway address.
Procedure
# Create VLANs.
[Switch] vlan batch 10 20
# Add interfaces to VLANs.

[Switch-GigabitEthernet0/0/1] port link-type access
[Switch-GigabitEthernet0/0/1] port default vlan 10
# Assign IP addresses to the VLANIF interfaces.

[Switch] interface vlanif 10
[Switch-Vlanif10] ip address 10.10.10.2 24
[Switch-Vlanif10] quit

Configure the IP address 10.10.10.3/24 on user 1's host, configure the VLANIF 10 interface IP
address 10.10.10.2/24 as the gateway address.
Configure the IP address 20.20.20.3/24 on user 1's host, configure the VLANIF 10 interface IP
address 20.20.20.2/24 as the gateway address.
After the preceding configurations are complete, User 1 in VLAN 10 and User 2 in VLAN 20
can communicate.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.10.10.2 255.255.255.0
#
interface Vlanif20
ip address 20.20.20.2 255.255.255.0
#


#
#
return
3.2.6 Example for Configuring VLAN Aggregation
Multiple departments in an enterprise locate at the same network segment. To improve the
service security, assign departments to different VLANs. Some departments need to
communicate.
As shown in Figure 3-8, departments in VLAN 2 and VLAN 3 want to communicate with each
other.
You can configure VLAN aggregation on the switch to isolate VLAN 2 from VLAN 3 at Layer
2 and allow them to communicate at Layer 3. VLAN 2 and VLAN 3 use the same subnet segment,
saving IP addresses.
NOTE
The S2350, S5306 and S5300LI do not support VLAN aggregation.
Figure 3-8 Networking diagram for configuring VLAN aggregation
Switch
GE0/0/1 GE0/0/3
GE0/0/2 GE0/0/4
VLAN2 VLAN3
VLAN4
VLANIF4:100.1.1.12/24
VLAN 2 VLAN 3
1. Add interfaces of the Switch to sub-VLANs to isolate sub-VLANs at Layer 2.

2. Add the sub-VLANs to a super-VLAN.

3. Configure the IP address for the VLANIF interface.
4. Configure proxy ARP for the super-VLAN to allow sub-VLANs to communicate at Layer
3.
Procedure
Step 1 Set the interface type.
# Configure GE 0/0/1 as an access interface.

Configurations of GE0/0/2, GE0/0/3, and GE0/0/4 are the same as that of GE0/0/1.
Step 2 Create VLAN 2 and add GE0/0/1 and GE0/0/2 to VLAN 2.

[Switch] vlan 2
[Switch-vlan2] port gigabitethernet 0/0/1 0/0/2
[Switch-vlan2] quit
Step 3 Create VLAN 3 and add GE0/0/3 and GE0/0/4 to VLAN 3.

[Switch] vlan 3
[Switch-vlan3] port gigabitethernet 0/0/3 0/0/4
[Switch-vlan3] quit
Step 4 Configure VLAN 4.
# Configure the super-VLAN.

[Switch] vlan 4
[Switch-vlan4] aggregate-vlan
[Switch-vlan4] access-vlan 2 to 3
[Switch-vlan4] quit
# Configure the VLANIF interface.

[Switch-Vlanif4] ip address 100.1.1.12 255.255.255.0
Step 5 Configure the PCs.
Configure an IP address for each PC. Ensure that the PC IP addresses are in the same network
segment as VLAN 4.
When the configuration is complete, the PCs and the Switch can ping each other, but the PCs in
VLAN 2 and the PCs in VLAN 3 cannot ping each other. You need to configure proxy ARP on
the switch.
Step 6 Configure proxy ARP.

[Switch-Vlanif4] arp-proxy inter-sub-vlan-proxy enable

When the configuration is complete, the PCs in VLAN 2 and VLAN 3 can ping each other.
----End
Configuration Files
#
sysname switch
#
vlan batch 2 to 4
#
vlan 4
aggregate-vlan
access-vlan 2 to 3
#
interface Vlanif4
ip address 100.1.1.12 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
port default vlan 2
#
port default vlan 2
#
port default vlan 3
#
port default vlan 3
#
return
3.2.7 Example for Configuring MUX VLAN on the Access Layer

Device
On an enterprise network, all users can access the enterprise server. Some users need to
communicate with each other, whereas some users must be isolated each other.
As shown in Figure 3-9, MUX VLAN can be configured on the Switch to meet the enterprise's
requirements using fewer VLAN IDs. In addition, MUX VLAN reduces the configuration
workload of the network administrator, and facilitates network maintenance.

Figure 3-9 MUX VLAN configuration

Switch
GE0/0/1 Server
VLAN2
(Principal VLAN)
GE0/0/2 GE0/0/5
GE0/0/3 GE0/0/4
HostB HostC HostD HostE

VLAN3(Group VLAN) VLAN4(Separate VLAN)
1. Configure the principal VLAN.
2. Configure the group VLAN.
3. Configure the separate VLAN.
4. Add interfaces to the VLANs and enable the MUX VLAN function.
Procedure
Step 1 Configure the MUX VLAN.
# Create VLAN 2, VLAN 3, and VLAN 4.
# Configure the Group VLAN and Separate VLAN in the MUX VLAN.
[HUAWEI] vlan 2
[HUAWEI-vlan2] mux-vlan
[HUAWEI-vlan2] subordinate group 3
[HUAWEI-vlan2] subordinate separate 4
[HUAWEI-vlan2] quit
# Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
[HUAWEI-GigabitEthernet0/0/1] port mux-vlan enable vlan 2


The server can communicate with HostB, HostC, HostD, and HostE at Layer 2.
HostB can communicate with HostC at Layer 2.
HostD cannot communicate with HostE at Layer 2.
HostB and HostC cannot communicate with HostD and HostE at Layer 2.
----End
Configuration Files
#
sysname HUAWEI
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
port default vlan 2
port mux-vlan enable vlan 2
#
port default vlan 3
#
port default vlan 3
#
port default vlan 4
#
port default vlan 4
#
return

3.2.8 Example for Configuring the MUX VLAN on the Aggregation

Device
All employees of an enterprise can access the server on the enterprise network. The enterprise
allows some employees to communicate but expects to isolate some employees.
As shown in Figure 3-10, Switch1 is deployed at the aggregation layer and used as the gateway
of downstream terminals. Switch2, Switch3, Switch4, Switch5, and Switch6 are access layer
devices. You can configure MUX VLAN on Switch1. This saves VLAN IDs on the enterprise
network and facilitates network management.
Figure 3-10 Network of MUX VLAN
Internet
Switch2
Switch1 GE0/0/2 Server
GE0/0/3 GE0/0/6 VLAN2

GE
(Principal VLAN)
4 /
0/0
0/0
GE
/5
Switch3 Switch4 Switch5 Switch6
HostB HostC HostD HostE

VLAN3(Group VLAN) VLAN4(Separate VLAN)
1. Configure the principal VLAN and a VLANIF interface. The IP address of the VLANIF
interface is used as the gateway IP address of downstream hosts and server.
2. Configure the group VLAN.
3. Configure the separate VLAN.
4. Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.

5. Add interfaces of access layer devices to VLANs.
Procedure
Step 1 Configure the MUX VLAN.
# Create VLAN 2, VLAN 3, and VLAN 4, and a VLANIF interface for VLAN 2. The IP address
of the VLANIF interface is used as the gateway IP address of downstream hosts and server.
[HUAWEI] interface vlanif 2
[HUAWEI-Vlanif2] ip address 192.168.100.100 24
[HUAWEI-Vlanif2] quit
# Configure the group VLAN and separate VLAN.

[HUAWEI] vlan 2
[HUAWEI-vlan2] mux-vlan
[HUAWEI-vlan2] subordinate group 3
[HUAWEI-vlan2] subordinate separate 4
[HUAWEI-vlan2] quit
# Add interfaces to the VLANs and enable the MUX VLAN function on the interfaces.
Step 2 Add interfaces of access layer switches to VLANs. The configuration details are not mentioned
here.
The server can communicate with HostB, HostC, HostD, and HostE at Layer 2.
HostB can communicate with HostC at Layer 2.
HostD cannot communicate with HostE at Layer 2.
HostB and HostC cannot communicate with HostD and HostE at Layer 2.
----End

Configuration Files
Configuration file of Switch1
#
sysname HUAWEI
#
vlan batch 2 to 4
#
vlan 2
mux-vlan
subordinate separate 4
subordinate group 3
#
interface Vlanif2
ip address 192.168.100.100 255.255.255.0
#
#
#
#
#
#
return
3.3 VLAN Mapping Configuration

VLAN mapping is configured on the edge device of the public network so that the VLANs of
private networks are isolated from S-VLANs. This saves S-VLAN resources.
3.3.1 Example for Configuring VLAN ID-based 1 to 1 VLAN

Mapping
Users in different communities use same services, such as the web, IPTV, and VoIP services.
To facilitate management, the network administrator of each community adds different services
to different VLANs. Communities in different VLANs need to use the same service, so
communication between VLANs must be implemented.

As shown in Figure 3-11, community 1 and community 2 have the same services, but belong
to different VLANs. Communication between community 1 and community 2 needs to be
implemented with low costs.
Figure 3-11 Networking diagram for configuring 1 to 1 VLAN mapping
PE1 PE2
GE0/0/1 ISP GE0/0/1
VLAN10
CE1 GE0/0/3 GE0/0/3 CE2
GE0/0/1 GE0/0/2 GE0/0/1 GE0/0/2
Community1 Community2
VLAN6 VLAN5
172.16.0.2/16 172.16.0.6/16
172.16.0.1/16 172.16.0.3/16 172.16.0.5/16 172.16.0.7/16
IP addresses of devices in the VLAN5 and VLAN6 must be in the same network segment.
1. Add the switch port connecting to community 1 to VLAN6 and add the switch port
connecting to community 2 to VLAN5.
2. Configure VLAN mapping on GE0/0/1 of PE1 and PE2 and map C-VLAN IDs to S-VLAN
IDs so that users in different VLANs can communicate with each other.
Procedure
Step 1 Add downlink interfaces on switches to specified VLANs.
# Configure CE1.
[HUAWEI] sysname CE1
[CE1] vlan 6
[CE1-vlan6] quit
[CE1] interface gigabitethernet 0/0/1
[CE1-GigabitEthernet0/0/1] port link-type access
[CE1-GigabitEthernet0/0/1] port default vlan 6
[CE1-GigabitEthernet0/0/1] quit
[CE1-GigabitEthernet0/0/3] port link-type trunk

[CE1-GigabitEthernet0/0/3] port trunk allow-pass vlan 6

# Configure CE2.
[CE2] vlan 5
[CE2-vlan5] quit
Step 2 Configure VLAN mapping on the GE0/0/1 of PE1 and PE2.
# Configure PE1.
[HUAWEI] sysname PE1
[PE1] vlan 10
[PE1-vlan10] quit
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] port link-type trunk
[PE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[PE1-GigabitEthernet0/0/1] qinq vlan-translation enable
[PE1-GigabitEthernet0/0/1] port vlan-mapping vlan 6 map-vlan 10
[PE1-GigabitEthernet0/0/1] quit
# Configure PE2.
[PE2] vlan 10
[PE2-vlan10] quit
[PE2-GigabitEthernet0/0/1] port vlan-mapping vlan 5 map-vlan 10
Verify that users in community 1 and community 2 can communicate each other.
----End
Configuration Files
l Configuration file of CE1
#
sysname CE1
#
vlan batch 6
#

port default vlan 6

#
port default vlan 6
#
#
return

#
sysname CE2
#
vlan batch 5
#
port default vlan 5
#
port default vlan 5
#
#
return
l Configuration file of PE1

#
sysname PE1
#
vlan batch 10
#
qinq vlan-translation enable
port vlan-mapping vlan 6 map-vlan 10
#
return

#
sysname PE2
#
vlan batch 10
#
port vlan-mapping vlan 5 map-vlan 10
#
return

3.3.2 Example for Configuring VLAN ID-based N to 1 VLAN

Mapping
As shown in Figure 3-12, a large number of switches need to be deployed at the corridor so that
the same service used by different users can be sent on different VLANs. To save VLAN
resources, configure the VLAN aggregation function (N to 1) on the switches so that same
services are sent on the same VLAN.
Figure 3-12 Networking diagram for configuring N to 1 VLAN mapping
Internet
Switch GE0/0/1
VLAN100~200
SwitchA
…… …… ……
SwitchB SwitchC SwitchD SwitchE
1. Create the original VLAN and the translated VLAN on the Switch and add GE0/0/1 to the
VLANs in the tagged mode.
2. Configure VLAN mapping on GE0/0/1 on the Switch.
Procedure

# Create a VLAN.
[HUAWEI] vlan batch 10 100 to 200
# Add GE0/0/1 to the VLAN.

[HUAWEI-GigabitEthernet0/0/1] port hybrid tagged vlan 10 100 to 200
# Configure VLAN mapping on GE0/0/1.

[HUAWEI-GigabitEthernet0/0/1] qinq vlan-translation enable
[HUAWEI-GigabitEthernet0/0/1] port vlan-mapping vlan 100 to 200 map-vlan 10
Verify that users in VLAN 100 to VLAN 200 can connect to the Internet through the Switch.
----End
Configuration Files
l Configuration file of Switch
#
sysname HUAWEI
#
vlan batch 10 100 to 200
#
interface gigabitethernet0/0/1
port hybrid tagged vlan 10 100 to 200
port vlan-mapping vlan 100 to 200 map-vlan 10
#
return
3.3.3 Example for Configuring VLAN ID-based 2 to 1 VLAN

Mapping
As shown in Figure 3-13, Residential Gateway, Corridor Switch, and Community Switch allow
users to connect to the aggregation layer. To save VLAN resources and isolate same services
used by different users, configure the QinQ function on the Corridor Switch and configure VLAN
mapping on the Community Switch.

Figure 3-13 Networking diagram for configuring 2 to 1 VLAN mapping
Internet
Aggregate switch of carrier
Community GE0/0/3
Switch IP 2 ~3 501
S5
GE0/0/2 GE0/0/1 IP 4 501
S3 GE0/0/2 GE0/0/2 IP 2 ~3 201

Corridor S4
GE0/0/1 GE0/0/1 IP 4 401
Switch
S1 GE0/0/4 GE0/0/4 S2
Residential
GE
GE
Gateway
1
1
GE0/0/2
/
/
GE0/0/2
0/0
0/0
0
/ 0/
/ 0/
GE
GE
PC VoIP IPTV PC VoIP IPTV

VLAN 2 VLAN 3 VLAN 4 VLAN 2 VLAN 3 VLAN 4
1. Add switch ports connecting to users to specified VLANs to distinguish different services.
2. Configure the QinQ function on the Corridor Switch to distinguish users and services.
3. Configure VLAN mapping on the Community Switch to save VLAN resources.
Procedure
Step 1 Add downlink interfaces of S1 and S2 to specified VLANs.
# Configure S1.
[HUAWEI] sysname S1
[S1] vlan batch 2 to 4
[S1] interface gigabitethernet 0/0/1
[S1-GigabitEthernet0/0/1] port link-type access
[S1-GigabitEthernet0/0/1] port default vlan 2

[S1-GigabitEthernet0/0/1] quit
[S1-GigabitEthernet0/0/4] port link-type trunk
[S1-GigabitEthernet0/0/4] port trunk allow-pass vlan 2 to 4
# Configure S2.
[HUAWEI] sysname S2
[S2] vlan batch 2 to 4
[S2-GigabitEthernet0/0/4] port trunk allow-pass vlan 2 to 4
Step 2 Configure the QinQ function on the Corridor Switch to allow the Corridor Switch to send double-
tagged packets to the Community Switch.
# Configure S3.
[HUAWEI] sysname S3
[S3] vlan batch 201 401
[S3-GigabitEthernet0/0/1] port trunk allow-pass vlan 201 401
[S3-GigabitEthernet0/0/1] port vlan-stacking vlan 2 to 3 stack-vlan 201
[S3-GigabitEthernet0/0/1] port vlan-stacking vlan 4 stack-vlan 401
# Configure S4.
[HUAWEI] sysname S4
[S4] vlan batch 201 401
[S4-GigabitEthernet0/0/1] port vlan-stacking vlan 2 to 3 stack-vlan 201
[S4-GigabitEthernet0/0/1] port vlan-stacking vlan 4 stack-vlan 401


Step 3 Configure VLAN mapping on S5.

[HUAWEI] sysname S5
[S5] vlan batch 501
[S5-GigabitEthernet0/0/1] port trunk allow-pass vlan 501
[S5-GigabitEthernet0/0/1] port vlan-mapping vlan 201 to 401 map-vlan 501
[S5-GigabitEthernet0/0/2] port vlan-mapping vlan 201 to 401 map-vlan 501
Verify that users can connect to the network and that same services are sent on the same VLAN.
----End
Configuration Files
l Configuration file of S1
#
sysname S1
#
vlan batch 2 to 4
#
port default vlan 2
#
port default vlan 3
#
port default vlan 4
#
#
return
#
sysname S2
#
vlan batch 2 to 4
#
port default vlan 2
#

port default vlan 3
#
port default vlan 4
#
#
return
#
sysname S3
#
vlan batch 201 401
#
port vlan-stacking vlan 2 to 3 stack-vlan 201
port vlan-stacking vlan 4 stack-vlan 401
#
#
return
#
sysname S4
#
vlan batch 201 401
#
#
#
return
#
sysname S5
#
vlan batch 501
#
#
#


#
return
3.4 Voice VLAN Configuration

This chapter describes voice VLAN concepts and how to configure voice VLAN.
3.4.1 Example for Configuring a Voice VLAN in Auto Mode
As shown in Figure 3-14, data flows of the HSI, VoIP, and IPTV services are transmitted on
the network. Users require high quality of the VoIP service. Therefore, voice data flows must
be transmitted with a high priority. Voice packets are transmitted in VLAN 2, and other packets
are transmitted in VLAN 6. IP phones can obtain voice VLAN information through LLDP.
Figure 3-14 Configuring a voice VLAN in auto mode
DHCP Server
Internet
Switch
GE0/0/1
HG
HSI VoIP IPTV
1. Create VLANs and VLANIF interfaces on Switch and configure interfaces so that users
can access the WAN.
2. Configure a voice VLAN and set the mode in which interfaces are added to the voice VLAN
to auto so that voice data packets are transmitted in the voice VLAN with a high priority.

Procedure
Step 1 Create VLANs and configure the interface on the Switch.
# Create VLAN 2 and VLAN 6.
[HUAWEI] vlan batch 2 6
# Enable LLDP.
[HUAWEI] lldp enable
# Configure the link type and default VLAN of the interface.

[HUAWEI-GigabitEthernet0/0/1] port hybrid pvid vlan 6
Step 2 Configure the voice VLAN on the Switch.

# Configure the voice VLAN on the interface.
[HUAWEI-GigabitEthernet0/0/1] voice-vlan 2 enable
[HUAWEI-GigabitEthernet0/0/1] voice-vlan remark-mode mac-address
# Set the voice VLAN mode to auto so that the interface can be automatically added to or deleted
from the voice VLAN.
[HUAWEI-GigabitEthernet0/0/1] voice-vlan mode auto
# Set the OUI of the voice VLAN.

[HUAWEI] voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
# Set the working mode of the voice VLAN.

[HUAWEI-GigabitEthernet0/0/1] voice-vlan security enable

Run the display voice-vlan oui command to check the OUI of the voice VLAN.
<HUAWEI> display voice-vlan oui
---------------------------------------------------
OuiAddress Mask Description
---------------------------------------------------
0011-2200-0000 ffff-ff00-0000
Run the display voice-vlan 2 status command to check the voice VLAN mode, voice security
mode, and voice VLAN aging time.
<HUAWEI> display voice-vlan 2 status
Voice VLAN Configurations:
---------------------------------------------------
Voice VLAN ID : 2
Voice VLAN status : Enable
Voice VLAN aging time : -
Voice VLAN 8021p remark : 6
Voice VLAN dscp remark : 46
----------------------------------------------------------
Port Information:
-------------------------------------------------------------------------------

Port Add-Mode Security-Mode Legacy PribyVLAN Untag

-------------------------------------------------------------------------------
GigabitEthernet0/0/1 Auto Security Disable Disable Disable
----End
Configuration Files
#
sysname HUAWEI
#
vlan batch 2 6
#
lldp enable
#
voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
#
voice-vlan 2 enable
voice-vlan remark-mode mac-address
voice-vlan mode auto
voice-vlan security enable
port hybrid pvid vlan 6
#
return
3.4.2 Example for Configuring a Voice VLAN in Manual Mode
As shown in Figure 3-15, data flows of the HSI, VoIP, and IPTV services are transmitted on
the network. Users require high quality of the VoIP service. Therefore, voice data flows must
be transmitted with a high priority. Voice packets are transmitted in VLAN 2, and other packets
are transmitted in VLAN 6. IP phones can obtain voice VLAN information through LLDP.

Figure 3-15 Configuring a voice VLAN in manual mode

DHCP Server
Internet
Switch
GE0/0/1
HG
HSI VoIP IPTV
1. Create VLANs and VLANIF interfaces on Switch and configure interfaces so that users
can access the WAN.
2. Configure a voice VLAN and set the mode in which interfaces are added to the voice VLAN
to manual so that voice data packets are transmitted in the voice VLAN with a high priority.
Procedure
Step 1 Create VLANs and configure the interface on the Switch.

# Enable LLDP.
# Configure the link type and default VLAN of the interface.

Step 2 Configure the voice VLAN on the Switch.

# Configure the voice VLAN on the interface.

[HUAWEI-GigabitEthernet0/0/1] voice-vlan remark-mode mac-address
# Set the voice VLAN mode to manual and add the interface to the voice VLAN.
[HUAWEI-GigabitEthernet0/0/1] voice-vlan mode manual
[HUAWEI-GigabitEthernet0/0/1] port hybrid tagged vlan 2
# Set the OUI of the voice VLAN.

[HUAWEI] voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
# Set the working mode of the voice VLAN.

[HUAWEI-GigabitEthernet0/0/1] voice-vlan security enable
Run the display voice-vlan oui command to check the OUI of the voice VLAN.
<HUAWEI> display voice-vlan oui
---------------------------------------------------
OuiAddress Mask Description
---------------------------------------------------
0011-2200-0000 ffff-ff00-0000
Run the display voice-vlan 2 status command to check the voice VLAN mode, voice security
mode, and voice VLAN aging time.
---------------------------------------------------
Voice VLAN ID : 2
----------------------------------------------------------
Port Information:
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
GigabitEthernet0/0/1 Manual Security Disable Disable Disable
----End
Configuration Files
#
sysname HUAWEI
#
vlan batch 2 6
#
lldp enable
#
voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000
#
voice-vlan 2 enable

voice-vlan remark-mode mac-address

voice-vlan security enable
#
return
3.5 QinQ Configuration

This chapter describes the concepts and configuration procedure of 802.1Q-in-802.1Q (QinQ),
and provides configuration examples.
3.5.1 Example for Configuring basic QinQ
As shown in Figure 3-16, there are two enterprises on the network, Enterprise 1 and Enterprise
2. Enterprise 1 has two office locations, and Enterprise 2 has 2 office locations. The office
locations of the two enterprises access SwitchA and SwitchB of the ISP network. A non-Huawei
device with the TPID value 0x9100 exists on the public network.
The requirements are as follows:

l Enterprise 1 and Enterprise 2 plans their VLANs independently.
l Traffic of the two branches is transparently transmitted on the public network. Users using
the same services in the two branches are allowed to communicate and users using different
services are isolated.
You can configure QinQ to meet the preceding requirements. VLAN 100 provided by the public
network can be used to implement communication of Enterprise 1 in the two branches and VLAN
200 is used for Enterprise 2. You can set the TPID value in the outer VLAN on the interface that
connects the non-Huawei device to implement communication between devices.

Figure 3-16 Configuring basic QinQ
ISP
VLAN 100,200
TPID=0x9100
GE0/0/3 GE0/0/3
Switch A Switch B
GE0/0/1 GE0/0/2 GE0/0/1 GE0/0/2
Enterprise 1 Enterprise 2 Enterprise 1 Enterprise 2

VLAN 10 to 50 VLAN 20 to 60 VLAN 10 to 50 VLAN 20 to 60
1. Configure VLAN 100 and VLAN 200 on both SwitchA and SwitchB. Set the link type of
the interface to QinQ and add the interfaces to VLAN. In this way, different outer VLAN
tags are added to different services.
2. Add interfaces connecting to the public network on SwitchA and SwitchB to VLAN 100
and VLAN 200 to permit packets from these VLANs to pass through.
3. Set the TPID values in the outer VLAN tag on interfaces connecting to the public network
on SwitchA and SwitchB to implement communication between the device with devices
from other vendors.
Procedure
# Create VLAN 100 and VLAN 200 on SwitchA.

# Create VLAN 100 and VLAN 200 on SwitchB.

[HUAWEI] sysname SwitchB
[SwitchB] vlan batch 100 200

Step 2 Set the link type of the interface to QinQ.

# Configure GE0/0/1 and GE0/0/2 of SwitchA as QinQ interfaces. Set the VLAN of GE0/0/1
to VLAN 100 and the VLAN of GE0/0/2 to VLAN 200.
[SwitchA-GigabitEthernet0/0/1] port link-type dot1q-tunnel
[SwitchA-GigabitEthernet0/0/2] port link-type dot1q-tunnel
# Configure GE0/0/1 and GE0/0/2 of SwitchB as QinQ interfaces. Set the VLAN of GE0/0/1 to
VLAN 100 and the VLAN of GE0/0/2 to VLAN 200. The configuration procedure of SwitchB
is the same as that of SwitchA.
Step 3 Configure the interface connecting to the public network on the switch.
# Add GE0/0/3 of SwitchA to VLAN 100 and VLAN 200.
# Add GE0/0/3 of SwitchB to VLAN 100 and VLAN 200. The configuration procedure of
SwitchB is the same as that of SwitchA.
Step 4 Configure the TPID value for an outer VLAN tag
# Set the TPID value of an outer VLAN tag to 0x9100 on SwitchA.
[SwitchA-GigabitEthernet0/0/3] qinq protocol 9100
# Set the TPID value of an outer VLAN tag to 0x9100 on SwitchB.

[SwitchB] interface gigabitethernet 0/0/3
[SwitchB-GigabitEthernet0/0/3] qinq protocol 9100

In Enterprise 1, ping a PC of a VLAN in a branch from a PC of the same VLAN in another
branch. If the two PCs can ping each other, internal users of Enterprise 1 can communicate.
In Enterprise 2, ping a PC of a VLAN in a branch from a PC of the same VLAN in another
branch. If the two PCs can ping each other, internal users of Enterprise 2 can communicate.
Ping a PC in a VLAN of Enterprise 2 in a branch from a PC in the same VLAN of Enterprise 1
in either branch. If the two PCs cannot ping each other, users in Enterprise 1 and Enterprise 2
are isolated.
----End
Configuration Files
#
sysname SwitchA

#
vlan batch 100 200
#
port link-type dot1q-tunnel
#
#
qinq protocol 9100
#
return
#
sysname SwitchB
#
vlan batch 100 200
#
#
#
qinq protocol 9100
#
return
3.5.2 Example for Configuring Selective QinQ
As shown in Figure 3-17, Internet access users (using PCs) and VoIP users (using VoIP
terminals) connect to the ISP network through SwitchA and SwitchB and communicate with
each other through the ISP network.
It is required that packets of PCs and VoIP terminals be tagged VLAN 2 and VLAN 3 when the
packets are transmitted through the ISP network.

Figure 3-17 Networking diagram for configuring selective QinQ
SwitchA SwitchB
GE0/0/2 GE0/0/2
Network
GE0/0/1 GE0/0/1
PC VoIP VoIP PC
1. Create VLANs on SwitchA and SwitchB.

2. Configure link types of interfaces on SwitchA and SwitchB and add interfaces to VLANs.
3. Configure selective QinQ on the interfaces of SwitchA and SwitchB.
Procedure
# On SwitchA, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to be
added.
# On SwitchB, create VLAN 2 and VLAN 3, that is, VLAN IDs of the outer VLAN tag to be
added.
Step 2 Configure selective QinQ on interfaces.
# Configure GE0/0/1 on SwitchA.

[SwitchA-GigabitEthernet0/0/1] port link-type hybrid
[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 2 3
[SwitchA-GigabitEthernet0/0/1] qinq vlan-translation enable
[SwitchA-GigabitEthernet0/0/1] port vlan-stacking vlan 100 stack-vlan 2

# Configure GE0/0/1 on SwitchB.

[SwitchB-GigabitEthernet0/0/1] port link-type hybrid
[SwitchB-GigabitEthernet0/0/1] port hybrid untagged vlan 2 3
[SwitchB-GigabitEthernet0/0/1] qinq vlan-translation enable
[SwitchB-GigabitEthernet0/0/1] port vlan-stacking vlan 100 stack-vlan 2
[SwitchB-GigabitEthernet0/0/1] port vlan-stacking vlan 300 stack-vlan 3
[SwitchB-GigabitEthernet0/0/1] quit
Step 3 Configure other interfaces.

# Add GE0/0/2 to VLAN 2 and VLAN 3 on SwitchA.
# Add GE0/0/2 to VLAN 2 and VLAN 3 on SwitchB.

[SwitchB-GigabitEthernet0/0/2] port link-type trunk
[SwitchB-GigabitEthernet0/0/2] port trunk allow-pass vlan 2 3

If the configurations on SwitchA and SwitchB are correct:
l PCs can communicate with each other through the ISP network.
l VoIP terminals can communicate with each other through the ISP network.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 3
#
port hybrid untagged vlan 2 to 3
#
#
return

#
sysname SwitchB
#
vlan batch 2 to 3
#


#
#
return
3.5.3 Example for Configuring Selective QinQ with VLAN

Mapping
As shown in Figure 3-18, the Internet access, IPTV, and VoIP services are provided for users
through home gateways.
The corridor switches allocate VLANs to the services as follows:
l VLANs for the Internet access service of different users: VLAN 1000 to VLAN 1100
l Shared VLAN for the IPTV service: VLAN 1101
l Shared VLAN for the VoIP service: VLAN 1102
l Shared VLAN for home gateways: VLAN 1103
Each community switch is connected to 50 downstream corridor switches, and maps the VLAN
IDs in the Internet access service packets from the corridor switches to VLAN 101 to VLAN
150.
The aggregate switch of the carrier is connected to 50 downstream community switches, and
adds outer VLAN IDs 21 to 70 to the packets sent from the community switches.
Figure 3-18 Networking diagram for configuring selective QinQ-VLAN mapping
ME60
Internet
Aggregate switch of carrier SwitchA

GE0/0/1
…… ……
GE0/0/2
Community SwitchB
switch GE0/0/1
…… …… …… ……
Corridor
switch
…… …… …… ……
Home
gateway

1. Create VLANs on SwitchA and SwitchB.

2. Configure VLAN mapping on SwitchB and add GE 0/0/1 and GE 0/0/2 to the VLANs.
3. Configure selective QinQ on SwitchA and add GE 0/0/1 to VLANs.
4. Add other downlink interfaces of SwitchA and SwitchB to the VLANs. The configurations
are similar to the configurations of their GE 0/0/1 interfaces
5. Configure other community switches. The configuration is similar to the configuration on
SwitchB.
Procedure
Step 1 Configure SwitchA.
# Create VLANs.
[SwitchA] vlan batch 21 to 70 1101 to 1103

[SwitchA-GigabitEthernet0/0/1] port hybrid untagged vlan 21
[SwitchA-GigabitEthernet0/0/1] port hybrid tagged vlan 1101 to 1103
# Configure selective QinQ on interfaces.

[SwitchA-GigabitEthernet0/0/1] port vlan-stacking vlan 101 to 150 stack-vlan 21
Step 2 Configure SwitchB.
# Create VLANs.
[SwitchB] vlan batch 101 to 150 1000 to 1103

[SwitchB-GigabitEthernet0/0/1] port hybrid tagged vlan 101 1000 to 1103
[SwitchB-GigabitEthernet0/0/2] port hybrid tagged vlan 101 to 150 1101 to 1103
# Configure VLAN mapping on interfaces.

[SwitchB-GigabitEthernet0/0/1] qinq vlan-translation enable
[SwitchB-GigabitEthernet0/0/1] port vlan-mapping vlan 1000 to 1100 map-vlan 101

The Internet access service, IPTV service, and VoIP service can be used.
----End
Configuration Files
Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 21 to 70 1101 to 1103
#
port hybrid tagged vlan 1101 to 1103
#
return
Configuration file of Switch B

#
sysname SwitchB
#
vlan batch 101 to 150 1000 to 1103
#
#
port hybrid tagged vlan 101 to 150 1101 to 1103
#
return
3.5.4 Example for Configuring VLL Access Through Dot1q Sub-

interfaces
As shown in Figure 3-19, CE1 and CE2 are connected to PE1 and PE2 respectively through
VLANs.
A Martini VLL is created between CE1 and CE2 so that user networks connected to CE1 and
CE2 can communicate.
NOTE
Only the S5310EI and S5300HI support this configuration.

Figure 3-19 Networking diagram for configuring a sub-interface for dot1q VLAN tag
termination to access a VLL network
Loopback1 Loopback1 Loopback1
1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE 0/0/2 GE 0/0/1
PE 1 PE 2
GE 0/0/2 GE0/0/1
GE0/0/1 GE 0/0/2
P
GE0/0/1 GE 0/0/1
Martini
CE 1 CE 2
Switch Interface VLANIF Interface IP Address
PE1 GigabitEthernet0/0/1 GigabitEthernet0/0/1.1 -
- GigabitEthernet0/0/2 VLANIF 20 10.1.1.1/24
- Loopback1 - 1.1.1.9/32
PE2 GigabitEthernet0/0/1 VLANIF 30 10.2.2.1/24
- GigabitEthernet0/0/2 GigabitEthernet0/0/2.1 -
- Loopback1 - 3.3.3.9/32
P GigabitEthernet0/0/1 VLANIF 30 10.2.2.2/24
- Loopback1 - 2.2.2.9/32
CE1 GigabitEthernet0/0/1 VLANIF 10 100.1.1.1/24
1. Configure the routing protocol on devices (PE and P) of the backbone network to implement
interworking, and enable MPLS.
2. Use the default tunnel policy to create an LSP and configure the LSP as the tunnel for data
transmission.
3. Enable MPLS L2VPN and create VC connections on the PEs.
4. Configure the dot1q sub-interfaces on the PE interfaces connecting to CEs to implement
VLL access.

Procedure
Step 1 Configure the VLANs to which interfaces of CEs, PEs and P belong according to Figure
3-19, and assign IP addresses to VLANIF interfaces.
Packets sent from CEs to PEs carry a VLAN tag.
The configuration details are not mentioned here.
Step 2 Configure an IGP protocol on the MPLS backbone network. In this example, OSPF is used.
When configuring OSPF, advertise the 32-bit addresses of loopback interfaces on PE1, P, and
PE2. The loopback interface addresses are the LSR IDs.
After the configuration is complete, OSPF neighbor relationships can be set up among PE1, P,
and PE2. Run the display ospf peer command. You can see that the neighbor status is Full. Run
the display ip routing-table command. You can see that the PEs learn the route to each other's
Loopback1 interface.
Step 3 Configure basic MPLS functions and LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls lsr-id 1.1.1.9
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1] interface vlanif 20
[PE1-Vlanif20] mpls
[PE1-Vlanif20] mpls ldp
[PE1-Vlanif20] quit
# Configure P.
[P] mpls lsr-id 2.2.2.9
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P] interface vlanif 20
[P-Vlanif20] mpls
[P-Vlanif20] mpls ldp
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit
Step 4 Create remote LDP sessions between PEs.

# Configure PE1.
[PE1] mpls ldp remote-peer 3.3.3.9
[PE1-mpls-ldp-remote-3.3.3.9] remote-ip 3.3.3.9
[PE1-mpls-ldp-remote-3.3.3.9] quit
# Configure PE2.
After the configuration is complete, run the display mpls ldp session command on PE1 to view
the setup of the LDP session. You can see that an LDP session is set up between PE1 and PE2.
The display on PE1 is used as an example.
<PE1> display mpls ldp session
LDP Session(s) in Public Network

Codes: LAM(Label Advertisement Mode), SsnAge Unit(DDDD:HH:MM)
A '*' before a session means the session is being deleted.
------------------------------------------------------------------------------
PeerID Status LAM SsnRole SsnAge KASent/Rcv
------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Passive 000:15:29 3717/3717
------------------------------------------------------------------------------
TOTAL: 2 session(s) Found.
Step 5 Enable MPLS L2VPN on the PEs and establish VC connections.

# Configure PE1: Create a VC connection on GigabitEthernet0/0/1.1 that is connected to CE1.
[PE1] mpls l2vpn
[PE1-l2vpn] mpls l2vpn default martini
[PE1-l2vpn] quit
[PE1] interface gigabitethernet0/0/1.1
[PE1-GigabitEthernet0/0/1.1] dot1q termination vid 10
[PE1-GigabitEthernet0/0/1.1] mpls l2vc 3.3.3.9 101
[PE1-GigabitEthernet0/0/1.1] quit

[PE2] mpls l2vpn
[PE2-l2vpn] quit

Check the L2VPN connections on PEs. You can see that an L2VC connection is set up and is
in the Up state.
<PE1> display mpls l2vc interface gigabitethernet0/0/1.1
*client interface : gigabitethernet0/0/1.1 is up
Administrator PW : no
session state : up
AC status : up
VC state : up
Label state : 0

Token state : 0
VC ID : 101
VC type : VLAN
destination : 3.3.3.9
local group ID : 0 remote group ID : 0
local VC label : 23552 remote VC label : 23552
local AC OAM State : up
local PSN OAM State : up
local forwarding state : forwarding
local status code : 0x0
remote AC OAM state : up
remote PSN OAM state : up
remote forwarding state: forwarding
remote status code : 0x0
ignore standby state : no
BFD for PW : unavailable
VCCV State : up
manual fault : not set
active state : active
forwarding entry : exist
OAM Protocol : --
OAM Status : --
OAM Fault Type : --
PW APS ID : 0
PW APS Status : --
TTL Value : 1
link state : up
local VC MTU : 1500 remote VC MTU : 1500
local VCCV : alert ttl lsp-ping bfd
remote VCCV : alert ttl lsp-ping bfd
local control word : disable remote control word : disable
tunnel policy name : --
PW template name : --
primary or secondary : primary
load balance type : flow
Access-port : false
Switchover Flag : false
VC tunnel/token info : 1 tunnels/tokens
NO.0 TNL type : lsp , TNL ID : 0x10031
Backup TNL type : lsp , TNL ID : 0x0
create time : 1 days, 22 hours, 15 minutes, 9 seconds
up time : 0 days, 22 hours, 54 minutes, 57 seconds
last change time : 0 days, 22 hours, 54 minutes, 57 seconds
VC last up time : 2010/10/09 19:26:37
VC total up time : 1 days, 20 hours, 42 minutes, 30 seconds
CKey : 8
NKey : 3
PW redundancy mode : --
AdminPw interface : --
AdminPw link state : --
Diffserv Mode : uniform
Service Class : --
Color : --
DomainId : --
Domain Name : --
CE1 and CE2 can ping each other.

The display on CE1 is used as an example.
<CE1> ping 100.1.1.2
PING 100.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 100.1.1.2: bytes=56 Sequence=1 ttl=255 time=31 ms

--- 100.1.1.2 ping statistics ---

5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 2/15/31 ms
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
#
#
return

#
sysname PE1
#
vlan batch 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
mpls l2vpn default martini
#
mpls ldp
#
mpls ldp remote-peer 3.3.3.9
remote-ip 3.3.3.9
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
interface GigabitEthernet0/0/1.1
dot1q termination vid 10
mpls l2vc 3.3.3.9 101
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

l Configuration file of P
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif 20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return

#
sysname PE2
#
vlan batch 30
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 1.1.1.9
#
interface Vlanif 30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
#

#
mpls l2vc 1.1.1.9 101
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return

#
sysname CE2
#
vlan batch 10
#
interface Vlanif 10
ip address 100.1.1.2 255.255.255.0
#
#
return
3.5.5 Example for Configuring a QinQ Sub-interface to Access a

VLL Network
VLANs.
A Martini VLL is set up between CE1 and CE2.
Switch1 is connected to CE1 and PE1.
You are required to configure selective QinQ on the interfaces connected to CEs so that
Switch adds the VLAN tags specified by the carrier to the packets sent from CEs.
When Switch is connected to multiple CEs, Switch can add the same VLAN tags to the packets
from different CEs, which saves VLAN IDs on the public network.
NOTE

Figure 3-20 Networking diagram for configuring a QinQ sub-interface to access a VLL network

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE0/0/2 GE0/0/1
PE1 PE2
GE0/0/2 GE0/0/1
GE0/0/1 P GE0/0/2
GE0/0/2 GE0/0/2
Switch1 Switch2
GE0/0/1 GE0/0/1
GE0/0/1 GE0/0/1
CE1 CE2
- Loopback1 - 1.1.1.9/32
- Loopback1 - 3.3.3.9/32
- Loopback1 - 2.2.2.9/32
1. Configure the routing protocol on devices on the backbone network (PE and P) to
implement interworking, and enable MPLS.
transmission.

4. Configure QinQ sub-interfaces on the PE interfaces connected to the switches to implement

VLL access.
5. Configure selective QinQ on the switch interfaces connected to CEs.
Procedure
Step 1 Specify the VLANs that the interfaces of CEs, PEs, and P belong to and set the IP addresses of
the corresponding VLANIF interfaces according to Figure 3-20.
After the configuration is complete, the packets sent from a CE to Switch must contain a VLAN
tag.
Step 2 Configure selective QinQ on the interfaces of Switch and specify the VLANs allowed by the
interfaces.
# Configure Switch1.
[Switch1] vlan 100
[Switch1] interface gigabitethernet0/0/2
[Switch1-GigabitEthernet0/0/2] port hybrid tagged vlan 100
[Switch1-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Switch1-GigabitEthernet0/0/1] port vlan-stacking vlan 10 stack-vlan 100
[Switch2] vlan 100
Step 3 Configure an IGP protocol on the MPLS backbone network. OSPF is used as an example.
When configuring OSPF, advertise 32-bit addresses of loopback interfaces on PE1, P, and PE2,
which are used as the LSR IDs.
Step 4 Enable basic MPLS functions and MPLS LDP on the MPLS backbone network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit


[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit
Step 5 Set up a remote LDP session between PEs.
# Configure PE1.
# Configure PE2.


------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 6 Enable MPLS L2VPN on PEs and set up VC connections.

# Configure PE1. Create a VC connection on GigabitEthernet0/0/1.1 that is connected to

Switch1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1-GigabitEthernet0/0/1.1] qinq termination pe-vid 100 ce-vid 10

Switch2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
in the Up state.

session state : up
AC status : up
VC state : up
Label state : 0
Token state : 0
VC ID : 101
VC type : VLAN
VCCV State : up
OAM Protocol : --
OAM Status : --
OAM Fault Type : --
PW APS ID : 0
PW APS Status : --
TTL Value : 1
link state : up


Access-port : false
VC last up time : 2010/10/09 19:26:37
CKey : 8
NKey : 3
Service Class : --
Color : --
DomainId : --
Domain Name : --

<CE1> ping 100.1.1.2

0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
#
#
return
l Configuration file of Switch1

#
sysname Switch1

#
vlan batch 100
#
#
#
return

#
sysname PE1
#
vlan batch 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
qinq termination pe-vid 100 ce-vid 10
mpls l2vc 3.3.3.9 101
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif 20
ip address 10.1.1.2 255.255.255.0

mpls
mpls ldp
#
interface Vlanif 30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return

#
sysname PE2
#
vlan batch 30
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 1.1.1.9
#
interface Vlanif 30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
#
#
mpls l2vc 1.1.1.9 101
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.2.0 0.0.0.255

#
return

#
sysname Switch2
#
vlan batch 100
#
#
#
return

#
sysname CE2
#
vlan batch 10
#
interface Vlanif 10
ip address 100.1.1.2 255.255.255.0
#
#
return
3.5.6 Example for Configuring a Single-tagged VLAN Mapping

Sub-interface to Access a VLL network
As shown in Figure 3-21, CE1 and CE2 are respectively connected to PE1 and PE2 through
VLANs.
A Martini VLL is set up between PE1 and PE2.
NOTE

Figure 3-21 Networking diagram for configuring a single-tagged VLAN Mapping sub-interface
to access a VLL network

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE 0/0/2 GE 0/0/1
PE 1 PE 2
GE 0/0/2 GE0/0/1
GE0/0/1 P GE 0/0/2
GE0/0/1 GE 0/0/1
Martini
CE 1 CE 2
- Loopback1 - 1.1.1.9/32
- Loopback1 - 3.3.3.9/32
- Loopback1 - 2.2.2.9/32
transmission.
4. Create a sub-interface on the PE1 interface connected to CE1, configure VLAN mapping
of a single tag on sub-interface, and connect the sub-interface to the VLL network.
5. Configure dot1q sub-interfaces on the PE2 interface connected to CE2 to connect the dot1q
sub-interfaces to the VLL network.

Procedure
Step 1 Add interfaces of CEs, PEs, and P to VLANs and set the IP addresses of the corresponding
VLANIF interfaces according to Figure 3-21.
After the configuration, the packets sent from a CE to a switch should contain a VLAN tag.
When configuring OSPF, advertise 32-bit addresses of loopback interfaces on PEs and P, which
are used as the LSR IDs.
For the configuration procedure, see the S2350&S5300&S6300 Series Ethernet Switches
Configuration Guide - IP Routing.
After the configuration is complete, OSPF neighbor relationships are established between PE1,
P, and PE2. Run the display ospf peer command to verify that the status of the OSPF neighbor
relationships is Full. Run the display ip routing-table command to verify that the PEs can learn
the routes of each other's Loopback1 interface.
Step 3 Enable the basic MPLS functions and MPLS LDP on the MPLS network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit

# Configure PE1.


# Configure PE2.
the LDP session status. You can see that an LDP session has been set up between PE1 and PE2.
The output on PE1 is used as an example:

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 5 Enable MPLS L2VPN on the PEs and create VC connections.

[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1-GigabitEthernet0/0/1.1] qinq mapping vid 10 map-vlan vid 20

[PE2] mpls l2vpn
[PE2-l2vpn] quit

On PEs, check the L2VPN connections. You can see that an L2VC connection has been set up
and is in Up state.
session state : up
AC state : up
VC state : up
VC ID : 101
VC type : VLAN


local PSN State : up
forwarding entry : not exist
link state : up
local VCCV : Disable
remote VCCV : none
local control word : disable remote control word : none
traffic behavior name : --
The output on CE1 is used as an example:

<CE1> ping 100.1.1.2
0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
#
#
return

#
sysname PE1
#
vlan batch 20
#
mpls lsr-id 1.1.1.9
mpls

#
mpls l2vpn
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
qinq mapping vid 10 map-vlan vid 20
mpls l2vc 3.3.3.9 101
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif 20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#

#

#
interface LoopBack1

ip address 2.2.2.9 255.255.255.255

#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return

#
sysname PE2
#
vlan batch 30
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 1.1.1.9
#
interface Vlanif 30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#

#
#
mpls l2vc 1.1.1.9 101
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return

#
sysname CE2
#
vlan batch 20
#
interface Vlanif 20
ip address 100.1.1.2 255.255.255.0
#

#
return
3.5.7 Example for Configuring a Double-tagged VLAN Mapping

Sub-interface to Access a VLL Network
VLANs.
A Martini VLL is set up between PE1 and PE2.
Selective QinQ is configured on the switch interfaces connected to CEs so that the switches add
the VLAN tags specified by the carrier to the packets sent from CEs.
When Switch1 and Switch2 add different VLAN tags to packets, you must configure VLAN
Mapping of double tags on PE sub-interfaces, and connect the sub-interfaces to the VLL network.
Then CE1 and CE2 can communicate with each other.
When a switch is connected to multiple CEs, it can add the same VLAN tag to the packets from
different CEs. This saves VLAN IDs on the public network.
NOTE
Figure 3-22 Networking diagram for configuring a double-tagged VLAN Mapping sub-
interface to access a VLL network
1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE0/0/2 GE0/0/1
PE1 PE2
GE0/0/2 GE0/0/1
GE0/0/1 P GE0/0/2
GE0/0/2 GE0/0/2
Switch1 Switch2
GE0/0/1 GE0/0/1
GE0/0/1 GE0/0/1
CE1 CE2
Switch Interface VLANIF Interface IP address

- Loopback1 - 1.1.1.9/32
- Loopback1 - 3.3.3.9/32
- Loopback1 - 2.2.2.9/32
transmission.
4. Create a sub-interface on the PE1 interface connected to Switch1, configure VLAN
Mapping of double tags, and connect the QinQ sub-interface to a VLL network.
5. Create a sub-interface on the PE2 interface connected to Switch2, and connect the QinQ
sub-interface to a VLL network.
6. Configure selective QinQ on the switch interfaces connected to CEs.
Procedure
After the configuration is complete, the packets sent from a CE to a switch should contain a
VLAN tag.
Step 2 Configure selective QinQ on the switch interfaces and specify the VLANs allowed by the
interfaces.
[Switch1] vlan 100


[Switch2] vlan 200
When configuring OSPF, advertise 32-bit addresses of loopback interfaces on PEs and P, which
are used as the LSR IDs.
After the configuration, OSPF neighbor relationships can be set up among PE1, P, and PE2. Run
the display ospf peer command, and you can view that the neighbor status is Full. Run the
display ip routing-table command, and you can view that the PEs learn the route to each other's
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit

[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit
# Configure PE1.
# Configure PE2.
the LDP session status. You can see that an LDP session has been set up between PE1 and PE2.


------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 6 Enable MPLS L2VPN on the PEs and create VC connections.

[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1-GigabitEthernet0/0/1.1] qinq mapping pe-vid 100 ce-vid 10 map-vlan vid 200
# Configure PE2: Create a VC connection on GigabitEthernet0/0/2.1 that is connected to

Switch2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
Check the L2VPN connections on the PEs. You can see that an L2VC connection has been set
up and is in Up state.


session state : up
AC state : up
VC state : up
VC ID : 101
VC type : VLAN
local PSN State : up
forwarding entry : not exist
link state : up
local VCCV : Disable
remote VCCV : none
local control word : disable remote control word : none
traffic behavior name : --
The output on CE1 is used as an example:

<CE1> ping 100.1.1.2
0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
#

#
return

#
sysname Switch1
#
vlan batch 100
#
#
#
return

#
sysname PE1
#
vlan batch 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
qinq mapping pe-vid 100 ce-vid 10 map-vlan vid 200
mpls l2vc 3.3.3.9 101
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9

mpls
#
mpls ldp
#
interface Vlanif 20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return

#
sysname PE2
#
vlan batch 30
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 1.1.1.9
#
interface Vlanif 30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
#
#
mpls l2vc 1.1.1.9 101
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255

#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return

#
sysname Switch2
#
vlan batch 200
#
#
#
return

#
sysname CE2
#
vlan batch 10
#
interface Vlanif 10
ip address 100.1.1.2 255.255.255.0
#
#
return
3.5.8 Example for Configuring a VLAN Stacking Sub-interface to

Access a VLL Network
As shown in Figure 3-23, CE1 and CE2 are respectively connected to PE1 and PE2 through
VLANs.
A Martini VLL is set up between CE1 and CE2.
Switch1 forwards the packets sent from CE1 without changing the VLAN tags.
Selective QinQ is configured on the interface connected to CE2 so that Switch2 adds the VLAN
tag specified by the carrier to the packets sent from CE2.
The packets sent from Switch1 to PE1 contain only one VLAN tag, and the packets sent from
Switch2 to PE2 contain two VLAN tags. To enable CE1 and CE2 can communicate to each
other, configure VLAN stacking on the sub-interface of PE1 connected to Switch1, and connect
the sub-interface to a VLL network.

When a switch is connected to multiple CEs, it can add the same VLAN tag to the packets from
different CEs. This saves VLAN IDs on the public network.
NOTE
Figure 3-23 Networking diagram for a VLAN stacking sub-interface to access a VLL network

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE0/0/2 GE0/0/1
PE1 PE2
GE0/0/2 GE0/0/1
GE0/0/1 P GE0/0/2
GE0/0/2 GE0/0/2
Switch1 Switch2
GE0/0/1 GE0/0/1
GE0/0/1 GE0/0/1
CE1 CE2
- Loopback1 - 1.1.1.9/32
- Loopback1 - 3.3.3.9/32
- Loopback1 - 2.2.2.9/32

transmission.
4. On PE1, configure VLAN stacking on the sub-interface connected to Switch1, and connect
the sub-interface to a VLL network.
5. On PE2, configure a QinQ sub-interface on the interface connected to Switch2, and connect
the QinQ sub-interface to a VLL network.
6. On Switch1, add the interface connected to CE1 to a specified VLAN.
7. On Switch2, configure selective QinQ on the interface connected to CE2.
Procedure
After the configuration is complete, the packets sent from a CE to a switch should contain a
VLAN tag.
Step 2 Configure selective QinQ on the interfaces of the switches and specify the VLANs allowed by
the interfaces.
[Switch1] vlan 10
[Switch2] vlan 100
When configuring OSPF, advertise 32-bit addresses of loopback interfaces on PE1, P, and PE2,
which are used as the LSR IDs.

# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif30] mpls
[PE2-Vlanif30] quit
# Configure PE1.
# Configure PE2.
The output on PE1 is used as an example.


------------------------------------------------------------------------------


------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 6 Enable MPLS L2VPN on PEs and set up VC connections.

Switch1.
[PE1] mpls l2vpn
[PE1-l2vpn] quit
[PE1-GigabitEthernet0/0/1.1] qinq stacking vid 10 pe-vid 100

Switch2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit

in the Up state.
session state : up
AC status : up
VC state : up
Label state : 0
Token state : 0
VC ID : 101
VC type : VLAN
VCCV State : up
OAM Protocol : --
OAM Status : --

OAM Fault Type : --

PW APS ID : 0
PW APS Status : --
TTL Value : 1
link state : up
Access-port : false
VC last up time : 2010/10/09 19:26:37
CKey : 8
NKey : 3
Service Class : --
Color : --
DomainId : --
Domain Name : --

<CE1> ping 100.1.1.2

0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
#


#
return

#
sysname Switch1
#
vlan batch 10
#
#
#
return

#
sysname PE1
#
vlan batch 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
qinq stacking vid 10 pe-vid 100
mpls l2vc 3.3.3.9 101
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
sysname P
#
vlan batch 20 30
#

mpls lsr-id 2.2.2.9

mpls
#
mpls ldp
#
interface Vlanif 20
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 30
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return

#
sysname PE2
#
vlan batch 30
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 1.1.1.9
#
interface Vlanif 30
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
#
#
mpls l2vc 1.1.1.9 101
#
interface LoopBack1

ip address 3.3.3.9 255.255.255.255

#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return

#
sysname Switch2
#
vlan batch 100
#
#
#
return

#
sysname CE2
#
vlan batch 10
#
interface Vlanif 10
ip address 100.1.1.2 255.255.255.0
#
#
return
3.5.9 Example for Configuring a Sub-interface for Dot1q VLAN Tag

Termination to Access a VPLS Network
As shown in Figure 3-24, VPLS is enabled on PE1 and PE2. CE1 is connected to PE1 and CE2
is connected to PE2. CE1 and CE2 are on the same VPLS network. PWs are established by using
LDP as the VPLS signaling protocol, and VPLS is configured to connect CE1 and CE2.
NOTE

Figure 3-24 Networking diagram for configuring a sub-interface for dot1q VLAN tag
termination to access a VPLS network

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE 0/0/1 GE 0/0/2
PE 1 PE 2
GE 0/0/2 GE0/0/1
GE0/0/1 P GE 0/0/2
GE0/0/1 GE 0/0/1
Martini
CE 1 CE 2
- Loopback1 - 1.1.1.9/32
- Loopback1 - 3.3.3.9/32
- Loopback1 - 2.2.2.9/32
1. Configure a routing protocol on the backbone network to implement the interworking

between devices.
2. Configure dot1q sub-interfaces on the PE interfaces connected to CEs to connect the dot1q
sub-interfaces to the VPLS network.
3. Set up a remote LDP session between PEs.
4. Establish tunnels between PEs for transmitting service data.
5. Enable MPLS L2VPN on PEs.
6. Create VSIs on PEs, specify the signaling protocol as LDP.

Procedure
Step 1 Configure the VLAN to which each interface belongs according to Figure 3-24.
NOTE
l The AC-side physical interface and PW-side physical interface of a PE cannot be added to the same
VLAN; otherwise, a loop occurs.
l After the configuration is complete, the packets sent from a CE to a PE must contain a VLAN tag.
Step 2 Configure IGP. OSPF is used as an example.
When configuring OSPF, advertise 32-bit loopback interface addresses of PE1, P, and PE2,
which are used as LSR IDs.
After the configuration is complete, run the display ip routing-table command on PE1, P, and
PE2. You can view the routes learned by PE1, P, and PE2 from each other.
Step 3 Configure the basic MPLS functions and MPLS LDP.
After the configuration is complete, run the display mpls ldp session command on PE1, P and
PE2. You can see that the peer relationship is set up between PE1 and P, and between P and
PE2. The status of the peer relationship is Operational. Run the display mpls lsp command to
view the configuration results.
# Configure PE1.
# Configure PE2.
After the configuration is complete, run the display mpls ldp session command on PE1 or PE2.
You can see that the status of the peer relationship between PE1 and PE2 is Operational. That
is, the peer relationship is set up.
Step 5 Enable MPLS L2VPN on PEs.
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn]quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn]quit
Step 6 Configure a VSI on PEs.

# Configure PE1.
[PE1] vsi a2 static
[PE1-vsi-a2] pwsignal ldp
[PE1-vsi-a2-ldp] vsi-id 2
[PE1-vsi-a2-ldp] peer 3.3.3.9
# Configure PE2.
[PE2] vsi a2 static
Step 7 Bind the interface to the VSI on the PE.
# Configure PE1.
[PE1-GigabitEthernet0/0/1.1] l2 binding vsi a2
# Configure PE2.
Step 8 Specify an IP address for each VLANIF interface on CEs.
# Configure CE1.
<HUAWEI> sysname CE1
[CE1] interface vlanif 10
[CE1-Vlanif10] ip address 10.1.1.1 255.255.255.0
[CE1-Vlanif10] quit
# Configure CE2.
[CE2-Vlanif10] quit
After the configuration is complete, run the display vsi name a2 verbose command on PE1.
You can see that VSI a2 sets up a PW to PE2, and the status of the VSI is Up.
<PE1> display vsi name a2 verbose
***VSI Name : a2
Administrator VSI : no
Isolate Spoken : disable
VSI Index : 0
PW Signaling : ldp
Member Discovery Style : static
PW MAC Learn Style : unqualify
Encapsulation Type : vlan
MTU : 1500
Mpls Exp : --
DomainId : 0
Domain Name :
Ignore AcState : disable

P2P VSI : disable

Create Time : 0 days, 0 hours, 5 minutes, 1 seconds
VSI State : up
VSI ID : 2
*Peer Router ID : 3.3.3.9
ignore-standby-state : no
VC Label : 23552
Peer Type : dynamic
Session : up
Tunnel ID : 0x20021
Broadcast Tunnel ID : 0x20021
Broad BackupTunnel ID : 0x0
CKey : 2
NKey : 1
StpEnable : 0
PwIndex : 0
Interface Name : gigabitethernet0/0/1.1

State : up
Access port : false
Last Up Time : 2010/12/30 11:31:18
Total Up Time : 0 days, 0 hours, 1 minutes, 35 seconds
**PW Information:
*Peer Ip Address : 3.3.3.9

PW State : up
Local VC Label : 23552
Remote VC Label : 23552
PW Type : label
Tunnel ID : 0x20021
Ckey : 0x2
Nkey : 0x1
Main PW Token : 0x20021
Slave PW Token : 0x0
Tnl Type : LSP
OutInterface : Vlanif20
Backup OutInterface :
Stp Enable : 0
PW Last Up Time : 2010/12/30 11:32:03
PW Total Up Time : 0 days, 0 hours, 0 minutes, 50 seconds
CE1 (10.1.1.1) can ping CE2 (10.1.1.2) successfully.

<CE1> ping 10.1.1.2
0.00% packet loss
----End
Configuration Files

#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
return

#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
#
return

#
sysname PE1
#
vlan batch 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif20
ip address 168.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
l2 binding vsi a2
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255

#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 168.1.1.0 0.0.0.255
#
return
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 168.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 169.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 168.1.1.0 0.0.0.255
network 169.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return

#
sysname PE2
#
vlan batch 30
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
#
mpls ldp
#

remote-ip 1.1.1.9
#
interface Vlanif30
ip address 169.1.1.2 255.255.255.0
mpls
mpls ldp
#
#
#
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 169.1.1.0 0.0.0.255
#
return
3.5.10 Example for Configuring a Sub-interface for QinQ VLAN

Tag Termination to Access a VPLS Network
As shown in Figure 3-25, VPLS is enabled on PE1 and PE2. CE1 connects to PE1 through
Switch1 and CE2 connects to PE2 through Switch2. CE1 and CE2 are on the same VPLS
network. PWs are established by using LDP as the VPLS signaling protocol, and VPLS is
configured to connect CE1 and CE2.
NOTE

Figure 3-25 Networking diagram for configuring a sub-interface for QinQ VLAN tag
termination to access a VPLS network
1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE0/0/2 GE0/0/2
PE1 PE2
GE0/0/1 GE0/0/1
GE0/0/1 P GE0/0/2
GE0/0/2 GE0/0/2
Switch1 Switch2
GE0/0/1 GE0/0/1
GE0/0/1 GE0/0/1
CE1 CE2
- Loopback1 - 1.1.1.9/32
- Loopback1 - 3.3.3.9/32
- Loopback1 - 2.2.2.9/32

between devices.
2. Configure selective QinQ on Switch interfaces connected to CEs.


7. Configure QinQ sub-interfaces on the PE interfaces connected to Switch to connect the
QinQ interfaces to the VPLS network.
Procedure
NOTE
l After the configuration is complete, the packets sent from a CE to Switch must contain a VLAN tag.
interfaces.
[Switch1] vlan 100
[Switch2] vlan 100

# Configure PE1.
# Configure PE2.
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn]quit
# Configure PE2.
[PE2] mpls l2vpn
[PE12-l2vpn]quit
# Configure PE1.
[PE1] vsi a2 static
# Configure PE2.
[PE2] vsi a2 static
# Configure PE1.
# Configure PE2.

# Configure CE1.
[CE1-Vlanif10] quit
# Configure CE2.
[CE2-Vlanif10] quit
***VSI Name : a2
VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 0
Domain Name :
P2P VSI : disable
VSI State : up
VSI ID : 2
VC Label : 23552
Peer Type : dynamic
Session : up
Tunnel ID : 0x20021,
CKey : 2
NKey : 1
StpEnable : 0
PwIndex : 0

State : up
Access port : false
Last Up Time : 2010/12/30 11:31:18
**PW Information:

PW State : up
PW Type : label

Ckey : 0x2
Nkey : 0x1
Tnl Type : LSP
Stp Enable : 0
PW Last Up Time : 2010/12/30 11:32:03

<CE1> ping 10.1.1.2
0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
return

#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
#
return

#
sysname CE2

#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
#
return

#
sysname Switch1
#
vlan batch 100
#
#
#
return

#
sysname Switch2
#
vlan batch 100
#
#
#
return

#
sysname PE1
#
vlan batch 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif20
ip address 168.1.1.1 255.255.255.0
mpls
mpls ldp

#
#
l2 binding vsi a2
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 168.1.1.0 0.0.0.255
#
return
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 168.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 169.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 168.1.1.0 0.0.0.255
network 169.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return

#
sysname PE2
#
vlan batch 30
#

mpls lsr-id 3.3.3.9

mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
#
mpls ldp
#
remote-ip 1.1.1.9
#
interface Vlanif30
ip address 169.1.1.2 255.255.255.0
mpls
mpls ldp
#
#
#
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 169.1.1.0 0.0.0.255
#
return
3.5.11 Example for Configuring a Single-tagged VLAN Mapping

Sub-interface to Access a VPLS Network
As shown in Figure 3-26, VPLS is enabled on PE1 and PE2. CE1 is connected to PE1 and CE2
is connected to PE2. CE1 and CE2 are on the same VPLS network. PWs are established by using
LDP as the VPLS signaling protocol, and VPLS is configured to connect CE1 and CE2.
NOTE

Figure 3-26 Networking diagram for configuring a single-tagged VLAN mapping sub-interface
to access a VPLS network

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE 0/0/1 GE 0/0/2
PE 1 PE 2
GE 0/0/2 GE0/0/1
GE0/0/1 GE 0/0/2
P
GE0/0/1 GE 0/0/1
Martini
CE 1 CE 2
- Loopback1 - 1.1.1.9/32
- Loopback1 - 3.3.3.9/32
- Loopback1 - 2.2.2.9/32

between devices.
6. Configure single-tagged VLAN mapping on the sub-interface connected to CE1 on PE1
and connect the sub-interface to the VPLS network.

7. Configure dot1q sub-interfaces on the PE2 interface connected to CE2 to connect the dot1q
sub-interfaces to the VPLS network.
Procedure
NOTE
l After the configuration is complete, the packets sent from a CE to a PE must contain a VLAN tag.
# Configure PE1.
# Configure PE2.
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn]quit
# Configure PE2.

[PE2] mpls l2vpn

[PE2-l2vpn]quit
# Configure PE1.
[PE1] vsi a2 static
# Configure PE2.
[PE2] vsi a2 static
# Configure PE1.

[PE1-GigabitEthernet0/0/1.1] qinq mapping vid 10 map-vlan vid 20
# Configure PE2.
# Configure CE1.
[CE1-Vlanif10] quit
# Configure CE2.
[CE2-Vlanif20] quit
***VSI Name : a2
VSI Index : 0
PW Signaling : ldp

MTU : 1500
Mpls Exp : --
DomainId : 0
Domain Name :
P2P VSI : disable
VSI State : up
VSI ID : 2
VC Label : 23552
Peer Type : dynamic
Session : up
CKey : 2
NKey : 1
StpEnable : 0
PwIndex : 0

State : up
Access port : false
Last Up Time : 2010/12/30 11:31:18
**PW Information:

PW State : up
PW Type : label
Ckey : 0x2
Nkey : 0x1
Tnl Type : LSP
Stp Enable : 0
PW Last Up Time : 2010/12/30 11:32:03

<CE1> ping 10.1.1.2
0.00% packet loss
----End

Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
return

#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
#
#
return

#
sysname PE1
#
vlan batch 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif20
ip address 168.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
qinq mapping vid 10 map-vlan vid 20
l2 binding vsi a2
#

#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 168.1.1.0 0.0.0.255
#
return
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 168.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 169.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 168.1.1.0 0.0.0.255
network 169.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return

#
sysname PE2
#
vlan batch 30
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
#

mpls ldp
#
remote-ip 1.1.1.9
#
interface Vlanif30
ip address 169.1.1.2 255.255.255.0
mpls
mpls ldp
#
#
#
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 169.1.1.0 0.0.0.255
#
return
3.5.12 Example for Configuring a Double-tagged VLAN Mapping

Sub-interface to Access a VPLS Network
When Switch1 and Switch2 add different VLAN tags to packets, you need to configure double-
tagged VLAN mapping on a sub-interface and connect the sub-interface to the VPLS. Then CE1
and CE2 can communicate with each other.
NOTE

Figure 3-27 Networking diagram for configuring a double-tagged VLAN mapping sub-interface
to access a VPLS network

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE0/0/2 GE0/0/2
PE1 PE2
GE0/0/1 GE0/0/1
GE0/0/1 P GE0/0/2
GE0/0/2 GE0/0/2
Switch1 Switch2
GE0/0/1 GE0/0/1
GE0/0/1 GE0/0/1
CE1 CE2
- Loopback1 - 1.1.1.9/32
- Loopback1 - 3.3.3.9/32
- Loopback1 - 2.2.2.9/32

between devices.
2. Configure selective QinQ on Switch interfaces connected to CEs.


7. Configure double-tagged VLAN mapping on the sub-interface connected to Switch1 on
PE1 and connect the sub-interface to the VPLS network.
8. Configure a QinQ sub-interface on the interface connected to Switch2 on PE2 and connect
the sub-interface to the VPLS network.
Procedure
NOTE
l After the configuration is complete, the packets sent from a CE to Switch must contain a VLAN tag.
interfaces.
[Switch1] vlan 100
[Switch2] vlan 200


# Configure PE1.
# Configure PE2.
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn]quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn]quit
# Configure PE1.
[PE1] vsi a2 static
# Configure PE2.
[PE2] vsi a2 static
# Configure PE1.
[PE1-GigabitEthernet0/0/1.1] qinq mapping pe-vid 100 ce-vid 10 map-vlan vid 200
# Configure PE2.

# Configure CE1.
[CE1-Vlanif10] quit
# Configure CE2.
[CE2-Vlanif10] quit
***VSI Name : a2
VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 0
Domain Name :
P2P VSI : disable
VSI State : up
VSI ID : 2
VC Label : 23552
Peer Type : dynamic
Session : up
CKey : 2
NKey : 1
StpEnable : 0
PwIndex : 0

State : up
Access port : false
Last Up Time : 2010/12/30 11:31:18
**PW Information:

PW State : up
PW Type : label

Ckey : 0x2
Nkey : 0x1
Tnl Type : LSP
Stp Enable : 0
PW Last Up Time : 2010/12/30 11:32:03

<CE1> ping 10.1.1.2

0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
return

#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
#
return

#
sysname Switch1

#
vlan batch 100
#
#
#
return

#
sysname Switch2
#
vlan batch 200
#
#
#
return

#
sysname PE1
#
vlan batch 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif20
ip address 168.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
qinq mapping pe-vid 100 ce-vid 10 map-vlan vid 200
l2 binding vsi a2
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1

area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 168.1.1.0 0.0.0.255
#
return
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 168.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 169.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 168.1.1.0 0.0.0.255
network 169.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return

#
sysname PE2
#
vlan batch 30
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
#
mpls ldp
#
remote-ip 1.1.1.9
#

interface Vlanif30
ip address 169.1.1.2 255.255.255.0
mpls
mpls ldp
#
#
#
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 169.1.1.0 0.0.0.255
#
return
3.5.13 Example for Configuring a VLAN Stacking Sub-interface to

Access a VPLS Network
Switch1 forwards the packets sent from CE1 without changing the VLAN tags of the packets.
You are required to configure selective QinQ on the interfaces connected to CE2 so that
Switch2 adds the VLAN tag specified by the carrier to the packets sent from CE.
The packets sent from Switch1 to PE1 contain only one VLAN tag, and the packets sent
fromSwitch2 to PE2 contain double VLAN tags. Therefore, you need to configure VLAN
stacking on the sub-interface of PE1 connected to Switch1 and connect the sub-interface to the
VPLS network. Then CE1 and CE2 can communicate with each other.
NOTE

Figure 3-28 Networking diagram for a VLAN stacking sub-interface to access a VPLS network
1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE0/0/2 GE0/0/2
PE1 PE2
GE0/0/1 GE0/0/1
GE0/0/1 P GE0/0/2
GE0/0/2 GE0/0/2
Switch1 Switch2
GE0/0/1 GE0/0/1
GE0/0/1 GE0/0/1
CE1 CE2
- Loopback1 - 1.1.1.9/32
- Loopback1 - 3.3.3.9/32
- Loopback1 - 2.2.2.9/32

between devices.
2. Add the interface connected to CE1 on Switch1 to a specified VLAN.
3. Configure selective QinQ on interfaces connected to CE2 on Switch2.


8. Configure a VLAN stacking sub-interface connected to Switch1 on PE1 and connect the
sub-interface to the VPLS network.
9. Configure a QinQ sub-interface on the interface connected to Switch2 on PE2 and connect
the sub-interface to the VPLS network.
Procedure
NOTE
l After the configuration, the packets sent from a CE to Switch must contain a VLAN tag.
interfaces.
[Switch1] vlan 10
[Switch2] vlan 100


# Configure PE1.
# Configure PE2.
# Configure PE1.
[PE1] mpls l2vpn
[PE1-l2vpn]quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn]quit
# Configure PE1.
[PE1] vsi a2 static
# Configure PE2.
[PE2] vsi a2 static
# Configure PE1.
[PE1-GigabitEthernet0/0/1.1] qinq stacking vid 10 pe-vid 100
# Configure PE2.

# Configure CE1.
[CE1-Vlanif10] quit
# Configure CE2.
[CE2-Vlanif10] quit
***VSI Name : a2
VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 0
Domain Name :
P2P VSI : disable
VSI State : up
VSI ID : 2
VC Label : 23552
Peer Type : dynamic
Session : up
CKey : 2
NKey : 1
StpEnable : 0
PwIndex : 0

State : up
Access port : false
Last Up Time : 2010/12/30 11:31:18
**PW Information:

PW State : up
PW Type : label

Ckey : 0x2
Nkey : 0x1
Tnl Type : LSP
OutInterface : Vlan20
Stp Enable : 0
PW Last Up Time : 2010/12/30 11:32:03

<CE1> ping 10.1.1.2

0.00% packet loss
----End
Configuration Files
#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
return

#
sysname CE2
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
#
return

#
sysname Switch1

#
vlan batch 10
#
#
#
return

#
sysname Switch2
#
vlan batch 100
#
#
#
return

#
sysname PE1
#
vlan batch 20
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 3.3.3.9
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif20
ip address 168.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
qinq stacking vid 10 pe-vid 100
l2 binding vsi a2
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0

network 1.1.1.9 0.0.0.0

network 168.1.1.0 0.0.0.255
#
return
#
sysname P
#
vlan batch 20 30
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 168.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 169.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 168.1.1.0 0.0.0.255
network 169.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return

#
sysname PE2
#
vlan batch 30
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.9
#
mpls ldp
#
remote-ip 1.1.1.9
#
interface Vlanif30

ip address 169.1.1.2 255.255.255.0

mpls
mpls ldp
#
#
#
l2 binding vsi a2
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 169.1.1.0 0.0.0.255
#
return
3.5.14 Example for Configuring QinQ Stacking on a VLANIF

Interface
The management VLAN is deployed on the remote SwitchB and the VLAN ID of SwitchA is
the same as the management VLAN ID. However, the VLAN ID provided by the carrier is
different from the management VLAN ID. To remotely log in to the remote SwitchB on SwitchA,
you can configure VLAN stacking according to this example. As shown in Figure 3-29, SwitchA
is connected to the remote SwitchB through the third-party network. The management VLAN
is deployed on the remote SwitchB and the VLAN ID of SwitchA is the same as the management
VLAN ID. However, the VLAN ID provided by the carrier is different from the management
VLAN ID.
Figure 3-29 Networking diagram for configuring QinQ stacking on the VLANIF interface
20 10 IP
SwitchB
GE0/0/2 GE0/0/2
Internet
SwitchA GE0/0/1
10 IP GE0/0/2
GE0/0/1 SwitchC
user1
VLAN 10

To remotely log in to the remote SwitchB for managing VLAN services on SwitchA, you can
configure QinQ stacking on the VLANIF interface corresponding to the management VLAN on
SwitchB.
NOTE
When configuring QinQ stacking on a VLANIF interface, ensure that the VLANIF interface corresponds
to the management VLAN. VLANIF interfaces corresponding to other VLANs do not support QinQ
stacking.
1. Configure QinQ on SwitchA.

2. Do as follows on the remote SwitchB:
a. Create VLAN 10 and configure VLAN 10 as the management VLAN.
b. Create a VLANIF interface on VLAN 10.
c. Configure QinQ stacking on the VLANIF interface.
Procedure
Step 1 Configure SwitchC.
# Allow packets from VLAN 10 to pass through GE0/0/1 and GE0/0/2.

[HUAWEI] sysname SwitchC
[SwitchC] vlan batch 10
[SwitchC] interface gigabitethernet 0/0/1
[SwitchC-GigabitEthernet0/0/1] port link-type hybrid
[SwitchC-GigabitEthernet0/0/1] port hybrid tagged vlan 10
[SwitchC-GigabitEthernet0/0/1] quit
[SwitchC-GigabitEthernet0/0/2] port link-type hybrid
# Configure QinQ so that the packets sent from SwitchA to the remote SwitchB carry double
tags.
[SwitchA] vlan batch 20
[SwitchA-GigabitEthernet0/0/2] port hybrid tagged vlan 20
Step 3 Configure the remote SwitchB.

# Permit packets from VLAN 20 to pass through GE0/0/2.

[SwitchB-GigabitEthernet0/0/2] port hybrid tagged vlan 10 20
# Configure QinQ stacking.

[SwitchB] vlan 10
[SwitchB-vlan10] management-vlan
[SwitchB-vlan10] quit
[SwitchB] interface vlanif 10
[SwitchB-Vlanif10] undo icmp host-unreachable send
[SwitchB-Vlanif10] qinq stacking vlan 20
[SwitchB-Vlanif10] ip address 10.10.10.1 24
[SwitchB-Vlanif10] quit

You can log in to the remote SwitchB for managing VLAN services on SwitchA.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 20
#
#
#
return
l Configuration file of SwitchC

#
sysname SwitchC
#
vlan batch 10
#
#
#
return
l Configuration file of the remote SwitchB

#
sysname SwitchB
#
vlan batch 10 20
#
vlan 10

management-vlan
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
undo icmp host-unreachable send
qinq stacking vlan 20
#
port hybrid tagged vlan 10 20
#
return
3.6 GVRP Configuration

This chapter describes basic GVRP concepts, GVRP configuration procedures, and concludes
with a GVRP configuration example.
3.6.1 Example for Configuring GVRP
As shown in Figure 3-30, company A, a branch of company A, and company B are connected
using switches. To implement dynamic VLAN registration, enable GVRP. The branch of
company A can communicate with the headquarters using SwitchA and SwitchB. Company B
can communicate with company A using SwitchB and SwitchC. Interfaces connected to
company A allow only the VLAN to which company B belongs to pass.
Figure 3-30 Configuring GVRP

SwitchB
GE0/0/1 GE0/0/2
GE0/0/1 GE0/0/1 SwitchC
SwitchA
Company A
GE0/0/2 GE0/0/2
Branch of
Company B
company A
1. Enable GVRP to implement dynamic VLAN registration.

2. Configure GVRP on all switches of company A and set the registration mode to normal for
the interfaces to simplify configurations.

3. Configure GVRP on all switches of company A and set the registration mode to fixed for
the interfaces connecting to company A to allow only the VLAN to which company B
belongs to pass.
Procedure
# Enable GVRP globally.
[SwitchA] gvrp
# Set the link type of GE 0/0/1 and GE 0/0/2 to trunk and configure the interfaces to allow all
VLANs to pass through.
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan all
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan all
# Enable GVRP and set the registration mode on the interfaces.

[SwitchA-GigabitEthernet0/0/1] gvrp
[SwitchA-GigabitEthernet0/0/1] gvrp registration normal
[SwitchA-GigabitEthernet0/0/2] gvrp
[SwitchA-GigabitEthernet0/0/2] gvrp registration normal
The configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here.
# Create VLAN 101 to VLAN 200.
[SwitchC] vlan batch 101 to 200
# Enable GVRP globally.

[SwitchC] gvrp
# Set the link type of GE 0/0/1 and GE 0/0/2 to trunk and configure the interfaces to allow all
VLANs to pass through.
[SwitchC-GigabitEthernet0/0/1] port link-type trunk
[SwitchC-GigabitEthernet0/0/1] port trunk allow-pass vlan all
[SwitchC-GigabitEthernet0/0/2] port trunk allow-pass vlan all
# Enable GVRP and set the registration mode on the interfaces.


[SwitchC-GigabitEthernet0/0/1] gvrp
[SwitchC-GigabitEthernet0/0/1] gvrp registration fixed
[SwitchC-GigabitEthernet0/0/2] gvrp
[SwitchC-GigabitEthernet0/0/2] gvrp registration normal

After the configuration is complete, the branch of Company A can communicate with the
headquarters, and users of Company A in VLAN 101 to VLAN 200 can communicate with users
in Company B.
Run the display gvrp status command on SwitchA to check whether GVRP is enabled globally.
The following information is displayed:
<SwitchA> display gvrp status
Info:GVRP is enabled
Run the display gvrp statistics command on SwitchA to view GVRP statistics on GVRP
interfaces, including the GVRP state of each interface, number of GVRP registration failures,
source MAC address of the last GVRP PDU, and registration mode of each interface.
<SwitchA> display gvrp statistics
GVRP statistics on port GigabitEthernet0/0/1
GVRP status : Enabled
GVRP registrations failed : 0
GVRP last PDU origin : 0000-0000-0000
GVRP registration type : Normal
GVRP statistics on port GigabitEthernet0/0/2

GVRP status : Enabled
GVRP registrations failed : 0
GVRP last PDU origin : 0000-0000-0000
GVRP registration type : Normal
Verify the configurations of SwitchB and SwitchC in the same way.
----End
Configuration Files
#
sysname SwitchA
#
gvrp
#
gvrp
#
gvrp
#
return

#
sysname SwitchB

#
gvrp
#
gvrp
#
gvrp
#
return

#
sysname SwitchC
#
vlan batch 101 to 200
#
gvrp
#
gvrp
gvrp registration fixed
#
gvrp
#
return
3.7 MAC Address Table Configuration

This chapter provides the basics for MAC address table configuration, configuration procedure,
and configuration examples.
3.7.1 Example for Configuring the MAC Address Table
As shown in Figure 3-31, the MAC address of the user host PC1 is 0002-0002-0002 and that
of the user host PC2 is 0003-0003-0003. PC1 and PC2 are connected to the Switch through the
LSW. The LSW is connected to GE0/0/1 of the Switch, which belongs to VLAN 2. The MAC
address of the server is 0004-0004-0004. The server is connected to GE0/0/2 of the Switch.
GE0/0/2 belongs to VLAN 2.
l To prevent hackers from using MAC addresses to attack the network, configure two static
MAC address entries for each user host on the Switch.
l To prevent hackers from stealing user information by forging the MAC address of the
server, configure a static MAC address entry on the Switch for the server.

Figure 3-31 Configuring the MAC address table
Network Server
Switch MAC address: 4-4-4

GE0/0/2
GE0/0/1
LSW
PC1 PC2
MAC address: 2-2-2 MAC address: 3-3-3
1. Create a VLAN and add an interface to the VLAN to implement Layer 2 forwarding.
2. Configure static MAC address entries to prevent MAC address attacks.
3. Configure the aging time of dynamic MAC address entries to update the entries.
Procedure
Step 1 Configure static MAC address entries.
# Create VLAN 2 and add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 2.

[Switch] vlan 2
[Switch-vlan2] quit
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 2
# Configure a static MAC address entry.

[Switch] mac-address static 2-2-2 GigabitEthernet 0/0/1 vlan 2
Step 2 Set the aging time of a dynamic MAC address entry.

[Switch] mac-address aging-time 500

# Run the display mac-address static command in any view to check whether the static MAC
address entries are successfully added to the MAC address table.
[Switch] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address VLAN/VSI Learned-From Type
-------------------------------------------------------------------------------
0002-0002-0002 2/- GE0/0/1 static
0003-0003-0003 2/- GE0/0/1 static
0004-0004-0004 2/- GE0/0/2 static
-------------------------------------------------------------------------------
Total items displayed = 3
# Run the display mac-address aging-time command in any view to check whether the aging
time of dynamic entries is set successfully.
[Switch] display mac-address aging-time
Aging time: 500 second(s)
----End
Configuration Files
#
sysname Switch
#
vlan batch 2
#
mac-address aging-time 500
#
#
#
mac-address static 0002-0002-0002 GigabitEthernet0/0/1 vlan 2
#
return
3.7.2 Example for Configuring MAC Address Learning in a VLAN
As shown in Figure 3-32, user network 1 is connected to Switch on the GigabitEthernet0/0/1
through an LSW. User network 2 is connected to Switch on the GigabitEthernet0/0/2 through
another LSW. Both GigabitEthernet0/0/1 and GigabitEthernet0/0/2 belong to VLAN 2. To
prevent MAC address attacks and limit the number of access users on the device, limit MAC
address learning on all the interfaces in VLAN 2.

Figure 3-32 Networking diagram for MAC address limiting in a VLAN
Network
Switch
GE0/0/1 GE0/0/2
LSW LSW
User User
network 1 VLAN 2 network 2
2. Limit MAC address learning on all the interfaces in the VLAN to prevent MAC address
attacks and limit the number of access users.
Procedure
Step 1 Limit MAC address learning.
# Add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 2.

[Switch] vlan 2
[Switch-vlan2] quit
# Configure the following MAC address limiting rule in VLAN 2: A maximum of 100 MAC
addresses can be learned. When the number of learned MAC addresses reaches the limit, the
device and sends an alarm.
[Switch] vlan 2
[Switch-vlan2] mac-limit maximum 100 alarm enable
[Switch-vlan2] quit

# Run the display mac-limit command in any view to check whether the MAC address limiting
rule is successfully configured.
<Switch> display mac-limit
MAC Limit is enabled
Total MAC Limit rule count : 1
PORT VLAN/VSI SLOT Maximum Rate(ms) Action Alarm

----------------------------------------------------------------------------
- 2 - 100 - forward enable
----End
Configuration Files
The following lists only the configuration file of Switch.
#
sysname Switch
#
vlan batch 2
#
vlan 2
mac-limit maximum 100
#
#
#
return
3.7.3 Example for Configuring Port Security
As shown in Figure 3-33, a company wants to prevent computers of non-employees from
accessing the intranet of the company to protect information security. To achieve this goal, the
company needs to enable port security on the interface connected to computers of employees
and set the maximum number of MAC addresses learned by the interface to be the same as the
number of trusted computers.

Figure 3-33 Network diagram of port security
Intranet
Switch
GE0/0/1
VLAN 10
SwitchA
PC1 PC2 PC3
1. Configure a VLAN to implement Layer 2 forwarding.
2. Configure port security to prevent the learned MAC addresses from aging.
Procedure
Step 1 Create a VLAN and set the link type of the interface.
[Switch] vlan 10
Step 2 Configure port security.

# Enable port security.
[Switch-GigabitEthernet0/0/1] port-security enable
# Enable the sticky MAC function.

[Switch-GigabitEthernet0/0/1] port-security mac-address sticky
# Configure the security protection action.

[Switch-GigabitEthernet0/0/1] port-security protect-action protect
# Set the limit on the number of MAC addresses that can be learned on the interface.
[Switch-GigabitEthernet0/0/1] port-security max-mac-num 4
To enable the port security function on other interfaces, repeat the preceding steps.

NOTE
Assume that MAC addresses of four devices (three PCs and one access switch) connected to the Switch
have been learned. The maximum number of MAC addresses to be learned is 4.
If PC1 is replaced by another device, the device cannot access the intranet of the company.
----End
Configuration Files
Configuration file of the switch
#
sysname Switch
#
vlan batch 10
#
port-security enable
port-security protect-action protect
port-security max-mac-num 4
port-security mac-address sticky
#
return
3.7.4 Example for Configuring MAC Address Anti-flapping
Employees of an enterprise need to access the enterprise server. If an attacker uses the server
MAC address as the source MAC address to send packets to another interface, the server MAC
address is learned on the interface. Packets sent to the server are sent to unauthorized users. In
this case, employees cannot access the server, and important data will be intercepted by the
attacker.
As shown in Figure 3-34, MAC address anti-flapping can be configured to protect the server
from attacks.

Figure 3-34 Networking diagram of MAC address anti-flapping
Server
MAC:11-22-33
GE0/0/1 VLAN 10
Switch
GE0/0/2 PC4
MAC:11-22-33
LSW
PC1 PC2 PC3
VLAN10
2. Configure MAC address anti-flapping on the server-side interface.
Procedure
Step 1 Create a VLAN and add the interfaces to the VLAN.
# Add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to VLAN 10.

[Switch] vlan 10
Step 2 # Set the MAC address learning priority of GigabitEthernet0/0/1 to 2.

[Switch-GigabitEthernet0/0/1] mac-learning priority 2
# Run the display current-configuration command in any view to check whether the MAC
address learning priority of the interface is set correctly.

[Switch] display current-configuration interface gigabitethernet 0/0/1

#
mac-learning priority 2
#
return
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#
mac-learning priority 2
#
#
return
3.7.5 Example for Configuring MAC Address Flapping Detection
As shown in Figure 3-35, a loop occurs on a user network because network cables between two
LSWs are incorrectly connected. The loop causes MAC address flapping and bridge table
flapping.
You can enable MAC address flapping detection on the Switch to detect MAC address flapping
and discover loops.

Figure 3-35 Networking diagram of MAC address flapping detection
Network
Switch
GE0/0/1 GE0/0/2
LSW1 LSW2
Incorrect connection
1. Enable MAC address flapping detection.

2. Set the aging time of flapping MAC addresses.
3. Configure the action performed on the interface when MAC address flapping is detected
on the interface to prevent loops.
Procedure
Step 1 Enable MAC address flapping detection.
[Switch] mac-address flapping detection
Step 2 Set the aging time of flapping MAC addresses.

[Switch] mac-address flapping aging-time 500
Step 3 Shut down GE0/0/1 and GE0/0/2 when MAC address flapping is detected.
[Switch-GigabitEthernet0/0/1] mac-address flapping action error-down
[Switch-GigabitEthernet0/0/2] mac-address flapping action error-down
Step 4 Configure automatic recovery and set the automatic recovery time for the shutdown interface.
[Switch] error-down auto-recovery cause mac-address-flapping interval 500
After the configuration is complete, when the MAC address on GE0/0/1 flaps to GE0/0/2,
GE0/0/2 is shut down. Run the display mac-address flapping record command to view the
flapping records.

<Switch> display mac-address flapping record

S : start time
E : end time
(Q) : quit vlan
(D) : error down
-------------------------------------------------------------------------------
Move-Time VLAN MAC-Address Original-Port Move-Ports
MoveNum
-------------------------------------------------------------------------------
S:2012-04-01 17:22:36 1 0000-0000-0007 GE0/0/1 GE0/0/2(D) 83
E:2012-04-01 17:22:44
-------------------------------------------------------------------------------
Total items on slot 0: 1
----End
Configuration Files
#
sysname Switch
#
error-down auto-recovery cause mac-address-flapping interval 500
#
mac-address flapping aging-time 500
#
mac-address flapping action error-down
#
mac-address flapping action error-down
#
return
3.8 STP/RSTP Configuration

This chapter describes the concepts and configuration procedure of STP/RSTP, and provides
3.8.1 Example for Configuring Basic STP Functions

Network designers tend to deploy multiple physical links between two devices (one link is the
master and the others are backups) to fulfill network redundancy requirements. Loops are bound
to occur on such types of complex networks.
Loops will cause broadcast storms, which exhaust network resources and paralyze the network.
Loops also cause MAC address flapping that damages MAC address entries.
STP can be deployed on a network to eliminate loops by blocking some ports. On the network
shown in Figure 3-36, after SwitchA, SwitchB, SwitchC, and SwitchD running STP discover
loops by exchanging information, they trim the ring topology into a loop-free tree topology by
blocking a certain port. STP prevents replication and circular propagation of packets on the
network and the release the switching devices from processing duplicate packets, improving
their processing performance.

Figure 3-36 Configuring basic STP functions
Network
GE0/0/3 GE0/0/3
Root
SwitchD GE0/0/1 GE0/0/1
Bridge
GE0/0/2 GE0/0/2 SwitchA
STP
GE0/0/3 GE0/0/3
SwitchC SwitchB
GE0/0/1 GE0/0/1
GE0/0/2 GE0/0/2
PC1 PC2
Blocked port
1. Configure basic STP functions, including:
a. Configure the STP mode for the ring network.
b. Configure primary and secondary root bridges.
c. Set path costs for ports to block certain ports.
d. Enable STP to eliminate loops.
NOTE
STP is not required on the interfaces connected to terminals because these interfaces do not
need to participate in STP calculation.
Procedure
Step 1 Configure basic STP functions.
1. Configure the STP mode for the devices on the ring network.
# Configure the STP mode on SwitchA.
[SwitchA] stp mode stp

# Configure the STP mode on SwitchB.

[SwitchB] stp mode stp
# Configure the STP mode on SwitchC.

[SwitchC] stp mode stp
# Configure the STP mode on SwitchD.

[HUAWEI] sysname SwitchD
[SwitchD] stp mode stp
2. Configure primary and secondary root bridges.

# Configure SwitchA as a primary root bridge.
[SwitchA] stp root primary
# Configure SwitchD as a secondary root bridge.

[SwitchD] stp root secondary
3. Set path costs for ports in each spanning tree to block certain ports.
NOTE
l The values of path costs depend on the path-cost calculation method. Huawei calculation method
is used in this example, and the path cost of the blocked port is set to 20000 (the highest value
in the range).
l All switching devices on a network must use the same path cost calculation method.
# On Switch A, configure the path cost calculation method as the Huawei calculation
method.
[SwitchA] stp pathcost-standard legacy
# On Switch B, configure the path cost calculation method as the Huawei calculation
method.
[SwitchB] stp pathcost-standard legacy
# Set the path cost of GigabitEthernet0/0/1 on SwitchC to 20000.

[SwitchC] stp pathcost-standard legacy
[SwitchC-GigabitEthernet0/0/1] stp cost 20000
# On SwitchD, configure the path cost calculation method as the Huawei calculation
method.
[SwitchD] stp pathcost-standard legacy
4. Enable STP to eliminate loops.

l Disable STP on interfaces connected to PCs.
# Disable STP on GigabitEthernet 0/0/2 on SwitchB.
[SwitchB-GigabitEthernet0/0/2] stp disable
# Disable STP on GigabitEthernet 0/0/2 on SwitchC.

[SwitchC-GigabitEthernet0/0/2] stp disable
l Enable STP globally.

# Enable STP globally on SwitchA.

[SwitchA] stp enable
# Enable STP globally on SwitchB.

[SwitchB] stp enable
# Enable STP globally on SwitchC.

[SwitchC] stp enable
# Enable STP globally on SwitchD.

[SwitchD] stp enable

After the previous configurations, run the following commands to verify the configuration when
the network is stable:
# Run the display stp brief command on SwitchA to view the interface status and protection
type. The displayed information is as follows:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet0/0/1 DESI FORWARDING NONE
After SwitchA is configured as a root bridge, GigabitEthernet 0/0/2 and GigabitEthernet 0/0/1
connected to SwitchB and SwitchD respectively are elected as designated ports in spanning tree
calculation.
# Run the display stp interface gigabitethernet 0/0/1 brief command on SwitchB to view status
of GigabitEthernet 0/0/1. The displayed information is as follows:
[SwitchB] display stp interface gigabitethernet 0/0/1 brief
GigabitEthernet 0/0/1 is elected as a designated port in spanning tree calculation and is in the
Forwarding state.
# Run the display stp brief command on SwitchC to view the interface status and protection
[SwitchC] display stp brief
0 GigabitEthernet0/0/1 ALTE DISCARDING NONE
0 GigabitEthernet0/0/3 ROOT FORWARDING NONE
GigabitEthernet 0/0/3 is elected as a root port in spanning tree calculation and is in the
Forwarding state.
GigabitEthernet 0/0/1 is elected as an alternate port in spanning tree calculation and is in the
Discarding state.
----End
Configuration Files
#
sysname SwitchA
#
stp mode stp
stp instance 0 root primary
stp pathcost-standard legacy

stp enable
#
return

#
sysname SwitchB
#
stp mode stp
stp enable
#
stp disable
#
return

#
sysname SwitchC
#
stp mode stp
stp enable
#
stp instance 0 cost 20000
#
stp disable
#
return
l Configuration file of SwitchD

#
sysname SwitchD
#
stp mode stp
stp instance 0 root secondary
stp enable
#
return
3.8.2 Example for Configuring Basic RSTP Functions

On a complex network, loops are inevitable. With the requirement for network redundancy
backup, network designers tend to deploy multiple physical links between two devices, one of
which is the master and the others are the backup. Loops are likely or bound to occur in such a
situation.
Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the
network. Loops also cause flapping of MAC address tables and damage MAC address entries.
RSTP can be deployed on a network to eliminate loops by blocking some ports. On the network
shown in Figure 3-37, after SwitchA, SwitchB, SwitchC, and SwitchD running RSTP discover
loops on the network by exchanging information with each other, they trim the ring topology
into a loop-free tree topology by blocking a certain port. In this manner, replication and circular
propagation of packets are prevented on the network and the switching devices are released from
processing duplicated packets, thereby improving their processing performance.

Figure 3-37 Configuring basic RSTP configurations
Network
GE0/0/3 GE0/0/3
Root
SwitchD GE0/0/1 GE0/0/1
Bridge
RSTP
GE0/0/3 GE0/0/3
SwitchC SwitchB
GE0/0/1 GE0/0/1
GE0/0/2 GE0/0/2
PC1 PC2
Blocked port
1. Configure basic RSTP functions, including:
a. Configure the RSTP mode for the ring network.
b. Configure primary and secondary root bridges.
c. Set path costs for ports in each MSTI to block certain ports.
d. Enable RSTP to eliminate loops.
NOTE
The port connected to the PC does not participate in RSTP calculation, so it is configured as
an edge port and BPDU filter port.
2. Configure RSTP protection functions, for example, root protection on a designated port of
a root bridge in each MSTI.
Procedure
Step 1 Configure basic RSTP functions.
1. Configure the RSTP mode for the devices on the ring network.
# Configure the RSTP mode on SwitchA.

[SwitchA] stp mode rstp
# Configure the RSTP mode on SwitchB.

[SwitchB] stp mode rstp
# Configure the RSTP mode on SwitchC.

[SwitchC] stp mode rstp
# Configure the RSTP mode on SwitchD.

[SwitchD] stp mode rstp
2. Configure primary and secondary root bridges.

# Configure SwitchA as a primary root bridge.
[SwitchA] stp root primary
# Configure SwitchD as a secondary root bridge.

[SwitchD] stp root secondary
3. Set path costs for ports in each MSTI to block certain ports.
NOTE
l The values of path costs depend on path cost calculation methods. Use the Huawei calculation
method as an example to set the path costs of the ports to be blocked to 20000.
# On Switch A, configure the path cost calculation method as the Huawei calculation
method.
# On Switch B, configure the path cost calculation method as the Huawei calculation
method.
# Set the path cost of GigabitEthernet0/0/1 on SwitchC to 20000.

[SwitchC-GigabitEthernet0/0/1] stp cost 20000
# On SwitchD, configure the path cost calculation method as the Huawei calculation
method.
4. Enable RSTP to eliminate loops.

l Configure the port connected to the PC as an edge port and BPDU filter port.
# Configure GigabitEthernet0/0/2 on SwitchB as an edge port and BPDU filter port.
[SwitchB-GigabitEthernet0/0/2] stp edged-port enable
[SwitchB-GigabitEthernet0/0/2] stp bpdu-filter enable
# Configure GigabitEthernet0/0/2 on SwitchC as an edge port and BPDU filter port.

[SwitchC-GigabitEthernet0/0/2] stp edged-port enable

[SwitchC-GigabitEthernet0/0/2] stp bpdu-filter enable

l Enable RSTP globally.

# Enable RSTP globally on SwitchA.
# Enable RSTP globally on SwitchB.

# Enable RSTP globally on SwitchC.

# Enable RSTP globally on SwitchD.

Step 2 Configure RSTP protection functions, for example, root protection on a designated port of a root
bridge in each MSTI.
# Enable root protection on GE 0/0/1 on SwitchA.

[SwitchA-GigabitEthernet0/0/1] stp root-protection
# Enable root protection on GE 0/0/2 on SwitchA.

the network is stable:
# Run the display stp brief command on SwitchA to view the interface status and protection
0 GigabitEthernet0/0/1 DESI FORWARDING ROOT
After SwitchA is configured as a root bridge, GigabitEthernet0/0/2 and GigabitEthernet0/0/1

connected to SwitchB and SwitchD respectively are elected as designated ports in spanning tree
calculation. The root protection function is enabled on the designated ports.
# Run the display stp interface gigabitethernet 0/0/1 brief command on SwitchB to view status
of GigabitEthernet0/0/1. The displayed information is as follows:
[SwitchB] display stp interface gigabitethernet 0/0/1 brief
GigabitEthernet0/0/1 is elected as a designated port in spanning tree calculation and is in the

Forwarding state.
# Run the display stp brief command on SwitchC to view the interface status and protection
[SwitchC] display stp brief


GE0/0/1 is elected as an alternate port in spanning tree calculation and is in the Discarding state.
GE0/0/3 is elected as a root port in spanning tree calculation and is in the Forwarding state.
----End
Configuration Files
#
sysname SwitchA
#
stp mode rstp
stp enable
#
stp root-protection
#
stp root-protection
#
return

#
sysname SwitchB
#
stp mode rstp
stp enable
#
stp bpdu-filter enable
stp edged-port enable
#
return

#
sysname SwitchC
#
stp mode rstp
stp enable
#
#
stp bpdu-filter enable
stp edged-port enable
#
return

#
sysname SwitchD
#
stp mode rstp

stp enable
#
return
3.9 MSTP Configuration

This chapter describes the concepts and configuration procedure of MSTP, and provides
3.9.1 Example for Configuring MSTP
On a complex network, to implement redundancy, network designers tend to deploy multiple
physical links between two devices, one of which is the master and the others are the backup.
Loops occur, causing broadcast storms or damaging MAC addresses. After the network designer
plans a network, you can deploy MSTP on the network to prevent loops. MSTP blocks redundant
links and prunes a network into a tree topology free from loops.
As shown in Figure 3-38,SwitchA, SwitchB, SwitchC, and SwitchD run MSTP. to load balance
traffic from VLANs 2 to 10 and VLANs 11 to 20, use MSTP multi-instance. You can configure
a VLAN mapping table to associate VLANs with MSTIs.

Figure 3-38 Networking diagram of MSTP configuration
Network
RG1
SwitchA SwitchB
GE0/0/2
GE0/0/2
GE0/0/1 GE0/0/1
GE0/0/3 GE0/0/3
GE0/0/2
SwitchC SwitchD
GE0/0/2
GE0/0/1 GE0/0/1
VLAN2~10 MSTI1
VLAN11~20 MSTI2
MSTI1:
Root Switch:SwitchA
Blocked port
MSTI2:
Root Switch:SwitchB
Blocked port
1. Configure basic MSTP functions on the switching device on the ring network.
2. Configure protection functions to protect devices or links. You can configure root
protection on the designated port of the root bridge.

3. Configure Layer 2 forwarding.
Procedure
Step 1 Configure basic MSTP functions.
1. Configure SwitchA, SwitchB, SwitchC, and SwitchD in the same MST region named
RG1 and create MSTI 1 and MSTI 2.
NOTE
Two switching devices belong to the same MST region when they have the same:
l Name of the MST region
l Mapping between VLANs and MSTIs
l Revision level of the MST region
# Configure an MST region on SwitchA.
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1
[SwitchA-mst-region] instance 1 vlan 2 to 10
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
# Configure an MST region on SwitchB.

[SwitchB] stp region-configuration
[SwitchB-mst-region] region-name RG1
[SwitchB-mst-region] instance 1 vlan 2 to 10
[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit
# Configure an MST region on SwitchC.

[SwitchC] stp region-configuration
[SwitchC-mst-region] region-name RG1
[SwitchC-mst-region] instance 1 vlan 2 to 10
[SwitchC-mst-region] active region-configuration
[SwitchC-mst-region] quit
# Configure an MST region on SwitchD.

[SwitchD] stp region-configuration
[SwitchD-mst-region] region-name RG1
[SwitchD-mst-region] instance 1 vlan 2 to 10
[SwitchD-mst-region] active region-configuration
[SwitchD-mst-region] quit
2. In the MST region RG1, configure the root bridge and secondary root bridge in MSTI 1
and MSTI 2.
l Configure the root bridge and secondary root bridge in MSTI 1.
# Configure SwitchA as the root bridge in MSTI 1.
[SwitchA] stp instance 1 root primary
# Configure SwitchB as the secondary root bridge in MSTI 1.

[SwitchB] stp instance 1 root secondary
l Configure the root bridge and secondary root bridge in MSTI 2.

# Configure SwitchB as the root bridge in MSTI 2.
[SwitchB] stp instance 2 root primary
# Configure SwitchA as the secondary root bridge in MSTI 2.

[SwitchA] stp instance 2 root secondary
3. Set the path costs of the ports to be blocked in MSTI 1 and MSTI 2 to be greater than the
default value.
NOTE
l The values of path costs depend on path cost calculation methods. This example uses the Huawei
calculation method as an example to set the path costs of the ports to be blocked to 20000.
# Configure SwitchA to use Huawei calculation method to calculate the path cost.
# Configure SwitchB to use Huawei calculation method to calculate the path cost.
# Configure SwitchC to use Huawei calculation method to calculate the path cost, and set
the path cost of GE0/0/2 in MSTI 2 to 20000.
[SwitchC-GigabitEthernet0/0/2] stp instance 2 cost 20000
# Configure SwitchD to use Huawei calculation method to calculate the path cost, and set
the path cost of GE0/0/2 in MSTI 1 to 20000.
[SwitchD] interface gigabitethernet 0/0/2
[SwitchD-GigabitEthernet0/0/2] stp instance 1 cost 20000
[SwitchD-GigabitEthernet0/0/2] quit
4. Enable MSTP to eliminate loops.

l Enable MSTP globally.
# Enable MSTP on SwitchA.
# Enable MSTP on SwitchB.

# Enable MSTP on SwitchC.

# Enable MSTP on SwitchD.

l Disable MSTP on the interface connected to the terminal.

# Disable STP on GE0/0/1 of SwitchC.
# Disable STP on GE0/0/1 of SwitchD.

[SwitchD-GigabitEthernet0/0/1] stp disable

Step 2 Configure root protection on the designated port of the root bridge.
# Enable root protection on GE0/0/1 of SwitchA.
# Enable root protection on GE0/0/1 of SwitchB.

[SwitchB-GigabitEthernet0/0/1] stp root-protection
Step 3 Configure Layer 2 forwarding on devices on the ring network.

l Create VLANs 2 to 20 on SwitchA, SwitchB, SwitchC, and SwitchD.
# Create VLANs 2 to 20 on SwitchA.
[SwitchA] vlan batch 2 to 20
# Create VLANs 2 to 20 on SwitchB.

[SwitchB] vlan batch 2 to 20
# Create VLANs 2 to 20 on SwitchC.

# Create VLANs 2 to 20 on SwitchD.

[SwitchD] vlan batch 2 to 20
l Add ports on switching devices to VLANs.

# Add GE0/0/1 on SwitchA to a VLAN.
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 to 20
# Add GE0/0/2 on SwitchA to a VLAN.

# Add GE0/0/1 on SwitchB to a VLAN.

[SwitchB-GigabitEthernet0/0/1] port trunk allow-pass vlan 2 to 20
# Add GE0/0/2 on SwitchB to a VLAN.

# Add GE0/0/1 on SwitchC to a VLAN.

[SwitchC-GigabitEthernet0/0/1] port link-type access
[SwitchC-GigabitEthernet0/0/1] port default vlan 2

[SwitchC-GigabitEthernet0/0/2] port trunk allow-pass vlan 2 to 20


# Add GE0/0/1 on SwitchD to a VLAN.

[SwitchD-GigabitEthernet0/0/1] port link-type access
[SwitchD-GigabitEthernet0/0/1] port default vlan 11

[SwitchD-GigabitEthernet0/0/2] port link-type trunk
[SwitchD-GigabitEthernet0/0/2] port trunk allow-pass vlan 2 to 20


After the preceding configurations are complete and the network topology becomes stable,
perform the following operations to verify the configuration.
NOTE
MSTI 1 and MSTI 2 are used as examples. You do not need to focus on the interface status in MSTI 0.
# Run the display stp brief command on SwitchA to view the status and protection type on the
ports. The displayed information is as follows:

In MSTI 1, GE0/0/1 and GE0/0/2 are designated ports because SwitchA is the root bridge. In
MSTI 2, GE0/0/1 on SwitchA is the designated port and GE0/0/2 is the root port.
# Run the display stp brief command on SwitchB. The displayed information is as follows:
[SwitchB] display stp brief
In MSTI 2, GE0/0/1 and GE0/0/2 are designated ports because SwitchB is the root bridge. In
MSTI 1, GE0/0/1 on SwitchB is the designated port and GE0/0/2 is the root port.
# Run the display stp interface brief commands on SwitchC. The displayed information is as
follows:

[SwitchC] display stp interface gigabitethernet 0/0/3 brief

GE0/0/3 on SwitchC is the root port in MSTI 1 and MSTI 2. GE0/0/2 on SwitchC is the
designated port in MSTI 1 but is blocked in MSTI 2.
# Run the display stp interface brief commands on SwitchD. The displayed information is as
follows:
[SwitchD] display stp interface gigabitethernet 0/0/3 brief
[SwitchD] display stp interface gigabitethernet 0/0/2 brief
GE0/0/3 on SwitchD is the root port in MSTI 1 and MSTI 2. GE0/0/2 on SwitchD is the blocked
port in MSTI 1 and is the designated port in MSTI 2.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 20
#
stp enable
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
active region-configuration
#
stp root-protection
#
#
return

#
sysname SwitchB

#
vlan batch 2 to 20
#
stp enable
#
region-name RG1
#
stp root-protection
#
#
return

#
sysname SwitchC
#
vlan batch 2 to 20
#
stp enable
#
region-name RG1
#
port default vlan 2
stp disable
#
#
#
return

#
sysname SwitchD
#
vlan batch 2 to 20
#
stp enable
#
region-name RG1

#
stp disable
#
#
#
return
3.9.2 Example for Configuring MSTP + VRRP Network
As shown in Figure 3-39, hosts connect to Switch C, and Switch C connects to the Internet
through Switch A and Switch B. To improve access reliability, the user configures redundant
links. The redundant links causes a network loop, which leads to broadcast storm and destroy
MAC address entries.
It is required that the network loop be prevented when redundant links are deployed, traffic be
switched to another link when one link is broken, and network bandwidth be effectively used.
MSTP can be configured on the network to prevent loops. MSTP blocks redundant links and
prunes a network into a tree topology free from loops. In addition, VRRP needs to be configured
on Switch A and Switch B. Host A connects to the Internet by using Switch A as the default
gateway and Switch B as the secondary gateway. Host B connects to the Internet by using Switch
B as the default gateway and Switch A as the secondary gateway. Traffic is thus load balanced
and communication reliability is improved.

Figure 3-39 MSTP + VRRP network

VRRP VRID 1 SwitchA
Virtual IP Address: VRID 1:Master
HostA
10.1.2.100 VRID 2:Backup
VLAN2
10.1.2.101/24 /1 GE
E 0/0 0/0
G / 3 RouterA
GE
GE0/0/2
0/0 1
/2 0 /0/
GE
SwitchC MSTP Internet
GE0/0/2
GE
3
0 /0/ 0/0
/ 4
GE
GE RouterB
HostB 0/0 /0 /3
/1 GE0
VLAN3
10.1.3.101/24 SwitchB
VRID 1:Backup
VRRP VRID 2 VRID 2:Master
Virtual IP Address:
10.1.3.100
VLAN2 MSTI1 VLAN3 MSTI2
MSTI1: MSTI2:
Root Switch:SwitchA Root Switch:SwitchB

Blocked port Blocked port
Device Interface VLANIF Interface IP Address
SwitchA GE0/0/1 and VLANIF 2 10.1.2.102/24

GE0/0/2
GE0/0/1 and VLANIF 3 10.1.3.102/24

GE0/0/2
GE0/0/3 VLANIF 4 10.1.4.102/24
SwitchB GE0/0/1 and VLANIF 2 10.1.2.103/24

GE0/0/2
GE0/0/1 and VLANIF 3 10.1.3.103/24

GE0/0/2
GE0/0/3 VLANIF 5 10.1.5.103/24

1. Configure basic MSTP on the switches, including:
a. Configure MST and create multi-instance, map VLAN 2 to MSTI1, and map VLAN
3 to MSTI2 to load balance traffic.
b. Configure the root bridge and backup bridge in the MST region.
c. Configure the path cost on an interface so that the interface can be blocked.
d. Enable MSTP to prevent loops:
l Enable MSTP on all interfaces except the interfaces connecting to hosts.
NOTE
The interfaces connecting to hosts do not participate in MSTP calculation.

2. Enable the protection function to protect devices or links. For example, enable the
protection function on the root bridge of each instance to protect roots.
3. Configure Layer 2 forwarding.
4. Assign an IP address to each interface and configure the routing protocol on each device
to ensure network connectivity.
NOTE
SwitchA and SwitchB must support VRRP and OSPF. For details about models supporting VRRP
and OSPF, see relevant documentation.
5. Create VRRP group 1 and VRRP group 2 on Switch A and Switch B. Configure Switch A
as the master device and Switch B as the backup device of VRRP group 1. Configure Switch
B as the master device and Switch A as the backup device of VRRP group 2.
Procedure
1. Add Switch A, Switch B, and Switch C to region RG1, and create instances MSTI1 and
MSTI2.
# Configure an MST region on Switch A.
[SwitchA-mst-region] instance 1 vlan 2
# Configure an MST region on Switch B.

[SwitchB-mst-region] instance 1 vlan 2
[SwitchB-mst-region] instance 2 vlan 3
# Configure an MST region on Switch C.

[SwitchC-mst-region] region-name RG1
[SwitchC-mst-region] instance 1 vlan 2
[SwitchC-mst-region] instance 2 vlan 3
2. Configure the root bridges and backup bridges for MSTI1 and MSTI2 in RG1.
l Configure the root bridge and backup bridge for MSTI1.
# Set Switch A as the root bridge of MSTI1.
[SwitchA] stp instance 1 root primary
# Set Switch B as the backup bridge of MSTI1.

[SwitchB] stp instance 1 root secondary
l Configure the root bridge and backup bridge for MSTI2.

# Set Switch B as the root bridge of MSTI2.
[SwitchB] stp instance 2 root primary
# Set Switch A as the backup bridge of MSTI2.

[SwitchA] stp instance 2 root secondary
3. Set the path costs of the interfaces that you want to block on MSTI1 and MSTI2 to be
greater than the default value.
NOTE
l The path cost range is decided by the calculation method. The Huawei calculation method is used
as an example. Set the path costs of the interfaces to 20000.
l The switches on the same network must use the same calculation method to calculate path costs.
# Set the path cost calculation method on Switch A to Huawei calculation method.
# Set the path cost calculation method on Switch B to Huawei calculation method.
# Set the path cost calculation method on Switch C to Huawei calculation method. Set the
path cost of GE0/0/1 in MSTI2 to 20000; set the path cost of GE0/0/4 in MSTI1 to 20000.
4. Enable MSTP to prevent loops.

# Enable MSTP on Switch A.
# Enable MSTP on Switch B.

# Enable MSTP on Switch C.

l Disable MSTP on the interfaces connecting to hosts.

# Disable STP on GE0/0/2 and GE0/0/3 of Switch C.


Step 2 Enable the protection function on the designated interfaces of each root bridge.
# Enable root protection on GE0/0/1 of Switch A.

# Enable root protection on GE0/0/1 of Switch B.

Step 3 Configure Layer 2 forwarding on the switches in the ring.

l Create VLANs 2 and 3 on Switch A, Switch B, and Switch C.
# Create VLANs 2 and 3 on Switch A.
# Create VLANs 2 and 3 on Switch B.

# Create VLANs 2 and 3 on Switch C.

l Add the interfaces connecting to the loops to VLANs.

# Add GE0/0/1 of Switch A to VLANs.
# Add GE0/0/2 of Switch A to VLANs.

# Add GE0/0/1 of Switch B to VLANs.

# Add GE0/0/2 of Switch B to VLANs.

# Add GE0/0/1 of Switch C to VLANs.

# Add GE0/0/2 of Switch C to VLAN 2.


# Add GE0/0/3 of Switch C to VLAN 3.

# Add GE0/0/4 of Switch C to VLANs.

perform the following operations to verify the configuration.
NOTE
MSTI 1 and MSTI 2 are used as examples. You do not need to focus on the interface status in MSTI 0.
# Run the display stp brief command on Switch A to view the status and protection type on
interfaces. The displayed information is as follows:
In MSTI1, GE0/0/2 and GE0/0/1 of Switch A are set as designated interfaces because Switch A
is the root bridge of MSTI1. In MSTI2, GE0/0/1 of Switch A is set as the designated interface
and GE0/0/2 is set as the root interface.
# Run the display stp brief command on Switch B. The displayed information is as follows:
[SwitchB] display stp brief
In MSTI2, GE0/0/1 and GE0/0/2 of Switch B are set as designated interfaces because Switch B
is the root bridge of MSTI2. In MSTI1, GE0/0/1 of Switch B is set as the designated interface
and GE0/0/2 is set as the root interface.
# Run the display stp interface brief command on Switch C. The displayed information is as
follows:


GE0/0/1 of Switch C is the root interface of MSTI1, and is blocked in MSTI2. GE0/0/4 of Switch
C is the root interface of MSTI2, and is blocked in MSTI1.
Step 5 Connect devices.
# Assign an IP address to each interface, for example, the interfaces on SwitchA. The
configurations on SwitchB are similar to the configurations on SwitchA. For details, see the
configuration file.
[SwitchA] interface vlanif 2
[SwitchA-Vlanif2] ip address 10.1.2.102 24
[SwitchA-Vlanif2] quit
# Run OSPF on SwitchA, SwitchB, and routers. The configurations on SwitchA are used as an
example. The configurations on SwitchB are similar to the configurations on SwitchA. For
details, see the configuration file.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.2.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
Step 6 Configure VRRP groups.

# Create VRRP group 1 on SwitchA and SwitchB. Set SwitchA as the master device, priority
to 120, and preemption delay to 20 seconds. Set SwitchB as the backup device and retain the
default priority.
[SwitchA-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
[SwitchA-Vlanif2] vrrp vrid 1 priority 120
[SwitchA-Vlanif2] vrrp vrid 1 preempt-mode timer delay 20
[SwitchB-Vlanif2] vrrp vrid 1 virtual-ip 10.1.2.100
# Create VRRP group 2 on SwitchA and SwitchB. Set SwitchB as the master device, priority to
120, and preemption delay to 20 seconds. Set SwitchA as the backup device and retain the default
priority.
[SwitchB-Vlanif3] vrrp vrid 2 priority 120
[SwitchB-Vlanif3] vrrp vrid 2 preempt-mode timer delay 20

# Set the virtual IP address 10.1.2.100 of VRRP group 1 as the default gateway of Host A, and
the virtual IP address 10.1.3.100 of VRRP group 2 as the default gateway of Host B.
# After completing the preceding configurations, run the display vrrp command on SwitchA.
SwitchA's VRRP status is master in VRRP group 1 and backup in VRRP group 2.
<SwitchA> display vrrp
Vlanif2 | Virtual Router 1
State : Master
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-05-11 11:39:18 UTC
+08:00
Last change time : 2012-05-26 11:38:58 UTC+08:00

State : Backup
Virtual IP : 10.1.3.100
Master IP : 10.1.3.103
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Create time : 2012-05-11 11:40:18 UTC
+08:00
# Run the display vrrp command on SwitchB. SwitchB's VRRP status is backup in VRRP group
1 and master in VRRP group 2.
<SwitchB> display vrrp
State : Backup
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE

Virtual MAC : 0000-5e00-0101

Check TTL : YES
Create time : 2012-05-11 11:39:18 UTC
+08:00

State : Master
Virtual IP : 10.1.3.100
Master IP : 10.1.3.103
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Create time : 2012-05-11 11:40:18 UTC
+08:00
----End
Configuration File
l Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 2 to 4
#
stp enable
#
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#
interface Vlanif2
ip address 10.1.2.102 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.2.100
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif3
ip address 10.1.3.102 255.255.255.0
#
interface Vlanif4
ip address 10.1.4.102 255.255.255.0
#
stp root-protection
#

#
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
#
return
l Configuration file of Switch B

#
sysname SwitchB
#
vlan batch 2 to 3 5
#
stp enable
#
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#
interface Vlanif2
ip address 10.1.2.103 255.255.255.0
#
interface Vlanif3
ip address 10.1.3.103 255.255.255.0
#
interface Vlanif5
ip address 10.1.5.103 255.255.255.0
#
stp root-protection
#
#
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.5.0 0.0.0.255
#
return

l Configuration file of Switch C

#
sysname SwitchC
#
vlan batch 2 to 3
#
stp enable
#
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#
#
port default vlan 2
stp disable
#
port default vlan 3
stp disable
#
#
return
3.9.3 Example for Connecting CEs to the VPLS in Dual-Homing

Mode Through MSTP
As shown in Figure 3-40, each CE is dual-homed to PEs. The PEs establish a VPLS full mesh.
The CEs and PEs run the MSTP protocol. Generally, traffic is forwarded through the primary
link. When the primary link fails, traffic is switched to the secondary link.
NOTE

Figure 3-40 Network diagram for connecting CEs to the VPLS in dual-homing mode
1.1.1.1/32 2.2.2.2/32
PE1 PE2
GE0/0/1 GE0/0/2 GE0/0/2 GE0/0/1
GE0/0/1 GE0/0/3 GE0/0/3 GE0/0/1
GE0/0/2 VPLS GE0/0/2
CE1 GE0/0/3 GE0/0/2 CE2
PC1 GE0/0/4 GE0/0/2 GE0/0/3 GE0/0/4 PC2
10.1.1.1/24 GE0/0/1 GE0/0/1 10.1.1.2/24
PE4 PE3
4.4.4.4/32 3.3.3.3/32
Switch Interface VLANIF interface IP address
GigabitEthernet0/0/2 VLANIF 10 172.1.1.1/24
Loopback1 - 1.1.1.1/32
Loopback1 - 2.2.2.2/32
Loopback1 - 3.3.3.3/32
Loopback1 - 4.4.4.4/32
CE1 GigabitEthernet0/0/1 VLANIF 100 -
GigabitEthernet0/0/4 VLANIF 100 -
CE2 GigabitEthernet0/0/1 VLANIF 100 -

1. Configure the routing protocol on the backbone network to implement interworking.
2. Set up a remote LDP session between the PEs.
3. Establish a VPLS full mesh between PEs.
4. Configure MSTP. Configure PE1 and PE2 as the primary roots, and configure PE3 and
PE4 as the secondary roots.
Procedure
NOTE
l Do not add the AC-side physical interface and PW-side physical interface of a PE to the same VLAN;
otherwise, a loop occurs.
l Packets sent from the CEs to the PEs must contain VLAN tags.
Step 2 Configure the IGP protocol. OSPF is used in this example.

When configuring OSPF, advertise 32-bit loopback interface addresses (LSR IDs) of PE1, PE2,
PE3, and PE4.
For the configuration procedure, see the S2350&S5300&S6300 Series Ethernet Switches
Configuration Guide - IP Routing.
PE2. The command output shows that PE1, P, and PE2 have learned routes from each other.
Step 3 Configure basic MPLS functions and LDP.
For the configuration details, see the S2350&S5300&S6300 Series Ethernet Switches
Configuration Guide - MPLS.
PE2. The command output shows that the peer relationships have been set up between PE1 and
P, and between P and PE2, and the status of the peer relationships is Operational. Run the display
mpls lsp command to view the information about the established LSP.
Step 4 Create a remote LDP session between PEs.
# Configure PE1.
# Configure PE2.
# Configure PE3.

# Configure PE4.
After the configuration is complete, run the display mpls ldp session command on the PEs. The
command output shows that the status of the remote LDP peer relationship is Operational,
indicating that remote LDP sessions have been set up. The output on PE1 is used as an example:
[PE1] display mpls ldp session
Codes: LAM(Label Advertisement Mode)
SsnAge Unit(DDDD:HH:MM)
A "*" before a session means the session is being deleted.
------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 5 Enable MPLS L2VPN on PE1.
# Configure PE1.
[PE1] mpls l2vpn
# Configure PE2.
[PE2] mpls l2vpn
# Configure PE3.
[PE3] mpls l2vpn
# Configure PE4.
[PE4] mpls l2vpn
Step 6 Configure a VSI on the PEs.
# Configure PE1.
[PE1] vsi a2 static
# Configure PE2.
[PE2] vsi a2 static
Configuration of PE3 and PE3 is similar to configuration of PE1 and PE2.
Step 7 Bind the VSI to interfaces on the PEs.
# Configure PE1.

[PE1] interface gigabitethernet 0/0/1.1

# Configure PE2.
# Configure PE3.
# Configure PE4.
Step 8 Configure STP.

1. Configure the MST region and activate the region.
# Configure PE1.
[PE1] stp region-configuration
[PE1-mst-region] region-name RG1
[PE1-mst-region] active region-configuration
[PE1-mst-region] quit
# Configure PE4.
# Configure CE1.
[CE1] stp region-configuration
[CE1-mst-region] region-name RG1
[CE1-mst-region] active region-configuration
[CE1-mst-region] quit
# Configure PE2.
# Configure PE3.
# Configure CE2.
[CE2-mst-region] region-name RG1
2. Configure the priorities of the PEs to make PE1 and PE2 the primary roots and PE3 and
PE4 the secondary roots.

# Configure PE1.
[PE1] stp instance 0 priority 0
# Configure PE2.
# Configure PE3.
# Configure PE4.
3. Enable association between MSTP and VPLS on the CEs and PEs, and configure root
protection on the secondary roots.
# Configure CE1.
[CE1] stp enable
[CE1-GigabitEthernet0/0/4] stp enable
# Configure CE2.
[CE2] stp enable
# Configure PE1.
[PE1] stp enable
[PE1-GigabitEthernet0/0/1] stp vpls-subinterface enable
[PE1-GigabitEthernet0/0/1] stp enable
[PE1-GigabitEthernet0/0/2] stp disable
# Configure PE2.
[PE2] stp enable
# Configure PE3.
[PE3] stp enable
[PE3-GigabitEthernet0/0/1] stp root-protection


# Configure PE4.
[PE4] stp enable
[PE4-GigabitEthernet0/0/1] stp root-protection
Run the display vsi name a2 verbose command on PE1. The command output shows that the
VSI state is Up.
***VSI Name : a2
VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mode : uniform
Service Class : --
Color : --
DomainId : 0
Domain Name :
VSI State : up
VSI ID : 2
VC Label : 27648
Peer Type : dynamic
Session : up
VC Label : 27649
Peer Type : dynamic
Session : up
VC Label : 27650
Peer Type : dynamic
Session : up
Interface Name : GigabitEthernet 0/0/1.1

State : up
**PW Information:

PW State : up
PW Type : label
PW State : up
PW Type : label
PW State : up
PW Type : label
PC1 (10.1.1.1) can ping PC2 (10.1.1.2).

<PC1> ping 10.1.1.2
0.00% packet loss
When the link between CE1 and PE1 fails or PE1 is faulty, PE4 becomes the primary root. In
this case, PC1 and PE2 can still ping each other.
----End
Configuration Files
#
sysname CE1
#
vlan batch 100
#
stp enable
#
interface Vlanif100
#
stp region-
configuration
region-name
RG1
active region-
configuration
#
interface GigabitEthernet 0/0/1
#

#


#
return

#
sysname CE2
#
vlan batch 100
#
stp enable
#
interface Vlanif100
#
stp region-
configuration
region-name
RG1
active region-
configuration
#
#

#
#
return

#
sysname PE1
#
vlan batch 10 40
#
stp instance 0 priority 0
stp enable
#
stp region-
configuration
region-name
RG1
active region-
configuration
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 2.2.2.2
peer 3.3.3.3
peer 4.4.4.4
#
mpls ldp

#
remote-ip 3.3.3.3
#
interface Vlanif 10
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif 40
ip address 172.4.1.2 255.255.255.0
mpls
mpls ldp
#
stp vpls-subinterface enable

#
interface GigabitEthernet 0/0/1.1
l2 binding vsi a2
#

stp disable
#

stp disable
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.4.1.0 0.0.0.255
#
return

#
sysname PE2
#
vlan batch 10 20
#
stp enable
#
stp region-
configuration
region-name
RG1
active region-
configuration
#
mpls lsr-id 2.2.2.2
mpls
#
mpls l2vpn
#
vsi a2 static

pwsignal ldp
vsi-id 2
peer 1.1.1.1
peer 3.3.3.3
peer 4.4.4.4
#
mpls ldp
#
remote-ip 4.4.4.4
#
interface Vlanif10
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#

#
l2 binding vsi a2
#
stp disable
#
stp disable
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
return

#
sysname PE3
#
vlan batch 20 30
#
stp enable
#
stp region-
configuration
region-name
RG1
active region-
configuration
#
mpls lsr-id 3.3.3.3

mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
peer 2.2.2.2
peer 4.4.4.4
#
mpls ldp
#
remote-ip 1.1.1.1
#
interface Vlanif20
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 172.3.1.1 255.255.255.0
mpls
mpls ldp
#
stp root-protection
#
l2 binding vsi a2
#
stp disable
#
stp disable
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.2.1.0 0.0.0.255
network 172.3.1.0 0.0.0.255
network 3.3.3.3 0.0.0.0
#
return

#
sysname PE4
#
vlan batch 30 40
#
stp enable
#
stp region-
configuration

region-name
RG1
active region-
configuration
#
mpls lsr-id 4.4.4.4
mpls
#
mpls l2vpn
#
vsi a2 static
pwsignal ldp
vsi-id 2
peer 1.1.1.1
peer 2.2.2.2
peer 3.3.3.3
#
mpls ldp
#
remote-ip 2.2.2.2
#
interface Vlanif30
ip address 172.3.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 172.4.1.1 255.255.255.0
mpls
mpls ldp
#
stp root-protection
#
l2 binding vsi a2
#
stp disable
#
stp disable
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.3.1.0 0.0.0.255
network 172.4.1.0 0.0.0.255
network 4.4.4.4 0.0.0.0
#
return

3.9.4 Example for Configuring MSTP Multi-Process for Layer 2

Single-Access Rings and Layer 2 Multi-Access Rings
On the network with both Layer 2 single-access rings and multi-access rings deployed, switching
devices transmit both Layer 2 and Layer 3 services. To enable different rings to transmit different
services, configure MSTP multi-process. Spanning trees of different processes are calculated
independently.
As shown in Figure 3-41, both Layer 2 single-access rings and dual-access rings are deployed
and switches A and B carry both Layer 2 and Layer 3 services. Switches A and B connected to
dual-access rings are also connected to a single-access ring.
NOTE
In the ring where MSTP multi-process is configured, you are advised not to block the interface directly
connected to the root protection-enabled designated port.
Figure 3-41 MSTP multi-process for Layer 2 single-access rings and multi-access rings
Network
SwitchC
GE0/0/5 GE0/0/5
Region name:RG1
PE2
PE1 SwitchB
SwitchA
CE CE
GE0/0/4 GE0/0/1 GE0/0/4
GE0/0/1
GE0/0/3 GE0/0/3
GE0/0/2 GE0/0/2
CE
CE
Instance1:VLAN2~100 Instance3:VLAN201~300
Process 1
Process 3
CE CE
Instance2:VLAN101~200
Process 2

1. Configure basic MSTP functions, add devices to MST regions, and create MSTIs.
NOTE
l Each ring can belong to only one region.

l Each CE can join only one ring.
2. Configure multiple MSTP processes:
a. Create multiple MSTP processes and add interfaces to these processes.
b. Configure a shared link.
3. Configure MSTP protection functions:
l Configure priorities of MSTP processes and enable root protection.
l Configure shared link protection.
4. Configure the Layer 2 forwarding function on devices.
Procedure
Step 1 Configure basic MSTP functions, add devices to an MST region, and create MSTIs.
1. Configure MST regions and create MSTIs.
# Configure an MST region and create MSTIs on SwitchA.
# Configure an MST region and create MSTIs on SwitchB.

2. Enable MSTP.
# Configure SwitchA.
# Configure SwitchB.
Step 2 Configure multiple MSTP processes.

1. Create multiple MSTP processes and add interfaces to these processes.
# Create MSTP processes 1 and 2 on SwitchA.
[SwitchA] stp process 1
[SwitchA-mst-process-1] quit
# Create MSTP processes 2 and 3 on SwitchB.

[SwitchB] stp process 2

[SwitchB-mst-process-2] quit
[SwitchB-mst-process-3] quit
# Add GE 0/0/3 and GE 0/0/4 on SwitchA to MSTP process 1 and GE 0/0/2 to MSTP
process 2.
[SwitchA-GigabitEthernet0/0/4] stp enable
[SwitchA-GigabitEthernet0/0/4] bpdu enable
[SwitchA-GigabitEthernet0/0/4] stp binding process 1
# Add GE 0/0/3 and GE 0/0/4 on SwitchB to MSTP process 3 and GE 0/0/2 to MSTP
process 2.
[SwitchB-GigabitEthernet0/0/4] stp enable
[SwitchB-GigabitEthernet0/0/4] bpdu enable
[SwitchB-GigabitEthernet0/0/4] stp binding process 3
2. Configure a shared link.

[SwitchA-GigabitEthernet0/0/1] stp binding process 2 link-share
[SwitchB-GigabitEthernet0/0/1] stp binding process 2 link-share
3. Enable the MSTP function in MSTP multi-process.

[SwitchA-stp-process-1] stp enable
[SwitchA-stp-process-1] quit
[SwitchA-stp-process-2] stp enable


[SwitchB-stp-process-3] stp enable
[SwitchB-stp-process-3] quit
[SwitchB-stp-process-2] stp enable
Step 3 Configure MSTP protection functions.

l Configure priorities of MSTP processes and enable root protection.
[SwitchA-mst-process-1] stp instance 0 root primary
[SwitchB-stp-process-3] stp instance 0 root primary
[SwitchB-stp-process-3] stp instance 3 root primary
[SwitchB-stp-process-2] stp instance 0 root secondary
[SwitchB-stp-process-2] stp instance 2 root secondary
NOTE
l In each ring, the priority of the MSTP process on the downstream CE must be lower than the priority
of the MSTP process on the switching device.
l For switches A and B on the dual-access ring, you are recommended to configure them as the
primary root bridges of different MSTIs.
l Configure shared link protection.
[SwitchA-stp-process-2] stp link-share-protection
[SwitchB-stp-process-2] stp link-share-protection
Step 4 Create VLANs and add interfaces to VLANs.

# Create VLANs 2 to 200 on SwitchA. Add GE 0/0/3 and GE 0/0/4 to VLANs 2 to 100, and add
GE 0/0/1 and GE 0/0/2 to VLANs 101 to 200.


# Create VLANs 101 to 300 on SwitchB. Add GE 0/0/3 and GE 0/0/4 to VLANs 201 to 300,
and add GE 0/0/1 and GE 0/0/2 to VLANs 101 to 200.

l Run the display stp interface brief command on SwitchA.
# GE 0/0/4 is a designated port in the CIST of MSTP process 1 and in MSTI 1.
[SwitchA] display stp process 1 interface GiabitEthernet 0/0/4 brief

[SwitchA] display stp process 2 interface giabitethernet 0/0/2 brief
l Run the display stp interface brief command on SwitchB.

[SwitchB] display stp process 3 interface giabitethernet 0/0/4 brief

[SwitchB] display stp process 2 interface giabitethernet 0/0/2 brief
----End

Configuration Files
Only the MSTP-related configuration files are provided.

#
sysname
SwitchA
#
vlan batch 2 to
300
#
stp enable
#
stp region-
configuration
region-name
RG1
instance 1 vlan 2 to
100
200
300
active region-
configuration
#
stp process
1
stp instance 0 root
primary
stp instance 1 root
primary
stp
enable
stp process
2
stp instance 0 root
primary
stp instance 2 root
primary
stp link-share-
protection
stp
enable
#
interface
GigabitEthernet0/0/1
port trunk allow-pass vlan 101 to
200
stp binding process 2 link-share
#
interface
200
stp binding process
2
stp root-
protection
#

100
stp binding process
1
#
100
stp binding process 1
#
return

#
sysname
SwitchB
#
vlan batch 2 to
300
#
stp enable
#
stp region-
configuration
region-name
RG1
100
200
300
active region-
configuration
#
stp process
2
stp instance 0 root
secondary
stp instance 2 root
secondary
stp link-share-
protection
stp
enable
stp process
3
stp instance 0 root
primary
stp instance 3 root
primary
stp
enable
#
200
stp binding process 2 link-
share
#
200
stp binding process
2

stp root-
protection
#
300
stp binding process
3
#
300
stp binding process
3
#
return
3.10 SEP Configuration

Smart Ethernet Protection (SEP) is a ring network protocol specially used for the Ethernet link
layer. It blocks redundant links to prevent logical loops on a ring network.
3.10.1 Example for Configuring SEP on a Closed Ring Network
Generally, redundant links are used to connect an Ethernet switching network to an upper-layer
network to provide link backup and enhance network reliability. The use of redundant links,
however, may produce loops, causing broadcast storms and rendering the MAC address table
unstable. As a result, communication quality deteriorates, and services may even be interrupted.
SEP can be deployed on the ring network to eliminate loops and restore communication if a link
fault occurs.
In the closed ring networking, CE1 is dual-homed to a Layer 2 network through multiple Layer
2 switching devices. The two edge devices connected to the upper-layer Layer 2 network are
directly connected to each other. The closed ring network is deployed at the aggregation layer
to transparently transmit Layer 2 unicast and multicast packets. SEP runs at the aggregation layer
to implement link redundancy.
As shown in Figure 3-42, Layer 2 switching devices LSW1 to LSW5 form a ring network.
SEP runs at the aggregation layer.

l When there is no faulty link on a ring network, SEP can eliminate loops on the network.
l When a link fails on the ring network, SEP can rapidly restore communication between
nodes on the network.

Figure 3-42 Networking diagram of a closed ring SEP network
Core
IP/MPLS Core
GE0/0/2 GE0/0/3 GE0/0/2

LSW1 LSW5
GE0/0/3
GE0/0/1 GE0/0/1
Aggregation
SEP
Segment1
GE0/0/1 GE0/0/1
LSW2 LSW4
LSW3
GE0/0/2 GE0/0/2
GE0/0/1 GE0/0/2
GE0/0/3
GE0/0/1
Access
Primary Edge Port

CE1
Secondary Edge Port
VLAN
100 Block Port
1. Configure basic SEP functions.
a. Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the control
VLAN of SEP segment 1.
b. Add all devices on the ring to SEP segment 1, and configure the roles of GE0/0/1 and
GE0/0/3 of LSW1 in SEP segment 1.
c. On the device where the primary edge interface is located, specify the interface with
the highest priority to block.
d. Set priorities of the interfaces in the SEP segment.

Set the highest priority for GE0/0/2 of LSW3 and retain the default priority of the
other interfaces so that GE0/0/2 of LSW3 will be blocked.
e. Configure delayed preemption on the device where the primary edge interface is
located.
2. Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW5.
Procedure
Step 1 Configure basic SEP functions.
1. Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the control VLAN
of SEP segment 1.
# Configure LSW1.
[HUAWEI] sysname LSW1
[LSW1] sep segment 1
[LSW1-sep-segment1] control-vlan 10
[LSW1-sep-segment1] protected-instance all
[LSW1-sep-segment1] quit
# Configure LSW2.
# Configure LSW3.
# Configure LSW4.
# Configure LSW5.
NOTE
l The control VLAN must be a VLAN that has not been created or used, but the configuration file
automatically displays the command for creating the VLAN.
l Each SEP segment must be configured with a control VLAN. After an interface is added to the
SEP segment configured with a control VLAN, the interface is automatically added to the control
VLAN.
2. Add all devices on the ring to SEP segment 1 and configure interface roles on the devices.

NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment,
disable STP on the interface.
# On LSW1, configure GE0/0/1 as the primary edge interface and GE0/0/3 as the secondary
edge interface.
[LSW1] interface gigabitethernet 0/0/1
[LSW1-GigabitEthernet0/0/1] stp disable

[LSW1-GigabitEthernet0/0/1] sep segment 1 edge primary
[LSW1-GigabitEthernet0/0/1] quit

[LSW1-GigabitEthernet0/0/3] sep segment 1 edge secondary
# Configure LSW2.

[LSW2-GigabitEthernet0/0/1] sep segment 1

# Configure LSW3.


# Configure LSW4.


# Configure LSW5.


3. Specify an interface to block.

# On LSW1 where the primary edge interface is located, specify the interface with the
highest priority to block.
[LSW1-sep-segment1] block port optimal
4. Set the priority of GE0/0/2 on LSW3.

[LSW3-GigabitEthernet0/0/2] sep segment 1 priority 128
5. Configure the preemption mode.

# Configure delayed preemption on LSW1.
[LSW1-sep-segment1] preempt delay 30
NOTE
l You must set the preemption delay when delayed preemption is used because there is no default
delay time.
l When the last faulty interface recovers, edge interfaces do not receive any fault notification
packet. If the primary edge interface does not receive any fault notification packet, it starts the
delay timer. When the delay timer expires, nodes in the SEP segment start blocked interface
preemption.
To implement delayed preemption in this example, simulate a port fault and then rectify the fault.
For example:
Run the shutdown command on GE0/0/1 of LSW2 to simulate an interface fault, and then run
the undo shutdown command on GE0/0/2 to rectify the fault.
Step 2 Configure the Layer 2 forwarding function on CE1 and LSW1 to LSW5.
For details about the configuration, see the configuration files.

l Run the shutdown command on GE0/0/1 of LSW3 to simulate an interface fault, and then
run the display sep interface command on LSW3 to check whether GE0/0/2 of LSW3 has
switched from the Discarding state to the Forwarding state.
<LSW3> display sep interface gigabitethernet 0/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE0/0/2 common up forwarding
----End
Configuration Files
l Configuration file of LSW1
#
sysname LSW1
#
#
sep segment 1
control-vlan 10
block port optimal
preempt delay 30
protected-instance 0 to 48
#


stp disable
sep segment 1 edge primary
#

#
port hybrid tagged vlan 10 100 200

stp disable
sep segment 1 edge secondary
#
return

#
sysname LSW2
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#

stp disable
sep segment 1
#

stp disable
sep segment 1
#
return

#
sysname LSW3
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#

stp disable
sep segment 1
#

stp disable
sep segment 1
sep segment 1 priority 128
#


#
return

#
sysname LSW4
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#

stp disable
sep segment 1
#

stp disable
sep segment 1
#
return

#
sysname LSW5
#
#
sep segment 1
control-vlan 10
#

stp disable
sep segment 1
#

#

stp disable
sep segment 1
#
return

#
sysname CE1
#
vlan batch 100
#


#
return
3.10.2 Example for Configuring SEP on a Multi-Ring Network
fault occurs.
In multi-ring networking, multiple rings consisting of Layer 2 switching devices are deployed
at the access layer and aggregation layer. SEP runs at the access layer and aggregation layer to
implement link redundancy.
As shown in Figure 3-43, multiple Layer 2 switching devices form ring networks at the access
layer and aggregation layer.
SEP runs at the access layer and aggregation layer. When there is no faulty link on a ring network,
SEP can eliminate loops on the network. When a link fails on the ring network, SEP can rapidly
restore communication between nodes on the network.

Figure 3-43 Networking diagram of a multi-ring SEP network
Core
IP/MPLS Core
GE0/0/2 GE0/0/2
LSW1 GE0/0/3 GE0/0/3 LSW5

GE0/0/1 GE0/0/1
Aggregation
SEP
GE0/0/1 Segment 1 GE0/0/3
LSW4
LSW2 G GE0/0/1
E0 GE0/0/2
GE0/0/2 /0 LSW3
/3
GE0/0/4
GE0/0/1 GE0/0/2 GE0/0/1 GE0/0/2
Se S
t2
gm EP
gm E P
en
Se S
LSW6 GE0/0/2 en LSW11

GE0/0/2 LSW8 t3
GE0/0/1
GE0/0/1 GE0/0/1 GE0/0/2
GE0/0/1 GE0/0/2 LSW9 GE0/0/1
LSW7 GE0/0/3 LSW10 GE0/0/3
Access
GE0/0/1 GE0/0/1
CE2
CE1
VLAN VLAN
200 100
Primary Edge Port Control VLAN 10

Secondary Edge Port Control VLAN 20
Block Port Control VLAN 30


a. Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30
as their respective control VLANs.
l Configure SEP segment 1 on LSW1 to LSW5 and configure VLAN 10 as the
control VLAN of SEP segment 1.
l Configure SEP segment 2 on LSW2, LSW3, and LSW6 to LSW8, and configure
VLAN 20 as the control VLAN of SEP segment 2.
l Configure SEP segment 3 on LSW3, LSW4, and LSW9 to LSW11, and configure
VLAN 30 as the control VLAN of SEP segment 3.
b. Add devices on the rings to the SEP segments and configure interface roles on the
edge devices of the SEP segments.
l On LSW1 to LSW5, add the interfaces on the ring at the access layer to SEP
segment 1. Configure the roles of GE0/0/1 and GE0/0/3 of LSW1 in SEP segment
1.
l Add GE0/0/2 of LSW2, GE0/0/1 and GE0/0/2 of LSW6 to LSW8, and GE0/0/2
of LSW3 to SEP segment 2. Configure the roles of GE0/0/2 of LSW2 and
GE0/0/2 of LSW3 in SEP segment 2.
l Add GE0/0/1 of LSW3, GE0/0/1 and GE0/0/2 of LSW9 to LSW11, and
GE0/0/1 of LSW4 to SEP segment 3. Configure the roles of GE0/0/1 of LSW3
and GE0/0/1 of LSW4 in SEP segment 3.
c. Specify an interface to block on the device where the primary edge interface is located.
l In SEP segment 1, specify the interface with the highest priority to block.
l In SEP segment 2, specify the device and interface names to block the specified
interface.
l In SEP segment 3, specify the blocked interface based on the configured hop count.
d. Configure the preemption mode on the device where the primary edge interface is
located.
Configure delayed preemption in SEP segment 1 and manual preemption in SEP
segment 2 and SEP segment 3.
e. Configure the topology change notification function on the edge devices between SEP
segments, namely, LSW2, LSW3, and LSW4.
2. Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW11.
Procedure
1. Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30 as their
respective control VLANs, as shown in Figure 3-43.
# Configure LSW1.
# Configure LSW2.

# Configure LSW3.
# Configure LSW4.
# Configure LSW5.
# Configure LSW6 to LSW11.

The configurations of LSW6 to LSW11 are similar to the configurations of LSW1 to
LSW5 except for the control VLANs of different SEP segments.
NOTE
VLAN.
2. Add devices on the rings to the SEP segments and configure interface roles according to
Figure 3-43.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment,
disable STP on the interface.

edge interface.


# Configure LSW2.



[LSW2-sGigabitEthernet0/0/2] sep segment 2 edge primary
# Configure LSW3.




# Configure LSW4.




# Configure LSW5.


# Configure LSW6 to LSW11.

The configurations of LSW6 to LSW11 are similar to the configurations of LSW1 to
LSW5 except for the interface roles.
# On LSW1 where the primary edge interface of SEP segment 1 is located, specify the
interface with the highest priority to block.
[LSW1-sep-segment1] block port optimal
# On LSW3, set the priority of GE0/0/4 to 128, which is the highest priority among the
interfaces so that GE0/0/4 will be blocked.
Retain the default priority of the other interfaces in SEP segment 1.

# On LSW2 where the primary edge interface of SPE segment 2 is located, specify the
device and interface names so that the specified interface will be blocked.
Before specifying the interface to block, use the display sep topology command to view
the current topology information and obtain information about all the interfaces in the
topology. Then specify the device and interface names.
[LSW2-sep-segment2] block port sysname LSW7 interface gigabitethernet 0/0/1
# On LSW4 where the primary edge interface of SEP segment 3 is located, specify the
blocked interface based on the configured hop count.
[LSW4-sep-segment3] block port hop 5
NOTE
SEP sets the hop count of the primary edge interface to 1 and the hop count of the secondary edge
interface to 2. Hop counts of other interfaces increase by steps of 1 in the downstream direction of
the primary interface.
# Configure delayed preemption on LSW1.

NOTE
l You must set the preemption delay when delayed preemption is used because there is no default
delay time.
l When the last faulty interface recovers, edge interfaces do not receive any fault notification
packet. If the primary edge interface does not receive any fault notification packet, it starts the
delay timer. When the delay timer expires, nodes in the SEP segment start blocked interface
preemption.
To implement delayed preemption in this example, simulate a port fault and then rectify the fault.
For example:
Run the shutdown command on GE0/0/1 of LSW2 to simulate an interface fault, and then run
the undo shutdown command on GE0/0/2 to rectify the fault.
# Configure manual preemption on LSW2.
[LSW2-sep-segment2] preempt manual
# Configure the manual preemption mode on LSW4.

5. Configure the topology change notification function.

# Configure devices in SEP segment 2 to notify SEP segment 1 of topology changes.
# Configure LSW2.
[LSW2-sep-segment2] tc-notify segment 1
# Configure LSW3.
# Configure SEP segment 3 to notify SEP segment 1 of topology changes.

# Configure LSW3.
# Configure LSW4.
NOTE
The topology change notification function is configured on edge devices between SEP segments so
that the upper-layer network can be notified of topology changes on the lower-layer network.
Step 2 Configure the Layer 2 forwarding function on the CEs and LSW1 to LSW11.
After completing the preceding configurations, verify the configuration. LSW1 is used as an
example.


SEP segment 1
----------------------------------------------------------------
----------------------------------------------------------------
----End
Configuration Files
#
sysname LSW1
#
vlan batch 10 100 200 300
#
sep segment 1
control-vlan 10
block port optimal
preempt delay 30
#

stp disable
#

#
port hybrid tagged vlan 10 100 200 300

stp disable
#
return

#
sysname LSW2
#
vlan batch 10 20 100 200
#
sep segment 1
control-vlan 10
sep segment 2
control-vlan 20
block port sysname LSW7 interface GigabitEthernet0/0/1
tc-notify segment 1
#

stp disable
sep segment 1
#


stp disable
#

stp disable
sep segment 1
#
return

#
sysname LSW3
#
vlan batch 10 20 30 100 200
#
sep segment 1
control-vlan 10
sep segment 2
control-vlan 20
tc-notify segment 1
sep segment 3
control-vlan 30
tc-notify segment 1
#

stp disable
#

stp disable
#

stp disable
sep segment 1
#

stp disable
sep segment 1
#
return

#
sysname LSW4
#
vlan batch 10 30 100 200
#
sep segment 1
control-vlan 10
sep segment 3

control-vlan 30
block port hop 5
tc-notify segment 1
#

stp disable
#

stp disable
sep segment 1
#

stp disable
sep segment 1
#
return

#
sysname LSW5
#
vlan batch 10 100 200 300
#
sep segment 1
control-vlan 10
#

stp disable
sep segment 1
#

#
port hybrid tagged vlan 10 100 200 300

stp disable
sep segment 1
#
return

#
sysname LSW6
#
vlan batch 20 200
#
sep segment 2
control-vlan 20
#


stp disable
sep segment 2
#

stp disable
sep segment 2
#
return

#
sysname LSW7
#
vlan batch 20 200
#
sep segment 2
control-vlan 20
#

stp disable
sep segment 2
#

stp disable
sep segment 2
#

#
return

#
sysname LSW8
#
vlan batch 20 200
#
sep segment 2
control-vlan 20
#

stp disable
sep segment 2
#

stp disable
sep segment 2
#
return

#
sysname LSW9

#
vlan batch 30 100
#
sep segment 3
control-vlan 30
#

stp disable
sep segment 3
#

stp disable
sep segment 3
#
return

#
sysname LSW10
#
vlan batch 30 100
#
sep segment 3
control-vlan 30
#

stp disable
sep segment 3
#

stp disable
sep segment 3
#

#
return

#
sysname LSW11
#
vlan batch 30 100
#
sep segment 3
control-vlan 30
#

stp disable
sep segment 3
#


stp disable
sep segment 3
#
return

#
sysname CE1
#
vlan batch 100
#

#
return

#
sysname CE2
#
vlan batch 200
#

#
return
3.10.3 Example for Configuring a Hybrid SEP+MSTP Ring Network
fault occurs.
NOTE
In this example, devices at the aggregation layer run the MSTP protocol.
As shown in Figure 3-44, multiple Layer 2 switching devices form a ring at the access layer,
and multiple Layer 3 devices form a ring at the aggregation layer. The two devices where the
access layer and the aggregation layer are intersected do not support SEP. You can configure
SEP at the access layer to implement redundancy protection switching and configure the
topology change notification function on an edge device in a SEP segment. This function enables
an upper-layer network to detect topology changes in a lower-layer network in time.
l When there is no faulty link on the ring network, SEP can eliminate loops.
l When a link fails on the ring network, SEP can rapidly restore communication between
nodes.
l The topology change notification function must be configured on an edge device in a SEP
segment. This enables an upper-layer network to detect topology changes in a lower-layer
network in time.

After receiving a message indicating the topology change in a lower-layer network, a device on
an upper-layer network sends TC packets to instruct other devices to delete original MAC
addresses and learn new MAC addresses after the topology of the lower-layer network changes.
This ensures uninterrupted traffic forwarding.
Figure 3-44 Networking diagram of a hybrid-ring SEP network
IP/MPLS Core
Core
GE0/0/2
GE0/0/3 GE0/0/3
GE0/0/2
Aggregation
PE3 PE4
GE0/0/1
GE0/0/1
MSTP
GE0/0/2 PE1 PE2 GE0/0/2
GE0/0/3
GE0/0/1 Do not Support SEP GE0/0/1
GE0/0/1 GE0/0/1
SEP
LSW1 Segment1 LSW2
GE0/0/2 GE0/0/2
GE0/0/2 GE0/0/1
Access
GE0/0/3 LSW3
GE0/0/1
CE
No-neighbor Primary Edge Port
No-neighbor Secondary Edge Port
VLAN100
Block Port(SEP)
Block Port(MSTP)


a. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the control
VLAN of SEP segment 1.
b. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles on the edge
devices (LSW1 and LSW2) of the SEP segment.
NOTE
PE1 and PE2 do not support the SEP protocol; therefore, the interfaces of LSW1 and LSW2
connected to the PEs must be no-neighbor edge interfaces.
c. On the device where the no-neighbor primary edge interface is located, specify the
interface in the middle of the SEP segment as the interface to block.
d. Configure manual preemption.
e. Configure the topology change notification function so that the upper-layer network
running MSTP can be notified of topology changes in the SEP segment.
2. Configure basic MSTP functions.
a. Add LSW1, LSW2, PE1 to PE4 to an MST region RG1.
b. Create VLANs on LSW1, LSW2, PE1 to PE4 and add interfaces on the STP ring to
the VLANs.
c. Configure PE3 as the root bridge and PE4 as the backup root bridge.
3. Configure the Layer 2 forwarding function on CE and LSW1 to LSW3.
Procedure
1. Configure SEP segment 1 on LSW1 to LSW3 and configure VLAN 10 as the control VLAN
of SEP segment 1.
# Configure LSW1.
# Configure LSW2.
# Configure LSW3.

NOTE
VLAN.
2. Add LSW1 to LSW3 to SEP segment 1 and configure interface roles.
# Configure LSW1.
[LSW1-GigabitEthernet0/0/1] sep segment 1 edge no-neighbor primary


# Configure LSW2.
[LSW2-GigabitEthernet0/0/1] sep segment 1 edge no-neighbor secondary


# Configure LSW3.



# On LSW1 where the no-neighbor primary edge interface of SEP segment 1 is located,
specify the interface in the middle of the SEP segment as the interface to block.
[LSW1-sep-segment1] block port middle

# Configure the manual preemption mode on LSW1.

# Configure devices in SEP segment 1 to notify the MSTP network of topology changes.
# Configure LSW1.
[LSW1-sep-segment1] tc-notify stp
# Configure LSW2.


[LSW2-sep-segment1] tc-notify stp

1. Configure an MST region.
# Configure PE1.
# Configure PE2.
# Configure PE3.
# Configure PE4.
# Configure LSW1.
[LSW1] stp region-configuration
[LSW1-mst-region] region-name RG1
[LSW1-mst-region] active region-configuration
[LSW1-mst-region] quit
# Configure LSW2.
[LSW2-mst-region] region-name RG1
2. Create VLANs and add interfaces to VLANs.

# On PE1, create VLAN 100 and add GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1-GigabitEthernet0/0/1] port hybrid tagged vlan 100




# On PE2, PE3, and PE4, create VLAN 100 and add GE0/0/1, GE0/0/2, and GE0/0/3 to
VLAN 100.
The configurations of PE2, PE3, and PE4 are similar to the configuration of PE1. For details
about the configuration, see the configuration files.
# On LSW1 and LSW2, create VLAN 100 and add GE0/0/1 to VLAN 100. The
configurations of LSW1 and LSW2 are similar to the configuration of PE1. For details
about the configuration, see the configuration files.
3. Enable MSTP.
# Configure PE1.
[PE1] stp enable
# Configure PE2.
[PE2] stp enable
# Configure PE3.
[PE3] stp enable
# Configure PE4.
[PE4] stp enable
# Configure LSW1.
[LSW1] stp enable
# Configure LSW2.
[LSW2] stp enable
4. Configure PE3 as the root bridge and PE4 as the backup root bridge.
# Set the priority of PE3 to 0 in MSTI0 to ensure that PE3 functions as the root bridge.
[PE3] stp root primary
# Set the priority of PE4 to 4096 in MSTI0 to ensure that PE4 functions as the backup root
bridge.
[PE4] stp root secondary
Step 3 Configure the Layer 2 forwarding function on the CE and LSW1 to LSW3.
After the configurations are complete and network becomes stable, run the following commands
to verify the configuration. LSW1 is used as an example.
SEP segment 1
----------------------------------------------------------------
----------------------------------------------------------------
----End

Configuration Files
#
sysname LSW1
#
vlan batch 10 100
#
stp enable
#
region-name RG1
#
sep segment 1
control-vlan 10
block port middle
tc-notify stp
#

sep segment 1 edge no-neighbor primary
#

stp disable
sep segment 1
#
return

#
sysname LSW2
#
vlan batch 10 100
#
stp enable
#
region-name RG1
#
sep segment 1
control-vlan 10
tc-notify stp
#

sep segment 1 edge no-neighbor secondary
#

stp disable
sep segment 1
#
return

#
sysname LSW3
#

vlan batch 10 100

#
sep segment 1
control-vlan 10
#

stp disable
sep segment 1
#

stp disable
sep segment 1
#
port hybrid tagged vlan vlan 100

#
return

#
sysname PE1
#
vlan batch 100
#
stp enable
#
region-name RG1
#

#

#

#
return

#
sysname PE2
#
vlan batch 100
#
stp enable
#
region-name RG1
#

#


#

#
return

#
sysname PE3
#
vlan batch 100 200
#
stp enable
#
region-name RG1
#

#

#

#
return

#
sysname PE4
#
vlan batch 100 200
#
stp enable
#
region-name RG1
#

#

#

#
return

l Configuration file of CE
#
sysname CE
#
vlan batch 100
#

#
return
3.10.4 Example for Configuring a Hybrid SEP+RRPP Ring Network

In the networking of this example, you can configure SEP at the access layer to implement
redundancy protection switching and configure the topology change notification function on an
edge device in a SEP segment. This enables an upper-layer network to detect topology changes
in a lower-layer network in time.
fault occurs.

Figure 3-45 Hybrid rings running SEP and RRPP
Network
NPE1 NPE2
GE0/0/2
GE0/0/3 GE0/0/3
GE0/0/2
Aggregation
PE3 PE4
GE0/0/1
GE0/0/1
RRPP
GE0/0/2 PE1 PE2 GE0/0/2
GE0/0/3
GE0/0/1 GE0/0/1
GE0/0/1 GE0/0/1
SEP
LSW1 Segment1 LSW2
GE0/0/2 GE0/0/2
GE0/0/2 GE0/0/1
Access
GE0/0/3LSW3
GE0/0/1
CE
Primary Edge Port
Secondary Edge Port
VLAN100
Block Port(SEP)
Block Port(RRPP)
As shown in Figure 3-45, multiple Layer 2 switching devices at the access layer and aggregation
layer form a ring network to access the core layer. RRPP has been configured at the aggregation
layer to eliminate loops. In this case, SEP needs to run at the access layer to implement the
following functions:
l Eliminates loops when there is no faulty link on the ring network.
l Rapidly restores communication between nodes when a link fault occurs on the ring
network.
l Provides the topology change notification function on an edge device in a SEP segment.
This function enables an upper-layer network to detect topology changes in a lower-layer
network in time.

After receiving a message indicating the topology change in a lower-layer network, a device
on an upper-layer network sends TC packets to instruct other devices to delete original
MAC addresses and learn new MAC addresses after the topology of the lower-layer
network changes. This ensures uninterrupted traffic forwarding.

a. Configure SEP segment 1 on PE1, PE2, and LSW1 to LSW3 and configure VLAN
10 as the control VLAN of SEP segment 1.
b. Add PE1, PE2, and LSW1 to LSW3 to SEP segment 1, and configure interface roles
on edge devices (PE1 and PE2) of the SEP segment.
c. Set an interface blocking mode on the device where a primary edge interface is located
to specify an interface to block.
d. Configure the preemption mode to ensure that the specified interface is blocked when
a fault is rectified.
e. Configure the topology change notification function so that the topology change in
the local SEP segment can be notified to the upper-layer network where RRPP is
enabled.
2. Configure basic RRPP functions.
a. Add PE1 to PE4 to RRPP domain 1, create control VLAN 5 on PE1 to PE4, and
configure a protected VLAN.
b. Configure PE1 as the master node and PE2 to PE4 as transit nodes on the major ring,
and configure the primary and secondary interfaces of the major ring.
c. Create a VLAN on PE1 to PE4, and add the interfaces on the RRPP ring network to
the VLAN.
3. Configure the Layer 2 forwarding function on the CE, LSW1 to LSW3, and PE1 to PE4.
Procedure
1. Configure SEP segment 1 on PE1, PE2, and LSW1 to LSW3 and configure VLAN 10 as
the control VLAN of SEP segment 1.
# Configure PE1.
[PE1] sep segment 1
[PE1-sep-segment1] control-vlan 10
[PE1-sep-segment1] protected-instance all
[PE1-sep-segment1] quit
# Configure PE2.
[PE2] sep segment 1

# Configure LSW1.
# Configure LSW2.
# Configure LSW3.
2. Add PE1, PE2, and LSW1 to LSW3 to SEP segment 1 and configure interface roles.
NOTE
By default, STP is enabled on an interface. Before adding an interface to a SEP segment, disable STP
on the interface.
# Configure PE1.
[PE1-GigabitEthernet0/0/1] sep segment 1 edge primary
# Configure LSW1.
# Configure LSW2.
# Configure LSW3.
# Configure PE2.


[PE2-GigabitEthernet0/0/1] sep segment 1 edge secondary
After completing the preceding configurations, run the display sep topology command on
PE1 to view the topology of the SEP segment. The command output shows that the blocked
interface is one of the two interfaces that complete neighbor negotiations last.
[PE1] display sep topology
SEP segment 1
-----------------------------------------------------------------
System Name Port Name Port Role Port Status
-----------------------------------------------------------------
PE1 GE0/0/1 primary forwarding
LSW1 GE0/0/1 common forwarding
PE2 GE0/0/1 secondary discarding
3. Set an interface blocking mode.

# In SEP segment 1, block the interface in the middle of the SEP segment on PE1 where
the primary edge interface resides.
[PE1] sep segment 1
[PE1-sep-segment1] block port middle
4. Set the preemption mode.

# In SEP segment 1, set manual preemption on PE1 where the primary edge interface
resides.
[PE1-sep-segment1] preempt manual

# Configure devices in SEP segment 1 to notify topology changes to the RRPP ring network.
# Configure PE1.
[PE1-sep-segment1] tc-notify rrpp
# Configure PE2.
[PE2] sep segment 1
[PE2-sep-segment1] tc-notify rrpp
After the preceding configurations are successful, perform the following operations to verify the
configurations. PE1 is used as an example.
l Run the display sep topology command on PE1 to view the topology of the SEP segment.
The command output shows that the status of GE 0/0/2 on LSW3 is discarding and the status
of the other interfaces is forwarding.
SEP segment 1
-----------------------------------------------------------------
-----------------------------------------------------------------
LSW3 GE0/0/2 common discarding


PE2 GE0/0/1 secondary forwarding
l Run the display sep interface verbose command on PE1 to view detailed information about
the interfaces added to the SEP segment.
[PE1] display sep interface verbose
SEP segment 1
Control-vlan :10
Preempt Delay Timer :0
TC-Notify Propagate to :rrpp
----------------------------------------------------------------
Interface :GE0/0/1
Port Role :Config = primary / Active = primary
Port Priority :64
Port Status :forwarding
Neighbor Status :up
Neighbor Port :LSW1 - GE0/0/1 (00e0-0829-7c00.0000)
NBR TLV rx :2124 tx :2126
LSP INFO TLV rx :2939 tx :135
LSP ACK TLV rx :113 tx :768
PREEMPT REQ TLV rx :0 tx :3
PREEMPT ACK TLV rx :3 tx :0
TC Notify rx :5 tx :3
EPA rx :363 tx :397
Step 2 Configure basic RRPP functions.

1. Add PE1 to PE4 to RRPP domain 1, create control VLAN 5 on PE1 to PE4, and configure
a protected VLAN.
# Configure PE1.
[PE1-mst-region] instance 1 vlan 5 6 100
[PE1] rrpp domain 1
[PE1-rrpp-domain-region1] control-vlan 5
[PE1-rrpp-domain-region1] protected-vlan reference-instance 1
# Configure PE2.
[PE2] rrpp domain 1
# Configure PE3.
[PE3] rrpp domain 1
# Configure PE4.
[PE4] rrpp domain 1

2. Create a VLAN and add interfaces on the ring network to the VLAN.
# Create VLAN 100 on PE1, and add GE 0/0/1, GE 0/0/2, and GE 0/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
# Create VLAN 100 on PE2, and add GE 0/0/1, GE 0/0/2, and GE 0/0/3 to VLAN 100.
[PE2] vlan 100
[PE2-vlan100] quit
# Create VLAN 100 on PE3, and add GE 0/0/1 and GE 0/0/2 to VLAN 100.
[PE3] vlan 100
[PE3-vlan100] quit
# Create VLAN 100 on PE4, and add GE 0/0/1 and GE 0/0/2 to VLAN 100.
[PE4] vlan 100
[PE4-vlan100] quit

3. Configure PE1 as the master node and PE2 to PE4 as transit nodes of the major ring, and
configure the primary and secondary interfaces of the major ring.
# Configure PE1.
[PE1] rrpp domain 1
[PE1-rrpp-domain-region1] ring 1 node-mode master primary-port
gigabitethernet0/0/2 secondary-port gigabitethernet0/0/3 level 0
[PE1-rrpp-domain-region1] ring 1 enable
# Configure PE2.
[PE2] rrpp domain 1
[PE2-rrpp-domain-region1] ring 1 node-mode transit primary-port
# Configure PE3.
[PE3] rrpp domain 1
# Configure PE4.
[PE4] rrpp domain 1
4. Enable RRPP.
# Configure PE1.
[PE1] rrpp enable
# Configure PE2.
[PE2] rrpp enable
# Configure PE3.
[PE3] rrpp enable
# Configure PE4.
[PE4] rrpp enable
After completing the preceding configurations, run the display rrpp brief or display rrpp
verbose domain command on PE1 to check the RRPP configuration.
[PE1] display rrpp brief
Abbreviations for Switch Node Mode :
M - Master , T - Transit , E - Edge , A - Assistant-Edge
RRPP Protocol Status: Enable

RRPP Working Mode: HW
RRPP Linkup Delay Timer: 0 sec (0 sec default)
Number of RRPP Domains: 1
Domain Index : 1
Control VLAN : major 5 sub 6
Protected VLAN : Reference Instance 1
Hello Timer : 1 sec(default is 1 sec) Fail Timer : 6 sec(default is 6 sec)
Ring Ring Node Primary/Common Secondary/Edge Is
ID Level Mode Port Port Enabled
----------------------------------------------------------------------------
1 0 M GigabitEthernet0/0/2 GigabitEthernet0/0/3 Yes
The command output shows that RRPP is enabled on PE1. In domain 1, VLAN 5 is the major
control VLAN, VLAN 6 is the sub-control VLAN, Instance 1 is the protected VLAN, and PE1

is the master node in major ring 1 with the primary and secondary interfaces as
GigabitEthernet0/0/2 and GigabitEthernet0/0/3 respectively.
[PE1] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Ring State : Complete
Is Enabled : Enable Is Active: Yes
Primary port : GigabitEthernet0/0/2 Port status: UP
Secondary port : GigabitEthernet0/0/3 Port status: BLOCKED
The command output shows that in domain 1, VLAN 5 is the major control VLAN, VLAN 6 is
the sub-control VLAN, Instance 1 is the protected VLAN, PE1 is the master node in major ring
1 with the primary and secondary interfaces as GigabitEthernet0/0/2 and GigabitEthernet0/0/3
respectively, and the node status is Complete.
Step 3 Configure the Layer 2 forwarding function on the CE, LSW1 to LSW3, and PE1 to PE4.
For the configuration details, see the configuration files.
the network is stable. LSW1 is used as an example.
run the display sep interface command on LSW3 to check whether the status of GE0/0/2
changes from blocked to forwarding.
[LSW3] display sep interface gigabitethernet 0/0/2
SEP segment 1
----------------------------------------------------------------
----------------------------------------------------------------
----End
Configuration Files
#
sysname LSW1
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#


stp disable
sep segment 1
#
return

#
sysname LSW2
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return

#
sysname LSW3
#
vlan batch 10 100
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
#
return

#
sysname PE1
#
vlan batch 5 to 6 10 100
#
rrpp enable
#

instance 1 vlan 5 to 6 100

#
rrpp domain 1
control-vlan 5
protected-vlan reference-instance 1
ring 1 node-mode master primary-port GigabitEthernet 0/0/2 secondary-port
GigabitEthernet 0/0/3 level 0
ring 1 enable
#
sep segment 1
control-vlan 10
block port middle
tc-notify rrpp
#
stp disable
#
port trunk allow-pass vlan 5 to 6 100
stp disable
#
stp disable
#
return

#
sysname PE2
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 node-mode transit primary-port GigabitEthernet 0/0/2 secondary-port
ring 1 enable
#
sep segment 1
control-vlan 10
tc-notify rrpp
#
stp disable
#

stp disable
#
stp disable
#
return

#
sysname PE3
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
#
stp disable
#
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#

#
return

#
sysname PE4
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
#

stp disable
#
port trunk allow-pass vlan 5 to 6 100 200
stp disable
#

#
return

#
sysname CE1
#
vlan batch 100
#
#
return
3.10.5 Example for Configuring SEP Multi-Instance

On a closed ring network, two SEP segments are configured to process different VLAN services,
implement load balancing, and provide link backup.
In common SEP networking, a physical ring can be configured with only one SEP segment in
which only one interface can be blocked. If an interface in a complete SEP segment is blocked,
all service data is transmitted only along the path where the primary edge interface is located.
The path where the secondary edge interface is located remains idle, wasting bandwidth.
To improve bandwidth efficiency and implement traffic load balancing, Huawei develops SEP
multi-instance.

Figure 3-46 SEP multi-instance on a closed ring network
IP/MPLS Core
Core NPE1 NPE2
/ 0 /3 GE0
/0/3
GE0/0/2 GE0 GE0/0/2
LSW1 LSW4
GE0/0/1
GE0/0/1
Aggregation
P2 P1 GE0/0/1
GE0/0/1
LSW2 GE LSW3
0 /0 / 0 /2
GE0/0/3 /2 GE0 GE0/0/3
GE0/0/1 GE0/0/1
Access
CE1 CE2
Instance1: Instance2:
VLAN VLAN
100~300 301~500
SEP Segment1
SEP Segment2
Primary Edge Port
Secondary Edge Port
Block Port
As shown in Figure 3-46, a ring network comprising Layer 2 switches (LSW1 to LSW5) is
connected to the network. SEP runs at the aggregation layer. SEP multi-instance is configured
on LSW1 to LSW4 to allow for two SEP segments to improve bandwidth efficiency, implement
load balancing, and provide link backup.

a. Create two SEP segments and a control VLAN on LSW1 to LSW4.

Different SEP segments can use the same control VLAN.
b. Configure SEP protected instances, and set mappings between SEP protected
instances and user VLANs to ensure that topology changes affect only corresponding
VLANs.
c. Add all the devices on the ring network to the SEP segments, and configure
GE0/0/1 as the primary edge interface and GE0/0/3 as the secondary edge interface
on LSW1.
d. Configure an interface blocking mode on the device where the primary edge interface
resides.
e. Configure the preemption mode to ensure that the specified interface is blocked when
a fault is rectified.
2. Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW4.
Procedure
l Configure SEP segment 1 and control VLAN 10.
# Configure LSW1.
# Configure LSW2.
[LSW2] sep segment1
# Configure LSW3.
# Configure LSW4.
l Configure SEP segment 2 and control VLAN 10.

# Configure LSW1.
# Configure LSW2.
[LSW2] sep segment2
# Configure LSW3.

# Configure LSW4.
NOTE
l The control VLAN must be a new one.

l The command used to create a common VLAN is automatically displayed in a configuration file.
l Each SEP segment must be configured with a control VLAN. After being added to a SEP segment
configured with a control VLAN, an interface is added to the control VLAN automatically. You do
not need to run the port trunk allow-pass vlan command. In the configuration file, the port trunk
allow-pass vlan command, however, is displayed in the view of the interface added to the SEP segment.
Step 2 Configure SEP protected instances, and configure mappings between SEP protected instances
and user VLANs.
# Configure LSW1.
[LSW1] vlan batch 100 to 500
[LSW1-sep-segment1] protected-instance 1
[LSW1-sep-segment2] protected-instance 2
[LSW1-mst-region] instance 1 vlan 100 to 300
[LSW1-mst-region] instance 2 vlan 301 to 500
The configurations of LSW2 to LSW4 are similar to that of LSW1, and are not mentioned here.
For details, see the configuration files.
Step 3 Add all the devices on the ring network to the SEP segments and configure interface roles.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment, disable
STP on the interface.
edge interface.
# Configure LSW2.


# Configure LSW3.
# Configure LSW4.
Step 4 Specify an interface to block.

# Configure delayed preemption and block an interface based on the device and interface names
on LSW1 where the primary edge interface is located.
NOTE
l In this configuration example, an interface fault needs to be simulated and then rectified to implement
delayed preemption. To ensure that delayed preemption takes effect on the two SEP segments, simulate
an interface fault in the two SEP segments. For example:
l In SEP segment 1, run the shutdown command on GE 0/0/1 of LSW2 to simulate an interface
fault. Then, run the undo shutdown command on GE0/0/1 to simulate interface fault recovery.
l In SEP segment 2, run the shutdown command on GE 0/0/1 of LSW3 to simulate an interface
fault. Then, run the undo shutdown command on GE0/0/1 to simulate interface fault recovery.
Step 5 Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW4.
The configuration details are not mentioned here. For details, see the configuration files.
Simulate a fault, and then check whether the status of the blocked interface changes from blocked
to forwarding.
Run the shutdown command on GE0/0/1 of LSW2 to simulate an interface fault.
Run the display sep interface command on LSW3 to check whether the status of GE0/0/1 in
SEP segment 1 changes from blocked to forwarding.

[LSW3] display sep interface gigabitethernet 0/0/1

SEP segment 1
----------------------------------------------------------------
----------------------------------------------------------------
SEP segment 2
----------------------------------------------------------------
----------------------------------------------------------------
The preceding command output shows that the status of GE0/0/1 changes from blocked to
forwarding and the forwarding path change in SEP segment 1 does not affect the forwarding
path in SEP segment 2.
----End
Configuration Files
#
sysname LSW1
#
#
#
sep segment 1
control-vlan 10
preempt delay 15
protected-instance 1
sep segment 2
control-vlan 10
preempt delay 15
#

stp disable
#

stp disable
#
return

#
sysname LSW2
#
#


#
sep segment 1
control-vlan 10
sep segment 2
control-vlan 10
#

stp disable
sep segment 1
sep segment 2
#

stp disable
sep segment 1
sep segment 2
#

#
return

#
sysname LSW3
#
#
#
sep segment 1
control-vlan 10
sep segment 2
control-vlan 10
#

stp disable
sep segment 1
sep segment 2
#

stp disable
sep segment 1
sep segment 2
#

#
return

#
sysname LSW4
#
vlan batch 10 60 100 to 500
#
#
sep segment 1
control-vlan 10
sep segment 2
control-vlan 10
#

stp disable
sep segment 1
sep segment 2
#

stp disable
sep segment 1
sep segment 2
#
return

#
sysname CE1
#
#

#
return

#
sysname CE2
#
#

#
return

3.10.6 Example for Configuring Association Between SEP and VPLS

(Reporting Topology Changes of a Lower-Layer Network)
As shown in Figure 3-47, CE1 is connected to a VPLS network through an open ring. SEP is
enabled on the open ring network to eliminate redundant links. When a link on the ring network
becomes faulty, SEP can immediately restore the communication between nodes on the ring
network. The traffic between CEs, however, is still interrupted.
To solve the problem, association between SEP and VPLS must be enabled on PE1 and PE2.
With association between SEP and VPLS, PE1 and PE2 can detect topology changes of the SEP
network immediately after a fault occurs on the SEP network. This ensures reliable traffic
transmission.
NOTE
Only the S5300HI and S5310EI support this configuration.

Figure 3-47 Networking diagram for configuring association between SEP and VPLS
PE3 CE2
GE0/0/3
GE0/0/2
GE0/0/1 GE0/0/2
GE0/0/1
GE0/0/3 GE0/0/3 VLAN100

GE0/0/1 GE0/0/1
PE1 GE0/0/2 GE0/0/2 PE2
GE0/0/2 GE0/0/2
LSW1 SEP LSW3
Segment1
GE0/0/1 GE0/0/1
GE0/0/1 GE0/0/2
LSW2 GE0/0/3
GE0/0/2
CE1
GE0/0/1
Primary Edge Node

VLAN100
Secondary Edge Node
Block Port
PE1 GE 0/0/1 VLANIF 20 10.1.1.1 30
GE 0/0/2 VLANIF 100 -
GE 0/0/3 VLANIF 30 20.1.1.1 30
Loopback1 - 1.1.1.9 32
PE2 GE 0/0/1 VLANIF 20 10.1.1.2 30
GE 0/0/2 VLANIF100 -
GE 0/0/3 VLANIF 40 30.1.1.1 30
Loopback1 - 2.2.2.9 32
PE3 GE 0/0/1 VLANIF 30 20.1.1.2 30
GE 0/0/2 VLANIF 40 30.1.1.2 30
GE 0/0/3 VLANIF 100 -
Loopback1 - 3.3.3.9 32

a. Create a SEP segment and a control VLAN.
b. Add all the devices on the ring network to the SEP segment and configure a role for
each interface added to the SEP segment.
NOTE
When being added to multiple SEP segments, an interface must be configured with the same
role. Otherwise, SEP multi-instance fails to be configured.
c. Enable the function of specifying an interface to block on the device where the primary
edge interface resides.
d. Configure the SEP preemption mode to ensure that the specified blocked interface
takes effect when a fault is rectified.
2. Configure VPLS on PE1, PE2, and PE3.
3. Configure association between SEP and VPLS on the devices connecting the SEP network
and the VPLS network.
4. Configure the Layer 2 forwarding function on CE1, CE2, LSW1 to LSW3, and PE1 to PE3.
Procedure
1. Create a SEP segment and a control VLAN.
# Configure PE1.
[PE1] sep segment 1
# Configure LSW1.
# Configure LSW2.
[LSW2] sep segment1
# Configure LSW3.

# Configure PE2.
[PE2] sep segment 1
NOTE
l The control VLAN must be a new one.

l After the control VLAN is created successfully, the command used to create a common VLAN
will be displayed in the configuration file.
Each SEP segment must be configured with a control VLAN. After an interface is added to a
SEP segment configured with a control VLAN, the interface will be automatically added to the
control VLAN.
l If the interface type is Trunk, in the configuration file, the port trunk allow-pass vlan
command is displayed in the view of the interface added to the SEP segment.
l If the interface type is Hybrid, in the configuration file, the port hybrid tagged vlan
command is displayed in the view of the interface added to the SEP segment.
2. Add all the devices on the ring network to the SEP segment and configure a role for each
interface added to the SEP segment.
Configure GE 0/0/2 on PE1 as a primary edge interface, GE 0/0/2 on PE2 as a secondary
edge interface, and other interfaces as common interfaces.
# Configure PE1.
[PE1-GigabitEthernet0/0/2] sep segment 1 edge primary
# Configure PE2.
[PE2-GigabitEthernet0/0/2] sep segment 1 edge secondary
# Configure LSW1.
[LSW1-GigabitEthernet0/0/1] port link-type trunk
# Configure LSW2.
# Configure LSW3.


After completing the preceding configurations, run the display sep topology command on
PE1 to view the topology of the SEP segment. You can see that the blocked interface is the
one of the last two interfaces that complete neighbor negotiation.
SEP segment 1
-----------------------------------------------------------------
-----------------------------------------------------------------
PE2 GE0/0/2 secondary discarding

l Configure an interface blocking mode.
# Configure the interface priority-based interface blocking mode on PE1 where the
primary edge interface resides in SEP segment 1, and block the interface with the highest
priority.
[PE1] sep segment 1
[PE1-sep-segment1] block port optimal
# On LSW2, set the priority of GE 0/0/2 to 128 and allow the other interfaces to use the
default priority.
l Configure the preemption mode.

# Set the preemption mode on PE1 where the primary edge interface resides as delayed
preemption.
[PE1-sep-segment1] preempt delay 600
NOTE
l The preemption delay has no default value. Therefore, you must run the related command to set
the preemption delay.
l When the last faulty edge interface recovers, it does not receive any fault advertisement packet.
If the primary edge interface does not receive any fault advertisement packet within three seconds,
it immediately starts the delay timer. After the delay timer expires, the nodes on the SEP segment
block a specified interface.
Therefore, in this example, an interface fault is simulated and then rectified to implement delayed
preemption. For example:
Run the shutdown command on GE 1/0/2 of LSW2 to simulate an interface fault. Then, run the
undo shutdown command on GE 1/0/2 to rectify the fault.

After completing the preceding operations, view the topology of the SEP segment. Use the
display on PE1 as an example.
Run the display sep topology command on PE1 to view the information about the topology
of the SEP segment.
SEP segment 1
-----------------------------------------------------------------
-----------------------------------------------------------------
LSW2 GE0/0/2 common discarding
PE2 GE0/0/2 secondary forwarding
The preceding command output shows that the status of GE 0/0/2 is discarding and the
status of the other interfaces is forwarding on LSW2 in SEP segment 1.
Step 2 Configure a VPLS network.
1. Configure an IP address for each interface and an IGP on the VPLS backbone network. In
this example, IS-IS is used as an IGP.
Configure VPLS connections between the PEs (the VPLS connections use the LDP
signaling, and the VSI name is ldp1). The configuration details are not provided here. For
details, see the chapter "VPLS Configuration" in the S2350&S5300&S6300 Configuration
Guide - VPN or configuration files in this example.
After the preceding configurations are complete, the PEs ping each other successfully.
[PE3] ping 10.1.1.1

0.00% packet loss
[PE1] ping 2.2.2.9

0.00% packet loss
2. Bind the VLANIF interfaces at the user side on the PEs to the same VSI.
# Configure PE1.
[PE1] vlan 100
[PE1-vlan100] quit


[PE1] interface Vlanif 100
[PE1-Vlanif100] l2 binding vsi ldp1
[PE1-Vlanif100] quit
# Configure PE2.
[PE2] vlan 100
[PE2-vlan100] quit
# Configure PE3.
[PE3] vlan 100
[PE3-vlan100] quit
After completing the preceding configurations, run the display vsi name ldp1 verbose
command on PE1. You can see that PE1 in a VSI named ldp1 in the Up state sets up a PW
to PE2 and another PW to PE3.
[PE1] display vsi name ldp1 verbose
***VSI Name : ldp1

VSI Index : 0
PW Signaling : ldp
MTU : 1500
Mpls Exp : --
DomainId : 255
Domain Name :
P2P VSI : disable
VSI State : up
VSI ID : 1
VC Label : 1026
Peer Type : dynamic
Session : up
Tunnel ID : 0x5
CKey : 2
NKey : 1
StpEnable : 0
PwIndex : 0
VC Label : 1027
Peer Type : dynamic
Session : up
Tunnel ID : 0x6


CKey : 4
NKey : 3
StpEnable : 0
PwIndex : 0
Interface Name : Vlanif100

State : up
Access Port : false
Last Up Time : 2010/07/05 19:59:31
**PW Information:

PW State : up
PW Type : label
Tunnel ID : 0x5
Ckey : 0x2
Nkey : 0x1
Main PW Token : 0x5
Tnl Type : LSP
Stp Enable : 0
PW Last Up Time : 2010/07/05 20:00:21
PW State : up
PW Type : label
Tunnel ID : 0x6
Ckey : 0x4
Nkey : 0x3
Main PW Token : 0x6
Tnl Type : LSP
Stp Enable : 0
PW Last Up Time : 2010/07/05 20:09:01
Step 3 Configure association between SEP and VPLS.
# Configure PE1.
[PE1] sep segment 1
[PE1-sep-segment1] tc-notify vpls
# Configure PE2.
[PE2] sep segment 1
[PE2-sep-segment1] tc-notify vpls
Step 4 Configure the Layer 2 forwarding function on CE1, CE2, and LSW1 to LSW3.

The configuration details are not provided here. For details, see configuration files in this
example.
Simulate a fault, and then check whether the status of the blocked interface changes from blocked
to forwarding.
Run the shutdown command on GE 0/0/1 of LSW2 to simulate an interface fault.
l Run the display sep interface command on LSW2 to check whether the status of GE 0/0/2
in SEP segment 1 changes from blocked to forwarding.
[LSW2] display sep interface GigabitEthernet 0/0/2
SEP segment 1
----------------------------------------------------------------
----------------------------------------------------------------
l The CEs can ping each other successfully.
----End
Configuration Files
#
sysname PE1
#
vlan batch 10 20 30 100
#
sep segment 1
control-vlan 10
block port optimal
preempt delay 600
tc-notify vpls
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 1
peer 2.2.2.9
peer 3.3.3.9
#
mpls ldp
#
isis 1
is-level level-2
network-entity 49.0010.0100.1009.00
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif30
ip address 20.1.1.1 255.255.255.252
isis enable 1

mpls
mpls ldp
#
interface Vlanif100
l2 binding vsi ldp1
#

#

stp disable
#

#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
isis enable 1
#
return

#
sysname PE2
#
vlan batch 10 20 40 100
#
sep segment 1
control-vlan 10
tc-notify vpls
#
mpls lsr-id 2.2.2.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 1
peer 1.1.1.9
peer 3.3.3.9
#
mpls ldp
#
isis 1
is-level level-2
network-entity 49.0020.0200.2009.00
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif40
ip address 30.1.1.1 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif100

l2 binding vsi ldp1

#

#

stp disable
#

#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
isis enable 1
#
return

#
sysname PE3
#
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
vsi ldp1 static
pwsignal ldp
vsi-id 1
peer 1.1.1.9
peer 2.2.2.9
#
mpls ldp
#
isis 1
is-level level-2
network-entity 49.0030.0300.3009.00
#
interface Vlanif30
ip address 20.1.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif40
ip address 30.1.1.2 255.255.255.252
isis enable 1
mpls
mpls ldp
#
interface Vlanif100
l2 binding vsi ldp1
#

#

#

#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
isis enable 1
#
return

#
sysname LSW1
#
vlan batch 10
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return

#
sysname LSW2
#
vlan batch 10
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
#
return

#
sysname LSW3

#
vlan batch 10
#
sep segment 1
control-vlan 10
#
stp disable
sep segment 1
#
stp disable
sep segment 1
#
return

#
sysname CE1
#
vlan batch 100
#
#
#
return

#
sysname CE2
#
vlan batch 100
#
#
#
return
3.11 Layer 2 Protocol Transparent Transmission

Configuration
This chapter describes the concept, configuration procedure, and configuration examples of
Layer 2 protocol transparent transmission.

3.11.1 Example for Configuring Interface-based Layer 2 Protocol

Transparent Transmission
As shown in Figure 3-48, CEs are edge devices on two private networks of an enterprise located
in different areas, and PE1 and PE2 are edge devices on the ISP network. The two private
networks of the enterprise are Layer 2 networks and they are connected through the ISP network.
STP is run on the Layer 2 networks to prevent loops. Enterprise users require that STP run only
on the private networks so that spanning trees can be generated correctly.
Figure 3-48 Networking diagram for configuring interface-based Layer 2 protocol transparent
transmission
ISP
network
PE2
GE0/0/1
GE0/0/1
PE1 GE0/0/1
CE1 GE0/0/1
CE2
User A User A
network1 network2
1. Configure STP on CEs to prevent loops on Layer 2 networks.

2. Add PE interfaces connected to CEs to specified VLANs so that PEs forward packets from
the VLANs.
3. Configure interface-based Layer 2 protocol transparent transmission on PEs so that STP
packets are not sent to the CPUs of PEs for processing.
Procedure
Step 1 Enable STP on CEs.
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
[CE1] stp enable


[CE1-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[CE1-GigabitEthernet0/0/1] port hybrid untagged vlan 100
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
[CE2] stp enable
[CE2-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[CE2-GigabitEthernet0/0/1] port hybrid untagged vlan 100
Step 2 Add GE0/0/1 on PE1 and PE2 to VLAN 100 and enable Layer 2 protocol transparent
transmission on PEs.
# Configure PE1.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[PE1-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[PE1-GigabitEthernet0/0/1] l2protocol-tunnel stp enable
# Configure PE2.
[PE2] vlan 100
[PE2-vlan100] quit
[PE2-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[PE2-GigabitEthernet0/0/1] l2protocol-tunnel stp enable
Step 3 Configure PEs to replace the destination MAC address of STP packets received from CEs.
# Configure PE1.
[PE1] l2protocol-tunnel stp group-mac 0100-5e00-0011
# Configure PE2.

After the configuration is complete, run the display l2protocol-tunnel group-mac command
on PEs. You can view the protocol type or name, multicast destination MAC address, group
MAC address, and priority of Layer 2 protocol packets to be transparently transmitted.
[PE1] display l2protocol-tunnel group-mac stp
Protocol EncapeType ProtocolType Protocol-MAC Group-MAC Pri
-----------------------------------------------------------------------------
stp llc dsap 0x42 0180-c200-0000 0100-5e00-0011 0
ssap 0x42

Run the display stp command on CE1 and CE2 to view the root in the MSTP region. You can
find that a spanning tree is calculated between CE1 and CE2. GE0/0/1 on CE1 is the root port
and GE0/0/1 on CE2 is the designated port.
[CE1] display stp
-------[CIST Global Info] [Mode MSTP] -------
CIST Bridge :32768.00e0-fc9f-3257
Bridge Times :Hello 2s MaxAge 20s FwDly 15s MaxHop 20
CIST Root/ERPC :32768.00e0-fc9a-4315 / 199999
CIST RegRoot/IRPC :32768.00e0-fc9f-3257 / 0
CIST RootPortId :128.82
BPDU-Protection :Disabled
TC or TCN received :6
TC count per hello :6
STP Converge Mode :
Time since last TC :0 days 2h:24m:36s
----[Port1(GigabitEthernet0/0/1)] [FORWARDING] ----
Port Protocol :Enabled
Port Role :Root Port
Port Priority :128
Port Cost(Dot1T ) :Config=auto / Active=200000000
Designated Bridge/Port :32768.00e0-fc9a-4315 / 128.82
Port Edged :Config=disabled / Active=disabled
Point-to-point :Config=auto / Active=true
Transit Limit :147 packets/hello-time
Protection Type :None
Port STP Mode :MSTP
Port Protocol Type :Config=auto / Active= dot1s
PortTimes :Hello 2s MaxAge 20s FwDly 15s RemHop 20
TC or TCN send :0
BPDU Sent :6
TCN: 0, Config: 0, RST: 0, MST: 6
BPDU Received :4351
[CE2] display stp
-------[CIST Global Info] [Mode MSTP] -------
CIST Bridge :32768.00e0-fc9a-4315
CIST RegRoot/IRPC :32768.00e0-fc9a-4315 / 0
BPDU-Protection :Disabled
STP Converge Mode :
----[Port1(GigabitEthernet0/0/1)] [FORWARDING] ----
Port Role :Designated Port
Port Priority :128
Port STP Mode :MSTP
TC or TCN send :0
BPDU Sent :4534
BPDU Received :6

----End
Configuration Files
#
sysname CE1
#
vlan batch 100
#
stp enable
#
#
return

#
sysname CE2
#
vlan batch 100
#
stp enable
#
#
return

#
sysname PE1
#
vlan batch 100
#
l2protocol-tunnel stp group-mac 0100-5e00-0011
#
l2protocol-tunnel stp enable
#
return

#
sysname PE2
#
vlan batch 100
#
#
l2protocol-tunnel stp enable
#
return

3.11.2 Example for Configuring VLAN-based Layer 2 Protocol

in different areas, and PE1 and PE2 are edge devices on the ISP network. VLAN 100 and VLAN
200 are Layer 2 networks for different users and are connected through the ISP network. STP
is run on the Layer 2 networks to prevent loops. Enterprise users require that STP run only on
the private networks so that spanning trees can be generated correctly.
l All the devices in VLAN 100 participate in calculation of a spanning tree.
Figure 3-49 Networking diagram for configuring VLAN-based Layer 2 protocol transparent
transmission
PE1 PE2
ISP
network
GE0/0/2 GE0/0/3 GE0/0/2 GE0/0/3
GE0/0/1 GE0/0/1 GE0/0/1

GE0/0/1
CE1 CE2 CE4
CE3
VLAN 100 VLAN 200

VLAN 100 VLAN 200
User A User B
User A User B
2. Configure CEs to send STP packets with specified VLAN tags to PEs so that calculation
of a spanning tree is complete independently in VLAN 100 and VLAN 200.
3. Configure VLAN-based Layer 2 protocol transparent transmission on PEs so that STP
Procedure
# Configure CE1.
[CE1] stp enable

# Configure CE2.
[CE2] stp enable
# Configure CE3.
[CE3] stp enable
# Configure CE4.
[CE4] stp enable
Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs, and configure CE3
and CE4 to send STP packets with VLAN tag 200 to PEs.
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
[CE1-GigabitEthernet0/0/1] port hybrid tagged vlan 100
[CE1-GigabitEthernet0/0/1] stp bpdu vlan 100
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
# Configure CE3.
[CE3] vlan 200
[CE3-vlan200] quit
# Configure CE4.
[CE4] vlan 200
[CE4-vlan200] quit
Step 3 Configure PE interfaces to transparently transmit STP packets of CEs to the peer ends.
# Configure PE1.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] vlan 200
[PE1-vlan200] quit

[PE1-GigabitEthernet0/0/2] l2protocol-tunnel stp vlan 100

# Configure PE2.
[PE2] vlan 100
[PE2-vlan100] quit
[PE2] vlan 200
[PE2-vlan200] quit
# Configure PE1.
# Configure PE2.

[PE1] display l2protocol-tunnel group-mac stp
-----------------------------------------------------------------------------
stp llc dsap 0x42 0180-c200-0000 0100-5e00-0011 0
ssap 0x42
[CE1] display stp
-------[CIST Global Info][Mode MSTP]-------
CIST Bridge :32768.000b-09f0-1b91
CIST Root/ERPC :32768.000b-09d4-b66c / 199999
CIST RegRoot/IRPC :32768.000b-09f0-1b91 / 0
BPDU-Protection :disabled
STP Converge Mode :
Share region-configuration :enabled
Port Priority :128


Designated Bridge/Port :32768.000b-09d4-b66c / 128.82
Port STP Mode :MSTP
TC or TCN send :0
BPDU Sent :237
BPDU Received :9607
<CE2> display stp
CIST Bridge :32768.000b-09d4-b66c
CIST RegRoot/IRPC :32768.000b-09d4-b66c / 0
STP Converge Mode :
Port Priority :128
Port STP Mode :MSTP
TC or TCN send :0
BPDU Sent :7095
BPDU Received :2
<CE3> display stp
STP Converge Mode :
Port Priority :128


Port STP Mode :MSTP
TC or TCN send :0
BPDU Sent :238
BPDU Received :9745
<CE4> display stp
STP Converge Mode :
Port Protocol :enabled
Port Priority :128
Port STP Mode :MSTP
TC or TCN send :0
BPDU Sent :7171
BPDU Received :2
----End
Configuration Files
#
sysname CE1
#
vlan batch 100
#
stp enable
#
stp bpdu vlan 100
#
return

#
sysname CE2
#

vlan batch 100

#
stp enable
#
stp bpdu vlan 100
#
return

#
sysname CE3
#
vlan batch 200
#
stp enable
#
stp bpdu vlan 200
#
return

#
sysname CE4
#
vlan batch 200
#
stp enable
#
stp bpdu vlan 200
#
Return

#
sysname PE1
#
vlan batch 100 200
#
#
l2protocol-tunnel stp vlan 100
#
#
return

#
sysname PE2
#
vlan batch 100 200
#
#

#
#
return
3.11.3 Example for Configuring QinQ-based Layer 2 Protocol

in different areas, and PE1 and PE2 are edge devices on the ISP network. VLAN 100 and VLAN
200 are Layer 2 networks for different users and are connected through the ISP network. STP
is run on the Layer 2 networks to prevent loops. Enterprise users require that STP run only on
the private networks so that spanning trees can be generated correctly.

