HPE FlexNetwork 5520 HI Switch Series

Layer 2—LAN Switching Configuration Guide

Part number: 5200-8302

Software version: Release 6525 and later
Document version: 6W100-20210810
© Copyright 2021 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
Contents
Configuring Ethernet interfaces ····································································· 1
About Ethernet interface ···································································································································· 1
Configuring a management Ethernet interface ·································································································· 1
Ethernet interface naming conventions ·············································································································· 2
Configuring common Ethernet interface settings ······························································································· 2
Configuring the physical type for a combo interface (single combo interface) ··········································· 2
Splitting a 40-GE interface and combining 10-GE breakout interfaces ······················································ 3
Configuring basic settings of an Ethernet interface···················································································· 4
Configuring basic settings of an Ethernet subinterface ·············································································· 4
Enabling automatic negotiation for speed downgrading ············································································ 5
Configuring the link mode of an Ethernet interface ···················································································· 5
Configuring jumbo frame support ··············································································································· 6
Configuring physical state change suppression on an Ethernet interface ················································· 6
Configuring dampening on an Ethernet interface······················································································· 7
Enabling link flapping protection on an interface························································································ 9
Configuring storm suppression ·················································································································· 9
Configuring generic flow control on an Ethernet interface ······································································· 10
Enabling energy saving features on an Ethernet interface ······································································ 11
Setting the statistics polling interval ········································································································· 12
Enabling loopback testing on an Ethernet interface ················································································· 12
Forcibly bringing up a fiber port················································································································ 13
Configuring interface alarm functions······································································································· 14
Restoring the default settings for an interface·························································································· 15
Configuring a Layer 2 Ethernet interface ········································································································· 16
Setting speed options for autonegotiation on an Ethernet interface ························································ 16
Setting the MDIX mode of an Ethernet interface······················································································ 17
Configuring storm control on an Ethernet interface·················································································· 18
Testing the cable connection of an Ethernet interface ············································································· 19
Enabling bridging on an Ethernet interface ······························································································ 19
Configuring Layer 3 forwarding on a Layer 2 Ethernet interface······························································ 20
Configuring a Layer 3 Ethernet interface or subinterface················································································· 20
Setting the MTU for an Ethernet interface or subinterface ······································································· 20
Display and maintenance commands for Ethernet interfaces ·········································································· 21
Configuring loopback, null, and inloopback interfaces ································· 23
About loopback, null, and inloopback interfaces ······························································································ 23
About loopback interfaces ························································································································ 23
About null interfaces································································································································· 23
About inloopback interfaces ····················································································································· 23
Configuring a loopback interface ····················································································································· 23
Configuring a null interface ······························································································································ 24
Restoring the default settings for an interface ································································································· 24
Display and maintenance commands for loopback, null, and inloopback interfaces ······································· 25
Bulk configuring interfaces ··········································································· 26
About interface bulk configuration ···················································································································· 26
Restrictions and guidelines: Bulk interface configuration ················································································· 26
Procedure························································································································································· 27
Display and maintenance commands for bulk interface configuration ····························································· 27
Configuring the MAC address table ····························································· 28
About the MAC address table ·························································································································· 28
How a MAC address entry is created······································································································· 28
Types of MAC address entries ················································································································· 28
MAC address table tasks at a glance··············································································································· 29
Configuring MAC address entries ···················································································································· 30
About MAC address entry-based frame forwarding ················································································· 30

i
 Restrictions and guidelines for MAC address entry configuration···························································· 30
Prerequisites for MAC address entry configuration·················································································· 30
Adding or modifying a static or dynamic MAC address entry··································································· 30
Adding or modifying a blackhole MAC address entry ·············································································· 31
Adding or modifying a multiport unicast MAC address entry ··································································· 31
Adding or modifying a multiport unicast MAC address entry for VXLAN ················································· 32
Setting the aging timer for dynamic MAC address entries ··············································································· 33
Disabling MAC address learning ······················································································································ 34
About disabling MAC address learning ···································································································· 34
Disabling global MAC address learning ··································································································· 34
Disabling MAC address learning on an interface ····················································································· 34
Disabling MAC address learning on a VLAN ··························································································· 35
Setting the MAC learning limit ·························································································································· 35
Configuring the unknown frame forwarding rule after the MAC learning limit is reached ································ 35
Assigning MAC learning priority to interfaces ·································································································· 36
Enabling MAC address synchronization ·········································································································· 36
Configuring MAC address move notifications and suppression ······································································· 38
Enabling ARP fast update for MAC address moves ························································································ 39
Disabling static source check ··························································································································· 40
Enabling SNMP notifications for the MAC address table ················································································· 41
Display and maintenance commands for MAC address table ········································································· 41
MAC address table configuration examples····································································································· 42
Example: Configuring the MAC address table ························································································· 42
Configuring MAC Information······································································· 43
About MAC Information ···································································································································· 43
Enabling MAC Information ······························································································································· 43
Configuring the MAC Information mode ··········································································································· 43
Setting the MAC change notification interval ··································································································· 44
Setting the MAC Information queue length ······································································································ 44
MAC Information configuration examples ········································································································ 45
Example: Configuring MAC Information ··································································································· 45
Configuring Ethernet link aggregation ·························································· 47
About Ethernet link aggregation ······················································································································· 47
Ethernet link aggregation application scenario ························································································ 47
Aggregate interface, aggregation group, and member port ····································································· 47
Operational key ········································································································································ 48
Configuration types ·································································································································· 48
Link aggregation modes ··························································································································· 48
How static link aggregation works ············································································································ 49
Dynamic link aggregation ························································································································· 50
How dynamic link aggregation works ······································································································· 53
Edge aggregate interface ························································································································· 55
Load sharing modes for link aggregation groups ····················································································· 55
S-MLAG ··················································································································································· 55
Restrictions and guidelines: Mixed use of manual and automatic link aggregation configuration ··················· 56
Ethernet link aggregation tasks at a glance ····································································································· 56
Configuring the system ID ································································································································ 57
Configuring a manual link aggregation············································································································· 58
Restrictions and guidelines for aggregation group configuration ····························································· 58
Configuring a Layer 2 aggregation group································································································· 59
Configuring a Layer 3 aggregation group································································································· 60
Configuring automatic link aggregation ············································································································ 62
Configuring S-MLAG ········································································································································ 62
Configuring an aggregate interface ·················································································································· 63
Configuring the description of an aggregate interface ············································································· 63
Setting the MAC address for an aggregate interface ··············································································· 64
Configuring jumbo frame support ············································································································· 64
Setting the MTU for a Layer 3 aggregate interface ·················································································· 65
Setting the expected bandwidth for an aggregate interface ····································································· 65
Configuring an edge aggregate interface ································································································· 66

ii
 Configuring physical state change suppression on an aggregate interface ············································· 66
Shutting down an aggregate interface ····································································································· 67
Restoring the default settings for an aggregate interface ········································································ 67
Enabling transparent LACPDU transmission ··································································································· 68
Setting the minimum and maximum numbers of Selected ports for an aggregation group ····························· 69
Configuring the link aggregation capability of the device ················································································· 70
Disabling the default action of selecting a Selected port for dynamic aggregation groups that have not received
LACPDUs ························································································································································· 71
Configuring a dynamic aggregation group to use port speed as the prioritized criterion for reference port
selection ··························································································································································· 71
Configuring load sharing for link aggregation groups······················································································· 72
Setting static load sharing modes for link aggregation groups ································································ 72
Enabling local-first load sharing for link aggregation················································································ 73
Enabling link-aggregation traffic redirection ····································································································· 74
About link-aggregation traffic redirection·································································································· 74
Restrictions and guidelines for link-aggregation traffic redirection ··························································· 74
Enabling link-aggregation traffic redirection globally ················································································ 74
Enabling link-aggregation traffic redirection for an aggregation group····················································· 75
Isolating aggregate interfaces on the device ··································································································· 75
Enabling BFD for an aggregation group··········································································································· 75
Display and maintenance commands for Ethernet link aggregation ································································ 76
Ethernet link aggregation configuration examples ··························································································· 77
Example: Configuring a Layer 2 static aggregation group ······································································· 77
Example: Configuring a Layer 2 dynamic aggregation group ·································································· 79
Example: Configuring a Layer 2 edge aggregate interface ······································································ 81
Example: Configuring a Layer 3 static aggregation group ······································································· 82
Example: Configuring a Layer 3 dynamic aggregation group ·································································· 83
Example: Configuring S-MLAG ················································································································ 85
Configuring DRNI························································································· 88
About DRNI ······················································································································································ 88
DRNI network model ································································································································ 88
DRCP ······················································································································································· 89
Keepalive and failover mechanism ·········································································································· 89
MAD mechanism ······································································································································ 90
Device role calculation ····························································································································· 90
DRNI MAD DOWN state persistence ······································································································· 90
DR system setup process ························································································································ 91
DRNI standalone mode ···························································································································· 92
Configuration consistency check·············································································································· 92
DRNI sequence number check ················································································································ 94
DRNI packet authentication ····················································································································· 94
DRNI failure handling mechanisms ·········································································································· 95
Mechanisms to handle concurrent IPL and keepalive link failures··························································· 96
Protocols and standards ·························································································································· 99
Restrictions and guidelines: DRNI configuration ······························································································ 99
Software version requirements ················································································································ 99
DRNI configuration ··································································································································· 99
Compatibility with other features ·············································································································· 99
DRNI tasks at a glance ·································································································································· 101
Configuring DR system settings ····················································································································· 102
Configuring the DR system MAC address ····························································································· 102
Setting the DR system number ·············································································································· 102
Setting the DR system priority················································································································ 103
Setting the DR role priority of the device········································································································ 103
Enabling DRNI standalone mode on a DR member device ··········································································· 104
Configuring DR keepalive settings ················································································································· 104
Restrictions and guidelines for configuring DR keepalive settings························································· 104
Configuring DR keepalive packet parameters························································································ 104
Setting the DR keepalive interval and timeout timer ·············································································· 105
Configuring DRNI MAD ·································································································································· 105
About this task········································································································································ 105

iii
 Configuring the default DRNI MAD action on network interfaces ·························································· 106
Excluding an interface from the shutdown action by DRNI MAD ··························································· 107
Excluding all logical interfaces from the shutdown action by DRNI MAD ·············································· 107
Specifying interfaces to be shut down by DRNI MAD when the DR system splits································· 108
Enabling DRNI MAD DOWN state persistence ······················································································ 108
Configuring a DR interface ····························································································································· 109
Specifying a Layer 2 aggregate interface or VXLAN tunnel interface as the IPP ·········································· 109
Enabling the IPP to retain MAC address entries for down single-homed devices ········································· 110
Setting the mode of configuration consistency check ···················································································· 111
Disabling configuration consistency check ···································································································· 111
Enabling the short DRCP timeout timer on the IPP or a DR interface ··························································· 111
Setting the keepalive hold timer for identifying the cause of IPL down events ·············································· 112
Configuring DR system auto-recovery ··········································································································· 112
Setting the data restoration interval ··············································································································· 113
Enabling DRNI sequence number check ······································································································· 113
Enabling DRNI packet authentication ············································································································ 114
Displaying and maintaining DRNI ·················································································································· 114
DRNI configuration examples ························································································································ 115
Example: Configuring basic DRNI functions ·························································································· 115
Example: Configuring Layer 3 gateways on a DR system ····································································· 119
Configuring port isolation ··········································································· 127
About port isolation ········································································································································ 127
Assigning a port to an isolation group ············································································································ 127
Configuring community VLANs ······················································································································ 127
Display and maintenance commands for port isolation ················································································· 128
Port isolation configuration examples ············································································································ 128
Example: Configuring port isolation ······································································································· 128
Example: Configuring community VLANs in port isolation ····································································· 129
Spanning tree protocol overview ································································ 133
About STP ······················································································································································ 133
STP protocol frames ······························································································································ 133
Basic concepts in STP ··························································································································· 135
Calculation process of the STP algorithm ······························································································ 136
Example of STP calculation ··················································································································· 137
The configuration BPDU forwarding mechanism of STP ······································································· 141
STP timers ············································································································································· 142
About RSTP ··················································································································································· 142
RSTP protocol frames ···························································································································· 143
Basic concepts in RSTP························································································································· 143
How RSTP works ··································································································································· 143
RSTP BPDU processing ························································································································ 144
About PVST ··················································································································································· 144
PVST protocol frames ···························································································································· 145
How PVST works ··································································································································· 145
About MSTP ··················································································································································· 145
MSTP features ······································································································································· 145
MSTP protocol frames ··························································································································· 146
Basic concepts in MSTP ························································································································ 147
How MSTP works··································································································································· 150
MSTP implementation on devices·········································································································· 151
Rapid transition mechanism ··························································································································· 151
Edge port rapid transition ······················································································································· 151
Root port rapid transition ························································································································ 152
P/A transition ·········································································································································· 152
Protocols and standards ································································································································ 154
Configuring spanning tree protocols ·························································· 155
Restrictions and guidelines: spanning tree protocol configuration ································································· 155
Restrictions: Compatibility with other features ······················································································· 155
Restrictions: Interface configuration ······································································································· 155

iv
 Spanning tree protocol tasks at a glance ······································································································· 155
STP tasks at a glance ···························································································································· 155
RSTP tasks at a glance·························································································································· 156
PVST tasks at a glance ·························································································································· 157
MSTP tasks at a glance ························································································································· 158
Setting the spanning tree mode ····················································································································· 159
Configuring an MST region ···························································································································· 160
Configuring the root bridge or a secondary root bridge ················································································· 161
Restrictions and guidelines ···················································································································· 161
Configuring the device as the root bridge of a spanning tree································································· 161
Configuring the device as a secondary root bridge of a spanning tree ·················································· 162
Configuring the device priority ······················································································································· 162
Configuring the maximum hops of an MST region ························································································· 163
Configuring the network diameter of a switched network ·············································································· 163
Setting spanning tree timers ·························································································································· 164
Setting the timeout factor ······························································································································· 165
Configuring the BPDU transmission rate ······································································································· 165
Configuring edge ports ··································································································································· 166
Configuring path costs of ports ······················································································································ 167
About path cost ······································································································································ 167
Specifying a standard for the default path cost calculation ···································································· 167
Configuring path costs of ports ·············································································································· 170
Configuring the port priority ···························································································································· 170
Configuring the port link type ························································································································· 171
Configuring the mode a port uses to recognize and send MSTP frames······················································· 171
Enabling outputting port state transition information ······················································································ 172
Enabling the spanning tree feature ················································································································ 172
Restrictions and guidelines ···················································································································· 172
Enabling the spanning tree feature in STP/RSTP/MSTP mode ····························································· 173
Enabling the spanning tree feature in PVST mode ················································································ 173
Performing mCheck ······································································································································· 173
About mCheck········································································································································ 173
Restrictions and guidelines ···················································································································· 174
Performing mCheck globally ·················································································································· 174
Performing mCheck in interface view····································································································· 174
Disabling inconsistent PVID protection ·········································································································· 174
Configuring Digest Snooping ························································································································· 175
Configuring No Agreement Check ················································································································· 176
Configuring TC Snooping ······························································································································· 178
Configuring protection features ······················································································································ 179
Spanning tree protection tasks at a glance ···························································································· 179
Configuring BPDU guard························································································································ 179
Configuring BPDU filter ·························································································································· 180
Enabling root guard ································································································································ 181
Enabling loop guard ······························································································································· 181
Configuring port role restriction ·············································································································· 182
Configuring TC-BPDU transmission restriction ······················································································ 183
Enabling TC-BPDU guard ······················································································································ 183
Enabling BPDU drop ······························································································································ 184
Enabling PVST BPDU guard·················································································································· 184
Disabling dispute guard·························································································································· 184
Enabling the device to log events of detecting or receiving TC BPDUs························································· 187
Disabling the device from reactivating edge ports shut down by BPDU guard ·············································· 187
Enabling SNMP notifications for new-root election and topology change events ·········································· 187
Display and maintenance commands for the spanning tree protocols ·························································· 188
Spanning tree configuration examples ··········································································································· 189
Example: Configuring MSTP ·················································································································· 189
Example: Configuring PVST ·················································································································· 193
Configuring loop detection ········································································· 196
About loop detection ······································································································································ 196
Loop detection mechanism ···················································································································· 196

v
 Loop detection interval ··························································································································· 197
Loop protection actions ·························································································································· 197
Port status auto recovery ······················································································································· 197
Restriction and guidelines: DRNI configuration ····························································································· 198
Loop detection tasks at a glance ··················································································································· 198
Enabling loop detection ·································································································································· 198
Restrictions and guidelines for loop detection configuration ·································································· 198
Enabling loop detection globally············································································································· 198
Enabling loop detection on a port··········································································································· 198
Setting the loop protection action ··················································································································· 199
Restrictions and guidelines for loop protection action configuration ······················································ 199
Setting the global loop protection action ································································································ 199
Setting the loop protection action on an interface ·················································································· 199
Setting the loop detection interval ·················································································································· 199
Display and maintenance commands for loop detection ··············································································· 200
Loop detection configuration examples ········································································································· 200
Example: Configuring basic loop detection functions············································································· 200
Example: Configuring loop detection on a DR system ··········································································· 202
Configuring VLANs ···················································································· 208
About VLANs·················································································································································· 208
VLAN frame encapsulation ···················································································································· 208
VLAN types ············································································································································ 209
Port-based VLANs ································································································································· 209
MAC-based VLANs ································································································································ 210
IP subnet-based VLANs ························································································································· 212
Protocol-based VLANs ··························································································································· 213
Layer 3 communication between VLANs ······························································································· 213
Protocols and standards ························································································································ 213
Configuring a VLAN ······································································································································· 213
Restrictions and guidelines ···················································································································· 213
Creating VLANs ····································································································································· 213
Configuring port-based VLANs ······················································································································ 214
Restrictions and guidelines for port-based VLANs················································································· 214
Assigning an access port to a VLAN ······································································································ 214
Assigning a trunk port to a VLAN ··········································································································· 215
Assigning a hybrid port to a VLAN ········································································································· 215
Configuring MAC-based VLANs ···················································································································· 216
Restrictions and guidelines for MAC-based VLANs ··············································································· 216
Configuring static MAC-based VLAN assignment·················································································· 216
Configuring dynamic MAC-based VLAN assignment············································································· 217
Configuring server-assigned MAC-based VLAN ···················································································· 218
Configuring IP subnet-based VLANs ············································································································· 219
Configuring protocol-based VLANs ················································································································ 219
Configuring a VLAN group ····························································································································· 220
Configuring VLAN interfaces ·························································································································· 221
Restrictions and guidelines ···················································································································· 221
VLAN interfaces configuration tasks at a glance···················································································· 221
Prerequisites ·········································································································································· 221
Creating a VLAN interface ····················································································································· 221
Specifying a traffic processing slot for the VLAN interface ···································································· 222
Restoring the default settings for the VLAN interface ············································································ 222
Display and maintenance commands for VLANs ··························································································· 223
VLAN configuration examples ························································································································ 223
Example: Configuring port-based VLANs ······························································································ 223
Example: Configuring MAC-based VLANs····························································································· 225
Example: Configuring IP subnet-based VLANs ····················································································· 227
Example: Configuring protocol-based VLANs ························································································ 228
Configuring super VLANs ·········································································· 232
About super VLANs········································································································································ 232
Restrictions and guidelines: Super VLAN configuration················································································· 232

vi
 Super VLAN tasks at a glance ······················································································································· 232
Creating a sub-VLAN ····································································································································· 232
Configuring a super VLAN ····························································································································· 233
Configuring a super VLAN interface··············································································································· 233
Display and maintenance commands for super VLANs ················································································· 234
Super VLAN configuration examples ············································································································· 234
Example: Configuring a super VLAN ····································································································· 234
Configuring private VLAN ·········································································· 237
About private VLAN········································································································································ 237
Restrictions and guidelines: Private VLAN configuration ··············································································· 238
Private VLAN tasks at a glance ····················································································································· 238
Creating a primary VLAN ······························································································································· 238
Creating secondary VLANs ···························································································································· 238
Associating the primary VLAN with secondary VLANs ·················································································· 239
Configuring the uplink port ····························································································································· 239
Configuring a downlink port···························································································································· 239
Configuring Layer 3 communication for secondary VLANs ··········································································· 240
Display and maintenance commands for the private VLAN ··········································································· 241
Private VLAN configuration examples ··········································································································· 241
Example: Configuring promiscuous ports ······························································································ 241
Example: Configuring trunk promiscuous ports ····················································································· 244
Example: Configuring trunk promiscuous and trunk secondary ports ···················································· 247
Example: Configuring Layer 3 communication for secondary VLANs···················································· 251
Configuring voice VLANs ··········································································· 254
About voice VLANs ········································································································································ 254
Working mechanism······························································································································· 254
Methods of identifying IP phones ··········································································································· 254
Advertising the voice VLAN information to IP phones············································································ 255
IP phone access methods ······················································································································ 255
Voice VLAN assignment modes············································································································· 256
Cooperation of voice VLAN assignment modes and IP phones ···························································· 257
Security mode and normal mode of voice VLANs·················································································· 258
Restrictions and guidelines: Voice VLAN configuration ················································································· 259
Voice VLAN tasks at a glance ························································································································ 259
Configuring the QoS priority settings for voice traffic ····················································································· 259
Configuring the ACL resource occupation mode of voice VLAN ··································································· 260
Configuring voice VLAN assignment modes for a port ·················································································· 261
Configuring a port to operate in automatic voice VLAN assignment mode ············································ 261
Configuring a port to operate in manual voice VLAN assignment mode················································ 262
Enabling LLDP for automatic IP phone discovery ·························································································· 263
Configuring LLDP or CDP to advertise a voice VLAN ··················································································· 263
Configuring LLDP to advertise a voice VLAN ························································································ 263
Configuring CDP to advertise a voice VLAN ·························································································· 264
Display and maintenance commands for voice VLANs ················································································· 264
Voice VLAN configuration examples ·············································································································· 265
Example: Configuring automatic voice VLAN assignment mode ··························································· 265
Example: Configuring manual voice VLAN assignment mode ······························································· 266
Configuring MVRP ····················································································· 269
About MVRP ·················································································································································· 269
MRP implementation ······························································································································ 269
MRP messages ······································································································································ 269
MRP timers ············································································································································ 271
MVRP registration modes ······················································································································ 271
Protocols and standards ························································································································ 272
Restrictions and guidelines: MVRP configuration ·························································································· 272
MVRP tasks at a glance ································································································································· 272
Prerequisites ·················································································································································· 272
Enabling MVRP ·············································································································································· 273
Setting an MVRP registration mode ··············································································································· 273

vii
 Setting MRP timers ········································································································································ 273
Enabling GVRP compatibility ························································································································· 274
Display and maintenance commands for MVRP ··························································································· 275
MVRP configuration examples ······················································································································· 275
Example: Configuring basic MVRP functions························································································· 275
Configuring QinQ ······················································································· 285
About QinQ ···················································································································································· 285
QinQ benefits ········································································································································· 285
How QinQ works ···································································································································· 285
QinQ implementations···························································································································· 286
Protocols and standards ························································································································ 287
Restrictions and guidelines: QinQ configuration ···························································································· 287
Enabling QinQ ················································································································································ 287
Configuring transmission for transparent VLANs ··························································································· 288
Configuring the TPID for VLAN tags ·············································································································· 289
About TPID············································································································································· 289
Restrictions and guidelines ···················································································································· 289
Configuring the TPID for CVLAN tags···································································································· 290
Configuring the TPID for SVLAN tags ···································································································· 290
Setting the 802.1p priority in SVLAN tags ······································································································ 290
About the 802.1p priority in SVLAN tags································································································ 290
Prerequisites for setting the 802.1p priority in SVLAN tags ··································································· 290
Tasks at a glance ··································································································································· 291
Creating a traffic class and configuring CVLAN match criteria ······························································ 291
Creating a traffic behavior and configuring a priority marking action for SVLAN tags ··························· 291
Creating a QoS policy ···························································································································· 291
Applying the QoS policy ························································································································· 292
Display and maintenance commands for QinQ ····························································································· 292
QinQ configuration examples ························································································································· 292
Example: Configuring basic QinQ ·········································································································· 292
Example: Configuring VLAN transparent transmission ·········································································· 294
Configuring VLAN mapping ······································································· 297
About VLAN mapping····································································································································· 297
VLAN mapping types ····························································································································· 297
VLAN mapping application scenarios ···································································································· 297
VLAN mapping implementations ············································································································ 299
Restrictions and guidelines: VLAN mapping configuration ············································································ 302
VLAN mapping tasks at a glance ··················································································································· 302
Prerequisites ·················································································································································· 302
Configuring one-to-one VLAN mapping ········································································································· 303
Configuring many-to-one VLAN mapping ······································································································ 303
Configuring one-to-two VLAN mapping ········································································································· 305
Configuring two-to-two VLAN mapping ·········································································································· 305
Display and maintenance commands for VLAN mapping ·············································································· 306
VLAN mapping configuration examples ········································································································· 306
Example: Configuring one-to-one VLAN mapping ················································································· 306
Example: Configuring many-to-one VLAN mapping ·············································································· 309
Example: Configuring one-to-two and two-to-two VLAN mapping ························································· 310
Configuring LLDP ······················································································ 314
About LLDP ···················································································································································· 314
LLDP agents and bridge modes············································································································· 314
LLDP frame formats ······························································································································· 315
LLDPDUs ··············································································································································· 316
TLVs ······················································································································································· 316
Management address ···························································································································· 319
LLDP operating modes ·························································································································· 319
Transmitting and receiving LLDP frames ······························································································· 320
Collaboration with Track························································································································· 320
Protocols and standards ························································································································ 320

viii
 Restrictions and guidelines: LLDP configuration···························································································· 321
LLDP tasks at a glance ·································································································································· 321
Enabling LLDP ··············································································································································· 322
Setting the LLDP bridge mode ······················································································································· 322
Setting the LLDP operating mode ·················································································································· 322
Setting the LLDP reinitialization delay············································································································ 323
Configuring the advertisable TLVs ················································································································· 323
Configuring advertisement of the management address TLV ········································································ 326
Setting the encapsulation format for LLDP frames ························································································ 327
Setting LLDP frame transmission parameters ······························································································· 327
Setting the timeout for receiving LLDP frames ······························································································ 328
Enabling LLDP polling ···································································································································· 328
Disabling LLDP PVID inconsistency check ···································································································· 329
Configuring CDP compatibility ······················································································································· 329
Configuring LLDP trapping and LLDP-MED trapping ···················································································· 331
Configuring MAC address borrowing ············································································································· 332
Setting the source MAC address of LLDP frames ················································································· 332
Enabling generation of ARP or ND entries for received management address TLVs···························· 332
Display and maintenance commands for LLDP ····························································································· 333
LLDP configuration examples ························································································································ 334
Example: Configuring basic LLDP functions ·························································································· 334
Example: Configuring CDP-compatible LLDP························································································ 338
Configuring L2PT ······················································································· 340
About L2PT ···················································································································································· 340
L2PT application scenario ······················································································································ 340
Supported protocols ······························································································································· 340
L2PT operating mechanism ··················································································································· 341
L2PT tasks at a glance··································································································································· 342
Enabling L2PT················································································································································ 342
Restrictions and guidelines for L2PT ····································································································· 342
Enabling L2PT for a protocol in Layer 2 Ethernet interface view ··························································· 343
Enabling L2PT for a protocol in Layer 2 aggregate interface view························································· 343
Setting the destination multicast MAC address for tunneled packets ···························································· 343
Display and maintenance commands for L2PT ····························································································· 344
L2PT configuration examples ························································································································ 344
Example: Configuring L2PT for STP ······································································································ 344
Example: Configuring L2PT for LACP···································································································· 345
Configuring PPPoE relay ··········································································· 350
About PPPoE ················································································································································· 350
PPPoE network structure ······················································································································· 350
PPPoE relay fundamentals ···················································································································· 351
Protocols and standards ························································································································ 353
Restrictions and guidelines for PPPoE ·········································································································· 353
Configuring the PPPoE relay ························································································································· 353
PPPoE relay tasks at a glance ··············································································································· 353
Enabling the PPPoE relay function ········································································································ 353
Configuring PPPoE relay trusted ports ·································································································· 353
Enabling an interface to strip the vendor-specific tags of the PPPoE server-side packets ···················· 354
Configuring the circuit ID and remote ID padding formats for the client-side PPPoE packets on the PPPoE
relay ······················································································································································· 355
Configuring the vendor-specific tag processing policy for the client-side PPPoE packets on the PPPoE
relay ······················································································································································· 355
Display and maintenance commands for PPPoE relay ················································································· 356
PPPoE configuration examples ····················································································································· 357
Example: Configuring PPPoE relay ······································································································· 357
Document conventions and icons ······························································ 359
Conventions ··················································································································································· 359
Network topology icons ·································································································································· 360

ix
Support and other resources ····································································· 361
Accessing Hewlett Packard Enterprise Support····························································································· 361
Accessing updates ········································································································································· 361
Websites ················································································································································ 362
Customer self repair ······························································································································· 362
Remote support······································································································································ 362
Documentation feedback ······················································································································· 362
Index·········································································································· 364

x
Configuring Ethernet interfaces
About Ethernet interface
The Switch Series supports Ethernet interfaces, management Ethernet interfaces, Console
interfaces, and USB interfaces. For the interface types and the number of interfaces supported by a
switch model, see the installation guide.
This chapter describes how to configure management Ethernet interfaces and Ethernet interfaces.

Configuring a management Ethernet interface

About this task
A management interface uses an RJ-45 connector. You can connect the interface to a PC for
software loading and system debugging, or connect it to a remote NMS for remote system
management.
Each member device in an IRF system has a management Ethernet interface. For management link
backup, perform the following tasks:
1. Connect your PC to the management Ethernet interface on the master device.
2. Connect the PC to a management Ethernet interface with the same interface number on a
subordinate device.
The two management Ethernet interfaces operate as follows:
• When the IRF system has multiple management Ethernet interfaces, only the management
Ethernet interface on the master device processes management traffic.
• When the management Ethernet interface on the master device fails, the management
Ethernet interface on the subordinate device takes over to process management traffic.
• When the management Ethernet interface on the master device recovers, it takes over to
process management traffic again.
Procedure
1. Enter system view.
system-view
2. Enter management Ethernet interface view.
interface M-GigabitEthernet interface-number
3. (Optional.) Set the interface description.
description text
The default setting is M-GigabitEthernet0/0/0 Interface.
4. (Optional.) Set the duplex mode for the management Ethernet interface.
duplex { auto | full | half }
By default, the duplex mode is auto for a management Ethernet interface.
5. (Optional.)_Set the speed for the management Ethernet interface.
speed { 10 | 100 | 1000 | auto }
By default, the speed is auto for a management Ethernet interface.
6. (Optional.) Shut down the interface.
shutdown

1
 By default, the management Ethernet interface is up.

Ethernet interface naming conventions

The Ethernet interfaces are named in the format of interface type A/B/C. The letters that follow the
interface type represent the following elements:
• A—IRF member ID. If the switch is not in an IRF fabric, A is 1 by default.
• B—Card slot number. 0 indicates the interface is a fixed interface of the switch. 1 indicates the
interface is on expansion interface-card 1. 2 indicates the interface is on expansion
interface-card 2.
• C—Port index.
A 10-GE breakout interface split from a 40-GE interface is named in the format of interface type
A/B/C:D. A/B/C is the interface number of the 40-GE interface. D is the number of the 10-GE
interface, which is in the range of 1 to 4. For information about splitting a 40-GE interface, see
"Splitting a 40-GE interface and combining 10-GE breakout interfaces."

Configuring common Ethernet interface settings

This section describes the settings common to Layer 2 Ethernet interfaces, Layer 3 Ethernet
interfaces, and Layer 3 Ethernet subinterfaces. For more information about the settings specific to
Layer 2 Ethernet interfaces, see "Configuring a Layer 2 Ethernet interface." For more information
about the settings specific to Layer 3 Ethernet interfaces or subinterfaces, see "Configuring a Layer
3 Ethernet interface or subinterface."

Configuring the physical type for a combo interface (single

combo interface)
About this task
A combo interface is a logical interface that physically comprises one fiber combo port and one
copper combo port. The two ports share one forwarding channel and one interface view. As a result,
they cannot work simultaneously. When you activate one port, the other port is automatically
disabled. If you execute the combo enable auto command on a combo interface, the interface
automatically identifies the media inserted and activates the corresponding combo port. In the
interface view, you can activate the fiber or copper combo port, and configure other port attributes
such as the interface rate and duplex mode.
Prerequisites
Before you configure combo interfaces, complete the following tasks:
• Determine the combo interfaces on your device. Identify the two physical interfaces that belong
to each combo interface according to the marks on the device panel.
• Use the display interface command to determine which port (fiber or copper) of each
combo interface is active:
 If the copper port is active, the output includes "Media type is twisted pair."
 If the fiber port is active, the output does not include this information.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.

2
 interface interface-type interface-number
3. Activate the copper combo port or fiber combo port.
combo enable { auto | copper | fiber }
The default is auto.

Splitting a 40-GE interface and combining 10-GE breakout

interfaces
About this task
You can use a 40-GE interface as a single interface. To improve port density, reduce costs, and
improve network flexibility, you can also split a 40-GE interface into four 10-GE breakout interfaces.
The 10-GE breakout interfaces support the same configuration and attributes as common 10-GE
interfaces, except that they are numbered differently.
For example, you can split 40-GE interface FortyGigE 1/0/1 into four 10-GE breakout interfaces
Ten-GigabitEthernet 1/0/1:1 through Ten-GigabitEthernet 1/0/1:4.
If you need higher bandwidth on a single interface, you can combine the four 10-GE breakout
interfaces into a 40-GE interface.
Restrictions and guidelines for 40-GE interface splitting and 10-GE breakout interface
combining
• A 40-GE interface split into four 10-GE breakout interfaces must use a dedicated 1-to-4 cable.
After you combine the four 10-GE breakout interfaces, replace the dedicated 1-to-4 cable with a
dedicated 1-to-1 cable or a 40-GE transceiver module. For more information about the cable or
transceiver module, see the installation guides.
• Device reboot is not required for this feature to take effect. To view information about the
breakout or combined interfaces, execute the display interface brief command.
Splitting a 40-GE interface into four 10-GE breakout interfaces
1. Enter system view.
system-view
2. Enter 40-GE interface view.
interface fortygige interface-number
3. Split the 40-GE interface into four 10-GE breakout interfaces.
using tengige
By default, a 40-GE interface is not split and operates as a single interface.
Combining four 10-GE breakout interfaces into a 40-GE interface
1. Enter system view.
system-view
2. Enter the view of any 10-GE breakout interface.
interface ten-gigabitethernet interface-number
3. Combine the four 10-GE breakout interfaces into a 40-GE interface.
using fortygige
By default, a 10-GE breakout interface operates as a single interface.

3
Configuring basic settings of an Ethernet interface
About this task
You can configure an Ethernet interface to operate in one of the following duplex modes:
• Full-duplex mode—The interface can send and receive packets simultaneously.
• Half-duplex mode—The interface can only send or receive packets at a given time.
• Autonegotiation mode—The interface negotiates a duplex mode with its peer.
You can set the speed of an Ethernet interface or enable it to automatically negotiate a speed with its
peer. For a 100-Mbps or 1000-Mbps Layer 2 Ethernet interface, you can also set speed options for
autonegotiation. The two ends can select a speed only from the available options. For more
information, see "Setting speed options for autonegotiation on an Ethernet interface."
Restrictions and guidelines
The shutdown and port up-mode commands are mutually exclusive.
The shutdown command cannot be configured on an Ethernet interface in a loopback test.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Set the description for the Ethernet interface.
description text
The default setting is interface-name Interface. For example, GigabitEthernet1/0/1 Interface.
4. Set the duplex mode for the Ethernet interface.
duplex { auto | full | half }
By default, the duplex mode is auto for Ethernet interfaces.
Ethernet copper ports that operate in 1000 Mbps or 10000 Mbps and fiber ports do not support
the half keyword.
5. Set the speed for the Ethernet interface.
speed { 10 | 100 | 1000 | 2500 | 5000 | 10000 | 25000 | 40000 | auto }
By default, an Ethernet interface negotiates a speed with its peer.
6. Set the expected bandwidth for the Ethernet interface.
bandwidth bandwidth-value
By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.
7. Bring up the Ethernet interface.
undo shutdown
By default, Ethernet interfaces are in up state.

Configuring basic settings of an Ethernet subinterface

Restrictions and guidelines for Ethernet subinterface basic settings
• The shutdown, port up-mode, and loopback commands are mutually exclusive.
• The shutdown command cannot be configured on an Ethernet interface in a loopback test.

4
Procedure
1. Enter system view.
system-view
2. Create an Ethernet subinterface.
interface interface-type interface-number.subnumber
3. Set the description for the Ethernet subinterface.
description text
The default setting is interface-name Interface. For example, GigabitEthernet1/0/1.1
Interface.
4. Set the expected bandwidth for the Ethernet subinterface.
bandwidth bandwidth-value
By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.
5. Bring up the Ethernet subinterface.
undo shutdown
By default, Ethernet subinterfaces are in up state.

Enabling automatic negotiation for speed downgrading

About this task
Perform this task to enable interfaces at two ends of a link to automatically negotiate about
downgrading their speed when the following conditions exist:
• The interfaces automatically negotiate a speed of 1000 Mbps.
• The interfaces cannot operate at 1000 Mbps because of link restrictions.
Restrictions and guidelines
This feature is available only on GE interfaces.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Enable automatic negotiation for speed downgrading.
speed auto downgrade
By default, automatic negotiation for speed downgrading is enabled.

Configuring the link mode of an Ethernet interface

About this task
Interfaces on the device can operate either as Layer 2 or Layer 3 Ethernet interfaces. You can use
commands to set the link mode to bridge or route.
Restrictions and guidelines
After you change the link mode of an Ethernet interface, all commands (except the description,
duplex, jumboframe enable, speed, shutdown, and combo enable commands) on the
Ethernet interface are restored to their defaults in the new link mode.

5
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Configure the link mode of the Ethernet interface.
port link-mode { bridge | route }
By default, all Ethernet interfaces on the device operate in bridge mode.

Configuring jumbo frame support

About this task
Jumbo frames are frames larger than 1536 bytes and are typically received by an Ethernet interface
during high-throughput data exchanges, such as file transfers.
The Ethernet interface processes jumbo frames in the following ways:
• When the Ethernet interface is configured to deny jumbo frames (by using the undo
jumboframe enable command), the Ethernet interface discards jumbo frames.
• When the Ethernet interface is configured with jumbo frame support, the Ethernet interface
performs the following operations:
 Processes jumbo frames within the specified length.
 Discards jumbo frames that exceed the specified length.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Configure jumbo frame support.
jumboframe enable [ size ]
By default, the device allows jumbo frames within 10000 bytes to pass through.
If you set the size argument multiple times, the most recent configuration takes effect.

Configuring physical state change suppression on an

Ethernet interface
About this task
The physical link state of an Ethernet interface is either up or down. Each time the physical link of an
interface comes up or goes down, the interface immediately reports the change to the CPU. The
CPU then performs the following operations:
• Notifies the upper-layer protocol modules (such as routing and forwarding modules) of the
change for guiding packet forwarding.
• Automatically generates traps and logs to inform users to take the correct actions.
To prevent frequent physical link flapping from affecting system performance, configure physical
state change suppression. You can configure this feature to suppress only link-down events, only
link-up events, or both. If an event of the specified type still exists when the suppression interval
expires, the system reports the event to the CPU.

6
Restrictions and guidelines
Do not enable this feature on an interface that has RRPP, spanning tree protocols, or Smart Link
enabled.
You can configure different suppression intervals for link-up and link-down events.
If you execute the link-delay command multiple times on an interface, the following rules apply:
• You can configure the suppression intervals for link-up and link-down events separately.
• If you configure the suppression interval multiple times for link-up or link-down events, the most
recent configuration takes effect.
The link-delay, dampening, and port link-flap protect enable commands are
mutually exclusive on an Ethernet interface.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Configure physical state change suppression.
link-delay { down | up } [ msec ] delay-time
By default, each time the physical link of an interface goes up or comes down, the interface
immediately reports the change to the CPU.

Configuring dampening on an Ethernet interface

About this task
The interface dampening feature uses an exponential decay mechanism to prevent excessive
interface flapping events from adversely affecting routing protocols and routing tables in the network.
Suppressing interface state change events protects the system resources.
If an interface is not dampened, its state changes are reported. For each state change, the system
also generates an SNMP trap and log message.
After a flapping interface is dampened, it does not report its state changes to the CPU. For state
change events, the interface only generates SNMP trap and log messages.
Parameters
• Penalty—The interface has an initial penalty of 0. When the interface flaps, the penalty
increases by 1000 for each down event until the ceiling is reached. It does not increase for up
events. When the interface stops flapping, the penalty decreases by half each time the half-life
timer expires until the penalty drops to the reuse threshold.
• Ceiling—The penalty stops increasing when it reaches the ceiling.
• Suppress-limit—The accumulated penalty that triggers the device to dampen the interface. In
dampened state, the interface does not report its state changes to the CPU. For state change
events, the interface only generates SNMP traps and log messages.
• Reuse-limit—When the accumulated penalty decreases to this reuse threshold, the interface is
not dampened. Interface state changes are reported to the upper layers. For each state change,
the system also generates an SNMP trap and log message.
• Decay—The amount of time (in seconds) after which a penalty is decreased.
• Max-suppress-time—The maximum amount of time the interface can be dampened. If the
penalty is still higher than the reuse threshold when this timer expires, the penalty stops
increasing for down events. The penalty starts to decrease until it drops below the reuse
threshold.

7
 When configuring the dampening command, follow these rules to set the values mentioned above:
•
(Max-suppress-time/Decay)
The ceiling is equal to 2 × reuse-limit. It is not user configurable.
• The configured suppress limit is lower than or equal to the ceiling.
• The ceiling is lower than or equal to the maximum suppress limit supported.
Figure 1 shows the change rule of the penalty value. The lines t0 and t2 indicate the start time and
end time of the suppression, respectively. The period from t0 to t2 indicates the suppression period, t0
to t1 indicates the max-suppress-time, and t1 to t2 indicates the complete decay period.
Figure 1 Change rule of the penalty value
Penalty

t0 t1 t2

Ceiling

Suppress limit

Reuse limit

Time

Not suppressed Suppressed Not suppressed

Restrictions and guidelines

• The dampening, link-delay, and port link-flap protect enable commands are
mutually exclusive on an interface.
• The dampening command does not take effect on the administratively down events. When
you execute the shutdown command, the penalty restores to 0, and the interface reports the
down event to the upper-layer protocols.
• Do not enable the dampening feature on an interface with RRPP, MSTP, or Smart Link enabled.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Enable dampening on the interface.
dampening [ half-life reuse suppress max-suppress-time ]
By default, interface dampening is disabled on Ethernet interfaces.

8
Enabling link flapping protection on an interface
About this task
Link flapping on an interface changes network topology and increases the system overhead. For
example, in an active/standby link scenario, when interface status on the active link changes
between UP and DOWN, traffic switches between active and standby links. To solve this problem,
configure this feature on the interface.
With this feature enabled on an interface, when the interface goes down, the system enables link
flapping detection. During the link flapping detection interval, if the number of detected flaps reaches
or exceeds the link flapping detection threshold, the system shuts down the interface.
Restrictions and guidelines
This feature takes effect only if it is configured in both the system view and interface view.
IRF system stability might be affected by IRF physical link flapping. For IRF system stability, this
feature is enabled by default on IRF physical interfaces and the enabling status of this feature is not
affected by the status of global link flapping protection. When the number of flaps detected on an IRF
physical interface exceeds the threshold within the detection interval, the device outputs a log rather
than shuts down the IRF physical interface.
The dampening, link-delay, and port link-flap protect enable commands are
mutually exclusive on an Ethernet interface.
To bring up an interface that has been shut down by link flapping protection, execute the undo
shutdown command.
In the display interface command output, the Link-Flap DOWN value of the Current state
field indicates that the interface has been shut down by link flapping protection.
Procedure
1. Enter system view.
system-view
2. Enable link flapping protection globally.
link-flap protect enable
By default, link flapping protection is disabled globally.
3. Enter Ethernet interface view.
interface interface-type interface-number
4. Enable link flapping protection on the Ethernet interface.
port link-flap protect enable [ interval interval | threshold threshold ]
*
By default, link flapping protection is disabled on an Ethernet interface.

Configuring storm suppression

About this task
The storm suppression feature ensures that the size of a particular type of traffic (broadcast,
multicast, or unknown unicast traffic) does not exceed the threshold on an interface. When the
broadcast, multicast, or unknown unicast traffic on the interface exceeds this threshold, the system
discards packets until the traffic drops below this threshold.
Both storm suppression and storm control can suppress storms on an interface. Storm suppression
uses the chip to suppress traffic. Storm suppression has less impact on the device performance than
storm control, which uses software to suppress traffic.

9
Restrictions and guidelines
• For the traffic suppression result to be determined, do not configure storm control together with
storm suppression for the same type of traffic. For more information about storm control, see
"Configuring storm control on an Ethernet interface."
• When you configure the suppression threshold in kbps, the actual suppression threshold might
be different from the configured one as follows:
 If the configured value is smaller than 64, the value of 64 takes effect.
 If the configured value is greater than 64 but not an integer multiple of 64, the integer
multiple of 64 that is greater than and closest to the configured value takes effect.
For the suppression threshold that takes effect, see the prompt on the device.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Enable broadcast suppression and set the broadcast suppression threshold.
broadcast-suppression { ratio | pps max-pps | kbps max-kbps }
By default, broadcast suppression is disabled.
4. Enable multicast suppression and set the multicast suppression threshold.
multicast-suppression { ratio | pps max-pps | kbps max-kbps }
By default, multicast suppression is disabled.
5. Enable unknown unicast suppression and set the unknown unicast suppression threshold.
unicast-suppression { ratio | pps max-pps | kbps max-kbps }
By default, unknown unicast suppression is disabled.

Configuring generic flow control on an Ethernet interface

About this task
To avoid dropping packets on a link, you can enable generic flow control at both ends of the link.
When traffic congestion occurs at the receiving end, the receiving end sends a flow control (Pause)
frame to ask the sending end to suspend sending packets. Generic flow control includes the
following types:
• TxRx-mode generic flow control—Enabled by using the flow-control command. With
TxRx-mode generic flow control enabled, an interface can both send and receive flow control
frames:
 When congestion occurs, the interface sends a flow control frame to its peer.
 When the interface receives a flow control frame from its peer, it suspends sending packets
to its peer.
• Rx-mode generic flow control—Enabled by using the flow-control receive enable
command. With Rx-mode generic flow control enabled, an interface can receive flow control
frames, but it cannot send flow control frames:
 When congestion occurs, the interface cannot send flow control frames to its peer.
 When the interface receives a flow control frame from its peer, it suspends sending packets
to its peer.
To handle unidirectional traffic congestion on a link, configure the flow-control receive
enable command at one end and the flow-control command at the other end. To enable both
ends of a link to handle traffic congestion, configure the flow-control command at both ends.

10
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Enable generic flow control.
 Enable TxRx-mode generic flow control.
flow-control
 Enable Rx-mode generic flow control.
flow-control receive enable
By default, generic flow control is disabled on an Ethernet interface.

