LAN Switching Configuration Guide

Uploaded by

Jaka maulana
H3C S6805 & S6825 & S6850 & S9850

Switch Series
Layer 2—LAN Switching Configuration Guide

New H3C Technologies Co., Ltd.


http://www.h3c.com

Software version: Release 66xx


Document version: 6W103-20220420
Copyright © 2020-2022 New H3C Technologies Co., Ltd. and its licensors

All rights reserved


No part of this manual may be reproduced or transmitted in any form or by any means without prior written
consent of New H3C Technologies Co., Ltd.
Trademarks
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this
document are the property of their respective owners.
Notice
The information in this document is subject to change without notice. All contents in this document, including
statements, information, and recommendations, are believed to be accurate, but they are presented without
warranty of any kind, express or implied. H3C shall not be liable for technical or editorial errors or omissions
contained herein.
Preface
This configuration guide describes LAN switching features and tasks for Layer 2 network
configuration, including:
• Flow control and load sharing.
• Isolating users within the same VLAN and configuring VLANs.
• Eliminating Layer 2 loops.
• Transmitting packets of the customer network over the service provider network.
• Modifying VLAN tags of packets.
This preface includes the following topics about the documentation:
• Audience.
• Conventions.
• Documentation feedback.

Audience
This documentation is intended for:
• Network planners.
• Field technical support and servicing engineers.
• Network administrators working with the S6805, S6850, or S9850 switch series.

Conventions
The following information describes the conventions used in the documentation.
Command conventions

Convention          Description
Boldface            Bold text represents commands and keywords that you enter literally as shown.
Italic              Italic text represents arguments that you replace with actual values.
[ ]                 Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }     Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
[ x | y | ... ]     Square brackets enclose a set of optional syntax choices separated by vertical bars, from which you select one or none.
{ x | y | ... } *   Asterisk marked braces enclose a set of required syntax choices separated by vertical bars, from which you select a minimum of one.
[ x | y | ... ] *   Asterisk marked square brackets enclose optional syntax choices separated by vertical bars, from which you select one choice, multiple choices, or none.
&<1-n>              The argument or keyword and argument combination before the ampersand (&) sign can be entered 1 to n times.
#                   A line that starts with a pound (#) sign is a comment.
GUI conventions

Convention          Description
Boldface            Window names, button names, field names, and menu items are in Boldface. For example, the New User window opens; click OK.
>                   Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention          Description
WARNING!            An alert that calls attention to important information that if not understood or followed can result in personal injury.
CAUTION:            An alert that calls attention to important information that if not understood or followed can result in data loss, data corruption, or damage to hardware or software.
IMPORTANT:          An alert that calls attention to essential information.
NOTE:               An alert that contains additional or supplementary information.
TIP:                An alert that provides helpful information.

Network topology icons

Convention Description
Represents a generic network device, such as a router, switch, or firewall.
Represents a routing-capable device, such as a router or Layer 3 switch.
Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
Represents an access controller, a unified wired-WLAN module, or the access controller engine on a unified wired-WLAN switch.
Represents an access point.
Represents a wireless terminator unit.
Represents a wireless terminator.
Represents a mesh access point.
Represents omnidirectional signals.
Represents directional signals.
Represents a security product, such as a firewall, UTM, multiservice security gateway, or load balancing device.
Represents a security module, such as a firewall, load balancing, NetStream, SSL VPN, IPS, or ACG module.

Examples provided in this document


Examples in this document might use devices that differ from your device in hardware model,
configuration, or software version. It is normal that the port numbers, sample output, screenshots,
and other information in the examples differ from what you have on your device.

Documentation feedback
You can e-mail your comments about product documentation to [email protected].
We appreciate your comments.
Contents
Configuring the MAC address table
  About the MAC address table
    How a MAC address entry is created
    Types of MAC address entries
  MAC address table tasks at a glance
  Configuring MAC address entries
    About MAC address entry-based frame forwarding
    Restrictions and guidelines for MAC address entry configuration
    Prerequisites for MAC address entry configuration
    Adding or modifying a static or dynamic MAC address entry
    Adding or modifying a blackhole MAC address entry
    Adding or modifying a multiport unicast MAC address entry
  Setting the aging timer for dynamic MAC address entries
  Disabling MAC address learning
    About disabling MAC address learning
    Disabling global MAC address learning
    Disabling MAC address learning on an interface
    Disabling MAC address learning on a VLAN
    Disabling the device from learning the source MAC addresses of Layer 2 protocol packets
  Setting the MAC learning limit
  Configuring the unknown frame forwarding rule after the MAC learning limit is reached
    About unknown frame forwarding rule configuration
    Configuring the device to forward unknown frames after the MAC learning limit on an interface is reached
  Assigning MAC learning priority to interfaces
  Enabling MAC address synchronization
  Configuring MAC address move notifications and suppression
  Enabling ARP fast update for MAC address moves
  Disabling static source check
  Enabling SNMP notifications for the MAC address table
  Display and maintenance commands for MAC address table
  MAC address table configuration examples
    Example: Configuring the MAC address table
Configuring MAC Information
  About MAC Information
  Enabling MAC Information
  Configuring the MAC Information mode
  Setting the MAC change notification interval
  Setting the MAC Information queue length
  MAC Information configuration examples
    Example: Configuring MAC Information

Configuring the MAC address table
About the MAC address table
An Ethernet device uses a MAC address table to forward frames. A MAC address entry includes a
destination MAC address, an outgoing interface, and a VLAN ID. When the device receives a frame,
it uses the destination MAC address of the frame to look for a match in the MAC address table.
• The device forwards the frame out of the outgoing interface in the matching entry if a match is
found.
• The device floods the frame in the VLAN of the frame if no match is found.

How a MAC address entry is created


The entries in the MAC address table include entries automatically learned by the device and entries
manually added.
MAC address learning
The device can automatically populate its MAC address table by learning the source MAC addresses
of incoming frames on each interface.
The device performs the following operations to learn the source MAC address of incoming packets:
1. Checks the source MAC address (for example, MAC-SOURCE) of the frame.
2. Looks up the source MAC address in the MAC address table.
   ◦ The device updates the entry if an entry is found.
   ◦ The device adds an entry for MAC-SOURCE and the incoming port if no entry is found.
When the device receives a frame destined for MAC-SOURCE after learning this source MAC
address, the device performs the following operations:
1. Finds the MAC-SOURCE entry in the MAC address table.
2. Forwards the frame out of the port in the entry.
The device performs the learning process for each incoming frame with an unknown source MAC
address until the table is fully populated.
Manually configuring MAC address entries
Dynamic MAC address learning does not distinguish between illegitimate and legitimate frames,
which can invite security hazards. When Host A is connected to Port A, a MAC address entry will be
learned for the MAC address of Host A (for example, MAC A). When an illegal user sends frames
with MAC A as the source MAC address to Port B, the device performs the following operations:
1. Learns a new MAC address entry with Port B as the outgoing interface and overwrites the old
entry for MAC A.
2. Forwards frames destined for MAC A out of Port B to the illegal user.
As a result, the illegal user obtains the data of Host A. To improve the security for Host A, manually
configure a static entry to bind Host A to Port A. Then, the frames destined for Host A are always sent
out of Port A. Other hosts using the forged MAC address of Host A cannot obtain the frames destined
for Host A.

Types of MAC address entries


A MAC address table can contain the following types of entries:

• Static entries—A static entry is manually added to forward frames with a specific destination
MAC address out of the associated interface, and it never ages out. A static entry has higher
priority than a dynamically learned one.
• Dynamic entries—A dynamic entry can be manually configured or dynamically learned to
forward frames with a specific destination MAC address out of the associated interface. A
dynamic entry might age out. A manually configured dynamic entry has the same priority as a
dynamically learned one.
• Blackhole entries—A blackhole entry is manually configured and never ages out. A blackhole
entry is configured for filtering out frames with a specific source or destination MAC address.
For example, to block all frames destined for or sourced from a user, you can configure the
MAC address of the user as a blackhole MAC address entry. A blackhole entry has higher
priority than a dynamically learned one.
• Multiport unicast entries—A multiport unicast entry is manually added to send frames with a
specific unicast destination MAC address out of multiple ports, and it never ages out. A multiport
unicast entry has higher priority than a dynamically learned one.
A static or blackhole MAC address entry can overwrite a dynamic MAC address entry. A dynamic
MAC address entry cannot overwrite a static, blackhole, or multiport unicast MAC address entry. A
static entry, a blackhole entry, and a multiport unicast entry cannot overwrite one another.
A multiport unicast MAC address entry does not affect learning the corresponding dynamic MAC
address entry. For the same MAC address, a multiport unicast MAC address entry and a dynamic
MAC address entry can coexist, and the multiport unicast MAC address takes priority.
This document does not cover the configuration of static multicast MAC address entries and MAC
address entries in VPLS. For more information about configuring static multicast MAC address
entries, see IGMP snooping in IP Multicast Configuration Guide. For more information about MAC
address table configuration in VPLS, see VPLS in MPLS Configuration Guide.
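The learning, spoofing, and overwrite rules described above can be traced with a small model. This is an added example, not H3C code: the MacTable class, the port names, and the MAC labels are constructed for illustration, and the model ignores aging and covers a single device.

```python
"""Toy model of the MAC address table rules described above (added example)."""

STATIC, BLACKHOLE, MULTIPORT = "static", "blackhole", "multiport"
VLAN = 10                                        # constructed sample values
MAC_A, MAC_C, MAC_X = "mac-a", "mac-c", "mac-x"
PORTS = {"PortA", "PortB", "PortC"}


class MacTable:
    def __init__(self, vlan_ports):
        self.vlan_ports = vlan_ports   # VLAN ID -> set of member ports
        self.manual = {}               # (vlan, mac) -> (kind, egress ports)
        self.dynamic = {}              # (vlan, mac) -> learned port

    def configure(self, kind, vlan, mac, ports=()):
        """Add a manual entry; return False if another manual kind holds the MAC."""
        key = (vlan, mac)
        held = self.manual.get(key)
        if held and held[0] != kind:
            return False               # static/blackhole/multiport never overwrite one another
        self.manual[key] = (kind, frozenset(ports))
        if kind in (STATIC, BLACKHOLE):
            self.dynamic.pop(key, None)    # these two overwrite a dynamic entry
        return True                        # a multiport entry coexists with a dynamic one

    def receive(self, in_port, vlan, src, dst):
        """Process one frame; return the set of egress ports (empty set = dropped)."""
        src_kind = self.manual.get((vlan, src), (None,))[0]
        dst_entry = self.manual.get((vlan, dst))
        if src_kind == BLACKHOLE or (dst_entry and dst_entry[0] == BLACKHOLE):
            return set()               # blackhole filters by source or destination
        if src_kind != STATIC:
            self.dynamic[(vlan, src)] = in_port    # learn, refresh, or move
        if dst_entry:
            out = set(dst_entry[1])                # manual entry takes priority
        elif (vlan, dst) in self.dynamic:
            out = {self.dynamic[(vlan, dst)]}
        else:
            out = set(self.vlan_ports[vlan])       # no match: flood in the VLAN
        return out - {in_port}         # a frame is never sent back out of its ingress port


def spoof_demo(bind_static):
    """Host A on PortA, forged MAC A on PortB: where does Host C's frame to MAC A go?"""
    t = MacTable({VLAN: PORTS})
    if bind_static:
        t.configure(STATIC, VLAN, MAC_A, ["PortA"])
    t.receive("PortA", VLAN, MAC_A, MAC_C)     # Host A talks; MAC A is learned on PortA
    t.receive("PortB", VLAN, MAC_A, MAC_C)     # frame with forged source MAC A on PortB
    return t.receive("PortC", VLAN, MAC_C, MAC_A)


def precedence_demo():
    """Multiport coexists with dynamic; a second manual kind is rejected."""
    t = MacTable({VLAN: PORTS})
    t.receive("PortB", VLAN, MAC_X, MAC_C)     # dynamic entry for MAC X on PortB
    return {
        "multiport_added": t.configure(MULTIPORT, VLAN, MAC_X, ["PortA", "PortC"]),
        "dynamic_kept": (VLAN, MAC_X) in t.dynamic,
        "static_rejected": not t.configure(STATIC, VLAN, MAC_X, ["PortA"]),
        "egress": t.receive("PortB", VLAN, MAC_C, MAC_X),
    }


def blackhole_demo():
    """Frames to and from a blackholed MAC are both dropped."""
    t = MacTable({VLAN: PORTS})
    t.receive("PortB", VLAN, MAC_X, MAC_C)
    t.configure(BLACKHOLE, VLAN, MAC_X)        # overwrites the dynamic entry
    return t.receive("PortC", VLAN, MAC_C, MAC_X) | t.receive("PortB", VLAN, MAC_X, MAC_C)


if __name__ == "__main__":
    print("dynamic only :", spoof_demo(False))
    print("static bind  :", spoof_demo(True))
    print("precedence   :", precedence_demo())
    print("blackhole    :", blackhole_demo())
```

With dynamic learning only, the frame for MAC A leaves through PortB; with the static binding it leaves through PortA.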

MAC address table tasks at a glance


All MAC address table configuration tasks are optional.
To configure the MAC address table, perform the following tasks:
• Configuring MAC address entries
   ◦ Adding or modifying a static or dynamic MAC address entry
   ◦ Adding or modifying a blackhole MAC address entry
   ◦ Adding or modifying a multiport unicast MAC address entry
• Setting the aging timer for dynamic MAC address entries
• Configuring MAC address learning
   ◦ Disabling MAC address learning
   ◦ Setting the MAC learning limit
   ◦ Configuring the unknown frame forwarding rule after the MAC learning limit is reached
   ◦ Assigning MAC learning priority to interfaces
• Enabling MAC address synchronization
• Configuring MAC address move notifications and suppression
• Enabling ARP fast update for MAC address moves
• Disabling static source check
• Enabling SNMP notifications for the MAC address table

Configuring MAC address entries
About MAC address entry-based frame forwarding
A frame whose source MAC address matches different types of MAC address entries is processed
differently.

Type                                  Description
Static MAC address entry              Forwards the frame according to the destination MAC address regardless of whether the frame's ingress interface is the same as that in the entry.
Multiport unicast MAC address entry   Learns the source MAC address of the frame, generates a dynamic MAC address entry for that MAC address, and forwards the frame. The multiport unicast MAC address entry has higher priority than the dynamic MAC address entry in traffic forwarding.
Blackhole MAC address entry           Drops the frame.
Dynamic MAC address entry             • Learns the MAC address of the frames received on a different interface from that in the entry and overwrites the original entry.
                                      • Forwards the frame received on the same interface as that in the entry and updates the aging timer for the entry.

Restrictions and guidelines for MAC address entry configuration
A manually configured dynamic MAC address entry will overwrite a learned entry that already exists
with a different outgoing interface for the MAC address.
The manually configured static, blackhole, and multiport unicast MAC address entries cannot survive
a reboot if you do not save the configuration. The manually configured dynamic MAC address entries
are lost upon reboot whether or not you save the configuration.
Do not configure the reserved MAC addresses of the device and MAC addresses assigned to Layer
3 interfaces as static, dynamic, blackhole, or multiport unicast MAC addresses. Layer 3 interfaces
include Layer 3 Ethernet interfaces, Layer 3 Ethernet subinterfaces, Layer 3 aggregate interfaces,
Layer 3 aggregate subinterfaces, and VLAN interfaces. The reserved MAC addresses of different
device models are as follows:

Hardware Reserved MAC address range


S6805/S6825 series Bridge MAC address to bridge MAC address + 109
S6850-56HF Bridge MAC address to bridge MAC address + 131
S6850-2C Bridge MAC address to bridge MAC address + 121
S9850-4C/S9850-32H Bridge MAC address to bridge MAC address + 179

Prerequisites for MAC address entry configuration


Before manually configuring a MAC address entry for an interface, make sure the VLAN in the entry
has been created.

Adding or modifying a static or dynamic MAC address entry
Adding or modifying a static or dynamic MAC address entry globally
1. Enter system view.
system-view
2. Add or modify a static or dynamic MAC address entry.
mac-address { dynamic | static } mac-address interface interface-type
interface-number vlan vlan-id
By default, no MAC address entry is configured globally.
Make sure you have assigned the interface to the VLAN.
Adding or modifying a static or dynamic MAC address entry on an interface
1. Enter system view.
system-view
2. Enter interface view.
   ◦ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
   ◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Add or modify a static or dynamic MAC address entry.
mac-address { dynamic | static } mac-address vlan vlan-id
By default, no MAC address entry is configured on an interface.
Make sure you have assigned the interface to the VLAN.

Adding or modifying a blackhole MAC address entry


1. Enter system view.
system-view
2. Add or modify a blackhole MAC address entry.
mac-address blackhole mac-address vlan vlan-id
By default, no blackhole MAC address entry is configured.

Adding or modifying a multiport unicast MAC address entry


About this task
You can configure a multiport unicast MAC address entry to associate a unicast destination MAC
address with multiple ports. The frame with a destination MAC address matching the entry is sent out
of multiple ports.
For example, in NLB unicast mode (see Figure 1):
• All servers within a cluster use the cluster's MAC address as their own address.
• Frames destined for the cluster are forwarded to every server in the group.
In this case, you can configure a multiport unicast MAC address entry on the device connected to the
server group. Then, the device forwards the frame destined for the server group to every server
through all ports connected to the servers within the cluster.

Figure 1 NLB cluster
[Diagram: a Device connected to the servers of an NLB cluster.]

You can configure a multiport unicast MAC address entry globally or on an interface.
Configuring a multiport unicast MAC address entry globally
1. Enter system view.
system-view
2. Add or modify a multiport unicast MAC address entry.
mac-address multiport mac-address interface interface-list vlan
vlan-id
By default, no multiport unicast MAC address entry is configured globally.
Make sure you have assigned the interface to the VLAN.
Configuring a multiport unicast MAC address entry on an interface
1. Enter system view.
system-view
2. Enter interface view.
   ◦ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
   ◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Add the interface to a multiport unicast MAC address entry.
mac-address multiport mac-address vlan vlan-id
By default, no multiport unicast MAC address entry is configured on an interface.
Make sure you have assigned the interface to the VLAN.

Setting the aging timer for dynamic MAC address entries
About this task
For security and efficient use of table space, the MAC address table uses an aging timer for each
dynamic MAC address entry. If a dynamic MAC address entry is not updated before the aging timer
expires, the device deletes the entry. This aging mechanism ensures that the MAC address table can
promptly update to accommodate latest network topology changes.
A stable network requires a longer aging interval, and an unstable network requires a shorter aging
interval.

An aging interval that is too long might cause the MAC address table to retain outdated entries. As a
result, the MAC address table resources might be exhausted, and the MAC address table might fail
to update its entries to accommodate the latest network changes.
An interval that is too short might result in removal of valid entries, which would cause unnecessary
floods and possibly affect the device performance.
To reduce floods on a stable network, set a long aging timer or disable the timer to prevent dynamic
entries from unnecessarily aging out. Reducing floods improves the network performance. Reducing
flooding also improves the security because it reduces the chances for a data frame to reach
unintended destinations.
Procedure
1. Enter system view.
system-view
2. Set the aging timer for dynamic MAC address entries.
mac-address timer { aging seconds | no-aging }
By default, the aging timer is 300 seconds for dynamic MAC address entries.

Disabling MAC address learning


About disabling MAC address learning
MAC address learning is enabled by default. To prevent the MAC address table from being saturated
when the device is experiencing attacks, disable MAC address learning. For example, you can
disable MAC address learning to prevent the device from being attacked by a large number of frames
with different source MAC addresses.
After MAC address learning is disabled, the device immediately deletes existing dynamic MAC
address entries.

Disabling global MAC address learning


Restrictions and guidelines
After you disable global MAC address learning, the device cannot learn MAC addresses on any
interfaces.
Global MAC address learning does not take effect on a VPLS VSI or VXLAN VSI. For information
about VPLS VSIs, see MPLS Configuration Guide. For information about VXLAN VSIs, see VXLAN
Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Disable global MAC address learning.
undo mac-address mac-learning enable
By default, global MAC address learning is enabled.

Disabling MAC address learning on an interface
About this task
When global MAC address learning is enabled, you can disable MAC address learning on a single
interface.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
   ◦ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
   ◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Disable MAC address learning on the interface.
undo mac-address mac-learning enable
By default, MAC address learning is enabled on an interface.

Disabling MAC address learning on a VLAN


About this task
When global MAC address learning is enabled, you can disable MAC address learning on a
per-VLAN basis.
Procedure
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Disable MAC address learning on the VLAN.
undo mac-address mac-learning enable
By default, MAC address learning on the VLAN is enabled.

Disabling the device from learning the source MAC addresses of Layer 2 protocol packets
About this task
As shown in Figure 2, the server attached to the device has two NICs that use the same MAC
address. The NICs send LLDP protocol packets sourced from the same MAC address to the device,
and that MAC address moves frequently between the server-facing interfaces of the device. To
resolve this issue, disable the device from learning the source MAC addresses of Layer 2 protocol
packets.

Figure 2 Frequent MAC moves caused by protocol packets
[Diagram: a Server connected to the Device.]

If you disable the device from learning the source MAC addresses of Layer 2 protocol packets, the
device does not learn the source MAC addresses of the following protocol packets:
• BPDUs destined for a MAC address in the range of 0x01-80-c2-00-00-00 to
0x01-80-c2-00-00-0f.
• GARP PDUs destined for a MAC address in the range of 0x01-80-c2-00-00-20 to
0x01-80-c2-00-00-2f.
• PVST BPDUs destined for MAC address 0x01-00-0c-cc-cc-cd.
Procedure
1. Enter system view.
system-view
2. Disable the device from learning the source MAC addresses of Layer 2 protocol packets.
undo mac-address mac-learning pdu
By default, the device learns the source MAC addresses of Layer 2 protocol packets.

Setting the MAC learning limit


About this task
This feature limits the MAC address table size. A large MAC address table will degrade forwarding
performance.
Restrictions and guidelines
The MAC learning limit does not control the number of MAC addresses learned in voice VLANs. For
more information, see "Configuring voice VLANs."
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Set the MAC learning limit on the interface.
mac-address max-mac-count count
By default, no MAC learning limit is configured on an interface.

Configuring the unknown frame forwarding rule after the MAC learning limit is reached
In this document, unknown frames refer to frames whose source MAC addresses are not in the MAC
address table.

About unknown frame forwarding rule configuration
You can enable or disable forwarding of unknown frames after the MAC learning limit is reached.

Configuring the device to forward unknown frames after the MAC learning limit on an interface is reached
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Configure the device to forward unknown frames received on the interface after the MAC
learning limit on the interface is reached.
mac-address max-mac-count enable-forwarding
By default, the device can forward unknown frames received on an interface after the MAC
learning limit on the interface is reached.

Assigning MAC learning priority to interfaces


About this task
The MAC learning priority mechanism assigns either low priority or high priority to an interface. An
interface with high priority can learn MAC addresses as usual. However, an interface with low priority
is not allowed to learn MAC addresses already learned on a high-priority interface.
The MAC learning priority mechanism can help defend your network against MAC address spoofing
attacks. In a network that performs MAC-based forwarding, an upper layer device MAC address
might be learned by a downlink interface because of a loop or attack to the downlink interface. To
avoid this issue, perform the following tasks:
• Assign high MAC learning priority to an uplink interface.
• Assign low MAC learning priority to a downlink interface.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
   ◦ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
   ◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Assign MAC learning priority to the interface.
mac-address mac-learning priority { high | low }
By default, low MAC learning priority is used.
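The effect of the MAC learning limit, the unknown frame forwarding rule, and MAC learning priority on a table under a flood of forged source addresses can be compared with the following model. It is an added example, not H3C code: PortCfg, ingress, flood, the port names, and the MAC labels are constructed, and it assumes the limit counts the dynamic entries currently learned on the interface and that a frame whose source MAC is known on another interface is treated like an unknown frame once the limit is reached.

```python
"""Model of per-interface MAC learning controls (added example, constructed names)."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class PortCfg:
    learning: bool = True                 # False = undo mac-address mac-learning enable
    max_mac_count: Optional[int] = None   # mac-address max-mac-count count
    forward_unknown: bool = True          # mac-address max-mac-count enable-forwarding
    high_priority: bool = False           # mac-address mac-learning priority high


def ingress(table, ports, port, src):
    """Decide what happens to the source MAC of a frame received on `port`.

    `table` maps MAC -> port for dynamic entries. Returns one of: refreshed,
    learning-disabled, blocked-by-priority, limit-forwarded, limit-dropped,
    moved, learned.
    """
    cfg = ports[port]
    owner = table.get(src)
    if owner == port:
        return "refreshed"
    if not cfg.learning:
        return "learning-disabled"
    # A low-priority interface cannot learn a MAC already learned on a
    # high-priority interface.
    if owner is not None and ports[owner].high_priority and not cfg.high_priority:
        return "blocked-by-priority"
    learned_here = sum(1 for p in table.values() if p == port)
    if cfg.max_mac_count is not None and learned_here >= cfg.max_mac_count:
        # Limit reached: the frame is forwarded or dropped, but never learned.
        return "limit-forwarded" if cfg.forward_unknown else "limit-dropped"
    table[src] = port
    return "moved" if owner is not None else "learned"


def flood(limit, forward_unknown=True, uplink_high=True, frames=1000):
    """Send `frames` forged source MACs into access1, then spoof the gateway MAC.

    Returns (table size, verdict counts, verdict for the spoofed gateway MAC,
    port that owns the gateway MAC afterwards).
    """
    ports = {
        "uplink": PortCfg(high_priority=uplink_high),
        "access1": PortCfg(max_mac_count=limit, forward_unknown=forward_unknown),
    }
    table = {}
    ingress(table, ports, "uplink", "gw-mac")        # gateway learned on the uplink
    verdicts = Counter(
        ingress(table, ports, "access1", f"forged-{i:04d}") for i in range(frames)
    )
    spoof = ingress(table, ports, "access1", "gw-mac")
    return len(table), dict(verdicts), spoof, table["gw-mac"]


if __name__ == "__main__":
    print("no limit, uplink high :", flood(None))
    print("limit 4, forwarding   :", flood(4))
    print("limit 4, no forwarding:", flood(4, forward_unknown=False))
    print("no limit, both low    :", flood(None, uplink_high=False))
```

Without a limit the table grows by one entry per forged address; with a limit of 4 it stops at five entries, and the gateway MAC stays on the uplink only while the uplink has high priority.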

Enabling MAC address synchronization
About this task
To avoid unnecessary floods and improve forwarding speed, make sure all member devices have the
same MAC address table. After you enable MAC address synchronization, each member device
advertises learned MAC address entries to other member devices.
As shown in Figure 3:
• Device A and Device B form an IRF fabric enabled with MAC address synchronization.
• Device A and Device B connect to AP C and AP D, respectively.
When Client A associates with AP C, Device A learns a MAC address entry for Client A and
advertises it to Device B.
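Figure 3 MAC address tables of devices when Client A accesses AP C
[Diagram: Device A and Device B form an IRF fabric. Device A connects to AP C through Port A1, and Device B connects to AP D through Port B1. Client A is shown with the APs. MAC address table labels (MAC address, Port): Device A: MAC A, A1; Device B: MAC A, A1.]
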

When Client A roams to AP D, Device B learns a MAC address entry for Client A. Device B
advertises it to Device A to ensure service continuity for Client A, as shown in Figure 4.

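Figure 4 MAC address tables of devices when Client A roams to AP D
[Diagram: Device A and Device B form an IRF fabric. Device A connects to AP C through Port A1, and Device B connects to AP D through Port B1. Client A is shown with the APs. MAC address table labels (MAC address, Port): Device A: MAC A, A1 B1; Device B: MAC A, B1.]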

Procedure
1. Enter system view.
system-view
2. Enable MAC address synchronization.
mac-address mac-roaming enable
By default, MAC address synchronization is disabled.

Configuring MAC address move notifications and suppression
About this task
The outgoing interface for a MAC address entry learned on interface A is changed to interface B
when the following conditions exist:
• Interface B receives a packet with the MAC address as the source MAC address.
• Interface B belongs to the same VLAN as interface A.
In this case, the MAC address is moved from interface A to interface B, and a MAC address move
occurs.
The MAC address move notifications feature enables the device to output MAC address move logs
when MAC address moves are detected.
If a MAC address is continuously moved between the two interfaces, Layer 2 loops might occur. To
detect and locate loops, you can view the MAC address move information. To display the MAC
address move records after the device is started, use the display mac-address mac-move
command.

If MAC address moves occur frequently on an interface, you can configure MAC address move
suppression so that the device shuts the interface down. The interface comes up automatically
after the suppression interval expires, or you can bring it up manually.
Restrictions and guidelines
After you configure MAC address move notifications, the system sends only log messages to the
information center module. If the device is also configured with the snmp-agent trap enable
mac-address command, the system also sends SNMP notifications to the SNMP module.
Procedure
1. Enter system view.
system-view
2. Enable MAC address move notifications and optionally specify a MAC move detection interval.
mac-address notification mac-move [ interval interval ]
By default, MAC address move notifications are disabled.
3. (Optional.) Set MAC address move suppression parameters.
mac-address notification mac-move suppression { interval interval | threshold threshold }
By default, the suppression interval is 30 seconds, and the suppression threshold is 3.
For the MAC address move suppression parameters to take effect, you must also enable MAC
address move suppression on a port.
4. Enter interface view.
○ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
○ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
5. Enable MAC address move suppression.
mac-address notification mac-move suppression
By default, MAC address move suppression is disabled.

Enabling ARP fast update for MAC address moves
About this task
ARP fast update for MAC address moves allows the device to update an ARP entry immediately after
the outgoing interface for a MAC address changes. This feature ensures data connection without
interruption.
As shown in Figure 5, a mobile user laptop accesses the network by connecting to AP 1 or AP 2.
When the AP to which the user connects changes, the device updates the ARP entry for the user
immediately after it detects a MAC address move.

Figure 5 ARP fast update application scenario
[Figure: Device connects to AP 1 through Port A and to AP 2 through Port B. The laptop accesses the network through AP 1 or AP 2.]

Procedure
1. Enter system view.
system-view
2. Enable ARP fast update for MAC address moves.
mac-address mac-move fast-update
By default, ARP fast update for MAC address moves is disabled.

Disabling static source check


About this task
By default, the static source check feature is enabled on an interface. The check identifies whether a
received frame meets the following conditions:
• The source MAC address of the frame matches a static MAC address entry.
• The incoming interface of the frame is different from the outgoing interface in the entry.
If the frame meets both conditions, the device drops the frame.
When this feature is disabled, the device does not perform the check for a received frame. It can
forward the frame whether or not the frame meets the conditions.
Restrictions and guidelines
To correctly forward traffic sourced from the MAC address of a VLAN interface, you must disable the
static source check feature on the Layer 2 interfaces in the VLAN.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
○ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
○ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
○ Enter Layer 3 Ethernet interface view.
interface interface-type interface-number
○ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
○ Enter IRF physical interface view.
interface interface-type interface-number
3. Disable the static source check feature.
undo mac-address static source-check enable
By default, the static source check feature is enabled.
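
The following Python model is an added example, not H3C code. It replays constructed frames through the static source check and the MAC address move rule described earlier on this page, and shows that a static entry keeps a spoofed source MAC from relocating the entry while a dynamic entry moves and leaves a move record. The class and method names, the documentation-range MAC 0000-5e00-5301, and the assumption that learning never overwrites a static entry are illustrative.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Entry:
    port: str
    static: bool = False


@dataclass
class MacTable:
    """Toy model of source-MAC handling on one switch (illustrative names)."""
    entries: dict = field(default_factory=dict)        # (vlan, mac) -> Entry
    moves: list = field(default_factory=list)          # (mac, vlan, old, new)
    check_disabled: set = field(default_factory=set)   # ports with the check undone

    def add_static(self, mac, port, vlan):
        self.entries[(vlan, mac.lower())] = Entry(port, static=True)

    def receive(self, src_mac, in_port, vlan):
        """Handle the source MAC of one received frame and return the action."""
        key = (vlan, src_mac.lower())
        entry = self.entries.get(key)
        if entry is None:
            self.entries[key] = Entry(in_port)
            return "learned"
        if entry.port == in_port:
            return "forward"
        if entry.static:
            # Static source check: the source MAC matches a static entry and the
            # incoming interface differs from the outgoing interface in the entry.
            if in_port in self.check_disabled:
                return "forward"   # check disabled: no drop, entry unchanged
            return "drop"
        # Dynamic entry seen on another interface in the same VLAN: MAC move.
        self.moves.append((key[1], vlan, entry.port, in_port))
        entry.port = in_port
        return "moved"

    def flapping(self, min_moves):
        """Return {(mac, vlan): ports} for addresses that moved >= min_moves times."""
        counts = Counter((mac, vlan) for mac, vlan, _, _ in self.moves)
        ports = {}
        for mac, vlan, old, new in self.moves:
            ports.setdefault((mac, vlan), set()).update((old, new))
        return {k: sorted(ports[k]) for k, n in counts.items() if n >= min_moves}


def demo():
    """Replay constructed frames; Host A's static entry is the one from this guide."""
    table = MacTable()
    table.add_static("000f-e235-dc71", "WGE1/0/1", 1)
    frames = [
        ("000f-e235-dc71", "WGE1/0/1", 1),   # Host A on its own port
        ("000f-e235-dc71", "WGE1/0/2", 1),   # Host A's MAC on another port
        ("0000-5e00-5301", "WGE1/0/2", 1),   # new dynamic address
        ("0000-5e00-5301", "WGE1/0/3", 1),   # same VLAN, other port: move
        ("0000-5e00-5301", "WGE1/0/2", 1),   # moves back
        ("0000-5e00-5301", "WGE1/0/3", 1),   # and again: loop candidate
        ("0000-5e00-5301", "WGE1/0/3", 2),   # other VLAN: separate entry
    ]
    return table, [table.receive(*frame) for frame in frames]


if __name__ == "__main__":
    table, actions = demo()
    print(actions)
    print(table.flapping(3))
```

Addresses returned by `flapping` correspond to the repeated moves between two interfaces that the guide associates with possible Layer 2 loops.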

Enabling SNMP notifications for the MAC address table
About this task
To report critical MAC address move events to an NMS, enable SNMP notifications for the MAC
address table. For MAC address move event notifications to be sent correctly, you must also
configure SNMP on the device.
When SNMP notifications are disabled for the MAC address table, the device sends the generated
logs to the information center. To display the logs, configure the log destination and output rule
in the information center.
For more information about SNMP and information center configuration, see the network
management and monitoring configuration guide for the device.
Procedure
1. Enter system view.
system-view
2. Enable SNMP notifications for the MAC address table.
snmp-agent trap enable mac-address [ mac-move ]
By default, SNMP notifications are enabled for the MAC address table.
When SNMP notifications are disabled for the MAC address table, the device sends syslog
messages to report important events in the MAC address table module.

Display and maintenance commands for MAC address table
Execute display commands in any view.

Task                                                         Command
Display MAC address table information.                       display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static ] [ interface interface-type interface-number ] | blackhole | multiport ] [ vlan vlan-id ] [ count ] ]
Display the aging timer for dynamic MAC address entries.     display mac-address aging-time
Display the system or interface MAC address learning state.  display mac-address mac-learning [ interface interface-type interface-number ]
Display the MAC address move records.                        display mac-address mac-move [ slot slot-number ]
Display MAC address statistics.                              display mac-address statistics

MAC address table configuration examples


Example: Configuring the MAC address table
Network configuration
As shown in Figure 6:
• Host A at MAC address 000f-e235-dc71 is connected to Twenty-FiveGigE 1/0/1 of Device and
belongs to VLAN 1.
• Host B at MAC address 000f-e235-abcd, which behaved suspiciously on the network, also
belongs to VLAN 1.
Configure the MAC address table as follows:
• To prevent MAC address spoofing, add a static entry for Host A in the MAC address table of
Device.
• To drop all frames destined for Host B, add a blackhole MAC address entry for Host B.
• Set the aging timer to 500 seconds for dynamic MAC address entries.
Figure 6 Network diagram
[Figure: Host A (000f-e235-dc71) connects to WGE1/0/1 on Device. Host B (000f-e235-abcd) also connects to Device.]

Procedure
# Add a static MAC address entry for MAC address 000f-e235-dc71 on Twenty-FiveGigE 1/0/1 that
belongs to VLAN 1.
<Device> system-view
[Device] mac-address static 000f-e235-dc71 interface twenty-fivegige 1/0/1 vlan 1

# Add a blackhole MAC address entry for MAC address 000f-e235-abcd that belongs to VLAN 1.
[Device] mac-address blackhole 000f-e235-abcd vlan 1

# Set the aging timer to 500 seconds for dynamic MAC address entries.
[Device] mac-address timer aging 500

Verifying the configuration


# Display the static MAC address entries for Twenty-FiveGigE 1/0/1.
[Device] display mac-address static interface twenty-fivegige 1/0/1
MAC Address      VLAN ID    State            Port/Nickname            Aging
000f-e235-dc71   1          Static           WGE1/0/1                 N

# Display the blackhole MAC address entries.
[Device] display mac-address blackhole
MAC Address      VLAN ID    State            Port/Nickname            Aging
000f-e235-abcd   1          Blackhole        N/A                      N

# Display the aging time of dynamic MAC address entries.
[Device] display mac-address aging-time
MAC address aging time: 500s.

Configuring MAC Information
About MAC Information
The MAC Information feature can generate syslog messages or SNMP notifications when MAC
address entries are learned or deleted. You can use these messages to monitor users leaving or
joining the network and to analyze network traffic.
The MAC Information feature buffers the MAC change syslog messages or SNMP notifications in a
queue. The device overwrites the oldest MAC address change written into the queue with the most
recent MAC address change when the following conditions exist:
• The MAC change notification interval has not expired.
• The queue has been exhausted.
To send a syslog message or SNMP notification immediately after it is created, set the queue length
to zero.

Enabling MAC Information


Restrictions and guidelines
For MAC Information to take effect, you must enable MAC Information both globally and on
interfaces.
Procedure
1. Enter system view.
system-view
2. Enable MAC Information globally.
mac-address information enable
By default, MAC Information is globally disabled.
3. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
4. Enable MAC Information on the interface.
mac-address information enable { added | deleted }
By default, MAC Information is disabled on an interface.

Configuring the MAC Information mode


About this task
The following MAC Information modes are available for sending MAC address changes:
• Syslog—The device sends syslog messages to notify MAC address changes. The device
sends syslog messages to the information center, which then outputs them to the monitoring
terminal. For more information about information center, see Network Management and
Monitoring Configuration Guide.
• Trap—The device sends SNMP notifications to notify MAC address changes. The device sends
SNMP notifications to the NMS. For more information about SNMP, see Network Management
and Monitoring Configuration Guide.

Procedure
1. Enter system view.
system-view
2. Configure the MAC Information mode.
mac-address information mode { syslog | trap }
The default setting is trap.

Setting the MAC change notification interval


About this task
To prevent syslog messages or SNMP notifications from being sent too frequently, you can set the
MAC change notification interval to a larger value.
Procedure
1. Enter system view.
system-view
2. Set the MAC change notification interval.
mac-address information interval interval
The default setting is 1 second.

Setting the MAC Information queue length


About this task
If the MAC Information queue length is 0, the device sends a syslog message or SNMP notification
immediately after learning or deleting a MAC address.
If the MAC Information queue length is not 0, the device stores MAC changes in the queue:
• The device overwrites the oldest MAC change written into the queue with the most recent MAC
change when the following conditions exist:
○ The MAC change notification interval has not expired.
○ The queue has been exhausted.
• The device sends syslog messages or SNMP notifications only when the MAC change notification
interval expires.
Procedure
1. Enter system view.
system-view
2. Set the MAC Information queue length.
mac-address information queue-length value
The default setting is 50.
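
The queue behavior described above and in "About MAC Information" matters for monitoring because a change that is overwritten in the queue is never reported. The following Python simulation is an added example, not H3C code. It assumes a periodic notification timer that starts at time 0 and sends the whole queue on expiry, and it uses constructed events with documentation-range MAC addresses.

```python
from collections import Counter, deque

# Constructed trace: (time in seconds, change type, MAC address).
EVENTS = [
    (1, "added", "0000-5e00-5301"),
    (2, "added", "0000-5e00-5302"),
    (3, "added", "0000-5e00-5303"),
    (4, "deleted", "0000-5e00-5301"),
    (5, "added", "0000-5e00-5304"),
    (25, "deleted", "0000-5e00-5302"),
]


def simulate(events, queue_length, interval):
    """Replay MAC changes through the MAC Information queue.

    Returns (batches, overwritten). batches is a list of (send_time, [events]);
    overwritten lists the changes that were replaced before being sent.
    """
    batches, overwritten = [], []
    queue = deque()
    next_expiry = interval          # assumption: periodic timer starting at t=0

    def flush_until(now):
        nonlocal next_expiry
        while next_expiry <= now:
            if queue:
                batches.append((next_expiry, list(queue)))
                queue.clear()
            next_expiry += interval

    for event in sorted(events, key=lambda e: e[0]):
        now = event[0]
        if queue_length == 0:
            batches.append((now, [event]))          # sent immediately
            continue
        flush_until(now)
        if len(queue) == queue_length:
            overwritten.append(queue.popleft())     # oldest change is lost
        queue.append(event)
    if queue:
        flush_until(next_expiry)                    # next expiry drains the rest
    return batches, overwritten


def min_queue_length(events, interval):
    """Smallest non-zero queue length that loses nothing for this trace."""
    per_window = Counter(t // interval for t, _, _ in events)
    return max(per_window.values(), default=0)


if __name__ == "__main__":
    sent, lost = simulate(EVENTS, queue_length=3, interval=20)
    print("sent:", sent)
    print("never reported:", lost)
    print("queue length needed:", min_queue_length(EVENTS, 20))
```

With a queue length of 3 and an interval of 20 seconds, the first two "added" changes in the burst are overwritten, so the log host sees 0000-5e00-5301 being deleted without ever seeing it join.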

MAC Information configuration examples
Example: Configuring MAC Information
Network configuration
Enable MAC Information on Twenty-FiveGigE 1/0/1 on Device in Figure 7 to send MAC address
changes in syslog messages to the log host, Host B, through interface Twenty-FiveGigE 1/0/2.
Figure 7 Network diagram
[Figure: Device connects to Host A (192.168.1.1/24) through WGE1/0/1, to Host B (192.168.1.2/24) through WGE1/0/2, and to Server (192.168.1.3/24) through WGE1/0/3.]

Restrictions and guidelines


When you edit file /etc/syslog.conf, follow these restrictions and guidelines:
• Comments must be on a separate line and must begin with a pound sign (#).
• No redundant spaces are allowed after the file name.
The logging facility name and the severity level specified in the /etc/syslog.conf file must be the
same as those configured on the device. Otherwise, the log information might not be output correctly
to the log host. The logging facility name and the severity level are configured by using the
info-center loghost and info-center source commands, respectively.
Procedure
1. Configure Device to send syslog messages to Host B:
# Enable the information center.
<Device> system-view
[Device] info-center enable
# Specify the log host 192.168.1.2/24 and specify local4 as the logging facility.
[Device] info-center loghost 192.168.1.2 facility local4
# Disable log output to the log host.
[Device] info-center source default loghost deny
To avoid output of unnecessary information, disable all modules from outputting logs to the
specified destination (loghost, in this example) before you configure an output rule.
# Configure an output rule to output to the log host MAC address logs that have a severity level
no lower than informational.
[Device] info-center source mac loghost level informational
2. Configure the log host, Host B:
Configure Solaris as follows. Configure other UNIX operating systems in the same way Solaris
is configured.
a. Log in to the log host as a root user.
b. Create a subdirectory named Device in directory /var/log/.

# mkdir /var/log/Device
c. Create file info.log in the Device directory to save logs from Device.
# touch /var/log/Device/info.log
d. Edit the file syslog.conf in directory /etc/ and add the following contents:
# Device configuration messages
local4.info /var/log/Device/info.log
In this configuration, local4 is the name of the logging facility that the log host uses to
receive logs, and info is the informational level. The UNIX system records the log
information that has a severity level no lower than informational to file
/var/log/Device/info.log.
e. Display the process ID of syslogd, end the syslogd process, and then restart syslogd
using the -r option to make the new configuration take effect.
# ps -ae | grep syslogd
147
# kill -HUP 147
# syslogd -r &
The device can output MAC address logs to the log host, which stores the logs to the specified
file.
3. Enable MAC Information on Device:
# Enable MAC Information globally.
[Device] mac-address information enable
# Configure the MAC Information mode as syslog.
[Device] mac-address information mode syslog
# Enable MAC Information on Twenty-FiveGigE 1/0/1 to enable the port to record MAC address
change information when the interface performs either of the following operations:
○ Learns a new MAC address.
○ Deletes an existing MAC address.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] mac-address information enable added
[Device-Twenty-FiveGigE1/0/1] mac-address information enable deleted
[Device-Twenty-FiveGigE1/0/1] quit
# Set the MAC Information queue length to 100.
[Device] mac-address information queue-length 100
# Set the MAC change notification interval to 20 seconds.
[Device] mac-address information interval 20

Contents
Bulk configuring interfaces
  About interface bulk configuration
  Restrictions and guidelines: Bulk interface configuration
  Procedure
  Display and maintenance commands for bulk interface configuration

Bulk configuring interfaces
About interface bulk configuration
You can enter interface range view to bulk configure multiple interfaces with the same feature
instead of configuring them one by one. For example, you can execute the shutdown command in
interface range view to shut down a range of interfaces.
To configure interfaces in bulk, you must configure an interface range and enter its view by using the
interface range or interface range name command.
The interface range created by using the interface range command is not saved to the running
configuration. You cannot use the interface range repeatedly. To create an interface range that can
be used repeatedly, use the interface range name command.

Restrictions and guidelines: Bulk interface configuration
When you bulk configure interfaces in interface range view, follow these restrictions and guidelines:
• In interface range view, only the commands supported by the first interface in the specified
interface list (alphabetically sorted) are available for configuration.
• Before you configure an interface as the first interface in an interface range, make sure you can
enter the view of the interface by using the interface interface-type
{ interface-number | interface-number.subnumber } command.
• Do not assign both an aggregate interface and any of its member interfaces to an interface
range. Some commands, after being executed on both an aggregate interface and its member
interfaces, can break up the aggregation.
• Understand that the more interfaces you specify, the longer the command execution time.
• To guarantee bulk interface configuration performance, configure fewer than 1000 interface
range names.
The device does not output prompt or alarm messages during the bulk interface configuration
process. Make sure you are fully aware of the device support and impacts of the bulk interface
configuration.
• After a command is executed in interface range view, one of the following situations might
occur:
○ The system displays an error message and stays in interface range view. This means that
the execution failed on one or multiple member interfaces.
− If the execution failed on the first member interface, the command is not executed on
any member interfaces.
− If the execution failed on a non-first member interface, the command takes effect on the
remaining member interfaces.
○ The system returns to system view. This means that:
− The command is supported in both system view and interface view.
− The execution failed on a member interface in interface range view and succeeded in
system view.
− The command is not executed on the subsequent member interfaces.
You can use the display this command to verify the configuration in interface view of
each member interface. In addition, if the configuration in system view is not needed, use
the undo form of the command to remove the configuration.

Procedure
1. Enter system view.
system-view
2. Create an interface range and enter interface range view.
○ Create an interface range without specifying a name.
interface range { interface-type interface-number [ to interface-type interface-number ] } &<1-24>
○ Create a named interface range.
interface range name name [ interface { interface-type interface-number [ to interface-type interface-number ] } &<1-24> ]
3. (Optional.) Display commands available for the first interface in the interface range.
Enter a question mark (?) at the interface range prompt.
4. Use available commands to configure the interfaces.
Available commands depend on the interface.
5. (Optional.) Verify the configuration.
display this

Display and maintenance commands for bulk interface configuration
Execute the display command in any view.

Task                                                                                                Command
Display information about the interface ranges created by using the interface range name command.  display interface range [ name name ]

Contents
Configuring Ethernet interfaces
  About Ethernet interface
  Configuring a management Ethernet interface
  Ethernet interface naming conventions
  Restrictions and guidelines for 25-GE interfaces
  Restrictions and guidelines for 10-GE interfaces
  Configuring common Ethernet interface settings
    Splitting a 40-GE interface and combining 10-GE breakout interfaces
    Splitting a 100-GE interface and combining 50-GE breakout interfaces
    Splitting a 100-GE interface and combining 10-GE breakout interfaces
    Splitting a 100-GE interface and combining 25-GE breakout interfaces
    Configuring basic settings of an Ethernet interface
    Configuring basic settings of an Ethernet subinterface
    Configuring the link mode of an Ethernet interface
    Configuring jumbo frame support
    Configuring physical state change suppression on an Ethernet interface
    Configuring dampening on an Ethernet interface
    Enabling link flapping protection on an interface
    Configuring FEC
    Configuring link compensation
    Configuring storm suppression
    Configuring generic flow control on an Ethernet interface
    Configuring PFC
    Setting PFC thresholds
    Configuring PFC deadlock detection
    Configuring the early warning thresholds for PFC packets
    Enabling energy saving features on an Ethernet interface
    Setting the statistics polling interval
    Enabling loopback testing on an Ethernet interface
    Forcibly bringing up a fiber port
    Setting the media type for an Ethernet interface
    Configuring interface alarm functions
    Restoring the default settings for an interface
  Configuring a Layer 2 Ethernet interface
    Configuring storm control on an Ethernet interface
    Changing a Layer 2 Ethernet interface to an FC interface
    Enabling bridging on an Ethernet interface
  Configuring a Layer 3 Ethernet interface or subinterface
    Setting the MTU for an Ethernet interface or subinterface
    Setting the MAC address of an Ethernet interface or subinterface
  Display and maintenance commands for Ethernet interfaces

Configuring Ethernet interfaces
About Ethernet interface
The Switch Series supports Ethernet interfaces, management Ethernet interfaces, Console
interfaces, and USB interfaces. For the interface types and the number of interfaces supported by a
switch model, see the installation guide.
This chapter describes how to configure management Ethernet interfaces and Ethernet interfaces.

Configuring a management Ethernet interface


About this task
A management interface uses an RJ-45/LC connector. You can connect the interface to a PC for
software loading and system debugging, or connect it to a remote NMS for remote system
management.
Each member device in an IRF system has a management Ethernet interface. For management link
backup, perform the following tasks:
1. Connect your PC to the management Ethernet interface on the master device.
2. Connect the PC to a management Ethernet interface with the same interface number on a
subordinate device.
The two management Ethernet interfaces operate as follows:
• When the IRF system has multiple management Ethernet interfaces, only the management
Ethernet interface on the master device processes management traffic.
• When the management Ethernet interface on the master device fails, the management
Ethernet interface on the subordinate device takes over to process management traffic.
• When the management Ethernet interface on the master device recovers, it takes over to
process management traffic again.
Procedure
1. Enter system view.
system-view
2. Enter management Ethernet interface view.
interface M-GigabitEthernet interface-number
3. (Optional.) Set the interface description.
description text
The default setting is M-GigabitEthernet0/0/0 Interface.
4. (Optional.) Set the duplex mode for the management Ethernet interface.
duplex { auto | full | half }
By default, the duplex mode is auto for a management Ethernet interface.
5. (Optional.) Set the speed for the management Ethernet interface.
speed { 10 | 100 | 1000 | auto }
By default, the speed is auto for a management Ethernet interface.
6. (Optional.) Shut down the interface.
shutdown

By default, the management Ethernet interface is up.

CAUTION:
Executing the shutdown command on an interface will disconnect the link of the interface and
interrupt communication. Use this command with caution.

Ethernet interface naming conventions


The Ethernet interfaces are named in the format of interface type A/B/C. The letters that follow the
interface type represent the following elements:
• A—IRF member ID. If the switch is not in an IRF fabric, A is 1 by default.
• B—Card slot number. 0 indicates the interface is a fixed interface of the switch.
• C—Port index.
For example, a 10-GE breakout interface split from a 40-GE interface is named in the format of
interface type A/B/C:D. A/B/C is the interface number of the 40-GE interface. D is the number of
the 10-GE interface, which is in the range of 1 to 4. For information about splitting a 40-GE interface,
see "Splitting a 40-GE interface and combining 10-GE breakout interfaces."

Restrictions and guidelines for 25-GE interfaces


25-GE interfaces can operate at 25 Gbps, 10 Gbps, or 1 Gbps.
• See Table 1 and Table 2 for the configuration requirements for interfaces operating at 25 Gbps.
• For a 25-GE interface on an S6850 or S9850 device to operate at 10 Gbps or 1 Gbps, execute
the speed command to configure the speed. For an interface to come up, make sure the speed
configured is the same as the speed of the transceiver module or cable installed in the interface.
For a 25-GE interface on an S6825 device to operate at 10 Gbps or 1 Gbps, you do not need to
execute the speed command to set the speed.
• A 25-GE breakout interface can operate only at 25 Gbps.
When you configure autonegotiation for a 25-GE interface, follow these restrictions and guidelines:
• When an SFP28 interface on an S6850-56HF or S6825-54HF device uses an SFP28 or SFP+
cable to connect to a peer interface that does not support autonegotiation, you must execute
the speed and duplex full commands on both ends. For an interface to come up, make
sure the speed configured by using the speed command is the same as the speed of the
transceiver module or cable installed in the interface.
• SFP28 interfaces on an LSWM124TG2H card do not support autonegotiation. When such an
interface uses an SFP+ transceiver module/cable or SFP transceiver module, you must
execute the speed and duplex full commands on both ends. For an interface to come up,
make sure the speed configured by using the speed command is the same as the speed of the
transceiver module or cable installed in the interface.
• When an SFP28 interface uses an SFP transceiver module except SFP-GE-T and SFP-GE-T-D
to connect to a peer interface, you must disable autonegotiation on the peer interface.
25-GE interfaces on an S6850-56HF switch are grouped as follows:
• For interfaces 1 through 24 and 33 through 56, four continuous interfaces starting from 1 or 33
are organized into one group.
• When you use the using twenty-fivegige command to split a 100-GE interface into four
25-GE breakout interfaces, the four breakout interfaces are organized into one group.
For 25-GE interfaces on an LSWM124TG2H interface module, four continuous interfaces starting
from 1 are organized into one group.

Interfaces in the same group must have the same speed settings. When you modify the speed of an
interface in a group, the modification takes effect on all interfaces in the group. When you use the
default command to restore the default settings for the interface, the speed will be restored to the
default for the interface and the other interfaces in the group.
For the following 25-GE interfaces, 12 contiguous interfaces in ascending order of interface number
are organized into one group. When one of the following 25-GE interfaces uses an
SFP-XG-LX-SM1310-D (0231A1RQ) transceiver module, for the transceiver module to operate
correctly, you must set the same speed for interfaces in the same group as the interface.
• Interfaces 1 through 24 and interfaces 33 through 56 on an S6850-56HF switch. When you set
the speed for an interface, the speed is set for four interfaces in the same group as the
interface.
• Interfaces 1 through 24 and interfaces 31 through 54 on an S6825-54HF switch.
• Interfaces 1 through 24 on an LSWM124TG2H card. When you set the speed for an interface,
the speed is set for four interfaces in the same group as the interface.
For example, when interface 3 on an S6850-56HF switch uses an SFP-XG-LX-SM1310-D
transceiver module, interfaces 1 through 12 must be configured to operate at 10 Gbps for the
transceiver module to operate properly. When you set the speed for an interface, set the speed for
four interfaces in the same group as prompted.
For 25-GE interfaces on an LSWM124TG2H interface module, you must use the port
media-type { copper | fiber } command to set the media type. Set the media type to fiber
for an interface that uses a transceiver module or fiber cable. Set the media type to copper for an
interface that uses a copper cable. The media type of interfaces in the same group is the same.
When you set the media type for any interface in a group, the setting is synchronized to the other
interfaces in the group.
When a local 25-GE interface on an S6825-54HF, S6850-56HF, or S9850-32H switch is connected
to a peer 25-GE interface on a different device, the interface configuration requirements are as
shown in Table 1. For interfaces to operate properly, you must enable link compensation (also known
as training or CL72) on both ends when the interfaces are connected by using a copper cable. This
requirement is not otherwise described in Table 1.
In Table 1, the 25-GE interfaces are supposed to be connected when they use the default settings.
Table 1 States of a local 25-GE interface on an S6825-54HF, S6850-56HF, or S9850-32H switch

Peer device: S6820 switch series
Local interface state and operations for bringing the interface up:
By default, the local interface is down.
• When the local interface is connected to the peer by using a cable, perform the following
operations:
  ◦ Configure the local interface to operate in the same speed and duplex mode as the peer
    interface. Do not configure autonegotiation settings.
  ◦ Set the FEC mode to BASE-R FEC for the local interface.
  ◦ Execute the port media-type copper command on the peer interface if the peer interface is
    one of Twenty-FiveGigE1/0/1 through Twenty-FiveGigE1/0/8 and Twenty-FiveGigE1/0/49 through
    Twenty-FiveGigE1/0/56 on an S6820-56HF switch or an SFP28 interface on an LSWM124TG2H
    interface module.
• When the local interface is connected to the peer by using a transceiver module, set the FEC
mode to BASE-R FEC for the local interface.

Peer device: 25-GE breakout interfaces split from interfaces 1 through 32 on an S9820-64H switch
Local interface state and operations for bringing the interface up:
Up by default.

Peer device: 25-GE breakout interfaces split from interfaces 33 through 64 on an S9820-64H switch
Local interface state and operations for bringing the interface up:
• By default, the local interface is down when connected to the peer by using a cable. To bring up
the local interface, perform the following operations:
  ◦ Configure the local interface to operate in the same speed and duplex mode as the peer
    interface. Do not configure autonegotiation settings.
  ◦ Set the FEC mode to RS-FEC for the local interface.
• The local interface is up by default when connected to the peer by using a transceiver module.

Peer device: S9850-4C, S6850-2C
Local interface state and operations for bringing the interface up:
• By default, the local interface is down when connected to the peer by using a cable. To bring up
the local interface, perform the following operations:
  ◦ Configure the local interface to operate in the same speed and duplex mode as the peer
    interface. Do not configure autonegotiation settings.
  ◦ Set the FEC mode to RS-FEC for the local interface.
  ◦ Execute the port media-type copper command on the peer interface if the peer interface is
    an SFP28 interface on an LSWM124TG2H interface module.
• The local interface is up by default when connected to the peer by using a transceiver module.

Peer device: S6825-54HF, S6850-56HF, S9850-32H
Local interface state and operations for bringing the interface up:
Up by default.

When a local 25-GE interface on an S9850-4C or S6850-2C switch is connected to a peer 25-GE
interface on a different device, the interface configuration requirements are as shown in Table 2. For
interfaces to operate properly, you must enable link compensation (also known as training or CL72)
on both ends when the interfaces are connected by using a copper cable. This requirement is not
otherwise described in Table 2.
In Table 2, the 25-GE interfaces (including 25-GE breakout interfaces split from a 100-GE interface)
are supposed to be connected when they use the default settings.
Table 2 States of a local 25-GE interface on an S9850-4C or S6850-2C switch

Peer device: S6820 switch series
Local interface state and operations for bringing the interface up:
By default, the local interface is down.
• When the local interface is connected to the peer by using a cable, perform the following
operations to bring up the interface:
  ◦ Set the FEC mode to BASE-R FEC for the local interface.
  ◦ Execute the port media-type copper command on the local interface if the local interface is
    an SFP28 interface on an LSWM124TG2H interface module.
  ◦ Execute the port media-type copper command on the peer interface if the peer interface is
    one of Twenty-FiveGigE1/0/1 through Twenty-FiveGigE1/0/8 and Twenty-FiveGigE1/0/49 through
    Twenty-FiveGigE1/0/56 on an S6820-56HF switch or an SFP28 interface on an LSWM124TG2H
    interface module.
• When the local interface is connected to the peer by using a transceiver module, set the FEC
mode to BASE-R FEC for the local interface.

Peer device: 25-GE breakout interfaces split from interfaces 1 through 32 on an S9820-64H switch
Local interface state and operations for bringing the interface up:
• By default, the local interface is down when connected to the peer by using a cable. To bring up
the local interface, perform the following operations:
  ◦ Configure the peer interface to operate in the same speed and duplex mode as the local
    interface. Do not configure autonegotiation settings.
  ◦ Set the FEC mode to RS-FEC for the peer interface.
  ◦ Execute the port media-type copper command on the local interface if the local interface is
    an SFP28 interface on an LSWM124TG2H interface module.
• The local interface is up by default when connected to the peer by using a transceiver module.

Peer device: 25-GE breakout interfaces split from interfaces 33 through 64 on an S9820-64H switch
Local interface state and operations for bringing the interface up:
• When the local interface is connected to the peer by using a cable, execute the port media-type
copper command on the local interface if the local interface is an SFP28 interface on an
LSWM124TG2H interface module.
• When the local interface is connected to the peer by using a transceiver module, the local
interface is up by default.

Peer device: S9850-4C, S6850-2C
Local interface state and operations for bringing the interface up:
• When the local interface is connected to the peer by using a cable, execute the port media-type
copper command on both the local interface and peer interface if the interfaces are SFP28
interfaces on LSWM124TG2H interface modules.
• When the local interface is connected to the peer by using a transceiver module, the local
interface is up by default.

Peer device: S6825-54HF, S6850-56HF, S9850-32H
Local interface state and operations for bringing the interface up:
• By default, the local interface is down when connected to the peer by using a cable. To bring up
the local interface, perform the following operations:
  ◦ Configure the peer interface to operate in the same speed and duplex mode as the local
    interface. Do not configure autonegotiation settings.
  ◦ Set the FEC mode to RS-FEC for the peer interface.
  ◦ Execute the port media-type copper command on the local interface if the local interface is
    an SFP28 interface on an LSWM124TG2H interface module.
• The local interface is up by default when connected to the peer by using a transceiver module.

Restrictions and guidelines for 10-GE interfaces


When an interface on an LSWM124XG2QL card uses a 1000-Mbps SFP transceiver module, the
interface does not support speed or duplex mode autonegotiation. You must manually execute the
speed 1000 and duplex full commands on both ends.
When an SFP+ interface uses an SFP transceiver module except SFP-GE-T and SFP-GE-T-D to
connect to a peer interface, you must disable autonegotiation on the peer interface.
When a 10GBase-T Ethernet interface on an S6805-54HT device operates at 1 Gbps, you must
execute the speed 1000 command on the local end.
When the speed and duplex commands or their undo forms are executed on a 10GBase-T
Ethernet interface on an S6805-54HT device or its peer interface, the interface will go down and then
come up.

Configuring common Ethernet interface settings


This section describes the settings common to Layer 2 Ethernet interfaces, Layer 3 Ethernet
interfaces, and Layer 3 Ethernet subinterfaces. For more information about the settings specific to
Layer 2 Ethernet interfaces, see "Configuring a Layer 2 Ethernet interface." For more information
about the settings specific to Layer 3 Ethernet interfaces or subinterfaces, see "Configuring a Layer
3 Ethernet interface or subinterface."

Splitting a 40-GE interface and combining 10-GE breakout interfaces
About this task
You can use a 40-GE interface as a single interface. To improve port density, reduce costs, and
improve network flexibility, you can also split a 40-GE interface into four 10-GE breakout interfaces.
The 10-GE breakout interfaces support the same configuration and attributes as common 10-GE
interfaces, except that they are numbered differently.
For example, you can split 40-GE interface FortyGigE 1/0/1 into four 10-GE breakout interfaces
Ten-GigabitEthernet 1/0/1:1 through Ten-GigabitEthernet 1/0/1:4.
If you need higher bandwidth on a single interface, you can combine the four 10-GE breakout
interfaces into a 40-GE interface.
Hardware and feature compatibility
The S6805 and S6825 switch series do not support this feature.
Restrictions and guidelines for 40-GE interface splitting and 10-GE breakout interface
combining
• A 40-GE interface split into four 10-GE breakout interfaces must use a dedicated 1-to-4 cable.
After you combine the four 10-GE breakout interfaces, replace the dedicated 1-to-4 cable with a
dedicated 1-to-1 cable or a 40-GE transceiver module. For more information about the cable or
transceiver module, see the installation guides.
• Device reboot is not required for this feature to take effect. You can view the split or combined
interface by using the display interface brief command.
• When the LSWM18QC interface module is installed in slot 2 on the S9850-4C switch, the
interface numbered 8 on the interface module cannot be split.
• When the LSWM124XG2Q, LSWM124XGT2Q, LSWM124XG2QFC, or LSWM124XG2QL
interface module is installed in slot 2 on the S9850-4C switch, the interface numbered 25 on
the interface module cannot be split.
• None of the interfaces on the LSWM116Q interface module can be split.
• An interface with any of the following configurations cannot be split:
  ◦ IRF physical interface.
  ◦ Service loopback group member.
  ◦ Reflector port for mirroring.
  ◦ Forcibly bringing up a fiber port.
Splitting a 40-GE interface into four 10-GE breakout interfaces
1. Enter system view.
system-view
2. Enter 40-GE interface view.
interface fortygige interface-number
3. Split the 40-GE interface into four 10-GE breakout interfaces.
using tengige
By default, a 40-GE interface is not split and operates as a single interface.
Combining four 10-GE breakout interfaces into a 40-GE interface
1. Enter system view.
system-view

2. Enter the view of any 10-GE breakout interface.
interface ten-gigabitethernet interface-number
3. Combine the four 10-GE breakout interfaces into a 40-GE interface.
using fortygige
By default, a 10-GE breakout interface operates as a single interface.

Splitting a 100-GE interface and combining 50-GE breakout interfaces
About this task
You can use a 100-GE interface as a single interface. To improve port density, reduce costs, and
improve network flexibility, you can also split a 100-GE interface into two 50-GE breakout interfaces.
The 50-GE breakout interfaces support the same configuration and attributes as common 50-GE
interfaces, except that they are numbered differently.
For example, you can split 100-GE interface HundredGigE 1/0/1 into two 50-GE breakout interfaces
FiftyGigE 1/0/1:1 and FiftyGigE 1/0/1:2.
If you need higher bandwidth on a single interface, you can combine the two 50-GE breakout
interfaces into a 100-GE interface.
Hardware and feature compatibility
This feature is supported only on the S9850-32H switches.
The interface numbered 31 on an S9850-32H switch cannot be split by default. To split this interface,
first enable the hardware resource flex mode for the device by using the hardware-resource
flex-mode enable command. For more information about the hardware resource flex mode, see
Fundamentals Configuration Guide.
Restrictions and guidelines for 100-GE interface splitting and 50-GE breakout interface
combining
• This feature is supported only in Release 6616 and later.
• A 100-GE interface split into two 50-GE breakout interfaces must use a dedicated cable. After
you combine the breakout interfaces, use a dedicated 1-to-1 cable or a 100-GE transceiver
module. For more information about the cable or transceiver module, see the installation
guides.
• Device reboot is not required for this feature to take effect. You can view the split or combined
interface by using the display interface brief command.
• An interface with any of the following configurations cannot be split:
  ◦ IRF physical interface.
  ◦ Service loopback group member.
  ◦ Reflector port for mirroring.
  ◦ Forcibly bringing up a fiber port.
Splitting a 100-GE interface into two 50-GE breakout interfaces
1. Enter system view.
system-view
2. Enter 100-GE interface view.
interface hundredgige interface-number
3. Split the 100-GE interface into two 50-GE breakout interfaces.
using fiftygige

By default, a 100-GE interface is not split and operates as a single interface.
Combining two 50-GE breakout interfaces into a 100-GE interface
1. Enter system view.
system-view
2. Enter the view of any 50-GE breakout interface.
interface fiftygige interface-number
3. Combine the two 50-GE breakout interfaces into a 100-GE interface.
using hundredgige
By default, a 100-GE interface is not split and operates as a single interface.

Splitting a 100-GE interface and combining 10-GE breakout interfaces
About this task
You can use a 100-GE interface as a single interface. To improve port density, reduce costs, and
improve network flexibility, you can split a 100-GE interface with a split-capable transceiver module
installed into four 10-GE breakout interfaces. The 10-GE breakout interfaces support the same
configuration and attributes as common 10-GE interfaces, except that they are numbered differently.
For example, you can split 100-GE interface HundredGigE 1/0/1 into four 10-GE breakout interfaces
Ten-GigabitEthernet1/0/1:1 through Ten-GigabitEthernet1/0/1:4.
If you need higher bandwidth on a single interface, you can combine the multiple 10-GE breakout
interfaces into a 100-GE interface.
Hardware and feature compatibility
On an S6805-54HT device, interfaces 51 and 52 can be split into 10-GE or 25-GE breakout
interfaces in Release 6635 and later. On an S6805-54HF device, interfaces 27 and 28 can be split
into 10-GE or 25-GE breakout interfaces.
On an S6825-54HF device, interfaces 27 and 28 can be split into 10-GE or 25-GE breakout
interfaces in Release 6635 and later.
Restrictions and guidelines for 100-GE interface splitting and 10-GE breakout interface
combining
A 100-GE interface split into multiple 10-GE breakout interfaces must use a dedicated cable. After
you combine the multiple 10-GE breakout interfaces, replace the dedicated cable with a dedicated
1-to-1 cable or a 100-GE transceiver module. For more information about the cable or transceiver
module, see the installation guides.
After configuring this feature, you do not need to reboot the device. To view information about the
breakout interfaces, execute the display interface brief command.
The interface numbered 31 on the S6850-56HF switch cannot be split.
The interface numbered 31 on an S9850-32H switch cannot be split by default. To split this interface,
first enable the hardware resource flex mode for the device by using the hardware-resource
flex-mode enable command. For more information about the hardware resource flex mode, see
Fundamentals Configuration Guide.
When the LSWM18CQ or LSWM18CQMSEC interface module is installed in slot 2 on the
S9850-4C switch, the interface numbered 7 on the interface module cannot be split.
When the LSWM124TG2H interface module is installed in slot 2 on the S9850-4C switch, the
interface numbered 25 on the interface module cannot be split.
An interface with any of the following configurations cannot be split:

• IRF physical interface.
• Service loopback group member.
• Reflector port for mirroring.
• Forcibly bringing up a fiber port.
Splitting a 100-GE interface into multiple 10-GE breakout interfaces
1. Enter system view.
system-view
2. Enter 100-GE interface view.
interface hundredgige interface-number
3. Split the 100-GE interface into multiple 10-GE breakout interfaces.
using tengige
By default, a 100-GE interface is not split and operates as a single interface.
Combining multiple 10-GE breakout interfaces into a 100-GE interface
1. Enter system view.
system-view
2. Enter the view of any 10-GE breakout interface.
interface ten-gigabitethernet interface-number
3. Combine the multiple 10-GE breakout interfaces into a 100-GE interface.
using hundredgige
By default, a 10-GE breakout interface operates as a single interface.

Splitting a 100-GE interface and combining 25-GE breakout interfaces
About this task
You can use a 100-GE interface as a single interface. To improve port density, reduce costs, and
improve network flexibility, you can also split a 100-GE interface into four 25-GE breakout interfaces.
The 25-GE breakout interfaces support the same configuration and attributes as common 25-GE
interfaces, except that they are numbered differently.
For example, you can split 100-GE interface HundredGigE 1/0/1 into four 25-GE breakout interfaces
Twenty-FiveGigE 1/0/1:1 through Twenty-FiveGigE 1/0/1:4.
If you need higher bandwidth on a single interface, you can combine the four 25-GE breakout
interfaces into a 100-GE interface.
Hardware and feature compatibility
On an S6805-54HT device, interfaces 51 and 52 can be split into 10-GE or 25-GE breakout
interfaces in Release 6635 and later. On an S6805-54HF device, interfaces 27 and 28 can be split
into 10-GE or 25-GE breakout interfaces.
On an S6825-54HF device, interfaces 27 and 28 can be split into 10-GE or 25-GE breakout
interfaces in Release 6635 and later.
Restrictions and guidelines for 100-GE interface splitting and 25-GE breakout interface
combining
A 100-GE interface split into four 25-GE breakout interfaces must use a dedicated 1-to-4 cable. After
you combine the four 25-GE breakout interfaces, replace the dedicated 1-to-4 cable with a dedicated
1-to-1 cable or a 100-GE transceiver module. For more information about the cable or transceiver
module, see the installation guides.

After configuring this feature, you do not need to reboot the device. To view information about the
breakout interfaces, execute the display interface brief command.
The interface numbered 31 on the S6850-56HF switch cannot be split.
The interface numbered 31 on an S9850-32H switch cannot be split by default. To split this interface,
first enable the hardware resource flex mode for the device by using the hardware-resource
flex-mode enable command. For more information about the hardware resource flex mode, see
Fundamentals Configuration Guide.
When the LSWM18CQ or LSWM18CQMSEC interface module is installed in slot 2 on the
S9850-4C switch, the interface numbered 7 on the interface module cannot be split.
When the LSWM124TG2H interface module is installed in slot 2 on the S9850-4C switch, the
interface numbered 25 on the interface module cannot be split.
An interface with any of the following configurations cannot be split:
• IRF physical interface.
• Service loopback group member.
• Reflector port for mirroring.
• Forcibly bringing up a fiber port.
Splitting a 100-GE interface into four 25-GE breakout interfaces
1. Enter system view.
system-view
2. Enter 100-GE interface view.
interface hundredgige interface-number
3. Split the 100-GE interface into four 25-GE breakout interfaces.
using twenty-fivegige
By default, a 100-GE interface is not split and operates as a single interface.
Combining four 25-GE breakout interfaces into a 100-GE interface
1. Enter system view.
system-view
2. Enter the view of any 25-GE breakout interface.
interface twenty-fivegige interface-number
3. Combine the four 25-GE breakout interfaces into a 100-GE interface.
using hundredgige
By default, a 25-GE breakout interface operates as a single interface.

Configuring basic settings of an Ethernet interface


About this task
You can configure an Ethernet interface to operate in one of the following duplex modes:
• Full-duplex mode—The interface can send and receive packets simultaneously.
• Half-duplex mode—The interface can only send or receive packets at a given time.
• Autonegotiation mode—The interface negotiates a duplex mode with its peer.
You can set the speed of an Ethernet interface or enable it to automatically negotiate a speed with its
peer.

Restrictions and guidelines
When a 25-GE or 10-GE interface connects to a peer through a 1-Gbps transceiver module, you
must disable autonegotiation on the peer interface.
The shutdown and port up-mode commands are mutually exclusive.
The shutdown command cannot be configured on an Ethernet interface in a loopback test.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Set the description for the Ethernet interface.
description text
The default setting is interface-name Interface. For example, Twenty-FiveGigE1/0/1
Interface.
4. Set the duplex mode for the Ethernet interface.
duplex { auto | full | half }
By default, the duplex mode is auto for Ethernet interfaces.
Fiber ports do not support the half keyword.
5. Set the speed for the Ethernet interface.
speed { 10 | 100 | 1000 | 10000 | 25000 | 40000 | 100000 | auto }
By default, an Ethernet interface negotiates a speed with its peer.
6. Set the expected bandwidth for the Ethernet interface.
bandwidth bandwidth-value
By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.
7. Bring up the Ethernet interface.
undo shutdown
By default, Ethernet interfaces are in up state.

Configuring basic settings of an Ethernet subinterface


About this task
By default, a Layer 3 Ethernet subinterface processes packets for only the VLAN whose ID is the
same as the subinterface number.
Restrictions and guidelines for Ethernet subinterface basic settings
The shutdown command cannot be configured on an Ethernet interface in a loopback test.
Procedure
1. Enter system view.
system-view
2. Create an Ethernet subinterface.
interface interface-type interface-number.subnumber
3. Set the description for the Ethernet subinterface.
description text

The default setting is interface-name Interface. For example, Twenty-FiveGigE1/0/1.1
Interface.
4. Set the expected bandwidth for the Ethernet subinterface.
bandwidth bandwidth-value
By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.
5. Bring up the Ethernet subinterface.
undo shutdown
By default, Ethernet subinterfaces are in up state.

Configuring the link mode of an Ethernet interface


About this task
Interfaces on the device can operate either as Layer 2 or Layer 3 Ethernet interfaces. You can use
commands to set the link mode to bridge or route.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Configure the link mode of the Ethernet interface.
port link-mode { bridge | route }
By default, all Ethernet interfaces on the device operate in bridge mode.

CAUTION:
After you change the link mode of an Ethernet interface, all commands (except the
description, duplex, jumboframe enable, speed, and shutdown commands) on
the Ethernet interface are restored to their defaults in the new link mode.

Configuring jumbo frame support


About this task
Jumbo frames are frames larger than 1536 bytes and are typically received by an Ethernet interface
during high-throughput data exchanges, such as file transfers.
The Ethernet interface processes jumbo frames in the following ways:
• When the Ethernet interface is configured to deny jumbo frames (by using the undo
jumboframe enable command), the Ethernet interface discards jumbo frames.
• When the Ethernet interface is configured with jumbo frame support, the Ethernet interface
performs the following operations:
  ◦ Processes jumbo frames within the specified length.
  ◦ Discards jumbo frames that exceed the specified length.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number

3. Configure jumbo frame support.
jumboframe enable [ size ]
By default, the device allows jumbo frames within 9416 bytes to pass through.
If you set the size argument multiple times, the most recent configuration takes effect.

Configuring physical state change suppression on an Ethernet interface
About this task
The physical link state of an Ethernet interface is either up or down. Each time the physical link of an
interface comes up or goes down, the interface immediately reports the change to the CPU. The
CPU then performs the following operations:
• Notifies the upper-layer protocol modules (such as routing and forwarding modules) of the
change for guiding packet forwarding.
• Automatically generates traps and logs to prompt users to take the correct actions.
To prevent frequent physical link flapping from affecting system performance, configure physical
state change suppression. You can configure this feature to suppress only link-down events, only
link-up events, or both. If an event of the specified type still exists when the suppression interval
expires, the system reports the event to the CPU.
Restrictions and guidelines
Do not enable this feature on an interface that has RRPP, spanning tree protocols, or Smart Link
enabled.
You can configure different suppression intervals for link-up and link-down events.
If you execute the link-delay command multiple times on an interface, the following rules apply:
• You can configure the suppression intervals for link-up and link-down events separately.
• If you configure the suppression interval multiple times for link-up or link-down events, the most
recent configuration takes effect.
The link-delay, dampening, and port link-flap protect enable commands are
mutually exclusive on an Ethernet interface.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Configure physical state change suppression.
link-delay { down | up } [ msec ] delay-time
By default, each time the physical link of an interface comes up or goes down, the interface
immediately reports the change to the CPU.

Configuring dampening on an Ethernet interface


About this task
The interface dampening feature uses an exponential decay mechanism to prevent excessive
interface flapping events from adversely affecting routing protocols and routing tables in the network.
Suppressing interface state change events protects the system resources.

If an interface is not dampened, its state changes are reported. For each state change, the system
also generates an SNMP trap and log message.
After a flapping interface is dampened, it does not report its state changes to the CPU. For state
change events, the interface only generates SNMP trap and log messages.
Parameters
• Penalty—The interface has an initial penalty of 0. When the interface flaps, the penalty
increases by 1000 for each down event until the ceiling is reached. It does not increase for up
events. When the interface stops flapping, the penalty decreases by half each time the half-life
timer expires until the penalty drops to the reuse threshold.
• Ceiling—The penalty stops increasing when it reaches the ceiling.
• Suppress-limit—The accumulated penalty that triggers the device to dampen the interface. In
dampened state, the interface does not report its state changes to the CPU. For state change
events, the interface only generates SNMP traps and log messages.
• Reuse-limit—When the accumulated penalty decreases to this reuse threshold, the interface is
not dampened. Interface state changes are reported to the upper layers. For each state change,
the system also generates an SNMP trap and log message.
• Decay—The amount of time (in seconds) after which a penalty is decreased.
• Max-suppress-time—The maximum amount of time the interface can be dampened. If the
penalty is still higher than the reuse threshold when this timer expires, the penalty stops
increasing for down events. The penalty starts to decrease until it drops below the reuse
threshold.
When configuring the dampening command, follow these rules to set the values mentioned above:

• The ceiling is equal to 2^(Max-suppress-time/Decay) × reuse-limit. It is not user configurable.
• The configured suppress limit is lower than or equal to the ceiling.
• The ceiling is lower than or equal to the maximum suppress limit supported.
Figure 1 shows the change rule of the penalty value. The lines t0 and t2 indicate the start time and
end time of the suppression, respectively. The period from t0 to t2 indicates the suppression period, t0
to t1 indicates the max-suppress-time, and t1 to t2 indicates the complete decay period.

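Figure 1 Change rule of the penalty value
[Figure: penalty plotted against time. Horizontal levels mark the ceiling, suppress limit, and
reuse limit; vertical lines mark t0, t1, and t2. The interface is not suppressed before t0,
suppressed from t0 to t2, and not suppressed after t2.]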

Restrictions and guidelines


• The dampening, link-delay, and port link-flap protect enable commands are
mutually exclusive on an interface.
• The dampening command does not take effect on administratively down events. When
you execute the shutdown command, the penalty is reset to 0, and the interface reports the
down event to the upper-layer protocols.
• Do not enable the dampening feature on an interface with RRPP, MSTP, or Smart Link enabled.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Enable dampening on the interface.
dampening [ half-life reuse suppress max-suppress-time ]
By default, interface dampening is disabled on Ethernet interfaces.
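
The penalty rules in this section can be modelled directly to see how a flap sequence is handled. The following Python model is an added example, not H3C code. It assumes that the penalty decays smoothly between events and that the down event that crosses the suppress limit is itself not reported; the argument values and the flap sequence are constructed samples.

```python
"""Interface dampening penalty model (added example, not H3C code)."""
import math
from dataclasses import dataclass, field

PENALTY_PER_DOWN = 1000  # from the guide: each down event adds 1000

# Constructed sample arguments, in the order the dampening command takes them.
SAMPLE = dict(half_life=54, reuse=750, suppress=2000, max_suppress_time=162)

# Constructed flap sequence: (seconds, new link state).
FLAPS = [(0, "down"), (1, "up"), (2, "down"), (3, "up"),
         (4, "down"), (5, "up"), (200, "down")]


@dataclass
class Dampening:
    half_life: float          # "Decay" in the guide, in seconds
    reuse: float              # reuse-limit
    suppress: float           # suppress-limit
    max_suppress_time: float  # in seconds
    penalty: float = field(default=0.0, init=False)
    suppressed: bool = field(default=False, init=False)
    _clock: float = field(default=0.0, init=False)

    def __post_init__(self):
        # Ceiling = 2^(max-suppress-time / decay) x reuse-limit (not configurable).
        self.ceiling = 2 ** (self.max_suppress_time / self.half_life) * self.reuse
        if self.suppress > self.ceiling:
            raise ValueError(
                f"suppress limit {self.suppress} exceeds ceiling {self.ceiling}")

    def _decay_to(self, now):
        if now < self._clock:
            raise ValueError("events must be in time order")
        # Assumption: the penalty halves smoothly over each half-life.
        self.penalty *= 0.5 ** ((now - self._clock) / self.half_life)
        self._clock = now
        if self.suppressed and self.penalty <= self.reuse:
            self.suppressed = False

    def link_event(self, now, state):
        """Apply one physical state change. Return True if it is reported
        to the upper layers, False if the interface is dampened."""
        self._decay_to(now)
        if state == "down":  # up events do not add penalty
            self.penalty = min(self.penalty + PENALTY_PER_DOWN, self.ceiling)
            if self.penalty >= self.suppress:
                self.suppressed = True  # assumption: this event is not reported
        return not self.suppressed

    def remaining_suppression(self):
        """Seconds without flaps until the penalty decays to the reuse limit."""
        if not self.suppressed:
            return 0.0
        return max(0.0, self.half_life * math.log2(self.penalty / self.reuse))


def replay(model, events):
    """Feed events through the model; return (time, state, penalty, reported)."""
    rows = []
    for now, state in events:
        reported = model.link_event(now, state)
        rows.append((now, state, round(model.penalty, 1), reported))
    return rows


if __name__ == "__main__":
    for row in replay(Dampening(**SAMPLE), FLAPS):
        print(row)
```

With these sample values the ceiling is 6000, so an interface that has reached the ceiling needs exactly the max-suppress-time (162 seconds) without flaps to decay to the reuse limit.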

Enabling link flapping protection on an interface


About this task
Link flapping on an interface changes network topology and increases the system overhead. For
example, in an active/standby link scenario, when interface status on the active link changes
between UP and DOWN, traffic switches between active and standby links. To solve this problem,
configure this feature on the interface.
With this feature enabled on an interface, when the interface goes down, the system enables link
flapping detection. During the link flapping detection interval, if the number of detected flaps reaches
or exceeds the link flapping detection threshold, the system shuts down the interface.

Restrictions and guidelines
This feature takes effect only if it is configured in both the system view and interface view.
IRF system stability might be affected by IRF physical link flapping. For IRF system stability, this
feature is enabled by default on IRF physical interfaces and the enabling status of this feature is not
affected by the status of global link flapping protection. When the number of flaps detected on an IRF
physical interface exceeds the threshold within the detection interval, the device outputs a log rather
than shutting down the IRF physical interface.
The dampening, link-delay, and port link-flap protect enable commands are
mutually exclusive on an Ethernet interface.
To bring up an interface that has been shut down by link flapping protection, execute the undo
shutdown command.
In the display interface command output, the Link-Flap DOWN value of the Current state
field indicates that the interface has been shut down by link flapping protection.
Procedure
1. Enter system view.
system-view
2. Enable link flapping protection globally.
link-flap protect enable
By default, link flapping protection is disabled globally.
3. Enter Ethernet interface view.
interface interface-type interface-number
4. Enable link flapping protection on the Ethernet interface.
port link-flap protect enable [ interval interval | threshold threshold ] *
By default, link flapping protection is disabled on an Ethernet interface.
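
One way to check a planned configuration against the flap-control rules in this guide before it is applied, as an added Python example (not H3C code). It flags interfaces that combine the mutually exclusive link-delay, dampening, and port link-flap protect enable commands, interface-level link flapping protection without the system-view command, and shutdown together with port up-mode. The configuration text, its section layout, and the interval and threshold values are constructed for the example.

```python
"""Pre-deployment lint for the flap-control rules in this guide (added example)."""

# Commands the guide describes as mutually exclusive on an Ethernet interface.
FLAP_CONTROLS = ("link-delay", "dampening", "port link-flap protect enable")
GLOBAL_FLAP_PROTECT = "link-flap protect enable"

# Constructed configuration text. Assumed layout: "#" separates sections,
# "interface ..." starts at column 0, and its commands are indented.
SAMPLE_CONFIG = """\
#
 sysname lab-sw1
#
interface Twenty-FiveGigE1/0/1
 link-delay down 5
 dampening 54 750 2000 162
#
interface Twenty-FiveGigE1/0/2
 port link-flap protect enable interval 10 threshold 5
#
interface Twenty-FiveGigE1/0/3
 port up-mode
 shutdown
#
interface Twenty-FiveGigE1/0/4
 link-delay down 5
 link-delay up 2
#
"""


def parse_sections(text):
    """Return (system_view_commands, {interface_name: [commands]})."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None
            continue
        if raw.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif current is not None and raw[0].isspace():
            current.append(line)
        else:
            current = None
            global_cmds.append(line)
    return global_cmds, interfaces


def _has(cmds, command):
    """True if any configured line is this command, with or without arguments."""
    return any(c == command or c.startswith(command + " ") for c in cmds)


def audit(text):
    """Return a list of (interface, finding) tuples in configuration order."""
    global_cmds, interfaces = parse_sections(text)
    global_on = GLOBAL_FLAP_PROTECT in global_cmds
    findings = []
    for name, cmds in interfaces.items():
        # Separate link-delay up and link-delay down lines count once.
        used = [c for c in FLAP_CONTROLS if _has(cmds, c)]
        if len(used) > 1:
            findings.append((name, "mutually exclusive: " + ", ".join(used)))
        # The feature takes effect only if enabled in both views.
        if "port link-flap protect enable" in used and not global_on:
            findings.append(
                (name, "link flapping protection not enabled in system view"))
        if _has(cmds, "shutdown") and _has(cmds, "port up-mode"):
            findings.append((name, "mutually exclusive: shutdown, port up-mode"))
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```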

Configuring FEC
About this task
The forward error correction (FEC) feature corrects packet errors to improve transmission quality. It
attaches correction information to a packet at the sending end, and corrects error codes generated
during transmission at the receiving end based on the correction information. You can set the FEC
mode as needed.
Restrictions and guidelines
This feature is supported on 25-GE interfaces operating at 25 Gbps.
This feature is supported on 100-GE interfaces operating at 100 Gbps (supported only in Release
6616 and later).
Make sure you set the same FEC mode for both interfaces of a link.
On a 100-GE interface installed with a QSFP-100G-LR4-WDM1300 transceiver module, manual
FEC configuration does not take effect. However, the interface will go down and then come up upon
the configuration.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Set the FEC mode of the Ethernet interface.
port fec mode { auto | base-r | none | rs-fec }
By default, the FEC mode of an Ethernet interface is autonegotiation.
100-GE interfaces do not support the base-r keyword.

Configuring link compensation


About this task
As the signal transmission rate or frequency increases, high frequency components in signals
attenuate more severely. For signal transmission performance, common signal compensation
technologies such as pre-emphasis and equalization are introduced. Pre-emphasis amplifies high
frequency components but increases the probability of crosstalk. Equalization is introduced to filter
out high frequency crosstalk on the receiving end.
Link compensation enables the sending and receiving ends to exchange pre-emphasis and
equalization parameters through frames. This feature improves the performance of pre-emphasis
and equalization.
Hardware and feature compatibility
The S6805 switch series does not support this feature.
Restrictions and guidelines
Only 25-GE Ethernet interfaces connected through copper cables support this command. For 25-GE
interfaces connected through copper cables to operate properly, you must enable link compensation.
You must enable or disable link compensation on both interfaces of a link.
Typically, the link compensation status is controlled by the software. As a best practice, do not adjust
the link compensation status. Use this command to adjust the link compensation status
only when the interface cannot come up.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Configure link compensation on the interface.
port training { disable | enable }
By default, link compensation is disabled on an interface.

Configuring storm suppression


About this task
The storm suppression feature ensures that the size of a particular type of traffic (broadcast,
multicast, or unknown unicast traffic) does not exceed the threshold on an interface. When the
broadcast, multicast, or unknown unicast traffic on the interface exceeds this threshold, the system
discards packets until the traffic drops below this threshold.
Both storm suppression and storm control can suppress storms on an interface. Storm suppression
physically suppresses traffic. Storm suppression has less impact on the device performance than
storm control, which uses software to suppress traffic.

Restrictions and guidelines
• To keep the traffic suppression result deterministic, do not configure storm control together with
storm suppression for the same type of traffic. For more information about storm control, see
"Configuring storm control on an Ethernet interface."
• When you configure the suppression threshold in kbps, the actual suppression threshold might
be different from the configured one as follows:
◦ If the configured value is smaller than 64, the value of 64 takes effect.
◦ If the configured value is greater than 64 but not an integer multiple of 64, the integer
multiple of 64 that is greater than and closest to the configured value takes effect.
For the suppression threshold that takes effect, see the prompt on the device.
• Set the same type of thresholds for each interface.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Enable broadcast suppression and set the broadcast suppression threshold.
broadcast-suppression { ratio | pps max-pps | kbps max-kbps }
By default, broadcast suppression is disabled.
4. Enable multicast suppression and set the multicast suppression threshold.
multicast-suppression { ratio | pps max-pps | kbps max-kbps } [ unknown ]
By default, multicast suppression is disabled.
5. Enable unknown unicast suppression and set the unknown unicast suppression threshold.
unicast-suppression { ratio | pps max-pps | kbps max-kbps }
By default, unknown unicast suppression is disabled.

Configuring generic flow control on an Ethernet interface


About this task
To avoid dropping packets on a link, you can enable generic flow control at both ends of the link.
When traffic congestion occurs at the receiving end, the receiving end sends a flow control (Pause)
frame to ask the sending end to suspend sending packets. Generic flow control includes the
following types:
• TxRx-mode generic flow control—Enabled by using the flow-control command. With
TxRx-mode generic flow control enabled, an interface can both send and receive flow control
frames:
◦ When congestion occurs, the interface sends a flow control frame to its peer.
◦ When the interface receives a flow control frame from its peer, it suspends sending packets
to its peer.
• Rx-mode generic flow control—Enabled by using the flow-control receive enable
command. With Rx-mode generic flow control enabled, an interface can receive flow control
frames, but it cannot send flow control frames:
◦ When congestion occurs, the interface cannot send flow control frames to its peer.
◦ When the interface receives a flow control frame from its peer, it suspends sending packets
to its peer.

To handle unidirectional traffic congestion on a link, configure the flow-control receive
enable command at one end and the flow-control command at the other end. To enable both
ends of a link to handle traffic congestion, configure the flow-control command at both ends.
Restrictions and guidelines
To implement flow control, configure flow control on each interface that the traffic passes through.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Enable generic flow control.
◦ Enable TxRx-mode generic flow control.
flow-control
◦ Enable Rx-mode generic flow control.
flow-control receive enable
By default, generic flow control is disabled on an Ethernet interface.

Configuring PFC
About this task
When congestion occurs in the network, the local device notifies the peer to stop sending packets
carrying the specified 802.1p priority if all of the following conditions exist:
• Both the local end and the remote end have priority-based flow control (PFC) enabled.
• Both the local end and the remote end have the priority-flow-control no-drop
dot1p command configured.
• The specified 802.1p priority is in the 802.1p priority list specified by the dot1p-list
argument.
• The local end receives a packet carrying the specified 802.1p priority.
Feature and hardware compatibility
The two 1-Gbps SFP interfaces on the rear panel of an S9850-4C, S9850-32H, or S6850-56HF
switch do not support this feature.
Restrictions and guidelines
• You can configure PFC in both system view and Ethernet interface view. If you configure PFC in
system view and Ethernet interface view multiple times, the most recent configuration takes
effect.
• For IRF and other protocols to operate correctly, as a best practice, do not enable PFC for
802.1p priorities 0, 6, and 7.
• To perform PFC on an IRF port, configure PFC on the IRF port and the IRF physical interfaces
that are bound to the IRF port. For information about IRF, see Virtual Technologies
Configuration Guide.
• To perform PFC in an overlay network, execute the qos trust tunnel-dot1p command.
For information about the overlay network, see VXLAN Configuration Guide. For information
about the qos trust tunnel-dot1p command, see ACL and QoS Command Reference.
• To avoid packet loss, apply the same PFC configuration to all interfaces that the packets pass
through.
• If you do not enable PFC on an interface, the interface can receive but cannot process PFC
pause frames. To make PFC take effect, you must enable PFC on both ends.
• If you configure the flow-control or flow-control receive enable command on a
PFC-enabled interface, the following rules apply:
◦ The PFC configuration takes effect.
◦ The configuration of the flow-control or flow-control receive enable
command is ignored.
◦ The flow-control or flow-control receive enable command takes effect on the
interface only when PFC is disabled on it.
Configuring PFC in system view
1. Enter system view.
system-view
2. Enable PFC on all Ethernet interfaces.
priority-flow-control enable { receive | send }
By default, PFC is disabled on all Ethernet interfaces.
3. Enable PFC for 802.1p priorities on all Ethernet interfaces.
priority-flow-control no-drop dot1p dot1p-list
By default, PFC is disabled for all 802.1p priorities on all Ethernet interfaces.
Configuring PFC in Ethernet interface view
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Enable PFC on the Ethernet interface.
priority-flow-control enable { receive | send }
By default, PFC is disabled on an Ethernet interface.
4. Enable PFC for 802.1p priorities.
priority-flow-control no-drop dot1p dot1p-list
By default, PFC is disabled for all 802.1p priorities.
5. (Optional.) Set the pause time in PFC pause frames.
priority-flow-control pause-time time-vale
By default, the pause time in PFC pause frames is 65535.

Setting PFC thresholds


About PFC thresholds
The storage spaces for an interface include the following types:
• Headroom storage space.
• Shared storage space.
• Guaranteed storage space.
Setting PFC thresholds enables flexible control over PFC and can make good use of the storage
spaces. The device supports the following PFC thresholds:
• Headroom buffer threshold—Maximum number of cell resources that can be used by packets
with a specific 802.1p priority value in a headroom storage space. An interface drops received
packets once this threshold is reached.
• Back pressure frame triggering threshold—Maximum number of cell resources that can be
used by packets with a specific 802.1p priority value in a shared storage space. PFC is
triggered once this threshold is reached. The back pressure frame triggering threshold includes
the following types:
◦ Dynamic back pressure frame triggering threshold—Maximum cell resources set in
percentage.
◦ Static back pressure frame triggering threshold—Maximum cell resources set in an
absolute value.
• Offset between the back pressure frame stopping threshold and triggering
threshold—When the number of cell resources used by packets with a specific 802.1p priority
value decreases by this offset after PFC is triggered, PFC will be stopped.
• PFC reserved threshold—Number of cell resources reserved for packets with a specific
802.1p priority value in a guaranteed storage space.
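The following Python model is an added example, not code from the guide or from H3C. It shows how the four thresholds interact for one 802.1p priority and why an undersized headroom buffer drops packets on a no-drop priority. Assumptions: cells fill the guaranteed space first, then the shared space, then the headroom space; the sender reacts to a pause state change `pause_delay` ticks late; the static trigger value of 200 and the traffic rates are constructed, while 17, 12, and 125 are the 25-GE defaults from Table 3.

```python
"""Toy model of the per-priority PFC thresholds (added example)."""
from dataclasses import dataclass, field


@dataclass
class PfcQueue:
    reserved: int   # PFC reserved threshold: cells in the guaranteed space
    trigger: int    # static back pressure frame triggering threshold (shared space)
    offset: int     # offset between the stopping and triggering thresholds
    headroom: int   # headroom buffer threshold
    guaranteed_used: int = 0
    shared_used: int = 0
    headroom_used: int = 0
    xoff: bool = False          # True while the peer is asked to pause
    dropped: int = 0
    events: list = field(default_factory=list)

    def enqueue(self, cells: int) -> None:
        # Assumed fill order: guaranteed -> shared -> headroom -> drop.
        for _ in range(cells):
            if self.guaranteed_used < self.reserved:
                self.guaranteed_used += 1
            elif self.shared_used < self.trigger:
                self.shared_used += 1
            elif self.headroom_used < self.headroom:
                self.headroom_used += 1
            else:
                self.dropped += 1   # headroom threshold reached: packet loss
            if not self.xoff and self.shared_used >= self.trigger:
                self.xoff = True    # triggering threshold reached: PFC triggered
                self.events.append("XOFF")

    def dequeue(self, cells: int) -> None:
        # Drain in reverse order of filling.
        for _ in range(cells):
            if self.headroom_used:
                self.headroom_used -= 1
            elif self.shared_used:
                self.shared_used -= 1
            elif self.guaranteed_used:
                self.guaranteed_used -= 1
            if (self.xoff and self.headroom_used == 0
                    and self.shared_used <= self.trigger - self.offset):
                self.xoff = False   # usage fell by the offset: PFC stopped
                self.events.append("XON")


def simulate(q: PfcQueue, ticks: int, send_rate: int, drain_rate: int,
             pause_delay: int) -> int:
    """Drive the queue with a sender that sees the pause state pause_delay
    (>= 1) ticks late. Returns the number of dropped cells."""
    history = []                      # xoff state at the end of each tick
    for t in range(ticks):
        idx = t - pause_delay
        paused = history[idx] if idx >= 0 else False
        if not paused:
            q.enqueue(send_rate)      # cells still in flight after XOFF land here
        q.dequeue(drain_rate)
        history.append(q.xoff)
    return q.dropped


def run(headroom: int, ticks: int) -> PfcQueue:
    # reserved=17 and offset=12 follow Table 3; trigger=200 is constructed.
    q = PfcQueue(reserved=17, trigger=200, offset=12, headroom=headroom)
    simulate(q, ticks, send_rate=50, drain_rate=10, pause_delay=3)
    return q


if __name__ == "__main__":
    for hr in (125, 60):
        q = run(hr, 12)
        print(f"headroom={hr}: dropped={q.dropped} events={q.events}")
```
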
Feature and hardware compatibility
The two 1-Gbps SFP interfaces on the rear panel of an S9850-4C, S9850-32H, or S6850-56HF
switch do not support this feature.
Restrictions and guidelines

WARNING!
After PFC is enabled for 802.1p priorities, the PFC thresholds use the default values, which are
adequate in typical network environments. As a best practice, change the thresholds only when
necessary. Table 3 and Table 4 describe the default PFC thresholds.

Table 3 Default PFC thresholds in R6616 and later

| Interface type | Headroom buffer threshold | Dynamic back pressure frame triggering threshold | Offset between the back pressure frame stopping threshold and triggering threshold | PFC reserved threshold |
|---|---|---|---|---|
| 1-GE/10-GE | 100 | 5 | 12 | 17 |
| 25-GE | 125 | 5 | 12 | 17 |
| 40-GE | 200 | 5 | 12 | 17 |
| 100-GE | 491 | 5 | 12 | 17 |

Table 4 Default PFC thresholds in versions earlier than R6616

| Interface type | Headroom buffer threshold | Dynamic back pressure frame triggering threshold | Offset between the back pressure frame stopping threshold and triggering threshold | PFC reserved threshold |
|---|---|---|---|---|
| All interfaces | 8192 | Not configured | 48 | 6 |

You must enable PFC for 802.1p priorities before setting the PFC thresholds.
If you cancel PFC threshold settings on an interface, the PFC thresholds are restored to the state
when only the priority-flow-control no-drop dot1p command is executed.
Complete PFC threshold settings before the device receives and forwards packets. If you perform
these tasks when the device is forwarding packets, packets might be lost.
This feature does not support preprovisioning. For more information about preprovisioning, see
Fundamentals Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Set the maximum number of cell resources in a headroom storage space.
priority-flow-control poolID pool-number headroom headroom-number
By default, the maximum number of cell resources in a headroom storage space is 12288.
3. Enter Ethernet interface view.
interface interface-type interface-number
4. Set the headroom buffer threshold.
priority-flow-control dot1p dot1p headroom headroom-number
See Table 3 and Table 4 for the default value.
5. Set the back pressure frame triggering threshold.
◦ Set the dynamic back pressure frame triggering threshold.
priority-flow-control dot1p dot1p ingress-buffer dynamic ratio
See Table 3 and Table 4 for the default value.
◦ Set the static back pressure frame triggering threshold.
priority-flow-control dot1p dot1p ingress-buffer static threshold
By default, the static back pressure frame triggering threshold is not configured.
6. Set the offset between the back pressure frame stopping threshold and triggering threshold.
priority-flow-control dot1p dot1p ingress-threshold-offset offset-number
See Table 3 and Table 4 for the default value.
7. Set the PFC reserved threshold.
priority-flow-control dot1p dot1p reserved-buffer reserved-number
See Table 3 and Table 4 for the default value.

Configuring PFC deadlock detection


About this task
When packets carrying the specified 802.1p priority are transmitted in a loop, packets in the data
buffer cannot be forwarded and PFC frames are repeatedly transmitted between devices. As a result,
the cell resources in the buffer for device interfaces can never be released. In this case, the
device enters the PFC deadlock state.
This feature periodically detects whether the device is in the PFC deadlock state. If an interface is
always in the PFC XOFF state within the PFC deadlock detection interval, the device enters the PFC
deadlock state. If PFC deadlock detection is recovered in automatic mode, the device automatically
releases the deadlock state and recovers PFC and PFC deadlock detection after the delay timer
expires. During the delay timer period, the device disables PFC and PFC deadlock detection on the
interface, so that packets can be forwarded properly.

After the PFC deadlock state is released, the PFC deadlock detection feature can be recovered on
the interface in automatic or manual mode. Recovering this feature enables the PFC feature again at
the same time. Use the automatic recovery mode when no serious failures occur.
When a packet loop cannot be eliminated and the device enters PFC deadlock state frequently,
manually recover PFC deadlock detection on the interface as follows:
1. Perform troubleshooting and set the manual recovery mode for PFC deadlock detection.
2. Execute the priority-flow-control deadlock recover command to recover the
PFC deadlock detection and PFC features.
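The following Python state machine is an added example, not code from the guide or from H3C. It models the detection and recovery behavior described above for one interface and priority. Assumptions: time is counted in abstract ticks rather than the device's timer units, and `deadlocks_within` is a hypothetical helper for comparing the deadlock count against a configured period and count; the guide does not state what the device does when that count is exceeded.

```python
"""PFC deadlock detection and recovery as a state machine (added example)."""
from dataclasses import dataclass, field


@dataclass
class DeadlockDetector:
    interval: int                 # detection interval, in ticks
    recover_mode: str = "auto"    # "auto" or "manual"
    delay: int = 0                # delay timer for automatic recovery, in ticks
    pfc_enabled: bool = True      # PFC and deadlock detection are toggled together
    xoff_run: int = 0             # consecutive ticks spent in the XOFF state
    delay_left: int = 0
    now: int = 0
    deadlocks: list = field(default_factory=list)   # tick of each deadlock

    def tick(self, xoff: bool) -> str:
        """Feed one observation of the interface's XOFF state."""
        self.now += 1
        if not self.pfc_enabled:
            # PFC and detection stay off so that packets can be forwarded.
            if self.recover_mode == "auto":
                self.delay_left -= 1
                if self.delay_left <= 0:
                    self._restore()
                    return "recovered"
            return "pfc-disabled"     # manual mode waits for recover()
        self.xoff_run = self.xoff_run + 1 if xoff else 0
        if self.xoff_run >= self.interval:
            # XOFF for the whole detection interval: deadlock state.
            self.deadlocks.append(self.now)
            self.pfc_enabled = False
            self.delay_left = self.delay
            return "deadlock"
        return "normal"

    def recover(self) -> None:
        """Models 'priority-flow-control deadlock recover'."""
        if not self.pfc_enabled:
            self._restore()

    def _restore(self) -> None:
        self.pfc_enabled = True
        self.xoff_run = 0


def run(detector: DeadlockDetector, samples) -> list:
    return [detector.tick(x) for x in samples]


def deadlocks_within(detector: DeadlockDetector, period: int) -> int:
    """Hypothetical helper: deadlocks seen in the last `period` ticks."""
    return sum(1 for t in detector.deadlocks if t > detector.now - period)


if __name__ == "__main__":
    # Constructed input: a persistent loop keeps the interface in XOFF.
    d = DeadlockDetector(interval=3, recover_mode="auto", delay=2)
    print(run(d, [True] * 13))
    print("deadlocks at ticks", d.deadlocks)
```

With a persistent loop, automatic recovery re-enters the deadlock state every few ticks, which is the situation in which the guide recommends troubleshooting and the manual recovery mode.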
Feature and hardware compatibility
The two 1-Gbps SFP interfaces on the rear panel of an S9850-4C, S9850-32H, or S6850-56HF
switch do not support this feature.
Restrictions and guidelines
The specified CoS value must be within the 802.1p priority list specified by using the
priority-flow-control no-drop dot1p command. To view the 802.1p priority for each
CoS value, execute the display qos map-table dot1p-lp command.
Prerequisites
Before you configure PFC deadlock detection on an Ethernet interface, complete the following tasks:
• Enable PFC in auto mode or forcibly on the Ethernet interface.
• Enable PFC for 802.1p priorities on the Ethernet interface.
Procedure
1. Enter system view.
system-view
2. Set the precision for the PFC deadlock detection timer.
priority-flow-control deadlock precision { high | normal | low }
By default, the PFC deadlock detection timer uses normal precision.
3. Set the PFC deadlock detection interval for the specified CoS value.
priority-flow-control deadlock cos cos-value interval interval [ pause-recover ]
By default, the PFC deadlock detection interval is not set.
The pause-recover keyword is supported only in Release 6616 and later.
4. Configure the delay timer for PFC deadlock detection automatic recovery.
priority-flow-control deadlock auto-recover cos cos-value delay delay-interval
By default, the delay timer for PFC deadlock detection automatic recovery is not configured.
5. Configure the action to take on packets during the delay timer period for PFC deadlock
automatic recovery.
priority-flow-control deadlock auto-recover action { discard | forwarding }
By default, the device forwards received data packets during the delay timer period for PFC
deadlock detection automatic recovery.
6. Configure the upper threshold for PFC deadlock times during the specified period.
priority-flow-control deadlock threshold cos cos-value period period count count
By default, the upper threshold for PFC deadlock times during the specified period is not
configured.
7. Enter Ethernet interface view.
interface interface-type interface-number
8. Set the recovery mode for PFC deadlock detection on the Ethernet interface.
priority-flow-control deadlock recover-mode { auto | manual }
By default, PFC deadlock detection recovers in automatic mode.
9. Enable PFC deadlock detection on the Ethernet interface.
priority-flow-control deadlock enable
By default, PFC deadlock detection is disabled.
10. (Optional.) Recover PFC deadlock detection on the Ethernet interface.
priority-flow-control deadlock recover
You can use only this command to recover PFC deadlock detection if you set the manual
recovery mode for PFC deadlock detection on the Ethernet interface.

Configuring the early warning thresholds for PFC packets


About this task
You can configure the early warning threshold for incoming or outgoing PFC packets of an interface
as needed. The early warning threshold flags a situation where the PFC packet transmission rate
is still within a normal range but needs attention.
When the rate of PFC packets that an interface sends or receives reaches the early warning
threshold, the system generates traps and logs to notify the user. According to the traps and logs, the
user can discover some exceptions in the network, for example:
• The NIC of the peer device fails and continuously sends PFC packets at a high speed. In this
case, you can set the early warning threshold for incoming PFC packets.
• The device fails and continuously sends PFC frames. In this case, you can set the early warning
threshold for outgoing PFC packets.
To monitor bidirectional PFC packets, you can set the early warning thresholds for incoming packets
and outgoing packets separately.
Feature and hardware compatibility
The two 1-Gbps SFP interfaces on the rear panel of an S9850-4C, S9850-32H, or S6850-56HF
switch do not support this feature.
Restrictions and guidelines
The number of PFC pause frames that an interface sends or receives is counted and the early
warning threshold configuration takes effect only when PFC is enabled.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Configure the early warning threshold for incoming PFC packets.
priority-flow-control early-warning dot1p dot1p-list inpps pps-value
By default, no early warning threshold is configured for incoming PFC packets.
4. Configure the early warning threshold for outgoing PFC packets.
priority-flow-control early-warning dot1p dot1p-list outpps pps-value
By default, no early warning threshold is configured for outgoing PFC packets.

Enabling energy saving features on an Ethernet interface


About this task
With Energy Efficient Ethernet (EEE) enabled, a link-up interface enters low power state if it has not
received any packet for a period of time. The time period depends on the specifications and is not
configurable. When a packet arrives later, the device automatically restores power supply to the
interface and the interface returns to the normal state.
Restrictions and guidelines
Fiber ports do not support this feature.
This feature and MACsec are mutually exclusive on an interface. For more information about
MACsec, see MACsec configuration in Security Configuration Guide.
Configuring EEE on an Ethernet interface
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Enable EEE on the Ethernet interface.
eee enable
By default, EEE is disabled on an Ethernet interface.

Setting the statistics polling interval


About this task
To display the interface statistics collected in the last statistics polling interval, use the display
interface command. To clear the interface statistics, use the reset counters interface
command.
Setting the statistics polling interval in Ethernet interface view
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Set the statistics polling interval for the Ethernet interface.
flow-interval interval
By default, the statistics polling interval is 300 seconds.

Enabling loopback testing on an Ethernet interface


About this task
Perform this task to determine whether an Ethernet link works correctly.
Loopback testing includes the following types:
• Internal loopback testing—Tests the device where the Ethernet interface resides. The
Ethernet interface sends outgoing packets back to the local device. If the device fails to receive
the packets, the device fails.
• External loopback testing—Tests the hardware function of the Ethernet interface. The
Ethernet interface sends outgoing packets to the local device through a self-loop plug. If the
device fails to receive the packets, the hardware function of the Ethernet interface fails.
Restrictions and guidelines
• After you enable this feature on an Ethernet interface, the interface does not forward data
traffic.
• You cannot perform a loopback test on the following Ethernet interfaces:
◦ Ethernet interfaces manually brought down (displayed as in the ADM or Administratively
DOWN state).
◦ Ethernet interfaces configured with the port up-mode command.
• The speed, duplex, and shutdown commands cannot be configured on an Ethernet
interface in a loopback test.
• After you enable this feature on an Ethernet interface, the Ethernet interface switches to full
duplex mode. After you disable this feature, the Ethernet interface returns to its duplex setting.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Enable loopback testing.
loopback { external | internal }

Forcibly bringing up a fiber port


About this task
As shown in Figure 2, a fiber port uses separate fibers for transmitting and receiving packets. The
physical state of the fiber port is up only when both transmit and receive fibers are physically
connected. If one of the fibers is disconnected, the fiber port does not work.
To enable a fiber port to forward traffic over a single link, you can use the port up-mode command.
This command forcibly brings up a fiber port, even when no fiber links or transceiver modules are
present for the fiber port. When one fiber link is present and up, the fiber port can forward packets
over the link unidirectionally.

Figure 2 Forcibly bring up a fiber port
[Figure: three panels, each showing Device A and Device B connected through fiber ports: "Correct fiber connection", "When Ethernet interfaces cannot be or are not forcibly brought up", and "When Ethernet interfaces are forcibly brought up". Legend: fiber port, Tx end, Rx end, fiber link, packets, "The fiber is disconnected.", "The interface is down."]

Restrictions and guidelines


• The port up-mode and shutdown commands are mutually exclusive.
• A fiber port does not support this feature if the port is shut down by a protocol or by using the
shutdown command.
• A fiber port does not support this feature if the port joins an aggregation group.
• A fiber port forcibly brought up stays physically up whether or not a transceiver module or a fiber
link is present for the port.
• A GE fiber port forcibly brought up cannot correctly forward traffic if it is installed with a
fiber-to-copper converter, 100/1000-Mbps transceiver module, or 100-Mbps transceiver module.
To solve the problem, use the undo port up-mode command on the fiber port.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Forcibly bring up the fiber port.
port up-mode
By default, a fiber port is not forcibly brought up, and the physical state of a fiber port depends
on the physical state of the fibers.

Setting the media type for an Ethernet interface
Hardware and feature compatibility
The S6805 and S6825 switch series do not support this feature.
Restrictions and guidelines
For 25-GE interfaces on an LSWM124TG2H interface module, you must set the media type. Set the
media type to fiber for an interface that uses a transceiver module or fiber cable. Set the media type
to copper for an interface that uses a copper cable. The media type of interfaces in the same group is
the same. When you set the media type for any interface in a group, the setting is synchronized to
the other interfaces in the group.
This configuration fails when an interface group has any service loopback interface or reflector port
for mirroring.
When you configure this feature for an interface through the preprovisioning feature, the
configuration on the interface is not automatically synchronized to the other interfaces in the same
group. For more information about preprovisioning, see preprovisioning configuration in
Fundamentals Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Set the media type for the Ethernet interface.
port media-type { copper | fiber }
By default, the media type of an Ethernet interface is fiber.

Configuring interface alarm functions


About this task
With the interface alarm functions enabled, when the number of error packets on an interface in
normal state within the specified interval exceeds the upper threshold, the interface generates an
upper threshold exceeding alarm and enters the alarm state. When the number of error packets on
an interface in the alarm state within the specified interval drops below the lower threshold, the
interface generates a recovery alarm and returns to the normal state.
Restrictions and guidelines
You can configure the interface alarm parameters in system view and interface view.
• The configuration in system view takes effect on all interfaces of the specified slot. The
configuration in interface view takes effect only on the current interface.
• For an interface, the configuration in interface view takes priority, and the configuration in
system view is used only when no configuration is made in interface view.
An interface that is shut down because of error packet alarms cannot automatically recover. To bring
up the interface, execute the undo shutdown command on the interface.
If you specify the shutdown keyword for an alarm after the corresponding upper threshold has been
exceeded on an interface, the interface will not be shut down immediately. The interface will be shut
down when the corresponding upper threshold is exceeded again after the previous alarm is cleared.
(Available in versions earlier than F6620.)
If you specify the shutdown keyword when the upper threshold has been exceeded on an interface,
the interface will be shut down. (Available in version F6620 and later.)

Enabling interface alarm functions
1. Enter system view.
system-view
2. Enable alarm functions for the interface monitoring module.
snmp-agent trap enable ifmonitor [ crc-error | input-error | output-error ] *
By default, all alarm functions are enabled for interfaces.
Configuring CRC error packet parameters
1. Enter system view.
system-view
2. Configure global CRC error packet alarm parameters.
ifmonitor crc-error slot slot-number high-threshold high-value low-threshold low-value interval interval [ shutdown ]
By default, the upper threshold is 1000, the lower threshold is 100, and the statistics collection
and comparison interval is 10 seconds for CRC error packets.
This command is supported only in Release 6616, Release 6616P01, and F6619 or later. This
command is not supported in F6617L01 and F6618.
3. Enter Ethernet interface view.
interface interface-type interface-number
4. Configure CRC error packet alarm parameters for the interface.
port ifmonitor crc-error [ ratio ] high-threshold high-value low-threshold low-value interval interval [ shutdown ]
By default, an interface uses the global CRC error packet alarm parameters.
Configuring input error packet alarm parameters
1. Enter system view.
system-view
2. Configure global input error packet alarm parameters.
ifmonitor input-error slot slot-number high-threshold high-value low-threshold low-value interval interval [ shutdown ]
By default, the upper threshold is 1000, the lower threshold is 100, and the statistics collection
and comparison interval is 10 seconds for input error packets.
This command is supported only in Release 6616, Release 6616P01, and F6619 or later. This
command is not supported in F6617L01 and F6618.
3. Enter Ethernet interface view.
interface interface-type interface-number
4. Configure input error packet alarm parameters for the interface.
port ifmonitor input-error high-threshold high-value low-threshold low-value interval interval [ shutdown ]
By default, an interface uses the global input error packet alarm parameters.
Configuring output error packet alarm parameters
1. Enter system view.
system-view
2. Configure global output error packet alarm parameters.
ifmonitor output-error slot slot-number high-threshold high-value low-threshold low-value interval interval [ shutdown ]
By default, the upper threshold is 1000, the lower threshold is 100, and the statistics collection
and comparison interval is 10 seconds for output error packets.
This command is supported only in Release 6616, Release 6616P01, and F6619 or later. This
command is not supported in F6617L01 and F6618.
3. Enter Ethernet interface view.
interface interface-type interface-number
4. Configure output error packet alarm parameters.
port ifmonitor output-error high-threshold high-value low-threshold low-value interval interval [ shutdown ]
By default, an interface uses the global output error packet alarm parameters.

Restoring the default settings for an interface


Restrictions and guidelines

CAUTION:
This feature might interrupt ongoing network services. Make sure you are fully aware of the impacts
of this feature when you use it in a live network.

This feature might fail to restore the default settings for some commands because of command
dependencies or system restrictions. You can use the display this command in interface view to
check for these commands and perform their undo forms or follow the command reference to
restore their default settings. If your restoration attempt still fails, follow the error message to resolve
the problem.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view or Ethernet subinterface view.
interface interface-type { interface-number | interface-number.subnumber }
3. Restore the default settings for the interface.
default

Configuring a Layer 2 Ethernet interface


Configuring storm control on an Ethernet interface
About this task
Storm control compares broadcast, multicast and unknown unicast traffic regularly with their
respective traffic thresholds on an Ethernet interface. For each type of traffic, storm control provides
a lower threshold and an upper threshold.
Depending on your configuration, when a particular type of traffic exceeds its upper threshold, the
interface performs either of the following operations:
• Blocks this type of traffic and forwards other types of traffic—Even though the interface
does not forward the blocked traffic, it still counts the traffic. When the blocked traffic drops
below the lower threshold, the interface begins to forward the traffic.
• Goes down automatically—The interface goes down automatically and stops forwarding any
traffic. When the blocked traffic drops below the lower threshold, the interface does not
automatically come up. To bring up the interface, use the undo shutdown command or
disable the storm control feature.
You can configure an Ethernet interface to output threshold event traps and log messages when
monitored traffic meets one of the following conditions:
• Exceeds the upper threshold.
• Drops below the lower threshold.
Both storm suppression and storm control can suppress storms on an interface. Storm suppression
physically suppresses traffic. Storm suppression has less impact on the device performance than
storm control, which uses software to suppress traffic. For more information about storm
suppression, see "Configuring storm suppression."
Storm control uses a complete polling cycle to collect traffic data, and analyzes the data in the next
cycle. An interface takes one to two polling intervals to take a storm control action.
Restrictions and guidelines
To ensure a deterministic traffic suppression result, do not configure storm control together with
storm suppression for the same type of traffic.
Procedure
1. Enter system view.
system-view
2. (Optional.) Set the statistics polling interval of the storm control module.
storm-constrain interval interval
The default setting is 10 seconds.
For network stability, use the default or set a longer statistics polling interval.
3. Enter Ethernet interface view.
interface interface-type interface-number
4. Enable storm control, and set the lower and upper thresholds for broadcast, multicast, or
unknown unicast traffic.
storm-constrain { broadcast | multicast | unicast } { pps | kbps |
ratio } upperlimit lowerlimit
By default, storm control is disabled.
5. Set the control action to take when monitored traffic exceeds the upper threshold.
storm-constrain control { block | shutdown }
By default, storm control is disabled.
6. Enable the Ethernet interface to output log messages when it detects storm control threshold
events.
storm-constrain enable log
By default, the Ethernet interface outputs log messages when monitored traffic exceeds the
upper threshold or drops below the lower threshold from a value above the upper threshold.
7. Enable the Ethernet interface to send storm control threshold event traps.
storm-constrain enable trap
By default, the Ethernet interface sends traps when monitored traffic exceeds the upper
threshold or drops below the lower threshold from a value above the upper threshold.
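The two-threshold behavior and the one-to-two-interval reaction delay described above can be checked with a small model before choosing thresholds. The following Python code is an added example, not code from H3C or this guide; the class name, the pps values, and the event labels are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class StormControlPort:
    """Simplified model of storm control for one traffic type on one interface."""
    upper: int                        # upperlimit of storm-constrain, in pps
    lower: int                        # lowerlimit of storm-constrain, in pps
    action: str                       # "block" or "shutdown" (storm-constrain control)
    state: str = "forwarding"         # forwarding | blocked | down
    collected: Optional[int] = None   # rate collected during the previous polling cycle
    events: List[Tuple[str, int]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if self.action not in ("block", "shutdown"):
            raise ValueError("action must be 'block' or 'shutdown'")
        if self.lower > self.upper:
            raise ValueError("lower threshold must not exceed upper threshold")

    def poll(self, rate_pps: int) -> str:
        """Run at the end of a polling interval with the rate counted in it.

        The sample collected in one cycle is analyzed in the next cycle, so an
        action follows the start of a storm by one to two polling intervals.
        """
        if self.state == "down":
            # A shut-down interface does not come up by itself.
            self.collected = None
            return self.state
        previous, self.collected = self.collected, rate_pps
        if previous is None:
            return self.state
        if self.state == "forwarding" and previous > self.upper:
            self.events.append(("exceeded-upper", previous))
            self.state = "blocked" if self.action == "block" else "down"
        elif self.state == "blocked" and previous < self.lower:
            # Blocked traffic is still counted, so recovery can be detected.
            self.events.append(("below-lower", previous))
            self.state = "forwarding"
        return self.state

    def undo_shutdown(self) -> None:
        """Model of the administrator running undo shutdown on the interface."""
        if self.state == "down":
            self.state = "forwarding"
            self.collected = None


def run(action: str, rates: List[int], upper: int = 2000, lower: int = 100):
    """Feed one rate per polling interval and return the port and its states."""
    port = StormControlPort(upper=upper, lower=lower, action=action)
    return port, [port.poll(rate) for rate in rates]


# Constructed broadcast rates (pps), one value per polling interval.
SAMPLE_RATES = [500, 5000, 5000, 1500, 80, 80]

if __name__ == "__main__":
    for action in ("block", "shutdown"):
        port, states = run(action, SAMPLE_RATES)
        print(action, states, port.events)
```

With the block action, the rate of 1500 pps does not release the block because it is still above the lower threshold; with the shutdown action, the interface stays down until undo_shutdown() is called.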

Changing a Layer 2 Ethernet interface to an FC interface
About this task
This feature allows you to change a Layer 2 Ethernet interface to an FC interface.
Hardware and feature compatibility
Only interfaces on the LSWM124XG2QFC and LSWM116FC interface modules support this feature.
The S6805 and S6825 switch series does not support this feature.
Restrictions and guidelines
After the type of an interface is changed, the system creates a new interface that is numbered the
same as the original interface.
An LSWM116FC interface expansion card has 16 interfaces, and every two neighboring interfaces
belong to one port group. If you change an Ethernet interface to an FC interface by using the
port-type fc command, the other interface in the same port group is also changed to an FC
interface. If you change an FC interface to an Ethernet interface by using the port-type
ethernet command, the other interface in the same port group is also changed to an Ethernet
interface. An Ethernet interface on the card operates at 25 Gbps in full duplex and cannot perform
speed autonegotiation.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Change the type of the interface:
◦ Change the Layer 2 Ethernet interface to an FC interface.
port-type fc
◦ Change the FC interface back to a Layer 2 Ethernet interface.
port-type ethernet

CAUTION:
After the type of an interface is changed, the system deletes the original interface and creates a
new interface that is numbered the same as the original interface. All the other commands are
restored to the default on the new interface.

Enabling bridging on an Ethernet interface


About this task
By default, the device drops packets whose outgoing interface and incoming interface are the same.
To enable the device to forward such packets rather than drop them, enable the bridging feature in
Ethernet interface view.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number

3. Enable bridging on the Ethernet interface.
port bridge enable
By default, bridging is disabled on an Ethernet interface.

Configuring a Layer 3 Ethernet interface or subinterface

Setting the MTU for an Ethernet interface or subinterface
Restrictions and guidelines
The maximum transmission unit (MTU) of an Ethernet interface affects the fragmentation and
reassembly of IP packets on the interface. Typically, you do not need to modify the MTU of an
interface.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type { interface-number |
interface-number.subnumber }
3. Set the MTU for the interface.
mtu size
The default setting is 1500 bytes.

Setting the MAC address of an Ethernet interface or subinterface
About this task
In a network, when the Layer 3 Ethernet interfaces or subinterfaces of different devices have the
same MAC address, the devices might fail to communicate correctly. To eliminate the MAC address
conflicts, use the mac-address command to modify the MAC addresses of Layer 3 Ethernet
interfaces or subinterfaces.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type { interface-number |
interface-number.subnumber }
3. Set the interface MAC address.
mac-address mac-address
By default, no MAC address is set for an Ethernet interface.
As a best practice, do not set a MAC address in the VRRP-reserved MAC address range for a
Layer 3 Ethernet subinterface.

Display and maintenance commands for Ethernet interfaces
Execute display commands in any view and reset commands in user view.

Task: Display interface traffic statistics.
Command: display counters { inbound | outbound } interface [ interface-type [ interface-number ] ]

Task: Display traffic rate statistics of interfaces in up state over the last statistics polling interval.
Command: display counters rate { inbound | outbound } interface [ interface-type [ interface-number ] ]

Task: Display the Ethernet module statistics.
Command: display ethernet statistics slot slot-number

Task: Display the operational and status information of the specified interfaces.
Command: display interface [ interface-type [ interface-number | interface-number.subnumber ] ] [ brief [ description | down ] ]

Task: Display information about link flapping protection on interfaces.
Command: display link-flap protection [ interface interface-type [ interface-number ] ]

Task: Display information about dropped packets on the specified interfaces.
Command: display packet-drop { interface [ interface-type [ interface-number ] ] | summary }

Task: Display PFC information on the specified interfaces.
Command: display priority-flow-control interface [ interface-type [ interface-number ] ]

Task: Display information about storm control on the specified interfaces.
Command: display storm-constrain [ broadcast | multicast | unicast ] [ interface interface-type interface-number ]

Task: Clear interface statistics.
Command: reset counters interface [ interface-type [ interface-number ] ]

Task: Clear the Ethernet module statistics.
Command: reset ethernet statistics [ slot slot-number ]

Task: Clear the statistics of dropped packets on the specified interfaces.
Command: reset packet-drop interface [ interface-type [ interface-number ] ]

Task: Display the status and packet statistics of interfaces.
Command: display interface link-info [ main ]

Task: Display the operational and status information of interfaces except subinterfaces.
Command: display interface [ interface-type ] [ brief [ description | down ] ] main

Contents
Configuring Ethernet link aggregation
  About Ethernet link aggregation
    Ethernet link aggregation application scenario
    Aggregate interface, aggregation group, and member port
    Operational key
    Configuration types
    Link aggregation modes
    How static link aggregation works
    Dynamic link aggregation
    How dynamic link aggregation works
    Edge aggregate interface
    Load sharing modes for link aggregation groups
    S-MLAG
  Restrictions and guidelines: Mixed use of manual and automatic link aggregation configuration
  Ethernet link aggregation tasks at a glance
  Configuring the system ID
  Configuring a manual link aggregation
    Restrictions and guidelines for aggregation group configuration
    Configuring a Layer 2 aggregation group
    Configuring a Layer 3 aggregation group
  Configuring S-MLAG
  Configuring an aggregate interface
    Configuring the description of an aggregate interface
    Setting the MAC address for an aggregate interface
    Configuring jumbo frame support
    Setting the MTU for a Layer 3 aggregate interface
    Setting the expected bandwidth for an aggregate interface
    Configuring an edge aggregate interface
    Configuring physical state change suppression on an aggregate interface
    Shutting down an aggregate interface
    Restoring the default settings for an aggregate interface
  Setting the minimum and maximum numbers of Selected ports for an aggregation group
  Disabling the default action of selecting a Selected port for dynamic aggregation groups that have not received LACPDUs
  Configuring a dynamic aggregation group to use port speed as the prioritized criterion for reference port selection
  Specifying ignored VLANs for a Layer 2 aggregate interface
  Configuring load sharing for link aggregation groups
    Setting static load sharing modes for link aggregation groups
    Setting a dynamic load sharing mode for a link aggregation group
    Specifying ignored packet fields for default link-aggregation load sharing
    Enabling local-first load sharing for link aggregation
    Configuring link aggregation load sharing algorithm and hash seed settings
    Setting a hash offset to adjust the load balancing results on link aggregations
    Setting the load sharing mode for tunneled traffic
  Specifying link aggregation management VLANs and link aggregation management port
  Excluding a subnet from load sharing on aggregate links
  Enabling a Layer 2 aggregate interface to reflect incoming packets back
  Enabling link-aggregation traffic redirection
    About link-aggregation traffic redirection
    Restrictions and guidelines for link-aggregation traffic redirection
    Enabling link-aggregation traffic redirection globally
    Enabling link-aggregation traffic redirection for an aggregation group
  Isolating aggregate interfaces on the device
  Enabling BFD for an aggregation group
  Display and maintenance commands for Ethernet link aggregation
  Ethernet link aggregation configuration examples
    Example: Configuring a Layer 2 static aggregation group
    Example: Configuring a Layer 2 dynamic aggregation group
    Example: Configuring Layer 2 aggregation load sharing
    Example: Configuring a Layer 2 edge aggregate interface
    Example: Configuring a Layer 3 static aggregation group
    Example: Configuring a Layer 3 dynamic aggregation group
    Example: Configuring Layer 3 aggregation load sharing
    Example: Configuring S-MLAG

Configuring Ethernet link aggregation
About Ethernet link aggregation
Ethernet link aggregation bundles multiple physical Ethernet links into one logical link (called an
aggregate link). Link aggregation provides the following benefits:
• Increased bandwidth beyond the limits of a single individual link. In an aggregate link, traffic is
distributed across the member ports.
• Improved link reliability. The member ports dynamically back up one another. When a member
port fails, its traffic is automatically switched to other member ports.

Ethernet link aggregation application scenario


As shown in Figure 1, Device A and Device B are connected by three physical Ethernet links. These
physical Ethernet links are combined into an aggregate link called link aggregation 1. The bandwidth
of this aggregate link can reach up to the total bandwidth of the three physical Ethernet links. At the
same time, the three Ethernet links back up one another. When a physical Ethernet link fails, the
traffic transmitted on the failed link is switched to the other two links.
Figure 1 Ethernet link aggregation diagram (Port A1, Port A2, and Port A3 on Device A connect to Port B1, Port B2, and Port B3 on Device B and form Link aggregation 1)

Aggregate interface, aggregation group, and member port


Each link aggregation is represented by a logical aggregate interface. Each aggregate interface has
an automatically created aggregation group, which contains member ports to be used for
aggregation. The type and number of an aggregation group are the same as its aggregate interface.
Supported aggregate interface types
An aggregate interface can be one of the following types:
• Layer 2—A Layer 2 aggregate interface is created manually. The member ports in a Layer 2
aggregation group can only be Layer 2 Ethernet interfaces.
• Layer 3—A Layer 3 aggregate interface is created manually. The member ports in its Layer 3
aggregation group can only be Layer 3 Ethernet interfaces.
On a Layer 3 aggregate interface, you can create subinterfaces. A Layer 3 aggregate
subinterface processes traffic only for the VLAN numbered with the same ID as the subinterface
number.
The port rate of an aggregate interface equals the total rate of its Selected member ports. Its duplex
mode is the same as that of the Selected member ports. For more information about Selected
member ports, see "Aggregation states of member ports in an aggregation group."
Aggregation states of member ports in an aggregation group
A member port in an aggregation group can be in any of the following aggregation states:
• Selected—A Selected port can forward traffic.
• Unselected—An Unselected port cannot forward traffic.

• Individual—An Individual port can forward traffic as a normal physical port. This state is
peculiar to the member ports of edge aggregate interfaces. A Selected or Unselected member
port of an edge aggregate interface is placed in Individual state if the following events occur in
sequence:
a. The member port goes down and then comes up.
b. The LACP timeout timer expires because it has not received LACPDUs.
For more information about edge aggregate interfaces, see "Edge aggregate interface."

Operational key
When aggregating ports, the system automatically assigns each port an operational key based on
port information, such as port rate and duplex mode. Any change to this information triggers a
recalculation of the operational key.
In an aggregation group, all Selected ports have the same operational key.

Configuration types
Port configuration includes the attribute configuration and protocol configuration. Attribute
configuration affects the aggregation state of the port but the protocol configuration does not.
Attribute configuration
To become a Selected port, a member port must have the same attribute configuration as the
aggregate interface. Table 1 describes the attribute configuration.
Table 1 Attribute configuration

Feature: Port isolation
Attribute configuration: Membership of the port in an isolation group. Isolation group number.

Feature: QinQ
Attribute configuration: QinQ status (enabled/disabled), TPID for VLAN tags, and VLAN transparent transmission. For information about QinQ, see "Configuring QinQ."

Feature: VLAN mapping
Attribute configuration: VLAN mapping configured on the port. For more information about VLAN mapping, see "Configuring VLAN mapping."

Feature: VLAN
Attribute configuration: VLAN attribute settings:
• Permitted VLAN IDs.
• PVID.
• Link type (trunk, hybrid, or access).
• PVLAN port type (promiscuous, trunk promiscuous, host, or trunk secondary).
• IP subnet-based VLAN configuration.
• Protocol-based VLAN configuration.
• VLAN tagging mode.
For information about VLANs, see "Configuring VLANs."

Protocol configuration
Protocol configuration of a member port does not affect the aggregation state of the member port.
MAC address learning and spanning tree settings are examples of the protocol configuration.

Link aggregation modes
An aggregation group operates in one of the following modes:
• Static—Static aggregation is stable. An aggregation group in static mode is called a static
aggregation group. The aggregation states of the member ports in a static aggregation group
are not affected by the peer ports.
• Dynamic—An aggregation group in dynamic mode is called a dynamic aggregation group.
Dynamic aggregation is implemented through IEEE 802.3ad Link Aggregation Control Protocol
(LACP). The local system and the peer system automatically maintain the aggregation states of
the member ports. Dynamic link aggregation reduces the administrators' workload.

How static link aggregation works


Reference port selection process
When setting the aggregation states of the ports in an aggregation group, the system automatically
chooses a member port as the reference port. A Selected port must have the same operational key
and attribute configurations as the reference port.
The system chooses a reference port from the member ports in up state.
The candidate reference ports are organized into different priority levels following these rules:
1. In descending order of port priority.
2. Full duplex.
3. In descending order of speed.
4. Half duplex.
5. In descending order of speed.
From the candidate ports with the same attribute configurations as the aggregate interface, the one
with the highest priority level is chosen as the reference port.
• If multiple ports have the same priority level, the port that has been Selected (if any) is chosen.
If multiple ports with the same priority level have been Selected, the one with the smallest port
number is chosen.
• If multiple ports have the same priority level and none of them has been Selected, the port with
the smallest port number is chosen.
Setting the aggregation state of each member port
After the reference port is chosen, the system sets the aggregation state of each member port in the
static aggregation group.

Figure 2 Setting the aggregation state of a member port in a static aggregation group (flowchart; decision points in order: Is there any hardware restriction? Is the port up? Operational key/attribute configuration same as the reference port? More Selected ports than max. number of Selected ports? Outcomes: Set the port to the Selected state, or Set the port to the Unselected state.)

After the limit on Selected ports is reached, the aggregation state of a new member port varies by
the following conditions:
• The port is placed in Unselected state if the port and the Selected ports have the same port
priority. This mechanism prevents traffic interruption on the existing Selected ports. A device
reboot can cause the device to recalculate the aggregation states of member ports.
• The port is placed in Selected state when the following conditions are met:
◦ The port and the Selected ports have different port priorities, and the port has a higher port
priority than a minimum of one Selected port.
◦ The port has the same attribute configurations as the aggregate interface.
Any operational key or attribute configuration change might affect the aggregation states of link
aggregation member ports.

Dynamic link aggregation


About LACP
Dynamic aggregation is implemented through IEEE 802.3ad Link Aggregation Control Protocol
(LACP).
LACP uses LACPDUs to exchange aggregation information between LACP-enabled devices. Each
member port in a dynamic aggregation group can exchange information with its peer. When a
member port receives an LACPDU, it compares the received information with information received
on the other member ports. In this way, the two systems reach an agreement on which ports are
placed in Selected state.
LACP functions
LACP offers basic LACP functions and extended LACP functions, as described in Table 2.
Table 2 Basic and extended LACP functions

Category: Basic LACP functions
Description: Implemented through the basic LACPDU fields, including the LACP system priority, system MAC address, port priority, port number, and operational key.

Category: Extended LACP functions
Description: Implemented by extending the LACPDU with new TLV fields. Extended LACP can implement LACP MAD for the IRF feature. For more information about IRF and the LACP MAD mechanism, see Virtual Technologies Configuration Guide. The device can participate in LACP MAD as either an IRF member device or an intermediate device.

LACP operating modes


LACP can operate in active or passive mode.
When LACP is operating in passive mode on both a local member port and its peer port, neither port
can send LACPDUs. When LACP is operating in active mode on either end of a link, both ports can
send LACPDUs.
LACP priorities
LACP priorities include LACP system priority and port priority, as described in Table 3. The smaller
the priority value, the higher the priority.
Table 3 LACP priorities

Type: LACP system priority
Description: Used by two peer devices (or systems) to determine which one is superior in link aggregation. In dynamic link aggregation, the system that has higher LACP system priority sets the Selected state of member ports on its side. The system that has lower priority sets the aggregation state of local member ports the same as their respective peer ports.

Type: Port priority
Description: Determines the likelihood of a member port to be a Selected port on a system. A port with a higher port priority is more likely to become Selected.

LACP timeout interval


The LACP timeout interval specifies how long a member port waits to receive LACPDUs from the
peer port. If a local member port has not received LACPDUs from the peer in 3 seconds after the
LACP timeout interval expires, the member port considers the peer as failed.
The LACP timeout interval also determines the LACPDU sending rate of the peer. LACP timeout
intervals include the following types:
• Short timeout interval—3 seconds. If you use the short timeout interval, the peer sends one
LACPDU per second.
• Long timeout interval—90 seconds. If you use the long timeout interval, the peer sends one
LACPDU every 30 seconds.
Methods to assign interfaces to a dynamic link aggregation group
You can use one of the following methods to assign interfaces to a dynamic link aggregation group:
• Manual assignment—Manually assign interfaces to the dynamic link aggregation group.

• Automatic assignment—Enable automatic assignment on interfaces to have them
automatically join a dynamic link aggregation group depending on the peer information in the
received LACPDUs.

NOTE:
When you use automatic assignment on one end, you must use manual assignment on the
other end.

Automatic member port assignment


This feature automates the assignment of aggregation member ports to an aggregation group. You
can use this feature when setting up an aggregate link to a server.
As shown in Figure 3, an interface enabled with automatic assignment joins a dynamic aggregation
group based on the peer information in the LACPDUs received from the aggregation peer. If none of
the existing dynamic aggregation groups is qualified, the device automatically creates a new
dynamic aggregation group. Then, the device assigns the interface to that group and synchronizes
the interface's attribute configurations to the aggregate interface.
A dynamic aggregation group that contains automatically assigned member ports selects a
reference port and Selected ports as described in "How dynamic link aggregation works." The
assignment methods of member ports do not change the processes of reference port selection and
Selected port selection.
Figure 3 Automatic member port assignment process (flowchart; start: An interface enabled with automatic link aggregation receives LACPDUs. Decision points: Does a preferred aggregation group exist? Does the reference port have the same peer information as the LACPDUs? Does an aggregation group matching the LACPDUs exist? Outcomes: Assign the interface to the aggregation group, or Create a dynamic aggregation group based on the peer information in the LACPDUs.)

How dynamic link aggregation works


Choosing a reference port
The system chooses a reference port from the member ports in up state. A Selected port must have
the same operational key and attribute configurations as the reference port.

The local system (the actor) and the peer system (the partner) negotiate a reference port by using
the following workflow:
1. The two systems determine the system with the smaller system ID.
A system ID contains the LACP system priority and the system MAC address.
a. The two systems compare their LACP priority values.
The lower the LACP priority, the smaller the system ID. If the LACP priority values are the
same, the two systems proceed to step b.
b. The two systems compare their MAC addresses.
The lower the MAC address, the smaller the system ID.
2. The system with the smaller system ID chooses the port with the smallest port ID as the
reference port.
A port ID contains a port priority and a port number. The lower the port priority, the smaller the
port ID.
a. The system chooses the port with the lowest priority value as the reference port.
If the ports have the same priority, the system proceeds to step b.
b. The system compares their port numbers.
The smaller the port number, the smaller the port ID.
The port with the smallest port number and the same attribute configurations as the
aggregate interface is chosen as the reference port.

NOTE:
To identify the port numbers of aggregation member ports, execute the display
link-aggregation verbose command and examine the Index field in the command
output.

Setting the aggregation state of each member port


After the reference port is chosen, the system with the smaller system ID sets the state of each
member port on its side.

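Figure 4 Setting the state of a member port in a dynamic aggregation group
[Flowchart] The system evaluates each member port in the following order:
1. Is there any hardware restriction? If yes, set the port to the Unselected state.
2. Is the port up? If no, set the port to the Unselected state.
3. Is the operational key/attribute configuration the same as the reference port? If no, set the port to the Unselected state.
4. Is the operational key/attribute configuration of the peer port the same as the peer port of the reference port? If no, set the port to the Unselected state.
5. Are there more Selected ports than the maximum number of Selected ports? If no, set the port to the Selected state.
6. If yes, is the port number low enough to set the port to the Selected state? If yes, set the port to the Selected state. If no, set the port to the Unselected state.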

The system with the greater system ID can detect the aggregation state changes on the peer system.
The system with the greater system ID sets the aggregation state of local member ports the same as
their peer ports.
When you aggregate interfaces in dynamic mode, follow these guidelines:
• A dynamic link aggregation group chooses only full-duplex ports as the Selected ports.
• For stable aggregation and service continuity, do not change the operational key or attribute
configurations on any member port.
• When a member port changes to the Selected or Unselected state, its peer port changes to the
same aggregation state.
• After the Selected port limit is reached, a newly joining port becomes a Selected port if it is more
eligible than a current Selected port.
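
The reference port workflow and the member port checks in Figure 4 can be traced with a short model. This is an added example, not H3C code: the class names, the single `oper_key` value standing in for operational key plus attribute configuration, the sample MAC addresses and port numbers are constructed, and ranking by port ID (priority, then number) when the Selected port limit is exceeded is an assumption, because Figure 4 names only the port number.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class System:
    name: str
    mac: str               # LACP system MAC address in H-H-H notation
    priority: int = 32768  # LACP system priority (default 32768)


@dataclass(frozen=True)
class Port:
    number: int            # port number (Index field in the verbose display)
    priority: int = 32768  # port priority (default 32768)
    up: bool = True
    full_duplex: bool = True
    oper_key: int = 1      # stands in for operational key + attribute configuration
    hw_restricted: bool = False


def system_id(s):
    # Lower LACP system priority wins; the MAC address breaks a tie.
    return (s.priority, int(s.mac.replace("-", ""), 16))


def port_id(p):
    # Lower port priority wins; the port number breaks a tie.
    return (p.priority, p.number)


def qualifies(local, peer, ref, ref_peer):
    # The first four decisions of Figure 4, plus the full-duplex guideline.
    return (not local.hw_restricted and local.up and local.full_duplex
            and local.oper_key == ref.oper_key
            and peer.oper_key == ref_peer.oper_key)


def negotiate(sys_a, sys_b, links, max_selected=32):
    """links: one (port on sys_a, port on sys_b) pair per physical link."""
    a_smaller = system_id(sys_a) < system_id(sys_b)
    small, large = (sys_a, sys_b) if a_smaller else (sys_b, sys_a)
    # Orient every link as (port on the smaller-ID system, its peer port).
    pairs = [(a, b) if a_smaller else (b, a) for a, b in links]

    # The reference port is the up port with the smallest port ID.
    up_pairs = [pr for pr in pairs if pr[0].up]
    ref, ref_peer = (min(up_pairs, key=lambda pr: port_id(pr[0]))
                     if up_pairs else (None, None))

    eligible = [] if ref is None else sorted(
        [pr for pr in pairs if qualifies(*pr, ref, ref_peer)],
        key=lambda pr: port_id(pr[0]))
    selected = {local.number for local, _ in eligible[:max_selected]}

    states = {}
    for local, peer in pairs:
        state = "Selected" if local.number in selected else "Unselected"
        states[(small.name, local.number)] = state
        # The system with the greater system ID mirrors its peer's state.
        states[(large.name, peer.number)] = state
    return {"decider": small.name,
            "reference": ref.number if ref else None,
            "states": states}


# Constructed sample: same system priority, so the lower MAC (B) decides.
SYS_A = System("A", "00e0-fc00-5502")
SYS_B = System("B", "00e0-fc00-5501")
LINKS = [
    (Port(11), Port(1)),
    (Port(12), Port(2, priority=100)),          # lowest port ID on B
    (Port(13), Port(3, oper_key=2)),            # differs from the reference port
    (Port(14), Port(4)),
    (Port(15, up=False), Port(5, up=False)),    # link down
    (Port(16, oper_key=2), Port(6)),            # peer differs from reference peer
]

if __name__ == "__main__":
    result = negotiate(SYS_A, SYS_B, LINKS, max_selected=2)
    print(result["decider"], result["reference"])
    for key in sorted(result["states"]):
        print(key, result["states"][key])
```
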

Edge aggregate interface
Dynamic link aggregation fails on a server-facing aggregate interface if dynamic link aggregation is
configured only on the device. The device forwards traffic by using only one of the physical ports that
are connected to the server.
To improve link reliability, configure the aggregate interface as an edge aggregate interface. This
feature enables all member ports of the aggregation group to forward traffic. When a member port
fails, its traffic is automatically switched to other member ports.
After dynamic link aggregation is configured on the server, the device can receive LACPDUs from
the server. Then, link aggregation between the device and the server operates correctly.
An edge aggregate interface takes effect only when it is configured on an aggregate interface
corresponding to a dynamic aggregation group.

Load sharing modes for link aggregation groups


In a link aggregation group, traffic can be load shared across the Selected ports based on any of the
following modes:
• Per-flow load sharing—Distributes traffic on a per-flow basis. The load sharing mode
classifies packets into flows and forwards packets of the same flow on the same link. This mode
can be one of or a combination of the following traffic classification criteria:
◦ Ingress port.
◦ Source or destination IP.
◦ Source or destination MAC.
◦ Source or destination port number.
◦ MPLS label.
• Per-packet load sharing—Distributes traffic on a per-packet basis.
• Automatic load sharing—Automatically selects a load sharing mode depending on the packet
type. For example, the load sharing mode differs between IPv4 packets and Layer 2 packets.
This mode is also called the flexible mode.
• Resilient load sharing—Redistributes as little traffic as possible when a link state change
occurs to minimize its impact on services. In this mode, an aggregation group distributes traffic
based on the default load sharing mode when no link change occurs. When a link fails, the
system rehashes the traffic on the failed link across the remaining Selected links. Because the
existing traffic on the Selected links is not rehashed as in other modes, impact on the ongoing
services is minimized. When the failed link recovers, the system rehashes part of the traffic on
the existing Selected links to the recovered link. Because not all traffic is rehashed, the traffic
distribution pattern might differ from what it was before the link failure. The mode is supported
only in Release 6616 and later.
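
The difference between resilient load sharing and a plain per-flow hash on link failure and recovery can be measured with a small model. This is an added example and not the switch's implementation: the fixed bucket table, its size, the CRC32 hash, the port names and the flow tuples are all assumptions made for illustration.

```python
import zlib

BUCKETS = 12  # constructed table size


def flow_hash(flow):
    # Per-flow criteria used here: source IP, destination IP, source port,
    # destination port.
    return zlib.crc32("|".join(map(str, flow)).encode())


def modulo_link(flow, links):
    # Plain per-flow hashing: the result depends on the number of links,
    # so a link change can remap flows on healthy links as well.
    return links[flow_hash(flow) % len(links)]


class ResilientGroup:
    """Flows map to buckets; only bucket ownership changes on link events."""

    def __init__(self, links):
        self.table = [links[i % len(links)] for i in range(BUCKETS)]

    def link_for(self, flow):
        return self.table[flow_hash(flow) % BUCKETS]

    def fail(self, dead):
        alive = sorted(set(self.table) - {dead})
        if not alive:
            raise RuntimeError("no Selected link left")
        moved = 0
        for i, owner in enumerate(self.table):
            if owner == dead:  # buckets of healthy links are left alone
                self.table[i] = alive[moved % len(alive)]
                moved += 1

    def recover(self, link):
        active = sorted(set(self.table))
        for _ in range(BUCKETS // (len(active) + 1)):
            # Hand over one bucket from the link that currently owns the most.
            donor = max(active, key=self.table.count)
            self.table[self.table.index(donor)] = link


def compare(failed="P3"):
    links = ["P1", "P2", "P3", "P4"]
    # Constructed flows: 1000 distinct 4-tuples.
    flows = [("10.0.%d.%d" % (i // 250, i % 250 + 1), "192.0.2.10", 1024 + i, 443)
             for i in range(1000)]
    group = ResilientGroup(links)
    original = list(group.table)
    before = {f: group.link_for(f) for f in flows}
    before_mod = {f: modulo_link(f, links) for f in flows}

    group.fail(failed)
    after_fail = {f: group.link_for(f) for f in flows}
    remaining = [l for l in links if l != failed]

    group.recover(failed)
    after_recover = {f: group.link_for(f) for f in flows}
    return {
        "on_failed_link": sum(v == failed for v in before.values()),
        "moved_resilient": sum(before[f] != after_fail[f] for f in flows),
        "moved_modulo": sum(before_mod[f] != modulo_link(f, remaining) for f in flows),
        "recovery_moves_only_to_recovered": all(
            after_recover[f] == failed
            for f in flows if after_fail[f] != after_recover[f]),
        "original_table": original,
        "table_after_recovery": list(group.table),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```
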

S-MLAG
Simple multichassis link aggregation (S-MLAG) enhances dynamic link aggregation to establish an
aggregation that spans multiple standalone devices to a remote device.
An S-MLAG multichassis aggregation connects one dynamic Layer 2 aggregate interface on each
S-MLAG device to the remote device, as shown in Figure 5.
S-MLAG uses an S-MLAG group to manage the aggregate interfaces for each aggregation, and it
runs LACP to maintain each aggregation as does dynamic link aggregation. To the remote device,
the S-MLAG devices appear as one peer aggregation system.

Figure 5 S-MLAG application scenario
[Topology diagram: Device A uses Port A1, Port A2, and Port A3 in one aggregation (BAGG) to connect to Port B1 on Device B, Port C1 on Device C, and Port D1 on Device D.]

Restrictions and guidelines: Mixed use of manual and automatic link aggregation configuration
To avoid unexpected aggregation issues, do not use manual assignment, automatic assignment,
and automatic link aggregation in any combination. If you use any two of these features in
combination, an automatically assigned member port might move between aggregation groups or
undesirably change from Selected to Unselected in some situations.
If you use port mirroring together with Ethernet link aggregation, assign the source port, destination
port, egress port, and reflector port for a mirroring group to the same aggregation group. If the source
port is in a different aggregation group than the other ports, mirrored LACPDUs will be transmitted
between aggregation groups and cause aggregate interface flapping.

Ethernet link aggregation tasks at a glance


To configure Ethernet link aggregation, perform the following tasks:
1. Configuring the system ID
2. Configuring link aggregations
◦ Configuring a manual link aggregation
◦ Configuring S-MLAG
3. (Optional.) Configuring an aggregate interface
◦ Configuring the description of an aggregate interface
◦ Setting the MAC address for an aggregate interface
◦ Configuring jumbo frame support
◦ Setting the MTU for a Layer 3 aggregate interface
◦ Setting the expected bandwidth for an aggregate interface
◦ Configuring an edge aggregate interface
An edge aggregate interface uses all member ports to forward traffic when the aggregation
peer is not enabled with dynamic link aggregation.
◦ Configuring physical state change suppression on an aggregate interface
◦ Shutting down an aggregate interface
◦ Restoring the default settings for an aggregate interface
4. (Optional.) Adjusting aggregation states of link aggregation member ports
◦ Setting the minimum and maximum numbers of Selected ports for an aggregation group
◦ Disabling the default action of selecting a Selected port for dynamic aggregation groups that
have not received LACPDUs
◦ Configuring a dynamic aggregation group to use port speed as the prioritized criterion for
reference port selection
◦ Specifying ignored VLANs for a Layer 2 aggregate interface
To have the system ignore the permit state and tagging mode of a VLAN when it decides
Selected ports, perform this task.
5. (Optional.) Configuring load sharing for link aggregation groups
◦ Setting static load sharing modes for link aggregation groups
◦ Setting a dynamic load sharing mode for a link aggregation group
◦ Specifying ignored packet fields for default link-aggregation load sharing
◦ Enabling local-first load sharing for link aggregation
◦ Configuring link aggregation load sharing algorithm and hash seed settings
◦ Setting a hash offset to adjust the load balancing results on link aggregations
◦ Setting the load sharing mode for tunneled traffic
6. (Optional.) Optimizing traffic forwarding
◦ Specifying link aggregation management VLANs and link aggregation management port
Perform this task to enable an aggregation group to forward Layer 3 data traffic of some
VLANs through a specific member port.
◦ Excluding a subnet from load sharing on aggregate links
Perform this task to make sure the bidirectional traffic of a subnet traverses the same
member port in an aggregation group.
◦ Enabling a Layer 2 aggregate interface to reflect incoming packets back
Perform this task to have a Layer 2 aggregate interface reflect a packet back when it is both
the incoming and outgoing interfaces of that packet.
◦ Enabling link-aggregation traffic redirection
This feature redirects traffic on an unavailable Selected port to the remaining available
Selected ports of an aggregation group to avoid traffic interruption.
◦ Isolating aggregate interfaces on the device
7. (Optional.) Enabling BFD for an aggregation group

Configuring the system ID


About this task
The two ends of a dynamic aggregate link choose a reference port from the end with a smaller
system ID.
The system ID contains the LACP system priority and LACP system MAC address. Two devices use
the following rules to compare their system IDs:
• If their system IDs contain different LACP system priorities, the system ID with a smaller LACP
system priority value is smaller.
• If their system IDs contain the same LACP system priority, the system ID with a lower LACP
system MAC address is smaller.
To view the LACP system MAC address and LACP system priority, execute the display
link-aggregation verbose command.

You can configure the system ID globally and in aggregate interface view. The global system ID
takes effect on all aggregation groups, and an aggregate-interface-specific system ID takes
precedence over the global system ID.
Software version and feature compatibility
The system ID configuration in aggregate interface view is supported only in Release 6616 and later.
Restrictions and guidelines
Member devices in an S-MLAG system must use the same LACP system priority and LACP system
MAC address.
For member ports to be selected correctly, do not modify the LACP system priority and LACP system
MAC address after a dynamic link aggregation is established.
Procedure
1. Enter system view.
system-view
2. Set the LACP system MAC address globally.
lacp system-mac mac-address
By default, the LACP system MAC address is the bridge MAC address of the device.
3. Set the LACP system priority globally.
lacp system-priority priority
By default, the LACP system priority is 32768.
4. Enter aggregate interface view.
◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
◦ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
5. Set the LACP system MAC address on the aggregate interface.
port lacp system-mac mac-address
By default, the LACP system MAC address is the bridge MAC address of the device.
6. Set the LACP system priority on the aggregate interface.
port lacp system-priority priority
By default, the LACP system priority is 32768.

Configuring a manual link aggregation


Restrictions and guidelines for aggregation group configuration
Layer 2 aggregation group restrictions
You cannot assign an interface to a Layer 2 aggregation group if any features in Table 4 are
configured on that interface.
Table 4 Features incompatible with Layer 2 aggregation member ports

Feature on the interface | Reference
Forcibly bringing up a fiber port by using the port up-mode command | Ethernet interface configuration in Interface Configuration Guide.
MAC authentication | MAC authentication in Security Configuration Guide
Port security | Port security in Security Configuration Guide
802.1X | 802.1X in Security Configuration Guide

Aggregation member port restrictions


Deleting an aggregate interface also deletes its aggregation group and causes all member ports to
leave the aggregation group.
An interface cannot join an aggregation group if it has different attribute configurations from the
aggregate interface. After joining an aggregation group, an interface inherits the attribute
configurations on the aggregate interface. You can modify the attribute configurations only on the
aggregate interface.
Do not assign a reflector port for port mirroring to an aggregation group. For more information about
reflector ports, see Network Management and Monitoring Configuration Guide.
Attribute and protocol configuration restrictions
For a link aggregation, attribute configurations are configurable only on the aggregate interface and
are automatically synchronized to all member ports. You cannot configure attribute configurations on
a member port until it is removed from the link aggregation group. The configurations that have been
synchronized from the aggregate interface are retained on the member ports even after the
aggregate interface is deleted.
If an attribute setting on the aggregate interface fails to be synchronized to a Selected member port,
the port might change to the Unselected state.
The protocol configurations for an aggregate interface take effect only on the current aggregate
interface. The protocol configurations for a member port take effect only when the port leaves its
aggregation group.
Configuration consistency requirements
You must configure the same aggregation mode at the two ends of an aggregate link.
• For a successful static aggregation, make sure the ports at both ends of each link are in the
same aggregation state.
• For a successful dynamic aggregation:
◦ Make sure the ports at both ends of a link are assigned to the correct aggregation group.
The two ends can automatically negotiate the aggregation state of each member port.
◦ If you use automatic interface assignment on one end, you must use manual assignment on
the other end.

Configuring a Layer 2 aggregation group


Configuring a Layer 2 static aggregation group
1. Enter system view.
system-view
2. Create a Layer 2 aggregate interface and enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
When you create a Layer 2 aggregate interface, the system automatically creates a Layer 2
static aggregation group numbered the same as that interface.
3. Return to system view.
quit
4. Assign an interface to the Layer 2 aggregation group:
a. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
b. Assign the interface to the Layer 2 aggregation group.
port link-aggregation group group-id [ force ]
Repeat the substeps to assign more interfaces to the aggregation group.
To synchronize the attribute configurations from the aggregate interface when the current
interface joins the aggregation group, specify the force keyword.
5. (Optional.) Set the port priority of the interface.
link-aggregation port-priority priority
The default port priority of an interface is 32768.
Configuring a Layer 2 dynamic aggregation group
1. Enter system view.
system-view
2. Create a Layer 2 aggregate interface and enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
When you create a Layer 2 aggregate interface, the system automatically creates a Layer 2
static aggregation group numbered the same as that interface.
3. Configure the aggregation group to operate in dynamic mode.
link-aggregation mode dynamic
By default, an aggregation group operates in static mode.
4. Return to system view.
quit
5. Assign an interface to the Layer 2 aggregation group:
a. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
b. Assign the interface to the Layer 2 aggregation group or enable automatic assignment on
that interface.
port link-aggregation group { group-id [ force ] | auto [ group-id ] }
Repeat these two substeps to assign more Layer 2 Ethernet interfaces to the aggregation
group.
To synchronize the attribute configurations from the aggregate interface when the current
interface joins the aggregation group, specify the force keyword.
To enable automatic assignment, specify the auto keyword. As a best practice, do not modify
the configuration on an automatically created aggregate interface or its member ports.
6. Set the LACP operating mode for the interface.
◦ Set the LACP operating mode to passive.
lacp mode passive
◦ Set the LACP operating mode to active.
undo lacp mode
By default, LACP is operating in active mode.
7. (Optional.) Set the port priority for the interface.
link-aggregation port-priority priority
The default setting is 32768.

8. (Optional.) Set the short LACP timeout interval (3 seconds) for the interface.
lacp period short
By default, the long LACP timeout interval (90 seconds) is used by the interface.
To avoid traffic interruption during an ISSU, do not set the short LACP timeout interval before
performing the ISSU. For more information about ISSU, see Fundamentals Configuration
Guide.

Configuring a Layer 3 aggregation group


Configuring a Layer 3 static aggregation group
1. Enter system view.
system-view
2. Create a Layer 3 aggregate interface and enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
When you create a Layer 3 aggregate interface, the system automatically creates a Layer 3
static aggregation group numbered the same as that interface.
3. Return to system view.
quit
4. Assign an interface to the Layer 3 aggregation group:
a. Enter Layer 3 Ethernet interface view.
interface interface-type interface-number
b. Assign the interface to the Layer 3 aggregation group.
port link-aggregation group group-id
Repeat the substeps to assign more interfaces to the aggregation group.
5. (Optional.) Set the port priority of the interface.
link-aggregation port-priority priority
The default port priority of an interface is 32768.
Configuring a Layer 3 dynamic aggregation group
1. Enter system view.
system-view
2. Create a Layer 3 aggregate interface and enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
When you create a Layer 3 aggregate interface, the system automatically creates a Layer 3
static aggregation group numbered the same as that interface.
3. Configure the aggregation group to operate in dynamic mode.
link-aggregation mode dynamic
By default, an aggregation group operates in static mode.
4. Return to system view.
quit
5. Assign an interface to the Layer 3 aggregation group:
a. Enter Layer 3 Ethernet interface view.
interface interface-type interface-number
b. Assign the interface to the Layer 3 aggregation group or enable automatic assignment on
that interface.
port link-aggregation group { group-id | auto [ group-id ] }
Repeat these two substeps to assign more Layer 3 Ethernet interfaces to the aggregation
group.
To enable automatic assignment, specify the auto keyword. As a best practice, do not modify
the configuration on an automatically created aggregate interface or its member ports.
6. Set the LACP operating mode for the interface.
◦ Set the LACP operating mode to passive.
lacp mode passive
◦ Set the LACP operating mode to active.
undo lacp mode
By default, LACP is operating in active mode.
7. (Optional.) Set the port priority of the interface.
link-aggregation port-priority priority
The default setting is 32768.
8. (Optional.) Set the short LACP timeout interval (3 seconds) for the interface.
lacp period short
By default, the long LACP timeout interval (90 seconds) is used by the interface.
To avoid traffic interruption during an ISSU, do not set the short LACP timeout interval before
performing the ISSU. For more information about ISSU, see Fundamentals Configuration
Guide.

Configuring S-MLAG
Restrictions and guidelines
Use S-MLAG only to establish aggregate links with servers.
S-MLAG is intended for a non-IRF environment. Do not configure it on an IRF fabric. For more
information about IRF, see Virtual Technologies Configuration Guide.
Each S-MLAG group can contain only one aggregate interface on each device.
The aggregate interfaces in an S-MLAG group cannot be used as DR interfaces or IPPs in DRNI. For
more information about DR interfaces and IPPs, see DRNI configuration in Layer 2—LAN Switching
Configuration Guide.
On S-MLAG devices, make sure the member ports in an aggregation group have the same speed
and duplex mode. Inconsistency in these settings might cause reference port reselection and
interrupt traffic forwarding when new member ports join the aggregation group.
Do not configure the following settings on S-MLAG devices:
• LACP MAD.
• Link-aggregation traffic redirection.
• Maximum or minimum number of Selected ports.
• Automatic member port assignment.
• Spanning tree. For more information about spanning tree, see "Configuring spanning tree
protocols."
As a best practice, maintain consistency across S-MLAG devices in service feature configuration.
Prerequisites
Configure the link aggregation settings other than S-MLAG settings on each S-MLAG device. Make
sure the settings are consistent across the S-MLAG devices.

Procedure
1. Enter system view.
system-view
2. Set the LACP system MAC address.
lacp system-mac mac-address
By default, the LACP system MAC address is the bridge MAC address of the device.
All S-MLAG devices must use the same LACP system MAC address.
3. Set the LACP system priority.
lacp system-priority priority
By default, the LACP system priority is 32768.
All S-MLAG devices must use the same LACP system priority.
4. Set the LACP system number.
lacp system-number number
By default, the LACP system number is not set.
You must assign a unique LACP system number to each S-MLAG device.
5. Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
6. Set the link aggregation mode to dynamic.
link-aggregation mode dynamic
By default, an aggregation group operates in static mode.
7. Assign the aggregate interface to an S-MLAG group.
port s-mlag group group-id
By default, an aggregate interface is not assigned to any S-MLAG group.
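
The S-MLAG restrictions and procedure above lend themselves to an automated consistency check across the member devices. The following is an added example, not an H3C tool: it reads configuration text that uses only the commands shown in this guide, and the device names, MAC addresses, interface names and the layout of the sample snippets are constructed. LACP MAD, traffic redirection and spanning tree are not checked because their commands are not shown in this section.

```python
import re
from collections import Counter, defaultdict


def parse_config(text):
    """Split configuration text into global LACP settings and per-interface commands."""
    settings, interfaces, current = {}, defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":            # separator ends the interface view
            current = None
        elif line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current]                # register even without commands
        elif current is not None:
            interfaces[current].append(line)
        else:
            m = re.fullmatch(
                r"lacp (system-mac|system-priority|system-number) (\S+)", line)
            if m:
                settings[m.group(1)] = m.group(2).lower()
    return settings, dict(interfaces)


def audit_smlag(devices):
    """devices: {name: configuration text}. Returns sorted (device, issue) tuples."""
    parsed = {name: parse_config(text) for name, text in devices.items()}
    findings = set()

    # Same LACP system MAC address on every device; the default is per device.
    macs = {n: s.get("system-mac") for n, (s, _) in parsed.items()}
    findings |= {(n, "system-mac not set") for n, v in macs.items() if v is None}
    if len({v for v in macs.values() if v}) > 1:
        findings.add(("*", "system-mac differs"))

    # Same LACP system priority on every device (default 32768).
    if len({s.get("system-priority", "32768") for s, _ in parsed.values()}) > 1:
        findings.add(("*", "system-priority differs"))

    # A unique LACP system number on each device; no default exists.
    nums = {n: s.get("system-number") for n, (s, _) in parsed.items()}
    counts = Counter(v for v in nums.values() if v)
    for n, v in nums.items():
        if v is None:
            findings.add((n, "system-number not set"))
        elif counts[v] > 1:
            findings.add((n, "system-number duplicated"))

    for dev, (_, interfaces) in parsed.items():
        groups = defaultdict(list)
        for ifname, cmds in interfaces.items():
            for cmd in cmds:
                if cmd.startswith("port s-mlag group "):
                    groups[cmd.split()[-1]].append(ifname)
                    if "link-aggregation mode dynamic" not in cmds:
                        findings.add((dev, ifname + ": not in dynamic mode"))
                elif cmd.startswith("link-aggregation selected-port "):
                    findings.add((dev, ifname + ": Selected port limit configured"))
                elif cmd.startswith("port link-aggregation group auto"):
                    findings.add((dev, ifname + ": automatic member port assignment"))
        for gid, names in groups.items():
            if len(names) > 1:
                findings.add((dev, "S-MLAG group %s: more than one aggregate interface" % gid))
    return sorted(findings)


# Constructed sample configurations.
SW1 = """#
 lacp system-mac 0001-0001-0001
 lacp system-priority 123
 lacp system-number 1
#
interface Bridge-Aggregation10
 link-aggregation mode dynamic
 port s-mlag group 100
#
interface Ten-GigabitEthernet1/0/1
 port link-aggregation group 10
#"""
SW2 = SW1.replace(" link-aggregation mode dynamic\n", "")   # static mode, number 1 reused
SW3 = """#
 lacp system-mac 0001-0001-0003
 lacp system-number 3
#
interface Bridge-Aggregation10
 link-aggregation mode dynamic
 link-aggregation selected-port maximum 1
 port s-mlag group 100
#
interface Ten-GigabitEthernet1/0/2
 port link-aggregation group auto
#"""

if __name__ == "__main__":
    for finding in audit_smlag({"sw1": SW1, "sw2": SW2, "sw3": SW3}):
        print(finding)
```
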

Configuring an aggregate interface


Most settings that can be made on Layer 2 or Layer 3 Ethernet interfaces can also be made on Layer
2 or Layer 3 aggregate interfaces.

Configuring the description of an aggregate interface


About this task
You can configure the description of an aggregate interface for administration purposes, for example,
describing the purpose of the interface.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
◦ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
◦ Enter Layer 3 aggregate subinterface view.
interface route-aggregation interface-number.subnumber
3. Configure the interface description.
description text
By default, the description of an interface is interface-name Interface.

Setting the MAC address for an aggregate interface


About this task
Typically, all aggregate interfaces on a device use the same MAC address, and aggregate interfaces
on different devices use different MAC addresses. However, you must set different MAC addresses
for aggregate interfaces on a device in some situations.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
◦ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
◦ Enter Layer 3 aggregate subinterface view.
interface route-aggregation interface-number.subnumber
3. Set the MAC address for the aggregate interface.
mac-address mac-address
By default, all Layer 3 aggregate interfaces and subinterfaces on the device use the same
default MAC address.

Configuring jumbo frame support


About this task
An aggregate interface might receive frames larger than 1536 bytes during high-throughput data
exchanges, such as file transfers. These frames are called jumbo frames.
How an aggregate interface processes jumbo frames depends on whether jumbo frame support is
enabled on the interface.
• If configured to deny jumbo frames, the aggregate interface discards jumbo frames.
• If enabled with jumbo frame support, the aggregate interface performs the following operations:
◦ Processes jumbo frames that are within the allowed length.
◦ Discards jumbo frames that exceed the allowed length.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
◦ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Allow jumbo frames.
jumboframe enable [ size ]
By default, an aggregate interface allows jumbo frames with a maximum length of 9416 bytes to
pass through.
If you execute this command multiple times, the most recent configuration takes effect.

Setting the MTU for a Layer 3 aggregate interface


About this task
The MTU of an interface affects IP packet fragmentation and reassembly on the interface.
Procedure
1. Enter system view.
system-view
2. Enter Layer 3 aggregate interface or subinterface view.
interface route-aggregation { interface-number |
interface-number.subnumber }
3. Set the MTU.
mtu size
The default setting is 1500 bytes.

Setting the expected bandwidth for an aggregate interface


About this task
Expected bandwidth is an informational parameter used only by higher-layer protocols for calculation.
You cannot adjust the actual bandwidth of an interface by performing this task.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
◦ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
◦ Enter Layer 3 aggregate subinterface view.
interface route-aggregation interface-number.subnumber
3. Set the expected bandwidth for the interface.
bandwidth bandwidth-value
By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.

Configuring an edge aggregate interface


Restrictions and guidelines
This configuration takes effect only on aggregate interfaces in dynamic mode.
Link-aggregation traffic redirection cannot operate correctly on an edge aggregate interface. For
more information about link-aggregation traffic redirection, see "Enabling link-aggregation traffic
redirection."

Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
◦ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Configure the aggregate interface as an edge aggregate interface.
lacp edge-port
By default, an aggregate interface does not operate as an edge aggregate interface.

Configuring physical state change suppression on an aggregate interface
About this task
The physical link state of an aggregate interface is either up or down. Each time the physical link of
an interface comes up or goes down, the system immediately reports the change to the CPU. The
CPU then notifies the upper-layer protocol modules (such as routing and forwarding modules) of the
change, and the device automatically generates traps and log messages and sends them to the
SNMP and information center modules. You can configure SNMP and information center to output
these messages.
To prevent frequent physical link flapping from affecting system performance, configure physical
state change suppression. You can configure this feature to suppress link-down events, link-up
events, or both. If an event of the specified type still exists when the suppression interval expires, the
system reports the event to the CPU.
Restrictions and guidelines
When you configure suppression interval settings on an aggregate interface, make sure its peer
interface is also an aggregate interface in the same aggregation mode. In addition, the suppression
interval settings must be the same between the peer aggregate interfaces.
As a best practice, use the default setting in an S-MLAG environment.
On an interface, you can configure different suppression intervals for link-up and link-down events. If
you execute the link-delay command multiple times for an event type, the most recent
configuration takes effect on that event type.
Use this feature on an aggregate interface to reduce the impact of interface flapping on upper-layer
services, for example, on a DRNI IPP. For more information about IPPs, see "Configuring DRNI."
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
◦ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Configure physical state change suppression.
link-delay { down | up } [ msec ] delay-time
By default, each time the physical link of an aggregate interface comes up or goes down, the
system immediately reports the change to the CPU.

Shutting down an aggregate interface


Restrictions and guidelines
Shutting down or bringing up an aggregate interface affects the aggregation states and link states of
member ports in the corresponding aggregation group as follows:
• When an aggregate interface is shut down, all its Selected ports become Unselected and all
member ports go down.
• When an aggregate interface is brought up, the aggregation states of all its member ports are
recalculated.
When you shut down or bring up a Layer 3 aggregate interface, all its aggregate subinterfaces are
also shut down or brought up. Shutting down or bringing up a Layer 3 aggregate subinterface does
not affect the state of the main aggregate interface.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
◦ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
◦ Enter Layer 3 aggregate subinterface view.
interface route-aggregation interface-number.subnumber
3. Shut down the interface.
shutdown

CAUTION:
The shutdown command will disconnect all links established on an interface. Make sure you
are fully aware of the impacts of this command when you use it on a live network.

Restoring the default settings for an aggregate interface


Restrictions and guidelines

CAUTION:
The default command might interrupt ongoing network services. Make sure you are fully aware of
the impacts of this command when you execute it on a live network.

The default command might fail to restore the default settings for some commands for reasons
such as command dependencies and system restrictions.
To resolve this issue:
1. Use the display this command in interface view to identify these commands.
2. Use their undo forms or follow the command reference to restore their default settings.
3. If the restoration attempt still fails, follow the error message instructions to resolve the issue.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
◦ Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
◦ Enter Layer 3 aggregate subinterface view.
interface route-aggregation interface-number.subnumber
3. Restore the default settings for the aggregate interface.
default

Setting the minimum and maximum numbers of Selected ports for an aggregation group
About this task
The bandwidth of an aggregate link increases as the number of Selected member ports increases.
To avoid congestion, you can set the minimum number of Selected ports required for bringing up an
aggregate interface.
This minimum threshold setting affects the aggregation states of aggregation member ports and the
state of the aggregate interface.
• When the number of member ports eligible to be Selected ports is smaller than the minimum
threshold, the following events occur:
◦ The eligible member ports are placed in Unselected state.
◦ The link layer state of the aggregate interface becomes down.
• When the number of member ports eligible to be Selected ports reaches or exceeds the
minimum threshold, the following events occur:
◦ The eligible member ports are placed in Selected state.
◦ The link layer state of the aggregate interface becomes up.
The maximum number of Selected ports allowed in an aggregation group is limited by either manual
configuration or hardware limitation, whichever value is smaller.
You can implement backup between two ports by performing the following tasks:
• Assigning two ports to an aggregation group.
• Setting the maximum number of Selected ports to 1 for the aggregation group.
Then, only one Selected port is allowed in the aggregation group, and the Unselected port acts as a
backup port.
Restrictions and guidelines

IMPORTANT:
After you set the minimum percentage of Selected ports for an aggregation group, aggregate
interface flapping might occur when ports join or leave an aggregation group. Make sure you are
fully aware of the impacts of this setting when you configure it on a live network.

You can set either the minimum number or the minimum percentage of Selected ports for an
aggregation group. If you configure both settings on an aggregate interface, the higher Selected port
number limit takes effect.
The minimum and maximum numbers of Selected ports must be the same between the two ends of
an aggregate link.
The minimum percentage of Selected ports must be the same between the two ends of an aggregate
link.
For an aggregation group, the maximum number of Selected ports must be equal to or higher than
the minimum number of Selected ports.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Set the minimum number of Selected ports for the aggregation group. Choose one of the
following methods:
 Set the minimum number of Selected ports.
link-aggregation selected-port minimum min-number
 Set the minimum percentage of Selected ports.
link-aggregation selected-port minimum percentage number
By default, the minimum number of Selected ports is not specified for an aggregation group.
4. Set the maximum number of Selected ports for the aggregation group.
link-aggregation selected-port maximum max-number
By default, an aggregation group can have a maximum of 32 Selected ports.

Disabling the default action of selecting a Selected port for dynamic aggregation groups that have not received LACPDUs
About this task
The default port selection action applies to dynamic aggregation groups.
This action automatically chooses the port with the lowest ID from among all up member ports as a
Selected port if none of them has received LACPDUs before the LACP timeout interval expires.
After this action is disabled, a dynamic aggregation group will not have any Selected ports to forward
traffic if it has not received LACPDUs before the LACP timeout interval expires.
Procedure
1. Enter system view.
system-view
2. Disable the default port selection action.
lacp default-selected-port disable
By default, the default port selection action is enabled for dynamic aggregation groups.

Configuring a dynamic aggregation group to use port speed as the prioritized criterion for reference port selection
About this task
Perform this task to ensure that a dynamic aggregation group selects a high-speed member port as
the reference port. After you perform this task, the reference port will be selected based on the
criteria in order of device ID, port speed, and port ID.
Restrictions and guidelines
Changing reference port selection criteria might cause transient traffic interruption. Make sure you
understand the impact of this task on your network.
You must perform this task at both ends of the aggregate link so the peer aggregation systems use
the same criteria for reference port selection.
As a best practice, shut down the peer aggregate interfaces before you execute this command and
bring up the interfaces after this command is executed on both of them.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Specify port speed as the prioritized criterion for reference port selection.
lacp select speed
By default, port ID is the prioritized criterion for reference port selection of a dynamic
aggregation group.

Specifying ignored VLANs for a Layer 2 aggregate interface
About this task
By default, you cannot add a port to a Layer 2 link aggregation group if it has a different VLAN permit
state or tagging mode than the aggregate interface.
To have a port participate in a Layer 2 aggregation despite its difference with the aggregate interface
in the settings of a VLAN, configure that VLAN as an ignored VLAN.
Restrictions and guidelines
This feature takes effect only when the link type of a Layer 2 aggregate interface is hybrid or trunk.

Procedure
1. Enter system view.
system-view
2. Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Specify ignored VLANs.
link-aggregation ignore vlan vlan-id-list
By default, a Layer 2 aggregate interface does not ignore any VLANs.

Configuring load sharing for link aggregation groups
Setting static load sharing modes for link aggregation groups
About this task
You can set the static global or group-specific load sharing mode. A link aggregation group
preferentially uses the group-specific load sharing mode. If the group-specific load sharing mode is
not available, the group uses the global load sharing mode.
Restrictions and guidelines
The following are the global load sharing modes supported on the device:
• Load sharing mode automatically determined based on the packet type.
• Source IP.
• Destination IP.
• Source MAC.
• Destination MAC.
• Layer 1 MPLS label.
• Layer 2 MPLS label.
• Source IP and destination IP.
• Source IP and source port.
• Destination IP and destination port.
• Layer 1 MPLS label and Layer 2 MPLS label.
• Source IP, source port, destination IP, and destination port.
• Any combination of ingress port, source MAC, and destination MAC.
The following are the load sharing modes supported in aggregate interface view:
• Load sharing mode automatically determined based on the packet type.
• Per-packet load sharing.
• Resilient.
• Source IP.
• Destination IP.
• Source MAC.
• Destination MAC.
• Source IP and destination IP.
• Source MAC and destination MAC.
When you configure resilient load sharing, follow these restrictions and guidelines:
• In resilient load sharing mode, an aggregation group distributes traffic based on the default load
sharing mode if no link change occurs.
• If you have configured dynamic load sharing on an aggregate interface, you cannot configure
resilient load sharing on any aggregate interfaces.
• Before you enable resilient load sharing on an aggregate interface, make sure its aggregation
group does not contain Selected member ports. If Selected member ports exist, shut down the
aggregate interface.
• To use resilient load sharing on a DR interface, you must configure the resilient load sharing
mode before you assign member ports to the DR interface.
• If a local DR interface or its peer DR interface already has member ports, use the following
procedure to configure the resilient load sharing mode on the local DR interface:
a. Delete the DR interface.
b. Recreate the DR interface.
c. Configure the resilient load sharing mode.
d. Assign member ports to the DR interface.
For information about DR interfaces, see "Configuring DRNI."
Setting the global link-aggregation load sharing mode
1. Enter system view.
system-view
2. Set the global link-aggregation load sharing mode.
link-aggregation global load-sharing mode { destination-ip |
destination-mac | destination-port | ingress-port | mpls-label1 |
mpls-label2 | source-ip | source-mac | source-port } *
The default settings are as follows:
 Layer 2 frames are load shared based on the source and destination MAC addresses, and
EtherType value.
 IP packets are load shared based on the source and destination IP addresses, protocol
number, and source and destination port numbers.
Setting the group-specific load sharing mode
1. Enter system view.
system-view
2. Enter aggregate interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Set the load sharing mode for the aggregation group.
link-aggregation load-sharing mode { { destination-ip |
destination-mac | source-ip | source-mac } * | flexible | per-packet |
resilient }
By default, group-specific load sharing mode is the same as the global load sharing mode.
The resilient keyword is supported only in Release 6616 and later.

Setting a dynamic load sharing mode for a link aggregation
group
About this task
An aggregation group does not distribute traffic based on the bandwidth usage of its member ports
when using a static load sharing mode. As a result, traffic might be distributed unevenly among the
aggregation member ports. To obtain balanced load sharing results, you can use dynamic load
sharing to distribute traffic based on the bandwidth usage of aggregation member ports.
Dynamic load sharing supports the following modes:
• Eligible—Distributes the traffic from a flow on a per-flowlet basis. Flowlets are bursts of packets
from a flow, which are separated based on the flowlet gap timer. If the forwarding latency
between two bursts of packets is larger than the flowlet gap timer, they are two flowlets and can
be forwarded on different links. The link selected for a flowlet is the least utilized link at the time
of selection.
• Fixed—Distributes traffic across the aggregation member links on a per-flow basis. The link
selected for a flow is the least utilized link at the time of selection.
• Spray—Distributes traffic across the aggregation member links on a per-packet basis. The link
selected for a packet is the least utilized link at the time of selection.

IMPORTANT:
In spray mode, packets in a flow might be distributed to different links and arrive at the receiving
device out of order. When you use this mode, you must make sure the receiving device
supports packet reordering.

Software version and feature compatibility


The feature is supported only in Release 6616 and later.
Restrictions and guidelines

The dynamic load sharing mode has priority over the static load sharing mode. If you configure both
settings on an aggregate interface, the dynamic mode takes effect.
If you have configured resilient load sharing on an aggregate interface, you cannot configure
dynamic load sharing on any aggregate interfaces.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Configure a dynamic load sharing mode.
link-aggregation load-sharing mode dynamic { eligible
[ flowlet-gap-time flowlet-gap-time ] | fixed | spray }
By default, an aggregation group uses the static load sharing mode.
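The difference between the eligible, fixed, and spray modes is easiest to see on a short packet trace. The following Python model is an added example, not H3C code: it treats link utilization as bytes sent so far and a flowlet boundary as an idle gap between packets of one flow, and the 500-microsecond gap, the traffic, and the function names are constructed for illustration.

```python
from collections import defaultdict

FLOWLET_GAP_US = 500  # constructed value for this demo, not a device default
LINKS = ["WGE1/0/1", "WGE1/0/2"]

# Constructed traffic: (arrival time in microseconds, flow ID, size in bytes).
# Flow A sends two bursts separated by a 970 us pause; flow B sends two packets.
PACKETS = [
    (0, "A", 1500), (10, "A", 1500), (20, "B", 500), (30, "A", 1500),
    (1000, "A", 1500), (1010, "A", 1500), (1020, "B", 500),
]


def distribute(packets, links, mode, flowlet_gap_us=FLOWLET_GAP_US):
    """Return (bytes per link, {flow: [(time, link), ...]}) for one mode."""
    load = {link: 0 for link in links}  # utilization modelled as bytes sent so far
    pinned, last_seen = {}, {}
    path = defaultdict(list)
    for t, flow, size in sorted(packets):
        if mode == "spray":        # per packet: always select again
            reselect = True
        elif mode == "fixed":      # per flow: select once, then stay
            reselect = flow not in pinned
        elif mode == "eligible":   # per flowlet: select again after an idle gap
            reselect = flow not in pinned or t - last_seen[flow] > flowlet_gap_us
        else:
            raise ValueError(f"unknown mode: {mode}")
        if reselect:
            # Least utilized link at the time of selection; ties go to the first link.
            pinned[flow] = min(links, key=lambda link: load[link])
        link = pinned[flow]
        load[link] += size
        last_seen[flow] = t
        path[flow].append((t, link))
    return load, dict(path)


def reorder_exposure(path, flowlet_gap_us=FLOWLET_GAP_US):
    """Count back-to-back packets of one flow that were sent on different links."""
    risky = 0
    for hops in path.values():
        for (t0, link0), (t1, link1) in zip(hops, hops[1:]):
            if link0 != link1 and t1 - t0 <= flowlet_gap_us:
                risky += 1
    return risky


if __name__ == "__main__":
    for mode in ("fixed", "eligible", "spray"):
        load, path = distribute(PACKETS, LINKS, mode)
        print(f"{mode:9}{load}  reorder exposure: {reorder_exposure(path)}")
```

On this trace, fixed mode keeps flow A on one link, eligible mode moves it only at the pause between bursts, and spray mode splits packets inside a burst, which is the case that requires reordering support on the receiving device.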

Specifying ignored packet fields for default link-aggregation
load sharing
About this task
To obtain the optimal load distribution performance in the default load sharing mode, you can
perform this task to exclude some fields from load sharing calculation.
Procedure
1. Enter system view.
system-view
2. Specify ignored packet fields for default link-aggregation load sharing.
link-aggregation load-sharing ignore { destination-ip |
destination-mac | destination-port | ethernet-type | ingress-port |
ip-protocol | mpls-label1 | mpls-label2 | mpls-label3 | source-ip |
source-mac | source-port | vlan-id } *
By default, no ignored packet fields are specified for default link-aggregation load sharing.

Enabling local-first load sharing for link aggregation


About this task
Use local-first load sharing in a multidevice link aggregation scenario to distribute traffic preferentially
across member ports on the ingress slot.
When you aggregate ports on different member devices in an IRF fabric, you can use local-first load
sharing to reduce traffic on IRF links, as shown in Figure 6. For more information about IRF, see
Virtual Technologies Configuration Guide.
Figure 6 Load sharing for multidevice link aggregation in an IRF fabric

Flowchart:
• Start: The egress port for a traffic flow is an aggregate interface that has Selected ports on different IRF member devices.
• Local-first load sharing mechanism enabled?
 No: Packets are load-shared across all Selected ports.
 Yes: Any Selected ports on the ingress device?
   Yes: Packets are load-shared only across the Selected ports on the ingress device.
   No: Packets are load-shared across all Selected ports.

Enabling local-first load sharing for link aggregation globally


1. Enter system view.
system-view
2. Enable local-first load sharing for link aggregation globally.
link-aggregation load-sharing mode local-first
By default, local-first load sharing is enabled globally.

Configuring link aggregation load sharing algorithm and hash seed settings
About this task
Use the link aggregation load sharing algorithm and hash seed features to optimize traffic distribution
on aggregate links when the default load sharing mode is used. Each algorithm represents a CRC
calculation method and the hash seed is used in hashing.
You can use a load sharing algorithm and a hash seed individually or in combination to obtain the
optimal load sharing performance.
When you try each algorithm or algorithm and seed combination, use the display counters
command to verify the load sharing result.
Restrictions and guidelines
The link aggregation load sharing algorithm and hash seed settings do not take effect on per-flow
load sharing.
Procedure
1. Enter system view.
system-view
2. Configure a link aggregation load sharing algorithm.
link-aggregation global load-sharing algorithm algorithm-number
By default, no algorithm is configured.
3. Configure a link aggregation load sharing hash seed.
link-aggregation global load-sharing seed seed-number
By default, no hash seed is configured.

Setting a hash offset to adjust the load balancing results on link aggregations
About this task
If undesirable traffic imbalance occurs on link aggregations, you can use this command to adjust the
load sharing results on link aggregations.
Restrictions and guidelines
Misuse of this feature causes unbalanced traffic distribution. Make sure you are fully aware of the
impacts of this feature when you configure it on a live network.
Procedure
1. Enter system view.
system-view
2. Set a hash offset to adjust the load sharing results on link aggregations.
link-aggregation global load-sharing offset offset-value
By default, no hash offset is configured for load sharing on link aggregations.

Setting the load sharing mode for tunneled traffic


About this task
Perform this task to set the criterion used by aggregation groups to distribute tunneled traffic for load
sharing.
The device can use one of the following modes to distribute tunneled traffic on a link aggregation:
• Inner—Distributes tunneled traffic based on the inner IP header.
• Outer—Distributes tunneled traffic based on the outer IP header.
Procedure
1. Enter system view.
system-view
2. Set the load sharing mode for tunneled traffic on aggregate links.
link-aggregation global load-sharing tunnel { inner | outer }
By default, tunneled traffic is distributed based on the inner IP header on aggregate links.
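The static load sharing modes, the ignored packet fields, and the inner or outer choice for tunneled traffic all decide which header fields feed the per-flow hash, and a poor choice can pin every flow to one member link. The following Python model is an added example, not H3C code: zlib.crc32 stands in for the device's hash, which this guide does not specify, and the flows, addresses, and function names are constructed for illustration.

```python
import zlib
from collections import Counter

LINKS = ["WGE1/0/1", "WGE1/0/2", "WGE1/0/3"]
# Default hash inputs for IP packets, named after the keywords in this guide.
DEFAULT_IP = ("source-ip", "destination-ip", "ip-protocol",
              "source-port", "destination-port")


def pick_link(header, fields, links=LINKS, ignore=()):
    """Map one header (dict of field -> value) to a member link."""
    used = [f for f in fields if f not in ignore]
    key = "|".join(f"{f}={header.get(f, '')}" for f in used)
    # zlib.crc32 is a stand-in; the guide does not specify the device's hash.
    return links[zlib.crc32(key.encode()) % len(links)]


def share(packets, fields, links=LINKS, ignore=(), tunnel="inner"):
    """Count packets per member link for a static per-flow mode."""
    counts = Counter()
    for pkt in packets:
        use_inner = tunnel == "inner" and "inner" in pkt
        header = pkt["inner"] if use_inner else pkt["outer"]
        counts[pick_link(header, fields, links, ignore)] += 1
    return counts


# --- Constructed traffic (documentation address ranges) ---
def routed_flows(n=64):
    """Flows arriving through one router: one MAC pair, many 5-tuples."""
    return [{"outer": {"source-mac": "0000-5e00-5301",
                       "destination-mac": "0000-5e00-5302",
                       "source-ip": f"198.51.100.{i}",
                       "destination-ip": "203.0.113.10", "ip-protocol": 6,
                       "source-port": 40000 + i, "destination-port": 443}}
            for i in range(1, n + 1)]


def gre_flows(n=64):
    """The same flows carried in GRE between two endpoints: one outer header."""
    outer = {"source-ip": "192.0.2.1", "destination-ip": "192.0.2.2",
             "ip-protocol": 47}
    return [{"outer": outer, "inner": flow["outer"]} for flow in routed_flows(n)]


def one_host_pair(n=64):
    """Flows between one pair of hosts that differ only in the source port."""
    return [{"outer": {"source-ip": "198.51.100.1",
                       "destination-ip": "203.0.113.10", "ip-protocol": 6,
                       "source-port": 40000 + i, "destination-port": 443}}
            for i in range(n)]


if __name__ == "__main__":
    mac_mode = ("source-mac", "destination-mac")
    cases = [
        ("routed, source-mac + destination-mac", share(routed_flows(), mac_mode)),
        ("routed, default IP fields", share(routed_flows(), DEFAULT_IP)),
        ("GRE, tunnel outer", share(gre_flows(), DEFAULT_IP, tunnel="outer")),
        ("GRE, tunnel inner", share(gre_flows(), DEFAULT_IP, tunnel="inner")),
        ("one host pair, default IP fields", share(one_host_pair(), DEFAULT_IP)),
        ("one host pair, ignore source-port",
         share(one_host_pair(), DEFAULT_IP, ignore=("source-port",))),
    ]
    for label, counts in cases:
        print(f"{label:38}{dict(counts)}")
```

Whenever the selected fields are identical across all flows (one MAC pair, one outer tunnel header, or a 5-tuple with its only varying field ignored), the output shows a single member link carrying all 64 flows.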

Specifying link aggregation management VLANs and link aggregation management port
About this task
For an aggregation group to forward Layer 3 data traffic of some VLANs through a specific port,
specify the VLANs as management VLANs and the port as a management port.
Procedure
1. Enter system view.
system-view
2. Specify link aggregation management VLANs.
link-aggregation management-vlan vlan-id-list
By default, no link aggregation management VLANs are specified.
3. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
4. Configure the port as a management port for its aggregation group.
link-aggregation management-port
By default, a port does not act as a management port in its aggregation group.

Excluding a subnet from load sharing on aggregate links
About this task
Typically, an aggregate interface distributes traffic across its Selected member ports. The uplink and
downlink traffic of a host might be distributed to different member ports. To make sure the
bidirectional traffic of a subnet traverses the same member port, you can exclude that subnet from
load sharing by specifying it as a link aggregation management subnet.

As shown in Figure 7, an aggregate link is established between the server and the IRF fabric. The
server sends all uplink traffic of a subnet through Port C1 to Port A1 on the IRF fabric. If that subnet
is not specified as a management subnet, the IRF fabric distributes its downlink traffic across Port A1
and Port B2. To send the downlink traffic of that subnet to the server only through Port A1, you can
specify the subnet as a link aggregation management subnet.
Figure 7 Link aggregation scenario before management subnets are used

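[Network diagram: Device A and Device B form an IRF fabric (IRF-port1/2 and IRF-port2/1) that connects to the IP network. Port A1 on Device A and Port B2 on Device B are member ports of the aggregate interface (BAGG) on the IRF fabric, which connects to the aggregate interface (BAGG) on the server. Port C1 is on the server. Arrows mark the uplink traffic and the downlink traffic.]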

When an aggregate interface receives an ARP packet from the management subnet, the device
looks up the sender IP address in the ARP table for a matching entry.
• If no matching entry exists, the device creates an ARP entry on the aggregation member port
from which the packet came in. This mechanism ensures that the returned downlink traffic will
be forwarded out of the member port that received the uplink traffic.
• If an ARP entry already exists on a different port than the aggregate interface or its member
ports, the device does not update that ARP entry. Instead, the device broadcasts an ARP
request out of all ports to relearn the ARP entry.
When an aggregate interface sends an ARP packet to the management subnet, the device sends
the packet out of all Selected member ports of the aggregate interface.
Restrictions and guidelines
You can configure a maximum of 20 management subnets.
To ensure correct packet forwarding, delete all ARP entries of a subnet before you specify it as a
management subnet or after you remove it from the management subnet list.
If you are using link aggregation management subnets, do not use the following features:
• DRNI. For more information, see Layer 2—LAN Switching Configuration Guide.
• ARP snooping. For more information, see Layer 3—IP Services Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Specify a link aggregation management subnet.
link-aggregation management-subnet ip-address { mask | mask-length }
By default, no link aggregation management subnets are specified.

Enabling a Layer 2 aggregate interface to reflect
incoming packets back
About this task
By default, the device drops a packet if its outgoing interface is the incoming interface where the
packet arrived. To have a Layer 2 aggregate interface reflect a packet back when it is both the
incoming and outgoing interfaces of that packet, perform this task.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Enable port bridging.
port bridge enable
By default, port bridging is disabled. A Layer 2 aggregate interface cannot reflect incoming
packets back.

Enabling link-aggregation traffic redirection


About link-aggregation traffic redirection
This feature operates on dynamic link aggregation groups. It redirects traffic on a Selected port to the
remaining available Selected ports of an aggregation group if one of the following events occurs:
• The port is shut down by using the shutdown command.
• The slot that hosts the port reboots, and the aggregation group spans multiple slots.

NOTE:
The device does not redirect traffic to member ports that become Selected during the traffic
redirection process.

This feature ensures zero packet loss for known unicast traffic, but does not protect unknown unicast
traffic.
You can enable link-aggregation traffic redirection globally or for an aggregation group. Global
link-aggregation traffic redirection settings take effect on all aggregation groups. A link aggregation
group preferentially uses the group-specific link-aggregation traffic redirection settings. If
group-specific link-aggregation traffic redirection is not configured, the group uses the global
link-aggregation traffic redirection settings.

Restrictions and guidelines for link-aggregation traffic redirection
Link-aggregation traffic redirection applies only to dynamic link aggregation groups.
As a best practice, enable link-aggregation traffic redirection on a per-interface basis. If you enable
this feature globally, communication with a third-party peer device might be affected if the peer is not
compatible with this feature.

To prevent traffic interruption, enable link-aggregation traffic redirection at both ends of the
aggregate link.
To prevent packet loss that might occur at a reboot, do not enable the spanning tree feature together
with link-aggregation traffic redirection.
Link-aggregation traffic redirection does not operate correctly on an edge aggregate interface.

Enabling link-aggregation traffic redirection globally


1. Enter system view.
system-view
2. Enable link-aggregation traffic redirection globally.
link-aggregation lacp traffic-redirect-notification enable
By default, link-aggregation traffic redirection is disabled globally.

Enabling link-aggregation traffic redirection for an aggregation group
1. Enter system view.
system-view
2. Enter aggregate interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Enable link-aggregation traffic redirection for the aggregation group.
link-aggregation lacp traffic-redirect-notification enable
By default, link-aggregation traffic redirection is disabled for an aggregation group.

Isolating aggregate interfaces on the device


About this task
Aggregate interface isolation is applicable to dynamic aggregate interfaces when the device acts as a
DR member device in a DR system. It gracefully changes all dynamic aggregate interfaces on the
device to the Unselected state and switches traffic over to their counterpart DR interfaces on the other
DR member device.
Restrictions and guidelines
The aggregate interface isolation feature is available in Release 6635 and later.
This feature takes effect only on dynamic aggregate interfaces. It cannot isolate static aggregate
interfaces or IPPs.
As a best practice, make sure no DR interfaces are in DRNI MAD DOWN state before you isolate
them. If one of the DR interfaces is in DRNI MAD DOWN state when you isolate them, that DR interface
will persist in that state and cannot forward traffic after the isolation is removed.
Procedure
1. Enter system view.
system-view
2. Isolate aggregate interfaces.
link-aggregation lacp isolate
By default, aggregate interfaces are not isolated.

Enabling BFD for an aggregation group


About this task
You can use BFD to monitor member link status in an aggregation group. After you enable BFD on
an aggregate interface, each Selected port in the aggregation group establishes a BFD session with
its peer port. BFD operates differently depending on the aggregation mode.
• BFD on a static aggregation—When BFD detects a link failure, BFD notifies the Ethernet link
aggregation module that the peer port is unreachable. The local port is then placed in
Unselected state. However, the BFD session between the local and peer ports remains, and the
local port keeps sending BFD packets. When BFD on the local port receives packets from the
peer port upon link recovery, BFD notifies the Ethernet link aggregation module that the peer
port is reachable. Then, the local port is placed in Selected state again. This mechanism
ensures that the local and peer ports of a static aggregate link have the same aggregation state.
• BFD on a dynamic aggregation—When BFD detects a link failure, BFD notifies the Ethernet
link aggregation module that the peer port is unreachable. At the same time, BFD clears the
session and stops sending BFD packets. When the local port is placed in Selected state again
upon link recovery, the local port establishes a new session with the peer port and BFD notifies
the Ethernet link aggregation module that the peer port is reachable. Because BFD provides
fast failure detection, the local and peer systems of a dynamic aggregate link can negotiate the
aggregation state of their member ports faster.
For more information about BFD, see High Availability Configuration Guide.
Restrictions and guidelines
When you enable BFD for an aggregation group, follow these restrictions and guidelines:
• Make sure the source and destination IP addresses are reversed between the two ends of an
aggregate link. For example, if you execute link-aggregation bfd ipv4 source
1.1.1.1 destination 2.2.2.2 at the local end, execute link-aggregation bfd
ipv4 source 2.2.2.2 destination 1.1.1.1 at the peer end. The source and
destination IP addresses cannot be the same.
• The BFD parameters configured on an aggregate interface take effect on all BFD sessions
established by the member ports in its aggregation group. BFD on a link aggregation supports
only control packet mode for session establishment and maintenance. The two ends of an
established BFD session can only operate in Asynchronous mode.
• As a best practice, do not configure BFD for any protocols on a BFD-enabled aggregate
interface.
• Make sure the number of member ports in a BFD-enabled aggregation group is less than or
equal to the number of BFD sessions supported by the device. If the aggregation group
contains more member ports than the supported sessions, some Selected ports might change
to the Unselected state.
• If the number of BFD sessions differs between the two ends of an aggregate link, check their
settings for inconsistency in the maximum number of Selected ports. You must make sure the
two ends have the same setting for the maximum number of Selected ports.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Enable BFD for the aggregation group.
link-aggregation bfd ipv4 source ip-address destination ip-address
By default, BFD is disabled for an aggregation group.
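Several restrictions in this chapter require the two ends of an aggregate link to agree: the Selected port limits, the lacp select speed setting, and the reversed BFD addresses described above. The following Python check is an added example, not H3C code: the configuration excerpts are constructed, their layout (interface blocks separated by # lines) is an assumption about how these settings appear in a saved configuration, and the function names are hypothetical.

```python
import re

DEFAULT_MAX_SELECTED = 32  # default stated in this guide

# Constructed configuration excerpts for the two ends of one aggregate link.
LOCAL = """\
#
interface Bridge-Aggregation1
 link-aggregation selected-port minimum 2
 link-aggregation selected-port maximum 4
 lacp select speed
 link-aggregation bfd ipv4 source 1.1.1.1 destination 2.2.2.2
#
interface Bridge-Aggregation2
 link-aggregation selected-port minimum 3
 link-aggregation selected-port maximum 2
 link-aggregation load-sharing mode dynamic spray
#
interface Route-Aggregation1
 link-aggregation load-sharing mode resilient
#
"""
PEER = """\
#
interface Bridge-Aggregation1
 link-aggregation selected-port minimum 2
 link-aggregation selected-port maximum 8
 link-aggregation bfd ipv4 source 1.1.1.1 destination 2.2.2.2
#
"""

def parse(config):
    """Return {aggregate interface name: [command lines]}."""
    groups, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.fullmatch(r"interface ((?:Bridge|Route)-Aggregation\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), [])
        elif line == "#" or line.startswith("interface "):
            current = None  # left the aggregate interface block
        elif current is not None and line:
            current.append(line)
    return groups

def settings(cmds):
    """Extract the settings that the guide requires to be consistent."""
    s = {"min": None, "pct": None, "max": DEFAULT_MAX_SELECTED,
         "bfd": None, "speed": False, "mode": None}
    for c in cmds:
        if m := re.fullmatch(r"link-aggregation selected-port minimum (\d+)", c):
            s["min"] = int(m[1])
        elif m := re.fullmatch(r"link-aggregation selected-port minimum percentage (\d+)", c):
            s["pct"] = int(m[1])
        elif m := re.fullmatch(r"link-aggregation selected-port maximum (\d+)", c):
            s["max"] = int(m[1])
        elif m := re.fullmatch(r"link-aggregation bfd ipv4 source (\S+) destination (\S+)", c):
            s["bfd"] = (m[1], m[2])
        elif c == "lacp select speed":
            s["speed"] = True
        elif m := re.fullmatch(r"link-aggregation load-sharing mode (dynamic|resilient)\b.*", c):
            s["mode"] = m[1]
    return s

def audit(local_cfg, peer_cfg, pairs):
    """pairs lists (local name, peer name) for each aggregate link."""
    ends = {"local": {n: settings(c) for n, c in parse(local_cfg).items()},
            "peer": {n: settings(c) for n, c in parse(peer_cfg).items()}}
    findings = []
    for side, groups in ends.items():
        # Resilient and dynamic load sharing cannot coexist on one device.
        if {"dynamic", "resilient"} <= {s["mode"] for s in groups.values()}:
            findings.append(f"{side}: resilient and dynamic load sharing are both configured")
        for name, s in groups.items():
            if s["min"] is not None and s["max"] < s["min"]:
                findings.append(f"{side} {name}: maximum {s['max']} is below minimum {s['min']}")
    for a, b in pairs:
        loc, rem = ends["local"][a], ends["peer"][b]
        for key, label in (("min", "minimum number"), ("max", "maximum number"),
                           ("pct", "minimum percentage")):
            if loc[key] != rem[key]:
                findings.append(f"{a}: {label} of Selected ports differs ({loc[key]} vs {rem[key]})")
        if loc["speed"] != rem["speed"]:
            findings.append(f"{a}: lacp select speed is set at only one end")
        if loc["bfd"] or rem["bfd"]:
            if not loc["bfd"] or not rem["bfd"] or loc["bfd"] != rem["bfd"][::-1]:
                findings.append(f"{a}: BFD source and destination are not reversed between the ends")
            elif loc["bfd"][0] == loc["bfd"][1]:
                findings.append(f"{a}: BFD source and destination addresses are the same")
    return findings

if __name__ == "__main__":
    for finding in audit(LOCAL, PEER, [("Bridge-Aggregation1", "Bridge-Aggregation1")]):
        print(finding)
```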

Display and maintenance commands for Ethernet link aggregation
Execute display commands in any view and reset commands in user view.

Task: Display information about aggregate interfaces.
Command: display interface [ { bridge-aggregation | route-aggregation } [ interface-number ] ] [ brief [ description | down ] ]

Task: Display the local system ID.
Command: display lacp system-id

Task: Display the global or group-specific link-aggregation load sharing modes.
Command: display link-aggregation load-sharing mode [ interface [ { bridge-aggregation | route-aggregation } interface-number ] ]

Task: Display the outgoing physical interface selected for a traffic flow.
Command: display link-aggregation load-sharing path interface { bridge-aggregation | route-aggregation } interface-number ingress-port interface-type interface-number [ route ] { { destination-ip ip-address | destination-ipv6 ipv6-address } | { source-ip ip-address | source-ipv6 ipv6-address } | destination-mac mac-address | destination-port port-id | ethernet-type type-number | ip-protocol protocol-id | source-mac mac-address | source-port port-id | vlan vlan-id } *

Task: Display detailed link aggregation information about link aggregation member ports.
Command: display link-aggregation member-port [ interface-list | auto ]

Task: Display summary information about all aggregation groups.
Command: display link-aggregation summary

Task: Display the aggregation states of aggregation member ports and the reason why a port was placed in Unselected state.
Command: display link-aggregation troubleshooting [ { bridge-aggregation | route-aggregation } [ interface-number ] ]

Task: Display detailed information about the specified aggregation groups.
Command: display link-aggregation verbose [ { bridge-aggregation | route-aggregation } [ interface-number ] ]

Task: Clear statistics for the specified aggregate interfaces.
Command: reset counters interface [ { bridge-aggregation | route-aggregation } [ interface-number ] ]

Task: Clear LACP statistics for the specified link aggregation member ports.
Command: reset lacp statistics [ interface interface-list ]

Ethernet link aggregation configuration examples


Example: Configuring a Layer 2 static aggregation group
Network configuration
On the network shown in Figure 8, perform the following tasks:
• Configure a Layer 2 static aggregation group on both Device A and Device B.
• Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other
end.
• Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other
end.
Figure 8 Network diagram

[Network diagram: Device A and Device B are connected through ports WGE1/0/1, WGE1/0/2, and WGE1/0/3, which form link aggregation 1 (BAGG1 on each device). On each device, WGE1/0/4 connects to VLAN 10 and WGE1/0/5 connects to VLAN 20.]

Procedure
1. Configure Device A:
# Create VLAN 10, and assign port Twenty-FiveGigE 1/0/4 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port twenty-fivegige 1/0/4
[DeviceA-vlan10] quit
# Create VLAN 20, and assign port Twenty-FiveGigE 1/0/5 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port twenty-fivegige 1/0/5
[DeviceA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] quit
# Assign ports Twenty-FiveGigE 1/0/1 through Twenty-FiveGigE 1/0/3 to link aggregation
group 1.
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port link-aggregation group 1
[DeviceA-Twenty-FiveGigE1/0/1] quit
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] port link-aggregation group 1
[DeviceA-Twenty-FiveGigE1/0/2] quit
[DeviceA] interface twenty-fivegige 1/0/3
[DeviceA-Twenty-FiveGigE1/0/3] port link-aggregation group 1
[DeviceA-Twenty-FiveGigE1/0/3] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLANs 10 and 20.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20
[DeviceA-Bridge-Aggregation1] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None
  Port             Status  Priority Oper-Key
  WGE1/0/1(R)      S       32768    1
  WGE1/0/2         S       32768    1
  WGE1/0/3         S       32768    1

The output shows that link aggregation group 1 is a Layer 2 static aggregation group that contains
three Selected ports.

Example: Configuring a Layer 2 dynamic aggregation group
Network configuration
On the network shown in Figure 9, perform the following tasks:
• Configure a Layer 2 dynamic aggregation group on both Device A and Device B.
• Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other
end.
• Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other
end.
Figure 9 Network diagram
[Diagram: Device A and Device B are connected by link aggregation 1 (WGE1/0/1 through WGE1/0/3, BAGG1 on each device). On each device, WGE1/0/4 connects to VLAN 10 and WGE1/0/5 connects to VLAN 20.]

Procedure
1. Configure Device A:
# Create VLAN 10, and assign the port Twenty-FiveGigE 1/0/4 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port twenty-fivegige 1/0/4
[DeviceA-vlan10] quit
# Create VLAN 20, and assign the port Twenty-FiveGigE 1/0/5 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port twenty-fivegige 1/0/5
[DeviceA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1, and set the link aggregation mode
to dynamic.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation1] quit
# Assign ports Twenty-FiveGigE 1/0/1 through Twenty-FiveGigE 1/0/3 to link aggregation
group 1.
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port link-aggregation group 1
[DeviceA-Twenty-FiveGigE1/0/1] quit
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] port link-aggregation group 1
[DeviceA-Twenty-FiveGigE1/0/2] quit
[DeviceA] interface twenty-fivegige 1/0/3
[DeviceA-Twenty-FiveGigE1/0/3] port link-aggregation group 1
[DeviceA-Twenty-FiveGigE1/0/3] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLANs 10 and 20.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20
[DeviceA-Bridge-Aggregation1] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1


Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Index Oper-Key Flag
WGE1/0/1(R) S 32768 11 1 {ACDEF}
WGE1/0/2 S 32768 12 1 {ACDEF}
WGE1/0/3 S 32768 13 1 {ACDEF}
Remote:
Actor Priority Index Oper-Key SystemID Flag
WGE1/0/1 32768 81 1 0x8000, 000f-e267-57ad {ACDEF}
WGE1/0/2 32768 82 1 0x8000, 000f-e267-57ad {ACDEF}
WGE1/0/3 32768 83 1 0x8000, 000f-e267-57ad {ACDEF}

The output shows that link aggregation group 1 is a Layer 2 dynamic aggregation group that contains
three Selected ports.

Example: Configuring Layer 2 aggregation load sharing


Network configuration
On the network shown in Figure 10, perform the following tasks:
• Configure Layer 2 static aggregation groups 1 and 2 on Device A and Device B, respectively.
• Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other
end.
• Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other
end.
• Configure link aggregation groups 1 and 2 to load share traffic across aggregation group
member ports.
  - Configure link aggregation group 1 to load share packets based on source MAC addresses.
  - Configure link aggregation group 2 to load share packets based on destination MAC
    addresses.
Figure 10 Network diagram
[Diagram: Device A and Device B are connected by link aggregation 1 (WGE1/0/1 and WGE1/0/2, BAGG1 on each device) and link aggregation 2 (WGE1/0/3 and WGE1/0/4, BAGG2 on each device). On each device, WGE1/0/5 connects to VLAN 10 and WGE1/0/6 connects to VLAN 20.]

Procedure
1. Configure Device A:
# Create VLAN 10, and assign the port Twenty-FiveGigE 1/0/5 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port twenty-fivegige 1/0/5
[DeviceA-vlan10] quit
# Create VLAN 20, and assign the port Twenty-FiveGigE 1/0/6 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port twenty-fivegige 1/0/6
[DeviceA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1.
[DeviceA] interface bridge-aggregation 1
# Configure Layer 2 aggregation group 1 to load share packets based on source MAC
addresses.
[DeviceA-Bridge-Aggregation1] link-aggregation load-sharing mode source-mac
[DeviceA-Bridge-Aggregation1] quit
# Assign ports Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 to link aggregation group 1.
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port link-aggregation group 1
[DeviceA-Twenty-FiveGigE1/0/1] quit
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] port link-aggregation group 1
[DeviceA-Twenty-FiveGigE1/0/2] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLAN 10.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10
[DeviceA-Bridge-Aggregation1] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 2.
[DeviceA] interface bridge-aggregation 2
# Configure Layer 2 aggregation group 2 to load share packets based on destination MAC
addresses.
[DeviceA-Bridge-Aggregation2] link-aggregation load-sharing mode destination-mac
[DeviceA-Bridge-Aggregation2] quit
# Assign ports Twenty-FiveGigE 1/0/3 and Twenty-FiveGigE 1/0/4 to link aggregation group 2.
[DeviceA] interface twenty-fivegige 1/0/3
[DeviceA-Twenty-FiveGigE1/0/3] port link-aggregation group 2
[DeviceA-Twenty-FiveGigE1/0/3] quit
[DeviceA] interface twenty-fivegige 1/0/4
[DeviceA-Twenty-FiveGigE1/0/4] port link-aggregation group 2
[DeviceA-Twenty-FiveGigE1/0/4] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 2 as a trunk port and assign it to
VLAN 20.
[DeviceA] interface bridge-aggregation 2
[DeviceA-Bridge-Aggregation2] port link-type trunk
[DeviceA-Bridge-Aggregation2] port trunk permit vlan 20
[DeviceA-Bridge-Aggregation2] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1


Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None
Port Status Priority Oper-Key
WGE1/0/1(R) S 32768 1
WGE1/0/2 S 32768 1

Aggregate Interface: Bridge-Aggregation2


Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None
Port Status Priority Oper-Key
WGE1/0/3(R) S 32768 2
WGE1/0/4 S 32768 2

The output shows that:


• Link aggregation groups 1 and 2 are both load-shared Layer 2 static aggregation groups.
• Each aggregation group contains two Selected ports.
# (Release 6607.) Display all the group-specific load sharing modes on Device A.
[DeviceA] display link-aggregation load-sharing mode interface
Bridge-Aggregation1 Load-Sharing Mode:
source-mac address

Bridge-Aggregation2 Load-Sharing Mode:
destination-mac address

# (Release 6616 and later.) Display all the group-specific load sharing modes on Device A.
[DeviceA] display link-aggregation load-sharing mode interface
The dynamic load sharing mode takes effect if it exists.
Route-Aggregation1 load-sharing mode:
Dynamic:
N/A
Static:
source-mac address

The dynamic load sharing mode takes effect if it exists.
Route-Aggregation2 load-sharing mode:
Dynamic:
N/A
Static:
destination-mac address

The output shows that:


• Link aggregation group 1 distributes packets based on source MAC addresses.
• Link aggregation group 2 distributes packets based on destination MAC addresses.

Example: Configuring a Layer 2 edge aggregate interface


Network configuration
As shown in Figure 11, a Layer 2 dynamic aggregation group is configured on the device. The server
is not configured with dynamic link aggregation.
Configure an edge aggregate interface so that both Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE
1/0/2 can forward traffic to improve link reliability.
Figure 11 Network diagram
[Diagram: Device connects to Server through link aggregation 1 (WGE1/0/1 and WGE1/0/2 on Device, BAGG1 at each end).]

Procedure
# Create Layer 2 aggregate interface Bridge-Aggregation 1, and set the link aggregation mode to
dynamic.
<Device> system-view
[Device] interface bridge-aggregation 1
[Device-Bridge-Aggregation1] link-aggregation mode dynamic

# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as an edge aggregate interface.
[Device-Bridge-Aggregation1] lacp edge-port
[Device-Bridge-Aggregation1] quit

# Assign ports Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 to link aggregation group 1.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] port link-aggregation group 1
[Device-Twenty-FiveGigE1/0/1] quit
[Device] interface twenty-fivegige 1/0/2
[Device-Twenty-FiveGigE1/0/2] port link-aggregation group 1
[Device-Twenty-FiveGigE1/0/2] quit

Verifying the configuration


# Display detailed information about all aggregation groups on the device when the server is not
configured with dynamic link aggregation.
[Device] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1


Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Index Oper-Key Flag
WGE1/0/1 I 32768 11 1 {AG}
WGE1/0/2 I 32768 12 1 {AG}

Remote:
Actor Priority Index Oper-Key SystemID Flag
WGE1/0/1 32768 81 0 0x8000, 0000-0000-0000 {DEF}
WGE1/0/2 32768 82 0 0x8000, 0000-0000-0000 {DEF}

The output shows that Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 are in Individual state
when they do not receive LACPDUs from the server. Both Twenty-FiveGigE 1/0/1 and
Twenty-FiveGigE 1/0/2 can forward traffic. When one port fails, its traffic is automatically switched to
the other port.

Example: Configuring a Layer 3 static aggregation group
Network configuration
On the network shown in Figure 12, perform the following tasks:
• Configure a Layer 3 static aggregation group on both Device A and Device B.
• Configure IP addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.
Figure 12 Network diagram
[Diagram: Device A (RAGG1, 192.168.1.1/24) and Device B (RAGG1, 192.168.1.2/24) are connected by link aggregation 1 (WGE1/0/1 through WGE1/0/3 on each device).]

Procedure
1. Configure Device A:
# Create Layer 3 aggregate interface Route-Aggregation 1, and configure an IP address and
subnet mask for the aggregate interface.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces Twenty-FiveGigE 1/0/1 through Twenty-FiveGigE 1/0/3 to
aggregation group 1.
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port link-aggregation group 1
[DeviceA-Twenty-FiveGigE1/0/1] quit
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] port link-aggregation group 1
[DeviceA-Twenty-FiveGigE1/0/2] quit
[DeviceA] interface twenty-fivegige 1/0/3
[DeviceA-Twenty-FiveGigE1/0/3] port link-aggregation group 1
[DeviceA-Twenty-FiveGigE1/0/3] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Route-Aggregation1


Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None
Port Status Priority Oper-Key
WGE1/0/1(R) S 32768 1
WGE1/0/2 S 32768 1
WGE1/0/3 S 32768 1

The output shows that link aggregation group 1 is a Layer 3 static aggregation group that contains
three Selected ports.

Example: Configuring a Layer 3 dynamic aggregation group


Network configuration
On the network shown in Figure 13, perform the following tasks:
• Configure a Layer 3 dynamic aggregation group on both Device A and Device B.
• Configure IP addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.
Figure 13 Network diagram
[Diagram: Device A (RAGG1, 192.168.1.1/24) and Device B (RAGG1, 192.168.1.2/24) are connected by link aggregation 1 (WGE1/0/1 through WGE1/0/3 on each device).]

Procedure
1. Configure Device A:
# Create Layer 3 aggregate interface Route-Aggregation 1.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
# Set the link aggregation mode to dynamic.
[DeviceA-Route-Aggregation1] link-aggregation mode dynamic
# Configure an IP address and subnet mask for Route-Aggregation 1.
[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces Twenty-FiveGigE 1/0/1 through Twenty-FiveGigE 1/0/3 to
aggregation group 1.
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port link-aggregation group 1
[DeviceA-Twenty-FiveGigE1/0/1] quit
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] port link-aggregation group 1
[DeviceA-Twenty-FiveGigE1/0/2] quit
[DeviceA] interface twenty-fivegige 1/0/3
[DeviceA-Twenty-FiveGigE1/0/3] port link-aggregation group 1
[DeviceA-Twenty-FiveGigE1/0/3] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Route-Aggregation1


Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Index Oper-Key Flag
WGE1/0/1(R) S 32768 11 1 {ACDEF}
WGE1/0/2 S 32768 12 1 {ACDEF}
WGE1/0/3 S 32768 13 1 {ACDEF}
Remote:
Actor Priority Index Oper-Key SystemID Flag
WGE1/0/1 32768 81 1 0x8000, 000f-e267-57ad {ACDEF}
WGE1/0/2 32768 82 1 0x8000, 000f-e267-57ad {ACDEF}
WGE1/0/3 32768 83 1 0x8000, 000f-e267-57ad {ACDEF}

The output shows that link aggregation group 1 is a Layer 3 dynamic aggregation group that contains
three Selected ports.

Example: Configuring Layer 3 aggregation load sharing


Network configuration
On the network shown in Figure 14, perform the following tasks:
• Configure Layer 3 static aggregation groups 1 and 2 on Device A and Device B, respectively.
• Configure IP addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.
• Configure link aggregation group 1 to load share packets based on source IP addresses.
• Configure link aggregation group 2 to load share packets based on destination IP addresses.
Figure 14 Network diagram
[Diagram: Device A and Device B are connected by link aggregation 1 (WGE1/0/1 and WGE1/0/2; RAGG1, 192.168.1.1/24 on Device A and 192.168.1.2/24 on Device B) and link aggregation 2 (WGE1/0/3 and WGE1/0/4; RAGG2, 192.168.2.1/24 on Device A and 192.168.2.2/24 on Device B).]

Procedure
1. Configure Device A:
# Create Layer 3 aggregate interface Route-Aggregation 1.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
# Configure Layer 3 aggregation group 1 to load share packets based on source IP addresses.
[DeviceA-Route-Aggregation1] link-aggregation load-sharing mode source-ip
# Configure an IP address and subnet mask for Layer 3 aggregate interface Route-Aggregation
1.
[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 to
aggregation group 1.
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port link-aggregation group 1
[DeviceA-Twenty-FiveGigE1/0/1] quit
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] port link-aggregation group 1
[DeviceA-Twenty-FiveGigE1/0/2] quit
# Create Layer 3 aggregate interface Route-Aggregation 2.
[DeviceA] interface route-aggregation 2
# Configure Layer 3 aggregation group 2 to load share packets based on destination IP
addresses.
[DeviceA-Route-Aggregation2] link-aggregation load-sharing mode destination-ip
# Configure an IP address and subnet mask for Layer 3 aggregate interface Route-Aggregation
2.
[DeviceA-Route-Aggregation2] ip address 192.168.2.1 24
[DeviceA-Route-Aggregation2] quit
# Assign Layer 3 Ethernet interfaces Twenty-FiveGigE 1/0/3 and Twenty-FiveGigE 1/0/4 to
aggregation group 2.
[DeviceA] interface twenty-fivegige 1/0/3
[DeviceA-Twenty-FiveGigE1/0/3] port link-aggregation group 2
[DeviceA-Twenty-FiveGigE1/0/3] quit
[DeviceA] interface twenty-fivegige 1/0/4
[DeviceA-Twenty-FiveGigE1/0/4] port link-aggregation group 2
[DeviceA-Twenty-FiveGigE1/0/4] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Route-Aggregation1


Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None
Port Status Priority Oper-Key
WGE1/0/1(R) S 32768 1
WGE1/0/2 S 32768 1

Aggregate Interface: Route-Aggregation2
Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None
Port Status Priority Oper-Key
WGE1/0/3(R) S 32768 2
WGE1/0/4 S 32768 2

The output shows that:


• Link aggregation groups 1 and 2 are both load-shared Layer 3 static aggregation groups.
• Each aggregation group contains two Selected ports.
# (Release 6607.) Display all the group-specific load sharing modes on Device A.
[DeviceA] display link-aggregation load-sharing mode interface
Route-Aggregation1 Load-Sharing Mode:
source-ip address

Route-Aggregation2 Load-Sharing Mode:
destination-ip address

# (Release 6616 and later.) Display all the group-specific load sharing modes on Device A.
[DeviceA] display link-aggregation load-sharing mode interface
The dynamic load sharing mode takes effect if it exists.
Route-Aggregation1 load-sharing mode:
Dynamic:
N/A
Static:
source-ip address

The dynamic load sharing mode takes effect if it exists.
Route-Aggregation2 load-sharing mode:
Dynamic:
N/A
Static:
destination-ip address

The output shows that:


• Link aggregation group 1 distributes packets based on source IP addresses.
• Link aggregation group 2 distributes packets based on destination IP addresses.

Example: Configuring S-MLAG


Network configuration
Device B, Device C, and Device D are standalone devices. As shown in Figure 15, configure Device
B, Device C, and Device D as S-MLAG devices to establish a multidevice aggregate link with Device
A.

Figure 15 Network diagram
[Diagram: Ports WGE1/0/1, WGE1/0/2, and WGE1/0/3 on Device A (aggregate interface BAGG) connect to port WGE1/0/1 on Device B, Device C, and Device D.]

Procedure
1. Configure Device A:
# Create Layer 2 aggregate interface Bridge-Aggregation 10, and set the link aggregation mode
to dynamic.
<DeviceA> system-view
[DeviceA] interface bridge-aggregation 10
[DeviceA-Bridge-Aggregation10] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation10] quit
# Assign Twenty-FiveGigE 1/0/1 through Twenty-FiveGigE 1/0/3 to aggregation group 10.
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port link-aggregation group 10
[DeviceA-Twenty-FiveGigE1/0/1] quit
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] port link-aggregation group 10
[DeviceA-Twenty-FiveGigE1/0/2] quit
[DeviceA] interface twenty-fivegige 1/0/3
[DeviceA-Twenty-FiveGigE1/0/3] port link-aggregation group 10
[DeviceA-Twenty-FiveGigE1/0/3] quit
2. Configure Device B:
# Set the LACP system MAC address to 0001-0001-0001.
<DeviceB> system-view
[DeviceB] lacp system-mac 1-1-1
# Set the LACP system priority to 123.
[DeviceB] lacp system-priority 123
# Set the LACP system number to 1.
[DeviceB] lacp system-number 1
# Create Layer 2 aggregate interface Bridge-Aggregation 2, and set the link aggregation mode
to dynamic.
[DeviceB] interface bridge-aggregation 2
[DeviceB-Bridge-Aggregation2] link-aggregation mode dynamic
# Assign Bridge-Aggregation 2 to S-MLAG group 100.
[DeviceB-Bridge-Aggregation2] port s-mlag group 100
[DeviceB-Bridge-Aggregation2] quit
# Assign Twenty-FiveGigE 1/0/1 to aggregation group 2.
[DeviceB] interface twenty-fivegige 1/0/1
[DeviceB-Twenty-FiveGigE1/0/1] port link-aggregation group 2
[DeviceB-Twenty-FiveGigE1/0/1] quit
3. Configure Device C:
# Set the LACP system MAC address to 0001-0001-0001.
<DeviceC> system-view
[DeviceC] lacp system-mac 1-1-1
# Set the LACP system priority to 123.
[DeviceC] lacp system-priority 123
# Set the LACP system number to 2.
[DeviceC] lacp system-number 2
# Create Layer 2 aggregate interface Bridge-Aggregation 3, and set the link aggregation mode
to dynamic.
[DeviceC] interface bridge-aggregation 3
[DeviceC-Bridge-Aggregation3] link-aggregation mode dynamic
# Assign Bridge-Aggregation 3 to S-MLAG group 100.
[DeviceC-Bridge-Aggregation3] port s-mlag group 100
[DeviceC-Bridge-Aggregation3] quit
# Assign Twenty-FiveGigE 1/0/1 to aggregation group 3.
[DeviceC] interface twenty-fivegige 1/0/1
[DeviceC-Twenty-FiveGigE1/0/1] port link-aggregation group 3
[DeviceC-Twenty-FiveGigE1/0/1] quit
4. Configure Device D:
# Set the LACP system MAC address to 0001-0001-0001.
<DeviceD> system-view
[DeviceD] lacp system-mac 1-1-1
# Set the LACP system priority to 123.
[DeviceD] lacp system-priority 123
# Set the LACP system number to 3.
[DeviceD] lacp system-number 3
# Create Layer 2 aggregate interface Bridge-Aggregation 4, and set the link aggregation mode
to dynamic.
[DeviceD] interface bridge-aggregation 4
[DeviceD-Bridge-Aggregation4] link-aggregation mode dynamic
# Assign Bridge-Aggregation 4 to S-MLAG group 100.
[DeviceD-Bridge-Aggregation4] port s-mlag group 100
[DeviceD-Bridge-Aggregation4] quit
# Assign Twenty-FiveGigE 1/0/1 to aggregation group 4.
[DeviceD] interface twenty-fivegige 1/0/1
[DeviceD-Twenty-FiveGigE1/0/1] port link-aggregation group 4
[DeviceD-Twenty-FiveGigE1/0/1] quit

Verifying the configuration


# Verify that Twenty-FiveGigE 1/0/1 through Twenty-FiveGigE 1/0/3 on Device A are Selected ports.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation10
Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, 40fa-264f-0100
Local:
Port Status Priority Index Oper-Key Flag
WGE1/0/1(R) S 32768 1 1 {ACDEF}
WGE1/0/2 S 32768 2 1 {ACDEF}
WGE1/0/3 S 32768 3 1 {ACDEF}
Remote:
Actor Priority Index Oper-Key SystemID Flag
WGE1/0/1 32768 16385 50100 0x7b , 0001-0001-0001 {ACDEF}
WGE1/0/2 32768 32769 50100 0x7b , 0001-0001-0001 {ACDEF}
WGE1/0/3 32768 49153 50100 0x7b , 0001-0001-0001 {ACDEF}
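
The verification steps in the aggregation examples above can be automated. The following Python script is an added example, not part of the H3C guide: it parses display link-aggregation verbose text, reports member ports that are not Selected (Individual ports are accepted only on groups listed as edge aggregate interfaces), and reports member ports whose LACP partner system ID is not the expected one. The function names, the edge_groups and expected_partner parameters, and the altered partner ID in MISCABLED are assumptions made for illustration.

```python
"""Audit 'display link-aggregation verbose' text (added example, not H3C code)."""
import re
from dataclasses import dataclass, field

PORT = r"(?P<port>[A-Za-z-]+\d+(?:/\d+)+)"
# Local rows: Port Status Priority [Index] Oper-Key [Flag]. Static groups print
# neither Index nor Flag; dynamic groups print both.
LOCAL_RE = re.compile(
    PORT + r"(?:\(R\))?\s+(?P<status>[SUI])\s+\d+\s+(?:\d+\s+)?\d+"
    r"(?:\s+\{(?P<flags>[A-H]*)\})?$")
# Remote rows: Actor Priority Index Oper-Key SystemID Flag.
REMOTE_RE = re.compile(
    PORT + r"\s+\d+\s+\d+\s+\d+\s+(?P<prio>0x[0-9a-f]+)\s*,\s*"
    r"(?P<mac>[0-9a-f]{4}(?:-[0-9a-f]{4}){2})\s+\{[A-H]*\}$", re.I)


@dataclass
class Group:
    name: str
    mode: str = ""
    local: dict = field(default_factory=dict)   # port -> (status, flags)
    remote: dict = field(default_factory=dict)  # port -> partner system ID


def parse_verbose(text):
    """Split the output into aggregation groups and their member-port rows."""
    groups, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("Aggregate Interface:"):
            cur = Group(line.split(":", 1)[1].strip())
            groups.append(cur)
        elif cur is None:
            continue  # legend lines printed before the first group
        elif line.startswith("Aggregation Mode:"):
            cur.mode = line.split(":", 1)[1].strip()
        elif m := LOCAL_RE.match(line):
            cur.local[m["port"]] = (m["status"], m["flags"] or "")
        elif m := REMOTE_RE.match(line):
            cur.remote[m["port"]] = f"{m['prio'].lower()}, {m['mac'].lower()}"
    return groups


def audit(text, edge_groups=(), expected_partner=None):
    """Return a list of findings; an empty list means nothing unexpected.

    edge_groups: aggregate interfaces configured with 'lacp edge-port', where
    Individual member ports are the intended state.
    expected_partner: {aggregate interface: "0xPRIO, xxxx-xxxx-xxxx"}.
    """
    findings = []
    for g in parse_verbose(text):
        for port, (status, flags) in g.local.items():
            if status == "S" or (status == "I" and g.name in edge_groups):
                continue
            # Flag G (Defaulted): the port has no partner data from LACPDUs.
            why = "no LACPDUs from partner" if "G" in flags else "check peer"
            findings.append(f"{g.name} {port}: status {status} ({why})")
        want = (expected_partner or {}).get(g.name)
        seen = sorted(set(g.remote.values()))
        if want is not None:
            findings += [f"{g.name} {port}: partner {sid}, expected {want}"
                         for port, sid in g.remote.items() if sid != want]
        elif len(seen) > 1:
            findings.append(f"{g.name}: ports see different partners {seen}")
    return findings


# Rows copied from the S-MLAG verification output above (header abridged).
SMLAG_OUTPUT = """\
Aggregate Interface: Bridge-Aggregation10
Aggregation Mode: Dynamic
System ID: 0x8000, 40fa-264f-0100
Local:
Port Status Priority Index Oper-Key Flag
WGE1/0/1(R) S 32768 1 1 {ACDEF}
WGE1/0/2 S 32768 2 1 {ACDEF}
WGE1/0/3 S 32768 3 1 {ACDEF}
Remote:
Actor Priority Index Oper-Key SystemID Flag
WGE1/0/1 32768 16385 50100 0x7b , 0001-0001-0001 {ACDEF}
WGE1/0/2 32768 32769 50100 0x7b , 0001-0001-0001 {ACDEF}
WGE1/0/3 32768 49153 50100 0x7b , 0001-0001-0001 {ACDEF}
"""
# Constructed: WGE1/0/3 answers with a different, made-up partner system ID.
MISCABLED = SMLAG_OUTPUT.replace(
    "49153 50100 0x7b , 0001-0001-0001", "49153 50100 0x8000, 0002-0002-0002")
# Rows copied from the edge aggregate interface output above (header abridged).
EDGE_OUTPUT = """\
Aggregate Interface: Bridge-Aggregation1
Aggregation Mode: Dynamic
Local:
WGE1/0/1 I 32768 11 1 {AG}
WGE1/0/2 I 32768 12 1 {AG}
Remote:
WGE1/0/1 32768 81 0 0x8000, 0000-0000-0000 {DEF}
WGE1/0/2 32768 82 0 0x8000, 0000-0000-0000 {DEF}
"""
# From 'lacp system-priority 123' and 'lacp system-mac 1-1-1' on Devices B-D.
SMLAG_PARTNER = {"Bridge-Aggregation10": f"{123:#x}, 0001-0001-0001"}

if __name__ == "__main__":
    print(audit(SMLAG_OUTPUT, expected_partner=SMLAG_PARTNER))
    print(audit(MISCABLED, expected_partner=SMLAG_PARTNER))
    print(audit(EDGE_OUTPUT))
    print(audit(EDGE_OUTPUT, edge_groups={"Bridge-Aggregation1"}))
```

The expected partner ID for the S-MLAG group is derived from the LACP system priority (123, shown as 0x7b) and the LACP system MAC address configured on Device B, Device C, and Device D.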

Contents
Configuring DRNI··························································································· 1
About DRNI ························································································································································ 1
DRNI network model ·································································································································· 1
DRCP ························································································································································· 2
Keepalive and failover mechanism ············································································································ 2
MAD mechanism ········································································································································ 3
Device role calculation ······························································································································· 3
DRNI MAD DOWN state persistence ········································································································· 3
DR system setup process ·························································································································· 4
DRNI standalone mode ······························································································································ 4
Configuration consistency check················································································································ 5
DRNI sequence number check ·················································································································· 7
DRNI packet authentication ······················································································································· 7
DRNI failure handling mechanisms ············································································································ 8
Mechanisms to handle concurrent IPL and keepalive link failures··························································· 10
Protocols and standards ·························································································································· 12
Restrictions and guidelines: DRNI configuration ······························································································ 12
Software version requirements ················································································································ 12
DRNI configuration ··································································································································· 12
Compatibility with other features ·············································································································· 14
DRNI tasks at a glance ···································································································································· 16
Configuring DR system settings ······················································································································· 17
Configuring the DR system MAC address ······························································································· 17
Setting the DR system number ················································································································ 17
Setting the DR system priority·················································································································· 18
Setting the DR role priority of the device·········································································································· 18
Enabling DRNI standalone mode on a DR member device ············································································· 19
Configuring DR keepalive settings ··················································································································· 20
Restrictions and guidelines for configuring DR keepalive settings··························································· 20
Configuring DR keepalive packet parameters·························································································· 20
Setting the DR keepalive interval and timeout timer ················································································ 20
Configuring DRNI MAD ···································································································································· 21
About this task·········································································································································· 21
Configuring the default DRNI MAD action on network interfaces ···························································· 22
Excluding an interface from the shutdown action by DRNI MAD ····························································· 22
Excluding all logical interfaces from the shutdown action by DRNI MAD ················································ 23
Specifying interfaces to be shut down by DRNI MAD when the DR system splits··································· 23
Enabling DRNI MAD DOWN state persistence ························································································ 24
Configuring a DR interface
Specifying a Layer 2 aggregate interface or VXLAN tunnel interface as the IPP
Enabling the IPP to retain MAC address entries for down single-homed devices
Assigning a DRNI virtual IP address to an interface
Setting the mode of configuration consistency check
Disabling configuration consistency check
Enabling the short DRCP timeout timer on the IPP or a DR interface
Setting the keepalive hold timer for identifying the cause of IPL down events
Configuring DR system auto-recovery
Setting the data restoration interval
Enabling DRNI sequence number check
Enabling DRNI packet authentication
Displaying and maintaining DRNI
DRNI configuration examples
Example: Configuring basic DRNI functions
Example: Configuring Layer 3 gateways on a DR system
Example: Configuring IPv4 and IPv6 VLAN gateways on a DR system

Configuring DRNI
About DRNI
Distributed Resilient Network Interconnect (DRNI) virtualizes two physical devices into one system
through multichassis link aggregation.

DRNI network model


As shown in Figure 1, DRNI virtualizes two devices into a distributed-relay (DR) system, which
connects to the remote aggregation system through a multichassis aggregate link. To the remote
aggregation system, the DR system is one device.
Figure 1 DRNI network model
[Figure not reproduced. Labels: IP network; DR system made up of Device A (DR 1) and Device B (DR 2); IPP on each device joined by the IPL; keepalive link; BAGG1 and BAGG2 (DR interfaces); BAGG on Device C.]

The DR member devices are DR peers to each other. For features that require centralized traffic
processing (for example, spanning tree), a DR member device is assigned the primary or secondary
role based on its DR role priority. The secondary DR member device passes the traffic of those
features to the primary DR member device for processing. If the DR member devices in a DR system
have the same DR role priority, the device with the lower bridge MAC address is assigned the
primary role.
DRNI defines the following interface roles for each DR member device:
• DR interface—Layer 2 aggregate interface connected to the remote aggregation system. DR
interfaces connected to the same remote aggregation system belong to one DR group. In
Figure 1, Bridge-Aggregation 1 on Device A and Bridge-Aggregation 2 on Device B belong to
the same DR group. DR interfaces in a DR group form a multichassis aggregate link.

• Intra-portal port (IPP)—Interface connected to the DR peer for internal control. Each DR
member device has only one IPP. The IPPs of the DR member devices transmit DRNI protocol
packets and data packets through the intra-portal link (IPL) established between them. A DR
system has only one IPL.
DR member devices use a keepalive link to monitor each other's state. For more information about
the keepalive mechanism, see "Keepalive and failover mechanism."
If a device is attached to only one of the DR member devices in a DR system, that device is a
single-homed device.

DRCP
DRNI uses IEEE P802.1AX Distributed Relay Control Protocol (DRCP) for multichassis link
aggregation. DRCP runs on the IPL and uses distributed relay control protocol data units (DRCPDUs)
to advertise the DRNI configuration out of IPPs and DR interfaces.
DRCP operating mechanism
DRNI-enabled devices use DRCPDUs for the following purposes:
• Exchange DRCPDUs through DR interfaces to determine whether they can form a DR system.
• Exchange DRCPDUs through IPPs to negotiate the IPL state.
DRCP timeout timers
DRCP uses a timeout mechanism to specify the amount of time that an IPP or DR interface must wait
to receive DRCPDUs before it determines that the peer interface is down. This timeout mechanism
provides the following timer options:
• Short DRCP timeout timer, which is fixed at 3 seconds. If this timer is used, the peer interface
sends one DRCPDU every second.
• Long DRCP timeout timer, which is fixed at 90 seconds. If this timer is used, the peer interface
sends one DRCPDU every 30 seconds.
The short DRCP timeout timer enables the DR member devices to detect a peer interface down event
more quickly than the long DRCP timeout timer. However, this benefit comes at the expense of
bandwidth and system resources.

Keepalive and failover mechanism


For the secondary DR member device to monitor the state of the primary device, you must establish
a Layer 3 keepalive link between the DR member devices.
The DR member devices periodically send keepalive packets over the keepalive link. If a DR
member device has not received keepalive packets from the peer when the keepalive timeout timer
expires, it determines that the keepalive link is down. When both the keepalive link and the IPL are
down, a DR member device acts depending on its role.
• If its role is primary, the device retains its role as long as it has up DR interfaces. If all its DR
interfaces are down, its role becomes None.
• If its role is secondary, the device takes over the primary role and retains the role as long as it
has up DR interfaces. If all its DR interfaces are down, its role becomes None.
A device with the None role cannot send or receive keepalive packets. Its keepalive link stays in the
down state.
If the keepalive link is down while the IPL is up, the DR member devices prompt you to check for
keepalive link issues.
If the keepalive link is up while the IPL is down, the DR member devices elect a primary device based
on the information in the keepalive packets.

MAD mechanism
A multi-active collision occurs if the IPL goes down while the keepalive link is up. To avoid network
issues, DRNI MAD shuts down all network interfaces on the secondary DR member device except
those manually or automatically excluded.
When the IPL comes up, the secondary DR member device starts a delay timer and begins to restore
table entries (including MAC address entries and ARP entries) from the primary DR member device.
When the delay timer expires, the secondary DR member device brings up all network interfaces
placed in DRNI MAD DOWN state.

Device role calculation


The role of a DR member device can be primary, secondary, or none.
DRNI uses the following process to determine the role of each DR member device:
1. Initially, each DR member device is assigned the none role when it joins a DR system or
reboots with DRNI configuration.
2. If the IPL is up, the DR member devices exchange DRCPDUs over the IPL to determine which
of them takes the primary role.
a. Device roles before calculation. If one device already has the primary role, the primary
device retains its role.
b. DRNI MAD DOWN state. If one device has not placed any network interfaces in DRNI MAD
DOWN state, it becomes the primary device.
c. Health state. The healthier device takes the primary role.
d. DR role priority. The device with higher DR role priority takes the primary role.
e. Bridge MAC address. The device with a lower bridge MAC address takes the primary role.
The device that has failed the election takes the secondary role if it has DR interfaces in up
state. If the device does not have DR interfaces in up state, its role is none.
3. If the IPL is down, each DR member device examines the availability of its local DR
interfaces.
   ◦ A DR member device changes its role to none if all its local DR interfaces are down.
   ◦ A DR member device does not change its role if it has a minimum of one DR interface in up
   state.
4. If the keepalive link is up, the DR member devices exchange keepalive packets over the link to
determine their roles.
   ◦ If the role of one DR member device is none, the other DR member device retains its
   primary role or changes its role from secondary to primary.
   ◦ If neither of them has the none role, the DR member devices negotiate their roles as they do
   on the IPL.
5. If both the IPL and the keepalive link are down, a DR member device takes the primary role if it
has available DR interfaces.
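The role calculation above, as an added Python model (not H3C code): `calculate_roles` applies steps 2 through 5 to two members and reports which criterion decided the election. The `Member` fields and the numeric encodings of health state and DR role priority (the smaller number wins) are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Member:
    name: str
    role: str            # role before calculation: "primary", "secondary" or "none"
    mad_down: bool       # True if any network interface is in DRNI MAD DOWN state
    health: int          # assumption: smaller number = healthier device
    role_priority: int   # assumption: smaller number = higher DR role priority
    bridge_mac: str
    dr_up: bool          # True if at least one local DR interface is up


def mac_value(mac: str) -> int:
    """Turn a MAC such as 00e0-fc00-0001 or 00:e0:fc:00:00:01 into an integer."""
    digits = "".join(c for c in mac if c in "0123456789abcdefABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def elect(a: Member, b: Member) -> tuple[str, str]:
    """Steps 2a-2e: return (winner name, criterion that decided the election)."""
    criteria = [
        ("existing primary role", lambda m: m.role != "primary"),
        ("DRNI MAD DOWN state", lambda m: m.mad_down),
        ("health state", lambda m: m.health),
        ("DR role priority", lambda m: m.role_priority),
        ("bridge MAC address", lambda m: mac_value(m.bridge_mac)),
    ]
    for label, key in criteria:
        if key(a) != key(b):          # first criterion on which the peers differ
            return (a.name if key(a) < key(b) else b.name), label
    raise ValueError("identical bridge MAC addresses: election cannot be decided")


def calculate_roles(a: Member, b: Member, ipl_up: bool, keepalive_up: bool):
    """Return ({device name: role}, reason) following steps 2-5 of the page."""
    if not ipl_up:
        # Step 3: a device whose local DR interfaces are all down drops to none.
        a = a if a.dr_up else replace(a, role="none")
        b = b if b.dr_up else replace(b, role="none")
        if not keepalive_up:
            # Step 5: no channel to the peer; any device with an up DR interface is primary.
            roles = {m.name: "primary" if m.dr_up else "none" for m in (a, b)}
            return roles, "IPL and keepalive link both down"
        if "none" in (a.role, b.role):
            # Step 4, first case: the peer of a none-role device holds the primary role.
            roles = {m.name: "none" if m.role == "none" else "primary" for m in (a, b)}
            return roles, "peer has the none role"
    # Step 2 (IPL up) or step 4, second case (negotiation over the keepalive link).
    winner, reason = elect(a, b)
    roles = {}
    for m in (a, b):
        if m.name == winner:
            roles[m.name] = "primary"
        else:
            roles[m.name] = "secondary" if m.dr_up else "none"
    return roles, reason


if __name__ == "__main__":
    # Constructed sample: two freshly booted members that differ only in bridge MAC.
    dev_a = Member("Device A", "none", False, 0, 100, "00e0-fc00-0001", True)
    dev_b = Member("Device B", "none", False, 0, 100, "00e0-fc00-0002", True)
    print(calculate_roles(dev_a, dev_b, ipl_up=True, keepalive_up=True))
```

With both links down the model returns the primary role for both members, which is the multi-active situation that DRNI MAD DOWN state persistence and DRNI standalone mode are meant to contain.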

DRNI MAD DOWN state persistence


Both of the DR member devices might take the primary role if both of them have DR interfaces in up
state after the following series of events occur:
1. The IPL goes down while the keepalive link is up. Then, DRNI MAD shuts down all network
interfaces on the secondary DR member device except those excluded from the shutdown
action by DRNI MAD.

2. The keepalive link also goes down. Then, the secondary DR member device brings up the
network interfaces in DRNI MAD DOWN state and sets its role to primary.
DRNI MAD DOWN state persistence helps avoid the forwarding issues that might occur in the
multi-active situation that occurs because the keepalive link goes down while the IPL is down.

DR system setup process


As shown in Figure 2, two devices perform the following operations to form a DR system:
1. Send DRCPDUs over the IPL to each other and compare the DRCPDUs to determine the DR
system stackability and device roles:
a. Compare the DR system settings. The devices can form a DR system if they have
consistent DR system settings.
b. Determine the device roles as described in "Device role calculation."
c. Perform configuration consistency check. For more information, see "Configuration
consistency check."
2. Send keepalive packets over the keepalive link after primary DR member election to verify that
the peer system is operating correctly.
3. Synchronize configuration data by sending DRCPDUs over the IPL. The configuration data
includes MAC address entries and ARP entries.
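Figure 2 DR system setup process
[Figure not reproduced. Device A and Device B, connected by the IPL and the keepalive link and attached to the IP network, go through these stages in order: compare DR settings, set up DR system, assign DR roles, send keepalive packets, synchronize data.]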

DRNI standalone mode


The DR member devices might both operate with the primary role to forward traffic if they have DR
interfaces in up state after the DR system splits. DRNI standalone mode helps avoid traffic
forwarding issues in this multi-active situation by allowing only the member ports in the DR interfaces
on one member device to forward traffic.

The following information describes the operating mechanism of this feature.
The DR member devices change to DRNI standalone mode when they detect that both the IPL and
the keepalive link are down. In addition, the secondary DR member device changes its role to
primary.
In DRNI standalone mode, the LACPDUs sent out of a DR interface by each DR member device
contain the interface-specific LACP system MAC address and LACP system priority.
The Selected state of the member ports in the DR interfaces in a DR group depends on their LACP
system MAC address and LACP system priority. If a DR interface has a lower LACP system priority
value or LACP system MAC address, the member ports in that DR interface become Selected to
forward traffic. If those Selected ports fail, the member ports in the DR interface on the other DR
member device become Selected to forward traffic.

NOTE:
A DR member device changes to DRNI standalone mode only when it detects that both the IPL and
the keepalive link are down. It does not change to DRNI standalone mode when the peer DR
member device reboots.

Configuration consistency check


During DR system setup, DR member devices exchange the configuration and perform configuration
consistency check to verify their consistency in the following configurations:
• Type 1 configuration—Settings that affect traffic forwarding of the DR system. If an
inconsistency in type 1 configuration is detected, the secondary DR member device shuts down
its DR interfaces.
• Type 2 configuration—Settings that affect only service features. If an inconsistency in type 2
configuration is detected, the secondary DR member device disables the affected service
features, but it does not shut down its DR interfaces.
To prevent interface flapping, the DR system performs configuration consistency check when half the
data restoration interval elapses.

NOTE:
The data restoration interval specifies the maximum amount of time for the secondary DR member
device to synchronize data with the primary DR member device during DR system setup. For more
information, see "Setting the data restoration interval."

Type 1 configuration
Type 1 configuration consistency check is performed both globally and on DR interfaces. Table 1 and
Table 2 show settings that type 1 configuration contains.
Table 1 Global type 1 configuration

| Setting | Details |
|---|---|
| IPP link type | IPP link type, including access, hybrid, and trunk. |
| PVID on the IPP | PVID on the IPP. |
| Spanning tree state | • Global spanning tree state. • VLAN-specific spanning tree state. DRNI checks the VLAN-specific spanning tree state only when PVST is enabled. |
| Spanning tree mode | Spanning tree mode, including STP, RSTP, PVST, and MSTP. |
| MST region settings | • MST region name. • MST region revision level. • VLAN-to-MSTI mappings. |

Table 2 DR interface type 1 configuration

| Setting | Details |
|---|---|
| Aggregation mode | Aggregation mode, including static and dynamic. |
| Spanning tree state | Interface-specific spanning tree state. |
| Link type | Interface link type, including access, hybrid, and trunk. |
| PVID | Interface PVID. |

Type 2 configuration
Type 2 configuration consistency check is performed both globally and on DR interfaces. Table 3 and
Table 4 show settings that type 2 configuration contains.
Table 3 Global type 2 configuration

| Setting | Details |
|---|---|
| VLANs permitted by the IPP | VLANs permitted by the IPP. The DR system compares tagged VLANs prior to untagged VLANs. |
| VLAN interfaces | Up VLAN interfaces of which the VLANs contain the IPP. |
| VLAN interface status | Whether a VLAN interface is in administratively down state. |
| IPv4 address of a VLAN interface | IPv4 address assigned to a VLAN interface. |
| IPv6 address of a VLAN interface | IPv6 address assigned to a VLAN interface. |
| Virtual IPv4 address of the VRRP group on a VLAN interface | Virtual IPv4 address of the VRRP group configured on a VLAN interface. |
| Global BPDU guard | Global status of BPDU guard. |
| MAC aging timer | Aging timer for dynamic MAC address entries. |
| VSI name | Name of a VSI that has ACs on a DR interface. |
| VXLAN ID | VXLAN ID of a VSI. |
| Gateway interface | VSI interface associated with a VSI. |
| VSI interface number | Number of a VSI interface. |
| MAC address of a VSI interface | MAC address assigned to a VSI interface. |
| IPv4 address of a VSI interface | IPv4 address assigned to a VSI interface. |
| IPv6 address of a VSI interface | IPv6 address assigned to a VSI interface. |
| Physical state of a VSI interface | Physical link state of a VSI interface. |
| Protocol state of a VSI interface | Data link layer state of a VSI interface. |
| Mode of RoCEv2 traffic analysis | Mode used by NetAnalysis to analyze RoCEv2 traffic. |
| RoCEv2 traffic statistics collection | State of RoCEv2 traffic statistics collection. |
| ACL used for RoCEv2 traffic statistics collection | ACL used to match RoCEv2 traffic for RoCEv2 traffic statistics collection. |
| Global RoCEv2 packet loss analysis | State of global RoCEv2 packet loss analysis. |
| Interval for reporting RoCEv2 traffic statistics to the NDA | Whether the interval is set for reporting RoCEv2 traffic statistics to the NDA. |
| Aging timer for inactive RoCEv2 flows | Whether the aging timer is set for inactive RoCEv2 flows. |

The device displays the following global type 2 settings only when VLAN or VLAN interface
configuration inconsistency exists:
• VLAN interface status.
• IPv4 address of a VLAN interface.
• IPv6 address of a VLAN interface.
• Virtual IPv4 address of the VRRP group on a VLAN interface.
Table 4 DR interface type 2 configuration

| Setting | Details |
|---|---|
| VLANs permitted by a DR interface | VLANs permitted by a DR interface. The DR system compares tagged VLANs prior to untagged VLANs. |
| Using port speed as the prioritized criterion for reference port selection | Whether a DR interface uses port speed as the prioritized criterion for reference port selection. |
| Ignoring port speed in setting the aggregation states of member ports | Whether a DR interface ignores port speed in setting the aggregation states of member ports. |
| Root guard status | Status of root guard. |

DRNI sequence number check


DRNI sequence number check protects DR member devices from replay attacks.
With this feature enabled, the DR member devices insert a sequence number into each outgoing
DRCPDU or keepalive packet and the sequence number increases by 1 for each sent packet. When
receiving a DRCPDU or keepalive packet, the DR member devices check its sequence number and
drop the packet if the check result is either of the following:
• The sequence number of the packet is the same as that of a previously received packet.
• The sequence number of the packet is smaller than that of the most recently received packet.

DRNI packet authentication


DRNI packet authentication prevents DRCPDU and keepalive packet tampering from causing link
flapping.
With this feature enabled, the DR member devices compute a message digest by using an
authentication key for each outgoing DRCPDU or keepalive packet and insert the message digest
into the packet. When receiving a DRCPDU or keepalive packet, a DR member device computes a
message digest and compares it with the message digest in the packet. If the message digests
match, the packet passes authentication. If the message digests do not match, the device drops the
packet.
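The receive-side checks described in "DRNI sequence number check" and "DRNI packet authentication", combined in one added Python example that is not H3C code. The packet layout (4-byte sequence number, payload, trailing digest) and the use of HMAC-SHA256 as the keyed digest are assumptions; the page specifies neither.

```python
import hashlib
import hmac
import struct

DIGEST_LEN = hashlib.sha256().digest_size   # 32 bytes (assumed digest algorithm)


class Sender:
    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0

    def build(self, payload: bytes) -> bytes:
        self.seq += 1                                    # +1 for each sent packet
        body = struct.pack("!I", self.seq) + payload
        # The digest covers the sequence number too, so it cannot be rewritten in transit.
        return body + hmac.new(self.key, body, hashlib.sha256).digest()


class Receiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0     # highest sequence number accepted so far
        self.drops = {"short": 0, "digest": 0, "sequence": 0}

    def accept(self, packet: bytes):
        """Return the payload if the packet passes both checks, otherwise None."""
        if len(packet) < 4 + DIGEST_LEN:
            self.drops["short"] += 1
            return None
        body, digest = packet[:-DIGEST_LEN], packet[-DIGEST_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Authenticate first: an unauthenticated packet must never move last_seq.
        if not hmac.compare_digest(expected, digest):
            self.drops["digest"] += 1
            return None
        (seq,) = struct.unpack("!I", body[:4])
        # Accepted numbers only ever grow, so "seq <= last_seq" covers both drop rules:
        # equal to a previously received number, or smaller than the most recent one.
        # Counter wrap-around is not modelled; the page does not describe it.
        if seq <= self.last_seq:
            self.drops["sequence"] += 1
            return None
        self.last_seq = seq
        return body[4:]


def demo():
    """Constructed traffic: in-order, skipped, replayed, stale and altered packets."""
    key = b"constructed-demo-key"
    tx, rx = Sender(key), Receiver(key)
    p1, p2, p3 = (tx.build(b"keepalive %d" % i) for i in (1, 2, 3))
    results = [
        rx.accept(p1) is not None,   # first packet: accepted
        rx.accept(p3) is not None,   # larger number after a gap: accepted
        rx.accept(p3) is not None,   # same number again: dropped
        rx.accept(p2) is not None,   # smaller than the most recent: dropped
    ]
    altered = bytearray(tx.build(b"keepalive 4"))
    altered[3] ^= 0x40               # sequence field changed after the digest was computed
    results.append(rx.accept(bytes(altered)) is not None)   # digest mismatch: dropped
    return results, rx.drops, rx.last_seq


if __name__ == "__main__":
    print(demo())
```

Because the altered packet fails the digest comparison before its sequence number is read, `last_seq` stays at 3 and later genuine packets are still accepted.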

DRNI failure handling mechanisms


DR interface failure handling mechanism
When the DR interface of one DR member device fails, the DR system forwards traffic through the
other DR member device.
As shown in Figure 3, Device A and Device B form a DR system, to which Device C is attached
through a multichassis aggregation. If traffic to Device C arrives at Device B after the DR interface
connecting Device B to Device C has failed, the DR system forwards the traffic as follows:
1. Device B sends the traffic to Device A over the IPL.
2. Device A forwards the downlink traffic received from the IPL to Device C.
After the faulty DR interface comes up, Device B forwards traffic to Device C through the DR
interface.
Figure 3 DR interface failure handling mechanism
[Figure not reproduced. Labels: DR system with Device A (primary) and Device B (secondary) joined by the IPL; Device C; IP network; faulty interface; uplink traffic; downlink traffic; forwarding path after failure.]

IPL failure handling mechanism


As shown in Figure 4, a multi-active collision occurs if the IPL goes down while the keepalive link is up.
To avoid network issues, the secondary DR member device sets all network interfaces to DRNI MAD
DOWN state, except for interfaces excluded from the shutdown action by DRNI MAD.
In this situation, the primary DR member device forwards all traffic for the DR system.
When the IPP comes up, the secondary DR member device does not bring up the network interfaces
immediately. Instead, it starts a delay timer and begins to recover data from the primary DR member
device. When the delay timer expires, the secondary DR member device brings up all network
interfaces.

Figure 4 IPL failure handling mechanism
[Figure not reproduced. Labels: DR system with Device A (primary) and Device B (secondary) joined by the IPL; Device C; IP network; faulty link; interface in DRNI MAD DOWN state; uplink traffic; downlink traffic.]

Device failure handling mechanism


As shown in Figure 5, when the primary DR member device fails, the secondary DR member device
takes over the primary role to forward all traffic for the DR system. When the faulty device recovers,
it becomes the secondary DR member device.
When the secondary DR member device fails, the primary DR member device forwards all traffic for
the DR system.
Figure 5 Device failure handling mechanism
[Figure not reproduced. Labels: DR system with Device A (primary) and Device B (secondary) joined by the IPL; Device C; IP network; faulty device; uplink traffic; downlink traffic.]

Uplink failure handling mechanism


Uplink failure does not interrupt traffic forwarding of the DR system. As shown in Figure 6, when the
uplink of Device A fails, Device A passes traffic destined for the IP network to Device B for
forwarding.
To enable faster traffic switchover in response to an uplink failure and minimize traffic losses,
configure Monitor Link to associate the DR interfaces with the uplink interfaces. When the uplink
interface of a DR member device fails, that device shuts down its DR interface for the other DR
member device to forward all traffic of Device C. For more information about Monitor Link, see High
Availability Configuration Guide.

Figure 6 Uplink failure handling mechanism
[Figure not reproduced. Labels: DR system with Device A (primary) and Device B (secondary) joined by the IPL; Device C; IP network; faulty link; uplink traffic; downlink traffic.]

Mechanisms to handle concurrent IPL and keepalive link failures
When both the IPL and the keepalive link are down, the DR member devices handle this situation
depending on your configuration.
Default failure handling mechanism
Figure 7 shows the default mechanism to handle IPL and keepalive link failures when the DRNI
standalone mode and DRNI MAD DOWN state persistence features are not configured.
• If the IPL goes down while the keepalive link is up, the DR member devices negotiate their roles
over the keepalive link. DRNI MAD shuts down all network interfaces on the secondary DR
member device except those excluded from the shutdown action by DRNI MAD.
• If the keepalive link goes down while the IPL is down, the secondary DR member device sets its
role to primary and brings up the network interfaces in DRNI MAD DOWN state to forward traffic.
In this situation, both of the DR member devices might operate with the primary role to forward
traffic. Forwarding errors might occur because the DR member devices cannot synchronize
MAC address entries over the IPL.
• If the keepalive link is down before the IPL goes down, DRNI MAD will not place network
interfaces in DRNI MAD DOWN state. Both DR member devices can operate with the primary
role to forward traffic.
Figure 7 Default failure handling mechanism
[Figure not reproduced. Labels: DR system with Device A (primary) and Device B (secondary) joined by the IPL and the keepalive link; Device C; network; faulty link; uplink traffic; downlink traffic.]

Failure handling mechanism with DRNI MAD DOWN state persistence


Figure 8 shows the mechanism to handle IPL and keepalive link failures when the DRNI MAD DOWN
state persistence feature is configured.

• If the IPL goes down while the keepalive link is up, the DR member devices negotiate their roles
over the keepalive link. DRNI MAD shuts down all network interfaces on the secondary DR
member device except those excluded from the shutdown action by DRNI MAD.
• If the keepalive link goes down while the IPL is down, the secondary DR member device sets its
role to primary, but it does not bring up the network interfaces in DRNI MAD DOWN state. Only
the original primary member device can forward traffic.
• If the keepalive link is down before the IPL goes down, DRNI MAD will not place network
interfaces in DRNI MAD DOWN state. Both DR member devices can operate with the primary
role to forward traffic.
Figure 8 Failure handling mechanism with DRNI MAD DOWN state persistence
[Figure not reproduced. Labels: DR system with Device A (primary) and Device B (secondary) joined by the IPL and the keepalive link; Device C; network; faulty link; interface in DRNI MAD DOWN state; uplink traffic; downlink traffic.]

As shown in Figure 9, you can bring up the interfaces in DRNI MAD DOWN state on the secondary
DR member device for it to forward traffic if the following conditions exist:
• Both the IPL and the keepalive link are down.
• The primary DR member device fails or its DR interface fails.
Figure 9 Bringing up the interfaces in DRNI MAD DOWN state
[Figure not reproduced. Labels: DR system with Device A (primary) and Device B (secondary) joined by the IPL and the keepalive link; Device C; network; faulty interface, link, or device; interface in DRNI MAD DOWN state; uplink traffic; downlink traffic.]

Failure handling mechanism with DRNI standalone mode


Figure 10 shows the mechanism to handle IPL and keepalive link failures when the DRNI standalone
mode feature is configured.
• If the IPL goes down while the keepalive link is up, the DR member devices negotiate their roles
over the keepalive link. DRNI MAD shuts down all network interfaces on the secondary DR
member device except those excluded from the shutdown action by DRNI MAD.
• If the keepalive link goes down while the IPL is down, both DR member devices change to DRNI
standalone mode. The secondary DR member device sets its role to primary and brings up its
network interfaces in DRNI MAD DOWN state. In DRNI standalone mode, only the aggregation
member ports on one DR member device can become Selected to forward traffic. For more
information about how DRNI standalone mode operates, see "DRNI standalone mode."

• If the keepalive link is down before the IPL goes down, both DR member devices change to
DRNI standalone mode.
Figure 10 Failure handling mechanism with DRNI standalone mode
[Figure not reproduced. Labels: DR system with Device A (primary) and Device B (secondary) joined by the IPL and the keepalive link; Device C; network; faulty interface, link, or device; interface in DRNI MAD DOWN state; uplink traffic; downlink traffic.]
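The three mechanisms above differ only in what happens once both links are down. This added Python model (not H3C code) replays link-failure events in order and returns which DR member devices still forward traffic for Device C. The class and method names are hypothetical, and the standalone-mode tie-break compares LACP system priority before LACP system MAC address as an assumption.

```python
from dataclasses import dataclass


@dataclass
class Device:
    name: str
    role: str                  # "primary" or "secondary"
    lacp_priority: int         # LACP system priority on its DR interface
    lacp_mac: str              # LACP system MAC address on its DR interface
    dr_up: bool = True         # local DR interface (or the whole device) is up
    mad_down: bool = False     # network interfaces are in DRNI MAD DOWN state
    standalone: bool = False   # device operates in DRNI standalone mode


class DRSystem:
    MODES = ("default", "persistence", "standalone")

    def __init__(self, mode, a, b):
        if mode not in self.MODES:
            raise ValueError(f"unknown mode: {mode}")
        self.mode, self.devices = mode, [a, b]
        self.ipl_up = self.keepalive_up = True

    def _split(self):
        """Both links are down: the secondary takes the primary role."""
        for d in self.devices:
            if d.role == "secondary":
                d.role = "primary"
            if self.mode == "standalone":
                d.standalone = True
            if self.mode != "persistence":
                d.mad_down = False           # interfaces are brought back up

    def ipl_down(self):
        self.ipl_up = False
        if self.keepalive_up:
            # Multi-active collision: DRNI MAD isolates the secondary device.
            for d in self.devices:
                d.mad_down = d.role == "secondary"
        else:
            # Keepalive link failed first: no interface is placed in MAD DOWN state.
            self._split()

    def keepalive_down(self):
        self.keepalive_up = False
        if not self.ipl_up:
            self._split()

    def operator_restore(self, name):
        """Figure 9: manual bring-up, only with both links down and a failed peer."""
        dev = next(d for d in self.devices if d.name == name)
        peer = next(d for d in self.devices if d.name != name)
        if self.ipl_up or self.keepalive_up or peer.dr_up:
            raise RuntimeError("conditions for bringing up MAD DOWN interfaces not met")
        dev.mad_down = False

    def forwarders(self):
        live = [d for d in self.devices if d.dr_up and not d.mad_down]
        if live and all(d.standalone for d in live):
            # Standalone mode: only the DR interface with the lower LACP system
            # priority value (then lower system MAC) has Selected member ports.
            best = min(live, key=lambda d: (d.lacp_priority,
                                            int(d.lacp_mac.replace("-", ""), 16)))
            return [best.name]
        return sorted(d.name for d in live)


def scenario(mode, events):
    """Build a constructed two-member DR system and replay events in order."""
    a = Device("Device A", "primary", 200, "0001-0001-0001")
    b = Device("Device B", "secondary", 100, "0002-0002-0002")
    system = DRSystem(mode, a, b)
    for event in events:
        getattr(system, event)()             # "ipl_down" or "keepalive_down"
    return system


if __name__ == "__main__":
    for mode in DRSystem.MODES:
        for events in (["ipl_down", "keepalive_down"], ["keepalive_down", "ipl_down"]):
            print(mode, events, scenario(mode, events).forwarders())
```

The output shows that DRNI MAD DOWN state persistence prevents dual forwarding only when the IPL fails first, while DRNI standalone mode leaves a single forwarder regardless of which link fails first.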

Protocols and standards



IEEE P802.1AX-REV/D4.4c, Draft Standard for Local and Metropolitan Area Networks

Restrictions and guidelines: DRNI configuration


Software version requirements
The DR member devices in a DR system must use the same software version.

DRNI configuration
DR system configuration
DRNI is an H3C proprietary protocol. You cannot use DR interfaces for communicating with
third-party devices.
You can assign two member devices to a DR system. For the DR member devices to be identified as
one DR system by the upstream or downstream devices, you must configure the same DR system
MAC address and DR system priority on the DR member devices. You must assign different DR
system numbers to the DR member devices.
Make sure each DR system uses a unique DR system MAC address.
To ensure correct forwarding, delete DRNI configuration from a DR member device if it leaves its DR
system.
When you bulk shut down physical interfaces on a DR member device for service changes or
hardware replacement, shut down the physical interfaces used for keepalive detection prior to the
physical member ports of the IPP. If you fail to do so, link flapping will occur on the member ports of
DR interfaces.
IPL
In addition to protocol packets, the IPL also transmits data packets between the DR member devices
when an uplink fails.
If a DR member device is a fixed-port device with interface expansion modules, assign ports from
multiple interface expansion modules to the aggregation group of the IPP. As a best practice, make
sure at least one member port resides on a different interface expansion module than the uplink
interfaces.
If a DR member device is a fixed-port device, assign at least two physical interfaces to the
aggregation group of the IPP.
Make sure the member ports in the aggregation group of the IPP have the same speed.
If a leaf-tier DR system is attached to a large number of servers whose NICs operate in
active/standby mode, take the size of the traffic sent among those servers into account when you
determine the bandwidth of the IPL.
As a best practice to reduce the impact of interface flapping on upper-layer services, use the
link-delay command to configure the same link delay settings on the IPPs. Do not set the link
delay to 0.
In a DR system, the two IPPs must have the same configuration for the maximum jumbo frame length.
For the DR system to correctly forward traffic for single-homed devices, set the link type to trunk for
the IPPs and the interfaces attached to the single-homed devices. If you fail to do so, the ARP and
ND protocol packets sent to or from the single-homed devices cannot be forwarded over the IPL.
Keepalive link
The DR member devices exchange keepalive packets over the keepalive link to detect multi-active
collisions when the IPL is down.
As a best practice, establish a dedicated direct link between two DR member devices as a keepalive
link. Do not use the keepalive link for any other purposes. Make sure the DR member devices have
Layer 2 and Layer 3 connectivity to each other over the keepalive link.
You can use management Ethernet interfaces, Layer 3 Ethernet interfaces, Layer 3 aggregate
interfaces, or interfaces with a bound VPN instance to set up the keepalive link. As a best practice,
do not use VLAN interfaces for keepalive link setup. If you have to use VLAN interfaces, remove the
IPPs from the related VLANs to avoid loops.
On a fixed-port device with interface expansion modules, do not use the same module to provide
interfaces for setting up the keepalive link and IPL.
For correct keepalive detection, you must exclude the physical and logical interfaces used for
keepalive detection from the shutdown action by DRNI MAD.
DR interface
DR interfaces in the same DR group must use different LACP system MAC addresses.
As a best practice, use the undo lacp period command to enable the long LACP timeout timer
(90 seconds) on a DR system.
You must execute the lacp edge-port command on the DR interfaces attached to bare metal
servers.
Interfaces excluded from the shutdown action by DRNI MAD
When you configure DRNI on the underlay networks, follow these restrictions and guidelines:
• Set the default DRNI MAD action to DRNI MAD DOWN by using the drni mad
default-action down command. By default, the default DRNI MAD action is DRNI MAD
DOWN.
• Exclude the VLAN interfaces of the VLANs to which the DR interfaces and IPPs belong from the
shutdown action by DRNI MAD. These interfaces will not be shut down by DRNI MAD.
• Exclude the interfaces used for keepalive detection. These interfaces will not be shut down by
DRNI MAD.
• Do not exclude the uplink Layer 3 interfaces, VLAN interfaces, or physical interfaces. These
interfaces will be shut down by DRNI MAD.

DRNI standalone mode
The DR member devices might both operate with the primary role to forward traffic if they have DR
interfaces in up state after the DR system splits. DRNI standalone mode helps avoid traffic
forwarding issues in this multi-active situation by allowing only the member ports in the DR interfaces
on one member device to forward traffic.
The following information describes the operating mechanism of this feature.
The DR member devices change to DRNI standalone mode when they detect that both the IPL and
the keepalive link are down. In addition, the secondary DR member device changes its role to
primary.
In DRNI standalone mode, the LACPDUs sent out of a DR interface by each DR member device
contain the interface-specific LACP system MAC address and LACP system priority.
The Selected state of the member ports in the DR interfaces in a DR group depends on their LACP
system MAC address and LACP system priority. If a DR interface has a lower LACP system priority
value or LACP system MAC address, the member ports in that DR interface become Selected to
forward traffic. If those Selected ports fail, the member ports in the DR interface on the other DR
member device become Selected to forward traffic.
To configure the DR system priority, use the drni system-priority command in system view.
To configure the LACP system priority, use one of the following methods:
• Execute the lacp system-mac and lacp system-priority commands in system view.
• Execute the port lacp system-mac and port lacp system-priority commands in
DR interface view.
The DR interface-specific configuration takes precedence over the global configuration.
When you configure the DR system priority and LACP system priority, follow these guidelines:
• For a single tier of DR system at the leaf layer, set the DR system priority value to be larger than
the LACP system priority value for DR interfaces. The smaller the value, the higher the priority.
For a DR group, configure different LACP system priority values for the member DR interfaces.
• For two or more tiers of DR systems, configure the same LACP system priority for the devices
with the same DR role. This ensures traffic is forwarded along the correct path when a DR
system splits.

Compatibility with other features


GIR
Before you change a DR system back to normal mode by using the undo gir system-mode
maintenance command, execute the display drni mad verbose command to verify that no
network interfaces are in DRNI MAD DOWN state. For information about GIR, see Fundamentals
Configuration Guide.
IRF
DRNI cannot work correctly on an IRF fabric. Do not configure DRNI on an IRF fabric. For more
information about IRF, see Virtual Technologies Configuration Guide.
MAC address table
If the DR system has a large number of MAC address entries, set the MAC aging timer to a higher
value than 20 minutes as a best practice. To set the MAC aging timer, use the mac-address
timer command.
The MAC address learning feature is disabled on the IPP.
For more information about the MAC address table, see "Configuring the MAC address table."

Ethernet link aggregation
Do not configure automatic link aggregation on a DR system.
The aggregate interfaces in an S-MLAG group cannot be used as DR interfaces or IPPs.
You cannot configure link aggregation management subnets on a DR system.
When you configure a DR interface, follow these restrictions and guidelines:
• The link-aggregation selected-port maximum and link-aggregation
selected-port minimum commands do not take effect on a DR interface.
• If you execute the display link-aggregation verbose command for a DR interface,
the displayed system ID contains the DR system MAC address and the DR system priority.
• If the reference port is a member port of a DR interface, the display link-aggregation
verbose command displays the reference port on both DR member devices.
For more information about Ethernet link aggregation, see "Configuring Ethernet link aggregation."
Port isolation
Do not assign DR interfaces or IPPs to a port isolation group. For more information about port
isolation, see "Configuring port isolation."
Loop detection
Member devices in a DR system must have the same loop detection configuration. For information
about loop detection, see "Configuring loop detection."
Spanning tree
When the spanning tree protocol is enabled for a DR system, follow these restrictions and
guidelines:
• Make sure the DR member devices have the same spanning tree configuration. Violation of this
rule might cause network flapping. The configuration includes:
  ◦ Global spanning tree configuration.
  ◦ Spanning tree configuration on the IPP.
  ◦ Spanning tree configuration on DR interfaces.
• IPPs of the DR system do not participate in spanning tree calculation.
• The DR member devices still use the DR system MAC address after the DR system splits,
which will cause spanning tree calculation issues. To avoid the issues, enable DRNI standalone
mode on the DR member devices before the DR system splits.
For more information about spanning tree, see "Configuring spanning tree."
Multicast
You can configure multicast on a DR system only with Release 6635.
Multicast VPN is not supported on a DR system. For more information about multicast VPN, see IP
Multicast Configuration Guide.
CFD
Do not use the MAC address of a remote MEP for CFD tests on IPPs. These tests cannot work on
IPPs. For more information about CFD, see High Availability Configuration Guide.
Smart Link
The DR member devices in a DR system must have the same Smart Link configuration.
For Smart Link to operate correctly on a DR interface, do not assign the DR interface and non-DR
interfaces to the same smart link group.
Do not assign an IPP to a smart link group.

For more information about Smart Link configuration, see High Availability Configuration Guide.
VRRP
If you use DRNI and VRRP together, make sure the keepalive hold timer is shorter than the interval
at which the VRRP master sends VRRP advertisements. Violation of this restriction might cause a
VRRP master/backup switchover to occur before IPL failure is confirmed. To set the interval at which
the VRRP master sends VRRP advertisements, use the vrrp vrid timer advertise or vrrp
ipv6 vrid timer advertise command. For more information about the commands, see High
Availability Command Reference.
Mirroring
For a mirroring group, do not assign the source port to an aggregation group other than the one that
accommodates the destination port, egress port, or reflector port. If the source port is in a different
aggregation group than the other ports, mirrored LACPDUs will be transmitted between the
aggregation groups and cause aggregate interface flapping.
VXLAN and EVPN
For information about VXLAN and EVPN restrictions, see VXLAN Configuration Guide and EVPN
VXLAN configuration in EVPN Configuration Guide.

DRNI tasks at a glance


To configure DRNI, perform the following tasks:
1. Configuring DR system settings
  ◦ Configuring the DR system MAC address
  ◦ Setting the DR system number
  ◦ Setting the DR system priority
2. Setting the DR role priority of the device
3. (Optional.) Enabling DRNI standalone mode on a DR member device
4. Configuring DR keepalive settings
  ◦ Configuring DR keepalive packet parameters
  ◦ Setting the DR keepalive interval and timeout timer
5. Configuring DRNI MAD
6. Configuring a DR interface
7. Specifying a Layer 2 aggregate interface or VXLAN tunnel interface as the IPP
8. (Optional.) Enabling the IPP to retain MAC address entries for down single-homed devices
9. (Optional.) Assigning a DRNI virtual IP address to an interface
Configure DRNI virtual IP addresses for devices to communicate with the DR system by using
dynamic routing protocols.
10. (Optional.) Configuring configuration consistency check
  ◦ Setting the mode of configuration consistency check
  ◦ (Optional.) Disabling configuration consistency check
Configuration consistency check might fail when you upgrade the DR member devices in a
DR system. To prevent the DR system from falsely shutting down DR interfaces,
temporarily disable configuration consistency check.
11. (Optional.) Enabling the short DRCP timeout timer on the IPP or a DR interface
12. Configuring DRNI timers
  ◦ (Optional.) Setting the keepalive hold timer for identifying the cause of IPL down events
  ◦ Configuring DR system auto-recovery
  ◦ (Optional.) Setting the data restoration interval
13. (Optional.) Configuring DRNI security features
  ◦ Enabling DRNI sequence number check
  ◦ Enabling DRNI packet authentication

Configuring DR system settings


Configuring the DR system MAC address
Restrictions and guidelines
On a DR system, DR interfaces in the same DR group must use the same LACP system MAC
address. As a best practice, use the bridge MAC address of one DR member device as the DR
system MAC address.
Changing the DR system MAC address causes DR system split. When you perform this task on a
live network, make sure you are fully aware of its impact.
You can configure the DR system MAC address on an aggregate interface only after it is configured
as a DR interface.
You can configure the DR system MAC address globally and in aggregate interface view. The global
DR system MAC address takes effect on all aggregation groups. On an aggregate interface, the
interface-specific DR system MAC address takes precedence over the global DR system MAC
address.
Procedure
1. Enter system view.
system-view
2. Configure the DR system MAC address.
drni system-mac mac-address
By default, the DR system MAC address is not configured.
3. Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
4. Set the DR system MAC address on the aggregate interface.
port drni system-mac mac-address
By default, the DR system MAC address is not configured.
This command is supported only in Release 6616 and later.

Setting the DR system number


Restrictions and guidelines
Changing the DR system number causes DR system split. When you perform this task on a live
network, make sure you are fully aware of its impact.
You must assign different DR system numbers to the DR member devices in a DR system.
Procedure
1. Enter system view.
system-view
2. Set the DR system number.
drni system-number system-number
By default, the DR system number is not set.

Setting the DR system priority


About this task
A DR system uses its DR system priority as the system LACP priority to communicate with the
remote aggregation system.
Restrictions and guidelines
Changing the DR system priority in system view causes DR system split. When you perform this task
on a live network, make sure you are fully aware of its impact.
You must configure the same DR system priority for the DR interfaces in the same DR group.
You can configure the DR system priority on an aggregate interface only after it is configured as a DR
interface.
You can configure the DR system priority globally and in aggregate interface view. The global DR
system priority takes effect on all aggregation groups. On an aggregate interface, the
interface-specific DR system priority takes precedence over the global DR system priority.
Procedure
1. Enter system view.
system-view
2. Set the DR system priority.
drni system-priority system-priority
By default, the DR system priority is 32768.
3. Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
4. Set the DR system priority on the aggregate interface.
port drni system-priority priority
By default, the DR system priority is 32768.
This command is supported only in Release 6616 and later.

Setting the DR role priority of the device


About this task
DRNI assigns the primary or secondary role to a DR member device based on its DR role priority.
The smaller the priority value, the higher the priority. If the DR member devices in a DR system use
the same DR role priority, the device with the lower bridge MAC address is assigned the primary role.
Restrictions and guidelines
To prevent a primary/secondary role switchover from causing network flapping, avoid changing the
DR priority assignment after the DR system is established.
Procedure
1. Enter system view.
system-view
2. Set the DR role priority of the device.
drni role priority priority-value
By default, the DR role priority of the device is 32768.

Enabling DRNI standalone mode on a DR member device
About this task
Perform this task to avoid forwarding issues in the multi-active situation that might occur after both
the IPL and the keepalive link are down.
DRNI standalone mode helps avoid traffic forwarding issues in this multi-active situation by allowing
only the member ports in the DR interfaces on one member device to forward traffic. For more
information about this mode, see "DRNI standalone mode."
When you configure this feature, you can configure a delay to prevent an unnecessary mode change
because of transient link down issues.
If the keepalive link fails before the IPL fails, DRNI MAD will not shut down the interfaces on the DR
member devices. After the DR member devices enter DRNI standalone mode, they use different
LACP system IDs for link aggregation. As a result, the aggregation member ports on one of the DR
member devices are selected to forward traffic.
If the IPL fails, DRNI MAD shuts down the interfaces on the secondary DR member device. When the
keepalive link also fails, DRNI MAD brings up the interfaces in DRNI MAD DOWN state, and then the
secondary DR member device enters DRNI standalone mode.
Software version and feature compatibility
The feature is supported only in Release 6616 and later.
Restrictions and guidelines
A DR member device changes to DRNI standalone mode only when it detects that both the IPL and
the keepalive link are down. It does not change to DRNI standalone mode when the peer DR
member device reboots, because the peer notifies the DR member device of the reboot event.
As a best practice, enable DRNI standalone mode on both DR member devices.
Before you enable DRNI standalone mode on a DR member device, make sure its LACP system
priority is higher than that of the remote aggregation system. This restriction ensures that the
reference port is on the remote aggregation system and prevents the interfaces attached to the DR
system from flapping. For more information about the LACP system priority, see "Configuring
Ethernet link aggregation."
To configure the DR system priority, use the drni system-priority command in system view.
To configure the LACP system priority, use one of the following methods:
• Execute the lacp system-mac and lacp system-priority commands in system view.
• Execute the port lacp system-mac and port lacp system-priority commands in
DR interface view.
The DR interface-specific configuration takes precedence over the global configuration.
When you configure the DR system priority and LACP system priority, follow these guidelines:
• For a single tier of DR system at the leaf layer, set the DR system priority value to be larger than
the LACP system priority value for DR interfaces. The smaller the value, the higher the priority.
For a DR group, configure different LACP system priority values for the member DR interfaces.
• For two tiers of DR systems at the spine and leaf layers, configure the same DR system priority
and LACP system priority settings for the DR systems. This ensures traffic is forwarded along
the correct path when a DR system splits.
Procedure
1. Enter system view.
system-view

2. Enable DRNI standalone mode.
drni standalone enable [ delay delay-time ]
By default, DRNI standalone mode is disabled.

Configuring DR keepalive settings


Restrictions and guidelines for configuring DR keepalive settings
As a best practice, establish a dedicated direct link between DR member devices as a keepalive link.
Do not use the keepalive link for any other purposes. Make sure the DR member devices have Layer
2 and Layer 3 connectivity to each other over the keepalive link.

Configuring DR keepalive packet parameters


About this task
Perform this task to specify the parameters for sending DR keepalive packets, such as their source
and destination IP addresses.
The device accepts only keepalive packets that are sourced from the specified destination IP
address. The keepalive link goes down if the device receives keepalive packets sourced from any
other IP address.
Restrictions and guidelines
Make sure the source and destination IP addresses of keepalive packets can reach each other.
Make sure the DR member devices in a DR system use the same keepalive destination UDP port.
Procedure
1. Enter system view.
system-view
2. Configure DR keepalive packet parameters.
drni keepalive { ip | ipv6 } destination { ipv4-address | ipv6-address }
[ source { ipv4-address | ipv6-address } | udp-port udp-number |
vpn-instance vpn-instance-name ] *
By default, the DR keepalive packet parameters are not configured. If you do not specify a
source IP address or destination UDP port when you execute this command, the IP address of
the outgoing interface and UDP port 6400 are used, respectively.

Setting the DR keepalive interval and timeout timer


About this task
The device sends keepalive packets at the specified interval to its DR peer. If the device has not
received a keepalive packet from the DR peer before the keepalive timeout timer expires, the device
determines that the keepalive link is down.
Restrictions and guidelines
The local DR keepalive timeout timer must be two times the DR keepalive interval of the peer at
minimum.
Configure the same DR keepalive interval on the DR member devices in the DR system.

Procedure
1. Enter system view.
system-view
2. Set the DR keepalive interval and timeout timer.
drni keepalive interval interval [ timeout timeout ]
By default, the DR keepalive interval is 1000 milliseconds, and the DR keepalive timeout timer
is 5 seconds.
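The pairing rules in "Configuring DR system settings" and the two keepalive sections above can be checked offline before a change window. The following Python code is an added example, not H3C code: it reads only the global drni commands shown in this guide from two constructed configuration snippets and reports rule violations. It assumes the interval argument is in milliseconds and the timeout argument in seconds (the units of the documented defaults); interface-level port drni overrides are not modeled.

```python
import re

# Defaults stated in the guide: priority 32768, UDP port 6400,
# keepalive interval 1000 ms, keepalive timeout 5 s.
DEFAULTS = {"priority": 32768, "udp_port": 6400, "interval_ms": 1000, "timeout_s": 5}

def norm_mac(mac):
    # Assumption: MACs are written in H-H-H form and leading zeros may be omitted.
    return "-".join(group.zfill(4) for group in mac.lower().split("-"))

def parse_drni(config_text):
    """Collect the global (system-view) DRNI settings from configuration text."""
    s = dict(DEFAULTS, system_mac=None, system_number=None, ka_dest=None, ka_source=None)
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"drni system-mac (\S+)", line):
            s["system_mac"] = norm_mac(m.group(1))
        elif m := re.fullmatch(r"drni system-number (\d+)", line):
            s["system_number"] = int(m.group(1))
        elif m := re.fullmatch(r"drni system-priority (\d+)", line):
            s["priority"] = int(m.group(1))
        elif m := re.fullmatch(r"drni keepalive interval (\d+)(?: timeout (\d+))?", line):
            s["interval_ms"] = int(m.group(1))
            if m.group(2):
                s["timeout_s"] = int(m.group(2))
        elif m := re.fullmatch(r"drni keepalive (?:ip|ipv6) destination (\S+)(.*)", line):
            s["ka_dest"] = m.group(1)
            if src := re.search(r"\bsource (\S+)", m.group(2)):
                s["ka_source"] = src.group(1)
            if port := re.search(r"\budp-port (\d+)", m.group(2)):
                s["udp_port"] = int(port.group(1))
    return s

def audit_pair(cfg_a, cfg_b):
    """Return (rule, detail) tuples for every guide rule the pair violates."""
    a, b = parse_drni(cfg_a), parse_drni(cfg_b)
    out = []
    # DR interfaces in the same DR group must use the same system MAC address.
    if a["system_mac"] is None or a["system_mac"] != b["system_mac"]:
        out.append(("system-mac", f"{a['system_mac']} vs {b['system_mac']}"))
    # The DR member devices must use different DR system numbers.
    if None in (a["system_number"], b["system_number"]) or a["system_number"] == b["system_number"]:
        out.append(("system-number", f"{a['system_number']} vs {b['system_number']}"))
    # DR interfaces in the same DR group must use the same DR system priority.
    if a["priority"] != b["priority"]:
        out.append(("system-priority", f"{a['priority']} vs {b['priority']}"))
    # Both members must use the same keepalive destination UDP port and interval.
    if a["udp_port"] != b["udp_port"]:
        out.append(("keepalive-udp-port", f"{a['udp_port']} vs {b['udp_port']}"))
    if a["interval_ms"] != b["interval_ms"]:
        out.append(("keepalive-interval", f"{a['interval_ms']} vs {b['interval_ms']} ms"))
    for name, local, peer in (("A", a, b), ("B", b, a)):
        # Local timeout must be at least two times the peer's interval.
        if local["timeout_s"] * 1000 < 2 * peer["interval_ms"]:
            out.append(("keepalive-timeout", f"member {name}: {local['timeout_s']} s is "
                        f"less than 2 x {peer['interval_ms']} ms"))
        # Only packets sourced from the configured destination address are accepted.
        if local["ka_dest"] is None:
            out.append(("keepalive-destination", f"member {name}: not configured"))
        elif peer["ka_source"] and local["ka_dest"] != peer["ka_source"]:
            out.append(("keepalive-address", f"member {name} expects {local['ka_dest']}, "
                        f"peer sends from {peer['ka_source']}"))
    return out

# Constructed sample configurations (documentation addresses, not from the guide).
MEMBER_A = """
drni system-mac 0001-0001-0001
drni system-number 1
drni system-priority 123
drni keepalive ip destination 192.0.2.2 source 192.0.2.1
drni keepalive interval 1000 timeout 5
"""
MEMBER_B_GOOD = """
drni system-mac 1-1-1
drni system-number 2
drni system-priority 123
drni keepalive ip destination 192.0.2.1 source 192.0.2.2
drni keepalive interval 1000 timeout 5
"""
MEMBER_B_BAD = """
drni system-mac 1-1-1
drni system-number 1
drni keepalive ip destination 192.0.2.1 source 192.0.2.3 udp-port 6500
drni keepalive interval 3000 timeout 5
"""

if __name__ == "__main__":
    for rule, detail in audit_pair(MEMBER_A, MEMBER_B_BAD):
        print(f"{rule}: {detail}")
```
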

Configuring DRNI MAD


About this task
DRNI MAD configuration methods
When you configure DRNI MAD, use either of the following methods:
• To shut down all network interfaces on the secondary DR member device except a few
special-purpose interfaces that must be retained in up state:
  ◦ Set the default DRNI MAD action to DRNI MAD DOWN. For more information, see "Configuring the default DRNI MAD action on network interfaces."
  ◦ Exclude interfaces from being shut down by DRNI MAD. For more information, see "Excluding an interface from the shutdown action by DRNI MAD."
This method is applicable to most network environments.
• To have the secondary DR member device retain a large number of interfaces in up state and
shut down the remaining interfaces:
  ◦ Set the default DRNI MAD action to NONE. For more information, see "Configuring the default DRNI MAD action on network interfaces."
  ◦ Specify network interfaces that must be shut down by DRNI MAD. For more information, see "Specifying interfaces to be shut down by DRNI MAD when the DR system splits."
One applicable scenario of this method is the EVPN environment in which you use a VXLAN
tunnel as the IPL. In this scenario, you must retain a large number of logical interfaces (for
example, VLAN, aggregate, loopback, tunnel, and VSI interfaces) in up state.
List of automatically included interfaces
DRNI MAD will always shut down the ports in the system-configured included port list if the device
acts as the secondary DR member device when the DR system splits.
This list contains aggregation member ports of DR interfaces. To identify system-configured included
ports, execute the display drni mad verbose command.
List of automatically excluded interfaces
DRNI MAD will not shut down the ports in the following list when the DR system splits:
• System-configured excluded port list in DRNI MAD:
  ◦ IPP.
  ◦ Aggregation member interfaces if a Layer 2 aggregate interface is used as the IPP.
  ◦ DR interfaces.
  ◦ Management interfaces.
To identify these interfaces, execute the display drni mad verbose command.
• Network interfaces used for special purposes, including:
  ◦ Interfaces placed in a loopback test by using the loopback command.
  ◦ Interfaces assigned to a service loopback group by using the port service-loopback group command.
  ◦ Mirroring reflector ports configured by using the mirroring-group reflector-port command.
  ◦ Interfaces forced to stay up by using the port up-mode command.

Configuring the default DRNI MAD action on network interfaces
About this task
You can configure DRNI MAD to take either of the following default actions on network interfaces if
the device acts as the secondary DR member device when the DR system splits:
• DRNI MAD DOWN—DRNI MAD will shut down all network interfaces on the secondary DR
member device when the DR system splits, except the interfaces excluded manually or by the
system.
• NONE—DRNI MAD will not shut down any network interfaces when the DR system splits,
except the interfaces configured manually or by the system to be shut down by DRNI MAD.
Restrictions and guidelines
The DRNI MAD DOWN action will not take effect on the interfaces listed in "List of automatically
excluded interfaces."
The DRNI MAD DOWN action will always be taken on the interfaces listed in "List of automatically
included interfaces," even if the default DRNI MAD action is NONE.
Procedure
1. Enter system view.
system-view
2. Configure the default DRNI MAD action to take on network interfaces on the secondary DR
member device when the DR system splits.
drni mad default-action { down | none }
By default, DRNI MAD shuts down network interfaces on the secondary DR member device.

Excluding an interface from the shutdown action by DRNI MAD
About this task
By default, DRNI MAD automatically excludes the interfaces listed in "List of automatically excluded
interfaces" when it shuts down network interfaces on the secondary DR member device.
To specify additional interfaces that cannot be shut down, perform this task.
You typically perform this task when the default DRNI MAD action is set to DRNI MAD DOWN.
Restrictions and guidelines
You must always exclude the following interfaces from being shut down by DRNI MAD:
• For correct keepalive detection, you must exclude the interfaces used for keepalive detection.
• If the IPP is a tunnel interface, you must exclude the traffic outgoing interface for the tunnel.
• For DR member devices to synchronize ARP entries, you must exclude the VLAN interfaces of
the VLANs to which the DR interfaces and IPPs belong.

The DRNI MAD DOWN action is always taken on interfaces listed in "List of automatically included
interfaces." You cannot disable the action by excluding those interfaces.
To view interfaces excluded from the MAD shutdown action, see the Excluded ports
(user-configured) field in the output from the display drni mad verbose command.
If you exclude an interface that is already in DRNI MAD DOWN state from the MAD shutdown action,
the interface stays in that state. It will not come up automatically.
Procedure
1. Enter system view.
system-view
2. Exclude an interface from the shutdown action by DRNI MAD.
drni mad exclude interface interface-type interface-number
By default, DRNI MAD shuts down all network interfaces when detecting a multi-active collision,
except for the network interfaces set by the system to not shut down.

Excluding all logical interfaces from the shutdown action by DRNI MAD
About this task
When a VXLAN tunnel is used as the IPL on an EVPN DR system, you must retain a large number of
logical interfaces (for example, VLAN, aggregate, loopback, tunnel, and VSI interfaces) in up state.
To simplify configuration, you can exclude all logical interfaces from the shutdown action by DRNI
MAD.
Software version and feature compatibility
The feature is supported only in Release 6616 and later.
Restrictions and guidelines
The drni mad exclude interface and drni mad include interface commands take
precedence over the drni mad exclude logical-interfaces command.
Procedure
1. Enter system view.
system-view
2. Exclude all logical interfaces from the shutdown action by DRNI MAD.
drni mad exclude logical-interfaces
By default, DRNI MAD shuts down all network interfaces when it detects a multi-active collision,
except for the network interfaces set by the system to not shut down.

Specifying interfaces to be shut down by DRNI MAD when the DR system splits
About this task
By default, DRNI MAD automatically shuts down the interfaces listed in "List of automatically
included interfaces" if the device is the secondary DR member device when the DR system splits.
To specify additional interfaces to be shut down by DRNI MAD, perform this task.
You typically perform this task when the default DRNI MAD action is set to NONE.

Restrictions and guidelines
The DRNI MAD DOWN action will not take effect on the interfaces listed in "List of automatically
excluded interfaces."
Procedure
1. Enter system view.
system-view
2. Specify interfaces to be shut down by DRNI MAD when the DR system splits.
drni mad include interface interface-type interface-number
By default, the user-configured included port list does not contain any ports.
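The selection rules spread across the DRNI MAD sections above combine into one decision per interface on the secondary DR member device. The following Python model is an added example, not H3C code, that applies them in the precedence the guide states and flags required interfaces that would go down at a split. Interface names, the logical-interface name prefixes, and the rejection of an interface configured as both included and excluded are assumptions of the example.

```python
# Assumption: name prefixes used to recognise logical interfaces. The guide names
# VLAN, aggregate, loopback, tunnel, and VSI interfaces as examples.
LOGICAL_PREFIXES = ("vlan-interface", "bridge-aggregation", "loopback", "tunnel", "vsi-interface")

def mad_shutdown_set(interfaces, *, default_action="down", system_included=(),
                     system_excluded=(), special_purpose=(), user_excluded=(),
                     user_included=(), exclude_logical=False):
    """Return the interfaces DRNI MAD shuts down on the secondary member at a split."""
    if default_action not in ("down", "none"):
        raise ValueError("default_action must be 'down' or 'none'")
    sys_in, sys_ex = set(system_included), set(system_excluded) | set(special_purpose)
    usr_in, usr_ex = set(user_included), set(user_excluded)
    if usr_in & usr_ex:
        # The guide does not define this case, so the example refuses to guess.
        raise ValueError(f"both included and excluded: {sorted(usr_in & usr_ex)}")
    down = set()
    for ifname in interfaces:
        if ifname in sys_in:
            down.add(ifname)      # always shut down, even with default action NONE
        elif ifname in sys_ex:
            continue              # DRNI MAD DOWN never takes effect here
        elif ifname in usr_in:
            down.add(ifname)      # drni mad include interface
        elif ifname in usr_ex:
            continue              # drni mad exclude interface
        elif exclude_logical and ifname.lower().startswith(LOGICAL_PREFIXES):
            continue              # drni mad exclude logical-interfaces (lower precedence)
        elif default_action == "down":
            down.add(ifname)      # drni mad default-action down
    return down

def required_but_down(down, required_up):
    """Interfaces the guide says must stay up (keepalive, DR/IPP VLAN interfaces) that would go down."""
    return set(required_up) & set(down)

# Constructed inventory for one secondary DR member device.
INVENTORY = [
    "HundredGigE1/0/1",        # member port of the DR interface
    "HundredGigE1/0/2",        # member port of the IPP aggregate
    "HundredGigE1/0/3",        # keepalive link
    "HundredGigE1/0/4",        # uplink
    "Bridge-Aggregation1",     # IPP
    "Bridge-Aggregation10",    # DR interface
    "Vlan-interface100",       # VLAN interface of the DR interface's VLAN
    "LoopBack0",
    "M-GigabitEthernet0/0/0",  # management interface
]
SYSTEM_INCLUDED = {"HundredGigE1/0/1"}
SYSTEM_EXCLUDED = {"HundredGigE1/0/2", "Bridge-Aggregation1",
                   "Bridge-Aggregation10", "M-GigabitEthernet0/0/0"}
REQUIRED_UP = {"HundredGigE1/0/3", "Vlan-interface100"}

if __name__ == "__main__":
    down = mad_shutdown_set(INVENTORY, system_included=SYSTEM_INCLUDED,
                            system_excluded=SYSTEM_EXCLUDED)
    print("shut down at split:", sorted(down))
    print("must be excluded first:", sorted(required_but_down(down, REQUIRED_UP)))
```
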

Enabling DRNI MAD DOWN state persistence


About this task
DRNI MAD DOWN state persistence helps avoid the multi-active situation by preventing the
secondary DR member device from bringing up the network interfaces in DRNI MAD DOWN state.
For more information about this feature, see "DRNI MAD DOWN state persistence" and "Failure
handling mechanism with DRNI MAD DOWN state persistence."
You can bring up the interfaces in DRNI MAD DOWN state on the secondary DR member device for
it to forward traffic if the following conditions exist:
• The primary DR member device fails while the IPL is down.
• The DRNI MAD DOWN state persists on the secondary DR member device.
Software version and feature compatibility
The feature is supported only in Release 6616 and later.
Procedure
1. Enter system view.
system-view
2. Enable DRNI MAD DOWN state persistence.
drni mad persistent
By default, the secondary DR member device brings up interfaces in DRNI MAD DOWN state
when its role changes to primary.
3. (Optional.) Bring up the interfaces in DRNI MAD DOWN state.
drni mad restore
Execute this command only when both the IPL and the keepalive link are down.

Configuring a DR interface
About this task
If a DR group contains only one DR interface, that interface is called a single-homed DR interface. By
default, DRNI does not allow access through single-homed DR interfaces, which means DRNI MAD
shuts down a DR interface if it is the only member in its DR group.
To ensure traffic forwarding for a device single-homed to a DR interface, allow the DR interface to be
the single member in its DR group. DRNI MAD will not shut down the single-homed DR interface,
and the device will not perform configuration consistency check on the interface.

Restrictions and guidelines
The device can have multiple DR interfaces. However, you can assign a Layer 2 aggregate interface
to only one DR group.
A Layer 2 aggregate interface cannot operate as both IPP and DR interface.
To improve forwarding efficiency, exclude the DR interface on the secondary DR member device
from the shutdown action by DRNI MAD. This action enables the DR interface to forward traffic
immediately after a multi-active collision is removed without having to wait for the secondary DR
member device to complete entry restoration.
To use resilient load sharing on a DR interface, you must configure the resilient load sharing mode
before you assign member ports to the DR interface.
If a DR interface or its peer DR interface already has member ports, use the following procedure to
configure the resilient load sharing mode on that DR interface:
1. Delete the DR interface.
2. Recreate the DR interface.
3. Configure the resilient load sharing mode.
4. Assign member ports to the DR interface.
For more information about the resilient load sharing mode, see "Configuring Ethernet link
aggregation."
To change the allow-single-member setting for a single-homed DR interface, first execute the
undo port drni group command to remove it from its DR group.
To prevent loops when you assign a single-homed aggregate interface to a DR group, use the
following procedure:
1. Assign the aggregate interface to the DR group.
2. Assign ports to the aggregation group of the aggregate interface.
When you remove a single-homed DR interface from its DR group, use the following procedure:
1. Remove the member ports from the aggregation group of the DR interface.
2. Remove the DR interface from the DR group.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Assign the aggregate interface to a DR group.
port drni group group-id [ allow-single-member ]
As a best practice, specify the allow-single-member keyword for a dynamic aggregate
interface.
The allow-single-member keyword is supported in Release 6635 and later.

Specifying a Layer 2 aggregate interface or VXLAN tunnel interface as the IPP
Restrictions and guidelines
A DR member device can have only one IPP. A Layer 2 aggregate interface or VXLAN tunnel
interface cannot operate as both IPP and DR interface.

Do not associate a VXLAN tunnel interface with a VXLAN if you use it as the IPP. You can use a
VXLAN tunnel interface as an IPP only in an EVPN network. For more information about EVPN, see
EVPN Configuration Guide.
If you specify an aggregate interface as an IPP, the device assigns the aggregate interface as a trunk
port to all VLANs when the interface uses the default VLAN settings. If not, the device does not
change the VLAN settings of the interface.
To ensure correct Layer 3 forwarding over the IPL, you must use the undo mac-address static
source-check enable command to disable static source check on the Layer 2 aggregate
interface assigned the IPP role.
The device does not change the VLAN settings of an aggregate interface when you remove its IPP
role.
Do not use the MAC address of a remote MEP for CFD tests on IPPs. These tests cannot work on
IPPs. For more information about CFD, see High Availability Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
  ◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
  ◦ Enter VXLAN tunnel interface view.
interface tunnel number
3. Specify the interface as the IPP.
port drni intra-portal-port port-id

Enabling the IPP to retain MAC address entries for down single-homed devices
About this task
When a DR member device detects that the link to a single-homed device goes down, the IPP takes
the following actions:
• Deletes the MAC address entries for the single-homed device.
• Sends a message to the peer IPP for it to delete the affected MAC address entries.
If the link to a single-homed device flaps constantly, the IPP repeatedly deletes and adds MAC
address entries for the device. This situation increases floods of unicast traffic destined for the
single-homed device.
To reduce flood traffic, enable the IPP to retain MAC address entries for single-homed devices. After
the links to single-homed devices go down, the affected MAC address entries age out on expiration
of the MAC aging timer instead of being deleted immediately. The timer is set by using the
mac-address timer command. For more information about this command, see MAC address
table commands in Layer 2—LAN Switching Command Reference.
Software version and feature compatibility
The feature is supported only in Release 6616 and later.
Procedure
1. Enter system view.
system-view

2. Enable the IPP to retain MAC address entries for single-homed devices.
drni ipp mac-address hold
By default, the IPP does not retain MAC address entries for single-homed devices when the
devices go down.

Assigning a DRNI virtual IP address to an interface
About this task
DRNI virtual IP addresses allow devices to communicate with the DR system by using dynamic
routing protocols.
To ensure correct traffic forwarding, assign DRNI virtual IP addresses to the following interfaces on
the DR system:
• VLAN interfaces that act as dual-active gateways for the same VLAN.
• Loopback interfaces that offer AAA and 802.1X authentication services. For more information,
see AAA configuration in Security Configuration Guide.
• VSI interfaces that act as distributed EVPN gateways. For more information, see EVPN VXLAN
configuration in EVPN Configuration Guide.
When both DR member devices act as gateways for dual-homed user-side devices, the gateway
interfaces (VLAN or VSI interfaces) on the DR member devices use the same IP address and MAC
address. In this scenario, the DR member devices cannot set up neighbor relationships with the
user-side devices. To resolve this issue, assign virtual IP addresses to the gateway interfaces and
configure routing protocols such as BGP, OSPF, and OSPFv3 to use the virtual IP addresses for
neighbor relationship setup.
When dual-active gateways exist on the DR system, you must assign unique virtual IP addresses to
the gateway interfaces on the DR member devices and configure both virtual IP addresses to be
active. When you assign a virtual MAC address to a VLAN interface, make sure the virtual MAC
address is identical to the MAC address assigned to the VLAN interface by using the mac-address
command.
Restrictions and guidelines
The feature is supported only in Release 6635 and later.
When you assign multiple DRNI virtual IP addresses to an interface, follow these restrictions and
guidelines:
• You can assign a maximum of two virtual IPv4 or IPv6 addresses to an interface.
• If you configure different virtual MAC addresses for a virtual IPv4 or IPv6 address, the most
recent configuration takes effect.
• You cannot configure the same virtual MAC address for multiple virtual IPv4 or IPv6 addresses.
• When you assign a virtual IPv4 or IPv6 address to VLAN interfaces, you must configure the
same virtual MAC address for the virtual IPv4 or IPv6 address on both DR member devices.
If you assign both virtual IPv4 and IPv6 addresses to VLAN interfaces, make sure the virtual IPv4
and IPv6 addresses that use the same virtual MAC address are in the same state on the DR member
devices.
Assigning DRNI virtual IP addresses to a VLAN interface
1. Enter system view.
system-view
2. Enter VLAN interface view.

interface vlan-interface interface-number
3. Assign a virtual IPv4 address to the VLAN interface.
port drni virtual-ip ipv4-address { mask-length | mask } [ active |
standby ] virtual-mac mac-address
By default, no virtual IPv4 addresses are assigned to interfaces.
4. Assign a virtual IPv6 address to the VLAN interface.
port drni ipv6 virtual-ip ipv6-address { prefix-length [ active |
standby ] [ virtual-mac mac-address ] | link-local }
By default, no virtual IPv6 addresses are assigned to interfaces.
Assigning DRNI virtual IP addresses to a loopback interface
1. Enter system view.
system-view
2. Enter loopback interface view.
interface loopback interface-number
3. Assign a virtual IPv4 address to the loopback interface.
port drni virtual-ip ipv4-address { mask-length | mask } [ active |
standby ]
By default, no virtual IPv4 addresses are assigned to interfaces.
4. Assign a virtual IPv6 address to the loopback interface.
port drni ipv6 virtual-ip ipv6-address { prefix-length [ active |
standby ] | link-local }
By default, no virtual IPv6 addresses are assigned to interfaces.
Assigning DRNI virtual IP addresses to a VSI interface
1. Enter system view.
system-view
2. Enter VSI interface view.
interface vsi-interface interface-number
3. Assign a virtual IPv4 address to the VSI interface.
port drni virtual-ip ipv4-address { mask-length | mask } [ active |
standby ]
By default, no virtual IPv4 addresses are assigned to interfaces.
4. Assign a virtual IPv6 address to the VSI interface.
port drni ipv6 virtual-ip ipv6-address { prefix-length [ active |
standby ] | link-local }
By default, no virtual IPv6 addresses are assigned to interfaces.

Setting the mode of configuration consistency check
About this task
The device handles configuration inconsistency depending on the mode of configuration consistency
check.
• For type 1 configuration inconsistency:
◦ The device generates log messages if loose mode is enabled.
◦ The device shuts down DR interfaces and generates log messages if strict mode is enabled.
• For type 2 configuration inconsistency, the device only generates log messages, whether strict
or loose mode is enabled.
Procedure
1. Enter system view.
system-view
2. Set the mode of configuration consistency check.
drni consistency-check mode { loose | strict }
By default, configuration consistency check uses strict mode.

Disabling configuration consistency check


About this task
To ensure that the DR system can operate correctly, DRNI by default performs configuration
consistency check when the DR system is set up.
Configuration consistency check might fail when you upgrade the DR member devices in a DR
system. To prevent the DR system from falsely shutting down DR interfaces, you can temporarily
disable configuration consistency check.
Restrictions and guidelines
Make sure the DR member devices use the same setting for configuration consistency check.
Procedure
1. Enter system view.
system-view
2. Disable configuration consistency check.
drni consistency-check disable
By default, configuration consistency check is enabled.

Enabling the short DRCP timeout timer on the IPP or a DR interface
About this task
By default, the IPP or a DR interface uses the 90-second long DRCP timeout timer. To detect peer
interface down events more quickly, enable the 3-second short DRCP timeout timer on the interface.
Restrictions and guidelines
To avoid traffic interruption during an ISSU or DRNI process restart, disable the short DRCP timeout
timer before you perform an ISSU or DRNI process restart. For more information about ISSU, see
Fundamentals Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
◦ Enter VXLAN tunnel interface view.
interface tunnel number
3. Enable the short DRCP timeout timer.
drni drcp period short
By default, an interface uses the long DRCP timeout timer (90 seconds).

Setting the keepalive hold timer for identifying the cause of IPL down events
About this task
The keepalive hold timer starts when the IPL goes down. The keepalive hold timer specifies the
amount of time that the device uses to identify the cause of an IPL down event.
• If the device receives keepalive packets from the DR peer before the timer expires, the IPL is
down because the IPL fails.
• If the device does not receive keepalive packets from the DR peer before the timer expires, the
IPL is down because the peer DR member device fails.
Restrictions and guidelines
For the DR member device to correctly determine the cause of an IPL down event, make sure the
keepalive hold timer is longer than the keepalive interval and is shorter than the keepalive timeout
timer.
If you use DRNI and VRRP together, make sure the keepalive hold timer is shorter than the interval
at which the VRRP master sends VRRP advertisements. Violation of this restriction might cause a
VRRP master/backup switchover to occur before IPL failure is confirmed. To set the interval at which
the VRRP master sends VRRP advertisements, use the vrrp vrid timer advertise
command. For more information about this command, see High Availability Command Reference.
Procedure
1. Enter system view.
system-view
2. Set the keepalive hold timer.
drni keepalive hold-time value
By default, the keepalive hold timer is 3 seconds.
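The following Python sketch is an added example, not H3C code. It parses keepalive parameter lines in the format that display drni keepalive prints in this guide, checks the hold timer against the guidelines above, and models the cause rule to show why a hold timer shorter than the keepalive interval reports a healthy peer as failed. The sample output is constructed, and the function names and the millisecond VRRP parameter are assumptions of this example.

```python
import re

# Constructed sample, modeled on the "Distributed relay keepalive parameters"
# lines that `display drni keepalive` prints in this guide.
SAMPLE_OUTPUT = """\
Distributed relay keepalive parameters:
Destination IP address: 1.1.1.1
Source IP address: 1.1.1.2
Keepalive UDP port : 6400
Keepalive VPN name : N/A
Keepalive interval : 1000 ms
Keepalive timeout : 5 sec
Keepalive hold time: 3 sec
"""

UNIT_TO_MS = {"ms": 1, "sec": 1000, "s": 1000}
FIELD = re.compile(
    r"^\s*Keepalive (interval|timeout|hold time)\s*:\s*(\d+)\s*(ms|sec|s)\s*$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_keepalive_timers(text):
    """Return the three keepalive timers in milliseconds."""
    timers = {}
    for name, value, unit in FIELD.findall(text):
        timers[name.lower()] = int(value) * UNIT_TO_MS[unit.lower()]
    missing = {"interval", "timeout", "hold time"} - timers.keys()
    if missing:
        raise ValueError("missing fields: " + ", ".join(sorted(missing)))
    return timers


def check_hold_timer(timers, vrrp_advertise_ms=None):
    """Return the violated guidelines; an empty list means compliant.

    vrrp_advertise_ms is the VRRP advertisement interval, supplied by the
    caller in milliseconds (only relevant when DRNI and VRRP are combined).
    """
    hold = timers["hold time"]
    problems = []
    if hold <= timers["interval"]:
        problems.append("hold timer is not longer than the keepalive interval")
    if hold >= timers["timeout"]:
        problems.append("hold timer is not shorter than the keepalive timeout timer")
    if vrrp_advertise_ms is not None and hold >= vrrp_advertise_ms:
        problems.append("hold timer is not shorter than the VRRP advertisement interval")
    return problems


def classify_ipl_down(ipl_down_ms, keepalive_rx_ms, hold_ms):
    """Apply the hold timer rule to keepalive arrival times (milliseconds).

    A keepalive received before the hold timer expires means the IPL itself
    failed; no keepalive in that window means the peer device failed.
    """
    deadline = ipl_down_ms + hold_ms
    if any(ipl_down_ms < t < deadline for t in keepalive_rx_ms):
        return "IPL failure"
    return "peer device failure"


if __name__ == "__main__":
    timers = parse_keepalive_timers(SAMPLE_OUTPUT)
    print(timers, check_hold_timer(timers, vrrp_advertise_ms=1000))
    # A live peer sends every 1000 ms; its next keepalive arrives 800 ms
    # after the IPL goes down. A 500 ms hold timer expires before that.
    arrivals = [800, 1800, 2800]
    print(classify_ipl_down(0, arrivals, 3000))
    print(classify_ipl_down(0, arrivals, 500))
```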

Configuring DR system auto-recovery


About this task
If only one DR member device recovers after the entire DR system reboots, auto-recovery enables
that member device to remove its DR interfaces from the DRNI DOWN interface list.
• If that member device has up DR interfaces, it takes over the primary role when the reload delay
timer expires and forwards traffic.
• If that member device does not have up DR interfaces, it is stuck in the None role and does not
forward traffic.
If auto-recovery is disabled, that DR member device will be stuck in the None role with all its DR
interfaces being DRNI DOWN after it recovers.

Restrictions and guidelines
If both DR member devices recover and have up DR interfaces after the entire DR system reboots, an
active-active situation might occur if both the IPL and the keepalive link are down when the reload
delay timer expires. If this rare situation occurs, examine the IPL and keepalive links and restore them.
To avoid incorrect role preemption, make sure the reload delay timer is longer than the amount of
time required for the device to restart.
Procedure
1. Enter system view.
system-view
2. Configure DR system auto-recovery.
drni auto-recovery reload-delay delay-value
By default, DR system auto-recovery is not configured. The reload delay timer is not set.

Setting the data restoration interval


About this task
The data restoration interval specifies the maximum amount of time for the secondary DR member
device to synchronize data with the primary DR member device during DR system setup. Within the
data restoration interval, the secondary DR member device sets all network interfaces to DRNI MAD
DOWN state, except for interfaces excluded from the shutdown action by DRNI MAD.
When the data restoration interval expires, the secondary DR member device brings up all network
interfaces.
Restrictions and guidelines
Make sure the data restoration interval is long enough for the device to reboot and restore forwarding
entries after failure occurs.
Adjust the data restoration interval based on the size of forwarding tables. If the DR member devices
have small forwarding tables, reduce this interval. If the forwarding tables are large, increase this
interval. Typically, set the data restoration interval to 300 seconds.
Increase the data restoration interval as needed for the following purposes:
• Avoid packet loss and forwarding failure that might occur when the amount of data is large or
when you perform an ISSU between the DR member devices.
• Avoid DR interface flapping that might occur if type 1 configuration consistency check fails after
the DR interfaces come up upon expiration of the data restoration interval.
Procedure
1. Enter system view.
system-view
2. Set the data restoration interval.
drni restore-delay value
By default, the data restoration interval is 30 seconds.

Enabling DRNI sequence number check


Restrictions and guidelines
As a best practice to improve security, use DRNI sequence number check together with DRNI packet
authentication.

After one DR member device reboots, the other DR member device might receive and accept the
packets that were intercepted by an attacker before the reboot. As a best practice, change the
authentication key after a DR member device reboots.
Procedure
1. Enter system view.
system-view
2. Enable DRNI sequence number check.
drni sequence enable
By default, DRNI sequence number check is disabled.

Enabling DRNI packet authentication


Restrictions and guidelines
For successful authentication, configure the same authentication key for the DR member devices.
Procedure
1. Enter system view.
system-view
2. Enable DRNI packet authentication and configure an authentication key.
drni authentication key { simple | cipher } string
By default, DRNI packet authentication is disabled.
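The reasoning behind the sequence number check and packet authentication guidelines above, as a simplified Python model added here (not H3C code and not the DRNI packet format). The packet layout, the HMAC-SHA256 tag, the constructed keys, and the assumption that the receiver restarts sequence tracking when its peer reboots are all choices of this example.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 tag length; the tag algorithm is this model's choice


def build_packet(key, seq, payload):
    """Model packet: 4-byte sequence number + payload + HMAC over both."""
    body = struct.pack("!I", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


class Receiver:
    """The receiving DR member device in the model."""

    def __init__(self, key, authenticate, seq_check):
        self.key = key
        self.authenticate = authenticate
        self.seq_check = seq_check
        self.last_seq = 0

    def peer_rebooted(self):
        # Assumption: sequence tracking starts over when the peer reboots,
        # because the rebooted peer numbers its packets from the beginning.
        self.last_seq = 0

    def accept(self, packet):
        if len(packet) < 4 + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if self.authenticate:
            expected = hmac.new(self.key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                return False
        (seq,) = struct.unpack("!I", body[:4])
        if self.seq_check:
            if seq <= self.last_seq:
                return False
            self.last_seq = seq
        return True


def run_scenarios():
    """Return whether an old, previously seen packet is accepted in each setup."""
    old_key, new_key = b"constructed-key-1", b"constructed-key-2"
    results = {}
    # A genuine packet that was on the wire before the reboot.
    captured = build_packet(old_key, 500, b"constructed-payload")

    # Authentication only: the tag still verifies, so a second copy passes.
    rx = Receiver(old_key, authenticate=True, seq_check=False)
    rx.accept(captured)
    results["auth_only_replay"] = rx.accept(captured)

    # Authentication plus sequence check: the second copy is rejected.
    rx = Receiver(old_key, authenticate=True, seq_check=True)
    rx.accept(captured)
    results["both_replay"] = rx.accept(captured)

    # Peer reboots and the key is unchanged: tracking restarts at a low
    # number, so the pre-reboot packet (sequence 500) looks new again.
    rx.peer_rebooted()
    rx.accept(build_packet(old_key, 1, b"constructed-payload"))
    results["reboot_same_key_replay"] = rx.accept(captured)

    # Peer reboots and the key is changed on both devices: the pre-reboot
    # packet fails authentication before the sequence number is examined.
    rx = Receiver(new_key, authenticate=True, seq_check=True)
    rx.accept(build_packet(new_key, 1, b"constructed-payload"))
    results["reboot_new_key_replay"] = rx.accept(captured)
    return results


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```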

Displaying and maintaining DRNI


IMPORTANT:
The following commands are supported only in Release 6616 and later:
• display drni troubleshooting [ dr | ipp | keepalive ] [ history ] [ count ]
• reset drni troubleshooting history

Execute display commands in any view and reset commands in user view.

Task                                                                         Command
Display information about the configuration consistency check done by DRNI.  display drni consistency { type1 | type2 } { global | interface interface-type interface-number }
Display the configuration consistency check status.                          display drni consistency-check status
Display DRCPDU statistics.                                                   display drni drcp statistics [ interface interface-type interface-number ]
Display DR keepalive packet statistics.                                      display drni keepalive
Display detailed DRNI MAD information.                                       display drni mad verbose
Display DR role information.                                                 display drni role
Display brief information about the IPP and DR interfaces.                   display drni summary
Display the DR system settings.                                              display drni system
Display DRNI troubleshooting information.                                    display drni troubleshooting [ dr | ipp | keepalive ] [ history ] [ count ]
Display detailed information about the IPP and DR interfaces.                display drni verbose [ interface bridge-aggregation interface-number ]
Display DRNI virtual IP addresses.                                           display drni virtual-ip [ interface interface-type interface-number ]
Clear DRCPDU statistics.                                                     reset drni drcp statistics [ interface interface-list ]
Clear DRNI troubleshooting records.                                          reset drni troubleshooting history

DRNI configuration examples


Example: Configuring basic DRNI functions
Network configuration
As shown in Figure 11, configure DRNI on Device A and Device B to establish a multichassis
aggregate link with Device C.
Figure 11 Network diagram
[Diagram: Device A (DR 1) and Device B (DR 2) form a DR system. The IPL uses WGE1/0/1 and WGE1/0/2 on each DR member device, and the keepalive link connects WGE1/0/5 on both. Device C aggregates WGE1/0/1 through WGE1/0/4 (BAGG) toward WGE1/0/3 and WGE1/0/4 of Device A and Device B.]

Procedure

1. Configure Device A:
# Configure DR system settings.
<DeviceA> system-view
[DeviceA] drni system-mac 1-1-1
[DeviceA] drni system-number 1
[DeviceA] drni system-priority 123
# Configure DR keepalive packet parameters.

[DeviceA] drni keepalive ip destination 1.1.1.1 source 1.1.1.2
# Set the link mode of Twenty-FiveGigE 1/0/5 to Layer 3, and assign the interface an IP address.
The IP address will be used as the source IP address of keepalive packets.
[DeviceA] interface twenty-fivegige 1/0/5
[DeviceA-Twenty-FiveGigE1/0/5] port link-mode route
[DeviceA-Twenty-FiveGigE1/0/5] ip address 1.1.1.2 24
[DeviceA-Twenty-FiveGigE1/0/5] quit
# Exclude the interface used for DR keepalive detection (Twenty-FiveGigE 1/0/5) from the
shutdown action by DRNI MAD.
[DeviceA] drni mad exclude interface twenty-fivegige 1/0/5
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 3.
[DeviceA] interface bridge-aggregation 3
[DeviceA-Bridge-Aggregation3] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation3] quit
# Assign Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 to aggregation group 3.
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port link-aggregation group 3
[DeviceA-Twenty-FiveGigE1/0/1] quit
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] port link-aggregation group 3
[DeviceA-Twenty-FiveGigE1/0/2] quit
# Specify Bridge-Aggregation 3 as the IPP.
[DeviceA] interface bridge-aggregation 3
[DeviceA-Bridge-Aggregation3] port drni intra-portal-port 1
[DeviceA-Bridge-Aggregation3] undo mac-address static source-check enable
[DeviceA-Bridge-Aggregation3] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 4.
[DeviceA] interface bridge-aggregation 4
[DeviceA-Bridge-Aggregation4] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation4] quit
# Assign Twenty-FiveGigE 1/0/3 and Twenty-FiveGigE 1/0/4 to aggregation group 4.
[DeviceA] interface twenty-fivegige 1/0/3
[DeviceA-Twenty-FiveGigE1/0/3] port link-aggregation group 4
[DeviceA-Twenty-FiveGigE1/0/3] quit
[DeviceA] interface twenty-fivegige 1/0/4
[DeviceA-Twenty-FiveGigE1/0/4] port link-aggregation group 4
[DeviceA-Twenty-FiveGigE1/0/4] quit
# Assign Bridge-Aggregation 4 to DR group 4.
[DeviceA] interface bridge-aggregation 4
[DeviceA-Bridge-Aggregation4] port drni group 4
[DeviceA-Bridge-Aggregation4] quit
2. Configure Device B:
# Configure DR system settings.
<DeviceB> system-view
[DeviceB] drni system-mac 1-1-1
[DeviceB] drni system-number 2
[DeviceB] drni system-priority 123
# Configure DR keepalive packet parameters.

[DeviceB] drni keepalive ip destination 1.1.1.2 source 1.1.1.1
# Set the link mode of Twenty-FiveGigE 1/0/5 to Layer 3, and assign the interface an IP address.
The IP address will be used as the source IP address of keepalive packets.
[DeviceB] interface twenty-fivegige 1/0/5
[DeviceB-Twenty-FiveGigE1/0/5] port link-mode route
[DeviceB-Twenty-FiveGigE1/0/5] ip address 1.1.1.1 24
[DeviceB-Twenty-FiveGigE1/0/5] quit
# Exclude the interface used for DR keepalive detection (Twenty-FiveGigE 1/0/5) from the
shutdown action by DRNI MAD.
[DeviceB] drni mad exclude interface twenty-fivegige 1/0/5
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 3.
[DeviceB] interface bridge-aggregation 3
[DeviceB-Bridge-Aggregation3] link-aggregation mode dynamic
[DeviceB-Bridge-Aggregation3] quit
# Assign Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 to aggregation group 3.
[DeviceB] interface twenty-fivegige 1/0/1
[DeviceB-Twenty-FiveGigE1/0/1] port link-aggregation group 3
[DeviceB-Twenty-FiveGigE1/0/1] quit
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] port link-aggregation group 3
[DeviceB-Twenty-FiveGigE1/0/2] quit
# Specify Bridge-Aggregation 3 as the IPP.
[DeviceB] interface bridge-aggregation 3
[DeviceB-Bridge-Aggregation3] port drni intra-portal-port 1
[DeviceB-Bridge-Aggregation3] undo mac-address static source-check enable
[DeviceB-Bridge-Aggregation3] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 4.
[DeviceB] interface bridge-aggregation 4
[DeviceB-Bridge-Aggregation4] link-aggregation mode dynamic
[DeviceB-Bridge-Aggregation4] quit
# Assign Twenty-FiveGigE 1/0/3 and Twenty-FiveGigE 1/0/4 to aggregation group 4.
[DeviceB] interface twenty-fivegige 1/0/3
[DeviceB-Twenty-FiveGigE1/0/3] port link-aggregation group 4
[DeviceB-Twenty-FiveGigE1/0/3] quit
[DeviceB] interface twenty-fivegige 1/0/4
[DeviceB-Twenty-FiveGigE1/0/4] port link-aggregation group 4
[DeviceB-Twenty-FiveGigE1/0/4] quit
# Assign Bridge-Aggregation 4 to DR group 4.
[DeviceB] interface bridge-aggregation 4
[DeviceB-Bridge-Aggregation4] port drni group 4
[DeviceB-Bridge-Aggregation4] quit
3. Configure Device C:
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 4.
<DeviceC> system-view
[DeviceC] interface bridge-aggregation 4
[DeviceC-Bridge-Aggregation4] link-aggregation mode dynamic
[DeviceC-Bridge-Aggregation4] quit
# Assign Twenty-FiveGigE 1/0/1 through Twenty-FiveGigE 1/0/4 to aggregation group 4.

[DeviceC] interface range twenty-fivegige 1/0/1 to twenty-fivegige 1/0/4
[DeviceC-if-range] port link-aggregation group 4
[DeviceC-if-range] quit
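The two DR member device configurations above must agree with each other in specific ways. The following Python audit is an added example, not H3C tooling: it reads pasted CLI sessions in the style used in this guide and reports where the pair disagrees on the DR system settings, the keepalive addressing, the consistency check setting, and the sequence check and authentication pairing. The session excerpts, including the drifted Device B, are constructed, and the function names are assumptions of this example.

```python
import re

PROMPT = re.compile(r"^\s*(?:\[[^\]]+\]|<[^>]+>)\s*")  # [DeviceA] or <DeviceA>

# Constructed excerpts that follow the Device A and Device B steps above.
GOOD_A = """\
<DeviceA> system-view
[DeviceA] drni system-mac 1-1-1
[DeviceA] drni system-number 1
[DeviceA] drni system-priority 123
[DeviceA] drni keepalive ip destination 1.1.1.1 source 1.1.1.2
"""
GOOD_B = """\
<DeviceB> system-view
[DeviceB] drni system-mac 1-1-1
[DeviceB] drni system-number 2
[DeviceB] drni system-priority 123
[DeviceB] drni keepalive ip destination 1.1.1.2 source 1.1.1.1
"""
# Constructed drift: copied from Device A without adjusting per-device values.
DRIFTED_B = """\
[DeviceB] drni system-mac 1-1-1
[DeviceB] drni system-number 1
[DeviceB] drni system-priority 123
[DeviceB] drni keepalive ip destination 1.1.1.1 source 1.1.1.2
[DeviceB] drni consistency-check disable
[DeviceB] drni sequence enable
"""


def parse_drni(session):
    """Extract global DRNI settings from a pasted CLI session."""
    # Defaults stated in the guide: check enabled, strict mode,
    # sequence number check and packet authentication disabled.
    cfg = {"cc_mode": "strict", "cc_disabled": False,
           "sequence": False, "auth": False}
    for raw in session.splitlines():
        line = PROMPT.sub("", raw).strip()
        if m := re.fullmatch(r"drni system-(mac|number|priority) (\S+)", line):
            cfg["system-" + m[1]] = m[2].lower()
        elif m := re.fullmatch(r"drni keepalive ip destination (\S+) source (\S+)", line):
            cfg["ka_dst"], cfg["ka_src"] = m[1], m[2]
        elif m := re.fullmatch(r"drni consistency-check mode (loose|strict)", line):
            cfg["cc_mode"] = m[1]
        elif line == "drni consistency-check disable":
            cfg["cc_disabled"] = True
        elif line == "drni sequence enable":
            cfg["sequence"] = True
        elif re.fullmatch(r"drni authentication key (simple|cipher) \S+", line):
            cfg["auth"] = True
    return cfg


def audit_pair(a, b):
    """Compare two parsed DR member configurations; return a list of findings."""
    findings = []
    for key in ("system-mac", "system-priority"):
        if a.get(key) != b.get(key):
            findings.append(f"{key} differs: {a.get(key)} vs {b.get(key)}")
    if a.get("system-number") == b.get("system-number"):
        findings.append("system-number is not unique")
    if (a.get("ka_dst"), a.get("ka_src")) != (b.get("ka_src"), b.get("ka_dst")):
        findings.append("keepalive source/destination are not mirrored")
    if (a["cc_disabled"], a["cc_mode"]) != (b["cc_disabled"], b["cc_mode"]):
        findings.append("consistency-check setting differs")
    elif a["cc_disabled"]:
        findings.append("consistency check is disabled on both devices")
    if a["auth"] != b["auth"]:
        findings.append("packet authentication is enabled on only one device")
    for name, dev in (("device A", a), ("device B", b)):
        if dev["sequence"] and not dev["auth"]:
            findings.append(f"{name}: sequence check without packet authentication")
    return findings


if __name__ == "__main__":
    print(audit_pair(parse_drni(GOOD_A), parse_drni(GOOD_B)))
    for finding in audit_pair(parse_drni(GOOD_A), parse_drni(DRIFTED_B)):
        print("FINDING:", finding)
```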

Verifying the configuration


# Verify that the keepalive link is working correctly on Device A.
[DeviceA] display drni keepalive
Neighbor keepalive link status: Up
Neighbor is alive for: 104 s, 16 ms
Keepalive packet transmission status:
Sent: Successful
Received: Successful
Last received keepalive packet information:
Source IP address: 1.1.1.1
Time: 2019/09/11 09:21:51
Action: Accept

Distributed relay keepalive parameters:


Destination IP address: 1.1.1.1
Source IP address: 1.1.1.2
Keepalive UDP port : 6400
Keepalive VPN name : N/A
Keepalive interval : 1000 ms
Keepalive timeout : 5 sec
Keepalive hold time: 3 sec

# Verify that the IPP and the DR interface are working correctly on Device A.
[DeviceA] display drni summary
Flags: A -- Aggregate interface down, B -- No peer DR interface configured
C -- Configuration consistency check failed

IPP: BAGG3
IPP state (cause): UP
Keepalive link state (cause): UP

DR interface information
DR interface DR group Local state (cause) Peer state Remaining down time(s)
BAGG4 4 UP UP -
[DeviceA] display drni verbose
Flags: A -- Home_Gateway, B -- Neighbor_Gateway, C -- Other_Gateway,
D -- IPP_Activity, E -- DRCP_Timeout, F -- Gateway_Sync,
G -- Port_Sync, H -- Expired
IPP/IPP ID: BAGG3/1
State: UP
Cause: -
Local DRCP flags/Peer DRCP flags: ABDFG/ABDFG
Local Selected ports (index): WGE1/0/1 (1), WGE1/0/2 (2)
Peer Selected ports indexes: 1, 2

DR interface/DR group ID: BAGG4/4

Local DR interface state: UP
Peer DR interface state: UP
DR group state: UP
Local DR interface down cause: -
Remaining DRNI DOWN time: -
Local DRCP flags/Peer DRCP flags: ABDFG/ABDFG
Local Selected ports (index): WGE1/0/3 (16387), WGE1/0/4 (16388)
Peer Selected ports indexes: 32771, 32772

# Verify that all member ports of aggregation group 4 are in Selected state on Device C, which
indicates a successful link aggregation between the DR system and Device C.
[DeviceC] display link-aggregation verbose bridge-aggregation 4
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Aggregate Interface: Bridge-Aggregation4
Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, 2e56-cbae-0600
Local:
Port Status Priority Index Oper-Key Flag
WGE1/0/1(R) S 32768 1 1 {ACDEF}
WGE1/0/2 S 32768 2 1 {ACDEF}
WGE1/0/3 S 32768 3 1 {ACDEF}
WGE1/0/4 S 32768 4 1 {ACDEF}
Remote:
Actor Priority Index Oper-Key SystemID Flag
WGE1/0/1 32768 16387 40004 0x7b , 0001-0001-0001 {ACDEF}
WGE1/0/2 32768 16388 40004 0x7b , 0001-0001-0001 {ACDEF}
WGE1/0/3 32768 32771 40004 0x7b , 0001-0001-0001 {ACDEF}
WGE1/0/4 32768 32772 40004 0x7b , 0001-0001-0001 {ACDEF}

Example: Configuring Layer 3 gateways on a DR system


Network configuration
As shown in Figure 12:
• Configure Device A and Device B as a DR system to establish one multichassis aggregate link
with Device C and one with Device D.
• Set up a keepalive link between Twenty-FiveGigE 1/0/5 of Device A and Twenty-FiveGigE 1/0/5
of Device B, and exclude the interfaces from the shutdown action by DRNI MAD.
• Configure two VRRP groups on Device A and Device B to provide gateway services for VLAN
100 and VLAN 200. Configure Device A as the master of the VRRP groups.

Figure 12 Network diagram
[Diagram: Device A (master) and Device B (backup) form a DR system with IPL BAGG125 and a keepalive link between their WGE1/0/5 interfaces. Device C connects to the DR system through BAGG100 (Vlan-int100) and Device D through BAGG101 (Vlan-int101). Virtual router 1 uses virtual IP address 10.1.1.100/24 and virtual router 2 uses virtual IP address 20.1.1.100/24. Host A (10.1.1.4/24) is in VLAN 100 and Host B (20.1.1.4/24) is in VLAN 101.]

Procedure

1. Configure Device A:
# Configure DR system settings.
<DeviceA> system-view
[DeviceA] drni system-mac 1-1-1
[DeviceA] drni system-number 1
[DeviceA] drni system-priority 123
# Configure DR keepalive parameters.
[DeviceA] drni keepalive ip destination 1.1.1.2 source 1.1.1.1
# Set the link mode of Twenty-FiveGigE 1/0/5 to Layer 3, and assign the interface an IP address.
The IP address will be used as the source IP address of keepalive packets.
[DeviceA] interface twenty-fivegige 1/0/5
[DeviceA-Twenty-FiveGigE1/0/5] port link-mode route
[DeviceA-Twenty-FiveGigE1/0/5] ip address 1.1.1.1 24
[DeviceA-Twenty-FiveGigE1/0/5] quit
# Exclude the interface used for DR keepalive detection (Twenty-FiveGigE 1/0/5) from the
shutdown action by DRNI MAD.
[DeviceA] drni mad exclude interface twenty-fivegige 1/0/5
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 125.
[DeviceA] interface bridge-aggregation 125
[DeviceA-Bridge-Aggregation125] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation125] quit
# Assign Twenty-FiveGigE 1/0/3 and Twenty-FiveGigE 1/0/4 to aggregation group 125.
[DeviceA] interface twenty-fivegige 1/0/3
[DeviceA-Twenty-FiveGigE1/0/3] port link-aggregation group 125
[DeviceA-Twenty-FiveGigE1/0/3] quit
[DeviceA] interface Twenty-FiveGigE 1/0/4

[DeviceA-Twenty-FiveGigE1/0/4] port link-aggregation group 125
[DeviceA-Twenty-FiveGigE1/0/4] quit
# Specify Bridge-Aggregation 125 as the IPP.
[DeviceA] interface bridge-aggregation 125
[DeviceA-Bridge-Aggregation125] port drni intra-portal-port 1
[DeviceA-Bridge-Aggregation125] undo mac-address static source-check enable
[DeviceA-Bridge-Aggregation125] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 100, and assign it to DR
group 1.
[DeviceA] interface bridge-aggregation 100
[DeviceA-Bridge-Aggregation100] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation100] port drni group 1
[DeviceA-Bridge-Aggregation100] quit
# Assign Twenty-FiveGigE 1/0/1 to aggregation group 100.
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port link-aggregation group 100
[DeviceA-Twenty-FiveGigE1/0/1] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 101, and assign it to DR
group 2.
[DeviceA] interface bridge-aggregation 101
[DeviceA-Bridge-Aggregation101] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation101] port drni group 2
[DeviceA-Bridge-Aggregation101] quit
# Assign Twenty-FiveGigE 1/0/2 to aggregation group 101.
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] port link-aggregation group 101
[DeviceA-Twenty-FiveGigE1/0/2] quit
# Create VLAN 100 and VLAN 101.
[DeviceA] vlan 100
[DeviceA-vlan100] quit
[DeviceA] vlan 101
[DeviceA-vlan101] quit
# Set the link type of Bridge-Aggregation 100 to trunk, and assign it to VLAN 100.
[DeviceA] interface bridge-aggregation 100
[DeviceA-Bridge-Aggregation100] port link-type trunk
[DeviceA-Bridge-Aggregation100] port trunk permit vlan 100
[DeviceA-Bridge-Aggregation100] quit
# Set the link type of Bridge-Aggregation 101 to trunk, and assign it to VLAN 101.
[DeviceA] interface bridge-aggregation 101
[DeviceA-Bridge-Aggregation101] port link-type trunk
[DeviceA-Bridge-Aggregation101] port trunk permit vlan 101
[DeviceA-Bridge-Aggregation101] quit
# Set the link type of Bridge-Aggregation 125 to trunk, and assign it to VLAN 100 and VLAN
101.
[DeviceA] interface bridge-aggregation 125
[DeviceA-Bridge-Aggregation125] port link-type trunk
[DeviceA-Bridge-Aggregation125] port trunk permit vlan 100 101
[DeviceA-Bridge-Aggregation125] quit

# Create VLAN-interface 100 and VLAN-interface 101, and assign IP addresses to them.
[DeviceA] interface vlan-interface 100
[DeviceA-vlan-interface100] ip address 10.1.1.1 24
[DeviceA-vlan-interface100] quit
[DeviceA] interface vlan-interface 101
[DeviceA-vlan-interface101] ip address 20.1.1.1 24
[DeviceA-vlan-interface101] quit
# Exclude VLAN-interface 100 and VLAN-interface 101 from the shutdown action by DRNI
MAD.
[DeviceA] drni mad exclude interface vlan-interface 100
[DeviceA] drni mad exclude interface vlan-interface 101
# Configure OSPF.
[DeviceA] ospf
[DeviceA-ospf-1] import-route direct
[DeviceA-ospf-1] area 0
[DeviceA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] quit
[DeviceA-ospf-1] quit
# Create VRRP group 1 on VLAN-interface 100 and set its virtual IP address to 10.1.1.100.
[DeviceA] interface vlan-interface 100
[DeviceA-Vlan-interface100] vrrp vrid 1 virtual-ip 10.1.1.100
# Set the priority of Device A (primary DR member device) to 200 for it to become the master in
VRRP group 1.
[DeviceA-Vlan-interface100] vrrp vrid 1 priority 200
[DeviceA-Vlan-interface100] quit
# Create VRRP group 2 on VLAN-interface 101 and set its virtual IP address to 20.1.1.100.
[DeviceA] interface vlan-interface 101
[DeviceA-Vlan-interface101] vrrp vrid 2 virtual-ip 20.1.1.100
# Set the priority of Device A (primary DR member device) to 200 for it to become the master in
VRRP group 2.
[DeviceA-Vlan-interface101] vrrp vrid 2 priority 200
[DeviceA-Vlan-interface101] quit
2. Configure Device B:
# Configure DR system settings.
<DeviceB> system-view
[DeviceB] drni system-mac 1-1-1
[DeviceB] drni system-number 2
[DeviceB] drni system-priority 123
# Configure DR keepalive parameters.
[DeviceB] drni keepalive ip destination 1.1.1.1 source 1.1.1.2
# Set the link mode of Twenty-FiveGigE 1/0/5 to Layer 3, and assign the interface an IP address.
The IP address will be used as the source IP address of keepalive packets.
[DeviceB] interface twenty-fivegige 1/0/5
[DeviceB-Twenty-FiveGigE1/0/5] port link-mode route
[DeviceB-Twenty-FiveGigE1/0/5] ip address 1.1.1.2 24
[DeviceB-Twenty-FiveGigE1/0/5] quit

# Exclude the interface used for DR keepalive detection (Twenty-FiveGigE 1/0/5) from the
shutdown action by DRNI MAD.
[DeviceB] drni mad exclude interface twenty-fivegige 1/0/5
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 125.
[DeviceB] interface bridge-aggregation 125
[DeviceB-Bridge-Aggregation125] link-aggregation mode dynamic
[DeviceB-Bridge-Aggregation125] quit
# Assign Twenty-FiveGigE 1/0/3 and Twenty-FiveGigE 1/0/4 to aggregation group 125.
[DeviceB] interface twenty-fivegige 1/0/3
[DeviceB-Twenty-FiveGigE1/0/3] port link-aggregation group 125
[DeviceB-Twenty-FiveGigE1/0/3] quit
[DeviceB] interface twenty-fivegige 1/0/4
[DeviceB-Twenty-FiveGigE1/0/4] port link-aggregation group 125
[DeviceB-Twenty-FiveGigE1/0/4] quit
# Specify Bridge-Aggregation 125 as the IPP.
[DeviceB] interface bridge-aggregation 125
[DeviceB-Bridge-Aggregation125] port drni intra-portal-port 1
[DeviceB-Bridge-Aggregation125] undo mac-address static source-check enable
[DeviceB-Bridge-Aggregation125] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 100, and assign it to DR
group 1.
[DeviceB] interface bridge-aggregation 100
[DeviceB-Bridge-Aggregation100] link-aggregation mode dynamic
[DeviceB-Bridge-Aggregation100] port drni group 1
[DeviceB-Bridge-Aggregation100] quit
# Assign Twenty-FiveGigE 1/0/1 to aggregation group 100.
[DeviceB] interface twenty-fivegige 1/0/1
[DeviceB-Twenty-FiveGigE1/0/1] port link-aggregation group 100
[DeviceB-Twenty-FiveGigE1/0/1] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 101, and assign it to DR
group 2.
[DeviceB] interface bridge-aggregation 101
[DeviceB-Bridge-Aggregation101] link-aggregation mode dynamic
[DeviceB-Bridge-Aggregation101] port drni group 2
[DeviceB-Bridge-Aggregation101] quit
# Assign Twenty-FiveGigE 1/0/2 to aggregation group 101.
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] port link-aggregation group 101
[DeviceB-Twenty-FiveGigE1/0/2] quit
# Create VLAN 100 and VLAN 101.
[DeviceB] vlan 100
[DeviceB-vlan100] quit
[DeviceB] vlan 101
[DeviceB-vlan101] quit
# Set the link type of Bridge-Aggregation 100 to trunk, and assign it to VLAN 100.
[DeviceB] interface bridge-aggregation 100
[DeviceB-Bridge-Aggregation100] port link-type trunk
[DeviceB-Bridge-Aggregation100] port trunk permit vlan 100

[DeviceB-Bridge-Aggregation100] quit
# Set the link type of Bridge-Aggregation 101 to trunk, and assign it to VLAN 101.
[DeviceB] interface bridge-aggregation 101
[DeviceB-Bridge-Aggregation101] port link-type trunk
[DeviceB-Bridge-Aggregation101] port trunk permit vlan 101
[DeviceB-Bridge-Aggregation101] quit
# Set the link type of Bridge-Aggregation 125 to trunk, and assign it to VLAN 100 and VLAN
101.
[DeviceB] interface bridge-aggregation 125
[DeviceB-Bridge-Aggregation125] port link-type trunk
[DeviceB-Bridge-Aggregation125] port trunk permit vlan 100 101
[DeviceB-Bridge-Aggregation125] quit
# Create VLAN-interface 100 and VLAN-interface 101, and assign IP addresses to them.
[DeviceB] interface vlan-interface 100
[DeviceB-vlan-interface100] ip address 10.1.1.2 24
[DeviceB-vlan-interface100] quit
[DeviceB] interface vlan-interface 101
[DeviceB-vlan-interface101] ip address 20.1.1.2 24
[DeviceB-vlan-interface101] quit
# Exclude VLAN-interface 100 and VLAN-interface 101 from the shutdown action by DRNI
MAD.
[DeviceB] drni mad exclude interface vlan-interface 100
[DeviceB] drni mad exclude interface vlan-interface 101
# Configure OSPF.
[DeviceB] ospf
[DeviceB-ospf-1] import-route direct
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] quit
# Create VRRP group 1 on VLAN-interface 100 and set its virtual IP address to 10.1.1.100.
[DeviceB] interface vlan-interface 100
[DeviceB-Vlan-interface100] vrrp vrid 1 virtual-ip 10.1.1.100
[DeviceB-Vlan-interface100] quit
# Create VRRP group 2 on VLAN-interface 101 and set its virtual IP address to 20.1.1.100.
[DeviceB] interface vlan-interface 101
[DeviceB-Vlan-interface101] vrrp vrid 2 virtual-ip 20.1.1.100
[DeviceB-Vlan-interface101] quit
3. Configure Device C:
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 100.
<DeviceC> system-view
[DeviceC] interface bridge-aggregation 100
[DeviceC-Bridge-Aggregation100] link-aggregation mode dynamic
[DeviceC-Bridge-Aggregation100] quit
# Assign Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 to aggregation group 100.
[DeviceC] interface range twenty-fivegige 1/0/1 to twenty-fivegige 1/0/2
[DeviceC-if-range] port link-aggregation group 100

[DeviceC-if-range] quit
# Create VLAN 100.
[DeviceC] vlan 100
[DeviceC-vlan100] quit
# Set the link type of Bridge-Aggregation 100 to trunk, and assign it to VLAN 100.
[DeviceC] interface bridge-aggregation 100
[DeviceC-Bridge-Aggregation100] port link-type trunk
[DeviceC-Bridge-Aggregation100] port trunk permit vlan 100
[DeviceC-Bridge-Aggregation100] quit
# Set the link type of Twenty-FiveGigE 1/0/3 to trunk, and assign it to VLAN 100.
[DeviceC] interface twenty-fivegige 1/0/3
[DeviceC-Twenty-FiveGigE1/0/3] port link-type trunk
[DeviceC-Twenty-FiveGigE1/0/3] port trunk permit vlan 100
[DeviceC-Twenty-FiveGigE1/0/3] quit
# Create VLAN-interface 100, and assign it an IP address.
[DeviceC] interface vlan-interface 100
[DeviceC-vlan-interface100] ip address 10.1.1.3 24
[DeviceC-vlan-interface100] quit
# Configure OSPF.
[DeviceC] ospf
[DeviceC-ospf-1] import-route direct
[DeviceC-ospf-1] area 0
[DeviceC-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] quit
[DeviceC-ospf-1] quit
4. Configure Device D:
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 101.
<DeviceD> system-view
[DeviceD] interface bridge-aggregation 101
[DeviceD-Bridge-Aggregation101] link-aggregation mode dynamic
[DeviceD-Bridge-Aggregation101] quit
# Assign Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 to aggregation group 101.
[DeviceD] interface range twenty-fivegige 1/0/1 to twenty-fivegige 1/0/2
[DeviceD-if-range] port link-aggregation group 101
[DeviceD-if-range] quit
# Create VLAN 101.
[DeviceD] vlan 101
[DeviceD-vlan101] quit
# Set the link type of Bridge-Aggregation 101 to trunk, and assign it to VLAN 101.
[DeviceD] interface bridge-aggregation 101
[DeviceD-Bridge-Aggregation101] port link-type trunk
[DeviceD-Bridge-Aggregation101] port trunk permit vlan 101
[DeviceD-Bridge-Aggregation101] quit
# Set the link type of Twenty-FiveGigE 1/0/3 to trunk, and assign it to VLAN 101.
[DeviceD] interface twenty-fivegige 1/0/3
[DeviceD-Twenty-FiveGigE1/0/3] port link-type trunk
[DeviceD-Twenty-FiveGigE1/0/3] port trunk permit vlan 101
[DeviceD-Twenty-FiveGigE1/0/3] quit
# Create VLAN-interface 101, and assign it an IP address.
[DeviceD] interface vlan-interface 101
[DeviceD-vlan-interface101] ip address 20.1.1.3 24
[DeviceD-vlan-interface101] quit
# Configure OSPF.
[DeviceD] ospf
[DeviceD-ospf-1] import-route direct
[DeviceD-ospf-1] area 0
[DeviceD-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[DeviceD-ospf-1-area-0.0.0.0] quit
[DeviceD-ospf-1] quit

Verifying the configuration


# Verify that Device A has formed a DR system with Device B.
[DeviceA] display drni summary
Flags: A -- Aggregate interface down, B -- No peer DR interface configured
C -- Configuration consistency check failed

IPP: BAGG125
IPP state (cause): UP
Keepalive link state (cause): UP

DR interface information
DR interface DR group Local state (cause) Peer state Remaining down time(s)
BAGG100 1 UP UP -
BAGG101 2 UP UP -
[DeviceA] display drni verbose
Flags: A -- Home_Gateway, B -- Neighbor_Gateway, C -- Other_Gateway,
D -- IPP_Activity, E -- DRCP_Timeout, F -- Gateway_Sync,
G -- Port_Sync, H -- Expired

IPP/IPP ID: BAGG125/1


State: UP
Cause: -
Local DRCP flags/Peer DRCP flags: ABDFG/ABDFG
Local Selected ports (index): WGE1/0/3 (260), WGE1/0/4 (261)
Peer Selected ports indexes: 260, 261

DR interface/DR group ID: BAGG100/1


Local DR interface state: UP
Peer DR interface state: UP
DR group state: UP
Local DR interface down cause: -
Remaining DRNI DOWN time: -
Local DR interface LACP MAC: Config=N/A, Effective=0001-0001-0001
Peer DR interface LACP MAC: Config=N/A, Effective=0001-0001-0001
Local DR interface LACP priority: Config=32768, Effective=123
Peer DR interface LACP priority: Config=32768, Effective=123
Local DRCP flags/Peer DRCP flags: ABDFG/ABDFG
Local Selected ports (index): WGE1/0/1 (258)
Peer Selected ports indexes: 258

DR interface/DR group ID: BAGG101/2


Local DR interface state: UP
Peer DR interface state: UP
DR group state: UP
Local DR interface down cause: -
Remaining DRNI DOWN time: -
Local DR interface LACP MAC: Config=N/A, Effective=0001-0001-0001
Peer DR interface LACP MAC: Config=N/A, Effective=0001-0001-0001
Local DR interface LACP priority: Config=32768, Effective=123
Peer DR interface LACP priority: Config=32768, Effective=123
Local DRCP flags/Peer DRCP flags: ABDFG/ABDFG
Local Selected ports (index): WGE1/0/2 (259)
Peer Selected ports indexes: 259

# Verify that Device C and Device D have correctly set up aggregate links with the DR system.
[DeviceC] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation100


Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, a03b-0694-0300
Local:
Port Status Priority Index Oper-Key Flag
WGE1/0/1 S 32768 1 1 {ACDEF}
WGE1/0/2 S 32768 2 1 {ACDEF}
Remote:
Actor Priority Index Oper-Key SystemID Flag
WGE1/0/1(R) 32768 16386 40001 0x7b , 0001-0001-0001 {ACDEF}
WGE1/0/2 32768 32770 40001 0x7b , 0001-0001-0001 {ACDEF}
[DeviceD] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation101
Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, a03b-0d51-0400
Local:
Port Status Priority Index Oper-Key Flag
WGE1/0/1 S 32768 1 1 {ACDEF}
WGE1/0/2 S 32768 2 1 {ACDEF}
Remote:
Actor Priority Index Oper-Key SystemID Flag
WGE1/0/1(R) 32768 16387 40002 0x7b , 0001-0001-0001 {ACDEF}
WGE1/0/2 32768 32771 40002 0x7b , 0001-0001-0001 {ACDEF}

# Verify that Device A is the master in VRRP group 1 and VRRP group 2.
[DeviceA] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
----------------------------------------------------------------------------
Vlan100 1 Master 200 100 None 10.1.1.100
Vlan101 2 Master 200 100 None 20.1.1.100
[DeviceB] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
----------------------------------------------------------------------------
Vlan100 1 Backup 100 100 None 10.1.1.100
Vlan101 2 Backup 100 100 None 20.1.1.100

# Verify that Device C and Device D have established OSPF neighbor relationships with Device A
and Device B.
[DeviceC] display ospf peer

OSPF Process 1 with Router ID 10.1.1.3


Neighbor Brief Information

Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
20.1.1.1 10.1.1.1 1 37 Full/DR Vlan100
20.1.1.2 10.1.1.2 1 32 Full/BDR Vlan100
[DeviceD] display ospf peer

OSPF Process 1 with Router ID 20.1.1.3


Neighbor Brief Information

Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
20.1.1.1 20.1.1.1 1 38 Full/DR Vlan101
20.1.1.2 20.1.1.2 1 37 Full/BDR Vlan101

# Verify that Host A and Host B can ping each other. (Details not shown.)

Example: Configuring IPv4 and IPv6 VLAN gateways on a DR system
Network configuration
As shown in Figure 13:
• Configure Device A and Device B as a DR system to establish a multichassis aggregate link
with Device D.
• Configure ECMP routes for Device A and Device B to communicate with Device C.
• Configure Device A and Device B as IPv4 and IPv6 gateways for Server 1 and Server 2 to
communicate with Network 1.
If Device A or Device B is disconnected from Device C because of link failure, the device that has
connectivity to Device C forwards all traffic to ensure communication between the servers and the
external network.
Figure 13 Network diagram

(Network diagram not reproduced. Labels recoverable from the figure: Network 1; Device C with
HGE1/0/1 through HGE1/0/3; Device A and Device B, each with HGE1/0/1 through HGE1/0/6 and
joined by the IPL (BAGG 1); BAGG 3 toward Device D (HGE1/0/1~HGE1/0/4); Server 1 and Server 2.)

Device     Interface     IP address                                Peer device and interface
Device A   HGE1/0/1      -                                         Device D: HGE1/0/1
Device A   HGE1/0/2      -                                         Device D: HGE1/0/2
Device A   HGE1/0/3      -                                         Device B: HGE1/0/3
Device A   HGE1/0/4      -                                         Device B: HGE1/0/4
Device A   HGE1/0/5      IPv4: 21.1.1.1, IPv6: 21::1               Device B: HGE1/0/5
Device A   HGE1/0/6      -                                         Device C: HGE1/0/1
Device A   VLAN-int100   IPv4: 100.1.1.100/24, IPv6: 100::100/64   -
Device A   Vlan-int101   IPv4: 101.1.1.1/24, IPv6: 101::1/64       Device B: Vlan-int101 (IPv4: 101.1.1.2/24, IPv6: 101::2/64)
Device A   Vlan-int32    IPv4: 32.1.1.1/24, IPv6: 32::1/64         Device C: Vlan-int32 (IPv4: 32.1.1.2/24, IPv6: 32::2/64)
Device B   HGE1/0/1      -                                         Device D: HGE1/0/3
Device B   HGE1/0/2      -                                         Device D: HGE1/0/4
Device B   HGE1/0/3      -                                         Device A: HGE1/0/3
Device B   HGE1/0/4      -                                         Device A: HGE1/0/4
Device B   HGE1/0/5      IPv4: 21.1.1.2, IPv6: 21::2               Device A: HGE1/0/5
Device B   HGE1/0/6      -                                         Device C: HGE1/0/6
Device B   Vlan-int100   IPv4: 100.1.1.100/24, IPv6: 100::100/64   -
Device B   Vlan-int101   IPv4: 101.1.1.2/24, IPv6: 101::2/64       Device A: Vlan-int101 (IPv4: 101.1.1.1/24, IPv6: 101::1/64)
Device B   Vlan-int33    IPv4: 33.1.1.1/24, IPv6: 33::1/64         Device C: Vlan-int33 (IPv4: 33.1.1.2/24, IPv6: 33::2/64)
Device C   HGE1/0/1      -                                         Device A: HGE1/0/6
Device C   HGE1/0/2      -                                         Device B: HGE1/0/6
Device C   HGE1/0/3      -                                         Network 1
Device C   Vlan-int22    IPv4: 22.1.1.1/24, IPv6: 22::1/64         Network 1
Device C   Vlan-int32    IPv4: 32.1.1.2/24, IPv6: 32::2/64         Device A: Vlan-int32 (IPv4: 32.1.1.1/24, IPv6: 32::1/64)
Device C   Vlan-int33    IPv4: 33.1.1.2/24, IPv6: 33::2/64         Device B: Vlan-int33 (IPv4: 33.1.1.1/24, IPv6: 33::1/64)
Device D   HGE1/0/1      -                                         Device A: HGE1/0/1
Device D   HGE1/0/2      -                                         Device A: HGE1/0/2
Device D   HGE1/0/3      -                                         Device B: HGE1/0/1
Device D   HGE1/0/4      -                                         Device B: HGE1/0/2

Requirement analysis
To meet the network requirements, you must perform the following tasks:
• Create VLAN-interface 100 as an IPv4 and IPv6 gateway on Device A and Device B. Assign the
same IPv4 address, MAC address, IPv6 global unicast address, and IPv6 link-local address to
VLAN-interface 100 on Device A and Device B.
• Create VLAN-interface 101 on Device A and Device B for them to have Layer 3 connectivity to
each other. The VLAN interface configuration enables Device A and Device B to send traffic to
each other.
Restrictions and guidelines
In this example, all devices use default settings. If you use this example on a live network, make sure
the existing configuration on your devices does not conflict with the DRNI configuration in this
example.
Make sure each DR system uses a unique DR system MAC address.
Procedure

1. Configure Device A:
# Configure DR system settings.
<DeviceA> system-view
[DeviceA] drni system-mac 0002-0002-0002
[DeviceA] drni system-number 1
[DeviceA] drni system-priority 123
# Configure DR keepalive packet parameters.
[DeviceA] drni keepalive ip destination 21.1.1.2 source 21.1.1.1
# Set the link mode of HundredGigE 1/0/5 to Layer 3, and assign the interface IPv4 and IPv6
addresses. The IPv4 or IPv6 address will be used as the source IP address of keepalive
packets.
[DeviceA] interface hundredgige 1/0/5
[DeviceA-HundredGigE1/0/5] port link-mode route
[DeviceA-HundredGigE1/0/5] ip address 21.1.1.1 255.255.255.0
[DeviceA-HundredGigE1/0/5] ipv6 address 21::1 64
[DeviceA-HundredGigE1/0/5] quit
# Exclude the interface used for DR keepalive detection (HundredGigE 1/0/5) from the
shutdown action by DRNI MAD.
[DeviceA] drni mad exclude interface hundredgige 1/0/5
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 1.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation1] quit
# Assign HundredGigE 1/0/3 and HundredGigE 1/0/4 to aggregation group 1.
[DeviceA] interface hundredgige 1/0/3
[DeviceA-HundredGigE1/0/3] port link-aggregation group 1
[DeviceA-HundredGigE1/0/3] quit
[DeviceA] interface hundredgige 1/0/4
[DeviceA-HundredGigE1/0/4] port link-aggregation group 1
[DeviceA-HundredGigE1/0/4] quit
# Specify Bridge-Aggregation 1 as the IPP.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port drni intra-portal-port 1
[DeviceA-Bridge-Aggregation1] undo port trunk permit vlan 1
[DeviceA-Bridge-Aggregation1] undo mac-address static source-check enable
[DeviceA-Bridge-Aggregation1] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 3, and specify the interface
as DR interface 1.
[DeviceA] interface bridge-aggregation 3
[DeviceA-Bridge-Aggregation3] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation3] port drni group 1
[DeviceA-Bridge-Aggregation3] quit
# Assign HundredGigE 1/0/1 and HundredGigE 1/0/2 to aggregation group 3.
[DeviceA] interface hundredgige 1/0/1
[DeviceA-HundredGigE1/0/1] port link-aggregation group 3
[DeviceA-HundredGigE1/0/1] quit
[DeviceA] interface hundredgige 1/0/2
[DeviceA-HundredGigE1/0/2] port link-aggregation group 3
[DeviceA-HundredGigE1/0/2] quit
# Create VLANs 100 and 101.
[DeviceA] vlan 100
[DeviceA-vlan100] quit
[DeviceA] vlan 101
[DeviceA-vlan101] quit
# Configure Bridge-Aggregation 3 as a trunk port, and assign it to VLAN 100.
[DeviceA] interface bridge-aggregation 3
[DeviceA-Bridge-Aggregation3] port link-type trunk
[DeviceA-Bridge-Aggregation3] port trunk permit vlan 100
[DeviceA-Bridge-Aggregation3] undo port trunk permit vlan 1
[DeviceA-Bridge-Aggregation3] quit
# Create VLAN-interface 100 and assign it an IPv4 address and a MAC address for the
interface to act as an IPv4 gateway.
[DeviceA] interface vlan-interface 100
[DeviceA-Vlan-interface100] ip address 100.1.1.100 255.255.255.0
[DeviceA-Vlan-interface100] mac-address 0000-0010-0010
# Configure an IPv6 global unicast address and an IPv6 link-local address for VLAN-interface
100 to act as an IPv6 gateway.
[DeviceA] interface vlan-interface 100
[DeviceA-Vlan-interface100] ipv6 address 100::100 64
[DeviceA-Vlan-interface100] ipv6 address FE80::80 link-local
# Enable unsolicited NA learning. For ND entries to be synchronous on DR member devices,
enable this feature.
[DeviceA-Vlan-interface100] ipv6 nd unsolicited-na-learning enable
# Exclude VLAN-interface 100 from the shutdown action by DRNI MAD.
[DeviceA] drni mad exclude interface vlan-interface100
# Create VLAN-interface 101 and assign it an IPv4 address and an IPv6 address for Layer 3
communication between the DR member devices.
[DeviceA] interface vlan-interface 101
[DeviceA-Vlan-interface101] ip address 101.1.1.1 255.255.255.0
[DeviceA-Vlan-interface101] ipv6 address 101::1 64
[DeviceA-Vlan-interface101] quit
# Exclude VLAN-interface 101 from the shutdown action by DRNI MAD.
[DeviceA] drni mad exclude interface vlan-interface101
# Configure a global router ID.
[DeviceA] router id 3.3.3.3
# Enable an OSPF process on VLAN-interfaces 100 and 101, and disable VLAN-interface 100
from receiving and sending OSPF packets for the DR member devices to have IPv4
connectivity.
[DeviceA] ospf 1
[DeviceA-ospf-1] silent-interface vlan-interface 100
[DeviceA-ospf-1] import-route direct
[DeviceA-ospf-1] area 0
[DeviceA-ospf-1-area-0.0.0.0] quit
[DeviceA-ospf-1] quit
[DeviceA] interface vlan-interface 100
[DeviceA-Vlan-interface100] ospf 1 area 0.0.0.0
[DeviceA-Vlan-interface100] quit
[DeviceA] interface vlan-interface 101
[DeviceA-Vlan-interface101] ospf 1 area 0.0.0.0
[DeviceA-Vlan-interface101] quit
# Enable an OSPFv3 process on VLAN-interfaces 100 and 101, and disable VLAN-interface
100 from receiving and sending OSPFv3 packets for the DR member devices to have IPv6
connectivity.
[DeviceA] ospfv3 1
[DeviceA-ospfv3-1] silent-interface vlan-interface 100
[DeviceA-ospfv3-1] import-route direct
[DeviceA-ospfv3-1] area 0
[DeviceA-ospfv3-1-area-0.0.0.0] quit
[DeviceA-ospfv3-1] quit
[DeviceA] interface vlan-interface 100
[DeviceA-Vlan-interface100] ospfv3 1 area 0.0.0.0
[DeviceA-Vlan-interface100] quit
[DeviceA] interface vlan-interface 101
[DeviceA-Vlan-interface101] ospfv3 1 area 0.0.0.0
[DeviceA-Vlan-interface101] quit
# Create VLAN 32, and assign uplink HundredGigE 1/0/6 to VLAN 32.
[DeviceA] vlan 32
[DeviceA-vlan32] quit
[DeviceA] interface hundredgige 1/0/6
[DeviceA-HundredGigE1/0/6] port link-type trunk
[DeviceA-HundredGigE1/0/6] port trunk permit vlan 32
[DeviceA-HundredGigE1/0/6] undo port trunk permit vlan 1
[DeviceA-HundredGigE1/0/6] quit
# Create VLAN-interface 32 and assign it an IPv4 address and an IPv6 address.
[DeviceA] interface vlan-interface 32
[DeviceA-Vlan-interface32] ip address 32.1.1.1 255.255.255.0
[DeviceA-Vlan-interface32] ipv6 address 32::1 64
# Configure OSPF and OSPFv3 processes on VLAN-interface 32.
[DeviceA-Vlan-interface32] ospf 1 area 0
[DeviceA-Vlan-interface32] ospfv3 1 area 0
[DeviceA-Vlan-interface32] quit
2. Configure Device B:
# Configure DR system settings.
<DeviceB> system-view
[DeviceB] drni system-mac 0002-0002-0002
[DeviceB] drni system-number 2
[DeviceB] drni system-priority 123
# Configure DR keepalive packet parameters.
[DeviceB] drni keepalive ip destination 21.1.1.1 source 21.1.1.2
# Set the link mode of HundredGigE 1/0/5 to Layer 3, and assign the interface IPv4 and IPv6
addresses. The IPv4 or IPv6 address will be used as the source IP address of keepalive
packets.
[DeviceB] interface hundredgige 1/0/5
[DeviceB-HundredGigE1/0/5] port link-mode route
[DeviceB-HundredGigE1/0/5] ip address 21.1.1.2 255.255.255.0
[DeviceB-HundredGigE1/0/5] ipv6 address 21::2 64
[DeviceB-HundredGigE1/0/5] quit
# Exclude the interface used for DR keepalive detection (HundredGigE 1/0/5) from the
shutdown action by DRNI MAD.
[DeviceB] drni mad exclude interface hundredgige 1/0/5
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 1.
[DeviceB] interface bridge-aggregation 1
[DeviceB-Bridge-Aggregation1] link-aggregation mode dynamic
[DeviceB-Bridge-Aggregation1] quit
# Assign HundredGigE 1/0/3 and HundredGigE 1/0/4 to aggregation group 1.
[DeviceB] interface hundredgige 1/0/3
[DeviceB-HundredGigE1/0/3] port link-aggregation group 1
[DeviceB-HundredGigE1/0/3] quit
[DeviceB] interface hundredgige 1/0/4
[DeviceB-HundredGigE1/0/4] port link-aggregation group 1
[DeviceB-HundredGigE1/0/4] quit
# Specify Bridge-Aggregation 1 as the IPP.
[DeviceB] interface bridge-aggregation 1
[DeviceB-Bridge-Aggregation1] port drni intra-portal-port 1
[DeviceB-Bridge-Aggregation1] undo port trunk permit vlan 1
[DeviceB-Bridge-Aggregation1] undo mac-address static source-check enable
[DeviceB-Bridge-Aggregation1] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 3, and specify the interface
as DR interface 1.
[DeviceB] interface bridge-aggregation 3
[DeviceB-Bridge-Aggregation3] link-aggregation mode dynamic
[DeviceB-Bridge-Aggregation3] port drni group 1
[DeviceB-Bridge-Aggregation3] quit
# Assign HundredGigE 1/0/1 and HundredGigE 1/0/2 to aggregation group 3.
[DeviceB] interface hundredgige 1/0/1
[DeviceB-HundredGigE1/0/1] port link-aggregation group 3
[DeviceB-HundredGigE1/0/1] quit
[DeviceB] interface hundredgige 1/0/2
[DeviceB-HundredGigE1/0/2] port link-aggregation group 3
[DeviceB-HundredGigE1/0/2] quit
# Create VLANs 100 and 101.
[DeviceB] vlan 100
[DeviceB-vlan100] quit
[DeviceB] vlan 101
[DeviceB-vlan101] quit
# Configure Bridge-Aggregation 3 as a trunk port, and assign it to VLAN 100.
[DeviceB] interface bridge-aggregation 3
[DeviceB-Bridge-Aggregation3] port link-type trunk
[DeviceB-Bridge-Aggregation3] port trunk permit vlan 100
[DeviceB-Bridge-Aggregation3] undo port trunk permit vlan 1
[DeviceB-Bridge-Aggregation3] quit
# Create VLAN-interface 100 and assign it an IPv4 address and a MAC address for the
interface to act as an IPv4 gateway.
[DeviceB] interface vlan-interface 100
[DeviceB-Vlan-interface100] ip address 100.1.1.100 255.255.255.0
[DeviceB-Vlan-interface100] mac-address 0000-0010-0010
# Configure an IPv6 global unicast address and an IPv6 link-local address for VLAN-interface
100 to act as an IPv6 gateway.
[DeviceB] interface vlan-interface 100
[DeviceB-Vlan-interface100] ipv6 address 100::100 64
[DeviceB-Vlan-interface100] ipv6 address FE80::80 link-local
# Enable unsolicited NA learning. For ND entries to be synchronous on DR member devices,
enable this feature.
[DeviceB-Vlan-interface100] ipv6 nd unsolicited-na-learning enable
# Exclude VLAN-interface 100 from the shutdown action by DRNI MAD.
[DeviceB] drni mad exclude interface vlan-interface100
# Create VLAN-interface 101 and assign it an IPv4 address and an IPv6 address for Layer 3
communication between the DR member devices.
[DeviceB] interface vlan-interface 101
[DeviceB-vlan-interface101] ip address 101.1.1.2 24
[DeviceB-vlan-interface101] ipv6 address 101::2 64
[DeviceB-vlan-interface101] quit
# Exclude VLAN-interface 101 from the shutdown action by DRNI MAD.
[DeviceB] drni mad exclude interface vlan-interface101
# Configure a global router ID.
[DeviceB] router id 4.4.4.4
# Enable an OSPF process on VLAN-interfaces 100 and 101, and disable VLAN-interface 100
from receiving and sending OSPF packets for the DR member devices to have IPv4
connectivity.
[DeviceB] ospf 1
[DeviceB-ospf-1] silent-interface vlan-interface100
[DeviceB-ospf-1] import-route direct
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] quit
[DeviceB] interface vlan-interface 100
[DeviceB-Vlan-interface100] ospf 1 area 0.0.0.0
[DeviceB-Vlan-interface100] quit
[DeviceB] interface vlan-interface 101
[DeviceB-Vlan-interface101] ospf 1 area 0.0.0.0
[DeviceB-Vlan-interface101] quit
# Enable an OSPFv3 process on VLAN-interfaces 100 and 101, and disable VLAN-interface
100 from receiving and sending OSPFv3 packets for the DR member devices to have IPv6
connectivity.
[DeviceB] ospfv3 1
[DeviceB-ospfv3-1] silent-interface vlan-interface100
[DeviceB-ospfv3-1] import-route direct
[DeviceB-ospfv3-1] area 0
[DeviceB-ospfv3-1-area-0.0.0.0] quit
[DeviceB-ospfv3-1] quit
[DeviceB] interface vlan-interface 100
[DeviceB-vlan-interface100] ospfv3 1 area 0
[DeviceB-vlan-interface100] quit
[DeviceB] interface vlan-interface 101
[DeviceB-vlan-interface101] ospfv3 1 area 0
[DeviceB-vlan-interface101] quit
# Create VLAN 33, and assign uplink HundredGigE 1/0/6 to VLAN 33.
[DeviceB] vlan 33
[DeviceB-vlan33] quit
[DeviceB] interface hundredgige 1/0/6
[DeviceB-HundredGigE1/0/6] port link-type trunk
[DeviceB-HundredGigE1/0/6] port trunk permit vlan 33
[DeviceB-HundredGigE1/0/6] undo port trunk permit vlan 1
[DeviceB-HundredGigE1/0/6] quit
# Create VLAN-interface 33 and assign it an IPv4 address and an IPv6 address.
[DeviceB] interface vlan-interface 33
[DeviceB-Vlan-interface33] ip address 33.1.1.1 255.255.255.0
[DeviceB-Vlan-interface33] ipv6 address 33::1 64
# Configure OSPF and OSPFv3 processes on VLAN-interface 33.
[DeviceB-Vlan-interface33] ospf 1 area 0
[DeviceB-Vlan-interface33] ospfv3 1 area 0
[DeviceB-Vlan-interface33] quit
3. Configure Device C:
# Create VLAN 32.
<DeviceC> system-view
[DeviceC] vlan 32
[DeviceC-vlan32] quit
# Assign interface HundredGigE 1/0/1 connected to Device A to VLAN 32.
[DeviceC] interface hundredgige 1/0/1
[DeviceC-HundredGigE1/0/1] port link-type trunk
[DeviceC-HundredGigE1/0/1] port trunk permit vlan 32
[DeviceC-HundredGigE1/0/1] undo port trunk permit vlan 1
[DeviceC-HundredGigE1/0/1] quit
# Create VLAN-interface 32 and assign it an IPv4 address and an IPv6 address.
[DeviceC] interface vlan-interface 32
[DeviceC-Vlan-interface32] ip address 32.1.1.2 24
[DeviceC-Vlan-interface32] ipv6 address 32::2 64
[DeviceC-Vlan-interface32] quit
# Create VLAN 33.
[DeviceC] vlan 33
[DeviceC-vlan33] quit
# Assign interface HundredGigE 1/0/2 connected to Device B to VLAN 33.
[DeviceC] interface hundredgige 1/0/2
[DeviceC-HundredGigE1/0/2] port link-type trunk
[DeviceC-HundredGigE1/0/2] port trunk permit vlan 33
[DeviceC-HundredGigE1/0/2] undo port trunk permit vlan 1
[DeviceC-HundredGigE1/0/2] quit
# Create VLAN-interface 33 and assign it an IPv4 address and an IPv6 address.
[DeviceC] interface vlan-interface 33
[DeviceC-Vlan-interface33] ip address 33.1.1.2 24
[DeviceC-Vlan-interface33] ipv6 address 33::2 64
[DeviceC-Vlan-interface33] quit
# Configure a global router ID.
[DeviceC] router id 5.5.5.5
# Enable an OSPF process on VLAN-interfaces 32 and 33.
[DeviceC] ospf 1
[DeviceC-ospf-1] import-route direct
[DeviceC-ospf-1] area 0
[DeviceC-ospf-1-area-0.0.0.0] quit
[DeviceC-ospf-1] quit
[DeviceC] interface vlan-interface 32
[DeviceC-Vlan-interface32] ospf 1 area 0
[DeviceC-Vlan-interface32] quit
[DeviceC] interface vlan-interface 33
[DeviceC-Vlan-interface33] ospf 1 area 0
[DeviceC-Vlan-interface33] quit
# Enable an OSPFv3 process on VLAN-interfaces 32 and 33.
[DeviceC] ospfv3 1
[DeviceC-ospfv3-1] import-route direct
[DeviceC-ospfv3-1] area 0
[DeviceC-ospfv3-1-area-0.0.0.0] quit
[DeviceC-ospfv3-1] quit
[DeviceC] interface vlan-interface 32
[DeviceC-Vlan-interface32] ospfv3 1 area 0
[DeviceC-Vlan-interface32] quit
[DeviceC] interface vlan-interface 33
[DeviceC-Vlan-interface33] ospfv3 1 area 0
[DeviceC-Vlan-interface33] quit
# Create VLAN 22.
[DeviceC] vlan 22
[DeviceC-vlan22] quit
# Assign interface HundredGigE 1/0/3 connected to Network 1 to VLAN 22.
[DeviceC] interface hundredgige 1/0/3
[DeviceC-HundredGigE1/0/3] port link-type trunk
[DeviceC-HundredGigE1/0/3] port trunk permit vlan 22
[DeviceC-HundredGigE1/0/3] undo port trunk permit vlan 1
[DeviceC-HundredGigE1/0/3] quit
# Create VLAN-interface 22 and assign it an IPv4 address and an IPv6 address.
[DeviceC] interface vlan-interface 22
[DeviceC-Vlan-interface22] ip address 22.1.1.1 24
[DeviceC-Vlan-interface22] ipv6 address 22::1 64
[DeviceC-Vlan-interface22] quit
4. Configure Device D:
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 3.
<DeviceD> system-view
[DeviceD] interface bridge-aggregation 3
[DeviceD-Bridge-Aggregation3] link-aggregation mode dynamic
[DeviceD-Bridge-Aggregation3] quit
# Assign HundredGigE 1/0/1 through HundredGigE 1/0/4 to aggregation group 3.
[DeviceD] interface range hundredgige 1/0/1 to hundredgige 1/0/4
[DeviceD-if-range] port link-aggregation group 3
[DeviceD-if-range] quit
# Create VLAN 100.
[DeviceD] vlan 100
[DeviceD-vlan100] quit
# Configure Bridge-Aggregation 3 as a trunk port, and assign it to VLAN 100.
[DeviceD] interface bridge-aggregation 3
[DeviceD-Bridge-Aggregation3] port link-type trunk
[DeviceD-Bridge-Aggregation3] port trunk permit vlan 100
[DeviceD-Bridge-Aggregation3] undo port trunk permit vlan 1
[DeviceD-Bridge-Aggregation3] quit
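The following Python check is an added example, not part of the H3C guide. It reads Device A and Device B command transcripts in the prompt format used above and reports where the pair departs from what this example configures: same DR system MAC and priority, different system numbers, mirrored keepalive addresses, and identical gateway addressing on VLAN-interface 100. The transcripts are constructed from this example's commands; the function names and the assumption that host names contain no hyphen are illustrative.

```python
import ipaddress
import re

# Prompt forms: <Host> cmd, [Host] cmd, [Host-View] cmd (assumption: no hyphen in the host name).
PROMPT = re.compile(r"^[\[<](?P<host>[A-Za-z0-9]+)(?:-(?P<view>[^\]>]+))?[\]>]\s+(?P<cmd>\S.*)$")

def parse_transcript(text):
    """Group commands by lower-cased view name; '# ...' comments and output lines are skipped."""
    views = {}
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            view = (m.group("view") or "system").lower()
            views.setdefault(view, []).append(m.group("cmd").strip())
    return views

def drni_settings(views):
    s = {}
    for cmd in views.get("system", []):
        t = cmd.split()
        if len(t) == 3 and t[0] == "drni" and t[1] in ("system-mac", "system-number", "system-priority"):
            s[t[1]] = t[2].lower()
        elif t[:3] == ["drni", "keepalive", "ip"] and "destination" in t and "source" in t:
            s["ka-dst"] = ipaddress.ip_address(t[t.index("destination") + 1])
            s["ka-src"] = ipaddress.ip_address(t[t.index("source") + 1])
    return s

def gateway_settings(views, view):
    g = {"ipv4": None, "mac": None, "ipv6-global": None, "ipv6-link-local": None}
    for cmd in views.get(view, []):
        t = cmd.split()
        if t[:2] == ["ip", "address"] and len(t) == 4:
            # ip_interface() normalises "255.255.255.0" and "24" to the same value
            g["ipv4"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
        elif t[0] == "mac-address" and len(t) == 2:
            g["mac"] = t[1].lower()
        elif t[:2] == ["ipv6", "address"] and len(t) == 4:
            if t[3] == "link-local":
                g["ipv6-link-local"] = ipaddress.ip_address(t[2])
            else:
                g["ipv6-global"] = ipaddress.ip_interface(f"{t[2]}/{t[3]}")
    return g

def check_dr_pair(a_text, b_text, gateway_view="vlan-interface100"):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse_transcript(a_text), parse_transcript(b_text)
    da, db = drni_settings(a), drni_settings(b)
    problems = []
    for key in ("system-mac", "system-priority"):
        if da.get(key) is None or da.get(key) != db.get(key):
            problems.append(f"drni {key} must be set and equal: {da.get(key)} vs {db.get(key)}")
    if da.get("system-number") is None or da.get("system-number") == db.get("system-number"):
        problems.append("drni system-number must be set and differ between the members")
    if (da.get("ka-src"), da.get("ka-dst")) != (db.get("ka-dst"), db.get("ka-src")):
        problems.append("drni keepalive source/destination are not mirrored")
    ga, gb = gateway_settings(a, gateway_view), gateway_settings(b, gateway_view)
    for key, value in ga.items():
        if value is None or value != gb[key]:
            problems.append(f"{gateway_view} {key} differs or is missing: {value} vs {gb[key]}")
    return problems

def shared_system_macs(dr_systems):
    """dr_systems maps a DR system name to its system MAC; return MACs used by more than one."""
    by_mac = {}
    for name, mac in dr_systems.items():
        by_mac.setdefault(mac.lower(), []).append(name)
    return {mac: names for mac, names in by_mac.items() if len(names) > 1}

# Constructed transcripts: a subset of the Device A and Device B commands in this example.
DEVICE_A = """\
[DeviceA] drni system-mac 0002-0002-0002
[DeviceA] drni system-number 1
[DeviceA] drni system-priority 123
[DeviceA] drni keepalive ip destination 21.1.1.2 source 21.1.1.1
[DeviceA-Vlan-interface100] ip address 100.1.1.100 255.255.255.0
[DeviceA-Vlan-interface100] mac-address 0000-0010-0010
[DeviceA-Vlan-interface100] ipv6 address 100::100 64
[DeviceA-Vlan-interface100] ipv6 address FE80::80 link-local
"""
DEVICE_B = """\
[DeviceB] drni system-mac 0002-0002-0002
[DeviceB] drni system-number 2
[DeviceB] drni system-priority 123
[DeviceB] drni keepalive ip destination 21.1.1.1 source 21.1.1.2
[DeviceB-Vlan-interface100] ip address 100.1.1.100 255.255.255.0
[DeviceB-Vlan-interface100] mac-address 0000-0010-0010
[DeviceB-Vlan-interface100] ipv6 address 100::100 64
[DeviceB-Vlan-interface100] ipv6 address FE80::80 link-local
"""

if __name__ == "__main__":
    for finding in check_dr_pair(DEVICE_A, DEVICE_B) or ["DR member settings are consistent"]:
        print(finding)
```

Because view names are lower-cased and addresses are normalised, the mixed spellings used in this example (Vlan-interface100 and vlan-interface100, mask 255.255.255.0 and 24) do not produce false findings.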

Verifying the configuration


1. Verify that Device A has formed a DR system with Device B:
# Display brief information about the IPP and DR interfaces.
[DeviceA] display drni summary
Flags: A -- Aggregate interface down, B -- No peer DR interface configured
C -- Configuration consistency check failed

IPP: BAGG1
IPP state (cause): UP
Keepalive link state (cause): UP

DR interface information
DR interface DR group Local state (cause) Peer state Remaining down time (s)
BAGG3 1 UP UP -
# Verify that the keepalive link is working correctly on Device A.
[DeviceA] display drni keepalive
Neighbor keepalive link status: Up
Neighbor is alive for: 64765 s 28 ms
Keepalive packet transmission status:
Sent: Successful
Received: Successful
Last received keepalive packet information:
Source IP address: 21.1.1.2
Time: 2021/01/17 17:10:52
Action: Accept

Distributed relay keepalive parameters:


Destination IP address: 21.1.1.2
Source IP address: 21.1.1.1
Keepalive UDP port : 6400
Keepalive VPN name : N/A
Keepalive interval : 1000 ms
Keepalive timeout : 5 sec
Keepalive hold time: 3 sec
# Verify that the IPP and the DR interface are working correctly on Device A.
[DeviceA] display drni verbose
Flags: A -- Home_Gateway, B -- Neighbor_Gateway, C -- Other_Gateway,
D -- IPP_Activity, E -- DRCP_Timeout, F -- Gateway_Sync,
G -- Port_Sync, H -- Expired

IPP/IPP ID: BAGG1/1


State: UP
Cause: -
Local DRCP flags/Peer DRCP flags: ABDFG/ABDFG
Local Selected ports (index): HGE1/0/3 (27), HGE1/0/4 (32)
Peer Selected ports indexes: 125, 130

DR interface/DR group ID: BAGG3/1


Local DR interface state: UP
Peer DR interface state: UP
DR group state: UP
Local DR interface down cause: -
Remaining DRNI DOWN time: -
Local DR interface LACP MAC: Config=N/A, Effective=0002-0002-0002
Peer DR interface LACP MAC: Config=N/A, Effective=0002-0002-0002
Local DR interface LACP priority: Config=32768, Effective=123
Peer DR interface LACP priority: Config=32768, Effective=123
Local DRCP flags/Peer DRCP flags: ABDFG/ABDFG
Local Selected ports (index): HGE1/0/1 (12), HGE1/0/2 (13)
Peer Selected ports indexes: 56, 57
2. Verify that routing protocols operate correctly:
# Display OSPF neighbors on Device A to verify the neighbor relationship between Device A
and Device B, as well as Device A and Device C.
[DeviceA] display ospf peer

OSPF Process 1 with Router ID 3.3.3.3


Neighbor Brief Information

Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
4.4.4.4 101.1.1.2 1 36 Full/DR Vlan101
5.5.5.5 32.1.1.2 1 38 Full/DR Vlan32
# Display OSPFv3 neighbors on Device A to verify the neighbor relationship between Device A
and Device B, as well as Device A and Device C.
[DeviceA] display ospf peer

OSPF Process 1 with Router ID 3.3.3.3


Neighbor Brief Information

Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
4.4.4.4 101.1.1.2 1 36 Full/DR Vlan101
5.5.5.5 32.1.1.2 1 38 Full/DR Vlan32
# Display OSPF neighbors on Device B to verify the neighbor relationship between Device B
and Device A, as well as Device B and Device C.
[DeviceB] display ospf peer

OSPF Process 1 with Router ID 4.4.4.4


Neighbor Brief Information

Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
3.3.3.3 101.1.1.1 1 32 Full/BDR Vlan101
5.5.5.5 33.1.1.2 1 33 Full/DR Vlan33
# Display OSPFv3 neighbors on Device B to verify the neighbor relationship between Device B
and Device A, as well as Device B and Device C.
[DeviceB] display ospfv3 peer

OSPFv3 Process 1 with Router ID 4.4.4.4

Area: 0.0.0.0
-------------------------------------------------------------------------
Router ID Pri State Dead-Time InstID Interface
3.3.3.3 1 Full/BDR 00:00:35 0 Vlan101
5.5.5.5 1 Full/DR 00:00:38 0 Vlan33
# Display OSPF neighbors on Device C to verify the neighbor relationship between Device C
and Device A, as well as Device C and Device B.
[DeviceC] display ospf peer

OSPF Process 1 with Router ID 5.5.5.5


Neighbor Brief Information

Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
3.3.3.3 32.1.1.1 1 32 Full/DR Vlan32
4.4.4.4 33.1.1.1 1 38 Full/DR Vlan33
# Display OSPFv3 neighbors on Device C to verify the neighbor relationship between Device C
and Device A, as well as Device C and Device B.
[DeviceC] display ospfv3 peer

OSPFv3 Process 1 with Router ID 5.5.5.5

Area: 0.0.0.0
-------------------------------------------------------------------------
Router ID Pri State Dead-Time InstID Interface
3.3.3.3 1 Full/DR 00:00:37 0 Vlan32
4.4.4.4 1 Full/DR 00:00:34 0 Vlan33
3. Verify that Server 1 and Server 2 can communicate with Network 1 through IPv4 and IPv6
packets.
4. Verify that Server 1 and Server 2 can communicate with Network 1 in the following conditions:
○ The uplink interface on Device A or Device B fails.
○ The uplink interface of Device A is down. In the traffic switchover process, transient packet
loss might occur.

Contents
Configuring port isolation
  About port isolation
  Assigning a port to an isolation group
  Display and maintenance commands for port isolation
  Port isolation configuration examples
    Example: Configuring port isolation

Configuring port isolation
About port isolation
The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs.
Ports in an isolation group cannot communicate with each other. However, they can communicate
with ports outside the isolation group.

Assigning a port to an isolation group


About this task
The device supports multiple isolation groups, which can be configured manually. The number of
ports assigned to an isolation group is not limited.
Restrictions and guidelines
• You can assign a port to only one isolation group. If you execute the port-isolate enable
group command multiple times, the most recent configuration takes effect.
• The configuration in Layer 2 Ethernet interface view applies only to the interface.
• The configuration in Layer 2 aggregate interface view applies to the Layer 2 aggregate interface
and its aggregation member ports. If the device fails to apply the configuration to the aggregate
interface, it does not assign any aggregation member port to the isolation group. If the failure
occurs on an aggregation member port, the device skips the port and continues to assign other
aggregation member ports to the isolation group.
Procedure
1. Enter system view.
system-view
2. Create an isolation group.
port-isolate group group-id
3. Enter interface view.
○ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
○ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
4. Assign the port to the isolation group.
port-isolate enable group group-id
By default, the port is not in any isolation group.

Display and maintenance commands for port isolation
Execute display commands in any view.

| Task | Command |
| --- | --- |
| Display isolation group information. | display port-isolate group [ group-id ] |

Port isolation configuration examples


Example: Configuring port isolation
Network configuration
As shown in Figure 1:
• LAN users Host A, Host B, and Host C are connected to Twenty-FiveGigE 1/0/1,
Twenty-FiveGigE 1/0/2, and Twenty-FiveGigE 1/0/3 on the device, respectively.
• The device connects to the Internet through Twenty-FiveGigE 1/0/4.
Configure the device to provide Internet access for the hosts, and isolate them from one another at
Layer 2.
Figure 1 Network diagram
[Diagram: Host A, Host B, and Host C connect to WGE1/0/1, WGE1/0/2, and WGE1/0/3 on Device. WGE1/0/4 connects Device to the Internet.]

Procedure
# Create isolation group 2.
<Device> system-view
[Device] port-isolate group 2

# Assign Twenty-FiveGigE 1/0/1, Twenty-FiveGigE 1/0/2, and Twenty-FiveGigE 1/0/3 to isolation group 2.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] port-isolate enable group 2
[Device-Twenty-FiveGigE1/0/1] quit
[Device] interface twenty-fivegige 1/0/2
[Device-Twenty-FiveGigE1/0/2] port-isolate enable group 2
[Device-Twenty-FiveGigE1/0/2] quit
[Device] interface twenty-fivegige 1/0/3
[Device-Twenty-FiveGigE1/0/3] port-isolate enable group 2
[Device-Twenty-FiveGigE1/0/3] quit

Verifying the configuration


# Display information about isolation group 2.
[Device] display port-isolate group 2
Port isolation group information:
Group ID: 2
Group members:
Twenty-FiveGigE1/0/1 Twenty-FiveGigE1/0/2
Twenty-FiveGigE1/0/3

The output shows that Twenty-FiveGigE 1/0/1, Twenty-FiveGigE 1/0/2, and Twenty-FiveGigE 1/0/3
are assigned to isolation group 2. As a result, Host A, Host B, and Host C are isolated from one
another at Layer 2.

Contents
Configuring VLANs
  About VLANs
    VLAN frame encapsulation
    VLAN types
    Port-based VLANs
    MAC-based VLANs
    IP subnet-based VLANs
    Protocol-based VLANs
    Layer 3 communication between VLANs
    Protocols and standards
  Configuring a VLAN
    Restrictions and guidelines
    VLAN configuration tasks at a glance
    Creating VLANs
    Enabling packet dropping in the VLAN
  Configuring port-based VLANs
    Restrictions and guidelines for port-based VLANs
    Assigning an access port to a VLAN
    Assigning a trunk port to a VLAN
    Assigning a hybrid port to a VLAN
  Configuring MAC-based VLANs
    Restrictions and guidelines for MAC-based VLANs
    Configuring static MAC-based VLAN assignment
    Configuring dynamic MAC-based VLAN assignment
    Configuring server-assigned MAC-based VLAN
  Configuring IP subnet-based VLANs
  Configuring protocol-based VLANs
  Configuring a VLAN group
  Configuring VLAN interfaces
    Restrictions and guidelines
    VLAN interfaces configuration tasks at a glance
    Prerequisites
    Creating a VLAN interface
    Specifying a traffic processing slot for the VLAN interface
    Restoring the default settings for the VLAN interface
  Display and maintenance commands for VLANs
  VLAN configuration examples
    Example: Configuring port-based VLANs
    Example: Configuring MAC-based VLANs
    Example: Configuring IP subnet-based VLANs
    Example: Configuring protocol-based VLANs
Configuring super VLANs
  About super VLANs
  Restrictions and guidelines: Super VLAN configuration
  Super VLAN tasks at a glance
  Creating a sub-VLAN
  Configuring a super VLAN
  Configuring a super VLAN interface
  Display and maintenance commands for super VLANs
  Super VLAN configuration examples
    Example: Configuring a super VLAN
Configuring private VLAN
  About private VLAN
  Restrictions and guidelines: Private VLAN configuration
  Private VLAN tasks at a glance
  Creating a primary VLAN
  Creating secondary VLANs
  Associating the primary VLAN with secondary VLANs
  Configuring the uplink port
  Configuring a downlink port
  Configuring Layer 3 communication for secondary VLANs
  Display and maintenance commands for the private VLAN
  Private VLAN configuration examples
    Example: Configuring promiscuous ports
    Example: Configuring trunk promiscuous ports
    Example: Configuring trunk promiscuous and trunk secondary ports
    Example: Configuring Layer 3 communication for secondary VLANs
Configuring voice VLANs
  About voice VLANs
    Working mechanism
    Methods of identifying IP phones
    Advertising the voice VLAN information to IP phones
    IP phone access methods
    Voice VLAN assignment modes
    Cooperation of voice VLAN assignment modes and IP phones
    Security mode and normal mode of voice VLANs
  Restrictions and guidelines: Voice VLAN configuration
  Voice VLAN tasks at a glance
  Configuring the QoS priority settings for voice traffic
  Configuring voice VLAN assignment modes for a port
    Configuring a port to operate in automatic voice VLAN assignment mode
    Configuring a port to operate in manual voice VLAN assignment mode
  Enabling LLDP for automatic IP phone discovery
  Configuring LLDP or CDP to advertise a voice VLAN
    Configuring LLDP to advertise a voice VLAN
    Configuring CDP to advertise a voice VLAN
  Display and maintenance commands for voice VLANs
  Voice VLAN configuration examples
    Example: Configuring automatic voice VLAN assignment mode
    Example: Configuring manual voice VLAN assignment mode
Configuring VLANs
About VLANs
The Virtual Local Area Network (VLAN) technology divides a physical LAN into multiple logical LANs.
It has the following benefits:
• Security—Hosts in the same VLAN can communicate with one another at Layer 2, but they are
isolated from hosts in other VLANs at Layer 2.
• Broadcast traffic isolation—Each VLAN is a broadcast domain that limits the transmission of
broadcast packets.
• Flexibility—A VLAN can be logically divided on a workgroup basis. Hosts in the same
workgroup can be assigned to the same VLAN, regardless of their physical locations.

VLAN frame encapsulation


To identify Ethernet frames from different VLANs, IEEE 802.1Q inserts a four-byte VLAN tag
between the destination and source MAC address (DA&SA) field and the Type field.
Figure 1 VLAN tag placement and format
DA&SA | TPID | Priority | CFI | VLAN ID | Type | Data | FCS
[The VLAN tag spans the TPID, Priority, CFI, and VLAN ID fields.]

A VLAN tag includes the following fields:


• TPID—16-bit tag protocol identifier that indicates whether a frame is VLAN-tagged. By default,
the hexadecimal TPID value 8100 identifies a VLAN-tagged frame. A device vendor can set the
TPID to a different value. For compatibility with a neighbor device, set the TPID value on the
device to be the same as the neighbor device. For more information about setting the TPID
value, see QinQ commands in Layer 2—LAN Switching Command Reference.
• Priority—3-bit long, identifies the 802.1p priority of the frame. For more information, see ACL
and QoS Configuration Guide.
• CFI—1-bit long canonical format indicator that indicates whether the MAC addresses are
  encapsulated in the standard format when packets are transmitted across different media.
  Available values include:
  ○ 0 (default)—The MAC addresses are encapsulated in the standard format.
  ○ 1—The MAC addresses are encapsulated in a non-standard format.
  This field is always set to 0 for Ethernet.
• VLAN ID—12-bit long, identifies the VLAN to which the frame belongs. The VLAN ID range is 0
to 4095. VLAN IDs 0 and 4095 are reserved, and VLAN IDs 1 to 4094 are user configurable.
The way a network device handles an incoming frame depends on whether the frame has a VLAN
tag and the value of the VLAN tag (if any).
Ethernet supports encapsulation formats Ethernet II, 802.3/802.2 LLC, 802.3/802.2 SNAP, and
802.3 raw. The Ethernet II encapsulation format is used here. For information about the VLAN tag
fields in other frame encapsulation formats, see related protocols and standards.
For a frame that has multiple VLAN tags, the device handles it according to its outermost VLAN tag
and transmits its inner VLAN tags as the payload.
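The tag layout and the outermost-tag rule described above, as an added Python example (not part of the original guide). The sample frame is constructed, the function names are hypothetical, and 0x88A8 is used only as an example of a TPID that differs from the default.

```python
import struct
from typing import NamedTuple, Optional, Tuple

DEFAULT_TPID = 0x8100          # default TPID stated in the text
RESERVED_VLAN_IDS = (0, 4095)  # reserved per the text; 1 to 4094 are user configurable


class VlanTag(NamedTuple):
    tpid: int      # 16 bits
    priority: int  # 3 bits, 802.1p priority
    cfi: int       # 1 bit, always 0 on Ethernet
    vlan_id: int   # 12 bits

    @property
    def user_configurable(self) -> bool:
        return self.vlan_id not in RESERVED_VLAN_IDS


def build_tag(vlan_id: int, priority: int = 0, cfi: int = 0,
              tpid: int = DEFAULT_TPID) -> bytes:
    """Encode the four-byte tag: TPID, then Priority/CFI/VLAN ID packed in 16 bits."""
    if not (0 <= vlan_id <= 0xFFF and 0 <= priority <= 7 and cfi in (0, 1)):
        raise ValueError("VLAN tag field out of range")
    return struct.pack("!HH", tpid, (priority << 13) | (cfi << 12) | vlan_id)


def split_outer_tag(frame: bytes, tpid: int = DEFAULT_TPID
                    ) -> Tuple[Optional[VlanTag], bytes]:
    """Return (outermost tag or None, the bytes that follow it).

    Only the outermost tag is decoded. Everything after it, including any
    inner VLAN tags, is returned untouched as payload.
    """
    if len(frame) < 14:
        raise ValueError("shorter than DA + SA + Type")
    (type_field,) = struct.unpack_from("!H", frame, 12)
    if type_field != tpid:
        return None, frame[12:]   # untagged from this device's point of view
    if len(frame) < 18:
        raise ValueError("truncated VLAN tag")
    (tci,) = struct.unpack_from("!H", frame, 14)
    tag = VlanTag(type_field, tci >> 13, (tci >> 12) & 0x1, tci & 0x0FFF)
    return tag, frame[16:]


def sample_frame() -> bytes:
    """Constructed Ethernet II frame: outer tag VLAN 100 (priority 5), inner tag VLAN 200."""
    da = bytes.fromhex("ffffffffffff")
    sa = bytes.fromhex("001122334455")
    return (da + sa + build_tag(100, priority=5) + build_tag(200)
            + struct.pack("!H", 0x0800) + b"constructed payload")


if __name__ == "__main__":
    outer, rest = split_outer_tag(sample_frame())
    print("outer tag:", outer)
    print("payload begins with the inner tag:", rest[:4].hex())
    # A device whose TPID is set to a different value sees no VLAN tag in the same frame.
    print("with TPID 0x88a8:", split_outer_tag(sample_frame(), tpid=0x88A8)[0])
```

The last call shows why the TPID must match the neighbor device: with a different TPID the same frame is classified as untagged.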

VLAN types
The following VLAN types are available:
• Port-based VLAN.
• MAC-based VLAN.
• IP subnet-based VLAN.
• Protocol-based VLAN.
If all these types of VLANs are configured on a port, the port processes packets in the following
descending order of priority by default:
• MAC-based VLAN.
• IP subnet-based VLAN.
• Protocol-based VLAN.
• Port-based VLAN.

Port-based VLANs
Port-based VLANs group VLAN members by port. A port forwards packets from a VLAN only after it
is assigned to the VLAN.
Port link type
You can set the link type of a port to access, trunk, or hybrid. The port link type determines whether
the port can be assigned to multiple VLANs. The link types use the following VLAN tag handling
methods:
• Access—An access port can forward packets only from one VLAN and send these packets
  untagged. An access port is typically used in the following conditions:
  ○ Connecting to a terminal device that does not support VLAN packets.
  ○ In scenarios that do not distinguish VLANs.
• Trunk—A trunk port can forward packets from multiple VLANs. Except packets from the port
VLAN ID (PVID), packets sent out of a trunk port are VLAN-tagged. Ports connecting network
devices are typically configured as trunk ports.
• Hybrid—A hybrid port can forward packets from multiple VLANs. The tagging status of the
packets forwarded by a hybrid port depends on the port configuration. In one-to-two VLAN
mapping, hybrid ports are used to remove SVLAN tags for downlink traffic. For more
information about one-to-two VLAN mapping, see "Configuring VLAN mapping."
PVID
The PVID identifies the default VLAN of a port. Untagged packets received on a port are treated
as packets from the PVID of the port.
An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of
the port. A trunk or hybrid port supports multiple VLANs and the PVID configuration.
How ports of different link types handle frames

| Actions | Access | Trunk | Hybrid |
| --- | --- | --- | --- |
| In the inbound direction for an untagged frame | Tags the frame with the PVID tag. | If the PVID is permitted on the port, tags the frame with the PVID tag. If not, drops the frame. | If the PVID is permitted on the port, tags the frame with the PVID tag. If not, drops the frame. |
| In the inbound direction for a tagged frame | Receives the frame if its VLAN ID is the same as the PVID. Drops the frame if its VLAN ID is different from the PVID. | Receives the frame if its VLAN is permitted on the port. Drops the frame if its VLAN is not permitted on the port. | Receives the frame if its VLAN is permitted on the port. Drops the frame if its VLAN is not permitted on the port. |
| In the outbound direction | Removes the VLAN tag and sends the frame. | Removes the tag and sends the frame if the frame carries the PVID tag and the port belongs to the PVID. Sends the frame without removing the tag if its VLAN is carried on the port but is different from the PVID. | Sends the frame if its VLAN is permitted on the port. The tagging status of the frame depends on the port hybrid vlan command configuration. |

MAC-based VLANs
The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature
is also called user-based VLAN because VLAN configuration remains the same regardless of a
user's physical location.
Static MAC-based VLAN assignment
Use static MAC-based VLAN assignment in networks that have a small number of VLAN users. To
configure static MAC-based VLAN assignment on a port, perform the following tasks:
1. Create MAC-to-VLAN entries.
2. Enable the MAC-based VLAN feature on the port.
3. Assign the port to the MAC-based VLAN.
A port configured with static MAC-based VLAN assignment processes a received frame as follows
before sending the frame out:
• For an untagged frame, the port determines its VLAN ID in the following workflow:
a. The port first performs a fuzzy match as follows:
− Searches for the MAC-to-VLAN entries whose masks are not all Fs.
− Performs a logical AND operation on the source MAC address and each of these
masks.
If an AND operation result matches the MAC address in a MAC-to-VLAN entry, the port
tags the frame with the VLAN ID specific to this entry.
b. If the fuzzy match fails, the port performs an exact match. It searches for MAC-to-VLAN
entries whose masks are all Fs. If the source MAC address of the frame exactly matches the
MAC address of a MAC-to-VLAN entry, the port tags the frame with the VLAN ID specific to
this entry.
c. If no matching VLAN ID is found, the port determines the VLAN for the packet by using the
following matching order:
− IP subnet-based VLAN.
− Protocol-based VLAN.
− Port-based VLAN.
When a match is found, the port tags the packet with the matching VLAN ID.

• For a tagged frame, the port determines whether the VLAN ID of the frame is permitted on the
  port.
  ○ If the VLAN ID of the frame is permitted on the port, the port forwards the frame.
  ○ If the VLAN ID of the frame is not permitted on the port, the port drops the frame.
Dynamic MAC-based VLAN assignment
When you cannot determine the target MAC-based VLANs of a port, use dynamic MAC-based VLAN
assignment on the port. To use dynamic MAC-based VLAN assignment, perform the following tasks:
1. Create MAC-to-VLAN entries.
2. Enable the MAC-based VLAN feature on the port.
3. Enable dynamic MAC-based VLAN assignment on the port.
Dynamic MAC-based VLAN assignment uses the following workflow, as shown in Figure 2:
1. When a port receives a frame, it first determines whether the frame is tagged.
   ○ If the frame is tagged, the port gets the source MAC address of the frame.
   ○ If the frame is untagged, the port selects a VLAN for the frame by using the following
     matching order:
     − MAC-based VLAN (fuzzy and exact MAC address match).
     − IP subnet-based VLAN.
     − Protocol-based VLAN.
     − Port-based VLAN.
     After tagging the frame with the selected VLAN, the port gets the source MAC address of
     the frame.
2. The port uses the source MAC address and VLAN of the frame to match the MAC-to-VLAN
   entries.
   ○ If the source MAC address of the frame exactly matches the MAC address in a
     MAC-to-VLAN entry, the port checks whether the VLAN ID of the frame matches the VLAN
     in the entry.
     − If the two VLAN IDs match, the port joins the VLAN and forwards the frame.
     − If the two VLAN IDs do not match, the port drops the frame.
   ○ If the source MAC address of the frame does not exactly match any MAC addresses in
     MAC-to-VLAN entries, the port checks whether the VLAN ID of the frame is its PVID.
     − If the VLAN ID of the frame is the PVID of the port, the port determines whether it allows
       the PVID.
       If the PVID is allowed, the port forwards the frame within the PVID. If the PVID is not
       allowed, the port drops the frame.
     − If the VLAN ID of the frame is not the PVID of the port, the port determines whether the
       VLAN ID is the primary VLAN ID and the port PVID is a secondary VLAN ID. If yes, the
       port forwards the frame. Otherwise, the port drops the frame.

Figure 2 Flowchart for processing a frame in dynamic MAC-based VLAN assignment
[Flowchart of the workflow described in the preceding steps.]
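The static matching order (fuzzy match, then exact match, then fall-through) and the dynamic assignment decision described above, modelled as an added Python example that is not code from the guide or the device. The entries and MAC addresses are constructed, all names are hypothetical, and two points the text leaves open are assumptions: fuzzy entries are tried in list order, and only entries with an all-F mask take part in the dynamic exact match.

```python
from dataclasses import dataclass
from typing import List, Optional, Set

ALL_F = 0xFFFFFFFFFFFF


def mac_int(mac: str) -> int:
    """Parse a hyphen- or colon-separated 48-bit MAC address into an integer."""
    digits = mac.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacVlanEntry:
    mac: int
    vlan: int
    mask: int = ALL_F


def entry(mac: str, vlan: int, mask: str = "ffff-ffff-ffff") -> MacVlanEntry:
    return MacVlanEntry(mac_int(mac), vlan, mac_int(mask))


# Constructed MAC-to-VLAN entries for illustration.
SAMPLE_ENTRIES = [
    entry("0011-2233-4455", 10),                         # exact entry
    entry("0011-2200-0000", 20, mask="ffff-ff00-0000"),  # fuzzy entry for 0011-22xx-xxxx
    entry("00e0-fc00-0001", 30),                         # exact entry outside the fuzzy range
]


def static_untagged_vlan(entries: List[MacVlanEntry], src_mac: str) -> Optional[int]:
    """VLAN for an untagged frame, or None when the port must fall through to
    IP subnet-based, protocol-based, and port-based VLAN matching."""
    src = mac_int(src_mac)
    for e in entries:   # a. fuzzy match: masks that are not all Fs, AND with the source MAC
        if e.mask != ALL_F and (src & e.mask) == e.mac:
            return e.vlan
    for e in entries:   # b. exact match: masks that are all Fs
        if e.mask == ALL_F and src == e.mac:
            return e.vlan
    return None         # c. no MAC-based match


def static_tagged(permitted: Set[int], frame_vlan: int) -> str:
    """Tagged frame on a static MAC-based VLAN port: forwarded only if the VLAN is permitted."""
    return "forward" if frame_vlan in permitted else "drop"


def dynamic_decision(entries: List[MacVlanEntry], src_mac: str, frame_vlan: int,
                     pvid: int, pvid_allowed: bool,
                     primary_of_pvid: Optional[int] = None) -> str:
    """Step 2 of the dynamic workflow. frame_vlan is the tag VLAN, or the VLAN
    selected in step 1 for an untagged frame. primary_of_pvid is the primary
    VLAN whose secondary VLAN is the PVID, if any."""
    src = mac_int(src_mac)
    match = next((e for e in entries if e.mask == ALL_F and e.mac == src), None)
    if match is not None:
        return "join-and-forward" if match.vlan == frame_vlan else "drop"
    if frame_vlan == pvid:
        return "forward" if pvid_allowed else "drop"
    if primary_of_pvid is not None and frame_vlan == primary_of_pvid:
        return "forward"
    return "drop"


if __name__ == "__main__":
    # The fuzzy entry is evaluated first, so it decides the VLAN even though
    # an exact entry exists for the same host.
    print(static_untagged_vlan(SAMPLE_ENTRIES, "0011-2233-4455"))   # 20
    print(dynamic_decision(SAMPLE_ENTRIES, "00e0-fc00-0001", 40, pvid=1, pvid_allowed=True))
```

Because the fuzzy match runs first, a masked entry that covers a host takes precedence over that host's exact entry, which is worth checking when both kinds of entry are configured.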

Server-assigned MAC-based VLAN


Use this feature with access authentication, such as MAC-based 802.1X authentication, to
implement secure and flexible terminal access.
To implement server-assigned MAC-based VLAN, perform the following tasks:
1. Configure the server-assigned MAC-based VLAN feature on the access device.
2. Configure username-to-VLAN entries on the access authentication server.
When a user passes authentication of the access authentication server, the server assigns the
authorization VLAN information for the user to the device. The device then performs the following
operations:
1. Generates a MAC-to-VLAN entry by using the source MAC address of the user packet and the
authorization VLAN information. The authorization VLAN is a MAC-based VLAN.
The generated MAC-to-VLAN entry cannot conflict with the existing static MAC-to-VLAN entries.
If a conflict exists, the dynamic MAC-to-VLAN entry cannot be generated.
2. Assigns the port that connects the user to the MAC-based VLAN.
When the user goes offline, the device automatically deletes the MAC-to-VLAN entry and removes
the port from the MAC-based VLAN. For more information about 802.1X and MAC authentication,
see Security Configuration Guide.

IP subnet-based VLANs
The IP subnet-based VLAN feature assigns untagged packets to VLANs based on their source IP
addresses and subnet masks.
Use this feature when untagged packets from an IP subnet or IP address must be transmitted in a
VLAN.

Protocol-based VLANs
The protocol-based VLAN feature assigns inbound packets to different VLANs based on their
protocol types and encapsulation formats. The protocols available for VLAN assignment include IP,
IPX, and AT. The encapsulation formats include Ethernet II, 802.3 raw, 802.2 LLC, and 802.2 SNAP.
This feature associates the available network service types with VLANs and facilitates network
management and maintenance.

Layer 3 communication between VLANs


Hosts of different VLANs use VLAN interfaces to communicate at Layer 3. VLAN interfaces are
virtual interfaces that do not exist as physical entities on devices. For each VLAN, you can create
one VLAN interface and assign an IP address to it. The VLAN interface acts as the gateway of the
VLAN to forward packets destined for another IP subnet at Layer 3.

Protocols and standards


IEEE 802.1Q, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area
Networks

Configuring a VLAN
Restrictions and guidelines
• As the system default VLAN, VLAN 1 cannot be created or deleted.
• Before you delete a dynamic VLAN or a VLAN locked by an application, you must first remove
the configuration from the VLAN.

VLAN configuration tasks at a glance


To configure VLANs, perform the following tasks:
1. Creating VLANs
2. (Optional.) Enabling packet dropping in the VLAN

Creating VLANs
1. Enter system view.
   system-view
2. Create one or multiple VLANs.
   ○ Create a VLAN and enter its view.
     vlan vlan-id
   ○ Create multiple VLANs and enter VLAN view.
     Create VLANs.
       vlan { vlan-id-list | all }
     Enter VLAN view.
       vlan vlan-id
   By default, only the system default VLAN (VLAN 1) exists.
3. (Optional.) Set a name for the VLAN.
   name text
   By default, the name of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN ID in
   a four-digit format. If the VLAN ID has fewer than four digits, leading zeros are added. For
   example, the name of VLAN 100 is VLAN 0100.
4. (Optional.) Configure the description for the VLAN.
   description text
   By default, the description of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN
   ID in a four-digit format. If the VLAN ID has fewer than four digits, leading zeros are added. For
   example, the default description of VLAN 100 is VLAN 0100.

Enabling packet dropping in the VLAN


About this task
This feature enables the device to drop packets (including protocol packets) forwarded by the
software in a VLAN. To drop all packets that are received and transmitted in the VLAN, you must
configure a QoS policy. For more information about configuring QoS policies, see QoS configuration
in ACL and QoS Configuration Guide.
Procedure
1. Enter system view.
   system-view
2. Enter VLAN view.
   vlan vlan-id
3. Enable packet dropping in the VLAN.
   block outbound
   By default, packet dropping is disabled in a VLAN.

Configuring port-based VLANs


Restrictions and guidelines for port-based VLANs
• When you use the undo vlan command to delete the PVID of a port, either of the following
  events occurs depending on the port link type:
  ○ For an access port, the PVID of the port changes to VLAN 1.
  ○ For a hybrid or trunk port, the PVID setting of the port does not change.
  You can use a nonexistent VLAN as the PVID for a hybrid or trunk port, but not for an access
  port.
• As a best practice, set the same PVID for a local port and its peer.
• To prevent a port from dropping untagged packets or PVID-tagged packets, assign the port to
its PVID.
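The frame-handling table in "Port-based VLANs" and the PVID guideline above, modelled as an added Python example (not from the guide) with a check that flags trunk or hybrid ports whose PVID is not among their permitted VLANs. The Port class, its field names, and the sample ports are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Port:
    name: str
    link_type: str                                            # "access", "trunk" or "hybrid"
    pvid: int = 1
    permitted: Set[int] = field(default_factory=lambda: {1})  # VLANs the port is assigned to
    untagged: Set[int] = field(default_factory=set)           # hybrid only: VLANs sent untagged


def ingress(port: Port, tag: Optional[int]) -> Optional[int]:
    """VLAN the frame is received in, or None if the port drops it. tag is None for untagged."""
    if port.link_type == "access":
        # Untagged frames get the PVID; tagged frames must already carry the PVID.
        return port.pvid if tag in (None, port.pvid) else None
    if tag is None:
        # Trunk and hybrid: untagged frames are accepted only if the PVID is permitted.
        return port.pvid if port.pvid in port.permitted else None
    return tag if tag in port.permitted else None


def egress(port: Port, vlan: int) -> Optional[str]:
    """'untagged', 'tagged', or None when the port does not send frames of this VLAN."""
    if port.link_type == "access":
        return "untagged" if vlan == port.pvid else None
    if vlan not in port.permitted:
        return None
    if port.link_type == "trunk":
        return "untagged" if vlan == port.pvid else "tagged"
    return "untagged" if vlan in port.untagged else "tagged"  # hybrid: per-VLAN setting


def audit(ports: List[Port]) -> List[str]:
    """Flag trunk and hybrid ports that would drop untagged and PVID-tagged frames."""
    findings = []
    for p in ports:
        if p.link_type in ("trunk", "hybrid") and p.pvid not in p.permitted:
            findings.append(f"{p.name}: PVID {p.pvid} is not permitted on the port; "
                            "untagged and PVID-tagged frames are dropped")
    return findings


def sample_ports() -> List[Port]:
    """Constructed port set: one trunk with its PVID missing from the permitted list."""
    return [
        Port("uplink-1", "trunk", pvid=10, permitted={1, 20}),
        Port("uplink-2", "trunk", pvid=10, permitted={1, 10, 20}),
        Port("host-1", "access", pvid=5, permitted={5}),
        Port("phone-1", "hybrid", pvid=1, permitted={1, 100}, untagged={1}),
    ]


if __name__ == "__main__":
    for finding in audit(sample_ports()):
        print(finding)
    bad, good = sample_ports()[:2]
    print("untagged on uplink-1:", ingress(bad, None))    # None: dropped
    print("untagged on uplink-2:", ingress(good, None))   # 10
```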

Assigning an access port to a VLAN


About this task
You can assign an access port to a VLAN in VLAN view or interface view.

Assigning one or multiple access ports to a VLAN in VLAN view
1. Enter system view.
   system-view
2. Enter VLAN view.
   vlan vlan-id
3. Assign one or multiple access ports to the VLAN.
   port interface-list
   By default, all ports belong to VLAN 1.
Assigning an access port to a VLAN in interface view
1. Enter system view.
   system-view
2. Enter interface view.
   ○ Enter Layer 2 Ethernet interface view.
     interface interface-type interface-number
   ○ Enter Layer 2 aggregate interface view.
     interface bridge-aggregation interface-number
3. Set the port link type to access.
   port link-type access
   By default, all ports are access ports.
4. Assign the access port to a VLAN.
   port access vlan vlan-id
   By default, all access ports belong to VLAN 1.

Assigning a trunk port to a VLAN


About this task
A trunk port supports multiple VLANs. You can assign it to a VLAN in interface view.
Restrictions and guidelines
To change the link type of a port from trunk to hybrid, set the link type to access first.
To enable a trunk port to transmit packets from its PVID, you must assign the trunk port to the PVID
by using the port trunk permit vlan command.
Procedure
1. Enter system view.
   system-view
2. Enter interface view.
   ○ Enter Layer 2 Ethernet interface view.
     interface interface-type interface-number
   ○ Enter Layer 2 aggregate interface view.
     interface bridge-aggregation interface-number
3. Set the port link type to trunk.
   port link-type trunk
   By default, all ports are access ports.
4. Assign the trunk port to the specified VLANs.
   port trunk permit vlan { vlan-id-list | all }
   By default, a trunk port permits only VLAN 1.
5. (Optional.) Set the PVID for the trunk port.
   port trunk pvid vlan vlan-id
   The default setting is VLAN 1.

Assigning a hybrid port to a VLAN


About this task
A hybrid port supports multiple VLANs. You can assign it to the specified VLANs in interface view.
Make sure the VLANs have been created.
Restrictions and guidelines
To change the link type of a port from trunk to hybrid, set the link type to access first.
To enable a hybrid port to transmit packets from its PVID, you must assign the hybrid port to the PVID
by using the port hybrid vlan command.
Procedure
1. Enter system view.
   system-view
2. Enter interface view.
   ○ Enter Layer 2 Ethernet interface view.
     interface interface-type interface-number
   ○ Enter Layer 2 aggregate interface view.
     interface bridge-aggregation interface-number
3. Set the port link type to hybrid.
   port link-type hybrid
   By default, all ports are access ports.
4. Assign the hybrid port to the specified VLANs.
   port hybrid vlan vlan-id-list { tagged | untagged }
   By default, the hybrid port is an untagged member of the VLAN to which the port belongs when
   its link type is access.
5. (Optional.) Set the PVID for the hybrid port.
   port hybrid pvid vlan vlan-id
   By default, the PVID of a hybrid port is the ID of the VLAN to which the port belongs when its link
   type is access.

Configuring MAC-based VLANs


Restrictions and guidelines for MAC-based VLANs
• MAC-based VLANs are available only on hybrid ports.
• Do not configure a VLAN as both a super VLAN and a MAC-based VLAN.
• The MAC-based VLAN feature is mainly configured on downlink ports of user access devices.
Do not use this feature with link aggregation.

Configuring static MAC-based VLAN assignment
1. Enter system view.
system-view
2. Create a MAC-to-VLAN entry.
mac-vlan mac-address mac-address [ mask mac-mask ] vlan vlan-id [ dot1p
priority ]
By default, no MAC-to-VLAN entries exist.
3. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
4. Set the port link type to hybrid.
port link-type hybrid
By default, all ports are access ports.
5. Assign the hybrid port to the MAC-based VLANs.
port hybrid vlan vlan-id-list { tagged | untagged }
By default, a hybrid port is an untagged member of the VLAN to which the port belongs when its
link type is access.
6. Enable the MAC-based VLAN feature.
mac-vlan enable
By default, this feature is disabled.
7. (Optional.) Configure the system to assign VLANs based on the MAC address preferentially.
vlan precedence mac-vlan
By default, the system assigns VLANs based on the MAC address preferentially when both the
MAC-based VLAN and IP subnet-based VLAN are configured on a port.

Configuring dynamic MAC-based VLAN assignment


About this task
For successful dynamic MAC-based VLAN assignment, use static VLANs when you create
MAC-to-VLAN entries.
When a port joins a VLAN specified in the MAC-to-VLAN entry, one of the following events occurs
depending on the port configuration:
• If the port has not been configured to allow packets from the VLAN to pass through, the port
joins the VLAN as an untagged member.
• If the port has been configured to allow packets from the VLAN to pass through, the port
configuration remains the same.
The 802.1p priority of the VLAN in a MAC-to-VLAN entry determines the transmission priority of the
matching packets.
Restrictions and guidelines
• If you configure both static and dynamic MAC-based VLAN assignments on a port, dynamic
MAC-based VLAN assignment takes effect.
• As a best practice to ensure correct operation of 802.1X and MAC authentication, do not use
dynamic MAC-based VLAN assignment with 802.1X or MAC authentication.
• As a best practice, do not configure dynamic MAC-based VLAN assignment and disable
MAC address learning on the same port. If the two features are configured together on a port,
the port forwards only packets that exactly match the MAC-to-VLAN entries and drops packets
that do not match exactly.
• As a best practice, do not configure both dynamic MAC-based VLAN assignment and the MAC
learning limit on a port.
If the two features are configured together on a port and the port learns the configured
maximum number of MAC address entries, the port processes packets as follows:
○ Forwards only packets matching the MAC address entries learnt by the port.
○ Drops packets that do not match.
• As a best practice, do not use dynamic MAC-based VLAN assignment with MSTP. In MSTP
mode, if a port is blocked in the MSTI of its target VLAN, the port drops the received packets
instead of delivering them to the CPU. As a result, the port will not be dynamically assigned to
the target VLAN.
• As a best practice, do not use dynamic MAC-based VLAN assignment with PVST. In PVST
mode, if the target VLAN of a port is not permitted on the port, the port is placed in blocked state.
The port drops the received packets instead of delivering them to the CPU. As a result, the port
will not be dynamically assigned to the target VLAN.
• As a best practice, do not configure both dynamic MAC-based VLAN assignment and automatic
voice VLAN assignment mode on a port. They can have a negative impact on each other.
Procedure
1. Enter system view.
system-view
2. Create a MAC-to-VLAN entry.
mac-vlan mac-address mac-address vlan vlan-id [ dot1p priority ]
By default, no MAC-to-VLAN entries exist.
3. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
4. Set the port link type to hybrid.
port link-type hybrid
By default, all ports are access ports.
5. Enable the MAC-based VLAN feature.
mac-vlan enable
By default, MAC-based VLAN is disabled.
6. Enable dynamic MAC-based VLAN assignment.
mac-vlan trigger enable
By default, dynamic MAC-based VLAN assignment is disabled.
The VLAN assignment for a port is triggered only when the source MAC address of a packet
received on the port exactly matches the MAC address in a MAC-to-VLAN entry.
7. (Optional.) Configure the system to assign VLANs based on the MAC address preferentially.
vlan precedence mac-vlan
By default, the system assigns VLANs based on the MAC address preferentially when both the
MAC-based VLAN and IP subnet-based VLAN are configured on a port.
8. (Optional.) Disable the port from forwarding packets that fail the exact MAC address match in its
PVID.
port pvid forbidden
By default, when a port receives packets whose source MAC addresses fail the exact match,
the port forwards them in its PVID.
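The membership rules stated in the trunk, hybrid, and MAC-based VLAN procedures above can be checked mechanically before a configuration is applied. The following Python example is added here and is not H3C code: it audits a constructed set of interface sections, and the rule names, the sample configuration, and the `TRUNK_PERMITS_ALL` advisory are assumptions of the example.

```python
# Constructed sample: interface sections written with the commands from the
# procedures on this page, one command per line, sections separated by "#".
SAMPLE_CONFIG = """\
interface Twenty-FiveGigE1/0/1
 port link-type hybrid
 port hybrid vlan 100 200 untagged
 mac-vlan enable
 mac-vlan trigger enable
#
interface Twenty-FiveGigE1/0/2
 port link-type trunk
 port trunk permit vlan 100 to 110 200
 port trunk pvid vlan 300
#
interface Twenty-FiveGigE1/0/3
 port link-type trunk
 port trunk permit vlan all
#
interface Twenty-FiveGigE1/0/4
 mac-vlan enable
#
interface Twenty-FiveGigE1/0/5
 port link-type hybrid
 port hybrid vlan 100 tagged
 port hybrid pvid vlan 100
 mac-vlan enable
 mac-vlan trigger enable
 port pvid forbidden
"""


def parse_vlan_list(tokens):
    """Expand a vlan-id-list such as ['100', 'to', '110', '200'] into a set."""
    vlans, i = set(), 0
    while i < len(tokens):
        if tokens[i + 1:i + 2] == ["to"]:
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit_port(cmds):
    """Return the rule IDs that one port's command list triggers."""
    link_type, pvid = "access", 1        # defaults: access port, PVID VLAN 1
    permitted, permit_all = {1}, False   # default membership: VLAN 1 only
    for cmd in cmds:
        words = cmd.split()
        if cmd.startswith("port link-type "):
            link_type = words[2]
        elif cmd.startswith("port trunk permit vlan "):
            if words[4] == "all":
                permit_all = True
            else:
                permitted |= parse_vlan_list(words[4:])
        elif cmd.startswith("port hybrid vlan "):
            permitted |= parse_vlan_list(words[3:-1])   # drop tagged/untagged
        elif cmd.startswith(("port trunk pvid vlan ", "port hybrid pvid vlan ")):
            pvid = int(words[4])

    findings = []
    # MAC-based VLANs are available only on hybrid ports.
    if "mac-vlan enable" in cmds and link_type != "hybrid":
        findings.append("MACVLAN_NOT_HYBRID")
    # A trunk or hybrid port transmits PVID traffic only if it is assigned
    # to the PVID VLAN.
    if link_type in ("trunk", "hybrid") and not permit_all and pvid not in permitted:
        findings.append("PVID_NOT_PERMITTED")
    # Without "port pvid forbidden", packets that fail the exact MAC match
    # are forwarded in the PVID.
    if "mac-vlan trigger enable" in cmds and "port pvid forbidden" not in cmds:
        findings.append("UNMATCHED_FORWARDED_IN_PVID")
    # Advisory of this example, not a rule stated in the guide: the port is
    # assigned to all VLANs rather than to a specific list.
    if permit_all:
        findings.append("TRUNK_PERMITS_ALL")
    return findings


def audit_config(config):
    """Map each interface name to the list of findings for that port."""
    report = {}
    for section in config.split("\n#\n"):
        lines = [line.strip() for line in section.strip().splitlines()]
        if lines and lines[0].startswith("interface "):
            report[lines[0].split(None, 1)[1]] = audit_port(lines[1:])
    return report


if __name__ == "__main__":
    for port, findings in audit_config(SAMPLE_CONFIG).items():
        print(port, findings or "ok")
```

The defaults used for ports that carry no explicit membership command (access link type, VLAN 1, PVID 1) are the defaults stated in the procedures above.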

Configuring server-assigned MAC-based VLAN
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Set the port link type to hybrid.
port link-type hybrid
By default, all ports are access ports.
4. Assign the hybrid port to the MAC-based VLANs.
port hybrid vlan vlan-id-list { tagged | untagged }
By default, a hybrid port is an untagged member of the VLAN to which the port belongs when its
link type is access.
5. Enable the MAC-based VLAN feature.
mac-vlan enable
By default, MAC-based VLAN is disabled.
6. Configure 802.1X or MAC authentication.
For more information, see Security Command Reference.

Configuring IP subnet-based VLANs


Restrictions and guidelines
This feature is available only on hybrid ports, and it processes only untagged packets.
Procedure
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Associate the VLAN with an IP subnet or IP address.
ip-subnet-vlan [ ip-subnet-index ] ip ip-address [ mask ]
By default, a VLAN is not associated with an IP subnet or IP address.
A multicast subnet or a multicast address cannot be associated with a VLAN.
4. Return to system view.
quit
5. Enter interface view.
○ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
○ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
6. Set the port link type to hybrid.
port link-type hybrid
By default, all ports are access ports.
7. Assign the hybrid port to the specified IP subnet-based VLANs.
port hybrid vlan vlan-id-list { tagged | untagged }
By default, a hybrid port is an untagged member of the VLAN to which the port belongs when its
link type is access.
8. Associate the hybrid port with the specified IP subnet-based VLAN.
port hybrid ip-subnet-vlan vlan vlan-id
By default, a hybrid port is not associated with a subnet-based VLAN.

Configuring protocol-based VLANs


About this task
A protocol-based VLAN has one or multiple protocol templates. A protocol template defines a
protocol type and an encapsulation format as the match criteria to match inbound packets. Each
protocol template has a unique index in the protocol-based VLAN. All protocol templates in a
protocol-based VLAN have the same VLAN ID.
For a port to assign inbound packets to protocol-based VLANs, perform the following tasks:
• Assign the port to the protocol-based VLANs.
• Associate the port with the protocol templates of the protocol-based VLANs.
When an untagged packet arrives at the port, the port processes the packet as follows:
• If the protocol type and encapsulation format in the packet match a protocol template, the port
tags the packet with the VLAN tag specific to the protocol template.
• If no protocol templates are matched, the port tags the packet with its PVID.
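How a port picks the VLAN for a frame from its protocol type and encapsulation format, as an added Python example (not H3C code). The templates are the ones used in the protocol-based VLAN configuration example in this chapter; modelling the `ipv4` and `ipv6` keywords as Ethernet II EtherTypes 0x0800 and 0x86DD, the function names, and the frames are assumptions of the example.

```python
import struct

# Templates from the protocol-based VLAN example in this chapter, as
# (VLAN ID, protocol index, encapsulation format, protocol ID).
# Assumption: ipv4 and ipv6 are modelled as Ethernet II EtherTypes.
TEMPLATES = [
    (100, 1, "ethernetii", 0x0800),  # protocol-vlan 1 ipv4
    (100, 2, "ethernetii", 0x0806),  # protocol-vlan 2 mode ethernetii etype 0806
    (200, 1, "ethernetii", 0x86DD),  # protocol-vlan 1 ipv6
]


def build_frame(type_len, payload=b""):
    """Build a constructed frame: fixed MACs, type/length field, zero padding."""
    dst, src = bytes.fromhex("ffffffffffff"), bytes.fromhex("000d88f84e71")
    return (dst + src + struct.pack("!H", type_len) + payload).ljust(60, b"\x00")


def encapsulation(frame):
    """Return (encapsulation format, protocol ID) of an untagged frame."""
    (type_len,) = struct.unpack("!H", frame[12:14])
    if type_len >= 0x0600:                  # field holds an EtherType
        return "ethernetii", type_len
    payload = frame[14:]                    # field holds an 802.3 length
    if payload[:2] == b"\xff\xff":          # raw 802.3, no LLC header
        return "raw", None
    dsap, ssap = payload[0], payload[1]
    if (dsap, ssap) == (0xAA, 0xAA):        # SNAP: control, OUI, EtherType
        (etype,) = struct.unpack("!H", payload[6:8])
        return "snap", etype
    return "llc", (dsap, ssap)


def classify(frame, pvid, templates=TEMPLATES):
    """Return (VLAN ID, reason) for a frame received on a hybrid port."""
    if len(frame) < 22:
        raise ValueError("frame too short to classify")
    (type_len,) = struct.unpack("!H", frame[12:14])
    if type_len == 0x8100:                  # 802.1Q tagged: templates not used
        (tci,) = struct.unpack("!H", frame[14:16])
        return tci & 0x0FFF, "tag"
    encap, proto = encapsulation(frame)
    for vlan, index, t_encap, t_proto in templates:
        # Both the encapsulation format and the protocol type must match.
        if (encap, proto) == (t_encap, t_proto):
            return vlan, f"template {index}"
    return pvid, "pvid"                     # no template matched


if __name__ == "__main__":
    samples = {
        "IPv4, Ethernet II": build_frame(0x0800, b"\x45"),
        "ARP, Ethernet II": build_frame(0x0806),
        "IPv6, Ethernet II": build_frame(0x86DD, b"\x60"),
        "LLDP, Ethernet II": build_frame(0x88CC),
        "ARP, SNAP": build_frame(0x0008, bytes.fromhex("aaaa030000000806")),
    }
    for name, frame in samples.items():
        print(f"{name:20} -> {classify(frame, pvid=1)}")
```

A SNAP-encapsulated ARP frame does not match the `mode ethernetii etype 0806` template and is placed in the PVID, so the PVID of such a port still receives every protocol and encapsulation that the templates do not name.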
Restrictions and guidelines
The voice VLAN in automatic mode processes only tagged voice traffic. Do not configure a VLAN as
both a protocol-based VLAN and a voice VLAN.
Procedure
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Associate the VLAN with a protocol template.
protocol-vlan [ protocol-index ] { at | ipv4 | ipv6 | ipx { ethernetii |
llc | raw | snap } | mode { ethernetii etype etype-id | llc { dsap dsap-id
[ ssap ssap-id ] | ssap ssap-id } | snap etype etype-id } }
By default, a VLAN is not associated with a protocol template.
4. Exit VLAN view.
quit
5. Enter interface view.
○ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
○ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
6. Set the port link type to hybrid.
port link-type hybrid
By default, all ports are access ports.

7. Assign the hybrid port to the specified protocol-based VLANs.
port hybrid vlan vlan-id-list { tagged | untagged }
By default, a hybrid port is an untagged member of the VLAN to which the port belongs when its
link type is access.
8. Associate the hybrid port with the specified protocol-based VLAN.
port hybrid protocol-vlan vlan vlan-id { protocol-index [ to
protocol-end ] | all }
By default, a hybrid port is not associated with a protocol-based VLAN.

Configuring a VLAN group


About this task
A VLAN group includes a set of VLANs.
On an authentication server, a VLAN group name represents a group of authorization VLANs. When
an 802.1X or MAC authentication user passes authentication, the authentication server assigns a
VLAN group name to the device. The device then uses the received VLAN group name to match the
locally configured VLAN group names. If a match is found, the device selects a VLAN from the group
and assigns the VLAN to the user. For more information about 802.1X and MAC authentication, see
Security Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Create a VLAN group and enter its view.
vlan-group group-name
3. Add VLANs to the VLAN group.
vlan-list vlan-id-list
By default, no VLANs exist in a VLAN group.
You can add multiple VLAN lists to a VLAN group.

Configuring VLAN interfaces


Restrictions and guidelines
• You cannot create VLAN interfaces for sub-VLANs. For more information about sub-VLANs,
see "Configuring super VLANs."
• You cannot create VLAN interfaces for secondary VLANs that have the following
characteristics:
○ Associated with the same primary VLAN.
○ Enabled with Layer 3 communication in VLAN interface view of the primary VLAN interface.
For more information about secondary VLANs, see "Configuring private VLAN."

VLAN interfaces configuration tasks at a glance


To configure VLAN interfaces, perform the following tasks:
1. Creating a VLAN interface
2. (Optional.) Specifying a traffic processing slot for the VLAN interface
3. (Optional.) Restoring the default settings for the VLAN interface

Prerequisites
Before you create a VLAN interface for a VLAN, create the VLAN first.

Creating a VLAN interface


1. Enter system view.
system-view
2. Create a VLAN interface and enter its view.
interface vlan-interface interface-number
3. Assign an IP address to the VLAN interface.
ip address ip-address { mask | mask-length } [ sub ]
By default, no IP address is assigned to a VLAN interface.
4. (Optional.) Configure the description for the VLAN interface.
description text
The default setting is the VLAN interface name. For example, Vlan-interface1 Interface.
5. (Optional.) Set the MTU for the VLAN interface.
mtu size
By default, the MTU of a VLAN interface is 1500 bytes.
6. (Optional.) Set a MAC address for the VLAN interface.
mac-address mac-address
By default, no MAC addresses are set for a VLAN interface.
7. (Optional.) Set the expected bandwidth for the interface.
bandwidth bandwidth-value
By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.
8. Bring up the VLAN interface.
undo shutdown
By default, a VLAN interface is not manually shut down. The status of the VLAN interface
depends on the status of member ports of the VLAN.

Specifying a traffic processing slot for the VLAN interface


About this task
Specify a traffic processing slot for a VLAN interface if all traffic on the VLAN interface must be
processed on the same slot.
Procedure
1. Enter system view.
system-view
2. Enter a VLAN interface view.
interface vlan-interface interface-number
3. Specify a traffic processing slot for the VLAN interface.
service slot slot-number
By default, no traffic processing slot is specified for the VLAN interface.

Restoring the default settings for the VLAN interface
Restrictions and guidelines

CAUTION:
This feature might interrupt ongoing network services. Make sure you are fully aware of the impact of
this feature when you use it on a live network.

This feature might fail to restore the default settings for some commands for reasons such as
command dependencies or system restrictions. Use the display this command in interface view
to identify these commands, and then use their undo forms or follow the command reference to
restore their default settings. If your restoration attempt still fails, follow the error message
instructions to resolve the problem.
Procedure
1. Enter system view.
system-view
2. Enter a VLAN interface view.
interface vlan-interface interface-number
3. Restore the default settings for the VLAN interface.
default

Display and maintenance commands for VLANs


Execute display commands in any view and reset commands in user view.

Task: Display VLAN interface information.
Command: display interface [ vlan-interface [ interface-number ] ] [ brief [ description | down ] ]

Task: Display information about IP subnet-based VLANs that are associated with the specified ports.
Command: display ip-subnet-vlan interface { interface-type interface-number1 [ to interface-type interface-number2 ] | all }

Task: Display information about IP subnet-based VLANs.
Command: display ip-subnet-vlan vlan { vlan-id1 [ to vlan-id2 ] | all }

Task: Display hybrid ports or trunk ports on the device.
Command: display port { hybrid | trunk }

Task: Display information about protocol-based VLANs that are associated with the specified ports.
Command: display protocol-vlan interface { interface-type interface-number1 [ to interface-type interface-number2 ] | all }

Task: Display information about protocol-based VLANs.
Command: display protocol-vlan vlan { vlan-id1 [ to vlan-id2 ] | all }

Task: Display VLAN information.
Command: display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | reserved | static ]

Task: Display brief VLAN information.
Command: display vlan brief

Task: Display VLAN group information.
Command: display vlan-group [ group-name ]

Task: Clear statistics on a VLAN interface.
Command: reset counters interface [ vlan-interface [ interface-number ] ]

Task: Display MAC-to-VLAN entries.
Command: display mac-vlan { all | dynamic | mac-address mac-address [ mask mac-mask ] | static | vlan vlan-id }

Task: Display all ports that are enabled with the MAC-based VLAN feature.
Command: display mac-vlan interface

VLAN configuration examples


Example: Configuring port-based VLANs
Network configuration
As shown in Figure 3:
• Host A and Host C belong to Department A. VLAN 100 is assigned to Department A.
• Host B and Host D belong to Department B. VLAN 200 is assigned to Department B.
Configure port-based VLANs so that only hosts in the same department can communicate with each
other.
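Figure 3 Network diagram
[Network diagram: Device A and Device B are connected through WGE1/0/3 on each device. On Device A, WGE1/0/1 connects Host A (VLAN 100) and WGE1/0/2 connects Host B (VLAN 200). On Device B, WGE1/0/1 connects Host C (VLAN 100) and WGE1/0/2 connects Host D (VLAN 200).]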

Procedure
1. Configure Device A:
# Create VLAN 100, and assign Twenty-FiveGigE 1/0/1 to VLAN 100.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] port twenty-fivegige 1/0/1
[DeviceA-vlan100] quit
# Create VLAN 200, and assign Twenty-FiveGigE 1/0/2 to VLAN 200.
[DeviceA] vlan 200
[DeviceA-vlan200] port twenty-fivegige 1/0/2
[DeviceA-vlan200] quit
# Configure Twenty-FiveGigE 1/0/3 as a trunk port, and assign the port to VLANs 100 and 200.
[DeviceA] interface twenty-fivegige 1/0/3
[DeviceA-Twenty-FiveGigE1/0/3] port link-type trunk
[DeviceA-Twenty-FiveGigE1/0/3] port trunk permit vlan 100 200
Please wait... Done.
2. Configure Device B in the same way Device A is configured. (Details not shown.)
3. Configure hosts:
a. Configure Host A and Host C to be on the same IP subnet, for example, 192.168.100.0/24.
b. Configure Host B and Host D to be on the same IP subnet, for example, 192.168.200.0/24.
Verifying the configuration
# Verify that Host A and Host C can ping each other, but they both fail to ping Host B and Host D.
(Details not shown.)
# Verify that Host B and Host D can ping each other, but they both fail to ping Host A and Host C.
(Details not shown.)
# Verify that VLANs 100 and 200 are correctly configured on Device A.
[DeviceA-Twenty-FiveGigE1/0/3] display vlan 100
VLAN ID: 100
VLAN type: Static
Route interface: Not configured
Description: VLAN 0100
Name: VLAN 0100
Tagged ports:
Twenty-FiveGigE1/0/3
Untagged ports:
Twenty-FiveGigE1/0/1
[DeviceA-Twenty-FiveGigE1/0/3] display vlan 200
VLAN ID: 200
VLAN type: Static
Route interface: Not configured
Description: VLAN 0200
Name: VLAN 0200
Tagged ports:
Twenty-FiveGigE1/0/3
Untagged ports:
Twenty-FiveGigE1/0/2

Example: Configuring MAC-based VLANs


Network configuration
As shown in Figure 4:
• Twenty-FiveGigE 1/0/1 of Device A and Device C are each connected to a meeting room.
Laptop 1 and Laptop 2 are used for meetings and might be used in either of the two meeting
rooms.
• One department uses VLAN 100 and owns Laptop 1. The other department uses VLAN 200
and owns Laptop 2.
Configure MAC-based VLANs, so that Laptop 1 and Laptop 2 can access Server 1 and Server 2,
respectively, no matter which meeting room they are used in.

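Figure 4 Network diagram
[Network diagram: Device B connects to Server1 (VLAN 100, IP 1.1.1.1/24) through WGE1/0/3 and to Server2 (VLAN 200, IP 1.1.2.1/24) through WGE1/0/4. WGE1/0/1 and WGE1/0/2 of Device B connect to WGE1/0/2 of Device A and WGE1/0/2 of Device C. WGE1/0/1 of Device A and WGE1/0/1 of Device C each connect to a meeting room. Laptop1 (VLAN 100): IP 1.1.1.2/24, MAC 000d-88f8-4e71. Laptop2 (VLAN 200): IP 1.1.2.2/24, MAC 0014-222c-aa69.]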

Procedure
1. Configure Device A:
# Create VLANs 100 and 200.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] quit
[DeviceA] vlan 200
[DeviceA-vlan200] quit
# Associate the MAC addresses of Laptop 1 and Laptop 2 with VLANs 100 and 200,
respectively.
[DeviceA] mac-vlan mac-address 000d-88f8-4e71 vlan 100
[DeviceA] mac-vlan mac-address 0014-222c-aa69 vlan 200
# Configure Twenty-FiveGigE 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as an
untagged VLAN member.
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port link-type hybrid
[DeviceA-Twenty-FiveGigE1/0/1] port hybrid vlan 100 200 untagged
# Enable the MAC-based VLAN feature on Twenty-FiveGigE 1/0/1.
[DeviceA-Twenty-FiveGigE1/0/1] mac-vlan enable
[DeviceA-Twenty-FiveGigE1/0/1] quit
# Configure the uplink port (Twenty-FiveGigE 1/0/2) as a trunk port, and assign it to VLANs 100
and 200.
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] port link-type trunk
[DeviceA-Twenty-FiveGigE1/0/2] port trunk permit vlan 100 200
[DeviceA-Twenty-FiveGigE1/0/2] quit
2. Configure Device B:
# Create VLAN 100, and assign Twenty-FiveGigE 1/0/3 to VLAN 100.
<DeviceB> system-view
[DeviceB] vlan 100
[DeviceB-vlan100] port twenty-fivegige 1/0/3
[DeviceB-vlan100] quit
# Create VLAN 200 and assign Twenty-FiveGigE 1/0/4 to VLAN 200.
[DeviceB] vlan 200
[DeviceB-vlan200] port twenty-fivegige 1/0/4
[DeviceB-vlan200] quit
# Configure Twenty-FiveGigE 1/0/1 as a trunk port, and assign the port to VLANs 100 and 200.
[DeviceB] interface twenty-fivegige 1/0/1
[DeviceB-Twenty-FiveGigE1/0/1] port link-type trunk
[DeviceB-Twenty-FiveGigE1/0/1] port trunk permit vlan 100 200
[DeviceB-Twenty-FiveGigE1/0/1] quit
# Configure Twenty-FiveGigE 1/0/2 as a trunk port, and assign the port to VLANs 100 and 200.
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] port link-type trunk
[DeviceB-Twenty-FiveGigE1/0/2] port trunk permit vlan 100 200
[DeviceB-Twenty-FiveGigE1/0/2] quit
3. Configure Device C in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Verify that Laptop 1 can access only Server 1, and Laptop 2 can access only Server 2. (Details not
shown.)
# Verify the MAC-to-VLAN entries on Device A and Device C, for example, on Device A.
[DeviceA] display mac-vlan all
The following MAC VLAN addresses exist:
S:Static  D:Dynamic
MAC address      Mask             VLAN ID  Dot1p  State
000d-88f8-4e71   ffff-ffff-ffff   100      0      S
0014-222c-aa69   ffff-ffff-ffff   200      0      S

Total MAC VLAN address count: 2

Example: Configuring IP subnet-based VLANs


Network configuration
As shown in Figure 5, the hosts in the office belong to different IP subnets.
Configure Device C to transmit packets from 192.168.5.0/24 and 192.168.50.0/24 in VLANs 100 and
200, respectively.

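Figure 5 Network diagram
[Network diagram: Device C connects to Device A (VLAN 100) through WGE1/0/2 and to Device B (VLAN 200) through WGE1/0/3. WGE1/0/1 of Device C connects to the office, whose hosts are in subnets 192.168.5.0/24 and 192.168.50.0/24.]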

Procedure
1. Configure Device C:
# Associate IP subnet 192.168.5.0/24 with VLAN 100.
<DeviceC> system-view
[DeviceC] vlan 100
[DeviceC-vlan100] ip-subnet-vlan ip 192.168.5.0 255.255.255.0
[DeviceC-vlan100] quit
# Associate IP subnet 192.168.50.0/24 with VLAN 200.
[DeviceC] vlan 200
[DeviceC-vlan200] ip-subnet-vlan ip 192.168.50.0 255.255.255.0
[DeviceC-vlan200] quit
# Configure Twenty-FiveGigE 1/0/2 as a hybrid port, and assign it to VLAN 100 as a tagged
VLAN member.
[DeviceC] interface twenty-fivegige 1/0/2
[DeviceC-Twenty-FiveGigE1/0/2] port link-type hybrid
[DeviceC-Twenty-FiveGigE1/0/2] port hybrid vlan 100 tagged
[DeviceC-Twenty-FiveGigE1/0/2] quit
# Configure Twenty-FiveGigE 1/0/3 as a hybrid port, and assign it to VLAN 200 as a tagged
VLAN member.
[DeviceC] interface twenty-fivegige 1/0/3
[DeviceC-Twenty-FiveGigE1/0/3] port link-type hybrid
[DeviceC-Twenty-FiveGigE1/0/3] port hybrid vlan 200 tagged
[DeviceC-Twenty-FiveGigE1/0/3] quit
# Configure Twenty-FiveGigE 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as an
untagged VLAN member.
[DeviceC] interface twenty-fivegige 1/0/1
[DeviceC-Twenty-FiveGigE1/0/1] port link-type hybrid
[DeviceC-Twenty-FiveGigE1/0/1] port hybrid vlan 100 200 untagged
# Associate Twenty-FiveGigE 1/0/1 with the IP subnet-based VLANs 100 and 200.
[DeviceC-Twenty-FiveGigE1/0/1] port hybrid ip-subnet-vlan vlan 100
[DeviceC-Twenty-FiveGigE1/0/1] port hybrid ip-subnet-vlan vlan 200
[DeviceC-Twenty-FiveGigE1/0/1] quit
2. Configure Device A and Device B to forward packets from VLANs 100 and 200, respectively.
(Details not shown.)
Verifying the configuration
# Verify the IP subnet-based VLAN configuration on Device C.
[DeviceC] display ip-subnet-vlan vlan all
VLAN ID: 100
Subnet index  IP address      Subnet mask
0             192.168.5.0     255.255.255.0

VLAN ID: 200
Subnet index  IP address      Subnet mask
0             192.168.50.0    255.255.255.0

# Verify the IP subnet-based VLAN configuration on Twenty-FiveGigE 1/0/1 of Device C.
[DeviceC] display ip-subnet-vlan interface twenty-fivegige 1/0/1
Interface: Twenty-FiveGigE1/0/1
VLAN ID  Subnet index  IP address      Subnet mask     Status
100      0             192.168.5.0     255.255.255.0   Active
200      0             192.168.50.0    255.255.255.0   Active

Example: Configuring protocol-based VLANs


Network configuration
As shown in Figure 6:
• The majority of hosts in a lab environment run the IPv4 protocol.
• The other hosts run the IPv6 protocol for teaching purposes.
To isolate IPv4 and IPv6 traffic at Layer 2, configure protocol-based VLANs to associate the IPv4 and
ARP protocols with VLAN 100, and associate the IPv6 protocol with VLAN 200.

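Figure 6 Network diagram
[Network diagram: Device connects to the IPv4 server (VLAN 100) through WGE1/0/3 and to the IPv6 server (VLAN 200) through WGE1/0/4. WGE1/0/1 connects to L2 switch A, which serves IPv4 host A (VLAN 100) and IPv6 host A (VLAN 200). WGE1/0/2 connects to L2 switch B, which serves IPv4 host B (VLAN 100) and IPv6 host B (VLAN 200).]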

Procedure
In this example, L2 Switch A and L2 Switch B use the factory configuration.
1. Configure Device:
# Create VLAN 100, and configure the description for VLAN 100 as protocol VLAN for IPv4.
<Device> system-view
[Device] vlan 100
[Device-vlan100] description protocol VLAN for IPv4
# Assign Twenty-FiveGigE 1/0/3 to VLAN 100.
[Device-vlan100] port twenty-fivegige 1/0/3
[Device-vlan100] quit
# Create VLAN 200, and configure the description for VLAN 200 as protocol VLAN for IPv6.
[Device] vlan 200
[Device-vlan200] description protocol VLAN for IPv6
# Assign Twenty-FiveGigE 1/0/4 to VLAN 200.
[Device-vlan200] port twenty-fivegige 1/0/4
# Configure VLAN 200 as a protocol-based VLAN, and create an IPv6 protocol template with
the index 1 for VLAN 200.
[Device-vlan200] protocol-vlan 1 ipv6
[Device-vlan200] quit
# Configure VLAN 100 as a protocol-based VLAN. Create an IPv4 protocol template with the
index 1, and create an ARP protocol template with the index 2. (In Ethernet II encapsulation, the
protocol type ID for ARP is 0806 in hexadecimal notation.)
[Device] vlan 100
[Device-vlan100] protocol-vlan 1 ipv4
[Device-vlan100] protocol-vlan 2 mode ethernetii etype 0806
[Device-vlan100] quit

# Configure Twenty-FiveGigE 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as an
untagged VLAN member.
[Device] interface twenty-fivegige 1/0/1
[Device-Twenty-FiveGigE1/0/1] port link-type hybrid
[Device-Twenty-FiveGigE1/0/1] port hybrid vlan 100 200 untagged
# Associate Twenty-FiveGigE 1/0/1 with the IPv4 and ARP protocol templates of VLAN 100 and
the IPv6 protocol template of VLAN 200.
[Device-Twenty-FiveGigE1/0/1] port hybrid protocol-vlan vlan 100 1 to 2
[Device-Twenty-FiveGigE1/0/1] port hybrid protocol-vlan vlan 200 1
[Device-Twenty-FiveGigE1/0/1] quit
# Configure Twenty-FiveGigE 1/0/2 as a hybrid port, and assign it to VLANs 100 and 200 as an
untagged VLAN member.
[Device] interface twenty-fivegige 1/0/2
[Device-Twenty-FiveGigE1/0/2] port link-type hybrid
[Device-Twenty-FiveGigE1/0/2] port hybrid vlan 100 200 untagged
# Associate Twenty-FiveGigE 1/0/2 with the IPv4 and ARP protocol templates of VLAN 100 and
the IPv6 protocol template of VLAN 200.
[Device-Twenty-FiveGigE1/0/2] port hybrid protocol-vlan vlan 100 1 to 2
[Device-Twenty-FiveGigE1/0/2] port hybrid protocol-vlan vlan 200 1
[Device-Twenty-FiveGigE1/0/2] quit
2. Configure hosts and servers:
a. Configure IPv4 Host A, IPv4 Host B, and IPv4 server to be on the same network segment
(192.168.100.0/24, for example). (Details not shown.)
b. Configure IPv6 Host A, IPv6 Host B, and IPv6 server to be on the same network segment
(2001::1/64, for example). (Details not shown.)
Verifying the configuration
1. Verify the following:
○ The hosts and the server in VLAN 100 can successfully ping one another. (Details not
shown.)
○ The hosts and the server in VLAN 200 can successfully ping one another. (Details not
shown.)
○ The hosts or the server in VLAN 100 cannot ping the hosts or server in VLAN 200. (Details
not shown.)
2. Verify the protocol-based VLAN configuration:
# Display protocol-based VLANs on Device.
[Device] display protocol-vlan vlan all
VLAN ID: 100
Protocol index  Protocol type
1               IPv4
2               Ethernet II Etype 0x0806

VLAN ID: 200
Protocol index  Protocol type
1               IPv6
# Display protocol-based VLANs on the ports of Device.
[Device] display protocol-vlan interface all
Interface: Twenty-FiveGigE1/0/1
VLAN ID  Protocol index  Protocol type             Status
100      1               IPv4                      Active
100      2               Ethernet II Etype 0x0806  Active
200      1               IPv6                      Active

Interface: Twenty-FiveGigE 1/0/2
VLAN ID  Protocol index  Protocol type             Status
100      1               IPv4                      Active
100      2               Ethernet II Etype 0x0806  Active
200      1               IPv6                      Active

Configuring super VLANs
About super VLANs
Hosts in a VLAN typically use IP addresses in the same subnet. For Layer 3 interoperability with
other VLANs, you can create a VLAN interface for the VLAN and assign an IP address to it. This
requires a large number of IP addresses.
The super VLAN feature was introduced to save IP addresses. A super VLAN is associated with
multiple sub-VLANs. These sub-VLANs use the VLAN interface of the super VLAN (also known as a
super VLAN interface) as the gateway for Layer 3 communication.
You can create a VLAN interface for a super VLAN and assign an IP address to it. However, you
cannot create a VLAN interface for a sub-VLAN. You can assign a physical port to a sub-VLAN, but
you cannot assign a physical port to a super VLAN. Sub-VLANs are isolated at Layer 2.
To enable Layer 3 communication between sub-VLANs, perform the following tasks:
1. Create a super VLAN and the VLAN interface for the super VLAN.
2. Enable local proxy ARP or ND on the super VLAN interface as follows:
○ In an IPv4 network, enable local proxy ARP on the super VLAN interface. The super VLAN
can then process ARP requests and replies sent from the sub-VLANs.
○ In an IPv6 network, enable local proxy ND on the super VLAN interface. The super VLAN
can then process the NS and NA messages sent from the sub-VLANs.

Restrictions and guidelines: Super VLAN configuration
• The VLAN of a MAC address-to-VLAN entry cannot be configured as a super VLAN.
• A VLAN cannot be configured as both a super VLAN and a guest VLAN, Auth-Fail VLAN, or
critical VLAN. For more information about guest VLANs, Auth-Fail VLANs, and critical VLANs,
see Security Configuration Guide.
• A VLAN cannot be configured as both a super VLAN and a sub-VLAN.
• Layer 2 multicast configuration for super VLANs does not take effect because they do not have
physical ports.

Super VLAN tasks at a glance


To configure a super VLAN, perform the following tasks:
1. Creating a sub-VLAN
2. Configuring a super VLAN
3. Configuring a super VLAN interface

Creating a sub-VLAN
1. Enter system view.
system-view
2. Create a sub-VLAN.
vlan vlan-id-list
By default, only the system default VLAN (VLAN 1) exists.

Configuring a super VLAN


1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Configure the VLAN as a super VLAN.
supervlan
By default, a VLAN is not a super VLAN.
4. Associate the super VLAN with the sub-VLANs.
subvlan vlan-id-list
Make sure the sub-VLANs already exist before associating them with a super VLAN.

Configuring a super VLAN interface


Restrictions and guidelines
As a best practice, do not configure VRRP for a super VLAN interface because the configuration
affects network performance. For more information about VRRP, see High Availability Configuration
Guide.
Procedure
1. Enter system view.
system-view
2. Create a VLAN interface and enter its view.
interface vlan-interface interface-number
The value for the interface-number argument must be the super VLAN ID.
3. Configure an IP address for the super VLAN interface.
IPv4:
ip address ip-address { mask-length | mask } [ sub ]
IPv6:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
By default, no IP address is configured for a VLAN interface.
4. Configure Layer 3 communication between sub-VLANs by enabling local proxy ARP or ND.
IPv4:
local-proxy-arp enable
By default:
○ Sub-VLANs cannot communicate with each other at Layer 3.
○ Local proxy ARP is disabled.
For more information about local proxy ARP, see Layer 3—IP Services Configuration Guide.
IPv6:
local-proxy-nd enable
By default:
○ Sub-VLANs cannot communicate with each other at Layer 3.
○ Local proxy ND is disabled.
For more information about local proxy ND, see Layer 3—IP Services Configuration Guide.
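The super VLAN restrictions in this chapter can be checked on a planned configuration before it is applied. The following Python example is added here and is not H3C code; the rule names and both plans are constructed for the example, and VLAN lists are assumed to be written without `to` ranges.

```python
import re

# Constructed plan with deliberate mistakes, written with commands from this
# chapter, one command per line, sections separated by "#".
BAD_PLAN = """\
vlan 2
#
vlan 3
#
vlan 10
 supervlan
 subvlan 2 3 5
#
vlan 20
 supervlan
 subvlan 10
 port twenty-fivegige 1/0/7
#
interface Vlan-interface10
 ip address 10.1.1.1 255.255.255.0
#
interface Vlan-interface3
 ip address 10.1.3.1 255.255.255.0
#
mac-vlan mac-address 000d-88f8-4e71 vlan 20
"""

# Constructed plan that follows the super VLAN configuration example.
PAGE_PLAN = """\
vlan 2
 port twenty-fivegige 1/0/1 twenty-fivegige 1/0/2
#
vlan 3
 port twenty-fivegige 1/0/3 twenty-fivegige 1/0/4
#
vlan 5
 port twenty-fivegige 1/0/5 twenty-fivegige 1/0/6
#
vlan 10
 supervlan
 subvlan 2 3 5
#
interface Vlan-interface10
 ip address 10.1.1.1 255.255.255.0
 local-proxy-arp enable
"""


def validate(plan):
    """Return sorted (rule, VLAN ID) findings for a planned configuration."""
    created, supers, with_ports, proxy = set(), {}, set(), {}
    for section in plan.split("\n#\n"):
        lines = [line.strip() for line in section.strip().splitlines()]
        if not lines:
            continue
        head, body = lines[0], lines[1:]
        vlan = re.fullmatch(r"vlan (\d+)", head)
        intf = re.fullmatch(r"interface vlan-interface ?(\d+)", head, re.I)
        if vlan:
            vid = int(vlan.group(1))
            created.add(vid)
            if "supervlan" in body:
                supers[vid] = {int(t) for cmd in body
                               if cmd.startswith("subvlan ")
                               for t in cmd.split()[1:]}
            if any(cmd.startswith("port ") for cmd in body):
                with_ports.add(vid)
        elif intf:
            proxy[int(intf.group(1))] = bool(
                {"local-proxy-arp enable", "local-proxy-nd enable"} & set(body))
    mac_vlans = {int(m.group(1)) for m in
                 re.finditer(r"^mac-vlan mac-address .+ vlan (\d+)", plan, re.M)}
    subs = set().union(*supers.values())

    findings = []
    for sup, members in supers.items():
        # Sub-VLANs must already exist before they are associated.
        findings += [("SUB_NOT_CREATED", v) for v in members - created]
        # A physical port cannot be assigned to a super VLAN.
        if sup in with_ports:
            findings.append(("PORT_IN_SUPER", sup))
        # The VLAN of a MAC-to-VLAN entry cannot be a super VLAN.
        if sup in mac_vlans:
            findings.append(("MACVLAN_ON_SUPER", sup))
        # Without local proxy ARP or ND on the super VLAN interface, the
        # sub-VLANs cannot communicate with each other at Layer 3.
        if not proxy.get(sup):
            findings.append(("NO_LOCAL_PROXY", sup))
    # A VLAN cannot be both a super VLAN and a sub-VLAN.
    findings += [("SUPER_AND_SUB", v) for v in subs & set(supers)]
    # A VLAN interface cannot be created for a sub-VLAN.
    findings += [("INTERFACE_ON_SUB", v) for v in (subs - set(supers)) & set(proxy)]
    return sorted(findings)


if __name__ == "__main__":
    for rule, vid in validate(BAD_PLAN):
        print(f"VLAN {vid}: {rule}")
    print("page example findings:", validate(PAGE_PLAN))
```

`NO_LOCAL_PROXY` is informational: a plan that intends the sub-VLANs to stay isolated at Layer 3 as well as Layer 2 leaves local proxy ARP and ND disabled on purpose.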

Display and maintenance commands for super VLANs
Execute display commands in any view.

Task: Display information about super VLANs and their associated sub-VLANs.
Command: display supervlan [ supervlan-id ]

Super VLAN configuration examples


Example: Configuring a super VLAN
Network configuration
As shown in Figure 7:
• Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 are in VLAN 2.
• Twenty-FiveGigE 1/0/3 and Twenty-FiveGigE 1/0/4 are in VLAN 3.
• Twenty-FiveGigE 1/0/5 and Twenty-FiveGigE 1/0/6 are in VLAN 5.
To save IP addresses and enable sub-VLANs to be isolated at Layer 2 but interoperable at Layer 3,
perform the following tasks:
• Create a super VLAN and assign an IP address to its VLAN interface.
• Associate the super VLAN with VLANs 2, 3, and 5.
Figure 7 Network diagram
[Diagram not reproduced. Labels: Device A (Vlan-int10, 10.1.1.1/24) and Device B; WGE1/0/1 and WGE1/0/2 in VLAN 2; WGE1/0/3 and WGE1/0/4 in VLAN 3; WGE1/0/5 and WGE1/0/6 in VLAN 5.]

Procedure
# Create VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10

[DeviceA-vlan10] quit

# Create VLAN-interface 10, and assign IP address 10.1.1.1/24 to it.


[DeviceA] interface vlan-interface 10
[DeviceA-Vlan-interface10] ip address 10.1.1.1 255.255.255.0

# Enable local proxy ARP.


[DeviceA-Vlan-interface10] local-proxy-arp enable
[DeviceA-Vlan-interface10] quit

# Create VLAN 2, and assign Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 to the VLAN.
[DeviceA] vlan 2
[DeviceA-vlan2] port twenty-fivegige 1/0/1 twenty-fivegige 1/0/2
[DeviceA-vlan2] quit

# Create VLAN 3, and assign Twenty-FiveGigE 1/0/3 and Twenty-FiveGigE 1/0/4 to the VLAN.
[DeviceA] vlan 3
[DeviceA-vlan3] port twenty-fivegige 1/0/3 twenty-fivegige 1/0/4
[DeviceA-vlan3] quit

# Create VLAN 5, and assign Twenty-FiveGigE 1/0/5 and Twenty-FiveGigE 1/0/6 to the VLAN.
[DeviceA] vlan 5
[DeviceA-vlan5] port twenty-fivegige 1/0/5 twenty-fivegige 1/0/6
[DeviceA-vlan5] quit

# Configure VLAN 10 as a super VLAN, and associate sub-VLANs 2, 3, and 5 with the super VLAN.
[DeviceA] vlan 10
[DeviceA-vlan10] supervlan
[DeviceA-vlan10] subvlan 2 3 5
[DeviceA-vlan10] quit
[DeviceA] quit

Verifying the configuration


# Display information about super VLAN 10 and its associated sub-VLANs.
<DeviceA> display supervlan
Super VLAN ID: 10
Sub-VLAN ID: 2-3 5
VLAN ID: 10
VLAN type: Static
It is a super VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0010
Name: VLAN 0010
Tagged ports: None
Untagged ports: None
VLAN ID: 2
VLAN type: Static
It is a sub VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0

Description: VLAN 0002
Name: VLAN 0002
Tagged ports: None
Untagged ports:
Twenty-FiveGigE1/0/1
Twenty-FiveGigE1/0/2
VLAN ID: 3
VLAN type: Static
It is a sub VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0003
Name: VLAN 0003
Tagged ports: None
Untagged ports:
Twenty-FiveGigE1/0/3
Twenty-FiveGigE1/0/4
VLAN ID: 5
VLAN type: Static
It is a sub VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0005
Name: VLAN 0005
Tagged ports: None
Untagged ports:
Twenty-FiveGigE1/0/5
Twenty-FiveGigE1/0/6

Configuring private VLAN
About private VLAN
VLAN technology provides a method for isolating traffic from customers. At the access layer of a
network, customer traffic must be isolated for security or accounting purposes. If VLANs are
assigned on a per-user basis, a large number of VLANs will be required.
The private VLAN feature saves VLAN resources. It uses a two-tier VLAN structure as follows:
• Primary VLAN—Used for connecting the upstream device. A primary VLAN can be associated
with multiple secondary VLANs. The upstream device identifies only the primary VLAN.
• Secondary VLANs—Used for connecting users. Secondary VLANs are isolated at Layer 2. To
implement Layer 3 communication between secondary VLANs associated with the primary
VLAN, enable local proxy ARP or ND on the upstream device (for example, L3 Device A in
Figure 8).
As shown in Figure 8, the private VLAN feature is enabled on L2 Device B. VLAN 10 is the primary
VLAN. VLANs 2, 5, and 8 are secondary VLANs that are associated with VLAN 10. L3 Device A is
only aware of VLAN 10.
Figure 8 Private VLAN example
[Diagram not reproduced. Labels: L3 Device A (VLAN 10) above L2 Device B (VLAN 10), with VLAN 2, VLAN 5, and VLAN 8 below L2 Device B.]

If the private VLAN feature is configured on a Layer 3 device, use one of the following methods on
the Layer 3 device to enable Layer 3 communication. Layer 3 communication might be required
between secondary VLANs that are associated with the same primary VLAN, or between secondary
VLANs and other networks.
• Method 1:
a. Create VLAN interfaces for the secondary VLANs.
b. Assign IP addresses to the secondary VLAN interfaces.
• Method 2:
a. Enable Layer 3 communication between the secondary VLANs that are associated with the
primary VLAN.
b. Create the VLAN interface for the primary VLAN and assign an IP address to it. (Do not
create secondary VLAN interfaces if you use this method.)
c. Enable local proxy ARP or ND on the primary VLAN interface.

Restrictions and guidelines: Private VLAN configuration
• Make sure the following requirements are met:
  ○ For a promiscuous port:
    − The primary VLAN is the PVID of the port.
    − The port is an untagged member of the primary VLAN and secondary VLANs.
  ○ For a host port:
    − The PVID of the port is a secondary VLAN.
    − The port is an untagged member of the primary VLAN and the secondary VLAN.
  ○ A trunk promiscuous or trunk secondary port must be a tagged member of the primary VLANs and the secondary VLANs.
• VLAN 1 (system default VLAN) does not support the private VLAN configuration.

Private VLAN tasks at a glance


To configure a private VLAN, perform the following tasks:
1. Creating a primary VLAN
2. Creating secondary VLANs
3. Associating the primary VLAN with secondary VLANs
4. Configuring the uplink port
5. Configuring a downlink port
6. (Optional.) Configuring Layer 3 communication for secondary VLANs

Creating a primary VLAN


1. Enter system view.
system-view
2. Create a VLAN and enter VLAN view.
vlan vlan-id
3. Configure the VLAN as a primary VLAN.
private-vlan primary
By default, a VLAN is not a primary VLAN.

Creating secondary VLANs


1. Enter system view.
system-view
2. Create one or multiple secondary VLANs.
vlan { vlan-id-list | all }

Associating the primary VLAN with secondary VLANs
1. Enter system view.
system-view
2. Enter VLAN view of the primary VLAN.
vlan vlan-id
3. Associate the primary VLAN with the secondary VLANs.
private-vlan secondary vlan-id-list
By default, a primary VLAN is not associated with any secondary VLANs.

Configuring the uplink port


About this task
Configure the uplink port (for example, the port connecting L2 Device B to L3 Device A in Figure 8) as
follows:
• If the port allows only one primary VLAN, configure the port as a promiscuous port of the
primary VLAN. The promiscuous port can be automatically assigned to the primary VLAN and
its associated secondary VLANs.
• If the port allows multiple primary VLANs, configure the port as a trunk promiscuous port of the
primary VLANs. The trunk promiscuous port can be automatically assigned to the primary
VLANs and their associated secondary VLANs.
Procedure
1. Enter system view.
system-view
2. Enter interface view of the uplink port.
interface interface-type interface-number
3. Configure the uplink port as a promiscuous or trunk promiscuous port of the specified VLANs.
○ Configure the uplink port as a promiscuous port of the specified VLAN.
port private-vlan vlan-id promiscuous
○ Configure the uplink port as a trunk promiscuous port of the specified VLANs.
port private-vlan vlan-id-list trunk promiscuous
By default, a port is not a promiscuous or trunk promiscuous port of any VLANs.

Configuring a downlink port


About this task
Configure a downlink port as follows:
• If a downlink port allows only one secondary VLAN (for example, the port connecting L2 Device
B to a host in Figure 8), configure the port as a host port. The host port can be automatically
assigned to the secondary VLAN and its associated primary VLAN.
• If a downlink port allows multiple secondary VLANs, configure the port as a trunk secondary
port. The trunk secondary port can be automatically assigned to the secondary VLANs and their
associated primary VLANs.

Procedure
1. Enter system view.
system-view
2. Enter interface view of the downlink port.
interface interface-type interface-number
3. Assign the downlink port to secondary VLANs.
a. Set the link type of the port.
port link-type { access | hybrid | trunk }
b. Assign the access port to the specified VLAN.
port access vlan vlan-id
c. Assign the trunk port to the specified VLANs.
port trunk permit vlan { vlan-id-list | all }
d. Assign the hybrid port to the specified VLANs.
port hybrid vlan vlan-id-list { tagged | untagged }
Select substep b, c, or d depending on the port link type.
4. Configure the downlink port as a host or trunk secondary port.
○ Configure the downlink port as a host port.
port private-vlan host
○ Configure the downlink port as a trunk secondary port of the specified VLANs.
port private-vlan vlan-id-list trunk secondary
By default, a port is not a host or trunk secondary port.
5. Return to system view.
quit
6. Enter VLAN view of a secondary VLAN.
vlan vlan-id
7. (Optional.) Enable Layer 2 communication for ports in the same secondary VLAN. Choose one
command as needed:
undo private-vlan isolated
private-vlan community
By default, ports in the same secondary VLAN can communicate with each other at Layer 2.

Configuring Layer 3 communication for secondary VLANs
1. Enter system view.
system-view
2. Enter VLAN interface view of the primary VLAN interface.
interface vlan-interface interface-number
3. Enable Layer 3 communication between secondary VLANs that are associated with the primary
VLAN.
private-vlan secondary vlan-id-list
By default, secondary VLANs cannot communicate with each other at Layer 3.
4. Assign an IP address to the primary VLAN interface.

IPv4:
ip address ip-address { mask-length | mask } [ sub ]
IPv6:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
By default, no IP address is configured for a VLAN interface.
5. Enable local proxy ARP or ND.
IPv4:
local-proxy-arp enable
By default, local proxy ARP is disabled.
For more information about local proxy ARP, see Layer 3—IP Services Configuration Guide.
IPv6:
local-proxy-nd enable
By default, local proxy ND is disabled.
For more information about local proxy ND, see Layer 3—IP Services Configuration Guide.

Display and maintenance commands for the private VLAN
Execute display commands in any view.

Task | Command
Display information about primary VLANs and the secondary VLANs associated with each primary VLAN. | display private-vlan [ primary-vlan-id ]

Private VLAN configuration examples


Example: Configuring promiscuous ports
Network configuration
As shown in Figure 9, configure the private VLAN feature to meet the following requirements:
• On Device B, VLAN 5 is a primary VLAN that is associated with secondary VLANs 2 and 3.
Twenty-FiveGigE 1/0/5 is in VLAN 5. Twenty-FiveGigE 1/0/2 is in VLAN 2. Twenty-FiveGigE
1/0/3 is in VLAN 3.
• On Device C, VLAN 6 is a primary VLAN that is associated with secondary VLANs 3 and 4.
Twenty-FiveGigE 1/0/5 is in VLAN 6. Twenty-FiveGigE 1/0/3 is in VLAN 3. Twenty-FiveGigE
1/0/4 is in VLAN 4.
• Device A is aware of only VLAN 5 on Device B and VLAN 6 on Device C.

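Figure 9 Network diagram
[Diagram not reproduced. Labels: Device A connects to Device B (VLAN 5) and Device C (VLAN 6) through WGE1/0/5 on each device. Device B: WGE1/0/3 to Host A (VLAN 3), WGE1/0/2 to Host B (VLAN 2). Device C: WGE1/0/3 to Host C (VLAN 3), WGE1/0/4 to Host D (VLAN 4).]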

Procedure
This example describes the configurations on Device B and Device C.
1. Configure Device B:
# Configure VLAN 5 as a primary VLAN.
<DeviceB> system-view
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan primary
[DeviceB-vlan5] quit
# Create VLANs 2 and 3.
[DeviceB] vlan 2 to 3
# Associate secondary VLANs 2 and 3 with primary VLAN 5.
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan secondary 2 to 3
[DeviceB-vlan5] quit
# Configure the uplink port (Twenty-FiveGigE 1/0/5) as a promiscuous port of VLAN 5.
[DeviceB] interface twenty-fivegige 1/0/5
[DeviceB-Twenty-FiveGigE1/0/5] port private-vlan 5 promiscuous
[DeviceB-Twenty-FiveGigE1/0/5] quit
# Assign downlink port Twenty-FiveGigE 1/0/2 to VLAN 2, and configure the port as a host port.
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] port access vlan 2
[DeviceB-Twenty-FiveGigE1/0/2] port private-vlan host
[DeviceB-Twenty-FiveGigE1/0/2] quit
# Assign downlink port Twenty-FiveGigE 1/0/3 to VLAN 3, and configure the port as a host port.
[DeviceB] interface twenty-fivegige 1/0/3
[DeviceB-Twenty-FiveGigE1/0/3] port access vlan 3
[DeviceB-Twenty-FiveGigE1/0/3] port private-vlan host
[DeviceB-Twenty-FiveGigE1/0/3] quit

2. Configure Device C:
# Configure VLAN 6 as a primary VLAN.
<DeviceC> system-view
[DeviceC] vlan 6
[DeviceC-vlan6] private-vlan primary
[DeviceC-vlan6] quit
# Create VLANs 3 and 4.
[DeviceC] vlan 3 to 4
# Associate secondary VLANs 3 and 4 with primary VLAN 6.
[DeviceC] vlan 6
[DeviceC-vlan6] private-vlan secondary 3 to 4
[DeviceC-vlan6] quit
# Configure the uplink port (Twenty-FiveGigE 1/0/5) as a promiscuous port of VLAN 6.
[DeviceC] interface twenty-fivegige 1/0/5
[DeviceC-Twenty-FiveGigE1/0/5] port private-vlan 6 promiscuous
[DeviceC-Twenty-FiveGigE1/0/5] quit
# Assign downlink port Twenty-FiveGigE 1/0/3 to VLAN 3, and configure the port as a host port.
[DeviceC] interface twenty-fivegige 1/0/3
[DeviceC-Twenty-FiveGigE1/0/3] port access vlan 3
[DeviceC-Twenty-FiveGigE1/0/3] port private-vlan host
[DeviceC-Twenty-FiveGigE1/0/3] quit
# Assign downlink port Twenty-FiveGigE 1/0/4 to VLAN 4, and configure the port as a host port.
[DeviceC] interface twenty-fivegige 1/0/4
[DeviceC-Twenty-FiveGigE1/0/4] port access vlan 4
[DeviceC-Twenty-FiveGigE1/0/4] port private-vlan host
[DeviceC-Twenty-FiveGigE1/0/4] quit

Verifying the configuration


# Verify the private VLAN configurations on the devices, for example, on Device B.
[DeviceB] display private-vlan
Primary VLAN ID: 5
Secondary VLAN ID: 2-3

VLAN ID: 5
VLAN type: Static
Private VLAN type: Primary
Route interface: Not configured
Description: VLAN 0005
Name: VLAN 0005
Tagged ports: None
Untagged ports:
Twenty-FiveGigE1/0/2
Twenty-FiveGigE1/0/3
Twenty-FiveGigE1/0/5

VLAN ID: 2
VLAN type: Static
Private VLAN type: Secondary

Route interface: Not configured
Description: VLAN 0002
Name: VLAN 0002
Tagged ports: None
Untagged ports:
Twenty-FiveGigE1/0/2
Twenty-FiveGigE1/0/5

VLAN ID: 3
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0003
Name: VLAN 0003
Tagged Ports: None
Untagged Ports:
Twenty-FiveGigE1/0/3
Twenty-FiveGigE1/0/5

The output shows that:


• The promiscuous port (Twenty-FiveGigE 1/0/5) is an untagged member of primary VLAN 5 and
secondary VLANs 2 and 3.
• Host port Twenty-FiveGigE 1/0/2 is an untagged member of primary VLAN 5 and secondary
VLAN 2.
• Host port Twenty-FiveGigE 1/0/3 is an untagged member of primary VLAN 5 and secondary
VLAN 3.
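The membership rules confirmed above can be checked mechanically after every change. The following Python sketch is an added example, not H3C code: it parses display private-vlan output and compares each port's untagged membership with the promiscuous-port and host-port requirements in the restrictions for this feature. The ROLES mapping and all function names are assumptions for illustration, the sample is an abridged copy of the Device B output, and trunk promiscuous and trunk secondary ports are out of scope.

```python
# Abridged copy of the Device B `display private-vlan` output shown above
# (only the fields the check reads; capitalization kept as printed).
SAMPLE_OUTPUT = """\
Primary VLAN ID: 5
Secondary VLAN ID: 2-3

VLAN ID: 5
Private VLAN type: Primary
Tagged ports: None
Untagged ports:
Twenty-FiveGigE1/0/2
Twenty-FiveGigE1/0/3
Twenty-FiveGigE1/0/5

VLAN ID: 2
Private VLAN type: Secondary
Tagged ports: None
Untagged ports:
Twenty-FiveGigE1/0/2
Twenty-FiveGigE1/0/5

VLAN ID: 3
Private VLAN type: Secondary
Tagged Ports: None
Untagged Ports:
Twenty-FiveGigE1/0/3
Twenty-FiveGigE1/0/5
"""

# Intended roles (hypothetical input): port -> (role, secondary VLAN of a host port).
ROLES = {
    "Twenty-FiveGigE1/0/5": ("promiscuous", None),
    "Twenty-FiveGigE1/0/2": ("host", 2),
    "Twenty-FiveGigE1/0/3": ("host", 3),
}


def expand_ids(text):
    """Expand a VLAN ID list such as '2-3' or '6 8' into a set of integers."""
    ids = set()
    for token in text.split():
        low, _, high = token.partition("-")
        ids.update(range(int(low), int(high or low) + 1))
    return ids


def parse_private_vlan(output):
    """Return (primary_id, secondary_ids, {vlan_id: {"tagged", "untagged"}})."""
    primary, secondaries, vlans = None, set(), {}
    current = bucket = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep:
            if bucket is not None:      # continuation line of a port list
                bucket.update(line.split())
        elif key == "primary vlan id":
            primary = int(value)
        elif key == "secondary vlan id":
            secondaries = expand_ids(value)
        elif key == "vlan id":
            current = vlans.setdefault(int(value), {"tagged": set(), "untagged": set()})
            bucket = None
        elif key in ("tagged ports", "untagged ports") and current is not None:
            bucket = current[key.split()[0]]
            if value.lower() != "none":
                bucket.update(value.split())
        else:
            bucket = None               # any other field ends a port list
    return primary, secondaries, vlans


def audit(output, roles):
    """Compare untagged membership with the promiscuous and host port rules."""
    primary, secondaries, vlans = parse_private_vlan(output)
    findings, seen = [], set()
    for members in vlans.values():
        seen |= members["tagged"] | members["untagged"]
    for port in sorted(seen - set(roles)):
        findings.append(f"{port}: member of the private VLAN but has no declared role")
    for port, (role, secondary) in sorted(roles.items()):
        actual = {vid for vid, m in vlans.items() if port in m["untagged"]}
        expected = {primary} | (secondaries if role == "promiscuous" else {secondary})
        if actual != expected:
            detail = f"untagged in {sorted(actual)}, expected {sorted(expected)}"
            findings.append(f"{port}: {role} port {detail}")
    return findings


# Constructed drift: host port 1/0/2 also shows up in secondary VLAN 3
# (appended to the last port list of the sample).
DRIFTED_OUTPUT = SAMPLE_OUTPUT + "Twenty-FiveGigE1/0/2\n"

if __name__ == "__main__":
    print(audit(SAMPLE_OUTPUT, ROLES), audit(DRIFTED_OUTPUT, ROLES), sep="\n")
```

An empty result means the output matches the declared roles. A host port reported in more than one secondary VLAN means the Layer 2 isolation between those secondary VLANs no longer holds for that port.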

Example: Configuring trunk promiscuous ports


Network configuration
As shown in Figure 10, configure the private VLAN feature to meet the following requirements:
• VLANs 5 and 10 are primary VLANs on Device B. The uplink port (Twenty-FiveGigE 1/0/1) on
Device B permits the packets from VLANs 5 and 10 to pass through tagged.
• On Device B, downlink port Twenty-FiveGigE 1/0/2 permits secondary VLAN 2. Downlink port
Twenty-FiveGigE 1/0/3 permits secondary VLAN 3. Secondary VLANs 2 and 3 are associated
with primary VLAN 5.
• On Device B, downlink port Twenty-FiveGigE 1/0/4 permits secondary VLAN 6. Downlink port
Twenty-FiveGigE 1/0/5 permits secondary VLAN 8. Secondary VLANs 6 and 8 are associated
with primary VLAN 10.
• Device A is aware of only VLANs 5 and 10 on Device B.

Figure 10 Network diagram
[Diagram not reproduced. Labels: Device A WGE1/0/1 connects to Device B WGE1/0/1 (VLAN 5, VLAN 10). Device B: WGE1/0/2 to Host A (VLAN 2), WGE1/0/3 to Host B (VLAN 3), WGE1/0/4 to Host C (VLAN 6), WGE1/0/5 to Host D (VLAN 8).]

Procedure
1. Configure Device B:
# Configure VLANs 5 and 10 as primary VLANs.
<DeviceB> system-view
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan primary
[DeviceB-vlan5] quit
[DeviceB] vlan 10
[DeviceB-vlan10] private-vlan primary
[DeviceB-vlan10] quit
# Create VLANs 2, 3, 6, and 8.
[DeviceB] vlan 2 to 3
[DeviceB] vlan 6
[DeviceB-vlan6] quit
[DeviceB] vlan 8
[DeviceB-vlan8] quit
# Associate secondary VLANs 2 and 3 with primary VLAN 5.
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan secondary 2 to 3
[DeviceB-vlan5] quit
# Associate secondary VLANs 6 and 8 with primary VLAN 10.
[DeviceB] vlan 10
[DeviceB-vlan10] private-vlan secondary 6 8
[DeviceB-vlan10] quit
# Configure the uplink port (Twenty-FiveGigE 1/0/1) as a trunk promiscuous port of VLANs 5
and 10.
[DeviceB] interface twenty-fivegige 1/0/1
[DeviceB-Twenty-FiveGigE1/0/1] port private-vlan 5 10 trunk promiscuous
[DeviceB-Twenty-FiveGigE1/0/1] quit

# Assign downlink port Twenty-FiveGigE 1/0/2 to VLAN 2, and configure the port as a host port.
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] port access vlan 2
[DeviceB-Twenty-FiveGigE1/0/2] port private-vlan host
[DeviceB-Twenty-FiveGigE1/0/2] quit
# Assign downlink port Twenty-FiveGigE 1/0/3 to VLAN 3, and configure the port as a host port.
[DeviceB] interface twenty-fivegige 1/0/3
[DeviceB-Twenty-FiveGigE1/0/3] port access vlan 3
[DeviceB-Twenty-FiveGigE1/0/3] port private-vlan host
[DeviceB-Twenty-FiveGigE1/0/3] quit
# Assign downlink port Twenty-FiveGigE 1/0/4 to VLAN 6, and configure the port as a host port.
[DeviceB] interface twenty-fivegige 1/0/4
[DeviceB-Twenty-FiveGigE1/0/4] port access vlan 6
[DeviceB-Twenty-FiveGigE1/0/4] port private-vlan host
[DeviceB-Twenty-FiveGigE1/0/4] quit
# Assign downlink port Twenty-FiveGigE 1/0/5 to VLAN 8, and configure the port as a host port.
[DeviceB] interface twenty-fivegige 1/0/5
[DeviceB-Twenty-FiveGigE1/0/5] port access vlan 8
[DeviceB-Twenty-FiveGigE1/0/5] port private-vlan host
[DeviceB-Twenty-FiveGigE1/0/5] quit
2. Configure Device A:
# Create VLANs 5 and 10.
[DeviceA] vlan 5
[DeviceA-vlan5] quit
[DeviceA] vlan 10
[DeviceA-vlan10] quit
# Configure Twenty-FiveGigE 1/0/1 as a hybrid port, and assign it to VLANs 5 and 10 as a
tagged VLAN member.
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port link-type hybrid
[DeviceA-Twenty-FiveGigE1/0/1] port hybrid vlan 5 10 tagged
[DeviceA-Twenty-FiveGigE1/0/1] quit

Verifying the configuration


# Verify the primary VLAN configurations on Device B. The following output uses primary VLAN 5 as
an example.
[DeviceB] display private-vlan 5
Primary VLAN ID: 5
Secondary VLAN ID: 2-3

VLAN ID: 5
VLAN type: Static
Private VLAN type: Primary
Route interface: Not configured
Description: VLAN 0005
Name: VLAN 0005
Tagged ports:
Twenty-FiveGigE1/0/1
Untagged ports:

Twenty-FiveGigE1/0/2
Twenty-FiveGigE1/0/3

VLAN ID: 2
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0002
Name: VLAN 0002
Tagged ports:
Twenty-FiveGigE1/0/1
Untagged ports:
Twenty-FiveGigE1/0/2

VLAN ID: 3
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0003
Name: VLAN 0003
Tagged ports:
Twenty-FiveGigE1/0/1
Untagged ports:
Twenty-FiveGigE1/0/3

The output shows that:


• The trunk promiscuous port (Twenty-FiveGigE 1/0/1) is a tagged member of primary VLAN 5
and secondary VLANs 2 and 3.
• Host port Twenty-FiveGigE 1/0/2 is an untagged member of primary VLAN 5 and secondary
VLAN 2.
• Host port Twenty-FiveGigE 1/0/3 is an untagged member of primary VLAN 5 and secondary
VLAN 3.

Example: Configuring trunk promiscuous and trunk secondary ports
Network configuration
As shown in Figure 11, configure the private VLAN feature to meet the following requirements:
• VLANs 10 and 20 are primary VLANs on Device A. The uplink port (Twenty-FiveGigE 1/0/5) on
Device A permits the packets from VLANs 10 and 20 to pass through tagged.
• VLANs 11, 12, 21, and 22 are secondary VLANs on Device A.
  ○ Downlink port Twenty-FiveGigE 1/0/2 permits the packets from secondary VLANs 11 and 21 to pass through tagged.
  ○ Downlink port Twenty-FiveGigE 1/0/1 permits secondary VLAN 22.
  ○ Downlink port Twenty-FiveGigE 1/0/3 permits secondary VLAN 12.
• Secondary VLANs 11 and 12 are associated with primary VLAN 10.
• Secondary VLANs 21 and 22 are associated with primary VLAN 20.

Figure 11 Network diagram
[Diagram not reproduced. Labels: Device C (VLAN 10, VLAN 20) WGE1/0/5 connects to Device A WGE1/0/5. Device A: WGE1/0/1 to Host C (VLAN 22), WGE1/0/3 to Host D (VLAN 12), WGE1/0/2 to Device B WGE1/0/2. Device B: WGE1/0/3 to Host A (VLAN 11), WGE1/0/4 to Host B (VLAN 21).]

Procedure
1. Configure Device A:
# Configure VLANs 10 and 20 as primary VLANs.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan primary
[DeviceA-vlan10] quit
[DeviceA] vlan 20
[DeviceA-vlan20] private-vlan primary
[DeviceA-vlan20] quit
# Create VLANs 11, 12, 21, and 22.
[DeviceA] vlan 11 to 12
[DeviceA] vlan 21 to 22
# Associate secondary VLANs 11 and 12 with primary VLAN 10.
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan secondary 11 12
[DeviceA-vlan10] quit
# Associate secondary VLANs 21 and 22 with primary VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] private-vlan secondary 21 22
[DeviceA-vlan20] quit
# Configure the uplink port (Twenty-FiveGigE 1/0/5) as a trunk promiscuous port of VLANs 10
and 20.

[DeviceA] interface twenty-fivegige 1/0/5
[DeviceA-Twenty-FiveGigE1/0/5] port private-vlan 10 20 trunk promiscuous
[DeviceA-Twenty-FiveGigE1/0/5] quit
# Assign downlink port Twenty-FiveGigE 1/0/1 to VLAN 22 and configure the port as a host port.
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port access vlan 22
[DeviceA-Twenty-FiveGigE1/0/1] port private-vlan host
[DeviceA-Twenty-FiveGigE1/0/1] quit
# Assign downlink port Twenty-FiveGigE 1/0/3 to VLAN 12 and configure the port as a host port.
[DeviceA] interface twenty-fivegige 1/0/3
[DeviceA-Twenty-FiveGigE1/0/3] port access vlan 12
[DeviceA-Twenty-FiveGigE1/0/3] port private-vlan host
[DeviceA-Twenty-FiveGigE1/0/3] quit
# Configure downlink port Twenty-FiveGigE 1/0/2 as a trunk secondary port of VLANs 11 and
21.
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] port private-vlan 11 21 trunk secondary
[DeviceA-Twenty-FiveGigE1/0/2] quit
2. Configure Device B:
# Create VLANs 11 and 21.
<DeviceB> system-view
[DeviceB] vlan 11
[DeviceB-vlan11] quit
[DeviceB] vlan 21
[DeviceB-vlan21] quit
# Configure Twenty-FiveGigE 1/0/2 as a hybrid port, and assign it to VLANs 11 and 21 as a
tagged VLAN member.
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] port link-type hybrid
[DeviceB-Twenty-FiveGigE1/0/2] port hybrid vlan 11 21 tagged
[DeviceB-Twenty-FiveGigE1/0/2] quit
# Assign Twenty-FiveGigE 1/0/3 to VLAN 11.
[DeviceB] interface twenty-fivegige 1/0/3
[DeviceB-Twenty-FiveGigE1/0/3] port access vlan 11
[DeviceB-Twenty-FiveGigE1/0/3] quit
# Assign Twenty-FiveGigE 1/0/4 to VLAN 21.
[DeviceB] interface twenty-fivegige 1/0/4
[DeviceB-Twenty-FiveGigE1/0/4] port access vlan 21
[DeviceB-Twenty-FiveGigE1/0/4] quit
3. Configure Device C:
# Create VLANs 10 and 20.
<DeviceC> system-view
[DeviceC] vlan 10
[DeviceC-vlan10] quit
[DeviceC] vlan 20
[DeviceC-vlan20] quit
# Configure Twenty-FiveGigE 1/0/5 as a hybrid port, and assign it to VLANs 10 and 20 as a
tagged VLAN member.

[DeviceC] interface twenty-fivegige 1/0/5
[DeviceC-Twenty-FiveGigE1/0/5] port link-type hybrid
[DeviceC-Twenty-FiveGigE1/0/5] port hybrid vlan 10 20 tagged
[DeviceC-Twenty-FiveGigE1/0/5] quit

Verifying the configuration


# Verify the primary VLAN configurations on Device A. The following output uses primary VLAN 10
as an example.
[DeviceA] display private-vlan 10
Primary VLAN ID: 10
Secondary VLAN ID: 11-12

VLAN ID: 10
VLAN type: Static
Private-vlan type: Primary
Route interface: Not configured
Description: VLAN 0010
Name: VLAN 0010
Tagged ports:
Twenty-FiveGigE1/0/2
Twenty-FiveGigE1/0/5
Untagged ports:
Twenty-FiveGigE1/0/3

VLAN ID: 11
VLAN type: Static
Private-vlan type: Secondary
Route interface: Not configured
Description: VLAN 0011
Name: VLAN 0011
Tagged ports:
Twenty-FiveGigE1/0/2
Twenty-FiveGigE1/0/5
Untagged ports: None

VLAN ID: 12
VLAN type: Static
Private-vlan type: Secondary
Route interface: Not configured
Description: VLAN 0012
Name: VLAN 0012
Tagged ports:
Twenty-FiveGigE1/0/5
Untagged ports:
Twenty-FiveGigE1/0/3

The output shows that:


• The trunk promiscuous port (Twenty-FiveGigE 1/0/5) is a tagged member of primary VLAN 10
and secondary VLANs 11 and 12.

• The trunk secondary port (Twenty-FiveGigE 1/0/2) is a tagged member of primary VLAN 10 and
secondary VLAN 11.
• The host port (Twenty-FiveGigE 1/0/3) is an untagged member of primary VLAN 10 and
secondary VLAN 12.

Example: Configuring Layer 3 communication for secondary VLANs
Network configuration
As shown in Figure 12, configure the private VLAN feature to meet the following requirements:
• Primary VLAN 10 on Device A is associated with secondary VLANs 2 and 3. The IP address of
VLAN-interface 10 is 192.168.1.1/24.
• Twenty-FiveGigE 1/0/1 belongs to VLAN 10. Twenty-FiveGigE 1/0/2 and Twenty-FiveGigE
1/0/3 belong to VLAN 2 and VLAN 3, respectively.
• Secondary VLANs are isolated at Layer 2 but interoperable at Layer 3.
Figure 12 Network diagram
[Diagram not reproduced. Labels: Device B connects to Device A WGE1/0/1 (VLAN 10; Vlan-int10, 192.168.1.1/24). Device A: WGE1/0/2 in VLAN 2, WGE1/0/3 in VLAN 3.]

Procedure
# Create VLAN 10 and configure it as a primary VLAN.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan primary
[DeviceA-vlan10] quit

# Create VLANs 2 and 3.
[DeviceA] vlan 2 to 3

# Associate primary VLAN 10 with secondary VLANs 2 and 3.


[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan primary
[DeviceA-vlan10] private-vlan secondary 2 3
[DeviceA-vlan10] quit

# Configure the uplink port (Twenty-FiveGigE 1/0/1) as a promiscuous port of VLAN 10.
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port private-vlan 10 promiscuous
[DeviceA-Twenty-FiveGigE1/0/1] quit

# Assign downlink port Twenty-FiveGigE 1/0/2 to VLAN 2, and configure the port as a host port.
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] port access vlan 2
[DeviceA-Twenty-FiveGigE1/0/2] port private-vlan host
[DeviceA-Twenty-FiveGigE1/0/2] quit

# Assign downlink port Twenty-FiveGigE 1/0/3 to VLAN 3, and configure the port as a host port.
[DeviceA] interface twenty-fivegige 1/0/3
[DeviceA-Twenty-FiveGigE1/0/3] port access vlan 3
[DeviceA-Twenty-FiveGigE1/0/3] port private-vlan host
[DeviceA-Twenty-FiveGigE1/0/3] quit

# Enable Layer 3 communication between secondary VLANs 2 and 3 that are associated with
primary VLAN 10.
[DeviceA] interface vlan-interface 10
[DeviceA-Vlan-interface10] private-vlan secondary 2 3

# Assign IP address 192.168.1.1/24 to VLAN-interface 10.


[DeviceA-Vlan-interface10] ip address 192.168.1.1 255.255.255.0

# Enable local proxy ARP on VLAN-interface 10.


[DeviceA-Vlan-interface10] local-proxy-arp enable
[DeviceA-Vlan-interface10] quit

Verifying the configuration


# Display the configuration of primary VLAN 10.
[DeviceA] display private-vlan 10
Primary VLAN ID: 10
Secondary VLAN ID: 2-3

VLAN ID: 10
VLAN type: Static
Private VLAN type: Primary
Route interface: Configured
IPv4 address: 192.168.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0010
Name: VLAN 0010
Tagged ports: None
Untagged ports:
Twenty-FiveGigE1/0/1
Twenty-FiveGigE1/0/2
Twenty-FiveGigE1/0/3

VLAN ID: 2
VLAN type: Static
Private VLAN type: Secondary
Route interface: Configured
IPv4 address: 192.168.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0002
Name: VLAN 0002

Tagged ports: None
Untagged ports:
Twenty-FiveGigE1/0/1
Twenty-FiveGigE1/0/2

VLAN ID: 3
VLAN type: Static
Private VLAN type: Secondary
Route interface: Configured
IPv4 address: 192.168.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0003
Name: VLAN 0003
Tagged ports: None
Untagged ports:
Twenty-FiveGigE1/0/1
Twenty-FiveGigE1/0/3

The Route interface field in the output is Configured, indicating that secondary VLANs 2 and 3 are
interoperable at Layer 3.

Configuring voice VLANs
About voice VLANs
A voice VLAN is used for transmitting voice traffic. The device can configure QoS parameters for
voice packets to ensure higher transmission priority of the voice packets.
Common voice devices include IP phones and integrated access devices (IADs). This chapter uses
IP phones as an example.

Working mechanism
When an IP phone accesses a device, the device performs the following operations:
1. Identifies the IP phone in the network and obtains the MAC address of the IP phone.
2. Advertises the voice VLAN information to the IP phone.
After receiving the voice VLAN information, the IP phone performs automatic configuration. Voice
packets sent from the IP phone can then be transmitted within the voice VLAN.

Methods of identifying IP phones


Devices can use the OUI addresses or LLDP to identify IP phones.
Identifying IP phones through OUI addresses
A device identifies voice packets based on their source MAC addresses. A packet whose source
MAC address matches an Organizationally Unique Identifier (OUI) address on the device is
regarded as a voice packet.
You can use system default OUI addresses (see Table 1) or configure OUI addresses for the device.
You can manually remove or add the system default OUI addresses.
Table 1 Default OUI addresses

Number | OUI address | Vendor
1 | 0001-e300-0000 | Siemens phone
2 | 0003-6b00-0000 | Cisco phone
3 | 0004-0d00-0000 | Avaya phone
4 | 000f-e200-0000 | H3C Aolynk phone
5 | 0060-b900-0000 | Philips/NEC phone
6 | 00d0-1e00-0000 | Pingtel phone
7 | 00e0-7500-0000 | Polycom phone
8 | 00e0-bb00-0000 | 3Com phone

Typically, an OUI address refers to the first 24 bits of a MAC address (in binary notation) and is a
globally unique identifier that IEEE assigns to a vendor. However, OUI addresses in this chapter are
addresses that the system uses to identify voice packets. They are the logical AND results of the
mac-address and oui-mask arguments in the voice-vlan mac-address command.
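The masked comparison described above, as an added Python example (not H3C code): it derives an OUI address from the mac-address and oui-mask arguments, matches constructed source MACs against Table 1, and counts how many source addresses a single entry accepts. The 24-bit mask ffff-ff00-0000 for the default entries is an assumption, because this page does not state it, and all function names are illustrative.

```python
import re

# Table 1 from this chapter: default OUI addresses and their descriptions.
DEFAULT_OUIS = {
    "0001-e300-0000": "Siemens phone",
    "0003-6b00-0000": "Cisco phone",
    "0004-0d00-0000": "Avaya phone",
    "000f-e200-0000": "H3C Aolynk phone",
    "0060-b900-0000": "Philips/NEC phone",
    "00d0-1e00-0000": "Pingtel phone",
    "00e0-7500-0000": "Polycom phone",
    "00e0-bb00-0000": "3Com phone",
}

# Assumption (not stated on this page): the default entries use a 24-bit mask.
ASSUMED_MASK = "ffff-ff00-0000"

MAC_FORMAT = re.compile(r"[0-9a-fA-F]{4}(-[0-9a-fA-F]{4}){2}")


def parse_mac(text):
    """Convert a MAC address in xxxx-xxxx-xxxx notation to a 48-bit integer."""
    if not MAC_FORMAT.fullmatch(text):
        raise ValueError(f"not in xxxx-xxxx-xxxx notation: {text!r}")
    return int(text.replace("-", ""), 16)


def format_mac(value):
    """Convert a 48-bit integer back to xxxx-xxxx-xxxx notation."""
    digits = f"{value:012x}"
    return "-".join(digits[i:i + 4] for i in (0, 4, 8))


def oui_address(mac_address, oui_mask):
    """OUI address as this chapter defines it: mac-address AND oui-mask."""
    return format_mac(parse_mac(mac_address) & parse_mac(oui_mask))


def build_table(entries, oui_mask=ASSUMED_MASK):
    """Return [(oui, mask, description)] as integers for a mapping of MAC -> description."""
    mask = parse_mac(oui_mask)
    return [(parse_mac(mac) & mask, mask, text) for mac, text in entries.items()]


def classify(source_mac, table):
    """Return the description of the first entry the source MAC matches, else None."""
    source = parse_mac(source_mac)
    for oui, mask, description in table:
        if source & mask == oui:
            return description
    return None


def addresses_covered(oui_mask):
    """Number of distinct source MAC addresses that one entry with this mask accepts."""
    return 2 ** (48 - bin(parse_mac(oui_mask)).count("1"))


if __name__ == "__main__":
    table = build_table(DEFAULT_OUIS)
    # Constructed source MAC addresses, not taken from any capture.
    for mac in ("0003-6b12-3456", "000f-e2ab-cdef", "0011-2233-4455"):
        print(mac, "->", classify(mac, table) or "not voice")
    print("addresses per 24-bit entry:", addresses_covered(ASSUMED_MASK))
```

The classification depends only on the masked source MAC field, so a longer oui-mask narrows the set of addresses an entry treats as voice devices.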

Automatically identifying IP phones through LLDP
If IP phones support LLDP, configure LLDP for automatic IP phone discovery on the device. The
device can then automatically discover the peer through LLDP, and exchange LLDP TLVs with the
peer.
If the LLDP System Capabilities TLV received on a port indicates that the peer can act as a telephone,
the device performs the following operations:
1. Sends an LLDP TLV with the voice VLAN configuration to the peer.
2. Assigns the receiving port to the voice VLAN.
3. Increases the transmission priority of the voice packets sent from the IP phone.
4. Adds the MAC address of the IP phone to the MAC address table to ensure that the IP phone
can pass authentication.
Use LLDP instead of the OUI list to identify IP phones if the network has more IP phone categories
than the maximum number of OUI addresses supported on the device. LLDP has higher priority than
the OUI list.
For more information about LLDP, see "Configuring LLDP."

Advertising the voice VLAN information to IP phones


Figure 13 shows the workflow of advertising the voice VLAN information to IP phones.
Figure 13 Workflow of advertising the voice VLAN information to IP phones
1. Is LLDP/CDP configured to advertise the voice VLAN ID? If yes, advertise the voice VLAN ID to the IP phone. If no, go to step 2.
2. Is the authorization VLAN received from the authentication server? If yes, advertise the authorization VLAN to the IP phone. If no, advertise the voice VLAN configured on the port to the IP phone.

IP phone access methods


Connecting the host and the IP phone in series
As shown in Figure 14, the host is connected to the IP phone, and the IP phone is connected to the
device. In this scenario, the following requirements must be met:
• The host and the IP phone use different VLANs.
• The IP phone is able to send out VLAN-tagged packets, so that the device can differentiate
traffic from the host and the IP phone.
• The port connecting to the IP phone forwards packets from the voice VLAN and the PVID.

Figure 14 Connecting the host and IP phone in series
[Network diagram: the host connects to the IP phone, and the IP phone connects to the device; a
voice gateway is also shown.]

Connecting the IP phone to the device


As shown in Figure 15, IP phones are connected to the device without the presence of the host. Use
this connection method when IP phones send out untagged voice packets. In this scenario, you
must configure the voice VLAN as the PVID of the access port of the IP phone, and configure the port
to forward the packets from the PVID.
Figure 15 Connecting the IP phone to the device
[Network diagram: two IP phones connect directly to the device; a voice gateway is also shown.]

Voice VLAN assignment modes


A port can be assigned to a voice VLAN automatically or manually.
Automatic mode
Use automatic mode when PCs and IP phones are connected in series to access the network
through the device, as shown in Figure 14. Ports on the device transmit both voice traffic and data
traffic.
When an IP phone is powered on, it sends out protocol packets. After receiving these protocol
packets, the device uses the source MAC address of the protocol packets to match its OUI
addresses. If the match succeeds, the device performs the following operations:
• Assigns the receiving port of the protocol packets to the voice VLAN.
• Issues ACL rules to set the packet precedence.
• Starts the voice VLAN aging timer.
If no voice packet is received from the port before the aging timer expires, the device will remove the
port from the voice VLAN. The aging timer is also configurable.
When the IP phone reboots, the port is reassigned to the voice VLAN to ensure the correct operation
of the existing voice connections. The reassignment occurs automatically without being triggered by
voice traffic as long as the voice VLAN operates correctly.

Manual mode
Use manual mode when only IP phones access the network through the device, as shown in Figure
15. In this mode, ports are assigned to a voice VLAN that transmits voice traffic exclusively. No data
traffic affects the voice traffic transmission.
You must manually assign the port that connects to the IP phone to a voice VLAN. The device uses
the source MAC address of the received voice packets to match its OUI addresses. If the match
succeeds, the device issues ACL rules to set the packet precedence.
To remove the port from the voice VLAN, you must manually remove it.

Cooperation of voice VLAN assignment modes and IP phones
Some IP phones send out VLAN-tagged packets, and others send out only untagged packets. For
correct packet processing, ports of different link types must meet specific configuration requirements
in different voice VLAN assignment modes.
If an IP phone sends out tagged voice traffic, and its access port is configured with 802.1X
authentication, guest VLAN, Auth-Fail VLAN, or critical VLAN, VLAN IDs must be different for the
following VLANs:
• Voice VLAN.
• PVID of the access port.
• 802.1X guest, Auth-Fail, or critical VLAN.
If an IP phone sends out untagged voice traffic, the PVID of the access port must be the voice VLAN.
In this scenario, 802.1X authentication is not supported.
Access ports do not transmit tagged packets.
Configuration requirements for transmitting tagged voice traffic

| Port link type | Voice VLAN assignment mode | Configuration requirements |
|---|---|---|
| Trunk | Automatic | The PVID of the port cannot be the voice VLAN. |
| Trunk | Manual | The PVID of the port cannot be the voice VLAN. The port must forward packets from the voice VLAN. |
| Hybrid | Automatic | The PVID of the port cannot be the voice VLAN. |
| Hybrid | Manual | The PVID of the port cannot be the voice VLAN. The port must forward packets from the voice VLAN with VLAN tags. |

Configuration requirements for transmitting untagged voice traffic


When IP phones send out untagged packets, you must set the voice VLAN assignment mode to
manual.
Table 2 Configuration requirements for ports in manual mode to support untagged voice traffic

| Port link type | Configuration requirements |
|---|---|
| Access | The voice VLAN must be the PVID of the port. |
| Trunk | The voice VLAN must be the PVID of the port. The port must forward packets from the voice VLAN. |
| Hybrid | The voice VLAN must be the PVID of the port. The port must forward packets from the voice VLAN without VLAN tags. |
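
The requirements above for tagged and untagged voice traffic can be checked mechanically before a port is enabled for voice VLAN. The following Python sketch is an added example, not part of the H3C guide or of any H3C tool: VoicePortConfig, check_voice_port, and the sample ports are hypothetical names and constructed values, and the PVID of 1 in the automatic-mode sample is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VoicePortConfig:
    """One voice VLAN-enabled port (hypothetical model, not a device API)."""
    link_type: str                    # "access", "trunk" or "hybrid"
    pvid: int
    voice_vlan: int
    manual_mode: bool                 # False = automatic assignment mode
    phone_sends_tagged: bool
    # VLANs the port forwards; a trunk port may list its VLANs in either set.
    tagged_vlans: frozenset = frozenset()
    untagged_vlans: frozenset = frozenset()
    dot1x_enabled: bool = False
    dot1x_special_vlans: frozenset = frozenset()  # guest, Auth-Fail, critical


def check_voice_port(cfg):
    """Return the requirements from the text that this port violates."""
    problems = []
    forwards_voice = cfg.voice_vlan in (cfg.tagged_vlans | cfg.untagged_vlans)

    if cfg.phone_sends_tagged:
        if cfg.link_type == "access":
            return ["access ports do not transmit tagged packets"]
        if cfg.pvid == cfg.voice_vlan:
            problems.append("PVID must not be the voice VLAN")
        if cfg.manual_mode:
            if cfg.link_type == "trunk" and not forwards_voice:
                problems.append("trunk port must forward the voice VLAN")
            if cfg.link_type == "hybrid" and cfg.voice_vlan not in cfg.tagged_vlans:
                problems.append("hybrid port must forward the voice VLAN with VLAN tags")
        # Voice VLAN, PVID and the 802.1X guest/Auth-Fail/critical VLANs must differ.
        if cfg.voice_vlan in cfg.dot1x_special_vlans:
            problems.append("voice VLAN must differ from the 802.1X special VLANs")
        if cfg.pvid in cfg.dot1x_special_vlans:
            problems.append("PVID must differ from the 802.1X special VLANs")
    else:
        if not cfg.manual_mode:
            problems.append("assignment mode must be manual for untagged voice traffic")
        if cfg.pvid != cfg.voice_vlan:
            problems.append("voice VLAN must be the PVID")
        if cfg.link_type == "trunk" and not forwards_voice:
            problems.append("trunk port must forward the voice VLAN")
        if cfg.link_type == "hybrid" and cfg.voice_vlan not in cfg.untagged_vlans:
            problems.append("hybrid port must forward the voice VLAN without VLAN tags")
        if cfg.dot1x_enabled:
            problems.append("802.1X authentication is not supported with untagged voice traffic")
    return problems


# Constructed sample ports.
MANUAL_UNTAGGED_OK = VoicePortConfig(
    link_type="hybrid", pvid=2, voice_vlan=2, manual_mode=True,
    phone_sends_tagged=False, untagged_vlans=frozenset({2}))
AUTO_TAGGED_OK = VoicePortConfig(
    link_type="hybrid", pvid=1, voice_vlan=2, manual_mode=False,
    phone_sends_tagged=True, untagged_vlans=frozenset({1}))
BAD_UNTAGGED = VoicePortConfig(
    link_type="hybrid", pvid=1, voice_vlan=2, manual_mode=False,
    phone_sends_tagged=False, untagged_vlans=frozenset({1}), dot1x_enabled=True)
BAD_TAGGED_DOT1X = VoicePortConfig(
    link_type="hybrid", pvid=10, voice_vlan=2, manual_mode=True,
    phone_sends_tagged=True, tagged_vlans=frozenset({2}),
    untagged_vlans=frozenset({10}), dot1x_enabled=True,
    dot1x_special_vlans=frozenset({10}))

if __name__ == "__main__":
    for name, cfg in [("manual/untagged", MANUAL_UNTAGGED_OK),
                      ("auto/tagged", AUTO_TAGGED_OK),
                      ("bad untagged", BAD_UNTAGGED),
                      ("bad tagged + 802.1X", BAD_TAGGED_DOT1X)]:
        print(name, "->", check_voice_port(cfg) or "OK")
```
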

Security mode and normal mode of voice VLANs


Depending on how incoming packets are filtered, a voice VLAN-enabled port can operate
in one of the following modes:
• Normal mode—The port receives voice-VLAN-tagged packets and forwards them in the voice
VLAN without examining their MAC addresses. If the PVID of the port is the voice VLAN and the
port operates in manual VLAN assignment mode, the port forwards all the received untagged
packets in the voice VLAN.
In this mode, voice VLANs are vulnerable to traffic attacks. Malicious users might send a large
number of forged voice-VLAN-tagged or untagged packets to affect voice communication.
• Security mode—The port uses the source MAC addresses of voice packets to match the OUI
addresses of the device. Packets that fail the match will be dropped.
In a safe network, you can configure the voice VLANs to operate in normal mode. This mode reduces
system resource consumption in source MAC address checking.
In either mode, the device modifies the transmission priority only for voice VLAN packets whose
source MAC addresses match OUI addresses of the device.
As a best practice, do not transmit both voice traffic and non-voice traffic in a voice VLAN. If you must
transmit different traffic in a voice VLAN, make sure the voice VLAN security mode is disabled.
Table 3 Packet processing on a voice VLAN-enabled port in normal or security mode

| Voice VLAN mode | Packet type | Packet processing |
|---|---|---|
| Normal | Untagged packets; packets with the voice VLAN tags | The port does not examine their source MAC addresses. Both voice traffic and non-voice traffic can be transmitted in the voice VLAN. |
| Normal | Packets with other VLAN tags | The port forwards or drops them depending on whether the port permits packets from these VLANs to pass through. |
| Security | Untagged packets; packets with the voice VLAN tags | If the source MAC address of a packet matches an OUI address on the device, the packet is forwarded in the voice VLAN. If the source MAC address of a packet does not match an OUI address on the device, the packet is dropped. |
| Security | Packets with other VLAN tags | The port forwards or drops them depending on whether the port permits packets from these VLANs to pass through. |
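
The following Python model is an added example, not H3C code. It shows how an OUI address is derived as the logical AND of the mac-address and oui-mask arguments, and how Table 3 treats a frame in normal and security mode. The function names and sample port are hypothetical, the PVID of 1 is constructed, and the model assumes an untagged frame is classified into the PVID, so it counts as voice VLAN traffic only when the PVID is the voice VLAN.

```python
from dataclasses import dataclass
from typing import NamedTuple, Optional, Tuple

VOICE_PRIORITY = (6, 46)  # default CoS and DSCP for voice VLAN packets, per the text


def parse_mac(text: str) -> int:
    """Parse a MAC address in xxxx-xxxx-xxxx notation into a 48-bit integer."""
    digits = text.replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    digits = f"{value:012x}"
    return "-".join(digits[i:i + 4] for i in range(0, 12, 4))


class OuiEntry(NamedTuple):
    oui: int
    mask: int
    description: str


def oui_entry(mac: str, mask: str, description: str = "") -> OuiEntry:
    """Store the OUI address as mac AND mask, as the device displays it."""
    mask_bits = parse_mac(mask)
    return OuiEntry(parse_mac(mac) & mask_bits, mask_bits, description)


@dataclass(frozen=True)
class Port:
    voice_vlan: int
    pvid: int
    permitted_vlans: frozenset  # VLANs the port permits to pass through
    security_mode: bool = True


class Verdict(NamedTuple):
    action: str                          # "forward" or "drop"
    vlan: Optional[int]
    priority: Optional[Tuple[int, int]]  # (CoS, DSCP) if the priority is modified


def process(port, oui_list, src_mac, tag=None) -> Verdict:
    """Apply Table 3 to one ingress frame. tag=None means an untagged frame."""
    vlan = port.pvid if tag is None else tag  # assumption: untagged -> PVID
    if vlan != port.voice_vlan:
        # "Packets with other VLAN tags" rows: ordinary VLAN permit check.
        if vlan in port.permitted_vlans:
            return Verdict("forward", vlan, None)
        return Verdict("drop", None, None)
    src = parse_mac(src_mac)
    is_voice = any((src & e.mask) == e.oui for e in oui_list)
    if port.security_mode and not is_voice:
        return Verdict("drop", None, None)
    # In either mode the priority is modified only for OUI-matching sources.
    return Verdict("forward", vlan, VOICE_PRIORITY if is_voice else None)


# Values taken from the automatic-mode example in this chapter; PVID 1 is constructed.
OUI_LIST = [oui_entry("0011-1100-0001", "ffff-ff00-0000", "IP phone A")]
PORT_SECURITY = Port(voice_vlan=2, pvid=1, permitted_vlans=frozenset({1, 2}))
PORT_NORMAL = Port(voice_vlan=2, pvid=1, permitted_vlans=frozenset({1, 2}),
                   security_mode=False)

if __name__ == "__main__":
    print("stored OUI:", format_mac(OUI_LIST[0].oui))
    for label, port in (("security", PORT_SECURITY), ("normal", PORT_NORMAL)):
        print(label, "phone, tag 2:", process(port, OUI_LIST, "0011-1100-0001", 2))
        print(label, "PC, tag 2:   ", process(port, OUI_LIST, "0022-1100-0002", 2))
```

In normal mode the frame from the PC MAC address is forwarded in VLAN 2 without a priority change, which is the exposure the text describes; in security mode the same frame is dropped.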

Restrictions and guidelines: Voice VLAN configuration
The aging timer of a voice VLAN starts only when the dynamic MAC address entry of the voice VLAN
ages out. The aging period for the voice VLAN equals the sum of the voice VLAN aging timer and the
aging timer for its dynamic MAC address entry. For more information about the aging timer for
dynamic MAC address entries, see "Configuring the MAC address table."
As a best practice, do not configure voice VLAN and disable MAC address learning on the same port.
If the two features are configured together on a port, the port forwards only packets that exactly
match the OUI addresses and drops packets that do not match exactly.
As a best practice, do not configure both voice VLAN and the MAC learning limit on a port. If the two
features are configured together on a port and the port learns the configured maximum number of
MAC address entries, the port processes packets as follows:
• Forwards only packets matching the MAC address entries learned by the port and OUI
addresses.
• Drops packets that do not match.

Voice VLAN tasks at a glance


To configure a voice VLAN, perform the following tasks:
1. Configuring the QoS priority settings for voice traffic
2. Use one of the following methods:
○ Configuring a port to operate in automatic voice VLAN assignment mode
○ Configuring a port to operate in manual voice VLAN assignment mode
3. (Optional.) Enabling LLDP for automatic IP phone discovery
4. (Optional.) Use one of the following methods:
○ Configuring LLDP to advertise a voice VLAN
○ Configuring CDP to advertise a voice VLAN

Configuring the QoS priority settings for voice traffic
About this task
The QoS priority settings carried in voice traffic include the CoS and DSCP values. You can
configure the device to modify the QoS priority settings for voice traffic.
Restrictions and guidelines
You cannot configure the QoS priority settings on a voice VLAN-enabled port. Before you configure
the QoS priority settings for voice traffic on a port, you must disable the voice VLAN feature on it.
If you execute the voice-vlan qos and voice-vlan qos trust commands multiple times,
the most recent configuration takes effect.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Configure QoS priority settings for incoming voice VLAN packets.
○ Configure the port to trust the QoS priority settings.
voice-vlan qos trust
○ Configure the port to modify the CoS and DSCP values.
voice-vlan qos cos-value dscp-value
By default, a port modifies the CoS and DSCP values for voice VLAN packets to 6 and 46,
respectively.
If a port trusts the QoS priority settings in incoming voice VLAN packets, the port does not
modify their CoS and DSCP values.

Configuring voice VLAN assignment modes for a port

Configuring a port to operate in automatic voice VLAN assignment mode
Restrictions and guidelines
• Do not configure a VLAN as both a voice VLAN and a protocol-based VLAN.
○ A voice VLAN in automatic mode on a hybrid port processes only tagged incoming voice
traffic.
○ A protocol-based VLAN on a hybrid port processes only untagged incoming packets. For
more information about protocol-based VLANs, see "Configuring protocol-based VLANs."
• As a best practice, do not use this mode with MSTP. In MSTP mode, if a port is blocked in the
MSTI of the target voice VLAN, the port drops the received packets instead of delivering them to
the CPU. As a result, the port will not be dynamically assigned to the voice VLAN.
• As a best practice, do not use this mode with PVST. In PVST mode, if the target voice VLAN is
not permitted on a port, the port is placed in blocked state. The port drops the received packets
instead of delivering them to the CPU. As a result, the port will not be dynamically assigned to
the voice VLAN.
• As a best practice, do not configure both dynamic MAC-based VLAN assignment and automatic
voice VLAN assignment mode on a port. They can have a negative impact on each other.
Procedure
1. Enter system view.
system-view
2. (Optional.) Set the voice VLAN aging timer.
voice-vlan aging minutes
By default, the aging timer of a voice VLAN is 1440 minutes.
The voice VLAN aging timer takes effect only on ports in automatic voice VLAN assignment
mode.
3. (Optional.) Enable the voice VLAN security mode.
voice-vlan security enable
By default, the voice VLAN security mode is enabled.
4. (Optional.) Add an OUI address for voice packet identification.
voice-vlan mac-address oui mask oui-mask [ description text ]
By default, system default OUI addresses exist. For more information, see Table 1.
5. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
6. Configure the link type of the port.
○ port link-type trunk
○ port link-type hybrid
7. Configure the port to operate in automatic voice VLAN assignment mode.
voice-vlan mode auto
By default, the automatic voice VLAN assignment mode is enabled.
8. Enable the voice VLAN feature on the port.
voice-vlan vlan-id enable
By default, the voice VLAN feature is disabled.
Before you execute this command, make sure the specified VLAN already exists.

Configuring a port to operate in manual voice VLAN assignment mode
Restrictions and guidelines
• You can configure different voice VLANs for different ports on the same device. Make sure the
following requirements are met:
○ One port can be configured with only one voice VLAN.
○ Voice VLANs must be existing static VLANs.
• Do not enable voice VLAN on the member ports of a link aggregation group. For more
information about link aggregation, see "Configuring Ethernet link aggregation."
• To make a voice VLAN take effect on a port operating in manual mode, you must manually
assign the port to the voice VLAN.
Procedure
1. Enter system view.
system-view
2. (Optional.) Enable the voice VLAN security mode.
voice-vlan security enable
By default, the voice VLAN security mode is enabled.
3. (Optional.) Add an OUI address for voice packet identification.
voice-vlan mac-address oui mask oui-mask [ description text ]
By default, system default OUI addresses exist. For more information, see Table 1.
4. Enter interface view.
○ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
5. Configure the port to operate in manual voice VLAN assignment mode.
undo voice-vlan mode auto
By default, a port operates in automatic voice VLAN assignment mode.
6. Assign the access, trunk, or hybrid port to the voice VLAN.
○ For the access port, see "Assigning an access port to a VLAN."
○ For the trunk port, see "Assigning a trunk port to a VLAN."
○ For the hybrid port, see "Assigning a hybrid port to a VLAN."
After you assign an access port to the voice VLAN, the voice VLAN becomes the PVID of the
port.
7. (Optional.) Configure the voice VLAN as the PVID of the trunk or hybrid port.
○ For the trunk port, see "Assigning a trunk port to a VLAN."
○ For the hybrid port, see "Assigning a hybrid port to a VLAN."
This step is required for untagged incoming voice traffic and prohibited for tagged incoming
voice traffic.
8. Enable the voice VLAN feature on the port.
voice-vlan vlan-id enable
By default, the voice VLAN feature is disabled.
Before you execute this command, make sure the specified VLAN already exists.

Enabling LLDP for automatic IP phone discovery


Restrictions and guidelines
• Before you enable this feature, enable LLDP both globally and on access ports.
• Use this feature only with the automatic voice VLAN assignment mode.
• Do not use this feature together with CDP compatibility.
• After you enable this feature on the device, each port of the device can be connected to a
maximum of five IP phones.
Procedure
1. Enter system view.
system-view
2. Enable LLDP for automatic IP phone discovery.
voice-vlan track lldp
By default, this feature is disabled.

Configuring LLDP or CDP to advertise a voice VLAN
Configuring LLDP to advertise a voice VLAN
About this task
For IP phones that support LLDP, the device advertises the voice VLAN information to the IP phones
through the LLDP-MED TLVs.
Prerequisites
Before you configure this feature, enable LLDP both globally and on access ports.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Configure an advertised voice VLAN ID.
lldp tlv-enable med-tlv network-policy vlan-id
By default, no advertised voice VLAN ID is configured.
For more information about the command, see Layer 2—LAN Switching Command Reference.

4. (Optional.) Display the voice VLAN advertised by LLDP.
display lldp local-information
For more information about the command, see Layer 2—LAN Switching Command Reference.

Configuring CDP to advertise a voice VLAN


About this task
If an IP phone supports CDP but does not support LLDP, it will send out CDP packets to the device to
request the voice VLAN ID. If the IP phone does not receive the voice VLAN ID within a time period,
it will send out untagged packets. The device cannot differentiate untagged voice packets from other
types of packets.
You can configure CDP compatibility on the device to enable it to perform the following operations:
• Receive and identify CDP packets from the IP phone.
• Send CDP packets to the IP phone. The voice VLAN information is carried in the CDP packets.
After receiving the advertised VLAN information, the IP phone performs automatic voice VLAN
configuration. Packets from the IP phone will be transmitted in the dedicated voice VLAN.
LLDP packets sent from the device carry the priority information. CDP packets sent from the device
do not carry the priority information.
Prerequisites
Before you configure this feature, enable LLDP globally and on access ports.
Procedure
1. Enter system view.
system-view
2. Enable CDP compatibility.
lldp compliance cdp
By default, CDP compatibility is disabled.
3. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
4. Configure CDP-compatible LLDP to operate in TxRx mode.
lldp compliance admin-status cdp txrx
By default, CDP-compatible LLDP operates in Disable mode.
5. Configure an advertised voice VLAN ID.
cdp voice-vlan vlan-id
By default, no advertised voice VLAN ID is configured.
For more information about the command, see Layer 2—LAN Switching Command Reference.

Display and maintenance commands for voice VLANs
Execute display commands in any view.

| Task | Command |
|---|---|
| Display OUI addresses on a device. | display voice-vlan mac-address |
| Display the voice VLAN state. | display voice-vlan state |

Voice VLAN configuration examples


Example: Configuring automatic voice VLAN assignment mode
Network configuration
As shown in Figure 16, Device A transmits traffic from IP phones and hosts.
For correct voice traffic transmission, perform the following tasks on Device A:
• Configure voice VLANs 2 and 3 to transmit voice packets from IP phone A and IP phone B,
respectively.
• Configure Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 to operate in automatic voice
VLAN assignment mode.
• Add MAC addresses of IP phones A and B to the device for voice packet identification. The
mask of the two MAC addresses is FFFF-FF00-0000.
• Set an aging timer for voice VLANs.
Figure 16 Network diagram
[Network diagram labels: Device A, Device B, Internet. WGE1/0/1 (VLAN 2): IP phone A, 010-1001,
MAC 0011-1100-0001, mask ffff-ff00-0000; PC A, MAC 0022-1100-0002. WGE1/0/2 (VLAN 3): IP phone B,
010-1002, MAC 0011-2200-0001, mask ffff-ff00-0000; PC B, MAC 0022-2200-0002. A further phone
number, 0755-2002, is also shown.]

Procedure
1. Configure voice VLANs:
# Create VLANs 2 and 3.
<DeviceA> system-view
[DeviceA] vlan 2 to 3
# Set the voice VLAN aging timer to 30 minutes.
[DeviceA] voice-vlan aging 30
# Enable security mode for voice VLANs.
[DeviceA] voice-vlan security enable
# Add MAC addresses of IP phones A and B to the device with mask FFFF-FF00-0000.
[DeviceA] voice-vlan mac-address 0011-1100-0001 mask ffff-ff00-0000 description IP phone A
[DeviceA] voice-vlan mac-address 0011-2200-0001 mask ffff-ff00-0000 description IP phone B
2. Configure Twenty-FiveGigE 1/0/1:
# Configure Twenty-FiveGigE 1/0/1 as a hybrid port.
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port link-type hybrid
# Configure Twenty-FiveGigE 1/0/1 to operate in automatic voice VLAN assignment mode.
[DeviceA-Twenty-FiveGigE1/0/1] voice-vlan mode auto
# Enable voice VLAN on Twenty-FiveGigE 1/0/1 and configure VLAN 2 as the voice VLAN for it.
[DeviceA-Twenty-FiveGigE1/0/1] voice-vlan 2 enable
[DeviceA-Twenty-FiveGigE1/0/1] quit
3. Configure Twenty-FiveGigE 1/0/2:
# Configure Twenty-FiveGigE 1/0/2 as a hybrid port.
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] port link-type hybrid
# Configure Twenty-FiveGigE 1/0/2 to operate in automatic voice VLAN assignment mode.
[DeviceA-Twenty-FiveGigE1/0/2] voice-vlan mode auto
# Enable voice VLAN on Twenty-FiveGigE 1/0/2 and configure VLAN 3 as the voice VLAN for it.
[DeviceA-Twenty-FiveGigE1/0/2] voice-vlan 3 enable
[DeviceA-Twenty-FiveGigE1/0/2] quit

Verifying the configuration


# Display the OUI addresses supported on Device A.
[DeviceA] display voice-vlan mac-address
OUI Address Mask Description
0001-e300-0000 ffff-ff00-0000 Siemens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
000f-e200-0000 ffff-ff00-0000 H3C Aolynk phone
0011-1100-0000 ffff-ff00-0000 IP phone A
0011-2200-0000 ffff-ff00-0000 IP phone B
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3Com phone

# Display the voice VLAN state.


[DeviceA] display voice-vlan state
Current voice VLANs: 2
Voice VLAN security mode: Security
Voice VLAN aging time: 30 minutes
Voice VLAN enabled ports and their modes:
Port VLAN Mode CoS DSCP
WGE1/0/1 2 Auto 6 46
WGE1/0/2 3 Auto 6 46

Example: Configuring manual voice VLAN assignment mode
Network configuration
As shown in Figure 17, IP phone A sends untagged voice traffic.
To enable Twenty-FiveGigE 1/0/1 to transmit only voice packets, perform the following tasks on
Device A:
• Create VLAN 2. This VLAN will be used as a voice VLAN.
• Configure Twenty-FiveGigE 1/0/1 to operate in manual voice VLAN assignment mode and add
it to VLAN 2.
• Add the OUI address of IP phone A to the OUI list of Device A.
Figure 17 Network diagram
[Network diagram labels: Device A, Device B, Internet. WGE1/0/1 (VLAN 2): IP phone A, 010-1001,
MAC 0011-2200-0001, mask ffff-ff00-0000. IP phone B, 0755-2002, is also shown.]

Procedure
# Enable security mode for voice VLANs.
<DeviceA> system-view
[DeviceA] voice-vlan security enable

# Add MAC address 0011-2200-0001 with mask FFFF-FF00-0000.


[DeviceA] voice-vlan mac-address 0011-2200-0001 mask ffff-ff00-0000 description test

# Create VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit

# Configure Twenty-FiveGigE 1/0/1 to operate in manual voice VLAN assignment mode.


[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] undo voice-vlan mode auto

# Configure Twenty-FiveGigE 1/0/1 as a hybrid port.


[DeviceA-Twenty-FiveGigE1/0/1] port link-type hybrid

# Set the PVID of Twenty-FiveGigE 1/0/1 to VLAN 2.


[DeviceA-Twenty-FiveGigE1/0/1] port hybrid pvid vlan 2

# Assign Twenty-FiveGigE 1/0/1 to VLAN 2 as an untagged VLAN member.


[DeviceA-Twenty-FiveGigE1/0/1] port hybrid vlan 2 untagged

# Enable voice VLAN and configure VLAN 2 as the voice VLAN on Twenty-FiveGigE 1/0/1.
[DeviceA-Twenty-FiveGigE1/0/1] voice-vlan 2 enable
[DeviceA-Twenty-FiveGigE1/0/1] quit

Verifying the configuration
# Display the OUI addresses supported on Device A.
[DeviceA] display voice-vlan mac-address
OUI Address Mask Description
0001-e300-0000 ffff-ff00-0000 Siemens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
000f-e200-0000 ffff-ff00-0000 H3C Aolynk phone
0011-2200-0000 ffff-ff00-0000 test
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3Com phone

# Display the voice VLAN state.


[DeviceA] display voice-vlan state
Current voice VLANs: 1
Voice VLAN security mode: Security
Voice VLAN aging time: 1440 minutes
Voice VLAN enabled ports and their modes:
Port VLAN Mode CoS DSCP
WGE1/0/1 2 Manual 6 46

Contents
Configuring MVRP
  About MVRP
    MRP implementation
    MRP messages
    MRP timers
    MVRP registration modes
    Protocols and standards
  Restrictions and guidelines: MVRP configuration
  MVRP tasks at a glance
  Prerequisites
  Enabling MVRP
  Setting an MVRP registration mode
  Setting MRP timers
  Enabling GVRP compatibility
  Display and maintenance commands for MVRP
  MVRP configuration examples
    Example: Configuring basic MVRP functions

Configuring MVRP
About MVRP
Multiple Registration Protocol (MRP) is an attribute registration protocol used to transmit attribute
values. Multiple VLAN Registration Protocol (MVRP) is a typical MRP application. It synchronizes
VLAN information among devices and greatly reduces the workload of network administrators.

MRP implementation
An MRP-enabled port is called an MRP participant. An MVRP-enabled port is called an MVRP
participant.
As shown in Figure 1, an MRP participant sends declarations and withdrawals to notify other
participants to register and deregister its attribute values. It also registers and deregisters the
attribute values of other participants according to the received declarations and withdrawals. MRP
rapidly propagates the configuration information of an MRP participant throughout the LAN.
Figure 1 MRP implementation
[Diagram: Device A and Device B; a declaration causes the peer to register, and a withdrawal
causes the peer to deregister.]

For example, MRP registers and deregisters VLAN attributes as follows:


• When a port receives a declaration for a VLAN, the port registers the VLAN and joins the VLAN.
• When a port receives a withdrawal for a VLAN, the port deregisters the VLAN and leaves the
VLAN.
MRP allows devices in the same LAN to transmit attribute values on a per MSTI basis. Figure 1
shows a simple MRP implementation on an MSTI. In a network with multiple MSTIs, MRP performs
attribute registration and deregistration on a per MSTI basis. For more information about MSTIs, see
"Configuring spanning tree protocols."

MRP messages
MRP messages include the following types:
• Declaration—Includes Join and New messages.
• Withdrawal—Includes Leave and LeaveAll messages.
Join message
An MRP participant sends a Join message to request the peer participant to register attributes in the
Join message.
When receiving a Join message from the peer participant, an MRP participant performs the following
tasks:
• Registers the attributes in the Join message.
• Propagates the Join message to all other participants on the device.
After receiving the Join message, other participants send the Join message to their respective peer
participants.
Join messages sent from a local participant to its peer participant include the following types:
• JoinEmpty—Declares an unregistered attribute. For example, when an MRP participant joins
an unregistered static VLAN, it sends a JoinEmpty message.
VLANs created manually and locally are called static VLANs. VLANs learned through MRP are
called dynamic VLANs.
• JoinIn—Declares a registered attribute. A JoinIn message is used in one of the following
situations:
○ An MRP participant joins an existing static VLAN and sends a JoinIn message after
registering the VLAN.
○ The MRP participant receives a Join message propagated by another participant on the
device and sends a JoinIn message after registering the VLAN.
New message
Similar to a Join message, a New message enables MRP participants to register attributes.
When the MSTP topology changes, an MRP participant sends a New message to the peer
participant to declare the topology change.
Upon receiving a New message from the peer participant, an MRP participant performs the following
tasks:
• Registers the attributes in the message.
• Propagates the New message to all other participants on the device.
After receiving the New message, other participants send the New message to their respective peer
participants.
Leave message
An MRP participant sends a Leave message to the peer participant when it wants the peer
participant to deregister attributes that it has deregistered.
When the peer participant receives the Leave message, it performs the following tasks:
• Deregisters the attribute in the Leave message.
• Propagates the Leave message to all other participants on the device.
After a participant on the device receives the Leave message, it determines whether to send the
Leave message to its peer participant depending on the attribute status on the device.
• If the VLAN in the Leave message is a dynamic VLAN not registered by any participants on the
device, both of the following events occur:
○ The VLAN is deleted on the device.
○ The participant sends the Leave message to its peer participant.
• If the VLAN in the Leave message is a static VLAN, the participant will not send the Leave
message to its peer participant.
LeaveAll message
Each MRP participant starts its LeaveAll timer when starting up. When the timer expires, the MRP
participant sends LeaveAll messages to the peer participant.
Upon sending or receiving a LeaveAll message, the local participant starts the Leave timer. The local
participant determines whether to send a Join message depending on its attribute status. A
participant can re-register the attributes in the received Join message before the Leave timer
expires.

When the Leave timer expires, a participant deregisters all attributes that have not been
re-registered to periodically clear useless attributes in the network.

MRP timers
MRP uses the following timers to control message transmission.
Periodic timer
The Periodic timer controls the transmission of MRP messages. An MRP participant starts its own
Periodic timer upon startup, and stores MRP messages to be sent before the Periodic timer expires.
When the Periodic timer expires, MRP sends stored MRP messages in as few MRP frames as
possible and restarts the Periodic timer. This mechanism reduces the number of MRP frames sent.
You can enable or disable the Periodic timer. When the Periodic timer is disabled, MRP does not
periodically send MRP messages. Instead, an MRP participant sends MRP messages when the
LeaveAll timer expires or the participant receives a LeaveAll message from the peer participant.
Join timer
The Join timer controls the transmission of Join messages. An MRP participant starts the Join timer
after sending a Join message to the peer participant. Before the Join timer expires, the participant
does not resend the Join message when the following conditions exist:
• The participant receives a JoinIn message from the peer participant.
• The received JoinIn message has the same attributes as the sent Join message.
When both the Join timer and the Periodic timer expire, the participant resends the Join message.
Leave timer
The Leave timer controls the deregistration of attributes.
An MRP participant starts the Leave timer in one of the following conditions:
• The participant receives a Leave message from its peer participant.
• The participant receives or sends a LeaveAll message.
The MRP participant does not deregister the attributes in the Leave or LeaveAll message if the
following conditions exist:
• The participant receives a Join message before the Leave timer expires.
• The Join message includes the attributes that have been encapsulated in the Leave or LeaveAll
message.
If the participant does not receive a Join message for these attributes before the Leave timer expires,
MRP deregisters the attributes.
LeaveAll timer
After startup, an MRP participant starts its own LeaveAll timer. When the LeaveAll timer expires, the
MRP participant sends out a LeaveAll message and restarts the LeaveAll timer.
Upon receiving the LeaveAll message, other participants restart their LeaveAll timer. The effective
value of the LeaveAll timer is randomly selected between the configured LeaveAll timer value and
1.5 times that value.
This mechanism provides the following benefits:
• Effectively reduces the number of LeaveAll messages in the network.
• Prevents the LeaveAll timer of a particular participant from always expiring first.

MVRP registration modes


VLAN information propagated by MVRP includes dynamic VLAN information from other devices and
local static VLAN information.

Based on how an MVRP participant handles registration of dynamic VLANs, MVRP has the following
registration modes:
• Normal—An MVRP participant in normal registration mode registers and deregisters dynamic
VLANs.
• Fixed—An MVRP participant in fixed registration mode disables deregistering dynamic VLANs
and drops received MVRP frames. The MVRP participant does not deregister dynamic VLANs
or register new dynamic VLANs.
• Forbidden—An MVRP participant in forbidden registration mode disables registering dynamic
VLANs and drops received MVRP frames. When you set the forbidden registration mode for a
port, the port retains VLAN 1 and all dynamically registered VLANs of the port are deleted.

Protocols and standards


IEEE 802.1ak, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area
Networks – Amendment 07: Multiple Registration Protocol

Restrictions and guidelines: MVRP configuration


When you configure MVRP, follow these restrictions and guidelines:
• MVRP can work with STP, RSTP, or MSTP. Ports blocked by STP, RSTP, or MSTP can receive
and send MVRP frames. Do not configure MVRP with other link layer topology protocols (such
as service loopback, PVST, RRPP, and Smart Link) on the same port.
For more information about STP, RSTP, MSTP, and PVST, see "Configuring spanning tree
protocols." For more information about service loopback, see "Configuring service loopback
groups." For more information about RRPP and Smart Link, see High Availability Configuration
Guide.
• Do not configure both MVRP and remote port mirroring on a port. Otherwise, MVRP might
register the remote probe VLAN with incorrect ports, which would cause the monitor port to
receive undesired copies. For more information about port mirroring, see Network Management
and Monitoring Configuration Guide.
• Enabling MVRP on a Layer 2 aggregate interface takes effect on the aggregate interface and all
Selected member ports in the link aggregation group.
• MVRP configuration made on an aggregation group member port takes effect only after the port
is removed from the aggregation group.

MVRP tasks at a glance


To configure MVRP, perform the following tasks:
1. Enabling MVRP
2. Setting an MVRP registration mode
3. (Optional.) Setting MRP timers
4. (Optional.) Enabling GVRP compatibility

Prerequisites
Before you configure MVRP, complete the following tasks:
• Map each MSTI used by MVRP to an existing VLAN on each device in the network.
• Set the port link type of MVRP participants to trunk because MVRP takes effect only on trunk
ports. For more information about trunk ports, see "Configuring VLANs."

Enabling MVRP
1. Enter system view.
system-view
2. Enable MVRP globally.
mvrp global enable
By default, MVRP is globally disabled.
For MVRP to take effect on a port, enable MVRP both on the port and globally.
3. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
interface interface-type interface-number
4. Configure the port as a trunk port.
port link-type trunk
By default, each port is an access port. For more information about the port link-type
trunk command, see Layer 2—LAN Switching Command Reference.
5. Configure the trunk port to permit the specified VLANs.
port trunk permit vlan { vlan-id-list | all }
By default, a trunk port permits only VLAN 1.
Make sure the trunk port permits all registered VLANs.
For more information about the port trunk permit vlan command, see Layer 2—LAN
Switching Command Reference.
6. Enable MVRP on the port.
mvrp enable
By default, MVRP is disabled on a port.

Setting an MVRP registration mode


1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
interface interface-type interface-number
3. Set an MVRP registration mode for the port.
mvrp registration { fixed | forbidden | normal }
The default setting is normal registration mode.

Setting MRP timers


Restrictions and guidelines
When you set MVRP timers, follow these restrictions and guidelines:
• Follow the value range requirements for Join, Leave, and LeaveAll timers and their
dependencies as described in Table 1. If you set a timer to a value beyond the allowed value
range, your configuration fails. You can set a timer by tuning the value of any other timer. The
value of each timer must be an integer multiple of 20 centiseconds.

Table 1 Dependencies of the Join, Leave, and LeaveAll timers

Timer      Lower limit                Upper limit
Join       20 centiseconds            Half the Leave timer
Leave      Twice the Join timer       LeaveAll timer
LeaveAll   Leave timer on each port   32760 centiseconds

• To avoid frequent VLAN registrations and deregistrations, use the same MRP timers throughout
the network.
• Each port maintains its own Periodic, Join, and LeaveAll timers, and each attribute of a port
maintains a Leave timer.
• As a best practice, restore the timers in the order of Join, Leave, and LeaveAll when you restore
these timers to their default values.
• You can restore the Periodic timer to its default value at any time.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
interface interface-type interface-number
3. Set the LeaveAll timer.
mrp timer leaveall timer-value
The default setting is 1000 centiseconds.
4. Set the Join timer.
mrp timer join timer-value
The default setting is 20 centiseconds.
5. Set the Leave timer.
mrp timer leave timer-value
The default setting is 60 centiseconds.
6. Set the Periodic timer.
mrp timer periodic timer-value
The default setting is 100 centiseconds.
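The following added example (not part of the H3C guide) checks Join, Leave, and LeaveAll values against Table 1 and orders the mrp timer commands so that every intermediate state stays inside the allowed ranges. The function names are hypothetical, and treating the Leave/LeaveAll limits as inclusive is an assumption.

```python
from itertools import permutations

STEP = 20              # every timer is an integer multiple of 20 centiseconds
LEAVEALL_MAX = 32760   # upper limit of the LeaveAll timer in Table 1
ORDER = ("join", "leave", "leaveall")
DEFAULTS = {"join": 20, "leave": 60, "leaveall": 1000}  # defaults from the procedure


def violations(timers):
    """Return the Table 1 rules that a set of timers (in centiseconds) breaks."""
    errs = []
    for name in ORDER:
        value = timers[name]
        if value < STEP or value % STEP:
            errs.append(f"{name} {value}: below {STEP} cs or not a multiple of {STEP} cs")
    if 2 * timers["join"] > timers["leave"]:
        errs.append("join exceeds half the leave timer")
    # Assumption: the Leave/LeaveAll limits in Table 1 are inclusive.
    if timers["leave"] > timers["leaveall"]:
        errs.append("leave exceeds the leaveall timer")
    if timers["leaveall"] > LEAVEALL_MAX:
        errs.append(f"leaveall exceeds {LEAVEALL_MAX} cs")
    return errs


def plan(current, target):
    """Order the 'mrp timer' commands so each intermediate state obeys Table 1."""
    for label, timers in (("current", current), ("target", target)):
        errs = violations(timers)
        if errs:
            raise ValueError(f"{label} timers invalid: {'; '.join(errs)}")
    changed = [name for name in ORDER if current[name] != target[name]]
    for order in permutations(changed):
        state = dict(current)
        for name in order:
            state[name] = target[name]
            if violations(state):
                break          # this order passes through a rejected state
        else:
            return [f"mrp timer {name} {target[name]}" for name in order]
    raise ValueError("no command order keeps every intermediate state valid")


if __name__ == "__main__":
    raised = {"join": 100, "leave": 400, "leaveall": 2000}  # constructed sample values
    print(plan(DEFAULTS, raised))   # raising the timers: Leave must go before Join
    print(plan(raised, DEFAULTS))   # returning to defaults: Join, Leave, LeaveAll
```

Returning to the default values yields the order Join, Leave, LeaveAll, which matches the best practice stated in the restrictions above.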

Enabling GVRP compatibility


About this task
Perform this task to enable the device to receive and send both MVRP and GVRP frames when the
peer device supports GVRP. For more information about GVRP, see the IEEE 802.1Q standard.
Restrictions and guidelines
When you enable GVRP compatibility, follow these restrictions and guidelines:
• GVRP compatibility enables MVRP to work with STP or RSTP, but not MSTP.
• When the system is busy, disable the Periodic timer to prevent the participant from frequently
registering or deregistering attributes.
Procedure
1. Enter system view.
system-view
2. Enable GVRP compatibility.
mvrp gvrp-compliance enable
By default, GVRP compatibility is disabled.

Display and maintenance commands for MVRP


Execute display commands in any view and reset commands in user view.

Task                                          Command
Display MVRP running status.                  display mvrp running-status [ interface interface-list ]
Display the MVRP state of a port in a VLAN.   display mvrp state interface interface-type interface-number vlan vlan-id
Display MVRP statistics.                      display mvrp statistics [ interface interface-list ]
Clear MVRP statistics.                        reset mvrp statistics [ interface interface-list ]

MVRP configuration examples


Example: Configuring basic MVRP functions
Network configuration
As shown in Figure 2:
• Create VLAN 10 on Device A and VLAN 20 on Device B.
• Configure MSTP, map VLAN 10 to MSTI 1, map VLAN 20 to MSTI 2, and map the other VLANs
to MSTI 0.
Configure MVRP on Device A, Device B, Device C, and Device D to meet the following
requirements:
• The devices can register and deregister dynamic VLANs.
• The devices can keep identical VLAN configurations for each MSTI.

Figure 2 Network diagram
[Figure: Device A (VLAN 10), Device B (VLAN 20), Device C, and Device D, connected through ports WGE1/0/1 to WGE1/0/3. The links are labeled with the VLANs they permit (all VLANs; VLANs 20 and 40; VLAN 40). VLAN 10 → MSTI 1, VLAN 20 → MSTI 2, other VLANs → MSTI 0. A second panel, "Topology of each MSTI", shows MSTI 0, MSTI 1, and MSTI 2 with a legend for the root bridge, links blocked and not blocked by spanning tree, and blocked, root, and designated ports.]

Procedure
1. Configure Device A:
# Enter MST region view.
<DeviceA> system-view
[DeviceA] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceA-mst-region] region-name example
[DeviceA-mst-region] instance 1 vlan 10
[DeviceA-mst-region] instance 2 vlan 20
[DeviceA-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceA-mst-region] active region-configuration
[DeviceA-mst-region] quit
# Configure Device A as the primary root bridge of MSTI 1.
[DeviceA] stp instance 1 root primary
# Globally enable the spanning tree feature.
[DeviceA] stp global enable
# Globally enable MVRP.
[DeviceA] mvrp global enable
# Configure Twenty-FiveGigE 1/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port link-type trunk
[DeviceA-Twenty-FiveGigE1/0/1] port trunk permit vlan all
# Enable MVRP on Twenty-FiveGigE 1/0/1.
[DeviceA-Twenty-FiveGigE1/0/1] mvrp enable
[DeviceA-Twenty-FiveGigE1/0/1] quit
# Configure Twenty-FiveGigE 1/0/2 as a trunk port, and configure it to permit VLAN 40.
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] port link-type trunk
[DeviceA-Twenty-FiveGigE1/0/2] port trunk permit vlan 40
# Enable MVRP on Twenty-FiveGigE 1/0/2.
[DeviceA-Twenty-FiveGigE1/0/2] mvrp enable
[DeviceA-Twenty-FiveGigE1/0/2] quit
# Configure Twenty-FiveGigE 1/0/3 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface twenty-fivegige 1/0/3
[DeviceA-Twenty-FiveGigE1/0/3] port link-type trunk
[DeviceA-Twenty-FiveGigE1/0/3] port trunk permit vlan all
# Enable MVRP on Twenty-FiveGigE 1/0/3.
[DeviceA-Twenty-FiveGigE1/0/3] mvrp enable
[DeviceA-Twenty-FiveGigE1/0/3] quit
# Create VLAN 10.
[DeviceA] vlan 10
[DeviceA-vlan10] quit
2. Configure Device B:
# Enter MST region view.
<DeviceB> system-view
[DeviceB] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceB-mst-region] region-name example
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 2 vlan 20
[DeviceB-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# Configure Device B as the primary root bridge of MSTI 2.
[DeviceB] stp instance 2 root primary
# Globally enable the spanning tree feature.
[DeviceB] stp global enable
# Globally enable MVRP.
[DeviceB] mvrp global enable
# Configure Twenty-FiveGigE 1/0/1 as a trunk port, and configure it to permit VLANs 20 and 40.
[DeviceB] interface twenty-fivegige 1/0/1
[DeviceB-Twenty-FiveGigE1/0/1] port link-type trunk
[DeviceB-Twenty-FiveGigE1/0/1] port trunk permit vlan 20 40
# Enable MVRP on Twenty-FiveGigE 1/0/1.
[DeviceB-Twenty-FiveGigE1/0/1] mvrp enable
[DeviceB-Twenty-FiveGigE1/0/1] quit
# Configure Twenty-FiveGigE 1/0/2 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] port link-type trunk
[DeviceB-Twenty-FiveGigE1/0/2] port trunk permit vlan all
# Enable MVRP on Twenty-FiveGigE 1/0/2.
[DeviceB-Twenty-FiveGigE1/0/2] mvrp enable
[DeviceB-Twenty-FiveGigE1/0/2] quit
# Configure Twenty-FiveGigE 1/0/3 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface twenty-fivegige 1/0/3
[DeviceB-Twenty-FiveGigE1/0/3] port link-type trunk
[DeviceB-Twenty-FiveGigE1/0/3] port trunk permit vlan all
# Enable MVRP on Twenty-FiveGigE 1/0/3.
[DeviceB-Twenty-FiveGigE1/0/3] mvrp enable
[DeviceB-Twenty-FiveGigE1/0/3] quit
# Create VLAN 20.
[DeviceB] vlan 20
[DeviceB-vlan20] quit
3. Configure Device C:
# Enter MST region view.
<DeviceC> system-view
[DeviceC] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceC-mst-region] region-name example
[DeviceC-mst-region] instance 1 vlan 10
[DeviceC-mst-region] instance 2 vlan 20
[DeviceC-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceC-mst-region] active region-configuration
[DeviceC-mst-region] quit
# Configure Device C as the root bridge of MSTI 0.
[DeviceC] stp instance 0 root primary
# Globally enable the spanning tree feature.
[DeviceC] stp global enable
# Globally enable MVRP.
[DeviceC] mvrp global enable
# Configure Twenty-FiveGigE 1/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceC] interface twenty-fivegige 1/0/1
[DeviceC-Twenty-FiveGigE1/0/1] port link-type trunk
[DeviceC-Twenty-FiveGigE1/0/1] port trunk permit vlan all
# Enable MVRP on Twenty-FiveGigE 1/0/1.
[DeviceC-Twenty-FiveGigE1/0/1] mvrp enable
[DeviceC-Twenty-FiveGigE1/0/1] quit
# Configure Twenty-FiveGigE 1/0/2 as a trunk port, and configure it to permit all VLANs.
[DeviceC] interface twenty-fivegige 1/0/2
[DeviceC-Twenty-FiveGigE1/0/2] port link-type trunk
[DeviceC-Twenty-FiveGigE1/0/2] port trunk permit vlan all
# Enable MVRP on Twenty-FiveGigE 1/0/2.
[DeviceC-Twenty-FiveGigE1/0/2] mvrp enable
[DeviceC-Twenty-FiveGigE1/0/2] quit
4. Configure Device D:
# Enter MST region view.
<DeviceD> system-view
[DeviceD] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceD-mst-region] region-name example
[DeviceD-mst-region] instance 1 vlan 10
[DeviceD-mst-region] instance 2 vlan 20
[DeviceD-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# Globally enable the spanning tree feature.
[DeviceD] stp global enable
# Globally enable MVRP.
[DeviceD] mvrp global enable
# Configure Twenty-FiveGigE 1/0/1 as a trunk port, and configure it to permit VLANs 20 and 40.
[DeviceD] interface twenty-fivegige 1/0/1
[DeviceD-Twenty-FiveGigE1/0/1] port link-type trunk
[DeviceD-Twenty-FiveGigE1/0/1] port trunk permit vlan 20 40
# Enable MVRP on Twenty-FiveGigE 1/0/1.
[DeviceD-Twenty-FiveGigE1/0/1] mvrp enable
[DeviceD-Twenty-FiveGigE1/0/1] quit
# Configure Twenty-FiveGigE 1/0/2 as a trunk port, and configure it to permit VLAN 40.
[DeviceD] interface twenty-fivegige 1/0/2
[DeviceD-Twenty-FiveGigE1/0/2] port link-type trunk
[DeviceD-Twenty-FiveGigE1/0/2] port trunk permit vlan 40
# Enable MVRP on Twenty-FiveGigE 1/0/2.
[DeviceD-Twenty-FiveGigE1/0/2] mvrp enable
[DeviceD-Twenty-FiveGigE1/0/2] quit

Verifying the configuration


1. Verify the normal registration mode configuration.
# Display local VLAN information on Device A.
[DeviceA] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Twenty-FiveGigE1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default)
Declared VLANs :
1(default), 10, 20
Propagated VLANs :
1(default)

----[Twenty-FiveGigE1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
None
Declared VLANs :
1(default)
Propagated VLANs :
None

----[Twenty-FiveGigE1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
20
Declared VLANs :
1(default), 10
Propagated VLANs :
20
The output shows that the following events have occurred:
○ Twenty-FiveGigE 1/0/1 has registered VLAN 1, declared VLAN 1, VLAN 10, and VLAN 20,
and propagated VLAN 1 through MVRP.
○ Twenty-FiveGigE 1/0/2 has declared VLAN 1, and registered and propagated no VLANs.
○ Twenty-FiveGigE 1/0/3 has registered VLAN 20, declared VLAN 1 and VLAN 10, and
propagated VLAN 20 through MVRP.
# Display local VLAN information on Device B.
[DeviceB] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Twenty-FiveGigE1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default)
Declared VLANs :
1(default), 20
Propagated VLANs :
1(default)

----[Twenty-FiveGigE1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 10
Declared VLANs :
1(default), 20
Propagated VLANs :
1(default)

----[Twenty-FiveGigE1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 10
Declared VLANs :
20
Propagated VLANs :
10
The output shows that the following events have occurred:
○ Twenty-FiveGigE 1/0/1 has registered VLAN 1, declared VLAN 1 and VLAN 20, and
propagated VLAN 1 through MVRP.
○ Twenty-FiveGigE 1/0/2 has registered VLAN 1 and VLAN 10, declared VLAN 1 and VLAN
20, and propagated VLAN 1.
○ Twenty-FiveGigE 1/0/3 has registered VLAN 1 and VLAN 10, declared VLAN 20, and
propagated VLAN 10 through MVRP.
# Display local VLAN information on Device C.
[DeviceC] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Twenty-FiveGigE1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 10, 20
Declared VLANs :
1(default)
Propagated VLANs :
1(default), 10

----[Twenty-FiveGigE1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 20
Declared VLANs :
1(default), 10
Propagated VLANs :
1(default), 20
The output shows that the following events have occurred:
○ Twenty-FiveGigE 1/0/1 has registered VLAN 1, VLAN 10, and VLAN 20, declared VLAN 1,
and propagated VLAN 1 and VLAN 10 through MVRP.
○ Twenty-FiveGigE 1/0/2 has registered VLAN 1 and VLAN 20, declared VLAN 1 and VLAN
10, and propagated VLAN 1 and VLAN 20 through MVRP.
# Display local VLAN information on Device D.
[DeviceD] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Twenty-FiveGigE1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 20
Declared VLANs :
1(default)
Propagated VLANs :
1(default), 20

----[Twenty-FiveGigE1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default)
Declared VLANs :
None
Propagated VLANs :
None
The output shows that the following events have occurred:
○ Twenty-FiveGigE 1/0/1 has registered and propagated VLAN 10 and VLAN 20, and
declared VLAN 1 through MVRP.
○ Twenty-FiveGigE 1/0/2 has registered VLAN 1, and declared and propagated no VLANs
through MVRP.
2. Verify the configuration after changing the registration mode.
When the network is stable, set the MVRP registration mode to fixed on the port of Device B
connected to Device A. Then, verify that dynamic VLANs on the port will not be deregistered.
# Set the MVRP registration mode to fixed on Twenty-FiveGigE 1/0/3 of Device B.
[DeviceB] interface twenty-fivegige 1/0/3
[DeviceB-Twenty-FiveGigE1/0/3] mvrp registration fixed
[DeviceB-Twenty-FiveGigE1/0/3] quit
# Display local MVRP VLAN information on Twenty-FiveGigE 1/0/3.
[DeviceB] display mvrp running-status interface twenty-fivegige 1/0/3
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Twenty-FiveGigE1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Fixed
Registered VLANs :
1(default), 10
Declared VLANs :
20
Propagated VLANs :
10
The output shows that VLAN information on Twenty-FiveGigE 1/0/3 is not changed after you
set its MVRP registration mode to fixed.
# Delete VLAN 10 on Device A.
[DeviceA] undo vlan 10
# Display local MVRP VLAN information on Twenty-FiveGigE 1/0/3 of Device B.
[DeviceB] display mvrp running-status interface twenty-fivegige 1/0/3
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Twenty-FiveGigE1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Fixed
Registered VLANs :
1(default), 10
Declared VLANs :
20
Propagated VLANs :
10
The output shows that dynamic VLAN information on Twenty-FiveGigE 1/0/3 is not changed
after you set its MVRP registration mode to fixed.
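The following added example (not part of the H3C guide) parses display mvrp running-status output in the format shown above and compares each port's registration mode and registered VLANs with an intended state, which is useful because a port in normal mode registers the dynamic VLANs it learns through MVRP. The sample text is constructed from the Device B output; the policy values and function names are hypothetical.

```python
import re

HEADER = re.compile(r"^-+\[(.+?)\]-+$")       # e.g. ----[Twenty-FiveGigE1/0/3]----
FIELD = re.compile(r"^([^:]+?)\s*:\s*(.*)$")   # e.g. Registration Type : Normal
VLAN_KEYS = {"Registered VLANs", "Declared VLANs", "Propagated VLANs"}

# Constructed sample, shortened from the Device B output format shown above.
SAMPLE = """
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Twenty-FiveGigE1/0/1]----
Config Status : Enabled
Join Timer : 20 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default)
Declared VLANs :
1(default), 20
Propagated VLANs :
1(default)

----[Twenty-FiveGigE1/0/3]----
Config Status : Enabled
Join Timer : 20 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 10
Declared VLANs :
20
Propagated VLANs :
10
"""

# Hypothetical intended state: expected registration mode and VLAN allow-list per port.
POLICY = {
    "Twenty-FiveGigE1/0/1": {"mode": "normal", "vlans": {1, 20, 40}},
    "Twenty-FiveGigE1/0/3": {"mode": "fixed", "vlans": {1, 20}},
}


def parse_vlans(text):
    """Turn '1(default), 10, 20' or 'None' into a set of VLAN IDs."""
    vlans = set()
    for low, high in re.findall(r"(\d+)(?:-(\d+))?", text):
        # Assumption: a range such as '10-12' may appear; the page shows only single IDs.
        vlans.update(range(int(low), int(high or low) + 1))
    return vlans


def parse_running_status(text):
    """Return {section name: {field: value}}; VLAN fields become sets of IDs."""
    sections, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = HEADER.match(line)
        if header:
            current, pending = sections.setdefault(header.group(1), {}), None
            continue
        field = FIELD.match(line)
        if field and current is not None:
            key, value = field.group(1), field.group(2)
            if key in VLAN_KEYS:
                current[key], pending = set(), key   # the list is on the next line(s)
            else:
                current[key], pending = value, None
        elif pending and current is not None:
            current[pending] |= parse_vlans(line)
    return sections


def audit(sections, policy):
    """List (port, finding) pairs where a port deviates from the intended state."""
    findings = []
    for port, data in sections.items():
        if "Registration Type" not in data:
            continue                                  # global section, not a port
        expected = policy.get(port)
        if expected is None:
            findings.append((port, "port is not in the policy"))
            continue
        mode = data["Registration Type"]
        if mode.lower() != expected["mode"]:
            findings.append((port, f"registration mode is {mode}, expected {expected['mode']}"))
        extra = data.get("Registered VLANs", set()) - expected["vlans"]
        if extra:
            findings.append((port, f"unexpected registered VLANs: {sorted(extra)}"))
    return findings


if __name__ == "__main__":
    for port, finding in audit(parse_running_status(SAMPLE), POLICY):
        print(f"{port}: {finding}")
```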

Contents
Configuring loopback, null, and inloopback interfaces
  About loopback, null, and inloopback interfaces
    About loopback interfaces
    About null interfaces
    About inloopback interfaces
  Configuring a loopback interface
  Configuring a null interface
  Restoring the default settings for an interface
  Display and maintenance commands for loopback, null, and inloopback interfaces

Configuring loopback, null, and inloopback interfaces
This chapter describes how to configure a loopback interface, a null interface, and an inloopback
interface.

About loopback, null, and inloopback interfaces


About loopback interfaces
A loopback interface is a virtual interface. The physical layer state of a loopback interface is always
up unless the loopback interface is manually shut down. Because of this benefit, loopback
interfaces are widely used in the following scenarios:
• Configuring a loopback interface address as the source address of the IP packets that
the device generates—Because loopback interface addresses are stable unicast addresses,
they are usually used as device identifications.
When you configure a rule on an authentication or security server, you can configure it to
permit or deny packets carrying the loopback interface address of a device. This simplifies
your configuration and achieves the effect of permitting or denying packets that the device
generates. To use a loopback interface address as the source address of IP packets, make
sure the loopback interface is reachable from the peer by performing routing configuration. All
data packets sent to the loopback interface are considered packets sent to the device itself, so
the device does not forward these packets.
• Using a loopback interface in dynamic routing protocols—With no router ID configured for
a dynamic routing protocol, the system selects the highest loopback interface IP address as
the router ID. In BGP, to avoid interruption of BGP sessions due to physical port failure, you
can use a loopback interface as the source interface of BGP packets.

About null interfaces


A null interface is a virtual interface and is always up, but you cannot use it to forward data packets
or configure it with an IP address or link layer protocol. The null interface provides a simpler way to
filter packets than ACL. You can filter undesired traffic by transmitting it to a null interface instead of
applying an ACL. For example, if you specify a null interface as the next hop of a static route to a
network segment, any packets routed to the network segment are dropped.

About inloopback interfaces


An inloopback interface is a virtual interface created by the system, which cannot be configured or
deleted. The physical layer and link layer protocol states of an inloopback interface are always up.
All IP packets sent to an inloopback interface are considered packets sent to the device itself and
are not forwarded.

Configuring a loopback interface


1. Enter system view.
system-view
2. Create a loopback interface and enter loopback interface view.
interface loopback interface-number
3. Configure the interface description.
description text
The default setting is the interface name followed by Interface (for example, LoopBack1 Interface).
4. Configure the expected bandwidth of the loopback interface.
bandwidth bandwidth-value
By default, the expected bandwidth of a loopback interface is 0 kbps.
5. Bring up the loopback interface.
undo shutdown
By default, a loopback interface is up.

Configuring a null interface


1. Enter system view.
system-view
2. Enter null interface view.
interface null 0
Interface Null 0 is the default null interface on the device and cannot be manually created or
removed.
Only one null interface, Null 0, is supported on the device. The null interface number is always
0.
3. Configure the interface description.
description text
The default setting is NULL0 Interface.

Restoring the default settings for an interface


Restrictions and guidelines

CAUTION:
This feature might interrupt ongoing network services. Make sure you are fully aware of the impact
of this feature when you use it on a live network.

This feature might fail to restore the default settings for some commands because of command
dependencies or system restrictions. You can use the display this command in interface view
to check for these commands and perform their undo forms or follow the command reference to
restore their default settings. If your restoration attempt still fails, follow the error message to resolve
the problem.
Procedure
1. Enter system view.
system-view
2. Enter loopback interface view or null interface view.
○ interface loopback interface-number
○ interface null 0
3. Restore the default settings for the interface.
default

Display and maintenance commands for loopback, null, and inloopback interfaces
Execute display commands in any view and reset commands in user view.

Task                                                                  Command
Display information about the inloopback interface.                   display interface [ inloopback [ 0 ] ] [ brief [ description | down ] ]
Display information about the specified or all loopback interfaces.   display interface [ loopback [ interface-number ] ] [ brief [ description | down ] ]
Display information about the null interface.                         display interface [ null [ 0 ] ] [ brief [ description | down ] ]
Clear the statistics on the specified or all loopback interfaces.     reset counters interface [ loopback [ interface-number ] ]
Clear the statistics on the null interface.                           reset counters interface [ null [ 0 ] ]

3
Contents
Configuring QinQ ··························································································· 1
About QinQ ························································································································································ 1
QinQ benefits ············································································································································· 1
How QinQ works ········································································································································ 1
QinQ implementations
Protocols and standards
Restrictions and guidelines: QinQ configuration
Enabling QinQ
Configuring transmission for transparent VLANs
Configuring the TPID for VLAN tags
About TPID
Restrictions and guidelines
Configuring the TPID for CVLAN tags
Configuring the TPID for SVLAN tags
Setting the 802.1p priority in SVLAN tags
About the 802.1p priority in SVLAN tags
Prerequisites for setting the 802.1p priority in SVLAN tags
Tasks at a glance
Creating a traffic class and configuring CVLAN match criteria
Creating a traffic behavior and configuring a priority marking action for SVLAN tags
Creating a QoS policy
Applying the QoS policy
Display and maintenance commands for QinQ
QinQ configuration examples
Example: Configuring basic QinQ
Example: Configuring VLAN transparent transmission

Configuring QinQ
This document uses the following terms:
• CVLAN—Customer network VLANs, also called inner VLANs, refer to VLANs that a customer
uses on the private network.
• SVLAN—Service provider network VLANs, also called outer VLANs, refer to VLANs that a
service provider uses to transmit VLAN tagged traffic for customers.

About QinQ
802.1Q-in-802.1Q (QinQ) adds an 802.1Q tag to 802.1Q tagged customer traffic. It enables a
service provider to extend Layer 2 connections across an Ethernet network between customer sites.

QinQ benefits
QinQ provides the following benefits:
• Enables a service provider to use a single SVLAN to convey multiple CVLANs for a customer.
• Enables customers to plan CVLANs without conflicting with SVLANs.
• Enables customers to keep their VLAN assignment schemes unchanged when the service
provider changes its VLAN assignment scheme.
• Allows different customers to use overlapping CVLAN IDs. Devices in the service provider
network make forwarding decisions based on SVLAN IDs instead of CVLAN IDs.

How QinQ works


As shown in Figure 1, a QinQ frame transmitted over the service provider network carries the
following tags:
• CVLAN tag—Identifies the VLAN to which the frame belongs when it is transmitted in the
customer network.
• SVLAN tag—Identifies the VLAN to which the QinQ frame belongs when it is transmitted in the
service provider network. The service provider allocates the SVLAN tag to the customer.
The devices in the service provider network forward a tagged frame according to its SVLAN tag only.
The CVLAN tag is transmitted as part of the frame's payload.
Figure 1 Single-tagged Ethernet frame header and double-tagged Ethernet frame header
Single-tagged frame structure:
DA (6 bytes) | SA (6 bytes) | CVLAN tag (4 bytes) | Etype (2 bytes) | Data (46–1500 bytes) | FCS (4 bytes)

Double-tagged frame structure:
DA (6 bytes) | SA (6 bytes) | SVLAN tag (4 bytes, outer VLAN tag) | CVLAN tag (4 bytes, inner VLAN tag) | Etype (2 bytes) | Data (46–1500 bytes) | FCS (4 bytes)

As shown in Figure 2, customer A has remote sites CE 1 and CE 4. Customer B has remote sites CE
2 and CE 3. The CVLANs of the two customers overlap. The service provider assigns SVLANs 3 and
4 to customers A and B, respectively.
When a tagged Ethernet frame from CE 1 arrives at PE 1, the PE tags the frame with SVLAN 3. The
double-tagged Ethernet frame travels over the service provider network until it arrives at PE 2. PE 2
removes the SVLAN tag of the frame, and then sends the frame to CE 4.
Figure 2 Typical QinQ application scenario
[Network diagram: CE 1 and CE 4 belong to customer network A (VLANs 1 to 10). CE 2 and CE 3 belong to customer network B (VLANs 1 to 20). PE 1 and PE 2 connect the customer sites across the service provider network. Customer frames are "CVLAN A, Data" or "CVLAN B, Data". Between the PEs they are carried as "SVLAN 3, CVLAN A, Data" and "SVLAN 4, CVLAN B, Data".]

QinQ implementations
QinQ is enabled on a per-port basis. The link type of a QinQ-enabled port can be access, hybrid, or
trunk. The QinQ tagging behaviors are the same across these types of ports.
A QinQ-enabled port tags all incoming frames (tagged or untagged) with the PVID tag.
• If an incoming frame already has one tag, it becomes a double-tagged frame.
• If the frame does not have any 802.1Q tags, it becomes a frame tagged with the PVID.
QinQ provides the most basic VLAN manipulation method to tag all incoming frames (tagged or
untagged) with the PVID tag. To perform advanced VLAN manipulations, use VLAN mappings or
QoS policies as follows:
• To add different SVLANs for different CVLAN tags, use one-to-two VLAN mappings.
• To replace the SVLAN ID, CVLAN ID, or both IDs for an incoming double-tagged frame, use
two-to-two VLAN mappings.
• To use criteria other than the CVLAN ID to match packets for SVLAN tagging, use the QoS nest
action. The QoS nest action can also be used with other actions in the same traffic behavior.
• To set the 802.1p priority in SVLAN tags, use the priority marking action as described in "Setting
the 802.1p priority in SVLAN tags."
For more information about VLAN mappings, see "Configuring VLAN mapping." For more
information about QoS, see ACL and QoS Configuration Guide.

Protocols and standards
• IEEE 802.1Q, IEEE Standard for Local and Metropolitan Area Networks-Virtual Bridged Local
Area Networks
• IEEE 802.1ad, IEEE Standard for Local and Metropolitan Area Networks-Virtual Bridged Local
Area Networks-Amendment 4: Provider Bridges

Restrictions and guidelines: QinQ configuration


When you configure QinQ, follow these restrictions and guidelines:
• The inner 802.1Q tag of QinQ frames is treated as part of the payload. As a best practice to
ensure correct transmission of QinQ frames, set the MTU to a minimum of 1504 bytes for each
port on their forwarding path. This value is the sum of the default Ethernet interface MTU (1500
bytes) and the length (4 bytes) of a VLAN tag.
• You can use a QoS policy, a VLAN mapping, and QinQ on a port for VLAN tag manipulation. If
their settings conflict, the QoS policy has the highest priority, the VLAN mapping has the
medium priority, and QinQ has the lowest priority.
• QinQ and two-to-two mappings are mutually exclusive. The device does not support adding an
SVLAN tag on a QinQ-enabled port and then modifying the CVLAN and SVLAN IDs.

Enabling QinQ
About this task
Enable QinQ on customer-side ports of PEs. A QinQ-enabled port tags an incoming frame with its
PVID.
Restrictions and guidelines
Before you enable or disable QinQ on a port, you must remove any VLAN mappings on the port. For
more information about VLAN mapping, see Layer 2—LAN Switching Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
interface interface-type interface-number
3. Set the port link type.
port link-type { access | hybrid | trunk }
By default, the link type of a port is access.
4. Configure the port to allow packets from its PVID to pass through.
○ Assign the access port to the specified VLAN.
port access vlan vlan-id
By default, all access ports belong to VLAN 1.
The PVID of an access port is the VLAN to which the port belongs. The port sends packets
from the VLAN untagged.
○ Configure the hybrid port to send packets from its PVID untagged.
port hybrid vlan vlan-id-list untagged
By default, the hybrid port is an untagged member of the VLAN to which the port belongs
when its link type is access.
○ Configure the trunk port to allow packets from its PVID to pass through.
port trunk permit vlan { vlan-id-list | all }
By default, a trunk port allows packets only from VLAN 1 to pass through.
5. Enable QinQ on the port.
qinq enable
By default, QinQ is disabled on the port.

Configuring transmission for transparent VLANs


About this task
You can exclude a VLAN (for example, the management VLAN) from the QinQ tagging action on a
customer-side port. This VLAN is called a transparent VLAN.
Restrictions and guidelines
• Do not configure any other VLAN manipulation actions for the transparent VLAN on the port.
• Make sure all ports on the traffic path permit the transparent VLAN to pass through.
• If you use both transparent VLANs and VLAN mappings on an interface, the transparent VLANs
cannot be the following VLANs:
○ Original or translated VLANs of one-to-one, one-to-two, and many-to-one VLAN mappings.
○ Original or translated outer VLANs of two-to-two VLAN mappings.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
interface interface-type interface-number
3. Set the port link type.
port link-type { hybrid | trunk }
By default, the link type of a port is access.
4. Configure the port to allow packets from the transparent VLANs to pass through.
○ Configure the hybrid port to allow packets from the transparent VLANs to pass through.
port hybrid vlan vlan-id-list { tagged | untagged }
By default, a hybrid port is an untagged member of the VLAN to which the port belongs
when its link type is access.
○ Configure the trunk port to allow packets from the transparent VLANs to pass through.
port trunk permit vlan { vlan-id-list | all }
By default, a trunk port allows packets only from VLAN 1 to pass through.
5. Specify transparent VLANs for the port.
qinq transparent-vlan vlan-id-list
By default, transparent transmission is not configured for any VLANs.

Configuring the TPID for VLAN tags
About TPID
TPID identifies a frame as an 802.1Q tagged frame. The TPID value varies by vendor. On an H3C
device, the TPID in the 802.1Q tag added on a QinQ-enabled port is 0x8100 by default, in
compliance with IEEE 802.1Q. In a multi-vendor network, make sure the TPID setting is the same
between directly connected devices so 802.1Q tagged frames can be identified correctly.
TPID settings include CVLAN TPID and SVLAN TPID.
A QinQ-enabled port uses the CVLAN TPID to match incoming tagged frames. An incoming frame is
handled as untagged if its TPID is different from the CVLAN TPID.
SVLAN TPIDs are configurable on a per-port basis. A port without QinQ enabled uses the SVLAN
TPID to replace the TPID in outgoing frames' SVLAN tags and match incoming tagged frames. An
incoming frame is handled as untagged if the TPID in its outer VLAN tag is different from the SVLAN
TPID.
The TPID field is at the same position as the EtherType field in an untagged Ethernet frame. To
ensure correct packet type identification, do not set the TPID value to any of the values listed in Table
1.
Table 1 Reserved EtherType values

Protocol type Value


ARP 0x0806
PUP 0x0200
RARP 0x8035
IP 0x0800
IPv6 0x86dd
PPPoE 0x8863/0x8864
MPLS 0x8847/0x8848
IPX/SPX 0x8137
IS-IS 0x8000
LACP 0x8809
LLDP 0x88cc
802.1X 0x888e
802.1ag 0x8902
Cluster 0x88a7
Reserved 0xfffd/0xfffe/0xffff

Restrictions and guidelines


The TPID value in CVLAN tags is typically configured on PEs. The TPID value in SVLAN tags is
typically configured on the service provider-side ports of PEs.

Configuring the TPID for CVLAN tags
1. Enter system view.
system-view
2. Set the TPID for CVLAN tags.
qinq ethernet-type customer-tag hex-value
By default, the TPID is 0x8100 for CVLAN tags.

Configuring the TPID for SVLAN tags


1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
interface interface-type interface-number
3. Set the TPID for SVLAN tags.
qinq ethernet-type service-tag hex-value
By default, the TPID is 0x8100 for SVLAN tags.

Setting the 802.1p priority in SVLAN tags


About the 802.1p priority in SVLAN tags
By default, the 802.1p priority in the SVLAN tag added by a QinQ-enabled port depends on the
priority trust mode on the port.
• If the 802.1p priority in frames is trusted, the device copies the 802.1p priority in the CVLAN tag
to the SVLAN tag.
• If port priority is trusted, the port priority (0 by default) is used as the 802.1p priority in the
SVLAN tag.
You can configure a QoS policy to modify the 802.1p priority in SVLAN tags as follows:
• Modify the 802.1p priority in the SVLAN tag based on the 802.1p priority in the CVLAN tag or
the CVLAN ID.
• Copy the 802.1p priority in the CVLAN tag to the SVLAN tag.
For more information about QoS policies and priority trust mode, see ACL and QoS Configuration
Guide.
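The following Python model is an added example, not H3C code. It works at byte level through the tagging behavior described in "How QinQ works," "About TPID," and this section: a customer-side QinQ port pushes the PVID tag, a provider-side port rewrites the SVLAN TPID, and a receiving port whose SVLAN TPID differs handles the frame as untagged. The function names, the constructed sample frame, and the fallback to port priority when no CVLAN tag is recognized are assumptions made for illustration.

```python
import struct

# Table 1 of this guide: EtherType values that must not be configured as a TPID.
RESERVED_ETHERTYPES = {
    0x0806, 0x0200, 0x8035, 0x0800, 0x86DD, 0x8863, 0x8864, 0x8847, 0x8848,
    0x8137, 0x8000, 0x8809, 0x88CC, 0x888E, 0x8902, 0x88A7,
    0xFFFD, 0xFFFE, 0xFFFF,
}
MAC_LEN = 12   # DA (6 bytes) + SA (6 bytes)
TAG_LEN = 4    # TPID (2 bytes) + priority/VLAN ID field (2 bytes)


def tpid_is_allowed(tpid):
    """True if the value does not collide with a reserved EtherType."""
    return 0 <= tpid <= 0xFFFF and tpid not in RESERVED_ETHERTYPES


def make_tag(tpid, priority, vlan_id):
    """Encode one 802.1Q tag: TPID, 3-bit 802.1p priority, 12-bit VLAN ID."""
    if not (0 <= priority <= 7 and 1 <= vlan_id <= 4094):
        raise ValueError("priority must be 0-7 and VLAN ID 1-4094")
    return struct.pack("!HH", tpid, (priority << 13) | vlan_id)


def outer_tag(frame, expected_tpid):
    """Return (priority, vlan_id) of the outermost tag, or None when the
    field after the MAC addresses differs from expected_tpid (untagged)."""
    if len(frame) < MAC_LEN + TAG_LEN:
        return None
    tpid, tci = struct.unpack_from("!HH", frame, MAC_LEN)
    if tpid != expected_tpid:
        return None
    return tci >> 13, tci & 0x0FFF


def qinq_ingress(frame, pvid, cvlan_tpid=0x8100, trust="dot1p", port_priority=0):
    """Customer-side QinQ port: tag every incoming frame with the PVID."""
    cvlan = outer_tag(frame, cvlan_tpid)
    # Assumption: with no recognized CVLAN tag there is nothing to copy,
    # so the model falls back to the port priority.
    priority = cvlan[0] if (trust == "dot1p" and cvlan) else port_priority
    svlan = make_tag(0x8100, priority, pvid)   # 0x8100 is the default TPID
    return frame[:MAC_LEN] + svlan + frame[MAC_LEN:]


def provider_egress(frame, svlan_tpid):
    """Provider-side port: replace the TPID in the outgoing SVLAN tag."""
    return frame[:MAC_LEN] + struct.pack("!H", svlan_tpid) + frame[MAC_LEN + 2:]


def provider_ingress_vlan(frame, svlan_tpid, pvid):
    """VLAN in which a provider-side port forwards the frame: the SVLAN ID
    if the outer TPID matches, otherwise the PVID (handled as untagged)."""
    tag = outer_tag(frame, svlan_tpid)
    return tag[1] if tag else pvid


def payload_seen_by_provider(frame):
    """Bytes after the outer tag and type field. The CVLAN tag counts as
    payload, which is why the guide asks for an MTU of at least 1504."""
    return len(frame) - MAC_LEN - TAG_LEN - 2


# Constructed sample: CVLAN 10, 802.1p priority 5, IPv4 EtherType, 1500-byte payload.
CUSTOMER_FRAME = (
    bytes.fromhex("02000000000a") + bytes.fromhex("020000000001")
    + make_tag(0x8100, 5, 10) + struct.pack("!H", 0x0800) + bytes(1500)
)

if __name__ == "__main__":
    double_tagged = qinq_ingress(CUSTOMER_FRAME, pvid=100)
    on_wire = provider_egress(double_tagged, 0x8200)
    print("SVLAN tag (priority, VLAN):", outer_tag(double_tagged, 0x8100))
    print("peer with SVLAN TPID 0x8200 forwards in VLAN",
          provider_ingress_vlan(on_wire, 0x8200, pvid=1))
    print("peer with SVLAN TPID 0x8100 forwards in VLAN",
          provider_ingress_vlan(on_wire, 0x8100, pvid=1))
    print("payload seen by provider devices:", payload_seen_by_provider(on_wire))
```

In the mismatch case the frame is not discarded by this model. It is handled as untagged and lands in the receiving port's PVID, which is why the TPID setting must agree between directly connected devices.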

Prerequisites for setting the 802.1p priority in SVLAN tags


1. Enable QinQ. For more information, see "Enabling QinQ."
To use the CVLAN ID or 802.1p priority of the CVLAN tag to set the 802.1p priority of the
SVLAN tag, you must first enable QinQ on the port.
2. Use the qos trust dot1p command to configure the port to trust the 802.1p priority in
incoming frames. For more information, see ACL and QoS Configuration Guide.
This setting is required if the remark dot1p command is configured. It is optional if the
remark dot1p customer-dot1p-trust command is configured.

Tasks at a glance
To use QoS policies to set the 802.1p priority in SVLAN tags, perform the following tasks:
1. Creating a traffic class and configuring CVLAN match criteria
2. Creating a traffic behavior and configuring a priority marking action for SVLAN tags
3. Creating a QoS policy
4. Applying the QoS policy

Creating a traffic class and configuring CVLAN match criteria


1. Enter system view.
system-view
2. Create a traffic class and enter its view.
traffic classifier classifier-name [ operator { and | or } ]
3. Configure CVLAN match criteria.
Choose one option as needed:
○ Match CVLAN IDs.
if-match customer-vlan-id vlan-id-list
○ Match 802.1p priority.
if-match customer-dot1p dot1p-value&<1-8>

Creating a traffic behavior and configuring a priority marking action for SVLAN tags
1. Enter system view.
system-view
2. Create a traffic behavior and enter its view.
traffic behavior behavior-name
3. Configure a priority marking action for SVLAN tags.
Choose one option as needed:
○ Replace the priority in the SVLAN tags of matching frames with the configured priority.
remark dot1p dot1p-value
○ Copy the 802.1p priority in the CVLAN tag to the SVLAN tag.
remark dot1p customer-dot1p-trust

Creating a QoS policy


1. Enter system view.
system-view
2. Create a QoS policy and enter its view.
qos policy policy-name
3. Specify the traffic behavior for the traffic class in the QoS policy.
classifier classifier-name behavior behavior-name

Applying the QoS policy
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Apply the QoS policy to the inbound direction of the port.
qos apply policy policy-name inbound

Display and maintenance commands for QinQ


Execute display commands in any view.

Task: Display QinQ-enabled ports.
Command: display qinq [ interface interface-type interface-number ]

QinQ configuration examples


Example: Configuring basic QinQ
Network configuration
As shown in Figure 3:
• The service provider assigns VLAN 100 to Company A's VLANs 10 through 70.
• The service provider assigns VLAN 200 to Company B's VLANs 30 through 90.
• The devices between PE 1 and PE 2 in the service provider network use a TPID value of
0x8200.
Configure QinQ on PE 1 and PE 2 to transmit traffic in VLANs 100 and 200 for Company A and
Company B, respectively.
For the QinQ frames to be identified correctly, set the SVLAN TPID to 0x8200 on the service
provider-side ports of PE 1 and PE 2.

Figure 3 Network diagram
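[Network diagram: On PE 1, WGE1/0/1 connects to CE 1 (Company A, Site 1, VLANs 10 to 70), WGE1/0/3 connects to CE 3 (Company B, Site 3, VLANs 30 to 90), and WGE1/0/2 faces the service provider network. On PE 2, WGE1/0/1 connects to CE 2 (Company B, Site 4, VLANs 30 to 90), WGE1/0/3 connects to CE 4 (Company A, Site 2, VLANs 10 to 70), and WGE1/0/2 faces the service provider network. The service provider network carries VLANs 100 and 200 with TPID = 0x8200.]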

Procedure
1. Configure PE 1:
# Configure Twenty-FiveGigE 1/0/1 as a trunk port, and assign it to VLAN 100.
<PE1> system-view
[PE1] interface twenty-fivegige 1/0/1
[PE1-Twenty-FiveGigE1/0/1] port link-type trunk
[PE1-Twenty-FiveGigE1/0/1] port trunk permit vlan 100
# Set the PVID of Twenty-FiveGigE 1/0/1 to VLAN 100.
[PE1-Twenty-FiveGigE1/0/1] port trunk pvid vlan 100
# Enable QinQ on Twenty-FiveGigE 1/0/1.
[PE1-Twenty-FiveGigE1/0/1] qinq enable
[PE1-Twenty-FiveGigE1/0/1] quit
# Configure Twenty-FiveGigE 1/0/2 as a trunk port, and assign it to VLANs 100 and 200.
[PE1] interface twenty-fivegige 1/0/2
[PE1-Twenty-FiveGigE1/0/2] port link-type trunk
[PE1-Twenty-FiveGigE1/0/2] port trunk permit vlan 100 200
# Set the TPID value in the SVLAN tags to 0x8200 on Twenty-FiveGigE 1/0/2.
[PE1-Twenty-FiveGigE1/0/2] qinq ethernet-type service-tag 8200
[PE1-Twenty-FiveGigE1/0/2] quit
# Configure Twenty-FiveGigE 1/0/3 as a trunk port, and assign it to VLAN 200.
[PE1] interface twenty-fivegige 1/0/3
[PE1-Twenty-FiveGigE1/0/3] port link-type trunk
[PE1-Twenty-FiveGigE1/0/3] port trunk permit vlan 200
# Set the PVID of Twenty-FiveGigE 1/0/3 to VLAN 200.
[PE1-Twenty-FiveGigE1/0/3] port trunk pvid vlan 200
# Enable QinQ on Twenty-FiveGigE 1/0/3.
[PE1-Twenty-FiveGigE1/0/3] qinq enable

[PE1-Twenty-FiveGigE1/0/3] quit
2. Configure PE 2:
# Configure Twenty-FiveGigE 1/0/1 as a trunk port, and assign it to VLAN 200.
<PE2> system-view
[PE2] interface twenty-fivegige 1/0/1
[PE2-Twenty-FiveGigE1/0/1] port link-type trunk
[PE2-Twenty-FiveGigE1/0/1] port trunk permit vlan 200
# Set the PVID of Twenty-FiveGigE 1/0/1 to VLAN 200.
[PE2-Twenty-FiveGigE1/0/1] port trunk pvid vlan 200
# Enable QinQ on Twenty-FiveGigE 1/0/1.
[PE2-Twenty-FiveGigE1/0/1] qinq enable
[PE2-Twenty-FiveGigE1/0/1] quit
# Configure Twenty-FiveGigE 1/0/2 as a trunk port, and assign it to VLANs 100 and 200.
[PE2] interface twenty-fivegige 1/0/2
[PE2-Twenty-FiveGigE1/0/2] port link-type trunk
[PE2-Twenty-FiveGigE1/0/2] port trunk permit vlan 100 200
# Set the TPID value in the SVLAN tags to 0x8200 on Twenty-FiveGigE 1/0/2.
[PE2-Twenty-FiveGigE1/0/2] qinq ethernet-type service-tag 8200
[PE2-Twenty-FiveGigE1/0/2] quit
# Configure Twenty-FiveGigE 1/0/3 as a trunk port, and assign it to VLAN 100.
[PE2] interface twenty-fivegige 1/0/3
[PE2-Twenty-FiveGigE1/0/3] port link-type trunk
[PE2-Twenty-FiveGigE1/0/3] port trunk permit vlan 100
# Set the PVID of Twenty-FiveGigE 1/0/3 to VLAN 100.
[PE2-Twenty-FiveGigE1/0/3] port trunk pvid vlan 100
# Enable QinQ on Twenty-FiveGigE 1/0/3.
[PE2-Twenty-FiveGigE1/0/3] qinq enable
[PE2-Twenty-FiveGigE1/0/3] quit
3. Configure the devices between PE 1 and PE 2:
# Set the MTU to a minimum of 1504 bytes for each port on the path of QinQ frames. (Details
not shown.)
# Configure all ports on the forwarding path to allow frames from VLANs 100 and 200 to pass
through without removing the VLAN tag. (Details not shown.)

Example: Configuring VLAN transparent transmission


Network configuration
As shown in Figure 4:
• The service provider assigns VLAN 100 to a company's VLANs 10 through 50.
• VLAN 3000 is the dedicated VLAN of the company on the service provider network.
Configure QinQ on PE 1 and PE 2 to provide Layer 2 connectivity for CVLANs 10 through 50 over the
service provider network.
Configure VLAN transparent transmission for VLAN 3000 on PE 1 and PE 2 to enable the hosts in
VLAN 3000 to communicate without using an SVLAN.

Figure 4 Network diagram

[Network diagram: CE 1 (Site 1) connects to WGE1/0/1 of PE 1, and CE 2 (Site 2) connects to WGE1/0/1 of PE 2. Both sites use VLANs 10 to 50 and VLAN 3000. WGE1/0/2 of each PE faces the service provider network, which carries VLANs 100 and 3000.]

Procedure
1. Configure PE 1:
# Configure Twenty-FiveGigE 1/0/1 as a trunk port, and assign it to VLAN 100 and VLAN 3000.
<PE1> system-view
[PE1] interface twenty-fivegige 1/0/1
[PE1-Twenty-FiveGigE1/0/1] port link-type trunk
[PE1-Twenty-FiveGigE1/0/1] port trunk permit vlan 100 3000
# Set the PVID of Twenty-FiveGigE 1/0/1 to VLAN 100.
[PE1-Twenty-FiveGigE1/0/1] port trunk pvid vlan 100
# Enable QinQ on Twenty-FiveGigE 1/0/1.
[PE1-Twenty-FiveGigE1/0/1] qinq enable
# Enable transparent transmission for VLAN 3000 on Twenty-FiveGigE 1/0/1.
[PE1-Twenty-FiveGigE1/0/1] qinq transparent-vlan 3000
[PE1-Twenty-FiveGigE1/0/1] quit
# Configure Twenty-FiveGigE 1/0/2 as a trunk port, and assign it to VLANs 100 and 3000.
[PE1] interface twenty-fivegige 1/0/2
[PE1-Twenty-FiveGigE1/0/2] port link-type trunk
[PE1-Twenty-FiveGigE1/0/2] port trunk permit vlan 100 3000
[PE1-Twenty-FiveGigE1/0/2] quit
2. Configure PE 2:
# Configure Twenty-FiveGigE 1/0/1 as a trunk port, and assign it to VLAN 100 and VLAN 3000.
<PE2> system-view
[PE2] interface twenty-fivegige 1/0/1
[PE2-Twenty-FiveGigE1/0/1] port link-type trunk
[PE2-Twenty-FiveGigE1/0/1] port trunk permit vlan 100 3000
# Set the PVID of Twenty-FiveGigE 1/0/1 to VLAN 100.
[PE2-Twenty-FiveGigE1/0/1] port trunk pvid vlan 100
# Enable QinQ on Twenty-FiveGigE 1/0/1.
[PE2-Twenty-FiveGigE1/0/1] qinq enable
# Enable transparent transmission for VLAN 3000 on Twenty-FiveGigE 1/0/1.
[PE2-Twenty-FiveGigE1/0/1] qinq transparent-vlan 3000
[PE2-Twenty-FiveGigE1/0/1] quit

# Configure Twenty-FiveGigE 1/0/2 as a trunk port, and assign it to VLANs 100 and 3000.
[PE2] interface twenty-fivegige 1/0/2
[PE2-Twenty-FiveGigE1/0/2] port link-type trunk
[PE2-Twenty-FiveGigE1/0/2] port trunk permit vlan 100 3000
3. Configure the devices between PE 1 and PE 2:
# Set the MTU to a minimum of 1504 bytes for each port on the path of QinQ frames. (Details
not shown.)
# Configure all ports on the forwarding path to allow frames from VLANs 100 and 3000 to pass
through without removing the VLAN tag. (Details not shown.)

Contents
Configuring VLAN mapping
About VLAN mapping
VLAN mapping types
VLAN mapping application scenarios
VLAN mapping implementations
Restrictions and guidelines: VLAN mapping configuration
VLAN mapping tasks at a glance
Prerequisites
Configuring one-to-one VLAN mapping
Configuring many-to-one VLAN mapping
About many-to-one VLAN mapping
Configuring many-to-one VLAN mapping in dynamic IP address assignment environment
Configuring many-to-one VLAN mapping in static IP address assignment environment
Configuring one-to-two VLAN mapping
Configuring two-to-one VLAN mapping
Configuring two-to-two VLAN mapping
Display and maintenance commands for VLAN mapping
VLAN mapping configuration examples
Example: Configuring one-to-one and many-to-one VLAN mapping
Example: Configuring one-to-two and two-to-two VLAN mapping

Configuring VLAN mapping
About VLAN mapping
VLAN mapping re-marks VLAN traffic with new VLAN IDs.

VLAN mapping types


H3C provides the following types of VLAN mapping:
• One-to-one VLAN mapping—Replaces one VLAN tag with another.
• Many-to-one VLAN mapping—Replaces multiple VLAN tags with the same VLAN tag.
• One-to-two VLAN mapping—Tags single-tagged packets with an outer VLAN tag.
• Two-to-one VLAN mapping—Removes VLAN tags from double-tagged packets and adds a
new VLAN tag to them.
• Two-to-two VLAN mapping—Replaces the outer and inner VLAN IDs of double tagged traffic
with a new pair of VLAN IDs.

VLAN mapping application scenarios


One-to-one and many-to-one VLAN mapping
One-to-one and many-to-one VLAN mapping are typically used by a community for broadband
Internet access, as shown in Figure 1.

Figure 1 Application scenario of one-to-one and many-to-one VLAN mapping
[Network diagram: DHCP clients behind home gateways reach a DHCP server across wiring-closet switches, a campus switch, and the distribution network. Each home gateway carries PC traffic in VLAN 1, VoD traffic in VLAN 2, and VoIP traffic in VLAN 3.
One-to-one mappings on the wiring-closet switches:
• VLAN 1 -> VLAN 101, VLAN 2 -> VLAN 201, VLAN 3 -> VLAN 301
• VLAN 1 -> VLAN 102, VLAN 2 -> VLAN 202, VLAN 3 -> VLAN 302
• ...
• VLAN 1 -> VLAN 199, VLAN 2 -> VLAN 299, VLAN 3 -> VLAN 399
• VLAN 1 -> VLAN 200, VLAN 2 -> VLAN 300, VLAN 3 -> VLAN 400
Many-to-one mappings on the campus switch:
• VLANs 101 and 102 -> VLAN 501, VLANs 201 and 202 -> VLAN 502, VLANs 301 and 302 -> VLAN 503
• ...
• VLANs 199 and 200 -> VLAN 501, VLANs 299 and 300 -> VLAN 502, VLANs 399 and 400 -> VLAN 503]

As shown in Figure 1, the network is implemented as follows:


• Each home gateway uses different VLANs to transmit the PC, VoD, and VoIP services.
• To further subclassify each type of traffic by customer, configure one-to-one VLAN mapping on
the wiring-closet switches. This feature assigns a separate VLAN to each type of traffic from
each customer. The required total number of VLANs in the network can be very large.
• To prevent the maximum number of VLANs from being exceeded on the distribution layer
device, configure many-to-one VLAN mapping on the campus switch. This feature assigns the
same VLAN to the same type of traffic from different customers.
One-to-two and two-to-two VLAN mapping
One-to-two and two-to-two VLAN mapping are typically used to implement communication across
different SP networks, as shown in Figure 2.

Figure 2 Application scenario of one-to-two and two-to-two VLAN mapping

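[Network diagram: CE 1 (VPN A, Site 1) connects through PE 1 and PE 2 in SP 1, then through PE 3 and PE 4 in SP 2, to CE 2 (VPN A, Site 2). Mapping labels along the path, left to right: one-to-two VLAN mapping, two-to-two VLAN mapping, one-to-two VLAN mapping. The frame is "VLAN 2, Data" at Site 1, "VLAN 10, VLAN 2, Data" in SP 1, "VLAN 20, VLAN 3, Data" in SP 2, and "VLAN 3, Data" at Site 2.]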

As shown in Figure 2, Site 1 and Site 2 of VPN A are in VLAN 2 and VLAN 3, respectively. The SP 1
network assigns SVLAN 10 to Site 1. The SP 2 network assigns SVLAN 20 to Site 2. When the
packet from Site 1 arrives at PE 1, PE 1 tags the packet with SVLAN 10 by using one-to-two VLAN
mapping.
When the double-tagged packet from the SP 1 network arrives at the SP 2 network interface, PE 3
processes the packet as follows:
• Replaces SVLAN tag 10 with SVLAN tag 20.
• Replaces CVLAN tag 2 with CVLAN tag 3.
One-to-two VLAN mapping provides the following benefits:
• Enables a customer network to plan its CVLAN assignment without conflicting with SVLANs.
• Adds a VLAN tag to a tagged packet and expands the number of available VLANs to 4094 ×
4094.
• Reduces the stress on the SVLAN resources, which were 4094 VLANs in the SP network
before the mapping process was initiated.
Two-to-one VLAN mapping
As shown in Figure 3, configure VLANs and VLAN mappings to isolate traffic of different services and
ensure the communication between the user network and the service provider network:
• On Device A, assign different types of service traffic to different VLANs.
• On Device B, configure one-to-one VLAN mappings and one-to-two VLAN mappings for uplink
traffic.
• On Device B, configure two-to-one VLAN mappings for the downlink traffic. After receiving
double-tagged reply packets, Device B removes their double VLAN tags and adds the original
VLAN tags to them.

Figure 3 Application scenario of two-to-one VLAN mapping

[Network diagram: A PC in VLAN 2 and a VoD device in VLAN 3 connect through Device A and Device B to the SP network.
Uplink traffic: VLAN 2 -> VLAN 20 and VLAN 3 -> VLAN 30, then VLAN 20 -> VLAN 20 with VLAN 200 and VLAN 30 -> VLAN 30 with VLAN 300.
Downlink traffic: VLAN 2 <- VLAN 20 with VLAN 200 and VLAN 3 <- VLAN 30 with VLAN 300.]

VLAN mapping implementations


Figure 4 shows a simplified network that illustrates basic VLAN mapping terms.
Basic VLAN mapping terms include the following:
• Uplink traffic—Traffic transmitted from the customer network to the service provider network.
• Downlink traffic—Traffic transmitted from the service provider network to the customer
network.
• Network-side port—A port connected to or closer to the service provider network.
• Customer-side port—A port connected to or closer to the customer network.
Figure 4 Basic VLAN mapping terms

[Diagram: A simplified path into the SP network, with legend entries for network-side port, customer-side port, uplink traffic, and downlink traffic.]

One-to-one VLAN mapping


As shown in Figure 5, one-to-one VLAN mapping is implemented on the customer-side port and
replaces VLAN tags as follows:
• Replaces the CVLAN with the SVLAN for the uplink traffic.
• Replaces the SVLAN with the CVLAN for the downlink traffic.

Figure 5 One-to-one VLAN mapping implementation

[Diagram: On the customer-side port, one-to-one VLAN mapping turns "CVLAN, Data" from the customer network into "SVLAN, Data" toward the SP network for uplink traffic, and "SVLAN, Data" back into "CVLAN, Data" for downlink traffic.]

Many-to-one VLAN mapping


As shown in Figure 6, many-to-one VLAN mapping is implemented on both the customer-side and
network-side ports as follows:
• For the uplink traffic, the customer-side many-to-one VLAN mapping replaces multiple CVLANs
with the same SVLAN.
• For the downlink traffic, the network-side many-to-one VLAN mapping replaces the SVLAN with
the CVLAN found in the DHCP snooping table or ARP snooping table. For more information
about DHCP snooping and ARP snooping, see Layer 3—IP Services Configuration Guide.
Figure 6 Many-to-one VLAN mapping implementation

[Diagram: For uplink traffic, the customer-side many-to-one VLAN mapping turns frames tagged CVLAN 1 through CVLAN n into frames tagged with the same SVLAN. For downlink traffic, the network-side many-to-one VLAN mapping performs an ARP snooping or DHCP snooping table lookup and turns "SVLAN, Data" into "CVLAN, Data" toward the customer network.]

One-to-two VLAN mapping


As shown in Figure 7, one-to-two VLAN mapping is implemented on the customer-side port to add
the SVLAN tag for the uplink traffic.
For the downlink traffic to be correctly sent to the customer network, make sure the SVLAN tag is
removed on the customer-side port before transmission. Use one of the following methods to remove
the SVLAN tag from the downlink traffic:
• Configure the customer-side port as a hybrid port and assign the port to the SVLAN as an
untagged member.
• Configure the customer-side port as a trunk port and set the port PVID to the SVLAN.

Figure 7 One-to-two VLAN mapping implementation

[Diagram: On the customer-side port, one-to-two VLAN mapping turns "CVLAN, Data" from the customer network into "SVLAN, CVLAN, Data" toward the SP network for uplink traffic. For downlink traffic, the SVLAN tag is removed so that "SVLAN, CVLAN, Data" reaches the customer network as "CVLAN, Data".]

Two-to-one VLAN mapping


As shown in Figure 8, configure two-to-one VLAN mapping on the customer-side port to remove
double VLAN tags from downstream packets and add the CVLAN tag to them.
Two-to-one VLAN mapping takes effect only on the outgoing downstream packets of the
customer-side port and does not affect the incoming packets of the port.
Figure 8 Two-to-one VLAN mapping implementation
[Figure: On the customer-side port between the user network and the SP network, two-to-one VLAN
mapping removes the tags from double-tagged downlink packets (SVLAN' + CVLAN' + Data) and adds the
CVLAN tag to the packets (CVLAN + Data) before sending them out.]

Two-to-two VLAN mapping


As shown in Figure 9, two-to-two VLAN mapping is implemented on the customer-side port and
replaces VLAN tags as follows:
• Replaces the CVLAN and the SVLAN with the CVLAN' and the SVLAN' for the uplink traffic.
• Replaces the SVLAN' and CVLAN' with the SVLAN and the CVLAN for the downlink traffic.

Figure 9 Two-to-two VLAN mapping implementation
[Figure: On the customer-side port between SP network 1 and SP network 2, two-to-two VLAN mapping
converts between SVLAN + CVLAN + Data and SVLAN' + CVLAN' + Data for uplink and downlink traffic.]

Restrictions and guidelines: VLAN mapping configuration
To add VLAN tags to packets, you can configure both VLAN mapping and QinQ. VLAN mapping
takes effect if a configuration conflict occurs. For more information about QinQ, see "Configuring
QinQ."
To add or replace VLAN tags for packets, you can configure both VLAN mapping and a QoS policy.
The QoS policy takes effect if a configuration conflict occurs. For information about QoS policies, see
ACL and QoS Configuration Guide.
Do not configure VLAN mapping and Ethernet service instance-to-VSI binding on the same Layer 2
Ethernet interface or Layer 2 aggregate interface. Otherwise, these features might not take effect.

VLAN mapping tasks at a glance


Use the appropriate VLAN mapping methods for the devices in the network.
To configure VLAN mapping, perform the following tasks:
• Configuring one-to-one VLAN mapping
Configure one-to-one VLAN mapping on the wiring-closet switch, as shown in Figure 1.
• Configuring many-to-one VLAN mapping
Configure many-to-one VLAN mapping on the campus switch, as shown in Figure 1.
◦ Configuring many-to-one VLAN mapping in dynamic IP address assignment environment
◦ Configuring many-to-one VLAN mapping in static IP address assignment environment
• Configuring one-to-two VLAN mapping
Configure one-to-two VLAN mapping on PE 1 and PE 4, as shown in Figure 2, through which
traffic from customer networks enters the service provider networks.
• Configuring two-to-one VLAN mapping
Configure two-to-one VLAN mapping on the customer-side port of Device B, as shown in Figure
3.
• Configuring two-to-two VLAN mapping
Configure two-to-two VLAN mapping on PE 3, as shown in Figure 2, which is an edge device of
the SP 2 network.

Prerequisites
Before you configure VLAN mapping, create original and translated VLANs.

Configuring one-to-one VLAN mapping


About this task
Configure one-to-one VLAN mapping on the customer-side ports of wiring-closet switches (see
Figure 1) to isolate traffic of the same service type from different homes.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
◦ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the link type of the port.
port link-type { hybrid | trunk }
By default, the link type of a port is access.
4. Assign the port to the original VLAN and the translated VLAN.
◦ Assign the trunk port to the original VLAN and the translated VLAN.
port trunk permit vlan vlan-id-list
By default, a trunk port is assigned to VLAN 1.
◦ Assign the hybrid port to the original VLAN and the translated VLAN as a tagged member.
port hybrid vlan vlan-id-list tagged
By default, a hybrid port is an untagged member of the VLAN to which the port belongs
when its link type is access.
5. Configure a one-to-one VLAN mapping.
vlan mapping vlan-id translated-vlan vlan-id
By default, no VLAN mapping is configured on an interface.

Configuring many-to-one VLAN mapping


About many-to-one VLAN mapping
Configure many-to-one VLAN mapping on campus switches (see Figure 1) to transmit the same type
of traffic from different users in one VLAN.

Configuring many-to-one VLAN mapping in dynamic IP
address assignment environment
About this task
In a network that uses dynamic address assignment, configure many-to-one VLAN mapping with
DHCP snooping.
The switch replaces the SVLAN tag of the downlink traffic with the associated CVLAN tag based on
the DHCP snooping entry lookup.
Restrictions and guidelines for many-to-one VLAN mapping in dynamic IP address
assignment environment
To ensure correct traffic forwarding from the service provider network to the customer network, do
not configure many-to-one VLAN mapping together with uRPF. For more information about uRPF,
see Security Configuration Guide.
To modify many-to-one VLAN mappings, first use the reset dhcp snooping binding
command to clear the DHCP snooping entries.
Many-to-one VLAN mapping in dynamic IP address assignment environment tasks at a
glance
To configure many-to-one VLAN mapping in dynamic IP address assignment environment, perform
the following tasks:
1. Enabling DHCP snooping
2. Enabling ARP detection
3. Configuring the customer-side port
4. Configuring the network-side port
Enabling DHCP snooping
1. Enter system view.
system-view
2. Enable DHCP snooping.
dhcp snooping enable
By default, DHCP snooping is disabled.
Enabling ARP detection
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Enable ARP detection.
arp detection enable
By default, ARP detection is disabled.
You must enable ARP detection for the original VLANs and the translated VLANs.
Configuring the customer-side port
1. Enter system view.
system-view
2. Enter interface view.
◦ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the link type of the port.
port link-type { hybrid | trunk }
By default, the link type of a port is access.
4. Assign the port to the original VLANs and the translated VLAN.
◦ Assign the trunk port to the original VLANs and the translated VLAN.
port trunk permit vlan vlan-id-list
By default, a trunk port is assigned to VLAN 1.
◦ Assign the hybrid port to the original VLANs and the translated VLAN as a tagged member.
port hybrid vlan vlan-id-list tagged
By default, a hybrid port is an untagged member of the VLAN to which the port belongs
when its link type is access.
5. Configure a many-to-one VLAN mapping.
vlan mapping uni { range vlan-range-list | single vlan-id-list }
translated-vlan vlan-id
By default, no VLAN mapping is configured on an interface.
6. Enable DHCP snooping entry recording.
dhcp snooping binding record
By default, DHCP snooping entry recording is disabled on an interface.
Configuring the network-side port
1. Enter system view.
system-view
2. Enter interface view.
◦ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the link type of the port.
port link-type { hybrid | trunk }
By default, the link type of a port is access.
4. Assign the port to the translated VLAN.
◦ Assign the trunk port to the translated VLAN.
port trunk permit vlan vlan-id-list
By default, a trunk port is assigned to VLAN 1.
◦ Assign the hybrid port to the translated VLAN as a tagged member.
port hybrid vlan vlan-id-list tagged
By default, a hybrid port is an untagged member of the VLAN to which the port belongs
when its link type is access.
5. Configure the port as a DHCP snooping trusted port.
dhcp snooping trust
By default, all ports that support DHCP snooping are untrusted ports when DHCP snooping is
enabled.

6. Configure the port as an ARP trusted port.
arp detection trust
By default, all ports are ARP untrusted ports.
7. Configure the port to use the original VLAN tags of the many-to-one mapping to replace the
VLAN tags of the packets destined for the user network.
vlan mapping nni
By default, the port does not replace the VLAN tags of the packets destined for the user
network.
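The four tasks above depend on each other, so a saved configuration can be checked for a missing
piece. The following Python script is an added example, not part of the H3C guide: it audits a
configuration excerpt for the settings this procedure requires. The sample text is constructed, and
its layout (sections separated by # lines, indented commands) is an assumption about the export format.

```python
import re

# Constructed configuration excerpt (not output from a real device). It follows
# the many-to-one procedure above but leaves out two required settings.
SAMPLE_CONFIG = """\
dhcp snooping enable
#
vlan 101
 arp detection enable
#
vlan 102
#
vlan 501
 arp detection enable
#
interface Twenty-FiveGigE1/0/1
 port link-type trunk
 port trunk permit vlan 101 to 102 501
 vlan mapping uni range 101 to 102 translated-vlan 501
 dhcp snooping binding record
#
interface Twenty-FiveGigE1/0/3
 port link-type trunk
 port trunk permit vlan 501
 vlan mapping nni
 dhcp snooping trust
#
"""

UNI = re.compile(r"^vlan mapping uni (?:range|single) (.+) translated-vlan (\d+)$")


def parse_sections(text):
    """Return {section header: [commands]}; global commands are stored under ''."""
    sections = {"": []}
    current = ""
    for raw in text.splitlines():
        if not raw.strip() or raw.strip() == "#":
            current = ""
        elif raw.startswith(" "):
            sections[current].append(raw.strip())
        elif raw.startswith(("vlan ", "interface ")):
            current = raw.strip()
            sections.setdefault(current, [])
        else:
            sections[""].append(raw.strip())
    return sections


def expand_vlans(tokens):
    """Expand tokens such as ['101', 'to', '103', '201'] into a set of VLAN IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def audit_many_to_one(text):
    """List the settings required by the dynamic-address procedure that are absent."""
    sections = parse_sections(text)
    findings = []
    if "dhcp snooping enable" not in sections[""]:
        findings.append("global: dhcp snooping enable is missing")
    needed_vlans, has_nni = set(), False
    for header, cmds in sections.items():
        if not header.startswith("interface "):
            continue
        port = header.split(None, 1)[1]
        mappings = [m for m in map(UNI.match, cmds) if m]
        for m in mappings:  # original VLANs and the translated VLAN
            needed_vlans |= expand_vlans(m.group(1).split())
            needed_vlans.add(int(m.group(2)))
        if mappings and "dhcp snooping binding record" not in cmds:
            findings.append(f"{port}: customer-side port lacks dhcp snooping binding record")
        if "vlan mapping nni" in cmds:
            has_nni = True
            for required in ("dhcp snooping trust", "arp detection trust"):
                if required not in cmds:
                    findings.append(f"{port}: network-side port lacks {required}")
    if needed_vlans and not has_nni:
        findings.append("no port is configured with vlan mapping nni")
    for vlan in sorted(needed_vlans):
        if "arp detection enable" not in sections.get(f"vlan {vlan}", []):
            findings.append(f"vlan {vlan}: arp detection enable is missing")
    return findings


if __name__ == "__main__":
    for finding in audit_many_to_one(SAMPLE_CONFIG):
        print(finding)
```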

Configuring many-to-one VLAN mapping in static IP address assignment environment
About this task
In a network that uses static IP addresses, configure many-to-one VLAN mapping with ARP
snooping.
The switch replaces the SVLAN tag of the downlink traffic with the associated CVLAN tag based on
the ARP snooping entry lookup.
Restrictions and guidelines for many-to-one VLAN mapping in static IP address assignment
environment
When you configure many-to-one VLAN mapping in a network that uses static address assignment,
follow these restrictions and guidelines:
• Make sure hosts in different CVLANs do not use the same IP address.
• When an IP address is no longer associated with the MAC address and VLAN in an ARP
snooping entry, wait for this entry to be aged out. You can also use the reset arp snooping
ip ip-address command to clear the entry.
• Before you modify many-to-one VLAN mapping, use the reset arp snooping vlan
vlan-id command to clear the ARP snooping entries in each CVLAN.
• To ensure correct traffic forwarding from the service provider network to the customer network,
do not configure many-to-one VLAN mapping together with uRPF. For more information about
uRPF, see Security Configuration Guide.
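The restrictions above follow from the downlink lookup: the CVLAN can be restored only when exactly
one snooping entry matches the destination. The Python model below is an added example, not H3C's
implementation. The (SVLAN, destination IP) lookup key, the treatment of ambiguous matches, and the
sample entries are assumptions; the mappings are those of Switch C in the configuration example.

```python
from collections import defaultdict

# "vlan mapping uni" settings of Switch C in this guide's example:
# customer-side port -> {CVLAN: SVLAN}
UNI = {
    "WGE1/0/1": {101: 501, 102: 501, 201: 502, 202: 502, 301: 503, 302: 503},
    "WGE1/0/2": {103: 501, 104: 501, 203: 502, 204: 502, 303: 503, 304: 503},
}

# Constructed snooping entries: (IP, MAC, CVLAN, customer-side port).
ENTRIES = [
    ("192.0.2.11", "0000-5e00-5301", 101, "WGE1/0/1"),
    ("192.0.2.12", "0000-5e00-5302", 102, "WGE1/0/1"),
    ("192.0.2.13", "0000-5e00-5303", 103, "WGE1/0/2"),
    ("192.0.2.12", "0000-5e00-5304", 104, "WGE1/0/2"),  # same IP as the host in CVLAN 102
]


def uplink(port, cvlan):
    """Customer-side port: replace the CVLAN with the SVLAN of its mapping."""
    return UNI[port][cvlan]


def build_table(entries):
    """Index entries by (SVLAN, IP), the lookup key assumed by this model."""
    table = defaultdict(list)
    for ip, mac, cvlan, port in entries:
        svlan = UNI.get(port, {}).get(cvlan)
        if svlan is not None:  # entries outside any mapping cannot be used
            table[(svlan, ip)].append((cvlan, port, mac))
    return table


def downlink(table, svlan, dst_ip):
    """Network-side port: restore the CVLAN for a packet that arrives in the SVLAN."""
    matches = table.get((svlan, dst_ip), [])
    if not matches:
        return ("no-entry", None)  # nothing learned, so no CVLAN to restore
    if len({(c, p) for c, p, _ in matches}) > 1:
        return ("ambiguous", sorted(c for c, _, _ in matches))
    cvlan, port, _ = matches[0]
    return ("ok", (cvlan, port))


def duplicate_ips(table):
    """IP addresses that appear in more than one CVLAN behind the same SVLAN."""
    return sorted(
        (ip, svlan, sorted(c for c, _, _ in m))
        for (svlan, ip), m in table.items()
        if len({c for c, _, _ in m}) > 1
    )


if __name__ == "__main__":
    table = build_table(ENTRIES)
    for ip in ("192.0.2.11", "192.0.2.12", "192.0.2.99"):
        print(ip, downlink(table, 501, ip))
    print("duplicates:", duplicate_ips(table))
```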
Many-to-one VLAN mapping in static IP address assignment environment tasks at a glance
To configure many-to-one VLAN mapping in static IP address assignment environment, perform the
following tasks:
1. Enabling ARP snooping
2. Configuring the customer-side port
3. Configuring the network-side port
Enabling ARP snooping
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Enable ARP snooping.
arp snooping enable
By default, ARP snooping is disabled.
You must enable ARP snooping for the original VLANs and the translated VLANs.

Configuring the customer-side port
1. Enter system view.
system-view
2. Enter interface view.
◦ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the link type of the port.
port link-type { hybrid | trunk }
By default, the link type of a port is access.
4. Assign the port to the original VLANs and the translated VLAN.
◦ Assign the trunk port to the original VLANs and the translated VLAN.
port trunk permit vlan vlan-id-list
By default, a trunk port is assigned to VLAN 1.
◦ Assign the hybrid port to the original VLANs and the translated VLAN as a tagged member.
port hybrid vlan vlan-id-list tagged
By default, a hybrid port is an untagged member of the VLAN to which the port belongs
when its link type is access.
5. Configure a many-to-one VLAN mapping.
vlan mapping uni { range vlan-range-list | single vlan-id-list }
translated-vlan vlan-id
By default, no VLAN mapping is configured on an interface.
Configuring the network-side port
1. Enter system view.
system-view
2. Enter interface view.
◦ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the link type of the port.
port link-type { hybrid | trunk }
By default, the link type of a port is access.
4. Assign the port to the translated VLAN.
◦ Assign the trunk port to the translated VLAN.
port trunk permit vlan vlan-id-list
By default, a trunk port is assigned to VLAN 1.
◦ Assign the hybrid port to the translated VLAN as a tagged member.
port hybrid vlan vlan-id-list tagged
By default, a hybrid port is an untagged member of the VLAN to which the port belongs
when its link type is access.
5. Configure the port to use the original VLAN tags of the many-to-one mapping to replace the
VLAN tags of the packets destined for the user network.
vlan mapping nni
By default, the port does not replace the VLAN tags of the packets destined for the user
network.

Configuring one-to-two VLAN mapping


About this task
Configure one-to-two VLAN mapping on the customer-side ports of edge devices from which
customer traffic enters SP networks, for example, on PEs 1 and 4 in Figure 2. One-to-two VLAN
mapping enables the edge devices to add an SVLAN tag to each incoming packet.
Restrictions and guidelines
Only one SVLAN tag can be added to packets from the same CVLAN. To add different SVLAN tags
to different CVLAN packets on a port, set the port link type to hybrid and configure multiple
one-to-two VLAN mappings.
The MTU of an interface is 1500 bytes by default. After a VLAN tag is added to a packet, the packet
length increases by 4 bytes. As a best practice, set the MTU to a minimum of 1504 bytes for ports on
the forwarding path of the packet in the service provider network.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
◦ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the link type of the port.
port link-type { hybrid | trunk }
By default, the link type of a port is access.
4. Configure the port to allow packets from the SVLAN to pass through untagged.
◦ Configure the SVLAN as the PVID of the trunk port and assign the trunk port to the SVLAN.
port trunk pvid vlan vlan-id
port trunk permit vlan { vlan-id-list | all }
◦ Assign the hybrid port to the SVLAN as an untagged member.
port hybrid vlan vlan-id-list untagged
5. Configure a one-to-two VLAN mapping.
vlan mapping nest { range vlan-range-list | single vlan-id-list }
nested-vlan vlan-id
By default, no VLAN mapping is configured on an interface.

Configuring two-to-one VLAN mapping


About this task
Configure two-to-one VLAN mapping on the customer-side port of Device B, as shown in Figure 3.
Device B will remove VLAN tags from double-tagged packets and add the CVLAN tag to them. When
the packets arrive at Device A, Device A removes the CVLAN tag.

Restrictions and guidelines
On an interface, the original CVLAN and SVLAN of a two-to-one VLAN mapping cannot be the same
as the translated CVLAN and SVLAN of a two-to-two VLAN mapping.
You cannot specify multiple translated VLANs for the same original CVLAN and SVLAN on an
interface. To modify an existing two-to-one VLAN mapping on an interface, you must execute the
undo vlan mapping egress command to remove it first and then configure a new mapping.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
◦ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the port link type to hybrid or trunk.
port link-type { hybrid | trunk }
By default, the link type of a port is access.
4. Assign the port to the translated VLAN.
◦ Assign the trunk port to the translated VLAN.
port trunk permit vlan vlan-id-list
By default, a trunk port is assigned to VLAN 1.
◦ Assign the hybrid port to the translated VLAN.
port hybrid vlan vlan-id-list tagged
By default, a hybrid port is an untagged member of the VLAN to which the port belongs
when its link type is access.
5. Configure a two-to-one VLAN mapping.
vlan mapping egress outer-vlan outer-vlan-id inner-vlan
inner-vlan-id translated-vlan vlan-id
By default, no VLAN mapping is configured on an interface.

Configuring two-to-two VLAN mapping


About this task
Configure two-to-two VLAN mapping on the customer-side port of an edge device that connects two
SP networks, for example, on PE 3 in Figure 2. Two-to-two VLAN mapping enables two sites in
different VLANs to communicate at Layer 2 across two service provider networks that use different
VLAN assignment schemes.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
◦ Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
◦ Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the link type of the port.
port link-type { hybrid | trunk }
By default, the link type of a port is access.
4. Assign the port to the original VLANs and the translated VLANs.
◦ Assign the trunk port to the original VLANs and the translated VLANs.
port trunk permit vlan vlan-id-list
By default, a trunk port is assigned to VLAN 1.
◦ Assign the hybrid port to the original VLANs and the translated VLANs as a tagged member.
port hybrid vlan vlan-id-list tagged
By default, a hybrid port is an untagged member of the VLAN to which the port belongs
when its link type is access.
5. Configure a two-to-two VLAN mapping.
vlan mapping tunnel outer-vlan-id inner-vlan-id translated-vlan
outer-vlan-id inner-vlan-id
By default, no VLAN mapping is configured on an interface.

Display and maintenance commands for VLAN mapping
Execute display commands in any view.

Task                                 Command
Display VLAN mapping information.    display vlan mapping [ interface interface-type interface-number ]

VLAN mapping configuration examples


Example: Configuring one-to-one and many-to-one VLAN
mapping
Network configuration
As shown in Figure 10:
• Each household subscribes to PC, VoD, and VoIP services, and obtains the IP address through
DHCP.
• On the home gateways, VLANs 1, 2, and 3 are assigned to PC, VoD, and VoIP traffic,
respectively.
To isolate traffic of the same service type from different households, configure one-to-one VLAN
mappings on the wiring-closet switches. This feature assigns one VLAN to each type of traffic from
each household.
To save VLAN resources, configure many-to-one VLAN mappings on the campus switch (Switch C).
This feature transmits the same type of traffic from different households in one VLAN. Use VLANs
501, 502, and 503 for PC, VoD, and VoIP traffic, respectively.

Table 1 VLAN mappings for each service

Service   VLANs on home gateways   VLANs on wiring-closet switches (Switch A and Switch B)   VLANs on campus switch (Switch C)
PC        VLAN 1                   VLANs 101, 102, 103, 104                                  VLAN 501
VoD       VLAN 2                   VLANs 201, 202, 203, 204                                  VLAN 502
VoIP      VLAN 3                   VLANs 301, 302, 303, 304                                  VLAN 503

Figure 10 Network diagram
[Network diagram: Each home gateway (DHCP client) carries PC, VoD, and VoIP traffic in VLANs 1, 2,
and 3. Wiring-closet Switch A maps VLANs 1, 2, and 3 to VLANs 101, 201, and 301 on WGE1/0/1 and to
VLANs 102, 202, and 302 on WGE1/0/2. Wiring-closet Switch B maps them to VLANs 103, 203, and 303 on
WGE1/0/1 and to VLANs 104, 204, and 304 on WGE1/0/2. Campus switch Switch C maps VLANs 101 to 102,
201 to 202, and 301 to 302 to VLANs 501, 502, and 503 on WGE1/0/1, and VLANs 103 to 104, 203 to 204,
and 303 to 304 to VLANs 501, 502, and 503 on WGE1/0/2. WGE1/0/3 of Switch C connects to WGE1/0/1 of
Switch D. The diagram also shows the DHCP server and the distribution network.]

Procedure
1. Configure Switch A:
# Create the original VLANs.
<SwitchA> system-view
[SwitchA] vlan 2 to 3

# Create the translated VLANs.
[SwitchA] vlan 101 to 102
[SwitchA] vlan 201 to 202
[SwitchA] vlan 301 to 302
# Configure customer-side port Twenty-FiveGigE 1/0/1 as a trunk port.
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] port link-type trunk
# Assign Twenty-FiveGigE 1/0/1 to all original VLANs and translated VLANs.
[SwitchA-Twenty-FiveGigE1/0/1] port trunk permit vlan 1 2 3 101 201 301
# Configure one-to-one VLAN mappings on Twenty-FiveGigE 1/0/1 to map VLANs 1, 2, and 3
to VLANs 101, 201, and 301, respectively.
[SwitchA-Twenty-FiveGigE1/0/1] vlan mapping 1 translated-vlan 101
[SwitchA-Twenty-FiveGigE1/0/1] vlan mapping 2 translated-vlan 201
[SwitchA-Twenty-FiveGigE1/0/1] vlan mapping 3 translated-vlan 301
[SwitchA-Twenty-FiveGigE1/0/1] quit
# Configure customer-side port Twenty-FiveGigE 1/0/2 as a trunk port.
[SwitchA] interface twenty-fivegige 1/0/2
[SwitchA-Twenty-FiveGigE1/0/2] port link-type trunk
# Assign Twenty-FiveGigE 1/0/2 to all original VLANs and translated VLANs.
[SwitchA-Twenty-FiveGigE1/0/2] port trunk permit vlan 1 2 3 102 202 302
# Configure one-to-one VLAN mappings on Twenty-FiveGigE 1/0/2 to map VLANs 1, 2, and 3
to VLANs 102, 202, and 302, respectively.
[SwitchA-Twenty-FiveGigE1/0/2] vlan mapping 1 translated-vlan 102
[SwitchA-Twenty-FiveGigE1/0/2] vlan mapping 2 translated-vlan 202
[SwitchA-Twenty-FiveGigE1/0/2] vlan mapping 3 translated-vlan 302
[SwitchA-Twenty-FiveGigE1/0/2] quit
# Configure the network-side port (Twenty-FiveGigE 1/0/3) as a trunk port.
[SwitchA] interface twenty-fivegige 1/0/3
[SwitchA-Twenty-FiveGigE1/0/3] port link-type trunk
# Assign Twenty-FiveGigE 1/0/3 to the translated VLANs.
[SwitchA-Twenty-FiveGigE1/0/3] port trunk permit vlan 101 201 301 102 202 302
[SwitchA-Twenty-FiveGigE1/0/3] quit
2. Configure Switch B in the same way Switch A is configured. (Details not shown.)
3. Configure Switch C:
# Enable DHCP snooping.
<SwitchC> system-view
[SwitchC] dhcp snooping enable
# Create the original VLANs and translated VLANs, and enable ARP detection for these
VLANs.
[SwitchC] vlan 101
[SwitchC-vlan101] arp detection enable
[SwitchC-vlan101] vlan 201
[SwitchC-vlan201] arp detection enable
[SwitchC-vlan201] vlan 301
[SwitchC-vlan301] arp detection enable
[SwitchC-vlan301] vlan 102
[SwitchC-vlan102] arp detection enable

[SwitchC-vlan102] vlan 202
[SwitchC-vlan202] arp detection enable
[SwitchC-vlan202] vlan 302
[SwitchC-vlan302] arp detection enable
[SwitchC-vlan302] vlan 103
[SwitchC-vlan103] arp detection enable
[SwitchC-vlan103] vlan 203
[SwitchC-vlan203] arp detection enable
[SwitchC-vlan203] vlan 303
[SwitchC-vlan303] arp detection enable
[SwitchC-vlan303] vlan 104
[SwitchC-vlan104] arp detection enable
[SwitchC-vlan104] vlan 204
[SwitchC-vlan204] arp detection enable
[SwitchC-vlan204] vlan 304
[SwitchC-vlan304] arp detection enable
[SwitchC-vlan304] vlan 501
[SwitchC-vlan501] arp detection enable
[SwitchC-vlan501] vlan 502
[SwitchC-vlan502] arp detection enable
[SwitchC-vlan502] vlan 503
[SwitchC-vlan503] arp detection enable
[SwitchC-vlan503] quit
# Configure customer-side port Twenty-FiveGigE 1/0/1 as a trunk port.
[SwitchC] interface twenty-fivegige 1/0/1
[SwitchC-Twenty-FiveGigE1/0/1] port link-type trunk
# Assign Twenty-FiveGigE 1/0/1 to all original VLANs and translated VLANs.
[SwitchC-Twenty-FiveGigE1/0/1] port trunk permit vlan 101 102 201 202 301 302 501 to 503
# Configure many-to-one VLAN mappings on Twenty-FiveGigE 1/0/1 to map VLANs for PC,
VoD, and VoIP traffic to VLANs 501, 502, and 503, respectively.
[SwitchC-Twenty-FiveGigE1/0/1] vlan mapping uni range 101 to 102 translated-vlan 501
[SwitchC-Twenty-FiveGigE1/0/1] vlan mapping uni range 201 to 202 translated-vlan 502
[SwitchC-Twenty-FiveGigE1/0/1] vlan mapping uni range 301 to 302 translated-vlan 503
# Enable DHCP snooping entry recording on Twenty-FiveGigE 1/0/1.
[SwitchC-Twenty-FiveGigE1/0/1] dhcp snooping binding record
[SwitchC-Twenty-FiveGigE1/0/1] quit
# Configure customer-side port Twenty-FiveGigE 1/0/2 as a trunk port.
[SwitchC] interface twenty-fivegige 1/0/2
[SwitchC-Twenty-FiveGigE1/0/2] port link-type trunk
# Assign Twenty-FiveGigE 1/0/2 to all original VLANs and translated VLANs.
[SwitchC-Twenty-FiveGigE1/0/2] port trunk permit vlan 103 104 203 204 303 304 501 to 503
# Configure many-to-one VLAN mappings on Twenty-FiveGigE 1/0/2 to map VLANs for PC,
VoD, and VoIP traffic to VLANs 501, 502, and 503, respectively.
[SwitchC-Twenty-FiveGigE1/0/2] vlan mapping uni range 103 to 104 translated-vlan 501
[SwitchC-Twenty-FiveGigE1/0/2] vlan mapping uni range 203 to 204 translated-vlan 502
[SwitchC-Twenty-FiveGigE1/0/2] vlan mapping uni range 303 to 304 translated-vlan 503

# Enable recording of client information in DHCP snooping entries on Twenty-FiveGigE 1/0/2.
[SwitchC-Twenty-FiveGigE1/0/2] dhcp snooping binding record
[SwitchC-Twenty-FiveGigE1/0/2] quit
# Configure the network-side port (Twenty-FiveGigE 1/0/3) to use the original VLAN tags of the
many-to-one mappings to replace the VLAN tags of the packets destined for the user network.
[SwitchC] interface twenty-fivegige 1/0/3
[SwitchC-Twenty-FiveGigE1/0/3] vlan mapping nni
# Configure Twenty-FiveGigE 1/0/3 as a trunk port.
[SwitchC-Twenty-FiveGigE1/0/3] port link-type trunk
# Assign Twenty-FiveGigE 1/0/3 to the translated VLANs.
[SwitchC-Twenty-FiveGigE1/0/3] port trunk permit vlan 501 to 503
# Configure Twenty-FiveGigE 1/0/3 as a DHCP snooping trusted and ARP trusted port.
[SwitchC-Twenty-FiveGigE1/0/3] dhcp snooping trust
[SwitchC-Twenty-FiveGigE1/0/3] arp detection trust
[SwitchC-Twenty-FiveGigE1/0/3] quit
4. Configure Switch D:
# Create the translated VLANs.
<SwitchD> system-view
[SwitchD] vlan 501 to 503
# Configure Twenty-FiveGigE 1/0/1 as a trunk port.
[SwitchD] interface twenty-fivegige 1/0/1
[SwitchD-Twenty-FiveGigE1/0/1] port link-type trunk
# Assign Twenty-FiveGigE 1/0/1 to the translated VLANs.
[SwitchD-Twenty-FiveGigE1/0/1] port trunk permit vlan 501 to 503
[SwitchD-Twenty-FiveGigE1/0/1] quit

Verifying the configuration


# Verify VLAN mapping information on the wiring-closet switches, for example, Switch A.
[SwitchA] display vlan mapping
Interface Twenty-FiveGigE1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
1 N/A 101 N/A
2 N/A 201 N/A
3 N/A 301 N/A
Interface Twenty-FiveGigE1/0/2:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
1 N/A 102 N/A
2 N/A 202 N/A
3 N/A 302 N/A

# Verify VLAN mapping information on Switch C.


[SwitchC] display vlan mapping
Interface Twenty-FiveGigE1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
101-102 N/A 501 N/A
201-202 N/A 502 N/A
301-302 N/A 503 N/A
Interface Twenty-FiveGigE1/0/2:

Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
103-104 N/A 501 N/A
203-204 N/A 502 N/A
303-304 N/A 503 N/A

Example: Configuring one-to-two and two-to-two VLAN mapping
Network configuration
As shown in Figure 11:
• Two VPN A branches, Site 1 and Site 2, are in VLAN 5 and VLAN 6, respectively.
• The two sites use different VPN access services from different service providers, SP 1 and SP
2.
• SP 1 assigns VLAN 100 to Site 1 and Site 2. SP 2 assigns VLAN 200 to Site 1 and Site 2.
Configure one-to-two VLAN mappings and two-to-two VLAN mappings to enable the two branches
to communicate across networks SP 1 and SP 2.
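Figure 11 Network diagram
[Network diagram: CE 1 (VPN A Site 1, VLAN 5) connects to WGE1/0/1 of PE 1. In SP 1, WGE1/0/2 of PE 1
connects to WGE1/0/1 of PE 2, and frames carry VLAN 100 as the outer tag and VLAN 5 as the inner tag.
WGE1/0/2 of PE 2 connects to WGE1/0/1 of PE 3. In SP 2, WGE1/0/2 of PE 3 connects to WGE1/0/1 of PE 4,
and frames carry VLAN 200 as the outer tag and VLAN 6 as the inner tag. CE 2 (VPN A Site 2, VLAN 6)
connects to WGE1/0/2 of PE 4.]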

Procedure
1. Configure PE 1:
# Create VLANs 5 and 100.
<PE1> system-view
[PE1] vlan 5
[PE1-vlan5] quit
[PE1] vlan 100
[PE1-vlan100] quit
# Configure a one-to-two VLAN mapping on the customer-side port (Twenty-FiveGigE 1/0/1) to
add SVLAN tag 100 to packets from VLAN 5.
[PE1] interface twenty-fivegige 1/0/1
[PE1-Twenty-FiveGigE1/0/1] vlan mapping nest single 5 nested-vlan 100
# Configure Twenty-FiveGigE 1/0/1 as a hybrid port.
[PE1-Twenty-FiveGigE1/0/1] port link-type hybrid

# Assign Twenty-FiveGigE 1/0/1 to VLAN 100 as an untagged member.
[PE1-Twenty-FiveGigE1/0/1] port hybrid vlan 100 untagged
[PE1-Twenty-FiveGigE1/0/1] quit
# Configure the network-side port (Twenty-FiveGigE 1/0/2) as a trunk port.
[PE1] interface twenty-fivegige 1/0/2
[PE1-Twenty-FiveGigE1/0/2] port link-type trunk
# Assign Twenty-FiveGigE 1/0/2 to VLAN 100.
[PE1-Twenty-FiveGigE1/0/2] port trunk permit vlan 100
[PE1-Twenty-FiveGigE1/0/2] quit
2. Configure PE 2:
# Create VLAN 100.
<PE2> system-view
[PE2] vlan 100
[PE2-vlan100] quit
# Configure Twenty-FiveGigE 1/0/1 as a trunk port.
[PE2] interface twenty-fivegige 1/0/1
[PE2-Twenty-FiveGigE1/0/1] port link-type trunk
# Assign Twenty-FiveGigE 1/0/1 to VLAN 100.
[PE2-Twenty-FiveGigE1/0/1] port trunk permit vlan 100
[PE2-Twenty-FiveGigE1/0/1] quit
# Configure Twenty-FiveGigE 1/0/2 as a trunk port.
[PE2] interface twenty-fivegige 1/0/2
[PE2-Twenty-FiveGigE1/0/2] port link-type trunk
# Assign Twenty-FiveGigE 1/0/2 to VLAN 100.
[PE2-Twenty-FiveGigE1/0/2] port trunk permit vlan 100
[PE2-Twenty-FiveGigE1/0/2] quit
3. Configure PE 3:
# Create VLANs 5, 6, 100, and 200.
<PE3> system-view
[PE3] vlan 5 to 6
[PE3] vlan 100
[PE3-vlan100] quit
[PE3] vlan 200
[PE3-vlan200] quit
# Configure Twenty-FiveGigE 1/0/1 as a trunk port.
[PE3] interface twenty-fivegige 1/0/1
[PE3-Twenty-FiveGigE1/0/1] port link-type trunk
# Assign Twenty-FiveGigE 1/0/1 to VLANs 100 and 200.
[PE3-Twenty-FiveGigE1/0/1] port trunk permit vlan 100 200
# Configure a two-to-two VLAN mapping on Twenty-FiveGigE 1/0/1 to map SVLAN 100 and
CVLAN 5 to SVLAN 200 and CVLAN 6.
[PE3-Twenty-FiveGigE1/0/1] vlan mapping tunnel 100 5 translated-vlan 200 6
[PE3-Twenty-FiveGigE1/0/1] quit
# Configure Twenty-FiveGigE 1/0/2 as a trunk port.
[PE3] interface twenty-fivegige 1/0/2
[PE3-Twenty-FiveGigE1/0/2] port link-type trunk
# Assign Twenty-FiveGigE 1/0/2 to VLAN 200.

[PE3-Twenty-FiveGigE1/0/2] port trunk permit vlan 200
[PE3-Twenty-FiveGigE1/0/2] quit
4. Configure PE 4:
# Create VLANs 6 and 200.
<PE4> system-view
[PE4] vlan 6
[PE4-vlan6] quit
[PE4] vlan 200
[PE4-vlan200] quit
# Configure the network-side port (Twenty-FiveGigE 1/0/1) as a trunk port.
[PE4] interface twenty-fivegige 1/0/1
[PE4-Twenty-FiveGigE1/0/1] port link-type trunk
# Assign Twenty-FiveGigE 1/0/1 to VLAN 200.
[PE4-Twenty-FiveGigE1/0/1] port trunk permit vlan 200
[PE4-Twenty-FiveGigE1/0/1] quit
# Configure the customer-side port (Twenty-FiveGigE 1/0/2) as a hybrid port.
[PE4] interface twenty-fivegige 1/0/2
[PE4-Twenty-FiveGigE1/0/2] port link-type hybrid
# Assign Twenty-FiveGigE 1/0/2 to VLAN 200 as an untagged member.
[PE4-Twenty-FiveGigE1/0/2] port hybrid vlan 200 untagged
# Configure a one-to-two VLAN mapping on Twenty-FiveGigE 1/0/2 to add SVLAN tag 200 to
packets from VLAN 6.
[PE4-Twenty-FiveGigE1/0/2] vlan mapping nest single 6 nested-vlan 200
[PE4-Twenty-FiveGigE1/0/2] quit

Verifying the configuration


# Verify VLAN mapping information on PE 1.
[PE1] display vlan mapping
Interface Twenty-FiveGigE1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
5 N/A 100 5

# Verify VLAN mapping information on PE 3.


[PE3] display vlan mapping
Interface Twenty-FiveGigE1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
100 5 200 6

# Verify VLAN mapping information on PE 4.


[PE4] display vlan mapping
Interface Twenty-FiveGigE1/0/2:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
6 N/A 200 6
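
The tag operations configured in this example can be followed on the frame itself. The Python code
below is an added example, not part of the H3C guide: it builds an 802.1Q frame and applies the
mappings of PE 1, PE 3, and PE 4 in both directions. It assumes TPID 0x8100 for both tags, constructed
MAC addresses, and priority bits of 0.

```python
import struct

TPID = 0x8100  # assumption: CVLAN and SVLAN tags both use the IEEE 802.1Q TPID


def tag(vid):
    """Encode one 4-byte VLAN tag (priority bits left at 0 in this model)."""
    return struct.pack("!HH", TPID, vid & 0x0FFF)


def make_frame(vid, payload_len):
    """Single-tagged IPv4 frame without FCS; the MAC addresses are constructed."""
    dst, src = bytes.fromhex("00005e005302"), bytes.fromhex("00005e005301")
    return dst + src + tag(vid) + struct.pack("!H", 0x0800) + bytes(payload_len)


def parse_tags(frame):
    """Return the VLAN IDs (outermost first) and the offset of the EtherType."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids, off


def rebuild(frame, vids):
    """Replace the tag stack of the frame with vids (outermost first)."""
    _, off = parse_tags(frame)
    return frame[:12] + b"".join(tag(v) for v in vids) + frame[off:]


def nest(frame, cvlan, svlan):
    """One-to-two mapping (vlan mapping nest): add the SVLAN tag to frames from cvlan."""
    vids, _ = parse_tags(frame)
    return rebuild(frame, [svlan] + vids) if vids == [cvlan] else frame


def tunnel(frame, outer, inner, new_outer, new_inner):
    """Two-to-two mapping (vlan mapping tunnel): replace both tags."""
    vids, _ = parse_tags(frame)
    return rebuild(frame, [new_outer, new_inner]) if vids == [outer, inner] else frame


def strip_outer(frame, svlan):
    """Untagged member of the SVLAN: remove the SVLAN tag toward the customer."""
    vids, _ = parse_tags(frame)
    return rebuild(frame, vids[1:]) if vids[:1] == [svlan] else frame


def sp_payload_len(frame):
    """Bytes after the outer tag and its type field, which the SP-side MTU must fit."""
    return len(frame) - 18


def summarize(hops):
    return [(name, parse_tags(f)[0], len(f)) for name, f in hops]


def site1_to_site2(frame):
    f1 = nest(frame, 5, 100)          # PE 1: vlan mapping nest single 5 nested-vlan 100
    f2 = tunnel(f1, 100, 5, 200, 6)   # PE 3: vlan mapping tunnel 100 5 translated-vlan 200 6
    f3 = strip_outer(f2, 200)         # PE 4: port hybrid vlan 200 untagged
    return summarize([("CE 1 to PE 1", frame), ("SP 1", f1), ("SP 2", f2), ("PE 4 to CE 2", f3)])


def site2_to_site1(frame):
    f1 = nest(frame, 6, 200)          # PE 4: vlan mapping nest single 6 nested-vlan 200
    f2 = tunnel(f1, 200, 6, 100, 5)   # PE 3: downlink direction of the same mapping
    f3 = strip_outer(f2, 100)         # PE 1: port hybrid vlan 100 untagged
    return summarize([("CE 2 to PE 4", frame), ("SP 2", f1), ("SP 1", f2), ("PE 1 to CE 1", f3)])


if __name__ == "__main__":
    for name, vids, size in site1_to_site2(make_frame(5, 1500)):
        print(f"{name:14} tags={vids} frame bytes={size}")
```

With a 1500-byte payload, the frame inside SP 1 and SP 2 is 4 bytes longer than the frame CE 1 sent,
which is why the guide recommends an MTU of at least 1504 bytes on the forwarding path.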

Contents
Configuring loop detection
  About loop detection
    Loop detection mechanism
    Loop detection interval
    Loop protection actions
    Port status auto recovery
  Restriction and guidelines: DRNI configuration
  Loop detection tasks at a glance
  Enabling loop detection
    Restrictions and guidelines for loop detection configuration
    Enabling loop detection globally
    Enabling loop detection on a port
  Setting the loop protection action
    Restrictions and guidelines for loop protection action configuration
    Setting the global loop protection action
    Setting the loop protection action on an interface
  Setting the loop detection interval
  Display and maintenance commands for loop detection
  Loop detection configuration examples
    Example: Configuring basic loop detection functions
    Example: Configuring loop detection on a DR system

Configuring loop detection
About loop detection
The loop detection mechanism performs periodic checking for Layer 2 loops. The mechanism
immediately generates a log when a loop occurs so that you are promptly notified to adjust network
connections and configurations. You can configure loop detection to shut down the looped port. Logs
are maintained in the information center. For more information, see Network Management and
Monitoring Configuration Guide.

Loop detection mechanism


The device detects loops by sending detection frames and then checking whether these frames
return to any port on the device. If they do, the device considers that the port is on a looped link.
Loop detection usually works within a VLAN. If a detection frame is returned with a different VLAN
tag than it was sent out with, an inter-VLAN loop has occurred. To remove the loop, examine the
QinQ or VLAN mapping configuration for incorrect settings. For more information about QinQ and
VLAN mapping, see "Configuring QinQ" and "Configuring VLAN mapping."
Figure 1 Ethernet frame header for loop detection
[Figure: header layout on a bit ruler marked 0, 15, and 31. Field order: DMAC, SMAC, TPID, TCI, Type.]


The Ethernet frame header of a loop detection packet contains the following fields:
• DMAC—Destination MAC address of the frame, which is the multicast MAC address
010f-e200-0007. When a loop detection-enabled device receives a frame with this destination
MAC address, it performs the following operations:
  ○ Sends the frame to the CPU.
  ○ Floods the frame in the VLAN from which the frame was originally received.
• SMAC—Source MAC address of the frame, which is the bridge MAC address of the sending
device.
• TPID—Type of the VLAN tag, with the value of 0x8100.
• TCI—Information of the VLAN tag, including the priority and VLAN ID.
• Type—Protocol type, with the value of 0x8918.
Figure 2 Inner frame header for loop detection
[Figure: header layout on a bit ruler marked 0, 15, and 31. First row: Code, Version. Second row: Length, Reserved.]

The inner frame header of a loop detection packet contains the following fields:
• Code—Protocol sub-type, which is 0x0001, indicating the loop detection protocol.

• Version—Protocol version, which is always 0x0000.
• Length—Length of the frame. The value includes the inner header, but excludes the Ethernet
header.
• Reserved—This field is reserved.
Frames for loop detection are encapsulated as TLV triplets.
Table 1 TLVs supported by loop detection

TLV            Description                                  Remarks
End of PDU     End of a PDU.                                Optional.
Device ID      Bridge MAC address of the sending device.    Required.
Port ID        ID of the PDU sending port.                  Optional.
Port Name      Name of the PDU sending port.                Optional.
System Name    Device name.                                 Optional.
Chassis ID     Chassis ID of the sending port.              Optional.
Slot ID        Slot ID of the sending port.                 Optional.
Sub Slot ID    Sub-slot ID of the sending port.             Optional.
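
The two headers described above can be validated mechanically when a capture contains frames sent to 010f-e200-0007. The following Python code is an added example, not part of the original guide or H3C software. The function names, the sample bridge MAC addresses, and the premise that the analyst knows which VLAN a frame was sent in are assumptions; the TLV encoding is not given in this guide, so TLV bytes are returned unparsed.

```python
import struct

LPDT_DMAC = bytes.fromhex("010fe2000007")  # multicast DMAC 010f-e200-0007
TPID_8021Q = 0x8100
LPDT_TYPE = 0x8918
LPDT_CODE = 0x0001
LPDT_VERSION = 0x0000
ETH_HDR_LEN = 18    # DMAC(6) + SMAC(6) + TPID(2) + TCI(2) + Type(2)
INNER_HDR_LEN = 8   # Code(2) + Version(2) + Length(2) + Reserved(2)


def mac_str(raw: bytes) -> str:
    """Render 6 bytes in the xxxx-xxxx-xxxx notation the guide uses."""
    h = raw.hex()
    return "-".join(h[i:i + 4] for i in range(0, 12, 4))


def parse_frame(frame: bytes) -> dict:
    """Parse both headers; raise ValueError if this is not a loop detection frame."""
    if len(frame) < ETH_HDR_LEN + INNER_HDR_LEN:
        raise ValueError("frame too short for the Ethernet and inner headers")
    dmac, smac, tpid, tci, etype = struct.unpack_from("!6s6sHHH", frame, 0)
    if dmac != LPDT_DMAC:
        raise ValueError("DMAC is not 010f-e200-0007")
    if tpid != TPID_8021Q or etype != LPDT_TYPE:
        raise ValueError("unexpected TPID or protocol type")
    code, version, length, _reserved = struct.unpack_from("!HHHH", frame, ETH_HDR_LEN)
    if code != LPDT_CODE or version != LPDT_VERSION:
        raise ValueError("unexpected code or version")
    # Length covers the inner header plus the TLVs, not the Ethernet header.
    # Trailing Ethernet padding is tolerated; a short capture is rejected.
    available = len(frame) - ETH_HDR_LEN
    if length < INNER_HDR_LEN or length > available:
        raise ValueError("Length field is inconsistent with the captured bytes")
    return {
        "smac": mac_str(smac),
        "priority": tci >> 13,      # upper 3 bits of the TCI
        "vlan": tci & 0x0FFF,       # lower 12 bits of the TCI
        "length": length,
        "tlvs": frame[ETH_HDR_LEN + INNER_HDR_LEN:ETH_HDR_LEN + length],
    }


def classify(frame: bytes, local_bridge_mac: str, sent_vlan: int) -> str:
    """Classify a received frame from the point of view of one device.

    Assumption: the caller knows the VLAN in which the device sent the frame.
    """
    try:
        info = parse_frame(frame)
    except ValueError:
        return "not-loop-detection"
    if info["smac"] != local_bridge_mac.lower():
        return "foreign"            # sent by another device's bridge MAC
    if info["vlan"] != sent_vlan:
        return "inter-vlan-loop"    # came back with a different VLAN tag
    return "loop"


def build_sample(smac_hex: str, vlan: int, tlvs: bytes = b"\x00" * 4) -> bytes:
    """Build a constructed frame for testing; the TLV bytes are opaque filler."""
    eth = struct.pack("!6s6sHHH", LPDT_DMAC, bytes.fromhex(smac_hex),
                      TPID_8021Q, vlan & 0x0FFF, LPDT_TYPE)
    inner = struct.pack("!HHHH", LPDT_CODE, LPDT_VERSION,
                        INNER_HDR_LEN + len(tlvs), 0)
    return eth + inner + tlvs


if __name__ == "__main__":
    sample = build_sample("020000000a01", 100)   # constructed bridge MAC
    print(parse_frame(sample))
    print(classify(sample, "0200-0000-0a01", 100))
```
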

Loop detection interval


Loop detection is a continuous process as the network changes. Loop detection frames are sent at
the loop detection interval to determine whether loops occur on ports and whether loops are
removed.

Loop protection actions


When the device detects a loop on a port, it generates a log but performs no action on the port by
default. You can configure the device to take one of the following actions:
• Block—Disables the port from learning MAC addresses and blocks the port.
• No-learning—Disables the port from learning MAC addresses.
• Shutdown—Shuts down the port to disable it from receiving and sending any frames.

Port status auto recovery


When the device configured with the block or no-learning loop action detects a loop on a port, it
performs the action and waits three loop detection intervals. If the device does not receive a loop
detection frame within three loop detection intervals, it performs the following operations:
• Automatically sets the port to the forwarding state.
• Notifies the user of the event.
When the device configured with the shutdown action detects a loop on a port, the following events
occur:
1. The device automatically shuts down the port.

2. The device automatically sets the port to the forwarding state after the detection timer set by
using the shutdown-interval command expires. For more information about the
shutdown-interval command, see Fundamentals Command Reference.
3. The device shuts down the port again if a loop is still detected on the port when the detection
timer expires.
This process is repeated until the loop is removed.

NOTE:
Incorrect recovery can occur when loop detection frames are discarded to reduce the load. To avoid
this, use the shutdown action, or manually remove the loop.

Restriction and guidelines: DRNI configuration


Member devices in a DR system must have the same loop detection configuration.

Loop detection tasks at a glance


To configure loop detection, perform the following tasks:
1. Enabling loop detection
  ○ Enabling loop detection globally
  ○ Enabling loop detection on a port
2. (Optional) Setting the loop protection action
  ○ Setting the global loop protection action
  ○ Setting the loop protection action on an interface
3. (Optional) Setting the loop detection interval

Enabling loop detection


Restrictions and guidelines for loop detection configuration
You can enable loop detection globally or on a per-port basis. When a port receives a detection
frame in any VLAN, the loop protection action is triggered on that port, regardless of whether loop
detection is enabled on it.

Enabling loop detection globally


1. Enter system view.
system-view
2. Globally enable loop detection.
loopback-detection global enable vlan { vlan-id-list | all }
By default, loop detection is globally disabled.

Enabling loop detection on a port


1. Enter system view.
system-view

2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
interface interface-type interface-number
3. Enable loop detection on the port.
loopback-detection enable vlan { vlan-id-list | all }
By default, loop detection is disabled on ports.

Setting the loop protection action


Restrictions and guidelines for loop protection action configuration
You can set the loop protection action globally or on a per-port basis. The global action applies to all
ports. The per-port action applies to the individual ports. The per-port action takes precedence over
the global action.

Setting the global loop protection action


1. Enter system view.
system-view
2. Set the global loop protection action.
loopback-detection global action shutdown
By default, the device generates a log but performs no action on the port on which a loop is
detected.

Setting the loop protection action on an interface


1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the loop protection action on the interface.
loopback-detection action { block | no-learning | shutdown }
By default, the device generates a log but performs no action on the port on which a loop is
detected.
Support for the keywords of this command varies by interface type. For more information, see
Layer 2—LAN Switching Command Reference.

Setting the loop detection interval


About this task
With loop detection enabled, the device sends loop detection frames at the loop detection interval. A
shorter interval offers more sensitive detection but consumes more resources. Consider the system
performance and loop detection speed when you set the loop detection interval.
Procedure
1. Enter system view.

system-view
2. Set the loop detection interval.
loopback-detection interval-time interval
The default setting is 30 seconds.

Display and maintenance commands for loop detection
Execute display commands in any view.

Task                                                     Command
Display the loop detection configuration and status.     display loopback-detection

Loop detection configuration examples


Example: Configuring basic loop detection functions
Network configuration
As shown in Figure 3, configure loop detection on Device A to meet the following requirements:
• Device A generates a log as a notification.
• Device A automatically shuts down the port on which a loop is detected.
Figure 3 Network diagram

[Figure: Device A, Device B, and Device C, each with interfaces WGE1/0/1 and WGE1/0/2, in VLAN 100.]

Procedure
1. Configure Device A:
# Create VLAN 100, and globally enable loop detection for the VLAN.
<DeviceA> system-view
[DeviceA] vlan 100

[DeviceA-vlan100] quit
[DeviceA] loopback-detection global enable vlan 100
# Configure Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 as trunk ports, and assign
them to VLAN 100.
[DeviceA] interface Twenty-FiveGigE 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port link-type trunk
[DeviceA-Twenty-FiveGigE1/0/1] port trunk permit vlan 100
[DeviceA-Twenty-FiveGigE1/0/1] quit
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] port link-type trunk
[DeviceA-Twenty-FiveGigE1/0/2] port trunk permit vlan 100
[DeviceA-Twenty-FiveGigE1/0/2] quit
# Set the global loop protection action to shutdown.
[DeviceA] loopback-detection global action shutdown
# Set the loop detection interval to 35 seconds.
[DeviceA] loopback-detection interval-time 35
2. Configure Device B:
# Create VLAN 100.
<DeviceB> system-view
[DeviceB] vlan 100
[DeviceB-vlan100] quit
# Configure Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 as trunk ports, and assign
them to VLAN 100.
[DeviceB] interface twenty-fivegige 1/0/1
[DeviceB-Twenty-FiveGigE1/0/1] port link-type trunk
[DeviceB-Twenty-FiveGigE1/0/1] port trunk permit vlan 100
[DeviceB-Twenty-FiveGigE1/0/1] quit
[DeviceB] interface twenty-fivegige 1/0/2
[DeviceB-Twenty-FiveGigE1/0/2] port link-type trunk
[DeviceB-Twenty-FiveGigE1/0/2] port trunk permit vlan 100
[DeviceB-Twenty-FiveGigE1/0/2] quit
3. Configure Device C:
# Create VLAN 100.
<DeviceC> system-view
[DeviceC] vlan 100
[DeviceC-vlan100] quit
# Configure Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 as trunk ports, and assign
them to VLAN 100.
[DeviceC] interface twenty-fivegige 1/0/1
[DeviceC-Twenty-FiveGigE1/0/1] port link-type trunk
[DeviceC-Twenty-FiveGigE1/0/1] port trunk permit vlan 100
[DeviceC-Twenty-FiveGigE1/0/1] quit
[DeviceC] interface twenty-fivegige 1/0/2
[DeviceC-Twenty-FiveGigE1/0/2] port link-type trunk
[DeviceC-Twenty-FiveGigE1/0/2] port trunk permit vlan 100
[DeviceC-Twenty-FiveGigE1/0/2] quit

Verifying the configuration
# View the system logs on devices, for example, Device A.
[DeviceA]
%Feb 24 15:04:29:663 2013 DeviceA LPDT/4/LPDT_LOOPED: A loop was detected on
Twenty-FiveGigE1/0/1.
%Feb 24 15:04:29:664 2013 DeviceA LPDT/4/LPDT_VLAN_LOOPED: A loop was detected on
Twenty-FiveGigE1/0/1 in VLAN 100.
%Feb 24 15:04:29:667 2013 DeviceA LPDT/4/LPDT_LOOPED: A loop was detected on
Twenty-FiveGigE1/0/2.
%Feb 24 15:04:29:668 2013 DeviceA LPDT/4/LPDT_VLAN_LOOPED: A loop was detected on
Twenty-FiveGigE1/0/2 in VLAN 100.
%Feb 24 15:04:44:243 2013 DeviceA LPDT/5/LPDT_VLAN_RECOVERED: A loop was removed on
Twenty-FiveGigE1/0/1 in VLAN 100.
%Feb 24 15:04:44:243 2013 DeviceA LPDT/5/LPDT_RECOVERED: All loops were removed on
Twenty-FiveGigE1/0/1.
%Feb 24 15:04:44:248 2013 DeviceA LPDT/5/LPDT_VLAN_RECOVERED: A loop was removed on
Twenty-FiveGigE1/0/2 in VLAN 100.
%Feb 24 15:04:44:248 2013 DeviceA LPDT/5/LPDT_RECOVERED: All loops were removed on
Twenty-FiveGigE1/0/2.

The output shows the following information:


• Device A detected loops on Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 within a loop
detection interval.
• Loops on Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 were removed.
# Use the display loopback-detection command to display the loop detection configuration
and status on devices, for example, Device A.
[DeviceA] display loopback-detection
Loop detection is enabled.
Loop detection interval is 35 second(s).
Loop is detected on following interfaces:
Interface Action mode VLANs
Twenty-FiveGigE1/0/1 Shutdown 100
Twenty-FiveGigE1/0/2 Shutdown 100

The output shows that the device has removed the loops from Twenty-FiveGigE 1/0/1 and
Twenty-FiveGigE 1/0/2 according to the shutdown action.
# Display the status of Twenty-FiveGigE 1/0/1 on devices, for example, Device A.
[DeviceA] display interface twenty-fivegige 1/0/1
Twenty-FiveGigE1/0/1 current state: DOWN (Loop detection down)
...

The output shows that Twenty-FiveGigE 1/0/1 is already shut down by the loop detection module.
# Display the status of Twenty-FiveGigE 1/0/2 on devices, for example, Device A.
[DeviceA] display interface twenty-fivegige 1/0/2
Twenty-FiveGigE1/0/2 current state: DOWN (Loop detection down)
...

The output shows that Twenty-FiveGigE 1/0/2 is already shut down by the loop detection module.
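
The LPDT log messages shown above can be tracked over time to tell a loop that was removed from one that returns after each automatic recovery. The following Python code is an added example, not part of the original guide or H3C software. The log lines are constructed in the format shown above, and the function names and the recurring_after threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}

# %<Mon> <day> <hh:mm:ss:ms> <year> <host> LPDT/<sev>/<mnemonic>: ... on <if>[ in VLAN <id>].
LINE_RE = re.compile(
    r"^%(\w{3})\s+(\d{1,2}) (\d{2}):(\d{2}):(\d{2}):(\d{3}) (\d{4}) (\S+) "
    r"LPDT/\d/(LPDT_\w+): .* on (\S+?)(?: in VLAN (\d+))?\.$")

# Constructed sample, modelled on the messages in this example.
SAMPLE_LOG = """\
%Feb 24 15:04:29:663 2013 DeviceA LPDT/4/LPDT_LOOPED: A loop was detected on Twenty-FiveGigE1/0/1.
%Feb 24 15:04:29:664 2013 DeviceA LPDT/4/LPDT_VLAN_LOOPED: A loop was detected on Twenty-FiveGigE1/0/1 in VLAN 100.
%Feb 24 15:04:29:667 2013 DeviceA LPDT/4/LPDT_LOOPED: A loop was detected on Twenty-FiveGigE1/0/2.
%Feb 24 15:04:29:668 2013 DeviceA LPDT/4/LPDT_VLAN_LOOPED: A loop was detected on Twenty-FiveGigE1/0/2 in VLAN 100.
this line is not an LPDT message and is skipped
%Feb 24 15:04:44:243 2013 DeviceA LPDT/5/LPDT_VLAN_RECOVERED: A loop was removed on Twenty-FiveGigE1/0/1 in VLAN 100.
%Feb 24 15:04:44:243 2013 DeviceA LPDT/5/LPDT_RECOVERED: All loops were removed on Twenty-FiveGigE1/0/1.
%Feb 24 15:04:44:248 2013 DeviceA LPDT/5/LPDT_VLAN_RECOVERED: A loop was removed on Twenty-FiveGigE1/0/2 in VLAN 100.
%Feb 24 15:04:44:248 2013 DeviceA LPDT/5/LPDT_RECOVERED: All loops were removed on Twenty-FiveGigE1/0/2.
%Feb 24 15:05:19:700 2013 DeviceA LPDT/4/LPDT_LOOPED: A loop was detected on Twenty-FiveGigE1/0/1.
%Feb 24 15:05:19:701 2013 DeviceA LPDT/4/LPDT_VLAN_LOOPED: A loop was detected on Twenty-FiveGigE1/0/1 in VLAN 100.
"""


def parse_line(line):
    """Return (time, host, mnemonic, interface, vlan) or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m or m.group(1) not in MONTHS:
        return None
    mon, day, hh, mm, ss, ms, year, host, mnemonic, ifname, vlan = m.groups()
    when = datetime(int(year), MONTHS[mon], int(day),
                    int(hh), int(mm), int(ss), int(ms) * 1000)
    return when, host, mnemonic, ifname, int(vlan) if vlan else None


def summarize(lines, recurring_after=2):
    """Track loop state per (host, interface) from LPDT messages."""
    state = defaultdict(lambda: {"cycles": 0, "vlans": set(),
                                 "looped_since": None, "outages": []})
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        when, host, mnemonic, ifname, vlan = event
        s = state[(host, ifname)]
        if mnemonic == "LPDT_VLAN_LOOPED":
            s["vlans"].add(vlan)
        elif mnemonic == "LPDT_LOOPED" and s["looped_since"] is None:
            s["looped_since"] = when
            s["cycles"] += 1
        elif mnemonic == "LPDT_RECOVERED" and s["looped_since"] is not None:
            s["outages"].append((when - s["looped_since"]).total_seconds())
            s["looped_since"] = None
        # LPDT_VLAN_RECOVERED is covered by the interface-level LPDT_RECOVERED.
    return {
        key: {
            "cycles": s["cycles"],
            "vlans": sorted(s["vlans"]),
            "still_looped": s["looped_since"] is not None,
            "outages": s["outages"],
            # A loop that keeps coming back needs a manual fix, not recovery.
            "recurring": s["cycles"] >= recurring_after,
        }
        for key, s in state.items()
    }


if __name__ == "__main__":
    for key, row in summarize(SAMPLE_LOG.splitlines()).items():
        print(key, row)
```
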

Example: Configuring loop detection on a DR system
Network configuration
As shown in Figure 4, configure loop detection on the DR system formed by Device A and Device B
to meet the following requirements:
• The DR system generates a log as a notification.
• The DR system automatically shuts down the port on which a loop is detected.
Figure 4 Network diagram
[Figure: Device A (DR 1) and Device B (DR 2) form the DR system, with the IPL on BAGG3 (WGE1/0/5) and the keepalive link on WGE1/0/6. BAGG4 faces Device C and BAGG5 faces Device D through WGE1/0/1 to WGE1/0/4. Device C and Device D each also show WGE1/0/5, and Device E shows WGE1/0/1 and WGE1/0/2.]

Procedure
1. Configure Device A:
# Create VLAN 100.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] quit
# Configure DR system settings.
[DeviceA] drni system-mac 1-1-1
[DeviceA] drni system-number 1
[DeviceA] drni system-priority 123
# Configure DR keepalive packet parameters.
[DeviceA] drni keepalive ip destination 1.1.1.1 source 1.1.1.2
# Set the link mode of Twenty-FiveGigE 1/0/6 to Layer 3, and assign the interface an IP address.
The IP address will be used as the source IP address of keepalive packets.
[DeviceA] interface twenty-fivegige 1/0/6
[DeviceA-Twenty-FiveGigE1/0/6] port link-mode route
[DeviceA-Twenty-FiveGigE1/0/6] ip address 1.1.1.2 24
[DeviceA-Twenty-FiveGigE1/0/6] quit

# Exclude the interface used for DR keepalive detection (Twenty-FiveGigE 1/0/6) from the
shutdown action by DRNI MAD.
[DeviceA] drni mad exclude interface twenty-fivegige 1/0/6
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 3, and specify it as the IPP.
[DeviceA] interface bridge-aggregation 3
[DeviceA-Bridge-Aggregation3] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation3] port drni intra-portal-port 1
[DeviceA-Bridge-Aggregation3] quit
# Assign Twenty-FiveGigE 1/0/5 to aggregation group 3.
[DeviceA] interface twenty-fivegige 1/0/5
[DeviceA-Twenty-FiveGigE1/0/5] port link-aggregation group 3
[DeviceA-Twenty-FiveGigE1/0/5] quit
# Set the link type of Bridge-Aggregation 3 to trunk, and assign it to VLAN 100.
[DeviceA] interface bridge-aggregation 3
[DeviceA-Bridge-Aggregation3] port link-type trunk
[DeviceA-Bridge-Aggregation3] port trunk permit vlan 100
[DeviceA-Bridge-Aggregation3] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 4, and assign it to DR group
4.
[DeviceA] interface bridge-aggregation 4
[DeviceA-Bridge-Aggregation4] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation4] port drni group 4
[DeviceA-Bridge-Aggregation4] quit
# Assign Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 to aggregation group 4.
[DeviceA] interface twenty-fivegige 1/0/1
[DeviceA-Twenty-FiveGigE1/0/1] port link-aggregation group 4
[DeviceA-Twenty-FiveGigE1/0/1] quit
[DeviceA] interface twenty-fivegige 1/0/2
[DeviceA-Twenty-FiveGigE1/0/2] port link-aggregation group 4
[DeviceA-Twenty-FiveGigE1/0/2] quit
# Set the link type of Bridge-Aggregation 4 to trunk, and assign it to VLAN 100.
[DeviceA] interface bridge-aggregation 4
[DeviceA-Bridge-Aggregation4] port link-type trunk
[DeviceA-Bridge-Aggregation4] port trunk permit vlan 100
[DeviceA-Bridge-Aggregation4] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 5, and assign it to DR group
5.
[DeviceA] interface bridge-aggregation 5
[DeviceA-Bridge-Aggregation5] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation5] port drni group 5
[DeviceA-Bridge-Aggregation5] quit
# Assign Twenty-FiveGigE 1/0/3 and Twenty-FiveGigE 1/0/4 to aggregation group 5.
[DeviceA] interface twenty-fivegige 1/0/3
[DeviceA-Twenty-FiveGigE1/0/3] port link-aggregation group 5
[DeviceA-Twenty-FiveGigE1/0/3] quit
[DeviceA] interface twenty-fivegige 1/0/4
[DeviceA-Twenty-FiveGigE1/0/4] port link-aggregation group 5
[DeviceA-Twenty-FiveGigE1/0/4] quit

# Set the link type of Bridge-Aggregation 5 to trunk, and assign it to VLAN 100.
[DeviceA] interface bridge-aggregation 5
[DeviceA-Bridge-Aggregation5] port link-type trunk
[DeviceA-Bridge-Aggregation5] port trunk permit vlan 100
[DeviceA-Bridge-Aggregation5] quit
# Disable the spanning tree feature.
[DeviceA] undo stp global enable
# Enable loop detection for VLAN 100 globally, set the global loop protection action to shutdown,
and set the loop detection interval to 35 seconds.
[DeviceA] loopback-detection global enable vlan 100
[DeviceA] loopback-detection global action shutdown
[DeviceA] loopback-detection interval-time 35
2. Configure Device B in the same way Device A is configured. (Details not shown.)
3. Configure Device C:
# Disable the spanning tree feature.
<DeviceC> system-view
[DeviceC] undo stp global enable
# Create VLAN 100.
[DeviceC] vlan 100
[DeviceC-vlan100] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 4.
[DeviceC] interface bridge-aggregation 4
[DeviceC-Bridge-Aggregation4] link-aggregation mode dynamic
[DeviceC-Bridge-Aggregation4] quit
# Assign Twenty-FiveGigE 1/0/1 through Twenty-FiveGigE 1/0/4 to aggregation group 4.
[DeviceC] interface range twenty-fivegige 1/0/1 to twenty-fivegige 1/0/4
[DeviceC-if-range] port link-aggregation group 4
[DeviceC-if-range] quit
# Set the link type of Bridge-Aggregation 4 to trunk, and assign it to VLAN 100.
[DeviceC] interface bridge-aggregation 4
[DeviceC-Bridge-Aggregation4] port link-type trunk
[DeviceC-Bridge-Aggregation4] port trunk permit vlan 100
[DeviceC-Bridge-Aggregation4] quit
# Set the link type of Twenty-FiveGigE 1/0/5 to trunk, and assign it to VLAN 100.
[DeviceC] interface twenty-fivegige 1/0/5
[DeviceC-Twenty-FiveGigE1/0/5] port link-type trunk
[DeviceC-Twenty-FiveGigE1/0/5] port trunk permit vlan 100
[DeviceC-Twenty-FiveGigE1/0/5] quit
4. Configure Device D:
# Disable the spanning tree feature.
<DeviceD> system-view
[DeviceD] undo stp global enable
# Create VLAN 100.
[DeviceD] vlan 100
[DeviceD-vlan100] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 5.
[DeviceD] interface bridge-aggregation 5

[DeviceD-Bridge-Aggregation5] link-aggregation mode dynamic
[DeviceD-Bridge-Aggregation5] quit
# Assign Twenty-FiveGigE 1/0/1 through Twenty-FiveGigE 1/0/4 to aggregation group 5.
[DeviceD] interface range twenty-fivegige 1/0/1 to twenty-fivegige 1/0/4
[DeviceD-if-range] port link-aggregation group 5
[DeviceD-if-range] quit
# Set the link type of Bridge-Aggregation 5 to trunk, and assign it to VLAN 100.
[DeviceD] interface bridge-aggregation 5
[DeviceD-Bridge-Aggregation5] port link-type trunk
[DeviceD-Bridge-Aggregation5] port trunk permit vlan 100
[DeviceD-Bridge-Aggregation5] quit
# Set the link type of Twenty-FiveGigE 1/0/5 to trunk, and assign it to VLAN 100.
[DeviceD] interface twenty-fivegige 1/0/5
[DeviceD-Twenty-FiveGigE1/0/5] port link-type trunk
[DeviceD-Twenty-FiveGigE1/0/5] port trunk permit vlan 100
[DeviceD-Twenty-FiveGigE1/0/5] quit
5. Configure Device E:
# Disable the spanning tree feature.
<DeviceE> system-view
[DeviceE] undo stp global enable
# Create VLAN 100.
[DeviceE] vlan 100
[DeviceE-vlan100] quit
# Set the link type of Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 to trunk, and assign
them to VLAN 100.
[DeviceE] interface twenty-fivegige 1/0/1
[DeviceE-Twenty-FiveGigE1/0/1] port link-type trunk
[DeviceE-Twenty-FiveGigE1/0/1] port trunk permit vlan 100
[DeviceE-Twenty-FiveGigE1/0/1] quit
[DeviceE] interface twenty-fivegige 1/0/2
[DeviceE-Twenty-FiveGigE1/0/2] port link-type trunk
[DeviceE-Twenty-FiveGigE1/0/2] port trunk permit vlan 100
[DeviceE-Twenty-FiveGigE1/0/2] quit

Verifying the configuration


# View the system logs on Device A.
[DeviceA]
%Aug 1 03:28:48:110 2019 Sysname LPDT/4/LPDT_LOOPED: A loop was detected on Bridge-Aggregation4.
%Aug 1 03:28:48:191 2019 Sysname LPDT/4/LPDT_VLAN_LOOPED: A loop was detected on Bridge-Aggregation4 in VLAN 100.
%Aug 1 03:28:48:194 2019 Sysname LPDT/4/LPDT_LOOPED: A loop was detected on Bridge-Aggregation5.
%Aug 1 03:28:48:288 2019 Sysname LPDT/4/LPDT_VLAN_LOOPED: A loop was detected on Bridge-Aggregation5 in VLAN 100.
%Aug 1 03:28:48:290 2019 Sysname LPDT/5/LPDT_VLAN_RECOVERED: A loop was removed on Bridge-Aggregation4 in VLAN 100.
%Aug 1 03:28:48:291 2019 Sysname LPDT/5/LPDT_RECOVERED: All loops were removed on Bridge-Aggregation4.
%Aug 1 03:28:48:302 2019 Sysname LPDT/5/LPDT_VLAN_RECOVERED: A loop was removed on Bridge-Aggregation5 in VLAN 100.
%Aug 1 03:28:48:304 2019 Sysname LPDT/5/LPDT_RECOVERED: All loops were removed on Bridge-Aggregation5.

The output shows the following information:


• Device A detected loops on Bridge-Aggregation 4 and Bridge-Aggregation 5 within a loop
detection interval.
• Loops on Bridge-Aggregation 4 and Bridge-Aggregation 5 were removed.
# Use the display loopback-detection command to display the loop detection configuration
and status on Device A.
[DeviceA] display loopback-detection
Loop detection is enabled.
Global loop detection interval is 35 second(s).
Loop is detected on following interfaces:
Interface Action mode VLANs/VSI
Bridge-Aggregation4 Shutdown 100
Bridge-Aggregation5 Shutdown 100

The output shows that the device has removed the loops from Bridge-Aggregation 4 and
Bridge-Aggregation 5 according to the shutdown action.
# Verify that Bridge-Aggregation 4 has been shut down by loop detection.
[DeviceA] display interface Bridge-Aggregation 4
Bridge-Aggregation4
The interface has assigned a DR group.
Current state: DOWN (Loopback detection down)

# Verify that Bridge-Aggregation 5 has been shut down by loop detection.


[DeviceA] display interface Bridge-Aggregation 5
Bridge-Aggregation5
The interface has assigned a DR group.
Current state: DOWN (Loopback detection down)

# Verify that loops have been removed on Device B. (Details not shown.)

Contents
Spanning tree protocol overview ···································································· 1
About STP ·························································································································································· 1
STP protocol frames ·································································································································· 1
Basic concepts in STP ······························································································································· 3
Calculation process of the STP algorithm ·································································································· 4
Example of STP calculation ······················································································································· 5
The configuration BPDU forwarding mechanism of STP ··········································································· 9
STP timers ················································································································································· 9
About RSTP ····················································································································································· 10
RSTP protocol frames ······························································································································ 10
Basic concepts in RSTP··························································································································· 11
How RSTP works ····································································································································· 11
RSTP BPDU processing ·························································································································· 11
About PVST ····················································································································································· 12
PVST protocol frames ······························································································································ 12
How PVST works ····································································································································· 13
About MSTP ····················································································································································· 13
MSTP features ········································································································································· 13
MSTP protocol frames ····························································································································· 13
Basic concepts in MSTP ·························································································································· 15
How MSTP works····································································································································· 18
MSTP implementation on devices············································································································ 19
Rapid transition mechanism ····························································································································· 19
Edge port rapid transition ························································································································· 19
Root port rapid transition ·························································································································· 20
P/A transition ············································································································································ 20
Protocols and standards ·································································································································· 21
Configuring spanning tree protocols ···························································· 23
Restrictions and guidelines: spanning tree protocol configuration ··································································· 23
Restrictions: Compatibility with other features ························································································· 23
Restrictions: Interface configuration ········································································································· 23
Spanning tree protocol tasks at a glance ········································································································· 24
STP tasks at a glance ······························································································································ 24
RSTP tasks at a glance···························································································································· 25
PVST tasks at a glance ···························································································································· 26
MSTP tasks at a glance ··························································································································· 27
Setting the spanning tree mode ······················································································································· 28
Configuring an MST region ······························································································································ 29
Configuring the root bridge or a secondary root bridge ··················································································· 30
Restrictions and guidelines ······················································································································ 30
  Configuring the device as the root bridge of a spanning tree
  Configuring the device as a secondary root bridge of a spanning tree
Configuring the device priority
Configuring the maximum hops of an MST region
Configuring the network diameter of a switched network
Setting spanning tree timers
Setting the timeout factor
Configuring the BPDU transmission rate
Configuring edge ports
Configuring path costs of ports
  About path cost
  Specifying a standard for the default path cost calculation
  Configuring path costs of ports
Configuring the port priority
Configuring the port link type
Configuring the mode a port uses to recognize and send MSTP frames
Enabling outputting port state transition information
Enabling the spanning tree feature
  Restrictions and guidelines
  Enabling the spanning tree feature in STP/RSTP/MSTP mode
  Enabling the spanning tree feature in PVST mode
Performing mCheck
  About mCheck
  Restrictions and guidelines
  Performing mCheck globally
  Performing mCheck in interface view
Disabling inconsistent PVID protection
Configuring Digest Snooping
Configuring No Agreement Check
Configuring TC Snooping
Configuring protection features
  Spanning tree protection tasks at a glance
  Configuring BPDU guard
  Enabling root guard
  Enabling loop guard
  Configuring port role restriction
  Configuring TC-BPDU transmission restriction
  Enabling TC-BPDU guard
  Enabling BPDU drop
  Enabling PVST BPDU guard
  Disabling dispute guard
Enabling the device to log events of detecting or receiving TC BPDUs
Disabling the device from reactivating edge ports shut down by BPDU guard
Enabling BPDU transparent transmission on a port
Enabling SNMP notifications for new-root election and topology change events
Display and maintenance commands for the spanning tree protocols
Spanning tree configuration examples
  Example: Configuring MSTP
  Example: Configuring PVST
  Example: Configuring DRNI with PVST

Spanning tree protocol overview
Spanning tree protocols eliminate loops in a physical link-redundant network by selectively blocking
redundant links and putting them in a standby state.
The recent versions of STP include the Rapid Spanning Tree Protocol (RSTP), the Per-VLAN
Spanning Tree (PVST), and the Multiple Spanning Tree Protocol (MSTP).

About STP
STP was developed based on the 802.1d standard of IEEE to eliminate loops at the data link layer in
a LAN. Networks often have redundant links as backups in case of failures, but loops are a very
serious problem. Devices running STP detect loops in the network by exchanging information with
one another. They eliminate loops by selectively blocking certain ports to prune the loop structure
into a loop-free tree structure. This avoids proliferation and infinite cycling of packets that would
occur in a loop network.
In a narrow sense, STP refers to IEEE 802.1d STP. In a broad sense, STP refers to the IEEE 802.1d
STP and various enhanced spanning tree protocols derived from that protocol.

STP protocol frames


STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its protocol
frames. This chapter uses BPDUs to represent all types of spanning tree protocol frames.
STP-enabled devices exchange BPDUs to establish a spanning tree. BPDUs contain sufficient
information for the devices to complete spanning tree calculation.
STP uses two types of BPDUs, configuration BPDUs and topology change notification (TCN)
BPDUs.
Configuration BPDUs
Devices exchange configuration BPDUs to elect the root bridge and determine port roles. Figure 1
shows the configuration BPDU format.
Figure 1 Configuration BPDU format

Frame layout: DMA | SMA | L/T | LLC header | Payload

DMA: Destination MAC address
SMA: Source MAC address
L/T: Frame length
LLC header: Logical link control header
Payload: BPDU data

Fields                 Byte
Protocol ID            2
Protocol version ID    1
BPDU type              1
Flags                  1
Root ID                8
Root path cost         4
Bridge ID              8
Port ID                2
Message age            2
Max age                2
Hello time             2
Forward delay          2

The payload of a configuration BPDU includes the following fields:

• Protocol ID—Fixed at 0x0000, which represents IEEE 802.1d.
• Protocol version ID—Spanning tree protocol version ID. The protocol version ID for STP is
0x00.
• BPDU type—Type of the BPDU. The value is 0x00 for a configuration BPDU.
• Flags—An 8-bit field that indicates the purpose of the BPDU. The lowest bit is the Topology
Change (TC) flag. The highest bit is the Topology Change Acknowledge (TCA) flag. All other bits
are reserved.
• Root ID—Root bridge ID formed by the priority and MAC address of the root bridge.
• Root path cost—Cost of the path to the root bridge.
• Bridge ID—Designated bridge ID formed by the priority and MAC address of the designated
bridge.
• Port ID—Designated port ID formed by the priority and global port number of the designated
port.
• Message age—Age of the configuration BPDU while it propagates in the network.
• Max age—Maximum age of the configuration BPDU stored on the switch.
• Hello time—Configuration BPDU transmission interval.
• Forward delay—Delay for STP bridges to transit port state.
Devices use the root bridge ID, root path cost, designated bridge ID, designated port ID, message
age, max age, hello time, and forward delay for spanning tree calculation.
TCN BPDUs
Devices use TCN BPDUs to announce changes in the network topology. Figure 2 shows the TCN
BPDU format.
Figure 2 TCN BPDU format

Frame layout: DMA | SMA | L/T | LLC header | Payload

DMA: Destination MAC address
SMA: Source MAC address
L/T: Frame length
LLC header: Logical link control header
Payload: BPDU data

Fields                 Byte
Protocol ID            2
Protocol version ID    1
BPDU type              1

The payload of a TCN BPDU includes the following fields:


• Protocol ID—Fixed at 0x0000, which represents IEEE 802.1d.
• Protocol version ID—Spanning tree protocol version ID. The protocol version ID for STP is
0x00.
• BPDU type—Type of the BPDU. The value is 0x80 for a TCN BPDU.
A non-root bridge sends TCN BPDUs when one of the following events occurs on the bridge:
• A port transits to the forwarding state, and the bridge has a minimum of one designated port.
• A port transits from the forwarding or learning state to the blocking state.
The non-root bridge uses TCN BPDUs to notify the root bridge once the network topology changes.
The root bridge then sets the TC flag in its configuration BPDU and propagates it to other bridges.
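
The two payload layouts above, decoded by a parser added here as an illustration (it is not H3C code). Field order and sizes follow Figure 1 and Figure 2; the split of each 8-byte bridge ID into a 2-byte priority plus a 6-byte MAC address and the 1/256-second timer unit are taken from IEEE 802.1D rather than from this page, and both sample payloads are constructed.

```python
import struct
from dataclasses import dataclass

HEADER = struct.Struct("!HBB")               # Protocol ID, protocol version ID, BPDU type
CONFIG_BODY = struct.Struct("!B8sI8sHHHHH")  # Flags through forward delay (31 bytes)
TYPE_CONFIG, TYPE_TCN = 0x00, 0x80
FLAG_TC, FLAG_TCA = 0x01, 0x80               # lowest and highest bit of the Flags field


@dataclass(frozen=True)
class BridgeId:
    priority: int
    mac: str


@dataclass(frozen=True)
class ConfigBpdu:
    tc: bool
    tca: bool
    reserved_flags: int      # non-zero means reserved bits are set in an STP BPDU
    root_id: BridgeId
    root_path_cost: int
    bridge_id: BridgeId      # designated bridge ID
    port_id: int             # designated port ID, kept as the raw 16-bit value
    message_age: float       # seconds
    max_age: float
    hello_time: float
    forward_delay: float

    @property
    def expired(self) -> bool:
        """True when the BPDU is already at or past its max age."""
        return self.message_age >= self.max_age


@dataclass(frozen=True)
class TcnBpdu:
    """A TCN BPDU carries only the three header fields."""


def _bridge_id(raw: bytes) -> BridgeId:
    # Assumption from IEEE 802.1D: 2-byte priority followed by a 6-byte MAC address.
    return BridgeId(int.from_bytes(raw[:2], "big"), raw[2:].hex("-"))


def parse_bpdu(payload: bytes):
    """Decode an STP (protocol version 0) BPDU payload; raise ValueError if malformed."""
    if len(payload) < HEADER.size:
        raise ValueError("truncated BPDU: the header needs 4 bytes")
    protocol_id, version, bpdu_type = HEADER.unpack_from(payload)
    if protocol_id != 0x0000:
        raise ValueError(f"unexpected protocol ID 0x{protocol_id:04x}")
    if version != 0x00:
        raise ValueError(f"not an STP BPDU (protocol version ID 0x{version:02x})")
    if bpdu_type == TYPE_TCN:
        return TcnBpdu()
    if bpdu_type != TYPE_CONFIG:
        raise ValueError(f"unknown BPDU type 0x{bpdu_type:02x}")
    if len(payload) < HEADER.size + CONFIG_BODY.size:
        raise ValueError("truncated configuration BPDU: 35 bytes required")
    (flags, root, cost, bridge, port,
     age, max_age, hello, delay) = CONFIG_BODY.unpack_from(payload, HEADER.size)
    return ConfigBpdu(
        tc=bool(flags & FLAG_TC), tca=bool(flags & FLAG_TCA),
        reserved_flags=flags & 0x7E,
        root_id=_bridge_id(root), root_path_cost=cost,
        bridge_id=_bridge_id(bridge), port_id=port,
        # Assumption from IEEE 802.1D: timer fields are in units of 1/256 second.
        message_age=age / 256, max_age=max_age / 256,
        hello_time=hello / 256, forward_delay=delay / 256,
    )


# Constructed sample payloads (not captured from a device).
SAMPLE_CONFIG_BPDU = bytes.fromhex(
    "0000" "00" "00" "01"            # protocol ID, version, type, flags (TC set)
    "0000" "00000000000a"            # root ID: priority 0, MAC 00-00-00-00-00-0a
    "00000005"                       # root path cost 5
    "8000" "00000000000b"            # bridge ID: priority 32768, MAC 00-00-00-00-00-0b
    "8002"                           # port ID
    "0100" "1400" "0200" "0f00"      # message age 1 s, max age 20 s, hello 2 s, delay 15 s
)
SAMPLE_TCN_BPDU = bytes.fromhex("00000080")

if __name__ == "__main__":
    print(parse_bpdu(SAMPLE_CONFIG_BPDU))
    print(parse_bpdu(SAMPLE_TCN_BPDU))
```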

Basic concepts in STP
Root bridge
A tree network must have a root bridge. The entire network contains only one root bridge, and all the
other bridges in the network are called leaf nodes. The root bridge is not permanent, but can change
with changes of the network topology.
Upon initialization of a network, each device generates and periodically sends configuration BPDUs,
with itself as the root bridge. After network convergence, only the root bridge generates and
periodically sends configuration BPDUs. The other devices only forward the BPDUs.
Root port
On a non-root bridge, the port nearest to the root bridge is the root port. The root port communicates
with the root bridge. Each non-root bridge has only one root port. The root bridge has no root port.
Designated bridge and designated port

Classification: For a device
• Designated bridge: Device directly connected to the local device and responsible for forwarding
BPDUs to the local device.
• Designated port: Port through which the designated bridge forwards BPDUs to this device.

Classification: For a LAN
• Designated bridge: Device responsible for forwarding BPDUs to this LAN segment.
• Designated port: Port through which the designated bridge forwards BPDUs to this LAN
segment.

As shown in Figure 3, Device B and Device C are directly connected to a LAN.


If Device A forwards BPDUs to Device B through port A1, the designated bridge and designated port
are as follows:
• The designated bridge for Device B is Device A.
• The designated port for Device B is port A1 on Device A.
If Device B forwards BPDUs to the LAN, the designated bridge and designated port are as follows:
• The designated bridge for the LAN is Device B.
• The designated port for the LAN is port B2 on Device B.
Figure 3 Designated bridges and designated ports
[Figure: Device A (Port A1, Port A2), Device B (Port B1, Port B2), Device C (Port C1, Port C2), and
the LAN to which Device B and Device C connect.]

Port states
Table 1 lists the port states in STP.

Table 1 STP port states

State        Receives/sends BPDUs   Learns MAC addresses   Forwards user data
Disabled     No                     No                     No
Listening    Yes                    No                     No
Learning     Yes                    Yes                    No
Forwarding   Yes                    Yes                    Yes
Blocking     Receive                No                     No

Path cost
Path cost is a reference value used for link selection in STP. To prune the network into a loop-free
tree, STP calculates path costs to select the most robust links and block redundant links that are less
robust.

Calculation process of the STP algorithm


In STP calculation, a device compares the priorities of the received configuration BPDUs from
different ports, and elects the root bridge, root ports and designated ports. When the spanning tree
calculation is completed, a tree-shape topology forms.
The spanning tree calculation process described in the following sections is an example of a
simplified process.
Network initialization
Upon initialization of a device, each port generates a BPDU with the following contents:
• The port as the designated port.
• The device as the root bridge.
• 0 as the root path cost.
• The device ID as the designated bridge ID.
Root bridge selection
The root bridge can be selected by using the following methods:
• Automatic election—Initially, each STP-enabled device on the network assumes itself to be
the root bridge, with its own device ID as the root bridge ID. By exchanging configuration
BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root
bridge ID as the root bridge.
• Manual assignment—You can configure a device as the root bridge or a secondary root bridge
of a spanning tree.
  ○ A spanning tree can have only one root bridge. If you configure multiple devices as the root
  bridge for a spanning tree, the device with the lowest MAC address is selected.
  ○ You can configure one or multiple secondary root bridges for a spanning tree. When the root
  bridge fails or is shut down, a secondary root bridge can take over. If multiple secondary root
  bridges are configured, the one with the lowest MAC address is selected. However, if a new
  root bridge is configured, the secondary root bridge is not selected.
Root port and designated ports selection on the non-root bridges

1. A non-root-bridge device regards the port on which it received the optimum configuration BPDU
as the root port. Table 2 describes how the optimum configuration BPDU is selected.
2. Based on the configuration BPDU and the path cost of the root port, the device calculates a
designated port configuration BPDU for each of the other ports.
   • The root bridge ID is replaced with that of the configuration BPDU of the root port.
   • The root path cost is replaced with that of the configuration BPDU of the root port plus the
   path cost of the root port.
   • The designated bridge ID is replaced with the ID of this device.
   • The designated port ID is replaced with the ID of this port.
3. The device compares the calculated configuration BPDU with the configuration BPDU on the
port whose port role will be determined. Then, the device acts depending on the result of the
comparison:
   • If the calculated configuration BPDU is superior, the device performs the following
   operations:
      ○ Considers this port as the designated port.
      ○ Replaces the configuration BPDU on the port with the calculated configuration BPDU.
      ○ Periodically sends the calculated configuration BPDU.
   • If the configuration BPDU on the port is superior, the device blocks this port without
   updating its configuration BPDU. The blocked port can receive BPDUs, but cannot send
   BPDUs or forward data traffic.
When the network topology is stable, only the root port and designated ports forward user traffic.
All other ports are in the blocking state. They receive BPDUs but do not forward BPDUs or user traffic.
Table 2 Selecting the optimum configuration BPDU

1. Upon receiving a configuration BPDU on a port, the device compares the priority of the received
configuration BPDU with that of the configuration BPDU generated by the port.
   • If the former priority is lower, the device discards the received configuration BPDU and
   keeps the configuration BPDU the port generated.
   • If the former priority is higher, the device replaces the content of the configuration BPDU
   generated by the port with the content of the received configuration BPDU.
2. The device compares the configuration BPDUs of all the ports and chooses the optimum
configuration BPDU.

The following are the principles of configuration BPDU comparison:


1. The configuration BPDU with the lowest root bridge ID has the highest priority.
2. If configuration BPDUs have the same root bridge ID, their root path costs are compared. For
example, the root path cost in a configuration BPDU plus the path cost of a receiving port is S.
The configuration BPDU with the smallest S value has the highest priority.
3. If all configuration BPDUs have the same root bridge ID and S value, the following attributes are
compared in sequence:
a. Designated bridge IDs.
b. Designated port IDs.
c. IDs of the receiving ports.
The configuration BPDU that contains a smaller designated bridge ID, designated port ID, or
receiving port ID is selected.
A tree-shape topology forms when the root bridge, root ports, and designated ports are selected.

Example of STP calculation


Figure 4 provides an example showing how the STP algorithm works.

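Figure 4 The STP algorithm
[Figure: Device A (Priority = 0; Port A1, Port A2), Device B (Priority = 1; Port B1, Port B2), and
Device C (Priority = 2; Port C1, Port C2). Link from Port A1 to Port B1: path cost = 5. Link from
Port A2 to Port C1: path cost = 10. Link from Port B2 to Port C2: path cost = 4.]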

As shown in Figure 4, the priority values of Device A, Device B, and Device C are 0, 1, and 2,
respectively. The path costs of links among the three devices are 5, 10, and 4.
Device state initialization
In Table 3, each configuration BPDU contains the following fields: root bridge ID, root path cost,
designated bridge ID, and designated port ID.
Table 3 Initial state of each device

Device     Port name   Configuration BPDU on the port
Device A   Port A1     {0, 0, 0, Port A1}
Device A   Port A2     {0, 0, 0, Port A2}
Device B   Port B1     {1, 0, 1, Port B1}
Device B   Port B2     {1, 0, 1, Port B2}
Device C   Port C1     {2, 0, 2, Port C1}
Device C   Port C2     {2, 0, 2, Port C2}

Configuration BPDUs comparison on each device


In Table 4, each configuration BPDU contains the following fields: root bridge ID, root path cost,
designated bridge ID, and designated port ID.

Table 4 Comparison process and result on each device

Device A

Comparison process:
Port A1 performs the following operations:
1. Receives the configuration BPDU of Port B1 {1, 0, 1, Port B1}.
2. Determines that its existing configuration BPDU {0, 0, 0, Port A1} is superior to the received
configuration BPDU.
3. Discards the received one.
Port A2 performs the following operations:
1. Receives the configuration BPDU of Port C1 {2, 0, 2, Port C1}.
2. Determines that its existing configuration BPDU {0, 0, 0, Port A2} is superior to the received
configuration BPDU.
3. Discards the received one.
Device A determines that it is both the root bridge and designated bridge in the configuration
BPDUs of all its ports. It considers itself as the root bridge. It does not change the configuration
BPDU of any port and starts to periodically send configuration BPDUs.
Configuration BPDU on ports after comparison:
• Port A1: {0, 0, 0, Port A1}
• Port A2: {0, 0, 0, Port A2}

Device B

Comparison process:
Port B1 performs the following operations:
1. Receives the configuration BPDU of Port A1 {0, 0, 0, Port A1}.
2. Determines that the received configuration BPDU is superior to its existing configuration
BPDU {1, 0, 1, Port B1}.
3. Updates its configuration BPDU.
Port B2 performs the following operations:
1. Receives the configuration BPDU of Port C2 {2, 0, 2, Port C2}.
2. Determines that its existing configuration BPDU {1, 0, 1, Port B2} is superior to the received
configuration BPDU.
3. Discards the received BPDU.
Configuration BPDU on ports after comparison:
• Port B1: {0, 0, 0, Port A1}
• Port B2: {1, 0, 1, Port B2}

Comparison process:
Device B performs the following operations:
1. Compares the configuration BPDUs of all its ports.
2. Decides that the configuration BPDU of Port B1 is the optimum.
3. Selects Port B1 as the root port with the configuration BPDU unchanged.
Based on the configuration BPDU and path cost of the root port, Device B calculates a designated
port configuration BPDU for Port B2 {0, 5, 1, Port B2}. Device B compares it with the existing
configuration BPDU of Port B2 {1, 0, 1, Port B2}. Device B determines that the calculated one is
superior, and determines that Port B2 is the designated port. It replaces the configuration BPDU on
Port B2 with the calculated one, and periodically sends the calculated configuration BPDU.
Configuration BPDU on ports after comparison:
• Root port (Port B1): {0, 0, 0, Port A1}
• Designated port (Port B2): {0, 5, 1, Port B2}

Device C

Comparison process:
Port C1 performs the following operations:
1. Receives the configuration BPDU of Port A2 {0, 0, 0, Port A2}.
2. Determines that the received configuration BPDU is superior to its existing configuration
BPDU {2, 0, 2, Port C1}.
3. Updates its configuration BPDU.
Port C2 performs the following operations:
1. Receives the original configuration BPDU of Port B2 {1, 0, 1, Port B2}.
2. Determines that the received configuration BPDU is superior to the existing configuration
BPDU {2, 0, 2, Port C2}.
3. Updates its configuration BPDU.
Configuration BPDU on ports after comparison:
• Port C1: {0, 0, 0, Port A2}
• Port C2: {1, 0, 1, Port B2}

Comparison process:
Device C performs the following operations:
1. Compares the configuration BPDUs of all its ports.
2. Decides that the configuration BPDU of Port C1 is the optimum.
3. Selects Port C1 as the root port with the configuration BPDU unchanged.
Based on the configuration BPDU and path cost of the root port, Device C calculates the
configuration BPDU of Port C2 {0, 10, 2, Port C2}. Device C compares it with the existing
configuration BPDU of Port C2 {1, 0, 1, Port B2}. Device C determines that the calculated
configuration BPDU is superior to the existing one, selects Port C2 as the designated port, and
replaces the configuration BPDU of Port C2 with the calculated one.
Configuration BPDU on ports after comparison:
• Root port (Port C1): {0, 0, 0, Port A2}
• Designated port (Port C2): {0, 10, 2, Port C2}

Comparison process:
Port C2 performs the following operations:
1. Receives the updated configuration BPDU of Port B2 {0, 5, 1, Port B2}.
2. Determines that the received configuration BPDU is superior to its existing configuration
BPDU {0, 10, 2, Port C2}.
3. Updates its configuration BPDU.
Port C1 performs the following operations:
1. Receives a periodic configuration BPDU {0, 0, 0, Port A2} from Port A2.
2. Determines that it is the same as the existing configuration BPDU.
3. Discards the received BPDU.
Configuration BPDU on ports after comparison:
• Port C1: {0, 0, 0, Port A2}
• Port C2: {0, 5, 1, Port B2}

Comparison process:
Device C determines that the root path cost of Port C1 is larger than that of Port C2. The root path
cost of Port C1 is 10, root path cost of the received configuration BPDU (0) plus path cost of Port C1
(10). The root path cost of Port C2 is 9, root path cost of the received configuration BPDU (5) plus
path cost of Port C2 (4). Device C determines that the configuration BPDU of Port C2 is the
optimum, and selects Port C2 as the root port with the configuration BPDU unchanged.
Based on the configuration BPDU and path cost of the root port, Device C performs the following
operations:
1. Calculates a designated port configuration BPDU for Port C1 {0, 9, 2, Port C1}.
2. Compares it with the existing configuration BPDU of Port C1 {0, 0, 0, Port A2}.
3. Determines that the existing configuration BPDU is superior to the calculated one and blocks
Port C1 with the configuration BPDU unchanged.
Port C1 does not forward data until a new event triggers a spanning tree calculation process: for
example, the link between Device B and Device C is down.
Configuration BPDU on ports after comparison:
• Blocked port (Port C1): {0, 0, 0, Port A2}
• Root port (Port C2): {0, 5, 1, Port B2}

Final calculated spanning tree


After the comparison processes described in Table 4, a spanning tree with Device A as the root
bridge is established, as shown in Figure 5.
Figure 5 The final calculated spanning tree
[Figure: Devices A, B, and C. Legend: root bridge, root port, designated port, blocked port, normal
link, blocked link.]
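
The calculation walked through in Table 4, as a Python example added here (it is not H3C code): it applies the comparison principles above to the Figure 4 topology and can be rerun with the link between Device B and Device C removed. Bridge IDs are the simplified priorities 0, 1, and 2 from the page, port names stand in for port IDs, and timers and message aging are not modeled.

```python
# Constructed model of Figure 4. A configuration BPDU is the tuple
# (root bridge ID, root path cost, designated bridge ID, designated port ID);
# Python's tuple ordering then matches "lower value = higher priority".
BRIDGES = {"A": 0, "B": 1, "C": 2}
PORT_COST = {"A1": 5, "B1": 5, "A2": 10, "C1": 10, "B2": 4, "C2": 4}
LINKS = [("A1", "B1"), ("A2", "C1"), ("B2", "C2")]


def converge(links=LINKS, max_rounds=10):
    """Run the simplified STP calculation; return ({port: role}, {port: BPDU})."""
    peer = {}
    for a, b in links:
        peer[a], peer[b] = b, a
    owner = {p: BRIDGES[p[0]] for p in PORT_COST}
    # Network initialization: every port names its own device as the root, cost 0.
    stored = {p: (owner[p], 0, owner[p], p) for p in PORT_COST}
    roles = dict.fromkeys(PORT_COST, "designated")

    for _ in range(max_rounds):
        before = (dict(stored), dict(roles))
        # Designated ports send; a receiving port keeps a BPDU only if it is
        # superior to the one it already holds (Table 2, step 1).
        sent = {peer[p]: stored[p] for p in PORT_COST
                if roles[p] == "designated" and p in peer}
        for p, bpdu in sent.items():
            if bpdu < stored[p]:
                stored[p] = bpdu

        for name, bid in BRIDGES.items():
            ports = [p for p in PORT_COST if p[0] == name]
            heard = [p for p in ports if stored[p][2] != bid]  # BPDU from another bridge
            # Optimum BPDU: root ID, then S = root path cost + receiving port cost,
            # then designated bridge ID, designated port ID, receiving port ID.
            best = min(heard, default=None,
                       key=lambda p: (stored[p][0], stored[p][1] + PORT_COST[p],
                                      stored[p][2], stored[p][3], p))
            if best is None or bid <= stored[best][0]:
                for p in ports:  # this device is the root bridge
                    stored[p], roles[p] = (bid, 0, bid, p), "designated"
                continue
            root, cost = stored[best][0], stored[best][1] + PORT_COST[best]
            roles[best] = "root"
            for p in ports:
                if p == best:
                    continue
                calc = (root, cost, bid, p)  # designated port BPDU for this port
                if stored[p][2] == bid or calc < stored[p]:
                    stored[p], roles[p] = calc, "designated"
                else:
                    roles[p] = "blocked"  # BPDU on the port is superior: block it
        if (stored, roles) == before:
            break
    return roles, stored


if __name__ == "__main__":
    final_roles, final_bpdus = converge()
    for port in sorted(final_roles):
        print(port, final_roles[port], final_bpdus[port])
```

Calling `converge([("A1", "B1"), ("A2", "C1")])` models the event named at the end of Table 4: with the link between Device B and Device C down, Port C1 becomes the root port instead of staying blocked.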

The configuration BPDU forwarding mechanism of STP


The configuration BPDUs of STP are forwarded according to these guidelines:
• Upon network initialization, every device regards itself as the root bridge and generates
configuration BPDUs with itself as the root. Then it sends the configuration BPDUs at a regular
hello interval.
• If the root port receives a configuration BPDU superior to the configuration BPDU of the port,
the device performs the following operations:
  ○ Increases the message age carried in the configuration BPDU.
  ○ Starts a timer to time the configuration BPDU.
  ○ Sends this configuration BPDU through the designated port.
• If a designated port receives a configuration BPDU with a lower priority than its configuration
BPDU, the port immediately responds with its configuration BPDU.
• If a path fails, the root port on this path no longer receives new configuration BPDUs and the old
configuration BPDUs will be discarded due to timeout. The device generates configuration
BPDUs with itself as the root and sends the configuration BPDUs and TCN BPDUs. This triggers a
new spanning tree calculation process to establish a new path to restore the network connectivity.
However, the newly calculated configuration BPDU cannot be propagated throughout the network
immediately. As a result, the old root ports and designated ports that have not detected the topology
change continue forwarding data along the old path. If the new root ports and designated ports begin
to forward data as soon as they are elected, a temporary loop might occur.

STP timers
The most important timing parameters in STP calculation are forward delay, hello time, and max age.

• Forward delay
Forward delay is the delay time for port state transition. By default, the forward delay is 15
seconds.
A path failure can cause spanning tree re-calculation to adapt the spanning tree structure to the
change. However, the resulting new configuration BPDU cannot propagate throughout the
network immediately. If the newly elected root ports and designated ports start to forward data
immediately, a temporary loop will likely occur.
The newly elected root ports or designated ports must go through the listening and learning
states before they transit to the forwarding state. This requires twice the forward delay time and
allows the new configuration BPDU to propagate throughout the network.
• Hello time
The device sends configuration BPDUs at the hello time interval to the neighboring devices to
ensure that the paths are fault-free. By default, the hello time is 2 seconds. If the device does
not receive configuration BPDUs within the timeout period, it recalculates the spanning tree.
The formula for calculating the timeout period is timeout period = timeout factor × 3 × hello time.
• Max age
The device uses the max age to determine whether a stored configuration BPDU has expired
and discards it if the max age is exceeded. By default, the max age is 20 seconds. In the CIST
of an MSTP network, the device uses the max age timer to determine whether a configuration
BPDU received by a port has expired. If it is expired, a new spanning tree calculation process
starts. The max age timer does not take effect on MSTIs.
If a port does not receive any configuration BPDUs within the timeout period, the port transits to the
listening state. The device will recalculate the spanning tree. It takes the port 50 seconds to transit
back to the forwarding state. This period includes 20 seconds for the max age, 15 seconds for the
listening state, and 15 seconds for the learning state.
To ensure a fast topology convergence, make sure the timer settings meet the following formulas:
• 2 × (forward delay – 1 second) ≥ max age
• Max age ≥ 2 × (hello time + 1 second)

About RSTP
RSTP achieves rapid network convergence by allowing a newly elected root port or designated port
to enter the forwarding state much faster than STP.

RSTP protocol frames


An RSTP BPDU uses the same format as an STP BPDU except that a Version1 length field is added
to the payload of RSTP BPDUs. The differences between an RSTP BPDU and an STP BPDU are as
follows:
• Protocol version ID—The value is 0x02 for RSTP.
• BPDU type—The value is 0x02 for RSTP BPDUs.
• Flags—All 8 bits are used.
• Version1 length—The value is 0x00, which means no version 1 protocol information is
present.
RSTP does not use TCN BPDUs to advertise topology changes. RSTP floods BPDUs with the TC
flag set in the network to advertise topology changes.

Basic concepts in RSTP
Port roles
In addition to root port and designated port, RSTP also uses the following port roles:
• Alternate port—Acts as the backup port for a root port. When the root port is blocked, the
alternate port takes over.
• Backup port—Acts as the backup port of a designated port. When the designated port is
invalid, the backup port becomes the new designated port. A loop occurs when two ports of the
same spanning tree device are connected, so the device blocks one of the ports. The blocked
port is the backup port.
• Edge port—Directly connects to a user host rather than a network device or network segment.
Port states
RSTP uses the discarding state to replace the disabled, blocking, and listening states in STP. Table 5
shows the differences between the port states in RSTP and STP.
Table 5 Port state differences between RSTP and STP

STP port state   RSTP port state   Sends BPDU   Learns MAC addresses   Forwards user data
Disabled         Discarding        No           No                     No
Blocking         Discarding        No           No                     No
Listening        Discarding        Yes          No                     No
Learning         Learning          Yes          Yes                    No
Forwarding       Forwarding        Yes          Yes                    Yes

How RSTP works


During RSTP calculation, the following events occur:
• If a port in discarding state becomes an alternate port, it retains its state.
• If a port in discarding state is elected as the root port or designated port, it enters the learning
state after the forward delay. The port learns MAC addresses, and enters the forwarding state
after another forward delay.
  ○ A newly elected RSTP root port rapidly enters the forwarding state if the following
  requirements are met:
    − The old root port on the device has stopped forwarding data.
    − The upstream designated port has started forwarding data.
  ○ A newly elected RSTP designated port rapidly enters the forwarding state if one of the
  following requirements is met:
    − The designated port is configured as an edge port which directly connects to a user
    terminal.
    − The designated port connects to a point-to-point link and receives a handshake
    response from the directly connected device.

RSTP BPDU processing


In RSTP, a non-root bridge actively sends RSTP BPDUs at the hello time through designated ports
without waiting for the root bridge to send RSTP BPDUs. This enables RSTP to quickly detect link
failures. If a device fails to receive any RSTP BPDUs on a port within triple the hello time, the device
considers that a link failure has occurred. After the stored configuration BPDU expires, the device
floods RSTP BPDUs with the TC flag set to initiate a new RSTP calculation.
In RSTP, a port in blocking state can immediately respond to an RSTP BPDU with a lower priority
than its own BPDU.
As shown in Figure 6, Device A is the root bridge. The priority of Device B is higher than the priority of
Device C. Port C2 on Device C is blocked.
When the link between Device A and Device B fails, the following events occur:
1. Device B sends an RSTP BPDU with itself as the root bridge to Device C.
2. Device C compares the RSTP BPDU with its own BPDU.
3. Because the RSTP BPDU from Device B has a lower priority, Device C sends its own BPDU to
Device B.
4. Device B considers that Port B2 is the root port and stops sending RSTP BPDUs to Device C.
Figure 6 BPDU processing in RSTP
[Figure: Device A (root bridge, BID=0.MAC A; Port A1, Port A2), Device B (BID=4096.MAC B; Port B1,
Port B2), and Device C (BID=8192.MAC C; Port C1, Port C2), with one link marked as the failed link.
Legend: RSTP BPDU with low priority, RSTP BPDU with high priority. BPDU labels: "Device A is the
root", "Device B is the root".]

About PVST
In an STP- or RSTP-enabled LAN, all bridges share one spanning tree. Traffic from all VLANs is
forwarded along the spanning tree, and ports cannot be blocked on a per-VLAN basis to prune loops.
PVST allows every VLAN to have its own spanning tree, which increases usage of links and
bandwidth. Because each VLAN runs RSTP independently, a spanning tree only serves its VLAN.
A PVST-enabled H3C device can communicate with a third-party device that is running Rapid PVST
or PVST. The PVST-enabled H3C device supports fast network convergence like RSTP when
connected to PVST-enabled H3C devices or third-party devices enabled with Rapid PVST.

PVST protocol frames


As shown in Figure 7, a PVST BPDU uses the same format as an RSTP BPDU except for the following
differences:
• The destination MAC address of a PVST BPDU is 01-00-0c-cc-cc-cd, which is a private MAC
address.
• Each PVST BPDU carries a VLAN tag. The VLAN tag identifies the VLAN to which the PVST
BPDU belongs.
• The organization code and PID fields are added to the LLC header of the PVST BPDU.

Figure 7 PVST BPDU format
[Figure: frame fields in order: DMA, SMA, L/T, VLAN tag, LLC header, Payload. The LLC header is expanded to show the Organization code and PID fields.]

A port's link type determines the type of BPDUs the port sends.
• An access port sends RSTP BPDUs.
• A trunk or hybrid port sends RSTP BPDUs in the default VLAN and sends PVST BPDUs in
other VLANs.

How PVST works


PVST implements per-VLAN spanning tree calculation by mapping each VLAN to an MSTI. In PVST,
each VLAN runs RSTP independently to maintain its own spanning tree without affecting the
spanning trees of other VLANs. In this way, loops in each VLAN are eliminated and traffic of different
VLANs is load shared over links. PVST uses RSTP BPDUs in the default VLAN and PVST BPDUs in
other VLANs for spanning tree calculation.
PVST uses the same port roles and port states as RSTP for rapid transition. For more information,
see "Basic concepts in RSTP."

About MSTP
MSTP features
Developed based on IEEE 802.1s, MSTP overcomes the limitations of STP, RSTP, and PVST. In
addition to supporting rapid network convergence, it allows data flows of different VLANs to be
forwarded along separate paths. This provides a better load sharing mechanism for redundant links.
MSTP provides the following features:
• MSTP divides a switched network into multiple regions, each of which contains multiple
spanning trees that are independent of one another.
• MSTP supports mapping VLANs to spanning tree instances by means of a VLAN-to-instance
mapping table. MSTP can reduce communication overheads and resource usage by mapping
multiple VLANs to one instance.
• MSTP prunes a loop network into a loop-free tree, which avoids proliferation and endless
cycling of frames in a loop network. In addition, it supports load balancing of VLAN data by
providing multiple redundant paths for data forwarding.
• MSTP is compatible with STP and RSTP, and partially compatible with PVST.

MSTP protocol frames


Figure 8 shows the format of an MSTP BPDU.

Figure 8 MSTP BPDU format
Fields                        Byte
Protocol ID                   2
Protocol version ID           1
BPDU type                     1
Flags                         1
Root ID                       8
Root path cost                4
Bridge ID                     8
Port ID                       2
Message age                   2
Max age                       2
Hello time                    2
Forward delay                 2
Version1 length=0             1
MSTP-specific fields:
Version3 length               2
MST configuration ID          51
CIST IRPC                     4
CIST bridge ID                8
CIST remaining ID             1
MSTI configuration messages   LEN

The first 13 fields of an MSTP BPDU are the same as those of an RSTP BPDU. The other six fields
are unique to MSTP.
• Protocol version ID—The value is 0x03 for MSTP.
• BPDU type—The value is 0x02 for RSTP/MSTP BPDUs.
• Root ID—ID of the common root bridge.
• Root path cost—CIST external path cost.
• Bridge ID—ID of the regional root for the IST or an MSTI.
• Port ID—ID of the designated port in the CIST.
• Version3 length—Length of the MSTP-specific fields. Devices use this field for verification
upon receiving an MSTP BPDU.
• MST configuration ID—Includes the format selector, configuration name, revision level, and
configuration digest. The value for format selector is fixed at 0x00. The other parameters are
used to identify the MST region for the originating bridge.
• CIST IRPC—Internal root path cost (IRPC) from the originating bridge to the root of the MST
region.
• CIST bridge ID—ID of the bridge that sends the MSTP BPDU.
• CIST remaining ID—Remaining hop count. This field limits the scale of the MST region. The
regional root sends a BPDU with the remaining hop count set to the maximum value. Each
device that receives the BPDU decrements the hop count by one. When the hop count reaches
zero, the BPDU is discarded. Devices beyond the maximum hops of the MST region cannot
participate in spanning tree calculation. The default remaining hop count is 20.
• MSTI configuration messages—Contains MSTI configuration messages. Each MSTI
configuration message is 16 bytes. This field can contain 0 to 64 MSTI configuration messages.
The number of the MSTI configuration messages is determined by the number of MSTIs in the
MST region.
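A parser and validator for the MSTP BPDU layout in Figure 8, added here as an illustration; it is not H3C code. The Protocol ID value 0x0000, the sub-field sizes of the MST configuration ID, and the rule that Version3 length counts the bytes following the length field are taken from IEEE 802.1Q rather than from this guide, and the sample frame is constructed.

```python
import struct

# Field layout follows Figure 8. The Protocol ID value and the sub-field sizes
# of the MST configuration ID come from IEEE 802.1Q, not from this guide.
COMMON = struct.Struct(">HBBB8sI8sHHHHHB")  # first 13 fields, shared with RSTP (36 bytes)
MSTP_FIXED = struct.Struct(">H51sI8sB")     # Version3 length .. CIST remaining ID (66 bytes)
MST_CFG = struct.Struct(">B32sH16s")        # format selector, name, revision level, digest
MSTI_MSG_LEN = 16                           # each MSTI configuration message is 16 bytes
MAX_MSTI_MSGS = 64                          # the field holds 0 to 64 messages


class BpduError(ValueError):
    """Raised when a frame fails one of the checks described in the guide."""


def bridge_id(raw):
    """Render an 8-byte bridge ID in the guide's 'priority.MAC' notation."""
    priority = int.from_bytes(raw[:2], "big")
    return f"{priority}." + "-".join(f"{b:02x}" for b in raw[2:])


def parse_mstp_bpdu(data):
    """Parse and validate one MSTP BPDU payload (LLC header already removed)."""
    fixed_len = COMMON.size + MSTP_FIXED.size  # 102 bytes before any MSTI message
    if len(data) < fixed_len:
        raise BpduError(f"truncated: {len(data)} bytes, need at least {fixed_len}")
    (proto, version, bpdu_type, flags, root, root_cost, bridge, port,
     _msg_age, _max_age, _hello, _fwd_delay, v1_len) = COMMON.unpack_from(data)
    if proto != 0x0000 or version != 0x03 or bpdu_type != 0x02 or v1_len != 0:
        raise BpduError("not an MSTP BPDU: bad protocol ID, version, type or Version1 length")
    v3_len, cfg, irpc, cist_bridge, hops = MSTP_FIXED.unpack_from(data, COMMON.size)
    # Assumption (IEEE 802.1Q): Version3 length counts the bytes after the
    # two-byte length field itself, so it must match what was received.
    if v3_len != len(data) - COMMON.size - 2:
        raise BpduError(f"Version3 length {v3_len} does not match the frame")
    count, leftover = divmod(len(data) - fixed_len, MSTI_MSG_LEN)
    if leftover or count > MAX_MSTI_MSGS:
        raise BpduError("MSTI configuration messages are not 0 to 64 units of 16 bytes")
    selector, name, revision, digest = MST_CFG.unpack(cfg)
    if selector != 0x00:
        raise BpduError("format selector is not 0x00")
    return {
        "flags": flags,
        "root_id": bridge_id(root),                # common root bridge
        "root_path_cost": root_cost,               # CIST external path cost
        "regional_root_id": bridge_id(bridge),     # regional root
        "port_id": port,
        # The three values that identify the MST region of the originating bridge.
        "region": (name.rstrip(b"\x00").decode("ascii", "replace"), revision, digest.hex()),
        "cist_irpc": irpc,
        "cist_bridge_id": bridge_id(cist_bridge),  # bridge that sent the BPDU
        "remaining_hops": hops,
        "msti_messages": [data[o:o + MSTI_MSG_LEN]
                          for o in range(fixed_len, len(data), MSTI_MSG_LEN)],
    }


def same_region(a, b):
    """True if two parsed BPDUs carry the same MST configuration ID values."""
    return a["region"] == b["region"]


def build_sample_bpdu(name=b"region3", revision=0, msti_count=2):
    """Constructed test frame, not a capture: root 0.MAC A, sender 4096.MAC B."""
    root = (0).to_bytes(2, "big") + bytes.fromhex("00000000000a")
    sender = (4096).to_bytes(2, "big") + bytes.fromhex("00000000000b")
    # Timer fields are carried in units of 1/256 second (IEEE 802.1D).
    common = COMMON.pack(0x0000, 0x03, 0x02, 0x00, root, 0, root, 0x8001,
                         0, 20 * 256, 2 * 256, 15 * 256, 0)
    cfg = MST_CFG.pack(0x00, name, revision, bytes(16))  # all-zero digest is a placeholder
    msti = bytes(MSTI_MSG_LEN) * msti_count              # zero-filled MSTI messages
    fixed = MSTP_FIXED.pack(64 + len(msti), cfg, 0, sender, 20)
    return common + fixed + msti


if __name__ == "__main__":
    parsed = parse_mstp_bpdu(build_sample_bpdu())
    for key in ("root_id", "cist_bridge_id", "region", "remaining_hops"):
        print(f"{key}: {parsed[key]}")
    print("MSTI messages:", len(parsed["msti_messages"]))
```

Two bridges whose BPDUs fail `same_region` treat each other as being outside the region, so the port between them becomes a boundary port.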

Basic concepts in MSTP
Figure 9 shows a switched network that contains four MST regions, each MST region containing four
MSTP devices. Figure 10 shows the networking topology of MST region 3.
Figure 9 Basic concepts in MSTP
[Figure: four MST regions (MST region 1 through MST region 4) connected by the CST. MST regions 1, 2, and 4 map VLAN 1 → MSTI 1, VLAN 2 → MSTI 2, and other VLANs → MSTI 0. MST region 3 maps VLAN 1 → MSTI 1, VLAN 2&3 → MSTI 2, and other VLANs → MSTI 0.]

Figure 10 Network diagram and topology of MST region 3
[Figure: MST region 3 contains Device A, Device B, Device C, and Device D, with links to MST region 2 and MST region 4. Separate topologies are shown for MSTI 1, MSTI 2, and MSTI 0, each with its regional root marked. Mapping: VLAN 1 → MSTI 1, VLAN 2&3 → MSTI 2, other VLANs → MSTI 0.]

MST region
A multiple spanning tree region (MST region) consists of multiple devices in a switched network and
the network segments among them. All these devices have the following characteristics:
• A spanning tree protocol enabled
• Same region name
• Same VLAN-to-instance mapping configuration
• Same MSTP revision level
• Physically linked together
Multiple MST regions can exist in a switched network. You can assign multiple devices to the same
MST region, as shown in Figure 9.
• The switched network contains four MST regions, MST region 1 through MST region 4.
• All devices in each MST region have the same MST region configuration.
MSTI
MSTP can generate multiple independent spanning trees in an MST region, and each spanning tree
is mapped to specific VLANs. Each spanning tree is referred to as a multiple spanning tree
instance (MSTI).
In Figure 10, MST region 3 contains three MSTIs, MSTI 1, MSTI 2, and MSTI 0.
VLAN-to-instance mapping table
As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping
relationships between VLANs and MSTIs.
In Figure 10, the VLAN-to-instance mapping table of MST region 3 is as follows:
• VLAN 1 to MSTI 1.
• VLAN 2 and VLAN 3 to MSTI 2.
• Other VLANs to MSTI 0.
MSTP achieves load balancing by means of the VLAN-to-instance mapping table.
CST
The common spanning tree (CST) is a single spanning tree that connects all MST regions in a
switched network. If you regard each MST region as a device, the CST is a spanning tree calculated
by these devices through STP or RSTP.
The blue lines in Figure 9 represent the CST.
IST
An internal spanning tree (IST) is a spanning tree that runs in an MST region. It is also called MSTI 0,
a special MSTI to which all VLANs are mapped by default.
In Figure 9, MSTI 0 is the IST in MST region 3.
CIST
The common and internal spanning tree (CIST) is a single spanning tree that connects all devices in
a switched network. It consists of the ISTs in all MST regions and the CST.
In Figure 9, the ISTs (MSTI 0) in all MST regions plus the inter-region CST constitute the CIST of the
entire network.
Regional root
The root bridge of the IST or an MSTI within an MST region is the regional root of the IST or MSTI.
Based on the topology, different spanning trees in an MST region might have different regional roots,
as shown in MST region 3 in Figure 10.

• The regional root of MSTI 1 is Device B.
• The regional root of MSTI 2 is Device C.
• The regional root of MSTI 0 (also known as the IST) is Device A.
Common root bridge
The common root bridge is the root bridge of the CIST.
In Figure 9, the common root bridge is a device in MST region 1.
Port roles
A port can play different roles in different MSTIs. As shown in Figure 11, an MST region contains
Device A, Device B, Device C, and Device D. Port A1 and Port A2 of Device A connect to the
common root bridge. Port B2 and Port B3 of Device B form a loop. Port C3 and Port C4 of Device C
connect to other MST regions. Port D3 of Device D directly connects to a host.
Figure 11 Port roles
[Figure: an MST region containing Device A (root bridge; Port A1 through Port A4), Device B (Port B1 through Port B3), Device C (Port C1 through Port C4), and Device D (Port D1 through Port D3). Port A1 and Port A2 lead to the common root. Port C3 and Port C4 lead to other MST regions. Legend: root port, designated port, alternate port, backup port, edge port, master port, boundary port, normal link, blocked link.]

MSTP calculation involves the following port roles:


• Root port—Forwards data for a non-root bridge to the root bridge. The root bridge does not
have any root port.
• Designated port—Forwards data to the downstream network segment or device.
• Alternate port—Acts as the backup port for a root port or master port. When the root port or
master port is blocked, the alternate port takes over.
• Backup port—Acts as the backup port of a designated port. When the designated port is
invalid, the backup port becomes the new designated port. A loop occurs when two ports of the
same spanning tree device are connected, so the device blocks one of the ports. The blocked
port acts as the backup.
• Edge port—Directly connects to a user host rather than a network device or network segment.
• Master port—Acts as a port on the shortest path from the local MST region to the common root
bridge. The master port is not always located on the regional root. It is a root port on the IST or
CIST and still a master port on the other MSTIs.
• Boundary port—Connects an MST region to another MST region or to an STP/RSTP-running
device. In MSTP calculation, a boundary port's role on an MSTI is consistent with its role on the
CIST. However, that is not true with master ports. A master port on MSTIs is a root port on the
CIST.
Port states
In MSTP, a port can be in one of the following states:
• Forwarding—The port receives and sends BPDUs, learns MAC addresses, and forwards user
traffic.
• Learning—The port receives and sends BPDUs, learns MAC addresses, but does not forward
user traffic. Learning is an intermediate port state.
• Discarding—The port receives and sends BPDUs, but does not learn MAC addresses or
forward user traffic.

NOTE:
When in different MSTIs, a port can be in different states.

A port state is not exclusively associated with a port role. Table 6 lists the port states that each port
role supports. (A check mark [√] indicates that the port supports this state, while a dash [—] indicates
that the port does not support this state.)
Table 6 Port states that different port roles support

Port state    Root port/master port    Designated port    Alternate port    Backup port
Forwarding    √                        √                  —                 —
Learning      √                        √                  —                 —
Discarding    √                        √                  √                 √

How MSTP works


MSTP divides an entire Layer 2 network into multiple MST regions, which are connected by a
calculated CST. Inside an MST region, multiple spanning trees, called MSTIs, are calculated. Among
these MSTIs, MSTI 0 is the IST.
Like STP, MSTP uses configuration BPDUs to calculate spanning trees. An important difference is
that an MSTP BPDU carries the MSTP configuration of the bridge from which the BPDU is sent.
CIST calculation
During the CIST calculation, the following process takes place:
• The device with the highest priority is elected as the root bridge of the CIST.
• MSTP generates an IST within each MST region through calculation.
• MSTP regards each MST region as a single device and generates a CST among these MST
regions through calculation.
The CST and ISTs constitute the CIST of the entire network.
MSTI calculation
Within an MST region, MSTP generates different MSTIs for different VLANs based on the
VLAN-to-instance mappings. For each spanning tree, MSTP performs a separate calculation
process similar to spanning tree calculation in STP. For more information, see "Calculation process
of the STP algorithm."
In MSTP, a VLAN frame is forwarded along the following paths:

• Within an MST region, the frame is forwarded along the corresponding MSTI.
• Between two MST regions, the frame is forwarded along the CST.

MSTP implementation on devices


MSTP is compatible with STP and RSTP. Devices that are running MSTP and that are used for
spanning tree calculation can identify STP and RSTP protocol frames.
In addition to basic MSTP features, the following features are provided for ease of management:
• Root bridge hold.
• Root bridge backup.
• Root guard.
• BPDU guard.
• Loop guard.
• TC-BPDU guard.
• Port role restriction.
• TC-BPDU transmission restriction.

Rapid transition mechanism


In STP, a port must wait twice the forward delay (30 seconds by default) before it transits from the
blocking state to the forwarding state. The forward delay is related to the hello time and network
diameter. If the forward delay is too short, loops might occur. This affects the stability of the network.
RSTP, PVST, and MSTP all use the rapid transition mechanism to speed up port state transition for
edge ports, root ports, and designated ports. The rapid transition mechanism for designated ports is
also known as the proposal/agreement (P/A) transition.

Edge port rapid transition


As shown in Figure 12, Port C3 is an edge port connected to a host. When a network topology
change occurs, the port can immediately transit from the blocking state to the forwarding state
because no loop will be caused.
Because a device cannot determine whether a port is directly connected to a terminal, you must
manually configure the port as an edge port.
Figure 12 Edge port rapid transition
[Figure: Device A (root bridge; Port A1, Port A2), Device B (Port B1, Port B2), and Device C (Port C1, Port C2, Port C3). Legend: root port, designated port, alternate port, edge port, normal link, blocked link.]

Root port rapid transition
When a root port is blocked, the bridge will elect the alternate port with the highest priority as the new
root port. If the new root port's peer is in the forwarding state, the new root port immediately transits
to the forwarding state.
As shown in Figure 13, Port C2 on Device C is a root port and Port C1 is an alternate port. When Port
C2 transits to the blocking state, Port C1 is elected as the root port and immediately transits to the
forwarding state.
Figure 13 Root port rapid transition
[Figure: two panels showing Device A (root bridge; Port A1, Port A2), Device B (Port B1, Port B2), and Device C (Port C1, Port C2) before and after the transition. Legend: root port, designated port, alternate port, normal link, blocked link.]

P/A transition
The P/A transition enables a designated port to rapidly transit to the forwarding state after a
handshake with its peer. The P/A transition applies only to point-to-point links.
P/A transition for RSTP and PVST
In RSTP or PVST, the ports on a new link or recovered link are designated ports in blocking state.
When one of the designated ports transits to the discarding or learning state, it sets the proposal flag
in its BPDU. Its peer bridge receives the BPDU and determines whether the receiving port is the root
port. If it is the root port, the bridge blocks the other ports except edge ports. The bridge then replies
with an agreement BPDU to the designated port. The designated port immediately transits to the
forwarding state upon receiving the agreement BPDU. If the designated port does not receive the
agreement BPDU, it waits for twice the forward delay before transiting to the forwarding state.
As shown in Figure 14, the P/A transition operates as follows:
1. Device A sends a proposal BPDU to Device B through Port A1.
2. Device B receives the proposal BPDU on Port B2. Port B2 is elected as the root port.
3. Device B blocks its designated port Port B1 and alternate port Port B3 to eliminate loops.
4. The root port Port B2 transits to the forwarding state and sends an agreement BPDU to Device
A.
5. The designated port Port A1 on Device A immediately transits to the forwarding state after
receiving the agreement BPDU.

Figure 14 P/A transition for RSTP and PVST
[Figure: two panels. Device A (RID=0.MAC A) sends a proposal from Port A1 to Port B2 on Device B (RID=4096.MAC B; Port B1, Port B2, Port B3), and Device B returns an agreement from Port B2 to Port A1. Legend: root port, designated port, alternate port, edge port.]

P/A transition for MSTP


In MSTP, an upstream bridge sets both the proposal and agreement flags in its BPDU. If a
downstream bridge receives the BPDU and its receiving port is elected as the root port, the bridge
blocks all the other ports except edge ports. The downstream bridge then replies with an agreement
BPDU to the upstream bridge. The upstream port immediately transits to the forwarding state upon
receiving the agreement BPDU. If the upstream port does not receive the agreement BPDU, it waits
for twice the forward delay before transiting to the forwarding state.
As shown in Figure 15, the P/A transition operates as follows:
1. Device A sets the proposal and agreement flags in its BPDU and sends it to Device B through
Port A1.
2. Device B receives the BPDU. Port B1 of Device B is elected as the root port.
3. Device B then blocks all its ports except the edge ports.
4. The root port Port B1 of Device B transits to the forwarding state and sends an agreement
BPDU to Device A.
5. Port A1 of Device A immediately transits to the forwarding state upon receiving the agreement
BPDU.
Figure 15 P/A transition for MSTP
[Figure: Device A (RID=0.MAC A) sends a proposal from Port A1 to Port B1 on Device B (RID=4096.MAC B), and Device B returns an agreement.]

Protocols and standards


MSTP is documented in the following protocols and standards:
• IEEE 802.1d, Media Access Control (MAC) Bridges
• IEEE 802.1w, Part 3: Media Access Control (MAC) Bridges—Amendment 2: Rapid
Reconfiguration
• IEEE 802.1s, Virtual Bridged Local Area Networks—Amendment 3: Multiple Spanning Trees
• IEEE 802.1Q-REV/D1.3, Media Access Control (MAC) Bridges and Virtual Bridged Local Area
Networks—Clause 13: Spanning tree Protocols

Configuring spanning tree protocols
Restrictions and guidelines: spanning tree protocol configuration
Restrictions: Compatibility with other features
• When the spanning tree protocol is enabled for a DR system, follow these restrictions and
guidelines:
○ Make sure the DR member devices have the same spanning tree configuration, including:
− Global spanning tree configuration.
− Spanning tree configuration on the IPP.
− Spanning tree configuration on DR interfaces.
Violation of this rule might cause network flapping. IPPs in the DR system do not participate
in spanning tree calculation. To view the spanning tree information of DR interfaces, use
related display commands on the primary DR device.
○ If spanning tree is enabled on a DR system, the DR member devices still use the DR system
MAC address after the DR system splits, which will cause spanning tree calculation issues.
To avoid the issues, enable DRNI standalone mode on the DR member devices before the
DR system splits.
For more information about the DR system, DR interfaces, IPPs, and DRNI standalone mode,
see "Configuring DRNI."
• If both MVRP and a spanning tree protocol are enabled on a device, MVRP packets are
forwarded along MSTIs. To advertise a specific VLAN within the network through MVRP, make
sure this VLAN is mapped to an MSTI when you configure the VLAN-to-instance mapping table.
For more information about MVRP, see "Configuring MVRP."
• The spanning tree configurations are mutually exclusive with any of the following features on a
port: service loopback group, RRPP, Smart Link, and L2PT.
• Spanning tree protocols do not support eliminating loops from a VXLAN or EVPN network.

Restrictions: Interface configuration


• Some spanning tree features are supported in Layer 2 Ethernet interface view and Layer 2
aggregate interface view. Unless otherwise stated, these views are collectively referred to as
interface view in this document. BPDU drop can be configured only in Layer 2 Ethernet
interface view.
• Configurations made in system view take effect globally. Configurations made in Layer 2
Ethernet interface view take effect only on the interface. Configurations made in Layer 2
aggregate interface view take effect only on the aggregate interface. Configurations made on
an aggregation member port can take effect only after the port is removed from the aggregation
group.
• After you enable a spanning tree protocol on a Layer 2 aggregate interface, the system
performs spanning tree calculation on the Layer 2 aggregate interface. It does not perform
spanning tree calculation on the aggregation member ports. The spanning tree protocol enable
state and forwarding state of each selected member port are consistent with those of the
corresponding Layer 2 aggregate interface.

• The member ports of an aggregation group do not participate in spanning tree calculation.
However, the ports still reserve their spanning tree configurations for participating in spanning
tree calculation after leaving the aggregation group.

Spanning tree protocol tasks at a glance


STP tasks at a glance
Configuring the root bridge
To configure the root bridge in STP mode, perform the following tasks:
1. Setting the spanning tree mode
Set the spanning tree mode to STP.
2. (Optional.) Configuring the root bridge or a secondary root bridge
3. (Optional.) Configuring the device priority
4. (Optional.) Configuring parameters that affect STP topology convergence
○ Configuring the network diameter of a switched network
○ Setting spanning tree timers
○ Setting the timeout factor
○ Configuring the BPDU transmission rate
5. (Optional.) Enabling outputting port state transition information
6. Enabling the spanning tree feature
7. (Optional.) Configuring advanced spanning tree features
○ Configuring TC Snooping
○ Configuring protection features
○ Disabling the device from reactivating edge ports shut down by BPDU guard
○ Enabling BPDU transparent transmission on a port
○ Enabling SNMP notifications for new-root election and topology change events
Configuring the leaf nodes
To configure the leaf nodes in STP mode, perform the following tasks:
1. Setting the spanning tree mode
Set the spanning tree mode to STP.
2. (Optional.) Configuring the device priority
3. (Optional.) Configuring parameters that affect STP topology convergence
○ Setting the timeout factor
○ Configuring the BPDU transmission rate
○ Configuring path costs of ports
○ Configuring the port priority
4. (Optional.) Enabling outputting port state transition information
5. Enabling the spanning tree feature
6. (Optional.) Configuring advanced spanning tree features
○ Configuring TC Snooping
○ Configuring protection features
○ Disabling the device from reactivating edge ports shut down by BPDU guard
○ Enabling BPDU transparent transmission on a port
○ Enabling SNMP notifications for new-root election and topology change events

RSTP tasks at a glance


Configuring the root bridge
To configure the root bridge in RSTP mode, perform the following tasks:
1. Setting the spanning tree mode
Set the spanning tree mode to RSTP.
2. (Optional.) Configuring the root bridge or a secondary root bridge
3. (Optional.) Configuring the device priority
4. (Optional.) Configuring parameters that affect RSTP topology convergence
○ Configuring the network diameter of a switched network
○ Setting spanning tree timers
○ Setting the timeout factor
○ Configuring the BPDU transmission rate
○ Configuring edge ports
○ Configuring the port link type
5. (Optional.) Enabling outputting port state transition information
6. Enabling the spanning tree feature
7. (Optional.) Configuring advanced spanning tree features
○ Performing mCheck
○ Configuring TC Snooping
○ Configuring protection features
○ Disabling the device from reactivating edge ports shut down by BPDU guard
○ Enabling BPDU transparent transmission on a port
○ Enabling SNMP notifications for new-root election and topology change events
Configuring the leaf nodes
To configure the leaf nodes in RSTP mode, perform the following tasks:
1. Setting the spanning tree mode
Set the spanning tree mode to RSTP.
2. (Optional.) Configuring the device priority
3. (Optional.) Configuring parameters that affect RSTP topology convergence
○ Setting the timeout factor
○ Configuring the BPDU transmission rate
○ Configuring edge ports
○ Configuring path costs of ports
○ Configuring the port priority
○ Configuring the port link type
4. (Optional.) Enabling outputting port state transition information
5. Enabling the spanning tree feature
6. (Optional.) Configuring advanced spanning tree features
○ Performing mCheck
○ Configuring TC Snooping
○ Configuring protection features
○ Disabling the device from reactivating edge ports shut down by BPDU guard
○ Enabling BPDU transparent transmission on a port
○ Enabling SNMP notifications for new-root election and topology change events

PVST tasks at a glance


Configuring the root bridge
To configure the root bridge in PVST mode, perform the following tasks:
1. Setting the spanning tree mode
Set the spanning tree mode to PVST.
2. (Optional.) Configuring the root bridge or a secondary root bridge
3. (Optional.) Configuring the device priority
4. (Optional.) Configuring parameters that affect PVST topology convergence
○ Configuring the network diameter of a switched network
○ Setting spanning tree timers
○ Setting the timeout factor
○ Configuring the BPDU transmission rate
○ Configuring edge ports
○ Configuring the port link type
5. (Optional.) Enabling outputting port state transition information
6. Enabling the spanning tree feature
7. (Optional.) Configuring advanced spanning tree features
○ Performing mCheck
○ Disabling inconsistent PVID protection
○ Configuring protection features
○ Enabling the device to log events of detecting or receiving TC BPDUs
○ Disabling the device from reactivating edge ports shut down by BPDU guard
○ Enabling BPDU transparent transmission on a port
○ Enabling SNMP notifications for new-root election and topology change events
Configuring the leaf nodes
To configure the leaf nodes in PVST mode, perform the following tasks:
1. Setting the spanning tree mode
Set the spanning tree mode to PVST.
2. (Optional.) Configuring the device priority
3. (Optional.) Configuring parameters that affect PVST topology convergence
○ Setting the timeout factor
○ Configuring the BPDU transmission rate
○ Configuring edge ports
○ Configuring path costs of ports
○ Configuring the port priority
○ Configuring the port link type
4. (Optional.) Enabling outputting port state transition information
5. Enabling the spanning tree feature
6. (Optional.) Configuring advanced spanning tree features
○ Performing mCheck
○ Disabling inconsistent PVID protection
○ Configuring protection features
○ Enabling the device to log events of detecting or receiving TC BPDUs
○ Disabling the device from reactivating edge ports shut down by BPDU guard
○ Enabling BPDU transparent transmission on a port
○ Enabling SNMP notifications for new-root election and topology change events

MSTP tasks at a glance


Configuring the root bridge
To configure the root bridge in MSTP mode, perform the following tasks:
1. Setting the spanning tree mode
Set the spanning tree mode to MSTP.
2. Configuring an MST region
3. (Optional.) Configuring the root bridge or a secondary root bridge
4. (Optional.) Configuring the device priority
5. (Optional.) Configuring parameters that affect MSTP topology convergence
○ Configuring the maximum hops of an MST region
○ Configuring the network diameter of a switched network
○ Setting spanning tree timers
○ Setting the timeout factor
○ Configuring the BPDU transmission rate
○ Configuring edge ports
○ Configuring the port link type
6. (Optional.) Configuring the mode a port uses to recognize and send MSTP frames
7. (Optional.) Enabling outputting port state transition information
8. Enabling the spanning tree feature
9. (Optional.) Configuring advanced spanning tree features
○ Performing mCheck
○ Configuring Digest Snooping
○ Configuring No Agreement Check
○ Configuring TC Snooping
○ Configuring protection features
○ Disabling the device from reactivating edge ports shut down by BPDU guard
○ Enabling BPDU transparent transmission on a port
○ Enabling SNMP notifications for new-root election and topology change events
Configuring the leaf nodes
To configure the leaf nodes in MSTP mode, perform the following tasks:
1. Setting the spanning tree mode
Set the spanning tree mode to MSTP.
2. Configuring an MST region
3. (Optional.) Configuring the device priority
4. (Optional.) Configuring parameters that affect MSTP topology convergence
○ Setting the timeout factor
○ Configuring the BPDU transmission rate
○ Configuring edge ports
○ Configuring path costs of ports
○ Configuring the port priority
○ Configuring the port link type
5. (Optional.) Configuring the mode a port uses to recognize and send MSTP frames
6. (Optional.) Enabling outputting port state transition information
7. Enabling the spanning tree feature
8. (Optional.) Configuring advanced spanning tree features
○ Performing mCheck
○ Configuring Digest Snooping
○ Configuring No Agreement Check
○ Configuring TC Snooping
○ Configuring protection features
○ Disabling the device from reactivating edge ports shut down by BPDU guard
○ Enabling BPDU transparent transmission on a port
○ Enabling SNMP notifications for new-root election and topology change events

Setting the spanning tree mode


About this task
The spanning tree modes include:
• STP mode—All ports of the device send STP BPDUs. Select this mode when the peer device
of a port supports only STP.
• RSTP mode—All ports of the device send RSTP BPDUs. A port in this mode automatically
transits to the STP mode when it receives STP BPDUs from the peer device. A port in this mode
does not transit to the MSTP mode when it receives MSTP BPDUs from the peer device.
• PVST mode—All ports of the device send PVST BPDUs. Each VLAN maintains a spanning
tree. In a network, the number of spanning trees maintained by all devices equals the number of
PVST-enabled VLANs multiplied by the number of PVST-enabled ports. If the number of
spanning trees exceeds the capacity of the network, device CPUs will be overloaded. Packet
forwarding is interrupted, and the network becomes unstable. The device can maintain
spanning trees for 500 VLANs.
• MSTP mode—All ports of the device send MSTP BPDUs. A port in this mode automatically
transits to the STP mode when receiving STP BPDUs from the peer device. A port in this mode
does not transit to the RSTP mode when receiving RSTP BPDUs from the peer device.
Restrictions and guidelines
The MSTP mode is compatible with the RSTP mode, and the RSTP mode is compatible with the STP
mode.
Compatibility of the PVST mode depends on the link type of a port.
• On an access port, the PVST mode is compatible with other spanning tree modes in all VLANs.
• On a trunk port or hybrid port, the PVST mode is compatible with other spanning tree modes
only in the default VLAN.
Procedure
1. Enter system view.
system-view
2. Set the spanning tree mode.
stp mode { mstp | pvst | rstp | stp }
The default setting is the MSTP mode.

Configuring an MST region


About this task
Spanning tree devices belong to the same MST region if they are connected through a physical
link and have the same settings for the following:
• Format selector (0 by default, not configurable).
• MST region name.
• MST region revision level.
• VLAN-to-instance mapping entries in the MST region.
The configuration of MST region-related parameters (especially the VLAN-to-instance mapping table)
might cause MSTP to begin a new spanning tree calculation. To reduce the possibility of topology
instability, the MST region configuration takes effect only after you activate it by doing one of the
following:
• Use the active region-configuration command.
• Enable a spanning tree protocol by using the stp global enable command if the spanning
tree protocol is disabled.
Restrictions and guidelines
In STP, RSTP, or PVST mode, MST region configurations do not take effect.
Procedure
1. Enter system view.
system-view
2. Enter MST region view.
stp region-configuration
3. Configure the MST region name.
region-name name
The default setting is the MAC address.
4. Configure the VLAN-to-instance mapping table. Choose one option as needed:
◦ Map a list of VLANs to an MSTI.
instance instance-id vlan vlan-id-list
◦ Quickly create a VLAN-to-instance mapping table.
vlan-mapping modulo modulo
By default, all VLANs in an MST region are mapped to the CIST (or MSTI 0).
5. Configure the MSTP revision level of the MST region.
revision-level level
The default setting is 0.
6. (Optional.) Display the MST region configurations that are not activated yet.
check region-configuration
7. Manually activate MST region configuration.
active region-configuration

Configuring the root bridge or a secondary root bridge
Restrictions and guidelines
You can have the spanning tree protocol determine the root bridge of a spanning tree through
calculation. You can also specify a device as the root bridge or as a secondary root bridge.
When you specify a device as the root bridge or as a secondary root bridge, follow these restrictions
and guidelines:
• A device has independent roles in different spanning trees. It can act as the root bridge in one
spanning tree and as a secondary root bridge in another. However, one device cannot be the
root bridge and a secondary root bridge in the same spanning tree.
• If you specify the root bridge for a spanning tree, no new root bridge is elected according to the
device priority settings. Once you specify a device as the root bridge or a secondary root bridge,
you cannot change the priority of the device.
• You can configure a device as the root bridge by setting the device priority to 0. For the device
priority configuration, see "Configuring the device priority."

Configuring the device as the root bridge of a spanning tree


1. Enter system view.
system-view
2. Configure the device as the root bridge.
◦ In STP/RSTP mode:
stp root primary
◦ In PVST mode:
stp vlan vlan-id-list root primary
◦ In MSTP mode:
stp [ instance instance-list ] root primary
By default, the device is not a root bridge.

Configuring the device as a secondary root bridge of a spanning tree
1. Enter system view.
system-view
2. Configure the device as a secondary root bridge.
◦ In STP/RSTP mode:
stp root secondary
◦ In PVST mode:
stp vlan vlan-id-list root secondary
◦ In MSTP mode:
stp [ instance instance-list ] root secondary
By default, the device is not a secondary root bridge.

Configuring the device priority
About this task
Device priority is a factor in calculating the spanning tree. The priority of a device determines
whether the device can be elected as the root bridge of a spanning tree. A lower value indicates a
higher priority. You can set the priority of a device to a low value to specify the device as the root
bridge of the spanning tree. A spanning tree device can have different priorities in different spanning
trees.
During root bridge selection, if all devices in a spanning tree have the same priority, the one with the
lowest MAC address is selected. You cannot change the priority of a device after it is configured as
the root bridge or as a secondary root bridge.
Procedure
1. Enter system view.
system-view
2. Configure the priority of the device.
◦ In STP/RSTP mode:
stp priority priority
◦ In PVST mode:
stp vlan vlan-id-list priority priority
◦ In MSTP mode:
stp [ instance instance-list ] priority priority
The default setting is 32768.

Configuring the maximum hops of an MST region


About this task
Restrict the region size by setting the maximum hops of an MST region. The hop limit configured on
the regional root bridge is used as the hop limit for the MST region.
Configuration BPDUs sent by the regional root bridge always have a hop count set to the maximum
value. When a device receives this configuration BPDU, it decrements the hop count by one, and
uses the new hop count in the BPDUs that it propagates. When the hop count of a BPDU reaches
zero, it is discarded by the device that received it. Devices beyond the reach of the maximum hops
can no longer participate in spanning tree calculations, so the size of the MST region is limited.
Restrictions and guidelines
Make this configuration only on the root bridge. All other devices in the MST region use the maximum
hop value set for the root bridge.
You can configure the maximum hops of an MST region based on the STP network size. As a best
practice, set the maximum hops to a value that is greater than the maximum hops of each edge
device to the root bridge.
Procedure
1. Enter system view.
system-view
2. Configure the maximum hops of the MST region.
stp max-hops hops
The default setting is 20.

Configuring the network diameter of a switched network
About this task
Any two terminal devices in a switched network can reach each other through a specific path, and
there are a series of devices on the path. The switched network diameter is the maximum number of
devices on the path for an edge device to reach another one in the switched network through the root
bridge. The network diameter indicates the network size. The bigger the diameter, the larger the
network size.
Based on the network diameter you configured, the system automatically sets an optimal hello time,
forward delay, and max age for the device.
In STP, RSTP, or MSTP mode, each MST region is considered a device. The configured network
diameter takes effect only on the CIST (or the common root bridge) but not on other MSTIs.
In PVST mode, the configured network diameter takes effect only on the root bridges of the specified
VLANs.
Procedure
1. Enter system view.
system-view
2. Configure the network diameter of the switched network.
◦ In STP/RSTP/MSTP mode:
stp bridge-diameter diameter
◦ In PVST mode:
stp vlan vlan-id-list bridge-diameter diameter
The default setting is 7.

Setting spanning tree timers


About this task
The following timers are used for spanning tree calculation:
• Forward delay—Delay time for port state transition. To prevent temporary loops on a network,
the spanning tree feature sets an intermediate port state (the learning state) before it transits
from the discarding state to the forwarding state. The feature also requires that the port transit
its state after a forward delay timer. This ensures that the state transition of the local port stays
synchronized with the peer.
• Hello time—Interval at which the device sends configuration BPDUs to detect link failures. If
the device does not receive configuration BPDUs within the timeout period, it recalculates the
spanning tree. The formula for calculating the timeout period is timeout period = timeout factor ×
3 × hello time.
• Max age—In the CIST of an MSTP network, the device uses the max age timer to determine
whether a configuration BPDU received by a port has expired. If it is expired, a new spanning
tree calculation process starts. The max age timer does not take effect on MSTIs.
To ensure a fast topology convergence, make sure the timer settings meet the following formulas:
• 2 × (forward delay – 1 second) ≥ max age
• Max age ≥ 2 × (hello time + 1 second)

As a best practice, specify the network diameter and let the spanning tree protocols automatically
calculate the timers based on the network diameter instead of manually setting the spanning tree
timers. If the network diameter uses the default value, the timers also use their default values.
Set the timers only on the root bridge. The timer settings on the root bridge apply to all devices on the
entire switched network.
Restrictions and guidelines
• The length of the forward delay is related to the network diameter of the switched network. The
larger the network diameter is, the longer the forward delay time should be. As a best practice,
use the automatically calculated value because inappropriate forward delay setting might cause
temporary redundant paths or increase the network convergence time.
• An appropriate hello time setting enables the device to promptly detect link failures on the
network without using excessive network resources. If the hello time is too long, the device
mistakes packet loss for a link failure and triggers a new spanning tree calculation process. If
the hello time is too short, the device frequently sends the same configuration BPDUs, which
wastes device and network resources. As a best practice, use the automatically calculated
value.
• If the max age timer is too short, the device frequently begins spanning tree calculations and
might mistake network congestion as a link failure. If the max age timer is too long, the device
might fail to promptly detect link failures and quickly launch spanning tree calculations, reducing
the auto-sensing capability of the network. As a best practice, use the automatically calculated
value.
Procedure
1. Enter system view.
system-view
2. Set the forward delay timer.
◦ In STP/RSTP/MSTP mode:
stp timer forward-delay time
◦ In PVST mode:
stp vlan vlan-id-list timer forward-delay time
The default setting is 15 seconds.
3. Set the hello timer.
◦ In STP/RSTP/MSTP mode:
stp timer hello time
◦ In PVST mode:
stp vlan vlan-id-list timer hello time
The default setting is 2 seconds.
4. Set the max age timer.
◦ In STP/RSTP/MSTP mode:
stp timer max-age time
◦ In PVST mode:
stp vlan vlan-id-list timer max-age time
The default setting is 20 seconds.

Setting the timeout factor
About this task
The timeout factor is a parameter used to decide the timeout period. The formula for calculating the
timeout period is: timeout period = timeout factor × 3 × hello time.
In a stable network, each non-root-bridge device forwards configuration BPDUs to the downstream
devices at the hello time interval to detect link failures. If a device does not receive a BPDU from the
upstream device within nine times the hello time, it assumes that the upstream device has failed.
Then, it starts a new spanning tree calculation process.
Restrictions and guidelines
As a best practice, set the timeout factor to 5, 6, or 7 in the following situations:
• To prevent undesired spanning tree calculations. An upstream device might be too busy to
forward configuration BPDUs in time, for example, many Layer 2 interfaces are configured on
the upstream device. In this case, the downstream device fails to receive a BPDU within the
timeout period and then starts an undesired spanning tree calculation.
• To save network resources on a stable network.
Procedure
1. Enter system view.
system-view
2. Set the timeout factor of the device.
stp timer-factor factor
The default setting is 3.

Configuring the BPDU transmission rate


About this task
The maximum number of BPDUs a port can send within each hello time equals the BPDU
transmission rate plus the hello timer value.
The higher the BPDU transmission rate, the more BPDUs are sent within each hello time, and the
more system resources are used. By setting an appropriate BPDU transmission rate, you can limit
the rate at which the port sends BPDUs. Setting an appropriate rate also prevents spanning tree
protocols from using excessive network resources when the network topology changes.
Restrictions and guidelines
The BPDU transmission rate depends on the physical status of the port and the network structure.
As a best practice, use the default setting.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the BPDU transmission rate of the ports.
stp transmit-limit limit
The default setting is 10.

Configuring edge ports
About this task
If a port directly connects to a user terminal rather than another device or a shared LAN segment,
this port is regarded as an edge port. When a network topology change occurs, an edge port does not
cause a temporary loop. Because a device does not determine whether a port is directly connected
to a terminal, you must manually configure the port as an edge port. After that, the port can rapidly
transit from the blocking state to the forwarding state.
Restrictions and guidelines
• If BPDU guard is disabled on a port configured as an edge port, the port becomes a non-edge
port again if it receives a BPDU from another port. To restore the edge port, re-enable it.
• If a port directly connects to a user terminal, configure it as an edge port and enable BPDU
guard for it. This enables the port to quickly transit to the forwarding state while ensuring
network security.
• On a port, the loop guard feature and the edge port setting are mutually exclusive.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the port as an edge port.
stp edged-port
By default, all ports are non-edge ports.

Configuring path costs of ports


About path cost
Path cost is a parameter related to the link speed of a port. On a spanning tree device, a port can
have different path costs in different MSTIs. Setting appropriate path costs allows VLAN traffic flows
to be forwarded along different physical links, achieving VLAN-based load balancing.
You can have the device automatically calculate the default path cost, or you can configure the path
cost for ports.

Specifying a standard for the default path cost calculation


About this task
You can specify a standard for the device to use in automatic calculation for the default path cost.
The device supports the following standards:
• dot1d-1998—The device calculates the default path cost for ports based on IEEE 802.1d-1998.
• dot1t—The device calculates the default path cost for ports based on IEEE 802.1t.
• legacy—The device calculates the default path cost for ports based on a private standard.

Table 7 Mappings between the link speed (100M and below) and the path cost

| Link speed | Port type | Path cost (IEEE 802.1d-1998) | Path cost (IEEE 802.1t) | Path cost (private standard) |
|---|---|---|---|---|
| 0 | N/A | 65535 | 200000000 | 200000 |
| 10 Mbps | Single port | 100 | 2000000 | 2000 |
| 10 Mbps | Aggregate interface containing two Selected ports | 100 | 1000000 | 1800 |
| 10 Mbps | Aggregate interface containing three Selected ports | 100 | 666666 | 1600 |
| 10 Mbps | Aggregate interface containing four Selected ports | 100 | 500000 | 1400 |
| 100 Mbps | Single port | 19 | 200000 | 200 |
| 100 Mbps | Aggregate interface containing two Selected ports | 19 | 100000 | 180 |
| 100 Mbps | Aggregate interface containing three Selected ports | 19 | 66666 | 160 |
| 100 Mbps | Aggregate interface containing four Selected ports | 19 | 50000 | 140 |

Table 8 Mappings between the link speed (1000M) and the path cost

| Link speed | Port type | Path cost (IEEE 802.1d-1998) | Path cost (IEEE 802.1t) | Path cost (private standard) |
|---|---|---|---|---|
| 1000 Mbps | Single port | 4 | 20000 | 20 |
| 1000 Mbps | Aggregate interface containing two Selected ports | 4 | 10000 | 18 |
| 1000 Mbps | Aggregate interface containing three Selected ports | 4 | 6666 | 16 |
| 1000 Mbps | Aggregate interface containing four Selected ports | 4 | 5000 | 14 |

Table 9 Mappings between the link speed (10G) and the path cost

| Link speed | Port type | Path cost (IEEE 802.1d-1998) | Path cost (IEEE 802.1t) | Path cost (private standard) |
|---|---|---|---|---|
| 10 Gbps | Single port | 2 | 2000 | 2 |
| 10 Gbps | Aggregate interface containing two Selected ports | 2 | 1000 | 1 |
| 10 Gbps | Aggregate interface containing three Selected ports | 2 | 666 | 1 |
| 10 Gbps | Aggregate interface containing four Selected ports | 2 | 500 | 1 |

Table 10 Mappings between the link speed (25G) and the path cost

| Link speed | Port type | Path cost (IEEE 802.1d-1998) | Path cost (IEEE 802.1t) | Path cost (private standard) |
|---|---|---|---|---|
| 25 Gbps | Single port | 1 | 800 | 1 |
| 25 Gbps | Aggregate interface containing two Selected ports | 1 | 400 | 1 |
| 25 Gbps | Aggregate interface containing three Selected ports | 1 | 266 | 1 |
| 25 Gbps | Aggregate interface containing four Selected ports | 1 | 200 | 1 |

Table 11 Mappings between the link speed (40G) and the path cost

| Link speed | Port type | Path cost (IEEE 802.1d-1998) | Path cost (IEEE 802.1t) | Path cost (private standard) |
|---|---|---|---|---|
| 40 Gbps | Single port | 1 | 500 | 1 |
| 40 Gbps | Aggregate interface containing two Selected ports | 1 | 250 | 1 |
| 40 Gbps | Aggregate interface containing three Selected ports | 1 | 166 | 1 |
| 40 Gbps | Aggregate interface containing four Selected ports | 1 | 125 | 1 |

Table 12 Mappings between the link speed (100G) and the path cost

| Link speed | Port type | Path cost (IEEE 802.1d-1998) | Path cost (IEEE 802.1t) | Path cost (private standard) |
|---|---|---|---|---|
| 100 Gbps | Single port | 1 | 200 | 1 |
| 100 Gbps | Aggregate interface containing two Selected ports | 1 | 100 | 1 |
| 100 Gbps | Aggregate interface containing three Selected ports | 1 | 66 | 1 |
| 100 Gbps | Aggregate interface containing four Selected ports | 1 | 50 | 1 |

Restrictions and guidelines


If you change the standard for the default path cost calculation, you restore the path costs to the
default.
When the device calculates the path cost for an aggregate interface, IEEE 802.1t takes into account
the number of Selected ports in its aggregation group. However, IEEE 802.1d-1998 does not take
into account the number of Selected ports. The calculation formula of IEEE 802.1t is: Path cost =
200,000,000/link speed (in 100 kbps). The link speed is the sum of the link speed values of the
Selected ports in the aggregation group.
IEEE 802.1d-1998 or the private standard always assigns the smallest possible value to a single port
or aggregate interface with a speed exceeding 10 Gbps. The forwarding path selected based on this
criterion might not be the best one. To solve this problem, perform one of the following tasks:
• Use dot1t as the standard for default path cost calculation.
• Manually set the path cost for the port (see "Configuring path costs of ports").
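The following Python sketch is an added example, not part of the H3C guide. It applies the IEEE 802.1t formula and the IEEE 802.1d-1998 values from Tables 7 through 12 to show which links the older standard can no longer tell apart. The function names and the sample link list are constructed for illustration.

```python
"""Default spanning tree path costs, computed from the formula and tables above."""

# IEEE 802.1d-1998 default cost per member-port speed in Mbps, copied from
# Tables 7 through 12. The number of Selected ports does not change the value.
DOT1D_1998 = {0: 65535, 10: 100, 100: 19, 1_000: 4,
              10_000: 2, 25_000: 1, 40_000: 1, 100_000: 1}


def dot1t_cost(speed_mbps, selected_ports=1):
    """IEEE 802.1t: 200,000,000 / link speed, with the speed in units of 100 kbps.

    For an aggregate interface the link speed is the sum of the speeds of
    its Selected ports. The result is truncated, which matches the tables
    (for example, 666666 for three 10 Mbps ports).
    """
    total_100kbps = speed_mbps * selected_ports * 10  # 1 Mbps = 10 x 100 kbps
    if total_100kbps == 0:
        return 200_000_000  # link speed 0 row of Table 7
    return 200_000_000 // total_100kbps


def dot1d_1998_cost(speed_mbps, selected_ports=1):
    """IEEE 802.1d-1998: the cost depends only on the member-port speed."""
    return DOT1D_1998[speed_mbps]


# Constructed sample links: (label, member-port speed in Mbps, Selected ports).
LINKS = [
    ("10G single port", 10_000, 1),
    ("25G single port", 25_000, 1),
    ("40G two-port aggregate", 40_000, 2),
    ("100G single port", 100_000, 1),
]


def indistinguishable(cost_fn, links):
    """Return pairs of links with different bandwidth but the same path cost."""
    pairs = []
    for i, (name_a, speed_a, ports_a) in enumerate(links):
        for name_b, speed_b, ports_b in links[i + 1:]:
            different_bw = speed_a * ports_a != speed_b * ports_b
            same_cost = cost_fn(speed_a, ports_a) == cost_fn(speed_b, ports_b)
            if different_bw and same_cost:
                pairs.append((name_a, name_b))
    return pairs


if __name__ == "__main__":
    for name, speed, ports in LINKS:
        print(f"{name:24} dot1d-1998={dot1d_1998_cost(speed, ports):<4} "
              f"dot1t={dot1t_cost(speed, ports)}")
    print("Ties under dot1d-1998:", indistinguishable(dot1d_1998_cost, LINKS))
    print("Ties under dot1t:", indistinguishable(dot1t_cost, LINKS))
```

Under dot1d-1998 the 25G, 40G aggregate, and 100G links all tie, so the spanning tree cannot prefer the faster path; under dot1t every link in the sample gets a distinct cost.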
Procedure
1. Enter system view.
system-view
2. Specify a standard for the default path cost calculation.
stp pathcost-standard { dot1d-1998 | dot1t | legacy }
By default, the device uses legacy to calculate the default path costs of its ports.

Configuring path costs of ports


Restrictions and guidelines
When the path cost of a port changes, the system recalculates the port role and initiates a state
transition.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the path cost of the ports.
◦ In STP/RSTP mode:
stp cost cost-value
◦ In PVST mode:
stp vlan vlan-id-list cost cost-value
◦ In MSTP mode:
stp [ instance instance-list ] cost cost-value
By default, the system automatically calculates the path cost of each port.

Configuring the port priority


About this task
The priority of a port is a factor that determines whether the port can be elected as the root port of a
device. If all other conditions are the same, the port with the highest priority is elected as the root
port.
On a spanning tree device, a port can have different priorities and play different roles in different
spanning trees. As a result, data of different VLANs can be propagated along different physical paths,
implementing per-VLAN load balancing. You can set port priority values based on the actual
networking requirements.
Restrictions and guidelines
When the priority of a port changes, the system recalculates the port role and initiates a state
transition. Prepare for the network topology change before configuring the port priority.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the port priority.
◦ In STP/RSTP mode:
stp port priority priority
◦ In PVST mode:
stp vlan vlan-id-list port priority priority
◦ In MSTP mode:
stp [ instance instance-list ] port priority priority
The default setting is 128 for all ports.

Configuring the port link type


About this task
A point-to-point link directly connects two devices. If two root ports or designated ports are connected
over a point-to-point link, they can rapidly transit to the forwarding state after a proposal-agreement
handshake process.
Restrictions and guidelines
• You can configure the link type as point-to-point for a Layer 2 aggregate interface or a port that
operates in full duplex mode. As a best practice, use the default setting and let the device
automatically detect the port link type.

• In PVST or MSTP mode, the stp point-to-point force-false or stp
point-to-point force-true command configured on a port takes effect on all VLANs or
all MSTIs.
• Before you set the link type of a port to point-to-point, make sure the port is connected to a
point-to-point link. Otherwise, a temporary loop might occur.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the port link type.
stp point-to-point { auto | force-false | force-true }
By default, the link type is auto where the port automatically detects the link type.

Configuring the mode a port uses to recognize and send MSTP frames
About this task
A port can receive and send MSTP frames in the following formats:
• dot1s—802.1s-compliant standard format
• legacy—Compatible format
By default, the frame format recognition mode of a port is auto. The port automatically distinguishes
the two MSTP frame formats, and determines the format of frames that it will send based on the
recognized format.
You can configure the MSTP frame format on a port. Then, the port sends only MSTP frames of the
configured format to communicate with devices that send frames of the same format.
By default, a port in auto mode sends 802.1s MSTP frames. When the port receives an MSTP frame
of a legacy format, the port starts to send frames only of the legacy format. This prevents the port
from frequently changing the format of sent frames. To configure the port to send 802.1s MSTP
frames, shut down and then bring up the port.
Restrictions and guidelines
When the number of existing MSTIs exceeds 48, the port can send only 802.1s MSTP frames.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the mode that the port uses to recognize/send MSTP frames.
stp compliance { auto | dot1s | legacy }
The default setting is auto.

Enabling outputting port state transition information
About this task
In a large-scale spanning tree network, you can enable devices to output the port state transition
information. Then, you can monitor the port states in real time.
Procedure
1. Enter system view.
system-view
2. Enable outputting port state transition information.
◦ In STP/RSTP mode:
stp port-log instance 0
◦ In PVST mode:
stp port-log vlan vlan-id-list
◦ In MSTP mode:
stp port-log { all | instance instance-list }
By default, outputting port state transition information is disabled.

Enabling the spanning tree feature


Restrictions and guidelines
You must enable the spanning tree feature for the device before any other spanning tree related
configurations can take effect. In STP, RSTP, or MSTP mode, make sure the spanning tree feature is
enabled globally and on the desired ports. In PVST mode, make sure the spanning tree feature is
enabled globally, in the desired VLANs, and on the desired ports.
To exclude specific ports from spanning tree calculation and save CPU resources, disable the
spanning tree feature for these ports with the undo stp enable command. Make sure no loops
occur in the network after you disable the spanning tree feature on these ports.

Enabling the spanning tree feature in STP/RSTP/MSTP mode
1. Enter system view.
system-view
2. Enable the spanning tree feature.
stp global enable
When the device starts up with initial settings, the spanning tree feature is globally disabled by
default.
When the device starts up with factory defaults, the spanning tree feature is globally enabled by
default.
For more information about the initial settings and factory defaults, see Fundamentals
Configuration Guide.
3. Enter interface view.
interface interface-type interface-number
4. Enable the spanning tree feature for the port.
stp enable
By default, the spanning tree feature is enabled on all ports.

Enabling the spanning tree feature in PVST mode


1. Enter system view.
system-view
2. Enable the spanning tree feature.
stp global enable
When the device starts up with initial settings, the spanning tree feature is globally disabled by
default.
When the device starts up with factory defaults, the spanning tree feature is globally enabled by
default.
For more information about the initial settings and factory defaults, see Fundamentals
Configuration Guide.
3. Enable the spanning tree feature in VLANs.
stp vlan vlan-id-list enable
By default, the spanning tree feature is enabled in VLANs.
4. Enter interface view.
interface interface-type interface-number
5. Enable the spanning tree feature on the port.
stp enable
By default, the spanning tree feature is enabled on all ports.

Performing mCheck
About mCheck
The mCheck feature enables user intervention in the port state transition process.
When a port on an MSTP, RSTP, or PVST device connects to an STP device and receives STP
BPDUs, the port automatically transits to the STP mode. However, the port cannot automatically
transit back to the original mode when the following conditions exist:
• The peer STP device is shut down or removed.
• The port cannot detect the change.
To forcibly transit the port to operate in the original mode, you can perform an mCheck operation.
For example, Device A, Device B, and Device C are connected in sequence. Device A runs STP,
Device B does not run any spanning tree protocol, and Device C runs RSTP, PVST, or MSTP. In this
case, when Device C receives an STP BPDU transparently transmitted by Device B, the receiving
port transits to the STP mode. If you configure Device B to run RSTP, PVST, or MSTP with Device C,
you must perform mCheck operations on the ports interconnecting Device B and Device C.

Restrictions and guidelines


The mCheck operation takes effect on devices operating in MSTP, PVST, or RSTP mode.

Performing mCheck globally
1. Enter system view.
system-view
2. Perform mCheck.
stp global mcheck

Performing mCheck in interface view


1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Perform mCheck.
stp mcheck

Disabling inconsistent PVID protection


About this task
In PVST, if two connected ports use different PVIDs, PVST calculation errors might occur. By default,
inconsistent PVID protection is enabled to avoid PVST calculation errors. If PVID inconsistency is
detected on a port, the system blocks the port.
Restrictions and guidelines
If different PVIDs are required on two connected ports, disable inconsistent PVID protection on the
devices that host the ports. To avoid PVST calculation errors, make sure the following requirements
are met:
• Make sure the VLANs on one device do not use the same ID as the PVID of its peer port (except
the default VLAN) on another device.
• If the local port or its peer is a hybrid port, do not configure the local and peer ports as untagged
members of the same VLAN.
• Disable inconsistent PVID protection on both the local device and the peer device.
This feature takes effect only when the device is operating in PVST mode.
Procedure
1. Enter system view.
system-view
2. Disable the inconsistent PVID protection feature.
stp ignore-pvid-inconsistency
By default, the inconsistent PVID protection feature is enabled.

Configuring Digest Snooping


About this task
As defined in IEEE 802.1s, connected devices are in the same region only when they have the same
MST region-related configurations, including:
• Region name.

• Revision level.
• VLAN-to-instance mappings.
A spanning tree device identifies devices in the same MST region by checking the configuration
ID in BPDUs. The configuration ID includes the region name, revision level, and configuration digest.
The configuration digest is 16 bytes long and is the result calculated through the HMAC-MD5
algorithm based on VLAN-to-instance mappings.
Because spanning tree implementations vary by vendor, the configuration digests calculated through
private keys are different. The devices of different vendors in the same MST region cannot
communicate with each other.
To enable communication between an H3C device and a third-party device in the same MST region,
enable Digest Snooping on the H3C device port connecting them.
Restrictions and guidelines

CAUTION:
Use caution with global Digest Snooping in the following situations:
• When you modify the VLAN-to-instance mappings.
• When you restore the default MST region configuration.
If the local device has different VLAN-to-instance mappings than its neighboring devices, loops or
traffic interruption will occur.

• Before you enable Digest Snooping, make sure associated devices of different vendors are
connected and run spanning tree protocols.
• With Digest Snooping enabled, in-the-same-region verification does not require comparison of
configuration digest. The VLAN-to-instance mappings must be the same on associated ports.
• To make Digest Snooping take effect, you must enable Digest Snooping both globally and on
associated ports. As a best practice, enable Digest Snooping on all associated ports first and
then enable it globally. This will make the configuration take effect on all configured ports and
reduce impact on the network.
• To prevent loops, do not enable Digest Snooping on MST region edge ports.
• As a best practice, enable Digest Snooping first and then enable the spanning tree feature. To
avoid traffic interruption, do not configure Digest Snooping when the network is already working
well.
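The following Python sketch is an added example, not H3C code. It illustrates the region check described in "Configuring an MST region" and in this section: the HMAC-MD5 digest over the VLAN-to-instance table, a vendor whose digest differs, and the mapping drift that goes unnoticed once the digest comparison is skipped. The signature key and the 4096-entry table layout are taken from IEEE 802.1Q rather than from this guide; `PRIVATE_KEY`, `RegionConfig`, `audit`, and the sample regions are constructed for illustration.

```python
"""Offline audit of MST region settings between a local device and its peer."""
import hashlib
import hmac
import struct
from dataclasses import dataclass, field

# Configuration digest signature key published in IEEE 802.1Q (not in this guide).
STANDARD_KEY = bytes.fromhex("13AC06A62E47FD51F95D2BA243CD0346")
# Constructed stand-in for a vendor that computes the digest with a private key.
PRIVATE_KEY = bytes.fromhex("00112233445566778899AABBCCDDEEFF")


@dataclass
class RegionConfig:
    name: str
    revision: int = 0
    vlan_to_msti: dict = field(default_factory=dict)  # unmapped VLANs stay in MSTI 0
    digest_key: bytes = STANDARD_KEY


def mapping_table(vlan_to_msti):
    """4096 two-byte big-endian MSTI IDs indexed by VLAN ID (entries 0 and 4095 are 0)."""
    table = bytearray(4096 * 2)
    for vlan, msti in vlan_to_msti.items():
        if not 1 <= vlan <= 4094:
            raise ValueError(f"invalid VLAN ID {vlan}")
        struct.pack_into(">H", table, vlan * 2, msti)
    return bytes(table)


def config_digest(cfg):
    """16-byte HMAC-MD5 digest over the VLAN-to-instance mapping table."""
    return hmac.new(cfg.digest_key, mapping_table(cfg.vlan_to_msti), hashlib.md5).digest()


def audit(local, peer, digest_snooping=False):
    """Return (same_region, findings) as the local device would decide it.

    With Digest Snooping the digest comparison is skipped, so the audit
    compares the mappings directly to catch drift that the protocol no
    longer detects.
    """
    findings = []
    if local.name != peer.name:
        findings.append("region name differs")
    if local.revision != peer.revision:
        findings.append("revision level differs")
    mappings_equal = mapping_table(local.vlan_to_msti) == mapping_table(peer.vlan_to_msti)
    digests_equal = config_digest(local) == config_digest(peer)
    if not mappings_equal:
        findings.append("VLAN-to-instance mappings differ")
    elif not digests_equal and not digest_snooping:
        findings.append("configuration digest differs although mappings match")
    ids_match = local.name == peer.name and local.revision == peer.revision
    same_region = ids_match and (digests_equal or digest_snooping)
    if same_region and not mappings_equal:
        findings.append("digest check bypassed with different mappings: "
                        "loop or traffic interruption risk")
    return same_region, findings


# Constructed sample configurations.
LOCAL = RegionConfig("example", 1, {10: 1, 20: 1, 30: 2})
SAME_VENDOR = RegionConfig("example", 1, {30: 2, 20: 1, 10: 1})
THIRD_PARTY = RegionConfig("example", 1, {10: 1, 20: 1, 30: 2}, PRIVATE_KEY)
DRIFTED = RegionConfig("example", 1, {10: 1, 20: 2, 30: 2}, PRIVATE_KEY)

if __name__ == "__main__":
    for label, peer, snoop in [("same vendor", SAME_VENDOR, False),
                               ("third party", THIRD_PARTY, False),
                               ("third party + snooping", THIRD_PARTY, True),
                               ("drifted + snooping", DRIFTED, True)]:
        print(label, audit(LOCAL, peer, snoop))
```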
Prerequisites
Before configuring Digest Snooping, you need to make sure your H3C device and the third-party
device both run spanning tree protocols properly.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable Digest Snooping on the interface.
stp config-digest-snooping
By default, Digest Snooping is disabled on ports.
4. Return to system view.
quit
5. Enable Digest Snooping globally.
stp global config-digest-snooping
By default, Digest Snooping is disabled globally.

Configuring No Agreement Check


About this task
In RSTP and MSTP, the following types of messages are used for rapid state transition on
designated ports:
• Proposal—Sent by designated ports to request rapid transition
• Agreement—Used to acknowledge rapid transition requests
Both RSTP and MSTP devices can perform rapid transition on a designated port only when the port
receives an agreement packet from the downstream device. RSTP and MSTP devices have the
following differences:
• For MSTP, the root port of the downstream device sends an agreement packet only after it
receives an agreement packet from the upstream device.
• For RSTP, the downstream device sends an agreement packet whether or not an agreement
packet from the upstream device is received.
Figure 16 Rapid state transition of an MSTP designated port
[Figure: exchange between the designated port of the upstream device and the root port of the downstream device.
(1) The upstream device sends a proposal for rapid transition. The root port blocks non-edge ports.
(2) The upstream device sends an agreement. The root port changes to the forwarding state and sends an agreement to the upstream device.
(3) The agreement from the downstream device arrives. The designated port changes to the forwarding state.]

Figure 17 Rapid state transition of an RSTP designated port
[Figure: exchange between the designated port of the upstream device and the root port of the downstream device.
(1) The upstream device sends a proposal for rapid transition. The root port blocks non-edge ports, changes to the forwarding state, and sends an agreement to the upstream device.
(2) The agreement from the downstream device arrives. The designated port changes to the forwarding state.]

If the upstream device is a third-party device, the rapid state transition implementation might be
limited as follows:
• The upstream device uses a rapid transition mechanism similar to that of RSTP.
• The downstream device runs MSTP and does not operate in RSTP mode.

In this case, the following occurs:
1. The root port on the downstream device receives no agreement from the upstream device.
2. It sends no agreement to the upstream device.
As a result, the designated port of the upstream device can transit to the forwarding state only after a
period twice the forward delay.
To enable the designated port of the upstream device to transit its state rapidly, enable No
Agreement Check on the downstream device's port.
Restrictions and guidelines
Configure No Agreement Check on the root port of your device, because this feature takes effect
only if it's configured on root ports.
Prerequisites
Before you configure the No Agreement Check feature, complete the following tasks:
• Connect a device to a third-party upstream device that supports spanning tree protocols
through a point-to-point link.
• Configure the same region name, revision level, and VLAN-to-instance mappings on the two
devices.
Procedure
Enable the No Agreement Check feature on the root port.
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable No Agreement Check.
stp no-agreement-check
By default, No Agreement Check is disabled.

Configuring TC Snooping
About this task
As shown in Figure 18, an IRF fabric connects to two user networks through double links.
• Device A and Device B form the IRF fabric.
• The spanning tree feature is disabled on Device A and Device B and enabled on all devices in
user network 1 and user network 2.
• The IRF fabric transparently transmits BPDUs for both user networks and is not involved in the
calculation of spanning trees.
When the network topology changes, it takes time for the IRF fabric to update its MAC address table
and ARP table. During this period, traffic in the network might be interrupted.

Figure 18 TC Snooping application scenario
[Figure: Device A and Device B, connected by an IRF link, form the IRF fabric, which connects to
user network 1 and user network 2.]

To avoid traffic interruption, you can enable TC Snooping on the IRF fabric. After receiving a
TC-BPDU through a port, the IRF fabric updates MAC address table and ARP table entries
associated with the port's VLAN. In this way, TC Snooping prevents topology change from
interrupting traffic forwarding in the network. For more information about the MAC address table and
the ARP table, see "Configuring the MAC address table" and Layer 3—IP Services Configuration
Guide.
Restrictions and guidelines
• TC Snooping and the spanning tree feature are mutually exclusive. You must globally disable
the spanning tree feature before enabling TC Snooping.
• The priority of BPDU tunneling is higher than that of TC Snooping. When BPDU tunneling is
enabled on a port, the TC Snooping feature does not take effect on the port.
• TC Snooping does not support the PVST mode.
Procedure
1. Enter system view.
system-view
2. Globally disable the spanning tree feature.
undo stp global enable
When the device starts up with initial settings, the spanning tree feature is globally disabled.
When the device starts up with factory defaults, the spanning tree feature is globally enabled.
For more information about the initial settings and factory defaults, see Fundamentals
Configuration Guide.
3. Enable TC Snooping.
stp tc-snooping
By default, TC Snooping is disabled.

Configuring protection features


Spanning tree protection tasks at a glance
All spanning tree protection tasks are optional.
• Configuring BPDU guard
• Enabling root guard
• Enabling loop guard
• Configuring port role restriction
• Configuring TC-BPDU transmission restriction
• Enabling TC-BPDU guard
• Enabling BPDU drop
• Enabling PVST BPDU guard
• Disabling dispute guard

Configuring BPDU guard


About this task
For access layer devices, the access ports can directly connect to the user terminals (such as PCs)
or file servers. The access ports are configured as edge ports to allow rapid transition. When these
ports receive configuration BPDUs, the system automatically sets the ports as non-edge ports and
starts a new spanning tree calculation process. This causes a change of network topology. Under
normal conditions, these ports should not receive configuration BPDUs. However, if someone uses
configuration BPDUs maliciously to attack the devices, the network will become unstable.
The spanning tree protocol provides the BPDU guard feature to protect the system against such
attacks. When ports with BPDU guard enabled receive configuration BPDUs, the device performs
the following operations:
• Shuts down these ports.
• Notifies the NMS that these ports have been shut down by the spanning tree protocol.
The device reactivates the ports that have been shut down when the port status detection timer
expires. You can set this timer by using the shutdown-interval command. For more information
about this command, see device management commands in Fundamentals Command Reference.
Restrictions and guidelines
You can configure the BPDU guard feature in system view or on a per-port basis. A port preferentially
uses the port-specific BPDU guard setting. If the port-specific BPDU guard setting is not available,
the port uses the global BPDU guard setting.
The global BPDU guard setting takes effect only on the edge ports configured by using the stp
edged-port command. For the BPDU guard setting to take effect on non-edge ports, you must
configure the feature on a per-port basis. The port-specific BPDU guard setting takes effect on both
edge and non-edge ports.
Configure BPDU guard on ports that directly connect to user terminals rather than to other devices or
shared LAN segments.
BPDU guard does not take effect on loopback-testing-enabled ports. For more information about
loopback testing, see Ethernet interface configuration in Interface Configuration Guide.
Enabling BPDU guard in system view
1. Enter system view.
system-view
2. Enable BPDU guard globally.
stp bpdu-protection
By default, BPDU guard is globally disabled.
Configuring BPDU guard in interface view
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure BPDU guard.
stp port bpdu-protection { enable | disable }
By default, the enabling status of BPDU guard on an edge port is the same as that of global
BPDU guard, and BPDU guard is not configured for non-edge ports.

Enabling root guard


About this task
Configure root guard on a designated port.
The root bridge and secondary root bridge of a spanning tree should be located in the same MST
region. Especially for the CIST, the root bridge and secondary root bridge are put in a high-bandwidth
core region during network design. However, due to possible configuration errors or malicious
attacks in the network, the legal root bridge might receive a configuration BPDU with a higher priority.
Another device supersedes the current legal root bridge, causing an undesired change of the
network topology. The traffic that should go over high-speed links is switched to low-speed links,
resulting in network congestion.
To prevent this situation, MSTP provides the root guard feature. If root guard is enabled on a port of
a root bridge, this port plays the role of designated port on all MSTIs. After this port receives a
configuration BPDU with a higher priority from an MSTI, it performs the following operations:
• Immediately sets that port to the listening state in the MSTI.
• Does not forward the received configuration BPDU.
This is equivalent to disconnecting the link connected to this port in the MSTI. If the port receives no
BPDUs with a higher priority within twice the forwarding delay, it reverts to its original state.
Restrictions and guidelines
On a port, the loop guard feature and the root guard feature are mutually exclusive.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable the root guard feature.
stp root-protection
By default, root guard is disabled.

Enabling loop guard


About this task
Configure loop guard on the root port and alternate ports of a device.
By continuing to receive BPDUs from the upstream device, a device can maintain the state of the
root port and blocked ports. However, link congestion or unidirectional link failures might cause these
ports to fail to receive BPDUs from the upstream devices. In this situation, the device reselects the
following port roles:
• Those ports in forwarding state that failed to receive upstream BPDUs become designated
ports.
• The blocked ports transit to the forwarding state.
As a result, loops occur in the switched network. The loop guard feature can suppress the
occurrence of such loops.
The initial state of a loop guard-enabled port is discarding in every MSTI. When the port receives
BPDUs, it transits its state. Otherwise, it stays in the discarding state to prevent temporary loops.
Restrictions and guidelines
Do not enable loop guard on a port that connects user terminals. Otherwise, the port stays in the
discarding state in all MSTIs because it cannot receive BPDUs.
On a port, the loop guard feature is mutually exclusive with the root guard feature or the edge port
setting.
A loop guard-enabled interface can receive BPDUs and transit from the discarding state to the
forwarding state after two forward delays if one of the following events occurs:
• The state of the interface changes from down to up.
• The spanning tree feature is enabled on the up interface.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable the loop guard feature.
stp loop-protection
By default, loop guard is disabled.
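The BPDU guard precedence rules (a port-specific setting overrides the global one, and the global setting reaches only edge ports) and the mutual-exclusion rules for loop guard can be checked against a candidate configuration before it is deployed. The following Python script is an added example, not part of the H3C guide; the sample configuration is constructed, and its layout (sections separated by # lines, one interface line opening each port section) is an assumption about the saved-configuration text.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample configuration (layout is an assumption, see lead-in).
SAMPLE_CONFIG = """\
#
 stp bpdu-protection
 stp global enable
#
interface Twenty-FiveGigE1/0/1
 stp edged-port
#
interface Twenty-FiveGigE1/0/2
 stp edged-port
 stp port bpdu-protection disable
#
interface Twenty-FiveGigE1/0/3
 stp port bpdu-protection enable
#
interface Twenty-FiveGigE1/0/4
 stp root-protection
 stp loop-protection
#
interface Twenty-FiveGigE1/0/5
 stp edged-port
 stp loop-protection
#
"""


@dataclass
class Port:
    name: str
    edge: bool = False
    port_bpdu_guard: Optional[bool] = None  # None = no port-specific setting
    root_guard: bool = False
    loop_guard: bool = False


def parse(config):
    """Return (global_bpdu_guard, [Port, ...]) from configuration text."""
    global_guard, ports, current = False, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            current = None  # a "#" line closes the current section
        elif line.startswith("interface "):
            current = Port(name=line.split(None, 1)[1])
            ports.append(current)
        elif current is None:
            if line == "stp bpdu-protection":
                global_guard = True
        elif line == "stp edged-port":
            current.edge = True
        elif line.startswith("stp port bpdu-protection "):
            current.port_bpdu_guard = line.endswith(" enable")
        elif line == "stp root-protection":
            current.root_guard = True
        elif line == "stp loop-protection":
            current.loop_guard = True
    return global_guard, ports


def bpdu_guard_effective(port, global_guard):
    """Apply the precedence rules: port-specific first, then global on edge ports."""
    if port.port_bpdu_guard is not None:
        return port.port_bpdu_guard
    return port.edge and global_guard


def audit(config):
    """Return (port name, finding) pairs for settings that conflict with the rules."""
    global_guard, ports = parse(config)
    findings = []
    for p in ports:
        if p.edge and not bpdu_guard_effective(p, global_guard):
            findings.append((p.name, "edge port without BPDU guard"))
        if p.loop_guard and p.root_guard:
            findings.append((p.name, "loop guard and root guard are mutually exclusive"))
        if p.loop_guard and p.edge:
            findings.append((p.name, "loop guard and edge port setting are mutually exclusive"))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```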

Configuring port role restriction


About this task
Make this configuration on the port that connects to the user access network.
The bridge ID change of a device in the user access network might cause a change to the spanning
tree topology in the core network. To avoid this problem, you can enable port role restriction on a port.
With this feature enabled, when the port receives a superior BPDU, it becomes an alternate port
rather than a root port.
Restrictions and guidelines
Use this feature with caution, because enabling port role restriction on a port might affect the
connectivity of the spanning tree topology.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable port role restriction.
stp role-restriction
By default, port role restriction is disabled.

Configuring TC-BPDU transmission restriction
About this task
Make this configuration on the port that connects to the user access network.
A topology change in the user access network might cause forwarding address changes in the
core network. When the user access network topology is unstable, the user access network might
affect the core network. To avoid this problem, you can enable TC-BPDU transmission restriction on
a port. With this feature enabled, when the port receives a TC-BPDU, it does not forward the
TC-BPDU to other ports.
Restrictions and guidelines
Enabling TC-BPDU transmission restriction on a port might cause the previous forwarding address
table to fail to be updated when the topology changes.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable TC-BPDU transmission restriction.
stp tc-restriction
By default, TC-BPDU transmission restriction is disabled.

Enabling TC-BPDU guard


About this task
When a device receives topology change (TC) BPDUs (the BPDUs that notify devices of topology
changes), it flushes its forwarding address entries. If someone uses TC-BPDUs to attack the device,
the device will receive a large number of TC-BPDUs within a short time. Then, the device is busy with
forwarding address entry flushing. This affects network stability.
TC-BPDU guard allows you to set the maximum number of immediate forwarding address entry
flushes performed within 10 seconds after the device receives the first TC-BPDU. For TC-BPDUs
received in excess of the limit, the device performs a forwarding address entry flush when the time
period expires. This prevents frequent flushing of forwarding address entries.
Restrictions and guidelines
As a best practice, enable TC-BPDU guard.
Procedure
1. Enter system view.
system-view
2. Enable the TC-BPDU guard feature.
stp tc-protection
By default, TC-BPDU guard is enabled.
3. (Optional.) Configure the maximum number of forwarding address entry flushes that the device
can perform every 10 seconds.
stp tc-protection threshold number
The default setting is 6.
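The effect of the threshold under a TC-BPDU flood can be seen in a small model of the behavior described above. This Python sketch is an added example, not H3C code; it assumes that the 10-second period starts at the first TC-BPDU, that excess TC-BPDUs result in a single flush when the period expires, and that the next TC-BPDU after expiry starts a new period. The arrival times are constructed.

```python
WINDOW_SECONDS = 10     # period stated in the guide
DEFAULT_THRESHOLD = 6   # default of "stp tc-protection threshold"


def guarded_flush_times(arrivals, threshold=DEFAULT_THRESHOLD, window=WINDOW_SECONDS):
    """Return the times at which forwarding address entries are flushed.

    arrivals: TC-BPDU receive times in seconds (constructed input).
    """
    flushes = []
    start = None        # start time of the current period, None when idle
    immediate = 0       # immediate flushes already performed in this period
    deferred = False    # True once a TC-BPDU exceeded the threshold
    for t in sorted(arrivals):
        if start is not None and t >= start + window:
            if deferred:
                flushes.append(start + window)  # single flush at period expiry
            start = None
        if start is None:
            start, immediate, deferred = t, 0, False
        if immediate < threshold:
            flushes.append(t)                   # flushed immediately
            immediate += 1
        else:
            deferred = True                     # held until the period expires
    if start is not None and deferred:
        flushes.append(start + window)
    return flushes


def compare(arrivals, threshold=DEFAULT_THRESHOLD):
    """Return (flushes with one flush per TC-BPDU, flushes with TC-BPDU guard)."""
    return len(arrivals), len(guarded_flush_times(arrivals, threshold))


# Constructed flood: one TC-BPDU every 100 ms for 20 seconds.
FLOOD = [i / 10 for i in range(200)]

if __name__ == "__main__":
    unguarded, guarded = compare(FLOOD)
    print(f"flushes without guard: {unguarded}, with guard: {guarded}")
```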

Enabling BPDU drop
About this task
In a spanning tree network, every BPDU arriving at the device triggers an STP calculation process
and is then forwarded to other devices in the network. Malicious attackers might use the vulnerability
to attack the network by forging BPDUs. By continuously sending forged BPDUs, they can make all
devices in the network continue performing STP calculations. As a result, problems such as CPU
overload and BPDU protocol status errors occur.
To avoid this problem, you can enable BPDU drop on ports. A BPDU drop-enabled port does not
receive any BPDUs and is invulnerable to forged BPDU attacks.
Restrictions and guidelines
This feature allows the device to drop BPDUs of STP, RSTP, MSTP, LACP, PVST, Ethernet OAM,
GVRP, and LLDP. Make sure you are fully aware of the impact of this feature when you use it on a
live network.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Enable BPDU drop on the interface.
bpdu-drop any
By default, BPDU drop is disabled.

Enabling PVST BPDU guard


About this task
This feature takes effect only when the device is operating in MSTP mode.
An MSTP-enabled device forwards PVST BPDUs as data traffic because it cannot recognize PVST
BPDUs. If a PVST-enabled device in another independent network receives the PVST BPDUs, a
PVST calculation error might occur. To avoid PVST calculation errors, enable PVST BPDU guard on
the MSTP-enabled device. The device shuts down a port if the port receives PVST BPDUs.
Procedure
1. Enter system view.
system-view
2. Enable PVST BPDU guard.
stp pvst-bpdu-protection
By default, PVST BPDU guard is disabled.

Disabling dispute guard


About this task
Dispute guard can be triggered by unidirectional link failures. If an upstream port receives inferior
BPDUs from a downstream designated port in forwarding or learning state because of a
unidirectional link failure, a loop appears. Dispute guard blocks the upstream designated port to
prevent the loop.
As shown in Figure 19, in normal conditions, the spanning tree calculation result is as follows:
• Device A is the root bridge, and Port A1 is a designated port.
• Port B1 is blocked.
When the link between Port A1 and Port B1 fails in the direction of Port A1 to Port B1 and becomes
unidirectional, the following events occur:
1. Port A1 can only receive BPDUs and cannot send BPDUs to Port B1.
2. Port B1 does not receive BPDUs from Port A1 for a certain period of time.
3. Device B determines itself as the root bridge.
4. Port B1 sends its BPDUs to Port A1.
5. Port A1 determines the received BPDUs are inferior to its own BPDUs. A dispute is detected.
6. Dispute guard is triggered and blocks Port A1 to prevent a loop.
Figure 19 Dispute guard triggering scenario (on a designated port)
[Figure: three panels (normal condition, unidirectional link occurs, dispute guard is triggered),
each showing root bridge Device A (Port A1, Port A2) connected to Device B (Port B1, Port B2).
Legend: root port, designated port, blocked port, normal link, blocked link, unidirectional link.]

As shown in Figure 20, in normal conditions, Device A is the root bridge, and Port B1 and Port C1 are
root ports. When the links between Device A and Device B become unidirectional (the links fail in the
direction of Port A1 to Port B1), the following events occur:
1. Device B cannot receive BPDUs from Device A.
2. Device B determines itself as the root bridge.
3. Port B1 sends BPDUs in which the root bridge is Device B to Port C1.
4. Port C1 receives BPDUs from two root bridges, Device A and Device B. A dispute is detected.
5. Dispute guard is triggered and blocks Port C1 to avoid a loop.

Figure 20 Dispute guard triggering scenario (on a root port)
[Figure: three panels, each showing Device A (Port A1) and Device B (Port B1) connected through a hub
to Device C (Port C1), with the root bridges marked. Legend: root port, designated port, blocked
port, normal link, blocked link, BPDUs.]

However, dispute guard might disrupt the network connectivity. You can disable dispute guard to
avoid connectivity loss in VLAN networks. As shown in Figure 21, the spanning tree feature is
disabled on Device B and enabled on Device A and Device C. Device B transparently transmits
BPDUs.
Device C cannot receive superior BPDUs of VLAN 1 from Device A because Port B1 of Device B is
configured to deny packets of VLAN 1. Device C determines itself as the root bridge after a certain
period of time. Then, Port C1 sends an inferior BPDU of VLAN 100 to Device A.
When Device A receives the inferior BPDU, dispute guard blocks Port A1, which causes traffic
interruption. To ensure service continuity, you can disable dispute guard on Device A to prevent the
link from being blocked.
Figure 21 Disabling dispute guard application scenario
[Figure: Device A (root, Port A1), Device B (Port B1, Port B2), and Device C (Port C1) in a row.
Legend: inferior BPDU, superior BPDU. The port settings shown in the figure are as follows.]
Port A1:
port trunk permit vlan 100
port trunk pvid vlan 1
Port B1:
undo port trunk permit vlan 1
port trunk permit vlan 100
port trunk pvid vlan 1
Port B2:
port access vlan 100

Restrictions and guidelines


You can disable dispute guard if the network does not have unidirectional link failures.
Procedure
1. Enter system view.
system-view
2. Disable dispute guard.
undo stp dispute-protection
By default, dispute guard is enabled.

Enabling the device to log events of detecting or receiving TC BPDUs
About this task
This feature allows the device to generate logs when it detects or receives TC BPDUs. This feature
applies only to PVST mode.
Procedure
1. Enter system view.
system-view
2. Enable the device to log events of receiving or detecting TC BPDUs.
stp log enable tc
By default, the device does not generate logs when it detects or receives TC BPDUs.

Disabling the device from reactivating edge ports shut down by BPDU guard
About this task
BPDU guard shuts down edge ports that have received configuration BPDUs and notifies the NMS of
the shutdown event.
The device reactivates the ports that have been shut down when the port status detection timer
expires. You can set this timer by using the shutdown-interval command. For more information
about this command, see device management commands in Fundamentals Command Reference.
Restrictions and guidelines
After this feature is configured, the device does not reactivate edge ports shut down by BPDU guard.
Executing the undo stp port shutdown permanent command does not bring up ports that are already
shut down. To bring up these ports, use the undo shutdown command.
Procedure
1. Enter system view.
system-view
2. Disable the device from reactivating edge ports shut down by BPDU guard.
stp port shutdown permanent
By default, the device reactivates an edge port shut down by BPDU guard after the port status
detection timer expires.

Enabling BPDU transparent transmission on a port
Restrictions and guidelines
Perform this task to enable a port to transmit BPDUs transparently. Whether the spanning tree
protocols are enabled on a port does not affect the BPDU transparent transmission feature.

If this feature and the spanning tree protocol are enabled on a port which is inferior to its downstream
port, the downstream port can receive BPDUs from that port. To prevent network flapping caused by
this problem, disable the spanning tree protocol before you enable BPDU transparent transmission
on the port.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable BPDU transparent transmission.
stp transparent enable
By default, the BPDU transparent transmission feature is disabled on a port.

Enabling SNMP notifications for new-root election and topology change events
About this task
This task enables the device to generate logs and report new-root election events or spanning tree
topology changes to SNMP. For the event notifications to be sent correctly, you must also configure
SNMP on the device. For more information about SNMP configuration, see the network
management and monitoring configuration guide for the device.
When you use the snmp-agent trap enable stp [ new-root | tc ] command, follow these
guidelines:
• The new-root keyword applies only to STP, MSTP, and RSTP modes.
• The tc keyword applies only to PVST mode.
• In STP, MSTP, or RSTP mode, the snmp-agent trap enable stp command enables
SNMP notifications for new-root election events.
• In PVST mode, the snmp-agent trap enable stp command enables SNMP notifications
for spanning tree topology changes.
Procedure
1. Enter system view.
system-view
2. Enable SNMP notifications for new-root election and topology change events.
snmp-agent trap enable stp [ new-root | tc ]
The default settings are as follows:
○ SNMP notifications are disabled for new-root election events.
○ In MSTP mode, SNMP notifications are enabled in MSTI 0 and disabled in other MSTIs for
spanning tree topology changes.
○ In PVST mode, SNMP notifications are disabled for spanning tree topology changes in all
VLANs.

Display and maintenance commands for the spanning tree protocols
IMPORTANT:
You can view DR system settings by using the display stp and display stp root
commands only in Release 6616 and later.

Execute display commands in any view and reset commands in user view.

Task: Display the spanning tree status and statistics.
Command: display stp [ instance instance-list | vlan vlan-id-list ] [ interface interface-list | slot slot-number ] [ brief ]

Task: Display the port role calculation history for the specified MSTI or all MSTIs.
Command: display stp [ instance instance-list | vlan vlan-id-list ] history [ slot slot-number ]

Task: Display the incoming and outgoing TC/TCN BPDU statistics by all ports in the specified MSTI or all MSTIs.
Command: display stp [ instance instance-list | vlan vlan-id-list ] tc [ slot slot-number ]

Task: Display history about ports blocked by spanning tree protection features.
Command: display stp abnormal-port

Task: Display BPDU statistics on ports.
Command: display stp bpdu-statistics [ interface interface-type interface-number [ instance instance-list ] ]

Task: Display information about ports shut down by spanning tree protection features.
Command: display stp down-port

Task: Display the MST region configuration information that has taken effect.
Command: display stp region-configuration

Task: Display the root bridge information of all MSTIs.
Command: display stp root

Task: Clear the spanning tree statistics.
Command: reset stp [ interface interface-list ]

Spanning tree configuration examples


Example: Configuring MSTP
Network configuration
As shown in Figure 22, all devices on the network are in the same MST region. Device A and Device
B work at the distribution layer. Device C and Device D work at the access layer.
Configure MSTP so that frames of different VLANs are forwarded along different spanning trees.
• VLAN 10 frames are forwarded along MSTI 1.
• VLAN 30 frames are forwarded along MSTI 3.
• VLAN 40 frames are forwarded along MSTI 4.
• VLAN 20 frames are forwarded along MSTI 0.
VLAN 10 and VLAN 30 are terminated on the distribution layer devices, and VLAN 40 is terminated
on the access layer devices. The root bridges of MSTI 1 and MSTI 3 are Device A and Device B,
respectively, and the root bridge of MSTI 4 is Device C.
Figure 22 Network diagram
[Figure: Device A, Device B, Device C, and Device D in one MST region. The link between Device A and
Device B (WGE1/0/3 on both devices) permits all VLANs. The link between Device C and Device D
(WGE1/0/3 on both devices) permits VLANs 20 and 40. The other links, on WGE1/0/1 and WGE1/0/2,
permit either VLANs 10 and 20 or VLANs 20 and 30.]

Procedure
1. Configure VLANs and VLAN member ports. (Details not shown.)
○ Create VLAN 10, VLAN 20, and VLAN 30 on both Device A and Device B.
○ Create VLAN 10, VLAN 20, and VLAN 40 on Device C.
○ Create VLAN 20, VLAN 30, and VLAN 40 on Device D.
○ Configure the ports on these devices as trunk ports and assign them to related VLANs.
2. Configure Device A:
# Enter MST region view, and configure the MST region name as example.
<DeviceA> system-view
[DeviceA] stp region-configuration
[DeviceA-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceA-mst-region] instance 1 vlan 10
[DeviceA-mst-region] instance 3 vlan 30
[DeviceA-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceA-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceA-mst-region] active region-configuration
[DeviceA-mst-region] quit
# Configure Device A as the root bridge of MSTI 1.
[DeviceA] stp instance 1 root primary
# Enable the spanning tree feature globally.
[DeviceA] stp global enable
3. Configure Device B:
# Enter MST region view, and configure the MST region name as example.
<DeviceB> system-view
[DeviceB] stp region-configuration
[DeviceB-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 3 vlan 30
[DeviceB-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceB-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# Configure Device B as the root bridge of MSTI 3.
[DeviceB] stp instance 3 root primary
# Enable the spanning tree feature globally.
[DeviceB] stp global enable
4. Configure Device C:
# Enter MST region view, and configure the MST region name as example.
<DeviceC> system-view
[DeviceC] stp region-configuration
[DeviceC-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceC-mst-region] instance 1 vlan 10
[DeviceC-mst-region] instance 3 vlan 30
[DeviceC-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceC-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceC-mst-region] active region-configuration
[DeviceC-mst-region] quit
# Configure Device C as the root bridge of MSTI 4.
[DeviceC] stp instance 4 root primary
# Enable the spanning tree feature globally.
[DeviceC] stp global enable
5. Configure Device D:
# Enter MST region view, and configure the MST region name as example.
<DeviceD> system-view
[DeviceD] stp region-configuration
[DeviceD-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceD-mst-region] instance 1 vlan 10
[DeviceD-mst-region] instance 3 vlan 30
[DeviceD-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceD-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# Enable the spanning tree feature globally.
[DeviceD] stp global enable

Verifying the configuration


In this example, Device B has the lowest root bridge ID. As a result, Device B is elected as the root
bridge in MSTI 0.
When the network is stable, you can use the display stp brief command to display brief
spanning tree information on each device.
# Display brief spanning tree information on Device A.
[DeviceA] display stp brief
MST ID Port Role STP State Protection
0 Twenty-FiveGigE1/0/1 ALTE DISCARDING NONE
0 Twenty-FiveGigE1/0/2 DESI FORWARDING NONE
0 Twenty-FiveGigE1/0/3 ROOT FORWARDING NONE
1 Twenty-FiveGigE1/0/1 DESI FORWARDING NONE
1 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE
3 Twenty-FiveGigE1/0/2 DESI FORWARDING NONE
3 Twenty-FiveGigE1/0/3 ROOT FORWARDING NONE

# Display brief spanning tree information on Device B.


[DeviceB] display stp brief
MST ID Port Role STP State Protection
0 Twenty-FiveGigE1/0/1 DESI FORWARDING NONE
0 Twenty-FiveGigE1/0/2 DESI FORWARDING NONE
0 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE
1 Twenty-FiveGigE1/0/2 DESI FORWARDING NONE
1 Twenty-FiveGigE1/0/3 ROOT FORWARDING NONE
3 Twenty-FiveGigE1/0/1 DESI FORWARDING NONE
3 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device C.


[DeviceC] display stp brief
MST ID Port Role STP State Protection
0 Twenty-FiveGigE1/0/1 DESI FORWARDING NONE
0 Twenty-FiveGigE1/0/2 ROOT FORWARDING NONE
0 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE
1 Twenty-FiveGigE1/0/1 ROOT FORWARDING NONE
1 Twenty-FiveGigE1/0/2 ALTE DISCARDING NONE
4 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device D.


[DeviceD] display stp brief
MST ID Port Role STP State Protection
0 Twenty-FiveGigE1/0/1 ROOT FORWARDING NONE
0 Twenty-FiveGigE1/0/2 ALTE DISCARDING NONE
0 Twenty-FiveGigE1/0/3 ALTE DISCARDING NONE
3 Twenty-FiveGigE1/0/1 ROOT FORWARDING NONE
3 Twenty-FiveGigE1/0/2 ALTE DISCARDING NONE
4 Twenty-FiveGigE1/0/3 ROOT FORWARDING NONE

Based on the output, you can draw each MSTI mapped to each VLAN, as shown in Figure 23.
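Figure 23 MSTIs mapped to different VLANs
[Figure: four panels showing the spanning tree of each MSTI: MSTI 1 mapped to VLAN 10 (Devices A, B,
and C), MSTI 0 mapped to VLAN 20 (Devices A, B, C, and D), MSTI 3 mapped to VLAN 30 (Devices A, B,
and D), and MSTI 4 mapped to VLAN 40 (Devices C and D). Legend: root bridge, normal link, blocked
link.]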
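The root placement intended by this example can also be checked mechanically from the same outputs, which helps spot an unexpected root bridge change of the kind root guard is meant to prevent. The following Python script is an added example, not part of the H3C guide; it uses the display stp brief outputs shown above and assumes that a device is the root bridge of an instance when it has ports in that instance and none of them is a root port.

```python
from collections import defaultdict

# Outputs copied from the MSTP example above (column spacing as on the page).
OUTPUTS = {
    "DeviceA": """\
MST ID Port Role STP State Protection
0 Twenty-FiveGigE1/0/1 ALTE DISCARDING NONE
0 Twenty-FiveGigE1/0/2 DESI FORWARDING NONE
0 Twenty-FiveGigE1/0/3 ROOT FORWARDING NONE
1 Twenty-FiveGigE1/0/1 DESI FORWARDING NONE
1 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE
3 Twenty-FiveGigE1/0/2 DESI FORWARDING NONE
3 Twenty-FiveGigE1/0/3 ROOT FORWARDING NONE
""",
    "DeviceB": """\
MST ID Port Role STP State Protection
0 Twenty-FiveGigE1/0/1 DESI FORWARDING NONE
0 Twenty-FiveGigE1/0/2 DESI FORWARDING NONE
0 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE
1 Twenty-FiveGigE1/0/2 DESI FORWARDING NONE
1 Twenty-FiveGigE1/0/3 ROOT FORWARDING NONE
3 Twenty-FiveGigE1/0/1 DESI FORWARDING NONE
3 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE
""",
    "DeviceC": """\
MST ID Port Role STP State Protection
0 Twenty-FiveGigE1/0/1 DESI FORWARDING NONE
0 Twenty-FiveGigE1/0/2 ROOT FORWARDING NONE
0 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE
1 Twenty-FiveGigE1/0/1 ROOT FORWARDING NONE
1 Twenty-FiveGigE1/0/2 ALTE DISCARDING NONE
4 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE
""",
    "DeviceD": """\
MST ID Port Role STP State Protection
0 Twenty-FiveGigE1/0/1 ROOT FORWARDING NONE
0 Twenty-FiveGigE1/0/2 ALTE DISCARDING NONE
0 Twenty-FiveGigE1/0/3 ALTE DISCARDING NONE
3 Twenty-FiveGigE1/0/1 ROOT FORWARDING NONE
3 Twenty-FiveGigE1/0/2 ALTE DISCARDING NONE
4 Twenty-FiveGigE1/0/3 ROOT FORWARDING NONE
""",
}

# Intended root bridges: MSTI 1, 3 and 4 from the network configuration,
# MSTI 0 from the statement that Device B has the lowest root bridge ID.
EXPECTED_ROOTS = {"DeviceA": {1}, "DeviceB": {0, 3}, "DeviceC": {4}, "DeviceD": set()}


def parse_brief(text):
    """Return (instance, port, role, state, protection) for each data row.

    The header row is skipped because its first field is not a number, so
    PVST output (first column "VLAN ID") parses the same way.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 5 and fields[0].isdigit():
            rows.append((int(fields[0]), *fields[1:]))
    return rows


def root_instances(text):
    """Instances in which the device has ports but no root port."""
    roles = defaultdict(set)
    for instance, _port, role, _state, _protection in parse_brief(text):
        roles[instance].add(role)
    return {instance for instance, seen in roles.items() if "ROOT" not in seen}


def verify(outputs, expected):
    """Return (device, unexpected root instances, missing root instances) mismatches."""
    problems = []
    for device, text in outputs.items():
        actual = root_instances(text)
        wanted = expected.get(device, set())
        if actual != wanted:
            problems.append((device, sorted(actual - wanted), sorted(wanted - actual)))
    return problems


if __name__ == "__main__":
    print(verify(OUTPUTS, EXPECTED_ROOTS) or "root placement matches the design")
```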

Example: Configuring PVST


Network configuration
As shown in Figure 24, Device A and Device B work at the distribution layer, and Device C and
Device D work at the access layer.
Configure PVST to meet the following requirements:
• Frames of a VLAN are forwarded along the spanning trees of the VLAN.
• VLAN 10, VLAN 20, and VLAN 30 are terminated on the distribution layer devices, and VLAN
40 is terminated on the access layer devices.
• The root bridge of VLAN 10 and VLAN 20 is Device A.
• The root bridge of VLAN 30 is Device B.
• The root bridge of VLAN 40 is Device C.

Figure 24 Network diagram
[Figure: Device A, Device B, Device C, and Device D. The link between Device A and Device B
(WGE1/0/3 on both devices) permits all VLANs. The link between Device C and Device D (WGE1/0/3 on
both devices) permits VLANs 20 and 40. The other links, on WGE1/0/1 and WGE1/0/2, permit either
VLANs 10 and 20 or VLANs 20 and 30.]

Procedure
1. Configure VLANs and VLAN member ports. (Details not shown.)
○ Create VLAN 10, VLAN 20, and VLAN 30 on both Device A and Device B.
○ Create VLAN 10, VLAN 20, and VLAN 40 on Device C.
○ Create VLAN 20, VLAN 30, and VLAN 40 on Device D.
○ Configure the ports on these devices as trunk ports and assign them to related VLANs.
2. Configure Device A:
# Set the spanning tree mode to PVST.
<DeviceA> system-view
[DeviceA] stp mode pvst
# Configure the device as the root bridge of VLAN 10 and VLAN 20.
[DeviceA] stp vlan 10 20 root primary
# Enable the spanning tree feature globally and in VLAN 10, VLAN 20, and VLAN 30.
[DeviceA] stp global enable
[DeviceA] stp vlan 10 20 30 enable
3. Configure Device B:
# Set the spanning tree mode to PVST.
<DeviceB> system-view
[DeviceB] stp mode pvst
# Configure the device as the root bridge of VLAN 30.
[DeviceB] stp vlan 30 root primary
# Enable the spanning tree feature globally and in VLAN 10, VLAN 20, and VLAN 30.
[DeviceB] stp global enable
[DeviceB] stp vlan 10 20 30 enable
4. Configure Device C:
# Set the spanning tree mode to PVST.
<DeviceC> system-view
[DeviceC] stp mode pvst
# Configure the device as the root bridge of VLAN 40.
[DeviceC] stp vlan 40 root primary
# Enable the spanning tree feature globally and in VLAN 10, VLAN 20, and VLAN 40.
[DeviceC] stp global enable
[DeviceC] stp vlan 10 20 40 enable
5. Configure Device D:
# Set the spanning tree mode to PVST.
<DeviceD> system-view
[DeviceD] stp mode pvst
# Enable the spanning tree feature globally and in VLAN 20, VLAN 30, and VLAN 40.
[DeviceD] stp global enable
[DeviceD] stp vlan 20 30 40 enable

Verifying the configuration


When the network is stable, you can use the display stp brief command to display brief
spanning tree information on each device.
# Display brief spanning tree information on Device A.
[DeviceA] display stp brief
VLAN ID Port Role STP State Protection
10 Twenty-FiveGigE1/0/1 DESI FORWARDING NONE
10 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE
20 Twenty-FiveGigE1/0/1 DESI FORWARDING NONE
20 Twenty-FiveGigE1/0/2 DESI FORWARDING NONE
20 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE
30 Twenty-FiveGigE1/0/2 DESI FORWARDING NONE
30 Twenty-FiveGigE1/0/3 ROOT FORWARDING NONE

# Display brief spanning tree information on Device B.


[DeviceB] display stp brief
VLAN ID Port Role STP State Protection
10 Twenty-FiveGigE1/0/2 DESI FORWARDING NONE
10 Twenty-FiveGigE1/0/3 ROOT FORWARDING NONE
20 Twenty-FiveGigE1/0/1 DESI FORWARDING NONE
20 Twenty-FiveGigE1/0/2 DESI FORWARDING NONE
20 Twenty-FiveGigE1/0/3 ROOT FORWARDING NONE
30 Twenty-FiveGigE1/0/1 DESI FORWARDING NONE
30 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device C.


[DeviceC] display stp brief
VLAN ID Port Role STP State Protection
10 Twenty-FiveGigE1/0/1 ROOT FORWARDING NONE
10 Twenty-FiveGigE1/0/2 ALTE DISCARDING NONE
20 Twenty-FiveGigE1/0/1 ROOT FORWARDING NONE
20 Twenty-FiveGigE1/0/2 ALTE DISCARDING NONE
20 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE
40 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device D.


[DeviceD] display stp brief
VLAN ID Port Role STP State Protection
20 Twenty-FiveGigE1/0/1 ALTE DISCARDING NONE
20 Twenty-FiveGigE1/0/2 ROOT FORWARDING NONE
20 Twenty-FiveGigE1/0/3 ALTE DISCARDING NONE
30 Twenty-FiveGigE1/0/1 ROOT FORWARDING NONE
30 Twenty-FiveGigE1/0/2 ALTE DISCARDING NONE
40 Twenty-FiveGigE1/0/3 ROOT FORWARDING NONE

Based on the output, you can draw a topology for each VLAN spanning tree, as shown in Figure 25.
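Figure 25 VLAN spanning tree topologies
(Diagram not reproduced. Four panels mark the root bridge, normal links, and blocked links in each tree: Spanning tree for VLAN 10 (Devices A, B, and C), Spanning tree for VLAN 20 (Devices A, B, C, and D), Spanning tree for VLAN 30 (Devices A, B, and D), and Spanning tree for VLAN 40 (Devices C and D).)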
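The root placement required by this example can be checked mechanically from the outputs above. The following Python script is an added example, not H3C code: it parses the display stp brief output of the four devices, reports any VLAN whose tree is not rooted on the intended device, and lists the blocked ports. The function names and the rule "a bridge whose ports in a VLAN are all designated considers itself root" are this example's own choices.

```python
import re
from collections import defaultdict

# 'display stp brief' output copied from the verification step of this example.
OUTPUTS = {
    "DeviceA": """
VLAN ID Port Role STP State Protection
10 Twenty-FiveGigE1/0/1 DESI FORWARDING NONE
10 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE
20 Twenty-FiveGigE1/0/1 DESI FORWARDING NONE
20 Twenty-FiveGigE1/0/2 DESI FORWARDING NONE
20 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE
30 Twenty-FiveGigE1/0/2 DESI FORWARDING NONE
30 Twenty-FiveGigE1/0/3 ROOT FORWARDING NONE
""",
    "DeviceB": """
VLAN ID Port Role STP State Protection
10 Twenty-FiveGigE1/0/2 DESI FORWARDING NONE
10 Twenty-FiveGigE1/0/3 ROOT FORWARDING NONE
20 Twenty-FiveGigE1/0/1 DESI FORWARDING NONE
20 Twenty-FiveGigE1/0/2 DESI FORWARDING NONE
20 Twenty-FiveGigE1/0/3 ROOT FORWARDING NONE
30 Twenty-FiveGigE1/0/1 DESI FORWARDING NONE
30 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE
""",
    "DeviceC": """
VLAN ID Port Role STP State Protection
10 Twenty-FiveGigE1/0/1 ROOT FORWARDING NONE
10 Twenty-FiveGigE1/0/2 ALTE DISCARDING NONE
20 Twenty-FiveGigE1/0/1 ROOT FORWARDING NONE
20 Twenty-FiveGigE1/0/2 ALTE DISCARDING NONE
20 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE
40 Twenty-FiveGigE1/0/3 DESI FORWARDING NONE
""",
    "DeviceD": """
VLAN ID Port Role STP State Protection
20 Twenty-FiveGigE1/0/1 ALTE DISCARDING NONE
20 Twenty-FiveGigE1/0/2 ROOT FORWARDING NONE
20 Twenty-FiveGigE1/0/3 ALTE DISCARDING NONE
30 Twenty-FiveGigE1/0/1 ROOT FORWARDING NONE
30 Twenty-FiveGigE1/0/2 ALTE DISCARDING NONE
40 Twenty-FiveGigE1/0/3 ROOT FORWARDING NONE
""",
}

# Root bridge per VLAN, taken from the network requirements of this example.
INTENDED_ROOT = {10: "DeviceA", 20: "DeviceA", 30: "DeviceB", 40: "DeviceC"}

# Columns: VLAN ID, port, optional "(DR)" marker (printed for DR interfaces),
# role, state, protection. The header line does not start with a digit.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)(?:\s+\(DR\))?\s+([A-Z]+)\s+([A-Z]+)\s+(\S+)\s*$")

def parse_stp_brief(text):
    """Return {vlan: [(port, role, state, protection), ...]}; other lines are skipped."""
    table = defaultdict(list)
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            vlan, port, role, state, protection = match.groups()
            table[int(vlan)].append((port, role, state, protection))
    return dict(table)

def claims_root(rows):
    """A root bridge has no root port, so every port it has in the tree is designated."""
    return bool(rows) and all(role == "DESI" for _, role, _, _ in rows)

def audit_roots(outputs, intended_root):
    """Return [(vlan, intended_device, devices_claiming_root)] for every mismatch."""
    parsed = {device: parse_stp_brief(text) for device, text in outputs.items()}
    findings = []
    for vlan, intended in sorted(intended_root.items()):
        claimants = sorted(d for d, t in parsed.items() if claims_root(t.get(vlan, [])))
        if claimants != [intended]:
            findings.append((vlan, intended, claimants))
    return findings

def blocked_ports(outputs):
    """Return sorted (device, vlan, port) tuples for ports in DISCARDING state."""
    return sorted(
        (device, vlan, port)
        for device, text in outputs.items()
        for vlan, rows in parse_stp_brief(text).items()
        for port, _, state, _ in rows
        if state == "DISCARDING"
    )

if __name__ == "__main__":
    print("root mismatches:", audit_roots(OUTPUTS, INTENDED_ROOT) or "none")
    for entry in blocked_ports(OUTPUTS):
        print("blocked:", *entry)
```

Run against the outputs above, the audit reports no mismatch. A non-empty result means a device other than the intended one holds the root role for that VLAN, which is the condition to investigate before trusting the forwarding paths.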

Example: Configuring DRNI with PVST


Network configuration
As shown in Figure 26, Device A and Device B work at the distribution layer, and Device C and
Device D work at the access layer.
Configure DRNI on Device A and Device B. In the DR system, Device A is the primary DR device,
and Device B is the secondary DR device.
Configure PVST on the devices to meet the following requirements:
• Frames of a VLAN are forwarded along the spanning trees of the VLAN.
• VLAN 10, VLAN 20, and VLAN 30 are terminated on the distribution layer devices.
• The root bridge of VLAN 10, VLAN 20, and VLAN 30 is the DR system formed by Device A and
Device B.

NOTE:
• As a best practice, do not connect ports on Device A and Device B that have the same port ID with each
other, for example Layer 2 aggregate ports. Otherwise, when Device A and Device B communicate through
the link, the spanning tree protocol determines that the device receives its own BPDUs. Loop guard will
block the link, though spanning tree features are not affected.
• You can view port IDs of interfaces on the device by using the display stp interface command.
• The preceding restrictions do not apply to IPPs and their member ports.

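Figure 26 Network diagram
(Diagram not reproduced. Device A and Device B are connected by an IPL that permits all VLANs. Device C connects to Device A and Device B through BAGG1 on links that permit VLANs 10 and 20. Device D connects to Device A and Device B through BAGG2 on links that permit VLANs 20 and 30.)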

Procedure
1. Configure VLANs and VLAN member ports. (Details not shown.)
   ○ Create VLAN 10, VLAN 20, and VLAN 30 on both Device A and Device B.
   ○ Create VLAN 10 and VLAN 20 on Device C.
   ○ Create VLAN 20 and VLAN 30 on Device D.
   ○ Configure the ports on these devices as trunk ports and assign them to related VLANs.
2. Configure DRNI on Device A and Device B. (Details not shown.)
For more information about DRNI, see "Configuring DRNI."
3. Configure Device A:
# Set the spanning tree mode to PVST.
<DeviceA> system-view
[DeviceA] stp mode pvst
# Configure the device as the root bridge of VLAN 10 and VLAN 20.
[DeviceA] stp vlan 10 20 root primary
# Enable the spanning tree feature globally and in VLAN 10, VLAN 20, and VLAN 30.
[DeviceA] stp global enable
[DeviceA] stp vlan 10 20 30 enable
4. Configure Device B in the same way Device A is configured. (Details not shown.)
5. Configure Device C:
# Set the spanning tree mode to PVST.
<DeviceC> system-view
[DeviceC] stp mode pvst
# Enable the spanning tree feature globally and in VLAN 10 and VLAN 20.
[DeviceC] stp global enable
[DeviceC] stp vlan 10 20 enable
6. Configure Device D:
# Set the spanning tree mode to PVST.
<DeviceD> system-view
[DeviceD] stp mode pvst
# Enable the spanning tree feature globally and in VLAN 20 and VLAN 30.
[DeviceD] stp global enable
[DeviceD] stp vlan 20 30 enable

Verifying the configuration
When the network is stable, you can use the display stp brief command to display brief
spanning tree information on each device.
# Display brief spanning tree information of the DR system on the primary DR device, Device A.
[DeviceA] display stp brief
VLAN ID Port Role STP State Protection
10 Bridge-Aggregation1 (DR) DESI FORWARDING NONE
20 Bridge-Aggregation1 (DR) DESI FORWARDING NONE
20 Bridge-Aggregation2 (DR) DESI FORWARDING NONE
30 Bridge-Aggregation2 (DR) DESI FORWARDING NONE

# Display brief spanning tree information on Device C.


[DeviceC] display stp brief
VLAN ID Port Role STP State Protection
10 Bridge-Aggregation1 ROOT FORWARDING NONE
20 Bridge-Aggregation1 ROOT FORWARDING NONE

# Display brief spanning tree information on Device D.


[DeviceD] display stp brief
VLAN ID Port Role STP State Protection
20 Bridge-Aggregation2 ROOT FORWARDING NONE
30 Bridge-Aggregation2 ROOT FORWARDING NONE

Contents
Configuring LLDP
  About LLDP
    LLDP agents and bridge modes
    LLDP frame formats
    LLDPDUs
    TLVs
    Management address
    LLDP operating modes
    Transmitting and receiving LLDP frames
    Collaboration with Track
    Protocols and standards
  Restrictions and guidelines: LLDP configuration
  LLDP tasks at a glance
  Enabling LLDP
  Setting the LLDP bridge mode
  Setting the LLDP operating mode
  Setting the LLDP reinitialization delay
  Configuring the advertisable TLVs
  Configuring advertisement of the management address TLV
  Setting the encapsulation format for LLDP frames
  Setting LLDP frame transmission parameters
  Setting the timeout for receiving LLDP frames
  Enabling LLDP polling
  Disabling LLDP PVID inconsistency check
  Configuring CDP compatibility
  Configuring LLDP trapping and LLDP-MED trapping
  Configuring LLDP neighbor validation and aging
    Configuring LLDP neighbor validation on an interface
    Configuring LLDP neighbor aging on an interface
  Configuring MAC address borrowing
    Setting the source MAC address of LLDP frames
    Enabling generation of ARP or ND entries for received management address TLVs
  Display and maintenance commands for LLDP
  LLDP configuration examples
    Example: Configuring basic LLDP functions
    Example: Configuring CDP-compatible LLDP
Configuring DCBX
  About DCBX
    DCBX versions
    DCBX functions
    DCBX application scenario
    Protocols and standards
  DCBX tasks at a glance
  Enabling LLDP and DCBX TLV advertising
  Setting the DCBX version
  Configuring APP parameters
  Configuring ETS parameters
    About ETS parameters
    Restrictions and guidelines
    Configuring the 802.1p-to-local priority mapping
    Configuring group-based WRR queuing
  Configuring PFC parameters
  DCBX configuration examples
    Example: Configuring DCBX

Configuring LLDP
About LLDP
The Link Layer Discovery Protocol (LLDP) is a standard link layer protocol that allows network
devices from different vendors to discover neighbors and exchange system and configuration
information.
In an LLDP-enabled network, a device advertises local device information in LLDP Data Units
(LLDPDUs) to the directly connected devices. The information distributed through LLDP is stored by
its recipients in standard MIBs, making it possible for the information to be accessed by a Network
Management System (NMS) through SNMP.
Information that can be distributed through LLDP includes (but is not limited to):
• Major capabilities of the system.
• Management IP address of the system.
• Device ID.
• Port ID.

LLDP agents and bridge modes


An LLDP agent is a mapping of a protocol entity that implements LLDP. Multiple LLDP agents can
run on the same interface.
LLDP agents are classified into the following types:
• Nearest bridge agent.
• Nearest customer bridge agent.
• Nearest non-TPMR bridge agent.
A Two-port MAC Relay (TPMR) is a type of bridge that has only two externally-accessible
bridge ports. It supports a subset of the features of a MAC bridge. A TPMR is transparent to all
frame-based media-independent protocols except for the following protocols:
   ○ Protocols destined for the TPMR.
   ○ Protocols destined for reserved MAC addresses that the relay feature of the TPMR is
     configured not to forward.
LLDP exchanges packets between neighbor agents and creates and maintains neighbor information
for them. Figure 1 shows the neighbor relationships for these LLDP agents.
Figure 1 LLDP neighbor relationships
(Diagram not reproduced. Four devices in a row, CB 1, SB 1, TPMR, and CB 2, with the neighbor relationships formed between their nearest bridge agents, nearest non-TPMR bridge agents, and nearest customer bridge agents.)

The types of supported LLDP agents vary with the bridge mode in which LLDP operates. LLDP
supports the following bridge modes: customer bridge (CB) and service bridge (SB).
• Customer bridge mode—LLDP supports nearest bridge agent, nearest non-TPMR bridge
agent, and nearest customer bridge agent. LLDP processes the LLDP frames with destination
MAC addresses for these agents and transparently transmits the LLDP frames with other
destination MAC addresses in VLANs.
• Service bridge mode—LLDP supports nearest bridge agent and nearest non-TPMR bridge
agent. LLDP processes the LLDP frames with destination MAC addresses for these agents and
transparently transmits the LLDP frames with other destination MAC addresses in VLANs.

LLDP frame formats


LLDP sends device information in LLDP frames. LLDP frames are encapsulated in Ethernet II or
Subnetwork Access Protocol (SNAP) format.
LLDP frame encapsulated in Ethernet II
Figure 2 Ethernet II-encapsulated LLDP frame
(Diagram not reproduced. Fields in order, drawn against a 32-bit ruler: Destination MAC address, Source MAC address, Type, Data = LLDPDU (1500 bytes), FCS.)

Table 1 Fields in an Ethernet II-encapsulated LLDP frame

Field                    Description
Destination MAC address  MAC address to which the LLDP frame is advertised. LLDP specifies
                         different multicast MAC addresses as destination MAC addresses for
                         LLDP frames destined for agents of different types. This helps
                         distinguish between LLDP frames sent and received by different
                         agent types on the same interface. The destination MAC address is
                         fixed to one of the following multicast MAC addresses:
                         • 0x0180-c200-000E for LLDP frames destined for nearest bridge
                           agents.
                         • 0x0180-c200-0000 for LLDP frames destined for nearest customer
                           bridge agents.
                         • 0x0180-c200-0003 for LLDP frames destined for nearest non-TPMR
                           bridge agents.
Source MAC address       MAC address of the sending port.
Type                     Ethernet type for the upper-layer protocol. This field is 0x88CC
                         for LLDP.
Data                     LLDPDU.
FCS                      Frame check sequence, a 32-bit CRC value used to determine the
                         validity of the received Ethernet frame.

LLDP frame encapsulated in SNAP
Figure 3 SNAP-encapsulated LLDP frame
(Diagram not reproduced. Fields in order, drawn against a 32-bit ruler: Destination MAC address, Source MAC address, Type, Data = LLDPDU (n bytes), FCS.)

Table 2 Fields in a SNAP-encapsulated LLDP frame

Field                    Description
Destination MAC address  MAC address to which the LLDP frame is advertised. It is the same
                         as that for Ethernet II-encapsulated LLDP frames.
Source MAC address       MAC address of the sending port.
Type                     SNAP type for the upper-layer protocol. This field is
                         0xAAAA-0300-0000-88CC for LLDP.
Data                     LLDPDU.
FCS                      Frame check sequence, a 32-bit CRC value used to determine the
                         validity of the received Ethernet frame.

LLDPDUs
Each LLDP frame contains one LLDPDU. Each LLDPDU is a sequence of type-length-value (TLV)
structures.
Figure 4 LLDPDU encapsulation format

Chassis ID TLV | Port ID TLV | Time To Live TLV | Optional TLV | ... | Optional TLV | End of LLDPDU TLV

As shown in Figure 4, each LLDPDU starts with the following mandatory TLVs: Chassis ID TLV, Port
ID TLV, and Time to Live TLV. The mandatory TLVs are followed by a maximum of 29 optional TLVs.

TLVs
A TLV is an information element that contains the type, length, and value fields.
LLDPDU TLVs include the following categories:
• Basic management TLVs.
• Organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs.
• LLDP-MED (media endpoint discovery) TLVs.
Basic management TLVs are essential to device management.

Organizationally specific TLVs and LLDP-MED TLVs are used for enhanced device management.
They are defined by standardization or other organizations and are optional for LLDPDUs.
Basic management TLVs
Table 3 lists the basic management TLV types. Some of them are mandatory for LLDPDUs.
Table 3 Basic management TLVs

Type                 Description                                                 Remarks
Chassis ID           Specifies the bridge MAC address of the sending device.     Mandatory.
Port ID              Specifies the ID of the sending port:                       Mandatory.
                     • If the LLDPDU carries LLDP-MED TLVs, the port ID TLV
                       carries the MAC address of the sending port.
                     • Otherwise, the port ID TLV carries the port name.
Time to Live         Specifies the life of the transmitted information on the    Mandatory.
                     receiving device.
End of LLDPDU        Marks the end of the TLV sequence in the LLDPDU.            Mandatory.
Port Description     Specifies the description for the sending port.             Optional.
System Name          Specifies the assigned name of the sending device.          Optional.
System Description   Specifies the description for the sending device.           Optional.
System Capabilities  Identifies the primary features of the sending device and   Optional.
                     the enabled primary features.
Management Address   Specifies the following elements:                           Optional.
                     • The management address of the local device.
                     • The interface number and object identifier (OID)
                       associated with the address.
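To make the frame layout in Table 1 and the TLV sequence concrete, the following Python parser is an added example, not H3C code. It checks the destination MAC address and Type field against Table 1, walks the TLVs, enforces the mandatory TLV order, and reports what the sending device discloses. The TLV header layout (7-bit type, 9-bit length), the TLV type codes, and the subtype values come from IEEE 802.1AB rather than from this page, and the sample frame is constructed.

```python
import ipaddress
import struct

LLDP_ETHERTYPE = 0x88CC  # Type field value from Table 1

# Destination multicast MAC addresses from Table 1, one per agent type.
AGENT_BY_DMAC = {
    bytes.fromhex("0180c200000e"): "nearest bridge",
    bytes.fromhex("0180c2000000"): "nearest customer bridge",
    bytes.fromhex("0180c2000003"): "nearest non-TPMR bridge",
}

# TLV type codes as assigned by IEEE 802.1AB (the page names the TLVs only).
END, CHASSIS_ID, PORT_ID, TTL, SYSTEM_NAME, MGMT_ADDR = 0, 1, 2, 3, 5, 8

class LLDPError(ValueError):
    """Raised when a frame is not a well-formed LLDP frame."""

def parse_tlvs(lldpdu):
    """Split an LLDPDU into (type, value) pairs, stopping at End of LLDPDU."""
    tlvs, off = [], 0
    while off < len(lldpdu):
        if off + 2 > len(lldpdu):
            raise LLDPError("truncated TLV header")
        (header,) = struct.unpack_from("!H", lldpdu, off)
        tlv_type, length = header >> 9, header & 0x1FF  # 7-bit type, 9-bit length
        off += 2
        if off + length > len(lldpdu):
            raise LLDPError(f"TLV type {tlv_type} overruns the LLDPDU")
        tlvs.append((tlv_type, lldpdu[off:off + length]))
        off += length
        if tlv_type == END:
            return tlvs  # bytes after this TLV are Ethernet padding
    raise LLDPError("End of LLDPDU TLV missing")

def parse_frame(frame):
    """Validate an Ethernet II LLDP frame (FCS already stripped) and summarize it."""
    if len(frame) < 14:
        raise LLDPError("frame shorter than an Ethernet header")
    agent = AGENT_BY_DMAC.get(frame[:6])
    if agent is None:
        raise LLDPError("destination MAC is not an LLDP agent address")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != LLDP_ETHERTYPE:
        raise LLDPError(f"unexpected Type field 0x{ethertype:04X}")
    tlvs = parse_tlvs(frame[14:])
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise LLDPError("mandatory TLVs missing or out of order")
    chassis, port, ttl = (value for _, value in tlvs[:3])
    if len(chassis) < 2 or len(port) < 2 or len(ttl) != 2:
        raise LLDPError("mandatory TLV has an invalid length")
    info = {
        "agent": agent,
        "source_mac": frame[6:12].hex(":"),
        # Chassis ID subtype 4 and Port ID subtype 3 both mean "MAC address".
        "chassis_id": chassis[1:].hex(":") if chassis[0] == 4 else chassis[1:].hex(),
        "port_id": (port[1:].hex(":") if port[0] == 3
                    else port[1:].decode("ascii", "replace")),
        "ttl": struct.unpack("!H", ttl)[0],
    }
    for tlv_type, value in tlvs[3:]:
        if tlv_type == SYSTEM_NAME:
            info["system_name"] = value.decode("utf-8", "replace")
        elif tlv_type == MGMT_ADDR and len(value) >= 6 and value[0] == 5 and value[1] == 1:
            # Address string length 5 = 1-byte subtype (1 is IPv4) + 4 address bytes.
            info["management_address"] = str(ipaddress.IPv4Address(value[2:6]))
    return info

def tlv(tlv_type, value):
    """Encode one TLV (used only to build the constructed sample below)."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

# Constructed sample frame (not a capture): addresses and names are made up.
SAMPLE_MAC = bytes.fromhex("020000000001")
SAMPLE_FRAME = (
    bytes.fromhex("0180c200000e") + SAMPLE_MAC + struct.pack("!H", LLDP_ETHERTYPE)
    + tlv(CHASSIS_ID, b"\x04" + SAMPLE_MAC)             # subtype 4: MAC address
    + tlv(PORT_ID, b"\x05" + b"Twenty-FiveGigE1/0/1")   # subtype 5: interface name
    + tlv(TTL, struct.pack("!H", 120))
    + tlv(SYSTEM_NAME, b"DeviceA")
    # IPv4 address, interface numbering subtype 2 (ifIndex), ifIndex 1, empty OID.
    + tlv(MGMT_ADDR, b"\x05\x01" + bytes([192, 0, 2, 1]) + b"\x02"
          + struct.pack("!I", 1) + b"\x00")
    + tlv(END, b"")
)

if __name__ == "__main__":
    for key, val in parse_frame(SAMPLE_FRAME).items():
        print(f"{key}: {val}")
```

The summary makes visible how much a single LLDP frame reveals to any directly connected device: the bridge MAC address, the port name, the system name, and the management IP address.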

IEEE 802.1 organizationally specific TLVs


Table 4 lists the IEEE 802.1 organizationally specific TLVs.
The device can receive protocol identity TLVs and VID usage digest TLVs, but it cannot send these
TLVs.
Layer 3 Ethernet ports support only link aggregation TLVs.
Table 4 IEEE 802.1 organizationally specific TLVs

Type                               Description
Port VLAN ID (PVID)                Specifies the port VLAN identifier.
Port And Protocol VLAN ID (PPVID)  Indicates whether the device supports protocol VLANs and, if so,
                                   what VLAN IDs these protocols will be associated with.
VLAN Name                          Specifies the textual name of any VLAN to which the port belongs.
Protocol Identity                  Indicates protocols supported on the port.
DCBX                               Data center bridging exchange protocol.
EVB module                         Edge Virtual Bridging module, including EVB TLV and CDCP TLV.
                                   EVB module TLVs are not supported in the current software
                                   version.
Link Aggregation                   Indicates whether the port supports link aggregation, and if
                                   yes, whether link aggregation is enabled.
Management VID                     Management VLAN ID.
VID Usage Digest                   VLAN ID usage digest.
ETS Configuration                  Enhanced Transmission Selection configuration.
ETS Recommendation                 ETS recommendation.
PFC                                Priority-based Flow Control.
APP                                Application protocol.
QCN                                Quantized Congestion Notification.
                                   QCN TLVs are not supported in the current software version.

IEEE 802.3 organizationally specific TLVs


Table 5 shows the IEEE 802.3 organizationally specific TLVs.
The Power Stateful Control TLV is defined in IEEE P802.3at D1.0 and is not supported in later
versions. The device sends this type of TLVs only after receiving them.
Table 5 IEEE 802.3 organizationally specific TLVs

Type                          Description
MAC/PHY Configuration/Status  Contains the bit-rate and duplex capabilities of the port,
                              support for autonegotiation, enabling status of
                              autonegotiation, and the current rate and duplex mode.
Link Aggregation              Indicates whether the port supports link aggregation, and if
                              yes, whether link aggregation is enabled.
Power Via MDI                 Contains the power supply capabilities of the port:
                              • Port class (PSE or PD).
                              • Power supply mode.
                              • Whether PSE power supply is supported.
                              • Whether PSE power supply is enabled.
                              • Whether pair selection can be controlled.
                              • Power supply type.
                              • Power source.
                              • Power priority.
                              • PD requested power.
                              • PSE allocated power.
Maximum Frame Size            Indicates the supported maximum frame size.
Power Stateful Control        Indicates the power state control configured on the sending
                              port, including the following:
                              • Power supply mode of the PSE/PD.
                              • PSE/PD priority.
                              • PSE/PD power.
Energy-Efficient Ethernet     Indicates Energy Efficient Ethernet (EEE).

LLDP-MED TLVs
LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as basic
configuration, network policy configuration, and address and directory management. LLDP-MED
TLVs provide a cost-effective and easy-to-use solution for deploying voice devices in Ethernet.
LLDP-MED TLVs are shown in Table 6.

If the MAC/PHY configuration/status TLV is not advertisable, none of the LLDP-MED TLVs will be
advertised even if they are advertisable.
If the LLDP-MED capabilities TLV is not advertisable, the other LLDP-MED TLVs will not be
advertised even if they are advertisable.
Table 6 LLDP-MED TLVs

Type                     Description
LLDP-MED Capabilities    Allows a network device to advertise the LLDP-MED TLVs that it
                         supports.
Network Policy           Allows a network device or terminal device to advertise the VLAN
                         ID of a port, the VLAN type, and the Layer 2 and Layer 3
                         priorities for specific applications.
Extended Power-via-MDI   Allows a network device or terminal device to advertise power
                         supply capability. This TLV is an extension of the Power Via MDI
                         TLV.
Hardware Revision        Allows a terminal device to advertise its hardware version.
Firmware Revision        Allows a terminal device to advertise its firmware version.
Software Revision        Allows a terminal device to advertise its software version.
Serial Number            Allows a terminal device to advertise its serial number.
Manufacturer Name        Allows a terminal device to advertise its vendor name.
Model Name               Allows a terminal device to advertise its model name.
Asset ID                 Allows a terminal device to advertise its asset ID. The typical
                         case is that the user specifies the asset ID for the endpoint to
                         facilitate directory management and asset tracking.
Location Identification  Allows a network device to advertise the appropriate location
                         identifier information for a terminal device to use in the
                         context of location-based applications.

Management address
The network management system uses the management address of a device to identify and manage
the device for topology maintenance and network management. The management address is
encapsulated in the management address TLV.

LLDP operating modes


An LLDP agent can operate in one of the following modes:
• TxRx mode—An LLDP agent in this mode can send and receive LLDP frames.
• Tx mode—An LLDP agent in this mode can only send LLDP frames.
• Rx mode—An LLDP agent in this mode can only receive LLDP frames.
• Disable mode—An LLDP agent in this mode cannot send or receive LLDP frames.
Each time the operating mode of an LLDP agent changes, its LLDP protocol state machine
reinitializes. A configurable reinitialization delay prevents frequent initializations caused by frequent
changes to the operating mode. If you configure the reinitialization delay, an LLDP agent must wait
the specified amount of time to initialize LLDP after the LLDP operating mode changes.

Transmitting and receiving LLDP frames
Transmitting LLDP frames
An LLDP agent operating in TxRx mode or Tx mode sends LLDP frames to its directly connected
devices both periodically and when the local configuration changes. To prevent LLDP frames from
overwhelming the network during times of frequent changes to local device information, LLDP uses
the token bucket mechanism to rate limit LLDP frames. For more information about the token bucket
mechanism, see ACL and QoS Configuration Guide.
LLDP automatically enables the fast LLDP frame transmission mechanism in either of the following
cases:
• A new LLDP frame is received and carries device information new to the local device.
• The LLDP operating mode of the LLDP agent changes from Disable or Rx to TxRx or Tx.
The fast LLDP frame transmission mechanism successively sends the specified number of LLDP
frames at a configurable fast LLDP frame transmission interval. The mechanism helps LLDP
neighbors discover the local device as soon as possible. Then, the normal LLDP frame transmission
interval resumes.
Receiving LLDP frames
An LLDP agent operating in TxRx mode or Rx mode confirms the validity of TLVs carried in every
received LLDP frame. If the TLVs are valid, the LLDP agent saves the information and starts an
aging timer. The initial value of the aging timer is equal to the TTL value in the Time To Live TLV
carried in the LLDP frame. When the LLDP agent receives a new LLDP frame, the aging timer
restarts. When the aging timer decreases to zero, all saved information ages out.

Collaboration with Track


You can configure a track entry and associate it with an LLDP interface. The LLDP module checks
the neighbor availability of the LLDP interface and reports the check result to the Track module. The
Track module changes the track entry status accordingly so the associated application module can
take correct actions.
The Track module changes the track entry status based on the neighbor availability of a monitored
LLDP interface as follows:
• If the neighbor of the LLDP interface is available, the Track module sets the track entry to
Positive state.
• If the neighbor of the LLDP interface is unavailable, the Track module sets the track entry to
Negative state.
For more information about collaboration between Track and LLDP, see the track configuration in
High Availability Configuration Guide.

Protocols and standards


• IEEE 802.1AB-2005, Station and Media Access Control Connectivity Discovery
• IEEE 802.1AB-2009, Station and Media Access Control Connectivity Discovery
• ANSI/TIA-1057, Link Layer Discovery Protocol for Media Endpoint Devices
• IEEE Std 802.1Qaz-2011, Media Access Control (MAC) Bridges and Virtual Bridged Local Area
Networks-Amendment 18: Enhanced Transmission Selection for Bandwidth Sharing Between
Traffic Classes

Restrictions and guidelines: LLDP configuration
When you configure LLDP, follow these restrictions and guidelines:
• Some of the LLDP configuration tasks are available in different interface views (see Table 7).
Table 7 Support of LLDP configuration tasks in different views

Tasks:
• Enabling LLDP
• Setting the LLDP operating mode
• Configuring the advertisable TLVs
• Configuring advertisement of the management address TLV
• Setting the encapsulation format for LLDP frames
• Enabling LLDP polling
• Configuring LLDP trapping and LLDP-MED trapping

Supported views:
• Layer 2 Ethernet interface view
• Layer 3 Ethernet interface view
• Management Ethernet interface view
• Layer 2 aggregate interface view
• Layer 3 aggregate interface view
• IRF physical interface view

• To use LLDP together with OpenFlow, you must enable LLDP globally on OpenFlow switches.
To prevent LLDP from affecting topology discovery of OpenFlow controllers, disable LLDP on
ports of OpenFlow instances. For more information about OpenFlow, see OpenFlow
Configuration Guide.
• You can configure LLDP on an IRF physical interface to monitor the connection and link status
of the IRF physical link. An LLDP-enabled IRF physical interface supports only the nearest
bridge agent.

LLDP tasks at a glance


To configure LLDP, perform the following tasks:
1. Enabling LLDP
2. Setting the LLDP bridge mode
3. Setting the LLDP operating mode
4. (Optional.) Setting the LLDP reinitialization delay
5. (Optional.) Configuring LLDP packet-related settings
   ○ Configuring the advertisable TLVs
   ○ Configuring advertisement of the management address TLV
   ○ Setting the encapsulation format for LLDP frames
   ○ Setting LLDP frame transmission parameters
   ○ Setting the timeout for receiving LLDP frames
6. (Optional.) Enabling LLDP polling
7. (Optional.) Disabling LLDP PVID inconsistency check
8. (Optional.) Configuring CDP compatibility
9. (Optional.) Configuring LLDP trapping and LLDP-MED trapping
10. (Optional.) Configuring LLDP neighbor validation and aging
   ○ Configuring LLDP neighbor validation on an interface
   ○ Configuring LLDP neighbor aging on an interface
11. (Optional.) Configuring MAC address borrowing
   ○ (Optional.) Setting the source MAC address of LLDP frames
   ○ (Optional.) Enabling generation of ARP or ND entries for received management address
     TLVs

Enabling LLDP
Restrictions and guidelines
For LLDP to take effect on specific ports, you must enable LLDP both globally and on these ports.
Procedure
1. Enter system view.
system-view
2. Enable LLDP globally.
lldp global enable
If the device is started with the software default settings, LLDP is disabled globally.
If the device is started with the factory default settings, LLDP is enabled globally.
3. Enter interface view.
interface interface-type interface-number
4. Enable LLDP.
lldp enable
By default, LLDP is enabled on a port.

Setting the LLDP bridge mode


1. Enter system view.
system-view
2. Set the LLDP bridge mode.
 Set the LLDP bridge mode to service bridge.
lldp mode service-bridge
By default, LLDP operates in customer bridge mode.
 Set the LLDP bridge mode to customer bridge.
undo lldp mode
By default, LLDP operates in customer bridge mode.

Setting the LLDP operating mode


1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the LLDP operating mode.
 In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view:
lldp [ agent { nearest-customer | nearest-nontpmr } ] admin-status
{ disable | rx | tx | txrx }

In Ethernet interface view, if you do not specify an agent type, the command sets the
operating mode for the nearest bridge agent.
 In Layer 2/Layer 3 aggregate interface view:
lldp agent { nearest-customer | nearest-nontpmr } admin-status
{ disable | rx | tx | txrx }
In aggregate interface view, you can set the operating mode only for the nearest customer
bridge agent and nearest non-TPMR bridge agent.
 In IRF physical interface view:
lldp admin-status { disable | rx | tx | txrx }
In IRF physical interface view, you can set the operating mode only for the nearest bridge
agent.
By default:
 The nearest bridge agent operates in TxRx mode.
 The nearest customer bridge agent and nearest non-TPMR bridge agent operate in Disable
mode.

Setting the LLDP reinitialization delay


About this task
When the LLDP operating mode changes on a port, the port initializes the protocol state machines
after an LLDP reinitialization delay. By adjusting the delay, you can avoid frequent initializations
caused by frequent changes to the LLDP operating mode on a port.
Procedure
1. Enter system view.
system-view
2. Set the LLDP reinitialization delay.
lldp timer reinit-delay delay
The default LLDP reinitialization delay is 2 seconds.

Configuring the advertisable TLVs


1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the advertisable TLVs.
 In Layer 2 Ethernet interface view:
lldp tlv-enable { basic-tlv { all | port-description |
system-capability | system-description | system-name |
management-address-tlv [ ipv6 ] [ ip-address | interface loopback
interface-number ] } | dot1-tlv { all | port-vlan-id |
link-aggregation | dcbx | protocol-vlan-id [ vlan-id ] | vlan-name
[ vlan-id ] | management-vid [ mvlan-id ] } | dot3-tlv { all |
link-aggregation | mac-physic | max-frame-size | power } | med-tlv
{ all | capability | inventory | network-policy [ vlan-id ] |
power-over-ethernet | location-id { civic-address device-type

country-code { ca-type ca-value }&<1-10> | elin-address
tel-number } } }
By default, the nearest bridge agent advertises all supported TLVs except the following
TLVs:
− DCBX TLVs.
− Location identification TLVs.
− Port and protocol VLAN ID TLVs.
− VLAN name TLVs.
− Management VLAN ID TLVs.
lldp agent nearest-nontpmr tlv-enable { basic-tlv { all |
port-description | system-capability | system-description |
system-name | management-address-tlv [ ipv6 ] [ ip-address ] } |
dot1-tlv { all | port-vlan-id | link-aggregation } | dot3-tlv { all |
link-aggregation } }
lldp tlv-enable dot1-tlv { protocol-vlan-id [ vlan-id ] | vlan-name
[ vlan-id ] | management-vid [ mvlan-id ] }
By default, the nearest non-TPMR bridge agent does not advertise any TLVs.
lldp agent nearest-customer tlv-enable { basic-tlv { all |
port-description | system-capability | system-description |
system-name | management-address-tlv [ ipv6 ] [ ip-address ] } |
dot1-tlv { all | port-vlan-id | link-aggregation } | dot3-tlv { all
| link-aggregation } }
lldp tlv-enable dot1-tlv { protocol-vlan-id [ vlan-id ] | vlan-name
[ vlan-id ] | management-vid [ mvlan-id ] }
By default, the nearest customer bridge agent advertises all the supported basic
management TLVs and IEEE 802.1 organizationally specific TLVs.
 In Layer 3 Ethernet interface view:
lldp tlv-enable { basic-tlv { all | port-description |
system-capability | system-description | system-name |
management-address-tlv [ ipv6 ] [ ip-address | interface loopback
interface-number ] } | dot1-tlv { all | link-aggregation } | dot3-tlv
{ all | link-aggregation | mac-physic | max-frame-size | power } |
med-tlv { all | capability | inventory | power-over-ethernet |
location-id { civic-address device-type country-code { ca-type
ca-value }&<1-10> | elin-address tel-number } } }
By default, the nearest bridge agent advertises the following TLVs:
− All supported basic management TLVs.
− Link aggregation TLVs in the 802.1 organizationally specific TLV set.
− All supported 802.3 organizationally specific TLVs.
− All supported LLDP-MED TLVs except the network policy TLVs.
lldp agent { nearest-nontpmr | nearest-customer } tlv-enable
{ basic-tlv { all | port-description | system-capability |
system-description | system-name | management-address-tlv [ ipv6 ]
[ ip-address ] } | dot1-tlv { all | link-aggregation } | dot3-tlv { all |
link-aggregation } }
By default:
− The nearest non-TPMR bridge agent does not advertise any TLVs.
− The nearest customer bridge agent advertises all supported basic management TLVs
and link aggregation TLVs in the IEEE 802.1 organizationally specific TLV set.

 In management Ethernet interface view:
lldp tlv-enable { basic-tlv { all | port-description |
system-capability | system-description | system-name |
management-address-tlv [ ipv6 ] [ ip-address ] } | dot1-tlv { all |
link-aggregation } | dot3-tlv { all | link-aggregation | mac-physic |
max-frame-size | power } | med-tlv { all | capability | inventory |
power-over-ethernet | location-id { civic-address device-type
country-code { ca-type ca-value }&<1-10> | elin-address
tel-number } } }
By default, the nearest bridge agent advertises the following TLVs:
− All supported basic management TLVs.
− Link aggregation TLVs in the 802.1 organizationally specific TLV set.
− All supported 802.3 organizationally specific TLVs.
− All supported LLDP-MED TLVs except the network policy TLVs.
lldp agent { nearest-nontpmr | nearest-customer } tlv-enable
{ basic-tlv { all | port-description | system-capability |
system-description | system-name | management-address-tlv [ ipv6 ]
[ ip-address ] } | dot1-tlv { all | link-aggregation } | dot3-tlv { all |
link-aggregation } }
By default:
− The nearest non-TPMR bridge agent does not advertise any TLVs.
− The nearest customer bridge agent advertises all supported basic management TLVs
and link aggregation TLVs in the IEEE 802.1 organizationally specific TLV set.
 In Layer 2 aggregate interface view:
lldp tlv-enable dot1-tlv { protocol-vlan-id [ vlan-id ] | vlan-name
[ vlan-id ] | management-vid [ mvlan-id ] }
lldp agent nearest-nontpmr tlv-enable { basic-tlv { all |
management-address-tlv [ ipv6 ] [ ip-address ] | port-description |
system-capability | system-description | system-name } | dot1-tlv
{ all | port-vlan-id } }
By default, the nearest non-TPMR bridge agent does not advertise any TLVs.
lldp agent nearest-customer tlv-enable { basic-tlv { all |
management-address-tlv [ ipv6 ] [ ip-address ] | port-description |
system-capability | system-description | system-name } | dot1-tlv
{ all | port-vlan-id } }
By default, the nearest customer bridge agent advertises all supported basic management
TLVs and Port VLAN ID TLVs in the IEEE 802.1 organizationally specific TLV set.
The nearest bridge agent is not supported.
 In Layer 3 aggregate interface view:
lldp agent { nearest-customer | nearest-nontpmr } tlv-enable
basic-tlv { all | management-address-tlv [ ipv6 ] [ ip-address ] |
port-description | system-capability | system-description |
system-name }
By default:
− The nearest non-TPMR bridge agent does not advertise any TLVs.
− The nearest customer bridge agent advertises all supported basic management TLVs.
The nearest bridge agent is not supported.
 In IRF physical interface view:

lldp tlv-enable basic-tlv { port-description | system-capability
| system-description | system-name }
By default, the nearest bridge agent advertises all supported basic management TLVs.
Only the nearest bridge agent is supported.

Configuring advertisement of the management address TLV
About this task
LLDP encodes management addresses in numeric or string format in management address TLVs.
If a neighbor encodes its management address in string format, set the encoding format of the
management address to string on the connecting port. This guarantees normal communication
with the neighbor.
You can configure advertisement of the management address TLV globally or on a per-interface
basis. The device selects the management address TLV advertisement setting for an interface in the
following order:
1. Interface-based setting, configured by using the lldp tlv-enable command with the
management-address-tlv keyword.
2. Global setting, configured by using the lldp global tlv-enable basic-tlv
management-address-tlv command.
3. Default setting for the interface.
By default:
 The nearest bridge agent and nearest customer bridge agent advertise the management
address TLV.
 The nearest non-TPMR bridge agent does not advertise the management address TLV.
Procedure
1. Enter system view.
system-view
2. Enable advertisement of the management address TLV globally and set the management
address to be advertised.
lldp [ agent { nearest-customer | nearest-nontpmr } ] global tlv-enable
basic-tlv management-address-tlv [ ipv6 ] { ip-address | interface
loopback interface-number | interface m-gigabitethernet
interface-number | interface vlan-interface interface-number }
By default, advertisement of the management address TLV is disabled globally.
3. Enter interface view.
interface interface-type interface-number
4. Enable advertisement of the management address TLV on the interface and set the
management address to be advertised.
 In Layer 2 Ethernet interface view or management Ethernet interface view:
lldp tlv-enable basic-tlv management-address-tlv [ ipv6 ]
[ ip-address | interface loopback interface-number ]
lldp agent { nearest-customer | nearest-nontpmr } tlv-enable
basic-tlv management-address-tlv [ ipv6 ] [ ip-address ]
 In Layer 3 Ethernet interface view:

lldp [ agent { nearest-customer | nearest-nontpmr } ] tlv-enable
basic-tlv management-address-tlv [ ipv6 ] [ ip-address | interface
loopback interface-number ]
 In Layer 2/Layer 3 aggregate interface view:
lldp agent { nearest-customer | nearest-nontpmr } tlv-enable
basic-tlv management-address-tlv [ ipv6 ] [ ip-address ]
By default:
 The nearest bridge agent and nearest customer bridge agent advertise the management
address TLVs.
 The nearest non-TPMR bridge agent does not advertise the management address TLV.
5. Set the encoding format of the management address to string.
 In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view:
lldp [ agent { nearest-customer | nearest-nontpmr } ]
management-address-format string
 In Layer 2/Layer 3 aggregate interface view:
lldp agent { nearest-customer | nearest-nontpmr }
management-address-format string
The default management address encoding format is numeric.
The device supports only the numeric encoding format for IPv6 management addresses.

Setting the encapsulation format for LLDP frames


About this task
Earlier versions of LLDP require the same encapsulation format on both ends to process LLDP
frames. To successfully communicate with a neighboring device running an earlier version of LLDP,
the local device must be set with the same encapsulation format.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the encapsulation format for LLDP frames to SNAP.
 In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view:
lldp [ agent { nearest-customer | nearest-nontpmr } ] encapsulation
snap
 In Layer 2/Layer 3 aggregate interface view:
lldp agent { nearest-customer | nearest-nontpmr } encapsulation
snap
 In IRF physical interface view:
lldp encapsulation snap
By default, the Ethernet II encapsulation format is used.

Setting LLDP frame transmission parameters
About this task
The Time to Live TLV carried in an LLDPDU determines how long the device information carried in
the LLDPDU can be saved on a recipient device.
By setting the TTL multiplier, you can configure the TTL of locally sent LLDPDUs. The TTL is
expressed by using the following formula:
TTL = Min (65535, (TTL multiplier × LLDP frame transmission interval + 1))
As the expression shows, the TTL can be up to 65535 seconds. TTLs greater than 65535 will be
rounded down to 65535 seconds.
Procedure
1. Enter system view.
system-view
2. Set the TTL multiplier.
lldp hold-multiplier value
The default setting is 4.
3. Set the LLDP frame transmission interval.
lldp timer tx-interval interval
The default setting is 30 seconds.
4. Set the token bucket size for sending LLDP frames.
lldp max-credit credit-value
The default setting is 5.
5. Set the number of LLDP frames sent each time fast LLDP frame transmission is triggered.
lldp fast-count count
The default setting is 4.
6. Set the fast LLDP frame transmission interval.
lldp timer fast-interval interval
The default setting is 1 second.

Setting the timeout for receiving LLDP frames


About this task
This feature allows the device to detect the presence of directly connected neighbors by setting the
timeout timer for receiving LLDP frames. If an interface has not received any frames when the
timeout timer expires, the device reports a no LLDP neighbor event to the NETCONF module.
Restrictions and guidelines
To avoid misdetection, make sure the timeout for receiving LLDP frames is greater than the LLDP
frame transmission interval.
Procedure
1. Enter system view.
system-view
2. Set the timeout for receiving LLDP frames.
lldp timer rx-timeout timeout

By default, no timeout is set for receiving LLDP frames, and the device does not report no LLDP
neighbor events.

Enabling LLDP polling


About this task
With LLDP polling enabled, a device periodically searches for local configuration changes. When the
device detects a configuration change, it sends LLDP frames to inform neighboring devices of the
change.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable LLDP polling and set the polling interval.
 In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view:
lldp [ agent { nearest-customer | nearest-nontpmr } ]
check-change-interval interval
 In Layer 2/Layer 3 aggregate interface view:
lldp agent { nearest-customer | nearest-nontpmr }
check-change-interval interval
 In IRF physical interface view:
lldp check-change-interval interval
By default, LLDP polling is disabled.

Disabling LLDP PVID inconsistency check


About this task
By default, when the system receives an LLDP packet, it compares the PVID value contained in the
packet with the PVID configured on the receiving interface. If the two PVIDs do not match, a log
message will be printed to notify the user.
You can disable PVID inconsistency check if different PVIDs are required on a link.
Procedure
1. Enter system view.
system-view
2. Disable LLDP PVID inconsistency check.
lldp ignore-pvid-inconsistency
By default, LLDP PVID inconsistency check is enabled.

Configuring CDP compatibility


About this task
To enable your device to exchange information with a directly connected Cisco device that supports
only CDP, you must enable CDP compatibility.

CDP compatibility enables your device to receive and recognize CDP packets from the neighboring
CDP device and send CDP packets to the neighboring device. The CDP packets sent to the
neighboring CDP device carry the following information:
• Device ID.
• ID of the port connecting to the neighboring device.
• Port IP address.
• TTL.
The port IP address is the primary IP address of a VLAN interface in up state. The VLAN ID of the
VLAN interface must be the lowest among the VLANs permitted on the port. If no VLAN interfaces of
the permitted VLANs are assigned an IP address or all VLAN interfaces are down, no port IP address
will be advertised.
You can view the neighboring CDP device information that can be recognized by the device in the
output of the display lldp neighbor-information command. For more information about
the display lldp neighbor-information command, see LLDP commands in Layer 2—LAN
Switching Command Reference.
To make your device work with Cisco IP phones, you must enable CDP compatibility.
If your LLDP-enabled device cannot recognize CDP packets, it does not respond to the requests of
Cisco IP phones for the voice VLAN ID configured on the device. As a result, a requesting Cisco IP
phone sends voice traffic without any tag to your device. Your device cannot differentiate the voice
traffic from other types of traffic.
CDP compatibility enables your device to receive and recognize CDP packets from a Cisco IP phone
and respond with CDP packets carrying TLVs with the configured voice VLAN. If no voice VLAN is
configured for CDP packets, CDP packets carry the voice VLAN of the port or the voice VLAN
assigned by the RADIUS server. The assigned voice VLAN has a higher priority. According to TLVs
with the voice VLAN configuration, the IP phone automatically configures the voice VLAN. As a result,
the voice traffic is confined in the configured voice VLAN and is differentiated from other types of
traffic.
For more information about voice VLANs, see "Configuring voice VLANs."
When the device is connected to a Cisco IP phone that has a host attached to its data port, the host
must access the network through the Cisco IP phone. If the data port goes down, the IP phone will
send a CDP packet to the device so the device can log out the user.
CDP-compatible LLDP operates in one of the following modes:
• TxRx—CDP packets can be transmitted and received.
• Rx—CDP packets can be received but cannot be transmitted.
• Disable—CDP packets cannot be transmitted or received.
Restrictions and guidelines
When you configure CDP compatibility for LLDP, follow these restrictions and guidelines:
• To make CDP-compatible LLDP take effect on a port, follow these steps:
a. Enable CDP-compatible LLDP globally.
b. Configure CDP-compatible LLDP to operate in TxRx mode on the port.
• The maximum TTL value that CDP allows is 255 seconds. To make CDP-compatible LLDP
work correctly with Cisco IP phones, configure the LLDP frame transmission interval to be no
more than 1/3 of the TTL value.
Prerequisites
Before you configure CDP compatibility, complete the following tasks:
• Globally enable LLDP.
• Enable LLDP on the port connecting to a CDP device.

• Configure LLDP to operate in TxRx mode on the port.
Procedure
1. Enter system view.
system-view
2. Enable CDP compatibility globally.
lldp compliance cdp
By default, CDP compatibility is disabled globally.
3. Enter Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view.
interface interface-type interface-number
4. Configure CDP-compatible LLDP to operate in TxRx mode.
lldp compliance admin-status cdp txrx
By default, CDP-compatible LLDP operates in disable mode.
5. Set the voice VLAN ID carried in CDP packets.
cdp voice-vlan vlan-id
By default, no voice VLAN ID is configured to be carried in CDP packets.
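The timer rules in this guide (the TTL formula, the receive timeout guideline, and the CDP restriction above) can be checked together before a change is committed. The following Python sketch is an added example, not H3C code. It assumes the commands appear in a saved configuration in the form the guide gives them, and that the TTL carried in CDP packets is the LLDP TTL capped at CDP's 255-second maximum, which the guide implies but does not state. The function names and the sample configuration are constructed for illustration.

```python
import re

# Defaults stated in the guide: hold multiplier 4, transmission interval 30 s,
# no receive timeout, CDP compatibility disabled globally.
DEFAULTS = {"hold_multiplier": 4, "tx_interval": 30, "rx_timeout": None, "cdp": False}

# Global commands exactly as the guide writes them.
PATTERNS = {
    "hold_multiplier": re.compile(r"lldp hold-multiplier (\d+)$"),
    "tx_interval": re.compile(r"lldp timer tx-interval (\d+)$"),
    "rx_timeout": re.compile(r"lldp timer rx-timeout (\d+)$"),
}
LLDP_MAX_TTL = 65535  # upper bound in the guide's TTL formula
CDP_MAX_TTL = 255     # maximum TTL that CDP allows, per the guide

# Constructed sample: a configuration that violates both guidelines.
SAMPLE_CONFIG = """\
#
 lldp global enable
 lldp compliance cdp
 lldp hold-multiplier 4
 lldp timer tx-interval 100
 lldp timer rx-timeout 60
#
interface Twenty-FiveGigE1/0/1
 lldp compliance admin-status cdp txrx
#
"""


def parse_lldp_timers(config_text):
    """Collect the global LLDP timer settings, falling back to the defaults."""
    settings = dict(DEFAULTS)
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "lldp compliance cdp":  # global switch, not the per-port mode
            settings["cdp"] = True
        for key, pattern in PATTERNS.items():
            match = pattern.match(line)
            if match:
                settings[key] = int(match.group(1))
    return settings


def lldp_ttl(hold_multiplier, tx_interval):
    """TTL = Min(65535, TTL multiplier x transmission interval + 1)."""
    return min(LLDP_MAX_TTL, hold_multiplier * tx_interval + 1)


def check_timers(config_text):
    """Return the advertised TTL and any guideline the settings break."""
    s = parse_lldp_timers(config_text)
    ttl = lldp_ttl(s["hold_multiplier"], s["tx_interval"])
    findings = []
    # The receive timeout must be greater than the transmission interval.
    if s["rx_timeout"] is not None and s["rx_timeout"] <= s["tx_interval"]:
        findings.append("rx-timeout-not-greater-than-tx-interval")
    if s["cdp"]:
        # Assumption of this example: CDP carries the LLDP TTL capped at 255.
        cdp_ttl = min(CDP_MAX_TTL, ttl)
        # The transmission interval must be no more than 1/3 of the TTL.
        if 3 * s["tx_interval"] > cdp_ttl:
            findings.append("tx-interval-above-one-third-of-cdp-ttl")
    return {"ttl": ttl, "findings": findings}


if __name__ == "__main__":
    result = check_timers(SAMPLE_CONFIG)
    print("Advertised TTL:", result["ttl"], "seconds")
    for finding in result["findings"]:
        print("Guideline violated:", finding)
```

With the default settings the check passes: the TTL is 121 seconds and the 30-second interval is within one third of it.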

Configuring LLDP trapping and LLDP-MED trapping
About this task
LLDP trapping or LLDP-MED trapping notifies the network management system of events such as
newly detected neighboring devices and link failures.
To prevent excessive LLDP traps from being sent when the topology is unstable, set a trap
transmission interval for LLDP.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable LLDP trapping.
 In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view:
lldp [ agent { nearest-customer | nearest-nontpmr } ] notification
remote-change enable
 In Layer 2/Layer 3 aggregate interface view:
lldp agent { nearest-customer | nearest-nontpmr } notification
remote-change enable
 In IRF physical interface view:
lldp notification remote-change enable
By default, LLDP trapping is disabled.
4. (In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view.) Enable
LLDP-MED trapping.
lldp notification med-topology-change enable
By default, LLDP-MED trapping is disabled.

5. Return to system view.
quit
6. (Optional.) Set the LLDP trap transmission interval.
lldp timer notification-interval interval
The default setting is 30 seconds.

Configuring LLDP neighbor validation and aging


Configuring LLDP neighbor validation on an interface
About this task
LLDP neighbor validation enables an interface to validate the identity of the neighbor based on the
neighbor validation criteria configured on the interface. The neighbor validation criteria can be the
chassis ID TLV, port ID TLV, or both. Each incoming LLDP packet must match all the validation
criteria configured on the interface. If the neighbor information in an incoming LLDP packet does not
match the criteria, the system shuts down the data link layer and disables data transmission on the
interface.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 or Layer 3 Ethernet interface view.
interface interface-type interface-number
3. Configure the neighbor validation criteria. Choose the following tasks as needed:
 Configure the chassis ID TLV criterion.
lldp neighbor-identity chassis-id chassis-id-subtype chassis-id
 Configure the port ID TLV criterion.
lldp neighbor-identity port-id port-id-subtype port-id
By default, no neighbor validation criteria exist on an interface.
4. Enable LLDP neighbor validation on the interface.
lldp neighbor-protection validation
By default, LLDP neighbor validation is disabled on an interface.
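The matching rule described above, where every configured criterion must match the chassis ID TLV and port ID TLV of each incoming LLDP packet, can be modeled in a few lines. The following Python sketch is an added example, not H3C code. The TLV type codes and ID subtypes come from IEEE 802.1AB rather than from this guide, and the MAC addresses, port names, function names, and the fail-closed handling of malformed frames are assumptions made for illustration.

```python
import struct

# TLV type codes defined by IEEE 802.1AB (not listed in the guide).
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL = 0, 1, 2, 3
# ID subtypes used in the constructed samples: 4 = MAC address, 5 = interface name.
CHASSIS_SUBTYPE_MAC, PORT_SUBTYPE_IFNAME = 4, 5


def build_tlv(tlv_type, value):
    """Encode one TLV: a 7-bit type and a 9-bit length share a 2-byte header."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("type or length does not fit the TLV header")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(payload):
    """Return {type: value} for the first TLV of each type, up to End Of LLDPDU."""
    tlvs, offset = {}, 0
    while offset + 2 <= len(payload):
        (header,) = struct.unpack_from("!H", payload, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if tlv_type == TLV_END:
            break
        if offset + length > len(payload):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        tlvs.setdefault(tlv_type, payload[offset:offset + length])
        offset += length
    return tlvs


def neighbor_identity(payload):
    """Extract (subtype, id) pairs from the chassis ID and port ID TLVs."""
    tlvs = parse_lldpdu(payload)
    identity = {}
    for name, tlv_type in (("chassis-id", TLV_CHASSIS_ID), ("port-id", TLV_PORT_ID)):
        value = tlvs.get(tlv_type, b"")
        if len(value) < 2:  # one subtype byte plus at least one ID byte
            raise ValueError(f"{name} TLV missing or too short")
        identity[name] = (value[0], value[1:])
    return identity


def validate_neighbor(payload, criteria):
    """Decide what a validating interface does with one received LLDPDU.

    criteria maps "chassis-id" and/or "port-id" to the expected (subtype, id).
    Every configured criterion must match, as the guide states. A malformed
    LLDPDU is treated as a mismatch: that fail-closed choice is this example's
    assumption, because the guide does not describe that case.
    """
    if not criteria:
        raise ValueError("configure at least one criterion before validating")
    try:
        seen = neighbor_identity(payload)
    except ValueError:
        return "link-layer-down"
    matched = all(seen[name] == expected for name, expected in criteria.items())
    return "forward" if matched else "link-layer-down"


def sample_lldpdu(chassis_mac, port_name, ttl=121):
    """Constructed LLDPDU; TTL 121 follows from the guide's defaults (4 x 30 + 1)."""
    return (build_tlv(TLV_CHASSIS_ID, bytes([CHASSIS_SUBTYPE_MAC]) + chassis_mac)
            + build_tlv(TLV_PORT_ID, bytes([PORT_SUBTYPE_IFNAME]) + port_name)
            + build_tlv(TLV_TTL, struct.pack("!H", ttl))
            + build_tlv(TLV_END, b""))


# Constructed values for illustration only.
EXPECTED_MAC = bytes.fromhex("0011223344aa")
CRITERIA_BOTH = {
    "chassis-id": (CHASSIS_SUBTYPE_MAC, EXPECTED_MAC),
    "port-id": (PORT_SUBTYPE_IFNAME, b"Twenty-FiveGigE1/0/1"),
}

if __name__ == "__main__":
    frames = {
        "expected neighbor": sample_lldpdu(EXPECTED_MAC, b"Twenty-FiveGigE1/0/1"),
        "different chassis ID": sample_lldpdu(bytes.fromhex("0011223344bb"),
                                              b"Twenty-FiveGigE1/0/1"),
        "different port ID": sample_lldpdu(EXPECTED_MAC, b"Twenty-FiveGigE1/0/9"),
    }
    for label, frame in frames.items():
        print(f"{label:22s} -> {validate_neighbor(frame, CRITERIA_BOTH)}")
```

Configuring both criteria is stricter than configuring one: a frame with the expected chassis ID but a different port ID passes a chassis-only check and fails the combined check.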

Configuring LLDP neighbor aging on an interface


About this task
An LLDP neighbor aging-enabled interface ages out a neighbor if it does not receive an LLDP packet
from the neighbor within the aging time.
LLDP takes either of the following actions when neighbor aging occurs on an interface:
• Block—Blocks the interface. The block action places the data link layer protocol of the
interface in DOWN state. In this state, the interface cannot transfer data packets. The data
transfer capability automatically recovers when the interface receives an LLDP packet.
• Shutdown—Shuts down the interface. The shutdown action places the interface in LLDP
DOWN state. In this state, the interface can neither transfer data packets nor LLDP packets.
You must manually execute the undo lldp neighbor-protection aging or undo
shutdown command to bring up the interface.

Procedure
1. Enter system view.
system-view
2. Enter Layer 2 or Layer 3 Ethernet interface view.
interface interface-type interface-number
3. Enable LLDP neighbor aging on the interface.
lldp neighbor-protection aging { block | shutdown }
By default, neighbor aging is disabled on an interface.

Configuring MAC address borrowing


Setting the source MAC address of LLDP frames
About this task
This feature must be configured with generation of ARP or ND entries for received management
address TLVs to meet the following requirements:
• The source MAC address of outgoing LLDP frames is the MAC address of a VLAN interface
instead of the MAC address of the egress interface.
• The neighbor device can generate correct ARP or ND entries for the local device.
In Layer 2 Ethernet interface view, this feature sets the source MAC address of outgoing LLDP
frames to the MAC address of a VLAN interface to which the specified VLAN ID belongs. The source
MAC address of outgoing LLDP frames is the MAC address of the Layer 2 Ethernet interface in the
following situations:
• The specified VLAN or the corresponding VLAN interface does not exist.
• The VLAN interface to which the VLAN ID belongs is physically down.
In Layer 3 Ethernet interface view, the MAC address of the Layer 3 Ethernet interface is always used
as the source MAC address of outgoing LLDP frames.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 or Layer 3 Ethernet interface view.
interface interface-type interface-number
3. Set the source MAC address of LLDP frames to the MAC address of a VLAN interface or the
Layer 3 Ethernet interface.
lldp source-mac vlan vlan-id
By default, the source MAC address of LLDP frames is the MAC address of the egress
interface.

Enabling generation of ARP or ND entries for received management address TLVs
About generation of ARP or ND entries for received management address TLVs
This feature enables the device to generate an ARP or ND entry after receiving an LLDP frame
containing a management address TLV on an interface. The ARP or ND entry maps the advertised
management address to the source MAC address of the frame.

You can enable generation of both ARP and ND entries on an interface. If the management address
TLV contains an IPv4 address, the device generates an ARP entry. If the management address TLV
contains an IPv6 address, the device generates an ND entry.
In Layer 2 Ethernet interface view, this feature sets the Layer 2 Ethernet interface to the output
interface in the generated entries. The VLAN to which the entries belong is the VLAN specified by
this feature. The device cannot generate ARP or ND entries in one of the following situations:
• The specified VLAN or the corresponding VLAN interface does not exist.
• The VLAN interface to which the VLAN ID belongs is physically down.
In Layer 3 Ethernet interface view, the Layer 3 Ethernet interface is always recorded as the output
interface.
Restrictions and guidelines
In Layer 2 Ethernet interface view, you must configure the interface to use the MAC address of a
VLAN interface instead of its own MAC address as the source MAC address of LLDP frames. This
ensures that the neighbor NE can generate correct ARP or ND entries.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 or Layer 3 Ethernet interface view.
interface interface-type interface-number
3. Enable generation of ARP or ND entries for management address TLVs received on the
interface.
 In Layer 2 Ethernet interface view:
lldp management-address { arp-learning | nd-learning } vlan vlan-id
 In Layer 3 Ethernet interface view:
lldp management-address { arp-learning | nd-learning } [ vlan
vlan-id ]
By default, generation of ARP or ND entries for received management address TLVs is
disabled on an interface.
In Layer 2 Ethernet interface view, the vlan vlan-id option specifies the ID of the VLAN to
which the generated ARP or ND entry belongs. To prevent the ARP or ND entries from
overwriting each other, do not specify the same VLAN ID for different Layer 2 Ethernet
interfaces.
You can enable generation of both ARP and ND entries on an interface.

Display and maintenance commands for LLDP


Execute display commands in any view.

Task and command:

• Display local LLDP information.
display lldp local-information [ global | interface
interface-type interface-number ]
• Display the information contained in the LLDP TLVs sent from neighboring devices.
display lldp neighbor-information [ [ [ interface
interface-type interface-number ] [ agent
{ nearest-bridge | nearest-customer |
nearest-nontpmr } ] [ verbose ] ] | list [ system-name
system-name ] ]
• Display LLDP statistics.
display lldp statistics [ global | [ interface
interface-type interface-number ] [ agent
{ nearest-bridge | nearest-customer |
nearest-nontpmr } ] ]
• Display LLDP status of a port.
display lldp status [ interface interface-type
interface-number ] [ agent { nearest-bridge |
nearest-customer | nearest-nontpmr } ]
• Display types of advertisable optional LLDP TLVs.
display lldp tlv-config [ interface interface-type
interface-number ] [ agent { nearest-bridge |
nearest-customer | nearest-nontpmr } ]
• Clear LLDP statistics on ports.
reset lldp statistics [ interface interface-type
interface-number ] [ agent { nearest-bridge |
nearest-customer | nearest-nontpmr } ]

LLDP configuration examples


Example: Configuring basic LLDP functions
Network configuration
As shown in Figure 5, enable LLDP globally on Switch A and Switch B to perform the following tasks:
• Monitor the link between Switch A and Switch B on the NMS.
• Monitor the link between Switch A and the MED device on the NMS.
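Figure 5 Network diagram
(Diagram not reproduced. It shows an NMS, Switch A, Switch B, and a MED device, with port labels WGE1/0/1 and WGE1/0/2 on Switch A and WGE1/0/1 on Switch B.)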

Procedure
1. Configure Switch A:
# Enable LLDP globally.
<SwitchA> system-view
[SwitchA] lldp global enable
# Enable LLDP on Twenty-FiveGigE 1/0/1. By default, LLDP is enabled on ports.
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] lldp enable
# Set the LLDP operating mode to Rx on Twenty-FiveGigE 1/0/1.
[SwitchA-Twenty-FiveGigE1/0/1] lldp admin-status rx
[SwitchA-Twenty-FiveGigE1/0/1] quit

# Enable LLDP on Twenty-FiveGigE 1/0/2. By default, LLDP is enabled on ports.
[SwitchA] interface twenty-fivegige 1/0/2
[SwitchA-Twenty-FiveGigE1/0/2] lldp enable
# Set the LLDP operating mode to Rx on Twenty-FiveGigE 1/0/2.
[SwitchA-Twenty-FiveGigE1/0/2] lldp admin-status rx
[SwitchA-Twenty-FiveGigE1/0/2] quit
2. Configure Switch B:
# Enable LLDP globally.
<SwitchB> system-view
[SwitchB] lldp global enable
# Enable LLDP on Twenty-FiveGigE 1/0/1. By default, LLDP is enabled on ports.
[SwitchB] interface twenty-fivegige 1/0/1
[SwitchB-Twenty-FiveGigE1/0/1] lldp enable
# Set the LLDP operating mode to Tx on Twenty-FiveGigE 1/0/1.
[SwitchB-Twenty-FiveGigE1/0/1] lldp admin-status tx
[SwitchB-Twenty-FiveGigE1/0/1] quit

Verifying the configuration


# Verify the following items:
• Twenty-FiveGigE 1/0/1 of Switch A connects to a MED device.
• Twenty-FiveGigE 1/0/2 of Switch A connects to a non-MED device.
• Both ports operate in Rx mode, and they can receive LLDP frames but cannot send LLDP
frames.
[SwitchA] display lldp status
Global status of LLDP: Enable
Bridge mode of LLDP: customer-bridge
The current number of LLDP neighbors: 2
The current number of CDP neighbors: 0
LLDP neighbor information last changed time: 0 days, 0 hours, 4 minutes, 40 seconds
Transmit interval : 30s
Fast transmit interval : 1s
Transmit credit max : 5
Hold multiplier : 4
Reinit delay : 2s
Trap interval : 30s
Fast start times : 4

LLDP status information of port 1 [Twenty-FiveGigE1/0/1]:


LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 1
Number of MED neighbors : 1
Number of CDP neighbors : 0
Number of sent optional TLV : 21

Number of received unknown TLV : 0

LLDP agent nearest-customer:


Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 16
Number of received unknown TLV : 0

LLDP status information of port 2 [Twenty-FiveGigE1/0/2]:


LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 1
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 21
Number of received unknown TLV : 3

LLDP agent nearest-nontpmr:


Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 1
Number of received unknown TLV : 0

LLDP agent nearest-customer:


Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0

Number of sent optional TLV : 16
Number of received unknown TLV : 0

# Remove the link between Switch A and Switch B.


# Verify that Twenty-FiveGigE 1/0/2 of Switch A does not connect to any neighboring devices.
[SwitchA] display lldp status
Global status of LLDP: Enable
The current number of LLDP neighbors: 1
The current number of CDP neighbors: 0
LLDP neighbor information last changed time: 0 days, 0 hours, 5 minutes, 20 seconds
Transmit interval : 30s
Fast transmit interval : 1s
Transmit credit max : 5
Hold multiplier : 4
Reinit delay : 2s
Trap interval : 30s
Fast start times : 4

LLDP status information of port 1 [Twenty-FiveGigE1/0/1]:


LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 1
Number of MED neighbors : 1
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 5

LLDP agent nearest-nontpmr:


Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 1
Number of received unknown TLV : 0

LLDP status information of port 2 [Twenty-FiveGigE1/0/2]:


LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 0

LLDP agent nearest-nontpmr:


Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 1
Number of received unknown TLV : 0

LLDP agent nearest-customer:


Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 16
Number of received unknown TLV : 0
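
The before/after comparison above can be automated. The following Python script is an added example, not H3C code: it parses `display lldp status` text in the layout shown above and lists every port and agent whose LLDP, MED, or CDP neighbor count changed between two captures. The two captures embedded in it are constructed, abridged from the output above.

```python
import re

PORT_RE = re.compile(r"LLDP status information of port \d+ \[([^\]]+)\]:")
AGENT_RE = re.compile(r"LLDP agent ([\w-]+):")
COUNT_RE = re.compile(r"Number of (LLDP|MED|CDP) neighbors\s*:\s*(\d+)")

# Constructed captures, abridged from the two outputs shown above.
BEFORE = """\
The current number of LLDP neighbors: 2
LLDP status information of port 1 [Twenty-FiveGigE1/0/1]:
LLDP agent nearest-bridge:
 Number of LLDP neighbors : 1
 Number of MED neighbors : 1
 Number of CDP neighbors : 0
LLDP status information of port 2 [Twenty-FiveGigE1/0/2]:
LLDP agent nearest-bridge:
 Number of LLDP neighbors : 1
 Number of MED neighbors : 0
 Number of CDP neighbors : 0
"""
AFTER = """\
The current number of LLDP neighbors: 1
LLDP status information of port 1 [Twenty-FiveGigE1/0/1]:
LLDP agent nearest-bridge:
 Number of LLDP neighbors : 1
 Number of MED neighbors : 1
 Number of CDP neighbors : 0
LLDP status information of port 2 [Twenty-FiveGigE1/0/2]:
LLDP agent nearest-bridge:
 Number of LLDP neighbors : 0
 Number of MED neighbors : 0
 Number of CDP neighbors : 0
"""


def parse_lldp_status(text):
    """Return {(interface, agent): {"LLDP": n, "MED": n, "CDP": n}}."""
    counts, ifname, agent = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := PORT_RE.match(line):
            ifname, agent = m.group(1), None      # a new port section starts
        elif (m := AGENT_RE.match(line)) and ifname:
            agent = m.group(1)
            counts[(ifname, agent)] = {}
        elif (m := COUNT_RE.match(line)) and agent:
            counts[(ifname, agent)][m.group(1)] = int(m.group(2))
    return counts


def neighbor_changes(before, after):
    """List (interface, agent, kind, old, new) for every count that differs."""
    b, a = parse_lldp_status(before), parse_lldp_status(after)
    changes = []
    for key in sorted(set(b) | set(a)):
        for kind in ("LLDP", "MED", "CDP"):
            # An agent missing from one capture counts as zero neighbors.
            old = b.get(key, {}).get(kind, 0)
            new = a.get(key, {}).get(kind, 0)
            if old != new:
                changes.append((*key, kind, old, new))
    return changes


if __name__ == "__main__":
    for ifname, agent, kind, old, new in neighbor_changes(BEFORE, AFTER):
        print(f"{ifname} {agent}: {kind} neighbors {old} -> {new}")
```

A count that rises on a port where no new device was installed is worth the same attention as one that drops.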

Example: Configuring CDP-compatible LLDP


Network configuration
As shown in Figure 6, Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 of Switch A are each
connected to a Cisco IP phone, which sends tagged voice traffic.
Configure voice VLAN 2 on Switch A. Enable CDP compatibility of LLDP on Switch A to allow the
Cisco IP phones to automatically configure the voice VLAN. The voice VLAN feature performs the
following operations:
• Confines the voice traffic to the voice VLAN.
• Isolates the voice traffic from other types of traffic.
Figure 6 Network diagram (Switch A connects to Cisco IP phone 1 through WGE1/0/1 and to Cisco IP phone 2 through WGE1/0/2)
Procedure
1. Configure a voice VLAN on Switch A:
# Create VLAN 2.
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] quit
# Set the link type of Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 to trunk, and enable
voice VLAN on them.
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] port link-type trunk
[SwitchA-Twenty-FiveGigE1/0/1] voice-vlan 2 enable
[SwitchA-Twenty-FiveGigE1/0/1] quit
[SwitchA] interface twenty-fivegige 1/0/2
[SwitchA-Twenty-FiveGigE1/0/2] port link-type trunk
[SwitchA-Twenty-FiveGigE1/0/2] voice-vlan 2 enable
[SwitchA-Twenty-FiveGigE1/0/2] quit
2. Configure CDP-compatible LLDP on Switch A:
# Enable LLDP globally, and enable CDP compatibility globally.
[SwitchA] lldp global enable
[SwitchA] lldp compliance cdp
# Enable LLDP on Twenty-FiveGigE 1/0/1. By default, LLDP is enabled on ports.
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] lldp enable
# Configure LLDP to operate in TxRx mode on Twenty-FiveGigE 1/0/1.
[SwitchA-Twenty-FiveGigE1/0/1] lldp admin-status txrx
# Configure CDP-compatible LLDP to operate in TxRx mode on Twenty-FiveGigE 1/0/1.
[SwitchA-Twenty-FiveGigE1/0/1] lldp compliance admin-status cdp txrx
[SwitchA-Twenty-FiveGigE1/0/1] quit
# Enable LLDP on Twenty-FiveGigE 1/0/2. By default, LLDP is enabled on ports.
[SwitchA] interface twenty-fivegige 1/0/2
[SwitchA-Twenty-FiveGigE1/0/2] lldp enable
# Configure LLDP to operate in TxRx mode on Twenty-FiveGigE 1/0/2.
[SwitchA-Twenty-FiveGigE1/0/2] lldp admin-status txrx
# Configure CDP-compatible LLDP to operate in TxRx mode on Twenty-FiveGigE 1/0/2.
[SwitchA-Twenty-FiveGigE1/0/2] lldp compliance admin-status cdp txrx
[SwitchA-Twenty-FiveGigE1/0/2] quit

Verifying the configuration


# Verify that Switch A has completed the following operations:
• Discovering the IP phones connected to Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2.
• Obtaining IP phone information.
[SwitchA] display lldp neighbor-information

CDP neighbor-information of port 1[Twenty-FiveGigE1/0/1]:


LLDP agent nearest-bridge:
CDP neighbor index : 1
Chassis ID : SEP00141CBCDBFE
Port ID : Port 1

CDP neighbor-information of port 2[Twenty-FiveGigE1/0/2]:


LLDP agent nearest-bridge:
CDP neighbor index : 2
Chassis ID : SEP00141CBCDBFF
Port ID : Port 1

Configuring DCBX
About DCBX
Data Center Ethernet (DCE), also known as Converged Enhanced Ethernet (CEE), is an enhancement
and expansion of traditional Ethernet local area networks for use in data centers. DCE uses the Data
Center Bridging Exchange Protocol (DCBX) to negotiate and remotely configure the bridge capability
of network elements.

DCBX versions
DCBX has the following self-adaptable versions:
• DCB Capability Exchange Protocol Specification Rev 1.00.
• DCB Capability Exchange Protocol Base Specification Rev 1.01.
• IEEE Std 802.1Qaz-2011 (Media Access Control (MAC) Bridges and Virtual Bridged Local Area
Networks-Amendment 18: Enhanced Transmission Selection for Bandwidth Sharing Between
Traffic Classes).

DCBX functions
DCBX offers the following functions:
• Discovers the peer devices' capabilities and determines whether devices at both ends support
these capabilities.
• Detects configuration errors on peer devices.
• Remotely configures the peer device if the peer device accepts the configuration.

NOTE:
H3C devices support only the remote configuration feature.

DCBX application scenario


DCBX enables lossless packet transmission on DCE networks.
Figure 7 DCBX application scenario (DCBX TLVs are exchanged between a server with an FCoE card and the access switch of the data center network)


As shown in Figure 7, DCBX applies to an FCoE-based data center network and operates on an
access switch. DCBX enables the switch to control the server or storage adapter, which simplifies
configuration and guarantees configuration consistency. DCBX extends LLDP by using the IEEE
802.1 organizationally specific TLVs (DCBX TLVs) to transmit DCBX data, including:
• In DCBX Rev 1.00 and DCBX Rev 1.01:
◦ Application Protocol (APP).
◦ Enhanced Transmission Selection (ETS).
◦ Priority-based Flow Control (PFC).
• In IEEE Std 802.1Qaz-2011:
◦ ETS Configuration.
◦ ETS Recommendation.
◦ PFC.
◦ APP.
H3C devices can send these types of DCBX information to a server or storage adapter supporting
FCoE. However, H3C devices cannot accept these types of DCBX information.

Protocols and standards


• DCB Capability Exchange Protocol Specification Rev 1.00
• DCB Capability Exchange Protocol Base Specification Rev 1.01

DCBX tasks at a glance


To configure DCBX, perform the following tasks:
1. Enabling LLDP and DCBX TLV advertising
2. Setting the DCBX version
3. Configuring APP parameters
4. Configuring ETS parameters
a. Configuring the 802.1p-to-local priority mapping
b. Configuring group-based WRR queuing
5. Configuring PFC parameters

Enabling LLDP and DCBX TLV advertising


Restrictions and guidelines
To enable the device to advertise APP, ETS, and PFC data through an interface, perform the
following tasks:
• Enable LLDP globally.
• Enable LLDP and DCBX TLV advertising on the interface.
Procedure
1. Enter system view.
system-view
2. Enable LLDP globally.
lldp global enable
By default:
◦ If the device is started with the software default settings, LLDP is disabled globally.
◦ If the device is started with the factory default settings, LLDP is enabled globally.
For more information about device startup with software or factory default settings, see
configuration file management in Fundamentals Configuration Guide.
3. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
4. Enable LLDP on the interface.
lldp enable
By default, LLDP is enabled on an interface.
5. Enable the interface to advertise DCBX TLVs.
lldp tlv-enable dot1-tlv dcbx
By default, DCBX TLV advertisement is disabled on an interface.

Setting the DCBX version


Restrictions and guidelines
When you set the DCBX version, follow these restrictions and guidelines:
• For DCBX to work correctly, configure the same DCBX version on the local port and peer port.
As a best practice, configure the highest version supported on both ends. From highest to
lowest, the versions are IEEE Std 802.1Qaz-2011, DCBX Rev 1.01, and DCBX Rev 1.00.
• After the configuration, LLDP frames sent by the local port carry information about the
configured DCBX version. The local port and peer port do not negotiate the DCBX version.
• When the DCBX version is autonegotiated, IEEE Std 802.1Qaz-2011 is negotiated
preferentially.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Set the DCBX version.
dcbx version { rev100 | rev101 | standard }
By default, the DCBX version is not configured. It is autonegotiated by the local port and peer
port.

Configuring APP parameters


About this task
The device negotiates with the server adapter by using the APP parameters to achieve the following
purposes:
• Control the 802.1p priority values of the protocol packets that the server adapter sends.
• Identify traffic based on the 802.1p priority values.
For example, the device can use the APP parameters to negotiate with the server adapter to set
802.1p priority 3 for all FCoE and FIP frames. When the negotiation succeeds, all FCoE and FIP
frames that the server adapter sends to the device carry the 802.1p priority 3.
Restrictions and guidelines
When you configure APP parameters, follow these restrictions and guidelines:
• A Layer 2 ACL identifies application protocol packets by frame type.
• An IPv4 advanced ACL identifies application protocol packets by TCP/UDP port number.
• DCBX Rev 1.00 identifies application protocol packets only by frame type and advertises only
TLVs with frame type 0x8906 (FCoE).
• DCBX Rev 1.01 has the following attributes:
◦ Supports identifying application protocol packets by both frame type and TCP/UDP port
number.
◦ Does not restrict the frame type or TCP/UDP port number for advertising TLVs.
◦ Can advertise up to 77 TLVs according to the remaining length of the current packet.
• In a QoS policy, you can configure multiple class-behavior associations. A packet might be
configured with multiple 802.1p priority marking or mapping actions, and the one configured first
takes effect.
Procedure
1. Enter system view.
system-view
2. Create an ACL and enter its view.
◦ Create a Layer 2 ACL and configure a rule for the ACL.
acl mac { acl-number | name acl-name } [ match-order { auto | config } ]
rule [ rule-id ] permit type protocol-type ffff
◦ Create an IPv4 advanced ACL and configure a rule for the ACL.
acl advanced { acl-number | name acl-name } [ match-order { auto | config } ]
rule [ rule-id ] permit { tcp | udp } destination-port eq port
DCBX Rev 1.00 supports only Layer 2 ACLs. DCBX Rev 1.01 and IEEE Std 802.1Qaz-2011
support both Layer 2 ACLs and IPv4 advanced ACLs.
3. Return to system view.
quit
4. Configure a class:
a. Create a class, specify the operator of the class as OR, and enter class view.
traffic classifier classifier-name operator or
b. Use the previously configured ACL as the match criterion of the class.
if-match acl acl-number
c. Return to system view.
quit
5. Configure a traffic behavior:
a. Create a traffic behavior and enter its view.
traffic behavior behavior-name
b. Configure the behavior to mark packets with an 802.1p priority.
remark dot1p 8021p
c. Return to system view.
quit
6. Configure a QoS policy:
a. Create a QoS policy and enter its view.
qos policy policy-name
b. Associate the class with the traffic behavior in the QoS policy, and apply the association to
DCBX.
classifier classifier-name behavior behavior-name mode dcbx
c. Return to system view.
quit
7. Apply the QoS policy.
Choose one option as needed:
◦ Apply the QoS policy to the outgoing traffic of all ports.
qos apply policy policy-name global outbound
◦ Apply the QoS policy to the outgoing traffic of a Layer 2 Ethernet interface.
interface interface-type interface-number
qos apply policy policy-name outbound
The configuration in system view applies to all interfaces. The configuration in Layer 2 Ethernet
interface view applies only to the Layer 2 Ethernet interface.

Configuring ETS parameters


About ETS parameters
ETS provides committed bandwidth. To avoid packet loss caused by congestion, the device
performs the following operations:
• Uses ETS parameters to negotiate with the server adapter.
• Controls the server adapter's transmission speed of the specified type of traffic.
• Guarantees that the transmission speed is within the committed bandwidth of the interface.

Restrictions and guidelines


To configure ETS parameters, perform the following tasks:
1. Configure the 802.1p-to-local priority mapping by using either of the following methods:
◦ MQC method.
◦ Priority mapping table method.
If you configure the 802.1p-to-local priority mapping by using both methods, the configuration
made in the MQC method applies. For information about the QoS commands for configuring
802.1p-to-local priority mapping, see ACL and QoS Command Reference.
2. Configure group-based WRR queuing to allocate bandwidth.
For information about the WRR queuing configuration commands, see ACL and QoS
Command Reference.

Configuring the 802.1p-to-local priority mapping


Configuring the 802.1p-to-local priority mapping in the MQC method
1. Enter system view.
system-view
2. Create a traffic class, specify the operator of the class as OR, and enter class view.
traffic classifier classifier-name operator or
3. Configure the class to match packets with the specified service provider network 802.1p priority
values.
if-match service-dot1p 8021p-list
By default, no match criterion is configured for the class to match packets.
4. Return to system view.
quit
5. Create a traffic behavior and enter traffic behavior view.
traffic behavior behavior-name
6. Configure the behavior to mark packets with the specified local precedence value.
remark local-precedence local-precedence
By default, no local precedence marking action is configured.
7. Return to system view.
quit
8. Create a QoS policy and enter its view.
qos policy policy-name
9. Associate the class with the traffic behavior in the QoS policy, and apply the association to
DCBX.
classifier classifier-name behavior behavior-name mode dcbx
By default, no class-behavior associations exist.
Configuring the 802.1p-to-local priority mapping in the priority mapping table method
1. Enter system view.
system-view
2. Enter 802.1p-to-local priority mapping table view for the outgoing traffic.
qos map-table dot1p-lp
3. Configure the priority mapping table to map the specified 802.1p priority values to a local
precedence value.
import import-value-list export export-value
For information about the default priority mapping tables, see ACL and QoS Configuration
Guide.

Configuring group-based WRR queuing


1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Enable WRR queuing.
qos wrr byte-count
By default, an interface uses the WRR queue scheduling algorithm.
4. Configure a queue.
Choose one option as needed:
◦ Add a queue to WRR priority group 1 and configure the scheduling weight for the queue.
qos wrr queue-id group 1 byte-count schedule-value
◦ Configure a queue to use SP queuing.
qos wrr queue-id group sp

Configuring PFC parameters
About this task
To prevent packets with an 802.1p priority value from being dropped, enable PFC for the 802.1p
priority value. This feature reduces the sending rate of packets carrying this priority when network
congestion occurs.
The device uses PFC parameters to negotiate with the server adapter and to enable PFC for the
specified 802.1p priorities on the server adapter.
For more information about PFC commands, see Interface Command Reference.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Enable PFC in auto mode on the Ethernet interface.
priority-flow-control auto
By default, PFC is disabled.
To advertise the PFC data, you must enable PFC in auto mode.
4. Enable PFC for the specified 802.1p priorities.
priority-flow-control no-drop dot1p dot1p-list
By default, PFC is disabled for all 802.1p priorities.

DCBX configuration examples


Example: Configuring DCBX
Network configuration
As shown in Figure 8, Twenty-FiveGigE 1/0/1 of the access switch (Switch A) connects to the FCoE
adapter of the data center server (DC server).
Configure Switch A to implement lossless FCoE and FIP frame transmission to the DC server.

NOTE:
In this example, both Switch A and the DC server support DCBX Rev 1.01.

Figure 8 Network diagram (Switch A in the data center network connects to the DC server through WGE1/0/1)

Procedure
1. Enable LLDP and DCBX TLV advertising:
# Enable LLDP globally.
<SwitchA> system-view
[SwitchA] lldp global enable
# Enable LLDP and DCBX TLV advertising on Twenty-FiveGigE 1/0/1.
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] lldp enable
[SwitchA-Twenty-FiveGigE1/0/1] lldp tlv-enable dot1-tlv dcbx
2. Set the DCBX version to Rev. 1.01 on Twenty-FiveGigE 1/0/1.
[SwitchA-Twenty-FiveGigE1/0/1] dcbx version rev101
[SwitchA-Twenty-FiveGigE1/0/1] quit
3. Configure APP parameters:
# Create Layer 2 ACL 4000.
[SwitchA] acl mac 4000
# Configure ACL 4000 to permit FCoE frames (frame type is 0x8906) and FIP frames (frame
type is 0x8914) to pass through.
[SwitchA-acl-mac-4000] rule permit type 8906 ffff
[SwitchA-acl-mac-4000] rule permit type 8914 ffff
[SwitchA-acl-mac-4000] quit
# Create a class named app_c, set the operator of the class to OR, and use ACL 4000 as the
match criterion of the class.
[SwitchA] traffic classifier app_c operator or
[SwitchA-classifier-app_c] if-match acl mac 4000
[SwitchA-classifier-app_c] quit
# Create a traffic behavior named app_b, and configure the traffic behavior to mark packets
with 802.1p priority value 3.
[SwitchA] traffic behavior app_b
[SwitchA-behavior-app_b] remark dot1p 3
[SwitchA-behavior-app_b] quit
# Create a QoS policy named plcy, associate class app_c with traffic behavior app_b in the
QoS policy, and apply the association to DCBX.
[SwitchA] qos policy plcy
[SwitchA-qospolicy-plcy] classifier app_c behavior app_b mode dcbx
[SwitchA-qospolicy-plcy] quit
# Apply QoS policy plcy to the outgoing traffic of Twenty-FiveGigE 1/0/1.
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] qos apply policy plcy outbound
[SwitchA-Twenty-FiveGigE1/0/1] quit
4. Configure ETS parameters:
# Configure the 802.1p-to-local priority mapping table to map 802.1p priority value 3 to local
precedence 3. (This is the default mapping table. You can modify this configuration as needed.)
[SwitchA] qos map-table outbound dot1p-lp
[SwitchA-maptbl-out-dot1p-lp] import 3 export 3
[SwitchA-maptbl-out-dot1p-lp] quit
# Enable byte-count WRR queuing on Twenty-FiveGigE 1/0/1, and configure queue 3 on the
interface to use SP queuing.
[SwitchA] interface twenty-fivegige 1/0/1
[SwitchA-Twenty-FiveGigE1/0/1] qos wrr byte-count
[SwitchA-Twenty-FiveGigE1/0/1] qos wrr 3 group sp
5. Configure PFC:
# Enable PFC in auto mode on Twenty-FiveGigE 1/0/1.
[SwitchA-Twenty-FiveGigE1/0/1] priority-flow-control auto
# Enable PFC for 802.1p priority 3.
[SwitchA-Twenty-FiveGigE1/0/1] priority-flow-control no-drop dot1p 3
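
The prerequisites spread across the DCBX procedures can be checked mechanically before an adapter is connected. The following Python script is an added example, not H3C code: it audits configuration text for conditions this chapter states (LLDP enabled globally, DCBX TLV advertising on the port, PFC in auto mode when no-drop priorities are set, a `mode dcbx` association in the applied QoS policy, and the Rev 1.00 limit to frame type 0x8906). The sample configuration is constructed from the commands in this example; its layout (`#` separators, one-space indentation inside a view) and the finding codes are assumptions.

```python
import re

# Constructed sample: the commands from the example above, laid out with "#"
# separators and one-space indentation inside each view (assumed layout).
GOOD = """\
#
 lldp global enable
#
acl mac 4000
 rule 0 permit type 8906 ffff
 rule 5 permit type 8914 ffff
#
traffic classifier app_c operator or
 if-match acl mac 4000
#
traffic behavior app_b
 remark dot1p 3
#
qos policy plcy
 classifier app_c behavior app_b mode dcbx
#
interface Twenty-FiveGigE1/0/1
 lldp tlv-enable dot1-tlv dcbx
 dcbx version rev101
 qos apply policy plcy outbound
 priority-flow-control auto
 priority-flow-control no-drop dot1p 3
#
"""
# Constructed faulty variant: four prerequisites removed or changed.
BAD = (GOOD.replace(" lldp global enable\n", "")
           .replace(" lldp tlv-enable dot1-tlv dcbx\n", "")
           .replace("rev101", "rev100")
           .replace(" priority-flow-control auto\n", ""))


def parse_views(config):
    """Group commands by view: {"": global commands, "interface X": [...]}."""
    views, current = {"": []}, ""
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#":                       # view separator
            current = ""
        elif raw[0].isspace():                # command inside the current view
            views[current].append(line)
        else:                                 # unindented line opens a view
            current = line
            views.setdefault(current, [])
    return views


def acl_frame_types(views, classifier):
    """Frame types matched by the numbered Layer 2 ACLs a classifier uses."""
    types = set()
    for header, cmds in views.items():
        if header.split()[:3] != ["traffic", "classifier", classifier]:
            continue
        for acl in re.findall(r"^if-match acl mac (\S+)$", "\n".join(cmds), re.M):
            for rule in views.get("acl mac " + acl, []):
                if m := re.search(r"permit type ([0-9a-f]{1,4})\b", rule, re.I):
                    types.add(m.group(1).lower())
    return types


def audit_dcbx(config):
    """Return (scope, code, message) findings for the DCBX prerequisites."""
    views, out = parse_views(config), []
    if "lldp global enable" not in views[""] and "lldp global enable" not in views:
        out.append(("global", "LLDP_GLOBAL", "LLDP is not enabled globally"))
    for header, cmds in views.items():
        if not header.startswith("interface "):
            continue
        if not any(c.startswith(("dcbx version", "priority-flow-control",
                                 "lldp tlv-enable dot1-tlv dcbx")) for c in cmds):
            continue                          # port does not take part in DCBX
        port = header.split(None, 1)[1]
        if "lldp tlv-enable dot1-tlv dcbx" not in cmds:
            out.append((port, "DCBX_TLV", "DCBX TLV advertising is disabled"))
        no_drop = any(c.startswith("priority-flow-control no-drop dot1p") for c in cmds)
        if no_drop and "priority-flow-control auto" not in cmds:
            out.append((port, "PFC_AUTO", "PFC data is advertised only in auto mode"))
        version = next((c.split()[2] for c in cmds if c.startswith("dcbx version ")), None)
        for policy in re.findall(r"^qos apply policy (\S+) outbound$", "\n".join(cmds), re.M):
            assoc = [a.split() for a in views.get("qos policy " + policy, [])
                     if a.endswith(" mode dcbx")]
            if not assoc:
                out.append((port, "APP_MODE", f"policy {policy} has no 'mode dcbx' association"))
            for a in assoc:
                extra = acl_frame_types(views, a[1]) - {"8906"}
                if version == "rev100" and extra:
                    out.append((port, "APP_REV100",
                                f"Rev 1.00 advertises only 0x8906; skipped: {sorted(extra)}"))
    return out


if __name__ == "__main__":
    for scope, code, message in audit_dcbx(BAD):
        print(f"{scope}: {code}: {message}")
```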

Verifying the configuration


# Display the data exchange result on the DC server through the software interface. This example
uses the data exchange result for a QLogic adapter on the DC server.
------------------------------------------------------
DCBX Parameters Details for CNA Instance 0 - QLE8142
------------------------------------------------------

Mon May 17 10:00:50 2010

DCBX TLV (Type-Length-Value) Data


=================================
DCBX Parameter Type and Length
DCBX Parameter Length: 13
DCBX Parameter Type: 2

DCBX Parameter Information


Parameter Type: Current
Pad Byte Present: Yes
DCBX Parameter Valid: Yes
Reserved: 0

DCBX Parameter Data


Priority Group ID of Priority 1: 0
Priority Group ID of Priority 0: 2

Priority Group ID of Priority 3: 15


Priority Group ID of Priority 2: 1

Priority Group ID of Priority 5: 5


Priority Group ID of Priority 4: 4

Priority Group ID of Priority 7: 7


Priority Group ID of Priority 6: 6

Priority Group 0 Percentage: 2


Priority Group 1 Percentage: 4
Priority Group 2 Percentage: 6
Priority Group 3 Percentage: 0
Priority Group 4 Percentage: 10
Priority Group 5 Percentage: 18
Priority Group 6 Percentage: 27
Priority Group 7 Percentage: 31

Number of Traffic Classes Supported: 8

DCBX Parameter Information


Parameter Type: Remote
Pad Byte Present: Yes
DCBX Parameter Valid: Yes
Reserved: 0

DCBX Parameter Data


Priority Group ID of Priority 1: 0
Priority Group ID of Priority 0: 2

Priority Group ID of Priority 3: 15


Priority Group ID of Priority 2: 1

Priority Group ID of Priority 5: 5


Priority Group ID of Priority 4: 4

Priority Group ID of Priority 7: 7


Priority Group ID of Priority 6: 6

Priority Group 0 Percentage: 2


Priority Group 1 Percentage: 4
Priority Group 2 Percentage: 6
Priority Group 3 Percentage: 0
Priority Group 4 Percentage: 10
Priority Group 5 Percentage: 18
Priority Group 6 Percentage: 27
Priority Group 7 Percentage: 31

Number of Traffic Classes Supported: 8

DCBX Parameter Information


Parameter Type: Local
Pad Byte Present: Yes
DCBX Parameter Valid: Yes
Reserved: 0

DCBX Parameter Data


Priority Group ID of Priority 1: 0
Priority Group ID of Priority 0: 0

Priority Group ID of Priority 3: 1


Priority Group ID of Priority 2: 0

Priority Group ID of Priority 5: 0


Priority Group ID of Priority 4: 0

Priority Group ID of Priority 7: 0
Priority Group ID of Priority 6: 0

Priority Group 0 Percentage: 50


Priority Group 1 Percentage: 50
Priority Group 2 Percentage: 0
Priority Group 3 Percentage: 0
Priority Group 4 Percentage: 0
Priority Group 5 Percentage: 0
Priority Group 6 Percentage: 0
Priority Group 7 Percentage: 0

Number of Traffic Classes Supported: 2

The output shows that the DC server will use SP queuing (priority group ID 15) for 802.1p priority 3.
DCBX Parameter Type and Length
DCBX Parameter Length: 2
DCBX Parameter Type: 3

DCBX Parameter Information


Parameter Type: Current
Pad Byte Present: No
DCBX Parameter Valid: Yes
Reserved: 0

DCBX Parameter Data


PFC Enabled on Priority 0: No
PFC Enabled on Priority 1: No
PFC Enabled on Priority 2: No
PFC Enabled on Priority 3: Yes
PFC Enabled on Priority 4: No
PFC Enabled on Priority 5: No
PFC Enabled on Priority 6: No
PFC Enabled on Priority 7: No

Number of Traffic Classes Supported: 6

DCBX Parameter Information


Parameter Type: Remote
Pad Byte Present: No
DCBX Parameter Valid: Yes
Reserved: 0

DCBX Parameter Data


PFC Enabled on Priority 0: No
PFC Enabled on Priority 1: No
PFC Enabled on Priority 2: No
PFC Enabled on Priority 3: Yes
PFC Enabled on Priority 4: No
PFC Enabled on Priority 5: No
PFC Enabled on Priority 6: No
PFC Enabled on Priority 7: No

Number of Traffic Classes Supported: 6

DCBX Parameter Information


Parameter Type: Local
Pad Byte Present: No
DCBX Parameter Valid: Yes
Reserved: 0

DCBX Parameter Data


PFC Enabled on Priority 0: No
PFC Enabled on Priority 1: No
PFC Enabled on Priority 2: No
PFC Enabled on Priority 3: Yes
PFC Enabled on Priority 4: No
PFC Enabled on Priority 5: No
PFC Enabled on Priority 6: No
PFC Enabled on Priority 7: No

Number of Traffic Classes Supported: 1

The output shows that the DC server will use PFC for 802.1p priority 3.

Contents
Configuring L2PT
  About L2PT
    L2PT application scenario
    Supported protocols
    L2PT operating mechanism
  L2PT tasks at a glance
  Enabling L2PT
    Restrictions and guidelines for L2PT
    Enabling L2PT for a protocol in Layer 2 Ethernet interface view
    Enabling L2PT for a protocol in Layer 2 aggregate interface view
  Setting the destination multicast MAC address for tunneled packets
  Display and maintenance commands for L2PT
  L2PT configuration examples
    Example: Configuring L2PT for STP
    Example: Configuring L2PT for LACP

Configuring L2PT
About L2PT
Layer 2 Protocol Tunneling (L2PT) can transparently send Layer 2 protocol packets from
geographically dispersed customer networks across a service provider network or drop them.

L2PT application scenario


Dedicated lines are used in a service provider network to build user-specific Layer 2 networks. As a
result, a customer network contains sites located at different sides of the service provider network.
As shown in Figure 1, Customer A's network is divided into network 1 and network 2, which are
connected by the service provider network. For Customer A's network to implement Layer 2
protocol calculations, the Layer 2 protocol packets must be transmitted across the service provider
network.
Upon receiving a Layer 2 protocol packet, the PEs cannot determine whether the packet is from the
customer network or the service provider network. They must deliver the packet to the CPU for
processing. In this case, the Layer 2 protocol calculation in Customer A's network is mixed with the
Layer 2 protocol calculation in the service provider network. Neither the customer network nor the
service provider network can implement independent Layer 2 protocol calculations.
Figure 1 L2PT application scenario (CE 1 in Customer A network 1, VLAN 100, connects to PE 1; CE 2 in Customer A network 2, VLAN 100, connects to PE 2; PE 1 and PE 2 belong to the ISP network)

L2PT is introduced to resolve the problem. L2PT provides the following functions:
• Multicasts Layer 2 protocol packets from a customer network in a VLAN. Dispersed customer
networks can complete an independent Layer 2 protocol calculation, which is transparent to
the service provider network.
• Isolates Layer 2 protocol packets from different customer networks through different VLANs.

Supported protocols
H3C devices support L2PT for the following protocols:
• CDP.
• DLDP.
• EOAM.
• GVRP.
• LACP.
• LLDP.
• MVRP.
• PAgP.
• PVST.
• STP (including STP, RSTP, and MSTP).
• UDLD.
• VTP.

L2PT operating mechanism


As shown in Figure 2, L2PT operates as follows:
• When a port of PE 1 receives a Layer 2 protocol packet from the customer network in a VLAN,
it performs the following operations:
◦ Multicasts the packet out of all customer-facing ports in the VLAN except the receiving port.
◦ Encapsulates the packet with a specified destination multicast address, and multicasts it
out of all ISP-facing ports in the VLAN. The encapsulated packet is called the BPDU
tunneled packet.
• When a port of PE 2 in the VLAN receives the tunneled packet from the service provider
network, it performs the following operations:
◦ Multicasts the packet out of all ISP-facing ports in the VLAN except the receiving port.
◦ Decapsulates the packet and multicasts the decapsulated packet out of all customer-facing
ports in the VLAN.
Figure 2 L2PT operating mechanism (Layer 2 protocol packets from the customer networks reach PE 1 and PE 2, which exchange tunneled packets across the service provider network)

For example, as shown in Figure 3, PE 1 receives an STP packet (BPDU) sent from network 1 to
network 2. CEs are the edge devices on the customer network, and PEs are the edge devices on
the service provider network. L2PT processes the packet as follows:
1. PE 1 performs the following operations:
a. Encapsulates the packet with a specified destination multicast MAC address
(010f-e200-0003 by default).
b. Sends the tunneled packet out of all ISP-facing ports in the packet's VLAN.
2. Upon receiving the tunneled packet, PE 2 decapsulates the packet and sends the BPDU to CE
2.
Through L2PT, both the ISP network and Customer A's network can perform independent spanning
tree calculations.

Figure 3 L2PT network diagram (CE 1 in Customer A network 1 connects to PE 1, and CE 2 in Customer A network 2 connects to PE 2; a BPDU tunnel crosses the ISP network between PE 1 and PE 2)
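
The forwarding rules of the operating mechanism can be expressed as a small model. The following Python code is an added example, not H3C code: a port with L2PT enabled for a protocol is treated as customer-facing and every other port in the VLAN as ISP-facing. The port names, the `protocol` tag carried by each frame, and restoring the well-known destination MAC from that tag on decapsulation are assumptions of the model; the well-known MAC addresses are IEEE-assigned values that this guide does not list.

```python
from dataclasses import dataclass, replace

TUNNEL_MAC = "010f-e200-0003"     # default tunnel destination MAC from this guide

# IEEE-assigned destination MACs of the native protocol frames (not from the guide).
PROTOCOL_MAC = {
    "stp": "0180-c200-0000",
    "lacp": "0180-c200-0002",
    "lldp": "0180-c200-000e",     # nearest bridge agent
}


@dataclass(frozen=True)
class Frame:
    dst: str
    vlan: int
    protocol: str                 # model-only tag used to restore dst (assumption)
    payload: str = ""


class PE:
    def __init__(self, port_vlans, l2pt_ports, tunnel_mac=TUNNEL_MAC):
        self.port_vlans = port_vlans      # {"port": {vlan, ...}}
        self.l2pt_ports = l2pt_ports      # {"port": {"stp", ...}}
        self.tunnel_mac = tunnel_mac

    def customer_facing(self, port, protocol):
        # A port with L2PT enabled is regarded as connected to a customer network.
        return protocol in self.l2pt_ports.get(port, set())

    def receive(self, in_port, frame):
        """Return [(out_port, frame)] produced by L2PT for one received frame."""
        native_mac = PROTOCOL_MAC.get(frame.protocol)
        if native_mac is None:
            return []
        members = [p for p, vlans in self.port_vlans.items()
                   if frame.vlan in vlans and p != in_port]
        cust = [p for p in members if self.customer_facing(p, frame.protocol)]
        isp = [p for p in members if p not in cust]
        from_customer = self.customer_facing(in_port, frame.protocol)
        if from_customer and frame.dst == native_mac:
            # Native copy to other customer ports, tunneled copy to ISP ports.
            tunneled = replace(frame, dst=self.tunnel_mac)
            return [(p, frame) for p in cust] + [(p, tunneled) for p in isp]
        if not from_customer and frame.dst == self.tunnel_mac:
            # Tunneled copy to other ISP ports, decapsulated copy to customer ports.
            native = replace(frame, dst=native_mac)
            return [(p, frame) for p in isp] + [(p, native) for p in cust]
        return []                 # not handled by L2PT in this model


def cross_provider(pe1, pe2, frame, ce_port="to-ce", uplink="to-isp"):
    """Feed a CE frame into pe1 and hand whatever leaves its uplink to pe2."""
    delivered = []
    for port, sent in pe1.receive(ce_port, frame):
        if port == uplink:
            delivered += pe2.receive(uplink, sent)
    return delivered


if __name__ == "__main__":
    vlans = {"to-ce": {100}, "to-isp": {100}}
    bpdu = Frame(PROTOCOL_MAC["stp"], 100, "stp", "BPDU from CE 1")
    pe1, pe2 = PE(vlans, {"to-ce": {"stp"}}), PE(vlans, {"to-ce": {"stp"}})
    print(pe1.receive("to-ce", bpdu))         # tunneled copy on the uplink
    print(cross_provider(pe1, pe2, bpdu))     # original BPDU arrives at CE 2
```

In this model, enabling L2PT on the uplink as well makes PE 1 send the BPDU out of it unencapsulated, and a PE 2 configured with a different tunnel MAC address delivers nothing to CE 2.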

L2PT tasks at a glance


To configure L2PT, perform the following tasks:
1. Enabling L2PT
This feature is applicable only to customer-facing ports.
2. (Optional.) Setting the destination multicast MAC address for tunneled packets

Enabling L2PT
Restrictions and guidelines for L2PT
• To enable L2PT for a Layer 2 protocol on a port, perform the following tasks:
◦ Enable the protocol on the connected CE, and disable the protocol on the port.
◦ When a PE establishes a connection to a network device within the service provider
network through CDP, you must enable CDP compatibility for LLDP on the PE. CDP
compatibility for LLDP can be enabled only globally, and cannot be disabled separately on
customer-facing interfaces. As a result, the CDP packets from the CE cannot be
transparently transmitted within the service provider network. In this case, as a best
practice, do not enable L2PT for CDP on the PE. For L2PT to take effect on CDP on the PE,
you must disable CDP compatibility for LLDP globally on the PE, which will cause the PE to
fail to communicate with the network devices within the service provider network through
CDP. Before you disable CDP compatibility for LLDP on the PE, make sure you know its
influence on the network. For more information about CDP compatibility of LLDP, see
"Configuring LLDP."
◦ Disable the protocol (for example, STP) on the PE ports connecting to an aggregate
interface on a CE when the following conditions exist:
− The protocol is running on the aggregate interface on the CE.
− The aggregate interface on the CE connects to an L2PT-enabled port on the PE.
◦ Enable L2PT on PE ports connected to a customer network. If you enable L2PT on ports
connected to the service provider network, L2PT determines that the ports are connected
to a customer network.
◦ Make sure the VLAN tags of Layer 2 protocol packets are not changed or deleted for the
tunneled packets to be transmitted correctly across the service provider network.
• L2PT for LLDP supports LLDP packets from only nearest bridge agents.
• You can enable L2PT on a member port of a Layer 2 aggregation group, but the configuration
does not take effect.

• Do not enable L2PT on a port that is going to join a service loopback group.

Enabling L2PT for a protocol in Layer 2 Ethernet interface view
Restrictions and guidelines
LACP and EOAM require point-to-point transmission. If you enable L2PT on a Layer 2 Ethernet
interface for LACP or EOAM, L2PT multicasts LACP or EOAM packets out of customer-facing ports.
As a result, the transmission between two CEs is not point-to-point. To ensure point-to-point
transmission for the LACP or EOAM packets, you must configure other features (for example,
VLAN).
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Enable L2PT for a protocol.
l2protocol { cdp | dldp | eoam | gvrp | lacp | lldp | mvrp | pagp | pvst | stp | udld | vtp } tunnel dot1q
By default, L2PT is disabled for all protocols.

Enabling L2PT for a protocol in Layer 2 aggregate interface view
1. Enter system view.
system-view
2. Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Enable L2PT for a protocol.
l2protocol { gvrp | mvrp | pvst | stp | vtp } tunnel dot1q
By default, L2PT is disabled for all protocols.

Setting the destination multicast MAC address for tunneled packets
About this task
The available multicast MAC addresses are 010f-e200-0003, 0100-0ccd-cdd0, 0100-0ccd-cdd1,
and 0100-0ccd-cdd2.
Restrictions and guidelines
For tunneled packets to be recognized, set the same destination multicast MAC address on PEs
that are connected to the same customer network.
As a best practice, set different destination multicast MAC addresses on PEs connected to different
customer networks. Doing so prevents L2PT from sending packets of one customer network to
another customer network.

Procedure
1. Enter system view.
system-view
2. Set the destination multicast MAC address for tunneled packets.
l2protocol tunnel-dmac mac-address
By default, 010f-e200-0003 is used for tunneled packets.
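The port-level restrictions under "Enabling L2PT" and the destination MAC address rules above can be checked against PE configuration text before a change is committed. The following Python script is an added example, not H3C code; it assumes the configuration text shows commands as they are typed in this guide with `#` separating sections, and the two sample configurations are constructed.

```python
import re

# Destination multicast MAC addresses the guide lists as available.
ALLOWED_DMACS = {"010f-e200-0003", "0100-0ccd-cdd0", "0100-0ccd-cdd1", "0100-0ccd-cdd2"}
DEFAULT_DMAC = "010f-e200-0003"

def parse_config(text):
    """Split configuration text into global lines and per-interface lines."""
    glob, ifaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "#":
            current = None          # '#' ends a section (assumed layout)
        elif (m := re.match(r"interface (.+)$", line)):
            current = ifaces.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
        else:
            glob.append(line)
    return glob, ifaces

def tunnel_dmac(text):
    """Configured tunnel destination MAC, or the documented default."""
    for line in parse_config(text)[0]:
        if (m := re.match(r"l2protocol tunnel-dmac (\S+)$", line)):
            return m.group(1).lower()
    return DEFAULT_DMAC

def audit_pe(text):
    """Return (scope, finding) pairs for the L2PT guidelines checked here."""
    findings = []
    if tunnel_dmac(text) not in ALLOWED_DMACS:
        findings.append(("global", "tunnel-dmac is not an available address"))
    for name, lines in parse_config(text)[1].items():
        tunneled = {m.group(1) for l in lines
                    if (m := re.match(r"l2protocol (\S+) tunnel dot1q$", l))}
        if "stp" in tunneled and "undo stp enable" not in lines:
            findings.append((name, "L2PT for STP is on but STP is not disabled"))
        if tunneled and any(l.startswith("port link-aggregation group") for l in lines):
            findings.append((name, "aggregation member port: L2PT has no effect"))
    return findings

def same_tunnel_dmac(*configs):
    """True when all PEs of one customer network use the same destination MAC."""
    return len({tunnel_dmac(c) for c in configs}) == 1

# Constructed samples: PE1 follows the guide's STP example, PE2 breaks the rules.
PE1 = ("l2protocol tunnel-dmac 0100-0ccd-cdd0\n#\n"
       "interface Twenty-FiveGigE1/0/1\n port access vlan 2\n"
       " undo stp enable\n l2protocol stp tunnel dot1q\n#\n")
PE2 = ("interface Twenty-FiveGigE1/0/1\n port access vlan 2\n"
       " l2protocol stp tunnel dot1q\n#\n"
       "interface Twenty-FiveGigE1/0/2\n port link-aggregation group 1\n"
       " l2protocol lacp tunnel dot1q\n#\n")
```

`audit_pe(PE2)` reports the port where STP is still running alongside L2PT for STP and the aggregation member port, and `same_tunnel_dmac(PE1, PE2)` is false because PE2 falls back to the default address.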

Display and maintenance commands for L2PT


Execute display commands in any view and reset commands in user view.

Task | Command
Display L2PT statistics. | display l2protocol statistics [ interface interface-type interface-number ]
Clear L2PT statistics. | reset l2protocol statistics [ interface interface-type interface-number ]

L2PT configuration examples


Example: Configuring L2PT for STP
Network configuration
As shown in Figure 4, the MAC addresses of CE 1 and CE 2 are 00e0-fc02-5800 and
00e0-fc02-5802, respectively. MSTP is enabled in Customer A's network, and default MSTP
settings are used.
Perform the following tasks on the PEs:
• Configure the ports that connect to CEs as access ports, and configure the ports in the service
provider network as trunk ports. Configure ports in the service provider network to allow
packets from any VLAN to pass.
• Enable L2PT for STP to enable Customer A's network to implement independent spanning
tree calculation across the service provider network.
• Set the destination multicast MAC address to 0100-0ccd-cdd0 for tunneled packets.
Figure 4 Network diagram
[Figure: CE 1 (Customer A network 1) connects to WGE1/0/1 (VLAN 2) on PE 1, and CE 2 (Customer A network 2) connects to WGE1/0/1 (VLAN 2) on PE 2; a BPDU tunnel runs between PE 1 and PE 2 across the ISP network.]

Procedure
1. Configure PE 1:
# Set the destination multicast address to 0100-0ccd-cdd0 for tunneled packets.
<PE1> system-view
[PE1] l2protocol tunnel-dmac 0100-0ccd-cdd0
# Create VLAN 2.
[PE1] vlan 2
[PE1-vlan2] quit
# Configure Twenty-FiveGigE 1/0/1 as an access port and assign the port to VLAN 2.
[PE1] interface twenty-fivegige 1/0/1
[PE1-Twenty-FiveGigE1/0/1] port access vlan 2
# Disable STP and enable L2PT for STP on Twenty-FiveGigE 1/0/1.
[PE1-Twenty-FiveGigE1/0/1] undo stp enable
[PE1-Twenty-FiveGigE1/0/1] l2protocol stp tunnel dot1q
[PE1-Twenty-FiveGigE1/0/1] quit
# Configure Twenty-FiveGigE 1/0/2 connected to the service provider network as a trunk port,
and assign the port to all VLANs.
[PE1] interface twenty-fivegige 1/0/2
[PE1-Twenty-FiveGigE1/0/2] port link-type trunk
[PE1-Twenty-FiveGigE1/0/2] port trunk permit vlan all
[PE1-Twenty-FiveGigE1/0/2] quit
2. Configure PE 2 in the same way PE 1 is configured. (Details not shown.)
Verifying the configuration
# Verify that the root bridge of Customer A's network is CE 1.
<CE2> display stp root
MST ID Root Bridge ID ExtPathCost IntPathCost Root Port
0 32768.00e0-fc02-5800 0 0

# Verify that the root bridge of the service provider network is not CE 1.
[PE1] display stp root
MST ID Root Bridge ID ExtPathCost IntPathCost Root Port
0 32768.0cda-41c5-ba50 0 0

Example: Configuring L2PT for LACP


Network configuration
As shown in Figure 5, the MAC addresses of CE 1 and CE 2 are 0001-0000-0000 and
0004-0000-0000, respectively.
Perform the following tasks:
• Configure Ethernet link aggregation on CE 1 and CE 2.
• Configure Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 on CE 1 to form aggregate links
with Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 on CE 2, respectively.
• Enable L2PT for LACP to enable CE 1 and CE 2 to implement Ethernet link aggregation
across the service provider network.

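Figure 5 Network diagram
[Figure: WGE1/0/1 and WGE1/0/2 on CE 1 (Customer A network 1) connect to WGE1/0/1 (VLAN 2) and WGE1/0/2 (VLAN 3) on PE 1; WGE1/0/1 and WGE1/0/2 on CE 2 (Customer A network 2) connect to WGE1/0/1 (VLAN 2) and WGE1/0/2 (VLAN 3) on PE 2; a BPDU tunnel runs between PE 1 and PE 2 across the ISP network.]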

Requirements analysis
To meet the network requirements, perform the following tasks:
• For Ethernet link aggregation to operate correctly, configure VLANs on the PEs to ensure
point-to-point transmission between CE 1 and CE 2 in an aggregation group.
◦ Set the PVIDs to VLAN 2 and VLAN 3 for Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE
1/0/2 on PE 1, respectively.
◦ Configure PE 2 in the same way PE 1 is configured.
◦ Configure ports that connect to the CEs as trunk ports.
• To retain the VLAN tag of the customer network, enable QinQ on Twenty-FiveGigE 1/0/1 and
Twenty-FiveGigE 1/0/2 on both PE 1 and PE 2.
• For packets from any VLAN to be transmitted, configure all ports in the service provider
network as trunk ports.
Procedure
1. Configure CE 1:
# Configure Layer 2 aggregation group Bridge-Aggregation 1 to operate in dynamic
aggregation mode.
<CE1> system-view
[CE1] interface bridge-aggregation 1
[CE1-Bridge-Aggregation1] port link-type access
[CE1-Bridge-Aggregation1] link-aggregation mode dynamic
[CE1-Bridge-Aggregation1] quit
# Assign Twenty-FiveGigE 1/0/1 and Twenty-FiveGigE 1/0/2 to Bridge-Aggregation 1.
[CE1] interface twenty-fivegige 1/0/1
[CE1-Twenty-FiveGigE1/0/1] port link-aggregation group 1
[CE1-Twenty-FiveGigE1/0/1] quit
[CE1] interface twenty-fivegige 1/0/2
[CE1-Twenty-FiveGigE1/0/2] port link-aggregation group 1
[CE1-Twenty-FiveGigE1/0/2] quit
2. Configure CE 2 in the same way CE 1 is configured. (Details not shown.)
3. Configure PE 1:
# Create VLANs 2 and 3.
<PE1> system-view
[PE1] vlan 2
[PE1-vlan2] quit

[PE1] vlan 3
[PE1-vlan3] quit
# Configure Twenty-FiveGigE 1/0/1 as a trunk port, assign the port to VLAN 2, and set the
PVID to VLAN 2.
[PE1] interface twenty-fivegige 1/0/1
[PE1-Twenty-FiveGigE1/0/1] port link-mode bridge
[PE1-Twenty-FiveGigE1/0/1] port link-type trunk
[PE1-Twenty-FiveGigE1/0/1] port trunk permit vlan 2
[PE1-Twenty-FiveGigE1/0/1] port trunk pvid vlan 2
# Enable QinQ on Twenty-FiveGigE 1/0/1.
[PE1-Twenty-FiveGigE1/0/1] qinq enable
# Enable L2PT for LACP on Twenty-FiveGigE 1/0/1.
[PE1-Twenty-FiveGigE1/0/1] l2protocol lacp tunnel dot1q
[PE1-Twenty-FiveGigE1/0/1] quit
# Configure Twenty-FiveGigE 1/0/2 as a trunk port, assign the port to VLAN 3, and set the
PVID to VLAN 3.
[PE1] interface twenty-fivegige 1/0/2
[PE1-Twenty-FiveGigE1/0/2] port link-mode bridge
[PE1-Twenty-FiveGigE1/0/2] port link-type trunk
[PE1-Twenty-FiveGigE1/0/2] port trunk permit vlan 3
[PE1-Twenty-FiveGigE1/0/2] port trunk pvid vlan 3
# Enable QinQ on Twenty-FiveGigE 1/0/2.
[PE1-Twenty-FiveGigE1/0/2] qinq enable
# Enable L2PT for LACP on Twenty-FiveGigE 1/0/2.
[PE1-Twenty-FiveGigE1/0/2] l2protocol lacp tunnel dot1q
[PE1-Twenty-FiveGigE1/0/2] quit
4. Configure PE 2 in the same way PE 1 is configured. (Details not shown.)
Verifying the configuration
# Verify that CE 1 and CE 2 have completed Ethernet link aggregation successfully.
[CE1] display link-aggregation member-port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Twenty-FiveGigE1/0/1:
Aggregate Interface: Bridge-Aggregation1
Local:
Port Number: 3
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Remote:
System ID: 0x8000, 0004-0000-0000
Port Number: 3
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}

Received LACP Packets: 23 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 26 packet(s)

Twenty-FiveGigE1/0/2:
Aggregate Interface: Bridge-Aggregation1
Local:
Port Number: 4
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Remote:
System ID: 0x8000, 0004-0000-0000
Port Number: 4
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Received LACP Packets: 10 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 13 packet(s)
[CE2] display link-aggregation member-port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Twenty-FiveGigE1/0/1:
Aggregate Interface: Bridge-Aggregation1
Local:
Port Number: 3
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Remote:
System ID: 0x8000, 0001-0000-0000
Port Number: 3
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Received LACP Packets: 23 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 26 packet(s)

Twenty-FiveGigE1/0/2:
Aggregate Interface: Bridge-Aggregation1
Local:
Port Number: 4
Port Priority: 32768
Oper-Key: 1

Flag: {ACDEF}
Remote:
System ID: 0x8000, 0001-0000-0000
Port Number: 4
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Received LACP Packets: 10 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 13 packet(s)
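The verification above can be automated by parsing the `display link-aggregation member-port` output. The following Python script is an added example, not H3C code; the sample text is a constructed, shortened form of the output shown above, and the duplicate partner port check is this example's own heuristic for the non-point-to-point case described in the restrictions for LACP.

```python
import re

def parse_member_ports(output):
    """Parse 'display link-aggregation member-port' text into {port: info}."""
    ports, port, side = {}, None, None
    for raw in output.splitlines():
        line = raw.strip()
        if (m := re.match(r"(\S+\d+/\d+/\d+):$", line)):
            port, side = ports.setdefault(m.group(1), {"Local": {}, "Remote": {}}), None
        elif line in ("Local:", "Remote:") and port is not None:
            side = line[:-1]
        elif port is not None and side and ":" in line:
            key, _, value = line.partition(":")
            port[side].setdefault(key.strip(), value.strip())
    return ports

def check_lacp(output, peer_mac):
    """Return problems showing the tunneled LACP session is not healthy."""
    problems, seen_remote = [], {}
    for name, info in parse_member_ports(output).items():
        remote = info["Remote"]
        sysid = remote.get("System ID", "").split(",")[-1].strip()
        if sysid != peer_mac:
            problems.append(f"{name}: partner {sysid or 'unknown'} is not {peer_mac}")
        for side in ("Local", "Remote"):
            flags = set(info[side].get("Flag", "").strip("{}"))
            # C, D, E, F must be set; G (Defaulted) and H (Expired) must not be.
            if not {"C", "D", "E", "F"} <= flags or flags & {"G", "H"}:
                problems.append(f"{name}: {side} flags {sorted(flags)} not in sync")
        rport = remote.get("Port Number")
        if rport in seen_remote:
            problems.append(f"{name}: shares partner port {rport} with {seen_remote[rport]}")
        seen_remote.setdefault(rport, name)
    return problems

# Constructed sample, shortened from the CE 1 output in this example.
GOOD = """Twenty-FiveGigE1/0/1:
 Local:
  Flag: {ACDEF}
 Remote:
  System ID: 0x8000, 0004-0000-0000
  Port Number: 3
  Flag: {ACDEF}
Twenty-FiveGigE1/0/2:
 Local:
  Flag: {ACDEF}
 Remote:
  System ID: 0x8000, 0004-0000-0000
  Port Number: 4
  Flag: {ACDEF}
"""
# Constructed failure case: both member ports report the same partner port.
BAD = GOOD.replace("Port Number: 4", "Port Number: 3")
```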

Contents
Configuring service loopback groups
About service loopback groups
Restrictions and guidelines: Service loopback group configuration
Configuring a service loopback group
Display and maintenance commands for service loopback groups
Service loopback group configuration examples
Example: Configuring a service loopback group

Configuring service loopback groups
About service loopback groups
A service loopback group contains one or multiple Ethernet ports for looping packets sent out by the
device back to the device. This feature must work with other features, such as GRE. Member ports in
a service loopback group are load balanced.
A service loopback group provides one of the following services:
• Tunnel—Supports unicast tunnel services.
• Multicast tunnel—Supports multicast tunnel services.
• Multiport—Supports multiport ARP services.
• Telemetry stream—Supports Telemetry streaming services.

Restrictions and guidelines: Service loopback group configuration
When you add member ports to a service loopback group, follow these restrictions and guidelines:
• Make sure the ports support the service type of the service loopback group and are not
members of any other service loopback group.
• The configuration on a port is removed when it is assigned to the service loopback group.
• To avoid IRF split, do not assign a physical interface to the service loopback group if that
interface is the only member interface of an IRF port.
• For correct traffic processing, make sure the service loopback group has a minimum of one
member port when it is being used by a feature.
When you apply service loopback groups to features, follow these restrictions and guidelines:
• One service loopback group can be used by multiple features.
• You cannot change the service type of a service loopback group.
• Do not delete a service loopback group that is being used by a feature.

Configuring a service loopback group


1. Enter system view.
system-view
2. Create a service loopback group and specify its service type.
service-loopback group group-id type { { multicast-tunnel | tunnel } * | multiport | telemetry-stream }
You can configure only one service loopback group for a service type.
3. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
4. Assign the port to the service loopback group.
port service-loopback group group-id
By default, a port does not belong to a service loopback group.

You can assign a maximum of 32 ports to a service loopback group.

Display and maintenance commands for service loopback groups
Execute display commands in any view.

Task | Command
Display information about service loopback groups. | display service-loopback group [ group-id ]

Service loopback group configuration examples


Example: Configuring a service loopback group
Network configuration
All Ethernet ports on the device support unicast tunnel services. Assign Twenty-FiveGigE 1/0/1
through Twenty-FiveGigE 1/0/3 to a service loopback group to loop GRE packets sent out by the
device back to the device.
Procedure

# Create service loopback group 1, and specify its service type as tunnel.
<Sysname> system-view
[Sysname] service-loopback group 1 type tunnel

# Assign Twenty-FiveGigE1/0/1 through Twenty-FiveGigE1/0/3 to service loopback group 1.


[Sysname] interface twenty-fivegige 1/0/1
[Sysname-Twenty-FiveGigE1/0/1] port service-loopback group 1
All configurations on the interface will be lost. Continue?[Y/N]:y
After this command is executed, the speed will be reset to the default value on
Twenty-FiveGigE1/0/1 to Twenty-FiveGigE1/0/4, which belong to the same port group.
Continue? [Y/N]:y
[Sysname-Twenty-FiveGigE1/0/1] quit
[Sysname] interface twenty-fivegige 1/0/2
[Sysname-Twenty-FiveGigE1/0/2] port service-loopback group 1
All configurations on the interface will be lost. Continue?[Y/N]:y
After this command is executed, the speed will be reset to the default value on
Twenty-FiveGigE1/0/1 to Twenty-FiveGigE1/0/4, which belong to the same port group.
Continue? [Y/N]:y
[Sysname-Twenty-FiveGigE1/0/2] quit
[Sysname] interface twenty-fivegige 1/0/3
[Sysname-Twenty-FiveGigE1/0/3] port service-loopback group 1
All configurations on the interface will be lost. Continue?[Y/N]:y
After this command is executed, the speed will be reset to the default value on
Twenty-FiveGigE1/0/1 to Twenty-FiveGigE1/0/4, which belong to the same port group.
Continue? [Y/N]:y
[Sysname-Twenty-FiveGigE1/0/3] quit

# Create the interface Tunnel 1 and set it to GRE mode. The interface will automatically use service
loopback group 1.
[Sysname] interface tunnel 1 mode gre
[Sysname-Tunnel1]

Contents
Configuring cut-through Layer 2 forwarding
About cut-through Layer 2 forwarding
Restrictions and guidelines for cut-through Layer 2 forwarding configuration
Procedure

Configuring cut-through Layer 2 forwarding
About cut-through Layer 2 forwarding
A cut-through forwarding-enabled device forwards a frame after it receives the first 64 bytes of the
frame. This feature reduces the transmission time of a frame and enhances forwarding performance.

Restrictions and guidelines for cut-through Layer 2 forwarding configuration
With cut-through forwarding, the device forwards CRC-error frames because it starts forwarding
frames before their CRC field is received.
This feature is not available on ports operating at 1 Gbps.

Procedure
1. Enter system view.
system-view
2. Enable cut-through forwarding.
cut-through enable
By default, cut-through forwarding is disabled.