Because of shortage of public VLAN resources, VLAN IDs on carrier networks must be saved.
Figure 3-50 Networking diagram for configuring QinQ-based Layer 2 protocol transparent
transmission
User A User A
VLAN100 VLAN100
GE0/0/1
GE0/0/1
GE0/0/2
GE0/0/2
CE1 CE2
ISP
PE1 Network PE2
CE3 GE0/0/3 GE0/0/3

CE4
GE0/0/1
User B GE0/0/1
User B
VLAN200 VLAN200

2. Configure CEs to send STP packets with specified VLAN tags to PEs so that calculation
of a spanning tree is complete independently in VLAN 100 and VLAN 200.

3. Configure VLAN-based Layer 2 protocol transparent transmission on PEs so that STP

4. Configure QinQ (VLAN stacking) on PEs so that PEs add outer VLAN tag 10 to STP
packets sent from CEs, saving public network VLAN IDs.
Procedure
# Configure CE1.
[CE1] stp enable
# Configure CE2.
[CE2] stp enable
# Configure CE3.
[CE3] stp enable
# Configure CE4.
[CE4] stp enable
Step 2 Configure CE1 and CE2 to send STP packets with VLAN tag 100 to PEs, and configure CE3
and CE4 to send STP packets with VLAN tag 200 to PEs.
# Configure CE1.
[CE1] vlan 100
[CE1-vlan100] quit
# Configure CE2.
[CE2] vlan 100
[CE2-vlan100] quit
# Configure CE3.
[CE3] vlan 200
[CE3-vlan200] quit
# Configure CE4.
[CE4] vlan 200
[CE4-vlan200] quit

Step 3 Configure QinQ-based Layer 2 protocol transparent transmission on PEs so that STP packets
with VLAN tags 100 and 200 are tagged with outer VLAN 10 by PEs and can be transmitted
on the ISP network.
# Configure PE1.
[PE1] vlan 10
[PE1-Vlan10] quit
[PE1-GigabitEthernet0/0/2] port vlan-stacking vlan 100 stack-vlan 10
# Configure PE2.
[PE2] vlan 10
[PE2-Vlan10] quit
# Configure PE1.
# Configure PE2.

<PE1> display l2protocol-tunnel group-mac stp
-----------------------------------------------------------------------------
stp llc dsap 0x42 0180-c200-0000 0100-5e00-0011 0
ssap 0x42

<CE1> display stp

CIST Bridge :32768.000b-09f0-1b91
CIST RegRoot/IRPC :32768.000b-09f0-1b91 / 0
STP Converge Mode :
----[Port17(GigabitEthernet0/0/1)][FORWARDING]----
Port Priority :128
Port STP Mode :MSTP
TC or TCN send :0
BPDU Sent :237
BPDU Received :9607
<CE2> display stp
CIST Bridge :32768.000b-09d4-b66c
CIST RegRoot/IRPC :32768.000b-09d4-b66c / 0
STP Converge Mode :
Port Priority :128
Port STP Mode :MSTP
TC or TCN send :0
BPDU Sent :7095
BPDU Received :2

<CE3> display stp

STP Converge Mode :
Port Priority :128
Port STP Mode :MSTP
TC or TCN send :0
BPDU Sent :238
BPDU Received :9745
<CE4> display stp
STP Converge Mode :
Port Priority :128
Port STP Mode :MSTP
TC or TCN send :0
BPDU Sent :7171
BPDU Received :2
Run the display vlan command on PEs to view the QinQ configuration.
<PE1> display vlan 10 verbose

* : Management-VLAN
---------------------
VLAN ID : 10
VLAN Type : Common
Description : VLAN 0010
Status : Enable
Broadcast : Enable
MAC learning : Enable
Statistics : Disable
Property : Default
VLAN State : Up
----------------
Untagged Port: GigabitEthernet0/0/2 GigabitEthernet0/0/3
----------------
Active Untag Port: GigabitEthernet0/0/2 GigabitEthernet0/0/3
----------------
QinQ-stack Port: GigabitEthernet0/0/2 GigabitEthernet0/0/3
----------------
Interface Physical
GigabitEthernet0/0/2 UP
GigabitEthernet0/0/3 UP
----End
Configuration Files
#
sysname CE1
#
vlan batch 100
#
stp enable
#
stp bpdu vlan 100
#
return

#
sysname CE2
#
vlan batch 100
#
stp enable
#
stp bpdu vlan 100
#
return

#
sysname CE3
#
vlan batch 200
#
stp enable
#
stp bpdu vlan 200
#

return

#
sysname CE4
#
vlan batch 200
#
stp enable
#
stp bpdu vlan 200
#
return

#
sysname PE1
#
vlan batch 10
#
#
#
#
return

#
sysname PE2
#
vlan batch 10
#
#
#
#
return
3.12 Loopback Detection Configuration

Loopback detection can detect loops on the network connected to the device and reduce impacts
on the network.

3.12.1 Example for Configuring Loopback Detection to Detect

Loops on the Downstream Network
As shown in Figure 3-51, if there is a loop on the network connected to the GE0/0/1 interface,
broadcast storms will occur on the Switch or even the entire network.
To detect loops on the network connected to the switch and disabled downlink interfaces to
reduce impacts on the switch and other networks, enable loopback detection on the Switch.
Figure 3-51 Loopback detection network diagram

Switch
GE0/0/1
1. Enable loopback detection on the interface to detect loops on downlink networks.

2. Specify the VLAN ID for loopback detection packets.
3. Set loopback detection parameters to enable the interface automatic recovery.
Procedure
Step 1 Enable loopback detection on the interface.
[Switch-GigabitEthernet0/0/1] loopback-detect enable
Step 2 Specify the VLAN ID for loopback detection packets.

[Switch] vlan 100

[Switch-GigabitEthernet0/0/1] port hybrid tagged vlan 100

[Switch-GigabitEthernet0/0/1] loopback-detect packet vlan 100
Step 3 Set loopback detection parameters.
# Configure the action the interface when a loopback is detected.

[Switch-GigabitEthernet0/0/1] loopback-detect action block
# Set the interface recovery time after a loop is removed.

[Switch-GigabitEthernet0/0/1] loopback-detect recovery-time 30
# Set the interval between sending loopback detection packets.

[Switch] loopback-detect packet-interval 10
Step 4 Check the configuration.
Run the display loopback-detect command to check the configuration.

<Switch> display loopback-detect
Loopback-detect sending-packet interval:10
Interface RecoverTime Action Status

--------------------------------------------------------------------------------
GigabitEthernet0/0/1 30 block NORMAL
When loops occur on the GigabitEthernet0/0/1 interface, the interface is blocked. The interface
will recover 30s after no loopback packets are detected.
----End
Configuration Files
#
sysname Switch
#
vlan batch 100
#
loopback-detect packet-interval 10
#

loopback-detect recovery-time 30
loopback-detect packet vlan 100
loopback-detect enable
loopback-detect action block
#
return
3.13 VoIP Access Configuration
3.13.1 Example for Configuring LLDP on a Switch to Provide VoIP

Access

Flows of the HSI, VoIP, and IPTV services are transmitted on the network. Users require high
quality of the VoIP service. Therefore, voice data flows must be transmitted with a high priority.
If a voice device supports LLDP and has a high 802.1p priority (for example, 5), you can
configure LLDP and Voice VLAN on the switch. Then the switch uses the LLDP protocol to
deliver the Voice VLAN ID to the voice device and does not change the packet priority.
As shown in Figure 3-52, after a Voice VLAN is configured on the Switch, the voice device
learns the Voice VLAN ID using LLDP.
Figure 3-52 Configuring LLDP to provide VoIP access
DHCP Server
Internet
Switch
GE0/0/1
HG
HSI VoIP IPTV
1. Create VLANs.
2. Configure the link type and default VLAN of the interface connected to the IP phone.
3. Enable the Voice VLAN function on the interface.
4. Configure the interface to join the Voice VLAN in manual mode.
5. Set the working mode of the Voice VLAN.
6. Configure the interface to trust the 802.1p priority of packets.
7. Enable LLDP globally and on the interface.

Procedure
Step 1 Configure VLANs and interface on the Switch.
# Configure the link type and default VLAN of GigabitEthernet0/0/1.

Step 2 Configure the Voice VLAN on the Switch.

# Enable the Voice VLAN on GigabitEthernet0/0/1.
# Configure the mode in which GigabitEthernet0/0/1 is added to the Voice VLAN.

[HUAWEI-GigabitEthernet0/0/1] voice-vlan mode manual
# Configure the working mode of the Voice VLAN.

[HUAWEI-GigabitEthernet0/0/1] undo voice-vlan security enable
Step 3 Configure the interface to trust the 802.1p priority of packets.

[HUAWEI-GigabitEthernet0/0/1] trust 8021p (inner)
NOTE
The format of the trust 8021p (inner) command varies depending on the device model.
Step 4 Enable LLDP.

[HUAWEI-GigabitEthernet0/0/1] lldp enable
[HUAWEI-GigabitEthernet0/0/1] return

Run the display voice-vlan 2 status command to check the Voice VLAN configuration,
including the mode in which the interface is added to the Voice VLAN, working mode, and
aging time of the Voice VLAN.
---------------------------------------------------
Voice VLAN ID : 2
----------------------------------------------------------
Port Information:
-----------------------------------------------------------
-------------------------------------------------------------------------------
GigabitEthernet0/0/1 Auto Normal Disable Disable Disable
----End

Configuration Files
#
sysname HUAWEI
#
vlan batch 2 6
#
lldp enable
#
voice-vlan 2 enable
trust 8021p (inner)
#
return
3.13.2 Example for Configuring a DHCP Server on a Switch to

Provide VoIP Access
If a voice device supports DHCP and has a high 802.1p priority (for example, 5), you can
configure DHCP and Voice VLAN on the switch. Then the switch uses the DHCP protocol to
deliver the Voice VLAN ID to the voice device and does not change the packet priority.
As shown in Figure 3-53, the voice device does not support VLAN configuration. In this case,
you can configure the DHCP option so that the DHCP server can deliver the voice VLAN ID to
the voice device.
Figure 3-53 Configuring a DHCP server to provide VoIP access
Internet
Switch DHCP Server
GE0/0/1
HG
HSI VoIP IPTV

1. Create VLANs.
2. Configure the link type and default VLAN of the interface connected to the IP phone.
3. Configure the interface to trust the 802.1p priority of packets.
4. Configure an IP address pool.
5. Configure Option in the address pool.
6. Enable DHCP globally and configure the DHCP server on the VLANIF interface to allocate
IP addresses using the global IP address pool.
Procedure

# Configure the link type and default VLAN of GigabitEthernet0/0/1.

Step 2 Configure an IP address pool on the Switch.
# Create an IP address pool.

[HUAWEI] ip pool ip_access
# Configure the address range in the IP address pool.

[HUAWEI-ip-pool-ip_access] network 192.168.10.0 mask 24
[HUAWEI-ip-pool-ip_access] gateway-list 192.168.10.254
[HUAWEI-ip-pool-ip_access] option184 voice-vlan 6
[HUAWEI-ip-pool-ip_access] quit
NOTE
The DHCP option is configured to enable the DHCP server to deliver the voice VLAN ID to the voice
device. Option184 is used as an example here. IP phones from different vendors may use different options.
For the specific option used by an IP phone, see the user manual of the IP phone. For details on how to
configure the option, see the option command in S2350&S5300&S6300 Series Ethernet Switches IP
Service Commands - DHCP Configuration Commands.
Step 3 Configure the interface to trust the 802.1p priority of packets.

[HUAWEI-GigabitEthernet0/0/1] trust 8021p (inner)
NOTE
The format of the trust 8021p (inner) command varies depending on the device model.

Step 4 Enable DHCP globally,

[HUAWEI] dhcp enable
Step 5 Create the VLANIF interface corresponding to the default VLAN of GigabitEthernet0/0/1.
Configure the DHCP server on the VLANIF interface to allocate IP addresses using the global
address pool.
[HUAWEI] interface Vlanif2
[HUAWEI-Vlanif2] ip address 192.168.10.1 255.255.255.0
[HUAWEI-Vlanif2] dhcp select global
----End
Configuration Files
#
sysname HUAWEI
#
vlan batch 2 6
#
dhcp enable
#
ip pool ip_access
gateway-list 192.168.10.254
network 192.168.10.0 mask 255.255.255.0
option184 voice-vlan 6
#
interface Vlanif2
ip address 192.168.10.1 255.255.255.0
dhcp select global
#
trust 8021p
#
return
3.13.3 Example for Configuring MAC Address-based VLAN

Assignment on a Switch to Provide VoIP Access
If a voice device does not support LLDP or DHCP, you can configure MAC address-based
VLAN assignment on the switch. Then the switch can assign a VLAN to the voice device based
on the MAC address of the voice device.
As shown in Figure 3-54, the IP phone sends untagged packets. To ensure high-quality VoIP
service, the Switch associates the MAC address of the IP phone with VLAN 100, of which the
priority is 7.

Figure 3-54 Configuring MAC address-based VLAN assignment to provide VoIP access
DHCP Server
Internet
Switch
GE0/0/1
HG
HSI VoIP IPTV
1. Create VLAN 100 for voice flows.
2. Enable MAC address-based assignment on the interface.
3. Associate the MAC address of the IP phone with a VLAN.
Procedure
Create VLAN 100 and VLAN 200.

[HUAWEI] vlan batch 100
Step 2 Associate the MAC address of the IP phone with VLAN 100 and set the priority of VLAN 100
to7.
[HUAWEI] vlan 100
[HUAWEI-vlan100] mac-vlan mac-address 1234-1234-1234 ffff-ff00-0000 priority 7
Step 3 Enable MAC address-based VLAN assignment.


[HUAWEI-GigabitEthernet0/0/1] mac-vlan enable
Run the display mac-vlan mac-address all command to verify the configuration of MAC
address-based VLAN assignment.
<HUAWEI> display mac-vlan mac-address all
---------------------------------------------------
MAC Address MASK VLAN Priority
---------------------------------------------------
1234-1234-1234 ffff-ff00-0000 100 7
Total MAC VLAN address count: 1
----End
Configuration Files
#
sysname HUAWEI
#
vlan batch 100
#
vlan 100
mac-vlan mac-address 1234-1234-1234 ffff-ff00-0000 priority 7
#
mac-vlan enable
#
return
3.13.4 Example for Configuring an ACL on a Switch to Provide VoIP

Access
NOTE
This example does not apply to S5300SI, S2350 or S5300LI.
If a voice device connected to a switch does not support LLDP or DHCP, you can configure an
ACL on the switch to implement VoIP access.
As shown in Figure 3-55, the voice device sends untagged packets. To ensure high-quality VoIP
service, the Switch identifies voice data packets based on the source MAC address, tags the
voice data packets with VLAN 200, and sets the priority of the voice data packets to 7.

Figure 3-55 Configuring an ACL to provide VoIP access
DHCP Server
Internet
Switch
GE0/0/1
HG
HSI VoIP IPTV
1. Create VLAN 100 for data flows and VLAN 200 for voice flows.
2. Configure the link type and default VLAN of the interface connected to the voice device.
3. Configure an ACL rule to match the MAC address of the voice device.
4. Configure the Switch to add an outer VLAN tag to the packets matching the ACL rule and
change the priority of these packets.
Procedure
Step 1 Configure VLAN and interface on the Switch.

# Configure the link type and default VLAN of the interface connected to the voice device.
[HUAWEI-GigabitEthernet0/0/1] port hybrid untagged vlan 100 200
Step 2 Configure an ACL.

[HUAWEI] acl 4000

[HUAWEI-acl-L2-4000] rule permit source-mac 1234-1234-1234 ffff-ffff-ff00
[HUAWEI-acl-L2-4000] quit
Step 3 Apply the ACL to GE0/0/1.

[HUAWEI-GigabitEthernet0/0/1] port add-tag acl 4000 vlan 200 remark-8021p 7
Run the display acl 4000 command to check the ACL configuration.
<HUAWEI> display acl 4000
L2 ACL 4000, 1 rule
Acl's step is 5
rule 5 permit source-mac 1234-1234-1200 ffff-ffff-ff00
----End
Configuration Files
#
sysname HUAWEI
#
vlan batch 100 200
#
acl number 4000
#
200
port add-tag acl 4000 vlan 200 remark-8021p 7
#
return
3.13.5 Example for Configuring an Simplified ACL on a Switch to

Provide VoIP Access
If a voice device connected to a switch does not support LLDP or DHCP, you can configure an
ACL on the switch to implement VoIP access.
As shown in Figure 3-56, the voice device sends untagged packets. To ensure high-quality VoIP
service, the Switch identifies voice data packets based on the source MAC address, tags the
voice data packets with VLAN 200, and sets the priority of the voice data packets to 7.

Figure 3-56 Configuring an ACL to provide VoIP access
DHCP Server
Internet
Switch
GE0/0/1
HG
HSI VoIP IPTV
1. Create a VLAN.
2. Configure the link type and default VLAN of the interface connected to the voice device.
3. Configure an ACL rule to match the MAC address of the voice device.
4. Configure the Switch to change the priority of the packets matching the ACL rule.
Procedure
Step 1 Configure VLAN and interface on the Switch.
# Create VLAN 200.

[HUAWEI] vlan 200

[HUAWEI] acl 4000

[HUAWEI-acl-L2-4000] rule permit source-mac 1234-1234-1234 ffff-ffff-ff00
Step 3 Apply the ACL to GE0/0/1 and re-mark the priority of the packets matching the ACL.
[HUAWEI-GigabitEthernet0/0/1] traffic-remark inbound acl 4000 8021p 7
[HUAWEI-GigabitEthernet0/0/1] traffic-remark inbound acl 4000 dscp ef
Run the display acl 4000 command to check the ACL configuration.
<HUAWEI> display acl 4000
L2 ACL 4000, 1 rule
Acl's step is 5
----End
Configuration Files
#
sysname HUAWEI
#
vlan batch 200
#
acl number 4000
#
traffic-remark inbound acl 4000 8021p 7
traffic-remark inbound acl 4000 dscp ef
#
return

Typical Configuration Examples 4 IP Service
4 IP Service
About This Chapter
This document describes configuration of IP Service supported by the device and provides
4.1 IP Address Configuration
Network devices can communicate at the network layer only after they are configured with IP
addresses.
4.2 ARP Configuration
The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses so that Ethernet
frames can be transmitted on a physical network.
4.3 DHCP Configuration
DHCP dynamically manages and configures clients in a concentrated manner. It ensures proper
IP address allocation and improves IP address use efficiency.
4.4 DHCP Policy VLAN Configuration
This chapter describes the concept, operating mode, and configuration of Dynamic Host
Configuration Protocol (DHCP) policy Virtual Local Area Network (VLAN), and provides
4.5 DHCPv6 Configuration
This section describes how to configure the DHCPv6 function. Currently, the switch can function
as the DHCPv6 server, DHCPv6 PD server, DHCPv6 relay on the IPv6 network.
4.6 IP Performance Configuration
You can optimize IP performance by adjusting parameters on the network.
4.7 DNS Configuration
This chapter describes the principles, basic functions and configuration procedures of DNS on
the switch, and provides configuration examples.
4.8 Basic IPv6 Configurations
The IPv6 protocol stack supports routing protocols and application protocols on an IPv6 network.
4.9 IPv6 DNS configuration
This section describes how to configure IPv6 DNS so that devices can use domain names to
communicate.

4.10 IPv6 over IPv4 Tunnel Configuration

IPv6 over IPv4 tunnel technology enables transition from the IPv4 network to the IPv6 network.

4.1 IP Address Configuration

Network devices can communicate at the network layer only after they are configured with IP
addresses.
4.1.1 Example for Configuring IP Addresses for an Interface
As shown in Figure 4-1, the Switch has only one idle interface GE0/0/1 to connect to a LAN.
The hosts on the LAN are located on two network segments: 172.16.1.0/24 and 172.16.2.0/24.
The interface must be configured with two interfaces to provide access for hosts on the two
network segments.
Figure 4-1 Network diagram for IP addresses configuration
172.16.1.1/24 172.16.1.2/24 Switch
GE0/0/1
VLANIF100
172.16.1.1/24
172.16.2.1/24 sub
172.16.2.1/24 172.16.2.2/24
Configure a primary IP address and a secondary IP address for the interface.
Procedure
Step 1 Add GE0/0/1 to VLAN 100, and configure a primary IP address and a secondary IP address for
VLANIF100.
[HUAWEI] vlan 100
[HUAWEI-Vlan100] quit


[HUAWEI-Vlanif100] ip address 172.16.2.1 24 sub
[HUAWEI] quit

# Ping a host on network segment 172.16.1.0 from the Switch. The ping operation succeeds.
<HUAWEI> ping 172.16.1.2
0.00% packet loss
# Ping a host on network segment 172.16.2.0 from the Switch. The ping operation succeeds.
0.00% packet loss
----End
Configuration Files
#
vlan batch 100
#
interface Vlanif100
ip address 172.16.1.1 255.255.255.0
ip address 172.16.2.1 255.255.255.0 sub
#
#
return
4.1.2 Example for Configuring an IP Unnumbered Interface

As shown in Figure 4-2, Tunnel interfaces (Tunnel1) of SwitchA and SwitchC are seldom used,
so they have no IP address configured. IP unnumbered need to be configured on the tunnel
interfaces so that the two switches can communicate through the tunnel.

Figure 4-2 Network diagram for IP unnumbered interface configuration

SwitchB
GE0/0/1 GE0/0/2
VLANIF10 VLANIF20
20.1.1.2/24 30.1.1.1/24
GE0/0/1 GE0/0/1
SwitchA
116.116.116.1/24
VLANIF10 VLANIF10 SwitchC
LoopBack 0
LoopBack 0
20.1.1.1/24 30.1.1.2/24
9.9.9.1/24
Tunnel
Tunnel 1 Tunnel 1
PC 1 PC 2
1. Create tunnel interfaces on SwitchA and SwitchC, set up a GRE tunnel between them, and
specify the source and destination addresses of the tunnel interfaces.
2. On SwitchA and SwitchC, configure an IP address for a loopback interface and configure
the tunnel interface to borrow the IP address from this loopback interface.
Procedure
Step 1 Configure public IP and the IP address of interface Loopback0
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface loopback 0
[SwitchA-LoopBack0] ip address 116.116.116.1 24
[SwitchA-LoopBack0] quit

[SwitchB-GigabitEthernet0/0/1] port link-type access

[SwitchB-GigabitEthernet0/0/1] port default vlan 10
# Configure SwitchC.
[SwitchC] vlan 10
[SwitchC-vlan10] quit
[SwitchC] interface vlanif 10
[SwitchC-Vlanif10] ip address 30.1.1.2 24
[SwitchC-Vlanif10] quit
[SwitchC] interface loopback 0
[SwitchC-LoopBack0] ip address 9.9.9.1 24
[SwitchC-LoopBack0] quit
Step 2 Configure OSPF on the devices

[SwitchA] ospf 1
[SwitchB] ospf 1
[SwitchB-ospf-1] area 0
[SwitchB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[SwitchB-ospf-1-area-0.0.0.0] quit
[SwitchB-ospf-1] quit
[SwitchC] ospf 1
[SwitchC-ospf-1] area 0
[SwitchC-ospf-1-area-0.0.0.0] network 30.1.1.0 0.0.0.255
[SwitchC-ospf-1-area-0.0.0.0] quit
[SwitchC-ospf-1] quit
Step 3 Configure Tunnel1 to borrow the IP address from Loopback0 and configure the gre tunnel.
[SwitchA] interface tunnel 1
[SwitchA-Tunnel1] tunnel-protocol gre
[SwitchA-Tunnel1] ip address unnumbered interface loopback 0
[SwitchA-Tunnel1] source 20.1.1.1
[SwitchA-Tunnel1] destination 30.1.1.2
[SwitchA-Tunnel1] quit

[SwitchC] interface tunnel 1
[SwitchC-Tunnel1] tunnel-protocol gre
[SwitchC-Tunnel1] ip address unnumbered interface loopback 0
[SwitchC-Tunnel1] source 30.1.1.2
[SwitchC-Tunnel1] destination 20.1.1.1
[SwitchC-Tunnel1] quit
Step 4 Configure static routes.
[SwitchA] ip route-static 9.9.9.0 255.255.255.0 tunnel 1
[SwitchC] ip route-static 116.116.116.0 255.255.255.0 tunnel 1
# Ping 9.9.9.1 from SwitchA. The ping operation succeeds.

[SwitchA] ping 9.9.9.1

0.00% packet loss
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif10
ip address 20.1.1.1 255.255.255.0
#
#
interface LoopBack0
ip address 116.116.116.1 255.255.225.0
#
interface Tunnel1
ip address unnumbered interface LoopBack0
tunnel-protocol gre
source 20.1.1.1
destination 30.1.1.2
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255

#
ip route-static 9.9.9.0 255.255.255.0 Tunnel1
#
return

#
sysname SwitchB
#
vlan batch 10 20
#
interface Vlanif10
ip address 20.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 30.1.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return

#
sysname SwitchC
#
vlan batch 10
#
interface Vlanif10
ip address 30.1.1.2 255.255.255.0
#
#
interface LoopBack0
ip address 9.9.9.1 255.255.225.0
#
interface Tunnel1
tunnel-protocol gre
source 30.1.1.2
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
#
ip route-static 116.116.116.0 255.255.255.0 Tunnel1
#
return

4.2 ARP Configuration

The Address Resolution Protocol (ARP) maps IP addresses to MAC addresses so that Ethernet
frames can be transmitted on a physical network.
4.2.1 Example for Configuring ARP
As shown in Figure 4-3, GE0/0/1 on the switch connects to hosts through the LAN Switch
(LSW). GE0/0/2 connects to a server through the Router. Requirements are as follows:
l GE0/0/1 belongs to VLAN2 and GE0/0/2 belongs to VLAN3.
l Dynamic ARP parameters should be configured for VLANIF2 of the switch so that packets
are transmitted correctly regardless of network typology change.
l A static ARP entry should be configured on GE0/0/2 of the switch to ensure secure
communication with the server and prevent illegal ARP packets. The IP address of the
router should be 10.2.2.3 and the corresponding MAC address is 00e0-fc01-0000.
Figure 4-3 Networking diagram for configuring ARP

Server
Internet
Router
VLANIF3
GE0/0/2 10.2.2.2/24
Switch
GE0/0/1 VLANIF2
2.2.2.2/24
LSW
PC1
Internet
PC3
PC2


2. Set dynamic ARP parameters for the user-side VLANIF interface.
3. Configure a static ARP entry.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs.
# Create VLAN2 and VLAN3.

# Add GE0/0/1 to VLAN2 and GE0/0/2 to VLAN3.

Step 2 Set dynamic ARP parameters for the VLANIF interface.
# Create VLANIF2.
# Configure an IP address for VLANIF2.

# Set the aging time of ARP entries to 60s.

[HUAWEI-Vlanif2] arp expire-time 60
# Set the number of probes to ARP entries to 2.

[HUAWEI-Vlanif2] arp detect-times 2
# Create VLANIF3.

Step 3 Configure a static ARP entry.
# Configure a static ARP entry with IP address 10.2.2.3, MAC address 00e0-fc01-0000, VLAN
ID 3, and outbound interface GE0/0/2.
[HUAWEI] arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface gigabitethernet 0/0/2
[HUAWEI] quit

# Run the display current-configuration command to check the aging time, number of probes,
and ARP mapping entries.
<HUAWEI> display current-configuration | include arp
arp detect-times 2
arp expire-time 60
arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface GigabitEthernet0/0/2
----End
Configuration Files
#
sysname HUAWEI
#
vlan batch 2 to 3
#
interface Vlanif2
arp detect-times 2
arp expire-time 60
ip address 2.2.2.2 255.255.255.0
#
interface Vlanif3
ip address 10.2.2.2 255.255.255.0
#
#
#
arp static 10.2.2.3 00e0-fc01-0000 vid 3 interface GigabitEthernet0/0/2
#
return
4.2.2 Example for Configuring Routed Proxy ARP
In Figure 4-4, Ethernet interfaces GE0/0/1 and GE0/0/2 connect to two LANs respectively. The
two LANs are at the same network segment 172.16.0.0/16. HostA and HostB have no default
gateway. Routed proxy ARP is required to be configured on the switch so that hosts on two
LANs can communicate.
Figure 4-4 Networking diagram for configuring routed proxy ARP

Host A Host B
172.16.1.2/16 172.16.2.2/16
0000-5e33-ee20 0000-5e33-ee10
GE0/0/1 GE0/0/2
172.16.1.1/24 172.16.2.1/24
VLAN2 VLAN3
Switch
Ethernet A Ethernet B

1. Configure IP addresses for interfaces.

2. Enable routed proxy ARP on interfaces.
Procedure
Step 1 Create VLAN2 and add GE0/0/1 to VLAN2.
[HUAWEI] vlan 2
[HUAWEI-vlan2] quit
Step 2 Create and configure VLANIF2.

Step 3 Enable routed proxy ARP on VLANIF2.

[HUAWEI-Vlanif2] arp-proxy enable
Step 4 Create VLAN3 and add GE0/0/2 to VLAN3.

[HUAWEI] vlan 3
[HUAWEI-vlan3] quit

Step 6 Enable routed proxy ARP on VLANIF3.

[HUAWEI-Vlanif3] arp-proxy enable
Step 7 Configure hosts.
# Configure IP address 172.16.1.2/16 for HostA.
# Configure IP address 172.16.2.2/16 for HostB.
# Ping Host B from Host A. Host A can ping Host B successfully.
----End
Configuration Files

#
sysname HUAWEI
#
vlan batch 2 to 3
#
interface Vlanif2
ip address 172.16.1.1 255.255.255.0
arp-proxy enable
#
interface Vlanif3
ip address 172.16.2.1 255.255.255.0
arp-proxy enable
#
port default vlan 2
#
port default vlan 3
#
return
4.2.3 Example for Configuring Intra-VLAN Proxy ARP
As shown in Figure 4-5, GE0/0/2 and GE0/0/1 on the switch belong to sub-VLAN2. Sub-
VLAN2 belongs to super-VLAN3. Requirements are as follows:
l HostA and HostB in VLAN2 should be isolated at Layer 2.
l HostA and HostB can communicate at Layer 3 using intra-VLAN proxy ARP.
The IP address of the VLANIF interface corresponding to the super-VLAN is 10.10.10.1 and
the mask is 255.255.255.0.
Figure 4-5 Networking diagram for configuring intra-VLAN proxy ARP
Internet
Switch
GE0/0/2 GE0/0/1
hostB hostA
10.10.10.3/24 10.10.10.2/24
00-e0-fc-00-00-03 00-e0-fc-00-00-02
sub-VLAN2

1. Create and configure a super-VLAN and a sub-VLAN.

2. Add interfaces to the sub-VLAN.
3. Create a VLANIF interface corresponding to the super-VLAN and assign an IP address to
the VLANIF interface.
4. Enable intra-VLAN proxy ARP on the VLANIF interface.
Procedure
Step 1 Configure a super-VLAN and a sub-VLAN.
# Configure sub-VLAN2.
[HUAWEI] vlan 2
[HUAWEI-vlan2] quit
# Enable interface isolation on GE0/0/1 and GE0/0/2.

[HUAWEI] port-isolate mode l2
# Add GE0/0/1 and GE0/0/2 to sub-VLAN2.

# Configure super-VLAN3 and add sub-VLAN2 to super-VLAN3.

[HUAWEI] vlan 3
[HUAWEI-vlan3] aggregate-vlan
[HUAWEI-vlan3] access-vlan 2
[HUAWEI-vlan3] quit
# Create VLANIF3.

Step 3 Enable intra-VLAN proxy ARP on VLANIF3.

[HUAWEI-Vlanif3] arp-proxy inner-sub-vlan-proxy enable

# Run the display current-configuration command to check configurations of the super-

VLAN, sub-VLAN, and VLANIF interface. The output of the command is displayed in the
following configuration file.
# hostA and hostB can ping each other.
----End
Configuration Files
#
sysname HUAWEI
#
vlan batch 2 to 3
#
vlan 3
aggregate-vlan
access-vlan 2
#
interface Vlanif3
ip address 10.10.10.1 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
#
port default vlan 2
#
port default vlan 2
#
return
4.2.4 Example for Configuring Inter-VLAN Proxy ARP
As shown in Figure 4-6, VLAN2 and VLAN3 belong to super-VLAN4. Requirements are as
follows:
l Hosts in VLAN2 and VLAN3 cannot ping each other.
l Hosts in VLAN2 and VLAN3 can communicate after inter-VLAN proxy ARP is
configured.

Figure 4-6 Networking diagram for configuring inter-VLAN proxy ARP

Switch
GE0/0/1 GE0/0/3
GE0/0/2 GE0/0/4
VLAN2 VLAN3
VLAN4
VLAN2 VLAN3
1. Configure a super-VLAN and sub-VLANs.

2. Add interfaces to the sub-VLANs.
3. Create a VLANIF interface corresponding to the super-VLAN and assign an IP address to
the VLANIF interface.
4. Enable inter-VLAN proxy ARP.
Procedure
Step 1 Configure a super-VLAN and sub-VLANs.
[HUAWEI] vlan 2
[HUAWEI-vlan2] quit

[HUAWEI] vlan 3
[HUAWEI-vlan3] quit


# Configure super-VLAN4, then add sub-VLAN2 and sub-VLAN3 to super-VLAN4.

[HUAWEI] vlan 4
[HUAWEI-vlan4] aggregate-vlan
[HUAWEI-vlan4] quit
# Create VLANIF4.

Step 3 Enable inter-VLAN proxy ARP on VLANIF4.

[HUAWEI-Vlanif4] arp-proxy inter-sub-vlan-proxy enable
# Run the display current-configuration command to check configurations of the super-

VLAN, sub-VLANs, and VLANIF interface. The output of the command is displayed in the
following configuration file.
# Hosts in VLAN2 and VLAN3 can communicate after inter-VLAN proxy ARP is configured.
----End
Configuration Files
#
sysname HUAWEI
#
vlan batch 2 to 4
#
vlan 4
aggregate-vlan
access-vlan 2 3
#
interface Vlanif4
ip address 10.10.10.1 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
#
port default vlan 2
#
port default vlan 2

#
port default vlan 3
#
port default vlan 3
#
return
4.2.5 Example for Configuring Layer 2 Topology Detection
As shown in Figure 4-7, two GE interfaces are added to VLAN100. IP addresses of the switch
that two GE interfaces connect.
Figure 4-7 Networking diagram for configuring Layer 2 topology detection

Switch
GE0/0/1 GE0/0/2
VLANIF100
10.1.1.2/24
PC A PC B
10.1.1.1/24 VLAN100 10.1.1.3/24
1. Add two GE interfaces to VLAN100.

2. Enable Layer 2 topology detection to view changes of ARP entries.
Procedure
Step 1 Create VLAN100 and add two GE interfaces on the switch to VLAN100.
# Create VLAN100 and configure an IP address for the VLANIF interface.

[HUAWEI] vlan 100
# Add two GE interfaces to VLAN100.


Step 2 Enable Layer 2 topology detection.

[HUAWEI] l2-topology detect enable
Step 3 Restart GE0/0/1 and view changes of ARP entries and aging time.
# View ARP entries on the switch. You can find the switch has learnt the MAC address of the
PC.
[HUAWEI] display arp all
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-
INSTANCE
VLAN
-----------------------------------------------------------------------------
10.1.1.2 00e0-c01a-4900 I - Vlanif100
10.1.1.1 00e0-c01a-4901 20 D-0 GE0/0/1
100/-
10.1.1.3 00e0-de24-bf04 20 D-0 GE0/0/2
100/-
-----------------------------------------------------------------------------
Total:3 Dynamic:2 Static:0 Interface:1
# Run the shutdown and undo shutdown commands on GE0/0/1 and view the aging time of
ARP entries.
l Run the shutdown command on GE0/0/1 to view the aging time of ARP entries.
[HUAWEI-GigabitEthernet0/0/1] shutdown
[HUAWEI-GigabitEthernet0/0/1] display arp all
INSTANCE
VLAN
----------------------------------------------------------------------------
10.1.1.2 00e0-c01a-4900 I -
Vlanif100
10.1.1.3 00e0-de24-bf04 18 D-0 GE0/0/2
100/-
------------------------------------------------------------------------------
l Run the undo shutdown command on GE0/0/1 to view the aging time of ARP entries.
[HUAWEI-GigabitEthernet0/0/1] undo shutdown
[HUAWEI-GigabitEthernet0/0/1] display arp all
INSTANCE
VLAN
-----------------------------------------------------------------------------
10.1.1.2 00e0-c01a-4900 I - Vlanif100
10.1.1.1 00e0-c01a-4901 20 D-0 GE0/0/1
100/-
10.1.1.3 00e0-de24-bf04 20 D-0 GE0/0/2
100/-
-----------------------------------------------------------------------------

NOTE
The preceding command output shows that the ARP entries learned from GE 0/0/1 are deleted after GE
0/0/1 is shut down. After the undo shutdown command is run on GE 0/0/1 and GE 0/0/1 goes Up, the ARP
entry learned from GE 0/0/2 is aged, and then the device sends an ARP probe packet for updating ARP
entry. After the entry is updated, the aging time restores the default value, 20 minutes.
----End
Configuration Files
#
sysname HUAWEI
#
l2-topology detect enable
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
#
#
return
4.2.6 Example for Configuring ARP Packet Forwarding Between

Isolated Interfaces
As shown in Figure 4-8, SwitchB connects to SwitchA (DHCP server) through GE0/0/3 and
connects to UserA and UserB through interfaces GE0/0/1 and GE0/0/2 respectively. UserA and
UserB obtain IP addresses using DHCP. GE0/0/3 of SwitchA, GE0/0/1, GE0/0/2, GE0/0/3 of
SwitchB belong to VLAN 2. The administrator has the following requirements:
l UserA and UserB in VLAN 2 are isolated at Layer 2 and communicate at Layer 3.
l SwitchB does not broadcast ARP Request packets in the VLAN to reduce traffic volume
in the VLAN.

Figure 4-8 Networking diagram for configuring ARP packet forwarding between isolated
interfaces
SwitchA
DHCP Sever VLAN2

VLANIF2
GE0/0/3
10.10.10.12/24
GE0/0/3
SwitchB
GE0/0/1 GE0/0/2
UserB UserA
10.10.10.3/24 10.10.10.2/24
00-e0-fc-00-00-03 00-e0-fc-00-00-02
VLAN2
1. Configure port isolation on GE0/0/1 and GE0/0/2 of SwitchB and enable intra-VLAN ARP
proxy on SwitchA so that UserA and UserB are isolated at Layer 2 and communicate at
Layer 3.
2. Enable DHCP snooping and EAI on SwitchB so that SwitchB matches the destination IP
addresses of received ARP Request packets with the dynamic DHCP snooping binding
entries to determine the outbound interfaces, preventing ARP Request packets from being
broadcast in a VLAN.
3. Enable ARP packet forwarding between isolated interfaces on SwitchB so that UserA and
UserB can be isolated at Layer 2 and communicate at Layer 3 after EAI is enabled on the
outbound interface.
Procedure
Step 1 Enable DHCP on SwitchA.
[SwitchA] dhcp enable
Step 2 Create a VLAN on SwitchA, add the interface to the VLAN, and create a VLANIF interface.
# Create VLAN 2 and add GE0/0/3 to VLAN 2.
[SwitchA] vlan 2
# Create VLANIF2, configure an IP address for VLANIF2, and enable DHCP on VLANIF2.


[SwitchA-Vlanif2] dhcp select interface
Step 3 Create a VLAN on SwitchB and add interfaces to the VLAN.
# Create VLAN 2 and add GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 2.

[SwitchB] vlan 2
[SwitchB-GigabitEthernet0/0/3] port trunk allow-pass vlan 2
Step 4 Enable DHCP snooping on SwitchB.
# Enable DHCP snooping globally and in VLAN 2.

[SwitchB] dhcp enable
[SwitchB] dhcp snooping enable
[SwitchB] vlan 2
[SwitchB-vlan2] dhcp snooping enable
# Configure GE0/0/3 as the trusted interface.

[SwitchB-GigabitEthernet0/0/3] dhcp snooping trusted
After the configuration is complete, UserA and UserB can go online using DHCP, and UserA
and UserB can ping each other. Dynamic DHCP snooping binding entries are generated on
SwitchB.
Step 5 Configure port isolation on SwitchB.
# Configure Layer 2 isolation and Layer 3 communication.

[SwitchB] port-isolate mode l2
# Configure port isolation on GE0/0/1 and GE0/0/2.

[SwitchB-GigabitEthernet0/0/1] port-isolate enable
[SwitchB-GigabitEthernet0/0/2] port-isolate enable
After the configuration is complete, UserA and UserB cannot ping each other, indicating that
UserA and UserB are isolated at Layer 2.
Step 6 Enable intra-VLAN proxy ARP on SwitchA.
# Enable intra-VLAN proxy ARP on VLANIF2.

[SwitchA-Vlanif2] arp-proxy inner-sub-vlan-proxy enable

After the configuration is complete, UserA and UserB can ping each other, indicating that UserA
and UserB can communicate at Layer 3.
Step 7 Enable EAI on the outbound interface of SwitchB.
# Enable EAI on the outbound interface in VLAN 2.

[SwitchB] vlan 2
[SwitchB-vlan2] dhcp snooping arp security enable
After the configuration is complete, if ARP entries corresponding to UserA and UserB have
aged, UserA sends an ARP Request packet to UserB before performing the ping operation.
After EAI is enabled, SwitchB matches the destination IP addresses of received ARP Request
packets with the dynamic DHCP snooping binding entries to determine the outbound interface.
SwitchB then forwards ARP Request packets to GE0/0/1. Intra-VLAN ARP proxy on SwitchA
does not take effect when ARP packets are forwarded to SwitchA through GE0/0/3. The
outbound interface GE0/0/1 with EAI enabled and the inbound interface GE0/0/2 are configured
with port isolation. Therefore, SwitchB discards the ARP Request packet, and UserA fails to
learn ARP entries.
UserA and UserB cannot ping each other.
Step 8 Configure ARP packet forwarding between isolated interfaces on SwitchB.
# Configure ARP packet forwarding between isolated interfaces in VLAN 2.

[SwitchB-vlan2] dhcp snooping arp security isolate-forwarding-trust
[SwitchB] quit
After the configuration is complete, SwitchB forwards ARP Request packets sent from UserA
to the trusted interface GE0/0/3. SwitchA with intra-VLAN ARP proxy enabled allows UserA
and UserB to ping each other. ARP packet forwarding between isolated interfaces is configured
successfully.
Run the display current-configuration command on SwitchA and SwitchB to check the
configuration. The command output is displayed in the following configuration files.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2
#
dhcp enable
#
interface Vlanif2
ip address 10.10.10.12 255.255.255.0
arp-proxy inner-sub-vlan-proxy enable
dhcp select interface
#


#
return

#
sysname SwitchB
#
vlan batch 2
#
dhcp
enable
#
dhcp snooping
enable
#
vlan
2
dhcp snooping
enable
dhcp snooping arp security
enable
dhcp snooping arp security isolate-forwarding-trust
#
port default vlan 2
#
port default vlan 2
#
port link-type
trunk
port trunk allow-pass vlan
2
dhcp snooping trusted
#
return
4.3 DHCP Configuration

DHCP dynamically manages and configures clients in a concentrated manner. It ensures proper
IP address allocation and improves IP address use efficiency.
4.3.1 Example for Configuring a DHCP Server Based on the Global

Address Pool
As shown in Figure 4-9, an enterprise has two offices on the same network segment. To reduce
network construction cost, the enterprise uses one DHCP server to assign IP addresses for hosts
in the two offices.
All the hosts in Office1 are on the network segment 10.1.1.0/25 and added to VLAN 10. Hosts
in Office1 only use the DNS service with a lease of ten days. All the hosts in Office2 are on the

network segment 10.1.1.128/25 and added to VLAN 20. Hosts in Office2 use the DNS service
and NetBIOS service with a lease of two days.
You can configure a global address pool on SwitchA and enable the server to dynamically assign
IP addresses to hosts in the two offices.
Figure 4-9 Networking diagram for configuring a DHCP server based on the global address
pool
NetBIOS DHCP DHCP DHCP
server client client client
10.1.1.4/25
GE0/0/1 GE0/0/2
VLANIF10 VLANIF20
10.1.1.1/25 10.1.1.129/25
SwtichB SwtichC
SwtichA
DHCP server
10.1.1.2/25 DNS DHCP DHCP DHCP

server client client client
Network: 10.1.1.0/25 Network: 10.1.1.128/25
1. Create two global address pools on the SwitchA and set attributes of the pools. Assign IP
addresses to Office1 and Office2 as required.
2. Configure VLANIF interfaces to use the global address pool to assign IP addresses to
clients.
Procedure
Step 1 Enable DHCP
Step 2 Create address pools and set the attributes of the address pools
# Set the attributes of IP address pool 1, including the address pool range, DNS server address,
gateway address, and address lease.
[SwitchA] ip pool 1
[SwitchA-ip-pool-1] network 10.1.1.0 mask 255.255.255.128
[SwitchA-ip-pool-1] dns-list 10.1.1.2
[SwitchA-ip-pool-1] gateway-list 10.1.1.1
[SwitchA-ip-pool-1] excluded-ip-address 10.1.1.2

[SwitchA-ip-pool-1] excluded-ip-address 10.1.1.4

[SwitchA-ip-pool-1] lease day 10
[SwitchA-ip-pool-1] quit
# Set the attributes of IP address pool 2, including the address pool range, DNS server address,
egress gateway address, NetBIOS server address, and address lease
[SwitchA] ip pool 2
[SwitchA-ip-pool-2] network 10.1.1.128 mask 255.255.255.128
[SwitchA-ip-pool-2] dns-list 10.1.1.2
[SwitchA-ip-pool-2] nbns-list 10.1.1.4
[SwitchA-ip-pool-2] gateway-list 10.1.1.129
[SwitchA-ip-pool-2] lease day 2
[SwitchA-ip-pool-2] quit
Step 3 Set the address assignment mode on the VLANIF interfaces
# Add GigabitEthernet0/0/1 and GigabitEthernet0/0/2 to the corresponding VLANs.

[SwitchA-GigabitEthernet0/0/1] port hybrid pvid vlan 10
# Configure clients on VLANIF 10 to obtain IP addresses from the global address pool.
[SwitchA-Vlanif10] ip address 10.1.1.1 255.255.255.128
[SwitchA-Vlanif10] dhcp select global
# Configure clients on VLANIF 20 to obtain IP addresses from the global address pool.
[SwitchA-Vlanif20] dhcp select global
Step 4 Verify the configuration
Run the display ip pool command on the SwitchA to view the IP address pool configuration.
[SwitchA] display ip pool
-----------------------------------------------------------------------
Pool-name : 1
Pool-No : 0
Position : Local Status : Unlocked
Gateway-0 : 10.1.1.1
Mask : 255.255.255.128
VPN instance : --
-----------------------------------------------------------------------
Pool-name : 2
Pool-No : 1
Gateway-0 : 10.1.1.129
Mask : 255.255.255.128
VPN instance : --
IP address Statistic
Total :250

Used :6 Idle :242

Expired :0 Conflict :0 Disable :2
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20
#
dhcp enable
#
ip pool 1
network 10.1.1.0 mask 255.255.255.128
excluded-ip-address 10.1.1.2
excluded-ip-address 10.1.1.4
lease day 10 hour 0 minute 0
dns-list 10.1.1.2
#
ip pool 2
network 10.1.1.128 mask 255.255.255.128
lease day 2 hour 0 minute 0
dns-list 10.1.1.2
nbns-list 10.1.1.4
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.128
dhcp select global
#
interface Vlanif20
ip address 10.1.1.129 255.255.255.128
dhcp select global
#
#
#
return
4.3.2 Example for Configuring a DHCP Server Based on the

Interface Address Pool
As shown in Figure 4-10, an enterprise has two offices on the same network segment. To reduce
network construction cost, the enterprise uses one DHCP server to assign IP addresses for hosts
in the two offices.
All the hosts in Office1 are on the network segment 10.1.1.0/24 and added to VLAN 10. Hosts
in Office1 use the DNS service and NetBIOS service with a lease of thirty days. All the hosts
in Office2 are on the network segment 10.1.2.0/24 and added to VLAN 11. Hosts in Office2 do
not use the DNS service or NetBIOS service. The lease of the IP address is tweenty days.

Figure 4-10 Networking diagram for configuring a DHCP server based on the VLANIF interface
address pool
NetBIOS Server DHCP DNS Server
10.1.1.3/24 Client 10.1.1.2/24
VLANIF10
10.1.1.1/24
SwitchB
GE0/0/1
SwitchA
GE0/0/2 DHCP
SwitchC VLANIF11 Server
10.1.2.1/24
DHCP DHCP DHCP

Client Client Client
1. Create two interface address pools on the SwitchA and set attributes of the address pool.
Configure the interface address pools to enable the DHCP server to assign IP addresses and
configuration parameters to hosts from different interface address pools.
2. Configure VLANIF interfaces to assign IP addresses to hosts from the interface address
pool.
Procedure
Step 1 Enable DHCP
Step 2 Adds the interface to the VLAN
# Add GE0/0/1 to VLAN 10.

# Add GE0/0/2 to VLAN 11.



Step 3 Assign IP addresses to VLANIF interfaces
# Assign an IP address to VLANIF 10.

# Allocate an IP address to VLANIF 11.

Step 4 Enable the VLANIF interface address pool
# Configure clients on VLANIF 10 to obtain IP addresses from the interface address pool.
# Configure clients on VLANIF 11 to obtain IP addresses from the interface address pool.
Step 5 Configure the DNS service and NetBIOS service for the interface address pool
# Configure the DNS service and NetBIOS service for the interface address pool on VLANIF
10.
[SwitchA-Vlanif10] dhcp server domain-name huawei.com
[SwitchA-Vlanif10] dhcp server dns-list 10.1.1.2
[SwitchA-Vlanif10] dhcp server nbns-list 10.1.1.3
[SwitchA-Vlanif10] dhcp server excluded-ip-address 10.1.1.2
[SwitchA-Vlanif10] dhcp server excluded-ip-address 10.1.1.3
[SwitchA-Vlanif10] dhcp server netbios-type b-node
Step 6 Set IP address leases of IP address pools
# Set the IP address lease of VLANIF 10 address pool to 30 days.

[SwitchA-Vlanif10] dhcp server lease day 30
# Set the IP address lease of VLANIF 11 address pool to 20 days.

[SwitchA-Vlanif11] dhcp server lease day 20
Run the display ip pool command on SwitchA to view interface address pool configuration.
[SwitchA] display ip pool interface Vlanif10
Pool-name : Vlanif10
Pool-No : 0
Lease : 30 Days 0 Hours 0 Minutes

Domain-name : huawei.com
DNS-server0 : 10.1.1.2
NBNS-server0 : 10.1.1.3
Netbios-type : b-node
Position : Interface Status : Unlocked
Gateway-0 : 10.1.1.1
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.1.1 10.1.1.254 253 1 250(0) 0 2
-----------------------------------------------------------------------------
[SwitchA] display ip pool interface Vlanif11
Pool-name : Vlanif11
Pool-No : 1
Lease : 20 Days 0 Hours 0 Minutes
Domain-name : -
DNS-server0 : -
NBNS-server0 : -
Netbios-type : -
Position : Interface Status : Unlocked
Gateway-0 : 10.1.2.1
Mask : 255.255.255.0
VPN instance : --
-----------------------------------------------------------------------------
Start End Total Used Idle(Expired) Conflict Disable
-----------------------------------------------------------------------------
10.1.2.1 10.1.2.254 253 3 250(0) 0 0
-----------------------------------------------------------------------------
----End
Configuration Files
#
sysname HUAWEI
#
vlan batch 10 to 11
#
dhcp enable
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
dhcp server excluded-ip-address 10.1.1.2 10.1.1.3
dhcp server lease day 30 hour 0 minute 0
dhcp server dns-list 10.1.1.2
dhcp server netbios-type b-node
dhcp server nbns-list 10.1.1.3
dhcp server domain-name huawei.com
#
interface Vlanif11
ip address 10.1.2.1 255.255.255.0
dhcp server lease day 20 hour 0 minute 0
#
#

#
return
4.3.3 Example for Configuring a DHCP Server and a DHCP Relay

Agent
When the DHCP server and clients are on different network segments, a DHCP relay agent is
required.
As shown in Figure 4-11, an enterprise has multiple offices, which are distributed in different
office buildings. The offices in different buildings belong to different VLANs. The enterprise
uses SwitchB, which functions as the DHCP server, to assign IP addresses to hosts in different
offices.
Hosts in OfficeA are on 20.20.20.0/24 and the DHCP server is on 100.10.10.0/24. By using
SwitchA enabled with DHCP relay, the DHCP clients can obtain IP addresses from the DHCP
server.
On SwitchA, the public address of VLANIF200 is 100.10.20.1/24 and the interface address of
SwitchA connected to the carrier device is 100.10.20.2/24.
On SwitchB, the public address of VLANIF300 is 100.10.10.1/24 and the interface address of
SwitchB connected to the carrier device is 100.10.10.2/24.
Figure 4-11 DHCP relay agent

SwitchB
VLANIF300
Internet DHCP Server

100.10.10.1/24
VLANIF200
100.10.20.1/24
DHCP Relay SwitchA

GE0/0/2 VLANIF100
20.20.20.1/24
DHCP DHCP DHCP

Client Client Client
VLAN100
OfficeA

1. Configure DHCP relay on SwitchA to enable SwitchA to forward DHCP messages from
different network segments.
2. Configure a global address pool at 20.20.20.0/24 to enable the DHCP server to assign IP
address to clients on different network segments.
Procedure
Step 1 Configure DHCP relay on SwitchA.
1. Create a DHCP server group and add DHCP servers to the group.
# Create a DHCP server group.

[SwitchA] dhcp server group dhcpgroup1
# Add a DHCP server to the DHCP server group.

[SwitchA-dhcp-server-group-dhcpgroup1] dhcp-server 100.10.10.1
[SwitchA-dhcp-server-group-dhcpgroup1] quit
2. Enable DHCP relay on the interface.
# Create a VLAN and add GE0/0/2 to the VLAN.

# Enable DHCP globally and DHCP relay on the interface.

[SwitchA-Vlanif100] dhcp select relay
3. Bind an interface to a DHCP server group.
# Assign IP addresses to interfaces.

Bind the interface to the DHCP server group.

[SwitchA-Vlanif100] dhcp relay server-select dhcpgroup1
Step 2 Configure a default route on SwitchA.

[SwitchA] ip route-static 0.0.0.0 0.0.0.0 100.10.20.2
Step 3 Configure the DHCP server based on the global address pool on SwitchB.

# Enable DHCP.
# Configure VLANIF300 to use the global address pool.

[SwitchB] vlan 300
[SwitchB-Vlanif300] dhcp select global
Create an address pool and set the attributes of the address pool.
[SwitchB] ip pool pool1
[SwitchB-ip-pool-pool1] network 20.20.20.0 mask 24
[SwitchB-ip-pool-pool1] gateway-list 20.20.20.1
[SwitchB-ip-pool-pool1] quit
Step 4 Configure a default route on SwitchB.

[SwitchB] ip route-static 0.0.0.0 0.0.0.0 100.10.10.2
# Run the display dhcp relay interface vlanif 100 command on SwitchA to view the DHCP
relay configuration on the interface.
[SwitchA] display dhcp relay interface vlanif 100
DHCP relay agent running information of interface Vlanif100 :
Server group name : dhcpgroup1
Gateway address in use : 20.20.20.1
# Run the display ip pool command on SwitchB to view the IP address pool configuration.
[SwitchB] display ip pool
-----------------------------------------------------------------------
Pool-name : pool1
Pool-No : 0
Gateway-0 : 20.20.20.1
Mask : 255.255.255.0
VPN instance : --
IP address Statistic
Total :253
Used :2 Idle :251
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100 200
#
dhcp enable
#
dhcp server group dhcpgroup1

dhcp-server 100.10.10.1 0
#
interface Vlanif100
ip address 20.20.20.1 255.255.255.0
dhcp select relay
dhcp relay server-select dhcpgroup1
#
interface Vlanif200
ip address 100.10.20.1 255.255.255.0
#
#
ip route-static 0.0.0.0 0.0.0.0 100.10.20.2
#
return

#
sysname SwitchB
#
vlan batch 300
#
dhcp enable
#
ip pool pool1
network 20.20.20.0 mask 255.255.255.0
#
interface Vlanif300
ip address 100.10.10.1 255.255.255.0
dhcp select global
#
ip route-static 0.0.0.0 0.0.0.0 100.10.10.2
#
return
4.3.4 Example for Configuring the DHCP Clients

As shown in Figure 4-12, SwitchA functions as a DHCP client, and SwitchB functions as a
DHCP server. SwitchA dynamically obtains an IP address, a DNS server address, and a gateway
address from SwitchB.
Figure 4-12 Networking diagram for configuring DHCP clients
Gateway
192.168.1.126/24
GE0/0/1
VLANIF10 GE0/0/1
192.168.1.1/24 192.168.1.2/24 VLANIF10
SwitchB SwitchA
DHCP Server DNS Server DHCP Client

1. Enable the DHCP client function on SwitchA so that SwitchA can dynamically obtains an
IP address from the DHCP server.
2. Create a global address pool on SwitchB and configure related attributes.
Procedure
l Configure the DHCP client function on SwitchA
# Enable the DHCP service
# Create VLAN10 and add GE0/0/1 to VLAN10

[SwitchA] vlan 10
# Enable the DHCP client function on VLANIF10

[SwitchA-Vlanif10] ip address dhcp-alloc
l Create a global address pool on SwitchB and configure related attributes

1. Enable the DHCP service
2. Create VLAN10 and add GE0/0/1 to VLAN10

[SwitchB] vlan 10
3. Configure VLANIF10 to select a global address pool for IP address allocation

4. Create an address pool and configure related attributes

[SwitchB-ip-pool-pool1] dns-list 192.168.1.2
l Verify the configuration

# Run the display current-configuration command on SwitchA to view the configuration
of the DHCP client function

[SwitchA] display current-configuration

...
#
interface Vlanif 10
ip address dhcp-alloc
#
...
# After VLANIF10 obtains an IP address, run the display dhcp client command on
SwitchA to check the status of the DHCP client on VLANIF10
[SwitchA] display dhcp client
DHCP client lease information on interface
Vlanif10 :
Current machine state :
Bound
Internet address assigned via :
DHCP
Physical address :
0018-8201-0987
IP address :
192.168.1.254
Subnet mask :
255.255.255.0
Gateway ip address :
192.168.1.126
DHCP server :
192.168.1.1
Lease obtained at : 2008-11-06
02:48:09
Lease expires at : 2008-11-06
03:48:09
Lease renews at : 2008-11-06
03:18:09
Lease rebinds at : 2008-11-06
03:40:39
DNS : 192.168.1.2
# Run the display ip pool command on SwitchB. You can view the configuration about
the IP address pool of SwitchB
-----------------------------------------------------------------------
Pool-name :
pool1
Pool-No :
0
Position : Local Status :
Unlocked
Gateway-0 :
192.168.1.126
Mask :
255.255.255.0
VPN instance :
--
IP address
Statistic
Total :
253
Used :1 Idle :
252
----End

Example
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
interface
Vlanif10
ip address dhcp-
alloc
#
interface
port link-type
trunk
10
#
return

#
sysname SwitchB
#
vlan batch 10
#
dhcp enable
#
ip pool pool1
network 192.168.1.0 mask 255.255.255.0
dns-list 192.168.1.2
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
dhcp select global
#
interface
port link-type
trunk
10
#
return
4.3.5 Example for Configuring the BOOTP Clients
As shown in Figure 4-13, SwitchA functions as a BOOTP client, and SwitchB functions as a
DHCP server. SwitchA obtains an IP address from an IP-MAC binding entry, a DNS server
address, and a gateway address from SwitchB functioning as a DHCP server.

Figure 4-13 Networking diagram for configuring BOOTP clients
Gateway
192.168.1.126/24
GE0/0/1
VLANIF10 GE0/0/1
192.168.1.1/24 192.168.1.2/24 VLANIF10
SwitchB SwitchA
DNS Server
DHCP Server BOOTP Client
1. Enable the DHCP client function on SwitchA so that SwitchA can dynamically obtains an
IP address from the DHCP server.
2. Create a global address pool on SwitchB and configure related attributes.
Procedure
l Configure the DHCP client function on SwitchA
# Enable the DHCP service.

# Create VLAN10 and add GE0/0/1 to VLAN10

[SwitchA] vlan 10
# Enable the BOOTP client function on VLANIF10 interface

[SwitchA-Vlanif10] ip address bootp-alloc
l Create a global address pool on SwitchB and configure related attributes

1. Enable the DHCP service.
[SwitchB] dhcp server bootp
[SwitchB] dhcp server bootp automatic
2. Create VLAN10 and add GE0/0/1 to VLAN10

[SwitchB] vlan 10
[SwitchB-Vlan10] quit
3. Configure VLANIF10 to select a global address pool for IP address allocation

4. Create an address pool and configure related attributes

[SwitchB-ip-pool-pool1] dns-list 192.168.1.2
l Verify the configuration.
# Run the display current-configuration command on SwitchA. You can view the
configurations of the DHCP client function
[SwitchA] display current-configuration
...
#
interface Vlanif10
ip address bootp-alloc
#
...
# After VLANIF10 obtains an IP address, run the display dhcp client command on
SwitchA to check the status of the DHCP client on VLANIF10
[SwitchA] display dhcp client
BOOTP client lease information on interface
Vlanif10 :
Current machine state :
Bound
Internet address assigned via :
BOOTP
Physical address :
0018-8201-0987
IP address :
192.168.1.254
Subnet mask :
255.255.255.0
Gateway ip address :
192.168.1.126
Lease obtained at : 2008-11-06
23:04:47
DNS : 192.168.1.2
# Run the display ip pool command on SwitchB. You can view the configuration about
the IP address pool of SwitchB
-----------------------------------------------------------------------
Pool-name :
pool1
Pool-No :
0
Position : Local Status :
Unlocked

Gateway-0 :
192.168.1.126
Mask :
255.255.255.0
VPN instance :
--
IP address
Statistic
Total :
253
Used :1 Idle :
252
----End
Example
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
interface
Vlanif10
ip address bootp-
alloc
#
interface
port link-type
trunk
10
#
return

#
sysname SwitchB
#
vlan batch 10
#
dhcp enable
#
dhcp server
bootp
dhcp server bootp
automatic
#
ip pool pool1
network 192.168.1.0 mask 255.255.255.0
dns-list 192.168.1.2
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
dhcp select global
#
interface

port link-type
trunk
10
#
return
4.4 DHCP Policy VLAN Configuration

This chapter describes the concept, operating mode, and configuration of Dynamic Host
Configuration Protocol (DHCP) policy Virtual Local Area Network (VLAN), and provides
4.4.1 Example for Configuring DHCP Policy VLAN Based on MAC

Addresses
As shown in Figure 4-14, on the S2350&S5300&S6300, GE 0/0/2 connects to PC1 and PC2
that access the network for the first time; GE 0/0/4 connects to the DHCP server that belongs to
VLAN 100. The MAC address of PC1 is 001E-9089-C65A; the MAC address of PC2 is
00E0-4C84-0B44.
Figure 4-14 Networking for configuring DHCP policy VLAN based on MAC addresses
PC1
001E-9089-C65A Switch
GE 0/0/4
VLAN100
GE 0/0/2
DHCP Server
192.168.31.251/16
PC2
00E0-4C84-0B44
1. Enable DHCP globally.

2. Determine to which VLAN the DHCP server belongs.

3. Configure DHCP policy VLAN based on MAC addresses.
Configuration Procedure
1. Configure the Switch
# Enable DHCP globally. Configure GE 0/0/2 and GE 0/0/4 on the Switch as a hybrid
interface, and configure frames from VLAN 100 to pass through GE 0/0/2 in untagged
mode.
[HUAWEI-GigabitEthernet0/0/2] port hybrid untagged vlan 2 to 100
# Configure DHCP policy VLAN based on MAC addresses.

[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp policy-vlan mac-address 001E-9089-C65A priority 5
[HUAWEI-vlan100] dhcp policy-vlan mac-address 00E0-4C84-0B44 priority 5
2. Verify the configuration

# After PC1 and PC2 go online and obtain IP addresses, ping the DHCP server from PC1
and PC2. The ping operations are successful.
C:\>ping 192.168.31.251
Pinging 192.168.31.251 with 32 bytes of data:
Reply from 192.168.31.251: bytes=32 time=126ms TTL=255

Ping statistics for 192.168.31.251:

Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 2ms, Maximum = 126ms, Average = 33ms
Configuration Files
The following lists the configuration file of the S2350&S5300&S6300
#
dhcp enable
#
#
#
vlan 100
dhcp policy-vlan mac-address 001e-9089-c65a priority 5
dhcp policy-vlan mac-address 00e0-4c84-0b44 priority 5
#
return

4.4.2 Example for Configuring DHCP Policy VLAN Based on

Interfaces
As shown in Figure 4-15, on the S2350&S5300&S6300, GE 0/0/2 connects to an access switch;
GE 0/0/1 connects to the DHCP server that belongs to VLAN 100; the access switch connects
to 10 hosts.
Figure 4-15 Networking for configuring DHCP policy VLAN based on interfaces
Switch
GE 0/0/1
VLAN100
GE 0/0/2
DHCP Server
192.168.31.251/16
...
PC1 PC10
1. Enable DHCP globally.
2. Determine to which VLAN the DHCP server belongs.
3. Configure DHCP policy VLAN based on interfaces.
1. Configure the S2350&S5300&S6300
# Enable DHCP globally. Configure GE 0/0/1 and GE 0/0/2 on the
S2350&S5300&S6300 as hybrid interfaces, and configure frames from VLAN 100 to pass
through GE 0/0/2 in untagged mode.


2. # Configure DHCP policy VLAN based on interfaces

[HUAWEI] vlan 100
[HUAWEI-vlan100] dhcp policy-vlan port gigabitethernet 0/0/2 priority 5
Configuration Files
The following lists the configuration file of the S2350&S5300&S6300
#
dhcp enable
#
#
#
vlan 100
dhcp policy-vlan port GigabitEthernet 0/0/2 priority 5
#
return
4.5 DHCPv6 Configuration

This section describes how to configure the DHCPv6 function. Currently, the switch can function
as the DHCPv6 server, DHCPv6 PD server, DHCPv6 relay on the IPv6 network.
4.5.1 Example for Configuring a DHCPv6 Server
If a large number of IPv6 addresses need to be manually configured, the workload on
configuration will be huge, and the manually configured addresses have poor manageability.
The administrator requires that IPv6 addresses and network configuration parameters be
obtained automatically to facilitate centralized management and hierarchical IPv6 network
deployment.
Figure 4-16 Networking diagram for configuring the DHCPv6 server
VLANIF100 Switch A
3000::1/64
GE0/0/1
DHCPv6 Client DHCPv6 Server

1. Enable IPv6 functions on the interface so that devices can communicate using IPv6.
2. Enable the DHCPv6 PD Server function so that devices can obtain IPv6 address prefixes
using DHCPv6.
Procedure
Step 1 Enable the DHCP service
[HUAWEI] sysname Switch A
[Switch A] dhcp enable
Step 2 Configure the ipv6 function on interfaces

[Switch A] ipv6
[Switch A] vlan 100
[Switch A-vlan100] quit
[Switch A] interface gigabitethernet 0/0/1
[Switch A-GigabitEthernet0/0/1] port link-type access
[Switch A-GigabitEthernet0/0/1] port default vlan 100
[Switch A-GigabitEthernet0/0/1] quit
[Switch A] interface vlanif 100
[Switch A-Vlanif100] ipv6 enable
[Switch A-Vlanif100] ipv6 address 3000::1/64
[Switch A-Vlanif100] quit
Step 3 Configure a DHCPv6 server

[Switch A] dhcpv6 pool pool1
[Switch A-dhcpv6-pool-pool1] address prefix 3000::2/64
[Switch A-dhcpv6-pool-pool1] dns-server 4000::1
[Switch A-dhcpv6-pool-pool1] quit
Step 4 Enable the DHCPv6 server function on the interface
# Enable the DHCPv6 server function on Vlanif100.

[Switch A-Vlanif100] dhcpv6 server pool1
Run the display dhcpv6 pool command on the switch to check information about the DHCPv6
address pool.
<Switch A> display dhcpv6 pool
DHCPv6 pool: pool1
Address prefix: 3000::/64
lifetime valid 172800 seconds, preferred 86400 seconds
0 in use, 0 conflicts
Information refresh time: 86400
DNS server address: 4000::1
Conflict-address expire-time: 172800
Active normal clients: 0
Run the display dhcpv6 server command on the switch to check information about the DHCPv6
server.

<Switch A> display dhcpv6 server

Interface DHCPv6 pool
Vlanif100 pool1
----End
Configuration File
#
sysname Switch A
#
ipv6
#
vlan batch 100
#
dhcp enable
#
dhcpv6 pool pool1
address prefix 3000::2/64
dns-server 4000::1
#
port default vlan
100
#
interface Vlanif100
ipv6 enable
ipv6 address 3000::1/64
dhcpv6 server pool1
#
return
4.5.2 Example for Configuring a DHCPv6 PD Server
As shown in Figure 4-17, RouterB and SwitchA are directly connected and on the same link.
RouterB cannot communicate with other devices because it has no IPv6 address and other
network configuration parameters. The Switch A needs to be configured as a DHCPv6 PD server
to assign IPv6 addresses and other network configuration parameters to DHCPv6 clients. This
facilitates centralized management and layered IPv6 network deployment.

Figure 4-17 Networking diagram of configuring the DHCPv6 PD server

IPv6 HostC
RouterB VLANIF100 SwitchA

GE0/0/1 3000::1/64
GE0/0/1
DHCPv6 PD Client
DHCPv6 PD Server
IPv6 HostA IPv6 HostB
1. Enable IPv6 on interfaces so that devices can communicate using IPv6.
2. Enable the DHCPv6 PD server function so that DHCPv6 PD server can assign IPv6
addresses using DHCPv6.
Procedure
Step 1 Enable the DHCP service
[HUAWEI] sysname Switch A
[Switch A] dhcp enable
Step 2 Configure IPv6 functions on interfaces

[Switch A] ipv6
[Switch A] vlan 100
[Switch A-vlan100] quit
[Switch A] interface gigabitethernet 0/0/1
[Switch A-GigabitEthernet0/0/1] port link-type access
[Switch A-GigabitEthernet0/0/1] port default vlan 100
[Switch A-GigabitEthernet0/0/1] quit
[Switch A-Vlanif100] ipv6 enable
[Switch A-Vlanif100] ipv6 address 3000::1/64
Step 3 Configure a DHCPv6 PD server

[Switch A] dhcpv6 pool pool1
[Switch A-dhcpv6-pool-pool1] prefix-delegation 3000::/60 64
[Switch A-dhcpv6-pool-pool1] dns-server 4000::1
[Switch A-dhcpv6-pool-pool1] quit
Step 4 Enable the DHCPv6 PD server function on an interface
# Enable the DHCPv6 PD server function on VLANIF 100.

[Switch A-Vlanif100] dhcpv6 server pool1

[Switch A] quit
Run the display dhcpv6 pool command on the switch to check information about the DHCPv6
address pool.
<Switch A> display dhcpv6 pool
DHCPv6 pool: pool1
Prefix delegation: 3000::/60 64
lifetime valid 172800 seconds, preferred 86400 seconds
0 in use
Information refresh time: 86400
DNS server address: 4000::1
Conflict-address expire-time: 172800
Active pd clients: 0
Run the display dhcpv6 server command on the switch to check information about the DHCPv6
PD server.
<Switch A> display dhcpv6 server
Interface DHCPv6 pool
Vlanif100 pool1
----End
Configuration File
#
sysname Switch A
#
ipv6
#
vlan batch 100
#
dhcp enable
#
dhcpv6 pool pool1
prefix-delegation 3000::/60 64
dns-server 4000::1
#
port default vlan
100
#
interface Vlanif100
ipv6 enable
dhcpv6 server pool1
#
return

4.5.3 Example for Configuring a DHCPv6 Relay to Assign IPv6

Addresses to the Clients in One Network Segment Connected to
the Relay
As shown in Figure 4-18, the DHCPv6 client address is 2000::/64 and the DHCPv6 server
address is 3000::3/64. The DHCPv6 client and server are on different links; therefore, a DHCPv6
relay agent is required to forward DHCPv6 packets.
The Switch needs to function as the DHCPv6 relay agent to forward DHCPv6 packets between
the DHCPv6 client and server. In addition, the Switch functions as the gateway device of the
network at 2000::/64. The M flag bit and O flag bit in RA messages allow hosts on the network
to obtain IPv6 addresses and other network configuration parameters through DHCPv6.
Figure 4-18 Networking diagram of configuring a DHCPv6 relay agent

DHCPv6 client DHCPv6 client
GE0/0/1 GE0/0/2
VLANIF10 Switch VLANIF20
2000::1/64 3000::1/64
DHCPv6 relay agent 3000::3/64

DHCPv6 server
DHCPv6 client DHCPv6 client
1. Enable IPv6 on interfaces so that devices can communicate using IPv6.
2. Enable the DHCPv6 relay function so that the DHCPv6 server and client on different links
can transmit packets.
Procedure
Step 1 Enable the DHCPv6 service
Step 2 Adding interfaces to VLANs
# Add GigabitEthernet0/0/1 to VLAN 10.



# Add GigabitEthernet0/0/2 to VLAN 20.

Step 3 Assign IPv6 addresses to VLANIF interfaces

# Enable the IPv6 packet forwarding function.
[HUAWEI] ipv6
# Assign an IPv6 address to VLANIF 10.

[HUAWEI-Vlanif10] ipv6 enable
[HUAWEI-Vlanif10] ipv6 address 2000::1 64
# Assign an IPv6 address to VLANIF 20.

[HUAWEI-Vlanif20] ipv6 address 3000::1 64
Step 4 Enable the DHCPv6 relay function

# Enable the DHCPv6 relay function on VLANIF 10 and specify the IPv6 address of the DHCPv6
server.
[HUAWEI-Vlanif10] dhcpv6 relay destination 3000::3
Step 5 Configure the Switch as the gateway

# Configure the Switch to send RA messages and configure M and O flag bits.
[HUAWEI-Vlanif10] undo ipv6 nd ra halt
[HUAWEI-Vlanif10] ipv6 nd autoconfig managed-address-flag
[HUAWEI-Vlanif10] ipv6 nd autoconfig other-flag

Run the display dhcpv6 relay command on the Switch, and you can view the DHCPv6 relay
configuration.
[HUAWEI] display dhcpv6 relay
Interface Mode Destination
------------------------------------------------------------------
Vlanif10 Relay 3000::3
------------------------------------------------------------------
Run the display dhcpv6 relay statistics command on the Switch, and you can view statistics
about DHCPv6 packets passing through the DHCPv6 relay agent.
[HUAWEI] display dhcpv6 relay statistics
MessageType Receive Send Error
Solicit 0 0 0
Advertise 0 0 0
Request 0 0 0
Confirm 0 0 0

Renew 0 0 0
Rebind 0 0 0
Reply 0 0 0
Release 0 0 0
Decline 0 0 0
Reconfigure 0 0 0
Information-request 0 0 0
Relay-forward 0 0 0
Relay-reply 0 0 0
UnknownType 0 0 0
----End
Configuration File
#
sysname HUAWEI
#
vlan batch 10 20
#
ipv6
#
dhcp enable
#
interface Vlanif10
ipv6 enable
undo ipv6 nd ra halt
ipv6 nd autoconfig managed-address-flag
ipv6 nd autoconfig other-flag
dhcpv6 relay destination 3000::3
#
interface Vlanif20
ipv6 enable
#
#
#
return
4.6 IP Performance Configuration

You can optimize IP performance by adjusting parameters on the network.
4.6.1 Example for Configuring ICMP Redirection Packets
In Figure 4-19, SwitchA, SwitchB, and SwitchC are connected to the Internet through GE
interfaces. When SwitchB detects that SwitchA uses a non-optimal route, it sends an ICMP
redirection packet to SwitchA, requesting SwitchA to change the route. To prevent SwitchB
from sending ICMP packets, the function of sending ICMP redirection packets is required to be

disabled. Ping SwitchB from SwitchA to check whether SwitchB is disabled from sending ICMP
redirection packets.
Figure 4-19 Network diagram for configuring ICMP redirection packets

SwitchA
GE0/0/1
VLANIF100
1.1.1.1/24
Internet
GE0/0/1 GE0/0/1
VLANIF100 VLANIF100
2.2.2.2/24 1.1.1.2/24
SwitchC SwitchB
Disable the function of sending ICMP redirection packets on VLANIF100 on SwithB. Ping
SwitchB from SwitchA. SwitchB does not send ICMP redirection packets.
Procedure
Step 1 Configure an IP address for the VLANIF interface.
[SwitchA] vlan 100
[SwitchA-Vlan100] quit
[SwitchB] vlan 100
[SwitchB-Vlan100] quit
[SwitchB-GigabitEthernet0/0/1] port hybrid tagged vlan 100

[SwitchC] vlan 100
[SwitchC-Vlan100] quit

Step 3 Disable the function of sending ICMP redirection packets on VLANIF100 on SwitchB.
[SwitchB-Vlanif100] undo icmp redirect send

# Enable ICMP packet debugging on SwitchB.
<SwitchB> debugging ip icmp
<SwitchA> terminal monitor
<SwitchA> terminal debugging
# Ping SwitchB from SwitchA. SwitchB does not send ICMP redirection packets.
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#

interface Vlanif100
ip address 1.1.1.1 255.255.255.0
#
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
#
return

#
sysname SwitchB
#
vlan batch 100
#
interface Vlanif100
ip address 1.1.1.2 255.255.255.0
undo icmp redirect send
#
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.1
#
return
l Configuration of SwitchC
#
sysname SwitchC
#
vlan batch 100
#
interface Vlanif100
ip address 2.2.2.2 255.255.255.0
#
#
return
4.6.2 Example for Configuring ICMP Host Unreachable Packets
In Figure 4-20, SwitchA, SwitchB, and SwitchC are connected to each other through GE
interfaces. To check the sending of ICMP host unreachable packets.

Figure 4-20 Network diagram for configuring ICMP host unreachable packets
GE0/0/2 GE0/0/2
VLANIF11 VLANIF11
2.2.2.2/24 2.2.2.1/24
SwitchB
SwitchC GE0/0/1
VLANIF10
1.1.1.2/24
GE0/0/1
VLANIF10
1.1.1.1/24
SwitchA
Disable the function of sending ICMP host unreachable packets on SwitchB. Ping 2.2.2.2 on
SwitchA. SwitchA can not receive ICMP host unreachable packets sent from SwitchB.
NOTE
By default, the function of sending ICMP host unreachable packets is enabled in both the system and the
interface view. If the configuration is not modified, you do not need to use a command to enable the function
of sending ICMP host unreachable packets.
Procedure
# Configure an IP address for VLANIF 10.
[SwitchA] vlan 10
# Configure static routes on SwitchA.

[SwitchA] ip route-static 2.2.2.0 24 1.1.1.2

# Configure an IP address for VLANIF 10 on SwitchB and disable the function of sending ICMP
host unreachable packets.

[SwitchB] undo icmp host-unreachable send

[SwitchB] vlan 10
[SwitchB] vlan 11
[SwitchB-Vlanif11] undo icmp host-unreachable send

# Configure an IP address for VLANIF 11 on SwitchC.
[SwitchC] vlan 11
# Configure static routes on SwitchC.

[SwitchC] ip route-static 1.1.1.0 24 2.2.2.1

# Enable ICMP packet debugging on SwitchA.
<SwitchA> debugging ip icmp
# Ping 2.2.2.2 on SwitchA.

0.00% packet loss
# Run the display icmp statistics, If you can view that the statistics of destination
unreachable is 0, it proved that SwitchB does not send the host unreachable packets, it means
that the configuration succeeds.
<SwitchA> display icmp statistics
Input: bad format 0 bad checksum 0
echo 0 destination unreachable 0

source quench 0 redirects 0

echo reply 0 parameter problem 0
timestamp 0 information request 0
mask requests 0 mask replies 0
time exceeded 0 other 0
Mping request 0 Mping reply 0
Output: echo 0 destination unreachable 0
source quench 0 redirects 0
echo reply 0 parameter problem 0
timestamp 0 information reply 0
mask requests 0 mask replies 0
time exceeded 0
Mping request 0 Mping reply 0
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif 10
ip address 1.1.1.1 255.255.255.0
#
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.2
#
return

#
sysname SwitchB
#
vlan batch 10 to 11
#
#
interface Vlanif 10
ip address 1.1.1.2 255.255.255.0
#
interface Vlanif 11
ip address 2.2.2.1 255.255.255.0
#
#
#
return
l Configuration of SwitchC
#
sysname SwitchC
#
vlan batch 11
#
interface Vlanif 11
ip address 2.2.2.2 255.255.255.0
#

#
ip route-static 1.1.1.0 24 2.2.2.1
#
return
4.6.3 Example for Optimizing System Performance by Discarding

Certain ICMP Packets
The switch in Figure 4-21 functions as the aggregation device. Enterprise users, individual users,
and DSLAMs are attached to the switch and the switch is connected to the Internet through a
BRAS. When a large amount of information is exchanged on the network or the network is
attacked, lots of ICMP packets are forwarded and the network performance is degraded. In this
case, some ICMP packets are required to be discarded to reduce the burden on the switch.
Figure 4-21 Networking diagram for configuring ICMP security function
Internet
BRAS
Swtich
DSLAM
User
network
Enterprise Individual
user user
Configure the function of discarding ICMP packets whose TTL value is 1, ICMP packets that
carry options, and ICMP destination unreachable packets to reduce the burden of the device in
processing a large number of ICMP packets.

Procedure
Step 1 Configure the device to discard certain ICMP packets.
# Configure the device to discard ICMP packets whose TTL value is 1.

[HUAWEI] icmp ttl-exceeded drop all
# Configure the device to discard ICMP packets that carry options.

[HUAWEI] icmp with-options drop all
# Configure the device to discard ICMP packets whose destination addresses are unreachable.
[HUAWEI] icmp unreachable drop
# Run the display this command in the system view to view the ICMP security configurations.
[HUAWEI] display this
#
icmp unreachable drop
icmp ttl-exceeded drop slot 0
icmp with-options drop slot 0
----End
Configuration Files
#
sysname HUAWEI
#
icmp unreachable drop
icmp ttl-exceeded drop slot 0
icmp with-options drop slot 0
#
return
4.7 DNS Configuration

This chapter describes the principles, basic functions and configuration procedures of DNS on
the switch, and provides configuration examples.
4.7.1 Example for Configuring the DNS Client
Compared with an IP address, the URL is easy to remember. Users want to access network
servers using domain names. It is required that the DNS server can resolve a domain name after
a user enters some fields of the domain name. For example, when a user attempts to access the
host huawei.com, the user only needs to enter huawei. It is required that the DNS server can
fast resolve common domain names.

Figure 4-22 Networking diagram for configuring the DNS client
Host B Host C
Loopback0 Loopback0
4.1.1.1/32 4.1.1.2/32
GE0/0/1 GE0/0/2
VLANIF 101 SwitchB SwitchC
VLANIF 101
1.1.1.2/16 3.1.1.1/16
GE0/0/1 GE0/0/1
DNS Client GE0/0/2 VLANIF 100
VLANIF 101 VLANIF 100 DNS Server
SwitchA 2.1.1.1/16 2.1.1.2/16
1.1.1.1/16 3.1.1.2/16
huawei.com
2.1.1.3/16
1. Configure static DNS entries on Switch A to access HostB and HostC.

2. Configure the dynamic DNS resolution on SwitchA to access the network server.
3. Configure the domain name suffix on SwitchA to support a domain name suffix list.
4. Configure OSPF on switches to ensure routes among all devices are reachable.
Procedure

[SwitchA] vlan 101
# Configure OSPF.
[SwitchA] ospf
# Configure static DNS entries.

[SwitchA] ip host hostB 4.1.1.1

[SwitchA] ip host hostC 4.1.1.2
# Enable DNS resolution.

[SwitchA] dns resolve
# Configure an IP address for the DNS server.

[SwitchA] dns server 3.1.1.2
# Set the domain name suffix to ".net".

[SwitchA] dns domain net
# Set the domain name suffix to ".com".

[SwitchA] dns domain com
[SwitchA] quit
NOTE
You need to configure OSPF on SwitchB and SwitchC to ensure reachable routes between them. For details
about OSPF configurations on SwitchB and SwitchC, see the configuration files.
# Run the ping hostB command on SwitchA. You can see that the ping operation succeeds and
the destination IP address is 4.1.1.1.
<SwitchA> ping hostB
PING hostB (4.1.1.1): 56 data bytes, press CTRL_C to break
--- hostB ping statistics ---

0.00% packet loss
# Run the ping huawei.com command on SwitchA. You can see that the ping operation succeeds
and the destination IP address is 2.1.1.3.
<SwitchA> ping huawei.com
PING huawei.com (2.1.1.3): 56 data bytes, press CTRL_C to break
--- huawei.com ping statistics ---

0.00% packet loss
# Run the ping huawei command on SwitchA. You can see that the ping operation succeeds,
the domain name changes to huawei.com, and the destination IP address is 2.1.1.3.
<SwitchA> ping huawei
PING huawei.com (2.1.1.3): 56 data bytes, press CTRL_C to break



0.00% packet loss
Run the display ip host command on SwitchA. You can view mappings between host names
and IP addresses in static DNS entries.
<SwitchA> display ip host
Host Age Flags Address
hostB 0 static 4.1.1.1
hostC 0 static 4.1.1.2
# Run the display dns dynamic-host command on SwitchA. You can view information about
dynamic DNS entries saved in the cache.
<SwitchA> display dns dynamic-host
No Domain-name IpAddress TTL Alias
1 huawei.com 2.1.1.3 114
----End
Configuration File
#
sysname SwitchA
#
vlan batch 101
#
ip host hostB 4.1.1.1
ip host hostC 4.1.1.2
#
dns resolve
dns server 3.1.1.2
dns domain net
dns domain com
#
interface Vlanif101
ip address 1.1.1.2 255.255.0.0
#
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
#
return

#
sysname SwitchB
#
vlan batch 100 101
#

interface LoopBack0
ip address 4.1.1.1 255.255.255.255
#
interface Vlanif101
ip address 1.1.1.1 255.255.0.0
#
interface Vlanif100
ip address 2.1.1.1 255.255.0.0
#
#
#
ospf 1
area 0.0.0.0
network 1.1.0.0 0.0.255.255
network 2.1.0.0 0.0.255.255
network 4.1.1.1 0.0.0.0
#
return
Configuration file of SwitchC

#
sysname SwitchC
#
vlan batch 100 101
#
interface LoopBack0
ip address 4.1.1.2 255.255.255.255
#
interface Vlanif101
ip address 3.1.1.1 255.255.0.0
#
interface Vlanif100
ip address 2.1.1.2 255.255.0.0
#
#
#
ospf 1
area 0.0.0.0
network 2.1.0.0 0.0.255.255
network 3.1.0.0 0.0.255.255
network 4.1.1.2 0.0.0.0
#
return
4.8 Basic IPv6 Configurations

The IPv6 protocol stack supports routing protocols and application protocols on an IPv6 network.
4.8.1 Example for Configuring IPv6 Addresses for Interfaces

As shown in Figure 4-23, GE0/0/1 of SwitchA connects to GE0/0/1 of SwitchB. The two
interfaces correspond to their VLANIF interfaces (VLANIF 100). You need to configure IPv6
global unicast addresses for the VLANIF interfaces and check the Layer 3 interconnection
between the interfaces.
IPv6 global unicast addresses for the VLANIF interfaces are 3001::1/64 and 3001::2/64.
Figure 4-23 Networking diagram for configuring IPv6 addresses for interfaces
SwitchA SwitchB
GE0/0/1 GE0/0/1
VLANIF100 VLANIF100
3001::1/64 3001::2/64
1. Enable the IPv6 forwarding function on SwitchA and SwitchB.
2. Configure IPv6 global unicast addresses for the interfaces.
Procedure
Step 1 Enable the IPv6 forwarding function on switches.
[SwitchA] ipv6
[SwitchB] ipv6
Step 2 Configure global unicast addresses for interfaces.

[SwitchA] vlan 100
[SwitchA-Vlanif100] ipv6 enable
[SwitchA-Vlanif100] ipv6 address 3001::1/64

[SwitchB] vlan 100

[SwitchB-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[SwitchB-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[SwitchB-Vlanif100] ipv6 enable
[SwitchB-Vlanif100] ipv6 address 3001::2/64
If the preceding configurations are successful, you can view the configured global unicast
addresses. The interface status and the IPv6 protocol are Up.
# Check interface information on SwitchA.

[SwitchA] display ipv6 interface vlanif 100
Vlanif100 current state : UP
IPv6 protocol current state : UP
IPv6 is enabled, link-local address is FE80::218:20FF:FE00:83
Global unicast address(es):
3001::1, subnet is 3001::/64
Joined group address(es):
FF02::1:FF00:1
FF02::1:FF00:83
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND retransmit interval is 1000 milliseconds
Hosts use stateless autoconfig for addresses
# Check interface information on SwitchB.

[SwitchB] display ipv6 interface vlanif 100
Vlanif100 current state : UP
IPv6 is enabled, link-local address is FE80::2E0:FCFF:FE33:11
3001::2, subnet is 3001::/64
FF02::1:FF00:2
FF02::1:FF33:11
FF02::2
FF02::1
MTU is 1500 bytes
ND DAD is enabled, number of DAD attempts: 1
# Ping the link-local address of SwitchB from SwitchA. You need to use the parameter -i to
specify the interface of the link-local address.
[SwitchA] ping ipv6 FE80::2E0:FCFF:FE33:11 -i vlanif 100
PING FE80::2E0:FCFF:FE33:11 : 56 data bytes, press CTRL_C to break
Reply from FE80::2E0:FCFF:FE33:11
bytes=56 Sequence=1 hop limit=64 time = 7 ms


--- FE80::2E0:FCFF:FE33:11 ping statistics ---

0.00% packet loss
# Ping the IPv6 global unicast address of SwitchB from SwitchA.

[SwitchA] ping ipv6 3001::2
PING 3001::2 : 56 data bytes, press CTRL_C to break
Reply from 3001::2
Reply from 3001::2
Reply from 3001::2
Reply from 3001::2
Reply from 3001::2
--- 3001::2 ping statistics ---

0.00% packet loss
----End
Configuration File
#
sysname SwitchA
#
ipv6
#
vlan batch 100
#
interface Vlanif100
ipv6 enable
#
#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 100
#
interface Vlanif100
ipv6 enable
#


#
return
4.9 IPv6 DNS configuration

This section describes how to configure IPv6 DNS so that devices can use domain names to
communicate.
4.9.1 Example for Configuring IPv6 DNS Client
As shown in Figure 4-24, SwitchA, functioning as the IPv6 DNS client and working jointly
with IPv6 DNS server, can access the host with the IPv6 address as 2002::1/64 based on the
domain name huawei.com.
On SwitchA, the static IPv6 DNS entries of SwitchB and SwitchC are configured. This ensures
that SwitchA can manage both the devices based on the domain names SwitchB and SwitchC.
Figure 4-24 Networking diagram of IPv6 DNS configurations

Loopback0 Loopback0
4.1.1.1/32 4.1.1.2/32
GE0/0/1
GE0/0/1
VLANIF101 SwitchB SwitchC
VLANIF101
2001::1/64 2003::1/64
GE0/0/2 GE0/0/2
GE0/0/1 VLANIF100
DNS client VLANIF101 VLANIF100 DNS server
2002::2/64 2002::3/64
SwitchA 2001::2/64 2003::2/64
huawei.com
2002::1/64
1. Configure static DNS entries on SwitchA to access SwitchB and SwitchC using the domain
name.
2. Configure dynamic DNS resolution on SwithcA to enable SwitchA to access the web server
by querying dynamic DNS entries.
3. Configure domain name suffixes on SwitchA so that SwitchA can filter domain names
using the domain name suffix list.
4. Configure OSPF on the switches to ensure reachable routes between them.

Procedure
# Configure IPv6 function.

[SwitchA] ipv6
[SwitchA] vlan 101
# Configure static IPv6 DNS entries.

[SwitchA] ipv6 host SwitchB 2001::2
[SwitchA] ipv6 host SwitchC 2002::3
# Enable the DNS resolution function.

# Configure the IPv6 address of the IPv6 DNS server.

[SwitchA] dns server ipv6 2003::2
# Set the domain name suffix to ".net".

[SwitchA] dns domain net
# Set the domain name suffix to ".com".

[SwitchA] dns domain com
[SwitchA] quit
NOTE
To resolve the domain name, you also need to configure the route from Switch A to the IPv6 DNS server.
For details of how to configure the route, see Configuration example of IP static route in the
S2350&S5300&S6300 Series Ethernet Switches Configuration Guide: IP Routing.
# Run the ping ipv6 huawei.com command on Switch A. You can find that the Ping operation
succeeds, and the destination IPv6 address is 2002::1.
<SwitchA> ping ipv6 huawei.com
Resolved Host ( huawei.com -> 2002::1)
PING huawei.com : 56 data bytes, press CTRL_C to break
Reply from 2002::1: bytes=56 Sequence=1 ttl=126 time=6 ms

0.00% packet loss

# Run the display ipv6 host command on SwitchA. You can view the mapping relationships
between the host names and the IPv6 addresses in IPv6 static DNS entries.
<SwitchA> display ipv6 host
Host Age Flags IPv6Address (es)
SwitchB 0 static 2001::2
SwitchC 0 static 2002::3
Run the display dns ipv6 dynamic-host command on SwitchA. You can view information about
IPv6 dynamic DNS entries in the dynamic cache.
<SwitchA> display dns ipv6 dynamic-host
No Domain-name Ipv6address TTL
1 huawei.com 2002::1 3579
NOTE
TTL in the command output indicates the life time of the entry, in seconds.
----End
Configuration Files
l #
sysname SwitchA
#
vlan batch 101
#
ipv6
#
ipv6 host SwitchB 2001::2
ipv6 host SwitchC 2002::3
#
dns resolve
dns server ipv6 2003::2
dns domain net
dns domain com
#
#
interface Vlanif101
ipv6 enable
#
return

#
sysname SwitchB
#
#
ipv6
#
#
#
interface Vlanif100

ipv6 enable
#
interface Vlanif101
ipv6 enable
#
return

#
sysname SwitchC
#
#
ipv6
#
#
#
interface Vlanif100
ipv6 enable
#
interface Vlanif101
ipv6 enable
#
return
4.10 IPv6 over IPv4 Tunnel Configuration

IPv6 over IPv4 tunnel technology enables transition from the IPv4 network to the IPv6 network.
NOTE
S2350, S5306 and S5300LI do not support IPv6 over IPv4 tunnel functions.
4.10.1 Example for Configuring a Manual IPv6 over IPv4 Tunnel
As shown in Figure 4-25, two IPv6 networks connect to SwitchB on an IPv4 backbone network
respectively through SwitchA and SwitchC. A manual IPv6 over IPv4 tunnel needs to be set up
between SwitchA and SwitchC so that hosts on the two IPv6 networks can communicate.

Figure 4-25 Networking diagram for configuring a manual IPv6 over IPv4 tunnel
IPv4
network
GE0/0/1 GE0/0/2
VLANIF100 VLANIF200
192.168.50.1/24 192.168.51.1/24
GE0/0/1 GE0/0/1
VLANIF100 VLANIF200
192.168.50.2/24 SwitchB 192.168.51.2/24
Dual Dual
IPv6 IPv6
stack stack
SwitchA SwitchC
1. Configure IP addresses for interfaces so that devices can communicate on the IPv4
backbone network.
2. Configure IPv6 addresses, source interfaces, and destination addresses for tunnel interfaces
so that devices can communicate with hosts on the two IPv6 networks.
3. Set the tunnel protocol to IPv6-IPv4 so that hosts on the two IPv6 networks can
communicate through the IPv4 backbone network.
Procedure
# Enable the service loopback function on an Eth-Trunk.
NOTICE
The interface must be idle. That is, the interface does not transmit services.
[SwitchA-Eth-Trunk1] service type tunnel
# Configure an IP address for an interface.

[SwitchA] ipv6
[SwitchA] vlan 100

# Set the tunnel protocol to IPv6-IPv4.

[SwitchA-Tunnel1] tunnel-protocol ipv6-ipv4
[SwitchA-Tunnel1] eth-trunk 1
# Configure an IPv6 address and a destination address for the tunnel interface.
[SwitchA-Tunnel1] ipv6 enable
[SwitchA-Tunnel1] ipv6 address 3001::1 64
[SwitchA-Tunnel1] source vlanif 100
[SwitchA-Tunnel1] destination 192.168.51.2
# Configure a static route.

# Configure IP addresses for interfaces.

[SwitchB] ipv6
[SwitchB] vlan 100
[SwitchB] vlan 200
[SwitchB-Vlanif100] ip address 192.168.50.1 255.255.255.0
[SwitchB-Vlanif200] ip address 192.168.51.1 255.255.255.0
NOTICE

[SwitchC] interface eth-trunk 1

[SwitchC-Eth-Trunk1] service type tunnel
[SwitchC-Eth-Trunk1] quit
[SwitchC-GigabitEthernet0/0/3] eth-trunk 1
# Configure an IP address for an interface.

[SwitchC] ipv6
[SwitchC] vlan 200
[SwitchC] interface gigabitethernet0/0/1
[SwitchC-GigabitEthernet0/0/1] port hybrid pvid vlan 200
[SwitchC-GigabitEthernet0/0/1] port hybrid untagged vlan 200
[SwitchC-Vlanif200] ip address 192.168.51.2 255.255.255.0
# Set the tunnel protocol to IPv6-IPv4.

[SwitchC] interface tunnel 1
[SwitchC-Tunnel1] tunnel-protocol ipv6-ipv4
[SwitchC-Tunnel1] eth-trunk 1
# Configure an IPv6 address and a destination address for the tunnel interface.
[SwitchC-Tunnel1] ipv6 enable
[SwitchC-Tunnel1] ipv6 address 3001::2 64
[SwitchC-Tunnel1] source vlanif 200
[SwitchC-Tunnel1] destination 192.168.50.2
[SwitchC-Tunnel1] quit
# Configure a static route.

[SwitchC] ip route-static 192.168.50.2 255.255.255.0 192.168.51.1
# Ping the IPv4 address of VLANIF 100 on SwitchA from SwitchC. SwitchC can receive a
Reply packet from SwitchA.
[SwitchC] ping 192.168.50.2
--- 192.168.50.2 ping statistics ---

0.00% packet loss
# Ping the IPv6 address of Tunnel0/0/1 on SwitchA from SwitchC. SwitchC can receive a Reply
packet from SwitchA.
[SwitchC] ping ipv6 3001::1
Reply from 3001::1
Reply from 3001::1
Reply from 3001::1


Reply from 3001::1
Reply from 3001::1
0.00% packet loss
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 100
#
interface Vlanif100
ip address 192.168.50.2 255.255.255.0
#
service type tunnel
#
#
eth-trunk 1
#
interface Tunnel1
ipv6 enable
tunnel-protocol ipv6-ipv4
source Vlanif100
eth-trunk 1
#
ip route-static 192.168.51.0 255.255.255.0 192.168.50.1
#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 100 200
#
interface Vlanif100
ip address 192.168.50.1 255.255.255.0
#
interface Vlanif200
ip address 192.168.51.1 255.255.255.0
#
#

#
return

#
sysname SwitchC
#
ipv6
#
vlan batch 200
#
interface Vlanif200
ip address 192.168.51.2 255.255.255.0
#
service type tunnel
#
#
eth-trunk 1
#
interface Tunnel1
ipv6 enable
tunnel-protocol ipv6-ipv4
source Vlanif200
eth-trunk 1
#
ip route-static 192.168.50.0 255.255.255.0 192.168.51.1
#
return
4.10.2 Example for Configuring a 6to4 Tunnel
As shown in Figure 4-26, the IPv6 network-side interface of 6to4 SwitchA connects to a 6to4
network. SwitchB is a 6to4 relay agent and connects to the IPv6 Internet (2002::/64). SwitchA
and SwitchB are connected through an IPv4 backbone network. A 6to4 tunnel needs to be set
up between SwitchA and SwitchB so that hosts on the 6to4 network and the IPv6 network can
communicate.

Figure 4-26 Networking diagram for configuring a 6to4 tunnel
IPv4
GE0/0/1 GE0/0/1
VLANIF100 VLANIF100
2.1.1.1 2.1.1.2
SwitchA SwitchB
GE0/0/2 GE0/0/2
VLANIF200 VLANIF200
2002:201:101:1::1/64 2002:201:102:1::1/64
Tunnel1 Tunnel1
2002:201:101::1/64 2002:201:102::1/64
PC1 2002:201:101:1::2 2002:201:102:1::2 PC2

IPv6 IPv6
1. Configure an IPv4/IPv6 dual stack on SwitchA and SwitchB so that they can access the
IPv4 network and the IPv6 network.
2. Configure a 6to4 tunnel on SwitchA and SwitchB to connect IPv6 networks through the
IPv4 backbone network.
3. Configure a static route between SwitchA and SwitchB so that they can be connected
through the IPv4 backbone network.
Procedure
NOTICE
[SwitchA-Eth-Trunk1] service type tunnel
# Configure an IPv4/IPv6 dual stack.

[SwitchA] ipv6
[SwitchA-Vlanif200] ipv6 address 2002:0201:0101:1::1/64
# Configure a 6to4 tunnel.

[SwitchA-Tunnel1] tunnel-protocol ipv6-ipv4 6to4
[SwitchA-Tunnel1] eth-trunk 1
[SwitchA-Tunnel1] ipv6 enable
[SwitchA-Tunnel1] ipv6 address 2002:0201:0101::1/64
[SwitchA-Tunnel1] source vlanif 100
# Configure a route to the other 6to4 network.

[SwitchA] ipv6 route-static 2002:: 16 tunnel 1
NOTICE
[SwitchB] interface eth-trunk 1
[SwitchB-Eth-Trunk1] service type tunnel
[SwitchB-Eth-Trunk1] quit
[SwitchB-GigabitEthernet0/0/3] eth-trunk 1
# Configure an IPv4/IPv6 dual stack.

[SwitchB] ipv6
[SwitchB] interface gigabitethernet0/0/1

[SwitchB-Vlanif200] ipv6 address 2002:0201:0102:1::1/64
# Configure a 6to4 tunnel.

[SwitchB] interface tunnel 1
[SwitchB-Tunnel1] eth-trunk 1
[SwitchB-Tunnel1] tunnel-protocol ipv6-ipv4 6to4
[SwitchB-Tunnel1] ipv6 enable
[SwitchB-Tunnel1] ipv6 address 2002:0201:0102::1/64
[SwitchB-Tunnel1] source vlanif 100
[SwitchB-Tunnel1] quit
# Configure a route to the other 6to4 network.

[SwitchB] ipv6 route-static 2002:: 16 tunnel 1
NOTE
There must be a reachable route between SwitchA and SwitchB. In this example, a routing protocol needs
to be configured on VLANIF 100 of SwitchA and SwitchB. For details, see the S2350&S5300&S6300
Series Ethernet Switches Configuration Guide - IP Routing
# Check the IPv6 status of Tunnel1 on SwitchA. You can see that the tunnel status is Up.
[SwitchA] display ipv6 interface tunnel 1
Tunnel1 current state : UP
IPv6 is enabled, link-local address is FE80::201:101
2002:201:101::1, subnet is 2002:201:101::/64
FF02::1:FF01:101
FF02::1:FF00:1
FF02::2
FF02::1
MTU is 1500 bytes
# Ping the 6to4 address of VLANIF200 on SwitchB from SwitchA. The 6to4 address can be
pinged successfully.
[SwitchA] ping ipv6 2002:0201:0102:1::1
PING 2002:0201:0102:1::1 : 56 data bytes, press CTRL_C to break
Reply from 2002:201:102:1::1
Reply from 2002:201:102:1::1
Reply from 2002:201:102:1::1
Reply from 2002:201:102:1::1
Reply from 2002:201:102:1::1
--- 2002:0201:0102:1::1 ping statistics ---


0.00% packet loss

----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 100 200
#
interface Vlanif100
ip address 2.1.1.1 255.0.0.0
#
interface Vlanif200
ipv6 enable
ipv6 address 2002:201:101:1::1/64
#
service type tunnel
#
#
#
eth-trunk 1
#
interface Tunnel1
ipv6 enable
ipv6 address 2002:201:101::1/64
tunnel-protocol ipv6-ipv4 6to4
source vlanif100
eth-trunk 1
#
ipv6 route-static 2002:: 16 Tunnel1
#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 100 200
#
interface Vlanif100
ip address 2.1.1.2 255.0.0.0
#
interface Vlanif200
ipv6 enable
ipv6 address 2002:201:102:1::1/64
#
service type tunnel
#


#
#
eth-trunk 1
#
interface Tunnel1
ipv6 enable
ipv6 address 2002:201:102::1/64
tunnel-protocol ipv6-ipv4 6to4
source vlanif100
eth-trunk 1
#
ipv6 route-static 2002:: 16 Tunnel1
#
return
4.10.3 Example for Configuring an ISATAP Tunnel
As shown in Figure 4-27, an IPv6 host on the IPv4 network runs Windows XP. The IPv6 host
needs to be connected to the IPv6 network through a border device. The IPv6 host and border
device support ISATAP. An ISATAP tunnel needs to be set up between the IPv6 host and the
border device.
Figure 4-27 Networking diagram for configuring an ISATAP tunnel
ISATAP
IPv6 IPv4
network network
IPv6 host Switch

ISATAP host
3001::2 GE0/0/1 GE0/0/2
FE80::5EFE:0201:0102
VLANIF100 VLANIF200 2.1.1.2
3001::1/64 2.1.1.1/8 2001::5EFE:0201:0102
1. Configure an IPv4/IPv6 dual stack on the switch so that the switch can access the IPv4
network and IPv6 network.
2. Configure an ISATAP tunnel on the switch so that IPv6 hosts on the IPv4 network can
communicate with IPv6 hosts on the IPv6 network.
3. Configure a static route from the IPv6 host to the ISATAP host so that the IPv6 host can
forward packets directly over the tunnel.

Procedure
Step 1 Configure the ISATAP border device.
NOTICE
[HUAWEI] interface eth-trunk 1
[HUAWEI-Eth-Trunk1] service type tunnel
[HUAWEI-Eth-Trunk1] quit
[HUAWEI-GigabitEthernet0/0/3] eth-trunk 1
# Enable the IPv4/IPv6 dual stack and configure an IP address for each interface.
[HUAWEI] ipv6
[HUAWEI-Vlanif100] ipv6 address 3001::1/64
# Configure an ISATAP tunnel.

[HUAWEI] interface tunnel 1
[HUAWEI-Tunnel1] tunnel-protocol ipv6-ipv4 isatap
[HUAWEI-Tunnel1] eth-trunk 1
[HUAWEI-Tunnel1] ipv6 enable
[HUAWEI-Tunnel1] ipv6 address 2001::/64 eui-64
[HUAWEI-Tunnel1] source vlanif 200
[HUAWEI-Tunnel1] undo ipv6 nd ra halt
[HUAWEI-Tunnel1] quit
Step 2 Configure the ISATAP host.

NOTE
The ISATAP host needs to run IPv6 and be enabled with the IPv6 function.
# Run the following command to add a static route to the border device. The number of the
pseudo interface on the host is 2. You can run the ipv6 if command to check the interface
corresponding to Automatic Tunneling Pseudo-Interface.
C:\> netsh interface ipv6 isatap set router 2.1.1.1
Step 3 Configure the IPv6 host.

# Configure a static route to the border device on the IPv6 host so that PCs on two different
networks can communicate through the ISATAP tunnel.
C:\> netsh interface ipv6 set route 2001::/64 3001::1
# Check the IPv6 status of Tunnel1 on the ISATAP device. You can see that the tunnel status is
Up.
[HUAWEI] display ipv6 interface tunnel 1
IPv6 is enabled, link-local address is FE80::5EFE:201:101
2001::5EFE:201:101, subnet is 2001::/64
FF02::1:FF01:101
FF02::2
FF02::1
MTU is 1500 bytes
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisement max interval 600 seconds, min interval 200 seconds
ND router advertisements live for 1800 seconds
# Ping the global unicast address of the tunnel interface on the ISATAP host from the ISATAP
device.
[HUAWEI] ping ipv6 2001::5efe:2.1.1.2
PING 2001::5efe:2.1.1.2 : 56 data bytes, press CTRL_C to break
Reply from 2001::5EFE:201:102
--- 2001::5efe:2.1.1.2 ping statistics ---

0.00% packet loss
# Ping the global unicast address of the ISATAP device from the ISATAP host.
C:\> ping6 2001::5efe:2.1.1.1
Pinging 2001::5efe:2.1.1.1
from 2001::5efe:2.1.1.2 with 32 bytes of data:
Reply from 2001::5efe:2.1.1.1: bytes=32 time=1ms

Ping statistics for 2001::5efe:2.1.1.1:

# Ping the IPv6 host from the ISATAP host. They can ping each other.
C:\> ping6 3001::2
Pinging 3001::2 with 32 bytes of data:
Reply from 3001::2: time<1ms

Ping statistics for 3001::2:

----End
Configuration Files
#
sysname HUAWEI
#
vlan batch 100 200
#
ipv6
#
interface Vlanif100
ipv6 enable
#
interface Vlanif200
ip address 2.1.1.1 255.0.0.0
#
service type tunnel
#
interface Tunnel1
ipv6 enable
ipv6 address 2001::/64 eui-64
undo ipv6 nd ra halt
tunnel-protocol ipv6-ipv4 isatap
source Vlanif200
eth-trunk 1
#
#
#
eth-trunk 1
#
return

Typical Configuration Examples 5 IP Routing
5 IP Routing
About This Chapter
This document describes the IP routing features of the device and provides the configuration
examples of these features.
5.1 IP Routing Basic Configuration

You can configure IP routing to learn about basic parameters for IP routing.
5.2 Static Route Configuration
Static routes apply to simple networks. Proper static routes can improve network performance
and ensure bandwidth for important applications.
5.3 RIP Configuration
Routing Information Protocol(RIP) is widely used on small-sized networks to discover routes
and generate routing information.
5.4 RIPng Configuration
RIPng is widely used on small-sized networks to discover routes and generate routing
information.
5.5 OSPF Configuration
By building OSPF networks, you can enable OSPF to discover and calculate routes in ASs.
OSPF is applicable to a large-scale network that consists of hundreds of devices.
5.6 OSPFv3 Configuration
By building Open Shortest Path First Version 3 (OSPFv3) networks, you can enable OSPFv3
to discover and calculate routes in ASs. OSPFv3 is applicable to a large-scale network that
consists of hundreds of switches.
5.7 IPv4 IS-IS Configuration
You can build an IPv4 IS-IS network to allow IS-IS to discover and calculate routes in an
autonomous system (AS).
autonomous system (AS). IS-IS applies to large and medium networks.
5.9 BGP Configuration

The Border Gateway Protocol (BGP) is used between Autonomous Systems (ASs) to transmit
routing information. BGP applies to large and complex networks.
5.10 Routing Policy Configuration

Routing policies are applied to routing information to change the path through which network
traffic passes.

5.1 IP Routing Basic Configuration

You can configure IP routing to learn about basic parameters for IP routing.
5.1.1 Example for Configuring IP FRR on the Public Network

As shown in Figure 5-1, RouterB and RouterC are egress routers on the Internet. SwitchA is
connected to two core switches SwitchB and SwitchC through two GE interfaces. Each of
SwitchB and SwitchC is connected to the two egress routers through two GE interfaces. When
a fault occurs on the link between SwitchB and RouterB, SwitchB must rapidly respond to the
link fault and use a backup route for data forwarding to ensure that services are forwarded
correctly.
Figure 5-1 Networking diagram of configuring IP FRR on the public network
Internet
192.168.1.1/24 100.55.1.1/24
RouterC RouterB
GE0/0/2 GE0/0/2
GE0/0/1 VLANIF20 GE0/0/1
VLANIF40
VLANIF30 20.1.1.2/24 VLANIF10
40.1.1.1/24
30.1.1.1/24 10.1.1.2/24
SwitchC SwitchB
GE0/0/3 GE0/0/3
GE0/0/4 VLANIF70 VLANIF70 GE0/0/4
VLANIF50 70.1.1.1/24 70.1.1.2/24 VLANIF60
50.1.1.1/24 60.1.1.1/24
GE0/0/1 GE0/0/2
VLANIF50 VLANIF60
50.1.1.2/24 60.1.1.2/24
SwitchA

1. Configure static routes on SwitchA to ensure that packets destined for 192.168.1.1/24 are
forwarded by SwitchC and packets destined for 100.55.1.1/24 are forwarded by SwitchB.
2. Configure a route-policy on SwitchB and apply this route-policy for IP FRR on the public
network so that services can be rapidly switched to the backup link SwitchB→SwitchC→
RouterB when the primary link SwitchB→RouterB fails.
Procedure
The configurations of SwitchB and SwitchC are similar to the configuration of SwitchA, and
Step 2 Assign IPv4 addresses to VLANIF interfaces.

Step 3 Configure basic OSPF functions on SwitchB and SwitchC.
[SwitchB] ospf
[SwitchC] ospf
Step 4 Configure IPv4 addresses and basic OSPF functions on RouterB and RouterC to ensure that
there are reachable routes between RouterB, RouterC, SwitchB, and SwitchC.

Step 5 Configure static routes on SwitchA to ensure that packets destined for 192.168.1.1/24 are
forwarded by SwitchC and packets destined for 100.55.1.1/24 are forwarded by SwitchB.
<SwitchA> system-view
[SwitchA] ip route-static 100.55.1.1 24 vlanif 60 60.1.1.1
[SwitchA] ip route-static 192.168.1.1 24 vlanif 50 50.1.1.1
Step 6 Configure a route-policy and enable IP FRR on the public network.

# Configure an IP prefix list on SwitchB.
<SwitchB> system-view
[SwitchB] ip ip-prefix ip_frr_pre index 10 permit 100.55.1.0 24
# On SwitchB, configure a route-policy, backup next hop, and backup outbound interface.
[SwitchB] route-policy ip_frr_rp permit node 10
[SwitchB-route-policy] if-match ip-prefix ip_frr_pre
[SwitchB-route-policy] apply backup-nexthop 70.1.1.1
[SwitchB-route-policy] apply backup-interface vlanif 70
[SwitchB-route-policy] quit
# On SwitchB, enable IP FRR on the public network.

[SwitchB] ip frr route-policy ip_frr_rp
Step 7 Check information about the backup outbound interface and backup next hop.
# Check information about the backup outbound interface and backup next hop on SwitchB.
[SwitchB] display ip routing-table verbose
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 1 Routes : 1
Destination: 100.55.1.1/32
Protocol: OSPF Process ID: 1
Preference: 10 Cost: 2
NextHop: 10.1.1.1 Neighbour: 0.0.0.0
State: Active Adv Relied Age:
1d17h58m22s
Tag: 0 Priority:
medium
Label: NULL QoSInfo:
0x0
IndirectID: 0x80000001
RelayNextHop: 0.0.0.0 Interface: Vlanif10
TunnelID: 0x0 Flags: RD
BkNextHop: 70.1.1.1 BkInterface: Vlanif70
BkLabel: NULL SecTunnelID: 0x0
BkPETunnelID: 0x0 BkPESecTunnelID: 0x0
BkIndirectID: 0x0
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 50 60
#

interface Vlanif50
ip address 50.1.1.2 255.255.255.0
#
interface Vlanif60
ip address 60.1.1.2 255.255.255.0
#
#
#
ip route-static 100.55.1.0 255.255.255.0 vlanif 60
60.1.1.1
ip route-static 192.168.1.0 255.255.255.0 vlanif 50 50.1.1.1
#
return

#
sysname SwitchB
#
vlan batch 10 20 60 70
#
ip frr route-policy ip_frr_rp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 20.1.1.2 255.255.255.0
#
interface Vlanif60
ip address 60.1.1.1 255.255.255.0
#
interface Vlanif70
ip address 70.1.1.2 255.255.255.0
#
#
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255
network 60.1.1.0 0.0.0.255
network 70.1.1.0 0.0.0.255
#
ip ip-prefix ip_frr_pre index 10 permit 100.55.1.0 24
#
route-policy ip_frr_rp permit node 10
if-match ip-prefix ip_frr_pre

apply backup-nexthop 70.1.1.1

apply backup-interface Vlanif70
#
return

#
sysname SwitchC
#
#
interface Vlanif30
ip address 30.1.1.1 255.255.255.0
#
interface Vlanif40
ip address 40.1.1.1 255.255.255.0
#
interface Vlanif50
ip address 50.1.1.1 255.255.255.0
#
interface Vlanif70
ip address 70.1.1.1 255.255.255.0
#
#
#
#
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
network 50.1.1.0 0.0.0.255
network 70.1.1.0 0.0.0.255
#
return
5.2 Static Route Configuration

Static routes apply to simple networks. Proper static routes can improve network performance
and ensure bandwidth for important applications.
5.2.1 Example for Configuring IPv4 Static Routes
As shown in Figure 5-2, hosts on different network segments are connected using several
Switchs. Each two hosts on different network segments can communicate with each other
without using dynamic routing protocols.

Figure 5-2 Networking diagram of configuring IPv4 static routes
PC2
1.1.2.2/24
GE0/0/3
VLANIF40
1.1.2.1/24
GE0/0/1 GE0/0/2
VLANIF10 VLANIF20
1.1.4.2/30 1.1.4.5/30
SwitchB
SwitchA SwitchC
GE0/0/1 GE0/0/1
VLANIF10 VLANIF20
1.1.4.1/30 1.1.4.6/30
GE0/0/2 GE0/0/2
VLANIF30 VLANIF50
1.1.1.1/24 1.1.3.1/24
PC1 PC3
1.1.1.2/24 1.1.3.2/24
1. Create VLANs, add interfaces to the VLANs, and assign IPv4 addresses to VLANIF
interfaces so that neighboring devices can communicate with each other.
2. Configure the IPv4 default gateway on each host, and configure IPv4 static routes or default
static routes on each Switch so that hosts on different network segments can communicate
with each other.
Procedure
Step 2 Assign IPv4 addresses to the VLANIF interfaces.


Step 3 Configure hosts.
Set the default gateway addresses of PC1, PC2, and PC3 to 1.1.1.1, 1.1.2.1, and 1.1.3.1
respectively.
# Configure a default IPv4 route on SwitchA.

# Configure two IPv4 static routes on SwitchB.

# Configure a default IPv4 route on SwitchC.

[SwitchC] ip route-static 0.0.0.0 0.0.0.0 1.1.4.5
# Check the routing table on SwitchA.

[SwitchA] display ip routing-table
------------------------------------------------------------------------------
Destination/Mask Proto Pre Cost Flags NextHop Interface
0.0.0.0/0 Static 60 0 RD 1.1.4.2 Vlanif10

1.1.1.0/24 Direct 0 0 D 1.1.1.1 Vlanif30
1.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
1.1.4.0/30 Direct 0 0 D 1.1.4.1 Vlanif10
1.1.4.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
# Run the ping command to verify the connectivity.


0.00% packet loss
# Run the tracert command to verify the connectivity.

[SwitchA] tracert 1.1.3.1
traceroute to 1.1.3.1(1.1.3.1), max hops: 30 ,packet length: 40,press CTRL_C to
break

1 1.1.4.2 31 ms 32 ms 31 ms
2 1.1.4.6 62 ms 63 ms 62 ms
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 30
#
interface Vlanif10
ip address 1.1.4.1 255.255.255.252
#
interface Vlanif30
ip address 1.1.1.1 255.255.255.0
#
#
#
ip route-static 0.0.0.0 0.0.0.0 1.1.4.2
#
return

#
sysname SwitchB
#
vlan batch 10 20 40
#
interface Vlanif10
ip address 1.1.4.2 255.255.255.252
#
interface Vlanif20
ip address 1.1.4.5 255.255.255.252
#
interface Vlanif40
ip address 1.1.2.1 255.255.255.0
#
#
#
#
ip route-static 1.1.1.0 255.255.255.0 1.1.4.1
ip route-static 1.1.3.0 255.255.255.0 1.1.4.6
#
return

#
sysname SwitchC

#
vlan batch 20 50
#
interface Vlanif20
ip address 1.1.4.6 255.255.255.252
#
interface Vlanif50
ip address 1.1.3.1 255.255.255.0
#
#
#
ip route-static 0.0.0.0 0.0.0.0 1.1.4.5
#
return
5.2.2 Example for Configuring IPv6 Static Routes
Networking requirements
As shown in Figure 5-3, on an IPv6 network, hosts on different network segments are connected
using several Switchs. Each two hosts on different network segments can communicate with
each other without using dynamic routing protocols.
Figure 5-3 Networking diagram of configuring IPv6 static routes

PC2
2::2/64
GE0/0/3
VLANIF30
GE0/0/1 2::1/64
GE0/0/2
VLANIF20
VLANIF40
10::2/64
20::1/64
SwitchA SwitchB
SwitchC
GE0/0/1 GE0/0/1
VLANIF20 VLANIF40
10::1/64 20::2/64
GE0/0/2 GE0/0/2
VLANIF10 VLANIF50
1::1/64 3::1/64
PC1 PC3
1::2/64 3::2/64
1. Create VLANs, add interfaces to the VLANs, and assign IPv6 addresses to VLANIF
interfaces so that neighboring devices can communicate with each other.

2. Configure the IPv6 default gateway on each host, and configure IPv6 static routes or default
static routes on each Switch so that hosts on different network segments can communicate
with each other.
Procedure
Step 1 Add interfaces to VLANs.
[SwitchA] interface gigabitethernet0/0/1

[SwitchA] ipv6
Step 3 Configure host addresses and default gateway addresses.
Assign IPv6 addresses to the hosts, and set the default gateway address of PC1, PC2, and PC3
to 1::1, 2::1, and 3::1 respectively.
Step 4 Configure static IPv6 routes.
# Configure a default IPv6 route on SwitchA.

[SwitchA] ipv6 route-static :: 0 vlanif20 10::2
# Configure two IPv6 static routes on SwitchB.

[SwitchB] ipv6 route-static 1:: 64 vlanif20 10::1
[SwitchB] ipv6 route-static 3:: 64 vlanif40 20::2
# Configure an IPv6 default route on SwitchC.

[SwitchC] ipv6 route-static :: 0 vlanif40 20::1
# Check the IPv6 routing table on SwitchA.

[SwitchA] display ipv6 routing-table
Routing Table : Public

Destination : :: PrefixLength : 0
NextHop : 10::2 Preference : 60
Cost : 0 Protocol : Static
RelayNextHop : :: TunnelID : 0x0
Interface : Vlanif20 Flags : D
Destination : ::1 PrefixLength : 128

NextHop : ::1 Preference : 0
Cost : 0 Protocol : Direct
Interface : InLoopBack0 Flags : D
Destination : 1:: PrefixLength : 64

NextHop : 1::1 Preference : 0
Destination : 1::1 PrefixLength : 128

NextHop : ::1 Preference : 0
Destination : FE80:: PrefixLength : 10

NextHop : :: Preference : 0
Interface : NULL0 Flags : D
# Run the ping command to verify the connectivity.

[SwitchA] ping ipv6 3::1
Reply from 3::1
Reply from 3::1
Reply from 3::1
Reply from 3::1
Reply from 3::1

0.00% packet loss
# Run the tracert command to verify the connectivity.

[SwitchA] tracert ipv6 3::1
traceroute to 3::1 30 hops max,60 bytes packet
1 2::1 31 ms 32 ms 31 ms
2 3::1 62 ms 63 ms 62 ms
----End
Configuration Files
#
sysname SwitchA

#
ipv6
#
vlan batch 10 20
#
interface Vlanif10
ipv6 enable
#
interface Vlanif20
ipv6 enable
#
#
#
ipv6 route-static :: 0 vlanif20 10::2
#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 20 30 40
#
interface Vlanif20
ipv6 enable
#
interface Vlanif30
ipv6 enable
#
interface Vlanif40
ipv6 enable
#
#
#
#
ipv6 route-static 1:: 64 Vlanif20 10::1
ipv6 route-static 3:: 64 Vlanif40 20::2
#
return

#
sysname SwitchC
#
ipv6

#
vlan batch 40 50
#
interface Vlanif40
ipv6 enable
#
interface Vlanif50
ipv6 enable
#
#
#
ipv6 route-static :: 0 Vlanif40 20::1
#
return
5.2.3 Example for Configuring Static BFD for IPv4 Static Routes
As shown in Figure 5-4, SwitchA is connected to the network management system (NMS)
through SwitchB. You need to configure static routes on SwitchA so that SwitchA can
communicate with the NMS. Link fault detection between SwitchA and SwitchB must be at the
millisecond level to improve convergence speed.
Figure 5-4 Networking diagram of configuring static BFD for IPv4 static routes
GE0/0/1 GE0/0/2
VLANIF10 VLANIF20
1.1.1.1/24 2.2.2.2/24
GE0/0/1 2.2.2.1/24
SwitchA VLANIF10 SwitchB NMS
1.1.1.2/24
1. Configure a BFD session between SwitchA and SwitchB to implement link fault detection
at the millisecond level.
2. Configure a static route from SwitchA to the NMS and bind a BFD session to the static
route. This configuration can implement link fault detection at the millisecond level and
improve convergence speed of static routes.
Procedure
Step 1 Add interfaces to the VLANs.

[SwitchA] vlan 10
The configurations of SwitchB are similar to the configuration of SwitchA, and are not
mentioned here.
Step 2 Assign IP addresses to the VLANIF interfaces.
The configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned
here.
Step 3 Configure a BFD session between SwitchA and SwitchB.
# Create a BFD session on SwitchA.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd aa bind peer-ip 1.1.1.2
[SwitchA-bfd-session-aa] discriminator local 10
[SwitchA-bfd-session-aa] discriminator remote 20
[SwitchA-bfd-session-aa] commit
[SwitchA-bfd-session-aa] quit
# Create a BFD session on SwitchB.

[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bfd bb bind peer-ip 1.1.1.1
[SwitchB-bfd-session-bb] discriminator local 20
[SwitchB-bfd-session-bb] discriminator remote 10
[SwitchB-bfd-session-bb] commit
[SwitchB-bfd-session-bb] quit
Step 4 Configure a static route and bind the route to the BFD session.
# Configure a default static route to the external network on SwitchA and bind the static route
to the BFD session named aa.
[SwitchA]ip route-static 2.2.2.0 24 1.1.1.2 track bfd-session aa

# After the configuration is complete, run the display bfd session all command on SwitchA and
SwitchB. You can view that the BFD session is established and its status is Up.
Take the display on SwitchA as an example.
[SwitchA] display bfd session all
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
10 20 1.1.1.2 Up S_IP_PEER -
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0
# Check the IP routing table on SwitchA, and you can find that the static route exists in the
routing table.


------------------------------------------------------------------------------
1.1.1.0/24 Direct 0 0 D 1.1.1.1 Vlanif10

1.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
2.2.2.0/24 Static 60 0 RD 1.1.1.2 Vlanif10
# Run the shutdown command on GE 0/0/1 of SwitchB to simulate a link fault.

[SwitchB-GigabitEthernet0/0/1] shutdown
# Check the routing table on SwitchA, and you can find that default route 2.2.2.0/24 does not
exist. The reason is that the default static route is bound to a BFD session, and BFD immediately
notifies that the bound static route is unavailable when a fault is detected.
[SwitchA]display ip routing-table
------------------------------------------------------------------------------

# Run the undo shutdown command on GE0/0/1 of SwitchB to simulate link recovery.
[SwitchB-GigabitEthernet0/0/1]undo shutdown
# Check the routing table on SwitchA, and you can find default route 2.2.2.0/24 in the routing
table. After detecting link recovery, BFD immediately notifies that the bound static route is
reachable.
------------------------------------------------------------------------------
1.1.1.0/24 Direct 0 0 D 1.1.1.1 Vlanif10

1.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
2.2.2.0/24 Static 60 0 RD 1.1.1.2 Vlanif10
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10

#
bfd
#
interface Vlanif10
ip address 1.1.1.1 255.255.255.0
#
#
bfd aa bind peer-ip 1.1.1.2
discriminator local 10
discriminator remote 20
commit
#
ip route-static 2.2.2.0 255.255.255.0 1.1.1.2 track bfd-session aa
#
return

#
sysname SwitchB
#
vlan batch 10 20
#
bfd
#
interface Vlanif10
ip address 1.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 2.2.2.2 255.255.255.0
#
#
#
bfd bb bind peer-ip 1.1.1.1
commit
#
return
5.3 RIP Configuration

Routing Information Protocol(RIP) is widely used on small-sized networks to discover routes
and generate routing information.
5.3.1 Example for Configuring Basic RIP Functions
As shown in Figure 5-5, SwitchA, SwitchB, SwitchC, and SwitchD are located on a small-sized
network, and they need to communicate with each other.

Figure 5-5 Networking diagram for configuring the RIP version

SwitchC
GE0/0/2
VLANIF20
172.16.1.2/24
GE0/0/2
GE0/0/1 VLANIF20 GE0/0/3
VLANIF10 172.16.1.1/24 VLANIF30
192.168.1.1/24 10.1.1.2/24
GE0/0/1 GE0/0/3
SwitchA VLANIF10 SwitchB VLANIF30 SwitchD
192.168.1.2/24 10.1.1.1/24
The network size is small, so RIP-2 is recommended. The configuration roadmap is as follows:
1. Configure VLAN and IP address for each interface to ensure network reachability.
2. Enable RIP on each switch to implement network connections between processes.
3. Configure RIP-2 on each switch to improve RIP performance.
Procedure
Step 1 Configure VLANs that the related interfaces belong to.
[SwitchA] vlan 10
The configurations of Switch B, Switch C, and Switch D are similar to the configuration of
Switch A, and are not mentioned here.
Step 2 Configure an IP address to each VLANIF interface.
Step 3 Configure the basic RIP functions.
# Configure Switch A.
[SwitchA] rip
[SwitchA-rip-1] network 192.168.1.0
[SwitchA-rip-1] quit

# Configure Switch B.
[SwitchB] rip
[SwitchB-rip-1] network 192.168.1.0
[SwitchB-rip-1] quit
# Configure Switch C.
[SwitchC] rip
[SwitchC-rip-1] network 172.16.0.0
[SwitchC-rip-1] quit
# Configure Switch D.
[SwitchD] rip
[SwitchD-rip-1] network 10.0.0.0
[SwitchD-rip-1] quit
# Check the RIP routing table of Switch A.

[SwitchA] display rip 1 route
Route Flags: R - RIP
A - Aging, G - Garbage-collect
-------------------------------------------------------------------------
Peer 192.168.1.2 on Vlanif10
Destination/Mask Nexthop Cost Tag Flags Sec
10.0.0.0/8 192.168.1.2 1 0 RA 14
172.16.0.0/16 192.168.1.2 1 0 RA 14
From the routing table, you can find that the routes advertised by RIP-1 use natural masks.
Step 4 Configure the RIP version.
# Configure RIPv2 on Switch A.
[SwitchA] rip
[SwitchA-rip-1] version 2
# Configure RIPv2 on Switch B.

[SwitchB] rip
[SwitchB-rip-1] version 2
# Configure RIPv2 on Switch C.

[SwitchC] rip
[SwitchC-rip-1] version 2
# Configure RIPv2 on Switch D.

[SwitchD] rip
[SwitchD-rip-1] version 2

# Check the RIP routing table of Switch A.
[SwitchA] display rip 1 route
Route Flags: R - RIP
-------------------------------------------------------------------------
Peer 192.168.1.2 on Vlanif10

Destination/Mask Nexthop Cost Tag Flags Sec

10.1.1.0/24 192.168.1.2 1 0 RA 32
172.16.1.0/24 192.168.1.2 1 0 RA 32
From the routing table, you can find that the routes advertised by RIP-2 contain more accurate
subnet masks.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
#
rip 1
version 2
network 192.168.1.0
#
return

#
sysname SwitchB
#
vlan batch 10 20 30
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 172.16.1.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.1.1 255.255.255.0
#
#
#
#
rip 1
version 2
network 10.0.0.0
network 172.16.0.0
network 192.168.1.0
#
return


#
sysname SwitchC
#
vlan batch 20
#
interface Vlanif20
ip address 172.16.1.2 255.255.255.0
#
#
rip 1
version 2
network 172.16.0.0
#
return
l Configuration file of Switch D

#
sysname SwitchD
#
vlan batch 30
#
interface Vlanif30
ip address 10.1.1.2 255.255.255.0
#
#
rip 1
version 2
network 10.0.0.0
#
return
5.3.2 Example for Configuring RIP to Import Routes

As shown in Figure 5-6, two RIP processes, RIP100 and RIP200, run on SwitchB. SwitchA
needs to communicate with network segment 192.168.3.0/24.
Figure 5-6 Network diagram of configuring RIP to import external routes
GE0/0/1 GE0/0/2
VLANIF50 VLANIF30
192.168.0.1/24 192.168.3.1/24
GE0/0/2 GE0/0/1
VLANIF10 VLANIF20
192.168.2.1/24 GE0/0/3
192.168.1.2/24
GE0/0/2 GE0/0/1 VLANIF40
VLANIF10 VLANIF20 192.168.4.1/24
SwitchA 192.168.1.1/24 SwitchB 192.168.2.2/24 SwitchC
RIP 100 RIP 200

2. Import routes between RIP100 and RIP200 on SwitchB and set the default metric of routes
imported from RIP200 to 3.
3. Configure an ACL on SwitchB to filter route 192.168.4.0/24 imported from RIP200 so that
SwitchA can only communicate with network segment 192.168.3.0/24.
Procedure
[SwitchA] vlan bath 10 50
The configurations of Switch B, and Switch C are similar to the configuration of Switch A, and
The configurations of Switch B, and Switch C are similar to the configuration of Switch A, and
Step 3 Configure the basic RIP functions.
# Enable RIP process 100 on SwitchA.
[SwitchA] rip 100
# Enable RIP processes 100 and 200 on SwitchB.

[SwitchB] rip 100
[SwitchB] rip 200
# Enable RIP process 200 on SwitchC.

[SwitchC] rip 200


# View the routing table on SwitchA.

------------------------------------------------------------------------------
192.168.0.0/24 Direct 0 0 D 192.168.0.1 Vlanif50
192.168.0.1/32 Direct 0 0 D 127.0.0.1 Vlanif50
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif10
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
The routing table of SwitchA does not contain the routes imported from other processes.
Step 4 Configure RIP to import external routes.
# On SwitchB, set the default metric of imported routes to 3 in RIP 100 process and configure
the RIP processes to import routes into each other's routing table.
[SwitchB] rip 100
[SwitchB-rip-100] default-cost 3
[SwitchB-rip-100] import-route rip 200
[SwitchB] rip 200
[SwitchB-rip-200] import-route rip 100
# View the routing table of SwitchA after the routes are imported.
------------------------------------------------------------------------------
192.168.0.0/24 Direct 0 0 D 192.168.0.1 Vlanif50
192.168.0.1/32 Direct 0 0 D 127.0.0.1 Vlanif50
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif10
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
192.168.2.0/24 RIP 100 4 D 192.168.1.2 Vlanif10
192.168.3.0/24 RIP 100 4 D 192.168.1.2 Vlanif10
192.168.4.0/24 RIP 100 4 D 192.168.1.2 Vlanif10
The routing table of SwitchA contains routes 192.168.2.0/24, 192.168.3.0/24, and

192.168.4.0/24, which are learned by RIP200 on SwitchB.
Step 5 Configure RIP to filter imported routes.
# Configure an ACL on SwitchB and add a rule to the ACL. The rule denies the packets sent
from 192.168.4.0/24.
[SwitchB] acl 2000
[SwitchB-acl-basic-2000] rule deny source 192.168.4.0 0.0.0.255
[SwitchB-acl-basic-2000] rule permit
[SwitchB-acl-basic-2000] quit
# Configure SwitchB to filter route 192.168.4.0/24 imported from RIP200.

[SwitchB] rip 100

[SwitchB-rip-100] filter-policy 2000 export


# Display the RIP routing table of SwitchA after the routes are filtered.
------------------------------------------------------------------------------
192.168.0.0/24 Direct 0 0 D 192.168.0.1 Vlanif50
192.168.0.1/32 Direct 0 0 D 127.0.0.1 Vlanif50
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif10
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
192.168.2.0/24 RIP 100 4 D 192.168.1.2 Vlanif10
192.168.3.0/24 RIP 100 4 D 192.168.1.2 Vlanif10
The routing table of SwitchA does not contain the route originating from 192.168.4.0/24.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 50
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
interface Vlanif50
ip address 192.168.0.1 255.255.255.0
#
#
#
rip 100
network 192.168.0.0
network 192.168.1.0
#
return

#
sysname SwitchB
#
vlan batch 10 20
#
acl number 2000
rule 5 deny source 192.168.4.0 0.0.0.255
rule 10 permit
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0

#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
#
#
rip 100
default-cost 3
network 192.168.1.0
filter-policy 2000 export
import-route rip 200
#
rip 200
network 192.168.2.0
import-route rip 100
#
return

#
sysname SwitchC
#
vlan batch 20 30 40
#
interface Vlanif20
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif30
ip address 192.168.3.1 255.255.255.0
#
interface Vlanif40
ip address 192.168.4.1 255.255.255.0
#
#
#
#
rip 200
network 192.168.2.0
network 192.168.3.0
network 192.168.4.0
#
return
5.3.3 Example for Configuring One-Arm Static BFD for RIP
As shown in Figure 5-7, there are four switches that communicate using RIP on a small-sized
network. Services are transmitted through the primary link SwitchA→SwitchB→SwitchD.

Reliability must be improved for data transmitted from SwitchA to SwitchB so that services can
be rapidly switched to another path for transmission when the primary link fails.
Figure 5-7 Networking diagram for One-Arm static BFD for RIP
GE0/0/1 GE0/0/1 GE0/0/3
SwitchA VLANIF10 VLANIF10 SwitchB VLANIF40 SwitchD
2.2.2.1/24 2.2.2.2/24 172.16.1.1/24
GE0/0/1
VLANIF20 VLANIF30 172.16.1.2/24
3.3.3.1/24 4.4.4.1/24
GE0/0/2 GE0/0/1
VLANIF20 VLANIF30
3.3.3.2/24 SwitchC 4.4.4.2/24
1. Configure IP address for each interface to ensure network reachability.
3. Configure One-Arm static BFD on SwitchA. BFD can rapidly detect the link status and
help RIP speed up route convergence to implement fast link switching.
Procedure
Step 3 Configure basic RIP functions.

[SwitchA] rip 1
[SwitchB] rip 1
[SwitchC] rip 1
[SwitchD] rip 1
# After completing the preceding operations, run the display rip neighbor command. The
command output shows that Switchs A, B, and C have established neighbor relationships with
each other. In the following example, the display on Switch A is used.
[SwitchA] display rip 1 neighbor
---------------------------------------------------------------------
IP Address Interface Type Last-Heard-Time
---------------------------------------------------------------------
2.2.2.2 Vlanif10 RIP 0:0:10
Number of RIP routes : 2
3.3.3.2 Vlanif20 RIP 0:0:8
# Run the display ip routing-table command. The command output shows that the devices have
imported routes from each other. In the following example, the display on Switch A is used.
------------------------------------------------------------------------------
2.2.2.0/24 Direct 0 0 D 2.2.2.1 Vlanif10

2.2.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
3.3.3.0/24 Direct 0 0 D 3.3.3.1 Vlanif20
3.3.3.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
4.4.4.0/24 RIP 100 1 D 3.3.3.2 Vlanif20
RIP 100 1 D 2.2.2.2 Vlanif10
172.16.1.0/24 RIP 100 1 D 2.2.2.2 Vlanif10

The preceding command output shows that the next-hop address and outbound interface of the
route to destination 172.16.1.0/24 are 2.2.2.2 and VLANIF10 respectively, and traffic is
transmitted over the active link Switch A->Switch B.
Step 4 Configure One-Arm static BFD on Switch A.
# Configure one-arm BFD on Switch A.

[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd 1 bind peer-ip 2.2.2.2 interface vlanif 10 source-ip 1.1.1.1 one-arm-
echo
[SwitchA-session-1] discriminator local 1
[SwitchA-session-1] min-echo-rx-interval 200
[SwitchA-session-1] commit
[SwitchA-session-1] quit
# Enable static BFD on VLANIF 10.

[SwitchA-Vlanif10] rip bfd static
# After the configurations are completed, run the display bfd sessionall command on Switch A
and you can see that a static BFD session is set up.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
1 - 2.2.2.2 Up S_IP_IF Vlanif10
--------------------------------------------------------------------------------
# Run the shutdown command on GE 0/0/1 of Switch B to simulate a fault in the active link.
NOTE
The link fault is simulated to verify the configuration. In actual situations, the operation is not required.
# Check the routing table of Switch A.

------------------------------------------------------------------------------
3.3.3.0/24 Direct 0 0 D 3.3.3.1 Vlanif20

3.3.3.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
4.4.4.0/24 RIP 100 1 D 3.3.3.2 Vlanif20
172.16.1.0/24 RIP 100 2 D 3.3.3.2 Vlanif20

The preceding command output shows that the standby link Switch A->Switch C->Switch B is
used after the active link fails, and the next-hop address and outbound interface of the route to
destination 172.16.1.0/24 are 3.3.3.2 and VLANIF20 respectively.
----End
Configuration files
#
sysname SwitchA
#
vlan batch 10 20
#
bfd
#
interface Vlanif10
ip address 2.2.2.1 255.255.255.0
rip bfd static
#
interface Vlanif20
ip address 3.3.3.1 255.255.255.0
#
#
#
bfd 1 bind peer-ip 2.2.2.2 interface Vlanif10 source-ip 1.1.1.1 one-arm-echo
min-echo-rx-interval 200
commit
#
rip 1
version 2
network 2.0.0.0
network 3.0.0.0
#
return

#
sysname SwitchB
#
vlan batch 10 30 40
#
bfd
#
interface Vlanif10
ip address 2.2.2.2 255.255.255.0
#
interface Vlanif30
ip address 4.4.4.1 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
#


#
#
rip 1
version 2
network 2.0.0.0
network 4.0.0.0
network 172.16.0.0
#
return

#
sysname SwitchC
#
vlan batch 20 30
#
interface Vlanif20
ip address 3.3.3.2 255.255.255.0
#
interface Vlanif30
ip address 4.4.4.2 255.255.255.0
#
#
#
rip 1
version 2
network 3.0.0.0
network 4.0.0.0
#
return

#
sysname SwitchD
#
vlan batch 40
#
interface Vlanif40
ip address 172.16.1.2 255.255.255.0
#
#
rip 1
version 2
network 172.16.0.0
#
return

5.3.4 Example for Configuring Dynamic BFD for RIP
As shown in Figure 5-8, there are four switches that communicate using RIP on a small-sized
network. Services are transmitted through the primary link Switch A→Switch B→Switch D.
Reliability must be improved for data transmitted from Switch A to Switch B so that services
can be rapidly switched to another path for transmission when the primary link fails.
Figure 5-8 Networking diagram for configuring BFD for RIP

GE0/0/1 GE0/0/1 GE0/0/3
SwitchA VLANIF10 VLANIF10 SwitchB VLANIF40 SwitchD
2.2.2.1/24 2.2.2.2/24 172.16.1.1/24
GE0/0/1
VLANIF20 VLANIF30 172.16.1.2/24
3.3.3.1/24 4.4.4.1/24
GE0/0/2 GE0/0/1
VLANIF20 VLANIF30
3.3.3.2/24 SwitchC 4.4.4.2/24
1. Configure IP address for each interface to ensure network reachability.

3. Configure BFD for RIP on interfaces at both ends of the link between Switch A and
Switch B. BFD can rapidly detect the link status and help RIP speed up route convergence
to implement fast link switching.
Procedure



[SwitchA] rip 1
[SwitchB] rip 1
[SwitchC] rip 1
[SwitchD] rip 1
# After completing the preceding operations, run the display rip neighbor command. The
command output shows that Switch A, Switch B, and Switch C have established neighbor
relationships with each other. In the following example, the display on Switch A is used.
[SwitchA] display rip 1 neighbor
---------------------------------------------------------------------
IP Address Interface Type Last-Heard-Time
---------------------------------------------------------------------
2.2.2.2 Vlanif10 RIP 0:0:14
3.3.3.2 Vlanif20 RIP 0:0:19
# Run the display ip routing-table command. The command output shows that the switchs have
imported routes from each other. In the following example, the display on Switch A is used.
------------------------------------------------------------------------------
2.2.2.0/24 Direct 0 0 D 2.2.2.1 Vlanif10

2.2.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif10

3.3.3.0/24 Direct 0 0 D 3.3.3.1 Vlanif20

3.3.3.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
4.4.4.0/24 RIP 100 1 D 3.3.3.2 Vlanif20
RIP 100 1 D 2.2.2.2 Vlanif10
172.16.1.0/24 RIP 100 1 D 2.2.2.2 Vlanif10
The preceding command output shows that the next-hop address and outbound interface of the
route to destination 172.16.1.0/24 are 2.2.2.2 and VLANIF10 respectively, and traffic is
transmitted over the active link Switch A->Switch B.
Step 4 Configure BFD in RIP processes.
# Configure BFD on all interfaces of Switch A.

[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] rip 1
[SwitchA-rip-1] bfd all-interfaces enable
[SwitchA-rip-1] bfd all-interfaces min-rx-interval 100 min-tx-interval 100 detect-
multiplier 10
The configuration of Switch B is similar to that of Switch A, and is not provided here.
# After completing the preceding operations, run the display rip bfd session command on
Switch A. The command output shows that Switch A and Switch B have established a BFD
session and the BFDState field value is displayed as Up. In the following example, the display
on Switch A is used.
[SwitchA] display rip 1 bfd session all
LocalIp :2.2.2.1 RemoteIp :2.2.2.2 BFDState :Up
TX :100 RX :100 Multiplier:3
BFD Local Dis :8194 Interface :Vlanif10
Diagnostic Info:No diagnostic information
LocalIp :3.3.3.1 RemoteIp :3.3.3.2 BFDState :Down

TX :2800 RX :2800 Multiplier:0
BFD Local Dis :8192 Interface :Vlanif20
Diagnostic Info:No diagnostic information
# Run the shutdown command on GE 0/0/1 of Switch B to simulate a fault in the active link.
NOTE
The link fault is simulated to verify the configuration. In actual situations, the operation is not required.
# Check the routing table of Switch A.

------------------------------------------------------------------------------
3.3.3.0/24 Direct 0 0 D 3.3.3.1 Vlanif20

3.3.3.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
4.4.4.0/24 RIP 100 1 D 3.3.3.2 Vlanif20


172.16.1.0/24 RIP 100 2 D 3.3.3.2 Vlanif20
The preceding command output shows that the standby link Switch A->Switch C->Switch B is
used after the active link fails, and the next-hop address and outbound interface of the route to
destination 172.16.1.0/24 are 3.3.3.2 and VLANIF20 respectively.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20
#
bfd
#
interface Vlanif10
ip address 2.2.2.1 255.255.255.0
#
interface Vlanif20
ip address 3.3.3.1 255.255.255.0
#
#
#
rip 1
version 2
network 2.0.0.0
network 3.0.0.0
bfd all-interfaces enable
bfd all-interfaces min-tx 100 min-rx-interval 100 detect-multiplier 10
#
return

#
sysname SwitchB
#
vlan batch 10 30 40
#
bfd
#
interface Vlanif10
ip address 2.2.2.2 255.255.255.0
#
interface Vlanif30
ip address 4.4.4.1 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
#


#
#
rip 1
version 2
network 2.0.0.0
network 4.0.0.0
network 172.16.0.0
bfd all-interfaces min-tx-interval 100 min-rx-interval 100 detect-multiplier
10
#
return

#
sysname SwitchC
#
vlan batch 20 30
#
interface Vlanif20
ip address 3.3.3.2 255.255.255.0
#
interface Vlanif30
ip address 4.4.4.2 255.255.255.0
#
#
#
rip 1
version 2
network 3.0.0.0
network 4.0.0.0
#
return

#
sysname SwitchD
#
vlan batch 40
#
interface Vlanif40
ip address 172.16.1.2 255.255.255.0
#
#
rip 1
version 2
network 172.16.0.0
#
return

5.4 RIPng Configuration

RIPng is widely used on small-sized networks to discover routes and generate routing
information.
5.4.1 Example for Configuring RIPng to Filter the Received Routes
As shown in Figure 5-9, the prefix length of all the IPv6 addresses is 64 bits. In addition, the
VLANIF interfaces between the neighboring Switches are assigned IPv6 link-local addresses.
All the Switches must learn IPv6 routing information on the network through RIPng. SwitchB
should filter the routes received from SwitchC (3::/64). That is, SwitchB does not add the routes
to its own routing table or advertise the routes to SwitchA.
Figure 5-9 Networking diagram for configuring RIPng to filter the received routes
SwitchB
GE0/0/1 GE0/0/2
VLANIF20 VLANIF30
SwitchA SwitchC GE0/0/2

VLANIF40
GE0/0/1 GE0/0/1 2::1/64
VLANIF20 VLANIF30
GE0/0/2 GE0/0/3
VLANIF10 VLANIF50
1::1/64 3::1/64
1. Enable RIPng on each Switch so that the Switches can communicate with each other.
2. Configure an ACL on SwitchB to filter the received routes.
Procedure
[SwitchA] vlan 10


[SwitchA] vlan 20
The configurations of SwitchB and SwitchC are similar to the configuration of SwitchA and are
not mentioned here.

[SwitchA] ipv6
[SwitchA-Vlanif20] ipv6 address auto link-local
not mentioned here.
Step 3 Configure the basic RIPng functions.
[SwitchA] ripng 1
[SwitchA-ripng-1] quit
[SwitchA-Vlanif10] ripng 1 enable
[SwitchA-Vlanif20] ripng 1 enable
[SwitchB] ripng 1
[SwitchB-ripng-1] quit
[SwitchB] interface vlaif 20
[SwitchB-Vlanif20] ripng 1 enable
[SwitchB-Vlanif30] ripng 1 enable
[SwitchC] ripng 1
[SwitchC-ripng-1] quit
[SwitchC-Vlanif30] ripng 1 enable
# Display the RIPng routing table of SwitchB.

[SwitchB] display ripng 1 route

Route Flags: R - RIPng
----------------------------------------------------------------
Peer FE80::F54C:0:9FDB:1 on Vlanif30

Dest 2::/64,
via FE80::F54C:0:9FDB:1, cost 1, tag 0, RA, 3 Sec
Dest 3::/64,
Peer FE80::D472:0:3C23:1 on Vlanif20

Dest 1::/64,
via FE80::D472:0:3C23:1, cost 1, tag 0, RA, 4 Sec
The preceding information shows that the RIPng routing table of SwitchB contains the routes
of network segment 3::/64.
# Display the RIPng routing table of SwitchA.

[SwitchA] display ripng 1 route
----------------------------------------------------------------
Peer FE80::476:0:3624:1 on Vlanif20

Dest 2::/64,
via FE80::476:0:3624:1, cost 2, tag 0, RA, 21 Sec
Dest 3::/64,
The preceding information shows that the RIPng routing table of SwitchA contains the routes
of network segment 3::/64 advertised by SwitchB.
Step 4 Configure SwitchB to filter the received routes.

[SwitchB] acl ipv6 number 2000
[SwitchB-acl6-basic-2000] rule deny source 3:: 64
[SwitchB-acl6-basic-2000] rule permit
[SwitchB-acl6-basic-2000] quit
[SwitchB] ripng 1
[SwitchB-ripng-1] filter-policy 2000 import
[SwitchB-ripng-1] quit

NOTE
After the aging time of the filtered routing entry expires, check the verification result. The default aging time is
180 seconds.
# Check the RIPng routing table of SwitchB. The RIPng routing table should not contain the
routes of network segment 3::/64.
[SwitchB] display ripng 1 route
----------------------------------------------------------------
Peer FE80::F54C:0:9FDB:1 on Vlanif30

Dest 2::/64,
Peer FE80::D472:0:3C23:1 on Vlanif20

Dest 1::/64,
via FE80::D472:0:3C23:1, cost 1, tag 0, RA, 25 Sec

# Check the RIPng routing table of SwitchA. The RIPng routing table should not contain the
routes of network segment 3::/64.
[SwitchA] display ripng 1 route
----------------------------------------------------------------
Peer FE80::476:0:3624:1 on Vlanif20

Dest 2::/64,
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 10 20
#
interface Vlanif10
ipv6 enable
ripng 1 enable
#
interface Vlanif20
ipv6 enable
ipv6 address auto link-local
ripng 1 enable
#
#
#
ripng 1
#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 20 30
#
acl ipv6 number 2000
rule 0 deny source 3::/64
rule 1 permit
#
interface Vlanif20
ipv6 enable
ripng 1 enable
#
interface Vlanif30
ipv6 enable

ripng 1 enable
#
#
#
ripng 1
filter-policy 2000 import
#
return

#
sysname SwitchC
#
ipv6
#
vlan batch 30 40 50
#
interface Vlanif30
ipv6 enable
ripng 1 enable
#
interface Vlanif40
ipv6 enable
ripng 1 enable
#
interface Vlanif50
ipv6 enable
ripng 1 enable
#
#
#
#
ripng 1
#
return
5.5 OSPF Configuration

By building OSPF networks, you can enable OSPF to discover and calculate routes in ASs.
OSPF is applicable to a large-scale network that consists of hundreds of devices.
5.5.1 Example for Configuring Basic OSPF Functions

As shown in Figure 5-10, all switches run OSPF, and the entire AS is partitioned into three
areas. Switch A and Switch B serve as ABRs to forward routes between areas.
After the configuration, each Switch should learn the routes to all network segments from the
AS.
Figure 5-10 Networking diagram of basic OSPF configurations
Switch A Area 0 Switch B

GE 0/0/1
GE 0/0/2 GE 0/0/2
GE 0/0/1
Switch C Switch D
GE 0/0/1 GE 0/0/1
Area 1 Area 2
GE 0/0/2 GE 0/0/2
GE 0/0/1 GE 0/0/1
Switch E Switch F
Switch A GigabitEthernet 0/0/1 VLANIF 10 192.168.0.1/24
Switch A GigabitEthernet 0/0/2 VLANIF 20 192.168.1.1/24
Switch B GigabitEthernet 0/0/1 VLANIF 10 192.168.0.2/24
Switch B GigabitEthernet 0/0/2 VLANIF 30 192.168.2.1/24
Switch C GigabitEthernet 0/0/1 VLANIF 20 192.168.1.2/24
Switch C GigabitEthernet 0/0/2 VLANIF 40 172.16.1.1/24
Switch D GigabitEthernet 0/0/1 VLANIF 30 192.168.2.2/24
Switch D GigabitEthernet 0/0/2 VLANIF 50 172.17.1.1/24
Switch E GigabitEthernet 0/0/1 VLANIF 40 172.16.1.2/24
Switch F GigabitEthernet 0/0/1 VLANIF 50 172.17.1.2/24
1. Create the ID of a VLAN to which each interface belongs.

2. Assign an IP address to each VLANIF interface.
3. Enable OSPF on each Switch and specify network segments in different areas.

4. Check the routing table and LSDB.
1. Create a VLAN to which each interface belongs.
2. Assign an IP address to each interface.
3. Configuring Basic OSPF Functions.
[SwitchA] router id 1.1.1.1
[SwitchA] ospf
[SwitchB] router id 2.2.2.2
[SwitchB] ospf
[SwitchC] router id 3.3.3.3
[SwitchC] ospf
[SwitchD] router id 4.4.4.4
[SwitchD] ospf
[SwitchD-ospf-1] area 2
[SwitchD-ospf-1-area-0.0.0.2] network 192.168.2.0 0.0.0.255
[SwitchD-ospf-1-area-0.0.0.2] quit
[SwitchD-ospf-1] quit
# Configure Switch E.
[SwitchE] router id 5.5.5.5
[SwitchE] ospf
[SwitchE-ospf-1] area 1
[SwitchE-ospf-1-area-0.0.0.1] network 172.16.1.0 0.0.0.255
[SwitchE-ospf-1-area-0.0.0.1] quit
[SwitchE-ospf-1] quit
# Configure Switch F.
[SwitchF] router id 6.6.6.6
[SwitchF] ospf
[SwitchF-ospf-1] area 2
[SwitchF-ospf-1-area-0.0.0.2] network 172.17.1.0 0.0.0.255

[SwitchF-ospf-1-area-0.0.0.2] quit
[SwitchF-ospf-1] quit
4. Verify the configuration.

# Check OSPF neighbors of Switch A.
[SwitchA] display ospf peer
OSPF Process 1 with Router ID 1.1.1.1
Neighbors
Area 0.0.0.0 interface 192.168.0.1(Vlanif10)'s neighbors

Router ID: 2.2.2.2 Address: 192.168.0.2
State: Full Mode:Nbr is Master Priority: 1
DR: 192.168.0.1 BDR: 192.168.0.2 MTU: 0
Dead timer due in 36 sec
Retrans timer interval: 5
Neighbor is up for 00:15:04
Authentication Sequence: [ 0 ]
Neighbors

DR: 192.168.1.1 BDR: 192.168.1.2 MTU: 0
# Check OSPF routing information of Switch A.

[SwitchA] display ospf routing

Routing Tables
Routing for Network

Destination Cost Type NextHop AdvRouter Area
172.16.1.0/24 2 Transit 192.168.1.2 3.3.3.3 0.0.0.1
172.17.1.0/24 3 Inter-area 192.168.0.2 2.2.2.2 0.0.0.0
192.168.0.0/24 1 Transit 192.168.0.1 1.1.1.1 0.0.0.0
192.168.1.0/24 1 Transit 192.168.1.1 1.1.1.1 0.0.0.1
192.168.2.0/24 2 Inter-area 192.168.0.2 2.2.2.2 0.0.0.0
Total Nets: 5
Intra Area: 3 Inter Area: 2 ASE: 0 NSSA: 0
# View the LSDB of Switch A.

[SwitchA] display ospf lsdb

Link State Database
Area: 0.0.0.0
Type LinkState ID AdvRouter Age Len Sequence Metric
Router 2.2.2.2 2.2.2.2 317 48 80000003 1
Router 1.1.1.1 1.1.1.1 316 48 80000002 1
Network 192.168.0.1 1.1.1.1 316 32 80000001 0
Sum-Net 172.16.1.0 1.1.1.1 250 28 80000001 2
Sum-Net 172.17.1.0 2.2.2.2 203 28 80000001 2
Sum-Net 192.168.2.0 2.2.2.2 237 28 80000002 1
Sum-Net 192.168.1.0 1.1.1.1 295 28 80000002 1
Area: 0.0.0.1
Type LinkState ID AdvRouter Age Len Sequence Metric
Router 5.5.5.5 5.5.5.5 214 36 80000004 1
Router 3.3.3.3 3.3.3.3 217 60 80000008 1
Router 1.1.1.1 1.1.1.1 289 48 80000002 1

Network 192.168.1.1 1.1.1.1 202 28 80000002 0

Network 172.16.1.1 3.3.3.3 670 32 80000001 0
Sum-Net 172.17.1.0 1.1.1.1 202 28 80000001 3
Sum-Net 192.168.2.0 1.1.1.1 242 28 80000001 2
Sum-Net 192.168.0.0 1.1.1.1 300 28 80000001 1
# Check the routing table of Switch D and perform the ping operation to test the
connectivity.
[SwitchD] display ospf routing

Routing Tables
Routing for Network

172.16.1.0/24 4 Inter-area 192.168.2.1 2.2.2.2 0.0.0.2
172.17.1.0/24 1 Transit 172.17.1.1 4.4.4.4 0.0.0.2
192.168.0.0/24 2 Inter-area 192.168.2.1 2.2.2.2 0.0.0.2
192.168.1.0/24 3 Inter-area 192.168.2.1 2.2.2.2 0.0.0.2
192.168.2.0/24 1 Transit 192.168.2.2 4.4.4.4 0.0.0.2
Total Nets: 5
[SwitchD] ping 172.16.1.1


0.00% packet loss
Configuration Files
#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1

network 192.168.1.0 0.0.0.255

#
return

#
sysname SwitchB
#
router id 2.2.2.2
#
vlan batch 10 30
#
interface Vlanif10
ip address 192.168.0.2 255.255.255.0
#
interface Vlanif30
ip address 192.168.2.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.2
network 192.168.2.0 0.0.0.255
#
return

#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 20 40
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.1
network 192.168.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
return

#
sysname SwitchD
#
router id 4.4.4.4

#
vlan batch 30 50
#
interface Vlanif30
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif50
ip address 172.17.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.2
network 192.168.2.0 0.0.0.255
network 172.17.1.0 0.0.0.255
#
return
l Configuration file of Switch E

#
sysname SwitchE
#
router id 5.5.5.5
#
vlan batch 40
#
interface Vlanif40
ip address 172.16.1.2 255.255.255.0
#
#
ospf 1
area 0.0.0.1
network 172.16.1.0 0.0.0.255
#
return
l Configuration file of Switch F

#
sysname SwitchF
#
router id 6.6.6.6
#
vlan batch 50
#
interface Vlanif50
ip address 172.17.1.2 255.255.255.0
#
#
ospf 1
area 0.0.0.2
network 172.17.1.0 0.0.0.255
#
return

5.5.2 Example for Configuring a Stub Area of OSPF
As shown in Figure 5-11, OSPF is enabled on all Switches and the entire AS is partitioned into
three areas. SwitchA and SwitchB function as ABRs to forward routes between areas. SwitchD
functions as the ASBR to import static routes.
The requirement is to configure Area 1 as the stub area, thus reducing the LSAs advertised to
this area without affecting the route reachability.
Figure 5-11 Configuring OSPF stub areas

GE 0/0/1
GE 0/0/2 GE 0/0/2
GE 0/0/1
Switch C Switch D
GE 0/0/1 GE 0/0/1
Area 1 Area 2
GE 0/0/2 GE 0/0/2
GE0/0/1 GE0/0/1
Switch E Switch F
S-switch Interface VLANIF Interface IP Address
SwitchA GigabitEthernet 0/0/1 VLANIF 10 192.168.0.1/24
SwitchB GigabitEthernet 0/0/1 VLANIF 10 192.168.0.2/24
SwitchC GigabitEthernet 0/0/1 VLANIF 20 192.168.1.2/24
SwitchD GigabitEthernet 0/0/1 VLANIF 30 192.168.2.2/24
SwitchE GigabitEthernet 0/0/1 VLANIF 40 172.16.1.2/24
SwitchF GigabitEthernet 0/0/1 VLANIF 50 172.17.1.2/24

1. Enable OSPF on each Switch and configure basic OSPF functions.

2. Configure static routes on SwitchD and import them.
3. Configure Area 1 as a stub area. You need to run the stub command on all Switches in
Area 1.
4. Do not advertise Type3 LSAs to the stub area on SwitchA.
1. 5.5.1 Example for Configuring Basic OSPF Functions.
2. Configure SwitchD to import static routes.
# Import static routes on SwitchD, as follows:
[SwitchD] ip route-static 200.0.0.0 8 null 0
[SwitchD] ospf
[SwitchD-ospf-1] import-route static type 1
# Display the ABR or ASBR of SwitchC.

[SwitchC] display ospf abr-asbr

Routing Table to ABR and ASBR
Type Destination Area Cost Nexthop RtType

Intra-area 1.1.1.1 0.0.0.1 1 192.168.1.1 ABR
Inter-area 4.4.4.4 0.0.0.1 3 192.168.1.1 ASBR
# Check the routing table of an OSPF process of SwitchC.

[SwitchC] display ospf routing

Routing Tables
Routing for Network

172.16.1.0/24 1 Transit 172.16.1.1 3.3.3.3 0.0.0.1
172.17.1.0/24 4 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
192.168.0.0/24 2 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
192.168.1.0/24 1 Transit 192.168.1.2 3.3.3.3 0.0.0.1
192.168.2.0/24 3 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
Routing for ASEs

Destination Cost Type Tag NextHop AdvRouter
200.0.0.0/8 4 Type1 1 192.168.1.1 4.4.4.4
Total Nets: 6
If the area where SwitchC resides is the common area, you can view that AS external routes
exist in the routing table.
3. Configure Area 1 as a stub area.
[SwitchA] ospf
[SwitchA-ospf-1-area-0.0.0.1] stub
[SwitchC] ospf

[SwitchC-ospf-1-area-0.0.0.1] stub
# Configure SwitchE.
[SwitchE] ospf
[SwitchE-ospf-1-area-0.0.0.1] stub
# Check the routing table of SwitchC.


Routing Tables
Routing for Network

0.0.0.0/0 2 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
172.16.1.0/24 1 Transit 172.16.1.1 3.3.3.3 0.0.0.1
172.17.1.0/24 4 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
192.168.0.0/24 2 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
192.168.1.0/24 1 Transit 192.168.1.2 3.3.3.3 0.0.0.1
192.168.2.0/24 3 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
Total Nets: 6
When the area where SwitchC resides is configured as a stub area, you may not find the
AS external route but a default route external to the AS.
# Disable Router A from advertising Type3 LSAs to the stub area.
[SwitchA] ospf
[SwitchA-ospf-1-area-0.0.0.1] stub no-summary

# Check the OSPF routing table of SwitchC.

Routing Tables
Routing for Network

0.0.0.0/0 2 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
172.16.1.0/24 1 Transit 172.16.1.1 3.3.3.3 0.0.0.1
192.168.1.0/24 1 Transit 192.168.1.2 3.3.3.3 0.0.0.1
Total Nets: 3
After the advertisement of Summary-LSA to the stub area is disabled, the route entries are
further reduced. The AS external routes are invisible in the routing table. Instead, there is
a default route.
Configuration Files
#
sysname SwitchA
#

router id 1.1.1.1
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
stub no-summary
#
return
NOTE
Configuration files of SwitchB and SwitchF are the same as the configuration file of SwitchA, and
#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 20 40
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.1
network 192.168.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
stub
#
return

#
sysname SwitchD
#
vlan batch 30 50
#

router id 4.4.4.4
#
interface Vlanif30
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif50
ip address 172.17.1.1 255.255.255.0
#
#
#
ospf 1
import-route static type 1
area 0.0.0.2
network 192.168.2.0 0.0.0.255
network 172.17.1.0 0.0.0.255
#
ip route-static 200.0.0.0 255.0.0.0 NULL0
#
return
l Configuration file of SwitchE

#
sysname SwitchE
#
router id 5.5.5.5
#
vlan batch 40
#
interface Vlanif40
ip address 172.16.1.2 255.255.255.0
#
#
ospf 1
area 0.0.0.1
network 172.16.1.0 0.0.0.255
stub
#
return
5.5.3 Example for Configuring an OSPF NSSA Area
As shown in Figure 5-12, OSPF is enabled on all Switches and the entire AS is partitioned into
three areas. SwitchA and SwitchB function as ABRs to forward routes between areas. SwitchD
functions as the ASBR to import external routes (static routes).
The requirement is to configure Area 1 as an NSSA area and configure SwitchC as an ASBR to
import external routes (static routes). The routing information can be transmitted correctly in
the AS.

Figure 5-12 Configuring OSPF NSSA areas

GE 0/0/1
GE 0/0/2 GE 0/0/1 GE 0/0/2
Switch C GE 0/0/1 GE 0/0/1 Switch D
Area 1 Area 2
GE 0/0/2 GE 0/0/2
GE 0/0/1 GE 0/0/1
Switch E Switch F
S-switch Interface VLANIF Interface IP Address
SwitchF GigabitEthernet 0/0/1 VLANIF 50 172.17.1.2/24
1. Enable OSPF on each Switch and configure basic OSPF functions.

2. Configure static routes on SwitchD and import them into OSPF.
3. Configure Area 1 as an NSSA area (run the nssa command on all routers in Area 1) and
check the OSPF routing information of SwitchC.
4. Configure static routes on SwitchC, import them into OSPF, and check the OSPF routing
information of SwitchD.

2. Configure SwitchD to import static routes. See 5.5.2 Example for Configuring a Stub
Area of OSPF.
3. Configure Area 1 as an NSSA area.
[SwitchA] ospf
[SwitchA-ospf-1-area-0.0.0.1] nssa default-route-advertise no-summary
[SwitchC] ospf
[SwitchC-ospf-1-area-0.0.0.1] nssa
[SwitchE] ospf
[SwitchE-ospf-1-area-0.0.0.1] nssa
NOTE
You should run the default-route-advertise no-summary command on SwitchA. In this manner,
the size of the routing table of devices in the NSSA area can be reduced. For other devices in the
NSSA area, you need to use only the nssa command.
# Check the OSPF routing table of SwitchC.

Routing Tables
Routing for Network

0.0.0.0/0 2 Inter-area 192.168.1.1 1.1.1.1 0.0.0.1
172.16.1.0/24 1 Transit 172.16.1.1 3.3.3.3 0.0.0.1
192.168.1.0/24 1 Transit 192.168.1.2 3.3.3.3 0.0.0.1
Total Nets: 3
4. Configure SwitchC to import static routes.

# Import static routes on SwitchC, as follows:
[SwitchC]ip route-static 100.0.0.0 8 null 0
[SwitchC] ospf
[SwitchC-ospf-1] import-route static

# Check the OSPF routing table of SwitchD.
[SwitchD] display ospf routing

Routing Tables
Routing for Network

172.16.1.0/24 4 Inter-area 192.168.2.1 2.2.2.2 0.0.0.2
172.17.1.0/24 1 Transit 172.17.1.1 4.4.4.4 0.0.0.2

192.168.0.0/24 2 Inter-area 192.168.2.1 2.2.2.2 0.0.0.2

192.168.1.0/24 3 Inter-area 192.168.2.1 2.2.2.2 0.0.0.2
192.168.2.0/24 1 Transit 192.168.2.2 4.4.4.4 0.0.0.2
Routing for ASEs
100.0.0.0/8 1 Type2 1 192.168.2.1 1.1.1.1
Total Nets: 6
You can view one imported AS external route on SwitchD in the NSSA area.
Configuration Files
#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
nssa default-route-advertise no-summary
#
return
NOTE
Configuration files of SwitchB, SwitchD, and SwitchF are the same as the configuration file of
SwitchA, and are not mentioned here.
#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 20 40
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
#

#
ospf 1
import-route static
area 0.0.0.1
network 192.168.1.0 0.0.0.255
network 172.16.1.0 0.0.0.255
nssa
#
#
return

#
sysname SwitchE
#
router id 5.5.5.5
#
vlan batch 40
#
interface Vlanif40
ip address 172.16.1.2 255.255.255.0
#
#
ospf 1
area 0.0.0.1
network 172.16.1.0 0.0.0.255
nssa
#
return
5.5.4 Example for Configuring DR Election of an OSPF Process
As shown in Figure 5-13, Switch A has the highest priority of 100 in the network and is selected
as DR. Switch C has the second highest priority, and is selected as BDR. The priority of Switch
B is 0, so Switch B cannot be selected as DR. The priority of Switch D is not configured and its
default value is 1.

Figure 5-13 Networking diagram for configuring DR election of an OSPF process

Switch A Switch B
GE 0/0/1 GE 0/0/1
GE 0/0/1 GE 0/0/1
Switch C Switch D
Switch Interface VLANIF IP address
1. Create the ID of a VLAN to which each interface belongs.

2. Assign an IP address to each VLANIF interface.
3. Configure the router ID of each Switch, enable OSPF, and specify network segments.
4. Check the DR or BDR status of each Switch.
5. Set the DR priority of the interface and check the DR or BDR status.
[SwitchA] ospf
[SwitchB] router id 2.2.2.2
[SwitchB] ospf

[SwitchC] router id 3.3.3.3
[SwitchC] ospf
[SwitchD] router id 4.4.4.4
[SwitchD] ospf
[SwitchD-ospf-1] area 0
[SwitchD-ospf-1-area-0.0.0.0] quit
# Check the DR or BDR status.


Neighbors

State: 2-Way Mode:Nbr is Master Priority: 1
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0

DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0

DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
Check information about the neighbor of Switch A. You can view the DR priority and
neighbor status. By default, the DR priority is 1. Now Switch D is a DR and Switch C is a
BDR.
NOTE
When the priority is the same, the Switch with a higher router ID is selected as DR. If one Ethernet
interface of the Switch becomes DR, the other broadcast interfaces of the Switch have a high priority
of being selected as DRs in future DR selection. That is, select the DR Switch as DR. DR cannot be
preempted.
4. Configure DR priorities on the interfaces.

[SwitchA-Vlanif10] ospf dr-priority 100

[SwitchB-Vlanif10] ospf dr-priority 0
[SwitchC-Vlanif10] ospf dr-priority 2
# View the DR or BDR status.

[SwitchD] display ospf peer

Neighbors

State: Full Mode:Nbr is Slave Priority: 100
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0

DR: 192.168.1.4 BDR: 192.168.1.3 MTU: 0
NOTE
The DR priority on the interface is invalid after it is configured.

5. Restart OSPF processes.
On each Switch, run the reset ospf 1 process command in the user view to restart the OSPF
process.
# Check the status of OSPF neighbors.
[SwitchD] display ospf peer

Neighbors

DR: 192.168.1.1 BDR: 192.168.1.3 MTU: 0


State: 2-Way Mode:Nbr is Slave Priority: 0
DR: 192.168.1.1 BDR: 192.168.1.3 MTU: 0

DR: 192.168.1.1 BDR: 192.168.1.3 MTU: 0
# Check the status of an interface enabled with OSPF.

[SwitchA] display ospf interface

Interfaces
Area: 0.0.0.0
IP Address Type State Cost Pri DR BDR
192.168.1.1 Broadcast DR 1 100 192.168.1.1 192.168.1.3
[SwitchB] display ospf interface

Interfaces
Area: 0.0.0.0
IP Address Type State Cost Pri DR BDR
192.168.1.2 Broadcast DROther 1 0 192.168.1.1 192.168.1.3
All neighbors are in the full state. This indicates that SwitchA sets up neighbor relationships
with all its neighbors. If the neighbor remains "2-Way", it indicates both of them are not
DRs or BDRs. Thus, they need not exchange LSAs.
All other neighbors are DR Others. This indicates that they are neither DRs nor BDRs.
Configuration Files
#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
ospf dr-priority 100
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return


#
sysname SwitchB
#
router id 2.2.2.2
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
ospf dr-priority 0
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return

#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.3 255.255.255.0
ospf dr-priority 2
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return

#
sysname SwitchD
#
router id 4.4.4.4
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.4 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return
5.5.5 Example for Configuring OSPF Load Balancing

As shown in Figure 5-14:
l SwitchA, SwitchB, SwitchC, and SwitchD connect to each other through OSPF.
l SwitchA, SwitchB, SwitchC, and SwitchD belong to Area 0.
l Load balancing is performed between SwitchB and SwitchC. The traffic of SwitchA is sent
to SwitchD by SwitchB and SwitchC.
Figure 5-14 Networking diagram for configuring OSPF load balancing
SwitchB
GE0/0/1 GE0/0/2
GE0/0/1 GE0/0/1 SwitchD

GE0/0/3 GE0/0/3
Area 0
SwitchA GE0/0/2
GE0/0/2
GE0/0/1 GE0/0/2
SwitchC
1. Enable OSPF on each Switch to implement interconnection.

2. Cancel load balancing and check the routing table.

3. (Optional) Set the preferences for equal-cost routes on SwitchA.
4. Cancel load balancing on SwitchA.
[SwitchA] ospf
[SwitchA-ospf-1] maximum load-balancing 1
# Check the routing table of SwitchA.

------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10

10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.2.0/24 Direct 0 0 D 10.1.2.1 Vlanif20
10.1.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
172.16.1.0/24 Direct 0 0 D 172.16.1.1 Vlanif50
172.16.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif50
172.17.1.0/24 OSPF 10 3 D 10.1.1.2 Vlanif10
192.168.0.0/24 OSPF 10 2 D 10.1.1.2 Vlanif10
192.168.1.0/24 OSPF 10 2 D 10.1.2.2 Vlanif20
As shown in the routing table, when the maximum number of the equal-cost routes is 1,
the next hop to the destination network segment 172.17.1.0 is 10.1.1.2.
NOTE
In the preceding example, 10.1.1.2 is selected as the optimal next hop. This is because OSPF selects
the next hop of the equal-cost route randomly.
5. Restore the default number of routes for load balancing on SwitchA.
[SwitchA] ospf
[SwitchA-ospf-1] undo maximum load-balancing

----------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10

10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.2.0/24 Direct 0 0 D 10.1.2.1 Vlanif20
10.1.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
127.0.0.0/8 Direct 0 0 D 127.0.0.1
InLoopBack0

127.0.0.1/32 Direct 0 0 D 127.0.0.1

InLoopBack0
172.16.1.0/24 Direct 0 0 D 172.16.1.1 Vlanif50
172.16.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif50
172.17.1.0/24 OSPF 10 3 D 10.1.1.2 Vlanif10
OSPF 10 3 D 10.1.2.2 Vlanif20
192.168.0.0/24 OSPF 10 2 D 10.1.1.2 Vlanif10
192.168.1.0/24 OSPF 10 2 D 10.1.2.2 Vlanif20
As shown in the routing table, when the default setting of load balancing is restored, the
next hops of SwitchA, that is, 10.1.1.2 (SwitchB) and 10.1.2.2 (SwitchC), become valid
routes. This is because the default number of equal-cost routes is 8.
6. (Optional) Set the preferences for equal-cost routes on SwitchA.
If you need not perform load balancing between SwitchB and SwitchC, set the preferences
for equal-cost routes and specify the next hop.
[SwitchA] ospf
[SwitchA-ospf-1] nexthop 10.1.2.2 weight 1

------------------------------------------------------------------------------

10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.2.0/24 Direct 0 0 D 10.1.2.1 Vlanif20
10.1.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
127.0.0.0/8 Direct 0 0 D 127.0.0.1
InLoopBack0
127.0.0.1/32 Direct 0 0 D 127.0.0.1
InLoopBack0
172.16.1.0/24 Direct 0 0 D 172.16.1.1 Vlanif50
172.16.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif50
172.17.1.0/24 OSPF 10 3 D 10.1.2.2 Vlanif20
192.168.0.0/24 OSPF 10 2 D 10.1.1.2 Vlanif10
192.168.1.0/24 OSPF 10 2 D 10.1.2.2 Vlanif20
As shown in the routing table, OSPF selects the next hop 10.1.2.2 as the unique optimal
route. This is because the preference of the next hop 10.1.2.2 (SwitchC) is higher than that
of the next hop 10.1.1.2 (SwitchB) after the preferences of the equal-cost routes are set.
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 50
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif50
ip address 172.16.1.1 255.255.255.0
#


#
#
#
ospf 1 router-id 1.1.1.1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
return

#
sysname SwitchB
#
vlan batch 10 30
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 192.168.0.1 255.255.255.0
#
#
#
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.0.0 0.0.0.255
#
return

#
sysname SwitchC
#
vlan batch 20 40
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
#
interface Vlanif40
ip address 192.168.1.1 255.255.255.0
#
#
#
area 0.0.0.0
network 10.1.2.0 0.0.0.255

network 192.168.1.0 0.0.0.255

#
return

#
sysname SwitchD
#
vlan batch 30 40 60
#
interface Vlanif30
ip address 192.168.0.2 255.255.255.0
#
interface Vlanif40
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif60
ip address 172.17.1.1 255.255.255.0
#
#
#
#
area 0.0.0.0
network 192.168.0.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 172.17.1.0 0.0.0.255
#
return
5.5.6 Example for Configuring OSPF GR
As shown in Figure 5-15, Switch A and Switch B have two main control boards, which work
in active/standby mode. Switch A and Switch B belong to Area 0 and are connected through
OSPF. They also provide the GR feature.

Figure 5-15 Networking diagram for configuring OSPF GR
SwitchA SwitchB
GE0/0/1
GE0/0/1
Area 0
Switch A GigabitEthernet0/0/1 VLANIF 10 1.1.1.1/24
Switch B GigabitEthernet0/0/1 VLANIF 10 1.1.1.2/24
1. Configure the basic OSPF functions on each Switch to implement interconnection.

2. Enable the Opaque LSA function.
3. Configure GR on each Switch.
Procedure
Step 1 Configure the basic OSPF functions. See 5.5.1 Example for Configuring Basic OSPF
Functions.
Step 2 Configure the Opaque LSA function.
[SwitchA] ospf
[SwitchA-ospf-1] opaque-capability enable
[SwitchB] ospf
[SwitchB-ospf-1] opaque-capability enable
Step 3 Configure the OSPF GR feature.
[SwitchA] ospf
[SwitchA-ospf-1] graceful-restart
[SwitchB] ospf
[SwitchB-ospf-1] graceful-restart

# View the GR status of Switch A.

[SwitchA] display ospf graceful-restart

Graceful-restart capability : enabled
Graceful-restart support : planned and un-planned, totally
Helper-policy support : planned and un-planned, strict lsa check
Current GR state : normal
Graceful-restart period : 120 seconds
Number of neighbors under helper:

Normal neighbors : 0
Virtual neighbors : 0
Sham-link neighbors : 0
Total neighbors : 0
Number of restarting neighbors : 0
Last exit reason:

On graceful restart : none
On Helper : none
# Verify the GR feature of Switch A.

[SwitchA] quit
<SwitchA> reset ospf process graceful-restart
# View the neighbor status on SwitchB.

[SwitchB] display ospf peer

Neighbors

Router ID: 1.1.1.1 Address: 1.1.1.1 GR State: Doing GR
DR: 1.1.1.2 BDR: 1.1.1.1 MTU: 0
The status of the neighbor is Full.
----End
Configuration Files
#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10
#
interface Vlanif10
ip address 1.1.1.1 255.255.255.0
#
#
ospf 1

opaque-capability enable
graceful-restart
area 0.0.0.0
network 1.1.1.0 0.0.0.255
#
return

#
sysname SwitchB
#
router id 2.2.2.2
#
vlan batch 10
#
interface Vlanif10
ip address 1.1.1.2 255.255.255.0
#
#
ospf 1
graceful-restart
area 0.0.0.0
network 1.1.1.0 0.0.0.255
#
return
5.5.7 Example for Configuring OSPF-BGP
Network Requirements
As shown in Figure 5-16, all switches run BGP. An EBGP connection is established between
Switch D and Switch E. IBGP full connections are established between partial switches in AS
10, and OSPF is used as an IGP protocol.
It is required to enable OSPF-BGP linkage on Switch B so that the traffic from Switch A to AS
20 is not interrupted after Switch B restarts.

Figure 5-16 Networking diagram for configuring OSPF-BGP linkage
Loopback0
3.3.3.3/32
GE0/0/2 GE0/0/1
10.1.2.2/30 10.1.4.1/30
GE0/0/2 SwitchC Loopback0 GE0/0/2

10.1.2.1/30 4.4.4.4/32 10.3.1.1/30
GE0/0/1
SwitchE
Loopback0
1.1.1.1/32
10.1.4.2/30
SwitchA SwitchD EBGP
GE0/0/2
10.1.3.2/30 GE0/0/3 GE0/0/1
GE0/0/1
10.2.1.1/30 10.2.1.2/30
10.1.1.1/30 SwitchB Loopback0
GE0/0/1 GE0/0/2 5.5.5.5/32
10.1.1.2/30 10.1.3.1/30
Loopback0
2.2.2.2/32 AS 10 AS 20
1. Enable OSPF on Switch A, Switch B, Switch C, and Switch D (except 10.2.1.1/30) and
specify the same area for all OSPF interfaces.
2. Establish IBGP full connections between Switch A, Switch B, Switch C, and Switch D
(except 10.2.1.1/30).

3. Set the OSPF cost on Switch C.

4. Establish the EBGP connection between Switch D and Switch E.
5. Configure the OSPF process and configure BGP to import directly connected routes on
Switch D.
6. Configure BGP on Switch E.
Procedure
Step 1 Configure VLANs that interfaces belong to.
The configurations of SwitchB, SwitchC, SwitchD, and SwitchE are similar to the configuration
of SwitchA, and are not mentioned here.
Step 2 Assign an IP address to each VLANIF interface and Loopback interface.

The configurations of SwitchB, SwitchC, SwitchD, and SwitchE are similar to the configuration
Step 3 Configure basic OSPF functions.

[SwitchA] ospf 1
The configurations of SwitchB, SwitchC, and SwitchD are similar to the configuration of
Step 4 Configure an IBGP full connection.
[SwitchA] bgp 10
[SwitchA-bgp] peer 2.2.2.2 as-number 10
[SwitchA-bgp] peer 2.2.2.2 connect-interface LoopBack 0


[SwitchA-bgp] quit
[SwitchB] bgp 10
[SwitchB-bgp] peer 1.1.1.1 as-number 10
[SwitchB-bgp] peer 1.1.1.1 connect-interface LoopBack 0
[SwitchB-bgp] quit
[SwitchC] bgp 10
[SwitchC-bgp] peer 1.1.1.1 as-number 10
[SwitchC-bgp] peer 1.1.1.1 connect-interface LoopBack 0
[SwitchC-bgp] quit
[SwitchD] bgp 10
[SwitchD-bgp] peer 1.1.1.1 as-number 10
[SwitchD-bgp] peer 1.1.1.1 connect-interface LoopBack 0
[SwitchD-bgp] quit
Step 5 Configure an EBGP connection.

[SwitchD] bgp 10
[SwitchD-bgp] import-route direct
[SwitchD-bgp] import-route ospf 1
[SwitchD-bgp] quit
# Configure Switch E.
[SwitchE] bgp 20
[SwitchE] router-id 5.5.5.5
[SwitchE-bgp] peer 10.2.1.1 as-number 10
[SwitchE-bgp] ipv4-family unicast
[SwitchE-bgp-af-ipv4] network 10.3.1.0 30
[SwitchE-bgp-af-ipv4] quit
[SwitchE-bgp] quit
Step 6 Set the cost of OSPF on Switch C.

[SwitchC-Vlanif20] ospf cost 2
[SwitchC-Vlanif30] ospf cost 2
NOTE
After the cost of OSPF on Switch C is set to 2, Switch A chooses only Switch B as the intermediate router
to the network segment 10.2.1.0. Switch C becomes the backup router of Switch B.

# View the routing table of Switch A. As shown in the routing table, the route to the network
segment 10.3.1.0 can be learned through BGP, and the outgoing interface is Vlanif10.
------------------------------------------------------------------------------
1.1.1.1/32 Direct 0 0 D 127.0.0.1 LoopBack0
2.2.2.2/32 OSPF 10 1 D 10.1.1.2 Vlanif10
3.3.3.3/32 OSPF 10 1 D 10.1.2.2 Vlanif20
4.4.4.4/32 OSPF 10 2 D 10.1.1.2 Vlanif10
10.1.1.0/30 Direct 0 0 D 10.1.1.1 Vlanif10
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.2.0/30 Direct 0 0 D 10.1.2.1 Vlanif20
10.1.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
10.1.3.0/30 OSPF 10 2 D 10.1.1.2 Vlanif10
10.1.4.0/30 OSPF 10 3 D 10.1.2.2 Vlanif20
OSPF 10 3 D 10.1.1.2 Vlanif10
10.2.1.0/30 IBGP 255 0 RD 4.4.4.4 Vlanif10
10.3.1.0/30 IBGP 255 0 RD 10.2.1.2 Vlanif10
# View the routing table of Switch B.

[SwitchB] display ip routing-table
------------------------------------------------------------------------------
1.1.1.1/32 OSPF 10 1 D 10.1.1.1 Vlanif10
3.3.3.3/32 OSPF 10 2 D 10.1.1.1 Vlanif10
OSPF 10 2 D 10.1.3.2 Vlanif40
4.4.4.4/32 OSPF 10 1 D 10.1.3.2 Vlanif40
10.1.1.0/30 Direct 0 0 D 10.1.1.2 Vlanif10
10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.2.0/30 OSPF 10 2 D 10.1.1.1 Vlanif10
10.1.3.0/30 Direct 0 0 D 10.1.3.1 Vlanif40
10.1.3.1/32 Direct 0 0 D 127.0.0.1 Vlanif40
10.1.4.0/30 OSPF 10 2 D 10.1.3.2 Vlanif40
10.2.1.0/30 IBGP 255 0 RD 4.4.4.4 Vlanif40
10.3.1.0/30 IBGP 255 0 RD 10.2.1.2 Vlanif40
As shown in the routing table, Switch B learns the route to the network segment 10.3.1.0 through
BGP, and the outgoing interface is Vlanif40. The routes to the network segments 10.1.2.0 and
10.1.4.0 respectively can be learned through OSPF. The costs of the two routes are 2.
Step 7 Enable OSPF-BGP linkage on Switch B.

[SwitchB] ospf 1
[SwitchB-ospf-1] stub-router on-startup
[SwitchB] quit
# Restart Switch B.

NOTE
Confirm the action before you use the command because the command leads to the breakdown of the
network in a short time. In addition, when restarting a switch, ensure that the configuration file of the
switch is saved.
<SwitchB> reboot
System will reboot! Continue?[Y/N] y
# View the routing table of Switch A. As shown in the routing table, the route to the network
10.3.1.0 can be learned through BGP, and the outgoing interface is Vlanif20.
------------------------------------------------------------------------------
3.3.3.3/32 OSPF 10 1 D 10.1.2.2 Vlanif20
4.4.4.4/32 OSPF 10 3 D 10.1.2.2 Vlanif20
10.1.2.0/30 Direct 0 0 D 10.1.2.1 Vlanif20
10.1.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
10.1.4.0/30 OSPF 10 3 D 10.1.2.2 Vlanif20
10.2.1.0/30 IBGP 255 0 RD 4.4.4.4 Vlanif20
10.3.1.0/30 IBGP 255 0 RD 10.2.1.2 Vlanif20
# View the routing table of Switch B. As shown in the routing table, only OSPF routes exist in
the routing table temporarily and their costs are equal to or greater than 65535. This is because
IGP route convergence is faster than BGP route convergence.
------------------------------------------------------------------------------
1.1.1.1/32 OSPF 10 65535 D 10.1.1.1 Vlanif10
3.3.3.3/32 OSPF 10 65536 D 10.1.1.1 Vlanif10
4.4.4.4/32 OSPF 10 65538 D 10.1.1.1 Vlanif10
10.1.1.0/30 Direct 0 0 D 10.1.1.2 Vlanif10
10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.2.0/30 OSPF 10 65536 D 10.1.1.1 Vlanif10
10.1.3.0/30 Direct 0 0 D 10.1.3.1 Vlanif40
10.1.3.1/32 Direct 0 0 D 127.0.0.1 Vlanif40
10.1.4.0/30 OSPF 10 65538 D 10.1.1.1 Vlanif10
# View the routing table of Switch B.