Enabling energy saving features on an Ethernet interface

About this task
This feature contains auto power-down and Energy Efficient Ethernet (EEE) on an Ethernet
interface.
When an Ethernet interface with auto power-down enabled has been down for a certain period of
time, both of the following events occur:
• The device automatically stops supplying power to the Ethernet interface.
• The Ethernet interface enters the power save mode.
The time period depends on the chip specifications and is not configurable.
When the Ethernet interface comes up, both of the following events occur:
• The device automatically restores power supply to the Ethernet interface.
• The Ethernet interface restores to its normal state.
With Energy Efficient Ethernet (EEE) enabled, a link-up interface enters low power state if it has not
received any packet for a period of time. The time period depends on the chip specifications and is
not configurable. When a packet arrives later, the device automatically restores power supply to the
interface and the interface restores to the normal state.
Restrictions and guidelines
Fiber ports do not support this feature.
Configuring auto power-down on an Ethernet interface
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Enable auto power-down on the Ethernet interface.
port auto-power-down
By default, auto power-down is disabled on an Ethernet interface.
Configuring EEE on an Ethernet interface
1. Enter system view.
system-view
2. Enter Ethernet interface view.

11
 interface interface-type interface-number
3. Enable EEE on the Ethernet interface.
eee enable
By default, EEE is disabled on an Ethernet interface.

Setting the statistics polling interval

About this task
To display the interface statistics collected in the last statistics polling interval, use the display
interface command. To clear the interface statistics, use the reset counters interface
command.
Setting the statistics polling interval in Ethernet interface view
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Set the statistics polling interval for the Ethernet interface.
flow-interval interval
By default, the statistics polling interval is 300 seconds.

Enabling loopback testing on an Ethernet interface

About this task
Perform this task to determine whether an Ethernet link works correctly.
Loopback testing includes the following types:
• Internal loopback testing—Tests the device where the Ethernet interface resides. The
Ethernet interface sends outgoing packets back to the local device. If the device fails to receive
the packets, the device fails.
• External loopback testing—Tests the inter-device link. The Ethernet interface sends incoming
packets back to the remote device. If the remote device fails to receive the packets, the
inter-device link fails.
Restrictions and guidelines
• After you enable this feature on an Ethernet interface, the interface does not forward data
traffic.
• An Ethernet interface in a loopback test cannot correctly forward data packets.
• You cannot perform a loopback test on Ethernet interfaces manually brought down (displayed
as in ADM or Administratively DOWN state).
• The speed, duplex, mdix-mode, and shutdown commands cannot be configured on an
Ethernet interface in a loopback test.
• After you enable this feature on an Ethernet interface, the Ethernet interface switches to full
duplex mode. After you disable this feature, the Ethernet interface restores to its duplex setting.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.

12
 interface interface-type interface-number
3. Enable loopback testing.
loopback{ external | internal }

Forcibly bringing up a fiber port

About this task
As shown in Figure 2, a fiber port uses separate fibers for transmitting and receiving packets. The
physical state of the fiber port is up only when both transmit and receive fibers are physically
connected. If one of the fibers is disconnected, the fiber port does not work.
To enable a fiber port to forward traffic over a single link, you can use the port up-mode command.
This command forcibly brings up a fiber port, even when no fiber links or transceiver modules are
present for the fiber port. When one fiber link is present and up, the fiber port can forward packets
over the link unidirectionally.
Figure 2 Forcibly bring up a fiber port
When Ethernet interfaces
Correct fiber When Ethernet interfaces
cannot be or are not forcibly
connection are forcibly brought up
brought up

Device A Device A Device A

Device B Device B Device B

Fiber port Tx end Rx end Fiber link The fiber is disconnected.

Packets The interface is down.

Restrictions and guidelines

• Copper ports and combo interfaces do not support this feature.
• The port up-mode and shutdown commands are mutually exclusive.
• A fiber port does not support this feature if the port is shut down by a protocol or by using the
shutdown command.
• A fiber port does not support this feature if the port joins an aggregation group.
• The following operations on a fiber port will cause link-down and link-up events before the port
finally stays up:
 Configure both the port up-mode command and the speed or duplex command.

13
  Install or remove fibers or transceiver modules after you forcibly bring up the fiber port.
• An SFP+ fiber port forcibly brought up cannot correctly forward traffic if it is installed with a
fiber-to-copper converter or 100/1000-Mbps transceiver module. To solve the problem, use the
undo port up-mode command on the fiber port.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Forcibly bring up the fiber port.
port up-mode
By default, a fiber port is not forcibly brought up, and the physical state of a fiber port depends
on the physical state of the fibers.

Configuring interface alarm functions

About this task
With the interface alarm functions enabled, when the number of error packets on an interface in
normal state within the specified interval exceeds the upper threshold, the interface generates an
upper threshold exceeding alarm and enters the alarm state. When the number of error packets on
an interface in the alarm state within the specified interval drops below the lower threshold, the
interface generates a recovery alarm and restores to the normal state.
Restrictions and guidelines
You can configure the error packet alarm parameters in system view and interface view.
• The configuration in system view takes effect on all interfaces of the specified slot. The
configuration in interface view takes effect only on the current interface.
• For an interface, the configuration in interface view takes priority, and the configuration in
system view is used only when no configuration is made in interface view.
An interface that is shut down because of error packet alarms cannot automatically recover. To bring
up the interface, execute the undo shutdown command on the interface.
Enabling interface alarm functions
1. Enter system view.
system-view
2. Enable alarm functions for the interface monitoring module.
snmp-agent trap enable ifmonitor { crc-error | input-error |
output-error } *
By default, all alarm functions are enabled for interfaces.
Configuring CRC error packet parameters
1. Enter system view.
system-view
2. Configure global CRC error packet alarm parameters.
ifmonitor crc-error slot slot-number high-threshold high-value
low-threshold low-value interval interval [ shutdown ]
By default, the upper threshold is 1000, the lower threshold is 100, and the statistics collection
and comparison interval is 10 seconds for CRC error packets.

14
 3. Enter Ethernet interface view.
interface interface-type interface-number
4. Configure CRC error packet alarm parameters for the interface.
port ifmonitor crc-error [ ratio ] high-threshold high-value
low-threshold low-value interval interval [ shutdown ]
By default, an interface uses the global CRC error packet alarm parameters.
Configuring input error packet alarm parameters
1. Enter system view.
system-view
2. Configure global input error packet alarm parameters.
ifmonitor input-error slot slot-number high-threshold high-value
low-threshold low-value interval interval [ shutdown ]
By default, the upper threshold is 1000, the lower threshold is 100, and the statistics collection
and comparison interval is 10 seconds for input error packets.
3. Enter Ethernet interface view.
interface interface-type interface-number
4. Configure input error packet alarm parameters for the interface.
port ifmonitor input-error high-threshold high-value low-threshold
low-value interval interval [ shutdown ]
By default, an interface uses the global input error packet alarm parameters.
Configuring output error packet alarm parameters
1. Enter system view.
system-view
2. Configure global output error packet alarm parameters.
ifmonitor output-error slot slot-number high-threshold high-value
low-threshold low-value interval interval [ shutdown ]
By default, the upper threshold is 1000, the lower threshold is 100, and the statistics collection
and comparison interval is 10 seconds for output error packets.
3. Enter Ethernet interface view.
interface interface-type interface-number
4. Configure output error packet alarm parameters.
port ifmonitor output-error high-threshold high-value low-threshold
low-value interval interval [ shutdown ]
By default, an interface uses the global output error packet alarm parameters.

Restoring the default settings for an interface

Restrictions and guidelines

CAUTION:
This feature might interrupt ongoing network services. Make sure you are fully aware of the impacts
of this feature when you use it in a live network.

This feature might fail to restore the default settings for some commands because of command
dependencies or system restrictions. You can use the display this command in interface view to
check for these commands and perform their undo forms or follow the command reference to

15
 restore their default settings. If your restoration attempt still fails, follow the error message to resolve
the problem.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view or Ethernet subinterface view.
interface interface-type { interface-number |
interface-number.subnumber }
3. Restore the default settings for the interface.
default

Configuring a Layer 2 Ethernet interface

Setting speed options for autonegotiation on an Ethernet
interface
About this task
By default, speed autonegotiation enables an Ethernet interface to negotiate with its peer for the
highest speed that both ends support. You can narrow down the speed option list for negotiation.
Figure 3 Speed autonegotiation application scenario

IP network

Port D Device

Port A Port C

Port B

Sever 1 Sever 2 Sever 3

As shown in Figure 3:
• All interfaces on the device are operating in speed autonegotiation mode, with the highest
speed of 1000 Mbps.
• Port D provides access to the Internet for the servers.
If the transmission rate of each server in the server cluster is 1000 Mbps, their total transmission rate
exceeds the capability of Port D.
To avoid congestion on Port D, configure 100 Mbps as the only option available for speed negotiation
on interfaces Port A, Port B, and Port C. As a result, the transmission rate on each interface
connected to a server is limited to 100 Mbps.

16
Restrictions and guidelines
The speed and speed auto commands supersede each other, and whichever is configured last
takes effect.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Set speed options for autonegotiation.
speed auto { 10 | 100 | 1000 } *
No speed options are set for autonegotiation.

Setting the MDIX mode of an Ethernet interface

IMPORTANT:
Fiber ports do not support the MDIX mode setting.

About this task

A physical Ethernet interface has eight pins, each of which plays a dedicated role. For example, pins
1 and 2 transmit signals, and pins 3 and 6 receive signals. You can use both crossover and
straight-through Ethernet cables to connect copper Ethernet interfaces. To accommodate these
types of cables, a copper Ethernet interface can operate in one of the following Medium Dependent
Interface-Crossover (MDIX) modes:
• MDIX mode—Pins 1 and 2 are receive pins and pins 3 and 6 are transmit pins.
• MDI mode—Pins 1 and 2 are transmit pins and pins 3 and 6 are receive pins.
• AutoMDIX mode—The interface negotiates pin roles with its peer.

NOTE:
This feature does not take effect on pins 4, 5, 7, and 8 of physical Ethernet interfaces.
• Pins 4, 5, 7, and 8 of interfaces operating at 10 Mbps or 100 Mbps do not receive or transmit
signals.
• Pins 4, 5, 7, and 8 of interfaces operating at 1000 Mbps or higher rates receive and transmit
signals.

Restrictions and guidelines

To enable a copper Ethernet interface to communicate with its peer, set the MDIX mode of the
interface by following these guidelines:
• Typically, set the MDIX mode of the interface to AutoMDIX. Set the MDIX mode of the interface
to MDI or MDIX only when the device cannot determine the cable type.
• When a straight-through cable is used, configure the interface to operate in an MDIX mode
different than its peer.
• When a crossover cable is used, perform one of the following tasks:
 Configure the interface to operate in the same MDIX mode as its peer.
 Configure either end to operate in AutoMDIX mode.
Procedure
1. Enter system view.

17
 system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Set the MDIX mode of the Ethernet interface.
mdix-mode { automdix | mdi | mdix }
By default, a copper Ethernet interface operates in auto mode to negotiate pin roles with its
peer.

Configuring storm control on an Ethernet interface

About this task
Storm control compares broadcast, multicast and unknown unicast traffic regularly with their
respective traffic thresholds on an Ethernet interface. For each type of traffic, storm control provides
a lower threshold and an upper threshold.
Depending on your configuration, when a particular type of traffic exceeds its upper threshold, the
interface performs either of the following operations:
• Blocks this type of traffic and forwards other types of traffic—Even though the interface
does not forward the blocked traffic, it still counts the traffic. When the blocked traffic drops
below the lower threshold, the interface begins to forward the traffic.
• Goes down automatically—The interface goes down automatically and stops forwarding any
traffic. When the blocked traffic drops below the lower threshold, the interface does not
automatically come up. To bring up the interface, use the undo shutdown command or
disable the storm control feature.
You can configure an Ethernet interface to output threshold event traps and log messages when
monitored traffic meets one of the following conditions:
• Exceeds the upper threshold.
• Drops below the lower threshold.
Both storm suppression and storm control can suppress storms on an interface. Storm suppression
uses the chip to suppress traffic. Storm suppression has less impact on the device performance than
storm control, which uses software to suppress traffic. For more information about storm
suppression, see "Configuring storm suppression."
Storm control uses a complete polling cycle to collect traffic data, and analyzes the data in the next
cycle. An interface takes one to two polling intervals to take a storm control action.
Restrictions and guidelines
For the traffic suppression result to be determined, do not configure storm control together with storm
suppression for the same type of traffic.
Procedure
1. Enter system view.
system-view
2. (Optional.) Set the statistics polling interval of the storm control module.
storm-constrain interval interval
The default setting is 10 seconds.
For network stability, use the default or set a longer statistics polling interval.
3. Enter Ethernet interface view.
interface interface-type interface-number
4. Enable storm control, and set the lower and upper thresholds for broadcast, multicast, or
unknown unicast traffic.

18
 storm-constrain { broadcast | multicast | unicast } { pps | kbps |
ratio } upperlimit lowerlimit
By default, storm control is disabled.
5. Set the control action to take when monitored traffic exceeds the upper threshold.
storm-constrain control { block | shutdown }
By default, storm control is disabled.
6. Enable the Ethernet interface to output log messages when it detects storm control threshold
events.
storm-constrain enable log
By default, the Ethernet interface outputs log messages when monitored traffic exceeds the
upper threshold or drops below the lower threshold from a value above the upper threshold.
7. Enable the Ethernet interface to send storm control threshold event traps.
storm-constrain enable trap
By default, the Ethernet interface sends traps when monitored traffic exceeds the upper
threshold or drops below the lower threshold from the upper threshold from a value above the
upper threshold.

Testing the cable connection of an Ethernet interface

IMPORTANT:
If the link of an Ethernet interface is up, testing its cable connection will cause the link to go down
and then come up.

About this task

This feature tests the cable connection of an Ethernet interface and displays cable test result within 5
seconds. The test result includes the cable's status and some physical parameters. If any fault is
detected, the test result shows the length from the local port to the faulty point.
Restrictions and guidelines
Fiber ports do not support this feature.
Procedure
1. Enter system view.
system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Perform a test for the cable connected to the Ethernet interface.
virtual-cable-test

Enabling bridging on an Ethernet interface

About this task
By default, the device drops packets whose outgoing interface and incoming interface are the same.
To enable the device to forward such packets rather than drop them, enable the bridging feature in
Ethernet interface view.
Procedure
1. Enter system view.

19
 system-view
2. Enter Ethernet interface view.
interface interface-type interface-number
3. Enable bridging on the Ethernet interface.
port bridge enable
By default, bridging is disabled on an Ethernet interface.

Configuring Layer 3 forwarding on a Layer 2 Ethernet

interface
About this task
This feature enables a Layer 2 Ethernet interface to deliver a packet of which the destination MAC
address is its own MAC address to the CPU for Layer 3 forwarding. If this feature is disabled, a Layer
2 Ethernet interface floods such a packet in the VLAN to which the packet belongs instead of
delivering the packet to the CPU.
On a network where a firewall is attached to the device for transparent packet inspection, disable this
feature on Layer 2 Ethernet interfaces on the device. In this way, the device will forward Layer 3
packets to the firewall for packet inspection and the firewall forwards only packets that pass packet
inspection back to the device for further forwarding.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Enable Layer 3 forwarding on the interface.
port ip-forwarding enable
By default, Layer 3 forwarding is enabled on an interface.

Configuring a Layer 3 Ethernet interface or

subinterface
Setting the MTU for an Ethernet interface or subinterface
Restrictions and guidelines
The maximum transmission unit (MTU) of an Ethernet interface affects the fragmentation and
reassembly of IP packets on the interface. Typically, you do not need to modify the MTU of an
interface.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type { interface-number |
interface-number.subnumber }
3. Set the MTU for the interface.

20
 mtu size
The default setting is 1500 bytes.

Display and maintenance commands for Ethernet

interfaces
Execute display commands in any view and reset commands in user view.

Task Command
display counters { inbound | outbound }
Display interface traffic statistics. interface [ interface-type
[ interface-number ] ]

Display traffic rate statistics of interfaces display counters rate { inbound |

in up state over the last statistics polling outbound } interface [ interface-type
interval. [ interface-number ] ]
display ethernet statistics slot
Display the Ethernet module statistics.
slot-number
display interface [ interface-type
Display the operational and status [ interface-number |
information of the specified interfaces. interface-number.subnumber ] ] [ brief
[ description | down ] ]
Display information about link flapping display link-flap protection [ interface
protection on interfaces. interface-type [ interface-number ] ]
display storm-constrain [ broadcast |
Display information about storm control
multicast | unicast ] [ interface
on the specified interfaces.
interface-type interface-number ]
reset counters interface [ interface-type
Clear interface statistics. [ interface-number |
interface-number.subnumber ] ]
reset ethernet statistics [ slot
Clear the Ethernet module statistics.
slot-number ]
Display the status and packet statistics of
display interface link-info [ main ]
interfaces.
Display the operational and status display interface [ interface-type ] [ brief
information of interfaces except
subinterfaces.
[ description | down ] ] main

21
22
Configuring loopback, null, and
inloopback interfaces
This chapter describes how to configure a loopback interface, a null interface, and an inloopback
interface.

About loopback, null, and inloopback interfaces

About loopback interfaces
A loopback interface is a virtual interface. The physical layer state of a loopback interface is always
up unless the loopback interface is manually shut down. Because of this benefit, loopback interfaces
are widely used in the following scenarios:
• Configuring a loopback interface address as the source address of the IP packets that
the device generates—Because loopback interface addresses are stable unicast addresses,
they are usually used as device identifications.
When you configure a rule on an authentication or security server, you can configure it to permit
or deny packets carrying the loopback interface address of a device. This simplifies your
configuration and achieves the effect of permitting or denying packets that the device generates.
To use a loopback interface address as the source address of IP packets, make sure the
loopback interface is reachable from the peer by performing routing configuration. All data
packets sent to the loopback interface are considered packets sent to the device itself, so the
device does not forward these packets.
• Using a loopback interface in dynamic routing protocols—With no router ID configured for
a dynamic routing protocol, the system selects the highest loopback interface IP address as the
router ID. In BGP, to avoid interruption of BGP sessions due to physical port failure, you can use
a loopback interface as the source interface of BGP packets.

About null interfaces

A null interface is a virtual interface and is always up, but you cannot use it to forward data packets or
configure it with an IP address or link layer protocol. The null interface provides a simpler way to filter
packets than ACL. You can filter undesired traffic by transmitting it to a null interface instead of
applying an ACL. For example, if you specify a null interface as the next hop of a static route to a
network segment, any packets routed to the network segment are dropped.

About inloopback interfaces

An inloopback interface is a virtual interface created by the system, which cannot be configured or
deleted. The physical layer and link layer protocol states of an inloopback interface are always up. All
IP packets sent to an inloopback interface are considered packets sent to the device itself and are
not forwarded.

Configuring a loopback interface

1. Enter system view.
system-view
2. Create a loopback interface and enter loopback interface view.

23
 interface loopback interface-number
3. Configure the interface description.
description text
The default setting is interface name Interface (for example, LoopBack1 Interface).
4. Configure the expected bandwidth of the loopback interface.
bandwidth bandwidth-value
By default, the expected bandwidth of a loopback interface is 0 kbps.
5. Bring up the loopback interface.
undo shutdown
By default, a loopback interface is up.

Configuring a null interface

1. Enter system view.
system-view
2. Enter null interface view.
interface null 0
Interface Null 0 is the default null interface on the device and cannot be manually created or
removed.
Only one null interface, Null 0, is supported on the device. The null interface number is always
0.
3. Configure the interface description.
description text
The default setting is NULL0 Interface.

Restoring the default settings for an interface

Restrictions and guidelines

CAUTION:
This feature might interrupt ongoing network services. Make sure you are fully aware of the impact of
this feature when you use it on a live network.

This feature might fail to restore the default settings for some commands because of command
dependencies or system restrictions. You can use the display this command in interface view to
check for these commands and perform their undo forms or follow the command reference to
restore their default settings. If your restoration attempt still fails, follow the error message to resolve
the problem.
Procedure
1. Enter system view.
system-view
2. Enter loopback interface view or null interface view.
 interface loopback interface-number
 interface null 0
3. Restore the default settings for the interface.
default

24
Display and maintenance commands for loopback,
null, and inloopback interfaces
Execute display commands in any view and reset commands in user view.

Task Command
Display information about the inloopback display interface [ inloopback [ 0 ] ]
interface. [ brief [ description | down ] ]
display interface [ loopback
Display information about the specified or all
[ interface-number ] ] [ brief
loopback interfaces.
[ description | down ] ]
display interface [ null [ 0 ] ] [ brief
Display information about the null interface.
[ description | down ] ]
Clear the statistics on the specified or all reset counters interface [ loopback
loopback interfaces. [ interface-number ] ]
Clear the statistics on the null interface. reset counters interface [ null [ 0 ] ]

25
Bulk configuring interfaces
About interface bulk configuration
You can enter interface range view to bulk configure multiple interfaces with the same feature
instead of configuring them one by one. For example, you can execute the shutdown command in
interface range view to shut down a range of interfaces.
To configure interfaces in bulk, you must configure an interface range and enter its view by using the
interface range or interface range name command.
The interface range created by using the interface range command is not saved to the running
configuration. You cannot use the interface range repeatedly. To create an interface range that can
be used repeatedly, use the interface range name command.

Restrictions and guidelines: Bulk interface

configuration
When you bulk configure interfaces in interface range view, follow these restrictions and guidelines:
• In interface range view, only the commands supported by the first interface in the specified
interface list (alphabetically sorted) are available for configuration.
• Before you configure an interface as the first interface in an interface range, make sure you can
enter the view of the interface by using the interface interface-type
{ interface-number | interface-number.subnumber } command.
• Do not assign both an aggregate interface and any of its member interfaces to an interface
range. Some commands, after being executed on both an aggregate interface and its member
interfaces, can break up the aggregation.
• Understand that the more interfaces you specify, the longer the command execution time.
• To guarantee bulk interface configuration performance, configure fewer than 1000 interface
range names.
The device does not output prompt or alarm messages during the bulk interface configuration
process. Make sure you are fully aware of the impacts of the bulk interface configuration.
• After a command is executed in interface range view, one of the following situations might
occur:
 The system displays an error message and stays in interface range view. This means that
the execution failed on one or multiple member interfaces.
− If the execution failed on the first member interface, the command is not executed on
any member interfaces.
− If the execution failed on a non-first member interface, the command takes effect on the
remaining member interfaces.
 The system returns to system view. This means that:
− The command is supported in both system view and interface view.
− The execution failed on a member interface in interface range view and succeeded in
system view.
− The command is not executed on the subsequent member interfaces.

26
 You can use the display this command to verify the configuration in interface view of
each member interface. In addition, if the configuration in system view is not needed, use
the undo form of the command to remove the configuration.

Procedure
1. Enter system view.
system-view
2. Create an interface range and enter interface range view.
 Create an interface range without specifying a name.
interface range { interface-type interface-number [ to
interface-type interface-number ] } &<1-24>
 Create a named interface range.
interface range name name [ interface { interface-type
interface-number [ to interface-type interface-number ] } &<1-24> ]
3. (Optional.) Display commands available for the first interface in the interface range.
Enter a question mark (?) at the interface range prompt.
4. Use available commands to configure the interfaces.
Available commands depend on the interface.
5. (Optional.) Verify the configuration.
display this

Display and maintenance commands for bulk

interface configuration
Execute the display command in any view.

Task Command
Display information about the interface ranges
display interface range [ name
created by using the interface range name
name ]
command.

27
Configuring the MAC address table
About the MAC address table
An Ethernet device uses a MAC address table to forward frames. A MAC address entry includes a
destination MAC address, an outgoing interface, and a VLAN ID. When the device receives a frame,
it uses the destination MAC address of the frame to look for a match in the MAC address table.
• The device forwards the frame out of the outgoing interface in the matching entry if a match is
found.
• The device floods the frame in the VLAN of the frame if no match is found.

How a MAC address entry is created

The entries in the MAC address table include entries automatically learned by the device and entries
manually added.
MAC address learning
The device can automatically populate its MAC address table by learning the source MAC addresses
of incoming frames on each interface.
The device performs the following operations to learn the source MAC address of incoming packets:
1. Checks the source MAC address (for example, MAC-SOURCE) of the frame.
2. Looks up the source MAC address in the MAC address table.
 The device updates the entry if an entry is found.
 The device adds an entry for MAC-SOURCE and the incoming port if no entry is found.
When the device receives a frame destined for MAC-SOURCE after learning this source MAC
address, the device performs the following operations:
3. Finds the MAC-SOURCE entry in the MAC address table.
4. Forwards the frame out of the port in the entry.
The device performs the learning process for each incoming frame with an unknown source MAC
address until the table is fully populated.
Manually configuring MAC address entries
Dynamic MAC address learning does not distinguish between illegitimate and legitimate frames,
which can invite security hazards. When Host A is connected to Port A, a MAC address entry will be
learned for the MAC address of Host A (for example, MAC A). When an illegal user sends frames
with MAC A as the source MAC address to Port B, the device performs the following operations:
1. Learns a new MAC address entry with Port B as the outgoing interface and overwrites the old
entry for MAC A.
2. Forwards frames destined for MAC A out of Port B to the illegal user.
As a result, the illegal user obtains the data of Host A. To improve the security for Host A, manually
configure a static entry to bind Host A to Port A. Then, the frames destined for Host A are always sent
out of Port A. Other hosts using the forged MAC address of Host A cannot obtain the frames destined
for Host A.

Types of MAC address entries

A MAC address table can contain the following types of entries:

28
 • Static entries—A static entry is manually added to forward frames with a specific destination
MAC address out of the associated interface, and it never ages out. A static entry has higher
priority than a dynamically learned one.
• Dynamic entries—A dynamic entry can be manually configured or dynamically learned to
forward frames with a specific destination MAC address out of the associated interface. A
dynamic entry might age out. A manually configured dynamic entry has the same priority as a
dynamically learned one.
• Blackhole entries—A blackhole entry is manually configured and never ages out. A blackhole
entry is configured for filtering out frames with a specific source or destination MAC address.
For example, to block all frames destined for or sourced from a user, you can configure the
MAC address of the user as a blackhole MAC address entry. A blackhole entry has higher
priority than a dynamically learned one.
• Multiport unicast entries—A multiport unicast entry is manually added to send frames with a
specific unicast destination MAC address out of multiple ports, and it never ages out. A multiport
unicast entry has higher priority than a dynamically learned one.
A static or blackhole MAC address entry can overwrite a dynamic MAC address entry. A dynamic
MAC address entry cannot overwrite a static, blackhole, or multiport unicast MAC address entry. A
static entry, a blackhole entry, and a multiport unicast entry cannot overwrite one another.
A multiport unicast MAC address entry does not affect learning the corresponding dynamic MAC
address entry. For the same MAC address, a multiport unicast MAC address entry and a dynamic
MAC address entry can coexist, and the multiport unicast MAC address takes priority.
This document does not cover the configuration of static multicast MAC address entries. For more
information about configuring static multicast MAC address entries, see IGMP snooping in IP
Multicast Configuration Guide.

MAC address table tasks at a glance

All MAC address table configuration tasks are optional.
To configure the MAC address table, perform the following tasks:
• Configuring MAC address entries
 Adding or modifying a static or dynamic MAC address entry
 Adding or modifying a blackhole MAC address entry
 Adding or modifying a multiport unicast MAC address entry
• Setting the aging timer for dynamic MAC address entries
• Configuring MAC address learning
 Disabling MAC address learning
 Setting the MAC learning limit
 Configuring the unknown frame forwarding rule after the MAC learning limit is reached
 Assigning MAC learning priority to interfaces
• Enabling MAC address synchronization
• Configuring MAC address move notifications and suppression
• Enabling ARP fast update for MAC address moves
• Disabling static source check
• Enabling SNMP notifications for the MAC address table

29
Configuring MAC address entries
About MAC address entry-based frame forwarding
A frame whose source MAC address matches different types of MAC address entries is processed
differently.

Type Description
Forwards the frame according to the destination MAC address regardless of
Static MAC address entry
whether the frame's ingress interface is the same as that in the entry.
Learns the source MAC address of the frame, generates a dynamic MAC
Multiport unicast MAC address entry for that MAC address, and forwards the frame. The multiport
address entry unicast MAC address entry has higher priority than the dynamic MAC address
entry in traffic forwarding.

Blackhole MAC address

Drops the frame.
entry
• Learns the MAC address of the frames received on a different interface
Dynamic MAC address from that in the entry and overwrites the original entry.
entry • Forwards the frame received on the same interface as that in the entry
and updates the aging timer for the entry.

Restrictions and guidelines for MAC address entry

configuration
A manually configured dynamic MAC address entry will overwrite a learned entry that already exists
with a different outgoing interface for the MAC address.
The manually configured static, blackhole, and multiport unicast MAC address entries cannot survive
a reboot if you do not save the configuration. The manually configured dynamic MAC address entries
are lost upon reboot whether or not you save the configuration.
You cannot configure the reserved MAC addresses of the device as static, dynamic, blackhole, or
multiport unicast MAC addresses. Reserved MAC addresses of the device are addresses from the
bridge MAC address of the device to the bridge MAC address plus 103. For more information about
the bridge MAC address, see IRF configuration in Virtual Technologies Configuration Guide.

Prerequisites for MAC address entry configuration

Before manually configuring a MAC address entry for an interface, make sure the VLAN in the entry
has been created.

Adding or modifying a static or dynamic MAC address entry

Adding or modifying a static or dynamic MAC address entry globally
1. Enter system view.
system-view
2. Add or modify a static or dynamic MAC address entry.
mac-address { dynamic | static } mac-address interface interface-type
interface-number vlan vlan-id

30
 By default, no MAC address entry is configured globally.
Make sure you have assigned the interface to the VLAN.
Adding or modifying a static or dynamic MAC address entry on an interface
1. Enter system view.
system-view
2. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Add or modify a static or dynamic MAC address entry.
mac-address { dynamic | static } mac-address vlan vlan-id
By default, no MAC address entry is configured on an interface.
Make sure you have assigned the interface to the VLAN.

Adding or modifying a blackhole MAC address entry

1. Enter system view.
system-view
2. Add or modify a blackhole MAC address entry.
mac-address blackhole mac-address vlan vlan-id
By default, no blackhole MAC address entry is configured.

Adding or modifying a multiport unicast MAC address entry

About this task
You can configure a multiport unicast MAC address entry to associate a unicast destination MAC
address with multiple ports. The frame with a destination MAC address matching the entry is sent out
of multiple ports.
For example, in NLB unicast mode (see Figure 4):
• All servers within a cluster uses the cluster's MAC address as their own address.
• Frames destined for the cluster are forwarded to every server in the group.
In this case, you can configure a multiport unicast MAC address entry on the device connected to the
server group. Then, the device forwards the frame destined for the server group to every server
through all ports connected to the servers within the cluster.

31
 Figure 4 NLB cluster

Device

NLB cluster

You can configure a multiport unicast MAC address entry globally or on an interface.
Configuring a multiport unicast MAC address entry globally
1. Enter system view.
system-view
2. Add or modify a multiport unicast MAC address entry.
mac-address multiport mac-address interface interface-list vlan
vlan-id
By default, no multiport unicast MAC address entry is configured globally.
Make sure you have assigned the interface to the VLAN.
Configuring a multiport unicast MAC address entry on an interface
1. Enter system view.
system-view
2. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Add the interface to a multiport unicast MAC address entry.
mac-address multiport mac-address vlan vlan-id
By default, no multiport unicast MAC address entry is configured on an interface.
Make sure you have assigned the interface to the VLAN.

Adding or modifying a multiport unicast MAC address entry

for VXLAN
About this task
VXLAN has local and remote MAC addresses. A local MAC address is the MAC address of a VM in
the local site. A remote MAC address is the MAC address of a VM in a remote site.
To send frames destined for a local or remote MAC address out of multiple ports, configure a
multiport unicast MAC address entry. For more information about VXLAN, see VXLAN Configuration
Guide.

32
Restrictions and guidelines
Do not specify the tunnel interfaces automatically created by using EVPN as outgoing interfaces for
a remote multiport unicast MAC address entry. If you do so, the numbers of these tunnel interfaces
might change during tunnel re-establishment, and the related entries cannot be restored as a result.
For more information about EVPN, see EVPN Configuration Guide.
In an EVPN network, you cannot configure the same multiport unicast MAC address entry on
multiple leaf nodes or VTEPs. When configured with EVPN multihoming or EVPN distributed relay, a
VTEP does not support synchronization of multiport unicast MAC address entries. For more
information about EVPN, see EVPN Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Add or modify a multiport unicast MAC address entry for VXLAN.
 Add or modify a local multiport unicast MAC address entry.
mac-address multiport mac-address { interface { interface-type
interface-number service-instance instance-id }&<1-4> } vsi
vsi-name
For successful configuration, make sure the specified Ethernet service instances have been
mapped to the specified VSI.
 Add or modify a remote multiport unicast MAC address entry.
mac-address multiport mac-address { interface { tunnel
tunnel-number1 [ to tunnel tunnel-number2 ] }&<1-4> } vsi vsi-name
For successful configuration, make sure the specified VXLAN tunnel interfaces have been
associated with the specified VSI.

Setting the aging timer for dynamic MAC address

entries
About this task
For security and efficient use of table space, the MAC address table uses an aging timer for each
dynamic MAC address entry. If a dynamic MAC address entry is not updated before the aging timer
expires, the device deletes the entry. This aging mechanism ensures that the MAC address table can
promptly update to accommodate latest network topology changes.
A stable network requires a longer aging interval, and an unstable network requires a shorter aging
interval.
An aging interval that is too long might cause the MAC address table to retain outdated entries. As a
result, the MAC address table resources might be exhausted, and the MAC address table might fail
to update its entries to accommodate the latest network changes.
An interval that is too short might result in removal of valid entries, which would cause unnecessary
floods and possibly affect the device performance.
To reduce floods on a stable network, set a long aging timer or disable the timer to prevent dynamic
entries from unnecessarily aging out. Reducing floods improves the network performance. Reducing
flooding also improves the security because it reduces the chances for a data frame to reach
unintended destinations.
Procedure
1. Enter system view.
system-view

33
 2. Set the aging timer for dynamic MAC address entries.
mac-address timer { aging seconds | no-aging }
By default, the aging timer is 300 seconds for dynamic MAC address entries.

Disabling MAC address learning

About disabling MAC address learning
MAC address learning is enabled by default. To prevent the MAC address table from being saturated
when the device is experiencing attacks, disable MAC address learning. For example, you can
disable MAC address learning to prevent the device from being attacked by a large amount of frames
with different source MAC addresses.
After MAC address learning is disabled, the device immediately deletes existing dynamic MAC
address entries.

Disabling global MAC address learning

Restrictions and guidelines
After you disable global MAC address learning, the device cannot learn MAC addresses on any
interfaces.
Global MAC address learning does not take effect on VXLAN VSIs. For information about VXLAN
VSIs, see VXLAN Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Disable global MAC address learning.
undo mac-address mac-learning enable
By default, global MAC address learning is enabled.

Disabling MAC address learning on an interface

About this task
When global MAC address learning is enabled, you can disable MAC address learning on a single
interface.
Restrictions and guidelines
The mac-address mac-learning enable command and its undo form do not take effect on
a Layer 2 aggregate interface acting as an IPP, because MAC address learning is always disabled
on that interface. For more information about IPPs, see "Configuring DRNI."
Procedure
1. Enter system view.
system-view
2. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
 Enter Layer 2 aggregate interface view.

34
 interface bridge-aggregation interface-number
3. Disable MAC address learning on the interface.
undo mac-address mac-learning enable
By default, MAC address learning is enabled on an interface.

Disabling MAC address learning on a VLAN

About this task
When global MAC address learning is enabled, you can disable MAC address learning on a
per-VLAN basis.
Procedure
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Disable MAC address learning on the VLAN.
undo mac-address mac-learning enable
By default, MAC address learning on the VLAN is enabled.

Setting the MAC learning limit

About this task
This feature limits the MAC address table size. A large MAC address table will degrade forwarding
performance.
Restrictions and guidelines
The MAC learning limit does not control the number of MAC addresses learned in voice VLANs. For
more information, see "Configuring voice VLANs."
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Set the MAC learning limit on the interface.
mac-address max-mac-count count
By default, no MAC learning limit is configured on an interface.

Configuring the unknown frame forwarding rule

after the MAC learning limit is reached
About this task
In this document, unknown frames refer to frames whose source MAC addresses are not in the MAC
address table.
You can enable or disable forwarding of unknown frames after the MAC learning limit is reached.

35
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Configure the device to forward unknown frames received on the interface after the MAC
learning limit on the interface is reached.
mac-address max-mac-count enable-forwarding
By default, the device can forward unknown frames received on an interface after the MAC
learning limit on the interface is reached.

Assigning MAC learning priority to interfaces

About this task
The MAC learning priority mechanism assigns either low priority or high priority to an interface. An
interface with high priority can learn MAC addresses as usual. However, an interface with low priority
is not allowed to learn MAC addresses already learned on a high-priority interface.
The MAC learning priority mechanism can help defend your network against MAC address spoofing
attacks. In a network that performs MAC-based forwarding, an upper layer device MAC address
might be learned by a downlink interface because of a loop or attack to the downlink interface. To
avoid this issue, perform the following tasks:
• Assign high MAC learning priority to an uplink interface.
• Assign low MAC learning priority to a downlink interface.
Restrictions and guidelines
In an IRF fabric, this feature takes effect only on interfaces on one IRF member device. An interface
with low MAC learning priority can still learn MAC addresses already learned on a high-priority
interface of a different IRF member device.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Assign MAC learning priority to the interface.
mac-address mac-learning priority { high | low }
By default, low MAC learning priority is used.

Enabling MAC address synchronization

About this task
To avoid unnecessary floods and improve forwarding speed, make sure all member devices have the
same MAC address table. After you enable MAC address synchronization, each member device
advertises learned MAC address entries to other member devices.

36
As shown in Figure 5:
• Device A and Device B form an IRF fabric enabled with MAC address synchronization.
• Device A and Device B connect to AP C and AP D, respectively.
When Client A associates with AP C, Device A learns a MAC address entry for Client A and
advertises it to Device B.
Figure 5 MAC address tables of devices when Client A accesses AP C

MAC address Port MAC address Port

MAC A A1 MAC A A1

IRF
Device A Device B

Port A1 Port B1

AP C AP D

Client A

When Client A roams to AP D, Device B learns a MAC address entry for Client A. Device B
advertises it to Device A to ensure service continuity for Client A, as shown in Figure 6.

37
 Figure 6 MAC address tables of devices when Client A roams to AP D

MAC address Port MAC address Port

MAC A A1 B1 MAC A B1

IRF
Device A Device B

Port A1 Port B1

AP C AP D

Client A

Procedure
1. Enter system view.
system-view
2. Enable MAC address synchronization.
mac-address mac-roaming enable
By default, MAC address synchronization is disabled.

Configuring MAC address move notifications and

suppression
About this task
The outgoing interface for a MAC address entry learned on interface A is changed to interface B
when the following conditions exist:
• Interface B receives a packet with the MAC address as the source MAC address.
• Interface B belongs to the same VLAN as interface A.
In this case, the MAC address is moved from interface A to interface B, and a MAC address move
occurs.
The MAC address move notifications feature enables the device to output MAC address move logs
when MAC address moves are detected.
If a MAC address is continuously moved between the two interfaces, Layer 2 loops might occur. To
detect and locate loops, you can view the MAC address move information. To display the MAC
address move records after the device is started, use the display mac-address mac-move
command.

38
 If the system detects that MAC address moves occur frequently on an interface, you can configure
MAC address move suppression to shut the interface down. The interface automatically goes up
after a suppression interval. Or, you can manually bring up the interface.
Restrictions and guidelines
After you configure MAC address move notifications, the system sends only log messages to the
information center module. If the device is also configured with the snmp-agent trap enable
mac-address command, the system also sends SNMP notifications to the SNMP module.
Procedure
1. Enter system view.
system-view
2. Enable MAC address move notifications and optionally specify a MAC move detection interval.
mac-address notification mac-move [ interval interval ]
By default, MAC address move notifications are disabled.
3. (Optional.) Set MAC address move suppression parameters.
mac-address notification mac-move suppression { interval interval |
threshold threshold }
By default, the suppression interval is 30 seconds, and the suppression threshold is 3.
For the MAC address move suppression parameters to take effect, enable the MAC address
move suppression on a port.
4. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
5. Enable MAC address move suppression.
mac-address notification mac-move suppression
By default, MAC address move suppression is disabled.

Enabling ARP fast update for MAC address

moves
About this task
ARP fast update for MAC address moves allows the device to update an ARP entry immediately after
the outgoing interface for a MAC address changes. This feature ensures data connection without
interruption.
As shown in Figure 7, a mobile user laptop accesses the network by connecting to AP 1 or AP 2.
When the AP to which the user connects changes, the device updates the ARP entry for the user
immediately after it detects a MAC address move.

39
 Figure 7 ARP fast update application scenario
Device

Port A Port B

AP 1 AP 2

Laptop

Procedure
1. Enter system view.
system-view
2. Enable ARP fast update for MAC address moves.
mac-address mac-move fast-update
By default, ARP fast update for MAC address moves is disabled.

Disabling static source check

About this task
By default, the static source check feature is enabled on an interface. The check identifies whether a
received frame meets the following conditions:
• The source MAC address of the frame matches a static MAC address entry.
• The incoming interface of the frame is different from the outgoing interface in the entry.
If the frame meets both conditions, the device drops the frame.
When this feature is disabled, the device does not perform the check for a received frame. It can
forward the frame whether or not the frame meets the conditions.
Procedure
1. Enter system view.
system-view
2. Disable the static source check feature.
undo mac-address static source-check enable
By default, the static source check feature is enabled.

40
Enabling SNMP notifications for the MAC address
table
About this task
To report critical MAC address move events to an NMS, enable SNMP notifications for the MAC
address table. For MAC address move event notifications to be sent correctly, you must also
configure SNMP on the device.
When SNMP notifications are disabled for the MAC address table, the device sends the generated
logs to the information center. To display the logs, configure the log destination and output rule
configuration in the information center.
For more information about SNMP and information center configuration, see the network
management and monitoring configuration guide for the device.
Procedure
1. Enter system view.
system-view
2. Enable SNMP notifications for the MAC address table.
snmp-agent trap enable mac-address [ mac-move ]
By default, SNMP notifications are enabled for the MAC address table.
When SNMP notifications are disabled for the MAC address table, syslog messages are sent to
notify important events on the MAC address table module.

Display and maintenance commands for MAC

address table
Execute display commands in any view.

Task Command
display mac-address [ mac-address [ vlan
vlan-id ] | [ [ dynamic | static ] [ interface
Display MAC address table
interface-type interface-number ] |
information.
blackhole | multiport ] [ vlan vlan-id ]
[ count ] ]
Display the aging timer for dynamic
display mac-address aging-time
MAC address entries.

Display the system or interface MAC display mac-address mac-learning

address learning state. [ interface interface-type interface-number ]
Display the MAC address move display mac-address mac-move [ slot
records. slot-number]
Display MAC address statistics. display mac-address statistics

41
MAC address table configuration examples
Example: Configuring the MAC address table
Network configuration
As shown in Figure 8:
• Host A at MAC address 000f-e235-dc71 is connected to GigabitEthernet 1/0/1 of Device and
belongs to VLAN 1.
• Host B at MAC address 000f-e235-abcd, which behaved suspiciously on the network, also
belongs to VLAN 1.
Configure the MAC address table as follows:
• To prevent MAC address spoofing, add a static entry for Host A in the MAC address table of
Device.
• To drop all frames destined for Host B, add a blackhole MAC address entry for Host B.
• Set the aging timer to 500 seconds for dynamic MAC address entries.
Figure 8 Network diagram

GE1/0/1

Host A Device Host B

000f-e235-dc71 000f-e235-abcd

Procedure
# Add a static MAC address entry for MAC address 000f-e235-dc71 on GigabitEthernet 1/0/1 that
belongs to VLAN 1.
<Device> system-view
[Device] mac-address static 000f-e235-dc71 interface gigabitethernet 1/0/1 vlan 1

# Add a blackhole MAC address entry for MAC address 000f-e235-abcd that belongs to VLAN 1.
[Device] mac-address blackhole 000f-e235-abcd vlan 1

# Set the aging timer to 500 seconds for dynamic MAC address entries.
[Device] mac-address timer aging 500

Verifying the configuration

# Display the static MAC address entries for GigabitEthernet 1/0/1.
[Device] display mac-address static interface gigabitethernet 1/0/1
MAC Address VLAN ID State Port/Nickname Aging
000f-e235-dc71 1 Static GE1/0/1 N

# Display the blackhole MAC address entries.

[Device] display mac-address blackhole
MAC Address VLAN ID State Port/Nickname Aging
000f-e235-abcd 1 Blackhole N/A N

# Display the aging time of dynamic MAC address entries.

[Device] display mac-address aging-time
MAC address aging time: 500s.

42
Configuring MAC Information
About MAC Information
The MAC Information feature can generate syslog messages or SNMP notifications when MAC
address entries are learned or deleted. You can use these messages to monitor user's leaving or
joining the network and analyze network traffic.
The MAC Information feature buffers the MAC change syslog messages or SNMP notifications in a
queue. The device overwrites the oldest MAC address change written into the queue with the most
recent MAC address change when the following conditions exist:
• The MAC change notification interval does not expire.
• The queue has been exhausted.
To send a syslog message or SNMP notification immediately after it is created, set the queue length
to zero.

Enabling MAC Information

Restrictions and guidelines
For MAC Information to take effect, you must enable MAC Information both globally and on
interfaces.
Procedure
1. Enter system view.
system-view
2. Enable MAC Information globally.
mac-address information enable
By default, MAC Information is globally disabled.
3. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
4. Enable MAC Information on the interface.
mac-address information enable { added | deleted }
By default, MAC Information is disabled on an interface.

Configuring the MAC Information mode

About this task
The following MAC Information modes are available for sending MAC address changes:
• Syslog—The device sends syslog messages to notify MAC address changes. The device
sends syslog messages to the information center, which then outputs them to the monitoring
terminal. For more information about information center, see Network Management and
Monitoring Configuration Guide.
• Trap—The device sends SNMP notifications to notify MAC address changes. The device sends
SNMP notifications to the NMS. For more information about SNMP, see Network Management
and Monitoring Configuration Guide.

43
Procedure
1. Enter system view.
system-view
2. Configure the MAC Information mode.
mac-address information mode { syslog | trap }
The default setting is trap.

Setting the MAC change notification interval

About this task
To prevent syslog messages or SNMP notifications from being sent too frequently, you can set the
MAC change notification interval to a larger value.
Procedure
1. Enter system view.
system-view
2. Set the MAC change notification interval.
mac-address information interval interval
The default setting is 1 second.

Setting the MAC Information queue length

About this task
If the MAC Information queue length is 0, the device sends a syslog message or SNMP notification
immediately after learning or deleting a MAC address.
If the MAC Information queue length is not 0, the device stores MAC changes in the queue:
• The device overwrites the oldest MAC change written into the queue with the most recent MAC
change when the following conditions exist:
 The MAC change notification interval does not expire.
 The queue has been exhausted.
• The device sends syslog messages or SNMP notifications only if the MAC change notification
interval expires.
Procedure
1. Enter system view.
system-view
2. Set the MAC Information queue length.
mac-address information queue-length value
The default setting is 50.

