H3C S5830V2 & S5820V2 Switch Series

Layer 2—LAN Switching

Configuration Guide

Hangzhou H3C Technologies Co., Ltd.

http://www.h3c.com

Software version: 6W100-20160130

Document version: Release 2422P01
Copyright ©2016, Hangzhou H3C Technologies Co., Ltd. and its licensors
All rights reserved
No part of this manual may be reproduced or transmitted in any form or by any means without prior written
consent of Hangzhou H3C Technologies Co., Ltd.
Trademarks

H3C, , H3CS, H3CIE, H3CNE, Aolynk, , H3Care, , IRF, NetPilot, Netflow, SecEngine,
SecPath, SecCenter, SecBlade, Comware, ITCMM and HUASAN are trademarks of Hangzhou H3C
Technologies Co., Ltd.
All other trademarks that may be mentioned in this manual are the property of their respective owners
Notice
The information in this document is subject to change without notice. Every effort has been made in the
preparation of this document to ensure accuracy of the contents, but all statements, information, and
recommendations in this document do not constitute the warranty of any kind, express or implied.
Preface
The H3C S5830V2 & S5820V2 documentation set describes the software features for the H3C
S5830V2 & S5820V2 Switch Series and guide you through the software configuration procedures.
These guides also provide configuration examples to help you apply software features to different
network scenarios.
The Layer 2—LAN Switching Configuration Guide describes features and tasks that help you get
started with the device, including:
• Flow control and load sharing.
• User isolation in the same VLAN and VLAN configuration.
• Layer 2 loop elimination.
• Transmission of customer network packets over the service provider network.
• VLAN tag manipulations.
This preface includes the following topics about the documentation:
• Audience.
• Conventions.
• About the H3C S5830V2 & S5820V2 documentation set
• Obtaining documentation.
• Technical support.
• Documentation feedback.

Audience
This documentation is intended for:
• Network planners.
• Field technical support and servicing engineers.
• Network administrators working with the H3C S5830V2 & S5820V2 switch series.

Conventions
This section describes the conventions used in the documentation.
Port numbering in examples
The port numbers in the documentation are for illustration only and might be unavailable on your
device.
Command conventions

Convention Description
Boldface Bold text represents commands and keywords that you enter literally as shown.
Italic Italic text represents arguments that you replace with actual values.
[] Square brackets enclose syntax choices (keywords or arguments) that are optional.
Braces enclose a set of required syntax choices separated by vertical bars, from which
{ x | y | ... }
you select one.
[ x | y | ... ] Square brackets enclose a set of optional syntax choices separated by vertical bars,
 Convention Description
from which you select one or none.
Asterisk marked braces enclose a set of required syntax choices separated by vertical
{ x | y | ... } *
bars, from which you select at least one.
Asterisk marked square brackets enclose optional syntax choices separated by vertical
[ x | y | ... ] *
bars, from which you select one choice, multiple choices, or none.
The argument or keyword and argument combination before the ampersand (&) sign
&<1-n>
can be entered 1 to n times.
# A line that starts with a pound (#) sign is comments.

GUI conventions

Convention Description
Window names, button names, field names, and menu items are in Boldface. For
Boldface
example, the New User window appears; click OK.
Multi-level menus are separated by angle brackets. For example, File > Create >
>
Folder.

Symbols

Convention Description
An alert that calls attention to important information that if not understood or followed
WARNING! can result in personal injury.
An alert that calls attention to important information that if not understood or followed
CAUTION: can result in data loss, data corruption, or damage to hardware or software.

IMPORTANT: An alert that calls attention to essential information.

NOTE: An alert that contains additional or supplementary information.

TIP: An alert that provides helpful information.

Network topology icons

Convention Description

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that

supports Layer 2 forwarding and other Layer 2 features.

Represents an access controller, a unified wired-WLAN module, or the access

controller engine on a unified wired-WLAN switch.

Represents an access point.

T Wireless terminator unit.

 Convention Description

T Wireless terminator.

  Represents a mesh access point.

 
Represents omnidirectional signals.

  Represents directional signals.

  Represents a security product, such as a firewall, UTM, multiservice security

gateway, or load balancing device.

Represents a security card, such as a firewall, load balancing, NetStream, SSL VPN,
IPS, or ACG card.

About the H3C S5830V2 & S5820V2

documentation set
The H3C S5830V2 & S5820V2 documentation set includes the following categories of documents:

Category Documents Purposes

Compliance and safety Provides regulatory information and the safety
manual instructions that must be followed during
CE DOC installation.

Guides you through initial installation and setup

Quick start procedures to help you quickly set up and use your
device with the minimum configuration.
Provides a complete guide to hardware installation
Installation guide
and hardware specifications.
Describes the appearance, specifications, and
Hardware specifications Fan assemblies
installation and removal of hot-swappable fan
and installation installation manual
assemblies.
Describes the appearance, specifications, and
Power modules user
installation and removal of hot-swappable power
manual
modules.
Pluggable transceiver
Guides you through installing SFP/SFP+/QSFP+
modules installation
transceiver modules.
guide
Describes the hot-swappable modules available for
Pluggable modules
the H3C switches, their external views, and
manual
specifications.
Describe software features and configuration
Configuration guides
procedures.
Software configuration
Provide a quick reference to all available
Command references
commands.

Operations and MIB Companion Describes the MIBs for the software release.
 Category Documents Purposes
maintenance Provide information about the product release,
including the version history, hardware and
Release notes software compatibility matrix, version upgrade
information, technical support information, and
software upgrading.

Obtaining documentation
Access the most up-to-date H3C product documentation on the World Wide Web
at http://www.h3c.com.
Click the following links to obtain different categories of product documentation:
[Technical Documents]—Provides hardware installation, software upgrading, and software feature
configuration and maintenance documentation.
[Products & Solutions]—Provides information about products and technologies, as well as solutions.
[Software Download]—Provides the documentation released with the software version.

Technical support
[email protected]
http://www.h3c.com

Documentation feedback
You can e-mail your comments about product documentation to [email protected].
We appreciate your comments.
Contents
Configuring Ethernet interfaces ······································································ 1 
Configuring a management Ethernet interface ·································································································· 1 
Ethernet interface naming conventions ·············································································································· 1 
Configuring common Ethernet interface settings ······························································································· 1 
Splitting a 40-GE interface and combining 10-GE breakout interfaces ······················································ 2 
Configuring basic settings of an Ethernet interface···················································································· 3 
Configuring the link mode of an Ethernet interface ···················································································· 4 
Configuring jumbo frame support ··············································································································· 4 
Configuring physical state change suppression on an Ethernet interface ················································· 4 
Performing a loopback test on an Ethernet interface ················································································· 5 
Configuring generic flow control on an Ethernet interface ········································································· 6 
Configuring PFC on an Ethernet interface ································································································· 7 
Enabling energy saving features on an Ethernet interface ········································································ 8 
Setting the statistics polling interval ··········································································································· 9 
Forcibly bringing up a fiber port·················································································································· 9 
Configuring storm suppression ················································································································ 10 
Configuring a Layer 2 Ethernet interface ········································································································· 11 
Configuring storm control on an Ethernet interface·················································································· 11 
Setting the MDIX mode of an Ethernet interface······················································································ 13 
Testing the cable connection of an Ethernet interface ············································································· 13 
Changing a Layer 2 Ethernet interface to an FC interface ······································································· 14 
Enabling bridging on an Ethernet interface ······························································································ 14 
Configuring a Layer 3 Ethernet interface or subinterface ················································································ 15 
Setting the MTU for an Ethernet interface or subinterface ······································································· 15 
Displaying and maintaining an Ethernet interface ···························································································· 15 
Configuring loopback, null, and inloopback interfaces ·································· 17 
Configuring a loopback interface ····················································································································· 17 
Configuring a null interface ······························································································································ 17 
Configuring an inloopback interface ················································································································· 18 
Displaying and maintaining loopback, null, and inloopback interfaces ···························································· 18 
Bulk configuring interfaces ············································································ 19 
Configuration restrictions and guidelines ········································································································· 19 
Configuration procedure ·································································································································· 19 
Displaying and maintaining bulk interface configuration ·················································································· 20 
Configuring the MAC address table ······························································ 21 
Overview ·························································································································································· 21 
How a MAC address entry is created······································································································· 21 
Types of MAC address entries ················································································································· 21 
MAC address table configuration task list ········································································································ 22 
Configuring MAC address entries ···················································································································· 23 
Configuration guidelines··························································································································· 23 
Adding or modifying a static or dynamic MAC address entry globally ····················································· 23 
Adding or modifying a static or dynamic MAC address entry on an interface ·········································· 23 
Adding or modifying a blackhole MAC address entry ·············································································· 24 
Adding or modifying a multiport unicast MAC address entry ··································································· 24 
Disabling MAC address learning ······················································································································ 26 
Disabling global MAC address learning ··································································································· 26 
Disabling MAC address learning on an interface ····················································································· 26 
Disabling MAC address learning on a VLAN ··························································································· 27 
Setting the aging timer for dynamic MAC address entries ··············································································· 27 
Setting the MAC learning limit on an interface ································································································· 27 
Configuring the device to forward unknown frames after the MAC learning limit on an interface is reached ·· 28 
Assigning MAC learning priority to an interface ······························································································· 28 
Enabling MAC address synchronization ·········································································································· 29 

i
 Enable MAC address move notifications ········································································································· 30 
Enabling ARP fast update for MAC address moves ························································································ 32 
Disabling static source check ··························································································································· 32 
Enabling SNMP notifications for the MAC address table ················································································· 33 
Displaying and maintaining the MAC address table ························································································ 33 
MAC address table configuration example ······································································································ 34 
Network requirements ······························································································································ 34 
Configuration procedure··························································································································· 34 
Verifying the configuration························································································································ 35 
Configuring MAC Information ········································································ 36 
Enabling MAC Information ······························································································································· 36 
Configuring the MAC Information mode ··········································································································· 36 
Configuring the MAC change notification interval ···························································································· 37 
Configuring the MAC Information queue length ······························································································· 37 
MAC Information configuration example ·········································································································· 37 
Network requirements ······························································································································ 37 
Configuration restrictions and guidelines ································································································· 38 
Configuration procedure··························································································································· 38 
Configuring Ethernet link aggregation ··························································· 40 
Basic concepts ················································································································································· 40 
Aggregation group, member port, and aggregate interface ····································································· 40 
Aggregation states of member ports in an aggregation group ································································· 41 
Operational key ········································································································································ 41 
Configuration types ·································································································································· 41 
Link aggregation modes ··························································································································· 42 
Aggregating links in static mode ······················································································································ 42 
Choosing a reference port························································································································ 42 
Setting the aggregation state of each member port ················································································· 42 
Aggregating links in dynamic mode ················································································································· 43 
LACP ························································································································································ 43 
How dynamic link aggregation works ······································································································· 44 
Edge aggregate interface ································································································································· 47 
Load sharing modes for link aggregation groups ····························································································· 47 
Ethernet link aggregation configuration task list ······························································································ 47 
Configuring an aggregation group ··················································································································· 48 
Configuration restrictions and guidelines ································································································· 48 
Configuring a static aggregation group ···································································································· 49 
Configuring a dynamic aggregation group ······························································································· 50 
Configuring an aggregate interface ·················································································································· 53 
Setting the description for an aggregate interface ··················································································· 53 
Specifying ignored VLANs for a Layer 2 aggregate interface ·································································· 54 
Setting the MTU for a Layer 3 aggregate interface ·················································································· 54 
Setting the minimum and maximum numbers of Selected ports for an aggregation group ····················· 55 
Setting the expected bandwidth for an aggregate interface ····································································· 56 
Configuring an edge aggregate interface ································································································· 57 
Enabling BFD for an aggregation group··································································································· 57 
Shutting down an aggregate interface ····································································································· 58 
Restoring the default settings for an aggregate interface ········································································ 58 
Specifying link aggregation management VLANs and management port ················································ 59 
Configuring load sharing for link aggregation groups ······················································································ 59 
Configuring load sharing modes for link aggregation groups ··································································· 59 
Enabling local-first load sharing for link aggregation················································································ 60 
Configuring per-flow load sharing algorithm settings for Ethernet link aggregation ································· 61 
Setting the global load sharing mode for MAC-in-MAC traffic·································································· 62 
Enabling link-aggregation traffic redirection ····································································································· 62 
Configuration restrictions and guidelines ································································································· 62 
Configuration procedure··························································································································· 63 
Displaying and maintaining Ethernet link aggregation ····················································································· 63 
Ethernet link aggregation configuration examples ··························································································· 64 
Layer 2 static aggregation configuration example···················································································· 64 

ii
 Layer 2 dynamic aggregation configuration example··············································································· 66 
Layer 2 aggregation load sharing configuration example ········································································ 68 
Layer 2 edge aggregate interface configuration example ········································································ 71 
Layer 3 static aggregation configuration example···················································································· 72 
Layer 3 dynamic aggregation configuration example··············································································· 73 
Layer 3 edge aggregate interface configuration example ········································································ 74 
Configuring port isolation ·············································································· 77 
Assigning a port to an isolation group ·············································································································· 77 
Displaying and maintaining port isolation ········································································································· 77 
Port isolation configuration example ················································································································ 78 
Network requirements ······························································································································ 78 
Configuration procedure··························································································································· 78 
Verifying the configuration························································································································ 78 
Configuring spanning tree protocols ····························································· 80 
STP ·································································································································································· 80 
STP protocol packets ······························································································································· 80 
Basic concepts in STP ····························································································································· 80 
Calculation process of the STP algorithm ································································································ 81 
RSTP ······························································································································································· 87 
PVST ································································································································································ 87 
MSTP ······························································································································································· 87 
MSTP features ········································································································································· 88 
MSTP basic concepts ······························································································································ 88 
How MSTP works····································································································································· 91 
MSTP implementation on devices············································································································ 92 
Protocols and standards ·································································································································· 92 
Spanning tree configuration task lists ·············································································································· 92 
STP configuration task list························································································································ 93 
RSTP configuration task list ····················································································································· 94 
PVST configuration task list ····················································································································· 94 
MSTP configuration task list····················································································································· 95 
Setting the spanning tree mode ······················································································································· 96 
Configuring an MST region ······························································································································ 97 
Configuring the root bridge or a secondary root bridge ··················································································· 97 
Configuring the current device as the root bridge of a specific spanning tree ········································· 98 
Configuring the current device as a secondary root bridge of a specific spanning tree ··························· 98 
Configuring the device priority ························································································································· 99 
Configuring the maximum hops of an MST region ··························································································· 99 
Configuring the network diameter of a switched network ·············································································· 100 
Configuring spanning tree timers ··················································································································· 100 
Configuration restrictions and guidelines ······························································································· 101 
Configuration procedure························································································································· 101 
Configuring the timeout factor ························································································································ 101 
Configuring the BPDU transmission rate ······································································································· 102 
Configuring edge ports ··································································································································· 102 
Configuration restrictions and guidelines ······························································································· 102 
Configuration procedure························································································································· 103 
Configuring path costs of ports ······················································································································ 103 
Specifying a standard for the device to use when it calculates the default path cost ···························· 103 
Configuring path costs of ports ·············································································································· 105 
Configuration example ··························································································································· 106 
Configuring the port priority ···························································································································· 106 
Configuring the port link type ························································································································· 107 
Configuration restrictions and guidelines ······························································································· 107 
Configuration procedure························································································································· 107 
Configuring the mode a port uses to recognize and send MSTP packets ····················································· 107 
Enabling outputting port state transition information ······················································································ 108 
Enabling the spanning tree feature ················································································································ 108 
Enabling the spanning tree feature in STP/RSTP/MSTP mode ····························································· 109 
Enabling the spanning tree feature in PVST mode ················································································ 109 

iii
 Performing mCheck ······································································································································· 109 
Configuration restrictions and guidelines ······························································································· 110 
Configuration procedure························································································································· 110 
Configuring Digest Snooping ························································································································· 110 
Configuration restrictions and guidelines ······························································································· 111 
Configuration procedure························································································································· 111 
Digest Snooping configuration example································································································· 111 
Configuring No Agreement Check ················································································································· 112 
Configuration prerequisites ···················································································································· 113 
Configuration procedure························································································································· 114 
No Agreement Check configuration example························································································· 114 
Configuring TC Snooping ······························································································································· 114 
Configuration restrictions and guidelines ······························································································· 115 
Configuration procedure························································································································· 115 
Configuring protection functions ···················································································································· 115 
Enabling BPDU guard ···························································································································· 116 
Enabling root guard ································································································································ 117 
Enabling loop guard ······························································································································· 117 
Configuring port role restriction ·············································································································· 118 
Configuring TC-BPDU transmission restriction ······················································································ 118 
Enabling TC-BPDU guard ······················································································································ 119 
Enabling BPDU drop ······························································································································ 119 
Disabling the device to reactivate the shutdown edge ports ·········································································· 120 
Enabling SNMP notifications for new-root election and topology change events ·········································· 120 
Displaying and maintaining the spanning tree ······························································································· 121 
Spanning tree configuration example ············································································································ 121 
MSTP configuration example ················································································································· 121 
PVST configuration example·················································································································· 125 
Configuring loop detection ·········································································· 129 
Overview ························································································································································ 129 
Loop detection mechanism ···················································································································· 129 
Loop detection interval ··························································································································· 130 
Loop protection actions ·························································································································· 130 
Port status auto recovery ······················································································································· 130 
Loop detection configuration task list ············································································································· 131 
Enabling loop detection ·································································································································· 131 
Enabling loop detection globally············································································································· 131 
Enabling loop detection on a port··········································································································· 131 
Configuring the loop protection action ··········································································································· 132 
Configuring the global loop protection action ························································································· 132 
Configuring the loop protection action on a Layer 2 Ethernet interface ················································· 132 
Configuring the loop protection action on a Layer 2 aggregate interface··············································· 132 
Setting the loop detection interval ·················································································································· 132 
Displaying and maintaining loop detection ····································································································· 133 
Loop detection configuration example ··········································································································· 133 
Network requirements ···························································································································· 133 
Configuration procedure························································································································· 133 
Verifying the configuration······················································································································ 134 
Configuring VLANs ····················································································· 136 
Overview ························································································································································ 136 
VLAN frame encapsulation ···················································································································· 136 
Protocols and standards ························································································································ 137 
Configuring basic VLAN settings ··················································································································· 137 
Configuring basic settings of a VLAN interface ······························································································ 138 
Configuring port-based VLANs ······················································································································ 139 
Introduction ············································································································································ 139 
Assigning an access port to a VLAN ······································································································ 140 
Assigning a trunk port to a VLAN ··········································································································· 141 
Assigning a hybrid port to a VLAN ········································································································· 142 
Configuring MAC-based VLANs ···················································································································· 143 

iv
 Introduction ············································································································································ 143 
Configuration restrictions and guidelines ······························································································· 146 
Configuring static MAC-based VLAN assignment·················································································· 146 
Configuring dynamic MAC-based VLAN assignment············································································· 147 
Configuring server-assigned MAC-based VLAN ···················································································· 147 
Configuring IP subnet-based VLANs ············································································································· 148 
Configuring protocol-based VLANs ················································································································ 149 
Configuring a VLAN group ····························································································································· 150 
Displaying and maintaining VLANs ················································································································ 150 
VLAN configuration examples ························································································································ 151 
Port-based VLAN configuration example ······························································································· 151 
MAC-based VLAN configuration example······························································································ 152 
IP subnet-based VLAN configuration example ······················································································ 154 
Protocol-based VLAN configuration example ························································································ 156 
Configuring super VLANs ··········································································· 160 
Super VLAN configuration task list ················································································································ 160 
Creating a sub-VLAN ····································································································································· 160 
Configuring a super VLAN ····························································································································· 160 
Configuring a super VLAN interface ·············································································································· 161 
Displaying and maintaining super VLANs ······································································································ 161 
Super VLAN configuration example ··············································································································· 162 
Network requirements ···························································································································· 162 
Configuration procedure························································································································· 162 
Verifying the configuration······················································································································ 163 
Configuring the private VLAN ····································································· 165 
Configuration task list ····································································································································· 165 
Configuration restrictions and guidelines ······································································································· 166 
Configuration procedure ································································································································ 166 
Displaying and maintaining the private VLAN ································································································ 168 
Private VLAN configuration examples ··········································································································· 168 
Promiscuous port configuration example ······························································································· 168 
Trunk promiscuous port configuration example ····················································································· 171 
Trunk promiscuous and trunk secondary port configuration example···················································· 174 
Secondary VLAN Layer 3 communication configuration example ························································· 179 
Configuring voice VLANs ············································································ 182 
Overview ························································································································································ 182 
Methods of identifying IP phones ··················································································································· 182 
Identifying IP phones through OUI addresses ······················································································· 182 
Automatically identifying IP phones through LLDP ················································································ 183 
Advertising the voice VLAN information to IP phones ··················································································· 183 
IP phone access methods ······························································································································ 184 
Connecting the host and the IP phone in series ···················································································· 184 
Connecting the IP phone to the device ·································································································· 184 
Configuring a voice VLAN on a port ··············································································································· 184 
Voice VLAN assignment modes············································································································· 184 
Security mode and normal mode of voice VLANs·················································································· 186 
Configuration prerequisites ···················································································································· 187 
Configuring the QoS priority settings for voice traffic ············································································· 187 
Configuring a port to operate in automatic voice VLAN assignment mode ············································ 188 
Configuring a port to operate in manual voice VLAN assignment mode················································ 189 
Enabling LLDP for automatic IP phone discovery ·························································································· 190 
Configuration prerequisites ···················································································································· 190 
Configuration restrictions and guidelines ······························································································· 190 
Configuration procedure························································································································· 190 
Configuring LLDP or CDP to advertise a voice VLAN ··················································································· 190 
Dynamically advertising an authorization VLAN through LLDP or CDP ························································ 191 
Displaying and maintaining voice VLANs ······································································································ 191 
Voice VLAN configuration examples ·············································································································· 192 
Automatic voice VLAN assignment mode configuration example ·························································· 192 

v
 Manual voice VLAN assignment mode configuration example ······························································ 194 
Configuring MVRP ······················································································ 196 
MRP ······························································································································································· 196 
MRP implementation ······························································································································ 196 
MRP messages ······································································································································ 196 
MRP timers ············································································································································ 198 
MVRP registration modes ······························································································································ 199 
Protocols and standards ································································································································ 199 
MVRP configuration task list ·························································································································· 199 
Configuration restrictions and guidelines ······································································································· 199 
Configuration prerequisites ···························································································································· 200 
Enabling MVRP ·············································································································································· 200 
Configuring an MVRP registration mode ······································································································· 201 
Configuring MRP timers ································································································································· 201 
Enabling GVRP compatibility ························································································································· 202 
Displaying and maintaining MVRP ················································································································· 202 
MVRP configuration example ························································································································ 202 
Network requirements ···························································································································· 202 
Configuration procedure························································································································· 203 
Verifying the configuration······················································································································ 206 
Configuring QinQ ························································································ 213 
Overview ························································································································································ 213 
How QinQ works ···································································································································· 213 
QinQ implementations···························································································································· 214 
Protocols and standards ························································································································ 214 
Restrictions and guidelines ···························································································································· 215 
Enabling QinQ ················································································································································ 215 
Configuring transparent transmission for VLANs ··························································································· 215 
Configuring the TPID in VLAN tags ··············································································································· 216 
Configuring the CVLAN TPID················································································································· 217 
Configuring the SVLAN TPID ················································································································· 217 
Setting the 802.1p priority in SVLAN tags ······································································································ 217 
Displaying and maintaining QinQ ··················································································································· 219 
QinQ configuration examples ························································································································· 219 
Basic QinQ configuration example ········································································································· 219 
VLAN transparent transmission configuration example ········································································· 221 
Configuring VLAN mapping ········································································ 223 
Overview ························································································································································ 223 
Application scenario of one-to-one and many-to-one VLAN mapping ··················································· 223 
Application scenario of one-to-two and two-to-two VLAN mapping ······················································· 225 
VLAN mapping implementations ············································································································ 225 
General configuration restrictions and guidelines ·························································································· 228 
VLAN mapping configuration task list ············································································································ 228 
Configuring one-to-one VLAN mapping ········································································································· 229 
Configuring many-to-one VLAN mapping ······································································································ 229 
Configuring many-to-one VLAN mapping in a network with dynamic IP address assignment··············· 230 
Configuring many-to-one VLAN mapping in a network with static IP address assignment···················· 232 
Configuring one-to-two VLAN mapping ········································································································· 234 
Configuring two-to-two VLAN mapping ·········································································································· 234 
Displaying and maintaining VLAN mapping ··································································································· 235 
VLAN mapping configuration examples ········································································································· 235 
One-to-one and many-to-one VLAN mapping configuration example ··················································· 235 
One-to-two and two-to-two VLAN mapping configuration example ······················································· 240 
Configuring PBB ························································································· 243 
Overview ························································································································································ 243 
PBB network model································································································································ 243 
Terminology ··········································································································································· 244 
PBB frame format··································································································································· 244 

vi
 PBB frame forwarding ···························································································································· 246 
Protocols and standards ························································································································ 246 
PBB configuration task list ····························································································································· 246 
Enabling L2VPN ············································································································································· 247 
Creating a PBB VSI ······································································································································· 247 
Configuring a B-VLAN for a PBB VSI ············································································································ 247 
Configuring an uplink port ······························································································································ 247 
Configuring a downlink port ··························································································································· 248 
Configuring the data encapsulation type ········································································································ 249 
Displaying and maintaining PBB ···················································································································· 250 
PBB configuration example ···························································································································· 250 
Network requirements ···························································································································· 250 
Configuration procedures ······················································································································· 250 
Verifying the configuration······················································································································ 251 
Troubleshooting ············································································································································· 252 
Symptom ················································································································································ 252 
Analysis ·················································································································································· 252 
Solution ·················································································································································· 252 
Configuring LLDP ························································································ 253 
Overview ························································································································································ 253 
Basic concepts ······································································································································· 253 
Working mechanism······························································································································· 258 
Protocols and standards ························································································································ 259 
LLDP configuration task list ··························································································································· 259 
Performing basic LLDP configurations ··········································································································· 259 
Enabling LLDP ······································································································································· 259 
Configuring the LLDP bridge mode ········································································································ 260 
Setting the LLDP operating mode ·········································································································· 261 
Setting the LLDP reinitialization delay···································································································· 261 
Enabling LLDP polling ···························································································································· 262 
Configuring the advertisable TLVs ········································································································· 262 
Configuring the management address and its encoding format····························································· 264 
Setting other LLDP parameters·············································································································· 265 
Setting an encapsulation format for LLDP frames ················································································· 265 
Disabling LLDP PVID inconsistency check ···························································································· 266 
Configuring CDP compatibility ······················································································································· 266 
Configuration prerequisites ···················································································································· 267 
Configuration procedure························································································································· 267 
Configuring DCBX ·········································································································································· 268 
DCBX configuration task list··················································································································· 269 
Enabling LLDP and DCBX TLV advertising ··························································································· 269 
Configuring APP parameters ················································································································· 270 
Configuring ETS parameters·················································································································· 271 
Configuring PFC parameters ················································································································· 273 
Configuring the DCBX version ··············································································································· 273 
Configuring LLDP trapping and LLDP-MED trapping ···················································································· 274 
Displaying and maintaining LLDP ·················································································································· 274 
LLDP configuration examples ························································································································ 275 
Basic LLDP configuration example ········································································································ 275 
CDP-compatible LLDP configuration example ······················································································· 279 
DCBX configuration example ························································································································· 281 
Configuring service loopback groups ·························································· 287 
Configuration procedure ································································································································ 287 
Displaying and maintaining service loopback groups ···················································································· 288 
Service loopback group configuration example ····························································································· 288 
Network requirements ···························································································································· 288 
Configuration procedure························································································································· 288 
Configuring cut-through Layer 2 forwarding ················································ 289 
Index ··········································································································· 290 
vii
Configuring Ethernet interfaces
The switch series supports Ethernet interfaces, management Ethernet interfaces, Console
interfaces, and USB interfaces. For the interface types and the number of interfaces supported by a
switch model, see the installation guide.
This document describes how to configure management Ethernet interfaces and Ethernet interfaces.

Configuring a management Ethernet interface

A management interface uses an RJ-45 connector. You can connect the interface to a PC for
software loading and system debugging, or connect it to a remote NMS for remote system
management.
To configure a management Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enter management interface

Ethernet interface view. M-GigabitEthernet N/A
interface-number
3. (Optional.) Set the The default setting is
interface description. description text
M-GigabitEthernet0/0/0 Interface.
4. (Optional.) Shut down By default, the management Ethernet
the interface. shutdown
interface is up.

Ethernet interface naming conventions

The Ethernet interfaces are named in the format of interface type A/B/C. The letters that follow the
interface type represent the following elements:
• A—IRF member ID or virtual slot number of PEX. If the switch is not in an IRF or IRF 3 fabric, A
is 1 by default.
• B—Card slot number. 0 indicates the interface is a fixed interface of the switch.
• C—Port index.
A 10-GE breakout interface split from a 40-GE interface is named in the format of interface type
A/B/C:D. A/B/C is the interface number of the 40-GE interface and D is the number of the 10-GE
interface, which is in the range of 1 to 4. For information about splitting a 40-GE interface, see
"Splitting a 40-GE interface and combining 10-GE breakout interfaces."

Configuring common Ethernet interface settings

This section describes the settings common to Layer 2 and Layer 3 Ethernet interfaces. You can set
an Ethernet interface as a Layer 3 interface by using the port link-mode route command. For more
information, see "Configuring the link mode of an Ethernet interface." For more information about the
settings specific to Layer 2 and Layer 3 Ethernet interfaces, see "Configuring a Layer 2 Ethernet
interface" and "Configuring a Layer 3 Ethernet interface or subinterface."

1
Splitting a 40-GE interface and combining 10-GE breakout
interfaces
Splitting a 40-GE QSFP+ interface into four 10-GE breakout interfaces
You can use a 40-GE QSFP+ interface as a single interface. To improve port density, reduce costs,
and improve network flexibility, you can also split a 40-GE QSFP+ interface into four 10-GE breakout
interfaces.
After the using tengige command is successfully configured, the system prompts you to reboot your
device. You must reboot the device and then the system deletes the 40-GE interface and creates
four 10-GE breakout interfaces.
A 40-GE interface split into four 10-GE breakout interfaces must use a dedicated 1-to-4 cable. For
more information about the cable, see the installation guides.
To split a 40-GE interface into four 10-GE breakout interfaces:

Step Command Remarks

1. Enter system view. system-view N/A

Enter 40-GE interface view. interface interface-type

2. N/A
interface-number
By default, a 40-GE interface is not
split and operates as a single
interface.
3. Split the 40-GE interface into The 10-GE breakout interfaces split
four 10-GE breakout using tengige from a 40-GE interface support the
interfaces. same configuration and attributes as
common 10-GE interfaces, except
that they are numbered in a different
way.

Combining four 10-GE breakout interfaces into a 40-GE interface

If you need higher bandwidth, you can combine the four 10-GE breakout interfaces into a 40-GE
interface.
After the using fortygige command is successfully configured, the system prompts you to reboot
your device. You must reboot the device and then the system deletes the four 10-GE breakout
interfaces and creates the combined 40-GE interface.
After you combine the four 10-GE breakout interfaces, replace the dedicated 1-to-4 cable with a
dedicated 1-to-1 cable or a 40-GE transceiver module. For more information about the cable or
transceiver module, see the installation guides.
To combine four 10-GE breakout interfaces into a 40-GE interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter the view of any 10-GE
breakout interface split from interface interface-type
N/A
a 40-GE interface. interface-number

3. Combine the four 10-GE By default, a 40-GE interface is

breakout interfaces into a using fortygige not split and operates as a single
40-GE interface. interface.

2
Configuring basic settings of an Ethernet interface
Configuring an Ethernet interface

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number

3. Set the interface The default setting is in the format of

description. description text interface-name Interface. For example,
Ten-GigabitEthernet1/0/1 Interface.
The default setting is auto for Ethernet
interfaces.
4. Set the duplex mode of
the Ethernet interface. duplex { auto | full | half } Copper ports operating at 1000 Mbps or
10 Gbps and fiber ports do not support the
half keyword.
The default setting is auto for Ethernet
interfaces.
5. Set the port speed. speed { 1000 | 10000 | 40000 | Support for the keywords depends on the
auto } interface type. For more information,
execute the speed? command in
interface view.
6. Configure the expected By default, the expected bandwidth (in
bandwidth of the bandwidth bandwidth-value kbps) is the interface baud rate divided by
interface. 1000.
7. Restore the default
settings for the Ethernet default N/A
interface.
8. Bring up the Ethernet By default, Ethernet interfaces are in up
interface. undo shutdown
state.

Configuring an Ethernet subinterface

Step Command Remarks

1. Enter system view. system-view N/A
2. Create an Ethernet
subinterface and enter interface interface-type
N/A
its view. interface-number.subnumber

The default setting is in the format of

3. Set the subinterface interface-name Interface. For
description. description text example,
Ten-GigabitEthernet1/0/1.1
Interface.
4. Restore the default
settings for the Ethernet default N/A
subinterface.
5. Configure the expected By default, the expected bandwidth
bandwidth for the bandwidth bandwidth-value (in kbps) is the interface baud rate
interface. divided by 1000.
6. Bring up the Ethernet By default, Ethernet subinterfaces
subinterface. undo shutdown
are in up state.

3
Configuring the link mode of an Ethernet interface
CAUTION:
After you change the link mode of an Ethernet interface, all commands (except the shutdown
command) on the Ethernet interface are restored to their defaults in the new link mode.

The interfaces on this switch series can operate either as Layer 2 or Layer 3 Ethernet interfaces.
You can set the link mode to bridge or route.
To change the link mode of an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Change the link mode of the By default, Ethernet interfaces
Ethernet interface. port link-mode { bridge | route }
operate in bridge mode.

Configuring jumbo frame support

An Ethernet interface might receive some frames larger than the standard Ethernet frame size during
high-throughput data exchanges, such as file transfers. These frames are called jumbo frames.
The interface processes jumbo frames in the following ways:
• When the Ethernet interface is configured to deny jumbo frames (by using the undo
jumboframe enable command), the Ethernet interface discards jumbo frames without further
processing.
• When the Ethernet interface is configured with jumbo frame support, the Ethernet interface
performs the following operations:
{ Processes jumbo frames within the specified length.
{ Discards jumbo frames exceeding the specified length without further processing.
To configure jumbo frame support in interface view:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number

3. Configure jumbo frame By default, the switch allows jumbo

support. jumboframe enable [ value ] frames within 10000 bytes to pass
through all Ethernet interfaces.

Configuring physical state change suppression on an

Ethernet interface
IMPORTANT:
Do not configure physical state change suppression on an Ethernet interface with RRPP, spanning
tree protocols, or Smart Link enabled.

4
 The physical link state of an Ethernet interface is either up or down. Each time the physical link of a
port comes up or goes down, the interface immediately reports the change to the CPU. The CPU
then performs the following operations:
• Notifies the upper-layer protocol modules (such as routing and forwarding modules) of the
change for guiding packet forwarding.
• Automatically generates traps and logs, informing the user to take the correct actions.
To prevent frequent physical link flapping from affecting system performance, configure physical
state change suppression to suppress the reporting of physical link state changes. The system
reports physical layer changes only when the suppression interval expires.
When the link-delay delay-time command is configured:
• The link-down event is not reported to the CPU unless the interface is still down when the
suppression interval (delay-time) expires.
• The link-up event is immediately reported.
When the link-delay delay-time mode up command is configured:
• The link-up event is not reported to the CPU unless the interface is still up when the
suppression interval (delay-time) expires.
• The link-down event is immediately reported.
When the link-delay delay-time mode updown command is configured:
• The link-down event is not reported to the CPU unless the interface is still down when the
suppression interval (delay-time) expires.
• The link-up event is not reported to the CPU unless the interface is still up when the
suppression interval (delay-time) expires.
To configure physical state change suppression on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface-type
interface view. N/A
interface-number
By default, the link-down or link-up event is
3. Configure physical immediately reported to the CPU.
state change link-delay [ msec ]
suppression on the delay-time [ mode { up | If you configure this command multiple times on
interface. updown }] an Ethernet interface, the most recent
configuration takes effect.

Performing a loopback test on an Ethernet interface

If an Ethernet interface does not work correctly, you can perform a loopback test on it to identify the
problem. An Ethernet interface in a loopback test does not forward data traffic.
Loopback tests include the following types:
• Internal loopback test—Tests all on-chip functions related to the Ethernet interface.
• External loopback test—Tests the hardware of the Ethernet interface. To perform an external
loopback test on the Ethernet interface, connect a loopback plug to the Ethernet interface. The
switch sends test packets out of the interface, which are expected to loop over the plug and
back to the interface. If the interface fails to receive any test packets, the hardware of the
interface is faulty.

5
Configuration restrictions and guidelines
• On an administratively shut down Ethernet interface (displayed as in ADM or Administratively
DOWN state), you cannot perform an internal or external loopback test.
• The speed, duplex, mdix-mode, and shutdown commands are not available during a
loopback test.
• During a loopback test, the Ethernet interface operates in full duplex mode. When a loopback
test is complete, the port returns to its duplex setting.
Configuration procedure
To perform a loopback test on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number

Perform a loopback test. By default, no loopback test is

3. loopback { external | internal }
performed.

Configuring generic flow control on an Ethernet interface

CAUTION:
Configuring generic flow control on an Ethernet interface will cause link-up and link-down events
before the interface finally stays up.

To avoid packet drops on a link, you can enable generic flow control at both ends of the link. When
traffic congestion occurs at the receiving end, the receiving end sends a flow control (Pause) frame
to ask the sending end to suspend sending packets.
• With TxRx mode generic flow control enabled, an interface can both send and receive flow
control frames. When congestion occurs, the interface sends a flow control frame to its peer.
When the interface receives a flow control frame from the peer, it suspends sending packets.
• With Rx flow mode generic control enabled, an interface can receive flow control frames, but it
cannot send flow control frames. When the interface receives a flow control frame from its peer,
it suspends sending packets to the peer. When congestion occurs, the interface cannot send
flow control frames to the peer.
To handle unidirectional traffic congestion on a link, configure the flow-control receive enable
command at one end and the flow-control command at the other end. To enable both ends of a link
to handle traffic congestion, configure the flow-control command at both ends.
To enable generic flow control on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
• Enable TxRx mode generic
flow control:
3. Enable generic flow flow-control By default, generic flow control is
control. • Enable Rx mode generic disabled on an Ethernet interface.
flow control:
flow-control receive

6
 Step Command Remarks
enable

Configuring PFC on an Ethernet interface

PFC performs flow control based on 802.1p priorities. With PFC enabled, an interface requires its
peer to suspend sending packets with certain 802.1p priorities when congestion occurs. By
decreasing the transmission rate, PFC helps avoid packet loss.
If you enable PFC and configure the priority-flow-control no-drop dot1p dot1p-list command on
both ends, the local port processes a received packet as follows when network congestion occurs:
• If PFC is enabled for the 802.1p priority carried in the packet, the local port perform the following
tasks:
{ Accepts the packet.
{ Notifies the peer to stop sending packets carrying the 802.1p priority until the congestion is
removed.
• If PFC is disabled for the 802.1p priority carried in the packet, the local port drops the packet.
To configure PFC on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Enable PFC on the interface
through automatic priority-flow-control { auto |
By default, PFC is disabled.
negotiation or forcibly. enable }

4. Enable PFC for 802.1p priority-flow-control no-drop By default, PFC is disabled for all
priorities. dot1p dot1p-list 802.1p priorities.

When you configure PFC, follow these guidelines:

• To perform PFC on a network port of an IRF member device, configure PFC on both the
network port and the IRF physical ports. For information about IRF, see IRF configuration
Guide.
• As a best practice to ensure correct operations of IRF and other protocols, do not enable PFC
for 802.1p priorities 0, 6, and 7.
• Perform the same PFC configuration on all ports that traffic travels through.
• A port can receive PFC pause frames regardless of whether PFC is enabled on the port.
However, only a port with PFC enabled can process PFC pause frames. To make PFC take
effect, make sure PFC is enabled on both the local end and the peer end.
The relationship between the PFC feature and the generic flow control feature is shown in Table 1.
Table 1 The relationship between the PFC feature and the generic flow control feature

priority-flo priority-flow-cont
flow-control w-control rol no-drop Remarks
enable dot1p
You cannot enable flow control by using the
Unconfigurable Configured Configured flow-control command on a port where PFC is
enabled and PFC is enabled for the specified

7
 priority-flo priority-flow-cont
flow-control w-control rol no-drop Remarks
enable dot1p
802.1p priority values.
• On a port configured with the flow-control
command, you can enable PFC, but you
cannot enable PFC for specific 802.1p
priorities.
• Enabling both generic flow control and PFC
Configured Configurable Unconfigurable
on a port disables the port from sending
common or PFC pause frames to inform the
peer of congestion conditions. However, the
port can still handle common and PFC
pause frames from the peer.

Enabling energy saving features on an Ethernet interface

Enabling auto power-down on an Ethernet interface

IMPORTANT:
Fiber ports do not support this feature.

When the auto power-down feature is enabled on an interface and the interface has been down for a
certain period of time, both of the following events occur:
• The switch automatically stops supplying power to the interface.
• The interface enters the power save mode.
The time period depends on the chip specifications and is not configurable.
When the interface comes up, both of the following events occur:
• The switch automatically restores power supply to the interface.
• The interface enters its normal state.
This feature is applicable only to S5820V2-54QS-GE switches.
To enable auto power-down on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number

3. Enable auto power-down. By default, auto power-down is

port auto-power-down
disabled.

Enabling EEE energy saving for Ethernet interfaces in up state

IMPORTANT:
Fiber ports do not support this feature.

With the Energy Efficient Ethernet (EEE) energy saving feature, a link-up port enters the low power
state if it has not received any packet for a certain period of time. The time period depends on the
chip specifications and is not configurable. When a packet arrives later, the switch automatically
restores power supply to the interface and the port enters the normal state.

8
 For the 10-GE copper ports of S5820V2-52Q switches, this feature is available only when the ports
operate at 10 Gbps.
To enable EEE energy saving:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Enable EEE energy By default, EEE energy
saving. eee enable
saving is disabled.

Setting the statistics polling interval

To set the statistics polling interval in Ethernet interface view:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Set the statistics polling By default, the statistics polling
interval. flow-interval interval
interval is 300 seconds.

To display the interface statistics collected in the last polling interval, use the display interface
command.
To clear interface statistics, use the reset counters interface command.

Forcibly bringing up a fiber port

CAUTION:
The following operations on a fiber port will cause link updown events before the port finally stays up:
• Configure the port up-mode command and the speed or duplex command at the same time.
• Install or remove fiber links or transceiver modules after you forcibly bring up the fiber port.

IMPORTANT:
Copper ports do not support this feature.

As shown inFigure 1, a fiber port typically uses separate fibers for transmitting and receiving packets.
The physical state of the fiber port is up only when both transmit and receive fibers are physically
connected. If one of the fibers is disconnected, the fiber port does not work.
To enable a fiber port to forward traffic over a single link, you can use the port up-mode command.
This command brings up a fiber port by force, even when no fiber links or optical modules are
present. If one fiber link is present and up, the fiber port can forward packets over the link
unidirectionally.

9
 Figure 1 Forcibly bring up a fiber port
When Ethernet
Correct fiber interfaces cannot When Ethernet interfaces
connection be or are not are forcibly brought up
forcibly brought up
Device A Device A Device A

XGE1/0/1 XGE1/0/1 XGE1/0/1

XGE1/0/1 XGE1/0/1 XGE1/0/1

Device B Device B Device B

The fiber is
Fiber port Tx end Rx end Fiber link
disconnected.

The interface is
Packets
down.

Configuration restrictions and guidelines

The port up-mode command is mutually exclusive with either of the shutdown and loopback
commands.
Configuration procedure
To forcibly bring up a fiber port:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enter Ethernet interface interface interface-type

view. N/A
interface-number

By default, a fiber Ethernet port is not

3. Forcibly bring up the fiber forcibly brought up, and the physical
port. port up-mode
state of a fiber port depends on the
physical state of the fibers.

Configuring storm suppression

The storm suppression feature ensures that the size of a particular type of traffic (broadcast,
multicast, or unknown unicast traffic) does not exceed the threshold on an interface. When the
broadcast, multicast, or unknown unicast traffic on the interface exceeds this threshold, the system
discards packets until the traffic drops below this threshold.

10
 Any of the storm-constrain, broadcast-suppression, multicast-suppression, and
unicast-suppression commands can suppress storm on an interface. The
broadcast-suppression, multicast-suppression, and unicast-suppression commands use the
chip to suppress traffic. They have less impact on the device performance than the storm-constrain
command, which uses software to suppress traffic.
Configuration restrictions and guidelines
When you configure storm suppression, follow these restrictions and guidelines:
• For the traffic suppression result to be determined, do not configure storm control together with
storm suppression for the same type of traffic on an interface. For more information about storm
control, see "Configuring storm control on an Ethernet interface."
• When you configure the suppression threshold in kbps, the actual suppression threshold might
be different from the configured one as follows:
{ If the configured value is smaller than 64, the value of 64 takes effect.
{ If the configured value is greater than 64 but not an integer multiple of 64, the integer
multiple of 64 that is greater than and closest to the configured value takes effect.
For the suppression threshold that takes effect, see the prompt on the device.
Configuration procedure
To set storm suppression thresholds on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Enable broadcast
suppression and set the broadcast-suppression { ratio | pps By default, broadcast
broadcast suppression max-pps | kbps max-kbps } suppression is disabled.
threshold.
4. Enable multicast
suppression and set the multicast-suppression { ratio | pps
By default, multicast
multicast suppression max-pps | kbps max-kbps }
suppression is disabled.
threshold. [ unknown ]

5. Enable unknown unicast

suppression and set the unicast-suppression { ratio | pps By default, unknown unicast
unknown unicast max-pps | kbps max-kbps } suppression is disabled.
suppression threshold.

Configuring a Layer 2 Ethernet interface

Configuring storm control on an Ethernet interface
Storm control compares broadcast, multicast, and unknown unicast traffic regularly with their
respective traffic thresholds on an Ethernet interface. For each type of traffic, storm control provides
a lower threshold and a higher threshold.
For management purposes, you can configure the interface to output threshold event traps and log
messages when monitored traffic meets one of the following conditions:
• Exceeds the upper threshold.
• Falls below the lower threshold from the upper threshold.

11
 Depending on your configuration, when a particular type of traffic exceeds its upper threshold, the
interface does either of the following:
• Blocks this type of traffic, while forwarding other types of traffic—Even though the
interface does not forward the blocked traffic, it still counts the traffic. When the blocked traffic
drops below the lower threshold, the port begins to forward the traffic.
• Goes down automatically—The interface goes down automatically and stops forwarding any
traffic. When the blocked traffic is detected dropping below the lower threshold, the port does
not forward the traffic. To bring up the interface, use the undo shutdown command or disable
the storm control feature.
Any of the storm-constrain, broadcast-suppression, multicast-suppression, and
unicast-suppression commands can suppress storm on a port. The broadcast-suppression,
multicast-suppression, and unicast-suppression commands suppress traffic in hardware, and
have less impact on device performance than the storm-constrain command, which performs
suppression in software.
Storm control uses a complete polling cycle to collect traffic data, and analyzes the data in the next
cycle. An interface takes one to two polling intervals to take a storm control action.
Configuration guidelines
For the same type of traffic, do not configure the storm constrain command together with any of the
broadcast-suppression, multicast-suppression, and unicast-suppression commands.
Otherwise, the traffic suppression result is not determined. For more information about the
broadcast-suppression, multicast-suppression, and unicast-suppression commands, see
"Configuring storm suppression."
Configuration procedure
To configure storm control on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
The default setting is 10 seconds.
2. (Optional.) Set the traffic
polling interval of the storm storm-constrain interval For network stability, use the
control module. seconds default or set a higher traffic
polling interval (10 seconds).
3. Enter Ethernet interface interface interface-type
view. N/A
interface-number
4. (Optional.) Enable storm
control, and set the lower storm-constrain { broadcast |
and upper thresholds for multicast | unicast } { pps | kbps By default, storm control is
broadcast, multicast, or | ratio } max-pps-values disabled.
unknown unicast traffic. min-pps-values

5. Set the control action to take

when monitored traffic storm-constrain control { block By default, storm control is
exceeds the upper | shutdown } disabled.
threshold.
By default, the interface outputs
6. (Optional.) Enable the log messages when monitored
interface to log storm control traffic exceeds the upper
storm-constrain enable log
threshold events. threshold or falls below the lower
threshold from the upper
threshold.
7. (Optional.) Enable the By default, the interface sends
interface to send storm traps when monitored traffic
control threshold event storm-constrain enable trap
exceeds the upper threshold or
traps. drops below the lower threshold

12
 Step Command Remarks
from the upper threshold.

Setting the MDIX mode of an Ethernet interface

IMPORTANT:
• Fiber ports do not support the MDIX mode setting.
• 10-GE copper ports support only the automdix mode.

A physical Ethernet interface contains eight pins, each of which plays a dedicated role. For example,
pins 1 and 2 transmit signals, and pins 3 and 6 receive signals. You can use both crossover and
straight-through Ethernet cables to connect copper Ethernet interfaces. To accommodate these
types of cables, a copper Ethernet interface can operate in one of the following Medium Dependent
Interface-Crossover (MDIX) modes:
• MDIX mode—Pins 1 and 2 are receive pins and pins 3 and 6 are transmit pins.
• MDI mode—Pins 1 and 2 are transmit pins and pins 3 and 6 are receive pins.
• AutoMDIX mode—The interface negotiates pin roles with its peer.
To enable the interface to communicate with its peer, set the MDIX mode of the interface mode by
using the following guidelines:
• Typically, set the MDIX mode of the interface to AutoMDIX. Set the MDIX mode of the interface
to MDI or MDIX only when the switch cannot determine the cable type.
• When a straight-through cable is used, set the interface to operate in the MDIX mode different
than its peer.
• When a crossover cable is used, perform either of the following tasks:
{ Set the interface to operate in the same MDIX mode as its peer.
{ Set either end to operate in AutoMDIX mode.
To set the MDIX mode of an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number

Set the MDIX mode of the By default, a copper Ethernet

3. mdix-mode { automdix | mdi |
Ethernet interface. interface operates in auto mode to
mdix }
negotiate pin roles with its peer.

Testing the cable connection of an Ethernet interface

IMPORTANT:
• If the link of an Ethernet port is up, testing its cable connection will cause the link to go down and
then come up.
• Fiber ports do not support this feature.

This feature tests the cable connection of an Ethernet interface and displays cable test results within
5 seconds. The test results include the cable's status and some physical parameters. If any fault is
detected, the test results include the length of the faulty cable segment.

13
 To test the cable connection of an Ethernet interface:

Step Command
1. Enter system view. system-view
2. Enter Ethernet interface view. interface interface-type interface-number
3. Test the cable connected to the Ethernet
interface. virtual-cable-test

Changing a Layer 2 Ethernet interface to an FC interface

IMPORTANT:
This feature is applicable only to S5820V2-52QF-U switches.

This feature allows you to change a Layer 2 Ethernet interface to an FC interface.

After you configure this feature on a Layer 2 Ethernet interface, the system deletes the interface,
creates the FC interface, and enters FC interface view. This feature does not modify the interface
number.
To change a Layer 2 Ethernet interface to an FC interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
3. Change the Layer 2
Ethernet interface to an FC By default, the interface operates as a Layer 2
port-type fc
interface. Ethernet interface.

4. (Optional.) Change the FC

interface back to a Layer 2 By default, the interface operates as a Layer 2
port-type ethernet
Ethernet interface. Ethernet interface.

Enabling bridging on an Ethernet interface

When a packet arrives at an interface, the switch looks up the destination MAC address of the packet
in the MAC address table. If an entry is found and the outgoing interface is the same as the incoming
interface, the switch drops the packet.
To enable the switch to forward such packets rather than drop them, enable the bridging feature on
the Ethernet interface.
To enable bridging on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Enable bridging on the
Ethernet interface. port bridge enable By default, bridging is disabled.

14
Setting the interface connection distance
When two directly connected interfaces communicate, they use the buffer area to buffer the received
data. A longer interface connection distance requires a greater buffer area.
Perform this task to modify the buffer area size by setting the interface connection distance.
To set the interface connection distance:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enter Layer 2 Ethernet interface interface-type

interface view. N/A
interface-number
By default, the interface
3. Set the interface port connection-distance { 300 | 10000 |
connection distance. connection distance is 10000
20000 | 40000 } meters.

Configuring a Layer 3 Ethernet interface or

subinterface
Setting the MTU for an Ethernet interface or subinterface
The value of maximum transmission unit (MTU) affects the fragmentation and reassembly of IP
packets. Typically, you do not need to modify the MTU of an interface.
To set the MTU for an Ethernet interface or subinterface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type { interface-number |
or subinterface view. N/A
interface-number.subnumber

3. Set the MTU. The default setting is 1500

mtu size
bytes.

Displaying and maintaining an Ethernet interface

Execute display commands in any view and reset commands in user view.

Task Command
display counters { inbound | outbound } interface
Display interface traffic statistics. [ interface-type [ interface-number |
interface-number.subnumber ] ]
display counters rate { inbound | outbound } interface
Display traffic rate statistics of interfaces
[ interface-type [ interface-number |
in up state over the last sampling interval.
interface-number.subnumber ] ]
Display the operational and status
display interface [ interface-type [ interface-number |
information of the specified interface or
interface-number.subnumber ] ]
all interfaces.

15
Task Command
Display summary information about the display interface [ interface-type [ interface-number |
specified interface or all interfaces. interface-number.subnumber ] ] brief [ description ]
Display information about dropped
display packet-drop { interface [ interface-type
packets on the specified interface or all
[ interface-number ] ] | summary }
interfaces.
Display PFC information and frame
display priority-flow-control interface [ interface-type
statistics on the specified interfaces or
[ interface-number ] ]
all interfaces.
Display information about storm control
display storm-constrain [ broadcast | multicast | unicast ]
on the specified interface or all
[ interface interface-type interface-number ]
interfaces.
Display the Ethernet statistics. display ethernet statistics slot slot-number
reset counters interface [ interface-type [ interface-number |
Clear the interface statistics.
interface-number.subnumber ] ]
Clear the statistics of dropped packets reset packet-drop interface [ interface-type
on the specified interfaces. [ interface-number ] ]
Clear the Ethernet statistics. reset ethernet statistics

16
Configuring loopback, null, and
inloopback interfaces
This chapter describes how to configure a loopback interface, a null interface, and an inloopback
interface.

Configuring a loopback interface

A loopback interface is a virtual interface. The physical layer state of a loopback interface is always
up unless the loopback interface is manually shut down. Because of this benefit, loopback interfaces
are widely used in the following scenarios:
• Configuring a loopback interface address as the source address of the IP packets that
the device generates—Because loopback interface addresses are stable unicast addresses,
they are usually used as device identifications.
{ When you configure a rule on an authentication or security server to permit or deny packets
that a device generates, you can simplify the rule by configuring it to permit or deny packets
carrying the loopback interface address that identifies the device.
{ When you use a loopback interface address as the source address of IP packets, make
sure the route from the loopback interface to the peer is reachable by performing routing
configuration. All data packets sent to the loopback interface are considered packets sent to
the device itself, so the device does not forward these packets.
• Using a loopback interface in dynamic routing protocols—With no router ID configured for
a dynamic routing protocol, the system selects the highest loopback interface IP address as the
router ID. In BGP, to avoid interruption of BGP sessions due to physical port failure, you can use
a loopback interface as the source interface of BGP packets.
To configure a loopback interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a loopback interface
and enter loopback interface interface loopback
N/A
view. interface-number

The default setting is interface name

3. Set the interface description. description text Interface (for example, LoopBack1
Interface).
4. Configure the expected
bandwidth of the loopback By default, the expected bandwidth
bandwidth bandwidth-value
interface. of a loopback interface is 0 kbps.

5. Restore the default settings

for the loopback interface. default N/A

6. Bring up the loopback By default, a loopback interface is

interface. undo shutdown
up.

Configuring a null interface

A null interface is a virtual interface and is always up, but you cannot use it to forward data packets or
configure it with an IP address or link layer protocol. The null interface provides a simpler way to filter
packets than ACL. You can filter undesired traffic by transmitting it to a null interface instead of

17
 applying an ACL. For example, if you specify a null interface as the next hop of a static route to a
network segment, any packets routed to the network segment are dropped.
To configure a null interface:

Step Command Remarks

1. Enter system view. system-view N/A
Interface Null 0 is the default null
interface on the device and cannot
be manually created or removed.
2. Enter null interface view. interface null 0
Only one null interface, Null 0, is
supported on the device. The null
interface number is always 0.

3. Set the interface description. The default setting is NULL0

description text
Interface.
4. Restore the default settings
for the null interface. default N/A

Configuring an inloopback interface

An inloopback interface is a virtual interface created by the system, which cannot be configured or
deleted. The physical layer and link layer protocol states of an inloopback interface are always up. All
IP packets sent to an inloopback interface are considered packets sent to the device itself and are
not forwarded.

Displaying and maintaining loopback, null, and

inloopback interfaces
Execute display commands in any view and reset commands in user view.

Task Command
display interface [ loopback [ interface-number ] ]
Display information about the specified or all [ brief [ description ] ]
loopback interfaces.
display interface [ loopback ] [ brief [ down ] ]
Display information about the null interface. display interface [ null [ 0 ] ] [ brief [ description ] ]
Display information about the inloopback display interface [ inloopback [ 0 ] ] [ brief
interface. [ description ] ]
Clear the statistics on the specified or all loopback reset counters interface loopback
interfaces. [ interface-number ]
Clear the statistics on the null interface. reset counters interface [ null [ 0 ] ]

18
Bulk configuring interfaces
You can enter interface range view to bulk configure multiple interfaces with the same feature instead
of configuring them one by one. For example, you can execute the shutdown command in interface
range view to shut down a range of interfaces.

Configuration restrictions and guidelines

When you bulk configure interfaces in interface range view, follow these restrictions and guidelines:
• In interface range view, only the commands supported by the first interface are available. The
first interface is specified with the interface range command.
• If you cannot enter the view of an interface by using the interface interface-type
interface-number command, do not configure the interface as the first interface in the interface
range.
• Do not assign both an aggregate interface and any of its member interfaces to an interface
range. Some commands might break up the aggregation after they are executed on both an
aggregate interface and its member interfaces.
• No limit is set on the maximum number of interfaces in an interface range. The more interfaces
in an interface range, the longer the command execution time.
• The maximum number of interface range names is limited only by the system resources. As a
best practice to guarantee bulk interface configuration performance, configure fewer than 1000
interface range names.
• After a command is executed in interface range view, one of the following situations might
occur:
{ The system stays in interface range view and does not display an error message. It means
that the execution succeeded on all member interfaces in the interface range.
{ The system displays an error message and stays in interface range view. It means that the
execution failed on member interfaces in the interface range.
− If the execution failed on the first member interface in the interface range, the command
is not executed on any member interfaces.
− If the execution failed on non-first member interfaces, the command takes effect on the
other member interfaces.
{ The system returns to system view. It means that:
− The command is supported in both system view and interface view.
− The execution failed on a member interface in interface range view and succeeded in
system view.
− The command is not executed on the subsequent member interfaces.
You can use the display this command to verify the configuration in interface view of each
member interface. In addition, if the configuration in system view is not needed, use the
undo form of the command to remove the configuration.

Configuration procedure
To bulk configure interfaces:

Step Command Remarks

1. Enter system view. system-view N/A

19
 Step Command Remarks
• interface range
{ interface-type
interface-number [ to
interface-type By using the interface range name
2. Enter interface range interface-number ] } &<1-24> command, you assign a name to an
view. interface range and can specify this
• interface range name name
name rather than the interface range
[ interface { interface-type
to enter the interface range view.
interface-number [ to
interface-type
interface-number ] } &<1-24> ]
3. (Optional.) Display
commands available for Enter a question mark (?) at the
the first interface in the N/A
interface range prompt.
interface range.

4. Use available
commands to configure Available commands vary by
N/A
the interfaces. interface.

5. (Optional.) Verify the

configuration. display this N/A

Displaying and maintaining bulk interface

configuration
Execute the display command in any view.

Task Command
Display information about the interface ranges that
are configured by using the interface range name display interface range [ name name ]
command.

20
Configuring the MAC address table
Overview
An Ethernet device uses a MAC address table to forward frames. A MAC address entry includes a
destination MAC address, an outgoing interface, and a VLAN ID. When the device receives a frame,
it uses the destination MAC address of the frame to look for a match in the MAC address table.
• The device forwards the frame out of the outgoing interface in the matching entry if a match is
found.
• The device floods the frame in the VLAN of the frame if no match is found.

How a MAC address entry is created

The entries in the MAC address table include entries automatically learned by the device and entries
manually added.
MAC address learning
The device can automatically populate its MAC address table by learning the source MAC addresses
of incoming frames on each interface.
When a frame arrives at an interface (for example, port A), the device performs the following
operations:
1. Checks the source MAC address (for example, MAC-SOURCE) of the frame.
2. Looks up the source MAC address in the MAC address table.
{ The device updates the entry if an entry is found.
{ The device adds an entry for MAC-SOURCE and port A if no entry is found.
3. When the device receives a frame destined for MAC-SOURCE after learning this source MAC
address, the device performs the following operations:
a. Finds the MAC-SOURCE entry in the MAC address table.
b. Forwards the frame out of port A.
The device performs the learning process each time it receives a frame with an unknown source
MAC address until the table is fully populated.
Manually configuring MAC address entries
Dynamic MAC address learning does not distinguish between illegitimate and legitimate frames,
which can invite security hazards. When Host A is connected to port A, a MAC address entry will be
learned for the MAC address of Host A (for example, MAC A). When an illegal user sends frames
with MAC A as the source MAC address to port B, the device performs the following operations:
1. Learns a new MAC address entry with port B as the outgoing interface and overwrites the old
entry for MAC A.
2. Forwards frames destined for MAC A out of port B to the illegal user.
As a result, the illegal user obtains the data of Host A. To improve the security for Host A, manually
configure a static entry to bind Host A to port A. Then, the frames destined for Host A are always sent
out of port A. Other hosts using the forged MAC address of Host A cannot obtain the frames destined
for Host A.

Types of MAC address entries

A MAC address table can contain the following types of entries:

21
 • Static entries—A static entry is manually added to forward frames with a specific destination
MAC address out of the associated interface, and it never ages out. A static entry has higher
priority than a dynamically learned one.
• Dynamic entries—A dynamic entry can be manually configured or dynamically learned to
forward frames with a specific destination MAC address out of the associated interface. A
dynamic entry might age out. A manually configured dynamic entry has the same priority as a
dynamically learned one.
• Blackhole entries—A blackhole entry is manually configured and never ages out. A blackhole
entry is configured for filtering out frames with a specific source or destination MAC address.
For example, for security purposes, to block all frames destined for or sourced from a user, you
can configure the user's MAC address as a blackhole MAC address entry.
• Multiport unicast entries—A multiport unicast entry is manually added to send frames with a
specific unicast destination MAC address out of multiple ports, and it never ages out. A multiport
unicast entry has higher priority than a dynamically learned one.
A static, blackhole, or multiport unicast MAC address entry can overwrite a dynamic MAC address
entry, but not vice versa.

MAC address table configuration task list

The configuration tasks discussed in the following sections can be performed in any order.
This document covers only the configuration of unicast MAC address entries, including static,
dynamic, blackhole, and multiport unicast MAC address entries. For information about configuring
static multicast MAC address entries, see IP Multicast Configuration Guide. For information about
MAC address table configuration in VPLS, see MPLS Configuration Guide.
To configure the MAC address table, perform the following tasks:

Tasks at a glance
(Optional.) Configuring MAC address entries
• Adding or modifying a static or dynamic MAC address entry globally
• Adding or modifying a static or dynamic MAC address entry on an interface
• Adding or modifying a blackhole MAC address entry
• Adding or modifying a multiport unicast MAC address entry
(Optional.) Disabling MAC address learning
(Optional.) Setting the aging timer for dynamic MAC address entries
(Optional.) Setting the MAC learning limit on an interface
(Optional.) Configuring the device to forward unknown frames after the MAC learning limit on an interface is
reached
(Optional.) Assigning MAC learning priority to an interface
(Optional.) Enabling MAC address synchronization
(Optional.) Enable MAC address move notifications
(Optional.) Enabling ARP fast update for MAC address moves
(Optional.) Disabling static source check
(Optional.) Enabling SNMP notifications for the MAC address table

22
Configuring MAC address entries
Configuration guidelines
• You cannot add a dynamic MAC address entry if a learned entry already exists with a different
outgoing interface for the MAC address.
• The manually configured static, blackhole, and multiport unicast MAC address entries cannot
survive a reboot if you do not save the configuration. The manually configured dynamic MAC
address entries are lost upon reboot whether or not you save the configuration.
A frame whose source MAC address matches different types of MAC address entries is processed
differently.

Type Description
• Discards the frame received on a different interface from that in the entry.
Static MAC address entry
• Forwards the frame received on the same interface with that in the entry.
Learns the MAC address (for example, MAC A) of the frame, generates a
Multiport unicast MAC dynamic MAC address entry for MAC A, and forwards the frame. However, the
address entry generated dynamic MAC address entry does not take effect. Frames destined
for MAC A are forwarded based on the multiport unicast MAC address entry.
• Learns the MAC address of the frames received on a different interface
Dynamic MAC address from that in the entry and overwrites the original entry.
entry • Forwards the frame received on the same interface as that in the entry
and updates the aging timer for the entry.

Adding or modifying a static or dynamic MAC address entry

globally
Step Command Remarks
1. Enter system view. system-view N/A
By default, no MAC address
2. Add or modify a entry is configured globally.
static or dynamic mac-address { dynamic | static } mac-address
MAC address interface interface-type interface-number vlan Make sure you have created
entry. vlan-id the VLAN and assigned the
interface to the VLAN.

Adding or modifying a static or dynamic MAC address entry

on an interface
Step Command Remarks
1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet
interface view:
interface interface-type
2. Enter interface view. N/A
interface-number
• Enter Layer 2 aggregate
interface view:

23
 Step Command Remarks
interface
bridge-aggregation
interface-number
• Enter S-channel interface
view:
interface s-channel
interface-number.channel-id
• Enter S-channel aggregate
interface view:
interface
schannel-aggregation
interface-number:channel-id
By default, no MAC address entry
is configured on an interface.
3. Add or modify a static or mac-address { dynamic | static }
dynamic MAC address entry. mac-address vlan vlan-id Make sure you have created the
VLAN and assigned the interface
to the VLAN.

Adding or modifying a blackhole MAC address entry

Step Command Remarks
1. Enter system view. system-view N/A
By default, no blackhole MAC
2. Add or modify a blackhole mac-address blackhole address entry is configured.
MAC address entry. mac-address vlan vlan-id Make sure you have created the
VLAN.

Adding or modifying a multiport unicast MAC address entry

You can configure a multiport unicast MAC address entry to associate a unicast destination MAC
address with multiple ports. The frame with a destination MAC address matching the entry is sent out
of multiple ports.
For example, in NLB unicast mode:
• All servers within the cluster uses the cluster's MAC address as their own address.
• Frames destined for the cluster are forwarded to every server in the group.
In this case, you can configure a multiport unicast MAC address entry on the device connected to the
server group. Then, the device forwards the frame destined for the server group through all ports
connected to the servers within the cluster.

24
 Figure 2 NLB cluster

Device

NLB cluster

Do not configure an interface as the output interface of a multiport unicast MAC address entry if the
interface receives frames destined for the multiport unicast MAC address. Otherwise, the frames are
flooded on the VLAN to which they belong.
You can configure a multiport unicast MAC address entry globally or on an interface.
Configuring a multiport unicast MAC address entry globally

Step Command Remarks

1. Enter system view. system-view N/A
By default, no multiport unicast
MAC address entry is configured
2. Add or modify a multiport mac-address multiport globally.
unicast MAC address entry. mac-address interface
interface-list vlan vlan-id Make sure you have created the
VLAN and assigned the interface
to the VLAN.

Configuring a multiport unicast MAC address entry on an interface

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet
interface view:
interface interface-type
interface-number
2. Enter interface view. • Enter Layer 2 aggregate N/A
interface view:
interface
bridge-aggregation
interface-number
By default, no multiport unicast
MAC address entry is configured
3. Add the interface to a on an interface.
multiport unicast MAC mac-address multiport
address entry. mac-address vlan vlan-id Make sure you have created the
VLAN and assigned the interface
to the VLAN.

25
Disabling MAC address learning
MAC address learning is enabled by default. To prevent the MAC address table from being saturated
when the device is experiencing attacks, disable MAC address learning. For example, you can
disable MAC address learning to prevent the device from being attacked by a large amount of frames
with different source MAC addresses.
When MAC address learning is disabled, the device immediately deletes the existing dynamic MAC
address entries.

Disabling global MAC address learning

Step Command Remarks
1. Enter system view. system-view N/A
2. Disable global MAC address undo mac-address By default, global MAC address
learning. mac-learning enable learning is enabled.

Disabling global MAC address learning disables MAC address learning on all interfaces.
The global MAC address learning configuration does not take effect in a TRILL network, in a VPLS
VSI, or for an S-channel. For information about TRILL, see TRILL Configuration Guide. For
information about VSIs, see MPLS Configuration Guide. For information about S-channels, see EVB
Configuration Guide.

Disabling MAC address learning on an interface

When global MAC address learning is enabled, you can disable MAC address learning on a single
interface.
To disable MAC address learning on an interface:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
interface-number
• Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
2. Enter interface view. N/A
• Enter S-channel interface view:
interface s-channel
interface-number.channel-id
• Enter S-channel aggregate
interface view:
interface
schannel-aggregation
interface-number:channel-id

3. Disable MAC address By default, MAC address

undo mac-address mac-learning
learning on the interface. learning on the interface is
enable
enabled.

26
Disabling MAC address learning on a VLAN
When global MAC address learning is enabled, you can disable MAC address learning on a
per-VLAN basis.
To disable MAC address learning on a VLAN:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable global MAC address mac-address mac-learning By default, global MAC address
learning. enable learning is enabled.
3. Enter VLAN view. vlan vlan-id N/A
4. Disable MAC address undo mac-address By default, MAC address learning
learning on the VLAN. mac-learning enable on the VLAN is enabled.

Setting the aging timer for dynamic MAC address

entries
For security and efficient use of table space, the MAC address table uses an aging timer for each
dynamic MAC address entry. If a dynamic MAC address entry is not updated before the aging timer
expires, the device deletes the entry. This aging mechanism ensures that the MAC address table can
promptly update to accommodate latest network topology changes.
A stable network requires a longer aging interval, and an unstable network requires a shorter aging
interval.
An aging interval that is too long might cause the MAC address table to retain outdated entries. As a
result, the MAC address table resources might be exhausted, and the MAC address table might fail
to update to accommodate the latest network changes.
An interval that is too short might result in removal of valid entries, which would cause unnecessary
floods and possibly affect the device performance.
To reduce floods on a stable network, set a long aging timer or disable the timer to prevent dynamic
entries from unnecessarily aging out. Reducing floods improves the network performance. Reducing
flooding also improves the security because it reduces the chances for a data frame to reach
unintended destinations.
To set the aging timer for dynamic MAC address entries:

Step Command Remarks

1. Enter system view. system-view N/A
By default, the aging timer is 300
2. Set the aging timer for seconds for dynamic MAC
dynamic MAC address mac-address timer { aging address entries.
entries. seconds | no-aging }
The no-aging keyword disables
the aging timer.

Setting the MAC learning limit on an interface

This feature limits the MAC address table size. A large MAC address table will degrade forwarding
performance..

27
 To set the MAC learning limit on an interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number

3. Set the MAC learning limit on By default, the maximum number

mac-address max-mac-count
the interface. of MAC addresses that can be
count
learned on an interface is not set.