------------------------------------------------------------------------------
1.1.1.1/32 OSPF 10 1 D 10.1.1.1 Vlanif10
3.3.3.3/32 OSPF 10 2 D 10.1.1.1 Vlanif10
OSPF 10 2 D 10.1.3.2 Vlanif40
4.4.4.4/32 OSPF 10 1 D 10.1.3.2 Vlanif40
10.1.1.0/30 Direct 0 0 D 10.1.1.2 Vlanif10
10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif10

10.1.2.0/30 OSPF 10 2 D 10.1.1.1 Vlanif10

10.1.3.0/30 Direct 0 0 D 10.1.3.1 Vlanif40
10.1.3.1/32 Direct 0 0 D 127.0.0.1 Vlanif40
10.1.4.0/30 OSPF 10 2 D 10.1.3.2 Vlanif40
10.2.1.0/30 IBGP 255 0 RD 4.4.4.4 Vlanif40
10.3.1.0/30 IBGP 255 0 RD 10.2.1.2 Vlanif40
As shown in the routing table, after BGP route convergence on Switch B is complete, the contents
of the routing information are the same as those before the switch restarts.
----End
Configuration Files
#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.252
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.252
#
#
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
bgp 10
peer 2.2.2.2 as-number 10
peer 2.2.2.2 connect-interface LoopBack0
#
ipv4-family unicast
undo synchronization
peer 2.2.2.2 enable
peer 3.3.3.3 enable
peer 4.4.4.4 enable
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.3
network 10.1.2.0 0.0.0.3
#
return

#
sysname SwitchB

#
router id 2.2.2.2
#
vlan batch 10 40
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.252
#
interface Vlanif40
ip address 10.1.3.1 255.255.255.252
#
#
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
bgp 10
#
ipv4-family unicast
peer 1.1.1.1 enable
peer 3.3.3.3 enable
peer 4.4.4.4 enable
#
ospf 1
stub-router on-startup
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.3.0 0.0.0.3
network 10.1.1.0 0.0.0.3
#
return

#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 20 30
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.252
ospf cost 2
#
interface Vlanif30
ip address 10.1.4.1 255.255.255.252
ospf cost 2
#
#


#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
bgp 10
#
ipv4-family unicast
peer 1.1.1.1 enable
peer 2.2.2.2 enable
peer 4.4.4.4 enable
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.1.2.0 0.0.0.3
network 10.1.4.0 0.0.0.3
#
return

#
sysname SwitchD
#
router id 4.4.4.4
#
vlan batch 30 40 50
#
interface Vlanif30
ip address 10.1.4.2 255.255.255.252
#
interface Vlanif40
ip address 10.1.3.2 255.255.255.252
#
interface Vlanif50
ip address 10.2.1.1 255.255.255.252
#
#
#
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
bgp 10

#
ipv4-family unicast
import-route direct
import-route ospf 1
peer 1.1.1.1 enable
peer 2.2.2.2 enable
peer 3.3.3.3 enable
peer 10.2.1.2 enable
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 10.1.3.0 0.0.0.3
network 10.1.4.0 0.0.0.3
#
return

#
sysname SwitchE
#
vlan batch 50 60
#
interface Vlanif50
ip address 10.2.1.2 255.255.255.252
#
interface Vlanif60
ip address 10.3.1.1 255.255.255.252
#
#
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
#
bgp 20
router-id 5.5.5.5
#
ipv4-family unicast
network 10.3.1.0 255.255.255.252
#
return
5.5.8 Example for Configuring OSPF GTSM
As shown in Figure 5-17, OSPF is run between switches, and GTSM is enabled on Switch C.
The following are the valid TTL ranges of the packets sent from each switch to Switch C:
l Switch A and Switch E are the neighboring switches of Switch C. The valid TTL range of
packets is [255, 255].

l The valid TTL ranges of the packets sent from Switch B, Switch D, and Switch F to Switch
C are [254, 255], [253, 255], and [252, 255] respectively.
Figure 5-17 Networking diagram for configuring OSPF GTSM
Area0 Switch B
Switch A GE0/0/1 GE0/0/1
192.168.0.1/24 192.168.0.2/24
GE0/0/2 GE0/0/2
192.168.1.1/24 192.168.2.1/24
GE0/0/1 GE0/0/1
192.168.1.2/24 192.168.2.2/24
Switch C Switch D
GE0/0/2 GE0/0/2
172.16.1.1/24 172.17.1.1/24
GE0/0/2 GE0/0/2
172.16.1.2/24 172.17.1.2/24
Switch E Switch F
Area1 PC Area2
SwitchA GigabitEthernet0/0/1 VLANIF 10 192.168.0.1/24
SwitchA GigabitEthernet0/0/2 VLANIF 20 192.168.1.1/24
SwitchB GigabitEthernet0/0/1 VLANIF 10 192.168.0.2/24
SwitchB GigabitEthernet0/0/2 VLANIF 30 192.168.2.1/24
SwitchC GigabitEthernet0/0/1 VLANIF 20 192.168.1.2/24
SwitchC GigabitEthernet0/0/2 VLANIF 40 172.16.1.1/24
SwitchD GigabitEthernet0/0/1 VLANIF 30 192.168.2.2/24
SwitchD GigabitEthernet0/0/2 VLANIF 50 172.17.1.1/24
SwitchE GigabitEthernet0/0/2 VLANIF 40 172.16.1.2/24
SwitchF GigabitEthernet0/0/2 VLANIF 50 172.17.1.2/24
1. Configure basic OSPF functions.

2. Enable GTSM on each switch and specify the valid TTL range of packets.

Procedure
The configurations of SwitchB, SwitchC, SwitchD, SwitchE, and SwitchF are similar to the
configuration of SwitchA, and are not mentioned here.
Step 2 Assign an IP address to each VLANIF interface.
The configurations of SwitchB, SwitchC, SwitchD, SwitchE, and SwitchF are similar to the
Step 3 Configure basic OSPF functions. The configuration details see 5.5.1 Example for Configuring
Basic OSPF Functions.
Step 4 Configure OSPF GTSM.
# Configure the valid TTL range of packets from Switch C to other switches as [252, 255].
[SwitchC] ospf valid-ttl-hops 4
# Configure the valid TTL range of packets from Switch A to Switch C as [255, 255].
[SwitchA] ospf valid-ttl-hops 1
# Configure the valid TTL range of packets from Switch B to Switch C as [254, 255].
[SwitchB] ospf valid-ttl-hops 2
# Configure the valid TTL range of packets from Switch D to Switch C as [253, 255].
[SwitchD] ospf valid-ttl-hops 3
# Configure the valid TTL range of packets from Switch E to Switch C as [255, 255].
[SwitchE] ospf valid-ttl-hops 1
# Configure the valid TTL range of packets from Switch F to Switch C as [252, 255].
[SwitchF] ospf valid-ttl-hops 4

# Check whether OSPF neighbors between switches are established normally. Take Switch A
as an example. You can view the status of the neighbor relationship is Full, that is, neighbors
are established normally.


Neighbors
DR: 192.168.0.1 BDR: 192.168.0.2 MTU: 0
Neighbors
DR: 192.168.1.1 BDR: 192.168.1.2 MTU: 0
# Run the display gtsm statistics all command on Switch C. You can view the GTSM statistics.
If the default action performed on packets is "pass" and all the packets are valid, the number of
dropped packets is 0.
<SwitchC> display gtsm statistics all
GTSM Statistics Table
----------------------------------------------------------------
SlotId Protocol Total Counters Drop Counters Pass Counters
----------------------------------------------------------------
0 BGP 0 0 0
0 BGPv6 0 0 0
0 OSPF 0 0 0
0 LDP 0 0 0
----------------------------------------------------------------
----------------------------------------------------------------
If the host simulates the OSPF packets of Switch A to attack Switch C, the packets are dropped
because the TTL value is not 255 when the packets reach Switch C. In the GTSM statistics of
Switch C, the number of dropped packets also increases.
----End
Configuration Files
#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.0.1 255.255.255.0
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
#
#

#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.1
network 192.168.1.0 0.0.0.255
#
ospf valid-ttl-hops 1
#
return

#
sysname SwitchB
#
router id 2.2.2.2
#
vlan batch 10 30
#
interface Vlanif10
ip address 192.168.0.2 255.255.255.0
#
interface Vlanif30
ip address 192.168.2.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 192.168.0.0 0.0.0.255
area 0.0.0.2
network 192.168.2.0 0.0.0.255
#
#
return

#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 20 40
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.1

network 192.168.1.0 0.0.0.255

network 172.16.1.0 0.0.0.255
#
#
return

#
sysname SwitchD
#
router id 4.4.4.4
#
vlan batch 30 50
#
interface Vlanif30
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif50
ip address 172.17.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.2
network 192.168.2.0 0.0.0.255
network 172.17.1.0 0.0.0.255
#
#
return

#
sysname SwitchE
#
router id 5.5.5.5
#
vlan batch 40
#
interface Vlanif40
ip address 172.16.1.2 255.255.255.0
#
#
ospf 1
area 0.0.0.1
network 172.16.1.0 0.0.0.255
#
#
return
l Configuration file of Switch F

#
sysname SwitchF
#
router id 6.6.6.6
#

vlan batch 50
#
interface Vlanif50
ip address 172.17.1.2 255.255.255.0
#
#
ospf 1
area 0.0.0.2
network 172.17.1.0 0.0.0.255
#
#
return
5.5.9 Example for Configuring BFD for OSPF
As shown in Figure 5-18, the networking requirements are as follows:
l Switch A, Switch B, and Switch C run OSPF.

l BFD for OSPF is enabled on Switch A, Switch B, and Switch C.
l Service traffic is transmitted on the main link Switch A→Switch B. Link Switch A→Switch
C→Switch B is a backup link.
l BFD is configured on the interfaces between Switch A and Switch B. When a fault occurs
on the link between the Switch s, BFD can quickly detect the fault and notify OSPF of the
fault. Then, the service flow is transmitted on the backup link.
Figure 5-18 Networking diagram for configuring BFD for OSPF
SwitchA SwitchB
GE0/0/2 GE0/0/3
GE0/0/2
GE0/0/1
GE0/0/1 GE0/0/1
GE0/0/1 GE0/0/2
SwitchC

Switch C GigabitEthernet0/0/1 VLANIF 10 1.1.1.2/24
Switch C GigabitEthernet0/0/2 VLANIF 30 2.2.2.1/24
1. Configure the basic OSPF functions on the Switch s.
2. Enable the BFD feature globally.
3. Enable BFD for OSPF on Switch A and Switch B.
Procedure
Step 1 Create VLANs and add corresponding interfaces to the VLANs.
[SwitchA] vlan 10
[SwitchA] vlan 20
[SwitchA] interface GigabitEthernet 0/0/1
[SwitchA] interface GigabitEthernet 0/0/2
The configurations of Switch B and Switch C are similar to the configuration of Switch A, and
The configurations of Switch B and Switch C are similar to the configuration of Switch A, and
Step 3 Configure the basic OSPF functions. See 5.5.1 Example for Configuring Basic OSPF
Functions.
Step 4 Configure BFD for OSPF.
# Enable BFD globally on Switch A.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] ospf
[SwitchA-ospf-1] bfd all-interfaces enable

# Enable BFD globally on Switch B.

[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] ospf
[SwitchB-ospf-1] bfd all-interfaces enable
# Enable BFD globally on Switch C.

[SwitchC] bfd
[SwitchC-bfd] quit
[SwitchC] ospf
[SwitchC-ospf-1] bfd all-interfaces enable
# Run the display ospf bfd session all command on Switch A or Switch B. You can see that the
BFD state is Up.
Take Switch A for example. The display is as follows:

[SwitchA] display ospf bfd session all
Area 0.0.0.0 interface 3.3.3.1(Vlanif20)'s BFD Sessions
NeighborId:2.2.2.2 AreaId:0.0.0.0 Interface:Vlanif20

BFDState:up rx :1000 tx :1000
Multiplier:3 BFD Local Dis:8195 LocalIpAdd:3.3.3.1
RemoteIpAdd:3.3.3.2 Diagnostic Info:No diagnostic information
NeighborId:3.3.3.3 AreaId:0.0.0.0 Interface:Vlanif10

Multiplier:3 BFD Local Dis:8194 LocalIpAdd1:1.1.1.1
Step 5 Configure the BFD feature of interfaces.
# Configure BFD on VLANIF 20 of Switch A, set the minimum interval for sending the packets
and the minimum interval for receiving the packets to 100 ms, and set the local detection time
multiplier to 4.
[SwitchA-Vlanif20] ospf bfd enable
[SwitchA-Vlanif20] ospf bfd min-tx-interval 100 min-rx-interval 100 detect-
multiplier 4
# Configure BFD on VLANIF20 of Switch B and set the minimum interval for sending the
packets and the minimum interval for receiving the packets to 100 ms and the local detection
time multiplier to 4.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB-Vlanif20] ospf bfd enable
[SwitchB-Vlanif20] ospf bfd min-tx-interval 100 min-rx-interval 100 detect-
multiplier 4
# Run the display ospf bfd session all command on Switch A or Switch B. You can see that the
BFD state is Up.
Take Switch B for example. The display is as follows:

[SwitchB] display ospf bfd session all

NeighborId:1.1.1.1 AreaId:0.0.0.0 Interface: Vlanif20

NeighborId:3.3.3.3 AreaId:0.0.0.0 Interface: Vlanif30

# Run the shutdown command on VLANIF 20 of Switch B to simulate a link fault.

[SwitchB-Vlanif20] shutdown
# View the routing table of Switch A.

<SwitchA> display ospf routing

Routing Tables
Routing for Network

172.16.1.1/24 3 Stub 1.1.1.2 2.2.2.2 0.0.0.0
3.3.3.0/24 1 Stub 3.3.3.1 1.1.1.1 0.0.0.0
2.2.2.0/24 2 Transit 1.1.1.2 3.3.3.3 0.0.0.0
1.1.1.0/24 1 Transit 1.1.1.1 1.1.1.1 0.0.0.0
Total Nets: 4
As shown in the OSPF routing table, the backup link Switch A→Switch C→Switch B takes
effect after the main link fails. The next hop address of the route to 172.16.1.0/24 becomes
1.1.1.2.
----End
Configuration Files
#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10 20
#
bfd
#
interface Vlanif10
ip address 1.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 3.3.3.1 255.255.255.0
ospf bfd enable

ospf bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4

#
#
#
ospf 1
bfd all-interface enable
area 0.0.0.0
network 3.3.3.0 0.0.0.255
network 1.1.1.0 0.0.0.255
#
return

#
sysname SwitchB
#
router id 2.2.2.2
#
vlan batch 20 30 40
#
bfd
#
interface Vlanif20
ip address 3.3.3.2 255.255.255.0
ospf bfd enable
#
interface Vlanif30
ip address 2.2.2.2 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
#
#
#
ospf 1
area 0.0.0.0
network 3.3.3.0 0.0.0.255
network 2.2.2.0 0.0.0.255
network 172.16.1.0 0.0.0.255
#
return

#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 10 30

#
bfd
#
interface Vlanif10
ip address 1.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 2.2.2.1 255.255.255.0
ospf bfd enable
#
#
#
ospf 1
area 0.0.0.0
network 1.1.1.0 0.0.0.255
network 2.2.2.0 0.0.0.255
#
return
5.6 OSPFv3 Configuration

By building Open Shortest Path First Version 3 (OSPFv3) networks, you can enable OSPFv3
to discover and calculate routes in ASs. OSPFv3 is applicable to a large-scale network that
consists of hundreds of switches.
5.6.1 Example for Configuring OSPFv3 Areas
As shown in Figure 5-19, OSPFv3 is enabled on all Switches and the AS is divided into three
areas. SwitchB and SwitchC serve as ABRs to forward the inter-area routes.
You need to configure Area 2 as a stub area. The LSAs advertised to this area can thus be reduced,
without affecting the reachability of routes.

Figure 5-19 Networking diagram for configuring an OSPFv3 area
SwitchB Area 0
SwitchC
VLANIF30 VLANIF30
1000::1/64 1000::2/64
GE0/0/1 GE0/0/2 GE0/0/2
GE0/0/1
VLANIF20 VLANIF40
1001::1/64 1002::1/64
GE0/0/1 GE0/0/2
VLANIF20 VLANIF40
1001::2/64 1002::2/64
SwitchA SwitchD
GE0/0/3
VLANIF10 Area 2
2000::1/64
Stub
Area 1
1. Configure IPv6 addresses for interfaces.

2. Enable the basic OSPFv3 functions on each Switch.
3. Configure Area 2 as a stub area by running the stub command on all the Switches in Area
2 and check the OSPFv3 routing table of SwitchD.
4. Configure the Area 2 as a totally stub area and check the OSPFv3 routing table of
SwitchD.
Procedure
[SwitchA] vlan 10
[SwitchA] vlan 20
The configurations of SwitchB, SwitchC, SwitchD are similar to the configuration of SwitchA
and are not mentioned here.

[SwitchA] ipv6
Step 3 Configure the basic OSPFv3 functions.
[SwitchA] ospfv3
[SwitchA-ospfv3-1] router-id 1.1.1.1
[SwitchA-ospfv3-1] quit
[SwitchA-Vlanif10] ospfv3 1 area 1
[SwitchB] ospfv3
[SwitchB-ospfv3-1] router-id 2.2.2.2
[SwitchB-ospfv3-1] quit
[SwitchB-Vlanif20] ospfv3 1 area 1
[SwitchC] ospfv3
[SwitchC-ospfv3-1] router-id 3.3.3.3
[SwitchC-ospfv3-1] quit
[SwitchC-Vlanif30] ospfv3 1 area 0
# Configure SwitchD.
[SwitchD] ospfv3
[SwitchD-ospfv3-1] router-id 4.4.4.4
[SwitchD-ospfv3-1] quit
[SwitchD] interface vlanif 40
[SwitchD-Vlanif40] ospfv3 1 area 2
[SwitchD-Vlanif40] quit
# View the status of the OSPFv3 neighbors of SwitchB.

[SwitchB] display ospfv3 peer
OSPFv3 Process (1)

OSPFv3 Area (0.0.0.1)
Neighbor ID Pri State Dead Time Interface Instance ID

1.1.1.1 1 Full/DR 00:00:34 Vlanif20 0

3.3.3.3 1 Full/Backup 00:00:32 Vlanif30 0
# View the status of the OSPFv3 neighbors of SwitchC.

[SwitchC] display ospfv3 peer
OSPFv3 Process (1)

Area (0.0.0.0)
2.2.2.2 1 Full/DR 00:00:37 Vlanif30 0
# View the OSPFv3 routing table of SwitchD.

[SwitchD] display ospfv3 routing
Codes : E2 - Type 2 External, E1 - Type 1 External, IA - Inter-Area,
N - NSSA, U - Uninstalled
OSPFv3 Process (1)
Destination Metric
Next-hop
IA 1000::/64 2
via FE80::1572:0:5EF4:1, Vlanif40
IA 1001::/64 3
via FE80::1572:0:5EF4:1, Vlanif40
1002::/64 1
directly-connected, Vlanif40
IA 2000::/64 4
via FE80::1572:0:5EF4:1, Vlanif40
Step 4 Configure the stub areas.

# Configure the stub area of SwitchD.
[SwitchD] ospfv3
[SwitchD-ospfv3-1] area 2
[SwitchD-ospfv3-1-area-0.0.0.2] stub
[SwitchD-ospfv3-1-area-0.0.0.2] quit
# Configure the stub area of SwitchC, and set the cost of the default route advertised to the stub
area to 10.
[SwitchC] ospfv3
[SwitchC-ospfv3-1] area 2
[SwitchC-ospfv3-1-area-0.0.0.2] stub
[SwitchC-ospfv3-1-area-0.0.0.2] default-cost 10
[SwitchC-ospfv3-1-area-0.0.0.2] quit
# View the OSPFv3 routing table of SwitchD, and you can see a new default route in the routing
table. The cost of the default route is the sum of the cost of the directly connected routes and the
configured cost.
OSPFv3 Process (1)
Destination Metric
Next-hop
IA ::/0 11
via FE80::1572:0:5EF4:1, vlanif40
IA 1000::/64 2
via FE80::1572:0:5EF4:1, vlanif40
IA 1001::/64 3

via FE80::1572:0:5EF4:1, vlanif40

1002::/64 1
directly-connected, vlanif40
IA 2000::/64 4
via FE80::1572:0:5EF4:1, vlanif40
Step 5 Configure the totally sub area.
# On SwitchC, configure Area 2 as the totally stub area.

[SwitchC] ospfv3
[SwitchC-ospfv3-1-area-0.0.0.2] stub no-summary
[SwitchC-ospfv3-1-area-0.0.0.2] quit
# View the OSPFv3 routing table of SwitchD, and you can see that the entries in the routing
table are reduced; other non-directly connected routes are suppressed; only the default route is
reserved.
OSPFv3 Process (1)
Destination Metric
Next-hop
IA ::/0 11
via FE80::1572:0:5EF4:1, vlanif40
1002::/64 1
directly-connected, vlanif40
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 10 20
#
interface Vlanif10
ipv6 enable
ospfv3 1 area 0.0.0.1
#
interface Vlanif20
ipv6 enable
#
#
#
ospfv3 1
router-id 1.1.1.1

#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 20 30
#
interface Vlanif20
ipv6 enable
#
interface Vlanif30
ipv6 enable
#
#
#
ospfv3 1
router-id 2.2.2.2
#
return

#
sysname SwitchC
#
ipv6
#
vlan batch 30 40
#
interface Vlanif30
ipv6 enable
#
interface Vlanif40
ipv6 enable
#
#
#
ospfv3 1
router-id 3.3.3.3
area 0.0.0.2
stub no-summary
default-cost 10
#
return


#
sysname SwitchD
#
ipv6
#
vlan batch 40
#
interface Vlanif40
ipv6 enable
#
#
ospfv3 1
router-id 4.4.4.4
area 0.0.0.2
stub
#
return
5.6.2 Example for Configuring DR Election Through OSPFv3
As shown in Figure 5-20, the priority of SwitchA is 100, which is the highest priority on the
network; therefore, SwitchA is elected as the DR. SwitchC, which has the second highest
priority, is elected as the BDR. The priority of SwitchB is 0, which means that it cannot become
the DR. SwitchD is not configured with a priority, that is, SwitchD uses the default priority,
namely, 1.
Figure 5-20 Networking diagram for configuring DR election through OSPFv3
SwitchA SwitchB
GE0/0/1 GE0/0/1
VLANIF10 VLANIF10
1001::1/64 1001::2/64
GE0/0/1 GE0/0/1
VLANIF10 VLANIF10
1001::3/64 1001::4/64
SwitchC SwitchD


2. Configure the router ID of each Switch, enable OSPFv3, and specify the network segments.
3. Check the DR/BDR status of each Switch when the default priority is used.
4. Set the DR priority of the interface on each Switch and check whether the Switch becomes
the DR or BDR.
Procedure
[SwitchA] vlan 10

[SwitchA] ipv6
# On SwitchA, enable OSPFv3 and set the router ID to 1.1.1.1.

[SwitchA] ospfv3
# On SwitchB, enable OSPFv3 and set the router ID to 2.2.2.2.

[SwitchB] ospfv3
# On SwitchC, enable OSPFv3 and set the router ID to 3.3.3.3.

[SwitchC] ospfv3
# On SwitchD, enable OSPFv3 and set the router ID to 4.4.4.4.

[SwitchD] ospfv3
Check the neighbors of SwitchA. You can view the DR priority and the neighbor status. By
default, the DR priority is 1. Now SwitchD functions as the DR and SwitchC functions as the
BDR.
NOTE
When the priorities of two Switches are the same, the Switch that has a greater router ID is elected as the
DR. If the VLANIF interface of an Switch becomes the DR, the other broadcast interfaces of this Switch
have a high priority in the future DR election. That is, the Switch still functions as the DR. The DR cannot
be preempted.
[SwitchA] display ospfv3 peer
OSPFv3 Process (1)

2.2.2.2 1 2-Way/DROther 00:00:32 Vlanif10 0
4.4.4.4 1 Full/DR 00:00:38 Vlanif10 0
# View the neighbors of SwitchD, and you can see that the status of the neighbor relationship
between SwitchD and other devices is Full.
[SwitchD] display ospfv3 peer
OSPFv3 Process (1)

1.1.1.1 1 Full/DROther 00:00:32 Vlanif10 0
Step 4 Configure the DR priorities of interfaces.

# Configure the DR priority of SwitchA to 100.
[SwitchA-Vlanif10] ospfv3 dr-priority 100
# Configure the DR priority of SwitchB to 0.

[SwitchB-Vlanif10] ospfv3 dr-priority 0
# Configure the DR priority of SwitchC to 2.

[SwitchC-Vlanif10] ospfv3 dr-priority 2
# View the neighbors of SwitchA, and you can see that the other DR priority is updated but the
DR and BDR are unchanged.
OSPFv3 Process (1)



4.4.4.4 1 Full/DR 00:00:31 Vlanif10 0
# View the neighbors of SwitchD, and you can see that the other DR priority is updated.
OSPFv3 Process (1)

Step 5 Perform DR/BDR election again.

# Restart all Switches (or run the shutdown and undo shutdown commands on the VLANIF
interface that establishes the OSPFv3 neighbor relationship) to re-elect the DR and BDR.
# View the neighbors of SwitchA, and you can see that SwitchC is the BDR.
OSPFv3 Process (1)

# View the neighbors of SwitchD, and you can see that SwitchA is the DR.
OSPFv3 Process (1)

1.1.1.1 100 Full/DR 00:00:39 Vlanif10 0
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 10
#
interface Vlanif10
ipv6 enable
ospfv3 dr-priority 100
#
#

ospfv3 1
router-id 1.1.1.1
#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 10
#
interface Vlanif10
ipv6 enable
#
#
ospfv3 1
router-id 2.2.2.2
#
return

#
sysname SwitchC
#
ipv6
#
vlan batch 10
#
interface Vlanif10
ipv6 enable
#
#
ospfv3 1
router-id 3.3.3.3
#
return

#
sysname SwitchD
#
ipv6
#
vlan batch 10
#
interface Vlanif10
ipv6 enable
#

#
ospfv3 1
router-id 4.4.4.4
#
return
5.6.3 Example for Configuring the OSPFv3 Virtual Link
As shown in Figure 5-21, OSPFv3 is enabled on all Switches and the AS is divided into three
areas. SwitchB and SwitchC serve as ABRs to forward the inter-area routes. Area 2 is not directly
connected to the backbone area, Area 0. Area 1 is the area between Area 0 and Area 2.
You need to configure a virtual link in Area 1 where SwitchB and SwitchC are located so that
SwitchA and SwitchD can communicate with each other.
Figure 5-21 Networking diagram for configuring OSPFv3 virtual links
Area 2 Area 1 Area 0
VLANIF10 VLANIF20 VLANIF30

1001::2/64 1000::2/64 1002::2/64
GE0/0/1 GE0/0/2 GE0/0/2
GE0/0/1 GE0/0/2 GE0/0/1
1001::1/64 1000::1/64 1002::1/64
SwitchA SwitchB SwitchC SwitchD

3. Configure a virtual link between SwitchB and SwitchC to connect the non-backbone areas
to the backbone area.
Procedure

[SwitchA] ipv6
[SwitchA] ospfv3

[SwitchB] ospfv3

[SwitchC] ospfv3
# On SwitchD, enable OSPFv3 and set the router ID to 4.4.4.4.

[SwitchD] ospfv3
# View the OSPFv3 routing table of SwitchC, and you can see that the routing table of
SwitchC does not contain the routes of Area 2 because Area 2 is not directly connected to Area
0.
[SwitchC] display ospfv3 routing
OSPFv3 Process (1)
Destination Metric

Next-hop
1000::/64 1
directly connected, Vlanif20
1002::/64 1
Step 4 Configure a vritual link in Area 1 where SwitchB and SwitchC are located.
[SwitchB] ospfv3
[SwitchB-ospfv3-1] area 1
[SwitchB-ospfv3-1-area-0.0.0.1] vlink-peer 3.3.3.3
[SwitchB-ospfv3-1-area-0.0.0.1] return
[SwitchC] ospfv3
[SwitchC-ospfv3-1-area-0.0.0.1] vlink-peer 2.2.2.2
[SwitchC-ospfv3-1-area-0.0.0.1] return
# Check the OSPFv3 routing table of SwitchC.

<SwitchC> display ospfv3 routing
OSPFv3 Process (1)
Destination Metric
Next-hop
1000::/64 1
1000::1/128 1
via FE80::4D67:0:EB7D:2, Vlanif20
1000::2/128 0
IA 1001::/64 2
via FE80::4D67:0:EB7D:2, Vlanif20
1002::/64 1
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 10
#
interface Vlanif10
ipv6 enable
#
#
ospfv3 1
router-id 1.1.1.1

#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 10 20
#
interface Vlanif10
ipv6 enable
#
interface Vlanif20
ipv6 enable
#
#
#
ospfv3 1
router-id 2.2.2.2
area 0.0.0.1
vlink-peer 3.3.3.3
#
return

#
sysname SwitchC
#
ipv6
#
vlan batch 20 30
#
interface Vlanif20
ipv6 enable
#
interface Vlanif30
ipv6 enable
#
#
#
ospfv3 1
router-id 3.3.3.3
area 0.0.0.1
vlink-peer 2.2.2.2

#
return

#
sysname SwitchD
#
ipv6
#
vlan batch 30
#
interface Vlanif30
ipv6 enable
#
#
ospfv3 1
router-id 4.4.4.4
#
return
5.6.4 Example for Configuring OSPFv3 GR
As shown in Figure 5-22, SwitchA, SwitchB, and SwitchC belong to the same OSPFv3 area.
They communicate with each other through the OSPFv3 protocol and are enabled with GR.
When OSPFv3 adjacencies are established between SwitchA, SwitchC, and SwitchB, the three
switches can exchange routing information. If the OSPFv3 protocol restarts on SwitchA,
SwitchA synchronizes data with the neighboring switches through GR.
Figure 5-22 Networking diagram for configuring OSPFv3 GR
VLANIF10 VLANIF10 VLANIF20 VLANIF20

1000::1/64 1000::2/64 2000::1/64 2000::2/64
GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1
SwitchA SwitchB SwitchC

1.1.1.1 2.2.2.2 3.3.3.3

3. Enable the OSPFv3 helper in the OSPFv3 view of SwitchB.
4. Enable the OSPFv3 GR in the OSPFv3 view of SwitchA.

Procedure
[SwitchA] vlan 10
not mentioned here.

[SwitchA] ipv6
not mentioned here.

[SwitchA] ospfv3 100

[SwitchB] ospfv3 100

[SwitchC] ospfv3 100
Step 4 Enable OSPFv3 GR for SwitchA.

[SwitchA-ospfv3-100] graceful-restart
Step 5 Enable OSPFv3 helper for SwitchB.

[SwitchB] ospfv3 100

[SwitchB-ospfv3-100] helper-role

# Run the display ipv6 fib command on SwitchA to view the FIB information.
<SwitchA> display ipv6 fib
IPv6 FIB Table:
Total number of Routes : 5
Destination: ::1 PrefixLength: 128
NextHop : ::1 Flag : HU
Interface : InLoopBack0 Tunnel ID : 0x0
TimeStamp : 2007-06-25 17:31:46
Destination: FE80:: PrefixLength: 10
NextHop : :: Flag : BU
Interface : NULL0 Tunnel ID : 0x0
TimeStamp : 2007-06-25 17:31:46
Destination: 1000::1 PrefixLength: 128
TimeStamp : 2007-06-25 17:31:46
Destination: 1000:: PrefixLength: 64
NextHop : 1000::1 Flag : U
Interface : Vlanif10 Tunnel ID : 0x0
TimeStamp : 2007-06-25 17:31:46
NextHop : FE80::200:1FF:FE00:200 Flag : DGU
TimeStamp : 2007-06-25 17:31:46
# Restart OSPFv3 process 100 on SwitchA without using the GR mechanism.

<SwitchA> reset ospfv3 100
# Run the display ipv6 fib command on SwitchA immediately to view the FIB information.
IPv6 FIB Table:
TimeStamp : 2007-06-25 17:31:46
TimeStamp : 2007-06-25 17:31:46
TimeStamp : 2007-06-25 17:31:46
TimeStamp : 2007-06-25 17:31:46
The preceding information shows that the FIB information on SwitchA is modified and the
forwarding service is affected.
# Restart OSPFv3 process 100 on SwitchA by using the GR mechanism.
<SwitchA> reset ospfv3 100 graceful-restart
# Run the display ipv6 fib command on SwitchA immediately to view the FIB information.
Check whether GR functions normally. If GR functions normally, the FIB information is not

modified and the forwarding is not affected when you restart the OSPFv3 process through GR
on SwitchA.
IPv6 FIB Table:
TimeStamp : 2007-06-25 17:31:46
TimeStamp : 2007-06-25 17:31:46
TimeStamp : 2007-06-25 17:31:46
TimeStamp : 2007-06-25 17:31:46
NextHop : FE80::200:1FF:FE00:200 Flag : DGU
TimeStamp : 2007-06-25 17:31:46
The preceding information shows that the FIB information on SwitchA is not modified and the
forwarding is not affected.
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 10
#
interface Vlanif10
ipv6 enable
ospfv3 100 area 0.0.0.0
#
#
ospfv3 100
router-id 1.1.1.1
graceful-restart
#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 10 20

#
interface Vlanif10
ipv6 enable
ospfv3 100 area 0.0.0.0
#
interface Vlanif20
ipv6 enable
ospfv3 100 area 0.0.0.0
#
#
#
ospfv3 100
router-id 2.2.2.2
helper-role
#
return

#
sysname SwitchC
#
ipv6
#
vlan batch 20
#
interface Vlanif20
ipv6 enable
ospfv3 100 area 0.0.0.0
#
#
ospfv3 100
router-id 3.3.3.3
#
return

autonomous system (AS).
5.7.1 Example for Configuring Basic IS-IS Functions

As shown in Figure 5-23, there are four switches (SwitchA, SwitchB, SwitchC, and SwitchD)
on the network. The four switches need to communicate with each other. SwitchA and SwitchB
can only process a small amount of data because they have lower performance than the other
two switches.

Figure 5-23 Networking diagram of configuring basic IS-IS functions
SwitchA
L1
GE0/0/1
VLANIF10
10.1.1.2/24
GE0/0/2
SwitchC GE0/0/1 VLANIF40
GE0/0/1
VLANIF10 L1/2 VLANIF30 172.16.1.1/24
10.1.1.1/24 192.168.0.2/24
IS-IS
Area 10 GE0/0/2 GE0/0/3
VLANIF20 VLANIF30 SwitchD
10.1.2.1/24 192.168.0.1/24 L2
GE0/0/1 IS-IS
VLANIF20 Area 20
10.1.2.2/24
SwitchB
L1
1. Enable IS-IS on each switch so that the switches can be interconnected. Configure SwitchA
and SwitchB as Level-1 devices to enable them to maintain less data.
Procedure

Step 3 Run the IS-IS progress on each Switch, specify the network entity title, and configure the level.
[SwitchA] isis 1
[SwitchA-isis-1] is-level level-1

[SwitchA-isis-1] network-entity 10.0000.0000.0001.00

[SwitchA-isis-1] quit
[SwitchB] isis 1
[SwitchB-isis-1] is-level level-1
[SwitchB-isis-1] network-entity 10.0000.0000.0002.00
[SwitchB-isis-1] quit
[SwitchC] isis 1
[SwitchC-isis-1] network-entity 10.0000.0000.0003.00
[SwitchC-isis-1] quit
[SwitchD] isis 1
[SwitchD-isis-1] is-level level-2
[SwitchD-isis-1] network-entity 20.0000.0000.0004.00
[SwitchD-isis-1] quit
Step 4 Enable the IS-IS progress on each interface.
[SwitchA-Vlanif10] isis enable 1
[SwitchB-Vlanif20] isis enable 1
[SwitchC-Vlanif10] isis enable 1
[SwitchD-Vlanif30] isis enable 1
# View the IS-IS LSDB of each Switch.

[SwitchA] display isis lsdb
Database information for ISIS(1)

--------------------------------
Level-1 Link State Database
LSPID Seq Num Checksum Holdtime Length ATT/P/OL

-------------------------------------------------------------------------------
0000.0000.0001.00-00* 0x0000006e 0x953e 862 68 0/0/0
0000.0000.0002.00-00 0x0000006a 0xc015 766 68 0/0/0
0000.0000.0002.01-00 0x00000008 0xccb6 766 55 0/0/0

0000.0000.0003.00-00 0x00000086 0x529e 1155 111 1/0/0

0000.0000.0003.01-00 0x0000005e 0xf238 1155 55 0/0/0
Total LSP(s): 5
*(In TLV)-Leaking Route, *(By LSPID)-Self LSP, +-Self LSP(Extended),
ATT-Attached, P-Partition, OL-Overload
[SwitchB] display isis lsdb

--------------------------------

-------------------------------------------------------------------------------
0000.0000.0001.00-00 0x0000006e 0x953e 899 68 0/0/0
0000.0000.0002.00-00* 0x0000006a 0xc015 808 68 0/0/0
0000.0000.0002.01-00* 0x00000008 0xccb6 808 55 0/0/0
0000.0000.0003.00-00 0x00000086 0x529e 1195 111 1/0/0
0000.0000.0003.01-00 0x0000005e 0xf238 1195 55 0/0/0
Total LSP(s): 5
[SwitchC] display isis lsdb

--------------------------------

-------------------------------------------------------------------------------
0000.0000.0001.00-00 0x0000006e 0x953e 953 68 0/0/0
0000.0000.0002.00-00 0x0000006a 0xc015 859 68 0/0/0
0000.0000.0002.01-00 0x00000008 0xccb6 859 55 0/0/0
0000.0000.0003.00-00* 0x00000085 0x549d 937 111 1/0/0
0000.0000.0003.01-00* 0x0000005d 0xf437 937 55 0/0/0
Total LSP(s): 5

-------------------------------------------------------------------------------
0000.0000.0003.00-00* 0x0000008a 0x513c 876 100 0/0/0
0000.0000.0004.00-00 0x00000063 0x48ad 761 84 0/0/0
0000.0000.0004.01-00 0x0000005b 0x3aef 761 55 0/0/0
Total LSP(s): 3
[SwitchD] display isis lsdb

--------------------------------

-------------------------------------------------------------------------------

0000.0000.0003.00-00 0x0000008a 0x513c 901 100 0/0/0

0000.0000.0004.00-00* 0x00000063 0x48ad 789 84 0/0/0
0000.0000.0004.01-00* 0x0000005b 0x3aef 789 55 0/0/0
Total LSP(s): 3
# View the IS-IS routing table of each Switch. A default route is available in the routing table
of the Level-1 devices and the next hop is a Level-1-2 device. The routing table of the Level-2
device contains all Level-1 and Level-2 routes.
[SwitchA] display isis route
Route information for ISIS(1)

-----------------------------
ISIS(1) Level-1 Forwarding Table

--------------------------------
IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags

-------------------------------------------------------------------------------
0.0.0.0/0 10 NULL Vlanif10 10.1.1.1 A/-/-/-
192.168.0.0/24 20 NULL Vlanif10 10.1.1.1 A/-/-/-
10.1.1.0/24 10 NULL Vlanif10 Direct D/-/L/-
10.1.2.0/24 20 NULL Vlanif10 10.1.1.1 A/-/-/-
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
U-Up/Down Bit Set
[SwitchB] display isis route

-----------------------------

--------------------------------

-------------------------------------------------------------------------------
0.0.0.0/0 10 NULL Vlanif20 10.1.2.1 A/-/-/-
192.168.0.0/24 20 NULL Vlanif20 10.1.2.1 A/-/-/-
10.1.1.0/24 20 NULL Vlanif20 10.1.2.1 A/-/-/-
U-Up/Down Bit Set
[SwitchC] display isis route

-----------------------------

--------------------------------

-------------------------------------------------------------------------------
U-Up/Down Bit Set

--------------------------------

-------------------------------------------------------------------------------

172.16.1.0/24 20 NULL Vlanif30 192.168.0.2 A/-/-/-

U-Up/Down Bit Set
[SwitchD] display isis route

-----------------------------

--------------------------------

-------------------------------------------------------------------------------
10.1.1.0/24 20 NULL Vlanif30 192.168.0.1 A/-/-/-
10.1.2.0/24 20 NULL Vlanif30 192.168.0.1 A/-/-/-
U-Up/Down Bit Set
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
isis 1
is-level level-1
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
isis enable 1
#
#
return

#
sysname SwitchB
#
vlan batch 20
#
isis 1
is-level level-1
network-entity 10.0000.0000.0002.00
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
isis enable 1
#

#
return

#
sysname SwitchC
#
vlan batch 10 20 30
#
isis 1
network-entity 10.0000.0000.0003.00
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
isis enable 1
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
isis enable 1
#
interface Vlanif30
ip address 192.168.0.1 255.255.255.0
isis enable 1
#
#
#
#
return

#
sysname SwitchD
#
vlan batch 30 40
#
isis 1
is-level level-2
network-entity 20.0000.0000.0004.00
#
interface Vlanif30
ip address 192.168.0.2 255.255.255.0
isis enable 1
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
isis enable 1
#
#
#
Return

5.7.2 Example for Configuring IS-IS Route Aggregation
As shown in Figure 5-24, three switches run IS-IS to communicate with each other. SwitchA
is a Level-2 device, SwitchB is a Level-1-2 device, and SwitchC is a Level-1 device. SwitchA
is heavily loaded because there are too many routing entries on the IS-IS network. Therefore,
system resource consumption of SwitchA needs to be reduced.
Figure 5-24 Networking diagram for configuring IS-IS route aggregation
GE0/0/2
Network1 VLANIF20
172.1.1.0/24 172.1.1.1/24
SwitchB
SwitchC GE0/0/1 SwitchA
GE0/0/3 GE0/0/1 L1/L2
L1 VLANIF50 L2
VLANIF30 VLANIF10
172.1.2.1/24 172.1.4.2/24 172.2.1.1/24
Network2
172.1.2.0/24 GE0/0/1 GE0/0/2
VLANIF10 VLANIF50
172.1.4.1/24 172.2.1.2/24
Area20
GE0/0/4 Area10
VLANIF40
Network3
172.1.3.1/24
172.1.3.0/24
1. Configure IP addresses for interfaces and enable IS-IS on each switch so that the switches
can be interconnected.
2. Configure route summarization on SwitchB to reduce the routing table size of SwitchA
without affecting data forwarding so that the system resource consumption of SwitchA can
be reduced.
Procedure


Step 3 Configure the basic IS-IS functions.
[SwitchA] isis 1
[SwitchB] isis 1
[SwitchC] isis 1
[SwitchC-isis-1] is-level level-1
The configurations of the VLANIF 20, VLANIF 30, and VLANIF 40 interfaces are similar to
the configuration of VLANIF 10, and are not mentioned here.
Step 4 Check the IS-IS routing table of SwitchA.

[SwitchA]display isis route

-----------------------------

--------------------------------

-------------------------------------------------------------------------
172.1.1.0/24 30 NULL Vlanif50 172.2.1.2 A/-/-/-
172.1.2.0/24 30 NULL Vlanif50 172.2.1.2 A/-/-/-
172.1.3.0/24 30 NULL Vlanif50 172.2.1.2 A/-/-/-
172.1.4.0/24 20 NULL Vlanif50 172.2.1.2 A/-/-/-


U-Up/Down Bit Set
Step 5 Configure route aggregation on SwitchB.
# Aggregate 172.1.1.0/24, 172.1.2.0/24, 172.1.3.0./24, and 172.1.4.0/24 as 172.1.0.0/16 on

SwitchB.
[SwitchB] isis 1
[SwitchB-isis-1] summary 172.1.0.0 255.255.0.0 level-1-2
# Check the routing table of SwitchA, and you can find that 172.1.1.0/24, 172.1.2.0/24,
172.1.3.0./24 and 172.1.4.0/24 are aggregated as 172.1.0.0/16.

-----------------------------

--------------------------------

-------------------------------------------------------------------------
172.1.0.0/16 20 NULL Vlanif50 172.2.1.2 A/-/-/-

U-Up/Down Bit Set
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 50
#
isis 1
is-level level-2
network-entity 20.0000.0000.0001.00
#
interface Vlanif50
ip address 172.2.1.1 255.255.255.0
isis enable 1
#
#
return

#
sysname SwitchB
#
vlan batch 10 50
#
isis 1
network-entity 10.0000.0000.0002.00

summary 172.1.0.0 255.255.0.0 level-1-2

#
interface Vlanif10
ip address 172.1.4.2 255.255.255.0
isis enable 1
#
interface Vlanif50
ip address 172.2.1.2 255.255.255.0
isis enable 1
#
#
#
return

#
sysname SwitchC
#
#
isis 1
is-level level-1
network-entity 10.0000.0000.0003.00
#
interface Vlanif10
ip address 172.1.4.1 255.255.255.0
isis enable 1
#
interface Vlanif20
ip address 172.1.1.1 255.255.255.0
isis enable 1
#
interface Vlanif30
ip address 172.1.2.1 255.255.255.0
isis enable 1
#
interface Vlanif40
ip address 172.1.3.1 255.255.255.0
isis enable 1
#
#
#
#
#
return

5.7.3 Example for Configuring the DIS Election
As shown in Figure 5-25, four switches on the broadcast network communicate using IS-IS.
SwitchA and SwitchB are Level-1-2 devices, SwitchC is a Level-1 device, and SwitchD is a
Level-2 device. SwitchA with high performance needs to be configured as a Level-2 DIS.
Figure 5-25 Networking diagram for configuring the DIS election
SwitchA SwitchB
L1/L2 L1/L2
GE0/0/1 GE0/0/1
VLANIF10 VLANIF10
10.1.1.1/24 10.1.1.2/24
GE0/0/1 GE0/0/1
VLANIF10 VLANIF10
10.1.1.3/24 10.1.1.4/24
SwitchC SwitchD
L1 L2
1. Configure IS-IS to enable network interconnectivity.

2. Configure the DIS priority of Switch A to 100 so that SwitchA can be elected as a Level-2
DIS.
Procedure


Step 3 View the MAC address of the VLANIF 10 interface on each Switch.
# View the MAC address of the VLANIF 10 interface on SwitchA.

[SwitchA] display arp interface vlanif 10
IP ADDRESS MAC ADDRESS EXPIRE(M) TYPE INTERFACE VPN-INSTANCE
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.1 00e0-fc10-afec I - Vlanif10
------------------------------------------------------------------------------
# View the MAC address of the VLANIF 10 interface on SwitchB.

[SwitchB] display arp interface vlanif 10
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.2 00e0-fccd-acdf I - Vlanif10
------------------------------------------------------------------------------
# View the MAC address of the VLANIF 10 interface on SwitchC.

[SwitchC] display arp interface vlanif 10
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.3 00e0-fc50-25fe I - Vlanif10
------------------------------------------------------------------------------
# View the MAC address of the VLANIF 10 interface on SwitchD.

[SwitchD] display arp interface vlanif 10
VLAN/CEVLAN PVC
------------------------------------------------------------------------------
10.1.1.4 00e0-fcfd-305c I - Vlanif10
------------------------------------------------------------------------------
Step 4 Configure the basic IS-IS functions.
[SwitchA] isis 1
[SwitchB] isis 1
[SwitchC] isis 1


[SwitchD] isis 1
# View information about the IS-IS neighbors of SwitchA.

[SwitchA] display isis peer
Peer information for ISIS(1)

System Id Interface Circuit Id State HoldTime Type
PRI
----------------------------------------------------------------------------------
---
0000.0000.0002 Vlanif10 0000.0000.0002.01 Up 9s L1(L1L2)
64
0000.0000.0003 Vlanif10 0000.0000.0002.01 Up 27s L1
64
0000.0000.0002 Vlanif10 0000.0000.0004.01 Up 28s L2(L1L2)
64
0000.0000.0004 Vlanif10 0000.0000.0004.01 Up 8s L2
64
Total Peer(s): 4
# View information about the IS-IS interface of SwitchA.

[SwitchA] display isis interface
Interface information for ISIS(1)

---------------------------------
Interface Id IPV4.State IPV6.State MTU Type DIS
Vlanif10 001 Up Down 1497 L1/L2 No/No
# View information about the IS-IS interface of SwitchB.

[SwitchB] display isis interface

---------------------------------
Vlanif10 001 Up Down 1497 L1/L2 Yes/No
# View information about the IS-IS interface of SwitchD.

[SwitchD] display isis interface

---------------------------------
Vlanif10 001 Up Down 1497 L1/L2 No/Yes
NOTE
When the default DIS priority is used, the interface on SwitchB has the greatest MAC address among all
the interfaces on the Level-1 Switches. Therefore, SwitchB is elected as the Level-1 DIS. The interface on
SwitchD has the greatest MAC address among all the interfaces on the Level-2 Switches. Therefore,
SwitchD is elected as the Level-2 DIS. The Level-1 pseudonode is 0000.0000.0002.01. The Level-2
pseudonode is 0000.0000.0004.01.

Step 5 Set the DIS priority of SwitchA.

[SwitchA-Vlanif10] isis dis-priority 100
# View information about the IS-IS neighbors of SwitchA.


PRI
----------------------------------------------------------------------------------
----
0000.0000.0002 Vlanif10 0000.0000.0001.01 Up 21s L1(L1L2)
64
0000.0000.0003 Vlanif10 0000.0000.0001.01 Up 27s L1
64
0000.0000.0002 Vlanif10 0000.0000.0001.01 Up 28s L2(L1L2)
64
0000.0000.0004 Vlanif10 0000.0000.0001.01 Up 30s L2
64
Total Peer(s): 4

# View information about the IS-IS interface of SwitchA.
[SwitchA] display isis interface

---------------------------------
Vlanif10 001 Up Down 1497 L1/L2 Yes/Yes
As shown in the output information, after the DIS priority of the IS-IS interface is changed,
SwitchA immediately becomes a Level-1 and Level-2 DIS and its pseudonode is
0000.0000.0001.01.
# View information about the IS-IS neighbors and IS-IS interfaces on SwitchB.
[SwitchB] display isis peer

PRI
----------------------------------------------------------------------------------
----
0000.0000.0001 Vlanif10 0000.0000.0001.01 Up 7s L1(L1L2)
100
0000.0000.0003 Vlanif10 0000.0000.0001.01 Up 25s L1
64
0000.0000.0001 Vlanif10 0000.0000.0001.01 Up 7s L2(L1L2)
100
0000.0000.0004 Vlanif10 0000.0000.0001.01 Up 25s L2
64
Total Peer(s): 4
[SwitchB] display isis interface

---------------------------------
# View information about the IS-IS neighbors and IS-IS interfaces on SwitchD.
[SwitchD] display isis peer


PRI
----------------------------------------------------------------------------------
----
0000.0000.0001 Vlanif10 0000.0000.0001.01 Up 9s L2
100
0000.0000.0002 Vlanif10 0000.0000.0001.01 Up 28s L2 64
Total Peer(s): 2
[SwitchD] display isis interface

---------------------------------
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
isis 1
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
isis enable 1
isis dis-priority 100
#
#
return

#
sysname SwitchB
#
vlan batch 10
#
isis 1
network-entity 10.0000.0000.0002.00
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
isis enable 1
#
#
return

#
sysname SwitchC
#
vlan batch 10
#
isis 1

is-level level-1
network-entity 10.0000.0000.0003.00
#
interface Vlanif10
ip address 10.1.1.3 255.255.255.0
isis enable 1
#
#
return

#
sysname SwitchD
#
vlan batch 10
#
isis 1
is-level level-2
network-entity 10.0000.0000.0004.00
#
interface Vlanif10
ip address 10.1.1.4 255.255.255.0
isis enable 1
#
#
return
5.7.4 Example for Configuring IS-IS Load Balancing
As shown in Figure 5-26, switches run IS-IS to implement IP interworking. Congestion of the
network from SwitchA to destination address 172.17.1.0/24 needs to be relieved to improve
network resource efficiency.
Figure 5-26 Networking diagram for configuring IS-IS load balancing
GE0/0/1 GE0/0/2
VLANIF10 VLANIF30
10.1.1.2/24 192.168.0.1/24
GE0/0/1 SwitchB GE0/0/1
VLANIF10 L2 VLANIF30
GE0/0/3 10.1.1.1/24 192.168.0.2/24 GE0/0/3
VLANIF50 VLANIF60
172.16.1.1/24 SwitchA Area 10 SwitchD 172.17.1.1/24
L2 L2
GE0/0/2 GE0/0/2
VLANIF20 VLANIF40
SwitchC 192.168.1.2/24
10.1.2.1/24
L2 GE0/0/2
GE0/0/1
VLANIF20 VLANIF40
10.1.2.2./24 192.168.1.1/24

1. Configure basic IS-IS functions on each switch to implement IP interworking.
2. Configure load balancing to balance traffic from SwitchA to SwitchD between SwitchB
and SwitchC.
Procedure
[SwitchA] vlan batch 10 20 50

Step 3 Configure basic IS-IS functions.
[SwitchA] isis 1

Step 4 Set the number of equal-cost routes for load balancing to 1 on SwitchA.
[SwitchA] isis 1
[SwitchA-isis-1] maximum load-balancing 1
# View the routing table of SwitchA.


-----------------------------

--------------------------------

-------------------------------------------------------------------------
192.168.1.0/24 20 NULL Vlanif20 10.1.2.2 A/-/-/-
172.17.1.0/24 30 NULL Vlanif10 10.1.1.2 A/-/-/-
192.168.0.0/24 20 NULL Vlanif10 10.1.1.2 A/-/-/-

U-Up/Down Bit Set
As shown in the routing table, when the maximum number of equal-cost routes for load balancing
is set to 1, IS-IS selects 10.1.1.2 as the next hop to the destination network 172.17.1.0. This is
because SwitchB has a smaller system ID.
Step 5 Restore the default number of equal-cost routes for load balancing on SwitchA.
[SwitchA] isis 1
[SwitchA-isis-1] undo maximum load-balancing


-----------------------------

--------------------------------

-------------------------------------------------------------------------
192.168.1.0/24 20 NULL Vlanif20 10.1.2.2 A/-/-/-
172.17.1.0/24 30 NULL Vlanif10 10.1.1.2 A/-/-/-
Vlanif20 10.1.2.2
192.168.0.0/24 20 NULL Vlanif10 10.1.1.2 A/-/-/-

U-Up/Down Bit Set
As shown in the routing table, the number of equal-cost routes for load balancing is restored to
the default value 8. Both the next hops of SwitchA, 10.1.1.2 (SwitchB) and 10.1.2.2 (SwitchC)
now become valid.

Step 6 (Optional) Set the preference for equal-cost routes on SwitchA.

[SwitchA] isis
[SwitchA-isis-1] nexthop 10.1.2.2 weight 1

-----------------------------

--------------------------------

--------------------------------------------------------------------------------
192.168.1.0/24 20 NULL Vlanif20 10.1.2.2 A/-/-/-
172.17.1.0/24 30 NULL Vlanif20 10.1.2.2 A/-/-/-
192.168.0.0/24 20 NULL Vlanif10 10.1.1.2 A/-/-/-

U-Up/Down Bit Set
As shown in the routing table, the preference of the next hop 10.1.2.2 (SwitchC) with the weight
as 1, is higher than that of 10.1.1.2 (SwitchB), after the weight is set for equal-cost routes.
Therefore, IS-IS selects route with the next hop 10.1.2.2 as the optimal route.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 50
#
isis 1
is-level level-2
network-entity 10.0000.0000.0001.00
nexthop 10.1.2.2 weight 1
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
isis enable 1
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
isis enable 1
#
interface Vlanif50
ip address 172.16.1.1 255.255.255.0
isis enable 1
#
#

#
#
return

#
sysname SwitchB
#
vlan batch 10 30
#
isis 1
is-level level-2
network-entity 10.0000.0000.0002.00
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
isis enable 1
#
interface Vlanif30
ip address 192.168.0.1 255.255.255.0
isis enable 1
#
#
#
return

#
sysname SwitchC
#
vlan batch 20 40
#
isis 1
is-level level-2
network-entity 10.0000.0000.0003.00
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
isis enable 1
#
interface Vlanif40
ip address 192.168.1.1 255.255.255.0
isis enable 1
#
#
#
return

#
sysname SwitchD
#
vlan batch 30 40 60

#
isis 1
is-level level-2
network-entity 10.0000.0000.0004.00
#
interface Vlanif30
ip address 192.168.0.2 255.255.255.0
isis enable 1
#
interface Vlanif40
ip address 192.168.1.2 255.255.255.0
isis enable 1
#
interface Vlanif60
ip address 172.17.1.1 255.255.255.0
isis enable 1
#
#
#
#
return
5.7.5 Example for Configuring Static BFD for IS-IS

As shown in Figure 5-27, three routers are interconnected using IS-IS, and SwitchA and SwitchB
communicate with each other through a Layer 2 switch. When the link between SwitchA and
SwitchB is faulty, the two routers need to rapidly respond to the fault and reestablish a neighbor
relationship.
Figure 5-27 Networking diagram of configuring static BFD for IS-IS

GE0/0/1 GE0/0/1 GE0/0/2
100.1.1.1/24 100.1.1.2/24 100.2.1.1/24
GE0/0/1
SwitchA SwitchB VLANIF30 SwitchC
100.2.1.2/24
NOTE
BFD for IS-IS cannot be used to detect the multi-hop link between SwitchA and SwitchC, because the IS-
IS neighbor relationship cannot be established between SwitchA and SwitchC.

1. Configure IP addresses for interfaces and enable IS-IS on each router to ensure reachable
routes between the routers.
2. Enable static BFD for IS-IS on SwitchA and SwitchB so that routers can rapidly detect link
faults.
Procedure
Step 1 Configure VLANs that each interface belongs to.
Step 2 Assign the IP addresses for VLANIF interfaces.
[SwitchA] isis 1
[SwitchA-isis-1] network-entity aa.1111.1111.1111.00
[SwitchB] isis 1
[SwitchB-isis-1] network-entity aa.2222.2222.2222.00
[SwitchC] isis 1
[SwitchC-isis-1] network-entity aa.3333.3333.3333.00
# After the preceding configurations, you can see that the neighbor relationship is established
between SwitchA and SwitchB.


System Id Interface Circuit Id State HoldTime Type PRI
-----------------------------------------------------------------------------
2222.2222.2222 Vlanif10 2222.2222.2222.01 Up 23s L2 64
The IS-IS routing table of SwitchA contains the routes to SwitchB and SwitchC.
-----------------------------
--------------------------------
-------------------------------------------------------------------------
100.2.1.0/24 20 NULL Vlanif10 100.1.1.2 A/-/L/-
U-Up/Down Bit Set
Step 4 Configure BFD.
# Enable BFD on SwitchA and configure a BFD session.

[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd atob bind peer-ip 100.1.1.2 interface vlanif 10
[SwitchA-bfd-session-atob] discriminator local 1
[SwitchA-bfd-session-atob] discriminator remote 2
[SwitchA-bfd-session-atob] commit
[SwitchA-bfd-session-atob] quit
# Enable BFD on SwitchB and configure a BFD session.

[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bfd btoa bind peer-ip 100.1.1.1 interface vlanif 10
[SwitchB-bfd-session-btoa] discriminator local 2
[SwitchB-bfd-session-btoa] discriminator remote 1
[SwitchB-bfd-session-btoa] commit
[SwitchB-bfd-session-btoa] quit
After the preceding configurations, run the display bfd session command on SwitchA or
SwitchB, and you can see that the status of the BFD session is Up.
The following uses the display on SwitchA as an an example.

------------------------------------------------------------------------
------------------------------------------------------------------------
1 2 100.1.1.2 Up S_IP_IF Vlanif10
------------------------------------------------------------------------
Step 5 Enable IS-IS fast detect.
[SwitchA-Vlanif10] isis bfd static


[SwitchB-Vlanif10] isis bfd static
# Enable log information display on SwitchA.

[SwitchA] info-center source bfd channel 1 log level debugging state on
[SwitchA] quit
<SwitchA> debugging isis circuit-information
<SwitchA> terminal logging
# Run the shutdown command on GigabitEthernet0/0/1 on SwitchB to simulate a link fault.

# On SwitchA, you can view the following log and debugging information, which indicates that
IS-IS deletes the neighbor relationship with SwitchB after being notified by BFD of the fault.
Sep 12 2007 11:32:18 RT2 %%01ISIS/4/PEER_DOWN_BFDDOWN(l): IS-IS process id 1 nei
ghbor 2222.2222.2222 is down on the interface Vlanif10 because BFD node is Down.
The last Hello packet is received at 11:32:10. The maximum interval for sending
Hello packets is 9247. The local router sends 426 Hello packets and receives 61
Hello packets. The Hello packet type is Lan Level-2.
*0.481363988 RT2 ISIS/6/ISIS:
ISIS-1-FastSense: Deleting Neighbour by IP Address 100.1.1.2 On Vlanif10(IS01_1048)
Run the display isis route command or the display isis peer command on SwitchA, and you
can see that no information is displayed. This indicates that the IS-IS neighbor relationship
between SwitchA and SwitchB is deleted.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
info-center source BFD channel 1 log level debugging
#
bfd
#
isis 1
is-level level-2
network-entity aa.1111.1111.1111.00
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
isis enable 1
isis bfd static
#
bfd atob bind peer-ip 100.1.1.2 interface Vlanif10
commit
#

#
return

#
sysname SwitchB
#
vlan batch 10 30
#
bfd
#
isis 1
is-level level-2
#
interface Vlanif10
ip address 100.1.1.2 255.255.255.0
isis enable 1
isis bfd static
#
interface Vlanif30
ip address 100.2.1.1 255.255.255.0
isis enable 1
#
bfd btoa bind peer-ip 100.1.1.1 interface Vlanif10
commit
#
#
#
return

#
sysname SwitchC
#
vlan batch 30
#
isis 1
is-level level-2
#
interface Vlanif30
ip address 100.2.1.2 255.255.255.0
isis enable 1
#
#
return
5.7.6 Example for Configuring Dynamic BFD for IS-IS

As shown in Figure 5-28, three routers are interconnected using IS-IS, and SwitchA and SwitchB
communicate with each other through a Layer 2 switch. When the link that passes through the

switch between SwitchA and SwitchB fails, the two routers need to rapidly respond to the fault,
and traffic can be switched to the link that passes through SwitchC for forwarding.
Figure 5-28 Networking diagram of configuring dynamic BFD for IS-IS

GE0/0/2 GE0/0/2 GE0/0/3
Switch A VLANIF20 VLANIF20 SwitchB VLANIF40
3.3.3.1/24 3.3.3.2/24 172.16.1.1/24
GE0/0/1 GE0/0/1
VLANIF10 VLANIF50
1.1.1.1/24 2.2.2.2/24
GE0/0/1 GE0/0/2
VLANIF10 VLANIF50
1.1.1.2/24 2.2.2.1/24
SwitchC
1. Configure IP addresses for interfaces and enable IS-IS on each router to ensure reachable
routes between the routers.
2. Set the IS-IS interface cost to control route selection of the routers to make the link that
passes through the switch from SwitchA to SwitchB as the primary link and the link that
passes through SwitchC as the backup link.
3. Configure dynamic BFD for IS-IS on SwitchA, SwitchB, and SwitchC so that link faults
can be detected rapidly and traffic can be switched to the backup link for forwarding.
Procedure
Step 1 Configure VLANs that each interface belongs to.
Step 2 Assign the IP addresses for VLANIF interfaces.

[SwitchA] isis
[SwitchA] interface vlanif10
[SwitchB] isis
[SwitchC] isis
# After the preceding configurations, run the display isis peer command. You can see that the
neighbor relationships are established between SwitchA and SwitchB, and between SwitchA
and SwitchC. The following uses the configuration of SwitchA as an example.
----------------------------
0000.0000.0002 Vlanif20 0000.0000.0002.01 Up 9s L2 64
0000.0000.0003 Vlanif10 0000.0000.0001.02 Up 21s L2 64
Total Peer(s): 2
# Switchs have learned routes from each other. The following uses the routing table of
SwitchA as an example.


Route Flags: R - relied, D - download to fib
------------------------------------------------------------------------------

1.1.1.0/24 Direct 0 0 D 1.1.1.1 Vlanif10
1.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
2.2.2.0/24 ISIS-L2 15 20 D 3.3.3.2 Vlanif20
ISIS-L2 15 20 D 1.1.1.2 Vlanif10
3.3.3.0/24 Direct 0 0 D 3.3.3.1 Vlanif20
3.3.3.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
172.16.1.0/24 ISIS-L2 15 20 D 3.3.3.2 Vlanif20
As shown in the routing table, the next-hop address of the route to 172.16.1.0/24 is 3.3.3.2, and
traffic is transmitted on the primary link SwitchA→SwitchB.
Step 4 Set the interface cost.
[SwitchA-Vlanif20] isis cost 5
[SwitchB-Vlanif20] isis cost 5
Step 5 Configure BFD for IS-IS processes.
# Enable BFD for IS-IS on SwitchA.

[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] isis
[SwitchA-isis-1] bfd all-interfaces enable
# Enable BFD for IS-IS on SwitchB.

[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] isis
[SwitchB-isis-1] bfd all-interfaces enable
# Enable BFD for IS-IS on SwitchC.

[SwitchC] bfd
[SwitchC-bfd] quit
[SwitchC] isis
[SwitchC-isis-1] bfd all-interfaces enable
# After the preceding configurations, run the display isis bfd session all command on SwitchA,
SwitchB, and SwitchC. You can see that the BFD session status is Up.
The following uses the display on SwitchA as an example.

[SwitchA] display isis bfd session all

BFD session information for ISIS(1)

-----------------------------------
Peer System ID : 0000.0000.0002 Interface : Vlanif20

TX : 1000 BFD State : up Peer IP Address : 3.3.3.2
RX : 1000 LocDis : 8192 Local IP Address: 3.3.3.1
Multiplier : 3 RemDis : 8192 Type : L2
Diag : No diagnostic information

Total BFD session(s): 2
As shown in the preceding display, the status of the BFD session between SwitchA and
SwitchB and that between SwitchA and SwitchC is Up.
Step 6 Configure BFD for IS-IS interfaces.
# Configure BFD on VLANIF20 of SwitchA, set the minimum interval for sending packets to
100 ms, the minimum interval for receiving packets to 100 ms, and the local detection multiplier
to 4.
[SwitchA-Vlanif20] isis bfd enable
[SwitchA-Vlanif20] isis bfd min-tx-interval 100 min-rx-interval 100 detect-
multiplier 4
# Configure BFD on VLANIF20 of SwitchB, set the minimum interval for sending packets to
100 ms, the minimum interval for receiving packets to 100 ms, and the local detection multiplier
to 4.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB-Vlanif20] isis bfd enable
[SwitchB-Vlanif20] isis bfd min-tx-interval 100 min-rx-interval 100 detect-
multiplier 4
# After the preceding configurations, run the display isis bfd session all command on SwitchA
or SwitchB. You can see that the BFD parameters have taken effect. The following uses the
display on SwitchB as an example.
[SwitchB] display isis bfd session all

-----------------------------------




# Run the shutdown command on GigabitEthernet0/0/2 of SwitchB to simulate a primary link
failure.
Step 8 # View the routing table of SwitchA.

------------------------------------------------------------------------------
1.1.1.0/24 Direct 0 0 D 1.1.1.1 Vlanif10
1.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
2.2.2.0/24 ISIS-L2 15 20 D 1.1.1.2 Vlanif10
172.16.1.0/24 ISIS-L2 15 30 D 1.1.1.2 Vlanif10
As shown in the routing table, the backup link SwitchA→SwitchC→SwitchB takes effect after
the primary link fails, and the next-hop address of the route to 172.16.1.0/24 becomes 1.1.1.2.
# Run the display isis bfd session all command on SwitchA. You can see that the status of the
BFD session between SwitchA and SwitchC is Up.
[SwitchA] display isis bfd session all

-----------------------------------

----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20
#
bfd
#
isis 1
is-level level-2
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
ip address 1.1.1.1 255.255.255.0
isis enable 1
#

interface Vlanif20
ip address 3.3.3.1 255.255.255.0
isis enable 1
isis cost 5
isis bfd enable
isis bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
#
#
#
return

#
sysname SwitchB
#
vlan batch 20 40 50
#
bfd
#
isis 1
is-level level-2
network-entity 10.0000.0000.0002.00
#
interface Vlanif50
ip address 2.2.2.2 255.255.255.0
isis enable 1
#
interface Vlanif20
ip address 3.3.3.2 255.255.255.0
isis enable 1
isis cost 5
isis bfd enable
isis bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier 4
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
isis enable 1
#
#
#
#
return

#
sysname SwitchC
#
vlan batch 10 50
#
bfd
#

isis 1
is-level level-2
network-entity 10.0000.0000.0003.00
#
interface Vlanif10
ip address 1.1.1.2 255.255.255.0
isis enable 1
#
interface Vlanif50
ip address 2.2.2.1 255.255.255.0
isis enable 1
#
#
#
return
5.7.7 Example for Configuring IS-IS GR

As shown in Figure 5-29, SwitchA, SwitchB, and SwitchC belong to the same autonomous
system .They run the IS-IS protocol to implement interworking and provide the GR
mechanism.When IS-IS is restarted on SwitchA, SwitchA resends connection requests to
neighbors to synchronize the LSDB.
Figure 5-29 Networking diagram of IS-IS GR configuration

SwitchA SwitchC SwitchB
GE0/0/1 GE0/0/2
L1 VLANIF10 L1/L2 VLANIF20 L2
100.1.1.1/24 100.2.1.1/24
GE0/0/1 GE0/0/1
VLANIF10 VLANIF20
100.1.1.2/24 100.2.1.2/24
1. Enable IS-IS on each Switch so that the Switches can be interconnected.
2. Configure GR in the IS-IS view on each Switch and configure the same interval for the
restart.
Procedure
[SwitchA] vlan 10
[SwitchA-Vlan10] quit



Step 3 Configure the basic function of IS-IS. The configuration procedure is not mentioned here.
See 5.7.1 Example for Configuring Basic IS-IS Functions
Step 4 Configure IS-IS GR.
# Enable IS-IS GR on SwitchA and set the restart interval. The configurations on SwitchB and
SwitchC are the same as the configurations on SwitchA. SwitchA is taken as an example here.
[SwitchA] isis 1
[SwitchA-isis-1] graceful-restart
[SwitchA-isis-1] graceful-restart interval 150
[SwitchA] quit
# Run the display fib command on SwitchA to view the Forwarding Information Base (FIB)
table.
<SwitchA> display fib
Route Flags: G - Gateway Route, H - Host Route, U - Up Route
S - Static Route, D - Dynamic Route, B - Black Hole Route
FIB Table:
Destination/Mask Nexthop Flag TimeStamp Interface TunnelID

127.0.0.1/32 127.0.0.1 HU t[21] InLoop0 0x0
127.0.0.0/8 127.0.0.1 U t[21] InLoop0 0x0
100.1.1.1/32 127.0.0.1 HU t[20678] InLoop0 0x0
100.1.1.0/24 100.1.1.1 U t[20678] Vlanif10 0x0
100.2.1.0/24 100.1.1.2 DGU t[79388] Vlanif10 0x0
# Reset the IS-IS process by using the GR method on SwitchA.

<SwitchA> reset isis all graceful-restart
NOTE
The Switch restarts an IS-IS process in GR mode only when GR is enabled for the IS-IS process.
# Run the display fib command on SwitchA and view the FIB table to check whether GR works
normally. If GR works normally, the FIB table does not change and the forwarding service is
not affected when SwitchA restarts the IS-IS process in GR mode.
FIB Table:


127.0.0.1/32 127.0.0.1 HU t[21] InLoop0 0x0
127.0.0.0/8 127.0.0.1 U t[21] InLoop0 0x0
100.1.1.1/32 127.0.0.1 HU t[20678] InLoop0 0x0
100.1.1.0/24 100.1.1.1 U t[20678] Vlanif10 0x0
100.2.1.0/24 100.1.1.2 DGU t[79388] Vlanif10 0x0
As shown in the display, the FIB table on SwitchA does not change and the forwarding service
is not affected.
# Disable IS-IS GR on SwitchA.
[SwitchA] isis 1
[SwitchA-isis-1] undo graceful-restart
# Reset the IS-IS process on SwitchA.

<SwitchA> reset isis all
# Run the display fib command on SwitchA to view the FIB table.
FIB Table:

127.0.0.1/32 127.0.0.1 HU t[21] InLoop0 0x0
127.0.0.0/8 127.0.0.1 U t[21] InLoop0 0x0
100.1.1.1/32 127.0.0.1 HU t[20678] InLoop0 0x0
100.1.1.0/24 100.1.1.1 U t[20678] Vlanif10 0x0
As shown in the display, the FIB table on SwitchA changes and the forwarding service is affected.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
isis 1
graceful-restart
graceful-restart interval 150
is-level level-1
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
ip address 100.1.1.1 255.255.255.0
isis enable 1
#
#
return

#
sysname SwitchB
#

vlan batch 20
#
isis 1
graceful-restart
is-level level-2
network-entity 10.0000.0000.0002.00
#
interface Vlanif20
ip address 100.2.1.2 255.255.255.0
isis enable 1
#
#
return

#
sysname SwitchC
#
vlan batch 10 20
#
isis 1
graceful-restart
network-entity 10.0000.0000.0003.00
#
interface Vlanif10
ip address 100.1.1.2 255.255.255.0
isis enable 1
#
interface Vlanif20
ip address 100.2.1.1 255.255.255.0
isis enable 1
#
#
#
return

autonomous system (AS). IS-IS applies to large and medium networks.
5.8.1 Example for Configuring Basic IS-IS IPv6 Functions
As shown in Figure 5-30, there are four switches on the IPv6 topology network. The four
switches need to communicate with each other. In addition, SwitchA and SwitchB can only
process less data.

Figure 5-30 Networking diagram of basic IS-IS IPv6 feature
GE0/0/1
VLANIF10
SwitchA 10:1::2/64
L1
GE0/0/2
GE0/0/1 SwitchC VLANIF40
VLANIF10 L1/L2 20::1/64
10:1::1/64
IS-IS GE0/0/2
Area10 VLANIF20 GE0/0/1
GE0/0/3 VLANIF30 SwitchD
10:2::1/64 VLANIF30 30::2/64 L2
30::1/64 IS-IS
SwitchB Area20
L1 GE0/0/1
VLANIF20
10:2::2/64
1. Configure IPv6 addresses on interfaces of each switch so that the switches can be
interconnected.
2. Enable IS-IS on each switch so that the switches can be interconnected. Configure SwitchA
and SwitchB as Level-1 switches to enable them to maintain less data.
Procedure
The configurations of SwitchB, SwitchC and SwitchD are similar to the configuration of
SwitchA. The detailed configurations are not mentioned here.
Step 2 Enable the capability of IPv6 forwarding, and configure IPv6 address for each interface. Take
the display on SwitchA as an example. The configurations of SwitchB, SwitchC and SwitchD
are similar to that of SwitchA. The detailed configurations are not mentioned here.

[SwitchA] ipv6
[SwitchA-Vlanif10] ipv6 address 10:1::2/64
Step 3 Configure IS-IS.

[SwitchA] isis 1
[SwitchA-isis-1] ipv6 enable
[SwitchA-Vlanif10] isis ipv6 enable 1
[SwitchB] isis 1
[SwitchB-isis-1] ipv6 enable
[SwitchB-Vlanif20] isis ipv6 enable 1
[SwitchC] isis 1
[SwitchC-isis-1] ipv6 enable
[SwitchC-Vlanif10] isis ipv6 enable 1
[SwitchC-Vlanif30] isis circuit-level level-2
[SwitchD] isis 1
[SwitchD-isis-1] ipv6 enable
[SwitchD-Vlanif30] isis ipv6 enable 1
[SwitchD] interface vlanif40
[SwitchD-Vlanif40] isis ipv6 enable 1

# Display the IS-IS routing table of SwitchA.

-----------------------------


--------------------------------
IPV6 Dest. ExitInterface NextHop Cost Flags

-------------------------------------------------------------------------------
10:1::/64 Vlanif10 Direct 10 D/L/-
10:2::/64 Vlanif10 FE80::4E1F:CCFF:FE06:5947 20 A/-/-

U-Up/Down Bit Set
# Display the IS-IS neighbors of SwitchC.

[SwitchC] display isis peer verbose

0000.0000.0001 Vlanif10 0000.0000.0003.01 Up 24s L1 --
MT IDs supported : 0(UP)
Local MT IDs : 0
Area Address(es) : 10
Peer IPv6 Address(es): FE80::996B:0:9419:1
Uptime : 00:44:43
Adj Protocol : IPV6
Restart Capable : YES
Suppressed Adj : NO
0000.0000.0002 Vlanif20 0000.0000.0003.01 Up 28s L1 --
Local MT IDs : 0
Peer IPv6 Address(es): FE80::DC40:0:47A9:1
Uptime : 00:46:13
Adj Protocol : IPV6
Suppressed Adj : NO
0000.0000.0003 Vlanif30 0000.0000.0003.01 Up 24s L2 --

Local MT IDs : 0
Peer IPv6 Address(es): FE80::F81D:0:1E24:2
Uptime : 00:53:18
Adj Protocol : IPV6
Suppressed Adj : NO
Total Peer(s): 3
# Display the IS-IS LSDB of SwitchC.

[SwitchC] display isis lsdb verbose

--------------------------------

-------------------------------------------------------------------------
0000.0000.0001.00-00 0x0000000c 0x4e06 1117 113 0/0/0

SOURCE 0000.0000.0001.00
NLPID IPV6
AREA ADDR 10
INTF ADDR V6 10:1::2
Topology Standard
NBR ID 0000.0000.0003.00 COST: 10
IPV6 10:1::/64 COST: 10

0000.0000.0002.00-00 0x00000009 0x738c 1022 83 0/0/0

SOURCE 0000.0000.0002.00
NLPID IPV6
AREA ADDR 10
Topology Standard
NBR ID 0000.0000.0003.00 COST: 10
IPV6 10:2::/64 COST: 10
0000.0000.0003.00-00* 0x00000020 0x6b10 771 140 1/0/0

SOURCE 0000.0000.0003.00
NLPID IPV6
AREA ADDR 10
INTF ADDR V6 30::1
Topology Standard
NBR ID 0000.0000.0002.00 COST: 10
NBR ID 0000.0000.0001.00 COST: 10
IPV6 10:2::/64 COST: 10
IPV6 10:1::/64 COST: 10
Total LSP(s): 3

-------------------------------------------------------------------------
0000.0000.0003.00-00* 0x00000017 0x61b4 771 157 0/0/0

SOURCE 0000.0000.0003.00
NLPID IPV6
AREA ADDR 10
INTF ADDR V6 30::1
Topology Standard
NBR ID 0000.0000.0004.00 COST: 10
IPV6 30::/64 COST: 10
IPV6 10:2::/64 COST: 10
IPV6 10:1::/64 COST: 10
0000.0000.0004.00-00 0x0000000b 0x6dfa 1024 124 0/0/0

SOURCE 0000.0000.0004.00
NLPID IPV6
AREA ADDR 20
INTF ADDR V6 30::2
INTF ADDR V6 20::1
Topology Standard
NBR ID 0000.0000.0003.00 COST: 10
NBR ID 0000.0000.0005.00 COST: 10
IPV6 30::/64 COST: 10
IPV6 20::/64 COST: 10
Total LSP(s): 2
----End
Configuration Files
#
sysname SwitchA

#
ipv6
#
vlan batch 10
#
isis 1
is-level level-1
network-entity 10.0000.0000.0001.00
#
ipv6 enable topology standard
#
#
interface Vlanif10
ipv6 enable
ipv6 address 10:1::2/64
isis ipv6 enable 1
#
#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 20
#
isis 1
is-level level-1
network-entity 10.0000.0000.0002.00
#
#
#
interface Vlanif20
ipv6 enable
isis ipv6 enable 1
#
#
return

#
sysname SwitchC
#
ipv6
#
vlan batch 10 20 30
#
isis 1
network-entity 10.0000.0000.0003.00
#
#
#
interface Vlanif10
ipv6 enable
isis ipv6 enable 1

#
interface Vlanif20
ipv6 enable
isis ipv6 enable 1
#
interface Vlanif30
ipv6 enable
isis ipv6 enable 1
isis circuit-level level-2
#
#
#
#
return

#
sysname SwitchD
#
ipv6
#
vlan batch 30 40
#
isis 1
is-level level-2
network-entity 20.0000.0000.0004.00
#
#
#
interface Vlanif40
ipv6 enable
isis ipv6 enable 1
#
interface Vlanif30
ipv6 enable
isis ipv6 enable 1
#
#
#
return
5.9 BGP Configuration

The Border Gateway Protocol (BGP) is used between Autonomous Systems (ASs) to transmit
routing information. BGP applies to large and complex networks.

5.9.1 Example for Configuring Basic BGP Functions

As shown in Figure 5-31, BGP runs between Switches; an EBGP connection is established
between SwitchA and SwitchB; IBGP full-mesh connections are established between SwitchB,
SwitchC, and SwitchD.
Figure 5-31 Networking diagram for configuring basic BGP functions

SwitchC
GE0/0/1
VLANIF20
9.1.3.2/24
GE0/0/2 GE0/0/2
VLANIF50 VLANIF20 GE0/0/2
GE0/0/1 9.1.3.1/24
8.1.1.1/8 VLANIF10 VLANIF40
200.1.1.1/24 9.1.2.1/24
AS65009
GE0/0/1 SwitchB GE0/0/2
SwitchA VLANIF10 GE0/0/3 VLANIF40
200.1.1.2/24 VLANIF30 9.1.2.2/24
9.1.1.1/24
AS65008 GE0/0/1
VLANIF30
9.1.1.2/24 SwitchD
1. Configure IBGP connections between SwitchB, SwitchC, and SwitchD.
2. Configure an EBGP connection between SwitchA and SwitchB.
Procedure
Step 1 Create VLANs and add interfaces to the corresponding VLANs.
The configurations of SwitchB, SwitchC, and SwitchD are the same as the configuration of

The configurations of SwitchB, SwitchC, and SwitchD are the same as the configuration of
Step 3 Configure IBGP connections.
[SwitchB] bgp 65009
[SwitchB-bgp] router-id 2.2.2.2
[SwitchC] bgp 65009
[SwitchC-bgp] router-id 3.3.3.3
[SwitchC-bgp] quit
[SwitchD] bgp 65009
[SwitchD-bgp] router-id 4.4.4.4
[SwitchD-bgp] quit
Step 4 Configure EBGP connections.
[SwitchA] bgp 65008
[SwitchA-bgp] router-id 1.1.1.1
[SwitchB] bgp 65009
[SwitchB-bgp] quit
# Check the status of BGP connections.

[SwitchB] display bgp peer
BGP local router ID : 2.2.2.2

Local AS number : 65009
Total number of peers : 3 Peers in established state : 3
Peer V AS MsgRcvd MsgSent OutQ Up/Down State PrefRcv
9.1.1.2 4 65009 49 62 0 00:44:58 Established 0

9.1.3.2 4 65009 56 56 0 00:40:54 Established 0
200.1.1.2 4 65008 49 65 0 00:44:03 Established 1
You can view that the BGP connections between SwitchB and all the other Switches are set up.
Step 5 Configure SwitchA to advertise route 8.0.0.0/8.
# Configure SwitchA to advertise routes.

[SwitchA] bgp 65008

[SwitchA-bgp] ipv4-family unicast
[SwitchA-bgp-af-ipv4] network 8.0.0.0 255.0.0.0
[SwitchA-bgp-af-ipv4] quit
[SwitchA-bgp] quit

[SwitchA] display bgp routing-table
BGP Local router ID is 1.1.1.1

Status codes: * - valid, > - best, d - damped,
h - history, i - internal, s - suppressed, S - Stale
Origin : i - IGP, e - EGP, ? - incomplete
Total Number of Routes: 1

Network NextHop MED LocPrf PrefVal Path/Ogn
*> 8.0.0.0 0.0.0.0 0 0 i
# Check the routing table of SwitchB.

[SwitchB] display bgp routing-table

*> 8.0.0.0 200.1.1.2 0 0 65008i

[SwitchC] display bgp routing-table

i 8.0.0.0 200.1.1.2 0 100 0 65008i
According to the routing table, you can view that SwitchC has learned the route to the destination
8.0.0.0 in AS 65008, but the next hop 200.1.1.2 is unreachable. Therefore, this route is invalid.
Step 6 Configure BGP to import direct routes.
[SwitchB] bgp 65009
[SwitchB-bgp] ipv4-family unicast
[SwitchB-bgp-af-ipv4] import-route direct
[SwitchB-bgp-af-ipv4] quit
[SwitchB-bgp] quit
# Check the BGP routing table of SwitchA.




*> 8.0.0.0 0.0.0.0 0 0 i

*> 9.1.1.0/24 200.1.1.1 0 0 65009?
*> 9.1.3.0/24 200.1.1.1 0 0 65009?
200.1.1.0 200.1.1.1 0 0 65009?


*>i 8.0.0.0 200.1.1.2 0 100 0 65008i

*>i 9.1.1.0/24 9.1.3.1 0 100 0 ?
i 9.1.3.0/24 9.1.3.1 0 100 0 ?
*>i 200.1.1.0 9.1.3.1 0 100 0 ?
You can view that the route destined for 8.0.0.0 becomes valid, and the next hop is the address
of SwitchA.
# Perform the ping operation to verify the configuration.
[SwitchC] ping 8.1.1.1

0.00% packet loss
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 50
#
interface Vlanif10
ip address 200.1.1.2 255.255.255.0
#
interface Vlanif50
ip address 8.1.1.1 255.0.0.0
#
#

#
bgp 65008
router-id 1.1.1.1
#
ipv4-family unicast
network 8.0.0.0
#
return

#
sysname SwitchB
#
vlan batch 10 20 30
#
interface Vlanif10
ip address 200.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 9.1.3.1 255.255.255.0
#
interface Vlanif30
ip address 9.1.1.1 255.255.255.0
#
#
#
#
bgp 65009
router-id 2.2.2.2
#
ipv4-family unicast
import-route direct
peer 9.1.1.2 enable
peer 9.1.3.2 enable
#
return

#
sysname SwitchC
#
vlan batch 20 40
#
interface Vlanif20
ip address 9.1.3.2 255.255.255.0
#
interface Vlanif40
ip address 9.1.2.1 255.255.255.0
#


#
#
bgp 65009
router-id 3.3.3.3
#
ipv4-family unicast
peer 9.1.2.2 enable
peer 9.1.3.1 enable
#
return

#
sysname SwitchD
#
vlan batch 30 40
#
interface Vlanif30
ip address 9.1.1.2 255.255.255.0
#
interface Vlanif40
ip address 9.1.2.2 255.255.255.0
#
#
#
bgp 65009
router-id 4.4.4.4
#
ipv4-family unicast
peer 9.1.1.1 enable
peer 9.1.2.1 enable
#
return
5.9.2 Example for Configuring Basic BGP4+ Functions
As shown in Figure 5-32, there are two ASs: 65008 and 65009. SwitchA belongs to AS 65008,
and SwitchB, SwitchC, and SwitchD belong to AS 65009. Routing Protocol is required to
exchange the routing information between the two ASs.

Figure 5-32 Networking diagram for configuring basic BGP4+ functions
G
VL E
9:3 NIF 3
0
/64 0
A
9: N /0/
/
3
VL E0/0
AS 65008 AS 65009 2 : IF 2
:1 5
::2
/6 0
G
A
SwitchC 4 G
VL E0
9: AN /0/
9:3 NIF 3
::1 30
/
2 : IF 2
VL E0/0
/64
GE0/0/1 :2 5
/6 0
VLANIF10 4
G
GE0/0/2 GE0/0/2
A
GE0/0/1 GE0/0/1
8::1/64 VLANIF20 VLANIF20 VLANIF40 VLANIF40
10::2/64 10::1/64 9:1::1/64 9:1::2/64
SwitchA SwitchB SwitchD
1. Configure IBGP connections between SwitchB, SwitchC, and SwitchD.

2. Configure an EBGP connection between SwitchA and SwitchB.
Procedure
[SwitchA]interface gigabitethernet 0/0/2
SwitchA and are not mentioned here.
Step 2 Enable the IPv6 forwarding capability, and assign an IPv6 address for each interface. The
following is the configuration of SwitchA. The configurations of other Switches are similar to
the configuration of SwitchA and are not mentioned here.
[SwitchA] ipv6
Step 3 Configure IBGP.

[SwitchB] bgp 65009
[SwitchB-bgp] peer 9:1::2 as-number 65009
[SwitchB-bgp] peer 9:3::2 as-number 65009
[SwitchB-bgp-af-ipv6] peer 9:1::2 enable
[SwitchB-bgp-af-ipv6] peer 9:3::2 enable
[SwitchB-bgp-af-ipv6] network 9:1:: 64
[SwitchB-bgp-af-ipv6] network 9:3:: 64
[SwitchC] bgp 65009
[SwitchC-bgp] peer 9:3::1 as-number 65009
[SwitchC-bgp] peer 9:2::2 as-number 65009
[SwitchC-bgp] ipv6-family unicast
[SwitchC-bgp-af-ipv6] peer 9:3::1 enable
[SwitchC-bgp-af-ipv6] peer 9:2::2 enable
[SwitchC-bgp-af-ipv6] network 9:3:: 64
[SwitchC-bgp-af-ipv6] network 9:2:: 64
[SwitchD] bgp 65009
[SwitchD-bgp] peer 9:1::1 as-number 65009
[SwitchD-bgp] peer 9:2::1 as-number 65009
[SwitchD-bgp] ipv6-family unicast
[SwitchD-bgp-af-ipv6] peer 9:1::1 enable
[SwitchD-bgp-af-ipv6] peer 9:2::1 enable
[SwitchD-bgp-af-ipv6] network 9:2:: 64
[SwitchD-bgp-af-ipv6] network 9:1:: 64
Step 4 Configure the EBGP connection.
[SwitchA] bgp 65008
[SwitchA-bgp] peer 10::1 as-number 65009
[SwitchA-bgp-af-ipv6] peer 10::1 enable
[SwitchA-bgp-af-ipv6] network 10:: 64
[SwitchB] bgp 65009
[SwitchB-bgp] peer 10::2 as-number 65008
[SwitchB-bgp-af-ipv6] peer 10::2 enable
[SwitchB-bgp-af-ipv6] network 10:: 64
# View the status of the BGP4+ peers.

[SwitchB] display bgp ipv6 peer

9:1::2 4 65009 8 9 0 00:05:37 Established 2

9:3::2 4 65009 2 2 0 00:00:09 Established 2

10::2 4 65008 9 7 0 00:05:38 Established 2
The preceding information shows that the BGP4+ connections between SwitchB and other
Switches are set up.
# Display the routing table of SwitchA.

[SwitchA] display bgp ipv6 routing-table

*> Network : 8:: PrefixLen : 64

NextHop : :: LocPrf :
MED : 0 PrefVal : 0
Label :
Path/Ogn : i
*> Network : 9:1:: PrefixLen : 64

NextHop : 10::1 LocPrf :
MED : 0 PrefVal : 0
Label :
Path/Ogn : 65009 i

MED : PrefVal : 0
Label :
Path/Ogn : 65009 i

MED : 0 PrefVal : 0
Label :
Path/Ogn : 65009 i

MED : 0 PrefVal : 0
Label :
Path/Ogn : i

MED : 0 PrefVal : 0
Label :
Path/Ogn : 65009 i
The routing table shows that SwitchA has learned the route from AS 65009. AS 65008 and AS
65009 can exchange their routing information.
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#

vlan batch 10 20
#
interface Vlanif10
ipv6 enable
#
interface Vlanif20
ipv6 enable
#
#
#
bgp 65008
router-id 1.1.1.1
peer 10::1 as-number 65009
#
ipv4-family unicast
#
ipv6-family unicast
network 8:: 64
network 10:: 64
peer 10::1 enable
#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 20 30 40
#
interface Vlanif20
ipv6 enable
#
interface Vlanif30
ipv6 enable
#
interface Vlanif40
ipv6 enable
#
#
#
#
bgp 65009
router-id 2.2.2.2

peer 9:1::2 as-number 65009

#
ipv4-family unicast
#
ipv6-family unicast
network 9:1:: 64
network 9:3:: 64
network 10:: 64
peer 9:1::2 enable
peer 9:3::2 enable
peer 10::2 enable
#
return

#
sysname SwitchC
#
ipv6
#
vlan batch 30 50
#
interface Vlanif30
ipv6 enable
#
interface Vlanif50
ipv6 enable
#
#
#
bgp 65009
router-id 3.3.3.3
#
ipv4-family unicast
#
ipv6-family unicast
network 9:2:: 64
network 9:3:: 64
peer 9:2::2 enable
peer 9:3::1 enable
#
return

#
sysname SwitchD
#
ipv6
#
vlan batch 40 50
#

interface Vlanif40
ipv6 enable
#
interface Vlanif50
ipv6 enable
#
#
#
bgp 65009
router-id 4.4.4.4
#
ipv4-family unicast
#
ipv6-family unicast
network 9:1:: 64
network 9:2:: 64
peer 9:1::1 enable
peer 9:2::1 enable
#
return
5.9.3 Example for Configuring Basic MBGP Functions
As shown in Figure 5-33, the receiver receives VoD information in multicast mode. The receiver
and the source reside in different ASs. Multicast routing information needs to be transmitted
between ASs.

Figure 5-33 Networking diagram of MBGP configuration
AS100 AS200
SwitchD
Loopback0
Source SwitchA SwitchB
Loopback0 Loopback0
SwitchC Loopback0
Receiver
MBGP peers
Interface and IP Address Interface and IP Address
GE0/0/2 GE0/0/1
GE0/0/1
10.10.10.1/24 192.1.1.1/24 VLANIF200
VLANIF100
194.1.1.2/24
192.1.1.2/24
SwitchA GE0/0/3
SwitchB VLANIF300
Loopback0 193.1.1.2/24
1.1.1.1/32
Loopback0
2.2.2.2/32
Loopback0
4.4.4.4/32
SwitchD
GE0/0/1
GE0/0/3
VLANIF400
VLANIF300 GE0/0/2
195.1.1.1/24
193.1.1.1/24 VLANIF200
194.1.1.1/24 GE0/0/1
SwitchC
VLANIF400
GE0/0/2 Loopback0 195.1.1.2/24
VLANIF102 3.3.3.3/32
22.22.22.1/24

1. Configure MBGP peers for inter-AS multicast transmission.

2. Configure the routes advertised by MBGP.
3. Enable the multicast function on each switch.
4. Configure basic PIM-SM functions on each switch in ASs and enable IGMP on receiver-
side interfaces.
5. Configure a BSR boundary on the interfaces that connect to two ASs.
6. Configure MSDP peers to transmit inter-domain multicast source information.
Procedure
Step 1 Configure the IP addresses for the interfaces on each Switch and the OSPF protocol in the ASs.
# Configure IP addresses and masks for the interfaces on each switch according to Figure
5-33 and configure OSPF on the switches in ASs. Ensure that Switch B, Switch C, Switch D
can communicate with the receiver at the network layer, learn routes to the loopback interfaces
of each other, and dynamically update routes using a unicast routing protocol. Configure OSPF
process 1. The configuration procedure is not mentioned here.
Step 2 Configure BGP, enable the MBGP protocol, and configure the MBGP peers.
# Configure BGP and the MBGP peer on SwitchA.
[SwitchA] bgp 100
[SwitchA-bgp] ipv4-family multicast
[SwitchA-bgp-af-multicast] peer 192.1.1.2 enable
[SwitchA-bgp-af-multicast] quit
[SwitchA-bgp] quit
# Configure BGP and the MBGP peer on SwitchB.

[SwitchB] bgp 200
[SwitchB-bgp] ipv4-family multicast
[SwitchB-bgp-af-multicast] peer 192.1.1.1 enable
[SwitchB-bgp-af-multicast] quit
[SwitchB-bgp] quit
# Configure BGP and the MBGP peer on SwitchC.

[SwitchC] bgp 200
[SwitchC-bgp] ipv4-family multicast
[SwitchC-bgp-af-multicast] peer 193.1.1.2 enable
[SwitchC-bgp-af-multicast] peer 195.1.1.2 enable
[SwitchC-bgp-af-multicast] quit
[SwitchC-bgp] quit
# Configure BGP and the MBGP peer on SwitchD.

[SwitchD] bgp 200
[SwitchD-bgp] ipv4-family multicast
[SwitchD-bgp-af-multicast] peer 194.1.1.2 enable
[SwitchD-bgp-af-multicast] peer 195.1.1.1 enable

[SwitchD-bgp-af-multicast] quit
[SwitchD-bgp] quit
Step 3 Configure the routes to be advertised.

# Configure the routes to be advertised on SwitchA.
[SwitchA] bgp 100
[SwitchA-bgp] import-route direct
[SwitchA-bgp] ipv4-family multicast
[SwitchA-bgp-af-multicast] import-route direct
[SwitchA-bgp-af-multicast] quit
[SwitchA-bgp] quit
# Configure the routes to be advertised on SwitchB.

[SwitchB] bgp 200
[SwitchB-bgp] import-route direct
[SwitchB-bgp] import-route ospf 1
[SwitchB-bgp] ipv4-family multicast
[SwitchB-bgp-af-multicast] import-route direct
[SwitchB-bgp-af-multicast] import-route ospf 1
[SwitchB-bgp-af-multicast] quit
[SwitchB-bgp] quit
Step 4 Enable multicast on each Switch and the interfaces that are connected.
[SwitchA] multicast routing-enable
[SwitchA-Vlanif100] pim sm
[SwitchB] multicast routing-enable
[SwitchB-Vlanif100] pim sm
[SwitchC] multicast routing-enable
[SwitchC-Vlanif400] pim sm
[SwitchC-Vlanif102] igmp enable
[SwitchD] multicast routing-enable

[SwitchD-Vlanif400] pim sm
Step 5 Configure BSR and RP within each AS.
[SwitchA] interface LoopBack 0
[SwitchA-LoopBack0] ip address 1.1.1.1 255.255.255.255
[SwitchA-LoopBack0] pim sm
[SwitchA] pim
[SwitchA-pim] c-bsr LoopBack 0
[SwitchA-pim] c-rp LoopBack 0
[SwitchA-pim] quit
[SwitchB] interface LoopBack 0
[SwitchB-LoopBack0] ip address 2.2.2.2 255.255.255.255
[SwitchB-LoopBack0] pim sm
[SwitchB-LoopBack0] quit
[SwitchB] pim
[SwitchB-pim] c-bsr LoopBack 0
[SwitchB-pim] c-rp LoopBack 0
[SwitchB-pim] quit
Step 6 Configure the BSR boundary on the interfaces connecting two ASs.
[SwitchA-Vlanif100] pim bsr-boundary
[SwitchB-Vlanif100] pim bsr-boundary
Step 7 Configure MSDP peers.
[SwitchA] msdp
[SwitchA-msdp] peer 192.1.1.2 connect-interface Vlanif100
[SwitchA-msdp] quit
[SwitchB] msdp
[SwitchB-msdp] peer 192.1.1.1 connect-interface Vlanif100
[SwitchB-msdp] quit
# Run the display bgp multicast peer command to view the MBGP peer relationship between
switches. For example, the following information shows the MBGP peer relationship on
SwitchA:
[SwitchA] display bgp multicast peer


192.1.1.2 4 200 82 75 0 00:30:29 Established 17
# Run the display msdp brief command to view information about the MSDP peer relationship
between switches. For example, the following information shows the MBGP peer relationship
on SwitchB:
[SwitchB] display msdp brief
MSDP Peer Brief Information
Configured Up Listen Connect Shutdown Down
1 1 0 0 0 0
Peer's Address State Up/Down time AS SA Count Reset Count

192.1.1.1 Up 00:07:17 100 1 0
----End
Configuration Files
#
sysname SwitchA
#
#
multicast routing-enable
#
interface Vlanif100
ip address 192.1.1.1 255.255.255.0
pim bsr-boundary
pim sm
#
interface Vlanif101
ip address 10.10.10.1 255.255.255.0
pim sm
#
#
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
pim sm
#
pim
c-bsr LoopBack0
c-rp LoopBack0
#
bgp 100
#
ipv4-family unicast
import-route direct
#
ipv4-family multicast
#
msdp

peer 192.1.1.2 connect-interface Vlanif100

#
return

#
sysname SwitchB
#
#
#
interface Vlanif100
ip address 192.1.1.2 255.255.255.0
pim bsr-boundary
pim sm
#
interface Vlanif200
ip address 194.1.1.2 255.255.255.0
pim sm
#
interface Vlanif300
ip address 193.1.1.2 255.255.255.0
pim sm
#
#
#
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
pim sm
#
pim
c-bsr LoopBack0
c-rp LoopBack0
#
ospf 1
area 0.0.0.0
network 193.1.1.0 0.0.0.255
network 194.1.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
#
bgp 200
#
ipv4-family unicast
import-route direct
import-route ospf 1
#
import-route direct

import-route ospf 1
#
msdp
#
return

#
sysname SwitchC
#
#
#
interface Vlanif102
ip address 22.22.22.1 255.255.255.0
pim sm
igmp enable
#
interface Vlanif300
ip address 193.1.1.1 255.255.255.0
pim sm
#
interface Vlanif400
ip address 195.1.1.1 255.255.255.0
pim sm
#
#
#
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 22.22.22.0 0.0.0.255
network 193.1.1.0 0.0.0.255
network 195.1.1.0 0.0.0.255
network 3.3.3.3 0.0.0.0
#
bgp 200
#
ipv4-family unicast
#

#
return

#
sysname SwitchD
#
vlan batch 200 400
#
#
interface Vlanif200
ip address 194.1.1.1 255.255.255.0
pim sm
#
interface Vlanif400
ip address 195.1.1.2 255.255.255.0
pim sm
#
#
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
ospf 1
area 0.0.0.0
network 194.1.1.0 0.0.0.255
network 195.1.1.0 0.0.0.255
network 4.4.4.4 0.0.0.0
#
bgp 200
#
ipv4-family unicast
#
#
return
5.9.4 Example for Configuring BGP to Interact With an IGP
The network shown in Figure 5-34 is divided into AS 65008 and AS 65009. In AS 65009, an
IGP is used to calculate routes. In this example, OSPF is used as an IGP. The two ASs need to
communicate with each other.

Figure 5-34 Networking diagram for configuring BGP to interact with an IGP
GE0/0/2 GE0/0/2
VLANIF30 GE0/0/1 GE0/0/1 VLANIF40
8.1.1.1/24 VLANIF10 VLANIF20 9.1.2.1/24
3.1.1.1/24 9.1.1.2/24
GE0/0/1 GE0/0/2
Switch A VLANIF10 Switch B VLANIF20 Switch C
3.1.1.2/24 9.1.1.1/24
AS65008 AS65009
1. Configure OSPF on SwitchB and SwitchC so that these devices can access each other.
2. Establish an EBGP connection between SwitchA and SwitchB so that these devices can
exchange routing information.
3. Configure BGP and OSPF to import routes from each other on SwitchB so that the two
ASs can communicate with each other.
4. (Optional) Configure BGP route summarization on SwitchB to simplify the BGP routing
table.
Procedure
The configurations of SwitchB and SwitchC are the same as the configuration of SwitchA, and

Step 3 Configure OSPF.

[SwitchB] ospf 1
[SwitchC] ospf 1

[SwitchA] bgp 65008
[SwitchA-bgp] quit
[SwitchB] bgp 65009
Step 5 Configure BGP to interact with an IGP.

# On SwitchB, configure BGP to import OSPF routes.
[SwitchB-bgp-af-ipv4] import-route ospf 1
[SwitchB-bgp] quit



*> 8.1.1.0/24 0.0.0.0 0 0 i
*> 9.1.1.0/24 3.1.1.1 0 0 65009?
*> 9.1.2.0/24 3.1.1.1 2 0 65009?
# On SwitchB, configure OSPF to import BGP routes.

[SwitchB] ospf
[SwitchB-ospf-1] import-route bgp

[SwitchC] display ip routing-table

------------------------------------------------------------------------------
8.1.1.0/24 O_ASE 150 1 D 9.1.1.1 Vlanif20

9.1.1.0/24 Direct 0 0 D 9.1.1.2 Vlanif20
9.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif20
9.1.2.0/24 Direct 0 0 D 9.1.2.1 Vlanif40
9.1.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif40
Step 6 Configure automatic aggregation.
[SwitchB] bgp 65009
[SwitchB-bgp-af-ipv4] summary automatic
[SwitchB-bgp] quit
# Check the BGP routing table of SwitchA.



*> 8.1.1.0/24 0.0.0.0 0 0 i

*> 9.0.0.0 3.1.1.1 0 65009?
# Perform the ping operation to verify the configuration.

[SwitchA] ping -a 8.1.1.1 9.1.2.1
0.00% packet loss
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 30
#
interface Vlanif10
ip address 3.1.1.2 255.255.255.0

#
interface Vlanif30
ip address 8.1.1.1 255.255.255.0
#
#
#
bgp 65008
router-id 1.1.1.1
#
ipv4-family unicast
network 8.1.1.0 255.255.255.0
peer 3.1.1.1 enable
#
return

#
sysname SwitchB
#
vlan batch 10 20
#
interface Vlanif10
ip address 3.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 9.1.1.1 255.255.255.0
#
#
#
bgp 65009
router-id 2.2.2.2
#
ipv4-family unicast
summary automatic
import-route ospf 1
peer 3.1.1.2 enable
#
ospf 1
import-route bgp
area 0.0.0.0
network 9.1.1.0 0.0.0.255
#
return

#
sysname SwitchC
#
vlan batch 20 40
#
interface Vlanif20

ip address 9.1.1.2 255.255.255.0

#
interface Vlanif40
ip address 9.1.2.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 9.1.1.0 0.0.0.255
network 9.1.2.0 0.0.0.255
#
return
5.9.5 Example for Configuring AS-Path Filter
On the network shown in Figure 5-35, SwitchB establish EBGP connections with SwitchA and
SwitchC. The user wants to disable the devices in AS 10 from communicating with devices in
AS 30.
Figure 5-35 Networking diagram for configuring the AS-Path filter
AS 10 GE0/0/1
VLANIF10
9.1.1.1/24
GE0/0/2
VLANIF20
200.1.2.1/24 SwitchA
EBGP
GE0/0/2
VLANIF20 GE0/0/2 GE0/0/1
200.1.2.2/24 EBGP
VLANIF30 VLANIF40
200.1.3.2/24 10.1.1.1/24
GE0/0/1
SwitchB SwitchC
VLANIF30
AS 20 200.1.3.1/24 AS 30

1. Establish EBGP connections between SwitchA and SwitchB and between SwitchB and
SwitchC and configure these devices to import direct routes so that the ASs can
communicate with each other through these EBGP connections.
2. Configure AS_Path filters on SwitchB and use filtering rules to prevent AS 20 from
advertising routes of AS 30 to AS 10 or routes of AS 10 to AS 30.
Procedure

Step 3 Configure EBGP connections.
[SwitchA] bgp 10
[SwitchA-bgp] import-route direct
[SwitchA-bgp] quit
[SwitchB] bgp 20
[SwitchB-bgp] import-route direct
[SwitchB-bgp] quit
[SwitchC] bgp 30
[SwitchC-bgp] import-route direct
[SwitchC-bgp] quit

# Check the routing table advertised by SwitchB to peer 200.1.3.2. Take the routing table
advertised by SwitchB to SwitchC as an example. You can find that SwitchB advertises the
routes destined to the network segment between SwitchA and SwitchC.
[SwitchB] display bgp routing-table peer 200.1.3.2 advertised-routes


*> 9.1.1.0/24 200.1.3.1 0 20 10?

*> 10.1.1.0/24 200.1.3.1 0 20 30?
*> 200.1.2.0 200.1.3.1 0 0 20?
*> 200.1.3.0 200.1.3.1 0 0 20?
Check the routing table of SwitchC. You can find that SwitchC learns the advertised by
SwitchB.


*> 9.1.1.0/24 200.1.3.1 0 20 10?

*> 10.1.1.0/24 0.0.0.0 0 0 ?
*> 10.1.1.1/32 0.0.0.0 0 0 ?
*> 127.0.0.0 0.0.0.0 0 0 ?
*> 127.0.0.1/32 0.0.0.0 0 0 ?
*> 200.1.2.0 200.1.3.1 0 0 20?
*> 200.1.3.0 0.0.0.0 0 0 ?
200.1.3.1 0 0 20?
*> 200.1.3.2/32 0.0.0.0 0 0 ?
Step 4 Configure the AS-Path filter on SwitchB and apply the filter on the outbound interface of
SwitchB.
# Create AS-Path filter 1, denying the passing of routes carrying AS 30. The regular expression
"_30_" indicates any AS list that contains AS 30 and ".*" matches any character.
[SwitchB] ip as-path-filter path-filter1 deny _30_
[SwitchB] ip as-path-filter path-filter1 permit .*
# Create AS-Path filter 2, denying the passing of routes carrying AS 10.

[SwitchB] ip as-path-filter path-filter2 deny _10_
[SwitchB] ip as-path-filter path-filter2 permit .*
# Apply the AS-Path filter on two outbound interfaces of SwitchB.

[SwitchB] bgp 20
[SwitchB-bgp] peer 200.1.2.1 as-path-filter path-filter1 export
[SwitchB-bgp] peer 200.1.3.2 as-path-filter path-filter2 export
[SwitchB-bgp] quit

Step 5 Check the routing table advertised by SwitchB, and you can find that the advertised routes to
the network segment between SwitchA and SwitchC do not exist. Take the route advertised by
SwitchB to SwitchC as an example.


*> 200.1.2.0 200.1.3.1 0 0 20?

*> 200.1.3.0 200.1.3.1 0 0 20?
Similarly, the BGP routing table of SwitchC does not have the two routes.


*> 10.1.1.0/24 0.0.0.0 0 0 ?

*> 10.1.1.1/32 0.0.0.0 0 0 ?
*> 127.0.0.0 0.0.0.0 0 0 ?
*> 127.0.0.1/32 0.0.0.0 0 0 ?
*> 200.1.2.0 200.1.3.1 0 0 20?
*> 200.1.3.0 0.0.0.0 0 0 ?
200.1.3.1 0 0 20?
*> 200.1.3.2/32 0.0.0.0 0 0 ?
Check the routing table advertised by SwitchB, and you can find that advertised routes directly
connected to SwitchA and SwitchC do not exist. Take the route advertised by SwitchB to


*> 200.1.2.0 200.1.2.2 0 0 20?

*> 200.1.3.0 200.1.2.2 0 0 20?
Similarly, the BGP routing table of SwitchA does not have the two routes.


*> 9.1.1.0/24 0.0.0.0 0 0 ?

*> 9.1.1.1/32 0.0.0.0 0 0 ?
*> 127.0.0.0 0.0.0.0 0 0 ?
*> 127.0.0.1/32 0.0.0.0 0 0 ?
*> 200.1.2.0 0.0.0.0 0 0 ?
200.1.2.2 0 0 20?
*> 200.1.2.1/32 0.0.0.0 0 0 ?
*> 200.1.3.0 200.1.2.2 0 0 20?
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 9.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 200.1.2.1 255.255.255.0
#
#
#
bgp 10
router-id 1.1.1.1
#
ipv4-family unicast
import-route direct
#
return

#
sysname SwitchB
#
vlan batch 20 30
#
interface Vlanif30
ip address 200.1.3.1 255.255.255.0
#
interface Vlanif20
ip address 200.1.2.2 255.255.255.0
#
#
#

bgp 20
router-id 2.2.2.2
#
ipv4-family unicast
import-route direct
peer 200.1.2.1 as-path-filter path-filter1 export
peer 200.1.3.2 as-path-filter path-filter2 export
#
ip as-path-filter path-filter1 deny _30_
ip as-path-filter path-filter1 permit .*
ip as-path-filter path-filter2 deny _10_
ip as-path-filter path-filter2 permit .*
#
return

#
sysname SwitchC
#
vlan batch 30 40
#
interface Vlanif30
ip address 200.1.3.2 255.255.255.0
#
interface Vlanif40
ip address 10.1.1.1 255.255.255.0
#
#
#
bgp 30
router-id 3.3.3.3
#
ipv4-family unicast
import-route direct
#
return
5.9.6 Example for Configuring MED Attributes to Control BGP

Route Selection
As shown in Figure 5-36, BGP is configured on all switches; Switch A resides in AS 65008;
Switch B and Switch C reside in AS 65009. EBGP connections are established between
Switch A and Switch B, and between Switch A and Switch C. An IBGP connection is established
between Switch B and Switch C. After a period, traffic from AS 65008 to AS 65009 needs to
first pass through SwitchC.

Figure 5-36 Networking diagram for configuring MED attributes of routes to control route
selection
GE0/0/1
VLANIF10
200.1.1.1/24
SwitchB
GE0/0/1 EBGP
VLANIF10 GE0/0/2
AS 65008 200.1.1.2/24 VLANIF30
AS 65009 9.1.1.1/24
SwitchA IBGP
GE0/0/2
GE0/0/2
VLANIF30
VLANIF20
EBGP 9.1.1.2/24
200.1.2.2/24
SwitchC
GE0/0/1
VLANIF20
200.1.2.1/24
1. Establish EBGP connections between SwitchA and SwitchB and between SwitchA and
SwitchC, and establish an IBGP connection between SwitchB and SwitchC.
2. Apply a routing policy to increase the MED value of the route sent by SwitchB to
SwitchA so that SwitchA will send traffic to AS 65009 through SwitchC.
Procedure


Step 3 Establish an BGP connection.
[SwitchA] bgp 65008
[SwitchA-bgp] quit
[SwitchB] bgp 65009
[SwitchB-bgp-af-ipv4] network 9.1.1.0 255.255.255.0
[SwitchB-bgp] quit
[SwitchC] bgp 65009
[SwitchC-bgp-af-ipv4] network 9.1.1.0 255.255.255.0
[SwitchC-bgp-af-ipv4] quit
[SwitchC-bgp] quit



*> 9.1.1.0/24 200.1.1.1 0 0 65009i

* 200.1.2.1 0 0 65009i
According to the routing table, you can view that there are two valid routes destined for
9.1.1.0/24. The route whose next hop is 200.1.1.1 is the optimal route because the router ID of
SwitchB is smaller.
Step 4 Configure load balancing.
[SwitchA] bgp 65008
[SwitchA-bgp-af-ipv4] maximum load-balancing 2
[SwitchA-bgp] quit



*> 9.1.1.0/24 200.1.1.1 0 0 65009i

*> 200.1.2.1 0 0 65009i
According to the routing table, you can view that the BGP route 9.1.1.0/24 has two next hops
that are 200.1.1.1 and 200.1.2.1. Both of them are optimal routes.
Step 5 Set the MED.
# Set the MED sent from SwitchB to SwitchA through the policy.
[SwitchB] route-policy 10 permit node 10
[SwitchB-route-policy] apply cost 100
[SwitchB] bgp 65009
[SwitchB-bgp] peer 200.1.1.2 route-policy 10 export


*> 9.1.1.0/24 200.1.2.1 0 0 65009i

* 200.1.1.1 100 0 65009i
According to the routing table, you can view that the MED of the next hop 200.1.1.1 (SwitchB)
is 100, and that of the next hop 200.1.2.1 is 0. Therefore, the route with the smaller MED is
selected.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 200.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 200.1.2.2 255.255.255.0
#
#


#
bgp 65008
router-id 1.1.1.1
#
ipv4-family unicast
maximum load-balancing 2
#
return

#
sysname SwitchB
#
vlan batch 10 30
#
interface Vlanif10
ip address 200.1.1.1 255.255.255.0
#
interface Vlanif30
ip address 9.1.1.1 255.255.255.0
#
#
#
bgp 65009
router-id 2.2.2.2
#
ipv4-family unicast
default med 100
network 9.1.1.0 255.255.255.0
peer 9.1.1.2 enable
peer 200.1.1.2 route-policy 10 export
#
route-policy 10 permit node 10
apply cost 100
#
return

#
sysname SwitchC
#
vlan batch 20 30
#
interface Vlanif20
ip address 200.1.2.1 255.255.255.0
#
interface Vlanif30
ip address 9.1.1.2 255.255.255.0
#


#
#
bgp 65009
router-id 3.3.3.3
#
ipv4-family unicast
network 9.1.1.0 255.255.255.0
peer 9.1.1.1 enable
#
return
5.9.7 Example for Configuring a BGP Route Reflector
As shown in Figure 5-37, eight Switches need to form an IBGP network. Full-mesh BGP
connections have been established between SwitchB, SwitchD, and SwitchE. Users require that
the IBGP network be formed without interrupting full-mesh BGP connections between
SwitchB, SwitchD, and SwitchE and require simplified device configuration and management.
Figure 5-37 Networking diagram for configuring a BGP RR
SwitchA
AS 65010
SwitchC SwitchH
SwitchB
Cluster1 Cluster2
SwitchD SwitchE SwitchF SwitchG

Interface and IP Address Interface and IP Address

GE0/0/3 GE0/0/1
VLANIF100 VLANIF10
9.1.1.1/24 SwitchA 10.1.1.1/24
GE0/0/1 GE0/0/2
VLANIF10 VLANIF30 SwitchB
GE0/0/2
10.1.1.2/24 10.1.3.2/24 GE0/0/3
VLANIF20
VLANIF40 GE0/0/4 10.1.2.1/24
10.1.4.1/24 VLANIF50
10.1.5.1/24
GE0/0/1
GE0/0/1 VLANIF40
GE0/0/5
VLANIF30 10.1.4.2/24
SwitchC VLANIF90 GE0/0/2
10.1.3.1/24 VLANIF60
10.1.9.1/24
GE0/0/2 10.1.6.1/24
GE0/0/4
VLANIF20 VLANIF80
10.1.2.2/24 10.1.8.1/24 SwitchD
GE0/0/3
VLANIF70
10.1.7.1/24
GE0/0/1 GE0/0/1
VLANIF50 VLANIF70
GE0/0/2
10.1.5.2/24 10.1.7.2/24
VLANIF60
10.1.6.2/24
SwitchE SwitchF
SwitchH
GE0/0/1
VLANIF80
10.1.8.2/24 GE0/0/1
VLANIF90
SwitchG
10.1.9.2/24
1. Configure SwitchB as the route reflector of Cluster1 and SwitchD and SwitchE as the clients
of SwitchB. Prohibit communication between the clients to form an IBGP network without
interrupting full-mesh BGP connections between SwitchB, SwitchD, and SwitchE.
2. Configure SwitchC as the route reflector of Cluster2 and SwitchF, SwitchG, and SwitchH
as the clients of SwitchC to simplify device configuration and management.
Procedure


The configurations of SwitchB, SwitchC, SwitchD, SwitchE, SwitchF, SwitchG, and SwitchH
are the same as the configuration of SwitchA, and are not mentioned here.

Step 3 Establish IBGP connections between the clients and the RR, and between the non-clients and
the RR. The configuration details are not mentioned here.
Step 4 Configure SwitchA to advertise the local network route 9.1.1.0/24. The configuration details are
not mentioned here.
Step 5 Configure the RR.
[SwitchB] bgp 65010
[SwitchB–bgp] router-id 2.2.2.2
[SwitchB–bgp] group in_rr internal
[SwitchB–bgp] peer 10.1.4.2 group in_rr
[SwitchB–bgp] peer 10.1.5.2 group in_rr
[SwitchB–bgp] ipv4-family unicast
[SwitchB–bgp-af-ipv4] peer in_rr reflect-client
[SwitchB–bgp-af-ipv4] undo reflect between-clients
[SwitchB–bgp-af-ipv4] reflector cluster-id 1
[SwitchB–bgp-af-ipv4] quit
[SwitchB-bgp] quit
[SwitchC] bgp 65010
[SwitchC-bgp] group in_rr internal
[SwitchC-bgp] peer 10.1.7.2 group in_rr
[SwitchC-bgp-af-ipv4] peer in_rr reflect-client
[SwitchC-bgp-af-ipv4] reflector cluster-id 2
[SwitchC-bgp-af-ipv4] quit
[SwitchC-bgp] quit
# Check the routing table of SwitchD.

[SwitchD] display bgp routing-table 9.1.1.0

Paths: 1 available, 0 best, 0 select
BGP routing table entry information of 9.1.1.0/24:

From: 10.1.4.1 (2.2.2.2)

Route Duration: 01h04m30s
Relay IP Nexthop: 0.0.0.0
Relay IP Out-Interface:
Original nexthop: 10.1.1.2
Qos information : 0x0
AS-path Nil, origin igp, MED 0, localpref 100, pref-val 0, internal, pre 255
Originator: 1.1.1.1
Cluster list: 0.0.0.1
Not advertised to any peers yet
According to the routing table, you can view that SwitchD has learned the route advertised by
SwitchA from SwitchB. You can also view the Originator and Cluster_ID of the route.
----End
Configuration Files
#
sysname SwitchA
#
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 10.1.3.2 255.255.255.0
#
interface Vlanif100
ip address 9.1.1.1 255.255.255.0
#
#
#
#
bgp 65010
router-id 1.1.1.1
#
ipv4-family unicast
network 9.1.1.0 255.255.255.0
#
return

#
sysname SwitchB
#
#
interface Vlanif10

ip address 10.1.1.1 255.255.255.0

#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif40
ip address 10.1.4.1 255.255.255.0
#
interface Vlanif50
ip address 10.1.5.1 255.255.255.0
#
#
#
#
#
bgp 65010
router-id 2.2.2.2
group in_rr internal
peer 10.1.4.2 group in_rr
#
ipv4-family unicast
undo reflect between-clients
reflector cluster-id 1
peer in_rr enable
peer in_rr reflect-client
#
return

#
sysname SwitchC
#
vlan batch 20 30 70 80 90
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
#
interface Vlanif30
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif70
ip address 10.1.7.1 255.255.255.0
#

interface Vlanif80
ip address 10.1.8.1 255.255.255.0
#
interface Vlanif90
ip address 10.1.9.1 255.255.255.0
#
#
#
#
#
#
bgp 65010
router-id 3.3.3.3
group in_rr internal
#
ipv4-family unicast
reflector cluster-id 2
peer in_rr enable
peer in_rr reflect-client
#
return

#
sysname SwitchD
#
vlan batch 40 60
#
interface Vlanif40
ip address 10.1.4.2 255.255.255.0
#
interface Vlanif60
ip address 10.1.6.1 255.255.255.0
#


#
#
bgp 65010
router-id 4.4.4.4
#
ipv4-family unicast
#
return
NOTE
The configuration files of other Switches are similar to the configuration file of SwitchD, and are not
mentioned here.
5.9.8 Example for Configuring a BGP4+ Route Reflection
As shown in Figure 5-38, four devices belong to two ASs. You are required to perform simplified
configuration to ensure that the two ASs communicate with each other.
Figure 5-38 Networking diagram for configuring the BGP4+ route reflectors
G
AS 200 VL E
AS 100 10 AN 0/0/
6 1 AN /2
0
01 IF3
2/9 VL E0/0
2: IF 1
/96
:1 4
SwitchC /96 0
::1
10 NIF 1 G
G
VL E
10 AN 0/0/
30
/
VL E0/0
GE0/0/1 2 : IF 1
VLANIF10 GE0/0/2 GE0/0/2 :2 4 0
/9
G
A
1::
1::1/64 VLANIF20 VLANIF20 6

100::1/96 100::2/96
SwitchA SwitchB SwitchD
1. Configure basic BGP4+ functions to allow BGP neighbors to communicate.

2. Configure SwitchC as a route reflector so that no IBGP connection needs to be established
between SwitchB and SwitchD. This simplifies the configuration.

Procedure
[SwitchA]interface gigabitethernet 0/0/2
Step 2 Enable the IPv6 forwarding capability, and assign an IPv6 address for each interface. The
following is the configuration of SwitchA. The configurations of other Switches are similar to
the configuration of SwitchA and are not mentioned here.
[SwitchA] ipv6
Step 3 Configure the basic BGP4+ functions.
[SwitchA] bgp 100
[SwitchA–bgp] peer 100::2 as-number 200
[SwitchA-bgp-af-ipv6] peer 100::2 enable
[SwitchB] bgp 200
[SwitchC] bgp 200
[SwitchC-bgp] peer 101::2 as-number 200
[SwitchC-bgp] peer 102::2 as-number 200
[SwitchC-bgp-af-ipv6] peer 101::2 enable
[SwitchC-bgp-af-ipv6] peer 102::2 enable
[SwitchC-bgp-af-ipv6] network 101:: 96
[SwitchC-bgp-af-ipv6] network 102:: 96

[SwitchD] bgp 200
[SwitchD-bgp] peer 102::1 as-number 200
[SwitchD-bgp-af-ipv6] peer 102::1 enable
[SwitchD-bgp-af-ipv6] network 102:: 96
Step 4 Configure the route reflector.

# Configure SwitchC as the route reflector and SwitchB and SwitchD as the clients.
[SwitchC-bgp-af-ipv6] peer 101::2 reflect-client
[SwitchC-bgp-af-ipv6] peer 102::2 reflect-client
# View the routing table of SwitchB.

[SwitchB] display bgp ipv6 routing-table

MED : 0 PrefVal : 0
Label :
Path/Ogn : 100 i
MED : 0 PrefVal : 0
Label :
Path/Ogn : i

MED : 0 PrefVal : 0
Label :
Path/Ogn : 100 i
MED : 0 PrefVal : 0
Label :
Path/Ogn : i
i
NextHop : 101::1 LocPrf : 100
MED : 0 PrefVal : 0
Label :
Path/Ogn : i
*>i Network : 102:: PrefixLen : 96
MED : 0 PrefVal : 0
Label :
Path/Ogn : i
# View the routing table of SwitchD.

[SwitchD] display bgp ipv6 routing-table




MED : 0 PrefVal : 0
Label :
Path/Ogn : 100 i
MED : 0 PrefVal : 0
Label :
Path/Ogn : i
MED : 0 PrefVal : 0
Label :
Path/Ogn : i
MED : 0 PrefVal : 0
Label :
Path/Ogn : i
i
MED : 0 PrefVal : 0
Label :
Path/Ogn : i
The routing tables show that SwitchD and SwitchB have learned the routing information
advertised by SwitchA from SwitchC.
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 10 20
#
interface Vlanif10
ipv6 enable
#
interface Vlanif20
ipv6 enable
#
#
#
bgp 100
router-id 1.1.1.1
#
ipv4-family unicast
#
ipv6-family unicast
network 1:: 64

network 100:: 96
peer 100::2 enable
#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 20 30
#
interface Vlanif20
ipv6 enable
#
interface Vlanif30
ipv6 enable
#
#
#
bgp 200
router-id 2.2.2.2
#
ipv4-family unicast
#
ipv6-family unicast
network 100:: 96
network 101:: 96
peer 100::1 enable
peer 101::1 enable
#
return

#
sysname SwitchC
#
ipv6
#
vlan batch 30 40
#
interface Vlanif30
ipv6 enable
#
interface Vlanif40
ipv6 enable
#
#


#
bgp 200
router-id 3.3.3.3
#
ipv4-family unicast
#
ipv6-family unicast
network 101:: 96
network 102:: 96
peer 101::2 enable
peer 101::2 reflect-client
peer 102::2 enable
peer 102::2 reflect-client
#
return

#
sysname SwitchD
#
ipv6
#
vlan batch 40
#
interface Vlanif40
ipv6 enable
#
#
bgp 200
router-id 4.4.4.4
#
ipv4-family unicast
#
ipv6-family unicast
network 102:: 96
peer 102::1 enable
#
return
5.9.9 Example for Configuring a BGP Confederation
As shown in Figure 5-39, there are multiple BGP switches in AS 200. It is required that the
number of IBGP connections be reduced.

Figure 5-39 Networking diagram for configuring a BGP confederation

AS 200
SwitchB SwitchC
AS 65002 GE0/0/1
VLANIF20
GE0/0/1 10.1.2.2/24
VLANIF10 AS 65003
10.1.1.2/24
AS 100
GE0/0/2 AS 65001
GE0/0/1
VLANIF70 VLANIF10
9.1.1.1/24 GE0/0/1 GE0/0/2 GE0/0/1
VLANIF60 10.1.1.1/24 VLANIF20 VLANIF30
200.1.1.2/24 SwitchA 10.1.2.1/24 10.1.3.2/24
GE0/0/5 GE0/0/3
SwitchD
SwitchF VLANIF60 VLANIF30 GE0/0/2
200.1.1.1/24 GE0/0/4 10.1.3.1/24 VLANIF50
VLANIF40 10.1.5.1/24
10.1.4.1/24 GE0/0/2
VLANIF50
GE0/0/1
10.1.5.2/24
VLANIF40
10.1.4.2/24
SwitchE
1. Configure a BGP confederation on each switch in AS 200 to divide AS 200 into three sub-
ASs: AS 65001, AS 65002, and AS 65003. Three switches in AS 65001 establish full-mesh
IBGP connections to reduce the number of IBGP connections.
Procedure
[SwitchA] vlan batch 10 20 30 40 60


The configurations of SwitchB, SwitchC, SwitchD, SwitchE, and SwitchF are the same as the

The configurations of SwitchB, SwitchC, SwitchD, SwitchE, and SwitchF are the same as the
Step 3 Configure the BGP confederation.
[SwitchA] bgp 65001
[SwitchA-bgp] confederation id 200
[SwitchA-bgp] confederation peer-as 65002 65003
[SwitchA-bgp-af-ipv4] peer 10.1.1.2 next-hop-local
[SwitchA-bgp] quit
[SwitchB] bgp 65002
[SwitchB-bgp] confederation id 200
[SwitchB-bgp] confederation peer-as 65001 65003
[SwitchB-bgp] quit
[SwitchC] bgp 65003
[SwitchC-bgp] confederation id 200
[SwitchC-bgp] confederation peer-as 65001 65002
[SwitchC-bgp] quit
Step 4 Establish IBGP connection in AS 65001.

[SwitchA] bgp 65001

[SwitchD] bgp 65001
[SwitchD-bgp] quit
[SwitchE] bgp 65001
[SwitchE-bgp] router-id 5.5.5.5
[SwitchE-bgp] quit
Step 5 Establish an EBGP connection between AS 100 and AS 200.

[SwitchA] bgp 65001
[SwitchA-bgp] quit
# Configure SwitchF.
[SwitchF] bgp 100
[SwitchF-bgp] router-id 6.6.6.6
[SwitchF-bgp] peer 200.1.1.1 as-number 200
[SwitchF-bgp] ipv4-family unicast
[SwitchF-bgp-af-ipv4] network 9.1.1.0 255.255.255.0
[SwitchF-bgp-af-ipv4] quit
[SwitchF-bgp] quit

# Check the BGP routing table of SwitchB.
[SwitchB] display bgp routing-table

*>i 9.1.1.0/24 10.1.1.1 0 100 0 (65001) 100i

[SwitchB] display bgp routing-table 9.1.1.0

From: 10.1.1.1 (1.1.1.1)
Relay IP Out-Interface: Vlanif10


AS-path (65001) 100, origin igp, MED 0, localpref 100, pref-val 0, valid, exter
nal-confed, best,select, active, pre 255
Not advertised to any peer yet
# Check the BGP routing table of SwitchD.

[SwitchD] display bgp routing-table


*>i 9.1.1.0/24 10.1.3.1 0 100 0 100i

[SwitchD] display bgp routing-table 9.1.1.0

From: 10.1.3.1 (1.1.1.1)
Relay IP Out-Interface: Vlanif30
AS-path 100, origin igp, MED 0, localpref 100, pref-val 0, valid, internal,
best,select, active, pre 255
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 30 40 60
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.1.3.1 255.255.255.0
#
interface Vlanif40
ip address 10.1.4.1 255.255.255.0
#
interface Vlanif60
ip address 200.1.1.1 255.255.255.0
#
#


#
#
#
#
bgp 65001
router-id 1.1.1.1
confederation id 200
confederation peer-as 65002 65003
#
ipv4-family unicast
peer 10.1.1.2 next-hop-local
#
return

#
sysname SwitchB
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
#
bgp 65002
router-id 2.2.2.2
#
ipv4-family unicast
#
return

#
sysname SwitchC
#

vlan batch 20
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
#
#
bgp 65003
router-id 3.3.3.3
#
ipv4-family unicast
#
return

#
sysname SwitchD
#
vlan batch 30 50
#
interface Vlanif30
ip address 10.1.3.2 255.255.255.0
#
interface Vlanif50
ip address 10.1.5.1 255.255.255.0
#
#
#
bgp 65001
router-id 4.4.4.4
#
ipv4-family unicast
#
return

#
sysname SwitchE
#
vlan batch 40 50
#
interface Vlanif40
ip address 10.1.4.2 255.255.255.0
#
interface Vlanif50
ip address 10.1.5.2 255.255.255.0
#


#
#
bgp 65001
router-id 5.5.5.5
#
ipv4-family unicast
#
return
l Configuration file of SwitchF

#
sysname SwitchF
#
vlan batch 60 70
#
interface Vlanif60
ip address 200.1.1.2 255.255.255.0
#
interface Vlanif70
ip address 9.1.1.1 255.255.255.0
#
#
#
bgp 100
router-id 6.6.6.6
#
ipv4-family unicast
network 9.1.1.0 255.255.255.0
#
return
5.9.10 Example for Configuring the BGP Community Attribute
As shown in Figure 5-40, EBGP connections are established between SwitchB and SwitchA,
and between SwitchB and SwitchC. It is required that AS 20 not advertise the routes advertised
by AS 10 to AS 30.

Figure 5-40 Networking diagram for configuring the BGP community
AS 10 GE0/0/1
VLANIF10
GE0/0/2 9.1.1.1/24
VLANIF20
200.1.2.1/24
SwitchA
EBGP
GE0/0/2 AS 20 AS 30
VLANIF20 GE0/0/3
200.1.2.2/24 VLANIF30
EBGP 200.1.3.2/24
GE0/0/3
SwitchB VLANIF30 SwitchC
200.1.3.1/24
1. Configure a route-policy on SwitchA to advertise the No_Export attribute so that AS 20

does not advertise the routes advertised by AS 10 to AS 30.
Procedure


Step 3 Configure EBGP.

# ConfigureSwitchA.
[SwitchA] bgp 10
[SwitchA-bgp] quit
[SwitchB] bgp 20
[SwitchB-bgp] quit
[SwitchC] bgp 30
[SwitchC-bgp] quit


From: 200.1.2.1 (1.1.1.1)
Direct Out-interface: Vlanif20
AS-path 10, origin igp, MED 0, pref-val 0, valid, external, best, select, activ
e, pre 255
Advertised to such 2 peers:
200.1.2.1
200.1.3.2
You can view that SwitchB advertises the received routes to SwitchC in AS 30.

*> 9.1.1.0/24 200.1.3.1 0 20 10i
You can find that SwitchC has learned a route to the destination 9.1.1.0/24 from SwitchB.
Step 4 Configure BGP community attributes.
# Configure the routing policy on SwitchA to enable SwitchB not to advertise the routes
advertised by SwitchA to any other AS.

[SwitchA] route-policy comm_policy permit node 10

[SwitchA-route-policy] apply community no-export
[SwitchA-route-policy] quit
# Apply routing policies.

[SwitchA] bgp 10
[SwitchA-bgp-af-ipv4] peer 200.1.2.2 route-policy comm_policy export
[SwitchA-bgp-af-ipv4] peer 200.1.2.2 advertise-community


From: 200.1.2.1 (1.1.1.1)
Community:no-export
AS-path 10, origin igp, MED 0, pref-val 0, valid, external, best, select, activ
e, pre 255
You can view the configured community attribute in the BGP routing table of SwitchB. At this
time, there are no routes to the destination 9.1.1.0/24 in the BGP routing table of SwitchC.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 9.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 200.1.2.1 255.255.255.0
#
#
#
bgp 10
router-id 1.1.1.1
#
ipv4-family unicast
network 9.1.1.0 255.255.255.0
peer 200.1.2.2 route-policy comm_policy export
peer 200.1.2.2 advertise-community

#
route-policy comm_policy permit node 10
apply community no-export
#
return

#
sysname SwitchB
#
vlan batch 20 30
#
interface Vlanif20
ip address 200.1.2.2 255.255.255.0
#
interface Vlanif30
ip address 200.1.3.1 255.255.255.0
#
#
#
bgp 20
router-id 2.2.2.2
#
ipv4-family unicast
#
return

#
sysname SwitchC
#
vlan 30
#
interface Vlanif30
ip address 200.1.3.2 255.255.255.0
#
#
bgp 30
router-id 3.3.3.3
#
ipv4-family unicast
#
return

5.9.11 Example for Configuring BGP Load Balancing
On the network shown in Figure 5-41, BGP is configured on all switches. SwitchA is in AS
100. SwitchB and SwitchC are in AS 300. SwitchD is in AS 200. Network congestion from
SwitchA to destination address 8.1.1.0/24 needs to be relieved and network resources need to
be fully utilized.
Figure 5-41 Networking diagram of configuring BGP load balancing
SwitchA AS100
GE0/0/1 GE0/0/2
VLANIF10 VLANIF20
200.1.1.1/24 200.1.2.1/24
GE0/0/1 GE0/0/2
VLANIF10 VLANIF20
200.1.1.2/24 200.1.2.2/24
SwitchB SwitchC
AS300
GE0/0/2 GE0/0/1
VLANIF30 VLANIF40
200.1.3.2/24 200.1.4.2/24
GE0/0/2 GE0/0/1
VLANIF30 VLANIF40
200.1.3.1/24 200.1.4.1/24
SwitchD GE0/0/3
VLANIF50
AS200
8.1.1.1/24
1. Establish EBGP connections between SwitchA and SwitchB and between SwitchA and
SwitchC, between SwitchD and SwitchB and between SwitchD and SwitchC to enable ASs
to communicate with each other using BGP.
2. Configuring load balancing on SwitchA so that SwitchA can send traffic to SwitchD
through either SwitchB or SwitchC.

Procedure

Step 3 Establish BGP connections.
# Configure RouterA.
[SwitchA] bgp 100
[SwitchA-bgp] quit
# Configure RouterB.
[SwitchB] bgp 300
[SwitchB-bgp] quit
# Configure RouterC.
[SwitchC] bgp 300
[SwitchC-bgp] quit
# Configure RouterD.
[SwitchD] bgp 200
[SwitchD-bgp-af-ipv4] network 8.1.1.0 255.255.255.0
[SwitchD-bgp-af-ipv4] quit
[SwitchD-bgp] quit


[SwitchA] display bgp routing-table 8.1.1.0 24

Paths : 2 available, 1 best, 1 select
From: 200.1.1.2 (2.2.2.2)
Route Duration: 0d00h00m50s
AS-path 200 300, origin igp, pref-val 0, valid, external, best, select, active,
pre 255
Advertised to such 2 peers:
200.1.1.2
200.1.2.2

From: 200.1.2.2 (3.3.3.3)
AS-path 200 300, origin igp, pref-val 0, valid, external, pre 255, not preferred
for router ID
The preceding command output shows that there are two valid routes from SwitchA to
destination 8.1.1.0/24. The route with the next-hop address of 200.1.1.2 is the optimal route
because the router ID of SwitchB is smaller.
Step 4 Configure BGP load balancing.
# Configure load balancing on SwitchA.
[SwitchA] bgp 100
[SwitchA-bgp-af-ipv4] maximum load-balancing 2
[SwitchA-bgp] quit

[SwitchA] display bgp routing-table 8.1.1.0 24

Paths : 2 available, 1 best, 2 select
From: 200.1.1.2 (2.2.2.2)
AS-path 200 300, origin igp, pref-val 0, valid, external, best, select, active,
pre 255
Advertised to such 2 peers
200.1.1.2
200.1.2.2

From: 200.1.2.2 (3.3.3.3)


AS-path 200 300, origin igp, pref-val 0, valid, external, select, pre 255, not
preferred for router ID
The preceding command output shows that BGP route 8.1.1.0/24 has two next hops: 200.1.1.2
and 200.1.2.2. Both of them are optimal routes.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 200.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 200.1.2.1 255.255.255.0
#
#
#
bgp 100
router-id 1.1.1.1
#
ipv4-family unicast
maximum load-balancing 2
#
return

#
sysname SwitchB
#
vlan batch 10 30
#
interface Vlanif10
ip address 200.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 200.1.3.2 255.255.255.0
#
#
#

bgp 300
router-id 2.2.2.2
#
ipv4-family unicast
#
return

#
sysname SwitchC
#
vlan batch 20 40
#
interface Vlanif20
ip address 200.1.2.2 255.255.255.0
#
interface Vlanif40
ip address 200.1.4.2 255.255.255.0
#
#
#
bgp 300
router-id 3.3.3.3
#
ipv4-family unicast
#
return

#
sysname SwitchD
#
vlan batch 30 40 50
#
interface Vlanif30
ip address 200.1.3.1 255.255.255.0
#
interface Vlanif40
ip address 200.1.4.1 255.255.255.0
#
interface Vlanif50
ip address 8.1.1.1 255.255.255.0
#
#
#

#
bgp 200
router-id 4.4.4.4
#
ipv4-family unicast
network 8.1.1.0 255.255.255.0
#
return
5.9.12 Example for Associating BGP with BFD
As shown in Figure 5-42, SwitchA belongs to AS 100, SwitchB and SwitchC belong to AS 200.
EBGP connections are established between SwitchA and SwitchB, and between SwitchA and
SwitchC.
Service traffic is transmitted along the primary link SwitchA→SwitchB. The link SwitchA→
SwitchC→SwitchB functions as the backup link. Fast fault detection is required to allow traffic
to be fast switched from the primary link to the backup link.
Figure 5-42 Networking diagram for configuring BFD for BGP
SwitchB GE0/0/3
GE0/0/2 VLANIF40
VLANIF20 172.16.1.1/24
200.1.1.2/24
GE0/0/2 GE0/0/1
VLANIF20 EBGP VLANIF30
200.1.1.1/24 9.1.1.1/24
SwitchA IBGP
GE0/0/1 GE0/0/1
VLANIF10 VLANIF30
200.1.2.1/24 EBGP
9.1.1.2/24
GE0/0/1
VLANIF10
AS 100 200.1.2.2/24 AS 200
SwitchC
1. Configure basic BGP functions on each switch.

2. Configure the MED attribute to control route selection.

3. Enable BFD on SwitchA and SwitchB.

NOTE
If two switches establish an EBGP peer relationship over a direct link, BFD for BGP does not need to be
configured. This is because the ebgp-interface-sensitive command is enabled by default for directly-
connected EBGP peers.
Procedure
Step 3 Configure basic BGP functions. Establish EBGP peer relationships between Switch A and
Switch B, and between Switch A and Switch C and an IBGP peer relationship between
Switch B and Switch C.
[SwitchA] bgp 100
[SwitchA-bgp] peer 200.1.1.2 ebgp-max-hop
[SwitchA-bgp] peer 200.1.2.2 ebgp-max-hop
[SwitchA-bgp] quit
[SwitchB] bgp 200
[SwitchB-bgp] peer 200.1.1.1 ebgp-max-hop
[SwitchB-bgp] network 172.16.1.0 255.255.255.0
[SwitchB-bgp] quit
[SwitchC] bgp 200


[SwitchC-bgp] peer 200.1.2.1 ebgp-max-hop
[SwitchC-bgp] import-route direct
[SwitchC-bgp] quit
# Check the status of BGP peer relationships on Switch A. The command output shows that the
BGP peer relationships are in the Established state.
[SwitchA] display bgp peer
200.1.1.2 4 200 2 5 0 00:01:25 Established 0

200.1.2.2 4 200 2 4 0 00:00:55 Established 0
Step 4 Set the MED.

Set the MED sent from SwitchB to SwitchC through the policy.
[SwitchB] route-policy 10 permit node 10
[SwitchB] bgp 200
[SwitchB-bgp] peer 200.1.1.1 route-policy 10 export
[SwitchC] route-policy 10 permit node 10
[SwitchC-route-policy] apply cost 150
[SwitchC-route-policy] quit
[SwitchC] bgp 200
[SwitchC-bgp] peer 200.1.2.1 route-policy 10 export
# View all BGP routing information on SwitchA.



*> 9.1.1.0/24 200.1.2.2 150 0 200?
*> 172.16.1.0/24 200.1.1.2 100 0 200i
* 200.1.2.2 150 0 200i
*> 200.1.2.0 200.1.1.2 100 0 200?
200.1.2.2 150 0 200?
According to the BGP routing table, the next hop address of the route destined for 172.16.1.0/24
is 200.1.1.2 and service flow is transmitted on the active link SwitchA → SwitchB.
Step 5 Configure BFD, and set the interval for transmitting BFD packets, the interval for receiving BFD
packets, and the local detection multiplier.
# Enable BFD on Switch A. Set the minimum intervals for transmitting and receiving BFD
packets to 100 ms and the local detection multiplier to 4.
[SwitchA] bfd
[SwitchA-bfd] quit

[SwitchA] bgp 100

[SwitchA-bgp] peer 200.1.1.2 bfd enable
[SwitchA-bgp] peer 200.1.1.2 bfd min-tx-interval 100 min-rx-interval 100 detect-
multiplier 4
# Enable BFD on Switch B. Set the minimum intervals for transmitting and receiving BFD
packets to 100 ms and the local detection multiplier to 4.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bgp 200
[SwitchB-bgp] peer 200.1.1.1 bfd enable
[SwitchB-bgp] peer 200.1.1.1 bfd min-tx-interval 100 min-rx-interval 100 detect-
multiplier 4
# Display all BFD sessions on Switch A.

[SwitchA] display bgp bfd session all
Local_Address Peer_Address LD/RD Interface
200.1.1.1 200.1.1.2 8201/8201 Vlanif20
Tx-interval(ms) Rx-interval(ms) Multiplier Session-State
100 100 4 Up
Wtr-interval(m)
0
# Run the shutdown command on VLANIF20 of SwitchB to simulate faults on the active link.
[SwitchB-Vlanif20] shutdown
# Check the BGP routing table on SwitchA.



*> 9.1.1.0/24 200.1.2.2 150 0 200?
*> 172.16.1.0/24 200.1.2.2 150 0 200i
200.1.2.0 200.1.2.2 150 0 200?
According to the BGP routing table, the standby link SwitchA → SwitchC → SwitchB takes
effect after the active link fails. The next hop address of the route destined for 172.16.1.0/24
becomes 200.1.2.2.
----End
Configuration Files
#
sysname SwitchA
#
router id 1.1.1.1
#
vlan batch 10 20
#
bfd
#

interface Vlanif10
ip address 200.1.2.1 255.255.255.0
#
interface Vlanif20
ip address 200.1.1.1 255.255.255.0
#
#
#
bgp 100
router-id 1.1.1.1
peer 200.1.1.2 bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier
4
peer 200.1.1.2 bfd enable
#
ipv4-family unicast
#
return

#
sysname SwitchB
#
router id 2.2.2.2
#
vlan batch 20 30 40
#
bfd
#
interface Vlanif20
ip address 200.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 9.1.1.1 255.255.255.0
#
interface Vlanif40
ip address 172.16.1.1 255.255.255.0
#
#
#
#
bgp 200
router-id 2.2.2.2
peer 200.1.1.1 bfd min-tx-interval 100 min-rx-interval 100 detect-multiplier
4
peer 200.1.1.1 bfd enable

#
ipv4-family unicast
network 172.16.1.0 255.255.255.0
peer 9.1.1.2 enable
#
apply cost 100
#
return

#
sysname SwitchC
#
router id 3.3.3.3
#
vlan batch 10 30
#
bfd
#
interface Vlanif10
ip address 200.1.2.2 255.255.255.0
#
interface Vlanif30
ip address 9.1.1.2 255.255.255.0
#
#
#
bgp 200
router-id 3.3.3.3
#
ipv4-family unicast
import-route direct
peer 9.1.1.1 enable
#
apply cost 150
#
return
5.9.13 Example for Configuring BGP GTSM
As shown in Figure 5-43, SwitchA belongs to AS 10, and SwitchB, SwitchC, and SwitchD
belong to AS 20. BGP is run in the network .To protect a device against the attacks of forged
BGP packets, you can configure GTSM to check whether the TTL value in the IP packet header
is within the specified range.

Figure 5-43 Networking diagram for configuring BGP GTSM
GE0/0/1 SwitchB GE0/0/1 GE0/0/1

VLANIF20 VLANIF20 SwitchC
VLANIF10
10.1.1.2/24 20.1.1.1/24 20.1.1.2/24
IBGP
EBGP Lo GE0/0/1
SwitchA o VLANIF30
3. p
Loopback0 3. ba IBGP 20.1.2.1/24
2.2.2.9/32 3. c
IB 9 / k0
GP 32 GE0/0/1
GE0/0/1 VLANIF30
VLANIF10 20.1.2.2/24
10.1.1.1/24
AS10
AS20 PC SwitchD
Loopback0
4.4.4.9/32
1. Configure OSPF on SwitchB, SwitchC, and SwitchD to implement interworking in AS 20.

2. Set up an EBGP connection between SwitchA and SwitchB, and set up IBGP connections
between SwitchB, SwitchC, and SwitchD through loopback interfaces.
3. Configure GTSM on SwitchA, SwitchB, SwitchC, and SwitchD so that it can protect
SwitchB against CPU-utilization attacks.
Procedure

Step 3 Configure OSPF.

[SwitchB] ospf
[SwitchB-ospf-1] area 0.0.0.0

The configurations of SwitchC and SwitchD are similar to the configuration of SwitchB, and
Step 4 Configure an IBGP connection.
[SwitchB] bgp 20
[SwitchB-bgp] peer 3.3.3.9 connect-interface LoopBack0
[SwitchB-bgp] peer 3.3.3.9 next-hop-local
[SwitchB-bgp] peer 4.4.4.9 connect-interface LoopBack0
[SwitchB-bgp] peer 4.4.4.9 next-hop-local
[SwitchC] bgp 20
[SwitchC-bgp] peer 2.2.2.9 connect-interface LoopBack0
[SwitchC-bgp] peer 4.4.4.9 connect-interface LoopBack0
[SwitchD] bgp 20
[SwitchD-bgp] peer 2.2.2.9 connect-interface LoopBack0
[SwitchD-bgp] peer 3.3.3.9 connect-interface LoopBack0
[SwitchA] bgp 10
# Display the connection status of the BGP peers.

[SwitchB] display bgp peer

3.3.3.9 4 20 8 7 0 00:05:06 Established 0

4.4.4.9 4 20 8 10 0 00:05:33 Established 0
10.1.1.1 4 10 7 7 0 00:04:09 Established 0
You can view that SwitchB has set up BGP connections with other routers.

Step 6 Configure GTSM on SwitchA and SwitchB. SwitchA and SwitchB are directly connected, so
the range of the TTL value between the two switches is [255, 255]. The value of valid-ttl-
hops is 1.
# Configure GTSM on SwitchA.
[SwitchA-bgp] peer 10.1.1.2 valid-ttl-hops 1
# Configure GTSM of the EBGP connection on SwitchB.

[SwitchB-bgp] peer 10.1.1.1 valid-ttl-hops 1
# Check the GTSM configuration.

[SwitchB] display bgp peer 10.1.1.1 verbose
BGP Peer is 10.1.1.1, remote AS 10

Type: EBGP link
BGP version 4, Remote router ID 1.1.1.9
Update-group ID : 0
BGP current state: Established, Up for 00h49m35s
BGP current event: RecvKeepalive
BGP last state: OpenConfirm
BGP Peer Up count: 1
Received total routes: 0
Received active routes total: 0
Advertised total routes: 0
Port: Local - 179 Remote - 52876
Configured: connect-retry Time: 32 sec
Configured: Active Hold Time: 180 sec Keepalive Time:60 sec
Received : Active Hold Time: 180 sec
Negotiated: Active Hold Time: 180 sec Keepalive Time:60 sec
Peer optional capabilities:
Peer supports bgp multi-protocol extension
Peer supports bgp route refresh capability
Peer supports bgp 4-byte-as capability
Address family IPv4 Unicast: advertised and received
Received: Total 59 messages
Update messages 0
Open messages 2
KeepAlive messages 57
Notification messages 0
Refresh messages 0
Sent: Total 79 messages
Update messages 5
Open messages 2
Refresh messages 0
Authentication type configured: None
Last keepalive received: 2009-02-20 13:54:58+00:00
Minimum route advertisement interval is 30 seconds
Optional capabilities:
Route refresh capability has been enabled
4-byte-as capability has been enabled
GTSM has been enabled, valid-ttl-hops: 1
Peer Preferred Value: 0
Routing policy configured:
No routing policy is configured
You can view that GTSM is enabled, the valid hop count is 1, and the BGP connection is in the
Established state.
Step 7 Configure GTSM on SwitchB and SwitchC. SwitchB and SwitchC are directly connected, so
hops is 1.

# Configure GTSM on SwitchB.

# Configure GTSM of the IBGP connection on SwitchC.

[SwitchC-bgp] peer 2.2.2.9 valid-ttl-hops 1
# View the GTSM configuration.


Type: IBGP link
Update-group ID : 1
BGP current event: KATimerExpired
Update messages 0
Open messages 1
Refresh messages 0
Update messages 10
Open messages 1
Refresh messages 0
Nexthop self has been configured
Connect-interface has been configured
Established state.
Step 8 Configure GTSM on SwitchC and SwitchD. SwitchC and SwitchD are directly connected, so
hops is 1.
# Configure GTSM of the IBGP connection on SwitchC.

[SwitchC-bgp] peer 4.4.4.9 valid-ttl-hops 1
# Configure GTSM of the IBGP connection on SwitchD.

[SwitchD-bgp] peer 3.3.3.9 valid-ttl-hops 1

[SwitchC] display bgp peer 4.4.4.9 verbose

Type: IBGP link
Update-group ID : 1
BGP current event: KATimerExpired
Update messages 0
Open messages 1
Refresh messages 0
Update messages 0
Open messages 2
Refresh messages 0
Established state.
Step 9 Configure GTSM on SwitchB and SwitchD. SwitchB and SwitchD are connected by SwitchC,
so the range of the TTL value between the two switches is [254, 255]. The value of valid-ttl-
hops is 2.
# Configure GTSM of the IBGP connection on SwitchB.
# Configure GTSM on SwitchD.

[SwitchD-bgp] peer 2.2.2.9 valid-ttl-hops 2


Type: IBGP link
Update-group ID : 1
Update messages 0
Open messages 1
Refresh messages 0
Update messages 10
Open messages 1
Refresh messages 0
Nexthop self has been configured
You can view that GTSM is configured, the valid hop count is 2, and the BGP connection is in
the Established state.
NOTE
l In this example, if the value of valid-ttl-hops of either SwitchB or SwitchD is smaller than 2, the IBGP
connection cannot be set up.
l GTSM must be configured on the two ends of the BGP connection.

# Run the display gtsm statistics all command on SwitchB to check the GTSM statistics of
SwitchB. By default, SwitchB does not discard any packet when all packets match the GTSM
policy.

[SwitchB] display gtsm statistics all

GTSM Statistics Table
----------------------------------------------------------------
SlotId Protocol Total Counters Drop Counters Pass Counters
----------------------------------------------------------------
0 BGP 17 0 17
0 BGPv6 0 0 0
0 OSPF 0 0 0
0 LDP 0 0 0
----------------------------------------------------------------
If the host simulates the BGP packets of SwitchA to attack SwitchB, the packets are discarded
because their TTL value is not 255 when reaching SwitchB. In the GTSM statistics of
SwitchB, the number of dropped packets increases accordingly.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
bgp 10
router-id 1.1.1.9
peer 10.1.1.2 valid-ttl-hops 1
#
ipv4-family unicast
#
return

#
sysname SwitchB
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 20.1.1.1 255.255.255.0
#
#
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255

#
bgp 20
router-id 2.2.2.9
#
ipv4-family unicast
import-route ospf 1
peer 3.3.3.9 enable
peer 4.4.4.9 enable
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return

#
sysname SwitchC
#
vlan batch 20 30
#
interface Vlanif20
ip address 20.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 20.1.2.1 255.255.255.0
#
#
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
#
bgp 20
router-id 3.3.3.9
#
ipv4-family unicast
peer 2.2.2.9 enable
peer 4.4.4.9 enable
#
ospf 1
area 0.0.0.0

network 20.1.2.0 0.0.0.255

network 20.1.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return

#
sysname SwitchD
#
vlan batch 30
#
interface Vlanif30
ip address 20.1.2.2 255.255.255.0
#
#
interface LoopBack0
ip address 4.4.4.9 255.255.255.255
#
bgp 20
router-id 4.4.4.9
#
ipv4-family unicast
peer 2.2.2.9 enable
peer 3.3.3.9 enable
#
ospf 1
area 0.0.0.0
network 20.1.2.0 0.0.0.255
network 4.4.4.9 0.0.0.0
#
return
5.10 Routing Policy Configuration

Routing policies are applied to routing information to change the path through which network
traffic passes.
5.10.1 Example for Filtering the Routes to Be Received or Advertised
As shown in Figure 5-44, on the network where OSPF runs, SwitchA receives routes from the
Internet, and provides these routes for the OSPF network. Users want devices on the OSPF
network to access only the network segments 172.1.17.0/24, 172.1.18.0/24, and 172.1.19.0/24,
and SwitchC to access only the network segment 172.1.18.0/24.

Figure 5-44 Networking diagram for filtering the received and advertised routes
172.1.16.0/24
172.1.17.0/24
GE0/0/1 GE0/0/1 172.1.18.0/24
172.1.19.0/24
GE0/0/2 GE0/0/1 172.1.20.0/24
SwitchC SwitchB SwitchA
OSPF
SwitchA GE0/0/1 VLANIF10 192.168.1.1/24
SwitchB GE0/0/1 VLANIF10 192.168.1.2/24
SwitchC GE0/0/1 VLANIF20 192.168.2.2/24
1. Configure a routing policy on SwitchA and apply the routing policy during route
advertisement. When routes are advertised, the routing policy allows SwitchA to provide
routes from network segments 172.1.17.0/24, 172.1.18.0/24, and 172.1.19.0/24 for
SwitchB, and allows devices on the OSPF network to access these three network segments.
2. Configure a routing policy on SwitchC and apply the routing policy during route importing.
When routes are imported, the routing policy allows SwitchC to receive only the routes
from the network segment 172.1.18.0/24 and access this network segment.
Procedure

Step 3 Configure the basic OSPF functions.
[SwitchA] ospf
[SwitchB] ospf
[SwitchC] ospf
Step 4 Configure five static routes on SwitchA and import these routes into OSPF.
[SwitchA] ip route-static 172.1.16.0 24 NULL 0
[SwitchA] ospf
[SwitchA-ospf-1] import-route static
# Check the routing table on SwitchB. You can find that the five static routes are imported into
OSPF.
------------------------------------------------------------------------------
172.1.16.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.1.17.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.1.18.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.1.19.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.1.20.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
192.168.1.0/24 Direct 0 0 D 192.168.1.2 Vlanif10
192.168.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif10
192.168.2.0/24 Direct 0 0 D 192.168.2.1 Vlanif20
192.168.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
Step 5 Configure a policy for advertising routes.
# Set an IP prefix list named a2b on SwitchA.

[SwitchA] ip ip-prefix a2b index 10 permit 172.1.17.0 24

# Configure a policy for advertising routes on SwitchA, and use the IP prefix list named a2b to
filter routes.
[SwitchA] ospf
[SwitchA-ospf-1] filter-policy ip-prefix a2b export static
# Check the routing table on SwitchB. You can find that SwitchB receives only three routes
defined in a2b.
------------------------------------------------------------------------------

172.1.17.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.1.18.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
172.1.19.0/24 O_ASE 150 1 D 192.168.1.1 Vlanif10
192.168.1.0/24 Direct 0 0 D 192.168.1.2 Vlanif10
192.168.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif10
192.168.2.0/24 Direct 0 0 D 192.168.2.1 Vlanif20
192.168.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
Step 6 Configure a policy for receiving routes.

# Set an IP prefix list named in on SwitchC.
[SwitchC] ip ip-prefix in index 10 permit 172.1.18.0 24
# Set a policy for receiving routes on SwitchC, and use in to filter routes.
[SwitchC] ospf
[SwitchC-ospf-1] filter-policy ip-prefix in import
# Check the routing table on SwitchC. You can find that SwitchC in the local routing table
receives only one route defined in in.
[SwitchC] display ip routing-table
------------------------------------------------------------------------------

172.1.18.0/24 O_ASE 150 1 D 192.168.2.1 Vlanif20
192.168.2.0/24 Direct 0 0 D 192.168.2.2 Vlanif20
192.168.2.2/32 Direct 0 0 D 127.0.0.1 Vlanif20
----End
Configuration Files
#
sysname SwitchA

#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
#
ospf 1
filter-policy ip-prefix a2b export static
import-route static
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
ip ip-prefix a2b index 10 permit 172.1.17.0 24
#
#
return

#
sysname SwitchB
#
vlan batch 10 20
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

#
sysname SwitchC
#
vlan batch 20
#
interface Vlanif20
ip address 192.168.2.2 255.255.255.0
#
#

ospf 1
filter-policy ip-prefix in import
area 0.0.0.0
network 192.168.2.0 0.0.0.255
#
ip ip-prefix in index 10 permit 172.1.18.0 24
#
return
5.10.2 Example for Applying a Routing Policy for Importing Routes
As shown in Figure 5-45, SwitchB exchanges routing information with SwitchA through OSPF
and with SwitchC through IS-IS. Users want SwitchB to import IS-IS routes into the OSPF
network. Users also want that the route to 172.17.1.0/24 on the OSPF network has a low
preference and the route to 172.17.2.0/24 has a tag, which makes it easy to reference by a routing
policy.
Figure 5-45 Networking diagram for applying a routing policy for importing routes
OSPF IS-IS
GE0/0/2
GE0/0/1 GE0/0/1 GE0/0/3

GE0/0/1 GE0/0/2
SwitchB
SwitchA GE0/0/1 VLANIF10 192.168.1.1/24
1. Configure a routing policy on SwitchB, set the cost of the route to 172.17.1.0/24 to 100,
and apply the routing policy when OSPF imports IS-IS routes. The routing policy allows
the route to 172.17.1.0/24 have a low preference.

2. Configure a routing policy on SwitchB, set the tag of the route to 172.17.2.0/24 is 20, and
apply the routing policy when OSPF imports IS-IS routes. In this way, the tag of the route
to 172.17.2.0/24 can take effect, which makes it easy to reference by a routing policy.
Procedure
Step 3 Configure IS-IS.
[SwitchC] isis
[SwitchC-Vlanif20] isis enable
[SwitchB] isis
[SwitchB-Vlanif20] isis enable
Step 4 Configure OSPF and import routes.

# Configure SwitchA and enable OSPF.
[SwitchA] ospf

# Configure SwitchB, enable OSPF, and import IS-IS routes.

[SwitchB] ospf
[SwitchB-ospf-1] import-route isis 1
# Check the OSPF routing table on SwitchA. You can find the imported routes.

Routing Tables
Routing for Network

192.168.1.0/24 1 Transit 192.168.1.1 192.168.1.1 0.0.0.0
Routing for ASEs

172.17.1.0/24 1 Type2 1 192.168.1.2 192.168.1.2
172.17.2.0/24 1 Type2 1 192.168.1.2 192.168.1.2
172.17.3.0/24 1 Type2 1 192.168.1.2 192.168.1.2
192.168.2.0/24 1 Type2 1 192.168.1.2 192.168.1.2
Total Nets: 5
Step 5 Set the filtering list.
# Set ACL 2002 to match 172.17.2.0/24.

[SwitchB] acl number 2002
[SwitchB-acl-basic-2002] rule permit source 172.17.2.0 0.0.0.255
[SwitchB-acl-basic-2002] quit
# Set an IP prefix list named prefix-a to match 172.17.1.0/24.

[SwitchB] ip ip-prefix prefix-a index 10 permit 172.17.1.0 24
Step 6 Configure a routing policy.

[SwitchB] route-policy isis2ospf permit node 10
[SwitchB-route-policy] if-match ip-prefix prefix-a
[SwitchB-route-policy] if-match acl 2002
[SwitchB-route-policy] apply tag 20
Step 7 Apply the routing policy when routes are imported.
# Configure SwitchB and apply the routing policy when routes are imported.
[SwitchB] ospf
[SwitchB-ospf-1] import-route isis 1 route-policy isis2ospf

# Check the OSPF routing table on SwitchA. You can find that the cost of the route to
172.17.1.0/24 is 100; the tag of the route to 172.17.2.0/24 is 20; other route attributes remain
unchanged.

Routing Tables
Routing for Network
192.168.1.0/24 1 Transit 192.168.1.1 192.168.1.1 0.0.0.0
Routing for ASEs

172.17.1.0/24 100 Type2 1 192.168.1.2 192.168.1.2
172.17.2.0/24 1 Type2 20 192.168.1.2 192.168.1.2
172.17.3.0/24 1 Type2 1 192.168.1.2 192.168.1.2
192.168.2.0/24 1 Type2 1 192.168.1.2 192.168.1.2
Total Nets: 5
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
return

#
sysname SwitchB
#
vlan batch 10 20
#
acl number 2002
rule 5 permit source 172.17.2.0 0.0.0.255
#
isis 1
is-level level-2
network-entity 10.0000.0000.0002.00
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.2 255.255.255.0
isis enable 1
#


#
#
ospf 1
import-route isis 1 route-policy isis2ospf
area 0.0.0.0
network 192.168.1.0 0.0.0.255
#
route-policy isis2ospf permit node 10
if-match ip-prefix prefix-a
apply cost 100
#
if-match acl 2002
apply tag 20
#
#
ip ip-prefix prefix-a index 10 permit 172.17.1.0 24
#
return

#
sysname SwitchC
#
#
isis 1
is-level level-2
network-entity 10.0000.0000.0001.00
#
interface Vlanif20
ip address 192.168.2.1 255.255.255.0
isis enable 1
#
interface Vlanif30
ip address 172.17.1.1 255.255.255.0
isis enable 1
#
interface Vlanif40
ip address 172.17.2.1 255.255.255.0
isis enable 1
#
interface Vlanif50
ip address 172.17.3.1 255.255.255.0
isis enable 1
#
#
#
#

#
return

Typical Configuration Examples 6 IP Multicast
6 IP Multicast
About This Chapter
This document describes configuration of IP Multicast supported by the device and provides
6.1 IGMP Configuration

You can manage multicast group members by configuring IGMP on multicast device interfaces
connected to user networks.
6.2 PIM-DM (IPv4) Configuration

The PIM protocol implements multicast routing and data forwarding in a domain. The PIM-DM
protocol is a multicast routing protocol in dense mode and applies to small-scale networks with
densely-distributed group members.
6.3 PIM-SM (IPv4) Configuration

The PIM protocol implements multicast routing and data forwarding in a domain. The PIM-SM
protocol is a multicast routing protocol in sparse mode. It applies to a large-scale network with
sparsely-distributed group members.
6.4 MSDP Configuration

The MSDP protocol is used to implement multicast routing and data forwarding between PIM-
SM domains and anycast RP in a PIM-SM domain.
6.5 Multicast Route Management (IPv4) Configuration

The switch can run multiple multicast routing protocols to control multicast routing and
forwarding through message exchange between the control plane and forwarding plane.
6.6 VLAN-based IGMP Snooping Configuration

VLAN-based IGMP snooping enables a Layer 2 multicast device to create and maintain a Layer
2 multicast forwarding table by analyzing IGMP messages exchanged between the upstream
Layer 3 device and user hosts. This technology implements on-demand multicast data
transmission at the data link layer.
6.7 Configuring VSI-based IGMP Snooping

This section describes the procedures for configuring VSI-based IGMP Snooping.
6.8 Static Multicast MAC Address Configuration

You can manually configure mappings between multicast MAC addresses and interfaces on the
Layer 2 devices. Multicast packets destined for the specified multicast MAC address are
forwarded to these interfaces. This reduces broadcast packets on a Layer 2 network.
6.9 Multicast VLAN Replication Configuration

After multicast VLAN replication is configured on a device, the upstream device only needs to
transmit multicast data to a multicast VLAN. This function saves bandwidth because the
upstream device does not need to send a copy of multicast data to each user VLAN.
6.10 Controllable Multicast Configuration

Controllable multicast flexibly controls user rights to join multicast groups and meets the
requirements of IPTV services.
6.11 MLD Configuration

On an IPv6 network, you can manage local multicast group members by configuring MLD on
multicast device interfaces connected to user networks.

The PIM (IPv6) protocol implements multicast routing and data forwarding in a domain. The
PIM-DM (IPv6) protocol is an IPv6 multicast routing protocol in dense mode and applies to
small-scale networks with densely-distributed group members.

The PIM-SM (IPv6) protocol implements intra-domain multicast routing and data forwarding
on an IPv6 network. The PIM-SM (IPv6) protocol is a multicast routing protocol in sparse mode.
It applies to a large-scale network with sparsely-distributed group members.

The switch can run multiple IPv6 multicast routing protocols to control IPv6 multicast routing
and forwarding through message exchange between the control plane and forwarding plane.
6.15 MLD Snooping Configuration

MLD snooping is configured on Layer 2 multicast devices to resolve the MLD packets between
Layer 3 devices and users. It generates and maintains IPv6 Layer 2 multicast forwarding tables
to distribute multicast data to only the receivers at the data link layer.

6.1 IGMP Configuration

You can manage multicast group members by configuring IGMP on multicast device interfaces
connected to user networks.
6.1.1 Example for Configuring Basic IGMP Functions
As shown in Figure 6-1, users receive data in multicast mode. User hosts are located on two
network segments: N1 and N2. Receivers HostA and HostC are located on the two network
segments respectively. The source sends multicast data to group addresses 225.1.1.1 to 225.1.1.5.
HostA orders only the program of group 225.1.1.1, and HostC can receive all the programs.
Figure 6-1 Networking diagram for basic IGMP configuration
PIM network Receiver

SwitchA
1
2 /2
4 I F1 GE0/0/1 N1 HostA
8 .1 . L AN /2 VLANIF10
1 6 1 1 V 0 / 0 4
9 2 . NI F G E .1 /2 10.110.1.1/24
1 A /1 .1
SwitchD VLE0/0 68
G 9 2 .1
1 HostB
GE0/0/4 VLAN SwitchB 10.110.2.1/24
VLANIF40 I F 21 GE0
G 0 VLANIF20
192.168.4.1/24 192E . 168
/0/2
VLAN
/0/2
GE0/0/1
19 V G . Receiver
2 .2/24 1 I
2.1 LA E0
68 NI /0/3 9 2 . 1 F2 1
.3. F3 68. 2
2 /2 1 .1/24
4
SwitchC 10.110.2.2/24 N2 HostC
G
1 9 VL A E0 /0 VLANIF20
2 .1 N I /2 GE0/0/1
68 F31
.3 .
1/2
4 HostD
To meet the preceding requirements, configure basic IGMP functions and limit the range of
multicast groups on the interface connected to the network segment of HostA. The configuration
roadmap is as follows:
1. Configure a unicast routing protocol to implement IP interworking.

Configure IP addresses for interfaces and configure a unicast routing protocol on each
switch. Multicast routing protocols depend on unicast routing protocols.
2. Configure basic multicast functions to enable multicast data to be forwarded on the network.
Enable PIM-SM and configure an RP on each switch. Enable IGMP on the interfaces
connected to the receiver network segments.

3. Control the multicast data that HostA can receive.

Configure an ACL on the interface of SwitchA connected to the network segment of HostA
to filter multicast data sent to HostA.
Procedure
Step 1 Configure IP addresses for interfaces and configure a unicast routing protocol on each switch.
Configure an IP address and mask for each interface according to Figure 6-1. Configure OSPF
on each switch to ensure IP connectivity between them, and enable them to dynamically update
routing information. The configuration details are not mentioned here.
Step 2 Enable IP multicast routing on each switch and enable PIM-SM on all interfaces.
# On SwitchA, enable multicast routing in the system view, enable PIM-SM on all interfaces,
and configure VLANIF40 of SwitchD as a static RP. The configurations of SwitchB, SwitchC
and SwitchD are similar to the configuration of SwitchA, and are not mentioned here.

[SwitchA] pim
[SwitchA-pim] static-rp 192.168.4.1
[SwitchA-pim] quit
Step 3 On SwitchA, SwitchB, and SwitchC, enable IGMP on the interfaces connected to the receiver
network segments.
# Enable IGMP on VLANIF10 of SwitchA. The configurations of SwitchB and SwitchC are
similar to the configuration of SwitchA, and are not mentioned here.

[SwitchA-Vlanif10] igmp enable
Step 4 Allow VLANIF10 of SwitchA to join only multicast group 225.1.1.1.
# On SwitchA, create an ACL, configure a rule that permits only packets of multicast group
225.1.1.1, and then apply the ACL to VLANIF10.
[SwitchA] acl number 2001

[SwitchA-acl-basic-2001] rule permit source 225.1.1.1 0
[SwitchA-acl-basic-2001] quit
[SwitchA-Vlanif10] igmp group-policy 2001
# Run the display igmp interface command to check the IGMP configuration and running status
on each interface. The following is the IGMP information on VLANIF10 of SwitchA:
<SwitchA> display igmp interface vlanif 10
Interface information
Vlanif 10 (10.110.1.1):

IGMP is enabled
Current IGMP version is 2
IGMP state: up
IGMP group policy: 2001
IGMP limit: -
Value of query interval for IGMP (negotiated): -
Value of query interval for IGMP (configured): 60 s
Value of other querier timeout for IGMP: 0 s
Value of maximum query response time for IGMP: 10 s
Querier for IGMP: 10.110.1.1 (this router)
Total 1 IGMP Group reported
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 11
#
#
acl number 2001
#
interface Vlanif10
ip address 10.110.1.1 255.255.255.0
pim sm
igmp enable
igmp group-policy 2001
#
interface Vlanif11
ip address 192.168.1.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return

#
sysname SwitchB
#
vlan batch 20 21
#
#
interface Vlanif20
ip address 10.110.2.1 255.255.255.0
pim sm

igmp enable
#
interface Vlanif21
ip address 192.168.2.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return

#
sysname SwitchC
#
vlan batch 20 31
#
#
interface Vlanif20
ip address 10.110.2.2 255.255.255.0
pim sm
igmp enable
#
interface Vlanif31
ip address 192.168.3.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return

#
sysname SwitchD
#
#
#

interface Vlanif11
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif21
ip address 192.168.2.2 255.255.255.0
pim sm
#
interface Vlanif31
ip address 192.168.3.2 255.255.255.0
pim sm
#
interface Vlanif40
ip address 192.168.4.1 255.255.255.0
pim sm
#
#
#
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return
6.1.2 Example for Configuring a Static Multicast Group on an

Interface
As shown in Figure 6-2, users receive data in multicast mode. User hosts are located on two
network segments: N1 and N2. Receiver HostA is located on N1, and receivers HostC and HostD
are located on N2. HostA wants to receive data of multicast group 225.1.1.3 for a long time,
while HostC and HostD do not have such requirements.

Figure 6-2 Networking diagram for static multicast group configuration

SwitchA
4 1 1
2 /2 IF GE0/0/1 N1 HostA
8 .1 . L AN /2 VLANIF10
6 1 V /
0 24 0
2 .1 IF 1 G E .1 .1 / 10.110.1.1/24
19 LAN0/1
SwitchD V E0/ 68
G 9 2 .1
1 HostB
GE0/0/4 VLAN SwitchB 10.110.2.1/24
VLANIF40 I F 2 1 GE0
GE0 /0 VLANIF20
192.168.4.1/24 19 /0/2 / 2
1 9 V G 2. 168. 2. VLAN
I F
GE0/0/1 Receiver
2.1 LA E0 2 /24 192 2
68 NI /0/3 . 168 1
.3. F3 .2.1/2
2 /2 1 4
4
G
2 .1 N I /2 GE0/0/1
68 F31
.3 .
1/2
4 HostD
To meet the preceding requirements, configure static multicast group 225.1.1.3 on the interface
connected to the network segment of HostA. The configuration roadmap is as follows:

Enable PIM-SM and configure a rendezvous point (RP) on each switch. Enable IGMP on
the interfaces connected to the receiver network segments.
3. Enable HostA to receive data of multicast group 225.1.1.3 for a long time.
On SwitchA, statically bind the interface connected to the network segment of HostA to
group 225.1.1.3.
Procedure


[SwitchA] pim
[SwitchA-pim] quit
network segments.
Step 4 Configure static multicast group 225.1.1.3 on VLANIF10 of SwitchA.

[SwitchA-Vlanif10] igmp static-group 225.1.1.3
# Run the display igmp group static command to check the static multicast group configuration.
The command output shows that static multicast group 225.1.1.3 has been configured on
VLANIF10.
<SwitchA> display igmp group static
Static join group information
Total 1 entry, Total 1 active entry
Group Address Source Address Interface State Expires
225.1.1.3 0.0.0.0 Vlanif10 UP never
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 11
#
#
interface Vlanif10
ip address 10.110.1.1 255.255.255.0
pim sm
igmp enable
igmp static-group 225.1.1.3
#
interface Vlanif11
ip address 192.168.1.1 255.255.255.0
pim sm
#
#


#
ospf 1
area 0.0.0.0
network 10.110.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return

#
sysname SwitchB
#
vlan batch 20 21
#
#
interface Vlanif20
ip address 10.110.2.1 255.255.255.0
pim sm
igmp enable
#
interface Vlanif21
ip address 192.168.2.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return

#
sysname SwitchC
#
vlan batch 20 31
#
#
interface Vlanif20
ip address 10.110.2.2 255.255.255.0
pim sm
igmp enable
#
interface Vlanif31
ip address 192.168.3.1 255.255.255.0
pim sm
#


#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return

#
sysname SwitchD
#
#
#
interface Vlanif11
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif21
ip address 192.168.2.2 255.255.255.0
pim sm
#
interface Vlanif31
ip address 192.168.3.2 255.255.255.0
pim sm
#
interface Vlanif40
ip address 192.168.4.1 255.255.255.0
pim sm
#
#
#
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return

6.1.3 Example for Configuring IGMP SSM Mapping
As shown in Figure 6-3, the multicast network runs PIM-SM, and uses ASM and SSM models
to provide multicast services. The switch interface connected to the receiver network segment
runs IGMPv3, whereas the receiver runs IGMPv2 and does not support IGMPv3. Therefore, the
receiver cannot specify a multicast source from which it wants to receive multicast data when
joining a multicast group.
The range of SSM group addresses on the network is 232.1.1.0/24. Source 1, Source 2, and
Source 3 all send multicast data to the multicast groups in this range. However, the receiver only
wants to receive multicast data from Source 1 and Source 3.
Figure 6-3 Networking diagram for the SSM mapping configuration
PIM-SM
Source2 Source3
10.10.2.2/24 192.168.2.2/24
GE0/0/1 GE0/0/3 GE0/0/3 GE0/0/1
192.168.2.1/24 10.10.3.2/24
SwitchB GE0/0/2 GE0/0/2
10.10.2.1/24 VLANIF20 VLANIF21 SwitchC 10.10.3.1/24
192.168.1.2/24 192.168.3.1/24
Source1 192.168.1.1/24 192.168.3.2/24
VLANIF20 VLANIF21 Receiver
GE0/0/2 GE0/0/2 SwitchD
SwitchA
GE0/0/1 GE0/0/3 GE0/0/3 GE0/0/1
10.10.1.2/24 192.168.4.2/24 192.168.4.1/24
10.10.1.1/24 10.10.4.2/24 10.10.4.1/24
To meet the preceding requirements, configure basic multicast functions on the switches, and
then configure SSM mapping on SwitchD. The configuration roadmap is as follows:

Enable PIM-SM on each switch and configure a rendezvous point (RP). Enable IGMP on
the interface connected to the receiver network segment.
3. Configure SSM mapping to enable the receiver to select multicast sources.
Enable SSM mapping on the interface of SwitchD connected to the receiver network
segment, and configure SSM mapping rules on SwitchD.

Procedure
Step 2 Enable IP multicast routing on each switch, and enable PIM-SM and IGMP on interfaces.
# On SwitchD, enable IP multicast routing in the system view and enable PIM-SM on all
interfaces. Enable IGMP on VLANIF13 and set the IGMP version to v3.
[SwitchD] multicast routing-enable

[SwitchD-Vlanif13] igmp enable
[SwitchD-Vlanif13] igmp version 3
# On SwitchA, enable IP multicast routing in the system view and enable PIM-SM on all
interfaces. The configurations of SwitchB and SwitchC are similar to the configuration of

# Configure VLANIF30 as a C-BSR and C-RP on SwitchD.
[SwitchD] pim
[SwitchD-pim] c-bsr vlanif 30
[SwitchD-pim] c-rp vlanif 30
[SwitchD-pim] quit
Step 3 Enable SSM mapping on the interface connected to the receiver network segment.
# Enable SSM mapping on VLANIF13 of SwitchD.

[SwitchD-Vlanif13] igmp ssm-mapping enable
Step 4 Configure the range of SSM group addresses on all Switches.

# Set the range of SSM group addresses to 232.1.1.0/24 on SwitchA. The configurations of
SwitchB, SwitchC, and SwitchD are similar to the configuration of SwitchA, and are not
mentioned here.


[SwitchA-acl-basic-2000] rule permit source 232.1.1.0 0.0.0.255
[SwitchA] pim
[SwitchA-pim] ssm-policy 2000
[SwitchA-pim] quit
Step 5 Configure SSM mapping rules on SwitchD.

# Map the multicast groups in the range of 232.1.1.0/24 to Source 1 and Source 3.
[SwitchD] igmp
[SwitchD-igmp] ssm-mapping 232.1.1.0 24 10.10.1.1
[SwitchD-igmp] ssm-mapping 232.1.1.0 24 10.10.3.1
[SwitchD-igmp] quit

# Check the SSM mapping entries on SwitchD.
<SwitchD> display igmp ssm-mapping group
IGMP SSM-Mapping conversion table
Total 2 entries 2 entries matched
00001. (10.10.1.1, 232.1.1.0/24)
00002. (10.10.3.1, 232.1.1.0/24)
Total 2 entries matched
# The receiver joins group 232.1.1.1.

# Run the display igmp group ssm-mapping command on SwitchD to view information about
the group memberships established with SSM mapping. The command output is as follows:
<SwitchD> display igmp group ssm-mapping
IGMP SSM mapping interface group report information
Limited entry of this VPN-Instance: -

Vlanif13 (10.10.4.2):
Total 1 IGMP SSM-Mapping Group reported
Group Address Last Reporter Uptime Expires
232.1.1.1 10.10.4.1 00:01:44 00:00:26
<SwitchD> display igmp group ssm-mapping verbose

Interface group report information
Limited entry of this VPN-Instance: -
Vlanif13 (10.10.4.2):
Total entry on this interface: 1
Limited entry on this interface: -
Total 1 IGMP SSM-Mapping Group reported
Group: 232.1.1.1
Uptime: 00:01:52
Expires: 00:00:18
Last reporter: 10.10.4.1
Last-member-query-counter: 0
Last-member-query-timer-expiry: off
Group mode: exclude
Version1-host-present-timer-expiry: off
Version2-host-present-timer-expiry: 00:01:55
# Run the display pim routing-table command on SwitchD to view the PIM-SM multicast
routing table. The command output is as follows:
<SwitchD> display pim routing-table
VPN-Instance: public net

Total 2 (S, G) entries

(10.10.1.1, 232.1.1.1)
Protocol: pim-ssm, Flag: SG_RCVR
UpTime: 00:19:40
Upstream interface: Vlanif30
Upstream neighbor: 192.168.4.2
RPF prime neighbor: 192.168.4.2
Downstream interface(s) information:
Total number of downstreams: 1
1: Vlanif13
Protocol: ssm-map, UpTime: 00:19:40, Expires: -
(10.10.3.1, 232.1.1.1)
Protocol: pim-ssm, Flag: SG_RCVR
UpTime: 00:19:40
1: Vlanif13
Protocol: ssm-map, UpTime: 00:19:40, Expires: -
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 30
#
#
acl number 2000
#
interface Vlanif10
ip address 10.10.1.2 255.255.255.0
pim sm
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
pim sm
#
interface Vlanif30
ip address 192.168.4.2 255.255.255.0
pim sm
#
#
#
#
ospf 1
area 0.0.0.0
network 10.10.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255

network 192.168.4.0 0.0.0.255

#
pim
ssm-policy 2000
#
return

#
sysname SwitchB
#
vlan batch 11 20 31
#
#
acl number 2000
#
interface Vlanif11
ip address 10.10.2.2 255.255.255.0
pim sm
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif31
ip address 192.168.2.1 255.255.255.0
pim sm
#
#
#
#
ospf 1
area 0.0.0.0
network 10.10.2.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
pim
ssm-policy 2000
#
return

#
sysname SwitchC
#
vlan batch 12 21 31
#
#
acl number 2000
#
interface Vlanif12
ip address 10.10.3.2 255.255.255.0
pim sm

#
interface Vlanif21
ip address 192.168.3.1 255.255.255.0
pim sm
#
interface Vlanif31
ip address 192.168.2.2 255.255.255.0
pim sm
#
#
#
#
ospf 1
area 0.0.0.0
network 10.10.3.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
pim
ssm-policy 2000
#
return

#
sysname SwitchD
#
vlan batch 13 21 30
#
#
acl number 2000
#
interface Vlanif13
ip address 10.10.4.2 255.255.255.0
pim sm
igmp enable
igmp version 3
igmp ssm-mapping enable
#
interface Vlaniaf21
ip address 192.168.3.2 255.255.255.0
pim sm
#
interface Vlanif30
ip address 192.168.4.1 255.255.255.0
pim sm
#
#
#


#
ospf 1
area 0.0.0.0
network 10.10.4 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
igmp
ssm-mapping 232.1.1.0 255.255.255.0 10.10.1.1
ssm-mapping 232.1.1.0 255.255.255.0 10.10.3.1
#
pim
c-bsr vlanif 30
c-rp vlanif 30
ssm-policy 2000
#
return
6.1.4 Example for Configuring IGMP Limit
As shown in Figure 6-4, user hosts on the network receive video streams in multicast mode.
During prime time, many users may watch video programs at the same time, consuming a lot of
bandwidth. As a result, performance of network devices degrades, and multicast data cannot be
sent to user hosts stably.
HostA on the network segment connecting to SwitchA orders the program of group 225.1.1.3.
IGMP limit needs to be configured on SwitchA, SwitchB, and SwitchC to properly allocate
network resources and flexibly control the number of IGMP group memberships. When the
number of programs ordered by users reaches the limit, users cannot order new programs, which
ensures the quality of ordered programs.
Figure 6-4 Networking diagram for IGMP limit configuration

SwitchA
1
2 /2
4 I F1 GE0/0/1 N1 HostA
8 .1 . L AN /2 VLANIF10
6 1 1 V 0 / 0 4
9 2 . 1 NI F G E .1 /2 10.110.1.1/24
1 A /1 .1
SwitchD VLE0/0 68
G 9 2 .1
1 HostB
GE0/0/4 VLAN SwitchB 10.110.2.1/24
VLANIF40 I F 21 GE0
G 0 VLANIF20
192.168.4.1/24 192E . 168
/0/2
VLAN
/0/2
GE0/0/1
19 V G . Receiver
2.1 LA E0 2 .2/24 1 I F2 1
68 NI 0/3/ 9 2 . 168
.3. F3 .2.1/2
2 /2 1 4
4
G
2 .1 N I /2 GE0/0/1
68 F31
.3 .
1/2
4 HostD


switch. Multicast routing protocols work depending on unicast routing protocols.
Enable PIM-SM and configure a rendezvous point (RP) on each switch. Enable IGMP on
the interfaces connected to the receiver network segments.
3. Enable HostA to steadily receive multicast data of group 225.1.1.3 for a long time.
On SwitchA, statically bind the interface connected to the network segment of HostA to
group 225.1.1.3.
4. Configure IGMP limit on each switch to control the number of programs users can order.
IGMP limit ensures the program receive quality and does not limit the number of static
multicast groups on the interface.
Procedure

[SwitchA] pim
[SwitchA-pim] quit
network segments.
Step 4 On SwitchA, manually bind the interface connected to the receiver to group 225.1.1.3 so that
the receiver can receive data sent to 225.1.1.3 for a long period.

[SwitchA-Vlanif10] igmp static-group 225.1.1.3

Step 5 Set the maximum number of IGMP entries on the last-hop switches.
# Set the maximum number of IGMP entries on SwitchA to 50.
[SwitchA] igmp global limit 50
# Set the maximum number of IGMP entries on VLANIF 10 to 30. (Physical interface
GE0/0/1 belongs to VLAN 10.)
[SwitchA-Vlanif10] igmp limit 30
# Run the display igmp interface command to check the IGMP configuration and running status
on switch interfaces. The following is the IGMP information on VLANIF10 of SwitchA:
<SwitchA> display igmp interface vlanif 10
vlanif10(10.110.1.1):
IGMP is enabled
Current IGMP version is 2
IGMP state: up
IGMP group policy: none
IGMP limit: 30
Value of query interval for IGMP (negotiated): -
Value of query interval for IGMP (configured): 60 s
Value of other querier timeout for IGMP: 0 s
Value of maximum query response time for IGMP: 10 s
Querier for IGMP: 10.110.1.1 (this router)
The command output shows that a maximum of 30 IGMP entries can be created on VLANIF10
of SwitchA.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 11
#
igmp global limit 50
#
#
interface Vlanif10
ip address 10.110.1.1 255.255.255.0
pim sm
igmp enable
igmp limit 30
#
interface Vlanif11
ip address 192.168.1.1 255.255.255.0
pim sm

#
#
#
ospf 1
area 0.0.0.0
network 10.110.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return

#
sysname SwitchB
#
vlan batch 20 21
#
#
#
interface Vlanif20
ip address 10.110.2.1 255.255.255.0
pim sm
igmp enable
igmp limit 30
#
interface Vlanif21
ip address 192.168.2.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return

#
sysname SwitchC
#
vlan batch 20 31
#
#
#

interface Vlanif20
ip address 10.110.2.2 255.255.255.0
pim sm
igmp enable
igmp limit 30
#
interface Vlanif31
ip address 192.168.3.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return

#
sysname SwitchD
#
#
#
interface Vlanif11
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif21
ip address 192.168.2.2 255.255.255.0
pim sm
#
interface Vlanif31
ip address 192.168.3.2 255.255.255.0
pim sm
#
interface Vlanif40
ip address 192.168.4.1 255.255.255.0
pim sm
#
#
#
#

#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
pim
static-rp 192.168.4.1
#
return

The PIM protocol implements multicast routing and data forwarding in a domain. The PIM-DM
protocol is a multicast routing protocol in dense mode and applies to small-scale networks with
densely-distributed group members.
6.2.1 Example for Configuring Basic PIM-DM Functions
Figure 6-5 shows a small-scale network with densely distributed users. HostA and HostB need
to receive multicast data from Source.
Figure 6-5 Configuring basic PIM-DM functions
SwitchA
PIM-DM 10.110.1.1/24
/0 30 /24
VLANIF20
E0 IF .1
GE0/0/2
G N 8.1
/3
VL .16
GE0/0/1
2
A
VLANIF10 HostA
19
192.168.5.1/24 Receiver
24
/3 0 2/
/0 IF3 .1.
192.168.5.2/24
E0 N 68
Source VLANIF10
G LA 2.1
GE0/0/1 SwitchB
V 9
192.168.4.2/24
1
SwitchD 192.168.2.2/24
VLANIF60 VLANIF80 10.110.2.1/24
GE0/0/1 GE0/0/4 GE0/0/1 GE0/0/2
VLANIF70 VLANIF60 SwitchE VLANIF80
10.110.3.1/24 192.168.4.1/24 GE0/0/2 192.168.2.1/24
VLANIF50 HostB
192.168.3.2/24 Receiver
192.168.3.1/24
VLANIF50
GE0/0/2
GE0/0/1
SwitchC VLANIF40
10.110.2.2/24

Since users are densely distributed on the network, PIM-DM can be deployed on the network
to provide multicast services for the user hosts. After PIM-DM is configured on the network, all
user hosts in a multicast group can receive multicast data sent from the multicast source to the
group.
1. Configure IP addresses for interfaces and configure a unicast routing protocol on each
switch. PIM is an intra-domain multicast routing protocol that depends on a unicast routing
protocol. The multicast routing protocol can work normally only when the unicast routing
protocol works normally.
2. Enable multicast routing on all the switches providing multicast services. Multicast routing
is the prerequisite for PIM-DM configuration.
3. Enable PIM-DM on all switch interfaces. Other PIM-DM functions can be configured only
after PIM-DM is enabled.
4. Enable IGMP on the interfaces connected to user network segments. The IGMP protocol
maintains group memberships. The leaf switches maintain group memberships using
IGMP.
NOTE
If PIM-DM and IGMP need to be enabled on the same user-side interface, enable PIM-DM and then
IGMP.
Procedure
Step 1 Configure IP addresses for interfaces and configure a unicast routing protocol on the switches.
# Configure IP addresses and masks for switch interfaces. Configure OSPF on the switches to
implement IP interworking between the switches and enable the switches to dynamically update
routes. (The configurations of the other switches are similar to the configuration of SwitchA.)
[SwitchA] ospf


Step 2 Enable multicast routing on all the switches and enable PIM-DM on all interfaces.
# Enable multicast routing on all the switches and enable PIM-DM on all interfaces. (The
configurations of the other switches are similar to the configuration of SwitchA.)
[SwitchA-Vlanif10] pim dm
Step 3 Enable IGMP on the interfaces connected to user hosts.
# Enable IGMP on the user-side interface (VLANIF20) of SwitchA. (The configurations of

SwitchB and SwitchC are similar to the configuration of SwitchA.)
# Run the display pim interface command to check the PIM configuration and running status
on switch interfaces. The following is the command output on SwitchC, indicating that PIM is
running on the interfaces.
<SwitchC> display pim interface
Interface State NbrCnt HelloInt DR-Pri DR-Address
Vlanif40 up 0 30 1 10.110.2.2 (local)
Vlanif50 up 1 30 1 192.168.3.1 (local)
# Run the display pim routing-table command to check the PIM routing tables on the switches.
You can see from the PIM routing tables that multicast source (10.110.3.100/24) to group
(225.1.1.1/24), and HostA and HostB have joined group (225.1.1.1/24). The PIM routing tables
of the switches are as follows:
[SwitchA] display pim routing-table
Total 1 (*, G) entry; 1 (S, G) entry
(*, 225.1.1.1)
Protocol: pim-dm, Flag: WC
UpTime: 00:00:29
Upstream interface: NULL
Upstream neighbor: NULL
RPF prime neighbor: NULL
1: vlanif20
Protocol: igmp, UpTime: 00:00:29, Expires:never
(10.110.3.100, 225.1.1.1)
Protocol: pim-dm, Flag: ACT
UpTime: 00:00:29
Upstream interface: vlanif30


1: vlanif20
Protocol: pim-dm, UpTime: 00:00:29, Expires:-
[SwitchB] display pim routing-table
(*, 225.1.1.1)
UpTime: 00:00:29
1: vlanif40
(10.110.3.100, 225.1.1.1)
UpTime: 00:00:29
1: vlanif40
[SwitchC] display pim routing-table
(*, 225.1.1.1)
UpTime: 00:00:29
1: vlanif40
(10.110.3.100, 225.1.1.1)
UpTime: 00:01:25
1: vlanif40
[SwitchD] display pim routing-table
(10.110.3.100, 225.1.1.1)
UpTime: 00:00:29

1: vlanif30
1: vlanif60
[SwitchE] display pim routing-table
(10.110.3.100, 225.1.1.1)
UpTime: 00:01:22
1: vlanif80
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 30
#
#
interface Vlanif10
ip address 192.168.5.1 255.255.255.0
pim dm
#
interface Vlanif20
ip address 10.110.1.1 255.255.255.0
pim dm
igmp enable
#
interface Vlanif30
ip address 192.168.1.1 255.255.255.0
pim dm
#
#
#
#
ospf 1
area 0.0.0.0
network 10.110.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.5.0 0.0.0.255
#
return

#
sysname SwitchB

#
#
vlan batch 40 80
#
interface Vlanif40
ip address 10.110.2.1 255.255.255.0
pim dm
igmp enable
#
interface Vlanif80
ip address 192.168.2.1 255.255.255.0
pim dm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

#
sysname SwitchC
#
vlan batch 40 50
#
#
interface Vlanif40
ip address 10.110.2.2 255.255.255.0
pim dm
igmp enable
#
interface Vlanif50
ip address 192.168.3.1 255.255.255.0
pim dm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
return

#
sysname SwitchD
#
vlan batch 30 60 70
#

#
interface Vlanif30
ip address 192.168.1.2 255.255.255.0
pim dm
#
interface Vlanif60
ip address 192.168.4.1 255.255.255.0
pim dm
#
interface Vlanif70
ip address 10.110.3.1 255.255.255.0
pim dm
#
#
#
#
ospf 1
area 0.0.0.0
network 10.110.3.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
return

#
sysname SwitchE
#
#
#
interface Vlanif10
ip address 192.168.5.2 255.255.255.0
pim dm
#
interface Vlanif50
ip address 192.168.3.2 255.255.255.0
pim dm
#
interface Vlanif60
ip address 192.168.4.2 255.255.255.0
pim dm
#
interface Vlanif80
ip address 192.168.2.2 255.255.255.0
pim dm
#
#
#


#
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
network 192.168.5.0 0.0.0.255
#
return

The PIM protocol implements multicast routing and data forwarding in a domain. The PIM-SM
protocol is a multicast routing protocol in sparse mode. It applies to a large-scale network with
sparsely-distributed group members.
6.3.1 Example for Configuring PIM-SM in the ASM Model
As shown in Figure 6-6, the shared network segment is connected to the Internet. HostA and
HostB want to receive multicast data from Source.
Figure 6-6 Networking diagram for configuring PIM-SM in the ASM model
SwitchA
PIM-SM 10.110.1.1/24
/0 30 /24
VLANIF20
E0 IF .1
GE0/0/2
G N 8.1
/3
VL .16
GE0/0/1
2
A
VLANIF10 HostA
19
192.168.5.1/24 Receiver
24
/3 0 2/
/0 IF3 .1.
192.168.5.2/24
E0 N 68
Source VLANIF10
G LA 2.1
GE0/0/1 SwitchB
V 9
192.168.4.2/24
1
SwitchD 192.168.2.2/24
VLANIF60 VLANIF90 10.110.2.1/24
GE0/0/1 GE0/0/4 GE0/0/1 GE0/0/2
10.110.3.1/24 192.168.4.1/24 GE0/0/2 192.168.2.1/24
GE0/0/2 VLANIF50 HostB
VLANIF70 192.168.3.2/24 Receiver
10.110.4.1/24
192.168.3.1/24
VLANIF50
GE0/0/2
GE0/0/1
SwitchC VLANIF40
10.110.2.2/24

Configure the PIM-SM protocol on the switches to enable them to provide the ASM service for
user hosts on the network. Then all the hosts in a multicast group can receive multicast data sent
from any sources to this group.
1. Configure an IP address for each interface and a unicast routing protocol. PIM is an intra-
domain multicast routing protocol that depends on unicast routing protocols.
2. Enable the multicast function on all switches providing multicast services. Before
configuring PIM-SM, you must enable the multicast function.
3. Enable PIM-SM on all interfaces. You can configure other PIM-SM functions only after
PIM-SM is enabled.
4. Enable IGMP on interfaces that connect the switch and hosts. A receiver can join and leave
a multicast group by sending IGMP messages. The leaf switches maintain the multicast
member relationship through IGMP.
NOTE
If both PIM-SM and IGMP need to be configured on interfaces that connect the switch and hosts,
you must configure PIM-SM first, and then configure IGMP.
5. Enable PIM silent on interfaces that connect the switch and hosts to prevent malicious hosts
from simulating sending PIM Hello packets. In this manner, security of PIM-SM domain
is ensured.
NOTE
If the user host network segment connects to multiple switches, do not enable PIM silent on interfaces
that connect these switches and user hosts. For example, PIM Silent cannot be enabled on SwitchB
and SwitchC in the figure.
6. Configure the RP. In PIM-SM domain, RP is essential in providing ASM services and helps
forward multicast data. You are advised to configure RP on switches that have more
multicast flows. For example, you can configure RP on SwitchE in the figure.
7. Configure the BSR boundary on interfaces connected to the Internet. The Bootstrap
message cannot pass through the BSR boundary; therefore, the BSR serves only this PIM-
SM domain. In this manner, multicast services can be controlled effectively.
Procedure
Step 1 Configure an IP address for each interface and a unicast routing protocol.
# Configure the IP address and mask for each interface shown in Figure 6-6, and configure
OSPF on each switch to ensure that switches can communicate at the network layer and can
dynamically update routes through the unicast routing protocol. The configuration of SwitchB,
SwitchC, SwitchD, and SwitchE are similar to the configuration of SwitchA, and are not
provided here.