44
MAC Information configuration examples
Example: Configuring MAC Information
Network configuration
Enable MAC Information on GigabitEthernet 1/0/1 on Device in Figure 9 to send MAC address
changes in syslog messages to the log host, Host B, through interface GigabitEthernet 1/0/2.
Figure 9 Network diagram
Device

GE1/0/1 GE1/0/3

Host A GE1/0/2
Server
192.168.1.1/24 192.168.1.3/24

Host B
192.168.1.2/24

Restrictions and guidelines

When you edit file /etc/syslog.conf, follow these restrictions and guidelines:
• Comments must be on a separate line and must begin with a pound sign (#).
• No redundant spaces are allowed after the file name.
The logging facility name and the severity level specified in the /etc/syslog.conf file must be the
same as those configured on the device. Otherwise, the log information might not be output correctly
to the log host. The logging facility name and the severity level are configured by using the
info-center loghost and info-center source commands, respectively.
Procedure
1. Configure Device to send syslog messages to Host B:
# Enable the information center.
<Device> system-view
[Device] info-center enable
# Specify the log host 192.168.1.2/24 and specify local4 as the logging facility.
[Device] info-center loghost 192.168.1.2 facility local4
# Disable log output to the log host.
[Device] info-center source default loghost deny
To avoid output of unnecessary information, disable all modules from outputting logs to the
specified destination (loghost, in this example) before you configure an output rule.
# Configure an output rule to output to the log host MAC address logs that have a severity level
no lower than informational.
[Device] info-center source mac loghost level informational
2. Configure the log host, Host B:
Configure Solaris as follows. Configure other UNIX operating systems in the same way Solaris
is configured.
a. Log in to the log host as a root user.
b. Create a subdirectory named Device in directory /var/log/.

45
 # mkdir /var/log/Device
c. Create file info.log in the Device directory to save logs from Device.
# touch /var/log/Device/info.log
d. Edit the file syslog.conf in directory /etc/ and add the following contents:
# Device configuration messages
local4.info /var/log/Device/info.log
In this configuration, local4 is the name of the logging facility that the log host uses to
receive logs, and info is the informational level. The UNIX system records the log
information that has a severity level no lower than informational to file
/var/log/Device/info.log.
e. Display the process ID of syslogd, end the syslogd process, and then restart syslogd
using the –r option to make the new configuration take effect.
# ps -ae | grep syslogd
147
# kill -HUP 147
# syslogd -r &
The device can output MAC address logs to the log host, which stores the logs to the specified
file.
3. Enable MAC Information on Device:
# Enable MAC Information globally.
[Device] mac-address information enable
# Configure the MAC Information mode as syslog.
[Device] mac-address information mode syslog
# Enable MAC Information on GigabitEthernet 1/0/1 to enable the port to record MAC address
change information when the interface performs either of the following operations:
 Learns a new MAC address.
 Deletes an existing MAC address.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] mac-address information enable added
[Device-GigabitEthernet1/0/1] mac-address information enable deleted
[Device-GigabitEthernet1/0/1] quit
# Set the MAC Information queue length to 100.
[Device] mac-address information queue-length 100
# Set the MAC change notification interval to 20 seconds.
[Device] mac-address information interval 20

46
Configuring Ethernet link aggregation
About Ethernet link aggregation
Ethernet link aggregation bundles multiple physical Ethernet links into one logical link (called an
aggregate link). Link aggregation provides the following benefits:
• Increased bandwidth beyond the limits of a single individual link. In an aggregate link, traffic is
distributed across the member ports.
• Improved link reliability. The member ports dynamically back up one another. When a member
port fails, its traffic is automatically switched to other member ports.

Ethernet link aggregation application scenario

As shown in Figure 10, Device A and Device B are connected by three physical Ethernet links. These
physical Ethernet links are combined into an aggregate link called link aggregation 1. The bandwidth
of this aggregate link can reach up to the total bandwidth of the three physical Ethernet links. At the
same time, the three Ethernet links back up one another. When a physical Ethernet link fails, the
traffic transmitted on the failed link is switched to the other two links.
Figure 10 Ethernet link aggregation diagram
Port A1 Port B1
Port A2 Port B2
Link aggregation 1
Port A3 Port B3

Device A Device B

Aggregate interface, aggregation group, and member port

Each link aggregation is represented by a logical aggregate interface. Each aggregate interface has
an automatically created aggregation group, which contains member ports to be used for
aggregation. The type and number of an aggregation group are the same as its aggregate interface.
Supported aggregate interface types
An aggregate interface can be one of the following types:
• Layer 2—A Layer 2 aggregate interface is created manually. The member ports in a Layer 2
aggregation group can only be Layer 2 Ethernet interfaces.
• Layer 3—A Layer 3 aggregate interface is created manually. The member ports in its Layer 3
aggregation group can only be Layer 3 Ethernet interfaces.
On a Layer 3 aggregate interface, you can create subinterfaces. A Layer 3 aggregate
subinterface processes traffic only for the VLAN numbered with the same ID as the subinterface
number.
The port rate of an aggregate interface equals the total rate of its Selected member ports. Its duplex
mode is the same as that of the Selected member ports. For more information about Selected
member ports, see "Aggregation states of member ports in an aggregation group."
Aggregation states of member ports in an aggregation group
A member port in an aggregation group can be in any of the following aggregation states:
• Selected—A Selected port can forward traffic.
• Unselected—An Unselected port cannot forward traffic.

47
 • Individual—An Individual port can forward traffic as a normal physical port. This state is
peculiar to the member ports of edge aggregate interfaces. A Selected or Unselected member
port of an edge aggregate interface is placed in Individual state if the following events occur in
sequence:
a. The member port goes down and then comes up.
b. The LACP timeout timer expires because it has not received LACPDUs.
For more information about edge aggregate interfaces, see "Edge aggregate interface."

Operational key
When aggregating ports, the system automatically assigns each port an operational key based on
port information, such as port rate and duplex mode. Any change to this information triggers a
recalculation of the operational key.
In an aggregation group, all Selected ports have the same operational key.

Configuration types
Port configuration includes the attribute configuration and protocol configuration. Attribute
configuration affects the aggregation state of the port but the protocol configuration does not.
Attribute configuration
To become a Selected port, a member port must have the same attribute configuration as the
aggregate interface. Table 1 describes the attribute configuration.
Table 1 Attribute configuration

Feature Attribute configuration

Membership of the port in an isolation group.
Port isolation
Isolation group number.
QinQ status (enabled/disabled), TPID for VLAN tags, and VLAN transparent
QinQ
transmission. For information about QinQ, see "Configuring QinQ."

VLAN mapping configured on the port. For more information about VLAN
VLAN mapping
mapping, see "Configuring VLAN mapping."

VLAN attribute settings:

• Permitted VLAN IDs.
• PVID.
• Link type (trunk, hybrid, or access).
• PVLAN port type (promiscuous, trunk promiscuous, host, or trunk
VLAN secondary).
• IP subnet-based VLAN configuration.
• Protocol-based VLAN configuration.
• VLAN tagging mode.
For information about VLANs, see "Configuring VLANs."

Protocol configuration
Protocol configuration of a member port does not affect the aggregation state of the member port.
MAC address learning and spanning tree settings are examples of the protocol configuration.

Link aggregation modes

An aggregation group operates in one of the following modes:

48
 • Static—Static aggregation is stable. An aggregation group in static mode is called a static
aggregation group. The aggregation states of the member ports in a static aggregation group
are not affected by the peer ports.
• Dynamic—An aggregation group in dynamic mode is called a dynamic aggregation group.
Dynamic aggregation is implemented through IEEE 802.3ad Link Aggregation Control Protocol
(LACP). The local system and the peer system automatically maintain the aggregation states of
the member ports. Dynamic link aggregation reduces the administrators' workload.

How static link aggregation works

Reference port selection process
When setting the aggregation states of the ports in an aggregation group, the system automatically
chooses a member port as the reference port. A Selected port must have the same operational key
and attribute configurations as the reference port.
The system chooses a reference port from the member ports in up state.
The candidate reference ports are organized into different priority levels following these rules:
1. In descending order of port priority.
2. Full duplex.
3. In descending order of speed.
4. Half duplex.
5. In descending order of speed.
From the candidate ports with the same attribute configurations as the aggregate interface, the one
with the highest priority level is chosen as the reference port.
• If multiple ports have the same priority level, the port that has been Selected (if any) is chosen.
If multiple ports with the same priority level have been Selected, the one with the smallest port
number is chosen.
• If multiple ports have the same priority level and none of them has been Selected, the port with
the smallest port number is chosen.
Setting the aggregation state of each member port
After the reference port is chosen, the system sets the aggregation state of each member port in the
static aggregation group.

49
 Figure 11 Setting the aggregation state of a member port in a static aggregation group

Set the aggregation state of a member port

Yes
Is there any hardware restriction?

No

No
Is the port up？

Yes

Operational No
key/attribute configuration same as the
reference port?

Yes

More Selected ports than max. Yes

number of Selected ports?

No

Set the port to the

Set the port to the Selected state
Unselected state

After the limit on Selected ports is reached, the aggregation state of a new member port varies by
following conditions:
• The port is placed in Unselected state if the port and the Selected ports have the same port
priority. This mechanism prevents traffic interruption on the existing Selected ports. A device
reboot can cause the device to recalculate the aggregation states of member ports.
• The port is placed in Selected state when the following conditions are met:
 The port and the Selected ports have different port priorities, and the port has a higher port
priority than a minimum of one Selected port.
 The port has the same attribute configurations as the aggregate interface.
Any operational key or attribute configuration change might affect the aggregation states of link
aggregation member ports.

Dynamic link aggregation

About LACP
Dynamic aggregation is implemented through IEEE 802.3ad Link Aggregation Control Protocol
(LACP).
LACP uses LACPDUs to exchange aggregation information between LACP-enabled devices. Each
member port in a dynamic aggregation group can exchange information with its peer. When a
member port receives an LACPDU, it compares the received information with information received

50
 on the other member ports. In this way, the two systems reach an agreement on which ports are
placed in Selected state.
LACP functions
LACP offers basic LACP functions and extended LACP functions, as described in Table 2.
Table 2 Basic and extended LACP functions

Category Description
Implemented through the basic LACPDU fields, including the LACP system
Basic LACP functions
priority, system MAC address, port priority, port number, and operational key.
Implemented by extending the LACPDU with new TLV fields. Extended LACP can
implement LACP MAD for the IRF feature. For more information about IRF and the
Extended LACP LACP MAD mechanism, see Virtual Technologies Configuration Guide.
functions
The device can participate in LACP MAD as either an IRF member device or an
intermediate device.

LACP operating modes

LACP can operate in active or passive mode.
When LACP is operating in passive mode on a local member port and its peer port, both ports cannot
send LACPDUs. When LACP is operating in active mode on either end of a link, both ports can send
LACPDUs.
LACP priorities
LACP priorities include LACP system priority and port priority, as described in Table 3. The smaller
the priority value, the higher the priority.
Table 3 LACP priorities

Type Description
Used by two peer devices (or systems) to determine which one is superior in link
aggregation.
LACP system In dynamic link aggregation, the system that has higher LACP system priority sets
priority the Selected state of member ports on its side. The system that has lower priority
sets the aggregation state of local member ports the same as their respective peer
ports.

Determines the likelihood of a member port to be a Selected port on a system. A port

Port priority
with a higher port priority is more likely to become Selected.

LACP timeout interval

The LACP timeout interval specifies how long a member port waits to receive LACPDUs from the
peer port. If a local member port has not received LACPDUs from the peer in 3 seconds after the
LACP timeout interval expires, the member port considers the peer as failed.
The LACP timeout interval also determines the LACPDU sending rate of the peer. LACP timeout
intervals include the following types:
• Short timeout interval—3 seconds. If you use the short timeout interval, the peer sends one
LACPDU per second.
• Long timeout interval—90 seconds. If you use the long timeout interval, the peer sends one
LACPDU every 30 seconds.
Methods to assign interfaces to a dynamic link aggregation group
You can use one of the following methods to assign interfaces to a dynamic link aggregation group:
• Manual assignment—Manually assign interfaces to the dynamic link aggregation group.

51
 • Automatic assignment—Enable automatic assignment on interfaces to have them
automatically join a dynamic link aggregation group depending on the peer information in the
received LACPDUs.

NOTE:
When you use automatic assignment on one end, you must use manual assignment on the
other end.

Alternatively, you can use automatic link aggregation for two devices to automatically create a
dynamic link aggregation between them by using LLDP.
Automatic member port assignment
This feature automates the assignment of aggregation member ports to an aggregation group. You
can use this feature when setting up an aggregate link to a server.
As shown in Figure 12, an interface enabled with automatic assignment joins a dynamic aggregation
group based on the peer information in the LACPDUs received from the aggregation peer. If none of
the existing dynamic aggregation groups is qualified, the device automatically creates a new
dynamic aggregation group, Then, the device assigns the interface to that group and synchronizes
the interface's attribute configurations to the aggregate interface.
A dynamic aggregation group that contains automatically assigned member ports selects a
reference port and Selected ports as described in "How dynamic link aggregation works." The
assignment methods of member ports do not change the processes of reference port selection and
Selected port selection.
Figure 12 Automatic member port assignment process
An interface enabled with
automatic link aggregation
receives LACPDUs

Yes No
Does a preferred aggregation
group exist?

No
Does the reference port have
the same peer information as the
LACPDUs?

Yes
Yes
Does an aggregation
group matching the LACPDUs
exist?
No

Create a dynamic aggregation

Assign the interface to the group based on the peer
aggregation group information in the LACPDUs

Automatic link aggregation

Automatic link aggregation enables two devices to automatically create a dynamic link aggregation
between them by using LLDP.

52
 After you enable automatic link aggregation and LLDP on two connected devices, they automatically
establish a dynamic link aggregation based on the information in incoming LLDP frames. The
devices each automatically create a dynamic aggregate interface and assign the redundant ports
connected to the peer to the aggregation group of that interface. When assigning the first member
port to the aggregate group, the device synchronizes the member port's attribute configuration to the
aggregate interface.
An automatically created dynamic aggregation group selects a reference port and Selected ports as
described in "How dynamic link aggregation works." The aggregation group creation methods do not
change the processes of reference port selection and Selected port selection.

IMPORTANT:
As a best practice to ensure correct operation of dynamic aggregation groups, do not use automatic
link aggregation and automatic member port assignment together.

How dynamic link aggregation works

Choosing a reference port
The system chooses a reference port from the member ports in up state. A Selected port must have
the same operational key and attribute configurations as the reference port.
The local system (the actor) and the peer system (the partner) negotiate a reference port by using
the following workflow:
1. The two systems determine the system with the smaller system ID.
A system ID contains the LACP system priority and the system MAC address.
a. The two systems compare their LACP priority values.
The lower the LACP priority, the smaller the system ID. If the LACP priority values are the
same, the two systems proceed to step b.
b. The two systems compare their MAC addresses.
The lower the MAC address, the smaller the system ID.
2. The system with the smaller system ID chooses the port with the smallest port ID as the
reference port.
A port ID contains a port priority and a port number. The lower the port priority, the smaller the
port ID.
a. The system chooses the port with the lowest priority value as the reference port.
If the ports have the same priority, the system proceeds to step b.
b. The system compares their port numbers.
The smaller the port number, the smaller the port ID.
The port with the smallest port number and the same attribute configurations as the
aggregate interface is chosen as the reference port.

NOTE:
To identify the port numbers of aggregation member ports, execute the display
link-aggregation verbose command and examine the Index field in the command
output.

Setting the aggregation state of each member port

After the reference port is chosen, the system with the smaller system ID sets the state of each
member port on its side.

53
Figure 13 Setting the state of a member port in a dynamic aggregation group

Set the aggregation state of a member port

Yes
Is there any hardware restriction?

No

No
Is the port up？

Yes

Operational No
key/attribute configuration same as the
reference port?

Yes

Operational
key/attribute configuration of the peer No
port same as the peer port of the
reference port?

Yes

Yes Port number No

More Selected ports than max.
as low as to set the port to the
number of Selected ports?
Selected state?

No Yes

Set the port to the

Set the port to the Selected state
Unselected state

The system with the greater system ID can detect the aggregation state changes on the peer system.
The system with the greater system ID sets the aggregation state of local member ports the same as
their peer ports.
When you aggregate interfaces in dynamic mode, follow these guidelines:
• A dynamic link aggregation group chooses only full-duplex ports as the Selected ports.
• For stable aggregation and service continuity, do not change the operational key or attribute
configurations on any member port.
• When a member port changes to the Selected or Unselected state, its peer port changes to the
same aggregation state.
• After the Selected port limit is reached, a newly joining port becomes a Selected port if it is more
eligible than a current Selected port.

54
Edge aggregate interface
Dynamic link aggregation fails on a server-facing aggregate interface if dynamic link aggregation is
configured only on the device. The device forwards traffic by using only one of the physical ports that
are connected to the server.
To improve link reliability, configure the aggregate interface as an edge aggregate interface. This
feature enables all member ports of the aggregation group to forward traffic. When a member port
fails, its traffic is automatically switched to other member ports.
After dynamic link aggregation is configured on the server, the device can receive LACPDUs from
the server. Then, link aggregation between the device and the server operates correctly.
An edge aggregate interface takes effect only when it is configured on an aggregate interface
corresponding to a dynamic aggregation group.

Load sharing modes for link aggregation groups

In a link aggregation group, traffic can be load shared across the Selected ports based on any of the
following modes:
• Per-flow load sharing—Distributes traffic on a per-flow basis. The load sharing mode
classifies packets into flows and forwards packets of the same flow on the same link. This mode
can be one of or a combination of the following traffic classification criteria:
 Ingress port.
 Source or destination IP.
 Source or destination MAC.
 Source or destination port number.
• Packet type-based load sharing—Distributes traffic automatically based on packet types.
• Intelligent load sharing—Distributes traffic based on the bandwidth usage of Selected
member ports. In this mode, the device periodically samples the bandwidth usage of Selected
member ports and adjusts traffic distribution if the bandwidth usage of a Selected member port
exceeds a threshold. The threshold varies by device model. After you set the intelligent load
sharing mode, the device distributes traffic based on the default load sharing mode and then
optimizes traffic distribution based on the bandwidth usage.

S-MLAG
Simple multichassis link aggregation (S-MLAG) enhances dynamic link aggregation to establish an
aggregation that spans multiple standalone devices to a remote device. Typically, the remote device
is a server.
An S-MLAG multichassis aggregation connects one dynamic Layer 2 aggregate interface on each
S-MLAG device to the remote device, as shown in Figure 14.
S-MLAG uses an S-MLAG group to manage the aggregate interfaces for each aggregation, and it
runs LACP to maintain each aggregation as does dynamic link aggregation. To the remote device,
the S-MLAG devices appear as one peer aggregation system.

55
 Figure 14 S-MLAG application scenario
Device A

Port A1 Port A3

Port A2
BAGG

Port B1 Port C1 Port D1

Device B Device C Device D

Restrictions and guidelines: Mixed use of manual

and automatic link aggregation configuration
To avoid unexpected aggregation issues, do not use manual assignment, automatic assignment,
and automatic link aggregation in any combination. If you use any two of these features in
combination, an automatically assigned member port might move between aggregation groups or
undesirably change from Selected to Unselected in some situations.

Ethernet link aggregation tasks at a glance

To configure Ethernet link aggregation, perform the following tasks:
1. Configuring the system ID
2. Configuring link aggregations
 Configuring a manual link aggregation
 Configuring automatic link aggregation
 Configuring S-MLAG
3. (Optional.) Configuring an aggregate interface
 Configuring the description of an aggregate interface
 Setting the MAC address for an aggregate interface
 Configuring jumbo frame support
 Setting the MTU for a Layer 3 aggregate interface
 Setting the expected bandwidth for an aggregate interface
 Configuring an edge aggregate interface
An edge aggregate interface uses all member ports to forward traffic when the aggregation
peer is not enabled with dynamic link aggregation.
 Configuring physical state change suppression on an aggregate interface
 Shutting down an aggregate interface
 Restoring the default settings for an aggregate interface
4. (Optional.) Enabling transparent LACPDU transmission
5. (Optional.) Adjusting aggregation states of link aggregation member ports
 Setting the minimum and maximum numbers of Selected ports for an aggregation group
 Configuring the link aggregation capability of the device

56
  Disabling the default action of selecting a Selected port for dynamic aggregation groups that
have not received LACPDUs
 Configuring a dynamic aggregation group to use port speed as the prioritized criterion for
reference port selection
6. (Optional.) Configuring load sharing for link aggregation groups
 Setting static load sharing modes for link aggregation groups
 Enabling local-first load sharing for link aggregation
7. (Optional.) Optimizing traffic forwarding
 Enabling link-aggregation traffic redirection
This feature redirects traffic on an unavailable Selected port to the remaining available
Selected ports of an aggregation group to avoid traffic interruption.
 Isolating aggregate interfaces on the device
8. (Optional.) Enabling BFD for an aggregation group

Configuring the system ID

About this task
The two ends of a dynamic aggregate link choose a reference port from the end with a smaller
system ID.
The system ID contains the LACP system priority and LACP system MAC address. Two devices use
the following rules to compare their system IDs:
• If their system IDs contain different LACP system priorities, the system ID with a smaller LACP
system priority value is smaller.
• If their system IDs contain the same LACP system priority, the system ID with a lower LACP
system MAC address is smaller.
To view the LACP system MAC address and LACP system priority, execute the display
link-aggregation verbose command.
You can configure the system ID globally and in aggregate interface view. The global system ID
takes effect on all aggregation groups, and an aggregate-interface-specific system ID takes
precedence over the global system ID.
Restrictions and guidelines
Member devices in an S-MLAG system must use the same LACP system priority and LACP system
MAC address.
On a DR system, DR interfaces in the same DR group must use the same LACP system MAC
address.
For member ports to be selected correctly, do not modify the LACP system priority and LACP system
MAC address after a dynamic link aggregation is established.
Procedure
1. Enter system view.
system-view
2. Set the LACP system MAC address globally.
lacp system-mac mac-address
By default, the LACP system MAC address is the bridge MAC address of the device.
3. Set the LACP system priority globally.
lacp system-priority priority

57
 By default, the LACP system priority is 32768.
4. Enter aggregate interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
5. Set the LACP system MAC address on the aggregate interface.
port lacp system-mac mac-address
By default, the LACP system MAC address is the bridge MAC address of the device.
6. Set the LACP system priority on the aggregate interface.
port lacp system-priority priority
By default, the LACP system priority is 32768.

Configuring a manual link aggregation

Restrictions and guidelines for aggregation group
configuration
Layer 2 aggregation group restrictions
You cannot assign an interface to a Layer 2 aggregation group if any features in Table 4 are
configured on that interface.
Table 4 Features incompatible with Layer 2 aggregation member ports

Feature on the interface Reference

MAC authentication MAC authentication in Security Configuration Guide
Port security Port security in Security Configuration Guide
802.1X 802.1X in Security Configuration Guide

Aggregation member port restrictions

Deleting an aggregate interface also deletes its aggregation group and causes all member ports to
leave the aggregation group.
An interface cannot join an aggregation group if it has different attribute configurations from the
aggregate interface. After joining an aggregation group, an interface inherits the attribute
configurations on the aggregate interface. You can modify the attribute configurations only on the
aggregate interface.
Do not assign a reflector port for port mirroring to an aggregation group. For more information about
reflector ports, see Network Management and Monitoring Configuration Guide.
Attribute and protocol configuration restrictions
For a link aggregation, attribute configurations are configurable only on the aggregate interface and
are automatically synchronized to all member ports. You cannot configure attribute configurations on
a member port until it is removed from the link aggregation group. The configurations that have been
synchronized from the aggregate interface are retained on the member ports even after the
aggregate interface is deleted.
If an attribute setting on the aggregate interface fails to be synchronized to a Selected member port,
the port might change to the Unselected state.

58
 The protocol configurations for an aggregate interface take effect only on the current aggregate
interface. The protocol configurations for a member port take effect only when the port leaves its
aggregation group.
Configuration consistency requirements
You must configure the same aggregation mode at the two ends of an aggregate link.
• For a successful static aggregation, make sure the ports at both ends of each link are in the
same aggregation state.
• For a successful dynamic aggregation:
 Make sure the ports at both ends of a link are assigned to the correct aggregation group.
The two ends can automatically negotiate the aggregation state of each member port.
 If you use automatic interface assignment on one end, you must use manual assignment on
the other end.

Configuring a Layer 2 aggregation group

Configuring a Layer 2 static aggregation group
1. Enter system view.
system-view
2. Create a Layer 2 aggregate interface and enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
When you create a Layer 2 aggregate interface, the system automatically creates a Layer 2
static aggregation group numbered the same as that interface.
3. Return to system view.
quit
4. Assign an interface to the Layer 2 aggregation group:
a. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
b. Assign the interface to the Layer 2 aggregation group.
port link-aggregation group group-id [ force ]
Repeat the substeps to assign more interfaces to the aggregation group.
To synchronize the attribute configurations from the aggregate interface when the current
interface joins the aggregation group, specify the force keyword.
5. (Optional.) Set the port priority of the interface.
link-aggregation port-priority priority
The default port priority of an interface is 32768.
Configuring a Layer 2 dynamic aggregation group
1. Enter system view.
system-view
2. Create a Layer 2 aggregate interface and enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
When you create a Layer 2 aggregate interface, the system automatically creates a Layer 2
static aggregation group numbered the same as that interface.
3. Configure the aggregation group to operate in dynamic mode.
link-aggregation mode dynamic
By default, an aggregation group operates in static mode.

59
 4. Return to system view.
quit
5. Assign an interface to the Layer 2 aggregation group:
a. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
b. Assign the interface to the Layer 2 aggregation group or enable automatic assignment on
that interface.
port link-aggregation group { group-id [ force ] | auto [ group-id ] }
Repeat these two substeps to assign more Layer 2 Ethernet interfaces to the aggregation
group.
To synchronize the attribute configurations from the aggregate interface when the current
interface joins the aggregation group, specify the force keyword.
To enable automatic assignment, specify the auto keyword. As a best practice, do not modify
the configuration on an automatically created aggregate interface or its member ports.
6. Set the LACP operating mode for the interface.
 Set the LACP operating mode to passive.
lacp mode passive
 Set the LACP operating mode to active.
undo lacp mode
By default, LACP is operating in active mode.
7. (Optional.) Set the port priority for the interface.
link-aggregation port-priority priority
The default setting is 32768.
8. (Optional.) Set the short LACP timeout interval (3 seconds) for the interface.
lacp period short
By default, the long LACP timeout interval (90 seconds) is used by the interface.
To avoid traffic interruption during an ISSU, do not set the short LACP timeout interval before
performing the ISSU. For more information about ISSU, see Fundamentals Configuration
Guide.

Configuring a Layer 3 aggregation group

Configuring a Layer 3 static aggregation group
1. Enter system view.
system-view
2. Create a Layer 3 aggregate interface and enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
When you create a Layer 3 aggregate interface, the system automatically creates a Layer 3
static aggregation group numbered the same as that interface.
3. Return to system view.
quit
4. Assign an interface to the Layer 3 aggregation group:
a. Enter Layer 3 Ethernet interface view.
interface interface-type interface-number
b. Assign the interface to the Layer 3 aggregation group.

60
 port link-aggregation group group-id
Repeat the substeps to assign more interfaces to the aggregation group.
5. (Optional.) Set the port priority of the interface.
link-aggregation port-priority priority
The default port priority of an interface is 32768.
Configuring a Layer 3 dynamic aggregation group
1. Enter system view.
system-view
2. Create a Layer 3 aggregate interface and enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
When you create a Layer 3 aggregate interface, the system automatically creates a Layer 3
static aggregation group numbered the same as that interface.
3. Configure the aggregation group to operate in dynamic mode.
link-aggregation mode dynamic
By default, an aggregation group operates in static mode.
4. Return to system view.
quit
5. Assign an interface to the Layer 3 aggregation group:
a. Enter Layer 3 Ethernet interface view.
interface interface-type interface-number
b. Assign the interface to the Layer 3 aggregation group or enable automatic assignment on
that interface.
port link-aggregation group { group-id | auto [ group-id ] }
Repeat these two substeps to assign more Layer 3 Ethernet interfaces to the aggregation
group.
To enable automatic assignment, specify the auto keyword. As a best practice, do not modify
the configuration on an automatically created aggregate interface or its member ports.
6. Set the LACP operating mode for the interface.
 Set the LACP operating mode to passive.
lacp mode passive
 Set the LACP operating mode to active.
undo lacp mode
By default, LACP is operating in active mode.
7. (Optional.) Set the port priority of the interface.
link-aggregation port-priority priority
The default setting is 32768.
8. (Optional.) Set the short LACP timeout interval (3 seconds) for the interface.
lacp period short
By default, the long LACP timeout interval (90 seconds) is used by the interface.
To avoid traffic interruption during an ISSU, do not set the short LACP timeout interval before
performing the ISSU. For more information about ISSU, see Fundamentals Configuration
Guide.

61
Configuring automatic link aggregation
About this task
You can use automatic link aggregation to aggregate the redundant physical links between devices
to ease management and increase bandwidth and availability.
Restrictions and guidelines
On an interface, the port link-aggregation group setting takes precedence over automatic
link aggregation. The interface will not be added to the aggregation group of an automatically created
aggregate interface if it has been the member port of a manually created aggregate interface.
If automatic link aggregation is enabled, subinterface creation might fail on LLDP-enabled Layer 3
Ethernet interfaces. As a best practice, do not create subinterfaces on LLDP-enabled Layer 3
Ethernet interfaces.
To ensure correct operation of an automatically created aggregate interface ,do not modify the
configuration on the member ports of its aggregation group. Doing so might cause the member ports
to be removed from the aggregation group.
For DRNI to operate correctly, do not configure automatic link aggregation on a DR system.
As a best practice to ensure correct operation of dynamic aggregation groups, do not use automatic
link aggregation and automatic member port assignment together.
Prerequisites
Before you configure automatic link aggregation, enable LLDP on the peer devices.
Procedure
1. Enter system view.
system-view
2. Enable automatic link aggregation.
link-aggregation auto-aggregation enable
By default, automatic link aggregation is disabled.

Configuring S-MLAG
Restrictions and guidelines
Use S-MLAG only for setting up multichassis link aggregations to servers.
S-MLAG is intended for a non-IRF environment. Do not configure it on an IRF fabric. For more
formation about IRF, see Virtual Technologies Configuration Guide.
Each S-MLAG group can contain only one aggregate interface on each device.
The aggregate interfaces in an S-MLAG group cannot be used as DR interfaces or IPPs in DRNI. For
more information about DR interfaces and IPPs, see DRNI configuration in Layer 2—LAN Switching
Configuration Guide.
On S-MLAG devices, make sure the member ports in an aggregation group have the same speed
and duplex mode. Inconsistency in these settings might cause reference port reselection and
interrupt traffic forwarding when new member ports join the aggregation group.
Do not configure the following settings on S-MLAG devices:
• LACP MAD.
• Link-aggregation traffic redirection.
• Maximum or minimum number of Selected ports.

62
 • Automatic member port assignment.
• Spanning tree. For more information, see "Configuring spanning tree protocols."
As a best practice, maintain consistency across S-MLAG devices in service feature configuration.
Prerequisites
Configure the link aggregation settings other than S-MLAG settings on each S-MLAG device. Make
sure the settings are consistent across the S-MLAG devices.
Procedure
1. Enter system view.
system-view
2. Set the LACP system MAC address.
lacp system-mac mac-address
By default, the LACP system MAC address is the bridge MAC address of the device.
All S-MLAG devices must use the same LACP system MAC address.
3. Set the LACP system priority.
lacp system-priority priority
By default, the LACP system priority is 32768.
All S-MLAG devices must use the same LACP system priority.
4. Set the LACP system number.
lacp system-number number
By default, the LACP system number is not set.
You must assign a unique LACP system number to each S-MLAG device.
5. Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
6. Set the link aggregation mode to dynamic.
link-aggregation mode dynamic
By default, an aggregation group operates in static mode.
7. Assign the aggregate interface to an S-MLAG group.
port s-mlag group group-id
By default, an aggregate interface is not assigned to any S-MLAG group.

Configuring an aggregate interface

Most settings that can be made on Layer 2 or Layer 3 Ethernet interfaces can also be made on Layer
2 or Layer 3 aggregate interfaces.

Configuring the description of an aggregate interface

About this task
You can configure the description of an aggregate interface for administration purposes, for example,
describing the purpose of the interface.
Procedure
1. Enter system view.
system-view

63
 2. Enter aggregate interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
 Enter Layer 3 aggregate subinterface view.
interface route-aggregation interface-number.subnumber }
3. Configure the interface description.
description text
By default, the description of an interface is interface-name Interface.

Setting the MAC address for an aggregate interface

About this task
Typically, all aggregate interfaces on a device use the same MAC address, and aggregate interfaces
on different devices use different MAC addresses. However, you must set different MAC addresses
for aggregate interfaces on a device in some situations.
For example, in a spanning tree network, the BPDUs sent by Layer 2 aggregate interfaces on a
device have the same source MAC address. A third-party device might handle these BPDUs as
attack packets and drop them. To resolve this issue, set different MAC addresses for the Layer 2
aggregate interfaces.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the MAC address for the aggregate interface.
mac-address mac-address
By default, all aggregate interfaces on the device use the same default MAC address.

Configuring jumbo frame support

About this task
An aggregate interface might receive frames larger than 1536 bytes during high-throughput data
exchanges, such as file transfers. These frames are called jumbo frames.
How an aggregate interface processes jumbo frames depends on whether jumbo frame support is
enabled on the interface.
• If configured to deny jumbo frames, the aggregate interface discards jumbo frames.
• If enabled with jumbo frame support, the aggregate interface performs the following operations:
 Processes jumbo frames that are within the allowed length.
 Discards jumbo frames that exceed the allowed length.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.

64
  Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Allow jumbo frames.
jumboframe enable [ size ]
By default, an aggregate interface allows jumbo frames with a maximum length of 10000 bytes
to pass through.
If you execute this command multiple times, the most recent configuration takes effect.

Setting the MTU for a Layer 3 aggregate interface

About this task
The MTU of an interface affects IP packets fragmentation and reassembly on the interface.
Procedure
1. Enter system view.
system-view
2. Enter Layer 3 aggregate interface or subinterface view.
interface route-aggregation { interface-number |
interface-number.subnumber }
3. Set the MTU.
mtu size
The default setting is 1500 bytes.

Setting the expected bandwidth for an aggregate interface

About this task
Expected bandwidth is an informational parameter used only by higher-layer protocols for calculation.
You cannot adjust the actual bandwidth of an interface by performing this task.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
 Enter Layer 3 aggregate subinterface view.
interface route-aggregation interface-number.subnumber }
3. Set the expected bandwidth for the interface.
bandwidth bandwidth-value
By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.

65
Configuring an edge aggregate interface
Restrictions and guidelines
This configuration takes effect only on aggregate interfaces in dynamic mode.
Link-aggregation traffic redirection cannot operate correctly on an edge aggregate interface. For
more information about link-aggregation traffic redirection, see "Enabling link-aggregation traffic
redirection."
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Configure the aggregate interface as an edge aggregate interface.
lacp edge-port
By default, an aggregate interface does not operate as an edge aggregate interface.

Configuring physical state change suppression on an

aggregate interface
About this task
The physical link state of an aggregate interface is either up or down. Each time the physical link of
an interface comes up or goes down, the system immediately reports the change to the CPU. The
CPU then notifies the upper-layer protocol modules (such as routing and forwarding modules) of the
change, and the device automatically generates traps and log messages and sends them to the
SNMP and information center modules. You can configure SNMP and information center to output
these messages.
To prevent frequent physical link flapping from affecting system performance, configure physical
state change suppression. You can configure this feature to suppress link-down events, link-up
events, or both. If an event of the specified type still exists when the suppression interval expires, the
system reports the event to the CPU.
Restrictions and guidelines
On an interface, you can configure different suppression intervals for link-up and link-down events. If
you execute the link-delay command multiple times for an event type, the most recent
configuration takes effect on that event type.
Use this feature on an aggregate interface to reduce the impact of interface flapping on upper-layer
services, for example, on a DRNI IPP. For more information about IPPs, see "Configuring DRNI."
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number

66
  Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Configure physical state change suppression.
link-delay { down | up } [ msec ] delay-time
By default, each time the physical link of an aggregate interface goes up or comes down, the
system immediately reports the change to the CPU.

Shutting down an aggregate interface

Restrictions and guidelines
Shutting down or bringing up an aggregate interface affects the aggregation states and link states of
member ports in the corresponding aggregation group as follows:
• When an aggregate interface is shut down, all its Selected ports become Unselected and all
member ports go down.
• When an aggregate interface is brought up, the aggregation states of all its member ports are
recalculated.
When you shut down or bring up a Layer 3 aggregate interface, all its aggregate subinterfaces are
also shut down or brought up. Shutting down or bringing up a Layer 3 aggregate subinterface does
not affect the state of the main aggregate interface.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
 Enter Layer 3 aggregate subinterface view.
interface route-aggregation interface-number.subnumber }
3. Shut down the interface.
shutdown

Restoring the default settings for an aggregate interface

Restrictions and guidelines

CAUTION:
The default command might interrupt ongoing network services. Make sure you are fully aware of
the impacts of this command when you execute it on a live network.

The default command might fail to restore the default settings for some commands for reasons
such as command dependencies and system restrictions.
To resolve this issue:
1. Use the display this command in interface view to identify these commands.
2. Use their undo forms or follow the command reference to restore their default settings.
3. If the restoration attempt still fails, follow the error message instructions to resolve the issue.

67
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
 Enter Layer 3 aggregate subinterface view.
interface route-aggregation interface-number.subnumber }
3. Restore the default settings for the aggregate interface.
default

Enabling transparent LACPDU transmission

About this task
To establish a dynamic aggregation between two remote CEs in an L2VPN network, use transparent
LACPDU transmission on the PEs to which the CEs are attached, as shown in Figure 15.
This feature enables the PEs to forward LACPDUs for the CEs to establish a dynamic aggregation.
If this feature is disabled, the PEs terminate the LACPDUs. The remote CEs cannot establish
dynamic aggregations.
Figure 15 Application scenario of transparent LACPDU transmission

PE 1 PE 2
Network
Tunnel
Port 1 Port 1

Port 2 Port 2

CE 1 CE 2

Prerequisites
Perform the following tasks on PEs:
1. Configure the untagged or default frame match criterion for the Ethernet service instances on
the interfaces connected to CEs.
2. Map the Ethernet service instances to different VSIs and set the access mode to Ethernet for
the VSIs.
For more information about Ethernet service instances, see MPLS L2VPN and VPLS configuration in
MPLS Configuration Guide.
Restrictions and guidelines
When you use this feature on the PEs, follow these guidelines:
• Enable transparent LACPDU transmission on the interfaces that transmit traffic between CEs
and PEs and between PEs.

68
 • Do not use an interface for dynamic link aggregation if you enable transparent LACPDU
transmission on that interface. With transparent LACPDU transmission enabled, an interface
cannot be selected for aggregation.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable transparent LACPDU transmission.
lacp transparent enable
By default, transparent LACPDU transmission is disabled.

Setting the minimum and maximum numbers of

Selected ports for an aggregation group
About this task
The bandwidth of an aggregate link increases as the number of Selected member ports increases.
To avoid congestion, you can set the minimum number of Selected ports required for bringing up an
aggregate interface.
This minimum threshold setting affects the aggregation states of aggregation member ports and the
state of the aggregate interface.
• When the number of member ports eligible to be Selected ports is smaller than the minimum
threshold, the following events occur:
 The eligible member ports are placed in Unselected state.
 The link layer state of the aggregate interface becomes down.
• When the number of member ports eligible to be Selected ports reaches or exceeds the
minimum threshold, the following events occur:
 The eligible member ports are placed in Selected state.
 The link layer state of the aggregate interface becomes up.
The maximum number of Selected ports allowed in an aggregation group is limited by either manual
configuration or hardware limitation, whichever value is smaller.
You can implement backup between two ports by performing the following tasks:
• Assigning two ports to an aggregation group.
• Setting the maximum number of Selected ports to 1 for the aggregation group.
Then, only one Selected port is allowed in the aggregation group, and the Unselected port acts as a
backup port.
Restrictions and guidelines

IMPORTANT:
After you set the minimum percentage of Selected ports for an aggregation group, aggregate
interface flapping might occur when ports join or leave an aggregation group. Make sure you are
fully aware of the impacts of this setting when you configure it on a live network.

69
 You can set either the minimum number or the minimum percentage of Selected ports for an
aggregation group. If you configure both settings on an aggregate interface, the higher Selected port
number limit takes effect.
The minimum and maximum numbers of Selected ports must be the same between the two ends of
an aggregate link.
The minimum percentage of Selected ports must be the same between the two ends of an aggregate
link.
For an aggregation group, the maximum number of Selected ports must be equal to or higher than
the minimum number of Selected ports.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Set the minimum number of Selected ports for the aggregation group. Choose one of the
following methods:
 Set the minimum number of Selected ports.
link-aggregation selected-port minimum min-number
 Set the minimum percentage of Selected ports.
link-aggregation selected-port minimum percentage number
By default, the minimum number of Selected ports is not specified for an aggregation group.
4. Set the maximum number of Selected ports for the aggregation group.
link-aggregation selected-port maximum max-number [ lacp-sync ]
By default, an aggregation group can have a maximum of 8 Selected ports.
For a static aggregate link, you must set the maximum number of Selected ports to the same
value at its two ends.
For a dynamic aggregate link, you must set the maximum number of Selected ports to the same
value at its two ends if you do not specify the lacp-sync keyword. If you specify this keyword,
the two ends of the aggregate link compare their maximum Selected port number settings and
use the smaller value.

Configuring the link aggregation capability of the

device
About this task
Perform this task to modify the maximum number of aggregation groups and the maximum number
of Selected ports per aggregation group.
Restrictions and guidelines
After you configure the link aggregation capability of the device, save the configuration and reboot
the device for the configuration to take effect. Before rebooting the device, make sure you know the
possible impact on the network.

70
 For link aggregation to operate correctly, set the same link aggregation capability at both ends of an
aggregate link.
The maximum number of Selected ports in an aggregation group is limited by one of the following
values, whichever value is smaller:
• Maximum number set by using the link-aggregation selected-port maximum
command.
• Maximum number of Selected ports allowed by the link aggregation capability.
Procedure
1. Enter system view.
system-view
2. Configure the link aggregation capability of the device.
link-aggregation capability max-group max-group-number
max-selected-port max-selected-port-number
By default, the maximum number of Selected ports per aggregation group is 8, and the
maximum number of aggregation groups is 128.

Disabling the default action of selecting a

Selected port for dynamic aggregation groups that
have not received LACPDUs
About this task
The default port selection action applies to dynamic aggregation groups.
This action automatically chooses the port with the lowest ID from among all up member ports as a
Selected port if none of them has received LACPDUs before the LACP timeout interval expires.
After this action is disabled, a dynamic aggregation group will not have any Selected ports to forward
traffic if it has not received LACPDUs before the LACP timeout interval expires.
Procedure
1. Enter system view.
system-view
2. Disable the default port selection action.
lacp default-selected-port disable
By default, the default port selection action is enabled for dynamic aggregation groups.

Configuring a dynamic aggregation group to use

port speed as the prioritized criterion for reference
port selection
About this task
Perform this task to ensure that a dynamic aggregation group selects a high-speed member port as
the reference port. After you perform this task, the reference port will be selected based on the
criteria in order of device ID, port speed, and port ID.

71
Restrictions and guidelines
Changing reference port selection criteria might cause transient traffic interruption. Make sure you
understand the impact of this task on your network.
You must perform this task at both ends of the aggregate link so the peer aggregation systems use
the same criteria for reference port selection.
As a best practice, shut down the peer aggregate interfaces before you execute this command and
bring up the interfaces after this command is executed on both of them.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Specify port speed as the prioritized criterion for reference port selection.
lacp select speed
By default, port ID is the prioritized criterion for reference port selection of a dynamic
aggregation group.

Configuring load sharing for link aggregation

groups
Setting static load sharing modes for link aggregation groups
About this task
You can set a global load sharing mode for all link aggregation groups.
The load sharing mode set for link aggregation groups might cause unbalanced traffic distribution
across ECMP routes. Make sure you are fully aware of the impacts of this feature when you
configure it on a live network.
Restrictions and guidelines
The dynamic load sharing mode has priority over the static load sharing mode. If you configure both
settings on an aggregate interface, the dynamic mode takes effect.
The following are global load sharing modes supported on the device:
• Load sharing mode automatically determined based on the packet type.
• Source IP.
• Destination IP.
• Source MAC.
• Destination MAC.
• Ingress port.
• Source IP and destination IP.
• Source IP and source port.
• Destination IP and destination port.

72
 • Source IP, source port, destination IP, and destination port.
• Any combinations of ingress port, source MAC, and destination MAC.
Procedure
1. Enter system view.
system-view
2. Set the global link-aggregation load sharing mode.
link-aggregation global load-sharing mode { destination-ip |
destination-mac | destination-port | ingress-port | source-ip |
source-mac | source-port } *
By default, packets are load shared based on the following information:
 Source and destination IP addresses.
 Source and destination MAC addresses.
 Source and destination ports.

Enabling local-first load sharing for link aggregation

About this task
Use local-first load sharing in a multidevice link aggregation scenario to distribute traffic preferentially
across member ports on the ingress slot.
When you aggregate ports on different member devices in an IRF fabric, you can use local-first load
sharing to reduce traffic on IRF links, as shown in Figure 16. For more information about IRF, see
Virtual Technologies Configuration Guide.
Figure 16 Load sharing for multidevice link aggregation in an IRF fabric

The egress port for a traffic flow is an

aggregate interface that has Selected
ports on different IRF member devices

Yes Local-first load sharing No

mechanism enabled?

No
Any Selected ports on the
ingress device?

Yes

Packets are load-shared only

Packets are load-shared across
across the Selected ports on the
all Selected ports
ingress device

Enabling local-first load sharing for link aggregation globally

1. Enter system view.
system-view
2. Enable local-first load sharing for link aggregation globally.

73
 link-aggregation load-sharing mode local-first
By default, local-first load sharing is enabled globally.

Enabling link-aggregation traffic redirection

About link-aggregation traffic redirection
This feature operates on dynamic link aggregation groups. It redirects traffic on a Selected port to the
remaining available Selected ports of an aggregation group if one of the following events occurs:
• The port is shut down by using the shutdown command.
• The slot that hosts the port reboots, and the aggregation group spans multiple slots.

NOTE:
The device does not redirect traffic to member ports that become Selected during the traffic
redirection process.

This feature ensures zero packet loss for known unicast traffic, but does not protect unknown unicast
traffic.
You can enable link-aggregation traffic redirection globally or for an aggregation group. Global
link-aggregation traffic redirection settings take effect on all aggregation groups. A link aggregation
group preferentially uses the group-specific link-aggregation traffic redirection settings. If
group-specific link-aggregation traffic redirection is not configured, the group uses the global
link-aggregation traffic redirection settings.

Restrictions and guidelines for link-aggregation traffic

redirection
Link-aggregation traffic redirection applies only to dynamic link aggregation groups.
As a best practice, enable link-aggregation traffic redirection on a per-interface basis. If you enable
this feature globally, communication with a third-party peer device might be affected if the peer is not
compatible with this feature.
To prevent traffic interruption, enable link-aggregation traffic redirection at both ends of the
aggregate link.
To prevent packet loss that might occur at a reboot, do not enable the spanning tree feature together
with link-aggregation traffic redirection.
Link-aggregation traffic redirection does not operate correctly on an edge aggregate interface.

Enabling link-aggregation traffic redirection globally

1. Enter system view.
system-view
2. Enable link-aggregation traffic redirection globally.
link-aggregation lacp traffic-redirect-notification enable
By default, link-aggregation traffic redirection is disabled globally.

74
Enabling link-aggregation traffic redirection for an
aggregation group
1. Enter system view.
system-view
2. Enter aggregate interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Enable link-aggregation traffic redirection for the aggregation group.
link-aggregation lacp traffic-redirect-notification enable
By default, link-aggregation traffic redirection is disabled for an aggregation group.