Configuring the device to forward unknown

frames after the MAC learning limit on an interface
is reached
In this document, unknown frames refer to frames whose source MAC addresses are not in the MAC
address table.
You can enable or disable forwarding of unknown frames after the MAC learning limit is reached.
To enable the interface to forward unknown frames after the MAC learning limit is reached:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet
interface view.
interface interface-type
interface-number
2. Enter interface view. • Enter Layer 2 aggregate N/A
interface view.
interface
bridge-aggregation
interface-number
3. Configure the device to
forward unknown frames By default, the device can forward
received on the interface mac-address max-mac-count unknown frames received on an
after the MAC learning limit enable-forwarding interface after the MAC learning
on the interface is reached. limit on the interface is reached.

Assigning MAC learning priority to an interface

IMPORTANT:
To make this feature take effect in an IRF fabric, you must also enable MAC address
synchronization by using the mac-address mac-roaming enable command.

The MAC learning priority mechanism assigns either low priority or high priority to an interface. An
interface with high priority can learn MAC addresses as usual. However, an interface with low priority
is not allowed to learn MAC addresses already learned on a high-priority interface.
The MAC learning priority mechanism can help defend your network against MAC address spoofing
attacks. In a network that performs MAC-based forwarding, an upper layer device MAC address

28
 might be learned by a downlink interface because of a loop or attack to the downlink interface. To
avoid this problem, perform the following tasks:
• Assign high MAC learning priority to an uplink interface.
• Assign low MAC learning priority to a downlink interface.
To assign MAC learning priority to an interface:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
interface-number
2. Enter interface view. N/A
• Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
3. Assign MAC learning priority mac-address mac-learning priority By default, low MAC learning
to the interface. { high | low } priority is used.

Enabling MAC address synchronization

To avoid unnecessary floods and improve forwarding speed, make sure all member devices have the
same MAC address table. After you enable MAC address synchronization, each member device
advertises learned MAC address entries to other member devices.
As shown in Figure 3,
• Device A and Device B form an IRF fabric enabled with MAC address synchronization.
• Device A and Device B connect to AP C and AP D, respectively.
When Client A associates with AP C, Device A learns a MAC address entry for Client A and
advertises it to Device B.
Figure 3 MAC address tables of devices when Client A accesses AP C

29
 When Client A roams to AP D, Device B learns a MAC address entry for Client A. Device B
advertises it to Device A to ensure service continuity for Client A, as shown in Figure 4.
Figure 4 MAC address tables of devices when Client A roams to AP D

To enable MAC address synchronization:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enable MAC address mac-address mac-roaming By default, MAC address

synchronization. enable synchronization is disabled.

Enable MAC address move notifications

The outgoing interface for a MAC address entry learned on interface A is changed to interface B
when the following conditions exist:
• Interface B receives a packet with the MAC address as the source MAC address.
• Interface B belongs to the same VLAN as interface A.
In this case, the MAC address is moved from interface A to interface B, and a MAC address move
occurs.
If a MAC address is continuously moved between the two interfaces, Layer 2 loops might occur.. To
detect and locate loops, you can view the MAC address move information.
When the system detects that a MAC address frequently moves from an interface, you can configure
MAC address move suppression on the interface to bring it down. The interface can automatically
come up after waiting for the specified suppression interval. Or, you can manually bring up the
interface. To make MAC address move suppression take effect, you must use this feature together
with ARP fast update. For more information about ARP fast update, see "Enabling ARP fast update
for MAC address moves."
To display the MAC address move records after the device is started, use the display mac-address
mac-move command.
To enable MAC address move notifications:

30
Step Command Remarks
1. Enter system view. system-view N/A

By default, MAC address move

notifications are disabled.
If you do not specify a detection
interval, the default setting of 1
minute is used.
After you execute this
command:

2. Enable MAC address • If the device is configured

move notifications and with the snmp-agent trap
mac-address notification mac-move
optionally specify a enable mac-address
[ interval interval-value ]
detection interval. command, the system
sends SNMP notifications
to the SNMP module.
• If the device is not
configured with the
snmp-agent trap enable
mac-address command,
the system sends log
messages to the
information center module.
3. Set a threshold for MAC
address moves sourced mac-address notification mac-move
from an interface within The default setting is 3.
suppression threshold threshold-value
a detection interval.
4. Set a MAC address
move suppression mac-address notification mac-move The default setting is 30
interval. suppression interval interval-value seconds.

• Enter Layer 2 Ethernet interface

view:
interface interface-type
interface-number
5. Enter interface view. N/A
• Enter Layer 2 aggregate interface
view:
interface bridge-aggregation
interface-number
6. Enable MAC address mac-address notification mac-move By default, MAC address move
move suppression. suppression suppression is disabled.

7. Return to system view. quit N/A

This task is required when you

enable MAC address move
8. Enable ARP fast update suppression.
for MAC address mac-address mac-move fast-update
moves. By default, ARP fast update for
MAC address moves is
disabled.

31
Enabling ARP fast update for MAC address
moves
ARP fast update for MAC address moves allows the device to update an ARP entry immediately after
the outgoing interface for a MAC address changes. This feature ensures data connection without
interruption.
As shown in Figure 5, a mobile user Laptop accesses the network by connecting to AP 1 or AP 2.
When the AP to which the user connects changes, the switch updates the ARP entry for the user
immediately after it detects a MAC address move.
Figure 5 ARP fast update application scenario

To enable ARP fast update for MAC address moves:

Step Command Remarks

1. Enter system
view. system-view N/A

2. Enable ARP fast

update for MAC By default, ARP fast update for
mac-address mac-move fast-update
address moves. MAC address moves is disabled.

Disabling static source check

By default, the static source check feature is enabled on an interface. The check identifies whether a
received frame meets the following conditions:
• The source MAC address of the frame matches a static MAC address entry.
• The incoming interface of the frame is different from the outgoing interface in the entry.
If the frame meets both conditions, the switch drops the frame.
When this feature is disabled, the switch does not perform the check for a received frame. It can
forward the frame whether or not the frame meets the conditions.
To disable the static source check feature:

Step Command Remarks

1. Enter system
view. system-view N/A

2. Enter interface • Enter Layer 2 Ethernet interface view:

view. N/A
interface interface-type

32
 Step Command Remarks
interface-number
• Enter Layer 2 aggregate interface view:
interface bridge-aggregation
interface-number
• Enter Layer 3 Ethernet
interface/subinterface view:
interface interface-type
{ interface-number |
interface-number.subnumber }
• Enter Layer 3 aggregate
interface/subinterface view:
interface route-aggregation
{ interface-number |
interface-number.subnumber }
3. Disable the static
source check undo mac-address static source-check By default, the static source
feature. enable check feature is enabled.

Enabling SNMP notifications for the MAC address

table
After you enable SNMP notifications for the MAC address table, the device will send SNMP
notifications to the SNMP module to notify the NMS of important events. You can set the notification
sending parameters in SNMP to determine the attributes of sending notifications.
After you disable SNMP notifications for the MAC address table, the device will send log messages
to the information center module. You can set the output rules and destinations to examine the log
messages of the MAC address table module.
For more information about SNMP notifications and information center, see Network Management
and Monitoring Configuration Guide.
To enable SNMP notifications for the MAC address table:

Step Command Remarks

1. Enter system
view. system-view N/A

2. Enable SNMP
notifications for By default, SNMP notifications
snmp-agent trap enable mac-address
the MAC address are disabled for the MAC address
[ mac-move ]
table. table.

Displaying and maintaining the MAC address

table
Execute display commands in any view.

Task Command
display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic |
Display MAC address table
static ] [ interface interface-type interface-number ] | blackhole |
information.
multiport ] [ vlan vlan-id ] [ count ] ]

33
 Task Command
Display the MAC address information
of the egress RB specified by its display mac-address nickname nickname
nickname (see Figure 6).
Display the aging timer for dynamic
display mac-address aging-time
MAC address entries.
Display the system or interface MAC display mac-address mac-learning [ interface interface-type
address learning state. interface-number ]
Display MAC address statistics. display mac-address statistics
Display the MAC address move
display mac-address mac-move [ slot slot-number ]
records.

Figure 6 An example for the display mac-address nickname command

MAC address table configuration example

Network requirements
Host A at MAC address 000f-e235-dc71 is connected to interface Ten-GigabitEthernet 1/0/1 of
Device and belongs to VLAN 1.
Host B at MAC address 000f-e235-abcd, which behaved suspiciously on the network, also belongs
to VLAN 1.
Configure the MAC address as follows:
• To prevent MAC address spoofing, add a static entry for Host A in the MAC address table of
Device.
• To drop all frames destined for Host B, add a blackhole MAC address entry for the host.
• Set the aging timer to 500 seconds for dynamic MAC address entries.

Configuration procedure
# Add a static MAC address entry for MAC address 000f-e235-dc71 on Ten-GigabitEthernet 1/0/1
that belongs to VLAN 1.
<Device> system-view

34
 [Device] mac-address static 000f-e235-dc71 interface ten-gigabitethernet 1/0/1 vlan 1

# Add a blackhole MAC address entry for MAC address 000f-e235-abcd that belongs to VLAN 1.
[Device] mac-address blackhole 000f-e235-abcd vlan 1

# Set the aging timer to 500 seconds for dynamic MAC address entries.
[Device] mac-address timer aging 500

Verifying the configuration

# Display the static MAC address entries for interface Ten-GigabitEthernet 1/0/1.
[Device] display mac-address static interface ten-gigabitethernet 1/0/1
MAC Address VLAN ID State Port/NickName Aging
000f-e235-dc71 1 Static XGE1/0/1 N

# Display the blackhole MAC address entries.

[Device] display mac-address blackhole
MAC Address VLAN ID State Port/NickName Aging
000f-e235-abcd 1 Blackhole N/A N

# Display the aging time of dynamic MAC address entries.

[Device] display mac-address aging-time
MAC address aging time: 500s.

35
Configuring MAC Information
The MAC Information feature can generate syslog messages or SNMP notifications when MAC
address entries are learned or deleted. You can use these messages to monitor users leaving or
joining the network and analyze network traffic.
The MAC Information feature buffers the MAC change syslog messages or SNMP notifications in a
queue. The device overwrites the oldest MAC address change written into the queue with the most
recent MAC address change when the following conditions exist:
• The MAC change notification interval does not expire.
• The queue has been exhausted.
To send a syslog message or SNMP notification immediately after it is created, set the queue length
to zero.
The device writes information and sends messages only for the following MAC addresses:
• Dynamic MAC addresses.
• MAC addresses that pass MAC authentication.
• MAC addresses that pass 802.1X authentication.
• Secure MAC addresses.
The device does not write information or send messages for blackhole MAC addresses, static MAC
addresses, multiport unicast MAC addresses, multicast MAC addresses, and local MAC addresses.
For more information about MAC authentication, 802.1X, and secure MAC addresses, see Security
Configuration Guide.

Enabling MAC Information

Step Command Remarks
1. Enter system view. system-view N/A
2. Enable MAC Information By default, MAC Information is
globally. mac-address information enable
globally disabled.
3. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
By default, MAC Information is
disabled on an interface.
4. Enable MAC Information on mac-address information enable
the interface. { added | deleted } Make sure you have enabled
MAC Information globally before
you enable it on the interface.

Configuring the MAC Information mode

The following MAC Information modes are available for sending MAC address changes:
• Syslog—The device sends syslog messages to notify MAC address changes. The device
sends syslog messages to the information center, which then outputs them to the monitoring
terminal. For more information about information center, see Network Management and
Monitoring Configuration Guide.
• Trap—The device sends SNMP notifications to notify MAC address changes. The device sends
SNMP notifications to the NMS. For more information about SNMP, see Network Management
and Monitoring Configuration Guide.
36
 To configure the MAC Information mode:

Step Command Remarks

1. Enter system view. system-view N/A
2. Configure the MAC mac-address information mode
Information mode. The default setting is trap.
{ syslog | trap }

Configuring the MAC change notification interval

To prevent syslog messages or SNMP notifications from being sent too frequently, you can set the
MAC change notification interval to a larger value.
To set the MAC change notification interval:

Step Command Remarks

1. Enter system view. system-view N/A

2. Set the MAC change mac-address information

notification interval. The default setting is 1 second.
interval interval-time

Configuring the MAC Information queue length

Step Command Remarks
1. Enter system view. system-view N/A

2. Configure the MAC mac-address information

Information queue length. The default setting is 50.
queue-length value

MAC Information configuration example

Network requirements
Enable MAC Information on interface Ten-GigabitEthernet 1/0/1 on Device in Figure 7 to send MAC
address changes in syslog messages to the log host, Host B, through interface Ten-GigabitEthernet
1/0/2.

37
 Figure 7 Network diagram

Configuration restrictions and guidelines

When you edit the file /etc/syslog.conf, follow these restrictions and guidelines:
• Comments must be on a separate line and must begin with a pound sign (#).
• No redundant spaces are allowed after the file name.
• The logging facility name and the severity level specified in the /etc/syslog.conf file must be
the same as those configured on the device. Otherwise, the log information might not be output
correctly to the log host. The logging facility name and the severity level are configured by using
the info-center loghost and info-center source commands, respectively.

Configuration procedure
1. Configure Device to send syslog messages to Host B:
# Enable the information center.
<Device> system-view
[Device] info-center enable
# Specify the log host 192.168.1.2/24 and specify local4 as the logging facility.
[Device] info-center loghost 192.168.1.2 facility local4
# Disable log output to the log host.
[Device] info-center source default loghost deny
To avoid output of unnecessary information, disable all modules from outputting logs to the
specified destination (loghost, in this example) before you configure an output rule.
# Configure an output rule to output to the log host MAC address logs that have a severity level
of at least informational.
[Device] info-center source mac loghost level informational
2. Configure the log host, Host B:
Configure Solaris as follows. Configure other UNIX operating systems in the same way Solaris
is configured.
a. Log in to the log host as a root user.
b. Create a subdirectory named Device in directory /var/log/.
# mkdir /var/log/Device
c. Create file info.log in the Device directory to save logs from Device.
# touch /var/log/Device/info.log
d. Edit the file syslog.conf in directory /etc/ and add the following contents:

38
 # Device configuration messages
local4.info /var/log/Device/info.log
In this configuration, local4 is the name of the logging facility that the log host uses to
receive logs, and info is the informational level. The UNIX system records the log
information that has a severity level of at least informational to the file
/var/log/Device/info.log.
e. Display the process ID of syslogd, end the syslogd process, and then restart syslogd
using the –r option to make the new configuration take effect.
# ps -ae | grep syslogd
147
# kill -HUP 147
# syslogd -r &
The device can output MAC address logs to the log host, which stores the logs to the specified
file.
3. Enable MAC Information on Device:
# Enable MAC Information globally.
[Device] mac-address information enable
# Configure the MAC Information mode as syslog.
[Device] mac-address information mode syslog
# Enable MAC Information on interface Ten-GigabitEthernet 1/0/1 to enable
Ten-GigabitEthernet 1/0/1 to record MAC address change information when the interface
performs either of the following operations:
{ Learns a new MAC address.
{ Deletes an existing MAC address.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] mac-address information enable added
[Device-Ten-GigabitEthernet1/0/1] mac-address information enable deleted
[Device-Ten-GigabitEthernet1/0/1] quit
# Set the MAC Information queue length to 100.
[Device] mac-address information queue-length 100
# Set the MAC change notification interval to 20 seconds.
[Device] mac-address information interval 20

39
Configuring Ethernet link aggregation
Ethernet link aggregation bundles multiple physical Ethernet links into one logical link, called an
aggregate link. Link aggregation has the following benefits:
• Increased bandwidth beyond the limits of any single link. In an aggregate link, traffic is
distributed across the member ports.
• Improved link reliability. The member ports dynamically back up one another. When a member
port fails, its traffic is automatically switched to other member ports.
As shown in Figure 8, Device A and Device B are connected by three physical Ethernet links. These
physical Ethernet links are combined into an aggregate link called link aggregation 1. The bandwidth
of this aggregate link can reach up to the total bandwidth of the three physical Ethernet links. At the
same time, the three Ethernet links back up one another. When a physical Ethernet link fails, the
traffic previously carried on the failed link is switched to the other two links.
Figure 8 Ethernet link aggregation diagram

Basic concepts
Aggregation group, member port, and aggregate interface
Link bundling is implemented through interface bundling. An aggregation group is a group of
Ethernet interfaces bundled together, which are called member ports of the aggregation group. For
each aggregation group, a logical interface (called an aggregate interface), is created. When an
upper layer entity uses the link aggregation service, the following events occur:
• A link aggregation group appears the same as a single logical link.
• An aggregate interface transmits data traffic.
When you create an aggregate interface, the device automatically creates an aggregation group of
the same type and number as the aggregate interface. For example, when you create aggregate
interface 1, aggregation group 1 is created.
Aggregate interfaces include Layer 2 aggregate interfaces and Layer 3 aggregate interfaces.
You can assign Layer 2 Ethernet interfaces only to a Layer 2 aggregation group, and Layer 3
Ethernet interfaces only to a Layer 3 aggregation group.

NOTE:
You can use the port link-mode command to configure an Ethernet port as a Layer 2 or Layer 3
interface (see "Configuring Ethernet interfaces").

On a Layer 3 aggregate interface, you can create subinterfaces.

The port rate of an aggregate interface equals the total rate of its Selected member ports. Its duplex
mode is the same as that of the Selected member ports. For more information about the states of
member ports in an aggregation group, see "Aggregation states of member ports in an aggregation
group."

40
Aggregation states of member ports in an aggregation group
A member port in an aggregation group can be in any of the following aggregation states:
• Selected—A Selected port can forward traffic.
• Unselected—An Unselected port cannot forward traffic.
• Individual—An Individual port can forward traffic as a normal physical port. A port is placed in
the Individual state when the following conditions are met:
{ The corresponding aggregate interface is configured as an edge aggregate interface.
{ The port does not receive LACPDUs from its peer port.

Operational key
When aggregating ports, the system automatically assigns each port an operational key based on
port information, such as port rate and duplex mode. Any change to this information triggers a
recalculation of the operational key.
In an aggregation group, all Selected ports are assigned the same operational key.

Configuration types
Every configuration setting on a port might affect its aggregation state. Port configurations include
the following types:
• Attribute configurations—To become a Selected port, a member port must have the same
attribute configurations as the aggregate interface. Table 2 describes the attribute
configurations.
Attribute configurations made on an aggregate interface are automatically synchronized to all
member ports. These configurations are retained on the member ports even after the aggregate
interface is removed.
Any attribute configuration change might affect the aggregation state of link aggregation
member ports and running services. The system displays a warning message every time you
try to change an attribute configuration setting on a member port.
Table 2 Attribute configurations

Feature Considerations
Indicates whether the port has joined an isolation group and which isolation
Port isolation
group the port belongs to.
QinQ enable state (enabled/disabled), TPID for VLAN tags, and VLAN
QinQ
transparent transmission. For information about QinQ, see "Configuring QinQ."
Different types of VLAN mapping configured on the port. For more information
VLAN mapping
about VLAN mapping, see "Configuring VLAN mapping."
• Permitted VLAN IDs.
• PVID.
• Link type (trunk, hybrid, or access).
VLAN
• Operating mode (promiscuous, trunk promiscuous, host).
• VLAN tagging mode.
For information about VLAN, see "Configuring VLANs."

• Protocol configurations—Protocol configurations do not affect the aggregation state of the

member ports. MAC address learning and spanning tree settings are examples of protocol
configurations.

41
 NOTE:
The protocol configuration for a member port is effective only when the member port leaves the
aggregation group.

Link aggregation modes

An aggregation group operates in one of the following modes:
• Static—Static aggregation is stable. An aggregation group in static mode is called a static
aggregation group. The aggregation states of the member ports in a static aggregation group
are not affected by the peer ports.
• Dynamic—An aggregation group in dynamic mode is called a dynamic aggregation group. The
local system and the peer system automatically maintain the aggregation states of the member
ports. Dynamic link aggregation reduces the administrators' workload.

Aggregating links in static mode

Choosing a reference port
When setting the aggregation state of the ports in an aggregation group, the system automatically
chooses a member port as the reference port. A Selected port must have the same operational key
and attribute configurations as the reference port.
The system chooses a reference port from the member ports in up state.
The candidate reference ports are organized into different priority levels following these rules:
1. In descending order of port priority.
2. Full duplex.
3. In descending order of speed.
4. Half duplex.
5. In descending order of speed.
From the candidate ports with the same attribute configurations as the aggregate interface, the one
with the highest priority level is chosen as the reference port.
• If multiple ports have the same priority level, the port that has been Selected (if any) is chosen.
If multiple ports with the same priority level have been Selected, the one with the smallest port
number is chosen.
• If multiple ports have the same priority level and none of them has been Selected, the port with
the smallest port number is chosen.

Setting the aggregation state of each member port

After a static aggregation group reaches the limit on Selected ports, ports attempting to join the
group are put in Unselected state. This prevents traffic interruption on the existing Selected ports.

42
 Figure 9 Setting the aggregation state of a member port in a static aggregation group

For more information about configuring the maximum number of Selected ports in a static
aggregation group, see "Setting the minimum and maximum numbers of Selected ports for an
aggregation group."
Any operational key or attribute configuration change might affect the aggregation state of link
aggregation member ports.

Aggregating links in dynamic mode

Dynamic aggregation mode is implemented through IEEE 802.3ad Link Aggregation Control
Protocol (LACP).

LACP
LACP uses LACPDUs to exchange aggregation information between LACP-enabled devices.
Each member port in an LACP-enabled aggregation group exchanges information with its peer.
When a member port receives an LACPDU, it compares the received information with information
received on the other member ports. In this way, the two systems reach an agreement on which ports
are placed in the Selected state.

43
LACP functions
LACP offers basic LACP functions and extended LACP functions, as described in Table 3.
Table 3 Basic and extended LACP functions

Category Description
Implemented through the basic LACPDU fields, including the system LACP
Basic LACP functions
priority, system MAC address, port priority, port number, and operational key.
Implemented by extending the LACPDU with new TLV fields. This is how the
LACP MAD mechanism of the IRF feature is implemented.
Extended LACP
functions The switch series can participate in LACP MAD as either an IRF member device or
an intermediate device. For more information about IRF and the LACP MAD
mechanism, see IRF Configuration Guide.

LACP operating modes

LACP can operate in active mode or passive mode.
When LACP is operating in passive mode on a local member port and its peer port, both ports cannot
send LACPDUs. When LACP is operating in active mode on the port on either end of a link, both
ports can send LACPDUs.
LACP priorities
LACP priorities include system LACP priority and port priority, as described in Table 4. The smaller
the priority value, the higher the priority.
Table 4 LACP priorities

Type Description
Used by two peer devices (or systems) to determine which one is superior in link
aggregation.
System LACP
priority In dynamic link aggregation, the system that has higher system LACP priority sets
the Selected state of member ports on its side. The system that has lower priority
sets port state accordingly.
Determines the likelihood of a member port to be selected on a system. A port with a
Port priority
higher port priority is more likely to become Selected.

LACP timeout interval

The LACP timeout interval specifies how long a member port waits to receive LACPDUs from the
peer port. If a local member port does not receive LACPDUs from the peer within the LACP timeout
interval, the member port considers the peer as failed.
The LACP timeout interval also determines the LACPDU sending rate of the peer. LACP timeout
intervals include the following types:
• Short timeout interval—3 seconds. If you use the short timeout interval, the peer sends one
LACPDU per second.
• Long timeout interval—90 seconds. If you use the long timeout interval, the peer sends one
LACPDU every 30 seconds.

How dynamic link aggregation works

Choosing a reference port
The system chooses a reference port from the member ports that are in up state and have the same
attribute configurations as the aggregate interface. A Selected port must have the same operational
key and attribute configurations as the reference port.

44
 The local system (the actor) and the remote system (the partner) negotiate a reference port by using
the following workflow:
1. The two systems compare their system IDs to determine the system with the smaller system ID.
A system ID contains the system LACP priority and the system MAC address.
a. The two systems compare their LACP priority values.
The lower the LACP priority, the smaller the system ID. If LACP priority values are the same,
the two systems proceed to step b.
b. The two systems compare their MAC addresses.
The lower the MAC address, the smaller the system ID.
2. The system with the smaller system ID chooses the port with the smallest port ID as the
reference port.
A port ID contains a port priority and a port number. The lower the port priority, the smaller the
port ID.
a. The system chooses the port with the lowest priority value as the reference port.
If ports have the same priority, the system proceeds to step b.
b. The system compares their port numbers.
The smaller the port number, the smaller the port ID.
The port with the smallest port number and the same attribute configurations as the
aggregate interface is chosen as the reference port.
Setting the aggregation state of each member port
After the reference port is chosen, the system with the smaller system ID sets the state of each
member port on its side.

45
Figure 10 Setting the state of a member port in a dynamic aggregation group
 

Meanwhile, the system with the higher system ID is aware of the aggregation state changes on the
remote system. The system sets the aggregation state of local member ports the same as their peer
ports.
When you aggregate interfaces in dynamic mode, follow these guidelines:
• A dynamic link aggregation group preferably sets full-duplex ports as the Selected ports. The
group will set only one half-duplex port as a Selected port when either of the following
conditions exist:
{ None of the full-duplex ports can be chosen as Selected ports.
{ Only half-duplex ports exist in the group.
• To ensure stable aggregation and service continuity, do not change the operational key or
attribute configurations on any member port.

46
 • When the aggregation state of a local port changes in a dynamic aggregation group, the
aggregation state of the peer port also changes.
• After the Selected port limit is reached, a newly joining port becomes a Selected port if it is more
eligible than a current Selected port.
For more information about configuring the maximum number of Selected ports in a dynamic
aggregation group, see "Setting the minimum and maximum numbers of Selected ports for an
aggregation group."

Edge aggregate interface

Dynamic link aggregation fails on a server-facing aggregate interface if dynamic link aggregation is
configured only on the device. The device forwards traffic by using only one of the physical ports that
are connected to the server.
To improve link reliability, configure the aggregate interface as an edge aggregate interface. This
feature enables all member ports of the aggregation group to forward traffic. When a member port
fails, its traffic is automatically switched to other member ports.
After dynamic link aggregation is configured on the server, the device can receive LACPDUs from
the server. Then, link aggregation between the device and the server operates correctly.
An edge aggregate interface takes effect only when it is configured on an aggregate interface
corresponding to a dynamic aggregation group.

Load sharing modes for link aggregation groups

In a link aggregation group, traffic can be load shared across the Selected ports based on any of the
following modes:
• Per-flow load sharing—Load shares traffic on a per-flow basis. The load sharing mode
classifies packets into flows and forwards packets of the same flow on the same link. This mode
can be one or any combination of the following criteria that classify traffic:
{ Source or destination MAC address.
{ Source or destination port number.
{ Ingress port.
{ Source or destination IP address.
• Packet type-based load sharing—Load shares traffic automatically based on packet types
(Layer 2, IPv4, or IPv6 for example).

Ethernet link aggregation configuration task list

Tasks at a glance
(Required.) Configuring an aggregation group:
• Configuring a static aggregation group
• Configuring a dynamic aggregation group

47
 Tasks at a glance
(Optional.) Configuring an aggregate interface:
• Setting the description for an aggregate interface
• Specifying ignored VLANs for a Layer 2 aggregate interface
• Setting the MTU for a Layer 3 aggregate interface
• Setting the minimum and maximum numbers of Selected ports for an aggregation group
• Setting the expected bandwidth for an aggregate interface
• Configuring an edge aggregate interface
• Enabling BFD for an aggregation group
• Shutting down an aggregate interface
• Restoring the default settings for an aggregate interface
• Specifying link aggregation management VLANs and management port
(Optional.) Configuring load balancing for link aggregation group:
• Configuring load sharing modes for link aggregation groups
• Enabling local-first load sharing for link aggregation
• Configuring per-flow load sharing algorithm settings for Ethernet link aggregation
• Setting the global load sharing mode for MAC-in-MAC traffic
Enabling link-aggregation traffic redirection

Configuring an aggregation group

This section explains how to configure an aggregation group.

Configuration restrictions and guidelines

When you configure an aggregation group, follow these restrictions and guidelines:
• You cannot assign a port to a Layer 2 aggregation group if any of the following features are
configured on the port:
{ MAC authentication (see Security Configuration Guide).
{ Port security (see Security Configuration Guide).
{ 802.1X (see Security Configuration Guide).
{ Association between AC and cross connection (see MPLS Configuration Guide).
{ AC-VSI association (see MPLS Configuration Guide).
• You cannot assign a port to a Layer 3 aggregation group if any of the following features are
configured on the port:
{ Association between AC and cross connection (see MPLS Configuration Guide).
{ AC-VSI association (see MPLS Configuration Guide).
• If a port is used as a reflector port for port mirroring, do not assign it to an aggregation group.
For more information about reflector ports, see Network Management and Monitoring
Configuration Guide.
• Removing an aggregate interface also removes its aggregation group and causes all member
ports to leave the aggregation group.
• You must configure the same aggregation mode on the two ends of an aggregate link.
• This switch series supports a maximum of 128 aggregation groups. As a best practice to ensure
the operation of the service loopback groups, configure no more than 126 aggregation groups.

48
Configuring a static aggregation group
To guarantee a successful static aggregation, make sure that the ports at both ends of each link are
in the same aggregation state.
Avoid assigning ports to a static aggregation group that has reached the limit on Selected ports.
These ports will be placed in the Unselected state to avoid traffic interruption on the current Selected
ports. However, a device reboot can cause the aggregation state of member ports to change.
Configuring a Layer 2 static aggregation group

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a
Layer 2
aggregat
e
interface When you create a Layer 2
and aggregate interface, the system
interface bridge-aggregation
enter automatically creates a Layer 2
interface-number
Layer 2 static aggregation group
aggregat numbered the same.
e
interface
view.
3. Exit to
system quit N/A
view.
a. Enter
Layer 2
Ethernet
interface
view:
interfac
e
interface
4. Assign -type
an interface
interface -number
to the Repeat these two sub-steps to
b. Assign assign more Layer 2 Ethernet
specified the
Layer 2 interfaces to the aggregation
interface group.
aggregat to the
ion specified
group. Layer 2
aggregat
ion
group:
port
link-agg
regation
group
number

Configuring a Layer 3 static aggregation group

Step Command Remarks

1. Enter system view. system-view N/A

49
 Step Command Remarks
2. Create a
Layer 3
aggregat
e
interface When you create a Layer 3
and aggregate interface, the system
interface route-aggregation
enter automatically creates a Layer 3
interface-number
Layer 3 static aggregation group
aggregat numbered the same.
e
interface
view.
3. Exit to
system quit N/A
view.
a. Enter Layer 3 Ethernet
interface view:
interface interface-type
interface-number
4. Assign b. Assign
an the
interface interface
to the to the Repeat these two sub-steps to
specified specified assign more Layer 3 Ethernet
Layer 3 Layer 3 interfaces to the aggregation
aggregat aggregat group.
ion ion
group. group:
port
link-agg
regation
group
number

Configuring a dynamic aggregation group

To guarantee a successful dynamic aggregation, make sure that the peer ports of the ports
aggregated at one end are also aggregated. The two ends can automatically negotiate the
aggregation state of each member port.
Configuring a Layer 2 dynamic aggregation group

Step Command Remarks

1. Enter system view. system-view N/A
By default, the system LACP
2. Set the priority is 32768.
system lacp system-priority Changing the system LACP
LACP system-priority priority might affect the
priority. aggregation state of the ports in a
dynamic aggregation group.
3. Create a
When you create a Layer 2
Layer 2
aggregate interface, the system
aggregat interface bridge-aggregation
automatically creates a Layer 2
e interface-number
static aggregation group
interface
numbered the same.
and

50
Step Command Remarks
enter
Layer 2
aggregat
e
interface
view.
4. Configur
e the
aggregat
ion
group to By default, an aggregation group
operate link-aggregation mode dynamic operates in static aggregation
in mode.
dynamic
aggregat
ion
mode.
5. Exit to
system quit N/A
view.
a. Enter
Layer 2
Ethernet
interface
view:
interfac
e
interface
6. Assign -type
an interface
interface -number
to the Repeat these two sub-steps to
b. Assign assign more Layer 2 Ethernet
specified the
Layer 2 interfaces to the aggregation
interface group.
aggregat to the
ion specified
group. Layer 2
aggregat
ion
group:
port
link-agg
regation
group
number

• Set LACP to operate in

passive mode:
7. Set the LACP operating lacp mode passive By default, LACP is operating in
mode on the interface. • Set LACP to operate in active mode.
active mode:
undo lacp mode
8. Configure the port link-aggregation port-priority
priority for the interface. The default setting is 32768.
port-priority
9. Configur By default, the long LACP timeout
e the interval (90 seconds) is adopted
short by the interface. The peer sends
lacp period short
LACP LACPDUs slowly.
timeout
interval Do not configure the short LACP

51
 Step Command Remarks
(3 timeout interval before performing
seconds) an ISSU. Otherwise, traffic
on the interruption will occur during the
interface ISSU. For more information about
. ISSU, see Fundamentals
Configuration Guide.

Configuring a Layer 3 dynamic aggregation group

Step Command Remarks

1. Enter system view. system-view N/A
By default, the system LACP
2. Set the priority is 32768.
system lacp system-priority Changing the system LACP
LACP system-priority priority might affect the
priority. aggregation state of the ports in
the dynamic aggregation group.
3. Create a
Layer 3
aggregat
e
interface When you create a Layer 3
and aggregate interface, the system
interface route-aggregation
enter automatically creates a Layer 3
interface-number
Layer 3 static aggregation group
aggregat numbered the same.
e
interface
view.
4. Configur
e the
aggregat
ion
group to By default, an aggregation group
operate link-aggregation mode dynamic operates in static aggregation
in mode.
dynamic
aggregat
ion
mode.
5. Exit to
system quit N/A
view.
a. Enter Layer 3 Ethernet
interface view:
interface interface-type
6. Assign interface-number
an b. Assign
interface the
to the Repeat these two sub-steps to
interface assign more Layer 3 Ethernet
specified to the
Layer 3 interfaces to the aggregation
specified group.
aggregat Layer 3
ion aggregat
group. ion
group:
port
link-agg

52
 Step Command Remarks
regation
group
number

• Set LACP to operate in

passive mode:
7. Set the LACP lacp mode passive
operating mode on By default, LACP is operating in
the interface. • Set LACP to operate in active mode.
active mode:
undo lacp mode

8. Configure the port

priority for the link-aggregation port-priority
The default setting is 32768.
interface. port-priority

9. Configur By default, the long LACP timeout

e the interval (90 seconds) is adopted
short by the interface. The peer sends
LACP LACPDUs slowly.
timeout Do not configure the short LACP
interval lacp period short timeout interval before performing
(3 an ISSU. Otherwise, traffic
seconds) interruption will occur during the
on the ISSU. For more information about
interface ISSU, see Fundamentals
. Configuration Guide.

Configuring an aggregate interface

Most of the configurations that can be performed on Layer 2 or Layer 3 Ethernet interfaces can also
be performed on Layer 2 or Layer 3 aggregate interfaces.

Setting the description for an aggregate interface

You can set the description for an aggregate interface for administration purposes, for example,
describing the purpose of the interface.
To set the description for an aggregate interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Ent • Enter Layer 2 aggregate
er interface view:
agg interface bridge-aggregation
reg interface-number
ate N/A
inte • Enter Layer 3 aggregate
rfac interface or subinterface view:
e interface route-aggregation
vie { interface-number |

53
 Step Command Remarks
w. interface-number.subnumber }

3. Set
the
des
cript
ion
for By default, the description of an
the description text interface is interface-name
agg Interface.
reg
ate
inte
rfac
e.

Specifying ignored VLANs for a Layer 2 aggregate interface

By default, to become Selected ports, the member ports must have the same VLAN permit state and
VLAN tagging mode as the corresponding Layer 2 aggregate interface.
The system ignores the permit state and tagging mode of an ignored VLAN when choosing Selected
ports.
To specify ignored VLANs for a Layer 2 aggregate interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter
Layer 2
aggregat interface bridge-aggregation
e N/A
interface-number
interface
view.
3. Specify By default, a Layer 2 aggregate
ignored link-aggregation ignore vlan
interface does not ignore any
VLANs. vlan-id-list
VLANs.

Setting the MTU for a Layer 3 aggregate interface

Maximum transmission unit (MTU) of an interface affects IP packets fragmentation and reassembly
on the interface.
To set the MTU for a Layer 3 aggregate interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter interface route-aggregation N/A
Layer 3 { interface-number |

54
 Step Command Remarks
aggregat interface-number.subnumber }
e
interface
or
subinterf
ace view.
3. Set the
MTU for
the
Layer 3
aggregat
e mtu size The default setting is 1500 bytes.
interface
or
subinterf
ace.

Setting the minimum and maximum numbers of Selected

ports for an aggregation group
IMPORTANT:
The minimum and maximum number of Selected ports must be the same for the local and peer
aggregation groups.

The bandwidth of an aggregate link increases as the number of Selected member ports increases.
To avoid congestion, you can set the minimum number of Selected ports required for bringing up an
aggregate interface.
This minimum threshold setting affects the aggregation state of both aggregation member ports and
the aggregate interface.
• When the number of member ports eligible to be Selected ports is smaller than the minimum
threshold:
{ All member ports are placed in the Unselected state.
{ The link of the aggregate interface goes down.
• When the minimum threshold is reached, the eligible member ports are placed in the Selected
state, and the link of the aggregate interface goes up.
The maximum number of Selected ports allowed in an aggregation group is limited by either the
configured maximum number or hardware capability, whichever value is smaller.
You can configure backup between two ports by performing the following tasks:
• Assign two ports to an aggregation group.
• Configure 1 as the maximum number of Selected ports allowed in the aggregation group.
Then, only one Selected port is allowed in the aggregation group at any point in time, and the
Unselected port acts as a backup port.
To set the minimum and maximum numbers of Selected ports for an aggregation group:

Step Command Remarks

1. Enter system view. system-view N/A

55
 Step Command Remarks
• Enter Layer 2 aggregate
interface view:
interface
2. Enter bridge-aggregation
aggregat interface-number
e N/A
interface • Enter Layer 3 aggregate
view. interface view:
interface
route-aggregation
interface-number
3. Set the
minimum
number
of By default, the minimum number
Selected link-aggregation selected-port of Selected ports for the
ports for minimum number aggregation group is not
the specified.
aggregat
ion
group.
4. Set the
maximu
m
number
of By default, the maximum number
Selected link-aggregation selected-port
of Selected ports for an
ports for maximum number
aggregation group is 32.
the
aggregat
ion
group.

Setting the expected bandwidth for an aggregate interface

Step Command Remarks
1. Enter system view. system-view N/A
• Enter Layer 2 aggregate
interface view:
interface
bridge-aggregation
2. Enter interface-number
aggregat • Enter Layer 3 aggregate
e interface or subinterface N/A
interface view:
view. interface
route-aggregation
{ interface-number |
interface-number.subnumbe
r}
3. Set the
expected By default, the expected
bandwidt bandwidth (in kbps) is the
h for the bandwidth bandwidth-value
interface baud rate divided by
interface 1000.
.

56
Configuring an edge aggregate interface
When you configure an edge aggregate interface, follow these restrictions and guidelines:
• This configuration takes effect only on the aggregate interface corresponding to a dynamic
aggregation group.
• Link-aggregation traffic redirection does not operate correctly on an edge aggregate interface.
For more information about link-aggregation traffic redirection, see "Enabling link-aggregation
traffic redirection."
To configure an edge aggregate interface:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 aggregate
interface view:
interface
bridge-aggregation
2. Enter aggregate interface interface-number
view. N/A
• Enter Layer 3 aggregate
interface view:
interface
route-aggregation
interface-number
3. Configure the aggregate By default, an aggregate interface
interface as an edge lacp edge-port does not operate as an edge
aggregate interface. aggregate interface.

Enabling BFD for an aggregation group

BFD for Ethernet link aggregation can monitor member link status in an aggregation group. After you
enable BFD on an aggregate interface, each Selected port in the aggregation group establishes a
BFD session with its peer port. All the BFD sessions use UDP port 6784 and destination MAC
address 01-00-5E-90-00-01. BFD operates differently depending on the aggregation mode.
• BFD for static aggregation—When BFD detects a link failure, BFD notifies the Ethernet link
aggregation module that the peer port is unreachable. The local port is placed in the Unselected
state. The BFD session between the local and peer ports remains, and the local port keeps
sending BFD packets. When the link is recovered, the local port receives BFD packets from the
peer port, and BFD notifies the Ethernet link aggregation module that the peer port is reachable.
The local port is placed in the Selected state again. This mechanism ensures that the local and
peer ports of a static aggregate link have the same aggregation state.
• BFD for dynamic aggregation—When BFD detects a link failure, BFD notifies the Ethernet
link aggregation module that the peer port is unreachable. BFD clears the session and stops
sending BFD packets. When the link is recovered and the local port is placed in the Selected
state again, the local port establishes a new session with the peer port. BFD notifies the
Ethernet link aggregation module that the peer port is reachable. Because BFD provides fast
failure detection, the local and peer systems of a dynamic aggregate link can negotiate the
aggregation state of their member ports faster.
To enable BFD for an aggregation group:

57
 Step Command Remarks

1. Enter system
view. system-view N/A

• Enter Layer 2 aggregate interface view:

interface bridge-aggregation
2. Enter aggregate interface-number
interface view. N/A
• Enter Layer 3 aggregate interface view:
interface route-aggregation
interface-number

3. Enable BFD for

the aggregation link-aggregation bfd ipv4 source ip-address By default, BFD is disabled for
group. destination ip-address an aggregation group.

Shutting down an aggregate interface

Make sure no member port in an aggregation group is configured with the loopback command when
you shut down the aggregate interface. Similarly, a port configured with the loopback command
cannot be assigned to an aggregate interface already shut down. For more information about the
loopback command, see Layer 2—LAN Switching Command Reference.
Shutting down or bringing up an aggregate interface affects the aggregation state and link state of
ports in the corresponding aggregation group in the following ways:
• When an aggregate interface is shut down, all Selected ports in the corresponding aggregation
group become unselected and their link state becomes down.
• When an aggregate interface is brought up, the aggregation state of ports in the corresponding
aggregation group is recalculated.
To shut down an aggregate interface:

Step Command
1. Enter system view. system-view

• Enter Layer 2 aggregate interface view:

interface bridge-aggregation interface-number
2. Enter aggregate
interface view. • Enter Layer 3 aggregate interface or subinterface view:
interface route-aggregation { interface-number |
interface-number.subnumber }

3. Shut down the

aggregate interface. shutdown

Restoring the default settings for an aggregate interface

You can return all configurations on an aggregate interface to default settings.
To restore the default settings for an aggregate interface:

Step Command
1. Enter system view. system-view

58
 Step Command

• Enter Layer 2 aggregate interface view:

interface bridge-aggregation interface-number
2. Enter aggregate
interface view. • Enter Layer 3 aggregate interface or subinterface view:
interface route-aggregation { interface-number |
interface-number.subnumber }

3. Restore the
default settings for
the aggregate default
interface.

Specifying link aggregation management VLANs and

management port
For an aggregation group to forward traffic of some VLANs through a specific port, specify the
VLANs as management VLANs and the port as a management port.
To specify link aggregation management VLANs and management port for an aggregation group:

Step Command Remarks

1. Enter system view. system-view N/A
By default, no link aggregation
management VLANs are
2. Specify link aggregation link-aggregation specified.
management VLANs. management-vlan vlan-id1
[ vlan-id2 ] If you execute this command
multiple times, the most recent
configuration takes effect.
3. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
By default, a port does not act as
4. Configure the port as a a management port in its
management port for its link-aggregation aggregation group.
aggregation group. management-port
The management port must be a
Selected port.

Configuring load sharing for link aggregation

groups
This section explains how to configure load sharing modes for link aggregation groups and how to
enable local-first load sharing for link aggregation.

Configuring load sharing modes for link aggregation groups

You can configure the global or group-specific load sharing mode. A link aggregation group
preferentially uses the group-specific load sharing mode. If no group-specific load sharing mode is
available, the group uses the global load sharing mode.

59
Configuring the global link-aggregation load sharing mode

Step Command Remarks

1. Enter system view. system-view N/A
2. Co
nfig
ure
the
glo
bal
link link-aggregation global load-sharing By default, the system
-ag mode { destination-ip | automatically chooses the global
gre destination-mac | destination-port | link-aggregation load sharing
gati ingress-port | source-ip | mode according to the packet
on source-mac | source-port } * type.
loa
d
sha
ring
mo
de.

Configuring group-specific load sharing mode

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 aggregate
2. Enter interface view
aggreg interface bridge-aggregation
ate interface-number
interfa N/A
• Enter Layer 3 aggregate
ce interface view:
view. interface route-aggregation
interface-number
3. Config
ure the
load
sharin link-aggregation load-sharing
g The default settings are the
mode { destination-ip |
mode same as the global load sharing
destination-mac | source-ip |
for the mode.
source-mac } *
aggreg
ation
group.

Enabling local-first load sharing for link aggregation

Use local-first load sharing in a multidevice link aggregation scenario to distribute traffic preferentially
across member ports on the ingress card or device.
When you aggregate ports on different member devices in an IRF fabric, you can use local-first load
sharing to reduce traffic on IRF links, as shown in Figure 11. For more information about IRF, see IRF
Configuration Guide.

60
 Figure 11 Load sharing for multiswitch link aggregation in an IRF fabric

The egress port for a traffic flow is an

aggregate interface that has Selected
ports on different IRF member switches

Yes Local-first load sharing No

mechanism enabled?

Any Selected ports on the No

ingress switch?

Yes

Packets are load shared only

Packets are load shared across
across the Selected ports on the
all Selected ports
ingress switch

To enable local-first load sharing for link aggregation:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable
local-first
load
sharing link-aggregation load-sharing By default, local-first load sharing
for link mode local-first for link aggregation is enabled.
aggregat
ion.

Configuring per-flow load sharing algorithm settings for

Ethernet link aggregation
Configure the per-flow load sharing algorithm and algorithm seed to optimize traffic distribution on
aggregate links based on existing per-flow load sharing settings. You can set only the algorithm or
the algorithm seed, or both. You can combine an algorithm with different algorithm seeds to obtain
different effects.
This feature does not take effect on per-flow load sharing that uses the following traffic classification
criteria:
• Source IP address.
• Destination IP address.
• Source MAC address.
• Destination MAC address.
• Source and destination IP addresses.
• Source and destination MAC addresses.

61
 To configure per-flow load sharing algorithm settings for Ethernet link aggregation:

Step Command Remarks

1. Enter system view. system-view N/A
By default, algorithm 0 is used.
link-aggregation global If the device fails to load share
2. Configure the load sharing traffic flows across all Selected
algorithm. load-sharing algorithm
algorithm-number ports, you can specify algorithm 1
to 8 in sequence until the problem
is solved.
3. Configure the load sharing link-aggregation global By default, algorithm seed 0 is
algorithm seed. load-sharing seed seed-number used.

Setting the global load sharing mode for MAC-in-MAC traffic

This feature sets the global load sharing mode for MAC-in-MAC traffic on the aggregate links of a
backbone core bridge. For more information about backbone core bridges, see "Configuring PBB."
MAC-in-MAC traffic can be load shared based on any of the following items:
• The outer frame header, and source and destination ports.
• The inner frame header, and source and destination ports.
To set the global load sharing mode for MAC-in-MAC traffic:

Step Command Remarks

1. Enter system view. system-view N/A

2. Set the global load sharing By default, MAC-in-MAC traffic is

link-aggregation global
mode for MAC-in-MAC load shared based on the inner
load-sharing minm { inner |
traffic. frame header, and source and
outer }
destination ports.

Enabling link-aggregation traffic redirection

Link-aggregation traffic redirection prevents traffic interruption.
When you shut down a Selected port in an aggregation group, this feature redirects traffic to other
Selected ports.
When you restart an IRF member device that contains Selected ports, this feature redirects traffic to
other IRF member devices.
You can enable link-aggregation traffic redirection globally or for an aggregation group. Global
link-aggregation traffic redirection settings take effect on all aggregation groups. A link aggregation
group preferentially uses the group-specific link-aggregation traffic redirection settings. If
group-specific link-aggregation traffic redirection is not configured, the group uses the global
link-aggregation traffic redirection settings.

Configuration restrictions and guidelines

When you enable ink-aggregation traffic redirection, follow these restrictions and guidelines:
• Link-aggregation traffic redirection applies only to dynamic link aggregation groups and takes
effect on only known unicast packets.

62
 • To prevent traffic interruption, enable link-aggregation traffic redirection on devices at both ends
of the aggregate link.
• To prevent packet loss that might occur at a reboot, do not enable spanning tree together with
link-aggregation traffic redirection.
• Link-aggregation traffic redirection does not operate correctly on an edge aggregate interface.
• As a best practice, enable link-aggregation traffic redirection on aggregate interfaces. If you
enable this feature globally, communication with a third-party peer device might be affected if
the peer is not compatible with this feature.

Configuration procedure
To enable link-aggregation traffic redirection globally:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable
link-aggr
egation link-aggregation lacp
traffic By default, link-aggregation traffic
traffic-redirect-notification
redirecti redirection is disabled globally.
enable
on
globally.

To enable link-aggregation traffic redirection for an aggregation group:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 aggregate
interface view:
interface
bridge-aggregation
2. Enter aggregate interface interface-number
view. N/A
• Enter Layer 3 aggregate
interface view:
interface
route-aggregation
interface-number
3. Enable link-aggregation link-aggregation lacp By default, link-aggregation traffic
traffic redirection for the traffic-redirect-notification redirection is disabled for an
aggregation group. enable aggregation group.

Displaying and maintaining Ethernet link

aggregation
Execute display commands in any view and reset commands in user view.

Task Command
display interface [ bridge-aggregation |
Display information for an aggregate interface route-aggregation ] [ brief [ down ] ]
or multiple aggregate interfaces.
display interface [ { bridge-aggregation |

63
 Task Command
route-aggregation } [ interface-number ] ] [ brief
[ description ] ]
Display the local system ID. display lacp system-id
display link-aggregation load-sharing mode [ interface
Display the global or group-specific
[ { bridge-aggregation | route-aggregation }
link-aggregation load sharing modes.
interface-number ] ]
display link-aggregation load-sharing path interface
{ bridge-aggregation | route-aggregation }
interface-number ingress-port interface-type
interface-number [ route ] { { destination-ip ip-address |
Display forwarding information for the specified
destination-ipv6 ipv6-address } | { source-ip ip-address |
traffic flow.
source-ipv6 ipv6-address } | destination-mac
mac-address | destination-port port-id | ethernet-type
type-number | ip-protocol protocol-id | source-mac
mac-address | source-port port-id | vlan vlan-id }*
Display detailed link aggregation information
display link-aggregation member-port [ interface-list ]
for link aggregation member ports.
Display summary information about all
display link-aggregation summary
aggregation groups.
display link-aggregation verbose
Display detailed information about the
[ { bridge-aggregation | route-aggregation }
specified aggregation groups.
[ interface-number ] ]
Clear LACP statistics for the specified link
reset lacp statistics [ interface interface-list ]
aggregation member ports.
Clear statistics for the specified aggregate reset counters interface [ { bridge-aggregation |
interfaces. route-aggregation } [ interface-number ] ]

Ethernet link aggregation configuration examples

Layer 2 static aggregation configuration example
Network requirements
On the network shown in Figure 12, perform the following tasks:
• Configure a Layer 2 static aggregation group on both Device A and Device B.
• Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other
end.
• Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other
end.

64
 Figure 12 Network diagram

Configuration procedure
1. Configure Device A:
# Create VLAN 10, and assign port Ten-GigabitEthernet 1/0/4 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port ten-gigabitethernet 1/0/4
[DeviceA-vlan10] quit
# Create VLAN 20, and assign port Ten-GigabitEthernet 1/0/5 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port ten-gigabitethernet 1/0/5
[DeviceA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] quit
# Assign ports Ten-GigabitEthernet 1/0/1 through Ten-GigabitEthernet 1/0/3 to link aggregation
group 1.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/2] quit
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/3] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLANs 10 and 20.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20
[DeviceA-Bridge-Aggregation1] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)

65
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected
I -- Individual, * -- Management port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Static
Loadsharing Type: Shar
Management VLAN : None
Port Status Priority Oper-Key
--------------------------------------------------------------------------------
XGE1/0/1 S 32768 1
XGE1/0/2 S 32768 1
XGE1/0/3 S 32768 1

The output shows that:

• Link aggregation group 1 is a Layer 2 static aggregation group.
• The aggregation group contains three Selected ports.

Layer 2 dynamic aggregation configuration example

Network requirements
On the network shown in Figure 13, perform the following tasks:
• Configure a Layer 2 dynamic aggregation group on both Device A and Device B.
• Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other
end.
• Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other
end.
Figure 13 Network diagram

66
Configuration procedure
1. Configure Device A:
# Create VLAN 10, and assign the port Ten-GigabitEthernet 1/0/4 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port ten-gigabitethernet 1/0/4
[DeviceA-vlan10] quit
# Create VLAN 20, and assign the port Ten-GigabitEthernet 1/0/5 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port ten-gigabitethernet 1/0/5
[DeviceA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1, and set the link aggregation mode
to dynamic.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation1] quit
# Assign ports Ten-GigabitEthernet 1/0/1 through Ten-GigabitEthernet 1/0/3 to link aggregation
group 1.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/2] quit
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/3] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLANs 10 and 20.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20
[DeviceA-Bridge-Aggregation1] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected
I -- Individual, * -- Management port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Dynamic
Loadsharing Type: Shar

67
 Management VLAN : None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Oper-Key Flag
--------------------------------------------------------------------------------
XGE1/0/1 S 32768 1 {ACDEF}
XGE1/0/2 S 32768 1 {ACDEF}
XGE1/0/3 S 32768 1 {ACDEF}
Remote:
Actor Partner Priority Oper-Key SystemID Flag
--------------------------------------------------------------------------------
XGE1/0/1 1 32768 1 0x8000, 000f-e267-57ad {ACDEF}
XGE1/0/2 2 32768 1 0x8000, 000f-e267-57ad {ACDEF}
XGE1/0/3 3 32768 1 0x8000, 000f-e267-57ad {ACDEF}

The output shows that:

• Link aggregation group 1 is a Layer 2 dynamic aggregation group.
• The aggregation group contains three Selected ports.

Layer 2 aggregation load sharing configuration example

Network requirements
On the network shown in Figure 14, perform the following tasks:
• Configure two Layer 2 static aggregation groups 1 and 2 on Device A and Device B,
respectively.
• Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other
end.
• Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other
end.
• Configure link aggregation groups 1 and 2 to load share traffic across aggregation group
member ports.
{ Configure link aggregation group 1 to load share packets based on source MAC addresses.
{ Configure link aggregation group 2 to load share packets based on destination MAC
addresses.
Figure 14 Network diagram

68
Configuration procedure
1. Configure Device A:
# Create VLAN 10, and assign the port Ten-GigabitEthernet 1/0/5 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port ten-gigabitethernet 1/0/5
[DeviceA-vlan10] quit
# Create VLAN 20, and assign the port Ten-GigabitEthernet 1/0/6 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port ten-gigabitethernet 1/0/6
[DeviceA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1.
[DeviceA] interface bridge-aggregation 1
# Configure Layer 2 aggregation group 1 to load share packets based on source MAC
addresses.
[DeviceA-Bridge-Aggregation1] link-aggregation load-sharing mode source-mac
[DeviceA-Bridge-Aggregation1] quit
# Assign ports Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 to link aggregation
group 1.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/2] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLAN 10.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10
[DeviceA-Bridge-Aggregation1] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 2.
[DeviceA] interface bridge-aggregation 2
# Configure Layer 2 aggregation group 2 to load share packets based on destination MAC
addresses.
[DeviceA-Bridge-Aggregation2] link-aggregation load-sharing mode destination-mac
[DeviceA-Bridge-Aggregation2] quit
# Assign ports Ten-GigabitEthernet 1/0/3 and Ten-GigabitEthernet 1/0/4 to link aggregation
group 2.
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port link-aggregation group 2
[DeviceA-Ten-GigabitEthernet1/0/3] quit
[DeviceA] interface ten-gigabitethernet 1/0/4
[DeviceA-Ten-GigabitEthernet1/0/4] port link-aggregation group 2
[DeviceA-Ten-GigabitEthernet1/0/4] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 2 as a trunk port and assign it to
VLAN 20.
[DeviceA] interface bridge-aggregation 2

69
 [DeviceA-Bridge-Aggregation2] port link-type trunk
[DeviceA-Bridge-Aggregation2] port trunk permit vlan 20
[DeviceA-Bridge-Aggregation2] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected
I -- Individual, * -- Management port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Static
Loadsharing Type: Shar
Management VLAN : None
Port Status Priority Oper-Key
--------------------------------------------------------------------------------
XGE1/0/1 S 32768 1
XGE1/0/2 S 32768 1

Aggregate Interface: Bridge-Aggregation2

Aggregation Mode: Static
Loadsharing Type: Shar
Port Status Priority Oper-Key
--------------------------------------------------------------------------------
XGE1/0/3 S 32768 2
XGE1/0/4 S 32768 2

The output shows that:

• Link aggregation groups 1 and 2 are both load-shared Layer 2 static aggregation groups.
• Each aggregation group contains two Selected ports.
# Display all the group-specific load sharing modes on Device A.
[DeviceA] display link-aggregation load-sharing mode interface

Bridge-Aggregation1 Load-Sharing Mode:

source-mac address

Bridge-Aggregation2 Load-Sharing Mode:

destination-mac address

The output shows that:

• Link aggregation group 1 load shares packets based on source MAC addresses.
• Link aggregation group 2 load shares packets based on destination MAC addresses.

70
Layer 2 edge aggregate interface configuration example
Network requirements
As shown in Figure 15, a Layer 2 dynamic aggregation group is configured on the device. The server
is not configured with dynamic link aggregation.
Configure an edge aggregate interface so that both Ten-GigabitEthernet 1/0/1 and
Ten-GigabitEthernet 1/0/2 can forward traffic to improve link reliability.
Figure 15 Network diagram

Configuration procedure
# Create Layer 2 aggregate interface Bridge-Aggregation 1, and set the link aggregation mode to
dynamic.
<Device> system-view
[Device] interface bridge-aggregation 1
[Device-Bridge-Aggregation1] link-aggregation mode dynamic

# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as an edge aggregate interface.

[Device-Bridge-Aggregation1] lacp edge-port
[Device-Bridge-Aggregation1] quit

# Assign ports Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 to link aggregation group 1.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[Device-Ten-GigabitEthernet1/0/1] quit
[Device] interface ten-gigabitethernet 1/0/2
[Device-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[Device-Ten-GigabitEthernet1/0/2] quit

Verifying the configuration

# Display detailed information about all aggregation groups on the device when the server is not
configured with dynamic link aggregation.
[Device] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected
I -- Individual, * -- Management port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Dynamic
Loadsharing Type: NonS
Management VLAN : None
System ID: 0x8000, 000f-e267-6c6a
Local:

71
 Port Status Priority Oper-Key Flag
--------------------------------------------------------------------------------
XGE1/0/1 I 32768 1 {AG}
XGE1/0/2 I 32768 1 {AG}
Remote:
Actor Partner Priority Oper-Key SystemID Flag
--------------------------------------------------------------------------------
XGE1/0/1 0 32768 0 0x8000, 0000-0000-0000 {DEF}
XGE1/0/2 0 32768 0 0x8000, 0000-0000-0000 {DEF}

The output shows that Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 are in Individual
state when they do not receive LACPDUs from the server. Both Ten-GigabitEthernet 1/0/1 and
Ten-GigabitEthernet 1/0/2 can forward traffic. When one port fails, its traffic is automatically switched
to the other port.

Layer 3 static aggregation configuration example

Network requirements
On the network shown in Figure 16, perform the following tasks:
• Configure a Layer 3 static aggregation group on both Device A and Device B.
• Configure IP addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.
Figure 16 Network diagram

Configuration procedure
1. Configure Device A:
# Create Layer 3 aggregate interface Route-Aggregation 1, and configure an IP address and
subnet mask for the aggregate interface.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces Ten-GigabitEthernet 1/0/1 through Ten-GigabitEthernet
1/0/3 to aggregation group 1.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/2] quit
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/3] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)

72
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected
I -- Individual, * -- Management port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Route-Aggregation1

Aggregation Mode: Static
Loadsharing Type: Shar
Management VLAN : None
Port Status Priority Oper-Key
--------------------------------------------------------------------------------
XGE1/0/1 S 32768 1
XGE1/0/2 S 32768 1
XGE1/0/3 S 32768 1

The output shows that link aggregation group 1 is a non-load-shared Layer 3 static aggregation
group that contains three Selected ports.

Layer 3 dynamic aggregation configuration example

Network requirements
On the network shown in Figure 17, perform the following tasks:
• Configure a Layer 3 dynamic aggregation group on both Device A and Device B.
• Configure IP addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.
Figure 17 Network diagram

Configuration procedure
1. Configure Device A:
# Create Layer 3 aggregate interface Route-Aggregation 1.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
# Set the link aggregation mode to dynamic.
[DeviceA-Route-Aggregation1] link-aggregation mode dynamic
# Configure an IP address and subnet mask for Route-Aggregation 1.
[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces Ten-GigabitEthernet 1/0/1 through Ten-GigabitEthernet
1/0/3 to aggregation group 1.

73
 [DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/2] quit
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/3] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected
I -- Individual, * -- Management port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Route-Aggregation1

Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLAN : None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Oper-Key Flag
--------------------------------------------------------------------------------
XGE1/0/1 S 32768 1 {ACDEF}
XGE1/0/2 S 32768 1 {ACDEF}
XGE1/0/3 S 32768 1 {ACDEF}
Remote:
Actor Partner Priority Oper-Key SystemID Flag
--------------------------------------------------------------------------------
XGE1/0/1 1 32768 1 0x8000, 000f-e267-57ad {ACDEF}
XGE1/0/2 2 32768 1 0x8000, 000f-e267-57ad {ACDEF}
XGE1/0/3 3 32768 1 0x8000, 000f-e267-57ad {ACDEF}

The output shows that:

• Link aggregation group 1 is a non-load-shared Layer 3 dynamic aggregation group.
• The aggregation group contains three Selected ports.

Layer 3 edge aggregate interface configuration example

Network requirements
As shown in Figure 18, a Layer 3 dynamic aggregation group is configured on the device. The server
is not configured with dynamic link aggregation.

74
 Configure an edge aggregate interface so that both Ten-GigabitEthernet 1/0/1 and
Ten-GigabitEthernet 1/0/2 can forward traffic to improve link reliability.
Figure 18 Network diagram

Configuration procedure
# Create Layer 3 aggregate interface Route-Aggregation 1, and set the link aggregation mode to
dynamic.
<Device> system-view
[Device] interface route-aggregation 1
[Device-Route-Aggregation1] link-aggregation mode dynamic

# Configure an IP address and subnet mask for Layer 3 aggregate interface Route-Aggregation 1.
[Device-Route-Aggregation1] ip address 192.168.1.1 24

# Configure Layer 3 aggregate interface Route-Aggregation 1 as an edge aggregate interface.

[Device-Route-Aggregation1] lacp edge-port
[Device-Route-Aggregation1] quit

# Assign Layer 3 Ethernet interfaces Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 to

aggregation group 1.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[Device-Ten-GigabitEthernet1/0/1] quit
[Device] interface ten-gigabitethernet 1/0/2
[Device-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[Device-Ten-GigabitEthernet1/0/2] quit

Verifying the configuration

# Display detailed information about all aggregation groups on the device when the server is not
configured with dynamic link aggregation.
[Device] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected
I -- Individual, * -- Management port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Route-Aggregation1

Aggregation Mode: Dynamic
Loadsharing Type: NonS
Management VLAN : None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Oper-Key Flag
--------------------------------------------------------------------------------
XGE1/0/1 I 32768 1 {AG}

75
 XGE1/0/2 I 32768 1 {AG}
Remote:
Actor Partner Priority Oper-Key SystemID Flag
--------------------------------------------------------------------------------
XGE1/0/1 0 32768 0 0x8000, 0000-0000-0000 {DEF}
XGE1/0/2 0 32768 0 0x8000, 0000-0000-0000 {DEF}

The output shows that Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 are in Individual
state when they do not receive LACPDUs from the server. Both Ten-GigabitEthernet 1/0/1 and
Ten-GigabitEthernet 1/0/2 can forward traffic. When one port fails, its traffic is automatically switched
to the other port.

76
Configuring port isolation
The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs.
Ports in an isolation group cannot communicate with each other. However, they can communicate
with ports outside the isolation group.

Assigning a port to an isolation group

The device supports multiple isolation groups, which can be configured manually. The number of
ports assigned to an isolation group is not limited.
To assign a port to an isolation group:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create an isolation port-isolate group
group. By default, no isolation group exists.
group-number
• The configuration in Layer 2
Ethernet interface view applies only
to the interface.
• Enter Layer 2 Ethernet • The configuration in Layer 2
interface view: aggregate interface view applies to
interface interface-type the Layer 2 aggregate interface and
interface-number its aggregation member ports. If the
Enter interface view. device fails to apply the configuration
3. • Enter Layer 2 aggregate
to the aggregate interface, it does
interface view:
not assign any aggregation member
interface
port to the isolation group. If the
bridge-aggregation
failure occurs on an aggregation
interface-number
member port, the device skips the
port and continues to assign other
aggregation member ports to the
isolation group.
By default, the port is not in any isolation
group.
4. Assign the port to the You can assign a port to at most one
specified isolation port-isolate enable group
group-number isolation group. If you execute the
group. port-isolate enable group command
multiple times, the most recent
configuration takes effect.

Displaying and maintaining port isolation

Execute display commands in any view.

Task Command
Display isolation group information. display port-isolate group [ group-number ]

77
Port isolation configuration example
Network requirements
As shown in Figure 19, configure port isolation on the device to meet the following requirements:
• The hosts can access the Internet.
• The hosts cannot communicate with each other at Layer 2.
Figure 19 Network diagram

Configuration procedure
# Create isolation group 2.
<Device> system-view
[Device] port-isolate group 2

# Assign Ten-GigabitEthernet 1/0/1, Ten-GigabitEthernet 1/0/2, and Ten-GigabitEthernet 1/0/3 to

isolation group 2.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] port-isolate enable group 2
[Device-Ten-GigabitEthernet1/0/1] quit
[Device] interface ten-gigabitethernet 1/0/2
[Device-Ten-GigabitEthernet1/0/2] port-isolate enable group 2
[Device-Ten-GigabitEthernet1/0/2] quit
[Device] interface ten-gigabitethernet 1/0/3
[Device-Ten-GigabitEthernet1/0/3] port-isolate enable group 2

Verifying the configuration

# Display information about isolation group 2.
[Device] display port-isolate group 2
Port isolation group information:
Group ID: 2
Group members:

78
 Ten-GigabitEthernet1/0/1
Ten-GigabitEthernet1/0/2
Ten-GigabitEthernet1/0/3

The output shows that interfaces Ten-GigabitEthernet 1/0/1, Ten-GigabitEthernet 1/0/2, and
Ten-GigabitEthernet 1/0/3 are assigned to isolation group 2. As a result, Host A, Host B, and Host C
are isolated from each other at layer 2.

79
Configuring spanning tree protocols
Spanning tree protocols eliminate loops in a physical link-redundant network by selectively blocking
redundant links and putting them in a standby state.
The recent versions of STP include the Rapid Spanning Tree Protocol (RSTP), the Per-VLAN
Spanning Tree (PVST), and the Multiple Spanning Tree Protocol (MSTP).

STP
STP was developed based on the 802.1d standard of IEEE to eliminate loops at the data link layer in
a LAN. Networks often have redundant links as backups in case of failures, but loops are a very
serious problem. Devices running STP detect loops in the network by exchanging information with
one another. They eliminate loops by selectively blocking certain ports to prune the loop structure
into a loop-free tree structure. This avoids proliferation and infinite cycling of packets that would
occur in a loop network.
In a narrow sense, STP refers to IEEE 802.1d STP. In a broad sense, STP refers to the IEEE 802.1d
STP and various enhanced spanning tree protocols derived from that protocol.

STP protocol packets

STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its protocol
packets. This chapter uses BPDUs to represent all types of spanning tree protocol packets.
STP-enabled network devices exchange BPDUs to establish a spanning tree. BPDUs contain
sufficient information for the network devices to complete spanning tree calculation.
STP uses the following types of BPDUs:
• Configuration BPDUs—Used by the network devices to calculate a spanning tree and
maintain the spanning tree topology.
• Topology change notification (TCN) BPDUs—Notify network devices of network topology
changes.
Configuration BPDUs contain sufficient information for the network devices to complete spanning
tree calculation. Important fields in a configuration BPDU include the following:
• Root bridge ID—Consisting of the priority and MAC address of the root bridge.
• Root path cost—Cost of the path to the root bridge denoted by the root identifier from the
transmitting bridge.
• Designated bridge ID—Consisting of the priority and MAC address of the designated bridge.
• Designated port ID—Consisting of the priority and global port number of the designated port.
• Message age—Age of the configuration BPDU while it propagates in the network.
• Max age—Maximum age of the configuration BPDU stored on the switch.
• Hello time—Configuration BPDU transmission interval.
• Forward delay—Delay that STP bridges use to transit port state.

Basic concepts in STP

Root bridge
A tree network must have a root bridge. The entire network contains only one root bridge, and all the
other bridges in the network are called leaf nodes. The root bridge is not permanent, but can change
with changes of the network topology.

80
 Upon initialization of a network, each device generates and periodically sends configuration BPDUs,
with itself as the root bridge. After network convergence, only the root bridge generates and
periodically sends configuration BPDUs. The other devices only forward the BPDUs.
Root port
On a non-root bridge, the port nearest to the root bridge is the root port. The root port communicates
with the root bridge. Each non-root bridge has only one root port. The root bridge has no root port.
Designated bridge and designated port

Classification Designated bridge Designated port

Device directly connected with the local
Port through which the designated
For a device device and responsible for forwarding
bridge forwards BPDUs to this device
BPDUs to the local device
Port through which the designated
Device responsible for forwarding BPDUs to
For a LAN bridge forwards BPDUs to this LAN
this LAN segment
segment

As shown in Figure 20, Device B and Device C are directly connected to a LAN.
If Device A forwards BPDUs to Device B through port A1, the designated bridge and designated port
are as follows:
• The designated bridge for Device B is Device A.
• The designated port of Device B is port A1 on Device A.
If Device B forwards BPDUs to the LAN, the designated bridge and designated port are as follows:
• The designated bridge for the LAN is Device B.
• The designated port for the LAN is port B2 on Device B.
Figure 20 Designated bridges and designated ports
Device A

Port A1 Port A2

Device B Device C
Port B1 Port C1

Port B2 Port C2

LAN

Path cost
Path cost is a reference value used for link selection in STP. To prune the network into a loop-free
tree, STP calculates path costs to select the most robust links and block redundant links that are less
robust.

Calculation process of the STP algorithm

The spanning tree calculation process described in the following sections is an example of a
simplified process.

81
Calculation process
The STP algorithm uses the following calculation process:
1. Initialize the network.
Upon initialization of a device, each port generates a BPDU with the following contents:
{ The port as the designated port.
{ The device as the root bridge.
{ 0 as the root path cost.
{ The device ID as the designated bridge ID.
2. Select the root bridge.
Initially, each STP-enabled device on the network assumes itself to be the root bridge, with its
own device ID as the root bridge ID. By exchanging configuration BPDUs, the devices compare
their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge.
3. Root port and designated ports selection on the non-root bridges.

Step Description
A non-root–bridge device regards the port on which it received the optimum configuration
1
BPDU as the root port. Table 5 describes how the optimum configuration BPDU is selected.

Based on the configuration BPDU and the path cost of the root port, the device calculates a
designated port configuration BPDU for each of the other ports.
• The root bridge ID is replaced with that of the configuration BPDU of the root port.
2 • The root path cost is replaced with that of the configuration BPDU of the root port plus the
path cost of the root port.
• The designated bridge ID is replaced with the ID of this device.
• The designated port ID is replaced with the ID of this port.
The device compares the calculated configuration BPDU with the configuration BPDU on the
port whose port role will be determined, and acts depending on the result of the comparison:
• If the calculated configuration BPDU is superior, the device performs the following tasks:
{ Considers this port as the designated port.
3 { Replaces the configuration BPDU on the port with the calculated configuration BPDU.
{ Periodically sends the calculated configuration BPDU.
• If the configuration BPDU on the port is superior, the device blocks this port without
updating its configuration BPDU. The blocked port can receive BPDUs, but cannot send
BPDUs or forward data traffic.