[SwitchA] ospf
Step 2 Enable multicast, and enable PIM-SM on all interfaces.

# Enable multicast on all switches and PIM-SM on all interfaces. The configuration of SwitchB,
SwitchC, SwitchD, and SwitchE are similar to the configuration of SwitchA, and are not
provided here.
Step 3 Enable IGMP on interfaces that connect the switch and hosts.
# Enable IGMP on interfaces that connect SwitchA and user hosts. The configuration of SwitchB
and SwitchC are similar to the configuration of SwitchA, and are not provided here.
Step 4 Enable PIM silent on interfaces on SwitchA.

[SwitchA-Vlanif20] pim silent
Step 5 Configure the RP.

NOTE
RP can be configured in two modes: static RP and dynamic RP. The static RP can be configured together
with the dynamic RP. You can also configure only the static RP or the dynamic RP. When the static RP
and the dynamic RP are configured simultaneously, you can adjust parameters to specify the preferred RP.
This example shows how to configure both the static RP and the dynamic RP and to specify the
dynamic RP as the preferred RP and the static RP as the standby RP.
# Configure the dynamic RP. Configure C-RP and C-BSR on one or more switches in the PIM-
SM domain. In this example, specify SwitchE as both the C-RP and the C-BSR. Configure the
address range of the multicast group that the RP serves on SwitchE and configure the C-BSR
and C-RP on the interface.

[SwitchE] acl number 2008

[SwitchE-acl-basic-2008] rule permit source 225.1.1.0 0.0.0.255
[SwitchE-acl-basic-2008] quit
[SwitchE] pim
[SwitchE-pim] c-bsr vlanif 90
[SwitchE-pim] c-rp vlanif 90 group-policy 2008
# Configure the static RP. Specify the address of static RP on all interfaces. Perform the following
configurations on SwitchA. The configuration of SwitchB, SwitchC, SwitchD, and SwitchE are
similar to the configuration of SwitchA, and are not provided here.
NOTE
If you enter preferred in the static-rp X.X.X.X command, the static RP is selected as the RP in the PIM-
SM domain.
[SwitchA] pim
Step 6 Configure the BSR boundary on interfaces that connect SwitchD to the Internet.
[SwitchD-Vlanif70] pim bsr-boundary
# Run the display pim interface command to check the PIM configuration and status. In this
example, the PIM information on SwitchC is displayed as follows:
Vlanif40 up 1 30 1 10.110.2.2 (local)
Vlanif50 up 1 30 1 192.168.3.2
# Run the display pim bsr-info command to check information about the BSR selection on the
switch. For example, BSR information on SwitchA and SwitchE is displayed as follows (C-BSR
information is also displayed on SwitchE).
<SwitchA> display pim bsr-info
Elected AdminScoped BSR Count: 0
Elected BSR Address: 192.168.2.2
Priority: 0
Hash mask length: 30
State: Accept Preferred
Scope: Not scoped
Uptime: 01:40:40
Expires: 00:01:42
C-RP Count: 1
<SwitchE> display pim bsr-info

Elected BSR Address: 192.168.2.2
Priority: 0
Hash Mask length: 30
State: Elected
Scope: Not scoped
Uptime: 00:00:18
Next BSR message scheduled at :00:01:42
C-RP Count: 1
Candidate AdminScoped BSR Count: 0
Candidate BSR Address: 192.168.2.2
Priority: 0

State:Elected
Scope: Not scoped
Wait to be BSR: 0
# Run the display pim rp-info command to check the RP information on SwitchA. In this
example, the RP information on SwitchA is displayed as follows:
<SwitchA> display pim rp-info
PIM-SM BSR RP Number:1
Group/MaskLen: 225.1.1.0/24
RP: 192.168.2.2
Priority: 0
Uptime: 00:45:13
Expires: 00:02:17
PIM SM static RP Number:1
Static RP: 192.168.4.2
# Run the display pim routing-table command to view the PIM routing table. The multicast
source 10.110.3.100/24 sends message to the multicast group 225.1.1.1/24. Host A and Host B
join the multicast group 225.1.1.1/24. Detailed information is displayed as follows:
NOTE
By default, after the receiver's DR receives the first multicast data, an SPT switchover is performed and
(S, G) routing entries are created. Therefore, (S, G) routing entries displayed on the switch are (S, G) entries
after the SPT switchover.
(*, 225.1.1.1)
RP: 192.168.2.2
Protocol: pim-sm, Flag: WC
UpTime: 00:13:46
Upstream interface: Vlanif10,
1: Vlanif20
Protocol: igmp, UpTime: 00:13:46, Expires:-
(10.110.3.100, 225.1.1.1)
RP: 192.168.2.2
Protocol: pim-sm, Flag: SPT ACT
UpTime: 00:00:42
1: Vlanif20
Protocol: pim-sm, UpTime: 00:00:42, Expires:-
(*, 225.1.1.1)
RP: 192.168.2.2
UpTime: 00:10:12

Total number of downstreams: None
(10.110.3.100, 225.1.1.1)
RP: 192.168.2.2
Protocol: pim-sm, Flag: ACT
UpTime: 00:00:42

(*, 225.1.1.1)
RP: 192.168.2.2
UpTime: 00:01:25
1: Vlanif40
(10.110.3.100, 225.1.1.1)
RP: 192.168.2.2
UpTime: 00:01:25
1: Vlanif40

(10.110.3.100, 225.1.1.1)
RP: 192.168.2.2
Protocol: pim-sm, Flag: SPT LOC ACT
UpTime: 00:00:42
1: Vlanif30
2: Vlanif60

(*, 225.1.1.1)
RP: 192.168.2.2 (local)
UpTime: 00:13:16
Upstream interface: Register


1: Vlanif10
Protocol: pim-sm, UpTime: 00:12:13, Expires: 00:02:21
2: Vlanif50
(10.110.3.100, 225.1.1.1)
RP: 192.168.2.2
UpTime: 00:01:22
1: Vlanif50
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 30
#
#
interface Vlanif10
ip address 192.168.5.1 255.255.255.0
pim sm
#
interface Vlanif20
ip address 10.110.1.1 255.255.255.0
pim silent
pim sm
igmp enable
#
interface Vlanif30
ip address 192.168.1.1 255.255.255.0
pim sm
#
#
#
#
ospf 1
area 0.0.0.0
network 10.110.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.5.0 0.0.0.255
#
pim

static-rp 192.168.4.2
#
return

#
sysname SwitchB
#
#
vlan batch 40 90
#
interface Vlanif40
ip address 10.110.2.1 255.255.255.0
pim sm
igmp enable
#
interface Vlanif90
ip address 192.168.2.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
pim
static-rp 192.168.4.2
#
return

#
sysname SwitchC
#
vlan batch 40 50
#
#
interface Vlanif40
ip address 10.110.2.2 255.255.255.0
pim sm
igmp enable
#
interface Vlanif50
ip address 192.168.3.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255

network 192.168.3.0 0.0.0.255

#
pim
static-rp 192.168.2.2
#
return

#
sysname SwitchD
#
#
#
interface Vlanif30
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif60
ip address 192.168.4.1 255.255.255.0
pim sm
#
interface Vlanif70
ip address 10.110.4.1 255.255.255.0
pim bsr-boundary
pim sm
#
interface Vlanif80
ip address 10.110.3.1 255.255.255.0
pim sm
#
#
#
#
#
ospf 1
area 0.0.0.0
network 10.110.3.0 0.0.0.255
network 10.110.4.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
pim
static-rp 192.168.4.2
#
return

#
sysname SwitchE
#
#

#
acl number 2008
#
interface Vlanif10
ip address 192.168.5.2 255.255.255.0
pim sm
#
interface Vlanif50
ip address 192.168.3.2 255.255.255.0
pim sm
#
interface Vlanif60
ip address 192.168.4.2 255.255.255.0
pim sm
#
interface Vlanif90
ip address 192.168.2.2 255.255.255.0
pim sm
#
#
#
#
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
network 192.168.5.0 0.0.0.255
#
pim
c-bsr Vlanif90
c-rp Vlanif90 group-policy 2008
static-rp 192.168.4.2
#
return
6.3.2 Example for Configuring PIM-SM in the SSM Model
As shown in Figure 6-7, HostA wants to receive multicast data from S1 and S2, while HostB
wants to receive multicast data from S2.

Figure 6-7 Networking diagram for configuring PIM-SM in the SSM model
PIM-SM
SwitchA
10.110.4.1/24 192.168.1.1/24 10.110.1.1/24
GE0/0/1 GE0/0/2 GE0/0/3
GE0/0/2
S1 VLANIF30
GE0/0/1
SwitchF 192.168.1.2/24 HostA
Source VLANIF10
192.168.5.1/24 Receiver
SwitchE 192.168.5.2/24
VLANIF10
10.110.3.1/24 192.168.4.2/24 GE0/0/1 192.168.2.1/24 10.110.2.1/24
GE0/0/1 GE0/0/4 GE0/0/1 GE0/0/2
GE0/0/4 GE0/0/3
S2 VLANIF60 VLANIF90
SwitchD 192.168.4.1/24 GE0/0/2 SwitchB
VLANIF50 192.168.2.2/24
Source
192.168.3.2/24 HostB
192.168.3.1/24 Receiver
VLANIF50
GE0/0/2
SwitchC
GE0/0/1
VLANIF40
10.110.2.2/24
Configure the PIM-SM protocol on the switches to enable them to provide the SSM service for
user hosts on the network. Then hosts in a multicast group can receive multicast data sent from
specified sources to this group.
1. Configure an IP address for each interface and a unicast routing protocol. PIM is an intra-
domain multicast routing protocol that depends on unicast routing protocols.
2. Enable the multicast function on switches providing multicast services. Before configuring
PIM-SM, you must enable the multicast function.
3. Enable PIM-SM on all interfaces. You can configure other PIM-SM functions only after
PIM-SM is enabled.
4. Enable IGMP on interfaces that connect the switch and hosts and set the IGMP version to
IGMPv3. A receiver can join and leave a multicast group of a specified source by sending
IGMP messages. The leaf switches maintain the multicast member relationship through
IGMP.
NOTE
If both PIM-SM and IGMP need to be configured on interfaces that connect the switch and hosts,
you must configure PIM-SM first, and then configure IGMP.
5. Enable PIM silent on interfaces that connect the switch and hosts to prevent malicious hosts
from simulating sending PIM Hello packets. In this manner, security of PIM-SM domain
is ensured.

NOTE
If the user host network segment connects to multiple switches, do not enable PIM silent on interfaces
that connect these switches and user hosts. For example, PIM silent cannot be enabled on SwitchB
and Switch C.
6. Configure the address range for SSM groups on each switch. Ensure that switches in the
PIM-SM domain provide services only for multicast groups in the range of SSM group
addresses. In this manner, multicast can be controlled effectively.
NOTE
SSM group address range configured on each switch must be the same.
Procedure
Step 1 Configure an IP address for each interface and a unicast routing protocol.
# Configure the IP address and mask for each interface shown in Figure 6-7, and configure
OSPF on each switch to ensure that switches can communicate at the network layer and can
dynamically update routes through the unicast routing protocol. The configuration details are
not provided here. The configuration of SwitchB, SwitchC, SwitchD, SwitchE, and SwitchF are
similar to the configuration of SwitchA, and are not mentioned.
[SwitchA] ospf
Step 2 Enable multicast, and enable PIM-SM on all interfaces.
# Enable multicast on all switches and PIM-SM on all interfaces. The configuration of SwitchB,
SwitchC, SwitchD,SwitchE, and SwitchF are similar to the configuration of SwitchA, and are
not mentioned.


Step 3 Enable IGMP on interfaces that connect the switch and hosts and set the IGMP version to
IGMPv3.
# Enable IGMP on interfaces that connect SwitchA and user hosts. The configuration of SwitchB
and SwitchC are similar to the configuration of SwitchA, and are not mentioned here.
[SwitchA-Vlanif20] igmp version 3
Step 4 Enable PIM silent on interfaces on SwitchA.

[SwitchA-Vlanif20] pim silent
Step 5 Configure the address range for SSM groups.

# Set the address of SSM group to range from 232.1.1.0 to 232.1.1.255 on all switches. The
configuration of SwitchB, SwitchC, SwitchD, SwitchE and SwitchF are similar to the
[SwitchA-acl-basic-2000] rule permit source 232.1.1.0 0.0.0.255
[SwitchA] pim
[SwitchA-pim] ssm-policy 2000

# Run the display pim interface command to check the PIM configuration and status. The PIM
information on SwitchC is displayed as follows:
Vlanif40 up 1 30 1 10.110.2.2 (local)
Vlanif50 up 1 30 1 192.168.3.2
# Run the display pim routing-table command to view the PIM routing table. HostA receives
information sent from multicast source 10.110.3.100/24 and 10.110.4.100/24 to the multicast
group 232.1.1.1/24. HostB receives information sent from multicast source 10.110.3.100/24 to
multicast group 232.1.1.1/24. The following information is displayed.
Total 2 (S, G) entry
(10.110.3.100, 232.1.1.1)
Protocol: pim-ssm, Flag: SG_RCVCR
UpTime: 00:13:46
1: Vlanif20
(10.110.4.100, 232.1.1.1)


UpTime: 00:00:42
1: Vlanif20
(10.110.3.100, 232.1.1.1)
UpTime: 00:10:12

(10.110.3.100, 232.1.1.1)
Protocol: pim-ssm, Flag:
UpTime: 00:01:25
1: Vlanif40
Protocol: pim-ssm, UpTime: 00:01:25, Expires:-

(10.110.3.100, 232.1.1.1)
Protocol: pim-ssm, Flag: LOC
UpTime: 00:00:42
1: Vlanif60

(10.110.3.100, 232.1.1.1)
UpTime: 00:13:16
Upstream interface: Vlanif 60
1: Vlanif10
Protocol: pim-ssm, UpTime: 00:13:16, Expires: 00:02:21
2: Vlanif50


3: Vlanif90
[SwitchF] display pim routing-table

(10.110.4.100, 232.1.1.1)
UpTime: 00:13:16
Upstream interface: Vlanif 70
1: Vlanif30
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 30
#
#
acl number 2000
#
interface Vlanif10
ip address 192.168.5.1 255.255.255.0
pim sm
#
interface Vlanif20
ip address 10.110.1.1 255.255.255.0
pim silent
pim sm
igmp enable
igmp version 3
#
interface vlanif 30
ip address 192.168.1.1 255.255.255.0
pim sm
#
#
#
#
ospf 1
area 0.0.0.0
network 10.110.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.5.0 0.0.0.255

#
pim
ssm-policy 2000
#
return

#
sysname SwitchB
#
#
vlan batch 40 90
#
acl number 2000
#
interface Vlanif40
ip address 10.110.2.1 255.255.255.0
pim sm
#
interface Vlanif90
ip address 192.168.2.1 255.255.255.0
pim sm
igmp enable
igmp version 3
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
pim
ssm-policy 2000
#
return

#
sysname SwitchC
#
vlan batch 40 50
#
#
acl number 2000
#
interface Vlanif40
ip address 10.110.2.2 255.255.255.0
pim sm
igmp enable
igmp version 3
#
interface Vlanif50
ip address 192.168.3.1 255.255.255.0
pim sm
#


#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
pim
ssm-policy 2000
#
return

#
sysname SwitchD
#
vlan batch 60 80
#
#
acl number 2000
#
interface Vlanif60
ip address 192.168.4.1 255.255.255.0
pim sm
#
interface Vlanif80
ip address 10.110.3.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
pim
ssm-policy 2000
#
return

#
sysname SwitchE
#
#
#
acl number 2000
#
interface Vlanif10
ip address 192.168.5.2 255.255.255.0

pim sm
#
interface Vlanif50
ip address 192.168.3.2 255.255.255.0
pim sm
#
interface Vlanif60
ip address 192.168.4.2 255.255.255.0
pim sm
#
interface Vlanif90
ip address 192.168.2.2 255.255.255.0
pim sm
#
#
#
#
#
ospf 1
area 0.0.0.0
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
network 192.168.5.0 0.0.0.255
#
pim
ssm-policy 2000
#
return

#
sysname SwitchF
#
vlan batch 30 70
#
#
acl number 2000
#
interface Vlanif30
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif70
ip address 10.110.4.1 255.255.255.0
pim sm
#
#


#
ospf 1
area 0.0.0.0
network 10.110.4.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
pim
ssm-policy 2000
#
return
6.3.3 Example for Configuring PIM BFD
In Figure 6-8, basic PIM-SM configuration has been completed on the Switches. User hosts
receive multicast data from the multicast source. SwitchA is the source DR. SwitchB and
SwitchC are connected to the user host network segment. When the receiver DR changes, other
switches are required to fast respond to the change.
You can set up BFD sessions on the user host network segment so that switches can fast respond
to the change of the DR. In addition, you can configure the DR switchover delay. When a
Switch is added to the network segment and may become a DR, the multicast routing table of
the original DR is reserved until routing entries of the new DR are created. Therefore, the packet
loss due to the delay in creating multicast entries is prevented.
NOTE
After the DR switchover delay is configured, the downstream receivers may receive two copies of the same
data during the DR switchover, which will trigger the assert mechanism. To prevent triggering the assert
mechanism, it is recommended that DR switchover delay is not configured.
Figure 6-8 Networking diagram for configuring PIM BFD on the shared network segment
SwitchA
Source
10.1.7.1/24 PIM-SM
10.1.3.1/24
VLANIF200
GE0/0/1
10.1.2.1/24
VLANIF200 SwitchC
GE0/0/1
SwitchB GE0/0/2
VLANIF100
GE0/0/2 10.1.1.2/24
VLANIF100
10.1.1.1/24
VLAN 100
HostA HostB

1. Configure PIM BFD on interfaces that connect the Switch to the user host network segment.
2. Configure the PIM DR switchover delay on interfaces that connect the Switch to the user
host network segment.
NOTE
This configuration example describes only relevant PIM-SM BFD commands.
Procedure
Step 1 Enable BFD globally and configure PIM BFD in the interface view.
Enable BFD globally on SwitchB and SwitchC and enable PIM BFD on interfaces connecting
to the user host network segment and configure PIM BFD parameters. The configuration of
SwitchC is similar to the configuration of SwitchB, and is not mentioned here.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB-Vlanif100] pim bfd enable
[SwitchB-Vlanif100] pim bfd min-tx-interval 100 min-rx-interval 100 detect-
multiplie 3
Step 2 Configure the PIM DR switchover delay.
# Configure the PIM DR delay on SwitchB and SwitchC. The configuration of SwitchC is similar
to the configuration of SwitchB, and is not mentioned.
[SwitchB-Vlanif100] pim timer dr-switch-delay 20
Run the display pim interface verbose command to check information on the PIM-enabled
interface. The information about the PIM-enabled interface on SwitchB indicates that the DR
on the host network segment is SwitchC. PIM BFD is enabled on the interface and the switchover
delay is configured.
<SwitchB> display pim interface vlanif100 verbose
Interface: Vlanif100, 10.1.1.1
PIM version: 2
PIM mode: Sparse
PIM state: up
PIM DR: 10.1.1.2
PIM DR Priority (configured): 1
PIM neighbor count: 1
PIM hello interval: 30 s
PIM LAN delay (negotiated): 500 ms
PIM LAN delay (configured): 500 ms
PIM hello override interval (negotiated): 2500 ms
PIM hello override interval (configured): 2500 ms
PIM Silent: disabled
PIM neighbor tracking (negotiated): disabled
PIM neighbor tracking (configured): disabled
PIM generation ID: 0XF5712241
PIM require-GenID: disabled

PIM hello hold interval: 105 s

PIM assert hold interval: 180 s
PIM triggered hello delay: 5 s
PIM J/P interval: 60 s
PIM J/P hold interval: 210 s
PIM BSR domain border: disabled
PIM BFD: enable
PIM BFD min-tx-interval: 100 ms
PIM BFD min-rx-interval: 100 ms
PIM BFD detect-multiplier: 3
PIM dr-switch-delay timer : 20 s
Number of routers on link not using DR priority: 0
Number of routers on link not using LAN delay: 0
Number of routers on link not using neighbor tracking: 2
ACL of PIM neighbor policy: -
ACL of PIM ASM join policy: -
ACL of PIM SSM join policy: -
ACL of PIM join policy: -
# Run the display pim bfd session command to check information about the BFD session on
each Switch. You can check whether the BRD session is set up.
<SwitchB> display pim bfd session
Total 1 BFD session Created
Vlanif100 (10.1.1.1): Total 1 BFD session Created
Neighbor ActTx(ms) ActRx(ms) ActMulti Local/Remote State

10.1.1.2 100 100 3 8192/8192 Up
# Run the display pim routing-table command to view the PIM routing table. SwitchC functions
as the DR. The (S, G) and (*, G) entries exist. The following information is displayed.
<SwitchC> display pim routing-table
(*, 225.1.1.1)
RP: 10.1.5.2
UpTime: 00:13:46
1: Vlanif100,
(10.1.7.1, 225.1.1.1)
RP: 10.1.5.2
UpTime: 00:00:42
1: Vlanif100
----End

Configuration Files
l SwitchA needs to be configured with only basic PIM SM functions. The configuration file
is not provided here.
l SwitchB has the following configuration file. The configuration file of SwitchC is similar
to that of SwitchB and is not provided here.
#
sysname SwitchB
#
vlan batch 100 200
#
#
bfd
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
pim timer dr-switch-delay 20
pim sm
pim bfd enable
pim bfd min-tx-interval 100 min-rx-interval 100
igmp enable
#
interface Vlanif200
ip address 10.1.2.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#
return
6.4 MSDP Configuration

The MSDP protocol is used to implement multicast routing and data forwarding between PIM-
SM domains and anycast RP in a PIM-SM domain.
6.4.1 Example for Configuring PIM-SM Inter-domain Multicast

Using MSDP
As shown in Figure 6-9, two ASs exist on the network. Each AS contains at least one PIM-SM
domain and each PIM-SM domain may contain no or one multicast source and receiver. The
receiver in PIM-SM2 domain wants to receive the multicast data sent by both S3 in PIM-SM3
and S1 in PIM-SM1.

Figure 6-9 Networking diagram of PIM-SM inter-domain multicast
AS100 AS200
Receiver
Loopback0
Loopback0 PIM-SM2
GE0/0/2 GE0/0/1 GE0/0/1 GE0/0/2
GE0/0/2 GE0/0/2
GE0/0/1 SwitchB GE0/0/3 SwitchD
PIM-SM1
SwitchF
S1 GE0/0/3
GE0/0/2
GE0/0/2
GE0/0/1
SwitchE
PIM-SM3
Loopback0 S3
MSDP peer
Switch Interfaces and IP Addresses Switch Interfaces and IP Addresses
SwitchA SwitchA SwitchB Loopback0

GE0/0/2
1.1.1.1/32
VLANIF100
192.168.1.1/24
GE0/0/2 GE0/0/1
GE0/0/1 VLANIF100 VLANIF200
VLANIF101 192.168.1.2/24 192.168.2.1/24
10.110.1.1/24
SwitchB
SwitchC Loopback0 SwitchD

2.2.2.2/32 GE0/0/1
192.168.3.1/24 VLANIF102
VLANIF300 10.110.2.1/24
GE0/0/2 GE0/0/2
GE0/0/1 VLANIF300
VLANIF200 192.168.3.2/24
192.168.2.2/24 GE0/0/3
VLANIF400 SwitchD
192.168.4.1/24
SwitchC

SwitchE SwitchF SwitchF

GE0/0/3
VLANIF400 GE0/0/2
192.168.4.2/24 VLANIF500
GE0/0/2 192.168.5.2/24 GE0/0/1
SwitchE VLANIF103
VLANIF500
192.168.5.1/24 10.110.3.1/24
Loopback0
3.3.3.3/32
Configure MSDP, and set up MSDP peer relationships between RPs in PIM-SM domains to
implement inter-domain multicast.
1. Configure IP addresses for the interfaces on each switch. Configure OSPF in the ASs to
ensure route reachability within each AS.
2. Configure EBGP peers between ASs and import BGP and OSPF routes into each other's
routing table to ensure route reachability between ASs.
3. Enable multicast routing and PIM-SM on each interface. Configure a BSR boundary to
divide the PIM-SM domain and enable IGMP on interfaces connected to network segments
of receiver hosts.
4. Configure C-BSRs and C-RPs. Configure the RPs in PIM-SM1 and PIM-SM2 on the
ASBRs.
5. Set up MSDP peer relationships between RPs in PIM-SM domains. According to the RPF
rule, switches receive SA messages from the next hop destined for the source RP.
Procedure
# According to Figure 6-9, configure IP addresses and masks for the interfaces on each
switch. Configure OSPF between switches. Ensure network connectivity in each AS and enable
each switch to update routes using the unicast routing protocol. The configuration details are
not mentioned here.
Step 2 Configure EBGP peers between ASs and import routes of BGP and OSPF into each other's
routing table.
# Configure EBGP on SwitchB and import OSPF routes to BGP.

[SwitchB] bgp 100
[SwitchB-bgp] import-route ospf 1
[SwitchB-bgp] quit
# Configure EBGP on SwitchC and import OSPF routes to BGP.

[SwitchC] bgp 200

[SwitchC-bgp] import-route ospf 1

[SwitchC-bgp] quit
# Import BGP routes to OSPF on SwitchB. The configuration on SwitchC is similar to the
configuration on SwitchB, and is not mentioned here.
[SwitchB] ospf 1
[SwitchB-ospf-1] import-route bgp
Step 3 Enable multicast routing, enable PIM-SM on all interfaces. Configure a BSR boundary to divide
the PIM-SM domain and enable IGMP on interfaces connected to network segments of receiver
hosts.
# Enable multicast routing on SwitchB and enable PIM-SM on each interface. The configurations
on other switches are similar to the configuration on SwitchB, and are not mentioned here.
# Configure a BSR boundary on VLANIF200 of SwitchB.

[SwitchB-Vlanif200] pim bsr-boundary
# Configure BSR boundaries on VLANIF200 and VLANIF400 of SwitchC. Configure a BSR

boundary on VLANIF400 of SwitchE. The configurations on SwitchC and SwitchE are similar
to the configuration on SwitchB, and are not mentioned here.
# Enable IGMP on the interface connecting to SwitchD to the user network segment.
[SwitchD-Vlanif102] igmp enable
Step 4 Configure C-BSRs and C-RPs.
# Create a Loopback0 interface, and then configure the C-BSR and C-RP on Loopback0 of
SwitchB. The configurations on SwitchC and SwitchE are similar to the configuration on
SwitchB, and are not mentioned here.
[SwitchB] interface loopback 0
[SwitchB-LoopBack0] ip address 1.1.1.1 255.255.255.255
[SwitchB-LoopBack0] pim sm
[SwitchB] pim
[SwitchB-pim] c-bsr loopback 0
[SwitchB-pim] c-rp loopback 0
[SwitchB-pim] quit
# Configure an MSDP peer on SwitchB.

[SwitchB] msdp
[SwitchB-msdp] peer 192.168.2.2 connect-interface vlanif200
[SwitchB-msdp] quit
# Configure MSDP peers on SwitchC.

[SwitchC] msdp
[SwitchC-msdp] peer 192.168.2.1 connect-interface vlanif200
[SwitchC-msdp] quit
# Configure an MSDP peer on SwitchE.

[SwitchE] msdp
[SwitchE-msdp] peer 192.168.4.1 connect-interface vlanif400
[SwitchE-msdp] quit
# Run the display bgp peer command to view the BGP peer relationships among switches. The
following output shows the BGP peers of SwitchB and SwitchC:
<SwitchB> display bgp peer

Peer V AS MsgRcvd MsgSent OutQ Up/Down State

PrefRcv
192.168.2.2 4 200 24 21 0 00:13:09 Established 6
<SwitchC> display bgp peer


PrefRcv
192.168.2.1 4 100 18 16 0 00:12:04 Established 1
# Run the display bgp routing-table command to view the BGP routing table on a switch. The
following output shows the BGP routing table on SwitchC:
<SwitchC> display bgp routing-table


*> 1.1.1.1/32 192.168.2.1 0 0 100?

*> 2.2.2.2/32 0.0.0.0 0 0 ?
*> 192.168.2.0 0.0.0.0 0 0 ?
*> 192.168.2.1/32 0.0.0.0 0 0 ?
*> 192.168.2.2/32 0.0.0.0 0 0 ?
# Run the display msdp brief command to view the status of the MSDP peers on switches. The
following output shows summary information about MSDP peers on SwitchB, SwitchC and
SwitchE:
<SwitchB> display msdp brief
1 1 0 0 0 0


192.168.2.2 Up 00:12:27 200 13 0
<SwitchC> display msdp brief
2 2 0 0 0 0

192.168.2.1 Up 01:07:08 100 8 0
192.168.4.2 Up 00:06:39 ? 13 0
<SwitchE> display msdp brief
1 1 0 0 0 0
192.168.4.1 Up 00:15:32 ? 8 0
# Run the display msdp peer-status command to view the details about MSDP peers on
switches. The following output shows the details about the MSDP peer of SwitchB:
<SwitchB> display msdp peer-status
MSDP Peer 192.168.2.2, AS 200
Description:
Information about connection status:
State: Up
Up/down time: 00:15:47
Resets: 0
Connection interface: vlanif200 (192.168.2.1)
Number of sent/received messages: 16/16
Number of discarded output messages: 0
Elapsed time since last connection or counters clear: 00:17:51
Information about (Source, Group)-based SA filtering policy:
Import policy: none
Export policy: none
Information about SA-Requests:
Policy to accept SA-Request messages: none
Sending SA-Requests status: disable
Minimum TTL to forward SA with encapsulated data: 0
SAs learned from this peer: 0, SA-cache maximum for the peer: none
Input queue size: 0, Output queue size: 0
Counters for MSDP message:
Count of RPF check failure: 0
Incoming/outgoing SA messages: 0/0
Incoming/outgoing SA requests: 0/0
Incoming/outgoing SA responses: 0/0
Incoming/outgoing data packets: 0/0
Peer authentication: unconfigured
Peer authentication type: none
# Run the display pim routing-table command to view the PIM routing table on a switch. When
S1 (10.110.1.2/24) in PIM-SM1 and S3 (10.110.3.2/24) in PIM-SM3 send multicast data to
multicast group G (225.1.1.1), Receiver (10.110.2.2/24) in PIM-SM2 receives the multicast data
sent to G. The following output shows the PIM routing tables on SwitchB and SwitchC:
<SwitchB> display pim routing-table
(10.110.1.2, 225.1.1.1)
RP: 1.1.1.1(local)
Protocol: pim-sm, Flag: SPT EXT ACT
UpTime: 00:00:42

1: vlanif200
Total 1 (*, G) entry; 2 (S, G) entries
(*, 225.1.1.1)
RP: 2.2.2.2(local)
Protocol: pim-sm, Flag: WC RPT
UpTime: 00:13:46
Upstream interface: NULL,
1: vlanif300,
(10.110.1.2, 225.1.1.1)
RP: 2.2.2.2
Protocol: pim-sm, Flag: SPT MSDP ACT
UpTime: 00:00:42
1: vlanif300
(10.110.3.2, 225.1.1.1)
RP: 2.2.2.2
Protocol: pim-sm, Flag: SPT MSDP ACT
UpTime: 00:00:42
1: vlanif300
----End
Configuration Files
#
sysname SwitchA
#
#
#
interface Vlanif100
ip address 192.168.1.1 255.255.255.0
pim sm
#
interface Vlanif101
ip address 10.110.1.1 255.255.255.0
pim sm
#
#


#
ospf 1
area 0.0.0.0
network 10.110.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return

#
sysname SwitchB
#
vlan batch 100 200
#
#
interface Vlanif100
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
pim bsr-boundary
pim sm
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
pim sm
#
#
#
bgp 100
router-id 1.1.1.1
#
ipv4-family unicast
import-route ospf 1
#
ospf 1
import-route bgp
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
#
pim
c-bsr LoopBack0
c-rp LoopBack0
#
msdp
#
return

#
sysname SwitchC
#

#
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
pim bsr-boundary
pim sm
#
interface Vlanif300
ip address 192.168.3.1 255.255.255.0
pim sm
#
interface Vlanif400
ip address 192.168.4.1 255.255.255.0
pim bsr-boundary
pim sm
#
#
#
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
pim sm
#
bgp 200
router-id 2.2.2.2
#
ipv4-family unicast
import-route ospf 1
#
ospf 1
import-route bgp
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 192.168.3.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
pim
c-bsr LoopBack0
c-rp LoopBack0
#
msdp
#
return

#
sysname SwitchD
#
vlan batch 102 300
#
#

interface Vlanif102
ip address 10.110.2.1 255.255.255.0
pim sm
igmp enable
#
interface Vlanif300
ip address 192.168.3.2 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
return

#
sysname SwitchE
#
vlan batch 400 500
#
#
interface Vlanif400
ip address 192.168.4.2 255.255.255.0
pim bsr-boundary
pim sm
#
interface Vlanif500
ip address 192.168.5.1 255.255.255.0
pim sm
#
#
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 192.168.4.0 0.0.0.255
network 192.168.5.0 0.0.0.255
#
pim
c-bsr LoopBack0
c-rp LoopBack0
#
msdp
#
return


#
sysname SwitchF
#
vlan batch 103 500
#
#
interface Vlanif103
ip address 10.110.3.1 255.255.255.0
pim sm
#
interface Vlanif500
ip address 192.168.5.2 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.3.0 0.0.0.255
network 192.168.5.0 0.0.0.255
#
return
6.4.2 Example for Configuring Inter-AS Multicast Using Static RPF

Peers
As shown in Figure 6-10, two ASs exist on the network. Each AS contains at least one PIM-
SM domain and each PIM-SM domain may contain no or one multicast source and receiver.
Source information needs to be transmitted across PIM-SM domains without changing unicast
topology.

Figure 6-10 Networking diagram of inter-AS multicast using static RPF peers
AS100 AS200
Loopback0
SwitchE
GE0/0/1
GE0/0/2 GE0/0/1
Loopback0
GE0/0/3 SwitchD
SwitchC GE0/0/2 PIM-SM2
GE0/0/1 Receiver
GE0/0/1
GE0/0/2 SwitchB Receiver
PIM-SM1 Loopback0
GE0/0/2
SwitchG GE0/0/3
GE0/0/1 GE0/0/1 GE0/0/2
GE0/0/3
SwitchF GE0/0/2
S1 SwitchA GE0/0/1
PIM-SM3
S2
BGP peers
SwitchA GE0/0/2 SwitchB GE0/0/1 GE0/0/2

VLANIF400
VLANIF100 VLANIF200
192.168.4.2/24
192.168.1.2/24 192.168.2.2/24
SwitchB
GE0/0/3 GE0/0/1
VLANIF101 VLANIF500
10.110.1.1/24 192.168.5.2/24
SwitchA

SwitchC Loopback0 SwitchD Loopback0

1.1.1.1/32 2.2.2.2/32
GE0/0/1 GE0/0/1
SwitchC
VLANIF100 VLANIF300
192.168.1.1/24 192.168.3.2/24
GE0/0/2 SwitchD
VLANIF400
192.168.4.1/24
SwitchE SwitchE 192.168.3.1/24

SwitchF Loopback0
VLANIF300 3.3.3.3/32
GE0/0/2 GE0/0/1
VLANIF200
192.168.2.1/24 GE0/0/1 GE0/0/2
GE0/0/3
10.110.2.1/24 192.168.5.1/24 192.168.6.1/24
SwitchF
SwitchG
GE0/0/3
VLANIF104
10.110.4.1/24
GE0/0/2
SwitchG
VLANIF600
192.168.6.2/24
GE0/0/1
VLANIF103
10.110.3.1/24
Configure an MSDP peer on the RP in each PIM-SM domain and specify static RPF peers for
the MSDP peers to transmit source information across PIM-SM domains without changing
unicast topology.
1. Configure IP addresses for the interfaces on each switch, configure OSPF in the ASs,
configure EBGP between ASs, and import BGP and OSPF routes into each other's routing
table.
2. Enable multicast on all switches and PIM-SM on all interfaces, and enable IGMP on
interfaces connected to network segments of receiver hosts. Configure Loopback0
interfaces, C-BSRs, and C-RPs on switches. Configure Loopback0 interfaces on SwitchC,
SwitchD, and SwitchF as the C-BSR and the C-RP of each PIM-SM domain.
3. Set up MSDP peer relationships between RPs in PIM-SIM domains. Set up the MSDP peer
relationship between SwitchC and SwitchD, and between SwitchC and SwitchF.

4. Specify static RPF peers for the MSDP peers. Specify SwitchD and SwitchF as the static
RPF peers of SwitchC. Specify SwitchC as the only static RPF peer of SwitchD and
SwitchF. According to RPF rules, switches accept SA messages from static RPF peers.
Procedure
# According to Figure 6-10, configure IP addresses and masks for the interfaces on each
switch. Configure OSPF in the ASs. Configure EBGP between SwitchA and SwitchF, and
between SwitchB and SwitchE. Import BGP and OSPF routes into each other's routing table.
Ensure network connectivity between switches and enable switches to update routes using the
unicast routing protocol. The configuration details are not mentioned here.
Step 2 Enable multicast routing on all switches and PIM-SM on all interfaces, and enable IGMP on
interfaces connected to network segments of receiver hosts. In addition, configure the BSR
boundary on the interfaces of switches on the AS boundary.
# Enable multicast routing on switches and enable PIM-SM on each interface. The configurations
on other switches are similar to the configuration on SwitchC, and are not mentioned here.
# Enable IGMP on VLANIF102 of SwitchE. The configuration on SwitchG is similar to the

configuration on SwitchE, and is not mentioned here.
[SwitchE] interface vlanif 102
[SwitchE-Vlanif102] igmp enable
[SwitchE-Vlanif102] quit
# Configure a BSR boundary on VLANIF500 of SwitchA, VLANIF200 of SwitchB,

VLANIF200 of SwitchE, and VLANIF500 of SwitchF. The configurations on SwitchB,
SwitchE, and SwitchF are similar to the configuration on SwitchA, and are not mentioned here.
[SwitchA-Vlanif500] pim bsr-boundary
Step 3 Configure Loopback0 interfaces, C-BSRs, and C-RPs on switches.

# Configure Loopback0 interfaces on SwitchC, SwitchD, and SwitchF. Configure Loopback0
interfaces as C-BSRs and C-RPs. The configurations on SwitchD and SwitchF are similar to the
configuration on SwitchC, and are not mentioned here.
[SwitchC-LoopBack0] ip address 1.1.1.1 255.255.255.255
[SwitchC-LoopBack0] pim sm
[SwitchC] pim
[SwitchC-pim] c-bsr loopback 0
[SwitchC-pim] c-rp loopback 0
[SwitchC-pim] quit
Step 4 Configure static RPF peers.

# Configure SwitchD and SwitchF as the static RPF peers of SwitchC.

[SwitchC] ip ip-prefix list-df permit 192.168.0.0 16 greater-equal 16 less-equal

32
[SwitchC] msdp
[SwitchC-msdp] static-rpf-peer 192.168.3.2 rp-policy list-df
[SwitchC-msdp] static-rpf-peer 192.168.5.1 rp-policy list-df
[SwitchC-msdp] quit
# Configure SwitchC as the only static RPF peer of SwitchD and SwitchF. The configuration
on SwitchF is similar to the configuration on SwitchD, and is not mentioned here.
[SwitchD] ip ip-prefix list-c permit 192.168.0.0 16 greater-equal 16 less-equal 32
[SwitchD] msdp
[SwitchD-msdp] peer 192.168.1.1 connect-interface vlanif300
[SwitchD-msdp] static-rpf-peer 192.168.1.1 rp-policy list-c
[SwitchD-msdp] quit
# Run the display bgp peer command to view the BGP peer relationships among switches. No
command output is displayed on SwitchC, which indicates that no BGP peer relationship is set
up between SwitchC and SwitchD, or between SwitchC and SwitchF.
# Run the display msdp brief command to view the status of the MSDP peers on switches.
When S1 in the PIM-SM1 domain sends multicast data, the receivers in PIM-SM2 and PIM-
SM3 domains can receive the data. The following output shows summary information about
MSDP peers on SwitchC, SwitchD and SwitchF:
2 2 0 0 0 0

192.168.3.2 Up 01:07:08 ? 8 0
192.168.5.1 Up 00:16:39 ? 13 0
<SwitchD> display msdp brief
1 1 0 0 0 0

192.168.1.1 Up 01:07:09 ? 8 0
<SwitchF> display msdp brief
1 1 0 0 0 0

192.168.4.1 Up 00:16:40 ? 13 0
----End
Configuration Files
l SwitchConfiguration file of A
#
sysname SwitchA
#
#
#

interface Vlanif101
ip address 10.110.1.1 255.255.255.0
pim sm
#
interface Vlanif400
ip address 192.168.4.2 255.255.255.0
pim sm
#
interface Vlanif500
ip address 192.168.5.2 255.255.255.0
pim bsr-boundary
pim sm
#
#
#
#
bgp 100
router-id 1.1.1.3
#
ipv4-family unicast
import-route ospf 1
#
ospf 1
import-route bgp
network 10.110.1.0 0.0.0.255
network 192.168.4.0 0.0.0.255
network 192.168.5.0 0.0.0.255
#
return

#
sysname SwitchB
#
vlan batch 100 200
#
#
interface Vlanif100
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
pim bsr-boundary
pim sm
#
#
#

bgp 100
router-id 1.1.1.2
#
ipv4-family unicast
import-route ospf 1
#
ospf 1
import-route bgp
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

#
sysname SwitchC
#
vlan batch 100 400
#
#
interface Vlanif100
ip address 192.168.1.1 255.255.255.0
pim sm
#
interface Vlanif 400
ip address 192.168.4.1 255.255.255.0
pim sm
#
#
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.4.0 0.0.0.255
#
pim
c-bsr LoopBack0
c-rp LoopBack0
#
ip ip-prefix list-df index 10 permit 192.168.0.0 16 greater-equal 16 less-equal
32
#
msdp
static-rpf-peer 192.168.3.2 rp-policy list-df
static-rpf-peer 192.168.5.1 rp-policy list-df
#
return

#
sysname SwitchD
#
vlan batch 300
#
#
interface Vlanif300
ip address 192.168.3.2 255.255.255.0
pim sm
#
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 192.168.3.0 0.0.0.255
#
pim
c-bsr LoopBack0
c-rp LoopBack0
#
ip ip-prefix list-c index 10 permit 192.168.0.0 16 greater-equal 16 less-equal
32
#
msdp
static-rpf-peer 192.168.1.1 rp-policy list-c
#
return

#
sysname SwitchE
#
#
#
interface Vlanif102
ip address 10.110.2.1 255.255.255.0
pim sm
igmp enable
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
pim bsr-boundary
pim sm
#
interface Vlanif300
ip address 192.168.3.1 255.255.255.0
pim sm
#
#
#

#
bgp 200
router-id 2.2.2.1
#
ipv4-family unicast
import-route ospf 1
#
ospf 1
import-route bgp
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
return

#
sysname SwitchF
#
vlan batch 500 600
#
#
interface Vlanif500
ip address 192.168.5.1 255.255.255.0
pim bsr-boundary
pim sm
#
interface Vlanif600
ip address 192.168.6.1 255.255.255.0
pim sm
#
#
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
pim sm
#
bgp 200
router-id 3.3.3.3
#
ipv4-family unicast
import-route ospf 1
#
ospf 1
import-route bgp
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 192.168.5.0 0.0.0.255
network 192.168.6.0 0.0.0.255
#

pim
c-bsr LoopBack0
c-rp LoopBack0
#
ip ip-prefix list-c index 10 permit 192.168.0.0 16 greater-equal 16 less-equal
32
#
msdp
static-rpf-peer 192.168.4.1 rp-policy list-c
#
return
l Configuration file of SwitchG

#
sysname SwitchG
#
vlan batch 103 to 104 600
#
#
interface Vlanif103
ip address 10.110.3.1 255.255.255.0
pim sm
#
interface Vlanif104
ip address 10.110.4.1 255.255.255.0
pim sm
igmp enable
#
interface Vlanif600
ip address 192.168.6.2 255.255.255.0
pim sm
#
#
#
#
ospf 1
area 0.0.0.0
network 10.110.3.0 0.0.0.255
network 10.110.4.0 0.0.0.255
network 192.168.6.0 0.0.0.255
#
return
6.4.3 Example for Configuring Anycast RP in a PIM-SM Domain
As shown in Figure 6-11, a PIM-SM domain contains multiple multicast sources and receivers.
RPs in a PIM-SM domain need to be configured as MSDP peers to perform load balancing.

Figure 6-11 Networking diagram of anycast RP
PIM-SM
User2 SwitchB
GE0/0/2
10 LA E0/0
S1 VLANIF102
V G
.1 NI /1
10 F1
10.110.2.2/24
.6 06
.1
10.110.3.1/24 10.1.1.1/32
/2
4
10.110.5.1/24 VLANIF103 Loopback10 10.110.2.1/24
VLANIF105 GE0/0/3 VLANIF102
GE0/0/1 GE0/0/2
Loopback1
4.4.4.4/32 SwitchD
SwitchA
GE0/0/2 GE0/0/1
VLANIF101 VLANIF300 S2
10.110.1.2/24 192.168.3.1/24
Loopback0
1.1.1.1/32 2.2.2.2/32
10.110.1.1/24 Loopback0 192.168.3.2/24
VLANIF101 VLANIF300
GE0/0/2 192.168.1.1/24 GE0/0/1
VLANIF100
Loopback1 GE0/0/1 GE0/0/2
3.3.3.3/32 VLANIF100
GE0/0/3 192.168.1.2/24
SwitchC VLANIF104 SwitchE
Loopback10 10.110.4.1/24
10.1.1.1/32
User1
MSDP peers
Configure anycast RPs using MSDP so that the receiver sends a Join message to the closest RP
and the multicast source sends a Register message to the nearest RP. RPs implement load
balancing.
1. Configure IP addresses for the interfaces on each switch and configure OSPF in the PIM-
SM domain.
2. Enable multicast on all switches and PIM-SM on all interfaces, and enable IGMP on
interfaces connected to network segments of receiver hosts.
3. Configure the same Loopback10 address on SwitchC and SwitchD. Configure C-RPs on
Loopback10 interfaces, and configure C-BSRs on Loopback1 interfaces.
4. Configure MSDP peers on Loopback0 interfaces of SwitchC and SwitchD. According to
RPF rules, the switches receive SA messages from the source RP.
Procedure

# According to Figure 6-11, configure IP addresses and masks for the interfaces in the PIM-SM
domain. Configure OSPF between switches. The configuration details are not mentioned here.
Step 2 Enable multicast routing and configure PIM-SM.
# Enable multicast routing on all switches and PIM-SM on all interfaces. Enable IGMP on
interfaces connected to network segments of receiver hosts. The configurations on other
switches are similar to the configuration on SwitchC, and are not mentioned here.
Step 3 Configure Loopback1 interfaces, Loopback10 interfaces, C-BSRs, and C-RPs.
# Configure Loopback1 addresses and the same Loopback10 address for SwitchC and
SwitchD. Configure C-BSRs on Loopback1 interfaces and C-RPs on Loopback10 interfaces.
The configuration on SwitchD is similar to the configuration on SwitchC, and is not mentioned
here.
[SwitchC] pim
[SwitchC-pim] c-bsr loopback 1
[SwitchC-pim] c-rp loopback 10
[SwitchC-pim] quit
Step 4 Configure MSDP peers on Loopback0 interfaces.
# Configure an MSDP peer on Loopback0 of SwitchC.

[SwitchC] msdp
[SwitchC-msdp] originating-rp loopback0
[SwitchC-msdp] peer 2.2.2.2 connect-interface loopback0
[SwitchC-msdp] quit
# Configure an MSDP peer on Loopback0 of SwitchD.

[SwitchD] interface loopback 0
[SwitchD-LoopBack0] ip address 2.2.2.2 255.255.255.255
[SwitchD-LoopBack0] pim sm
[SwitchD-LoopBack0] quit
[SwitchD] msdp
[SwitchD-msdp] originating-rp loopback0
[SwitchD-msdp] peer 1.1.1.1 connect-interface loopback0
[SwitchD-msdp] quit


# Run the display msdp brief command to view the status of the MSDP peers on switches. The
following output shows summary information about MSDP peers on SwitchC and SwitchD:
1 1 0 0 0 0
2.2.2.2 Up 00:10:17 ? 0 0
<SwitchD> display msdp brief
1 1 0 0 0 0
1.1.1.1 Up 00:10:18 ? 0 0
# Run the display pim routing-table command to view the PIM routing table on a switch. When
S1 (10.110.5.100/24) in the PIM-SM domain sends multicast data to G (225.1.1.1), User1
(Receiver) joins G and receives the multicast data sent to G. Comparing information about the
PIM routing tables on SwitchC and SwitchD, you can find that SwitchC is the valid RP. S1
registers to SwitchC, and User1 sends a Join message to SwitchC.
(*, 225.1.1.1)
RP: 10.1.1.1 (local)
UpTime: 00:28:49
1: vlanif104
Protocol: static, UpTime: 00:28:49, Expires: -
(10.110.5.1, 225.1.1.1)
RP: 10.1.1.1 (local)
Protocol: pim-sm, Flag: SPT 2MSDP ACT
UpTime: 00:02:26
1: vlanif104
Protocol: pim-sm, UpTime: 00:02:26, Expires: -
Not output is displayed.

# User1 exits from G, and S1 stops sending multicast data to G. You can run the reset multicast
routing-table all and reset multicast forwarding-table all commands to clear multicast routing
entries and multicast forwarding entries on SwitchC.
<SwitchC> reset multicast routing-table all
<SwitchC> reset multicast forwarding-table all
# User2 joins G, and S2 (10.110.6.100/24) sends multicast dat to G. Comparing information

about the PIM routing tables on SwitchC and SwitchD, you can find that SwitchD is the valid
RP. S2 registers to SwitchD, and User2 sends a Join message to SwitchD.

Not output is displayed.

VPN–Instance: public net
(*, 225.1.1.1)
RP: 10.1.1.1 (local)
Protocol: pim-sm, Flag: WC RPT
UpTime: 00:07:23
Upstream interface: NULL,
1: vlanif103,
(10.110.6.100, 225.1.1.1)
RP: 10.1.1.1 (local)
Protocol: pim-sm, Flag: SPT 2MSDP ACT
UpTime: 00:10:20
1: vlanif103
----End
Configuration Files
l SwitchConfiguration file of A
#
sysname SwitchA
#
vlan batch 101 105
#
#
interface Vlanif101
ip address 10.110.1.2 255.255.255.0
pim sm
#
interface Vlanif105
ip address 10.110.5.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.1.0 0.0.0.255
network 10.110.5.0 0.0.0.255
#
return


#
sysname SwitchB
#
vlan batch 102 106
#
#
interface Vlanif102
ip address 10.110.2.2 255.255.255.0
pim sm
#
interface Vlanif106
ip address 10.110.6.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 10.110.6.0 0.0.0.255
#
return

#
sysname SwitchC
#
#
#
interface Vlanif100
ip address 192.168.1.1 255.255.255.0
pim sm
#
interface Vlanif101
ip address 10.110.1.1 255.255.255.0
pim sm
#
interface Vlanif104
ip address 10.110.4.1 255.255.255.0
pim sm
igmp enable
#
#
#
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
pim sm

#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
pim sm
#
interface LoopBack10
ip address 10.1.1.1 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.1.1.1 0.0.0.0
network 10.110.1.0 0.0.0.255
network 10.110.4.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
pim
c-bsr LoopBack1
c-rp LoopBack10
#
msdp
originating-rp LoopBack0
#
return

#
sysname SwitchD
#
#
#
interface Vlanif102
ip address 10.110.2.1 255.255.255.0
pim sm
#
interface Vlanif103
ip address 10.110.3.1 255.255.255.0
pim sm
igmp enable
#
interface Vlanif300
ip address 192.168.3.1 255.255.255.0
pim sm
#
#
#
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
pim sm
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255

pim sm
#
interface LoopBack10
ip address 10.1.1.1 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 4.4.4.4 0.0.0.0
network 10.1.1.1 0.0.0.0
network 10.110.2.0 0.0.0.255
network 10.110.3.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
pim
c-bsr LoopBack1
c-rp LoopBack10
#
msdp
originating-rp LoopBack0
#
return

#
sysname SwitchE
#
vlan batch 100 300
#
#
interface Vlanif100
ip address 192.168.1.2 255.255.255.0
pim sm
#
interface Vlanif300
ip address 192.168.3.2 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.3.0 0.0.0.255
#
return
6.4.4 Example for Configuring SA Message Filtering
As shown in Figure 6-12, service data is transmitted in multicast mode on the network that is
divided into three PIM-SM domains. The multicast source Source1 sends multicast data to
multicast groups 225.1.1.0/30 and 226.1.1.0/30, and Source2 sends multicast data to the
multicast group 227.1.1.0/30. According to service requirements, HostA and HostB need to

receive only multicast data that is sent to multicast groups 225.1.1.0/30 and 226.1.1.0/30, and
HostC needs to receive only multicast data that is sent to multicast groups 226.1.1.0/30 and
227.1.1.0/30.
Figure 6-12 Networking diagram for configuring SA message filtering
PIM-SM1 Loopback0
PIM-SM2
GE0/0/1 GE0/0/3 Loopback0

Receiver
GE0/0/3 HostB
HostA SwitchA GE0/0/2 GE0/0/1
Receiver
/0/4
GE0/0/2 G E0
GE0/0/1 SwitchC
/0 /3
GE0 GE0/0/2
SwitchB
Source1
GE0/0/2
Loopback0
GE0/0/3 GE0/0/1
SwitchD
Source2 HostC
Receiver
MSDP peers PIM-SM3
SwitchA 1.1.1.1/32 SwitchB GE0/0/2

Loopback0 VLANIF102
10.110.2.2/24
192.168.1.1/24
VLANIF101
GE0/0/1 GE0/0/3 GE0/0/1 GE0/0/3
VLANIF100
10.110.1.1/24 VLANIF200 VLANIF103
GE0/0/2 10.110.3.1/24 192.168.2.1/24
VLANIF102
SwitchA 10.110.2.1/24
SwitchB

SwitchC Loopback0 SwitchD

2.2.2.2/32 10.110.5.2/24
Loopback0 VLANIF104
3.3.3.3/32 GE0/0/2
10.110.4.1/24
GE0/0/3 VLANIF300
VLANIF101 GE0/0/1
192.168.1.2/24 SwitchD GE0/0/1
VLANIF500
GE0/0/4 GE0/0/2 GE0/0/3 10.110.7.1/24
192.168.2.2/24 10.110.5.1/24 10.110.6.1/24
SwitchC
Configure MSDP to implement multicast source information sharing among domains. Configure
SA message filtering so that the receivers receive only required multicast data.
1. Configure IP addresses for the interfaces on each switch and configure OSPF in the PIM-
SM domain.
2. Enable multicast and PIM-SM on each interface. Configure a BSR boundary to divide the
PIM-SM domain and enable IGMP on interfaces connected to network segments of receiver
hosts.
3. Configure Loopback0 interfaces on SwitchA, SwitchC, and SwitchD as the C-BSR and the
C-RP of each PIM-SM domain.
4. Set up MSDP peer relationships between RPs in PIM-SIM domains. Set up the MSDP peer
relationship between SwitchA and SwitchC, and between SwitchC and SwitchD.
5. Configure rules for filtering SA messages. Prohibit SwitchC from forwarding SA messages
carrying (Source1, 225.1.1.0/30) entries to SwitchD. Prohibit SwitchD from creating SA
messages carrying Source2 information.
Procedure
# According to Figure 6-12, configure IP addresses and masks for the interfaces in the PIM-SM
domain. Configure OSPF between switches. The configuration details are not mentioned here.
Step 2 Enable multicast routing and configure PIM-SM.
# Enable multicast routing on all switches and PIM-SM on all interfaces. Enable IGMP on
interfaces connected to network segments of receiver hosts. The following information shows
the configuration on SwitchA. The configurations on other switches are similar to the
configuration on SwitchA, and are not mentioned here.

Step 3 Configure a BSR boundary to divide the PIM-SM domain.
# Configure a BSR boundary on SwitchC. The configurations on SwitchA, SwitchB, and

SwitchD are similar to the configuration on SwitchC, and are not mentioned here.
[SwitchC-Vlanif101] pim bsr-boundary
Step 4 Configure C-BSRs and C-RPs.
# Configure the C-BSR and C-RP on the Loopback0 interface of SwitchA. The configurations
on SwitchC and SwitchD are similar to the configuration on SwitchA, and are not mentioned
here.
[SwitchA] pim
[SwitchA-pim] c-bsr loopback0
[SwitchA-pim] c-rp loopback0
[SwitchC-pim] quit
# Configure an MSDP peer on SwitchA.

[SwitchA] msdp
[SwitchA-msdp] peer 192.168.1.2 connect-interface vlanif 101
[SwitchA-msdp] quit
# Configure MSDP peers on SwitchC.

[SwitchC] msdp
[SwitchC-msdp] peer 192.168.1.1 connect-interface vlanif 101
[SwitchC-msdp] peer 10.110.5.2 connect-interface vlanif 104
[SwitchC-msdp] quit
# Configure an MSDP peer on SwitchD.

[SwitchD] msdp
[SwitchD-msdp] peer 10.110.5.1 connect-interface vlanif 104
[SwitchD-msdp] quit
Step 6 Configure rules for filtering SA messages.
# Prohibit SwitchC from forwarding SA messages carrying (Source1, 225.1.1.0/30) entries to

SwitchD.
[SwitchC] acl number 3001
[SwitchC-acl-adv-3001] rule deny ip source 10.110.3.100 0 destination 225.1.1.0
0.0.0.3
[SwitchC-acl-adv-3001] rule permit ip source any destination any
[SwitchC-acl-adv-3001] quit
[SwitchC] msdp

[SwitchC-msdp] peer 10.110.5.2 sa-policy export acl 3001

[SwitchC-msdp] quit
# Prohibit SwitchD from creating SA messages carrying Source2 information.

[SwitchD] acl number 2001
[SwitchD-acl-basic-2001] rule deny source 10.110.6.100 0
[SwitchD-acl-basic-2001] quit
[SwitchD] msdp
[SwitchD-msdp] import-source acl 2001
[SwitchD-msdp] quit

# Run the display msdp sa-cache command to view information about the (S, G) entries in the
SA cache on switches. The following output shows information about the (S, G) entries in the
SA cache on SwitchC and SwitchD.
<SwitchC> display msdp sa-cache
MSDP Source-Active Cache Information
MSDP Total Source-Active Cache - 8 entries
MSDP matched 8 entries
(Source, Group) Origin RP Pro AS Uptime Expires

(10.110.3.100, 225.1.1.0) 1.1.1.1 ? ? 02:03:30 00:05:31
(10.110.3.100, 225.1.1.1) 1.1.1.1 ? ? 02:03:30 00:05:31
(10.110.3.100, 225.1.1.2) 1.1.1.1 ? ? 02:03:30 00:05:31
(10.110.3.100, 225.1.1.3) 1.1.1.1 ? ? 02:03:30 00:05:31
(10.110.3.100, 226.1.1.0) 1.1.1.1 ? ? 02:03:30 00:05:31
(10.110.3.100, 226.1.1.1) 1.1.1.1 ? ? 02:03:30 00:05:31
(10.110.3.100, 226.1.1.2) 1.1.1.1 ? ? 02:03:30 00:05:31
(10.110.3.100, 226.1.1.3) 1.1.1.1 ? ? 02:03:30 00:05:31
<SwitchD> display msdp sa-cache
MSDP Source-Active Cache Information
MSDP Total Source-Active Cache - 4 entries
MSDP matched 4 entries
(Source, Group) Origin RP Pro AS Uptime Expires

(10.110.3.100, 226.1.1.0) 1.1.1.1 ? ? 00:32:53 00:05:07
(10.110.3.100, 226.1.1.1) 1.1.1.1 ? ? 00:32:53 00:05:07
(10.110.3.100, 226.1.1.2) 1.1.1.1 ? ? 00:32:53 00:05:07
(10.110.3.100, 226.1.1.3) 1.1.1.1 ? ? 00:32:53 00:05:07
(10.110.3.100, 227.1.1.0) 1.1.1.1 ? ? 00:32:53 00:05:07
(10.110.3.100, 227.1.1.1) 1.1.1.1 ? ? 00:32:53 00:05:07
(10.110.3.100, 227.1.1.2) 1.1.1.1 ? ? 00:32:53 00:05:07
(10.110.3.100, 227.1.1.3) 1.1.1.1 ? ? 00:32:53 00:05:07
The preceding output shows that only multicast data to multicast groups 225.1.1.0/30 and
226.1.1.0/30 exists in the SA cache on SwitchC, and only multicast data to the multicast groups
226.1.1.0/30 and 227.1.1.0/30 exists in the SA cache on SwitchD.
----End
Configuration Files
#
sysname SwitchA
#
#
#
interface Vlanif100
ip address 10.110.1.1 255.255.255.0

pim sm
igmp enable
#
interface Vlanif101
ip address 192.168.1.1 255.255.255.0
pim bsr-boundary
pim sm
#
interface Vlanif102
ip address 10.110.2.1 255.255.255.0
pim sm
#
#
#
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.110.1.0 0.0.0.255
network 10.110.2.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
pim
c-bsr LoopBack0
c-rp LoopBack0
#
msdp
#
return

#
sysname SwitchB
#
#
#
interface Vlanif102
ip address 10.110.2.2 255.255.255.0
pim sm
#
interface Vlanif103
ip address 192.168.2.1 255.255.255.0
pim bsr-boundary
pim sm
#
interface Vlanif200
ip address 10.110.3.1 255.255.255.0
pim sm
#


#
#
#
ospf 1
area 0.0.0.0
network 10.110.2.0 0.0.0.255
network 10.110.3.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

#
sysname SwitchC
#
vlan batch 101 103 to 104 300
#
#
acl number 3001
rule 5 deny ip source 10.110.3.100 0 destination 225.1.1.0 0.0.0.3
rule 10 permit ip
#
interface Vlanif101
ip address 192.168.1.2 255.255.255.0
pim bsr-boundary
pim sm
#
interface Vlanif103
ip address 192.168.2.2 255.255.255.0
pim bsr-boundary
pim sm
#
interface Vlanif104
ip address 10.110.5.1 255.255.255.0
pim bsr-boundary
pim sm
#
interface Vlanif300
ip address 10.110.4.1 255.255.255.0
pim sm
igmp enable
#
#
#
#
#
interface LoopBack0

ip address 2.2.2.2 255.255.255.255

pim sm
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.110.4.0 0.0.0.255
network 10.110.5.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
pim
c-bsr LoopBack0
c-rp LoopBack0
#
msdp
peer 10.110.5.2 sa-policy export acl 3001
#
return

#
sysname SwitchD
#
#
#
acl number 2001
#
interface Vlanif104
ip address 10.110.5.2 255.255.255.0
pim bsr-boundary
pim sm
#
interface Vlanif400
ip address 10.110.6.1 255.255.255.0
pim sm
#
interface Vlanif500
ip address 10.110.7.1 255.255.255.0
pim sm
igmp enable
#
#
#
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
pim sm
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.110.5.0 0.0.0.255

network 10.110.6.0 0.0.0.255

network 10.110.7.0 0.0.0.255
#
pim
c-bsr LoopBack0
c-rp LoopBack0
#
msdp
import-source acl 2001
#
return

The switch can run multiple multicast routing protocols to control multicast routing and
forwarding through message exchange between the control plane and forwarding plane.
6.5.1 Example for Configuring a Multicast Static Route to Change

the RPF Route
As shown in Figure 6-13, SwitchA, SwitchB, and SwitchC run OSPF to implement IP
interworking, and switch interfaces use PIM-SM to provide multicast services. Data sent from
the multicast source (Source) is forwarded to the receiver host (Receiver) through SwitchA and
SwitchB. The link between SwitchA and SwitchB transmits unicast and multicast services
simultaneously. To reduce the loads on this link, multicast data needs to be transmitted along
the path SwitchA→SwitchC→SwitchB.

Figure 6-13 Configuring a static route to change the RPF route
SwitchC
GE0/0/3 GE0/0/2
VLANIF30 VLANIF40
12.1.1.2/24 13.1.1.2/24
12.1.1.1/24 13.1.1.1/24
VLANIF30 PIM-SM VLANIF40
GE0/0/3 GE0/0/2
SwitchA SwitchB
GE0/0/1 GE0/0/1
9.1.1.1/24 9.1.1.2/24 GE0/0/3
VLANIF20 VLANIF50
8.1.1.1/24 7.1.1.1/24
8.1.1.2/24 7.1.1.2/24
Source Receiver
Multicast static route
The RPF interface used to receive multicast data can be changed by configuring a multicast static
route. After the RPF route is changed, multicast and unicast services are transmitted through
different links so that the load on a single link is reduced. The configuration roadmap is as
follows:
1. Configure IP addresses for interfaces and configure a unicast routing protocol (OSPF in
this example) on each switch. Multicast routing protocols depend on unicast routing
protocols.
2. Enable multicast routing on all switches and PIM-SM on all Layer 3 interfaces. Configure
a static RP and specify the static RP address an all the switches. Enable IGMP on the
interface connected to the network segment of the receiver host. After these basic multicast
functions are configured, the switches can establish a multicast distribution tree using
default parameter settings. Then multicast data can be forwarded to Receiver along the
multicast distribution tree.
3. Configure a multicast RPF static route on SwitchB and specify SwitchC as the RPF
neighbor.
Procedure
Step 1 Configure IP addresses for interfaces and configure OSPF on each switch.
# Create VLANs and add Layer 2 physical interfaces to VLANs on the switches. (The
configurations of the other switches are similar to the configuration of SwitchB.)

[SwitchB] vlan batch 10 40 50

# Configure IP addresses and masks for Layer 3 VLANIF interfaces on the switches. (The
# Configure OSPF on the switches. (The configurations of the other switches are similar to the
configuration of SwitchB.)
[SwitchB] ospf
Step 2 Enable multicast routing on the switches and enable PIM-SM on all Layer 3 interfaces.
# Enable multicast routing on all the switches and enable PIM-SM on all Layer 3 interfaces.
Enable IGMP on the interface connected to the network segment of the receiver host. (The
configurations on the other switches are similar to the configuration on SwitchB.)
[SwitchB-Vlanif50] igmp enable
# Configure the IP address of VLANIF30 of SwitchC as a static RP address. (The configurations

on the other switches are similar to the configuration on SwitchB.)
[SwitchB] pim
[SwitchB-pim] static-rp 12.1.1.2
[SwitchB] quit
# Run the display multicast rpf-info command on SwitchB to check the RPF route to Source.
The following command output shows that the RPF route is originated from a unicast routing
protocol, and the RPF neighbor is SwitchA.

[SwitchB] display multicast rpf-info 8.1.1.2

RPF information about source 8.1.1.2:
RPF interface: vlanif10, RPF neighbor: 9.1.1.1
Referenced route/mask: 8.1.1.0/24
Referenced route type: unicast
Route selection rule: preference-preferred
Load splitting rule: disable
Step 3 Configure a multicast static route.
# Configure a multicast RPF static route to Source on SwitchB, and configure SwitchC as the
RPF neighbor.
[SwitchB] ip rpf-route-static 8.1.1.0 255.255.255.0 13.1.1.2
# Run the display multicast rpf-info command on SwitchB to check the RPF route to Source.
The following information is displayed, indicating that the unicast RPF route has been replaced
by the multicast static route and the RPF neighbor has changed to SwitchC.
Referenced route type: mstatic
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 30
#
#
interface Vlanif10
ip address 9.1.1.1 255.255.255.0
pim sm
#
interface Vlanif20
ip address 8.1.1.1 255.255.255.0
pim sm
#
interface Vlanif30
ip address 12.1.1.1 255.255.255.0
pim sm
#
#
#


#
ospf 1
area 0.0.0.0
network 8.1.1.0 0.0.0.255
network 9.1.1.0 0.0.0.255
network 12.1.1.0 0.0.0.255
#
pim
static-rp 12.1.1.2
#
return

#
sysname SwitchB
#
vlan batch 10 40 50
#
#
interface Vlanif10
ip address 9.1.1.2 255.255.255.0
pim sm
#
interface Vlanif40
ip address 13.1.1.1 255.255.255.0
pim sm
#
interface Vlanif50
ip address 7.1.1.1 255.255.255.0
pim sm
igmp enable
#
#
#
#
ospf 1
area 0.0.0.0
network 7.1.1.0 0.0.0.255
network 9.1.1.0 0.0.0.255
network 13.1.1.0 0.0.0.255
#
pim
static-rp 12.1.1.2
#
ip rpf-route-static 8.1.1.0 24 13.1.1.2
#
return

#
sysname SwitchC
#
vlan batch 30 40
#
#

interface Vlanif30
ip address 12.1.1.2 255.255.255.0
pim sm
#
interface Vlanif40
ip address 13.1.1.2 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 12.1.1.0 0.0.0.255
network 13.1.1.0 0.0.0.255
#
pim
static-rp 12.1.1.2
#
return
6.5.2 Example for Configuring Multicast Static Routes to Connect

RPF Routes
As shown in Figure 6-14, SwitchB and SwitchC run OSPF to implement IP interworking, but
they have no unicast route to SwitchA. Switch interfaces need to run PIM-SM to provide
multicast services. The receiver host (Receiver) can receive data from Source1. Now Receiver
needs to receive data from Source2.

Figure 6-14 Configuring multicast static routes to connect RPF routes
Source1
10.1.3.2/24
10.1.3.1/24 10.1.4.1/24
VLANIF13 VLANIF40
SwitchB
GE0/0/3
GE0/0/1 VLANIF40
PIM-SM 10.1.4.2/24 GE0/0/1
VLANIF20
10.1.2.2/24 VLANIF11
10.1.2.1/24 10.1.5.1/24
VLANIF20
OSPF GE0/0/1
SwitchC
GE0/0/2
VLANIF12
10.1.1.1/24
Source2
10.1.5.2/24
Receiver
Multicast static route
An RPF route to Source2 can be established on the path SwitchC→SwitchB→SwitchA by
configuring multicast static routes on SwitchB and SwitchC. The configuration roadmap is as
follows:
1. Configure IP addresses for interfaces of the switches. Configure OSPF on SwitchB and
SwitchC but not on SwitchA, so that SwitchB and SwitchC have no unicast route to
SwitchA.
2. Enable multicast routing on all switches and PIM-SM on all Layer 3 interfaces. Configure
a static RP and specify the static RP address an all the switches. Enable IGMP on the
interface connected to the network segment of the receiver host. After these basic multicast
functions are configured, the switches can establish a multicast distribution tree using
default parameter settings. Then multicast data can be forwarded to Receiver along the
multicast distribution tree.
3. Configure multicast static routes to Source2 on SwitchB and SwitchC.

Procedure
Step 1 Configure IP addresses for interfaces and configure OSPF on each switch.
# Create VLANs and add Layer 2 physical interfaces to VLANs on the switches. (The
[SwitchB] vlan batch 13 20 40
# Configure IP addresses and masks for Layer 3 VLANIF interfaces on the switches. (The
# Configure OSPF on SwitchB and SwitchC. (The configuration of SwitchC is similar to the
configuration of SwitchB.)
[SwitchB] ospf
Step 2 Enable multicast routing on the switches and enable PIM-SM on all Layer 3 interfaces.
# Enable multicast routing on all the switches and enable PIM-SM on all Layer 3 interfaces.
Enable IGMP on the interface connected to the network segment of the receiver host. (The
configurations on the other switches are similar to the configuration on SwitchA.)
Configure SwitchA.
Configure SwitchB.

Configure SwitchC.
# Configure the IP address of VLANIF20 of SwitchB as a static RP address. (The configurations

on the other switches are similar to the configuration on SwitchA.)
[SwitchB] pim
[SwitchB-pim] static-rp 10.1.2.2
[SwitchB] quit
# Source1 (10.1.3.2/24) and Source2 (10.1.5.2/24) send multicast data to group G (225.1.1.1).
After Receiver joins group G, it receives the multicast data sent by Source1 but cannot receive
the multicast data sent by Source2.
# Run the display multicast rpf-info 10.1.5.2 command on SwitchB and SwitchC. No
information is displayed, indicating that SwitchB and SwitchC have no RPF route to Source2.
Step 3 Configure multicast static routes.
# Configure a multicast RPF static route to Source2 on SwitchB, and configure SwitchA as the
RPF neighbor.
[SwitchB] ip rpf-route-static 10.1.5.0 255.255.255.0 10.1.4.2
# Configure a multicast RPF static route to Source2 on SwitchC, and configure SwitchB as the
RPF neighbor.
[SwitchC] ip rpf-route-static 10.1.5.0 255.255.255.0 10.1.2.2

# Run the display multicast rpf-info 10.1.5.2 command on SwitchB and SwitchC to check the
RPF route to Source2. The following information is displayed:
RPF information about source: 10.1.5.2
Route selecting rule: preference-preferred
[SwitchC] display multicast rpf-info 10.1.5.2

# Run the display pim routing-table command on SwitchC to check the PIM routing table.
SwitchC has multicast entries of Source2, indicating that Receiver can receive multicast data
from Source2.
(*, 225.1.1.1)
RP: 10.1.2.2
UpTime: 03:54:19
1: Vlanif12
Protocol: pim-sm, UpTime: 01:38:19, Expires: never
(10.1.3.2, 225.1.1.1)
RP: 10.1.2.2
UpTime: 00:00:44
1: Vlanif12
(10.1.5.2, 225.1.1.1)
RP: 10.1.2.2
UpTime: 00:00:44
1: Vlanif12
----End
Configuration Files
#
sysname SwitchA
#
#
vlan batch 11 40
#
interface Vlanif11
ip address 10.1.5.1 255.255.255.0
pim sm
#
interface Vlanif40
ip address 10.1.4.2 255.255.255.0
pim sm
#


#
#
pim
static-rp 10.1.2.2
#
return

#
sysname SwitchB
#
vlan batch 13 20 40
#
#
interface Vlanif13
ip address 10.1.3.1 255.255.255.0
pim sm
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
pim sm
#
interface Vlanif40
ip address 10.1.4.1 255.255.255.0
pim sm
#
#
#
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
#
pim
static-rp 10.1.2.2
#
#
return

#
sysname SwitchC
#
vlan batch 12 20
#
#
interface Vlanif12
ip address 10.1.1.1 255.255.255.0
pim sm

igmp enable
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
pim sm
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
#
pim
static-rp 10.1.2.2
#
#
return
6.5.3 Example for Configuring Multicast Load Splitting
As shown in Figure 6-15, SwitchE connects to HostA and has three equal-cost routes to the
multicast source (Source). According to the default RPF check policy, SwitchE will select one
of equal-cost routes to transmit multicast data. When the rate of multicast traffic is high, the
network may be congested, degrading the quality of multicast services. To ensure the quality of
multicast services, configure multicast load splitting so that multicast data can be transmitted
through multiple equal-cost routes.

Figure 6-15 Networking diagram of multicast load splitting
Source
24 19
. 1 .2 / 2 0 VL 2 . 1 6
68 IF /1 GE AN 8.4
2 .1 A N /0 0/0 IF6 .1/2
1 9 VL GE0 /2 0 4
SwitchB
4 19
1 /2 2 .1
8 .1 . 6
1 6 0 VL 8.4.
9 2 . I F2 PIM-SM G A 2/
1 N 1 E0NIF6 24
10.110.1.2/24 VLA0/0/ /0 / 0
VLANIF10 GE 192.168.2.1/24 SwitchC 1
GE0/0/4 192.168.5.2/24 SwitchE
VLANIF30 VLANIF80
GE0/0/2 GE0/0/2
SwitchA GE0/0/1 GE0/0/2
VLANIF30 VLANIF80
GE /3 GE0/0/4
0/0100 10.110.2.2/24
0 192.168.2.2/24 192.168.5.1/24
VL 0/3/ E
19 AN G NIF /24 VLANIF140
2.1 IF4 A .2
68 0 VL 68.6
.3 . 2. 1
1/2 19
Loopback0 4 GE 2 0
/ 0 4
1.1.1.1/32 19
2.1 VLA 0/0/1 0/0 IF1 .1/2
6 8 N IF GELAN 68.6
.3 . 4 0 V 2 .1
2/2 19
4
SwitchD
HostA
1. Configure IP addresses for interfaces on the switches.

2. Configure a unicast routing protocol (IS-IS in this example) to implement interworking
among all the switches and ensure that route costs are the same.
3. Enable multicast routing on all the switches and enable PIM-SM on all the Layer 3
interfaces. Configure the loopback interface on SwitchA as a C-BSR and C-RP.
4. On SwitchE, configure stable-preferred multicast load splitting to ensure stable
transmission of multicast services.
5. On SwitchE, configure static multicast groups on the interface connected to the network
segment of HostA, because HostA needs to receive data of these groups for a long time.
6. On SwitchE, configure different multicast load splitting weights for the interfaces
connected to the upstream switches to implement unbalanced load splitting, because HostA
needs to receive multicast data of new groups.
Procedure
Step 1 Configure IP addresses for interfaces on the switches.
# Create VLANs and add Layer 2 physical interfaces to VLANs on the switches. (Configurations
of the other switches are similar to the configuration of SwitchA.)
[SwitchA] vlan batch 10 20 30 40


# Configure IP addresses and masks for Layer 3 interfaces on the switches. (Configurations of
the other switches are similar to the configuration of SwitchA.)
[SwitchA] interface loopback0
Step 2 Configure IS-IS to implement interworking among all the switches and ensure that route costs
are the same.
# Configure SwitchA. (Configurations of the other switches are similar to the configuration of
SwitchA.)
[SwitchA] isis
[SwitchA-Vlanif10] isis enable
[SwitchA-LoopBack0] isis enable
Step 3 Enable multicast routing on all the switches and enable PIM-SM on all the Layer 3 interfaces.
SwitchA.)

Step 4 On all the switches, specify the IP address of Loopback0 on SwitchA as a static RP address.
SwitchA.)
[SwitchA] pim
[SwitchA-pim] quit
Step 5 Configure stable-preferred multicast load splitting on SwitchE.

[SwitchE] multicast load-splitting stable-preferred
Step 6 Configure static multicast groups on the interface of SwitchE connected to the network segment
of HostA.
# Configure static multicast groups 225.1.1.1 to 225.1.1.3 on VLANIF140.

[SwitchE] interface Vlanif140
[SwitchE-Vlanif140] igmp static-group 225.1.1.1 inc-step-mask 32 number 3
Step 7 Verify the configuration of stable-preferred multicast load splitting.
# Source (10.110.1.1/24) sends multicast data to multicast groups 225.1.1.1 to 225.1.1.3. HostA
can receive multicast data from Source. Check brief information about the PIM routing table on
SwitchE.
<SwitchE> display pim routing-table brief
Total 3 (*, G) entries; 3 (S, G) entries
00001.(*, 225.1.1.1)
Upstream interface:Vlanif100
Number of downstream:1
00002.(10.110.1.1, 225.1.1.1)
00003.(*, 225.1.1.2)
00004.(10.110.1.1, 225.1.1.2)
00005.(*, 225.1.1.3)
00006.(10.110.1.1, 225.1.1.3)

(*, G) and (S, G) entries are evenly distributed on the three equal-cost routes. The upstream
interfaces of the routes are VLANIF100, VLANIF80, and VLANIF60 respectively.
NOTE
The load splitting algorithm processes (*, G) and (S, G) entries separately using the same rule.
Step 8 Set different multicast load splitting weights for upstream interfaces of SwitchE to implement
uneven multicast load splitting.
# Set the multicast load splitting weight of VLANIF60 to 3.
[SwitchE-Vlanif60] multicast load-splitting weight 3

[SwitchE-Vlanif80] multicast load-splitting weight 2
Step 9 Configure new static multicast groups on the interface of SwitchE connected to the network
segment of HostA.
# Configure static multicast groups 225.1.1.4 to 225.1.1.6 on VLANIF140.
[SwitchE-Vlanif140] igmp static-group 225.1.1.4 inc-step-mask 32 number 3
Step 10 Verify the configuration of uneven multicast load splitting.

# Source (10.110.1.1/24) sends multicast data to multicast groups 225.1.1.1 to 225.1.1.6. HostA
can receive multicast data from Source. Check brief information about the PIM routing table on
SwitchE.
<SwitchE> display pim routing-table brief
00001.(*, 225.1.1.1)
00002.(10.110.1.1, 225.1.1.1)
00003.(*, 225.1.1.2)
00004.(10.110.1.1, 225.1.1.2)
00005.(*, 225.1.1.3)
00006.(10.110.1.1, 225.1.1.3)
00007.(*, 225.1.1.4)
00008.(10.110.1.1, 225.1.1.4)
00009.(*, 225.1.1.5)

00010.(10.110.1.1, 225.1.1.5)
00011.(*, 225.1.1.6)
00012.(10.110.1.1, 225.1.1.6)
The upstream interfaces of existing (*, G) and (S, G) entries remain unchanged. VLANIF60 has
a larger multicast load splitting weight (3) than VLANIF80 (2). Therefore, more new (*, G) and
(S, G) entries are distributed to the route with VLANIF60 as the upstream interface. The multicast
load splitting weight of VLANIF100 is 1 (default value), smaller than the weights of VLANIF60
and VLANIF80. Therefore, the route with VLANIF100 as the upstream interface does not have
new entries.
----End
Configuration Files
#
sysname SwitchA
#
#
#
isis 1
network-entity 10.0000.0000.0001.00
#
interface Vlanif10
ip address 10.110.1.2 255.255.255.0
isis enable 1
pim sm
#
interface Vlanif20
ip address 192.168.1.1 255.255.255.0
isis enable 1
pim sm
#
interface Vlanif30
ip address 192.168.2.1 255.255.255.0
isis enable 1
pim sm
#
interface Vlanif40
ip address 192.168.3.1 255.255.255.0
isis enable 1
pim sm
#
#
#


#
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
isis enable 1
pim sm
#
pim
static-rp 1.1.1.1
#
return

#
sysname SwitchB
#
vlan batch 20 60
#
#
isis 1
network-entity 10.0000.0000.0002.00
#
interface Vlanif20
ip address 192.168.1.2 255.255.255.0
isis enable 1
pim sm
#
interface Vlanif60
ip address 192.168.4.1 255.255.255.0
isis enable 1
pim sm
#
#
#
pim
static-rp 1.1.1.1
#
return

#
sysname SwitchC
#
vlan batch 30 80
#
#
isis 1
network-entity 10.0000.0000.0003.00
#
interface Vlanif30
ip address 192.168.2.2 255.255.255.0
isis enable 1
pim sm
#
interface Vlanif80

ip address 192.168.5.1 255.255.255.0

isis enable 1
pim sm
#
#
#
pim
static-rp 1.1.1.1
#
return

#
sysname SwitchD
#
vlan batch 40 100
#
#
isis 1
network-entity 10.0000.0000.0004.00
#
interface Vlanif40
ip address 192.168.3.2 255.255.255.0
isis enable 1
pim sm
#
interface Vlanif100
ip address 192.168.6.1 255.255.255.0
isis enable 1
pim sm
#
#
#
pim
static-rp 1.1.1.1
#
return

#
sysname SwitchE
#
vlan batch 60 80 100 140
#
multicast load-splitting stable-preferred
#
isis 1
network-entity 10.0000.0000.0005.00
#
interface Vlanif60
ip address 192.168.4.2 255.255.255.0
isis enable 1
pim sm

multicast load-splitting weight 3

#
interface Vlanif80
ip address 192.168.5.2 255.255.255.0
isis enable 1
pim sm
multicast load-splitting weight 2
#
interface Vlanif100
ip address 192.168.6.2 255.255.255.0
isis enable 1
pim sm
#
interface Vlanif140
ip address 10.110.2.2 255.255.255.0
isis enable 1
pim sm
igmp static-group 225.1.1.1 inc-step-mask 0.0.0.1 number 3
igmp static-group 225.1.1.4 inc-step-mask 0.0.0.1 number 3
#
#
#
#
#
pim
static-rp 1.1.1.1
#
return
6.6 VLAN-based IGMP Snooping Configuration

VLAN-based IGMP snooping enables a Layer 2 multicast device to create and maintain a Layer
2 multicast forwarding table by analyzing IGMP messages exchanged between the upstream
Layer 3 device and user hosts. This technology implements on-demand multicast data
transmission at the data link layer.
6.6.1 Example for Configuring VLAN-based IGMP Snooping
As shown in Figure 6-16, Router connects to user hosts through a Layer 2 Switch and Router
runs IGMPv2. The multicast source sends data to multicast groups 225.1.1.1 to 225.1.1.5. On
the network, there are three receivers HostA, HostB, and HostC and the three hosts only want
to receive data of multicast groups 225.1.1.1 to 225.1.1.3.

Figure 6-16 Networking diagram for IGMP snooping configuration

Source
PIM network
Router
VLAN10
GE0/0/3
GE0/0/1 GE0/0/2
Switch
HostA HostB HostC
To meet the preceding requirements, configure basic IGMP snooping functions and a multicast
group policy on the Layer 2 Switch. The configuration roadmap is as follows:
1. On the Switch, create a VLAN and add interfaces to the VLAN.

2. Enable IGMP snooping globally and in the VLAN.
3. Configure a multicast group policy and apply this policy to the VLAN.
Procedure
Step 1 Create a VLAN and add interfaces to the VLAN.
[Switch] vlan 10

Step 2 Enable IGMP snooping.
# Enable IGMP snooping globally.

[Switch] igmp-snooping enable
# Enable IGMP snooping in VLAN 10.

[Switch] vlan 10
[Switch-vlan10] igmp-snooping enable
Step 3 Configure a multicast group policy and apply this policy.
# Configure a multicast group policy.

[Switch] acl 2000
[Switch-acl-basic-2000] rule permit source 225.1.1.1 0
[Switch-acl-basic-2000] quit
# Apply the multicast group policy in VLAN 10.

[Switch] vlan 10
[Switch-vlan10] igmp-snooping group-policy 2000
# Check the interface information on the Switch.

<Switch> display igmp-snooping port-info vlan 10
-----------------------------------------------------------------------
(Source, Group) Port Flag
Flag: S:Static D:Dynamic M: Ssm-mapping
-----------------------------------------------------------------------
VLAN 10, 3 Entry(s)
(*, 225.1.1.1) GE0/0/1 -D-
GE0/0/2 -D-
2 port(s)
(*, 225.1.1.2) GE0/0/1 -D-
GE0/0/2 -D-
2 port(s)
(*, 225.1.1.3) GE0/0/1 -D-
GE0/0/2 -D-
2 port(s)
-----------------------------------------------------------------------
The command output shows that multicast groups 225.1.1.1 to 225.1.1.3 have dynamically
generated member ports GE0/0/1 and GE0/0/2 on the Switch.
# Check the Layer 2 multicast forwarding table on the Switch.

<Switch> display l2-multicast forwarding-table vlan 10
VLAN ID : 10, Forwarding Mode : IP
------------------------------------------------------------------------
(Source, Group) Interface Out-Vlan
------------------------------------------------------------------------
Router-port GigabitEthernet0/0/3 10
(*, 225.1.1.1) GigabitEthernet0/0/1 10
GigabitEthernet0/0/2 10

----------------------------------------------------------------------
Total Group(s) : 3
The command output shows that the forwarding table contains only information about multicast
groups 225.1.1.1 to 225.1.1.3. The multicast groups 225.1.1.4 to 225.1.1.5 do not forward data
to the hosts.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#
igmp-snooping enable
#
acl number 2000
#
vlan 10
igmp-snooping group-policy 2000
#
#
#
#
return
6.6.2 Example for Configuring VLAN-based Layer 2 Multicast

Through Static Interfaces
As shown in Figure 6-17, Router connects to user hosts through a Layer 2 swtich. The user-side
VLANIF interface of Router has static groups 225.1.1.1 to 225.1.1.5 configured and does not
run IGMP. There are four receivers on the network: HostA, HostB, HostC, and HostD. HostA
and HostB expect to receive data of multicast groups 225.1.1.1 to 225.1.1.3 for long time. HostC
and HostD expect to receive data of multicast groups 225.1.1.4 to 225.1.1.5.

Figure 6-17 Networking diagram for Layer 2 multicast configuration through static interfaces
Source
PIM network
Router
VLAN10
GE0/0/3
GE0/0/1 GE0/0/2
Switch
HostA HostB HostC HostD
Source
PIM network
Router
VLAN10
GE0/0/3
GE0/0/1 GE0/0/2
Switch
HostA HostB HostC HostD

To meet the preceding requirements, configure a static router port and static member ports of
IGMP snooping on the Layer 2 Switch. The configuration roadmap is as follows:
3. Configure a static router port.
4. Configure static member ports.
Procedure
[Switch] vlan 10


[Switch] vlan 10
Step 3 Configure a static router port.

[Switch-GigabitEthernet0/0/3] igmp-snooping static-router-port vlan 10
Step 4 Configure static member ports.

[Switch-GigabitEthernet0/0/1] l2-multicast static-group group-address 225.1.1.1 to
225.1.1.3 vlan 10
[Switch-GigabitEthernet0/0/2] l2-multicast static-group group-address 225.1.1.4 to
225.1.1.5 vlan 10

# Check the router port information on the Switch.
<Switch> display igmp-snooping router-port vlan 10
Port Name UpTime Expires Flags

---------------------------------------------------------------------
VLAN 10, 1 router-port(s)
GE0/0/3 00:20:09 -- STATIC
The command output shows that GE0/0/3 has been configured as static router port.
# Check the member port information on the Switch.

<Switch> display igmp-snooping port-info vlan 10
-----------------------------------------------------------------------
-----------------------------------------------------------------------
VLAN 10, 5 Entry(s)
(*, 225.1.1.1) GE0/0/1 S--
1 port(s)
(*, 225.1.1.2) GE0/0/1 S--
1 port(s)
(*, 225.1.1.3) GE0/0/1 S--
1 port(s)
(*, 225.1.1.4) GE0/0/2 S--
1 port(s)
(*, 225.1.1.5) GE0/0/2 S--
1 port(s)
-----------------------------------------------------------------------
The command output shows that multicast groups 225.1.1.1 to 225.1.1.3 have a static member
port GE0/0/1 on the Switch and multicast groups 225.1.1.4 to 225.1.1.5 have a static member
port GE0/0/2 on the Switch.
# Check the Layer 2 multicast forwarding table on the Switch.

---------------------------------------------------------------------------
---------------------------------------------------------------------------
--------------------------------------------------------------------------
Total Group(s) : 5
The command output shows that multicast groups 225.1.1.1 to 225.1.1.5 have a forwarding table
on the Switch.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#

#
vlan 10
#
l2-multicast static-group group-address 225.1.1.1 to 225.1.1.3 vlan 10
#
l2-multicast static-group group-address 225.1.1.4 to 225.1.1.5 vlan 10
#
igmp-snooping static-router-port vlan 10
#
return
6.6.3 Example for Configuring an VLAN-based IGMP Snooping

Querier
As shown in Figure 6-18, on a pure Layer 2 network, multicast sources Source1 and Source2
send multicast data to multicast groups 224.1.1.1 and 225.1.1.1. HostA and HostC expect to
receive data of multicast group 224.1.1.1 for long time, while HostB and HostD expect to receive
data of multicast group 225.1.1.1 for long time. All the hosts run IGMPv2.
Figure 6-18 Networking diagram for IGMP snooping querier configuration
Source1 Source2
VLAN10
GE0/0/3 GE0/0/4
GE0/0/1 GE0/0/2 GE0/0/3
GE0/0/2
HostA SwitchA SwitchB GE0/0/1 HostB
GE0/0/1
GE0/0/1 GE0/0/2
GE0/0/2 GE0/0/3
HostD SwitchD SwitchC HostC

To meet the preceding requirements, enable IGMP snooping on the four switches and configure
an IGMP snooping querier. Enable all the switches to discard unknown multicast packets to
prevent the switches from broadcasting multicast data in the VLAN when there are no Layer 2
multicast forwarding entries on the switches. The configuration roadmap is as follows:
1. On all the switches, create a VLAN and add interfaces to the VLAN according to Figure
6-18.
2. Enable IGMP snooping globally and in the VLAN on all the switches.
3. Configure SwitchA as an IGMP snooping querier.
4. Enable all the Switches to discard unknown multicast packets.
Procedure
Step 1 On all the switches, create a VLAN and add interfaces to the VLAN.
[SwitchA] vlan 10
# The configurations of SwitchB, SwitchC and SwitchD are similar to the configuration of
SwitchA, and the configurations are not provided here.
Step 2 Enable IGMP snooping globally and in the VLAN on all the switches.
[SwitchA] igmp-snooping enable
[SwitchA] vlan 10
[SwitchA-vlan10] igmp-snooping enable
Step 3 Configure SwitchA as an IGMP snooping querier.

[SwitchA] vlan 10
[SwitchA-vlan10] igmp-snooping querier enable
Step 4 Enable all the switches to discard unknown multicast packets.

[SwitchA] vlan 10
[SwitchA-vlan10] multicast drop-unknown

# When the IGMP snooping querier begins to work, all the switches except the IGMP snooping
querier receive IGMP General Query messages. Run the display igmp-snooping statistics vlan
10 command on SwitchB to view IGMP message statistics. The command output is as follows:
<SwitchB> display igmp-snooping statistics vlan 10
IGMP Snooping Packets Counter
Statistics for VLAN 10
Recv V1 Report 0
Recv V2 Report 32
Recv V3 Report 0
Recv V1 Query 0
Recv V2 Query 30
Recv V3 Query 0
Recv Leave 0
Recv Pim Hello 0
Send Query(S=0) 0
Send Query(S!=0) 0
Suppress Report 0
Suppress Leave 0
Proxy Send General Query 0
Proxy Send Group-Specific Query 0
Proxy Send Group-Source-Specific Query 0
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
#
vlan 10
multicast drop-unknown
igmp-snooping querier enable
#
#
#
#
return

#
sysname SwitchB
#
vlan batch 10
#

#
vlan 10
#
#
#
#
#
return

#
sysname SwitchC
#
vlan batch 10
#
#
vlan 10
#
#
#
#
return

#
sysname SwitchD
#
vlan batch 10
#
#
vlan 10
#
#


#
return
6.6.4 Example for Configuring VLAN-based IGMP Snooping Proxy
As shown in Figure 6-19, Router connects to user hosts through a Layer 2 Switch and Router
runs IGMPv3. There are multiple receiver hosts on the network, and the administrator expects
that exchange of IGMP messages will not be a burden to Router.
Figure 6-19 Networking diagram for the IGMP snooping proxy configuration
Source
PIM network
Router
VLAN10 GE0/0/3
GE0/0/1 GE0/0/2
Switch
… …
HostA HostG HostH HostN
To meet the preceding requirements, configure IGMP snooping proxy on the Switch. The
configuration roadmap is as follows:
1. Create a VLAN and add interfaces to the VLAN.

3. Configure IGMP snooping proxy on the Switch to reduce packet exchange between the
Switch and Router.

4. Disable the Switch from sending IGMP Query messages to the upstream Router to prevent
election of the IGMP querier.
Procedure
[Switch] vlan 10


[Switch] vlan 10
# Configure IGMPv3 snooping to enable the Switch to process IGMP messages of all versions.
[Switch-vlan10] igmp-snooping version 3
Step 3 Enable IGMP snooping proxy.

[Switch-vlan10] igmp-snooping proxy
Step 4 Disable the Switch from sending IGMP Query messages to the upstream Router.
[Switch-GigabitEthernet0/0/3] igmp-snooping proxy-uplink-port vlan 10

# Check IGMP message statistics on the Switch.
<Switch> display igmp-snooping statistics vlan 10
IGMP Snooping Packets Counter
Recv V1 Report 0
Recv V2 Report 121
Recv V3 Report 0
Recv V1 Query 0
Recv V2 Query 0
Recv V3 Query 0
Recv Leave 82
Recv Pim Hello 0
Send Query(S=0) 0
Send Query(S!=0)0
Suppress Report 0

Suppress Leave 0
Proxy Send General Query 135
Proxy Send Group-Specific Query 95
Proxy Send Group-Source-Specific Query 0
The command output shows that the IGMP snooping proxy takes effect as the Switch functions
as a proxy to send IGMP General Query messages.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#
#
vlan 10
igmp-snooping version 3
igmp-snooping proxy
#
#
#
igmp-snooping proxy-uplink-port vlan 10
#
return
6.6.5 Example for Configuring VLAN-based IGMP Snooping SSM

Mapping
As shown in Figure 6-20, Router connects to user hosts through a Layer 2 Switch. Router runs
IGMPv3 and uses the ASM mode and SSM mode to provide multicast services. User hosts
HostA, HostB, and HostC on the network run IGMPv2 and do not support IGMPv3. The
multicast sources Source1 and Source2 send multicast data to the multicast group 225.1.1.1, but
the user hosts want to receive only the multicast data sent from Source1.

Figure 6-20 Networking diagram for the SSM mapping configuration
PIM network Source2

10.10.2.1
Source1
10.10.1.1
Router
VLAN10
GE0/0/3
Switch
GE0/0/1
HostA HostB HostC
To meet the preceding requirements, configure SSM mapping on the Switch. The configuration

3. Configure an IGMP snooping SSM policy to add the multicast address of the ASM mode
to the SSM group address range.
4. Configure SSM mapping to allow the users to receive only multicast data sent from the
specified source.
Procedure
[Switch] vlan 10



[Switch] vlan 10
Step 3 Configure an IGMP snooping SSM policy.
# Create an ACL, and configure a rule that allows hosts to receive data of multicast group
225.1.1.1.
[Switch] acl number 2008
[Switch-acl-basic-2008] rule 5 permit source 225.1.1.1 0
# Apply the SSM mapping policy in the VLAN and treat the multicast group 225.1.1.1 as a
member in the SSM groups.
[Switch] vlan 10
[Switch-vlan10] igmp-snooping ssm-policy 2008
Step 4 Enable SSM mapping.
# Configure the Switch to run IGMPv3, enable SSM mapping, and configure a mapping between
the multicast group 225.1.1.1 and the source IP address 10.10.1.1.
[Switch-vlan10] igmp-snooping version 3
[Switch-vlan10] igmp-snooping ssm-mapping enable
[Switch-vlan10] igmp-snooping ssm-mapping 225.1.1.1 32 10.10.1.1
# Check the IGMP snooping configuration in the VLAN.

<Switch> display igmp-snooping vlan configuration
IGMP Snooping Configuration for VLAN 10
igmp-snooping ssm-mapping enable
igmp-snooping ssm-policy 2008
igmp-snooping ssm-mapping 225.1.1.1 255.255.255.255 10.10.1.1
An SSM mapping policy has been configured in VLAN 10.
# Check the Layer 2 multicast forwarding table.

----------------------------------------------------------------------------
----------------------------------------------------------------------------
(10.10.1.1, 225.1.1.1) GigabitEthernet0/0/1 10
(10.10.2.1, 225.1.1.1) Stream 10
----------------------------------------------------------------------------
Total Group(s) : 1

The command output shows that a mapping entry (10.10.1.1, 225.1 .1.1) has been generated on
the Switch. The mapping entry indicates that the data is sent by Source1.
NOTE
The preceding stream entries are triggered by unknown streams that are generated because user hosts have
no order for services delivered from multicast source 10.10.2.1.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#
#
acl number 2008
#
vlan 10
igmp-snooping ssm-mapping enable
igmp-snooping ssm-policy 2008
igmp-snooping ssm-mapping 225.1.1.1 255.255.255.255 10.10.1.1
#
#
#
return
6.7 Configuring VSI-based IGMP Snooping

This section describes the procedures for configuring VSI-based IGMP Snooping.
6.7.1 Example for Configuring IGMP Snooping in a VSI
On a VPLS network shown in Figure 6-21, PE1 is a superstratum PE (SPE) device; PE2 and
PE3 are underlayer PE (UPE) device. If VSI on the PE devices does not support IGMP snooping,
multicast data packets are broadcast in the VSI, resulting in a waste of network resources.
After IGMP snooping is configured in the VSI, multicast data packets are sent only to the devices
connected to receiver hosts, conserving network resources.
If the network topology is stable, configure the PW on PE2 as a static router port in the VSI so
that receivers can always receive multicast data packets.

Figure 6-21 IGMP snooping over VPLS networking
VPLS Loopback1
CE3
GE0/0/1
GE0/0/2 Site3
Source Loopback1
PE3
CE1 GE0/0/3
Site1 GE0/0/1
PE1 GE0/0/2
PE2 CE2
GE0/0/2 GE0/0/1 Site2
Loopback1 Receiver
Switch Interface and IP Address Remarks
PE1 1.1.1.1/32 No IP
Loopback1 address is
20.1.1.1/30 configured
VLANIF20 for
GE0/0/3
GE0/0/1 VLANIF40
VLANIF40 because it is
GE0/0/2
PE1 VLANIF10 bound to a
10.1.1.1/30
VSI.
PE2 No IP
10.1.1.2/30
VLANIF10 address is
GE0/0/2 VLANIF50 configured
GE0/0/1
PE2 for
VLANIF50
because it is
Loopback1 bound to a
2.2.2.2/32
VSI.
PE3 3.3.3.3/32 No IP
Loopback1 address is
configured
VLANIF60
PE3 GE0/0/1 for
VLANIF60
GE0/0/2 because it is
VLANIF20
20.1.1.2/30 bound to a
VSI.

1. Configure basic VPLS functions.

2. Enable IGMP snooping on the PE devices.
Procedure
Step 1 Configure IP address for PE interfaces, and add physical interfaces to specified VLANs. The
configuration details are not mentioned here.
Step 2 Configure OSPF to advertise the network segments connected to VLANIF interfaces and the
host route of the LSR IDs. The configuration details are not mentioned here.
Step 3 Configure basic MPLS functions and LDP.
# Configure PE1.
<PE1> system-view
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif10] mpls
[PE1-Vlanif10]quit
[PE1-Vlanif20] mpls
[PE1-Vlanif20] quit
# Configure PE2.
<PE2> system-view
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif10] mpls
[PE2-Vlanif10] quit
# Configure PE3.
<PE3> system-view
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3-Vanif20] mpls
[PE3-Vanif20] mpls ldp
[PE3-Vanif20]quit
Step 4 Enable MPLS L2VPN and configure a VSI.
# Configure PE1.

[PE1] mpls l2vpn

[PE1-l2vpn] quit
[PE1] vsi v123 static
[PE1-vsi-v123] pwsignal ldp
[PE1-vsi-v123-ldp] vsi-id 123
[PE1-vsi-v123-ldp] peer 2.2.2.2
[PE1-vsi-v123-ldp] quit
[PE1-vsi-v123] quit
# Configure PE2.
[PE2] mpls l2vpn
[PE2-l2vpn] quit
[PE2-vsi-v123] quit
# Configure PE3.
[PE3] mpls l2vpn
[PE3-l2vpn] quit
[PE3-vsi-v123] quit
Step 5 Bind the VSI to PE interfaces.
# Configure PE1.
[PE1-Vlanif40] l2 binding vsi v123
[PE1-Vlanif40] quit
# Configure PE2.
[PE2-Vlanif50] quit
# Configure PE3.
[PE3-Vlanif60] quit
Step 6 Enable IGMP snooping on PE1, PE2, and PE3.
# Configure PE1.
[PE1] igmp-snooping enable
[PE1] igmp-snooping over-vpls enable
[PE1] vsi v123
[PE1-vsi-v123] igmp-snooping enable
[PE1-vsi-v123] quit
# Configure PE2.
[PE2] vsi v123


[PE2-vsi-v123] quit
# Configure PE3.
[PE3] vsi v123
[PE3-vsi-v123] quit
Step 7 Configure the PW on PE2 as a static router port.

[PE2] vsi v123
[PE2-vsi-v123] igmp-snooping static-router-port remote-peer 1.1.1.1
[PE2-vsi-v123] quit
Run the display igmp-snooping router-port vsi command on PE2 to check whether the static
router port is successfully configured.
[PE2] display igmp-snooping router-port vsi v123
---------------------------------------------------------------------
VSI v123, 1 router-port(s)
PW(1.1.1.1/123) 00:05:16 -- STATIC
STATIC in the command output indicates that the PW (1.1.1.1/123) has been configured as a
static router port.
----End
Configuration Files
#
sysname PE1
#
vlan batch 10 20 40
#
igmp-snooping over-vpls enable
#
mpls lsr-id 1.1.1.1
mpls
#
mpls l2vpn
#
vsi v123 static
pwsignal ldp
vsi-id 123
peer 2.2.2.2
peer 3.3.3.3
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface Vlanif20
ip address 20.1.1.1 255.255.255.252
mpls

mpls ldp
#
interface Vlanif40
l2 binding vsi v123
#
#
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.3
network 20.1.1.0 0.0.0.3
#
return

#
sysname PE2
#
vlan batch 10 50
#
#
mpls lsr-id 2.2.2.2
mpls
#
mpls l2vpn
#
vsi v123 static
pwsignal ldp
vsi-id 123
peer 1.1.1.1
igmp-snooping static-router-port remote-peer 1.1.1.1
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface Vlanif50
l2 binding vsi v123
#
#
#

interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.3
#
return

#
sysname PE3
#
vlan batch 20 60
#
#
mpls lsr-id 3.3.3.3
mpls
#
mpls l2vpn
#
vsi v123 static
pwsignal ldp
vsi-id 123
peer 1.1.1.1
#
mpls ldp
#
interface Vlanif20
ip address 20.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface Vlanif60
l2 binding vsi v123
#
#
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 20.1.1.0 0.0.0.3
#
return
6.8 Static Multicast MAC Address Configuration

You can manually configure mappings between multicast MAC addresses and interfaces on the
Layer 2 devices. Multicast packets destined for the specified multicast MAC address are
forwarded to these interfaces. This reduces broadcast packets on a Layer 2 network.

6.9 Multicast VLAN Replication Configuration

After multicast VLAN replication is configured on a device, the upstream device only needs to
transmit multicast data to a multicast VLAN. This function saves bandwidth because the
upstream device does not need to send a copy of multicast data to each user VLAN.
6.9.1 Example for Configuring 1-to-N Multicast Replication Based

on User VLANs
As shown in Figure 6-22, service VLAN 10 is used to transmit multicast data between RouterA
and SwitchA. HostA, HostB, and HostC belong to VLAN 100, VLAN 200, and VLAN 300
respectively. All of them want to receive multicast data from Source.
You can configure 1-to-N multicast replication based on user VLANs, so that RouterA only
needs to copy multicast data for VLAN 10 to respond to the same multicast data request from
different user hosts. This reduces bandwidth consumption between RouterA and SwitchA.
Figure 6-22 Configuring 1-to-N multicast replication based on user VLANs
Source GE1/0/0 RouterA
VLAN10
GE0/0/1 SwitchA
GE0/0/2 GE0/0/4
GE0/0/3
VLAN100 VLAN200 VLAN300
HostA HostB HostC

Receiver Receiver Receiver
1. Enable IGMP snooping in the system view.

2. Create user VLANs and enable IGMP snooping in the user VLANs.
3. Create a multicast VLAN and enable IGMP snooping in the multicast VLAN.
4. Bind the user VLANs to the multicast VLAN.

5. Add the network-side interface and user-side interfaces to VLANs as hybrid interfaces.
Procedure
Step 1 Enable IGMP snooping in the system view.
Step 2 Create user VLANs and enable IGMP snooping in the user VLANs.
[SwitchA] vlan 100
[SwitchA] vlan 200
[SwitchA] vlan 300
Step 3 Create a multicast VLAN and enable IGMP snooping in the multicast VLAN.
[SwitchA] vlan 10
[SwitchA-vlan10] multicast-vlan enable
Step 4 Bind user VLANs 100, 200, and 300 to multicast VLAN 10.
[SwitchA-vlan10] multicast-vlan user-vlan 100 200 300
Step 5 Add interfaces to VLANs as hybrid interfaces.
# Add GE0/0/1 to multicast VLAN 10.

# Add GE0/0/2, GE0/0/3, and GE0/0/4 to user VLANs 100, 200, and 300 respectively.
NOTE
On S5300LI and S2350 switches, you must add user-side interfaces to both the user VLAN and multicast VLAN
in the same mode.
Step 6 Verify the configuration. View information about the multicast VLAN and user VLANs on
SwitchA.
[SwitchA] display multicast-vlan vlan
Total multicast vlan 1
multicast-vlan user-vlan number snooping-state
----------------------------------------------------------------
10 3 IGMP Enable /MLD Disable

[SwitchA] display user-vlan vlan

Total user vlan 3
user-vlan snooping-state multicast-vlan snooping-state
-----------------------------------------------------------------------------
100 IGMP Enable /MLD Disable 10 IGMP Enable /MLD Disable
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 100 200 300
#
#
vlan 10
multicast-vlan enable
multicast-vlan user-vlan 100 200 300
#
vlan 100
vlan 200
vlan 300
#
#
#
#
#
return
6.9.2 Example for Configuring N-to-N Multicast VLAN Replication

Based on User VLANs
As shown in Figure 6-23, the Switch is connected to RouterA, RouterB, and the Receiver
through GE0/0/1, GE0/0/2, and GE0/0/3 respectively. S1 and S2 are multicast sources provided
by different ISPs.
You can configure N-to-N multicast VLAN replication based on user VLANs and distinguish
ISPs by different multicast VLANs, so that the user host can receive multicast data sent from
S1 to the multicast group 225.1.1.1 and from S2 to the multicast group 225.1.2.1.

Figure 6-23 Configuring N-to-N multicast VLAN replication based on user VLANs
S1 RouterA RouterB S2
MVLAN10 MVLAN20
GE0/0/1 GE0/0/2
GE0/0/3 Switch
VLAN100
Receiver
2. Create a user VLAN and enable IGMP snooping in the user VLAN. Enable the triggering
of the multicast flow in the user VLAN.
3. Create multicast VLANs and enable IGMP snooping in the multicast VLANs.
4. Add the user VLAN to multiple multicast VLANs and configure static multicast flow in
the multicast VLANs.
5. Add the network-side interfaces and user-side interface to VLANs as hybrid interfaces.
Procedure
Step 1 Enable IGMP snooping in the system view.
<Switch> system-view
Step 2 Create user VLAN 100 and enable IGMP snooping in the user VLAN. Enable the triggering of
the multicast flow in the user VLAN.
[Switch] vlan 100
[Switch-vlan100] multicast flow-trigger enable
Step 3 Create multicast VLANs 10 and 20 and enable IGMP snooping in the multicast VLANs.
[Switch] vlan 10
[Switch-vlan10] multicast-vlan enable
[Switch] vlan 20
[Switch-vlan20] multicast-vlan enable
Step 4 Add user VLAN 100 to multicast VLANs 10 and 20 and configure static multicast flow in the
multicast VLANs.

[Switch] vlan 10
[Switch-vlan10] multicast-vlan user-vlan 100
[Switch-vlan10] multicast static-flow 225.1.1.1
[Switch] vlan 20
[Switch-vlan20] multicast-vlan user-vlan 100
[Switch-vlan20] multicast static-flow 225.1.2.1
Step 5 Add interfaces to VLANs as hybrid interfaces.
# Add GE0/0/1 to multicast VLAN 10. Add GE0/0/2 to multicast VLAN 20.
# Add GE0/0/3 to user VLAN 100.

# Run the display user-vlan vlan command on the Switch. You can see that the user VLAN
has been added to multicast VLANs 10 and 20.
[Switch] display user-vlan vlan
Total user vlan 2
user-vlan snooping-state multicast-vlan snooping-state
-----------------------------------------------------------------------------
# Run the display multicast static-flow command. You can see that the static multicast flow in
the multicast VLAN, which indicates that users in the user VLAN can be added to the multicast
group.
[Switch] display multicast static-flow
-------------------------------------------------------------------
Vlan (Source, Group)
-------------------------------------------------------------------
10 (*, 225.1.1.1)
20 (*, 225.1.2.1)
-------------------------------------------------------------------
Total Table(s) : 2
----End
Configuration Files
#
sysname Switch
#
#

#
vlan 10
multicast static-flow 225.1.1.1
multicast-vlan user-vlan 100
#
vlan 20
multicast static-flow 225.1.2.1
multicast-vlan user-vlan 100
#
vlan 100
multicast flow-trigger enable
#
#
#
#
return
6.9.3 Example for Configuring Interface-based Multicast VLAN

Replication
As shown in Figure 6-24, GE0/0/1 of the SwitchA is connected to the Router. GE0/0/2 provides
services for ISP1, and GE0/0/3 provides services for ISP2. ISP1 and ISP2 use multicast VLAN
2 and VLAN 3 respectively to provide multicast services for users. GE0/0/2 and GE0/0/3 have
the same user VLAN (VLAN 10).
To protect interests of the ISPs and ensure that multicast packets of each ISP are sent only to
users of the ISP, the interface-based multicast VLAN replication is required. After the
configuration is complete, multicast data of an ISP will be sent only to the interface connected
to the ISP.

Figure 6-24 Configuring interface-based multicast VLAN replication
Router GE1/0/0
Source
GE0/0/1
GE0/0/2
GE0/0/3
SwitchA
ISP1 ISP2
VLAN10 VLAN10
Receiver Receiver
HostA HostB
Multicast Packet
Multicast VLAN 2
Multicast VLAN 3

2. Create user VLAN 10.
3. Create multicast VLANs 2 and 3 and enable IGMP snooping in the multicast VLANs.
4. Bind user VLAN 10 to multicast VLANs on GE0/0/2 and GE0/0/3 respectively.
5. Add the network-side interface and user-side interfaces to VLANs as hybrid interfaces.
Procedure
Step 1 Create user VLAN 10.
Step 2 Create multicast VLANs 2 and 3 and enable IGMP snooping in the multicast VLANs.
[SwitchA] vlan 2
[SwitchA] vlan 3
Step 3 Bind user VLAN 10 to multicast VLANs on GE0/0/2 and GE0/0/3 respectively.


[SwitchA-GigabitEthernet0/0/2] l2-multicast-bind vlan 10 mvlan 2
[SwitchA-GigabitEthernet0/0/3] l2-multicast-bind vlan 10 mvlan 3
Step 4 Add GE0/0/1 to the multicast VLANs. Add GE0/0/2 and GE0/0/3 to the user VLAN.
# Add GE0/0/1 to multicast VLANs 2 and 3 as a trunk interface.

# Add GE0/0/2 and GE0/0/3 respectively to user VLAN 10 as hybrid interfaces.
NOTE
On S5300LI and S2350 switches, you must add user-side interfaces to both the user VLAN and multicast VLAN
in the same mode.
Run the display l2-multicast-bind command on SwitchA to view binding between the user
VLAN and multicast VLANs.
[SwitchA] display l2-multicast-bind
-------------------------------------------------------------------
Port Startvlan Endvlan Mvlan
-------------------------------------------------------------------
GigabitEthernet0/0/2 10 -- 2
GigabitEthernet0/0/3 10 -- 3
-------------------------------------------------------------------
Total Table(s) : 2
----End
Configuration Files
#
sysname SwitchA
#
#
#
vlan 2
vlan 3
#

#
l2-multicast-bind vlan 10 mvlan 2
#
l2-multicast-bind vlan 10 mvlan 3
#
return
6.10 Controllable Multicast Configuration

Controllable multicast flexibly controls user rights to join multicast groups and meets the
requirements of IPTV services.
6.10.1 Example for Configuring Controllable Multicast
As shown in Figure 6-25, multicast groups G1 (225.0.0.1), G2 (225.0.0.2), G3 (225.0.0.3), and
G4 (225.0.0.4) exist on the network connected to the router. You are required to configure users
in VLAN 10 and VLAN 20 to watch only G1 and G2 and users in VLAN 30 and VLAN 40 to
watch all multicast groups.
NOTE
This example illustrates how to configure controllable multicast on an IPv4 network. Controllable multicast
configuration on an IPv6 network is similar. You only need to replace IGMP snooping with MLD snooping
on the IPv6 network.

Figure 6-25 Configuring controllable multicast

G1(10.1.1.1,225.0.0.1) G3(12.1.1.1,225.0.0.3)
Network
G2(11.1.1.1,225.0.0.2) G4(13.1.1.1,225.0.0.4)
Switch
/1 GE
0/0 0 /0
GE
GE
/4
/2
/0
0 /0
E0
G
/3
VLAN10 VLAN20 VLAN30 VLAN40
You can configure controllable multicast on the switch.The configuration roadmap is as follow:
1. Configure IGMP snooping on the switch.

2. Configure controllable multicast.
l Configure two multicast group lists L1 (G1, G2) and L2 (G3, G4).
l Configure two multicast profiles P1 and P2.
1. Configure user VLANs and add interfaces to these user VLANs.
[Switch] vlan batch 10 20 30 40


2. Configure IGMP snooping.

[Switch] vlan 10
[Switch] vlan 20
[Switch] vlan 30
[Switch] vlan 40
3. Configure controllable multicast.

# Configure multicast groups.
[Switch] btv
[Switch-btv] multicast-group G1 ip-address 225.0.0.1
# Configure multicast group lists.

[Switch-btv] multicast-list L1
[Switch-btv-list-L1] add multicast-group name G1
[Switch-btv-list-L1] quit
[Switch-btv] multicast-list L2
[Switch-btv-list-L2] quit
# Configure multicast profiles.

[Switch-btv] multicast-profile P1
[Switch-btv-profile-P1] add multicast-list name L1 watch
[Switch-btv-profile-P1] quit
[Switch-btv] multicast-profile P2
[Switch-btv-profile-P2] quit
[Switch-btv] quit
# Apply multicast profiles to VLANs.

[Switch] vlan 10
[Switch-vlan10] attach multicast-profile P1
[Switch] vlan 20
[Switch] vlan 30
[Switch] vlan 40

[Switch] display multicast-profile-apply
------------------------------------------------------------------------------
Vlan-id Port SMAC Max-Users

Index Profile-name

------------------------------------------------------------------------------
Vlan10 -- --
8
1 P1
Vlan20 -- --
8
1 P1
Vlan30 -- --
8
2 P2
Vlan40 -- --
8
2 P2
Total: 4
[Switch] display multicast-profile
-----------------------------------------------------------------------------
Index Profile-Name Multicast-list Attach-

User
-----------------------------------------------------------------------------
1 P1 1 2
2 P2 2 2
Total: 2
[Switch] display multicast-list
-------------------------------------------------------------------------
Index Multicast-list-name Multicast-
group
-------------------------------------------------------------------------
1 L1
2
2 L2
2
Total: 2
[Switch] display multicast-group

-------------------------------------------------------------------------
Index Multicast-group-name
Address
-------------------------------------------------------------------------
1 G1 225.0.0.1
2 G2 225.0.0.2
3 G3 225.0.0.3
4 G4 225.0.0.4
Total: 4
Configuration Files
sysname Switch
#
#
#
btv

multicast-group G1 ip-address 225.0.0.1

multicast-list L1
add multicast-group name G1
multicast-list L2
multicast-profile P1
add multicast-list name L1 watch
multicast-profile P2
#
vlan 10
attach multicast-profile P1
#
vlan 20
#
vlan 30
#
vlan 40
#
#
#
#
#
return
6.11 MLD Configuration

On an IPv6 network, you can manage local multicast group members by configuring MLD on
multicast device interfaces connected to user networks.
6.11.1 Example for Configuring Basic MLD Functions
On the IPv6 network shown in Figure 6-26, unicast routes are working properly. The multicast
function needs to be enabled on the network so that hosts can receive multicast data.

Figure 6-26 Networking diagram of configuring basic MLD functions
PIM network Ethernet

HostA
VLANIF100 Receiver
GE0/0/2 3000::12/64 N1
VLANIF101 GE0/0/1
2002::1/64 SwitchA HostB
VLANIF200
3001::10/64 Leaf network
GE0/0/2
VLANIF201 GE0/0/1
2003::1/64 SwitchB HostC
VLANIF200 Receiver
3001::12/64 N2
GE0/0/2 GE0/0/1 HostD
VLANIF301
2004::1/64 SwitchC
Ethernet
1. Enable the IPv6 multicast function so that multicast data can be forwarded on the network.
To achieve this purpose, enable PIM-SM (IPv6) on each switch.
2. Enable MLD on the interfaces connected to hosts so that hosts can receive multicast data.
Procedure
Step 1 Create VLANs and VLANIF interfaces on the switches and assign IPv6 addresses to the
VLANIF interfaces. The configuration details are not mentioned here.
Step 2 Enable the IPv6 multicast function and enable MLD and PIM-SM (IPv6) on the interfaces
connected to hosts.
# Enable the IPv6 multicast function on SwitchA, and enable MLD and PIM-SM (IPv6) on
VLANIF 100.
[SwitchA] multicast ipv6 routing-enable
[SwitchA-Vlanif100] pim ipv6 sm
[SwitchA-Vlanif100] mld enable
# The configurations of SwitchB and SwitchC are similar to the configuration of SwitchA and

# Run the display mld interface command to check information about MLD configuration and
running on each interface of the switches. MLD information about VLANIF 200 on SwitchB is
as follows:
<SwitchB> display mld interface vlanif 200 verbose
Vlanif200(FE80::200:5EFF:FE66:5100):
MLD is enabled
Current MLD version is 2
MLD state: up
MLD group policy: none
MLD limit: -
Value of query interval for MLD (negotiated): 125 s
Value of query interval for MLD (configured): 125 s
Value of other querier timeout for MLD: 0 s
Value of maximum query response time for MLD: 10 s
Value of last listener query time: 2 s
Value of last listener query interval: 1 s
Value of startup query interval: 31 s
Value of startup query count: 2
General query timer expiry (hours:minutes:seconds): 00:00:28
Querier for MLD: FE80::200:5EFF:FE66:5100 (this router)
MLD activity: 0 joins, 0 dones
Robustness (negotiated): 2
Robustness (configured): 2
Require-router-alert: disabled
Send-router-alert: enabled
Ip-source-policy: disabled
Query Ip-source-policy: disabled
Prompt-leave: disabled
SSM-Mapping: disabled
Startup-query-timer-expiry: on
Other-querier-present-timer-expiry: off
The command output shows that SwitchB is a querier. This is because the IPv6 address of
VLANIF 200 on SwitchB is smaller than those of other multicast switches on the same network
segment.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100 101
#
ipv6
#
multicast ipv6 routing-enable
#
interface Vlanif100
ipv6 enable
pim ipv6 sm
mld enable
#
interface Vlanif101
ipv6 enable
pim ipv6 sm
#


#
#
return

#
sysname SwitchB
#
vlan batch 200 201
#
ipv6
#
#
interface Vlanif200
ipv6 enable
pim ipv6 sm
mld enable
#
interface Vlanif201
ipv6 enable
pim ipv6 sm
#
#
#
return

#
sysname SwitchC
#
vlan batch 200 301
#
ipv6
#
#
interface Vlanif200
ipv6 enable
pim ipv6 sm
mld enable
#
interface Vlanif301
ipv6 enable
pim ipv6 sm
#
#

#
return
6.11.2 Example for Configuring the MLD Limit
In Figure 6-27, multicast services are deployed on the network. The MLD limit needs to be
configured for the entire system and an interface on SwitchA, SwitchB, and SwitchC to limit
the number of multicast groups that users can join. When the number of multicast memberships
reaches the MLD limit, no new MLD entry can be created. This configuration ensures that users
in existing multicast groups receive stable multicast data.
Figure 6-27 Networking diagram of configuring the MLD limit
PIM network Ethernet

HostA
VLANIF100 Receiver
GE0/0/2 3000::12/64 N1
VLANIF101 GE0/0/1
2002::1/64 SwitchA HostB
VLANIF200
3001::10/64 Leaf network
GE0/0/2
VLANIF201 GE0/0/1
2003::1/64 SwitchB HostC
VLANIF200 Receiver
3001::12/64 N2
GE0/0/2 GE0/0/1 HostD
VLANIF301
2004::1/64 SwitchC
Ethernet
1. Enable the IPv6 multicast function so that multicast data can be forwarded on the network.
To achieve this purpose, enable PIM-SM (IPv6) on each switch.
2. Enable MLD on the interfaces connected to hosts.
3. Configure the MLD limit on SwitchA, SwitchB, and SwitchC.
Procedure
Step 1 Create VLANs and VLANIF interfaces on the switches and assign IPv6 addresses to the
VLANIF interfaces. The configuration details are not mentioned here.
Step 2 Enable the multicast function and enable MLD and PIM-SM (IPv6) on the interfaces connected
to hosts.

# Enable the IPv6 multicast function on SwitchA, and enable MLD and PIM-SM (IPv6) on
VLANIF 100.
Step 3 Set the MLD limit on the last-hop switch.
# Set the MLD limit on SwitchA to 50.

[SwitchA] mld global limit 50
# Set the MLD limit on VLANIF 100 to 30.

[SwitchA-Vlanif100] mld limit 30
# Run the display mld interface command to check information about MLD configuration and
running on each interface of the switches. MLD information about VLANIF 200 on SwitchB is
as follows:
[SwitchB] display mld interface vlanif 200
Vlanif200(FE80::200:5EFF:FE66:5100):
MLD is enabled
Current MLD version is 2
MLD state: up
MLD group policy: none
MLD limit: 30
Value of query interval for MLD (negotiated): 125 s
Value of query interval for MLD (configured): 125 s
Value of other querier timeout for MLD: 0 s
Value of maximum query response time for MLD: 10 s
Querier for MLD: FE80::200:5EFF:FE66:5100 (this router)
The command output shows that the MLD limit on VLANIF 200 of SwitchB is 30.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100 101
#
ipv6

#
mld global limit 50
#
#
interface Vlanif100
ipv6 enable
pim ipv6 sm
mld enable
mld limit 30
#
interface Vlanif101
ipv6 enable
pim ipv6 sm
#
#
#
return

#
sysname SwitchB
#
vlan batch 200 201
#
ipv6
#
mld global limit 50
#
#
interface Vlanif200
ipv6 enable
pim ipv6 sm
mld enable
mld limit 30
#
interface Vlanif201
ipv6 enable
pim ipv6 sm
#
#
#
return

#
sysname SwitchC
#
vlan batch 200 301
#

ipv6
#
mld global limit 50
#
#
interface Vlanif200
ipv6 enable
pim ipv6 sm
mld enable
mld limit 30
#
interface Vlanif301
ipv6 enable
pim ipv6 sm
#
#
#
return

The PIM (IPv6) protocol implements multicast routing and data forwarding in a domain. The
PIM-DM (IPv6) protocol is an IPv6 multicast routing protocol in dense mode and applies to
small-scale networks with densely-distributed group members.
6.12.1 Example for Configuring Basic PIM-DM (IPv6) Functions
Figure 6-28 shows a small-scale network with densely distributed users. HostA and HostB need
to receive multicast data from Source.

Figure 6-28 Configuring basic PIM-DM (IPv6) functions
SwitchA
PIM-DM 3001::1/64
VLANIF20
E0 IF 64
G AN ::1/
GE0/0/2
/0 30
/3
1
GE0/0/1
VL 00
2
VLANIF10 HostA
2005::1/64 Receiver
/0 IF3 64
2005::2/64
E0 N 2/
/3 0
Source VLANIF10
G LA 1:: GE0/0/1 SwitchB
V 00
2004::2/64 2002::2/64
2
SwitchD VLANIF60 VLANIF70 4001::1/64

GE0/0/1 GE0/0/4 GE0/0/1 GE0/0/2
5001::1/64 2004::1/64 GE0/0/2 2002::1/64
VLANIF50 HostB
2003::2/64 Receiver
2003::1/64
VLANIF50
GE0/0/2
GE0/0/1
SwitchC VLANIF40
4001::2/64
Since users are densely distributed on the network, PIM-DM (IPv6) can be deployed on the
network to provide multicast services for the user hosts. After PIM-DM (IPv6) is configured on
the network, all user hosts in a multicast group can receive multicast data sent from the multicast
source to the group.
1. Configure IPv6 addresses for interfaces and configure an IPv6 unicast routing protocol on
each switch. PIM (IPv6) is an intra-domain multicast routing protocol that depends on an
IPv6 unicast routing protocol. The IPv6 multicast routing protocol can work normally only
when the IPv6 unicast routing protocol works normally.
2. Enable IPv6 multicast routing on all the switches providing multicast services. IPv6
multicast routing is the prerequisite for PIM-DM (IPv6) configuration.
3. Enable PIM-DM (IPv6) on all switch interfaces. Other PIM-DM (IPv6) functions can be
configured only after PIM-DM (IPv6) is enabled.
4. Enable MLD on the interfaces connected to user network segments. The MLD protocol
maintains group memberships. The leaf switches maintain group memberships using MLD.
NOTE
If PIM-DM (IPv6) and MLD need to be enabled on the same user-side interface, enable PIM-DM
(IPv6) and then MLD.

Procedure
Step 1 Configure IPv6 addresses for interfaces and configure an IPv6 unicast routing protocol on each
switch.
# Configure IPv6 addresses and masks for switch interfaces. Configure OSPFv3 on the switches
to implement IPv6 interworking between the switches and enable the switches to dynamically
update routes. (The configurations of the other switches are similar to the configuration of
SwitchA.)
[SwitchA] ipv6
[SwitchA-Vlanif10] ipv6 address 2005::1 64
Step 2 Enable IPv6 multicast routing on all the switches and enable PIM-DM (IPv6) on all interfaces.
# Enable IPv6 multicast routing on all the switches and enable PIM-DM (IPv6) on all interfaces.
(The configurations of the other switches are similar to the configuration of SwitchA.)
[SwitchA-Vlanif10] pim ipv6 dm
[SwitchA] interface vlanif ipv6 30
Step 3 Enable MLD on the interfaces connected to user hosts.
# Enable MLD on the user-side interface (VLANIF20) of SwitchA. (The configurations of

SwitchB and SwitchC are similar to the configuration of SwitchA.)


# Run the display pim ipv6 interface command to check the PIM (IPv6) configuration and
running status on switch interfaces. The following is the command output on SwitchC, indicating
that PIM (IPv6) is running on the interfaces.
<SwitchC> display pim ipv6 interface
Vlanif40 up 1 30 1 FE80::10B:FF:F301:22(local)
Vlanif50 up 1 30 1 FE80::10B:FF:F301:22(local)
# Run the display pim ipv6 routing-table command to check the PIM (IPv6) routing tables on
the switches. You can see from the PIM (IPv6) routing tables that multicast source
(5001::100/64) to group (FF0E::1/64), and HostA and HostB have joined group (FF0E::1/64).
The PIM (IPv6) routing tables of the switches are as follows:
[SwitchA] display pim ipv6 routing-table
(5001::100, FF0E::1)
UpTime: 00:00:29
Upstream neighbor: 2001::2
RPF prime neighbor: 2001::2
1: vlanif20
[SwitchB] display pim ipv6 routing-table
(5001::100, FF0E::1)
UpTime: 00:00:29
1: vlanif40
[SwitchC] display pim ipv6 routing-table

(5001::100, FF0E::1)
UpTime: 00:01:25
1: vlanif40

[SwitchD] display pim ipv6 routing-table

(5001::100, FF0E::1)
UpTime: 00:00:29
1: vlanif30
1: vlanif60
[SwitchE] display pim ipv6 routing-table

(5001::100, FF0E::1)
UpTime: 00:01:22
1: vlanif70
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 10 20 30
#
#
ospfv3 100
router-id 1.1.1.1
#
interface Vlanif10
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 dm
#
interface Vlanif20
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 dm
mld enable
#
interface Vlanif30
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 dm

#
#
#
#
return

#
sysname SwitchB
#
ipv6
#
ospfv3 100
router-id 2.2.2.2
#
#
vlan batch 40 70
#
interface Vlanif40
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 dm
mld enable
#
interface Vlanif70
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 dm
#
#
#
return

#
sysname SwitchC
#
ipv6
#
vlan batch 40 50
#
#
ospfv3 100
router-id 3.3.3.3
#
interface Vlanif40
ipv6 enable

ospfv3 100 area 0.0.0.0

pim ipv6 dm
mld enable
#
interface Vlanif50
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 dm
#
#
#
return

#
sysname SwitchD
#
ipv6
#
vlan batch 30 60 80
#
#
ospfv3 100
router-id 4.4.4.4
#
interface Vlanif30
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 dm
#
interface Vlanif60
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 dm
#
interface Vlanif80
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 dm
#
#
#
#
return

#
sysname SwitchE
#
ipv6
#
#
#
ospfv3 100
router-id 5.5.5.5
#
interface Vlanif10
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 dm
#
interface Vlanif50
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 dm
#
interface Vlanif60
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 dm
#
interface Vlanif70
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 dm
#
#
#
#
#
return

The PIM-SM (IPv6) protocol implements intra-domain multicast routing and data forwarding
on an IPv6 network. The PIM-SM (IPv6) protocol is a multicast routing protocol in sparse mode.
It applies to a large-scale network with sparsely-distributed group members.
6.13.1 Example for Configuring PIM-SM (IPv6) in the ASM Model

As shown in Figure 6-29, the shared network segment is connected to the Internet. HostA and
HostB want to receive multicast data from Source.
Figure 6-29 Networking diagram for configuring PIM-SM (IPv6) in the ASM model
SwitchA
PIM-SM 3001::1/64
VLANIF20
E0 IF 4
G AN :1/6
GE0/0/2
/0 30
/3
:
GE0/0/1
VL 002
VLANIF10 HostA
2 2001::1/64 Receiver
/0 IF3 /64
2001::2/64
/3 0
VLANIF10
E0 N 2
Source
G LA 02::
GE0/0/1 SwitchB
V 0
2005::2/64
2
SwitchD 2003::2/64
VLANIF60 VLANIF90 4001::1/64
GE0/0/1 GE0/0/4 GE0/0/1 GE0/0/2
5001::1/64 2005::1/64 GE0/0/2 2003::1/64
GE0/0/2 VLANIF50 HostB
VLANIF70 2004::2/64 Receiver
6001::1/64
2004::1/64
VLANIF50
GE0/0/2
GE0/0/1
SwitchC VLANIF40
4001::2/64
Configure the PIM-SM (IPv6) protocol on the switches to enable them to provide the ASM
service for user hosts on the network. Then all the hosts in a multicast group can receive multicast
data sent from any sources to this group.
1. Configure an IPv6 address for each interface and an IPv6 unicast routing protocol. PIM
(IPv6) is an intra-domain multicast routing protocol that depends on IPv6 unicast routing
protocols.
2. Enable the IPv6 multicast function on all switches to provide IPv6 multicast services.
Before configuring PIM-SM (IPv6), you must enable the IPv6 multicast function.
3. Enable PIM-SM (IPv6) on all interfaces. You can configure other PIM-SM (IPv6) functions
only after PIM-SM (IPv6) is enabled.
4. Enable MLD on interfaces that connect the switch and hosts. A receiver can join and leave
a multicast group by sending MLD messages. The leaf switches maintain the multicast
member relationship through MLD.

NOTE
If both PIM-SM (IPv6) and MLD need to be configured on interfaces that connect the switch and
hosts, you must configure PIM-SM (IPv6) first, and then configure MLD.
5. Enable PIM silent (IPv6) on interfaces that connect the switch and hosts to prevent
malicious hosts from simulating sending Hello packets. In this manner, security of PIM-
SM (IPv6) domain is ensured.
NOTE
If the user host network segment connects to multiple switches, do not enable PIM silent (IPv6) on
interfaces that connect these switches and user hosts. For example, PIM silent (IPv6) cannot be
enabled on SwitchB and SwitchC in the figure.
6. Configure the RP. In PIM-SM (IPv6) domain, RP is essential in providing ASM services
and helps forward multicast data. You are advised to configure RP on switches that have
more multicast flows. For example, you can configure RP on SwitchE in the figure.
7. Configure the BSR boundary on interfaces connected to the Internet. The Bootstrap
message cannot pass through the BSR boundary; therefore, the BSR serves only this PIM-
SM (IPv6) domain. In this manner, multicast services can be controlled effectively.
Procedure
Step 1 Configure an IPv6 address for each interface and an IPv6 unicast routing protocol.
# Configure the IPv6 address and mask for each interface shown in Figure 6-29, and configure
OSPFv3 on each switch to ensure that switches can communicate at the network layer and can
dynamically update routes through the IPv6 unicast routing protocol. The configuration of
SwitchB, SwitchC, SwitchD, and SwitchE are similar to the configuration of SwitchA, and are
not provided here.
[SwitchA] ipv6


Step 2 Enable multicast, and enable PIM-SM (IPv6) on all interfaces.

# Enable IPv6 multicast on all switches and PIM-SM (IPv6) on all interfaces. The configuration
of SwitchB, SwitchC, SwitchD, and SwitchE are similar to the configuration of SwitchA, and
are not provided here.
Step 3 Enable MLD on interfaces that connect the switch and hosts.
# Enable MLD on interfaces that connect SwitchA and user hosts. The configuration of SwitchB
Step 4 Enable PIM silent (IPv6) on interfaces on SwitchA.

[SwitchA-Vlanif20] pim ipv6 silent
Step 5 Configure the RP.

# Configure the C-RP on SwitchE and specify the group address range served by the C-RP.
[SwitchE] acl ipv6 number 2001
[SwitchE-acl6-basic-2001] rule permit source ff0e::1 64
[SwitchE-acl6-basic-2001] quit
[SwitchE] pim-ipv6
[SwitchE-pim6] c-rp 2005::2 group-policy 2001
# Configure a C-BSR on SwitchE.

[SwitchE-pim6] c-bsr 2005::2
[SwitchE-pim6] quit
Step 6 Configure the BSR boundary on interfaces that connect SwitchD to the Internet.
[SwitchD-Vlanif70] pim ipv6 bsr-boundary

status. In this example, the PIM (IPv6) information on SwitchC is displayed as follows:
Vlanif40 up 0 30 1 FE80::200:FF:FE00:10(local)
# Run the display pim ipv6 bsr-info command to check information about the BSR selection
on the switch. For example, BSR information on SwitchA and SwitchE is displayed as follows
(C-BSR information is also displayed on SwitchE).

<SwitchA> display pim ipv6 bsr-info

Elected BSR Address: 2005::2
Priority: 0
State: Accept Preferred
Scope: Not scoped
Uptime: 01:40:40
Next BSR message scheduled at: 00:01:42
C-RP Count: 1
<SwitchE> display pim ipv6 bsr-info

Elected BSR Address: 2005::2
Priority: 0
Hash Mask length: 126
State: Elected
Scope: Not scoped
Uptime: 00:00:18
Next BSR message scheduled at :00:01:42
C-RP Count: 1
Candidate AdminScoped BSR Count: 0
Candidate BSR Address: 2005::2
Priority: 0
State:Elected
Scope: Not scoped
Wait to be BSR: 0
# Run the display pim ipv6 rp-info command to check the RP information on SwitchA. In this
example, the RP information on SwitchA is displayed as follows:
<SwitchA> display pim ipv6 rp-info
PIM-SM BSR RP Number:1
Group/MaskLen: FF0E::1/64
RP: 2005::2
Priority: 192
Uptime: 00:05:19
Expires: 00:02:11
# Run the display pim ipv6 routing-table command to view the PIM (IPv6) multicast routing
table. Multicast source S (5001::5/64) sends multicast packets to multicast groups FF0E::1/64
and FF0E::2/64. HostA needs to receive data sent to group FF0E::1, and HostB needs to receive
data sent to group FF0E::2.
NOTE
By default, after the receiver's DR receives the first multicast data, an SPT switchover is performed and
(S, G) routing entries are created. Therefore, (S, G) routing entries displayed on the switch are (S, G) entries
after the SPT switchover.
<SwitchA> display pim ipv6 routing-table
(*, FF0E::1)
RP: 2005::2
UpTime: 00:02:15
Upstream neighbor: FE80::9D62:0:FDC5:2
RPF prime neighbor: FE80::9D62:0:FDC5:2

1: Vlanif20
Protocol: mld, UpTime: 00:02:15, Expires: -
(5001::5, FF0E::1)
RP: 2005::2
Protocol: pim-sm, Flag: SPT LOC ACT
UpTime: 00:00:11
Upstream neighbor: FE80::A01:10C:1
RPF prime neighbor: FE80::A01:10C:1
1: Vlanif20
<SwitchB> display pim ipv6 routing-table
(*, FF0E::2)
RP: 2005::2
UpTime: 00:14:44
Upstream neighbor: FE80::33FE:0:852C:2
RPF prime neighbor: FE80::33FE:0:852C:2
1: Vlanif40
Protocol: mld, UpTime: 00:14:44, Expires: -
(5001::5, FF0E::2)
RP: 2005::2
UpTime: 00:2:42
1: Vlanif40
<SwitchC> display pim ipv6 routing-table
(5001::5, FF0E::2)
RP: 2005::2
Protocol: pim-sm, Flag:
UpTime: 00:2:42
Upstream neighbor: FE80::71FE:11:21
RPF prime neighbor: FE80::71FE:11:21
1: Vlanif40
<SwitchD> display pim ipv6 routing-table
(5001::5, FF0E::1)
RP: 2005::2
UpTime: 00:16:56


1: Vlanif30
(5001::5, FF0E::2)
RP: 2005::2
UpTime: 00:02:54
1: Vlanif60
<SwitchE> display pim ipv6 routing-table
(*, FF0E::1)
RP: 2005::2(local)
UpTime: 00:02:15
1: Vlanif10
(5001::5, FF0E::1)
RP: 2005::2(local)
UpTime: 00:16:56
Upstream neighbor: FE80::659:10C:3
RPF prime neighbor: FE80::659:10C:3
1: Vlanif10
(*, FF0E::2)
RP: 2005::2(local)
UpTime: 00:02:15
1: Vlanif90
2: Vlanif50
(5001::5, FF0E::2)
RP: 2004::2(local)
UpTime: 00:02:54
1: Vlanif90

2: Vlanif50
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 10 20 30
#
#
ospfv3 100
router-id 1.1.1.1
#
interface Vlanif10
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
interface Vlanif20
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 silent
pim ipv6 sm
mld enable
#
interface Vlanif30
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
#
#
#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 40 90
#
#
ospfv3 100
router-id 2.2.2.2

#
interface Vlanif40
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
mld enable
#
interface Vlanif90
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
#
#
return

#
sysname SwitchC
#
ipv6
#
vlan batch 40 50
#
#
ospfv3 100
router-id 3.3.3.3
#
interface Vlanif40
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
mld enable
#
interface Vlanif50
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
#
#
return

#
sysname SwitchD
#
ipv6
#

#
#
ospfv3 100
router-id 4.4.4.4
#
interface Vlanif30
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
interface Vlanif60
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
interface Vlanif70
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 bsr-boundary
pim ipv6 sm
#
interface Vlanif80
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
#
#
#
#
return

#
sysname SwitchE
#
ipv6
#
#
#
rule 0 permit source FF0E::1/64
#
ospfv3 100
router-id 5.5.5.5
#
interface Vlanif10
ipv6 enable


ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
interface Vlanif50
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
interface Vlanif60
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
interface Vlanif90
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
#
#
#
#
pim-ipv6
c-bsr 2005::2
c-rp 2005::2 group-policy 2001
#
return
6.13.2 Example for Configuring PIM-SM (IPv6) in the SSM Model
As shown in Figure 6-30, HostA wants to receive multicast data from S1 and S2, while HostB
wants to receive multicast data from S2.

Figure 6-30 Networking diagram for configuring PIM-SM (IPv6) in the SSM model
PIM-SM
SwitchA
6001::1/64 2001::1/64 3001::1/64
GE0/0/1 GE0/0/2 GE0/0/3
GE0/0/2
S1 VLANIF30
GE0/0/1
SwitchF 2001::2/64 HostA
Source VLANIF10
2005::1/64 Receiver
SwitchE 2005::2/64
VLANIF10 2002::1/64 4001::1/64
5001::1/64 2004::2/64 GE0/0/1
GE0/0/1 GE0/0/4 GE0/0/1 GE0/0/2
GE0/0/4 GE0/0/3
S2 VLANIF60 VLANIF90
SwitchD 2004::1/64 GE0/0/2 SwitchB
VLANIF50 2002::2/64
Source
2003::2/64 HostB
2003::1/64 Receiver
VLANIF50
GE0/0/2
SwitchC
GE0/0/1
VLANIF40
4001::2/64
Configure the PIM-SM (IPv6) protocol on the switches to enable them to provide the SSM
service for user hosts on the network. Then hosts in a multicast group can receive multicast data
sent from specified sources to this group.
1. Configure an IPv6 address for each interface and an IPv6 unicast routing protocol. PIM
(IPv6) is an intra-domain multicast routing protocol that depends on IPv6 unicast routing
protocols.
2. Enable the IPv6 multicast function on switches providing multicast services. Before
configuring PIM-SM (IPv6), you must enable the IPv6 multicast function.
3. Enable PIM-SM (IPv6) on all interfaces. You can configure other PIM-SM (IPv6) functions
only after PIM-SM (IPv6) is enabled.
4. Enable MLD on interfaces that connect the switch and hosts. A receiver can join and leave
a multicast group of a specified source by sending MLD messages. The leaf switches
maintain the multicast member relationship through MLD.
NOTE
If both PIM-SM (IPv6) and MLD need to be configured on interfaces that connect the switch and
hosts, you must configure PIM-SM (IPv6) first, and then configure MLD.
5. Enable PIM silent (IPv6) on interfaces that connect the switch and hosts to prevent
malicious hosts from simulating sending Hello packets. In this manner, security of PIM-
SM (IPv6) domain is ensured.

NOTE
If the user host network segment connects to multiple switches, do not enable PIM silent (IPv6) on
interfaces that connect these switches and user hosts. For example, PIM (IPv6) silent cannot be
enabled on SwitchB and Switch C.
6. Configure the address range for SSM groups on each switch. Ensure that switches in the
PIM-SM (IPv6) domain provide services only for multicast groups in the range of SSM
group addresses. In this manner, multicast can be controlled effectively.
NOTE
SSM group address range configured on each switch must be the same.
Procedure
Step 1 Configure an IPv6 address for each interface and an IPv6 unicast routing protocol.
# Configure the IPv6 address and mask for each interface shown in Figure 6-30, and configure
OSPFv3 on each switch to ensure that switches can communicate at the network layer and can
dynamically update routes through the IPv6 unicast routing protocol.. The configuration details
are not provided here. The configuration of SwitchB, SwitchC, SwitchD, and SwitchE are similar
to the configuration of SwitchA, and are not mentioned.
[SwitchA] ipv6
Step 2 Enable IPv6 multicast, and enable PIM-SM (IPv6) on all interfaces.
# Enable IPv6 multicast on all switches and PIM-SM (IPv6) on all interfaces. The configuration
of SwitchB, SwitchC, SwitchD, and SwitchE are similar to the configuration of SwitchA, and
are not mentioned.


Step 3 Enable MLD on interfaces that connect the switch and hosts.
# Enable MLD on interfaces that connect SwitchA and user hosts. The configuration of SwitchB
Step 4 Enable PIM silent (IPv6) on interfaces on SwitchA.

[SwitchA-Vlanif20] pim ipv6 silent
Step 5 Configure the address range for SSM groups.
# Set the range of SSM group addresses to ff3e::/64 on all the switches. The configurations of
SwitchB, SwitchC, SwitchD, and SwitchE are similar to the configuration of SwitchA, and are
not provided here.
[SwitchA] acl ipv6 number 2000
[SwitchA-acl6-basic-2000] rule permit source ff3e:: 64
[SwitchA-acl6-basic-2000] quit
[SwitchA] pim-ipv6
[SwitchA-pim6] ssm-policy 2000
status. The PIM (IPv6) information on SwitchC is displayed as follows:
# Run the display pim ipv6 routing-table command to view the PIM (IPv6) routing table. HostA
receives information sent from multicast source 5001::100/64 and 6001::100/64 to the multicast
group FF3e::1/64. HostB receives information sent from multicast source 5001::100/64 to
multicast group FF3E::1/64. The following information is displayed.
[SwitchA] display pim ipv6 routing-table
(5001::100, ff3e::1)
Protocol: pim-ssm, Flag: SPT ACT
UpTime: 00:13:46
Upstream interface: vlanif10,
1: vlanif20
Protocol: mld, UpTime: 00:13:46, Expires:-
(6001::100, ff3e::1)


UpTime: 00:00:42
1: vlanif20
[SwitchB] display pim ipv6 routing-table
(5001::100, ff3e::1)
UpTime: 00:10:12
Upstream interface: vlanif90,
Upstream neighbor: FE80::33FE:0:852C:2
RPF prime neighbor: FE80::33FE:0:852C:2
1: vlanif40
[SwitchC] display pim ipv6 routing-table

(5001::100, ff3e::1)
Protocol: pim-ssm, Flag:
UpTime: 00:01:25
1: vlanif40
[SwitchD] display pim ipv6 routing-table

(5001::100, ff3e::1)
UpTime: 00:00:42
Upstream neighbor: FE80::71FE:11:21
RPF prime neighbor: FE80::71FE:11:21
1: vlanif60
[SwitchE] display pim ipv6 routing-table

(5001::100, ff3e::1)
UpTime: 00:13:16
Upstream interface: vlanif 60
1: vlanif10

1: vlanif50
1: vlanif90
[SwitchF] display pim ipv6 routing-table

(6001::100, ff3e::1)
UpTime: 00:13:16
Upstream interface: vlanif 70
1: vlanif30
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 10 20 30
#
#
rule 0 permit source FF3E::/64
#
ospfv3 100
router-id 1.1.1.1
#
interface Vlanif10
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
interface Vlanif20
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 silent
pim ipv6 sm
mld enable
#
interface vlanif 30
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
#

#
#
pim-ipv6
ssm-policy 2000
#
return

#
sysname SwitchB
#
ipv6
#
vlan batch 40 90
#
#
#
ospfv3 100
router-id 2.2.2.2
#
interface Vlanif40
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
mld enable
#
interface Vlanif90
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
#
#
pim-ipv6
ssm-policy 2000
#
return

#
sysname SwitchC
#
ipv6
#
vlan batch 40 50
#
#
#
ospfv3 100
router-id 3.3.3.3

#
interface Vlanif40
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
mld enable
#
interface Vlanif50
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
#
#
pim-ipv6
ssm-policy 2000
#
return

#
sysname SwitchD
#
ipv6
#
vlan batch 60 80
#
#
#
ospfv3 100
router-id 4.4.4.4
#
interface Vlanif60
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
interface Vlanif80
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
#
#
pim-ipv6
ssm-policy 2000
#
return


#
sysname SwitchE
#
ipv6
#
#
#
#
ospfv3 100
router-id 5.5.5.5
#
interface Vlanif10
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
interface Vlanif50
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
interface Vlanif60
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
interface Vlanif90
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
#
#
#
#
pim-ipv6
ssm-policy 2000
#
return

#
sysname SwitchF
#
ipv6
#

vlan batch 30 70
#
#
#
ospfv3 100
router-id 6.6.6.6
#
interface Vlanif30
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
interface Vlanif70
ipv6 enable
ospfv3 100 area 0.0.0.0
pim ipv6 sm
#
#
#
pim-ipv6
ssm-policy 2000
#
return

The switch can run multiple IPv6 multicast routing protocols to control IPv6 multicast routing
and forwarding through message exchange between the control plane and forwarding plane.
6.14.1 Example for Configuring IPv6 Multicast Load Splitting
On an IPv6 multicast network as shown in Figure 6-31, SwitchE connects to HostA and has
three equal-cost routes to the multicast source (Source). According to the default RPF check
policy, SwitchE will select one of equal-cost routes to transmit multicast data. When the rate of
multicast traffic is high, the network may be congested, degrading the quality of multicast
services. To ensure the quality of multicast services, configure IPv6 multicast load splitting so
that multicast data can be transmitted through multiple equal-cost routes.

Figure 6-31 Networking diagram of multicast load splitting
Source
/64 V 200
2 ::2 IF20/1 GELAN 5::1/
0
20 VLAN 0 /0 0/0 IF6 64
GE SwitchB
/2 0
4 20
1 /6 05
0 2 :: 0 VL ::2/6
20 IF2 PIM-SM GEANI 4
N 1
2001::2/64 VLA0/0/ 0 /0 F 6 0
/1
VLANIF10 GE 2003::1/64 SwitchC 2006::2/64
GE0/0/4 SwitchE
VLANIF30 VLANIF80
GE0/0/2 GE0/0/2
SwitchA GE0/0/1 GE0/0/2
VLANIF30 VLANIF80
GE 2003::2/64 2006::1/64 /3 GE0/0/4
VL 0/0/3 E 0/0100 3001::1/64
A G NIF 4 VLANIF140
2 0 N IF A /6
04 40
::1 V L 7 ::2
0
/6 4 20
Loopback0 GE /2 0 0
2000::1/64
20 VLA 0/0/ 0/0 IF1 64
04 N I 1 GELAN 7::1/
::2 F4 V 00
/6 4 0 2
SwitchD
HostA
1. Configure IPv6 addresses for interfaces on the switches.

2. Configure an IPv6 unicast routing protocol (IS-IS (IPv6) in this example) to implement
interworking among all the switches and ensure that route costs are the same.
3. Enable IPv6 multicast routing on all the switches and enable PIM-SM (IPv6) on all the
Layer 3 interfaces. Configure the loopback interface on SwitchA as a C-BSR and C-RP.
4. On SwitchE, configure stable-preferred IPv6 multicast load splitting to ensure stable
transmission of multicast services.
5. On SwitchE, configure static multicast groups on the interface connected to the network
segment of HostA, because HostA needs to receive data of these groups for a long time.
6. On SwitchE, configure different IPv6 multicast load splitting weights for the interfaces
connected to the upstream switches to implement unbalanced load splitting, because HostA
needs to receive multicast data of new groups.
Procedure
Step 1 Configure IPv6 addresses for interfaces on the switches.
# Create VLANs and add Layer 2 physical interfaces to VLANs on the switches. (Configurations
[SwitchA] vlan batch 10 20 30 40


# Configure IPv6 addresses and masks for Layer 3 interfaces on the switches. (Configurations
[SwitchA] ipv6
[SwitchA-LoopBack0] ipv6 enable
[SwitchA-LoopBack0] ipv6 address 2000::1 64
Step 2 Configure IS-IS (IPv6) to implement interworking among all the switches and ensure that route
costs are the same.
SwitchA.)
[SwitchA] isis
[SwitchA-isis-1] ipv6 enable topology standard
[SwitchA-Vlanif10] isis ipv6 enable
[SwitchA-Loopback0] isis ipv6 enable
[SwitchA-Loopback0] quit

Step 3 Enable IPv6 multicast routing on all the switches and enable PIM-SM (IPv6) on all the Layer 3
interfaces.
SwitchA.)
[SwitchA-LoopBack0] pim ipv6 sm
Step 4 Configure a C-BSR and C-RP on SwitchA.
# Configure Loopback0 on SwitchA as a C-BSR and C-RP.

[SwitchA] pim-ipv6
[SwitchA-pim6] c-bsr 2000::1
[SwitchA-pim6] c-rp 2000::1
[SwitchA-pim6] quit
Step 5 Configure stable-preferred multicast load splitting on SwitchE.

[SwitchE] multicast ipv6 load-splitting stable-preferred
Step 6 Configure static multicast groups on the interface of SwitchE connected to the network segment
of HostA.
# Configure static multicast groups FF13::1 to FF13::3 on VLANIF140.

[SwitchE-Vlanif140] mld static-group ff13::1 inc-step-mask 128 number 3
Step 7 Verify the configuration of stable-preferred multicast load splitting.
# Source (2001::1/64) sends multicast data to multicast groups FF13::1 to FF13::3. HostA can
receive multicast data from Source. Check brief information about the PIM (IPv6) routing table
on SwitchE.
<SwitchE> display pim ipv6 routing-table brief
00001.(*, FF13::1)
00002.(2001::1, FF13::1)
00003.(*, FF13::2)
00004.(2001::1, FF13::2)

00005.(*, FF13::3)
00006.(2001::1, FF13::3)
(*, G) and (S, G) entries are evenly distributed on the three equal-cost routes. The upstream
interfaces of the routes are VLANIF100, VLANIF80, and VLANIF60 respectively.
NOTE
The load splitting algorithm processes (*, G) and (S, G) entries separately using the same rule.
Step 8 Set different multicast load splitting weights for upstream interfaces of SwitchE to implement
uneven multicast load splitting.

[SwitchE-Vlanif60] multicast ipv6 load-splitting weight 3
# Set the multicast load splitting weight of VLANIF80 to 2

[SwitchE-Vlanif80] multicast ipv6 load-splitting weight 2
Step 9 Configure new static multicast groups on the interface of SwitchE connected to the network
segment of HostA.
# Configure static multicast groups FF13::4 to FF13::6 on VLANIF140.

[SwitchE-Vlanif140] mld static-group FF13::4 inc-step-mask 32 number 3
Step 10 Verify the configuration of uneven multicast load splitting.
# Source (2001::1/64) sends multicast data to multicast groups FF13::1 to FF13::9. HostA can
receive multicast data from Source. Check brief information about the PIM (IPv6) routing table
on SwitchE.
<SwitchE>display pim ipv6 routing-table brief
00001.(*, FF13::1)
00002.(2001::1, FF13::1)
00003.(*, FF13::2)
00004.(2001::1, FF13::2)
00005.(*, FF13::3)
00006.(2001::1, FF13::3)

00007.(*, FF13::4)
00008.(2001::1, FF13::4)
00009.(*, FF13::5)
00010.(2001::1, FF13::5)
00011.(*, FF13::6)
00012.(2001::1, FF13::6)
The upstream interfaces of existing (*, G) and (S, G) entries remain unchanged. VLANIF60 has
a larger multicast load splitting weight (3) than VLANIF80 (2). Therefore, more new (*, G) and
(S, G) entries are distributed to the route with VLANIF60 as the upstream interface. The multicast
load splitting weight of VLANIF100 is the default value 1 which is smaller than that of
VLANIF60 and VLANIF80, indicating that VLANIF100 does not load balance new entries.
----End
Configuration Files
#
sysname SwitchA
#
#
ipv6
#
#
isis 1
network-entity 10.0000.0000.0001.00
#
#
#
interface Vlanif10
ipv6 enable
isis ipv6 enable 1
pim ipv6 sm
#
interface Vlanif20
ipv6 enable
isis ipv6 enable 1
pim ipv6 sm
#
interface Vlanif30
ipv6 enable
isis ipv6 enable 1
pim ipv6 sm
#
interface Vlanif40

ipv6 enable
isis ipv6 enable 1
pim ipv6 sm
#
#
#
#
#
interface LoopBack0
ipv6 enable
isis ipv6 enable 1
pim ipv6 sm
#
pim-ipv6
c-bsr 2000::1
c-rp 2000::1
#
return

#
sysname SwitchB
#
vlan batch 20 60
#
ipv6
#
#
isis 1
network-entity 10.0000.0000.0002.00
#
#
#
interface Vlanif20
ipv6 enable
isis ipv6 enable 1
pim ipv6 sm
#
interface Vlanif60
ipv6 enable
isis ipv6 enable 1
pim ipv6 sm
#
#


#
return

#
sysname SwitchC
#
vlan batch 30 80
#
ipv6
#
#
isis 1
network-entity 10.0000.0000.0003.00
#
#
#
interface Vlanif30
ipv6 enable
isis ipv6 enable 1
pim ipv6 sm
#
interface Vlanif80
ipv6 enable
isis ipv6 enable 1
pim ipv6 sm
#
#
#
return

#
sysname SwitchD
#
vlan batch 40 100
#
ipv6
#
#
isis 1
network-entity 10.0000.0000.0004.00
#
#
#
interface Vlanif40
ipv6 enable
isis ipv6 enable 1
pim ipv6 sm
#
interface Vlanif100
ipv6 enable

isis ipv6 enable 1

pim ipv6 sm
#
#
#
return

#
sysname SwitchE
#
vlan batch 60 80 100 140
#
ipv6
#
multicast ipv6 load-splitting stable-preferred
#
isis 1
network-entity 10.0000.0000.0005.00
#
#
#
interface Vlanif60
ipv6 enable
isis ipv6 enable 1
pim ipv6 sm
multicast ipv6 load-splitting weight 3
#
interface Vlanif80
ipv6 enable
isis ipv6 enable 1
pim ipv6 sm
multicast ipv6 load-splitting weight 2
#
interface Vlanif100
ipv6 enable
isis ipv6 enable 1
pim ipv6 sm
#
interface Vlanif140
ipv6 enable
isis ipv6 enable 1
pim ipv6 sm
mld static-group FF13::1 inc-step-mask 128 number 3
mld static-group FF13::4 inc-step-mask 128 number 3
#
#
#


#
#
return
6.15 MLD Snooping Configuration

MLD snooping is configured on Layer 2 multicast devices to resolve the MLD packets between
Layer 3 devices and users. It generates and maintains IPv6 Layer 2 multicast forwarding tables
to distribute multicast data to only the receivers at the data link layer.
6.15.1 Example for Configuring MLD Snooping
In Figure 6-32, the router connects to the user network through the Layer 2 Switch on an IPv6
network. When the multicast source sends data to multicast group FF16::1 to FF16::5, HostA,
HostB, and HostC on the network only want to receive date of multicast groups FF16::1 to
FF16::3.
Figure 6-32 Networking diagram for configuring MLD snooping
Source
IP/MPLS core
Router
VLAN10
GE0/0/3
GE0/0/1 GE0/0/2
Switch
HostA HostB HostC

To meet the requirement, basic MLD snooping functions and multicast group policy need to be
configured on the Layer 2 device. The configuration roadmap is as follows:
1. Create a VLAN on the Switch and add the interface to the VLAN.
2. Enable MLD snooping globally and in a VLAN.
3. Configure a multicast group policy in a VLAN.
Procedure
[Switch] vlan 10
Step 2 Enable MLD snooping.
# Enable MLD snooping globally.

[Switch] mld-snooping enable
# Enable MLD snooping in VLAN 10.

[Switch] vlan 10
[Switch-vlan10] mld-snooping enable
Step 3 Configure and apply a multicast group policy.
# Configure a multicast group policy.

[Switch] acl ipv6 2000
[Switch-acl6-basic-2000] rule permit source ff16::1 128
[Switch-acl6-basic-2000] quit
# Apply the multicast policy in VLAN 10.

[Switch] vlan 10
[Switch-vlan10] mld-snooping group-policy 2000
# Check the interface on the Switch.

<Switch> display mld-snooping port-info vlan 10
-----------------------------------------------------------------------


-----------------------------------------------------------------------
VLAN 10, 3 Entry(s)
( *, ff16:0:0:0:0:0:0:1)GE0/0/1 -D-
GE0/0/2 -D-
2 port(s)
( *, ff16:0:0:0:0:0:0:2)GE0/0/1 -D-
GE0/0/2 -D-
2 port(s)
( *, ff16:0:0:0:0:0:0:3)GE0/0/1 -D-
GE0/0/2 -D-
2 port(s)
-----------------------------------------------------------------------
The command output shows that GE0/0/1 and GE0/0/2 on the Switch have joined the group
FF16::1 to FF16::3.
# Check the Layer 2 forwarding table on the Switch.

<Switch> display mld-snooping forwarding-table vlan 10
------------------------------------------------------------------------
----------------------------------------------------------------------
(*, ff16:0:0:0:0:0:0:1) GigabitEthernet0/0/3 10
------------------------------------------------------------------------
Total Group(s) : 3
The command output shows that the forwarding table only contains multicast data of FF16::1
to FF16::3. FF16::4 to FF16::5 do not send data to hosts.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#
mld-snooping enable
#
rule 0 permit source FF16::1/128
#
vlan 10
mld-snooping enable
mld-snooping group-policy 2000
#

#
#
#
return
6.15.2 Example for Configuring a Static Interface to Implement

Layer 2 Multicast
In Figure 6-33, the router connects to the user network through the Layer 2 switch on an IPv6
network. HostA, HostB, and HostC are the receivers. The user-side VLANIF interface of Router
has static groups FF16::1 to FF16::5 configured and does not run MLD. HostA and HostB require
to steadily receive data from FF16::1 to FF16::3 while HostC wants to steadily receive data from
FF16::4 to FF16::5.
Figure 6-33 Networking diagram for configuring a static interface to implement Layer 2
multicast
Source
IP/MPLS core
Router
VLAN10
GE0/0/3
GE0/0/1 GE0/0/2
Switch
HostA HostB HostC

To meet the requirement, MLD snooping static router and member ports need to configured on
the Switch.

2. Enable MLD snooping globally and in a VLAN.
3. Configure a static router port.
4. Configure a static member port.
Procedure
Step 1 Create VLAN 10 and add the interface to VLAN 10.
[Switch] vlan 10
Step 2 Enable MLD snooping globally and in VLAN 10.


[Switch] vlan 10
Step 3 Configure a static router port.

[Switch-GigabitEthernet0/0/3] mld-snooping static-router-port vlan 10
Step 4 Configure a static member port.

[Switch-GigabitEthernet0/0/1] mld-snooping static-group ff16::1 vlan 10
# Check the router port on the Switch.

<HUAWEI> display mld-snooping router-port

Total Number of Router Port on VLAN 10 is 1
GE0/0/3 00:00:06 -- STATIC
The command output shows that GE0/0/3 becomes the static router port.
# Check the member port on the Switch.

<Switch> display mld-snooping port-info vlan 10
-----------------------------------------------------------------------
-----------------------------------------------------------------------
VLAN 10, 5 Entry(s)
( *, ff16:0:0:0:0:0:0:1) GE0/0/1 S--
1 port(s)
( *, ff16:0:0:0:0:0:0:2) GE0/0/1 S--
1 port(s)
( *, ff16:0:0:0:0:0:0:3) GE0/0/1 S--
1 port(s)
( *, ff16:0:0:0:0:0:0:4) GE0/0/2 S--
1 port(s)
( *, ff16:0:0:0:0:0:0:5) GE0/0/2 S--
1 port(s)
-----------------------------------------------------------------------
The command output shows that GE0/0/1 on the Switch joins multicast groups FF16::1 to
FF16::3 and GE0/0/2 on the Switch joins multicast groups FF16::4 to FF16::5.
# Check the Layer 2 forwarding table on the Switch.

<Switch> display mld-snooping forwarding-table vlan 10
----------------------------------------------------------------------------
----------------------------------------------------------------------------
----------------------------------------------------------------------------
Total Group(s) : 5
The command output shows that multicast groups FF16::1 to FF16::5 have generated the
forwarding table on the Switch.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#
mld-snooping enable

#
vlan 10
mld-snooping enable
#
mld-snooping static-group ff16:0:0:0:0:0:0:1 vlan 10
#
#
mld-snooping static-router-port vlan 10
#
return
6.15.3 Example for Configuring the MLD Snooping Querier
In Figure 6-34, Source1 and Source2 on a Layer 2 network send multicast data to FF16::1 and
FF16::2. HostA and HostC need to receive data of multicast group FF16::1 and HostB and Host
D need to receive data of multicast group FF16::2.
Figure 6-34 Networking diagram for configuring MLD snooping querier
Source1 Source2
VLAN10
GE0/0/3 GE0/0/4
GE0/0/1 GE0/0/2 GE0/0/3
GE0/0/2
HostA SwitchA SwitchB GE0/0/1 HostB
GE0/0/1
GE0/0/1 GE0/0/2
GE0/0/2 GE0/0/3
HostD SwitchD SwitchC HostC

Enable MLD snooping on each switch in the network and configure MLD snooping querier to
meet the service requirement. Enable each switch to discard unknown multicast packets to
prevent the device from broadcasting multicast packets in a VLAN when there is no
corresponding Layer 2 forwarding entry.
1. According to Figure 6-34, create a VLAN on the switches and add interfaces to the VLAN.
2. Enable MLD snooping globally and in a VLAN on all the switches.
3. Configure SwitchA closest to the multicast source as the MLD snooping querier.
4. Enable all the switches to discard unknown multicast packets.
Procedure
[SwitchA] vlan 10
[SwitchA] mld-snooping enable
[SwitchA] vlan 10
[SwitchA-vlan10] mld-snooping enable
Step 3 Configure MLD snooping querier.

# Configure SwitchA as the querier.
[SwitchA] vlan 10
[SwitchA-vlan10] mld-snooping querier enable
Step 4 Configure the switches to discard unknown multicast packets.

[SwitchA] vlan 10
[SwitchA-vlan10] multicast drop-unknown

# After the MLD snooping querier is started, all devices except the querier can receive MLD
General Query messages. You can use the following command to check MLD packet statistics.
For example, you can check statistics of received MLD packets on SwitchB.
<SwitchB> display mld-snooping statistics vlan 10
MLD Snooping Packets Counter
Recv V1 Report 316
Recv V2 Report 0
Recv V1 Query 305
Recv V2 Query 0
Recv Done 2
Recv Pim Hello 85
Send Query(S=0) 1
Send Query(S!=0)0
Send General Query 0
Send Group-Specific Query 0
Send Group-Source-Specific Query 0
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
mld-snooping enable
#
vlan 10
mld-snooping enable
mld-snooping querier enable
#
#
#
#
return

#
sysname SwitchB
#
vlan batch 10
#
mld-snooping enable
#
vlan 10

mld-snooping enable
#
#
#
#
#
return

#
sysname SwitchC
#
vlan batch 10
#
mld-snooping enable
#
vlan 10
mld-snooping enable
#
#
#
#
return

#
sysname SwitchD
#
vlan batch 10
#
mld-snooping enable
#
vlan 10
mld-snooping enable
#
#
#
return

6.15.4 Example for Configuring MLD Snooping Proxy
network. MLDv1 runs on the router. There are many receiver hosts in the network. The
administrator requires that many MLD packets exchange should not burden the router.
Figure 6-35 Networking diagram for configuring MLD snooping proxy

Source
IP/MPLS core
Router
VLAN10 GE0/0/3
GE0/0/1 GE0/0/2
Switch
… …
HostA HostG HostH HostN
Enabling MLD snooping proxy on the Switch meets the requirement.
2. Enable MLD snooping globally and in a VLAN so that users can receive multicast data.
3. Configure MLD snooping proxy to reduce packet exchange between the Switch and the
router.
Procedure
Step 1 Create a VLAN and add the interface to the VLAN.
[Switch] vlan 10



[Switch] vlan 10
# Configure the MLD snooping version to v2 to enable the device to process MLD protocol
packets of all versions.
[Switch-vlan10] mld-snooping version 2
Step 3 Enable MLD snooping proxy.

[Switch-vlan10] mld-snooping proxy
# Check MLD packet statistics on the Switch.

<Switch> display mld-snooping statistics vlan 10
MLD Snooping Packets Counter
Recv V1 Report 376
Recv V2 Report 0
Recv V1 Query 0
Recv V2 Query 0
Recv Done 2
Recv Pim Hello 0
Send Query(S=0) 1
Send Query(S!=0)0
Send General Query 398
Send Group-Specific Query 0
The command output shows that the Switch functions as the proxy and sends General Query
messages. The function of MLD snooping proxy takes effect.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10

#
mld-snooping enable
#
vlan 10
mld-snooping enable
mld-snooping version 2
mld-snooping proxy
#
#
#
#
return
6.15.5 Example for Configuring Prompt Leave for Interfaces
network. GE0/0/1 and GE0/0/2 on the Switch respectively connect to only one receiver host.
Therefore, when receiving MLD Done messages from the two interfaces, the Switchdeletes the
forwarding entries of the multicast group that the hosts leave, without waiting for the timeout
of the aging timer. This saves the bandwidth and system resources.
Figure 6-36 Networking diagram for configuring prompt leave for interfaces
Source
IP/MPLS core
Router
VLAN10
GE0/0/3
GE0/0/1 GE0/0/2
Switch
HostA HostB

Enabling MLD snooping and configuring prompt leave for interfaces on the Switch can meet
the requirements.
l Create a VLAN and add interfaces to the VLAN.
l Enable MLD snooping globally and in a VLAN.
l Enable prompt leave for interfaces in a VLAN.
Procedure
Step 1 Create VLAN 10 and add interfaces to VLAN 10.
[Switch] vlan 10
Step 2 Enable MLD snooping globally and in VLAN 10.


[Switch] vlan 10
Step 3 Configure prompt leave for interfaces in VLAN 10.

[Switch-vlan10] mld-snooping prompt-leave

# Run the display mld-snooping command on the Switch to check VLAN 10 configuration.
<Switch> display mld-snooping vlan 10
MLD Snooping Vlan Information for VLAN 10
MLD Snooping is Enabled
MLD Version is Set to default 1
MLD Query Interval is Set to default 125
MLD Max Response Interval is Set to default 10
MLD Robustness is Set to default 2
MLD Last Member Query Interval is Set to default 1
MLD Router Port Aging Interval is Set to 180s or holdtime in hello
MLD Filter Group-Policy is Set to default : Permit All
MLD Prompt Leave Enable
MLD Router Alert is Not Required
MLD Send Router Alert Enable

As shown in the preceding command output, "MLD Prompt Leave enable" indicates that the
configuration of prompt leave for interfaces in VLAN 10 is successful.
----End
Configuration Files
#
sysname Switch
#
mld-snooping enable
#
vlan batch 10
#
vlan 10
mld-snooping enable
mld-snooping prompt-leave
#
#
#
#
return
6.15.6 Example for Configuring MLD Snooping to Respond to

Network Topology Change
On an IPv6 multicast network in Figure 6-37, four switches form a ring network to improve the
network reliability. To prevent routing loops, STP runs on the four switches. HostA and HostB
need to receive multicast data from the multicast source.

Figure 6-37 Networking diagram for configuring MLD snooping to respond to Layer 2 network
topology change
Source
IP/MPLS
core
Router
GE0/0/3 VLAN10
SwitchA
GE0/0/1 GE0/0/2
GE0/0/1 MSTP GE0/0/2

GE0/0/3
SwitchC SwitchD
GE0/0/2 GE0/0/1
SwitchB
HostB
GE0/0/2 GE0/0/1
GE0/0/3
HostA
Enable MLD snooping and configure MLD snooping to respond to Layer 2 network topology
change on the Switch.
1. Configure STP on all Switches.
2. Create VLAN 10 on all Switches and add interfaces to VLAN 10.
3. Enable MLD snooping globally on all Switches and in a VLAN.
4. Enable MLD snooping of SwitchA to respond to the Layer 2 network topology change.
Procedure
Step 1 Configure STP on all Switches.
# Configure STP on SwitchA.

The configurations of other switches are similar to the configuration of SwitchA, and are not
mentioned here.
Step 2 Create VLAN 10 on all Switches and add interfaces to VLAN 10.
# Add interfaces on SwitchA to VLAN 10.
[SwitchA] vlan 10
mentioned here.
Step 3 Enable MLD snooping on all the Switches.
# Enable MLD snooping on SwitchA globally and in VLAN 10.
[SwitchA] mld-snooping enable
[SwitchA] vlan 10
[SwitchA-vlan10] mld-snooping enable
mentioned here.
Step 4 Enable MLD snooping of SwitchA to respond to the Layer 2 network topology change.
[SwitchA] mld-snooping send-query enable
[SwitchA] mld-snooping send-query source-address fe80::1

1. Check whether multicast data is forwarded correctly.
Check forwarding entries on SwitchB and SwitchD.
<SwitchB> display mld-snooping forwarding-table vlan 10
------------------------------------------------------------------------
----------------------------------------------------------------------
------------------------------------------------------------------------
Total Group(s) : 3
<SwitchD> display mld-snooping forwarding-table vlan 10
------------------------------------------------------------------------
----------------------------------------------------------------------

(*, ff16:0:0:0:0:0:0:2)GigabitEthernet0/0/2 10
------------------------------------------------------------------------
Total Group(s) : 3
The command output shows that the router port of SwitchB and SwitchD is GE0/0/2.
# Check MLD packet statistics on the SwitchA.
<SwitchA> display mld-snooping statistics
MLD Snooping Events
Counter
Recv VLAN Up Event Times
0
Recv VLAN Down Event Times
0
Recv VLAN Del Event Times
0
Recv Port Up Event Times
0
Recv Port Down Event Times
0
Recv Port Del Event Times
0
Recv Port Inc Event Times
0
Recv Port Exc Event Times
0
Recv MSTP Block Event Times
0
Recv MSTP Forward Event Times
0
Recv LINK Change Event Times
0
MLD Snooping Packets
Counter
Statistics for VLAN
10
Recv V1 Report
12
Recv V2 Report
0
Recv V1 Query
15
Recv V2 Query
0
Recv Done
0
Recv Pim Hello 3
Send Query(S=0)
0
Send Query(S!=0)
0
Send General Query
0
Send Group-Specific Query
0
The command output shows that SwitchA does not send Query messages.
2. Run the display stp brief command on all Switches to check the interfaces that are blocked
and the transmission path of multicast data.
The command output shows that GE0/0/1 of SwitchB is blocked.

<SwitchB> display stp brief

MSTID Port Role STP State
Protection
0 GigabitEthernet0/0/2 ROOT FORWARDING
NONE
0 GigabitEthernet0/0/3 DESI FORWARDING
NONE
The multicast data is forwarded to HostA over the path: SwitchA-SwitchC-SwitchB and
to HostB over the path: SwitchA-SwitchD.
3. Run the shutdown command on GE0/0/1 of SwitchC to shut down the interface so that the
topology of the STP network changes.
4. Check whether HostA and HostB can still receive multicast data after the network topology
changes.
Check forwarding entries on SwitchB and SwitchD.
<SwitchB> display mld-snooping forwarding-table vlan 10
------------------------------------------------------------------------
----------------------------------------------------------------------
------------------------------------------------------------------------
Total Group(s) : 3
<SwitchD> display mld-snooping forwarding-table vlan 10
------------------------------------------------------------------------
----------------------------------------------------------------------
------------------------------------------------------------------------
Total Group(s) : 3
The command output shows that the router port of SwitchB becomes GE0/0/1.
# Check MLD packet statistics on SwitchA.
<SwitchA> display mld-snooping statistics
MLD Snooping Events
Counter
Recv VLAN Up Event Times
0
Recv VLAN Down Event Times
0
Recv VLAN Del Event Times
0
Recv Port Up Event Times
0
Recv Port Down Event Times
1
Recv Port Del Event Times
0
Recv Port Inc Event Times
1

Recv Port Exc Event Times

2
Recv MSTP Block Event Times
0
Recv MSTP Forward Event Times
1
Recv LINK Change Event Times
70
MLD Snooping Packets
Counter
Statistics for VLAN
10
Recv V1 Report
18
Recv V2 Report
0
Recv V1 Query
15
Recv V2 Query
0
Recv Done
0
Recv Pim Hello
38
Send Query(S=0)
8
Send Query(S!=0)
0
Send General Query
0
Send Group-Specific Query
0
The command output indicates that SwitchA has sent Query messages with source address
0.
----End
Configuration Files
#
sysname SwitchA
#
mld-snooping enable
mld-snooping send-query enable
mld-snooping send-query source-address fe80:0:0:0:0:0:0:1
#
vlan batch 10
#
stp enable
#
vlan 10
mld-snooping enable
#
#
#


#
return

#
sysname SwitchB
#
mld-snooping enable
#
vlan batch 10
#
stp enable
#
vlan 10
mld-snooping enable
#
#
#
#
return

#
sysname SwitchC
#
mld-snooping enable
#
vlan batch 10
#
stp enable
#
vlan 10
mld-snooping enable
#
#
#
return

#
sysname SwitchD
#
mld-snooping enable
#
vlan batch 10
#
stp enable
#
vlan 10
mld-snooping enable
#


#
#
#
return

Typical Configuration Examples 7 QoS
7 QoS
About This Chapter
Quality of service (QoS) defines a service provider's ability to meet the level of service required
by a customers' traffic. The QoS-enabled device controls enterprise network traffic, implements
congestion congestion and congestion avoidance, reduces the packet loss ratio, and provides
dedicated bandwidth for enterprise users or differentiated services.
7.1 Priority Mapping Configuration on the S5300HI, S5306, S5310EI, and S6300
This chapter provides priority mapping configuration method, configuration examples, and
common configuration errors.
7.2 Priority Mapping Configuration on S2350, S5300SI, S5300EI, and S5300LI

7.3 Traffic Policing and Traffic Shaping Configurations

This document describes basic concepts of traffic policing and traffic shaping, and configuration
methods of traffic policing based on a traffic classifier and traffic shaping, and provides
7.4 Congestion Avoidance and Congestion Management Configuration

This chapter describes basic concepts of congestion avoidance and congestion management, and
provides configuration methods and configuration examples of congestion avoidance and
congestion management.
7.5 MQC Configuration

Modular QoS Command-Line Interface (MQC) allows the device to classify traffic based on
rules and associate traffic of the same type with an action so that the device can provide
differentiated services.

7.1 Priority Mapping Configuration on the S5300HI, S5306,

S5310EI, and S6300
7.1.1 Example for Configuring Priority Mapping

The S5300HI is used as an example. After priority mapping is configured, the Switch maps
802.1p priorities of packets to different CoS so that it can provide differentiated services.
As shown in Figure 7-1, GE0/0/3 on the Switch connects to the router. Department 1 and 2
access the Internet through the Switch and router. Department 1 belongs to VLAN 100 and
Department 2 belongs to VLAN 200.
Department 1 requires better QoS guarantee. 802.1p priorities of packets from Departmentes 1
and 2 are both 0. A DiffServ domain needs to be defined to map priorities of packets from
Departmentes 1 and 2 to 4 and 2 respectively so that differentiated services are provided.
Figure 7-1 Networking diagram of priority mapping
Core Network
Router VLAN 300
GE0/0/3
GE0/0/1 GE0/0/2
VLAN 100 Switch VLAN 200
Department 1 Department 2

1. Create VLANs and configure interfaces so that Department 1 and 2 can connect to the
Internet through the Switch.
2. Create DiffServ domains, and map 802.1p priorities to PHBs and colors.
3. Bind DiffServ domains to GE0/0/1 and GE0/0/2 on the Switch respectively.
Procedure
Step 1 Create VLANs and configure interfaces.

[Switch] vlan batch 100 200 300
# Configure GE0/0/1, GE0/0/2, and GE0/0/3 as trunk interfaces, add GE0/0/1 and GE0/0/2 to
VLAN 100 and VLAN 200, and add GE0/0/3 to VLAN 100, VLAN 200, and VLAN 300.
[Switch-GigabitEthernet0/0/3] port trunk allow-pass vlan 100 200 300
# Create VLANIF 300 and set its IP address to 192.168.1.1/24.

NOTE
# On the router, set the IP address of the interface connecting the router and the Switch to 192.168.1.2/24.
Step 2 Create and configure DiffServ domains.
# Create DiffServ domains ds1 and ds2 on the Switch and map 802.1p priorities of packets from
Departmentes 1 and 2 to different CoS.
[Switch] diffserv domain ds1

[Switch-dsdomain-ds1] 8021p-inbound 0 phb af4 green
[Switch-dsdomain-ds1] quit
[Switch-dsdomain-ds2] 8021p-inbound 0 phb af2 green
Step 3 Bind DiffServ domains to interfaces.
# Bind DiffServ domains ds1 and ds2 to interfaces GE0/0/1 and GE0/0/2 respectively.
[Switch-GigabitEthernet0/0/1] trust upstream ds1


----End
Configuration Files
#
sysname Switch
#
#
diffserv domain ds1
8021p-inbound 0 phb af4 green
#
diffserv domain ds2
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
trust upstream ds1
#
trust upstream ds2
#
port trunk allow-pass vlan 100 200 300
#
return
7.2 Priority Mapping Configuration on S2350, S5300SI,

S5300EI, and S5300LI
7.2.1 Example for Configuring Priority Mapping

The S5300EI is used as an example. After priority mapping is configured, the Switch maps
DSCP priorities of packets to new DSCP priorities so that it can provide differentiated services.
As shown in Figure 7-2, SwitchA and SwitchB are connected to the router, and enterprise
branches 1 and 2 can access the network through LSW1 and LSW2. Enterprise branch 1 requires
better QoS guarantee, so DSCP priorities of data packets from enterprise branches 1 and 2 are
mapped to 45 and 30 respectively. The Switch trusts DSCP priorities of packets. When
congestion occurs, the Switch first processes packets of higher DSCP priority.

Figure 7-2 Networking diagram of priority mapping
Core Network
Router
SwitchA SwitchB
GE0/0/2 GE0/0/2
GE0/0/1 GE0/0/1
LSW1 LSW2
Enterprise Enterprise
Branches 1 Branches 2
VLAN 100 VLAN 200
1. Create VLANs and configure interfaces so that the enterprise can access the network.
2. Configure priority mapping to map DSCP priorities of data packets from enterprise
branches 1 and 2 to 45 and 30 respectively.
Procedure
# Create VLAN 100.
# Set the link type of GE 0/0/1 and GE 0/0/2 to trunk and add them to VLAN 100.
# Configure interfaces to trust DSCP priorities of packets.

[SwitchA-GigabitEthernet0/0/1] trust dscp

[SwitchA-GigabitEthernet0/0/2] trust dscp
# Configure priority mapping.

[SwitchA] qos map-table dscp-dscp
[SwitchA-dscp-dscp] input 0 to 63 output 45

# Create VLAN 200.
[SwitchB] vlan batch 200
# Set the link type of GE 0/0/1 and GE 0/0/2 to trunk and add them to VLAN 200.
# Configure interfaces to trust DSCP priorities of packets.

[SwitchB-GigabitEthernet0/0/1] trust dscp
[SwitchB-GigabitEthernet0/0/2] trust dscp
# Configure priority mapping.

[SwitchB] qos map-table dscp-dscp
[SwitchB-dscp-dscp] input 0 to 63 output 30

# View priority mapping information on SwitchA.
[SwitchA] display qos map-table dscp-dscp
Input DSCP DSCP
------------------------
0 45
1 45
2 45
3 45
4 45
......
63 45
# View the interface configuration on SwitchA.

[SwitchA-GigabitEthernet0/0/1] display this
#
trust dscp
#

return
#
trust dscp
#
return
# View priority mapping information on SwitchB.

[SwitchB] display qos map-table dscp-dscp
Input DSCP DSCP
------------------------
0 30
1 30
2 30
3 30
4 30
......
63 30
# View the interface configuration on SwitchB.

[SwitchB-GigabitEthernet0/0/1] display this
#
trust dscp
#
return
[SwitchB-GigabitEthernet0/0/2] display this
#
trust dscp
#
return
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
trust dscp
#
trust dscp
#

qos map-table dscp-dscp

input 0 to 44 output 45
#
return

#
sysname SwitchB
#
vlan batch 200
#
trust dscp
#
trust dscp
#
qos map-table dscp-dscp
#
return
7.3 Traffic Policing and Traffic Shaping Configurations

This document describes basic concepts of traffic policing and traffic shaping, and configuration
methods of traffic policing based on a traffic classifier and traffic shaping, and provides
7.3.1 Example for Configuring Interface-based Traffic Policing
As shown in Figure 7-3, the Switch is connected to a router through GE0/0/3; the enterprise
branches Branch 1 and Branch 2 are connected to the Switch through GE0/0/1 and GE0/0/2 and
access the network through the Switch and router.
Branch 1 and Branch 2 require the guaranteed inbound bandwidth of 8 Mbit/s and 5 Mbit/s
respectively.

Figure 7-3 Networking diagram of interface-based traffic policing
Network
Router
GE0/0/3
GE0/0/1 GE0/0/2
Switch
LSW1 LSW2
Branch 1 of Branch 2 of
the enterprise the enterprise
1. Configure interfaces of the Switch so that users can access the network.
2. Configure traffic policing for incoming traffic on GE0/0/1 and GE0/0/2 of the Switch.
Procedure
Step 1 Create VLANs and configure interfaces on the Switch.
# Configure GE0/0/1, GE0/0/2, and GE0/0/3 as trunk interfaces, and configure GE0/0/1 to allow
VLAN 100, GE0/0/2 to allow VLAN 200, and GE0/0/3 to allow VLAN 100, VLAN 200, and
VLAN 300.


# Create VLANIF 300 and set its IP address to 192.168.1.1/24.

NOTE
# Set the IP address of the router interface connected to the Switch to 192.168.1.2/24.
Step 2 Configure interface-based traffic policing.
# Configure traffic policing for incoming traffic on GE0/0/1, and set the guaranteed bandwidth
to 8192 kbit/s.
[Switch-GigabitEthernet0/0/1] qos lr inbound cir 8192
# Configure traffic policing for incoming traffic on GE0/0/2, and set the guaranteed bandwidth
to 5120 kbit/s.
[Switch-GigabitEthernet0/0/2] qos lr inbound cir 5120
# View the traffic policing configuration.

[Switch] display qos lr inbound interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 lr inbound:
cir: 8192 Kbps, cbs: 1024000 Byte
[Switch] display qos lr inbound interface gigabitethernet 0/0/2
GigabitEthernet0/0/2 lr inbound:
cir: 5120 Kbps, cbs: 640000 Byte
----End
Configuration Files
#
sysname Switch
#
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
qos lr inbound cir 8192 cbs 1024000
#
qos lr inbound cir 5120 cbs 640000
#

#
return
7.3.2 Example for Configuring Flow-based Traffic Policing
The Switch is connected to the router by using GE0/0/2; enterprise users can access the network
by using the Switch and the router. In Table 7-1:
l Voice services belong to VLAN 120.

l Video services belong to VLAN 110.
l Data services belong to VLAN 100.
On the Switch, traffic policing needs to be performed on packets of different services to limit
traffic within a proper range and ensure bandwidth of each service.
Voice, video, and data services have QoS requirements in descending order of priority. The
Switch needs to re-mark DSCP priorities in different service packets so that the downstream
router processes them based on priorities, ensuring QoS of different services.
Table 7-1 describes QoS required by different services.
Table 7-1 QoS provided by the Switch for upstream traffic
Traffic Type CIR (kbit/s) PIR (kbit/s) DSCP Priority
Voice 2000 10000 46
Video 4000 10000 30
Data 4000 10000 14
Figure 7-4 Network of flow-based traffic policing
Phone
VLAN 120
VLAN 100 GE0/0/1 GE0/0/2

Enterprise Network
PC
LSW Switch Router
VLAN 110
TV

1. Create VLANs and configure interfaces so that enterprise can access the network through
the Switch.
2. Create traffic classifiers based on VLAN IDs on the Switch.
3. Create traffic behaviors on the Switch to limit the traffic received from the enterprise and
re-mark DSCP priorities of packets.
4. Create a traffic policy on the Switch, bind traffic behaviors to traffic classifiers in the traffic
policy, and apply the traffic policy to the interface between the enterprise and the Switch.
Procedure
# Configure GE0/0/1 and GE0/0/2 as trunk interfaces, and add GE0/0/1 and GE0/0/2 to VLAN
100, VLAN 110, and VLAN 120.
Step 2 Create traffic classifiers.