Isolating aggregate interfaces on the device

About this task
Aggregate interface isolation is applicable to the aggregate interfaces that act as DR interfaces when
the device acts a DR member device in a DR system. It gracefully changes all DR interfaces on the
device to the Unselected state and switch traffic over to their counterpart DR interfaces on the other
DR member device.
Restrictions and guidelines
This feature takes effect only on dynamic aggregate interfaces. It cannot isolate static aggregate
interfaces or IPPs.
As a best practice, make sure no DR interfaces are in DRNI MAD DOWN state before you isolate
them. If one of the DR interfaces is in DRNI MAD DOWN state when you isolate them, DR interface
will persist in that state and cannot forward traffic after the isolation is removed.
Procedure
1. Enter system view.
system-view
2. Isolate aggregate interfaces.
link-aggregation lacp isolate
By default, aggregate interfaces are not isolated.
To remove DR interface isolation, execute the undo form of this command.

Enabling BFD for an aggregation group

About this task
You can use BFD to monitor member link status in an aggregation group. After you enable BFD on
an aggregate interface, each Selected port in the aggregation group establishes a BFD session with
its peer port. BFD operates differently depending on the aggregation mode.
• BFD on a static aggregation—When BFD detects a link failure, BFD notifies the Ethernet link
aggregation module that the peer port is unreachable. The local port is then placed in
Unselected state. However, the BFD session between the local and peer ports remains, and the
local port keeps sending BFD packets. When BFD on the local port receives packets from the

75
 peer port upon link recovery, BFD notifies the Ethernet link aggregation module that the peer
port is reachable. Then, the local port is placed in Selected state again. This mechanism
ensures that the local and peer ports of a static aggregate link have the same aggregation state.
• BFD on a dynamic aggregation—When BFD detects a link failure, BFD notifies the Ethernet
link aggregation module that the peer port is unreachable. At the same time, BFD clears the
session and stops sending BFD packets. When the local port is placed in Selected state again
upon link recovery, the local port establishes a new session with the peer port and BFD notifies
the Ethernet link aggregation module that the peer port is reachable. Because BFD provides
fast failure detection, the local and peer systems of a dynamic aggregate link can negotiate the
aggregation state of their member ports faster.
For more information about BFD, see High Availability Configuration Guide.
Restrictions and guidelines
When you enable BFD for an aggregation group, follow these restrictions and guidelines:
• Make sure the source and destination IP addresses are reversed between the two ends of an
aggregate link. For example, if you execute link-aggregation bfd ipv4 source
1.1.1.1 destination 2.2.2.2 at the local end, execute link-aggregation bfd
ipv4 source 2.2.2.2 destination 1.1.1.1 at the peer end. The source and
destination IP addresses cannot be the same.
• The BFD parameters configured on an aggregate interface take effect on all BFD sessions
established by the member ports in its aggregation group. BFD on a link aggregation supports
only control packet mode for session establishment and maintenance. The two ends of an
established BFD session can only operate in Asynchronous mode.
• As a best practice, do not configure BFD for any protocols on a BFD-enabled aggregate
interface.
• Make sure the number of member ports in a BFD-enabled aggregation group is less than or
identical to the number of BFD sessions supported by the device. If the aggregation group
contains more member ports than the supported sessions, some Selected ports might change
to the Unselected state.
• If the number of BFD sessions differs between the two ends of an aggregate link, check their
settings for inconsistency in the maximum number of Selected ports. You must make sure the
two ends have the same setting for the maximum number of Selected ports.
Procedure
1. Enter system view.
system-view
2. Enter aggregate interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter Layer 3 aggregate interface view.
interface route-aggregation interface-number
3. Enable BFD for the aggregation group.
link-aggregation bfd ipv4 source ip-address destination ip-address
By default, BFD is disabled for an aggregation group.

Display and maintenance commands for Ethernet

link aggregation
Execute display commands in any view and reset commands in user view.

76
 Task Command
display interface
[ { bridge-aggregation |
Display information about aggregate
route-aggregation }
interfaces.
[ interface-number ] ] [ brief
[ description | down ] ]
Display the local system ID. display lacp system-id
Display the link aggregation capability of the
display link-aggregation capability
device.

Display the global or group-specific display link-aggregation load-sharing

link-aggregation load sharing modes. mode
Display detailed link aggregation information display link-aggregation member-port
about link aggregation member ports. [ interface-list | auto ]
Display summary information about all
display link-aggregation summary
aggregation groups.

display link-aggregation
Display the aggregation states of aggregation troubleshooting [ { bridge-aggregation
member ports and the reason why a port was
placed in Unselected state.
| route-aggregation }
[ interface-number ] ]
display link-aggregation verbose
Display detailed information about the [ { bridge-aggregation |
specified aggregation groups. route-aggregation }
[ interface-number ] ]
reset counters interface
Clear statistics for the specified aggregate [ { bridge-aggregation |
interfaces. route-aggregation }
[ interface-number ] ]
Clear LACP statistics for the specified link reset lacp statistics [ interface
aggregation member ports. interface-list ]

Ethernet link aggregation configuration examples

Example: Configuring a Layer 2 static aggregation group
Network configuration
On the network shown in Figure 17, perform the following tasks:
• Configure a Layer 2 static aggregation group on both Device A and Device B.
• Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other
end.
• Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other
end.

77
 Figure 17 Network diagram

VLAN 10 VLAN 10

GE1/0/4 GE1/0/4
GE1/0/1 GE1/0/1
GE1/0/2 GE1/0/2
Device A Link aggregation 1 Device B
GE1/0/3 GE1/0/3

GE1/0/5 BAGG1 BAGG1 GE1/0/5

VLAN 20 VLAN 20

Procedure
1. Configure Device A:
# Create VLAN 10, and assign port GigabitEthernet 1/0/4 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port gigabitethernet 1/0/4
[DeviceA-vlan10] quit
# Create VLAN 20, and assign port GigabitEthernet 1/0/5 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port gigabitethernet 1/0/5
[DeviceA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] quit
# Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to link aggregation group 1.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/2] quit
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/3] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLANs 10 and 20.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20
[DeviceA-Bridge-Aggregation1] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.

78
 [DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None
Port Status Priority Oper-Key
GE1/0/1(R) S 32768 1
GE1/0/2 S 32768 1
GE1/0/3 S 32768 1

The output shows that link aggregation group 1 is a Layer 2 static aggregation group that contains
three Selected ports.

Example: Configuring a Layer 2 dynamic aggregation group

Network configuration
On the network shown in Figure 18, perform the following tasks:
• Configure a Layer 2 dynamic aggregation group on both Device A and Device B.
• Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other
end.
• Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other
end.
Figure 18 Network diagram

VLAN 10 VLAN 10

GE1/0/4 GE1/0/4
GE1/0/1 GE1/0/1
GE1/0/2 GE1/0/2
Device A Link aggregation 1 Device B
GE1/0/3 GE1/0/3

GE1/0/5 BAGG1 BAGG1 GE1/0/5

VLAN 20 VLAN 20

Procedure
1. Configure Device A:
# Create VLAN 10, and assign the port GigabitEthernet 1/0/4 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10

79
 [DeviceA-vlan10] port gigabitethernet 1/0/4
[DeviceA-vlan10] quit
# Create VLAN 20, and assign the port GigabitEthernet 1/0/5 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port gigabitethernet 1/0/5
[DeviceA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1, and set the link aggregation mode
to dynamic.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation1] quit
# Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to link aggregation group 1.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/2] quit
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/3] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLANs 10 and 20.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20
[DeviceA-Bridge-Aggregation1] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Index Oper-Key Flag
GE1/0/1(R) S 32768 11 1 {ACDEF}
GE1/0/2 S 32768 12 1 {ACDEF}

80
 GE1/0/3 S 32768 13 1 {ACDEF}
Remote:
Actor Priority Index Oper-Key SystemID Flag
GE1/0/1 32768 81 1 0x8000, 000f-e267-57ad {ACDEF}
GE1/0/2 32768 82 1 0x8000, 000f-e267-57ad {ACDEF}
GE1/0/3 32768 83 1 0x8000, 000f-e267-57ad {ACDEF}

The output shows that link aggregation group 1 is a Layer 2 dynamic aggregation group that contains
three Selected ports.

Example: Configuring a Layer 2 edge aggregate interface

Network configuration
As shown in Figure 19, a Layer 2 dynamic aggregation group is configured on the device. The server
is not configured with dynamic link aggregation.
Configure an edge aggregate interface so that both GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2
can forward traffic to improve link reliability.
Figure 19 Network diagram

GE1/0/1
GE1/0/2 Link aggregation 1

Device BAGG1 BAGG1 Server

Procedure
# Create Layer 2 aggregate interface Bridge-Aggregation 1, and set the link aggregation mode to
dynamic.
<Device> system-view
[Device] interface bridge-aggregation 1
[Device-Bridge-Aggregation1] link-aggregation mode dynamic

# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as an edge aggregate interface.

[Device-Bridge-Aggregation1] lacp edge-port
[Device-Bridge-Aggregation1] quit

# Assign ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to link aggregation group 1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port link-aggregation group 1
[Device-GigabitEthernet1/0/1] quit
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] port link-aggregation group 1
[Device-GigabitEthernet1/0/2] quit

Verifying the configuration

# Display detailed information about all aggregation groups on the device when the server is not
configured with dynamic link aggregation.
[Device] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,

81
 G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Index Oper-Key Flag
GE1/0/1 I 32768 11 1 {AG}
GE1/0/2 I 32768 12 1 {AG}

Remote:
Actor Priority Index Oper-Key SystemID Flag
GE1/0/1 32768 81 0 0x8000, 0000-0000-0000 {DEF}
GE1/0/2 32768 82 0 0x8000, 0000-0000-0000 {DEF}

The output shows that GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are in Individual state when
they do not receive LACPDUs from the server. Both GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2
can forward traffic. When one port fails, its traffic is automatically switched to the other port.

Example: Configuring a Layer 3 static aggregation group

Network configuration
On the network shown in Figure 20, perform the following tasks:
• Configure a Layer 3 static aggregation group on both Device A and Device B.
• Configure IP addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.
Figure 20 Network diagram
GE1/0/1 GE1/0/1
GE1/0/2 GE1/0/2
Link aggregation 1
GE1/0/3 GE1/0/3

Device A RAGG1 RAGG1 Device B

192.168.1.1/24 192.168.1.2/24

Procedure
1. Configure Device A:
# Create Layer 3 aggregate interface Route-Aggregation 1, and configure an IP address and
subnet mask for the aggregate interface.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to
aggregation group 1.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2

82
 [DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/2] quit
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/3] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Route-Aggregation1

Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None
Port Status Priority Oper-Key
GE1/0/1(R) S 32768 1
GE1/0/2 S 32768 1
GE1/0/3 S 32768 1

The output shows that link aggregation group 1 is a Layer 3 static aggregation group that contains
three Selected ports.

Example: Configuring a Layer 3 dynamic aggregation group

Network configuration
On the network shown in Figure 21, perform the following tasks:
• Configure a Layer 3 dynamic aggregation group on both Device A and Device B.
• Configure IP addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.
Figure 21 Network diagram
GE1/0/1 GE1/0/1
GE1/0/2 GE1/0/2
Link aggregation 1
GE1/0/3 GE1/0/3

Device A RAGG1 RAGG1 Device B

192.168.1.1/24 192.168.1.2/24

Procedure
1. Configure Device A:
# Create Layer 3 aggregate interface Route-Aggregation 1.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
# Set the link aggregation mode to dynamic.
[DeviceA-Route-Aggregation1] link-aggregation mode dynamic

83
 # Configure an IP address and subnet mask for Route-Aggregation 1.
[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to
aggregation group 1.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/2] quit
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/3] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Route-Aggregation1

Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Index Oper-Key Flag
GE1/0/1(R) S 32768 11 1 {ACDEF}
GE1/0/2 S 32768 12 1 {ACDEF}
GE1/0/3 S 32768 13 1 {ACDEF}
Remote:
Actor Priority Index Oper-Key SystemID Flag
GE1/0/1 32768 81 1 0x8000, 000f-e267-57ad {ACDEF}
GE1/0/2 32768 82 1 0x8000, 000f-e267-57ad {ACDEF}
GE1/0/3 32768 83 1 0x8000, 000f-e267-57ad {ACDEF}

The output shows that link aggregation group 1 is a Layer 3 dynamic aggregation group that contains
three Selected ports.

84
Example: Configuring S-MLAG
Network configuration
Device B, Device C, and Device D are standalone devices. As shown in Figure 22, configure Device
B, Device C, and Device D as S-MLAG devices to establish a multidevice aggregate link with Device
A.
Figure 22 Network diagram
Device A

GE1/0/1 GE1/0/3

GE1/0/2
BAGG

GE1/0/1 GE1/0/1 GE1/0/1

Device B Device C Device D

Procedure
1. Configure Device A:
# Create Layer 2 aggregate interface Bridge-Aggregation 10, and set the link aggregation mode
to dynamic.
<DeviceA> system-view
[DeviceA] interface bridge-aggregation 10
[DeviceA-Bridge-Aggregation10] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation10] quit
# Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to aggregation group 10.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 10
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-aggregation group 10
[DeviceA-GigabitEthernet1/0/2] quit
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-aggregation group 10
[DeviceA-GigabitEthernet1/0/3] quit
2. Configure Device B:
# Set the LACP system MAC address to 0001-0001-0001.
<DeviceB> system-view
[DeviceB] lacp system-mac 1-1-1
# Set the LACP system priority to 123.
[DeviceB] lacp system-priority 123
# Set the LACP system number to 1.
[DeviceB] lacp system-number 1
# Create Layer 2 aggregate interface Bridge-Aggregation 2, and set the link aggregation mode
to dynamic.

85
 [DeviceB] interface bridge-aggregation 2
[DeviceB-Bridge-Aggregation2] link-aggregation mode dynamic
# Assign Bridge-Aggregation 2 to S-MLAG group 100.
[DeviceB-Bridge-Aggregation2] port s-mlag group 100
# Assign GigabitEthernet 1/0/1 to aggregation group 2.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-aggregation group 2
[DeviceB-GigabitEthernet1/0/1] quit
3. Configure Device C:
# Set the LACP system MAC address to 0001-0001-0001.
<DeviceC> system-view
[DeviceC] lacp system-mac 1-1-1
# Set the LACP system priority to 123.
[DeviceC] lacp system-priority 123
# Set the LACP system number to 2.
[DeviceC] lacp system-number 2
# Create Layer 2 aggregate interface Bridge-Aggregation 3, and set the link aggregation mode
to dynamic.
[DeviceC] interface bridge-aggregation 3
[DeviceC-Bridge-Aggregation3] link-aggregation mode dynamic
# Assign Bridge-Aggregation 3 to S-MLAG group 100.
[DeviceC-Bridge-Aggregation3] port s-mlag group 100
# Assign GigabitEthernet 1/0/1 to aggregation group 3.
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] port link-aggregation group 3
[DeviceC-GigabitEthernet1/0/1] quit
4. Configure Device D:
# Set the LACP system MAC address to 0001-0001-0001.
<DeviceD> system-view
[DeviceD] lacp system-mac 1-1-1
# Set the LACP system priority to 123.
[DeviceD] lacp system-priority 123
# Set the LACP system number to 3.
[DeviceD] lacp system-number 3
# Create Layer 2 aggregate interface Bridge-Aggregation 4, and set the link aggregation mode
to dynamic.
[DeviceD] interface bridge-aggregation 4
[DeviceD-Bridge-Aggregation4] link-aggregation mode dynamic
# Assign Bridge-Aggregation 4 to S-MLAG group 100.
[DeviceD-Bridge-Aggregation4] port s-mlag group 100
# Assign GigabitEthernet 1/0/1 to aggregation group 4.
[DeviceD] interface gigabitethernet 1/0/1
[DeviceD-GigabitEthernet1/0/1] port link-aggregation group 4
[DeviceD-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify that GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 on Device A are Selected ports.
[DeviceA] display link-aggregation verbose

86
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation10

Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, 40fa-264f-0100
Local:
Port Status Priority Index Oper-Key Flag
GE1/0/1(R) S 32768 1 1 {ACDEF}
GE1/0/2 S 32768 2 1 {ACDEF}
GE1/0/3 S 32768 3 1 {ACDEF}
Remote:
Actor Priority Index Oper-Key SystemID Flag
GE1/0/1 32768 16385 50100 0x7b , 0001-0001-0001 {ACDEF}
GE1/0/2 32768 32769 50100 0x7b , 0001-0001-0001 {ACDEF}
GE1/0/3 32768 49153 50100 0x7b , 0001-0001-0001 {ACDEF}

87
Configuring DRNI
About DRNI
Distributed Resilient Network Interconnect (DRNI) virtualizes two physical devices into one system
through multichassis link aggregation.

DRNI network model

As shown in Figure 23, DRNI virtualizes two devices into a distributed-relay (DR) system, which
connects to the remote aggregation system through a multichassis aggregate link. To the remote
aggregation system, the DR system is one device.
Figure 23 DRNI network model

IP network

Device A (DR 1) Device B (DR 2)

IPP IPL IPP

Keepalive link
BAGG1 BAGG2
(DR interface) DR system (DR interface)

BAGG

Device C

The DR member devices are DR peers to each other. For features that require centralized traffic
processing (for example, spanning tree), a DR member device is assigned the primary or secondary
role based on its DR role priority. The secondary DR member device passes the traffic of those
features to the primary DR member device for processing. If the DR member devices in a DR system
have the same DR role priority, the device with the lower bridge MAC address is assigned the
primary role.
DRNI defines the following interface roles for each DR member device:
• DR interface—Layer 2 aggregate interface connected to the remote aggregation system. DR
interfaces connected to the same remote aggregation system belong to one DR group. In
Figure 23, Bridge-Aggregation 1 on Device A and Bridge-Aggregation 2 on Device B belong to
the same DR group. DR interfaces in a DR group form a multichassis aggregate link.

88
 • Intra-portal port (IPP)—Interface connected to the DR peer for internal control. Each DR
member device has only one IPP. The IPPs of the DR member devices transmit DRNI protocol
packets and data packets through the intra-portal link (IPL) established between them. A DR
system has only one IPL.
DR member devices use a keepalive link to monitor each other's state. For more information about
the keepalive mechanism, see "Keepalive and failover mechanism."
If a device is attached to only one of the DR member devices in a DR system, that device is a
single-homed device.

DRCP
DRNI uses IEEE P802.1AX Distributed Relay Control Protocol (DRCP) for multichassis link
aggregation. DRCP runs on the IPL and uses distributed relay control protocol data units (DRCPDUs)
to advertise the DRNI configuration out of IPPs and DR interfaces.
DRCP operating mechanism
DRNI-enabled devices use DRCPDUs for the following purposes:
• Exchange DRCPDUs through DR interfaces to determine whether they can form a DR system.
• Exchange DRCPDUs through IPPs to negotiate the IPL state.
DRCP timeout timers
DRCP uses a timeout mechanism to specify the amount of time that an IPP or DR interface must wait
to receive DRCPDUs before it determines that the peer interface is down. This timeout mechanism
provides the following timer options:
• Short DRCP timeout timer, which is fixed at 3 seconds. If this timer is used, the peer interface
sends one DRCPDU every second.
• Long DRCP timeout timer, which is fixed at 90 seconds. If this timer is used, the peer interface
sends one DRCPDU every 30 seconds.
Short DRCP timeout timer enables the DR member devices to detect a peer interface down event
more quickly than the long DRCP timeout timer. However this benefit is at the expense of bandwidth
and system resources.

Keepalive and failover mechanism

For the secondary DR member device to monitor the state of the primary device, you must establish
a Layer 3 keepalive link between the DR member devices.
The DR member devices periodically send keepalive packets over the keepalive link. If a DR
member device has not received keepalive packets from the peer when the keepalive timeout timer
expires, it determines that the keepalive link is down. When both the keepalive link and the IPL are
down, a DR member device acts depending on its role.
• If its role is primary, the device retains its role as long as it has up DR interfaces. If all its DR
interfaces are down, its role becomes None.
• If its role is secondary, the device takes over the primary role and retains the role as long as it
has up DR interfaces. If all its DR interfaces are down, its role becomes None.
A device with the None role cannot send or receive keepalive packets. Its keepalive link stays in the
down state.
If the keepalive link is down while the IPL is up, the DR member devices prompt you to check for
keepalive link issues.
If the keepalive link is up while the IPL is down, the DR member devices elect a primary device based
on the information in the keepalive packets.

89
MAD mechanism
A multi-active collision occurs if the IPL goes down while the keepalive link is up. To avoid network
issues, DRNI MAD shuts down all network interfaces on the secondary DR member device except
those manually or automatically excluded.
When the IPL comes up, the secondary DR member device starts a delay timer and begins to restore
table entries (including MAC address entries and ARP entries) from the primary DR member device.
When the delay timer expires, the secondary DR member device brings up all network interfaces
placed in DRNI MAD DOWN state.

Device role calculation

The role of a DR member device can be primary, secondary, or none.
DRNI uses the following process to determine the role of each DR member device:
1. Initially, each DR member device is assigned the none role when it joins a DR system or
reboots with DRNI configuration.
2. If the IPL is up, the DR member devices exchange DRCPDUs over the IPL to determine which
of them takes the primary role.
a. Device roles before calculation. If one device already has the primary role, the primary
device retains its role.
b. DRNI MAD DOWN state. If one device has not placed any network interfaces in DRNI MAD
DOWN state, it becomes the primary device.
c. Health state. The healthier device takes the primary role.
The smaller the health state value, the healthier the device is. The health state value is 0 if
the device is running without faults.
d. DR role priority. The device with higher DR role priority takes the primary role.
e. Bridge MAC address. The device with a lower bridge MAC address takes the primary role.
The device that has failed the election takes the secondary role if it has DR interfaces in up
state. If the device does not have DR interfaces in up state, its role is none.
3. If the IPL is down, each DR member device examines the availability of their local DR
interfaces.
 A DR member device changes its role to none if all its local DR interfaces are down.
 A DR member device does not change its role if it has a minimum of one DR interface in up
state.
4. If the keepalive link is up, the DR member devices exchange keepalive packets over the link to
determine their roles.
 If the role of one DR member device is none, the other DR member device retains its
primary role or changes its role from secondary to primary.
 If neither of them has the none role, the DR member devices negotiate their roles as they do
on the IPL.
5. If both the IPL and the keepalive link are down, a DR member device takes the primary role if it
has available DR interfaces.

DRNI MAD DOWN state persistence

Both of the DR member devices might take the primary role if both of them have DR interfaces in up
state after the following series of events occur:

90
 1. The IPL goes down while the keepalive link is up. Then, DRNI MAD shuts down all network
interfaces on the secondary DR member device except those excluded from the shutdown
action by IRF MAD or DRNI MAD.
2. The keepalive link also goes down. Then, the secondary DR member device brings up the
network interfaces in DRNI MAD DOWN state and sets its role to primary.
DRNI MAD DOWN state persistence helps avoid the forwarding issues that might occur in the
multi-active situation that occurs because the keepalive link goes down while the IPL is down.

DR system setup process

As shown in Figure 24, two devices perform the following operations to form a DR system:
1. Send DRCPDUs over the IPL to each other and compare the DRCPDUs to determine the DR
system stackability and device roles:
a. Compare the DR system settings. The devices can form a DR system if they have the same
DR system MAC address and system priority and different DR system numbers.
b. Determine the device roles based on the DR role priority and the bridge MAC address.
c. Perform configuration consistency check. For more information, see "Configuration
consistency check."
2. Send keepalive packets over the keepalive link after primary DR member election to verify that
the peer system is operating correctly.
3. Synchronize configuration data by sending DRCPDUs over the IPL. The configuration data
includes MAC address entries and ARP entries.
Figure 24 DR system setup process

IP network

IPL

Keepalive link
Device A Device B

Compare DR settings

Set up DR system

Assign DR roles

Send keepalive packets

Synchronize data

……

91
DRNI standalone mode
The DR member devices might both operate with the primary role to forward traffic if they have DR
interfaces in up state after the DR system splits. DRNI standalone mode helps avoid traffic
forwarding issues in this multi-active situation by allowing only the member ports in the DR interfaces
on one member device to forward traffic.
The following information describes the operating mechanism of this feature.
The DR member devices change to DRNI standalone mode when they detect that both the IPL and
the keepalive link are down. In addition, the secondary DR member device changes its role to
primary.
In DRNI standalone mode, the LACPDUs sent out of a DR interface by each DR member device
contain the interface-specific LACP system MAC address and LACP system priority.
The Selected state of the member ports in the DR interfaces in a DR group depends on their LACP
system MAC address and LACP system priority. If a DR interface has a lower LACP system priority
value or LACP system MAC address, the member ports in that DR interface become Selected to
forward traffic. If those Selected ports fail, the member ports in the DR interface on the other DR
member device become Selected to forward traffic.

NOTE:
A DR member device changes to DRNI standalone mode only when it detects that both the IPL and
the keepalive link are down. It does not change to DRNI standalone mode when the peer DR
member device reboots.

Configuration consistency check

During DR system setup, DR member devices exchange the configuration and perform configuration
consistency check to verify their consistency in the following configurations:
• Type 1 configuration—Settings that affect traffic forwarding of the DR system. If an
inconsistency in type 1 configuration is detected, the secondary DR member device shuts down
its DR interfaces.
• Type 2 configuration—Settings that affect only service features. If an inconsistency in type 2
configuration is detected, the secondary DR member device disables the affected service
features, but it does not shut down its DR interfaces.
To prevent interface flapping, the DR system performs configuration consistency check when half the
data restoration internal elapses.

NOTE:
The data restoration interval specifies the maximum amount of time for the secondary DR member
device to synchronize data with the primary DR member device during DR system setup. For more
information, see "Setting the data restoration interval."

Type 1 configuration
Type 1 configuration consistency check is performed both globally and on DR interfaces. Table 5 and
Table 6 show settings that type 1 configuration contains.
Table 5 Global type 1 configuration

Setting Details
IPP link type IPP link type, including access, hybrid, and trunk.
PVID on the IPP PVID on the IPP.

92
 Setting Details
• Global spanning tree state.
Spanning tree state • VLAN-specific spanning tree state. DRNI checks the VLAN-specific spanning
tree state only when PVST is enabled.

Spanning tree mode Spanning tree mode, including STP, RSTP, PVST, and MSTP.
• MST region name.
MST region settings • MST region revision level.
• VLAN-to-MSTI mappings.

Table 6 DR interface type 1 configuration

Setting Details
Aggregation mode Aggregation mode, including static and dynamic.
Spanning tree state Interface-specific spanning tree state.
Link type Interface link type, including access, hybrid, and trunk.
PVID Interface PVID.

Type 2 configuration
Type 2 configuration consistency check is performed both globally and on DR interfaces. Table 7 and
Table 8 show settings that type 2 configuration contains.
Table 7 Global type 2 configuration

Setting Details
VLANs permitted by VLANs permitted by the IPP.
the IPP The DR system compares tagged VLANs prior to untagged VLANs.
VLAN interfaces Up VLAN interfaces of which the VLANs contain the IPP.
VLAN interface status Whether a VLAN interface is in administratively down state.
IPv4 address of a
IPv4 address assigned to a VLAN interface.
VLAN interface
IPv6 address of a
IPv6 address assigned to a VLAN interface.
VLAN interface
Virtual IPv4 address of
the VRRP group on a Virtual IPv4 address of the VRRP group configured on a VLAN interface.
VLAN interface
Global BPDU guard Global status of BPDU guard.
MAC aging timer Aging timer for dynamic MAC address entries.
VSI name Name of a VSI that has ACs on a DR interface.
VXLAN ID VXLAN ID of a VSI.
Gateway interface VSI interface associated with a VSI.
VSI interface number Number of a VSI interface.
MAC address of a VSI
MAC address assigned to a VSI interface.
interface

IPv4 address of a VSI

IPv4 address assigned to a VSI interface.
interface

93
 Setting Details
IPv6 address of a VSI
IPv6 address assigned to a VSI interface.
interface
Physical state of a VSI
Physical link state of a VSI interface.
interface
Protocol state of a VSI
Data link layer state of a VSI interface.
interface

The device displays the following global type 2 settings only when VLAN or VLAN interface
configuration inconsistency exists:
• VLAN interface status.
• IPv4 address of a VLAN interface.
• IPv6 address of a VLAN interface.
• Virtual IPv4 address of the VRRP group on a VLAN interface.
Table 8 DR interface type 2 configuration

Setting Details
VLANs permitted by a VLANs permitted by a DR interface.
DR interface The DR system compares tagged VLANs prior to untagged VLANs.
Using port speed as
the prioritized criterion Whether a DR interface uses port speed as the prioritized criterion for reference
for reference port port selection.
selection
Ignoring port speed in
Whether a DR interface ignores port speed in setting the aggregation states of
setting the aggregation
member ports.
states of member ports
Root guard status Status of root guard.

DRNI sequence number check

DRNI sequence number check protects DR member devices from replay attacks.
With this feature enabled, the DR member devices insert a sequence number into each outgoing
DRCPDU or keepalive packet and the sequence number increases by 1 for each sent packet. When
receiving a DRCPDU or keepalive packet, the DR member devices check its sequence number and
drop the packet if the check result is either of the following:
• The sequence number of the packet is the same as that of a previously received packet.
• The sequence number of the packet is smaller than that of the most recently received packet.

DRNI packet authentication

DRNI packet authentication prevents DRCPDU and keepalive packet tampering from causing link
flapping.
With this feature enabled, the DR member devices compute a message digest by using an
authentication key for each outgoing DRCPDU or keepalive packet and insert the message digest
into the packet. When receiving a DRCPDU or keepalive packet, a DR member device computes a
message digest and compares it with the message digest in the packet. If the message digests
match, the packet passes authentication. If the message digests do not match, the device drops the
packet.

94
DRNI failure handling mechanisms
DR interface failure handling mechanism
When the DR interface of one DR member device fails, the DR system forwards traffic through the
other DR member device.
As shown in Figure 25, Device A and Device B form a DR system, to which Device C is attached
through a multichassis aggregation. If traffic to Device C arrives at Device B after the DR interface
connected Device B to Device C has failed, the DR system forwards the traffic as follows:
1. Device B sends the traffic to Device A over the IPL.
2. Device A forwards the downlink traffic received from the IPL to Device C.
After the faulty DR interface comes up, Device B forwards traffic to Device C through the DR
interface.
Figure 25 DR interface failure handling mechanism
DR system
Device A

Primary

Faulty interface

IPL IP network Uplink traffic

Downlink traffic
Device C
Forwarding path
Secondary after failure

Device B

IPL failure handling mechanism

As shown in Figure 26, multi-active collision occurs if the IPL goes down while the keepalive link is up.
To avoid network issues, the secondary DR device sets all network interfaces to DRNI MAD DOWN
state, except for the interfaces excluded from the shutdown action by DRNI MAD.
In this situation, the primary DR member device forwards all traffic for the DR system.
When the IPP comes up, the secondary DR member device does not bring up the network interfaces
immediately. Instead, it starts a delay timer and begins to recover data from the primary DR member
device. When the delay timer expires, the secondary DR member device brings up all network
interfaces.
Figure 26 IPL failure handling mechanism
DR system
Device A

Primary
Faulty link

Uplink traffic
IPL IP network
Downlink traffic
Device C
Interface in DRNI
MAD DOWN state
Secondary

Device B

95
Device failure handling mechanism
As shown in Figure 27, when the primary DR member device fails, the secondary DR member device
takes over the primary role to forward all traffic for the DR system. When the faulty device recovers,
it becomes the secondary DR member device.
When the secondary DR member device fails, the primary DR member device forwards all traffic for
the DR system.
Figure 27 Device failure handling mechanism
DR system
Device A

Primary

Faulty device

IPL IP network Uplink traffic

Downlink traffic
Device C

Secondary

Device B

Uplink failure handling mechanism

Uplink failure does not interrupt traffic forwarding of the DR system. As shown in Figure 28, when the
uplink of Device A fails, Device A passes traffic destined for the IP network to Device B for
forwarding.
To enable faster traffic switchover in response to an uplink failure and minimize traffic losses,
configure Monitor Link to associate the DR interfaces with the uplink interfaces. When the uplink
interface of a DR member device fails, that device shuts down its DR interface for the other DR
member device to forward all traffic of Device C. For more information about Monitor Link, see High
Availability Configuration Guide.
Figure 28 Uplink failure handling mechanism
DR system
Device A

Primary

Faulty link

IPL IP network Uplink traffic

Downlink traffic
Device C

Secondary

Device B

Mechanisms to handle concurrent IPL and keepalive link

failures
When both the IPL and the keepalive link are down, the DR member devices handle this situation
depending on your configuration.

96
Default failure handling mechanism
Figure 29 shows the default mechanism to handle IPL and keepalive link failures when the DRNI
standalone mode and DRNI MAD DOWN state persistency features are not configured.
• If the IPL goes down while the keepalive link is up, the DR member devices negotiate their roles
over the keepalive link. DRNI MAD shuts down all network interfaces on the secondary DR
member device except those excluded from the shutdown action by IRF MAD or DRNI MAD.
• If the keepalive link goes down while the IPL is down, the secondary DR member device sets its
role to primary and brings up the network interfaces in DRNI MAD DOWN state to forward traffic.
In this situation, both of the DR member devices might operate with the primary role to forward
traffic. Forwarding errors might occur because the DR member devices cannot synchronize
MAC address entries over the IPL.
• If the keepalive link is down before the IPL goes down, DRNI MAD will not place network
interfaces in DRNI MAD DOWN state. Both DR member devices can operate with the primary
role to forward traffic.
Figure 29 Default failure handling mechanism
DR system
Device A

Primary
Faulty link
Keepalive

Uplink traffic
Network
Downlink traffic
IPL

Device C

Secondary

Device B

Failure handling mechanism with DRNI MAD DOWN state persistence

Figure 30 shows the mechanism to handle IPL and keepalive link failures when the DRNI MAD
DOWN state persistence feature is configured.
• If the IPL goes down while the keepalive link is up, the DR member devices negotiate their roles
over the keepalive link. DRNI MAD shuts down all network interfaces on the secondary DR
member device except those excluded from the shutdown action by IRF MAD or DRNI MAD.
• If the keepalive link goes down while the IPL is down, the secondary DR member device sets its
role to primary, but it does not bring up the network interfaces in DRNI MAD DOWN state. Only
the original primary member device can forward traffic.
• If the keepalive link is down before the IPL goes down, DRNI MAD will not place network
interfaces in DRNI MAD DOWN state. Both DR member devices can operate with the primary
role to forward traffic.

97
 Figure 30 Failure handling mechanism with DRNI MAD DOWN state persistence
DR system
Device A

Primary
Faulty link

Keepalive
Uplink traffic
Network
Downlink traffic

IPL
Device C
Interface in DRNI
MAD DOWN state
Secondary

Device B

As shown in Figure 31, you can bring up the interfaces in DRNI MAD DOWN state on the secondary
DR member device for it to forward traffic if the following conditions exist:
• Both the IPL and the keepalive link are down.
• The primary DR member device fails or its DR interface fails.
Figure 31 Bringing up the interfaces in DRNI MAD DOWN state
DR system
Device A

Primary
Faulty interface, link,
or device
Keepalive

Uplink traffic
Network
Downlink traffic
IPL

Device C Interface in DRNI

MAD DOWN state
Secondary

Device B

Failure handling mechanism with DRNI standalone mode

Figure 32 shows the mechanism to handle IPL and keepalive link failures when the DRNI standalone
mode feature is configured.
• If the IPL goes down while the keepalive link is up, the DR member devices negotiate their roles
over the keepalive link. DRNI MAD shuts down all network interfaces on the secondary DR
member device except those excluded from the shutdown action by IRF MAD or DRNI MAD.
• If the keepalive link goes down while the IPL is down, both DR member devices change to DRNI
standalone mode. The secondary DR member device sets its role to primary and brings up its
network interfaces in DRNI MAD DOWN state. In DRNI standalone mode, only the aggregation
member ports on one DR member device can become Selected to forward traffic. For more
information about how DRNI standalone mode operates, see "DRNI standalone mode."
• If the keepalive link is down before the IPL goes down, both DR member devices change to
DRNI standalone mode.

98
 Figure 32 Failure handling mechanism with DRNI standalone mode
DR system
Device A

Primary
Faulty interface, link,
or device

Keepalive
Uplink traffic
Network
Downlink traffic

IPL
Device C Interface in DRNI
MAD DOWN state
Secondary

Device B

Protocols and standards

™
IEEE P802.1AX-REV /D4.4c, Draft Standard for Local and Metropolitan Area Networks

Restrictions and guidelines: DRNI configuration

Software version requirements
The DR member devices in a DR system must use the same software version.

DRNI configuration
For the DR member devices to be identified as one DR system, you must configure the same DR
system MAC address and DR system priority on them. You must assign different DR system
numbers to the DR member devices.
Do not configure the same LACP system MAC address for the DR interfaces in the same DR group.
As a best practice to reduce the impact of interface flapping on upper-layer services, use the
link-delay command to configure the same link delay settings on the IPPs.
To prevent data synchronization failure, you must set the same maximum jumbo frame length on the
IPPs of the DR member devices.
For the DR system to correctly forward traffic for single-homed devices, set the link type to trunk for
the IPPs and the interfaces attached to the single-homed devices. If you fail to do so, the ND protocol
packets sent to or from the single-homed devices cannot be forwarded over the IPL.
To ensure correct forwarding, delete DRNI configuration from a DR member device if it leaves its DR
system.

Compatibility with other features

For correct traffic forwarding, make sure the DR member devices are consistent in service feature
settings.

Feature Restrictions and guidelines

DRNI cannot work correctly on an IRF fabric. Do not configure DRNI on an
IRF IRF fabric. For more information about IRF, see Virtual Technologies
Configuration Guide.

99
Feature Restrictions and guidelines
If the DR system has a large number of MAC address entries, set the MAC
aging timer to a higher value than 20 minutes as a best practice. To set the
MAC aging timer, use the mac-address timer command.
MAC address table
The MAC address learning feature is not configurable on the IPP.
For more information about the MAC address table, see "Configuring the
MAC address table."
Do not configure automatic link aggregation on a DR system.
The aggregate interfaces in an S-MLAG group cannot be used as DR
interfaces or IPPs.
When you configure a DR interface, follow these restrictions and
guidelines:
• The link-aggregation selected-port maximum and
link-aggregation selected-port minimum
commands do not take effect on a DR interface.
Ethernet link aggregation
• If you execute the display link-aggregation verbose
command for a DR interface, the displayed system ID contains the DR
system MAC address and the DR system priority.
• If the reference port is a member port of a DR interface, the
display link-aggregation verbose command displays
the reference port on both DR member devices.
For more information about Ethernet link aggregation, see "Configuring
Ethernet link aggregation."
Do not assign DR interfaces or IPPs to a port isolation group. For more
Port isolation
information about port isolation, see "Configuring port isolation."
Member devices in a DR system must have the same loop detection
Loop detection configuration. For information about loop detection, see "Configuring loop
detection."
When the spanning tree protocol is enabled for a DR system, follow these
restrictions and guidelines:
• Make sure the DR member devices have the same spanning tree
configuration. Violation of this rule might cause network flapping. The
configuration includes:
 Global spanning tree configuration.
 Spanning tree configuration on the IPP.
Spanning tree  Spanning tree configuration on DR interfaces.
• IPPs of the DR system do not participate in spanning tree calculation.
• The DR member devices still use the DR system MAC address after
the DR system splits, which will cause spanning tree calculation
issues. To avoid the issues, enable DRNI standalone mode on the DR
member devices before the DR system splits.
For more information about spanning tree, see "Configuring spanning
tree."
Do not use the MAC address of a remote MEP for CFD tests on IPPs.
CFD These tests cannot work on IPPs. For more information about CFD, see
High Availability Configuration Guide.

If you use DRNI and VRRP together, make sure the keepalive hold timer is
shorter than the interval at which the VRRP master sends VRRP
advertisements. Violation of this restriction might cause a VRRP
master/backup switchover to occur before IPL failure is confirmed. To set
VRRP the interval at which the VRRP master sends VRRP advertisements, use
the vrrp vrid timer advertise or vrrp ipv6 vrid timer
advertise command. For more information about the commands, see
High Availability Command Reference.

100
 Feature Restrictions and guidelines
If you use port mirroring together with DRNI, assign the source port,
destination port, egress port, and reflector port for a mirroring group to the
Mirroring same aggregation group. If the source port is in a different aggregation
group than the other ports, mirrored LACPDUs will be transmitted between
aggregation groups and cause aggregate interface flapping.
For information about VXLAN and EVPN restrictions, see VXLAN
VXLAN and EVPN Configuration Guide and EVPN VXLAN configuration in EVPN
Configuration Guide.

DRNI tasks at a glance

To configure DRNI, perform the following tasks:
1. Configuring DR system settings
 Configuring the DR system MAC address
 Setting the DR system number
 Setting the DR system priority
2. Setting the DR role priority of the device
3. (Optional.) Enabling DRNI standalone mode on a DR member device
4. Configuring DR keepalive settings
 Configuring DR keepalive packet parameters
 Setting the DR keepalive interval and timeout timer
5. Configuring DRNI MAD
 Configuring the default DRNI MAD action on network interfaces
 Excluding an interface from the shutdown action by DRNI MAD
 Excluding all logical interfaces from the shutdown action by DRNI MAD
 Specifying interfaces to be shut down by DRNI MAD when the DR system splits
 Enabling DRNI MAD DOWN state persistence
6. Configuring a DR interface
7. Specifying a Layer 2 aggregate interface or VXLAN tunnel interface as the IPP
8. (Optional.) Enabling the IPP to retain MAC address entries for down single-homed devices
9. (Optional.) Configuring configuration consistency check
 Setting the mode of configuration consistency check
 (Optional.) Disabling configuration consistency check
Configuration consistency check might fail when you upgrade the DR member devices in a
DR system. To prevent the DR system from falsely shutting down DR interfaces,
temporarily disable configuration consistency check.
10. (Optional.) Enabling the short DRCP timeout timer on the IPP or a DR interface
11. Configuring DRNI timers
 (Optional.) Setting the keepalive hold timer for identifying the cause of IPL down events
 Configuring DR system auto-recovery
 (Optional.) Setting the data restoration interval
12. (Optional.) Configuring DRNI security features
 Enabling DRNI sequence number check
 Enabling DRNI packet authentication

101
Configuring DR system settings
Configuring the DR system MAC address
Restrictions and guidelines
On a DR system, DR interfaces in the same DR group must use the same LACP system MAC
address. As a best practice, use the bridge MAC address of one DR member device as the DR
system MAC address.
Changing the DR system MAC address causes DR system split. When you perform this task on a
live network, make sure you are fully aware of its impact.
You can configure the DR system MAC address on an aggregate interface only after it is configured
as a DR interface.
You can configure the DR system MAC address globally and in aggregate interface view. The global
DR system MAC address takes effect on all aggregation groups. On an aggregate interface, the
interface-specific DR system MAC address takes precedence over the global DR system MAC
address.
Procedure
1. Enter system view.
system-view
2. Configure the DR system MAC address.
drni system-mac mac-address
By default, the DR system MAC address is not configured.
3. Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
4. Set the DR system MAC address on the aggregate interface.
port drni system-mac mac-address
By default, the DR system MAC address is not configured.

Setting the DR system number

Restrictions and guidelines
Changing the DR system number causes DR system split. When you perform this task on a live
network, make sure you are fully aware of its impact.
You must assign different DR system numbers to the DR member devices in a DR system.
Procedure
1. Enter system view.
system-view
2. Set the DR system number.
drni system-number system-number
By default, the DR system number is not set.

102
Setting the DR system priority
About this task
A DR system uses its DR system priority as the system LACP priority to communicate with the
remote aggregation system.
Restrictions and guidelines
Changing the DR system priority in system view causes DR system split. When you perform this task
on a live network, make sure you are fully aware of its impact.
You must configure the same DR system priority for the DR interfaces in the same DR group.
You can configure the DR system priority on an aggregate interface only after it is configured as a DR
interface.
You can configure the DR system priority globally and in aggregate interface view. The global DR
system priority takes effect on all aggregation groups. On an aggregate interface, the
interface-specific DR system priority takes precedence over the global DR system priority.
Procedure
1. Enter system view.
system-view
2. Set the DR system priority.
drni system-priority system-priority
By default, the DR system priority is 32768.
3. Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
4. Set the DR system priority on the aggregate interface.
port drni system-priority priority
By default, the DR system priority is 32768.

Setting the DR role priority of the device

About this task
DRNI assigns the primary or secondary role to a DR member device based on its DR role priority.
The smaller the priority value, the higher the priority. If the DR member devices in a DR system use
the same DR role priority, the device with the lower bridge MAC address is assigned the primary role.
Restrictions and guidelines
To prevent a primary/secondary role switchover from causing network flapping, avoid changing the
DR priority assignment after the DR system is established.
Procedure
1. Enter system view.
system-view
2. Set the DR role priority of the device.
drni role priority priority-value
By default, the DR role priority of the device is 32768.

103
Enabling DRNI standalone mode on a DR
member device
About this task
Perform this task to avoid forwarding issues in the multi-active situation that might occur after both
the IPL and the keepalive link are down.
DRNI standalone mode helps avoid traffic forwarding issues in this multi-active situation by allowing
only the member ports in the DR interfaces on one member device to forward traffic. For more
information about this mode, see "DRNI standalone mode."
When you configure this feature, you can configure a delay to prevent an unnecessary mode change
because of transient link down issues.
Restrictions and guidelines
As a best practice, enable DRNI standalone mode on both DR member devices.
Before you enable DRNI standalone mode on a DR member device, make sure its LACP system
priority is higher than that of the remote aggregation system. This restriction ensures that the
reference port is on the remote aggregation system and prevents the interfaces attached to the DR
system from flapping.
Procedure
1. Enter system view.
system-view
2. Enable DRNI standalone mode.
drni standalone enable [ delay delay-time ]
By default, DRNI standalone mode is disabled.

Configuring DR keepalive settings

Restrictions and guidelines for configuring DR keepalive
settings
Use Layer 3 Ethernet interfaces or management Ethernet interfaces to set up the keepalive link.
Make sure the two ends use the same keepalive settings. DR member devices check the peer
keepalive settings for consistency. If an inconsistency is found, the device will prompt for
configuration revision.

Configuring DR keepalive packet parameters

About this task
Perform this task to specify the parameters for sending DR keepalive packets, such as its source and
destination IP addresses.
The device accepts only keepalive packets that are sourced from the specified destination IP
address. The keepalive link goes down if the device receives keepalive packets sourced from any
other IP address.
Restrictions and guidelines
Make sure the DR member devices in a DR system use the same keepalive destination UDP port.

104
Procedure
1. Enter system view.
system-view
2. Configure DR keepalive packet parameters.
drni keepalive { ip | ipv6 } destination { ipv4-address | ipv6-address }
[ source { ipv4-address | ipv6-address } | udp-port udp-number |
vpn-instance vpn-instance-name ] *
By default, the DR keepalive packet parameters are not configured. If you do not specify a
source IP address or destination UDP port when you execute this command, the IP address of
the outgoing interface and UDP port 6400 are used, respectively.

Setting the DR keepalive interval and timeout timer

About this task
The device sends keepalive packets at the specified interval to its DR peer. If the device has not
received a keepalive packet from the DR peer before the keepalive timeout timer expires, the device
determines that the keepalive link is down.
Restrictions and guidelines
The local DR keepalive timeout timer must be two times the DR keepalive interval of the peer at
minimum.
Configure the same DR keepalive interval on the DR member devices in the DR system.
Procedure
1. Enter system view.
system-view
2. Set the DR keepalive interval and timeout timer.
drni keepalive interval interval [ timeout timeout ]
By default, the DR keepalive interval is 1000 milliseconds, and the DR keepalive timeout timer
is 5 seconds.