When the network topology is stable, only the root port and designated ports forward user traffic.
Other ports are all in the blocked state to receive BPDUs but not to forward BPDUs or user
traffic.
Table 5 Selecting the optimum configuration BPDU

Step Actions
Upon receiving a configuration BPDU on a port, the device compares the priority of the received
configuration BPDU with that of the configuration BPDU generated by the port.
• If the former priority is lower, the device discards the received configuration BPDU and
1
keeps the configuration BPDU the port generated.
• If the former priority is higher, the device replaces the content of the configuration BPDU
generated by the port with the content of the received configuration BPDU.
The device compares the configuration BPDUs of all the ports and chooses the optimum
2
configuration BPDU.

The following are the principles of configuration BPDU comparison:

a. The configuration BPDU with the lowest root bridge ID has the highest priority.

82
 b. If configuration BPDUs have the same root bridge ID, their root path costs are compared.
For example, the root path cost in a configuration BPDU plus the path cost of a receiving
port is S. The configuration BPDU with the smallest S value has the highest priority.
c. If all configuration BPDUs have the same root bridge ID and S value, the following attributes
are compared in sequence:
− Designated bridge IDs.
− Designated port IDs.
− IDs of the receiving ports.
The configuration BPDU that contains a smaller designated bridge ID, designated port ID, or
receiving port ID is selected.
A tree-shape topology forms when the root bridge, root ports, and designated ports are selected.
Example of STP calculation
Figure 21 provides an example showing how the STP algorithm works.
Figure 21 The STP algorithm
Device A
Priority = 0

Port A1 Port A2

Port B1 Port C1
Port B2 Port C2

Path cost = 4
Device B Device C
Priority = 1 Priority = 2

As shown in Figure 21, the priority values of Device A, Device B, and Device C are 0, 1, and 2,
respectively. The path costs of links among the three devices are 5, 10, and 4.
1. Device state initialization.
In Table 6, each configuration BPDU contains the following fields: root bridge ID, root path cost,
designated bridge ID, and designated port ID.
Table 6 Initial state of each device

Configuration BPDU on the

Device Port name
port
Port A1 {0, 0, 0, Port A1}
Device A
Port A2 {0, 0, 0, Port A2}
Port B1 {1, 0, 1, Port B1}
Device B
Port B2 {1, 0, 1, Port B2}
Port C1 {2, 0, 2, Port C1}
Device C
Port C2 {2, 0, 2, Port C2}

2. Configuration BPDUs comparison on each device.

83
 In Table 7, each configuration BPDU contains the following fields: root bridge ID, root path cost,
designated bridge ID, and designated port ID.
Table 7 Comparison process and result on each device

Configuration BPDU on
Device Comparison process
ports after comparison
Port A1 performs the following tasks:
5. Receives the configuration BPDU of Port B1 {1, 0, 1, Port
B1}.
6. Determines that its existing configuration BPDU {0, 0, 0,
Port A1} is superior to the received configuration BPDU.
7. Discards the received one.
Port A2 performs the following tasks: • Port A1: {0, 0, 0, Port
8. Receives the configuration BPDU of Port C1 {2, 0, 2, Port A1}
Device A C1}. • Port A2: {0, 0, 0, Port
9. Determines that its existing configuration BPDU {0, 0, 0, A2}
Port A2} is superior to the received configuration BPDU.
10. Discards the received one.
Device A determines that it is both the root bridge and
designated bridge in the configuration BPDUs of all its ports. It
considers itself as the root bridge. It does not change the
configuration BPDU of any port and starts to periodically send
configuration BPDUs.
Port B1 performs the following tasks:
11. Receives the configuration BPDU of Port A1 {0, 0, 0, Port
A1}.
12. Determines that the received configuration BPDU is
superior to its existing configuration BPDU {1, 0, 1, Port
B1}. • Port B1: {0, 0, 0, Port
A1}
13. Updates its configuration BPDU.
• Port B2: {1, 0, 1, Port
Port B2 performs the following tasks: B2}
14. Receives the configuration BPDU of Port C2 {2, 0, 2, Port
C2}.
15. Determines that its existing configuration BPDU {1, 0, 1,
Port B2} is superior to the received configuration BPDU.
16. Discards the received BPDU.
Device B
Device B performs the following tasks:
17. Compares the configuration BPDUs of all its ports.
18. Decides that the configuration BPDU of Port B1 is the
optimum.
19. Selects Port B1 as the root port with the configuration
BPDU unchanged. • Root port (Port B1): {0,
0, 0, Port A1}
Based on the configuration BPDU and path cost of the root
port, Device B calculates a designated port configuration • Designated port (Port
BPDU for Port B2 {0, 5, 1, Port B2}. Device B compares it with B2): {0, 5, 1, Port B2}
the existing configuration BPDU of Port B2 {1, 0, 1, Port B2}.
Device B determines that the calculated one is superior, and
determines that Port B2 is the designated port. It replaces the
configuration BPDU on Port B2 with the calculated one, and
periodically sends the calculated configuration BPDU.
Port C1 performs the following tasks:
20. Receives the configuration BPDU of Port A2 {0, 0, 0, Port • Port C1: {0, 0, 0, Port
A2}. A2}
Device C
21. Determines that the received configuration BPDU is • Port C2: {1, 0, 1, Port
superior to its existing configuration BPDU {2, 0, 2, Port B2}
C1}.

84
 Configuration BPDU on
Device Comparison process
ports after comparison
22. Updates its configuration BPDU.
Port C2 performs the following tasks:
23. Receives the original configuration BPDU of Port B2 {1, 0,
1, Port B2}.
24. Determines that the received configuration BPDU is
superior to the existing configuration BPDU {2, 0, 2, Port
C2}.
25. Updates its configuration BPDU.
Device C performs the following tasks:
26. Compares the configuration BPDUs of all its ports.
27. Decides that the configuration BPDU of Port C1 is the
optimum.
28. Selects Port C1 as the root port with the configuration
BPDU unchanged. • Root port (Port C1): {0,
0, 0, Port A2}
Based on the configuration BPDU and path cost of the root
port, Device C calculates the configuration BPDU of Port C2 {0, • Designated port (Port
10, 2, Port C2}. Device C compares it with the existing C2): {0, 10, 2, Port C2}
configuration BPDU of Port C2 {1, 0, 1, Port B2}. Device C
determines that the calculated configuration BPDU is superior
to the existing one, selects Port C2 as the designated port, and
replaces the configuration BPDU of Port C2 with the calculated
one.
Port C2 performs the following tasks:
29. Receives the updated configuration BPDU of Port B2 {0,
5, 1, Port B2}.
30. Determines that the received configuration BPDU is
superior to its existing configuration BPDU {0, 10, 2, Port
C2}. • Port C1: {0, 0, 0, Port
A2}
31. Updates its configuration BPDU.
• Port C2: {0, 5, 1, Port
Port C1 performs the following tasks: B2}
32. Receives a periodic configuration BPDU {0, 0, 0, Port A2}
from Port A2.
33. Determines that it is the same as the existing
configuration BPDU.
34. Discards the received BPDU.
Device C determines that the root path cost of Port C1 (10)
(root path cost of the received configuration BPDU (0) plus
path cost of Port C1 (10)) is larger than that of Port C2 (9) (root
path cost of the received configuration BPDU (5) plus path cost
of Port C2 (4)). Device C determines that the configuration
BPDU of Port C2 is the optimum, and selects Port C2 as the
root port with the configuration BPDU unchanged.
Based on the configuration BPDU and path cost of the root
port, Device C performs the following tasks: • Blocked port (Port C1):
{0, 0, 0, Port A2}
35. Calculates a designated port configuration BPDU for Port
C1 {0, 9, 2, Port C1}. • Root port (Port C2): {0,
5, 1, Port B2}
36. Compares it with the existing configuration BPDU of Port
C1 {0, 0, 0, Port A2}.
37. Determines that the existing configuration BPDU is
superior to the calculated one and blocks Port C1 with the
configuration BPDU unchanged.
Port C1 does not forward data until a new event triggers a
spanning tree calculation process: for example, the link
between Device B and Device C is down.

85
 After the comparison processes described in Table 7, a spanning tree with Device A as the root
bridge is established, as shown in Figure 22.
Figure 22 The final calculated spanning tree

The configuration BPDU forwarding mechanism of STP

The configuration BPDUs of STP are forwarded according to these guidelines:
• Upon network initiation, every device regards itself as the root bridge and generates
configuration BPDUs with itself as the root. Then it sends the configuration BPDUs at a regular
hello interval.
• If the root port received a configuration BPDU superior to the configuration BPDU of the port,
the device performs the following tasks:
{ Increases the message age carried in the configuration BPDU.
{ Starts a timer to time the configuration BPDU.
{ Sends this configuration BPDU through the designated port.
• If a designated port receives a configuration BPDU with a lower priority than its configuration
BPDU, the port immediately responds with its configuration BPDU.
• If a path fails, the root port on this path no longer receives new configuration BPDUs and the old
configuration BPDUs will be discarded due to timeout. The device generates a configuration
BPDU with itself as the root and sends the BPDUs and TCN BPDUs. This triggers a new
spanning tree calculation process to establish a new path to restore the network connectivity.
However, the newly calculated configuration BPDU cannot be propagated throughout the network
immediately. As a result, the old root ports and designated ports that have not detected the topology
change continue forwarding data along the old path. If the new root ports and designated ports begin
to forward data as soon as they are elected, a temporary loop might occur.
STP timers
The most important timing parameters in STP calculation are forward delay, hello time, and max age.
• Forward delay
Forward delay is the delay time for port state transition.
A path failure can cause spanning tree recalculation to adapt the spanning tree structure to the
change. However, the resulting new configuration BPDU cannot propagate throughout the
network immediately. If the newly elected root ports and designated ports start to forward data
immediately, a temporary loop will likely occur.
The newly elected root ports or designated ports require twice the forward delay time before
they transit to the forwarding state. This allows the new configuration BPDU to propagate
throughout the network.
• Hello time
The device sends hello packets at the hello time interval to the neighboring devices to make
sure the paths are fault-free.

86
 • Max age
The device uses the max age to determine whether a stored configuration BPDU has expired
and discards it if the max age is exceeded.

RSTP
RSTP achieves rapid network convergence by allowing a newly elected root port or designated port
to enter the forwarding state much faster than STP.
A newly elected RSTP root port rapidly enters the forwarding state when the following conditions
exist:
• The old root port on the device has stopped forwarding data.
• The upstream designated port has started forwarding data.
A newly elected RSTP designated port rapidly enters the forwarding state if it is an edge port or it
connects to a point-to-point link.
• A port that directly connects to a user terminal can be configured as an edge port. Edge ports
directly enter the forwarding state.
• When a designated port connects to a point-to-point link, it enters the forwarding state
immediately after the device receives a handshake response from the directly connected
device.

PVST
In an STP- or RSTP-enabled LAN, all bridges share one spanning tree. Traffic from all VLANs is
forwarded along the spanning tree, and ports cannot be blocked on a per-VLAN basis to prune loops.
PVST allows every VLAN to have its own spanning tree, which increases utilization of links and
bandwidth. Because each VLAN runs STP or RSTP independently, a spanning tree only serves its
VLAN.
A PVST-enabled H3C device can communicate with a third-party device that is running Rapid PVST
or PVST. The PVST-enabled H3C device supports fast network convergence like RSTP when
connected to PVST-enabled H3C devices or third-party devices enabled with Rapid PVST.
A port's link type determines the type of BPDUs the port sends.
• An access port sends STP BPDUs.
• A trunk or hybrid port sends STP BPDUs in VLAN 1 and sends PVST BPDUs in other VLANs.

MSTP
MSTP overcomes the following STP, RSTP, and PVST limitations:
• STP limitations—STP does not support rapid state transition of ports. A newly elected port
must wait twice the forward delay time before it transits to the forwarding state.
• RSTP limitations—Although RSTP enables faster network convergence than STP, RSTP fails
to provide load balancing among VLANs. As with STP, all RSTP bridges in a LAN share one
spanning tree and forward packets from all VLANs along this spanning tree.
• PVST limitations—Because each VLAN has its spanning tree, the amount of PVST BPDUs is
proportional to the number of VLANs on a trunk or hybrid port. When the trunk or hybrid port
permits too many VLANs, both resources and calculations for maintaining the VLAN spanning
trees increase dramatically. If a status change occurs on the trunk or hybrid port that permits
multiple VLANs, the device CPU will be overburdened with recalculating the affected spanning
trees. As a result, network performance is degraded.

87
MSTP features
Developed based on IEEE 802.1s, MSTP overcomes the limitations of STP, RSTP, and PVST. In
addition to supporting rapid network convergence, it allows data flows of different VLANs to be
forwarded along separate paths. This provides a better load sharing mechanism for redundant links.
MSTP provides the following features:
• MSTP divides a switched network into multiple regions, each of which contains multiple
spanning trees that are independent of one another.
• MSTP supports mapping VLANs to spanning tree instances by means of a VLAN-to-instance
mapping table. MSTP can reduce communication overheads and resource usage by mapping
multiple VLANs to one instance.
• MSTP prunes a loop network into a loop-free tree, which avoids proliferation and endless
cycling of packets in a loop network. In addition, it supports load balancing of VLAN data by
providing multiple redundant paths for data forwarding.
• MSTP is compatible with STP and RSTP, and partially compatible with PVST.

MSTP basic concepts

Figure 23 shows a switched network that comprises four MST regions, each MST region comprising
four MSTP devices. Figure 24 shows the networking topology of MST region 3.
Figure 23 Basic concepts in MSTP
VLAN 1 MSTI 1 VLAN 1 MSTI 1
VLAN 2 MSTI 2 VLAN 2 MSTI 2
Other VLANs MSTI 0 Other VLANs MSTI 0

MST region 1 MST region 4

MST region 2 MST region 3

VLAN 1 MSTI 1 VLAN 1 MSTI 1

VLAN 2 MSTI 2 CST VLAN 2&3 MSTI 2
Other VLANs MSTI 0 Other VLANs MSTI 0

88
 Figure 24 Network diagram and topology of MST region 3

To MST region 2

MST region
A multiple spanning tree region (MST region) consists of multiple devices in a switched network and
the network segments among them. All these devices have the following characteristics:
• A spanning tree protocol enabled
• Same region name
• Same VLAN-to-instance mapping configuration
• Same MSTP revision level
• Physically linked together
Multiple MST regions can exist in a switched network. You can assign multiple devices to the same
MST region as shown in Figure 23.
• The switched network comprises four MST regions, MST region 1 through MST region 4.
• All devices in each MST region have the same MST region configuration.
MSTI
MSTP can generate multiple independent spanning trees in an MST region, and each spanning tree
is mapped to the specific VLANs. Each spanning tree is referred to as a multiple spanning tree
instance (MSTI).
In Figure 24, MST region 3 comprises three MSTIs, MSTI 1, MSTI 2, and MSTI 0.
VLAN-to-instance mapping table
As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping
relationships between VLANs and MSTIs.
In Figure 24, the VLAN-to-instance mapping table of MST region 3 is as follows:
• VLAN 1 to MSTI 1.
• VLAN 2 and VLAN 3 to MSTI 2.
• Other VLANs to MSTI 0.
MSTP achieves load balancing by means of the VLAN-to-instance mapping table.
CST
The common spanning tree (CST) is a single spanning tree that connects all MST regions in a
switched network. If you regard each MST region as a device, the CST is a spanning tree calculated
by these devices through STP or RSTP.

89
 The blue lines in Figure 23 represent the CST.
IST
An internal spanning tree (IST) is a spanning tree that runs in an MST region. It is also called MSTI 0,
a special MSTI to which all VLANs are mapped by default.
In Figure 23, MSTI 0 is the IST in MST region 3.
CIST
The common and internal spanning tree (CIST) is a single spanning tree that connects all devices in
a switched network. It consists of the ISTs in all MST regions and the CST.
In Figure 23, the ISTs (MSTI 0) in all MST regions plus the inter-region CST constitute the CIST of the
entire network.
Regional root
The root bridge of the IST or an MSTI within an MST region is the regional root of the IST or MSTI.
Based on the topology, different spanning trees in an MST region might have different regional roots,
as shown in MST region 3 in Figure 24:
• The regional root of MSTI 1 is Device B.
• The regional root of MSTI 2 is Device C.
• The regional root of MSTI 0 (also known as the IST) is Device A.
Common root bridge
The common root bridge is the root bridge of the CIST.
In Figure 23, the common root bridge is a device in MST region 1.
Port roles
A port can play different roles in different MSTIs. As shown in Figure 25, an MST region comprises
Device A, Device B, Device C, and Device D. Port A1 and port A2 of Device A connect to the
common root bridge. Port B2 and Port B3 of Device B form a loop. Port C3 and Port C4 of Device C
connect to other MST regions. Port D3 of Device D directly connects to a host.
Figure 25 Port roles

90
 MSTP calculation involves the following port roles:
• Root port—Forwards data for a non-root bridge to the root bridge. The root bridge does not
have any root port.
• Designated port—Forwards data to the downstream network segment or device.
• Alternate port—Acts as the backup port for a root port or master port. When the root port or
master port is blocked, the alternate port takes over.
• Backup port—Acts as the backup port of a designated port. When the designated port is
invalid, the backup port becomes the new designated port. A loop occurs when two ports of the
same spanning tree device are connected, so the device blocks one of the ports. The blocked
port acts as the backup.
• Edge port—Does not connect to any network device or network segment, but directly connects
to a user host.
• Master port—Acts as a port on the shortest path from the local MST region to the common root
bridge. The master port is not always located on the regional root. It is a root port on the IST or
CIST and still a master port on the other MSTIs.
• Boundary port—Connects an MST region to another MST region or to an STP/RSTP-running
device. In MSTP calculation, a boundary port's role on an MSTI is consistent with its role on the
CIST. However, that is not true with master ports. A master port on MSTIs is a root port on the
CIST.
Port states
In MSTP, a port can be in one of the following states:
• Forwarding—The port receives and sends BPDUs, learns MAC addresses, and forwards user
traffic.
• Learning—The port receives and sends BPDUs, learns MAC addresses, but does not forward
user traffic. Learning is an intermediate port state.
• Discarding—The port receives and sends BPDUs, but does not learn MAC addresses or
forward user traffic.

NOTE:
When in different MSTIs, a port can be in different states.

A port state is not exclusively associated with a port role. Table 8 lists the port states that each port
role supports. (A check mark [√] indicates that the port supports this state, while a dash [—] indicates
that the port does not support this state.)
Table 8 Port states that different port roles support

Port role (right) Root

Designated
port/master Alternate port Backup port
Port state (below) port
port
Forwarding √ √ — —
Learning √ √ — —
Discarding √ √ √ √

How MSTP works

MSTP divides an entire Layer 2 network into multiple MST regions, which are connected by a
calculated CST. Inside an MST region, multiple spanning trees, called MSTIs, are calculated. Among
these MSTIs, MSTI 0 is the IST.

91
 Like STP, MSTP uses configuration BPDUs to calculate spanning trees. An important difference is
that an MSTP BPDU carries the MSTP configuration of the bridge from which the BPDU is sent.
CIST calculation
During the CIST calculation, the following process takes place:
• The device with the highest priority is elected as the root bridge of the CIST.
• MSTP generates an IST within each MST region through calculation.
• MSTP regards each MST region as a single device and generates a CST among these MST
regions through calculation.
The CST and ISTs constitute the CIST of the entire network.
MSTI calculation
Within an MST region, MSTP generates different MSTIs for different VLANs based on the
VLAN-to-instance mappings. For each spanning tree, MSTP performs a separate calculation
process similar to spanning tree calculation in STP. For more information, see "Calculation process
of the STP algorithm."
In MSTP, a VLAN packet is forwarded along the following paths:
• Within an MST region, the packet is forwarded along the corresponding MSTI.
• Between two MST regions, the packet is forwarded along the CST.

MSTP implementation on devices

MSTP is compatible with STP and RSTP. Devices that are running MSTP and that are used for
spanning tree calculation can identify STP and RSTP protocol packets.
In addition to basic MSTP functions, the following functions are provided for ease of management:
• Root bridge hold
• Root bridge backup
• Root guard
• BPDU guard
• Loop guard
• TC-BPDU guard
• Port role restriction
• TC-BPDU transmission restriction

Protocols and standards

MSTP is documented in the following protocols and standards:
• IEEE 802.1d, Media Access Control (MAC) Bridges
• IEEE 802.1w, Part 3: Media Access Control (MAC) Bridges—Amendment 2: Rapid
Reconfiguration
• IEEE 802.1s, Virtual Bridged Local Area Networks—Amendment 3: Multiple Spanning Trees
• IEEE 802.1Q-REV/D1.3, Media Access Control (MAC) Bridges and Virtual Bridged Local Area
Networks —Clause 13: Spanning tree Protocols

Spanning tree configuration task lists

Before configuring a spanning tree, complete the following tasks:

92
 • Determine the spanning tree protocol to be used (STP, RSTP, PVST, or MSTP).
• Plan the device roles (the root bridge or leaf node).
When you configure spanning tree protocols, follow these restrictions and guidelines:
• If both MVRP and a spanning tree protocol are enabled on a device, MVRP packets are
forwarded along MSTIs. To advertise a specific VLAN within the network through MVRP, make
sure this VLAN is mapped to an MSTI when you configure the VLAN-to-instance mapping table.
For more information about MVRP, see "Configuring MVRP."
• To connect a spanning tree network to a TRILL network, make sure the following requirements
are met:
{ The spanning tree protocol is disabled on the TRILL network.
{ An edge port is used to connect the spanning tree network to the TRILL network. The edge
port can quickly transit to the forwarding state. This prevents network topology changes
from influencing the TRILL network.
For more information about TRILL, see TRILL Configuration Guide.
• The spanning tree configurations are mutually exclusive with service loopback and Smart Link.
• Configurations made in system view take effect globally. Configurations made in Ethernet
interface view or WLAN mesh interface view take effect on the interface only. Configurations
made in Layer 2 aggregate interface view take effect only on the aggregate interface.
Configurations made on an aggregation member port can take effect only after the port is
removed from the aggregation group.
• After you enable a spanning tree protocol on a Layer 2 aggregate interface, the system
performs spanning tree calculation on the Layer 2 aggregate interface. It does not perform
spanning tree calculation on the aggregation member ports. The spanning tree protocol enable
state and forwarding state of each selected member port is consistent with those of the
corresponding Layer 2 aggregate interface.
• The member ports of an aggregation group do not participate in spanning tree calculation.
However, the ports still reserve their spanning tree configurations for participating in spanning
tree calculation after leaving the aggregation group.

STP configuration task list

Tasks at a glance
Configuring the root bridge:
• (Required.) Setting the spanning tree mode
• (Optional.) Configuring the root bridge or a secondary root bridge
• (Optional.) Configuring the device priority
• (Optional.) Configuring the network diameter of a switched network
• (Optional.) Configuring spanning tree timers
• (Optional.) Configuring the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
Configuring the leaf nodes:
• (Required.) Setting the spanning tree mode
• (Optional.) Configuring the device priority
• (Optional.) Configuring the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring path costs of ports
• (Optional.) Configuring the port priority
• (Optional.) Enabling outputting port state transition information

93
 Tasks at a glance
• (Required.) Enabling the spanning tree feature
(Optional.) Configuring TC Snooping
(Optional.) Configuring protection functions
(Optional.) Disabling the device to reactivate the shutdown edge ports
(Optional.) Enabling SNMP notifications for new-root election and topology change events

RSTP configuration task list

Tasks at a glance
Configuring the root bridge:
• (Required.) Setting the spanning tree mode
• (Optional.) Configuring the root bridge or a secondary root bridge
• (Optional.) Configuring the device priority
• (Optional.) Configuring the network diameter of a switched network
• (Optional.) Configuring spanning tree timers
• (Optional.) Configuring the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring the port link type
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
Configuring the leaf nodes:
• (Required.) Setting the spanning tree mode
• (Optional.) Configuring the device priority
• (Optional.) Configuring the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring path costs of ports
• (Optional.) Configuring the port priority
• (Optional.) Configuring the port link type
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
(Optional.) Performing mCheck
(Optional.) Configuring TC Snooping
(Optional.) Configuring protection functions
(Optional.) Disabling the device to reactivate the shutdown edge ports
(Optional.) Enabling SNMP notifications for new-root election and topology change events

PVST configuration task list

Tasks at a glance
Configuring the root bridge:
• (Required.) Setting the spanning tree mode

94
 Tasks at a glance
• (Optional.) Configuring the root bridge or a secondary root bridge
• (Optional.) Configuring the device priority
• (Optional.) Configuring the network diameter of a switched network
• (Optional.) Configuring spanning tree timers
• (Optional.) Configuring the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring the port link type
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
Configuring the leaf nodes:
• (Required.) Setting the spanning tree mode
• (Optional.) Configuring the device priority
• (Optional.) Configuring the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring path costs of ports
• (Optional.) Configuring the port priority
• (Optional.) Configuring the port link type
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
(Optional.) Performing mCheck
(Optional.) Configuring protection functions
(Optional.) Disabling the device to reactivate the shutdown edge ports
(Optional.) Enabling SNMP notifications for new-root election and topology change events

MSTP configuration task list

Tasks at a glance
Configuring the root bridge:
• (Required.) Setting the spanning tree mode
• (Required.) Configuring an MST region
• (Optional.) Configuring the root bridge or a secondary root bridge
• (Optional.) Configuring the device priority
• (Optional.) Configuring the maximum hops of an MST region
• (Optional.) Configuring the network diameter of a switched network
• (Optional.) Configuring spanning tree timers
• (Optional.) Configuring the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring the port link type
• (Optional.) Configuring the mode a port uses to recognize and send MSTP packets
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
Configuring the leaf nodes:
• (Required.) Setting the spanning tree mode
• (Required.) Configuring an MST region

95
 Tasks at a glance
• (Optional.) Configuring the device priority
• (Optional.) Configuring the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring path costs of ports
• (Optional.) Configuring the port priority
• (Optional.) Configuring the port link type
• (Optional.) Configuring the mode a port uses to recognize and send MSTP packets
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
(Optional.) Performing mCheck
(Optional.) Configuring Digest Snooping
(Optional.) Configuring No Agreement Check
(Optional.) Configuring TC Snooping
(Optional.) Configuring protection functions
(Optional.) Disabling the device to reactivate the shutdown edge ports
(Optional.) Enabling SNMP notifications for new-root election and topology change events

Setting the spanning tree mode

The spanning tree modes include:
• STP mode—All ports of the device send STP BPDUs. Select this mode when the peer device
of a port supports only STP.
• RSTP mode—All ports of the device send RSTP BPDUs. A port in this mode automatically
transits to the STP mode when it receives STP BPDUs from the peer device. A port in this mode
does not transit to the MSTP mode when it receives MSTP BPDUs from the peer device.
• MSTP mode—All ports of the device send MSTP BPDUs. A port in this mode automatically
transits to the STP mode when receiving STP BPDUs from the peer device. A port in this mode
does not transit to the RSTP mode when receiving RSTP BPDUs from the peer device.
• PVST mode—All ports of the device send PVST BPDUs. Each VLAN maintains a spanning
tree. In a network, the amount of spanning trees maintained by all devices equals the number of
PVST-enabled VLANs multiplied by the number of PVST-enabled ports. If the amount of
spanning trees exceeds the capacity of the network, device CPUs will be overloaded. Packet
forwarding is interrupted, and the network becomes unstable. The number of spanning trees
that a device can maintain is 144.
The MSTP mode is compatible with the RSTP mode, and the RSTP mode is compatible with the STP
mode.
Compatibility of the PVST mode depends on the link type of a port.
• On an access port, the PVST mode is compatible with other spanning tree modes in all VLANs.
• On a trunk port or hybrid port, the PVST mode is compatible with other spanning tree modes
only in VLAN 1.
To set the spanning tree mode:

Step Command Remarks

1. Enter system view. system-view N/A

96
 Step Command Remarks

Set the spanning tree mode. The default setting is the

2. stp mode { mstp |pvst | rstp | stp }
MSTP mode.

Configuring an MST region

Spanning tree devices belong to the same MST region if they are both connected through a physical
link and configured with the following details:
• Format selector (0 by default, not configurable).
• MST region name.
• MST region revision level.
• VLAN-to-instance mapping entries in the MST region.
The configuration of MST region-related parameters (especially the VLAN-to-instance mapping table)
might cause MSTP to begin a new spanning tree calculation. To reduce the possibility of topology
instability, the MST region configuration takes effect only after you activate it by doing one of the
following:
• Use the active region-configuration command.
• Enable a spanning tree protocol by using the stp global enable command if the spanning tree
protocol is disabled.
In STP, RSTP, or PVST mode, MST region configurations do not take effect.
To configure an MST region:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter MST region view. stp region-configuration N/A
3. Configure the MST region The default setting is the MAC
name. region-name name
address.
• instance instance-id vlan Use one of the commands.
4. Configure the vlan-id-list
VLAN-to-instance mapping By default, all VLANs in an MST
table. • vlan-mapping modulo region are mapped to the CIST (or
modulo MSTI 0).
5. Configure the MSTP revision
level of the MST region. revision-level level The default setting is 0.

6. (Optional.) Display the MST

region configurations that are check region-configuration N/A
not activated yet.
7. Manually activate MST
region configuration. active region-configuration N/A

Configuring the root bridge or a secondary root

bridge
You can have the spanning tree protocol determine the root bridge of a spanning tree through
calculation. You can also specify the current device as the root bridge or as a secondary root bridge.

97
 A device has independent roles in different spanning trees. It can act as the root bridge in one
spanning tree and as a secondary root bridge in another. However, one device cannot be the root
bridge and a secondary root bridge in the same spanning tree.
A spanning tree can have only one root bridge. If multiple devices can be selected as the root bridge
in a spanning tree, the device with the lowest MAC address is chosen.
When the root bridge of an instance fails or is shut down and no new root bridge is specified, the
following events occur:
• If you specify only one secondary root bridge for the instance, it becomes the root bridge.
• If you specify multiple secondary root bridges for the instance, the secondary root bridge with
the lowest MAC address is given priority.
• If you do not specify a secondary root bridge, a new root bridge is calculated.
You can specify one root bridge for each spanning tree, regardless of the device priority settings.
Once you specify a device as the root bridge or a secondary root bridge, you cannot change its
priority.
You can configure the current device as the root bridge by setting the device priority to 0. For the
device priority configuration, see "Configuring the device priority."

Configuring the current device as the root bridge of a specific

spanning tree
Step Command Remarks
1. Enter system view. system-view N/A
• In STP/RSTP mode:
stp root primary
2. Configure the current • In PVST mode:
device as the root stp vlan vlan-id-list root primary By default, a device does not
bridge. function as the root bridge.
• In MSTP mode:
stp [ instance instance-list ] root
primary

Configuring the current device as a secondary root bridge of

a specific spanning tree
Step Command Remarks
1. Enter system view. system-view N/A
• In STP/RSTP mode:
stp root secondary
2. Configure the current • In PVST mode: By default, a device does not
device as a secondary root stp vlan vlan-id-list root secondary function as a secondary root
bridge. • In MSTP mode: bridge.
stp [ instance instance-list ] root
secondary

98
Configuring the device priority
Device priority is a factor in calculating the spanning tree. The priority of a device determines
whether the device can be elected as the root bridge of a spanning tree. A lower value indicates a
higher priority. You can set the priority of a device to a low value to specify the device as the root
bridge of the spanning tree. A spanning tree device can have different priorities in different spanning
trees.
During root bridge selection, if all devices in a spanning tree have the same priority, the one with the
lowest MAC address is selected. You cannot change the priority of a device after it is configured as
the root bridge or as a secondary root bridge.
To configure the priority of a device in a specified MSTI:

Step Command Remarks

1. Enter system view. system-view N/A
• In STP/RSTP mode:
stp priority priority
• In PVST mode:
2. Configure the priority of
the current device.
stp vlan vlan-id-list priority priority The default setting is 32768.
• In MSTP mode:
stp [ instance instance-list ] priority
priority

Configuring the maximum hops of an MST region

Restrict the region size by setting the maximum hops of an MST region. The hop limit configured on
the regional root bridge is used as the hop limit for the MST region.
Configuration BPDUs sent by the regional root bridge always have a hop count set to the maximum
value. When a device receives this configuration BPDU, it decrements the hop count by one, and
uses the new hop count in the BPDUs that it propagates. When the hop count of a BPDU reaches
zero, it is discarded by the device that received it. Devices beyond the reach of the maximum hops
can no longer participate in spanning tree calculations, so the size of the MST region is limited.
Make this configuration only on the root bridge. All other devices in the MST region use the maximum
hop value set for the root bridge.
You can configure the maximum hops of an MST region based on the STP network size. As a best
practice, configure the maximum hops to a value that is greater than the maximum hops of each
edge device to the root bridge.
To configure the maximum number of hops of an MST region:

Step Command Remarks

1. Enter system view. system-view N/A
2. Configure the maximum
hops of the MST region. stp max-hops hops The default setting is 20.

99
Configuring the network diameter of a switched
network
Any two terminal devices in a switched network can reach each other through a specific path, and
there are a series of devices on the path. The switched network diameter is the maximum number of
devices on the path for an edge device to reach another one in the switched network through the root
bridge. The network diameter indicates the network size. The bigger the diameter, the larger the
network size.
Based on the network diameter you configured, the system automatically sets an optimal hello time,
forward delay, and max age for the device.
In STP, RSTP, or MSTP mode, each MST region is considered a device. The configured network
diameter takes effect only on the CIST (or the common root bridge) but not on other MSTIs.
In PVST mode, the configured network diameter takes effect only on the root bridges of the specified
VLANs.
To configure the network diameter of a switched network:

Step Command Remarks

1. Enter system view. system-view N/A
• In STP/RSTP/MSTP mode:
2. Configure the network stp bridge-diameter diameter
diameter of the switched • In PVST mode: The default setting is 7.
network. stp vlan vlan-id-list bridge-diameter
diameter

Configuring spanning tree timers

The following timers are used for spanning tree calculation:
• Forward delay—Delay time for port state transition. To prevent temporary loops on a network,
the spanning tree feature sets an intermediate port state (the learning state) before it transits
from the discarding state to the forwarding state. The feature also requires that the port transit
its state after a forward delay timer to make sure the state transition of the local port stays
synchronized with the peer.
• Hello time—Interval at which the device sends configuration BPDUs to detect link failures. If
the device receives no configuration BPDUs within the timeout period, it recalculates the
spanning tree. The formula for calculating the timeout period is timeout period = timeout factor ×
3 × hello time.
• Max age—In the CIST of an MSTP network, the device uses the max age timer to determine if
a configuration BPDU received by a port has expired. If it has, a new spanning tree calculation
process starts. The max age timer does not take effect on other MSTIs except the CIST.
To ensure a fast topology convergence, make sure the timer settings meet the following formulas:
• 2 × (forward delay – 1 second) ≥ max age
• Max age ≥ 2 × (hello time + 1 second)
Do not manually set the spanning tree timers. As a best practice, specify the network diameter for the
spanning tree protocols to automatically calculate the timers based on the network diameter. If the
network diameter uses the default value, the timers also use their default values.
Configure the timers only on the root bridge. The timer settings on the root bridge apply to all devices
on the entire switched network.

100
Configuration restrictions and guidelines
• The length of the forward delay timer is related to the network diameter of the switched network.
The larger the network diameter is, the longer the forward delay time should be. If the forward
delay timer is too short, temporary redundant paths might occur. If the forward delay timer is too
long, network convergence might take a long time. As a best practice, use the automatically
calculated value.
• An appropriate hello time setting enables the device to promptly detect link failures on the
network without using excessive network resources. If the hello time is too long, the device
mistakes packet loss for a link failure and triggers a new spanning tree calculation process. If
the hello time is too short, the device frequently sends the same configuration BPDUs, which
wastes device and network resources. As a best practice, use the automatically calculated
value.
• If the max age timer is too short, the device frequently begins spanning tree calculations and
might mistake network congestion as a link failure. If the max age timer is too long, the device
might fail to promptly detect link failures and quickly launch spanning tree calculations, reducing
the auto-sensing capability of the network. As a best practice, use the automatically calculated
value.

Configuration procedure
To configure the spanning tree timers:

Step Command Remarks

1. Enter system view. system-view N/A
• In STP/RSTP/MSTP mode:
stp timer forward-delay time
2. Configure the forward
delay timer. • In PVST mode: The default setting is 15 seconds.
stp vlan vlan-id-list timer
forward-delay time
• In STP/RSTP/MSTP mode:
stp timer hello time
3. Configure the hello
timer. • In PVST mode: The default setting is 2 seconds.
stp vlan vlan-id-list timer hello
time
• In STP/RSTP/MSTP mode:
stp timer max-age time
4. Configure the max age
timer. • In PVST mode: The default setting is 20 seconds.
stp vlan vlan-id-list timer
max-age time

Configuring the timeout factor

The timeout factor is a parameter used to decide the timeout period. The formula for calculating the
timeout period is: timeout period = timeout factor × 3 × hello time.
In a stable network, each non-root-bridge device forwards configuration BPDUs to the downstream
devices at the hello time interval to detect link failures. If a device does not receive a BPDU from the
upstream device within nine times the hello time, it assumes that the upstream device has failed.
Then, it starts a new spanning tree calculation process.
A device might fail to receive a BPDU from the upstream device because the upstream device is
busy. If a spanning tree calculation occurs, the calculation can fail and also waste network resources.

101
 On a stable network, you can prevent undesired spanning tree calculations by setting the timeout
factor to 5, 6, or 7.
To configure the timeout factor:

Step Command Remarks

1. Enter system view. system-view N/A
2. Configure the timeout factor
of the device. stp timer-factor factor The default setting is 3.

Configuring the BPDU transmission rate

The maximum number of BPDUs a port can send within each hello time equals the BPDU
transmission rate plus the hello timer value. Configure an appropriate BPDU transmission rate based
on the physical status of the port and the network structure.
The higher the BPDU transmission rate, the more BPDUs are sent within each hello time, and the
more system resources are used. By setting an appropriate BPDU transmission rate, you can limit
the rate at which the port sends BPDUs. Setting an appropriate rate also prevents spanning tree
protocols from using excessive network resources when the network topology changes. As a best
practice, use the default setting.
To configure the BPDU transmission rate:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet or interface interface-type
aggregate interface view. N/A
interface-number
3. Configure the BPDU
transmission rate of the stp transmit-limit limit The default setting is 10.
ports.

Configuring edge ports

If a port directly connects to a user terminal rather than another device or a shared LAN segment,
this port is regarded as an edge port. When network topology change occurs, an edge port will not
cause a temporary loop. Because a device does not determine whether a port is directly connected
to a terminal, you must manually configure the port as an edge port. After that, the port can rapidly
transit from the blocked state to the forwarding state.

Configuration restrictions and guidelines

• If BPDU guard is disabled on a port set as an edge port, the port becomes a non-edge port
again if it receives a BPDU from another port. To restore the edge port, re-enable it.
• If a port directly connects to a user terminal, configure it as an edge port and enable BPDU
guard for it. This enables the port to quickly transit to the forwarding state when ensuring
network security.
• On a port, the loop guard function and the edge port setting are mutually exclusive.

102
Configuration procedure
To configure a port as an edge port:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet or interface interface-type
aggregate interface view. N/A
interface-number
3. Configure the current ports By default, all ports are
as edge ports. stp edged-port
non-edge ports.

Configuring path costs of ports

Path cost is a parameter related to the rate of a port. On a spanning tree device, a port can have
different path costs in different MSTIs. Setting appropriate path costs allows VLAN traffic flows to be
forwarded along different physical links, achieving VLAN-based load balancing.
You can have the device automatically calculate the default path cost, or you can configure the path
cost for ports.

Specifying a standard for the device to use when it calculates

the default path cost
CAUTION:
If you change the standard that the device uses to calculate the default path costs, you restore the
path costs to the default.

You can specify a standard for the device to use in automatic calculation for the default path cost.
The device supports the following standards:
• dot1d-1998—The device calculates the default path cost for ports based on IEEE 802.1d-1998.
• dot1t—The device calculates the default path cost for ports based on IEEE 802.1t.
• legacy—The device calculates the default path cost for ports based on a private standard.
When you specify a standard for the device to use when it calculates the default path cost, follow
these guidelines:
• When it calculates the path cost for an aggregate interface, IEEE 802.1t takes into account the
number of Selected ports in its aggregation group. However, IEEE 802.1d-1998 does not take
into account the number of Selected ports. The calculation formula of IEEE 802.1t is: Path cost
= 200,000,000/link speed (in 100 kbps), where link speed is the sum of the link speed values of
the Selected ports in the aggregation group.
• IEEE 802.1d-1998 or the private standard always assigns the smallest possible value to a
single port or an aggregate interface when the link speed of the port or interface exceeds 10
Gbps. The forwarding path selected based on this criterion might not be the best one. To solve
this problem, perform one of the following tasks:
{ Use dot1t as the standard for default path cost calculation.
{ Manually set the path cost for the port (see "Configuring path costs of ports").
To specify a standard for the device to use when it calculates the default path cost:

103
 Step Command Remarks
1. Enter system view. system-view N/A
2. Specify a standard for the
device to use when it stp pathcost-standard
calculates the default path The default setting is legacy.
{ dot1d-1998 | dot1t | legacy }
costs of its ports.

Table 9 Mappings between the link speed and the path cost

Path cost
Link speed Port type IEEE Private
IEEE 802.1t
802.1d-1998 standard
0 N/A 65535 200000000 200000
Single port 2000000 2000
Aggregate interface
containing two Selected 1000000 1800
ports

10 Mbps Aggregate interface 100

containing three Selected 666666 1600
ports
Aggregate interface
containing four Selected 500000 1400
ports
Single port 200000 200
Aggregate interface
containing two Selected 100000 180
ports

100 Mbps Aggregate interface 19

containing three Selected 66666 160
ports
Aggregate interface
containing four Selected 50000 140
ports
Single port 20000 20
Aggregate interface
containing two Selected 10000 18
ports

1000 Mbps Aggregate interface 4

containing three Selected 6666 16
ports
Aggregate interface
containing four Selected 5000 14
ports
Single port 2000 2
Aggregate interface
containing two Selected 1000 1
10 Gbps ports 2
Aggregate interface
containing three Selected 666 1
ports

104
 Path cost
Link speed Port type IEEE Private
IEEE 802.1t
802.1d-1998 standard
Aggregate interface
containing four Selected 500 1
ports
Single port 1000 1
Aggregate interface
containing two Selected 500 1
ports

20 Gbps Aggregate interface 1

containing three Selected 333 1
ports
Aggregate interface
containing four Selected 250 1
ports
Single port 500 1
Aggregate interface
containing two Selected 250 1
ports

40 Gbps Aggregate interface 1

containing three Selected 166 1
ports
Aggregate interface
containing four Selected 125 1
ports
Single port 200 1
Aggregate interface
containing two Selected 100 1
ports

100 Gbps Aggregate interface 1

containing three Selected 66 1
ports
Aggregate interface
containing four Selected 50 1
ports

Configuring path costs of ports

When the path cost of a port changes, the system recalculates the role of the port and initiates a
state transition.
To configure the path cost of a port:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet or interface interface-type
aggregate interface view. N/A
interface-number

3. Configure the path cost of • In STP/RSTP mode: By default, the system

105
 Step Command Remarks
the ports. stp cost cost automatically calculates
• In PVST mode: the path cost of each port.
stp vlan vlan-id-list cost cost
• In MSTP mode:
stp [ instance instance-list ] cost
cost

Configuration example
# In MSTP mode, perform the following tasks:
• Configure the device to calculate the default path costs of its ports by using IEEE 802.1d-1998.
• Set the path cost of Ten-GigabitEthernet 1/0/3 to 200 on MSTI 2.
<Sysname> system-view
[Sysname] stp pathcost-standard dot1d-1998
Cost of every port will be reset and automatically re-calculated after you change the
current pathcost standard. Continue?[Y/N]:y
Cost of every port has been re-calculated.
[Sysname] interface ten-gigabitethernet 1/0/3
[Sysname-Ten-GigabitEthernet1/0/3] stp instance 2 cost 200

# In PVST mode, perform the following tasks:

• Configure the device to calculate the default path costs of its ports by using IEEE 802.1d-1998.
• Set the path cost of Ten-GigabitEthernet 1/0/3 to 2000 on VLAN 20 through VLAN 30.
<Sysname> system-view
[Sysname] stp pathcost-standard dot1d-1998
Cost of every port will be reset and automatically re-calculated after you change the
current pathcost standard. Continue?[Y/N]:y
Cost of every port has been re-calculated
[Sysname] interface ten-gigabitethernet 1/0/3
[Sysname-Ten-GigabitEthernet1/0/3] stp vlan 20 to 30 cost 2000

Configuring the port priority

The priority of a port is a factor that determines whether the port can be elected as the root port of a
device. If all other conditions are the same, the port with the highest priority is elected as the root
port.
On a spanning tree device, a port can have different priorities and play different roles in different
spanning trees. As a result, data of different VLANs can be propagated along different physical paths,
implementing per-VLAN load balancing. You can set port priority values based on the actual
networking requirements.
When the priority of a port changes, the system recalculates the port role and initiates a state
transition.
To configure the priority of a port:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet or interface interface-type interface-number N/A

106
 Step Command Remarks
aggregate interface view.
• In STP/RSTP mode:
stp port priority priority
• In PVST mode:
3. Configure the port priority.
stp vlan vlan-id-list port priority The default setting is 128
priority for all ports.
• In MSTP mode:
stp [ instance instance-list ] port
priority priority

Configuring the port link type

A point-to-point link directly connects two devices. If two root ports or designated ports are connected
over a point-to-point link, they can rapidly transit to the forwarding state after a proposal-agreement
handshake process.

Configuration restrictions and guidelines

• You can configure the link type as point-to-point for a Layer 2 aggregate interface or a port that
operates in full duplex mode. As a best practice, use the default setting for the device to
automatically detect the port link type.
• The stp point-to-point force-false or stp point-to-point force-true command configured on a
port in MSTP or PVST mode takes effect on all MSTIs or VLANs.
• If you configure a non-point-to-point link as a point-to-point link, a temporary loop might occur.

Configuration procedure
To configure the link type of a port:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet or interface interface-type
aggregate interface view. N/A
interface-number
By default, the link type is auto
Configure the port link type. stp point-to-point { auto |
3. where the port automatically
force-false | force-true }
detects the link type.

Configuring the mode a port uses to recognize

and send MSTP packets
A port can receive and send MSTP packets in the following formats:
• dot1s—802.1s-compliant standard format
• legacy—Compatible format
By default, the packet format recognition mode of a port is auto. The port automatically distinguishes
the two MSTP packet formats, and determines the format of packets that it will send based on the
recognized format.

107
 You can configure the MSTP packet format on a port. Then, the port sends only MSTP packets of the
configured format to communicate with devices that send packets of the same format.
By default, a port in auto mode sends 802.1s MSTP packets. When the port receives an MSTP
packet of a legacy format, the port starts to send packets only of the legacy format. This prevents the
port from frequently changing the format of sent packets. To configure the port to send 802.1s MSTP
packets, shut down and then bring up the port.
When the number of existing MSTIs exceeds 48, the port can send only 802.1s MSTP packets.
To configure the MSTP packet format to be supported on a port:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet or interface interface-type
aggregate interface view. N/A
interface-number
3. Configure the mode that the
port uses to recognize/send stp compliance { auto | dot1s | legacy } The default setting is auto.
MSTP packets.

Enabling outputting port state transition

information
In a large-scale spanning tree network, you can enable devices to output the port state transition
information. Then you can monitor the port states in real time.
To enable outputting port state transition information:

Step Command Remarks

1. Enter system view. system-view N/A
• In STP/RSTP mode:
stp port-log instance 0
2. Enable outputting port • In PVST mode:
state transition stp port-log vlan vlan-id-list By default, this function is
information. disabled.
• In MSTP mode:
stp port-log { all | instance
instance-list }

Enabling the spanning tree feature

You must enable the spanning tree feature for the device before any other spanning tree related
configurations can take effect. In STP, RSTP, or MSTP mode, make sure the spanning tree feature is
enabled globally and on the desired ports. In PVST mode, make sure the spanning tree feature is
enabled globally, in the desired VLANs, and on the desired ports.
You can disable the spanning tree feature for certain ports with the undo stp enable command to
exclude them from spanning tree calculation and save CPU resources of the device. Make sure no
loops occur in the network after you disable the spanning tree feature on these ports.

108
Enabling the spanning tree feature in STP/RSTP/MSTP
mode
Step Command Remarks
1. Enter system view. system-view N/A
• If the device starts up with the initial
settings, the spanning tree feature is
disabled globally by default.
• If the device starts up with the factory
2. Enable the spanning tree
stp global enable defaults, the spanning tree feature is
feature.
enabled globally by default.
For more information about the startup
configuration, see Fundamentals
Configuration Guide.
3. Enter Layer 2 Ethernet or interface interface-type
aggregate interface view. N/A
interface-number
4. (Optional.) Enable the
spanning tree feature for the By default, the spanning tree feature is
stp enable
port. enabled on all ports.

Enabling the spanning tree feature in PVST mode

Step Command Remarks
1. Enter system view. system-view N/A
• If the device starts up with the initial
settings, the spanning tree feature is
disabled globally by default.
• If the device starts up with the factory
2. Enable the spanning tree
stp global enable defaults, the spanning tree feature is
feature.
enabled globally by default.
For more information about the startup
configuration, see Fundamentals
Configuration Guide.
3. Enable the spanning tree stp vlan vlan-id-list The spanning tree feature is enabled for all
feature in VLANs. enable VLANs.
4. Enter Layer 2 Ethernet or interface interface-type
aggregate interface view. N/A
interface-number
5. Enable the spanning tree By default, the spanning tree feature is
feature on the port. stp enable
enabled on all ports.

Performing mCheck
The mCheck feature enables user intervention in the port status transition process.
When a port on an MSTP, RSTP, or PVST device connects to an STP device and receives STP
BPDUs, the port automatically transits to the STP mode. However, the port cannot automatically
transit back to the original mode when the following conditions exist:
• The peer STP device is shut down or removed.

109
 • The port cannot detect the change.
To forcibly transit the port to operate in the original mode, you can perform an mCheck operation.
For example, Device A, Device B, and Device C are connected in sequence. Device A runs STP,
Device B does not run any spanning tree protocol, and Device C runs RSTP, PVST, or MSTP. In this
case, when Device C receives an STP BPDU transparently transmitted by Device B, the receiving
port transits to the STP mode. If you configure Device B to run RSTP, PVST, or MSTP with Device C,
you must perform mCheck operations on the ports interconnecting Device B and Device C.

Configuration restrictions and guidelines

When you configure mCheck, follow these restrictions and guidelines:
• The mCheck operation takes effect on devices operating in MSTP, PVST, or RSTP mode.
• When you enable or disable TRILL on a port, the port might send TCN BPDUs to the peer port,
which causes the peer port to transit to STP mode. When you disable TRILL and enable STP on
a port, perform mCheck on both the port and the peer port as a best practice.

Configuration procedure
Performing mCheck globally

Step Command
1. Enter system view. system-view

2. Perform mCheck. stp global mcheck

Performing mCheck in interface view

Step Command
1. Enter system view. system-view
2. Enter Layer 2 Ethernet or aggregate interface
view. interface interface-type interface-number

3. Perform mCheck. stp mcheck

Configuring Digest Snooping

CAUTION:
Use caution with global Digest Snooping in the following situations:
• When you modify the VLAN-to-instance mappings.
• When you restore the default MST region configuration.
If the local device has different VLAN-to-instance mappings than its neighboring devices, loops or
traffic interruption will occurs.

As defined in IEEE 802.1s, connected devices are in the same region only when they have the same
MST region-related configurations, including:
• Region name.
• Revision level.
• VLAN-to-instance mappings.

110
 A spanning tree device identifies devices in the same MST region by determining the configuration
ID in BPDU packets. The configuration ID includes the region name, revision level, and configuration
digest. It is 16-byte long and is the result calculated through the HMAC-MD5 algorithm based on
VLAN-to-instance mappings.
Because spanning tree implementations vary by vendor, the configuration digests calculated through
private keys are different. The devices of different vendors in the same MST region cannot
communicate with each other.
To enable communication between an H3C device and a third-party device in the same MST region,
enable Digest Snooping on the H3C device port connecting them.

Configuration restrictions and guidelines

When you configure Digest Snooping, follow these restrictions and guidelines:
• Before you enable Digest Snooping, make sure associated devices of different vendors are
connected and run spanning tree protocols.
• With Digest Snooping enabled, in-the-same-region verification does not require comparison of
configuration digest. The VLAN-to-instance mappings must be the same on associated ports.
• To make Digest Snooping take effect, you must enable Digest Snooping both globally and on
associated ports. As a best practice, enable Digest Snooping on all associated ports first and
then enable it globally. This will make the configuration take effect on all configured ports and
reduce impact on the network.
• To prevent loops, do not enable Digest Snooping on MST region edge ports.
• As a best practice, enable Digest Snooping first and then the spanning tree feature. To avoid
traffic interruption, do not configure Digest Snooping when the network is already working well.

Configuration procedure
You can enable Digest Snooping only on the H3C device that is connected to a third-party device that
uses its private key to calculate the configuration digest.
To configure Digest Snooping:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet or interface interface-type
aggregate interface view. N/A
interface-number

3. Enable Digest Snooping on By default, Digest Snooping is

the interface. stp config-digest-snooping
disabled on ports.

4. Return to system view. quit N/A

5. Enable Digest Snooping stp global By default, Digest Snooping is
globally. config-digest-snooping disabled globally.

Digest Snooping configuration example

Network requirements
As shown in Figure 26, Device A and Device B connect to Device C, which is a third-party device. All
these devices are in the same region.

111
 Enable Digest Snooping on the ports of Device A and Device B that connect to Device C, so that the
three devices can communicate with one another.
Figure 26 Network diagram

MST region Device C

(Root bridge)

XGE1/0/1 XGE1/0/2 Root port

Designated port

Blocked port

Normal link

XGE1/0/1 XGE1/0/1
Blocked link
XGE1/0/2 XGE1/0/2

Device A Device B

Configuration procedure
# Enable Digest Snooping on Ten-GigabitEthernet 1/0/1 of Device A and enable global Digest
Snooping on Device A.
<DeviceA> system-view
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] stp config-digest-snooping
[DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] stp global config-digest-snooping

# Enable Digest Snooping on Ten-GigabitEthernet 1/0/1 of Device B and enable global Digest
Snooping on Device B.
<DeviceB> system-view
[DeviceB] interface ten-gigabitethernet 1/0/1
[DeviceB-Ten-GigabitEthernet1/0/1] stp config-digest-snooping
[DeviceB-Ten-GigabitEthernet1/0/1] quit
[DeviceB] stp global config-digest-snooping

Configuring No Agreement Check

In RSTP and MSTP, the following types of messages are used for rapid state transition on
designated ports:
• Proposal—Sent by designated ports to request rapid transition
• Agreement—Used to acknowledge rapid transition requests
Both RSTP and MSTP devices can perform rapid transition on a designated port only when the port
receives an agreement packet from the downstream device. RSTP and MSTP devices have the
following differences:
• For MSTP, the root port of the downstream device sends an agreement packet only after it
receives an agreement packet from the upstream device.
• For RSTP, the downstream device sends an agreement packet regardless of whether an
agreement packet from the upstream device is received.

112
 Figure 27 Rapid state transition of an MSTP designated port

Figure 28 Rapid state transition of an RSTP designated port

If the upstream device is a third-party device, the rapid state transition implementation might be
limited as follows:
• The upstream device uses a rapid transition mechanism similar to that of RSTP.
• The downstream device adopts MSTP and does not operate in RSTP mode.
In this case, the following occurs:
1. The root port on the downstream device receives no agreement packet from the upstream
device.
2. It sends no agreement packets to the upstream device.
As a result, the designated port of the upstream device can transit to the forwarding state only after a
period twice the Forward Delay.
You can enable the No Agreement Check feature on the downstream device's port to enable the
designated port of the upstream device to transit its state rapidly.

Configuration prerequisites
Before you configure the No Agreement Check function, complete the following tasks:
• Connect a device to a third-party upstream device that supports spanning tree protocols
through a point-to-point link.
• Configure the same region name, revision level, and VLAN-to-instance mappings on the two
devices.

113
Configuration procedure
Enable the No Agreement Check feature on the root port.
To configure No Agreement Check:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet or
aggregate interface view. interface interface-type interface-number N/A

3. Enable No Agreement By default, No Agreement

Check. stp no-agreement-check
Check is disabled.

No Agreement Check configuration example

Network requirements
As shown in Figure 29, Device A connects to a third-party device that has a different spanning tree
implementation. Both devices are in the same region.
The third-party device (Device B) is the regional root bridge, and Device A is the downstream device.
Figure 29 Network diagram

Configuration procedure
# Enable No Agreement Check on Ten-GigabitEthernet 1/0/1 of Device A.
<DeviceA> system-view
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] stp no-agreement-check

Configuring TC Snooping
As shown in Figure 30, an IRF fabric connects to two user networks through double links.
• Device A and Device B form an IRF fabric.
• The spanning tree feature is disabled on Device A and Device B and enabled on all devices in
user network 1 and user network 2.
• The IRF fabric transparently transmits BPDUs for both user networks and is not involved in the
calculation of spanning trees.
When the network topology changes, it takes time for the IRF fabric to update its MAC address table
and ARP table. During this period, traffic in the network might be interrupted.

114
 Figure 30 TC Snooping application scenario

To avoid traffic interruption, you can enable TC Snooping on the IRF fabric. After receiving a
TC-BPDU through a port, the IRF fabric updates MAC address table and ARP table entries
associated with the port's VLAN. In this way, TC Snooping prevents topology change from
interrupting traffic forwarding in the network. For more information about the MAC address table and
the ARP table, see "Configuring the MAC address table" and Layer 3—IP Services Configuration
Guide.

Configuration restrictions and guidelines

When you configure TC Snooping, follow these restrictions and guidelines:
• TC Snooping and the spanning tree feature are mutually exclusive. You must globally disable
the spanning tree feature before enabling TC Snooping.
• TC Snooping does not support the PVST mode.

Configuration procedure
To enable TC Snooping:

Step Command Remarks

1. Enter system view. system-view N/A
• If the device starts up with the initial
settings, the spanning tree feature is
disabled globally by default.
• If the device starts up with the factory
2. Globally disable the
undo stp global enable defaults, the spanning tree feature is
spanning tree feature.
enabled globally by default.
For more information about the startup
configuration, see Fundamentals
Configuration Guide.
3. Enable TC Snooping. stp tc-snooping By default, TC Snooping is disabled.

Configuring protection functions

A spanning tree device supports the following protection functions:

115
 • BPDU guard
• Root guard
• Loop guard
• Port role restriction
• TC-BPDU transmission restriction
• TC-BPDU guard
• BPDU drop

Enabling BPDU guard

For access layer devices, the access ports can directly connect to the user terminals (such as PCs)
or file servers. The access ports are configured as edge ports to allow rapid transition. When these
ports receive configuration BPDUs, the system automatically sets the ports as non-edge ports and
starts a new spanning tree calculation process. This causes a change of network topology. Under
normal conditions, these ports should not receive configuration BPDUs. However, if someone uses
configuration BPDUs maliciously to attack the devices, the network will become unstable.
The spanning tree protocol provides the BPDU guard function to protect the system against such
attacks. When edge ports receive configuration BPDUs on a device with BPDU guard enabled, the
device performs the following tasks:
• Shuts down these ports.
• Notifies the NMS that these ports have been shut down by the spanning tree protocol.
The device reactivates the shutdown ports after a detection interval. For more information about this
detection interval, see Fundamentals Configuration Guide.
You can configure the BPDU guard feature globally or on a per-edge port basis.
BPDU guard does not take effect on loopback-testing-enabled ports. For more information about
loopback testing, see "Configuring Ethernet interfaces."
Enabling BPDU guard globally
The global BPDU guard setting takes effect on all edge ports that are not configured by using the stp
port bpdu-protection command.
To enable BPDU guard globally:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enable BPDU guard globally. By default, BPDU guard is

stp bpdu-protection
disabled globally.

Configuring BPDU guard on an interface

An edge port preferentially uses the port-specific BPDU guard setting. If the port-specific BPDU
guard setting is not available, the edge port uses the global BPDU guard setting.
To configure BPDU guard on an interface:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enter Layer 2 Ethernet The specified interface must

interface view or Layer 2 interface interface-type connect to a user terminal rather
aggregate interface view. interface-number than another device or shared
LAN segment.

116
 Step Command Remarks
By default, BPDU guard is not
configured on a per-edge port
Configure BPDU guard. stp port bpdu-protection
3. basis. The status of BPDU guard
{ enable | disable }
on an interface is the same as the
global BPDU status.

Enabling root guard

The root bridge and secondary root bridge of a spanning tree should be located in the same MST
region. Especially for the CIST, the root bridge and secondary root bridge are put in a high-bandwidth
core region during network design. However, due to possible configuration errors or malicious
attacks in the network, the legal root bridge might receive a configuration BPDU with a higher priority.
Another device supersedes the current legal root bridge, causing an undesired change of the
network topology. The traffic that should go over high-speed links is switched to low-speed links,
resulting in network congestion.
To prevent this situation, MSTP provides the root guard function. If root guard is enabled on a port of
a root bridge, this port plays the role of designated port on all MSTIs. After this port receives a
configuration BPDU with a higher priority from an MSTI, it performs the following tasks:
• Immediately sets that port to the listening state in the MSTI.
• Does not forward the received configuration BPDU.
This is equivalent to disconnecting the link connected with this port in the MSTI. If the port receives
no BPDUs with a higher priority within twice the forwarding delay, it reverts to its original state.
On a port, the loop guard function and the root guard function are mutually exclusive.
Configure root guard on a designated port.
To enable root guard:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet or
aggregate interface view. interface interface-type interface-number N/A

3. Enable the root guard By default, root guard is

function. stp root-protection
disabled.

Enabling loop guard

By continuing to receive BPDUs from the upstream device, a device can maintain the state of the
root port and blocked ports. However, link congestion or unidirectional link failures might cause these
ports to fail to receive BPDUs from the upstream devices. In this case, the device reselects the
following port roles:
• Those ports in forwarding state that failed to receive upstream BPDUs become designated
ports.
• The blocked ports transit to the forwarding state.
As a result, loops occur in the switched network. The loop guard function can suppress the
occurrence of such loops.
The initial state of a loop guard-enabled port is discarding in every MSTI. When the port receives
BPDUs, it transits its state. Otherwise, it stays in the discarding state to prevent temporary loops.

117
 Do not enable loop guard on a port that connects user terminals. Otherwise, the port stays in the
discarding state in all MSTIs because it cannot receive BPDUs.
On a port, the loop guard function is mutually exclusive with the root guard function or the edge port
setting.
Configure loop guard on the root port and alternate ports of a device.
To enable loop guard:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet or
aggregate interface view. interface interface-type interface-number N/A

3. Enable the loop guard By default, loop guard is

function for the ports. stp loop-protection
disabled.

Configuring port role restriction

CAUTION:
Use this feature with caution, because enabling port role restriction on a port might affect the
connectivity of the spanning tree topology.

The change to the bridge ID of a device in the user access network might cause a change to the
spanning tree topology in the core network. To avoid this problem, you can enable port role
restriction on a port. With this feature enabled, when the port receives a superior BPDU, it becomes
an alternate port rather than a root port.
Make this configuration on the port that connects to the user access network.
To configure port role restriction:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet or interface interface-type
aggregate interface view. N/A
interface-number

3. Enable port role restriction. By default, port role restriction is

stp role-restriction
disabled.

Configuring TC-BPDU transmission restriction

CAUTION:
Enabling TC-BPDU transmission restriction on a port might cause the previous forwarding address
table to fail to be updated when the topology changes.

The topology change to the user access network might cause the forwarding address changes to the
core network. When the user access network topology is unstable, the user access network might
affect the core network. To avoid this problem, you can enable TC-BPDU transmission restriction on
a port. With this feature enabled, when the port receives a TC-BPDU, it does not forward the
TC-BPDU to other ports.
Make this configuration on the port that connects to the user access network.
To configure TC-BPDU transmission restriction:

118
 Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet or interface interface-type
aggregate interface view. N/A
interface-number

3. Enable TC-BPDU By default, TC-BPDU

transmission restriction. stp tc-restriction transmission restriction is
disabled.

Enabling TC-BPDU guard

When a device receives topology change (TC) BPDUs (the BPDUs that notify devices of topology
changes), it flushes its forwarding address entries. If someone uses TC-BPDUs to attack the device,
the device will receive a large number of TC-BPDUs within a short time and be busy with forwarding
address entry flushing. This affects network stability.
TC-BPDU guard allows you to set the maximum number of immediate forwarding address entry
flushes performed within 10 seconds after the device receives the first TC-BPDU. For TC-BPDUs
received in excess of the limit, the device performs a forwarding address entry flush when the time
period expires. This prevents frequent flushing of forwarding address entries. As a best practice,
enable TC-BPDU guard.
To enable TC-BPDU guard:

Step Command Remarks

1. Enter system view. system-view N/A
By default, TC-BPDU guard
is enabled.
2. Enable the TC-BPDU guard function. stp tc-protection
As a best practice, do not
disable this feature.
3. (Optional.) Configure the maximum
number of forwarding address entry stp tc-protection threshold
flushes that the device can perform The default setting is 6.
number
every 10 seconds.

Enabling BPDU drop

In a spanning tree network, every BPDU arriving at the device triggers an STP calculation process
and is then forwarded to other devices in the network. Malicious attackers might use the vulnerability
to attack the network by forging BPDUs. By continuously sending forged BPDUs, they can make all
devices in the network continue performing STP calculations. As a result, problems such as CPU
overload and BPDU protocol status errors occur.
To avoid this problem, you can enable BPDU drop on ports. A BPDU drop-enabled port does not
receive any BPDUs and is invulnerable to forged BPDU attacks.
To enable BPDU drop on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number

119
 Step Command Remarks
3. Enable BPDU drop on the By default, BPDU drop is
current interface. bpdu-drop any
disabled.

Disabling the device to reactivate the shutdown

edge ports
A device enabled with BPDU guard shuts down edge ports that have received configuration BPDUs
and notifies the NMS of the shutdown event. After a port status detection interval, the device
reactivates the shutdown ports. This feature allows you to disable the device to reactivate the
shutdown ports. The feature applies to edge ports that are shut down after you configure the stp port
shutdown permanent command. To bring up these ports, use the undo shutdown command.
For more information about the port status detection interval, see device management configuration
in Fundamentals Configuration Guide.
To disable the device to reactivate the shutdown edge ports:

Step Command Remarks

1. Enter system view. system-view N/A
2. Disable the device to By default, a device reactivates
reactivate the shutdown edge stp port shutdown permanent the shutdown edge ports after a
ports. port status detection interval.

Enabling SNMP notifications for new-root election

and topology change events
This feature enables the device to generate logs and report new-root election events or spanning
tree topology changes to SNMP. For the event notifications to be sent correctly, you must also
configure SNMP on the device. For more information about SNMP configuration, see the network
management and monitoring configuration guide for the device.
When you use the snmp-agent trap enable stp [ new-root | tc ] command, follow these guidelines:
• The new-root keyword applies only to STP, MSTP, and RSTP modes.
• The tc keyword applies only to PVST mode.
• In STP, MSTP, or RSTP mode, the snmp-agent trap enable stp command enables SNMP
notifications for new-root election events.
• In PVST mode, the snmp-agent trap enable stp enables SNMP notifications for spanning tree
topology changes.
To enable SNMP notifications for new-root election and topology change events:

Step Command Remarks

1. Enter system view. system-view N/A
In STP, MSTP, or RSTP mode, The default settings are as
execute either of the following follows:
2. Enable SNMP notifications
commands: • SNMP notifications are
for new-root election events.
• snmp-agent trap enable disabled for new-root
stp new-root election events.

120
 Step Command Remarks
• snmp-agent trap enable • In MSTP mode, SNMP
stp notifications are enabled in
MSTI 0 and disabled in other
In PVST mode, execute either of MSTIs for spanning tree
the following commands: topology changes.
3. Enable SNMP notifications
for spanning tree topology • snmp-agent trap enable • In PVST mode, SNMP
changes. stp tc notifications are disabled for
• snmp-agent trap enable spanning tree topology
stp changes in all VLANs.
4. Enable the device to By default, the device does not
generate a log when it generate a log when it detects or
detects or receives a TCN stp log enable tc
receives a TCN BPDU in PVST
BPDU in PVST mode. mode.

Displaying and maintaining the spanning tree

Execute display commands in any view and reset command in user view.

Task Command
Display information about ports blocked by spanning
display stp abnormal-port
tree protection functions.
display stp bpdu-statistics [ interface
Display BPDU statistics on ports. interface-type interface-number [ instance
instance-list ] ]
Display information about ports shut down by spanning
display stp down-port
tree protection functions.
Display the historical information of port role calculation display stp [ instance instance-list | vlan
for the specified MSTI or all MSTIs. vlan-id-list ] history [ slot slot-number ]
Display the statistics of TC/TCN BPDUs sent and display stp [ instance instance-list | vlan
received by all ports in the specified MSTI or all MSTIs. vlan-id-list ] tc [ slot slot-number ]
display stp [ instance instance-list | vlan
Display the spanning tree status and statistics. vlan-id-list ] [ interface interface-list | slot
slot-number ] [ brief ]
Display the MST region configuration information that
display stp region-configuration
has taken effect.
Display the root bridge information of all MSTIs. display stp root
Clear the spanning tree statistics. reset stp [ interface interface-list ]

Spanning tree configuration example

MSTP configuration example
Network requirements
As shown in Figure 31, all devices on the network are in the same MST region. Device A and Device
B work at the distribution layer. Device C and Device D work at the access layer.
Configure MSTP so that packets of different VLANs are forwarded along different spanning trees.

121
 • VLAN 10 packets are forwarded along MSTI 1.
• VLAN 30 packets are forwarded along MSTI 3.
• VLAN 40 packets are forwarded along MSTI 4.
• VLAN 20 packets are forwarded along MSTI 0.
VLAN 10 and VLAN 30 are terminated on the distribution layer devices, and VLAN 40 is terminated
on the access layer devices. The root bridges of MSTI 1 and MSTI 3 are Device A and Device B,
respectively, and the root bridge of MSTI 4 is Device C.
Figure 31 Network diagram
1

XG
/0/
E1

E1
XG

/0/
1

XG
1
/0/

E1
E1

/0/
XG

Configuration procedure
1. Configure VLANs and VLAN member ports. (Details not shown.)
{ Create VLAN 10, VLAN 20, and VLAN 30 on both Device A and Device B.
{ Create VLAN 10, VLAN 20, and VLAN 40 on Device C.
{ Create VLAN 20, VLAN 30, and VLAN 40 on Device D.
{ Configure the ports on these devices as trunk ports and assign them to related VLANs.
2. Configure Device A:
# Enter MST region view, and configure the MST region name as example.
<DeviceA> system-view
[DeviceA] stp region-configuration
[DeviceA-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceA-mst-region] instance 1 vlan 10
[DeviceA-mst-region] instance 3 vlan 30
[DeviceA-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceA-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceA-mst-region] active region-configuration
[DeviceA-mst-region] quit
# Specify the device as the root bridge of MSTI 1.
[DeviceA] stp instance 1 root primary

122
 # Enable the spanning tree feature globally.
[DeviceA] stp global enable
3. Configure Device B:
# Enter MST region view, and configure the MST region name as example.
<DeviceB> system-view
[DeviceB] stp region-configuration
[DeviceB-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 3 vlan 30
[DeviceB-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceB-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# Specify the device as the root bridge of MSTI 3.
[DeviceB] stp instance 3 root primary
# Enable the spanning tree feature globally.
[DeviceB] stp global enable
4. Configure Device C:
# Enter MST region view, and configure the MST region name as example.
<DeviceC> system-view
[DeviceC] stp region-configuration
[DeviceC-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceC-mst-region] instance 1 vlan 10
[DeviceC-mst-region] instance 3 vlan 30
[DeviceC-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceC-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceC-mst-region] active region-configuration
[DeviceC-mst-region] quit
# Specify the device as the root bridge of MSTI 4.
[DeviceC] stp instance 4 root primary
# Enable the spanning tree feature globally.
[DeviceC] stp global enable
5. Configure Device D:
# Enter MST region view, and configure the MST region name as example.
<DeviceD> system-view
[DeviceD] stp region-configuration
[DeviceD-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceD-mst-region] instance 1 vlan 10
[DeviceD-mst-region] instance 3 vlan 30
[DeviceD-mst-region] instance 4 vlan 40

123
 # Configure the revision level of the MST region as 0.
[DeviceD-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# Enable the spanning tree feature globally.
[DeviceD] stp global enable

Verifying the configuration

In this example, Device B has the lowest root bridge ID. As a result, Device B is elected as the root
bridge in MSTI 0.
When the network is stable, use the display stp brief command to display brief spanning tree
information on each device.
# Display brief spanning tree information on Device A.
[DeviceA] display stp brief
[DeviceA] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 ALTE DISCARDING NONE
0 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE
1 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
3 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
3 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE

# Display brief spanning tree information on Device B.

[DeviceB] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE
3 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
3 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device C.