# Create traffic classifiers c1 to c3 on the Switch to match different service flows from the
enterprise based on VLAN IDs.
[Switch] traffic classifier c1 operator and
[Switch-classifier-c1] if-match vlan-id 120
[Switch-classifier-c1] quit
Step 3 Create traffic behaviors.

# Create traffic behaviors b1 to b3 on the Switch to limit different service flows and re-mark
priorities.
[Switch] traffic behavior b1
[Switch-behavior-b1] car cir 2000 pir 10000 green pass
[Switch-behavior-b1] remark dscp 46
[Switch-behavior-b1] statistic enable
[Switch-behavior-b1] quit


Step 4 Create a traffic policy and apply it to an interface.

# Create a traffic policy p1 on the Switch, bind traffic classifiers to traffic behaviors in the traffic
policy, and apply the traffic policy to GE0/0/1 in the inbound direction to limit the packets
received from the user side and re-mark priorities of these packets.
[Switch] traffic policy p1
[Switch-trafficpolicy-p1] classifier c1 behavior b1
[Switch-trafficpolicy-p1] quit
[Switch-GigabitEthernet0/0/1] traffic-policy p1 inbound

# View the traffic classifier configuration.
[Switch] display traffic classifier user-defined
User Defined Classifier Information:
Classifier: c1
Operator: AND
Rule(s) : if-match vlan-id 120
Classifier: c2
Operator: AND
Classifier: c3
Operator: AND
Total classifier number is 3
# View the traffic policy configuration. Here, the configuration of the traffic policy p1 is
displayed.
[Switch] display traffic policy user-defined p1
User Defined Traffic Policy Information:
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Committed Access Rate:
CIR 2000 (Kbps), CBS 250000 (Byte)
PIR 10000 (Kbps), PBS 1250000 (Byte)
Green Action : pass
Yellow Action : pass
Red Action : discard
Marking:
Remark DSCP ef
statistic: enable
Classifier: c2
Operator: AND
Behavior: b2


PIR 10000 (Kbps), PBS 1250000 (Byte)
Green Action : pass
Marking:
Remark DSCP af33
statistic: enable
Classifier: c3
Operator: AND
Behavior: b3
PIR 10000 (Kbps), PBS 1250000 (Byte)
Green Action : pass
Marking:
Remark DSCP af13
statistic: enable
Total policy number is 1
# View the configuration of the traffic policy applied to an interface. Here, the configuration of
the traffic policy applied to GE0/0/1 is displayed.
[Switch] display traffic policy statistics interface gigabitethernet 0/0/1
inbound
Interface: GigabitEthernet0/0/1
Traffic policy inbound: p1
Rule number: 3
Current status: OK!
Statistics interval: 300
---------------------------------------------------------------------
Board : 0
---------------------------------------------------------------------
Matched | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes:
0
---------------------------------------------------------------------
Car | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
----End
Configuration Files

#
sysname Switch
#
#
traffic classifier c1 operator and
if-match vlan-id 120
#
traffic behavior b1
car cir 2000 pir 10000 cbs 250000 pbs 1250000 green pass yellow pass red
discard
remark dscp ef
statistic enable
traffic behavior b2
discard
remark dscp af33
statistic enable
traffic behavior b3
discard
remark dscp af13
statistic enable
#
traffic policy p1
classifier c1 behavior b1
#
traffic-policy p1 inbound
#
#
return
7.3.3 Example for Configuring Hierarchical Traffic Policing on the

S5300HI, S5306, and S5310EI
The Switch is connected to the router through GE 0/0/2; enterprise users can access the network
through the Switch and the router. In Figure 7-5:
l Voice services belong to VLAN 120.
l Video services belong to VLAN 110.
l Data services belong to VLAN 100.
On the Switch, traffic policing needs to be performed on packets of different services to limit
traffic within a proper range and ensure bandwidth of each service.
Voice, video, and data services have QoS requirements in descending order of priority. The
Switch needs to re-mark DSCP priorities in different service packets so that the downstream
router processes them based on priorities, ensuring QoS of different services.

Table 7-2 describes QoS required by different services.
Table 7-2 QoS provided by the Switch for upstream traffic
Traffic Type CIR (kbit/s) PIR (kbit/s) DSCP Priority
Voice 2000 10000 46
Video 4000 10000 30
Data 4000 10000 14
To ensure services of other users, limit the bandwidth of three services within 9000 kbit/s on
GE0/0/1.
Figure 7-5 Networking of hierarchical traffic policing
Phone
VLAN 120
VLAN 100 GE0/0/1 GE0/0/2

Enterprise Network
PC
LSW Switch Router
VLAN 110
TV
1. Create VLANs and configure interfaces so that enterprise can access the network through
the Switch.
2. Configure a CAR profile.
3. Create traffic classifiers based on VLAN IDs on the Switch.
4. Create traffic behaviors on the Switch to limit the traffic received from the enterprise and
re-mark DSCP priorities of packets.
5. Create a traffic policy on the Switch, bind traffic behaviors to traffic classifiers in the traffic
policy, and apply the traffic policy to the interface between the enterprise and the Switch.
Procedure

# Configure GE 0/0/1 and GE 0/0/2 as trunk interfaces, and add GE0/0/1 and GE 0/0/2 to VLAN
100, VLAN 110, and VLAN 120.
Step 2 Configure a CAR profile.

[Switch] qos car car1 cir 9000
Step 3 Create traffic classifiers.
# Create traffic classifiers c1 to c3 on the Switch to match different service flows from the
enterprise based on VLAN IDs.
Step 4 Create traffic behaviors.
# Create traffic behaviors b1 to b3 on the Switch to limit different service flows and re-mark
priorities.
[Switch-behavior-b1] car car1 share
Step 5 Create a traffic policy and apply it to an interface.
# Create a traffic policy p1 on the Switch, bind traffic classifiers to traffic behaviors in the traffic
policy, and apply the traffic policy to GE 0/0/1 in the inbound direction to limit the packets
received from the user side and re-mark priorities of these packets.



[Switch] display traffic classifier user-defined
Classifier: c2
Operator: AND
Classifier: c3
Operator: AND
Classifier: c1
Operator: AND
# View the traffic policy configuration. Here, the configuration of the traffic policy p1 is
displayed.
[Switch] display traffic policy user-defined p1
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
PIR 10000 (Kbps), PBS 1250000 (Byte)
Green Action : pass
Share car:
Car car1 share
Remark:
Remark DSCP ef
Statistic: enable
Classifier: c2
Operator: AND
Behavior: b2
PIR 10000 (Kbps), PBS 1250000 (Byte)
Green Action : pass
Share
car:
Car car1 share
Remark:
Remark DSCP af33
Statistic: enable
Classifier: c3
Operator: AND
Behavior: b3


PIR 10000 (Kbps), PBS 1250000 (Byte)
Green Action : pass
Share car:
Car car1 share
Remark:
Remark DSCP af13
Statistic: enable
# View the configuration of the traffic policy applied to an interface. Here, the configuration of
the traffic policy applied to GE0/0/1 is displayed.
[Switch] display traffic policy statistics interface gigabitethernet 0/0/1 inbound
Rule number: 3
Current status: OK!
Statistics interval:
300
---------------------------------------------------------------------
Board : 0
---------------------------------------------------------------------
Matched | Packets:
0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Passed | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Dropped | Packets: 0
| Bytes: 0
| Rate(pps): 0
| Rate(bps): 0
---------------------------------------------------------------------
Filter | Packets: 0
| Bytes: 0
---------------------------------------------------------------------
Car | Packets:
0
| Bytes: 0
---------------------------------------------------------------------
----End
Configuration Files
#
sysname Switch
#
#
qos car car1 cir 9000 cbs 1692000
#


#
traffic behavior b1
discard
car car1 share
remark dscp ef
statistic enable
traffic behavior b2
discard
car car1 share
remark dscp af33
statistic enable
traffic behavior b3
discard
car car1 share
remark dscp af13
statistic enable
#
traffic policy p1
#
#
#
return
7.3.4 Example for Configuring Traffic Shaping on the S2350,

S5300SI, S5300LI, and S5300EI
The Switch is connected to GE0/0/2 and the router; the 802.1p priorities of voice, video, and
data services from the Internet are 6, 5, and 2 respectively, and these services can reach users
through the router and Switch, as shown in Figure 7-6. The rate of the traffic from the network
side is greater than the rate of the LSW interface; therefore, a jitter may occur in the outbound
direction of GE0/0/1. To reduce the jitter and ensure the bandwidth of various services, the
requirements are as follows:
l The CIR on the interface is 10000 kbit/s.

l The CIR and PIR for the voice service are 3000 kbit/s and 5000 kbit/s respectively.
l The CIR and PIR for the video service are 5000 kbit/s and 8000 kbit/s respectively.
l The CIR and PIR for the data service are 2000 kbit/s and 3000 kbit/s respectively.

Figure 7-6 Networking diagram for configuring traffic shaping
Phone
802.1p=6
Residential GE0/0/1 GE0/0/2

802.1p=2 network Network
PC LSW Switch Router
802.1p=5
TV
1. Create VLANs and configure each interface so that the residential user can access the
network through the Switch.
2. Configure interfaces to trust 802.1p priorities of packets.
3. Configure traffic shaping on an interface to limit the bandwidth of the interface.
4. Configure traffic shaping in an interface queue to limit the CIRs of voice, video, and data
services.
Procedure
# Create VLAN 10.

# Configure the type of GE0/0/1 and GE0/0/2 as trunk, and then add GE0/0/1 and GE0/0/2 to
VLAN 10.
# Create VLANIF 10 and assign network segment address 10.10.10.1/24 to VLANIF 10.
[Switch-Vlanif10] ip address 10.10.10.1 255.255.255.0

NOTE
Assign IP address 10.10.10.2/24 to the interface connecting the router and Switch.
Step 2 Configure the interface to trust packets.
# Configure the interface to trust 802.1p priorities of packets.

[Switch-GigabitEthernet0/0/2] trust 8021p
Step 3 Configure traffic shaping on an interface.
# Configure traffic shaping on an interface of the Switch and set the CIR to 10000 kbit/s.
[Switch-GigabitEthernet0/0/1] qos lr outbound cir 10000
Step 4 Configure traffic shaping in an interface queue.
# Configure traffic shaping in the interface queues on the Switch, and then set the CIR and PIR
of the voice service to 3000 kbit/s and 5000 kbit/s, the CIR and PIR of the video service to 5000
kbit/s and 8000 kbit/s, and the CIR and PIR of the data service to 2000 kbit/s and 3000 kbit/s.
[Switch-GigabitEthernet0/0/1] qos queue 6 shaping cir 3000 pir 5000
# If the configuration succeeds, the committed bandwidth for the packets transmitted by GE0/0/1
is 10000 kbit/s; the transmission rate of the voice service ranges from 3000 kbit/s to 5000 kbit/
s; the transmission rate of the video service ranges from 5000 kbit/s to 8000 kbit/s; the
transmission rate of the data service ranges from 2000 kbit/s to 3000 kbit/s.
----End
Configuration Files
#
sysname Switch
#
vlan batch 10
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
qos lr outbound cir 10000 cbs 1250000
qos queue 2 shaping cir 2000 pir 3000
#
trust 8021p

#
return
7.4 Congestion Avoidance and Congestion Management

Configuration
This chapter describes basic concepts of congestion avoidance and congestion management, and
provides configuration methods and configuration examples of congestion avoidance and
congestion management.
7.4.1 Example for Configuring Congestion Management on the

S2350, S5300SI, and S5300LI
As shown in Figure 7-7, The Switch is connected to the router through GE 0/0/3. The 802.1p
priorities of voice, video, and data services from the Internet are 7, 5, and 2, and these services
can reach users through the router and Switch. To reduce the impact of network congestion and
ensure bandwidth for high-priority and low-delay services, you need to set the related parameters
according to the following table.
Table 7-3 Congestion management parameters
Service Type CoS WRR
Voice CS7 0
Video EF 20
Data AF2 10

Figure 7-7 Networking diagram for configuring congestion management
Network
Router
GE0/0/3
GE0/0/1 GE0/0/2
Switch
PC TV
802.1p=2 LSW LSW 802.1p=5
802.1p=5 802.1p=7 802.1p=2 802.1p=7
TV Phone PC Phone
1. Configure the VLAN for each interface so that devices can communicate with each other
at the link layer.
3. Configure the scheduling template and apply the scheduling template to the interface.
Procedure
Step 1 Configure the VLAN for each interface so that devices can communicate with each other at the
link layer.


Step 2 Configure interfaces to trust 802.1p priorities of packets.

Step 3 Configure congestion management.
# Create a scheduling template and set queue scheduling parameters.

[Switch] qos schedule-profile p1
[Switch-qos-schedule-profile-p1] qos wrr
[Switch-qos-schedule-profile-p1] qos queue 7 wrr weight 0
[Switch-qos-schedule-profile-p1] quit
# Apply the scheduling template to GE 0/0/1 and GE 0/0/2 of the Switch.

[Switch-GigabitEthernet0/0/1] qos schedule-profile p1
[Switch-GigabitEthernet0/0/2] qos schedule-profile p1
# View the scheduling template and queue scheduling parameters.

[Switch] qos schedule-profile p1
[Switch-qos-schedule-profile-p1] display this
#
qos schedule-profile p1
qos queue 2 wrr weight 10
----End
Configuration Files
#
sysname Switch
#
vlan batch 10 20 30
#
#
#
trust 8021p
#


#
return
7.4.2 Example for Configuring Congestion Avoidance and

Congestion Management on the S5300EI
As shown in Figure 7-8, The Switch is connected to the router through GE 0/0/3 and the 802.1p
priorities of voice, video, and data services from the Internet are 7, 5, and 2, and these services
can reach users through the router and Switch. To reduce the impact of network congestion and
ensure bandwidth for high-priority and low-delay services, you need to set the related parameters
according to the following table.
Table 7-4 Congestion avoidance parameters
Service Type Color Lower Threshold Drop Probability
Voice Yellow 1000 0.78125%
Red 500 6.25%
Video Yellow 1000 0.78125%
Red 500 6.25%
Data Yellow 1000 0.78125%
Red 500 6.25%
Service Type CoS WRR
Voice CS7 0
Video EF 20
Data AF2 10

Figure 7-8 Networking diagram for configuring congestion avoidance and congestion
management
Network
Router
GE0/0/3
GE0/0/1 GE0/0/2
Switch
PC TV
802.1p=2 LSW 802.1p=5
LSW
802.1p=5 802.1p=7 802.1p=2 802.1p=7
TV Phone PC Phone
1. Configure the VLAN for each interface so that devices can communicate with each other.
3. Set scheduling parameters of queues.
4. Set the drop threshold and drop probability of queues.
Procedure
Step 1 Configure the VLAN for each interface so that devices can communicate with each other.


Step 2 Configure interfaces to trust 802.1p priorities of packets.

Step 3 Configure congestion avoidance.
# Set the drop threshold and drop probability of queues.

[Switch] qos sred queue 2 red 500 discard-probability 1 yellow 1000 discard-
probability 4
probability 4
probability 4
# Set the scheduling mode of each queue on GE0/0/1 and GE0/0/2 on the Switch.
[Switch-GigabitEthernet0/0/1] qos wrr
[Switch-GigabitEthernet0/0/1] qos queue 7 wrr weight 0
[Switch-GigabitEthernet0/0/2] qos wrr
# View the global SRED configuration of the interface queue in the outbound direction.
[Switch] display qos sred
Current sred configuration:
qos sred queue-index 2 red 500 discard-probability 1 yellow 1000 discard-
probability 4
probability 4
probability 4
----End
Configuration Files
#
sysname Switch
#
vlan batch 10 20 30
#
qos sred queue 2 red 500 discard-probability 1 yellow 1000 discard-probability
4
4
4
#

#
#
trust 8021p
#
return
7.4.3 Example for Configuring Congestion Avoidance and

Congestion Management on the S5300HI, S5306, and S6300
The Switch is connected to the router through GE 0/0/3; the 802.1p priorities of voice, video,
and data services on the Internet are 6, 5, and 2 respectively, and these services can reach users
through the router and Switch, as shown in Figure 7-9. The rate of incoming interface GE
0/0/3 on the Switch is greater than the rates of outgoing interfaces GE 0/0/1 and GE 0/0/2;
therefore, congestion may occur on these two outgoing interfaces.
To reduce the impact of network congestion and ensure bandwidth for high-priority and delay-
sensitive services, set the related parameters according to Table 7-6 and Table 7-7.
Table 7-6 Congestion avoidance parameters
Types of Color Lower Upper Drop Percent

Services Threshold (%) Threshold (%)
Voice Green 80 100 10
Video Yellow 60 80 20
Data Red 40 60 40
Type of Services CoS DRR
Voice EF 0
Video AF3 100
Data AF1 50

Figure 7-9 Networking diagram for configuring congestion avoidance and congestion
management
Network
Router
GE0/0/3
GE0/0/1 GE0/0/2
Switch
802.1p
=2 802.1p PC
PC
=2
Individual
Individual
user n
user 1
802.1p
802.1p 802.1p 802.1p
=5
=5 =6 =6
TV Phone TV Phone
1. Configure the VLAN for each interface so that devices can communicate with each other.
2. Create and configure a DiffServ domain on the Switch, map packets of 802.1p priorities to
PHBs and colors of packets, and bind the DiffServ domain to an incoming interface on the
Switch.
3. Create a WRED drop profile on the Switch and apply the WRED drop profile on an outgoing
interface.
4. Set scheduling parameters of queues of different CoS on outgoing interfaces of the
Switch.
Procedure
Step 1 Configure the VLAN for each interface so that the devices can communicate with each other.


Step 2 Configure priority mapping based on simple traffic classification.
# Create DiffServ domain ds1, map packets of 802.1p priorities being 6, 5, and 2 to PHBs EF,
AF3, and AF1, and color packets as green, yellow, and red.
[Switch-dsdomain-ds1] 8021p-inbound 6 phb ef green
[Switch-dsdomain-ds1] 8021p-inbound 5 phb af3 yellow
[Switch-dsdomain-ds1] 8021p-inbound 2 phb af1 red
# Bind incoming interface GE 0/0/3 on the Switch to DiffServ domain ds1.

[Switch-GigabitEthernet0/0/3] trust 8021p inner
Step 3 Configure congestion avoidance.
# Create drop profile wred1 on the Switch and set parameters of packets of three colors.
[Switch] drop-profile wred1
[Switch-drop-wred1] color green low-limit 80 high-limit 100 discard-percentage 10
[Switch-drop-wred1] color yellow low-limit 60 high-limit 80 discard-percentage 20
[Switch-drop-wred1] color red low-limit 40 high-limit 60 discard-percentage 40
[Switch-drop-wred1] quit
# Apply drop profile wred1 on outgoing interfaces GE 0/0/1 and GE 0/0/2 of the Switch.
[Switch-GigabitEthernet0/0/1] qos wred wred1
[Switch-GigabitEthernet0/0/1] qos queue 5 wred wred1
[Switch-GigabitEthernet0/0/2] qos wred wred1
# Set scheduling parameters of queues of different CoS on outgoing interfaces GE 0/0/1 and GE
0/0/2 of the Switch.
[Switch-GigabitEthernet0/0/1] qos drr
[Switch-GigabitEthernet0/0/1] qos queue 5 drr weight 0
[Switch-GigabitEthernet0/0/2] qos drr


[Switch] quit

# Check the configuration of DiffServ domain ds1.
[Switch] display diffserv domain name ds1
diffserv domain name:ds1
8021p-inbound 0 phb be green
8021p-inbound 2 phb af1 red
8021p-inbound 5 phb af3 yellow
8021p-inbound 6 phb ef green
8021p-inbound 7 phb cs7 green
8021p-outbound be green map 0
......
# Check the configuration of drop profile wred1.

[Switch] display drop-profile name wred1
Drop-profile[3]: wred1
Color Low-limit High-limit Discard-percentage
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Green 80 100 10
Yellow 60 80 20
Red 40 60 40
Non-tcp 100 100 100
-----------------------------------------------------------------
----End
Configuration Files
#
sysname Switch
#
vlan batch 2 5 to 6
#
diffserv domain ds1
8021p-inbound 2 phb af1 red
8021p-inbound 5 phb af3 yellow
8021p-inbound 6 phb ef green
#
drop-profile wred1
color green low-limit 80 high-limit 100 discard-percentage 10
color yellow low-limit 60 high-limit 80 discard-percentage 20
color red low-limit 40 high-limit 60 discard-percentage 40
#
port trunk allow-pass vlan 2 5 to 6
qos drr
qos queue 1 drr weight 50
qos wred wred1
qos queue 1 wred wred1
#

qos drr
qos wred wred1
#
trust upstream ds1
trust 8021p inner
#
return
7.5 MQC Configuration

Modular QoS Command-Line Interface (MQC) allows the device to classify traffic based on
rules and associate traffic of the same type with an action so that the device can provide
differentiated services.
7.5.1 Example for Configuring Traffic Statistics
As shown in Figure 7-10, the MAC address of PC1 is 0000-0000-0003 and PC1 is connected
to GE0/0/1 of the Switch through the switch. The Switch is required to collect statistics on
packets with the source MAC address 0000-0000-0003.
Figure 7-10 Networking for configuring traffic statistics
GE0/0/1 GE0/0/2 Core

Network
20.1.20.1/24
PC1 Switch Router
MAC:0000-0000-0003
You can define the traffic statistics action in a traffic policy. The configuration roadmap is as
follows:
1. Configure interfaces to that the Switch can connect to the router and PC1.
2. Configure an ACL to match packets with the source MAC address 0000-0000-0003.
3. Configure a traffic classifier and reference the ACL in the traffic classifier.
4. Configure a traffic behavior so that the Switch collects statistics on packets matching rules.

5. Configure a traffic policy, bind the traffic policy to the traffic classifier and traffic behavior,
and apply the traffic policy to GE0/0/1 so that the Switch collects statistics on packets with
the source MAC address 0000-0000-0003.
Procedure
# Create VLAN 20 on the Switch.

[Switch] vlan 20
# Configure GE0/0/1 as a access interface and GE0/0/2 as a trunk interface, and add GE0/0/1
and GE0/0/2 to VLAN 20.
# Create VLANIF 20 and configure IP address 20.1.20.2/24 for it.

NOTE
Configure IP address 20.1.20.1/24 for the router interface connected to the Switch.
# Create ACL 4000 (Layer 2 ACL) on the Switch to match packets with the source MAC address
0000-0000-0003.
[Switch] acl 4000
[Switch-acl-L2-4000] rule permit source-mac 0000-0000-0003 ffff-ffff-ffff
[Switch-acl-L2-4000] quit
Step 3 Configure a traffic classifier.
# Create a traffic classifier c1 on the Switch and bind it to ACL 4000.

[Switch-classifier-c1] if-match acl 4000
Step 4 Configure a traffic behavior.
# Create a traffic behavior b1 on the Switch and configure the traffic statistics action in the traffic
behavior.
Step 5 Configure a traffic policy and apply the traffic policy to interfaces.

# Create a traffic policy p1 on the Switch and bind the traffic policy to the traffic classifier and
traffic behavior.
# Apply the traffic policy p1 to GE0/0/1.

# View the ACL configuration.

<Switch> display acl 4000
L2 ACL 4000, 1 rule
Acl's step is 5
rule 5 permit source-mac 0000-0000-0003

<Switch> display traffic classifier user-defined
Classifier: c1
Operator: AND
Rule(s) : if-match acl 4000
# View the traffic policy configuration.

<Switch> display traffic policy user-defined p1
Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
statistic: enable
# View the traffic statistics.

<Switch> display traffic policy statistics interface gigabitethernet 0/0/1 inbound
Interface:
Rule number: 1
Current status: OK!
---------------------------------------------------------------------
Board : 0
Item Packets Bytes
---------------------------------------------------------------------
Matched 0 -
+--Passed 0 -
+--Dropped 0 -
+--Filter 0 -
+--URPF - -
+--CAR 0 -
----End

Configuration Files
#
sysname Switch
#
vlan batch 20
#
acl number 4000
rule 5 permit source-mac 0000-0000-0003
#
if-match acl 4000
#
traffic behavior b1
statistic enable
#
traffic policy p1
#
interface Vlanif20
ip address 20.1.20.2 255.255.255.0
#
port link-type
access
traffic-policy p1
inbound
#
port link-type
trunk
20
#
return
7.5.2 Example for Configuring Priority Re-marking Based on

Complex Traffic Classification
As shown in Figure 7-11, Department 1 and Department 2 connect to external network devices
through the Switch. Department 1 belongs to VLAN 100 and Department 2 belongs to VLAN
200. The enterprise requires that QoS guarantee be ensured for data packets from Department
1 so that differentiated services are provided.

Figure 7-11 Networking of the priority re-marking based on complex traffic classification
Core Network
Router
GE0/0/3
GE0/0/1 GE0/0/2
Switch
VLAN100 VLAN200
Department 1 Department 2
802.1p priorities are re-marked to implement differentiated services. The configuration roadmap
is as follows:
1. Create VLANs and configure interfaces on the Switch so that enterprise Departmentes can
access the network through the Switch.
2. Configure traffic classifiers on the Switch to classify packets based on VLAN IDs.
3. Configure traffic behaviors on the Switch to re-mark 802.1p priorities of packets from
Department 1 and Department 2 with 4 and 2 respectively so that packets from Department
1 have higher priority than packets from Department 2.
4. Configure a traffic policy on the Switch, bind the configured traffic behaviors and traffic
classifiers to the traffic policy, and apply the traffic policy to GE0/0/1 and GE0/0/2 in the
outbound direction to implement differentiated services.
Procedure
# Create VLAN 100 and VLAN 200 on the Switch.
# Configure GE0/0/1, GE0/0/2, and GE0/0/3 as trunk interfaces, and add GE0/0/1 to VLAN
100, GE0/0/2 to VLAN 200, and GE0/0/3 to VLAN 100 and VLAN 200.


Step 2 Configure traffic classifiers.

# Create and configure traffic classifiers c1 and c2 on the Switch, and classify packets from
enterprise Departmentes based on VLAN IDs.
Step 3 Configure traffic behaviors.

# Configure traffic behaviors b1 and b2 on the Switch to re-mark priorities in packets.
[Switch-behavior-b1] remark 8021p 4
[Switch-behavior-b2] remark 8021p 2
# Create a traffic policy p1 on the Switch, bind the traffic behaviors and traffic classifiers to the
traffic policy, and apply the traffic policy to GE0/0/1 and GE0/0/2 in the inbound direction to
re-mark priorities in packets.
[Switch-GigabitEthernet0/0/2] return

Classifier: c1
Operator: AND
Classifier: c2
Operator: AND


Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Remark:
Remark 8021p 4
Classifier: c2
Operator: AND
Behavior: b2
Remark:
Remark 8021p 2
----End
Configuration Files
#
sysname Switch
#
vlan batch 100 200
#
#
traffic behavior b1
remark 8021p 4
traffic behavior b2
remark 8021p 2
#
traffic policy p1
#
port link-type
trunk
100
traffic-policy p1
inbound
#
port link-type
trunk
200
traffic-policy p1
inbound
#
#
return

7.5.3 Example for Configuring PBR

As shown in Figure 7-12, enterprise users are dual-homed to external network devices through
Switch. Among the two links, one link is the low-speed link and the gateway address is
20.1.20.1/24, and the other link is the high-speed link and the gateway address is 20.1.30.1/24.
The enterprise requires that outgoing packets with IP priorities 4, 5, 6, and 7 be transmitted on
the high-speed link and outgoing packets with IP priorities 0, 1, 2, and 3 be transmitted on the
low-speed link.
Figure 7-12 PBR networking

20.1.20.1/24
GE0/0/1
Core
Switch Network
GE0/0/3
LSW GE0/0/2
Enterprise 20.1.30.1/24
Redirection is used to implement PBR so that the device can provide differentiated services. The
1. Create VLANs and configure interfaces so that the device can connect to external network
devices.
2. Configure ACL rules to match the packets with IP precedences of 4, 5, 6, and 7 and the
packets with IP precedences of 0, 1, 2, and 3.
3. Configure traffic classifiers and reference ACL rules in the traffic classifiers so that the
HUAWEI can differentiate packets.
4. Configure traffic behaviors to redirect the packets matching traffic classification rules to
20.1.20.1/24 and 20.1.30.1/24.
5. Configure a traffic policy and bind the traffic policy to the traffic classifiers and traffic
behaviors, and apply the traffic policy to GE0/0/3 in the inbound direction to implement
PBR.
Procedure
# Create VLAN 100 and VLAN 200 on the Switch.
# Configure GE0/0/1, GE0/0/2, and GE0/0/3 on the Switch as trunk interfaces and add them to
VLAN 100 and VLAN 200.


NOTE
Configure the interface of the LSW connected to Switch as a trunk interface and add it to VLAN 100 and
VLAN 200.
# Create VLANIF 100 and VLANIF 200 and configure IP addresses for them.
Step 2 Configure ACLs.
# Create advanced ACLs 3001 and 3002 on the Switch. ACL 3001 permits packets with IP
precedences of 0, 1, 2, and 3 and ACL 3002 permits packets with IP precedences of 4, 5, 6, and
7.
[Switch] acl 3001
[Switch-acl-adv-3001] rule permit ip precedence 0
[Switch-acl-adv-3001] quit
[Switch] acl 3002
[Switch-acl-adv-3002] quit
Create traffic classifiers c1 and c2 on the Switch, and bind c1 to ACL 3001 and c2 to ACL 3002.

# Create traffic behaviors b1 and b2 on the Switch that redirect traffic to 20.1.20.1/24 and
20.1.30.1/24 respectively.
[Switch-behavior-b1] redirect ip-nexthop 20.1.20.1

[Switch-behavior-b2] redirect ip-nexthop 20.1.30.1

# Create a traffic policy p1 on the Switch and bind the traffic policy to the traffic classifier and
traffic behavior.
# Apply the traffic policy p1 to GE0/0/3 in the inbound direction.


Advanced ACL 3001, 4 rules
Acl's step is 5
rule 5 permit ip precedence routine (match-counter 0)
rule 10 permit ip precedence priority (match-counter 0)
rule 15 permit ip precedence immediate (match-counter 0)
rule 20 permit ip precedence flash (match-counter 0)
Advanced ACL 3002, 4 rules
Acl's step is 5
rule 5 permit ip precedence flash-override (match-counter 0)
rule 10 permit ip precedence critical (match-counter 0)
rule 15 permit ip precedence internet (match-counter 0)
rule 20 permit ip precedence network (match-counter 0)

Classifier: c1
Operator: AND
Classifier: c2
Operator: AND
Rule(s) :if-match acl 3002

Policy: p1
Classifier: c1
Operator: AND
Behavior: b1
Redirect:
Redirect ip-nexthop (no forced)
20.1.20.1
Classifier: c2
Operator: AND
Behavior: b2

Redirect:
Redirect ip-nexthop (no forced)
20.1.30.1
----End
Configuration Files
#
sysname Switch
#
vlan batch 100 200
#
acl number 3001
rule 5 permit ip precedence routine
rule 10 permit ip precedence priority
rule 15 permit ip precedence immediate
rule 20 permit ip precedence flash
#
acl number 3002
rule 5 permit ip precedence flash-override
rule 10 permit ip precedence critical
rule 15 permit ip precedence internet
rule 20 permit ip precedence network
#
if-match acl 3001
if-match acl 3002
#
traffic behavior b1
redirect ip-nexthop 20.1.20.1
traffic behavior b2
redirect ip-nexthop 20.1.30.1
#
traffic policy p1
#
interface Vlanif100
ip address 20.1.20.2 255.255.255.0
#
interface Vlanif200
ip address 20.1.30.2 255.255.255.0
#
#
#
#
return

7.5.4 Example for Configuring Packet Filtering

As shown in Figure 7-13, enterprise users connect to external network devices through
GE0/0/2 on SwitchA.
Packets of different services are identified by 802.1p priorities on the LSW. When packets reach
the external network through GE0/0/2, it is required that data service packets be filtered and
voice and video services be ensured.
Figure 7-13 Networking for configuring packet filtering

Video
802.1p=5
Data
802.1p=2
GE0/0/1 GE0/0/2 Core
Network
Voice LSW SwitchA Router
802.1p=6
You can define the deny action in a traffic policy to filter packets. The configuration roadmap
is as follows:
1. Configure interfaces so that enterprise users can access the external network through
SwitchA.
2. Configure traffic classifiers to classify packets based on 802.1p priorities.
3. Configure traffic behaviors so that the device permits or rejects packets matching rules.
4. Configure a traffic policy, bind the traffic policy to the traffic classifiers and traffic
behaviors, and apply the traffic policy to GE0/0/1 in the inbound direction to filter packets.
Procedure
# Create VLAN 10 on the Switch.
[SwitchA] vlan 10
# Configure GE0/0/1 and GE0/0/2 on SwitchA as trunk interfaces and add them to VLAN 10.

NOTE
Configure the interface of the LSW connected to SwitchA as a trunk interface and add it to VLAN 10.

NOTE
Configure IP address 192.168.2.2/24 for the router interface connected to the Switch.
# Create and configure traffic classifiers c1, c2, and c3 on SwitchA to classify packets based on
802.1p priorities.
[SwitchA] traffic classifier c1
[SwitchA-classifier-c1] if-match 8021p 2
[SwitchA-classifier-c1] quit
# Configure the traffic behavior b1 on SwitchA and define the deny action.
[SwitchA] traffic behavior b1
[SwitchA-behavior-b1] deny
[SwitchA-behavior-b1] quit
# Configure the traffic behavior b2 and b3 on SwitchA and define the permit action.
[SwitchA-behavior-b2] permit
[SwitchA-behavior-b3] permit
Step 4 Configure a traffic policy and apply the traffic policy to an interface.
# Create a traffic policy p1 on SwitchA, bind the traffic behaviors and traffic classifiers to the
traffic policy, and apply the traffic policy to GE0/0/1 in the inbound direction to filter packets.
[SwitchA] traffic policy p1
[SwitchA-trafficpolicy-p1] classifier c1 behavior b1
[SwitchA-trafficpolicy-p1] quit
[SwitchA-GigabitEthernet0/0/1] traffic-policy p1 inbound

<SwitchA> display traffic classifier user-defined
Classifier: c1

Operator: AND
Rule(s) : if-match 8021p 2
Classifier: c2
Operator: AND
Classifier: c3
Operator: AND

<Switch> display traffic-policy applied-record p1
-------------------------------------------------
Policy Name: p1
Policy Index: 3
Classifier:c1 Behavior:b1
Classifier:c2
Behavior:b2
Classifier:c3 Behavior:b3
-------------------------------------------------
*interface
slot 0 : success
-------------------------------------------------
Policy total applied times: 1.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
if-match 8021p 2
if-match 8021p 5
if-match 8021p 6
#
traffic behavior b1
deny
traffic behavior b2
permit
traffic behavior b3
permit
#
traffic policy p1
classifier c1 behavior
b1
classifier c2 behavior
b2
#
interface
Vlanif10
ip address 192.168.2.1
255.255.255.0
#
port link-type

trunk
10
traffic-policy p1
inbound
#
port link-type
trunk
10
#
return

Typical Configuration Examples 8 Security
8 Security
About This Chapter
This document describes security features of the switch such as AAA and user management,
DHCP snooping, ARP security, IP source guard, local attack defense, traffic suppression, and
ACL from aspects of function introduction, configuration methods, maintenance, and
8.1 AAA Configuration
The AAA-capable device checks validity of users and assigns rights to authorized users to ensure
network security.
8.2 NAC Configuration
This chapter describes NAC principles and configuration methods and provides configuration
examples.
8.3 ACL Configuration
An access control list (ACL) is a set of rules that classify packets into different types. This chapter
explains how to configure an ACL on a Switch to filter packets.
8.4 DHCP Snooping Configuration
This chapter describes the principle and configuration method of DHCP snooping and provides
8.5 Local Attack Defense Configuration
Local attack defense limits the rate of packets sent to the CPU, ensuring device security and
uninterrupted services when attacks occur.
8.6 Attack Defense Configuration
Attack defense is a network security feature. Attack defense allows the device to identify various
types of network attacks and protect itself and the connected network against malicious attacks
to ensure device and network operation.
8.7 IPSG Configuration
You can configure IPSG to enable an interface to filter and control forwarded packets, preventing
invalid packets.
8.8 URPF Configuration
URPF can prevent network attacks based on source IP address spoofing.

8.9 ARP Security Configuration

This chapter describes the principle and configuration methods of ARP security and provides
8.10 MFF Configuration

This chapter provides MAC-Forced Forwarding (MFF) basics, configuration method,
configuration examples, and common configuration errors.
8.11 Traffic Suppression and Storm Control Configuration

This chapter describes basic concepts, configuration procedures and examples, and common
configuration errors.
8.12 PPPoE+ Configuration

Point-to-Point Protocol over Ethernet plus (PPPoE+), also called PPPoE Intermediate Agent,
intercepts PPPoE packets sent by the PPPoE client, adds information about the interface
connecting the PPPoE client to the PPPoE packets, and sends the packets to the PPPoE server.
In this manner, the user account and access interface information are both authenticated, which
prevents user account embezzling.
8.13 Keychain Configuration

A keychain is a widely used application that controls authentication algorithms and key-string
in a centralized way.
8.14 ND Snooping Configuration

This chapter describes the principle and configuration method of ND snooping and provides
8.15 SAVI Configurations

This chapter describes the principle and configuration methods of Source Address Validation
Improvements (SAVI) and provides configuration examples.

8.1 AAA Configuration

The AAA-capable device checks validity of users and assigns rights to authorized users to ensure
network security.
8.1.1 Example for Configuring RADIUS Authentication and

Accounting
As shown in Figure 8-1, users access the network through Switch A and belong to the domain
huawei. Switch B functions as the network access server of the destination network. Request
packets from users need to traverse the network where Switch A and Switch B are located to
reach the authentication server. Users can access the destination network through Switch B only
after being authenticated. The remote authentication on Switch B is described as follows:
l The RADIUS server will authenticate access users for SwitchB. If RADIUS authentication
fails, local authentication is used.
l The RADIUS server at 129.7.66.66/24 functions as the primary authentication and
accounting server. The RADIUS server at 129.7.66.67/24 functions as the secondary
authentication and accounting server. The default authentication port and accounting port
are 1812 and 1813.
Figure 8-1 Networking diagram of RADIUS authentication and accounting
Domain Huawei
Switch A Switch B
129.7.66.66/24
Network
129.7.66.67/24
Destination
Network

1. Configure a RADIUS server template.
2. Configure an authentication scheme and an accounting scheme.
3. Apply the RADIUS server template, authentication scheme, and accounting scheme to the
domain.
NOTE
Perform the following configurations only on Switch B.
Procedure
Step 1 Configure a RADIUS server template.
# Configure a RADIUS template shiva.
[HUAWEI] radius-server template shiva
# Configure the IP address and port numbers of the primary RADIUS authentication and
accounting server.
[HUAWEI-radius-shiva] radius-server authentication 129.7.66.66 1812 weight 80
[HUAWEI-radius-shiva] radius-server accounting 129.7.66.66 1813 weight 80
# Configure the IP address and port numbers of the secondary RADIUS authentication and
accounting server.
[HUAWEI-radius-shiva] radius-server authentication 129.7.66.67 1812 weight 40
[HUAWEI-radius-shiva] radius-server accounting 129.7.66.67 1813 weight 40
# Set the key and retransmission count for the RADIUS server, and configure the device not to
encapsulate the domain name in the user name when sending RADIUS packets to a RADIUS
server.
[HUAWEI-radius-shiva] radius-server shared-key cipher hello
[HUAWEI-radius-shiva] radius-server retransmit 2
[HUAWEI-radius-shiva] undo radius-server user-name domain-included
[HUAWEI-radius-shiva] quit
Step 2 Configure authentication and accounting schemes.

# Create an authentication scheme auth. In the authentication scheme, the system performs
RADIUS authentication first, and performs local authentication if RADIUS authentication fails.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme auth
[HUAWEI-aaa-authen-auth] authentication-mode radius local
[HUAWEI-aaa-authen-auth] quit
# Configure the accounting scheme abc that uses RADIUS accounting and the policy that the
device is kept online when accounting fails.
[HUAWEI-aaa] accounting-scheme abc
[HUAWEI-aaa-accounting-abc] accounting-mode radius
[HUAWEI-aaa-accounting-abc] accounting start-fail online
[HUAWEI-aaa-accounting-abc] quit
Step 3 Configure a domain huawei and apply authentication scheme auth, accounting scheme abc,
and RADIUS server template shiva to the domain.

[HUAWEI-aaa] domain huawei

[HUAWEI-aaa-domain-huawei] authentication-scheme auth
[HUAWEI-aaa-domain-huawei] accounting-scheme abc
[HUAWEI-aaa-domain-huawei] radius-server shiva
[HUAWEI-aaa-domain-huawei] quit
NOTE
After the domain huawei is configured, if a user enters the user name in the format of user@huawei, the device
authenticates the user in the domain huawei. If the user name does not contain the domain name or the domain
name in the user name does not exist, the device authenticates the user in the default domain.
The domain that a user belongs to depends on the RADIUS client but not the RADIUS server. After the undo
radius-server user-name domain-included command is executed on SwitchB, SwitchB sends the user name
without the domain name to the RADIUS server when receiving the user name in the format of user@huawei.
However, SwitchB places the user in the domain huawei for authentication.
Run the display radius-server configuration template command on Switch B, and you can
see that the configuration of the RADIUS server template meets the requirements.
<HUAWEI> display radius-server configuration template shiva
------------------------------------------------------------------------------
Server-template-name : shiva
Protocol-version : standard
Traffic-unit : B
Shared-secret-key : %$%$1"y;E[c;<.(_RS/w*!ÌOxof%$%$
Timeout-interval(in second) : 5
Retransmission : 2
EndPacketSendTime : 0
Dead time(in minute) : 5
Domain-included : NO
NAS-IP-Address : 0.0.0.0
Calling-station-id MAC-format : xxxx-xxxx-xxxx
Server algorithm : master-backup
Authentication Server 1 : 129.7.66.66 Port:1812 Weight:80
Vrf:- LoopBack:NULL
Source IP: ::
Authentication Server 2 : 129.7.66.67 Port:1812 Weight:40
Vrf:- LoopBack:NULL
Source IP: ::
Accounting Server 1 : 129.7.66.66 Port:1813 Weight:80
Vrf:- LoopBack:NULL
Source IP: ::
Accounting Server 2 : 129.7.66.67 Port:1813 Weight:40
Vrf:- LoopBack:NULL
Source IP: ::
------------------------------------------------------------------------------
----End
Configuration Files
Configuration files on Switch B
#
radius-server template shiva
radius-server shared-key cipher %$%$1"y;E[c;<.(_RS/w*!ÌOxof%$%$
radius-server authentication 129.7.66.66 1812 weight 80
radius-server accounting 129.7.66.66 1813 weight 80
radius-server accounting 129.7.66.67 1813 weight 40
radius-server retransmit 2
undo radius-server user-name domain-included

#
aaa
authentication-scheme auth
authentication-mode radius local
accounting-scheme abc
accounting-mode radius
accounting start-fail online
domain huawei
radius-server shiva
#
return
8.1.2 Example for Configuring HWTACACS Authentication,

Accounting, and Authorization
As shown in Figure 8-2, the customer requirements are as follows:
l The HWTACACS server will authenticate access users for SwitchB. If HWTACACS
authentication fails, local authentication is used.
l The HWTACACS server will authorize access users for SwitchB. If HWTACACS
authorization fails, local authorization is used.
l HWTACACS accounting is used by SwitchB for access users.
l Real-time accounting is performed every 3 minutes.
l The IP addresses of primary and secondary HWTACACS servers are 129.7.66.66/24 and
129.7.66.67/24. The port number for authentication, accounting, and authorization is 49.
Figure 8-2 Networking diagram of HWTACACS authentication, accounting, and authorization
Domain Huawei
Switch A Switch B
129.7.66.66/24
Network
129.7.66.67/24
Destination
Network

1. Configure an HWTACACS server template.

2. Configure authentication, authorization, and accounting schemes.
3. Apply the HWTACACS server template, authentication scheme, authorization scheme, and
accounting scheme to the domain.
NOTE
Perform the following configurations only on SwitchB.
Procedure
Step 1 Enable HWTACACS.
[HUAWEI] hwtacacs enable
NOTE
The HWTACACS function is enabled by default. If the HWTACACS configuration has not been modified,
you do not need to run this command.
Step 2 Configure an HWTACACS server template.
# Configure the HWTACACS server template ht.

[HUAWEI] hwtacacs-server template ht
# Configure the IP addresses and port numbers of the primary HWTACACS authentication,
authorization, and accounting servers.
[HUAWEI-hwtacacs-ht] hwtacacs-server authentication 129.7.66.66 49
[HUAWEI-hwtacacs-ht] hwtacacs-server authorization 129.7.66.66 49
[HUAWEI-hwtacacs-ht] hwtacacs-server accounting 129.7.66.66 49
# Configure the IP addresses and port numbers of the secondary HWTACACS authentication,
authorization, and accounting servers.
[HUAWEI-hwtacacs-ht] hwtacacs-server authentication 129.7.66.67 49 secondary
[HUAWEI-hwtacacs-ht] hwtacacs-server authorization 129.7.66.67 49 secondary
[HUAWEI-hwtacacs-ht] hwtacacs-server accounting 129.7.66.67 49 secondary
# Configure the shared key of the HWTACACS server.

[HUAWEI-hwtacacs-ht] hwtacacs-server shared-key cipher hello
[HUAWEI-hwtacacs-ht] quit
Step 3 Configure the authentication scheme, authorization scheme, and accounting scheme.
# Create an authentication scheme l-h. In the authentication scheme, the system performs
HWTACACS authentication first, and performs local authentication if HWTACACS
authentication fails.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme l-h
[HUAWEI-aaa-authen-l-h] authentication-mode hwtacacs local
[HUAWEI-aaa-authen-l-h] quit

# Create an authorization scheme hwtacacs. In the authorization scheme, the system performs
HWTACACS authorization first, and performs local authorization if HWTACACS
authorization fails.
[HUAWEI-aaa] authorization-scheme hwtacacs
[HUAWEI-aaa-author-hwtacacs] authorization-mode hwtacacs local
[HUAWEI-aaa-author-hwtacacs] quit
# Create an accounting scheme hwtacacs and set HWTACACS accounting.

[HUAWEI-aaa] accounting-scheme hwtacacs
[HUAWEI-aaa-accounting-hwtacacs] accounting-mode hwtacacs
[HUAWEI-aaa-accounting-hwtacacs] accounting start-fail online
# Set the interval of real-time accounting to 3 minutes.

[HUAWEI-aaa-accounting-hwtacacs] accounting realtime 3
[HUAWEI-aaa-accounting-hwtacacs] quit
Step 4 Configure a domain huawei, and apply the authentication scheme l-h, authorization scheme
hwtacacs, accounting scheme hwtacacs, and the HWTACACS server template ht to the domain.
[HUAWEI-aaa] domain huawei
[HUAWEI-aaa-domain-huawei] authentication-scheme l-h
[HUAWEI-aaa-domain-huawei] authorization-scheme hwtacacs
[HUAWEI-aaa-domain-huawei] accounting-scheme hwtacacs
[HUAWEI-aaa-domain-huawei] hwtacacs-server ht
[HUAWEI-aaa-domain-huawei] quit
[HUAWEI-aaa] quit
[HUAWEI] quit

Run the display hwtacacs-server template command on SwitchB, and you can see that the
configuration of the HWTACACS server template meets the requirements.
<HUAWEI> display hwtacacs-server template ht
---------------------------------------------------------------------------
HWTACACS-server template name : ht
Primary-authentication-server : 129.7.66.66:49:-
Primary-authorization-server : 129.7.66.66:49:-
Primary-accounting-server : 129.7.66.66:49:-
Secondary-authentication-server : 129.7.66.67:49:-
Secondary-authorization-server : 129.7.66.67:49:-
Secondary-accounting-server : 129.7.66.67:49:-
Current-authentication-server : 129.7.66.66:49:-
Current-authorization-server : 129.7.66.66:49:-
Current-accounting-server : 129.7.66.66:49:-
Source-IP-address : 0.0.0.0
Shared-key : ****************
Quiet-interval(min) : 5
Response-timeout-Interval(sec) : 5
Domain-included : Yes
Traffic-unit : B
---------------------------------------------------------------------------
Run the display domain command on SwitchB, and you can see that the configuration of the
domain meets the requirements.
<HUAWEI> display domain name huawei
Domain-name : huawei
Domain-state : Active
Authentication-scheme-name : l-h
Accounting-scheme-name : hwtacacs
Authorization-scheme-name : hwtacacs
Service-scheme-name : -

RADIUS-server-template : -
HWTACACS-server-template : ht
----End
Configuration Files
Configuration files on Switch B
#
hwtacacs-server template ht
hwtacacs-server authentication 129.7.66.66
hwtacacs-server authentication 129.7.66.67 secondary
hwtacacs-server authorization 129.7.66.66
hwtacacs-server authorization 129.7.66.67 secondary
hwtacacs-server accounting 129.7.66.66
hwtacacs-server accounting 129.7.66.67 secondary
hwtacacs-server shared-key cipher %$%$|)&LT+J>dN>=IqD<gO/Fj$xo%$%$
#
aaa
authentication-scheme default
authentication-scheme l-h
authentication-mode hwtacacs local
authorization-scheme default
authorization-scheme hwtacacs
authorization-mode hwtacacs local
accounting-scheme default
accounting-scheme hwtacacs
accounting-mode hwtacacs
accounting realtime 3
accounting start-fail online
domain default
domain default_admin
domain huawei
authentication-scheme l-h
authorization-scheme hwtacacs
accounting-scheme hwtacacs
hwtacacs-server ht
#
return
8.1.3 Example for Configuring Domain-based User Management
As shown in Figure 8-3, enterprise users access the network through SwitchA and SwitchB.
The user names do not contain any domain name.
The enterprise requires that common users should access the network and obtain rights after
passing RADIUS authentication and the administrator user should log in to the device for
management after passing local authentication on SwitchB.

Figure 8-3 Configuring domain-based user management

RADIUS server
Common user 192.168.2.30
……
GE0/0/2
VLANIF11
Common user 192.168.2.29/24
GE0/0/1
Internet
SwitchA SwitchB
Administrator user
1. Create a VLAN and a VLANIF interface so that SwitchB can communicate with the
RADIUS server.
2. Configure authentication and accounting schemes for common users and apply the schemes
to the default domain to authenticate common users such as users using 802.1x or Portal
authentication. The user names of the users do not carry domain names.
3. Configure authentication and authorization schemes for the administrator user and apply
the schemes to the default_admin domain to authenticate the administrator user such as the
user logging in through Telnet, SSH, or FTP. The user name of the administrator user does
not carry the domain name.
NOTE
Ensure that the RADIUS server address, port number, and shared key in the RADIUS server template are
the same as the settings on the RADIUS server.
Ensure that users have been configured on the RADIUS server. In this example, a user with the user name
test1 and password 123456 has been configured on the RADIUS server.
This example provides only the configuration of SwitchB. The configurations of SwitchA and the RADIUS
server are not mentioned here.
Procedure
Step 1 Create a VLAN and configure an interface.
# Create VLAN 11 on SwitchB.


# Configure GE0/0/2 connecting SwitchB and the RADIUS server and add GE0/0/2 to VLAN
11.

[HUAWEI] interface vlanif11
Step 2 Configure RADIUS AAA for common users using 802.1x authentication.
# Create and configure a RADIUS server template rd1.

[HUAWEI] radius-server template rd1
[HUAWEI-radius-rd1] radius-server authentication 192.168.2.30 1812
[HUAWEI-radius-rd1] radius-server accounting 192.168.2.30 1813
[HUAWEI-radius-rd1] radius-server shared-key cipher hello
[HUAWEI-radius-rd1] radius-server retransmit 2
[HUAWEI-radius-rd1] quit
# Create authentication and accounting schemes abc in which the authentication and accounting
modes are both RADIUS.
[HUAWEI] aaa
[HUAWEI-aaa] authentication-scheme abc
[HUAWEI-aaa-authen-abc] authentication-mode radius
[HUAWEI-aaa-authen-abc] quit
[HUAWEI-aaa] accounting-scheme abc
[HUAWEI-aaa-accounting-abc] accounting-mode radius
[HUAWEI-aaa-accounting-abc] quit
# Test the connection between SwitchB and the RADIUS server. The test user test1 with
password 123456 has been configured on the RADIUS server.
[HUAWEI] test-aaa test1 123456 radius-template rd1
Info: Account test succeed.
# Bind authentication and accounting schemes abc, and RADIUS server template rd1 to the
default domain.
[HUAWEI-aaa] domain default
[HUAWEI-aaa-domain-default] authentication-scheme abc
[HUAWEI-aaa-domain-default] accounting-scheme abc
[HUAWEI-aaa-domain-default] radius-server rd1
[HUAWEI-aaa-domain-default] quit
[HUAWEI-aaa] quit
# Enable 802.1x authentication globally and on an interface.

[HUAWEI] dot1x enable
[HUAWEI-GigabitEthernet0/0/1] dot1x enable
[HUAWEI-GigabitEthernet0/0/1] dot1x max-user 20
# Set the global default domain for common users to default. After common users enter their
user names in the format of user@default, the device performs AAA authentication on these

users in the default domain. If a user name does not contain a domain name or the domain name
does not exist, the device authenticates the common user in the default common domain.
[HUAWEI] domain default
Step 3 Configure local authentication and authorization for the administrator user test.
# Configure the device to use AAA for the Telnet user that logs in through the VTY user interface.
[HUAWEI-ui-vty0-14] authentication-mode aaa
# Configure a local user named test with password admin@12345 and user level 3.
[HUAWEI] aaa
[HUAWEI-aaa] local-user test password cipher admin@12345 privilege level 3
# Configure the access type of the user test as Telnet.

[HUAWEI-aaa] local-user test service-type telnet
# Configure local account locking, and set the retry count to 5 minutes, consecutive
authentication failure count to 3, and local account locking duration to 5 minutes.
[HUAWEI-aaa] local-aaa-user wrong-password retry-interval 5 retry-time 3 block-
time 5
# Configure the authentication scheme auth in which local authentication is used.

[HUAWEI-aaa] authentication-scheme auth
[HUAWEI-aaa-authen-auth] authentication-mode local
[HUAWEI-aaa-authen-auth] quit
# Configure the authorization scheme autho in which local authorization is used.

[HUAWEI-aaa] authorization-scheme autho
[HUAWEI-aaa-author-autho] authorization-mode local
[HUAWEI-aaa-author-autho] quit
# Configure the default_admin domain, and apply the authentication scheme auth and
authorization scheme autho to the domain.
[HUAWEI-aaa] domain default_admin
[HUAWEI-aaa-domain-default_admin] authentication-scheme auth
[HUAWEI-aaa-domain-default_admin] authorization-scheme autho
[HUAWEI-aaa-domain-default_admin] quit
[HUAWEI-aaa] quit
# Set the global default domain for administrative users to default_admin. After administrative
users enter their user names in the format of user@default_admin, the device performs AAA
authentication on these users in the default_admin domain. If a user name does not contain a
domain name or the domain name does not exist, the device authenticates the administrative
user in the default administrative domain.
[HUAWEI] domain default_admin admin
[HUAWEI] quit

Run the display dot1x interface command on SwitchB. You can see 802.1x authentication.
<HUAWEI> display dot1x interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 status: UP 802.1x protocol is Enabled
Port control type is Auto
Authentication mode is MAC-based

Authentication method is CHAP

Reauthentication is disabled
Maximum users: 20
Current users: 0
Guest VLAN is disabled
Critical VLAN is disabled
Restrict VLAN is disabled
Authentication Success: 0 Failure: 0

EAPOL Packets: TX : 0 RX : 0
Sent EAPOL Request/Identity Packets : 0
EAPOL Request/Challenge Packets : 0
Multicast Trigger Packets : 0
EAPOL Success Packets : 0
EAPOL Failure Packets : 0
Received EAPOL Start Packets : 0
EAPOL Logoff Packets : 0
EAPOL Response/Identity Packets : 0
EAPOL Response/Challenge Packets: 0
When common users go online and enter the user name test1 and password 123456 on the 802.1x
client, run the display access-user domain and display access-user user-id commands. You
can view the domain that users belong to and the access type.
<HUAWEI> display access-user domain default
------------------------------------------------------------------------------
UserID Username IP address MAC
------------------------------------------------------------------------------
16040 test1 - 00e0-4c97-31f6
------------------------------------------------------------------------------
<HUAWEI> display access-user user-id 16040
Basic:
User id : 16040
User name : test1
Domain-name : default
User MAC : 00e0-4c97-31f6
User IP address : -
User access time : 2009/02/15 19:10:52
User accounting session ID : 255255000000000f910d2016040
Option82 information : -
User access type : 802.1x
AAA:
User authentication type : 802.1x authentication
Current authentication method : RADIUS
Current authorization method : -
Current accounting method : RADIUS
When the user logs in through Telnet and enters the user name test and password
admin@12345, run the display access-user domain and display access-user user-id
commands. You can view the domain that the user belongs to and the access type.
<HUAWEI> display access-user domain default_admin
------------------------------------------------------------------------------
UserID Username IP address MAC
------------------------------------------------------------------------------
16009 test 10.135.18.217 -
------------------------------------------------------------------------------
<HUAWEI> display access-user user-id 16009
Basic:
User id : 16009
User name : test
Domain-name : default_admin
User MAC : -
User IP address : 10.135.18.217

User access time : 2009/02/15 05:10:52

User accounting session ID : HUAWEI255255000000000f910d2016009
Option82 information : -
User access type : Telnet
Idle Timeout : 4294967236(s)
AAA:
User authentication type : Administrator authentication
Current authentication method : Local
Current authorization method : Local
Current accounting method : None
----End
Configuration File
#
vlan batch 10 to 11
#
dot1x enable
#
radius-server template rd1
radius-server shared-key cipher %$%$lrWRXXUmJ/5W\uBqID/6EULC%$%$
radius-server authentication 192.168.2.30 1812
radius-server accounting 192.168.2.30 1813
#
aaa
authentication-scheme abc
authorization-scheme autho
accounting-mode radius
domain isp1
radius-server rd1
domain default
domain default_admin
authorization-scheme autho
local-aaa-user wrong-password retry-interval 5 retry-time 3 block-time 5
local-user admin password cipher %$%$=i~>Xp&aY+*2cEVcS-A23Uwe%$%$
local-user test password cipher %$%$NK\l,"a|M(0+3J)Yl;U%W&;k%$%$
local-user test privilege level 3
local-user test service-type telnet
#
interface Vlanif11
ip address 192.168.2.29 255.255.255.0
#
dot1x enable
dot1x max-user 20
#
#

#
return
8.2 NAC Configuration

This chapter describes NAC principles and configuration methods and provides configuration
examples.
8.2.1 Example for Configuring 802.1x Authentication
As shown in Figure 8-4, many users on a company access network through GE0/0/1 of the
Switch (used as an access device). After the network operates for a period of time, attacks are
detected. The administrator must control network access rights of user terminals to ensure
network security. The Switch allows user terminals to access Internet resources only after they
are authenticated.
Figure 8-4 Networking diagram for configuring 802.1x authentication

User
RADIUS Server
192.168.2.30
……
User
GE0/0/1 GE0/0/2 Intranet
VLAN 10 VLAN 20
LAN Switch Switch
Update Server
VLAN100
Printer
To control the network access permission of users, the administrator can configure 802.1x
authentication on the Switch after the server with the IP address 192.168.2.30 is used as the
RADIUS server.
1. Configure the LAN switch to transparently transmit the EAP packets used for 802.1x
authentication to the Switch.
2. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain on
the Switch. Bind the RADIUS server template and the AAA scheme to the ISP domain.
The Switch can then exchange information with the RADIUS server.

3. Configure 802.1x authentication on the Switch.

a. Enable 802.1x authentication globally and on the interface.
b. Enable MAC address bypass authentication to authenticate terminals (such as printers)
that cannot install 802.1x authentication client software.
c. A maximum of 200 802.1x authentication users are allowed to access an interface,
preventing excessive concurrent access users.
d. Set the maximum number of times that an authentication request packet is sent to a
user to 3 to avoid repeated authentication.
e. Configure VLAN100 as the guest VLAN so that users can access resources in the
guest VLAN without authentication.
Procedure
Step 1 Configure the LAN switch to transparently transmit the EAP packets used for 802.1x
authentication. In this example, the LAN switch is an S5300. The configurations on the LAN
switches of other models are the same as that on the S5300.
# Configure the LAN switch to transparently transmit the EAP packets.

<LAN Switch> system-view
[LAN Switch] l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-
c200-0003 group-mac 0100-0000-0002
# Enable the Layer 2 protocol transparent transmission function on the interface connecting to
users and the interface connecting to the Switch. In this example, the interface connecting to
users is GE0/0/1. Only the configuration on GE0/0/1 is provided here, and the configurations
on other interfaces are the same.
[LAN Switch] interface gigabitethernet 0/0/1
[LAN Switch-GigabitEthernet0/0/1] l2protocol-tunnel user-defined-protocol 802.1x
enable
[LAN Switch-GigabitEthernet0/0/1] bpdu enable
NOTE
The preceding step is performed on the LAN switch, and all the following steps are performed on the
Switch.
Step 2 Create VLANs and configure the VLAN allowed by the interface to ensure network
communication.

# On the Switch, set GE0/0/1 connecting to users as a hybrid interface, and add GE0/0/1 to
VLAN 10.
NOTE
Configure the interface type and VLANs according to the actual situation. In this example, users are added
to VLAN 10.

# On the Switch, set GE0/0/2 connecting to the RADIUS server as an access interface, and add
GE0/0/2 to VLAN 20.
# Create VLANIF10 and VLANIF20 and assign IP addresses to the VLANIF interfaces so that
user terminals, Switch, and internal devices on the enterprise network can set up routes. In this
example, the IP address of VLANIF10 is 192.168.1.20/24 and the IP address of VLANIF20 is
192.168.2.29/24.
Step 3 Create and configure a RADIUS server template, an AAA scheme, and an authentication
domain.
# Create and configure RADIUS server template rd1.

# Create AAA scheme abc and set the authentication mode to RADIUS.
[HUAWEI] aaa
# Create authentication domain isp1, and bind AAA scheme abc and RADIUS server template
rd1 to authentication domain isp1.
[HUAWEI-aaa] domain isp1
[HUAWEI-aaa-domain-isp1] authentication-scheme abc
[HUAWEI-aaa-domain-isp1] radius-server rd1
[HUAWEI-aaa-domain-isp1] quit
[HUAWEI-aaa] quit
# Configure the default domain isp1 in the system view.When a user enters the user name in the
format of user@isp1, the user is authenticated in the authentication domain isp1. If the user name
does not carry the domain name or carries a nonexistent domain name, the user is authenticated
in the default domain.
[HUAWEI] domain isp1
Step 4 Configure 802.1x authentication.
# Enable 802.1x authentication globally and on an interface.

[HUAWEI] dot1x enable
[HUAWEI-GigabitEthernet0/0/1] dot1x enable
# Configure MAC address bypass authentication.

[HUAWEI-GigabitEthernet0/0/1] dot1x mac-bypass

# Set the maximum number of concurrent access users for 802.1x authentication on an interface
to 200.
[HUAWEI-GigabitEthernet0/0/1] dot1x max-user 200
# Set the maximum number of times that an authentication request packet is sent to the user to
3.
[HUAWEI] dot1x retry 3
# Configure VLAN100 as the guest VLAN in 802.1x authentication.

[HUAWEI] authentication guest-vlan 100 interface gigabitethernet 0/0/1
Step 5 View the 802.1x configuration.

<HUAWEI> display dot1x interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 status: UP 802.1x protocol is Enabled[mac-bypass]
Port control type is Auto
Authentication mode is MAC-based
Authentication method is CHAP
Reauthentication is disabled
Maximum users: 200
Current users: 0
Guest VLAN 100 is not effective
Restrict VLAN is disabled
Authentication Success: 0 Failure: 0

EAPOL Packets: TX : 0 RX : 0
Sent EAPOL Request/Identity Packets : 0
EAPOL Request/Challenge Packets : 0
Multicast Trigger Packets : 0
EAPOL Success Packets : 0
EAPOL Failure Packets : 0
Received EAPOL Start Packets : 0
EAPOL Logoff Packets : 0
EAPOL Response/Identity Packets : 0
EAPOL Response/Challenge Packets: 0
----End
Configuration Files
# Configuration file of the LAN Switch
#
l2protocol-tunnel user-defined-protocol 802.1x protocol-mac 0180-c200-0003 group-
mac 0100-0000-0002
#
l2protocol-tunnel user-defined-protocol 802.1x enable
# Configuration file of the Switch

#
#
domain isp1
#
dot1x enable
dot1x retry 3
#


#
aaa
domain isp1
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.20 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.29 255.255.255.0
#
dot1x mac-bypass
dot1x max-user 200
authentication guest-vlan 100
#
#
return
8.2.2 Example for Configuring MAC Address Authentication
As shown in Figure 8-5, many printers on a company access network through GE0/0/1 of the
Switch (used as an access device). After the network operates for a period of time, the
administrator controls the network access rights of the printers to improve network security. The
Switch allows a printer to access Internet resources only after the printer is authenticated.
Figure 8-5 Networking diagram for configuring MAC address authentication

RADIUS Server
192.168.2.30
Printer
……
GE0/0/1 GE0/0/2 Intranet

VLAN 10 VLAN 20
LAN Switch Switch
Update Server
VLAN100
Printer
Printers cannot install and use the 802.1x client. The administrator can configure MAC address
authentication on the Switch to control the network access rights of the printers.

The configuration roadmap is as follows (configured on the Switch):
1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain;
bind the RADIUS server template and the AAA scheme to the ISP domain. The Switch
can then exchange information with the RADIUS server.
2. Configure MAC address authentication.
a. Enable MAC address authentication globally and on the interface.
b. A maximum of 100 MAC address authentication users are allowed to access an
interface, preventing excessive concurrent access users.
c. Configure VLAN100 as the guest VLAN, so that users can access resources in the
guest VLAN without authentication.
Procedure
communication.

VLAN 10.
NOTE
to VLAN 10.
GE0/0/2 to VLAN 20.
192.168.2.29/24.
domain.


[HUAWEI] aaa
[HUAWEI-aaa] quit
Step 3 Configure MAC address authentication.
# Enable MAC address authentication globally and on the interface.

[HUAWEI] mac-authen
[HUAWEI-GigabitEthernet0/0/1] mac-authen
# Configure the isp1 domain as the authentication domain for MAC address authentication users.
[HUAWEI-GigabitEthernet0/0/1] mac-authen domain isp1
#Set the maximum number of concurrent MAC authentication access users on the interface to
100.
[HUAWEI-GigabitEthernet0/0/1] mac-authen max-user 100
# Configure VLAN100 as the guest VLAN for MAC address authentication.

[HUAWEI] authentication guest-vlan 100 interface gigabitethernet 0/0/1
Step 4 Run the display mac-authen interface command to view the configuration of MAC address
authentication.
[HUAWEI] display mac-authen interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 state: UP. MAC address authentication is enabled
Maximum users: 100
Current users: 0
Current domain is isp1
Authentication Success: 0, Failure: 0
Guest VLAN 100 is not effective
----End

Configuration Files
#
#
domain isp1
#
mac-authen
#
#
aaa
domain isp1
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.20 255.255.255.0
#
interface Vlanif20
ip address 192.168.2.29 255.255.255.0
#
authentication guest-vlan 100
mac-authen
mac-authen max-user 100
mac-authen domain isp1
#
#
return
8.2.3 Example for Configuring Portal Authentication
As shown in Figure 8-6, many users on a company access network through GE0/0/1 of the
Switch (used as an access device). After the network operates for a period of time, attacks are
detected. The administrator must control network access rights of user terminals to ensure
network security. The Switch allows user terminals to access Internet resources only after they
are authenticated.

Figure 8-6 Networking diagram for configuring Portal authentication
User RADIUS Server

192.168.2.30
GE0/0/1 GE0/0/2
……
Intranet
VLAN 10 VLAN 20
LAN Switch Switch
Portal Server
User 192.168.2.20
To control the network access permission of users, the administrator can configure Portal
authentication on the Switch after the server with the IP address 192.168.2.30 is used as the
RADIUS server, and configure the IP address 192.168.2.20 as the IP address for the Portal server.
The configuration roadmap is as follows (configured on the Switch):
1. Create and configure a RADIUS server template, an AAA scheme, and an ISP domain.
Bind the RADIUS server template and the AAA scheme to the ISP domain. The Switch
can then exchange information with the RADIUS server.
2. Configure Portal authentication.
a. Create and configure a Portal server template to ensure normal information exchange
between the device and the Portal server.
b. Enable Portal authentication to authenticate access users.
c. Configure a shared key that the device uses to exchange information with the Portal
server to improve communication security.
d. Configure the maximum number of concurrent Portal authentication users to prevent
excessive concurrent users.
e. Configure the offline detection period for Portal authentication users to ensure that
the device deletes the information of offline users.
f. Configure the detection and keepalive function of Portal authentication, so that users
can still access networks when the Portal server is faulty.
Procedure
communication.

VLAN 10.


NOTE
to VLAN 10.
GE0/0/2 to VLAN 20.
192.168.2.29/24.
domain.

[HUAWEI] aaa
[HUAWEI-aaa] quit
Step 3 Configure Portal authentication.

# Create and configure Portal server template abc.

[HUAWEI] web-auth-server abc
[HUAWEI-web-auth-server-abc] server-ip 192.168.2.20
[HUAWEI-web-auth-server-abc] url http://192.168.2.30:8080/webagent
[HUAWEI-web-auth-server-abc] quit
# Enable Portal authentication.

[HUAWEI-Vlanif10] web-auth-server abc
# Set the shared key in cipher text to 12345.

[HUAWEI-web-auth-server-abc] shared-key cipher 12345
# Set the maximum number of concurrent Portal users to 100.

[HUAWEI] portal max-user 100
# Set the user offline detection period to 500s.

[HUAWEI] portal timer offline-detect 500
# Configure the detection and keepalive function of Portal authentication.

[HUAWEI-web-auth-server-abc] server-detect action log
[HUAWEI-web-auth-server-abc] user-sync
[HUAWEI] quit
Step 4 # Verify the configuration.
# Run the display portal command to view Portal parameters set in the system view.
<HUAWEI> display portal
Portal timer offline-detect length:500
Portal max-user number:100
Vlanif10 protocol status: up, web-auth-server layer2(direct)
# Run the display portal interface command to view Portal parameters set in the VLANIF
interface view.
<HUAWEI> display portal interface vlanif 10
Vlanif10 protocol status: up, web-auth-server layer2
# Run the display web-auth-server configuration command to check the configuration of the
Portal authentication server.
<HUAWEI> display web-auth-server configuration
Listening port : 2000
Portal : version 1, version 2
Include reply message : enabled
------------------------------------------------------------------------
Web-auth-server Name : abc
IP-address : 192.168.2.20
Shared-key : %$%$qqZ$ZM:$i&]T9sF7KE~Xi%yp%$%$
Source-IP : -
Port / PortFlag : 50100 / NO
URL : http://192.168.2.30:8080/webagent
VPN instance :
Redirection : Enable
Sync : Enable
Sync Seconds : 300
Sync Max-times : 3

Detect : Enable
Detect Seconds : 60
Detect Max-times : 3
Detect Critical-num : 0
Detect Action : log
Bound Vlanif : 10
VPN instance :
------------------------------------------------------------------------
1 Web authentication server(s) in total
----End
Configuration Files
#
vlan batch 10 20
#
domain isp1
#
portal max-user 100
portal timer offline-detect 500
#
web-auth-server abc
server-ip 192.168.2.20
port 50100
shared-key cipher %$%$9|vQ3(`Js#[:m\+~xK:W7cZQ%$%$
url http://192.168.2.30:8080/webagent
server-detect interval 60 max-times 3 critical-num 0 action
log
user-sync
#
#
aaa
domain isp1
radius-server rd1
#
interface Vlanif10
ip address 192.168.1.20 255.255.255.0
web-auth-server abc
#
interface Vlanif20
ip address 192.168.2.29 255.255.255.0
#
#
#
return

8.3 ACL Configuration

An access control list (ACL) is a set of rules that classify packets into different types. This chapter
explains how to configure an ACL on a Switch to filter packets.
8.3.1 Example for Configuring a Basic ACL to Limit Access to the

FTP Server
As shown in Figure 8-7, the Switch functions as an FTP server (172.16.104.110/24). The
l All the users on subnet 1 (172.16.105.0/24) are allowed to access the FTP server at any
time.
l All the users on subnet 2 (172.16.107.0/24) are allowed to access the FTP server only at
the specified period of time.
l Other users are not allowed to access the FTP server.
The routes between the Switch and subnets are reachable. You need to configure the Switch to
limit user access to the FTP server.
Figure 8-7 Configuring a basic ACL to limit user access to the FTP server
PC A
172.16.105.111/24
FTP Server
PC B
Network
172.16.107.111/24
Switch
172.16.104.110/24
PC C
10.10.10.1/24
l Create a basic ACL on the Switch and configure rules in the basic ACL.
l Configure basic FTP functions on the Switch.
l Apply a basic ACL to the Switch to limit user access.

Procedure
Step 1 Configure a time range.
[Switch] time-range ftp-access from 0:0 2009/1/1 to 23:59 2011/12/31
[Switch] time-range ftp-access 14:00 to 18:00 off-day
Step 2 Configure a basic ACL.

[Switch-acl-basic-2001] rule permit source 172.16.105.0 0.0.0.255
[Switch-acl-basic-2001] rule permit source 172.16.107.0 0.0.0.255 time-range ftp-
access
[Switch-acl-basic-2001] rule deny source any
Step 3 Configure basic FTP functions.

[Switch] ftp server enable
[Switch] aaa
[Switch-aaa] local-user huawei password cipher SetUesrPasswd@123
[Switch-aaa] local-user huawei privilege level 15
[Switch-aaa] local-user huawei service-type ftp
[Switch-aaa] local-user huawei ftp-directory flash:
[Switch-aaa] quit
Step 4 Configure access permissions on the FTP server.

[Switch] ftp acl 2001

Run the ftp 172.16.104.110 command on PC A (172.16.105.111/24) in subnet 1. PC A can
connect to the FTP server.
Run the ftp 172.16.104.110 command on PC B (172.16.107.111/24) in subnet 2 on Monday in
2010. PC B cannot connect to the FTP server. Run the ftp 172.16.104.110 command on PC B
(172.16.107.111/24) in subnet 2 at 15:00 on Saturday in 2010. PC B can connect to the FTP
server.
Run the ftp 172.16.104.110 command on PC C (10.10.10.1/24). PC C cannot connect to the FTP
server.
----End
Configuration Files
# Configuration file of the Switch
#
sysname Switch
#
FTP server enable
FTP acl 2001
#
aaa
local-user huawei password cipher %$%$k$Xg7H;w4HZP5nE4-E4(FcZQ%$%$
local-user huawei ftp-directory flash:/
#
time-range ftp-access 14:00 to 18:00 off-day
time-range ftp-access from 00:00 2009/1/1 to 23:59 2011/12/31
#

acl number 2001

rule 10 permit source 172.16.107.0 0.0.0.255 time-range ftp-access
rule 15 deny
#
return
8.3.2 Example for Using an Advanced ACL to Configure Traffic

Classifiers
As shown in Figure 8-8, the departments of the company are connected through the Switch. An
IPv4 ACL needs to be configured to prevent the R&D department and marketing department
from accessing the salary query server from 8:00 to 17:30 and allow the president's office to
access the salary query server at any time.
Figure 8-8 Using an advanced ACL to configure traffic classifiers
Salary query server

10.164.9.9
GE0/0/2 GE0/0/4
GE0/0/1
Switch GE0/0/3
Marketing department
10.164.2.0/24 President's office
10.164.1.0/24
R&D department
10.164.3.0/24
1. Assign IP addresses to interfaces.

2. Configure the time range.
3. Configure ACLs.
4. Configure traffic classifiers.
5. Configure traffic behaviors.
6. Configure traffic policies.
7. Apply traffic policies to interfaces.

Procedure
Step 1 Assign IP addresses to interfaces.
# Add interfaces to VLANs and assign IP addresses to the VLANIF interfaces.
Add GE 0/0/1, GE 0/0/2, and GE 0/0/3 to VLAN 10, VLAN 20, and VLAN 30 respectively,
and add GE 0/0/4 to VLAN 100. The first IP address of a network segment is taken as the address
of the VLANIF interface of the same network segment. The configuration on GE 0/0/1 is used
as an example here. The configurations of other interfaces are similar to the configuration on
GE 0/0/1, and are not mentioned here.
[HUAWEI] vlan batch 10 20 30 100
Step 2 Configure the time range.
# Configure the time range from 8:00 to 17:30.

[HUAWEI] time-range satime 8:00 to 17:30 working-day
Step 3 Configure ACLs.
# Configure the ACL for the marketing department to access the salary query server.
[HUAWEI] acl 3002
[HUAWEI-acl-adv-3002] rule deny ip source 10.164.2.0 0.0.0.255 destination
10.164.9.9 0.0.0.0 time-range satime
[HUAWEI-acl-adv-3002] quit
# Configure the ACL for the R&D department to access the salary query server.
[HUAWEI] acl 3003
[HUAWEI-acl-adv-3003] rule deny ip source 10.164.3.0 0.0.0.255 destination
10.164.9.9 0.0.0.0 time-range satime
[HUAWEI-acl-adv-3003] quit
Step 4 Configure ACL-based traffic classifiers.
# Configure the traffic classifier c_market to classify the packets that match ACL 3002.
[HUAWEI] traffic classifier c_market
[HUAWEI-classifier-c_market] if-match acl 3002
[HUAWEI-classifier-c_market] quit
# Configure the traffic classifier c_rd to classify the packets that match ACL 3003.
[HUAWEI] traffic classifier c_rd
[HUAWEI-classifier-c_rd] if-match acl 3003
[HUAWEI-classifier-c_rd] quit
# Configure the traffic behavior b_market to reject packets.

[HUAWEI] traffic behavior b_market
[HUAWEI-behavior-b_market] deny
[HUAWEI-behavior-b_market] quit

# Configure the traffic behavior b_rd to reject packets.

[HUAWEI] traffic behavior b_rd
[HUAWEI-behavior-b_rd] deny
[HUAWEI-behavior-b_rd] quit
Step 6 Configure traffic policies.

# Configure the traffic policy p_market and associate the traffic classifier c_market and the
traffic behavior b_market with the traffic policy.
[HUAWEI] traffic policy p_market
[HUAWEI-trafficpolicy-p_market] classifier c_market behavior b_market
[HUAWEI-trafficpolicy-p_market] quit
# Configure the traffic policy p_rd and associate the traffic classifier c_rd and the traffic
behavior b_rd with the traffic policy.
[HUAWEI] traffic policy p_rd
[HUAWEI-trafficpolicy-p_rd] classifier c_rd behavior b_rd
[HUAWEI-trafficpolicy-p_rd] quit
Step 7 Apply the traffic policy.

# Apply the traffic policy p_market to GE 0/0/2.
[HUAWEI-GigabitEthernet0/0/2] traffic-policy p_market inbound
# Apply the traffic policy p_rd to GE 0/0/3.

[HUAWEI-GigabitEthernet0/0/3] traffic-policy p_rd inbound

# Check the configuration of ACL rules.
# Check the configuration of the traffic classifier.
[HUAWEI] display traffic classifier user-defined
Classifier: c_market
Operator: AND
Classifier: c_rd
Operator: AND
# Check the configuration of the traffic policy.

[HUAWEI] display traffic policy user-defined
Policy: p_market
Classifier:
c_market
Operator: AND
Behavior:
b_market
Deny
Policy: p_rd

Classifier: c_rd
Operator: AND
Behavior: b_rd
Deny
# Check the traffic policy application records.

[HUAWEI] display traffic-policy applied-record
#
-------------------------------------------------
Policy Name:
p_market
Policy Index:
0
Classifier:c_market
Behavior:b_market
-------------------------------------------------
*interface GigabitEthernet0/0/2
traffic-policy p_market
inbound
slot 0 :
success
-------------------------------------------------
Policy total applied times:

1.
-------------------------------------------------
Policy Name:
p_rd
Policy Index:
1
Classifier:c_rd
Behavior:b_rd
-------------------------------------------------
*interface
traffic-policy p_rd
inbound
slot 0 :
success
-------------------------------------------------

1.

----End
Configuration Files
#
acl number 3002
rule 5 deny ip source 10.164.2.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime
#
acl number 3003
rule 5 deny ip source 10.164.3.0 0.0.0.255 destination 10.164.9.9 0 time-range
satime
#
traffic classifier c_market operator and
if-match acl 3002
traffic classifier c_rd operator and
if-match acl 3003
#
traffic behavior b_market
deny
traffic behavior b_rd
deny
#
traffic policy p_market
classifier c_market behavior b_market
traffic policy p_rd
classifier c_rd behavior b_rd
#
interface Vlanif10
ip address 10.164.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.164.2.1 255.255.255.0
#
interface Vlanif30
ip address 10.164.3.1 255.255.255.0
#
interface Vlanif100
ip address 10.164.9.1 255.255.255.0
#
#
traffic-policy p_market inbound
#
traffic-policy p_rd inbound
#
#
return

8.3.3 Example for Using a Layer 2 ACL to Configure a Traffic

Classifier
As shown in Figure 8-9, the Switch that functions as the gateway is connected to PCs. ACL
needs to be configured to prevent the packets with the source MAC address 00e0-f201-0101 and
the destination MAC address 0260-e207-0002 from passing through.
Figure 8-9 Using a Layer 2 ACL to configure a traffic classifier
GE0/0/2 GE0/0/1
IP network
Switch
00e0-f201-0101
1. Configure an ACL.
2. Configure a traffic classifier.
3. Configure a traffic behavior.
4. Configure a traffic policy.
5. Apply the traffic policy to an interface.
Procedure
# Configure a Layer 2 ACL.

[HUAWEI] acl 4000
[HUAWEI-acl-L2-4000] rule deny source-mac 00e0-f201-0101 ffff-ffff-ffff
destination-mac 0260-e207-0002 ffff-ffff-ffff
Step 2 Configure the traffic classifier that is based on the ACL.
# Configure the traffic classifier tc1 to classify packets that match ACL 4000.
[HUAWEI] traffic classifier tc1
[HUAWEI-classifier-tc1] if-match acl 4000
[HUAWEI-classifier-tc1] quit
Step 3 Configure the traffic behavior.

# Configure the traffic behavior tb1 to reject packets.

[HUAWEI] traffic behavior tb1
[HUAWEI-behavior-tb1] deny
[HUAWEI-behavior-tb1] quit
Step 4 Configure the traffic policy.

# Configure the traffic policy tp1 and associate tc1 and tb1 with the traffic policy.
[HUAWEI] traffic policy tp1
[HUAWEI-trafficpolicy-tp1] classifier tc1 behavior tb1
[HUAWEI-trafficpolicy-tp1] quit
Step 5 Apply the traffic policy.

# Apply the traffic policy tp1 to GE 0/0/2.
[HUAWEI-GigabitEthernet0/0/2] traffic-policy tp1 inbound

# Check the configuration of ACL rules.
[HUAWEI] display acl 4000
L2 ACL 4000, 1 rule
Acl's step is 5
rule 5 deny destination-mac 0260-e207-0002 source-mac 00e0-f201-0101

Classifier: tc1
Operator: AND

[HUAWEI] display traffic policy user-defined tp1
Policy: tp1
Classifier: tc1
Operator: AND
Behavior: tb1
Deny
# Check the traffic policy application records.

[HUAWEI] display traffic-policy applied-record
#
-------------------------------------------------
Policy Name:
tp1
Policy Index:
2
Classifier:tc1
Behavior:tb1
-------------------------------------------------

*interface
traffic-policy tp1
inbound
slot 0 :
success
-------------------------------------------------

1.
----End
Configuration Files
#
acl number 4000
rule 5 deny destination-mac 0260-e207-0002 source-mac 00e0-f201-0101
#
traffic classifier tc1 operator and
if-match acl 4000
#
traffic behavior tb1
deny
#
traffic policy tp1
classifier tc1 behavior tb1
#
traffic-policy tp1 inbound
#
return
8.3.4 Example for Using a User-defined ACL to Configure a Traffic

Classifier
As shown in Figure 8-10, GE 0/0/1 of the Switch is connected to PCs, and GE 0/0/2 is connected
to the upstream router. A user-defined ACL needs to be configured on GE 0/0/1 to deny the
packets of which the bytes from the 14th byte in the Layer 2 header matching 0x0180C200.

Figure 8-10 Using a user-defined ACL to configure a traffic classifier
PC A
GE0/0/1 GE0/0/2
Switch
PC B
1. Configure an ACL.
2. Configure a traffic classifier.
3. Configure a traffic behavior.
4. Configure a traffic policy.
Procedure
# Configure a user-defined ACL.
[HUAWEI] acl 5000
[HUAWEI-acl-user-5000] rule deny l2-head 0x0180C200 0xFFFFFFFF 14
[HUAWEI-acl-user-5000] quit
Step 2 Configure a traffic classifier based on the user-defined ACL.

# Configure the traffic classifier tc1 to classify the packets that match ACL 5000.
[HUAWEI] traffic classifier tc1
[HUAWEI-classifier-tc1] if-match acl 5000
[HUAWEI-classifier-tc1] quit

# Configure the traffic behavior tb1 to deny packets.
[HUAWEI] traffic behavior tb1
[HUAWEI-behavior-tb1] deny
[HUAWEI-behavior-tb1] quit
Step 4 Configure a traffic policy.

# Define the traffic policy and associate the traffic classifier and traffic behavior with the traffic
policy.

[HUAWEI] traffic policy tp1

[HUAWEI-trafficpolicy-tp1] classifier tc1 behavior tb1
[HUAWEI-trafficpolicy-tp1] quit
Step 5 Apply the traffic policy to an interface.
# Apply the traffic policy to GE0/0/1.

[HUAWEI-GigabitEthernet0/0/1] traffic-policy tp1 inbound
# Check the configuration of the ACL rule.

User ACL 5000, 1 rule
Acl's step is 5
rule 5 deny 0x0180c200 0xffffffff 14

Classifier: tc1
Operator: AND

[HUAWEI] display traffic policy user-defined tp1
Policy: tp1
Classifier: tc1
Operator: AND
Behavior: tb1
Deny
----End
Configuration Files
#
acl number 5000
rule 5 deny 0x0180c200 0xffffffff 14
#
traffic classifier tc1 operator and
if-match acl 5000
#
traffic behavior tb1
deny
#
traffic policy tp1
classifier tc1 behavior tb1
#
traffic-policy tp1 inbound
#
return

8.3.5 Example for Using an ACL6 to Configure a Traffic Classifier
As shown in Figure 8-11, SwitchA and SwitchB are connected through GE interfaces. An ACL6
needs to be configured on SwitchA to deny the IPv6 packets with source IP address 3001::2/64
on GE 0/0/1.
Figure 8-11 Configuring ACL6 to filter IPv6 packets

VLAN 10
SwitchA VLANIF 10 VLANIF 10 SwitchB
3001::1/64 3001::2/64 Loopback2
GE0/0/1 GE0/0/1 3002::2/64
1. Configure an ACL6.
2. Configure the traffic classifier.
3. Configure the traffic behavior.
4. Configure the traffic policy.
Procedure
Step 1 Enable IPv6 forwarding capability on SwitchA and SwitchB, and set the parameters for the
interfaces.
[SwitchA] ipv6
# Configure a static route on SwitchA.

[SwitchA] ipv6 route-static 3002:: 64 3001::2
[SwitchB] ipv6

[SwitchB] interface loopback 2

[SwitchB-LoopBack2] ipv6 enable
[SwitchB-LoopBack2] ipv6 address 3002::2 64
[SwitchB-Vlanif10] ipv6 address 3001::2 64
Step 2 Create an ACL6 rule and apply the rule to the interface to deny the IPv6 packets from 3001::2.
[SwitchA] acl ipv6 number 3001
[SwitchA-acl6-adv-3001] rule deny ipv6 source 3001::2/64
[SwitchA-acl6-adv-3001] quit
[SwitchA] traffic classifier class1
[SwitchA-classifier-class1] if-match ipv6 acl 3001
[SwitchA-classifier-class1] quit
[SwitchA] traffic behavior behav1
[SwitchA-behavior-behav1] deny
[SwitchA-behavior-behav1] quit
[SwitchA] traffic policy policy1
[SwitchA-trafficpolicy-policy1] classifier class1 behavior behav1
[SwitchA-trafficpolicy-policy1] quit
[SwitchA-GigabitEthernet0/0/1] traffic-policy policy1 inbound
# Check the configuration of ACL6 rules.

[SwitchA] display acl ipv6 3001
Advanced IPv6 ACL 3001, 1 rule
rule 0 deny ipv6 source 3001::/64 (match-counter 0)

[SwitchA] display traffic classifier user-defined
Classifier: class1
Operator: AND
Rule(s) : if-match ipv6 acl 3001

[SwitchA] display traffic policy user-defined
Policy: policy1
Classifier: class1
Operator: AND
Behavior: behav1
Deny
----End

Configuration Files
#
sysname SwitchA
#
ipv6
#
rule 0 deny ipv6 source 3001::/64
#
traffic classifier class1 operator and
if-match ipv6 acl 3001
#
traffic behavior behav1
deny
#
traffic policy policy1
classifier class1 behavior behav1
#
interface Vlanif10
ipv6 enable
#
traffic-policy policy1 inbound
#
ipv6 route-static 3002:: 64 3001::2
#
return

#
sysname SwitchB
#
ipv6
#
interface Vlanif10
ipv6 enable
#
#
interface LoopBack2
ipv6 enable
#
return
8.4 DHCP Snooping Configuration

This chapter describes the principle and configuration method of DHCP snooping and provides

8.4.1 Example for Configuring DHCP Snooping Attack Defense
In Figure 8-12, SwitchA and SwitchB are access devices, and SwitchC is a DHCP relay agent.
Client1 and Client2 are connected to SwitchA through GE0/0/1 and GE0/0/2 respectively.
Client3 is connected to SwitchB through GE0/0/1. Client1 and Client3 obtain IPv4 addresses
using DHCP, while Client2 uses the static IPv4 address. Attacks from unauthorized users prevent
authorized users from obtaining IP addresses. The administrator needs to enable the device to
defend against DHCP attacks on the network and provide better services to DHCP clients.
Figure 8-12 Networking diagram for configuring DHCP snooping attack defense
DHCP Client1
GE0/0/1
GE0/0/3
IP:10.1.1.1/24
DHCP Server
MAC:0001-0002-0003 GE0/0/2 SwitchA GE0/0/1
GE0/0/2 GE0/0/3
Client2 SwitchC
（DHCP Relay）
GE0/0/2
GE0/0/1
SwitchB
DHCP Client3
1. Enable DHCP snooping and configure the device to process only DHCPv4 messages.
2. Configure an interface as the trusted interface to ensure that DHCP clients obtain IP
addresses from the authorized server.
3. Enable association between ARP and DHCP snooping to enable the device to update the
binding entries when a DHCP user is disconnected.
4. Enable the device to generate static MAC address entries on the interface based on DHCP
snooping binding entries to prevent attacks from non-DHCP users.
5. Enable the device to check DHCP messages against the binding table to prevent bogus
DHCP message attacks.
6. Set the maximum rate of sending DHCP messages to the processing unit to prevent DHCP
flood attacks.
7. Set the maximum number of access DHCP clients and enable the device to check whether
the MAC address in the Ethernet frame header matches the CHADDR field in the DHCP
message to prevent DHCP server DoS attacks.

Procedure
Step 1 Enable DHCP snooping.
# Enable DHCP snooping globally and configure the device to process only DHCPv4 messages.
[SwitchC] dhcp enable
[SwitchC] dhcp snooping enable ipv4
# Enable DHCP snooping on the user-side interface. GE0/0/1 is used as an example. The
configuration on GE0/0/2 is the same as the configuration on GE0/0/1 and is not mentioned here.
[SwitchC-GigabitEthernet0/0/1] dhcp snooping enable
Step 2 Configure the interface connected to the DHCP server as the trusted interface.
[SwitchC-GigabitEthernet0/0/3] dhcp snooping trusted
Step 3 Enable association between ARP and DHCP snooping.

[SwitchC] arp dhcp-snooping-detect enable
Step 4 Enable the device to generate static MAC address entries on the interface based on DHCP
snooping binding entries.
# Configure the user-side interface. GE0/0/1 is used as an example. The configuration on

GE0/0/2 is the same as the configuration on GE0/0/1 and is not mentioned here.
[SwitchC-GigabitEthernet0/0/1] dhcp snooping sticky-mac
Step 5 Enable the device to check DHCP messages against the DHCP snooping binding table.

[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-request enable
Step 6 Set the maximum rate of sending DHCP messages to the processing unit to 90 pps.
[SwitchC] dhcp snooping check dhcp-rate enable
[SwitchC] dhcp snooping check dhcp-rate 90
Step 7 Enable the device to check whether the GIADDR field in a DHCP Request message is 0.

[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-giaddr enable
Step 8 Set the maximum number of access users allowed on the interface and enable the device to check
the CHADDR field.



[SwitchC-GigabitEthernet0/0/1] dhcp snooping max-user-number 20
[SwitchC-GigabitEthernet0/0/1] dhcp snooping check dhcp-chaddr enable
Step 9 Configure the trap function for the number of discarded messages and the rate limit.
# Enable the trap function for discarding messages and set the alarm threshold. GE0/0/1 is used
as an example. The configuration on GE0/0/2 is the same as the configuration on GE0/0/1 and
is not mentioned here.
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr enable
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request enable
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply enable
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-chaddr threshold 120
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-request threshold 120
[SwitchC-GigabitEthernet0/0/1] dhcp snooping alarm dhcp-reply threshold 120
# Enable the trap function for the rate limit and set the alarm threshold.
[SwitchC] dhcp snooping alarm dhcp-rate enable
[SwitchC] dhcp snooping alarm dhcp-rate threshold 500

# Run the display dhcp snooping configuration command to view the DHCP snooping
configuration.
[SwitchC] display dhcp snooping configuration
#
dhcp snooping enable
ipv4
dhcp snooping check dhcp-rate enable
dhcp snooping check dhcp-rate 90
dhcp snooping alarm dhcp-rate enable
dhcp snooping alarm dhcp-rate threshold 500
arp dhcp-snooping-detect enable
#
dhcp snooping check dhcp-giaddr enable
dhcp snooping check dhcp-request
enable
dhcp snooping alarm dhcp-request
enable
dhcp snooping alarm dhcp-request threshold
120
dhcp snooping check dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr enable
dhcp snooping alarm dhcp-chaddr threshold 120
dhcp snooping alarm dhcp-reply enable
dhcp snooping alarm dhcp-reply threshold 120
dhcp snooping max-user-number 20
#
enable
enable
120


#
#
# Run the display dhcp snooping interface command to view DHCP snooping information on
an interface.
[SwitchC] display dhcp snooping interface gigabitethernet 0/0/1

DHCP snooping running information for interface GigabitEthernet0/0/1 :
DHCP snooping : Enable
Trusted interface : No
Dhcp user max number : 20
Current dhcp and nd user number : 0
Check dhcp-giaddr : Enable
Check dhcp-chaddr : Enable
Alarm dhcp-chaddr : Enable
Alarm dhcp-chaddr threshold : 120
Discarded dhcp packets for check chaddr : 0
Check dhcp-request : Enable
Alarm dhcp-request : Enable
Alarm dhcp-request threshold : 120
Discarded dhcp packets for check request : 0
Check dhcp-rate : Disable (default)
Alarm dhcp-rate : Disable (default)
Alarm dhcp-rate threshold : 500
Discarded dhcp packets for rate limit : 0
Alarm dhcp-reply : Enable
Alarm dhcp-reply threshold : 120
Discarded dhcp packets for check reply : 0
[SwitchC] display dhcp snooping interface gigabitethernet 0/0/3
DHCP snooping running information for interface GigabitEthernet0/0/3 :
DHCP snooping : Disable (default)
Trusted interface : Yes
Dhcp user max number : 1024 (default)
Current dhcp and nd user number : 0
Check dhcp-giaddr : Disable (default)
Check dhcp-chaddr : Disable (default)
Alarm dhcp-chaddr : Disable (default)
Check dhcp-request : Disable (default)
Alarm dhcp-request : Disable (default)
Check dhcp-rate : Disable (default)
Alarm dhcp-rate : Disable (default)
Alarm dhcp-rate threshold : 500
Discarded dhcp packets for rate limit : 0
Alarm dhcp-reply : Disable (default)
----End
Configuration Files
# Configuration file of the SwitchC
#
sysname SwitchC
#
dhcp enable
#
dhcp snooping enable ipv4
dhcp snooping check dhcp-rate enable

dhcp snooping check dhcp-rate 90

dhcp snooping alarm dhcp-rate enable
dhcp snooping alarm dhcp-rate threshold 500
arp dhcp-snooping-detect enable
#
dhcp snooping sticky-mac
enable
enable
120
#
dhcp snooping sticky-mac
enable
enable
120
#
#
return
8.5 Local Attack Defense Configuration

Local attack defense limits the rate of packets sent to the CPU, ensuring device security and
uninterrupted services when attacks occur.
8.5.1 Example for Configuring Local Attack Defense
As shown in Figure 8-13, users from different LANs connect to the Internet through the
Switch. The Switch is connected to a large number of users, and receives many packets sent to
the CPU. In this case, the CPU of the Switch may be attacked by packets.
l The administrator needs to know about the CPU status in real time and check whether the
CPU is attacked. When potential attacks occur, the device sends alarms to the administrator
to protect the CPU.

l Users on Net1 are forbidden to access the network because they often attack the CPU.
l The CPU usage occupied by ARP Request packets is `reduced because attackers may send
a large number of ARP Request packets to deteriorate CPU performance.
l Stable and reliable data transmission is required between the administrator host and the
Switch.
Figure 8-13 Networking diagram for configuring local attack defense
Net1: 1.1.1.0/24
Internet
Switch
Net2: 2.2.2.0/24
Net3: 3.3.3.0/24
1. Attack source tracing provides traffic analysis and statistics, attack source identification
and alarm function. Enable attack source tracing and its alarm function, and configure attack
source punishment. In this way, the administrator can know about the CPU status in real
time and prevent potential attacks.
2. Add users on Net1 to the blacklist to prevent users on Net1 from accessing the network.
3. Configure the rate limit for ARP Request packets sent to the CPU to reduce the CPU usage
occupied by ARP Request packets.
4. ALP protects session-based application layer data and ensures service reliability and
stability on the application layer. Configure rate limit of FTP packets sent to the CPU when
an FTP connection is set up (by default, ALP is enabled for FTP packets) to ensure data
transmission between the administrator host and the Switch.
Procedure
Step 1 Configure a rule for filtering packets sent to the CPU.
# Define an ACL rule.

[Switch-acl-basic-2001] rule permit source 1.1.1.0 0.0.0.255

Step 2 Configure an attack defense policy.
Create an attack defense policy.

[Switch] cpu-defend policy test1
# Enable attack source tracing.

[Switch-cpu-defend-policy-test1] auto-defend enable
# Enable the alarm function for attack source tracing.

[Switch-cpu-defend-policy-test1] auto-defend alarm enable
# Configure the attack source punishment as discard.

[Switch-cpu-defend-policy-test1] auto-defend action deny
# Configure a blacklist.
[Switch-cpu-defend-policy-test1] blacklist 1 acl 2001
Configure the rate limit for ARP Request packets sent to the CPU.
[Switch-cpu-defend-policy-test1] car packet-type arp-request cir 128
# Set the CIR for sending FTP packets to the CPU when FTP connections are set up.
[Switch-cpu-defend-policy-test1] linkup-car packet-type ftp cir 5000
[Switch-cpu-defend-policy-test1] quit
Step 3 Apply the attack defense policy globally.

[Switch] cpu-defend-policy test1 global
[Switch] quit
# View the attack source tracing configuration.

<Switch> display auto-defend configuration
----------------------------------------------------------------------------
Name : test1
Related slot : <0>
auto-defend : enable
auto-defend attack-packet sample : 16
auto-defend threshold : 128 (pps)
auto-defend alarm : enable
auto-defend alarm threshold : 128 (pps)
auto-defend trace-type : source-mac source-ip source-portvlan
auto-defend protocol : arp icmp dhcp igmp ttl-expired tcp telnet
auto-defend action : deny (Expired time : 300 s)
----------------------------------------------------------------------------
# View information about the configured attack defense policy.

<Switch> display cpu-defend policy test1
Related slot : <0>
Configuration :
Blacklist 1 ACL number : 2001
Car packet-type arp-request : CIR(128) CBS(24064)
Linkup-car packet-type ftp : CIR(5000) CBS(940000)
# View the CAR configuration.

<Switch> display cpu-defend configuration packet-type arp-request
Car Configurations On Slot 0.
----------------------------------------------------------------------
Packet Name Status Cir(Kbps) Cbs(Byte) Queue Port-Type
----------------------------------------------------------------------

arp-request Enabled 128 24064 3 UNI

----------------------------------------------------------------------
----End
Configuration Files
#
sysname Switch
#
acl number 2001
#
cpu-defend policy test1
blacklist 1 acl 2001
car packet-type arp-request cir 128 cbs 24064
linkup-car packet-type ftp cir 5000 cbs 940000
auto-defend enable
auto-defend alarm enable
auto-defend trace-type source-mac source-ip source-portvlan
auto-defend protocol all
auto-defend action deny
#
cpu-defend-policy test1 global
#
return
8.6 Attack Defense Configuration

Attack defense is a network security feature. Attack defense allows the device to identify various
types of network attacks and protect itself and the connected network against malicious attacks
to ensure device and network operation.
8.6.1 Example for Configuring Attack Defense
As shown in Figure 8-14, if a hacker on the LAN initiates malformed packet attacks, packet
fragment attacks, and flood attacks to SwitchA, SwitchA may break down. The administrator
requires that attack defense measures be deployed on SwitchA to provide a secure network
environment and ensure normal services.

Figure 8-14 Networking of attack defense
Campus Network
SwitchA
Attack
Defense
…… ……
User User Hacker
1. Enable defense against malformed packet attacks so that SwitchA can defend against such
attacks.
2. Enable defense against packet fragment attacks so that SwitchA can defend against such
attacks.
3. Enable defense against packet flood attacks so that SwitchA can defend against such
attacks.
Procedure
Step 1 Enable defense against malformed packet attacks.
[SwitchA] anti-attack abnormal enable
Step 2 Enable defense against packet fragment attacks and set the rate limit at which packet fragments
are received to 15000 bit/s.
[SwitchA] anti-attack fragment enable
[SwitchA] anti-attack fragment car cir 15000
Step 3 Enable defense against flood attacks.
# Enable defense against TCP SYN flood attacks and set the rate limit at which TCP SYN flood
packets are received to 15000 bit/s.
[SwitchA] anti-attack tcp-syn enable
[SwitchA] anti-attack tcp-syn car cir 15000
# Enable defense against UDP flood attacks to discard UDP packets sent from specified ports.
[SwitchA] anti-attack udp-flood enable

# Enable defense against ICMP flood attacks and set the rate limit at which ICMP flood packets
are received to 15000 bit/s.
[SwitchA] anti-attack icmp-flood enable
[SwitchA] anti-attack icmp-flood car cir 15000
# After the configuration is complete, run the display anti-attack statistics command to view
attack defense statistics.
<SwitchA> display anti-attack statistics
Packets Statistic Information:
-------------------------------------------------------------------------------
AntiAtkType TotalPacketNum DropPacketNum PassPacketNum
(H) (L) (H) (L) (H) (L)
-------------------------------------------------------------------------------
Abnormal 0 0 0 0 0 0
Fragment 0 0 0 0 0 0
Tcp-syn 0 34 0 28 0 6
Udp-flood 0 0 0 0 0 0
Icmp-flood 0 0 0 0 0 0
-------------------------------------------------------------------------------
On SwitchA, there are statistics on discarded TCP SYN packets, indicating that the attack
defense function takes effect.
----End
Configuration Files
#
sysname SwitchA
#
anti-attack fragment car cir 15000
anti-attack tcp-syn car cir 15000
anti-attack icmp-flood car cir 15000
#
return
8.7 IPSG Configuration

You can configure IPSG to enable an interface to filter and control forwarded packets, preventing
invalid packets.
Support
8.7.1 Example for Configuring IPSG
As shown in Figure 8-15, HostA and HostB are connected to GE0/0/1 and GE0/0/2 on the
Switch respectively. It is required that HostB not forge the IP address and MAC address of HostA
and IP packets from HostA be sent to the server.

Figure 8-15 Networking diagram of configuring IPSG

Server
Switch
GE0/0/1 GE0/0/2
Packets:
SIP:10.0.0.1/24
SMAC:1-1-1
Host A Host B (Attacker)

IP:10.0.0.1/24 IP:10.0.0.2/24
MAC:1-1-1 MAC:2-2-2
Assume that the user is configured with an IP address statically. The configuration roadmap is
as follows:
1. Enable IP packet check on the interfaces connecting HostA and HostB.

2. Configure static binding entries for users statically obtaining IP addresses.
NOTE
This configuration example provides only the commands related to IP source guard.
Procedure
Step 1 Configure IP packet check.
# Enable IP packet check on GE0/0/1 connected to HostA.

[Switch-GigabitEthernet0/0/1] ip source check user-bind enable
# Enable the alarm function of IP packet check and set the alarm threshold on GE0/0/1 connected
to HostA.
[Switch-GigabitEthernet0/0/1] ip source check user-bind alarm enable
[Switch-GigabitEthernet0/0/1] ip source check user-bind alarm threshold 200
# Enable IP packet check on GE0/0/2 connected to HostB.

[Switch-GigabitEthernet0/0/2] ip source check user-bind enable
# Enable the alarm function of IP packet check and set the alarm threshold on GE0/0/2 connected
to HostB.

[Switch-GigabitEthernet0/0/2] ip source check user-bind alarm enable

[Switch-GigabitEthernet0/0/2] ip source check user-bind alarm threshold 200
Step 2 Configure a static binding entry.

# Configure HostA in the static binding table.
[Switch] user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface
gigabitethernet 0/0/1 vlan 10

Run the display dhcp static user-bind all command on Switch to check the binding table.
[Switch] display dhcp static user-bind all
DHCP Static Bind-table:
Flags: O - outer vlan, I - inner vlan, P - map vlan
IP Address MAC Address VSI/VLAN(O/I/P) Interface
--------------------------------------------------------------------------------
10.0.0.1 0001-0001-0001 10 /-- /-- GE0/0/1
--------------------------------------------------------------------------------
Print count: 1 Total count: 1
The command output indicates that HostA has been configured in the static binding table.
----End
Configuration Files
#
sysname Switch
#
user-bind static ip-address 10.0.0.1 mac-address 0001-0001-0001 interface
GigabitEthernet 0/0/1 vlan 10
#
ip source check user-bind enable
ip source check user-bind alarm enable
ip source check user-bind alarm threshold 200
#
ip source check user-bind alarm enable
ip source check user-bind alarm threshold 200
#
return
8.8 URPF Configuration

URPF can prevent network attacks based on source IP address spoofing.
8.8.1 Example for Configuring URPF
As shown in Figure 8-16, the Switch is connected to the Internet Service Provider (ISP) router
through GE0/0/2 and connected to user networks through GE0/0/1.The administrator hopes that

the Switch can defend against source address spoofing attacks. If the Switch cannot provide this
function, unauthorized users will occupy too many service resources by sending valid service
requests, and authorized users cannot communicate with each other due to no response.
Figure 8-16 Networking diagram of URPF configuration
GE0/0/1 GE0/0/2
User ISP
network
Switch
Configure URPF on the user-side interface GE0/0/1 of the device and enable allow-default-
route to prevent source IP address spoofing attacks from users.
NOTE
Route symmetry is ensured in this example; so the URPF strict check is used.
Procedure
Step 1 Configure the URPF check mode on the interface.
[Switch-GigabitEthernet0/0/1] urpf strict allow-default-route
Run the display this command on GE0/0/1 to check the URPF configuration.
[Switch-GigabitEthernet0/0/1] display this
#
urpf strict allow-default-route
#
return
----End
Configuration Files
#
sysname Switch
#
urpf strict allow-default-route
#

8.9 ARP Security Configuration

This chapter describes the principle and configuration methods of ARP security and provides
8.9.1 Example for Configuring ARP Security Functions
As shown in Figure 8-17, the switch functioning as the gateway connects to a server using
GE0/0/3 and connects to four users in VLAN 10 and VLAN 20 using GE0/0/1 and GE0/0/2.
The following ARP threats exist on the network:
l Attackers send bogus ARP packets or bogus gratuitous ARP packets to the switch. ARP
entries on the switch are modified, leading to packet sending and receiving failures.
l Attackers send a large number of IP packets with unresolvable destination IP addresses to
the switch, leading to CPU overload.
l User1 sends a large number of ARP packets with fixed MAC addresses but variable source
IP addresses to the switch. As a result, ARP entries on the switch are exhausted and the
CPU is insufficient to process other services.
l User3 sends a large number of ARP packets with fixed source IP addresses to the switch.
As a result, the CPU of the switch is insufficient to process other services.
The administrator wants to prevent the preceding ARP flood attacks and provide users with
stable services on a secure network.
Figure 8-17 Networking for configuring ARP security functions

VLAN 30
VLANIF 30
10.10.10.2/24 10.10.10.3/24
Switch
GE0/0/3
Gateway
GE0/0/1 GE0/0/2
Server
VLANIF 10 VLANIF 20
8.8.8.4/24 9.9.9.4/24
VLAN10 VLAN20
User1 User2 User3 User4

8.8.8.2/24 8.8.8.3/24 9.9.9.2/24 9.9.9.3/24
1-1-1 2-2-2 3-3-3 4-4-4

1. Configure strict ARP learning and ARP entry fixing to prevent ARP entries from being
modified by bogus ARP packets.
2. Configure rate limit on ARP Miss messages based on the source IP address. This function
defends against attacks from ARP Miss messages triggered by a large number of IP packets
with unresolvable IP addresses (ARP Miss packets). At the same time, the switch must
have the capability to process a large number of ARP Miss packets from the server to ensure
network communication.
3. Configure ARP entry limit and rate limit on ARP packets based on the source MAC address.
These functions defend against ARP flood attacks caused by a large number of ARP packets
with fixed MAC addresses but variable IP addresses and prevent ARP entries from being
exhausted and CPU overload.
4. Configure rate limit on ARP packets based on the source IP address. This function defends
against ARP flood attacks from User3 with a fixed IP address and prevents CPU overload.
Procedure
Step 1 Create VLANs, add interfaces to the VLANs, and configure VLANIF interfaces.
# Create VLAN 10, VLAN 20, VLAN 30, and add GE0/0/1 to VLAN 10, GE0/0/2 to VLAN
20, and GE0/0/3 to VLAN 30.
# Create VLANIF 10, VLANIF 20, and VLANIF 30, and assign IP addresses to them.
Step 2 Configure strict ARP learning.

[HUAWEI] arp learning strict
Step 3 Configure ARP entry fixing.

# Set the ARP entry fixing mode to fixed-mac.

[HUAWEI] arp anti-attack entry-check fixed-mac enable
Step 4 Configure rate limit on ARP Miss messages based on the source IP address.
# Set the maximum rate of ARP Miss messages triggered by the server with the IP address
10.10.10.2 to 40 pps, and set the maximum rate of ARP Miss messages triggered by other hosts
to 20 pps.
[HUAWEI] arp-miss speed-limit source-ip maximum 20
[HUAWEI] arp-miss speed-limit source-ip 10.10.10.2 maximum 40
Step 5 Configure interface-based ARP entry limit.
# Configure that GE0/0/1 can dynamically learn a maximum of 20 ARP entries.

[HUAWEI-GigabitEthernet0/0/1] arp-limit vlan 10 maximum 20
Step 6 Configure rate limit on ARP packets based on the source MAC address.
# Set the maximum rate of ARP packets from User1 with the source MAC address 1-1-1 to 10
pps.
[HUAWEI] arp speed-limit source-mac 1-1-1 maximum 10
Step 7 Configure rate limit on ARP packets based on the source IP address.
# Set the maximum rate of ARP packets from User3 with the source IP address 9.9.9.2 to 10
pps.
[HUAWEI] arp speed-limit source-ip 9.9.9.2 maximum 10
# Run the display arp learning strict command to check the global configuration of strict ARP
entry learning.
[HUAWEI] display arp learning strict
The global configuration:arp learning strict
Interface LearningStrictState
------------------------------------------------------------
------------------------------------------------------------
Total:0
Force-enable:0
Force-disable:0
# Run the display arp-limit command to check the maximum number of ARP entries that the
interface can dynamically learn.
[HUAWEI] display arp-limit interface gigabitethernet 0/0/1
Interface LimitNum VlanID LearnedNum(Mainboard)
---------------------------------------------------------------------------
GigabitEthernet0/0/1 20 10 0
---------------------------------------------------------------------------
Total:1
# Run the display arp anti-attack configuration all command to check the configuration of
ARP anti-attack.
[HUAWEI] display arp anti-attack configuration all
ARP anti-attack packet-check configuration:
-------------------------------------------------------------------------------
Sender-mac checking function: disable
Dst-mac checking function: disable

Ip checking function: disable

-------------------------------------------------------------------------------
ARP gateway-duplicate anti-attack function: disabled
ARP anti-attack log-trap-timer: 0 seconds

(The log and trap timer of speed-limit, default is 0 and means disabled.)
ARP anti-attack entry-check mode:

Vlanif Mode
-------------------------------------------------------------------------------
All fixed-mac
-------------------------------------------------------------------------------
ARP rate-limit configuration:

-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
Vlan configuration:
-------------------------------------------------------------------------------
ARP miss rate-limit configuration:

-------------------------------------------------------------------------------
Global configuration:
Interface configuration:
Vlan configuration:
-------------------------------------------------------------------------------
ARP speed-limit for source-MAC configuration:

MAC-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
0001-0001-0001 10
Others 0
-------------------------------------------------------------------------------
The number of configured specified MAC address(es) is 1, spec
512.
ARP speed-limit for source-IP configuration:

IP-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
9.9.9.2 10
Others 0
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 1, spec is
512.
ARP miss speed-limit for source-IP configuration:

IP-address suppress-rate(pps)(rate=0 means function disabled)
-------------------------------------------------------------------------------
10.10.10.2/32 40
Others 20
-------------------------------------------------------------------------------
The number of configured specified IP address(es) is 1, spec is 512.
# Run the display arp packet statistics command to check statistics on ARP-based packets.
[HUAWEI] display arp packet statistics
ARP Pkt Received: sum 8678904
ARP-Miss Msg Received: sum 183
ARP Learnt Count: sum 37
ARP Pkt Discard For Limit: sum 146
ARP Pkt Discard For SpeedLimit: sum
40529
ARP Pkt Discard For Proxy Suppress: sum 0
ARP Pkt Discard For Other: sum 8367601
ARP-Miss Msg Discard For SpeedLimit: sum 20
ARP-Miss Msg Discard For Other: sum 104

In the preceding command output, the numbers of ARP packets and ARP Miss messages
discarded by the switch is displayed, indicating that the ARP security functions have taken effect.
----End
Configuration File
#
vlan batch 10 20 30
#
arp learning strict
#
arp-miss speed-limit source-ip 10.10.10.2 maximum 40
arp speed-limit source-ip 9.9.9.2 maximum 10
arp speed-limit source-mac 0001-0001-0001 maximum 10
arp anti-attack entry-check fixed-mac enable
#
arp-miss speed-limit source-ip maximum 20
#
interface Vlanif10
ip address 8.8.8.4 255.255.255.0
#
interface Vlanif20
ip address 9.9.9.4 255.255.255.0
#
interface Vlanif30
ip address 10.10.10.3
255.255.255.0
#
arp-limit vlan 10 maximum 20
#
#
#
return
8.9.2 Example for Configuring Defense Against ARP MITM Attacks
As shown in Figure 8-18, SwitchA connects to the DHCP server using GE0/0/4, connects to
DHCP clients UserA and UserB using GE0/0/1 and GE0/0/2, and connects to UserC configured
with a static IP address using GE0/0/3. GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4 on SwitchA
all belong to VLAN 10. The administrator wants to prevent ARP MITM attacks and theft on
authorized user information, and learn the frequency and range of ARP MITM attacks.

Figure 8-18 Networking diagram for defending against ARP MITM attacks
SwitchB
DHCP Server
GE0/0/4
SwitchA
GE0/0/1
GE0/0/2 GE0/0/3
UserA UserB UserC
IP:10.0.0.2/24
DHCP Client DHCP Client
MAC:1-1-1
VLAN ID:10
1. Enable DAI so that SwitchA compares the source IP address, source MAC address,
interface number, and VLAN ID of the ARP packet with DHCP snooping binding entries.
This prevents ARP MITM attacks.
2. Enable packet discarding alarm function upon DAI so that SwitchA collects statistics on
ARP packets matching no DHCP snooping binding entry and generates alarms when the
number of discarded ARP packets exceeds the alarm threshold. The administrator learns
the frequency and range of the current ARP MITM attacks based on the alarms and the
number of discarded ARP packets.
3. Enable DHCP snooping and configure a static binding table to make DAI take effect.
Procedure
# Create VLAN 10, and add GE0/0/1, GE0/0/2, GE0/0/3, and GE0/0/4 to VLAN 10.


Step 2 Enable DAI and the packet discarding alarm function.
# Enable DAI and the packet discarding alarm function on GE0/0/1, GE0/0/2, and GE0/0/3.
GE0/0/1 is used as an example. Configurations of other interfaces are similar to the configuration
of GE0/0/1, and are not mentioned here.
[SwitchA-GigabitEthernet0/0/1] arp anti-attack check user-bind enable
[SwitchA-GigabitEthernet0/0/1] arp anti-attack check user-bind alarm enable
Step 3 Configure DHCP snooping.
# Enable DHCP snooping globally.

[SwitchA] dhcp snooping enable
# Enable DHCP snooping in VLAN 10.

[SwitchA] vlan 10
[SwitchA-vlan10] dhcp snooping enable
# Configure GE0/0/4 as a trusted interface.

[SwitchA-GigabitEthernet0/0/4] dhcp snooping trusted
# Configure a static binding table.

[SwitchA] user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001
interface gigabitethernet 0/0/3 vlan 10
# Run the display arp anti-attack configuration check user-bind interface command to check
the DAI configuration on each interface. GE0/0/1 is used as an example.
[SwitchA] display arp anti-attack configuration check user-bind interface
gigabitethernet 0/0/1
arp anti-attack check user-bind enable
arp anti-attack check user-bind alarm enable
# Run the display arp anti-attack statistics check user-bind interface command to check the
number of ARP packets discarded based on DAI. GE0/0/1 is used as an example.
[SwitchA] display arp anti-attack statistics check user-bind interface
Dropped ARP packet number is 966
Dropped ARP packet number since the latest warning is 605
In the preceding command output, the number of discarded ARP packets on GE0/0/1 is
displayed, indicating that the defense against ARP MITM attacks has taken effect.

When you run the display arp anti-attack statistics check user-bind interface command for
multiple times on each interface, the administrator can learn the frequency and range of ARP
MITM attacks based on the number of discarded ARP packets.
----End
Configuration File
#
sysname SwitchA
#
vlan batch 10
#
dhcp enable
#
user-bind static ip-address 10.0.0.2 mac-address 0001-0001-0001 interface
GigabitEthernet0/0/3 vlan 10
#
vlan 10
#
#
#
#
#
return
8.10 MFF Configuration

This chapter provides MAC-Forced Forwarding (MFF) basics, configuration method,
configuration examples, and common configuration errors.
Support
8.10.1 Example for Configuring MFF to Implement Layer 2 Isolation

and Layer 3 Connection of Users

As shown in Figure 8-19, a department of an enterprise uses SwitchA and SwitchB as the access
devices of user hosts, and SwitchC functions as the aggregation device. The administrator
requires that user hosts in VLAN 10 be isolated on the access device and communicate with
each other through gateway. This allows the gateway to monitor user traffic. When a large
number of user hosts exist on the network, a DHCP server is deployed on the network to allocate
IP addresses to the hosts. Forwarding too many traffic between the application server and users
will cause the gateway to overload. Therefore, the administrator configures the application server
(DHCP server) to transparently transmit user traffic.
Figure 8-19 Networking diagram for MFF configuration
GE
0 /0 SwitchA
/1
User
DHCP Server
VLAN 10
……
10.10.10.2
GE0/0/3
2
0 /0/
G E
VLAN 10 Internet
User
Gateway
GE0 SwitchC
/0/1 10.10.10.1
VLAN 10
User GE0/0/3
……
2
0 /0/ SwitchB
GE
User
1. Configure DHCP snooping on SwitchA and SwitchB to provide dynamic user information
such as IP address, MAC address, and VLAN to implement Layer 2 isolation and Layer 3
connection.
2. Configure MFF on SwitchA and SwitchB to redirect user traffic to the gateway so that users
are isolated at Layer 2 and communicate with each other at Layer 3 and the gateway can
monitor user traffic.
3. Configure the DHCP server address on SwitchA and SwitchB so that traffic from the DHCP
server to users can be transparently transmitted at Layer 2. The load on gateway is relieved.

Procedure
# Create VLAN 10 on SwitchA and add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN
10.
# Create VLAN 10 on SwitchB and add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN
10.
Step 2 Configure DHCP snooping.

# Enable DHCP snooping globally on SwitchA.
# All user hosts are in VLAN 10, so enable DHCP snooping for VLAN 10 on SwitchA.
[SwitchA] vlan 10
# Configure GE0/0/3 on SwitchA as the DHCP snooping trusted interface.

# Enable DHCP snooping globally on SwitchB.

[SwitchB] dhcp snooping enable
# All user hosts are in VLAN 10, so enable DHCP snooping for VLAN 10 on SwitchB.

[SwitchB] vlan 10
[SwitchB-vlan10] dhcp snooping enable
# Configure GE0/0/3 on SwitchB as the DHCP snooping trusted interface.

[SwitchB-GigabitEthernet0/0/3] dhcp snooping trusted
Step 3 Configure MFF.

# Enable MFF globally on SwitchA.
[SwitchA] mac-forced-forwarding enable
# On SwitchA, configure GE0/0/3 as an MFF network interface.

[SwitchA-GigabitEthernet0/0/3] mac-forced-forwarding network-port
# Enable MFF in VLAN 10 on SwitchA.

[SwitchA] vlan 10
[SwitchA-vlan10] mac-forced-forwarding enable
# Enable MFF globally on SwitchB.

[SwitchB] mac-forced-forwarding enable
# On SwitchB, configure GE0/0/3 as an MFF network interface.

[SwitchB-GigabitEthernet0/0/3] mac-forced-forwarding network-port
# Enable MFF in VLAN 10 on SwitchB.

[SwitchB] vlan 10
[SwitchB-vlan10] mac-forced-forwarding enable
Step 4 Configure an IP address for the DHCP server.

# Configure a DHCP server address on SwitchA.
[SwitchA-vlan10] mac-forced-forwarding server 10.10.10.2
# Configure a DHCP server address on SwitchB.

[SwitchB-vlan10] mac-forced-forwarding server 10.10.10.2

# Run the display mac-forced-forwarding vlan 10 command to view the MFF configuration
in VLAN 10. (SwitchB is used as an example.)
[SwitchB] display mac-forced-forwarding vlan 10
--------------------------------------------------------------------------------
Servers 10.10.10.2
--------------------------------------------------------------------------------
User IP User MAC Gateway IP Gateway MAC
--------------------------------------------------------------------------------
10.10.10.11 00-01-00-01-00-01 10.10.10.1 00-02-00-02-00-01
--------------------------------------------------------------------------------
[Vlan 10] MFF host total count = 1

# Run the display mac-forced-forwarding network-port command to view the MFF network
interface information. (SwitchB is used as an example.)
[SwitchB] display mac-forced-forwarding network-port
--------------------------------------------------------------------------------
VLAN ID Network-
ports
--------------------------------------------------------------------------------
VLAN 10 GigabitEthernet0/0/3
# After the gateway interface connected to SwitchC is shut down, user hosts in VLAN 10 cannot
ping each other. After the gateway interface is recovered, user hosts can ping each other. This
indicates that the users are isolated at Layer 2 and communicate with each other at Layer 3. The
MFF function takes effect.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
mac-forced-forwarding enable
#
dhcp
enable

#
vlan 10
mac-forced-forwarding server 10.10.10.2
#
#
#
mac-forced-forwarding network-port
#
return

#
sysname SwitchB
#
vlan batch 10
#

#
dhcp
enable

#
vlan 10
mac-forced-forwarding server 10.10.10.2
#
#
#
mac-forced-forwarding network-port
#
return
8.11 Traffic Suppression and Storm Control Configuration

This chapter describes basic concepts, configuration procedures and examples, and common
configuration errors.
8.11.1 Example for Configuring Traffic Suppression
As shown in Figure 8-20, Switch A is connected to the Layer 2 network and Layer 3 router.
Switch A prevents broadcast storms caused by a large number of broadcast packets, multicast
packets, or unknown unicast packets forwarded at Layer 2.
Figure 8-20 Networking diagram
GE0/0/1 GE0/0/2
L2 network L3 network
Switch A

The roadmap of configuring traffic suppression is as follows:
1. Configure traffic suppression in the view of GE0/0/1 to prevent broadcast storms caused
by a large number of broadcast packets, multicast packets, or unknown unicast packets
forwarded at Layer 2 and prevent broadcast storms.
Procedure
Step 1 Enter the interface view.
Step 2 Configure traffic suppression for broadcast packets.

[SwitchA-GigabitEthernet0/0/1] broadcast-suppression 80
Step 3 Configure traffic suppression for multicast packets.

[SwitchA-GigabitEthernet0/0/1] multicast-suppression 80
Step 4 Configure traffic suppression for unknown unicast packets.

[SwitchA-GigabitEthernet0/0/1] unicast-suppression 80
Step 5 Check the configuration
Run the display flow-suppression interface command. You can view the traffic suppression
configuration on GE0/0/1.
[SwitchA] display flow-suppression interface gigabitethernet 0/0/1
storm type rate mode set rate value
-------------------------------------------------------------------------------
unknown-unicast percent percent: 80%
multicast percent percent: 80%
broadcast percent percent: 80%
-------------------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
unicast-suppression 80
multicast-suppression 80
broadcast-suppression 80
#
return
8.11.2 Example for Configuring Storm Control

As shown in Figure 8-21, Switch A is connected to the Layer 2 network and Layer 3 router.
Switch A prevents broadcast storms caused by a large number of broadcast packets, multicast
packets, or unknown unicast packets forwarded at Layer 2
Figure 8-21 Networking diagram
GE0/0/1 GE0/0/2
L2 network L3 network
Switch A
The roadmap of configuring storm control is as follows:
1. Configure storm control in the interface view on GE0/0/1 to prevent broadcast storms
caused by a large number of broadcast packets, multicast packets, or unknown unicast
packets forwarded at Layer 2 and prevent broadcast storms.
Procedure
Step 1 Enter the interface view.
Step 2 Configure storm control for broadcast packets.

[SwitchA-GigabitEthernet0/0/1] storm-control broadcast min-rate 1000 max-rate 2000
Step 3 Configure storm control for multicast packets.

[SwitchA-GigabitEthernet0/0/1] storm-control multicast min-rate 1000 max-rate 2000
Step 4 Configure storm control for unknown unicast packets.

[SwitchA-GigabitEthernet0/0/1] storm-control multicast min-rate 1000 max-rate 2000
Step 5 Set the storm control action to or block.

[SwitchA-GigabitEthernet0/0/1] storm-control action block
Step 6 Enable the function of recording logs during storm control.

[SwitchA-GigabitEthernet0/0/1] storm-control enable log
Step 7 Set the detection interval.

[SwitchA-GigabitEthernet0/0/1] storm-control interval 90
Step 8 Check the configuration
Run the display storm-control interface command. You can view the storm control
configuration on GE0/0/1.

[SwitchA] display storm-control interface gigabitethernet 0/0/1

PortName Type Rate Mode Action Punish- Trap Log Int Last-
(Min/Max) Status Punish-Time
--------------------------------------------------------------------------------
GE0/0/1 Multicast 1000 Pps Block Normal Off On 90 -
/2000
GE0/0/1 Broadcast 1000 Pps Block Normal Off On 90 -
/2000
GE0/0/1 Unicast 1000 Pps Block Normal Off On 90 -
/2000
----End
Configuration Files
#
sysname SwitchA
#
storm-control broadcast min-rate 1000 max-rate 2000
storm-control multicast min-rate 1000 max-rate 2000
storm-control unicast min-rate 1000 max-rate 2000
storm-control interval 90
storm-control action block
storm-control enable log
#
return
8.12 PPPoE+ Configuration

Point-to-Point Protocol over Ethernet plus (PPPoE+), also called PPPoE Intermediate Agent,
intercepts PPPoE packets sent by the PPPoE client, adds information about the interface
connecting the PPPoE client to the PPPoE packets, and sends the packets to the PPPoE server.
In this manner, the user account and access interface information are both authenticated, which
prevents user account embezzling.
8.12.1 Example for Configuring PPPoE+
As shown in Figure 8-22, the Switch is connected to an upstream BRAS and a downstream
PPPoE client. The BRAS functions as a PPPoE server. On networks, unauthorized users listen
to PPPoE packets of authorized users and even embezzle accounts of authorized users. The
administrator wants to prevent these problems and ensure user account security.

Figure 8-22 Networking diagram for configuring PPPoE+
RADIUS Server
Internet
BRAS
PPPoE Server
GE0/0/1
PPPoE+ Switch
GE0/0/2 GE0/0/3
PPPoE client PPPoE client
1. Enable PPPoE+ globally to authenticate the user account and access interface information,
preventing the user account from embezzling.
2. Configure the interface connecting the Switch and the PPPoE server as a trusted interface,
preventing PPPoE packets from being listened by unauthorized users when the packets are
forwarded to non-PPPoE service port.
3. Configure the policy for processing user-side PPPoE packets on the Switch, enabling the
Switch to properly communicate with the PPPoE server.
Procedure
Step 1 Enable PPPoE+.
[Switch] pppoe intermediate-agent information enable
NOTE
After PPPoE+ is enabled globally, PPPoE+ is enabled on all the interfaces.

Step 2 Configure the GE0/0/1 interface as a trusted interface.

[Switch-GigabitEthernet0/0/1] pppoe uplink-port trusted
Step 3 Set the policy for processing original fields in user-side PPPoE packets to replace on all
interfaces, and replace original fields in PPPoE packets with the circuit ID and remote ID of the
Switch.
[Switch] pppoe intermediate-agent information policy replace
Step 4 Set the format of circuit-id to extend.

[Switch] pppoe intermediate-agent information format circuit-id extend
# Run the display pppoe intermediate-agent information policy command to verify the policy
for processing original fields in user-side packets.
[Switch] display pppoe intermediate-agent information policy
The current information Policy :REPLACE
The current ignore-reply Policy:ENABLE
# Run the display pppoe intermediate-agent information format to verify the format of
circuit-id.
[Switch] display pppoe intermediate-agent information format
The current information format :
Circuit ID : EXTEND
Remote ID : COMMON
For example:
interface GigabitEthernet0/0/1 SVLAN:200 CVLAN:100
The PPPOE Intermediate Agent information follow:
Circuit ID:00 04 00 c8 00 00
Remote ID:0022-0033-0044
----End
Configuration Files
#
sysname Switch
#
pppoe intermediate-agent information enable
pppoe intermediate-agent information format circuit-id extend
#
pppoe uplink-port trusted
#
return
8.13 Keychain Configuration

A keychain is a widely used application that controls authentication algorithms and key-string
in a centralized way.
Product Support
S2350 Not Supported

Product Support
S5300 Only supported by the S5310EI and S5300HI
S6300 Not supported
8.13.1 Example for Applying the Keychain to RIP

As shown in Figure 8-23, SwitchA and SwitchB are connected using RIP-2.
The RIP connection needs to be retained during data transmission.
Figure 8-23 Networking diagram of applying the keychain to RIP
Vlanif 10 Vlanif 10
192.168.1.1/24 192.168.1.2/24
GE0/0/1 GE0/0/1
SwitchA SwitchB
To ensure stable RIP connections, RIP protocol packets must be correctly transmitted. You are
advised to authenticate and encrypt the packets to ensure transmission security. In addition, to
prevent unauthorized users from forging algorithms and key strings used in authentication and
encryption, you are advised to dynamically change algorithms and key strings to ensure secure
RIP packet transmission. Therefore, the keychain protocol is used to ensure stability of RIP
connections.
1. Configure basic RIP functions.
2. Configure a keychain.
3. Apply the keychain to RIP.
Procedure
[SwitchA] rip 1


[SwitchB] rip 1
Step 2 Configure a keychain.
[SwitchA] keychain huawei mode absolute
[SwitchA-keychain-huawei] receive-tolerance 100
[SwitchA-keychain-huawei] key-id 1
[SwitchA-keychain-huawei-keyid-1] algorithm md5
[SwitchA-keychain-huawei-keyid-1] key-string plain hello
[SwitchA-keychain-huawei-keyid-1] send-time utc 0:00 2012-3-12 to 23:59 2012-3-12
[SwitchA-keychain-huawei-keyid-1] receive-time utc 0:00 2012-3-12 to 23:59
2012-3-12
[SwitchA-keychain-huawei-keyid-1] quit
[SwitchA-keychain-huawei] quit
[SwitchB] keychain huawei mode absolute
[SwitchB-keychain-huawei] receive-tolerance 100
[SwitchB-keychain-huawei] key-id 1
[SwitchB-keychain-huawei-keyid-1] algorithm md5
[SwitchB-keychain-huawei-keyid-1] key-string plain hello
[SwitchB-keychain-huawei-keyid-1] send-time utc 0:00 2012-3-12 to 23:59 2012-3-12
[SwitchB-keychain-huawei-keyid-1] receive-time utc 0:00 2012-3-12 to 23:59
2012-3-12
[SwitchB-keychain-huawei-keyid-1] quit
[SwitchB-keychain-huawei] quit
Step 3 Apply the keychain to RIP.
[SwitchA] vlan 10
[SwitchA-Vlanif10] rip authentication-mode md5 nonstandard keychain huawei
[SwitchA] quit
[SwitchB] vlan 10
[SwitchB-Vlanif10] rip authentication-mode md5 nonstandard keychain huawei
[SwitchB] quit

Run the display keychain keychain-name command to check the key-id status of the keychain.
<SwitchA> display keychain huawei
Keychain Information:
----------------------
Keychain Name : huawei
Timer Mode : Absolute
Receive Tolerance(min) : 100
TCP Kind : 254
TCP Algorithm IDs :
HMAC-MD5 : 5
HMAC-SHA1-12 : 2
HMAC-SHA1-20 : 6
HMAC-SHA-256 : 7
SHA-256 : 8
MD5 : 3
SHA1 : 4
Number of Key IDs : 1
Active Send Key ID : 1
Active Receive Key IDs : 01
Default send Key ID : Not configured
Key ID Information:
----------------------
Key ID : 1
Key string : ******
Algorithm : MD5
SEND TIMER :
Start time : 2012-03-12 00:00
End time : 2012-03-12 23:59
Status : Active
RECEIVE TIMER :
Start time : 2012-03-12 00:00
End time : 2012-03-12 23:59
Status : Active
After the keychain is applied to RIP, run the display rip process-id interface verbose command
to check the authentication mode of RIP packets. The display on Switch A is used as an example.
<SwitchA> display rip 1 interface verbose
Vlanif10(192.168.1.1)
State : UP MTU : 500
Metricin : 0
Metricout : 1
Input : Enabled Output : Enabled
Protocol : RIPv2 Multicast
Send version : RIPv2 Multicast Packets
Receive version : RIPv2 Multicast and Broadcast Packets
Poison-reverse : Disabled
Split-Horizon : Enabled
Authentication type : MD5 (Non-standard - Keychain: huawei)
Last Sequence Number Sent : 0x0
Replay Protection : Disabled
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
keychain huawei mode absolute

receive-tolerance 100
key-id 1
algorithm md5
key-string plain hello
send-time utc 00:00 2012-03-12 to 23:59 2012-03-12
receive-time utc 00:00 2012-03-12 to 23:59 2012-03-12
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
rip authentication-mode md5 nonstandard keychain huawei
#
#
rip 1
version 2
network 192.168.1.0
#
return

#
sysname SwitchB
#
vlan batch 10
#
keychain huawei mode absolute
key-id 1
algorithm md5
send-time utc 00:00 2012-03-12 to 23:59 2013-03-12
receive-time utc 00:00 2012-03-12 to 23:59 2012-03-12
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
rip authentication-mode md5 nonstandard keychain huawei
#
#
rip 1
version 2
network 192.168.1.0
#
return
8.13.2 Example for Applying the Keychain to BGP
As shown in Figure 8-24, SwitchA and SwitchB are connected using BGP.
The BGP connection needs to be retained during data transmission.

Figure 8-24 Networking diagram of applying the keychain to BGP
Vlanif 10 Vlanif 10
192.168.1.1/24 192.168.1.2/24
GE0/0/1 GE0/0/1
SwitchA SwitchB
1. Configure the basic keychain functions.

2. Configure a keychain for Switch to authenticate BGP.
Procedure
Step 1 Configure a keychain.
[SwitchA] keychain huawei mode periodic weekly
[SwitchA-keychain-huawei] tcp-kind 182
[SwitchA-keychain-huawei] tcp-algorithm-id md5 17
[SwitchA-keychain-huawei] receive-tolerance 100
[SwitchA-keychain-huawei] key-id 1
[SwitchA-keychain-huawei-keyid-1] algorithm md5
[SwitchA-keychain-huawei-keyid-1] key-string plain hello
[SwitchA-keychain-huawei-keyid-1] send-time day fri sat
[SwitchA-keychain-huawei-keyid-1] receive-time day fri sat
[SwitchA-keychain-huawei-keyid-1] quit
[SwitchA-keychain-huawei] quit
[SwitchB] keychain huawei mode periodic weekly
[SwitchB-keychain-huawei] tcp-kind 182
[SwitchB-keychain-huawei] tcp-algorithm-id md5 17
[SwitchB-keychain-huawei] receive-tolerance 100
[SwitchB-keychain-huawei] key-id 1
[SwitchB-keychain-huawei-keyid-1] algorithm md5
[SwitchB-keychain-huawei-keyid-1] key-string plain hello
[SwitchB-keychain-huawei-keyid-1] send-time day fri sat
[SwitchB-keychain-huawei-keyid-1] receive-time day fri sat
[SwitchB-keychain-huawei-keyid-1] quit
[SwitchB-keychain-huawei] quit
Step 2 Apply the keychain to BGP for authentication and encryption.
[SwitchA] vlan 10


[SwitchA] bgp 1
[SwitchA-bgp] peer 192.168.1.2 keychain huawei
[SwitchA-bgp] quit
[SwitchA] quit
[SwitchB] vlan 10
[SwitchB] bgp 1
[SwitchB-bgp] peer 192.168.1.1 keychain huawei
[SwitchB-bgp] quit
[SwitchB] quit
Run the display keychain keychain-name command to check the key-id status of the keychain.
<SwitchA> display keychain huawei
Keychain Information:
---------------------
Keychain Name : huawei
Timer Mode : Weekly periodic
Receive Tolerance(min) : 100
TCP Kind : 182
TCP Algorithm IDs :
HMAC-MD5 : 5
HMAC-SHA1-12 : 2
HMAC-SHA1-20 : 6
HMAC-SHA-256 : 7
SHA-256 : 8
MD5 : 17
SHA1 : 4
Number of Key IDs : 1
Active Send Key ID : 1
Active Receive Key IDs : 01
Default send Key ID : Not configured
Key ID Information:
-------------------
Key ID : 1
Key string : ******
Algorithm : MD5
SEND TIMER :
Day(s) : Fri Sat
Status : Active
RECEIVE TIMER :
Day(s) : Fri Sat
Status : Active

After the keychain is applied to BGP, run the display bgp peer ipv4-address verbose command
to check authentication information about the BGP peer. The display on Switch A is used as an
example.
<SwitchA> display bgp peer 192.168.1.2 verbose

Type: IBGP link
Update-group ID: 1
Update messages 0
Open messages 1
Refresh messages 0
Update messages 0
Open messages 2
Refresh messages 0
Authentication type configured: Keychain(huawei)
Last keepalive received: 2012/04/20 11:37:27
Last keepalive sent : 2012/04/20 11:37:27
----End
Configuration Files
l # Configuration file of Switch A
#
sysname SwitchA
#
vlan batch 10
#
keychain huawei mode periodic weekly
tcp-kind 182
tcp-algorithm-id md5 17
key-id 1
algorithm md5


send-time day fri sat
receive-time day fri sat
#
interface Vlanif10
ip address 192.168.1.1 255.255.255.0
#
#
bgp 1
router-id 1.1.1.1
peer 192.168.1.2 keychain huawei
#
ipv4-family unicast
#
return
l #Configuration file of Switch B

#
sysname SwitchB
#
vlan batch 10
#
keychain huawei mode periodic weekly
tcp-kind 182
tcp-algorithm-id md5 17
key-id 1
algorithm md5
send-time day fri sat
receive-time day fri sat
#
interface Vlanif10
ip address 192.168.1.2 255.255.255.0
#
#
bgp 1
router-id 2.2.2.2
peer 192.168.1.1 keychain huawei
#
ipv4-family unicast
#
return
8.14 ND Snooping Configuration

This chapter describes the principle and configuration method of ND snooping and provides

8.14.1 Example for Configuring ND Snooping
As shown in Figure 8-25, a switch is located between hosts and the gateway. No DHCPv6 server
is configured on the network, so the hosts obtain IPv6 addresses through stateless address
autoconfiguration. If attackers send bogus NA/NS/RA packets to the switch, the security issues
may occur, for example, users cannot obtain IPv6 addresses, communication is interrupted, and
user accounts and passwords are embezzled.
The network administrator requires that the switch be able to prevent bogus NA/NS/RA packets,
providing secure and stable network service to users. In addition, to manage IPv6 addresses of
users, the network administrator needs to know the prefixes allocated by the gateway to the users.
Figure 8-25 Networking diagram for configuring ND snooping
User A
G
E0
……
/0
/1 Switch Gateway
VLAN 10
GE0/0/2 Internet
GE0/0/3
User B VLAN 10
Attacker
1. Enable the ND snooping function so that the switch can generate the bindings between
addresses, VLANs, and interfaces for ND packet validity check.
2. Configure the interface connecting to the gateway as the trusted interface. Switch generates
a prefix management table based on RA packets received from the trusted interface so that
user addresses can be managed flexibly. Interfaces connecting to hosts are untrusted
interfaces by default. After ND snooping is enabled, Switch filters out RA packets received
from untrusted interfaces to prevent RA attacks.

3. Enable ND packet validity check so that the switch can check the NA/NS packets against
the binding table and filter out invalid NA/NS packets.
4. Configure automatic user status detection for users mapping ND snooping dynamic binding
entries so that mapping entries can be deleted in time when ND users are offline. This
conserves binding entry resources.
5. Set the maximum number of dynamic ND snooping binding entries allowed by an interface.
If the number of entries on an interface is not limited, the switch will consume a lot of entry
resources to process the NS packets when many users go online through this interface. As
a result, other users cannot communicate with each other.
Procedure
Step 1 Create a VLAN and configure interfaces.
# Create VLAN 10 on the switch.
# Add interfaces GE0/0/1, GE0/0/2, and GE0/0/3 to VLAN 10.

Step 2 Enable ND snooping.

# Enable ND snooping globally.
[Switch] nd snooping enable
# Enable ND snooping for VLAN 10.

[Switch] vlan 10
[Switch-vlan10] nd snooping enable
Step 3 # Configure GE0/0/3 as a trusted interface.

[Switch-GigabitEthernet0/0/3] nd snooping trusted
Step 4 Enable ND packet validity check.

[Switch] vlan 10
[Switch-vlan10] nd snooping check ns enable
[Switch-vlan10] nd snooping check na enable
Step 5 Enable automatic user status detection for users mapping ND snooping dynamic binding entries.
# Enable automatic user status detection for users mapping ND snooping dynamic binding entries
and set the number of times and interval for sending NS packets to detect the user status.

[Switch] nd user-bind detect enable

[Switch] nd user-bind detect retransmit 5 interval 600
Step 6 Set the maximum number of ND snooping dynamic binding entries to be learned by an interface.
[Switch] nd snooping max-user-number 200
Run the display this command in the system view. The command output shows that the ND
snooping function and automatic user status detection for users mapping ND snooping dynamic
binding entries have been enabled globally. In addition, the maximum number of dynamic ND
snooping binding entries allowed by the interface is set.
[Switch] display this
nd snooping enable
nd user-bind detect enable
nd user-bind detect retransmit 5 interval 600
nd snooping max-user-number 200
Run the display this command in the VLAN view. The command output shows that ND
snooping and ND packet validity check have been enabled in VLAN 10.
[Switch] vlan 10
[Switch-vlan10] display this
#
vlan 10
nd snooping enable
nd snooping check ns enable
nd snooping check na enable
#
return
Run the display this command to verify that GE0/0/3 has been configured as the trusted
interface.
[Switch-GigabitEthernet0/0/3] display this
#
nd snooping trusted
#
return
[Switch] quit
Run the display nd snooping prefix command to view the prefix management table of ND
users.
<Switch> display nd snooping prefix
prefix-table:
Prefix Length Valid-Time Preferred-Time
--------------------------------------------------------------------------------
3001:: 64 100000 100000
--------------------------------------------------------------------------------
Prefix table total count: 1
Run the display nd snooping user-bind all command to view the ND snooping dynamic binding
table.
<Switch> display nd snooping user-bind all
ND Dynamic Bind-table:
Flags:O - outer vlan ,I - inner vlan ,P - Vlan-

mapping
IP Address MAC Address VSI/VLAN(O/I/P) Lease
--------------------------------------------------------------------------------
3001::E58C:A2E7:AA4C:8E59 00e0-4c7c-af8f 10 /-- /-- 2011.05.06-20:09
--------------------------------------------------------------------------------
print count: 1 total count: 1
If the prefix management table and ND snooping dynamic binding table are generated on Switch,
ND snooping is configured successfully.
----End
Configuration File
#
sysname Switch
#
vlan batch 10
#
nd snooping enable
nd user-bind detect enable
nd user-bind detect retransmit 5 interval 600
nd snooping max-user-number 200
#
vlan 10
nd snooping enable
#
#
#
nd snooping trusted
#
return
8.15 SAVI Configurations

This chapter describes the principle and configuration methods of Source Address Validation
Improvements (SAVI) and provides configuration examples.
8.15.1 Example for Configuring the SAVI Function in a DHCPv6-

Only Scenario
As shown in Figure 8-26, SwitchA functions as an access device to connect to hosts in an
enterprise department. Many hosts exist in the department. To manage IPv6 addresses

efficiently, all hosts in the department obtain IPv6 addresses using DHCPv6. If an attacker sends
a large number of invalid DHCPv6 protocol packets or invalid IPv6 data packets, communication
of authorized users may be interrupted, and user accounts and passwords may be embezzled. To
prevent these problems, the administrator wants to configure SwitchA to defend against invalid
DHCPv6 protocol packets and invalid IPv6 data packets (with invalid source addresses) and
provides users with stable services on a secure network.
Figure 8-26 Networking diagram for configuring the SAVI function in a DHCPv6-Only scenario
DHCPv6 Server
DHCPv6 Client
G
E0
……
/0 Gateway
/1 SwitchA
VLAN 2
GE0/0/2 Campus
Network
DHCPv6 Client VLAN 2
GE0/0/3
Attacker
1. Configure DHCPv6 snooping so that bindings between address and ports can be generated
for validity of the source addresses in DHCPv6 protocol packets and IPv6 data packets.
2. Enable the SAVI function so that the device can check the validity of the source addresses
in DHCPv6 protocol packets based on the DHCPv6 snooping binding entries and filter out
invalid packets.
3. Enable IP source guard so that the device can check the validity of the source addresses in
IPv6 data packets based on the DHCPv6 snooping binding entries and filter out invalid
packets.
Procedure
Step 1 Enable the SAVI function.
[SwitchA] savi enable

Step 2 Create VLAN 2.

Step 3 Add GE0/0/1, GE0/0/2, GE0/0/3 to VLAN 2.

Step 4 Configure DHCPv6 snooping.

# Enable DHCPv6 snooping globally.
# Enable DHCPv6 snooping for VLAN 2.

[SwitchA] vlan 2
# Enable DHCPv6 protocol packet validity check against the DHCPv6 snooping binding table
in VLAN 2.
[SwitchA-vlan2] dhcp snooping check dhcp-request enable
# Configure GE0/0/3 connecting to the DHCP server as a trusted interface.

Step 5 Enable IP source guard for VLAN 2.

[SwitchA] vlan 2
[SwitchA-vlan2] ip source check user-bind enable

# Run the display this command in the system view to verify that the SAVI function and
DHCPv6 snooping are enabled globally.
[SwitchA] display this
#
dhcp enable
#
#
savi enable
#
return
# Run the display this command in the VLAN view. The command output shows that DHCPv6
snooping, DHCPv6 protocol packet validity check against the DHCPv6 snooping binding table,
and IP source guard have been enabled in VLAN 2.
[SwitchA] vlan 2
[SwitchA-vlan2] display this

#
vlan 2
dhcp snooping check dhcp-request enable
ip source check user-bind
enable
#
return
# Run the display this command in the interface view to verify that GE0/0/3 connecting to the
DHCP server are configured as a trusted interface.
#
#
return
----End
Configuration File
Configuration file of SwitchA.
#
sysname SwitchA
#
vlan batch 2
#
dhcp enable
#
#
savi enable
#
vlan 2
#
port default vlan 2
#
port default vlan 2
#
#
return
8.15.2 Example for Configuring the SAVI Function in an SLAAC-

Only Scenario

enterprise department. No DHCPv6 server is deployed on the network, and hosts in the
department can obtain IPv6 addresses using only SLAAC. If an attacker sends a large number
of invalid ND protocol packets or invalid IPv6 data packets, communication of authorized users
may be interrupted, and user accounts and passwords may be embezzled. To prevent these
problems, the administrator wants to configure SwitchA to defend against invalid ND protocol
packets and invalid IPv6 data packets (with invalid source addresses) and provides users with
stable services on a secure network.
Figure 8-27 Networking diagram for configuring the SAVI function in an SLAAC-Only
scenario
Host A
G
E0
……
/0 SwitchA Gateway
/1
VLAN 2
GE0/0/2 Internet
VLAN 2
Host B
GE0/0/3
Attacker
1. Configure ND snooping so that bindings between address and ports can be generated for
validity of the source addresses in ND protocol packets and IPv6 data packets.
in ND protocol packets based on the ND snooping binding entries and filter out invalid
packets.
IPv6 data packets based on the ND snooping binding entries and filter out invalid packets.
Procedure



Step 4 Configure ND snooping.

[SwitchA] nd snooping enable

[SwitchA] vlan 2
[SwitchA-vlan2] nd snooping enable
# Enable validity check for NA and NS packets in VLAN 2.

[SwitchA-vlan2] nd snooping check na enable
[SwitchA-vlan2] nd snooping check ns enable
# Configure GE0/0/3 connecting to the ND server as a trusted interface.

[SwitchA-GigabitEthernet0/0/3] nd snooping trusted

[SwitchA] vlan 2

# Run the display this command in the system view to verify that the SAVI function and ND
snooping are enabled globally.
[SwitchA] display
this
#
nd snooping enable
savi enable
#
return
# Run the display this command in the VLAN view. The command output shows that ND
snooping, ND6 protocol packet validity check, and IP source guard have been enabled in VLAN
2.
[SwitchA] vlan 2

#
vlan 2
nd snooping enable
ip source check user-bind
enable
#
return
# Run the display this command in the interface view to verify that GE0/0/3 connecting to the
ND server are configured as a trusted interface.
#
nd snooping trusted
#
return
----End
Configuration File
#
sysname SwitchA
#
vlan batch 2
#
nd snooping enable
savi enable
#
vlan 2
nd snooping enable
#
port default vlan 2
#
port default vlan 2
#
nd snooping trusted
#
return
8.15.3 Example for Configuring the SAVI Function in a DHCPv6

+SLAAC Scenario

enterprise department. Some hosts in the department obtain IPv6 addresses using SLAAC, and
other hosts obtain IPv6 addresses using DHCPv6. If an attacker sends a large number of invalid
ND protocol packets, invalid DHCPv6 protocol packets, or invalid IPv6 data packets,
communication of authorized users may be interrupted, and user accounts and passwords may
be embezzled. To prevent these problems, the administrator wants to configure SwitchA to
defend against invalid ND protocol packets, invalid DHCPv6 protocol packets, and invalid IPv6
data packets (with invalid source addresses) and provides users with stable services on a secure
network.
Figure 8-28 Networking diagram for configuring the SAVI function in a DHCPv6+SLAAC
scenario
DHCPv6 Server
DHCPv6 Client
G
E0
……
/0 Gateway
/1 SwitchA
VLAN 2
GE0/0/2 Campus
Network
Host VLAN 2
GE0/0/3
Attacker
1. Configure DHCPv6 snooping so that bindings between address and ports can be generated
for validity of the source addresses in DHCPv6 protocol packets and IPv6 data packets.
2. Configure ND snooping so that bindings between address and ports can be generated for
validity of the source addresses in ND protocol packets and IPv6 data packets.
in DHCPv6 protocol packets and ND protocol packets based on the DHCPv6 snooping and
ND snooping binding entries and filter out invalid packets.

IPv6 data packets based on the DHCPv6 snooping and ND snooping binding entries and
filter out invalid packets.
Procedure


Step 4 Configure DHCPv6 snooping.
# Enable DHCPv6 snooping globally.

# Enable DHCPv6 snooping for VLAN 2.

[SwitchA] vlan 2
# Enable DHCPv6 protocol packet validity check against the DHCPv6 snooping binding table
in VLAN 2.
[SwitchA-vlan2] dhcp snooping check dhcp-request enable
# Configure GE0/0/3 connecting to the DHCP server as a trusted interface.

Step 5 Configure ND snooping.

[SwitchA] nd snooping enable

[SwitchA] vlan 2
[SwitchA-vlan2] nd snooping enable
# Enable validity check for NA and NS packets in VLAN 2.

[SwitchA-vlan2] nd snooping check na enable

[SwitchA-vlan2] nd snooping check ns enable
# Configure GE0/0/3 connecting to the ND server as a trusted interface.

[SwitchA-GigabitEthernet0/0/3] nd snooping trusted

[SwitchA] vlan 2
# Run the display this command in the system view to verify that the SAVI function, DHCPv6
snooping, and ND snooping are enabled globally.
[SwitchA] display this
#
dhcp enable
#
#
nd snooping enable
savi enable
#
return
# Run the display this command in the VLAN view. The command output shows that DHCPv6
snooping, DHCPv6 protocol packet validity check against the DHCPv6 snooping binding table,
ND snooping, ND protocol packet validity check, and IP source guard have been enabled in
VLAN 2.
[SwitchA] vlan 2
#
vlan 2
nd snooping enable
#
return
# Run the display this command in the interface view to verify that GE0/0/3 is configures as
the DHCP snooping trusted interface and the ND snooping trusted interface.
#
nd snooping trusted
#
return
----End

Configuration File
#
sysname SwitchA
#
vlan batch 2
#
dhcp enable
#
#
nd snooping enable
savi enable
#
vlan 2
nd snooping enable
#
port default vlan 2
#
port default vlan 2
#
nd snooping trusted
#
return

Typical Configuration Examples 9 Reliability
9 Reliability
About This Chapter
This document describes the configuration of BFD, DLDP, VRRP, SmartLink, RRPP, ERPS,
Ethernet OAM and MAC swap loopback to ensure reliability on the device.
9.1 BFD Configuration

Bidirectional forwarding detection (BFD) allows network devices to quickly detect faults.
9.2 VRRP Configuration

The Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol. VRRP switches
services from the master device to the backup router when the next hop device of the master
device fails. This ensures nonstop service transmission and reliability.
9.3 DLDP Configuration

DLDP can detect unidirectional links of optical fibers or copper twisted pairs.
9.4 Smart Link Configuration

The Smart Link is applicable to dual uplinks and scenarios in which STP is not used, improving
access reliability.
9.5 MAC Swap Loopback Configuration

MAC swap loopback checks Ethernet connectivity and network performance.
9.6 EFM Configuration

Ethernet in the First Mile (EFM) can be enabled on both devices of a point-to-point link to
monitor connectivity and link quality.
9.7 CFM Configuration

Connectivity fault management (CFM) defines OAM functions and applies to large-scale end-
to-end Ethernet networks. It monitors network connectivity and locates connectivity faults.
9.8 Y.1731 Configuration

Y.1731 provides fault detection and fault management on an Ethernet end-to-end link.
9.9 ERPS (G.8032) Configuration

Ethernet ring protection switching (ERPS) is a standard protocol issued by the ITU-T to prevent
loops on ring networks. ERPS features fast convergence speed, ensuring carrier-class reliability.

Huawei and non-Huawei devices on a ring network supporting ERPS can communicate with
each other.
9.10 RRPP Configuration

Rapid Ring Protection Protocol (RRPP) prevents loops and implements fast convergence on ring
networks.

9.1 BFD Configuration

Bidirectional forwarding detection (BFD) allows network devices to quickly detect faults.
9.1.1 Example for Configuring Single-hop BFD for Detecting Faults

on a Layer 2 Link
As shown in Figure 9-1, SwitchA and SwitchB are connected through a Layer 2 interface. Faults
on the link between SwitchA and SwitchB need to be fast detected.
Figure 9-1 Single-hop BFD for detecting faults on a Layer 2 link

GE0/0/1 GE0/0/1
SwitchA SwitchB
Configure BFD sessions on SwitchA and SwitchB to detect faults on the link between
SwitchA and SwitchB.
Procedure
Step 1 Configure single-hop BFD on SwitchA.
# Enable BFD on SwitchA.

[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd atob bind peer-ip default-ip interface gigabitethernet 0/0/1

Step 2 Configure single-hop BFD on SwitchB.
# Enable BFD on SwitchB.

[SwitchB] bfd
[SwitchB-bfd] quit


[SwitchB] bfd btoa bind peer-ip default-ip interface gigabitethernet 0/0/1

After the configuration is complete, run the display bfd session all verbose command on
SwitchA and SwitchB. You can see that a single-hop BFD session is set up and its status is Up.
The display on SwitchA is used as an example.
<SwitchA> display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 4097 (One Hop) State : Up Name : atob
--------------------------------------------------------------------------------
Local Discriminator : 1 Remote Discriminator : 2
Session Detect Mode : Asynchronous Mode Without Echo Function
BFD Bind Type : Interface(GigabitEthernet0/0/1)
Bind Session Type : Static
Bind Peer IP Address : 224.0.0.184
NextHop Ip Address : 224.0.0.184
Bind Interface : GigabitEthernet0/0/1
FSM Board Id : 0 TOS-EXP : 7
Min Tx Interval (ms) : 1000 Min Rx Interval (ms) : 1000
Actual Tx Interval (ms): 1000 Actual Rx Interval (ms): 1000
Local Detect Multi : 3 Detect Interval (ms) : 3000
Echo Passive : Disable Acl Number : -
Destination Port : 3784 TTL : 255
Proc Interface Status : Disable Process PST : Disable
WTR Interval (ms) : -
Active Multi : 3
Last Local Diagnostic : No Diagnostic
Bind Application : No Application Bind
Session TX TmrID : - Session Detect TmrID : -
Session Init TmrID : - Session WTR TmrID : -
Session Echo Tx TmrID : -
PDT Index : FSM-0 | RCV-0 | IF-0 | TOKEN-0
Session Description : -
--------------------------------------------------------------------------------
# Run the shutdown command on GE0/0/1 of SwitchA to simulate a link fault.

[SwitchA-GigabitEthernet0/0/1] shutdown
SwitchA and SwitchB. You can see that a single-hop BFD session is set up and its status is
Down. The display on SwitchA is used as an example.
--------------------------------------------------------------------------------
Session MIndex : 4097 (One Hop) State : Down Name : atob
--------------------------------------------------------------------------------


Local Detect Multi : 3 Detect Interval (ms) : -
Active Multi : 3
Last Local Diagnostic : Control Detection Time Expired
Session TX TmrID : 16402 Session Detect TmrID : -
--------------------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
bfd
#
bfd atob bind peer-ip default-ip interface GigabitEthernet0/0/1
commit
#
return

#
sysname SwitchB
#
bfd
#
bfd btoa bind peer-ip default-ip interface GigabitEthernet0/0/1
commit
#
return
9.1.2 Example for Configuring Single-Hop BFD on a VLANIF

Interface
As shown in Figure 9-2, SwitchA connects to SwitchB through the VLANIF interface. Faults
on the link between SwitchA and SwitchB need to be fast detected.

Figure 9-2 Networking diagram for configuring single-hop BFD on a VLANIF interface
VLANIF100 VLANIF100
10.1.1.5/24 10.1.1.6/24
GE0/0/1 GE0/0/1
SwitchA SwitchB
Configure BFD sessions on SwitchA and SwitchB.
Procedure
Step 1 On SwitchA and SwitchB, create VLANs, configure GE0/0/1 interfaces as hybrid interfaces,
and add GE0/0/1 interfaces to VLANs. The configuration details are not mentioned here.
Step 2 Configure IP addresses for VLANIF interfaces so that SwitchA and SwitchB can communicate
at Layer 3. The configuration details are not mentioned here.
Step 3 Configure single-hop BFD.
# Enable BFD and create a BFD session on SwitchA.

[SwitchA] bfd
[SwitchA-bfd] quit
# Enable BFD and create a BFD session on SwitchB.

[SwitchB] bfd
[SwitchB-bfd] quit
# After the configuration is complete, run the display bfd session all verbose command on
[SwitchA] display bfd session all verbose
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
BFD Bind Type : Interface(Vlanif100)


Bind Interface : Vlanif100
Active Multi : 3
--------------------------------------------------------------------------------
# Run the shutdown command on the GE0/0/1 interface of SwitchA to simulate a link fault.
SwitchA and SwitchB. You can see that a single-hop BFD session is set up and its status is
Down. Take the display on SwitchA as an example.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Active Multi : 3
--------------------------------------------------------------------------------
----End

Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
bfd
#
interface Vlanif100
ip address 10.1.1.5 255.255.255.0
#
#
commit
#
return

#
sysname SwitchB
#
vlan batch 100
#
bfd
#
interface Vlanif100
ip address 10.1.1.6 255.255.255.0
#
#
commit
#
return
9.1.3 Example for Configuring Multi-Hop BFD
As shown in Figure 9-3, SwitchA is indirectly connected to SwitchC. Static routes are
configured so that SwitchA can communicate with SwitchC. Faults on the link between
SwitchA and SwitchC need to be fast detected.

Figure 9-3 Networking diagram for configuring multi-hop BFD
GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1

10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24
VLAN 10 VLAN 20
Configure BFD sessions on SwitchA and SwitchC to detect the multi-hop route.
Procedure
Step 1 Add interfaces to VLANs, create VLANIF interfaces, and assign IP addresses to VLANIF
interfaces. The configuration details are not mentioned here.
Step 2 Configure a reachable static route between SwitchA and SwitchC.

[SwitchA] ip route-static 10.2.1.0 24 10.1.1.2
The configuration of SwitchC is similar to the configuration of SwitchA, and is not mentioned
here.
Step 3 Configure multi-hop BFD.
# Create a BFD session between SwitchA and SwitchC.

[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd atoc bind peer-ip 10.2.1.2
[SwitchA-bfd-session-atoc] discriminator local 10
[SwitchA-bfd-session-atoc] discriminator remote 20
[SwitchA-bfd-session-atoc] commit
[SwitchA-bfd-session-atoc] quit
# Create a BFD session between SwitchC and SwitchA.

[SwitchC] bfd
[SwitchC-bfd] quit
[SwitchC] bfd ctoa bind peer-ip 10.1.1.1
[SwitchC-bfd-session-ctoa] discriminator local 20
[SwitchC-bfd-session-ctoa] discriminator remote 10
[SwitchC-bfd-session-ctoa] commit
[SwitchC-bfd-session-ctoa] quit
After the configuration, run the display bfd session verbose command on SwitchA and
SwitchC. You can see that a BFD session is set up and is in Up state. Take the display on
--------------------------------------------------------------------------------
Session MIndex : 4097 (Multi Hop) State :Up Name : atoc

--------------------------------------------------------------------------------
BFD Bind Type : Peer Ip Address
Bind Interface : -
Active Multi : 3
--------------------------------------------------------------------------------
# Run the shutdown command on the GE0/0/1 interface of SwitchA to simulate a link fault.
After the configuration, run the display bfd session all verbose command on SwitchA and
SwitchB. You can see that a multi-hop BFD session is set up and the status is Down. Take the
display on SwitchA as an example.
--------------------------------------------------------------------------------
Session MIndex : 4097 (Multi Hop) State :Down Name : atoc
--------------------------------------------------------------------------------
Bind Interface : -
Active Multi : 3
--------------------------------------------------------------------------------

----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
bfd
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
bfd atoc bind peer-ip 10.2.1.2
commit
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

#
sysname SwitchB
#
vlan batch 10 20
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
#
#
return

#
sysname SwitchC
#
bfd
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.0
#

#
bfd ctoa bind peer-ip 10.1.1.1
commit
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return
9.1.4 Example for Associating the BFD Session Status with the
Interface Status
As shown in Figure 9-4, SwitchA is directly connected to SwitchB and Layer 2 transmission
devices, SwitchC and SwitchD, are deployed between them. It is required that SwitchA and
SwitchB fast detect link faults to trigger fast route convergence.
Figure 9-4 Associating the BFD session status with the interface status
VLAINF10 VLAINF10
10.1.1.1/24 10.1.1.2/24
GE0/0/1 GE0/0/1
SwitchA SwitchC SwitchD SwitchB
1. Configure BFD sessions on SwitchA and SwitchB to detect faults on the link between
2. Configure association between the BFD session status and interface status on SwitchA and
SwitchB after the BFD session becomes Up.
Procedure
Step 1 Set IP addresses of the directly connected interfaces on SwitchA and SwitchB.
# Assign an IP address to the interface of SwitchA.

[SwitchA] vlan 10
# Assign an IP address to the interface of SwitchB.

[SwitchB] vlan 10
Step 2 Configure single-hop BFD.
# Enable BFD on SwitchA and configure the BFD session between SwitchA and SwitchB.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd atob bind peer-ip default-ip interface gigabitethernet 0/0/1
# Enable BFD on SwitchB and set up the BFD session between SwitchA and SwitchB.
[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bfd btoa bind peer-ip default-ip interface gigabitethernet 0/0/1
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Bind Peer Ip Address : 224.0.0.184
Echo Passive : Disable Acl Number : --
Proc interface status : Disable Process PST : Disable
WTR Interval (ms) : --
Active Multi : 3
Session TX TmrID : -- Session Detect TmrID : --
Session Init TmrID : -- Session WTR TmrID : --
Session Description : --
--------------------------------------------------------------------------------

Step 3 Configuring association between BFD session status and interface status.
# Configure association between the BFD session status and the interface status on SwitchA.
[SwitchA] bfd atob
[SwitchA-bfd-session-atob] process-interface-status
# Configure association between the BFD session status and the interface status on SwitchB.
[SwitchB] bfd btoa
[SwitchB-bfd-session-btoa] process-interface-status

SwitchA and SwitchB. You can see that the Proc interface status displays field is Enable.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Proc interface status : Enable Process PST : Disable
Active Multi : 3
Bind Application : IFNET
--------------------------------------------------------------------------------
Run the shutdown command on GE0/0/1 of SwitchB to make the BFD session go Down.
Run the display bfd session all verbose and display interface gigabitethernet 0/0/1 commands
on SwitchA. You can see that the BFD session status is Down, and the status of GE0/0/1 is UP
(BFD status down).
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
Proc interface status : Enable Process PST : Disable
Active Multi : 3
Bind Application : IFNET
--------------------------------------------------------------------------------

[SwitchA] display interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 current state : UP
Line protocol current state : UP(BFD status down)
...
NOTE
The output of the display interface gigabitethernet 0/0/1 command displays information that you needs
to concern and "..." indicates that information is omitted.
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
bfd
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
bfd atob bind peer-ip default-ip interface GigabitEthernet0/0/1
process-interface-status
commit
#
return

#
sysname SwitchB
#
vlan batch 10
#
bfd
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
#
bfd btoa bind peer-ip default-ip interface GigabitEthernet0/0/1
process-interface-status
commit
#
return
9.1.5 Example for Configuring Association Between a BFD Session

and an Interface
As shown in Figure 9-5, CE1 is dual-homed to PE1 and PE2, and CE2 is dual-homed to PE3
and PE4. Traffic is forwarded through the primary path CE1 -> PE1 -> PE3 -> CE2. It is required
that faults on links between PEs be fast detected so that CEs can detect faults and traffic is
switched to the standby path CE1 -> PE2 -> PE4 -> CE2.
NOTE
The CEs must be directly connected to the PEs and no Layer 2 devices are deployed between CE1 and PE1
and between CE2 and PE2.

Figure 9-5 Networking diagram for configuring association between a BFD session and an
interface
GE0/0/2
PE1 Vlanif20 PE3
20.1.1.1/24
GE0/0/2
GE0/0/1 Vlanif30
Vlanif10 GE0/0/1
Vlanif20 30.1.1.1/24
10.1.1.2/24
20.1.1.2/24
GE0/0/1 GE0/0/1
GE0/0/3 CE2 GE0/0/3
Vlanif10 Vlanif30
Vlanif100 Vlanif110
10.1.1.1/24 30.1.1.2/24
100.1.1.1/24 110.1.1.1/24
CE1
GE0/0/2 GE0/0/2
Vlanif40 Vlanif60
40.1.1.1/24 GE0/0/2 60.1.1.1/24
Vlanif50
GE0/0/1 GE0/0/2
50.1.1.1/24
Vlanif40 Vlanif60
40.1.1.2/24 GE0/0/1 60.1.1.2/24
PE2 Vlanif50 PE4
50.1.1.2/24
1. Configure devices to advertise routes through OSPF and set the OSPF cost of VLANIF 40
on CE1 and VLANIF 60 on CE2 to 10 so that traffic is transmitted through the primary
path CE1 -> PE1 -> PE3 -> CE2.
2. Create a BFD session on PE1 to detect the directly connected link between PE1 and PE2.
3. Create a BFD session on PE3 to detect the directly connected link between PE2 and PE1.
4. Associate the BFD session with GE0/0/1 on PE1, and associate the BFD session with
GE0/0/2 on PE3.
Procedure
Step 1 Configure interface IP addresses.
Configure VLANs allowed by interfaces and assign IP addresses to VLANIF interfaces

according to Figure 9-5.
Step 2 Configure a routing protocol.
OSPF is used in this example.
Run OSPF on CEs and PEs. To ensure that traffic is transmitted through the path CE1 -> PE1 -
> PE3 -> CE2, increase the OSPF cost of VLANIF 40 on CE1 and VLANIF 60 on CE2. For
example, change the cost to 10.
# Configure PE1.

[PE1] ospf 1
[PE1-ospf-1] area 0.0.0.0
[PE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[PE1-ospf-1-area-0.0.0.0] quit
[PE1-ospf-1] quit
The configurations of PE2, PE3, and PE4 are similar to the configuration of PE1, and are not
mentioned here.
# Configure CE1.
[CE1] ospf 1
[CE1-ospf-1] area 0.0.0.0
[CE1-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[CE1-ospf-1-area-0.0.0.0] quit
[CE1-ospf-1] quit
[CE1-Vlanif40] ospf cost 10
[CE1-Vlanif40] quit
# Configure CE2.
[CE2] ospf 1
[CE2-ospf-1] area 0.0.0.0
[CE2-ospf-1-area-0.0.0.0] quit
[CE2-ospf-1] quit
[CE2-Vlanif60] ospf cost 10
[CE2-Vlanif60] quit
Run the display ip routing-table command on CE1. You can see that the outbound interface
for the route from CE1 to 110.1.1.0/24 is VLANIF 10, indicating that traffic is transmitted along
the primary path.
[CE1] display ip routing-table
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10

10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
20.1.1.0/24 OSPF 10 2 D 10.1.1.2 Vlanif10
30.1.1.0/24 OSPF 10 3 D 10.1.1.2 Vlanif10
40.1.1.0/24 Direct 0 0 D 40.1.1.1 Vlanif40
40.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif40
50.1.1.0/24 OSPF 10 11 D 40.1.1.2 Vlanif40
60.1.1.0/24 OSPF 10 13 D 10.1.1.2 Vlanif10
100.1.1.0/24 Direct 0 0 D 100.1.1.1 Vlanif100
100.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
110.1.1.0/24 OSPF 10 4 D 10.1.1.2 Vlanif10
Step 3 Create BFD sessions.

# Configure PE1.
[PE1] bfd
[PE1-bfd] quit

[PE1] bfd pe1tope3 bind peer-ip 20.1.1.2 interface vlanif 20

[PE1-bfd-session-pe1tope3] discriminator local 1
[PE1-bfd-session-pe1tope3] discriminator remote 2
[PE1-bfd-session-pe1tope3] commit
[PE1-bfd-session-pe1tope3] quit
# Configure PE3.
[PE3] bfd
[PE3-bfd] quit
[PE3] bfd pe3tope1 bind peer-ip 20.1.1.1 interface vlanif 20
Step 4 Associate BFD sessions with interfaces.

Associate the BFD session with GE0/0/1.
# Configure PE1.
[PE1] oam-mgr
[PE1-oam-mgr] oam-bind bfd-session 1 trigger if-down interface gigabitethernet
0/0/1
[PE1-oam-mgr] quit
# Configure PE3.
[PE3] oam-mgr
[PE3-oam-mgr] oam-bind bfd-session 2 trigger if-down interface gigabitethernet
0/0/2
[PE3-oam-mgr] quit

Run the shutdown command on GE0/0/1 of PE3 to simulate a link fault. After receiving the
fault notification message encapsulated into a BFD packet sent by the OAM management
module, CE1 can detect the link fault between PE1 and PE3.
Run the display bfd session all verbose command on PE1. You can see that the BFD session
becomes Down and the value of Bind Application is ETHOAM.
[PE1] display bfd session all verbose
--------------------------------------------------------------------------------
Session MIndex : 258 (One Hop) State : Down Name : pe1tope3
--------------------------------------------------------------------------------
Active Multi : 3
Bind Application : ETHOAM


--------------------------------------------------------------------------------
Run the display ip routing table command on CE1 to check the route from CE1 to CE2. The
next hop of 110.1.1.0/24 is 40.1.1.2. That is, the traffic is forwarded through the standby path.
[CE1] display ip routing-table
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10

10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
30.1.1.0/24 OSPF 10 13 D 40.1.1.2 Vlanif40
40.1.1.0/24 Direct 0 0 D 40.1.1.1 Vlanif40
40.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif40
50.1.1.0/24 OSPF 10 11 D 40.1.1.2 Vlanif40
60.1.1.0/24 OSPF 10 12 D 40.1.1.2 Vlanif40
100.1.1.0/24 Direct 0 0 D 100.1.1.1 Vlanif100
100.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
110.1.1.0/24 OSPF 10 13 D 40.1.1.2 Vlanif40
----End
Configuration Files
#
sysname CE1
#
#
bfd
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif40
ip address 40.1.1.1 255.255.255.0
ospf cost 10
#
interface Vlanif100
ip address 100.1.1.1 255.255.255.0
#
#
#
#

ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
network 100.1.1.0 0.0.0.255
#
return

#
sysname CE2
#
#
bfd
#
interface Vlanif30
ip address 30.1.1.2 255.255.255.0
#
interface Vlanif60
ip address 60.1.1.1 255.255.255.0
ospf cost 10
#
interface Vlanif110
ip address 110.1.1.1 255.255.255.0
#
#
#
#
ospf 1
area 0.0.0.0
network 30.1.1.0 0.0.0.255
network 60.1.1.0 0.0.0.255
network 110.1.1.0 0.0.0.255
#
return

#
sysname PE1
#
vlan batch 10 20
#
bfd
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 20.1.1.1 255.255.255.0
#
#
#

bfd pe1tope3 bind peer-ip 20.1.1.2 interface Vlanif20

commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255
#
oam-mgr
oam-bind ingress interface GigabitEthernet0/0/1 egress bfd-session 1 trigger
if-down
oam-bind ingress bfd-session 1 trigger if-down egress interface
#
return

#
sysname PE2
#
vlan batch 40 50
#
bfd
#
interface Vlanif40
ip address 40.1.1.2 255.255.255.0
#
interface Vlanif50
ip address 50.1.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 40.1.1.0 0.0.0.255
network 50.1.1.0 0.0.0.255
#
return

#
sysname PE3
#
vlan batch 20 30
#
bfd
#
interface Vlanif20
ip address 20.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 30.1.1.1 255.255.255.0
#
#


#
bfd pe3tope1 bind peer-ip 20.1.1.1 interface Vlanif20
commit
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
oam-mgr
oam-bind ingress interface GigabitEthernet0/0/2 egress bfd-session 2 trigger
if-down
oam-bind ingress bfd-session 2 trigger if-down egress interface
#
return

#
sysname PE4
#
vlan batch 50 60
#
bfd
#
interface Vlanif50
ip address 50.1.1.2 255.255.255.0
#
interface Vlanif60
ip address 60.1.1.2 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 50.1.1.0 0.0.0.255
network 60.1.1.0 0.0.0.255
#
return
9.1.6 Example for Configuring the BFD Echo Function
As shown in Figure 9-6, SwitchA connects to SwitchB through a direct link. SwitchA supports
BFD, whereas SwitchB does not support BFD. Faults on the link between SwitchA and
SwitchB need to be fast detected.

Figure 9-6 Networking diagram for configuring the BFD echo function
SwitchA Single-hop SwitchB

BFD session
VLANIF13 VLANIF13
GE0/0/1 GE0/0/1
10.1.1.5/24 10.1.1.6/24
Supporting BFD Not supporting BFD
l Configure the BFD echo function on SwitchA to detect faults on the link between
Procedure
Step 1 On SwitchA and SwitchB, create VLANs, and configure GE0/0/1 interfaces as hybrid interfaces
and add the interfaces to VLANs.
[SwitchA] vlan 13
[SwitchB] vlan 13
Step 2 Set IP addresses of VLANIF interfaces so that SwitchA can communicate with SwitchB at Layer
3.
[SwitchB] interface vlanif13
Step 3 Configure a BFD session supporting the BFD echo function.

[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd atob bind peer-ip 10.1.1.6 interface vlanif13 source-ip 10.1.1.5 one-
arm-echo
[SwitchA-bfd-session-atob] min-echo-rx-interval 100

SwitchA. You can see that a single-hop BFD session is set up and its status is Up.
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Local Discriminator : 1 Remote Discriminator : -
Session Detect Mode : Asynchronous One-arm-echo Mode
Echo Rx Interval (ms) : 100
Active Multi : 3
--------------------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 13
#
bfd
#
interface Vlanif13
ip address 10.1.1.5 255.255.255.0
#
#
bfd atob bind peer-ip 10.1.1.6 interface Vlanif13 source-ip 10.1.1.5 one-arm-
echo

min-echo-rx-interval 100
commit
#
return

#
sysname SwitchB
#
vlan batch 13
#
interface Vlanif13
ip address 10.1.1.6 255.255.255.0
#
#
return
9.2 VRRP Configuration

The Virtual Router Redundancy Protocol (VRRP) is a fault-tolerant protocol. VRRP switches
services from the master device to the backup router when the next hop device of the master
device fails. This ensures nonstop service transmission and reliability.
9.2.1 Example for Configuring a VRRP Group in Active/Standby

Mode
As shown in Figure 9-7, HostA is dual-homed to SwitchA and SwitchB through the switch. The
l The host uses SwitchA as the default gateway to connect to the Internet. When SwitchA
becomes faulty, SwitchB functions as the gateway. This implements gateway backup.
l After SwitchA recovers, it becomes the gateway within 20s.

Figure 9-7 Networking diagram for configuring a VRRP group

VRRP VRID 1
Virtual IP Address: SwitchA
10.1.1.111 GE0/0/2 Master
GE0/0/1
10.1.1.1/24
192.168.1.1/24
GE0/0/5 GE0/0/1
GE0/0/1 192.168.1.2/24
GE0/0/3
Switch SwitchC Internet
20.1.1.100/24
HostA GE0/0/2 GE0/0/2
GE0/0/5 192.168.2.2/24
10.1.1.100/24
GE0/0/1
GE0/0/2 192.168.2.1/24
10.1.1.2/24 SwitchB
Backup
SwitchA GE0/0/1 VLANIF 300 192.168.1.1/24
GE0/0/2 VLANIF 100 10.1.1.1/24
GE0/0/5 VLANIF 100 10.1.1.1/24
SwitchB GE0/0/1 VLANIF 200 192.168.2.1/24
GE0/0/2 VLANIF 100 10.1.1.2/24
GE0/0/5 VLANIF 100 10.1.1.2/24
SwitchC GE0/0/1 VLANIF 300 192.168.1.2/24
GE0/0/2 VLANIF 200 192.168.2.2/24
GE0/0/3 VLANIF 400 20.1.1.100/24
1. Assign an IP address to each interface and configure a routing protocol to ensure network
connectivity.
2. Configure a VRRP group on SwitchA and SwitchB, set a higher priority for SwitchA so
that SwitchA functions as the master to forward traffic and set the preemption delay to 20s
on SwitchA, and set a lower priority for SwitchB so that SwitchB functions as the backup.
3. Configure a loop prevention protocol (STP for example) on SwitchA, SwitchB and
Switch.

Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface. SwitchA is used as an example. The configurations of

SwitchB and SwitchC are similar to the configuration of SwitchA, and are not mentioned here.
# Configure Layer 2 transparent transmission on the switch.

[Switch] vlan 100
# Configure OSPF between SwitchA, SwitchB, and SwitchC. SwitchA is used as an example.
[SwitchA] ospf 1
# Configure VRRP group 1 on SwitchA, and set the priority of SwitchA to 120 and the
preemption delay to 20s.

# Configure VRRP group 1 on SwitchB. SwitchB uses default value 100.

Enable STP globally on SwitchA, SwitchB and Switch.
# After the configuration is complete, run the display vrrp command on SwitchA and
SwitchB. You can see that SwitchA is in Master state and SwitchB is in Backup state.
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46 UTC+08:00
State : Backup
Virtual IP : 10.1.1.111
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46 UTC+08:00
# Run the display ip routing-table command on SwitchA and SwitchB. The command output
shows that a direct route to the virtual IP address exists in the routing table of SwitchA and an
OSPF route to the virtual IP address exists in the routing table of SwitchB. The command output
on SwitchA and SwitchB is as follows:
<SwitchA> display ip routing-table
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif100

10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100

10.1.1.111/32 Direct 0 0 D 127.0.0.1 Vlanif100
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif300
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif300
192.168.2.0/24 OSPF 10 2 D 10.1.1.2 Vlanif100
<SwitchB> display ip routing-table
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif100

10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.1.111/32 OSPF 10 2 D 10.1.1.1 Vlanif100
192.168.1.0/24 OSPF 10 2 D 10.1.1.1 Vlanif100
OSPF 10 2 D 192.168.2.2 Vlanif200
192.168.2.0/24 Direct 0 0 D 192.168.2.1 Vlanif200
192.168.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif200
# Run the shutdown command on GE0/0/2 and GE0/0/5 of SwitchA to simulate a link fault.
# Run the display vrrp command on SwitchB to view the VRRP status. The command output
shows that SwitchB is in Master state.
State : Master
Virtual IP : 10.1.1.111
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46 UTC+08:00
# Run the undo shutdown command on GE0/0/2 and GE0/0/5 of SwitchA. After 20s, run the
display vrrp command on SwitchA to view the VRRP status. SwitchA restores to be in Master
state.
[SwitchA-GigabitEthernet0/0/2] undo shutdown

[SwitchA] display vrrp

State : Master
Virtual IP : 10.1.1.111
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46 UTC+08:00
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100 300
#
stp enable
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return

#
sysname SwitchB
#
vlan batch 100 200
#
stp enable

#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

#
sysname SwitchC
#
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif300
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif400
ip address 20.1.1.100 255.255.255.0
#
#
#
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
l Configuration file of the switch

#
sysname Switch
#
vlan batch 100

#
stp enable
#
#
#
return
9.2.2 Example for Configuring a VRRP Group in Load Balancing

Mode
As shown in Figure 9-8, HostA and HostC are dual-homed to SwitchA and SwitchB through
the switch. Load balancing is required in this scenario. HostA uses SwitchA as the default
gateway to connect to the Internet, and SwitchB functions as the backup gateway. HostC uses
SwitchB as the default gateway to connect to the Internet, and SwitchA functions as the backup
gateway.
Figure 9-8 Networking diagram for configuring VRRP in load balancing mode
VRRP VRID 1 SwitchA

Virtual IP Address: VRID 1:Master
10.1.1.111 VRID 2:Backup
GE0/0/1
HostA 192.168.1.1/24
10.1.1.100/24
GE0/0/2 GE0/0/1
GE0/0/1 10.1.1.1/24 192.168.1.2/24
Switch GE0/0/3 Internet
SwitchC 20.1.1.100/24
GE0/0/2 GE0/0/2 GE0/0/2
10.1.1.2/24 192.168.2.2/24
HostC GE0/0/1
10.1.1.101/24 192.168.2.1/24
SwitchB
VRID 1:Backup
VRRP VRID 2 VRID 2:Master
Virtual IP Address:
10.1.1.112
SwitchA GE0/0/1 VLANIF 300 192.168.1.1/24
GE0/0/2 VLANIF 100 10.1.1.1/24

SwitchB GE0/0/1 VLANIF 200 192.168.2.1/24
GE0/0/2 VLANIF 100 10.1.1.2/24
SwitchC GE0/0/1 VLANIF 300 192.168.1.2/24
GE0/0/2 VLANIF200 192.168.2.2/24
GE0/0/3 VLANIF 400 20.1.1.100/24
connectivity.
2. Create VRRP groups 1 and 2 on SwitchA and SwitchB. In VRRP group 1, configure
SwitchA as the master and SwitchB as the backup. In VRRP group 2, configure SwitchB
as the master and SwitchA as the backup.
Procedure

[Switch] vlan 100


# Configure OSPF between SwitchA, SwitchB, and SwitchC. SwitchA is used as an example.
[SwitchA] ospf 1
# Configure VRRP group 1 on SwitchA and SwitchB, set the priority of SwitchA to 120 and the
preemption delay to 20s, and set the default priority for SwitchB.
# Configure VRRP group 2 on SwitchA and SwitchB, set the priority of SwitchB to 120 and the
preemption delay to 20s, and set the default priority for SwitchA.
[SwitchB-Vlanif100] vrrp vrid 2 priority 120
[SwitchB-Vlanif100] vrrp vrid 2 preempt-mode timer delay 20
# After the configuration is complete, run the display vrrp command on SwitchA. You can see
that SwitchA is the master in VRRP group 1 and the backup in VRRP group 2.
State : Master
Virtual IP : 10.1.1.111
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46 UTC+08:00

State : Backup
Virtual IP : 10.1.1.112
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Create time : 2012-01-12 20:15:46 UTC+08:00
# After the configuration is complete, run the display vrrp command on SwitchB. You can see
that SwitchB is the backup in VRRP group 1 and the master in VRRP group 2.
State : Backup
Virtual IP : 10.1.1.111
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46 UTC+08:00

State : Master
Virtual IP : 10.1.1.112
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Create time : 2012-01-12 20:15:46 UTC+08:00
----End
Configuration Files
#
sysname SwitchA
#

vlan batch 100 300

#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return

#
sysname SwitchB
#
vlan batch 100 200
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

#
sysname SwitchC
#
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#

interface Vlanif300
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif400
ip address 20.1.1.100 255.255.255.0
#
#
#
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

#
sysname Switch
#
vlan batch 100
#
#
#
return
9.2.3 Example for Configuring Association Between VRRP and BFD

to Implement a Rapid Active/Standby Switchover
As shown in Figure 9-9, hosts on a LAN are dual-homed to SwitchA and SwitchB through the
switch. A VRRP group is established on SwitchA and SwitchB, and SwitchA is the master.
When SwitchA or the link between SwitchA and the switch is faulty, the switchover period is
within 1s. This reduces the impact of the fault on service transmission.

Figure 9-9 Association between VRRP and BFD to implement a rapid active/standby switchover
VRRP VRID 1
Virtual IP Address:
10.1.1.3/24 GE0/0/1
Master
VLANIF100 SwitchA
10.1.1.1/24
HostA
GE0/0/1
Switch Internet
GE0/0/2
HostB GE0/0/1
VLANIF100 SwitchB
10.1.1.2/24 Backup BFD packets
connectivity.
2. Configure a VRRP group on SwitchA and SwitchB. SwitchA functions as the master, its
priority is 120, and the preemption delay is 20s. SwitchB functions as the backup and uses
the default priority.
3. Configure a static BFD session on SwitchA and SwitchB to monitor the link of the VRRP
group.
4. Association between VRRP and BFD is configured on SwitchB. When the link is faulty,
an active/standby switchover can be performed rapidly.
Procedure
# Assign an IP address to each interface. SwitchA is used as an example. The configuration of

SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] vlan 100

[Switch] vlan 100

# Configure OSPF between SwitchA and SwitchB. SwitchA is used as an example. The
configuration of SwitchB is similar to the configuration of SwitchA, and is not mentioned here.
[SwitchA] ospf 1

# Configure VRRP group 1 on SwitchA, and set the priority of SwitchA to 120 and the
# Configure VRRP group 1 on SwitchB. SwitchB uses default value 100.

Step 3 Configure a static BFD session.

[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA-bfd-session-atob] min-rx-interval 100
[SwitchA-bfd-session-atob] min-tx-interval 100
[SwitchB-bfd-session-atob] commit

[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB-bfd-session-btoa] min-rx-interval 100
[SwitchB-bfd-session-btoa] min-tx-interval 100
Run the display bfd session command on SwitchA and SwitchB. You can see that the BFD
session is Up. The display on SwitchA is used as an example.
<SwitchA> display bfd session all
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
1 2 10.1.1.2 Up S_IP_IF Vlanif100
--------------------------------------------------------------------------------
Step 4 Associate BFD with VRPP.

# Configure association between VRRP and BFD on SwitchB. When the BFD session becomes
Down, the priority of SwitchB increases by 40.
[SwitchB-Vlanif100] vrrp vrid 1 track bfd-session 2 increased 40

# After the configuration is complete, run the display vrrp command on SwitchA and SwitchB.
SwitchA is the master, SwitchB is the backup, and the associated BFD session is in Up state.
State : Master
Virtual IP : 10.1.1.3
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46 UTC+08:00
State : Backup
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Track BFD : 2 Priority increased : 40

BFD-session state : UP
Create time : 2012-01-12 20:15:46 UTC+08:00
# Run the shutdown command on GE0/0/1 of SwitchA to simulate a link fault. Then run the
display vrrp command on SwitchA and SwitchB. You can see that SwitchA is in Initialize state,
SwitchB becomes the master, and the associated BFD session becomes Down.


State : Initialize
Master IP : 0.0.0.0
PriorityRun : 120
MasterPriority : 0
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46 UTC+08:00
State : Master
PriorityRun : 140
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES

BFD-session state : DOWN
Create time : 2012-01-12 20:15:46 UTC+08:00
# Run the undo shutdown command on GE0/0/1 of SwitchA. After 20s, run the display vrrp
command on SwitchA and SwitchB. You can see that SwitchA restores to be the master,
SwitchB restores to be the backup, and the associated BFD session is in Up state.

State : Master
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46 UTC+08:00


State : Backup
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES

BFD-session state : UP
Create time : 2012-01-12 20:15:46 UTC+08:00
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
bfd
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
min-tx-interval 100
min-rx-interval 100
commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

#
sysname SwitchB
#
vlan batch 100
#
bfd
#
interface Vlanif100

ip address 10.1.1.2 255.255.255.0

vrrp vrid 1 track bfd-session 2 increased 40
#
#
min-tx-interval 100
min-rx-interval 100
commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

#
sysname Switch
#
vlan batch 100
#
#
#
return
9.2.4 Example for Configuring a VRRP6 Group in Active/Standby

Mode
As shown in Figure 9-10, HostA is dual-homed to SwitchA and SwitchB through the switch on
the IPv6 network. The requirements are as follows:
l The host uses SwitchA as the default gateway to connect to the Internet. When SwitchA
becomes faulty, SwitchB functions as the gateway. This implements gateway backup.
l After SwitchA recovers, it becomes the gateway within 20s.

Figure 9-10 Networking diagram for a VRRP6 group in active/standby mode

VRRP6 VRID 1
2000::100/64 Master
GE0/0/2 GE0/0/1
2000::1/64 2002::1/64
GE0/0/5
GE0/0/1
GE0/0/1 2002::2/64
SwitchC
GE0/0/3
Switch Internet
2003::2/64
HostA GE0/0/2 GE0/0/2
GE0/0/5 2001::2/64
2000::3/64
GE0/0/1
GE0/0/2 2001::1/64
2000::2/64 SwitchB
Backup
SwitchA GE0/0/1 VLANIF 300 2002::1/64
GE0/0/2 VLANIF 100 2000::1/64
GE0/0/5 VLANIF 100 2000::1/64
SwitchB GE0/0/1 VLANIF 200 2001::1/64
GE0/0/2 VLANIF 100 2000::2/64
GE0/0/5 VLANIF 100 2000::2/64
SwitchC GE0/0/1 VLANIF 300 2002::2/64
GE0/0/2 VLANIF 200 2001::2/64
GE0/0/3 VLANIF 400 2003::2/64
connectivity.
2. Configure a VRRP6 group on SwitchA and SwitchB, set a higher priority for SwitchA so
that SwitchA functions as the master to forward traffic and set the preemption delay to 20s
on SwitchA, and set a lower priority for SwitchB so that SwitchB functions as the backup.
3. Configure a loop prevention protocol (STP for example) on SwitchA, SwitchB and
Switch.