Configuring DRNI MAD

About this task
DRNI MAD configuration methods
When you configure DRNI MAD, use either of the following methods:
• To shut down all network interfaces on the secondary DR member device except a few
special-purpose interfaces that must be retained in up state:
 Set the default DRNI MAD action to DRNI MAD DOWN. For more information, see
"Configuring the default DRNI MAD action on network interfaces."
 Exclude interfaces from being shut down by DRNI MAD. For more information, see
"Excluding an interface from the shutdown action by DRNI MAD."
This method is applicable to most network environments.
• To have the secondary DR member device retain a large number of interfaces in up state and
shut down the remaining interfaces:
 Set the default DRNI MAD action to NONE. For more information, see "Configuring the
default DRNI MAD action on network interfaces."

105
  Specify network interfaces that must be shut down by DRNI MAD. For more information,
see "Specifying interfaces to be shut down by DRNI MAD when the DR system splits."
One applicable scenario of this method is the EVPN environment in which you use a VXLAN
tunnel as the IPL. In this scenario, you must retain a large number of logical interfaces (for
example, tunnel and loopback interfaces) in up state.
List of automatically included interfaces
DRNI MAD will always shut down the ports in the system-configured included port list if the device
acts as the secondary DR member device when the DR system splits.
This list contains aggregation member ports of DR interfaces. To identify system-configured included
ports, execute the display drni mad verbose command.
List of automatically excluded interfaces
DRNI MAD will not shut down the ports in the following list when the DR system splits:
• System-configured excluded port list in DRNI MAD:
 IPP.
 Aggregation member interfaces if a Layer 2 aggregate interface is used as the IPP.
 DR interfaces.
 Management interfaces.
To identify these interfaces, execute the display drni mad verbose command.
• Interfaces manually or automatically excluded from being shut down by IRF MAD. To identify
these interfaces, execute the display mad verbose command.
• Network interfaces used for special purposes, including:
 Interfaces placed in a loopback test by using the loopback command.
 Interfaces in a mirroring group.
 Interfaces forced to stay up by using the port-up mode command.

Configuring the default DRNI MAD action on network

interfaces
About this task
You can configure DRNI MAD to take either of the following default actions on network interfaces if
the device acts as the secondary DR member device when the DR system splits:
• DRNI MAD DOWN—DRNI MAD will shut down all network interfaces on the secondary DR
member device when the DR system splits, except the interfaces excluded manually or by the
system.
• NONE—DRNI MAD will not shut down any network interfaces when the DR system splits,
except the interfaces configured manually or by the system to be shut down by DRNI MAD.
Restrictions and guidelines
The DRNI MAD DOWN action will not take effect on the interfaces listed in "List of automatically
excluded interfaces."
The DRNI MAD DOWN action will always take on the interfaces listed in "List of automatically
included interfaces," even if the default DRNI MAD action is NONE.
Procedure
1. Enter system view.
system-view

106
 2. Configure the default DRNI MAD action to take on network interfaces on the secondary DR
member device when the DR system splits.
drni mad default-action { down | none }
By default, DRNI MAD shuts down network interfaces on the secondary DR member device.

Excluding an interface from the shutdown action by DRNI

MAD
About this task
By default, DRNI MAD automatically excludes the interfaces listed in "List of automatically excluded
interfaces" when it shuts down network interfaces on the secondary DR member device.
To specify additional interfaces that cannot be shut down, perform this task.
You typically perform this task when the default DRNI MAD action is set to DRNI MAD DOWN.
Restrictions and guidelines
You must always exclude the following interfaces from being shut down by DRNI MAD:
• For correct keepalive detection, you must exclude the interfaces used for keepalive detection.
• If the IPP is a tunnel interface, you must exclude the traffic outgoing interface for the tunnel.
• For DR member devices to synchronize ARP entries, you must exclude the VLAN interfaces of
the VLANs to which the DR interfaces and IPPs belong.
The DRNI MAD DOWN action is always taken on interfaces listed in "List of automatically included
interfaces." You cannot disable the action by excluding those interfaces.
To view interfaces excluded from the MAD shutdown action, see the Excluded ports
(user-configured) field in the output from the display drni mad verbose command.
If you exclude an interface that is already in DRNI MAD DOWN state from the MAD shutdown action,
the interface stays in that state. It will not come up automatically.
Procedure
1. Enter system view.
system-view
2. Exclude an interface from the shutdown action by DRNI MAD.
drni mad exclude interface interface-type interface-number
By default, DRNI MAD shuts down all network interfaces when detecting a multi-active collision,
except for the network interfaces set by the system to not shut down.

Excluding all logical interfaces from the shutdown action by

DRNI MAD
About this task
When a VXLAN tunnel is used as the IPL on an EVPN DR system, you must retain a large number of
logical interfaces (for example, tunnel and loopback interfaces) in up state. To simplify configuration,
you can exclude all logical interfaces from the shutdown action by DRNI MAD.
Restrictions and guidelines
The drni mad exclude interface and drni mad include interface commands take
precedence over the drni mad exclude logical-interfaces command.

107
Procedure
1. Enter system view.
system-view
2. Exclude all logical interfaces from the shutdown action by DRNI MAD.
drni mad exclude logical-interfaces
By default, DRNI MAD shuts down all network interfaces when it detects a multi-active collision,
except for the network interfaces set by the system to not shut down.

Specifying interfaces to be shut down by DRNI MAD when

the DR system splits
About this task
By default, DRNI MAD automatically shuts down the interfaces listed in "List of automatically
included interfaces" if the device is the secondary DR member device when the DR system splits.
To specify additional interfaces to be shut down by DRNI MAD, perform this task.
You typically perform this task when the default DRNI MAD action is set to NONE.
Restrictions and guidelines
The DRNI MAD DOWN action will not take effect on the interfaces listed in "List of automatically
excluded interfaces."
Procedure
1. Enter system view.
system-view
2. Specify interfaces to be shut down by DRNI MAD when the DR system splits.
drni mad include interface interface-type interface-number
By default, the user-configured included port list does not contain any ports.

Enabling DRNI MAD DOWN state persistence

About this task
DRNI MAD DOWN state persistency helps avoid the multi-active situation by preventing the
secondary DR member device from bringing up the network interfaces in DRNI MAD DOWN state.
For more information about this feature, see "DRNI MAD DOWN state persistence" and "Failure
handling mechanism with DRNI MAD DOWN state persistence."
You can bring up the interfaces in DRNI MAD DOWN state on the secondary DR member device for
it to forward traffic if the following conditions exist:
• The primary DR member device fails while the IPL is down.
• The DRNI MAD DOWN state persists on the secondary DR member device.
Procedure
1. Enter system view.
system-view
2. Enable DRNI MAD DOWN state persistence.
drni mad persistent
By default, the secondary DR member device brings up interfaces in DRNI MAD DOWN state
when its role changes to primary.

108
 3. (Optional.) Bring up the interfaces in DRNI MAD DOWN state.
drni mad restore

Configuring a DR interface
Restrictions and guidelines
The device can have multiple DR interfaces. However, you can assign a Layer 2 aggregate interface
to only one DR group.
A Layer 2 aggregate interface cannot operate as both IPP and DR interface.
To improve forwarding efficiency, exclude the DR interface on the secondary DR member device
from the shutdown action by DRNI MAD. This action enables the DR interface to forward traffic
immediately after a multi-active collision is removed without having to wait for the secondary DR
member device to complete entry restoration.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Assign the aggregate interface to a DR group.
port drni group group-id

Specifying a Layer 2 aggregate interface or

VXLAN tunnel interface as the IPP
Restrictions and guidelines
A Layer 2 aggregate interface or VXLAN tunnel interface cannot operate as both IPP and DR
interface. Make sure the bandwidth of the IPP is higher than that of a DR interface.
Do not associate a VXLAN tunnel interface with a VXLAN if you use it as the IPP. You can use a
VXLAN tunnel interface as an IPP only in an EVPN network. For more information about EVPN, see
EVPN Configuration Guide.
A DR member device can have only one IPP.
As a best practice to reduce the impact of interface flapping on upper-layer services, execute the
link-delay command on the IPP. For more information about this command, see Ethernet link
aggregation commands in Layer 2—LAN Switching Command Reference.
By default, MAC address learning is enabled on the IPP. This feature is not configurable on the IPP.
For more information about the MAC address learning feature, see "Configuring the MAC address
table."
To prevent data synchronization failure, you must set the same maximum jumbo frame length on the
IPPs of the DR member devices. For more information about jumbo frames, see "Configuring
Ethernet link aggregation."
Do not use the MAC address of a remote MEP for CFD tests on IPPs. These tests cannot work on
IPPs. For more information about CFD, see High Availability Configuration Guide.
Procedure
1. Enter system view.
system-view

109
 2. Enter interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter VXLAN tunnel interface view.
interface tunnel number
3. Specify the interface as the IPP.
port drni intra-portal-port port-id
4. For DRNI to operate correctly, disable the static source check feature for the MAC address
table.
quit
undo mac-address static source-check enable
By default, static source check is enabled.
For more information about the mac-address static source-check enable command,
see "Configuring the MAC address table."

Enabling the IPP to retain MAC address entries

for down single-homed devices
About this task
When a DR member device detects that the link to a single-homed device goes down, the IPP takes
the following actions:
• Deletes the MAC address entries for the single-homed device.
• Sends a message to the peer IPP for it to delete the affected MAC address entries.
If the link to a single-homed device flaps constantly, the IPP repeatedly deletes and adds MAC
address entries for the device. This situation increases floods of unicast traffic destined for the
single-homed device.
To reduce flood traffic, enable the IPP to retain MAC address entries for single-homed devices. After
the links to single-homed devices go down, the affected MAC address entries age out on expiration
of the MAC aging timer instead of being deleted immediately. The timer is set by using the
mac-address timer command. For more information about this command, see MAC address
table commands in Layer 2—LAN Switching Command Reference.
Procedure
1. Enter system view.
system-view
2. Enable the IPP to retain MAC address entries for single-homed devices.
drni ipp mac-address hold
By default, the IPP does not retain MAC address entries for single-homed devices when the
devices go down.

110
Setting the mode of configuration consistency
check
About this task
The device handles configuration inconsistency depending on the mode of configuration consistency
check.
• For type 1 configuration inconsistency:
 The device generates log messages if loose mode is enabled.
 The device shuts down DR interfaces and generates log messages if strict mode is enabled.
• For type 2 configuration inconsistency, the device only generates log messages, whether strict
or loose mode is enabled.
Procedure
1. Enter system view.
system-view
2. Set the mode of configuration consistency check.
drni consistency-check mode { loose | strict }
By default, configuration consistency check uses strict mode.

Disabling configuration consistency check

About this task
To ensure that the DR system can operate correctly, DRNI by default performs configuration
consistency check when the DR system is set up.
Configuration consistency check might fail when you upgrade the DR member devices in a DR
system. To prevent the DR system from falsely shutting down DR interfaces, you can temporarily
disable configuration consistency check.
Restrictions and guidelines
Make sure the DR member devices use the same setting for configuration consistency check.
Procedure
1. Enter system view.
system-view
2. Disable configuration consistency check.
drni consistency-check disable
By default, configuration consistency check is enabled.

Enabling the short DRCP timeout timer on the IPP

or a DR interface
About this task
By default, the IPP or a DR interface uses the 90-second long DRCP timeout timer. To detect peer
interface down events more quickly, enable the 3-second short DRCP timeout timer on the interface.

111
Restrictions and guidelines
To avoid traffic interruption during an ISSU or DRNI process restart, disable the short DRCP timeout
timer before you perform an ISSU or DRNI process restart. For more information about ISSU, see
Fundamentals Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
 Enter VXLAN tunnel interface view.
interface tunnel number
3. Enable the short DRCP timeout timer.
drni drcp period short
By default, an interface uses the long DRCP timeout timer (90 seconds).

Setting the keepalive hold timer for identifying the

cause of IPL down events
About this task
The keepalive hold timer starts when the IPL goes down. The keepalive hold timer specifies the
amount of time that the device uses to identify the cause of an IPL down event.
• If the device receives keepalive packets from the DR peer before the timer expires, the IPL is
down because the IPL fails.
• If the device does not receive keepalive packets from the DR peer before the timer expires, the
IPL is down because the peer DR member device fails.
Procedure
1. Enter system view.
system-view
2. Set the keepalive hold timer.
drni keepalive hold-time value
By default, the keepalive hold timer is 3 seconds.

Configuring DR system auto-recovery

About this task
If only one DR member device recovers after the entire DR system reboots, auto-recovery enables
that member device to remove its DR interfaces from the DRNI DOWN interface list.
• If that member device has up DR interfaces, it takes over the primary role when the reload delay
timer expires and forwards traffic.
• If that member device does not have up DR interfaces, it is stuck in the None role and does not
forward traffic.
If auto-recovery is disabled, that DR member device will be stuck in the None role with all its DR
interfaces being DRNI DOWN after it recovers.

112
Restrictions and guidelines
If both DR member devices recover and have up DR interfaces after the entire DR system reboots,
active-active situation might occur if both the IPL and the keepalive link were down when the reload
delay timer expires. If this rare situation occurs, examine the IPL and the keepalive link and restore
them.
To avoid incorrect role preemption, make sure the reload delay timer is longer than the amount of
time required for the device to restart.
Procedure
1. Enter system view.
system-view
2. Configure DR system auto-recovery.
drni auto-recovery reload-delay delay-value
By default, DR system auto-recovery is not configured. The reload delay timer is not set.

Setting the data restoration interval

About this task
The data restoration interval specifies the maximum amount of time for the secondary DR member
device to synchronize data with the primary DR member device during DR system setup. Within the
data restoration interval, the secondary DR member device sets all network interfaces to DRNI MAD
DOWN state, except for the following interfaces:
• Interfaces excluded from the shutdown action by IRF MAD.
• Interfaces excluded from the shutdown action by DRNI MAD.
When the data restoration interval expires, the secondary DR member device brings up all network
interfaces.
Restrictions and guidelines
Increase the data restoration interval as needed for the following purposes:
• Avoid packet loss and forwarding failure that might occur when the amount of data is large or
when you perform an ISSU between the DR member devices.
• Avoid DR interface flapping that might occur if type 1 configuration consistency check fails after
the DR interfaces come up upon expiration of the data restoration interval.
Procedure
1. Enter system view.
system-view
2. Set the data restoration interval.
drni restore-delay value
By default, the data restoration interval is 30 seconds.

Enabling DRNI sequence number check

Restrictions and guidelines
As a best practice to improve security, use DRNI sequence number check together with DRNI packet
authentication.

113
 After one DR member device reboots, the other DR member device might receive and accept the
packets that were intercepted by an attacker before the reboot. As a best practice, change the
authentication key after a DR member device reboots.
Procedure
1. Enter system view.
system-view
2. Enable DRNI sequence number check.
drni sequence enable
By default, DRNI sequence number check is disabled.

Enabling DRNI packet authentication

Restrictions and guidelines
For successful authentication, configure the same authentication key for the DR member devices.
Procedure
1. Enter system view.
system-view
2. Enable DRNI packet authentication and configure an authentication key.
drni authentication key { simple | cipher } string
By default, DRNI packet authentication is disabled.

Displaying and maintaining DRNI

Execute display commands in any view and reset commands in user view.

Task Command
Display information about the display drni consistency { type1 | type2 }
configuration consistency check done { global | interface interface-type
by DRNI. interface-number }
display drni drcp statistics [ interface
Display DRCPDU statistics.
interface-type interface-number ]
Display DR keepalive packet statistics. display drni keepalive
Display detailed DRNI MAD
display drni mad verbose
information.

Display DR role information. display drni role

Display brief information about the IPP
display drni summary
and DR interfaces.

Display the DR system settings. display drni system

Display detailed information about the display drni verbose [ interface
IPP and DR interfaces. bridge-aggregation interface-number ]
Display DRNI troubleshooting display drni troubleshooting [ dr | ipp |
information. keepalive ] [ history ] [ count ]

114
 Task Command
reset drni drcp statistics [ interface
Clear DRCPDU statistics.
interface-list ]
Clear DRNI troubleshooting records. reset drni troubleshooting history

DRNI configuration examples

Example: Configuring basic DRNI functions
Network configuration
As shown in Figure 33, configure DRNI on Device A and Device B to establish a multichassis
aggregate link with Device C.
Figure 33 Network diagram
Device C

GE1/0/1 GE1/0/2
GE1/0/3
GE1/0/4

BAGG

GE1/0/3 GE1/0/3
GE1/0/4 GE1/0/4
IPL
GE1/0/1, GE1/0/2 GE1/0/1, GE1/0/2
DR 1 DR 2
GE1/0/5 Keepalive GE1/0/5
Device A Device B
DR system

Procedure

1. Configure Device A:
# Configure DR system settings.
<DeviceA> system-view
[DeviceA] drni system-mac 1-1-1
[DeviceA] drni system-number 1
[DeviceA] drni system-priority 123
# Configure DR keepalive packet parameters.
[DeviceA] drni keepalive ip destination 1.1.1.1 source 1.1.1.2
# Set the link mode of GigabitEthernet 1/0/5 to Layer 3, and assign the interface an IP address.
The IP address will be used as the source IP address of keepalive packets.
[DeviceA] interface gigabitethernet 1/0/5
[DeviceA-GigabitEthernet1/0/5] port link-mode route
[DeviceA-GigabitEthernet1/0/5] ip address 1.1.1.2 24
[DeviceA-GigabitEthernet1/0/5] quit
# Exclude the interface used for DR keepalive detection (GigabitEthernet 1/0/5) from the
shutdown action by DRNI MAD.

115
 [DeviceA] drni mad exclude interface gigabitethernet 1/0/5
# Disable the static source check feature.
[DeviceA] undo mac-address static source-check enable
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 3.
[DeviceA] interface bridge-aggregation 3
[DeviceA-Bridge-Aggregation3] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation3] quit
# Assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to aggregation group 3.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 3
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-aggregation group 3
[DeviceA-GigabitEthernet1/0/2] quit
# Specify Bridge-Aggregation 3 as the IPP.
[DeviceA] interface bridge-aggregation 3
[DeviceA-Bridge-Aggregation3] port drni intra-portal-port 1
[DeviceA-Bridge-Aggregation3] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 4.
[DeviceA] interface bridge-aggregation 4
[DeviceA-Bridge-Aggregation4] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation4] quit
# Assign GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to aggregation group 4.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-aggregation group 4
[DeviceA-GigabitEthernet1/0/3] quit
[DeviceA] interface gigabitethernet 1/0/4
[DeviceA-GigabitEthernet1/0/4] port link-aggregation group 4
[DeviceA-GigabitEthernet1/0/4] quit
# Assign Bridge-Aggregation 4 to DR group 4.
[DeviceA] interface bridge-aggregation 4
[DeviceA-Bridge-Aggregation4] port drni group 4
[DeviceA-Bridge-Aggregation4] quit
2. Configure Device B:
# Configure DR system settings.
<DeviceB> system-view
[DeviceB] drni system-mac 1-1-1
[DeviceB] drni system-number 2
[DeviceB] drni system-priority 123
# Configure DR keepalive packet parameters.
[DeviceB] drni keepalive ip destination 1.1.1.2 source 1.1.1.1
# Set the link mode of GigabitEthernet 1/0/5 to Layer 3, and assign the interface an IP address.
The IP address will be used as the source IP address of keepalive packets.
[DeviceB] interface gigabitethernet 1/0/5
[DeviceB-GigabitEthernet1/0/5] port link-mode route
[DeviceB-GigabitEthernet1/0/5] ip address 1.1.1.1 24
[DeviceB-GigabitEthernet1/0/5] quit

116
 # Exclude the interface used for DR keepalive detection (GigabitEthernet 1/0/5) from the
shutdown action by DRNI MAD.
[DeviceB] drni mad exclude interface gigabitethernet 1/0/5
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 3.
[DeviceB] interface bridge-aggregation 3
[DeviceB-Bridge-Aggregation3] link-aggregation mode dynamic
[DeviceB-Bridge-Aggregation3] quit
# Assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to aggregation group 3.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-aggregation group 3
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-aggregation group 3
[DeviceB-GigabitEthernet1/0/2] quit
# Specify Bridge-Aggregation 3 as the IPP.
[DeviceB] interface bridge-aggregation 3
[DeviceB-Bridge-Aggregation3] port drni intra-portal-port 1
[DeviceB-Bridge-Aggregation3] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 4.
[DeviceB] interface bridge-aggregation 4
[DeviceB-Bridge-Aggregation4] link-aggregation mode dynamic
[DeviceB-Bridge-Aggregation4] quit
# Assign GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to aggregation group 4.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port link-aggregation group 4
[DeviceB-GigabitEthernet1/0/3] quit
[DeviceB] interface gigabitethernet 1/0/4
[DeviceB-GigabitEthernet1/0/4] port link-aggregation group 4
[DeviceB-GigabitEthernet1/0/4] quit
# Assign Bridge-Aggregation 4 to DR group 4.
[DeviceB] interface bridge-aggregation 4
[DeviceB-Bridge-Aggregation4] port drni group 4
[DeviceB-Bridge-Aggregation4] quit
3. Configure Device C:
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 4.
<DeviceC> system-view
[DeviceC] interface bridge-aggregation 4
[DeviceC-Bridge-Aggregation4] link-aggregation mode dynamic
[DeviceC-Bridge-Aggregation4] quit
# Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to aggregation group 4.
[DeviceC] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/4
[DeviceC-if-range] port link-aggregation group 4
[DeviceC-if-range] quit

Verifying the configuration

# Verify that the keepalive link is working correctly on Device A.
[DeviceA] display drni keepalive
Neighbor keepalive link status (cause): Up

117
Neighbor is alive for: 104 s, 16 ms
Keepalive packet transmission status:
Sent: Successful
Received: Successful
Last received keepalive packet information:
Source IP address: 1.1.1.1
Time: 2019/09/11 09:21:51
Action: Accept

Distributed relay keepalive parameters:

Destination IP address: 1.1.1.1
Source IP address: 1.1.1.2
Keepalive UDP port : 6400
Keepalive VPN name : N/A
Keepalive interval : 1000 ms
Keepalive timeout : 5 sec
Keepalive hold time: 3 sec

# Verify that the IPP and the DR interface are working correctly on Device A.
[DeviceA] display drni summary
Flags: A -- Aggregate interface down, B -- No peer DR interface configured
C -- Configuration consistency check failed

IPP: BAGG3
IPP state (cause): UP
Keepalive link state (cause): UP

DR interface information
DR interface DR group Local state (cause) Peer state Remaining down time (s)
BAGG4 4 UP UP -
[DeviceA] display drni verbose
Flags: A -- Home_Gateway, B -- Neighbor_Gateway, C -- Other_Gateway,
D -- IPP_Activity, E -- DRCP_Timeout, F -- Gateway_Sync,
G -- Port_Sync, H -- Expired
IPP/IPP ID: BAGG3/1
State: UP
Cause: -
Local DRCP flags/Peer DRCP flags: ABDFG/ABDFG
Local Selected ports (index): GE1/0/1 (260), GE1/0/2 (261)
Peer Selected ports indexes: 260, 261

DR interface/DR group ID: BAGG4/4

Local DR interface state: UP
Peer DR interface state: UP
DR group state: UP
Local DR interface down cause: -
Remaining DRNI DOWN time: -
Local DR interface LACP MAC: Config=0001-0001-0001, Effective=0001-0001-0001
Peer DR interface LACP MAC: Config=0001-0001-0001, Effective=0001-0001-0001

118
 Local DR interface LACP priority: Config=123, Effective=123
Peer DR interface LACP priority: Config=123, Effective=123
Local DRCP flags/Peer DRCP flags: ABDFG/ABDFG
Local Selected ports (index): GE1/0/3 (258), GE1/0/4 (259)
Peer Selected ports indexes: 258, 259

# Verify that all member ports of aggregation group 4 are in Selected state on Device C, which
indicates a successful link aggregation between the DR system and Device C.
[DeviceC] display link-aggregation verbose bridge-aggregation 4
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Aggregate Interface: Bridge-Aggregation4
Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, 2e56-cbae-0600
Local:
Port Status Priority Index Oper-Key Flag
GE1/0/1(R) S 32768 1 1 {ACDEF}
GE1/0/2 S 32768 2 1 {ACDEF}
GE1/0/3 S 32768 3 1 {ACDEF}
GE1/0/4 S 32768 4 1 {ACDEF}
Remote:
Actor Priority Index Oper-Key SystemID Flag
GE1/0/1 32768 16387 40004 0x7b , 0001-0001-0001 {ACDEF}
GE1/0/2 32768 16388 40004 0x7b , 0001-0001-0001 {ACDEF}
GE1/0/3 32768 32771 40004 0x7b , 0001-0001-0001 {ACDEF}
GE1/0/4 32768 32772 40004 0x7b , 0001-0001-0001 {ACDEF}

Example: Configuring Layer 3 gateways on a DR system

Network configuration
As shown in Figure 34:
• Configure Device A and Device B as a DR system to establish one multichassis aggregate link
with Device C and one with Device D.
• Set up a keepalive link between GigabitEthernet 1/0/5 of Device A and GigabitEthernet 1/0/5 of
Device B, and exclude the interfaces from the shutdown action by DRNI MAD.
• Configure two VRRP groups on Device A and Device B to provide gateway services for VLAN
100 and VLAN 200. Configure Device A as the master of the VRRP groups.

119
 Figure 34 Network diagram
Virtual router 1 Virtual router 2
Virtual IP address 1: Virtual IP address 2:
10.1.1.100/24 20.1.1.100/24
Device A
Master

/1 GE
BAGG100 1/0 1/0 BAGG101
GE /2
Vlan-int101
Vlan-int100
GE1/0/5
GE
1/0/1 1/0
GE /1
IPL
Device C Keepalive Device D
BAGG125
GE
GE1/0/3 1/0 1 /0/2 GE1/0/3
/2 GE
GE1/0/5
GE /2
1/0 1/0
/1 GE

Device B
Backup

Host A Host B
10.1.1.4/24 20.1.1.4/24
VLAN 100 VLAN 101

Procedure

1. Configure Device A:
# Configure DR system settings.
<DeviceA> system-view
[DeviceA] drni system-mac 1-1-1
[DeviceA] drni system-number 1
[DeviceA] drni system-priority 123
# Configure DR keepalive parameters.
[DeviceA] drni keepalive ip destination 1.1.1.2 source 1.1.1.1
# Set the link mode of GigabitEthernet 1/0/5 to Layer 3, and assign the interface an IP address.
The IP address will be used as the source IP address of keepalive packets.
[DeviceA] interface gigabitethernet 1/0/5
[DeviceA-GigabitEthernet1/0/5] port link-mode route
[DeviceA-GigabitEthernet1/0/5] ip address 1.1.1.1 24
[DeviceA-GigabitEthernet1/0/5] quit
# Exclude the interface used for DR keepalive detection (GigabitEthernet 1/0/5) from the
shutdown action by DRNI MAD.
[DeviceA] drni mad exclude interface gigabitethernet 1/0/5
# Disable the static source check feature.
[DeviceA] undo mac-address static source-check enable
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 125, and specify it as the
IPP.
[DeviceA] interface bridge-aggregation 125
[DeviceA-Bridge-Aggregation125] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation125] port drni intra-portal-port 1
[DeviceA-Bridge-Aggregation125] quit
# Assign GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to aggregation group 125.

120
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-aggregation group 125
[DeviceA-GigabitEthernet1/0/3] quit
[DeviceA] interface GigabitEthernet 1/0/4
[DeviceA-GigabitEthernet1/0/4] port link-aggregation group 125
[DeviceA-GigabitEthernet1/0/4] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 100, and assign it to DR
group 1.
[DeviceA] interface bridge-aggregation 100
[DeviceA-Bridge-Aggregation100] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation100] port drni group 1
[DeviceA-Bridge-Aggregation100] quit
# Assign GigabitEthernet 1/0/1 to aggregation group 100.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 100
[DeviceA-GigabitEthernet1/0/1] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 101, and assign it to DR
group 2.
[DeviceA] interface bridge-aggregation 101
[DeviceA-Bridge-Aggregation101] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation101] port drni group 2
[DeviceA-Bridge-Aggregation101] quit
# Assign GigabitEthernet 1/0/2 to aggregation group 101.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-aggregation group 101
[DeviceA-GigabitEthernet1/0/2] quit
# Create VLAN 100 and VLAN 101.
[DeviceA] vlan 100
[DeviceA-vlan100] quit
[DeviceA] vlan 101
[DeviceA-vlan101] quit
# Set the link type of Bridge-Aggregation 100 to trunk, and assign it to VLAN 100.
[DeviceA] interface bridge-aggregation 100
[DeviceA-Bridge-Aggregation100] port link-type trunk
[DeviceA-Bridge-Aggregation100] port trunk permit vlan 100
[DeviceA-Bridge-Aggregation100] quit
# Set the link type of Bridge-Aggregation 101 to trunk, and assign it to VLAN 101.
[DeviceA] interface bridge-aggregation 101
[DeviceA-Bridge-Aggregation101] port link-type trunk
[DeviceA-Bridge-Aggregation101] port trunk permit vlan 101
[DeviceA-Bridge-Aggregation101] quit
# Set the link type of Bridge-Aggregation 125 to trunk, and assign it to VLAN 100 and VLAN
101.
[DeviceA] interface bridge-aggregation 125
[DeviceA-Bridge-Aggregation125] port link-type trunk
[DeviceA-Bridge-Aggregation125] port trunk permit vlan 100 101
[DeviceA-Bridge-Aggregation125] quit
# Create VLAN-interface 100 and VLAN-interface 101, and assign IP addresses to them.

121
 [DeviceA] interface vlan-interface 100
[DeviceA-vlan-interface100] ip address 10.1.1.1 24
[DeviceA-vlan-interface100] quit
[DeviceA] interface vlan-interface 101
[DeviceA-vlan-interface101] ip address 20.1.1.1 24
[DeviceA-vlan-interface101] quit
# Exclude VLAN-interface 100 and VLAN-interface 101 from the shutdown action by DRNI
MAD.
[DeviceA] drni mad exclude interface vlan-interface 100
[DeviceA] drni mad exclude interface vlan-interface 101
# Configure OSPF.
[DeviceA] ospf
[DeviceA-ospf-1] import-route direct
[DeviceA-ospf-1] area 0
[DeviceA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] quit
[DeviceA-ospf-1] quit
# Create VRRP group 1 on VLAN-interface 100 and set its virtual IP address to 10.1.1.100.
[DeviceA] interface vlan-interface 100
[DeviceA-Vlan-interface100] vrrp vrid 1 virtual-ip 10.1.1.100
# Set the priority of Device A (primary DR member device) to 200 for it to become the master in
VRRP group 1.
[DeviceA-Vlan-interface100] vrrp vrid 1 priority 200
[DeviceA-Vlan-interface100] quit
# Create VRRP group 2 on VLAN-interface 101 and set its virtual IP address to 20.1.1.100.
[DeviceA] interface vlan-interface 101
[DeviceA-Vlan-interface101] vrrp vrid 2 virtual-ip 20.1.1.100
# Set the priority of Device A (primary DR member device) to 200 for it to become the master in
VRRP group 2.
[DeviceA-Vlan-interface101] vrrp vrid 2 priority 200
[DeviceA-Vlan-interface101] quit
2. Configure Device B:
# Configure DR system settings.
<DeviceB> system-view
[DeviceB] drni system-mac 1-1-1
[DeviceB] drni system-number 2
[DeviceB] drni system-priority 123
# Configure DR keepalive parameters.
[DeviceB] drni keepalive ip destination 1.1.1.1 source 1.1.1.2
# Set the link mode of GigabitEthernet 1/0/5 to Layer 3, and assign the interface an IP address.
The IP address will be used as the source IP address of keepalive packets.
[DeviceB] interface gigabitethernet 1/0/5
[DeviceB-GigabitEthernet1/0/5] port link-mode route
[DeviceB-GigabitEthernet1/0/5] ip address 1.1.1.2 24
[DeviceB-GigabitEthernet1/0/5] quit
# Exclude the interface used for DR keepalive detection (GigabitEthernet 1/0/5) from the
shutdown action by DRNI MAD.

122
[DeviceB] drni mad exclude interface gigabitethernet 1/0/5
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 125, and specify it as the
IPP.
[DeviceB] interface bridge-aggregation 125
[DeviceB-Bridge-Aggregation125] link-aggregation mode dynamic
[DeviceB-Bridge-Aggregation125] port drni intra-portal-port 1
[DeviceB-Bridge-Aggregation125] quit
# Assign GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to aggregation group 125.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port link-aggregation group 125
[DeviceB-GigabitEthernet1/0/3] quit
[DeviceB] interface gigabitethernet 1/0/4
[DeviceB-GigabitEthernet1/0/4] port link-aggregation group 125
[DeviceB-GigabitEthernet1/0/4] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 100, and assign it to DR
group 1.
[DeviceB] interface bridge-aggregation 100
[DeviceB-Bridge-Aggregation100] link-aggregation mode dynamic
[DeviceB-Bridge-Aggregation100] port drni group 1
[DeviceB-Bridge-Aggregation100] quit
# Assign GigabitEthernet 1/0/1 to aggregation group 100.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-aggregation group 100
[DeviceB-GigabitEthernet1/0/1] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 101, and assign it to DR
group 2.
[DeviceB] interface bridge-aggregation 101
[DeviceB-Bridge-Aggregation101] link-aggregation mode dynamic
[DeviceB-Bridge-Aggregation101] port drni group 2
[DeviceB-Bridge-Aggregation101] quit
# Assign GigabitEthernet 1/0/2 to aggregation group 101.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-aggregation group 101
[DeviceB-GigabitEthernet1/0/2] quit
# Create VLAN 100 and VLAN 101.
[DeviceB] vlan 100
[DeviceB-vlan100] quit
[DeviceB] vlan 101
[DeviceB-vlan101] quit
# Set the link type of Bridge-Aggregation 100 to trunk, and assign it to VLAN 100.
[DeviceB] interface bridge-aggregation 100
[DeviceB-Bridge-Aggregation100] port link-type trunk
[DeviceB-Bridge-Aggregation100] port trunk permit vlan 100
[DeviceB-Bridge-Aggregation100] quit
# Set the link type of Bridge-Aggregation 101 to trunk, and assign it to VLAN 101.
[DeviceB] interface bridge-aggregation 101
[DeviceB-Bridge-Aggregation101] port link-type trunk
[DeviceB-Bridge-Aggregation101] port trunk permit vlan 101

123
 [DeviceB-Bridge-Aggregation101] quit
# Set the link type of Bridge-Aggregation 125 to trunk, and assign it to VLAN 100 and VLAN
101.
[DeviceB] interface bridge-aggregation 125
[DeviceB-Bridge-Aggregation125] port link-type trunk
[DeviceB-Bridge-Aggregation125] port trunk permit vlan 100 101
[DeviceB-Bridge-Aggregation125] quit
# Create VLAN-interface 100 and VLAN-interface 101, and assign IP addresses to them.
[DeviceB] interface vlan-interface 100
[DeviceB-vlan-interface100] ip address 10.1.1.2 24
[DeviceB-vlan-interface100] quit
[DeviceB] interface vlan-interface 101
[DeviceB-vlan-interface101] ip address 20.1.1.2 24
[DeviceB-vlan-interface101] quit
# Exclude VLAN-interface 100 and VLAN-interface 101 from the shutdown action by DRNI
MAD.
[DeviceB] drni mad exclude interface vlan-interface 100
[DeviceB] drni mad exclude interface vlan-interface 101
# Configure OSPF.
[DeviceB] ospf
[DeviceB-ospf-1] import-route direct
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] quit
# Create VRRP group 1 on VLAN-interface 100 and set its virtual IP address to 10.1.1.100.
[DeviceB] interface vlan-interface 100
[DeviceB-Vlan-interface100] vrrp vrid 1 virtual-ip 10.1.1.100
[DeviceB-Vlan-interface100] quit
# Create VRRP group 2 on VLAN-interface 101 and set its virtual IP address to 20.1.1.100.
[DeviceB] interface vlan-interface 101
[DeviceB-Vlan-interface101] vrrp vrid 2 virtual-ip 20.1.1.100
[DeviceB-Vlan-interface101] quit
3. Configure Device C:
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 100.
<DeviceC> system-view
[DeviceC] interface bridge-aggregation 100
[DeviceC-Bridge-Aggregation100] link-aggregation mode dynamic
[DeviceC-Bridge-Aggregation100] quit
# Assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to aggregation group 100.
[DeviceC] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/2
[DeviceC-if-range] port link-aggregation group 100
[DeviceC-if-range] quit
# Create VLAN 100.
[DeviceC] vlan 100
[DeviceC-vlan100] quit
# Set the link type of Bridge-Aggregation 100 to trunk, and assign it to VLAN 100.

124
 [DeviceC] interface bridge-aggregation 100
[DeviceC-Bridge-Aggregation100] port link-type trunk
[DeviceC-Bridge-Aggregation100] port trunk permit vlan 100
[DeviceC-Bridge-Aggregation100] quit
# Set the link type of GigabitEthernet 1/0/3 to trunk, and assign it to VLAN 100.
[DeviceC] interface gigabitethernet 1/0/3
[DeviceC-GigabitEthernet1/0/3] port link-type trunk
[DeviceC-GigabitEthernet1/0/3] port trunk permit vlan 100
[DeviceC-GigabitEthernet1/0/3] quit
# Create VLAN-interface 100, and assign it an IP address.
[DeviceC] interface vlan-interface 100
[DeviceC-vlan-interface100] ip address 10.1.1.3 24
[DeviceC-vlan-interface100] quit
# Configure OSPF.
[DeviceC] ospf
[DeviceC-ospf-1] import-route direct
[DeviceC-ospf-1] area 0
[DeviceC-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[DeviceC-ospf-1-area-0.0.0.0] quit
[DeviceC-ospf-1] quit
4. Configure Device D:
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 101.
<DeviceD> system-view
[DeviceD] interface bridge-aggregation 101
[DeviceD-Bridge-Aggregation101] link-aggregation mode dynamic
[DeviceD-Bridge-Aggregation101] quit
# Assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to aggregation group 101.
[DeviceD] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/2
[DeviceD-if-range] port link-aggregation group 101
[DeviceD-if-range] quit
# Create VLAN 101.
[DeviceD] vlan 101
[DeviceD-vlan101] quit
# Set the link type of Bridge-Aggregation 101 to trunk, and assign it to VLAN 101.
[DeviceD] interface bridge-aggregation 101
[DeviceD-Bridge-Aggregation101] port link-type trunk
[DeviceD-Bridge-Aggregation101] port trunk permit vlan 101
[DeviceD-Bridge-Aggregation101] quit
# Set the link type of GigabitEthernet 1/0/3 to trunk, and assign it to VLAN 101.
[DeviceD] interface gigabitethernet 1/0/3
[DeviceD-GigabitEthernet1/0/3] port link-type trunk
[DeviceD-GigabitEthernet1/0/3] port trunk permit vlan 101
[DeviceD-GigabitEthernet1/0/3] quit
# Create VLAN-interface 101, and assign it an IP address.
[DeviceD] interface vlan-interface 101
[DeviceD-vlan-interface101] ip address 20.1.1.3 24
[DeviceD-vlan-interface101] quit

125
 # Configure OSPF.
[DeviceD] ospf
[DeviceD-ospf-1] import-route direct
[DeviceD-ospf-1] area 0
[DeviceD-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[DeviceD-ospf-1-area-0.0.0.0] quit
[DeviceD-ospf-1] quit

Verifying the configuration

# Verify that Device C has established OSPF neighbor relationships with Device A and Device B.
[DeviceC] display ospf peer

OSPF Process 1 with Router ID 10.1.1.3

Neighbor Brief Information

Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
20.1.1.1 10.1.1.1 1 37 Full/DR Vlan100
20.1.1.2 10.1.1.2 1 32 Full/BDR Vlan100

# Verify that Device D has established OSPF neighbor relationships with Device A and Device B.
[DeviceD] display ospf peer

OSPF Process 1 with Router ID 20.1.1.3

Neighbor Brief Information

Area: 0.0.0.0
Router ID Address Pri Dead-Time State Interface
20.1.1.1 20.1.1.1 1 38 Full/DR Vlan101
20.1.1.2 20.1.1.2 1 37 Full/BDR Vlan101

# Verify that Host A and Host B can ping each other. (Details not shown.)

126
Configuring port isolation
About port isolation
The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs.
Ports in an isolation group cannot communicate with each other. However, they can communicate
with ports outside the isolation group.

Assigning a port to an isolation group

About this task
The device supports multiple isolation groups, which can be configured manually. The number of
ports assigned to an isolation group is not limited.
Restrictions and guidelines
• You can assign a port to only one isolation group. If you execute the port-isolate enable
group command multiple times, the most recent configuration takes effect.
• The configuration in Layer 2 Ethernet interface view applies only to the interface.
• The configuration in Layer 2 aggregate interface view applies to the Layer 2 aggregate interface
and its aggregation member ports. If the device fails to apply the configuration to the aggregate
interface, it does not assign any aggregation member port to the isolation group. If the failure
occurs on an aggregation member port, the device skips the port and continues to assign other
aggregation member ports to the isolation group.
Procedure
1. Enter system view.
system-view
2. Create an isolation group.
port-isolate group group-id
3. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
4. Assign the port to the isolation group.
port-isolate enable group group-id
By default, the port is not in any isolation group.

Configuring community VLANs

About this task
You can configure community VLANs in an isolation group. Ports in an isolation group can
communicate with each other if they belong to a community VLAN.
Procedure
1. Enter system view.

127
 system-view
2. Create an isolation group.
port-isolate group group-id
3. Specify the community VLANs.
community-vlan vlan { vlan-id-list | all }
By default, an isolation group does not contain any community VLANs.

Display and maintenance commands for port

isolation
Execute display commands in any view.

Task Command
display port-isolate group
Display isolation group information.
[ group-id ]

Port isolation configuration examples

Example: Configuring port isolation
Network configuration
As shown in Figure 35:
• LAN users Host A, Host B, and Host C are connected to GigabitEthernet 1/0/1, GigabitEthernet
1/0/2, and GigabitEthernet 1/0/3 on the device, respectively.
• The device connects to the Internet through GigabitEthernet 1/0/4.
Configure the device to provide Internet access for the hosts, and isolate them from one another at
Layer 2.
Figure 35 Network diagram

Internet

GE1/0/4
Device
GE1/0/1 GE1/0/3

GE1/0/2

Host A Host B Host C

Procedure
# Create isolation group 2.

128
 <Device> system-view
[Device] port-isolate group 2

# Assign GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 to isolation group
2.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port-isolate enable group 2
[Device-GigabitEthernet1/0/1] quit
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] port-isolate enable group 2
[Device-GigabitEthernet1/0/2] quit
[Device] interface gigabitethernet 1/0/3
[Device-GigabitEthernet1/0/3] port-isolate enable group 2
[Device-GigabitEthernet1/0/3] quit

Verifying the configuration

# Display information about isolation group 2.
[Device] display port-isolate group 2
Port isolation group information:
Group ID: 2
Group members:
GigabitEthernet1/0/1 GigabitEthernet1/0/2
GigabitEthernet1/0/3
Community VLAN ID: None

The output shows that GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 are
assigned to isolation group 2. As a result, Host A, Host B, and Host C are isolated from one another
at layer 2.

Example: Configuring community VLANs in port isolation

Network configuration
As shown in Figure 36, the company branches Site 1 and Site 2 transfer service traffic in VLAN 2 and
VLAN 3.
Configure port isolation and community VLANs on the network to meet the following requirements:
• All hosts can access the Internet through Device A.
• Host B and Host D can exchange video conferencing traffic in VLAN 3.
• Other Layer 2 traffic between Device B and Device C is isolated.

129
 Figure 36 Network diagram

Internet

GE1/0/1

Device A

GE1/0/2 GE1/0/3

Isolation group 1

GE1/0/1 GE1/0/1

Device B Device C

GE1/0/2 GE1/0/3 GE1/0/2 GE1/0/3

VLAN 2 VLAN 3 VLAN 2 VLAN 3

Host A Host B Host C Host D

Site 1 Site 2

Procedure
1. Configure Device A:
# Create VLAN 2 and VLAN 3.
<DeviceA> system-view
[DeviceA] vlan 2 to 3
# Configure GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 as trunk ports, and assign them to
VLAN 2 and VLAN 3.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 2 3
[DeviceA-GigabitEthernet1/0/2] quit
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-type trunk
[DeviceA-GigabitEthernet1/0/3] port trunk permit vlan 2 3
[DeviceA-GigabitEthernet1/0/3] quit
# Create isolation group 1.
[DeviceA] port-isolate group 1
[DeviceA-port-isolate-group1] quit
# Assign GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 to isolation group 1.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port-isolate enable group 1
[DeviceA-GigabitEthernet1/0/2] quit
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port-isolate enable group 1
[DeviceA-GigabitEthernet1/0/3] quit
# Configure VLAN 3 as a community VLAN in isolation group 1.

130
 [DeviceA] port-isolate group 1
[DeviceA-port-isolate-group1] community-vlan vlan 3
[DeviceA-port-isolate-group1] quit
2. Configure Device B:
# Create VLAN 2 and assign GigabitEthernet 1/0/2 to it.
<DeviceB> system-view
[DeviceB] vlan 2
[DeviceB-vlan2] port gigabitethernet 1/0/2
[DeviceB-vlan2] quit
# Create VLAN 3 and assign GigabitEthernet 1/0/3 to it.
[DeviceB] vlan 3
[DeviceB-vlan3] port gigabitethernet 1/0/3
[DeviceB-vlan3] quit
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign it to VLAN 2 and VLAN 3.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 2 3
3. Configure Device C in the same way Device B is configured.
Verifying the configuration
# Display information about isolation group 1 on device A.
[DeviceA] display port-isolate group 1
Port-isolate group information:
Group ID: 1
Group members:
GigabitEthernet1/0/2 GigabitEthernet1/0/3
Community VLAN ID: 3

The output shows that:

• GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3 are assigned to isolation group 1.
• VLAN 3 is configured as a community VLAN in the isolation group.

131
132
Spanning tree protocol overview
Spanning tree protocols eliminate loops in a physical link-redundant network by selectively blocking
redundant links and putting them in a standby state.
The recent versions of STP include the Rapid Spanning Tree Protocol (RSTP), the Per-VLAN
Spanning Tree (PVST), and the Multiple Spanning Tree Protocol (MSTP).

About STP
STP was developed based on the 802.1d standard of IEEE to eliminate loops at the data link layer in
a LAN. Networks often have redundant links as backups in case of failures, but loops are a very
serious problem. Devices running STP detect loops in the network by exchanging information with
one another. They eliminate loops by selectively blocking certain ports to prune the loop structure
into a loop-free tree structure. This avoids proliferation and infinite cycling of packets that would
occur in a loop network.
In a narrow sense, STP refers to IEEE 802.1d STP. In a broad sense, STP refers to the IEEE 802.1d
STP and various enhanced spanning tree protocols derived from that protocol.