[DeviceC] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
0 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
1 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
4 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device D.

[DeviceD] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
0 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE

124
 0 Ten-GigabitEthernet1/0/3 ALTE DISCARDING NONE
3 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
3 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
4 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE

Based on the output, you can draw each MSTI mapped to each VLAN, as shown in Figure 32.
Figure 32 MSTIs mapped to different VLANs

A B A B

C C D

MSTI 1 mapped to VLAN 10 MSTI 0 mapped to VLAN 20

A B

D C D

MSTI 3 mapped to VLAN 30 MSTI 4 mapped to VLAN 40

Root bridge Normal link Blocked link

PVST configuration example

Network requirements
As shown in Figure 33, Device A and Device B work at the distribution layer, and Device C and
Device D work at the access layer.
Configure PVST to meet the following requirements:
• Packets of a VLAN are forwarded along the spanning trees of the VLAN.
• VLAN 10, VLAN 20, and VLAN 30 are terminated on the distribution layer devices, and VLAN
40 is terminated on the access layer devices.
• The root bridge of VLAN 10 and VLAN 20 is Device A.
• The root bridge of VLAN 30 is Device B.
• The root bridge of VLAN 40 is Device C.

125
 Figure 33 Network diagram

/1

XG
/0
E1

E1
XG

/0
/1

XG
1
/0/

E1
E1

/0/
XG

1
Configuration procedure
1. Configure VLANs and VLAN member ports. (Details not shown.)
{ Create VLAN 10, VLAN 20, and VLAN 30 on both Device A and Device B.
{ Create VLAN 10, VLAN 20, and VLAN 40 on Device C.
{ Create VLAN 20, VLAN 30, and VLAN 40 on Device D.
{ Configure the ports on these devices as trunk ports and assign them to related VLANs.
2. Configure Device A:
# Set the spanning tree mode to PVST.
<DeviceA> system-view
[DeviceA] stp mode pvst
# Configure the device as the root bridge of VLAN 10 and VLAN 20.
[DeviceA] stp vlan 10 20 root primary
# Enable the spanning tree feature globally and in VLAN 10, VLAN 20, and VLAN 30.
[DeviceA] stp global enable
[DeviceA] stp vlan 10 20 30 enable
3. Configure Device B:
# Set the spanning tree mode to PVST.
<DeviceB> system-view
[DeviceB] stp mode pvst
# Configure the device as the root bridge of VLAN 30.
[DeviceB] stp vlan 30 root primary
# Enable the spanning tree feature globally and in VLAN 10, VLAN 20, and VLAN 30.
[DeviceB] stp global enable
[DeviceB] stp vlan 10 20 30 enable
4. Configure Device C:
# Set the spanning tree mode to PVST.
<DeviceC> system-view
[DeviceC] stp mode pvst
# Configure the device as the root bridge of VLAN 40.
[DeviceC] stp vlan 40 root primary
# Enable the spanning tree feature globally and in VLAN 10, VLAN 20, and VLAN 40.
[DeviceC] stp global enable

126
 [DeviceC] stp vlan 10 20 40 enable
5. Configure Device D:
# Set the spanning tree mode to PVST.
<DeviceD> system-view
[DeviceD] stp mode pvst
# Enable the spanning tree feature globally and in VLAN 20, VLAN 30, and VLAN 40.
[DeviceD] stp global enable
[DeviceD] stp vlan 20 30 40 enable

Verifying the configuration

When the network is stable, use the display stp brief command to display brief spanning tree
information on each device.
# Display brief spanning tree information on Device A.
[DeviceA] display stp brief
VLAN ID Port Role STP State Protection
10 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
10 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
20 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
20 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
20 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
30 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
30 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE

# Display brief spanning tree information on Device B.

[DeviceB] display stp brief
VLAN ID Port Role STP State Protection
10 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
10 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
20 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
20 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE
30 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
30 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device C.

[DeviceC] display stp brief
VLAN ID Port Role STP State Protection
10 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
10 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
20 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
40 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device D.

[DeviceD] display stp brief
VLAN ID Port Role STP State Protection
20 Ten-GigabitEthernet1/0/1 ALTE DISCARDING NONE
20 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
20 Ten-GigabitEthernet1/0/3 ALTE DISCARDING NONE
30 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE

127
 30 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
40 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE

Based on the output, you can draw a topology for each VLAN spanning tree, as shown in Figure 34.
Figure 34 VLAN spanning tree topologies

128
Configuring loop detection
Overview
Incorrect network connections or configurations can create Layer 2 loops, which results in repeated
transmission of broadcasts, multicasts, or unknown unicasts. The repeated transmission can waste
network resources and can sometimes paralyze networks. The loop detection mechanism
immediately generates a log when a loop occurs so that you are promptly notified to adjust network
connections and configurations. You can configure loop detection to shut down the looped port. Logs
are maintained in the information center. For more information, see Network Management and
Monitoring Configuration Guide.

Loop detection mechanism

The device detects loops by sending detection frames and then checking whether these frames
return to any port on the device. If they do, the device considers that the port is on a looped link.
Loop detection usually works within a VLAN. If a detection frame is returned with a VLAN tag
different from the one it was sent out with, an inter-VLAN loop has occurred. To remove the loop,
examine the QinQ configuration for incorrect settings. For more information about QinQ, see
"Configuring QinQ.".
Figure 35 Ethernet frame header for loop detection

The Ethernet frame header for loop detection contains the following fields:
• DMAC—Destination MAC address of the frame, which is the multicast MAC address
010F-E200-0007. When a loop detection-enabled device receives a frame with this destination
MAC address, it sends the frame to the CPU and floods the frame in the VLAN from which the
frame was originally received.
• SMAC—Source MAC address of the frame, which is the bridge MAC address of the sending
device.
• TPID—Type of the VLAN tag, with the value of 0x8100.
• TCI—Information of the VLAN tag, including the priority and VLAN ID.
• Type—Protocol type, with the value of 0x8918.
Figure 36 Inner frame header for loop detection

The inner frame header for loop detection contains the following fields:

129
 • Code—Protocol sub-type, which is 0x0001, indicating the loop detection protocol.
• Version—Protocol version, which is always 0x0000.
• Length—Length of the frame. The value includes the inner header, but excludes the Ethernet
header.
• Reserved—This field is reserved.
Frames for loop detection are encapsulated as TLV triplets.
Table 10 TLVs supported by loop detection

TLV Description Remarks

End of PDU End of a PDU. Optional.

Device ID Bridge MAC address of the sending device. Required.

Port ID ID of the PDU sending port. Optional.

Port Name Name of the PDU sending port. Optional.

System Name Device name. Optional.

Chassis ID Chassis ID of the sending port. Optional.

Slot ID Slot ID of the sending port. Optional.

Sub Slot ID Sub-slot ID of the sending port. Optional.

Loop detection interval

Loop detection is a continuous process as the network changes. Loop detection frames are sent at a
specified interval (called a loop detection interval) to determine whether loops occur on ports and
whether loops are removed.

Loop protection actions

When the switch detects a loop on a port, it generates a log but performs no action on the port by
default. You can configure the switch to take one of the following actions:
• Block—Disables the port from learning MAC addresses and blocks inbound traffic to the port.
• No-learning—Disables the port from learning MAC addresses.
• Shutdown—Shuts down the port to disable it from receiving and sending any frames.

Port status auto recovery

When the device configured with the block or no-learning loop action detects a loop on a port, it
performs the action and waits three loop detection intervals. If the device does not receive a loop
detection frame within three loop detection intervals, it performs the following tasks:
• Automatically sets the port to the forwarding state.
• Notifies the user of the event.
When the device configured with the shutdown action detects a loop on a port, the following events
occur:
1. The device automatically shuts down the port.

130
 2. The device automatically sets the port to the forwarding state after the detection timer
configured by using the shutdown-interval command expires. For more information about the
shutdown-interval command, see Fundamentals Command Reference.
3. The device shuts down the port again if a loop is still detected on the port when the detection
timer expires.
This process is repeated until the loop is removed.

NOTE:
Incorrect recovery can occur when loop detection frames are discarded to reduce the load. To avoid
this problem, use the shutdown action or manually remove the loop.

Loop detection configuration task list

Tasks at a glance
(Required.) Enabling loop detection

(Optional.) Configuring the loop protection action

(Optional.) Setting the loop detection interval

Enabling loop detection

You can enable loop detection globally or on a per-port basis. The global configuration applies to all
ports in the specified VLANs. The per-port configuration applies to the individual port only when the
port belongs to the specified VLANs. Per-port configurations take precedence over global
configurations.
As a best practice, do not enable loop detection on TRILL ports, because TRILL networks prevent
loops from being generated. For information more about TRILL, see TRILL Configuration Guide.

Enabling loop detection globally

Step Command Remarks
1. Enter system view. system-view N/A
2. Globally enable loop loopback-detection global
detection. Disabled by default.
enable vlan { vlan-list | all }

Enabling loop detection on a port

Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Enable loop detection on the loopback-detection enable vlan

port. Disabled by default.
{ vlan-list | all }

131
Configuring the loop protection action
You can configure the loop protection action globally or on a per-port basis. The global configuration
applies to all ports. The per-port configuration applies to the individual ports. The per-port
configuration takes precedence over the global configuration.

Configuring the global loop protection action

Step Command Remarks
1. Enter system view. system-view N/A

2. Configure the global loop By default, the switch generates a

loopback-detection global
protection action. log but performs no action on the
action shutdown
port on which a loop is detected.

Configuring the loop protection action on a Layer 2 Ethernet

interface
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
By default, the switch
3. Configure the loop protection loopback-detection action generates a log but performs
action on the interface. { block | no-learning | shutdown } no action on the port on which
a loop is detected.

Configuring the loop protection action on a Layer 2 aggregate

interface
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 aggregate interface bridge-aggregation
interface view. N/A
interface-number
By default, the switch
3. Configure the loop protection loopback-detection action generates a log but performs
action on the interface. shutdown no action on the port on which
a loop is detected.

Setting the loop detection interval

With loop detection enabled, the switch sends loop detection frames at a specified interval. A shorter
interval offers more sensitive detection but consumes more resources. Consider the system
performance and loop detection speed when you set the loop detection interval.
To set the loop detection interval:

132
 Step Command Remarks
1. Enter system view. system-view N/A
2. Set the loop detection loopback-detection
interval. The default setting is 30 seconds.
interval-time interval

Displaying and maintaining loop detection

Execute display commands in any view.

Task Command
Display the loop detection configuration and status. display loopback-detection

Loop detection configuration example

Network requirements
As shown in Figure 37, configure loop detection on Device A, so that Device A generates a log as a
notification and automatically shuts down the port on which a loop is detected.
Figure 37 Network diagram

Device A

XGE1/0/1 XGE1/0/2

Device B Device C

VLAN 100

Configuration procedure
1. Configure Device A:
# Create VLAN 100, and globally enable loop detection for the VLAN.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] quit
[DeviceA] loopback-detection global enable vlan 100

133
 # Configure Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 as trunk ports, and
assign them to VLAN 100.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100
[DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100
[DeviceA-Ten-GigabitEthernet1/0/2] quit
# Configure the global loop protection action as shutdown.
[DeviceA] loopback-detection global action shutdown
# Set the loop detection interval to 35 seconds.
[DeviceA] loopback-detection interval-time 35
2. Configure Device B:
# Create VLAN 100.
<DeviceB> system-view
[DeviceB] vlan 100
[DeviceB–vlan100] quit
# Configure Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 as trunk ports, and
assign them to VLAN 100.
[DeviceB] interface ten-gigabitethernet 1/0/1
[DeviceB-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100
[DeviceB-Ten-GigabitEthernet1/0/1] quit
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100
[DeviceB-Ten-GigabitEthernet1/0/2] quit
3. Configure Device C:
# Create VLAN 100.
<DeviceC> system-view
[DeviceC] vlan 100
[DeviceC–vlan100] quit
# Configure Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 as trunk ports, and
assign them to VLAN 100.
[DeviceC] interface ten-gigabitethernet 1/0/1
[DeviceC-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100
[DeviceC-Ten-GigabitEthernet1/0/1] quit
[DeviceC] interface ten-gigabitethernet 1/0/2
[DeviceC-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceC-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100
[DeviceC-Ten-GigabitEthernet1/0/2] quit

Verifying the configuration

# View the system logs on devices, for example, Device A.

134
[DeviceA]
%Feb 24 15:04:29:663 2013 DeviceA LPDT/4/LPDT_LOOPED: Loopback exists on
Ten-GigabitEthernet1/0/1.
%Feb 24 15:04:29:667 2013 DeviceA LPDT/4/LPDT_LOOPED: Loopback exists on
Ten-GigabitEthernet1/0/2.
%Feb 24 15:04:44:243 2013 DeviceA LPDT/5/LPDT_RECOVERED: Loopback on
Ten-GigabitEthernet1/0/1 recovered.
%Feb 24 15:04:44:248 2013 DeviceA LPDT/5/LPDT_RECOVERED: Loopback on
Ten-GigabitEthernet1/0/2 recovered.

The output shows the following information:

• Device A detects loops on ports Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 within
a loop detection interval.
• Device A automatically shuts down the ports and generates log messages.
# Use the display loopback-detection command to display the loop detection configuration and
status on devices, for example, Device A.
[DeviceA] display loopback-detection
Loop detection is enabled.
Loop detection interval is 35 second(s).
No loopback is detected.

The output shows that the device has removed the loops from Ten-GigabitEthernet 1/0/1 and
Ten-GigabitEthernet 1/0/2 according to the shutdown action.
# Display the status of Ten-GigabitEthernet 1/0/1 on devices, for example, Device A.
[DeviceA] display interface ten-gigabitethernet 1/0/1
Ten-GigabitEthernet1/0/1 current state: DOWN (Loop detection down)
...

The output shows that Ten-GigabitEthernet 1/0/1 is already shut down by the loop detection module.
# Display the status of Ten-GigabitEthernet 1/0/2 on Device A.
[DeviceA] display interface ten-gigabitethernet 1/0/2
Ten-GigabitEthernet1/0/2 current state: DOWN (Loop detection down)
...

The output shows that Ten-GigabitEthernet 1/0/2 is already shut down by the loop detection module.

135
Configuring VLANs
Overview
Ethernet is a family of shared-media LAN technologies based on the CSMA/CD mechanism. An
Ethernet LAN is both a collision domain and a broadcast domain. Because the medium is shared,
collisions and broadcasts are common in an Ethernet LAN. Typically, bridges and Layer 2 switches
can reduce collisions in an Ethernet LAN. To confine broadcasts, a Layer 2 switch must use the
Virtual Local Area Network (VLAN) technology.
VLANs enable a Layer 2 switch to break a LAN down into smaller broadcast domains, as shown
in Figure 38.
Figure 38 A VLAN diagram
VLAN 2

Switch A Switch B
Router

VLAN 5

A VLAN is logically divided on an organizational basis rather than on a physical basis. For example,
you can assign all workstations and servers used by a particular workgroup to the same VLAN,
regardless of their physical locations. Hosts in the same VLAN can directly communicate with one
another. You need a router or a Layer 3 switch for hosts in different VLANs to communicate with one
another.
All these VLAN features reduce bandwidth waste, improve LAN security, and enable flexible virtual
group creation.

VLAN frame encapsulation

To identify Ethernet frames from different VLANs, IEEE 802.1Q inserts a four-byte VLAN tag
between the destination and source MAC address (DA&SA) field and Type field.
Figure 39 VLAN tag placement and format

A VLAN tag includes the following fields:

• TPID—16-bit tag protocol identifier that indicates whether a frame is VLAN-tagged. By default,
the TPID value 0x8100 identifies a VLAN-tagged frame. A device vendor can set TPID to

136
 different values. For compatibility with a neighbor device, configure the TPID value on the
device to be the same as the neighbor device.
• Priority—3-bit long, identifies the 802.1p priority of the frame. For more information, see ACL
and QoS Configuration Guide.
• CFI—1-bit long canonical format indicator that indicates whether the MAC addresses are
encapsulated in the standard format when packets are transmitted across different media.
Available values include:
{ 0 (default)—The MAC addresses are encapsulated in the standard format.
{ 1—The MAC addresses are encapsulated in a nonstandard format.
This field is always set to 0 for Ethernet.
• VLAN ID—12-bit long, identifies the VLAN to which the frame belongs. The VLAN ID range is 0
to 4095. VLAN IDs 0 and 4095 are reserved, and VLAN IDs 1 to 4094 are user configurable.
The way a network device handles an incoming frame depends on whether the frame has a
VLAN-tag and the value of the VLAN tag (if any). For more information, see "Introduction."
Ethernet supports encapsulation formats Ethernet II, 802.3/802.2 LLC, 802.3/802.2 SNAP, and
802.3 raw. The Ethernet II encapsulation format is used here. For information about the VLAN tag
fields in other frame encapsulation formats, see related protocols and standards.
For a frame with multiple VLAN tags, the device handles it according to its outer-most VLAN tag and
transmits its inner VLAN tags as the payload.

Protocols and standards

IEEE 802.1Q, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area
Networks

Configuring basic VLAN settings

Step Command Remarks
1. Enter system view. system-view N/A
2. (Optional.) Create a
VLAN and enter its vlan { vlan-id1 [ to vlan-id2 ] | By default, only the system default VLAN
view, or create a list of all } (VLAN 1) exists.
VLANs.

3. Enter VLAN view. To configure a VLAN after you create a list

vlan vlan-id
of VLANs, you must perform this step.

4. Configure a name for By default, VLAN names are in the format

the VLAN. name text VLAN vlan-id. For example, the name of
VLAN 100 is VLAN 0100 by default.

5. Configure the The default setting is VLAN vlan-id, which

description of the is the ID of the VLAN. For example, the
description text
VLAN. description of VLAN 100 is VLAN 0100 by
default.

NOTE:
• As the system default VLAN, VLAN 1 cannot be created or deleted.
• Before you delete a dynamic VLAN, a VLAN configured with the QoS policy, or a VLAN locked by
an application, you must first remove the configuration from the VLAN.

137
Configuring basic settings of a VLAN interface
For hosts of different VLANs to communicate at Layer 3, you can use VLAN interfaces. VLAN
interfaces are virtual interfaces used for Layer 3 communication between different VLANs. They do
not exist as physical entities on devices. For each VLAN, you can create one VLAN interface and
assign an IP address to it. The VLAN interface acts as the gateway of the VLAN to forward packets
destined for another IP subnet.
When you configure a VLAN interface, follow these restrictions and guidelines:
• Before you create a VLAN interface for a VLAN, create the VLAN first.
• You cannot create a VLAN interface for a sub-VLAN. For more information about sub-VLANs,
see "Configuring super VLANs."
• You cannot create VLAN interfaces for secondary VLANs that have the following
characteristics:
{ Associated with the same primary VLAN.
{ Enabled with Layer 3 communication in VLAN interface view of the primary VLAN interface.
For more information about secondary VLANs, see "Configuring the private VLAN."
To configure basic settings of a VLAN interface:

Step Command Remarks

1. Enter system view. system-view N/A
If the VLAN interface already exists,
2. Create a VLAN interface you enter its view directly.
and enter VLAN interface interface vlan-interface
view. vlan-interface-id By default, no VLAN interface is
created.
3. Assign an IP address to ip address ip-address { mask | By default, no IP address is assigned to
the VLAN interface. mask-length } [ sub ] any VLAN interface.

4. Configure the description The default setting is the VLAN

of the VLAN interface. description text interface name. For example,
Vlan-interface1 Interface.
5. (Optional.) Specify a
member device for
forwarding the traffic on By default, no member devices are
service slot slot-number
the current VLAN specified.
interface.
6. Configure the MTU for the
VLAN interface. mtu size The default setting is 1500 bytes.

7. Configure the expected By default, the expected bandwidth (in

bandwidth of the interface. bandwidth bandwidth-value kbps) is the interface baud rate divided
by 1000.
8. (Optional.) Restore the
default settings for the default N/A
VLAN interface.
By default, a VLAN interface is not
9. (Optional.) Bring up the manually shut down. The VLAN
VLAN interface. undo shutdown interface is up if one or more ports in
the VLAN is up, and goes down if all
ports in the VLAN go down.

138
Configuring port-based VLANs
Introduction
Port-based VLANs group VLAN members by port. A port forwards packets from a VLAN only after it
is assigned to the VLAN.
Port link type
You can configure the link type of a port as access, trunk, or hybrid. The link types use the following
VLAN tag handling methods:
• Access—An access port can forward packets from only one VLAN and send these packets
untagged. An access port can connect a terminal device that does not support VLAN packets or
is used in scenarios that do not distinguish VLANs.
• Trunk—A trunk port can forward packets from multiple VLANs. Except packets from the port
VLAN ID (PVID), packets sent out of a trunk port are VLAN-tagged. Ports connecting network
devices are typically configured as trunk ports.
• Hybrid—A hybrid port can forward packets from multiple VLANs. The tagging status of the
packets forwarded by a hybrid port depends on the port configuration. Hybrid ports are typically
used in one-to-two VLAN mapping to remove SVLAN tags for downlink traffic. For more
information about one-to-two VLAN mapping, see "Configuring VLAN mapping."
PVID
The PVID identifies the default VLAN of a port.
When configuring the PVID on a port, follow these restrictions and guidelines:
• An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID
of the port.
• A trunk or hybrid port supports multiple VLANs and the PVID configuration.
• When you use the undo vlan command to delete the PVID of a port, either of the following
events occurs depending on the port link type:
{ For an access port, the PVID of the port changes to VLAN 1.
{ For a hybrid or trunk port, the PVID setting on the port does not change.
You can use a nonexistent VLAN as the PVID for a hybrid or trunk port, but not for an access
port.
• As a best practice, set the same PVID for a local port and its peer.
• To prevent a port from dropping packets from its PVID and untagged packets, assign the port to
its PVID.
How ports of different link types handle frames

Actions Access Trunk Hybrid

In the
inbound • If the PVID is permitted on the port, tags the frame with the
Tags the frame with the PVID tag.
direction for
PVID tag.
an untagged • If not, drops the frame.
frame
• Receives the
In the frame if its VLAN
inbound ID is the same as • Receives the frame if its VLAN is permitted on the port.
direction for the PVID.
• Drops the frame if its VLAN is not permitted on the port.
a tagged • Drops the frame if
frame its VLAN ID is
different from the

139
 Actions Access Trunk Hybrid
PVID.
• Removes the tag and
sends the frame if the
frame carries the PVID
tag and the port belongs Sends the frame if its VLAN is
In the to the PVID. permitted on the port. The
Removes the VLAN tag
outbound tagging status of the frame
and sends the frame. • Sends the frame without
direction depends on the port hybrid
removing the tag if its vlan command configuration.
VLAN is carried on the
port but is different from
the PVID.

In a VLAN-aware network, the default processing order for untagged packets is as follows, in
descending order of priority:
• MAC-based VLANs.
• IP subnet-based VLANs.
• Protocol-based VLANs.
• Port-based VLANs.

Assigning an access port to a VLAN

You can assign an access port to a VLAN in VLAN view or interface view.
Make sure the VLAN has been created.
Assigning one or multiple access ports to a VLAN in VLAN view

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter VLAN view. vlan vlan-id N/A
3. Assign one or a group of By default, all ports belong to
access ports to the VLAN. port interface-list
VLAN 1.

Assigning an access port to a VLAN in interface view

Step Command Remarks

1. Enter system view. system-view N/A

• Enter Layer 2 Ethernet • The configuration made in

interface view: Layer 2 Ethernet interface view
interface interface-type applies only to the port.
interface-number • The configuration made in
• Enter Layer 2 aggregate Layer 2 aggregate interface
interface view: view applies to the aggregate
interface interface and its aggregation
bridge-aggregation member ports. If the system
2. Enter interface view. fails to apply the configuration
interface-number
to an aggregation member
• Enter S-channel interface port, it skips the port and
view: moves to the next member
interface s-channel port. If the system fails to apply
interface-number.channel- the configuration to the
id aggregate interface, it stops
• Enter S-channel applying the configuration to
aggregate interface view: aggregation member ports.

140
 Step Command Remarks
interface • The configuration made in
schannel-aggregation S-channel interface view or
interface-number:channel- S-channel aggregate interface
id view applies only to the
interface. For more information
about S-channel interfaces and
S-channel aggregate
interfaces, see EVB
Configuration Guide.
3. Configure the link type of the By default, all ports are access
port as access. port link-type access
ports.
4. (Optional.) Assign the By default, all access ports belong to
access port to a VLAN. port access vlan vlan-id
VLAN 1.

Assigning a trunk port to a VLAN

A trunk port supports multiple VLANs. You can assign it to a VLAN in interface view.
When you assign a trunk port to a VLAN, follow these restrictions and guidelines:
• To change the link type of a port from trunk to hybrid or vice versa, set the link type to access
first.
• To enable a trunk port to transmit packets from its PVID, you must assign the trunk port to the
PVID by using the port trunk permit vlan command.
To assign a trunk port to one or multiple VLANs:

Step Command Remarks

1. Enter system view. system-view N/A
• The configuration made in
Layer 2 Ethernet interface
view applies only to the port.
• The configuration made in
• Enter Layer 2 Ethernet Layer 2 aggregate interface
interface view: view applies to the aggregate
interface interface-type interface and its aggregation
interface-number member ports. If the system
• Enter Layer 2 aggregate fails to apply the
interface view: configuration to an
interface aggregation member port, it
bridge-aggregation skips the port and moves to
interface-number the next member port. If the
2. Enter interface view. system fails to apply the
• Enter S-channel interface configuration to the
view: aggregate interface, it stops
interface s-channel applying the configuration to
interface-number.channel-id aggregation member ports.
• Enter S-channel aggregate • The configuration made in
interface view: S-channel interface view or
interface S-channel aggregate
schannel-aggregation interface view applies only to
interface-number:channel-id the interface. For more
information about S-channel
interfaces and S-channel
aggregate interfaces, see
EVB Configuration Guide.
3. Configure the link type of the port link-type trunk By default, all ports are access

141
 Step Command Remarks
port as trunk. ports.
4. Assign the trunk port to the port trunk permit vlan By default, a trunk port permits
specified VLANs. { vlan-id-list | all } only VLAN 1.
5. (Optional.) Configure the
PVID of the trunk port. port trunk pvid vlan vlan-id The default setting is VLAN 1.

Assigning a hybrid port to a VLAN

A hybrid port supports multiple VLANs. You can assign it to the specified VLANs in interface view.
Make sure the VLANs have been created.
When you assign a hybrid port to a VLAN, follow these restrictions and guidelines:
• To change the link type of a port from trunk to hybrid or vice versa, set the link type to access
first.
• To enable a hybrid port to transmit packets from its PVID, you must assign the hybrid port to the
PVID by using the port hybrid vlan command.
To assign a hybrid port to one or multiple VLANs:

Step Command Remarks

1. Enter system view. system-view N/A
• The configuration made in
Layer 2 Ethernet interface
view applies only to the port.
• The configuration made in
• Enter Layer 2 Ethernet Layer 2 aggregate interface
interface view: view applies to the aggregate
interface interface-type interface and its aggregation
interface-number member ports. If the system
• Enter Layer 2 aggregate fails to apply the
interface view: configuration to an
interface aggregation member port, it
bridge-aggregation skips the port and moves to
interface-number the next member port. If the
2. Enter interface view. system fails to apply the
• Enter S-channel interface configuration to the
view: aggregate interface, it stops
interface s-channel applying the configuration to
interface-number.channel-id aggregation member ports.
• Enter S-channel aggregate • The configuration made in
interface view: S-channel interface view or
interface S-channel aggregate
schannel-aggregation interface view applies only to
interface-number:channel-id the interface. For more
information about S-channel
interfaces and S-channel
aggregate interfaces, see
EVB Configuration Guide.
3. Configure the link type of the By default, all ports are access
port as hybrid. port link-type hybrid
ports.
By default, a hybrid port is an
4. Assign the hybrid port to the port hybrid vlan vlan-id-list untagged member of the VLAN to
specified VLANs. { tagged | untagged } which the port belongs when its
link type is access.

142
 Step Command Remarks
By default, the PVID of a hybrid
5. (Optional.) Configure the port is the ID of the VLAN to which
PVID of the hybrid port. port hybrid pvid vlan vlan-id
the port belongs when its link type
is access.

Configuring MAC-based VLANs

Introduction
This feature is available only on hybrid ports.
The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature
is usually used with security technologies such as 802.1X to provide secure and flexible network
access for terminal devices.
Static MAC-based VLAN assignment
Use static MAC-based VLAN assignment in networks that have a small number of VLAN users. To
configure static MAC-based VLAN assignment on a port, perform the following tasks:
1. Create MAC-to-VLAN entries.
2. Enable the MAC-based VLAN feature on the port.
3. Assign the port to the MAC-based VLAN.
A port configured with static MAC-based VLAN assignment processes a received frame as follows
before sending the frame out:
• For an untagged frame, the port determines its VLAN ID in the following workflow:
a. The port first performs a fuzzy match as follows:
− Searches for the MAC-to-VLAN entries whose masks are not all-Fs.
− Performs a logical AND operation on the source MAC address and each of these
masks.
If the result of an AND operation matches the MAC address in a MAC-to-VLAN entry,
the port tags the frame with the VLAN ID specific to this entry.
b. If the fuzzy match fails, the port performs an exact match. It searches for MAC-to-VLAN
entries whose masks are all-Fs. If the source MAC address of the frame matches the MAC
address of a MAC-to-VLAN entry, the port tags the frame with the VLAN ID specific to this
entry.
c. If no matching VLAN ID is found, other criteria, such as IP subnet or protocol, are used for
VLAN assignment.
d. If no VLAN is available, the port tags the frame with its PVID.
• For a tagged frame, the port determines whether the VLAN ID of the frame is permitted on the
port.
{ If the VLAN ID of the frame is permitted on the port, the port forwards the frame.
{ If the VLAN ID of the frame is not permitted on the port, the port drops the frame.
Dynamic MAC-based VLAN assignment
When you cannot determine the target MAC-based VLANs of a port, you can use dynamic
MAC-based VLAN assignment on the port. To use dynamic MAC-based VLAN assignment, perform
the following tasks:
1. Create MAC-to-VLAN entries.
2. Enable the MAC-based VLAN feature on the port.

143
3. Enable dynamic MAC-based VLAN assignment on the port.
Dynamic MAC-based VLAN assignment uses the following workflow, as shown in Figure 40:
4. When a port receives a frame, it first determines whether the frame is tagged.
{ If the frame is tagged, the port reports the source MAC address of the frame.
{ If the frame is untagged, the port selects a VLAN for the frame by using the following
matching order:
− MAC-based VLAN.
− IP subnet-based VLAN.
− Protocol-based VLAN.
− Port-based VLAN.
After tagging the frame with the selected VLAN, the port reports the source MAC address of
the frame.
5. The port uses the source address and VLAN of the frame to match the MAC-to VLAN entries.
{ If the source MAC address of the frame exactly matches the MAC address in a
MAC-to-VLAN entry, the port checks whether the VLAN ID of the frame matches the VLAN
in the entry.
− If the two VLAN IDs match, the port joins the VLAN and forwards the frame.
− If the two VLAN IDs do not match, the port drops the frame.
{ If the source MAC address of the frame does not match any MAC addresses in
MAC-to-VLAN entries exactly, the port checks whether the VLAN ID of the frame is its PVID.
− If the VLAN ID of the frame is the PVID of the port, the port determines whether it allows
the PVID. If the PVID is allowed, the port forwards the frame within the PVID. If the PVID
is not allowed, the port drops the frame.
− If the VLAN ID of the frame is not the PVID of the port, the port matches the VLAN ID of
the frame by using other criteria, such as IP subnet or protocol, and forwards the frame.
If no VLAN is available, the port drops the frame.

144
 Figure 40 Flowchart for processing a frame in dynamic MAC-based VLAN assignment
The port receives a
frame

No
Tagged frame ?

Yes

Selects a VLAN for the

Reports the source MAC
frame

Match MAC and VLAN

of the frame against
MAC-to-VLAN entries

MAC addresses No No Assigns a VLAN by

VLAN ID match the
exactly match? using other criteria
port PVID?
Yes Yes

No VLAN IDs No No Available VLAN

PVID allowed? Drops the frame
match? exists?

Yes Yes Yes

Forwards the frame in

Drops the frame Joins the VLAN
the VLAN

When you configure dynamic MAC-based VLAN assignment, follow these guidelines:
• When a port joins a VLAN specified in the MAC-to-VLAN entry, one of the following events
occurs depending on the port configuration:
{ If the port has not been configured to allow packets from the VLAN to pass through, the port
joins the VLAN as an untagged member.
{ If the port has been configured to allow packets from the VLAN to pass through, the port
configuration remains the same.
• If you configure both static and dynamic MAC-based VLAN assignments on a port, dynamic
MAC-based VLAN assignment takes effect.
• When a packet matches a MAC-to-VLAN entry, the device determines a forwarding policy for
the packet according to the 802.1p priority of the VLAN in the MAC-to-VLAN entry.
Server-assigned MAC-based VLAN
Use the server-assigned MAC-based VLAN feature with access authentication, such as MAC-based
802.1X authentication, to implement secure and flexible terminal access. In addition to configuring
the server-assigned MAC-based VLAN feature on the device, you must configure the
username-to-VLAN entries on the access authentication server.
When a user passes authentication of the access authentication server, the server issues the VLAN
ID for the user to the device. The device then performs the following operations:
1. Generates a MAC-to-VLAN entry by using the source MAC address of the user packet and the
received VLAN ID. The VLAN is a MAC-based VLAN.
2. Assigns the port that connects the user to the MAC-based VLAN.
When the user goes offline, the device automatically deletes the MAC-to-VLAN entry and removes
the port from the MAC-based VLAN. For more information about 802.1X and MAC authentication,
see Security Configuration Guide.

145
Configuration restrictions and guidelines
When you configure MAC-based VLANs, follow these restrictions and guideline:
• Do not configure a VLAN as both a super VLAN and a MAC-based VLAN.
• As a best practice, do not set the MAC learning limit or disable MAC address learning when you
enable dynamic MAC-based VLAN assignment.
When dynamic MAC-based VLAN assignment is enabled on a port, packets received on the
port are delivered to the CPU. Processing to these packets has the highest priority. The
configuration of MAC learning limit and disabling of MAC address learning cannot take effect.
• Do not use dynamic MAC-based VLAN assignment together with 802.1X or MAC
authentication.
• For successful dynamic MAC-based VLAN assignment, use static VLANs when you create
MAC-to-VLAN entries.
• The MAC-based VLAN feature is mainly configured on downlink ports of user access devices.
Do not enable this function with link aggregation.
• As a best practice, do not use dynamic MAC-based VLAN assignment together with MSTP. In
MSTP mode, if a port is blocked in the MSTI of the target VLAN, the port drops the received
packets instead of delivering them to the CPU. As a result, the receiving port will not be
dynamically assigned to the VLAN.
• As a best practice, do not use dynamic MAC-based VLAN assignment together with PVST. In
PVST mode, if the target VLAN is not permitted on a port, the port is placed in blocked state.
The received packets are dropped instead of being delivered to the CPU. As a result, the
receiving port will not be dynamically assigned to the VLAN.
• As a best practice, do not configure both dynamic MAC-based VLAN assignment and automatic
voice VLAN assignment mode on a port. If you have to configure both of them on a port,
configure dynamic MAC-based VLAN assignment first. If you configure them in a reverse order,
conflict will occur. When you remove one of the configurations, the operation of the other is
affected.

Configuring static MAC-based VLAN assignment

Step Command Remarks
1. Enter system view. system-view N/A

2. Create a MAC-to-VLAN mac-vlan mac-address mac-address

entry. [ mask mac-mask ] vlan vlan-id N/A
[ dot1q priority ]

3. Enter Layer 2 Ethernet interface interface-type

interface view. N/A
interface-number

4. Configure the link type of By default, all ports are access

the port as hybrid. port link-type hybrid
ports.

5. Configure the hybrid port By default, a hybrid port is an

to forward packets from port hybrid vlan vlan-id-list { tagged | untagged member of the VLAN to
the MAC-based VLANs. untagged } which the port belongs when its
link type is access.
6. Enable the MAC-based By default, this feature is
VLAN feature. mac-vlan enable
disabled.

(Optional.) Configure By default, the system assigns

7. vlan precedence { mac-vlan |
VLAN matching order. VLANs based on the MAC
ip-subnet-vlan }
address preferentially.

146
Configuring dynamic MAC-based VLAN assignment
Step Command Remarks
1. Enter system view. system-view N/A
The VLAN assignment for a port is
triggered only when the source
Create a MAC-to-VLAN mac-vlan mac-address
2. MAC address of its receiving
entry. mac-address vlan vlan-id [ dot1q
packet exactly matches the MAC
priority ]
address in the MAC-to-VLAN
entry.
3. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
4. Configure the link type of By default, all ports are access
the port as hybrid. port link-type hybrid
ports.
5. Enable the MAC-based By default, MAC-based VLAN is
VLAN feature. mac-vlan enable
disabled.
6. Enable dynamic
MAC-based VLAN By default, dynamic MAC-based
mac-vlan trigger enable
assignment. VLAN assignment is disabled.

By default, the system assigns

VLANs based on the MAC address
preferentially..
As a best practice to ensure the
priority of MAC-based VLAN
7. (Optional.) Configure vlan precedence { mac-vlan | matching, configure the vlan
VLAN matching order. ip-subnet-vlan } precedence mac-vlan command
when you enable dynamic
MAC-based VLAN assignment. If
you execute the vlan precedence
ip-subnet-vlan command, the
command will not take effect.
8. (Optional.) Disable the
port from forwarding By default, when a port receives
packets that fail the exact packets whose source MAC
port pvid forbidden
MAC address match in its addresses fail the exact match, the
PVID. port forwards them in its PVID.

Configuring server-assigned MAC-based VLAN

Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
3. Configure the link type of the By default, all ports are access
ports as hybrid. port link-type hybrid
ports.

4. Configure the hybrid port to By default, a hybrid port is an

forward packets from the port hybrid vlan vlan-id-list untagged member of the VLAN
MAC-based VLANs. { tagged | untagged } to which the port belongs when
its link type is access.
5. Enable the MAC-based By default, MAC-based VLAN is
VLAN feature. mac-vlan enable
disabled.

147
 Step Command Remarks
6. Configure 802.1X or MAC For more information, see Security
authentication. N/A
Command Reference.

Configuring IP subnet-based VLANs

In this method, packets are assigned to VLANs based on their source IP addresses and subnet
masks. A port configured with IP subnet-based VLANs assigns a received untagged packet to a
VLAN based on the source address of the packet.
Use this feature when packets from an IP subnet or IP address must be transmitted in a VLAN.
This feature is available only on hybrid ports, and it processes only untagged packets.
An IP subnet-based VLAN has one or multiple subnets to match inbound packets. Each subnet has
a unique index in the IP subnet-based VLAN. All subnets in an IP subnet-based VLAN have the
same VLAN ID.
To configure a IP subnet-based VLAN:

Task Command Remarks

1. Enter system view. system-view N/A
2. Enter VLAN view. vlan vlan-id N/A
By default, a VLAN is not associated
3. Associate an IP with any IP subnets or IP addresses.
subnet or IP ip-subnet-vlan [ ip-subnet-index ] ip
address with the ip-address [ mask ] A multicast subnet or a multicast
VLAN. address cannot be associated with a
VLAN.
4. Return to system
view. quit N/A

• The configurations made in Layer

2 Ethernet interface view apply
only to the port.
• The configurations made in Layer
• Enter Layer 2 Ethernet interface 2 aggregate interface view apply
view: to the aggregate interface and its
interface interface-type aggregation member ports. If the
interface-number system fails to apply the
5. Enter interface view.
• Enter Layer 2 aggregate interface configurations to the aggregate
view: interface, it stops applying the
interface bridge-aggregation configurations to the aggregation
interface-number member ports. If the system fails
to apply the configurations to an
aggregation member port, it skips
the port and moves to the next
member port.
6. Configure the port
link type as hybrid. port link-type hybrid By default, all ports are access ports.

7. Assign the hybrid By default, a hybrid port is an

port to the specified port hybrid vlan vlan-id-list { tagged | untagged member of the VLAN to
IP subnet-based untagged } which the port belongs when its link
VLANs. type is access.
8. Associate the hybrid
port with the port hybrid ip-subnet-vlan vlan By default, no IP subnet-based VLAN
specified IP vlan-id is associated with a hybrid port.
subnet-based

148
 Task Command Remarks
VLAN.

Configuring protocol-based VLANs

The protocol-based VLAN feature assigns inbound packets to different VLANs based on their
protocol types and encapsulation formats. The protocols available for VLAN assignment include IP,
IPX, and AT. The encapsulation formats include Ethernet II, 802.3 raw, 802.2 LLC, and 802.2 SNAP.
A protocol template defines a protocol type and an encapsulation format. A combination of a
protocol-based VLAN ID and a protocol index uniquely identify a protocol template. You can assign
multiple protocol templates to a protocol-based VLAN.
This feature is available only on hybrid ports, and it processes only untagged packets. It associates
the available network service types with VLANs and facilitates network management and
maintenance.
A protocol-based VLAN has one or multiple protocol templates. A protocol template defines a
protocol type and an encapsulation format as the match criteria to match inbound packets. Each
protocol template has a unique index in the protocol-based VLAN. All protocol templates in a
protocol-based VLAN have the same VLAN ID.
For a port to assign inbound packets to protocol-based VLANs, perform the following tasks:
• Assign the port to the protocol-based VLANs.
• Associate the port with the protocol templates of the protocol-based VLANs.
When an untagged packet arrives at the port, the port processes the packet as follows:
• If the protocol type and encapsulation format in the packet match a protocol template, the port
tags the packet with the VLAN tag specific to the protocol template.
• If no protocol templates are matched, the port tags the packet with its PVID.
The voice VLAN in automatic mode processes only tagged voice traffic. Do not configure a VLAN as
both a protocol-based VLAN and a voice VLAN.
To configure a protocol-based VLAN:

Step Command Remarks

1. Enter system view. system-view N/A
If the specified VLAN does not exist, this
2. Enter VLAN view. vlan vlan-id command first creates the VLAN and
enters VLAN view of this VLAN.
protocol-vlan
[ protocol-index ] { at | ipv4 |
ipv6 | ipx { ethernetii | llc |
3. Create a protocol snap } | mode { ethernetii By default, no protocol template is
template for the VLAN. etype etype-id | llc { dsap configured for a VLAN.
dsap-id [ ssap ssap-id ] | ssap
ssap-id } | snap etype
etype-id } }
4. Exit VLAN view. quit N/A
• Enter Layer 2 Ethernet • The configurations made in Layer 2
interface view: Ethernet interface view apply only
interface interface-type to the port.
5. Enter interface view.
interface-number • The configurations made in Layer 2
• Enter Layer 2 aggregate aggregate interface view apply to
interface view: the aggregate interface and its

149
 Step Command Remarks
interface aggregation member ports. If the
bridge-aggregation system fails to apply the
interface-number configurations to the aggregate
interface, it stops applying the
configurations to aggregation
member ports. If the system fails to
apply the configurations to an
aggregation member port, it skips
the port and moves to the next
member port.
6. Configure the port link
type as hybrid. port link-type hybrid By default, all ports are access ports.

7. Assign the hybrid port to By default, a hybrid port is an untagged

the specified port hybrid vlan vlan-id-list
member of the VLAN to which the port
protocol-based VLANs. { tagged | untagged }
belongs when its link type is access.
8. Associate the hybrid port port hybrid protocol-vlan
with the specified By default, a port is not associated with
vlan vlan-id { protocol-index
protocol-based VLAN. any protocol-based VLANs.
[ to protocol-end ] | all }

Configuring a VLAN group

After you configure a VLAN group on the device, the authentication sever can assign the VLAN
group name to the 802.1X user that passes authentication. The VLAN group name identifies this
group of VLANs. For more information about 802.1X authentication, see Security Configuration
Guide.
To configure a VLAN group:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a VLAN group and
enter VLAN group view. vlan-group group-name By default, no VLAN group exists.

3. Add VLANs to the VLAN By default, no VLAN exists in a

group. vlan-list vlan-id-list
VLAN group.

Displaying and maintaining VLANs

Execute display commands in any view.

Task Command
display interface vlan-interface [ brief [ description |
down ] ]
Display VLAN interface information.
display interface vlan-interface interface-number [ brief
[ description ] ]
display mac-vlan { all | dynamic | mac-address
Display MAC-to-VLAN entries.
mac-address [ mask mac-mask ] | static | vlan vlan-id }
Display all ports that are enabled with the
display mac-vlan interface
MAC-based VLAN feature.
Display information about IP subnet-based display ip-subnet-vlan interface { interface-type
VLANs that are associated with the specified interface-number1 [ to interface-type interface-number2 ] |

150
 Task Command
ports. all }
Display information about IP subnet-based
display ip-subnet-vlan vlan { vlan-id1 [ to vlan-id2 ] | all }
VLANs.
Display information about protocol-based display protocol-vlan interface { interface-type
VLANs that are associated with the specified interface-number1 [ to interface-type interface-number2 ] |
ports. all }
Display information about protocol-based
display protocol-vlan vlan { vlan-id1 [ to vlan-id2 ] | all }
VLANs.
display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic |
Display VLAN information.
reserved | static ]
Display brief VLAN information. display vlan brief
Display VLAN group information. display vlan-group [ group-name ]
Display hybrid ports or trunk ports on the
display port { hybrid | trunk }
device.

VLAN configuration examples

Port-based VLAN configuration example
Network requirements
As shown in Figure 41:
• Host A and Host C belong to Department A. VLAN 100 is assigned to Department A.
• Host B and Host D belong to Department B. VLAN 200 is assigned to Department B.
Configure port-based VLANs so that only hosts in the same department can communicate with each
other.
Figure 41 Network diagram

Configuration procedure
1. Configure Device A:
# Create VLAN 100, and assign Ten-GigabitEthernet 1/0/1 to VLAN 100.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] port ten-gigabitethernet 1/0/1
[DeviceA-vlan100] quit
# Create VLAN 200, and assign Ten-GigabitEthernet 1/0/2 to VLAN 200.

151
 [DeviceA] vlan 200
[DeviceA-vlan200] port ten-gigabitethernet 1/0/2
[DeviceA-vlan200] quit
# Configure Ten-GigabitEthernet 1/0/3 as a trunk port to forward packets from VLANs 100 and
200 to Device B.
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/3] port trunk permit vlan 100 200
Please wait... Done.
2. Configure Device B in the same way Device A is configured. (Details not shown.)
3. Configure hosts:
{ Configure Host A and Host C to be on the same IP subnet. For example, 192.168.100.0/24.
{ Configure Host B and Host D to be on the same IP subnet. For example, 192.168.200.0/24.
Verifying the configuration
# Verify that Host A and Host C can ping each other, but they both fail to ping Host B. (Details not
shown.)
# Verify that Host B and Host D can ping each other, but they both fail to ping Host A. (Details not
shown.)
# Verify that VLANs 100 and 200 are correctly configured on devices, for example, on Device A.
[DeviceA-Ten-GigabitEthernet1/0/3] display vlan 100
VLAN ID: 100
VLAN type: Static
Route interface: Not configured
Description: VLAN 0100
Name: VLAN 0100
Tagged ports:
Ten-GigabitEthernet1/0/3
Untagged ports:
Ten-GigabitEthernet1/0/1
[DeviceA-Ten-GigabitEthernet1/0/3] display vlan 200
VLAN ID: 200
VLAN type: Static
Route interface: Not configured
Description: VLAN 0200
Name: VLAN 0200
Tagged ports:
Ten-GigabitEthernet1/0/3
Untagged ports:
Ten-GigabitEthernet1/0/2

MAC-based VLAN configuration example

Network requirements
As shown in Figure 42:
• Ten-GigabitEthernet 1/0/1 of Device A and Device C are each connected to a meeting room.
Laptop 1 and Laptop 2 are used for meetings and might be used in either of the two meeting
rooms.

152
 • Different departments own Laptop 1 and Laptop 2. The two departments use VLANs 100 and
200, respectively.
Configure MAC-based VLANs, so that each laptop is able to access only its own department server,
no matter which meeting room they are used in.
Figure 42 Network diagram

Configuration procedure
1. Configure Device A:
# Create VLANs 100 and 200.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] quit
[DeviceA] vlan 200
[DeviceA-vlan200] quit
# Associate the MAC addresses of Laptop 1 and Laptop 2 with VLANs 100 and 200,
respectively.
[DeviceA] mac-vlan mac-address 000d-88f8-4e71 vlan 100
[DeviceA] mac-vlan mac-address 0014-222c-aa69 vlan 200
# Configure Ten-GigabitEthernet 1/0/1 as a hybrid port to forward packets from VLANs 100 and
200 without VLAN tags.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-type hybrid
[DeviceA-Ten-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged
# Enable the MAC-based VLAN feature on Ten-GigabitEthernet 1/0/1.
[DeviceA-Ten-GigabitEthernet1/0/1] mac-vlan enable
[DeviceA-Ten-GigabitEthernet1/0/1] quit
# Configure the uplink port Ten-GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs
100 and 200.
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-type trunk

153
 [DeviceA-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[DeviceA-Ten-GigabitEthernet1/0/2] quit
2. Configure Device B:
# Create VLAN 100 and assign Ten-GigabitEthernet 1/0/13 to VLAN 100.
<DeviceB> system-view
[DeviceB] vlan 100
[DeviceB-vlan100] port ten-gigabitethernet 1/0/13
[DeviceB-vlan100] quit
# Create VLAN 200 and assign Ten-GigabitEthernet 1/0/14 to VLAN 200.
[DeviceB] vlan 200
[DeviceB-vlan200] port ten-gigabitethernet 1/0/14
[DeviceB-vlan200] quit
# Configure Ten-GigabitEthernet 1/0/3 as a trunk port, and assign the port to VLANs 100 and
200.
[DeviceB] interface ten-gigabitethernet 1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/3] port trunk permit vlan 100 200
[DeviceB-Ten-GigabitEthernet1/0/3] quit
# Configure Ten-GigabitEthernet 1/0/4 as a trunk port, and assign the port to VLANs 100 and
200.
[DeviceB] interface ten-gigabitethernet 1/0/4
[DeviceB-Ten-GigabitEthernet1/0/4] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/4] port trunk permit vlan 100 200
[DeviceB-Ten-GigabitEthernet1/0/4] quit
3. Configure Device C in the same way as the Device A is configured. (Details not shown.)
Verifying the configuration
# Verify that Laptop 1 can access only Server 1, and Laptop 2 can access only Server 2. (Details not
shown.)
# Verify the MAC-to-VLAN entries on Device A and Device C, for example, Device A.
[DeviceA] display mac-vlan all
The following MAC VLAN addresses exist:
S:Static D:Dynamic
MAC address Mask VLAN ID Dot1q State
000d-88f8-4e71 ffff-ffff-ffff 100 0 S
0014-222c-aa69 ffff-ffff-ffff 200 0 S

Total MAC VLAN address count: 2

IP subnet-based VLAN configuration example

Network requirements
As shown in Figure 43, the hosts in the office belong to different IP subnets.
Configure Device C to transmit packets from 192.168.5.0/24 and 192.168.50.0/24 in VLANs 100 and
200, respectively.

154
 Figure 43 Network diagram

Configuration procedure
1. Configure Device C:
# Associate IP subnet 192.168.5.0/24 with VLAN 100.
<DeviceC> system-view
[DeviceC] vlan 100
[DeviceC-vlan100] ip-subnet-vlan ip 192.168.5.0 255.255.255.0
[DeviceC-vlan100] quit
# Associate IP subnet 192.168.50.0/24 with VLAN 200.
[DeviceC] vlan 200
[DeviceC-vlan200] ip-subnet-vlan ip 192.168.50.0 255.255.255.0
[DeviceC-vlan200] quit
# Configure Ten-GigabitEthernet 1/0/11 as a hybrid port, and assign it to VLAN 100 as a tagged
VLAN member.
[DeviceC] interface ten-gigabitethernet 1/0/11
[DeviceC-Ten-GigabitEthernet1/0/11] port link-type hybrid
[DeviceC-Ten-GigabitEthernet1/0/11] port hybrid vlan 100 tagged
[DeviceC-Ten-GigabitEthernet1/0/11] quit
# Configure Ten-GigabitEthernet1/0/12 as a hybrid port, and assign it to VLAN 200 as a tagged
VLAN member.
[DeviceC] interface ten-gigabitethernet 1/0/12
[DeviceC-Ten-GigabitEthernet1/0/12] port link-type hybrid
[DeviceC-Ten-GigabitEthernet1/0/12] port hybrid vlan 200 tagged
[DeviceC-Ten-GigabitEthernet1/0/12] quit
# Configure Ten-GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as
an untagged VLAN member.
[DeviceC] interface ten-gigabitethernet 1/0/1

155
 [DeviceC-Ten-GigabitEthernet1/0/1] port link-type hybrid
[DeviceC-Ten-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged
# Associate Ten-GigabitEthernet 1/0/1 with IP subnet-based VLANs 100 and 200.
[DeviceC-Ten-GigabitEthernet1/0/1] port hybrid ip-subnet-vlan vlan 100
[DeviceC-Ten-GigabitEthernet1/0/1] port hybrid ip-subnet-vlan vlan 200
[DeviceC-Ten-GigabitEthernet1/0/1] quit
2. Configure Device A and Device B to forward packets from VLANs 100 and 200, respectively.
(Details not shown.)
Verifying the configuration
# Display information about all IP subnet-based VLANs.
[DeviceC] display ip-subnet-vlan vlan all
VLAN ID: 100
Subnet index IP address Subnet mask
0 192.168.5.0 255.255.255.0

VLAN ID: 200

Subnet index IP address Subnet mask
0 192.168.50.0 255.255.255.0

# Display IP subnet-based VLANs on Ten-GigabitEthernet 1/0/1.

[DeviceC] display ip-subnet-vlan interface ten-gigabitethernet 1/0/1
Interface: Ten-GigabitEthernet1/0/1
VLAN ID Subnet index IP address Subnet mask Status
100 0 192.168.5.0 255.255.255.0 Active
200 0 192.168.50.0 255.255.255.0 Active

Protocol-based VLAN configuration example

Network requirements
As shown in Figure 44:
• The majority of hosts in a lab environment run the IPv4 protocol.
• The other hosts run the IPv6 protocol for teaching purposes.
To isolate IPv4 and IPv6 traffic at Layer 2, configure protocol-based VLANs to associate the IPv4 and
ARP protocols with VLAN 100, and associate the IPv6 protocol with VLAN 200.

156
 Figure 44 Network diagram
VLAN 100 VLAN 200

IPv4 server IPv6 server

XGE1/0/11
XGE1/0/12

XGE1/0/1 XGE1/0/2
Device

L2 Switch A L2 Switch B

IPv4 Host A IPv6 Host A IPv4 Host B IPv6 Host B

VLAN 100 VLAN 200 VLAN 100 VLAN 200

Configuration procedure
In this example, L2 Switch A and L2 Switch B use the factory configuration.
1. Configure Device:
# Create VLAN 100, and configure the description for VLAN 100 as protocol VLAN for IPv4.
<Device> system-view
[Device] vlan 100
[Device-vlan100] description protocol VLAN for IPv4
# Assign Ten-GigabitEthernet 1/0/11 to VLAN 100.
[Device-vlan100] port ten-gigabitethernet 1/0/11
[Device-vlan100] quit
# Create VLAN 200, and configure the description for VLAN 200 as protocol VLAN for IPv6.
[Device] vlan 200
[Device-vlan200] description protocol VLAN for IPv6
# Assign Ten-GigabitEthernet 1/0/12 to VLAN 200.
[Device-vlan200] port ten-gigabitethernet 1/0/12
# Configure VLAN 200 as a protocol-based VLAN, and create an IPv6 protocol template with
the index 1 for VLAN 200.
[Device-vlan200] protocol-vlan 1 ipv6
[Device-vlan200] quit
# Configure VLAN 100 as a protocol-based VLAN, and create an IPv4 protocol template with
the index 1 for VLAN 100.
[Device] vlan 100
[Device-vlan100] protocol-vlan 1 ipv4
# Create an ARP protocol template with the index 2 for VLAN 100. (In Ethernet II encapsulation,
the protocol type ID for ARP is 0x0806.)
[Device-vlan100] protocol-vlan 2 mode ethernetii etype 0806
[Device-vlan100] quit

157
 # Configure Ten-GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as
an untagged VLAN member.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] port link-type hybrid
[Device-Ten-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged
# Associate Ten-GigabitEthernet 1/0/1 with the IPv4 and ARP protocol templates of VLAN 100
and the IPv6 protocol template of VLAN 200.
[Device-Ten-GigabitEthernet1/0/1] port hybrid protocol-vlan vlan 100 1 to 2
[Device-Ten-GigabitEthernet1/0/1] port hybrid protocol-vlan vlan 200 1
[Device-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a hybrid port, and assign it to VLANs 100 and 200 as
an untagged VLAN member.
[Device] interface ten-gigabitethernet 1/0/2
[Device-Ten-GigabitEthernet1/0/2] port link-type hybrid
[Device-Ten-GigabitEthernet1/0/2] port hybrid vlan 100 200 untagged
# Associate Ten-GigabitEthernet 1/0/2 with the IPv4 and ARP protocol templates of VLAN 100
and the IPv6 protocol template of VLAN 200.
[Device-Ten-GigabitEthernet1/0/2] port hybrid protocol-vlan vlan 100 1 to 2
[Device-Ten-GigabitEthernet1/0/2] port hybrid protocol-vlan vlan 200 1
[Device-Ten-GigabitEthernet1/0/2] quit
2. Configure hosts and servers:
a. Configure IPv4 Host A, IPv4 Host B, and IPv4 server to be on the same network segment
(192.168.100.0/24, for example). (Details not shown.)
b. Configure IPv6 Host A, IPv6 Host B, and IPv6 server to be on the same network segment
(2001::1/64, for example). (Details not shown.)
Verifying the configuration
1. Verify the following:
{ The hosts and the server in VLAN 100 can successfully ping one another. (Details not
shown.)
{ The hosts and the server in VLAN 200 can successfully ping one another. (Details not
shown.)
{ The hosts or the server in VLAN 100 cannot ping the hosts or server in VLAN 200. (Details
not shown.)
2. Verify the protocol-based VLAN configuration:
# Display protocol-based VLANs on Device.
[Device] display protocol-vlan vlan all
VLAN ID: 100
Protocol index Protocol type
1 IPv4
2 Ethernet II Etype 0x0806

VLAN ID: 200

Protocol index Protocol type
1 IPv6
# Display protocol-based VLANs on the ports of Device.
[Device] display protocol-vlan interface all
Interface: Ten-GigabitEthernet1/0/1
VLAN ID Protocol index Protocol type Status

158
100 1 IPv4 Active
100 2 Ethernet II Etype 0x0806 Active
200 1 IPv6 Active

Interface: Ten-GigabitEthernet 1/0/2

VLAN ID Protocol index Protocol type Status
100 1 IPv4 Active
100 2 Ethernet II Etype 0x0806 Active
200 1 IPv6 Active

159
Configuring super VLANs
Hosts in a VLAN typically use IP addresses in the same subnet. For Layer 3 interoperability with
other VLANs, you can create a VLAN interface for the VLAN and assign an IP address to it. This
requires a large number of IP addresses.
The super VLAN feature was introduced to save IP addresses. A super VLAN is associated with
multiple sub-VLANs. These sub-VLANs use the VLAN interface of the super VLAN (also known as a
super VLAN interface) as the gateway for Layer 3 communication.
You can create a VLAN interface for a super VLAN and assign an IP address to it. However, you
cannot create a VLAN interface for a sub-VLAN. You can assign a physical port to a sub-VLAN, but
you cannot assign a physical port to a super VLAN. Sub-VLANs are isolated at Layer 2.
You can enable Layer 3 communication between sub-VLANs by performing the following tasks:
1. Create a super VLAN and the super VLAN interface.
2. Enable local proxy ARP or ND on the super VLAN interface as follows:
{ In an IPv4 network, enable local proxy ARP on the super VLAN interface. The super VLAN
can then process ARP requests and replies sent from the sub-VLANs.
{ In an IPv6 network, enable local proxy ND on the super VLAN interface. The super VLAN
can forward and process the NS and NA messages sent from the sub-VLANs.

Super VLAN configuration task list

Tasks at a glance
(Required.) Creating a sub-VLAN
(Required.) Configuring a super VLAN
(Required.) Configuring a super VLAN interface

Creating a sub-VLAN
Step Command Remarks
1. Enter system view. system-view N/A

2. Create a sub-VLAN. By default, only the system default VLAN (VLAN 1)

vlan vlan-id
exists.

Configuring a super VLAN

When you configure a super VLAN, follow these restrictions and guidelines:
• Do not configure a VLAN as both a super VLAN and a guest VLAN, Auth-Fail VLAN, or critical
VLAN for a port, and vice versa. For more information about guest VLANs, Auth-Fail VLANs,
and critical VLANs, see Security Configuration Guide.
• Do not configure a VLAN as both a super VLAN and a MAC-based VLAN.
• Do not configure a VLAN as both a super VLAN and a sub-VLAN.
• You can configure Layer 2 multicast for super VLANs. However, the configuration does not take
effect because super VLANs do not have physical ports.

160
 To configure a super VLAN:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter VLAN view. vlan vlan-id N/A
3. Configure the VLAN as a
super VLAN. supervlan By default, a VLAN is not a super VLAN.

By default, a super VLAN is not associated with any

4. Associate the super VLAN sub-VLANs.
with the sub-VLANs. subvlan vlan-id-list
Make sure the sub-VLANs already exist before
associating them with a super VLAN.

Configuring a super VLAN interface

As a best practice, do not configure VRRP for the VLAN interface of a super VLAN because the
configuration affects network performance. For more information about VRRP, see High Availability
Configuration Guide.
To configure a super VLAN interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a VLAN
interface and enter its interface vlan-interface The vlan-interface-id argument must
view. vlan-interface-id be the super VLAN ID.

• Configure an IPv4 address:

ip address ip-address
3. Configure an IP { mask-length | mask } [ sub ]
address for the VLAN By default, no IP address is
interface of the super • Configure an IPv6 address:
configured for a VLAN interface.
VLAN. ipv6 address { ipv6-address
prefix-length |
ipv6-address/prefix-length }
By default:
• Sub-VLANs cannot
communicate with each other at
Layer 3.
• Enable local proxy ARP for • Local proxy ARP or ND is
4. (Optional.) Configure devices that run IPv4 protocols: disabled.
Layer 3 local-proxy-arp enable
For more information about local
communication • Enable local proxy ND for proxy ARP and proxy ND, see Layer
between sub-VLANs. devices that run IPv6 protocols: 3—IP Services Configuration Guide.
local-proxy-nd enable
For more information about
local-proxy-arp enable and
local-proxy-nd enable commands,
see Layer 3—IP Services Command
Reference.

Displaying and maintaining super VLANs

Execute display commands in any view.

161
 Task Command
Display information about super VLANs and all
display supervlan [ supervlan-id ]
sub-VLANs associated with each super VLAN.

Super VLAN configuration example

Network requirements
As shown in Figure 45:
• Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 are in VLAN 2.
• Ten-GigabitEthernet 1/0/3 and Ten-GigabitEthernet 1/0/4 are in VLAN 3.
• Ten-GigabitEthernet 1/0/5 and Ten-GigabitEthernet 1/0/6 are in VLAN 5.
To save IP addresses and enable sub-VLANs to be isolated at Layer 2 but interoperable at Layer 3,
perform the following tasks:
• Create a super VLAN and assign an IP address to its VLAN interface.
• Associate the super VLAN with VLANs 2, 3, and 5.
Figure 45 Network diagram

VLAN 2
XGE1/0/1 XGE1/0/2 Vlan-int10
XGE1/0/3 10.1.1.1/24
XGE1/0/4
Device A
XGE1/0/5 XGE1/0/6 Device B
VLAN 3

VLAN 5

Configuration procedure
# Create VLAN 10, and configure its VLAN interface IP address as 10.1.1.1/24.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] quit
[DeviceA] interface vlan-interface 10
[DeviceA-Vlan-interface10] ip address 10.1.1.1 255.255.255.0

# Enable local proxy ARP.

[DeviceA-Vlan-interface10] local-proxy-arp enable
[DeviceA-Vlan-interface10] quit

# Create VLAN 2, and assign Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 to the VLAN.
[DeviceA] vlan 2
[DeviceA-vlan2] port ten-gigabitethernet 1/0/1 ten-gigabitethernet 1/0/2
[DeviceA-vlan2] quit

# Create VLAN 3, and assign Ten-GigabitEthernet 1/0/3 and Ten-GigabitEthernet 1/0/4 to the VLAN.

162
 [DeviceA] vlan 3
[DeviceA-vlan3] port ten-gigabitethernet 1/0/3 ten-gigabitethernet 1/0/4
[DeviceA-vlan3] quit

# Create VLAN 5, and assign Ten-GigabitEthernet 1/0/5 and Ten-GigabitEthernet 1/0/6 to the VLAN.
[DeviceA] vlan 5
[DeviceA-vlan5] port ten-gigabitethernet 1/0/5 ten-gigabitethernet 1/0/6
[DeviceA-vlan5] quit

# Configure VLAN 10 as a super VLAN, and associate sub-VLANs 2, 3, and 5 with the super VLAN.
[DeviceA] vlan 10
[DeviceA-vlan10] supervlan
[DeviceA-vlan10] subvlan 2 3 5
[DeviceA-vlan10] quit
[DeviceA] quit

Verifying the configuration

# Display information about super VLAN 10 and its associated sub-VLANs.
<DeviceA> display supervlan
Super VLAN ID: 10
Sub-VLAN ID: 2-3 5

VLAN ID: 10
VLAN type: Static
It is a super VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0010
Name: VLAN 0010
Tagged ports: none
Untagged ports: none

VLAN ID: 2
VLAN type: Static
It is a sub VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0002
Name: VLAN 0002
Tagged ports: none
Untagged ports:
Ten-GigabitEthernet1/0/1 Ten-GigabitEthernet1/0/2

VLAN ID: 3
VLAN type: Static
It is a sub VLAN.
Route interface: Configured

163
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0003
Name: VLAN 0003
Tagged ports: none
Untagged ports:
Ten-GigabitEthernet1/0/3 Ten-GigabitEthernet1/0/4

VLAN ID: 5
VLAN type: Static
It is a sub VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0005
Name: VLAN 0005
Tagged ports: none
Untagged ports:
Ten-GigabitEthernet1/0/5 Ten-GigabitEthernet1/0/6

164
Configuring the private VLAN
The private VLAN feature uses a two-tier VLAN structure, including a primary VLAN and secondary
VLANs. This feature simplifies the network configuration and saves VLAN resources.
A primary VLAN is used for upstream data exchange. A primary VLAN can be associated with
multiple secondary VLANs. Because the upstream device identifies only the primary VLAN and not
the secondary VLANs, network configuration is simplified and VLAN resources are saved.
Secondary VLANs are isolated at Layer 2. To enable Layer 3 communication between secondary
VLANs associated with the same primary VLAN, you can enable local proxy ARP or ND on the
upstream device (for example, Device A in Figure 46).
As shown in Figure 46, the private VLAN feature is enabled on Device B. VLAN 10 is the primary
VLAN. VLAN 2, VLAN 5, and VLAN 8 are secondary VLANs associated with VLAN 10 and are
invisible to Device A.
Figure 46 Private VLAN example

Configuration task list

To configure the private VLAN feature, perform the following tasks:
1. Configure the primary VLAN.
2. Configure the secondary VLANs.
3. Configure the uplink and downlink ports:
{ Configure the uplink port (for example, the port connecting Device B to Device A in Figure
46):
− When the port allows only one primary VLAN, configure the port as a promiscuous port
of the primary VLAN. The promiscuous port can be automatically assigned to the
primary VLAN and its associated secondary VLANs.
− When the port allows multiple primary VLANs, configure the port as a trunk promiscuous
port of the primary VLANs. The trunk promiscuous port can be automatically assigned to
these primary VLANs and their associated secondary VLANs.
{ Configure a downlink port (for example, the port connecting Device B to a host in Figure 46)
as a host port. The host port can be automatically assigned to the secondary VLAN and its
associated primary VLAN.
{ If a downlink port allows multiple secondary VLANs, configure the port as a trunk secondary
port. The trunk secondary port can be automatically assigned to the secondary VLANs and
their associated primary VLANs.

165
 For more information about promiscuous, trunk promiscuous, host, and trunk secondary ports,
see Layer 2—LAN Switching Command Reference.
4. Associate the secondary VLANs with the primary VLAN.
5. (Optional.) Configure Layer 3 communication between the specified secondary VLANs that are
associated with the primary VLAN.

Configuration restrictions and guidelines

When you configure the private VLAN feature, follow these restrictions and guidelines:
• After you complete the private VLAN configurations, perform the following tasks:
{ For a promiscuous port, make sure the following requirements are met:
− The primary VLAN is the PVID of the port.
− The port is an untagged member of the primary VLAN and secondary VLANs.
{ For a host port, make sure the following requirements are met:
− The PVID of the port is a secondary VLAN.
− The port is an untagged member of the primary VLAN and the secondary VLAN.
{ For a trunk promiscuous or trunk secondary port, make sure the port is a tagged member of
the primary VLANs and the secondary VLANs.
• VLAN 1 (system default VLAN) does not support the private VLAN configuration.

Configuration procedure
To configure the private VLAN feature:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a VLAN and enter
VLAN view. vlan vlan-id N/A

3. Configure the VLAN as a By default, a VLAN is not a

primary VLAN. private-vlan primary
primary VLAN.
4. Return to system view. quit N/A
5. Create one or multiple
secondary VLANs. vlan { vlan-id1 [ to vlan-id2 ] | all } N/A

Use either command.