Procedure

[SwitchA] ipv6

[Switch] vlan 100
# Configure OSPFv3 between SwitchA, SwitchB, and SwitchC. SwitchA is used as an example.
[SwitchA] ospfv3
Step 2 Configure VRRP6 groups.
# Configure VRRP6 group 1 on SwitchA, and set the priority of SwitchA to 120 and the


[SwitchA-Vlanif100] vrrp6 vrid 1 virtual-ip FE80::1 link-local
[SwitchA-Vlanif100] vrrp6 vrid 1 virtual-ip 2000::100
[SwitchA-Vlanif100] vrrp6 vrid 1 priority 120
[SwitchA-Vlanif100] vrrp6 vrid 1 preempt-mode timer delay 20
# Configure VRRP6 group 1 on SwitchB. SwitchB uses default value 100.

[SwitchB-Vlanif100] vrrp6 vrid 1 virtual-ip FE80::1 link-local
[SwitchB-Vlanif100] vrrp6 vrid 1 virtual-ip 2000::100
Enable STP globally on SwitchA, SwitchB and Switch.
# After the configuration is complete, run the display vrrp6 command on SwitchA and
SwitchB. You can see that SwitchA is in Master state and SwitchB is in Backup state.
<SwitchA> display vrrp6
State : Master
Virtual IP : FE80::1
2000::100
Master IP : FE80::218:82FF:FED3:2AF3
PriorityRun : 120
TimerRun : 100 cs
TimerConfig : 100 cs
Virtual MAC : 0000-5e00-0201
Check hop limit : YES
Create time : 2012-01-12 20:15:46 UTC+08:00
<SwitchB> display vrrp6
State : Backup
2000::100
PriorityRun : 100
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
Create time : 2012-01-12 20:15:46 UTC+08:00
# Run the shutdown command on GE0/0/2 and GE0/0/5 of SwitchA to simulate a link fault.

# Run the display vrrp6 command on SwitchA and SwitchB. You can see that SwitchA is in
Initialize state and SwitchB is in Master state.
[SwitchA] display vrrp6
State : Initialize
2000::100
Master IP : ::
PriorityRun : 120
MasterPriority : 0
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
Create time : 2012-01-12 20:15:46 UTC+08:00
State : Master
2000::100
Master IP : FE80::218:82FF:FE68:7455
PriorityRun : 100
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
Create time : 2012-01-12 20:15:46 UTC+08:00
<SwitchB> display vrrp6 verbose
State : Master
2000::100
Master IP : FE80::218:82FF:FE68:7455
PriorityRun : 100
Preempt : YES Delay Time : 0s Remain : --
TimerRun : 100cs
TimerConfig : 100cs
Virtual MAC : 0000-5e00-0201
Config Type : normal-vrrp
Create Time : 2013-01-12 20:15:46
Last Change Time : 2013-01-12 20:15:46
# Run the undo shutdown command on GE0/0/2 and GE0/0/5 of SwitchA. After 20s, run the
display vrrp6 command on SwitchA and SwitchB. You can see that SwitchA is in Master state
and SwitchB is in Backup state.
[SwitchA] display vrrp6

State : Master
2000::100
PriorityRun : 120
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
Create time : 2012-01-12 20:15:46 UTC+08:00
State : Backup
2000::100
PriorityRun : 100
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
Create time : 2012-01-12 20:15:46 UTC+08:00
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 100 300
#
stp enable
#
ospfv3 1
router-id 1.1.1.1
#
interface Vlanif100
ipv6 enable
vrrp6 vrid 1 virtual-ip FE80::1 link-local
vrrp6 vrid 1 virtual-ip 2000::100
vrrp6 vrid 1 priority 120
vrrp6 vrid 1 preempt-mode timer delay 20
#
interface Vlanif300
ipv6 enable
#

#
#
#
return
#
sysname SwitchB
#
ipv6
#
vlan batch 100 200
#
stp enable
#
ospfv3 1
router-id 2.2.2.2
#
interface Vlanif100
ipv6 enable
#
interface Vlanif200
ipv6 enable
#
#
#
#
return
#
sysname SwitchC
#
#
ipv6
#
ospfv3 1
router-id 3.3.3.3
#
interface Vlanif200
ipv6 enable
#
interface Vlanif300
ipv6 enable
#

interface Vlanif400
ipv6 enable
#
#
#
#
return

#
sysname Switch
#
vlan batch 100
#
stp enable
#
#
#
return
9.2.5 Example for Configuring a VRRP6 Group in Load Balancing

Mode
As shown in Figure 9-11, HostA and HostC are dual-homed to SwitchA and SwitchB through
the switch on the IPv6 network. Load balancing is required in this scenario. HostA uses
SwitchA as the default gateway to connect to the Internet, and SwitchB functions as the backup
gateway. HostC uses SwitchB as the default gateway to connect to the Internet, and SwitchA
functions as the backup gateway.

Figure 9-11 Networking diagram for a VRRP6 group in load balancing mode
VRRP6 VRID 1
2000::100/64 VRID 1:Master
VRID 2:Backup
HostA GE0/0/1
2000::3/64 2002::1/64
GE0/0/2 GE0/0/1
GE0/0/1 2000::1/64 2002::2/64
Switch SwitchC GE0/0/3 Internet
2003::2/64
GE0/0/2 GE0/0/2 GE0/0/2
2000::2/64 2001::2/64
HostC GE0/0/1
2000::4/64 2001::1/64
SwitchB
VRID 1:Backup
VRID 2:Master
VRRP6 VRID 2
Virtual IP Address:
2000::60/64
SwitchA GE0/0/1 VLANIF 300 2002::1/64
GE0/0/2 VLANIF 100 2000::1/64
SwitchB GE0/0/1 VLANIF 200 2001::1/64
GE0/0/2 VLANIF 100 2000::2/64
SwitchC GE0/0/1 VLANIF 300 2002::2/64
GE0/0/2 VLANIF 200 2001::2/64
GE0/0/3 VLANIF 400 2003::2/64
connectivity.
2. Create VRRP6 groups 1 and 2 on SwitchA and SwitchB. In VRRP6 group 1, configure
SwitchA as the master and SwitchB as the backup. In VRRP6 group 2, configure
SwitchB as the master and SwitchA as the backup.

Procedure

[SwitchA] ipv6

[Switch] vlan 100
# Configure OSPFv3 between SwitchA, SwitchB, and SwitchC. SwitchA is used as an example.
[SwitchA] ospfv3
Step 2 Configure VRRP6 groups.
# Configure VRRP6 group 1 on SwitchA and SwitchB, set the priority of SwitchA to 120 and
the preemption delay to 20s, and set the default priority for SwitchB.


[SwitchA-Vlanif100] vrrp6 vrid 1 priority 120
[SwitchA-Vlanif100] vrrp6 vrid 1 preempt-mode timer delay 20
# Configure VRRP6 group 2 on SwitchA and SwitchB, set the priority of SwitchB to 120 and
the preemption delay to 20s, and set the default priority for SwitchA.
[SwitchB-Vlanif100] vrrp6 vrid 2 priority 120
[SwitchB-Vlanif100] vrrp6 vrid 2 preempt-mode timer delay 20
# After the configuration is complete, run the display vrrp6 command on SwitchA. You can
see that SwitchA is the master in VRRP6 group 1 and the backup in VRRP6 group 2.
<SwitchA> display vrrp6
State : Master
2000::100
PriorityRun : 120
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
Create time : 2012-01-12 20:15:46 UTC+08:00

State : Backup
2000::60
Master IP : FE80::218:82FF:FE68:7455
PriorityRun : 100
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0202
Create time : 2012-01-12 20:15:46 UTC+08:00

# After the configuration is complete, run the display vrrp6 command on SwitchB. You can
see that SwitchB is the backup in VRRP6 group 1 and the master in VRRP6 group 2.
State : Backup
2000::100
PriorityRun : 100
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
Create time : 2012-01-12 20:15:46 UTC+08:00

State : Master
2000::60
Master IP : FE80::218:82FF:FE68:7455
PriorityRun : 120
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0202
Create time : 2012-01-12 20:15:46 UTC+08:00
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 100 300
#
ospfv3 1
router-id 1.1.1.1
#
interface Vlanif100
ipv6 enable

#
interface Vlanif300
ipv6 enable
#
#
#
return
#
sysname SwitchB
#
ipv6
#
vlan batch 100 200
#
ospfv3 1
router-id 2.2.2.2
#
interface Vlanif100
ipv6 enable
#
interface Vlanif200
ipv6 enable
#
#
#
return
#
sysname SwitchC
#
#
ipv6
#
ospfv3 1
router-id 3.3.3.3
#
interface Vlanif200
ipv6 enable
#
interface Vlanif300
ipv6 enable

#
interface Vlanif400
ipv6 enable
#
#
#
#
return

#
sysname Switch
#
vlan batch 100
#
#
#
return
9.3 DLDP Configuration

DLDP can detect unidirectional links of optical fibers or copper twisted pairs.
9.3.1 Example for Configuring DLDP to Detect a Disconnected

Optical Fiber Link
As shown in Figure 9-12, SwitchA and SwitchB are connected through a pair of optical fibers.
On an optical fiber, Rx indicates the receive end, and Tx indicates the transmit end. The
requirement is to detect unidirectional links.
Figure 9-12 Correct optical fiber connections
GE0/0/1 GE0/0/1
Tx Rx
Switch A Switch B
Rx Tx
1. Configure the interfaces on both ends to work in non-auto-negotiation mode.
2. Enable DLDP to detect unidirectional links between SwitchA and SwitchB.

3. Adjust DLDP parameters to detect unidirectional links more efficiently.
Procedure
Step 1 Configure the interfaces on SwitchA to work in non-auto negotiation mode.
[SwitchA-GigabitEthernet0/0/1] undo negotiation auto
Step 2 Enable DLDP globally.

[SwitchA] dldp enable
Step 3 Enable DLDP on an interface of SwitchA.

[SwitchA-GigabitEthernet0/0/1] dldp enable
Step 4 Set the interval for sending Advertisement packets to 10 seconds on SwitchA.
[SwitchA] dldp interval 10
Step 5 Set the timeout value of the DelayDown timer to 4 seconds on SwitchA.
[SwitchA] dldp delaydown-timer 4
Step 6 Set the authentication mode of DLDP packets to simple password authentication and set the
password to 12345 on SwitchA.
[SwitchA] dldp authentication-mode simple 12345
Perform steps 1 to 6 on SwitchB.

After the configuration is complete, run the display dldp command in the interface view. The
command output shows that the DLDP status of the interface is advertisement.
[SwitchA] display dldp
DLDP global status: enable
DLDP interval: 10s
DLDP work-mode: enhance
DLDP authentication-mode: simple, password is %@%@YwW,EZD+BGEÔnD"qv3#,.A+%@%@
DLDP unidirectional-shutdown: auto
DLDP delaydown-timer: 4s
The number of enabled ports is: 1.
The number of global neighbors is: 1.
Interface GigabitEthernet0/0/1
DLDP port state: advertisement
DLDP link state: up
The neighbor number of the port is: 1.
Neighbor mac address:80fb-0636-792d
Neighbor port index:49
Neighbor state:two way
Neighbor aged time:16
Simulate an optical fiber disconnection by removing the receive optical fiber from SwitchA.
DLDP automatically shuts down GE0/0/1 on SwitchB when a unidirectional link occurs between
SwitchA and GE0/0/1 on SwitchB.
# Run the display dldp command on SwitchA and SwitchB. The command output shows that
the DLDP status of GE0/0/1 on SwitchA is inactive, and the DLDP status of GE0/0/1 on
SwitchB is disable.

[SwitchA] display dldp interface gigabitethernet 0/0/1

DLDP port state: inactive
DLDP link state: down
[SwitchB] display dldp interface gigabitethernet 0/0/1
DLDP port state: disable
DLDP link state: down
----End
Configuration Files
#
sysname SwitchA
#
dldp enable
dldp interval 10
dldp delaydown-timer 4
dldp authentication-mode simple %@%@YwW,EZD+BGEÔnD"qv3#,.A+%@%@
#
undo negotiation auto
dldp enable
#
return

#
sysname SwitchB
#
dldp enable
dldp interval 10
#
dldp enable
#
return
9.3.2 Example for Configuring DLDP to Detect Cross-Connected

Optical Fibers
As shown in Figure 9-13, SwitchA and SwitchB are connected through a pair of optical fibers.
On an optical fiber, Rx indicates the receive end, and Tx indicates the transmit end. Optical
fibers may be cross connected, as shown in Figure 9-14. The requirement is to detect
unidirectional links caused by cross connections of optical fibers.

Figure 9-13 Correct optical fiber connections

GE0/0/1 GE0/0/1
Tx Rx
SwitchA Rx Tx SwitchB
Tx Rx
GE0/0/2 GE0/0/2
Figure 9-14 Cross-connected optical fibers

GE0/0/1 GE0/0/1
Tx Rx
SwitchA Rx Tx SwitchB
Tx Rx
GE0/0/2 GE0/0/2
1. Configure the interfaces on both ends to work in non-auto-negotiation mode.

2. Enable DLDP to detect unidirectional links between SwitchA and SwitchB.
3. Adjust DLDP parameters to detect unidirectional links more efficiently.
Procedure
Step 1 Configure the interfaces on SwitchA to work in non-auto negotiation mode.
Step 2 Enable DLDP globally on SwitchA.

[SwitchA] dldp enable
Step 3 Enable DLDP on an interface of SwitchA.

Step 4 Set the interval for sending Advertisement packets to 10 seconds on SwitchA.
[SwitchA] dldp interval 10
Step 5 Set the timeout value of the DelayDown timer to 4 seconds on SwitchA.
[SwitchA] dldp delaydown-timer 4
Step 6 Set the authentication mode of DLDP packets to simple password authentication and set the
password to 12345 on SwitchA.
[SwitchA] dldp authentication-mode simple 12345

Perform steps 1 to 6 on SwitchB.
After the configuration is complete, run the display dldp command in the interface view. The
command output shows that the DLDP status of the interface is advertisement.
DLDP link state: up
Neighbor mac address:0001-0001-0001
DLDP link state: up
Neighbor mac address:0001-0001-0001
DLDP link state: up
Neighbor mac address:781d-ba57-c24a
DLDP link state: up
Neighbor mac address:781d-ba57-c24a
As shown in Figure 9-14, if a unidirectional link occurs between the interfaces on SwitchA and
SwitchB due to cross connections of optical fibers, DLDP will shut down the interfaces.
Run the display dldp command on SwitchA and SwitchB. The command output shows that the
DLDP status of interfaces on SwitchA and SwitchB is disable.
DLDP link state: up
The neighbor number of the port is: 0
DLDP link state: up
DLDP link state: up

DLDP link state: up
----End
Configuration Files
#
sysname SwitchA
#
dldp enable
dldp interval 10
#
dldp enable
#
dldp enable
#
return

#
sysname SwitchB
#
dldp enable
dldp interval 10
#
dldp enable
#
dldp enable
#
return
9.4 Smart Link Configuration

The Smart Link is applicable to dual uplinks and scenarios in which STP is not used, improving
access reliability.
9.4.1 Example for Configuring Load Balancing on a Smart Link

Instance
As shown in Figure 9-15, the user-side network uses the dual-homing mode to ensure network
reliability. Multiple VLAN data flows exist on the network. To increase the link use efficiency,

the two uplinks both forward the data flows. The service interruption duration is restricted to
millisecond level.
Figure 9-15 Example for configuring load balancing between active and standby links of a Smart
Link group
Core
Network
SwitchB SwitchC
GE0/0/2 GE0/0/2
GE0/0/1 GE0/0/1
Smart Link group

GE0/0/1 GE0/0/2
SwitchA Active link
Inactive link
VLAN
100 500
1. Configure a Smart Link group on Switch A and add the corresponding interface to the Smart
Link group.
2. Map VLAN 500 to load balancing Instance 10.
3. Create a Smart Link group on SwitchA and specify interface roles.
4. Configure load balancing on Switch A and forward the data flows from VLANs mapped
to instance 10 through the backup link.
5. Enable revertive switching on Switch A to switch traffic to the original active link.
6. Enable the function of sending Flush packets on Switch A.
7. Enable SwitchB and SwitchC to receive Flush packets on the interfaces.
8. Enable Smart Link on Switch A.
Procedure
Step 1 Create VLANs on SwitchA, and configure interfaces to allow these VLANs.


[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10 100 500
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 10 100 500
not mentioned here.
Step 2 Configure VLAN mapping on SwitchA.

Step 3 Disable STP on uplink interfaces, add the interfaces to the Smart Link group, and specify the
master and slave interfaces.
[SwitchA-GigabitEthernet0/0/1] stp disable
[SwitchA] smart-link group 1
[SwitchA-smlk-group1] port gigabitethernet 0/0/1 master
[SwitchA-smlk-group1] port gigabitethernet 0/0/2 slave
Step 4 Configure load balancing on SwitchA.

[SwitchA-smlk-group1] load-balance instance 10 slave
Step 5 Enable revertive switching and set the WTR time.
[SwitchA-smlk-group1] restore enable
[SwitchA-smlk-group1] timer wtr 30
Step 6 Enable the function of sending Flush packets.
[SwitchA-smlk-group1] flush send control-vlan 10 password simple 123
Step 7 Enable the function of receiving Flush packets.
[SwitchB-GigabitEthernet0/0/1] smart-link flush receive control-vlan 10 password
simple 123
simple 123
[SwitchC-GigabitEthernet0/0/1] smart-link flush receive control-vlan 10 password
simple 123

[SwitchC-GigabitEthernet0/0/2] smart-link flush receive control-vlan 10 password
simple 123
Step 8 Enable the Smart Link on SwitchA.

[SwitchA-smlk-group1] smart-link enable

# Run the display smart-link group command to view information about the Smart Link group
on SwitchA. If the following information is displayed, it indicates that the configuration is
successful.
l The Smart Link function is enabled.
l The WTR time is 30 seconds.
l The control VLAN ID is 10.
l GE 0/0/1 is the active interface and is in Active state, and GE 0/0/2 is the standby interface
and is in Inactive state. The load balancing function is configured.
<SwitchA> display smart-link group 1
Smart Link group 1 information :
Smart Link group was enabled
Wtr-time is: 30 sec.
Load-Balance Instance: 10
There is no protected-vlan reference-instance
DeviceID: 0018-2000-0083 Control-vlan ID: 10
Member Role State Flush Count Last-Flush-Time
------------------------------------------------------------------------
GigabitEthernet0/0/1 Master Active 0 2009/01/05 10:33:46 UTC
+05:00
GigabitEthernet0/0/2 Slave Inactive 0 0000/00/00 00:00:00 UTC
+05:00
# Run the shutdown command to shut down GE 0/0/1, and you can find that GE 0/0/1 is in
Inactive state and GE 0/0/2 is in Active state.
[SwitchA-GigabitEthernet0/0/1] display smart-link group 1
------------------------------------------------------------------------
GigabitEthernet0/0/1 Master Inactive 0 2009/01/05 10:33:46 UTC
+05:00
GigabitEthernet0/0/2 Slave Active 1 2009/01/05 10:34:46 UTC
+05:00
# Run the undo shutdown command to enable GE 0/0/1 and wait for 30 seconds, and you can
find that GE 0/0/1 is in Active state and GE 0/0/2 is in Inactive state.
[SwitchA-GigabitEthernet0/0/1] display smart-link group 1


------------------------------------------------------------------------
+05:00
+05:00
----End
Configuration Files
#
sysname SwitchA
#
#
instance 10 vlan 500
#
stp disable
#
stp disable
#
smart-link group 1
load-balance instance 10 slave
restore enable
smart-link enable
port GigabitEthernet0/0/1 master
port GigabitEthernet0/0/2 slave
timer wtr 30
flush send control-vlan 10 password simple %@%@wzjzRHlP[0"S{BBVt7o=,.A+%@%@
#
return

#
sysname SwitchB
#
#
smart-link flush receive control-vlan 10 password simple %@%@wzjzRHlP[0"S
{BBVt7o=,.A+%@%@
#
{BBVt7o=,.A+%@%@
#
return

#
sysname SwitchC

#
#
{BBVt7o=,.A+%@%@
#
{BBVt7o=,.A+%@%@
#
return
9.4.2 Example for Configuring the Integrated Application of

Monitor Link and Smart Link
As shown in Figure 9-16, SwitchC on the MAN is connected to user networks. It accesses the
backbone network through upstream devices SwitchA and SwitchB in dual-homing mode.
A monitoring mechanism is required to prevent service interruption caused by uplink faults.

When the uplink fails, the downlink rapidly detects the fault. Therefore, link switching is
performed in a timely manner, which shortens the interruption duration.

Figure 9-16 Example for configuring the integrated application of Smart Link and Monitor Link
IP/MPLS
core
network
Smart Link group

GE0/0/1 GE0/0/1
GE0/0/2
GE0/0/4
Monitor Link group Monitor Link group
GE0/0/4
SwitchA
GE0/0/3 GE0/0/3 SwitchB
Smart Link group GE0/0/1 GE0/0/2
SwitchC
Active link
User1 User2
Inactive link
1. Configure a Smart Link group on SwitchA and SwitchC and add corresponding interfaces
to the Smart Link group.
2. Configure a Monitor Link group on SwitchA and set the Smart Link group as uplinks. Smart
Link and Monitor Link are used together. The Smart Link group improves the uplink
reliability in the Monitor Link group.
3. Configure a Monitor Link group on SwitchB to enable the Smart Link group on SwitchC
to rapidly detect uplink faults. The application scope of Smart Link functions is broadened.
4. Enable the function of sending Flush packets on SwitchA andSwitchC.
5. Enable the function of receiving Flush packets on SwitchA and SwitchB.
Procedure
Step 1 Configure the same control VLAN on SwitchA, SwitchB and SwitchC. Add the interfaces of
the Smart Link group or Monitor Link group to this VLAN.

The configuration procedure is not mentioned here. For details, see "VLAN Configuration" in
S2350&S5300&S6300 Series Ethernet Switches Configuration Guide - Ethernet
Configuration.
Step 2 Create a Smart Link group.
[SwitchA-smlk-group1] quit
[SwitchC] smart-link group 2
[SwitchC-smlk-group2] quit
Step 3 Add interfaces to the Smart Link group and specify the master and slave interfaces.
[SwitchA-smlk-group1] port gigabitethernet 0/0/1 master
[SwitchA-smlk-group1] port gigabitethernet 0/0/2 slave
[SwitchC-smlk-group2] port gigabitethernet 0/0/1 master
[SwitchC-smlk-group2] port gigabitethernet 0/0/2 slave
Step 4 Enable revertive switching and set the WTR time.

[SwitchA-smlk-group1] restore enable
[SwitchA-smlk-group1] timer wtr 30
[SwitchC-smlk-group2] restore enable
[SwitchC-smlk-group2] timer wtr 30
Step 5 Enable the function of sending or receiving Flush packets.

[SwitchA-smlk-group1] flush send control-vlan 10 password simple 123
[SwitchA-GigabitEthernet0/0/3] smart-link flush receive control-vlan 10 password
simple 123

[SwitchA-GigabitEthernet0/0/4] smart-link flush receive control-vlan 10 password
simple 123
[B] interface gigabitethernet 0/0/3
simple 123
simple 123
[SwitchC-smlk-group2] flush send control-vlan 10 password simple 123
Step 6 Enable the Smart Link function.
[SwitchA-smlk-group1] smart-link enable
[SwitchC-smlk-group2] smart-link enable
[SwitchC-smlk-group2] quit
Step 7 Create a Monitor Link group and add the uplink and downlink interfaces to the Monitor Link
group.
[SwitchA] monitor-link group 1
[SwitchA-mtlk-group1] smart-link group 1 uplink
[SwitchA-mtlk-group1] port gigabitethernet 0/0/3 downlink 1
[SwitchB] monitor-link group 2
[SwitchB-mtlk-group2] port gigabitethernet 0/0/1 uplink
[SwitchB-mtlk-group2] port gigabitethernet 0/0/3 downlink 1
Step 8 Set the WTR time of a Monitor Link group.
[SwitchA-mtlk-group1] timer recover-time 10
[SwitchB-mtlk-group2] timer recover-time 10

<SwitchA> display smart-link group 1

There is no Load-Balance
------------------------------------------------------------------------
+05:00
+05:00
<SwitchA> display monitor-link group 1
Monitor Link group 1 information :
Recover-timer is 10 sec.
Member Role State Last-up-time Last-down-
time
Smart-link1 UpLk UP 0000/00/00 00:00:00 UTC+05:00 0000/00/00
00:00:00 UTC+05:00
GigabitEthernet0/0/3 DwLk[1] UP 0000/00/00 00:00:00 UTC+05:00 0000/00/00
00:00:00 UTC+05:00
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
stp disable
#
stp disable
#
{BBVt7o=,.A+%@%@
#
{BBVt7o=,.A+%@%@
#
smart-link group 1
restore enable
smart-link enable
timer wtr 30
#
monitor-link group 1
smart-link group 1 uplink
port GigabitEthernet0/0/3 downlink 1
timer recover-time 10
#
return


#
sysname SwitchB
#
vlan batch 10
#
#
{BBVt7o=,.A+%@%@
#
{BBVt7o=,.A+%@%@
#
monitor-link group 2
port GigabitEthernet0/0/1 uplink
port GigabitEthernet0/0/3 downlink 1
timer recover-time 10
#
return

#
sysname SwitchC
#
vlan batch 10
#
stp disable
#
stp disable
#
smart-link group 2
restore enable
smart-link enable
timer wtr 30
#
return
9.5 MAC Swap Loopback Configuration

MAC swap loopback checks Ethernet connectivity and network performance.
9.5.1 Example for Configuring Local MAC Swap Loopback

On SwitchB, GE0/0/1 connects to an Ethernet network and GE0/0/2 connects to users. A local
MAC swap loopback test needs to be performed to test connectivity and performance of the
Ethernet network. The local MAC swap loopback test checks performance of SwitchB.
Figure 9-17 Networking diagram of a local MAC swap loopback test
Tester
Ethernet GE0/0/1 GE0/0/2
Users
SwitchA SwitchB
1. Create a VLAN and add GE0/0/1 and GE0/0/2 to the VLAN.
2. Configure local MAC swap loopback on SwitchB.
3. Enable the MAC swap loopback function on SwitchB to detect network connectivity and
network quality.
Procedure
Step 1 Create VLAN 100 on SwitchB, configure GE0/0/1 as a trunk interface and GE0/0/2 as a hybrid
interface, and add the interfaces to VLAN 100.
Step 2 Configure local MAC swap loopback on GE0/0/2 of SwitchB and specify GE0/0/1 as the
outbound interface of loopback Ethernet frames. Enable the MAC swap loopback function.
[SwitchB-GigabitEthernet0/0/2] loopback local swap-mac source-mac 0018-2000-0085
dest-mac 018-2000-0070 vlan 100 interface gigabitethernet 0/0/1 timeout 80
[SwitchB-GigabitEthernet0/0/2] loopback swap-mac start

# After completing the configuration, run the display loopback swap-mac information
command to verify the configuration. If the configuration is correct, send Ethernet frames from
the tester to test network performance.

[SwitchB] display loopback swap-mac information

Loopback type : local
Loopback state : running
Loopback test time(s) : 80
Loopback interface : GigabitEthernet0/0/2
Loopback output interface : GigabitEthernet0/0/1
Loopback source MAC : 0018-2000-0085
Loopback destination MAC : 0018-2000-0070
Loopback vlan : 100
Loopback inner vlan : 0
Loopback packets : 0
Drop packets : 3
----End
Configuration Files
#
sysname SwitchB
#
vlan batch 100
#
#
loopback local swap-mac source-mac 0018-2000-0085 dest-mac 0018-2000-0070
vlan 100 interface GigabitEthernet0/0/1 timeout 80
#
return
9.5.2 Example for Configuring Remote MAC Swap Loopback
GE0/0/1 on SwitchB connects to an Ethernet network. A remote MAC swap loopback test needs
to be performed to test connectivity and performance of the Ethernet network. The remote MAC
swap loopback test does not check performance of SwitchB.
Figure 9-18 Networking diagram of a remote MAC swap loopback test
Tester
Ethernet GE0/0/1
Users
SwitchA SwitchB

1. Create a VLAN and add GE0/0/1 to the VLAN.

2. Configure remote MAC swap loopback on SwitchB.
3. Enable the MAC swap loopback function on SwitchB to detect network connectivity and
network quality.
Procedure
Step 1 Create VLAN 100 on SwitchB, configure GE0/0/1 as a trunk interface, and add GE0/0/1 to
VLAN 100.
Step 2 Configure remote MAC swap loopback on GE0/0/1 of SwitchB and enable the MAC swap
loopback function.
[SwitchB-GigabitEthernet0/0/1] loopback remote swap-mac source-mac 0018-2000-0085
dest-mac 018-2000-0070 vlan 100 timeout 80
[SwitchB-GigabitEthernet0/0/1] loopback swap-mac start
# After completing the configuration, run the display loopback swap-mac information
command to verify the configuration. If the configuration is correct, send Ethernet frames from
the tester to test network performance.
[SwitchB] display loopback swap-mac information
Loopback type : remote
Loopback state : running
Loopback test time(s) : 80
Loopback interface : GigabitEthernet0/0/1
Loopback output interface : GigabitEthernet0/0/1
Loopback source MAC : 0018-2000-0085
Loopback destination MAC : 0018-2000-0070
Loopback vlan : 100
Loopback inner vlan : 0
Loopback packets : 0
----End
Configuration Files
#
sysname SwitchB
#
vlan batch 100
#
loopback remote swap-mac source-mac 0018-2000-0085 dest-mac 0018-2000-0070

vlan 100 timeout 80

#
return
9.6 EFM Configuration

Ethernet in the First Mile (EFM) can be enabled on both devices of a point-to-point link to
monitor connectivity and link quality.
9.6.1 Example for Configuring Basic EFM Functions
As networks develop quickly, more and more IP networks are used to carry multiple services
such as voice and video services. These services pose high requirements on network reliability
and rapid fault detection.
As shown in Figure 9-19, the network between CE1 and CE3 is newly deployed. The
requirements on the network are as follows:
l Link connectivity and quality on the network are tested before the network is started.
l Link quality is dynamically monitored after links are properly started.
l Traffic is switched to a backup link if the primary link fails.
Figure 9-19 Networking diagram for configuring basic EFM functions

CE2
GE0/0/1
PC CE1 GE0/0/1
Metro
User CE3 Core
Network
GE0/0/2 CE4
GE0/0/1 GE0/0/2
EFM
1. Configure basic EFM functions on CE1 and CE4 to monitor link connectivity.
2. Configure remote loopback on CE1 to test the connectivity and performance of the link
between CE1 and CE4 before the link is used to transmit services.
3. Configure link monitoring on CE1 to monitor the performance and quality of the link
between CE1 and CE4.
4. Configure association between EFM and interfaces on CE4. When the link between CE1
and CE4 becomes faulty, traffic sent from CE4 will not be sent along the link.

Procedure
Step 1 Configure basic EFM functions.
# Enable EFM on CE1 globally.
[CE1] efm enable
# Enable EFM on GE0/0/2 of CE1.

[CE1-GigabitEthernet0/0/2] efm enable

[CE4] efm enable
# Configure the EFM mode to passive on GE0/0/1 of CE4.

[CE4-GigabitEthernet0/0/1] efm mode passive

# Verify the configuration.

If EFM is correctly configured on CE1 and CE4, GE0/0/2 and GE0/0/1 will enter the handshake
phase. Run the display efm session { all | interface interface-type interface-num } command
on CE1 or CE4. The command output shows that the EFM status is detect on GE0/0/2 or GE
0/0/1.
[CE1] display efm session all
Interface EFM State Loopback Timeout
----------------------------------------------------------------------
GigabitEthernet0/0/2 detect --
Step 2 Configure remote loopback.

# Configure remote loopback on CE1.
[CE1-GigabitEthernet0/0/2] efm loopback start
Verify the configuration.

After configuring remote loopback, run the display efm session { all | interface interface-
type interface-num } command on CE1. The command output shows that the EFM status is
loopback (control) on GE0/0/2.
[CE1] display efm session interface gigabitethernet 0/0/2
----------------------------------------------------------------------
GigabitEthernet0/0/2 loopback (control) 20
After configuring remote loopback, run the display efm session { all | interface interface-
type interface-num } command on CE4. The command output shows that the EFM status is
loopback (be controlled) on GE0/0/1.


----------------------------------------------------------------------
GigabitEthernet0/0/1 loopback (be controlled) --
Step 3 Configure CE1 to send test packets to CE4.

[CE1] test-packet start interface gigabitethernet 0/0/2
Please wait..............
Info: The test is completed.
Step 4 Check returned test packets on CE1.

[CE1] display test-packet result
TestResult Value
--------------------------------------------------------
PacketsSend : 5
PacketsReceive : 5
PacketsLost : 0
BytesSend : 480
BytesReceive : 480
BytesLost : 0
StartTime : 03-05-2012 14:28:16 UTC+03:00
EndTime : 03-05-2012 14:29:22 UTC+03:00
Link quality can be evaluated based on data in the preceding command output.
Step 5 Disable remote loopback.

[CE1-GigabitEthernet0/0/2] efm loopback stop
NOTE
By default, the timeout interval for remote loopback is 20 minutes. The remote loopback test stops after
20 minutes. To disable remote loopback, perform the preceding procedures.
After disabling remote loopback, run the display efm session { all | interface interface-type
interface-num } command on CE1 or CE4. The command output shows that the EFM status is
detect on the interfaces at both ends of the link. For example:
----------------------------------------------------------------------
If the link is working properly, perform the following operations to monitor the link in real time.
Step 7 Configure errored code detection, errored frame detection, and errored frame second detection
on GE0/0/2 of CE1.
# Configure errored code detection on GE0/0/2 of CE1.

[CE1-GigabitEthernet0/0/2] efm error-frame period 5
[CE1-GigabitEthernet0/0/2] efm error-frame threshold 5
[CE1-GigabitEthernet0/0/2] efm error-frame notification enable
# Configure errored frame detection on GE0/0/2 of CE1.

[CE1-GigabitEthernet0/0/2] efm error-code period 5
[CE1-GigabitEthernet0/0/2] efm error-code threshold 5
[CE1-GigabitEthernet0/0/2] efm error-code notification enable
# Configure errored frame second detection on GE0/0/2 of CE1.

[CE1-GigabitEthernet0/0/2] efm error-frame-second period 120

[CE1-GigabitEthernet0/0/2] efm error-frame-second threshold 5
[CE1-GigabitEthernet0/0/2] efm error-frame-second notification enable

After the preceding configurations are complete, GE0/0/2 on CE1 and GE0/0/1 on CE4 will
enter the handshake phase. Run the display efm session { all | interface interface-type interface-
num } command on CE1 or CE4. The command output shows that the EFM status is detect on
GE0/0/2 or GE0/0/1.
----------------------------------------------------------------------
After the preceding configurations are complete, run the display efm { all | interface interface-
type interface-number } command to check EFM configurations.
[CE1] display efm interface gigabitethernet 0/0/2
Item Value
----------------------------------------------------
EFM Enable Flag: enable
Mode: active
Loopback IgnoreRequest: no
OAMPDU MaxSize: 128
OAMPDU Timeout: 5000
OAMPDU Interval: 1000
ErrCodeNotification: enable
ErrCodePeriod: 5
ErrCodeThreshold: 5
ErrFrameNotification: enable
ErrFramePeriod: 5
ErrFrameThreshold: 5
ErrFrameSecondNotification:enable
ErrFrameSecondPeriod: 120
ErrFrameSecondThreshold: 5
Hold Up Time: 0
ThresholdEvtTriggerErrDown: disable
TriggerIfDown: disable
TriggerMacRenew: disable
Remote MAC: 0010-0010-0010
Remote EFM Enable Flag: enable
Remote Mode: passive
Remote MaxSize: 128
Remote Loopback IgnoreRequest: no
Remote State: --
ErrFramePeriodNotification: disable
ErrFramePeriodPeriod: 200000
ErrFramePeriodThreshold: 1
Step 9 Configure association between EFM and GE0/0/2 on CE4.

[CE4] oam-mgr
[CE4-oam-mgr] oam-bind efm interface gigabitethernet 0/0/1 trigger if-down
interface gigabitethernet 0/0/2
[CE4-oam-mgr] quit

After the preceding configurations are complete, run the shutdown command on GE0/0/2 of
CE1. The command output shows that the current state field value is TRIGGER DOWN
(3AH) on GE0/0/2 of CE4.
[CE4] display interface gigabitethernet 0/0/2

GigabitEthernet0/0/2 current state : TRIGGER DOWN (3AH)

Line protocol current state : DOWN
...
NOTE
----End
Configuration Files
#
sysname CE1
#
efm enable
#
efm
enable
efm error-frame period
5
efm error-frame threshold
5
efm error-frame notification
enable
efm error-frame-second period
120
efm error-frame-second threshold
5
efm error-frame-second notification
enable
efm error-code period
5
efm error-code threshold
5
efm error-code notification enable
#
return

#
sysname CE4
#
efm enable
#
efm mode passive
efm enable
#
oam-mgr
oam-bind ingress interface GigabitEthernet0/0/2 egress efm interface
GigabitEthernet0/0/1 trigger if-down
oam-bind ingress efm interface GigabitEthernet0/0/1 trigger if-down egress
#
return
9.6.2 Example for Configuring Association Between an EFM

Module and an Interface

As shown in Figure 9-20, EFM is configured between SwitchB and SwitchC. When
GigabitEthernet0/0/2 on SwitchB becomes Down, EFM reports the fault to
GigabitEthernet0/0/1 on SwitchB through association. Then GigabitEthernet0/0/1 becomes
Down.
Figure 9-20 Association between EFM and an interface

GE0/0/1 GE0/0/2
GE0/0/1 GE0/0/2
EFM OAM
Interface associated with
EFM OAM
1. Configure EFM between SwitchB and SwitchC.

2. Configure association between EFM and GigabitEthernet0/0/1 on SwitchB.
Procedure
Step 1 Configure EFM between SwitchB and SwitchC.
[SwitchB] efm enable
[SwitchB-GigabitEthernet0/0/2] efm mode passive
[SwitchB-GigabitEthernet0/0/2] efm enable
[SwitchC] efm enable
[SwitchC-GigabitEthernet0/0/2] efm enable
Run the display efm session interface command on SwitchB to check the EFM OAM status.
You can see that EFM OAM is in detect state.
[SwitchB] display efm session interface gigabitethernet 0/0/2
----------------------------------------------------------------------
Step 2 Configure association between EFM and an interface.
# Configure GigabitEthernet0/0/1 on SwitchB and EFM between SwitchB and SwitchC to report
faults to each other.

[SwitchB] oam-mgr
[SwitchB-oam-mgr] oam-bind efm interface gigabitethernet 0/0/2 trigger if-down
interface gigabitethernet 0/0/1

Run the shutdown command on GE0/0/2 of SwitchB. EFM OAM reports the fault to
GigabitEthernet0/0/1. Then GigabitEthernet0/0/1 enters the TRIGGER DOWN (3AH) state.
[SwitchB] display interface gigabitethernet 0/0/1
GigabitEthernet0/0/1 current state : TRIGGER DOWN
(3AH)
Line protocol current state : DOWN
...
NOTE
----End
Configuration Files
#
sysname SwitchB
#
efm enable
#
efm mode passive
efm enable
#
oam-mgr
oam-bind ingress interface GigabitEthernet0/0/1 egress efm interface
GigabitEthernet0/0/2 trigger if-down
oam-bind ingress efm interface GigabitEthernet0/0/2 trigger if-down egress
#
return

#
sysname SwitchC
#
efm enable
#
efm enable
#
return
9.6.3 Example for Configuring Association Between EFM Modules
Link detection protocols are usually deployed on a network to detect link connectivity and faults.
A single fault detection protocol cannot detect all faults in all links on a complex network.

Network environments and user requirements need to be analyzed, and various detection
techniques are required to implement rapid link fault detection.
As shown in Figure 9-21, CE1 is dual-homed to CE2 and CE4. The requirements are as follows:
l Connectivity of links between CE1 and CE4, between CE4 and CE3 can be detected.
l When the link between CE1 and CE4 becomes faulty, CE3 can detect the fault.
l When the link between CE1 and CE4 becomes faulty, services are switched to the link
Figure 9-21 Association between EFM modules
CE2
GE0/0/1 GE0/0/2
PC CE1 GE0/0/1 GE0/0/2

CE3 Metro
User
CORE
Network GE0/0/3 CE4 GE0/0/3
GE0/0/1 GE0/0/2
EFM EFM
1. Configure EFM for the link between CE1 and CE4 to monitor connectivity of the link
2. Configure EFM for the link between CE4 and CE3 to monitor connectivity of the link
3. Configure association between EFM modules so that the fault can be transmitted.
4. Configure association between EFM and an interface on CE3. When EFM detects a link
fault between CE1 and CE4, the interface becomes Down.
Procedure

[CE1] efm enable


[CE3] efm enable


[CE4] efm enable
# Enable EFM on 0/0/1 and GE0/0/2 of CE4.

Run the display efm session { all | interface interface-type interface-num } command on each
device. If the EFM status is detect, the EFM configuration on CE3, CE1, and CE4 is correct.

----------------------------------------------------------------------
Step 2 Configure association between EFM modules.
# Configure association between EFM modules on CE4.

[CE4] oam-mgr
[CE4] oam-bind efm interface gigabitethernet 0/0/1 efm interface gigabitethernet
0/0/2
[CE4] quit
Step 3 Configure association between EFM and an interface.
# Configure association between EFM and an interface on CE3.

[CE3-GigabitEthernet0/0/3] efm trigger if-down
After association functions are configured, run the shutdown command on GE0/0/3 of CE1 to
simulate a fault on the link between CE1 and CE4. Run the display interface interface-type
interface-num command on GE0/0/3 of CE3. The command output shows that the Line protocol
current state field value is DOWN (EFM down), indicating that the fault is transmitted from
the link between CE1 and CE4 to the link between CE4 and CE3.
Line protocol current state : DOWN (EFM down)
...

NOTE
----End
Configuration Files
#
sysname CE1
#
efm
enable
#
efm enable
#
return

#
sysname CE3
#
efm
enable
#
efm enable
efm trigger if-
down
#
return

#
sysname CE4
#
efm enable
#
efm
enable
#
efm
enable
#
oam-
mgr
oam-bind ingress efm interface GigabitEthernet0/0/1 egress efm interface
oam-bind ingress efm interface GigabitEthernet0/0/2 egress efm interface
#
return
9.7 CFM Configuration

Connectivity fault management (CFM) defines OAM functions and applies to large-scale end-
to-end Ethernet networks. It monitors network connectivity and locates connectivity faults.

9.7.1 Example for Configuring VLAN-based Ethernet CFM on a

Layer 2 Network
As shown in Figure 9-22, VLANs are configured between devices. UPE2 and UPE3 back up
each other. It is required that connectivity of links between UPE1 and UPE2 and between UPE2
and PE-AGG be detected in real time.
Figure 9-22 Networking for configuring VLAN-based Ethernet CFM on a Layer 2 network
UPE2
GE0/0/1 GE0/0/2
PC UPE1 PE-AGG NPE
GE0/0/2 GE0/0/2
User IP/MPLS
Network GE0/0/1 GE0/0/1 Core
GE0/0/1 GE0/0/2
UPE3
CFM
l Configure VLANs for UPE1, UPE2, UPE3, and PE-AGG to implement Layer 2
connectivity.
l Configure basic CFM functions on UPE1 and PE-AGG to detect connectivity of the link
between UPE1 and PE-AGG.
Procedure
Step 1 Configure VLANs.
# Configure UPE1.
[HUAWEI] sysname UPE1
[UPE1] vlan 2
[UPE1-vlan2] quit
[UPE1] interface gigabitethernet 0/0/1
[UPE1-GigabitEthernet0/0/1] port link-type trunk
[UPE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 2
[UPE1-GigabitEthernet0/0/1] quit
# Configure UPE2.

[UPE2] vlan 2
[UPE2-vlan2] quit
# Configure UPE3.
[UPE3] vlan 2
[UPE3-vlan2] quit
# Configure the PE-AGG.

[HUAWEI] sysname PEAGG
[PEAGG] vlan 2
[PEAGG-vlan2] quit
[PEAGG] interface gigabitethernet 0/0/1
[PEAGG-GigabitEthernet0/0/1] port link-type trunk
[PEAGG-GigabitEthernet0/0/1] port trunk allow-pass vlan 2
[PEAGG-GigabitEthernet0/0/1] quit
[PEAGG] interface gigabitethernet 0/0/2
[PEAGG-GigabitEthernet0/0/2] port link-type trunk
[PEAGG-GigabitEthernet0/0/2] port trunk allow-pass vlan 2
[PEAGG-GigabitEthernet0/0/2] quit
After the configuration is complete, run the display vlan vlan-id command on each device. You
can view VSI and PW information.
<UPE1>display vlan 2
--------------------------------------------------------------------------------
U: Up; D: Down; TG: Tagged; UT: Untagged;
MP: Vlan-mapping; ST: Vlan-stacking;
#: ProtocolTransparent-vlan; *: Management-vlan;
--------------------------------------------------------------------------------
VID Type Ports

--------------------------------------------------------------------------------
2 common TG:GE0/0/1(U) GE0/0/2(U)
VID Status Property MAC-LRN Statistics Description

--------------------------------------------------------------------------------
2 enable default enable disable VLAN 0002
Step 2 Configure basic CFM functions.
# Configure basic CFM functions on UPE1.

[UPE1] cfm version standard
[UPE1] cfm enable
Info: Succeeded in enabling CFM.
[UPE1] cfm md md

[UPE1-md-md] ma ma
[UPE1-md-md-ma-ma] map vlan 2
[UPE1-md-md-ma-ma] mep mep-id 1 interface gigabitethernet 0/0/2 outward
[UPE1-md-md-ma-ma] mep ccm-send mep-id 1 enable
[UPE1-md-md-ma-ma] remote-mep mep-id 2
[UPE1-md-md-ma-ma] remote-mep ccm-receive mep-id 2 enable
# Configure basic CFM functions on the PE-AGG.

[PEAGG] cfm version standard
[PEAGG] cfm enable
Info: Succeeded in enabling CFM.
[PEAGG] cfm md md
[PEAGG-md-md] ma ma
[PEAGG-md-md-ma-ma] map vlan 2
[PEAGG-md-md-ma-ma] mep mep-id 2 interface gigabitethernet 0/0/2 outward
[PEAGG-md-md-ma-ma] mep ccm-send mep-id 2 enable
[PEAGG-md-md-ma-ma] remote-mep mep-id 1
[PEAGG-md-md-ma-ma] remote-mep ccm-receive mep-id 1 enable
After the configuration is complete, run the display cfm remote-mep command on UPE1 and
PE-AGG. You can view MEP information.
<UPE1>display cfm remote-mep
The total number of RMEPs is : 1
The status of RMEPs : 1 up, 0 down, 0 disable
--------------------------------------------------
MD Name : md
Level : 0
MA Name : ma
RMEP ID : 2
VLAN ID : 2
VSI Name : --
L2VC ID : --
MAC : 00e0-0003-0003
CCM Receive : enabled
Trigger-If-Down : disabled
CFM Status : up
Alarm Status : none
----End
Configuration Files
l Configuration file of UPE1
#
sysname UPE1
#
vlan batch
2
#
cfm version standard
cfm
enable
#
interface
port link-type
trunk
2
#
interface
port link-type
trunk


2
#
cfm md
md
ma
ma
map vlan
2
mep mep-id 1 interface GigabitEthernet0/0/2
outward
mep ccm-send mep-id 1
enable
remote-mep mep-id
2
remote-mep ccm-receive mep-id 2
enable
#
return

#
sysname
UPE2
#
vlan batch
2
#
cfm
enable
#
interface
port link-type
trunk
2
#
interface
port link-type
trunk
2
#
return

#
sysname
UPE3
#
vlan batch
2
#
cfm
enable
#
interface
port link-type
trunk
2
#
interface

port link-type
trunk
2
#
return
l Configuration file of the PE-AGG

#
sysname PEAGG
#
vlan batch
2
#
cfm
enable
#
interface
port link-type
trunk
2
#
interface
port link-type
trunk
2
#
cfm md
md
ma
ma
map vlan
2
outward
enable
remote-mep mep-id
1
enable
#
return
9.7.2 Example for Associating Ethernet CFM with an Interface
As shown in Figure 9-23, a user network is connected to an ISP network through SwitchA and
SwitchB. SwitchA functions as the CE, and SwitchB functions as the UPE. The requirements
are as follows:
l The bandwidth for the user network to access the ISP network is 2000 Mbit/s and an inactive
link that serves as a backup is provided.
l When the active link between the user network and the ISP network fails, the LACP module
can detect the fault within 50 ms and stop forwarding data on the active link.

Figure 9-23 Association between CFM with an interface
ISP network
SwitchB
GE0/0/3
GE0/0/1
GE0/0/2
GE0/0/2
GE0/0/1 GE0/0/3
SwitchA
User
network1
Active Link
Inactive Link
Link aggreation group in LACP mode
l Configure a link aggregation group (LAG) in LACP mode with three member interfaces
on SwitchA and SwitchB respectively to increase the bandwidth, implement redundancy,
and improve reliability.
l Configure Ethernet CFM on SwitchA and SwitchB, and set the interval for sending and
detecting CCMs to 100s in each MA so that the LACP module can detect link faults within
50 ms.
l Associate Ethernet CFM with member interfaces of the LAGs in LACP mode on SwitchA
and SwitchB so that member interfaces can fast detect link faults.
Procedure
Step 1 Configure an LAG in static LACP mode.
For details, see 3.1 Link Aggregation Configuration in the S2350&S5300&S6300 Series
Ethernet Switches Configuration Guide - LAN Configuration.
Step 2 Configure Ethernet CFM.
# Enable Ethernet CFM globally on SwitchA.

[SwitchA] cfm enable
# Create MD, MA, MEP and RMEP on SwitchA.

[SwitchA] cfm md md1

[SwitchA-md-md1] ma ma1
[SwitchA-md-md1-ma-ma1] ccm-interval 100
[SwitchA-md-md1-ma-ma1] mep mep-id 2 interface gigabitethernet 0/0/1 outward
[SwitchA-md-md1-ma-ma1] remote-mep mep-id 1
[SwitchA-md-md1-ma-ma1] mep ccm-send enable
[SwitchA-md-md1-ma-ma1] remote-mep ccm-receive enable
[SwitchA-md-md1-ma-ma1] quit
[SwitchA-md-md1] quit
# Enable Ethernet CFM globally on SwitchB.

[SwitchB] cfm enable
# Create MD, MA, MEP and RMEP on SwitchB.

[SwitchB] cfm md md1
[SwitchB-md-md1] ma ma1
[SwitchB-md-md1-ma-ma1] ccm-interval 100
[SwitchB-md-md1-ma-ma1] mep mep-id 1 interface gigabitethernet 0/0/1 outward
[SwitchB-md-md1-ma-ma1] remote-mep mep-id 2
[SwitchB-md-md1-ma-ma1] mep ccm-send enable
[SwitchB-md-md1-ma-ma1] remote-mep ccm-receive enable
[SwitchB-md-md1-ma-ma1] quit
[SwitchB-md-md1] quit
[SwitchB] quit
Run the display cfm mep and display cfm remote-mep commands on SwitchA or SwitchB. If
information about the MEP and RMEP is displayed, the configuration is successful. The
displayed information on SwitchB is as follows:
[SwitchB] display cfm mep md md1
The total number of MEPs is 3
MD Name : md1
MD Name Format : string
Level : 0
MA Name : ma1

MEP ID : 1
VLAN ID : --
VSI Name : --
L2VC ID : --
Interface Name : GigabitEthernet0/0/1
CCM Send : enabled
Direction : outward
MAC Address : 0002-0003-0161
MEP Pe-vid : --
MEP Ce-vid : --
MEP Vid : --
Alarm Status : LOC
Alarm AIS : enabled
Alarm RDI : enabled
MD Name : md1
Level : 0
MA Name : ma2
MEP ID : 3
VLAN ID : --
VSI Name : --
L2VC ID : --
CCM Send : enabled
Direction : outward
MAC Address : 0002-0003-0166
MEP Pe-vid : --
MEP Ce-vid : --
MEP Vid : --
Alarm Status : LOC
Alarm AIS : enabled
Alarm RDI : enabled
MD Name : md3
Level : 0
MA Name : ma1
MEP ID : 5
VLAN ID : --
VSI Name : --
L2VC ID : --
CCM Send : enabled
Direction : outward
MAC Address : 0002-0003-0168
MEP Pe-vid : --
MEP Ce-vid : --
MEP Vid : --
Alarm Status : LOC
Alarm AIS : enabled
Alarm RDI : enabled
[SwitchB] display cfm remote-mep md md1
--------------------------------------------------
MD Name : md1
Level : 0
MA Name : ma1
RMEP ID : 2
VLAN ID : --
VSI Name : --
L2VC ID : --
MAC : 0200-0000-0208
CFM Status : up
Alarm Status : LOC
Interface TLV : --

MD Name : md1
Level : 0
MA Name : ma2
RMEP ID : 4
VLAN ID : --
VSI Name : --
L2VC ID : --
MAC : 0200-0000-0216
CFM Status : up
Alarm Status : LOC
Interface TLV : --
MD Name : md1
Level : 0
MA Name : ma3
RMEP ID : 6
VLAN ID : --
VSI Name : --
L2VC ID : --
MAC : 0200-0000-0219
CFM Status : up
Alarm Status : LOC
Interface TLV : --
Step 3 Associate Ethernet CFM with member interfaces of the LAG in static LACP mode.
# Associate Ethernet CFM with member interfaces of Eth-Trunk 2 on SwitchA.

[SwitchA-GigabitEthernet0/0/1] cfm md md1 ma ma1 remote-mep mep-id 1 trigger if-
down
down
down
# Associate Ethernet CFM with member interfaces of Eth-Trunk 2 on SwitchB.

[SwitchB-GigabitEthernet0/0/1] cfm md md1 ma ma1 remote-mep mep-id 2 trigger if-
down
down
down
Run the display cfm remote-mep command on SwitchA or SwitchB. If the Trigger-If-down
field is displayed as enabled, the configuration is successful.
[SwitchB] display cfm remote-mep md md1

--------------------------------------------------
MD Name : md1
Level : 0
MA Name : ma1
RMEP ID : 2
VLAN ID : --
VSI Name : --
L2VC ID : --
MAC : 0200-0000-0208
Trigger-If-Down : enabled
CFM Status : up
Alarm Status : LOC
Interface TLV : --
MD Name : md1
Level : 0
MA Name : ma2
RMEP ID : 4
VLAN ID : --
VSI Name : --
L2VC ID : --
MAC : 0200-0000-0216
CFM Status : up
Alarm Status : LOC
Interface TLV : --
MD Name : md1
Level : 0
MA Name : ma3
RMEP ID : 6
VLAN ID : --
VSI Name : --
L2VC ID : --
MAC : 0200-0000-0219
CFM Status : up
Alarm Status : LOC
Interface TLV : --
----End
Configuration Files
#
sysname SwitchA
#
cfm enable
#
mode lacp
#
eth-trunk 2
cfm md md1 ma ma1 remote-mep mep-id 1 trigger if-down
#
eth-trunk 2
#
eth-trunk 2
#

cfm md md1
ma ma1
ccm-interval 100
mep mep-id 2 interface GigabitEthernet0/0/1 outward
mep ccm-send mep-id 2 enable
remote-mep mep-id 1
remote-mep ccm-receive mep-id 1 enable
ma ma2
ccm-interval 100
remote-mep mep-id 3
ma ma3
ccm-interval 100
remote-mep mep-id 5
#
return

#
sysname SwitchB
#
lacp priority 100
#
cfm enable
#
mode lacp
max bandwidth-affected-linknumber 2
#
eth-trunk 2
lacp priority 2000
#
eth-trunk 2
lacp priority 2000
#
eth-trunk 2
#
cfm md md1
ma ma1
ccm-interval 100
remote-mep mep-id 2
ma ma2
ccm-interval 100
remote-mep mep-id 4
ma ma3
ccm-interval 100
remote-mep mep-id 6

#
return
9.7.3 Example for Configuring Association Between CFM Modules
As shown in Figure 9-24, SwitchA, SwitchB, and SwitchC are connected at Layer 2. The
l Connectivity of the links between SwitchA and SwitchB and between SwitchB and
SwitchC can be monitored.
l When the link between SwitchA and SwitchB becomes faulty, SwitchC can detect the fault.
Figure 9-24 Networking diagram for configuring association between CFM and CFM
GE0/0/1 GE0/0/2
GE0/0/1 GE0/0/2
CFM CFM
MEP in MA1
MEP in MA2
2. Configure CFM between SwitchA and SwitchB and between SwitchB and SwitchC to
monitor link connectivity.
3. Configure association between CFM modules on SwitchB and SwitchC.
Procedure
Step 1 Create VLANs and add interfaces to the VLANs. The configuration details are not mentioned
here.
Step 2 Configure CFM between SwitchA and SwitchB.

[SwitchA-md-md1-ma-ma1] map vlan 10
[SwitchB-md-md1-ma-ma1] map vlan 10
Step 3 Configure CFM between SwitchB and SwitchC.
[SwitchC] cfm enable
[SwitchC] cfm md md1
[SwitchC-md-md1] ma ma2
[SwitchC-md-md1-ma-ma2] map vlan 20
[SwitchC-md-md1-ma-ma2] mep mep-id 2 interface gigabitethernet 0/0/2 outward
[SwitchC-md-md1-ma-ma2] mep ccm-send enable
[SwitchC-md-md1-ma-ma2] remote-mep ccm-receive enable
[SwitchC-md-md1-ma-ma2] quit
[SwitchC-md-md1] quit
Run the display cfm remote-mep command on SwitchB to check the CFM status. You can see
that the CFM status is Up.
[SwitchB] display cfm remote-mep
--------------------------------------------------
MD Name : md1
Level : 0
MA Name : ma1
RMEP ID : 1
VLAN ID : 10
VSI Name : --
L2VC ID : --
MAC : 0025-9efb-494a

CFM Status : up
Alarm Status : none
Interface TLV : --
MD Name : md1
Level : 0
MA Name : ma2
RMEP ID : 2
VLAN ID : 20
VSI Name : --
L2VC ID : --
MAC : 0002-0003-0161
CFM Status : up
Alarm Status : none
Interface TLV : --
Step 4 Configure association between CFM modules.
# Associate CFM between SwitchA and SwitchB with CFM between SwitchB and SwitchC in
both directions.
[SwitchB] oam-mgr
[SwitchB-oam-mgr] oam-bind cfm md md1 ma ma1 cfm md md1 ma ma2
Shut down GE0/0/2 on SwitchB. Run the display cfm remote-mep command on SwitchA to
check the CFM status between SwitchA and SwitchB. You can see that the CFM status is Down.
[SwitchA]display cfm remote-mep
--------------------------------------------------
MD Name : md1
Level : 0
MA Name : ma1
RMEP ID : 2
VLAN ID : 10
VSI Name : --
L2VC ID : --
MAC : 0044-0141-5410
CFM Status : down
Alarm Status : RDI
Interface TLV : --
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
cfm enable
#
#

cfm md md1
ma ma1
map vlan 10
remote-mep mep-id 2
#
return

#
sysname SwitchB
#
vlan batch 10 20
#
cfm enable
#
#
shutdown
#
cfm md md1
ma ma1
map vlan 10
remote-mep mep-id 1
ma ma2
map vlan 20
remote-mep mep-id 2
#
oam-mgr
oam-bind ingress cfm md md1 ma ma1 egress cfm md md1 ma ma2
oam-bind ingress cfm md md1 ma ma2 egress cfm md md1 ma ma1
#
return

#
sysname SwitchC
#
vlan batch 20
#
cfm enable
#
#
cfm md md1
ma ma2
map vlan 20
remote-mep mep-id 1

#
return
9.7.4 Example for Configuring Association Between CFM and EFM
As shown in Figure 9-25, CE1 is dual-homed to PE1 and PE3. The requirements are as follows:
l Connectivity of links between CE1 and PE3, between PE3 and PE4, and between PE4 and
CE2 can be detected.
l If the link between CE1 and PE3 becomes faulty, CE2 can detect the fault, preventing return
traffic from being forwarded to PE4.
l When the link between PE3 and PE4 becomes faulty, CE1 or CE2 can detect the fault.
l When the link between CE1 and PE3 goes faulty, a active/standby link switchover can be
implemented.
Figure 9-25 Association between EFM and CFM
PE1 PE2
GE0/0/2 GE0/0/2
GE0/0/1 GE0/0/1
CE1 CE2
GE0/0/2 GE0/0/2
User User
Network GE0/0/1 GE0/0/1 Network
PE3 PE4
GE0/0/1 GE0/0/1
GE0/0/2 GE0/0/2
EFM
CFM EFM
1. Configure EFM for links between CE1 and PE3 and between CE2 and PE4 to monitor link
connectivity.
2. Configure CFM for the link between PE3 and PE4 to monitor link connectivity.

3. Configure association between EFM and interfaces on CE2. When EFM detects a link fault
between CE1 and PE3, traffic can be switched to the backup link and return traffic is not
forwarded to PE4.
4. Configure association between CFM and EFM on PE3 and PE4 so that CFM and EFM can
notify each other of faults.
Procedure
[CE1] efm enable

[CE2] efm enable
# Enable EFM on PE3 globally.

[PE3] efm enable
# Enable EFM on PE4 globally.

[PE4] efm enable


# Enable EFM on GE0/0/1 of PE3.

[PE3-GigabitEthernet0/0/1] efm enable
# Enable EFM on GE0/0/1 of PE4.

[PE4-GigabitEthernet0/0/1] efm enable

If EFM is correctly configured on PE3, CE1, PE4, and CE2, GE0/0/1 of these devices will enter
the handshake stage. Run the display efm session { all | interface interface-type interface-
num } command on one of these devices. The command output shows that the EFM status on
GE0/0/1 is detect.


----------------------------------------------------------------------
Step 2 Configure basic CFM functions.

An outward-facing MEP in a VLAN is used as an example to describe how to configure basic
CFM functions.
# Configure basic CFM functions on PE3.
[PE3] vlan 2
[PE3-vlan2] quit
[PE3] cfm version standard
[PE3] cfm enable
[PE3] cfm md md1
[PE3-md-md1] ma ma1
[PE3-md-md1-ma-ma1] map vlan 2
[PE3-md-md1-ma-ma1] mep mep-id 1 interface gigabitethernet 0/0/2 outward
[PE3-md-md1-ma-ma1] remote-mep mep-id 2
[PE3-md-md1-ma-ma1] mep ccm-send enable
[PE3-md-md1-ma-ma1] remote-mep ccm-receive enable
[PE3-md-md1-ma-ma1] quit
[PE4-md-md1] quit
# Configure basic CFM functions on PE4.

[PE4] vlan 2
[PE4--vlan2] quit
[PE4] cfm enable
[PE4] cfm md md1
[PE4-md-md1] ma ma1
[PE4-md-md1-ma-ma1] mep mep-id 2 interface gigabitethernet 0/0/2 outward
[PE4-md-md1] quit

Run the display cfm remote-mep command on PE3 or PE4. If the value of the CFM Status
field is up, the CFM configuration is correct.
[PE3] display cfm remote-mep
--------------------------------------------------
MD Name : md1
Level : 0
MA Name : ma1
RMEP ID : 2
VLAN ID : 2
VSI Name : --
L2VC ID : --
MAC : --


CFM Status : up
Alarm Status : none
Interface TLV : --
Step 3 Configure association between EFM and CFM.

# Configure association between EFM and CFM on PE3.
[PE3] oam-mgr
[PE3-oam-mgr] oam-bind cfm md md1 ma ma1 efm interface gigabitethernet 0/0/1
[PE3-oam-mgr] quit
# Configure association between EFM and CFM on PE4.

[PE4] oam-mgr
[PE4-oam-mgr] oam-bind cfm md md1 ma ma1 efm interface gigabitethernet 0/0/1
[PE4-oam-mgr] quit
Step 4 Configure association between EFM and an interface on CE2.

[CE2-GigabitEthernet0/0/1] efm trigger if-down

After association functions are configured, run the undo efm enable command on GE0/0/1 of
CE1 to simulate a fault on the link between CE1 and PE3. Run the display interface interface-
type interface-num command on GE0/0/2 of CE2. The command output shows that the Line
protocol current state field value is DOWN (EFM down), indicating that the fault is transmitted
from the link between CE1 and PE3 to the link between PE4 and CE2.
Line protocol current state : DOWN (EFM down)
...
NOTE
----End
Configuration Files
#
sysname CE1
#
efm enable
#
efm enable
#
return

#
sysname PE3
#
vlan batch
2
#

cfm version
standard
cfm
enable
#
efm
enable
#
interface
efm
enable
#
port link-type
trunk
2
#
cfm md
md1
ma
ma1
map vlan
2
enable
remote-mep mep-id
2
enable
#
oam-
mgr
oam-bind ingress efm interface GigabitEthernet0/0/1 egress cfm md md1 ma
ma1
oam-bind ingress cfm md md1 ma ma1 egress efm interface
#
return

#
sysname PE4
#
vlan batch
2
#
cfm version
standard
cfm
enable
#
efm
enable
#
interface
efm
enable
#
interface
port link-type
trunk

2
#
cfm md
md1
ma
ma1
map vlan
2
outward
enable
remote-mep mep-id
1
enable
#
oam-
mgr
oam-bind ingress efm interface GigabitEthernet0/0/1 egress cfm md md1 ma
ma1
oam-bind ingress cfm md md1 ma ma1 egress efm interface
#
return

#
sysname CE2
#
efm enable
#
interface
efm enable
efm trigger if-down
#
return
9.8 Y.1731 Configuration

Y.1731 provides fault detection and fault management on an Ethernet end-to-end link.
9.8.1 Example for Configuring One-way Frame Delay Measurement

in a VLAN
As networks rapidly develop and applications become diversified, various value-added services
such as IPTV, video conferencing and VOIP are widely used. Link connectivity and network
performance determine QoS on bearer networks. Therefore, performance monitoring is
important for service transmission.
As shown in Figure 9-26, CFM is configured between CEs. To provide high-quality video
services, carriers hope to monitor the one-way delay over mobile bearer links in real time, while
monitoring link connectivity. Monitoring the one-way delay over mobile bearer links allows the
carriers to respond quickly to video service quality deterioration.

Figure 9-26 Configuring Y.1731 in a VLAN
PE1 PE2
GE0/0/2 GE0/0/2
VLAN
GE0/0/1 GE0/0/1
GE0/0/1 GE0/0/1
CE1 CE2
User User
network network
1. Configure on-demand one-way frame delay measurement for the end-to-end link between
the CEs to periodically collect statistics about the delay in frame transmission.
Procedure
Step 1 Configure basic Ethernet CFM functions and specify the MEP type as outward.
Configure basic Ethernet CFM functions on each CE. Specify CFM version as IEEE Standard
802.1ag-2007, create an MD named md3 and an MA named ma3, and bind the MA to the VLAN.
# Configure CE1.
[CE1] vlan 2
[CE1-vlan2] quit
[CE1] cfm enable
[CE1] cfm version standard
[CE1] cfm md md3
[CE1-md-md3] ma ma3
[CE1-md-md3-ma-ma3] map vlan 2
[CE1-md-md3-ma-ma3] mep mep-id 3 interface gigabitethernet 0/0/1 outward
[CE1-md-md3-ma-ma3] mep ccm-send mep-id 3 enable
[CE1-md-md3-ma-ma3] remote-mep mep-id 4
[CE1-md-md3-ma-ma3] remote-mep ccm-receive mep-id 4 enable
# Configure CE2.
[CE2] vlan 2
[CE2-vlan2] quit
[CE2-GigabitEthernet0/0/1]port link-type trunk
[CE2-GigabitEthernet0/0/1]port trunk allow-pass vlan 2

[CE2-GigabitEthernet0/0/1]quit
[CE2] cfm enable
[CE2] cfm md md3
[CE2-md-md3] ma ma3
Step 2 Configure CE2 to receive DM frames.
# Configure CE2.
[CE2] cfm md md3
[CE2-md-md3] ma ma3
[CE2-md-md3-ma-ma3] delay-measure one-way receive mep 4
[CE2-md-md3-ma-ma3] quit
[CE2-md-md3] quit
Step 3 Enable one-way frame delay measurement.
# Configure CE1.
[CE1] cfm md md3
[CE1-md-md3] ma ma3
[CE1-md-md3-ma-ma3] delay-measure one-way send mep 3 remote-mep 4 interval 1000
count 20
[CE1-md-md3] quit
# After the configuration is complete, run the display y1731 statistic-type oneway-delay md
md3 ma ma3 command on CE2. You can see statistics about the one-way frame delay.
<CE2> display y1731 statistic-type oneway-delay md md3 ma ma3
Latest one-way delay statistics:
--------------------------------------------------------------------------------
Index Delay(usec) Delay variation(usec)
--------------------------------------------------------------------------------
1 10000 -
2 10000 0
3 10000 0
4 10000 0
5 10000 0
6 10000 0
7 10000 0
8 10000 0
9 10000 0
10 10000 0
11 10000 0
12 40000 30000
13 10000 30000
14 10000 0
15 10000 0
16 10000 0
17 10000 0
--------------------------------------------------------------------------------
Average delay(usec) : 11764 Average delay variation(usec) : 3750
Maximum delay(usec) : 40000 Maximum delay variation(usec) : 30000
Minimum delay(usec) : 10000 Minimum delay variation(usec) : 0
----End

Configuration Files
#
sysname CE1
#
vlan batch 2
#
cfm enable
#
#
cfm md md3
ma ma3
map vlan 2
remote-mep mep-id 4
#
return
#
sysname CE2
#
vlan batch 2
#
cfm enable
#
#
cfm md md3
ma ma3
map vlan 2
remote-mep mep-id 3
delay-measure one-way receive mep 4
#
return
9.8.2 Example for Configuring Two-way Frame Delay Measurement

in a VLAN
As networks rapidly develop and applications become diversified, various value-added services
such as IPTV, video conferencing and VOIP are widely used. Link connectivity and network
performance determine QoS on bearer networks. Therefore, performance monitoring is
especially important for service transmission.

As shown in Figure 9-27, CFM is configured between CEs. To provide high-quality video
services, carriers hope to monitor the two-way delay over mobile bearer links in real time, while
monitoring link connectivity. Monitoring the two-way delay over mobile bearer links allows the
carriers to respond quickly to video service quality deterioration.
Figure 9-27 Configuring Y.1731 in a VLAN
PE1 PE2
GE0/0/2 GE0/0/2
VLAN
GE0/0/1 GE0/0/1
GE0/0/1 GE0/0/1
CE1 CE2
User User
network network
1. Configure on-demand two-way frame delay measurement for the end-to-end link between
the CEs to periodically collect statistics about the delay in frame transmission.
Procedure
Step 1 Configure basic Ethernet CFM functions and specify the MEP type as outward.
# Configure CE1.
[CE1] vlan 2
[CE1-vlan2] quit
[CE1] cfm enable
[CE1] cfm md md3
[CE1-md-md3] ma ma3
# Configure CE2.

[CE2] vlan 2
[CE2-vlan2] quit
[CE2-GigabitEthernet0/0/1]port link-type trunk
[CE2-GigabitEthernet0/0/1]port trunk allow-pass vlan 2
[CE2-GigabitEthernet0/0/1]quit
[CE2] cfm enable
[CE2] cfm md md3
[CE2-md-md3] ma ma3
Step 2 Configure CE2 to receive DMM frames.
# Configure CE2.
[CE2] cfm md md3
[CE2-md-md3] ma ma3
[CE2-md-md3-ma-ma3] delay-measure two-way receive mep 4
[CE2-md-md3] quit
Step 3 Enable two-way frame delay measurement.
# Configure CE1.
[CE1] cfm md md3
[CE1-md-md3] ma ma3
[CE1-md-md3-ma-ma3] delay-measure two-way send mep 3 remote-mep 4 interval 1000
count 20
[CE1-md-md3] quit
# After the configuration is complete, run the display y1731 statistics-type twoway-delay md
md3 ma ma3 command. You can see the statistics about the two-way frame delay.
<CE1> display y1731 statistic-type twoway-delay md md3 ma ma3
Latest two-way delay statistics:
--------------------------------------------------------------------------------
Index Delay(usec) Delay variation(usec)
--------------------------------------------------------------------------------
1 0 -
2 0 0
3 0 0
4 0 0
5 0 0
6 0 0
7 0 0
8 0 0
9 0 0
10 0 0
--------------------------------------------------------------------------------
Average delay(usec) : 0 Average delay variation(usec) : 0
Maximum delay(usec) : 0 Maximum delay variation(usec) : 0
Minimum delay(usec) : 0 Minimum delay variation(usec) : 0
----End

Configuration Files
#
sysname CE1
#
vlan batch 2
#
cfm enable
#
#
cfm md md3
ma ma3
map vlan 2
remote-mep mep-id 4
#
return
#
sysname CE2
#
vlan batch 2
#
cfm enable
#
#
cfm md md3
ma ma3
map vlan 2
remote-mep mep-id 3
delay-measure two-way receive mep 4
#
return
9.8.3 Example for Configuring AIS
AIS is used to prevent a MEP in an MD of a higher level from sending the same trap as that sent
by a MEP in an MD of a lower level to the NMS.
As shown in Figure 9-28, CE1 is connected to PE1 and CE2 is connected to PE2 through sub-
interfaces. A VLAN is created between PEs.
AIS is configured on PEs and alarm suppression is enabled on CEs. In MD nesting scenarios, if
a MEP in a low-level MD detects a fault, the MEP sends a trap to the NMS. After a certain

period, a MEP in the MD of a higher level also detects the fault and sends the same trap to the
NMS. In this case, the MEP in the MD of a higher level must be prevented from sending the
same trap to the NMS.
Figure 9-28 Configuring AIS
CE1 PE1 PE2 CE2

GE0/0/1 GE0/0/2 GE0/0/1
GE0/0/1 GE0/0/2 GE0/0/1
MD2 Level 3
MD1 Level 6
1. Add PEs to an MD, add CEs to an MD, and ensure that the level of the MD to which the
PEs belong is lower than that to which CEs belong so that the MEP in the MD of a higher
level is suppressed from sending the same trap to the NMS.
2. Configure alarm suppression to suppress MEPs in MDs of different levels from sending
the same trap to the NMS.
Procedure
Step 1 Configure VLANs.
Configure a VLAN between PE1 and PE2. The configuration details are not mentioned here.
For details, see 3.2 VLAN Configuration in the S2350&S5300&S6300 Series Ethernet Switches
Configuration Guide - LAN Configuration or configuration files in this configuration example.
Step 2 Configure basic Ethernet CFM functions.
Configure basic Ethernet CFM functions on each PE. Specify CFM version as IEEE Standard
# Configure PE1.
[PE1] cfm enable
[PE1] cfm md md1 level 3
[PE1-md-md1] ma ma1
[PE1-md-md1] quit
# Configure PE2.

[PE2] cfm enable
[PE2] cfm md md1 level 3
[PE2-md-md1] ma ma1
[PE2-md-md1] quit
802.1ag-2007, and create an MD named md2 and an MA named ma2.
# Configure CE1.
[CE1] cfm enable
[CE1] cfm md md2 level 6
[CE1-md-md2] ma ma2
[CE1-md-md2] quit
# Configure CE2.
[CE2] cfm enable
[CE2] cfm md md2 level 6
[CE2-md-md2] ma ma2
[CE2-md-md2] quit
Step 3 Create an outward-facing MEP on the AC interface of each PE.
# Configure PE1.
[PE1] cfm md md1
[PE1-md-md1] ma ma1
[PE1-md-md1-ma-ma1] mep mep-id 31 interface gigabitethernet 0/0/1 inward
[PE1-md-md1] quit
# Configure PE2.
[PE2] cfm md md1
[PE2-md-md1] ma ma1
[PE2-md-md1-ma-ma1] mep mep-id 32 interface gigabitethernet 0/0/1 inward

[PE2-md-md1] quit
Step 4 Create an outward-facing MEP on each CE.

# Configure CE1.
[CE1] cfm md md2
[CE1-md-md2] ma ma2
[CE1-md-md2-ma-ma2] ccm-interval 10000
[CE1-md-md2-ma-ma2] mep ccm-send enable
[CE1-md-md2-ma-ma2] remote-mep ccm-receive enable
[CE1-md-md2] quit
# Configure CE2.
[CE2] cfm md md2
[CE2-md-md2] ma ma2
[CE2-md-md2-ma-ma2] ccm-interval 10000
[CE2-md-md2-ma-ma2] mep ccm-send enable
[CE2-md-md2-ma-ma2] remote-mep ccm-receive enable
[CE2-md-md2] quit
Step 5 Configure AIS.

# Configure PE1.
[PE1] cfm md md1
[PE1-md-md1] ma ma1
[PE1-md-md1-ma-ma1] ais enable
[PE1-md-md1-ma-ma1] ais link-status interface gigabitethernet 0/0/2
[PE1-md-md1-ma-ma1] ais level 6
[PE1-md-md1-ma-ma1] ais interval 1
[PE1-md-md1-ma-ma1] ais vlan vid 10 mep 31
[PE1-md-md1] quit
# Configure PE2.
[PE2] cfm md md1
[PE2-md-md1] ma ma1
[PE2-md-md1-ma-ma1] ais enable
[PE2-md-md1-ma-ma1] ais link-status interface gigabitethernet 0/0/2
[PE2-md-md1-ma-ma1] ais level 6
[PE2-md-md1-ma-ma1] ais interval 1
[PE2-md-md1-ma-ma1] ais vlan vid 10 mep 32
[PE2-md-md1] quit
Step 6 Enable alarm suppression.

# Configure CE1.
[CE1] cfm md md2
[CE1-md-md2] ma ma2
[CE1-md-md2-ma-ma2] ais enable
[CE1-md-md2-ma-ma2] ais suppress-alarm
[CE1-md-md2] quit
# Configure CE2.
[CE2] cfm md md2
[CE2-md-md2] ma ma2

[CE2-md-md2-ma-ma2] ais enable

[CE2-md-md2-ma-ma2] ais suppress-alarm
[CE2-md-md2] quit

If a fault occurs in the VLAN between PE1 and PE2 after the preceding configuration is
complete, run the display cfm ma md md1 ma ma1 command on PE1. The value of the Sending
Ais Packet field is displayed as Yes in the command output. Run the display cfm ma md md2
ma ma2 command on CE1. The value of the Suppressing Alarms field is displayed as Yes in
the command output.
[PE1] display cfm ma md md1 ma ma1
The total number of MAs is 1
MD Name : md1
Level : 3
MIP Create-type : none
SenderID TLV-type : defer
MA Name : ma1
MA Name Format : string
Interval : 1000
Priority : 4
Vlan ID : 2
VSI Name : --
L2VC ID : --
MEP Number : 31
RMEP Number : 32
Suppressing Alarms : No
Sending Ais Packet : Yes
Interface TLV : disabled
[CE1] display cfm ma md md2 ma ma2
The total number of MAs is 1
MD Name : md2
Level : 6
MIP Create-type : none
SenderID TLV-type : defer
MA Name : ma2
MA Name Format : string
Interval : 10000
Priority : 4
Vlan ID : 10
VSI Name : --
L2VC ID : --
MEP Number : 61
RMEP Number : 62
Suppressing Alarms : Yes
Sending Ais Packet : NO
Interface TLV : disabled
----End
Configuration Files
#
sysname PE1
#
vlan batch 2 10
#
cfm enable
#

#
#
cfm md md1 level 3
ma ma1
map vlan 2
mep mep-id 31 interface GigabitEthernet0/0/1 inward
mep ccm-send enable
remote-mep mep-id 32
remote-mep ccm-receive enable
ais enable
ais link-status interface GigabitEthernet0/0/2
ais level 6
ais interval 1
ais vlan vid 10 mep 31
#
return

#
sysname PE2
#
vlan batch 2 10
#
cfm enable
#
#
#
cfm md md1 level 3
ma ma1
map vlan 2
mep mep-id 32 interface GigabitEthernet0/0/1 inward
mep ccm-send enable
ais enable
ais link-status interface GigabitEthernet0/0/2
ais level 6
ais interval 1
ais vlan vid 10 mep 32
#
return

#
sysname CE1
#
vlan batch 10
#
cfm enable
#

#
cfm md md2 level 6
ma ma2
map vlan 10
ccm-interval 10000
mep ccm-send enable
ais enable
ais suppress-alarm
#
return

#
sysname CE2
#
vlan batch 10
#
cfm enable
#
#
cfm md md2 level 6
ma ma2
map vlan 10
ccm-interval 10000
mep ccm-send enable
ais enable
ais suppress-alarm
#
return
9.9 ERPS (G.8032) Configuration

Ethernet ring protection switching (ERPS) is a standard protocol issued by the ITU-T to prevent
loops on ring networks. ERPS features fast convergence speed, ensuring carrier-class reliability.
Huawei and non-Huawei devices on a ring network supporting ERPS can communicate with
each other.
9.9.1 Example for Configuring ERPS
As shown in Figure 9-29, a ring topology is used at the aggregation layer to improve network
reliability. Switches A to E form a ring network that implements service aggregation at Layer 2
and processes Layer 3 services. Devices on the ring network can be manufactured by different
vendors.

The ring network needs to run a protocol that prevents loops and supports rapid switchover. In
addition, devices of different vendors supporting this protocol must be compatible with each
other.
You can enable ERPS on the nodes of the ring network to prevent loops and support rapid
switchover. ERPS is a standard protocol issued by ITU-T and ensures communication between
devices of different vendors.
Packets belong to VLANs 100 through 200. To prevent loops on the ring network, configure
ERPS on devices. Packets sent from CE1 are forwarded through SwitchB and SwitchA. Packets
sent from CE2 are forwarded through SwitchC, SwitchB, and SwitchA. Packets sent from CE3
are forwarded through SwitchD and SwitchE.
Figure 9-29 ERPS single ring network
Network
NPE1 NPE2
GE0/0/2 SwitchE
SwitchA
GE0/0/1
GE0/0/1 GE0/0/2
GE0/0/2
GE0/0/1 ERPS SwitchD
SwitchB
GE0/0/1
GE0/0/2 RPL
GE0/0/1
GE0/0/2
RPL Owner CE3
CE1 SwitchC
VLAN100-
VLAN100- 200
200 CE2
VLAN100-
200
Blocked Port
Data Flow1
Data Flow2
Data Flow3

1. Configure the basic Layer 2 forwarding function on switches A to E.

2. Create an ERPS ring, and configure a control VLAN and protected instance. The control
VLAN is used to forward RAPS PDUs. The VLAN in which RAPS PDUs and data packets
are transmitted must be mapped to a protected instance so that ERPS forwards or blocks
these packets based on rules.
3. Add Layer 2 ports to the ERPS ring and configure GE0/0/2 of SwitchC as the RPL Owner
port. The port is blocked to prevent loops. When a link on the ring network fails, ERPS
unblocks the interface in a timely manner to perform protection switchover for links and
restore the communication between nodes.
4. Set the Guard timer and WTR timer for the ERPS ring based on the network requirements.
Procedure
Step 1 Create VLANs and add ports to VLANs on Switches A to E to implement Layer 2 forwarding.
# The configurations of SwitchB, SwitchC, SwitchD and SwitchE are similar to the configuration
Step 2 Create an ERPS ring, configure VLAN 10 as the control VLAN to transmit RAPS PDUs, and
bind VLANs 100 through 200 to a protected instance.
[SwitchA] erps ring 1
[SwitchA-erps-ring1] control-vlan 10
[SwitchA-erps-ring1] protected-instance 1
[SwitchA-erps-ring1] quit
[SwitchA-mst-region] instance 1 vlan 10 100 to 200
Step 3 Disable STP on ports and add ports to the ERPS ring and configure GE0/0/2 of SwitchC as the
RPL Owner port.
[SwitchA-GigabitEthernet0/0/1] erps ring 1


[SwitchC-GigabitEthernet0/0/1] erps ring 1
[SwitchC-GigabitEthernet0/0/2] erps ring 1 rpl owner
# The configurations of SwitchB, SwitchD and SwitchE are similar to the configuration of
Step 4 Set the Guard timer and WTR timer for the ERPS ring.
[SwitchA-erps-ring1] wtr-timer 6
[SwitchA-erps-ring1] guard-timer 100
After completing the preceding configurations, perform the following operations to verify the
configuration. SwitchC is used as an example.
l Run the display erps ring 1 command to view brief information about the ERPS ring and
ports of SwitchC that have been added to the ring.
[SwitchC] display erps ring 1
D : Discarding
F : Forwarding
R : RPL Owner
Ring Control WTR Timer Guard Timer Port 1 Port 2
ID VLAN (min) (csec)
-------------------------------------------------------------------------------
-
1 10 6 100 (F)GE0/0/1 (D,R)GE0/0/2
-------------------------------------------------------------------------------
-
l Run the display erps ring 1 verbose command to view detailed information about the ERPS
ring and ports of SwitchC that have been added to the ring.
[SwitchC] display erps ring 1 verbose
Ring ID : 1
Description : Ring 1
Control Vlan : 10
Protected Instance : 1
WTR Timer Setting (min) : 6 Running (s) : 0
Guard Timer Setting (csec) : 100 Running (csec) : 0
Holdoff Timer Setting (deciseconds) : 0 Running (deciseconds) : 0
Ring State : Idle
RAPS_MEL : 7
Time since last topology change : 0 days 0h:33m:4s
-------------------------------------------------------------------------------
-
Port Port Role Port Status Signal Status
-------------------------------------------------------------------------------

-
GE0/0/1 Common Forwarding Non-failed
GE0/0/2 RPL Owner Discarding Non-failed
----End
Configuration Files
#
sysname SwitchA
#
#
instance 1 vlan 10 100 to 200
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
#
stp disable
erps ring 1
#
return

#
sysname SwitchB
#
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
#
stp disable
erps ring 1

#
return

#
sysname SwitchC
#
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
#
stp disable
erps ring 1 rpl owner
#
return

#
sysname SwitchD
#
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
#
stp disable
erps ring 1
#
return

#
sysname SwitchE
#


#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
#
stp disable
erps ring 1
#
return
9.9.2 Example for Configuring ERPS Multi-Instance
As shown in Figure 9-30, a ring topology is used at the aggregation layer to improve network
reliability. Switches A to E form a ring network that implements service aggregation at Layer 2
and processes Layer 3 services. Devices on the ring network can be manufactured by different
vendors.
The ring network needs to run a protocol that prevents loops and supports rapid switchover.
Devices of different vendors supporting this protocol must be compatible with each other. In
addition, customers hope that resources on links are fully used to transmit data.
You can enable ERPS on the nodes of the ring network to prevent loops and support rapid
switchover. ERPS is a standard protocol issued by ITU-T and ensures communication between
devices of different vendors. Huawei ERPS protocol also supports multi-instance allowing data
in VLANs to be forwarded along different paths.
User packets belonging to VLANs 100 through 200 and VLANs 300 through 400 are forwarded
to Layer 3 network over this ring network. To prevent loops on the ring network, configure ERPS
on devices. To fully using resources on links, customers require that packets belonging to
VLANs 100 through 200 be forwarded through SwitchC, SwitchB, and SwitchA, and packets
belonging to VLANs 300 through 400 be forwarded through SwitchC, SwitchD, and SwitchE.

Figure 9-30 ERPS multi-instance ring network
Network
NPE1 NPE2
GE0/0/2 SwitchE
SwitchA
GE0/0/1
GE0/0/1 GE0/0/2
GE0/0/2
GE0/0/1 ERPS SwitchD
SwitchB
GE0/0/1
GE0/0/2
GE0/0/1 GE0/0/2
SwitchC Ring1 Blocked Port
CE1 CE2 Ring2 Blocked Port

Data Flow1
Data Flow2
VLAN100-200 VLAN300-400
1. Configure the basic Layer 2 forwarding function on switches A to E.

2. Create ERPS ring 1, and configure a control VLAN and protected instance. VLANs 100
through 200 are bound to the protected instance.
3. Add Layer 2 ports connecting the Switches to ERPS ring 1 and configure GE0/0/2 of
SwitchC as the RPL Owner port. The port is blocked to prevent loops. Packets belonging
to VLANs 100 through 200 are forwarded through SwitchB and SwitchA in ERPS ring 1.
4. Set the Guard timer and WTR timer for ERPS ring 1 based on the network requirements.
5. Create ERPS ring 2, and configure a control VLAN and protected instance. A different
control VLAN must be configured for ERPS ring 2. VLANs 300 through 400 are bound to
the protected instance.
6. Add Layer 2 ports connecting the Switches to ERPS ring 2 and configure GE0/0/1 of
SwitchC as the RPL Owner port. The port is blocked to prevent loops. Packets belonging
to VLANs 300 through 400 are forwarded through SwitchD and SwitchE in ERPS ring 2.

In this way, packets belonging to VLANs 300 through 400 and VLANs 100 through 200
are forwarded along different paths.
7. Set the Guard timer and WTR timer for ERPS ring 2 based on the network requirements.
Procedure
Step 1 Create VLANs and add ports to VLANs on Switches A to E to implement Layer 2 forwarding.
[SwitchA] vlan batch 100 to 200 300 to 400
[SwitchA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 200 300 to 400
[SwitchA-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 200 300 to 400
Step 2 Create ERPS ring 1, configure VLAN 10 as the control VLAN to transmit RAPS PDUs, and
Step 3 Disable STP on ports and add ports to ERPS ring 1 and configure GE0/0/2 of SwitchC as the
RPL Owner port.


Step 4 Set the Guard timer and WTR timer for ERPS ring 1.
Step 5 Create ERPS ring 2, configure VLAN 20 as the control VLAN to transmit RAPS PDUs, and
Step 6 Disable STP on ports and add ports to ERPS ring 2 and configure GE0/0/1 of SwitchC as the
RPL Owner port.
Step 7 Set the Guard timer and WTR timer for ERPS ring 2.


After completing the preceding configurations, perform the following operations to verify the
configuration. SwitchC is used as an example.
l Run the display erps ring 1 command to view brief information about ERPS ring 1 and ports
of SwitchC that have been added to the ring.
D : Discarding
F : Forwarding
R : RPL Owner
-------------------------------------------------------------------------------
-
1 10 6 100 (F)GE0/0/1 (D,R)GE0/0/2
-------------------------------------------------------------------------------
-
l Run the display erps ring 2 command to view brief information about ERPS ring 2 and ports
of SwitchC that have been added to the ring.
D : Discarding
F : Forwarding
R : RPL Owner
-------------------------------------------------------------------------------
-
2 20 6 100 (D,R)GE0/0/1 (F)GE0/0/2
-------------------------------------------------------------------------------
-
l Run the display erps ring 1 verbose command to view detailed information about ERPS
ring 1 and ports of SwitchC that have been added to the ring.
Ring ID : 1
Control Vlan : 10
Ring State : Idle
RAPS_MEL : 7
-------------------------------------------------------------------------------
-
-------------------------------------------------------------------------------
-
l Run the display erps ring 2 verbose command to view detailed information about ERPS
ring 2 and ports of SwitchC that have been added to the ring.


Ring ID : 2
Control Vlan : 20
Ring State : Idle
RAPS_MEL : 7
-------------------------------------------------------------------------------
-
-------------------------------------------------------------------------------
-
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20 100 to 200 300 to 400
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
#
port trunk allow-pass vlan 10 20 100 to 200 300 to 400
stp disable
erps ring 1
erps ring 2
#
stp disable
erps ring 1
erps ring 2
#
return

#
sysname SwitchB
#
vlan batch 10 20 100 to 200 300 to 400

#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
erps ring 2
#
stp disable
erps ring 1
erps ring 2
#
return

#
sysname SwitchC
#
vlan batch 10 20 100 to 200 300 to 400
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
#
stp disable

erps ring 2
#
return

#
sysname SwitchD
#
vlan batch 10 20 100 to 200 300 to 400
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
#
stp disable
erps ring 1
erps ring 2
#
stp disable
erps ring 1
erps ring 2
#
return

#
sysname SwitchE
#
vlan batch 10 20 100 to 200 300 to 400
#
#
erps ring 1
control-vlan 10
wtr-timer 6
guard-timer 100
erps ring 2
control-vlan 20
wtr-timer 6
guard-timer 100
#

stp disable
erps ring 1
erps ring 2
#
stp disable
erps ring 1
erps ring 2
#
return
9.10 RRPP Configuration

Rapid Ring Protection Protocol (RRPP) prevents loops and implements fast convergence on ring
networks.
9.10.1 Example for Configuring a Single RRPP Ring with a Single

Instance
As shown in Figure 9-31, SwitchA, SwitchB, and SwitchC constitute a ring network. The
network is required to prevent loops when the ring is complete and implement fast convergence
to rapidly restore communication between nodes on the ring when the ring fails. You can enable
RRPP on SwitchA, SwitchB, and SwitchC to meet this requirement.
Figure 9-31 Networking diagram of a single RRPP ring

SwitchB
GE0/0/2
GE0/0/1 GE0/0/1
Ring 1
GE0/0/2 GE0/0/2 SwitchC
GE0/0/1
SwitchA
Primary interface
Secondary interface
1. Configure interfaces to be added to the RRPP domain on the devices so that data can pass
through the interfaces. Disable protocols that conflict with RRPP, such as STP.
2. Create an RRPP domain and its control VLAN.

3. Map data that needs to pass through the VLANs on the RRPP ring to Instance 1, including
data VLANs 100 to 300 and control VLANs 20 and 21 (VLAN 21 is the sub-control VLAN
generated by the device).
4. In the RRPP domain, configure a protected VLAN, create an RRPP ring and configure
SwitchA, SwitchB, and SwitchC as nodes on Ring 1 in Domain 1. Configure SwitchA as
the master node on Ring 1, and configure SwitchB and SwitchC as transit nodes on Ring
1.
5. Enable the RRPP ring and RRPP protocol on devices to make RRPP take effect.
NOTE
VLANs that are not mentioned in this example are considered nonexistent. However, interfaces on the device
join VLAN1 by default. You need to remove corresponding interfaces from VLAN1. The removing process is
not provided here.
Procedure
Step 1 Create an RRPP domain and its control VLAN.
# On SwitchA, the master node on Ring 1, create RRPP domain 1 and configure VLAN 20 as
the major control VLAN.
[SwitchA] rrpp domain 1
[SwitchA-rrpp-domain-region1] control-vlan 20
[SwitchA-rrpp-domain-region1] quit
# The configurations on SwitchB and SwitchC are similar to that on SwitchA and not mentioned
here. For details, see the configuration files.
Step 2 Map Instance 1 to control VLANs 20 and 21 and data VLANs 100 to 300. The VLAN creation
process is not provided here.
[SwitchA-mst-region] instance 1 vlan 20 21 100 to 300
Step 3 Configure the interfaces to be added to the RRPP ring as trunk interfaces, allow data VLANs
100 to 300 to pass through the interfaces, and disable STP on the interfaces.

Step 4 Specify a protected VLAN, and create and enable an RRPP ring.
# Configure the protected VLAN on SwitchA and configure SwitchA as the master node on
Ring 1 and specify the primary and secondary interfaces.
[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchA-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet
0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[SwitchA-rrpp-domain-region1] ring 1 enable
# Configure the protected VLAN on SwitchB and configure SwitchB as a transit node on Ring
1 and specify the primary and secondary interfaces.
[SwitchB] rrpp domain 1
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchB-rrpp-domain-region1] ring 1 node-mode transit primary-port
gigabitethernet 0/0/1 secondary-port gigabitethernet 0/0/2 level 0
[SwitchB-rrpp-domain-region1] ring 1 enable
[SwitchB-rrpp-domain-region1] quit
# Configure the protected VLAN on SwitchC and configure SwitchC as a transit node on Ring
1 and specify the primary and secondary interfaces.
[SwitchC] rrpp domain 1
[SwitchC-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchC-rrpp-domain-region1] ring 1 node-mode transit primary-port
[SwitchC-rrpp-domain-region1] ring 1 enable
[SwitchC-rrpp-domain-region1] quit
Step 5 Enable RRPP.
After the RRPP ring configuration is complete, enable RRPP on each node of the ring to activate
the RRPP ring. The configuration procedure is as follows:
# Enable RRPP on SwitchA.

[SwitchA] rrpp enable
# Enable RRPP on SwitchB.

[SwitchB] rrpp enable
# Enable RRPP on SwitchC.

[SwitchC] rrpp enable
After the preceding configurations are complete and the network becomes stable, run the
following commands to verify the configuration. The display on Switch A is used as an example.
l Run the display rrpp brief command on SwitchA. The command output is as follows:
<SwitchA> display rrpp brief

Domain Index : 1



ID Level Mode Port Port
Enabled
-------------------------------------------------------------------------------
-
The command output shows that RRPP is enabled on SwitchA, the major control VLAN of
domain 1 is VLAN 20 and the sub-control VLAN is VLAN 21, and SwitchA is the master
node on Ring 1. The primary interface is GigabitEthernet0/0/1 and the secondary interface
is GigabitEthernet0/0/2.
l Run the display rrpp verbose domain command on SwitchA. The command output is as
follows:
S
# Display detailed information about SwitchA in domain 1.
<SwitchA> display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Is Enabled : Enable Is Active : Yes
The command output shows that the RRPP ring is complete.
----End
Configuration Files
#
sysname SwitchA
#
#
rrpp enable
#
stp region-
configuration
instance 1 vlan 20 to 21 100 to
300
active region-
configuration
#
rrpp domain 1
control-vlan 20
ring 1 node-mode master primary-port GigabitEthernet0/0/1 secondary-port
GigabitEthernet0/0/2 level 0
ring 1 enable
#


undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 20 to 21 100 to 300
stp disable
#
stp disable
#

#
sysname SwitchB
#
#
rrpp enable
#
stp region-
configuration
300
active region-
configuration
#
rrpp domain 1
control-vlan 20
ring 1 node-mode transit primary-port GigabitEthernet0/0/1 secondary-port
ring 1 enable
#
stp disable
#
stp disable
#
return

#
sysname SwitchC
#
#
rrpp enable
#
stp region-
configuration
300
active region-
configuration
#
rrpp domain 1
control-vlan 20

ring 1 enable
#
stp disable
#
stp disable
#
return
9.10.2 Example for Configuring Intersecting RRPP Rings with a

Single Instance
A metro Ethernet network uses two-layer rings: one is the aggregation layer between aggregation
devices PE-AGGs and the other is the access layer between PE-AGGs and UPEs.
Figure 9-32 Networking diagram of intersecting RRPP rings with a single instance
RRPP Domain
UPE1 PE-AGG2
Edge Master
Sub PE-AGG1
Ring 1
Master
Major P Core Net
Ring S
UPE Sub Block NPE
LANSwitch Ring 2
Assistant
PE-AGG3 PE-AGG：PE-Aggregation
Master NPE：Network Provider Edge
UPE：Underlayer Provider Edge
CE
As shown in Figure 9-32, the network is required to prevent loops when the ring is complete
and implement fast convergence to rapidly restore communication between nodes on the ring
when the ring fails. RRPP can meet this requirement. RRPP supports multiple rings. You can
configure the aggregation layer as the major ring and the access layer as the sub-ring, simplifying
the network configuration.
As shown in Figure 9-33, SwitchB, SwitchA, SwitchD, and SwitchC map PE-AGG1, PE-
AGG2, PE-AGG3, and UPE1 in Figure 9-32 respectively. Figure 9-33 is used as an example
to describe how to configure intersecting RRPP rings with a single instance in the RRPP version
defined by Huawei.

Figure 9-33 Networking diagram of intersecting RRPP rings with a single instance (RRPP
defined by Huawei)
SwitchA
GE0/0/3 GE0/0/1
SwitchC GE0/0/2 SwitchB

GE0/0/2 GE0/0/1
sub-ring major ring
GE0/0/1 GE0/0/2
GE0/0/2
GE0/0/3 GE0/0/1
SwitchD
1. Create an RRPP domain and its control VLAN.

2. Map the VLANs that needs to pass through the RRPP ring to Instance 1, including data
VLANs 2 to 9 and control VLANs 10 and 11 (VLAN 11 is the sub-control VLAN generated
by the device).
4. Configure a protected VLAN and create an RRPP ring in the RRPP domain.
a. Configure Ring 1 (major ring) in Domain 1 on SwitchA, SwitchB, and SwitchD.
b. Configure Ring 2 (sub-ring) in Domain 1 on SwitchA, SwitchC, and SwitchD.
c. Configure SwitchB as the master node on the major ring and configure SwitchA and
SwitchD as transit nodes on the major ring.
d. Configure SwitchC as the master node on the sub-ring, configure SwitchA as the edge
node on the sub-ring, and configure SwitchD as the assistant edge node on the sub-
ring.
NOTE
join VLAN1 by default. You need to remove corresponding interfaces from VLAN1.
Procedure
Step 1 Configure SwitchB as the master node on the major ring.
# Create data VLANs 2 to 9 on SwitchB.

Configure instance 1, and map it to the data VLANs and control VLANs allowed by the RRPP
interface.


# Configure Domain 1 on SwitchB. Configure VLAN 10 as the major control VLAN and bind
Instance 1 to the protected VLAN in Domain 1.
[SwitchB-rrpp-domain-region1] control-vlan 10
[SwitchB-rrpp-domain-region1] protected-vlan reference-instance 1
# Configure the RRPP interface as a trunk interface to allow data from VLANs 2 to 9 to pass
through and disable STP on the interface to be added to the RRPP ring.
# Configure the primary interface and secondary interface on the master node of the major ring.
[SwitchB-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet
Step 2 Configure SwitchC as the master node on the sub-ring.
# Create data VLANs 2 to 9 on SwitchC.

Configure Instance 1, and map it to the data VLANs and control VLANs allowed by the RRPP
interface.
# Configure Domain 1 on SwitchC. Configure VLAN 10 as the major control VLAN and bind
[SwitchC-rrpp-domain-region1] control-vlan 10
[SwitchC-rrpp-domain-region1] protected-vlan reference-instance 1
# Disable STP on the interface to be added to the RRPP ring and configure the RRPP interface
as a trunk interface to allow data from VLANs 2 to 9 to pass through.

# Configure the primary interface and secondary interface on the master node of the sub-ring.
[SwitchC-rrpp-domain-region1] ring 2 node-mode master primary-port gigabitethernet
Step 3 Configure SwitchA as the transit node on the major ring and the edge node on the sub-ring.
# Create data VLANs 2 to 9 on SwitchA.
interface.
# Configure Domain 1 on SwitchA. Configure VLAN 10 as the major control VLAN and bind
[SwitchA-rrpp-domain-region1] control-vlan 10
[SwitchA-rrpp-domain-region1] protected-vlan reference-instance 1
# Disable STP on the interface to be added to the RRPP ring and configure the RRPP interface
as a trunk interface to allow data from VLANs 2 to 9 to pass through.
# Configure the primary interface and secondary interface on the transit node of the major ring.
[SwitchA-rrpp-domain-region1] ring 1 node-mode transit primary-port
# Configure the common interface and edge interface on the edge node of the sub-ring.


[SwitchA-rrpp-domain-region1] ring 2 node-mode edge common-port gigabitethernet
0/0/2 edge-port gigabitethernet 0/0/3
Step 4 Configure SwitchD as the transit node on the major ring and the assistant edge node on the sub-
ring.
# Create data VLANs 2 to 9 on SwitchD.

[SwitchD] vlan batch 2 to 9
interface.
[SwitchD] stp region-configuration
[SwitchD-mst-region] active region-configuration
[SwitchD-mst-region] quit
# On SwitchD, configure Domain 1. Configure VLAN 10 as the major control VLAN and bind
[SwitchD] rrpp domain 1
[SwitchD-rrpp-domain-region1] control-vlan 10
[SwitchD-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchD-rrpp-domain-region1] quit
# Disable STP on the interface to be added to the RRPP ring, configure the RRPP interface as
a trunk interface, and configure the interfaces to allow service packets of VLAN 2 to VLAN 9
to pass through.
# Configure the primary interface and secondary interface on the transit node of the major ring.
[SwitchD-rrpp-domain-region1] ring 1 node-mode transit primary-port
[SwitchD-rrpp-domain-region1] ring 1 enable
# Configure the common interface and edge interface on the assistant edge node of the sub-ring.
[SwitchD-rrpp-domain-region1] ring 2 node-mode assistant-edge common-port
gigabitethernet 0/0/2 edge-port gigabitethernet 0/0/3

Step 5 Enable RRPP.
the RRPP ring.

# The configurations on SwitchB, SwitchC, and SwitchD are similar to that on SwitchA and not
mentioned here. For details, see the configuration files.
following commands to verify the configuration.
l Run the display rrpp brief command on SwitchB. The command output is as follows:
<SwitchB> display rrpp brief

Domain Index : 1

Enabled
-------------------------------------------------------------------------------
-
The command output shows that RRPP is enabled on SwitchB. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11; SwitchB is the master node on the major
ring, with GE0/0/1 as the primary interface and GE0/0/2 as the secondary interface.
l Run the display rrpp verbose domain command on SwitchB. The command output is as
follows:
<SwitchB> display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
The command output shows that the ring is in Complete state, and the secondary interface
on the master node is blocked.
l Run the display rrpp brief command on SwitchC. The command output is as follows:

<SwitchC> display rrpp brief


Domain Index : 1

Enabled
-------------------------------------------------------------------------------
-
You can find that RRPP is enabled on SwitchC. The major control VLAN is VLAN 10, and
the sub-control VLAN is VLAN 11; SwitchC is the master node on the sub-ring, with
GE0/0/1 as the primary interface and GE0/0/2 as the secondary interface.
l Run the display rrpp verbose domain command on SwitchC. The command output is as
follows:
<SwitchC> display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 2
Ring Level : 1
Node Mode : Master
The command output shows that the sub-ring is in Complete state, and the secondary interface
on the master node of the sub-ring is blocked.
l Run the display rrpp brief command on SwitchA. The command output is as follows:
<SwitchA> display rrpp brief

Domain Index : 1

Enabled
-------------------------------------------------------------------------------
-
1 0 T GigabitEthernet0/0/2 GigabitEthernet0/0/1 Yes
2 1 E GigabitEthernet0/0/2 GigabitEthernet0/0/3 Yes

The command output shows that RRPP is enabled on SwitchA. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchA is the transit node on the major
ring. The primary interface is GE0/0/2 and the secondary interface is GE0/0/1.
SwitchA is also the edge node on the sub-ring, with GE0/0/2 as the common interface and
GE0/0/3 as the edge interface.
l Run the display rrpp verbose domain command on SwitchA. The command output is as
follows:
<SwitchA> display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : Linkup
Secondary port: GigabitEthernet0/0/1 Port status: UP
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge
Ring State : Linkup
Common port : GigabitEthernet0/0/2 Port status: UP
Edge port : GigabitEthernet0/0/3 Port status: UP
l Run the display rrpp brief command on SwitchD. The command output is as follows:
<SwitchD> display rrpp brief

Domain Index : 1

Enabled
-------------------------------------------------------------------------------
-
2 1 A GigabitEthernet0/0/2 GigabitEthernet0/0/3 Yes
The command output shows that RRPP is enabled on SwitchD. The major control VLAN is
VLAN 10, and the sub-control VLAN is VLAN 11. SwitchD is the transit node on the major
ring, with GE0/0/2 as the primary interface and GE0/0/1 as the secondary interface.
SwitchD is also the assistant edge node on the sub-ring, with GE0/0/2 as the common
interface and GE0/0/3 as the edge interface.
l Run the display rrpp verbose domain command on SwitchD. The command output is as
follows:
<SwitchD> display rrpp verbose domain 1
Domain Index : 1


RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : Linkup
RRPP Ring : 2
Ring Level : 1
Node Mode : Assistant-edge
Ring State : Linkup
Common port : GigabitEthernet0/0/2 Port status: UP
Edge port : GigabitEthernet0/0/3 Port status: UP
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-
configuration
active region-
configuration
#
rrpp domain 1
control-vlan 10
ring 1 enable
ring 2 node-mode edge common-port GigabitEthernet0/0/2 edge-port
ring 2 enable
#
stp disable
#
stp disable
#
stp disable

#
return

#
sysname SwitchB
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-
configuration
active region-
configuration
#
rrpp domain 1
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return

#
sysname SwitchC
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-
configuration
active region-
configuration
#
rrpp domain 1
control-vlan 10
ring 2 enable
#
stp disable
#


stp disable
#
return

#
sysname SwitchD
#
vlan batch 2 to 11
#
rrpp enable
#
stp region-
configuration
active region-
configuration
#
rrpp domain 1
control-vlan 10
ring 1 enable
ring 2 node-mode assistant-edge common-port GigabitEthernet0/0/2 edge-port
ring 2 enable
#
stp disable
#
stp disable
#
stp disable
#
return
9.10.3 Example for Configuring Tangent RRPP Rings
A metro Ethernet network uses two-layer rings:
l One layer is the aggregation layer between aggregation devices PE-AGGs, such as RRPP
Domain 1 in Figure 9-34.
l The other layer is the access layer between PE-AGGs and UPEs, such as RRPP Domain 2
and RRPP Domain 3 in Figure 9-34.

Figure 9-34 Tangent RRPP rings
Master
UPE1
UPE2 PE-AGG3
RRPP Transit 1
Domain2
Master
PE-AGG1
UPE RRPP P IP/MPLS
Domain1 Core
UPE S
UPE Block NPE
RRPP Transit 2
Domain3
PE-AGG2
Master PE-AGG：PE-Aggregation
UPE NPE：Network Provider Edge
UMG：Universal Media Gateway
UPE：Underlayer Provider Edge
DSLAM：Digital Subscriber Line Access Multiplexer
LANSwitch CE DSLAM UMG
As shown in Figure 9-34, the network is required to prevent loops when the ring is complete
and implement fast convergence to rapidly restore communication between nodes on the ring
when the ring fails. RRPP can meet this requirement. RRPP supports multiple rings. You can
configure the aggregation layer and access layer as RRPP rings and the two rings are tangent,
simplifying the network configuration.
As shown in Figure 9-35, SwitchE, SwitchD, SwitchC, SwitchA, and SwitchB map PE-AGG1,
PE-AGG2, PE-AGG3, UPE 1, and UPE 2 in Figure 9-34 respectively. Figure 9-35 is used as
an example to describe how to configure tangent RRPP rings with a single instance.
Figure 9-35 Networking diagram of tangent RRPP rings
SwtichA SwtichE
GE0/0/2 GE0/0/1
GE0/0/1 GE0/0/3 GE0/0/2 GE0/0/2
Domain 2 Ring 2 SwtichC Ring 1 Domain 1

GE0/0/4 GE0/0/1
GE0/0/2 GE0/0/1
GE0/0/1 GE0/0/2
SwtichB SwtichD

1. Create different RRPP domains and control VLANs to configure an RRPP ring.
2. Map the VLANs that need to pass through Ring 1 to Instance 1, including data VLANs and
control VLANs to configure protected VLANs.
Map the VLANs that need to pass through Ring 2 to Instance 2, including data VLANs and
control VLANs to configure protected VLANs.
3. Configure timers for different RRPP domains.
NOTE
You can configure two timers for tangent points because two tangent rings locate in different domains.
5. Configure protected VLANs and create RRPP rings in RRPP domains.
a. Configure Ring 2 in Domain 2 on SwitchA, SwitchB, and SwitchC.
b. Configure Ring 1 in Domain 1 on SwitchC, SwitchD, and SwitchE.
c. Configure SwitchA as the master node on Ring 2, and configure SwitchB and
SwitchC as transit nodes on Ring 2.
d. Configure SwitchE as the master node on Ring 1, and configure SwitchC and
SwitchD as transit nodes on Ring 1.
NOTE
Procedure
Step 1 Configure instance 2, and map it to the data VLANs and control VLANs allowed by the RRPP
interface.
# The configurations on SwitchB, SwitchC, SwitchD, and SwitchE are similar to that on
SwitchA and not mentioned here. For details, see the configuration files.
Step 2 Create RRPP domains and configure control VLANs and protected VLANs in the domains.
# Configure Domain 1 on SwitchE, which is the master node on Ring 1. Configure VLAN 10
as the major control VLAN in Domain 1, and bind Instance 1 to protected VLANs.
[SwitchE] rrpp domain 1
[SwitchE-rrpp-domain-region1] control-vlan 10
[SwitchE-rrpp-domain-region1] protected-vlan reference-instance 1
[SwitchE-rrpp-domain-region1] quit

# The configurations on SwitchB, SwitchC, and SwitchD are similar to that on SwitchA and not
Step 3 Set the timers of RRPP domains.
# Set the timers for SwitchE, the master node on Ring 1.
[SwitchE-rrpp-domain-region1] timer hello-timer 2 fail-timer 7
# Set the timers for SwitchD, the transit node on Ring 1.

[SwitchD-rrpp-domain-region1] timer hello-timer 2 fail-timer 7
# Set the timers for SwitchC, the transit node on Ring 1.

[SwitchC-rrpp-domain-region1] timer hello-timer 2 fail-timer 7
# Set the timers for SwitchA, the master node on Ring 2.

[SwitchA-rrpp-domain-region2] timer hello-timer 3 fail-timer 10
# Set the timers for SwitchB, the transit node on Ring 2.

[SwitchB-rrpp-domain-region2] timer hello-timer 3 fail-timer 10
# Set the timers for SwitchC, the transit node on Ring 2.

[SwitchC-rrpp-domain-region2] timer hello-timer 3 fail-timer 10
Step 4 Disable STP on the interfaces to be added to the RRPP rings.

# Disable STP on the interfaces to be added to the RRPP ring on SwitchA.
Step 5 Create and enable RRPP rings.
Configure nodes on Ring 2. The configuration procedure is as follows:
# Configure SwitchA as the master node on Ring 2 and specify the primary and secondary
interfaces.
[SwitchA-rrpp-domain-region2] ring 2 node-mode master primary-port gigabitethernet
# Configure SwitchB as a transit node on Ring 2 (major ring) and specify the primary and
secondary interfaces.
[SwitchB-rrpp-domain-region2] ring 2 node-mode transit primary-port


# Configure SwitchC as a transit node on Ring 2 and specify the primary and secondary
interfaces.
Configure nodes on Ring 1. The configuration procedure is as follows:
# Configure SwitchE as the master node on Ring 1 (major ring) and specify the primary and
secondary interfaces.
[SwitchE-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet
[SwitchE-rrpp-domain-region1] ring 1 enable
[SwitchE-rrpp-domain-region1] quit
# Configure SwitchC as a transit node on Ring 1 and specify the primary and secondary
interfaces.
# Configure SwitchD as a transit node on Ring 1 and specify the primary and secondary
interfaces.
[SwitchD-rrpp-domain-region1] ring 1 node-mode transit primary-port
Step 6 Enable RRPP.

perform the following operations to verify the configuration. The tangent point SwitchC is used
as an example.
l Run the display rrpp brief command on SwitchC. The command output is as follows:
[SwitchC] display rrpp brief


Domain Index : 1
Enabled
-------------------------------------------------------------------------------
-
Domain Index : 2
Enabled
-------------------------------------------------------------------------------
-
The command output shows that RRPP is enabled on SwitchC. In Domain 1, the major control
VLAN is VLAN 10, and the sub-control VLAN is VLAN 11. SwitchC is the transit node on
the major ring, with GigabitEthernet0/0/1 as the primary interface and
GigabitEthernet0/0/2 as the secondary interface.
In Domain 2, the major control VLAN is VLAN 20, and the sub-control VLAN is VLAN
21. SwitchC is a transit node on Ring 2. GigabitEthernet0/0/3 is the primary interface and
GigabitEthernet0/0/4 is the secondary interface.
l Run the display rrpp verbose domain command on SwitchC. The command output is as
follows:
# Display detailed information about Domain 1 on SwitchC.
[SwitchC] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : Linkup
Secondary port : GigabitEthernet0/0/2 Port status: UP
# Display detailed information about Domain 2 on SwitchC.

[SwitchC] display rrpp verbose domain 2
Domain Index : 2
Hello Timer : 3 sec(default is 1 sec) Fail Timer : 10 sec(default is 6
sec)

RRPP Ring : 2
Ring Level : 0
Node Mode : Transit
Ring State : Linkup
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 20 to 21
#
rrpp enable
#
stp region-
configuration
21
#
rrpp domain 2
control-vlan 20
timer hello-timer 3 fail-timer 10
ring 2 enable
#
undo port hybrid vlan 1
stp disable
#
stp disable
#

#
sysname SwitchB
#
vlan batch 20 to 21
#
rrpp enable
#
stp region-
configuration
21
#
rrpp domain 2
control-vlan 20
ring 2 enable

#
stp disable
#
stp disable
#
return
#

#
sysname SwitchC
#
#
rrpp enable
#
stp region-
configuration
21
#
rrpp domain 1
control-vlan 10
ring 1 enable
#
rrpp domain 2
control-vlan 20
ring 2 enable
#
stp disable
#
pport hybrid tagged vlan 10 to 11
stp disable
#
stp disable
#
stp disable
#
return


#
sysname SwitchD
#
vlan batch 10 to 11
#
rrpp enable
#
stp region-
configuration
11
#
rrpp domain 1
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return

#
sysname SwitchE
#
vlan batch 10 to 11
#
rrpp enable
#
stp region-
configuration
11
#
rrpp domain 1
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable

#
return
9.10.4 Example for Configuring a Single RRPP Ring with Multiple

Instances
As shown in Figure 9-36, on a ring network, idle links are required to forward data. In this way,
data in different VLANs are forwarded along different paths, improving network efficiency and
implementing load balancing.
Figure 9-36 Networking diagram of single RRPP ring with multiple instances
UPE B
GE0/0/1 GE0/0/2
CE 1
VLAN 100-300
PE-AGG
GE0/0/1 Ring GE0/0/1
Master 1 Backbone
UPEA 1
network
Master 2
GE0/0/2 GE0/0/2
CE 2
VLAN 100-300
Domain 1 ring 1
GE0/0/2 GE0/0/1
Domain 2 ring 1
UPEC
Table 9-1 shows the mapping between protected VLANs and instances in Domain 1 and Domain
2.
Table 9-1 Mapping between the protected VLAN and instance
Domain Control VLAN ID Data VLAN ID Instance ID

ID
Domain 1 VLANs 5 and 6 VLANs 100 to 200 Instance 1
Table 9-2 shows the master node on each ring and the primary and secondary interfaces on each
master node.

Table 9-2 Master node and its primary and secondary interfaces
Ring ID Master Node Primary Port Secondary Port
Ring 1 in Domain 1 PE-AGG GE0/0/1 GE0/0/2
Ring 1 in Domain 2 PE-AGG GE0/0/2 GE0/0/1
1. Create different RRPP domains and control VLANs.
2. Map the VLANs that need to pass through Ring 1 in Domain 1 to Instance 1, including data
VLANs and control VLANs.
Map the VLANs that need to pass through Ring 1 in Domain 2 to Instance 2, including data
VLANs and control VLANs.
a. Add UPEA, UPEB, UPEC, and PE-AGG to Ring 1 in Domain 1. Configure PE-AGG
as the master node on Ring 1 in Domain 1 and configure UPEA, UPEB, and UPEC
as transit nodes.
b. Add UPEA, UPEB, UPEC, and PE-AGG to Ring 1 in Domain 2. Configure PE-AGG
as the master node on Ring 1 in Domain 2 and configure UPEA, UPEB, and UPEC
as transit nodes.
NOTE
Procedure
Step 1 Create instances.
# Create data VLANs 100 to 300 on UPEA.
[HUAWEI] sysname UPEA
[UPEA] vlan batch 100 to 300
# Create Instance 1, and map the control VLANs 5 and 6 and data VLANs 100 to 200 in Domain
1 to Instance 1.
[UPEA] stp region-configuration
[UPEA-mst-region] instance 1 vlan 5 6 100 to 200
# Create Instance 2, and map the control VLANs 10 and 11 and data VLANs 201 to 300 in
Domain 2 to Instance 2.
# Activate the configuration.

[UPEA-mst-region] active region-configuration

[UPEA-mst-region] quit
# The configurations on UPEB, UPEC, and PE-AGG are similar to that on UPEA and not
Step 2 Configure the interfaces to be added into the RRPP rings.
# Configure the RRPP interface as a trunk interface to allow data from VLANs 100 to 300 to
pass through and disable STP on the interface to be added to the RRPP ring.
[UPEA] interface gigabitethernet 0/0/1
[UPEA-GigabitEthernet0/0/1] port link-type trunk
[UPEA-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 300
[UPEA-GigabitEthernet0/0/1] stp disable
[UPEA-GigabitEthernet0/0/1] quit
Step 3 Create RRPP domains and configure protected VLANs and control VLANs.
# Configure the VLANs mapped to Instance 1 as the protected VLANs in Domain 1, and VLAN
5 as the control VLAN.
[UPEA] rrpp domain 1
[UPEA-rrpp-domain-region1] protected-vlan reference-instance 1
[UPEA-rrpp-domain-region1] control-vlan 5
[UPEA-rrpp-domain-region1] quit
Step 4 Create RRPP rings.
# Configure UPEA as a transit node on Ring 1 in Domain 1 and specify primary and secondary
interfaces on UPEA.
[UPEA-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
[UPEA-rrpp-domain-region1] ring 1 enable
interfaces on UPEA.

# Configure UPEB as a transit node on Ring 1 in Domain 1 and specify primary and secondary
interfaces on UPEB.
[UPEB] rrpp domain 1
[UPEB-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
[UPEB-rrpp-domain-region1] ring 1 enable
[UPEB-rrpp-domain-region1] quit
interfaces on UPEB.
# Configure UPEC as a transit node on Ring 1 in Domain 1 and specify primary and secondary
interfaces on UPEC.
[UPEC] rrpp domain 1
[UPEC-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
[UPEC-rrpp-domain-region1] ring 1 enable
[UPEC-rrpp-domain-region1] quit
interfaces on UPEC.
# Configure PE-AGG as the master node on Ring 1 in Domain 1, with GE0/0/1 as the primary
interface and GE0/0/2 as the secondary interface.
[PE-AGG] rrpp domain 1
[PE-AGG-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet
[PE-AGG-rrpp-domain-region1] ring 1 enable
[PE-AGG-rrpp-domain-region1] quit
Step 5 Enable RRPP.
l Configure UPEA.
# Enable RRPP.
[UPEA] rrpp enable

l Configure UPEB, UPEC, and PE-AGG.

following commands to verify the configuration. UPEA and PE-AGG are used as examples.
l Run the display rrpp brief command on UPEA. The command output is as follows:
[UPEA] display rrpp brief

Domain Index : 1

--------------------------------------------------------------------------------
Domain Index : 2

--------------------------------------------------------------------------------
The command output shows that RRPP is enabled on UPEA.

In Domain 1, the major control VLAN is VLAN 5 and the protected VLANs are VLANs mapping
Instance 1. UPEA is a transit node on Ring 1. GigabitEthernet0/0/1 is the primary interface and
In Domain 2, the major control VLAN is VLAN 10 and the protected VLANs are VLANs
mapping Instance 2. UPEA is a transit node on Ring 1. GigabitEthernet0/0/1 is the primary
interface and GigabitEthernet0/0/2 is the secondary interface.
l Run the display rrpp brief command on PE-AGG. The command output is as follows:
[PE-AGG] display rrpp brief

Domain Index : 1



--------------------------------------------------------------------------------
Domain Index : 2
Protected VLAN: Reference Instance 2

--------------------------------------------------------------------------------
The command output shows that RRPP is enabled on PE-AGG.
In Domain 1, the major control VLAN is VLAN 5, the protected VLAN is the VLAN mapped
to Instance 1, and the master node on Ring 1 is PE-AGG. GigabitEthernet0/0/1 is the primary
to Instance 2, and the master node on Ring 1 is PE-AGG. GigabitEthernet0/0/2 is the primary
# Check detailed information about UPEA in Domain 1. Run the display rrpp verbose
domain command on UPEA. The command output is as follows:
[UPEA] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
The command output shows that the control VLAN in Domain 1 is VLAN 5, and the protected
VLANs are the VLANs mapping Instance 1. UPEA is a transit node in Domain 1 and is in
LinkUp state.
# Check detailed information about UPEA in Domain 2.

[UPEA] display rrpp verbose domain 2
Domain Index : 2
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp

The command output shows that, in Domain 2, the control VLAN is VLAN 10 and the protected
VLAN is the VLAN mapped to Instance 2. UPEA is a transit node in Domain 2 and is in LinkUp
state.
# Run the display rrpp verbose domain command on PE-AGG. The command output is as
follows:
# Check detailed information about PE-AGG in Domain 1.

[PE-AGG] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
Secondary port: GigabitEthernet0/0/2 Port status: BLOCKED
VLANs are the VLANs mapping Instance 1.
PE-AGG is the master node in Domain 1 and is in Complete state.
The primary interface is GigabitEthernet0/0/1 and the secondary interface is

GigabitEthernet0/0/2.

Domain Index : 2
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
The command output shows that, in Domain 2, the control VLAN is VLAN 10, and the protected
VLAN is the VLAN mapped to Instance 2.

----End
Configuration Files
l Configuration file of UPEA
#
sysname UPEA
#

vlan batch 5 to 6 10 to 11 100 to 300

#
rrpp enable
#
instance 1 vlan 5 to 6 100 to 200
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
port trunk allow-pass vlan 5 to 6 10 to 11 100 to 300
stp disable
#
stp disable
#
return
l Configuration file of UPEB

#
sysname UPEB
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable

#
stp disable
#
return
l Configuration file of UPEC

#
sysname UPEC
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return
l Configuration file of PE-AGG

#
sysname PE-AGG
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5

ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return
9.10.5 Example for Configuring Intersecting RRPP Rings with

Multiple Instances

Figure 9-37 Networking diagram of intersecting RRPP rings with multiple instances
Backbone
network
GE0/0/1 GE0/0/2
PE-AGG
Master 1
GE0/0/1 Master 2 GE0/0/1
UPEA Domain 1 ring 1 UPED
GE0/0/2 Domain 2 ring 1 GE0/0/2
GE0/0/2 Edge Transit Edge Transit

GE0/0/1
UPEB GE0/0/1 UPEC
GE0/0/2
GE0/0/3 GE0/0/3
GE0/0/4 GE0/0/4
Domain 2 ring 2 Domain 2 ring 3

GE0/0/1 GE0/0/2
Master 1 Master 1
Master 2 GE0/0/2 GE0/0/1 Master 2
CE 1 Domain 1 ring 2 Domain 1 ring 3
CE 2
VLAN 100-300 VLAN 100-300
Domain 1
Domain 2
Table 9-3 shows the mapping between protected VLANs and instances in Domain 1 and Domain
2.
Domain ID Control VLAN ID Data VLAN ID Instance ID
Table 9-4 shows the master node on each ring and the primary and secondary interfaces on each
master node.

Ring ID Master Node Primary Port Secondary Port Ring Type
Ring 1 in PE-AGG GE0/0/1 GE0/0/2 Major ring

Domain 1
Ring 1 in PE-AGG GE0/0/2 GE0/0/1 Major ring

Domain 2
Ring 2 in CE1 GE0/0/1 GE0/0/2 Sub ring

Domain 1

Domain 2

Domain 1

Domain 2
Table 9-5 shows the edge nodes, assistant edge nodes, common interface, and edge interfaces
of the sub-rings.
Table 9-5 Edge nodes, assistant edge nodes, common interface, and edge interfaces of the sub-
rings
Ring Edge Common Edge Edge-Assistant Common Edge

ID Node Port Port Node Port Port
Ring 2 UPEB GE0/0/1 GE0/0/3 UPEC GE0/0/2 GE0/0/4

in
Domain
1

in
Domain
1

in
Domain
2

in
Domain
2

2. Map the VLANs that need to pass through Domain 1 to Instance 1, including data VLANs
and control VLANs.
Map the VLANs that need to pass through Domain 2 to Instance 2, including data VLANs
and control VLANs.
a. Add UPEA, UPEB, UPEC, UPED, and PE-AGG to Ring 1 in Domain 1 and Ring 1
in Domain 2.
b. Add CE1, UPEB, and UPEC to Ring 2 in Domain 1 and Ring 2 in Domain 2.
c. Add CE2, UPEB, and UPEC to Ring 3 in Domain 1 and Ring 3 in Domain 2.
d. Configure PE-AGG as the master node and configure UPEA, UPEB, UPEC, and
UPED as transit nodes on Ring 1 in Domain 1 and Ring 1 in Domain 2.
e. Configure CE1 as the master node, UPEB as an edge node, and UPEC as an assistant
edge node on Ring 2 in Domain 1 and Ring 2 in Domain 2.
f. Configure CE2 as the master node, UPEB as an edge node, and UPEC as an assistant
edge node on Ring 3 in Domain 1 and Ring 3 in Domain 2.
5. To prevent topology flapping, set the LinkUp timer on the master nodes.
6. To reduce the Edge-Hello packets sent on the major ring and increase available bandwidth,
add the four sub-rings to a ring group.
NOTE
Procedure
# Create data VLANs 100 to 300 on CE1.
[CE1] vlan batch 100 to 300
1 to Instance 1.
[CE1-mst-region] instance 1 vlan 5 6 100 to 200
[CE1-mst-region] instance 2 vlan 10 11 201 to 300


# The configurations on CE2, UPEA, UPEB, UPEC, UPED, and PE-AGG are similar to that on
CE1 and not mentioned here. For details, see the configuration files.
# Configure the RRPP interface as a trunk interface to allow data from VLANs 100 to 300 to
pass through and disable STP on the interface to be added to the RRPP ring.
[CE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 100 to 300
[CE1-GigabitEthernet0/0/1] stp disable
[CE1-GigabitEthernet0/0/2] port trunk allow-pass vlan 100 to 300
[CE1-GigabitEthernet0/0/2] stp disable
[CE1] rrpp domain 1
[CE1-rrpp-domain-region1] protected-vlan reference-instance 1
[CE1-rrpp-domain-region1] control-vlan 5
[CE1-rrpp-domain-region1] quit
[CE1] rrpp domain 2
[CE1-rrpp-domain-region2] protected-vlan reference-instance 2
[CE1-rrpp-domain-region2] control-vlan 10

interfaces.
interfaces.
# Configure UPED as a transit node on Ring 1 in Domain 1 and specify primary and secondary
interfaces.
[UPED] rrpp domain 1
[UPED-rrpp-domain-region1] ring 1 node-mode transit primary-port gigabitethernet
[UPED-rrpp-domain-region1] ring 1 enable
[UPED-rrpp-domain-region1] quit
interfaces.
interfaces.
interfaces.
# Configure UPEB as an edge node on Ring 2 in Domain 1, with GE0/0/1 as the common
[UPEB-rrpp-domain-region1] ring 2 node-mode edge common-port gigabitethernet 0/0/1
edge-port gigabitethernet 0/0/3


interfaces.
interfaces.
# Configure UPEC as an assistant edge node on Ring 2 in Domain 1, with GE0/0/2 as the common
[UPEC-rrpp-domain-region1] ring 2 node-mode assistant-edge common-port


# Configure CE1 as the master node on Ring 2 in Domain 1, with GE0/0/1 as the primary interface
and GE0/0/2 as the secondary interface.
[CE1] rrpp domain 1
[CE1-rrpp-domain-region1] ring 2 node-mode master primary-port gigabitethernet
[CE1-rrpp-domain-region1] ring 2 enable
[CE1] rrpp domain 2
[CE2] rrpp domain 1
[CE2] rrpp domain 2
Step 5 Enable RRPP.
# Enable RRPP.
[CE1] rrpp enable
Step 6 Configure ring groups.
# Create ring group 1, which consists of four sub-rings: Ring 2 in Domain 1, Ring 3 in Domain
1, Ring 2 in Domain 2, and Ring 3 in Domain 2.

[UPEC] rrpp ring-group 1

[UPEC-rrpp-ring-group1] domain 1 ring 2 to 3
[UPEC-rrpp-ring-group1] domain 2 ring 2 to 3
[UPEC-rrpp-ring-group1] quit
# Create ring group 1, which consists of four sub-rings: Ring 2 in Domain 1, Ring 3 in Domain
1, Ring 2 in Domain 2, and Ring 3 in Domain 2.
[UPEB] rrpp ring-group 1
[UPEB-rrpp-ring-group1] domain 1 ring 2 to 3
[UPEB-rrpp-ring-group1] domain 2 ring 2 to 3
[UPEB-rrpp-ring-group1] quit
Step 7 Set the LinkUp timer.

# Set the LinkUp timer to 1 second.
[CE1] rrpp linkup-delay-timer 1

[CE2] rrpp linkup-delay-timer 1

[PE-AGG] rrpp linkup-delay-timer 1

perform the following operations to verify the configuration. UPEB and PE-AGG are used as
examples.
Run the display rrpp brief command on UPEB. The command output is as follows:
[UPEB] display rrpp brief

RRPP Linkup Delay Timer: 0 sec(0 sec default)
Domain Index : 1
---------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Domain Index : 2
--------------------------------------------------------------------------------


The command output shows that RRPP is enabled on UPEB.
In Domain 1:
The major control VLAN is VLAN 5 and the protected VLANs are the VLANs mapped to
Instance 1.
UPEB is a transit node on Ring 1. The primary interface is GE0/0/1 and the secondary interface
is GE0/0/2.
On Ring 2, UPEB is the edge node. GE0/0/1 is the common interface and GE0/0/3 is the edge
interface.
interface.
In Domain 2:
The major control VLAN is VLAN 10, and the protected VLANs are the VLANs mapped to
Instance 2.
UPEB is a transit node on Ring 1. The primary interface is GE0/0/1 and the secondary interface
is GE0/0/2.
interface.
interface.
Run the display rrpp brief command on PE-AGG. The command output is as follows:
[PE-AGG] display rrpp brief

RRPP Linkup Delay Timer: 1 sec(0 sec default)
Domain Index : 1
--------------------------------------------------------------------------------
Domain Index : 2
--------------------------------------------------------------------------------

The command output shows that RRPP is enabled on PE-AGG, and the LinkUp timer is 2
seconds.
to Instance 1, and the master node on Ring 1 is PE-AGG. The primary interface is GE0/0/1 and
the secondary interface is GE0/0/2.
to Instance 2, and the master node on Ring 1 is PE-AGG. The primary interface is GE0/0/2 and
the secondary interface is GE0/0/1.
Run the display rrpp verbose domain command on UPEB. The command output is as follows:
# Check detailed information about UPEB in Domain 1.

[UPEB] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
RRPP Ring : 3
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
UPEB is a transit node on Ring 1 in Domain 1 and is in LinkUp state.
UPEB is the edge node on Ring 2 in Domain 1 and is in LinkUp state. GE0/0/1 is the common
interface and GE0/0/3 is the edge interface.
# Check detailed information about UPEB in Domain 2.

<UPEB> display rrpp verbose domain 2
Domain Index : 2

RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
RRPP Ring : 2
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
RRPP Ring : 3
Ring Level : 1
Node Mode : Edge
Ring State : LinkUp
You can find that, in Domain 2, the control VLAN is VLAN 10, and the protected VLAN is the
VLAN mapped to Instance 2.
UPEB is a transit node on Ring 1 in Domain 2 and is in LinkUp state.
Run the display rrpp verbose domain 1 command on PE-AGG. The command output is as
follows:

Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
GE0/0/1 is the primary interface and GE0/0/2 is the secondary interface.

Domain Index : 2


RRPP Ring : 1
Ring Level : 0
Node Mode : Master
GE0/0/2 is the primary interface and GE0/0/1 is the secondary interface.
Run the display rrpp ring-group command on UPEB to check the configuration of the ring
group.
# Check the configuration of ring group 1.

[UPEB] display rrpp ring-group 1
Ring Group 1:
domain 1 ring 2 to 3
domain 1 ring 2 send Edge-Hello packet
----End
Configuration Files
#
sysname CE1
#
#
rrpp enable
rrpp linkup-delay-timer 1
#
#
rrpp domain 1
control-vlan 5
ring 2 enable
rrpp domain 2
control-vlan 10
ring 2 enable
#
port trunk allow-pass vlan 6 11 100 to 300

stp disable
#
stp disable
#
return

#
sysname CE2
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 3 enable
rrpp domain 2
control-vlan 10
ring 3 enable
#
stp disable
#
stp disable
#
return

#
sysname UPEA
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5


ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return

#
sysname UPEB
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
ring 2 enable
ring 3 enable
rrpp domain 2
control-vlan 10
ring 1 enable
ring 2 enable
ring 3 enable
#
rrpp ring-group 1
#


stp disable
#
stp disable
#
stp disable
#
stp disable
#
return

#
sysname UPEC
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
ring 2 enable
ring 3 enable
rrpp domain 2
control-vlan 10
ring 1 enable
ring 2 enable
ring 3 enable
#
rrpp ring-group 1
#

stp disable
#
stp disable
#
stp disable
#
stp disable
#
return
l Configuration file of UPED

#
sysname UPED
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return
l Configuration file of PE-AGG

#
sysname PE-AGG
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return
9.10.6 Example for Configuring Tangent RRPP Rings with Multiple

Instances

Figure 9-38 Networking diagram of tangent RRPP rings with multiple instances
UPEB UPEE
GE0/0/1 GE0/0/2
GE0/0/1 GE0/0/2
Domain 1 ring 1
CE GE0/0/2 GE0/0/1
GE0/0/3 GE0/0/1 UPEF
Master 1
UPEA
Master 2 UPED Master 3
VLAN 100-300 GE0/0/1 GE0/0/2 GE0/0/4 GE0/0/2
Domain 2 ring 1 Domain 3 ring 1
GE0/0/2 GE0/0/1 GE0/0/2 GE0/0/1
UPEC UPEG
domain 1
domain 2
domain 3
Table 9-6 shows the mapping between protected VLANs and instances in Domain 1, Domain
2, and Domain 3.
Domain ID Control VLAN Data VLAN Instance ID
Domain 3 (on VLANs 20 and 21 VLANs 100 to 300 Instance 1, Instance 2,

UPED) and Instance 3
Domain 3 (on VLANs 20 and 21 VLANs 100 to 300 Instance 1

UPEE, UPEF,
and UPEG)
Table 9-7 shows the master node on each ring, and its primary and secondary interfaces.
Ring ID Master Node Primary Port Secondary Port
Ring 1 in Domain 1 UPED GE0/0/1 GE0/0/2
Ring 1 in Domain 2 UPED GE0/0/2 GE0/0/1
Ring 1 in Domain 3 UPEF GE0/0/1 GE0/0/2

2. Map the VLANs that need to pass through the domain to the instance.
a. Add UPEA, UPEB, UPEC, and UPED to Ring 1 in Domain 1 and Ring 1 in Domain
2.
b. Add UPED, UPEE, UPEF, and UPEG to Ring 1 in Domain 3.
c. Configure UPED as the master node and configure UPEA, UPEB, and UPEC as transit
nodes on Ring 1 in Domain 1 and Ring 1 in Domain 2.
d. Configure UPEF as the master node and configure UPED, UPEE, and UPEG as transit
nodes on Ring 1 in Domain 3.
NOTE
Procedure
# Create data VLANs 100 to 300 on UPEA.
[HUAWEI] sysname UPEA
[UPEA] vlan batch 100 to 300
1 to Instance 1.
[UPEA] stp region-configuration

[UPEA-mst-region] active region-configuration
[UPEA-mst-region] quit
# The configurations on UPEB, UPEC, UPED, UPEE, UPEF, and UPEG are similar to that on
UPEA and not mentioned here. For details, see the configuration files.
# Disable STP on the interfaces to be added to the RRPP ring on UPEA. Configure the interfaces
to allow data from VLANs 100 to 300 to pass through.


interfaces on UPEA.
interfaces on UPEA.
interfaces on UPEB.
interfaces on UPEB.


interfaces on UPEC.
interfaces on UPEC.
# Configure UPED as the master node on Ring 1 in Domain 1 and specify GE0/0/1 as the primary
interface and GE0/0/2 as the secondary interface on UPED.
[UPED-rrpp-domain-region1] ring 1 node-mode master primary-port gigabitethernet
# Configure UPED as the master node on Ring 1 in Domain 2 and specify GE0/0/2 as the primary
interface and GE0/0/1 as the secondary interface on UPED.
[UPED-rrpp-domain-region2] ring 1 node-mode master primary-port gigabitethernet
interfaces on UPED.
# Configure UPEE as a transit node on Ring 1 in Domain 3 and specify primary and secondary
interfaces on UPEE.
[UPEE] rrpp domain 3
[UPEE-rrpp-domain-region3] ring 1 node-mode transit primary-port gigabitethernet
[UPEE-rrpp-domain-region3] ring 1 enable
[UPEE-rrpp-domain-region3] quit
# Configure UPEF as the master node on Ring 1 in Domain 3 and specify GE0/0/1 as the primary
interface and GE0/0/2 as the secondary interface on UPEF.
[UPEF] rrpp domain 3

[UPEF-rrpp-domain-region3] ring 1 node-mode master primary-port gigabitethernet


[UPEF-rrpp-domain-region3] ring 1 enable
[UPEF-rrpp-domain-region3] quit
# Configure UPEG as a transit node on Ring 1 in Domain 3 and specify primary and secondary
interfaces.
[UPEG] rrpp domain 3
[UPEG-rrpp-domain-region3] ring 1 node-mode transit primary-port gigabitethernet
[UPEG-rrpp-domain-region3] ring 1 enable
[UPEG-rrpp-domain-region3] quit
Step 5 Enable RRPP.

# Enable RRPP.
[UPEA] rrpp enable
perform the following operations to verify the configuration. UPED is used as an example. Run
the display rrpp brief command on UPED. The command output is as follows:
[UPED] display rrpp brief

Domain Index : 1

--------------------------------------------------------------------------------
Domain Index : 2

--------------------------------------------------------------------------------
Domain Index : 3
Protected VLAN : Reference Instance 1 to 3


--------------------------------------------------------------------------------
The command output shows that RRPP is enabled on UPED.

In Domain 1:
Instance 1.
UPED is the master node on Ring 1. GigabitEthernet0/0/1 is the primary interface and
In Domain 2:
Instance 2.
UPED is the master node on Ring 1. GigabitEthernet0/0/2 is the primary interface and
In Domain 3:
instances 1 to 3.
UPED is a transit node on Ring 1. GigabitEthernet0/0/3 is the primary interface and
Run the display rrpp verbose domain command on UPED. The command output is as follows:
# Check detailed information about UPED in Domain 1.
[UPED] display rrpp verbose domain 1
Domain Index : 1
RRPP Ring : 1
Ring Level : 0
Node Mode : Master
UPED is the master node in Domain 1 and is in Complete state.
Domain Index : 2

RRPP Ring : 1
Ring Level : 0
Node Mode : Master
UPED is the master node in Domain 2 and is in Complete state.


Domain Index : 3
Protected VLAN : Reference Instance 1 to 3
RRPP Ring : 1
Ring Level : 0
Node Mode : Transit
Ring State : LinkUp
The command output shows that, in Domain 3, the control VLAN is VLAN 20 and the protected
VLANs are the VLANs mapped to instances 1 to 3.
UPED is a transit node in Domain 3 and is in LinkUp state.

----End
Configuration Files
#
sysname UPEA
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5

ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return

#
sysname UPEB
#
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return

#
sysname UPEC
#

#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
#
stp disable
#
stp disable
#
return
l Configuration file of UPED

#
sysname UPED
#
vlan batch 5 to 6 10 to 11 20 to 21 100 to 300
#
rrpp enable
#
#
rrpp domain 1
control-vlan 5
ring 1 enable
rrpp domain 2
control-vlan 10
ring 1 enable
rrpp domain 3
control-vlan 20
protected-vlan reference-instance 1 to 3
ring 1 enable

#
stp disable
#
stp disable
#
stp disable
#
stp disable
#
return
l Configuration file of UPEE

#
sysname UPEE
#
#
rrpp enable
#
#
rrpp domain 3
control-vlan 20
ring 1 enable
#
stp disable
#
stp disable
#
return
l Configuration file of UPEF

#
sysname UPEF
#
#
rrpp enable

#
#
rrpp domain 3
control-vlan 20
ring 1 enable
#
stp disable
#
stp disable
#
return
l Configuration file of UPEG

#
sysname UPEG
#
#
rrpp enable
#
#
rrpp domain 3
control-vlan 20
ring 1 enable
#
stp disable
#
stp disable
#
return

Typical Configuration Examples 10 Device Management
10 Device Management
About This Chapter
This document describes procedures and provides examples for configuring the Device
Management features of the device.
10.1 Energy-Saving Management

You can configure the energy-saving management function to reduce device power consumption
and save energy.
10.2 Information Center Configuration

The information center works as the information hub. It records system running information in
real time, which helps the network administrator and developers to monitor network operation
and analyze network faults.
10.3 USB-based Deployment Configuration

USB-based deployment simplifies the deployment process, reduces the deployment costs, and
relieves users from software commissioning.
10.4 EasyDeploy Configuration

EasyDeploy is a feature that enables a device to automatically load version files, including
system software, patch files, web page files, and configuration files. This feature simplifies
network configuration, implements remote service deployment, and allows centralized device
management.
10.5 NAP Configuration

Neighbor Access Protocol (NAP) is designed for implementing remote deployment of
unconfigured devices.
10.6 Mirroring Configuration

Packet mirroring copies packets to a specified destination so that you can ayalyze packets to
monitor the network and rectify faults.
10.7 PoE Configuration

PDs, such as wireless telephones and APs, are provided with power when the devices are
configured with PoE.
10.8 iStack Configuration

Multiple switches set up an intelligent stack (iStack) to improve data forwarding capabilities
and network reliability.
10.9 Configuring a Monitoring Interface

You can configure a monitoring interface to monitor the usage environment of the device,
facilitating the maintenance of the device.

10.1 Energy-Saving Management

You can configure the energy-saving management function to reduce device power consumption
and save energy.
10.1.1 Example for Configuring ALS
As shown in Figure 10-1, GigabitEthernet0/0/1 on SwitchA connects to GigabitEthernet0/0/1
on SwitchB through optical fibers.
When a link fails, the laser on the optical module is required to automatically stop sending pulses
and recover pulse sending after the link is recovered.
Figure 10-1 Networking diagram for configuring ALS

GE0/0/1 GE0/0/1
SwitchA SwitchB
1. Enable ALS on the interface so that the laser automatically stops sending pulses when a
link fails.
2. Set the restart mode of the laser to automatic restart mode so that the laser sends pulses
again after the link is recovered.
Procedure
Step 1 Configure ALS on the interface and the restart mode of the laser.
# Enable ALS on interfaces GigabitEthernet0/0/1 of SwitchA and set the restart mode of the
laser to automatic restart.
[SwitchA-GigabitEthernet0/0/1] als enable
[SwitchA-GigabitEthernet0/0/1] undo als restart mode manual
# Enable ALS on interfaces GigabitEthernet0/0/1 of SwitchB and set the restart mode of the
laser to automatic restart.
[SwitchB-GigabitEthernet0/0/1] als enable
[SwitchB-GigabitEthernet0/0/1] undo als restart mode manual

# Check ALS configurations on interfaces of SwitchA and SwitchB.

<SwitchA> display als configuration interface gigabitethernet 0/0/1
-------------------------------------------------------------------------------
Interface ALS Laser Restart Interval(s) Width(s)
Status Status Mode
-------------------------------------------------------------------------------
GigabitEthernet0/0/1 Enable On Auto 100 2
-------------------------------------------------------------------------------
<SwitchB> display als configuration interface gigabitethernet 0/0/1
-------------------------------------------------------------------------------
Interface ALS Laser Restart Interval(s) Width(s)
Status Status Mode
-------------------------------------------------------------------------------
GigabitEthernet0/0/1 Enable On Auto 100 2
-------------------------------------------------------------------------------
----End
Configuration file
#
sysname SwitchA
#
als enable
#
return
#
sysname SwitchB
#
als enable
#
return
10.1.2 Example for Configuring Device Dormancy
The office network in Figure 10-2 uses S5300-28P-LI devices for networking.
GigabitEthernet0/0/24 connects to a printer. GigabitEthernet0/0/28 functions as an upstream
interface. Interfaces GigabitEthernet0/0/25 to GigabitEthernet0/0/27 are idle and other
interfaces connect to user hosts.
The working time is from 8:00 am to 6:00 pm and few employees work overtime. The device
dormancy configuration is performed to save power. The device is seldom used from 00:00 am
to 8:00 am and from 18:00 pm to 00:00 am Monday to Friday, so you can configure the device
in dormancy mode during the time range. The device is in dormancy mode at weekends. Some
employees may come early and go later, so the time range is set to 00:00 am to 7:00 am and
19:00 pm to 00:00 am in the working day. At weekends, the time range is set to 00:00 to 00:00.

Figure 10-2 Networking diagram for dormancy configuration
Network
GE0/0/28
GE0/0/24
Switch
1. Configure an energy-saving mode for the device.
2. Apply a time range to the device in dormancy mode to save power.
3. Configure an interface as a non-awakening interface.
Procedure
Step 1 Configure an energy-saving mode.
# Set the energy-saving mode of the switch to deep mode.
[HUAWEI] set power manage mode 4
Warning: This command will enable the device sleep function. The device will ent
er in sleep mode under the conditon specified, and all of service will not be pr
ovided! Continue? [Y/N]:y
Info: Succeeded in setting the configuration.
Info: The system is now comparing the configuration, please wait.
Warning: The configuration has been modified, and it will be saved to the next s
tartup saved-configuration file flash:/vrpcfg.zip. Continue? [Y/N]:y
Now saving the current configuration to the slot 1.
Save the configuration successfully.
Step 2 Configure a dormancy time range.

# Configure three time ranges: 00:00 am to 7:00 am and 19:00 pm to 00:00 am in the working
day from Monday to Friday, and 00:00 to 00:00 in Saturday and Sunday.

[HUAWEI] time-range sleeptime 00:00 to 07:00 working-day

[HUAWEI] time-range sleeptime 19:00 to 00:00 working-day
[HUAWEI] time-range sleeptime 00:00 to 00:00 off-day
# Apply the time ranges in which the device is in dormancy mode.

[HUAWEI] sleep time-range sleeptime
Step 3 Configure non-awakening ports.

# Configure ports GigabitEthernet0/0/24 to GigabitEthernet0/0/28 as non-awakening interfaces.
[HUAWEI] set power manage non-awaken-port interface gigabitethernet 0/0/24 to
[HUAWEI] quit
Step 4 Save the configuration.

<HUAWEI> save
The current configuration will be written to the
device.
Are you sure to continue?[Y/N]
y
Now saving the current configuration to the slot

0.
Save the configuration successfully.
NOTE
The S5300-28P-LI-AC, S5300-28P-LI-DC, S5300-52P-LI-AC, and S5300-52P-LI-DC restart before they
enter the sleeping mode. After the switches awake, unsaved configurations are lost, and the configurations
that require a restart to take effect automatically take effect. Save configurations before a switch enters the
sleeping mode.

# Check device dormancy configurations.
<HUAWEI> display power manage sleep configuration
The device sleep function status:enable
The device sleep timerange name: sleeptime.
-----------------------------------------------
Current time is 22:22:25 1-31-2012 Monday
Time-range: sleeptime ( Active )

00:00 to 07:00 working-day
19:00 to 00:00 working-day
00:00 to 00:00 off-day
-----------------------------------------------
The awaken port state check interval:20 min(default).
The configuration of awaken mode:normal
The configuration of non-awaken port:
-----------------------------------------------
GigabitEthernet0/0/24 GigabitEthernet0/0/25
GigabitEthernet0/0/26 GigabitEthernet0/0/27
-----------------------------------------------
----End
Configuration file
#
set power manage mode 4

sleep time-range sleeptime

set power manage non-awaken-port interface GigabitEthernet0/0/24
#
time-range sleeptime 00:00 to 07:00 working-day
time-range sleeptime 19:00 to 00:00 working-day
time-range sleeptime 00:00 to 00:00 off-day
#
return
10.2 Information Center Configuration

The information center works as the information hub. It records system running information in
real time, which helps the network administrator and developers to monitor network operation
and analyze network faults.
10.2.1 Example for Outputting Logs to a Log Host
As shown in , SwitchA connects to four log hosts. Log hosts are required to have reliability and
receive logs of different types so that the network administrator can monitor logs generated by
different modules on SwitchA.
Figure 10-3 Networking diagram for outputting logs to a log host

10.1.1.2/24 10.1.1.1/24
Server 3 Server1
VLANIF100
172.16.0.1/24
GE0/0/1
SwitchA
Server 4 Server 2
10.2.1.2/24 10.2.1.1/24
1. Enable the information center.

2. Configure SwitchA to send logs of notification generated by the ARP module to Server1,
and specify Server3 as the backup of Server1. Configure SwitchA to send logs of warning
generated by the AAA module to Server2, and specify Server4 as the backup of Server2.
3. Configure the log host on the server so that the network administrator can receive logs
generated by SwitchA on the log host.

Procedure
Step 1 Enable the information center.
[SwitchA] info-center enable
Step 2 Configure a channel and a rule for outputting logs to a log host.
# Name a channel.
[SwitchA] info-center channel 6 name loghost1
[SwitchA] info-center channel 7 name loghost2
# Configure a channel for outputting logs to a log host.

[SwitchA] info-center loghost 10.1.1.1 channel loghost1
# Configure a rule for outputting logs to a log host.

[SwitchA] info-center source arp channel loghost1 log level notification
[SwitchA] info-center source aaa channel loghost2 log level warning
Step 3 Configure an IP address for the interface that sends log information.
[SwitchA] vlan 100
[SwitchA-Vlanif100] return
Step 4 Configure the log host on the server.
The Switch can generate many logs, which may exceed the limited storage space of the
Switch. To address this problem, configure a log server to store all the logs.
The log host can run the Unix or Linux operating system or run third-party log software. For
details about the configuration procedure, see the relevant documentation.
# View the configuration of the log host.

<SwitchA> display info-center
Information Center:enabled
Log host:
10.1.1.1, channel number 6, channel name loghost1,
language English , host facility local7
Console:
channel number : 0, channel name : console
Monitor:
channel number : 1, channel name : monitor

SNMP Agent:
channel number : 5, channel name : snmpagent
Log buffer:
enabled,max buffer size 1024, current buffer size 512,
current messages 26, channel number : 4, channel name : logbuffer
dropped messages 0, overwritten messages 0
Trap buffer:
current messages 11, channel number:3, channel name:trapbuffer
Information timestamp setting:
log - date, trap - date, debug - date millisecond
Sent messages = 273456, Received messages = 284845
IO Reg messages = 2 IO Sent messages = 11389
----End
Configuration Files
#
sysname SwitchA
#
info-center channel 6 name loghost1
info-center channel 7 name loghost2
info-center source ARP channel 6 log level notification
info-center source AAA channel 7 log level warning
info-center loghost 10.1.1.1 channel 6
#
vlan batch 100
#
interface Vlanif100
ip address 172.16.0.1 255.255.255.0
#
#
return
10.2.2 Example for Outputting Traps to the SNMP Agent
As shown in Figure 10-4, SwitchA connects to the NMS station. There is a reachable route
between SwitchA and the NMS station. The network administrator wants to view traps of ARP
module generated by SwitchA on the NMS station to monitor device running and locate faults.
Figure 10-4 Networking diagram for outputting traps to the SNMP agent
NM Station SwitchA
10.1.1.1/24 10.1.1.2/24

2. Configure a channel and a rule for outputting traps to the SNMP agent so that the SNMP
agent can receive traps generated by SwitchA.
3. Configure SwitchA to output traps to the NMS station so that the NMS station can receive
traps generated by SwitchA.
Procedure
Step 1 Configure the VLAN to which the interface connected to the NMS station belongs to. The
configuration details are not mentioned here.
Step 2 Assign an IP address to each VLANIF interface. The configuration details are not mentioned
here.
Step 4 Configure a channel and a rule for outputting traps to the SNMP agent.
# Configure a channel for outputting traps to the SNMP agent.
[SwitchA] info-center snmp channel channel7
# Configure a rule for outputting traps to the SNMP agent.

[SwitchA] info-center source arp channel channel7 trap level informational state on
NOTE
By default, the device uses the SNMP agent to output traps of all modules.
Step 5 Configure the SNMP agent to output traps to the NMS station.
# Enable the SNMP agent and set the SNMP version to SNMPv2c.
[SwitchA] snmp-agent sys-info version v2c
# Configure the trap function.

[SwitchA] snmp-agent trap enable
Warning: All switches of SNMP trap/notification will be open. Continue? [Y/N]:y
[SwitchA] snmp-agent target-host trap address udp-domain 10.1.1.1 params
securityname public v2c
[SwitchA] quit

# View the channel used by the SNMP agent to output traps.
<SwitchA> display info-center
Information Center:enabled
Log host:
Console:
channel number : 0, channel name : console

Monitor:
channel number : 1, channel name : monitor
SNMP Agent:
channel number : 7, channel name : channel7
Log buffer:
current messages 512, channel number : 4, channel name : logbuffer
Trap buffer:
current messages 185, channel number:3, channel name:trapbuffer
Information timestamp setting:
log - date, trap - date, debug - date millisecond
Sent messages = 273514, Received messages = 284905
IO Reg messages = 2 IO Sent messages = 11392
# View traps output through the channel used by the SNMP agent.
<SwitchA> display channel 7
channel number:7, channel name:channel7
MODU_ID NAME ENABLE LOG_LEVEL ENABLE TRAP_LEVEL ENABLE DEBUG_LEVEL
ffff0000 default Y debugging Y debugging N debugging
416e0000 ARP Y debugging Y informational N debugging
# View traps output to the NMS station by the SNMP agent.

<SwitchA> display snmp-agent target-host
Target-host NO. 1
-----------------------------------------------------------
IP-address : 10.1.1.1
Source interface : -
VPN instance : -
Security name : %@%@kPGB<487}';yky-%O|tY-W+Z%@%@
Port : 162
Type : trap
Version : v2c
Level : No authentication and privacy
NMS type : NMS
With ext-vb : No
-----------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 2
#
interface Vlanif2
ip address 10.1.1.2 255.255.255.0
#
#
info-center source ARP channel 7 trap level informational
info-center snmp channel 7
#
snmp-agent
snmp-agent local-engineid 000007DB7FFFFFFF00003B4C
snmp-agent sys-info version v2c v3

snmp-agent target-host trap address udp-domain 10.1.1.1 params securityname ciph

er %@%@kPGB<487}';yky-%O|tY-W+Z%@%@ v2c
snmp-agent trap enable
#
return
10.2.3 Example for Outputting Traps to the Console
As shown in Figure 10-5, the PC connects to SwitchA through a console interface. It is required
that debugging messages of the ARP module be displayed on the PC.
Figure 10-5 Networking diagram for outputting debugging messages to the console
Console
SwitchA PC

2. Configure a channel and a rule for outputting debugging messages to the console so that
the console can receive debugging messages generated by SwitchA.
3. Enable terminal display so that users can use the terminal to view debugging messages
generated by SwitchA.
Procedure
Step 2 Configure a channel and a rule for outputting debugging messages to the console.
# Configure a channel for outputting debugging messages to the console.

[SwitchA] info-center console channel console
# Configure a rule for outputting debugging messages to the console.

[SwitchA] info-center source arp channel console debug level debugging state on
[SwitchA] quit
Step 3 Enable terminal display.

Info: Current terminal monitor is on.
Info: Current terminal debugging is on.

Step 4 Debug the ARP module.

<SwitchA> debugging arp packet
# View debugging message output.

<SwitchA> display channel 0
channel number:0, channel name:console
MODU_ID NAME ENABLE LOG_LEVEL ENABLE TRAP_LEVEL ENABLE DEBUG_LEVEL
ffff0000 default Y warning Y debugging Y debugging
416e0000 ARP Y warning Y debugging Y debugging
----End
Configuration Files
#
sysname SwitchA
#
info-center source ARP channel 0
#
return
10.3 USB-based Deployment Configuration

USB-based deployment simplifies the deployment process, reduces the deployment costs, and
relieves users from software commissioning.
10.3.1 Example for Configuring USB-based Deployment
To reduce labor costs and save time in device deployment, two new devices need to be
automatically upgraded and configured. The requirements for the upgrade are as follows:
l The devices need to be upgraded at 02:09 a.m. on June 28, 2013.
l The first device S5300SI needs to be upgraded from V200R003C00 to a later version and
does not need to load a new configuration file. The device MAC address is 0018-0303-1234,
and the new system software package is S5300SI-new.CC.
l The second device S5300HI needs to be upgraded from V200R003C00 to a later version.
Its ESN is 020TEA10A9000016 and the new system software package is S5300HI-
new.CC. This device needs to load the configuration file vrpcfg.cfg and path file
patch.pat.
1. Configure an authentication password for the devices.

2. Make an index file usbload_config.txt for USB-based deployment. ENsure that all fields
in the index file are supported by the current system version of the devices.
3. Save the index file and upgrade files to the root directory of the USB flash drive.

4. Connect the USB flash drive to a USB interface of each device to complete automatic
software upgrade.
Procedure
Step 1 Configure an authentication password for the devices.
[HUAWEI] set device usb-deployment password huawei2012
Run the display this command in the system view, and you can see the cipher-text password %
@%@j8ch"BBh<N7e|m!UPOUKL.p`%@%@.
Step 2 Make an index file.

# Create an index file and name it usbload_config.txt. Add the following content in the index
file.
<time-sn=201306280209;/>
<usb-deployment password=%@%@j8ch"BBh<N7e|m!UPOUKL.p`%@%@;/>
<mac=0018-0303-1234; vrpfile=S5300SI-new.CC;/>
<esn=020TEA10A9000016; vrpfile=S5300HI-new.CC; cfgfile=vrpcfg.cfg;
patchfile=patch.pat;/>
Step 3 Save the usbload_config.txt file and upgrade files to the root directory of the USB flash drive.
Step 4 Connect the USB flash drive to the S5300SI to start the deployment process. Observe the SYS
indicator on the switch to monitor the deployment state.
After the switch restarts, the system checks the deployment state. If the SYS indicator blinks
yellow slowly (once every 2s), the USB-based deployment has succeeded. If the SYS indicator
blinks red, the USB-based deployment has failed. View the usbload_error.txt file in the root
directory of the USB flash drive to analyze why the deployment fails.
If the USB-based deployment succeeds, remove the USB flash drive and connect it to the other
device.
Step 5 Connect the USB flash drive to the S5300HI to start the deployment process. Observe the SYS
indicator on the switch to monitor the deployment state.
After the switch restarts, the system checks the deployment state. If the SYS indicator blinks
yellow slowly (once every 2s), the USB-based deployment has succeeded. If the SYS indicator
blinks red, the USB-based deployment has failed. View the usbload_error.txt file in the root
directory of the USB flash drive to analyze why the deployment fails.
If the USB-based deployment succeeds, remove the USB flash drive.
----End
10.4 EasyDeploy Configuration

EasyDeploy is a feature that enables a device to automatically load version files, including
system software, patch files, web page files, and configuration files. This feature simplifies
network configuration, implements remote service deployment, and allows centralized device
management.

10.4.1 Example for Deploying Unconfigured Devices Through the

Commander
On the enterprise network shown in Figure 10-6, Switch1 and Switch2 have reachable routes
to each other. The IP address of VLANIF20 (corresponding to the VLAN to which GE0/0/1
belongs) on Switch1 is 192.168.10.90. On Switch2, the IP address of VLANIF20 (corresponding
to the VLAN to which GE0/0/3 belongs) is 192.168.10.80, and the IP address of VLANIF10
(corresponding to the VLAN to which GE0/0/1 and GE0/0/2 belong) is 192.168.1.6. The IP
address of the file server is 192.168.10.100.
New devices Client1, Client2, and Client3 need to be deployed on the enterprise network. The
new devices are located on a different network segment than he DHCP server. To reduce labor
costs and save time on device deployment, the enterprise wants to realize automatic batch
configuration and maintenance of the new devices.
Table 10-1 lists information about the new devices to be configured.
Table 10-1 Device information
New Device Device Model Files to Be Loaded
Client1 S5300-HI s5300-hi.cfg

User-defined file header1.txt
Client2 S5300-HI s5300-hi.cfg

Client3 S5300-SI s5300-si.cfg


Figure 10-6 Networking diagram for unconfigured device deployment through the commander
Switch1 (DHCP server)
File server
192.168.10.100/24 IP企业网络
Network GE0/0/1
VLANIF20
192.168.10.90/24
GE0/0/3
VLANIF20
192.168.10.80/24
Switch2/DHCP Relay
(Commander)
GE0/0/1
GE0/0/2
VLANIF10
192.168.1.6/24
Client1 Client2
Client3
1. Configure the DHCP server function on Switch1 and configure DHCP relay on Switch2,
so that the new devices can obtain IP addresses of their own and the Commander.
2. Configure the file server and save the files to be loaded on the file server.
3. Configure the Commander on Switch2 so that the new devices can be configured through
the Commander.
l Configure basic functions of the Commander. Enable automatic configuration backup
on the Commander to facilitate replacement of faulty devices in future maintenance.
l Client1 and Client2 are devices of the same type and need to load the same configuration
file. Therefore, you can configure a group based the device type of the two devices.
Client3 needs to load a different configuration file. You can specify the file information
exclusively for Client3 or configure a group based on its device type. To specify the file
information exclusively for Client3, obtain the MAC address or ESN of Client3 first.
l Client3 is connected to Client1 in cascading networking. Therefore, an appropriate
global file activation delay time needs to be configured on the Commander to ensure
that Client3 has enough time to download the required files.
4. Start the unconfigured device deployment process.
Procedure
Step 1 Configure the DHCP service.
# Configure the DHCP service on Switch1.

[HUAWEI] sysname DHCP Server
[DHCP Server] dhcp enable
[DHCP Server] interface vlanif 20
[DHCP Server-Vlanif20] dhcp select global
[DHCP Server-Vlanif20] quit
[DHCP Server] ip pool easy-operation
[DHCP Server-ip-pool-easy-operation] network 192.168.1.0 mask 255.255.255.0
[DHCP Server-ip-pool-easy-operation] gateway-list 192.168.1.6
[DHCP Server-ip-pool-easy-operation] option 148 ascii ipaddr=192.168.1.6;
[DHCP Server-ip-pool-easy-operation] quit
# Configure a static route on Switch1.

[DHCP Server] ip route-static 192.168.1.0 255.255.255.0 192.168.10.80
# Configure DHCP relay on Switch2 (Commander).

[HUAWEI] sysname Commander
[Commander] dhcp enable
[Commander] interface gigabitethernet 0/0/1
[Commander-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[Commander-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[Commander-GigabitEthernet0/0/1] quit
[Commander] interface gigabitethernet 0/0/2
[Commander-GigabitEthernet0/0/2] port hybrid pvid vlan 10
[Commander-GigabitEthernet0/0/2] port hybrid untagged vlan 10
[Commander-GigabitEthernet0/0/2] quit
[Commander] interface vlanif 10
[Commander-Vlanif10] dhcp select relay
[Commander-Vlanif10] dhcp relay server-ip 192.168.10.90
[Commander-Vlanif10] quit
Step 2 Configure the file server.

Configure the file server according to the server manual. Ensure that the file server has reachable
routes to the Commander and clients.
After completing the configuration, save the required files on the file server.
Step 3 Configure basic functions of the Commander.
[Commander] easy-operation commander ip-address 192.168.1.6
[Commander] easy-operation commander enable
[Commander] easy-operation
[Commander-easyoperation] sftp-server 192.168.10.100 username admin password
easyoperation
[Commander-easyoperation] backup configuration interval 2
Step 4 Configure information about files to be downloaded.

# On the Commander, configure a built-in group based on the device type of Client1 and Client2,
and specify information about the files to be downloaded in the group.
[Commander-easyoperation] group build-in S5300-HI
[Commander-easyoperation-group-build-in-S5300-HI] configuration-file s5300-hi.cfg
[Commander-easyoperation-group-build-in-S5300-HI] custom-file header1.txt
[Commander-easyoperation-group-build-in-S5300-HI] quit
# Specify information about the files to be downloaded to Client3.

[Commander-easyoperation] client 3 mac-address 5489-9875-edff
[Commander-easyoperation] client 3 configuration-file s5300-si.cfg custom-file
header2.txt
# In the Easy-Operation view of the Commander, set the file activation delay time to 15 minutes
(900 seconds) based on the size of files that Client3 needs to download.

[Commander-easyoperation] activate-file delay 900

[Commander-easyoperation] quit

# Check global configuration of the Commander.
[Commander] display easy-operation configuration
---------------------------------------------------------------------------
Role : Commander
Commander IP address : 192.168.1.6
Commander UDP port : 60000
IP address of file server : 192.168.10.100
Type of file server : SFTP
Username of file server : admin
Default system-software file : -
Default system-software version: -
Default configuration file : -
Default patch file : -
Default WEB file : -
Default license file : -
Default custom file 1 : -
Auto clear up : Disable
Auto join in : Disable
Activating file time : Immediately
Activating file method : Default
Backup configuration file mode : Default
Backup configuration file interval(hours): 2
---------------------------------------------------------------------------
Step 6 Start the unconfigured device deployment process.

After completing the preceding configuration, power on the new devices.
You can run the display easy-operation download-status command to check the file
downloading progress on the devices.
[Commander] display easy-operation download-status
The total number of client in downloading files is : 3
----------------------------------------------------------------------------
ID Mac address IP address Method Phase Status
----------------------------------------------------------------------------
1 00E0-FC12-A34B 192.168.1.254 zero-touch Config-file UPGRADING
2 00E0-FC34-3190 192.168.1.253 zero-touch Config-file UPGRADING
3 5489-9875-edff 192.168.1.252 zero-touch Config-file UPGRADING
----End
Configuration Files
#
sysname DHCP Server
#
vlan batch 20
#
dhcp enable
#
ip pool easy-operation
network 192.168.1.0 mask 255.255.255.0
option 148 ascii ipaddr=192.168.1.6;
#
interface Vlanif20

ip address 192.168.10.90 255.255.255.0

dhcp select global
#
#
ip route-static 192.168.1.0 255.255.255.0 192.168.10.80
#
return

#
sysname Commander
#
vlan batch 10
#
dhcp enable
#
interface Vlanif10
ip address 192.168.1.6 255.255.255.0
dhcp select relay
dhcp relay server-ip 192.168.10.90
#
#
#
easy-operation commander ip-address 192.168.1.6
easy-operation commander enable
#
easy-operation
sftp-server 192.168.10.100 username admin password %$%$"lcYC3a9)~67^c$uM%5ZQ>Uc%$%
$
backup configuration interval 2
activate-file delay 900
client 3 mac-address 5489-9875-EDFF
client 3 configuration-file s5300-si.cfg
client 3 custom-file header2.txt
group build-in S5300-HI
configuration-file s5300-hi.cfg
custom-file header1.txt
#
return
10.4.2 Example for Replacing Faulty Devices Through the

Commander
The enterprise network shown in Figure 10-7 supports the EasyDeploy function. Switch1,
Switch2, and the file server have routes to each other. Switch1 functions as a DHCP server, and
the Switch2 functions as a DHCP relay agent and Commander.
Client5 on the network fails, and services of users connected to Client5 are interrupted. To
resume services for users, Client5 must be replaced by a new client. The new client needs to
take over services of Client5 quickly to minimize impact of the fault.

The MAC address of the new client is 0200-0000-0000, and the new client needs to download
the web page file web_1.web.7z.
Figure 10-7 Networking diagram for faulty device replacement through the Commander
Switch1 (DHCP server)
File server
IP Network
Switch2/DHCP Relay
(Commander)
Client1 Client2 Client3
Client5
Client4
1. Specify client replacement information on Switch2 to enable the new client to obtain the
backup configuration file of the faulty client.
2. Start the client replacement process.
Procedure
Step 1 Specify client replacement information on Switch2.
[Commander-easyoperation] client 5 replace mac-address 0200-0000-0000
[Commander-easyoperation] client 5 replace web-file web_1.web.7z
# Check client replacement information.

[Commander] display easy-operation client replace
The total number of replacement information is : 1
-----------------------------------------------------------
ID Replaced Mac Replaced Esn
-----------------------------------------------------------

5 0200-0000-0000 -
-----------------------------------------------------------
Step 3 Start the client replacement process.

After completing the preceding configuration, power on the new client.
You can run the display easy-operation client 5 command to check the status of the new client.
[Commander] display easy-operation client 5
-------------------------------------------------------------------------------
ID Mac address ESN IP address State
-------------------------------------------------------------------------------
5 0200-0000-0000 2102353173107C800132 192.168.1.254 UPGRADING
-------------------------------------------------------------------------------
You can also run the display easy-operation download-status command to check the file
downloading progress on the new client.
-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
5 0200-0000-0000 192.168.1.254 Zero-touch Web-file UPGRADING
----End
Configuration Files
#
sysname DHCP Server
#
vlan batch 20
#
dhcp enable
#
network 192.168.1.0 mask 255.255.255.0
option 148 ascii ipaddr=192.168.1.6;
#
interface Vlanif20
ip address 192.168.10.90 255.255.255.0
dhcp select global
#
#
return

#
sysname Commander
#
vlan batch 10
#
dhcp enable
#
interface Vlanif10
ip address 192.168.1.6 255.255.255.0

dhcp select relay

#
#
#
#
easy-operation
sftp-server 192.168.10.100 username admin password %$%$"lcYC3a9)~67^c$uM%5ZQ>Uc%$%
$
client 3 replace mac-address 0200-0000-0000
client 3 replace web-file web_1.web.7z
#
return
10.4.3 Example for Implementing a Batch Upgrade Through the

Commander
On the enterprise network shown in Figure 10-8, clients 1 to 6 in office buildings have reachable
routes to the switch and file server. The IP address of the switch is 172.31.20.10/24 and the IP
address of the file server is 172.31.1.90. To reduce labor costs and facilitate later upgrades and
maintenance, the enterprise wants the clients to automatically obtain required files for batch
upgrades.
Table 10-2 lists information about clients 1 to 6 and files that they need to load.
Table 10-2 Client information and files to be loaded
Client Device Type MAC Address IP Address Files to Be

Loaded
Client1 S9300 - 172.31.20.100/2 s9300.cc

4 license.dat
header1.txt
Client2 S5300-HI - – s5300-hi.cc
Client3 S5300-HI - - s5300-hi.cc
Client4 S5300-EI - 172.31.10.10/24 s5300-ei.cc
Client5 S5300-HI - - s5300-hi.cc
Client6 S5300-SI 5489-9875- - web_1.web.7z

ea12 header.txt

Figure 10-8 Networking diagram for a batch upgrade through the Commander
File server
IP企业网络
Network
Client1
Switch (Commander)
Client2 Client4
Client3
Client5 Client6
1. Configure the file server and save the files to be loaded on the file server.
2. Specify the Commander IP address on the clients.
3. Configure the Commander function on the switch to implement a batch upgrade through
the Commander.
l Configure basic functions of the Commander.
l Configure groups for the clients and specify files to be loaded in the groups.
l Enable automatic configuration backup on the Commander to facilitate replacement of
faulty devices in future maintenance.
l Some clients are connected in cascading networking. To ensure that downstream Client5
and Client6 can download required files successfully, configure a specific file activation
time on the Commander. To minimize the impact of the upgrade on services, configure
the clients to active downloaded files at 2:00 a.m.
4. Start the batch upgrade process.
Procedure
Configure the file server according to the server manual.
Step 2 Specify the Commander IP address on the clients.

# Specify the Commander IP address on Client1.

[HUAWEI] easy-operation commander ip-address 172.31.20.10
Specify the Commander IP address on Client2 to Client6 in the same way.
Step 3 Configure basic functions of the Commander.

[Commander] easy-operation commander ip-address 172.31.20.10
[Commander] easy-operation commander enable
[Commander-easyoperation] sftp-server 172.31.1.90 username admin password
easyoperation
[Commander-easyoperation] backup configuration interval 2
Step 4 Enable the client auto-join function on the Commander.

[Commander-easyoperation] client auto-join enable
NOTE
After the auto-join function is enabled, you can view information about the clients and files that the clients
have downloaded on the Commander using the display easy-operation client command.
Step 5 Specify file information and file activation mode on the Commander.
# Configure a group based on the IP address of Client1, and specify the files to be loaded in the
group.
[Commander-easyoperation] group custom ip-address g1
[Commander-easyoperation-group-custom-g1] match ip-address 172.31.20.100 24
[Commander-easyoperation-group-custom-g1] system-software s9300.cc V200R003C00
[Commander-easyoperation-group-custom-g1] license license.dat
[Commander-easyoperation-group-custom-g1] custom-file header1.txt
# Configure a group based on the device type of Client2, Client3, and Client5, and specify the
file to be loaded in the group.
[Commander-easyoperation] group build-in s5300-hi
[Commander-easyoperation-group-build-in-S5300-HI] system-software s5300-hi.cc
V200R003C00
# Configure a group based on the IP address of Client4, and specify the file to be loaded in the
group.
[Commander-easyoperation] group custom ip-address g2
[Commander-easyoperation-group-custom-g2] match ip-address 172.31.10.10 24
[Commander-easyoperation-group-custom-g2] system-software s5300-ei.cc V200R003C00
# Configure a group based on the MAC address of Client6, and specify the files to be loaded in
the group.
[Commander-easyoperation] group custom mac-address g3
[Commander-easyoperation-group-custom-g3] match mac-address 5489-9875-ea12
[Commander-easyoperation-group-custom-g3] web-file web_1.web.7z
[Commander-easyoperation-group-custom-g3] custom-file header.txt
[Commander-easyoperation-group-custom-g3] quit
# In the Easy-Operation view of the Commander, set the file activation mode and time.
[Commander-easyoperation] activate-file in 2:00 reload
[Commander-easyoperation] quit

# Check global configuration of the Commander.

[Commander] display easy-operation configuration
---------------------------------------------------------------------------
Role : Commander
Commander IP address : 172.31.20.10
Commander UDP port : 60000
IP address of file server : 172.31.1.90
Type of file server : SFTP
Username of file server : admin
Default system-software file : -
Default system-software version: -
Default configuration file : -
Default patch file : -
Default WEB file : -
Default license file : -
Default custom file 3 :
-
Auto clear up : Disable
Auto join in : Enable
Activating file time : Immediately
Backup configuration file mode : Default
Backup configuration file interval(hours): 2
---------------------------------------------------------------------------
# Check group configuration on the Commander.

[Commander] display easy-operation group
The total number of group configured is : 4
The number of build-in group is : 1
The number of custom group is : 3
-------------------------------------------------------
Groupname Type MatchType
-------------------------------------------------------
S5300-HI build-in device-type
g1 custom ip-address
g2 custom ip-address
g3 custom mac-address
-------------------------------------------------------
# Check configuration of the group g1 on the Commander.

[Commander] display easy-operation group custom g1
---------------------------------------------------------------------------
Group name : g1
Configuration file : -
System-software file : s9300.cc
Patch file : -
WEB file : -
License file : license.dat
Customs file 1 : header1.txt
Customs file 2 : -
Customs file 3 : -
Activating file time : In 02:00
Ip-address list :
Ip-address Ip-mask
172.31.1.100 255.255.255.0
---------------------------------------------------------------------------
Step 7 Start the batch upgrade process.

[Commander-easyoperation] upgrade group

Warning: This command will start the upgrade process of all groups and clients i
n these groups may reboot. Ensure that configurations of the clients have been s
aved. Continue?[Y/N]:y
You can run the display easy-operation download-status command to check the file
downloading progress on the client.
----------------------------------------------------------------------------
----------------------------------------------------------------------------
1 0011-2233-4455 172.31.20.100 upgrade Sys-file UPGRADING
2 00E0-FC34-3190 172.31.10.15 upgrade Sys-file UPGRADING
4 70F3-950B-1A52 172.31.10.10 upgrade Sys-file UPGRADING
6 5489-9875-ea12 172.31.10.11 upgrade Web-file UPGRADING
----End
Configuration Files
#
sysname Commander
#
#
easy-operation
client auto-join enable
sftp-server 172.31.1.90 username admin password %$%$"lcYC3a9)~67^c$uM%5ZQ>Uc%$%$
activate-file in 2:00 reload
group build-in S5300-HI
system-software s5300-hi.cc V200R003C00
group custom ip-address g1
system-software S9300.cc V200R003C00
license license.dat
custom-file header1.txt
match ip-address 172.31.1.100 255.255.255.0
group custom ip-address g2
match ip-address 172.31.10.10 255.255.255.0
group custom mac-address g3
web-file web_1.web.7z
custom-file header.txt
match mac-address 5489-9875-EA12 FFFF-FFFF-FFFF
#
return
Configuration file of clients 1 to 6

#
#
return

10.4.4 Example for Deploying Unconfigured Devices Through

Option Fields
Figure 10-9 shows the network of a residential community. SwitchD is an aggregation switch
and connects to all devices newly deployed in the community. SwitchA, SwitchB, and
SwitchC are three of the new devices and are used as an example here.
All the new devices in the community need to load the same system software, patch file, and
configuration file. Since many new devices need to be configured, the customer requires batch
configuration of all the new devices to reduce labor costs and device deployment time.
Figure 10-9 Networking diagram for unconfigured device deployment through option fields
VLAN10
SwitchA GE
0/0
/1
GE0/0/4
GE0/0/2 VLAN20
/3
SwitchB E 0/0 SwitchD PC
G
DHCP Server File Server
SwitchC
1. Configure the file server on the PC directly connected to SwitchD. Save the system
software, patch file, and configuration file to the working directory of the file server, so
that the new devices can obtain these files.
2. Configure the DHCP server on SwitchD to assign network configuration information to
new devices. All the new devices require the same system software, patch file, and
configuration file; therefore, configure Option 67 and Option 145 on the DHCP server to
specify information about the files to be downloaded.
3. Power on SwitchA, SwitchB, and SwitchC. They can automatically start the EasyDeploy
process to load the system software, patch file, and configuration file.
Procedure

Step 2 Configure the DHCP server.

[DHCP Server] vlan batch 10 20
[DHCP Server] interface gigabitethernet 0/0/1
[DHCP Server-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[DHCP Server-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[DHCP Server-GigabitEthernet0/0/1] quit
[DHCP Server-Vlanif10] ip address 192.168.2.6 255.255.255.0
[DHCP Server] ip pool auto-config
[DHCP Server-ip-pool-auto-config] network 192.168.2.0 mask 255.255.255.0
[DHCP Server-ip-pool-auto-config] gateway-list 192.168.2.6
[DHCP Server-ip-pool-auto-config] option 67 ascii s_V200R003C00.cfg
[DHCP Server-ip-pool-auto-config] option 141 ascii user
[DHCP Server-ip-pool-auto-config] option 142 ascii huawei
[DHCP Server-ip-pool-auto-config] option 143 ip-address 192.168.1.6
[DHCP Server-ip-pool-auto-config] option 145 ascii
vrpfile=s_V200R003C00.cc;vrpver=V200R003C00;patchfile=s_V200R003C00.pat;
[DHCP Server-ip-pool-auto-config] quit
Step 3 Power on SwitchA, SwitchB, and SwitchC to start the EasyDeploy process.
#After the EasyDeploy process ends, log in to the new devices and run the display startup
command to check the startup system software, configuration file, and patch file. The command
output on SwitchA is used as an example.
MainBoard:
Configured startup system software: flash:/s_V200R003C00.cc
Startup system software: flash:/s_V200R003C00.cc
Next startup system software: flash:/s_V200R003C00.cc
Startup saved-configuration file: flash:/s_V200R003C00.cfg
Next startup saved-configuration file: flash:/s_V200R003C00.cfg
Startup patch package: flash:/s_V200R003C00.pat
Next startup patch package: flash:/s_V200R003C00.pat
----End

Configuration Files
Configuration file of the DHCP server
#
sysname DHCP Server
#
vlan batch 10 20
#
dhcp enable
#
ip pool auto-config
network 192.168.2.0 mask 255.255.255.0
option 67 ascii s_V200R003C00.cfg
option 141 ascii user
option 142 ascii huawei
option 143 ip-address 192.168.1.6
option 145 ascii
vrpfile=s_V200R003C00.cc;vrpver=V200R003C00;patchfile=s_V200R003C00.pat;
#
interface Vlanif10
ip address 192.168.2.6 255.255.255.0
dhcp select global
#
interface Vlanfi20
ip address 192.168.1.1 255.255.255.0
#
#
#
#
#
return
10.4.5 Example for Deploying Unconfigured Devices Through an

Intermediate File
As shown in Figure 10-10, newly delivered devices SwitchA, SwitchB, and SwitchC are
deployed in a branch and connect to GE0/0/1, GE0/0/2, and GE0/0/3 of SwitchD respectively.
SwitchD is the egress gateway of the branch and connects to the headquarters network across a
Layer 3 network.
SwitchA, SwitchB, and SwitchC are different models and need to load different system software
packages, patch files, and configuration files. The enterprise wants the new devices to
automatically download required version files to save labor costs for onsite configuration.
The following lists MAC addresses of SwitchA, SwitchB, and SwitchC and the files that the
switches need to load:

l SwitchA: Its MAC address is 0025-9e1e-773b and it needs to load the system software
package s53si_easy_V200R003C00.cc (version V200R003C00), patch file
s53si_easy_V200R003C00.pat, and configuration file s53si_easy_V200R003C00.cfg.
l SwitchB: Its MAC address is 0025-9e1e-773c and it needs to load the system software
package s53ei_easy_V200R003C00.cc (version V200R003C00), patch file
s53ei_easy_V200R003C00.pat, and configuration file s53ei_easy_V200R003C00.cfg.
l SwitchC: Its MAC address is 0025-9e1e-773d and it needs to load the system software
package s53hi_easy_V200R003C00.cc (version V200R003C00), patch file
s53hi_easy_V200R003C00.pat, and configuration file s53hi_easy_V200R003C00.cfg.
Figure 10-10 Networking diagram for EasyDeploy implementation across a Layer 3 network
SwitchA Headquarters
GE0/0/1~3
Branch
GE0/0/1 GE0/0/2
IP企业网络
Network
SwitchB SwitchD SwitchE PC

DHCP Relay DHCP Server File Server
SwitchC
1. Configure the file server on the PC directly connected to SwitchE.
2. Edit an intermediate file to enable SwitchA, SwitchB, and SwitchC to obtain their system
software packages, configuration files, and patch files according to the intermediate file.
3. Save the intermediate file, system software packages, patch files, and configuration files
in the working directory of the file server, so that the new devices can obtain these files.
4. Configure DHCP relay on the egress gateway (SwitchD) of the branch, and configure the
DHCP server on SwitchE. Then the DHCP server can deliver network configuration to the
unconfigured devices across the Layer 3 network.
5. Power on SwitchA, SwitchB, and SwitchC. They can automatically start the EasyDeploy
process to load their system software, patch files, and configuration files.
Procedure
Step 1 Edit the intermediate file lswnet.cfg.
# Create a file and name it lswnet.cfg. Write the following content in the file:
mac=0025-9e1e-773b;vrpfile=s53si_easy_V200R003C00.cc;vrpver=V200R003C00;patchfile=
s53si_easy_V200R003C00.pat;cfgfile=s53si_easy_V200R003C00.cfg;
mac=0025-9e1e-773c;vrpfile=s53ei_easy_V200R003C00.cc;vrpver=V200R003C00;patchfile=
s53ei_easy_V200R003C00.pat;cfgfile=s53ei_easy_V200R003C00.cfg;

mac=0025-9e1e-773d;vrpfile=s53hi_easy_V200R003C00.cc;vrpver=V200R003C00;patchfile=
s53hi_easy_V200R003C00.pat;cfgfile=s53hi_easy_V200R003C00.cfg;
Step 3 # Configure SwitchD.

# Configure DHCP relay.
[HUAWEI] sysname DHCP Relay
[DHCP Relay] dhcp enable
[DHCP Relay] vlan 10
[DHCP Relay-vlan10] quit
[DHCP Relay] interface gigabitethernet 0/0/1
[DHCP Relay-GigabitEthernet0/0/1] port hybrid pvid vlan 10
[DHCP Relay-GigabitEthernet0/0/1] port hybrid untagged vlan 10
[DHCP Relay-GigabitEthernet0/0/1] quit
[DHCP Relay] interface vlanif 10
[DHCP Relay-Vlanif10] ip address 192.168.1.6 255.255.255.0
[DHCP Relay-Vlanif10] dhcp select relay
[DHCP Relay-Vlanif10] dhcp relay server-ip 192.168.2.6
[DHCP Relay-Vlanif10] quit
# Configure a static route. Set the destination IP address of the route to the PC's IP address, and
the next hop to the IP address of the interface on the Layer 3 network directly connected to
SwitchD.
Step 4 # Configure SwitchE.

# Configure the DHCP server.
[DHCP Server] vlan batch 20 30
[DHCP Server-GigabitEthernet0/0/1] port link-type trunk
[DHCP Server-GigabitEthernet0/0/1] port trunk allow-pass vlan 20
[DHCP Server] ip pool easy-operation
[DHCP Server-ip-pool-easy-operation] network 192.168.1.0 mask 255.255.255.0
[DHCP Server-ip-pool-easy-operation] gateway-list 192.168.1.6
[DHCP Server-ip-pool-easy-operation] option 141 ascii user
[DHCP Server-ip-pool-easy-operation] option 142 ascii huawei
[DHCP Server-ip-pool-easy-operation] option 143 ip-address 192.168.4.6

[DHCP Server-ip-pool-easy-operation] option 146 ascii

opervalue=1;delay=0;netfile=lswnet.cfg;
[DHCP Server-ip-pool-easy-operation] quit
# Configure a static route. Set the destination IP address of the route to the network segment in
the IP address pool configured on SwitchD, and the next hop to the IP address of the interface
on the Layer 3 network directly connected to SwitchE.
Step 5 Power on SwitchA, SwitchB, and SwitchC to start the EasyDeploy process.
#After the EasyDeploy process ends, log in to the new devices and run the display startup
command to check the startup system software, configuration file, and patch file. The command
output on SwitchC is used as an example.
MainBoard:
Configured startup system software: flash:/s53hi_easy_V200R003C00.cc
Startup system software: flash:/s53hi_easy_V200R003C00.cc
Next startup system software: flash:/s53hi_easy_V200R003C00.cc
Startup saved-configuration file: flash:/s53hi_easy_V200R003C00.cfg
Next startup saved-configuration file: flash:/s53hi_easy_V200R003C00.cfg
Startup patch package: flash:/s53hi_easy_V200R003C00.pat
Next startup patch package: flash:/s53hi_easy_V200R003C00.pat
----End
Configuration Files
l Configuration file of the DHCP relay agent
#
sysname DHCP Relay
#
vlan batch 10
#
dhcp enable
#
interface Vlanif10
ip address 192.168.1.6 255.255.255.0
dhcp select relay
#
#
#
#
return
l Configuration file of the DHCP server

#
sysname DHCP Server
#

vlan batch 20 30
#
dhcp enable
#
network 192.168.1.0 mask 255.255.255.0
option 141 ascii user
option 142 ascii huawei
option 143 ip-address 192.168.4.6
option 146 ascii opervalue=1;delay=0;netfile=lswnet.cfg;
#
interface Vlanif20
ip address 192.168.2.6 255.255.255.0
dhcp select global
#
interface Vlanif30
ip address 192.168.4.1 255.255.255.0
#
#
#
return
10.5 NAP Configuration

Neighbor Access Protocol (NAP) is designed for implementing remote deployment of
unconfigured devices.
10.5.1 Example for Configuring NAP-based Remote Deployment

As shown in Figure 10-11, SwitchC and SwitchB are directly connected, but they are located
at equipment rooms far away from each other. SwitchC is a new device on the network and does
not load any configuration file while SwitchB is an existing device on the network.
You want to implement remote deployment for SwitchC on SwitchB to reduce network operation
and maintenance costs.
Figure 10-11 Networking diagram of configuring NAP-based remote deployment
GE0/0/1
Internet
PC SwitchA SwitchB SwitchC

1. Set interface GigabitEthernet0/0/1 of SwitchB to a master NAP interface to establish NAP

neighbor relationship between SwitchB and SwitchC.
2. Use Telnet to log in to SwitchC from SwitchB to configure remote deployment.
3. Disable NAP for all interfaces of SwitchC.
Procedure
Step 1 Set an interface to a master NAP interface.
# Set interface GigabitEthernet0/0/1 on SwitchB to a master NAP interface.

[SwitchB-GigabitEthernet0/0/1] nap port master
# Run the display nap interface command on SwitchB to check whether a NAP neighbor
relationship has been established and whether IP addresses have been assigned to the master and
slave interfaces.
[SwitchB-GigabitEthernet0/0/1] display nap interface
------------------------------------------------------
NAP master port list
Port count : 1
------------------------------------------------------
Port property : Master
Current status : IP-ASSIGNED
Local port : GigabitEthernet0/0/1
Peer port : GigabitEthernet0/0/1
Local IP : 10.167.253.1
Peer IP : 10.167.253.2
Hello time : 3s
Linked time : 00:00:26
------------------------------------------------------
Step 2 Log in to the slave device.
# Log in to SwitchC from SwitchB.

[SwitchB-GigabitEthernet0/0/1] nap login neighbor
Trying 10.167.253.2 ...
Connected to 10.167.253.2 ...
Warning: Telnet is not a secure protocol, and it is recommended to use Stelnet.

An initial password is required for the first login via the vty user-interface.
Set a password and keep it safe! Otherwise you will not be able to login via the
vty user-interface.
Please configure the login password (6-16)

Enter Password:
Confirm Password:
<HUAWEI>
Step 3 Configure deployment on the slave device.

After logging in to SwitchC, you can configure deployment on SwitchC. It is recommended that
you set the IP address, user name, and password and enable the Telnet service on SwitchC so
that you can use Telnet to directly log in to SwitchC.
Step 4 Log in to SwitchC using the configured IP address, user name, and password to disable NAP on
the slave device.
# Disable NAP for all interfaces of SwitchC.