STP protocol frames

STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its protocol
frames. This chapter uses BPDUs to represent all types of spanning tree protocol frames.
STP-enabled devices exchange BPDUs to establish a spanning tree. BPDUs contain sufficient
information for the devices to complete spanning tree calculation.
STP uses two types of BPDUs, configuration BPDUs and topology change notification (TCN)
BPDUs.
Configuration BPDUs
Devices exchange configuration BPDUs to elect the root bridge and determine port roles. Figure 37
shows the configuration BPDU format.
Figure 37 Configuration BPDU format

DMA SMA L/T LLC header Payload

DMA: Destination MAC address Fields Byte

SMA: Source MAC address Protocol ID 2
L/T: Frame length Protocol version ID 1
LLC header: Logical link control header
Payload: BPDU data BPDU type 1
Flags 1
Root ID 8
Root path cost 4
Bridge ID 8
Port ID 2
Message age 2
Max age 2
Hello time 2
Forward delay 2

The payload of a configuration BPDU includes the following fields:

133
 • Protocol ID—Fixed at 0x0000, which represents IEEE 802.1d.
• Protocol version ID—Spanning tree protocol version ID. The protocol version ID for STP is
0x00.
• BPDU type—Type of the BPDU. The value is 0x00 for a configuration BPDU.
• Flags—An 8-bit field indicates the purpose of the BPDU. The lowest bit is the Topology Change
(TC) flag. The highest bit is the Topology Change Acknowledge (TCA) flag. All other bits are
reserved.
• Root ID—Root bridge ID formed by the priority and MAC address of the root bridge.
• Root path cost—Cost of the path to the root bridge.
• Bridge ID—Designated bridge ID formed by the priority and MAC address of the designated
bridge.
• Port ID—Designated port ID formed by the priority and global port number of the designated
port.
• Message age—Age of the configuration BPDU while it propagates in the network.
• Max age—Maximum age of the configuration BPDU stored on the switch.
• Hello time—Configuration BPDU transmission interval.
• Forward delay—Delay for STP bridges to transit port state.
Devices use the root bridge ID, root path cost, designated bridge ID, designated port ID, message
age, max age, hello time, and forward delay for spanning tree calculation.
TCN BPDUs
Devices use TCN BPDUs to announce changes in the network topology. Figure 38 shows the TCN
BPDU format.
Figure 38 TCN BPDU format

DMA SMA L/T LLC header Payload

DMA: Destination MAC address Fields Byte

SMA: Source MAC address
Protocol ID 2
L/T: Frame length
LLC header: Logical link control header Protocol version ID 1
Payload: BPDU data BPDU type 1

The payload of a TCN BPDU includes the following fields:

• Protocol ID—Fixed at 0x0000, which represents IEEE 802.1d.
• Protocol version ID—Spanning tree protocol version ID. The protocol version ID for STP is
0x00.
• BPDU type—Type of the BPDU. The value is 0x80 for a TCN BPDU.
A non-root bridge sends TCN BPDUs when one of the following events occurs on the bridge:
• A port transits to the forwarding state, and the bridge has a minimum of one designated port.
• A port transits from the forwarding or learning state to the blocking state.
The non-root bridge uses TCN BPDUs to notify the root bridge once the network topology changes.
The root bridge then sets the TC flag in its configuration BPDU and propagates it to other bridges.

134
Basic concepts in STP
Root bridge
A tree network must have a root bridge. The entire network contains only one root bridge, and all the
other bridges in the network are called leaf nodes. The root bridge is not permanent, but can change
with changes of the network topology.
Upon initialization of a network, each device generates and periodically sends configuration BPDUs,
with itself as the root bridge. After network convergence, only the root bridge generates and
periodically sends configuration BPDUs. The other devices only forward the BPDUs.
Root port
On a non-root bridge, the port nearest to the root bridge is the root port. The root port communicates
with the root bridge. Each non-root bridge has only one root port. The root bridge has no root port.
Designated bridge and designated port

Classification Designated bridge Designated port

Device directly connected to the local device
Port through which the designated
For a device and responsible for forwarding BPDUs to the
bridge forwards BPDUs to this device.
local device.

Port through which the designated

Device responsible for forwarding BPDUs to
For a LAN bridge forwards BPDUs to this LAN
this LAN segment.
segment.

As shown in Figure 39, Device B and Device C are directly connected to a LAN.
If Device A forwards BPDUs to Device B through port A1, the designated bridge and designated port
are as follows:
• The designated bridge for Device B is Device A.
• The designated port for Device B is port A1 on Device A.
If Device B forwards BPDUs to the LAN, the designated bridge and designated port are as follows:
• The designated bridge for the LAN is Device B.
• The designated port for the LAN is port B2 on Device B.
Figure 39 Designated bridges and designated ports
Device A

Port A1 Port A2

Device B Device C
Port B1 Port C1

Port B2 Port C2

LAN

Port states
Table 9 lists the port states in STP.

135
 Table 9 STP port states

State Receives/sends BPDUs Learns MAC addresses Forwards user data

Disabled No No No
Listening Yes No No
Learning Yes Yes No
Forwarding Yes Yes Yes
Blocking Receive No No

Path cost
Path cost is a reference value used for link selection in STP. To prune the network into a loop-free
tree, STP calculates path costs to select the most robust links and block redundant links that are less
robust.

Calculation process of the STP algorithm

In STP calculation, a device compares the priorities of the received configuration BPDUs from
different ports, and elects the root bridge, root ports and designated ports. When the spanning tree
calculation is completed, a tree-shape topology forms.
The spanning tree calculation process described in the following sections is an example of a
simplified process.
Network initialization
Upon initialization of a device, each port generates a BPDU with the following contents:
• The port as the designated port.
• The device as the root bridge.
• 0 as the root path cost.
• The device ID as the designated bridge ID.
Root bridge selection
The root bridge can be selected in the following methods:
• Automatic election—Initially, each STP-enabled device on the network assumes itself to be
the root bridge, with its own device ID as the root bridge ID. By exchanging configuration
BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root
bridge ID as the root bridge.
• Manual assignment—You can configure a device as the root bridge or a secondary root bridge
of a spanning tree.
 A spanning tree can have only one root bridge. If you configure multiple devices as the root
bridge for a spanning tree, the device with the lowest MAC address is selected.
 You can configure one or multiple secondary root bridges for a spanning tree. When the root
bridge fails or is shut down, a secondary root bridge can take over. If multiple secondary root
bridges are configured, the one with the lowest MAC address is selected. However, if a new
root bridge is configured, the secondary root bridge is not selected.
Root port and designated ports selection on the non-root bridges

Step Description
A non-root-bridge device regards the port on which it received the optimum configuration BPDU
1
as the root port. Table 10 describes how the optimum configuration BPDU is selected.

136
 Step Description
Based on the configuration BPDU and the path cost of the root port, the device calculates a
designated port configuration BPDU for each of the other ports.
• The root bridge ID is replaced with that of the configuration BPDU of the root port.
2 • The root path cost is replaced with that of the configuration BPDU of the root port plus the
path cost of the root port.
• The designated bridge ID is replaced with the ID of this device.
• The designated port ID is replaced with the ID of this port.

The device compares the calculated configuration BPDU with the configuration BPDU on the
port whose port role will be determined. Then, the device acts depending on the result of the
comparison:
• If the calculated configuration BPDU is superior, the device performs the following
operations:
3  Considers this port as the designated port.
 Replaces the configuration BPDU on the port with the calculated configuration BPDU.
 Periodically sends the calculated configuration BPDU.
• If the configuration BPDU on the port is superior, the device blocks this port without
updating its configuration BPDU. The blocked port can receive BPDUs, but cannot send
BPDUs or forward data traffic.

When the network topology is stable, only the root port and designated ports forward user traffic.
Other ports are all in the blocking state to receive BPDUs but not to forward BPDUs or user traffic.
Table 10 Selecting the optimum configuration BPDU

Step Actions
Upon receiving a configuration BPDU on a port, the device compares the priority of the received
configuration BPDU with that of the configuration BPDU generated by the port.
• If the former priority is lower, the device discards the received configuration BPDU and
1
keeps the configuration BPDU the port generated.
• If the former priority is higher, the device replaces the content of the configuration BPDU
generated by the port with the content of the received configuration BPDU.

The device compares the configuration BPDUs of all the ports and chooses the optimum
2
configuration BPDU.

The following are the principles of configuration BPDU comparison:

1. The configuration BPDU with the lowest root bridge ID has the highest priority.
2. If configuration BPDUs have the same root bridge ID, their root path costs are compared. For
example, the root path cost in a configuration BPDU plus the path cost of a receiving port is S.
The configuration BPDU with the smallest S value has the highest priority.
3. If all configuration BPDUs have the same root bridge ID and S value, the following attributes are
compared in sequence:
a. Designated bridge IDs.
b. Designated port IDs.
c. IDs of the receiving ports.
The configuration BPDU that contains a smaller designated bridge ID, designated port ID, or
receiving port ID is selected.
A tree-shape topology forms when the root bridge, root ports, and designated ports are selected.

Example of STP calculation

Figure 40 provides an example showing how the STP algorithm works.

137
 Figure 40 The STP algorithm
Device A
Priority = 0

Port A1 Port A2

Pa
=5

th
st

co
co

st
th

=1
Pa

0
Port B1 Port C1
Port B2 Port C2

Path cost = 4
Device B Device C
Priority = 1 Priority = 2

As shown in Figure 40, the priority values of Device A, Device B, and Device C are 0, 1, and 2,
respectively. The path costs of links among the three devices are 5, 10, and 4.
Device state initialization
In Table 11, each configuration BPDU contains the following fields: root bridge ID, root path cost,
designated bridge ID, and designated port ID.
Table 11 Initial state of each device

Configuration BPDU on the

Device Port name
port
Port A1 {0, 0, 0, Port A1}
Device A
Port A2 {0, 0, 0, Port A2}
Port B1 {1, 0, 1, Port B1}
Device B
Port B2 {1, 0, 1, Port B2}
Port C1 {2, 0, 2, Port C1}
Device C
Port C2 {2, 0, 2, Port C2}

Configuration BPDUs comparison on each device

In Table 12, each configuration BPDU contains the following fields: root bridge ID, root path cost,
designated bridge ID, and designated port ID.

138
Table 12 Comparison process and result on each device

Configuration BPDU on
Device Comparison process
ports after comparison
Port A1 performs the following operations:
1. Receives the configuration BPDU of Port B1 {1, 0, 1,
Port B1}.
2. Determines that its existing configuration BPDU {0, 0,
0, Port A1} is superior to the received configuration
BPDU.
3. Discards the received one.
Port A2 performs the following operations:
4. Receives the configuration BPDU of Port C1 {2, 0, 2, • Port A1: {0, 0, 0, Port A1}
Device A Port C1}. • Port A2: {0, 0, 0, Port A2}
5. Determines that its existing configuration BPDU {0, 0,
0, Port A2} is superior to the received configuration
BPDU.
6. Discards the received one.
Device A determines that it is both the root bridge and
designated bridge in the configuration BPDUs of all its
ports. It considers itself as the root bridge. It does not
change the configuration BPDU of any port and starts to
periodically send configuration BPDUs.

Port B1 performs the following operations:

7. Receives the configuration BPDU of Port A1 {0, 0, 0,
Port A1}.
8. Determines that the received configuration BPDU is
superior to its existing configuration BPDU {1, 0, 1,
Port B1}.
9. Updates its configuration BPDU. • Port B1: {0, 0, 0, Port A1}
Port B2 performs the following operations: • Port B2: {1, 0, 1, Port B2}
10. Receives the configuration BPDU of Port C2 {2, 0, 2,
Port C2}.
11. Determines that its existing configuration BPDU {1, 0,
1, Port B2} is superior to the received configuration
BPDU.
12. Discards the received BPDU.
Device B
Device B performs the following operations:
13. Compares the configuration BPDUs of all its ports.
14. Decides that the configuration BPDU of Port B1 is the
optimum.
15. Selects Port B1 as the root port with the configuration
BPDU unchanged. • Root port (Port B1): {0, 0, 0,
Based on the configuration BPDU and path cost of the root Port A1}
port, Device B calculates a designated port configuration • Designated port (Port B2):
BPDU for Port B2 {0, 5, 1, Port B2}. Device B compares it {0, 5, 1, Port B2}
with the existing configuration BPDU of Port B2 {1, 0, 1, Port
B2}. Device B determines that the calculated one is
superior, and determines that Port B2 is the designated
port. It replaces the configuration BPDU on Port B2 with the
calculated one, and periodically sends the calculated
configuration BPDU.

139
 Configuration BPDU on
Device Comparison process
ports after comparison
Port C1 performs the following operations:
16. Receives the configuration BPDU of Port A2 {0, 0, 0,
Port A2}.
17. Determines that the received configuration BPDU is
superior to its existing configuration BPDU {2, 0, 2,
Port C1}.
18. Updates its configuration BPDU. • Port C1: {0, 0, 0, Port A2}
Port C2 performs the following operations: • Port C2: {1, 0, 1, Port B2}
19. Receives the original configuration BPDU of Port B2
{1, 0, 1, Port B2}.
20. Determines that the received configuration BPDU is
superior to the existing configuration BPDU {2, 0, 2,
Port C2}.
21. Updates its configuration BPDU.
Device C performs the following operations:
22. Compares the configuration BPDUs of all its ports.
23. Decides that the configuration BPDU of Port C1 is the
optimum.
24. Selects Port C1 as the root port with the configuration
BPDU unchanged. • Root port (Port C1): {0, 0,
Device C 0, Port A2}
Based on the configuration BPDU and path cost of the root
port, Device C calculates the configuration BPDU of Port C2 • Designated port (Port C2):
{0, 10, 2, Port C2}
{0, 10, 2, Port C2}. Device C compares it with the existing
configuration BPDU of Port C2 {1, 0, 1, Port B2}. Device C
determines that the calculated configuration BPDU is
superior to the existing one, selects Port C2 as the
designated port, and replaces the configuration BPDU of
Port C2 with the calculated one.
Port C2 performs the following operations:
25. Receives the updated configuration BPDU of Port B2
{0, 5, 1, Port B2}.
26. Determines that the received configuration BPDU is
superior to its existing configuration BPDU {0, 10, 2,
Port C2}.
• Port C1: {0, 0, 0, Port A2}
27. Updates its configuration BPDU.
• Port C2: {0, 5, 1, Port B2}
Port C1 performs the following operations:
28. Receives a periodic configuration BPDU {0, 0, 0, Port
A2} from Port A2.
29. Determines that it is the same as the existing
configuration BPDU.
30. Discards the received BPDU.

140
 Configuration BPDU on
Device Comparison process
ports after comparison
Device C determines that the root path cost of Port C1 is
larger than that of Port C2. The root path cost of Port C1 is
10, root path cost of the received configuration BPDU (0)
plus path cost of Port C1 (10). The root path cost of Port C2
is 9, root path cost of the received configuration BPDU (5)
plus path cost of Port C2 (4). Device C determines that the
configuration BPDU of Port C2 is the optimum, and selects
Port C2 as the root port with the configuration BPDU
unchanged.
Based on the configuration BPDU and path cost of the root • Blocked port (Port C1): {0,
port, Device C performs the following operations: 0, 0, Port A2}
31. Calculates a designated port configuration BPDU for • Root port (Port C2): {0, 5,
Port C1 {0, 9, 2, Port C1}. 1, Port B2}
32. Compares it with the existing configuration BPDU of
Port C1 {0, 0, 0, Port A2}.
33. Determines that the existing configuration BPDU is
superior to the calculated one and blocks Port C1 with
the configuration BPDU unchanged.
Port C1 does not forward data until a new event triggers a
spanning tree calculation process: for example, the link
between Device B and Device C is down.

Final calculated spanning tree

After the comparison processes described in Table 12, a spanning tree with Device A as the root
bridge is established, as shown in Figure 41.
Figure 41 The final calculated spanning tree

A
Root bridge

Root port

Designated port

Blocked port

Normal link

B C Blocked link

The configuration BPDU forwarding mechanism of STP

The configuration BPDUs of STP are forwarded according to these guidelines:
• Upon network initiation, every device regards itself as the root bridge and generates
configuration BPDUs with itself as the root. Then it sends the configuration BPDUs at a regular
hello interval.
• If the root port receives a configuration BPDU superior to the configuration BPDU of the port,
the device performs the following operations:
 Increases the message age carried in the configuration BPDU.
 Starts a timer to time the configuration BPDU.
 Sends this configuration BPDU through the designated port.

141
 • If a designated port receives a configuration BPDU with a lower priority than its configuration
BPDU, the port immediately responds with its configuration BPDU.
• If a path fails, the root port on this path no longer receives new configuration BPDUs and the old
configuration BPDUs will be discarded due to timeout. The device generates a configuration
BPDU with itself as the root and sends the BPDUs and TCN BPDUs. This triggers a new
spanning tree calculation process to establish a new path to restore the network connectivity.
However, the newly calculated configuration BPDU cannot be propagated throughout the network
immediately. As a result, the old root ports and designated ports that have not detected the topology
change continue forwarding data along the old path. If the new root ports and designated ports begin
to forward data as soon as they are elected, a temporary loop might occur.

STP timers
The most important timing parameters in STP calculation are forward delay, hello time, and max age.
• Forward delay
Forward delay is the delay time for port state transition. By default, the forward delay is 15
seconds.
A path failure can cause spanning tree re-calculation to adapt the spanning tree structure to the
change. However, the resulting new configuration BPDU cannot propagate throughout the
network immediately. If the newly elected root ports and designated ports start to forward data
immediately, a temporary loop will likely occur.
The newly elected root ports or designated ports must go through the listening and learning
states before they transit to the forwarding state. This requires twice the forward delay time and
allows the new configuration BPDU to propagate throughout the network.
• Hello time
The device sends configuration BPDUs at the hello time interval to the neighboring devices to
ensure that the paths are fault-free. By default, the hello time is 2 seconds. If the device does
not receive configuration BPDUs within the timeout period, it recalculates the spanning tree.
The formula for calculating the timeout period is timeout period = timeout factor × 3 × hello time.
• Max age
The device uses the max age to determine whether a stored configuration BPDU has expired
and discards it if the max age is exceeded. By default, the max age is 20 seconds. In the CIST
of an MSTP network, the device uses the max age timer to determine whether a configuration
BPDU received by a port has expired. If it is expired, a new spanning tree calculation process
starts. The max age timer does not take effect on MSTIs.
If a port does not receive any configuration BPDUs within the timeout period, the port transits to the
listening state. The device will recalculate the spanning tree. It takes the port 50 seconds to transit
back to the forwarding state. This period includes 20 seconds for the max age, 15 seconds for the
listening state, and 15 seconds for the learning state.
To ensure a fast topology convergence, make sure the timer settings meet the following formulas:
• 2 × (forward delay – 1 second) ≥ max age
• Max age ≥ 2 × (hello time + 1 second)

About RSTP
RSTP achieves rapid network convergence by allowing a newly elected root port or designated port
to enter the forwarding state much faster than STP.

142
RSTP protocol frames
An RSTP BPDU uses the same format as an STP BPDU except that a Version1 length field is added
to the payload of RSTP BPDUs. The differences between an RSTP BPDU and an STP BPDU are as
follows:
• Protocol version ID—The value is 0x02 for RSTP.
• BPDU type—The value is 0x02 for RSTP BPDUs.
• Flags—All 8 bits are used.
• Version1 length—The value is 0x00, which means no version 1 protocol information is
present.
RSTP does not use TCN BPDUs to advertise topology changes. RSTP floods BPDUs with the TC
flag set in the network to advertise topology changes.

Basic concepts in RSTP

Port roles
In addition to root port and designated port, RSTP also uses the following port roles:
• Alternate port—Acts as the backup port for a root port. When the root port is blocked, the
alternate port takes over.
• Backup port—Acts as the backup port of a designated port. When the designated port is
invalid, the backup port becomes the new designated port. A loop occurs when two ports of the
same spanning tree device are connected, so the device blocks one of the ports. The blocked
port is the backup port.
• Edge port—Directly connects to a user host rather than a network device or network segment.
Port states
RSTP uses the discarding state to replace the disabled, blocking, and listening states in STP. Table
13 shows the differences between the port states in RSTP and STP.
Table 13 Port state differences between RSTP and STP

RSTP port Sends Learns MAC Forwards user

STP port state
state BPDU addresses data
Disabled Discarding No No No
Blocking Discarding No No No
Listening Discarding Yes No No
Learning Learning Yes Yes No
Forwarding Forwarding Yes Yes Yes

How RSTP works

During RSTP calculation, the following events occur:
• If a port in discarding state becomes an alternate port, it retains its state.
• If a port in discarding state is elected as the root port or designated port, it enters the learning
state after the forward delay. The port learns MAC addresses, and enters the forwarding state
after another forward delay.
 A newly elected RSTP root port rapidly enters the forwarding state if the following
requirements are met:

143
 − The old root port on the device has stopped forwarding data.
− The upstream designated port has started forwarding data.
 A newly elected RSTP designated port rapidly enters the forwarding state if one of the
following requirements is met:
− The designated port is configured as an edge port which directly connects to a user
terminal.
− The designated port connects to a point-to-point link and receives a handshake
response from the directly connected device.

RSTP BPDU processing

In RSTP, a non-root bridge actively sends RSTP BPDUs at the hello time through designated ports
without waiting for the root bridge to send RSTP BPDUs. This enables RSTP to quickly detect link
failures. If a device fails to receive any RSTP BPDUs on a port within triple the hello time, the device
considers that a link failure has occurred. After the stored configuration BPDU expires, the device
floods RSTP BPDUs with the TC flag set to initiate a new RSTP calculation.
In RSTP, a port in blocking state can immediately respond to an RSTP BPDU with a lower priority
than its own BPDU.
As shown in Figure 42, Device A is the root bridge. The priority of Device B is higher than the priority
of Device C. Port C2 on Device C is blocked.
When the link between Device A and Device B fails, the following events occur:
1. Device B sends an RSTP BPDU with itself as the root bridge to Device C.
2. Device C compares the RSTP BPDU with its own BPDU.
3. Because the RSTP BPDU from Device B has a lower priority, Device C sends its own BPDU to
Device B.
4. Device B considers that Port B2 is the root port and stops sending RSTP BPDUs to Device C.
Figure 42 BPDU processing in RSTP
Device A Failed link
Root bridge
BID=0.MAC A RSTP BPDU with
low priority
RSTP BPDU with
Port A1 Port A2 high priority

Port B1
Device A is the root Port C1
Device B Device C
BID=4096.MAC B Port B2 Port C2 BID=8192.MAC C
Device B is the root

About PVST
In an STP- or RSTP-enabled LAN, all bridges share one spanning tree. Traffic from all VLANs is
forwarded along the spanning tree, and ports cannot be blocked on a per-VLAN basis to prune loops.
PVST allows every VLAN to have its own spanning tree, which increases usage of links and
bandwidth. Because each VLAN runs RSTP independently, a spanning tree only serves its VLAN.

144
 A PVST-enabled HPE device can communicate with a third-party device that is running Rapid PVST
or PVST. The PVST-enabled HPE device supports fast network convergence like RSTP when
connected to PVST-enabled HPE devices or third-party devices enabled with Rapid PVST.

PVST protocol frames

As shown in Figure 43, a PVST BPDU uses the same format as an RSTP BPDU except the following
differences:
• The destination MAC address of a PVST BPDU is 01-00-0c-cc-cc-cd, which is a private MAC
address.
• Each PVST BPDU carries a VLAN tag. The VLAN tag identifies the VLAN to which the PVST
BPDU belongs.
• The organization code and PID fields are added to the LLC header of the PVST BPDU.
Figure 43 PVST BPDU format

DMA SMA L/T VLAN tag LLC header Payload

Organization code
PID

A port's link type determines the type of BPDUs the port sends.
• An access port sends RSTP BPDUs.
• A trunk or hybrid port sends RSTP BPDUs in the default VLAN and sends PVST BPDUs in
other VLANs.

How PVST works

PVST implements per-VLAN spanning tree calculation by mapping each VLAN to an MSTI. In PVST,
each VLAN runs RSTP independently to maintain its own spanning tree without affecting the
spanning trees of other VLANs. In this way, loops in each VLAN are eliminated and traffic of different
VLANs is load shared over links. PVST uses RSTP BPDUs in the default VLAN and PVST BPDUs in
other VLANs for spanning tree calculation.
PVST uses the same port roles and port states as RSTP for rapid transition. For more information,
see "Basic concepts in RSTP."

About MSTP
MSTP features
Developed based on IEEE 802.1s, MSTP overcomes the limitations of STP, RSTP, and PVST. In
addition to supporting rapid network convergence, it allows data flows of different VLANs to be
forwarded along separate paths. This provides a better load sharing mechanism for redundant links.
MSTP provides the following features:
• MSTP divides a switched network into multiple regions, each of which contains multiple
spanning trees that are independent of one another.
• MSTP supports mapping VLANs to spanning tree instances by means of a VLAN-to-instance
mapping table. MSTP can reduce communication overheads and resource usage by mapping
multiple VLANs to one instance.

145
 • MSTP prunes a loop network into a loop-free tree, which avoids proliferation and endless
cycling of frames in a loop network. In addition, it supports load balancing of VLAN data by
providing multiple redundant paths for data forwarding.
• MSTP is compatible with STP and RSTP, and partially compatible with PVST.

MSTP protocol frames

Figure 44 shows the format of an MSTP BPDU.
Figure 44 MSTP BPDU format
Fields Byte
Protocol ID 2
Protocol version ID 1
BPDU type 1
Flags 1
Root ID 8
Root path cost 4
Bridge ID 8
Port ID 2
Message age 2
Max age 2
Hello time 2
Forward delay 2
Version1 length=0 1
Version3 length 2
MST configuration ID 51
CIST IRPC 4
MSTP-specific
CIST bridge ID 8 fields
CIST remaining ID 1
MSTI configuration messages LEN

The first 13 fields of an MSTP BPDU are the same as an RSTP BPDU. The other six fields are
unique to MSTP.
• Protocol version ID—The value is 0x03 for MSTP.
• BPDU type—The value is 0x02 for RSTP/MSTP BPDUs.
• Root ID—ID of the common root bridge.
• Root path cost—CIST external path cost.
• Bridge ID—ID of the regional root for the IST or an MSTI.
• Port ID—ID of the designated port in the CIST.
• Version3 length—Length of the MSTP-specific fields. Devices use this field for verification
upon receiving an MSTP BPDU.
• MST configuration ID—Includes the format selector, configuration name, revision level, and
configuration digest. The value for format selector is fixed at 0x00. The other parameters are
used to identify the MST region for the originating bridge.
• CIST IRPC—Internal root path cost (IRPC) from the originating bridge to the root of the MST
region.
• CIST bridge ID—ID of the bridge that sends the MSTP BPDU.
• CIST remaining ID—Remaining hop count. This field limits the scale of the MST region. The
regional root sends a BPDU with the remaining hop count set to the maximum value. Each
device that receives the BPDU decrements the hop count by one. When the hop count reaches

146
 zero, the BPDU is discarded. Devices beyond the maximum hops of the MST region cannot
participate in spanning tree calculation. The default remaining hop count is 20.
• MSTI configuration messages—Contains MSTI configuration messages. Each MSTI
configuration message is 16 bytes. This field can contain 0 to 64 MSTI configuration messages.
The number of the MSTI configuration messages is determined by the number of MSTIs in the
MST region.

Basic concepts in MSTP

Figure 45 shows a switched network that contains four MST regions, each MST region containing
four MSTP devices. Figure 46 shows the networking topology of MST region 3.
Figure 45 Basic concepts in MSTP

VLAN 1 à MSTI 1 VLAN 1 à MSTI 1

VLAN 2 à MSTI 2 VLAN 2 à MSTI 2
Other VLANs à MSTI 0 Other VLANs à MSTI 0

MST region 1 MST region 4

MST region 2 MST region 3

VLAN 1 à MSTI 1 VLAN 1 à MSTI 1

VLAN 2 à MSTI 2 CST VLAN 2&3 à MSTI 2
Other VLANs à MSTI 0 Other VLANs à MSTI 0

147
 Figure 46 Network diagram and topology of MST region 3
To MST region 4

To MST region 2 MST region 3 A B A B

Device A Device B

C D C D
MSTI 1 MSTI 2

A B
Regional root

Device C Device D C D MSTI

MSTI 0
VLAN 1 à MSTI 1
VLAN 2&3 à MSTI 2 Topology of MSTIs in MST region 3
Other VLANs à MSTI 0

MST region
A multiple spanning tree region (MST region) consists of multiple devices in a switched network and
the network segments among them. All these devices have the following characteristics:
• A spanning tree protocol enabled
• Same region name
• Same VLAN-to-instance mapping configuration
• Same MSTP revision level
• Physically linked together
Multiple MST regions can exist in a switched network. You can assign multiple devices to the same
MST region, as shown in Figure 45.
• The switched network contains four MST regions, MST region 1 through MST region 4.
• All devices in each MST region have the same MST region configuration.
MSTI
MSTP can generate multiple independent spanning trees in an MST region, and each spanning tree
is mapped to the specific VLANs. Each spanning tree is referred to as a multiple spanning tree
instance (MSTI).
In Figure 46, MST region 3 contains three MSTIs, MSTI 1, MSTI 2, and MSTI 0.
VLAN-to-instance mapping table
As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping
relationships between VLANs and MSTIs.
In Figure 46, the VLAN-to-instance mapping table of MST region 3 is as follows:
• VLAN 1 to MSTI 1.
• VLAN 2 and VLAN 3 to MSTI 2.
• Other VLANs to MSTI 0.
MSTP achieves load balancing by means of the VLAN-to-instance mapping table.
CST
The common spanning tree (CST) is a single spanning tree that connects all MST regions in a
switched network. If you regard each MST region as a device, the CST is a spanning tree calculated
by these devices through STP or RSTP.

148
 The blue lines in Figure 45 represent the CST.
IST
An internal spanning tree (IST) is a spanning tree that runs in an MST region. It is also called MSTI 0,
a special MSTI to which all VLANs are mapped by default.
In Figure 45, MSTI 0 is the IST in MST region 3.
CIST
The common and internal spanning tree (CIST) is a single spanning tree that connects all devices in
a switched network. It consists of the ISTs in all MST regions and the CST.
In Figure 45, the ISTs (MSTI 0) in all MST regions plus the inter-region CST constitute the CIST of the
entire network.
Regional root
The root bridge of the IST or an MSTI within an MST region is the regional root of the IST or MSTI.
Based on the topology, different spanning trees in an MST region might have different regional roots,
as shown in MST region 3 in Figure 46.
• The regional root of MSTI 1 is Device B.
• The regional root of MSTI 2 is Device C.
• The regional root of MSTI 0 (also known as the IST) is Device A.
Common root bridge
The common root bridge is the root bridge of the CIST.
In Figure 45, the common root bridge is a device in MST region 1.
Port roles
A port can play different roles in different MSTIs. As shown in Figure 47, an MST region contains
Device A, Device B, Device C, and Device D. Port A1 and port A2 of Device A connect to the
common root bridge. Port B2 and Port B3 of Device B form a loop. Port C3 and Port C4 of Device C
connect to other MST regions. Port D3 of Device D directly connects to a host.
Figure 47 Port roles
To the common root

MST region Port A1 Port A2

Root port

Port A3 Port A4 Designated port

Device A
(Root bridge) Alternate port

Device B Device D Backup port

Port B1 Port D1
Edge port
Port B2 Port B3 Port D2
Port D3
Master port

Boundary port

Port C1
Port C2
Normal link
Device C
Blocked link
Port C3 Port C4

To other MST regions

149
 MSTP calculation involves the following port roles:
• Root port—Forwards data for a non-root bridge to the root bridge. The root bridge does not
have any root port.
• Designated port—Forwards data to the downstream network segment or device.
• Alternate port—Acts as the backup port for a root port or master port. When the root port or
master port is blocked, the alternate port takes over.
• Backup port—Acts as the backup port of a designated port. When the designated port is
invalid, the backup port becomes the new designated port. A loop occurs when two ports of the
same spanning tree device are connected, so the device blocks one of the ports. The blocked
port acts as the backup.
• Edge port—Directly connects to a user host rather than a network device or network segment.
• Master port—Acts as a port on the shortest path from the local MST region to the common root
bridge. The master port is not always located on the regional root. It is a root port on the IST or
CIST and still a master port on the other MSTIs.
• Boundary port—Connects an MST region to another MST region or to an STP/RSTP-running
device. In MSTP calculation, a boundary port's role on an MSTI is consistent with its role on the
CIST. However, that is not true with master ports. A master port on MSTIs is a root port on the
CIST.
Port states
In MSTP, a port can be in one of the following states:
• Forwarding—The port receives and sends BPDUs, learns MAC addresses, and forwards user
traffic.
• Learning—The port receives and sends BPDUs, learns MAC addresses, but does not forward
user traffic. Learning is an intermediate port state.
• Discarding—The port receives and sends BPDUs, but does not learn MAC addresses or
forward user traffic.

NOTE:
When in different MSTIs, a port can be in different states.

A port state is not exclusively associated with a port role. Table 14 lists the port states that each port
role supports. (A check mark [√] indicates that the port supports this state, while a dash [—] indicates
that the port does not support this state.)
Table 14 Port states that different port roles support

Port role (right) Root

Designated
port/master Alternate port Backup port
Port state (below) port
port
Forwarding √ √ — —
Learning √ √ — —
Discarding √ √ √ √

How MSTP works

MSTP divides an entire Layer 2 network into multiple MST regions, which are connected by a
calculated CST. Inside an MST region, multiple spanning trees, called MSTIs, are calculated. Among
these MSTIs, MSTI 0 is the IST.

150
 Like STP, MSTP uses configuration BPDUs to calculate spanning trees. An important difference is
that an MSTP BPDU carries the MSTP configuration of the bridge from which the BPDU is sent.
CIST calculation
During the CIST calculation, the following process takes place:
• The device with the highest priority is elected as the root bridge of the CIST.
• MSTP generates an IST within each MST region through calculation.
• MSTP regards each MST region as a single device and generates a CST among these MST
regions through calculation.
The CST and ISTs constitute the CIST of the entire network.
MSTI calculation
Within an MST region, MSTP generates different MSTIs for different VLANs based on the
VLAN-to-instance mappings. For each spanning tree, MSTP performs a separate calculation
process similar to spanning tree calculation in STP. For more information, see "Calculation process
of the STP algorithm."
In MSTP, a VLAN frame is forwarded along the following paths:
• Within an MST region, the frame is forwarded along the corresponding MSTI.
• Between two MST regions, the frame is forwarded along the CST.

MSTP implementation on devices

MSTP is compatible with STP and RSTP. Devices that are running MSTP and that are used for
spanning tree calculation can identify STP and RSTP protocol frames.
In addition to basic MSTP features, the following features are provided for ease of management:
• Root bridge hold.
• Root bridge backup.
• Root guard.
• BPDU guard.
• Loop guard.
• TC-BPDU guard.
• Port role restriction.
• TC-BPDU transmission restriction.

Rapid transition mechanism

In STP, a port must wait twice the forward delay (30 seconds by default) before it transits from the
blocking state to the forwarding state. The forward delay is related to the hello time and network
diameter. If the forward delay is too short, loops might occur. This affects the stability of the network.
RSTP, PVST, and MSTP all use the rapid transition mechanism to speed up port state transition for
edge ports, root ports, and designated ports. The rapid transition mechanism for designated ports is
also known as the proposal/agreement (P/A)_transition.

Edge port rapid transition

As shown in Figure 48, Port C3 is an edge port connected to a host. When a network topology
change occurs, the port can immediately transit from the blocking state to the forwarding state
because no loop will be caused.

151
 Because a device cannot determine whether a port is directly connected to a terminal, you must
manually configure the port as an edge port.
Figure 48 Edge port rapid transition
Root port
Port A1 Port A2
Designated port
Device A
Root bridge Alternate port

Port B1 Port C1 Edge port

Device B Device C Normal link

Port B2 Port C2
Port C3
Blocked link

Root port rapid transition

When a root port is blocked, the bridge will elect the alternate port with the highest priority as the new
root port. If the new root port's peer is in the forwarding state, the new root port immediately transits
to the forwarding state.
As shown in Figure 49, Port C2 on Device C is a root port and Port C1 is an alternate port. When Port
C2 transits to the blocking state, Port C1 is elected as the root port and immediately transits to the
forwarding state.
Figure 49 Root port rapid transition
Root port
Designated port
Alternate port
Normal link
Blocked link
Device A Device A
Root bridge Root bridge

Port A1 Port A2 Port A1 Port A2

Port B1 Port C1 Port B1 Port C1

Device B Device C Device B Device C

Port B2 Port C2 Port B2 Port C2

P/A transition
The P/A transition enables a designated port to rapidly transit to the forwarding state after a
handshake with its peer. The P/A transition applies only to point-to-point links.
P/A transition for RSTP and PVST
In RSTP or PVST, the ports on a new link or recovered link are designated ports in blocking state.
When one of the designated ports transits to the discarding or learning state, it sets the proposal flag
in its BPDU. Its peer bridge receives the BPDU and determines whether the receiving port is the root

152
 port. If it is the root port, the bridge blocks the other ports except edge ports. The bridge then replies
an agreement BPDU to the designated port. The designated port immediately transits to the
forwarding state upon receiving the agreement BPDU. If the designated port does not receive the
agreement BPDU, it waits for twice the forward delay to transit to the forwarding state.
As shown in Figure 50, the P/A transition operates as follows:
1. Device A sends a proposal BPDU to Device B through Port A1.
2. Device B receives the proposal BPDU on Port B2. Port B2 is elected as the root port.
3. Device B blocks its designated port Port B1 and alternate port Port B3 to eliminate loops.
4. The root port Port B2 transits to the forwarding state and sends an agreement BPDU to Device
A.
5. The designated port Port A1 on Device A immediately transits to the forwarding state after
receiving the agreement BPDU.
Figure 50 P/A transition for RSTP and PVST
Root port
Designated port
Alternate port
Edge port
Device A Device A
RID=0.MAC A RID=0.MAC A
Port A1 Port A1

Proposal Agreement

Port B2 Port B2
Device B Device B
RID=4096.MAC B RID=4096.MAC B
Port B3 Port B1 Port B3 Port B1

P/A transition for MSTP

In MSTP, an upstream bridge sets both the proposal and agreement flags in its BPDU. If a
downstream bridge receives the BPDU and its receiving port is elected as the root port, the bridge
blocks all the other ports except edge ports. The downstream bridge then replies an agreement
BPDU to the upstream bridge. The upstream port immediately transits to the forwarding state upon
receiving the agreement BPDU. If the upstream port does not receive the agreement BPDU, it waits
for twice the forward delay to transit to the forwarding state.
As shown in Figure 51, the P/A transition operates as follows:
1. Device A sets the proposal and agreement flags in its BPDU and sends it to Device B through
Port A1.
2. Device B receives the BPDU. Port B1 of Device B is elected as the root port.
3. Device B then blocks all its ports except the edge ports.
4. The root port Port B1 of Device B transits to the forwarding state and sends an agreement
BPDU to Device A.
5. Port A1 of Device A immediately transits to the forwarding state upon receiving the agreement
BPDU.

153
 Figure 51 P/A transition for MSTP
Proposal

Device A Port A1 Port B1 Device B

RID=0.MAC A RID=4096.MAC B

Agreement

Protocols and standards

MSTP is documented in the following protocols and standards:
• IEEE 802.1d, Media Access Control (MAC) Bridges
• IEEE 802.1w, Part 3: Media Access Control (MAC) Bridges—Amendment 2: Rapid
Reconfiguration
• IEEE 802.1s, Virtual Bridged Local Area Networks—Amendment 3: Multiple Spanning Trees
• IEEE 802.1Q-REV/D1.3, Media Access Control (MAC) Bridges and Virtual Bridged Local Area
Networks —Clause 13: Spanning tree Protocols

154
Configuring spanning tree protocols
Restrictions and guidelines: spanning tree
protocol configuration
Restrictions: Compatibility with other features
• If both MVRP and a spanning tree protocol are enabled on a device, MVRP packets are
forwarded along MSTIs. To advertise a specific VLAN within the network through MVRP, make
sure this VLAN is mapped to an MSTI when you configure the VLAN-to-instance mapping table.
For more information about MVRP, see "Configuring MVRP."
• The spanning tree configurations are mutually exclusive with any of the following features on a
port: RRPP, Smart Link, and L2PT.

Restrictions: Interface configuration

• Some spanning tree features are supported in Layer 2 Ethernet interface view and Layer 2
aggregate interface view. Unless otherwise stated, these views are collectively referred to as
interface view in this document. BPDU drop can be configured only in Layer 2 Ethernet
interface view.
• Configurations made in system view take effect globally. Configurations made in Layer 2
Ethernet interface view take effect only on the interface. Configurations made in Layer 2
aggregate interface view take effect only on the aggregate interface. Configurations made on
an aggregation member port can take effect only after the port is removed from the aggregation
group.
• After you enable a spanning tree protocol on a Layer 2 aggregate interface, the system
performs spanning tree calculation on the Layer 2 aggregate interface. It does not perform
spanning tree calculation on the aggregation member ports. The spanning tree protocol enable
state and forwarding state of each selected member port are consistent with those of the
corresponding Layer 2 aggregate interface.
• The member ports of an aggregation group do not participate in spanning tree calculation.
However, the ports still reserve their spanning tree configurations for participating in spanning
tree calculation after leaving the aggregation group.

Spanning tree protocol tasks at a glance

STP tasks at a glance
Configuring the root bridge
To configure the root bridge in STP mode, perform the following tasks:
1. Setting the spanning tree mode
Set the spanning tree mode to STP.
2. (Optional.) Configuring the root bridge or a secondary root bridge
3. (Optional.) Configuring the device priority
4. (Optional.) Configuring parameters that affects STP topology convergence
 Configuring the network diameter of a switched network

155
  Setting spanning tree timers
 Setting the timeout factor
 Configuring the BPDU transmission rate
5. (Optional.) Enabling outputting port state transition information
6. Enabling the spanning tree feature
7. (Optional.) Configuring advanced spanning tree features
 Configuring TC Snooping
 Configuring protection features
 Disabling the device from reactivating edge ports shut down by BPDU guard
 Enabling SNMP notifications for new-root election and topology change events
Configuring the leaf nodes
To configure the leaf nodes in STP mode, perform the following tasks:
1. Setting the spanning tree mode
Set the spanning tree mode to STP.
2. (Optional.) Configuring the device priority
3. (Optional.) Configuring parameters that affects STP topology convergence
 Setting the timeout factor
 Configuring the BPDU transmission rate
 Configuring path costs of ports
 Configuring the port priority
4. (Optional.) Enabling outputting port state transition information
5. Enabling the spanning tree feature
6. (Optional.) Configuring advanced spanning tree features
 Configuring TC Snooping
 Configuring protection features
 Disabling the device from reactivating edge ports shut down by BPDU guard
 Enabling SNMP notifications for new-root election and topology change events

RSTP tasks at a glance

Configuring the root bridge
To configure the root bridge in RSTP mode, perform the following tasks:
1. Setting the spanning tree mode
Set the spanning tree mode to RSTP.
2. (Optional.) Configuring the root bridge or a secondary root bridge
3. (Optional.) Configuring the device priority
4. (Optional.) Configuring parameters that affects RSTP topology convergence
 Configuring the network diameter of a switched network
 Setting spanning tree timers
 Setting the timeout factor
 Configuring the BPDU transmission rate
 Configuring edge ports
 Configuring the port link type
5. (Optional.) Enabling outputting port state transition information

156
 6. Enabling the spanning tree feature
7. (Optional.) Configuring advanced spanning tree features
 Performing mCheck
 Configuring TC Snooping
 Configuring protection features
 Disabling the device from reactivating edge ports shut down by BPDU guard
 Enabling SNMP notifications for new-root election and topology change events
Configuring the leaf nodes
To configure the leaf nodes in RSTP mode, perform the following tasks:
1. Setting the spanning tree mode
Set the spanning tree mode to RSTP.
2. (Optional.) Configuring the device priority
3. (Optional.) Configuring parameters that affects RSTP topology convergence
 Setting the timeout factor
 Configuring the BPDU transmission rate
 Configuring edge ports
 Configuring path costs of ports
 Configuring the port priority
 Configuring the port link type
4. (Optional.) Enabling outputting port state transition information
5. Enabling the spanning tree feature
6. (Optional.) Configuring advanced spanning tree features
 Performing mCheck
 Configuring TC Snooping
 Configuring protection features
 Disabling the device from reactivating edge ports shut down by BPDU guard
 Enabling SNMP notifications for new-root election and topology change events

PVST tasks at a glance

Configuring the root bridge
To configure the root bridge in PVST mode, perform the following tasks:
1. Setting the spanning tree mode
Set the spanning tree mode to PVST.
2. (Optional.) Configuring the root bridge or a secondary root bridge
3. (Optional.) Configuring the device priority
4. (Optional.) Configuring parameters that affects PVST topology convergence
 Configuring the network diameter of a switched network
 Setting spanning tree timers
 Setting the timeout factor
 Configuring the BPDU transmission rate
 Configuring edge ports
 Configuring the port link type
5. (Optional.) Enabling outputting port state transition information

157
 6. Enabling the spanning tree feature
7. (Optional.) Configuring advanced spanning tree features
 Performing mCheck
 Disabling inconsistent PVID protection
 Configuring protection features
 Enabling the device to log events of detecting or receiving TC BPDUs
 Disabling the device from reactivating edge ports shut down by BPDU guard
 Enabling SNMP notifications for new-root election and topology change events
Configuring the leaf nodes
To configure the leaf nodes in PVST mode, perform the following tasks:
1. Setting the spanning tree mode
Set the spanning tree mode to PVST.
2. (Optional.) Configuring the device priority
3. (Optional.) Configuring parameters that affects PVST topology convergence
 Setting the timeout factor
 Configuring the BPDU transmission rate
 Configuring edge ports
 Configuring path costs of ports
 Configuring the port priority
 Configuring the port link type
4. (Optional.) Enabling outputting port state transition information
5. Enabling the spanning tree feature
6. (Optional.) Configuring advanced spanning tree features
 Performing mCheck
 Disabling inconsistent PVID protection
 Configuring protection features
 Enabling the device to log events of detecting or receiving TC BPDUs
 Disabling the device from reactivating edge ports shut down by BPDU guard
 Enabling SNMP notifications for new-root election and topology change events

MSTP tasks at a glance

Configuring the root bridge
To configure the root bridge in MSTP mode, perform the following tasks:
1. Setting the spanning tree mode
Set the spanning tree mode to MSTP.
2. Configuring an MST region
3. (Optional.) Configuring the root bridge or a secondary root bridge
4. (Optional.) Configuring the device priority
5. (Optional.) Configuring parameters that affects MSTP topology convergence
 Configuring the maximum hops of an MST region
 Configuring the network diameter of a switched network
 Setting spanning tree timers
 Setting the timeout factor

158
  Configuring the BPDU transmission rate
 Configuring edge ports
 Configuring the port link type
6. (Optional.) Configuring the mode a port uses to recognize and send MSTP frames
7. (Optional.) Enabling outputting port state transition information
8. Enabling the spanning tree feature
9. (Optional.) Configuring advanced spanning tree features
 Performing mCheck
 Configuring Digest Snooping
 Configuring No Agreement Check
 Configuring TC Snooping
 Configuring protection features
 Disabling the device from reactivating edge ports shut down by BPDU guard
 Enabling SNMP notifications for new-root election and topology change events
Configuring the leaf nodes
To configure the leaf nodes in MSTP mode, perform the following tasks:
1. Setting the spanning tree mode
Set the spanning tree mode to MSTP.
2. Configuring an MST region
3. (Optional.) Configuring the device priority
4. (Optional.) Configuring parameters that affects MSTP topology convergence
 Setting the timeout factor
 Configuring the BPDU transmission rate
 Configuring edge ports
 Configuring path costs of ports
 Configuring the port priority
 Configuring the port link type
5. (Optional.) Configuring the mode a port uses to recognize and send MSTP frames
6. (Optional.) Enabling outputting port state transition information
7. Enabling the spanning tree feature
8. (Optional.) Configuring advanced spanning tree features
 Performing mCheck
 Configuring Digest Snooping
 Configuring No Agreement Check
 Configuring TC Snooping
 Configuring protection features
 Disabling the device from reactivating edge ports shut down by BPDU guard
 Enabling SNMP notifications for new-root election and topology change events

Setting the spanning tree mode

About this task
The spanning tree modes include:

159
 • STP mode—All ports of the device send STP BPDUs. Select this mode when the peer device
of a port supports only STP.
• RSTP mode—All ports of the device send RSTP BPDUs. A port in this mode automatically
transits to the STP mode when it receives STP BPDUs from the peer device. A port in this mode
does not transit to the MSTP mode when it receives MSTP BPDUs from the peer device.
• PVST mode—All ports of the device send PVST BPDUs. Each VLAN maintains a spanning
tree. In a network, the amount of spanning trees maintained by all devices equals the number of
PVST-enabled VLANs multiplied by the number of PVST-enabled ports. If the amount of
spanning trees exceeds the capacity of the network, device CPUs will be overloaded. Packet
forwarding is interrupted, and the network becomes unstable. The device can maintain
spanning trees for 128 VLANs.
• MSTP mode—All ports of the device send MSTP BPDUs. A port in this mode automatically
transits to the STP mode when receiving STP BPDUs from the peer device. A port in this mode
does not transit to the RSTP mode when receiving RSTP BPDUs from the peer device.
Restrictions and guidelines
The MSTP mode is compatible with the RSTP mode, and the RSTP mode is compatible with the STP
mode.
Compatibility of the PVST mode depends on the link type of a port.
• On an access port, the PVST mode is compatible with other spanning tree modes in all VLANs.
• On a trunk port or hybrid port, the PVST mode is compatible with other spanning tree modes
only in the default VLAN.
Procedure
1. Enter system view.
system-view
2. Set the spanning tree mode.
stp mode { mstp | pvst | rstp | stp }
The default setting is the MSTP mode.