By default, ports in the same
secondary VLAN can
communicate with each other at
Layer 2.
6. Enable Layer 2 This configuration takes effect
• undo private-vlan isolated when the following conditions
communication for ports in
the same secondary VLAN. • private-vlan community exist:
• The ports in the secondary
VLAN are configured as host
ports.
• The secondary VLAN is
associated with a primary
VLAN.
7. Return to system view. quit N/A

166
Step Command Remarks
8. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

• Configure the uplink port as a

promiscuous port of the
specified VLAN:
9. Configure the uplink port as a port private-vlan vlan-id
promiscuous or trunk promiscuous By default, a port is not a
promiscuous port of the promiscuous or trunk
• Configure the uplink port as a
specified VLANs. promiscuous port of any VLAN.
trunk promiscuous port of the
specified VLANs:
port private-vlan vlan-id-list
trunk promiscuous
10. Return to system view. quit N/A
11. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

a. Set the link type of the

port:
port link-type { access |
hybrid | trunk }
b. Assign the access port to
the specified VLAN:
port access vlan vlan-id
12. Assign the downlink port to c. Assign the trunk port to Select substep b, c, or d
secondary VLANs. the specified VLANs: depending on the port link type.
port trunk permit vlan
{ vlan-id-list | all }
d. Assign the hybrid port to
the specified VLANs:
port hybrid vlan
vlan-id-list { tagged |
untagged }

13. Return to system view. quit N/A

14. Enter Layer 2 Ethernet

interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

• Configure the downlink port

as a host port:
15. Configure the downlink port port private-vlan host
as a host or trunk secondary By default, a port is not a host or
• Configure the downlink port
port. trunk secondary port.
as a trunk secondary port:
port private-vlan vlan-id-list
trunk secondary
16. Enter primary VLAN view. vlan vlan-id N/A
17. Associate the primary VLAN By default, a primary VLAN is not
with the specified secondary private-vlan secondary
associated with any secondary
VLANs. vlan-id-list
VLAN.
18. Return to system view. quit N/A

167
 Step Command Remarks
a. Enter VLAN interface
view of the primary VLAN
interface:
interface vlan-interface
vlan-id
b. Enable Layer 3
communication between
secondary VLANs that
are associated with the
primary VLAN: Use substeps a, b, c, and e for
private-vlan secondary devices that run IPv4 protocols.
vlan-id-list Use substeps a, b, d, and f for
c. Assign an IPv4 address devices that run IPv6 protocols.
to the primary VLAN By default:
19. (Optional.) Configure Layer 3 interface:
communication between the • Secondary VLANs cannot
ip address ip-address
specified secondary VLANs. communicate with each
{ mask-length | mask }
other at Layer 3.
[ sub ]
• No IP address is configured
d. Assign an IPv6 address for a VLAN interface.
to the primary VLAN
interface: • Local proxy ARP and local
ipv6 address proxy ND are disabled.
{ ipv6-address
prefix-length |
ipv6-address/prefix-lengt
h}
e. Enable local proxy ARP:
local-proxy-arp enable
f. Enable local proxy ND:
local-proxy-nd enable

Displaying and maintaining the private VLAN

Execute display commands in any view.

Task Command
Display information about primary VLANs and the
display private-vlan [ primary-vlan-id ]
secondary VLANs associated with each primary VLAN.

Private VLAN configuration examples

Promiscuous port configuration example
Network requirements
As shown in Figure 47, configure the private VLAN feature to meet the following requirements:
• On Device B, VLAN 5 is a primary VLAN that is associated with secondary VLANs 2 and 3.
Ten-GigabitEthernet 1/0/5 is in VLAN 5. Ten-GigabitEthernet 1/0/2 is in VLAN 2.
Ten-GigabitEthernet 1/0/1 is in VLAN 3.

168
 • On Device C, VLAN 6 is a primary VLAN that is associated with secondary VLANs 3 and 4.
Ten-GigabitEthernet 1/0/5 is in VLAN 6. Ten-GigabitEthernet 1/0/3 is in VLAN 3.
Ten-GigabitEthernet 1/0/4 is in VLAN 4.
• Device A is aware of only VLAN 5 on Device B and VLAN 6 on Device C.
Figure 47 Network diagram

Configuration procedure
This example describes the configurations on Device B and Device C.
1. Configure Device B:
# Configure VLAN 5 as a primary VLAN.
<DeviceB> system-view
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan primary
[DeviceB-vlan5] quit
# Create VLANs 2 and 3.
[DeviceB] vlan 2 to 3
# Configure the uplink port Ten-GigabitEthernet 1/0/5 as a promiscuous port of VLAN 5.
[DeviceB] interface ten-gigabitethernet 1/0/5
[DeviceB-Ten-GigabitEthernet1/0/5] port private-vlan 5 promiscuous
[DeviceB-Ten-GigabitEthernet1/0/5] quit
# Assign the downlink port Ten-GigabitEthernet 1/0/1 to VLAN 3, and configure the port as a
host port.
[DeviceB] interface ten-gigabitethernet 1/0/1
[DeviceB-Ten-GigabitEthernet1/0/1] port access vlan 3
[DeviceB-Ten-GigabitEthernet1/0/1] port private-vlan host
[DeviceB-Ten-GigabitEthernet1/0/1] quit
# Assign the downlink port Ten-GigabitEthernet 1/0/2 to VLAN 2, and configure the port as a
host port.
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] port access vlan 2
[DeviceB-Ten-GigabitEthernet1/0/2] port private-vlan host
[DeviceB-Ten-GigabitEthernet1/0/2] quit
# Associate the secondary VLANs 2 and 3 with the primary VLAN 5.
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan secondary 2 to 3

169
 [DeviceB-vlan5] quit
2. Configure Device C:
# Configure VLAN 6 as a primary VLAN.
<DeviceC> system-view
[DeviceC] vlan 6
[DeviceC–vlan6] private-vlan primary
[DeviceC–vlan6] quit
# Create VLANs 3 and 4.
[DeviceC] vlan 3 to 4
# Configure the uplink port Ten-GigabitEthernet 1/0/5 as a promiscuous port of VLAN 6.
[DeviceC] interface ten-gigabitethernet 1/0/5
[DeviceC-Ten-GigabitEthernet1/0/5] port private-vlan 6 promiscuous
[DeviceC-Ten-GigabitEthernet1/0/5] quit
# Assign the downlink port Ten-GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a
host port.
[DeviceC] interface ten-gigabitethernet 1/0/3
[DeviceC-Ten-GigabitEthernet1/0/3] port access vlan 3
[DeviceC-Ten-GigabitEthernet1/0/3] port private-vlan host
[DeviceC-Ten-GigabitEthernet1/0/3] quit
# Assign the downlink port Ten-GigabitEthernet 1/0/4 to VLAN 4, and configure the port as a
host port.
[DeviceC] interface ten-gigabitethernet 1/0/4
[DeviceC-Ten-GigabitEthernet1/0/4] port access vlan 4
[DeviceC-Ten-GigabitEthernet1/0/4] port private-vlan host
[DeviceC-Ten-GigabitEthernet1/0/4] quit
# Associate the secondary VLANs 3 and 4 with the primary VLAN 6.
[DeviceC] vlan 6
[DeviceC-vlan6] private-vlan secondary 3 to 4
[DeviceC-vlan6] quit

Verifying the configuration

# Display the private VLAN configuration on the devices, for example, on Device B.
[DeviceB] display private-vlan
Primary VLAN ID: 5
Secondary VLAN ID: 2-3

VLAN ID: 5
VLAN type: Static
Private VLAN type: Primary
Route interface: Not configured
Description: VLAN 0005
Name: VLAN 0005
Tagged ports: None
Untagged ports:
Ten-GigabitEthernet1/0/1 Ten-GigabitEthernet1/0/2
Ten-GigabitEthernet1/0/5

VLAN ID: 2
VLAN type: Static

170
 Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0002
Name: VLAN 0002
Tagged ports: None
Untagged ports:
Ten-GigabitEthernet1/0/2 Ten-GigabitEthernet1/0/5

VLAN ID: 3
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0003
Name: VLAN 0003
Tagged Ports: None
Untagged Ports:
Ten-GigabitEthernet1/0/1 Ten-GigabitEthernet1/0/5

The output shows that:

• The promiscuous port Ten-GigabitEthernet 1/0/5 is an untagged member of primary VLAN 5
and secondary VLANs 2 and 3.
• The host port Ten-GigabitEthernet 1/0/2 is an untagged member of primary VLAN 5 and
secondary VLAN 2.
• The host port Ten-GigabitEthernet 1/0/1 is an untagged member of primary VLAN 5 and
secondary VLAN 3.

Trunk promiscuous port configuration example

Network requirements
As shown in Figure 48, configure the private VLAN feature to meet the following requirements:
• VLANs 5 and 10 are primary VLANs on Device B. The uplink port Ten-GigabitEthernet 1/0/1 on
Device B permits the packets from VLANs 5 and 10 to pass through tagged.
• On Device B, the downlink port Ten-GigabitEthernet 1/0/2 permits secondary VLAN 2. The
downlink port Ten-GigabitEthernet 1/0/3 permits secondary VLAN 3. Secondary VLANs 2 and 3
are associated with primary VLAN 5.
• On Device B, the downlink port Ten-GigabitEthernet 1/0/6 permits secondary VLAN 6. The
downlink port Ten-GigabitEthernet 1/0/8 permits secondary VLAN 8. Secondary VLANs 6 and 8
are associated with primary VLAN 10.
• Device A is aware of only VLANs 5 and 10 on Device B.

171
 Figure 48 Network diagram

XG
/2
/0

E1
E1

/0
XG

/8

Configuration procedure
1. Configure Device B:
# Configure VLANs 5 and 10 as primary VLANs.
<DeviceB> system-view
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan primary
[DeviceB-vlan5] quit
[DeviceB] vlan 10
[DeviceB-vlan10] private-vlan primary
[DeviceB-vlan10] quit
# Create VLANs 2, 3, 6, and 8.
[DeviceB] vlan 2 to 3
[DeviceB] vlan 6
[DeviceB-vlan6] quit
[DeviceB] vlan 8
[DeviceB-vlan8] quit
# Configure the uplink port Ten-GigabitEthernet 1/0/1 as a trunk promiscuous port of VLANs 5
and 10.
[DeviceB] interface ten-gigabitethernet 1/0/1
[DeviceB-Ten-GigabitEthernet1/0/1] port private-vlan 5 10 trunk promiscuous
[DeviceB-Ten-GigabitEthernet1/0/1] quit
# Assign the downlink port Ten-GigabitEthernet 1/0/2 to VLAN 2, and configure the port as a
host port.
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] port access vlan 2
[DeviceB-Ten-GigabitEthernet1/0/2] port private-vlan host
[DeviceB-Ten-GigabitEthernet1/0/2] quit
# Assign the downlink port Ten-GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a
host port.

172
 [DeviceB] interface ten-gigabitethernet 1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] port access vlan 3
[DeviceB-Ten-GigabitEthernet1/0/3] port private-vlan host
[DeviceB-Ten-GigabitEthernet1/0/3] quit
# Associate the secondary VLANs 2 and 3 with the primary VLAN 5.
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan secondary 2 to 3
[DeviceB-vlan5] quit
# Assign the downlink port Ten-GigabitEthernet 1/0/6 to VLAN 6, and configure the port as a
host port.
[DeviceB] interface ten-gigabitethernet 1/0/6
[DeviceB-Ten-GigabitEthernet1/0/6] port access vlan 6
[DeviceB-Ten-GigabitEthernet1/0/6] port private-vlan host
[DeviceB-Ten-GigabitEthernet1/0/6] quit
# Assign the downlink port Ten-GigabitEthernet 1/0/8 to VLAN 8, and configure the port as a
host port.
[DeviceB] interface ten-gigabitethernet 1/0/8
[DeviceB-Ten-GigabitEthernet1/0/8] port access vlan 8
[DeviceB-Ten-GigabitEthernet1/0/8] port private-vlan host
[DeviceB-Ten-GigabitEthernet1/0/8] quit
# Associate the secondary VLANs 6 and 8 with the primary VLAN 10.
[DeviceB] vlan 10
[DeviceB-vlan10] private-vlan secondary 6 8
[DeviceB-vlan10] quit
2. Configure Device A:
# Create VLANs 5 and 10.
[DeviceA] vlan 5
[DeviceA-vlan5] quit
[DeviceA] vlan 10
[DeviceA-vlan10] quit
# Configure Ten-GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 5 and 10 as a
tagged VLAN member.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-type hybrid
[DeviceA-Ten-GigabitEthernet1/0/1] port hybrid vlan 5 10 tagged
[DeviceA-Ten-GigabitEthernet1/0/1] quit

Verifying the configuration

# Display primary VLAN configurations on Device B. The following output uses primary VLAN 5 as
an example.
[DeviceB] display private-vlan 5
Primary VLAN ID: 5
Secondary VLAN ID: 2-3

VLAN ID: 5
VLAN type: Static
Private VLAN type: Primary
Route interface: Not configured
Description: VLAN 0005

173
 Name: VLAN 0005
Tagged ports:
Ten-GigabitEthernet1/0/1
Untagged ports:
Ten-GigabitEthernet1/0/2 Ten-GigabitEthernet1/0/3

VLAN ID: 2
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0002
Name: VLAN 0002
Tagged ports:
Ten-GigabitEthernet1/0/1
Untagged ports:
Ten-GigabitEthernet1/0/2

VLAN ID: 3
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0003
Name: VLAN 0003
Tagged ports:
Ten-GigabitEthernet1/0/1
Untagged ports:
Ten-GigabitEthernet1/0/3

The output shows that:

• The trunk promiscuous port Ten-GigabitEthernet 1/0/1 is a tagged member of primary VLAN 5
and secondary VLANs 2 and 3.
• The host port Ten-GigabitEthernet 1/0/2 is an untagged member of primary VLAN 5 and
secondary VLAN 2.
• The host port Ten-GigabitEthernet 1/0/3 is an untagged member of primary VLAN 5 and
secondary VLAN 3.

Trunk promiscuous and trunk secondary port configuration

example
Network requirements
As shown in Figure 49, configure the private VLAN feature to meet the following requirements:
• VLANs 10 and 20 are primary VLANs on Device A. The uplink port Ten-GigabitEthernet 1/0/5
on Device A permits the packets from VLANs 10 and 20 to pass through tagged.
• VLAN 11, VLAN 12, VLAN 21, and VLAN 22 are secondary VLANs on Device A.
{ The downlink port Ten-GigabitEthernet 1/0/2 permits the packets from VLAN 11 and VLAN
21 to pass through tagged.
{ The downlink port Ten-GigabitEthernet 1/0/1 permits VLAN 22.
{ The downlink port Ten-GigabitEthernet 1/0/3 permits VLAN 12.

174
 • Secondary VLANs 11 and 12 are associated with primary VLAN 10.
• Secondary VLANs 21 and 22 are associated with primary VLAN 20.
Figure 49 Network diagram

Configuration procedure
1. Configure Device A:
# Configure VLANs 10 and 20 as primary VLANs.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan primary
[DeviceA-vlan10] quit
[DeviceA] vlan 20
[DeviceA-vlan20] private-vlan primary
[DeviceA-vlan20] quit
# Create VLANs 11, 12, 21, and 22, which are to be configured as secondary VLANs.
[DeviceA] vlan 11 to 12
[DeviceA] vlan 21 to 22
# Associate the secondary VLANs 11 and 12 with the primary VLAN 10.
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan secondary 11 12
[DeviceA-vlan10] quit
# Associate the secondary VLANs 21 and 22 with the primary VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] private-vlan secondary 21 22
[DeviceA-vlan20] quit
# Configure the uplink port Ten-GigabitEthernet 1/0/5 as a trunk promiscuous port of VLANs 10
and 20.
[DeviceA] interface ten-gigabitethernet 1/0/5
[DeviceA-Ten-GigabitEthernet1/0/5] port private-vlan 10 20 trunk promiscuous

175
 [DeviceA-Ten-GigabitEthernet1/0/5] quit
# Assign the downlink port Ten-GigabitEthernet 1/0/1 to VLAN 22 and configure the port as a
host port.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port access vlan 22
[DeviceA-Ten-GigabitEthernet1/0/1] port private-vlan host
[DeviceA-Ten-GigabitEthernet1/0/1] quit
# Assign the downlink port Ten-GigabitEthernet 1/0/3 to VLAN 12 and configure the port as a
host port.
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port access vlan 12
[DeviceA-Ten-GigabitEthernet1/0/3] port private-vlan host
[DeviceA-Ten-GigabitEthernet1/0/3] quit
# Configure the downlink port Ten-GigabitEthernet 1/0/2 as a trunk secondary port in VLANs 11
and 21.
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port private-vlan 11 21 trunk secondary
[DeviceA-Ten-GigabitEthernet1/0/2] quit
2. Configure Device B:
# Create VLANs 11 and 21.
<DeviceB> system-view
[DeviceB] vlan 11
[DeviceB-vlan11] quit
[DeviceB] vlan 21
[DeviceB-vlan21] quit
# Configure Ten-GigabitEthernet 1/0/2 as a hybrid port, and assign it to VLANs 11 and 21 as a
tagged VLAN member.
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] port link-type hybrid
[DeviceB-Ten-GigabitEthernet1/0/2] port hybrid vlan 11 21 tagged
[DeviceB-Ten-GigabitEthernet1/0/2] quit
# Assign the port Ten-GigabitEthernet 1/0/4 to VLAN 11.
[DeviceB] interface ten-gigabitethernet 1/0/4
[DeviceB-Ten-GigabitEthernet1/0/4] port access vlan 11
[DeviceB-Ten-GigabitEthernet1/0/4] quit
# Assign the port Ten-GigabitEthernet 1/0/3 to VLAN 21.
[DeviceB] interface ten-gigabitethernet 1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] port access vlan 21
[DeviceB-Ten-GigabitEthernet1/0/3] quit
3. Configure Device C:
# Create VLANs 10 and 20.
<DeviceC> system-view
[DeviceC] vlan 10
[DeviceC-vlan10] quit
[DeviceC] vlan 20
[DeviceC-vlan20] quit
# Configure Ten-GigabitEthernet1/0/5 as a hybrid port, and assign it to VLANs 10 and 20 as a
tagged VLAN member.

176
 [DeviceC] interface ten-gigabitethernet 1/0/5
[DeviceC-Ten-GigabitEthernet1/0/5] port link-type hybrid
[DeviceC-Ten-GigabitEthernet1/0/5] port hybrid vlan 10 20 tagged
[DeviceC-Ten-GigabitEthernet1/0/5] quit

Verifying the configuration

# Display the configuration of primary VLAN 10 on Device A.
[DeviceA] display private-vlan 10
Primary VLAN ID: 10
Secondary VLAN ID: 11-12

VLAN ID: 10
VLAN type: Static
Private-vlan type: Primary
Route interface: Not configured
Description: VLAN 0010
Name: VLAN 0010
Tagged ports:
Ten-GigabitEthernet1/0/2 Ten-GigabitEthernet1/0/5
Untagged ports:
Ten-GigabitEthernet1/0/3

VLAN ID: 11
VLAN type: Static
Private-vlan type: Secondary
Route interface: Not configured
Description: VLAN 0011
Name: VLAN 0011
Tagged ports:
Ten-GigabitEthernet1/0/2 Ten-GigabitEthernet1/0/5
Untagged ports: None

VLAN ID: 12
VLAN type: Static
Private-vlan type: Secondary
Route interface: Not configured
Description: VLAN 0012
Name: VLAN 0012
Tagged ports:
Ten-GigabitEthernet1/0/5
Untagged ports:
Ten-GigabitEthernet1/0/3

The output shows that:

• The trunk promiscuous port Ten-GigabitEthernet 1/0/5 is a tagged member of primary VLAN 10
and secondary VLANs 11 and 12.
• The trunk secondary port Ten-GigabitEthernet 1/0/2 is a tagged member of primary VLAN 10
and secondary VLAN 11.
• The host port Ten-GigabitEthernet 1/0/3 is an untagged member of primary VLAN 10 and
secondary VLAN 12.

177
# Display the configuration of primary VLAN 20 on Device A.
[DeviceA] display private-vlan 20
Primary VLAN ID: 20
Secondary VLAN ID: 21-22

VLAN ID: 20
VLAN type: Static
Private-vlan type: Primary
Route interface: Not configured
Description: VLAN 0020
Name: VLAN 0020
Tagged ports:
Ten-GigabitEthernet1/0/2 Ten-GigabitEthernet1/0/5
Untagged ports:
Ten-GigabitEthernet1/0/1

VLAN ID: 21
VLAN type: Static
Private-vlan type: Secondary
Route interface: Not configured
Description: VLAN 0021
Name: VLAN 0021
Tagged ports:
Ten-GigabitEthernet1/0/2 Ten-GigabitEthernet1/0/5
Untagged ports: None

VLAN ID: 22
VLAN type: Static
Private-vlan type: Secondary
Route interface: Not configured
Description: VLAN 0022
Name: VLAN 0022
Tagged ports:
Ten-GigabitEthernet1/0/5
Untagged ports:
Ten-GigabitEthernet1/0/1

The output shows that:

• The trunk promiscuous port Ten-GigabitEthernet 1/0/5 is a tagged member of primary VLAN 20
and secondary VLANs 21 and 22.
• The trunk secondary port Ten-GigabitEthernet 1/0/2 is a tagged member of primary VLAN 20
and secondary VLAN 21.
• The host port Ten-GigabitEthernet 1/0/1 is an untagged member of primary VLAN 20 and
secondary VLAN 22.

178
Secondary VLAN Layer 3 communication configuration
example
Network requirements
As shown in Figure 50, configure the private VLAN feature to meet the following requirements:
• Primary VLAN 10 on Device B is associated with secondary VLANs 2 and 3.
• The uplink port Ten-GigabitEthernet 1/0/1 is in VLAN 10.
• The IP address of VLAN-interface 10 is 192.168.1.1/24.
• The ports Ten-GigabitEthernet 1/0/2 and Ten-GigabitEthernet 1/0/3 are in VLAN 2 and VLAN 3,
respectively.
• Secondary VLANs are isolated at Layer 2 but interoperable at Layer 3.
Figure 50 Network diagram

Configuration procedure
# Create VLAN 2 and VLAN 3.
<DeviceB> system-view
[DeviceB] vlan 2 to 3

# Configure VLAN 10 as a primary VLAN, and associate VLAN 2 and VLAN 3 with primary VLAN 10
as secondary VLANs.
[DeviceB] vlan 10
[DeviceB-vlan10] private-vlan primary
[DeviceB-vlan10] private-vlan secondary 2 3
[DeviceB-vlan10] quit

# Configure the uplink port Ten-GigabitEthernet 1/0/1 as a promiscuous port of VLAN 10.
[DeviceB] interface ten-gigabitethernet 1/0/1
[DeviceB-Ten-GigabitEthernet1/0/1] port private-vlan 10 promiscuous
[DeviceB-Ten-GigabitEthernet1/0/1] quit

# Assign the downlink port Ten-GigabitEthernet 1/0/2 to VLAN 2, and configure the port as a host
port.
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] port access vlan 2
[DeviceB-Ten-GigabitEthernet1/0/2] port private-vlan host
[DeviceB-Ten-GigabitEthernet1/0/2] quit

179
 # Assign the downlink port Ten-GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host
port.
[DeviceB] interface ten-gigabitethernet 1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] port access vlan 3
[DeviceB-Ten-GigabitEthernet1/0/3] port private-vlan host
[DeviceB-Ten-GigabitEthernet1/0/3] quit

# Enable Layer 3 communication between secondary VLANs 2 and 3 that are associated with
primary VLAN 10.
[DeviceB] interface vlan-interface 10
[DeviceB-Vlan-interface10] private-vlan secondary 2 3

# Assign the IP address 192.168.1.1/24 to VLAN-interface 10.

[DeviceB-Vlan-interface10] ip address 192.168.1.1 255.255.255.0

# Enable local proxy ARP on VLAN-interface 10.

[DeviceB-Vlan-interface10] local-proxy-arp enable
[DeviceB-Vlan-interface10] quit

Verifying the configuration

# Display the configuration of primary VLAN 10.
[DeviceB] display private-vlan 10
Primary VLAN ID: 10
Secondary-VLAN ID: 2-3

VLAN ID: 10
VLAN type: Static
Private VLAN type: Primary
Route interface: Configured
IPv4 address: 192.168.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0010
Name: VLAN 0010
Tagged ports: None
Untagged ports:
Ten-GigabitEthernet1/0/1
Ten-GigabitEthernet1/0/2
Ten-GigabitEthernet1/0/3
VLAN ID: 2
VLAN type: Static
Private VLAN type: Secondary
Route interface: Configured
IPv4 address: 192.168.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0002
Name: VLAN 0002
Tagged ports: None
Untagged ports:
Ten-GigabitEthernet1/0/1 Ten-GigabitEthernet1/0/2

VLAN ID: 3
VLAN type: Static

180
 Private VLAN type: Secondary
Route interface: Configured
IPv4 address: 192.168.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0003
Name: VLAN 0003
Tagged ports: None
Untagged ports:
Ten-GigabitEthernet1/0/1 Ten-GigabitEthernet1/0/3

The Route interface field in the output is Configured, indicating that secondary VLANs 2 and 3 are
interoperable at Layer 3.

181
Configuring voice VLANs
Overview
A voice VLAN is used for transmitting voice traffic. When ports that connect to voice devices are
assigned to a voice VLAN, the system can configure QoS parameters for voice packets to ensure
higher transmission priority and sound voice quality.
Common voice devices include IP phones and integrated access devices (IADs). This chapter uses
IP phone as an example.
For an IP phone to access a device, the device must perform the following operations:
• Identify the IP phone in the network and obtain the MAC address of the IP phone.
• Advertise the voice VLAN information to the IP phone.
After receiving the voice VLAN information, the IP phone can perform automatic configuration, so the
voice packets sent from the IP phone can be transmitted within the voice VLAN.

Methods of identifying IP phones

Devices can use the OUI addresses or LLDP to identify IP phones.

Identifying IP phones through OUI addresses

A device determines whether a received packet is a voice packet based on its source MAC address.
A packet whose source MAC address complies with any of the Organizationally Unique Identifier
(OUI) addresses of the voice devices is regarded as voice traffic.
You can use system default OUI addresses (see Table 11) or configure OUI addresses for the device.
You can manually remove or add the system default OUI addresses.
The switch supports 128 OUI addresses, including system default OUI addresses.
Table 11 Default OUI addresses

Number OUI address Vendor

1 0001-E300-0000 Siemens phone
2 0003-6B00-0000 Cisco phone
3 0004-0D00-0000 Avaya phone
4 00D0-1E00-0000 Pingtel phone
5 0060-B900-0000 Philips/NEC phone
6 00E0-7500-0000 Polycom phone
7 00E0-BB00-0000 3Com phone

Typically, an OUI address refers to the first 24 bits of a MAC address (in binary notation) and is a
globally unique identifier that IEEE assigns to a vendor. However, OUI addresses in this chapter are
addresses that the system uses to determine whether a received packet is a voice packet. They are
the logical AND results of the mac-address and oui-mask arguments in the voice-vlan
mac-address command.

182
Automatically identifying IP phones through LLDP
When you use OUI addresses to identify IP phones, the number of OUI addresses that can be
configured is limited. Additionally, when there are plenty of IP phones in the network, you must
configure many OUI addresses. If IP phones support LLDP, configure LLDP on the device for
automatic IP phone discovery. For more information, see "Enabling LLDP for automatic IP phone
discovery."

Advertising the voice VLAN information to IP

phones
Figure 51 shows the workflow of advertising the voice VLAN information to IP phones.
Figure 51 Workflow of advertising the voice VLAN information to IP phones

After receiving the voice VLAN information, the IP phone automatically completes the voice VLAN
configuration.
• If the voice VLAN configuration is based on the received LLDP-MED TLVs or CDP packets, the
IP phone will send out packets tagged with the advertised voice VLAN ID. The voice packets
will be forwarded in the voice VLAN.
For more information about configuring LLDP or CDP, see "Configuring LLDP or CDP to
advertise a voice VLAN." For more information about LLDP and CDP compatibility, see
"Configuring LLDP."
• If the voice VLAN configuration is based on the authorization VLAN information, the IP phone
will send out packets tagged with the advertised authorization VLAN ID. The voice packets will
be forwarded in the authorization VLAN.
For more information about advertising the authorization VLAN information to IP phones, see
"Dynamically advertising an authorization VLAN through LLDP or CDP." For more information
about authorization VLANs, see Security Configuration Guide.
• If the voice VLAN configuration is based on the voice VLAN information of the accessing port,
the voice traffic from the IP phone will be forwarded in the voice VLAN of the accessing port.
Whether the voice packets are tagged depends on the voice VLAN configuration of the
accessing port. For more information about configuring a voice VLAN on a port, see
"Configuring a voice VLAN on a port."

183
IP phone access methods
Connecting the host and the IP phone in series
As shown in Figure 52, the host is connected to the IP phone, and the IP phone is connected to the
device. In this scenario, the following requirements must be met:
• The host and the IP phone use different VLANs.
• The IP phone is able to send out VLAN-tagged packets, so that the device can differentiate
traffic from the host and the IP phone.
• The port connecting to the IP phone forwards packets from the voice VLAN and the PVID.
Figure 52 Connecting the host and IP phone in series

Connecting the IP phone to the device

As shown in Figure 53, the IP phone is connected to the device without the presence of the host. Use
this connection method when the IP phone sends out untagged voice packets. In this scenario, you
must configure the voice VLAN as the PVID of the port, and configure the port to forward the packets
from the PVID.
Figure 53 Connecting the IP phone to the device

Configuring a voice VLAN on a port

Voice VLAN assignment modes
A port can be assigned to a voice VLAN automatically or manually.
Automatic mode
Use automatic mode when PCs and IP phones are connected in series to access the network
through the device, as shown in Figure 52. Ports on the device transmit both voice traffic and data
traffic.

184
 When an IP phone is powered on, it sends out protocol packets. After receiving these protocol
packets, the device uses the source MAC address of the protocol packets to match its OUI
addresses. If the match succeeds, the system performs the following operations:
• Assigns the receiving port of the protocol packets to the voice VLAN.
• Issues ACL rules to set the packet precedence.
• Starts the voice VLAN aging timer.
The system will remove the port from the voice VLAN if no packet is received from the port before the
aging timer expires. The aging timer is also configurable.
If the device reboots, the port is reassigned to the voice VLAN to ensure the correct operation of the
existing voice connections. The reassignment occurs automatically without being triggered by voice
traffic as long as the voice VLAN operates correctly.
Manual mode
Use manual mode when only IP phones access the network through the device, as shown in Figure
53. In this mode, ports are assigned to a voice VLAN that transmits voice traffic exclusively. No data
traffic affects the voice traffic transmission.
You must manually assign the receiving port on the device to a voice VLAN. The device uses the
source MAC address of the received voice packets to match its OUI addresses. If the match
succeeds, the system issues ACL rules to set the packet precedence.
To remove the port from the voice VLAN, you must manually remove it.
Cooperation of voice VLAN assignment modes and IP phones
Some IP phones send out VLAN-tagged packets, and others send out only untagged packets. For
correct packet processing, ports of different link types must meet specific configuration requirements
in different voice VLAN assignment modes.
Table 12 Configuration requirements for access/trunk/hybrid ports to support tagged voice
traffic

Support for
Port link Voice VLAN
tagged voice Configuration requirements
type assignment mode
traffic
Automatic No N/A
Access
Manual No N/A
The PVID of the port cannot be the
Automatic Yes
voice VLAN.

Trunk The PVID of the port cannot be the

voice VLAN. Configure the port to
Manual Yes
forward the packets from the voice
VLAN.
The PVID of the port cannot be the
Automatic Yes
voice VLAN.

Hybrid The PVID of the port cannot be the

voice VLAN. Configure the port to
Manual Yes
forward the packets from the voice
VLAN with VLAN tags.

185
 Table 13 Configuration requirements for access/trunk/hybrid ports to support untagged
voice traffic

Port Voice VLAN Support for

link assignment untagged voice Configuration requirements
type mode traffic
Automatic No N/A
Access Configure the voice VLAN as the PVID of the
Manual Yes
port.
Automatic No N/A

Trunk Configure the voice VLAN as the PVID of the

Manual Yes port. Configure the port to forward the packets
from the voice VLAN.
Automatic No N/A

Hybrid Configure the voice VLAN as the PVID of the

Manual Yes port. Configure the port to forward the packets
from the voice VLAN without VLAN tags.

If an IP phone sends out tagged voice traffic, and its accessing port is configured with 802.1X
authentication, guest VLAN, Auth-Fail VLAN, or critical VLAN, the VLAN ID must be different for the
following VLANs:
• Voice VLAN.
• PVID of the accessing port.
• 802.1X guest, Auth-Fail, or critical VLAN.
If an IP phone sends out untagged voice traffic, the PVID of the accessing port must be the voice
VLAN. As a result, 802.1X authentication is not supported.

Security mode and normal mode of voice VLANs

Depending on the incoming packet filtering mechanisms, a voice VLAN-enabled port can operate in
one of the following modes:
• Normal mode—The port receives voice-VLAN-tagged packets and forwards them in the voice
VLAN without examining their MAC addresses. If the PVID of the port is the voice VLAN and the
port operates in manual VLAN assignment mode, the port forwards all the received untagged
packets in the voice VLAN.
In this mode, voice VLANs are vulnerable to traffic attacks. Malicious users might send large
quantities of forged voice-VLAN-tagged or untagged packets to consume the voice VLAN
bandwidth to affect normal voice communication.
• Security mode—The port uses the source MAC addresses of voice packets to match the OUI
addresses of the device. Packets that fail the match will be dropped.
In a safe network, you can configure the voice VLANs to operate in normal mode to reduce the
system resource consumption in source MAC address checking.

TIP:
As a best practice, do not transmit both voice traffic and non-voice traffic in a voice VLAN. If you
must transmit different traffic in a voice VLAN, make sure the voice VLAN security mode is disabled.

186
 Table 14 Packet processing on a voice VLAN-enabled port in normal and security mode

Voice VLAN
Packet type Packet processing
mode
Untagged packets or The port does not examine the source MAC addresses of
packets with the voice incoming packets. Both voice traffic and non-voice traffic can
Normal VLAN tags be transmitted in the voice VLAN.
Packets with other VLAN Forwarded or dropped depending on whether the port allows
tags packets from these VLANs to pass through.
• If the source MAC address of a packet matches an OUI
Untagged packets or address on the device, the packet is forwarded in the
packets with the voice voice VLAN.
Security VLAN tags • If the source MAC address of a packet does not match
an OUI address on the device, the packet is dropped.

Packets with other VLAN Forwarded or dropped depending on whether the port allows
tags packets from these VLANs to pass through.

Configuration prerequisites
Before you configure a voice VLAN, complete the following tasks:
• Create a VLAN.
• Determine the QoS priority settings for voice VLAN traffic.
• Determine the voice VLAN assignment mode.

Configuring the QoS priority settings for voice traffic

The QoS priority settings carried in voice traffic include the CoS and DSCP values. You can
configure the device to modify the QoS priority settings for voice traffic.
Before you configure the QoS priority settings for voice traffic on a port, make sure the voice VLAN
feature is disabled on it.
To configure the QoS priority settings for voice traffic:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
• Configure the port to trust and
retain the QoS priority settings: By default, a port modifies the
CoS and DSCP values for
a. Use the 802.1p priority in voice VLAN packets to 6 and
incoming packets for priority 46, respectively.
mapping:
qos trust dot1p If you execute the voice-vlan
3. Configure QoS priority qos and voice-vlan qos trust
settings for incoming voice b. Configure the port to trust commands multiple times, the
VLAN packets. and retain the QoS priority most recent configuration
settings: takes effect.
voice-vlan qos trust
For more information about the
• Configure the port to modify the qos trust dot1p command,
CoS and DSCP values: see ACL and QoS Command
voice-vlan qos cos-value Reference.
dscp-value

187
Configuring a port to operate in automatic voice VLAN
assignment mode
Configuration restrictions and guidelines
When you configure a port to operate in automatic voice VLAN assignment mode, follow these
restrictions and guidelines:
• Do not configure a VLAN as both a voice VLAN and a protocol-based VLAN. A voice VLAN in
automatic mode on a hybrid port processes only tagged incoming voice traffic. A protocol-based
VLAN on a hybrid port processes only untagged incoming packets. For more information about
protocol-based VLANs, see "Configuring protocol-based VLANs."
• As a best practice, do not use the automatic voice VLAN assignment mode together with MSTP.
In MSTP mode, if a port is blocked in the MSTI of the target voice VLAN, the port drops the
received packets instead of delivering them to the CPU. As a result, the receiving port will not
be dynamically assigned to the voice VLAN.
• As a best practice, do not use the automatic voice VLAN assignment mode together with PVST.
In PVST mode, if the target voice VLAN is not permitted on a port, the port is placed in blocked
state. The received packets are dropped instead of being delivered to the CPU. As a result, the
receiving port will not be dynamically assigned to the voice VLAN.
• As a best practice, do not configure both dynamic MAC-based VLAN assignment and automatic
voice VLAN assignment mode on a port. If you have to configure both of them on a port,
configure dynamic MAC-based VLAN assignment first. If you configure them in a reverse order,
conflict will occur. When you remove one of the configurations, the operation of the other is
affected.
Configuration procedure
To configure a port to operate in automatic voice VLAN assignment mode:

Step Command Remarks

1. Enter system view. system-view N/A
By default, the aging timer of a
voice VLAN is 1440 minutes.
2. (Optional.) Set the voice
VLAN aging timer. voice-vlan aging minutes The voice VLAN aging timer takes
effect only on ports in automatic
voice VLAN assignment mode.
3. (Optional.) Enable the voice By default, the voice VLAN
VLAN security mode. voice-vlan security enable
security mode is enabled.
4. (Optional.) Add an OUI voice-vlan mac-address oui By default, system default OUI
address for voice packet mask oui-mask [ description addresses exist. For more
identification. text ] information, see Table 11.
5. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
6. Configure the link type of the • port link-type trunk
port. N/A
• port link-type hybrid
7. (Optional.) Configure the port By default, the automatic voice
to operate in automatic voice voice-vlan mode auto VLAN assignment mode is
VLAN assignment mode. enabled.
8. Enable the voice VLAN By default, the voice VLAN
feature on the port. voice-vlan vlan-id enable
feature is disabled.

188
Configuring a port to operate in manual voice VLAN
assignment mode
Configuration restrictions and guidelines
When you configure a port to operate in manual voice VLAN assignment mode, follow these
restrictions and guidelines:
• You can configure different voice VLANs on different ports on the same device. Make sure the
following requirements are met:
{ One port can be configured with only one voice VLAN.
{ Voice VLANs must be existing static VLANs.
• Do not enable voice VLAN on the member ports of a link aggregation group. For more
information about link aggregation, see "Configuring Ethernet link aggregation."
• For a port that is enabled with voice VLAN and operating in manual mode, you must manually
assign the port to the voice VLAN to make the voice VLAN take effect.
Configuration procedure
To configure a port to operate in manual voice VLAN assignment mode:

Step Command Remarks

1. Enter system view. system-view N/A
2. (Optional.) Enable the voice By default, the voice VLAN
VLAN security mode. voice-vlan security enable
security mode is enabled.
3. (Optional.) Add an OUI voice-vlan mac-address oui By default, system default OUI
address for voice packet mask oui-mask [ description addresses exist. For more
identification. text ] information, see Table 11.
4. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
5. Configure the port to operate By default, the manual voice
in manual voice VLAN undo voice-vlan mode auto VLAN assignment mode is
assignment mode. disabled.
• For the access port, see
"Assigning an access port to
a VLAN."
6. Assign the access, trunk, or
• For the trunk port, see After you assign an access port to
hybrid port in manual voice
"Assigning a trunk port to a the voice VLAN, the voice VLAN
VLAN assignment mode to
VLAN." becomes the PVID of the port.
the voice VLAN.
• For the hybrid port, see
"Assigning a hybrid port to a
VLAN."
• For the trunk port, see
"Assigning a trunk port to a This step is required for untagged
7. (Optional.) Configure the VLAN."
voice VLAN as the PVID of incoming voice traffic and
the trunk or hybrid port. • For the hybrid port, see prohibited for tagged incoming
"Assigning a hybrid port to a voice traffic.
VLAN."
8. Enable the voice VLAN By default, the voice VLAN
feature on the port. voice-vlan vlan-id enable
feature is disabled.

189
Enabling LLDP for automatic IP phone discovery
The device can automatically discover the peer through LLDP, and exchange LLDP TLVs with the
peer. If the LLDP System Capabilities TLV received on a port indicates that the peer can act as a
telephone, the device sends an LLDP TLV with the voice VLAN configuration to the peer.
When the IP phone discovery process is complete, the port will continue the following voice VLAN
configuration:
• Join the voice VLAN.
• Increase the transmission priority of the voice traffic sent from the IP phone.
To ensure that the IP phone can pass authentication, the device will add the MAC address of the IP
phone to the MAC address table.

Configuration prerequisites
Before you enable LLDP for automatic IP phone discovery, complete the following tasks:
• Enable LLDP globally and on ports.
• Complete voice VLAN configurations.

Configuration restrictions and guidelines

When you enable LLDP for automatic IP phone discovery, following these restrictions and
guidelines:
• A maximum of five IP phones can be connected to each port of the device.
• Use this feature only with the automatic voice VLAN assignment mode.
• You cannot use this feature together with CDP compatibility.

Configuration procedure
To enable LLDP for automatic IP phone discovery:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable LLDP for automatic By default, this function is
IP phone discovery. voice-vlan track lldp
disabled.

Configuring LLDP or CDP to advertise a voice

VLAN
If IP phones support LLDP, the device advertises the voice VLAN information to the IP phones
through the LLDP-MED TLVs. If IP phones support only CDP, configure CDP compatibility on the
device to enable it to advertise the voice VLAN information through CDP packets.
In either case, the voice VLAN information includes the voice VLAN ID and the tagging status
indicator of the voice packets. The LLDP packets sent from the device carry the priority information.
The CDP packets sent from the device do not carry the priority information.
After you configure this feature, the device advertises the voice VLAN to the IP phone by following
the workflow described in Figure 51.

190
 To configure LLDP or CDP to advertise a voice VLAN:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
• Configure LLDP to advertise a
voice VLAN:
lldp tlv-enable med-tlv
By default, LLDP and CDP
network-policy vlan-id
advertise the voice VLAN
• Configure CDP to advertise a configured on the port.
3. Configure LLDP or CDP to voice VLAN:
For more information about
advertise a voice VLAN. a. Specify the ID of an the lldp tlv-enable med-tlv
advertised VLAN: network-policy command,
cdp voice-vlan vlan-id see Layer 2—LAN Switching
b. Configure CDP compatibility: Command Reference.
For more information, see
"Configuring LLDP."

The advertised voice LAN

4. (Optional.) Display the voice information is displayed in the
VLAN advertised by LLDP. display lldp local-information
MED information fields in the
command output.

Dynamically advertising an authorization VLAN

through LLDP or CDP
This function is available only on IP phones that support LLDP or CDP.
Dynamic authorization VLAN advertisement through LLDP or CDP works with 802.1X or MAC
authentication. If 802.1X authentication is used, make sure the IP phone support 802.1X
authentication.
After the IP phone passes authentication, LLDP advertises the authorization VLAN in the LLDP-MED
Network Policy TLV to the IP phone. If the IP phone supports only CDP, CDP advertises the
authorization VLAN in CDP packets to the IP phone. The port connected to the IP phone will be
added to the authorization VLAN.
To implement this function, perform the following configuration tasks:
1. Enable LLDP globally and on the port connected to the IP phone.
If the IP phone supports only CDP, configure CDP compatibility on the device.
2. Configure 802.1X or MAC authentication to ensure that the IP phone can pass security
authentication. For more information about 802.1X and MAC authentication, see Security
Configuration Guide.
3. Configure the authorization VLAN for the IP phone on the authentication server. For more
information about authorization VLANs, see Security Configuration Guide.

Displaying and maintaining voice VLANs

Execute display commands in any view.

191
 Task Command
Display the voice VLAN state. display voice-vlan state
Display the OUI addresses that the system supports. display voice-vlan mac-address

Voice VLAN configuration examples

Automatic voice VLAN assignment mode configuration
example
Network requirements
As shown in Figure 54, Device A transmits traffic from IP phones and hosts.
For correct voice traffic transmission, perform the following tasks on Device A:
• Configure voice VLANs 2 and 3 to transmit voice packets from IP phones A and B, respectively.
• Configure Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 to operate in automatic
voice VLAN assignment mode.
• Add MAC addresses of IP phones A and B to the device for voice packet identification. The
mask of the two MAC addresses is FFFF-FF00-0000.
Figure 54 Network diagram

Configuration procedure
1. Configure voice VLANs:
# Create VLANs 2 and 3.
<DeviceA> system-view
[DeviceA] vlan 2 to 3
# Set the voice VLAN aging timer to 30 minutes.
[DeviceA] voice-vlan aging 30
# Configure voice VLANs to operate in security mode to transmit only voice packets.
[DeviceA] voice-vlan security enable
# Add MAC addresses of IP phones A and B to the device with the mask FFFF-FF00-0000.
[DeviceA] voice-vlan mac-address 0011-1100-0001 mask ffff-ff00-0000 description IP
phone A

192
 [DeviceA] voice-vlan mac-address 0011-2200-0001 mask ffff-ff00-0000 description IP
phone B
2. Configure Ten-GigabitEthernet 1/0/1:
# Configure Ten-GigabitEthernet 1/0/1 as a hybrid port.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-type hybrid
# Configure Ten-GigabitEthernet 1/0/1 to operate in automatic voice VLAN assignment mode.
[DeviceA-Ten-GigabitEthernet1/0/1] voice-vlan mode auto
# Enable voice VLAN on Ten-GigabitEthernet 1/0/1 and configure VLAN 2 as the voice VLAN
for it.
[DeviceA-Ten-GigabitEthernet1/0/1] voice-vlan 2 enable
[DeviceA-Ten-GigabitEthernet1/0/1] quit
3. Configure Ten-GigabitEthernet 1/0/2:
# Configure Ten-GigabitEthernet 1/0/2 as a hybrid port.
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-type hybrid
# Configure Ten-GigabitEthernet 1/0/2 to operate in automatic voice VLAN assignment mode.
[DeviceA-Ten-GigabitEthernet1/0/2] voice-vlan mode auto
# Enable voice VLAN on Ten-GigabitEthernet 1/0/2 and configure VLAN 3 as the voice VLAN
for it.
[DeviceA-Ten-GigabitEthernet1/0/2] voice-vlan 3 enable
[DeviceA-Ten-GigabitEthernet1/0/2] quit

Verifying the configuration

# Display the OUI addresses and their masks and descriptions.
[DeviceA] display voice-vlan mac-address
OUI Address Mask Description
0001-e300-0000 ffff-ff00-0000 Siemens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
000f-e200-0000 ffff-ff00-0000 H3C Aolynk phone
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3Com phone

# Display the voice VLAN state.

[DeviceA] display voice-vlan state
Current Voice VLANs: 2
Voice VLAN security mode: Security
Voice VLAN aging time: 30 minutes
Voice VLAN enabled ports and their modes:
Port VLAN Mode COS DSCP
XGE1/0/1 2 AUTO 6 46
XGE1/0/2 3 AUTO 6 46

193
Manual voice VLAN assignment mode configuration example
Network requirements
As shown in Figure 55:
• Device A transmits only voice traffic.
• IP phone A send untagged voice traffic.
For correct voice traffic transmission, perform the following tasks on Device A:
• Configure a voice VLAN to transmit voice traffic.
• Configure Ten-GigabitEthernet 1/0/1 to operate in manual voice VLAN assignment mode.
• Add the MAC address of IP phone A to the device for voice packet identification. The mask is
FFFF-FF00-0000.
Figure 55 Network diagram

Configuration procedure
# Configure the voice VLAN to operate in security mode.
<DeviceA> system-view
[DeviceA] voice-vlan security enable

# Add a MAC address 0011-2200-0000 with the mask FFFF-FF00-0000.

[DeviceA] voice-vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test

# Create VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit

# Configure Ten-GigabitEthernet 1/0/1 to operate in manual voice VLAN assignment mode.

[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] undo voice-vlan mode auto

# Configure Ten-GigabitEthernet 1/0/1 as a hybrid port.

[DeviceA-Ten-GigabitEthernet1/0/1] port link-type hybrid

# Configure VLAN 2 as the PVID of Ten-GigabitEthernet 1/0/1.

[DeviceA-Ten-GigabitEthernet1/0/1] port hybrid pvid vlan 2

# Configure Ten-GigabitEthernet 1/0/1 to forward the voice traffic from VLAN 2 without VLAN tags.
[DeviceA-Ten-GigabitEthernet1/0/1] port hybrid vlan 2 untagged

# Enable voice VLAN and configure VLAN 2 as the voice VLAN on Ten-GigabitEthernet 1/0/1.
[DeviceA-Ten-GigabitEthernet1/0/1] voice-vlan 2 enable
[DeviceA-Ten-GigabitEthernet1/0/1] quit

194
Verifying the configuration
# Display the OUI addresses and their masks and descriptions.
[DeviceA] display voice-vlan mac-address
OUI Address Mask Description
0001-e300-0000 ffff-ff00-0000 Siemens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
000f-e200-0000 ffff-ff00-0000 H3C Aolynk phone
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3Com phone

# Display the voice VLAN state.

[DeviceA] display voice-vlan state
Current Voice VLANs: 1
Voice VLAN security mode: Security
Voice VLAN aging time: 1440 minutes
Voice VLAN enabled ports and their modes:
Port VLAN Mode CoS DSCP
XGE1/0/1 2 Manual 6 46

195
Configuring MVRP
Multiple Registration Protocol (MRP) is an attribute registration protocol used to transmit attribute
values.
Multiple VLAN Registration Protocol (MVRP) is a typical MRP application. It synchronizes VLAN
information among devices.
MVRP propagates local VLAN information to other devices, receives VLAN information from other
devices, and dynamically updates local VLAN information. When the network topology changes,
MVRP propagates and learns VLAN information again according to the new topology.

MRP
MRP allows devices in the same LAN to transmit attribute values on a per MSTI basis. For more
information about MSTIs, see "Configuring spanning tree protocols."

MRP implementation
An MRP-enabled port is called an MRP participant. An MVRP-enabled port is called an MVRP
participant.
As shown in Figure 56, an MRP participant sends declarations and withdrawals to notify other
participants to register and deregister its attribute values. It also registers and deregisters the
attribute values of other participants according to the received declarations and withdrawals. MRP
rapidly propagates the configuration information of an MRP participant throughout the LAN.
Figure 56 MRP implementation

For example, MRP registers and deregisters VLAN attributes as follows:

• When a port receives a declaration for a VLAN, the port registers the VLAN and joins the VLAN.
• When a port receives a withdrawal for a VLAN, the port deregisters the VLAN and leaves the
VLAN.
Figure 56 shows a simple MRP implementation on an MSTI. In a network with multiple MSTIs, MRP
performs attribute registration and deregistration on a per-MSTI basis.

MRP messages
MRP messages include the following types:
• Declaration—Includes Join and New messages.
• Withdrawal—Includes Leave and LeaveAll messages.

196
Join message
An MRP participant sends a Join message to request the peer participant to register attributes in the
Join message.
When receiving a Join message from the peer participant, an MRP participant performs the following
tasks:
• Registers the attributes in the Join message.
• Propagates the Join message to all other participants on the device.
After receiving the Join message, other participants send the Join message to their respective peer
participants.
Join messages sent from a local participant to its peer participant include the following types:
• JoinEmpty—Declares an unregistered attribute. For example, when an MRP participant joins
an unregistered static VLAN, it sends a JoinEmpty message.
VLANs created manually and locally are called static VLANs. VLANs learned through MRP are
called dynamic VLANs.
• JoinIn—Declares a registered attribute. A JoinIn message is used in one of the following
situations:
{ An MRP participant joins an existing static VLAN and sends a JoinIn message after
registering the VLAN.
{ The MRP participant receives a Join message propagated by another participant on the
device and sends a JoinIn message after registering the VLAN.
New message
Similar to a Join message, a New message enables MRP participants to register attributes.
When the MSTP topology changes, an MRP participant sends a New message to the peer
participant to declare the topology change.
Upon receiving a New message from the peer participant, an MRP participant performs the following
tasks:
• Registers the attributes in the message.
• Propagates the New message to all other participants on the device.
After receiving the New message, other participants send the New message to their respective peer
participants.
Leave message
An MRP participant sends a Leave message to the peer participant when it wants the peer
participant to deregister attributes that it has deregistered.
When the peer participant receives the Leave message, it performs the following tasks:
• Deregisters the attribute in the Leave message.
• Propagates the Leave message to all other participants on the device.
After a participant on the device receives the Leave message, it determines whether to send the
Leave message to its peer participant depending on the attribute status on the device.
• If the VLAN in the Leave message is a dynamic VLAN not registered by any participants on the
device, both of the following events occur:
{ The VLAN is deleted on the device.
{ The participant sends the Leave message to its peer participant.
• If the VLAN in the a Leave message is a static VLAN, the participant will not send the Leave
message to its peer participant.

197
LeaveAll message
Each MRP participant starts its LeaveAll timer when starting up. When the timer expires, the MRP
participant sends LeaveAll messages to the peer participant.
Upon sending or receiving a LeaveAll message, the local participant starts the Leave timer. The local
participant determines whether to send a Join message depending on its the attribute status. A
participant can re-register the attributes in the received Join message before the Leave timer
expires.
When the Leave timer expires, a participant deregisters all attributes that have not been
re-registered to periodically clear useless attributes in the network.

MRP timers
MRP uses the following timers to control message transmission.
Periodic timer
The Periodic timer controls the transmission of MRP messages. An MRP participant starts its own
Periodic timer upon startup, and stores MRP messages to be sent before the Periodic timer expires.
When the Periodic timer expires, MRP sends stored MRP messages in as few MRP frames as
possible and restarts the Periodic timer. This mechanism reduces the number of MRP frames
periodically sent.
You can enable or disable the Periodic timer. When the Periodic timer is disabled, MRP does not
periodically send MRP messages. Instead, an MRP participant sends MRP messages when the
LeaveAll timer expires or the participant receives a LeaveAll message from the peer participant.
Join timer
The Join timer controls the transmission of Join messages. An MRP participant starts the Join timer
after sending a Join message to the peer participant. Before the Join timer expires, the participant
does not resend the Join message when the following conditions exist:
• The participant receives a JoinIn message from the peer participant.
• The received JoinIn message has the same attributes as the sent Join message.
When both the Join timer and the Periodic timer expire, the participant resends the Join message.
Leave timer
The Leave timer controls the deregistration of attributes.
An MRP participant starts the Leave timer in one of the following conditions:
• The participant receives a Leave message from its peer participant.
• The participant receives or sends a LeaveAll message.
The MRP participant does not deregister the attributes in the Leave or LeaveAll message if the
following conditions exist:
• The participant receives a Join message before the Leave timer expires.
• The Join message includes the attributes that have been encapsulated in the Leave or LeaveAll
message.
If the participant does not receive a Join message for these attributes before the Leave timer expires,
MRP deregisters the attributes.
LeaveAll timer
After startup, an MRP participant starts its own LeaveAll timer. When the LeaveAll timer expires, the
MRP participant sends out a LeaveAll message and restarts the LeaveAll timer.

198
 Upon receiving the LeaveAll message, other participants restart their LeaveAll timer. The value of
the LeaveAll timer is randomly selected between the LeaveAll timer and 1.5 times the LeaveAll timer.
This mechanism provides the following benefits:
• Effectively reduces the number of LeaveAll messages in the network.
• Prevents the LeaveAll timer of a particular participant from always expiring first.

MVRP registration modes

VLAN information propagated by MVRP includes dynamic VLAN information from other devices and
local static VLAN information.
MVRP has the following registration modes, which process dynamic VLANs in different ways.
Normal
An MVRP participant in normal registration mode registers and deregisters dynamic VLANs.
Fixed
An MVRP participant in fixed registration mode disables deregistering dynamic VLANs and drops
received MVRP frames. The MVRP participant does not deregister dynamic VLANs or register new
dynamic VLANs.
Forbidden
An MVRP participant in forbidden registration mode disables registering dynamic VLANs and drops
received MVRP frames. The MVRP participant does not register new dynamic VLANs or re-register
a deregistered dynamic VLAN.

Protocols and standards

IEEE 802.1ak IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area
Networks – Amendment 07: Multiple Registration Protocol

MVRP configuration task list

Tasks at a glance
(Required.) Enabling MVRP
(Optional.) Configuring an MVRP registration mode
(Optional.) Configuring MRP timers
(Optional.) Enabling GVRP compatibility

Configuration restrictions and guidelines

When you configure MVRP, follow these restrictions and guidelines:
• MVRP can work with STP, RSTP, or MSTP. MVRP cannot work with other link layer topology
protocols, including service loopback, PVST, RRPP, and Smart Link. Ports blocked by STP,
RSTP, or MSTP can receive and send MVRP frames.
For more information about STP, RSTP, MSTP, and PVST, see "Configuring spanning tree
protocols."
For more information about service loopback, see "Configuring service loopback groups."

199
 For more information about RRPP and Smart Link, see High Availability Configuration Guide.
• Do not configure both MVRP and remote port mirroring on a port. Otherwise, MVRP might
register the remote probe VLAN with incorrect ports, which would cause the monitor port to
receive undesired copies. For more information about port mirroring, see Network Management
and Monitoring Configuration Guide.
• MVRP takes effect only on trunk ports. For more information about trunk ports, see "Configuring
VLANs."
• Enabling MVRP on a Layer 2 aggregate interface takes effect on the aggregate interface and all
Selected member ports in the link aggregation group.
• MVRP configuration made on an aggregation group member port takes effect only after the port
is removed from the aggregation group.

Configuration prerequisites
Before configuring MVRP, make sure each MSTI is mapped to an existing VLAN on each device in
the network.

Enabling MVRP
Step Command Remarks
1. Enter system view. system-view N/A
By default, MVRP is globally
disabled.
2. Enable MVRP globally. mvrp global enable To make MVRP take effect on a
port, enable MVRP both on the
port and globally.

3. Enter Layer 2 Ethernet

interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

By default, any port is an access

port. For more information about
4. Configure the port as a trunk
port link-type trunk the port link-type trunk
port.
command, see Layer 2—LAN
Switching Command Reference.

By default, a trunk port permits

only VLAN 1.
Make sure the trunk port permits
5. Configure the trunk port to port trunk permit vlan all registered VLANs.
permit the specified VLANs. { vlan-id-list | all } For more information about the
port trunk permit vlan
command, see Layer 2—LAN
Switching Command Reference.

6. Enable MVRP on the port. By default, MVRP is disabled on a

mvrp enable
port.

200
Configuring an MVRP registration mode
Step Command Remarks
1. Enter system view. system-view N/A

2. Enter Layer 2 Ethernet

interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

Optional.
3. Configure an MVRP mvrp registration { fixed |
registration mode. forbidden | normal } The default setting is normal
registration mode.

Configuring MRP timers

To avoid frequent VLAN registrations and deregistrations, use the same MRP timers throughout the
network.
Each port maintains its own Periodic, Join, and LeaveAll timers, and each attribute of a port
maintains a Leave timer.
To configure MRP timers:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enter Layer 2 Ethernet

interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

Optional.
3. Configure the LeaveAll timer. mrp timer leaveall timer-value The default setting is 1000
centiseconds.
Optional.
4. Configure the Join timer. mrp timer join timer-value The default setting is 20
centiseconds.
Optional.
5. Configure the Leave timer. mrp timer leave timer-value The default setting is 60
centiseconds.
Optional.
The default setting is 100
6. Configure the Periodic timer. mrp timer periodic timer-value centiseconds.
You can restore the Periodic timer
to the default at any time.

Table 15 shows the value ranges for Join, Leave, and LeaveAll timers and their dependencies.
• If you set a timer to a value beyond the allowed value range, your configuration fails. You can
set a timer by tuning the value of any other timer. The value of each timer must be an integer
multiple of 20 centiseconds and in the range defined in Table 15.

201
 • As a best practice, restore the timers in the order of Join, Leave, and LeaveAll.
Table 15 Dependencies of the Join, Leave, and LeaveAll timers

Timer Lower limit Upper limit

Join 20 centiseconds Half the Leave timer

Leave Twice the Join timer LeaveAll timer

LeaveAll Leave timer on each port 32760 centiseconds

Enabling GVRP compatibility

Enable GVRP compatibility for MVRP when the peer device supports GVRP. Then, the local end can
receive and send both MVRP and GVRP frames.
When you enable GVRP compatibility, follow these restrictions and guidelines:
• GVRP compatibility enables MVRP to work with STP or RSTP, but not MSTP.
• When the system is busy, disable the Period timer to prevent the participant from frequently
registering or deregistering attributes.
To enable GVRP compatibility:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable GVRP mvrp gvrp-compliance
compatibility. By default, GVRP compatibility is disabled.
enable

Displaying and maintaining MVRP

Execute display commands in any view and reset commands in user view.

Task Command
Display MVRP running status. display mvrp running-status [ interface interface-list ]
Display the MVRP state of a port in a display mvrp state interface interface-type interface-number
VLAN. vlan vlan-id
Display MVRP statistics. display mvrp statistics [ interface interface-list ]
Clear MVRP statistics. reset mvrp statistics [ interface interface-list ]

MVRP configuration example

Network requirements
As shown in Figure 57:
• Create VLAN 10 on Device A and VLAN 20 on Device B.
• Configure MSTP, map VLAN 10 to MSTI 1, map VLAN 20 to MSTI 2, and map the other VLANs
to MSTI 0.

202
 Configure MVRP on Device A, Device B, Device C, and Device D to meet the following
requirements:
• The devices can register and deregister dynamic VLANs.
• The devices can keep identical VLAN configuration for each MSTI.
Figure 57 Network diagram
Device A Device B
Permit: all VLANs
XGE1/0/3 XGE1/0/3
XG 2

XG
E1 /0/ VLAN 20

/0/
VLAN 10 /0/ E1

E1
E1
2 XG

/0/
XG

1
Permit: all VLANs Permit: VLANs 20, 40
s Pe
AN rm
VL it:

XG
all VL
1
/0/

it: AN

E1
rm XG
E1

2 40
/0/ Pe

/0/
E1
XG

E1 /0/

1
XG 2

VLAN 10 MSTI 1
VLAN 20 MSTI 2
Other VLANs MSTI 0
Device C Device D

A B A B A B

C D C C D
MSTI 0 MSTI 1 MSTI 2

Link not blocked Link blocked by

Root bridge by spanning tree spanning tree

Blocked port Root port Designated port

Topology of each MSTI

Configuration procedure
1. Configure Device A:
# Enter MST region view.
<DeviceA> system-view
[DeviceA] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceA-mst-region] region-name example
[DeviceA-mst-region] instance 1 vlan 10
[DeviceA-mst-region] instance 2 vlan 20
[DeviceA-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceA-mst-region] active region-configuration
[DeviceA-mst-region] quit
# Configure Device A as the primary root bridge of MSTI 1.

203
 [DeviceA] stp instance 1 root primary
# Globally enable the spanning tree feature.
[DeviceA] stp global enable
# Globally enable MVRP.
[DeviceA] mvrp global enable
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/1] port trunk permit vlan all
# Enable MVRP on port Ten-GigabitEthernet 1/0/1.
[DeviceA-Ten-GigabitEthernet1/0/1] mvrp enable
[DeviceA-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and configure it to permit VLAN 40.
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/2] port trunk permit vlan 40
# Enable MVRP on port Ten-GigabitEthernet 1/0/2.
[DeviceA-Ten-GigabitEthernet1/0/2] mvrp enable
[DeviceA-Ten-GigabitEthernet1/0/2] quit
# Configure Ten-GigabitEthernet 1/0/3 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/3] port trunk permit vlan all
# Enable MVRP on Ten-GigabitEthernet 1/0/3.
[DeviceA-Ten-GigabitEthernet1/0/3] mvrp enable
[DeviceA-Ten-GigabitEthernet1/0/3] quit
# Create VLAN 10.
[DeviceA] vlan 10
[DeviceA-vlan10] quit
2. Configure Device B:
# Enter MST region view.
<DeviceB> system-view
[DeviceB] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceB-mst-region] region-name example
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 2 vlan 20
[DeviceB-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# Configure Device B as the primary root bridge of MSTI 2.
[DeviceB] stp instance 2 root primary
# Globally enable the spanning tree feature.
[DeviceB] stp global enable
# Globally enable MVRP.
[DeviceB] mvrp global enable

204
 # Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and configure it to permit VLANs 20 and
40.
[DeviceB] interface ten-gigabitethernet 1/0/1
[DeviceB-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/1] port trunk permit vlan 20 40
# Enable MVRP on Ten-GigabitEthernet 1/0/1.
[DeviceB-Ten-GigabitEthernet1/0/1] mvrp enable
[DeviceB-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/2] port trunk permit vlan all
# Enable MVRP on Ten-GigabitEthernet 1/0/2.
[DeviceB-Ten-GigabitEthernet1/0/2] mvrp enable
[DeviceB-Ten-GigabitEthernet1/0/2] quit
# Configure Ten-GigabitEthernet 1/0/3 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface ten-gigabitethernet 1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/3] port trunk permit vlan all
# Enable MVRP on Ten-GigabitEthernet 1/0/3.
[DeviceB-Ten-GigabitEthernet1/0/3] mvrp enable
[DeviceB-Ten-GigabitEthernet1/0/3] quit
# Create VLAN 20.
[DeviceB] vlan 20
[DeviceB-vlan20] quit
3. Configure Device C:
# Enter MST region view.
<DeviceC> system-view
[DeviceC] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceC-mst-region] region-name example
[DeviceC-mst-region] instance 1 vlan 10
[DeviceC-mst-region] instance 2 vlan 20
[DeviceC-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceC-mst-region] active region-configuration
[DeviceC-mst-region] quit
# Configure Device C as the root bridge of MSTI 0.
[DeviceC] stp instance 0 root primary
# Globally enable the spanning tree feature.
[DeviceC] stp global enable
# Globally enable MVRP.
[DeviceC] mvrp global enable
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceC] interface ten-gigabitethernet 1/0/1
[DeviceC-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-Ten-GigabitEthernet1/0/1] port trunk permit vlan all

205
 # Enable MVRP on Ten-GigabitEthernet 1/0/1.
[DeviceC-Ten-GigabitEthernet1/0/1] mvrp enable
[DeviceC-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and configure it to permit all VLANs.
[DeviceC] interface ten-gigabitethernet 1/0/2
[DeviceC-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceC-Ten-GigabitEthernet1/0/2] port trunk permit vlan all
# Enable MVRP on Ten-GigabitEthernet 1/0/2.
[DeviceC-Ten-GigabitEthernet1/0/2] mvrp enable
[DeviceC-Ten-GigabitEthernet1/0/2] quit
4. Configure Device D:
# Enter MST region view.
<DeviceD> system-view
[DeviceD] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceD-mst-region] region-name example
[DeviceD-mst-region] instance 1 vlan 10
[DeviceD-mst-region] instance 2 vlan 20
[DeviceD-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# Globally enable the spanning tree feature.
[DeviceD] stp global enable
# Globally enable MVRP.
[DeviceD] mvrp global enable
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and configure it to permit VLANs 20 and
40.
[DeviceD] interface ten-gigabitethernet 1/0/1
[DeviceD-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceD-Ten-GigabitEthernet1/0/1] port trunk permit vlan 20 40
# Enable MVRP on Ten-GigabitEthernet 1/0/1.
[DeviceD-Ten-GigabitEthernet1/0/1] mvrp enable
[DeviceD-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and configure it to permit VLAN 40.
[DeviceD] interface ten-gigabitethernet 1/0/2
[DeviceD-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceD-Ten-GigabitEthernet1/0/2] port trunk permit vlan 40
# Enable MVRP on Ten-GigabitEthernet 1/0/2.
[DeviceD-Ten-GigabitEthernet1/0/2] mvrp enable
[DeviceD-Ten-GigabitEthernet1/0/2] quit

Verifying the configuration

Verifying the normal registration mode configuration
# Display the local VLAN information on Device A.
[DeviceA] display mvrp running-status

206
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Ten-GigabitEthernet1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default)
Declared VLANs :
1(default), 10, 20
Propagated VLANs :
1(default)

----[Ten-GigabitEthernet1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
None
Declared VLANs :
1(default)
Propagated VLANs :
None

----[Ten-GigabitEthernet1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
20
Declared VLANs :
1(default), 10
Propagated VLANs :
20

207
The output shows that the following events have occurred:
• Ten-GigabitEthernet 1/0/1 has registered VLAN 1, declared VLAN 1, VLAN 10, and VLAN 20,
and propagated VLAN 1 through MVRP.
• Ten-GigabitEthernet 1/0/2 has declared VLAN 1, and registered and propagated no VLANs.
• Ten-GigabitEthernet 1/0/3 has registered VLAN 20, declared VLAN 1 and VLAN 10, and
propagated VLAN 20 through MVRP.
# Display the local VLAN information on Device B.
[DeviceB] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Ten-GigabitEthernet1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default)
Declared VLANs :
1(default), 20
Propagated VLANs :
1(default)

----[Ten-GigabitEthernet1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 10
Declared VLANs :
1(default), 20
Propagated VLANs :
1(default)

----[Ten-GigabitEthernet1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)

208
 LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 10
Declared VLANs :
20
Propagated VLANs :
10

The output shows that the following events have occurred:

• Ten-GigabitEthernet 1/0/1 has registered VLAN 1, declared VLAN 1 and VLAN 20, and
propagated VLAN 1 through MVRP.
• Ten-GigabitEthernet 1/0/2 has registered VLAN 1 and VLAN 10, declared VLAN 1 and VLAN 20,
and propagated VLAN 1.
• Ten-GigabitEthernet 1/0/3 has registered VLAN 1 and VLAN 10, declared VLAN 20, and
propagated VLAN 10 through MVRP.
# Display the local VLAN information on Device C.
[DeviceC] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Ten-GigabitEthernet1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 10, 20
Declared VLANs :
1(default)
Propagated VLANs :
1(default), 10

----[Ten-GigabitEthernet1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 20
Declared VLANs :
1(default), 10

209
 Propagated VLANs :
1(default), 20

The output shows that the following events have occurred:

• Ten-GigabitEthernet 1/0/1 has registered VLAN 1, VLAN 10, and VLAN 20, declared VLAN 1,
and propagated VLAN 1 and VLAN 10 through MVRP.
• Ten-GigabitEthernet 1/0/2 has registered VLAN 1 and VLAN 20, declared VLAN 1 and VLAN 10,
and propagated VLAN 1 and VLAN 20 through MVRP.
# Display the local VLAN information on Device D.
[DeviceD] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Ten-GigabitEthernet1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 20
Declared VLANs :
1(default)
Propagated VLANs :
1(default), 20

----[Ten-GigabitEthernet1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default)
Declared VLANs :
None
Propagated VLANs :
None

The output shows that the following events have occurred:

• Ten-GigabitEthernet 1/0/1 has registered and propagated VLAN 10 and VLAN 20, and declared
VLAN 1 through MVRP.
• Port Ten-GigabitEthernet 1/0/2 has registered VLAN 1, and declared and propagated no VLANs
through MVRP.

210
Verifying the configuration after changing the registration mode
When the network is stable, set the MVRP registration mode to fixed on the port of Device B
connected to Device A. Then, verify that dynamic VLANs on the port will not be deregistered.
# Set the MVRP registration mode to fixed on Ten-GigabitEthernet 1/0/3 of Device B.
[DeviceB] interface ten-gigabitethernet 1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] mvrp registration fixed
[DeviceB-Ten-GigabitEthernet1/0/3] quit

# Display the local MVRP VLAN information on Ten-GigabitEthernet 1/0/3 of Device B.

[DeviceB] display mvrp running-status interface ten-gigabitethernet 1/0/3
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Ten-GigabitEthernet1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Fixed
Registered VLANs :
1(default), 10
Declared VLANs :
20
Propagated VLANs :
10

The output shows that VLAN information on Ten-GigabitEthernet 1/0/3 is not changed after you set
its MVRP registration mode to fixed.
# Delete VLAN 10 on Device A.
[DeviceA] undo vlan 10

# Display the local MVRP VLAN information on Ten-GigabitEthernet 1/0/3 of Device B.

[DeviceB] display mvrp running-status interface ten-gigabitethernet 1/0/3
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Ten-GigabitEthernet1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Fixed
Registered VLANs :
1(default), 10

211
 Declared VLANs :
20
Propagated VLANs :
10

The output shows that the dynamic VLAN information on Ten-GigabitEthernet 1/0/3 is not changed
after you set its MVRP registration mode to fixed.

212
Configuring QinQ
This document uses the following terms:
• CVLAN—Customer network VLANs, also called inner VLANs, refer to VLANs that a customer
uses on the private network.
• SVLAN—Service provider network VLANs, also called outer VLANs, refer to VLANs that a
service provider uses to transmit VLAN tagged traffic for customers.

Overview
802.1Q-in-802.1Q (QinQ) adds an 802.1Q tag to 802.1Q tagged customer traffic. It enables a
service provider to extend Layer 2 connections across an Ethernet network between customer sites.
QinQ provides the following benefits:
• Enables a service provider to use a single SVLAN to convey multiple CVLANs for a customer.
• Enables customers to plan CVLANs without conflicting with SVLANs.
• Enables customers to keep their VLAN assignment schemes unchanged when the service
provider changes its VLAN assignment scheme.
• Allows customers to use overlapping CVLAN IDs. Devices in the service provider network make
forwarding decisions based on SVLAN IDs instead of CVLAN IDs.