[SwitchC] undo nap slave enable
Warning: The operation will close NAP slave. Continue? [Y/N]:y
----End
Configuration File
None
10.6 Mirroring Configuration

Packet mirroring copies packets to a specified destination so that you can ayalyze packets to
monitor the network and rectify faults.
NOTE
The terms mirrored port, port mirroring, traffic mirroring, and mirroing in this manual are mentioned only
to describe the product's function of communication error or failure detection, and do not involve collection
or processing of any personal information or communication data of users.
10.6.1 Example for Configuring Local Port Mirroring
As shown in Figure 10-12, HostA is connected to GigabitEthernet0/0/1 on SwitchA, and Server
is directly connected to GigabitEthernet0/0/2 on SwitchA.
Users want to use the monitoring device (Server) to monitor packets sent from HostA.
Figure 10-12 Networking diagram of local port mirroring

GE0/0/1 GE0/0/2
HostA SwitchA Server
1. Configure GigabitEthernet0/0/2 on SwitchA as the local observing port so that Server can
receive mirrored packets.

2. Configure GigabitEthernet0/0/1 on SwitchA as the mirrored port to monitor packets passing

through the mirrored port.
Procedure
Step 1 Configure an observing port.
# Configure GigabitEthernet0/0/2 on SwitchA as the local observing port.

[SwitchA] observe-port 1 interface gigabitethernet 0/0/2
Step 2 Configure a mirrored port.
# Configure GigabitEthernet0/0/1 on SwitchA as the mirrored port to monitor packets sent from
HostA.
[SwitchA-GigabitEthernet0/0/1] port-mirroring to observe-port 1 inbound
# Check the observing port configuration.

<SwitchA> display observe-port
---------------------------------------------------------------------------
Index : 1
---------------------------------------------------------------------------
# Check the mirrored port configuration.

<SwitchA> display port-mirroring
Port-mirror:
----------------------------------------------------------------------
Mirror-port Direction Observe-port
----------------------------------------------------------------------
GigabitEthernet0/0/1 Inbound GigabitEthernet0/0/2
----------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
observe-port 1 interface GigabitEthernet0/0/2
#
port-mirroring to observe-port 1 inbound
#
return
10.6.2 Example for Configuring Layer 2 Remote Port Mirroring

is connected to GigabitEthernet0/0/1 on SwitchC. SwitchA and SwitchC are connected over a
Layer 2 network.
Users want to use the monitoring device (Server) to remotely monitor packets sent from HostA.
Figure 10-13 Networking diagram of Layer 2 remote port mirroring

SwitchB
VLAN2 VLAN2
GE0/0/1 GE0/0/2
SwitchA SwitchC
GE0/0/1 GE0/0/2
GE0/0/2 GE0/0/1
HostA Server
1. Configure interfaces on SwitchA and SwitchC to implement Layer 2 communication
between them.
2. Configure GigabitEthernet0/0/1 on SwitchA as the remote observing port so that mirrored
packets can be forwarded to Server over the Layer 2 network.
3. Configure GigabitEthernet0/0/2 on SwitchA as the mirrored port to monitor packets passing
through the mirrored port.
Procedure
Step 1 Configure ports so that devices can communicate on Layer 2.
[SwitchA] vlan 3
[SwitchB] vlan 2


[SwitchC] vlan 2
[SwitchC-GigabitEthernet0/0/2] port trunk allow-pass vlan 2
Step 2 Configure a remote observing port.

# Configure GigabitEthernet0/0/1 on SwitchA as the remote observing port.
[SwitchA] observe-port 1 interface gigabitethernet 0/0/1 vlan 2
Step 3 Configure a mirrored port.

# Configure GigabitEthernet0/0/2 on SwitchA as the mirrored port.
[SwitchA-GigabitEthernet0/0/2] port-mirroring to observe-port 1 inbound

# Check the observing port configuration.
<SwitchA> display observe-port
----------------------------------------------------------------------
Index : 1
Vlan : 2
----------------------------------------------------------------------
# Check the mirrored port configuration.

Port-mirror:
----------------------------------------------------------------------
Mirror-port Direction Observe-port
----------------------------------------------------------------------
GigabitEthernet0/0/2 Inbound GigabitEthernet0/0/1
----------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
vlan 3
#
observe-port 1 interface GigabitEthernet0/0/1 vlan 2

#
port default vlan 3
port-mirroring to observe-port 1 inbound
#
return

#
sysname SwitchB
#
vlan batch 2
#
#
#
return

#
sysname SwitchC
#
vlan batch 2
#
port default vlan 2
#
#
return
10.6.3 Example for Configuring Local Traffic Mirroring
Users want to use the monitoring device (Server) to monitor packets with the 802.1p priority of
6 sent from HostA.
Figure 10-14 Networking diagram of local traffic mirroring

GE0/0/1 GE0/0/2
HostA SwitchA Server

1. Configure GigabitEthernet0/0/2 on SwitchA as the local observing port so that Server can
receive mirrored packets.
2. Configure a traffic classifier to match packets with the 802.1p priority of 6, and configure
a traffic behavior to mirror packets to the observing port.
3. Configure a traffic policy, bind the traffic classifier and traffic behavior to the traffic policy,
and apply the traffic policy on GigabitEthernet0/0/1.
Procedure
Step 1 Configure an observing port.
# Configure GigabitEthernet0/0/2 on SwitchA as the observing port.
Step 2 Configure a traffic classifier.

# Create a traffic classifier named c1 on SwitchA and set the traffic classification rule that only
packets with the 802.1p priority of 6 can be matched.

# Create a traffic behavior named b1 on SwitchA and configure it.
[SwitchA-behavior-b1] mirroring to observe-port 1
Step 4 Configure a traffic policy and apply the traffic policy to the interface.
# Create a traffic policy named p1 on SwitchA, bind the traffic classifier and traffic behavior to
the traffic policy, and apply the traffic policy to the inbound direction of GigabitEthernet0/0/1
to monitor packets with the 802.1p priority of 6 sent from HostA.
[SwitchA] traffic policy p1
[SwitchA-trafficpolicy-p1] quit
[SwitchA-GigabitEthernet0/0/1] traffic-policy p1 inbound
[SwitchA] quit

<SwitchA> display traffic classifier user-defined c1
Classifier: c1
Operator: AND

<SwitchA> display traffic policy user-defined p1
Policy: p1

Classifier: c1
Operator: AND
Behavior: b1
Mirroring to observe-port 1
----End
Configuration Files
#
sysname SwitchA
#
#
if-match 8021p 6
#
traffic behavior b1
mirroring to observe-port 1
#
traffic policy p1
#
#
return
10.6.4 Example for Configuring Local VLAN Mirroring
As shown in Figure 10-15, HostA and HostB are respectively connected to GigabitEthernet0/0/1
and GigabitEthernet0/0/2 on SwitchA, and HostA and HostB both belong to VLAN 10. Server
Users want to use the monitoring device (Server) to monitor packets sent from all active ports
in VLAN 10.
Figure 10-15 Networking diagram of local VLAN mirroring
HostA
GE0/0/1
GE0/0/3
Server
GE0/0/2
SwitchA
HostB

1. Configure GigabitEthernet0/0/3 on SwitchA as the observing port so that Server can receive
mirrored packets.
2. Configure VLAN 10 as the mirrored VLAN.
Procedure
Step 1 Configure VLANs for the ports.
[Switch] sysname SwitchA
[SwitchA] vlan 10
Step 2 Configure GigabitEthernet0/0/3 as the observing port.

Step 3 Configure VLAN 10 as the mirrored VLAN.

[SwitchA] vlan 10
[SwitchA-vlan10] mirroring to observe-port 1 inbound
Step 4 Checking the Configuration
# Run the display port-mirroring command to check the VLAN mirroring configuration.
Vlan-mirror:
----------------------------------------------------------------------
Mirror-vlan Direction Observe-port
----------------------------------------------------------------------
10 Inbound GigabitEthernet0/0/3
----------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
#
vlan 10
mirroring to observe-port 1 inbound
#
#


#
return
10.6.5 Example for Configuring Local MAC Address Mirroring
As shown in Figure 10-16, HostA and HostB are respectively connected to GigabitEthernet0/0/1
and GigabitEthernet0/0/2 on SwitchA, and HostA and HostB both belong to VLAN 10. Server
Users want to monitor incoming packets with the source or destination MAC address of
0001-0001-0001 sent from VLAN 10.
Figure 10-16 Networking diagram of local MAC address mirroring
HostA
GE0/0/1
GE0/0/3
Server
GE0/0/2
SwitchA
HostB
1. Configure GigabitEthernet0/0/3 on SwitchA as the observing port so that Server can receive
mirrored packets.
2. Configure MAC address mirroring in VLAN 10 view.
Procedure
Step 1 Configure VLANs for the ports.
[Switch] sysname SwitchA
[SwitchA] vlan 10
Step 2 Configure GigabitEthernet0/0/3 as the observing port.

Step 3 Configure MAC address mirroring.

[SwitchA] vlan 10
[SwitchA-vlan10] mac-mirroring 0001-0001-0001 to observe-port 1 inbound
Step 4 Checking the Configuration

# Run the display port-mirroring command to check the MAC address mirroring configuration.
[SwitchA] display port-mirroring
Mac-mirror:
----------------------------------------------------------------------
Mirror-mac Vlan Direction Observe-port
----------------------------------------------------------------------
0001-0001-0001 10 Inbound GigabitEthernet0/0/3
----------------------------------------------------------------------
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
#
vlan 10
mac-mirroring 0001-0001-0001 to observe-port 1 inbound
#
#
#
return
10.7 PoE Configuration

PDs, such as wireless telephones and APs, are provided with power when the devices are
configured with PoE.
10.7.1 Example for Configuring PoE

Figure 10-17 shows that switches are deployed at the access layer on the network. The IP phone
connected to the switch is deployed outdoors and the AP is deployed on the external wall of the
office. It is difficult to connect power supplies to these devices. The user wants the switch to
provide power for these devices and save the deployment costs.
As the office network of a bank, AP1 cannot be powered off and should be configured with the
highest power supply priority. IP Phone1 with a large amount of services need to obtain power
supply with high priority and generally cannot be powered off.

Figure 10-17 Networking diagram of the PoE application
Switch
GE0/0/1 GE0/0/2
GE0/0/3 GE0/0/4
IP Phone1 AP1
IP Phone2 AP2
The switch supporting PoE and installed with the PoE power supply is required.
1. Configure the power management mode as automatic mode so that PDs can be flexibly
managed.
2. Configure the power supply priority on GigabitEthernet0/0/2 and GigabitEthernet0/0/1 so
that AP1 and IP phone1 are provided with power preferentially.
3. Configure the maximum output power on GigabitEthernet0/0/1, GigabitEthernet0/0/3, and
GigabitEthernet0/0/2 to limit the power of the corresponding interface and ensure security
of the device.
Procedure
Step 1 Configure the power management mode of the device as automatic mode.
[HUAWEI] poe power-management auto
Step 2 Configure the maximum output power on GigabitEthernet0/0/1, GigabitEthernet0/0/3, and

GigabitEthernet0/0/2 as 15 W, 15 W, and 20 W respectively.
[HUAWEI-GigabitEthernet0/0/1] poe power 15000
NOTE
On the device, the unit of the output power is mW.
Step 3 Configure the power supply priority on GigabitEthernet0/0/2 as critical.


[HUAWEI-GigabitEthernet0/0/2] poe priority critical
Step 4 Configure the power supply priority on GigabitEthernet0/0/1 as high.

[HUAWEI-GigabitEthernet0/0/1] poe priority high

# Display the PoE power supply status of the interface on the device.
[HUAWEI] display poe power-state
PORTNAME POWERON/OFF ENABLED PRIORITY STATUS
--------------------------------------------------------------------------------
GigabitEthernet0/0/1 on enable high Powered
GigabitEthernet0/0/2 on enable Critical Powered
GigabitEthernet0/0/3 on enable Low Powered
GigabitEthernet0/0/4 on enable Low Powered
GigabitEthernet0/0/5 off enable Low Detecting
----End
Configuration Files
#
poe priority high
poe power 15000
#
poe priority critical
poe power 20000
#
poe power 15000
#
return
10.8 iStack Configuration

Multiple switches set up an intelligent stack (iStack) to improve data forwarding capabilities
and network reliability.

10.8.1 Example for Configuring the iStack Function
As shown in Figure 10-18, SwitchA, SwitchB, SwitchC, and SwitchD form a ring stack.
As the network size rapidly increases, the number of access interfaces provided by an access
switch needs to be increased, and the network must be easy to manage and maintain. However,
a single access switch cannot meet these requirements.
In this example, service ports on the S5300LI are used to form a stack.
Figure 10-18 Configuring a stack
SwitchA SwitchB
GE0/0/28
GE0/0/27
GE0/0/27 GE0/0/28
GE0/0/28 GE0/0/27
GE0/0/27
SwitchC SwitchD
GE0/0/28
iStack link
common link
1. Configure physical member ports and add them to a stack port to implement data packet
forwarding. Two physical member ports connected by a stack cable must be added to
different stack ports.
2. Power off all the member switches, connect the switches with SFP+ stack cables according
to Figure 10-18, and then power on the switches.
Procedure
Step 1 Configure stack ports.
# Configure service ports GigabitEthernet0/0/27 and GigabitEthernet0/0/28 on SwitchA as

physical member ports and add them to a stack port.
[SwitchA] interface stack-port 0/1
[SwitchA-stack-port0/1] port interface gigabitethernet 0/0/27 enable

Warning: Enabling stack port cause configuration loss on the interface, continue?[Y/
N]:y
Info: This operation may take a few seconds. Please wait for a moment.......
[SwitchA-stack-port0/1] quit
[SwitchA] interface stack-port 0/2
[SwitchA-stack-port0/2] port interface gigabitethernet 0/0/28 enable
N]:y
[SwitchA-stack-port0/2] quit
# Configure service ports GigabitEthernet0/0/27 and GigabitEthernet0/0/28 on SwitchB as

[SwitchB] interface stack-port 0/1
[SwitchB-stack-port0/1] port interface gigabitethernet 0/0/27 enable
N]:y
[SwitchB-stack-port0/1] quit
[SwitchB] interface stack-port 0/2
[SwitchB-stack-port0/2] port interface gigabitethernet 0/0/28 enable
N]:y
[SwitchB-stack-port0/2] quit
# Configure service ports GigabitEthernet0/0/27 and GigabitEthernet0/0/28 on SwitchC as

[SwitchC] interface stack-port 0/1
[SwitchC-stack-port0/1] port interface gigabitethernet 0/0/27 enable
N]:y
[SwitchC-stack-port0/1] quit
[SwitchC] interface stack-port 0/2
[SwitchC-stack-port0/2] port interface gigabitethernet 0/0/28 enable
N]:y
[SwitchC-stack-port0/2] quit
# Configure service ports GigabitEthernet0/0/27 and GigabitEthernet0/0/28 on SwitchD as

[SwitchD] interface stack-port 0/1
[SwitchD-stack-port0/1] port interface gigabitethernet 0/0/27 enable
N]:y
[SwitchD-stack-port0/1] quit
[SwitchD] interface stack-port 0/2
[SwitchD-stack-port0/2] port interface gigabitethernet 0/0/28 enable
N]:y
[SwitchD-stack-port0/2] quit
Step 2 Configure stack IDs and stack priorities.

# Set the stack priority of SwitchA to 200.

[SwitchA] stack slot 0 priority 200
Warning:Please do not frequently modify Priority, it will make the stack split!
continue?[Y/N]:y
# Set the stack ID of SwitchB to 1.

[SwitchB] stack slot 0 renumber 1
Warning: All the configurations related to the slot ID will be lost after the slot
ID is modified.
Please do not frequently modify slot ID, it will make the stack split. Continue?[Y/
N]:y
Info: Stack configuration has been changed, need reboot to take effect.
# Set the stack ID of SwitchC to 2.

[SwitchC] stack slot 0 renumber 2
ID is modified.
N]:y
# Set the stack ID of SwitchD to 3.

[SwitchD] stack slot 0 renumber 3
ID is modified.
N]:y
Step 3 Power off SwitchA, SwitchB, SwitchC, and SwitchD, connect physical member ports on the
switches with SFP+ stack cables, and then power on the switches.
NOTE
l stack-port 0/1 of one device must be connected to stack-port 0/2 of a neighboring device. Otherwise,
the stack cannot be set up.
l Before powering off a switch, run the save command to save the configuration.
l To ensure that the switches can set up a stack successfully, follow these instructions to connect stack
cables and power on the switches:
1. Power off switches A to D.
2. Connect SwitchA and SwitchB with stack cables.
3. Power on SwitchA and then SwitchB.
4. Connect SwitchD and SwitchB with stack cables, and then power on SwitchD. Connect SwitchC
to SwitchA and SwitchD with stack cables, and then power on SwitchC.
NOTE
To specify a member switch as the master switch, power on the switch first. In this example,
SwitchA becomes the master switch after you complete the preceding operations.

# Check stack information.
<SwitchA> display stack
Stack topology type : Ring
Stack system MAC:0018-82d2-2e85
MAC switch delay time: 10 min
Stack reserved vlan : 4093
Slot of the active management port: --
Slot Role Mac address Priority Device type

-------------------------------------------------------------
0 Master 0018-82d2-2e85 200 S5300-28P-LI-AC
1 Standby 0018-82c6-1f44 100 S5300-28P-LI-AC
2 Slave 0018-82c6-1f4c 100 S5300-28P-LI-AC
3 Slave 0018-82b1-6eb8 100 S5300-28P-LI-AC
----End
Configuration File
None
10.8.2 Example for Configuring MAD in Direct Mode
As shown in Figure 10-19, SwitchA and SwitchB form a stack. The stack IDs of SwitchA and
SwitchB are 0 and 1 respectively.
To ensure stack reliability, MAD in direct mode needs to be configured on GigabitEthernet0/0/5

and GigabitEthernet1/0/5. When the stack splits because of a stack link fault and there are two
devices with the same configuration on the network, you can use MAD to reduce the impact of
a stack split on the network.
Figure 10-19 Networking diagram of MAD in direct mode
Network
SwitchC
iStack
GE0/0/5 GE1/0/5
SwitchA SwitchB
MAD Link
iStack Link
Common Link

1. Configure MAD in direct mode on specified interfaces.
Procedure
Step 1 Configure MAD on interfaces.
# Configure MAD in direct mode on GigabitEthernet0/0/5.

[HUAWEI-GigabitEthernet0/0/5] mad detect mode direct
Warning: This command will block the port, and no other configuration running on
this port is recommended. Continue?[Y/N]:y
# Configure MAD in direct mode on GigabitEthernet1/0/5.

[HUAWEI-GigabitEthernet1/0/5] mad detect mode direct
Warning: This command will block the port, and no other configuration running on
this port is recommended. Continue?[Y/N]:y
# Check detailed MAD configuration of the stack.

<HUAWEI> display mad verbose
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
Mad relay detect interfaces configured:
Excluded ports(configurable):
Excluded ports(can not be configured):
----End
Configuration File
l Configuration file of the stack
#
mad detect mode direct
#
mad detect mode direct
#
return

10.8.3 Example for Configuring MAD in Relay Mode
As shown in Figure 10-20, SwitchA, SwitchB and SwitchC form a stack. SwitchA, SwitchB
and SwitchC connect to SwitchD using Eth-Trunk1.
When the stack splits because of a stack link fault and there are two devices with the same
configuration on the network, you can use MAD to reduce the impact of a stack split on the
network.
Figure 10-20 Networking diagram of MAD in relay mode
Network
SwitchD
GE0/0/1 GE0/0/3
GE0/0/2
Eth-Trunk1
GE0/0/5 iStack GE1/0/5 GE2/0/5

MAD Link
iStack Link
Common Link
1. Configure MAD in relay mode on a specified Eth-Trunk interface.

2. Configure the relay function on the proxy device to allow the proxy device to forward
MAD protocol packets.

Procedure
Step 1 Configure MAD.
# Configure MAD in relay mode.

[HUAWEI] interface eth-trunk 1
[HUAWEI-Eth-Trunk1] mad detect mode relay
[HUAWEI-Eth-Trunk1] quit
Step 2 Configure the relay function.
# Configure the relay function on proxy device SwitchD.

[SwitchD] interface eth-trunk 1
[SwitchD-Eth-Trunk1] mad relay
[SwitchD-Eth-Trunk1] quit
[SwitchD-GigabitEthernet0/0/1] eth-trunk 1
# Check detailed MAD configuration of the stack.

<HUAWEI> display mad verbose
Current MAD domain: 0
Current MAD status: Detect
Mad direct detect interfaces configured:
Mad relay detect interfaces configured:
Eth-Trunk1
Excluded ports(configurable):
Excluded ports(can not be configured):
# Check information about the proxy device SwitchD.

<SwitchD> display mad proxy
Mad relay interfaces configured:
Eth-Trunk1
----End

Configuration File
l Configuration file of the stack
#
mad detect mode relay
#
interface
eth-trunk 1
#
interface
eth-trunk 1
#
interface
eth-trunk 1
#
return

#
sysname SwitchD
#
mad relay
#
interface
eth-trunk 1
#
interface
eth-trunk 1
#
interface
eth-trunk 1
#
return
10.9 Configuring a Monitoring Interface

You can configure a monitoring interface to monitor the usage environment of the device,
facilitating the maintenance of the device.
10.9.1 Example for Configuring a Monitoring Interface
As shown in Figure 10-21, Switch functions as a corridor switch and is deployed in a distant
chassis with a backup power supply inside.Switch Input line 1 and input line 2 are connected to
the cabinet door and backup power supply respectively. Output line 1 and output line 2 are
connected to two audible and visual trap devices.Switch The device connects to the NMS, and
there is a reachable route between the device and the NMS.
Users want the audible and visual trap device to monitor the status of the cabinet door and backup
power supply and send an alarm to the NMS when a fault occurs.

Figure 10-21 Networking diagram for configuring a monitoring interface
Switch
Audible and
Network visual trap
device
NMS
Backup
Cabinet power
door supply
1. Configure the device to send trap messages to the NMS station so that the NMS can receive
trap messages from the Switch.
2. Configure input lines to enable the device to monitor input lines 1 and 2.
3. Configure the output lines to associate output line 1 with input line 1 and output line 2 to
input line 2.
Procedure
Step 1 For details about the configuration, see 11.1 SNMP Configuration in the
S2350&S5300&S6300 Series Ethernet Switches Configuration Guide - Network Management.
Step 2 Configuring an input line
# Enable the monitoring function on input lines 1 to 2.

[HUAWEI] monitor input 1 enable
[HUAWEI] monitor input 2 enable
# Configure the names of input lines 1 to 2 as input1 and input2 and the normal level as high
level.
[HUAWEI] monitor input 1 name input1 normal-state high-level
[HUAWEI] monitor input 2 name input2 normal-state high-level
Step 3 Configuring an output line
# Associate output line 1 with output line 1. When the input line 1 fails, the indicator on input
line 1 is on.
[HUAWEI] monitor output 1
[HUAWEI-monitor-output1] rule 1 match-input 1000 key 1000
[HUAWEI-monitor-output1] quit
# Associate output line 2 with output line 2. When the input line 2 fails, the indicator on input
line 2 is on.

[HUAWEI] monitor output 2

[HUAWEI-monitor-output2] rule 1 match-input 0100 key 0100
[HUAWEI-monitor-output2] quit
# Check whether the configuration takes effect through audible and visual trap devices.
l When input line 1 changes from high level to low level, the trap indicating that input line 1
is abnormal is generated and the indicator of output line 1 is on.
l When input line 2 changes from high level to low level, the trap indicating that input line 2
is abnormal is generated and the indicator of output line 2 is on.
----End
Configuration File
l Switch configurations files
#
monitor input 1 enable
monitor input 1 name input1 normal-state high-level
monitor input 2 enable
monitor input 2 name input2 normal-state high-level
#
monitor output 1
rule 1 match-input 1000 key 1000
#
monitor output 2
rule 1 match-input 0100 key 0100
#
return

Typical Configuration Examples 11 Network Management
11 Network Management
About This Chapter
This document describes procedures and provides examples for configuring the Device
Management features of the device.
11.1 SNMP Configuration
SNMP is a standard network management protocol widely used on TCP/IP networks. It uses a
central computer (a network management station) that runs network management software to
manage network elements. There are three SNMP versions, SNMPv1, SNMPv2c, and SNMPv3.
You can choose to configure one or more versions if needed.
11.2 RMON Configuration
Remote Network Monitoring (RMON), defined by IETF, is a widely used network management
protocol. It provides packet statistics and alarm functions for Ethernet interfaces. The
management devices use RMON to remotely monitor and manage network elements.
11.3 NTP Configuration
Network Time Protocol (NTP) synchronizes time among a set of distributed time servers and
clients.
11.4 Ping and Tracert Configuration
You can use the ping command to check network connectivity, and the tracert command to
check the path from the source to the destination and to locate faults on the network.
11.5 NQA Configuration
This chapter describes how to configure the Network Quality Analysis (NQA) to monitor the
network operating status and collect network operation indexes in real time.
11.6 LLDP Configuration
The Link Layer Discovery Protocol (LLDP) allows you to obtain details about the network
topology, changes in the topology, and detect incorrect configurations on the network.
11.7 sFlow Overview
This section describes how to configure Sampled Flow (sFlow) to monitor traffic on an interface
in real time, detect abnormal traffic, and locate the source of attack traffic, ensuring stable
running of the network.
11.8 Packet Capture Configuration

This section describes the concept and configuration of the packet capture function and provides

11.1 SNMP Configuration

SNMP is a standard network management protocol widely used on TCP/IP networks. It uses a
central computer (a network management station) that runs network management software to
manage network elements. There are three SNMP versions, SNMPv1, SNMPv2c, and SNMPv3.
You can choose to configure one or more versions if needed.
11.1.1 Example for Configuring a Switch to Communicate with

NMSs Using SNMPv1
As shown in Figure 11-1, NMS1 and MNS2 manage devices on the network. Because network
is small and secure, devices on the network use SNMPv1 to communicate with the NMSs.
A new switch is deployed on the network and needs to be managed by an NMS. Users want to
manage the switch using existing network resources and hope that faults on the switch can be
quickly identified and rectified. To meet service requirements, the NMS must manage MIB
objects except ISIS objects of the switch.
Figure 11-1 Communication between a switch and NMS using SNMPv1
NMS1
1.1.1.1/24 GE0/0/1
IP Network 1.1.2.1/24
Switch
NMS2
1.1.1.2/24
Because the network is small and secure, the new switch can use SNMPv1 to communicate with
the NMSs. To reduce loads on the NMSs, configure NMS2 to manage the switch and NMS1 not
to manage the switch.
1. Set the SNMP version on the switch to SNMPv1.

2. Configure the access right to enable NMS2 to manage MIB objects except ISIS objects on
the switch.

3. Configure the trap function on the switch so that the switch can send traps to NMS2. To
help quickly identify faults according to trap messages and reduce useless traps, configure
the switch to send only the traps of the modules enabled by default.
4. Configure NMS2.
Procedure
Step 1 Configure an IP address for the interface of switch.
# Configure an IP address for the interface of switch according to Figure 11-1.

[HUAWEI] vlan 100
Step 2 Configure routing function to ensure reachable routes between switch and NMS2.
[HUAWEI] ospf
[HUAWEI-ospf-1] area 0
[HUAWEI-ospf-1-area-0.0.0.0] network 1.1.2.0 0.0.0.255
[HUAWEI-ospf-1-area-0.0.0.0] quit
[HUAWEI-ospf-1] quit
Step 3 Set the SNMP version on the switch to SNMPv1.

[HUAWEI] snmp-agent sys-info version v1
Step 4 Set the access right for the NMSs.
# Configure an ACL that allows NMS2 to manage the switch and prevents NMS1 from managing
the switch.
[HUAWEI] acl 2001
[HUAWEI-acl-basic-2001] rule 5 permit source 1.1.1.2 0.0.0.0
[HUAWEI-acl-basic-2001] rule 6 deny source 1.1.1.1 0.0.0.0
# Configure the MIB view to allow NMS2 to manage objects except ISIS objects on the
switch.
[HUAWEI] snmp-agent mib-view excluded allextisis 1.3.6.1.3.37
# Configure a community name and reference the ACL and MIB view for the community.
[HUAWEI] snmp-agent community write adminnms2 mib-view allextisis acl 2001
Step 5 Configure the trap function.

[HUAWEI] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname
adminnms2
Step 6 Configure NMS2.
You must set a read-write community name for an NMS running SNMPv1. For details about
the NMS configuration, see the manual of the NMS.

NOTE
The authentication parameter configuration on the NMS must be the same as that on the switch. Otherwise,
the NMS cannot manage the switch.

After completing the configuration, run the following commands to verify that the configurations
have taken effect.
# View the SNMP version.
[HUAWEI] display snmp-agent sys-info version
SNMP version running in the system:
SNMPv1 SNMPv3

Basic ACL 2001, 2 rules
Acl's step is 5
rule 5 permit source 1.1.1.2 0 (match-counter 0)
rule 6 deny source 1.1.1.1 0 (match-counter 0)
# View the MIB view.

[HUAWEI] display snmp-agent mib-view viewname allextisis
View name:allextisis
MIB Subtree:isisMIB
Subtree mask:FC
(Hex)
Storage-type: nonVolatile
View Type:excluded
View status:active
# View the configuration of the target host used to receive traps.

[HUAWEI] display snmp-agent target-host
Target-host NO. 1
-----------------------------------------------------------
VPN instance : -
Security name : %$%$n]*J3"Itf@UrL2"B%`$SdrO;%$%
$
Port : 162
Type : trap
Version : v1
NMS type : NMS
With ext-vb : No
-----------------------------------------------------------
----End
Configuration Files
#
vlan batch 100
#
acl number 2001
#

interface Vlanif100
ip address 1.1.2.1 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 1.1.2.0 0.0.0.255
#
snmp-agent
snmp-agent local-engineid 800007DB03360102101100
snmp-agent community write cipher %$%$`^G,*3SqwTbh0j/Q,1()v!ul%$%$ mib-view
allextisis acl 2001
snmp-agent sys-info version v1 v3
snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname cipher %
$%$n]*J3"Itf@UrL2"B%`$SdrO;%$%$
snmp-agent mib-view excluded allextisis isisMIB
#
return
11.1.2 Example for Configuring a Switch to Communicate with an

NMS Using SNMPv2c
As shown in Figure 11-2, NMS1 and MNS2 manage devices on the network. The network is
large and secure but the service traffic volume on the network is high. Therefore, devices on the
network use SNMPv2c to communicate with the NMSs. A new switch is deployed on the
network and needs to be managed by an NMS.
Users want to manage the switch using existing network resources and hope that faults on the
switch can be quickly identified and rectified. To meet service requirements, the NMS must
manage MIB objects except ISIS objects of the switch.
Figure 11-2 Communication between a and NMS using SNMPv2c
NMS1
1.1.1.1/24 GE0/0/1
Switch
NMS2
1.1.1.2/24

The network is large and secure but the service traffic volume on the network is high. Therefore,
the new switch still uses SNMPv2c. To reduce loads on the NMSs, configure NMS2 to manage
the switch and NMS1 not to manage the switch.
1. Set the SNMP version on the switch to SNMPv2c.

the switch.
3. Configure the inform function on the switch so that the switch can send informs to NMS2.
To help quickly identify faults according to trap messages and reduce useless traps,
configure the switch to send only the traps of the modules enabled by default.
4. Configure NMS2.
Procedure

[HUAWEI] vlan 100
[HUAWEI] ospf
Step 3 Set the SNMP version on the switch to SNMPv2c.

[HUAWEI] snmp-agent sys-info version v2c
the switch.
[HUAWEI] acl 2001
# Configure the MIB view to allow NMS2 to manage objects except ISIS objects on the
switch.
[HUAWEI] snmp-agent mib-view excluded allextisis 1.3.6.1.3.37
# Configure a community name and reference the ACL and MIB view for the community.

[HUAWEI] snmp-agent community write adminnms2 mib-view allextisis acl 2001
Step 5 Configure the inform function.

[HUAWEI] snmp-agent target-host inform address udp-domain 1.1.1.2 params
securityname adminnms2 v2c
[HUAWEI] snmp-agent inform timeout 5 resend-times 6 pending 7
You must set a read-write community name for an NMS running SNMPv2c. For details about
the NMS configuration, see the manual of the NMS.
NOTE
have taken effect.

SNMPv2c SNMPv3

Acl's step is 5

MIB Subtree:isisMIB
Subtree mask:FC
(Hex)
View Type:excluded
View status:active

Target-host NO. 1
-----------------------------------------------------------
VPN instance : -
Security name : %$%${jI1DLx8W>ZDMs-]i#^Cd"NG%$%$
Port : 162
Type : inform
Version : v2c
NMS type : NMS
With ext-vb : No
-----------------------------------------------------------
----End

Configuration Files
#
vlan batch 100
#
acl number 2001
#
interface Vlanif100
ip address 1.1.2.1 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 1.1.2.0 0.0.0.255
#
snmp-agent
snmp-agent community write cipher %$%$o<0)+Puf0Bl,fq);94]Nv`WN%$%$ mib-view
allextisis acl 2001
snmp-agent sys-info version v2c v3
snmp-agent target-host inform address udp-domain 1.1.1.2 params securityname cipher
%$%${jI1DLx8W>ZDMs-]i#^Cd"NG%$%$ v2c
snmp-agent inform timeout 5
snmp-agent inform resend-times 6
snmp-agent inform pending 7
#
return
11.1.3 Example for Configuring a Switch to Communicate with an

NMS Using SNMPv3
As shown in Figure 11-3, NMS1 and MNS2 manage devices on the network. The network is
large and insecure. Therefore, devices on the network use SNMPv3 to communicate with the
NMSs, and authentication and encryption are configured to enhance security. A new switch is
deployed on the network and needs to be managed by an NMS.
Users want to manage the switch using existing network resources and hope that faults on the
switch can be quickly identified and rectified. To meet service requirements, the NMS must
manage MIB objects except ISIS objects of the switch.

Figure 11-3 Communication between a switch and NMS using SNMPv3
NMS1
1.1.1.1/24 GE0/0/1
Switch
NMS2
1.1.1.2/24
Because the network is large and insecure, the new still uses SNMPv3. To reduce loads on the
NMSs, configure NMS2 to manage the switch and NMS1 not to manage the switch.
1. Set the SNMP version on the switch to SNMPv3.

the switch.
3. Configure the trap function on the switch so that the switch can send traps to NMS2. To
help quickly identify faults according to trap messages and reduce useless traps, configure
the switch to send only the traps of the modules enabled by default.
4. Configure administrator contact information on the switch so that users can contact the
administrator quickly when a fault occurs on the switch.
5. Configure NMS2.
Procedure

[HUAWEI] vlan 100
[HUAWEI] ospf

Step 3 Set the SNMP version on the switch to SNMPv3.

[HUAWEI] snmp-agent sys-info version v3
the switch.
[HUAWEI] acl 2001
# Configure the MIB view.

[HUAWEI] snmp-agent mib-view excluded allextisis 1.3.6.1.4.1.2011.6.7
# Configure a user group and a user. Configure authentication and encryption for data of the
user.
[HUAWEI] snmp-agent usm-user v3 nms2-admin group admin
[HUAWEI] snmp-agent usm-user v3 nms2-admin authentication-mode md5
Please configure the authentication password (8-64)
Enter Password:
Confirm Password:
[HUAWEI] snmp-agent usm-user v3 nms2-admin privacy-mode aes128
Please configure the privacy password (8-64)
Enter Password:
Confirm Password:
[HUAWEI]
[HUAWEI] snmp-agent group v3 admin privacy write-view allextisis acl 2001
Step 5 Configure the trap function.

[HUAWEI] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname
nms2-admin v3 privacy
Step 6 Configure the administrator contact information.

[HUAWEI] snmp-agent sys-info contact call Operator at 010-12345678
On an NMS running SNMPv3, you must set a user name and select a security level. Then set
the authentication mode, authentication password, encryption mode, and encryption key
according to the security level you select. For details about the NMS configuration, see the
manual of the NMS.
NOTE
have taken effect.

SNMPv3

# View user group information.

[HUAWEI] display snmp-agent group admin
Group name: admin
Security model: v3 AuthPriv
Readview: ViewDefault
Writeview: allextisis
Notifyview :<no specified>
Acl:2001
# View user information.

[HUAWEI] display snmp-agent usm-user
User name: nms2-admin
Engine ID: 800007DB0300259E0370C3 active

Acl's step is 5

MIB Subtree:isisMIB
Subtree mask:FC
(Hex)
View Type:excluded
View status:active

Target-host NO. 1
-----------------------------------------------------------
VPN instance : -
Security name : nms2-admin
Port : 162
Type : trap
Version : v3
Level : Privacy
NMS type : NMS
With ext-vb : No
-----------------------------------------------------------
# View the administrator contact information.

[HUAWEI] display snmp-agent sys-info contact
The contact person for this managed node:
call Operator at 010-12345678
----End
Configuration Files
#
vlan batch 100

#
acl number 2001
#
interface Vlanif100
ip address 1.1.2.1 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 1.1.2.0 0.0.0.255
#
snmp-agent
snmp-agent local-engineid 800007DB0300259E0370C3
snmp-agent sys-info contact call Operator at 010-12345678
snmp-agent sys-info version v3
snmp-agent group v3 admin privacy write-view allextisis acl 2001
snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname nms2-
admin v3 privacy
snmp-agent usm-user v3 nms2-admin group admin
snmp-agent usm-user v3 nms2-admin authentication-mode md5 cipher %@%@cDjJA|yOjEak%
@M]MO~Rh';<%@%@
snmp-agent usm-user v3 nms2-admin privacy-mode aes128 cipher %@%@Adem8-N9(H/
*WOE2,IIQh'Nw%@%@
#
return
11.2 RMON Configuration

Remote Network Monitoring (RMON), defined by IETF, is a widely used network management
protocol. It provides packet statistics and alarm functions for Ethernet interfaces. The
management devices use RMON to remotely monitor and manage network elements.
11.2.1 Example for Configuring RMON
As shown in Figure 11-4, a subnet connects to the network through GE0/0/1. The NMS monitors
the subnet, including:
l Collecting real-time and history statistics on traffic and each type of packets
l Recording logs when the traffic volume per minute exceeds the threshold
l Monitoring broadcast and multicast traffic volume on the subnet and reporting alarm to the
NMS when the traffic volume exceeds the threshold

Figure 11-4 Networking diagram of RMON configuration
GE0/0/2 GE0/0/1
IP VLANIF20 VLANIF30
Network 20.20.20.1/24 30.30.30.1/24
NMS Switch
10.10.10.1/24
To collect real-time and history statistics on traffic and each type of packets, configure the
RMON statistics function. You can configure the RMON alarm function to enable the device
record logs and report alarms to the NMS when the traffic volume exceeds the threshold.
1. Configure IP addresses for switch interfaces.

2. Configure a reachable route between the switch and NMS.
3. Configure basic SNMP functions and enable the switch to send traps to the NMS.
4. Enable RMON statistics function and configure the statistics table and history control table.
5. Configure the event table, alarm table, and extended alarm table.
Procedure
Step 1 Configure IP addresses for switch interfaces.
[Switch]vlan batch 20 30
[Switch]interface gigabitethernet 0/0/1
[Switch-GigabitEthernet0/0/1]port hybrid pvid vlan 30
[Switch-GigabitEthernet0/0/1]port hybrid untagged vlan 30
[Switch-GigabitEthernet0/0/1]quit
[Switch]interface gigabitethernet 0/0/2
[Switch-GigabitEthernet0/0/2]port hybrid pvid vlan 20
[Switch-GigabitEthernet0/0/2]port hybrid untagged vlan 20
[Switch-GigabitEthernet0/0/2]quit
Step 2 Configure a reachable route between the switch and NMS.

[Switch] ospf
[Switch-ospf-1] area 0
[Switch-ospf-1-area-0.0.0.0] network 20.20.20.0 0.0.0.255
[Switch-ospf-1-area-0.0.0.0] network 30.30.30.0 0.0.0.255
[Switch-ospf-1-area-0.0.0.0] quit
[Switch-ospf-1] quit
Step 3 Configure basic SNMP functions and enable the switch to send traps to the NMS.
# Configure SNMPv3 on the switch. Configure an SNMP user group admin and add a user nms-
admin to the user group.

[Switch]snmp-agent group v3 admin

[Switch]snmp-agent usm-user v3 nms-admin admin
# Enable SNMP to send traps.

[Switch] snmp-agent trap enable
# Specify the NMS that receives the traps.

[Switch] snmp-agent target-host trap address udp-domain 10.10.10.1 params
securityname nms-admin v3
Step 4 Configure RMON statistics function.

# Enable the RMON statistics function on the interface.
[Switch-GigabitEthernet0/0/1] rmon-statistics enable
# Configure the statistics table.
NOTE
The interface enabled with the statistics function cannot be added to an Eth-Trunk.
[Switch-GigabitEthernet0/0/1] rmon statistics 1 owner Test300
# Configure the history control table. Sample traffic on the subnet every 30 seconds and save
the latest 10 records
[Switch-GigabitEthernet0/0/1] rmon history 1 buckets 10 interval 30 owner Test300
Step 5 Configure RMON alarm function.

# Configure the event table. Configure the switch to record logs for RMON event 1 and send
traps to the NMS for RMON event 2.
[Switch] rmon event 1 log owner Test300
[Switch] rmon event 2 description forUseofPrialarm trap public owner Test300
# Configure the alarm table. Set the sampling interval and the threshold for triggering event 1
(OID is 1.3.6.1.2.1.16.1.1.1.6.1).
[Switch] rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.1 30 absolute rising-threshold 500 1
falling-threshold 100 1 owner Test300
# Configure the extended alarm table. Sample broadcast and multicast packets every 30 seconds.
When the number of sampled packets exceeds 1000 or decreases to 0, event 2 is triggered. That
is, the device sends a trap to the NMS.
[Switch] rmon prialarm 1 .1.3.6.1.2.1.16.1.1.1.6.1+.1.3.6.1.2.1.16.1.1.1.7.1
sumofbroadandmulti 30 delta rising-threshold 1000 2 falling-threshold 0 2 entrytype
forever owner Test300

# View traffic volume on the subnet.
[Switch] display rmon statistics gigabitethernet 0/0/1
Statistics entry 1 owned by Test300 is VALID.
Interface : GigabitEthernet0/0/1<ifEntry.58>
Received :
octets :142915224 , packets :1749151
broadcast packets :11603 , multicast packets:756252
undersize packets :0 , oversize packets:0
fragments packets :0 , jabbers packets :0

CRC alignment errors:0 , collisions :0

Dropped packet (insufficient resources):1795
Packets received according to length (octets):
64 :150183 , 65-127 :150183 , 128-255 :1383
256-511:3698 , 512-1023:0 , 1024-1518:0
# View the sampling records.

[Switch] display rmon history gigabitethernet 0/0/1
History control entry 1 owned by Test300 is VALID
Samples interface :GigabitEthernet0/0/1<ifEntry.58>
Sampling interval : 30(sec) with 10 buckets max
Last Sampling time : 0days 22h:42m:56s.01th
Latest sampled values :
octets :74539 , packets :966
broadcast packets :1 , multicast packets :36
undersize packets :0 , oversize packets :0
CRC alignment errors :0 , collisions :0
Dropped packet: :0 , utilization :0
History record:
Record No.1 (Sample time: 0days 22h:40m:56s.50th)
octets :73926 , packets :963
broadcast packets :0 , multicast packets :36
undersize packets :0 , oversize packets :0
CRC alignment errors :0 , collisions :0
Dropped packet: :0 , utilization :0
# View the RMON event configurations.

[Switch] display rmon event
Event table 1 owned by Test300 is VALID.
Description: null.
Will cause log when triggered, last triggered at 0days 00h:24m:10s.05th.
Description: forUseofPrialarm.
Will cause snmp-trap when triggered, last triggered at 0days 00h:26m:10s.05th.
# View the RMON alarm configurations.

[Switch] display rmon alarm 1
Alarm table 1 owned by Test300 is VALID.
Samples absolute value : 1.3.6.1.2.1.16.1.1.1.6.1 <etherStatsBroadcastPkts.1>
Sampling interval : 30(sec)
Rising threshold : 500(linked with event 1)
Falling threshold : 100(linked with event 1)
When startup enables : risingOrFallingAlarm
Latest value : 1975
# View the RMON extended alarm configurations.

[Switch] display rmon prialarm 1
Prialarm table 1 owned by Test300 is VALID.
Samples delta value : .1.3.6.1.2.1.16.1.1.1.6.1+.1.3.6.1.2.1.16.1.1.1.7.1
Sampling interval : 30(sec)
Rising threshold : 1000(linked with event 2)
Falling threshold : 0(linked with event 2)
When startup enables : risingOrFallingAlarm
This entry will exist : forever
Latest value : 16
# View the event logs.

[Switch] display rmon eventlog
Generates eventLog 1.1 at 0days 00h:39m:30s.01th.

Description: The 1.3.6.1.2.1.16.1.1.1.6.1 defined in alarm table 1,

less than or equal to 100 with alarm value 0. Alarm sample type is absolute.
----End
Configuration Files
#
sysname Switch
#
vlan batch 20 30
#
interface Vlanif20
ip address 20.20.20.1 255.255.255.0
#
interface Vlanif30
ip address 30.30.30.1 255.255.255.0
#
rmon-statistics enable
rmon statistics 1 owner Test300
rmon history 1 buckets 10 interval 30 owner Test300
#
#
rmon event 1 description null log owner Test300
rmon event 2 description forUseofPrialarm trap public owner Test300
rmon alarm 1 1.3.6.1.2.1.16.1.1.1.6.1 30 absolute rising-threshold 500 1 falling-
threshold 100 1 owner Test300
rmon prialarm 1 .1.3.6.1.2.1.16.1.1.1.6.1+.1.3.6.1.2.1.16.1.1.1.7.1
sumofbroadandmulti 30 delta rising-threshold 1000 2 falling-threshold 0 2 entrytype
forever owner Test300
#
ospf 1
area 0.0.0.0
network 20.20.20.0 0.0.0.255
network 30.30.30.0 0.0.0.255
#
snmp-agent
snmp-agent local-engineid 800007DB0300259EFBBE78
snmp-agent group v3 admin
snmp-agent target-host trap address udp-domain 10.10.10.1 params securityname nms-
admin v3
snmp-agent usm-user v3 nms-admin admin
#
return
11.3 NTP Configuration

Network Time Protocol (NTP) synchronizes time among a set of distributed time servers and
clients.

11.3.1 Example for Configuring Authenticated NTP Unicast Server/

Client Mode
As shown in Figure 11-5, SwitchB, SwitchC, and SwitchD are on a local area network (LAN),
and are connected to SwitchA through a network. SwitchA has synchronized its clock to an
authoritative clock, the Global Positioning System (GPS).
As is required by the user, the three devices SwitchB, SwitchC, and SwitchD on the LAN must
synchronize their clocks to the clock of SwitchA to ensure a precise charging service.
Figure 11-5 Networking diagram for configuring NTP unicast client/server mode
GE0/0/1
VLANIF111
1.0.0.2/24
GE0/0/1 GE0/0/1 GE0/0/2
VLANIF100 IP VLANIF110 VLANIF111 GE0/0/1 SwitchC
Network VLANIF111
2.2.2.2/24 1.0.1.1/24 1.0.0.1/24
1.0.0.3/24
SwitchA SwitchB
SwitchD
You can configure the authenticated unicast server/client mode to meet the user's requirement
for clock synchronization on the LAN. The configuration roadmap is as follows:
1. Configure SwitchA as the primary time server.

2. The NTP unicast server/client mode is used to synchronize the clocks of SwitchA and
SwitchB. SwitchA functions as the server, and SwitchB functions as the client.
3. The NTP unicast server/client mode is used to synchronize the clocks of SwitchB,
SwitchC, and SwitchD. SwitchB functions as the server, while SwitchC and SwitchD
function as the clients.
4. SwitchA and SwitchB are connected through the network, which is not secure, so that the
NTP authentication function is enabled.
NOTE
When configuring NTP authentication in the unicast server/client mode, enable the NTP authentication on
the client, and specify the NTP server address and the authentication key sent to the server. Otherwise, the
NTP authentication is not performed, and the NTP client and server are directly synchronized.
Procedure
Step 1 According to Figure 11-5, configure IP addresses, and configure reachable routes between any
two of SwitchA, SwitchB, SwitchC, and SwitchD.

# Configure an IP address on SwitchA. For details about the configurations of SwitchB,

SwitchC, and SwitchD, see "Configuration Files".
[SwitchA] vlan 100
[SwitchA] ospf 1
Step 2 Configure an NTP primary clock on SwitchA and enable the NTP authentication function.
# Specify the local clock of SwitchA as the primary clock, and set the clock stratum to 2.
[SwitchA] ntp-service refclock-master 2
# Enable the NTP authentication function, configure the authentication key, and specify the key
as reliable.
[SwitchA] ntp-service authentication enable
[SwitchA] ntp-service authentication-keyid 42 authentication-mode md5 Hello123
[SwitchA] ntp-service reliable authentication-keyid 42
Step 3 Configure an NTP primary clock on SwitchB and enable the NTP authentication function.
# Enable the NTP authentication function on SwitchB, configure the authentication key, and
specify the key as reliable.
[SwitchB] ntp-service authentication enable
[SwitchB] ntp-service authentication-keyid 42 authentication-mode md5 Hello123
[SwitchB] ntp-service reliable authentication-keyid 42
# Specify SwitchA as the NTP server of SwitchB, and use the configured authentication key.
[SwitchB] ntp-service unicast-server 2.2.2.2 authentication-keyid 42
Step 4 # Specify on SwitchC that SwitchB functions as the NTP server of SwitchC.
<SwitchC> system-view
[SwitchC] ntp-service authentication enable
[SwitchC] ntp-service authentication-keyid 42 authentication-mode md5 Hello123
[SwitchC] ntp-service reliable authentication-keyid 42
[SwitchC] ntp-service unicast-server 1.0.0.1 authentication-keyid 42
Step 5 # Specify on SwitchD that SwitchB functions as the NTP server of SwitchD.
<SwitchD> system-view
[SwitchD] ntp-service authentication enable
[SwitchD] ntp-service authentication-keyid 42 authentication-mode md5 Hello123
[SwitchD] ntp-service reliable authentication-keyid 42
[SwitchD] ntp-service unicast-server 1.0.0.1 authentication-keyid 42
After the preceding configuration is complete, SwitchB can synchronize its clock with the clock
of SwitchA.

# Check the NTP status of SwitchB, and you can find that the clock status is "synchronized",
indicating that the synchronization is complete. The stratum of the clock is 3, which is one
stratum lower than that of the clock of the server SwitchA.
[SwitchB] display ntp-service status
clock status: synchronized
clock stratum: 3
reference clock ID: 2.2.2.2
nominal frequency: 60.0002 Hz
actual frequency: 60.0002 Hz
clock precision: 2^18
clock offset: 3.8128 ms
root delay: 31.26 ms
root dispersion: 74.20 ms
peer dispersion: 34.30 ms
reference time: 11:55:56.833 UTC Mar 2 2006(C7B15BCC.D5604189)
synchronization state: clock set
# Check the NTP status of SwitchC, and you can find that the clock status is "synchronized",
stratum lower than that of the clock of the server SwitchB.
[SwitchC] display ntp-service status
clock stratum: 4
synchronization state: clock set but frequency not determined
# Check the NTP status of SwitchD, and you can find that the clock status is "synchronized",
stratum lower than that of the clock of the server SwitchB.
[SwitchD] display ntp-service status
clock stratum: 4
# Check the NTP status of SwitchA.

[SwitchA] display ntp-service status
clock stratum: 2
reference clock ID: LOCAL(0)
root delay: 0.00 ms


reference time: 12:01:48.377 UTC Mar 2 2012(C7B15D2C.60A15981)
synchronization state: clock synchronized
----End
Configuration Files
#
sysname SwitchA
#
ntp-service authentication enable
ntp-service authentication-keyid 42 authentication-mode md5 cipher %@%@u#z%
D59;g B3Qz02WywR<\D8N%@%@
ntp-service reliable authentication-keyid
42
ntp-service refclock-master 2
#
vlan batch 100
#
interface Vlanif100
ip address 2.2.2.2 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 2.2.2.0 0.0.0.255
#
return

#
sysname SwitchB
#
ntp-service reliable authentication-keyid 42
ntp-service unicast-server 2.2.2.2 authentication-keyid 42
#
#
interface Vlanif110
ip address 1.0.1.1 255.255.255.0
#
interface Vlanif111
ip address 1.0.0.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 1.0.0.0 0.0.0.255
network 1.0.1.0 0.0.0.255
#
return


#
sysname SwitchC
#
#
vlan batch 111
#
interface Vlanif111
ip address 1.0.0.2 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 1.0.0.0 0.0.0.255
#
return

#
sysname SwitchD
#
#
vlan batch 111
#
interface Vlanif111
ip address 1.0.0.3 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 1.0.0.0 0.0.0.255
#
return
11.3.2 Example for Configuring NTP Symmetric Peer Mode
As shown in Figure 11-6, three devices are on a local area network (LAN).
The clocks of the devices on the LAN need to be synchronized to facilitate device management.
SwitchA has synchronized its clock with an authoritative clock, the Global Positioning System
(GPS), through a network. The user requires SwitchB and SwitchC to synchronize their clocks
to the clock of SwitchA.

Figure 11-6 Networking diagram for configuring the symmetric peer mode
SwitchA
GE0/0/1
VLANIF100
10.0.0.1/24
GE0/0/1 GE0/0/1
VLANIF100 VLANIF100
10.0.0.3/24 10.0.0.2/24
S
SwitchB SwitchC
You can configure the NTP protocol to synchronize time, and use the NTP symmetric peer mode
to meet the user's requirement for time synchronization. The configuration roadmap is as follows:
1. Configure the local clock of SwitchA as the NTP primary clock.

2. The NTP unicast server/client mode is used to synchronize the clocks of SwitchB and
SwitchA. SwitchA functions as the server, and SwitchB functions as the client.
3. The symmetric peer mode is used to synchronize the clocks of SwitchB and SwitchC.
SwitchC functions as the symmetric active peer and sends a clock synchronization request
to SwitchB.
Procedure
Step 1 Configure IP addresses for SwitchA, SwitchB and SwitchC.
Configure an IP address for each interface according to Figure 11-6. After the configurations
are complete, the three switches can ping each other.
# Configure an IP address on SwitchA. For details about the configurations of SwitchB and
SwitchC, see "Configuration Files".
[SwitchA] vlan 100
Step 2 Configure the NTP client/server mode.
# Set the local clock of SwitchA as the NTP primary clock, and set the clock stratum to 2.
[SwitchA] ntp-service refclock-master 2
# Specify on SwitchB that SwitchA functions as the NTP server of SwitchB.

[SwitchB] ntp-service unicast-server 10.0.0.1
After the preceding configuration is complete, SwitchB can synchronize its clock with the clock
of SwitchA.
# Check the NTP status of SwitchB, and you can find that the clock status is "synchronized",
stratum lower than that of the clock of SwitchA.
[SwitchB] display ntp-service status
clock stratum: 3
reference time: 06:52:33.465 UTC Mar 7 2006(C7B7AC31.773E89A8)
Step 3 Configure the NTP unicast symmetric peer mode.

# Specify on SwitchC that SwitchB functions as the symmetric passive peer of SwitchC.
[SwitchC] ntp-service unicast-peer 10.0.0.2
Because SwitchC is not configured with a primary clock and its clock stratum is lower than that
of SwitchB, SwitchC synchronizes its clock with the clock of SwitchB.
Monitor the status of SwitchC after the synchronization. The clock of SwitchC is in
"synchronized" status, indicating that the synchronization is complete. The clock stratum of
SwitchC is 4, which is one stratum lower than that of the symmetric passive peer SwitchB.
# Display the clock status of SwitchC.
[SwitchC] display ntp-service status
clock stratum: 4
reference time: 06:55:50.784 UTC Mar 7 2006(C7B7ACF6.C8D002E2)
----End
Configuration Files
#
sysname SwitchA
#

#
vlan batch 100
#
interface Vlanif100
ip address 10.0.0.1 255.255.255.0
#
#
return

#
sysname SwitchB
#
ntp-service unicast-server 10.0.0.1
#
vlan batch 100
#
interface Vlanif100
ip address 10.0.0.2 255.255.255.0
#
#
return

#
sysname SwitchC
#
ntp-service unicast-peer 10.0.0.2
#
vlan batch 100
#
interface Vlanif100
ip address 10.0.0.3 255.255.255.0
#
#
return
11.3.3 Example for Configuring Authenticated NTP Broadcast

Mode
As shown in Figure 11-7, SwitchF, SwitchC, and SwitchD are on a local area network (LAN).
SwitchA directly connects to SwitchF. SwitchC directly synchronizes its clock to an
authoritative clock, the Global Positioning System (GPS), by radio.
To provide charging services, all switches (except SwitchA) in Figure 11-7 are required to
synchronize their clocks to a standard clock. SwitchA is outside the charging range, and does
not need to synchronize its clock to the standard clock.

Figure 11-7 Networking diagram for configuring authenticated NTP broadcast mode
GE0/0/1
VLANIF10
3.0.1.31/24
GE0/0/1 GE0/0/1 GE0/0/2
1.0.1.11/24 1.0.1.2/24 3.0.1.2/24 SwitchC
SwitchA SwitchF GE0/0/1

VLANIF10
3.0.1.32/24
SwitchD
You can configure the NTP protocol to synchronize time, and use the authenticated NTP
broadcast mode to meet the user's requirement. The configuration roadmap is as follows:
1. Configure SwitchC as the primary time server, use the local clock as the NTP primary
clock, and set the clock stratum to 3.
2. Configure SwitchC as the NTP broadcast server that sends broadcast packets from interface
VLANIF10 (the corresponding physical interface is GE0/0/1).
3. Configure SwitchA, SwitchD and SwitchF as NTP broadcast clients. SwitchA uses
VLANIF20 (the corresponding physical interface is GE0/0/1) to listen to the broadcast
packets. SwitchD uses VLANIF10 (the physical interface is GE0/0/1) to listen to the
broadcast packets. SwitchF uses VLANIF10 (the corresponding physical interface is
GE0/0/2) to listen to the broadcast packets.
4. To strengthen the network security, the NTP authentication function is enabled.
Procedure
Step 1 Configure an IP address for each interface according to Figure 11-7, and configure reachable
routes between the switches.
# Configure an IP address for the interface and configure a routing protocol on SwitchA.
[SwitchA] vlan 20
[SwitchA] ospf 1

For details about the configurations of SwitchC, SwitchD, and SwitchF, see "Configuration
Files".
Step 2 Configure the NTP broadcast server, and enable the authentication.
# Configure the local clock of SwitchC as the NTP primary clock, and set the clock stratum to
3.
[SwitchC] ntp-service refclock-master 3
# Enable NTP authentication.

[SwitchC] ntp-service authentication enable
[SwitchC] ntp-service authentication-keyid 16 authentication-mode md5 Hello123
[SwitchC] ntp-service reliable authentication-keyid 16
# Configure SwitchC as the NTP broadcast server that sends NTP broadcast packets from
VLANIF10, and specify the key with the ID 16 for encryption.
[SwitchC-Vlanif10] ntp-service broadcast-server authentication-keyid 16
Step 3 Configure the NTP broadcast client SwitchD on a network segment the same as that of the NTP
server.

[SwitchD] ntp-service authentication enable
[SwitchD] ntp-service authentication-keyid 16 authentication-mode md5 Hello123
[SwitchD] ntp-service reliable authentication-keyid 16
# Configure SwitchD as the NTP broadcast client that listens to the NTP broadcast packets from
interface VLANIF10.
[SwitchD-Vlanif10] ntp-service broadcast-client
After the configuration is complete, SwitchD synchronizes its clock to that of SwitchC. For
details about the configuration of SwitchF, which is similar to that of SwitchD, see the
corresponding configuration file.
Step 4 Configure the NTP broadcast client SwitchA on a network segment different from that of the
server.

[SwitchA] ntp-service authentication enable
[SwitchA] ntp-service authentication-keyid 16 authentication-mode md5 Hello123
[SwitchA] ntp-service reliable authentication-keyid 16
# Configure SwitchA as the NTP broadcast client that listens to the NTP broadcast packets from
interface VLANIF20.
[SwitchA-Vlanif20] ntp-service broadcast-client
After the preceding configuration is complete, SwitchD can synchronize its clock to that of
SwitchC, but SwitchA cannot synchronize its clock to that of SwitchC.
This is because SwitchA is on a network segment different from that of SwitchC, but SwitchD
is on a network segment the same as that of SwitchC.

stratum lower than that of the clock of SwitchC.
clock stratum: 4
root delay: 0.00 ms
reference time: 12:17:21.773 UTC Mar 7 2012(C7B7F851.C5EAF25B)
----End
Configuration Files
#
sysname SwitchA
#
#
vlan batch 20
#
interface Vlanif20
ip address 1.0.1.11 255.255.255.0
ntp-service broadcast-client
#
#
ospf
1
area
0.0.0.0
network 1.0.1.0 0.0.0.255
#
return

#
sysname SwitchC
#
#
vlan batch 10
#
interface Vlanif10
ip address 3.0.1.31 255.255.255.0
ntp-service broadcast-server authentication-keyid 16
#


#
ospf
1
area
0.0.0.0
network 3.0.1.0 0.0.0.255
#
return

#
sysname SwitchD
#
#
vlan batch 10
#
interface Vlanif10
ip address 3.0.1.32 255.255.255.0
#
#
ospf
1
area
0.0.0.0
network 3.0.1.0 0.0.0.255
#
return

#
sysname SwitchF
#
#
vlan batch 10 20
#
interface Vlanif10
ip address 3.0.1.2 255.255.255.0
#
interface Vlanif20
ip address 1.0.1.2 255.255.255.0
#
#
#
ospf
1
area

0.0.0.0
network 1.0.1.0 0.0.0.255
network 3.0.1.0 0.0.0.255
#
return
11.3.4 Example for Configuring NTP Multicast Mode

As shown in Figure 11-8, SwitchF, SwitchC, and SwitchD are on a local area network (LAN).
SwitchA directly connects to SwitchF. SwitchC directly synchronizes its clock to an
authoritative clock, the Global Positioning System (GPS), by radio.
To provide charging services, the clocks of all switches on the network need to be synchronized
to the clock of SwitchC.
Figure 11-8 Networking diagram for configuring NTP multicast mode

GE0/0/1
VLANIF10
3.0.1.31/24
GE0/0/1 GE0/0/1 GE0/0/2
1.0.1.11/24 1.0.1.2/24 3.0.1.2/24 SwitchC
SwitchA SwitchF GE0/0/1

VLANIF10
3.0.1.32/24
SwitchD
You can configure the NTP protocol to synchronize time, and use the NTP multicast mode to
meet the user's requirement. The configuration roadmap is as follows:
1. Configure SwitchC as the primary time server, use the local clock as the NTP primary
clock, and set the clock stratum to 3.
2. Configure SwitchC as the NTP multicast server that sends multicast packets from interface
VLANIF10 (the corresponding physical interface is GE0/0/1).
3. Configure SwitchA, SwitchD, and SwitchF as NTP multicast clients. SwitchA uses
VLANIF20 (the corresponding physical interface is GE0/0/1) to listen to the multicast
packets. SwitchD uses VLANIF10 (the corresponding physical interface is GE0/0/1) to
listen to the multicast packets. SwitchF uses VLANIF10 (the physical interface is
GE0/0/2) to listen to the multicast packets.
4. Configure a multicast route, so that SwitchA can receive the multicast packets.
Procedure
Step 1 Configure an IP address for each interface according to Figure 11-8, and configure reachable
routes between the switches.

# Configure an IP address for the interface and configure a routing protocol on SwitchA.
[SwitchA] vlan 20
[SwitchA] ospf 1
For details about the configurations of SwitchC, SwitchD, and SwitchF, see "Configuration
Files".
Step 2 Configure the NTP multicast server.
# Configure the local clock of SwitchC as the NTP primary clock, and set the clock stratum to
2.
[SwitchC] ntp-service refclock-master 2
# Configure SwitchC as the NTP multicast server that sends NTP multicast packets from
interface VLANIF10.
[SwitchC-Vlanif10] ntp-service multicast-server
Step 3 Configure the NTP multicast client SwitchD on a network segment the same as that of the NTP
server.
# Configure SwitchD as the NTP multicast client that listens to the NTP multicast packets from
interface VLANIF10.
[SwitchD-Vlanif10] ntp-service multicast-client
Step 4 Configure the NTP multicast client SwitchA on a network segment different from that of the
server.
# Configure SwitchA as the NTP multicast client that listens to the NTP multicast packets from
interface VLANIF20.
[SwitchA-Vlanif20] ntp-service multicast-client
Step 5 Configure a multicast route, so that SwitchA on a network segment different from that of
SwitchC can receive NTP multicast packets.
# Configure the multicast routing function on SwitchC.
# Configure the multicast routing function on SwitchF.

<SwitchF> system-view
[SwitchF] multicast routing-enable
[SwitchF] interface vlanif 20
[SwitchF-Vlanif20] pim sm
[SwitchF-Vlanif20] igmp enable
[SwitchF-Vlanif20] igmp static-group 224.0.1.1
[SwitchF-Vlanif20] quit
[SwitchF] pim
[SwitchF-pim] c-bsr vlanif 20
[SwitchF-pim] c-rp vlanif 20
[SwitchF-pim] quit
[SwitchF] interface gigabitethernet 0/0/1
[SwitchF-GigabitEthernet0/0/1] l2-multicast static-group group-address 224.0.1.1
vlan 20
[SwitchF-GigabitEthernet0/0/1] quit

After the preceding configuration is complete, SwitchD and SwitchA can synchronize their
clocks to the clock of SwitchC.
stratum lower than that of the clock of the server SwitchC.
clock stratum: 3
root delay: 0.00 ms
# Check the NTP status of SwitchA, and you can find that the clock status is "synchronized",
stratum lower than that of the clock of the server SwitchC.
[SwitchA] display ntp-service status
clock stratum: 3
----End
Configuration Files
#
sysname SwitchA
#

vlan batch 20
#
interface Vlanif20
ip address 1.0.1.11 255.255.255.0
ntp-service multicast-client
#
#
ospf
1
area
0.0.0.0
network 1.0.1.0 0.0.0.255
#
return

#
sysname SwitchC
#
vlan batch 10
#
#
#
interface Vlanif10
ip address 3.0.1.31 255.255.255.0
pim sm
ntp-service multicast-server
#
#
ospf
1
area
0.0.0.0
network 3.0.1.0 0.0.0.255
#
return

#
sysname SwitchD
#
vlan batch 10
#
interface Vlanif10
ip address 3.0.1.32 255.255.255.0
ntp-service multicast-client
#
#
ospf
1
area
0.0.0.0
network 3.0.1.0 0.0.0.255
#
return


#
sysname SwitchF
#
vlan batch 10 20
#
#
interface Vlanif10
ip address 3.0.1.2 255.255.255.0
#
interface Vlanif20
ip address 1.0.1.2 255.255.255.0
pim sm
igmp enable
#
l2-multicast static-group group-address 224.0.1.1 vlan 20
#
#
pim
c-bsr Vlanif20
c-rp Vlanif20
#
ospf
1
area
0.0.0.0
network 1.0.1.0 0.0.0.255
network 3.0.1.0 0.0.0.255
#
return
11.4 Ping and Tracert Configuration

You can use the ping command to check network connectivity, and the tracert command to
check the path from the source to the destination and to locate faults on the network.
11.4.1 Example for Performing Ping and Tracert Operations
As shown in Figure 11-9, after configuring SwitchA, check the link between SwitchA and the
log host. If the link is disconnected, you need to locate the fault.
Figure 11-9 Networking diagram of ping and tracert operations
1.1.1.1/24 1.1.2.1/24 1.1.3.1/24

1.1.1.2/24 1.1.2.2/24 1.1.3.2/24
SwitchA SwitchB SwitchC Log host

1. Run the ping command on SwitchA to check connectivity between SwitchA and the log
host.
2. Run the tracert command to locate the faulty link segment if the link is disconnected.
Procedure
Step 1 Run the ping command.
# Run the ping command on SwitchA to check connectivity between SwitchA and the log host.
Request time out
Request time out
Request time out
Request time out
Request time out

100.00% packet loss
The output on SwitchA shows that the log host is unreachable, which indicates that a fault occurs
on the link between SwitchA and the log host.
Step 2 Run the tracert command.
# Run the tracert command on SwitchA to locate the faulty link segment.
<HUAWEI> tracert 1.1.3.2
traceroute to 1.1.3.2(1.1.3.2), max hops: 30 ,packet length: 40, press CTRL_C to
break
1 1.1.1.2 4 ms 5 ms 5 ms
2 * * *
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
...
The preceding output shows that the ICMP Echo Request packet passes SwitchB but does not
reach SwitchC. This indicates that the link between SwitchB and SwitchC fails. After the link
between SwitchB and SwitchC is recovered, repeat Step 1 and Step 2 to ensure that SwitchA
and the log host can communicate properly.
----End
11.5 NQA Configuration

This chapter describes how to configure the Network Quality Analysis (NQA) to monitor the
network operating status and collect network operation indexes in real time.

11.5.1 Example for Configuring a DNS Test Instance
As shown in Figure 11-10, SwitchA functions as a DNS client to access the host 10.2.1.1/24,
using a domain name server.com.
Figure 11-10 Networking diagram for configuring a DNS test instance

server.com
10.2.1.1/24
SwitchA
GE0/0/1 IP Network
VLANIF100
10.1.1.1/24
DNS Server
10.3.1.1/24
1. Configure SwitchA as an NQA client.

2. Create and start a DNS test instance on the SwitchA to check whether SwitchA can set up
a connection with the DNS server and to obtain the speed of responding to an address
resolution request.
Procedure
Step 1 Configure IP addresses for the interfaces on the SwitchA and ensure reachable routes between
SwitchA and server.com, SwitchA and the DNS server.
[SwitchA] vlan 100
[SwitchA] interface Vlanif 100
[SwitchA] ospf
Step 2 Configure an NQA DNS test instance.


[SwitchA] dns server 10.3.1.1

[SwitchA] nqa test-instance admin dns
[SwitchA-nqa-admin-dns] test-type dns
[SwitchA-nqa-admin-dns] dns-server ipv4 10.3.1.1
[SwitchA-nqa-admin-dns] destination-address url server.com
Step 3 Start the test instance.

[SwitchA-nqa-admin-dns] start now

[SwitchA-nqa-admin-dns] display nqa results test-instance admin dns
NQA entry(admin, dns) :testflag is inactive ,testtype is dns
1 . Test 1 result The test is finished
Send operation times: 1 Receive response times: 1
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:0
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Status errors number:0
Destination ip address: 10.3.1.1
Min/Max/Average Completion Time: 1/1/1
Sum/Square-Sum Completion Time: 1/1
Last Good Probe Time: 2012-07-20 16:23:49.1
Lost packet ratio: 0 %
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
dns resolve
dns server 10.3.1.1
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
nqa test-instance admin dns
test-type dns
destination-address url server.com
dns-server ipv4 10.3.1.1
#
return
11.5.2 Example for Configuring an FTP Download Test Instance
As shown in Figure 11-11, the performance of the FTP download function needs to be checked.

Figure 11-11 Networking diagram for configuring an FTP download test instance
SwitchA SwitchB
GE0/0/1 GE0/0/1
VLANIF100 VLANIF100
10.1.1.1/24 10.1.1.2/24
2. Configure SwitchB as the FTP server. Log in to the FTP server using user name user1 and
password hello123 to download file test.txt.
3. Create and start an FTP test instance on SwitchA to check whether SwitchA can set up a
connection with the FTP server and to obtain duration for downloading the file from the
FTP server.
Procedure
# Configure an IP address for SwitchB.
[SwitchB] vlan 100
[SwitchB] interface Vlanif 100
# Configure SwitchB as the FTP server.

[SwitchB] ftp server enable
[SwitchB] aaa
[SwitchB-aaa] local-user user1 password cipher hello123
[SwitchB-aaa] local-user user1 privilege level 15
[SwitchB-aaa] local-user user1 service-type ftp
[SwitchB-aaa] local-user user1 ftp-directory flash:/
[SwitchB-aaa] quit

# Configure an IP address for SwitchA.
[SwitchA] vlan 100

# Create an NQA FTP test instance on SwitchA.

[SwitchA] nqa test-instance admin ftp
[SwitchA-nqa-admin-ftp] test-type ftp
[SwitchA-nqa-admin-ftp] destination-address ipv4 10.1.1.2
[SwitchA-nqa-admin-ftp] source-address ipv4 10.1.1.1
[SwitchA-nqa-admin-ftp] ftp-operation get
[SwitchA-nqa-admin-ftp] ftp-username user1
[SwitchA-nqa-admin-ftp] ftp-password hello123
[SwitchA-nqa-admin-ftp] ftp-filename test.txt

[SwitchA-nqa-admin-ftp] start now

[SwitchA-nqa-admin-ftp] display nqa results test-instance admin ftp
NQA entry(admin, ftp) :testflag is inactive ,testtype is ftp
SendProbe:1 ResponseProbe:1
Completion :success RTD OverThresholds number: 0
MessageBodyOctetsSum: 448 Stats errors number: 0
Operation timeout number: 0 System busy operation number:0
Drop operation number:0 Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 438/438/438
DataConnTime Min/Max/Average: 218/218/218
SumTime Min/Max/Average: 656/656/656
Average RTT:656
Lost packet ratio:0 %
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
nqa test-instance admin
ftp
test-type
ftp
destination-address ipv4 10.1.1.2
source-address ipv4 10.1.1.1
ftp-username user1
ftp-password cipher %@%@u+*;8L-vIEWC8=Ti:$wN\$=>%@%@
ftp-filename test.txt
#
return

#
sysname SwitchB
#
vlan batch 100
#
interface Vlanif100

ip address 10.1.1.2 255.255.255.0

#
#
FTP server enable
#
aaa
local-user user1 password cipher %@%@u+*;8L-vIEWC8=Ti:$wN\$=>%@%@
local-user user1 ftp-directory flash:/
local-user user1 service-type ftp
#
return
11.5.3 Example for Configuring an FTP Upload Test Instance
As shown in Figure 11-12, the speed of uploading a file from SwitchA to an FTP server needs
to be tested.
Figure 11-12 Networking diagram for configuring an FTP upload test instance
SwitchA SwitchB
GE0/0/1 GE0/0/1
VLANIF100 VLANIF100
10.1.1.1/24 10.1.1.2/24
1. Configure Switch A as an NQA client as well as an FTP client. Create and start an FTP test
instance on SwitchA to check whether SwitchA can set up a connection with the FTP server
and to obtain the time taken by SwitchA to upload a file to the FTP server.
2. A user named user1 logs in to the FTP server by entering the password hello123 to upload
a file with the size being 10 KB.
Procedure
# Configure an IP address for SwitchB.

[SwitchB] vlan 100
[SwitchB] interface Vlanif 100

# Configure SwitchB as the FTP server.

[SwitchB] ftp server enable
[SwitchB] aaa
[SwitchB-aaa] local-user user1 password cipher hello123
[SwitchB-aaa] local-user user1 privilege level 15
[SwitchB-aaa] local-user user1 service-type ftp
[SwitchB-aaa] local-user user1 ftp-directory flash:/
[SwitchB-aaa] quit
# Configure an IP address for SwitchA.

[SwitchA] vlan 100
# Create an NQA FTP test on SwitchA and create a file of 10 KB for uploading.
[SwitchA] nqa test-instance admin ftp
[SwitchA-nqa-admin-ftp] test-type ftp
[SwitchA-nqa-admin-ftp] destination-address ipv4 10.1.1.2
[SwitchA-nqa-admin-ftp] source-address ipv4 10.1.1.1
[SwitchA-nqa-admin-ftp] ftp-operation put
[SwitchA-nqa-admin-ftp] ftp-username user1
[SwitchA-nqa-admin-ftp] ftp-password hello123
[SwitchA-nqa-admin-ftp] ftp-filesize 10

[SwitchA-nqa-admin-ftp] start now
# Check NQA test results on SwitchA.

[SwitchA-nqa-admin-ftp] display nqa results test-instance admin ftp
NQA entry(admin, ftp) :testflag is inactive ,testtype is ftp
Completion :success RTD OverThresholds number: 0
MessageBodyOctetsSum: 10240 Stats errors number: 0
Operation timeout number: 0 System busy operation number:0
Drop operation number:0 Disconnect operation number: 0
CtrlConnTime Min/Max/Average: 657/657/657
DataConnTime Min/Max/Average: 500/500/500
SumTime Min/Max/Average: 1157/1157/1157
Average RTT:656
Lost packet ratio:0 %
# On SwitchB, you can view that a file named nqa-ftp-test.txt is added. Part of the file on the
SwitchB is displayed.
<SwitchB> dir
0 -rw- 331 Jul 06 2007 18:34:34 private-data.txt

1 -rw- 10,240 Jul 06 2007 18:37:06 nqa-ftp-test.txt

----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
ftp
test-type
ftp
source-address ipv4 10.1.1.1
ftp-filesize 10
ftp-username user1
ftp-password cipher %@%@u+*;8L-vIEWC8=Ti:$wN\$=>%@%@
ftp-operation put
#
return

#
sysname SwitchB
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
#
FTP server enable
#
aaa
local-user user1 password cipher %@%@u+*;8L-vIEWC8=Ti:$wN\$=>%@%@
local-user user1 ftp-directory flash:/
local-user user1 service-type ftp
#
return
11.5.4 Example for Configuring an HTTP Test Instance
As shown in Figure 11-13, SwitchA is connected to the HTTP server over a WAN to test the
speed of SwitchA accessing the HTTP server.

Figure 11-13 Networking diagram for configuring an HTTP test instance
HTTP Server
10.2.1.1/24
Switch A
GE0/0/1 IP Network
VLANIF100
10.1.1.1/24
2. Create and start an HTTP test instance on the SwitchA to check whether SwitchA can set
up a connection with the HTTP server and to check the duration for transferring files
between SwitchA and the HTTP server.
Procedure
Step 1 Configure IP addresses for the interfaces on the SwitchA and ensure reachable routes between
SwitchA and the HTTP server.
[SwitchA] vlan 100
[SwitchA] ospf
Step 2 Enable the NQA client and create an NQA HTTP test instance.
[SwitchA] nqa test-instance admin http
[SwitchA-nqa-admin-http] test-type http
[SwitchA-nqa-admin-http] destination-address ipv4 10.2.1.1
[SwitchA-nqa-admin-http] http-operation get
[SwitchA-nqa-admin-http] http-url www.huawei.com

[SwitchA-nqa-admin-http] start now

[SwitchA-nqa-admin-http] display nqa results test-instance admin http
NQA entry(admin, http) :testflag is inactive ,testtype is http
Completion:success RTD OverThresholdsnumber: 0
MessageBodyOctetsSum: 411 TargetAddress: 10.2.1.1

DNSQueryError number: 0 HTTPError number: 0

TcpConnError number : 0 System busy operation number:0
DNSRTT Sum/Min/Max:0/0/0 TCPConnectRTT Sum/Min/Max: 4/1/2
TransactionRTT Sum/Min/Max: 3/1/1
RTT Sum/Min/Max/Avg: 7/2/3/2
DNSServerTimeout:0 TCPConnectTimeout:0 TransactionTimeout: 0
Lost packet ratio:0%
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
nqa test-instance admin http
test-type http
http-url www.huawei.com
#
return
11.5.5 Example for Configuring an ICMP Test Instance
As shown in Figure 11-14, SwitchA functions as an NQA client to test whether SwitchB is
reachable.
Figure 11-14 Networking diagram for configuring an ICMP test instance
SwitchA SwitchB
GE0/0/1 GE0/0/1
VLANIF100 VLANIF100
NQA Client 10.1.1.1/24 10.1.1.2/24
1. Perform the NQA ICMP test function to test whether the packet sent by SwitchA can reach
SwitchB.
2. Perform the NQA ICMP test to obtain the RTT of the packet.

Procedure
Step 1 # Configure an IP address for SwitchA.
[SwitchA] vlan 100
Step 2 # Configure an IP address for SwitchB.

[SwitchB] vlan 100
Step 3 Enable the NQA client and create an NQA ICMP test instance.
[SwitchA] nqa test-instance admin icmp
[SwitchA-nqa-admin-icmp] test-type icmp
[SwitchA-nqa-admin-icmp] destination-address ipv4 10.1.1.2

[SwitchA-nqa-admin-icmp] start now

[SwitchA-nqa-admin-icmp] display nqa results test-instance admin icmp
NQA entry(admin, icmp) :testflag is inactive ,testtype is icmp
Destination ip address:10.1.1.2
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100

ip address 10.1.1.1 255.255.255.0

#
#
nqa test-instance admin icmp
test-type icmp
#
return

#
sysname SwitchB
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
#
return
11.5.6 Example for Configuring an ICMP Jitter Test Instance

As shown in Figure 11-15, SwitchA and SwitchB communicate at Layer 3 using VLANIF
interfaces.
SwitchA functions as the NQA client to test the jitter of the network between SwitchA and
SwitchB.
Figure 11-15 Networking diagram for configuring an ICMP jitter test instance
GE0/0/1 GE0/0/1
VLANIF10 VLANIF10
10.1.1.1/24 10.1.1.2/24
SwitchA SwitchB
1. Configure SwitchA as an NQA client and create an ICMP jitter test instance on SwitchA.
Procedure
[SwitchA] vlan 10

[SwitchA] interface gigabitEthernet 0/0/1
[SwitchB] vlan 10
[SwitchB] interface gigabitEthernet 0/0/1
Step 2 Create VLANIF interfaces and assign IP addresses to the VLANIF interfaces.
[SwitchA-Vlanif10] qiut
Step 3 # Enable the NQA client and create an ICMP jitter NQA test instance.
[SwitchA] nqa test-instance admin icmpjitter
[SwitchA-nqa-admin-icmpjitter] test-type icmpjitter
[SwitchA-nqa-admin-icmpjitter] destination-address ipv4 10.1.1.2
Step 4 Start the test instance immediately.

[SwitchA-nqa-admin-icmpjitter] start now

[SwitchA-nqa-admin-icmpjitter] display nqa results test-instance admin icmpjitter
NQA entry(admin, icmpjitter) :testflag is inactive ,testtype is icmpjitter
Completion:success RTD OverThresholds number:0
Min/Max/Avg/Sum RTT:1/160/25/1513 RTT Square Sum:92613
NumOfRTT:60 Drop operation number:0
Operation sequence errors number:0 RTT Stats errors number:0
System busy operation number:0 Operation timeout number:0
Min Positive SD:10 Min Positive DS:10
Max Positive SD:140 Max Positive DS:20
Positive SD Number:13 Positive DS Number:8
Positive SD Sum:510 Positive DS Sum:90
Positive SD Square Sum:37100 Positive DS Square Sum:1100
Min Negative SD:10 Min Negative DS:10
Max Negative SD:50 Max Negative DS:20
Negative SD Number:19 Negative DS Number:7
Negative SD Sum:510 Negative DS Sum:80
Negative SD Square Sum:19500 Negative DS Square Sum:1000
Min Delay SD:0 Min Delay DS:0
Avg Delay SD:12 Avg Delay DS:11
Max Delay SD:80 Max Delay DS:79
Packet Loss SD:0 Packet Loss DS:0
Packet Loss Unknown:0 Average of Jitter:25
Average of Jitter SD:31 Average of Jitter DS:11
Jitter out value:12.5280771 Jitter in value:1.7729331

NumberOfOWD:60 OWD SD Sum:750

OWD DS Sum:703 TimeStamp unit: ms
Packet Rewrite Number: 0 Packet Rewrite Ratio: 0%
Packet Disorder Number: 0 Packet Disorder Ratio: 0%
Fragment-disorder Number: 0 Fragment-disorder Ratio: 0%
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
nqa test-instance admin icmpjitter
test-type icmpjitter
#
return

#
sysname SwitchB
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
#
return
11.5.7 Example for Configuring an SNMP Query Test Instance
As shown in Figure 11-16, SNMP agent is enabled on SwitchA and SwitchC. An NQA SNMP
query test needs to be performed to obtain the time from when SwitchA sends an SNMP query
packet to when SwitchA receives an Echo packet.
Figure 11-16 Networking diagram for configuring an SNMP query test instance

GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1
10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24
SNMP Agent


2. Enable SNMP agent on SwitchA.
3. Create and start an SNMP query test instance on SwitchA.
4. Enable the SNMP agent on SwitchC.
Procedure
Step 1 Configure an IP address for each interface and ensure reachable routes between switches, as
shown in Figure 11-16.
[SwitchA] vlan 100
NOTE
For configurations of SwitchB and SwitchC, see the configuration files.
Step 2 Enable SNMP agent on SwitchC.

[SwitchC] snmp-agent
Step 3 Enable SNMP agent on SwitchA.

[SwitchA] snmp-agent
Step 4 Create an SNMP query test instance on SwitchA.

[SwitchA] nqa test-instance admin snmp
[SwitchA-nqa-admin-snmp] test-type snmp
[SwitchA-nqa-admin-snmp] destination-address ipv4 10.2.1.2

[SwitchA-nqa-admin-snmp] start now

[SwitchA-nqa-admin-snmp] display nqa results test-instance admin snmp
NQA entry(admin, snmp) :testflag is inactive ,testtype is snmp
Min/Max/Average Completion Time:
63/172/109

Sum/Square-Sum Completion Time:

329/42389
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
snmp-agent
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
snmp
test-type
snmp
#
return

#
sysname SwitchB
#
vlan batch 100 110
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
#
#
#
return

#
sysname SwitchC
#
vlan batch 110
#
snmp-agent


#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
#
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return
11.5.8 Example for Configuring a TCP Test Instance
As shown in Figure 11-17, an NQA TCP test needs to be performed to obtain the duration for
setting up a TCP connection with SwitchC.
Figure 11-17 Networking diagram for configuring a TCP test instance

GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1
NQA Client 10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24 NQA Server
1. Configure SwitchA as an NQA client and configure SwitchC as an NQA server.

2. Configure the monitoring port number on the NQA server and create an NQA TCP test
instance on the NQA client.
Procedure
[SwitchA] vlan 100
NOTE
Step 2 Configure an NQA server on SwitchC.

# Configure the IP address and port number for monitoring TCP connections on the NQA server.
[SwitchC] nqa-server tcpconnect 10.2.1.2 9000
Step 3 Configure the NQA client on SwitchA.
# Enable the NQA client and create a TCP test instance.

[SwitchA] nqa test-instance admin tcp
[SwitchA-nqa-admin-tcp] test-type tcp
[SwitchA-nqa-admin-tcp] destination-address ipv4 10.2.1.2
[SwitchA-nqa-admin-tcp] destination-port 9000

[SwitchA-nqa-admin-tcp] start now

[SwitchA-nqa-admin-tcp] display nqa results test-instance admin tcp
NQA entry(admin, tcp) :testflag is inactive ,testtype is tcp
46/63/52
156/8294
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
tcp
test-type
tcp
destination-port 9000
#
return


#
sysname SwitchB
#
vlan batch 100 110
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
#
#
#
return

#
sysname SwitchC
#
vlan batch 110
#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
#
#
nqa-server tcpconnect 10.2.1.2 9000
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return
11.5.9 Example for Configuring a Trace Test Instance
As shown in Figure 11-18, a trace test needs to be performed to trace the IP address of
VLANIF110 of SwitchC on SwitchA.
Figure 11-18 Networking diagram for configuring a trace test instance

GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1
NQA Client 10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24


2. Create and start a trace test instance on SwitchA to obtain statistics about each hop from
SwitchA to SwitchC.
Procedure
[SwitchA] vlan 100
NOTE
Step 2 Create an NQA trace test instance on SwitchA and set the destination IP address to 10.2.1.2.
[SwitchA] nqa test-instance admin trace
[SwitchA-nqa-admin-trace] test-type trace
[SwitchA-nqa-admin-trace] destination-address ipv4 10.2.1.2

[SwitchA-nqa-admin-trace] start now

[SwitchA-nqa-admin-trace] display nqa results test-instance admin trace
NQA entry(admin, trace) :testflag is inactive ,testtype is trace
Completion:success Attempts number:1
Drop operation number:0
Last good path Time:2012-07-17 11:21:27.2
1 . Hop 1
RTD OverThresholds number: 0
2 . Hop 2
----End

Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
nqa test-instance admin trace
test-type trace
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

#
sysname SwitchB
#
vlan batch 100 110
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
#
#
#
return

#
sysname SwitchC
#
vlan batch 110
#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
#
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return
11.5.10 Example for Configuring a UDP Test Instance

As shown in Figure 11-19, an NQA UDP test needs to be performed to obtain the RTT of a
UDP packet transmitted between SwitchA and SwitchC.
Figure 11-19 Networking diagram for configuring a UDP test instance

GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1
10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24 NQA Server

2. Configure the port number monitored by the NQA server and create an NQA UDP test
instance on the NQA client.
Procedure
[SwitchA] vlan 100
NOTE
# Configure the monitoring IP address and UDP port number on the NQA server.
[SwitchC] nqa-server udpecho 10.2.1.2 6000
Step 3 Configure the NQA client on SwitchA.
# Enable the NQA client and create a UDP test instance.

[SwitchA] nqa test-instance admin udp
[SwitchA-nqa-admin-udp] test-type udp
[SwitchA-nqa-admin-udp] destination-address ipv4 10.2.1.2
[SwitchA-nqa-admin-udp] destination-port 6000

[SwitchA-nqa-admin-udp] start now


[SwitchA-nqa-admin-udp] display nqa results test-instance admin udp
NQA entry(admin, udp) :testflag is inactive ,testtype is udp
32/109/67
203/16749
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
nqa test-instance admin udp
test-type udp
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

#
sysname SwitchB
#
vlan batch 100 110
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
#
#
#
return


#
sysname SwitchC
#
vlan batch 110
#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
#
#
nqa-server udpecho 10.2.1.2 6000
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return
11.5.11 Example for Configuring a UDP Jitter Test Instance
As shown in Figure 11-20, a UDP Jitter test needs to be performed to obtain the jitter time of
transmitting a packet from SwitchA to SwitchC.
Figure 11-20 Networking diagram for configuring a jitter test instance

GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1
NQA Client 10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24 NQA Server
2. Configure the monitoring service type and port number on the NQA server.
3. Create a UDP Jitter test instance on the NQA client.
Procedure
[SwitchA] vlan 100

NOTE

# Configure the monitoring IP address and UDP port number on the NQA server.

# Enable the NQA client and create a UDP Jitter test instance.
[SwitchA] nqa test-instance admin jitter
[SwitchA-nqa-admin-jitter] test-type jitter
[SwitchA-nqa-admin-jitter] destination-address ipv4 10.2.1.2
[SwitchA-nqa-admin-jitter] destination-port 9000

[SwitchA-nqa-admin-jitter] start now

[SwitchA-nqa-admin-jitter] display nqa results test-instance admin jitter
NQA entry(admin, jitter) :testflag is inactive ,testtype is jitter
----End
Configuration Files
#
sysname SwitchA
#

vlan batch 100

#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
nqa test-instance admin jitter
test-type jitter
#
ip route-static 10.2.1.0 255.255.255.0 10.1.1.2
#
return

#
sysname SwitchB
#
vlan batch 100 110
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
#
#
#
return

#
sysname SwitchC
#
vlan batch 110
#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
#
#
#
ip route-static 10.1.1.0 255.255.255.0 10.2.1.1
#
return
11.5.12 Example for Configuring the MAC Ping Test

l CFM is enabled on Switch A and Switch B.

l MAs and MDs are configured on Switch A and Switch B.
The NQA MAC Ping test is used to test the connectivity between Switch A and Switch B.
Figure 11-21 Networking diagram for configuring the MAC Ping test
NQA Client NQA Server
GE0/0/1 GE0/0/1
SwitchA SwitchB
1. Configure Switch A as the NQA client.

2. Configure Switch B as the NQA server.
3. Create a MAC Ping test on Switch A.
Procedure
Step 1 Configure the MA and MD between Switch A and Switch B.
[SwitchA] cfm md test
[SwitchA-md-test] ma test
[SwitchA-md-test-ma-test] map vlan 11
[SwitchA-md-test-ma-test] mep mep-id 11 interface gigabitethernet0/0/1 outward
[SwitchA-md-test-ma-test] mep ccm-send mep-id 11 enable
[SwitchA-md-test-ma-test] remote-mep mep-id 12 mac 00e0-fc88-aaaa
[SwitchA-md-test-ma-test] remote-mep ccm-receive mep-id 12 enable
[SwitchA-md-test-ma-test] quit
[SwitchA-md-test] quit
[SwitchA]
[SwitchB] cfm md test
[SwitchB-md-test] ma test
[SwitchB-md-test-ma-test] map vlan 11
[SwitchB-md-test-ma-test] mep mep-id 12 interface gigabitethernet0/0/1 outward
[SwitchB-md-test-ma-test] mep ccm-send mep-id 12 enable
[SwitchB-md-test-ma-test] remote-mep mep-id 11 mac 0000-0000-0010
[SwitchB-md-test-ma-test] remote-mep ccm-receive mep-id 11 enable
[SwitchB-md-test-ma-test] quit
[SwitchB-md-test] quit
[SwitchB]
Step 2 # Enable the NQA client and create a MAC Ping test for a common tunnel on Switch A.
[SwitchA]nqa test-instance admin macping
[SwitchA-nqa-admin-macping]test-type macping
[SwitchA-nqa-admin-macping]md test ma test
[SwitchA-nqa-admin-macping]destination-address mac 00e0-fc88-aaaa

Step 3 Perform the test.

[SwitchA-nqa-admin-macping] start now
Step 4 Verify the test result.

[SwitchA-nqa-admin-macping] display nqa results test-instance admin macping
NQA entry(admin, macping) :testFlag is inactive ,testtype is macping
Positive SD Square Sum :0 Positive DS Square Sum :0
Negative SD Square Sum :0 Negative DS Square Sum :0
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 11
#
cfm enable
#
#
cfm md test
ma test
map vlan 11
remote-mep mep-id 12 mac 00e0-fc88-aaaa
#
nqa test-instance admin macping
test-type macping
destination-address mac 00e0-fc88-aaaa
md test ma test

#
return
#
sysname SwitchB
#
vlan batch 11
#
cfm enable
#
#
cfm md test
ma test
map vlan 11
remote-mep mep-id 11 mac 0000-0000-0010
#
return
11.5.13 Example for Configuring MAC Ping to Detect the

Connectivity of a VLAN network
As shown in Figure 11-22, all devices are on a VLAN network and are enabled with basic
Ethernet CFM functions. A MAC ping test instance can be used to detect the connectivity and
locate fault of the VLAN network.
Figure 11-22 Networking diagram of configuring MAC ping for detecting the connectivity of
a VLAN network
VLAN10 VLAN VLAN10
SwitchA SwitchB
1. Configure a VLAN network and the service environment for starting the NQA test instance.
2. Configure Ethernet CFM and establish the mapping relationship between CFM and VLAN.

3. Configure an NQA MAC ping test instance on Switch A, and specify mandatory
configurations for the test instance.
4. Start the NQA MAC ping test instance.
Procedure
Step 1 Configure the IP address. (The detailed procedure is not mentioned here.)
Step 2 Add Switch A and Switch B to VLAN 10.
[SwitchA] vlan 10
# Configure Switch B. Configurations performed on Switch B are similar to those on Switch A

and therefore are not provided here.
Step 3 Enable basic Ethernet CFM functions between Switch A and Switch B, and establish the mapping
relationship between the MA and VLAN 10.
[SwitchA-md-md1-ma-ma1] map vlan 10
[SwitchA-md-md1-ma-ma1] mep ccm-send mep-id 1 enable
[SwitchA-md-md1-ma-ma1] remote-mep ccm-receive mep-id 2 enable
[SwitchB-md-md1-ma-ma1] mep ccm-send mep-id 2 enable
[SwitchB-md-md1-ma-ma1] remote-mep ccm-receive mep-id 1 enable
NOTE
Each interface can be configured with only one MEP and the interface must be a Layer 2 interface.
Run the display cfm remote-mep command on Switch A to view the status of Ethernet CFM.
The command output shows that the status of Ethernet CFM is Up.
[SwitchA] display cfm remote-mep
The status of RMEPS : 1 up, 0 down, 0 disable

--------------------------------------------------
MD Name : md1
Level : 0
MA Name : ma1
RMEP ID : 2
Vlan ID : 10
VSI Name : --
L2VC ID : --
MAC : 00e0-fca4-8ae7
CFM Status : up
Alarm Status : none
Interface TLV : --
Connect Status : up
Step 4 Configure a VLAN MAC Ping test instance and start the test instance.
[SwitchA] nqa test-instance test macping
[SwitchA-nqa-test-macping] test-type macping
[SwitchA-nqa-test-macping] destination-address mac 00e0-fca4-8ae7
[SwitchA-nqa-test-macping] md md1 ma ma1
[SwitchA-nqa-test-macping] mep mep-id 1
# Start the test instance.

[SwitchA-nqa-test-macping] start now

Enter the MAC ping test instance view on Switch A and then run the display nqa results
command. You can see that the test result is "success".
[SwitchA-nqa-test-macping] display nqa results
NQA entry(test, macping) :testFlag is inactive ,testtype is macping
Positive SD Square Sum :0 Positive DS Square Sum :0
Negative SD Square Sum :0 Negative DS Square Sum :0
----End

Configuration Files
#
sysname SwitchA
#
vlan batch 10
#
cfm enable
#
#
cfm md md1
ma ma1
map vlan 10
remote-mep mep-id 2
#
nqa test-instance test macping
test-type macping
destination-address mac 00e0-fca4-8ae7
md md1 ma ma1
mep mep-id 1
#
return

#
sysname SwitchB
#
vlan batch 10
#
cfm enable
#
#
cfm md md1
ma ma1
map vlan 10
remote-mep mep-id 1
remote-mep ccm-receive mep-id 1 enable#
return
11.5.14 Example for Configuring the LSP Ping Test for a Common
Tunnel
l The OSPF protocol runs on Switch A, Switch B, and Switch C. The three Switches learn
the 32-bit host routes on their loopback interfaces.
l MPLS and MPLS LDP are enabled on Switch A, Switch B, and Switch C.

l MPLS and MPLS LDP are enabled on VLANIF interfaces connected to Switch A,
Switch B, and Switch C to trigger the establishment of an LDP LSP.
The NQA LSP Ping test needs to be performed to check the connectivity of the LSP between
Switch A and Switch C.
Figure 11-23 Networking diagram for configuring the LSP Ping test
area 0

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/2

SwitchA 10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24
SwitchC
SwitchB

2. Configure Switch C as the NQA server.
3. Create an LSP Ping test on Switch A.
Procedure
Step 1 Configure reachable routes between Switch A and Switch B, between Switch A and Switch C,
and between Switch B and Switch C. The configuration details are not mentioned here.
Step 2 Configure LDP on SwitchA, SwitchB, and SwitchC. (The detailed procedure is not mentioned
here.)
For the configuration of LDP, refer to the S2350&S5300&S6300 Series Ethernet Switches
Step 3 Configure Switch A.
# Enable the NQA client and create an LSP Ping test for a common tunnel.
[SwitchA] nqa test-instance admin lspping
[SwitchA-nqa-admin-lspping] test-type lspping

[SwitchA-nqa-admin-lspping] lsp-type ipv4

[SwitchA-nqa-admin-lspping] destination-address ipv4 3.3.3.9 lsp-masklen 32

[SwitchA-nqa-admin-lspping] start now

[SwitchA-nqa-admin-lspping] display nqa results test-instance admin lspping
NQA entry(admin, lspping) :testflag is inactive ,testtype is lspping
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
nqa test-instance admin lspping
test-type lspping
destination-address ipv4 3.3.3.9 lsp-masklen 32
#
return

#
sysname SwitchB
#
vlan batch 100 110

#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return

#
sysname SwitchC
#
vlan batch 110
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.1.0 0.0.0.255
#
return

11.5.15 Example for Configuring the LSP Jitter Test for a Common
Tunnel
l MPLS and MPLS LDP are enabled on Switch A, Switch B, and Switch C.
l MPLS and MPLS LDP are enabled on VLANIF interfaces connected to Switch A,
Switch B, and Switch C to trigger the establishment of an LDP LSP.
The jitter of the network between SwitchA and SwitchC needs to be tested through an NQA LSP
jitter test.
Figure 11-24 Networking diagram for configuring the LSP Jitter test
area 0

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1

SwitchA 10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24
SwitchB SwitchC
3. Create an LSP Jitter test on Switch A.
Procedure
Step 2 Configure LDP on SwitchA, SwitchB, and SwitchC. (The detailed procedure is not mentioned
here.)

For the configuration of LDP, refer to the S2350&S5300&S6300 Series Ethernet Switches
Step 3 Configure Switch A as the NQA client.
# Enable the NQA client and configure the LDP LSP Jitter test.
[SwitchA] nqa test-instance admin lspjitter
[SwitchA-nqa-admin-lspjitter] test-type lspjitter
[SwitchA-nqa-admin-lspjitter] lsp-type ipv4
[SwitchA-nqa-admin-lspjitter] destination-address ipv4 3.3.3.9 lsp-masklen 32 lsp-
loopback 127.0.0.1

[SwitchA-nqa-admin-lspjitter] start now

[SwitchA-nqa-admin-lspjitter] display nqa results test-instance admin lspjitter
NQA entry(admin, lspjitter) :testflag is inactive ,testtype is lspjitter
Min Positive SD:1 Max Positive SD:41
Positive SD Number:9 Positive SD Sum:53
Positive SD Square Sum:1705 Min Negative SD:1
Max Negative SD:41 Negative SD Number:8
Negative SD Sum:53 Negative SD Square Sum:1707
Packet Loss Unknown:0 Average of Jitter SD:6
Jitter out value:1.2086132 Packet Loss Ratio: 0%
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0

network 10.1.1.0 0.0.0.255

network 1.1.1.9 0.0.0.0
#
nqa test-instance admin lspjitter
test-type lspjitter
destination-address ipv4 3.3.3.9 lsp-masklen 32 lsp-loopback 127.0.0.1
#
return

#
sysname SwitchB
#
vlan batch 100 110
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return

#
sysname SwitchC
#
vlan batch 110
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#


#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.1.0 0.0.0.255
#
return
11.5.16 Example for Configuring the LSP Jitter Test for the MPLS
TE Tunnel
As shown in Figure 11-25,
l Run OSPF on SwitchA, SwitchB, and SwitchC, and enable the three switches to advertise
host routes of loopback interfaces to each other.
l Enable MPLS, MPLS TE, and MPLS RSVP-TE on SwitchA, SwitchB, and SwitchC.
l Enable MPLS, MPLS TE, and MPLS RSVP-TE on the VLANIF interfaces connecting
SwitchA, SwitchB and SwitchC to set up a TE tunnel from SwitchA and SwitchC.
It is required to perform an NQA LSP Jitter test to check the connectivity of the TE tunnel from
SwitchA to SwitchC.
Figure 11-25 Networking diagram of an LSP jitter test
area 0

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/2

SwitchA 10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24
SwitchB SwitchC
1. Configure SwitchA as the NQA client and create an ICMP jitter test instance on SwitchA.

2. Configure SwitchC as the NQA server.
Procedure
Step 1 Configure routes between SwitchA, SwitchB, and SwitchC. (The detailed procedure is not
mentioned here.)
Step 2 Configure MPLS RSVP-TE on SwitchA, SwitchB, and SwitchC. (The detailed procedure is not
mentioned here.)
Step 3 Set up a TE tunnel from SwitchA to SwitchC. (The detailed procedure is not mentioned here.)
For the configuration of MPLS RSVP-TE, refer to the S2350&S5300&S6300 Series Ethernet
Switches Configuration Guide - MPLS.
Step 4 Create an NQA test on SwitchA.
# Enable the NQA client and create an LSP Jitter test for the TE tunnel.
[SwitchA] nqa test-instance admin lspjitter
[SwitchA-nqa-admin-lspjitter] test-type lspjitter
[SwitchA-nqa-admin-lspjitter] lsp-type te
[SwitchA-nqa-admin-lspjitter] lsp-tetunnel tunnel 1
Step 5 Start the test.

[SwitchA-nqa-admin-lspjitter] start now
Step 6 View the test results.

[SwitchA-nqa-admin-lspjitter] display nqa results test-instance admin lspjitter
NQA entry(admin, lspjitter) :testflag is inactive ,testtype is lspjitter
Completion :success RTD OverThresholds number:0
Min Positive SD:0 Max Positive SD:0
Positive SD Number:0 Positive SD Sum:0
Positive SD Square Sum :0 Min Negative SD:0
Max Negative SD:1 Negative SD Number:1
Negative SD Sum:1 Negative SD Square Sum :1
Packet Loss Unknown:0 Average of Jitter SD:1
Jitter out value:0.0162967 Packet Loss Ratio: 0%
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
mpls lsr-id 1.1.1.9
mpls
mpls te
mpls rsvp-te
mpls te cspf

#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface Tunnel1
tunnel-protocol mpls te
destination 3.3.3.9
mpls te tunnel-id 100
mpls te commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
mpls-te enable
#
nqa test-instance admin lspjitter
test-type lspjitter
lsp-type te
lsp-tetunnel Tunnel1
#
return

#
sysname SwitchB
#
vlan batch 100 110
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1

ip address 2.2.2.9 255.255.255.255

#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
mpls-te enable
#
return

#
sysname SwitchC
#
vlan batch 110
#
mpls lsr-id 3.3.3.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif110
ip address 10.2.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.1.0 0.0.0.255
mpls-te enable
#
return
11.5.17 Example for Configuring the LSP Trace Test for the TE
Tunnel
l MPLS, MPLS TE, and MPLS RSVP-TE are enabled on Switch A, Switch B, and Switch
C.
l MPLS, MPLS TE, and MPLS RSVP-TE are enabled on the VLANIF interfaces connected
to Switch A, Switch B, and Switch C to set up a TE tunnel from Switch A to Switch C.
The NQA LSP trace test is used to test the TE tunnel.

Figure 11-26 Networking diagram for configuring the LSP trace test
area 0

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/2

SwitchA 10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24
SwitchC
SwitchB
1. Configure Switch A as the NQA client. Create an LSP trace test on Switch A.
Procedure
Step 2 Enable MPLS RSVP-TE on Switch A, Switch B, and Switch C. The configuration details are
not mentioned here.
Step 3 Configure a TE tunnel on Switch A to connect Switch C. The configuration details are not
mentioned here.
For the configuration of MPLS RSVP-TE, refer to the S2350&S5300&S6300 Series Ethernet
Switches Configuration Guide - MPLS.
Step 4 Create an NQA test on Switch A.
# Enable the NQA client and configure the LSP trace test for the TE tunnel.
[SwitchA] nqa test-instance admin lsptrace
[SwitchA-nqa-admin-lsptrace] test-type lsptrace
[SwitchA-nqa-admin-lsptrace] lsp-type te
[SwitchA-nqa-admin-lsptrace] lsp-tetunnel tunnel 1

[SwitchA-nqa-admin-lsptrace] start now


[SwitchA-nqa-admin-lsptrace] display nqa results test-instance admin lsptrace
NQA entry(admin, lsptrace) :testFlag is inactive ,testtype is lsptrace
1 . Hop 1
2 . Hop 2
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
mpls lsr-id 1.1.1.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface Tunnel1
destination 3.3.3.9
mpls te commit
#
ospf 1
area 0.0.0.0

network 10.1.1.0 0.0.0.255

network 1.1.1.9 0.0.0.0
mpls-te enable
#
nqa test-instance admin lsptrace
test-type lsptrace
lsp-type te
lsp-tetunnel Tunnel1
#
return

#
sysname SwitchB
#
vlan batch 100 110
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif110
ip address 10.2.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
mpls-te enable
#
return

#
sysname SwitchC
#
vlan batch 110
#
mpls lsr-id 3.3.3.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif110

ip address 10.2.1.2 255.255.255.0

mpls
mpls te
mpls rsvp-te
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.1.0 0.0.0.255
mpls-te enable
#
return
11.5.18 Example for Configuring the LSP Trace Test for Checking
the CR-LSP Hotstandby Tunnel
In the MPLS VPN as shown in Figure 11-27, a TE tunnel with Switch C being the egress is set
up on Switch A, and CR-LSP hot standby is configured on the TE tunnel.
l OSPF is configured on SwitchA, SwitchB, SwitchC, and SwitchD to enable them to learn
the 32-bit host addresses of the loopback interfaces from each other.
l MPLS, MPLS TE, and MPLS RSVP-TE are enabled on SwitchA, SwitchB, SwitchC, and
SwitchD.
l MPLS, MPLS TE, and MPLS RSVP-TE are enabled on the interfaces connected to
Switch A, Switch B, and Switch C. Then, a TE tunnel is set up from SwitchA to SwitchC.
In the preceding configurations:

l The primary CR-LSP is Switch A-Switch B-Switch C.
l The hotstandby CR-LSP is Switch A-Switch D-Switch C.
In this manner, when the primary CR-LSP becomes faulty, traffic can be switched to the hot-
standby CR-LSP. Traffic is switched back to the primary CR-LSP 15 seconds after the fault on
the primary CR-LSP is rectified.
But if the hotstandby CR-LSP is faulty and therefore is unable to carry the traffic that is switched
from the primary CR-LSP, the hotstandby CR-LSP needs to be detected. NQA LSP Trace can
be used to detect the connectivity of the hotstandby CR-LSP. This function can detect the
connectivity of the hotstandby CR-LSP and its performance in real time. This helps detect and
identify faults on the hotstandby CR-LSP.

Figure 11-27 Networking diagram of the LSP Trace test

1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE0/0/1 GE0/0/1
VLANIF10 VLANIF20
GE0/0/2 10.1.1.1/24 20.1.1.1/24 GE0/0/1
30.1.1.1/24 VLANIF10 VLANIF20 40.1.1.2/24
SwitchA 10.1.1.2/24 SwitchB 20.1.1.2/24 SwitchC
Loopback1
4.4.4.4/32
GE0/0/1 GE0/0/2
VLANIF30 VLANIF40
30.1.1.2/24 40.1.1.1/24
SwitchD
1. Configure SwitchA as the NQA client and create an LSP Trace test instance on Switch A.
2. Configure SwitchC as the NQA server.
Procedure
Step 1 Configure routes among SwitchA, SwitchB, SwitchC, and SwitchD.
For detailed configuration, see the configuration files in this example.
Step 2 Configure MPLS RSVP-TE on SwitchA, SwitchB, SwitchC, and SwitchD.
Step 3 On SwitchA, set up a TE tunnel to SwitchC.
Step 4 Configure an NQA test instance on SwitchA.
# Enable the NQA client and create an LSP Trace test instance for checking the TE tunnel.
[SwitchA] nqa test-instance admin lsptrace
[SwitchA-nqa-admin-lsptrace] test-type lsptrace
[SwitchA-nqa-admin-lsptrace] lsp-type te
[SwitchA-nqa-admin-lsptrace] lsp-tetunnel tunnel 1 hot-standby
Step 5 Start the test.

[SwitchA-nqa-admin-lsptrace] start now

[SwitchA-nqa-admin-lsptrace] display nqa results test-instance admin lsptrace
NQA entry(admin, lsptrace) :testFlag is inactive ,testtype is lsptrace


1 . Hop 1
2 . Hop 2
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 30
#
mpls lsr-id 1.1.1.1
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
explicit-path backup
next hop 30.1.1.2
next hop 40.1.1.2
next hop 3.3.3.3
#
explicit-path main
next hop 10.1.1.2
next hop 20.1.1.2
next hop 3.3.3.3
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif30
ip address 30.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#


#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
interface Tunnel1
destination 3.3.3.3
mpls te record-route
mpls te path explicit-path main
mpls te path explicit-path backup secondary
mpls te backup hot-standby mode revertive wtr 15
mpls te backup ordinary best-effort
mpls te commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.1 0.0.0.0
network 30.1.1.0 0.0.0.255
mpls-te enable
#
nqa test-instance admin lsptrace
test-type lsptrace
lsp-type te
lsp-tetunnel Tunnel1 hot-standby
#
return

#
sysname SwitchB
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.2
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif20
ip address 20.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255

#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 2.2.2.2 0.0.0.0
network 20.1.1.0 0.0.0.255
mpls-te enable
#
return

#
sysname SwitchC
#
vlan batch 20 40
#
mpls lsr-id 3.3.3.3
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
interface Vlanif20
ip address 20.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif40
ip address 40.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 20.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
network 3.3.3.3 0.0.0.0
mpls-te enable
#
return

#
sysname SwitchD
#
vlan batch 30 40
#
mpls lsr-id 4.4.4.4
mpls
mpls te
mpls rsvp-te
mpls te cspf

#
interface Vlanif30
ip address 30.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif40
ip address 40.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 30.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
mpls-te enable
#
return
11.5.19 Example for Configuring the PWE3 Ping Test on a Single-

Hop PW
As shown in Figure 11-28, CE-A and CE-B are connected to PE-A and PE-B respectively. PE-
A and PE-B are connected through the MPLS backbone network. A dynamic PW needs to be
set up between PE-A and PE-B through the LSP tunnel.
The PWE3 Ping function of the single-hop PW needs to be performed to test the connectivity
of the PW between PE-A and PE-B.

Figure 11-28 Networking diagram for configuring the PWE3 Ping test on the single-hop PW
MPLS Backbone

192.2.2.2/32 192.4.4.4/32 192.3.3.3/32
GE0/0/2 GE0/0/2
VLANIF120 VLANIF130
GE0/0/2
10.1.1.1/24 GE0/0/1 10.2.2.2/24
PE-A
VLANIF110 10.1.1.2/24 P 10.2.2.1/24 VLANIF140 PE-B
PW
GE0/0/1 GE0/0/1
VLANIF110 VLANIF140
100.1.1.1/24 100.1.1.2/24
CE-A CE-B
1. Run the IGP protocol on the backbone network to make the routes between Switches on
the backbone network reachable.
2. Configure the basic MPLS functions on the backbone network and set up an LSP tunnel.
Set up the MPLS LDP peer relationship between the two PE devices on the two ends of
the PW.
3. Create an MPLS L2VC connection between the two PE devices.
4. Configure a PWE3 Ping test on the single-hop PW on PE-A.
Procedure
Step 1 Configure a dynamic single-hop PW.
Configure a dynamic single-hop PW on the MPLS backbone network.
For the detailed configuration procedure, see "PWE3 Configuration" in the

S2350&S5300&S6300 Series Ethernet Switches Configuration Guide - VPN.
Step 2 Configure a PWE3 Ping test of the single-hop PW.
# Configure PE-A.
[HUAWEI] sysname PE-A
[PE-A] nqa test-instance test pwe3ping
[PE-A-nqa-test-pwe3ping] test-type pwe3ping
[PE-A-nqa-test-pwe3ping] local-pw-id 100
[PE-A-nqa-test-pwe3ping] local-pw-type vlan
[PE-A-nqa-test-pwe3ping] label-type control-word

[PE-A-nqa-test-pwe3ping] start now

After running the display nqa results command on the PE device, you can see that the test is
successful.
[PE-A-nqa-test-pwe3ping] display nqa results
NQA entry(test, pwe3ping) :testflag is inactive ,testtype is pwe3ping
OWD DS Sum:0 Attempts number:1
Disconnect operation number:0 Connection fail number:0
----End
Configuration Files
l Configuration file of CE-A
#
sysname CE-A
#
vlan batch 110
#
interface Vlanif110
ip address 100.1.1.1 255.255.255.0
#
#
return
l Configuration file of PE-A

#
sysname PE-A
#
vlan batch 110 120
#
mpls lsr-id 192.2.2.2
mpls
#
mpls l2vpn
#

mpls ldp
#
remote-ip 192.3.3.3
#
interface Vlanif110
mpls l2vc 192.3.3.3 100
#
interface Vlanif120
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 192.2.2.2 0.0.0.0
#
nqa test-instance test pwe3ping
test-type pwe3ping
local-pw-id 100
local-pw-type vlan
#
ospf 1
area 0.0.0.0
network 192.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return
#
sysname P
#
vlan batch 120 130
#
mpls
#
mpls ldp
#
interface Vlanif120
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif130
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 192.4.4.4 255.255.255.255

#
ospf 1
area 0.0.0.0
network 192.4.4.4 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
l Configuration file of PE-B

#
sysname PE-B
#
vlan batch 130 140
#
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 192.2.2.2
#
interface Vlanif130
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif140
mpls l2vc 192.2.2.2 100
#
#
#
interface LoopBack0
ip address 192.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 192.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return
l Configuration file of CE-B

#
sysname CE-B
#
vlan batch 140
#
interface Vlanif140
ip address 100.1.1.2 255.255.255.0
#
#
return

11.5.20 Example for Configuring the PWE3 Ping Test on a Multi-

Hop PW
As shown in Figure 11-29, CE-A and CE-B are connected to U-PE1 and U-PE2 respectively
through VLAN. U-PE1 and U-PE2 are connected through the MPLS backbone network. The
LSP needs to be used and S-PE is set as the switching node to set up a dynamic multi-hop PW
between U-PE1 and U-PE2.
The PWE3 Ping function of the multi-hop PW needs to be performed to test the connectivity of
the PW between U-PE1 and U-PE2.
Figure 11-29 Networking diagram for configuring the PWE3 Ping test on a multi-hop PW
2.2.2.9/32 3.3.3.9/32 4.4.4.9/32
GE0/0/1 GE0/0/1
P1 VLANIF130 S-PE VLANIF140 P2
20.1.1.2/24 30.1.1.2/24
GE0/0/1 GE0/0/2 GE0/0/2 GE0/0/2
10.1.1.2/24 20.1.1.1/24 30.1.1.1/24 40.1.1.1/24
Loopback0 100 PW Loopback0
1.1.1.9/32 PW 200 5.5.5.9/32
GE0/0/2 GE0/0/2
VLANIF120 VLANIF150 U-PE2
10.1.1.1/24 40.1.1.2/24
GE0/0/1 GE0/0/1
U-PE1 VLANIF110 VLANIF160
GE0/0/1 GE0/0/1
VLANIF110 VLANIF160
100.1.1.1/24 100.1.1.2/24
CE-A CE-B
Set up MPLS LDP peer relations between U-PE1 and S-PE, and between U-PE2 and S-
PE.
3. Create an MPLS L2VC connection between the two U-PEs.
4. Create a switching PW on the switching node S-PE.
5. Configure a PWE3 Ping test on the multi-hop PW on U-PE1.

Procedure
Step 1 Configure a dynamic multi-hop PW.
Configure a dynamic multi-hop PW on the MPLS backbone network.

Step 2 Configure a PWE3 Ping test on a multi-hop PW.
# Configure U-PE1.
[HUAWEI] sysname U-PE1
[U-PE1] nqa test-instance test pwe3ping
[U-PE1-nqa-test-pwe3ping] test-type pwe3ping
[U-PE1-nqa-test-pwe3ping] local-pw-id 100
[U-PE1-nqa-test-pwe3ping] local-pw-type vlan
[U-PE1-nqa-test-pwe3ping] label-type control-word
[U-PE1-nqa-test-pwe3ping] remote-pw-id 200

[U-PE1-nqa-test-pwe3ping] start now
successful.
[U-PE1-nqa-test-pwe3ping] display nqa results
NQA entry(test, pwe3ping) :testFlag is inactive ,testtype is pwe3ping
OWD DS Sum:0 Attempts number:1
Disconnect operation number:0 Connection fail number:0
----End

Configuration Files
#
sysname CE-A
#
vlan batch 110
#
interface Vlanif110
ip address 100.1.1.1 255.255.255.0
#
#
return
l Configuration file of U-PE1

#
sysname U-PE1
#
vlan batch 110 120
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
pw-template pwt
peer-address 3.3.3.9
control-word
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif110
mpls l2vc pw-template pwt 100
#
interface Vlanif120
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
nqa test-instance test pwe3ping
test-type pwe3ping
local-pw-id 100
remote-pw-id 200
local-pw-type vlan
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0

#
return
l Configuration file of P1
#
sysname P1
#
vlan batch 120 130
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif120
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif130
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255
#
return
l Configuration file of S-PE

#
sysname S-PE
#
vlan batch 130 140
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls switch-l2vc 5.5.5.9 200 between 1.1.1.9 100 encapsulation vlan
#
mpls ldp
#
remote-ip 1.1.1.9
#
remote-ip 5.5.5.9
#
interface Vlanif130
ip address 20.1.1.2 255.255.255.0
mpls

mpls ldp
#
interface Vlanif140
ip address 30.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
#
sysname P2
#
vlan batch 140 150
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface Vlanif140
ip address 30.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif150
ip address 40.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 4.4.4.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 30.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
#

#
sysname U-PE2
#
vlan batch 150 160
#
mpls lsr-id 5.5.5.9
mpls
#
mpls l2vpn
#
pw-template pwt
control-word
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif150
ip address 40.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif160
#
#
#
interface LoopBack0
ip address 5.5.5.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 5.5.5.9 0.0.0.0
network 40.1.1.0 0.0.0.255
#
return

#
sysname CE-B
#
vlan batch 160
#
interface Vlanif160
ip address 100.1.1.2 255.255.255.0
#
#
return

11.5.21 Example for Configuring the PWE3 Trace Test on a Single-

Hop PW
As shown in Figure 11-30, CE-A and CE-B are respectively connected to PE-A and PE-B
through VLAN. PE-A and PE-B are connected through the MPLS backbone network. A dynamic
PW needs to be set up between PE-A and PE-B through the LSP tunnel.
The PWE3 Trace function of the single-hop PW needs to be performed to test the connectivity
of the PW between PE-A and PE-B.
Figure 11-30 Networking diagram for configuring the PWE3 Trace test on a single-hop PW
MPLS Backbone

192.2.2.2/32 192.4.4.4/32 192.3.3.3/32
GE0/0/2 GE0/0/2
VLANIF120 VLANIF130
10.1.1.1/24 GE0/0/1 GE0/0/2 10.2.2.2/24
10.2.2.1/24
PE-A VLANIF11010.1.1.2/24 P VLANIF140 PE-B
PW
GE0/0/1 GE0/0/1
VLANIF110 VLANIF140
CE-A 100.1.1.1/24 100.1.1.2/24 CE-B
Set up the MPLS LDP peer relationship between the two PE devices on the two ends of
the PW.
3. Create an MPLS L2VC connection between the two PE devices.
4. Configure a PWE3 Trace test on a single-hop PW on PE-A.
Procedure
Step 1 Configure a dynamic single-hop PW.
Configure a dynamic single-hop PW on the MPLS backbone network.


Step 2 Configure a PWE3 Trace test of the single-hop PW.
# Configure PE-A.
[HUAWEI] sysname PE-A
[PE-A] nqa test-instance test pwe3trace
[PE-A-nqa-test-pwe3trace] test-type pwe3trace
[PE-A-nqa-test-pwe3trace] local-pw-type vlan
[PE-A-nqa-test-pwe3trace] local-pw-id 100

[PE-A -nqa-test-pwe3trace] start now
Run the display nqa history command on the PE device, and you can see that the status is
success.
[PE-A-nqa-test-pwe3trace] display nqa history
NQA entry(test, pwe3trace)
history:
Index T/H/P Response Status Address Time
1 1/1/1 4ms success 10.1.1.2 2012-09-30
09:33:03.301
2 1/1/2 5ms success 10.1.1.2 2012-09-30
09:33:03.307
3 1/1/3 3ms success 10.1.1.2 2012-09-30
09:33:03.311
4 1/2/1 6ms success 3.3.3.9 2012-09-30
09:33:03.318
5 1/2/2 6ms success 3.3.3.9 2012-09-30
09:33:03.324
6 1/2/3 6ms success 3.3.3.9 2012-09-30
09:33:03.331
success.
[PE-A-nqa-test-pwe3trace] display nqa results
NQA entry(test, pwe3trace) :testflag is inactive ,testtype is pwe3trace
1 . Hop 1
2 . Hop 2

----End
Configuration Files
#
sysname CE-A
#
vlan batch 110
#
interface Vlanif110
ip address 100.1.1.1 255.255.255.0
#
#
return
l Configuration file of PE-A

#
sysname PE-A
#
vlan batch 110 120
#
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 192.3.3.3
#
interface Vlanif110
mpls l2vc 192.3.3.3 100
#
interface Vlanif120
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 192.2.2.2 0.0.0.0
#
nqa test-instance test pwe3trace
test-type pwe3trace
local-pw-id 100
local-pw-type vlan
#
ospf 1
area 0.0.0.0
network 192.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255

#
return
#
sysname P
#
vlan batch 120 130
#
mpls
#
mpls ldp
#
interface Vlanif120
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif130
ip address 10.2.2.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 192.4.4.4 255.255.255.255
#
ospf 1
area 0.0.0.0
network 192.4.4.4 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.2.0 0.0.0.255
#
return
l Configuration file of PE-B

#
sysname PE-B
#
vlan batch 130 140
#
mpls
#
mpls l2vpn
#
mpls ldp
#
remote-ip 192.2.2.2
#
interface Vlanif130
ip address 10.2.2.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif140
mpls l2vc 192.2.2.2 100
#

#
#
interface LoopBack0
ip address 192.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 192.3.3.3 0.0.0.0
network 10.2.2.0 0.0.0.255
#
return

#
sysname CE-B
#
vlan batch 140
#
interface Vlanif140
ip address 100.1.1.2 255.255.255.0
#
#
return
11.5.22 Example for Configuring the PWE3 Trace Test on a Multi-

Hop PW
As shown in Figure 11-31, CE-A and CE-B are respectively connected to U-PE1 and U-PE2
through VLAN. U-PE1 and U-PE2 are connected through the MPLS backbone network. The
LSP needs to be used and S-PE is set as the switching node to set up a dynamic multi-hop PW
between U-PE1 and U-PE2.
The PWE3 Trace function of the multi-hop PW needs to be performed to test the connectivity
of the PW between U-PE1 and U-PE2.

Figure 11-31 Networking diagram for configuring the PWE3 Trace test on a multi-hop PW
2.2.2.9/32 3.3.3.9/32 4.4.4.9/32
GE0/0/1 GE0/0/1
P1 VLANIF130 S-PE VLANIF140 P2
20.1.1.2/24 30.1.1.2/24
GE0/0/1 GE0/0/2 GE0/0/2 GE0/0/2
VLANIF130
10.1.1.2/24 30.1.1.1/24 40.1.1.1/24
20.1.1.1/24
Loopback0 Loopback0
1.1.1.9/32 100 PW
200 5.5.5.9/32
PW
GE0/0/2 GE0/0/1
VLANIF120 VLANIF150 U-PE2
10.1.1.1/24 40.1.1.2/24
GE0/0/1 GE0/0/2
U-PE1
VLANIF110 VLANIF160
GE0/0/1 GE0/0/1
VLANIF110 VLANIF160
100.1.1.1/24 100.1.1.2/24
CE-A CE-B
Set up MPLS LDP peer relations between U-PE1 and S-PE, and between U-PE2 and S-
PE.
3. Create an MPLS L2VC connection between the two U-PEs.
4. Create a switching PW on the switching node S-PE.
5. Configure a PWE3 Trace test on the multi-hop PW on U-PE1.
Procedure
Step 1 Configure a dynamic multi-hop PW.
Configure a dynamic multi-hop PW on the MPLS backbone network.

Step 2 Configure a PWE3 Trace test of the multi-hop PW.
# Configure U-PE1.
[HUAWEI] sysname U-PE1

[U-PE1] nqa test-instance test pwe3trace

[U-PE1-nqa-test-pwe3trace] test-type pwe3trace
[U-PE1-nqa-test-pwe3trace] local-pw-id 100
[U-PE1-nqa-test-pwe3trace] local-pw-type vlan
[U-PE1-nqa-test-pwe3trace] label-type control-word
[U-PE1-nqa-test-pwe3trace] remote-pw-id 200

[U-PE1-nqa-test-pwe3trace] start now

After running the display nqa history command on the PE device, you can see that the status
is successful.
[U-PE1-nqa-test-pwe3trace] display nqa history
NQA entry(test, pwe3trace)
history:
Index T/H/P Response Status Address Time
1 1/1/1 4ms success 10.1.1.2 2012-09-30
09:33:03.301
2 1/1/2 5ms success 10.1.1.2 2012-09-30
09:33:03.307
3 1/1/3 3ms success 10.1.1.2 2012-09-30
09:33:03.311
4 1/2/1 6ms success 20.1.1.2 2012-09-30
09:33:03.318
5 1/2/2 6ms success 20.1.1.2 2012-09-30
09:33:03.324
6 1/2/3 6ms success 20.1.1.2 2012-09-30
09:33:03.331
7 1/3/1 6ms success 30.1.1.2 2012-09-30
09:33:03.318
8 1/3/2 6ms success 30.1.1.2 2012-09-30
09:33:03.324
9 1/3/3 6ms success 30.1.1.2 2012-09-30
09:33:03.331
10 1/4/1 6ms success 5.5.5.9 2012-09-30
09:33:03.318
11 1/4/2 6ms success 5.5.5.9 2012-09-30
09:33:03.324
12 1/4/3 6ms success 5.5.5.9 2012-09-30 09:33:03.331
Running the display nqa results command on the PE device, you can see that the test is
successful.
[U-PE1-nqa-test-pwe3trace] display nqa results
NQA entry(test, pwe3trace) :testflag is inactive ,testtype is pwe3trace
1 . Hop 1
Lost packet ratio: 0%
2 . Hop 2


3 . Hop 3
4 . Hop 4
----End
Configuration Files
#
sysname CE-A
#
vlan batch 110
#
interface Vlanif110
ip address 100.1.1.1 255.255.255.0
#
#
return

#
sysname U-PE1
#
vlan batch 110 120
#
mpls lsr-id 1.1.1.9
mpls
#
mpls l2vpn
#
pw-template pwt
control-word
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif110
#
interface Vlanif120
ip address 10.1.1.1 255.255.255.0
mpls

mpls ldp
#
#
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
nqa test-instance test pwe3trace
test-type pwe3trace
local-pw-id 100
remote-pw-id 200
local-pw-type vlan
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
#
sysname P1
#
vlan batch 120 130
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
#
interface Vlanif120
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif130
ip address 20.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 20.1.1.0 0.0.0.255
#
return
l Configuration file of S-PE

#
sysname S-PE
#
vlan batch 130 140
#
mpls lsr-id 3.3.3.9
mpls
#
mpls l2vpn
#
mpls switch-l2vc 5.5.5.9 200 between 1.1.1.9 100 encapsulation vlan
#
mpls ldp
#
remote-ip 1.1.1.9
#
remote-ip 5.5.5.9
#
interface Vlanif130
ip address 20.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif140
ip address 30.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 20.1.1.0 0.0.0.255
network 30.1.1.0 0.0.0.255
#
return
#
sysname P2
#
vlan batch 140 150
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface Vlanif140
ip address 30.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif150
ip address 40.1.1.1 255.255.255.0

mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 4.4.4.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 30.1.1.0 0.0.0.255
network 40.1.1.0 0.0.0.255
#

#
sysname U-PE2
#
vlan batch 150 160
#
mpls lsr-id 5.5.5.9
mpls
#
mpls l2vpn
#
pw-template pwt
control-word
#
mpls ldp
#
remote-ip 3.3.3.9
#
interface Vlanif150
ip address 40.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif160
#
#
#
interface LoopBack0
ip address 5.5.5.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 5.5.5.9 0.0.0.0
network 40.1.1.0 0.0.0.255
#
return


#
sysname CE-B
#
vlan batch 160
#
interface Vlanif160
ip address 100.1.1.2 255.255.255.0
#
#
return
11.5.23 Example for Sending Trap Massages to the NMS When the
Threshold Is Exceeded
A Jitter test needs to be performed to configure a transmission delay threshold and enable the
trap function as shown in Figure 11-32. After the jitter test is complete, SwitchA sends a trap
message to the NMS when the RTT of the test packet exceeds the configured two-way
transmission threshold. According to the traps received by the NMS, network administrators can
easily locate the fault.
Figure 11-32 Networking diagram for sending traps to NMS when the threshold is exceeded
NM Station
20.1.1.2/24
GE0/0/2
VLANIF10
20.1.1.1/24 SwitchB SwitchC
GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1
10.1.1.1/24 10.1.1.2/24 30.1.1.1/24 30.1.1.2/24
SwitchA NQA Server
NQA Client
1. Configure SwitchC as the NQA server and configure the host IP address and port number.
2. Configure SwitchA as the NQA client, configure a threshold for the NQA alarm, and enable
the trap function.
3. Create a jitter test instance on SwitchA.

Procedure
NOTE
Step 2 Configure the IP address and port number for monitoring UDP services on SwitchC.
Step 3 Create a jitter test instance on SwitchA.

[SwitchA-nqa-admin-jitter] test-type jitter
[SwitchA-nqa-admin-jitter] destination-address ipv4 30.1.1.2
[SwitchA-nqa-admin-jitter] destination-port 9000
Step 4 Set a threshold on SwitchA.

# Configure the RTD threshold on SwitchA.
[SwitchA-nqa-admin-jitter] threshold rtd 20
Step 5 Enable the trap function on SwitchA.

[SwitchA-nqa-admin-jitter] send-trap rtd
[SwitchA-nqa-admin-jitter] quit
Step 6 Configure traps to be sent to the NMS.

[SwitchA] snmp-agent sys-info version v2c
[SwitchA] snmp-agent community write nsmsecurity
[SwitchA] snmp-agent target-host trap address udp-domain 20.1.1.2 params
securityname switchA
[SwitchA] snmp-agent trap enable

[SwitchA-nqa-admin-jitter] start now
[SwitchA-nqa-admin-jitter] quit
[SwitchA] quit

<SwitchA> display nqa result

NQA entry(admin, jitter) :testflag is inactive ,testtype is jitter

# Check whether traps are generated in the trap buffer.

<SwitchA> display trapbuffer
Trapping buffer configuration and contents : enabled
Allowed max buffer size : 1024
Actual buffer size : 256
Channel number : 3 , Channel name : trapbuffer
Dropped messages : 0
Overwritten messages : 3363
Current messages : 256
#Nov 15 2012 16:57:21+06:00 SwitchA NQA/4/RTDTHRESHOLD:OID

1.3.6.1.4.1.2011.5.25.111.6.16 NQA entry RTD over threshold. (OwnerIndex=admin,
TestName=jitter)
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 10 20
#
interface Vlanif10
ip address 20.1.1.1 255.255.255.0
#
interface Vlanif20
ip address 10.1.1.1 255.255.255.0
#
#

#
snmp-
agent
snmp-agent local-engineid
800007DB0300E009877890
snmp-agent community write cipher %$%$*8GO(h4ev5m'kqN2o(sN&=[`%$%
$
snmp-agent sys-info version v2c
v3
snmp-agent target-host trap address udp-domain 20.1.1.2 params securityname
switchA
#
ip route-static 30.1.1.0 255.255.255.0 10.1.1.2
#
jitter
test-type
jitter
threshold rtd 20
send-trap rtd
#
return

#
sysname SwitchB
#
vlan batch 20 30
#
interface Vlanif20
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif30
ip address 30.1.1.1 255.255.255.0
#
#
#
return

#
sysname SwitchC
#
vlan batch 30
#
interface Vlanif30
ip address 30.1.1.2 255.255.255.0
#
#
#
ip route-static 10.1.1.0 255.255.255.0 30.1.1.1

#
return
11.6 LLDP Configuration

The Link Layer Discovery Protocol (LLDP) allows you to obtain details about the network
topology, changes in the topology, and detect incorrect configurations on the network.
11.6.1 Example for Configuring LLDP on the Device That Has a

Single Neighbor
As shown in Figure 11-33, SwitchA and SwitchB are directly connected; SwitchA and ME are
directly connected; routes between the NMS and SwitchA, and the NMS and SwitchB are
reachable; SNMP is configured.
A network administrator wants to obtain communication information between SwitchA and ME,
and between SwitchA and SwitchB, and alarms of device function changes to know the detailed
network topology and configuration conflicts.
Figure 11-33 Single-neighbor network
Internet
NMS
10.10.10.1 Switch A
GE0/0/1 GE0/0/2
GE0/0/1
10.10.10.2
Switch B ME
The LLDP function can meet the network administrator's requirement. The configuration
1. Enable global LLDP on SwitchA and SwitchB.
2. Configure management IP addresses for SwitchA and SwitchB.
3. Enable the LLDP trap function on SwitchA and SwitchB so that trap messages can be sent
to the NMS in a timely manner.

Procedure
Step 1 Enable global LLDP on SwitchA and SwitchB.
[SwitchA] lldp enable
[SwitchB] lldp enable
Step 2 Configure management IP addresses for SwitchA and SwitchB.

[SwitchA] lldp management-address 10.10.10.1
[SwitchB] lldp management-address 10.10.10.2
Step 3 Enable the LLDP trap function on SwitchA and SwitchB.

[SwitchA] snmp-agent trap enable feature-name lldptrap
[SwitchB] snmp-agent trap enable feature-name lldptrap

l Check SwitchA.
# Check the SwitchA configuration.
[SwitchA] display lldp local
System
information
--------------------------------------------------------------------------
Chassis
type :macAddress
Chassis ID :
00e0-11fc-1710
System name :SwitchA
System description :S5352C-EI
Huawei Versatile Routing Platform Software
VRP (R) software,Version 5.130 (S5300 V200R003C00 )
Copyright (C) 2000-2012 Huawei Technologies Co., Ltd
System capabilities supported :bridge

router
System capabilities enabled :bridge
router
LLDP Up time :2012/5/10
11:40:49
MED system information

--------------------------------------------------------------------------
Device class :Network
Connectivity
(MED inventory information of master
board)
HardwareRev :VER B
FirmwareRev :NA
SoftwareRev :Version 5.130 V200R003C00

SerialNum :NA
Manufacturer name :HUAWEI TECH CO.,
LTD
Model
name :NA
Asset tracking identifier :NA
System configuration
--------------------------------------------------------------------------
LLDP Status :enabled (default is disabled)
LLDP Message Tx Interval :30 (default is 30s)
LLDP Message Tx Hold Multiplier :4 (default is 4)
LLDP Refresh Delay :2 (default is 2s)
LLDP Tx Delay :2 (default is 2s)
LLDP Notification Interval :5 (default is 5s)
LLDP Notification Enable :enabled (default is disabled)
Management Address :IP: 10.10.10.1
Remote Table Statistics:

--------------------------------------------------------------------------
Remote Table Last Change Time :0 days, 5 hours, 57 minutes, 32 seconds
Remote Neighbors Added :15
Remote Neighbors Deleted :13
Remote Neighbors Dropped :0
Remote Neighbors Aged :0
Total Neighbors :2
Port
information:
--------------------------------------------------------------------------
Interface GigabitEthernet0/0/1:
LLDP Enable Status :enabled (default is
disabled)
Total Neighbors :
1
Port ID
subtype :interfaceName
Port ID :GigabitEthernet0/0/1
Port description :GigabitEthernet0/0/1
Port And Protocol VLAN ID(PPVID) don't

supported
Port VLAN ID(PVID) :
1
VLAN name of VLAN 1:
VLAN1
Protocol identity :STP RSTP/MSTP LACP EthOAM
CFM
Auto-negotiation
supported :Yes
Auto-negotiation
enabled :Yes
OperMau :speed(1000)/duplex(Full)
Power port
class :PD
PSE power

supported :No
PSE power
enabled :No
PSE pairs control
ability:No
Power
pairs :Unknown
Port power
classification:Unknown
Link aggregation
supported:Yes
Link aggregation
enabled :No
Aggregation port ID :
0
Maximum frame Size :
1526
EEE support :Yes

Transmit Tw :36
Receive Tw :36
Fallback Receive Tw :36
Echo Transmit Tw :36
Echo Receive Tw :36
MED port
information
Media policy
type :Unknown
Unknown
Policy :Yes
VLAN
tagged :No
Media policy VlanID :
0
Media policy L2 priority :
0
Media policy Dscp :
0
Power
Type :Unknown
PoE PSE power
source :Unknown
Port PSE
Priority :Unknown
Port Available power value:0.2
(w)
---- More
----
# Check neighbor information of SwitchA.

[SwitchA] display lldp neighbor interface GigabitEthernet0/0/1
GigabitEthernet0/0/1 has 1 neighbors:
Neighbor index :
1
Chassis
type :macAddress
Chassis ID :
00e0-11fc-1710
Port ID
type :interfaceName

Port description :NA

System
name :SwitchB

router
router
Management address
type :ipV4
Management address :
10.10.10.2
Expired time :
104s

1
VLAN1
Protocol identity :
Auto-negotiation
supported :Yes
Auto-negotiation
enabled :Yes
OperMau :speed(1000)/duplex
(Full)
Power port
class :PD
PSE power
supported :No
PSE power
enabled :No
PSE pairs control
ability:No
Power
pairs :Unknown
Port power
Link aggregation
supported:Yes
Link aggregation
enabled :No
0
Maximum frame Size :9216
EEE support :Yes

Transmit Tw :36
Receive Tw :36
Echo Receive Tw :36
MED Device
information
Connectivity
HardwareRev :VER.A

FirmwareRev :NA

SerialNum :NA
LTD
Model
name :NA
Asset tracking
identifier :NA
Media policy type :Voice

Unknown
Policy :Defined
VLAN
tagged :Yes
0
6
Media policy Dscp :
46
Power
Type :Unknown
PoE PSE power
source :Unknown
Port PSE
Priority :Unknown
(w)
l Check SwitchB.
Refer to the steps for checking SwitchA.
----End
Configuration Files
#
sysname SwitchA
#
interface MEth0/0/1
ip address 10.10.10.1 255.255.255.0
#
lldp enable
#
snmp-agent trap enable feature-name LLDPTRAP
#
lldp management-address 10.10.10.1
#
return

#
sysname SwitchB
#
interface MEth0/0/1
ip address 10.10.10.2 255.255.255.0
#
lldp enable
#
snmp-agent trap enable feature-name LLDPTRAP
#

#
return
11.6.2 Example for Configuring LLDP on the Device That Has

Multiple Neighbors
As shown in Figure 11-34, SwitchA, SwitchB, SwitchC are interconnected through an unknown
network. The NMS has reachable routes to SwitchA, SwitchB, SwitchC, and SNMP
configuration has been complete.
A network administrator wants to obtain Layer 2 information about SwitchA, SwitchB, and
SwitchC to know the detailed network topology and configuration conflicts.
Figure 11-34 Multiple-neighbor network
NMS SNMP
SNMP
SwitchD SwitchF
LL LLDPDU
D
PD
U
LL
D
U
PD
PD
U
D
LLDPDU
SwitchE
LL
10.10.10.1
10.10.10.2
SwitchA 10.10.10.3
SwitchB SwitchC
LLDP interface SNMP packet
NMS: Network Management System LLDPDU packet
The LLDP function can be used to meet the network administrator's requirement. The
1. Enable global LLDP on SwitchA, SwitchB, and SwitchC.
2. Configure management IP addresses for SwitchA, SwitchB, and SwitchC.
3. Configure LLDP transparent transmission on SwitchD, SwitchE, and SwitchF.

Procedure
Step 1 Enable global LLDP on SwitchA, SwitchB, and SwitchC.
[SwitchC] lldp enable
Step 2 Configure management IP addresses for SwitchA, SwitchB, and SwitchC.
[SwitchC] lldp management-address 10.10.10.3
Step 3 Configure LLDP transparent transmission on SwitchD, SwitchE, and SwitchF.
# Configure SwitchD. The configurations on SwitchE and SwitchF are similar to the
configuration on SwitchD, and are not provided here.
l Enable group MAC function for the transparent transmission of Layer 2 protocol packets
globally.
[SwitchD] l2protocol-tunnel lldp group-mac default-group-mac
l Enable LLDP transparent transmission on interfaces.

Run the l2protocol-tunnel lldp enable command on all the interfaces requiring this function.

l Check SwitchA.
# Check the SwitchA configuration.
<SwitchA> display lldp local
System
information
--------------------------------------------------------------------------
Chassis
type :macAddress
Chassis ID :
00e0-11fc-1710



router
router
11:40:49

--------------------------------------------------------------------------
Connectivity
(MED inventory information of master
board)
HardwareRev :VER B
FirmwareRev :NA
SerialNum :NA
LTD
Model
name :NA
--------------------------------------------------------------------------

--------------------------------------------------------------------------
Total Neighbors :2
Port
information:
--------------------------------------------------------------------------
LLDP Enable Status :enabled (default is
disabled)
Total Neighbors :
1
Port ID
subtype :interfaceName

Port And Protocol VLAN ID(PPVID) don't

supported
1
VLAN1
Protocol identity :STP RSTP/MSTP LACP EthOAM
CFM
Auto-negotiation
supported :Yes
Auto-negotiation
enabled :Yes
Power port
class :PD
PSE power
supported :No
PSE power
enabled :No
PSE pairs control
ability:No
Power
pairs :Unknown
Port power
Link aggregation
supported:Yes
Link aggregation
enabled :No
0
Maximum frame Size :
1526
EEE support :Yes

Transmit Tw :36
Receive Tw :36
Echo Receive Tw :36
MED port
information
Media policy
type :Unknown
Unknown
Policy :Yes
VLAN
tagged :No
0
0
Media policy Dscp :
0
Power
Type :Unknown
PoE PSE power
source :Unknown

Port PSE
Priority :Unknown
(w)
---- More
----

<SwitchA> display lldp neighbor interface GigabitEthernet0/0/1
Neighbor index :
1
Chassis
type :macAddress
Chassis ID :00e0-
fc33-0012
Port ID
type :interfaceName
System
name :SwitchB
VRP (R) software,Version 5.120 (S5300 V200R003C00)
Copyright (C) 2000-2012 Huawei
Technologies Co., Ltd
router
router
Management address
type :ipV4
Management address : 10.10.10.2
Expired time :
104s

1
VLAN1
Protocol identity :
Auto-negotiation
supported :Yes
Auto-negotiation
enabled :Yes
(Full)
Power port
class :PD
PSE power
supported :No
PSE power
enabled :No
PSE pairs control
ability:No
Power
pairs :Unknown
Port power
Link aggregation

supported:Yes
Link aggregation
enabled :No
0
EEE support :Yes

Transmit Tw :36
Receive Tw :36
Echo Receive Tw :36
MED Device
information
Connectivity
HardwareRev :VER.A
FirmwareRev :NA

SerialNum :NA
LTD
Model
name :NA
Asset tracking
identifier :NA

Unknown
Policy :Defined
VLAN
tagged :Yes
0
6
Media policy Dscp :
46
Power
Type :Unknown
PoE PSE power
source :Unknown
Port PSE
Priority :Unknown
(w)
Neighbor index :
2
Chassis
type :macAddress
Chassis ID :00e0-fc33-0013
Port ID
type :interfaceName
System
name :SwitchC
VRP (R) software,Version 5.120 (S5300 V200R003C00)
Copyright (C) 2000-2012 Huawei

Technologies Co., Ltd

router
router
Management address
type :ipV4
Management address :
10.10.10.3
Expired time :
104s

1
VLAN1
Protocol identity :
Auto-negotiation
supported :Yes
Auto-negotiation
enabled :Yes
(Full)
Power port
class :PD
PSE power
supported :No
PSE power
enabled :No
PSE pairs control
ability:No
Power
pairs :Unknown
Port power
Link aggregation
supported:Yes
Link aggregation
enabled :No
0
EEE support :Yes

Transmit Tw :36
Receive Tw :36
Echo Receive Tw :36
MED Device
information
Connectivity
HardwareRev :VER.A
FirmwareRev :NA

SerialNum :NA
LTD
Model

name :NA
Asset tracking
identifier :NA

Unknown
Policy :Defined
VLAN
tagged :Yes
0
6
Media policy Dscp :
46
Power
Type :Unknown
PoE PSE power
source :Unknown
Port PSE
Priority :Unknown
(w)
l Check SwitchB.
l Check SwitchC.
----End
Configuration Files
#
sysname SwitchA
#
interface MEth0/0/1
ip address 10.10.10.1 255.255.255.0
#
lldp enable
#
#
return

#
sysname SwitchB
#
interface MEth0/0/1
ip address 10.10.10.2 255.255.255.0
#
lldp enable
#
#
return

#
sysname SwitchC
#

interface MEth0/0/1
ip address 10.10.10.3 255.255.255.0
#
lldp enable
#
#
return
11.6.3 Example for Configuring LLDP on the Network with link

aggregation configured
As shown in Figure 11-35, SwitchA and SwitchB are connected through an Eth-Trunk. Routes
between the NMS and Switches are reachable, and SNMP is configured.
A network administrator wants to obtain Layer 2 information about SwitchA and SwitchB to
know the detailed network topology and configuration conflicts.
Figure 11-35 Network with link aggregation configured

NMS
Network
VLAN 100 VLAN 200
Eth-Trunk 1
Enterprise Switch A Switch B

Enterprise
User 10.10.10.1 10.10.10.2
User
The LLDP function can meet the network administrator's requirement. The configuration
1. Add physical interfaces on SwitchA and SwitchB to the Eth-Trunk.
2. Enable global LLDP on SwitchA and SwitchB.
3. Configure management IP addresses for SwitchA and SwitchB.
Procedure
Step 1 Add physical interfaces on SwitchA and SwitchB to the Eth-Trunk.
[SwitchA-Eth-Trunk1] trunkport gigabitethernet 0/0/1


[SwitchA-Eth-Trunk1] port link-type trunk
[SwitchA-Eth-Trunk1] port trunk allow-pass vlan 100
[SwitchB] interface eth-trunk 1
[SwitchB-Eth-Trunk1] trunkport gigabitethernet 0/0/1
[SwitchB-Eth-Trunk1] port link-type trunk
[SwitchB-Eth-Trunk1] port trunk allow-pass vlan 100
[SwitchB-Eth-Trunk1] quit
Step 2 Enable global LLDP on SwitchA and SwitchB.

Step 3 Configure management IP addresses for SwitchA and SwitchB.


l Check the SwitchA configuration.
# Check whether the physical interfaces are added to Eth-Trunk1.
WorkingMode: NORMAL Hash arithmetic: According to SIP-XOR-DIP
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber:
8
Operate status: up Number Of Up Port In Trunk:
3
-------------------------------------------------------------------------------
-
PortName Status
Weight
GigabitEthernet0/0/1 Up
1
GigabitEthernet0/0/2 Up
1
# View the LLDP configurations.

<SwitchA> display lldp local
System information
--------------------------------------------------------------------------
Chassis
type :macAddress
Chassis ID :00e0-
fc33-0011



router
router
18:35:45

--------------------------------------------------------------------------
Device class :Network Connectivity
(MED inventory information of master board)
HardwareRev :VER A
FirmwareRev :NA
SerialNum :NA
Manufacturer name :HUAWEI TECH CO.,LTD
Model name :NA
--------------------------------------------------------------------------

--------------------------------------------------------------------------
Total Neighbors :3
Port information:
--------------------------------------------------------------------------
LLDP Enable Status :enabled (default is disabled)
Total Neighbors :1
Port ID subtype :interfaceName

Port And Protocol VLAN ID(PPVID) don't supported

Port VLAN ID(PVID) :1
VLAN name of VLAN 1: VLAN1
Protocol identity :STP RSTP/MSTP LACP EthOAM CFM
Auto-negotiation supported :Yes

Auto-negotiation enabled :Yes
Power port class :PD

PSE power supported :No
PSE power enabled :No

PSE pairs control ability:No

Power pairs :Unknown
Port power classification:Unknown
Link aggregation supported:Yes

Link aggregation enabled :No
Aggregation port ID :1
EEE support :Yes

Transmit Tw :36
Receive Tw :36
Echo Receive Tw :36
MED port information
Media policy type :Unknown

Unknown Policy :Yes
VLAN tagged :No
Media policy VlanID :0
Media policy L2 priority :0
Media policy Dscp :0
Power Type :Unknown

PoE PSE power source :Unknown
Port PSE Priority :Unknown
Port Available power value:0.2(w)
Total Neighbors :1





Link aggregation enabled :Yes
EEE support :Yes

Transmit Tw :36
Receive Tw :36
Echo Receive Tw :36


Unknown Policy :Yes
VLAN tagged :No
Power Type :Unknown

Total Neighbors :1





Link aggregation enabled :Yes
EEE support :Yes

Transmit Tw :36
Receive Tw :36
Echo Receive Tw :36

Unknown Policy :Yes
VLAN tagged :No
Power Type :Unknown


[SwitchA] display lldp neighbor brief
Local Intf Neighbor Dev Neighbor Intf
Exptime

GE0/0/1 SwitchB GE0/0/1 115

l Check the SwitchB configuration.

----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
interface MEth0/0/1
ip address 10.10.10.1 255.255.255.0
#
lldp enable
#
#
port link-type
trunk
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1
#
return

#
sysname SwitchB
#
vlan batch 100
#
interface MEth0/0/1
ip address 10.10.10.2 255.255.255.0
#
lldp enable
#
#
port link-type
trunk
#
eth-trunk 1
#
eth-trunk 1
#
eth-trunk 1

#
return
11.6.4 Example for Configuring CDP-Compatible LLDP
As shown in Figure 11-36, SwitchA (a Huawei device) connects to SwitchB (a non-Huawei
device) through an unknown network. The NMS and the switches have reachable routes to each
other, and the SNMP configuration has been completed.
A network administrator wants to obtain Layer 2 information about SwitchA and SwitchB to
know the detailed network topology and check for configuration conflicts.
Figure 11-36 Configuring CDP-compatible LLDP

NMS
P
SNM
GE0/0/1
SwitchA SwitchB
LLDP interface SNMP packet

NMS: Network Management System CDP packet
1. Enable global LLDP on SwitchA.
2. Enable CDP-compatible LLDP on SwitchA so that SwitchA can discover non-Huawei
neighbors.
Procedure
Step 1 Enable global LLDP on SwitchA.

Step 2 Enable CDP-compatible LLDP on SwitchA.
# Enable CDP-compatible LLDP on GE0/0/1.

[SwitchA-GigabitEthernet0/0/1] lldp compliance cdp receive
[SwitchA] quit
# View the configuration of CDP-compatible LLDP, CDP trap function, and the delay in sending
CDP trap messages.
l View local CDP information on SwitchA.
<SwitchA> display cdp local
--------------------------------------------------------------------------
CDP Notification Interval :5 (default is
5s)
CDP Notification Enable :enabled (default is
enabled)

--------------------------------------------------------------------------
Total Neighbors :1
Port information:
--------------------------------------------------------------------------
CDP Status :enabled (default is
disabled)
Total Neighbors :1
---- More ----
l View neighbor CDP information on SwitchA.

<SwitchA> display cdp neighbor
Neighbor index :
1
Device
ID :ME3400
Port
ID :GigabitEthernet0/4
Version :Cisco IOS Software, ME340x Software (ME340x-METROIPACCESSK9-
M),
Version 12.2(55)SE3, RELEASE SOFTWARE
(fc1)
Technical Support: http://www.cisco.com/
techsupport
Copyright (c) 1986-2011 by Cisco Systems,
Inc.
Compiled Thu 05-May-11 17:37 by
prod_rel_team
Platform :cisco ME-3400EG-2CS-
A

MacAddress :b4a4-e3cf-
e984
Discovered time:0 days, 22 hours, 33 minutes, 36
seconds
Expired time :122
---- More ----
----End
Configuration File
#
sysname SwitchA
#
lldp enable
#
interface Ethernet0/0/0
ip address 10.10.10.1 255.255.255.0
#
lldp compliance cdp receive
#
return
11.6.5 Example for Configuring the Voice VLAN Capability of

LLDP to Provide VoIP Service
Data flows of the HSI, VoIP, and IPTV services are transmitted on a network. Users require
high quality of the VoIP service. Therefore, voice data flows must be transmitted with a high
priority. If voice devices connected to a switch support LLDP, you can configure the voice
VLAN capability of LLDP on the switch to provide the VoIP service. The switch then uses
LLDP to assign a VLAN ID to the voice devices,
As shown in Figure 11-37, after the voice VLAN capability of LLDP is configured on the
Switch, the voice device can learn their VLAN ID using LLDP.

Figure 11-37 Configuring LLDP to provide VoIP service

DHCP Server
Internet
Switch
GE0/0/1
LAN Switch
HSI VoIP IPTV
The configuration roadmap as follows:
1. Creat VLANs, and then configure the link type and default VLAN for the interface
connected to the voice device. Use VLAN 10 as the default VLAN of GE0/0/1 to forward
data flows of the HSI and IPTV services, and use VLAN 20 as the voice VLAN for LLDP
to forward VoIP voice flows.
2. Enable LLDP globally.
3. Configure the voice VLAN capability of LLDP.
Procedure
Step 1 Configure VLANs and the interface connected to the voice device on the Switch.

Step 2 Enable LLDP.


Step 3 Configure the voice VLAN capability of LLDP.

[HUAWEI-GigabitEthernet0/0/1] lldp tlv-enable med-tlv network-policy voice-vlan
vlan 20
[HUAWEI] quit

# Run the display lldp local command to check the configuration of the LLDP's voice VLAN
capability.
<HUAWEI> display lldp local
System information
--------------------------------------------------------------------------
Chassis type :macAddress
Chassis ID :00e0-11fc-1710
System name :HUAWEI

router
router
LLDP Up time :2012/5/10 11:40:49

--------------------------------------------------------------------------
Device class :Network Connectivity
(MED inventory information of master board)
HardwareRev :VER B
FirmwareRev :NA
SerialNum :NA
LTD
Model name :NA
--------------------------------------------------------------------------
LLDP Notification Enable :enabled (default is enabled)

--------------------------------------------------------------------------

Total Neighbors :2
Port information:
--------------------------------------------------------------------------
Total Neighbors :1





Link aggregation enabled :No
EEE support :Yes

Transmit Tw :36
Receive Tw :36
Echo Receive Tw :36

Unknown Policy :Defined
VLAN tagged :Yes
Power Type :Unknown

Total Neighbors :0
---- More ----
----End

Configuration File
#
vlan batch 10 20
#
lldp enable
#
port hybrid tagged vlan
20
lldp tlv-enable med-tlv network-policy voice-vlan vlan 20
#
return
11.7 sFlow Overview

This section describes how to configure Sampled Flow (sFlow) to monitor traffic on an interface
in real time, detect abnormal traffic, and locate the source of attack traffic, ensuring stable
running of the network.
NOTE
The sFlow function conforms to RFC3176 and sFlow.org standard. For security risks, see RFC3954 and
sFlow.org standard. This function involves analyzing the communications information of terminal customers.
Before enabling the function, ensure that it is performed within the boundaries permitted by applicable laws and
regulations. Effective measures must be taken to ensure that information is securely protected.
11.7.1 Example for Configuring sFlow
As shown in Figure 11-38, traffic between Network1 and Network2 is exchanged through
SwitchA. The maintenance personnel need to monitor the traffic on GE0/0/2 and device running
to locate unexpected traffic and ensure normal network operation on the network 1.
Figure 11-38 sFlow networking diagram

sFlow Collector
10.10.10.2/24
GE0/0/1
VLANIF10
Network 1 10.10.10.1/24 SwitchA Network 2
GE0/0/2 GE0/0/3
VLANIF20 VLANIF30
20.20.20.1/24 30.30.30.1/24

To configure sFlow, you can configure SwitchA as an sFlow agent and enable sFlow (including
flow sampling and counter sampling) on GE0/0/2 so that the sFlow agent collects network traffic
statistics. The sFlow agent encapsulates traffic statistics into sFlow packets and sends sFlow
packets from GE0/0/1 to the sFlow collector. The sFlow collector displays the network traffic
statistics based on information in the received sFlow packets. In this way, the sFlow agent can
monitor the network traffic on GE0/0/2.
1. Configure an IP address for each switch interface.

2. Configure sFlow agent and sFlow collector information on the device.
3. Configure flow sampling on the interface.
4. Configure counter sampling on the interface.
Procedure
Step 1 Configure an IP address for the interface of SwitchA.
# Configure an IP address for the interface of SwitchA according to Figure 11-38.

[SwitchA] Vlan batch 10 20 30
Info: This operation may take a few seconds. Please wait for a moment...done.
[SwitchA] interface xgigabitethernetgigabitethernet 0/0/1
Step 2 Configure sFlow agent and sFlow collector information.
# Configure an IP address for the sFlow agent.

[SwitchA] sflow agent ip 10.10.10.1
# Configure sFlow collector information: ID 2, IP address 10.10.10.2, and description netserver

for the sFlow collector.
[SwitchA] sflow collector 2 ip 10.10.10.2 description netserver

Step 3 Configure flow sampling.

# Set the sampling ratio.
[SwitchA-GigabitEthernet0/0/2] sflow flow-sampling rate 4000
# Specify sFlow collector 2 as the target collector to receive sFlow packets sent by the sFlow
agent.
[SwitchA-GigabitEthernet0/0/2] sflow flow-sampling collector 2
Step 4 Configure counter sampling.

# Set the counter sampling interval to 120s.
[SwitchA-GigabitEthernet0/0/2] sflow counter-sampling interval 120
# Specify sFlow collector 2 as the target collector to receive sFlow packets sent by the sFlow
agent.
[SwitchA-GigabitEthernet0/0/2] sflow counter-sampling collector 2

# After the configuration is complete, run the display sflow command in the user view on
SwitchA to check the global sFlow configuration.
<SwitchA> display sflow
sFlow Version 5
Information:
-------------------------------------------------------------------------
Agent
Information:
IP Address:
10.10.10.1
Address family:
IPV4
Vpn-instance: N/
A
--------------------------------------------------------------------------
Collector
Information:
Collector ID:
2
IP Address:
10.10.10.2
Address family:
IPV4
Vpn-instance: N/
A
Port:
6343
Datagram size:
1400
Time out: N/
A
Description:
netserver
--------------------------------------------------------------------------
Port on slot 0
Information:

Interface: GE0/0/2
Flow-sample collector: 2 Counter-sample collector : 2
Flow-sample rate(1/x): 4000 Counter-sample interval(s): 120
Flow-sample maxheader:
128
Flow-sample direction: IN,OUT
----End
Configuration File
l Configuration file of SwitchA.
#
sysname SwitchA
#
vlan batch 10 20 30
#
interface Vlanif10
ip address 10.10.10.1 255.255.255.0
#
interface Vlanif20
ip address 20.20.20.1 255.255.255.0
#
interface Vlanif30
ip address 30.30.30.1 255.255.255.0
#
#
sflow counter-sampling collector 2
sflow counter-sampling interval 120
sflow flow-sampling collector 2
sflow flow-sampling rate 4000
#
#
sflow collector 2 ip 10.10.10.2 description netserver
#
sflow agent ip 10.10.10.1
#
return
11.8 Packet Capture Configuration

This section describes the concept and configuration of the packet capture function and provides
NOTE
Based on your requirements to detect failures in telecom transmission, this feature may collect or store
some communication information about specific customers. Huawei cannot offer services to collect or store
this information unilaterally. Before enabling the function, ensure that it is performed within the boundaries
permitted by applicable laws and regulations. Effective measures must be taken to ensure that information
is securely protected.

11.8.1 Example for Configuring Packet Capture Function

As shown in Figure 11-39, the switch connects to the network through GE0/0/1.
The user needs to capture the packets received by GE0/0/1 and the packets to be sent to the CPU,
and display the captured packets on the terminal.
Figure 11-39 Networking diagram for configuring the packet capture function
GE0/0/1
Internet
Switch
1. Capture service packets sent upstream from GE0/0/1, and display captured packet
information on the terminal.
2. Capture packets sent to the CPU, and display captured packet information on the terminal.
Procedure
Step 1 Capture service packets sent upstream from GE0/0/1, and display captured packet information
on the terminal.
[HUAWEI] capture-packet interface gigabitethernet 0/0/1 destination terminal
packet-len 128
Info: Getted packets will be shown on terminal.
[HUAWEI]
Packet: 1
-------------------------------------------------------
01 80 c2 00 00 0e 00 18 82 01 23 45 81 00 00 14
88 cc 02 07 04 00 18 82 01 23 45 04 15 05 47 69
67 61 62 69 74 45 74 68 65 72 6e 65 74 30 2f 30
2f 31 06 02 00 78 08 00 0a 09 53 35 33 48 49 2d
32 30 36 0c a0 53 35 33 32 38 43 2d 48 49 20 0d
0a 48 75 61 77 65 69 20 56 65 72 73 61 74 69 6c
65 20 52 6f 75 74 69 6e 67 20 50 6c 61 74 66 6f
72 6d 20 53 6f 66 74 77 61 72 65 20 0d 0a 20 56
-------------------------------------------------------
Packet: 2
-------------------------------------------------------
01 80 c2 00 00 0a 00 e0 fc 09 bc f9 81 00 00 14
88 a7 00 03 00 00 01 b4 9a 09 00 01 00 0e 00 00
00 00 00 18 82 01 23 45 00 07 00 0d 53 35 33 48
49 2d 32 30 36 00 0f 00 15 53 35 33 30 30 20 56
32 30 30 52 30 30 31 43 30 30 00 12 00 1d 56 65
72 73 69 6f 6e 20 35 2e 31 31 30 20 56 32 30 30

52 30 30 31 43 30 30 00 11 00 1d 56 65 72 73 69
6f 6e 20 35 2e 31 31 30 20 56 32 30 30 52 30 30
-------------------------------------------------------
Packet: 3
-------------------------------------------------------
01 80 c2 00 00 0e 00 18 82 01 23 45 81 00 00 14
88 cc 02 07 04 00 18 82 01 23 45 04 15 05 47 69
67 61 62 69 74 45 74 68 65 72 6e 65 74 30 2f 30
2f 31 06 02 00 78 08 00 0a 09 53 35 33 48 49 2d
32 30 36 0c a0 53 35 33 32 38 43 2d 48 49 20 0d
0a 48 75 61 77 65 69 20 56 65 72 73 61 74 69 6c
65 20 52 6f 75 74 69 6e 67 20 50 6c 61 74 66 6f
72 6d 20 53 6f 66 74 77 61 72 65 20 0d 0a 20 56
-------------------------------------------------------
------------------packet getting report-----------------------

file: NULL
packets getting: interface GigabitEthernet0/0/1
acl: -
vlan: - cvlan: -
car: 64kbp timeout: 60s
packets: 100 (expected) 3 (actual)
length: 128 (expected)
-------------------------------------------------------
Step 2 Capture packets sent to the CPU, and display captured packet information on the terminal.
[HUAWEI] capture-packet cpu destination terminal packet-len 128
Info: Getted packets will be shown on terminal.
[HUAWEI]
Packet: 1
-------------------------------------------------------
01 80 c2 00 00 0e 00 18 82 01 23 45 81 00 00 14
88 cc 02 07 04 00 18 82 01 23 45 04 15 05 47 69
67 61 62 69 74 45 74 68 65 72 6e 65 74 30 2f 30
2f 31 06 02 00 78 08 00 0a 09 53 35 33 48 49 2d
32 30 36 0c a0 53 35 33 32 38 43 2d 48 49 20 0d
0a 48 75 61 77 65 69 20 56 65 72 73 61 74 69 6c
65 20 52 6f 75 74 69 6e 67 20 50 6c 61 74 66 6f
72 6d 20 53 6f 66 74 77 61 72 65 20 0d 0a 20 56
-------------------------------------------------------
Packet: 2
-------------------------------------------------------
01 80 c2 00 00 0e 00 18 82 01 23 45 81 00 00 14
88 cc 02 07 04 00 18 82 01 23 45 04 15 05 47 69
67 61 62 69 74 45 74 68 65 72 6e 65 74 30 2f 30
2f 31 06 02 00 78 08 00 0a 09 53 35 33 48 49 2d
32 30 36 0c a0 53 35 33 32 38 43 2d 48 49 20 0d
0a 48 75 61 77 65 69 20 56 65 72 73 61 74 69 6c
65 20 52 6f 75 74 69 6e 67 20 50 6c 61 74 66 6f
72 6d 20 53 6f 66 74 77 61 72 65 20 0d 0a 20 56
-------------------------------------------------------
Packet: 3
-------------------------------------------------------
01 80 c2 00 00 0a 00 e0 fc 09 bc f9 81 00 00 14
88 a7 00 03 00 00 01 b4 9a 09 00 01 00 0e 00 00
00 00 00 18 82 01 23 45 00 07 00 0d 53 35 33 48
49 2d 32 30 36 00 0f 00 15 53 35 33 30 30 20 56
32 30 30 52 30 30 31 43 30 30 00 12 00 1d 56 65
72 73 69 6f 6e 20 35 2e 31 31 30 20 56 32 30 30
52 30 30 31 43 30 30 00 11 00 1d 56 65 72 73 69
6f 6e 20 35 2e 31 31 30 20 56 32 30 30 52 30 30
-------------------------------------------------------
------------------packet getting report-----------------------

file: NULL
packets getting:
cpu
acl: -
vlan: - cvlan: -
car: -- timeout: 60s
packets: 100 (expected) 3 (actual)
length: 128 (expected)
-------------------------------------------------------
----End
Configuration Files
None

Typical Configuration Examples 12 MPLS
12 MPLS
About This Chapter
This document describes MPLS configuration examples supported by the device.
12.1 Static LSPs Configuration

You can set up a static LSP by manually allocating labels to LSRs. The static LSP applies to
stable and small-scale networks.
12.2 MPLS LDP Configuration

The Multiprotocol Label Switching Label Distribution Protocol (MPLS LDP) defines the
messages in and procedures for distributing labels. MPLS LDP is used by Label Switching
Routers (LSRs) to negotiate session parameters, distribute labels, and then establish Label
Switched Paths (LSPs).
12.3 MPLS TE Configuration

MPLS TE tunnels transmit MPLS L2VPN (VLL and VPLS) services and MPLS L3VPN services
and provide high security and guarantees reliable QoS for VPN services.

12.1 Static LSPs Configuration

You can set up a static LSP by manually allocating labels to LSRs. The static LSP applies to
stable and small-scale networks.
12.1.1 Example for Configuring Static LSPs
As shown in Figure 12-1, on a simple, stable, and small-scale network, LSRA, LSRB, LSRC,
and LSRD are backbone network devices. A public network tunnel needs to be established on
the backbone network for transmitting L2VPN services. The path from LSRA to LSRD is
LSRA→LSRB→LSRD, and the path from LSRD to LSRA is LSRD→LSRC→LSRA.
Figure 12-1 Networking diagram for establishing static LSPs
Loopback1
2.2.2.9/32
G
/0 /1
0 VL E0/
0 1 10 AN 0/2
GE NIF /24 .2. IF2
V LA .1.2 1.1 0
G
/1 1 /24
0 /0 0 1 0 . VL E0/0
1 LSRB 10 AN /1 Loopback1
Loopback1 GE NIF /24 .2. IF2
A
1.1.1.9/32 VL .1. 1 1.2 0 4.4.4.9/32
0.1 /24
1
G
LSRA VL E0/ 2 LSRD
10 AN 0/2 0/0/ 40
.3. IF3 GE NIF /24
1.1 0 G LSRC A 2
/24 VL E0/0 / 2 VL .4.1.
10 ANI /1 0
0/ 40 10
.3. F3
1.2 0 GE NIF /24
A
/2 4 VL 4.1.1
.
10
Loopback1
3.3.3.9/32
To meet the preceding requirements, configure static LSPs. The configuration roadmap is as
follows:
Configure two static LSPs: LSRA→LSRB→LSRD (LSRA is the ingress node, LSRB is the
transit node, and LSRD is the egress node); LSRD→LSRC→LSRA (LSRD is the ingress node,
LSRC is the transit node, and LSRA is the egress node).

1. Configure MPLS to establish public network LSPs on the backbone network. To implement
the MPLS function, enable global MPLS capability on all nodes and VLANIF interfaces.
2. Configure static LSPs and establish public network LSPs for transmitting L2VPN services.
Perform the following steps:
a. Configure the destination IP address, next hop, value of the outgoing label for the LSP
on the ingress node.
b. Configure the inbound interface, value of the incoming label equivalent to the
outgoing label of the last node, and next hop and value of the outgoing label of the
LSP on the transit node.
c. Configure the inbound interface and value of the incoming label equivalent to the
outgoing label of the last node of the LSP on the egress node.
Procedure
Step 1 Create VLANs and VLANIF interfaces on the switch, configure IP addresses for the VLANIF
interfaces, and add physical interfaces to the VLANs.
# Configure LSRA.
[HUAWEI] sysname LSRA
[LSRA] interface loopback 1
[LSRA-LoopBack1] ip address 1.1.1.9 32
[LSRA-LoopBack1] quit
[LSRA] interface gigabitethernet0/0/1
[LSRA-GigabitEthernet0/0/1] port link-type trunk
[LSRA-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[LSRA-GigabitEthernet0/0/1] quit
[LSRA] vlan batch 10 30
[LSRA] interface vlanif 10
[LSRA-Vlanif10] ip address 10.1.1.1 24
[LSRA-Vlanif10] quit
[LSRA] interface gigabitethernet0/0/2
The configurations of LSRB, LSRC, and LSRD are similar to that of LSRA, and are not
mentioned here.
Step 2 Configure OSPF to advertise the network segments that the interfaces are connected to and the
host route of the LSR ID.
# Configure LSRA.
[LSRA] ospf 1
[LSRA-ospf-1] area 0
[LSRA-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[LSRA-ospf-1-area-0.0.0.0] quit
[LSRA-ospf-1] quit
# Configure LSRB.
[LSRB] ospf 1
[LSRB-ospf-1] area 0

[LSRB-ospf-1-area-0.0.0.0] network 2.2.2.9 0.0.0.0

[LSRB-ospf-1-area-0.0.0.0] quit
[LSRB-ospf-1] quit
# Configure LSRC.
[LSRC] ospf 1
[LSRC-ospf-1] area 0
[LSRC-ospf-1-area-0.0.0.0] network 3.3.3.9 0.0.0.0
[LSRC-ospf-1-area-0.0.0.0] quit
[LSRC-ospf-1] quit
# Configure LSRD.
[LSRD] ospf 1
[LSRD-ospf-1] area 0
[LSRD-ospf-1-area-0.0.0.0] network 4.4.4.9 0.0.0.0
[LSRD-ospf-1-area-0.0.0.0] quit
[LSRD-ospf-1] quit
After the configuration is complete, run the display ip routing-table command on each node,
and you can view that the nodes learn routes from each other.
Use the command output on LSRA as an example.

[LSRA] display ip routing-table
------------------------------------------------------------------------------
2.2.2.9/32 OSPF 10 1 D 10.1.1.2 Vlanif10
3.3.3.9/32 OSPF 10 1 D 10.3.1.2 Vlanif30
4.4.4.9/32 OSPF 10 2 D 10.1.1.2 Vlanif10
OSPF 10 2 D 10.3.1.2 Vlanif30
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.2.1.0/24 OSPF 10 2 D 10.1.1.2 Vlanif10
10.3.1.0/24 Direct 0 0 D 10.3.1.1 Vlanif30
10.3.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
10.4.1.0/24 OSPF 10 2 D 10.3.1.2 Vlanif30
The next hop of the static LSP on 4.4.4.9/32 from LSRA to LSRD is determined by the routing
table. It is shown in boldface. In this example, the next hop IP address is 10.1.1.2/24.
Use the command output on LSRD as an example.

[LSRD] display ip routing-table
------------------------------------------------------------------------------
1.1.1.9/32 OSPF 10 2 D 10.2.1.1 Vlanif20
OSPF 10 2 D 10.4.1.1 Vlanif40
2.2.2.9/32 OSPF 10 1 D 10.2.1.1 Vlanif20
3.3.3.9/32 OSPF 10 1 D 10.4.1.1 Vlanif40

10.1.1.0/24 OSPF 10 2 D 10.2.1.1 Vlanif20

10.2.1.0/24 Direct 0 0 D 10.2.1.2 Vlanif20
10.2.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif20
10.3.1.0/24 OSPF 10 2 D 10.4.1.1 Vlanif40
10.4.1.0/24 Direct 0 0 D 10.4.1.2 Vlanif40
10.4.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif40
The next hop of the static LSP on 1.1.1.9/32 from LSRD to LSRA is determined by the routing
table. It is shown in boldface. In this example, the next hop IP address is 10.4.1.1/24.
Step 3 Enable basic MPLS functions on each node.
# Configure LSRA.
[LSRA] mpls lsr-id 1.1.1.9
[LSRA] mpls
[LSRA-mpls] quit
# Configure LSRB.
[LSRB] mpls lsr-id 2.2.2.9
[LSRB] mpls
[LSRB-mpls] quit
# Configure LSRC.
[LSRC] mpls lsr-id 3.3.3.9
[LSRC] mpls
[LSRC-mpls] quit
# Configure LSRD.
[LSRD] mpls lsr-id 4.4.4.9
[LSRD] mpls
[LSRD-mpls] quit
Step 4 Enable MPLS on each VLANIF interface.

# Configure LSRA.
[LSRA-Vlanif10] mpls
# Configure LSRB.
[LSRB] interface vlanif 10
[LSRB-Vlanif10] mpls
[LSRB-Vlanif10] quit
# Configure LSRC.
[LSRC] interface vlanif 30
[LSRC-Vlanif30] mpls
[LSRC-Vlanif30] quit
# Configure LSRD.

[LSRD] interface vlanif 20

[LSRD-Vlanif20] mpls
[LSRD-Vlanif20] quit
Step 5 Configure a static LSP from LSRA to LSRD.

# Configure ingress node LSRA.
[LSRA] static-lsp ingress SAtoSD destination 4.4.4.9 32 nexthop 10.1.1.2 out-label
20
# Configure transit node LSRB.

[LSRB] static-lsp transit SAtoSD incoming-interface vlanif 10 in-label 20 nexthop
10.2.1.2 out-label 40
# Configure egress node LSRD.

[LSRD] static-lsp egress SAtoSD incoming-interface vlanif 20 in-label 40
After the configuration is complete, run the display mpls static-lsp command on each node to
check the status of the static LSP. Use the command output on LSRA as an example.
[LSRA] display mpls static-lsp
TOTAL : 1 STATIC LSP(S)
UP : 1 STATIC LSP(S)
DOWN : 0 STATIC LSP(S)
Name FEC I/O Label I/O If Status
SAtoSD 4.4.4.9/32 NULL/20 -/Vlanif10 Up
The LSP is unidirectional, you need to configure a static LSP from LSRD to LSRA.
Step 6 Configure a static LSP from LSRD to LSRA.
# Configure ingress node LSRD.
[LSRD] static-lsp ingress SDtoSA destination 1.1.1.9 32 nexthop 10.4.1.1 out-label
30
# Configure transit node LSRC.

[LSRC] static-lsp transit SDtoSA incoming-interface vlanif 40 in-label 30 nexthop
10.3.1.1 out-label 60
# Configure egress node LSRA.

[LSRA] static-lsp egress SDtoSA incoming-interface vlanif 30 in-label 60

After the configuration is complete, run the display mpls static-lsp or display mpls static-lsp
verbose command on each node to check the status and detailed information about the static
LSP. Use the command output on LSRD as an example.
[LSRD] display mpls static-lsp
SAtoSD -/- 40/NULL Vlanif20/- Up
SDtoSA 1.1.1.9/32 NULL/30 -/Vlanif40 Up
[LSRD] display mpls static-lsp verbose
No : 1
LSP-Name : SAtoSD

LSR-Type : Egress
FEC : -/-
In-Label : 40
Out-Label : NULL
In-Interface : Vlanif20
Out-Interface : -
NextHop : -
Static-Lsp Type: Normal
Lsp Status : Up
No : 2
LSP-Name : SDtoSA
LSR-Type : Ingress
FEC : 1.1.1.9/32
In-Label : NULL
Out-Label : 30
In-Interface : -
Out-Interface : Vlanif40
NextHop : 10.4.1.1
Lsp Status : Up
Run the ping lsp ip 1.1.1.9 32 command on LSRD. The command output shows that the static
LSP can be pinged.
Run the ping lsp ip 4.4.4.9 32 command on LSRA. The command output shows that the static
LSP can be pinged.
----End
Configuration Files
l Configuration file of LSRA
#
sysname LSRA
#
vlan batch 10 30
#
mpls lsr-id 1.1.1.9
mpls
#
interface Vlanif 10
ip address 10.1.1.1 255.255.255.0
mpls
#
interface Vlanif 30
ip address 10.3.1.1 255.255.255.0
mpls
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255

#
static-lsp ingress SAtoSD destination 4.4.4.9 32 nexthop 10.1.1.2 out-label
20
static-lsp egress SDtoSA incoming-interface Vlanif30 in-label 60
#
return
l Configuration file of LSRB

#
sysname LSRB
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.9
mpls
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
mpls
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
mpls
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
static-lsp transit SAtoSD incoming-interface Vlanif10 in-label 20 nexthop
10.2.1.2 out-label 40
#
return
l Configuration file of LSRC

#
sysname LSRC
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.9
mpls
#
interface Vlanif30
ip address 10.3.1.2 255.255.255.0
mpls
#
interface Vlanif40
ip address 10.4.1.1 255.255.255.0
mpls
#
#

#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
static-lsp transit SDtoSA incoming-interface Vlanif40 in-label 30 nexthop
10.3.1.1 out-label 60
#
return
l Configuration file of LSRD

#
sysname LSRD
#
vlan batch 20 40
#
mpls lsr-id 4.4.4.9
mpls
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.0
mpls
#
interface Vlanif40
ip address 10.4.1.2 255.255.255.0
mpls
#
#
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
static-lsp egress SAtoSD incoming-interface Vlanif20 in-label 40
static-lsp ingress SDtoSA destination 1.1.1.9 32 nexthop 10.4.1.1 out-label
30
#
return
12.1.2 Example for Configuring Static BFD to Monitor Static LSPs
As shown in Figure 12-2, static LSPs LSP1 and LSP2 are configured between PE1 and PE2.
LSP1 passes through P1, and LSP2 passes through P2. It takes an interface a long period to

detect a fault on the connected link. The connectivity check on LSP1 is required. If a fault occurs
on LSP1, PE1 can receive a fault report within 500 ms.
Figure 12-2 Networking diagram for establishing static LSPs
Loopback1
MPLS Network
2.2.2.9/32
G
/ 0 /1
0 VL E0/
0 1 10 AN 0/2
GE NIF /24 .2. IF2
V LA .1.2 1.1 0
G
1 1 /24
0 0 /
/ 10 1 0 . VL E0/0
Loopback1 GE NIF /24 P1 10 AN /1 Loopback1
A 1 .2. IF2
1.1.1.9/32 VL .1. 1.2 0 4.4.4.9/32
0 .1 /24
1 Static LSP1
G Static LSP2
PE1 VL E0/ 2 PE2
10 AN 0/2 0 / 0/ 4 0
.3. IF3 GE NIF /24
1 .1 0 G P2 A 2
/2 4 VL E0/0 /2 VL .4.1.
10 ANI /1 0
0/ 40 1 0
.3. F3
1.2 0 GE NIF /24
A 1
/24 VL 4.1.
.
Loopback1 10
3.3.3.9/32
To meet the preceding requirements, configure static BFD to detect static LSPs. The
1. Only static BFD can be configured to detect static LSPs. Configure BFD on PE1 and PE2.
2. Adjust BFD parameters to enable PE1 to receive a fault report within 500 ms.
Procedure
For configuration details, refer to Example for Configuring Static LSPs.
Step 2 Configure OSPF to advertise the network segments that the interfaces are connected to and the
host route of the LSR ID.
For configuration details, refer to Example for Configuring Static LSPs.
Step 3 Enable basic MPLS functions on each node.
# Configure PE1.


[PE1] mpls
[PE1-mpls] quit
# Configure P1.
[P1] mpls lsr-id 2.2.2.9
[P1] mpls
[P1-mpls] quit
# Configure P2.
[P2] mpls
[P2-mpls] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
Step 4 Enable MPLS on each VLANIF interface.

# Configure PE1.
[PE1-Vlanif10] mpls
[PE1-Vlanif10] quit
[PE1-Vlanif30] mpls
[PE1-Vlanif30] quit
# Configure P1.
[P1] interface vlanif 10
[P1-Vlanif10] mpls
[P1-Vlanif10] quit
[P1-Vlanif20] mpls
[P1-Vlanif20] quit
# Configure P2.
[P2-Vlanif30] mpls
[P2-Vlanif30] quit
[P2-Vlanif40] mpls
[P2-Vlanif40] quit
# Configure PE2.
[PE2-Vlanif20] mpls
[PE2-Vlanif20] quit
[PE2-Vlanif40] mpls
[PE2-Vlanif40] quit
Step 5 Create a static LSP named LSP1 with PE1 being the ingress node, P1 being the transit node,
and PE2 being the egress node.
# Configure ingress node PE1.
[PE1] static-lsp ingress LSP1 destination 4.4.4.9 32 nexthop 10.1.1.2 out-label 20
# Configure transit node P1.

[P1] static-lsp transit LSP1 incoming-interface vlanif 10 in-label 20 nexthop

10.2.1.2 out-label 40
# Configure egress node PE2.

[PE2] static-lsp egress LSP1 incoming-interface vlanif 20 in-label 40
Step 6 Create a static LSP named LSP2 with PE1 being the ingress node, P2 being the transit node,
and PE2 being the egress node.
# Configure ingress node PE1.

[PE1] static-lsp ingress LSP2 destination 4.4.4.9 32 nexthop 10.3.1.2 out-label 30
# Configure transit node P2.

[P2] static-lsp transit LSP2 incoming-interface vlanif 30 in-label 30 nexthop
10.4.1.2 out-label 60
# Configure egress node PE2.

[PE2] static-lsp egress LSP2 incoming-interface vlanif 40 in-label 60
After the configuration is complete, run the ping lsp ip 4.4.4.9 32 command on PE1. The
command output shows that the LSP can be pinged.
Run the display mpls static-lsp or display mpls static-lsp verbose command on each node to
check the status and detailed information about the static LSP. Use the command output on PE1
as an example.
[PE1] display mpls static-lsp

LSP1 4.4.4.9/32 NULL/20 Vlanif10/- Up
LSP2 4.4.4.9/32 NULL/30 Vlanif30/- Up
[PE1] display mpls static-lsp verbose
No : 1
LSP-Name : LSP1
LSR-Type : Ingress
FEC : 4.4.4.9/32
In-Label : NULL
Out-Label : 20
In-Interface : -
NextHop : 10.1.1.2
Lsp Status : Up
No : 2
LSP-Name : LSP2
LSR-Type : Ingress
FEC : 4.4.4.9/32
In-Label : NULL
Out-Label : 30
In-Interface : -
NextHop : 10.3.1.2
Lsp Status : Up
Step 7 Configure the BFD session to detect static LSP LSP1.

# On ingress node PE1, configure a BFD session, with the local discriminator of 1, the remote
discriminator of 2, and the intervals for sending and receiving packets of 100 ms. The port state
table (PST) can be modified.
[PE1] bfd
[PE1-bfd] quit
[PE1] bfd pe1tope2 bind static-lsp LSP1
[PE1-bfd-lsp-session-pe1tope2] discriminator local 1
[PE1-bfd-lsp-session-pe1tope2] discriminator remote 2
[PE1-bfd-lsp-session-pe1tope2] min-tx-interval 100
[PE1-bfd-lsp-session-pe1tope2] min-rx-interval 100
[PE1-bfd-lsp-session-pe1tope2] process-pst
[PE1-bfd-lsp-session-pe1tope2] commit
[PE1-bfd-lsp-session-pe1tope2] quit
# On egress node PE2, configure a BFD session to notify PE1 of faults on the static LSP.
[PE2] bfd
[PE2-bfd] quit
[PE2] bfd pe2tope1 bind peer-ip 1.1.1.9
[PE2-bfd-session-pe2tope1] min-tx-interval 100
[PE2-bfd-session-pe2tope1] min-rx-interval 100
# Run the display bfd session all verbose command on PE1 to check the configuration. The
command output shows that the BFD session on PE2 is Up.
--------------------------------------------------------------------------------
Session MIndex : 4096 State : Up Name : pe1tope2
--------------------------------------------------------------------------------
BFD Bind Type : STATIC_LSP
Bind Interface : -
Static LSP name : LSP1 LSP Token : 0x10002
Actual Tx Interval (ms) : 100 Actual Rx Interval (ms) : 100
Proc Interface Status : Disable Process PST : Enable
Active Multi : 3
Bind Application : LSPM | L2VPN | OAM_MANAGER
--------------------------------------------------------------------------------
# Run the display bfd session all verbose command on PE2 to check the configuration.
--------------------------------------------------------------------------------
Session MIndex : 262 (Multi Hop)State : Up Name : pe2tope1
--------------------------------------------------------------------------------


BFD Bind Type : Peer IP Address
Bind Interface : -
Track Interface : -
Active Multi : 3
--------------------------------------------------------------------------------
# Run the shutdown command on VLANIF 20 of P1 to simulate a fault on a static LSP.

[P1-Vlanif20] shutdown
# Run the display bfd session all verbose command on PE to check the status of the BFD
session.
--------------------------------------------------------------------------------
Session MIndex : 262 (Multi Hop)State : Down Name : pe2tope1
--------------------------------------------------------------------------------
Bind Interface : -
Track Interface : -
Destination Port : 3784 TTL :
254
Proc Interface Status : Disable Process PST :
Disable
Active Multi : 3
--------------------------------------------------------------------------------


--------------------------------------------------------------------------------
Session MIndex : 4096 State : Down Name : pe1tope2
--------------------------------------------------------------------------------
BFD Bind Type : STATIC_LSP
Bind Interface : -
Static LSP name : LSP1 LSP Token : 0x10002
Active Multi : 3
Last Local Diagnostic : Neighbor Signaled Session Down
Session Init TmrID : 16408 Session WTR TmrID : -
--------------------------------------------------------------------------------
----End
Configuration Files
#
sysname PE1
#
vlan batch 10 30
#
bfd
#
mpls lsr-id 1.1.1.9
mpls
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
mpls
#
interface Vlanif30
ip address 10.3.1.1 255.255.255.0
mpls
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#

bfd pe1tope2 bind static-lsp LSP1

min-tx-interval 100
min-rx-interval 100
process-pst
commit
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
#
static-lsp ingress LSP1 destination 4.4.4.9 32 nexthop 10.1.1.2 out-label 20
static-lsp ingress LSP2 destination 4.4.4.9 32 nexthop 10.3.1.2 out-label 30
#
return
#
sysname P1
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.9
mpls
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
mpls
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
mpls
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
static-lsp transit LSP1 incoming-interface Vlanif 10 in-label 20 nexthop
10.2.1.2 out-label 40
#
return
#
sysname P2
#
vlan batch 30 40
#
bfd
#
mpls lsr-id 3.3.3.9

mpls
#
interface Vlanif30
ip address 10.3.1.2 255.255.255.0
mpls
#
interface Vlanif40
ip address 10.4.1.1 255.255.255.0
mpls
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
static-lsp transit LSP2 incoming-interface vlanif 30 in-label 30 nexthop
10.4.1.2 out-label 60
#
return

#
sysname PE2
#
vlan batch 20 40
#
bfd
#
mpls lsr-id 4.4.4.9
mpls
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.0
mpls
#
interface Vlanif40
ip address 10.4.1.2 255.255.255.0
mpls
#
#
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
bfd pe2tope1 bind peer-ip 1.1.1.9
min-tx-interval 100
min-rx-interval 100

commit
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
static-lsp egress LSP1 incoming-interface vlanif 20 in-label 40
static-lsp egress LSP2 incoming-interface vlanif 40 in-label 60
#
return
12.2 MPLS LDP Configuration

The Multiprotocol Label Switching Label Distribution Protocol (MPLS LDP) defines the
messages in and procedures for distributing labels. MPLS LDP is used by Label Switching
Routers (LSRs) to negotiate session parameters, distribute labels, and then establish Label
Switched Paths (LSPs).
12.2.1 Example for Configuring Local LDP Sessions
As shown in Figure 12-3, on a complex and unstable network, LSRA, LSRB, and LSRC function
as the backbone devices. A public network tunnel needs to be established on the backbone
network for transmitting Layer 3 Virtual Private Network (L3VPN) services.
Figure 12-3 Networking diagram for configuring local LDP sessions

1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1
10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24
LSRA LSRB LSRC
To meet the preceding requirements, configure local LDP sessions. The configuration roadmap
is as follows:
1. The LDP protocol can be used on this network with complex and unstable topology. To
run LDP on the network, enable global MPLS LDP on each LSR.
2. Configure a local LDP session and create a public network LSP for L3VPN services. Enable
MPLS LDP on interfaces of each LSR.

Procedure
# Configure LSRA.
[LSRA] interface gigabitethernet 0/0/1
[LSRA] vlan 10
[LSRA-vlan10] quit
The configurations of LSRB, and LSRC are similar to the configuration of LSRA, and are not
mentioned here.
Step 2 Configure OSPF to advertise the network segments connecting to interfaces on each node and
to advertise the routes of hosts with LSR IDs.
# Configure LSRA.
[LSRA] ospf 1
[LSRA-ospf-1] quit
# Configure LSRB.
[LSRB] ospf 1
[LSRB-ospf-1] area 0
[LSRB-ospf-1-area-0.0.0.0] quit
[LSRB-ospf-1] quit
# Configure LSRC.
[LSRC] ospf 1
[LSRC-ospf-1] area 0
[LSRC-ospf-1-area-0.0.0.0] quit
[LSRC-ospf-1] quit
After the configuration is complete, run the display ip routing-table command on each node,
and you can view that the nodes learn routes from each other.
Step 3 Enable global MPLS and MPLS LDP on each LSR.
# Configure LSRA.
[LSRA] mpls

[LSRA-mpls] quit
[LSRA] mpls ldp
[LSRA-mpls-ldp] quit
# Configure LSRB.
[LSRB] mpls
[LSRB-mpls] quit
[LSRB] mpls ldp
[LSRB-mpls-ldp] quit
# Configure LSRC.
[LSRC] mpls
[LSRC-mpls] quit
[LSRC] mpls ldp
[LSRC-mpls-ldp] quit
Step 4 Enable MPLS and MPLS LDP on interfaces of each LSR.