Configuring an MST region

About this task
Spanning tree devices belong to the same MST region if they are both connected through a physical
link and configured with the following details:
• Format selector (0 by default, not configurable).
• MST region name.
• MST region revision level.
• VLAN-to-instance mapping entries in the MST region.
The configuration of MST region-related parameters (especially the VLAN-to-instance mapping table)
might cause MSTP to begin a new spanning tree calculation. To reduce the possibility of topology
instability, the MST region configuration takes effect only after you activate it by doing one of the
following:
• Use the active region-configuration command.
• Enable a spanning tree protocol by using the stp global enable command if the spanning
tree protocol is disabled.
Restrictions and guidelines
In STP, RSTP, or PVST mode, MST region configurations do not take effect.

160
Procedure
1. Enter system view.
system-view
2. Enter MST region view.
stp region-configuration
3. Configure the MST region name.
region-name name
The default setting is the MAC address.
4. Configure the VLAN-to-instance mapping table. Choose one option as needed:
 Map a list of VLANs to an MSTI.
instance instance-id vlan vlan-id-list
 Quickly create a VLAN-to-instance mapping table.
vlan-mapping modulo modulo
By default, all VLANs in an MST region are mapped to the CIST (or MSTI 0).
5. Configure the MSTP revision level of the MST region.
revision-level level
The default setting is 0.
6. (Optional.) Display the MST region configurations that are not activated yet.
check region-configuration
7. Manually activate MST region configuration.
active region-configuration

Configuring the root bridge or a secondary root

bridge
Restrictions and guidelines
You can have the spanning tree protocol determine the root bridge of a spanning tree through
calculation. You can also specify a device as the root bridge or as a secondary root bridge.
When you specify a device as the root bridge or as a secondary root bridge, follow these restrictions
and guidelines:
• A device has independent roles in different spanning trees. It can act as the root bridge in one
spanning tree and as a secondary root bridge in another. However, one device cannot be the
root bridge and a secondary root bridge in the same spanning tree.
• If you specify the root bridge for a spanning tree, no new root bridge is elected according to the
device priority settings. Once you specify a device as the root bridge or a secondary root bridge,
you cannot change the priority of the device.
• You can configure a device as the root bridge by setting the device priority to 0. For the device
priority configuration, see "Configuring the device priority."

Configuring the device as the root bridge of a spanning tree

1. Enter system view.
system-view
2. Configure the device as the root bridge.

161
  In STP/RSTP mode:
stp root primary
 In PVST mode:
stp vlan vlan-id-list root primary
 In MSTP mode:
stp [ instance instance-list ] root primary
By default, the device is not a root bridge.

Configuring the device as a secondary root bridge of a

spanning tree
1. Enter system view.
system-view
2. Configure the device as a secondary root bridge.
 In STP/RSTP mode:
stp root secondary
 In PVST mode:
stp vlan vlan-id-list root secondary
 In MSTP mode:
stp [ instance instance-list ] root secondary
By default, the device is not a secondary root bridge.

Configuring the device priority

About this task
Device priority is a factor in calculating the spanning tree. The priority of a device determines
whether the device can be elected as the root bridge of a spanning tree. A lower value indicates a
higher priority. You can set the priority of a device to a low value to specify the device as the root
bridge of the spanning tree. A spanning tree device can have different priorities in different spanning
trees.
During root bridge selection, if all devices in a spanning tree have the same priority, the one with the
lowest MAC address is selected. You cannot change the priority of a device after it is configured as
the root bridge or as a secondary root bridge.
Procedure
1. Enter system view.
system-view
2. Configure the priority of the device.
 In STP/RSTP mode:
stp priority priority
 In PVST mode:
stp vlan vlan-id-list priority priority
 In MSTP mode:
stp [ instance instance-list ] priority priority
The default setting is 32768.

162
Configuring the maximum hops of an MST region
About this task
Restrict the region size by setting the maximum hops of an MST region. The hop limit configured on
the regional root bridge is used as the hop limit for the MST region.
Configuration BPDUs sent by the regional root bridge always have a hop count set to the maximum
value. When a device receives this configuration BPDU, it decrements the hop count by one, and
uses the new hop count in the BPDUs that it propagates. When the hop count of a BPDU reaches
zero, it is discarded by the device that received it. Devices beyond the reach of the maximum hops
can no longer participate in spanning tree calculations, so the size of the MST region is limited.
Restrictions and guidelines
Make this configuration only on the root bridge. All other devices in the MST region use the maximum
hop value set for the root bridge.
You can configure the maximum hops of an MST region based on the STP network size. As a best
practice, set the maximum hops to a value that is greater than the maximum hops of each edge
device to the root bridge.
Procedure
1. Enter system view.
system-view
2. Configure the maximum hops of the MST region.
stp max-hops hops
The default setting is 20.

Configuring the network diameter of a switched

network
About this task
Any two terminal devices in a switched network can reach each other through a specific path, and
there are a series of devices on the path. The switched network diameter is the maximum number of
devices on the path for an edge device to reach another one in the switched network through the root
bridge. The network diameter indicates the network size. The bigger the diameter, the larger the
network size.
Based on the network diameter you configured, the system automatically sets an optimal hello time,
forward delay, and max age for the device.
In STP, RSTP, or MSTP mode, each MST region is considered a device. The configured network
diameter takes effect only on the CIST (or the common root bridge) but not on other MSTIs.
In PVST mode, the configured network diameter takes effect only on the root bridges of the specified
VLANs.
Procedure
1. Enter system view.
system-view
2. Configure the network diameter of the switched network.
 In STP/RSTP/MSTP mode:
stp bridge-diameter diameter
 In PVST mode:

163
 stp vlan vlan-id-list bridge-diameter diameter
The default setting is 7.

Setting spanning tree timers

About this task
The following timers are used for spanning tree calculation:
• Forward delay—Delay time for port state transition. To prevent temporary loops on a network,
the spanning tree feature sets an intermediate port state (the learning state) before it transits
from the discarding state to the forwarding state. The feature also requires that the port transit
its state after a forward delay timer. This ensures that the state transition of the local port stays
synchronized with the peer.
• Hello time—Interval at which the device sends configuration BPDUs to detect link failures. If
the device does not receive configuration BPDUs within the timeout period, it recalculates the
spanning tree. The formula for calculating the timeout period is timeout period = timeout factor ×
3 × hello time.
• Max age—In the CIST of an MSTP network, the device uses the max age timer to determine
whether a configuration BPDU received by a port has expired. If it is expired, a new spanning
tree calculation process starts. The max age timer does not take effect on MSTIs.
To ensure a fast topology convergence, make sure the timer settings meet the following formulas:
• 2 × (forward delay – 1 second) ≥ max age
• Max age ≥ 2 × (hello time + 1 second)
As a best practice, specify the network diameter and letting spanning tree protocols automatically
calculate the timers based on the network diameter instead of manually setting the spanning tree
timers. If the network diameter uses the default value, the timers also use their default values.
Set the timers only on the root bridge. The timer settings on the root bridge apply to all devices on the
entire switched network.
Restrictions and guidelines
• The length of the forward delay is related to the network diameter of the switched network. The
larger the network diameter is, the longer the forward delay time should be. As a best practice,
use the automatically calculated value because inappropriate forward delay setting might cause
temporary redundant paths or increase the network convergence time.
• An appropriate hello time setting enables the device to promptly detect link failures on the
network without using excessive network resources. If the hello time is too long, the device
mistakes packet loss for a link failure and triggers a new spanning tree calculation process. If
the hello time is too short, the device frequently sends the same configuration BPDUs, which
wastes device and network resources. As a best practice, use the automatically calculated
value.
• If the max age timer is too short, the device frequently begins spanning tree calculations and
might mistake network congestion as a link failure. If the max age timer is too long, the device
might fail to promptly detect link failures and quickly launch spanning tree calculations, reducing
the auto-sensing capability of the network. As a best practice, use the automatically calculated
value.
Procedure
1. Enter system view.
system-view
2. Set the forward delay timer.
 In STP/RSTP/MSTP mode:

164
 stp timer forward-delay time
 In PVST mode:
stp vlan vlan-id-list timer forward-delay time
The default setting is 15 seconds.
3. Set the hello timer.
 In STP/RSTP/MSTP mode:
stp timer hello time
 In PVST mode:
stp vlan vlan-id-list timer hello time
The default setting is 2 seconds.
4. Set the max age timer.
 In STP/RSTP/MSTP mode:
stp timer max-age time
 In PVST mode:
stp vlan vlan-id-list timer max-age time
The default setting is 20 seconds.

Setting the timeout factor

About this task
The timeout factor is a parameter used to decide the timeout period. The formula for calculating the
timeout period is: timeout period = timeout factor × 3 × hello time.
In a stable network, each non-root-bridge device forwards configuration BPDUs to the downstream
devices at the hello time interval to detect link failures. If a device does not receive a BPDU from the
upstream device within nine times the hello time, it assumes that the upstream device has failed.
Then, it starts a new spanning tree calculation process.
Restrictions and guidelines
As a best practice, set the timeout factor to 5, 6, or 7 in the following situations:
• To prevent undesired spanning tree calculations. An upstream device might be too busy to
forward configuration BPDUs in time, for example, many Layer 2 interfaces are configured on
the upstream device. In this case, the downstream device fails to receive a BPDU within the
timeout period and then starts an undesired spanning tree calculation.
• To save network resources on a stable network.
Procedure
1. Enter system view.
system-view
2. Set the timeout factor of the device.
stp timer-factor factor
The default setting is 3.

Configuring the BPDU transmission rate

About this task
The maximum number of BPDUs a port can send within each hello time equals the BPDU
transmission rate plus the hello timer value.

165
 The higher the BPDU transmission rate, the more BPDUs are sent within each hello time, and the
more system resources are used. By setting an appropriate BPDU transmission rate, you can limit
the rate at which the port sends BPDUs. Setting an appropriate rate also prevents spanning tree
protocols from using excessive network resources when the network topology changes.
Restrictions and guidelines
The BPDU transmission rate depends on the physical status of the port and the network structure.
As a best practice, use the default setting.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the BPDU transmission rate of the ports.
stp transmit-limit limit
The default setting is 10.

Configuring edge ports

About this task
If a port directly connects to a user terminal rather than another device or a shared LAN segment,
this port is regarded as an edge port. When network topology change occurs, an edge port will not
cause a temporary loop. Because a device does not determine whether a port is directly connected
to a terminal, you must manually configure the port as an edge port. After that, the port can rapidly
transit from the blocking state to the forwarding state.
Restrictions and guidelines
• If BPDU guard is disabled on a port configured as an edge port, the port becomes a non-edge
port again if it receives a BPDU from another port. To restore the edge port, re-enable it.
• If a port directly connects to a user terminal, configure it as an edge port and enable BPDU
guard for it. This enables the port to quickly transit to the forwarding state when ensuring
network security.
• After spanning tree is enabled on an interface, the system checks whether the interface
receives BPDUs within twice the hello time plus 1 second. If no BPDUs are received, the device
automatically assigns the edge port role to the interface. The edge port role assigned by using
the stp edged-port command takes precedence over the system assigned edge port role.
• On a port, the loop guard feature and the edge port setting are mutually exclusive.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the port as an edge port.
stp edged-port
By default, all ports are non-edge ports.

166
Configuring path costs of ports
About path cost
Path cost is a parameter related to the link speed of a port. On a spanning tree device, a port can
have different path costs in different MSTIs. Setting appropriate path costs allows VLAN traffic flows
to be forwarded along different physical links, achieving VLAN-based load balancing.
You can have the device automatically calculate the default path cost, or you can configure the path
cost for ports.

Specifying a standard for the default path cost calculation

About this task
You can specify a standard for the device to use in automatic calculation for the default path cost.
The device supports the following standards:
• dot1d-1998—The device calculates the default path cost for ports based on IEEE 802.1d-1998.
• dot1t—The device calculates the default path cost for ports based on IEEE 802.1t.
• legacy—The device calculates the default path cost for ports based on a private standard.
Table 15 Mappings between the link speed (100M and below) and the path cost

Path cost
Link speed Port type IEEE Private
IEEE 802.1t
802.1d-1998 standard
0 N/A 65535 200000000 200000
Single port 2000000 2000
Aggregate interface
containing two Selected 1000000 1800
ports

10 Mbps Aggregate interface 100

containing three Selected 666666 1600
ports
Aggregate interface
containing four Selected 500000 1400
ports

Single port 200000 200

Aggregate interface
containing two Selected 100000 180
ports

100 Mbps Aggregate interface 19

containing three Selected 66666 160
ports

Aggregate interface
containing four Selected 50000 140
ports

167
Table 16 Mappings between the link speed (1000M) and the path cost

Path cost
Link speed Port type IEEE Private
IEEE 802.1t
802.1d-1998 standard
Single port 20000 20
Aggregate interface
containing two Selected 10000 18
ports

1000 Mbps Aggregate interface 4

containing three Selected 6666 16
ports
Aggregate interface
containing four Selected 5000 14
ports

Table 17 Mappings between the link speed (2.5G) and the path cost

Path cost
Link speed Port type IEEE Private
IEEE 802.1t
802.1D-1998 standard
Single port 8000 17
Aggregate interface
containing two Selected 4000 12
ports

2.5 Gbps Aggregate interface 2

containing three Selected 2666 7
ports
Aggregate interface
containing four Selected 2000 2
ports

Table 18 Mappings between the link speed (5G) and the path cost

Path cost
Link speed Port type IEEE Private
IEEE 802.1t
802.1D-1998 standard
Single port 4000 12
Aggregate interface
containing two Selected 2000 2
ports

5 Gbps Aggregate interface 2

containing three Selected 1333 1
ports
Aggregate interface
containing four Selected 1000 1
ports

168
 Table 19 Mappings between the link speed (10G) and the path cost

Path cost
Link speed Port type IEEE Private
IEEE 802.1t
802.1d-1998 standard
Single port 2000 2
Aggregate interface
containing two Selected 1000 1
ports

10 Gbps Aggregate interface 2

containing three Selected 666 1
ports
Aggregate interface
containing four Selected 500 1
ports

Table 20 Mappings between the link speed (40G) and the path cost

Path cost
Link speed Port type IEEE Private
IEEE 802.1t
802.1d-1998 standard
Single port 500 1
Aggregate interface
containing two Selected 250 1
ports

40 Gbps Aggregate interface 1

containing three Selected 166 1
ports
Aggregate interface
containing four Selected 125 1
ports

Restrictions and guidelines

If you change the standard for the default path cost calculation, you restore the path costs to the
default.
When the device calculates the path cost for an aggregate interface, IEEE 802.1t takes into account
the number of Selected ports in its aggregation group. However, IEEE 802.1d-1998 does not take
into account the number of Selected ports. The calculation formula of IEEE 802.1t is: Path cost =
200,000,000/link speed (in 100 kbps). The link speed is the sum of the link speed values of the
Selected ports in the aggregation group.
IEEE 802.1d-1998 or the private standard always assigns the smallest possible value to a single port
or aggregate interface with a speed exceeding 10 Gbps. The forwarding path selected based on this
criterion might not be the best one. To solve this problem, perform one of the following tasks:
• Use dot1t as the standard for default path cost calculation.
• Manually set the path cost for the port (see "Configuring path costs of ports").
Procedure
1. Enter system view.
system-view
2. Specify a standard for the default path costs calculation.

169
 stp pathcost-standard { dot1d-1998 | dot1t | legacy }
By default, the device uses legacy to calculate the default path costs of its ports.

Configuring path costs of ports

Restrictions and guidelines
When the path cost of a port changes, the system recalculates the port role and initiates a state
transition.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the path cost of the ports.
 In STP/RSTP mode:
stp cost cost-value
 In PVST mode:
stp vlan vlan-id-list cost cost-value
 In MSTP mode:
stp [ instance instance-list ] cost cost-value
By default, the system automatically calculates the path cost of each port.

Configuring the port priority

About this task
The priority of a port is a factor that determines whether the port can be elected as the root port of a
device. If all other conditions are the same, the port with the highest priority is elected as the root
port.
On a spanning tree device, a port can have different priorities and play different roles in different
spanning trees. As a result, data of different VLANs can be propagated along different physical paths,
implementing per-VLAN load balancing. You can set port priority values based on the actual
networking requirements.
Restrictions and guidelines
When the priority of a port changes, the system recalculates the port role and initiates a state
transition. Prepare for the network topology change before configuring the port priority.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the port priority.
 In STP/RSTP mode:
stp port priority priority
 In PVST mode:

170
 stp vlan vlan-id-list port priority priority
 In MSTP mode:
stp [ instance instance-list ] port priority priority
The default setting is 128 for all ports.

Configuring the port link type

About this task
A point-to-point link directly connects two devices. If two root ports or designated ports are connected
over a point-to-point link, they can rapidly transit to the forwarding state after a proposal-agreement
handshake process.
Restrictions and guidelines
• You can configure the link type as point-to-point for a Layer 2 aggregate interface or a port that
operates in full duplex mode. As a best practice, use the default setting and let the device
automatically detect the port link type.
• In PVST or MSTP mode, the stp point-to-point force-false or stp
point-to-point force-true command configured on a port takes effect on all VLANs or
all MSTIs.
• Before you set the link type of a port to point-to-point, make sure the port is connected to a
point-to-point link. Otherwise, a temporary loop might occur.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the port link type.
stp point-to-point { auto | force-false | force-true }
By default, the link type is auto where the port automatically detects the link type.

Configuring the mode a port uses to recognize

and send MSTP frames
About this task
A port can receive and send MSTP frames in the following formats:
• dot1s—802.1s-compliant standard format
• legacy—Compatible format
By default, the frame format recognition mode of a port is auto. The port automatically distinguishes
the two MSTP frame formats, and determines the format of frames that it will send based on the
recognized format.
You can configure the MSTP frame format on a port. Then, the port sends only MSTP frames of the
configured format to communicate with devices that send frames of the same format.
By default, a port in auto mode sends 802.1s MSTP frames. When the port receives an MSTP frame
of a legacy format, the port starts to send frames only of the legacy format. This prevents the port
from frequently changing the format of sent frames. To configure the port to send 802.1s MSTP
frames, shut down and then bring up the port.

171
Restrictions and guidelines
When the number of existing MSTIs exceeds 48, the port can send only 802.1s MSTP frames.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the mode that the port uses to recognize/send MSTP frames.
stp compliance { auto | dot1s | legacy }
The default setting is auto.

Enabling outputting port state transition

information
About this task
In a large-scale spanning tree network, you can enable devices to output the port state transition
information. Then, you can monitor the port states in real time.
Procedure
1. Enter system view.
system-view
2. Enable outputting port state transition information.
 In STP/RSTP mode:
stp port-log instance 0
 In PVST mode:
stp port-log vlan vlan-id-list
 In MSTP mode:
stp port-log { all | instance instance-list }
By default, outputting port state transition information is disabled.

Enabling the spanning tree feature

Restrictions and guidelines
You must enable the spanning tree feature for the device before any other spanning tree related
configurations can take effect. In STP, RSTP, or MSTP mode, make sure the spanning tree feature is
enabled globally and on the desired ports. In PVST mode, make sure the spanning tree feature is
enabled globally, in the desired VLANs, and on the desired ports.
To exclude specific ports from spanning tree calculation and save CPU resources, disable the
spanning tree feature for these ports with the undo stp enable command. Make sure no loops
occur in the network after you disable the spanning tree feature on these ports.

172
Enabling the spanning tree feature in STP/RSTP/MSTP
mode
1. Enter system view.
system-view
2. Enable the spanning tree feature.
stp global enable
When the device starts up with initial settings, the spanning tree feature is globally disabled by
default.
When the device starts up with factory defaults, the spanning tree feature is globally enabled by
default.
For more information about the initial settings and factory defaults, see Fundamentals
Configuration Guide.
3. Enter interface view.
interface interface-type interface-number
4. Enable the spanning tree feature for the port.
stp enable
By default, the spanning tree feature is enabled on all ports.

Enabling the spanning tree feature in PVST mode

1. Enter system view.
system-view
2. Enable the spanning tree feature.
stp global enable
When the device starts up with initial settings, the spanning tree feature is globally disabled by
default.
When the device starts up with factory defaults, the spanning tree feature is globally enabled by
default.
For more information about the initial settings and factory defaults, see Fundamentals
Configuration Guide.
3. Enable the spanning tree feature in VLANs.
stp vlan vlan-id-list enable
By default, the spanning tree feature is enabled in VLANs.
4. Enter interface view.
interface interface-type interface-number
5. Enable the spanning tree feature on the port.
stp enable
By default, the spanning tree feature is enabled on all ports.

Performing mCheck
About mCheck
The mCheck feature enables user intervention in the port state transition process.

173
 When a port on an MSTP, RSTP, or PVST device connects to an STP device and receives STP
BPDUs, the port automatically transits to the STP mode. However, the port cannot automatically
transit back to the original mode when the following conditions exist:
• The peer STP device is shut down or removed.
• The port cannot detect the change.
To forcibly transit the port to operate in the original mode, you can perform an mCheck operation.
For example, Device A, Device B, and Device C are connected in sequence. Device A runs STP,
Device B does not run any spanning tree protocol, and Device C runs RSTP, PVST, or MSTP. In this
case, when Device C receives an STP BPDU transparently transmitted by Device B, the receiving
port transits to the STP mode. If you configure Device B to run RSTP, PVST, or MSTP with Device C,
you must perform mCheck operations on the ports interconnecting Device B and Device C.

Restrictions and guidelines

The mCheck operation takes effect on devices operating in MSTP, PVST, or RSTP mode.

Performing mCheck globally

1. Enter system view.
system-view
2. Perform mCheck.
stp global mcheck

Performing mCheck in interface view

1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Perform mCheck.
stp mcheck

Disabling inconsistent PVID protection

About this task
In PVST, if two connected ports use different PVIDs, PVST calculation errors might occur. By default,
inconsistent PVID protection is enabled to avoid PVST calculation errors. If PVID inconsistency is
detected on a port, the system blocks the port.
Restrictions and guidelines
If different PVIDs are required on two connected ports, disable inconsistent PVID protection on the
devices that host the ports. To avoid PVST calculation errors, make sure the following requirements
are met:
• Make sure the VLANs on one device do not use the same ID as the PVID of its peer port (except
the default VLAN) on another device.
• If the local port or its peer is a hybrid port, do not configure the local and peer ports as untagged
members of the same VLAN.
• Disable inconsistent PVID protection on both the local device and the peer device.

174
 This feature takes effect only when the device is operating in PVST mode.
Procedure
1. Enter system view.
system-view
2. Disable the inconsistent PVID protection feature.
stp ignore-pvid-inconsistency
By default, the inconsistent PVID protection feature is enabled.

Configuring Digest Snooping

About this task
As defined in IEEE 802.1s, connected devices are in the same region only when they have the same
MST region-related configurations, including:
• Region name.
• Revision level.
• VLAN-to-instance mappings.
A spanning tree device identifies devices in the same MST region by determining the configuration
ID in BPDUs. The configuration ID includes the region name, revision level, and configuration digest.
It is 16-byte long and is the result calculated through the HMAC-MD5 algorithm based on
VLAN-to-instance mappings.
Because spanning tree implementations vary by vendor, the configuration digests calculated through
private keys are different. The devices of different vendors in the same MST region cannot
communicate with each other.
To enable communication between an HPE device and a third-party device in the same MST region,
enable Digest Snooping on the HPE device port connecting them.
Restrictions and guidelines

CAUTION:
Use caution with global Digest Snooping in the following situations:
• When you modify the VLAN-to-instance mappings.
• When you restore the default MST region configuration.
If the local device has different VLAN-to-instance mappings than its neighboring devices, loops or
traffic interruption will occur.

• Before you enable Digest Snooping, make sure associated devices of different vendors are
connected and run spanning tree protocols.
• With Digest Snooping enabled, in-the-same-region verification does not require comparison of
configuration digest. The VLAN-to-instance mappings must be the same on associated ports.
• To make Digest Snooping take effect, you must enable Digest Snooping both globally and on
associated ports. As a best practice, enable Digest Snooping on all associated ports first and
then enable it globally. This will make the configuration take effect on all configured ports and
reduce impact on the network.
• To prevent loops, do not enable Digest Snooping on MST region edge ports.
• As a best practice, enable Digest Snooping first and then enable the spanning tree feature. To
avoid traffic interruption, do not configure Digest Snooping when the network is already working
well.

175
Prerequisites
Before configuring Digest Snooping, you need to make sure your HPE device and the third-party
device both run spanning tree protocols properly.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable Digest Snooping on the interface.
stp config-digest-snooping
By default, Digest Snooping is disabled on ports.
4. Return to system view.
quit
5. Enable Digest Snooping globally.
stp global config-digest-snooping
By default, Digest Snooping is disabled globally.

Configuring No Agreement Check

About this task
In RSTP and MSTP, the following types of messages are used for rapid state transition on
designated ports:
• Proposal—Sent by designated ports to request rapid transition
• Agreement—Used to acknowledge rapid transition requests
Both RSTP and MSTP devices can perform rapid transition on a designated port only when the port
receives an agreement packet from the downstream device. RSTP and MSTP devices have the
following differences:
• For MSTP, the root port of the downstream device sends an agreement packet only after it
receives an agreement packet from the upstream device.
• For RSTP, the downstream device sends an agreement packet whether or not an agreement
packet from the upstream device is received.
Figure 52 Rapid state transition of an MSTP designated port
Upstream device Downstream device

(1) Proposal for rapid transition The root port blocks non-edge
ports.

The root port changes to the

(2) Agreement forwarding state and sends an
Agreement to the upstream
device.

The designated port (3) Agreement

changes to the
forwarding state.

Root port Designated port

176
 Figure 53 Rapid state transition of an RSTP designated port
Upstream device Downstream device

The root port blocks non-edge

(1) Proposal for rapid transition ports, changes to the forwarding
state, and sends an Agreement to
the upstream device.

The designated (2) Agreement

port changes to the
forwarding state.

Root port Designated port

If the upstream device is a third-party device, the rapid state transition implementation might be
limited as follows:
• The upstream device uses a rapid transition mechanism similar to that of RSTP.
• The downstream device runs MSTP and does not operate in RSTP mode.
In this case, the following occurs:
1. The root port on the downstream device receives no agreement from the upstream device.
2. It sends no agreement to the upstream device.
As a result, the designated port of the upstream device can transit to the forwarding state only after a
period twice the forward delay.
To enable the designated port of the upstream device to transit its state rapidly, enable No
Agreement Check on the downstream device's port.
Restrictions and guidelines
Configure No Agreement Check on the root port of your device, because this feature takes effect
only if it's configured on root ports.
Prerequisites
Before you configure the No Agreement Check feature, complete the following tasks:
• Connect a device to a third-party upstream device that supports spanning tree protocols
through a point-to-point link.
• Configure the same region name, revision level, and VLAN-to-instance mappings on the two
devices.
Procedure
Enable the No Agreement Check feature on the root port.
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable No Agreement Check.
stp no-agreement-check
By default, No Agreement Check is disabled.

177
Configuring TC Snooping
About this task
As shown in Figure 54, an IRF fabric connects to two user networks through double links.
• Device A and Device B form the IRF fabric.
• The spanning tree feature is disabled on Device A and Device B and enabled on all devices in
user network 1 and user network 2.
• The IRF fabric transparently transmits BPDUs for both user networks and is not involved in the
calculation of spanning trees.
When the network topology changes, it takes time for the IRF fabric to update its MAC address table
and ARP table. During this period, traffic in the network might be interrupted.
Figure 54 TC Snooping application scenario
IRF

Device A Device B
IRF link

User network 1 User network 2

To avoid traffic interruption, you can enable TC Snooping on the IRF fabric. After receiving a
TC-BPDU through a port, the IRF fabric updates MAC address table and ARP table entries
associated with the port's VLAN. In this way, TC Snooping prevents topology change from
interrupting traffic forwarding in the network. For more information about the MAC address table and
the ARP table, see "Configuring the MAC address table" and Layer 3—IP Services Configuration
Guide.
Restrictions and guidelines
• TC Snooping and the spanning tree feature are mutually exclusive. You must globally disable
the spanning tree feature before enabling TC Snooping.
• The priority of BPDU tunneling is higher than that of TC Snooping. When BPDU tunneling is
enabled on a port, the TC Snooping feature does not take effect on the port.
• TC Snooping does not support the PVST mode.
Procedure
1. Enter system view.
system-view
2. Globally disable the spanning tree feature.
undo stp global enable
When the device starts up with initial settings, the spanning tree feature is globally disabled.
When the device starts up with factory defaults, the spanning tree feature is globally enabled.

178
 For more information about the initial settings and factory defaults, see Fundamentals
Configuration Guide.
3. Enable TC Snooping.
stp tc-snooping
By default, TC Snooping is disabled.

Configuring protection features

Spanning tree protection tasks at a glance
All spanning tree protection tasks are optional.
• Configuring BPDU guard
• Configuring BPDU filter
• Enabling root guard
• Enabling loop guard
• Configuring port role restriction
• Configuring TC-BPDU transmission restriction
• Enabling TC-BPDU guard
• Enabling BPDU drop
• Enabling PVST BPDU guard
• Disabling dispute guard

Configuring BPDU guard

About this task
For access layer devices, the access ports can directly connect to the user terminals (such as PCs)
or file servers. The access ports are configured as edge ports to allow rapid transition. When these
ports receive configuration BPDUs, the system automatically sets the ports as non-edge ports and
starts a new spanning tree calculation process. This causes a change of network topology. Under
normal conditions, these ports should not receive configuration BPDUs. However, if someone uses
configuration BPDUs maliciously to attack the devices, the network will become unstable.
The spanning tree protocol provides the BPDU guard feature to protect the system against such
attacks. When ports with BPDU guard enabled receive configuration BPDUs on a device, the device
performs the following operations:
• Shuts down these ports.
• Notifies the NMS that these ports have been shut down by the spanning tree protocol.
The device reactivates the ports that have been shut down when the port status detection timer
expires. You can set this timer by using the shutdown-interval command. For more information
about this command, see device management commands in Fundamentals Command Reference.
Restrictions and guidelines
You can configure the BPDU guard feature in system view or on a per-port basis. A port preferentially
uses the port-specific BPDU guard setting. If the port-specific BPDU guard setting is not available,
the port uses the global BPDU guard setting.
Configure BPDU guard on ports which directly connect to a user terminal rather than other device or
shared LAN segment.

179
 Global BPDU guard takes effect only on the edge ports configured by using the stp edged-port
command. For the BPDU guard feature to take effect on a non-edge port, use the port-specific BPDU
guard setting.
BPDU guard does not take effect on loopback-testing-enabled ports. For more information about
loopback testing, see Ethernet interface configuration in Interface Configuration Guide.
Enabling BPDU guard in system view
1. Enter system view.
system-view
2. Enable BPDU guard globally.
stp bpdu-protection
By default, BPDU guard is globally disabled.
Configuring BPDU guard in interface view
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure BPDU guard.
stp port bpdu-protection { enable | disable }
By default, the enabling status of BPDU guard on an interface is the same as that of global
BPDU guard. BPDU guard is not configured on non-edge ports.

Configuring BPDU filter

About this task
To prevent undesired spanning tree calculation and network flapping in the networks attached to an
edge device, enable BPDU filter on the device to disable its ports from sending BPDUs.
Restrictions and guidelines

IMPORTANT:
With BPDU filter enabled, a port does not send any BPDUs and ignores all incoming BPDUs
regardless of whether it is an edge port. Make sure you are fully aware of the impacts of this feature
before you enable it on a port.

You can configure the BPDU filter feature globally or on a per-port basis. A port preferentially uses
the port-specific BPDU filter setting. If the port-specific BPDU filter setting is not available, the port
uses the global BPDU filter setting.
The global BPDU filter setting takes effect on all edge ports configured by using the stp
edged-port command. With BPDU filter enabled globally, edge ports no longer send BPDUs, and
they will become non-edge ports to participate in spanning tree calculation after receiving BPDUs.
Enabling BPDU filter globally
1. Enter system view.
system-view
2. Enable BPDU filter globally.
stp bpdu-filter
By default, BPDU filter is disabled globally.

180
Configuring BPDU filter on a port
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure BPDU filter on the interface.
stp port bpdu-filter { disable | enable }
By default, the enabling status of BPDU filter on an edge port is the same as that of global
BPDU filter. The BPDU filter feature is disabled on non-edge ports.

Enabling root guard

About this task
Configure root guard on a designated port.
The root bridge and secondary root bridge of a spanning tree should be located in the same MST
region. Especially for the CIST, the root bridge and secondary root bridge are put in a high-bandwidth
core region during network design. However, due to possible configuration errors or malicious
attacks in the network, the legal root bridge might receive a configuration BPDU with a higher priority.
Another device supersedes the current legal root bridge, causing an undesired change of the
network topology. The traffic that should go over high-speed links is switched to low-speed links,
resulting in network congestion.
To prevent this situation, MSTP provides the root guard feature. If root guard is enabled on a port of
a root bridge, this port plays the role of designated port on all MSTIs. After this port receives a
configuration BPDU with a higher priority from an MSTI, it performs the following operations:
• Immediately sets that port to the listening state in the MSTI.
• Does not forward the received configuration BPDU.
This is equivalent to disconnecting the link connected to this port in the MSTI. If the port receives no
BPDUs with a higher priority within twice the forwarding delay, it reverts to its original state.
Restrictions and guidelines
On a port, the loop guard feature and the root guard feature are mutually exclusive.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable the root guard feature.
stp root-protection
By default, root guard is disabled.

Enabling loop guard

About this task
Configure loop guard on the root port and alternate ports of a device.
By continuing to receive BPDUs from the upstream device, a device can maintain the state of the
root port and blocked ports. However, link congestion or unidirectional link failures might cause these

181
 ports to fail to receive BPDUs from the upstream devices. In this situation, the device reselects the
following port roles:
• Those ports in forwarding state that failed to receive upstream BPDUs become designated
ports.
• The blocked ports transit to the forwarding state.
As a result, loops occur in the switched network. The loop guard feature can suppress the
occurrence of such loops.
The initial state of a loop guard-enabled port is discarding in every MSTI. When the port receives
BPDUs, it transits its state. Otherwise, it stays in the discarding state to prevent temporary loops.
Restrictions and guidelines
Do not enable loop guard on a port that connects user terminals. Otherwise, the port stays in the
discarding state in all MSTIs because it cannot receive BPDUs.
On a port, the loop guard feature is mutually exclusive with the root guard feature or the edge port
setting.
A loop guard-enabled interface can receive BPDUs and transit from the discarding state to the
forwarding state after two forward delays if one of the following events occurs:
• The state of the interface changes from down to up.
• The spanning tree feature is enabled on the up interface.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable the loop guard feature.
stp loop-protection
By default, loop guard is disabled.

Configuring port role restriction

About this task
Make this configuration on the port that connects to the user access network.
The bridge ID change of a device in the user access network might cause a change to the spanning
tree topology in the core network. To avoid this problem, you can enable port role restriction on a port.
With this feature enabled, when the port receives a superior BPDU, it becomes an alternate port
rather than a root port.
Restrictions and guidelines
Use this feature with caution, because enabling port role restriction on a port might affect the
connectivity of the spanning tree topology.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable port role restriction.
stp role-restriction

182
 By default, port role restriction is disabled.

Configuring TC-BPDU transmission restriction

About this task
Make this configuration on the port that connects to the user access network.
The topology change to the user access network might cause the forwarding address changes to the
core network. When the user access network topology is unstable, the user access network might
affect the core network. To avoid this problem, you can enable TC-BPDU transmission restriction on
a port. With this feature enabled, when the port receives a TC-BPDU, it does not forward the
TC-BPDU to other ports.
Restrictions and guidelines
Enabling TC-BPDU transmission restriction on a port might cause the previous forwarding address
table to fail to be updated when the topology changes.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable TC-BPDU transmission restriction.
stp tc-restriction
By default, TC-BPDU transmission restriction is disabled.

Enabling TC-BPDU guard

About this task
When a device receives topology change (TC) BPDUs (the BPDUs that notify devices of topology
changes), it flushes its forwarding address entries. If someone uses TC-BPDUs to attack the device,
the device will receive a large number of TC-BPDUs within a short time. Then, the device is busy with
forwarding address entry flushing. This affects network stability.
TC-BPDU guard allows you to set the maximum number of immediate forwarding address entry
flushes performed within 10 seconds after the device receives the first TC-BPDU. For TC-BPDUs
received in excess of the limit, the device performs a forwarding address entry flush when the time
period expires. This prevents frequent flushing of forwarding address entries.
Restrictions and guidelines
As a best practice, enable TC-BPDU guard.
Procedure
1. Enter system view.
system-view
2. Enable the TC-BPDU guard feature.
stp tc-protection
By default, TC-BPDU guard is enabled.
3. (Optional.) Configure the maximum number of forwarding address entry flushes that the device
can perform every 10 seconds.
stp tc-protection threshold number
The default setting is 6.

183
Enabling BPDU drop
About this task
In a spanning tree network, every BPDU arriving at the device triggers an STP calculation process
and is then forwarded to other devices in the network. Malicious attackers might use the vulnerability
to attack the network by forging BPDUs. By continuously sending forged BPDUs, they can make all
devices in the network continue performing STP calculations. As a result, problems such as CPU
overload and BPDU protocol status errors occur.
To avoid this problem, you can enable BPDU drop on ports. A BPDU drop-enabled port does not
receive any BPDUs and is invulnerable to forged BPDU attacks.
Restrictions and guidelines
This feature allows the device to drop BPDUs of STP, RSTP, MSTP, LACP, Ethernet OAM, GVRP,
and LLDP. Make sure you are fully aware of the impact of this feature when you use it on a live
network.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Enable BPDU drop on the interface.
bpdu-drop any
By default, BPDU drop is disabled.

Enabling PVST BPDU guard

About this task
This feature takes effect only when the device is operating in MSTP mode.
An MSTP-enabled device forwards PVST BPDUs as data traffic because it cannot recognize PVST
BPDUs. If a PVST-enabled device in another independent network receives the PVST BPDUs, a
PVST calculation error might occur. To avoid PVST calculation errors, enable PVST BPDU guard on
the MSTP-enabled device. The device shuts down a port if the port receives PVST BPDUs.
Procedure
1. Enter system view.
system-view
2. Enable PVST BPDU guard.
stp pvst-bpdu-protection
By default, PVST BPDU guard is disabled.

Disabling dispute guard

About this task
Dispute guard can be triggered by unidirectional link failures. If an upstream port receives inferior
BPDUs from a downstream designated port in forwarding or learning state because of a
unidirectional link failure, a loop appears. Dispute guard blocks the upstream designated port to
prevent the loop.
As shown in Figure 55, in normal conditions, the spanning tree calculation result is as follows:

184
• Device A is the root bridge, and Port A1 is a designated port.
• Port B1 is blocked.
When the link between Port A1 and Port B1 fails in the direction of Port A1 to Port B1 and becomes
unidirectional, the following events occur:
1. Port A1 can only receive BPDUs and cannot send BPDUs to Port B1.
2. Port B1 does not receive BPDUs from Port A1 for a certain period of time.
3. Device B determines itself as the root bridge.
4. Port B1 sends its BPDUs to Port A1.
5. Port A1 determines the received BPDUs are inferior to its own BPDUs. A dispute is detected.
6. Dispute guard is triggered and blocks Port A1 to prevent a loop.
Figure 55 Dispute guard triggering scenario (on a designated port)

Normal condition Unidirectional link Dispute guard is

occurs triggered
Device A Device A Device A

Root Root Root

Port A1 Port A2 Port A1 Port A2 Port A1 Port A2

Port B1 Port B2 Port B1 Port B2 Port B1 Port B2

Device B Device B Device B

Root port Normal link

Designated port Blocked link

Blocked port Unidirectional link

As shown in Figure 56, in normal conditions, Device A is the root bridge, and Port B1 and Port C1 are
root ports. When the links between Device A and Device B become unidirectional (the links fail in the
direction of Port A1 to Port B1), the following events occur:
7. Device B cannot receive BPDUs from Device A.
8. Device B determines itself as the root bridge.
9. Port B1 sends BPDUs in which the root bridge is Device B to Port C1.
10. Port C1 receives BPDUs from two root bridges, Device A and Device B. A dispute is detected.
11. Dispute guard is triggered and blocks Port C1 to avoid a loop.

185
 Figure 56 Dispute guard triggering scenario (on a root port)
Device A Device B Device A Device B Device A Device B

Root Root Root Root Root

Port A1 Port B1 Port A1 Port B1 Port A1 Port B1

Hub Hub Hub

Port C1 Port C1 Port C1

Device C Device C Device C

Root port Normal link

Designated port Blocked link

Blocked port BPDUs

However, dispute guard might disrupt the network connectivity. You can disable dispute guard to
avoid connectivity loss in VLAN networks. As shown in Figure 57, the spanning tree feature is
disabled on Device B and enabled on Device A and device C. Device B transparently transmits
BPDUs.
Device C cannot receive superior BPDUs of VLAN 1 from Device A because Port B1 of Device B is
configured to deny packets of VLAN 1. Device C determines itself as the root bridge after a certain
period of time. Then, Port C1 sends an inferior BPDU of VLAN 100 to Device A.
When Device A receives the inferior BPDU, dispute guard blocks Port A1, which causes traffic
interruption. To ensure service continuity, you can disable dispute guard on Device A to prevent the
link from being blocked.
Figure 57 Disabling dispute guard application scenario
Device A Device B Device C
Port A1 Port B1 Port B2 Port C1
Root

Port A1: Port B1:

port trunk permit vlan 100 undo port trunk permit vlan 1
port trunk pvid vlan 1 port trunk permit vlan 100
port trunk pvid vlan 1
Port B2:
port access vlan 100

Inferior BPDU Superior BPDU

Restrictions and guidelines

You can disable dispute guard if the network does not have unidirectional link failures.
Procedure
1. Enter system view.
system-view
2. Disable dispute guard.
undo stp dispute-protection
By default, dispute guard is enabled.

186
Enabling the device to log events of detecting or
receiving TC BPDUs
About this task
This feature allows the device to generate logs when it detects or receives TC BPDUs. This feature
applies only to PVST mode.
Procedure
1. Enter system view.
system-view
2. Enable the device to log events of receiving or detecting TC BPDUs.
stp log enable tc
By default, the device does not generate logs when it detects or receives TC BPDUs.

Disabling the device from reactivating edge ports

shut down by BPDU guard
About this task
BPDU guard shuts down edge ports that have received configuration BPDUs and notifies the NMS of
the shutdown event.
The device reactivates the ports that have been shut down when the port status detection timer
expires. You can set this timer by using the shutdown-interval command. For more information
about this command, see device management commands in Fundamentals Command Reference.
Restrictions and guidelines
This feature prevents the device from reactivating edge ports shut down by BPDU guard after this
feature is configured. The device does not bring up the shutdown ports if you execute the undo stp
port shutdown permanent command. To bring up these ports, use the undo shutdown
command.
Procedure
1. Enter system view.
system-view
2. Disable the device from reactivating edge ports shut down by BPDU guard.
stp port shutdown permanent
By default, the device reactivates an edge port shut down by BPDU guard after the port status
detection timer expires.

Enabling SNMP notifications for new-root election

and topology change events
About this task
This task enables the device to generate logs and report new-root election events or spanning tree
topology changes to SNMP. For the event notifications to be sent correctly, you must also configure

187
 SNMP on the device. For more information about SNMP configuration, see the network
management and monitoring configuration guide for the device.
When you use the snmp-agent trap enable stp [ new-root | tc ] command, follow these
guidelines:
• The new-root keyword applies only to STP, MSTP, and RSTP modes.
• The tc keyword applies only to PVST mode.
• In STP, MSTP, or RSTP mode, the snmp-agent trap enable stp command enables
SNMP notifications for new-root election events.
• In PVST mode, the snmp-agent trap enable stp command enables SNMP notifications
for spanning tree topology changes.
Procedure
1. Enter system view.
system-view
2. Enable SNMP notifications for new-root election and topology change events.
snmp-agent trap enable stp [ new-root | tc ]
The default settings are as follows:
 SNMP notifications are disabled for new-root election events.
 In MSTP mode, SNMP notifications are enabled in MSTI 0 and disabled in other MSTIs for
spanning tree topology changes.
 In PVST mode, SNMP notifications are disabled for spanning tree topology changes in all
VLANs.

Display and maintenance commands for the

spanning tree protocols
Execute display commands in any view and reset command in user view.

Task Command
display stp [ instance instance-list | vlan
Display the spanning tree status
and statistics.
vlan-id-list ] [ interface interface-list |
slot slot-number ] [ brief ]
Display the port role calculation display stp [ instance instance-list | vlan
history for the specified MSTI or all
MSTIs.
vlan-id-list ] history [ slot slot-number ]

Display the incoming and outgoing

TC/TCN BPDU statistics by all display stp [ instance instance-list | vlan
ports in the specified MSTI or all vlan-id-list ] tc [ slot slot-number ]
MSTIs.

Display history about ports

blocked by spanning tree display stp abnormal-port
protection features.

display stp bpdu-statistics [ interface

Display BPDU statistics on ports. interface-type interface-number [ instance
instance-list ] ]
Display information about ports
shut down by spanning tree display stp down-port
protection features.

188
 Task Command
Display the MST region
configuration information that has display stp region-configuration
taken effect.

Display the root bridge information

display stp root
of all MSTIs.