How QinQ works

As shown in Figure 58, a QinQ frame transmitted over the service provider network carries the
following tags:
• CVLAN tag—Identifies the VLAN to which the frame belongs when it is transmitted in the
customer network.
• SVLAN tag—Identifies the VLAN to which the QinQ frame belongs when it is transmitted in the
service provider network. The service provider allocates the SVLAN tag to the customer.
The devices in the service provider network forward a tagged frame according to its SVLAN tag only.
The CVLAN tag is transmitted as part of the frame's payload.
Figure 58 Single-tagged Ethernet frame header and double-tagged Ethernet frame header

As shown in Figure 59, customer A has remote sites CE 1 and CE 4. Customer B has remote sites
CE 2 and CE 3. The CVLANs of the two customers overlap. The service provider assigns SVLANs 3
and 4 to customers A and B, respectively.

213
 When a tagged frame from CE 1 arrives, PE 1 tags the frame with SVLAN 3. The double-tagged
frame travels over the service provider network until it arrives at PE 2. PE 2 removes the SVLAN tag
of the frame, and then sends the frame to CE 4.
Figure 59 Typical QinQ application scenario
VLANs 1 to 20 VLANs 1 to 10

CE 3 CE 4
Customer Customer
network B network A
CVLAN B Data CVLAN A Data

SVLAN 4 CVLAN B Data SVLAN 3 CVLAN A Data

PE 1 Network PE 2

SVLAN 3 CVLAN A Data SVLAN 4 CVLAN B Data

Service provider network

CVLAN A Data CVLAN B Data

Customer Customer
network A network B
CE 1 CE 2

VLANs 1 to 10 VLANs 1 to 20

QinQ implementations
QinQ is enabled on a per-port basis. The link type of a QinQ-enabled port can be access, hybrid, or
trunk. The QinQ tagging behaviors are the same across these types of ports.
A QinQ-enabled port tags all incoming frames (tagged or untagged) with the PVID tag.
• If an incoming frame already has one tag, it becomes a double-tagged frame.
• If the frame does not have any 802.1Q tags, it becomes a frame tagged with the PVID.
QinQ provides the most basic VLAN manipulation method to tag all incoming frames (tagged or
untagged) with the PVID tag. To perform advanced VLAN manipulations, use VLAN mapping (see
"Configuring VLAN mapping") or QoS policies. For example:
• To use different SVLANs for different CVLAN tags, use one-to-two VLAN mapping.
• To replace the SVLAN ID, CVLAN ID, or both IDs for an incoming double-tagged frame, use
two-to-two VLAN mapping.
• To set the 802.1p priority in SVLAN tags, configure a QoS policy as described in "Setting the
802.1p priority in SVLAN tags."

Protocols and standards

• IEEE 802.1Q, IEEE Standard for Local and Metropolitan Area Networks-Virtual Bridged Local
Area Networks
• IEEE 802.1ad, IEEE Standard for Local and Metropolitan Area Networks-Virtual Bridged Local
Area Networks-Amendment 4: Provider Bridges

214
Restrictions and guidelines
When you configure QinQ, follow these restrictions and guidelines:
• EVB and QinQ are mutually exclusive. Do not enable both features on a port.
• Before you can configure QinQ on a port, you must remove any VLAN mappings on the port.
After you enable QinQ on the port, you can configure any VLAN mapping types except
two-to-two VLAN mapping. If QinQ and a VLAN mapping conflict, the VLAN mapping takes
effect.
• The inner 802.1Q tag of QinQ frames is treated as part of the payload. As a best practice to
ensure correct transmission of QinQ frames, set the MTU to a minimum of 1504 bytes for each
port on the forwarding path. This value is the sum of the default Ethernet interface MTU (1500
bytes) and the length (4 bytes) of a VLAN tag.

Enabling QinQ
Enable QinQ on customer-side ports of PEs. A QinQ-enabled port tags an incoming frame with its
PVID.
To enable QinQ:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Enable QinQ. qinq enable By default, QinQ is disabled.

Configuring transparent transmission for VLANs

You can exclude traffic of a VLAN (for example, the management VLAN) from the QinQ tagging
action on a customer-side port. This VLAN is called a transparent VLAN.
To ensure successful transmission for a transparent VLAN, follow these configuration guidelines:
• Set the link type of the port to trunk or hybrid, and assign the port to its PVID and the transparent
VLAN.
• Do not configure any other VLAN manipulation actions for the VLAN on the port.
• Make sure all ports on the traffic path permit the VLAN to pass through.
To enable transparent transmission for a list of VLANs:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

Configure the port link type. By default, the link type of

3. port link-type { hybrid | trunk }
ports is access.
4. Configure the port to allow • For hybrid ports: By default, trunk ports allow
packets from its PVID and port hybrid vlan vlan-id-list only packets from VLAN 1 to
the transparent VLANs to { tagged | untagged } pass through. Hybrid ports

215
 Step Command Remarks
pass through. • For trunk ports: allow only packets from
port trunk permit vlan VLAN 1 to pass through
{ vlan-id-list | all } untagged.
5. Enable QinQ on the port. qinq enable By default, QinQ is disabled.
By default, transparent
6. Specify transparent VLANs. transmission is not
qinq transparent-vlan vlan-list
configured for any VLANs on
a port.

Configuring the TPID in VLAN tags

TPID identifies a frame as an 802.1Q tagged frame. The TPID value varies by vendor. On the device,
the TPID in the 802.1Q tag added on a QinQ-enabled port is 0x8100 by default, in compliance with
IEEE 802.1Q. In a multi-vendor network, make sure the TPID setting is the same across all devices
so 802.1Q tagged frames can be identified correctly.
TPID settings include CVLAN TPID and SVLAN TPID.
A QinQ-enabled port uses the CLAN TPID to match incoming tagged frames. An incoming frame is
handled as untagged if its TPID is different from the CVLAN TPID.
SVLAN TPIDs are configurable on a per-port basis. A service provider-side port uses the SVLAN
TPID to replace the TPID in outgoing frames' SVLAN tags and match incoming tagged frames. An
incoming frame is handled as untagged if the TPID in its outer VLAN tag is different from the SVLAN
TPID.
For example, a PE device is connected to a customer device that uses the TPID 0x8200 and to a
provider device that uses the TPID 0x9100. For correct packet processing, you must set the CVLAN
TPID and SVLAN TPID to 0x8200 and 0x9100 on the PE, respectively.
The TPID field is in the same position as the EtherType field in an untagged Ethernet frame. To
ensure correct packet type identification, do not set the TPID value to any of the values listed in Table
16.
Table 16 Reserved EtherType values

Protocol type Value

ARP 0x0806
PUP 0x0200
RARP 0x8035
IP 0x0800
IPv6 0x86DD
PPPoE 0x8863/0x8864
MPLS 0x8847/0x8848
IPX/SPX 0x8137
IS-IS 0x8000
LACP 0x8809
802.1X 0x888E
LLDP 0x88CC
802.1ag 0x8902

216
 Protocol type Value
Cluster 0x88A7
Reserved 0xFFFD/0xFFFE/0xFFFF

Configuring the CVLAN TPID

Step Command Remarks
1. Enter system view. system-view N/A
2. Configure the TPID value for qinq ethernet-type The default setting is 0x8100 for
CVLAN tags. customer-tag hex-value CVLAN tags.

Configuring the SVLAN TPID

When you configure the SVLAN ID, follow these restrictions and guidelines:
• Configure the SVLAN TPID on service provider-side ports of PEs.
• Do not configure the SVLAN TPID on a QinQ-enabled port.
• EVB and SVLAN TPID configuration are mutually exclusive. Do not configure both features on
a port.
To configure the SVLAN TPID:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface view interface interface-type
or aggregate interface view. N/A
interface-number

3. Configure the SVLAN TPID. qinq ethernet-type service-tag The default setting is 0x8100 for
hex-value SVLAN tags.

Setting the 802.1p priority in SVLAN tags

By default, a QinQ-enabled port sets the 802.1p priority in the SVLAN tag depending on the priority
trust mode.
• If the 802.1p priority is trusted, the port copies the 802.1p priority in the CVLAN tag to the
SVLAN tag.
• If port priority is trusted, the port sets the 802.1p priority in the SVLAN to be the same as the port
priority. The default port priority is 0.
Alternatively, you can configure a QoS policy to set the 802.1p priority in the SVLAN by using one of
the following methods:
• Sets an 802.1p priority value in the SVLAN tag depending on the VLAN ID or 802.1p priority in
the CVLAN tag.
• Copies the 802.1p priority in the CVLAN tag to the SVLAN tag.
To set the 802.1p priority in SVLAN tags:

217
 Step Command Remarks
1. Enter system view. system-view N/A
2. Create a traffic class and traffic classifier classifier-name [ operator By default, no traffic
enter traffic class view. { and | or } ] class is configured.
• Match CVLAN IDs:
if-match customer-vlan-id vlan-id-list
3. Configure CVLAN match
criteria. • Match 802.1p priority: N/A
if-match customer-dot1p
dot1p-value&<1-8>
4. Return to system view. quit N/A
5. Create a traffic behavior
and enter traffic behavior traffic behavior behavior-name N/A
view.

• Replace the priority in the SVLAN tags of

matching frames with the configured
6. Configure a priority priority:
marking action for SVLAN remark dot1p dot1p-value N/A
tags. • Copy the 802.1p priority in the CVLAN
tag to the SVLAN tag:
remark dot1p customer-dot1p-trust

7. Return to system view. quit N/A

8. Create a QoS policy and
enter QoS policy view. qos policy policy-name N/A

9. Associate the traffic class classifier classifier-name behavior

with the traffic behavior. N/A
behavior-name
10. Return to system view. quit N/A
11. Enter Layer 2 Ethernet
interface view. interface interface-type interface-number N/A

By default, the device

does not trust the 802.1p
12. Configure the port to trust priority carried in frames.
the 802.1p priority in qos trust dot1p Skip this step if the
incoming frames. remark dot1p
customer-dot1p-trust
command is configured.
13. Enable QinQ. qinq enable N/A
14. Apply the QoS policy to
the inbound direction of qos apply policy policy-name inbound N/A
the port.

For more information about QoS policies, see ACL and QoS Configuration Guide.

218
Displaying and maintaining QinQ
Execute display commands in any view.

Task Command
display qinq [ interface interface-type
Display QinQ-enabled ports.
interface-number ]

QinQ configuration examples

Basic QinQ configuration example
Network requirements
As shown in Figure 60:
• The service provider assigns VLAN 100 to Company A's VLANs 10 through 70.
• The service provider assigns VLAN 200 to Company B's VLANs 30 through 90.
• The devices between PE 1 and PE 2 in the service provider network use a TPID value of
0x8200.
Configure QinQ on PE 1 and PE 2 to transmit traffic in VLANs 100 and 200 for Company A and
Company B, respectively.
For the QinQ frames to be identified correctly, set the SVLAN TPID to 0x8200 on the service
provider-side ports of PE 1 and PE 2.
Figure 60 Network diagram
VLANs 30 to 90 VLANs 10 to 70

Site 3 CE 3 CE 4 Site 2
Company B Company A

XGE1/0/3 XGE1/0/3
XGE1/0/2 VLANs 100 and 200 XGE1/0/2
PE 1 PE 2
TPID = 0x8200
XGE1/0/1 XGE1/0/1

Service provider network

Company A Company B
Site 1 CE 1 CE 2 Site 4

VLANs 10 to 70 VLANs 30 to 90

Configuration procedure
1. Configure PE 1:

219
 # Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and assign it to VLAN 100 and VLANs 10
through 70.
<PE1> system-view
[PE1] interface ten-gigabitethernet 1/0/1
[PE1-Ten-GigabitEthernet1/0/1] port link-type trunk
[PE1-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100 10 to 70
# Configure VLAN 100 as the PVID for Ten-GigabitEthernet 1/0/1.
[PE1-Ten-GigabitEthernet1/0/1] port trunk pvid vlan 100
# Enable QinQ on Ten-GigabitEthernet 1/0/1.
[PE1-Ten-GigabitEthernet1/0/1] qinq enable
[PE1-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 200.
[PE1] interface ten-gigabitethernet 1/0/2
[PE1-Ten-GigabitEthernet1/0/2] port link-type trunk
[PE1-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100 200
# Set the TPID value in the SVLAN tags to 0x8200 on Ten-GigabitEthernet 1/0/2.
[PE1-Ten-GigabitEthernet1/0/2] qinq ethernet-type service-tag 8200
[PE1-Ten-GigabitEthernet1/0/2] quit
# Configure Ten-GigabitEthernet 1/0/3 as a trunk port, and assign it to VLAN 200 and VLANs 30
through 90.
[PE1] interface ten-gigabitethernet 1/0/3
[PE1-Ten-GigabitEthernet1/0/3] port link-type trunk
[PE1-Ten-GigabitEthernet1/0/3] port trunk permit vlan 200 30 to 90
# Configure VLAN 200 as the PVID for Ten-GigabitEthernet 1/0/3.
[PE1-Ten-GigabitEthernet1/0/3] port trunk pvid vlan 200
# Enable QinQ on Ten-GigabitEthernet 1/0/3.
[PE1-Ten-GigabitEthernet1/0/3] qinq enable
[PE1-Ten-GigabitEthernet1/0/3] quit
2. Configure PE 2:
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and assign it to VLAN 200 and VLANs 30
through 90.
<PE2> system-view
[PE2] interface ten-gigabitethernet 1/0/1
[PE2-Ten-GigabitEthernet1/0/1] port link-type trunk
[PE2-Ten-GigabitEthernet1/0/1] port trunk permit vlan 200 30 to 90
# Configure VLAN 200 as the PVID for Ten-GigabitEthernet 1/0/1.
[PE2-Ten-GigabitEthernet1/0/1] port trunk pvid vlan 200
# Enable QinQ on Ten-GigabitEthernet 1/0/1.
[PE2-Ten-GigabitEthernet1/0/1] qinq enable
[PE2-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 200.
[PE2] interface ten-gigabitethernet 1/0/2
[PE2-Ten-GigabitEthernet1/0/2] port link-type trunk
[PE2-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100 200
# Set the TPID value in the SVLAN tags to 0x8200 on Ten-GigabitEthernet 1/0/2.
[PE2-Ten-GigabitEthernet1/0/2] qinq ethernet-type service-tag 8200
[PE2-Ten-GigabitEthernet1/0/2] quit

220
 # Configure Ten-GigabitEthernet 1/0/3 as a trunk port, and assign it to VLAN 100 and VLANs 10
through 70.
[PE2] interface ten-gigabitethernet 1/0/3
[PE2-Ten-GigabitEthernet1/0/3] port link-type trunk
[PE2-Ten-GigabitEthernet1/0/3] port trunk permit vlan 100 10 to 70
# Configure VLAN 100 as the PVID for Ten-GigabitEthernet 1/0/3.
[PE2-Ten-GigabitEthernet1/0/3] port trunk pvid vlan 100
# Enable QinQ on Ten-GigabitEthernet 1/0/3.
[PE2-Ten-GigabitEthernet1/0/3] qinq enable
[PE2-Ten-GigabitEthernet1/0/3] quit
3. Configure the devices between PE 1 and PE 2:
# Set the MTU to a minimum of 1504 bytes for each port on the path of QinQ frames. (Details
not shown.)
# Configure all the ports on the forwarding path to allow frames from VLANs 100 and 200 to
pass through without removing the VLAN tag. (Details not shown.)

VLAN transparent transmission configuration example

Network requirements
As shown in Figure 61:
• The service provider assigns VLAN 100 to a company's VLANs 10 through 50.
• VLAN 3000 is the dedicated VLAN of the company on the service provider network.
Configure QinQ on PE 1 and PE 2 to provide Layer 2 connectivity for CVLANs 10 through 50 over the
service provider network.
Configure VLAN transparent transmission for VLAN 3000 on PE 1 and PE 2 to enable the hosts in
VLAN 3000 to communicate without using an SVLAN.
Figure 61 Network diagram

PE 1 PE 2
XGE1/0/2 XGE1/0/2
VLANs 100 and 3000
XGE1/0/1 XGE1/0/1

Service provider network

Site 1 Site 2
CE 1 CE 2

VLANs 10 to 50, 3000 VLANs 10 to 50, 3000

Configuration procedure
1. Configure PE 1:
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and assign it to VLANs 10 through 50,
100, and 3000.
<PE1> system-view
[PE1] interface ten-gigabitethernet 1/0/1

221
 [PE1-Ten-GigabitEthernet1/0/1] port link-type trunk
[PE1-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100 3000 10 to 50
# Configure VLAN 100 as the PVID of Ten-GigabitEthernet 1/0/1.
[PE1-Ten-GigabitEthernet1/0/1] port trunk pvid vlan 100
# Enable QinQ on Ten-GigabitEthernet 1/0/1.
[PE1-Ten-GigabitEthernet1/0/1] qinq enable
# Configure Ten-GigabitEthernet 1/0/1 to transparently transmit frames from VLAN 3000.
[PE1-Ten-GigabitEthernet1/0/1] qinq transparent-vlan 3000
[PE1-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 3000.
[PE1] interface ten-gigabitethernet 1/0/2
[PE1-Ten-GigabitEthernet1/0/2] port link-type trunk
[PE1-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100 3000
[PE1-Ten-GigabitEthernet1/0/2] quit
2. Configure PE 2:
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and assign it to VLANs 10 through 50,
100, and 3000.
<PE2> system-view
[PE2] interface ten-gigabitethernet 1/0/1
[PE2-Ten-GigabitEthernet1/0/1] port link-type trunk
[PE2-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100 3000 10 to 50
# Configure VLAN 100 as the PVID of Ten-GigabitEthernet 1/0/1.
[PE1-Ten-GigabitEthernet1/0/1] port trunk pvid vlan 100
# Enable QinQ on Ten-GigabitEthernet 1/0/1.
[PE2-Ten-GigabitEthernet1/0/1] qinq enable
# Configure Ten-GigabitEthernet 1/0/1 to transparently transmit frames from VLAN 3000.
[PE2-Ten-GigabitEthernet1/0/1] qinq transparent-vlan 3000
[PE2-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 3000.
[PE2] interface ten-gigabitethernet 1/0/2
[PE2-Ten-GigabitEthernet1/0/2] port link-type trunk
[PE2-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100 3000
3. Configure the devices between PE 1 and PE 2:
# Set the MTU to a minimum of 1504 bytes for each port on the path of QinQ frames. (Details
not shown.)
# Configure all the ports on the forwarding path to allow frames from VLANs 100 and 3000 to
pass through without removing the VLAN tag. (Details not shown.)

222
Configuring VLAN mapping
Overview
VLAN mapping re-marks VLAN tagged traffic with new VLAN IDs. H3C provides the following types
of VLAN mapping:
• One-to-one VLAN mapping—Replaces one VLAN tag with another.
• Many-to-one VLAN mapping—Replaces multiple VLAN tags with the same VLAN tag.
• One-to-two VLAN mapping—Tags single-tagged packets with an outer VLAN tag.
• Two-to-two VLAN mapping—Replaces the SVLAN ID, CVLAN ID, or both IDs for an incoming
double-tagged frame.

Application scenario of one-to-one and many-to-one VLAN

mapping
Figure 62 shows a typical application scenario of one-to-one and many-to-one VLAN mapping. The
scenario implements broadband Internet access for a community.

223
Figure 62 Application scenario of one-to-one and many-to-one VLAN mapping

...

...
...

...

...

...
...

As shown in Figure 62, the network is implemented as follows:

• Each home gateway uses different VLANs to transmit the PC, VoD, and VoIP services.
• To further subclassify each type of traffic by customer, configure one-to-one VLAN mapping on
the wiring-closet switches. This feature assigns a separate VLAN to each type of traffic from
each customer. The required total number of VLANs in the network can be very large.
• To prevent the maximum number of VLANs from being exceeded on the distribution layer
device, configure many-to-one VLAN mapping on the campus switch. This feature assigns the
same VLAN to the same type of traffic from different customers.

224
Application scenario of one-to-two and two-to-two VLAN
mapping
Figure 63 shows a typical application scenario of one-to-two and two-to-two VLAN mapping. In this
scenario, the remote sites of the same VPN must communicate across two SP networks.
Figure 63 Application scenario of one-to-two and two-to-two VLAN mapping

Site 1 and Site 2 are in VLAN 2 and VLAN 3, respectively. The SP 1 network assigns SVLAN 10 to
Site 1. The SP 2 network assigns SVLAN 20 to Site 2. When the packet from Site 1 arrives at PE 1,
PE 1 tags the packet with SVLAN 10 by using one-to-two VLAN mapping.
When the double-tagged packet from the SP 1 network arrives at the SP 2 network interface, PE 3
processes the packet as follows:
• Replaces SVLAN tag 10 with SVLAN tag 20.
• Replaces CVLAN tag 2 with CVLAN tag 3.
One-to-two VLAN mapping provides the following benefits:
• Enables a customer network to plan its CVLAN assignment without conflicting with SVLANs.
• Adds a VLAN tag to a tagged packet and expands the number of available VLANs to 4094 ×
4094.
• Reduces the stress on the SVLAN resources, which were 4094 VLANs in the SP network
before the mapping process was initiated.

VLAN mapping implementations

Figure 64 shows a simplified network that illustrates basic VLAN mapping terms.
Basic VLAN mapping terms include the following:
• Uplink traffic—Traffic transmitted from the customer network to the service provider network.
• Downlink traffic—Traffic transmitted from the service provider network to the customer
network.
• Network-side port—A port connected to or closer to the service provider network.
• Customer-side port—A port connected to or closer to the customer network.

225
 Figure 64 Basic VLAN mapping terms

SP

Network-side port
Customer-side port
Uplink traffic
Downlink traffic

One-to-one VLAN mapping

As shown in Figure 65, one-to-one VLAN mapping is implemented on the customer-side port and
replaces VLAN tags as follows:
• Replaces the CVLAN with the SVLAN for the uplink traffic.
• Replaces the SVLAN with the CVLAN for the downlink traffic.
Figure 65 One-to-one VLAN mapping implementation

Many-to-one VLAN mapping

As shown in Figure 66, many-to-one VLAN mapping is implemented on both the customer-side and
network-side ports as follows:
• For the uplink traffic, the customer-side many-to-one VLAN mapping replaces multiple CVLANs
with the same SVLAN.
• For the downlink traffic, the network-side many-to-one VLAN mapping replaces the SVLAN with
the CVLAN found in the DHCP snooping table or ARP snooping table. For more information
about DHCP snooping or ARP snooping, see Layer 3—IP Services Configuration Guide.

226
 Figure 66 Many-to-one VLAN mapping implementation

...

...
One-to-two VLAN mapping
As shown in Figure 67, one-to-two VLAN mapping is implemented on the customer-side port to add
the SVLAN tag for the uplink traffic.
For the downlink traffic to be correctly sent to the customer network, make sure the SVLAN tag is
removed on the customer-side port before transmission. Use one of the following methods to remove
the SVLAN tag from the downlink traffic:
• Configure the customer-side port as a hybrid port and assign the port to the SVLAN as an
untagged member.
• Configure the customer-side port as a trunk port and configure the SVLAN as the PVID.
Figure 67 One-to-two VLAN mapping implementation

Two-to-two VLAN mapping

As shown in Figure 68, two-to-two VLAN mapping is implemented on the customer-side port and
replaces VLAN tags as follows:
• Replaces the CVLAN and the SVLAN with the CVLAN' and the SVLAN' for the uplink traffic.
• Replaces the SVLAN' and CVLAN' with the SVLAN and the CVLAN for the downlink traffic.

227
 Figure 68 Two-to-two VLAN mapping implementation
Two-to-two VLAN
mapping

SVLAN CVLAN Data SVLAN’ CVLAN’ Data

Customer
SP network
network
SVLAN CVLAN Data SVLAN’ CVLAN’ Data

Network-side port Customer-side port Uplink traffic Downlink traffic

General configuration restrictions and guidelines

When you configure VLAN mapping, follow these restrictions and guidelines:
• When you configure one-to-two VLAN mapping on a QinQ-enabled port, the switch operates as
follows:
{ If a packet matches the one-to-two VLAN mapping, the switch tags the packet with the
SVLAN that is specified in the VLAN mapping.
{ If a packet does not match the one-to-two VLAN mapping, the switch tags the packet with
the PVID.
• When you configure one-to-one or many-to-one VLAN mapping on a QinQ-enabled port, the
switch operates as follows:
{ If a packet matches the one-to-one or many-to-one VLAN mapping, the switch replaces the
CVLAN tag with the SVLAN tag specified in the VLAN mapping.
{ If a packet does not match the one-to-one or many-to-one VLAN mapping, the switch tags
the packet with the PVID.
For more information about QinQ, see "Configuring QinQ."
• You can configure both VLAN mapping and a QoS policy for VLAN tagging. The QoS policy
takes effect if a configuration conflict occurs. For information about QoS policies, see ACL and
QoS Configuration Guide.
• VLAN mapping is mutually exclusive with EVB. Do not configure both features on a port. For
more information about EVB, see EVB Configuration Guide.

VLAN mapping configuration task list

IMPORTANT:
Use the appropriate VLAN mapping methods for the devices in the network.

To configure VLAN mapping:

Tasks at a glance Remarks

Configure one-to-one VLAN mapping on the
Configuring one-to-one VLAN mapping
wiring-closet switch, as shown in Figure 62.
Configuring many-to-one VLAN mapping Configure many-to-one VLAN mapping on the
• Configuring many-to-one VLAN mapping in a campus switch, as shown in Figure 62.
network with dynamic IP address assignment Complete one of the tasks based on the IP address

228
 Tasks at a glance Remarks
• Configuring many-to-one VLAN mapping in a assignment method.
network with static IP address assignment
Configure one-to-two VLAN mapping on PE 1 and
PE 4, as shown in Figure 63, through which traffic
Configuring one-to-two VLAN mapping
from customer networks enter the service provider
networks.
Configure two-to-two VLAN mapping on PE 3, as
Configuring two-to-two VLAN mapping shown in Figure 63, which is an edge device of the
SP 2 network.

Configuring one-to-one VLAN mapping

Configure one-to-one VLAN mapping on the customer-side ports of wiring-closet switches
(see Figure 62) to isolate traffic of the same service type from different homes.
Before you configure one-to-one VLAN mapping, create the original VLAN and the translated VLAN.
To configure one-to-one VLAN mapping:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 N/A
aggregate interface view. • Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number

• Set the port link type to trunk:

port link-type trunk By default, the link type of a
3. Set the link type of the port.
• Set the port link type to hybrid: port is access.
port link-type hybrid

• For the trunk port:

port trunk permit vlan
4. Assign the port to the original
vlan-id-list
VLANs and the translated N/A
VLANs. • For the hybrid port:
port hybrid vlan vlan-id-list
tagged

5. Configuring a one-to-one vlan mapping vlan-id By default, no VLAN mapping

VLAN mapping. translated-vlan vlan-id is configured on an interface.

Configuring many-to-one VLAN mapping

Configure many-to-one VLAN mapping on campus switches (see Figure 62) to transmit the same
type of traffic from different users in one VLAN.

229
Configuring many-to-one VLAN mapping in a network with
dynamic IP address assignment
In a network that uses dynamic address assignment, configure many-to-one VLAN mapping with
DHCP snooping.
The switch replaces the SVLAN tag of the downlink traffic with the associated CVLAN tag based on
the DHCP snooping entry lookup.
Configuration restrictions and guidelines
When you configure many-to-one VLAN mapping in a network that uses dynamic address
assignment, follow these restrictions and guidelines:
• Before you configure many-to-one VLAN mapping, create the original VLANs and the
translated VLANs.
• Customer-side many-to-one VLAN mapping is not supported on Layer 2 aggregate interfaces.
• To ensure correct traffic forwarding from the service provider network to the customer network,
do not configure many-to-one VLAN mapping together with uRPF. For more information about
uRPF, see Security Configuration Guide.
• To modify many-to-one VLAN mappings, first use the reset dhcp snooping binding command
to clear the DHCP snooping entries.
Configuration task list

Tasks at a glance
(Required.) Enabling DHCP snooping
(Required.) Enabling ARP detection
(Required.) Configuring the customer-side port
(Required.) Configuring the network-side port

Enabling DHCP snooping

Step Command Remarks

1. Enter system view. system-view N/A
By default, DHCP snooping is disabled.
For more information about DHCP
2. Enable DHCP snooping. dhcp snooping enable snooping configuration commands, see
Layer 3—IP Services Command
Reference.

Enabling ARP detection

Enable ARP detection for the original VLANs and the translated VLANs.
To enable ARP detection:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter VLAN view. vlan vlan-id N/A
By default, ARP detection is disabled.
3. Enable ARP detection. arp detection enable For more information about ARP
detection configuration commands, see

230
 Step Command Remarks
Security Command Reference.

Configuring the customer-side port

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
• Set the port link type to trunk:
port link-type trunk By default, the link type of a
3. Set the link type of the port.
• Set the port link type to hybrid: port is access.
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the original vlan-id-list
VLANs and the translated N/A
VLANs. • For the hybrid port:
port hybrid vlan vlan-id-list
tagged

Configure a many-to-one vlan mapping uni { range

5. By default, no VLAN mapping
VLAN mapping. vlan-range-list | single vlan-id-list }
is configured on an interface.
translated-vlan vlan-id

6. Enable DHCP snooping entry By default, DHCP snooping

recording. dhcp snooping binding record entry recording is disabled on
an interface.

Configuring the network-side port

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 N/A
aggregate interface view. • Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
• Set the port link type to trunk:
port link-type trunk By default, the link type of a
3. Set the link type of the port.
• Set the port link type to hybrid: port is access.
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the vlan-id-list
translated VLANs. N/A
• For the hybrid port:
port hybrid vlan vlan-id-list
tagged
By default, all ports that
5. Configuring the port as a support DHCP snooping are
DHCP snooping trusted port. dhcp snooping trust
untrusted ports when DHCP
snooping is enabled.

6. Configure the port as an ARP arp detection trust By default, all ports are ARP

231
 Step Command Remarks
trusted port. untrusted ports.

7. Configure the port to use the

original VLAN tags of the By default, the port does not
many-to-one mapping to replace the VLAN tags of the
replace the VLAN tags of the vlan mapping nni
packets destined for the user
packets destined for the user network.
network.

Configuring many-to-one VLAN mapping in a network with

static IP address assignment
In a network that uses static IP addresses, configure many-to-one VLAN mapping with ARP
snooping.
The switch replaces the SVLAN tag of the downlink traffic with the associated CVLAN tag based on
the ARP snooping entry lookup.
Configuration restrictions and guidelines
When you configure many-to-one VLAN mapping in a network that uses static address assignment,
follow these restrictions and guidelines:
• Before you configure many-to-one VLAN mapping, create the original VLANs and the
translated VLANs.
• Make sure two hosts in different CVLANs do not use the same IP address.
• When an IP address is no longer associated with the MAC address in a VLAN as in the ARP
snooping table, perform one of the following operations:
{ Use the reset arp snooping ip ip-address command to clear this ARP snooping entry.
{ Wait for this ARP snooping entry to be aged out.
• Customer-side many-to-one VLAN mapping is not supported on Layer 2 aggregate interfaces.
• Before you modify many-to-one VLAN mapping, use the reset arp snooping vlan vlan-id
command to clear the ARP snooping entries in each CVLAN.
• To ensure correct traffic forwarding from the service provider network to the customer network,
do not configure many-to-one VLAN mapping together with uRPF. For more information about
uRPF, see Security Configuration Guide.
Configuration task list

Tasks at a glance
(Required.) Enabling ARP snooping
(Required.) Configuring the customer-side port
(Required.) Configuring the network-side port

Enabling ARP snooping

Enable ARP snooping for the original VLANs and the translated VLANs.
To enable ARP snooping:

Step Command Remarks

1. Enter system view. system-view N/A

232
 Step Command Remarks
2. Enter VLAN view. vlan vlan-id N/A
By default, ARP snooping is disabled.
3. Enable ARP snooping. arp snooping enable For more information about ARP
snooping commands, see Layer 3—IP
Services Command Reference.

Configuring the customer-side port

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
• Set the port link type to trunk:
port link-type trunk
Set the link type of the port. By default, the link type of a port is
3. • Set the port link type to
access.
hybrid:
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the original vlan-id-list
VLANs and the translated N/A
VLANs. • For the hybrid port:
port hybrid vlan vlan-id-list
tagged
vlan mapping uni { range
5. Configure a many-to-one vlan-range-list | single By default, no VLAN mapping is
VLAN mapping. vlan-id-list } translated-vlan configured on an interface.
vlan-id

Configuring the network-side port

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet
interface view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 • Enter Layer 2 aggregate N/A
aggregate interface view. interface view:
interface
bridge-aggregation
interface-number
• Set the port link type to trunk:
port link-type trunk
Set the link type of the port. By default, the link type of a port is
3. • Set the port link type to
access.
hybrid:
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the vlan-id-list
translated VLANs. N/A
• For the hybrid port:
port hybrid vlan vlan-id-list
tagged

233
 Step Command Remarks
5. Configure the port to use the
original VLAN tags of the By default, the port does not
many-to-one mapping to replace the VLAN tags of the
replace the VLAN tags of the vlan mapping nni
packets destined for the user
packets destined for the user network.
network.

Configuring one-to-two VLAN mapping

Configure one-to-two VLAN mapping on customer-side ports of the edge devices from which
customer traffic enters SP networks, for example, on PE 1 and PE 4 in Figure 63. One-to-two VLAN
mapping enables the edge devices to add an SVLAN tag to each incoming packet.
Before you configure one-to-two VLAN mapping, create the CVLAN and the SVLAN.
The MTU of an interface is 1500 bytes by default. After a VLAN tag is added to a packet, the packet
length is added by 4 bytes. As a best practice, set the MTU to a minimum of 1504 bytes for ports on
the forwarding path of the packet in the service provider network.
To configure one-to-two VLAN mapping:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 N/A
aggregate interface view. • Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
3. Configure the link type of the By default, the link type of a
port as hybrid. port link-type hybrid
port is access.
By default, a hybrid port is an
Assign the port to the untagged member of the
4. port hybrid vlan vlan-id-list { tagged
CVLANs. VLAN to which the port
| untagged }
belongs when its link type is
access.
By default, a hybrid port is an
5. Assign the port to the untagged member of the
SVLANs as an untagged port hybrid vlan vlan-id-list
VLAN to which the port
member. untagged
belongs when its link type is
access.

Configure a one-to-two VLAN vlan mapping nest { range

6. By default, no VLAN mapping
mapping. vlan-range-list | single vlan-id-list }
is configured on an interface.
nested-vlan vlan-id

Configuring two-to-two VLAN mapping

Configure two-to-two VLAN mapping on the customer-side port of an edge device that connects two
SP networks, for example, on PE 3 in Figure 63. Two-to-two VLAN mapping enables two sites in
different VLANs to communicate at Layer 2 across two service provider networks that use different
VLAN assignment schemes.

234
 Before you configure two-to-two VLAN mapping, create the original VLANs and the translated
VLANs.
To configure two-to-two VLAN mapping:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 N/A
aggregate interface view. • Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
• Set the port link type to trunk:
port link-type trunk By default, the link type of a
3. Set the link type of the port.
• Set the port link type to hybrid: port is access.
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the original vlan-id-list
VLANs and the translated N/A
VLANs. • For the hybrid port:
port hybrid vlan vlan-id-list
tagged

Configure a two-to-two VLAN vlan mapping tunnel outer-vlan-id

5. By default, no VLAN mapping
mapping. inner-vlan-id translated-vlan
is configured on an interface.
outer-vlan-id inner-vlan-id

Displaying and maintaining VLAN mapping

Execute display commands in any view.

Task Command
Display VLAN mapping
display vlan mapping [ interface interface-type interface-number ]
information.

VLAN mapping configuration examples

One-to-one and many-to-one VLAN mapping configuration
example
Network requirements
As shown in Figure 69:
• Each household subscribes to PC, VoD, and VoIP services, and obtains the IP address through
DHCP.
• On the home gateways, VLANs 1, 2, and 3 are assigned to PC, VoD, and VoIP traffic,
respectively.

235
To isolate traffic of the same service type from different households, configure one-to-one VLAN
mapping on the wiring-closet switches. This feature assigns one VLAN to each type of traffic from
each household.
To save VLAN resources, configure many-to-one VLAN mapping on the campus switch (Switch C).
This feature transmits the same type of traffic from different households in one VLAN. Use VLANs
501, 502, and 503 for PC, VoD, and VoIP traffic, respectively.
Table 17 VLAN mapping for each service

VLANs on home VLANs on wiring-closet switches VLANs on campus

Service
gateways (Switch A and Switch B) switch (Switch C)
PC VLAN 1 VLANs 101, 102, 103, 104 VLAN 501
VoD VLAN 2 VLANs 201, 202, 203, 204 VLAN 502
VoIP VLAN 3 VLANs 301, 302, 303, 304 VLAN 503

Figure 69 Network diagram

DHCP client

VLAN 1
PC

Home gateway
VLAN 2
VoD

VLAN 1 -> VLAN 101

VLAN 3 VLAN 2 -> VLAN 201
VoIP XGE1/0/1 VLAN 3 -> VLAN 301

Wiring-closet XGE1/0/3
Switch A
VLAN 1 XGE1/0/2
PC VLAN 1 -> VLAN 102 DHCP server
VLAN 2 -> VLAN 202
VLAN 3 -> VLAN 302

VLAN 2
VoD
Home gateway VLANs 101–102 -> VLAN 501
VLAN 3 VLANs 201–202 -> VLAN 502
VoIP XGE1/0/1 VLANs 301–302 -> VLAN 503
Campus switch XGE1/0/3 XGE1/0/1
Switch D
Switch C
VLAN 1 XGE1/0/2 VLANs 103–104 -> VLAN 501
PC
VLANs 203–204 -> VLAN 502
Home gateway VLANs 303–304 -> VLAN 503
VLAN 2
VoD
Distribution
VLAN 1 -> VLAN 103 network
VLAN 3 VLAN 2 -> VLAN 203
VoIP XGE1/0/1 VLAN 3 -> VLAN 303

Wiring-closet XGE1/0/3
Switch B
VLAN 1 XGE1/0/2
PC VLAN 1 -> VLAN 104
VLAN 2 -> VLAN 204
VLAN 3 -> VLAN 304

VLAN 2
VoD
Home gateway
VLAN 3
VoIP

236
Configuration procedure
1. Configure Switch A:
# Create the original VLANs.
<SwitchA> system-view
[SwitchA] vlan 2 to 3
# Create the translated VLANs.
[SwitchA] vlan 101 to 102
[SwitchA] vlan 201 to 202
[SwitchA] vlan 301 to 302
# Configure the customer-side port Ten-GigabitEthernet 1/0/1 as a trunk port, and assign the
port to all original VLANs and translated VLANs.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-Ten-GigabitEthernet1/0/1] port trunk permit vlan 1 2 3 101 201 301
# Configure one-to-one VLAN mappings on Ten-GigabitEthernet 1/0/1 to map VLANs 1, 2, and
3 to VLANs 101, 201, and 301, respectively.
[SwitchA-Ten-GigabitEthernet1/0/1] vlan mapping 1 translated-vlan 101
[SwitchA-Ten-GigabitEthernet1/0/1] vlan mapping 2 translated-vlan 201
[SwitchA-Ten-GigabitEthernet1/0/1] vlan mapping 3 translated-vlan 301
[SwitchA-Ten-GigabitEthernet1/0/1] quit
# Configure the customer-side port Ten-GigabitEthernet 1/0/2 as a trunk port, and assign the
port to all original VLANs and translated VLANs.
[SwitchA] interface ten-gigabitethernet 1/0/2
[SwitchA-Ten-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-Ten-GigabitEthernet1/0/2] port trunk permit vlan 1 2 3 102 202 302
# Configure one-to-one VLAN mappings on Ten-GigabitEthernet 1/0/2 to map VLANs 1, 2, and
3 to VLANs 102, 202, and 302, respectively.
[SwitchA-Ten-GigabitEthernet1/0/2] vlan mapping 1 translated-vlan 102
[SwitchA-Ten-GigabitEthernet1/0/2] vlan mapping 2 translated-vlan 202
[SwitchA-Ten-GigabitEthernet1/0/2] vlan mapping 3 translated-vlan 302
[SwitchA-Ten-GigabitEthernet1/0/2] quit
# Configure the network-side port Ten-GigabitEthernet 1/0/3 as a trunk port, and assign the port
to the translated VLANs.
[SwitchA] interface ten-gigabitethernet 1/0/3
[SwitchA-Ten-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-Ten-GigabitEthernet1/0/3] port trunk permit vlan 101 201 301 102 202 302
[SwitchA-Ten-GigabitEthernet1/0/3] quit
2. Configure Switch B in the same way Switch A is configured. (Details not shown.)
3. Configure Switch C:
# Enable DHCP snooping.
<SwitchC> system-view
[SwitchC] dhcp snooping enable
# Create the original VLANs and translated VLANs, and enable ARP detection for these
VLANs.
[SwitchC] vlan 101
[SwitchC-vlan101] arp detection enable
[SwitchC-vlan101] vlan 201
[SwitchC-vlan201] arp detection enable

237
[SwitchC-vlan201] vlan 301
[SwitchC-vlan301] arp detection enable
[SwitchC-vlan301] vlan 102
[SwitchC-vlan102] arp detection enable
[SwitchC-vlan102] vlan 202
[SwitchC-vlan202] arp detection enable
[SwitchC-vlan202] vlan 302
[SwitchC-vlan302] arp detection enable
[SwitchC-vlan302] vlan 103
[SwitchC-vlan103] arp detection enable
[SwitchC-vlan103] vlan 203
[SwitchC-vlan203] arp detection enable
[SwitchC-vlan203] vlan 303
[SwitchC-vlan303] arp detection enable
[SwitchC-vlan303] vlan 104
[SwitchC-vlan104] arp detection enable
[SwitchC-vlan104] vlan 204
[SwitchC-vlan204] arp detection enable
[SwitchC-vlan204] vlan 304
[SwitchC-vlan304] arp detection enable
[SwitchC-vlan304] vlan 501
[SwitchC-vlan501] arp detection enable
[SwitchC-vlan501] vlan 502
[SwitchC-vlan502] arp detection enable
[SwitchC-vlan502] vlan 503
[SwitchC-vlan503] arp detection enable
[SwitchC-vlan503] quit
# Configure the customer-side port Ten-GigabitEthernet 1/0/1 as a trunk port, and assign the
port to original VLANs and translated VLANs.
[SwitchC] interface ten-gigabitethernet 1/0/1
[SwitchC-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-Ten-GigabitEthernet1/0/1] port trunk permit vlan 101 102 201 202 301 302 501
to 503
# Configure many-to-one VLAN mappings on the customer-side port Ten-GigabitEthernet 1/0/1
to map VLANs for PC, VoD, and VoIP traffic to VLANs 501, 502, and 503, respectively.
[SwitchC-Ten-GigabitEthernet1/0/1] vlan mapping uni range 101 to 102 translated-vlan
501
[SwitchC-Ten-GigabitEthernet1/0/1] vlan mapping uni range 201 to 202 translated-vlan
502
[SwitchC-Ten-GigabitEthernet1/0/1] vlan mapping uni range 301 to 302 translated-vlan
503
# Enable DHCP snooping entry recording on Ten-GigabitEthernet 1/0/1.
[SwitchC-Ten-GigabitEthernet1/0/1] dhcp snooping binding record
[SwitchC-Ten-GigabitEthernet1/0/1] quit
# Configure the customer-side port Ten-GigabitEthernet 1/0/2 as a trunk port, and assign the
port to original VLANs and translated VLANs.
[SwitchC] interface ten-gigabitethernet 1/0/2
[SwitchC-Ten-GigabitEthernet1/0/2] port link-type trunk

238
 [SwitchC-Ten-GigabitEthernet1/0/2] port trunk permit vlan 103 104 203 204 303 304 501
to 503
# Configure many-to-one VLAN mappings on the customer-side port Ten-GigabitEthernet 1/0/2
to map VLANs for PC, VoD, and VoIP traffic to VLANs 501, 502, and 503, respectively.
[SwitchC-Ten-GigabitEthernet1/0/2] vlan mapping uni range 103 to 104 translated-vlan
501
[SwitchC-Ten-GigabitEthernet1/0/2] vlan mapping uni range 203 to 204 translated-vlan
502
[SwitchC-Ten-GigabitEthernet1/0/2] vlan mapping uni range 303 to 304 translated-vlan
503
# Enable DHCP snooping entry recording on Ten-GigabitEthernet 1/0/2.
[SwitchC-Ten-GigabitEthernet1/0/2] dhcp snooping binding record
[SwitchC-Ten-GigabitEthernet1/0/2] quit
# Configure the network-side port Ten-GigabitEthernet 1/0/3 to use the original VLAN tags of
the many-to-one mappings to replace the VLAN tags of the packets destined for the user
network.
[SwitchC] interface ten-gigabitethernet 1/0/3
[SwitchC-Ten-GigabitEthernet1/0/3] vlan mapping nni
# Configure Ten-GigabitEthernet 1/0/3 as a trunk port, and assign the port to the translated
VLANs.
[SwitchC-Ten-GigabitEthernet1/0/3] port link-type trunk
[SwitchC-Ten-GigabitEthernet1/0/3] port trunk permit vlan 501 to 503
# Configure Ten-GigabitEthernet 1/0/3 as a DHCP snooping trusted and ARP trusted port.
[SwitchC-Ten-GigabitEthernet1/0/3] dhcp snooping trust
[SwitchC-Ten-GigabitEthernet1/0/3] arp detection trust
[SwitchC-Ten-GigabitEthernet1/0/3] quit
4. Configure Switch D:
# Create the translated VLANs.
<SwitchD> system-view
[SwitchD] vlan 501 to 503
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and assign the port to the translated
VLANs 501 through 503.
[SwitchD] interface ten-gigabitethernet 1/0/1
[SwitchD-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchD-Ten-GigabitEthernet1/0/1] port trunk permit vlan 501 to 503
[SwitchD-Ten-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify VLAN mapping information on the wiring-closet switches, for example, Switch A.
[SwitchA] display vlan mapping
Interface Ten-GigabitEthernet1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
1 N/A 101 N/A
2 N/A 201 N/A
3 N/A 301 N/A
Interface Ten-GigabitEthernet1/0/2:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
1 N/A 102 N/A
2 N/A 202 N/A

239
 3 N/A 302 N/A

# Verify VLAN mapping information on Switch C.

[SwitchC] display vlan mapping
Interface Ten-GigabitEthernet1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
101-102 N/A 501 N/A
201-202 N/A 502 N/A
301-302 N/A 503 N/A
Interface Ten-GigabitEthernet1/0/2:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
103-104 N/A 501 N/A
203-204 N/A 502 N/A
303-304 N/A 503 N/A

One-to-two and two-to-two VLAN mapping configuration

example
Network requirements
As shown in Figure 70:
• Two VPN A branches, Site 1 and Site 2, are in VLAN 5 and VLAN 6, respectively.
• The two sites use different VPN access services from different service providers, SP 1 and SP
2.
• SP 1 assigns VLAN 100 to Site 1 and Site 2. SP 2 assigns VLAN 200 to Site 1 and Site 2.
Configure one-to-two VLAN mapping and two-to-two VLAN mapping to enable the two branches to
communicate across networks SP 1 and SP 2.
Figure 70 Network diagram

SP 1 SP 2
PE 1 PE 2 PE 3 PE 4
XGE1/0/2 XGE1/0/1 XGE1/0/2 XGE1/0/1 XGE1/0/2 XGE1/0/1

XGE1/0/1 XGE1/0/2
VLAN 100 VLAN 5 Data VLAN 200 VLAN 6 Data

VLAN 5 Data VLAN 6 Data

VPN A VPN A CE 2
CE 1
Site 1 Site 2

Configuration procedure
1. Configure PE 1:
# Configure a one-to-two VLAN mapping on the customer-side port Ten-GigabitEthernet 1/0/1
to add SVLAN tag 100 to traffic from VLAN 5.
<PE1> system-view
[PE1] interface ten-gigabitethernet 1/0/1

240
 [PE1-Ten-GigabitEthernet1/0/1] vlan mapping nest single 5 nested-vlan 100
# Configure Ten-GigabitEthernet 1/0/1 as a hybrid port. Assign the port to VLAN 5 and VLAN
100 as a tagged member and an untagged member, respectively.
[PE1-Ten-GigabitEthernet1/0/1] port link-type hybrid
[PE1-Ten-GigabitEthernet1/0/1] port hybrid vlan 5 tagged
[PE1-Ten-GigabitEthernet1/0/1] port hybrid vlan 100 untagged
[PE1-Ten-GigabitEthernet1/0/1] quit
# Configure the network-side port Ten-GigabitEthernet 1/0/2 as a trunk port, and assign the port
to VLAN 100.
[PE1] interface ten-gigabitethernet 1/0/2
[PE1-Ten-GigabitEthernet1/0/2] port link-type trunk
[PE1-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100
[PE1-Ten-GigabitEthernet1/0/2] quit
2. Configure PE 2:
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLAN 100.
<PE2> system-view
[PE2] interface ten-gigabitethernet 1/0/1
[PE2-Ten-GigabitEthernet1/0/1] port link-type trunk
[PE2-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100
[PE2-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 100.
[PE2] interface ten-gigabitethernet 1/0/2
[PE2-Ten-GigabitEthernet1/0/2] port link-type trunk
[PE2-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100
[PE2-Ten-GigabitEthernet1/0/2] quit
3. Configure PE 3:
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLANs 100 and
200.
<PE3> system-view
[PE3] interface ten-gigabitethernet 1/0/1
[PE3-Ten-GigabitEthernet1/0/1] port link-type trunk
[PE3-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100 200
# Configure a two-to-two VLAN mapping on Ten-GigabitEthernet 1/0/1 to map SVLAN 100 and
CVLAN 5 to SVLAN 200 and CVLAN 6.
[PE3-Ten-GigabitEthernet1/0/1] vlan mapping tunnel 100 5 translated-vlan 200 6
[PE3-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 200.
[PE3] interface ten-gigabitethernet 1/0/2
[PE3-Ten-GigabitEthernet1/0/2] port link-type trunk
[PE3-Ten-GigabitEthernet1/0/2] port trunk permit vlan 200
[PE3-Ten-GigabitEthernet1/0/2] quit
4. Configure PE 4:
# Configure the network-side port Ten-GigabitEthernet 1/0/1 as a trunk port, and assign the port
to VLAN 200.
<PE4> system-view
[PE4] interface ten-gigabitethernet 1/0/1
[PE4-Ten-GigabitEthernet1/0/1] port link-type trunk
[PE4-Ten-GigabitEthernet1/0/1] port trunk permit vlan 200

241
 [PE4-Ten-GigabitEthernet1/0/1] quit
# Configure the customer-side port Ten-GigabitEthernet 1/0/2 as a hybrid port. Assign the port
to VLAN 6 and VLAN 200 as a tagged member and an untagged member, respectively.
[PE4] interface ten-gigabitethernet 1/0/2
[PE4-Ten-GigabitEthernet1/0/2] port link-type hybrid
[PE4-Ten-GigabitEthernet1/0/2] port hybrid vlan 6 tagged
[PE4-Ten-GigabitEthernet1/0/2] port hybrid vlan 200 untagged
# Configure a one-to-two VLAN mapping on the customer-side port Ten-GigabitEthernet 1/0/2
to add SVLAN tag 200 to traffic from VLAN 6.
[PE4-Ten-GigabitEthernet1/0/2] vlan mapping nest single 6 nested-vlan 200
[PE4-Ten-GigabitEthernet1/0/2] quit

Verifying the configuration

# Verify VLAN mapping information on PE 1.
[PE1] display vlan mapping
Interface Ten-GigabitEthernet1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
5 N/A 100 5

# Verify VLAN mapping information on PE 3.

[PE3] display vlan mapping
Interface Ten-GigabitEthernet1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
100 5 200 6

# Verify VLAN mapping information on PE 4.

[PE4] display vlan mapping
Interface Ten-GigabitEthernet1/0/2:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
6 N/A 200 6

242
Configuring PBB
Overview
IEEE 802.1ah Provider Backbone Bridge (PBB) is a MAC-in-MAC Layer 2 VPN technology. It
interconnects multiple provider bridged networks to build a large-scale end-to-end Layer 2 provider
bridged network.
PBB has the following advantages over QinQ:
• Reduces the MAC address table size. In a PBB-enabled service provider network, only the
edge devices maintain entries for customer MAC addresses. In a QinQ-enabled service
provider network, all devices must maintain entries for customer MAC addresses.
• Supports more than 16 million service instances. QinQ supports only a maximum of 4094 outer
VLANs (service instances).
For more information about QinQ, see "Configuring QinQ."

PBB network model

As shown in Figure 71, the PBB network includes backbone edge bridges and backbone core
bridges.
Backbone edge bridges connect customer sites or provider bridge networks to the PBB network.
They encapsulate the customer MAC in the service provider MAC. Backbone core bridges forward
traffic based on the service provider MAC.
Figure 71 Typical PBB network

243
Terminology
PBBN
A network using PBB is a provider backbone bridge network (PBBN). A PBBN is a Layer 2 switching
network where Layer 2 connections are established between different nodes.
PBN
A provider bridge network (PBN) connects a PBBN to a customer network. A customer network can
connect to a PBBN directly or through a PBN.
BEB
A backbone edge bridge (BEB) is an edge device in a PBBN. A BEB encapsulates frames from a
customer network by using PBB. It decapsulates PBB frames from a PBBN and forwards them to a
customer network. The BEB learns customer MAC addresses.
BCB
A backbone core bridge (BCB) is a core device in a PBBN. It forwards a PBB frame according to its
B-MAC and B-VLAN. A BCB only forwards frames and learns MAC addresses within the PBBN. It
does not learn a large number of customer MAC addresses. This reduces network deployment costs,
and the PBBN is more expandable.
B-MAC and B-VLAN
A backbone MAC address (B-MAC) is a bridge MAC address associated with a PBB bridge. A
backbone VLAN (B-VLAN) is a VLAN assigned by the service provider for transmitting customer
traffic on the PBBN.
For customer frames to be transmitted across a PBBN, the ingress BEB encapsulates them in
MAC-in-MAC format. In the outer frame header, the source MAC address is a B-MAC of the ingress
BEB, and the destination MAC is a B-MAC of the egress BEB. All devices in the PBBN forward the
PBB frames based on the destination B-MAC and B-VLAN.
Uplink port and downlink port
A port that connects a BEB to a PBBN is an uplink port, and a port that connects a BEB to a customer
network is a downlink port. After frames from the customer network are encapsulated in PBB frames,
they are forwarded out of the corresponding uplink ports on the BEB. After PBB frames from the
PBBN are decapsulated, they are forwarded out of the corresponding downlink ports on the BEB
according to the customer MAC addresses.
PBB VSI and I-SID
In a PBBN, a PBB VSI is a virtual switch provided by the service provider, and it is uniquely identified
by a backbone service instance identifier (I-SID). A VSI acts as a virtual switch with all conventional
Ethernet switch functions, including source MAC address learning, MAC address aging, and
flooding.

PBB frame format

Figure 72 shows the format of a PBB frame.

244
Figure 72 PBB frame format

Table 18 describes key fields in the frame.

Table 18 PBB frame fields

Field Full name Description

Destination B-MAC, outer destination MAC address in a PBB
Backbone destination MAC frame. It is the MAC address of the BEB at the destination
B-DA
address end of the PBBN tunnel. The combination of B-DA and B-SA
is B-MAC.
Source B-MAC, outer source MAC address in a PBB frame.
B-SA Backbone source MAC address It is the MAC address of the BEB at the source end of the
PBBN tunnel. The combination of B-DA and B-SA is B-MAC.
B-VLAN tag, outer VLAN tag in a PBB frame. It indicates the
B-Tag Backbone VLAN tag VLAN information and priority information of the frame within
the PBBN. The TPID in a B-Tag is 0x8100.
Service identifier of a PBB frame. The I-Tag contains the
following fields:
• TPID—The TPID in an I-Tag is 0x88E7.
• I-PCP—Backbone service instance priority code point.
• I-DEI—Backbone service instance drop eligibility
I-Tag Backbone service instance tag
indicator.
• I-SID—Backbone service instance identifier.
• C-DA—Destination MAC address of the customer
frame.
• C-SA—Source MAC address of the customer frame.
Outer VLAN tag of the frame in the PBN, which indicates the
S-Tag Service provider VLAN tag
VLAN and priority information of the frame within the PBN.
Inner VLAN tag of the frame in the PBN, which indicates the
C-Tag Customer VLAN tag VLAN and priority information of the frame within the
customer network.

For more information about TPID, see "Configuring VLANs."

245
PBB frame forwarding
Figure 73 PBB frame forwarding

As shown in Figure 73, a PBB frame is forwarded in the PBBN as follows:

1. BEB 1 encapsulates a customer frame with the corresponding B-MAC, B-VLAN, and I-SID.
Then it forwards the frame to the BCB through its uplink port.
2. BCB forwards the PBB frame from BEB 1 to BEB 2 according to the frame's B-MAC and
B-VLAN.
3. BEB 2 removes the PBB encapsulation, and then forwards the Ethernet frame out of the
downlink port to the customer network.

Protocols and standards

IEEE 802.1ah, Virtual Bridged Local Area Networks Amendment 7: Provider Backbone Bridges

PBB configuration task list

You need to configure PBB only on BEBs.
To configure PBB, perform the following tasks:

Tasks at a glance
(Required.) Enabling L2VPN
(Required.) Creating a PBB VSI
(Required.) Configuring a B-VLAN for a PBB VSI
(Required.) Configuring an uplink port
(Required.) Configuring a downlink port
(Optional.) Configuring the data encapsulation type

246
Enabling L2VPN
Step Command Remarks
1. Enter system view. system-view N/A
2. Enable L2VPN. l2vpn enable By default, L2VPN is disabled.

Creating a PBB VSI

You must assign a unique I-SID to each PBB VSI for identification. The name of a PBB VSI can be
different on different PBB nodes, but its I-SID must be the same across the PBBN. For more
information about VSIs, see MPLS Configuration Guide.
You can configure one PBB I-SID and one SPB I-SID for a VSI, but the two I-SIDs cannot be the
same. For more information about SPB, see SPB Configuration Guide.
To create a PBB VSI:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a VSI and enter VSI
view. vsi vsi-name By default, no VSIs exist.

3. Configure the VSI as a PBB

VSI, specify a PBB I-SID for
the PBB VSI, and enter PBB pbb i-sid i-sid By default, no PBB VSI exists.
VSI view.

Configuring a B-VLAN for a PBB VSI

You can assign only one B-VLAN to a PBB VSI, but different PBB VSIs can use the same B-VLAN.
For a PBB VSI, you must specify the same I-SID and B-VLAN across all BEBs.
To configure a B-VLAN for a PBB VSI:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter VSI view. vsi vsi-name N/A
3. Configure the VSI as a PBB
VSI, specify a PBB I-SID for
the PBB VSI, and enter PBB pbb i-sid i-sid N/A
VSI view.
4. Specify a B-VLAN for the By default, no B-VLAN is specified
PBB VSI. bvlan vlan-id
for a PBB VSI.

Configuring an uplink port

On the BEB, you must specify uplink ports for a PBB VSI to forward frames from the customer
network to the service provider network.

247
 You can specify multiple uplink ports for one PBB VSI.
For the uplink port configuration to take effect, perform the following tasks before uplink port
assignment:
• Assign a B-VLAN to the PBB VSI.
• Make sure the port is in up state and is not a link aggregation group member.
• Assign the port to the B-VLAN.
To configure an uplink port:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Specify the port as the uplink

port for the specified or all pbb uplink { all | vsi By default, a port is not configured
PBB VSIs. vsi-name-list } as the uplink port of any PBB VSI.

Configuring a downlink port

On the BEB, frames from the customer network are mapped to a PBB VSI based on match criteria
configured on downlink ports. PBB frames from the PBBN are decapsulated in the corresponding
PBB VSI. They are forwarded out of the corresponding downlink ports based on their customer MAC
addresses.
You can specify one or multiple downlink ports for a PBB VSI.
To configure a downlink port:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
By default, no Ethernet service
instances exist on a port.
3. Create an Ethernet service
instance and enter Ethernet service-instance instance-id Do not execute this command on
service instance view. an EVB-enabled interface. For
information about EVB, see EVB
Configuration Guide.
• Match frames that do not
match any other service
instance on the interface:
encapsulation default
• Match any 802.1Q tagged or By default, no frame match
untagged frames: criterion is configured.
encapsulation { tagged |
4. Configure a frame match To match frames from a VLAN
untagged }
criterion. correctly, make sure you have
• Match frames tagged with
created the VLAN and assigned
the specified outer 802.1Q
the interface to the VLAN.
VLAN ID:
encapsulation s-vid vlan-id
[ only-tagged ]
• Match frames tagged with
the specified outer and inner

248
 Step Command Remarks
802.1Q VLAN IDs:
encapsulation s-vid vlan-id
c-vid vlan-id
5. Associate the Ethernet xconnect vsi vsi-name By default, an Ethernet service
service instance with the [ access-mode { ethernet | instance is not associated with
specified PBB VSI. vlan } ] any PBB VSI.

For more information about the service-instance, encapsulation, and xconnect vsi commands,
see MPLS Command Reference.

Configuring the data encapsulation type

A PBB VSI supports Ethernet and VLAN data encapsulation types.
Data encapsulation type decides how the BEB handles the P-tag on a PBB VSI, as shown in Table
19. P-tags are unique VLAN tags that the service provider assigns to users for differentiation.
Table 19 P-tag manipulation

Traffic
Ethernet encapsulation VLAN encapsulation
direction
The traffic must contain a P-tag.
• VLAN access mode—The BEB
The traffic must not contain a P-tag.
retains the P-tag or changes the
• VLAN access mode—The BEB P-tag to the value assigned by the
removes the P-tag before it peer BEB.
encapsulates the traffic in PBB.
CE to PBBN • Ethernet access mode—The BEB
• Ethernet access mode—The BEB adds the P-tag assigned by the peer
directly encapsulates the traffic in BEB. The original VLAN tag in the
PBB. The VLAN tag in the received received traffic is considered a U-tag.
traffic is considered a U-tag.
The P-tag assigned by the peer BEB
might be a null tag (tag 0).
• VLAN access mode—The BEB
adds a P-tag before it forwards the
traffic. • VLAN access mode—The BEB
forwards the traffic with the P-tag
• Ethernet access mode—The BEB
modified or intact.
PBBN to CE forwards the traffic without adding a
P-tag. • Ethernet access mode—The BEB
removes the P-tag before it forwards
The BEB cannot modify or remove any the traffic.
tags already in the traffic from PBBN to
CE.

NOTE:
To configure the access mode, use the xconnect vsi command (see MPLS Command Reference).

To configure the data encapsulation type for a PBB VSI:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter VSI view. vsi vsi-name N/A
3. Enter PBB VSI view. pbb i-sid i-sid N/A
4. Specify an encapsulation encapsulation { ethernet | By default, VLAN encapsulation

249
 Step Command Remarks
type for the PBB VSI. vlan } applies.

Displaying and maintaining PBB

Execute display commands in any view and execute the reset command in user view.

Task Command
Display the PBB VSI uplink connection information. display pbb connection
Display MAC-in-MAC connection information. display l2vpn minm connection [ vsi vsi-name ]
display l2vpn minm forwarding [ vsi vsi-name ]
Display MAC-in-MAC forwarding entries.
[ slot slot-number ]
Display VSI information. display l2vpn vsi [ name vsi-name ] [ verbose ]
reset pbb connection [ bvlan vlan-id | interface
Clear the PBB VSI uplink connection information.
interface-type interface-number ] *

PBB configuration example

Network requirements
As shown in Figure 74, customer networks A and B both have VLANs 100 through 120. Device A and
Device B send tagged frames to the BEBs.
Configure PBB on the BEBs to extend the VLANs across the two customer networks.
Figure 74 Network diagram

BEB 1 BEB 2
XGE1/0/1 Core XGE1/0/1
network

XGE1/0/2 XGE1/0/2

PBBN

Device A Device B

Customer Customer
network A network B

Configuration procedures
1. Configure BEB 1:
# Create VLAN 20.
<BEB1> system-view
[BEB1] vlan 20
[BEB1-vlan20] quit

250
 # Enable L2VPN.
[BEB1] l2vpn enable
# Create a VSI of the PBB type named aaa.
[BEB1] vsi aaa
# Specify the I-SID as 1.
[BEB1-vsi-aaa] pbb i-sid 1
# Specify B-VLAN 20 for PBB VSI aaa.
[BEB1-vsi-aaa-1] bvlan 20
[BEB1-vsi-aaa-1] quit
[BEB1-vsi-aaa] quit
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, assign it to VLAN 20, and configure it as
an uplink port of PBB VSI aaa.
[BEB1] interface ten-gigabitethernet 1/0/1
[BEB1-Ten-GigabitEthernet1/0/1] port link-type trunk
[BEB1-Ten-GigabitEthernet1/0/1] port trunk permit vlan 20
[BEB1-Ten-GigabitEthernet1/0/1] pbb uplink vsi aaa
[BEB1-Ten-GigabitEthernet1/0/1] quit
# Create VLANs 100 through 120.
[BEB1] vlan 100 to 120
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and assign it to all VLANs.
[BEB1] interface ten-gigabitethernet 1/0/2
[BEB1-Ten-GigabitEthernet1/0/2] port link-type trunk
[BEB1-Ten-GigabitEthernet1/0/2] port trunk permit vlan all
# Create Ethernet service instance 1 on Ten-GigabitEthernet 1/0/2.
[BEB1-Ten-GigabitEthernet1/0/2] service-instance 1
# Configure the Ethernet service instance to match all 802.1q tagged frames. Associate the
Ethernet service instance with PBB VSI aaa, and set the access mode to Ethernet.
[BEB1-Ten-GigabitEthernet1/0/2-srv1] encapsulation tagged
[BEB1-Ten-GigabitEthernet1/0/2-srv1] xconnect vsi aaa access-mode ethernet
[BEB1-Ten-GigabitEthernet1/0/2-srv1] quit
[BEB1-Ten-GigabitEthernet1/0/2] quit
# Configure Ethernet encapsulation for the PBB VSI.
[BEB1] vsi aaa
[BEB1-vsi-aaa] pbb i-sid 1
[BEB1-vsi-aaa-1] encapsulation ethernet
[BEB1-vsi-aaa-1] quit
2. Configure BEB 2 in the same way BEB 1 is configured. (Details not shown.)

Verifying the configuration

# Display PBB VSI uplink connection information on BEB 1.
[BEB1] display pbb connection
BMAC BVLAN Port Type Aging
011e-8300-0001 20 XGE1/0/1 MC N
000f-e200-0001 20 XGE1/0/1 UC Y

# Verify that Device A and Device B can ping each other. (Details not shown.)

251
Troubleshooting
Symptom
Customer frames cannot be transmitted to the peer network by using PBB.

Analysis
• No PBB VSI is configured on the BEB, or the configured VSI is down.
• PBB configurations on the BEBs are inconsistent.
• The B-VLAN in the BEB is not created on the BCB, or ports connecting the BEB and BCB are
not both assigned to the B-VLAN.

Solution
To resolve the problem:
1. Use the display l2vpn vsi verbose command to display the PBB configuration of the VSI.
{ If the VSI is not configured as a PBB VSI, configure the VSI as a PBB VSI.
{ If the VSI is down, use the undo shutdown command to bring the VSI up.
For more information about the display l2vpn vsi verbose command, see MPLS Command
Reference.
2. Use the display l2vpn vsi verbose command to verify that the VSI's PBB settings are
consistent across BEBs, especially the I-SID and B-VLAN settings.
3. Use the display vlan all command to verify that the following settings are configured on all
BCBs:
{ The B-VLAN is created on each BCB.
{ All ports on the path between the BEBs are assigned to the B-VLAN.
4. If the problem persists, contact H3C Support.

252
Configuring LLDP
You can set an Ethernet interface to work in Layer 3 mode by using the port link-mode route
command (see "Configuring Ethernet interfaces").

Overview
In a heterogeneous network, a standard configuration exchange platform makes sure different types
of network devices from different vendors can discover one another and exchange configuration.
The Link Layer Discovery Protocol (LLDP) is specified in IEEE 802.1AB. The protocol operates on
the data link layer to exchange device information between directly connected devices. With LLDP, a
device sends local device information as TLV (type, length, and value) triplets in LLDP Data Units
(LLDPDUs) to the directly connected devices. Local device information includes its system
capabilities, management IP address, device ID, and port ID. The device stores the device
information in LLDPDUs from the LLDP neighbors in a standard MIB. For more information about
MIBs, see Network Management and Monitoring Configuration Guide. LLDP enables a network
management system to quickly detect and identify Layer 2 network topology changes.

Basic concepts
LLDP agent
An LLDP agent is a mapping of an entity where LLDP runs. Multiple LLDP agents can run on the
same interface.
LLDP agents are divided into the following types:
• Nearest bridge agent.
• Nearest customer bridge agent.
• Nearest non-TPMR bridge agent.
A Two-port MAC Relay (TPMR) is a type of bridge that has only two externally-accessible bridge
ports, and supports a subset of the functions of a MAC bridge. A TPMR is transparent to all
frame-based media-independent protocols except for the following:
• Protocols destined to it.
• Protocols destined to reserved MAC addresses that the relay function of the TPMR is
configured not to forward.
LLDP exchanges packets between neighbor agents and creates and maintains neighbor information
for them. Figure 75 shows the neighbor relationships for these LLDP agents. LLDP has two bridge
modes: customer bridge (CB) and service bridge (SB).
Figure 75 LLDP neighbor relationships
Nearest Nearest
customer customer
bridge bridge
Nearest non- Nearest non- Nearest non- Nearest non-
TPMR bridge TPMR bridge TPMR bridge TPMR bridge
Nearest bridge Nearest bridge Nearest bridge Nearest bridge

XGE1/0/1 XGE1/0/2 XGE1/0/3 XGE1/0/4

CB 1 SB 1 CB 2

253
LLDP frame formats
LLDP sends device information in LLDP frames. LLDP frames are encapsulated in Ethernet II or
SNAP frames.
• LLDP frame encapsulated in Ethernet II
Figure 76 Ethernet II-encapsulated LLDP frame

Table 20 Fields in an Ethernet II-encapsulated LLDP frame

Field Description
MAC address to which the LLDP frame is advertised. LLDP specifies
different multicast MAC addresses as destination MAC addresses for LLDP
frames destined for agents of different types. This helps distinguish between
LLDP frames sent and received by different agent types on the same
interface. The destination MAC address is fixed to one of the following
multicast MAC addresses:
Destination MAC address • 0x0180-C200-000E for LLDP frames destined for nearest bridge
agents.
• 0x0180-C200-0000 for LLDP frames destined for nearest customer
bridge agents.
• 0x0180-C200-0003 for LLDP frames destined for nearest non-TPMR
bridge agents.

Source MAC address MAC address of the sending port.

Type Ethernet type for the upper-layer protocol. It is 0x88CC for LLDP.
Data LLDPDU. An LLDP frame contains only one LLDPDU.
Frame check sequence, a 32-bit CRC value used to determine the validity of
FCS
the received Ethernet frame.

• LLDP frame encapsulated in SNAP

254
 Figure 77 SNAP-encapsulated LLDP frame

Table 21 Fields in a SNAP-encapsulated LLDP frame

Field Description
MAC address to which the LLDP frame is advertised. It is the same as that
Destination MAC address
for Ethernet II-encapsulated LLDP frames.

Source MAC address MAC address of the sending port.

SNAP type for the upper-layer protocol. It is 0xAAAA-0300-0000-88CC for

Type
LLDP.
Data LLDPDU. An LLDP frame contains only one LLDPDU.
Frame check sequence, a 32-bit CRC value used to determine the validity of
FCS
the received Ethernet frame.

LLDPDUs
LLDP uses LLDPDUs to exchange information. An LLDPDU comprises multiple TLVs. Each TLV
carries a type of device information, as shown in Figure 78.
Figure 78 LLDPDU encapsulation format

An LLDPDU can carry up to 32 types of TLVs. Mandatory TLVs include Chassis ID TLV, Port ID TLV,
Time to Live TLV, and End of LLDPDU TLV. Other TLVs are optional.
TLVs
A TLV is an information element that contains the type, length, and value fields.
LLDPDU TLVs include the following categories:
• Basic management TLVs
• Organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs
• LLDP-MED (media endpoint discovery) TLVs
Basic management TLVs are essential to device management.
Organizationally specific TLVs and LLDP-MED TLVs are used for enhanced device management.
They are defined by standardization or other organizations and are optional for LLDPDUs.
• Basic management TLVs
Table 22 lists the basic management TLV types. Some of them are mandatory for LLDPDUs.