# Configure LSRA.
[LSRA-Vlanif10] mpls ldp
# Configure LSRB.
[LSRB-Vlanif10] mpls ldp
# Configure LSRC.
[LSRC-Vlanif20] mpls ldp

# After the configuration is complete, run the display mpls ldp session command. The command
output shows that the status of local LDP sessions between LSRA and LSRB and between LSRB
and LSRC is Operational.
LSRA is used as an example.
[LSRA] display mpls ldp session

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
----End

Configuration Files
#
sysname LSRA
#
vlan batch 10
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

#
sysname LSRB
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0

network 10.1.1.0 0.0.0.255

network 10.2.1.0 0.0.0.255
#
return

#
sysname LSRC
#
vlan batch 20
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.1.0 0.0.0.255
#
return
12.2.2 Example for Configuring Remote MPLS LDP Sessions
As shown in Figure 12-4, on a complex and unstable network, LSRA and LSRC function as
PEs. A public network tunnel needs to be established on the backbone network for transmitting
L2VPN services.
Figure 12-4 Networking diagram for configuring remote LDP sessions

1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1
10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24
LSRA LSRB LSRC
To meet the preceding requirements, configure remote LDP sessions. The configuration

1. The LDP protocol can be used on this network with complex and unstable topology. To
run LDP on the network, enable global MPLS LDP on each LSR.
2. Configure a remote LDP session and create a public network tunnel for L2VPN services.
Specify the name and IP address of the remote peer of a remote LDP session on LSRA and
LSRC.
Procedure
For details, see Example for Configuring Local LDP Sessions.
Step 3 Enable global MPLS and MPLS LDP on each LSR.
# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] quit
[LSRA] mpls ldp
# Configure LSRB.
[LSRB] mpls
[LSRB-mpls] quit
[LSRB] mpls ldp
# Configure LSRC.
[LSRC] mpls
[LSRC-mpls] quit
[LSRC] mpls ldp
Step 4 Specify the name and IP address of the remote peer on the two LSRs of a remote LDP session.
# Configure LSRA.
[LSRA] mpls ldp remote-peer LSRC
[LSRA-mpls-ldp-remote-lsrc] remote-ip 3.3.3.3
[LSRA-mpls-ldp-remote-lsrc] quit
# Configure LSRC.
[LSRC] mpls ldp remote-peer LSRA
[LSRC-mpls-ldp-remote-lsra] remote-ip 1.1.1.1
[LSRC-mpls-ldp-remote-lsra] quit

# After the configuration is complete, run the display mpls ldp session command on the node.
The command output shows that the status of the remote LDP session between LSRA and LSRC
is Operational.



------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
# Run the display mpls ldp remote-peer command on the two LSRs of the remote LDP session
to view information about the remote peer.
[LSRA] display mpls ldp remote-peer
LDP Remote Entity Information

------------------------------------------------------------------------------
Remote Peer Name: lsrc
Remote Peer IP : 3.3.3.3 LDP ID : 1.1.1.1:0
Transport Address : 1.1.1.1 Entity Status : Active
Configured Keepalive Hold Timer : 45 Sec

Configured Keepalive Send Timer : ----
Configured Hello Hold Timer : 45 Sec
Negotiated Hello Hold Timer : 45 Sec
Configured Hello Send Timer : ----
Configured Delay Timer : 10 Sec
Hello Packet sent/received : 6347/6307
Label Advertisement Mode : Downstream Unsolicited
Remote Peer Deletion Status : No
Auto-config : ---
------------------------------------------------------------------------------
TOTAL: 1 Peer(s) Found.
----End
Configuration Files
#
sysname LSRA
#
vlan batch 10
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
mpls ldp remote-peer lsrc
remote-ip 3.3.3.3
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#
#
interface LoopBack0

ip address 1.1.1.1 255.255.255.255

#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

#
sysname LSRB
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
#
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return

#
sysname LSRC
#
vlan batch 20
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
mpls ldp remote-peer lsra
remote-ip 1.1.1.1
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.0
#
#
interface LoopBack0

ip address 3.3.3.3 255.255.255.255

#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.1.0 0.0.0.255
#
return
12.2.3 Example for Configuring Automatic Triggering of a Request

for a Label Mapping Message in DoD Mode
As shown in Figure 12-5, LSRA and LSRD function as PEs. A remote LDP session is set up
between LSRA and LSRD to establish a public network tunnel. To save network resources,
unnecessary IP addresses and MPLS entries need to be reduced.
Figure 12-5 Example for configuring automatic triggering of a request for a Label Mapping
message in DoD mode
Loopback0 Loopback0 Loopback0 Loopback0

1.1.1.1/32 GE0/0/1 2.2.2.2/32 3.3.3.3/32 4.4.4.4/32
GE0/0/2 GE0/0/2
10.1.1.1/24 10.1.2.1/24 10.1.3.1/24
GE0/0/1 GE0/0/1 GE0/0/1
LSRA 10.1.1.2/24 LSRB LSRC 10.1.3.2/24LSRD
10.1.2.2/24
To meet the preceding requirements, configure automatic triggering of a request for a Label
Mapping message in DoD mode. The configuration roadmap is as follows:
1. Configure the label advertisement mode as DoD to reduce Label Mapping messages.
Configure the DoD mode on interfaces of each LSR.
2. Configure LDP extension for inter-area LSP so that LDP searches for a route according to
the longest match rule to establish an LDP LSP. Configure LDP extension for inter-area
LSP on LSRA and LSRD.
3. Configure LDP to automatically trigger a request for a Label Mapping message in DoD
mode. Perform this configuration on LSRA and LSRD.
Procedure
Step 1 Configure IP addresses for interfaces on each node and configure the loopback addresses that
are used as LSR IDs.
# Configure LSRA.


[LSRA] vlan 10
[LSRA-vlan10] quit
The configurations of LSRB, LSRC, and LSRD are similar to the configuration of LSRA, and
Step 2 Configure basic IS-IS functions for backbone devices. Configure static routes for PEs and their
neighbors.
# Configure basic IS-IS functions for LSRB and import a static route.
[LSRB] isis 1
[LSRB-isis-1] network-entity 10.0000.0000.0001.00
[LSRB-isis-1] import-route static
[LSRB-isis-1] quit
[LSRB-Vlanif20] isis enable 1
[LSRB] interface loopback 0
[LSRB-LoopBack0] isis enable 1
[LSRB-LoopBack0] quit
# Configure basic IS-IS functions for LSRC and import a static route.
[LSRC] isis 1
[LSRC-isis-1] network-entity 10.0000.0000.0002.00
[LSRC-isis-1] import-route static
[LSRC-isis-1] quit
[LSRC-Vlanif20] isis enable 1
[LSRC] interface loopback 0
[LSRC-LoopBack0] isis enable 1
[LSRC-LoopBack0] quit
# Configure a default route whose next hop IP address is 10.1.1.2 on LSRA.

[LSRA] ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
# On LSRB, configure a static route to LSRA.

[LSRB] ip route-static 1.1.1.1 255.255.255.255 10.1.1.1
# On LSRC, configure a static route to LSRD.

[LSRC] ip route-static 4.4.4.4 255.255.255.255 10.1.3.2
# Configure a default route whose next hop IP address is 10.1.3.1 on LSRD.

[LSRD] ip route-static 0.0.0.0 0.0.0.0 10.1.3.1
# Run the display ip routing-table command on LSRA to view the configure default route.
------------------------------------------------------------------------------

0.0.0.0/0 Static 60 0 RD 10.1.1.2 Vlanif10

10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
# Run the display ip routing-table command on LSRB to view the route to LSRA.
[LSRB] display ip routing-table
------------------------------------------------------------------------------
1.1.1.1/32 Static 60 0 RD 10.1.1.1 Vlanif10

3.3.3.3/32 ISIS-L1 15 10 D 10.1.2.2 Vlanif20
4.4.4.4/32 ISIS-L2 15 74 D 10.1.2.2 Vlanif20
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif10
10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.1.2.0/24 Direct 0 0 D 10.1.2.1 Vlanif20
10.1.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif20
Step 3 Enable MPLS globally and on an interface, and MPLS LDP on each node.
# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] quit
[LSRA] mpls ldp
Step 4 Configure the label advertisement mode as DoD.
# Configure LSRA.
[LSRA] interface Vlanif 10
[LSRA-Vlanif10] mpls ldp advertisement dod
# Configure LSRB.
[LSRB-Vlanif10] mpls ldp advertisement dod
# Configure LSRC.
[LSRC-Vlanif30] mpls ldp advertisement dod

# Configure LSRD.
[LSRD-Vlanif30] mpls ldp advertisement dod
Step 5 Configure LDP extension for inter-area LSP.

# Run the longest-match command on LSRA to configure LDP to search for a route according
to the longest match rule to establish an inter-area LDP LSP.
[LSRA] mpls ldp
[LSRA-mpls-ldp] longest-match
# Run the longest-match command on LSRD to configure LDP to search for a route according
[LSRD] mpls ldp
[LSRD-mpls-ldp] longest-match
[LSRD-mpls-ldp] quit
Step 6 Configure a remote LDP session and enable LDP to automatically trigger a request for a Label
Mapping message in DoD mode.
# Configure LSRA.
[LSRA] mpls ldp remote-peer lsrd
[LSRA-mpls-ldp-remote-lsrd] remote-ip 4.4.4.4
[LSRA-mpls-ldp-remote-lsrd] remote-ip auto-dod-request
[LSRA-mpls-ldp-remote-lsrd] quit
# Configure LSRD.
[LSRD] mpls ldp remote-peer lsra
[LSRD-mpls-ldp-remote-lsra] remote-ip 1.1.1.1
[LSRD-mpls-ldp-remote-lsra] remote-ip auto-dod-request
[LSRD-mpls-ldp-remote-lsra] quit

# When the configurations are complete, run the display ip routing-table 4.4.4.4 command on
LSRA to view route information.
[LSRA] display ip routing-table 4.4.4.4
------------------------------------------------------------------------------
Summary Count : 1
0.0.0.0/0 Static 60 0 RD 10.1.1.2 Vlanif10
The command output shows that only a default route exists in the routing table and the route
4.4.4.4 does not exist.
# Run the display mpls ldp lsp command on LSRA to view information about the established
LSP.
[LSRA] display mpls ldp lsp
LDP LSP Information

-------------------------------------------------------------------------------
DestAddress/Mask In/OutLabel UpstreamPeer NextHop OutInterface
-------------------------------------------------------------------------------
1.1.1.1/32 3/NULL 4.4.4.4 127.0.0.1 InLoop0

4.4.4.4/32 NULL/1026 - 10.1.1.2 Vlanif10

-------------------------------------------------------------------------------
TOTAL: 1 Normal LSP(s) Found.
TOTAL: 0 Liberal LSP(s) Found.
TOTAL: 0 Frr LSP(s) Found.
A '*' before an LSP means the LSP is not established
A '*' before a Label means the USCB or DSCB is stale
A '*' before a UpstreamPeer means the session is stale
A '*' before a DS means the session is stale
A '*' before a NextHop means the LSP is FRR LSP
The command output shows that the LSP with the destination address of 4.4.4.4 is established.
LSRA has obtained a Label Mapping message of 4.4.4.4 from LSRB to establish an LSP.
[LSRA] display tunnel-info all
* -> Allocated VC Token
Tunnel ID Type Destination Token
----------------------------------------------------------------------
0x10000001 lsp 4.4.4.4 0
The command output shows that an LSP between LSRA and LSRD is established.
----End
Configuration Files
#
sysname LSRA
#
vlan batch 10
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
longest-match
#
mpls ldp remote-peer lsrd
remote-ip 4.4.4.4
remote-ip auto-dod-request
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
mpls ldp advertisement dod
#
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 10.1.1.2
#
return

#
sysname LSRB
#
vlan batch 10 20
#

mpls lsr-id 2.2.2.2

mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0001.00
import-route static
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 10.1.2.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
isis enable 1
#
ip route-static 1.1.1.1 255.255.255.255 10.1.1.1
#
return

#
sysname LSRC
#
vlan batch 20 30
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
isis 1
network-entity 10.0000.0000.0002.00
import-route static
#
interface Vlanif20
ip address 10.1.2.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface Vlanif30
ip address 10.1.3.1 255.255.255.0
mpls
mpls ldp
#

#
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
isis enable 1
#
ip route-static 4.4.4.4 255.255.255.255 10.1.3.2
#
return

#
sysname LSRD
#
vlan batch 30
#
mpls lsr-id 4.4.4.4
mpls
#
mpls ldp
longest-match
#
mpls ldp remote-peer lsra
remote-ip 1.1.1.1
remote-ip auto-dod-request
#
interface Vlanif30
ip address 10.1.3.2 255.255.255.0
mpls
mpls ldp
#
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
#
ip route-static 0.0.0.0 0.0.0.0 10.1.3.1
#
return
12.2.4 Example for Configuring a Policy for Triggering LSP

Establishment
As shown in Figure 12-6, an LDP LSP is automatically established when MPLS LDP is enabled
on interfaces of each LSR. On a large network, establishment of a large number of LSPs wastes
resources. The number of established LSPs needs to be controlled to save system resources.

Figure 12-6 Networking diagram for configuring a policy for triggering LSP establishment
1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1
10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24
LSRA LSRB LSRC
MPLS Network
To meet the preceding requirements, configure a policy for triggering LSP establishment on
LSRA or LSRC. The configuration roadmap is as follows:
As shown in Figure 12-6, only the FECs whose routes are 3.3.3.3/32 trigger the establishment
of LSPs on LSRA. This reduces the number of LSPs and saves network resources.
Procedure
Step 1 Configure an LDP LSP.
After a local LDP session is configured according to Example for Configuring Local LDP
Sessions, LSRs establish LSPs based on the host IP routes with the 32-bit addresses (default
triggering policy).
# Run the display mpls ldp lsp command on the LSRs, and the command outputs show that all
the host routes trigger the establishment of LDP LSPs.
LDP LSP Information

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
1.1.1.1/32 3/NULL 2.2.2.2 127.0.0.1 InLoop0
*1.1.1.1/32 Liberal/3 DS/2.2.2.2
2.2.2.2/32 NULL/3 - 10.1.1.2 Vlanif10
2.2.2.2/32 1024/3 2.2.2.2 10.1.1.2 Vlanif10
3.3.3.3/32 NULL/1025 - 10.1.1.2 Vlanif10
3.3.3.3/32 1022/1025 2.2.2.2 10.1.1.2 Vlanif10
------------------------------------------------------------------------------
A '*' before a UpstreamPeer means the session is state
A '*' before a DS means the session is state
Step 2 Configure an IP prefix list based on the LSP establishment control. Use this IP prefix list on
LSRA to filter out LSP routes.
# Configure an IP prefix list on LSRA to allow only 3.3.3.3/32 on LSRC to establish LSPs.

[LSRA] ip ip-prefix FilterOnIngress permit 3.3.3.3 32

[LSRA] mpls
[LSRA-mpls] lsp-trigger ip-prefix FilterOnIngress
[LSRA-mpls] quit
# Run the display mpls ldp lsp command on each node to view the establishment of the LDP
LSPs. LSRA is used as an example.
LDP LSP Information

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
2.2.2.2/32 1024/3 2.2.2.2 10.1.1.2 Vlanif10
3.3.3.3/32 NULL/1025 - 10.1.1.2 Vlanif10
3.3.3.3/32 1022/1025 2.2.2.2 10.1.1.2 Vlanif10
------------------------------------------------------------------------------
The preceding command output shows that only the LDP LSP to the destination 3.3.3.3/32 that
takes LSRA as the ingress node exists on each node. This is because the IP prefix list is
configured.
----End
Configuration Files
#
sysname LSRA
#
vlan batch 10
#
mpls lsr-id 1.1.1.1
mpls
lsp-trigger ip-prefix FilterOnIngress
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255

#
ip ip-prefix FilterOnIngress index 10 permit 3.3.3.3 32
#
return

#
sysname LSRB
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return

#
sysname LSRC
#
vlan batch 20
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255

#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.1.0 0.0.0.255
#
return
12.2.5 Example for Configuring a Policy for Triggering Transit LSP

Establishment
On an MPLS network shown in Figure 12-7, an LDP LSP is automatically established when
MPLS LDP is enabled on interfaces of each LSR. On a large network, establishment of a large
number of LSPs wastes resources. The number of established LSPs needs to be controlled to
save system resources.
Figure 12-7 Networking diagram for configuring a policy for triggering transit LSP
establishment
Loopback0 Loopback0
2.2.2.9/32 3.3.3.9/32
GE0/0/2 GE0/0/1
10.2.1.1/24 10.2.1.2/24
LSRB LSRC
VLANIF20 VLANIF20
GE0/0/1 GE0/0/2
10.1.1.2/24 VLANIF10 VLANIF30
10.3.1.1/24
GE0/0/1 GE0/0/1
10.1.1.1/24 VLANIF10 VLANIF30 10.3.1.2/24
LSRA LSRD
Loopback0 Loopback0
1.1.1.9/32 4.4.4.9/32
MPLS Network
To meet the preceding requirements, configure a policy for triggering transit LSP establishment.
As shown in Figure 12-7, only the FECs whose routes are 4.4.4.9/32 trigger the establishment
of transit LSPs on LSRB. This reduces the number of LSPs and saves network resources.

Procedure
# Configure LSRA.
[LSRA] vlan 10
[LSRA-vlan10] quit
# Configure LSRA.
[LSRA] ospf 1
[LSRA-ospf-1] quit
Step 3 Configure basic MPLS and MPLS LDP functions on the nodes and interfaces
# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] quit
[LSRA] mpls ldp
[LSRD] display mpls ldp lsp
LDP LSP Information

-------------------------------------------------------------------------------

-------------------------------------------------------------------------------
1.1.1.9/32 NULL/4110 - 10.3.1.1 Vlanif30
1.1.1.9/32 4100/4110 3.3.3.9 10.3.1.1 Vlanif30
3.3.3.9/32 NULL/3 - 10.3.1.1 Vlanif30
3.3.3.9/32 1026/3 3.3.3.9 10.3.1.1 Vlanif30
4.4.4.9/32 3/NULL 3.3.3.9 127.0.0.1 InLoop0
*4.4.4.9/32 Liberal/3 DS/3.3.3.9
------------------------------------------------------------------------------
Step 4 Configure an IP prefix list on transit node LSRB to filter out routes on transit node LSRB.
# Configure the IP prefix list on transit node LSRB to allow only 4.4.4.9/32 on LSRD to establish
the transit LSP.
[LSRB] ip ip-prefix FilterOnTransit permit 4.4.4.9 32
[LSRB] mpls ldp
[LSRB-mpls-ldp] propagate mapping for ip-prefix FilterOnTransit
LDP LSP Information

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
1.1.1.9/32 3/NULL 2.2.2.9 127.0.0.1 InLoop0
*1.1.1.9/32 Liberal/3 DS/2.2.2.9
2.2.2.9/32 NULL/3 - 10.1.1.2 Vlanif10
2.2.2.9/32 1024/3 2.2.2.9 10.1.1.2 Vlanif10
4.4.4.9/32 NULL/4118 - 10.1.1.2 Vlanif10
4.4.4.9/32 4105/4118 2.2.2.9 10.1.1.2 Vlanif10
------------------------------------------------------------------------------
The preceding command output shows that only the LDP LSPs to the destination 2.2.2.9/32 and
4.4.4.9/32 that take LSRA as the ingress node exists on each node, and other LDP LSPs that do
not take LSRA as the ingress node exist on each node. This is because the IP prefix list is
configured.
----End
Configuration Files

#
sysname LSRA
#
vlan batch 10
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
interface LoopBack0
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

#
sysname LSRB
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.9
mpls
#
mpls ldp
propagate mapping for ip-prefix FilterOnTransit
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255

#
ip ip-prefix FilterOnTransit index 10 permit 4.4.4.9 32
#
return

#
sysname LSRC
#
vlan batch 20 30
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.3.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
#
return

#
sysname LSRD
#
vlan batch 30
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 10.3.1.2 255.255.255.0
mpls
mpls ldp
#
#
interface LoopBack0
ip address 4.4.4.9 255.255.255.255

#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 10.3.1.0 0.0.0.255
#
return
12.2.6 Example for Disabling Devices from Distributing LDP

Labels to Remote Peers
As shown in Figure 12-8, PE1, PE2, and PE3 are connected through P, and IS-IS runs among
devices. PE1 uses the public network LSP to establish remote LDP sessions with PE2 and PE3
to transmit private network label information. Dynamic Pseudo Wires (PWs) are established
between PE1 and PE2, between PE1 and PE3.
On an MPLS network, LDP transmits private network label and distributes common LDP labels
to remote peers. Multiple remote LDP peers on the network lead to a large number of null labels,
which occupies many system resources. The label distribution to remote LDP peers needs to be
controlled to save system resources.
Figure 12-8 Networking diagram for disabling devices from distributing LDP labels to remote
peers
Loopback 0
5.5.5.5/32
PE2
AN 1.1 /3
Loopback 0
AN 1.2 /1
IF /24
VL .1. 0/0
IF /24
VL .1. 0/0
20
1.1.1.1/32
20 GE
20
20 GE
GE0/0/1
10.1.1.2/24
VLANIF10 Loopback 0
GE0/0/1 2.2.2.2/32
P G G
PE1 10.1.1.1/24 30 E 30 E
VLANIF10 VL .1. 0/0 V .1. 0/0
AN 1.1 /2 LA 1.2 /1
IF /24 N /2
IF 4
30 30
PE3
Loopback 0
4.4.4.4/32

To meet the preceding requirements, disable devices from distributing LDP labels to remote
peers. The configuration roadmap is as follows:
Disable devices from distributing LDP labels to remote peers on PEs to prohibit them from
distributing common LDP labels to each other.
Procedure
Step 1 Create VLANs and VLANIF interfaces on the switch,configure IP addresses for the VLANIF
# Configure PE1.
[PE1] interface loopback 0
[PE1-LoopBack0] ip address 1.1.1.1 32
[PE1-LoopBack0] quit
[PE1] vlan 10
[PE1-vlan10] quit
[PE1-Vlanif10] ip address 10.1.1.1 24
[PE1-Vlanif10] quit
The configurations of P, PE2, and PE3 are similar to the configuration of PE1, and are not
mentioned here.
Step 2 Configure IS-IS to advertise the network segments connecting to interfaces on each node and
# Configure PE1.
[PE1] isis 1
[PE1-isis-1] is-level level-2
[PE1-isis-1] network-entity 86.4501.0010.0100.0001.00
[PE1-isis-1] quit
[PE1-Vlanif10] isis enable 1
[PE1-Vlanif10] quit
[PE1-LoopBack0] isis enable 1
# Configure P.
[P] isis 1
[P-isis-1] is-level level-2
[P-isis-1] network-entity 86.4501.0030.0300.0003.00
[P-isis-1] quit
[P-Vlanif10] isis enable 1
[P-Vlanif10] quit
[P-Vlanif20] quit
[P-Vlanif30] quit

[P] interface loopback 0

[P-LoopBack0] isis enable 1
[P-LoopBack0] quit
# Configure PE2.
[PE2] isis 1
[PE2-isis-1] quit
[PE2-Vlanif20] quit
# Configure PE3.
[PE3] isis 1
[PE3-isis-1] quit
[PE3-Vlanif30] quit
Step 3 Enable MPLS and MPLS LDP on each node and each interface.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif10] mpls
[PE1-Vlanif10] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif10] mpls
[P-Vlanif10] quit
[P-Vlanif20] mpls
[P-Vlanif20] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
# Configure PE2.
[PE2] mpls

[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif20] mpls
[PE2-Vlanif20] quit
# Configure PE3.
[PE3] mpls
[PE3-mpls] quit
[PE3] mpls ldp
[PE3-mpls-ldp] quit
[PE3-Vlanif30] mpls
[PE3-Vlanif30] quit
When the configurations are complete, LDP sessions and public network LSPs are established
between neighboring nodes. Run the display mpls ldp session command on each node. The
command output shows that LDP session status is Operational. PE1 is used as an example

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Run the display mpls ldp lsp command to check the LSP setup result and label distribution.
[PE1] display mpls ldp lsp
LDP LSP Information

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
1.1.1.1/32 3/NULL 2.2.2.2 127.0.0.1 InLoop0
*1.1.1.1/32 Liberal/1025 DS/2.2.2.2
2.2.2.2/32 NULL/3 - 10.1.1.2 Vlanif10
2.2.2.2/32 1024/3 2.2.2.2 10.1.1.2 Vlanif10
4.4.4.4/32 NULL/1024 - 10.1.1.2 Vlanif10
4.4.4.4/32 1025/1024 2.2.2.2 10.1.1.2 Vlanif10
5.5.5.5/32 NULL/1026 - 10.1.1.2 Vlanif10
5.5.5.5/32 1022/1026 2.2.2.2 10.1.1.2 Vlanif10
-------------------------------------------------------------------------------
Step 4 Set up the remote MPLS LDP peer relationship between PEs at both ends of the PW.
# Configure PE1.
[PE1] mpls ldp remote-peer pe2
[PE1-mpls-ldp-remote-pe2] remote-ip 5.5.5.5

[PE1-mpls-ldp-remote-pe2] quit
# Configure PE2.
# Configure PE3.
When the configurations are complete, remote LDP sessions are established between
neighboring PEs. Run the display mpls ldp session command on each node. The command
output shows that LDP session status is Operational. PE1 is used as an example

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Run the display mpls ldp lsp command to view the label distribution. The command output
shows that PEs have distributed liberal labels to their own remote neighbors. These labels,
however, are idle and occupy many system resources in MPLS L2VPN applications that use
PWE3 technology.
LDP LSP Information

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
1.1.1.1/32 3/NULL 2.2.2.2 127.0.0.1 InLoop0
1.1.1.1/32 3/NULL 5.5.5.5 127.0.0.1 InLoop0
1.1.1.1/32 3/NULL 4.4.4.4 127.0.0.1 InLoop0
*1.1.1.1/32 Liberal/1025 DS/2.2.2.2
*1.1.1.1/32 Liberal/1024 DS/5.5.5.5
*1.1.1.1/32 Liberal/1025 DS/4.4.4.4
2.2.2.2/32 NULL/3 - 10.1.1.2 Vlanif10
2.2.2.2/32 1024/3 2.2.2.2 10.1.1.2 Vlanif10
2.2.2.2/32 1024/3 5.5.5.5 10.1.1.2 Vlanif10
2.2.2.2/32 1024/3 4.4.4.4 10.1.1.2 Vlanif10
*2.2.2.2/32 Liberal/1025 DS/5.5.5.5
*2.2.2.2/32 Liberal/1024 DS/4.4.4.4
4.4.4.4/32 NULL/1024 - 10.1.1.2 Vlanif10
4.4.4.4/32 1025/1024 2.2.2.2 10.1.1.2 Vlanif10
4.4.4.4/32 1025/1024 5.5.5.5 10.1.1.2 Vlanif10
4.4.4.4/32 1025/1024 4.4.4.4 10.1.1.2 Vlanif10
*4.4.4.4/32 Liberal/1026 DS/5.5.5.5
*4.4.4.4/32 Liberal/3 DS/4.4.4.4
5.5.5.5/32 NULL/1026 - 10.1.1.2 Vlanif10
5.5.5.5/32 1022/1026 2.2.2.2 10.1.1.2 Vlanif10

5.5.5.5/32 1022/1026 5.5.5.5 10.1.1.2 Vlanif10

5.5.5.5/32 1022/1026 4.4.4.4 10.1.1.2 Vlanif10
*5.5.5.5/32 Liberal/3 DS/5.5.5.5
*5.5.5.5/32 Liberal/1026 DS/4.4.4.4
-------------------------------------------------------------------------------
Step 5 Disable devices from distributing LDP labels to remote peers on PEs at both ends of a PW.
# Configure PE1.
[PE1-mpls-ldp-remote-pe2] remote-ip 5.5.5.5 pwe3
# Configure PE2.
# Configure PE3.
When the configurations are complete, PEs do not distribute labels to remote LDP peers. Run
the display mpls ldp lsp command on each node to view the established LSP after devices from
distributing LDP labels to remote peers is disabled. PE1 is used as an example.
LDP LSP Information

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
1.1.1.1/32 3/NULL 2.2.2.2 127.0.0.1 InLoop0
2.2.2.2/32 NULL/3 - 10.1.1.2 Vlanif10
2.2.2.2/32 1024/3 2.2.2.2 10.1.1.2 Vlanif10
*2.2.2.2/32 Liberal/1025 DS/5.5.5.5
4.4.4.4/32 NULL/1024 - 10.1.1.2 Vlanif10
4.4.4.4/32 1025/1024 2.2.2.2 10.1.1.2 Vlanif10
5.5.5.5/32 NULL/1026 - 10.1.1.2 Vlanif10
5.5.5.5/32 1022/1026 2.2.2.2 10.1.1.2 Vlanif10
-------------------------------------------------------------------------------

A large number of idle remote labels and LSPs are disabled. The LSPs are established based on
the local LDP sessions.
----End
Configuration Files
#
sysname PE1
#
vlan batch 10
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
mpls ldp remote-peer pe3
remote-ip 4.4.4.4 pwe3
#
#
isis 1
is-level level-2
network-entity 86.4501.0010.0100.0001.00
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
isis enable 1
#
return
l Configuration file of the P

#
sysname P
#
vlan batch 10 20 30
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
isis 1
is-level level-2
network-entity 86.4501.0030.0300.0003.00
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#

interface Vlanif20
ip address 20.1.1.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface Vlanif30
ip address 30.1.1.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
#
#
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
isis enable 1
#
return

#
sysname PE2
#
vlan batch 20
#
mpls lsr-id 5.5.5.5
mpls
#
mpls ldp
#
#
isis 1
is-level level-2
network-entity 86.4501.0050.0500.0005.00
#
interface Vlanif20
ip address 20.1.1.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#
#
interface LoopBack0
ip address 5.5.5.5 255.255.255.255
isis enable 1
#
return

#
sysname PE3

#
vlan batch 30
#
mpls lsr-id 4.4.4.4
mpls
#
mpls ldp
#
#
isis 1
is-level level-2
network-entity 86.4501.0040.0400.0004.00
#
interface Vlanif30
ip address 30.1.1.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#
#
interface LoopBack0
ip address 4.4.4.4 255.255.255.255
isis enable 1
#
return
12.2.7 Example for Configuring Static BFD to Detect LDP LSPs
On a simple and stable network shown in Figure 12-9, the path PE1 -> P1 -> PE2 is an LDP
LSP, while the path PE2 -> P2 -> PE1 is an IP link. It takes an interface a long period to detect
a fault on the connected link. Connectivity check on the LSP is required. If a fault occurs on the
LSP, PE1 can receive the fault report within 500 ms.

Figure 12-9 Networking diagram of configuring static BFD for LDP LSPs
Loopback1
2.2.2.2/32
G
0 /1 4 10 E0/
/
0 /2 .2 0/
GE .1.2 0 VL .1.1/ 2
.1 1 AN 24 G
Loopback1 /1 10 NIF P1 IF2 10 E0/ Loopback1
/0 4 A 0 . 0
1.1.1.1/32 E0 .1/2 L 2 / 4.4.4.4/32
G .1 0
V VL .1.2 1
.1 1 A /2
10 ANIF LDP LSP
NI
F2
4
V L 0
VL
AN 0
PE1 10 GE0 IF30 NIF4 2 PE2
A /
.3. /0/2
1.1 VL VL E0/0 /24
AN 0 G .1.2
/24 IF3 P2 I F4 .4
GE 0 LAN 10
10 0/ V /2
.3. 0/1
1.2 E 0/0 /24
/24 G .1.1
.4
10
Loopback1
3.3.3.3/32
To meet the preceding requirements, configure static BFD to detect LDP LSPs. The
1. Configure BFD that can quickly check connectivity of the LDP LSP.
2. Configure static BFD for LDP LSP because the network is stable and IP addresses of
devices do not change. Configure BFD sessions on PE1 and PE2.
3. Adjust BFD parameters to enable PE1 to receive a fault report within 500 ms.
Procedure
# Configure PE1.
[PE1] vlan batch 10 30


[PE1-Vlanif10] quit
[PE1-Vlanif30] quit
The configurations of P1, P2, and PE2 are similar to the configuration of PE1, and are not
mentioned here.
# Configure PE1.
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
The configurations of P1, P2, and PE2 are similar to the configuration of PE1, and are not
mentioned here.
Step 3 Set up an LDP LSP whose path is PE1 -> P1 -> PE2.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif10] mpls
[PE1-Vlanif10] quit
# Configure P1.
[P1] mpls
[P1-mpls] quit
[P1] mpls ldp
[P1-mpls-ldp] quit
[P1-Vlanif10] mpls
[P1-Vlanif10] mpls ldp
[P1-Vlanif10] quit
[P1-Vlanif20] mpls
[P1-Vlanif20] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif20] mpls
[PE2-Vlanif20] quit

# Run the display mpls ldp lsp command. The command output shows that an LDP LSP destined
for 4.4.4.4/32 is set up on PE1.
LDP LSP Information

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
1.1.1.1/32 3/NULL 2.2.2.2 127.0.0.1 InLoop0
*1.1.1.1/32 Liberal/3 DS/2.2.2.2
2.2.2.2/32 NULL/3 - 10.1.1.2 Vlanif10
2.2.2.2/32 1024/3 2.2.2.2 10.1.1.2 Vlanif10
4.4.4.4/32 NULL/1025 - 10.1.1.2 Vlanif10
4.4.4.4/32 1022/1025 2.2.2.2 10.1.1.2 Vlanif10
-------------------------------------------------------------------------------
Step 4 Enable global BFD on the two nodes of the detected link.
# Configure PE1.
[PE1] bfd
[PE1-bfd] quit
# Configure PE2.
[PE2] bfd
[PE2-bfd] quit
Step 5 Bind the BFD session destined for the LDP LSP on the ingress node. Set the interval for sending
and receiving packets to both 100 ms. Configure the port status table to be changeable.
# Configure PE1.
[PE1] bfd pe1tope2 bind ldp-lsp peer-ip 4.4.4.4 nexthop 10.1.1.2 interface vlanif
10
[PE1-bfd-lsp-session-pe1tope2] discriminator local 1
[PE1-bfd-lsp-session-pe1tope2] discriminator remote 2
[PE1-bfd-lsp-session-pe1tope2] min-tx-interval 100
[PE1-bfd-lsp-session-pe1tope2] min-rx-interval 100
[PE1-bfd-lsp-session-pe1tope2] process-pst
[PE1-bfd-lsp-session-pe1tope2] commit
[PE1-bfd-lsp-session-pe1tope2] quit
Step 6 On PE2, configure a BFD session that is bound to the IP link to notify PE1 of the detected faults
on the LDP LSP.
# Configure PE2.
[PE2] bfd pe2tope1 bind peer-ip 1.1.1.1
[PE2-bfd-session-pe2tope1] min-tx-interval 100
[PE2-bfd-session-pe2tope1] min-rx-interval 100

# Run the display bfd session all verbose command on PE1. The command output shows that
the State field is displayed as Up and the BFD Bind Type field is displayed as LDP_LSP.
--------------------------------------------------------------------------------
Session MIndex : 4094 State : Up Name : pe1tope2
--------------------------------------------------------------------------------
BFD Bind Type : LDP_LSP
LSP Token : 0x10000
Active Multi : 3
--------------------------------------------------------------------------------
# Run the display bfd session all verbose command on PE2, and the command output that the
(Multi Hop) State field is displayed as Up and the BFD Bind Type field is displayed as Peer
IP Address.
--------------------------------------------------------------------------------
Session MIndex : 4097 (Multi Hop) State : Up Name : pe2tope1
--------------------------------------------------------------------------------
Bind Interface : -
Track Interface : -
Active Multi : 3
--------------------------------------------------------------------------------

----End
Configuration Files
#
sysname PE1
#
vlan batch 10 30
#
bfd
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
interface Vlanif30
ip address 10.3.1.1 255.255.255.0
#
#
#
interface LoopBack1
ip address 1.1.1.1 255.255.255.255
#
bfd pe1tope2 bind ldp-lsp peer-ip 4.4.4.4 nexthop 10.1.1.2 interface vlanif 10
min-tx-interval 100
min-rx-interval 100
process-pst
commit
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
#
return
#
sysname P1
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#

interface Vlanif10
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return
#
sysname P2
#
vlan batch 30 40
#
interface Vlanif30
ip address 10.3.1.2 255.255.255.0
#
interface Vlanif40
ip address 10.4.1.1 255.255.255.0
#
#
#
interface LoopBack1
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
return

#
sysname PE2
#
vlan batch 20 40
#
bfd

#
mpls lsr-id 4.4.4.4
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 10.4.1.2 255.255.255.0
#
#
#
interface LoopBack1
ip address 4.4.4.4 255.255.255.255
#
bfd pe2tope1 bind peer-ip 1.1.1.1
min-tx-interval 100
min-rx-interval 100
commit
#
ospf 1
area 0.0.0.0
network 4.4.4.4 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
return
12.2.8 Example for Configuring Dynamic BFD to Detect LDP LSPs
On a complex and unstable network shown in Figure 12-10, LSRA, LSRB, and LSRC belong
to the same MPLS domain, and an LDP LSP is established between LSRA and LSRC. It takes
an interface a long period to detect a fault on the connected link. Connectivity check on the LSP
is required. If a fault occurs on the LSP, LSRA can receive the fault report within 500 ms.
Figure 12-10 Networking diagram of dynamic BFD for LDP LSPs

1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1
10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24
LSRA LSRB LSRC

To meet the preceding requirements, configure dynamic BFD to detect LDP LSPs. The
1. Configure BFD that can quickly check connectivity of the LDP LSP.
2. Configure dynamic BFD for LDP LSPs, and configure BFD sessions on LSRA and LSRC.
3. Adjust BFD parameters to enable LSRA to receive a fault report within 500 ms.
Procedure
Step 3 Create an LDP LSP between LSRA and LSRC.
# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] quit
[LSRA] mpls ldp
[LSRA-mpl-ldp] quit
# Configure LSRB.
[LSRB] mpls
[LSRB-mpls] quit
[LSRB] mpls ldp
[LSRB-mpl-ldp] quit
# Configure LSRC.
[LSRC] mpls
[LSRC-mpls] quit
[LSRC] mpls ldp
[LSRC-mpl-ldp] quit

After the configuration is complete, run the display mpls ldp lsp command on LSRA. The
command output shows that an LDP LSP is set up between LSRA and LSRC. LSRA is used as
an example.
LDP LSP Information

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
1.1.1.1/32 3/NULL 2.2.2.2 127.0.0.1 InLoop0
*1.1.1.1/32 Liberal/3 DS/2.2.2.2
2.2.2.2/32 NULL/3 - 10.1.1.2 Vlanif10
2.2.2.2/32 1024/3 2.2.2.2 10.1.1.2 Vlanif10
3.3.3.3/32 NULL/1025 - 10.1.1.2 Vlanif10
3.3.3.3/32 1025/1025 2.2.2.2 10.1.1.2 Vlanif10
-------------------------------------------------------------------------------
Step 4 Configure dynamic BFD to detect the connectivity of the LDP LSP between LSRA and LSRC.
# Configure an FEC list on LSRA to ensure that BFD detects only the connectivity of the LDP
LSP between LSRA and LSRC.
[LSRA] fec-list tortc
[LSRA-fec-list-tortc] fec-node 3.3.3.3
# Enable BFD on LSRA, specify the FEC list that triggers BFD session establishment
dynamically, and adjust BFD parameters.
[LSRA] bfd
[LSRA-bfd] quit
[LSRA] mpls
[LSRA-mpls] mpls bfd-trigger fec-list tortc
[LSRA-mpls] mpls bfd enable
[LSRA-mpls] mpls bfd min-tx-interval 100 min-rx-interval 100
[LSRA-mpls] quit
# Enable BFD for LSPs passively on LSRC.

[LSRC] bfd
[LSRC-bfd] mpls-passive
# Run the display bfd session all verbose command to view the BFD session status that is
created dynamically.
[LSRA] display bfd session all verbose
---------------------------------------------------------------------
Session MIndex : 4095 State : Up Name : dyn_8192
---------------------------------------------------------------------
Local Discriminator: 8192 Remote Discriminator : 8192
BFD Bind Type : LDP_LSP
Bind Session Type : Dynamic

LSP Token : 0x10000

Proc interface status : Disable Process PST : Enable
Active Multi : 3
Bind Application : LSPM | LDP | L2VPN | OAM_MANAGER
-------------------------------------------------------------------
# Check the status of the BFD session created dynamically on LSRC. The BFD Bind Type field
is displayed as Peer IP Address, indicating that BFD packets sent by LSRC are transmitted
through the IP route.
[LSRC] display bfd session passive-dynamic verbose
----------------------------------------------------------------------
Session MIndex : 257 (Multi Hop) State : Up Name : dyn_8192
----------------------------------------------------------------------
Bind Session Type : Entire_Dynamic
Bind Interface : -
Proc interface status : Disable Process PST : Disable
Active Multi : 3
Bind Application : LSPV
--------------------------------------------------------------------
----End
Configuration Files
#
sysname LSRA
#
vlan batch 10
#
bfd
#

mpls lsr-id 1.1.1.1

mpls
mpls bfd enable
mpls bfd-trigger fec-list tortc
mpls bfd min-tx-interval 100 min-rx-interval 100
#
fec-list tortc
fec-node 3.3.3.3
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

#
sysname LSRB
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255

#
return

#
sysname LSRC
#
bfd
mpls-passive
#
vlan batch 20
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.1.0 0.0.0.255
#
return
12.2.9 Example for Configuring Synchronization Between LDP and

IGP
As shown in Figure 12-11, P1, P2, P3, and PE2 exist on an MPLS backbone network, and OSPF
runs between each two devices. Two LSPs are established between PE1 and PE2. The LSP PE1
-> P1 -> P2 -> PE2 is the primary LSP, while the LSP PE1 -> P1 -> P3 -> PE2 is the backup
LSP. When the primary LSP recovers, IGP traffic is switched back to the primary LSP earlier
than LDP traffic because IGP route convergence is faster than LDP convergence. As a result,
LSP traffic is lost. The LSP traffic loss needs to be prevented on the MPLS network where
primary and backup LSPs are configured.

Figure 12-11 Networking diagram for configuring synchronization between LDP and IGP
OSPF
Lookback1
Area0
2.2.2.9/32
/1 G
0/0 /24 10 E0/
GE .1.2 10 V
.2
LA .1.1/ 2
0/
.1 I F
1 10 N NI 24 GE
/0/ /24 VLA F2 10
0 P2 0 . 0 /0
GE .1.1 10 VL 2.1. /1
.1 IF AN 2/2
10 LAN IF2 4
V 0 PE2
Lookback1 Lookback1
1.1.1.9/32 4.4.4.9/32
PE1 P1 1 E0 G /2
0.3 /0 Lookback1 0 / 0 / 24
VL .1 /2 3.3.3.9/32 G E . 1. 2 F 40
AN .1/2 .4 I
IF 4 1 GE / 2 1 0 LA N
30 0 0/
VL .3.1. 0/1 E 0 /0 1 /2 4 V
AN 2/2 G .1 . 4 0
IF3 4 .4 IF
10 LAN
0 P3 V
Primary link
Bypass link
To meet the preceding requirements, configure synchronization between LDP and IGP. The
1. Enable synchronization between LDP and IGP on the interfaces at both ends of the link
between P1 (crossing node of the primary and backup LSPs) and P2 (LDP neighboring
node on the primary LSP).
2. Set the values of Hold-down timer, Hold-max-cost timer and Delay timer on the interfaces
at both ends of the link between P1 and P2.
Procedure
# Configure P1.
[HUAWEI] sysname P1
[P1] interface loopback 1
[P1-LoopBack1] ip address 1.1.1.9 32
[P1-LoopBack1] quit
[P1] interface gigabitethernet 0/0/1
[P1-GigabitEthernet0/0/1] port link-type trunk
[P1-GigabitEthernet0/0/1] port trunk allow-pass vlan 10
[P1-GigabitEthernet0/0/1] quit
[P1] interface gigabitethernet 0/0/2
[P1-GigabitEthernet0/0/2] port link-type trunk
[P1-GigabitEthernet0/0/2] port trunk allow-pass vlan 30
[P1-GigabitEthernet0/0/2] quit

[P1] vlan batch 10 30

[P1-Vlanif10] ip address 10.1.1.1 24
[P1-Vlanif10] quit
[P1-Vlanif30] ip address 10.3.1.1 24
[P1-Vlanif30] quit
The configurations of P2, P3, and PE2 are similar to the configuration of P1, and are not
mentioned here.
# Configure P1.
[P1] ospf 1
[P1-ospf-1] area 0
[P1-ospf-1-area-0.0.0.0] network 1.1.1.9 0.0.0.0
[P1-ospf-1-area-0.0.0.0] quit
[P1-ospf-1] quit
The configurations of P2, P3, and PE2 are similar to the configuration of P1, and are not
mentioned here.
Step 3 Set the cost of VLANIF 30 on P1 to 1000.

[P1-Vlanif30] ospf cost 1000
[P1-Vlanif30] quit
When the configurations are complete, run the display ip routing-table command on each node.
The command output shows that the nodes have learned routes from each other. The outbound
interface of P1-to-PE2 route is VLANIF 10. Use the display on P1 as an example.
[P1] display ip routing-table
------------------------------------------------------------------------------
2.2.2.9/32 OSPF 10 1 D 10.1.1.2 Vlanif10
3.3.3.9/32 OSPF 10 3 D 10.1.1.2 Vlanif10
4.4.4.9/32 OSPF 10 2 D 10.1.1.2 Vlanif10
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
10.2.1.0/24 OSPF 10 2 D 10.1.1.2 Vlanif10
10.3.1.0/24 Direct 0 0 D 10.3.1.1 Vlanif30
10.3.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif30
10.4.1.0/24 OSPF 10 3 D 10.1.1.2 Vlanif10
Step 4 Enable MPLS and MPLS LDP on each node and each interface.
# Configure P1.
[P1] mpls
[P1-mpls] quit
[P1] mpls ldp
[P1-mpls-ldp] quit

[P1-Vlanif10] mpls
[P1-Vlanif10] quit
[P1-Vlanif30] mpls
[P1-Vlanif30] quit
# Configure P2.
[P2] mpls
[P2-mpls] quit
[P2] mpls ldp
[P2-mpls-ldp] quit
[P2-Vlanif10] mpls
[P2-Vlanif10] quit
[P2-Vlanif20] mpls
[P2-Vlanif20] quit
# Configure P3.
[P3] mpls
[P3-mpls] quit
[P3] mpls ldp
[P3-mpls-ldp] quit
[P3-Vlanif30] mpls
[P3-Vlanif30] quit
[P3-Vlanif40] mpls
[P3-Vlanif40] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif20] mpls
[PE2-Vlanif20] quit
[PE2-Vlanif40] mpls
[PE2-Vlanif40] quit
When the configurations are complete, LDP sessions are established between neighboring nodes.
Run the display mpls ldp session command on each node. The command output shows that
LDP session status is Operational. Use the display on P1 as an example.
[P1] display mpls ldp session

------------------------------------------------------------------------------

------------------------------------------------------------------------------
2.2.2.9:0 Operational DU Active 000:00:56 227/227
------------------------------------------------------------------------------
Step 5 Enable synchronization between LDP and IGP on the interfaces at both ends of the link between
P1 and P2.
# Configure P1.
[P1-Vlanif10] ospf ldp-sync
[P1-Vlanif10] quit
# Configure P2.
[P2-Vlanif10] ospf ldp-sync
[P2-Vlanif10] quit
Step 6 Set the value of Hold-down timer on the interfaces at both ends of the link between P1 and P2.
# Configure P1.
[P1-Vlanif10] ospf timer ldp-sync hold-down 8
[P1-Vlanif10] quit
# Configure P2.
[P2-Vlanif10] ospf timer ldp-sync hold-down 8
[P2-Vlanif10] quit
Step 7 Set the value of Hold-max-cost timer on the interfaces at both ends of the link between P1 and
P2.
# Configure P1.
[P1-Vlanif10] ospf timer ldp-sync hold-max-cost 9
[P1-Vlanif10] quit
# Configure P2.
[P2-Vlanif10] ospf timer ldp-sync hold-max-cost 9
[P2-Vlanif10] quit
Step 8 Set the value of Delay timer on the interfaces at both ends of the link between P1 and P2.
# Configure P1.
[P1-Vlanif10] mpls ldp timer igp-sync-delay 6
[P1-Vlanif10] quit
# Configure P2.
[P2-Vlanif10] mpls ldp timer igp-sync-delay 6
[P2-Vlanif10] quit

Run the display ospf ldp-sync command on P1. The command output shows that the interface
status is Sync-Achieved.
[P1] display ospf ldp-sync interface vlanif 10
Interface Vlanif10
HoldDown Timer: 8 HoldMaxCost Timer: 9
LDP State: Up OSPF Sync State: Sync-Achieved
----End
Configuration Files
#
sysname P1
#
vlan batch 10 30
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
ospf ldp-sync
ospf timer ldp-sync hold-down 8
ospf timer ldp-sync hold-max-cost 9
mpls
mpls ldp
mpls ldp timer igp-sync-delay 6
#
interface Vlanif30
ip address 10.3.1.1 255.255.255.0
ospf cost 1000
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.3.1.0 0.0.0.255
#
return
#
sysname P2
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.9
mpls
#

mpls ldp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
ospf ldp-sync
ospf timer ldp-sync hold-down 8
ospf timer ldp-sync hold-max-cost 9
mpls
mpls ldp
mpls ldp timer igp-sync-delay 6
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return
#
sysname P3
#
vlan batch 30 40
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif30
ip address 10.3.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 10.4.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#

ospf 1
area 0.0.0.0
network 3.3.3.9 0.0.0.0
network 10.3.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
return

#
sysname PE2
#
vlan batch 20 40
#
mpls lsr-id 4.4.4.9
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif40
ip address 10.4.1.2 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.9 0.0.0.0
network 10.2.1.0 0.0.0.255
network 10.4.1.0 0.0.0.255
#
return
12.2.10 Example for Configuring LDP GR
As shown in Figure 12-12, MPLS LDP is deployed on the MPLS network, and LSRA, LSRB,
and LSRC are all equipped with one main control board. During the AMB/SMB switchover or
system upgrade, a neighbor deletes an LSP because the LDP session is Down. Therefore, LDP
traffic is interrupted for a short period of time. A neighbor is required not to delete an LSP during
the AMB/SMB switchover or system upgrade to ensure uninterrupted LDP traffic.

Figure 12-12 Networking diagram for configuring LDP GR

1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1
10.1.1.1/24 10.1.1.2/24 10.2.1.1/24 10.2.1.2/24
LSRA LSRB LSRC
MPLS Network
To meet the preceding requirements, configure LDP GR. The configuration roadmap is as
follows:
Enable MPLS LDP GR on each node, ensuring uninterrupted traffic in a short period of time.
Procedure
Step 1 Create VLANs and VLANIF interfaces on the switch,configure IP addresses for the VLANIF
Step 3 Configure MPLS and MPLS LDP on each node globally.
# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] quit
[LSRA] mpls ldp
# Configure LSRB.
[LSRB] mpls
[LSRB-mpls] quit
[LSRB] mpls ldp
# Configure LSRC.
[LSRC] mpls
[LSRC-mpls] quit
[LSRC] mpls ldp
Step 4 Enable MPLS and MPLS LDP on each interface of nodes.

# Configure LSRA.


# Configure LSRB.
# Configure LSRC.
When the configurations are complete, local LDP sessions are established between LSRA and
LSRB, and between LSRB and LSRC.
Run the display mpls ldp session command on each node to view the establishment of the LDP
session. LSRA is used as an example.

--------------------------------------------------------------------------
--------------------------------------------------------------------------
--------------------------------------------------------------------------
Step 5 Configure LDP GR.
# Configure LSRA.
[LSRA] mpls ldp
[LSRA-mpls-ldp] graceful-restart
Warning: All the related sessions will be deleted if the operation is performed
!Continue? (y/n)y
# Configure LSRB.
[LSRB] mpls ldp
[LSRB-mpls-ldp] graceful-restart
!Continue? (y/n)y
# Configure LSRC.
[LSRC] mpls ldp
[LSRC-mpls-ldp] graceful-restart
!Continue? (y/n)y

# Run the display mpls ldp session verbose command on the LSRs. The command output shows
that the Session FT Flag field is displayed as On. LSRA is used as an example.
[LSRA]display mpls ldp session verbose

------------------------------------------------------------------------------
Peer LDP ID : 2.2.2.2:0 Local LDP ID : 1.1.1.1:0
TCP Connection : 1.1.1.1 <- 2.2.2.2
Session State : Operational Session Role : Passive
Session FT Flag : On MD5 Flag : Off
Reconnect Timer : 300 Sec Recovery Timer : 300 Sec
Keychain Name : ---
Negotiated Keepalive Hold Timer : 45 Sec

Configured Keepalive Send Timer : ---
Keepalive Message Sent/Rcvd : 1/1 (Message Count)
Label Advertisement Mode : Downstream Unsolicited
Label Resource Status(Peer/Local) : Available/Available
Session Age : 000:00:00 (DDD:HH:MM)
Session Deletion Status : No
Capability:
Capability-Announcement : Off
Outbound&Inbound Policies applied : NULL
Addresses received from peer: (Count: 3)

10.1.1.2 10.2.1.1 2.2.2.2
------------------------------------------------------------------------------
# Or run the display mpls ldp peer verbose command on the LSRs. The command output shows
that the Peer FT Flag field is displayed as On. LSRA is used as an example.
[LSRA] display mpls ldp peer verbose
LDP Peer Information in Public network

------------------------------------------------------------------------------
Peer LDP ID : 2.2.2.2:0
Peer Max PDU Length : 4096 Peer Transport Address : 2.2.2.2
Peer Loop Detection : Off Peer Path Vector Limit : ----
Peer FT Flag : On Peer Keepalive Timer : 45 Sec
Recovery Timer : 300 Sec Reconnect Timer : 300 Sec
Peer Type : Local
Peer Label Advertisement Mode : Downstream Unsolicited

Peer Discovery Source : Vlanif10
Peer Deletion Status : No
Capability-Announcement : Off
------------------------------------------------------------------------------
----End
Configuration Files
#
sysname LSRA
#
vlan batch 10
#
mpls lsr-id 1.1.1.1

mpls
#
mpls ldp
graceful-restart
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
mpls
mpls ldp
#
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

#
sysname LSRB
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
graceful-restart
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.2.1.0 0.0.0.255
#
return

#
sysname LSRC
#
vlan batch 20
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
graceful-restart
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.0
mpls
mpls ldp
#
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.1.0 0.0.0.255
#
return
12.2.11 Example for Configuring LDP GTSM
On an MPLS network shown in Figure 12-13, MPLS and MPLS LDP run between each two
nodes. Attackers may simulate LDP unicast packets and send the packets to LSRB. LSRB
becomes busy processing these packets, causing high CPU usage. The preceding problems need
to be addressed to protect nodes and enhance system security.
Figure 12-13 Networking diagram for configuring LDP GTSM

1.1.1.1/32 2.2.2.2/32 3.3.3.3/32
GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1
10.1.1.1/30 10.1.1.2/30 10.2.1.1/30 10.2.1.2/30
LSRA LSRB LSRC

MPLS Network
To meet the preceding requirements, configure LDP GTSM. The configuration roadmap is as
follows:

Configure the LDP GTSM function on LSRs and set the TTL range.
Procedure
Step 3 Enable MPLS and MPLS LDP on each node and each interface of nodes.
When the configurations are complete, run the display mpls ldp session command on each node
to view the established LDP session. LSRA is used as an example.

------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 4 Configure LDP GTSM.

# On LSRA, configure the TTL values carried in LDP packets received from LSRB to range
from 253 to 255.
[LSRA] mpls ldp
[LSRA-mpls-ldp] gtsm peer 2.2.2.2 valid-ttl-hops 3
# On LSRB, configure the TTL values carried in the LDP packets received from LSRA to range
from 252 to 255, and the TTL values carried in LDP packets received from LSRC to range from
251 to 255.
[LSRB] mpls ldp
[LSRB-mpls-ldp] gtsm peer 1.1.1.1 valid-ttl-hops 4
[LSRB-mpls-ldp] gtsm peer 3.3.3.3 valid-ttl-hops 5
# On LSRC, configure the TTL values carried in LDP packets received from LSRB to range
from 250 to 255.
[LSRC] mpls ldp
[LSRC-mpls-ldp] gtsm peer 2.2.2.2 valid-ttl-hops 6
If a host simulates the LDP packets of LSRA to attack LSRB, LSRB directly discards the packets
because the TTL values carried in the LDP packets are beyond the range of 252 to 255. In the
GTSM statistics on LSRB, the number of discarded packets increases.
----End

Configuration Files
#
sysname LSRA
#
vlan batch 10
#
mpls lsr-id 1.1.1.1
mpls
#
mpls ldp
gtsm peer 2.2.2.2 valid-ttl-hops 3
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack0
ip address 1.1.1.1 255.255.255.255
#
#
ospf 1
area 0.0.0.0
network 1.1.1.1 0.0.0.0
network 10.1.1.0 0.0.0.3
#
return

#
sysname LSRB
#
vlan batch 10 20
#
mpls lsr-id 2.2.2.2
mpls
#
mpls ldp
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.252
mpls
mpls ldp
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.252
mpls
mpls ldp
#
interface LoopBack0
ip address 2.2.2.2 255.255.255.255
#
#
#

ospf 1
area 0.0.0.0
network 2.2.2.2 0.0.0.0
network 10.1.1.0 0.0.0.3
network 10.2.1.0 0.0.0.3
#
return

#
sysname LSRC
#
vlan batch 20
#
mpls lsr-id 3.3.3.3
mpls
#
mpls ldp
#
interface Vlanif20
ip address 10.2.1.2 255.255.255.252
mpls
mpls ldp
#
interface LoopBack0
ip address 3.3.3.3 255.255.255.255
#
#
ospf 1
area 0.0.0.0
network 3.3.3.3 0.0.0.0
network 10.2.1.0 0.0.0.3
#
return
12.2.12 Example for Configuring LDP Extension for Inter-Area LSP
On a large network, multiple IGP areas need to be configured for flexible network deployment
and fast route convergence. When advertising routes between IGP areas, to prevent a large
number of routes from consuming too many resources, an Area Border Router (ABR) needs to
aggregate the routes in the area and advertises the aggregated route to the neighboring IGP areas.
By default, when establishing LSPs, LDP searches the routing table for the route that exactly
matches the FEC in the received Label Mapping message. If the route is an aggregated route,
LDP establishes only a liberal LSP, not an inter-area LSP.
As shown in Figure 12-14, IS-IS runs between devices. Two IGP areas Area 10 and Area 20
exist. LSRD aggregates routes from LSRB and LSRC and sends the aggregated route to Area
20. Two inter-area LSPs need to be established: one is from LSRA to LSRB and the other is
from LSRA to LSRC.

Figure 12-14 Networking diagram for configuring LDP extension for inter-area LSP
Loopback0
1.3.0.1/32
/3
E 0/0 /24 1
Loopback0 Loopback0 G .1.1 0 /0/ /24 LSRB
. 1 F 3 0
1.1.0.1/32 GE0/0/1 1.2.0.1/32 20 NI GE . 1 . 2 3 0
A
10.1.1.1/24 VL G 0 . 1 NI F IS-IS
VLANIF10 20 E0/ 2 LA
.1. 0/2 V Area10
VL 2.
GE0/0/1 AN 1/2
LSRA 10.1.1.2/24 LSRD I F2 4
0 Loopback0
VLANIF10 1.3.0.2/32
IS-IS GE
Area20 20 0/
. 0
V L 1 .2 . /1
AN 2/2
I F2 4
0 LSRC
To meet the preceding requirements, configure LDP extension for inter-area LSP. The
Configure LDP extension for inter-area LSP on LSRA to enable LDP to search for a route
according to the longest match rule to establish an LDP LSP.
Procedure
# Configure LSRA.
[LSRA] vlan 10
[LSRA-vlan10] quit

# Configure LSRA.
[LSRA] isis 1
[LSRA-isis-1] is-level level-2
[LSRA-isis-1] network-entity 20.0010.0100.0001.00
[LSRA-isis-1] quit
[LSRA-Vlanif10] isis enable 1
[LSRA-LoopBack0] isis enable 1
# Configure LSRD.
[LSRD] isis 1
[LSRD-isis-1] network-entity 10.0010.0200.0001.00
[LSRD-isis-1] quit
[LSRD-Vlanif10] isis enable 1
[LSRD-Vlanif10] isis circuit-level level-2
[LSRD] interface loopback 0
[LSRD-LoopBack0] isis enable 1
[LSRD-LoopBack0] quit
# Configure LSRB.
[LSRB] isis 1
[LSRB-isis-1] is-level level-1
[LSRB-isis-1] network-entity 10.0010.0300.0001.00
[LSRB-isis-1] quit
# Configure LSRC.
[LSRC] isis 1
[LSRC-isis-1] is-level level-1
[LSRC-isis-1] network-entity 10.0010.0300.0002.00
[LSRC-isis-1] quit
# Run the display ip routing-table command on LSRA to check routing information.


------------------------------------------------------------------------------

1.2.0.1/32 ISIS-L2 15 10 D 10.1.1.2 Vlanif10
1.3.0.1/32 ISIS-L2 15 20 D 10.1.1.2 Vlanif10
1.3.0.2/32 ISIS-L2 15 20 D 10.1.1.2 Vlanif10
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
20.1.1.0/24 ISIS-L2 15 20 D 10.1.1.2 Vlanif10
20.1.2.0/24 ISIS-L2 15 20 D 10.1.1.2 Vlanif10
Step 3 Configure a policy for generating the aggregated route.
# Run the summary command on LSRD to aggregate host routes that are destined for LSRB
and LSRC.
[LSRD] isis 1
[LSRD-isis-1] summary 1.3.0.0 255.255.255.0 avoid-feedback
# Run the display ip routing-table command on LSRA to check routing information.

------------------------------------------------------------------------------

1.2.0.1/32 ISIS-L2 15 10 D 10.1.1.2 Vlanif10
1.3.0.0/24 ISIS-L2 15 20 D 10.1.1.2 Vlanif10
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif10
10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif10
20.1.1.0/24 ISIS-L2 15 20 D 10.1.1.2 Vlanif10
20.1.2.0/24 ISIS-L2 15 20 D 10.1.1.2 Vlanif10
The command output shows that host routes that are destined for LSRB and LSRC are
aggregated.
Step 4 Configure global and interface-based MPLS and MPLS LDP on each node so that the network
can forward MPLS traffic. Then check the LSP setup result.
# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] quit
[LSRA] mpls ldp
# Configure LSRD.

[LSRD] mpls lsr-id 1.2.0.1

[LSRD] mpls
[LSRD-mpls] quit
[LSRD] mpls ldp
[LSRD-mpls-ldp] quit
[LSRD-Vlanif10] mpls ldp
# Configure LSRB.
[LSRB] mpls
[LSRB-mpls] quit
[LSRB] mpls ldp
# Configure LSRC.
[LSRC] mpls
[LSRC-mpls] quit
[LSRC] mpls ldp
# When the configurations are complete, run the display mpls lsp command on LSRA to view
the established LSP.
[LSRA] display mpls lsp
-------------------------------------------------------------------------------
LSP Information: LDP LSP
-------------------------------------------------------------------------------
FEC In/Out Label In/Out IF Vrf Name
1.2.0.1/32 NULL/3 -/Vlanif10
1.2.0.1/32 1024/3 -/Vlanif10
1.1.0.1/32 3/NULL -/-
The command output shows that by default, LDP does not establish the inter-area LSPs from
LSRA to LSRB and from LSRA to LSRC.
Step 5 Configure LDP extension for inter-area LSP.
# Run the longest-match command on LSRA to configure LDP to search for a route according
[LSRA] mpls ldp
[LSRA-mpls-ldp] longest-match

# Run the display mpls lsp command on LSRA to view the established LSP.
-------------------------------------------------------------------------------
LSP Information: LDP LSP
-------------------------------------------------------------------------------
1.2.0.1/32 NULL/3 -/Vlanif10
1.2.0.1/32 1024/3 -/Vlanif10
1.3.0.1/32 NULL/1025 -/Vlanif10
1.3.0.1/32 1025/1025 -/Vlanif10
1.3.0.2/32 NULL/1026 -/Vlanif10
1.3.0.2/32 1026/1026 -/Vlanif10
1.1.0.1/32 3/NULL -/-
The command output shows that LDP establishes the inter-area LSPs from LSRA to LSRB and
from LSRA to LSRC.
----End
Configuration Files
#
sysname LSRA
#
vlan batch 10
#
mpls lsr-id 1.1.0.1
mpls
#
mpls ldp
longest-match
#
isis 1
is-level level-2
network-entity 20.0010.0100.0001.00
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
#
interface LoopBack0
ip address 1.1.0.1 255.255.255.255
isis enable 1
#
return

#
sysname LSRD
#
vlan batch 10 20 30
#
mpls lsr-id 1.2.0.1
mpls
#

mpls ldp
#
isis 1
network-entity 10.0010.0200.0001.00
summary 1.3.0.0 255.255.255.0 avoid-feedback
#
interface Vlanif10
ip address 10.1.1.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface Vlanif20
ip address 20.1.2.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
interface Vlanif30
ip address 20.1.1.1 255.255.255.0
isis enable 1
mpls
mpls ldp
#
#
#
#
interface LoopBack0
ip address 1.2.0.1 255.255.255.255
isis enable 1
#
return

#
sysname LSRB
#
vlan batch 30
#
mpls lsr-id 1.3.0.1
mpls
#
mpls ldp
#
isis 1
is-level level-1
network-entity 10.0010.0300.0001.00
#
interface Vlanif30
ip address 20.1.1.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#


#
interface LoopBack0
ip address 1.3.0.1 255.255.255.255
isis enable 1
#
return

#
sysname LSRC
#
vlan batch 20
#
mpls lsr-id 1.3.0.2
mpls
#
mpls ldp
#
isis 1
is-level level-1
network-entity 10.0010.0300.0002.00
#
interface Vlanif20
ip address 20.1.2.2 255.255.255.0
isis enable 1
mpls
mpls ldp
#
#
interface LoopBack0
ip address 1.3.0.2 255.255.255.255
isis enable 1
#
return
12.2.13 Example for Configuring MPLS QoS
Enterprises A and B connect their headquarters to branches by deploying the BGP/MPLS IP
VPN. As shown in Figure 12-15, CE1 and CE3 connect branches to the headquarters of
Enterprise A, and CE2 and CE4 connect branches to the headquarters of Enterprise B. Enterprise
A uses vpna and Enterprise B uses vpnb.
The service quality of video conferences (whose DSCP priority is 32) needs to be ensured and
better QoS guarantee is required for services of Enterprise A.

Figure 12-15 Networking diagram for configuring MPLS QoS
AS: 65410 AS: 65430

vpna vpna
GE0/0/1 CE1 CE3

GE0/0/1
VLANIF 10 VLANIF 40
10.1.1.1/24 10.3.1.1/24
Loopback1
GE0/0/1 2.2.2.9/32 GE0/0/1
10.1.1.2/24 PE1 VLANIF30 VLANIF60 PE2 10.3.1.2/24
Loopback1 172.1.1.2/24 172.2.1.1/24 Loopback1
1.1.1.9/32 GE0/0/3 GE0/0/3 3.3.3.9/32
GE0/0/2 VLANIF30 P VLANIF60 GE0/0/2
VLANIF20 172.1.1.1/24 AS: 100 172.2.1.2/24 VLANIF50
10.2.1.2/24 10.4.1.2/24
MPLS backbone
GE0/0/1 GE0/0/1
VLANIF 20 VLANIF 50
10.2.1.1/24 10.4.1.1/24
CE2 CE4
vpnb vpnb
AS: 65420 AS: 65440
To meet the preceding requirements, configure MPLS QoS. The configuration roadmap is as
follows:
1. Configure DiffServ domains on PE1 and PE2, and map DSCP priority 32 to MPLS EXP
5 to preferentially ensure video quality.
2. Enable the pipe mode on vpna and vpnb. Set the MPLS EXP values of vpna and vpnb to 4
and 3 respectively to provide better QoS guarantee for services of Enterprise A.
Procedure
Step 1 Configure OSPF on the MPLS backbone network so that PE and P can communicate with each
other.
# Configure PE1.

[PE1] vlan batch 10 20 30
[PE1-Vlanif30] quit
[PE1] ospf 1
[PE1-ospf-1] area 0
[PE1-ospf-1] quit
# Configure P.
[HUAWEI] sysname P
[P] interface loopback 1
[P-LoopBack1] ip address 2.2.2.9 32
[P-LoopBack1] quit
[P] vlan batch 30 60
[P] interface gigabitethernet 0/0/1
[P-GigabitEthernet0/0/1] port link-type trunk
[P-GigabitEthernet0/0/1] port trunk allow-pass vlan 30
[P-GigabitEthernet0/0/1] quit
[P] interface gigabitethernet 0/0/2
[P-GigabitEthernet0/0/2] port link-type trunk
[P-GigabitEthernet0/0/2] port trunk allow-pass vlan 60
[P-GigabitEthernet0/0/2] quit
[P-Vlanif30] ip address 172.1.1.2 24
[P-Vlanif30] quit
[P-Vlanif60] ip address 172.2.1.1 24
[P-Vlanif60] quit
[P] ospf
[P-ospf-1] area 0
[P-ospf-1-area-0.0.0.0] network 172.1.1.0 0.0.0.255
[P-ospf-1-area-0.0.0.0] quit
[P-ospf-1] quit
# Configure PE2.
[PE2] vlan batch 40 50 60


[PE2-Vlanif60] quit
[PE2] ospf
[PE2-ospf-1] area 0
[PE2-ospf-1] quit
When the configurations are complete, OSPF neighbor relationships are set up between PE1, P,
and PE2. Run the display ip routing-table command. The command output shows that PEs
have learned the routes to Loopback1 of each other.
Step 2 Configure basic MPLS functions, enable MPLS LDP, and establish LDP LSPs on the MPLS
backbone network.
# Configure PE1.
[PE1] mpls
[PE1-mpls] quit
[PE1] mpls ldp
[PE1-mpls-ldp] quit
[PE1-Vlanif30] mpls
[PE1-Vlanif30] quit
# Configure P.
[P] mpls
[P-mpls] quit
[P] mpls ldp
[P-mpls-ldp] quit
[P-Vlanif30] mpls
[P-Vlanif30] quit
[P-Vlanif60] mpls
[P-Vlanif60] quit
# Configure PE2.
[PE2] mpls
[PE2-mpls] quit
[PE2] mpls ldp
[PE2-mpls-ldp] quit
[PE2-Vlanif60] mpls
[PE2-Vlanif60] quit
When the configurations are complete, LDP sessions are set up between PE1 and P and between
P and PE2. Run the display mpls ldp session command. The command output shows that the
LDP session status is Operational.

PE1 is used as an example


------------------------------------------------------------------------------
------------------------------------------------------------------------------
------------------------------------------------------------------------------
Step 3 Configure a VPN instance on each PE and connect the CEs to the PEs.
# Configure PE1.
[PE1] ip vpn-instance vpna
[PE1-vpn-instance-vpna] ipv4-family
[PE1-vpn-instance-vpna-af-ipv4] route-distinguisher 100:1
[PE1-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE1-vpn-instance-vpna-af-ipv4] quit
[PE1-vpn-instance-vpna] quit
[PE1] ip vpn-instance vpnb
[PE1-vpn-instance-vpnb] ipv4-family
[PE1-vpn-instance-vpnb-af-ipv4] route-distinguisher 100:2
[PE1-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE1-vpn-instance-vpnb-af-ipv4] quit
[PE1-vpn-instance-vpnb] quit
[PE1-Vlanif10] ip binding vpn-instance vpna
[PE1-Vlanif10] quit
[PE1-Vlanif20] ip binding vpn-instance vpnb
[PE1-Vlanif20] quit
# Configure PE2.
[PE2-vpn-instance-vpna] ipv4-family
[PE2-vpn-instance-vpna-af-ipv4] route-distinguisher 200:1
[PE2-vpn-instance-vpna-af-ipv4] vpn-target 111:1 both
[PE2-vpn-instance-vpna-af-ipv4] quit
[PE2-vpn-instance-vpnb] ipv4-family
[PE2-vpn-instance-vpnb-af-ipv4] route-distinguisher 200:2
[PE2-vpn-instance-vpnb-af-ipv4] vpn-target 222:2 both
[PE2-vpn-instance-vpnb-af-ipv4] quit
[PE2-Vlanif40] ip binding vpn-instance vpna
[PE2-Vlanif40] quit
[PE2-Vlanif50] ip binding vpn-instance vpnb
[PE2-Vlanif50] quit
# Assign IP addresses to the interfaces on the CEs according to Figure 12-15. The configuration
procedure is not mentioned here.
After the configurations are complete, each PE can ping its connected CE.

NOTE
If a PE has multiple interfaces bound to the same VPN instance, specify a source IP addresses by specifying
-a source-ip-address in the ping -vpn-instance vpn-instance-name -a source-ip-address dest-ip-
address command to ping the CE connected to the remote PE. If you do not specify a source IP address,
the ping fails.
Use the command output on PE1 and CE1 as an example.

[PE1] ping -vpn-instance vpna 10.1.1.1

0.00% packet loss
Step 4 Set up an MP-IBGP peer relationship between PEs.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] peer 3.3.3.9 as-number 100
[PE1-bgp] peer 3.3.3.9 connect-interface loopback 1
[PE1-bgp] ipv4-family vpnv4
[PE1-bgp-af-vpnv4] peer 3.3.3.9 enable
[PE1-bgp-af-vpnv4] quit
[PE1-bgp] quit
# Configure PE2.
[PE2] bgp 100
[PE2-bgp] peer 1.1.1.9 as-number 100
[PE2-bgp] peer 1.1.1.9 connect-interface loopback 1
[PE2-bgp] ipv4-family vpnv4
[PE2-bgp-af-vpnv4] peer 1.1.1.9 enable
[PE2-bgp-af-vpnv4] quit
[PE2-bgp] quit
When the configurations are complete, run the display bgp peer command on PEs. The
command output shows that the BGP peer relationships have been established between the PEs.
[PE1] display bgp peer


PrefRcv
3.3.3.9 4 100 12 6 0 00:02:21 Established

0
Step 5 Set up the EBGP peer relationships between the PEs and CEs and import VPN routes.
# Configure CE1.
[CE1] bgp 65410
[CE1-bgp] peer 10.1.1.2 as-number 100
[CE1-bgp] import-route direct

The configurations of CE2, CE3, and CE4 are similar to the configuration of CE1, and are not
mentioned here.
# Configure PE1.
[PE1] bgp 100
[PE1-bgp] ipv4-family vpn-instance vpna
[PE1-bgp-vpna] peer 10.1.1.1 as-number 65410
[PE1-bgp-vpna] import-route direct
[PE1-bgp-vpna] quit
[PE1-bgp] ipv4-family vpn-instance vpnb
[PE1-bgp-vpnb] peer 10.2.1.1 as-number 65420
[PE1-bgp-vpnb] import-route direct
[PE1-bgp-vpnb] quit
[PE1-bgp] quit
The configuration of PE2 is similar to that of PE1, and is not mentioned here.
After the configurations are complete, run the display bgp vpnv4 vpn-instance peer command
on the PEs. The command output shows that BGP peer relationships between PEs and CEs have
been established.
Use the peer relationship between PE1 and CE1 as an example.

[PE1] display bgp vpnv4 vpn-instance vpna peer


PrefRcv
10.1.1.1 4 65410 11 9 0 00:07:25 Established

1
Step 6 Configure the DiffServ domain.
#Configure PE1.
[PE1] diffserv domain dsvpna
[PE1-dsdomain-dsvpna] ip-dscp-inbound 32 phb af3 green
[PE1-dsdomain-dsvpna] mpls-exp-outbound af3 green map 5
[PE1-dsdomain-dsvpna] quit
[PE1] mpls-qos ingress trust upstream dsvpna
[PE1-GigabitEthernet0/0/1] trust dscp
[PE1-GigabitEthernet0/0/1] trust upstream dsvpna
[PE1-GigabitEthernet0/0/2] trust upstream dsvpna
#Configure PE2.
[PE2] diffserv domain dsvpnb
[PE2-dsdomain-dsvpnb] ip-dscp-inbound 32 phb af3 green
[PE2-dsdomain-dsvpnb] mpls-exp-outbound af3 green map 5
[PE2-dsdomain-dsvpnb] quit
[PE2] mpls-qos ingress trust upstream dsvpnb
[PE2-GigabitEthernet0/0/1] trust upstream dsvpnb


[PE2-GigabitEthernet0/0/2] trust upstream dsvpnb
NOTE
After the configurations are complete, reset MPLS LDP.
Step 7 Configure the DiffServ modes on PE1 and PE2.
#Configure PE1.
[PE1-vpn-instance-vpna] diffserv-mode pipe mpls-exp 4
[PE1-vpn-instance-vpnb] diffserv-mode pipe mpls-exp 3
#Configure PE2.
[PE2-vpn-instance-vpna] diffserv-mode pipe mpls-exp 4
[PE2-vpn-instance-vpnb] diffserv-mode pipe mpls-exp 3
NOTE
After the configurations are complete, you must reset BGP connections to make the configuration take
effect.
----End
Configuration Files
#
sysname PE1
#
vlan batch 10 20 30
#
diffserv domain dsvpna
ip-dscp-inbound 32 phb af3 green
mpls-exp-outbound af3 green map 5
#
mpls-qos ingress trust upstream dsvpna
#
ip vpn-instance vpna
ipv4-family
route-distinguisher 100:1
vpn-target 111:1 import-extcommunity
vpn-target 111:1 export-extcommunity
diffserv-mode pipe mpls-exp 4
#
ip vpn-instance vpnb
ipv4-family
#
mpls lsr-id 1.1.1.9
mpls
#
mpls ldp

#
interface Vlanif10
ip binding vpn-instance vpna
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
ip binding vpn-instance vpnb
ip address 10.2.1.2 255.255.255.0
#
interface Vlanif30
ip address 172.1.1.1 255.255.255.0
mpls
mpls ldp
#
trust dscp
trust upstream dsvpna
#
trust dscp
trust upstream dsvpna
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 3.3.3.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 3.3.3.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
#
ipv4-family vpn-instance vpnb
import-route direct
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
return
l Configuration file of the P

#
sysname P
#
vlan batch 30 60
#
mpls lsr-id 2.2.2.9

mpls
#
mpls ldp
#
interface Vlanif30
ip address 172.1.1.2 255.255.255.0
mpls
mpls ldp
#
interface Vlanif60
ip address 172.2.1.1 255.255.255.0
mpls
mpls ldp
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
return

#
sysname PE2
#
vlan batch 40 50 60
#
diffserv domain dsvpnb
ip-dscp-inbound 32 phb af3 green
mpls-exp-outbound af3 green map 5
#
mpls-qos ingress trust upstream dsvpnb
#
ip vpn-instance
vpna
ipv4-family
#
ip vpn-instance
vpnb
ipv4-family
#
mpls lsr-id 3.3.3.9
mpls
#
mpls ldp
#
interface Vlanif40

ip binding vpn-instance vpna

ip address 10.3.1.2 255.255.255.0
#
interface Vlanif50
ip binding vpn-instance vpnb
ip address 10.4.1.2 255.255.255.0
#
interface Vlanif60
ip address 172.2.1.2 255.255.255.0
mpls
mpls ldp
#
trust dscp
trust upstream dsvpnb
#
trust dscp
trust upstream dsvpnb
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
bgp 100
#
ipv4-family unicast
peer 1.1.1.9 enable
#
ipv4-family vpnv4
policy vpn-target
peer 1.1.1.9 enable
#
ipv4-family vpn-instance vpna
import-route direct
#
ipv4-family vpn-instance vpnb
import-route direct
#
ospf 1
area 0.0.0.0
network 172.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
return

#
sysname CE1
#
vlan batch 10
#
interface Vlanif10
ip address 10.1.1.1 255.255.255.0
#

#
bgp 65410
#
ipv4-family unicast
import-route direct
#
return

#
sysname CE2
#
vlan batch 20
#
interface Vlanif20
ip address 10.2.1.1 255.255.255.0
#
#
bgp 65420
#
ipv4-family unicast
import-route direct
#
return

#
sysname CE3
#
vlan batch 40
#
interface Vlanif40
ip address 10.3.1.1 255.255.255.0
#
#
bgp 65430
#
ipv4-family unicast
import-route direct
#
return

#
sysname CE4
#
vlan batch 50
#
interface Vlanif50

ip address 10.4.1.1 255.255.255.0

#
#
bgp 65440
#
ipv4-family unicast
import-route direct
#
return
12.3 MPLS TE Configuration

MPLS TE tunnels transmit MPLS L2VPN (VLL and VPLS) services and MPLS L3VPN services
and provide high security and guarantees reliable QoS for VPN services.
12.3.1 Example for Configuring a Static MPLS TE Tunnel
As shown in Figure 12-16, static TE tunnels from LSRA to LSRC and from LSRC to LSRA
need to be set up.
Figure 12-16 Networking of static MPLS TE tunnels

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1
172.1.1.1/24 172.1.1.2/24 172.2.1.1/24 172.2.1.2/24
LSRA LSRB LSRC
1. Assign an IP address to each interface on each LSR and configure OSPF to ensure that
there are reachable routes between LSRs.
2. Configure an ID for each LSR and globally enable MPLS and MPLS TE on each LSR and
interface.
3. Create a tunnel interface on the ingress node and set the tunnel type to static CR-LSP.
4. Configure the static LSP bound to the tunnel; specify the next hop address and outgoing
label on the ingress node; specify the inbound interface, incoming label, next hop address,

and outgoing label on the transit node; specify the incoming label and inbound interface
on the egress node.
NOTE
l The value of the outgoing label of each node is the value of the incoming label of its next node.
l When running the static-cr-lsp ingress { tunnel-interface tunnel interface-number | tunnel-name }
destination destination-address { nexthop next-hop-address | outgoing-interface interface-type
interface-number } * out-label out-label command to configure the ingress node of a CR-LSP, ensure
that tunnel-name must be the same as the tunnel name created by using the interface tunnel interface-
number command. tunnel-name is a case-sensitive character string without spaces. For example, the
name of the tunnel created by using the interface tunnel 1 command is Tunnel1. In this case, the
parameter of the ingress node of the static CR-LSP is Tunnel1; otherwise, the tunnel cannot be created.
There is no such limitation on the transit node and egress node.
Procedure
Step 1 Configure an IP address and routing protocol for each interface.
# Configure LSRA.
[LSRA] vlan batch 100
[LSRA-Vlanif100] ip address 172.1.1.1 255.255.255.0
[LSRA-LoopBack1] ip address 1.1.1.9 255.255.255.255
[LSRA] ospf 1
[LSRA-ospf-1] quit
# Configure IP addresses for interfaces of LSRB and LSRC and OSPF according to Figure
12-16. The configurations of LSRB and LSRC are similar to the configuration of LSRA, and
After the configurations are complete, OSPF neighbor relationships can be set up between
LSRA, LSRB, and LSRC. Run the display ospf peer command. You can see that the neighbor
status is Full. Run the display ip routing-table command. You can see that LSRs have learnt
the routes to Loopback1 of each other.
Step 2 Configure basic MPLS functions and enable MPLS TE.
# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] mpls te
[LSRA-mpls] quit
[LSRA-Vlanif100] mpls te

The configurations of LSRB and LSRC are similar to the configuration of LSRA, and are not
mentioned here.
Step 3 Configure MPLS TE tunnels.
# On LSRA, create an MPLS TE tunnel from LSRA to LSRC.
[LSRA] interface tunnel 1
[LSRA-Tunnel1] ip address unnumbered interface loopback 1
[LSRA-Tunnel1] tunnel-protocol mpls te
[LSRA-Tunnel1] destination 3.3.3.9
[LSRA-Tunnel1] mpls te tunnel-id 100
[LSRA-Tunnel1] mpls te signal-protocol cr-static
[LSRA-Tunnel1] mpls te commit
[LSRA-Tunnel1] quit
# On LSRC, create an MPLS TE tunnel from LSRC to LSRA.

[LSRC] interface tunnel 1
[LSRC-Tunnel1] ip address unnumbered interface loopback 1
[LSRC-Tunnel1] tunnel-protocol mpls te
[LSRC-Tunnel1] destination 1.1.1.9
[LSRC-Tunnel1] mpls te tunnel-id 200
[LSRC-Tunnel1] mpls te signal-protocol cr-static
[LSRC-Tunnel1] mpls te commit
[LSRC-Tunnel1] quit
Step 4 Create a static CR-LSP from LSRA to LSRC.

# Configure LSRA as the ingress node of the static CR-LSP.
[LSRA] static-cr-lsp ingress tunnel-interface Tunnel1 destination 3.3.3.9 nexthop
172.1.1.2 out-label 20
# Configure LSRB as the transit node of the static CR-LSP.

[LSRB] static-cr-lsp transit LSRA2LSRC incoming-interface vlanif 100 in-label 20
nexthop 172.2.1.2 out-label 30
# Configure LSRC as the egress node of the static CR-LSP.

[LSRC] static-cr-lsp egress LSRA2LSRC incoming-interface vlanif 200 in-label 30
Step 5 Create a static CR-LSP from LSRC to LSRA.

# Configure LSRC as the ingress node of the static CR-LSP.
[LSRC] static-cr-lsp ingress tunnel-interface Tunnel1 destination 1.1.1.9 nexthop
172.2.1.1 out-label 120
# Configure LSRB as the transit node of the static CR-LSP.

[LSRB] static-cr-lsp transit LSRC2LSRA incoming-interface vlanif 200 in-label 120
# Configure LSRA as the egress node of the static CR-LSP.

[LSRA] static-cr-lsp egress LSRC2LSRA incoming-interface vlanif 100 in-label 130

After the configurations are complete, run the display interface tunnel command on LSRA.
You can see that the tunnel interface status is Up.
The display on LSRA is used as an example.
[LSRA] display interface tunnel 1

Line protocol current state : UP

...
Run the display mpls te tunnel command on each LSR to view the MPLS TE tunnel status.

[LSRA] display mpls te tunnel
------------------------------------------------------------------------------
Ingress LsrId Destination LSPID In/Out Label R Tunnel-name
------------------------------------------------------------------------------
1.1.1.9 3.3.3.9 1 --/20 I Tunnel1
- - - 130/-- E LSRC2LSRA
Run the display mpls lsp or display mpls static-cr-lsp command on each LSR to view the static
CR-LSP status.

----------------------------------------------------------------------
LSP Information: STATIC CRLSP
----------------------------------------------------------------------
3.3.3.9/32 NULL/20 -/Vlanif100
-/- 130/NULL Vlanif100/-
[LSRA] display mpls static-cr-lsp

TOTAL : 2 STATIC CRLSP(S)
UP : 2 STATIC CRLSP(S)
DOWN : 0 STATIC CRLSP(S)
Tunnel1 3.3.3.9/32 NULL/20 -/Vlanif100 Up
LSRC2LSRA -/- 130/NULL Vlanif100/- Up
When a static CR-LSP is used to establish an MPLS TE tunnel, the transit node and the egress
node do not forward packets according to the specified incoming label and outgoing label.
Therefore, no EFC information is displayed on LSRB or LSRC.
----End
Configuration Files
#
sysname LSRA
#
vlan batch 100
#
mpls lsr-id 1.1.1.9
mpls
mpls te
#
interface Vlanif100
ip address 172.1.1.1 255.255.255.0
mpls
mpls te
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#

interface Tunnel1
destination 3.3.3.9
mpls te signal-protocol cr-static
mpls te commit
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 1.1.1.9 0.0.0.0
#
static-cr-lsp ingress tunnel-interface Tunnel1 destination 3.3.3.9 nexthop
172.1.1.2 out-label 20
static-cr-lsp egress LSRC2LSRA incoming-interface Vlanif100 in-label 130
#
return

#
sysname LSRB
#
vlan batch 100 200
#
mpls lsr-id 2.2.2.9
mpls
mpls te
#
interface Vlanif100
ip address 172.1.1.2 255.255.255.0
mpls
mpls te
#
interface Vlanif200
ip address 172.2.1.1 255.255.255.0
mpls
mpls te
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 172.1.1.0 0.0.0.255
network 172.2.1.0 0.0.0.255
network 2.2.2.9 0.0.0.0
#
static-cr-lsp transit LSRA2LSRC incoming-interface Vlanif100 in-label 20
static-cr-lsp transit LSRC2LSRA incoming-interface Vlanif200 in-label 120
#
return

#
sysname LSRC
#

vlan batch 200

#
mpls lsr-id 3.3.3.9
mpls
mpls te
#
interface Vlanif200
ip address 172.2.1.2 255.255.255.0
mpls
mpls te
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
interface Tunnel1
destination 1.1.1.9
mpls te signal-protocol cr-static
mpls te commit
#
ospf 1
area 0.0.0.0
network 172.2.1.0 0.0.0.255
network 3.3.3.9 0.0.0.0
#
static-cr-lsp ingress tunnel-interface Tunnel1 destination 1.1.1.9 nexthop
172.2.1.1 out-label 120
static-cr-lsp egress LSRA2LSRC incoming-interface Vlanif200 in-label 30
#
return
12.3.2 Example for Configuring a Dynamic MPLS TE Tunnel
As shown in Figure 12-17, an enterprise establishes its own MPLS backbone network with
LSRA, LSRB, and LSRC deployed. The MPLS backbone network uses IS-IS, and LSRA, LSRB,
and LSRC are level-2 devices. A tunnel needs to be set up over the public network on the MPLS
backbone network to transmit L2VPN or L3VPN services, and the tunnel must be able to adapt
to network topology changes to ensure stable data transmission.
RSVP-TE is used to establish a dynamic MPLS TE tunnel.
Figure 12-17 Networking of a dynamic MPLS TE tunnel

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
GE0/0/1 GE0/0/1 GE0/0/2 GE0/0/1
172.1.1.1/24 172.1.1.2/24 172.2.1.1/24 172.2.1.2/24
LSRA LSRB LSRC

1. On the MPLS backbone network, MPLS LDP and MPLS TE tunnels can carry L2VPN or
L3VPN services. Configure an MPLS TE tunnel to ensure stable data transmission upon
frequent topology changes on the enterprise network.
2. Configure IS-IS to ensure that there are reachable routes between devices on the MPLS
backbone network.
3. Enable MPLS TE and RSVP-TE on each node so that an MPLS TE tunnel can be set up.
4. Enable IS-IS TE and change the cost type so that TE information can be advertised to other
nodes through IS-IS.
5. Create a tunnel interface on the ingress node, configure tunnel attributes, and enable MPLS
TE CSPF to create a dynamic MPLS TE tunnel.
Procedure
Step 1 Assign IP addresses to interfaces.
# Configure LSRA.
# Configure IP addresses for interfaces of LSRB and LSRC according to Figure 12-17. The
configurations of LSRB and LSRC are similar to the configuration of LSRA, and are not
mentioned here.
Step 2 Configure IS-IS to advertise routes.
# Configure LSRA.
[LSRA] isis 1
[LSRA-isis-1] network-entity 00.0005.0000.0000.0001.00
[LSRA-isis-1] is-level level-2
[LSRA-isis-1] quit
[LSRA-Vlanif100] isis enable 1
[LSRA-LoopBack1] isis enable 1
# Configure LSRB.
[LSRB] isis 1
[LSRB-isis-1] network-entity 00.0005.0000.0000.0002.00
[LSRB-isis-1] is-level level-2
[LSRB-isis-1] quit


# Configure LSRC.
[LSRC] isis 1
[LSRC-isis-1] network-entity 00.0005.0000.0000.0003.00
[LSRC-isis-1] is-level level-2
[LSRC-isis-1] quit
After the configurations are complete, run the display ip routing-table command on each LSR.
You can see that the LSRs have learned the routes from each other. The display on LSRA is
used as an example.
------------------------------------------------------------------------------

2.2.2.9/32 ISIS-L2 15 10 D 172.1.1.2 Vlanif100
3.3.3.9/32 ISIS-L2 15 20 D 172.1.1.2 Vlanif100
172.1.1.0/24 Direct 0 0 D 172.1.1.1 Vlanif100
172.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
172.2.1.0/24 ISIS-L2 15 20 D 172.1.1.2 Vlanif100
Step 3 Configure basic MPLS functions and enable MPLS TE and RSVP-TE.
Enable MPLS, MPLS TE, and RSVP-TE globally on each node and interfaces along the tunnel.
# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] mpls te
[LSRA-mpls] mpls rsvp-te
[LSRA-mpls] quit
[LSRA-Vlanif100] mpls rsvp-te
mentioned here.
Step 4 Configure IS-IS TE.
# Configure LSRA.

[LSRA] isis 1
[LSRA-isis-1] cost-style wide
[LSRA-isis-1] traffic-eng level-2
[LSRA-isis-1] quit
mentioned here.
Step 5 Configure an MPLS TE tunnel interface and enable MPLS TE CSPF.
# On the ingress node of the tunnel, create a tunnel interface, and set the IP address, tunnel
protocol, destination IP address, tunnel ID, and dynamic signaling protocol for the tunnel
interface. Then run the mpls te commit command to commit the configuration.
# Configure LSRA.
[LSRA-Tunnel1] mpls te signal-protocol rsvp-te
[LSRA-Tunnel1] quit
[LSRA] mpls
[LSRA-mpls] mpls te cspf
[LSRA-mpls] quit

[LSRA] display interface tunnel
Last line protocol up time : 2013-01-14 09:18:46
Description:
...
Run the display mpls te tunnel-interface command on LSRA. You can view tunnel interface
information.
[LSRA] display mpls te tunnel-interface
----------------------------------------------------------------
Tunnel1
----------------------------------------------------------------
Tunnel State Desc : UP
Active LSP : Primary LSP
Session ID : 100
Ingress LSR ID : 1.1.1.9 Egress LSR ID: 3.3.3.9
Admin State : UP Oper State : UP
Primary LSP State : UP
Main LSP State : READY LSP ID : 3
Run the display mpls te tunnel verbose command on LSRA. You can view detailed information
about the tunnel.
[LSRA] display mpls te tunnel verbose
No : 1
Tunnel-Name : Tunnel1
Tunnel Interface Name : Tunnel1
TunnelIndex : 1 LSP Index : 2048
Session ID : 100 LSP ID : 3
LSR Role : Ingress LSP Type : Primary
Ingress LSR ID : 1.1.1.9

Egress LSR ID : 3.3.3.9

In-Interface : -
Sign-Protocol : RSVP TE Resv Style : SE
IncludeAnyAff : 0x0 ExcludeAnyAff : 0x0
IncludeAllAff : 0x0
LspConstraint : -
ER-Hop Table Index : - AR-Hop Table Index: -
C-Hop Table Index : -
PrevTunnelIndexInSession: - NextTunnelIndexInSession: -
PSB Handle : 16388
Created Time : 2013-09-16 11:51:21+00:00
RSVP LSP Type : -
--------------------------------
DS-TE Information
--------------------------------
Bandwidth Reserved Flag : Unreserved
CT0 Bandwidth(Kbit/sec) : 0 CT1 Bandwidth(Kbit/sec): 0
Setup-Priority : 7 Hold-Priority : 7
--------------------------------
FRR Information
--------------------------------
Primary LSP Info
TE Attribute Flag : 0x3 Protected Flag : 0x0
Bypass In Use : Not Exists
Bypass Tunnel Id : -
BypassTunnel : -
Bypass LSP ID : - FrrNextHop : -
ReferAutoBypassHandle : -
FrrPrevTunnelTableIndex : - FrrNextTunnelTableIndex: -
Bypass Attribute(Not configured)
Setup Priority : - Hold Priority : -
HopLimit : - Bandwidth : -
IncludeAnyGroup : - ExcludeAnyGroup : -
IncludeAllGroup : -
Bypass Unbound Bandwidth Info(Kbit/sec)
CT0 Unbound Bandwidth : - CT1 Unbound Bandwidth: -
--------------------------------
BFD Information
--------------------------------
NextSessionTunnelIndex : - PrevSessionTunnelIndex: -
NextLspId : - PrevLspId : -
Run the display mpls te cspf tedb all command on LSRA. You can view link information in
the TEDB.
[LSRA] display mpls te cspf tedb all
Maximum Nodes Supported: 1024 Current Total Node Number: 3
Maximum Links Supported: 2048 Current Total Link Number: 4
Maximum SRLGs supported: 5120 Current Total SRLG Number: 0
ID Router-ID IGP Process-ID Area Link-Count
1 1.1.1.9 ISIS 1 Level-2 1
2 2.2.2.9 ISIS 1 Level-2 2
3 3.3.3.9 ISIS 1 Level-2 1
----End

Configuration Files
#
sysname LSRA
#
vlan batch 100
#
mpls lsr-id 1.1.1.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0001.00
traffic-eng level-2
#
interface Vlanif100
ip address 172.1.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
isis enable 1
#
interface Tunnel1
destination 3.3.3.9
mpls te commit
#
return

#
sysname LSRB
#
vlan batch 100 200
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls rsvp-te
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0002.00
traffic-eng level-2
#
interface Vlanif100
ip address 172.1.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te

#
interface Vlanif200
ip address 172.2.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
isis enable 1
#
return

#
sysname LSRC
#
vlan batch 200
#
mpls lsr-id 3.3.3.9
mpls
mpls te
mpls rsvp-te
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0003.00
traffic-eng level-2
#
interface Vlanif200
ip address 172.2.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
isis enable 1
#
return
12.3.3 Example for Setting Up CR-LSPs Using CR-LSP Attribute

Templates

As shown in Figure 12-18, an MPLS TE tunnel is set up between LSRA and LSRC. The primary
path of the tunnel is LSRA -> LSRB -> LSRC. When the primary CR-LSP fails, traffic must be
switched to a backup CR-LSP.
LSRA needs to set up multiple MPLS TE tunnels to meet service requirements. The network
administrator wants to simplify the MPLS TE tunnel configuration.
NOTE
STP must be disabled on the network. Otherwise, an interface may be blocked by STP.
Figure 12-18 Networking of CR-LSP setup using CR-LSP attribute templates

Loopback1
6.6.6.9/32
GE0/0/1 GE0/0/2
VLANIF600 VLANIF700
172.6.1.2/24 172.7.1.1/24
LSRF
GE0/0/2 GE0/0/3
VLANIF600 VLANIF700
Loopback1
172.6.1.1/24 172.7.1.2/24
Loopback1 2.2.2.9/32 Loopback1
GE0/0/1 GE0/0/2
1.1.1.9/32 3.3.3.9/32
VLANIF100 VLANIF200
172.1.1.2/24 172.2.1.1/24
LSRA LSRC
GE0/0/1 GE0/0/1
VLANIF100 VLANIF200
GE0/0/3 172.1.1.1/24 LSRB 172.2.1.2/24 GE0/0/2
VLANIF400 VLANIF500
172.4.1.1/24 172.5.1.2/24
Loopback1
5.5.5.9/32
GE0/0/1 GE0/0/2
VLANIF400 VLANIF500
172.4.1.2/24 172.5.1.1/24
LSRE
Primary CR-LSP
1. Assign IP addresses to interfaces and configure OSPF to ensure that public network routes
between the nodes are reachable.
2. Configure LSR IDs for the nodes, enable MPLS, MPLS TE, RSVP-TE, and CSPF on the
LSRs globally and on their interfaces, and enable OSPF TE on the LSRs.
3. Use CR-LSP attribute templates to simplify the configuration. Configure different attribute
templates for the primary CR-LSP, hot-standby CR-LSP, and ordinary backup CR-LSP.
4. On the ingress node of the primary tunnel, create a tunnel interface, configure the tunnel
IP address, tunneling protocol, destination IP address, tunnel ID, and RSVP-TE signaling

protocol for the tunnel interface, and then apply the corresponding CR-LSP attribute
template to set up the primary CR-LSP.
5. Configure hot-standby and ordinary backup CR-LSPs on the ingress node of the primary
tunnel. In this way, traffic can be switched to the backup CR-LSP when the primary CR-
LSP fails. Apply the CR-LSP corresponding attribute template to create the backup CR-
LSP.
Procedure
Step 1 Assign IP addresses to interfaces and configure OSPF on the LSRs.
# Configure LSRA.
[LSRA] vlan batch 100 400 600
[LSRA] ospf 1
[LSRA-ospf-1] quit
Assign IP addresses to interfaces of LSRB, LSRC, LSRE, and LSRF according to Figure
12-18. The configurations on these LSRs are similar to the configuration on LSRA, and are not
mentioned here.
After the configurations are complete, run the display ip routing-table command on the LSRs.
You can see that the LSRs learn the routes of Loopback1 from each other. The command output
on LSRA is provided as an example:
------------------------------------------------------------------------------


2.2.2.9/32 OSPF 10 1 D 172.1.1.2 Vlanif100
3.3.3.9/32 OSPF 10 2 D 172.1.1.2 Vlanif100
OSPF 10 2 D 172.4.1.2 Vlanif400
OSPF 10 2 D 172.6.1.2 Vlanif600
5.5.5.9/32 OSPF 10 1 D 172.4.1.2 Vlanif400
6.6.6.9/32 OSPF 10 1 D 172.6.1.2 Vlanif600
172.1.1.0/24 Direct 0 0 D 172.1.1.1 Vlanif100
172.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
172.2.1.0/24 OSPF 10 2 D 172.1.1.2 Vlanif100
172.4.1.0/24 Direct 0 0 D 172.4.1.1 Vlanif400
172.4.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif400
172.5.1.0/24 OSPF 10 2 D 172.4.1.2 Vlanif400
172.6.1.0/24 Direct 0 0 D 172.6.1.1 Vlanif600
172.6.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif600
172.7.1.0/24 OSPF 10 2 D 172.6.1.2 Vlanif600
Step 2 Configure basic MPLS capabilities and enable MPLS TE, RSVP-TE, and CSPF.
# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] mpls te
[LSRA-mpls] quit
The configurations on LSRB, LSRC, LSRE, and LSRF are similar to the configuration on LSRA,
and are not mentioned here. CSPF needs to be enabled only on the ingress node of the primary
tunnel.
Step 3 Configure OSPF TE.
# Configure LSRA.
[LSRA] ospf
[LSRA-ospf-1] opaque-capability enable
[LSRA-ospf-1-area-0.0.0.0] mpls-te enable
[LSRA-ospf-1] quit
The configurations on LSRB, LSRC, LSRE, and LSRF are similar to the configuration on LSRA,
Step 4 Configure CR-LSP attribute templates and specify explicit paths for the CR-LSPs.

# Specify an explicit path for the primary CR-LSP.

[LSRA] explicit-path pri-path
[LSRA-explicit-path-pri-path] next hop 172.1.1.2
[LSRA-explicit-path-pri-path] quit
# Specify an explicit path for the hot-standby CR-LSP.

[LSRA] explicit-path hotstandby-path
[LSRA-explicit-path-hotstandby-path] next hop 172.4.1.2
[LSRA-explicit-path-hotstandby-path] quit
# Specify an explicit path for the ordinary backup CR-LSP.

[LSRA] explicit-path ordinary-path
[LSRA-explicit-path-ordinary-path] next hop 172.6.1.2
[LSRA-explicit-path-ordinary-path] quit
# Configure the CR-LSP attribute template used for setting up the primary CR-LSP.
[LSRA] lsp-attribute lsp_attribute_pri
[LSRA-lsp-attribute-lsp_attribute_pri] explicit-path pri-path
[LSRA-lsp-attribute-lsp_attribute_pri] commit
[LSRA-lsp-attribute-lsp_attribute_pri] quit
# Configure the CR-LSP attribute template used for setting up the hot-standby CR-LSP.
[LSRA] lsp-attribute lsp_attribute_hotstandby
[LSRA-lsp-attribute-lsp_attribute_hotstandby] explicit-path hotstandby-path
[LSRA-lsp-attribute-lsp_attribute_hotstandby] hop-limit 12
[LSRA-lsp-attribute-lsp_attribute_hotstandby] commit
[LSRA-lsp-attribute-lsp_attribute_hotstandby] quit
# Configure the CR-LSP attribute template used for setting up the ordinary backup CR-LSP.
[LSRA] lsp-attribute lsp_attribute_ordinary
[LSRA-lsp-attribute-lsp_attribute_ordinary] explicit-path ordinary-path
[LSRA-lsp-attribute-lsp_attribute_ordinary] hop-limit 15
[LSRA-lsp-attribute-lsp_attribute_ordinary] commit
[LSRA-lsp-attribute-lsp_attribute_ordinary] quit
Step 5 On the ingress node LSRA, create the MPLS TE tunnel on the primary CR-LSP.
# Specify an MPLS TE tunnel interface for the primary CR-LSP and apply the primary CR-LSP
attribute template to set up this CR-LSP.
[LSRA-Tunnel1] ip address unnumbered interface loopBack 1
[LSRA-Tunnel1] mpls te primary-lsp-constraint lsp-attribute lsp_attribute_pri
[LSRA-Tunnel1] quit
Run the display interface tunnel 1 command on LSRA to check the tunnel status. The tunnel
is in Up state.


Description:
...
Step 6 Configure hot-standby and common backup CR-LSPs on the ingress node.
# On LSRA, apply CR-LSP attribute templates to create hot-standby and common backup CR-
LSPs.
[LSRA-Tunnel1] mpls te hotstandby-lsp-constraint 1 lsp-attribute
lsp_attribute_hotstandby
[LSRA-Tunnel1] mpls te ordinary-lsp-constraint 1 lsp-attribute
lsp_attribute_ordinary
[LSRA-Tunnel1] quit
Run the display mpls te tunnel-interface command on LSRA to check tunnel information. You
can see that the hot-standby CR-LSP has been set up successfully.
----------------------------------------------------------------
Tunnel1
----------------------------------------------------------------
Session ID : 100
Hot-Standby LSP State : UP
Run the display mpls te tunnel-interface lsp-constraint command on LSRA to view the
configurations of the CR-LSP attribute templates.
[LSRA] display mpls te tunnel-interface lsp-constraint
Tunnel Name : Tunnel1
Primary-lsp-constraint Name : lsp_attribute_pri
Hotstandby-lsp-constraint Number: 1
Hotstandby-lsp-constraint Name : lsp_attribute_hotstandby
Ordinary-lsp-constraint Number : 1
Ordinary-lsp-constraint Name : lsp_attribute_ordinary
# Run the display mpls te tunnel verbose command on LSRA to view detailed tunnel
information. You can see that the primary and hot-standby CR-LSPs have been set up using the
attribute templates.
No : 1
In-Interface : -
IncludeAllAff : 0x0

LspConstraint : 1
ER-Hop Table Index : 0 AR-Hop Table Index: 0
C-Hop Table Index : 1
PrevTunnelIndexInSession: 2 NextTunnelIndexInSession: -
PSB Handle : 8194
Created Time : 2013-09-16 14:53:15+00:00
RSVP LSP Type : -
--------------------------------
DS-TE Information
--------------------------------
--------------------------------
FRR Information
--------------------------------
Primary LSP Info
BypassTunnel : -
IncludeAllGroup : -
--------------------------------
BFD Information
--------------------------------
No : 2
LSR Role : Ingress LSP Type : Hot-Standby
In-Interface : -
IncludeAllAff : 0x0
LspConstraint : 1
PrevTunnelIndexInSession: - NextTunnelIndexInSession: 1
PSB Handle : 8195
Created Time : 2013-09-16 14:53:15+00:00
RSVP LSP Type : -
--------------------------------
DS-TE Information
--------------------------------


--------------------------------
FRR Information
--------------------------------
Primary LSP Info
BypassTunnel : -
IncludeAllGroup : -
--------------------------------
BFD Information
--------------------------------
# Run the shutdown command on VLANIF100 and VLANIF400 of LSRA.

[LSRA-Vlanif100] shutdown
# Run the display mpls te tunnel verbose command on LSRA. You can see that an ordinary
CR-LSP has been set up using the attribute template.
No : 1
LSR Role : Ingress LSP Type : Ordinary
In-Interface : -
IncludeAllAff : 0x0
LspConstraint : 1
PSB Handle : 8196
Created Time : 2013-09-16 15:00:08+00:00
RSVP LSP Type : -

--------------------------------
DS-TE Information
--------------------------------
--------------------------------
FRR Information
--------------------------------
Primary LSP Info
BypassTunnel : -
IncludeAllGroup : -
--------------------------------
BFD Information
--------------------------------
----End
Configuration File
#
sysname LSRA
#
#
mpls lsr-id
1.1.1.9
mpls
mpls
te
mpls rsvp-
te
mpls te cspf
#
explicit-path hotstandby-path
next hop 172.4.1.2
next hop 172.5.1.2
next hop 3.3.3.9
#
explicit-path ordinary-path
next hop 172.6.1.2
next hop 172.7.1.2
next hop 3.3.3.9
#

explicit-path pri-path
next hop 172.1.1.2
next hop 172.2.1.2
next hop 3.3.3.9
#
lsp-attribute lsp_attribute_hotstandby
explicit-path hotstandby-path
hop-limit 12
commit
#
lsp-attribute lsp_attribute_ordinary
explicit-path ordinary-path
hop-limit 15
commit
#
lsp-attribute lsp_attribute_pri
commit
#
interface Vlanif100
ip address 172.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif400
ip address 172.4.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif600
ip address 172.6.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface Tunnel1
destination 3.3.3.9
mpls te primary-lsp-constraint lsp-attribute lsp_attribute_pri
mpls te hotstandby-lsp-constraint 1 lsp-attribute lsp_attribute_hotstandby
mpls te ordinary-lsp-constraint 1 lsp-attribute lsp_attribute_ordinary
mpls te commit
#
ospf 1
area 0.0.0.0
network 1.1.1.9

0.0.0.0
network 172.1.1.0
0.0.0.255
network 172.4.1.0 0.0.0.255
network 172.6.1.0 0.0.0.255
mpls-te enable
#
return

#
sysname LSRB
#
vlan batch 100 200
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif100
ip address 172.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif200
ip address 172.2.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9
0.0.0.0
network 172.1.1.0
0.0.0.255
network 172.2.1.0
0.0.0.255
mpls-te enable
#
return

#
sysname LSRC
#
#
mpls lsr-id 3.3.3.9
mpls
mpls te
mpls rsvp-te
#

interface Vlanif200
ip address 172.2.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif500
ip address 172.5.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif700
ip address 172.7.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9
0.0.0.0
network 172.2.1.0
0.0.0.255
network 172.5.1.0
0.0.0.255
network 172.7.1.0 0.0.0.255
mpls-te enable
#
return
l Configuration file of LSRE

#
sysname LSRE
#
vlan batch 400 500
#
mpls lsr-id 5.5.5.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif400
ip address 172.4.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif500
ip address 172.5.1.1 255.255.255.0
mpls

mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 5.5.5.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 5.5.5.9
0.0.0.0
network 172.4.1.0
0.0.0.255
network 172.5.1.0 0.0.0.255
mpls-te enable
#
return
l Configuration file of LSRF

#
sysname LSRF
#
vlan batch 600 700
#
mpls lsr-id 6.6.6.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif600
ip address 172.6.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif700
ip address 172.7.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 6.6.6.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 6.6.6.9
0.0.0.0
network 172.6.1.0
0.0.0.255

network 172.7.1.0 0.0.0.255

mpls-te enable
#
return
12.3.4 Example for Configuring IGP Shortcut to Direct Traffic to an

MPLS TE Tunnel
An MPLS TE tunnel does not automatically direct traffic. To direct traffic to an MPLS TE tunnel,
configure Interior Gateway Protocol (IGP) shortcut. IGP shortcut enables a device to use a TE
tunnel as a logical link for IGP route calculation. You can set a proper metric for an MPLS TE
tunnel to ensure that the route passing through the MPLS TE tunnel is preferred, allowing traffic
to be directed to the MPLS TE tunnel.
As shown in Figure 12-19, devices use OSPF to communicate with each other. An MPLS TE
tunnel is established from LSRA and LSRC. The MPLS TE tunnel passes through LSRB. The
number marked on each link indicates the link cost. If LSRA has traffic destined for LSRE and
LSRC, LSRA sends the traffic to GE0/0/2 based on the OSPF route selection result. If the link
between LSRA and LSRD has 100 Mbit/s of bandwidth and LSRA requires 50 Mbit/s bandwidth
to send traffic to LSRC and 60 Mbit/s bandwidth to send traffic to LSRE, the link between LSRA
and LSRB is congested. Congestion on the link causes traffic transmission delay or packet loss.
To resolve this problem, configure IGP shortcut on the tunnel interface of LSRA to direct traffic
destined for LSRC to the MPLS TE tunnel. By doing this, traffic is forwarded by GE0/0/1 and
network congestion is prevented.
NOTE
After IGP shortcut is configured on the tunnel interface of LSRA, LSRA does not advertise the MPLS TE
tunnel to its peers as a route. The MPLS TE tunnel is used only for local route calculation.
Figure 12-19 Networking of IGP shortcut

LSRD GE0/0/3 GE0/0/1 LSRE
VLANIF400 172.5.1.1/24 172.5.1.2/24
172.4.1.2/24
10
GE0/0/1
10 VLANIF300
LSRA GE0/0/2 172.3.1.2/24
VLANIF400
Loopback1 172.4.1.1/24 10
1.1.1.9/32 TE Metric=10
GE0/0/1
VLANIF100 15
GE0/0/2
172.1.1.1/24 VLANIF300
LSRB
172.3.1.1/24
GE0/0/1 10
LSRC
VLANIF100 GE0/0/2 GE0/0/1
172.1.1.2/24 VLANIF200 VLANIF200
172.2.1.1/24 172.2.1.2/24
Loopback1 Loopback1
2.2.2.9/32 3.3.3.9/32

1. Assign an IP address to each interface, configure OSPF to ensure that there are reachable
routes between LSRs, and configure the OSPF cost.
2. On LSRA, create an MPLS TE tunnel over the path LSRA -> LSRB -> LSRC. This example
uses RSVP-TE to establish a dynamic MPLS TE tunnel. Configure an ID for each LSR,
enable MPLS TE, RSVP-TE, and CSPF on each node and interface, and enable OSPF TE.
On the ingress node of the primary tunnel, create a tunnel interface, and specify the IP
address, tunneling protocol, destination IP address, tunnel ID, and dynamic signaling
protocol RSVP-TE for the tunnel interface.
3. Enable IGP shortcut on the TE tunnel interface of LSRA and configure an IGP metric for
the TE tunnel.
Procedure
Step 1 Assign an IP address to each interface, configure OSPF, and set the OSPF cost.
# Configure LSRA.
[LSRA-Vlanif100] ospf cost 15
[LSRA] ospf 1
[LSRA-ospf-1] quit
# Configure IP addresses for interfaces of LSRB, LSRC, LSRD, and LSRE according to Figure
12-19. The configurations on LSRB, LSRC, LSRD, and LSRE are similar to the configuration
of LSRA, and are not mentioned here.

After the configurations are complete, run the display ip routing-table command on LSRA,
LSRB, and LSRC. You can see that PE1 and PE2 have learned the routes to Loopback1 of each
other.
Step 2 Configure basic MPLS functions and enable MPLS TE, RSVP-TE, and CSPF.
To set up a TE tunnel from LSRA to LSRC, perform the following configurations on LSRA,
LSRB, and LSRC.
# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] mpls te
[LSRA-mpls] quit
The configurations on LSRB and LSRC are similar to the configuration of LSRA, and are not
mentioned here. CSPF only needs to be configured on the ingress node of the primary tunnel.
To set up a TE tunnel from LSRA to LSRC, perform the following configurations on LSRA,
LSRB, and LSRC.
# Configure LSRA.
[LSRA] ospf
[LSRA-ospf-1] quit
mentioned here.
Step 4 Create an MPLS TE tunnel.
# Specify an explicit path for a TE tunnel.

# Create a tunnel interface on LSRA.

[LSRA-Tunnel1] mpls te path explicit-path pri-path
[LSRA-Tunnel1] quit

Step 5 Configure IGP shortcut.

Enable IGP shortcut on the TE tunnel interface of LSRA and set the IGP metric to 10 for the TE
tunnel.
# Configure LSRA.
[LSRA-Tunnel1] mpls te igp shortcut ospf
[LSRA-Tunnel1] mpls te igp metric absolute 10
[LSRA-Tunnel1] quit
[LSRA] ospf 1
[LSRA-ospf-1] enable traffic-adjustment
[LSRA-ospf-1] quit

After the configurations are complete, run the display ip routing-table 3.3.3.9 command on
LSRA. You can see that the next hop address of the route destined for LSRC (3.3.3.9) is 1.1.1.9
and the outbound interface of this route is Tunnel1. The traffic destined for LSRC has been
directed to the MPLS TE tunnel.
------------------------------------------------------------------------------
Summary Count : 1
3.3.3.9/32 OSPF 10 10 D 1.1.1.9 Tunnel1
----End
Configuration Files
#
sysname LSRA
#
vlan batch 100 400
#
mpls lsr-id
1.1.1.9
mpls
mpls
te
mpls rsvp-
te
mpls te cspf
#
explicit-path pri-
path
next hop
172.1.1.2
next hop
172.2.1.2
next hop 3.3.3.9
#
interface Vlanif100
ip address 172.1.1.1 255.255.255.0
ospf cost 15
mpls
mpls te
mpls rsvp-te

#
interface Vlanif400
ip address 172.4.1.1 255.255.255.0
ospf cost 10
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface Tunnel1
ip address unnumbered interface
LoopBack1
tunnel-protocol mpls
te
destination
3.3.3.9
mpls te tunnel-id
100
mpls te path explicit-path pri-
path
mpls te igp shortcut
ospf
mpls te igp metric absolute
10
mpls te commit
#
ospf
1
opaque-capability
enable
enable traffic-adjustment
area
0.0.0.0
network 1.1.1.9
0.0.0.0
network 172.1.1.0
0.0.0.255
network 172.4.1.0 0.0.0.255
mpls-te enable
#
return

#
sysname LSRB
#
vlan batch 100 200
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif100
ip address 172.1.1.2 255.255.255.0
ospf cost 15
mpls
mpls te
mpls rsvp-te
#

interface Vlanif200
ip address 172.2.1.1 255.255.255.0
ospf cost 10
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9
0.0.0.0
network 172.1.1.0
0.0.0.255
network 172.2.1.0
0.0.0.255
mpls-te enable
#
return

#
sysname LSRC
#
vlan batch 200 300
#
mpls lsr-id 3.3.3.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif200
ip address 172.2.1.2 255.255.255.0
ospf cost 10
mpls
mpls te
mpls rsvp-te
#
interface Vlanif300
ip address 172.3.1.1 255.255.255.0
ospf cost 10
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0

network 3.3.3.9
0.0.0.0
network 172.2.1.0
0.0.0.255
network 172.3.1.0
0.0.0.255
mpls-te enable
#
return

#
sysname LSRD
#
#
interface Vlanif300
ip address 172.3.1.2 255.255.255.0
ospf cost 10
#
interface Vlanif400
ip address 172.4.1.2 255.255.255.0
ospf cost 10
#
interface Vlanif500
ip address 172.5.1.1 255.255.255.0
ospf cost 10
#
#
#
#
ospf 1
area 0.0.0.0
network 172.3.1.0 0.0.0.255
network 172.4.1.0 0.0.0.255
network 172.5.1.0 0.0.0.255
#
return

#
sysname LSRE
#
vlan batch 500
#
interface Vlanif500
ip address 172.5.1.2 255.255.255.0
ospf cost 10
#
#
ospf 1
area 0.0.0.0
network 172.5.1.0 0.0.0.255
#
return

12.3.5 Example for Configuring Forwarding Adjacency to Direct

Traffic to an MPLS TE Tunnel
An MPLS TE tunnel does not automatically direct traffic. To direct traffic to an MPLS TE tunnel,
configure forwarding adjacency. Forwarding adjacency enables a device to use a TE tunnel as
a logical link for IGP route calculation. Unlike IGP shortcut, forwarding adjacency advertises a
TE tunnel to its peers as an IGP route. You can set a proper metric for an MPLS TE tunnel to
ensure that the route passing through the MPLS TE tunnel is preferred, allowing traffic to be
As shown in Figure 12-20, devices use OSPF to communicate with each other. An MPLS TE
tunnel is established from LSRA and LSRC. The MPLS TE tunnel passes through LSRB. The
number marked on each link indicates the link cost. If LSRA and LSRE have traffic destined
for LSRC, traffic from the two LSRs is forwarded by GE0/0/1 on LSRD based on the OSPF
route selection result. If LSRA requires 10 Mbit/s bandwidth to send traffic to LSRC, and LSRE
requires 100 Mbit/s bandwidth to send traffic to LSRC, but the link between LSRC and LSRD
has only 100 Mbit/s of bandwidth, the link is congested. Congestion on the link causes traffic
transmission delay or packet loss.
To resolve this problem, configure forwarding adjacency on the MPLS TE tunnel interface of
LSRA. Then all traffic from LSRA to LSRC is forwarded over the MPLS TE tunnel, whereas
only some of traffic from LSRE to LSRC is forwarded over the MPLS TE tunnel. The rest of
traffic is forwarded by LSRD. Therefore, traffic congestion is prevented over the link between
LSRC and LSRD.
NOTE
After you configure forwarding adjacency, LSRA advertises the MPLS TE tunnel to its peer as an OSPF
route. Because OSPF requires bidirectional link detection, the MPLS TE tunnel from LSRC to LSRA must
be established and forwarding adjacency must be configured on the tunnel interface.
STP must be disabled on the network. Otherwise, some interfaces may be blocked by STP.

Figure 12-20 Networking of forwarding adjacency

LSRE GE0/0/1 GE0/0/3 LSRD
VLANIF500 VLANIF500
172.5.1.2/24 172.5.1.1/24
10 GE0/0/1
GE0/0/2 VLANIF300
10 VLANIF600 GE0/0/2
10 172.3.1.2/24
GE0/0/3 172.6.1.2/24 VLANIF400
VLANIF600 172.4.1.2/24
GE0/0/2
172.6.1.1/24
VLANIF400
Loopback1 10
172.4.1.1/24
1.1.1.9/32 TE Metric=10
LSRA
GE0/0/1 15 GE0/0/2
VLANIF100 VLANIF300
172.1.1.1/24 LSRB
172.3.1.1/24
GE0/0/1 10
VLANIF100 LSRC
GE0/0/2 GE0/0/1
172.1.1.2/24 VLANIF200 VLANIF200
172.2.1.1/24 172.2.1.2/24
Loopback1 Loopback1
2.2.2.9/32 3.3.3.9/32
1. Assign an IP address to each interface, configure OSPF to ensure that there are reachable
routes between LSRs, and configure the OSPF cost.
2. On LSRA, create an MPLS TE tunnel over the path LSRA -> LSRB -> LSRC. On LSRC,
create an MPLS TE tunnel over the path LSRC -> LSRB -> LSRA. This example uses
RSVP-TE to establish a dynamic MPLS TE tunnel. Configure an ID for each LSR, enable
MPLS TE, RSVP-TE, and CSPF on each node and interface, and enable OSPF TE. On the
ingress node of the primary tunnel, create a tunnel interface, and specify the IP address,
tunneling protocol, destination IP address, tunnel ID, and dynamic signaling protocol
RSVP-TE for the tunnel interface.
3. Enable forwarding adjacency on the TE tunnel interfaces of LSRA and LSRC, and
configure the IGP metric for the TE tunnels.
Procedure
Step 1 Assign an IP address to each interface, configure OSPF, and set the OSPF cost.
# Configure LSRA.


[LSRA] ospf 1
[LSRA-ospf-1] quit
12-20. The configurations on LSRB, LSRC, LSRD, and LSRE are similar to the configuration
After the configurations are complete, run the display ip routing-table command on LSRA,
LSRB, and LSRC. You can see that PE1 and PE2 have learned the routes to Loopback1 interfaces
of each other.
To create TE tunnels on LSRA and LSRC, perform the following configurations on LSRA,
LSRB, and LSRC.
# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] mpls te
[LSRA-mpls] quit
To create TE tunnels on LSRA and LSRC, perform the following configurations on LSRA,
LSRB, and LSRC.

# Configure LSRA.
[LSRA] ospf
[LSRA-ospf-1] quit
mentioned here.
Step 4 Create an MPLS TE tunnel.
Create MPLS TE tunnel interfaces on LSRA and LSRC, and configure explicit paths.
# Configure LSRA.
[LSRA-Tunnel1] quit
# Configure LSRC.
[LSRC] explicit-path pri-path
[LSRC-explicit-path-pri-path] next hop 172.2.1.1
[LSRC-explicit-path-pri-path] quit
[LSRC-Tunnel1] ip address unnumbered interface loopback 1
[LSRC-Tunnel1] tunnel-protocol mpls te
[LSRC-Tunnel1] destination 1.1.1.9
[LSRC-Tunnel1] mpls te tunnel-id 101
[LSRC-Tunnel1] mpls te path explicit-path pri-path
[LSRC-Tunnel1] quit
Step 5 Configure forwarding adjacency.

Enable forwarding adjacency on the TE tunnel interface of LSRA and set the IGP metric to 10
for the TE tunnel.
# Configure LSRA.
[LSRA-Tunnel1] mpls te igp advertise
[LSRA-Tunnel1] mpls te igp metric absolute 10
[LSRA-Tunnel1] quit
[LSRA] ospf 1
[LSRA-ospf-1] enable traffic-adjustment advertise
[LSRA-ospf-1] quit
# Configure LSRC.
[LSRC-Tunnel1] mpls te igp advertise

[LSRC-Tunnel1] mpls te igp metric absolute 10

[LSRC-Tunnel1] quit
[LSRC] ospf 1
[LSRC-ospf-1] enable traffic-adjustment advertise
[LSRC-ospf-1] quit

After the configurations are complete, run the display ip routing-table 3.3.3.9 command on
LSRA. You can see that the next hop address of the route destined for LSRC (3.3.3.9) is 1.1.1.9
and the outbound interface of this route is Tunnel1. The traffic destined for LSRC has been
------------------------------------------------------------------------------
Summary Count : 1
3.3.3.9/32 OSPF 10 10 D 1.1.1.9 Tunnel1
Run the display ip routing-table 3.3.3.9 command on LSRE. You can see that there are two
equal-cost routes to LSRC (3.3.3.9). Some traffic destined for LSRC is forwarded by LSRD and
some traffic is sent to the LSRA and forwarded over the MPLS TE tunnel.
[LSRE] display ip routing-table 3.3.3.9
------------------------------------------------------------------------------
Summary Count : 2
3.3.3.9/32 OSPF 10 20 D 172.5.1.1 Vlanif500

OSPF 10 20 D 172.6.1.1 Vlanif600
----End
Configuration Files
#
sysname LSRA
#
#
mpls lsr-id
1.1.1.9
mpls
mpls
te
mpls rsvp-
te
mpls te cspf
#
explicit-path pri-
path
next hop
172.1.1.2
next hop
172.2.1.2
next hop 3.3.3.9
#
interface Vlanif100

ip address 172.1.1.1 255.255.255.0

ospf cost 15
mpls
mpls te
mpls rsvp-te
#
interface Vlanif400
ip address 172.4.1.1 255.255.255.0
ospf cost 10
#
interface Vlanif600
ip address 172.6.1.1 255.255.255.0
ospf cost 10
#
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface Tunnel1
LoopBack1
te
destination
3.3.3.9
mpls te tunnel-id
100
path
mpls te igp advertise
10
mpls te commit
#
ospf
1
opaque-capability
enable
enable traffic-adjustment advertise
area
0.0.0.0
network 1.1.1.9
0.0.0.0
network 172.1.1.0
0.0.0.255
network 172.4.1.0 0.0.0.255
network 172.6.1.0 0.0.0.255
mpls-te enable
#
return

#
sysname LSRB
#
vlan batch 100 200

#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif100
ip address 172.1.1.2 255.255.255.0
ospf cost 15
mpls
mpls te
mpls rsvp-te
#
interface Vlanif200
ip address 172.2.1.1 255.255.255.0
ospf cost 10
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9
0.0.0.0
network 172.1.1.0
0.0.0.255
network 172.2.1.0
0.0.0.255
mpls-te enable
#
return

#
sysname LSRC
#
vlan batch 200 300
#
mpls lsr-id 3.3.3.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
explicit-path pri-
path
next hop
172.2.1.1
next hop
172.1.1.1
next hop 1.1.1.9
#
interface Vlanif200
ip address 172.2.1.2 255.255.255.0
ospf cost 10

mpls
mpls te
mpls rsvp-te
#
interface Vlanif300
ip address 172.3.1.1 255.255.255.0
ospf cost 10
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
interface Tunnel1
LoopBack1
te
destination
1.1.1.9
mpls te tunnel-id
101
path
mpls te igp
advertise
10
mpls te commit
#
ospf 1
enable traffic-adjustment advertise
area 0.0.0.0
network 3.3.3.9
0.0.0.0
network 172.2.1.0
0.0.0.255
network 172.3.1.0
0.0.0.255
mpls-te enable
#
return

#
sysname LSRD
#
#
interface Vlanif300
ip address 172.3.1.2 255.255.255.0
ospf cost 10
#
interface Vlanif400
ip address 172.4.1.2 255.255.255.0
ospf cost 10
#
interface Vlanif500
ip address 172.5.1.1 255.255.255.0
ospf cost 10

#
#
#
#
ospf 1
area 0.0.0.0
network 172.3.1.0 0.0.0.255
network 172.4.1.0 0.0.0.255
network 172.5.1.0 0.0.0.255
#
return

#
sysname LSRE
#
vlan batch 500 600
#
interface Vlanif500
ip address 172.5.1.2 255.255.255.0
ospf cost 10
#
interface Vlanif600
ip address 172.6.1.2 255.255.255.0
ospf cost 10
#
#
#
ospf 1
area 0.0.0.0
network 172.5.1.0 0.0.0.255
network 172.6.1.0 0.0.0.255
#
return
12.3.6 Example for Setting Attributes for an MPLS TE Tunnel
As shown in Figure 12-21, LSRA has two dynamic MPLS TE tunnels to LSRD: Tunnel1 and
Tunnel2. The affinity attribute and mask need to be used according to the administrative group
attribute so that Tunnel1 on LSRA uses the physical link LSRA -> LSRB -> LSRC -> LSRD
and Tunnel2 uses the physical link LSRA -> LSRB -> LSRE -> LSRC -> LSRD.
NOTE

Figure 12-21 Networking for setting MPLS TE tunnel attributes

Loopback1
4.4.4.9/32
LSRD
GE0/0/1
VLANIF300
172.3.1.2/24
Loopback1 Loopback1 GE0/0/2 Loopback1

1.1.1.9/32 2.2.2.9/32 VLANIF300 3.3.3.9/32
GE0/0/1 GE0/0/2
172.3.1.1/24
VLANIF100 VLANIF200
172.1.1.1/24 172.2.1.1/24
GE0/0/1 LSRB GE0/0/1 LSRC
VLANIF100 VLANIF200
LSRA 172.1.1.2/24 GE0/0/3 172.2.1.2/24 GE0/0/3
VLANIF400 Loopback1 VLANIF500
172.4.1.1/24 5.5.5.9/32 172.5.1.2/24
GE0/0/1 GE0/0/2
Path of Tunnel 1 VLANIF400 VLANIF500
172.4.1.2/24 172.5.1.1/24
Path of Tunnel 2 LSRE
1. Assign an IP address to each interface and configure OSPF to ensure that there are reachable
routes between LSRs.
2. Configure an ID for each LSR and globally enable MPLS TE, RSVP-TE, CSPF on each
node and interface, and enable OSPF TE.
3. Configure the administrative group attribute of the outbound interface of the tunnel on each
LSR.
4. On the ingress node of the primary tunnel, create a tunnel interface, and specify the IP
protocol RSVP-TE for the tunnel interface.
5. Determine and configure the affinity attribute and mask for each tunnel according to the
administrative group attribute and networking requirements.
Procedure
Step 1 Assign an IP address to each interface and configure OSPF.
# Configure LSRA.


[LSRA] ospf 1
[LSRA-ospf-1] quit
12-21. The configurations of LSRB, LSRC, LSRD, and LSRE are similar to the configuration
You can see that the LSRs have learned the routes to Loopback1 interfaces of each other. The
display on LSRA is used as an example.
------------------------------------------------------------------------------

2.2.2.9/32 OSPF 10 1 D 172.1.1.2 Vlanif100
3.3.3.9/32 OSPF 10 2 D 172.1.1.2 Vlanif100
4.4.4.9/32 OSPF 10 3 D 172.1.1.2 Vlanif100
5.5.5.9/32 OSPF 10 2 D 172.1.1.2 Vlanif100
172.1.1.0/24 Direct 0 0 D 172.1.1.1 Vlanif100
172.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
172.2.1.0/24 OSPF 10 2 D 172.1.1.2 Vlanif100
172.3.1.0/24 OSPF 10 3 D 172.1.1.2 Vlanif100
172.4.1.0/24 OSPF 10 2 D 172.1.1.2 Vlanif100
172.5.1.0/24 OSPF 10 3 D 172.1.1.2 Vlanif100
# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] mpls te
[LSRA-mpls] quit
The configurations of LSRB, LSRC, LSRD, and LSRE are similar to the configuration of LSRA,
and are not mentioned here. CSPF only needs to be configured on the ingress node of the primary
tunnel.
# Configure LSRA.

[LSRA] ospf
[LSRA-ospf-1] quit
The configurations of LSRB, LSRC, LSRD, and LSRE are similar to the configuration of LSRA,
Step 4 Set MPLS TE attributes of the outbound interface of each node.
# Configure the administrative group attribute on LSRA.
[LSRA-Vlanif100] mpls te link administrative group 10001
# Configure the administrative group attribute on LSRB.

[LSRB-Vlanif200] mpls te link administrative group 10101
[LSRB-Vlanif400] mpls te link administrative group 10011
# Configure the administrative group attribute on LSRC.

[LSRC-Vlanif300] mpls te link administrative group 10001
# Configure the administrative group attribute on LSRE.

[LSRE] interface vlanif 500
[LSRE-Vlanif500] mpls te link administrative group 10011
[LSRE-Vlanif500] quit
After the configurations are complete, check the TEDB including the Color field of each link.
The Color field indicates the administrative group attribute. The display on LSRA is used as an
example.
[LSRA] display mpls te cspf tedb node
Router ID: 1.1.1.9
IGP Type: OSPF Process ID: 1
MPLS-TE Link Count: 1
Link[1]:
OSPF Router ID: 1.1.1.9 Opaque LSA ID: 1.0.0.1
Interface IP Address: 172.1.1.1
DR Address: 172.1.1.2
IGP Area: 0
Link Type: Multi-access Link Status: Active
IGP Metric: 1 TE Metric: 1 Color: 0x10001
...
Step 5 Create MPLS TE tunnels on the ingress node.

# Create Tunnel1 on LSRA.
[LSRA-Tunnel1] mpls te record-route label
[LSRA-Tunnel1] mpls te affinity property 10101 mask 11011


[LSRA-Tunnel1] quit

[LSRA-Tunnel2] mpls te record-route label
[LSRA-Tunnel2] mpls te affinity property 10011 mask 11101
[LSRA-Tunnel2] quit

After the configurations are complete, run the display mpls te tunnel-interface command to
view the tunnel status on LSRA. You can see that both Tunnel1 and Tunnel2 are Up.
----------------------------------------------------------------
Tunnel1
----------------------------------------------------------------
Session ID : 100
----------------------------------------------------------------
Tunnel2
----------------------------------------------------------------
Session ID : 101
Run the display mpls te tunnel path command to view the path of the tunnel. You can see that
the affinity attribute and mask of the tunnel match the administrative group attribute of each
link.
[LSRA] display mpls te tunnel path
Lsp ID : 1.1.1.9 :100 :47
Hop Information
Hop 0 172.1.1.1
Hop 1 172.1.1.2 Label 1065
Hop 2 2.2.2.9 Label 1065
Hop 3 172.2.1.1
Hop 4 172.2.1.2 Label 1075
Hop 5 3.3.3.9 Label 1075
Hop 6 172.3.1.1
Hop 7 172.3.1.2 Label 3
Hop 8 4.4.4.9 Label 3

Lsp ID : 1.1.1.9 :101 :4
Hop Information
Hop 0 172.1.1.1
Hop 1 172.1.1.2 Label 1067

Hop 2 2.2.2.9 Label 1067

Hop 3 172.4.1.1
Hop 4 172.4.1.2 Label 1040
Hop 5 5.5.5.9 Label 1040
Hop 6 172.5.1.1
Hop 7 172.5.1.2 Label 1077
Hop 8 3.3.3.9 Label 1077
Hop 9 172.3.1.1
Hop 10 172.3.1.2 Label 3
Hop 11 4.4.4.9 Label 3
----End
Configuration Files
#
sysname LSRA
#
vlan batch 100
#
mpls lsr-id
1.1.1.9
mpls
mpls
te
mpls rsvp-
te
mpls te cspf
#
interface Vlanif100
ip address 172.1.1.1 255.255.255.0
mpls
mpls te
mpls te link administrative group 10001
mpls rsvp-te
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface Tunnel1
LoopBack1
te
destination
4.4.4.9
mpls te tunnel-id
100
label
mpls te affinity property 10101 mask
11011
mpls te
commit
#
interface Tunnel2
LoopBack1
te
destination

4.4.4.9
mpls te tunnel-id
101
label
mpls te affinity property 10011 mask
11101
mpls te
commit
#
ospf
1
opaque-capability
enable
area
0.0.0.0
network 1.1.1.9
0.0.0.0
network 172.1.1.0
0.0.0.255
mpls-te enable
#
return

#
sysname LSRB
#
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif100
ip address 172.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif200
ip address 172.2.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif400
ip address 172.4.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
#

interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9
0.0.0.0
network 172.1.1.0
0.0.0.255
network 172.2.1.0
0.0.0.255
network 172.4.1.0 0.0.0.255
mpls-te enable
#
return

#
sysname LSRC
#
#
mpls lsr-id 3.3.3.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif200
ip address 172.2.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif300
ip address 172.3.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif500
ip address 172.5.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9
0.0.0.0

network 172.2.1.0
0.0.0.255
network 172.3.1.0
0.0.0.255
network 172.5.1.0
0.0.0.255
mpls-te enable
#
return

#
sysname LSRD
#
vlan batch 300
#
mpls lsr-id
4.4.4.9
mpls
mpls
te
mpls rsvp-te
#
interface Vlanif300
ip address 172.3.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 4.4.4.9
0.0.0.0
network 172.3.1.0 0.0.0.255
mpls-te enable
#
return

#
sysname LSRE
#
vlan batch 400 500
#
mpls lsr-id 5.5.5.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif400
ip address 172.4.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif500
ip address 172.5.1.1 255.255.255.0
mpls
mpls te


mpls rsvp-te
#
#
#
interface LoopBack1
ip address 5.5.5.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 5.5.5.9
0.0.0.0
network 172.4.1.0
0.0.0.255
network 172.5.1.0 0.0.0.255
mpls-te enable
#
return
12.3.7 Example for Configuring Srefresh Based on Manual TE FRR
As shown in Figure 12-22, the primary CR-LSP is along the path LSRA -> LSRB -> LSRC ->
LSRD, and the link between LSRB and LSRC needs to be protected by FRR.
A bypass CR-LSP is set up along the path LSRB -> LSRE -> LSRC. LSRB functions as the
PLR and LSRC functions as the MP.
The primary and bypass MPLS TE tunnels are set up by using explicit paths. RSVP-TE is used
as the signaling protocol.
The Srefresh function needs to be configured on LSRB and LSRC.
NOTE

Figure 12-22 Networking for configuring Srefresh based on manual TE FRR

Loopback1
4.4.4.9/32
LSRD
GE0/0/1
VLANIF300
172.3.1.2/24

1.1.1.9/32 2.2.2.9/32 VLANIF300 3.3.3.9/32
GE0/0/1 GE0/0/2
172.3.1.1/24
VLANIF100 VLANIF200
172.1.1.1/24 172.2.1.1/24
VLANIF100 VLANIF200
LSRA 172.1.1.2/24 GE0/0/3 172.2.1.2/24 GE0/0/3
172.4.1.1/24 5.5.5.9/32 172.5.1.2/24
GE0/0/1 GE0/0/2
Primary CR-LSP VLANIF400 VLANIF500
172.4.1.2/24 172.5.1.1/24
Bypass CR-LSP LSRE
1. Configure manual TE FRR.
2. Configure Srefresh on the PLR and MP along a tunnel to enhance transmission reliability
of RSVP messages and improve resource use efficiency.
Procedure
Step 1 Configure manual TE FRR.
Configure the primary and bypass MPLS TE tunnels according to 12.3.13 Example for
Configuring Manual TE FRR, and then bind the two tunnels.
Step 2 Configure the Srefresh function on LSRB and LSRC.
# Configure the Srefresh function on LSRB.
[LSRB] mpls
[LSRB-mpls] mpls rsvp-te srefresh
[LSRB-mpls] quit
# Configure the Srefresh function on LSRC.

[LSRC] mpls
[LSRC-mpls] mpls rsvp-te srefresh
[LSRC-mpls] quit

# Run the display mpls rsvp-te statistics global command on LSRB. You can view the status
of the Srefresh function. If the command output shows that the values of SendSrefreshCounter,

RecSrefreshCounter, SendAckMsgCounter, and RecAckMsgCounter are not zero, Srefresh

packets are successfully transmitted.
[LSRB]display mpls rsvp-te statistics global
LSR ID: 2.2.2.9 LSP Count: 2
PSB Count: 2 RSB Count: 2
RFSB Count: 1
Total Statistics Information:

PSB CleanupTimeOutCounter: 0 RSB CleanupTimeOutCounter: 0
SendPacketCounter: 122613 RecPacketCounter: 127446
SendCreatePathCounter: 25 RecCreatePathCounter: 260
SendRefreshPathCounter: 62209 RecRefreshPathCounter: 62113
SendCreateResvCounter: 21 RecCreateResvCounter: 31
SendRefreshResvCounter: 60101 RecRefreshResvCounter: 64792
SendResvConfCounter: 0 RecResvConfCounter: 0
SendHelloCounter: 0 RecHelloCounter: 0
SendAckCounter: 0 RecAckCounter: 0
SendPathErrCounter: 242 RecPathErrCounter: 0
SendResvErrCounter: 0 RecResvErrCounter: 0
SendPathTearCounter: 11 RecPathTearCounter: 8
SendResvTearCounter: 2 RecResvTearCounter: 0
SendSrefreshCounter: 1 RecSrefreshCounter: 1
SendAckMsgCounter: 1 RecAckMsgCounter: 1
SendChallengeMsgCounter: 0 RecChallengeMsgCounter: 0
SendResponseMsgCounter: 0 RecResponseMsgCounter: 0
SendErrMsgCounter: 0 RecErrMsgCounter: 0
SendRecoveryPathMsgCounter: 0 RecRecoveryPathMsgCounter: 0
SendGRPathMsgCounter: 0 RecGRPathMsgCounter: 0
ResourceReqFaultCounter: 0 RecGRPathMsgFromLSPMCounter: 0
Bfd neighbor count: 3 Bfd session count: 0
# Shut down the protected outbound interface VLANIF200 on LSRB.

[LSRB-Vlanif200] shutdown
Run the display interface tunnel 1 command on LSRA. You can view the status of the primary
CR-LSP and that the status of the tunnel interface is still Up.
Description:
...
Run the tracert lsp te tunnel 1 command on LSRA. You can view the path that the tunnel
passes.
[LSRA] tracert lsp te tunnel 1
LSP Trace Route FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel1 , press CTRL_C t
o break.
TTL Replier Time Type Downstream
0 Ingress 172.1.1.2/[1034 ]
1 172.1.1.2 1 ms Transit 172.4.1.2/[1042 1025 ]
2 172.4.1.2 1 ms Transit 172.5.1.2/[3 ]
3 172.5.1.2 2 ms Transit 172.3.1.2/[3 ]
4 4.4.4.9 2 ms Egress
The preceding information shows that services on the link have been switched to the bypass CR-
LSP.
Run the display mpls te tunnel name Tunnel1 verbose command on LSRB. You can see that
the bypass CR-LSP is in use.

[LSRB] display mpls te tunnel name Tunnel1 verbose

No : 1
Tunnel Interface Name : -
LSR Role : Transit
IncludeAllAff : 0x0
ER-Hop Table Index : - AR-Hop Table Index: 0
PSB Handle : 8421
Created Time : 2013-09-16 18:27:55+00:00
RSVP LSP Type : -
--------------------------------
DS-TE Information
--------------------------------
--------------------------------
FRR Information
--------------------------------
Primary LSP Info
Bypass In Use : In Use
Bypass Tunnel Id : 1225021547
BypassTunnel : Tunnel Index[Tunnel2], InnerLabel[1042]
Bypass Lsp ID : 2 FrrNextHop : 172.5.1.2
IncludeAllGroup : -
--------------------------------
BFD Information
--------------------------------
Run the display mpls rsvp-te statistics global command on LSRB to view Srefresh statistics.
[LSRB]display mpls rsvp-te statistics global
RFSB Count: 1


Because the Srefresh function is configured globally on LSRB and LSRC, the Srefresh function
takes effect on LSRB and LSRC when the primary tunnel fails.
----End
Configuration Files
#
sysname LSRA
#
vlan batch 100
#
mpls lsr-id 1.1.1.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
next hop 172.1.1.2
next hop 172.2.1.2
next hop 172.3.1.2
next hop 4.4.4.9
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0001.00
traffic-eng level-2
#
interface Vlanif100
ip address 172.1.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
isis enable 1
#
interface Tunnel1


destination 4.4.4.9
mpls te record-route label
mpls te path explicit-path pri-path
mpls te fast-reroute
mpls te commit
#
return

#
sysname LSRB
#
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls te timer fast-reroute 120
mpls rsvp-te
mpls rsvp-te srefresh
mpls te cspf
#
explicit-path by-path
next hop 172.4.1.2
next hop 172.5.1.2
next hop 3.3.3.9
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0002.00
traffic-eng level-2
#
interface Vlanif100
ip address 172.1.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif200
ip address 172.2.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif400
ip address 172.4.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
#
#


#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
isis enable 1
#
interface Tunnel2
destination 3.3.3.9
mpls te path explicit-path by-path
mpls te bypass-tunnel
mpls te protected-interface Vlanif200
mpls te commit
#
return

#
sysname LSRC
#
#
mpls lsr-id 3.3.3.9
mpls
mpls te
mpls rsvp-te
mpls rsvp-te srefresh
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0003.00
traffic-eng level-2
#
interface Vlanif200
ip address 172.2.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif300
ip address 172.3.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif500
ip address 172.5.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
#
#


#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
isis enable 1
#
return

#
sysname LSRD
#
vlan batch 300
#
mpls lsr-id 4.4.4.9
mpls
mpls te
mpls rsvp-te
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0004.00
traffic-eng level-2
#
interface Vlanif300
ip address 172.3.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
#
interface LoopBack1
ip address 4.4.4.9 255.255.255.255
isis enable 1
#
return

#
sysname LSRE
#
vlan batch 400 500
#
mpls lsr-id 5.5.5.9
mpls
mpls te
mpls rsvp-te
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0005.00
traffic-eng level-2
#
interface Vlanif400
ip address 172.4.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#

interface Vlanif500
ip address 172.5.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 5.5.5.9 255.255.255.255
isis enable 1
#
return
12.3.8 Example for Configuring RSVP Authentication
As shown in Figure 12-23, VLANIF100 between LSRA and LSRB contains member interfaces
GE0/0/1 and GE0/0/2. An MPLS TE tunnel from LSRA to LSRC is set up by using RSVP.
The handshake function needs to be configured so that LSRA and LSRB perform RSPV
authentication to prevent forged Resv messages from consuming network resources. In addition,
the message window function is configured to solve the problem of RSVP packet mis-
sequencing.
NOTE
Figure 12-23 Networking of RSVP authentication

1.1.1.9/32 2.2.2.9/32 3.3.3.9/32
172.1.1.1/24 172.1.1.2/24 VLANIF200
172.2.1.1/24
GE0/0/1
GE0/0/1
LSRA GE0/0/1 LSRB VLANIF200 LSRC
GE0/0/2 GE0/0/2 172.2.1.2/24
1. Assign an IP address to each interface on each LSR and configure OSPF to ensure that
there are reachable routes between LSRs.
2. Configure an ID for each LSR and globally enable MPLS, MPLS TE, and RSVP-TE on
each node and interface.

3. On the ingress node, create a tunnel interface, and specify the IP address, tunneling protocol,
destination IP address, tunnel ID, and dynamic signaling protocol RSVP-TE, and enable
CSPF.
4. Configure RSVP authentication on LSRA and LSRB of the tunnel.
5. Configure the Handshake function on LSRA and LSRB to prevent forged Resv messages
from consuming network resources.
6. Configure the sliding window function on LSRA and LSRB to solve the problem of RSVP
packet mis-sequencing.
NOTE
It is recommended that the window size be larger than 32. If the window size is too small, some received
RSVP messages may be discarded, which can terminate the RSVP neighbor relationships.
Procedure
# Configure LSRA.
[LSRA] ospf 1
[LSRA-ospf-1] quit
# Configure IP addresses for interfaces of LSRB and LSRC according to Figure 12-23. The
configurations of LSRB and LSRC are similar to the configuration of LSRA, and are not
mentioned here.
You can see that the LSRs have learned the routes to Loopback1 interfaces of each other.
# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] mpls te
[LSRA-mpls] quit

# Configure LSRA.
[LSRA] ospf
[LSRA-ospf-1] quit
mentioned here.
Step 4 Create an MPLS TE tunnel on the ingress node.

[LSRA-Tunnel1] quit
Description:...
Step 5 On LSRA and LSRB, configure RSVP authentication on the interfaces on the MPLS TE link.
# Configure LSRA.
[LSRA-Vlanif100] mpls rsvp-te authentication plain 123456789
[LSRA-Vlanif100] mpls rsvp-te authentication handshake 12345678
[LSRA-Vlanif100] mpls rsvp-te authentication window-size 32
# Configure LSRB.
[LSRB-Vlanif100] mpls rsvp-te authentication plain 123456789
[LSRB-Vlanif100] mpls rsvp-te authentication handshake 12345678
[LSRB-Vlanif100] mpls rsvp-te authentication window-size 32
Run the reset mpls rsvp-te command, and then run the display interface tunnel command on
LSRA. You can see that the tunnel interface is Up.
Run the display mpls rsvp-te interface command on LSRA or LSRB to view information about
RSVP authentication.

[LSRA] display mpls rsvp-te interface vlanif 100

Interface: Vlanif100
Interface Address: 172.1.1.1
Interface state: UP Interface Index: 0x36
Total-BW: 0 Used-BW: 0
Hello configured: NO Num of Neighbors: 1
SRefresh feature: DISABLE SRefresh Interval: 30 sec
Mpls Mtu: 1500 Retransmit Interval: 5000 msec
Increment Value: 1 Authentication: ENABLE
Challenge: ENABLE WindowSize: 32
Next Seq # to be sent:2767789282 0 Key ID: 0xa4ff1cdc0000
Bfd Enabled: DISABLE Bfd Min-Tx: 1000
Bfd Min-Rx: 1000 Bfd Detect-Multi: 3
----End
Configuration Files
#
sysname LSRA
#
vlan batch 100
#
mpls lsr-id
1.1.1.9
mpls
mpls
te
mpls rsvp-
te
mpls te cspf
#
interface Vlanif100
ip address 172.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
mpls rsvp-te authentication plain 123456789
mpls rsvp-te authentication handshake 12345678
mpls rsvp-te authentication window-size 32
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface Tunnel1
LoopBack1
te
destination
3.3.3.9
mpls te tunnel-id
101
mpls te
commit
#
ospf

1
opaque-capability
enable
area
0.0.0.0
network 1.1.1.9
0.0.0.0
network 172.1.1.0
0.0.0.255
mpls-te enable
#
return

#
sysname LSRB
#
vlan batch 100 200
#
mpls lsr-id
2.2.2.9
mpls
mpls
te
mpls rsvp-
te
#
interface Vlanif100
ip address 172.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
mpls rsvp-te authentication plain 123456789
mpls rsvp-te authentication handshake 12345678
mpls rsvp-te authentication window-size 32
#
interface Vlanif200
ip address 172.2.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf
1
opaque-capability
enable
area
0.0.0.0
network 2.2.2.9
0.0.0.0
network 172.1.1.0
0.0.0.255

network 172.2.1.0
0.0.0.255
mpls-te enable
#
return

#
sysname LSRC
#
vlan batch 200
#
mpls lsr-id 3.3.3.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif200
ip address 172.2.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9
0.0.0.0
network 172.2.1.0
0.0.0.255
mpls-te enable
#
return
12.3.9 Example for Configuring RSVP Authentication Based on

Manual TE FRR
As shown in Figure 12-24, the primary CR-LSP is along the path LSRA -> LSRB -> LSRC ->
LSRD, and the link between LSRB and LSRC needs to be protected by TE FRR.
A bypass CR-LSP is set up along the path LSRB -> LSRE -> LSRC. LSRB functions as the
PLR and LSRC functions as the MP.
The primary and bypass MPLS TE tunnels are set up by using explicit paths. RSVP-TE is used
as the signaling protocol.
RSVP authentication needs to be configured on LSRB and LSRC.
NOTE

Figure 12-24 Networking of RSVP authentication based on manual TE FRR

Loopback1
4.4.4.9/32
LSRD
GE0/0/1
VLANIF300
172.3.1.2/24

1.1.1.9/32 2.2.2.9/32 VLANIF300 3.3.3.9/32
GE0/0/1 GE0/0/2
172.3.1.1/24
VLANIF100 VLANIF200
172.1.1.1/24 172.2.1.1/24
VLANIF100 VLANIF200
LSRA 172.1.1.2/24 GE0/0/3 172.2.1.2/24 GE0/0/3
172.4.1.1/24 5.5.5.9/32 172.5.1.2/24
GE0/0/1 GE0/0/2
Primary CR-LSP VLANIF400 VLANIF500
172.4.1.2/24 172.5.1.1/24
Bypass CR-LSP LSRE
1. Configure manual TE FRR.
2. Configure RSVP authentication on LSRB and LSRC to prevent forged Resv messages from
consuming network resources.
Procedure
Step 1 Configure MPLS TE FRR.
Configure the primary and bypass MPLS TE tunnels according to 12.3.13 Example for
Configuring Manual TE FRR, and then bind the two tunnels.
Step 2 Configure RSVP authentication on LSRB and LSRC.
The Handshake function and local password are configured to check whether RSVP
authentication is configured successfully.
NOTE
The neighbor node is identified by its LSR-ID, therefore, you must enable CSPF on two neighboring devices
where RSVP authentication is required.
# Configure RSVP authentication on LSRB.

[LSRB] mpls rsvp-te peer 3.3.3.9
[LSRB-mpls-rsvp-te-peer-3.3.3.9] mpls rsvp-te authentication plain huawei
[LSRB-mpls-rsvp-te-peer-3.3.3.9] mpls rsvp-te authentication handshake nanjingHW
# Configure RSVP authentication on LSRC.

[LSRC] mpls
[LSRC-mpls] mpls te cspf
[LSRC-mpls] quit
[LSRC] mpls rsvp-te peer 2.2.2.9
[LSRC-mpls-rsvp-te-peer-2.2.2.9] mpls rsvp-te authentication plain huawei
[LSRC-mpls-rsvp-te-peer-2.2.2.9] mpls rsvp-te authentication handshake nanjingHW

Run the display mpls rsvp-te statistics global command on LSRB. You can view the status of
RSVP authentication. If the command output shows that the values of
SendChallengeMsgCounter, RecChallengeMsgCounter, SendResponseMsgCounter, and
RecResponseMsgCounter are not zero, the PLR and the MP successfully shake hands with each
other and RSVP authentication is configured successfully.
[LSRB] display mpls rsvp-te statistics global
RFSB Count: 1

# Shut down the protected outbound interface on the LSRB.

[LSRB-Vlanif200] shutdown
Run the display interface tunnel 1 command on LSRA. You can view the status of the primary
CR-LSP and that the status of the tunnel interface is still Up.
Description:
...
Run the tracert lsp te tunnel 1 command on LSRA. You can view the path that the tunnel
passes.
[LSRA] tracert lsp te tunnel 1
o break.

0 Ingress 172.1.1.2/[1037 ]
1 172.1.1.2 1 ms Transit 172.4.1.2/[1045 1027 ]
2 172.4.1.2 1 ms Transit 172.5.1.2/[3 ]
3 172.5.1.2 2 ms Transit 172.3.1.2/[3 ]
4 4.4.4.9 2 ms Egress
The preceding information shows that services on the link have been switched to the bypass CR-
LSP.
Run the display mpls te tunnel name Tunnel1 verbose command on LSRB. You can see that
the bypass CR-LSP is in use.
[LSRB] display mpls te tunnel name Tunnel1 verbose
No : 1
Tunnel Interface Name : -
LSR Role : Transit
IncludeAllAff : 0x0
ER-Hop Table Index : - AR-Hop Table Index: 2
PSB Handle : 8562
Created Time : 2013-09-16 19:14:37
+00:00
RSVP LSP Type : -
--------------------------------
DS-TE Information
--------------------------------
--------------------------------
FRR Information
--------------------------------
Primary LSP Info
Bypass In Use : In Use
Bypass Lsp ID : 4 FrrNextHop : 172.5.1.2
IncludeAllGroup : -
--------------------------------
BFD Information
--------------------------------

# Run the display mpls rsvp-te peer command to check whether the bypass CR-LSP is
successfully set up.
[LSRB] display mpls rsvp-te peer
Remote Node id Neighbor
Neighbor Addr: -----
SrcInstance: 0x60128590 NbrSrcInstance: 0x0
Hello Type Sent: NONE
SRefresh Enable: NO
Last valid seq # rcvd: NULL
Remote Node id Neighbor

Neighbor Addr: 3.3.3.9
SRefresh Enable: NO
SRefresh Enable: NO
SRefresh Enable: NO
The command output shows that the number of RSBs on neighbor of LSRB is not zero. This
indicates that RSVP authentication is successful on LSRB and its neighbor LSRC, and resources
are successfully reserved.
----End
Configuration Files
#
sysname LSRA
#
vlan batch 100
#
mpls lsr-id 1.1.1.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
next hop 172.1.1.2
next hop 172.2.1.2
next hop 172.3.1.2
next hop 4.4.4.9

#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0001.00
traffic-eng level-2
#
interface Vlanif100
ip address 172.1.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
isis enable 1
#
interface Tunnel1
destination 4.4.4.9
mpls te commit
#
return

#
sysname LSRB
#
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls te timer fast-reroute 120
mpls rsvp-te
mpls te cspf
#
explicit-path by-path
next hop 172.4.1.2
next hop 172.5.1.2
next hop 3.3.3.9
#
mpls rsvp-te peer 3.3.3.9
mpls rsvp-te authentication plain huawei
mpls rsvp-te authentication handshake nanjingHW
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0002.00
traffic-eng level-2
#
interface Vlanif100
ip address 172.1.1.2 255.255.255.0
isis enable 1
mpls
mpls te

mpls rsvp-te
#
interface Vlanif200
ip address 172.2.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif400
ip address 172.4.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
isis enable 1
#
interface Tunnel2
destination 3.3.3.9
mpls te path explicit-path by-path
mpls te bypass-tunnel
mpls te protected-interface Vlanif200
mpls te commit
#
return

#
sysname LSRC
#
#
mpls lsr-id 3.3.3.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
mpls rsvp-te peer 2.2.2.9
mpls rsvp-te authentication plain huawei
mpls rsvp-te authentication handshake nanjingHW
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0003.00
traffic-eng level-2
#

interface Vlanif200
ip address 172.2.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif300
ip address 172.3.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif500
ip address 172.5.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
isis enable 1
#
return

#
sysname LSRD
#
vlan batch 300
#
mpls lsr-id 4.4.4.9
mpls
mpls te
mpls rsvp-te
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0004.00
traffic-eng level-2
#
interface Vlanif300
ip address 172.3.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
#

interface LoopBack1
ip address 4.4.4.9 255.255.255.255
isis enable 1
#
return

#
sysname LSRE
#
vlan batch 400 500
#
mpls lsr-id 5.5.5.9
mpls
mpls te
mpls rsvp-te
#
isis 1
is-level level-2
cost-style wide
network-entity 00.0005.0000.0000.0005.00
traffic-eng level-2
#
interface Vlanif400
ip address 172.4.1.2 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
interface Vlanif500
ip address 172.5.1.1 255.255.255.0
isis enable 1
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 5.5.5.9 255.255.255.255
isis enable 1
#
return
12.3.10 Example for Configuring SRLG Based on Auto TE FRR
As shown in Figure 12-25, An MPLS TE tunnel is set up between LSRA and LSRC, with the
path LSRA -> LSRB -> LSRC.
The link LSRA -> LSRB and link LSRA -> LSRE belong to the same SRLG (SRLG1 is used
here).
To improve reliability, auto TE FRR needs to be configured and the links of the bypass CR-LSP
and primary tunnel must be in different SRLGs. If no path is available, SRLG attributes can be
ignored.

NOTE
Figure 12-25 Networking for configuring SRLG based on auto TE FRR

Loopback1
6.6.6.9/32
GE0/0/1 GE0/0/2
VLANIF600 VLANIF700
172.6.1.2/24 172.7.1.1/24
LSRF
GE0/0/2 GE0/0/3
VLANIF600 VLANIF700
Loopback1
172.6.1.1/24 172.7.1.2/24
GE0/0/1 GE0/0/2
1.1.1.9/32 3.3.3.9/32
VLANIF100 VLANIF200
172.1.1.2/24 172.2.1.1/24
LSRA LSRC
GE0/0/1 GE0/0/1
VLANIF100 VLANIF200
GE0/0/3 172.1.1.1/24 LSRB 172.2.1.2/24 GE0/0/2
VLANIF400 VLANIF500
172.4.1.1/24 172.5.1.2/24
Loopback1
5.5.5.9/32
GE0/0/1 GE0/0/2
VLANIF400 VLANIF500
172.4.1.2/24 172.5.1.1/24
LSRE
Primary CR-LSP
2. Configure an ID for each LSR and globally enable MPLS, MPLS TE, RSVP-TE, CSPF on
each node and interface, and enable OSPF TE.
protocol RSVP-TE for the tunnel interface. The explicit path is LSRA -> LSRB -> LSRC.
4. Configure SRLG numbers for SRLG member interfaces.
5. Configure the SRLG path calculation mode on the ingress node of the primary tunnel.
6. Configure auto TE FRR on the ingress node of the primary tunnel to protect LSRB.
Procedure
# Configure LSRA.


[LSRA] ospf 1
[LSRA-ospf-1] quit
Configure IP addresses for interfaces of LSRB, LSRC, LSRE, and LSRF according to Figure
12-25. The configurations of LSRB, LSRC, LSRE, and LSRF are similar to the configuration
You can see that the LSRs learn the routes to Loopback1 of each other. The display on LSRA
is used as an example.
------------------------------------------------------------------------------

2.2.2.9/32 OSPF 10 1 D 172.1.1.2 Vlanif100
3.3.3.9/32 OSPF 10 2 D 172.1.1.2 Vlanif100
OSPF 10 2 D 172.4.1.2 Vlanif400
OSPF 10 2 D 172.6.1.2 Vlanif600
5.5.5.9/32 OSPF 10 1 D 172.4.1.2 Vlanif400
6.6.6.9/32 OSPF 10 1 D 172.6.1.2 Vlanif600
172.1.1.0/24 Direct 0 0 D 172.1.1.1 Vlanif100
172.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
172.2.1.0/24 OSPF 10 2 D 172.1.1.2 Vlanif100
172.4.1.0/24 Direct 0 0 D 172.4.1.1 Vlanif400
172.4.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif400
172.5.1.0/24 OSPF 10 2 D 172.4.1.2 Vlanif400
172.6.1.0/24 Direct 0 0 D 172.6.1.1 Vlanif600

172.6.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif600

172.7.1.0/24 OSPF 10 2 D 172.6.1.2 Vlanif600
# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] mpls te
[LSRA-mpls] quit
The configurations of LSRB, LSRC, LSRE, and LSRF are similar to the configuration of LSRA,
tunnel.
# Configure LSRA.
[LSRA] ospf
[LSRA-ospf-1] quit
Step 4 On LSRA, create an MPLS TE tunnel for the primary CR-LSP.
# Configure the explicit path of the primary CR-LSP.
# Configure the MPLS TE tunnel interface of the primary CR-LSP.

[LSRA-Tunnel1] quit

Run the display interface tunnel 1 command on LSRA. You can see that the tunnel status is
Up.
Description:
...
Step 5 Configure SRLG.
Add links LSRA -> LSRB and LSRA -> LSRE to SRLG1, and configure the SRLG path
calculation mode on the ingress node LSRA of the primary tunnel.
# Configure LSRA.
[LSRA-Vlanif100] mpls te srlg 1
# Configure the SRLG path calculation mode on LSRA.

[LSRA] mpls
[LSRA-mpls] mpls te srlg path-calculation preferred
[LSRA-mpls] quit
Run the display mpls te srlg command to view SRLG information and the interfaces that belong
to the SRLG. The display on LSRA is used as an example.
[LSRA] display mpls te srlg all
Total SRLG supported : 512
Total SRLG configured : 2
SRLG 1: Vlanif100
Vlanif400
Run the display mpls te link-administration srlg-information to view SRLGs to which the
interfaces belong. The display on LSRA is used as an example.
[LSRA] display mpls te link-administration srlg-information
SRLGs on Vlanif100 :
1
1
Run the display mpls te cspf tedb srlg command to view TEDB information of the specified
SRLG.
[LSRA] display mpls te cspf tedb srlg 1
Interface-Address IGP-Type Area
172.1.1.1 OSPF 0
172.4.1.1 OSPF 0
Step 6 Configure auto TE FRR.
# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] mpls te auto-frr
[LSRA-mpls] quit

[LSRA-Tunnel1] mpls te fast-reroute

Run the display mpls te tunnel command on LSRA. You can see that the bypass CR-LSP has
been established.
[LSRA] display mpls te tunnel
------------------------------------------------------------------------------
Ingress LsrId Destination LSPID In/Out Label R Tunnel-name
------------------------------------------------------------------------------
1.1.1.9 3.3.3.9 1 --/1024 I Tunnel1
1.1.1.9 3.3.3.9 4 --/1025 I Tunnel2048
Run the display mpls te tunnel path Tunnel1 command on LSRA. You can see that local
protection is enabled on the outbound interface (172.1.1.1) of the primary tunnel on LSRA.
[LSRA] display mpls te tunnel path Tunnel1
Lsp ID : 1.1.1.9 :100 :1
Hop Information
Hop 0 172.1.1.1 Local-Protection available | node
Hop 1 172.1.1.2 Label 1024
Hop 2 2.2.2.9 Label 1024
Hop 3 172.2.1.1
Hop 4 172.2.1.2 Label 3
Hop 5 3.3.3.9 Label 3
After the configurations are complete, run the display mpls te tunnel name Tunnel1
verbose command on LSRA. You can see that the primary tunnel is bound to a bypass CR-LSP
(Tunnel2048) and the FRR next hop is 172.7.1.2.
[LSRA] display mpls te tunnel name Tunnel1 verbose
No : 1
In-Interface : -
IncludeAllAff : 0x0
LspConstraint : -
PSB Handle : 8198
Created Time : 2013-09-16 15:20:42+00:00
RSVP LSP Type : -
--------------------------------
DS-TE Information
--------------------------------
--------------------------------
FRR Information
--------------------------------

Primary LSP Info

Bypass In Use : Not Used
Bypass LSP ID : 4 FrrNextHop : 172.7.1.2
IncludeAllGroup : -
--------------------------------
BFD Information
--------------------------------
# Run the display mpls te tunnel path Tunnel2048 command on LSRA to check the path of
the bypass CR-LSP. You can see that the path of the bypass CR-LSP is LSRA -> LSRF -> LSRC.
Lsp ID : 1.1.1.9 :1025 :4
Hop Information
Hop 0 172.6.1.1
Hop 1 172.6.1.2 Label 1025
Hop 2 6.6.6.9 Label 1025
Hop 3 172.7.1.1
Hop 4 172.7.1.2 Label 3
Hop 5 3.3.3.9 Label 3
# Run the shutdown command on VLANIF600 of LSRA.

# Run the display mpls te tunnel name Tunnel1 verbose command on LSRA. You can see
that the primary tunnel is bound to Tunnel2049 and the FRR next hop is 172.5.1.2.
[LSRA] display mpls te tunnel name Tunnel1 verbose
No : 1
In-Interface : -
IncludeAllAff : 0x0
LspConstraint : -
PSB Handle : 8198

Created Time : 2013-09-16 15:20:42+00:00

RSVP LSP Type : -
--------------------------------
DS-TE Information
--------------------------------
--------------------------------
FRR Information
--------------------------------
Primary LSP Info
Bypass In Use : Not Used
Bypass LSP ID : 4 FrrNextHop : 172.5.1.2
IncludeAllGroup : -
--------------------------------
BFD Information
--------------------------------
# Run the display mpls te tunnel path Tunnel2049 command to check the path of the bypass
CR-LSP.
Lsp ID : 1.1.1.9 :1026 :4
Hop Information
Hop 0 172.4.1.1
Hop 1 172.4.1.2 Label 1026
Hop 2 5.5.5.9 Label 1026
Hop 3 172.5.1.1
Hop 4 172.5.1.2 Label 3
Hop 5 3.3.3.9 Label 3
You can see that the path of the bypass CR-LSP is LSRA -> LSRE -> LSRC. This is because
the SRLG path calculation mode is configured as preferred. CSPF tries to calculate the path of
the bypass tunnel to avoid the links in the same SRLG as the protected interface(s). If calculation
fails, CSPF does not take the SRLG as a constraint.
----End
Configuration Files
#
sysname LSRA

#
#
mpls lsr-id
1.1.1.9
mpls
mpls
te
mpls te auto-frr
mpls te srlg path-calculation preferred
mpls rsvp-
te
mpls te cspf
#
explicit-path pri-
path
next hop
172.1.1.2
next hop
172.2.1.2
next hop 3.3.3.9
#
interface Vlanif100
ip address 172.1.1.1 255.255.255.0
mpls
mpls te
mpls te srlg 1
mpls rsvp-te
#
interface Vlanif400
ip address 172.4.1.1 255.255.255.0
mpls
mpls te
mpls te srlg 1
mpls rsvp-te
#
interface Vlanif600
ip address 172.6.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface Tunnel1
destination 3.3.3.9
mpls te commit
#

ospf 1
area 0.0.0.0
network 1.1.1.9
0.0.0.0
network 172.1.1.0
0.0.0.255
network 172.4.1.0 0.0.0.255
network 172.6.1.0 0.0.0.255
mpls-te enable
#
return

#
sysname LSRB
#
vlan batch 100 200
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif100
ip address 172.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif200
ip address 172.2.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9
0.0.0.0
network 172.1.1.0
0.0.0.255
network 172.2.1.0
0.0.0.255
mpls-te enable
#
return

#
sysname LSRC
#
#
mpls lsr-id 3.3.3.9

mpls
mpls te
mpls rsvp-te
#
interface Vlanif200
ip address 172.2.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif500
ip address 172.5.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif700
ip address 172.7.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9
0.0.0.0
network 172.2.1.0
0.0.0.255
network 172.5.1.0
0.0.0.255
network 172.7.1.0 0.0.0.255
mpls-te enable
#
return

#
sysname LSRE
#
vlan batch 400 500
#
mpls lsr-id 5.5.5.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif400
ip address 172.4.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te

#
interface Vlanif500
ip address 172.5.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 5.5.5.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 5.5.5.9
0.0.0.0
network 172.4.1.0
0.0.0.255
network 172.5.1.0 0.0.0.255
mpls-te enable
#
return

#
sysname LSRF
#
vlan batch 600 700
#
mpls lsr-id 6.6.6.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif600
ip address 172.6.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif700
ip address 172.7.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 6.6.6.9 255.255.255.255
#
ospf 1
area 0.0.0.0

network 6.6.6.9
0.0.0.0
network 172.6.1.0
0.0.0.255
network 172.7.1.0 0.0.0.255
mpls-te enable
#
return
12.3.11 Example for Configuring SRLG Based on CR-LSP Hot

Standby
As shown in Figure 12-26, An MPLS TE tunnel is set up between LSRA and LSRC, with the
path LSRA -> LSRB -> LSRC.
The link LSRA -> LSRB and the link LSRA -> LSRE are in the same SRLG (SRLG1 for
example); the link LSRC -> LSRB and the link LSRC -> LSRE are in the same SLRG (SRLG2
for example).
To improve reliability, a hot-standby CR-LSP needs to be established and the links of the bypass
CR-LSP and primary tunnel must be in different SRLGs.
NOTE
Figure 12-26 Networking for configuring SRLG based on CR-LSP hot standby
Loopback1
6.6.6.9/32
GE0/0/1 GE0/0/2
VLANIF600 VLANIF700
172.6.1.2/24 172.7.1.1/24
LSRF
GE0/0/2 GE0/0/3
VLANIF600 VLANIF700
Loopback1
172.6.1.1/24 172.7.1.2/24
GE0/0/1 GE0/0/2
1.1.1.9/32 3.3.3.9/32
VLANIF100 VLANIF200
172.1.1.2/24 172.2.1.1/24
LSRA LSRC
GE0/0/1 GE0/0/1
VLANIF100 VLANIF200
GE0/0/3 172.1.1.1/24 LSRB 172.2.1.2/24 GE0/0/2
VLANIF400 VLANIF500
172.4.1.1/24 172.5.1.2/24
Loopback1
5.5.5.9/32
GE0/0/1 GE0/0/2
VLANIF400 VLANIF500
172.4.1.2/24 172.5.1.1/24
LSRE
Primary CR-LSP

protocol RSVP-TE for the tunnel interface. The explicit path is LSRA -> LSRB -> LSRC.
4. Configure SRLG numbers for SRLG member interfaces.
5. Configure the SRLG path calculation mode on the ingress node of the primary tunnel.
6. Configure a hot-standby CR-LSP on the ingress node of the primary tunnel.
Procedure
# Configure LSRA.
[LSRA] ospf 1
[LSRA-ospf-1] quit
Configure IP addresses for interfaces of LSRB, LSRC, LSRE, and LSRF according to Figure
12-26. The configurations of LSRB, LSRC, LSRE, and LSRF are similar to the configuration

You can see that the LSRs learn the routes to Loopback1 of each other. The display on LSRA
is used as an example.
------------------------------------------------------------------------------

2.2.2.9/32 OSPF 10 1 D 172.1.1.2 Vlanif100
3.3.3.9/32 OSPF 10 2 D 172.1.1.2 Vlanif100
OSPF 10 2 D 172.4.1.2 Vlanif400
OSPF 10 2 D 172.6.1.2 Vlanif600
5.5.5.9/32 OSPF 10 1 D 172.4.1.2 Vlanif400
6.6.6.9/32 OSPF 10 1 D 172.6.1.2 Vlanif600
172.1.1.0/24 Direct 0 0 D 172.1.1.1 Vlanif100
172.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
172.2.1.0/24 OSPF 10 2 D 172.1.1.2 Vlanif100
172.4.1.0/24 Direct 0 0 D 172.4.1.1 Vlanif400
172.4.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif400
172.5.1.0/24 OSPF 10 2 D 172.4.1.2 Vlanif400
172.6.1.0/24 Direct 0 0 D 172.6.1.1 Vlanif600
172.6.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif600
172.7.1.0/24 OSPF 10 2 D 172.6.1.2 Vlanif600
# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] mpls te
[LSRA-mpls] quit
tunnel.
# Configure LSRA.
[LSRA] ospf

[LSRA-ospf-1] quit
Step 4 On LSRA, create an MPLS TE tunnel for the primary CR-LSP.
# Configure the explicit path of the primary CR-LSP.
# Configure the MPLS TE tunnel interface of the primary CR-LSP.

[LSRA-Tunnel1] quit
Run the display interface tunnel 1 command on LSRA. You can see that the tunnel status is
Up.
Description:
...
Step 5 Configure SRLG.

Configure SRLG1 for links LSRA -> LSRB and LSRA -> LSRE, and SRLG2 for links LSRC
-> LSRB and LSRC -> LSRE. Configure the SRLG path calculation mode on the ingress node
LSRA of the primary tunnel.
# Configure LSRA.
# Configure LSRB.
[LSRB-Vlanif200] mpls te srlg 2
# Configure LSRE.
[LSRE] interface vlanif 500
[LSRE-Vlanif500] mpls te srlg 2
[LSRE-Vlanif500] quit
# Configure the SRLG path calculation mode on LSRA.

[LSRA] mpls
[LSRA-mpls] mpls te srlg path-calculation strict
[LSRA-mpls] quit
Run the display mpls te srlg command to view SRLG information and the interfaces that belong
to the SRLG. The display on LSRA is used as an example.
[LSRA] display mpls te srlg all
Total SRLG supported : 512
Total SRLG configured : 2
SRLG 1: Vlanif100
Vlanif400
Run the display mpls te link-administration srlg-information to view SRLGs to which the
interfaces belong. The display on LSRA is used as an example.
[LSRA] display mpls te link-administration srlg-information
1
1
Run the display mpls te cspf tedb srlg command to view TEDB information of the specified
SRLG.
172.1.1.1 OSPF 0
172.4.1.1 OSPF 0
172.2.1.1 OSPF 0
172.5.1.1 OSPF 0
Step 6 Configure a hot-standby CR-LSP on the ingress node.

# Configure LSRA.
[LSRA-Tunnel1] mpls te backup hot-standby
Run the display mpls te tunnel-interface command on LSRA. You can see that the hot-standby
CR-LSP has been established.
----------------------------------------------------------------
Tunnel1
----------------------------------------------------------------
Session ID : 100
Run the display mpls te hot-standby state interface tunnel 1 command on LSRA to view the
hot-standby CR-LSP.
[LSRA] display mpls te hot-standby state interface tunnel 1
---------------------------------------------------------------------

Verbose information about the Tunnel1 hot-standby state

---------------------------------------------------------------------
session id : 100
main LSP token : 0x51
hot-standby LSP token : 0x4f
HSB switch result : Primary LSP
HSB switch reason : -
WTR config time : 10s
WTR remain time : -
using overlapped path : no
After the configurations are complete, run the display mpls te tunnel path command on LSRA
to view nodes that the primary CR-LSP and backup CR-LSP pass.
Lsp ID : 1.1.1.9 :100 :32780
Hop Information
Hop 0 172.6.1.1
Hop 1 172.6.1.2 Label 1034
Hop 2 6.6.6.9 Label 1034
Hop 3 172.7.1.1
Hop 4 172.7.1.2 Label 3
Hop 5 3.3.3.9 Label 3

Lsp ID : 1.1.1.9 :100 :54
Hop Information
Hop 0 172.1.1.1
Hop 1 172.1.1.2 Label 1071
Hop 2 2.2.2.9 Label 1071
Hop 3 172.2.1.1
Hop 4 172.2.1.2 Label 3
Hop 5 3.3.3.9 Label 3
# Run the shutdown command on VLANIF600 of LSRA.

Run the display mpls te hot-standby state interface tunnel 1 command on LSRA. You can
see that the hot-standby LSP token is 0x0. This means that the hot-standby LSP is not set up
even though there are paths for setting up the hot-standby LSP.
[LSRA] display mpls te hot-standby state interface tunnel 1
---------------------------------------------------------------------
---------------------------------------------------------------------
session id : 100
main LSP token : 0x51
hot-standby LSP token : 0x0
WTR remain time : -
using overlapped path : -
----End
Configuration Files

#
sysname LSRA
#
#
mpls lsr-id
1.1.1.9
mpls
mpls
te
mpls te srlg path-calculation strict
mpls rsvp-
te
mpls te cspf
#
explicit-path pri-
path
next hop
172.1.1.2
next hop
172.2.1.2
next hop 3.3.3.9
#
interface Vlanif100
ip address 172.1.1.1 255.255.255.0
mpls
mpls te
mpls te srlg 1
mpls rsvp-te
#
interface Vlanif400
ip address 172.4.1.1 255.255.255.0
mpls
mpls te
mpls te srlg 1
mpls rsvp-te
#
interface Vlanif600
ip address 172.6.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface Tunnel1
destination 3.3.3.9
mpls te backup hot-
standby

mpls te commit
#
ospf 1
area 0.0.0.0
network 1.1.1.9
0.0.0.0
network 172.1.1.0
0.0.0.255
network 172.4.1.0 0.0.0.255
network 172.6.1.0 0.0.0.255
mpls-te enable
#
return

#
sysname LSRB
#
vlan batch 100 200
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif100
ip address 172.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif200
ip address 172.2.1.1 255.255.255.0
mpls
mpls te
mpls te srlg 2
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 2.2.2.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 2.2.2.9
0.0.0.0
network 172.1.1.0
0.0.0.255
network 172.2.1.0
0.0.0.255
mpls-te enable
#
return

#
sysname LSRC
#


#
mpls lsr-id 3.3.3.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif200
ip address 172.2.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif500
ip address 172.5.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif700
ip address 172.7.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
#
interface LoopBack1
ip address 3.3.3.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 3.3.3.9
0.0.0.0
network 172.2.1.0
0.0.0.255
network 172.5.1.0
0.0.0.255
network 172.7.1.0 0.0.0.255
mpls-te enable
#
return

#
sysname LSRE
#
vlan batch 400 500
#
mpls lsr-id 5.5.5.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif400
ip address 172.4.1.2 255.255.255.0

mpls
mpls te
mpls rsvp-te
#
interface Vlanif500
ip address 172.5.1.1 255.255.255.0
mpls
mpls te
mpls te srlg 2
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 5.5.5.9 255.255.255.255
#
ospf 1
area 0.0.0.0
network 5.5.5.9
0.0.0.0
network 172.4.1.0
0.0.0.255
network 172.5.1.0 0.0.0.255
mpls-te enable
#
return

#
sysname LSRF
#
vlan batch 600 700
#
mpls lsr-id 6.6.6.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif600
ip address 172.6.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif700
ip address 172.7.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 6.6.6.9 255.255.255.255

#
ospf 1
area 0.0.0.0
network 6.6.6.9
0.0.0.0
network 172.6.1.0
0.0.0.255
network 172.7.1.0 0.0.0.255
mpls-te enable
#
return
12.3.12 Example for Configuring CR-LSP Hot Standby
Figure 12-27 shows an MPLS VPN. A TE tunnel with LSRA as the ingress node and LSRC as
the egress node needs to be established on LSRA. A hot-standby CR-LSP and best-effort path
also need to be configured.
l The path of the primary CR-LSP is LSRA -> LSRB -> LSRC.
l The path of the backup CR-LSP is LSRA -> LSRD -> LSRC.
l The best-effort path is LSRA -> LSRD -> LSRB -> LSRC.
When the primary CR-LSP fails, traffic switches to the backup CR-LSP. After the primary CR-
LSP recovers, traffic switches back to the primary CR-LSP in 15 seconds. If both the primary
CR-LSP and backup CR-LSP fail, traffic switches to the best-effort path.
NOTE
STP must be disabled on the network. Otherwise, some interfaces may be blocked by STP.

Figure 12-27 Networking of CR-LSP hot standby

Loopback1 Loopback1
2.2.2.9/32 4.4.4.9/32
GE0/0/3 GE0/0/3
VLANIF400 VLANIF400
172.4.1.1/24 172.4.1.2/24
LSRB LSRD
GE0/0/2 GE0/0/2
VLANIF100 172.2.1.1/24 172.5.1.2/24 VLANIF300
172.1.1.2/24 172.3.1.2/24
GE0/0/1 GE0/0/1
VLANIF100 VLANIF300
172.1.1.1/24 172.3.1.1 /24
GE0/0/2 GE0/0/2
LSRA VLANIF500 VLANIF200 LSRC
172.5.1.1/24 172.2.1.2/24
Loopback1 Loopback1
1.1.1.9/32 3.3.3.9/32
Path of Primary CR-LSP

Path of Backup CR-LSP
Path of Best-effort CR-LSP
3. Specify explicit paths for the primary and backup CR-LSPs on LSRA.
4. Create a tunnel interface with LSRC as the egress node on LSRA, specify an explicit path,
configure the hot-standby CR-LSP and best-effort path, and set the WTR time to 15
seconds.
Procedure
# Configure LSRA.

[LSRA] ospf 1
[LSRA-ospf-1] quit
# Configure IP addresses for interfaces of LSRB, LSRC, and LSRD according to Figure
12-27. The configurations on LSRB, LSRC, and LSRD are similar to the configuration of LSRA,
After the configurations are complete, run the display ip routing-table command on the LSRs.
You can see that the LSRs learn the routes to Loopback1 of each other.
On each node, enable MPLS TE and RSVP-TE in the MPLS view and in the interface view.
Enable CSPF on the ingress node.
# Configure LSRA.
[LSRA] mpls
[LSRA-mpls] mpls te
[LSRA-mpls] quit
The configurations on LSRB, LSRC, and LSRD are similar to the configuration of LSRA, and
are not mentioned here. CSPF only needs to be configured on the ingress nodes of the primary
tunnel and bypass tunnel. That is, CSPF needs to be enabled on only LSRA.
# Configure LSRA.
[LSRA] ospf
[LSRA-ospf-1] quit

The configurations on LSRB, LSRC, and LSRD are similar to the configuration of LSRA, and
Step 4 Configure the explicit paths for the primary and backup CR-LSPs.
# Configure the explicit path of the primary CR-LSP on LSRA.

# Configure the explicit path of the backup CR-LSP on LSRA.

[LSRA] explicit-path backup-path
[LSRA-explicit-path-backup-path] next hop 172.5.1.2
[LSRA-explicit-path-backup-path] quit
After the configurations are complete, you can view explicit paths through commands.
[LSRA] display explicit-path pri-path
Path Name : pri-path Path Status : Enabled
1 172.1.1.2 Strict Include
[LSRA] display explicit-path backup-path

Path Name : backup-path Path Status : Enabled
Step 5 Configure a tunnel interface.
# Configure a tunnel interface on LSRA and specify an explicit path.

# Configure CR-LSP hot standby on the tunnel interface, set the WTR time to 15 seconds, specify
an explicit path, and configure the best-effort path.
[LSRA-Tunnel1] mpls te backup hot-standby wtr 15
[LSRA-Tunnel1] mpls te path explicit-path backup-path secondary
[LSRA-Tunnel1] mpls te backup ordinary best-effort
[LSRA-Tunnel1] quit
After the configurations are complete, run the display mpls te tunnel-interface tunnel 1
command on LSRA. You can see that the primary and backup CR-LSPs are successfully
established.
[LSRA] display mpls te tunnel-interface tunnel 1
----------------------------------------------------------------
Tunnel1
----------------------------------------------------------------
Session ID : 100


Run the display mpls te hot-standby state interface tunnel 1 command on LSRA to view CR-
LSP hot standby information.
[LSRA] display mpls te hot-standby state interface Tunnel 1
---------------------------------------------------------------------
---------------------------------------------------------------------
session id : 100
main LSP token : 0xc
hot-standby LSP token : 0xb
WTR remain time : -
using overlapped path : no
Run the ping lsp te command on LSRA to detect connectivity of the hot-standby CR-LSP.
[LSRA] ping lsp te tunnel 1 hot-standby
LSP PING FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel1 : 100 data bytes, pres
s CTRL_C to break
Reply from 3.3.3.9: bytes=100 Sequence=1 time=11 ms
--- FEC: TE TUNNEL IPV4 SESSION QUERY Tunnel1 ping statistics ---
0.00% packet loss
Run the tracert lsp te command on LSRA to check the path of the hot-standby CR-LSP.
[LSRA] tracert lsp te tunnel 1 hot-standby
o break.
0 Ingress 172.5.1.2/[1027 ]
1 172.5.1.2 9 ms Transit 172.3.1.1/[3 ]
2 3.3.3.9 10 ms Egress
Connect two interfaces, Port 1 and Port 2, on a tester to LSRA and LSRC respectively. On Port
1, inject MPLS traffic and send traffic to Port 2. After the cable attached to GE0/0/1 on LSRA
or LSRC is removed, traffic fast switches to the backup CR-LSP at the millisecond level.
# Run the shutdown command on VLANIF100 of LSRA to simulate cable removal.

Run the display mpls te tunnel-interface tunnel 1 command on LSRA. You can see that traffic
switches to the backup CR-LSP.
----------------------------------------------------------------
Tunnel1

----------------------------------------------------------------
Active LSP : Hot-Standby LSP
Session ID : 100
Primary LSP State : DOWN
Main LSP State : SETTING UP
After attaching the cable into GE0/0/1 (running the undo shutdown command on VLANIF100
of LSRA), you can see that traffic switches back to the primary CR-LSP in 15 seconds.
After you remove the cable from GE0/0/1 on LSRA or LSRB and the cable from GE0/0/1 on
LSRC or LSRD, the tunnel interface goes Down and then Up. This means that the best-effort
path has been set up successfully, allowing traffic to switch to the best-effort path.
# Run the shutdown command on VLANIF100 of LSRA, and then run the shutdown command
on VLANIF300 of LSRC.
[LSRC-Vlanif300] shutdown
Run the display mpls te tunnel-interface tunnel 1 command on LSRA. You can see that the
tunnel interface becomes Down and the best-effort path is being established.
----------------------------------------------------------------
Tunnel1
----------------------------------------------------------------
Tunnel State Desc : DOWN
Active LSP : -
Session ID : 100
Admin State : UP Oper State : DOWN
Hot-Standby LSP State : DOWN
Best-Effort LSP State : DOWN
After several seconds, run the display mpls te tunnel-interface tunnel 1 command on LSRA.
You can see that the tunnel interface is Up and the best-effort path is successfully established.
----------------------------------------------------------------
Tunnel1
----------------------------------------------------------------
Active LSP : Best-Effort LSP
Session ID : 100
Hot-Standby LSP State : DOWN
Best-Effort LSP State : UP


Lsp ID : 1.1.1.9 :100 :32776
Hop Information
Hop 0 172.5.1.1
Hop 1 172.5.1.2
Hop 2 4.4.4.9
Hop 3 172.4.1.2
Hop 4 172.4.1.1
Hop 5 2.2.2.9
Hop 6 172.2.1.1
Hop 7 172.2.1.2
Hop 8 3.3.3.9
----End
Configuration Files
#
sysname LSRA
#
vlan batch 100 500
#
mpls lsr-id 1.1.1.9
mpls
mpls te
mpls rsvp-te
mpls te cspf
#
explicit-path backup-path
next hop 172.5.1.2
next hop 172.3.1.1
next hop 3.3.3.9
#
next hop 172.1.1.2
next hop 172.2.1.2
next hop 3.3.3.9
#
interface Vlanif100
ip address 172.1.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif500
ip address 172.5.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#
#
interface LoopBack1
ip address 1.1.1.9 255.255.255.255
#
interface Tunnel1

te
destination
3.3.3.9
mpls te tunnel-id
100
mpls te record-
route
path
mpls te path explicit-path backup-path
secondary
mpls te backup hot-standby mode revertive wtr
15
mpls te backup ordinary best-
effort
mpls te commit
#
ospf
1
opaque-capability
enable
area
0.0.0.0
network 1.1.1.9
0.0.0.0
network 172.1.1.0
0.0.0.255
network 172.5.1.0
0.0.0.255
mpls-te enable
#
return

#
sysname LSRB
#
#
mpls lsr-id 2.2.2.9
mpls
mpls te
mpls rsvp-te
#
interface Vlanif100
ip address 172.1.1.2 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif200
ip address 172.2.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
interface Vlanif400
ip address 172.4.1.1 255.255.255.0
mpls
mpls te
mpls rsvp-te
#
#


S2350&S5300&S6300 V200R003 (C00&C02) Typical Configuration Examples 04

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

S2350&S5300&S6300 V200R003 (C00&C02) Typical Configuration Examples 04

Uploaded by

Copyright:

Available Formats

S2350&S5300&S6300 Series Ethernet Switches

Typical Configuration Examples

HUAWEI TECHNOLOGIES CO., LTD.

Trademarks and Permissions

Huawei Technologies Co., Ltd.

Issue 04 (2013-11-06) Huawei Proprietary and Confidential i

About This Document

This document provides the typical configuration examples supported by the

This document is intended for:

l Data configuration engineers

Indicates an imminently hazardous situation

Indicates a potentially hazardous situation

Indicates a potentially hazardous situation

Indicates a potentially hazardous situation

Issue 04 (2013-11-06) Huawei Proprietary and Confidential ii

NOTE Calls attention to important information, best

Boldface The keywords of a command line are in boldface.

Italic Command arguments are in italics.

[] Items (keywords or arguments) in brackets [ ] are optional.

{ x | y | ... } Optional items are grouped in braces and separated by

[ x | y | ... ] Optional items are grouped in brackets and separated by

{ x | y | ... }* Optional items are grouped in braces and separated by

[ x | y | ... ]* Optional items are grouped in brackets and separated by

# A line starting with the # sign is comments.

Interface Numbering Conventions

Issue 04 (2013-11-06) Huawei Proprietary and Confidential iii

Mappings between Product Software Versions and NMS

Product Software Version iManager U2000

Changes in Issue 04 (2013-11-06) V200R003(C00&C02)

Changes in Issue 03 (2013-09-30) V200R003(C00&C02)

Issue 04 (2013-11-06) Huawei Proprietary and Confidential iv

Changes in Issue 02 (2013-07-25) V200R003C00

Changes in Issue 01 (2013-05-30) V200R003C00

Issue 04 (2013-11-06) Huawei Proprietary and Confidential v

About This Document.....................................................................................................................ii

Issue 04 (2013-11-06) Huawei Proprietary and Confidential vi

Issue 04 (2013-11-06) Huawei Proprietary and Confidential vii

3.7.1 Example for Configuring the MAC Address Table.................................................................................................209

Issue 04 (2013-11-06) Huawei Proprietary and Confidential viii

4.2.4 Example for Configuring Inter-VLAN Proxy ARP................................................................................................371

Issue 04 (2013-11-06) Huawei Proprietary and Confidential ix

5.3.3 Example for Configuring One-Arm Static BFD for RIP.........................................................................................465

Issue 04 (2013-11-06) Huawei Proprietary and Confidential x

5.9.12 Example for Associating BGP with BFD..............................................................................................................651

Issue 04 (2013-11-06) Huawei Proprietary and Confidential xi

6.11 MLD Configuration..................................................................................................................................................814

Issue 04 (2013-11-06) Huawei Proprietary and Confidential xii

8.1.3 Example for Configuring Domain-based User Management..................................................................................933

Issue 04 (2013-11-06) Huawei Proprietary and Confidential xiii

9.1 BFD Configuration...................................................................................................................................................1021

Issue 04 (2013-11-06) Huawei Proprietary and Confidential xiv

9.10.3 Example for Configuring Tangent RRPP Rings..................................................................................................1165

Issue 04 (2013-11-06) Huawei Proprietary and Confidential xv

11.2 RMON Configuration.............................................................................................................................................1280

Issue 04 (2013-11-06) Huawei Proprietary and Confidential xvi

11.8 Packet Capture Configuration................................................................................................................................1407

Issue 04 (2013-11-06) Huawei Proprietary and Confidential xvii

12.3.20 Example for Configuring RSVP GR.................................................................................................................1671

Issue 04 (2013-11-06) Huawei Proprietary and Confidential xviii

13.4.7 Example for Configuring Dynamic BFD for a Multi-hop PW............................................................................2028

14 Miscellaneous Configuration Examples...........................................................................2144

Issue 04 (2013-11-06) Huawei Proprietary and Confidential xix

About This Chapter