255
 Table 22 Basic management TLVs

Type Description Remarks

Chassis ID Specifies the bridge MAC address of the sending device.

Specifies the ID of the sending port:

• If the LLDPDU carries LLDP-MED TLVs, the port ID TLV
Port ID
carries the MAC address of the sending port.
Mandatory.
• Otherwise, the port ID TLV carries the port name.
Specifies the life of the transmitted information on the receiving
Time to Live
device.
End of LLDPDU Marks the end of the TLV sequence in the LLDPDU.
Port Description Specifies the description for the sending port.
System Name Specifies the assigned name of the sending device.
System Description Specifies the description for the sending device.
Identifies the primary functions of the sending device and the
System Capabilities Optional.
enabled primary functions.
Specifies the following elements:
• The management address of the local device.
Management Address
• The interface number and object identifier (OID)
associated with the address.

• IEEE 802.1 organizationally specific TLVs

Table 23 IEEE 802.1 organizationally specific TLVs

Type Description
Port VLAN ID Specifies the port VLAN identifier (PVID).
Indicates whether the device supports protocol VLANs and, if so, what
Port And Protocol VLAN ID
VLAN IDs these protocols will be associated with.
VLAN Name Specifies the textual name of any VLAN to which the port belongs.
Protocol Identity Indicates protocols supported on the port.
DCBX Data center bridging exchange protocol.
Edge Virtual Bridging module, including EVB TLV and CDCP TLV. For more
EVB module
information, see EVB Configuration Guide.
Indicates whether the port supports link aggregation, and if yes, whether link
Link Aggregation
aggregation is enabled.
Management VID Management VLAN ID.
VID Usage Digest VLAN ID usage digest.
ETS Configuration Enhanced Transmission Selection configuration.
ETS Recommendation ETS recommendation.
PFC Priority-based Flow Control.
APP Application protocol.
QCN Quantized Congestion Notification.

256
NOTE:
• H3C devices support only receiving protocol identity TLVs and VID usage digest TLVs.
• Layer 3 Ethernet ports support only link aggregation TLVs.

• IEEE 802.3 organizationally specific TLVs

Table 24 IEEE 802.3 organizationally specific TLVs

Type Description
Contains the bit-rate and duplex capabilities of the sending port,
MAC/PHY Configuration/Status support for autonegotiation, enabling status of autonegotiation, and
the current rate and duplex mode.
Contains the power supply capabilities of the port:
• Port class (PSE or PD).
• Power supply mode.
Power Via MDI
• Whether PSE power supply is supported.
• Whether PSE power supply is enabled.
• Whether pair selection can be controlled.
Indicates the supported maximum frame size. It is now the MTU of
Maximum Frame Size
the port.
Indicates the power state control configured on the sending port,
including the following:
Power Stateful Control • Power supply mode of the PSE/PD.
• PSE/PD priority.
• PSE/PD power.

NOTE:
The Power Stateful Control TLV is defined in IEEE P802.3at D1.0 and is not supported in later
versions. H3C devices send this type of TLVs only after receiving them.

• LLDP-MED TLVs
LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as
basic configuration, network policy configuration, and address and directory management.
LLDP-MED TLVs provide a cost-effective and easy-to-use solution for deploying voice devices
in Ethernet. LLDP-MED TLVs are shown in Table 25.
Table 25 LLDP-MED TLVs

Type Description
Allows a network device to advertise the LLDP-MED TLVs that it
LLDP-MED Capabilities
supports.
Allows a network device or terminal device to advertise the VLAN ID
Network Policy of a port, the VLAN type, and the Layer 2 and Layer 3 priorities for
specific applications.
Allows a network device or terminal device to advertise power
Extended Power-via-MDI supply capability. This TLV is an extension of the Power Via MDI
TLV.
Hardware Revision Allows a terminal device to advertise its hardware version.
Firmware Revision Allows a terminal device to advertise its firmware version.
Software Revision Allows a terminal device to advertise its software version.
Serial Number Allows a terminal device to advertise its serial number.

257
 Type Description
Manufacturer Name Allows a terminal device to advertise its vendor name.
Model Name Allows a terminal device to advertise its model name.
Allows a terminal device to advertise its asset ID. The typical case is
Asset ID that the user specifies the asset ID for the endpoint to facilitate
directory management and asset tracking.
Allows a network device to advertise the appropriate location
Location Identification identifier information for a terminal device to use in the context of
location-based applications.

NOTE:
• If the MAC/PHY configuration/status TLV is not advertisable, none of the LLDP-MED TLVs will be
advertised even if they are advertisable.
• If the LLDP-MED capabilities TLV is not advertisable, the other LLDP-MED TLVs will not be
advertised even if they are advertisable.

Management address
The network management system uses the management address of a device to identify and manage
the device for topology maintenance and network management. The management address is
encapsulated in the management address TLV.

Working mechanism
LLDP operating modes
An LLDP agent can operate in one of the following modes:
• TxRx mode—An LLDP agent in this mode can send and receive LLDP frames.
• Tx mode—An LLDP agent in this mode can only send LLDP frames.
• Rx mode—An LLDP agent in this mode can only receive LLDP frames.
• Disable mode—An LLDP agent in this mode cannot send or receive LLDP frames.
Each time the LLDP operating mode of an LLDP agent changes, its LLDP protocol state machine
reinitializes. A configurable reinitialization delay prevents frequent initializations caused by frequent
changes to the operating mode. If you configure the reinitialization delay, an LLDP agent must wait
the specified amount of time to initialize LLDP after the LLDP operating mode changes.
Transmitting LLDP frames
An LLDP agent operating in TxRx mode or Tx mode sends LLDP frames to its directly connected
devices both periodically and when the local configuration changes. To prevent LLDP frames from
overwhelming the network during times of frequent changes to local device information, LLDP uses
the token bucket mechanism to rate limit LLDP frames. For more information about the token bucket
mechanism, see ACL and QoS Configuration Guide.
LLDP automatically enables the fast LLDP frame transmission mechanism in either of the following
cases:
• A new neighbor is discovered. A new LLDP frame is received and carries device information
new to the local device.
• The LLDP operating mode of the LLDP agent changes from Disable or Rx to TxRx or Tx.
With this mechanism, the specified number of LLDP frames are sent successively at a configurable
fast transmission interval to help LLDP neighbors discover the local device as soon as possible.
Then, the normal LLDP frame transmission interval resumes.

258
Receiving LLDP frames
An LLDP agent operating in TxRx mode or Rx mode confirms the validity of TLVs carried in every
received LLDP frame. If the TLVs are valid, the LLDP agent saves the information and starts an
aging timer. When the TTL value in the Time To Live TLV carried in the LLDP frame becomes zero,
the information ages out immediately.

Protocols and standards

• IEEE 802.1AB-2005, Station and Media Access Control Connectivity Discovery
• IEEE 802.1AB-2009, Station and Media Access Control Connectivity Discovery
• ANSI/TIA-1057, Link Layer Discovery Protocol for Media Endpoint Devices
• DCB Capability Exchange Protocol Specification Rev 1.00
• DCB Capability Exchange Protocol Base Specification Rev 1.01
• IEEE Std 802.1Qaz-2011, Media Access Control (MAC) Bridges and Virtual Bridged Local Area
Networks-Amendment 18: Enhanced Transmission Selection for Bandwidth Sharing Between
Traffic Classes

LLDP configuration task list

Tasks at a glance
Performing basic LLDP configurations:
• (Required.) Enabling LLDP
• (Optional.) Configuring the LLDP bridge mode
• (Optional.) Setting the LLDP operating mode
• (Optional.) Setting the LLDP reinitialization delay
• (Optional.) Enabling LLDP polling
• (Optional.) Configuring the advertisable TLVs
• (Optional.) Configuring the management address and its encoding format
• (Optional.) Setting other LLDP parameters
• (Optional.) Setting an encapsulation format for LLDP frames
• (Optional.) Disabling LLDP PVID inconsistency check
(Optional.) Configuring CDP compatibility
(Optional.) Configuring DCBX
(Optional.) Configuring LLDP trapping and LLDP-MED trapping

Performing basic LLDP configurations

Enabling LLDP
To make LLDP take effect on specific ports, you must enable LLDP both globally and on these ports.
To use LLDP together with OpenFlow, you must enable LLDP globally on OpenFlow switches. To
prevent LLDP from affecting topology discovery of OpenFlow controllers, disable LLDP on ports of
OpenFlow instances. For more information about OpenFlow, see OpenFlow Configuration Guide.
To enable LLDP:

259
 Step Command Remarks
1. Enter system view. system-view N/A
By default:
• If the switch starts up
with empty
configuration, LLDP is
disabled globally
(initial setting).
• If the switch starts up
with the default
2. Enable LLDP globally. lldp global enable configuration file,
LLDP is enabled
globally (factory
default).
For more information about
empty configuration and
the default configuration
file, see Fundamentals
Configuration Guide.
3. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet
interface view, Layer interface interface-type interface-number N/A
2/Layer 3 aggregate
interface view, or IRF
physical interface view.

4. Enable LLDP. By default, LLDP is

lldp enable
enabled on a port.

NOTE:
An LLDP-enabled IRF physical interface supports only the nearest bridge agents.

Configuring the LLDP bridge mode

The following LLDP bridge modes are available:
• Customer bridge mode—In customer bridge mode, LLDP supports nearest bridge agents,
nearest non-TPMR bridge agents, and nearest customer bridge agents. LLDP processes the
LLDP frames with destination MAC addresses for these agents and transparently transmits the
LLDP frames with other destination MAC addresses in VLANs.
• Service bridge mode—In service bridge mode, LLDP supports nearest bridge agents and
nearest non-TPMR bridge agents. LLDP processes the LLDP frames with destination MAC
addresses for these agents and transparently transmits the LLDP frames with other destination
MAC addresses in VLANs.
To configure the LLDP bridge mode:

Step Command Remarks

1. Enter system view. system-view N/A
2. Configure LLDP to operate By default, LLDP operates in
in service bridge mode. lldp mode service-bridge
customer bridge mode.

260
Setting the LLDP operating mode
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet
interface view, Layer interface interface-type interface-number N/A
2/Layer 3 aggregate
interface view, or IRF
physical interface view.
By default:
• The nearest bridge
agent operates in txrx
mode.
• The nearest customer
bridge agent and
• In Layer 2/Layer 3 Ethernet interface
nearest non-TPMR
view or management Ethernet
bridge agent operate
interface view:
in disable mode.
lldp [ agent { nearest-customer |
nearest-nontpmr } ] admin-status In Ethernet interface view,
{ disable | rx | tx | txrx } if no agent type is
3. Set the LLDP operating • In Layer 2/Layer 3 aggregate interface specified, the command
mode. view: configures the operating
lldp agent { nearest-customer | mode for nearest bridge
nearest-nontpmr } admin-status agents.
{ disable | rx | tx | txrx } In aggregate interface
• In IRF physical interface view: view, you can configure the
lldp admin-status { disable | rx | tx | operating mode only for
txrx } nearest customer bridge
agents and nearest
non-TPMR bridge agents.
In IRF physical interface
view, you can configure the
operating mode only for
nearest bridge agents.

Setting the LLDP reinitialization delay

When the LLDP operating mode changes on a port, the port initializes the protocol state machines
after an LLDP reinitialization delay. By adjusting the delay, you can avoid frequent initializations
caused by frequent changes to the LLDP operating mode on a port.
To set the LLDP reinitialization delay for ports:

Step Command Remarks

1. Enter system view. system-view N/A
2. Set the LLDP reinitialization
delay. lldp timer reinit-delay delay The default setting is 2 seconds.

261
Enabling LLDP polling
With LLDP polling enabled, a device periodically searches for local configuration changes. When the
device detects a configuration change, it sends LLDP frames to inform neighboring devices of the
change.
To enable LLDP polling:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet
interface view, Layer interface interface-type interface-number N/A
2/Layer 3 aggregate
interface view, or IRF
physical interface view.
• In Layer 2/Layer 3 Ethernet interface
view or management Ethernet
interface view:
lldp [ agent { nearest-customer |
nearest-nontpmr } ]
check-change-interval interval
3. Enable LLDP polling and By default, LLDP polling is
• In Layer 2/Layer 3 aggregate interface
set the polling interval. disabled.
view:
lldp agent { nearest-customer |
nearest-nontpmr }
check-change-interval interval
• In IRF physical interface view:
lldp check-change-interval interval

Configuring the advertisable TLVs

Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet
interface view, or Layer interface interface-type interface-number N/A
2/Layer 3 aggregate
interface view, or IRF
physical interface view.

• lldp tlv-enable { basic-tlv { all | By default:

port-description | system-capability • Nearest bridge
| system-description | system-name agents can
| management-address-tlv advertise all types of
[ ip-address ] } | dot1-tlv { all | LLDP TLVs except
3. Configure the advertisable congestion-notification | the DCBX TLV,
TLVs (in Layer 2 Ethernet port-vlan-id | link-aggregation | dcbx location
interface view). | protocol-vlan-id [ vlan-id ] | identification TLV,
vlan-name [ vlan-id ] | port and protocol
management-vid [ mvlan-id ] } | VLAN ID TLVs,
dot3-tlv { all | mac-physic | VLAN name TLVs,
max-frame-size | power } | med-tlv and management
{ all | capability | inventory | VLAN ID TLVs.
network-policy [ vlan-id ] || • Nearest non-TPMR

262
Step Command Remarks
power-over-ethernet | location-id bridge agents can
{ civic-address device-type advertise only the
country-code { ca-type EVB TLV.
ca-value }&<1-10> | elin-address • Nearest customer
tel-number } } } bridge agents can
• lldp agent nearest-nontpmr advertise basic
tlv-enable { basic-tlv { all | TLVs and IEEE
port-description | system-capability 802.1
| system-description | system-name organizationally
| management-address-tlv specific TLVs.
[ ip-address ] } | dot1-tlv { all |
congestion-notification | evb |
port-vlan-id | link-aggregation } }
• lldp agent nearest-customer
tlv-enable { basic-tlv { all |
port-description | system-capability
| system-description | system-name
| management-address-tlv
[ ip-address ] } | dot1-tlv { all |
congestion-notification |
port-vlan-id | link-aggregation } }
By default:
• lldp tlv-enable { basic-tlv { all | • Nearest bridge
port-description | system-capability agents can
| system-description | system-name advertise all types of
| management-address-tlv LLDP TLVs (only
[ ip-address ] } | dot1-tlv { all | link aggregation TLV
link-aggregation } | dot3-tlv { all | in 802.1
mac-physic | max-frame-size | organizationally
power } | med-tlv { all | capability | specific TLVs)
4. Configure the advertisable inventory | power-over-ethernet | except network
TLVs (in Layer 3 Ethernet location-id { civic-address policy TLVs.
interface view or device-type country-code { ca-type • Nearest non-TPMR
management Ethernet ca-value }&<1-10> | elin-address bridge agents
interface view). tel-number } } } advertise no TLVs.
• lldp agent { nearest-nontpmr | • Nearest customer
nearest-customer } tlv-enable bridge agents can
{ basic-tlv { all | port-description | advertise basic
system-capability | TLVs and IEEE
system-description | system-name | 802.1
management-address-tlv organizationally
[ ip-address ] } | dot1-tlv { all | specific TLVs (only
link-aggregation } } link aggregation
TLV).
• lldp agent nearest-nontpmr By default:
tlv-enable { basic-tlv { all | • Nearest non-TPMR
management-address-tlv bridge agents can
[ ip-address ] | port-description | advertise only EVB
system-capability | TLVs.
system-description | system-name }
• Nearest customer
| dot1-tlv { all | evb | port-vlan-id } }
5. Configure the advertisable bridge agents can
TLVs (in Layer 2 aggregate • lldp agent nearest-customer advertise basic
interface view). tlv-enable { basic-tlv { all | TLVs and IEEE
management-address-tlv 802.1
[ ip-address ] | port-description | organizationally
system-capability | specific TLVs (only
system-description | system-name } port and protocol
| dot1-tlv { all | port-vlan-id } } VLAN ID TLV, VLAN
• lldp tlv-enable dot1-tlv name TLV, and
{ protocol-vlan-id [ vlan-id ] | management VLAN

263
 Step Command Remarks
vlan-name [ vlan-id ] | ID TLV).
management-vid [ mvlan-id ] } Nearest bridge agents
are not supported on
Layer 2 aggregate
interfaces.
By default:
• Nearest non-TPMR
bridge agents
lldp agent { nearest-nontpmr | advertise no TLVs.
6. Configure the advertisable nearest-customer } tlv-enable basic-tlv • Nearest customer
TLVs (in Layer 3 aggregate { all | management-address-tlv bridge agents can
interface view). [ ip-address ] | port-description | advertise only basic
system-capability | system-description | TLVs.
system-name }
Nearest bridge agents
are not supported on
Layer 3 aggregate
interfaces.
7. Configure the advertisable lldp tlv-enable basic-tlv By default, IRF interfaces
TLVs (in IRF physical { port-description | system-capability | advertise all supported
interface view). system-description | system-name } types of TLVs.

Configuring the management address and its encoding

format
LLDP encodes management addresses in numeric or string format in management address TLVs.
By default, management addresses are encoded in numeric format. If a neighbor encodes its
management address in string format, configure the encoding format of the management address as
string on the connecting port. This guarantees normal communication with the neighbor.
To configure a management address to be advertised and its encoding format on a port:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet interface interface-type
interface view, or Layer N/A
interface-number
2/Layer 3 aggregate interface
view.
• In Layer 2/Layer 3 Ethernet
interface view or
management Ethernet By default:
interface view:
lldp [ agent • Nearest bridge agents and
3. Allow LLDP to advertise the { nearest-customer | nearest customer bridge
management address in nearest-nontpmr } ] agents can advertise the
LLDP frames and configure tlv-enable basic-tlv management address in
the advertised management management-address-tlv LLDP frames.
address. [ ip-address ] • Nearest non-TPMR bridge
• In Layer 2/Layer 3 agents cannot advertise the
aggregate interface view: management address in
lldp agent LLDP frames.
{ nearest-customer |
nearest-nontpmr }

264
 Step Command Remarks
tlv-enable basic-tlv
management-address-tlv
[ ip-address ]
• In Layer 2/Layer 3 Ethernet
interface view or
management Ethernet
interface view:
lldp [ agent
{ nearest-customer |
nearest-nontpmr } ]
4. Configure the encoding management-address-for By default, the encoding format of
format of the management mat string the management address is
address as string. numeric.
• In Layer 2/Layer 3
aggregate interface view:
lldp agent
{ nearest-customer |
nearest-nontpmr }
management-address-for
mat string

Setting other LLDP parameters

The Time to Live TLV carried in an LLDPDU determines how long the device information carried in
the LLDPDU can be saved on a recipient device.
By setting the TTL multiplier, you can configure the TTL of locally sent LLDPDUs, which determines
how long information about the local device can be saved on a neighboring device. The TTL is
expressed by using the following formula:
TTL = Min (65535, (TTL multiplier × LLDP frame transmission interval + 1))
As the expression shows, the TTL can be up to 65535 seconds. TTLs greater than 65535 will be
rounded down to 65535 seconds.
To change LLDP parameters:

Step Command Remarks

1. Enter system view. system-view N/A
2. Set the TTL multiplier. lldp hold-multiplier value The default setting is 4.
3. Set the LLDP frame The default setting is 30
transmission interval. lldp timer tx-interval interval
seconds.
4. Set the token bucket size for
sending LLDP frames. lldp max-credit credit-value The default setting is 5.

5. Set the number of LLDP

frames sent each time fast
LLDP frame transmission is lldp fast-count count The default setting is 4.
triggered.
6. Set the interval for fast LLDP
frame transmission. lldp timer fast-interval interval The default setting is 1 second.

Setting an encapsulation format for LLDP frames

LLDP frames can be encapsulated in the following formats:

265
 • Ethernet II—With Ethernet II encapsulation configured, an LLDP port sends LLDP frames in
Ethernet II frames.
• SNAP—With SNAP encapsulation configured, an LLDP port sends LLDP frames in SNAP
frames.
LLDP of earlier versions requires the same encapsulation format on both ends to process LLDP
frames. To successfully communicate with a neighboring device running LLDP of earlier versions,
the local device must be configured with the same encapsulation format.
To set the encapsulation format for LLDP frames to SNAP:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet
interface view, Layer interface interface-type interface-number N/A
2/Layer 3 aggregate
interface view, or IRF
physical interface view.
• In Layer 2/Layer 3 Ethernet interface
view or management Ethernet
interface view:
lldp [ agent { nearest-customer |
nearest-nontpmr } ] encapsulation
3. Set the encapsulation snap By default, Ethernet II
format for LLDP frames to • In Layer 2/Layer 3 aggregate interface encapsulation format
SNAP. view: applies.
lldp agent { nearest-customer |
nearest-nontpmr } encapsulation
snap
• In IRF physical interface view:
lldp encapsulation snap

Disabling LLDP PVID inconsistency check

By default, when the system receives an LLDP packet, it compares the PVID value contained in the
packet with the PVID configured on the receiving interface. If the two PVIDs do not match, a log
message will be printed to notify the user.
You can disable PVID inconsistency check if different PVIDs are required on a link.
To disable LLDP PVID inconsistency check:

Step Command Remarks

1. Enter system view. system-view N/A

2. Disable LLDP PVID By default, LLDP PVID

inconsistency check. lldp ignore-pvid-inconsistency inconsistency check is
enabled.

Configuring CDP compatibility

When the switch is directly connected to a Cisco device that supports only CDP rather than LLDP,
you can enable CDP compatibility to enable the switch to exchange information with the
directly-connected device.

266
 CDP compatibility enables the switch to use LLDP to receive and recognize CDP packets from the
directly-connected device and send CDP packets to the directly-connected device. The packets that
the switch sends to the neighboring CDP device carry the following information:
• Device ID.
• ID of the port connecting to the neighboring device.
• port IP address.
• PVID.
• TTL.
The port IP address is the primary IP address of the VLAN interface in up state. The VLAN ID of the
VLAN interface must be the lowest among the VLANs permitted on the port. If no VLAN interfaces of
the permitted VLANs is assigned an IP address or all VLAN interfaces are down, no port IP address
will be advertised.
The CDP neighbor-information-related fields in the output of the display lldp neighbor-information
command show the CDP neighboring device information that can be recognized by the switch. For
more information about the display lldp neighbor-information command, see Layer 2—LAN
Switching Command Reference.
If your LLDP-enabled device cannot recognize CDP packets, it does not respond to the requests of
Cisco IP phones for the voice VLAN ID configured on the device. As a result, a requesting Cisco IP
phone sends voice traffic without any VLAN tag to your device. Your device cannot differentiate the
voice traffic from other types of traffic.
CDP compatibility enables your device to receive and recognize CDP packets from a Cisco IP phone
and respond with CDP packets carrying TLVs with the voice VLAN configuration. According to TLVs
with the voice VLAN configuration, the IP phone automatically configures the voice VLAN. As a result,
the voice traffic is confined in the configured voice VLAN and is differentiated from other types of
traffic.
For more information about voice VLANs, see "Configuring voice VLANs."

Configuration prerequisites
Before you configure CDP compatibility, complete the following tasks:
• Globally enable LLDP.
• Enable LLDP on the port connecting to a device supporting CDP.
• Configure LLDP to operate in TxRx mode on the port.

Configuration procedure
CDP-compatible LLDP operates in one of the following modes:
• TxRx—CDP packets can be transmitted and received.
• Disable—CDP packets cannot be transmitted or received.
To make CDP-compatible LLDP take effect on ports, follow these steps:
1. Enable CDP-compatible LLDP globally.
2. Configure CDP-compatible LLDP to operate in TxRx mode.
The maximum TTL value that CDP allows is 255 seconds. To make CDP-compatible LLDP work
correctly with Cisco IP phones, configure the LLDP frame transmission interval to be no more than
1/3 of the TTL value.
To enable LLDP to be compatible with CDP:

267
 Step Command Remarks
1. Enter system view. system-view N/A
2. Enable CDP compatibility By default, CDP compatibility is
globally. lldp compliance cdp
disabled globally.
3. Enter Layer 2/Layer 3
Ethernet interface view or interface interface-type
management Ethernet N/A
interface-number
interface view.
4. Configure CDP-compatible
LLDP to operate in TxRx lldp compliance admin-status By default, CDP-compatible LLDP
mode. cdp txrx operates in disable mode.

Configuring DCBX
Data Center Ethernet (DCE), also known as Converged Enhanced Ethernet (CEE), is enhancement
and expansion of traditional Ethernet local area networks for use in data centers. DCE uses the Data
Center Bridging Exchange Protocol (DCBX) to negotiate and remotely configure the bridge capability
of network elements.
DCBX has the following self-adaptable versions:
• DCB Capability Exchange Protocol Specification Rev 1.00.
• DCB Capability Exchange Protocol Base Specification Rev 1.01.
• IEEE Std 802.1Qaz-2011 (Media Access Control (MAC) Bridges and Virtual Bridged Local Area
Networks-Amendment 18: Enhanced Transmission Selection for Bandwidth Sharing Between
Traffic Classes).
DCBX offers the following functions:
• Discovers the peer devices' capabilities and determines whether devices at both ends support
these capabilities.
• Detects configuration errors on peer devices.
• Remotely configures the peer device if the peer device accepts the configuration.

NOTE:
H3C devices support only the remote configuration function.

Figure 79 DCBX application scenario

DCBX enables lossless packet transmission on DCE networks.

As shown in Figure 79, DCBX applies to an FCoE-based data center network, and operates on an
access switch. DCBX enables the switch to control the server's or disk device's adapter, and
simplifies the configuration and guarantees configuration consistency. DCBX extends LLDP by using
the IEEE 802.1 organizationally specific TLVs (DCBX TLVs) to transmit DCBX data, including:

268
 • In DCBX Rev 1.00 and DCBX Rev 1.01:
{ Application Protocol (APP).
{ Enhanced Transmission Selection (ETS).
{ Priority-based Flow Control (PFC).
• In IEEE Std 802.1Qaz-2011:
{ ETS Configuration.
{ ETS Recommendation.
{ PFC.
{ APP.
H3C devices can send these types of DCBX information to a server's or disk device's adapter
supporting FCoE, but they cannot accept them.

DCBX configuration task list

Tasks at a glance
(Required.) Enabling LLDP and DCBX TLV advertising
(Required.) Configuring APP parameters
(Required.) Configuring ETS parameters:
• Configuring the 802.1p-to-local priority mapping
• Configuring group-based WRR queuing
(Required.) Configuring PFC parameters
(Optional.) Configuring the DCBX version

Enabling LLDP and DCBX TLV advertising

To enable the device to advertise APP, ETS, and PFC data through an interface, perform the
following tasks:
• Enable LLDP globally.
• Enable LLDP and DCBX TLV advertising on the interface.
To enable LLDP and DCBX TLV advertising:

Step Command Remarks

1. Enter system view. system-view N/A
By default:
• If the switch starts up
with empty
configuration, LLDP is
disabled globally (initial
setting).
2. Enable LLDP globally. lldp global enable • If the switch starts up
with the default
configuration file, LLDP
is enabled globally
(factory default).
For more information about
empty configuration and the
default configuration file, see

269
 Step Command Remarks
Fundamentals Configuration
Guide.
3. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number

4. Enable LLDP. By default, LLDP is enabled

lldp enable
on an interface.

5. Enable the interface to By default, DCBX TLV

advertise DCBX TLVs. lldp tlv-enable dot1-tlv dcbx advertising is disabled on an
interface.

Configuring APP parameters

The device negotiates with the server adapter by using the APP parameters to achieve the following
purposes:
• Control the 802.1p priority values of the protocol packets that the server adapter sends.
• Identify traffic based on the 802.1p priority values.
For example, the device can use the APP parameters to negotiate with the server adapter to set
802.1p priority of all FCoE frames and FIP frames to 3. If the negotiation succeeds, all the FCoE
frames and FIP frames that the server adapter sends to the device carry the 802.1p priority 3.
Configuration restrictions and guidelines
When you configure APP parameters, follow these restrictions and guidelines:
• An Ethernet frame header ACL identifies application protocol packets by frame type.
• An IPv4 advanced ACL identifies application protocol packets by TCP/UDP port number.
• DCBX Rev 1.00 identifies application protocol packets only by frame type and advertises TLVs
with frame type 0x8906 (FCoE) only.
• DCBX Rev 1.01 has the following attributes:
{ Supports identifying application protocol packets by both frame type and TCP/UDP port
number.
{ Does not restrict the frame type or TCP/UDP port number for advertising TLVs.
{ Can advertise up to 77 TLVs according to the remaining length of the current packet.
• In a QoS policy, you can configure multiple class-behavior associations. A packet might be
configured with multiple 802.1p priority marking or mapping actions, and the one configured first
takes effect.
Configuration procedure

Step Command Remarks

1. Enter system view. system-view N/A
An Ethernet frame header ACL
number is in the range of 4000 to
4999. An IPv4 advanced ACL
number is in the range of 3000 to
2. Create an Ethernet frame 3999.
header ACL or an IPv4 acl number acl-number [ name
advanced ACL and enter acl-name ] [ match-order { auto | DCBX Rev 1.00 supports only
ACL view. config } ] Ethernet frame header ACLs.
DCBX Rev 1.01 and IEEE Std
802.1Qaz-2011 support both
Ethernet frame header ACLs and
IPv4 advanced ACLs.

270
 Step Command Remarks
• For the Ethernet frame
header ACL:
rule [ rule-id ] permit type
protocol-type ffff Create rules according to the type
3. Create a rule for the ACL.
• For the IPv4 advanced ACL: of the ACL previously created.
rule [ rule-id ] permit { tcp |
udp } destination-port eq
port
4. Return to system view. quit N/A
5. Create a class, specify the
operator of the class as OR, traffic classifier classifier-name
N/A
and enter class view. operator or

6. Use the specified ACL as the

match criterion of the class. if-match acl acl-number N/A

7. Return to system view. quit N/A

8. Create a traffic behavior and
enter traffic behavior view. traffic behavior behavior-name N/A

9. Configure the behavior to

mark packets with an 802.1p remark dot1p 8021p N/A
priority.
10. Return to system view. quit N/A
11. Create a QoS policy and
enter QoS policy view. qos policy policy-name N/A

12. Associate the class with the

traffic behavior in the QoS classifier classifier-name
policy, and apply the behavior behavior-name mode N/A
association to DCBX. dcbx

13. Return to system view. quit N/A

• (Method 1) To the outgoing
traffic of all ports:
qos apply policy
policy-name global
outbound
• (Method 2) To the outgoing • Configurations made in
traffic of a Layer 2 Ethernet system view take effect on all
interface: ports.
14. Apply the QoS policy. • Configurations made in
a. Enter Layer 2 Ethernet
interface view: Layer 2 Ethernet interface
interface interface-type view take effect on the
interface-number interface.

b. Apply the QoS policy to

the outgoing traffic:
qos apply policy
policy-name outbound

For more information about the acl, rule, traffic classifier, if-match, traffic behavior, remark
dot1p, qos policy, classifier behavior, qos apply policy global, and qos apply policy
commands, see ACL and QoS Command Reference.

Configuring ETS parameters

ETS provides committed bandwidth. To avoid packet loss caused by congestion, the device
performs the following tasks:

271
 • Uses ETS parameters to negotiate with the server adapter.
• Controls the server adapter's transmission speed of the specified type of traffic,
• Guarantees that the transmission speed is within the committed bandwidth of the interface.
To configure ETS parameters, you must configure the 802.1p-to-local priority mapping and
group-based WRR queuing.
Configuring the 802.1p-to-local priority mapping

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter 802.1p-to-local
priority mapping table view. qos map-table dot1p-lp N/A

3. Configure the priority

mapping table to map the For information about the default
specified 802.1p priority import import-value-list export
priority mapping tables, see ACL
values to a local export-value
and QoS Configuration Guide.
precedence value.
4. Return to system view. quit N/A
5. Enter Ethernet interface interface interface-type
view. N/A
interface-number
6. Configure the interface to
trust the 802.1p priority By default, the port priority of the
qos trust dot1p
carried in packets. incoming port is trusted.

For more information about the qos map-table, qos map-table color, and import commands, see
ACL and QoS Command Reference.
Configuring group-based WRR queuing
You can configure group-based WRR queuing to allocate bandwidth.
To configure group-based WRR queuing:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number

3. Enable WRR queuing. By default, byte-count WRR is

qos wrr byte-count
used.
• Add a queue to WRR priority group
1 and configure the scheduling
weight for the queue:
qos wrr queue-id group 1
4. Configure a queue. byte-count schedule-value Use one or both commands.
• Configure a queue to use SP
queuing:
qos wrr queue-id group sp

For more information about the qos wrr, qos wrr byte-count, and qos wrr group sp commands,
see ACL and QoS Command Reference.

272
Configuring PFC parameters
To prevent packets with an 802.1p priority value from being dropped, enable PFC for the 802.1p
priority value. This feature reduces the sending rate of packets carrying this priority when network
congestion occurs.
The device uses PFC parameters to negotiate with the server adapter and to enable PFC for the
specified 802.1p priorities on the server adapter.
To configure PFC parameters:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
3. Enable the Ethernet interface By default, PFC is disabled.
to automatically negotiate with
its peer to decide whether to priority-flow-control auto To advertise the PFC data, you
enable PFC. must enable PFC in auto mode.

By default, PFC is disabled for all

802.1p priorities.
As a best practice, enable PFC for
4. Enable PFC for the specified priority-flow-control no-drop the 802.1p priority of FCoE traffic.
802.1p priorities. dot1p dot1p-list If you enable PFC for multiple
802.1p priorities, packet loss
might occur during periods of
congestion.
5. Configure the interface to trust
the 802.1p priority carried in By default, the port priority of the
qos trust dot1p
packets. incoming port is trusted.

For more information about the priority-flow-control and priority-flow-control no-drop dot1p
commands, see Interface Command Reference.

Configuring the DCBX version

When you configure the DCBX version, follow these restrictions and guidelines:
• For DCBX to work correctly, configure the same DCBX version on the local port and peer port.
As a best practice, configure the highest version supported on both ends. IEEE Std
802.1Qaz-2011, DCBX Rev 1.01, and DCBX Rev 1.00 are in descending order.
• After the configuration, LLDP frames sent by the local port carry information about the
configured DCBX version. The local port and peer port do not negotiate the DCBX version.
• If the DCBX version is autonegotiated, the version IEEE Std 802.1Qaz-2011 is preferably
negotiated.
To configure the DCBX version:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number

3. Configure the DCBX dcbx version { rev100 | rev101 | By default, the DCBX version
version. standard } is not configured. It is
autonegotiated by the local

273
 Step Command Remarks
port and peer port.

Configuring LLDP trapping and LLDP-MED

trapping
LLDP trapping or LLDP-MED trapping notifies the network management system of events such as
newly detected neighboring devices and link failures.
To prevent excessive LLDP traps from being sent when the topology is unstable, set a trap
transmission interval for LLDP.
To configure LLDP trapping and LLDP-MED trapping:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet
interface view, Layer interface interface-type interface-number N/A
2/Layer 3 aggregate
interface view, or IRF
physical interface view.
• In Layer 2/Layer 3 Ethernet interface
view or management Ethernet
interface view:
lldp [ agent { nearest-customer |
nearest-nontpmr } ] notification
remote-change enable
• In Layer 2/Layer 3 aggregate interface By default, LLDP trapping
3. Enable LLDP trapping.
view: is disabled.
lldp agent { nearest-customer |
nearest-nontpmr } notification
remote-change enable
• In IRF physical interface view:
lldp notification remote-change
enable
4. Enable LLDP-MED
trapping (in Layer 2/Layer
3 Ethernet interface view lldp notification med-topology-change By default, LLDP-MED
or management Ethernet enable trapping is disabled.
interface view).
5. Return to system view. quit N/A
6. (Optional.) Set the LLDP The default setting is 30
trap transmission interval. lldp timer notification-interval interval
seconds.

Displaying and maintaining LLDP

Execute display commands in any view.

274
 Task Command
display lldp local-information [ global | interface interface-type
Display local LLDP information.
interface-number ]
display lldp neighbor-information [ [ [ interface interface-type
Display the information contained
interface-number ] [ agent { nearest-bridge | nearest-customer |
in the LLDP TLVs sent from
nearest-nontpmr } ] [ verbose ] ] | list [ system-name
neighboring devices.
system-name ] ]
display lldp statistics [ global | [ interface interface-type
Display LLDP statistics. interface-number ] [ agent { nearest-bridge | nearest-customer |
nearest-nontpmr } ] ]
display lldp status [ interface interface-type interface-number ]
Display LLDP status of a port.
[ agent { nearest-bridge | nearest-customer | nearest-nontpmr } ]
Display types of advertisable display lldp tlv-config [ interface interface-type interface-number ]
optional LLDP TLVs. [ agent { nearest-bridge | nearest-customer | nearest-nontpmr } ]

LLDP configuration examples

Basic LLDP configuration example
Network requirements
As shown in Figure 80, the NMS and Switch A are located in the same Ethernet network. A MED
device and Switch B are connected to Ten-GigabitEthernet1/0/1 and Ten-GigabitEthernet 1/0/2 of
Switch A.
Enable LLDP globally on Switch A and Switch B to perform the following tasks:
• Monitor the link between Switch A and Switch B.
• Monitor the link between Switch A and the MED device on the NMS.
Figure 80 Network diagram

MED

XGE1/0/1
NMS
XGE1/0/2 XGE1/0/1

Switch A Switch B

Configuration procedure
1. Configure Switch A:
# Enable LLDP globally.
<SwitchA> system-view
[SwitchA] lldp global enable
# Enable LLDP on Ten-GigabitEthernet 1/0/1. By default, LLDP is enabled on ports.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] lldp enable
# Set the LLDP operating mode to Rx.
[SwitchA-Ten-GigabitEthernet1/0/1] lldp admin-status rx

275
 [SwitchA-Ten-GigabitEthernet1/0/1] quit
# Enable LLDP on Ten-GigabitEthernet 1/0/2. By default, LLDP is enabled on ports.
[SwitchA] interface ten-gigabitethernet 1/0/2
[SwitchA-Ten-GigabitEthernet1/0/2] lldp enable
# Set the LLDP operating mode to Rx.
[SwitchA-Ten-GigabitEthernet1/0/2] lldp admin-status rx
[SwitchA-Ten-GigabitEthernet1/0/2] quit
2. Configure Switch B:
# Enable LLDP globally.
<SwitchB> system-view
[SwitchB] lldp global enable
# Enable LLDP on Ten-GigabitEthernet 1/0/1. By default, LLDP is enabled on ports.
[SwitchB] interface ten-gigabitethernet 1/0/1
[SwitchB-Ten-GigabitEthernet1/0/1] lldp enable
# Set the LLDP operating mode to Tx.
[SwitchB-Ten-GigabitEthernet1/0/1] lldp admin-status tx
[SwitchB-Ten-GigabitEthernet1/0/1] quit

Verify the configuration:

# Verify that:
• Ten-GigabitEthernet 1/0/1 of Switch A connects to a MED device.
• Ten-GigabitEthernet 1/0/2 of Switch A connects to a non-MED device.
• Both ports operate in Rx mode, and they can receive LLDP frames but cannot send LLDP
frames.
[SwitchA] display lldp status
Global status of LLDP: Enable
Bridge mode of LLDP: customer-bridge
The current number of LLDP neighbors: 2
The current number of CDP neighbors: 0
LLDP neighbor information last changed time: 0 days, 0 hours, 4 minutes, 40 seconds
Transmit interval : 30s
Fast transmit interval : 1s
Transmit credit max : 5
Hold multiplier : 4
Reinit delay : 2s
Trap interval : 30s
Fast start times : 4

LLDP status information of port 1 [Ten-GigabitEthernet1/0/1]:

LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : RX_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 1
Number of MED neighbors : 1
Number of CDP neighbors : 0

276
Number of sent optional TLV : 21
Number of received unknown TLV : 0

LLDP agent nearest-customer:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 16
Number of received unknown TLV : 0

LLDP status information of port 2 [Ten-GigabitEthernet1/0/2]:

LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : RX_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 1
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 21
Number of received unknown TLV : 3

LLDP agent nearest-nontpmr:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 1
Number of received unknown TLV : 0

LLDP agent nearest-customer:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0

277
Number of CDP neighbors : 0
Number of sent optional TLV : 16
Number of received unknown TLV : 0

# Remove the link between Switch A and Switch B.

# Verify that Ten-GigabitEthernet 1/0/2 of Switch A does not connect to any neighboring devices.
[SwitchA] display lldp status
Global status of LLDP: Enable
The current number of LLDP neighbors: 1
The current number of CDP neighbors: 0
LLDP neighbor information last changed time: 0 days, 0 hours, 5 minutes, 20 seconds
Transmit interval : 30s
Fast transmit interval : 1s
Transmit credit max : 5
Hold multiplier : 4
Reinit delay : 2s
Trap interval : 30s
Fast start times : 4

LLDP status information of port 1 [Ten-GigabitEthernet1/0/1]:

LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : RX_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 1
Number of MED neighbors : 1
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 5

LLDP agent nearest-nontpmr:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 1
Number of received unknown TLV : 0

LLDP status information of port 2 [Ten-GigabitEthernet1/0/2]:

LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : RX_Only
Trap flag : No

278
 MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 0

LLDP agent nearest-nontpmr:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 1
Number of received unknown TLV : 0

LLDP agent nearest-customer:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 16
Number of received unknown TLV : 0

CDP-compatible LLDP configuration example

Network requirements
As shown in Figure 81, Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 of Switch A are
each connected to a Cisco IP phone, which sends VLAN-tagged voice traffic.
Configure voice VLAN 2 on Switch A. Enable CDP compatibility of LLDP on Switch A to allow the
Cisco IP phones to automatically configure the voice VLAN. The voice VLAN feature performs the
following actions:
• Confines the voice traffic to the voice VLAN.
• Isolates the voice traffic from other types of traffic.
Figure 81 Network diagram

279
Configuration procedure
1. Configure a voice VLAN on Switch A:
# Create VLAN 2.
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] quit
# Set the link type of Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 to trunk, and
enable voice VLAN on them.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-Ten-GigabitEthernet1/0/1] voice vlan 2 enable
[SwitchA-Ten-GigabitEthernet1/0/1] quit
[SwitchA] interface ten-gigabitethernet 1/0/2
[SwitchA-Ten-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-Ten-GigabitEthernet1/0/2] voice vlan 2 enable
[SwitchA-Ten-GigabitEthernet1/0/2] quit
2. Configure CDP-compatible LLDP on Switch A:
# Enable LLDP globally, and enable CDP compatibility globally.
[SwitchA] lldp global enable
[SwitchA] lldp compliance cdp
# Enable LLDP on Ten-GigabitEthernet 1/0/1. By default, LLDP is enabled on ports.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] lldp enable
# Configure LLDP to operate in TxRx mode on Ten-GigabitEthernet 1/0/1.
[SwitchA-Ten-GigabitEthernet1/0/1] lldp admin-status txrx
# Configure CDP-compatible LLDP to operate in TxRx mode on Ten-GigabitEthernet 1/0/1.
[SwitchA-Ten-GigabitEthernet1/0/1] lldp compliance admin-status cdp txrx
[SwitchA-Ten-GigabitEthernet1/0/1] quit
# Enable LLDP on Ten-GigabitEthernet 1/0/2. By default, LLDP is enabled on ports.
[SwitchA] interface ten-gigabitethernet 1/0/2
[SwitchA-Ten-GigabitEthernet1/0/2] lldp enable
# Configure LLDP to operate in TxRx mode on Ten-GigabitEthernet 1/0/2.
[SwitchA-Ten-GigabitEthernet1/0/2] lldp admin-status txrx
# Configure CDP-compatible LLDP to operate in TxRx mode on Ten-GigabitEthernet 1/0/2.
[SwitchA-Ten-GigabitEthernet1/0/2] lldp compliance admin-status cdp txrx
[SwitchA-Ten-GigabitEthernet1/0/2] quit

Verifying the configuration

# Verify that Switch A has completed the following tasks:
• Discovering the IP phones connected to Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet
1/0/2.
• Obtaining IP phone information.
[SwitchA] display lldp neighbor-information

CDP neighbor-information of port 1[Ten-GigabitEthernet1/0/1]:

CDP neighbor index : 1
Chassis ID : SEP00141CBCDBFE
Port ID : Port 1

280
 Software version : P0030301MFG2
Platform : Cisco IP Phone 7960
Duplex : Full

CDP neighbor-information of port 2[Ten-GigabitEthernet1/0/2]:

CDP neighbor index : 2
Chassis ID : SEP00141CBCDBFF
Port ID : Port 1
Software version : P0030301MFG2
Platform : Cisco IP Phone 7960
Duplex : Full

DCBX configuration example

Network requirements
As shown in Figure 82, in a data center network, interface Ten-GigabitEthernet 1/0/1 of the access
switch (Switch A) connects to the FCoE adapter of the data center server (DC server).
Configure Switch A to implement lossless FCoE and FIP frame transmission to DC server.

NOTE:
In this example, both Switch A and the DC server support DCBX Rev 1.01.

Figure 82 Network diagram

Configuration procedure
1. Enable LLDP and DCBX TLV advertising:
# Enable LLDP globally.
<SwitchA> system-view
[SwitchA] lldp global enable
# Enable LLDP and DCBX TLV advertising on interface Ten-GigabitEthernet 1/0/1.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] lldp enable
[SwitchA-Ten-GigabitEthernet1/0/1] lldp tlv-enable dot1-tlv dcbx
[SwitchA-Ten-GigabitEthernet1/0/1] quit
2. Configure APP parameters:
# Create Ethernet frame header ACL 4000.
[SwitchA] acl number 4000
# Configure ACL 4000 to permit FCoE frames (frame type is 0x8906) and FIP frames (frame
type is 0x8914) to pass through.
[SwitchA-acl-ethernetframe-4000] rule permit type 8906 ffff
[SwitchA-acl-ethernetframe-4000] rule permit type 8914 ffff

281
 [SwitchA-acl-ethernetframe-4000] quit
# Create a class named app_c, specify the operator of the class as OR, and use ACL 4000 as
the match criterion of the class.
[SwitchA] traffic classifier app_c operator or
[SwitchA-classifier-app_c] if-match acl 4000
[SwitchA-classifier-app_c] quit
# Create a traffic behavior named app_b, and configure the traffic behavior to mark packets
with 802.1p priority value 3.
[SwitchA] traffic behavior app_b
[SwitchA-behavior-app_b] remark dot1p 3
[SwitchA-behavior-app_b] quit
# Create a QoS policy named plcy, associate class app_c with traffic behavior app_b in the
QoS policy, and apply the association to DCBX.
[SwitchA] qos policy plcy
[SwitchA-qospolicy-plcy] classifier app_c behavior app_b mode dcbx
[SwitchA-qospolicy-plcy] quit
# Apply the policy named plcy to the outgoing traffic of interface Ten-GigabitEthernet 1/0/1.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] qos apply policy plcy outbound
[SwitchA-Ten-GigabitEthernet1/0/1] quit
3. Configure ETS parameters:
# Configure the 802.1p-to-local priority mapping table to map 802.1p priority value 3 to local
precedence 3. (This is the default mapping table. You can modify this configuration as needed.)
[SwitchA] qos map-table dot1p-lp
[SwitchA-maptbl-dot1p-lp] import 3 export 3
[SwitchA-maptbl-dot1p-lp] quit
# Configure the interface Ten-GigabitEthernet 1/0/1 to trust the 802.1p priority carried in
packets.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] qos trust dot1p
# Enable byte-count WRR queuing on interface Ten-GigabitEthernet 1/0/1, and configure
queue 3 on the interface to use SP queuing.
[SwitchA-Ten-GigabitEthernet1/0/1] qos wrr byte-count
[SwitchA-Ten-GigabitEthernet1/0/1] qos wrr 3 group sp
4. Enable interface Ten-GigabitEthernet 1/0/1 to automatically negotiate with its peer to decide
whether to enable PFC, and enable PFC for 802.1 priority 3.
[SwitchA-Ten-GigabitEthernet1/0/1] priority-flow-control auto
[SwitchA-Ten-GigabitEthernet1/0/1] priority-flow-control no-drop dot1p 3

Verifying the configuration

# Display the data exchange result on the DC server through the software interface for the network
adapter. This example uses the data exchange result for a QLogic adapter on the DC server.
------------------------------------------------------
DCBX Parameters Details for CNA Instance 0 - QLE8142
------------------------------------------------------

Mon May 17 10:00:50 2010

DCBX TLV (Type-Length-Value) Data

282
=================================
DCBX Parameter Type and Length
DCBX Parameter Length: 13
DCBX Parameter Type: 2

DCBX Parameter Information

Parameter Type: Current
Pad Byte Present: Yes
DCBX Parameter Valid: Yes
Reserved: 0

DCBX Parameter Data

Priority Group ID of Priority 1: 0
Priority Group ID of Priority 0: 2

Priority Group ID of Priority 3: 15

Priority Group ID of Priority 2: 1

Priority Group ID of Priority 5: 5

Priority Group ID of Priority 4: 4

Priority Group ID of Priority 7: 7

Priority Group ID of Priority 6: 6

Priority Group 0 Percentage: 2

Priority Group 1 Percentage: 4
Priority Group 2 Percentage: 6
Priority Group 3 Percentage: 0
Priority Group 4 Percentage: 10
Priority Group 5 Percentage: 18
Priority Group 6 Percentage: 27
Priority Group 7 Percentage: 31

Number of Traffic Classes Supported: 8

DCBX Parameter Information

Parameter Type: Remote
Pad Byte Present: Yes
DCBX Parameter Valid: Yes
Reserved: 0

DCBX Parameter Data

Priority Group ID of Priority 1: 0
Priority Group ID of Priority 0: 2

Priority Group ID of Priority 3: 15

Priority Group ID of Priority 2: 1

283
 Priority Group ID of Priority 5: 5
Priority Group ID of Priority 4: 4

Priority Group ID of Priority 7: 7

Priority Group ID of Priority 6: 6

Priority Group 0 Percentage: 2

Priority Group 1 Percentage: 4
Priority Group 2 Percentage: 6
Priority Group 3 Percentage: 0
Priority Group 4 Percentage: 10
Priority Group 5 Percentage: 18
Priority Group 6 Percentage: 27
Priority Group 7 Percentage: 31

Number of Traffic Classes Supported: 8

DCBX Parameter Information

Parameter Type: Local
Pad Byte Present: Yes
DCBX Parameter Valid: Yes
Reserved: 0

DCBX Parameter Data

Priority Group ID of Priority 1: 0
Priority Group ID of Priority 0: 0

Priority Group ID of Priority 3: 1

Priority Group ID of Priority 2: 0

Priority Group ID of Priority 5: 0

Priority Group ID of Priority 4: 0

Priority Group ID of Priority 7: 0

Priority Group ID of Priority 6: 0

Priority Group 0 Percentage: 50

Priority Group 1 Percentage: 50
Priority Group 2 Percentage: 0
Priority Group 3 Percentage: 0
Priority Group 4 Percentage: 0
Priority Group 5 Percentage: 0
Priority Group 6 Percentage: 0
Priority Group 7 Percentage: 0

Number of Traffic Classes Supported: 2

The output shows that the DC server will use SP queuing (priority group ID 15) for 802.1p priority 3.
DCBX Parameter Type and Length

284
 DCBX Parameter Length: 2
DCBX Parameter Type: 3

DCBX Parameter Information

Parameter Type: Current
Pad Byte Present: No
DCBX Parameter Valid: Yes
Reserved: 0

DCBX Parameter Data

PFC Enabled on Priority 0: No
PFC Enabled on Priority 1: No
PFC Enabled on Priority 2: No
PFC Enabled on Priority 3: Yes
PFC Enabled on Priority 4: No
PFC Enabled on Priority 5: No
PFC Enabled on Priority 6: No
PFC Enabled on Priority 7: No

Number of Traffic Classes Supported: 6

DCBX Parameter Information

Parameter Type: Remote
Pad Byte Present: No
DCBX Parameter Valid: Yes
Reserved: 0

DCBX Parameter Data

PFC Enabled on Priority 0: No
PFC Enabled on Priority 1: No
PFC Enabled on Priority 2: No
PFC Enabled on Priority 3: Yes
PFC Enabled on Priority 4: No
PFC Enabled on Priority 5: No
PFC Enabled on Priority 6: No
PFC Enabled on Priority 7: No

Number of Traffic Classes Supported: 6

DCBX Parameter Information

Parameter Type: Local
Pad Byte Present: No
DCBX Parameter Valid: Yes
Reserved: 0

DCBX Parameter Data

PFC Enabled on Priority 0: No
PFC Enabled on Priority 1: No

285
 PFC Enabled on Priority 2: No
PFC Enabled on Priority 3: Yes
PFC Enabled on Priority 4: No
PFC Enabled on Priority 5: No
PFC Enabled on Priority 6: No
PFC Enabled on Priority 7: No

Number of Traffic Classes Supported: 1

The output shows that the DC server will use PFC for 802.1p priority 3.

286
Configuring service loopback groups
A service loopback group contains one or multiple Ethernet ports for looping packets sent out by the
device back to the device. This feature must work with other features, such as GRE.
A service loopback group provides one of the following services:
• Tunnel—Supports unicast tunnel traffic.
• Multicast tunnel—Supports multicast tunnel traffic.
• Multiport—Supports multiport ARP traffic.
The device supports only one service loopback group for each service type. You can use the service
loopback group with multiple features.
Member ports in the service loopback group are load balanced.

Configuration procedure
Follow these guidelines when you configure the service loopback group:
• Make sure the ports you are assigning to the service loopback group meet the following
requirements:
{ The ports are not used for any other purposes. The configuration on a port is removed when
it is assigned to the service loopback group.
{ The ports support the service type of the service loopback group and are not members of
any other service loopback group.
• You cannot change the service type of a service loopback group.
• For correct traffic processing, follow these guidelines:
{ Make sure the service loopback group has a minimum of one member port when it is being
used by a feature.
{ Do not delete the service loopback group when it is being used by a feature.
To configure a service loopback group:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a service loopback service-loopback group number
group and specify its service type { { multicast-tunnel | tunnel } * N/A
type. | multiport }
3. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
By default, the service
loopback group does not
4. Assign the port to the service port service-loopback group contain ports.
loopback group. number You can assign a maximum of
32 ports to the service
loopback group.

287
Displaying and maintaining service loopback
groups
Execute display commands in any view.

Task Command
Display information about service loopback groups. display service-loopback group [ number ]

Service loopback group configuration example

Network requirements
All Ethernet ports on Device A support the tunnel service.
Assign Ten-GigabitEthernet 1/0/1 through Ten-GigabitEthernet 1/0/3 to a service loopback group to
loop GRE packets sent out by the device back to the device.

Configuration procedure
# Create service loopback group 1, and specify its service type as tunnel.
<DeviceA> system-view
[DeviceA] service-loopback group 1 type tunnel

# Assign Ten-GigabitEthernet 1/0/1 through Ten-GigabitEthernet 1/0/3 to service loopback group 1.

[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port service-loopback group 1
[DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port service-loopback group 1
[DeviceA-Ten-GigabitEthernet1/0/2] quit
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port service-loopback group 1
[DeviceA-Ten-GigabitEthernet1/0/3] quit

# Create the interface Tunnel 1 and set it to GRE mode. The interface will automatically use service
loopback group 1.
[DeviceA] interface tunnel 1 mode gre
[DeviceA-Tunnel1]

288
Configuring cut-through Layer 2
forwarding
A cut-through forwarding-enabled switch forwards a frame after it receives the first 64 bytes of the
frame. This feature reduces the transmission time of a frame within the switch, and enhances
forwarding performance.
To configure cut-through forwarding:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable cut-through
forwarding. cut-through enable By default, cut-through forwarding is disabled.

289
Index
Numerics SNMP notification for MAC address table, 33
1\ static source check disable, 32
1 VLAN mappingapplication scenario, 223 advertising
1 VLAN mappingconfiguration, 229, 235 LAN switching LLDP advertisable TLV, 262
1 VLAN mappingimplementation, 225, 226 LAN switching LLDP+DCBX TLV
advertisement, 269
2 VLAN mappingapplication scenario, 225
voice VLAN CDP advertisement
2 VLAN mappingconfiguration, 234, 240
configuration, 190
2 VLAN mappingimplementation, 225, 227
voice VLAN information advertisement to IP
10-GE interface;10-GE interface phones, 183
combine, 2 voice VLAN LLDP advertisement
2\ configuration, 190
2 VLAN mappingapplication scenario, 225 aggregating
2 VLAN mappingconfiguration, 234, 240 link. See Ethernet link aggregation
2 VLAN mappingimplementation, 225, 227 aging
40-GE interface;40-GE interface MAC address table timer, 27
split, 2 spanning tree max age timer, 100
802 algorithm
802.1ah PBB configuration, 243 STP calculation, 81
802.1Q-in-802.1Q. Use QinQ alternate port (MST), 90
QinQ SVLAN tag 802.1p priority, 217 APP parameter (LLDP), 270
VLAN group configuration, 150 ARP
802.x ARP fast update enabling for MAC address
802.1 LLDPDU TLV types, 255 move, 32
802.1p-to-local priority mapping, 272 ARP detection
802.3 LLDPDU TLV types, 255 VLAN M\1 mapping (dynamic IP address
LAN switching LLDP PFC 802.1p priority, 273 assignment), 230
ARP snooping
A
VLAN M\1 mapping (static IP address
accessing assignment), 232
port-based VLAN assignment (access assigning
port), 140 Layer 2 LAN switching port-based VLAN access
ACL port, 140
LAN switching LLDP APP parameter, 270 MAC address table learning priority, 28
action MAC-based VLAN dynamic assignment, 143
loop detection block, 130 MAC-based VLAN server assignment, 145
loop detection no-learning protection, 130 MAC-based VLAN static assignment, 143
loop detection shutdown protection, 130 port to isolation group (multiple), 77
adding port-based VLAN access port (interface
MAC address table blackhole entry, 24 view), 140
MAC address table multiport unicast entry, 24 port-based VLAN access port (VLAN view), 140
address port-based VLAN hybrid port, 142
MAC address learning disable, 26 port-based VLAN trunk port, 141
MAC address move notification, 30 voice VLAN assignment mode, 184
MAC address table address voice VLAN assignment mode (automatic), 184
synchronization, 29 voice VLAN assignment mode (manual), 185
MAC address table learning priority, 28 attribute
MAC Information queue length, 37

290
 Ethernet link aggregation attribute LAN switching LLDP agent non-TPMR
configuration, 41 bridge, 253
auto bridging
interface auto power-down (Ethernet), 8 MST common root bridge, 90
loop detection port status auto recovery, 130 MST regional root, 90
voice VLAN assignment (automatic), 184 PBB network model, 243
voice VLAN port operation configuration spanning tree loop guard, 117
(automatic assignment), 188, 192 spanning tree root bridge, 97
AutoMDIX mode (Ethernet interface), 13 spanning tree root bridge (device), 98
B spanning tree root guard, 117
spanning tree secondary root bridge (device), 98
backbone
STP designated bridge, 81
core bridge. See BCB
STP root bridge, 80
edge bridge. See
bulk
MAC address. See B-MACBEB
interface configuration, 19
PBB configuration, 243, 246, 250
interface configuration display, 20
PBB core bridge network model, 243
interface configuration restrictions, 19
PBB edge bridge network model, 243
B-VLAN
service instance identifier. See I-SID
PBB VSI, 247
VLAN. See B-VLAN
backing up C
MST backup port, 90 cable
bandwidth interface cable connection (Layer 2 Ethernet), 13
Ethernet link aggregate interface (expected calculating
bandwidth), 56 MSTI calculation, 92
LAN switching LLDP ETS parameters, 271 MSTP CIST calculation, 92
basic management LLDPDU TLV types, 255 spanning tree port path cost calculation
BFD standard, 103
Ethernet link aggregation group BFD, 57 spanning tree timeout factor, 101
bidirectional STP algorithm, 81
forwarding detection. Use BFD CDP
blackhole entry LAN switching LLDP CDP compatibility, 266
MAC address table, 21, 24 LAN switching LLDP CDP-compatible
block action (loop detection), 130 configuration, 279
boundary port (MST), 90 voice VLAN information advertisement to IP
BPDU phones, 183
MST region max hops, 99 changing
spanning tree BPDU drop, 119 interface to FC interface (Layer 2 Ethernet), 14
spanning tree BPDU guard, 116 checking
spanning tree hello time, 100 spanning tree No Agreement Check, 112, 114
spanning tree max age timer, 100 choosing
spanning tree TC-BPDU guard, 119 Ethernet link aggregation reference port, 42, 44
spanning tree TC-BPDU transmission Cisco
restriction, 118 LAN switching LLDP CDP compatibility, 266
STP BPDU forwarding, 86 LAN switching LLDP configuration
transmission rate configuration, 102 (CDP-compatible), 279
bridge CIST
LAN switching LLDP agent customer calculation, 92
bridge, 253 network device connection, 90
LAN switching LLDP agent nearest spanning tree max age timer, 100
bridge, 253 combining

291
 interfaces (Ethernet 10-GE into 40-GE), 2 LAN switching LLDP-MED trapping, 274
common root bridge, 90 Layer 2 cut-through forwarding, 289
configuring Layer 2 Ethernet interface, 11
Ethernet aggregate interface, 53 Layer 2 Ethernet link aggregation (dynamic), 66
Ethernet link aggregation, 40, 47, 64 Layer 2 Ethernet link aggregation (static), 64
Ethernet link aggregation edge aggregate Layer 2 Ethernet link aggregation edge aggregate
interface, 57 interface, 71
Ethernet link aggregation group, 48 Layer 2 Ethernet link aggregation group
Ethernet link aggregation group (dynamic), 50 (dynamic), 50
Ethernet link aggregation group (static), 49 Layer 2 Ethernet link aggregation group
Ethernet link aggregation group BFD, 57 (static), 49
Ethernet link aggregation group load sharing Layer 2 Ethernet link aggregation load sharing, 68
mode, 59 Layer 3 Ethernet link aggregation (dynamic), 73
Ethernet link aggregation load sharing, 59 Layer 3 Ethernet link aggregation (static), 72
Ethernet link aggregation load sharing mode Layer 3 Ethernet link aggregation edge aggregate
(global), 60 interface, 74
Ethernet link aggregation load sharing mode Layer 3 Ethernet link aggregation group
(group-specific), 60 (dynamic), 52
interface (Ethernet), 1 Layer 3 Ethernet link aggregation group
interface (inloopback), 18 (static), 49
interface (Layer 3 Ethernet), 15 loop detection, 129, 131, 133
interface (loopback), 17 loop detection protection action, 132
interface (null), 17 loop detection protection action (global), 132
interface basic settings (Ethernet), 3 loop detection protection action (Layer 2
aggregate interface), 132
interface common settings (Ethernet), 1
loop detection protection action (Layer 2 Ethernet
interface generic flow control (Ethernet), 6
interface), 132
interface jumbo frame support (Ethernet), 4
MAC address table, 21, 22, 34
interface link mode (Ethernet), 4
MAC address table entry, 23
interface PFC (Ethernet), 7
MAC address table unknown frame forwarding
interface physical state change suppression rule, 28
(Ethernet), 4
MAC change notification interval, 37
interface storm control (Layer 2 Ethernet), 11
MAC Information, 36, 37
IP subnet-based VLAN, 148, 154
MAC Information mode, 36
LAN switching LLDP, 253, 259, 275
MAC Information queue length, 37
LAN switching LLDP (CDP-compatible), 279
MAC-based VLAN, 143, 152
LAN switching LLDP 802.1p-to-local priority
MAC-based VLAN dynamic assignment, 147
mapping, 272
MAC-based VLAN server assignment, 147
LAN switching LLDP advertisable TLVs, 262
MAC-based VLAN static assignment, 146
LAN switching LLDP APP parameter, 270
management interface, 1
LAN switching LLDP basics, 259, 275
MST region, 97
LAN switching LLDP bridge mode, 260
MST region max hops, 99
LAN switching LLDP CDP compatibility, 266
MSTP, 95, 121
LAN switching LLDP DCBX, 268, 281
MVRP, 196, 199, 202
LAN switching LLDP ETS parameter, 271
MVRP registration mode, 201
LAN switching LLDP group-based WRR
queuing, 272 MVRP timer, 201
LAN switching LLDP management PBB, 243, 246, 250
address, 264 PBB data encapsulation type, 249
LAN switching LLDP management address PBB downlink port, 248
encoding format, 264 PBB uplink port, 247
LAN switching LLDP PFC parameter, 273 PBB VSI B-VLAN, 247
LAN switching LLDP trapping, 274 port isolation, 77

292
port isolation (multiple isolation groups), 78 VLAN mapping, 223, 228, 235
port-based VLAN, 139, 151 VLAN mapping (1\1), 229, 235
private VLAN, 165, 166, 168 VLAN mapping (1\2), 234, 240
private VLAN promiscuous port, 168 VLAN mapping (2\2), 234, 240
private VLAN trunk promiscuous port, 171 VLAN mapping (M\1), 229, 235
private VLAN trunk promiscuous+trunk VLAN mapping (M\1) (static IP address
secondary port, 174 assignment), 232
protocol-based VLAN, 149, 156 VLAN mapping (M\1)(dynamic IP address
PVST, 94, 125 assignment), 230
QinQ, 213, 219 VLAN mapping M\1 customer-side port (dynamic
QinQ basics, 219 IP address assignment), 231
QinQ CVLAN tag TPID value, 217 VLAN mapping M\1 customer-side port (static IP
address assignment), 233
QinQ SVLAN tag TPID value, 217
VLAN mapping M\1 network-side port (dynamic
QinQ VLAN tag TPID value, 216
IP address assignment), 231
QinQ VLAN transparent
VLAN mapping M\1 network-side port (static IP
transmission, 215, 221
address assignment), 233
RSTP, 94
voice VLAN, 182, 192
secondary VLAN Layer 3 communication, 179
voice VLAN CDP advertisement, 190
service loopback group, 287, 287, 288
voice VLAN LLDP advertisement, 190
spanning tree, 80, 92, 121
voice VLAN port operation (automatic
spanning tree BPDU transmission rate, 102 assignment), 188, 192
spanning tree device priority, 99 voice VLAN port operation (manual
spanning tree Digest Snooping, 110, 111 assignment), 189, 194
spanning tree edge port, 102 voice VLAN QoS priority settings, 187
spanning tree No Agreement Check, 112, 114 connecting
spanning tree port link type, 107 interface cable connection (Layer 2 Ethernet), 13
spanning tree port mode, 107 voice VLAN host+IP phone connection (in
spanning tree port path cost, 103, 105 series), 184
spanning tree port priority, 106 voice VLAN IP phone connection (device), 184
spanning tree port role restriction, 118 Converged Enhanced Ethernet. Use CEE
spanning tree protection functions, 115 CoS
spanning tree root bridge, 97 voice VLAN QoS priority setting
spanning tree root bridge (device), 98 configuration, 187
spanning tree secondary root bridge, 97 cost
spanning tree secondary root bridge spanning tree port path cost calculation
(device), 98 standard, 103
spanning tree switched network diameter, 100 spanning tree port path cost
spanning tree TC Snooping, 114 configuration, 103, 105
spanning tree TC-BPDU transmission STP path cost, 81
restriction, 118 creating
spanning tree timeout factor, 101 PBB VSI, 247
spanning tree timer, 100 super VLAN sub-VLAN, 160
storm suppression, 10 CST
STP, 93 MST region connection, 89
subinterface (Layer 3 Ethernet), 15 customer
super VLAN, 160, 160, 162 LAN switching LLDP customer bridge mode, 260
super VLAN interface, 161 cut-through Layer 2 forwarding, 289
VLAN, 136, 151 CVLAN
VLAN basic settings, 137 QinQ basic configuration, 219
VLAN group, 150 QinQ configuration, 213, 219
VLAN interface basics, 138

293
 QinQ VLAN transparent transmission spanning tree loop guard, 117
configuration, 221 spanning tree No Agreement Check, 112, 114
VLAN mapping configuration, 223, 228, 235 spanning tree port role restriction, 118
VLAN mapping implementation, 225 spanning tree priority, 99
D spanning tree protection functions, 115
spanning tree root guard, 117
data
spanning tree SNMP notification (new-root
PBB data encapsulation, 249
election, topology change events), 120
Data Center
spanning tree TC Snooping, 114
Bridging Exchange Protocol. Use DCBX
spanning tree TC-BPDU guard, 119
Ethernet. Use DCE
spanning tree TC-BPDU transmission
DCBX restriction, 118
configuration, 268, 281 voice VLAN IP phone connection, 184
LAN switching LLDP APP parameter DHCP snooping
configuration, 270
VLAN M\1 mapping (dynamic IP address
LAN switching LLDP ETS parameter assignment), 230
configuration, 271
Digest Snooping (spanning tree), 110, 111
LAN switching LLDP PFC parameter
disabling
configuration, 273
LLDP PVID inconsistency check, 266
LAN switching LLDP+DCBX TLV
advertisement, 269 MAC address learning, 26
default static source check, 32
Ethernet link aggregate interface default discarding
settings, 58 MST discarding port state, 91
designated displaying
MST port, 90 bulk interface configuration, 20
STP bridge, 81 Ethernet link aggregation, 63
STP port, 81 interface, 18
detecting interface (Ethernet), 15
Ethernet link aggregation group BFD, 57 LAN switching LLDP, 274
device loop detection, 133
disabling the device to reactivate the MAC address table, 33
shutdown edge ports, 120 MVRP, 202
interface configuration (Ethernet), 1 PBB, 250
LAN switching LLDP basic port isolation, 77
configuration, 259, 275 private VLAN, 168
LAN switching LLDP CDP compatibility, 266 QinQ, 219
LAN switching LLDP service loopback group, 288
configuration, 253, 259, 275 spanning tree, 121
LAN switching LLDP configuration super VLAN, 161
(CDP-compatible), 279
VLAN, 150
LAN switching LLDP DCBX
VLAN mapping, 235
configuration, 268, 281, 281
voice VLAN, 191
LAN switching LLDP parameters, 265
dot1d-1998 (STP port path cost calculation), 103
Layer 2 cut-through forwarding
configuration, 289 dot1s (STP port mode), 107
loop protection actions, 130 dot1t (STP port path cost calculation), 103
MSTP implementation, 92 downlink port
MVRP configuration, 196, 199, 202 PBB configuration, 248
spanning tree BPDU drop, 119 DSCP
spanning tree BPDU guard, 116 voice VLAN QoS priority setting
configuration, 187
spanning tree Digest Snooping, 110, 111
dynamic

294
 Ethernet link aggregation dynamic mode, 43 spanning tree loop guard, 117
Ethernet link aggregation edge aggregate spanning tree port state transition information
interface, 47 output, 108
Ethernet link aggregation group, 50 spanning tree root guard, 117
Ethernet link aggregation mode, 42 spanning tree SNMP notification (new-root
Layer 2 Ethernet link aggregation, 66 election, topology change events), 120
Layer 2 Ethernet link aggregation edge spanning tree TC-BPDU guard, 119
aggregate interface, 71 VLAN mapping M\1 ARP detection (dynamic IP
Layer 2 Ethernet link aggregation group address assignment), 230
(dynamic), 50 VLAN mapping M\1 ARP snooping (static IP
Layer 3 Ethernet link aggregation, 73 address assignment), 232
Layer 3 Ethernet link aggregation edge VLAN mapping M\1 DHCP snooping (dynamic IP
aggregate interface, 74 address assignment), 230
Layer 3 Ethernet link aggregation group voice VLAN LLDP, 190
(dynamic), 52 encapsulating
MAC address table dynamic aging timer, 27 LAN switching LLDP frame encapsulated in
MAC address table entry, 21 Ethernet II, 254
MAC-based VLAN dynamic LAN switching LLDP frame encapsulated in
assignment, 143, 147 SNAP format, 254
LAN switching LLDP frame encapsulation
E
format, 265
edge port PBB data encapsulation, 249
MST, 90 VLAN frame encapsulation, 136
spanning tree, 102 Energy Efficient Ethernet. See EEE
EEE energy saving, 8 energy-saving features, 8
enabling entry
ARP fast update for MAC address move, 32 ARP fast update enabling for MAC address
BPDU guard on an interface, 116 move, 32
Ethernet link aggregation traffic redirection, 62 Ethernet
global BPDU guard, 116 interface. See Ethernet interface
interface auto power-down (Ethernet), 8 LAN switching LLDP APP parameters, 270
interface bridging (Ethernet), 14 LAN switching LLDP DCBX
interface EEE energy saving, 8 configuration, 268, 281
interface energy-saving features (Ethernet), 8 LAN switching LLDP ETS parameters, 271
LAN switching LLDP, 259 LAN switching LLDP frame encapsulated in
LAN switching LLDP polling, 262 Ethernet II, 254
LAN switching LLDP+DCBX TLV LAN switching LLDP group-based WRR
advertisement, 269 queuing, 272
loop detection, 131 LAN switching LLDP PFC parameters, 273
loop detection (global), 131 LAN switching LLDP trapping, 274
loop detection (port-specific), 131 LAN switching LLDP+DCBX TLV
advertisement, 269
MAC address move notification, 30
LAN switching LLDP-MED trapping, 274
MAC address synchronization, 29
link aggregation. See Ethernet link aggregation
MAC Information, 36
loop detection configuration, 129, 133
MVRP, 200
MAC address table configuration, 21, 22, 34
MVRP GVRP compatibility, 202
MAC Information configuration, 36, 37
PBB L2VPN, 247
PBB data encapsulation, 249
QinQ, 215
port isolation configuration, 77
SNMP notification for MAC address table, 33
port isolation configuration (multiple isolation
spanning tree BPDU drop, 119
groups), 78
spanning tree BPDU guard, 116
port-based VLAN assignment (access port), 140
spanning tree feature, 108

295
 port-based VLAN assignment (hybrid physical state change suppression, 4
port), 142 statistics polling interval, 9
port-based VLAN assignment (trunk port), 141 storm control restrictions (Layer 2), 6
port-based VLAN configuration, 139 storm suppression, 10
private VLAN configuration, 165, 166, 168 storm suppression restrictions (Layer 2), 6
private VLAN promiscuous port Ethernet link aggregation
configuration, 168 aggregate group Selected ports min/max, 55
private VLAN trunk promiscuous port aggregate interface, 40
configuration, 171
aggregate interface (description), 53
private VLAN trunk promiscuous+trunk
aggregate interface configuration, 53
secondary port configuration, 174
aggregate interface default settings, 58
QinQ CVLAN frame header tag, 213
aggregate interface shutdown, 58
QinQ SVLAN frame header tag, 213
aggregation group, 40
secondary VLAN Layer 3 communication, 179
aggregation group restrictions, 48
service loopback group
configuration, 287, 287, 288 basic concepts, 40
subinterface. See Ethernet interface, Ethernet configuration, 40, 47, 64
subinterface, subinterface configuration types, 41
super VLAN configuration, 160, 160, 162 display, 63
super VLAN sub-VLAN creation, 160 dynamic mode, 43
VLAN basic configuration, 137 edge aggregate interface, 47, 57
VLAN configuration, 136, 151 group configuration, 48
VLAN frame encapsulation, 136 group configuration (dynamic), 50
VLAN interface basics, 138 group configuration (static), 49
VLAN port-based configuration, 151 group load sharing mode, 59
voice VLAN configuration, 182, 192 how dynamic link aggregation works, 44
Ethernet interface interface configuration (expected bandwidth), 56
10-GE into 40-GE interface combine;10-GE LACP, 43
into 40-GE interface combine, 2 Layer 2 aggregate interface (ignored
40-GE interface split;40-GE interface split, 2 VLAN), 54, 54
auto power-down enable, 8 Layer 2 aggregation (dynamic), 66
basic settings configuration, 3 Layer 2 aggregation (static), 64
bridging, 14 Layer 2 aggregation load sharing, 68
common settings configuration, 1 Layer 2 edge aggregate interface, 71
configuration, 1 Layer 2 group (dynamic), 50
dampening restrictions, 6 Layer 2 group (static), 49
displaying, 15 Layer 3 aggregate interface configuration
EEE energy saving enable, 8 (MTU), 54
energy-saving features, 8 Layer 3 aggregation (dynamic), 73
fiber port restrictions (Layer 2), 6 Layer 3 aggregation (static), 72
generic flow control, 6 Layer 3 edge aggregate interface, 74
interface change to FC interface (Layer 2), 14 Layer 3 group (dynamic), 52
jumbo frame support configuration, 4 Layer 3 group (static), 49
link mode, 4 load sharing configuration, 59
loopback test, 5 load sharing mode, 47
loopback test restrictions, 6 local-first load sharing, 60
maintaining, 15 maintain, 63
management interface configuration, 1 management VLAN+management port, 59
naming conventions, 1 member port, 40
PFC configuration, 7 member port state, 41, 42, 45
PFC configuration restrictions, 6 modes, 42
operational key, 41

296
 per-flow load sharing algorithm settings, 61 MAC address table blackhole entry, 24
reference port, 44 MAC address table configuration, 21, 22, 34
reference port choice, 42 MAC address table entry configuration, 23
static mode, 42 MAC address table multiport unicast entry, 24
traffic redirection, 62 MAC address table unknown frame forwarding
traffic redirection restrictions, 62 rule, 28
Ethernet link aggregation group MAC Information configuration, 36, 37
BFD configuration, 57 port-based VLAN frame handling, 139
Ethernet subinterface, 1, See also Ethernet QinQ CVLAN Ethernet frame header tag, 213
interface, Layer 2 Ethernet subinterface, Layer 3 QinQ implementation, 214
Ethernet subinterface QinQ SVLAN Ethernet frame header tag, 213
ETS parameter (LLDP), 271 VLAN frame encapsulation, 136
external
G
interface external loopback test (Ethernet), 5
GARP
F
VLAN Registration Protocol. Use GVRP
FCoE generic flow control (Ethernet interface), 6
LAN switching LLDP APP parameters, 270 Generic VLAN Registration Protocol. Use GVRP
LAN switching LLDP DCBX configuration, 281 group
flow control Ethernet link aggregate group Selected ports
interface generic flow control (Ethernet), 6 min/max, 55
interface PFC (Ethernet), 7 Ethernet link aggregation, 48
forcing Ethernet link aggregation group, 40
interface fiber port (Layer 2 Ethernet), 9 Ethernet link aggregation group (dynamic), 50
format Ethernet link aggregation group (static), 49
LAN switching LLDP frame encapsulated in Ethernet link aggregation LACP, 43
Ethernet II, 254 Ethernet link aggregation load sharing, 59
LAN switching LLDP frame encapsulated in Ethernet link aggregation load sharing
SNAP format, 254 mode, 47, 59
LAN switching LLDP frame encapsulation Ethernet link aggregation member port state, 41
format, 265 Layer 2 Ethernet link aggregation group
LAN switching LLDP management address (dynamic), 50
encoding format, 264 Layer 2 Ethernet link aggregation group
PBB frame format, 244 (static), 49
forwarding Layer 3 Ethernet link aggregation group
Layer 2 cut-through forwarding (dynamic), 52
configuration, 289 Layer 3 Ethernet link aggregation group
MAC address table unknown frame (static), 49
forwarding rule, 28 VLAN group configuration, 150
MST forwarding port state, 91 GVRP
spanning tree forward delay timer, 100 MVRP compatibility, 202
STP BPDU forwarding, 86
H
STP forward delay timer, 86
frame hello
interface jumbo frame support (Ethernet), 4 spanning tree timer, 100
Layer 2 cut-through forwarding STP timer, 86
configuration, 289 host
loop detection, 129 voice VLAN host+IP phone connection (in
loop detection (Ethernet frame header), 129 series), 184
loop detection (inner frame header), 129 voice VLAN IP phone connection (device), 184
loop detection interval, 130 hybrid port
MAC address learning, 21 port-based VLAN assignment (hybrid port), 142

297
I voice VLAN IP phone connection (device), 184
identifying IP subnet-based VLAN
voice VLAN IP phone identification method configuration, 148, 154
(LLDP), 183 isolating
voice VLAN IP phone identification method ports. See port isolation
(OUI address), 182 IST
ignored VLAN MST region, 90
Layer 2 aggregate interface, 54 J
implementing
jumbo frame support (Ethernet interface), 4
1\1 VLAN mapping, 225, 226
1\2 VLAN mapping, 225, 227 K
2\2 VLAN mapping, 225, 227 key
M\1 VLAN mapping, 225, 226 Ethernet link aggregation operational key, 41
MSTP device implementation, 92
L
QinQ, 214
inloopback interface L2VPN
configuration, 18 PBB enable, 247
display, 18 LACP
maintain, 18 Ethernet link aggregation, 43
interface LAN switching
bulk configuration, 19 displaying LLDP, 274
configuration (inloopback), 17, 18 Ethernet aggregate interface, 53
configuration (loopback), 17, 17 Ethernet aggregate interface (description), 53
configuration (null), 17, 17 Ethernet aggregate interface (ignored VLAN), 54
Ethernet aggregate interface, 53 Ethernet link aggregate group Selected ports
min/max, 55
Ethernet aggregate interface (description), 53
Ethernet link aggregate interface (expected
Ethernet link aggregate interface default
settings, 58 bandwidth), 56
Ethernet link aggregate interface Ethernet link aggregate interface default
shutdown, 58 settings, 58
Ethernet link aggregation edge aggregate Ethernet link aggregate interface shutdown, 58
interface, 47, 57 Ethernet link aggregation (dynamic), 66
Layer 2 Ethernet aggregate interface (ignored Ethernet link aggregation (static), 64
VLAN), 54 Ethernet link aggregation basic concepts, 40
Layer 3 aggregate interface configuration Ethernet link aggregation configuration, 40, 47, 64
(MTU), 54 Ethernet link aggregation display, 63
internal Ethernet link aggregation dynamic mode, 43
interface internal loopback test (Ethernet), 5 Ethernet link aggregation edge aggregate
interval interface, 47, 57, 71
loop detection, 130, 132 Ethernet link aggregation group, 48
MAC change notification interval, 37 Ethernet link aggregation group (dynamic), 50, 50
IP addressing Ethernet link aggregation group (static), 49
voice VLAN configuration, 182, 192 Ethernet link aggregation group load sharing
IP phone mode, 59
voice VLAN host+IP phone connection (in Ethernet link aggregation LACP, 43
series), 184 Ethernet link aggregation load sharing, 59, 68
voice VLAN identification method (LLDP), 183 Ethernet link aggregation load sharing mode, 47
voice VLAN identification method (OUI Ethernet link aggregation local-first load
address), 182 sharing, 60
voice VLAN information advertisement, 183 Ethernet link aggregation maintain, 63
voice VLAN IP phone access method, 184 Ethernet link aggregation static mode, 42

298
Ethernet link aggregation traffic redirection, 62 private VLAN trunk promiscuous port
IP subnet-based VLAN configuration, 171
configuration, 148, 154 private VLAN trunk promiscuous+trunk
LLDP basic concepts, 253 secondary port configuration, 174
LLDP basic configuration, 259, 275 protocol-based VLAN configuration, 149, 156
LLDP CDP compatibility, 266 QinQ basic configuration, 219
LLDP configuration, 253, 259, 275 QinQ configuration, 213, 219
LLDP configuration (CDP-compatible), 279 QinQ configuration restrictions, 215
LLDP DCBX configuration, 281 QinQ CVLAN tag TPID value, 217
MAC-based VLAN configuration, 143, 152 QinQ implementation, 214
MAC-based VLAN dynamic QinQ protocols and standards, 214
assignment, 143, 147 QinQ SVLAN tag 802.1p priority, 217
MAC-based VLAN server QinQ SVLAN tag TPID value, 217
assignment, 145, 147 QinQ VLAN tag TPID value, 216
MAC-based VLAN static QinQ VLAN transparent transmission
assignment, 143, 146 configuration, 221
MRP implementation, 196 secondary VLAN Layer 3 communication, 179
MVRP configuration, 196, 199, 202 service loopback group
MVRP display, 202 configuration, 287, 287, 288
MVRP GVRP compatibility, 202 service loopback group display, 288
MVRP maintain, 202 super VLAN configuration, 160, 160, 162
MVRP protocols and standards, 199 super VLAN display, 161
MVRP registration mode configuration, 201 super VLAN interface configuration, 161
MVRP timer configuration, 201 super VLAN sub-VLAN creation, 160
PBB configuration, 243, 246, 250 troubleshooting PBB, 252
PBB data encapsulation type troubleshooting PBB customer frames cannot be
configuration, 249 transmitted, 252
PBB display, 250 VLAN basic configuration, 137
PBB downlink port, 248 VLAN configuration, 136, 151
PBB frame format, 244 VLAN display, 150
PBB frame forwarding, 246 VLAN group configuration, 150
PBB L2VPN enable, 247 VLAN interface basics, 138
PBB maintain, 250 VLAN maintain, 150
PBB protocols and standards, 246 VLAN port-based configuration, 151
PBB uplink port, 247 VLAN protocols and standards, 137
PBB VSI B-VLAN configuration, 247 voice VLAN CDP advertisement
PBB VSI creation, 247 configuration, 190
port isolation configuration, 77 voice VLAN display, 191
port isolation configuration (multiple isolation voice VLAN LLDP advertisement
groups), 78 configuration, 190
port isolation display, 77 voice VLAN LLDP enable, 190
port isolation group assignment (multiple), 77 voice VLAN LLDP enable restrictions, 190
port-based VLAN assignment (access voice VLAN port operation configuration
port), 140 (automatic assignment), 188, 192
port-based VLAN assignment (hybrid voice VLAN port operation configuration (manual
port), 142 assignment), 189, 194
port-based VLAN assignment (trunk port), 141 voice VLAN port operation configuration
port-based VLAN configuration, 139 restrictions (automatic assignment), 188
private VLAN configuration, 166, 168 voice VLAN port operation configuration
restrictions (manual assignment), 189
private VLAN display, 168
Layer 2
private VLAN promiscuous port
configuration, 168 interface configuration (Ethernet), 1, 11

299
 interface FC interface change (Ethernet), 14 Ethernet link aggregate interface default
LAN switching LLDP basic configuration, 275 settings, 58
LAN switching LLDP configuration, 275 Ethernet link aggregate interface shutdown, 58
LAN switching LLDP group-based WRR Ethernet link aggregation (dynamic), 73
queuing, 272 Ethernet link aggregation (static), 72
LAN switching LLDP trapping, 274 Ethernet link aggregation configuration, 40, 47, 64
LAN switching LLDP+DCBX TLV Ethernet link aggregation edge aggregate
advertisement, 269 interface, 47, 57, 74
LAN switching LLDP-MED trapping, 274 Ethernet link aggregation group, 48
loop detection configuration, 129, 131, 133 Ethernet link aggregation group (dynamic), 50, 52
PBB configuration, 243, 246, 250 Ethernet link aggregation group (static), 49, 49
PBB data encapsulation type Ethernet link aggregation group load sharing
configuration, 249 mode, 59
PBB downlink port, 248 Ethernet link aggregation load sharing, 59
PBB frame format, 244 Ethernet link aggregation local-first load
PBB frame forwarding, 246 sharing, 60
PBB L2VPN enable, 247 Ethernet link aggregation traffic redirection, 62
PBB uplink port, 247 interface configuration (Ethernet), 1
PBB VSI B-VLAN configuration, 247 interface configuration (Layer 3), 15
PBB VSI creation, 247 IP subnet-based VLAN configuration, 148, 154
voice VLAN configuration, 182, 192 LAN switching LAN switching VLAN interface
Layer 2 Ethernet interface basics, 138
cable connection, 13 LAN switching LLDP basic configuration, 275
fiber port, 9 LAN switching LLDP configuration, 275
interface connection distance setting, 15 LAN switching LLDP trapping, 274
MDIX mode, 13 LAN switching LLDP-MED trapping, 274
storm control configuration, 11 MAC-based VLAN configuration, 152
Layer 2 LAN switching port-based VLAN assignment (access port), 140
cut-through forwarding configuration, 289 port-based VLAN assignment (hybrid port), 142
displaying spanning tree, 121 port-based VLAN assignment (trunk port), 141
Ethernet link aggregation group (static), 49 port-based VLAN configuration, 139
maintaining spanning tree, 121 private VLAN configuration, 168
MST region, 97 private VLAN promiscuous port configuration, 168
MSTP configuration, 121 private VLAN trunk promiscuous port
configuration, 171
private VLAN configuration, 165
private VLAN trunk promiscuous+trunk
PVST configuration, 125
secondary port configuration, 174
spanning tree configuration, 80, 121
protocol-based VLAN configuration, 149, 156
spanning tree Digest Snooping, 110, 111
secondary VLAN Layer 3 communication, 179
VLAN mapping configuration, 223, 228, 235
subinterface configuration (Ethernet), 15
VLAN mapping configuration (1\1), 229, 235
subinterface MTU setting (Layer 3 Ethernet), 15
VLAN mapping configuration (1\2), 234, 240
super VLAN configuration, 162
VLAN mapping configuration (2\2), 234, 240
VLAN configuration, 151
VLAN mapping configuration (M\1), 229, 235
VLAN port-based configuration, 151
Layer 3
voice VLAN configuration, 182, 192
aggregate interface configuration (MTU), 54
Layer 3 Ethernet interface
Ethernet aggregate interface, 53
MTU setting, 15
Ethernet aggregate interface (description), 53
learning
Ethernet link aggregate group Selected ports
loop detection no-learning action, 130
min/max, 55
MAC address, 21
Ethernet link aggregate interface (expected
bandwidth), 56 MAC address learning disable, 26

300
 MAC address table learning priority, 28 parameter set, 265
MST learning port state, 91 PFC parameter configuration, 273
legacy polling enable, 262
spanning tree port mode, 107 protocols and standards, 259
spanning tree port path cost calculation, 103 reinitialization delay, 261
link trapping configuration, 274
aggregation. See Ethernet link aggregation voice VLAN CDP advertisement
Ethernet link aggregation group BFD, 57 configuration, 190
interface link mode (Ethernet), 4 voice VLAN information advertisement to IP
link layer discovery protocol. Use LLDP phones, 183
MSTP configuration, 121 voice VLAN IP phone identification
method, 182, 183
PVST configuration, 125
voice VLAN LLDP advertisement
spanning tree configuration, 80, 92, 121
configuration, 190
spanning tree hello time, 100
voice VLAN LLDP enable, 190
spanning tree port link type configuration, 107
LLDP frame
LLDP
encapsulated in Ethernet II format, 254
802.1p-to-local priority mapping, 272
encapsulated in SNAP format, 254
advertisable TLV configuration, 262
encapsulation format, 265
agent, 253
receiving, 259
APP parameter configuration, 270
transmitting, 258
basic concepts, 253
LLDPDU
basic configuration, 259, 275
LAN switching LLDP basic configuration, 275
bridge mode configuration, 260
LAN switching LLDP configuration, 259, 275
CDP compatibility configuration, 266
LLDP basic configuration, 259
CDP-compatible configuration, 279
LLDP configuration, 253
configuration, 253, 259, 275
LLDP parameters, 265
DCBX configuration, 268, 281
management address configuration, 264
disabling PVID inconsistency check, 266
management address encoding format, 264
displaying, 274
management address TLV, 258
enable, 259
TLV basic management types, 255
ETS parameter configuration, 271
TLV LLDP-MED types, 255
group-based WRR queuing, 272
TLV organization-specific types, 255
how it works, 258
load balancing
LAN switching LLDP+DCBX TLV
service loopback group
advertisement, 269
configuration, 287, 287, 288
LAN switching LLDP-MED trapping
load sharing
configuration, 274
Ethernet link aggregation configuration, 59
LLDP frame encapsulation format, 265
Ethernet link aggregation group load sharing, 47
LLDP frame format, 254
Ethernet link aggregation load sharing mode, 59
LLDP frame reception, 259
Ethernet link aggregation load sharing mode for
LLDP frame transmission, 258
MAC-in-MAC traffic (global), 62
LLDPDU management address TLV, 258
Ethernet link aggregation local-first load
LLDPDU TLV types, 255 sharing, 60
LLDPDU TLVs, 255 Ethernet link aggregation packet type-based load
management address configuration, 264 sharing, 47
management address encoding format, 264 Ethernet link aggregation per-flow load
operating mode (disable), 258 sharing, 47
operating mode (Rx), 258 Ethernet link aggregation per-flow load sharing
operating mode (Tx), 258 algorithm settings, 61
operating mode (TxRx), 258 Ethernet link aggregation per-packet load
operating mode set, 261 sharing, 47

301
 Layer 2 Ethernet link aggregation 1 VLAN mappingcustomer-side port (static IP
configuration, 68 address assignment), 233
local 1 VLAN mappingDHCP snooping (dynamic IP
Ethernet link aggregation local-first load address assignment), 230
sharing, 60 1 VLAN mappingimplementation, 225, 226
Ethernet link aggregation per-flow load 1 VLAN mappingnetwork-side port (dynamic IP
sharing algorithm settings, 61 address assignment), 231
logging 1 VLAN mappingnetwork-side port (static IP
loop detection configuration, 129, 131, 133 address assignment), 233
loop MAC
MSTP configuration, 121 PBB configuration, 246, 250
PVST configuration, 125 MAC address move
spanning tree configuration, 80, 92, 121 ARP fast update enabling, 32
spanning tree loop guard, 117 MAC address table
loop detection address learning, 21
configuration, 129, 131, 133 address synchronization, 29
displaying, 133 blackhole entry, 24
enable, 131 configuration, 21, 22, 34
enable (global), 131 displaying, 33
enable (port-specific), 131 dynamic aging timer, 27
interval, 130 enabling SNMP notification, 33
interval setting, 132 entry configuration, 23
mechanisms, 129 entry creation, 21
port status auto recovery, 130 entry types, 21
protection action configuration, 132 learning priority assignment, 28
protection action configuration (global), 132 MAC address learning disable, 26
protection action configuration (Layer 2 MAC address move notification, 30
aggregate interface), 132 manual entries, 21
protection action configuration (Layer 2 multiport unicast entry, 24
Ethernet interface), 132 static source check disable, 32
protection actions, 130 unknown frame forwarding rule, 28
loopback MAC address table learning limit on interface
interface loopback test (Ethernet), 5 set, 27
loopback interface MAC addressing
configuration, 17 MAC-based VLAN configuration, 143
display, 18 MAC-based VLAN dynamic assignment, 143, 147
maintain, 18 MAC-based VLAN server assignment, 145, 147
M MAC-based VLAN static assignment, 143, 146
VLAN frame encapsulation, 136
M\
MAC Information
1 VLAN mappingapplication scenario, 223
change notification interval, 37
1 VLAN mappingARP detection (dynamic IP
address assignment), 230 configuration, 36, 37
1 VLAN mappingARP snooping (static IP enable, 36
address assignment), 232 mode configuration, 36
1 VLAN mappingconfiguration, 229, 235 queue length configuration, 37
1 VLAN mappingconfiguration (dynamic IP MAC relay (LLDP agent), 253
address assignment), 230 MAC-based VLAN
1 VLAN mappingconfiguration (static IP configuration, 143, 152
address assignment), 232 dynamic assignment, 143, 147
1 VLAN mappingcustomer-side port (dynamic dynamic assignment restrictions, 146
IP address assignment), 231 server assignment, 145, 147

302
 static assignment, 143, 146 interface Auto MDIX mode (Layer 2 Ethernet), 13
MAC-in-MAC interface link mode (Ethernet), 4
Ethernet link aggregation group load sharing interface MDI mode (Layer 2 Ethernet), 13
mode for MAC-in-MAC traffic, 62 interface MDIX mode (Layer 2 Ethernet), 13
PBB configuration, 243 LAN switching LLDP customer bridge mode, 260
maintaining LAN switching LLDP disable, 258, 261
Ethernet link aggregation, 63 LAN switching LLDP Rx, 258, 261
interface, 18 LAN switching LLDP service bridge mode, 260
interface (Ethernet), 15 LAN switching LLDP Tx, 258, 261
MVRP, 202 LAN switching LLDP TxRx, 258, 261
PBB, 250 MAC Information syslog, 36
spanning tree, 121 MAC Information trap, 36
VLAN, 150 MVRP registration, 201
management address MVRP registration fixed, 199
LAN switching LLDP encoding format, 264 MVRP registration forbidden, 199
manual MVRP registration normal, 199
voice VLAN assignment mode, 185 spanning tree mCheck, 109
voice VLAN port operation spanning tree MSTP, 96
configuration, 189, 194 spanning tree PVST, 96
mapping spanning tree RSTP, 96
1\1 VLAN mapping, 223 spanning tree STP, 96
1\2 VLAN mapping, 225 voice VLAN assignment, 184
2\2 VLAN mapping, 225 voice VLAN assignment (automatic), 184
M\1 VLAN mapping, 223 voice VLAN assignment (manual), 185
MSTP VLAN-to-instance mapping table, 89 voice VLAN port normal, 186
master voice VLAN port security, 186
MSTP master port, 90 modifying
max age timer (STP), 86 MAC address table blackhole entry, 24
maximum transmission unit. Use MTU MAC address table multiport unicast entry, 24
mCheck MRP
spanning tree, 109 implementation, 196
MDI mode (Ethernet interface), 13 messages, 196
MDIX mode (Ethernet interface), 13 MVRP configuration, 196, 199, 202
MED (LLDP-MED trapping), 274 timers, 198
message MST
MRP JoinEmpty, 196 region max hops, 99
MRP JoinIn, 196 MSTI
MRP Leave, 196 calculation, 92
MRP LeaveAll, 196 MRP, 196
MRP New, 196 MST instance, 89
MRP timers, 198 MSTP, 80, See also STP
MIB basic concepts, 88
LAN switching LLDP basic CIST, 90
configuration, 259, 275
CIST calculation, 92
LAN switching LLDP
common root bridge, 90
configuration, 253, 259, 275
configuration, 95, 121
mode
CST, 89
Ethernet link aggregation dynamic, 42, 43
device implementation, 92
Ethernet link aggregation load sharing, 47
feature enable, 109
Ethernet link aggregation static, 42, 42
features, 88

303
 how it works, 91 Ethernet link aggregation reference port, 44
IST, 90 Ethernet link aggregation reference port
mode set, 96 choice, 42
MST region, 89 Ethernet link aggregation static mode, 42
MST region configuration, 97 interface auto power-down (Ethernet), 8
MSTI, 89 interface basic settings (Ethernet), 3
MSTI calculation, 92 interface bridging (Ethernet), 14
port roles, 90 interface cable connection (Layer 2 Ethernet), 13
port states, 91 interface common settings configuration
protocols and standards, 92 (Ethernet), 1
regional root, 90 interface configuration (inloopback), 18
relationships, 87 interface configuration (loopback), 17
spanning tree max age timer, 100 interface configuration (null), 17
spanning tree port mode configuration, 107 interface EEE energy saving, 8
VLAN-to-instance mapping table, 89 interface energy-saving features (Ethernet), 8
MTU interface fiber port (Layer 2 Ethernet), 9
Layer 3 Ethernet aggregate interface, 54 interface generic flow control (Ethernet), 6
subinterface MTU setting (Layer 3 interface jumbo frame support (Ethernet), 4
Ethernet), 15 interface link mode (Ethernet), 4
multiple interface loopback test (Ethernet), 5
registration protocol. Use MRP interface MDIX mode (Layer 2 Ethernet), 13
VLAN registration protocol. Use MVRP interface MTU setting (Layer 3 Ethernet), 15
Multiple Spanning Tree Protocol. Use MSTP interface PFC (Ethernet), 7
multiport unicast entry (MAC address table), 21, 24 interface physical state change suppression
MVRP (Ethernet), 4
configuration, 196, 199, 202 interface split (Ethernet 40-GE), 2
configuration restrictions, 199 interface statistics polling interval (Ethernet), 9
display, 202 interface storm control (Layer 2 Ethernet), 11
enable, 200 interfaces combine (Ethernet 10-GE into
40-GE), 2
GVRP compatibility, 202
IP subnet-based VLAN configuration, 148, 154
maintain, 202
LAN switching LLDP basic configuration, 259
MRP implementation, 196
Layer 2 Ethernet interface configuration, 11
protocols and standards, 199
Layer 2 Ethernet link aggregation (dynamic), 66
registration mode configuration, 201
Layer 2 Ethernet link aggregation (static), 64
registration modes, 199
Layer 2 Ethernet link aggregation edge aggregate
timer configuration, 201
interface, 71
N Layer 2 Ethernet link aggregation load sharing, 68
network Layer 3 Ethernet link aggregation (dynamic), 73
disabling the device to reactivate the Layer 3 Ethernet link aggregation (static), 72
shutdown edge ports, 120 Layer 3 Ethernet link aggregation edge aggregate
Ethernet link aggregation configuration interface, 74
types, 41 loop detection interval, 130, 132
Ethernet link aggregation dynamic mode, 43 loop detection protection action configuration, 132
Ethernet link aggregation edge aggregate loop protection actions, 130
interface, 47 MAC address move notification, 30
Ethernet link aggregation LACP, 43 MAC address table address synchronization, 29
Ethernet link aggregation member port MAC address table blackhole entry, 24
state, 42, 45 MAC address table dynamic aging timer, 27
Ethernet link aggregation modes, 42 MAC address table entry configuration, 23
Ethernet link aggregation operational key, 41 MAC address table entry types, 21

304
MAC address table learning priority, 28 spanning tree port path cost, 103, 105
MAC address table multiport unicast entry, 24 spanning tree port priority, 106
MAC-based VLAN configuration, 143, 152 spanning tree port role restriction, 118
MAC-based VLAN dynamic spanning tree port state transition, 108
assignment, 143, 147 spanning tree priority, 99
MAC-based VLAN server spanning tree protection functions, 115
assignment, 145, 147 spanning tree root bridge, 97
MAC-based VLAN static spanning tree root bridge (device), 98
assignment, 143, 146
spanning tree root guard, 117
management interface configuration, 1
spanning tree secondary root bridge (device), 98
MRP timers, 198
spanning tree SNMP notification (new-root
MST region configuration, 97 election, topology change events), 120
MVRP timer configuration, 201 spanning tree switched network diameter, 100
PBB frame format, 244 spanning tree TC Snooping, 114
PBB frame forwarding, 246 spanning tree TC-BPDU guard, 119
port isolation group assignment (multiple), 77 spanning tree TC-BPDU transmission
port-based VLAN assignment (access restriction, 118
port), 140 storm suppression, 10
port-based VLAN assignment (hybrid STP algorithm calculation, 81
port), 142
STP designated bridge, 81
port-based VLAN assignment (trunk port), 141
STP designated port, 81
port-based VLAN configuration, 139
STP path cost, 81
private VLAN configuration, 166
STP root bridge, 80
private VLAN promiscuous port
STP root port, 81
configuration, 168
subinterface MTU setting (Layer 3 Ethernet), 15
private VLAN trunk promiscuous port
configuration, 171 super VLAN configuration, 160, 162
private VLAN trunk promiscuous+trunk super VLAN interface configuration, 161
secondary port configuration, 174 super VLAN sub-VLAN creation, 160
protocol-based VLAN configuration, 149, 156 VLAN basic configuration, 137
QinQ basic configuration, 219 VLAN group configuration, 150
QinQ CVLAN tag TPID value, 217 VLAN interface basics, 138
QinQ SVLAN tag TPID value, 217 VLAN mapping 1\1 implementation, 226
QinQ VLAN tag TPID value, 216 VLAN mapping 1\2 implementation, 227
QinQ VLAN transparent transmission, 215 VLAN mapping 2\2 implementation, 227
QinQ VLAN transparent transmission VLAN mapping configuration (1\1), 229
configuration, 221 VLAN mapping configuration (1\2), 234
RSTP network convergence, 87 VLAN mapping configuration (2\2), 234
secondary VLAN Layer 3 communication, 179 VLAN mapping configuration (M\1), 229
service loopback group VLAN mapping configuration (M\1) (dynamic IP
configuration, 287, 288 address assignment), 230
SNMP notification for MAC address table, 33 VLAN mapping configuration (M\1) (static IP
spanning tree BPDU drop, 119 address assignment), 232
spanning tree BPDU guard, 116 VLAN mapping M\1 customer-side port (dynamic
spanning tree BPDU transmission rate, 102 IP address assignment), 231
spanning tree Digest Snooping, 110, 111 VLAN mapping M\1 customer-side port (static IP
address assignment), 233
spanning tree edge port, 102
VLAN mapping M\1 implementation, 226
spanning tree loop guard, 117
VLAN mapping M\1 network-side port (dynamic
spanning tree mode set, 96
IP address assignment), 231
spanning tree No Agreement Check, 112, 114
VLAN mapping M\1 network-side port (static IP
spanning tree port link type, 107 address assignment), 233
spanning tree port mode, 107

305
 VLAN port-based configuration, 151 port isolation configuration, 77
voice VLAN assignment mode, 184 port isolation configuration (multiple isolation
voice VLAN CDP advertisement groups), 78
configuration, 190 private VLAN configuration, 165, 168
voice VLAN host+IP phone connection (in PVST configuration, 125
series), 184 QinQ configuration, 213, 219
voice VLAN information advertisement to IP service loopback group configuration, 287
phones, 183 spanning tree configuration, 80, 92, 121
voice VLAN IP phone access method, 184 subinterface configuration (Layer 3 Ethernet), 15
voice VLAN IP phone connection super VLAN configuration, 160
(device), 184
VLAN configuration, 136, 151
voice VLAN IP phone identification method
VLAN mapping configuration, 223, 228, 235
(LLDP), 183
VLAN mapping configuration (1\1), 235
voice VLAN IP phone identification method
(OUI address), 182 VLAN mapping configuration (1\2), 240
voice VLAN LLDP advertisement VLAN mapping configuration (2\2), 240
configuration, 190 VLAN mapping configuration (M\1), 235
voice VLAN LLDP enable, 190 voice VLAN configuration, 182, 192
voice VLAN port mode, 186 No Agreement Check (spanning tree), 112, 114
voice VLAN port operation configuration no-learning action (loop detection), 130
(automatic assignment), 188, 192 normal
voice VLAN port operation configuration voice VLAN mode, 186
(manual assignment), 189, 194 notification
voice VLAN QoS priority setting MAC address move, 30
configuration, 187 SNMP notification for MAC address table, 33
network management null interface
Ethernet link aggregation configuration, 17, 17
configuration, 40, 47, 64
display, 18
interface bulk configuration, 19
maintain, 18
interface configuration (Ethernet), 1
interface configuration (inloopback), 17 O
interface configuration (Layer 3 Ethernet), 15 operational key (Ethernet link aggregation), 41
interface configuration (loopback), 17 organization-specific LLDPDU TLV types, 255
interface configuration (null), 17 OUI address
LAN switching LLDP basic concepts, 253 voice VLAN IP phone identification method, 182
LAN switching LLDP basic configuration, 275 outputting
LAN switching LLDP spanning tree port state transition
configuration, 253, 259, 275 information, 108
LAN switching LLDP configuration
P
(CDP-compatible), 279
LAN switching LLDP DCBX packet
configuration, 268, 281 Ethernet link aggregation group BFD, 57
Layer 2 cut-through forwarding Ethernet link aggregation packet type-based load
configuration, 289 sharing, 47
loop detection, 129 LAN switching LLDP CDP compatibility, 266
loop detection configuration, 131, 133 LAN switching LLDP DCBX configuration, 281
MAC address table configuration, 21, 22, 34 LAN switching LLDP PFC parameters, 273
MAC Information configuration, 36, 37 service loopback group
MSTP configuration, 121 configuration, 287, 287, 288
MVRP, 196, 199, 202 spanning tree port mode configuration, 107
PBB configuration, 243, 246, 250 STP BPDU protocol packets, 80
PBB network model, 243 STP TCN BPDU protocol packets, 80
VLAN mapping configuration, 223, 228, 235

306
 VLAN mapping configuration (1\1), 229, 235 Ethernet link aggregate interface (expected
VLAN mapping configuration (1\2), 234, 240 bandwidth), 56
VLAN mapping configuration (2\2), 234, 240 Ethernet link aggregate interface default
VLAN mapping configuration (M\1), 229, 235 settings, 58
VLAN mapping configuration (M\1) (dynamic Ethernet link aggregate interface shutdown, 58
IP address assignment), 230 Ethernet link aggregation configuration, 40, 47, 64
VLAN mapping configuration (M\1) (static IP Ethernet link aggregation configuration types, 41
address assignment), 232 Ethernet link aggregation dynamic mode, 43
parameter Ethernet link aggregation edge aggregate
LAN switching LLDP APP configuration, 270 interface, 47, 57
LAN switching LLDP ETS configuration, 271 Ethernet link aggregation group, 48
LAN switching LLDP PFC configuration, 273 Ethernet link aggregation group (dynamic), 50
spanning tree timeout factor, 101 Ethernet link aggregation group (static), 49
PBB Ethernet link aggregation LACP, 43
configuration, 243, 246, 250 Ethernet link aggregation load sharing, 59
data encapsulation type configuration, 249 Ethernet link aggregation load sharing mode, 47
display, 250 Ethernet link aggregation local-first load
downlink port configuration, 248 sharing, 60
frame format, 244 Ethernet link aggregation member port, 40
frame forwarding, 246 Ethernet link aggregation member port
state, 41, 42, 45
L2VPN enable, 247
Ethernet link aggregation modes, 42
maintain, 250
Ethernet link aggregation operational key, 41
network model, 243
Ethernet link aggregation per-flow load sharing
protocols and standards, 246
algorithm settings, 61
terminology, 244
Ethernet link aggregation reference port, 44
troubleshoot, 252
Ethernet link aggregation reference port
troubleshooting customer frames cannot be choice, 42
transmitted, 252
Ethernet link aggregation static mode, 42
uplink port configuration, 247
Ethernet link aggregation traffic redirection, 62
VSI B-VLAN configuration, 247
interface fiber port (Layer 2 Ethernet), 9
VSI creation, 247
isolation. See port isolation
per-flow load sharing, 47, 61
LAN switching LLDP basic
performing configuration, 259, 275
interface loopback test (Ethernet), 5 LAN switching LLDP configuration, 253, 259, 275
spanning tree mCheck, 109 LAN switching LLDP disable operating mode, 258
per-packet load sharing, 47 LAN switching LLDP enable, 259
Per-VLAN Spanning Tree Protocol. Use PVST LAN switching LLDP frame encapsulation
PFC (Ethernet interface), 7 format, 265
PFC priority (LLDP), 273 LAN switching LLDP frame reception, 259
physical LAN switching LLDP frame transmission, 258
interface physical state change suppression LAN switching LLDP operating mode, 261
(Ethernet), 4 LAN switching LLDP polling, 262
polling LAN switching LLDP reinitialization delay, 261
interface statistics polling interval (Ethernet), 9 LAN switching LLDP Rx operating mode, 258
LAN switching LLDP enable, 262 LAN switching LLDP Tx operating mode, 258
port LAN switching LLDP TxRx operating mode, 258
Ethernet aggregate interface, 53 Layer 2 aggregate interface (ignored VLAN), 54
Ethernet aggregate interface (description), 53 Layer 2 Ethernet link aggregation (dynamic), 66
Ethernet link aggregate group Selected ports Layer 2 Ethernet link aggregation (static), 64
min/max, 55
Layer 2 Ethernet link aggregation edge aggregate
interface, 71

307
Layer 2 Ethernet link aggregation group spanning tree port mode configuration, 107
(dynamic), 50 spanning tree port priority configuration, 106
Layer 2 Ethernet link aggregation group spanning tree port role restriction, 118
(static), 49 spanning tree port state transition output, 108
Layer 2 Ethernet link aggregation load spanning tree root guard, 117
sharing, 68
spanning tree TC-BPDU guard, 119
Layer 3 aggregate interface configuration
spanning tree TC-BPDU transmission
(MTU), 54
restriction, 118
Layer 3 Ethernet link aggregation
STP designated port, 81
(dynamic), 73
STP root port, 81
Layer 3 Ethernet link aggregation (static), 72
VLAN mapping M\1 customer-side port (dynamic
Layer 3 Ethernet link aggregation edge
IP address assignment), 231
aggregate interface, 74
VLAN mapping M\1 customer-side port (static IP
Layer 3 Ethernet link aggregation group
address assignment), 233
(dynamic), 52
VLAN mapping M\1 network-side port (dynamic
Layer 3 Ethernet link aggregation group
IP address assignment), 231
(static), 49
VLAN mapping M\1 network-side port (static IP
link aggregation management
address assignment), 233
VLAN+management port, 59
VLAN port link type, 139
loop detection configuration, 129, 131, 133
voice VLAN port mode, 186
loop detection interval, 130, 132
voice VLAN port operation configuration
loop detection protection action
(automatic assignment), 188, 192
configuration, 132
voice VLAN port operation configuration (manual
loop detection protection actions, 130
assignment), 189, 194
loop detection status auto recovery, 130
port isolation
MAC address learning, 21
configuration, 77
MAC address table blackhole entry, 24
configuration (multiple isolation groups), 78
MAC address table configuration, 21, 22, 34
display, 77
MAC address table entry configuration, 23
port assignment to group (multiple), 77
MAC address table multiport unicast entry, 24
port-based VLAN
MAC Information configuration, 36, 37
access port assignment (interface view), 140
MST port roles, 90
access port assignment (VLAN view), 140
MST port states, 91
assignment (access port), 140
MVRP application, 196, 199, 202
assignment (hybrid port), 142
MVRP timer configuration, 201
assignment (trunk port), 141
PBB downlink port, 248
configuration, 139, 151
PBB uplink port, 247
port frame handling, 139
QinQ implementation, 214
port link type, 139
RSTP network convergence, 87
PVID, 139
service loopback group
power
configuration, 287, 287, 288
interface auto power-down (Ethernet), 8
spanning tree BPDU drop, 119
interface EEE energy saving, 8
spanning tree BPDU guard, 116
interface energy-saving features (Ethernet), 8
spanning tree BPDU transmission rate, 102
priority
spanning tree edge port configuration, 102
802.1p-to-local priority mapping, 272
spanning tree forward delay timer, 100
Ethernet link aggregation LACP, 43
spanning tree loop guard, 117
LAN switching LLDP PFC 802.1p priority, 273
spanning tree path cost calculation
standard, 103 MAC address table learning priority, 28
spanning tree path cost QinQ SVLAN tag 802.1p priority, 217
configuration, 103, 105 spanning tree device priority, 99
spanning tree port link type configuration, 107 spanning tree port priority configuration, 106

308
priority-based flow control. Use PFC configuring interface (loopback), 17
private VLAN configuring interface (null), 17
configuration, 165, 166, 168 configuring interface auto power-down
display, 168 (Ethernet), 8
promiscuous port configuration, 168 configuring interface basic settings (Ethernet), 3
secondary VLAN Layer 3 communication, 179 configuring interface common settings
trunk promiscuous port configuration, 171 (Ethernet), 1
trunk promiscuous+trunk secondary port configuring interface EEE energy saving, 8
configuration, 174 configuring interface energy-saving features
procedure (Ethernet), 8
adding MAC address table blackhole entry, 24 configuring interface generic flow control
(Ethernet), 6
adding MAC address table multiport unicast
entry, 24 configuring interface jumbo frame support
(Ethernet), 4
assigning MAC address table learning priority
to interface, 28 configuring interface link mode (Ethernet), 4
assigning port isolation group (multiple), 77 configuring interface PFC (Ethernet), 7
assigning port-based VLAN access port, 140 configuring interface physical state change
suppression (Ethernet), 4
assigning port-based VLAN access port
(interface view), 140 configuring interface storm control (Layer 2
Ethernet), 11
assigning port-based VLAN access port
(VLAN view), 140 configuring IP subnet-based VLAN, 148, 154
assigning port-based VLAN hybrid port, 142 configuring LAN switching LLDP, 259, 275
assigning port-based VLAN trunk port, 141 configuring LAN switching LLDP
(CDP-compatible), 279
bulk configuring interfaces, 19
configuring LAN switching LLDP 802.1p-to-local
changing interface to FC interface (Layer 2
priority mapping, 272
Ethernet), 14
configuring LAN switching LLDP advertisable
combining interfaces (Ethernet 10-GE into
TLVs, 262
40-GE), 2
configuring LAN switching LLDP APP
configuring Ethernet aggregate interface, 53
parameters, 270
configuring Ethernet link aggregation, 47
configuring LAN switching LLDP basics, 259, 275
configuring Ethernet link aggregation edge
configuring LAN switching LLDP bridge
aggregate interface, 57
mode, 260
configuring Ethernet link aggregation
configuring LAN switching LLDP CDP
group, 48
compatibility, 266
configuring Ethernet link aggregation group
configuring LAN switching LLDP DCBX, 268, 281
(dynamic), 50
configuring LAN switching LLDP ETS
configuring Ethernet link aggregation group
parameters, 271
(static), 49
configuring LAN switching LLDP group-based
configuring Ethernet link aggregation group
WRR queuing, 272
BFD, 57
configuring LAN switching LLDP management
configuring Ethernet link aggregation group
address, 264
load sharing mode, 59
configuring LAN switching LLDP management
configuring Ethernet link aggregation load
address encoding format, 264
sharing, 59
configuring LAN switching LLDP PFC
configuring Ethernet link aggregation load
parameters, 273
sharing mode (global), 60
configuring LAN switching LLDP trapping, 274
configuring Ethernet link aggregation load
sharing mode (group-specific), 60 configuring LAN switching LLDP-MED
trapping, 274
configuring Ethernet link aggregation per-flow
load sharing algorithm settings, 61 configuring LAN switching QinQ CVLAN tag TPID
value, 217
configuring interface (inloopback), 18
configuring LAN switching QinQ SVLAN tag TPID
configuring interface (Layer 2 Ethernet), 11
value, 217
configuring interface (Layer 3 Ethernet), 15

309
configuring LAN switching QinQ VLAN tag configuring MST region, 97
TPID value, 216 configuring MST region max hops, 99
configuring LAN switching spanning tree configuring MSTP, 95, 121
Digest Snooping, 111 configuring MVRP, 199, 202
configuring Layer 2 cut-through configuring MVRP registration mode, 201
forwarding, 289
configuring MVRP timer, 201
configuring Layer 2 Ethernet link aggregation
configuring PBB, 246, 250
(dynamic), 66
configuring PBB data encapsulation
configuring Layer 2 Ethernet link aggregation
type, 249, 249
(static), 64
configuring PBB downlink port, 248
configuring Layer 2 Ethernet link aggregation
edge aggregate interface, 71 configuring PBB uplink port, 247
configuring Layer 2 Ethernet link aggregation configuring PBB VSI B-VLAN, 247
group (dynamic), 50 configuring port isolation (multiple isolation
configuring Layer 2 Ethernet link aggregation groups), 78
group (static), 49 configuring port-based VLAN, 139, 151
configuring Layer 2 Ethernet link aggregation configuring private VLAN, 166, 168
load sharing, 68 configuring private VLAN promiscuous port, 168
configuring Layer 3 Ethernet link aggregation configuring private VLAN trunk promiscuous
(dynamic), 73 port, 171
configuring Layer 3 Ethernet link aggregation configuring private VLAN trunk
(static), 72 promiscuous+trunk secondary port, 174
configuring Layer 3 Ethernet link aggregation configuring protocol-based VLAN, 149, 156
edge aggregate interface, 74 configuring PVST, 94, 125
configuring Layer 3 Ethernet link aggregation configuring QinQ, 219
group (dynamic), 52 configuring QinQ basics, 219
configuring Layer 3 Ethernet link aggregation configuring QinQ VLAN transparent
group (static), 49 transmission, 215, 221
configuring loop detection, 131, 133 configuring RSTP, 94
configuring loop detection protection configuring secondary VLAN Layer 3
action, 132 communication, 179
configuring loop detection protection action configuring service loopback group, 287, 288
(global), 132
configuring spanning tree, 92, 121
configuring loop detection protection action
(Layer 2 aggregate interface), 132 configuring spanning tree BPDU transmission
rate, 102
configuring loop detection protection action
configuring spanning tree device priority, 99
(Layer 2 Ethernet interface), 132
configuring spanning tree Digest Snooping, 110
configuring MAC address table, 34
configuring spanning tree edge port, 102
configuring MAC address table entry, 23
configuring spanning tree No Agreement
configuring MAC address table unknown
frame forwarding rule, 28 Check, 112, 114
configuring MAC change notification configuring spanning tree port link type, 107
interval, 37 configuring spanning tree port mode for MSTP
configuring MAC Information, 37 packets, 107
configuring spanning tree port path cost, 103, 105
configuring MAC Information mode, 36
configuring spanning tree port priority, 106
configuring MAC Information queue length, 37
configuring spanning tree port role restriction, 118
configuring MAC-based VLAN, 143, 152
configuring spanning tree protection
configuring MAC-based VLAN dynamic
assignment, 147 functions, 115
configuring MAC-based VLAN server configuring spanning tree root bridge, 97
assignment, 147 configuring spanning tree root bridge (device), 98
configuring MAC-based VLAN static configuring spanning tree secondary root
assignment, 146 bridge, 97
configuring management interface, 1

310
configuring spanning tree secondary root disabling MAC address learning on interface, 26
bridge (device), 98 disabling MAC address learning on VLAN, 27
configuring spanning tree switched network disabling static source check, 32
diameter, 100 disabling the device to reactivate the shutdown
configuring spanning tree TC Snooping, 114 edge ports, 120
configuring spanning tree TC-BPDU displaying bulk interface configuration, 20
transmission restriction, 118 displaying Ethernet link aggregation, 63
configuring spanning tree timeout factor, 101 displaying interface, 18
configuring spanning tree timer, 100 displaying interface (Ethernet), 15
configuring storm suppression, 10 displaying LAN switching LLDP, 274
configuring STP, 93 displaying loop detection, 133
configuring subinterface (Layer 3 displaying MAC address table, 33
Ethernet), 15
displaying MVRP, 202
configuring super VLAN, 160, 160, 162
displaying PBB, 250
configuring super VLAN interface, 161
displaying port isolation, 77
configuring VLAN, 151
displaying private VLAN, 168
configuring VLAN basic settings, 137
displaying QinQ, 219
configuring VLAN group, 150
displaying service loopback group, 288
configuring VLAN interface basics, 138
displaying spanning tree, 121
configuring VLAN mapping, 228, 235
displaying super VLAN, 161
configuring VLAN mapping (1\1), 229, 235
displaying VLAN, 150
configuring VLAN mapping (1\2), 234, 240
displaying VLAN mapping, 235
configuring VLAN mapping (2\2), 234, 240
displaying voice VLAN, 191
configuring VLAN mapping (M\1), 229, 235
enabling ARP fast update for MAC address
configuring VLAN mapping (M\1) (dynamic IP move, 32
address assignment), 230
enabling BPDU guard on an interface, 116
configuring VLAN mapping (M\1) (static IP
enabling Ethernet link aggregation local-first load
address assignment), 232
sharing, 60
configuring VLAN mapping M\1 customer-side
enabling Ethernet link aggregation traffic
port (dynamic IP address assignment), 231
redirection, 62
configuring VLAN mapping M\1 customer-side
enabling global BPDU guard, 116
port (static IP address assignment), 233
enabling interface bridging (Ethernet), 14
configuring VLAN mapping M\1 network-side
port (dynamic IP address assignment), 231 enabling LAN switching LLDP, 259
configuring VLAN mapping M\1 network-side enabling LAN switching LLDP polling, 262
port (static IP address assignment), 233 enabling LAN switching LLDP+DCBX TLV
configuring voice VLAN, 192 advertisement, 269
configuring voice VLAN CDP enabling loop detection, 131
advertisement, 190 enabling loop detection (global), 131
configuring voice VLAN LLDP enabling loop detection (port-specific), 131
advertisement, 190 enabling MAC address move notification, 30
configuring voice VLAN port operation enabling MAC address synchronization
(automatic assignment), 188, 192 globally, 29
configuring voice VLAN port operation enabling MAC Information, 36
(manual assignment), 189, 194 enabling MVRP, 200
configuring voice VLAN QoS priority enabling MVRP GVRP compatibility, 202
settings, 187 enabling PBB L2VPN, 247
creating PBB VSI, 247 enabling QinQ, 215
creating super VLAN sub-VLAN, 160 enabling SNMP notification for MAC address
disabling global MAC address learning, 26 table, 33
disabling LLDP PVID inconsistency enabling spanning tree BPDU drop, 119
check, 266 enabling spanning tree BPDU guard, 116
disabling MAC address learning, 26

311
enabling spanning tree feature, 108 setting LAN switching LLDP parameters, 265
enabling spanning tree loop guard, 117 setting LAN switching LLDP reinitialization
enabling spanning tree port state transition delay, 261
information output, 108 setting Layer 3 aggregate interface (MTU), 54
enabling spanning tree root guard, 117 setting loop detection interval, 132
enabling spanning tree SNMP notification setting MAC address table dynamic aging
(new-root election, topology change timer, 27
events), 120 setting MAC address table learning limit on
enabling spanning tree TC-BPDU guard, 119 interface, 27
enabling VLAN mapping M\1 ARP detection setting QinQ SVLAN tag 802.1p priority, 217
(dynamic IP address assignment), 230 setting spanning tree mode, 96
enabling VLAN mapping M\1 ARP snooping setting subinterface MTU (Layer 3 Ethernet), 15
(static IP address assignment), 232 shutting down Ethernet link aggregate
enabling VLAN mapping M\1 DHCP snooping interface, 58
(dynamic IP address assignment), 230 specifying Layer 2 aggregate interface (ignored
enabling voice VLAN LLDP, 190 VLAN), 54
forcing interface fiber port (Layer 2 specifying link aggregation management
Ethernet), 9 VLAN+management port, 59, 59
maintaining Ethernet link aggregation, 63 specifying spanning tree port path cost calculation
maintaining interface, 18 standard, 103
maintaining interface (Ethernet), 15 splitting interface (Ethernet 40-GE), 2
maintaining MVRP, 202 testing interface cable connection (Layer 2
maintaining PBB, 250 Ethernet), 13
maintaining spanning tree, 121 troubleshooting PBB customer frames cannot be
maintaining VLAN, 150 transmitted, 252
modifying MAC address table blackhole promiscuous
entry, 24 private VLAN promiscuous port configuration, 168
modifying MAC address table multiport private VLAN trunk promiscuous port
unicast entry, 24 configuration, 171
performing interface loopback test private VLAN trunk promiscuous+trunk
(Ethernet), 5 secondary port configuration, 174
performing spanning tree mCheck, 109 protecting
restoring Ethernet link aggregate interface disabling the device to reactivate the shutdown
default settings, 58 edge ports, 120
setting Ethernet aggregate interface spanning tree protection functions, 115
(description), 53 spanning tree SNMP notification (new-root
setting Ethernet link aggregate group election, topology change events), 120
Selected ports min/max, 55 protocol-based VLAN
setting Ethernet link aggregate interface configuration, 149, 156
(expected bandwidth), 56 protocols and standards
setting Ethernet link aggregation load sharing Ethernet link aggregation protocol
mode for MAC-in-MAC traffic (global), 62 configuration, 41
setting interface connection distance (Layer 2 LAN switching LLDP, 259
Ethernet), 15 MSTP, 92
setting interface MDIX mode (Layer 2 MVRP, 199
Ethernet), 13
PBB, 246
setting interface MTU (Layer 3 Ethernet), 15
QinQ, 214
setting interface statistics polling interval
STP protocol packets, 80
(Ethernet), 9
VLAN, 137
setting LAN switching LLDP frame
encapsulation format, 265 provider
setting LAN switching LLDP operating backbone bridge. Use PBB
mode, 261 backbone bridge network. See PBBN

312
 backbone network. See PBN MST, 89
PVID (port-based VLAN), 139 MST region configuration, 97
PVST, 80, See also STP MST region max hops, 99
configuration, 94, 125 MST regional root, 90
feature enable, 109 registering
mode set, 96 MVRP registration fixed mode, 199
port links, 87 MVRP registration forbidden mode, 199
Q MVRP registration mode, 201
MVRP registration normal mode, 199
QinQ
reinitialization delay (LLDP), 261
basic configuration, 219
restoring
configuration, 213, 219
Ethernet link aggregate interface default
configuration restrictions, 215 settings, 58
CVLAN tag, 213 restrictions
CVLAN tag TPID value, 217 bulk interface configuration, 19
display, 219 Ethernet link aggregation group, 48
enable, 215 Ethernet link aggregation traffic redirection, 62
how it works, 213 interface dampening (Ethernet), 6
implementation, 214 interface fiber port (Layer 2 Ethernet), 6
loop detection configuration, 129, 131, 133 interface loopback test (Ethernet), 6
protocols and standards, 214 interface PFC configuration (Ethernet), 6
SVLAN tag, 213 interface storm control (Layer 2 Ethernet), 6
SVLAN tag 802.1p priority, 217 interface storm suppression (Layer 2 Ethernet), 6
SVLAN tag TPID value, 217 LAN switching STP Digest Snooping
VLAN tag TPID value, 216 configuration, 111
VLAN transparent transmission, 215 LAN switching STP edge port configuration, 102
VLAN transparent transmission LAN switching STP mCheck configuration, 110
configuration, 221 LAN switching STP port link type
QoS configuration, 107
LAN switching LLDP 802.1p-to-local priority LAN switching STP TC Snooping
mapping, 272 configuration, 115
LAN switching LLDP APP parameters, 270 LAN switching STP timer configuration, 101
LAN switching LLDP ETS parameters, 271 MAC-based VLAN dynamic assignment, 146
LAN switching LLDP group-based WRR MVRP configuration, 199
queuing, 272 QinQ configuration, 215
LAN switching LLDP PFC parameters, 273 spanning tree port role restriction, 118
QinQ SVLAN tag 802.1p priority, 217 spanning tree TC-BPDU transmission
voice VLAN QoS priority setting restriction, 118
configuration, 187 voice VLAN LLDP enable, 190
queuing voice VLAN port operation configuration
MAC Information queue length, 37 restrictions (automatic assignment), 188
R voice VLAN port operation configuration
restrictions (manual assignment), 189
Rapid Spanning Tree Protocol. Use RSTP root
rate MST common root bridge, 90
spanning tree BPDU transmission rate, 102 MST regional root, 90
receiving MST root port role, 90
LAN switching LLDP frames, 259 spanning tree root bridge, 97
recovering spanning tree root bridge (device), 98
loop detection port status auto recovery, 130 spanning tree root guard, 117
reference port (Ethernet link aggregation), 42, 44 spanning tree secondary root bridge (device), 98
region

313
 STP algorithm calculation, 81 Ethernet link aggregation member port
STP root bridge, 80 state, 42, 45
STP root port, 81 interface connection distance (Layer 2
routing Ethernet), 15
IP subnet-based VLAN interface MDIX mode (Layer 2 Ethernet), 13
configuration, 148, 154 interface MTU (Layer 3 Ethernet), 15
MAC-based VLAN configuration, 143, 152 interface statistics polling interval (Ethernet), 9
MAC-based VLAN dynamic assignment, 147 LAN switching LLDP frame encapsulation
MAC-based VLAN server assignment, 147 format, 265
MAC-based VLAN static assignment, 146 LAN switching LLDP operating mode, 261
protocol-based VLAN configuration, 149, 156 LAN switching LLDP parameters, 265
voice VLAN configuration, 182, 192 LAN switching LLDP reinitialization delay, 261
voice VLAN IP phone access method, 184 Layer 3 aggregate interface (MTU), 54
RSTP, 80, See also STP loop detection interval, 132
configuration, 94 MAC address table dynamic aging timer, 27
feature enable, 109 MAC address table learning limit on interface, 27
mode set, 96 QinQ SVLAN tag 802.1p priority, 217
MSTP device implementation, 92 spanning tree mode, 96
network convergence, 87 subinterface MTU (Layer 3 Ethernet), 15
rule shutting down
MAC address table unknown frame Ethernet link aggregate interface, 58
forwarding rule, 28 loop detection shutdown action, 130
SNAP
S
LAN switching LLDP frame encapsulated in
security SNAP format, 254
voice VLAN mode, 186 LAN switching LLDP frame encapsulation
selecting format, 265
Ethernet link aggregation Selected ports SNMP
min/max, 55 MAC Information configuration, 36, 37
Ethernet link aggregation selected state, 41 snooping
Ethernet link aggregation unselected state, 41 spanning tree Digest Snooping, 110, 111
series spanning tree TC Snooping, 114
voice VLAN host+IP phone connection (in spanning tree, 80, See also STP, RSTP, PVST, MSTP
series), 184 BPDU drop, 119
server BPDU guard enable, 116
MAC-based VLAN server BPDU transmission rate configuration, 102
assignment, 145, 147
configuration, 80, 92, 121
service
device priority configuration, 99
LAN switching LLDP service bridge
Digest Snooping, 110, 111
mode, 260
disabling the device to reactivate the shutdown
service loopback group
edge ports, 120
configuration, 287, 287, 288
displaying, 121
display, 288
edge port configuration, 102
setting
feature enable, 108
Ethernet aggregate interface (description), 53
loop guard enable, 117
Ethernet link aggregate group Selected ports
maintaining, 121
min/max, 55
mCheck, 109
Ethernet link aggregate interface (expected
bandwidth), 56 mode set, 96
Ethernet link aggregation load sharing mode MST region max hops, 99
for MAC-in-MAC traffic (global), 62 MSTP, 87, See also MSTP
No Agreement Check, 112, 114

314
 port link type configuration, 107 interface statistics polling interval (Ethernet), 9
port mode configuration, 107 storm
port path cost calculation standard, 103 interface storm control (Layer 2 Ethernet), 11
port path cost configuration, 103, 105 STP
port priority configuration, 106 algorithm calculation, 81
port role restriction, 118 basic concepts, 80
port state transition output, 108 BPDU forwarding, 86
protection functions, 115 configuration, 93
PVST, 87, See also PVST designated bridge, 81
root bridge configuration, 97 designated port, 81
root bridge configuration (device), 98 Digest Snooping configuration restrictions, 111
root guard enable, 117 edge port configuration restrictions, 102
RSTP, 87, See also RSTP feature enable, 109
secondary root bridge configuration loop detection, 80
(device), 98 mCheck configuration restrictions, 110
SNMP notification enable (new-root election, mode set, 96
topology change events), 120 MSTP device implementation, 92
switched network diameter, 100 path cost, 81
TC Snooping, 114 port link type configuration restrictions, 107
TC-BPDU guard, 119 protocol packets, 80
TC-BPDU transmission restriction, 118 root bridge, 80
timeout factor configuration, 101 root port, 81
timer configuration, 100 TC Snooping configuration restrictions, 115
specifying timer configuration restrictions, 101
Layer 2 aggregate interface (ignored timers, 86
VLAN), 54
subinterface. See Ethernet subinterface
link aggregation management
subnetting
VLAN+management port, 59
IP subnet-based VLAN configuration, 148, 154
spanning tree port path cost calculation
standard, 103 sub-VLAN
splitting creation, 160
interface (Ethernet 40-GE), 2 super VLAN
state configuration, 160, 160, 162
Ethernet link aggregation member port display, 161
state, 41, 42, 45 interface configuration, 161
interface state change suppression sub-VLAN creation, 160
(Ethernet), 4 suppressing
static interface physical state change suppression
Ethernet link aggregation group, 49 (Ethernet), 4
Ethernet link aggregation mode, 42 interface storm control configuration (Layer 2
Ethernet link aggregation static mode, 42 Ethernet), 11
Layer 2 Ethernet link aggregation, 64 SVLAN
Layer 2 Ethernet link aggregation group, 49 QinQ basic configuration, 219
Layer 3 Ethernet link aggregation, 72 QinQ configuration, 213, 219
Layer 3 Ethernet link aggregation group, 49 QinQ SVLAN tag 802.1p priority, 217
MAC address table entry, 21 QinQ VLAN transparent transmission
configuration, 221
MAC-based VLAN static
assignment, 143, 146 VLAN mapping configuration, 223, 228, 235
static MAC address entry VLAN mapping implementation, 225
static source check disable, 32 switching
statistics interface configuration (Ethernet), 1
interface configuration (inloopback), 17, 18

315
 interface configuration (loopback), 17, 17 spanning tree forward delay, 100
interface configuration (null), 17, 17 spanning tree hello, 100
MAC address table configuration, 21, 22, 34 spanning tree max age, 100
spanning tree switched network diameter, 100 STP forward delay, 86
synchronizing STP hello, 86
MAC addresses, 29 STP max age, 86
system TLV
interface bulk configuration, 19 LAN switching LLDP advertisable TLV
configuration, 262
T
LAN switching LLDP management address
table configuration, 264
LAN switching LLDP priority mapping LAN switching LLDP management address
table, 272 encoding format, 264
MAC address, 21, 22, 34 LAN switching LLDP parameters, 265
MSTP VLAN-to-instance mapping table, 89 LAN switching LLDP+DCBX TLV
tag advertisement, 269
QinQ CVLAN, 213 LAN switching LLDPDU basic management
QinQ CVLAN tag TPID value, 217 types, 255
QinQ SVLAN, 213 LAN switching LLDPDU LLDP-MED types, 255
QinQ SVLAN tag 802.1p priority, 217 LAN switching LLDPDU management address
QinQ SVLAN tag TPID value, 217 TLV, 258
QinQ VLAN tag TPID value, 216 LAN switching LLDPDU organization-specific
types, 255
VLAN mapping configuration, 223, 228, 235
topology
VLAN mapping configuration (1\1), 229, 235
STP TCN BPDU protocol packets, 80
VLAN mapping configuration (1\2), 234, 240
traffic
VLAN mapping configuration (2\2), 234, 240
Ethernet link aggregation traffic redirection, 62
VLAN mapping configuration (M\1), 229, 235
PBB configuration, 243, 246, 250
VLAN mapping configuration (M\1) (dynamic
IP address assignment), 230 voice VLAN QoS priority setting
configuration, 187
VLAN mapping configuration (M\1) (static IP
address assignment), 232 transmitting
TC Snooping (spanning tree), 114 LAN switching LLDP frames, 258
TC-BPDU QinQ VLAN transparent transmission, 215, 221
spanning tree TC-BPDU guard, 119 spanning tree TC-BPDU transmission
restriction, 118
spanning tree TC-BPDU transmission
restriction, 118 transparent transmission (QinQ for VLAN), 215, 221
testing trapping
interface cable connection (Layer 2 LAN switching LLDP configuration, 274
Ethernet), 13 LAN switching LLDP-MED configuration, 274
time MAC Information configuration, 36, 37
Ethernet link aggregation LACP timeout MAC Information mode configuration, 36
interval, 43 troubleshooting
timeout PBB, 252
spanning tree timeout factor, 101 PBB customer frames cannot be transmitted, 252
timer trunk port
LAN switching LLDP reinitialization delay, 261 port-based VLAN assignment (trunk port), 141
MAC address table dynamic aging timer, 27 U
MRP Join, 198
unicast
MRP Leave, 198
MAC address table configuration, 21, 22, 34
MRP LeaveAll, 198
MAC address table multiport unicast entry, 21
MRP Periodic, 198
uplink port
MVRP configuration, 201

316
 PBB configuration, 247 QinQ CVLAN tag, 213
V QinQ CVLAN tag TPID value, 217
QinQ implementation, 214
Virtual Local Area Network. Use VLAN
QinQ SVLAN tag, 213
VLAN
QinQ SVLAN tag 802.1p priority, 217
basic configuration, 137
QinQ SVLAN tag TPID value, 217
configuration, 136, 151
QinQ transparent transmission, 215
display, 150
QinQ VLAN tag TPID value, 216
frame encapsulation, 136
QinQ VLAN transparent transmission
group configuration, 150 configuration, 221
interface basics configuration, 138 super VLAN configuration, 160, 160, 162
IP subnet-based configuration, 148, 154 super VLAN interface configuration, 161
LAN switching LLDP CDP compatibility, 266 voice VLAN assignment mode, 184
LAN switching LLDP configuration voice VLAN CDP advertisement
(CDP-compatible), 279 configuration, 190
Layer 2 Ethernet aggregate interface (ignored voice VLAN configuration, 182, 192
VLAN), 54
voice VLAN host+IP phone connection (in
link aggregation management series), 184
VLAN+management port, 59
voice VLAN IP phone access method, 184
loop detection configuration, 129, 131, 133
voice VLAN IP phone connection (device), 184
MAC-based configuration, 152
voice VLAN LLDP advertisement
MAC-based dynamic assignment, 147 configuration, 190
MAC-based server assignment, 147 voice VLAN LLDP enable, 190
MAC-based static assignment, 146 voice VLAN LLDP enable restrictions, 190
MAC-based VLAN configuration, 143 voice VLAN port mode, 186
MAC-based VLAN dynamic assignment, 143 voice VLAN port operation configuration
MAC-based VLAN server assignment, 145 (automatic assignment), 188, 192
MAC-based VLAN static assignment, 143 voice VLAN port operation configuration (manual
maintain, 150 assignment), 189, 194
mapping. See VLAN mapping voice VLAN port operation configuration
MRP implementation, 196 restrictions (automatic assignment), 188
MSTP VLAN-to-instance mapping table, 89 voice VLAN port operation configuration
MVRP configuration, 196, 199, 202 restrictions (manual assignment), 189
MVRP GVRP compatibility, 202 voice VLAN QoS priority setting
configuration, 187
PBB data encapsulation, 249
VLAN mapping
port isolation configuration, 77
1\1 application scenario, 223
port link type, 139
1\1 configuration, 229, 235
port-based configuration, 139, 151
1\1 implementation, 225, 226
port-based VLAN assignment (access
port), 140 1\2 application scenario, 225
port-based VLAN assignment (hybrid 1\2 configuration, 234, 240
port), 142 1\2 implementation, 225, 227
port-based VLAN assignment (trunk port), 141 2\2 application scenario, 225
port-based VLAN frame handling, 139 2\2 configuration, 234, 240
private VLAN configuration, 165, 166 2\2 implementation, 225, 227
protocol-based configuration, 149, 156 ARP detection (M\1) (dynamic IP address
protocols and standards, 137 assignment), 230
PVID, 139 ARP snooping (M\1) (static IP address
assignment), 232
PVST, 87
configuration, 223, 228, 235
QinQ basic configuration, 219
DHCP snooping (M\1) (dynamic IP address
QinQ configuration, 213, 219 assignment), 230

317
 displaying, 235 voice VLAN information advertisement to IP
M\1 application scenario, 223 phones, 183
M\1 configuration, 229, 235 voice VLAN IP phone access method, 184
M\1 configuration (dynamic IP address voice VLAN IP phone identification method
assignment), 230 (LLDP), 183
M\1 configuration (static IP address voice VLAN IP phone identification method (OUI
assignment), 232 address), 182
M\1 customer-side port (dynamic IP address VPN
assignment), 231 PBB configuration, 243, 246, 250
M\1 customer-side port (static IP address QinQ basic configuration, 219
assignment), 233 QinQ configuration, 213, 219
M\1 implementation, 225, 226 QinQ VLAN transparent transmission
M\1 network-side port (dynamic IP address configuration, 221
assignment), 231 VSI
M\1 network-side port (static IP address PBB B-VLAN configuration, 247
assignment), 233 PBB creation, 247
voice traffic
W
LAN switching LLDP CDP compatibility, 266
LAN switching LLDP configuration WRR queuing
(CDP-compatible), 279 LAN switching LLDP group-based WRR
voice VLAN queuing, 272
assignment mode, 184
assignment mode (automatic), 184
assignment mode (manual), 185
assignment mode+IP phone cooperation, 185
CDP advertisement configuration, 190
configuration, 182, 192
display, 191
host+IP phone connection (in series), 184
information advertisement to IP phone, 183
IP phone access method, 184
IP phone connection (device), 184
IP phone identification method, 182
IP phone identification method (LLDP), 183
IP phone identification method (OUI
address), 182
LLDP advertisement configuration, 190
LLDP enable, 190
LLDP enable restrictions, 190
port mode, 186
port operation configuration (automatic
assignment), 188, 192
port operation configuration (manual
assignment), 189, 194
port operation configuration restrictions
(automatic assignment), 188
port operation configuration restrictions
(manual assignment), 189
QoS priority setting configuration, 187
VoIP
voice VLAN configuration, 182, 192

318