Clear the spanning tree statistics. reset stp [ interface interface-list ]

Spanning tree configuration examples

Example: Configuring MSTP
Network configuration
As shown in Figure 58, all devices on the network are in the same MST region. Device A and Device
B work at the distribution layer. Device C and Device D work at the access layer.
Configure MSTP so that frames of different VLANs are forwarded along different spanning trees.
• VLAN 10 frames are forwarded along MSTI 1.
• VLAN 30 frames are forwarded along MSTI 3.
• VLAN 40 frames are forwarded along MSTI 4.
• VLAN 20 frames are forwarded along MSTI 0.
VLAN 10 and VLAN 30 are terminated on the distribution layer devices, and VLAN 40 is terminated
on the access layer devices. The root bridges of MSTI 1 and MSTI 3 are Device A and Device B,
respectively, and the root bridge of MSTI 4 is Device C.
Figure 58 Network diagram

MST region
Device A Device B
Permit: all VLANs
GE1/0/3 GE1/0/3
GE
/1

/2
GE

1/0 1/0
1/0

/2 GE
1/0
GE

1 /

Permit: VLANs 10 and Permit: VLANs 20 and

20 20 Pe 30
rm
and it:
s 10 VL
AN
AN
/1

GE

s2
VL
1/0

0a
it:
1/0

2 nd GE
GE

/ rm 1/0
1/0 Pe 30
1/

GE /2

GE1/0/3 GE1/0/3
Permit: VLANs 20 and 40

Device C Device D

Procedure
1. Configure VLANs and VLAN member ports. (Details not shown.)
 Create VLAN 10, VLAN 20, and VLAN 30 on both Device A and Device B.
 Create VLAN 10, VLAN 20, and VLAN 40 on Device C.
 Create VLAN 20, VLAN 30, and VLAN 40 on Device D.

189
  Configure the ports on these devices as trunk ports and assign them to related VLANs.
2. Configure Device A:
# Enter MST region view, and configure the MST region name as example.
<DeviceA> system-view
[DeviceA] stp region-configuration
[DeviceA-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceA-mst-region] instance 1 vlan 10
[DeviceA-mst-region] instance 3 vlan 30
[DeviceA-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceA-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceA-mst-region] active region-configuration
[DeviceA-mst-region] quit
# Configure the Device A as the root bridge of MSTI 1.
[DeviceA] stp instance 1 root primary
# Enable the spanning tree feature globally.
[DeviceA] stp global enable
3. Configure Device B:
# Enter MST region view, and configure the MST region name as example.
<DeviceB> system-view
[DeviceB] stp region-configuration
[DeviceB-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 3 vlan 30
[DeviceB-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceB-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# Configure Device B as the root bridge of MSTI 3.
[DeviceB] stp instance 3 root primary
# Enable the spanning tree feature globally.
[DeviceB] stp global enable
4. Configure Device C:
# Enter MST region view, and configure the MST region name as example.
<DeviceC> system-view
[DeviceC] stp region-configuration
[DeviceC-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceC-mst-region] instance 1 vlan 10
[DeviceC-mst-region] instance 3 vlan 30
[DeviceC-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.

190
 [DeviceC-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceC-mst-region] active region-configuration
[DeviceC-mst-region] quit
# Configure the Device C as the root bridge of MSTI 4.
[DeviceC] stp instance 4 root primary
# Enable the spanning tree feature globally.
[DeviceC] stp global enable
5. Configure Device D:
# Enter MST region view, and configure the MST region name as example.
<DeviceD> system-view
[DeviceD] stp region-configuration
[DeviceD-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceD-mst-region] instance 1 vlan 10
[DeviceD-mst-region] instance 3 vlan 30
[DeviceD-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceD-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# Enable the spanning tree feature globally.
[DeviceD] stp global enable

Verifying the configuration

In this example, Device B has the lowest root bridge ID. As a result, Device B is elected as the root
bridge in MSTI 0.
When the network is stable, you can use the display stp brief command to display brief
spanning tree information on each device.
# Display brief spanning tree information on Device A.
[DeviceA] display stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 ALTE DISCARDING NONE
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING NONE
1 GigabitEthernet1/0/3 DESI FORWARDING NONE
3 GigabitEthernet1/0/2 DESI FORWARDING NONE
3 GigabitEthernet1/0/3 ROOT FORWARDING NONE

# Display brief spanning tree information on Device B.

[DeviceB] display stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
0 GigabitEthernet1/0/3 DESI FORWARDING NONE
1 GigabitEthernet1/0/2 DESI FORWARDING NONE

191
 1 GigabitEthernet1/0/3 ROOT FORWARDING NONE
3 GigabitEthernet1/0/1 DESI FORWARDING NONE
3 GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device C.

[DeviceC] display stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE
0 GigabitEthernet1/0/2 ROOT FORWARDING NONE
0 GigabitEthernet1/0/3 DESI FORWARDING NONE
1 GigabitEthernet1/0/1 ROOT FORWARDING NONE
1 GigabitEthernet1/0/2 ALTE DISCARDING NONE
4 GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device D.

[DeviceD] display stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 ROOT FORWARDING NONE
0 GigabitEthernet1/0/2 ALTE DISCARDING NONE
0 GigabitEthernet1/0/3 ALTE DISCARDING NONE
3 GigabitEthernet1/0/1 ROOT FORWARDING NONE
3 GigabitEthernet1/0/2 ALTE DISCARDING NONE
4 GigabitEthernet1/0/3 ROOT FORWARDING NONE

Based on the output, you can draw each MSTI mapped to each VLAN, as shown in Figure 59.
Figure 59 MSTIs mapped to different VLANs

A B A B

C C D

MSTI 1 mapped to VLAN 10 MSTI 0 mapped to VLAN 20

A B

D C D

MSTI 3 mapped to VLAN 30 MSTI 4 mapped to VLAN 40

Root bridge Normal link Blocked link

192
Example: Configuring PVST
Network configuration
As shown in Figure 60, Device A and Device B work at the distribution layer, and Device C and
Device D work at the access layer.
Configure PVST to meet the following requirements:
• Frames of a VLAN are forwarded along the spanning trees of the VLAN.
• VLAN 10, VLAN 20, and VLAN 30 are terminated on the distribution layer devices, and VLAN
40 is terminated on the access layer devices.
• The root bridge of VLAN 10 and VLAN 20 is Device A.
• The root bridge of VLAN 30 is Device B.
• The root bridge of VLAN 40 is Device C.
Figure 60 Network diagram
Device A Device B
Permit: all VLANs
GE1/0/3 GE1/0/3
GE /2
/1

GE
1/0 1/0
1/0

/2 GE

1/0
GE

/1
Permit: VLANs 10 and Permit: VLANs 20 and
20 0 Pe 30
d2 rm
an it:
s 10 VL
AN
AN
/1

s2 GE
VL
1/0

it: 0a 1/0
/2 nd GE
erm
GE

1/0 30 1/0
/1
P /2
GE
GE1/0/3 GE1/0/3
Permit: VLANs 20 and 40

Device C Device D

Procedure
1. Configure VLANs and VLAN member ports. (Details not shown.)
 Create VLAN 10, VLAN 20, and VLAN 30 on both Device A and Device B.
 Create VLAN 10, VLAN 20, and VLAN 40 on Device C.
 Create VLAN 20, VLAN 30, and VLAN 40 on Device D.
 Configure the ports on these devices as trunk ports and assign them to related VLANs.
2. Configure Device A:
# Set the spanning tree mode to PVST.
<DeviceA> system-view
[DeviceA] stp mode pvst
# Configure the device as the root bridge of VLAN 10 and VLAN 20.
[DeviceA] stp vlan 10 20 root primary
# Enable the spanning tree feature globally and in VLAN 10, VLAN 20, and VLAN 30.
[DeviceA] stp global enable
[DeviceA] stp vlan 10 20 30 enable
3. Configure Device B:
# Set the spanning tree mode to PVST.
<DeviceB> system-view
[DeviceB] stp mode pvst

193
 # Configure the device as the root bridge of VLAN 30.
[DeviceB] stp vlan 30 root primary
# Enable the spanning tree feature globally and in VLAN 10, VLAN 20, and VLAN 30.
[DeviceB] stp global enable
[DeviceB] stp vlan 10 20 30 enable
4. Configure Device C:
# Set the spanning tree mode to PVST.
<DeviceC> system-view
[DeviceC] stp mode pvst
# Configure the device as the root bridge of VLAN 40.
[DeviceC] stp vlan 40 root primary
# Enable the spanning tree feature globally and in VLAN 10, VLAN 20, and VLAN 40.
[DeviceC] stp global enable
[DeviceC] stp vlan 10 20 40 enable
5. Configure Device D:
# Set the spanning tree mode to PVST.
<DeviceD> system-view
[DeviceD] stp mode pvst
# Enable the spanning tree feature globally and in VLAN 20, VLAN 30, and VLAN 40.
[DeviceD] stp global enable
[DeviceD] stp vlan 20 30 40 enable

Verifying the configuration

When the network is stable, you can use the display stp brief command to display brief
spanning tree information on each device.
# Display brief spanning tree information on Device A.
[DeviceA] display stp brief
VLAN ID Port Role STP State Protection
10 GigabitEthernet1/0/1 DESI FORWARDING NONE
10 GigabitEthernet1/0/3 DESI FORWARDING NONE
20 GigabitEthernet1/0/1 DESI FORWARDING NONE
20 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/3 DESI FORWARDING NONE
30 GigabitEthernet1/0/2 DESI FORWARDING NONE
30 GigabitEthernet1/0/3 ROOT FORWARDING NONE

# Display brief spanning tree information on Device B.

[DeviceB] display stp brief
VLAN ID Port Role STP State Protection
10 GigabitEthernet1/0/2 DESI FORWARDING NONE
10 GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 GigabitEthernet1/0/1 DESI FORWARDING NONE
20 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/3 ROOT FORWARDING NONE
30 GigabitEthernet1/0/1 DESI FORWARDING NONE
30 GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device C.

[DeviceC] display stp brief

194
 VLAN ID Port Role STP State Protection
10 GigabitEthernet1/0/1 ROOT FORWARDING NONE
10 GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 GigabitEthernet1/0/1 ROOT FORWARDING NONE
20 GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 GigabitEthernet1/0/3 DESI FORWARDING NONE
40 GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device D.

[DeviceD] display stp brief
VLAN ID Port Role STP State Protection
20 GigabitEthernet1/0/1 ALTE DISCARDING NONE
20 GigabitEthernet1/0/2 ROOT FORWARDING NONE
20 GigabitEthernet1/0/3 ALTE DISCARDING NONE
30 GigabitEthernet1/0/1 ROOT FORWARDING NONE
30 GigabitEthernet1/0/2 ALTE DISCARDING NONE
40 GigabitEthernet1/0/3 ROOT FORWARDING NONE

Based on the output, you can draw a topology for each VLAN spanning tree, as shown in Figure 61.
Figure 61 VLAN spanning tree topologies

A B A B

C C D

Spanning tree for VLAN 10 Spanning tree for VLAN 20

A B

D C D

Spanning tree for VLAN 30 Spanning tree for VLAN 40

Root bridge Normal link Blocked link

195
Configuring loop detection
About loop detection
The loop detection mechanism performs periodic checking for Layer 2 loops. The mechanism
immediately generates a log when a loop occurs so that you are promptly notified to adjust network
connections and configurations. You can configure loop detection to shut down the looped port. Logs
are maintained in the information center. For more information, see Network Management and
Monitoring Configuration Guide.

Loop detection mechanism

The device detects loops by sending detection frames and then checking whether these frames
return to any port on the device. If they do, the device considers that the port is on a looped link.
Loop detection usually works within a VLAN. If a detection frame is returned with a different VLAN
tag than it was sent out with, an inter-VLAN loop has occurred. To remove the loop, examine the
QinQ or VLAN mapping configuration for incorrect settings. For more information about QinQ and
VLAN mapping, see "Configuring QinQ" and "Configuring VLAN mapping."
Figure 62 Ethernet frame header for loop detection
0 15 31
DMAC

SMAC

TPID TCI

Type

The Ethernet frame header of a loop detection packet contains the following fields:
• DMAC—Destination MAC address of the frame, which is the multicast MAC address
010f-e200-0007. When a loop detection-enabled device receives a frame with this destination
MAC address, it performs the following operations:
 Sends the frame to the CPU.
 Floods the frame in the VLAN from which the frame was originally received.
• SMAC—Source MAC address of the frame, which is the bridge MAC address of the sending
device.
• TPID—Type of the VLAN tag, with the value of 0x8100.
• TCI—Information of the VLAN tag, including the priority and VLAN ID.
• Type—Protocol type, with the value of 0x8918.
Figure 63 Inner frame header for loop detection
0 15 31
Code Version

Length Reserved

The inner frame header of a loop detection packet contains the following fields:
• Code—Protocol sub-type, which is 0x0001, indicating the loop detection protocol.

196
 • Version—Protocol version, which is always 0x0000.
• Length—Length of the frame. The value includes the inner header, but excludes the Ethernet
header.
• Reserved—This field is reserved.
Frames for loop detection are encapsulated as TLV triplets.
Table 21 TLVs supported by loop detection

TLV Description Remarks

End of PDU End of a PDU. Optional.

Device ID Bridge MAC address of the sending device. Required.

Port ID ID of the PDU sending port. Optional.

Port Name Name of the PDU sending port. Optional.

System Name Device name. Optional.

Chassis ID Chassis ID of the sending port. Optional.

Slot ID Slot ID of the sending port. Optional.

Sub Slot ID Sub-slot ID of the sending port. Optional.

Loop detection interval

Loop detection is a continuous process as the network changes. Loop detection frames are sent at
the loop detection interval to determine whether loops occur on ports and whether loops are
removed.

Loop protection actions

When the device detects a loop on a port, it generates a log but performs no action on the port by
default. You can configure the device to take one of the following actions:
• Block—Disables the port from learning MAC addresses and blocks the port.
• No-learning—Disables the port from learning MAC addresses.
• Shutdown—Shuts down the port to disable it from receiving and sending any frames.

Port status auto recovery

When the device configured with the block or no-learning loop action detects a loop on a port, it
performs the action and waits three loop detection intervals. If the device does not receive a loop
detection frame within three loop detection intervals, it performs the following operations:
• Automatically sets the port to the forwarding state.
• Notifies the user of the event.
When the device configured with the shutdown action detects a loop on a port, the following events
occur:
1. The device automatically shuts down the port.

197
 2. The device automatically sets the port to the forwarding state after the detection timer set by
using the shutdown-interval command expires. For more information about the
shutdown-interval command, see Fundamentals Command Reference.
3. The device shuts down the port again if a loop is still detected on the port when the detection
timer expires.
This process is repeated until the loop is removed.

NOTE:
Incorrect recovery can occur when loop detection frames are discarded to reduce the load. To avoid
this, use the shutdown action, or manually remove the loop.

Restriction and guidelines: DRNI configuration

Member devices in a DR system must have the same loop detection configuration.

Loop detection tasks at a glance

To configure loop detection, perform the following tasks:
1. Enabling loop detection
 Enabling loop detection globally
 Enabling loop detection on a port
2. (Optional) Setting the loop protection action
 Setting the global loop protection action
 Setting the loop protection action on an interface
3. (Optional) Setting the loop detection interval

Enabling loop detection

Restrictions and guidelines for loop detection configuration
You can enable loop detection globally or on a per-port basis. When a port receives a detection
frame in any VLAN, the loop protection action is triggered on that port, regardless of whether loop
detection is enabled on it.

Enabling loop detection globally

1. Enter system view.
system-view
2. Globally enable loop detection.
loopback-detection global enable vlan { vlan-id--list | all }
By default, loop detection is globally disabled.

Enabling loop detection on a port

1. Enter system view.
system-view

198
 2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
interface interface-type interface-number
3. Enable loop detection on the port.
loopback-detection enable vlan { vlan-id--list | all }
By default, loop detection is disabled on ports.

Setting the loop protection action

Restrictions and guidelines for loop protection action
configuration
You can set the loop protection action globally or on a per-port basis. The global action applies to all
ports. The per-port action applies to the individual ports. The per-port action takes precedence over
the global action.

Setting the global loop protection action

1. Enter system view.
system-view
2. Set the global loop protection action.
loopback-detection global action shutdown
By default, the device generates a log but performs no action on the port on which a loop is
detected.

Setting the loop protection action on an interface

1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the loop protection action on the interface.
loopback-detection action { block | no-learning | shutdown }
By default, the device generates a log but performs no action on the port on which a loop is
detected.
Support for the keywords of this command varies by interface type. For more information, see
Layer 2—LAN Switching Command Reference.

Setting the loop detection interval

About this task
With loop detection enabled, the device sends loop detection frames at the loop detection interval. A
shorter interval offers more sensitive detection but consumes more resources. Consider the system
performance and loop detection speed when you set the loop detection interval.
Procedure
1. Enter system view.

199
 system-view
2. Set the loop detection interval.
loopback-detection interval-time interval
The default setting is 30 seconds.

Display and maintenance commands for loop

detection
Execute display commands in any view.

Task Command
Display the loop detection configuration and status. display loopback-detection

Loop detection configuration examples

Example: Configuring basic loop detection functions
Network configuration
As shown in Figure 64, configure loop detection on Device A to meet the following requirements:
• Device A generates a log as a notification.
• Device A automatically shuts down the port on which a loop is detected.
Figure 64 Network diagram

Device A
/1

GE
1/0

1/0
GE

/2
/2

GE
1/0

1/0
GE

1 /

GE1/0/1 GE1/0/2

Device B Device C

VLAN 100

Procedure
1. Configure Device A:
# Create VLAN 100, and globally enable loop detection for the VLAN.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] quit

200
 [DeviceA] loopback-detection global enable vlan 100
# Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports, and assign them to
VLAN 100.
[DeviceA] interface GigabitEthernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-type trunk
[DeviceA-GigabitEthernet1/0/1] port trunk permit vlan 100
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 100
[DeviceA-GigabitEthernet1/0/2] quit
# Set the global loop protection action to shutdown.
[DeviceA] loopback-detection global action shutdown
# Set the loop detection interval to 35 seconds.
[DeviceA] loopback-detection interval-time 35
2. Configure Device B:
# Create VLAN 100.
<DeviceB> system-view
[DeviceB] vlan 100
[DeviceB–vlan100] quit
# Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports, and assign them to
VLAN 100.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 100
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 100
[DeviceB-GigabitEthernet1/0/2] quit
3. Configure Device C:
# Create VLAN 100.
<DeviceC> system-view
[DeviceC] vlan 100
[DeviceC–vlan100] quit
# Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports, and assign them to
VLAN 100.
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 100
[DeviceC-GigabitEthernet1/0/1] quit
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] port link-type trunk
[DeviceC-GigabitEthernet1/0/2] port trunk permit vlan 100
[DeviceC-GigabitEthernet1/0/2] quit

Verifying the configuration

# View the system logs on devices, for example, Device A.

201
 [DeviceA]
%Feb 24 15:04:29:663 2019 DeviceA LPDT/4/LPDT_LOOPED: A loop was detected on
GigabitEthernet1/0/1.
%Feb 24 15:04:29:664 2019 DeviceA LPDT/4/LPDT_VLAN_LOOPED: A loop was detected on
GigabitEthernet1/0/1 in VLAN 100.
%Feb 24 15:04:29:667 2019 DeviceA LPDT/4/LPDT_LOOPED: A loop was detected on
GigabitEthernet1/0/2.
%Feb 24 15:04:29:668 2019 DeviceA LPDT/4/LPDT_VLAN_LOOPED: A loop was detected on
GigabitEthernet1/0/2 in VLAN 100.
%Feb 24 15:04:44:243 2019 DeviceA LPDT/5/LPDT_VLAN_RECOVERED: A loop was removed on
GigabitEthernet1/0/1 in VLAN 100.
%Feb 24 15:04:44:243 2019 DeviceA LPDT/5/LPDT_RECOVERED: All loops were removed on
GigabitEthernet1/0/1.
%Feb 24 15:04:44:248 2019 DeviceA LPDT/5/LPDT_VLAN_RECOVERED: A loop was removed on
GigabitEthernet1/0/2 in VLAN 100.
%Feb 24 15:04:44:248 2019 DeviceA LPDT/5/LPDT_RECOVERED: All loops were removed on
GigabitEthernet1/0/2.

The output shows the following information:

• Device A detected loops on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 within a loop
detection interval.
• Loops on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 were removed.
# Use the display loopback-detection command to display the loop detection configuration
and status on devices, for example, Device A.
[DeviceA] display loopback-detection
Loop detection is enabled.
Global loop detection interval is 35 second(s).
Loop is detected on following interfaces:
Interface Action mode VLANs/VSI
GigabitEthernet1/0/1 Shutdown 100
GigabitEthernet1/0/2 Shutdown 100

The output shows that the device has removed the loops from GigabitEthernet 1/0/1 and
GigabitEthernet 1/0/2 according to the shutdown action.
# Display the status of GigabitEthernet 1/0/1 on devices, for example, Device A.
[DeviceA] display interface gigabitethernet 1/0/1
GigabitEthernet1/0/1 current state: DOWN (Loop detection down)
...

The output shows that GigabitEthernet 1/0/1 is already shut down by the loop detection module.
# Display the status of GigabitEthernet 1/0/2 on devices, for example, Device A.
[DeviceA] display interface gigabitethernet 1/0/2
GigabitEthernet1/0/2 current state: DOWN (Loop detection down)
...

The output shows that GigabitEthernet 1/0/2 is already shut down by the loop detection module.

Example: Configuring loop detection on a DR system

Network configuration
As shown in Figure 65, configure loop detection on the DR system formed by Device A and Device B
to meet the following requirements:

202
 • Generates a log as a notification.
• Automatically shuts down the port on which a loop is detected.
Figure 65 Network diagram
Device C

GE1/0/5

BAGG4

GE
1
0/
1/

1/
GE
2
0/
GE

0/
1/
1/

3
0/
GE

4
1

GE
0/
1/

1/
GE
0/
GE

0/
1/

1
1/
GE

0/
BAGG4 BAGG4

2
GE1/0/1
IPL
GE1/0/5 GE1/0/5
Device A Device B
BAGG3 Device E
DR 1 DR 2
GE1/0/6 Keepalive GE1/0/6
GE1/0/2
BAGG5 DR system BAGG5
GE

4
0/
1/
1/
GE

3
0/
GE
0/

1/
1/

GE
0/
3

GE

2
0/
1/
1/
GE

1
0/
GE
0/

1/
1/

GE
0/
3

BAGG5

GE1/0/5

Device D

Procedure
1. Configure Device A:
# Create VLAN 100.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] quit
# Configure DR system settings.
[DeviceA] drni system-mac 1-1-1
[DeviceA] drni system-number 1
[DeviceA] drni system-priority 123
# Configure DR keepalive packet parameters.
[DeviceA] drni keepalive ip destination 1.1.1.1 source 1.1.1.2
# Set the link mode of GigabitEthernet 1/0/6 to Layer 3, and assign the interface an IP address.
The IP address will be used as the source IP address of keepalive packets.
[DeviceA] interface gigabitethernet 1/0/6
[DeviceA-GigabitEthernet1/0/6] port link-mode route
[DeviceA-GigabitEthernet1/0/6] ip address 1.1.1.2 24
[DeviceA-GigabitEthernet1/0/6] quit
# Exclude the interface used for DR keepalive detection (GigabitEthernet 1/0/6) from the
shutdown action by DRNI MAD.
[DeviceA] drni mad exclude interface gigabitethernet 1/0/6
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 3, and specify it as the IPP.
[DeviceA] interface bridge-aggregation 3
[DeviceA-Bridge-Aggregation3] link-aggregation mode dynamic

203
[DeviceA-Bridge-Aggregation3] port drni intra-portal-port 1
[DeviceA-Bridge-Aggregation3] quit
# Assign GigabitEthernet 1/0/5 to aggregation group 3.
[DeviceA] interface gigabitethernet 1/0/5
[DeviceA-GigabitEthernet1/0/5] port link-aggregation group 3
[DeviceA-GigabitEthernet1/0/5] quit
# Set the link type of Bridge-Aggregation 3 to trunk, and assign it to VLAN 100.
[DeviceA] interface bridge-aggregation 3
[DeviceA-Bridge-Aggregation3] port link-type trunk
[DeviceA-Bridge-Aggregation3] port trunk permit vlan 100
[DeviceA-Bridge-Aggregation3] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 4, and assign it to DR group
4.
[DeviceA] interface bridge-aggregation 4
[DeviceA-Bridge-Aggregation4] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation4] port drni group 4
[DeviceA-Bridge-Aggregation4] quit
# Assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to aggregation group 4.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 4
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-aggregation group 4
[DeviceA-GigabitEthernet1/0/2] quit
# Set the link type of Bridge-Aggregation 4 to trunk, and assign it to VLAN 100.
[DeviceA] interface bridge-aggregation 4
[DeviceA-Bridge-Aggregation4] port link-type trunk
[DeviceA-Bridge-Aggregation4] port trunk permit vlan 100
[DeviceA-Bridge-Aggregation4] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 5, and assign it to DR group
5.
[DeviceA] interface bridge-aggregation 5
[DeviceA-Bridge-Aggregation5] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation5] port drni group 5
[DeviceA-Bridge-Aggregation5] quit
# Assign GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to aggregation group 5.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-aggregation group 5
[DeviceA-GigabitEthernet1/0/3] quit
[DeviceA] interface gigabitethernet 1/0/4
[DeviceA-GigabitEthernet1/0/4] port link-aggregation group 5
[DeviceA-GigabitEthernet1/0/4] quit
# Set the link type of Bridge-Aggregation 5 to trunk, and assign it to VLAN 100.
[DeviceA] interface bridge-aggregation 5
[DeviceA-Bridge-Aggregation5] port link-type trunk
[DeviceA-Bridge-Aggregation5] port trunk permit vlan 100
[DeviceA-Bridge-Aggregation5] quit
# Disable the spanning tree feature.

204
 [DeviceA] undo stp global enable
# Enable loop detection for VLAN 100 globally, set the global loop protection action to shutdown,
and set the loop detection interval to 35 seconds.
[DeviceA] loopback-detection global enable vlan 100
[DeviceA] loopback-detection global action shutdown
[DeviceA] loopback-detection interval-time 35
2. Configure Device B in the same way Device A is configured. Set the DR system number to 2,
and set the source and destination IP addresses of keepalive packets to 1.1.1.1 and 1.1.1.2,
respectively. (Details not shown.)
3. Configure Device C:
# Disable the spanning tree feature.
<DeviceC> system-view
[DeviceC] undo stp global enable
# Create VLAN 100.
[DeviceC] vlan 100
[DeviceC-vlan100] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 4.
[DeviceC] interface bridge-aggregation 4
[DeviceC-Bridge-Aggregation4] link-aggregation mode dynamic
[DeviceC-Bridge-Aggregation4] quit
# Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to aggregation group 4.
[DeviceC] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/4
[DeviceC-if-range] port link-aggregation group 4
[DeviceC-if-range] quit
# Set the link type of Bridge-Aggregation 4 to trunk, and assign it to VLAN 100.
[DeviceC] interface bridge-aggregation 4
[DeviceC-Bridge-Aggregation4] port link-type trunk
[DeviceC-Bridge-Aggregation4] port trunk permit vlan 100
[DeviceC-Bridge-Aggregation4] quit
# Set the link type of GigabitEthernet 1/0/5 to trunk, and assign it to VLAN 100.
[DeviceC] interface gigabitethernet 1/0/5
[DeviceC-GigabitEthernet1/0/5] port link-type trunk
[DeviceC-GigabitEthernet1/0/5] port trunk permit vlan 100
[DeviceC-GigabitEthernet1/0/5] quit
4. Configure Device D:
# Disable the spanning tree feature.
<DeviceD> system-view
[DeviceD] undo stp global enable
# Create VLAN 100.
[DeviceD] vlan 100
[DeviceD-vlan100] quit
# Create Layer 2 dynamic aggregate interface Bridge-Aggregation 5.
[DeviceD] interface bridge-aggregation 5
[DeviceD-Bridge-Aggregation5] link-aggregation mode dynamic
[DeviceD-Bridge-Aggregation5] quit
# Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/4 to aggregation group 5.
[DeviceD] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/4

205
 [DeviceD-if-range] port link-aggregation group 5
[DeviceD-if-range] quit
# Set the link type of Bridge-Aggregation 5 to trunk, and assign it to VLAN 100.
[DeviceD] interface bridge-aggregation 5
[DeviceD-Bridge-Aggregation5] port link-type trunk
[DeviceD-Bridge-Aggregation5] port trunk permit vlan 100
[DeviceD-Bridge-Aggregation5] quit
# Set the link type of GigabitEthernet 1/0/5 to trunk, and assign it to VLAN 100.
[DeviceD] interface gigabitethernet 1/0/5
[DeviceD-GigabitEthernet1/0/5] port link-type trunk
[DeviceD-GigabitEthernet1/0/5] port trunk permit vlan 100
[DeviceD-GigabitEthernet1/0/5] quit
5. Configure Device E:
# Disable the spanning tree feature.
<DeviceE> system-view
[DeviceE] undo stp global enable
# Create VLAN 100.
[DeviceE] vlan 100
[DeviceE-vlan100] quit
# Set the link type of GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to trunk, and assign them
to VLAN 100.
[DeviceE] interface gigabitethernet 1/0/1
[DeviceE-GigabitEthernet1/0/1] port link-type trunk
[DeviceE-GigabitEthernet1/0/1] port trunk permit vlan 100
[DeviceE-GigabitEthernet1/0/1] quit
[DeviceE] interface gigabitethernet 1/0/2
[DeviceE-GigabitEthernet1/0/2] port link-type trunk
[DeviceE-GigabitEthernet1/0/2] port trunk permit vlan 100
[DeviceE-GigabitEthernet1/0/2] quit

Verifying the configuration

# View the system logs on Device A.
[DeviceA]
%Aug 1 03:28:48:110 2019 DeviceA LPDT/4/LPDT_LOOPED: A loop was detected on
Bridge-Aggregation4.
%Aug 1 03:28:48:191 2019 DeviceA LPDT/4/LPDT_VLAN_LOOPED: A loop was detect
ed on Bridge-Aggregation4 in VLAN 100.
%Aug 1 03:28:48:194 2019 DeviceA LPDT/4/LPDT_LOOPED: A loop was detected on
Bridge-Aggregation5.
%Aug 1 03:28:48:288 2019 DeviceA LPDT/4/LPDT_VLAN_LOOPED: A loop was detect
ed on Bridge-Aggregation5 in VLAN 100.
%Aug 1 03:28:48:290 2019 DeviceA LPDT/5/LPDT_VLAN_RECOVERED: A loop was rem
oved on Bridge-Aggregation4 in VLAN 100.
%Aug 1 03:28:48:291 2019 DeviceA LPDT/5/LPDT_RECOVERED: All loops were remo
ved on Bridge-Aggregation4.
%Aug 1 03:28:48:302 2019 DeviceA LPDT/5/LPDT_VLAN_RECOVERED: A loop was rem
oved on Bridge-Aggregation5 in VLAN 100.
%Aug 1 03:28:48:304 2019 DeviceA LPDT/5/LPDT_RECOVERED: All loops were remo

206
ved on Bridge-Aggregation5.

The output shows the following information:

• Device A detected loops on Bridge-Aggregation 4 and Bridge-Aggregation 5 within a loop
detection interval.
• Loops on Bridge-Aggregation 4 and Bridge-Aggregation 5 were removed.
# Use the display loopback-detection command to display the loop detection configuration
and status on Device A.
[DeviceA] display loopback-detection
Loop detection is enabled.
Global loop detection interval is 35 second(s).
Loop is detected on following interfaces:
Interface Action mode VLANs/VSI
Bridge-Aggregation4 Shutdown 100
Bridge-Aggregation5 Shutdown 100

The output shows that the device has removed the loops from Bridge-Aggregation 4 and
Bridge-Aggregation 5 according to the shutdown action.
# Verify that Bridge-Aggregation 4 has been shut down by loop detection.
[DeviceA] display interface Bridge-Aggregation 4
Bridge-Aggregation4
Current state: DOWN (Loopback detection down)
…

# Verify that Bridge-Aggregation 5 has been shut down by loop detection.

[DeviceA] display interface Bridge-Aggregation 5
Bridge-Aggregation5
Current state: DOWN (Loopback detection down)
…

# Verify that loops have been removed on Device B. (Details not shown.)

207
Configuring VLANs
About VLANs
The Virtual Local Area Network (VLAN) technology divides a physical LAN into multiple logical LANs.
It has the following benefits:
• Security—Hosts in the same VLAN can communicate with one another at Layer 2, but they are
isolated from hosts in other VLANs at Layer 2.
• Broadcast traffic isolation—Each VLAN is a broadcast domain that limits the transmission of
broadcast packets.
• Flexibility—A VLAN can be logically divided on a workgroup basis. Hosts in the same
workgroup can be assigned to the same VLAN, regardless of their physical locations.

VLAN frame encapsulation

To identify Ethernet frames from different VLANs, IEEE 802.1Q inserts a four-byte VLAN tag
between the destination and source MAC address (DA&SA) field and the Type field.
Figure 66 VLAN tag placement and format
VLAN Tag

DA&SA TPID Priority CFI VLAN ID Type Data FCS

A VLAN tag includes the following fields:

• TPID—16-bit tag protocol identifier that indicates whether a frame is VLAN-tagged. By default,
the hexadecimal TPID value 8100 identifies a VLAN-tagged frame. A device vendor can set the
TPID to a different value. For compatibility with a neighbor device, set the TPID value on the
device to be the same as the neighbor device. For more information about setting the TPID
value, see QinQ commands in Layer 2—LAN Switching Command Reference.
• Priority—3-bit long, identifies the 802.1p priority of the frame. For more information, see ACL
and QoS Configuration Guide.
• CFI—1-bit long canonical format indicator that indicates whether the MAC addresses are
encapsulated in the standard format when packets are transmitted across different media.
Available values include:
 0 (default)—The MAC addresses are encapsulated in the standard format.
 1—The MAC addresses are encapsulated in a non-standard format.
This field is always set to 0 for Ethernet.
• VLAN ID—12-bit long, identifies the VLAN to which the frame belongs. The VLAN ID range is 0
to 4095. VLAN IDs 0 and 4095 are reserved, and VLAN IDs 1 to 4094 are user configurable.
The way a network device handles an incoming frame depends on whether the frame has a VLAN
tag and the value of the VLAN tag (if any).
Ethernet supports encapsulation formats Ethernet II, 802.3/802.2 LLC, 802.3/802.2 SNAP, and
802.3 raw. The Ethernet II encapsulation format is used here. For information about the VLAN tag
fields in other frame encapsulation formats, see related protocols and standards.
For a frame that has multiple VLAN tags, the device handles it according to its outermost VLAN tag
and transmits its inner VLAN tags as the payload.

208
VLAN types
The following VLAN types are available:
• Port-based VLAN.
• MAC-based VLAN.
• IP subnet-based VLAN.
• Protocol-based VLAN.
If all these types of VLANs are configured on a port, the port processes packets in the following
descending order of priority by default:
• MAC-based VLAN.
• IP subnet-based VLAN.
• Protocol-based VLAN.
• Port-based VLAN.

Port-based VLANs
Port-based VLANs group VLAN members by port. A port forwards packets from a VLAN only after it
is assigned to the VLAN.
Port link type
You can set the link type of a port to access, trunk, or hybrid. The port link type determines whether
the port can be assigned to multiple VLANs. The link types use the following VLAN tag handling
methods:
• Access—An access port can forward packets only from one VLAN and send these packets
untagged. An access port is typically used in the following conditions:
 Connecting to a terminal device that does not support VLAN packets.
 In scenarios that do not distinguish VLANs.
• Trunk—A trunk port can forward packets from multiple VLANs. Except packets from the port
VLAN ID (PVID), packets sent out of a trunk port are VLAN-tagged. Ports connecting network
devices are typically configured as trunk ports.
• Hybrid—A hybrid port can forward packets from multiple VLANs. The tagging status of the
packets forwarded by a hybrid port depends on the port configuration. In one-to-two VLAN
mapping, hybrid ports are used to remove SVLAN tags for downlink traffic. For more
information about one-to-two VLAN mapping, see "Configuring VLAN mapping."
PVID
The PVID identifies the default VLAN of a port. Untagged packets received on a port are considered
as the packets from the port PVID.
An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of
the port. A trunk or hybrid port supports multiple VLANs and the PVID configuration.
How ports of different link types handle frames

Actions Access Trunk Hybrid

In the inbound • If the PVID is permitted on the port, tags the frame with
Tags the frame with the the PVID tag.
direction for an
PVID tag.
untagged frame • If not, drops the frame.

209
 Actions Access Trunk Hybrid
• Receives the
frame if its VLAN
ID is the same as
In the inbound the PVID. • Receives the frame if its VLAN is permitted on the port.
direction for a
• Drops the frame if • Drops the frame if its VLAN is not permitted on the port.
tagged frame
its VLAN ID is
different from the
PVID.
• Removes the tag
and sends the frame
if the frame carries
the PVID tag and the Sends the frame if its VLAN is
port belongs to the permitted on the port. The
In the outbound Removes the VLAN tag PVID. tagging status of the frame
direction and sends the frame. • Sends the frame depends on the port
without removing the hybrid vlan command
tag if its VLAN is configuration.
carried on the port
but is different from
the PVID.

MAC-based VLANs
The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature
is also called user-based VLAN because VLAN configuration remains the same regardless of a
user's physical location.
Static MAC-based VLAN assignment
Use static MAC-based VLAN assignment in networks that have a small number of VLAN users. To
configure static MAC-based VLAN assignment on a port, perform the following tasks:
1. Create MAC-to-VLAN entries.
2. Enable the MAC-based VLAN feature on the port.
3. Assign the port to the MAC-based VLAN.
A port configured with static MAC-based VLAN assignment processes a received frame as follows
before sending the frame out:
• For an untagged frame, the port determines its VLAN ID in the following workflow:
a. The port first performs a fuzzy match as follows:
− Searches for the MAC-to-VLAN entries whose masks are not all Fs.
− Performs a logical AND operation on the source MAC address and each of these
masks.
If an AND operation result matches the MAC address in a MAC-to-VLAN entry, the port
tags the frame with the VLAN ID specific to this entry.
b. If the fuzzy match fails, the port performs an exact match. It searches for MAC-to-VLAN
entries whose masks are all Fs. If the source MAC address of the frame exactly matches the
MAC address of a MAC-to-VLAN entry, the port tags the frame with the VLAN ID specific to
this entry.
c. If no matching VLAN ID is found, the port determines the VLAN for the packet by using the
following matching order:
− IP subnet-based VLAN.
− Protocol-based VLAN.
− Port-based VLAN.

210
 When a match is found, the port tags the packet with the matching VLAN ID.
• For a tagged frame, the port determines whether the VLAN ID of the frame is permitted on the
port.
 If the VLAN ID of the frame is permitted on the port, the port forwards the frame.
 If the VLAN ID of the frame is not permitted on the port, the port drops the frame.
Dynamic MAC-based VLAN assignment
When you cannot determine the target MAC-based VLANs of a port, use dynamic MAC-based VLAN
assignment on the port. To use dynamic MAC-based VLAN assignment, perform the following tasks:
1. Create MAC-to-VLAN entries.
2. Enable the MAC-based VLAN feature on the port.
3. Enable dynamic MAC-based VLAN assignment on the port.
Dynamic MAC-based VLAN assignment uses the following workflow, as shown in Figure 67:
4. When a port receives a frame, it first determines whether the frame is tagged.
 If the frame is tagged, the port gets the source MAC address of the frame.
 If the frame is untagged, the port selects a VLAN for the frame by using the following
matching order:
− MAC-based VLAN (fuzzy and exact MAC address match).
− IP subnet-based VLAN.
− Protocol-based VLAN.
− Port-based VLAN.
After tagging the frame with the selected VLAN, the port gets the source MAC address of
the frame.
5. The port uses the source MAC address and VLAN of the frame to match the MAC-to VLAN
entries.
 If the source MAC address of the frame exactly matches the MAC address in a
MAC-to-VLAN entry, the port checks whether the VLAN ID of the frame matches the VLAN
in the entry.
− If the two VLAN IDs match, the port joins the VLAN and forwards the frame.
− If the two VLAN IDs do not match, the port drops the frame.
 If the source MAC address of the frame does not exactly match any MAC addresses in
MAC-to-VLAN entries, the port checks whether the VLAN ID of the frame is its PVID.
− If the VLAN ID of the frame is the PVID of the port, the port determines whether it allows
the PVID.
If the PVID is allowed, the port forwards the frame within the PVID. If the PVID is not
allowed, the port drops the frame.
− If the VLAN ID of the frame is not the PVID of the port, the port determines whether the
VLAN ID is the primary VLAN ID and the port PVID is a secondary VLAN ID. If yes, the
port forwards the frame. Otherwise, the port drops the frame.

211
 Figure 67 Flowchart for processing a frame in dynamic MAC-based VLAN assignment
The port receives a
frame

No
Tagged frame ?

Yes

Selects a VLAN for the

Gets the source MAC
frame

Uses source MAC to

match the MAC in MAC-
to-VLAN entries

MAC addresses No No Yes

VLAN ID match the Is the VLAN ID the primary VLAN ID and the
match? port PVID? port PVID a secondary VLAN ID?
Yes Yes
No

No VLAN IDs No
PVID allowed? Drops the frame
match?

Yes Yes

Forwards the frame in

Drops the frame Joins the VLAN
the VLAN

Server-assigned MAC-based VLAN

Use this feature with access authentication, such as MAC-based 802.1X authentication, to
implement secure and flexible terminal access.
To implement server-assigned MAC-based VLAN, perform the following tasks:
1. Configure the server-assigned MAC-based VLAN feature on the access device.
2. Configure username-to-VLAN entries on the access authentication server.
When a user passes authentication of the access authentication server, the server assigns the
authorization VLAN information for the user to the device. The device then performs the following
operations:
3. Generates a MAC-to-VLAN entry by using the source MAC address of the user packet and the
authorization VLAN information. The authorization VLAN is a MAC-based VLAN.
The generated MAC-to-VLAN entry cannot conflict with the existing static MAC-to-VLAN
entries. If a confliction exists, the dynamic MAC-to-VLAN entry cannot be generated.
4. Assigns the port that connects the user to the MAC-based VLAN.
When the user goes offline, the device automatically deletes the MAC-to-VLAN entry and removes
the port from the MAC-based VLAN. For more information about 802.1X and MAC authentication,
see Security Configuration Guide.

IP subnet-based VLANs
The IP subnet-based VLAN feature assigns untagged packets to VLANs based on their source IP
addresses and subnet masks.
Use this feature when untagged packets from an IP subnet or IP address must be transmitted in a
VLAN.

212
Protocol-based VLANs
The protocol-based VLAN feature assigns inbound packets to different VLANs based on their
protocol types and encapsulation formats. The protocols available for VLAN assignment include IP,
IPX, and AT. The encapsulation formats include Ethernet II, 802.3 raw, 802.2 LLC, and 802.2 SNAP.
This feature associates the available network service types with VLANs and facilitates network
management and maintenance.

Layer 3 communication between VLANs

Hosts of different VLANs use VLAN interfaces to communicate at Layer 3. VLAN interfaces are
virtual interfaces that do not exist as physical entities on devices. For each VLAN, you can create
one VLAN interface and assign an IP address to it. The VLAN interface acts as the gateway of the
VLAN to forward packets destined for another IP subnet at Layer 3.

Protocols and standards

IEEE 802.1Q, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area
Networks

Configuring a VLAN
Restrictions and guidelines
• As the system default VLAN, VLAN 1 cannot be created or deleted.
• Before you delete a dynamic VLAN or a VLAN locked by an application, you must first remove
the configuration from the VLAN.

Creating VLANs
1. Enter system view.
system-view
2. Create one or multiple VLANs.
 Create a VLAN and enter its view.
vlan vlan-id
 Create multiple VLANs and enter VLAN view.
Create VLANs.
vlan { vlan-id-list | all }
Enter VLAN view.
vlan vlan-id
By default, only the system default VLAN (VLAN 1) exists.
3. (Optional.) Set a name for the VLAN.
name text
By default, the name of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN ID in
a four-digit format. If the VLAN ID has fewer than four digits, leading zeros are added. For
example, the name of VLAN 100 is VLAN 0100.
4. (Optional.) Configure the description for the VLAN.

213
 description text
By default, the description of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN
ID in a four-digit format. If the VLAN ID has fewer than four digits, leading zeros are added. For
example, the default description of VLAN 100 is VLAN 0100.

Configuring port-based VLANs

Restrictions and guidelines for port-based VLANs
• When you use the undo vlan command to delete the PVID of a port, either of the following
events occurs depending on the port link type:
 For an access port, the PVID of the port changes to VLAN 1.
 For a hybrid or trunk port, the PVID setting of the port does not change.
You can use a nonexistent VLAN as the PVID for a hybrid or trunk port, but not for an access
port.
• As a best practice, set the same PVID for a local port and its peer.
• To prevent a port from dropping untagged packets or PVID-tagged packets, assign the port to
its PVID.

Assigning an access port to a VLAN

About this task
You can assign an access port to a VLAN in VLAN view or interface view.
Assigning one or multiple access ports to a VLAN in VLAN view
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Assign one or multiple access ports to the VLAN.
port interface-list
By default, all ports belong to VLAN 1.
Assigning an access port to a VLAN in interface view
1. Enter system view.
system-view
2. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the port link type to access.
port link-type access
By default, all ports are access ports.
4. Assign the access port to a VLAN.
port access vlan vlan-id

214
 By default, all access ports belong to VLAN 1.

Assigning a trunk port to a VLAN

About this task
A trunk port supports multiple VLANs. You can assign it to a VLAN in interface view.
Restrictions and guidelines
To change the link type of a port from trunk to hybrid, set the link type to access first.
To enable a trunk port to transmit packets from its PVID, you must assign the trunk port to the PVID
by using the port trunk permit vlan command.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the port link type to trunk.
port link-type trunk
By default, all ports are access ports.
4. Assign the trunk port to the specified VLANs.
port trunk permit vlan { vlan-id-list | all }
By default, a trunk port permits only VLAN 1.
5. (Optional.) Set the PVID for the trunk port.
port trunk pvid vlan vlan-id
The default setting is VLAN 1.

Assigning a hybrid port to a VLAN

About this task
A hybrid port supports multiple VLANs. You can assign it to the specified VLANs in interface view.
Make sure the VLANs have been created.
Restrictions and guidelines
To change the link type of a port from trunk to hybrid, set the link type to access first.
To enable a hybrid port to transmit packets from its PVID, you must assign the hybrid port to the PVID
by using the port hybrid vlan command.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number

215
  Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the port link type to hybrid.
port link-type hybrid
By default, all ports are access ports.
4. Assign the hybrid port to the specified VLANs.
port hybrid vlan vlan-id-list { tagged | untagged }
By default, the hybrid port is an untagged member of the VLAN to which the port belongs when
its link type is access.
5. (Optional.) Set the PVID for the hybrid port.
port hybrid pvid vlan vlan-id
By default, the PVID of a hybrid port is the ID of the VLAN to which the port belongs when its link
type is access.

Configuring MAC-based VLANs

Restrictions and guidelines for MAC-based VLANs
• MAC-based VLANs are available only on hybrid ports.
• Do not configure a VLAN as both a super VLAN and a MAC-based VLAN.
• Do not configure MAC-based VLANs together with mapping an Ethernet service instance to a
VSI on a Layer 2 Ethernet interface or Layer 2 aggregate interface. Do not configure
MAC-based VLANs on a Layer 2 Ethernet interface or Layer 2 aggregate interface that acts as
the source interface of a VXLAN tunnel. For information about VXLAN and VSIs, see VXLAN
Configuration Guide.

Configuring static MAC-based VLAN assignment

1. Enter system view.
system-view
2. Create a MAC-to-VLAN entry.
mac-vlan mac-address mac-address [ mask mac-mask ] vlan vlan-id [ dot1p
priority ]
By default, no MAC-to-VLAN entries exist.
3. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
4. Set the port link type to hybrid.
port link-type hybrid
By default, all ports are access ports.
5. Assign the hybrid port to the MAC-based VLANs.
port hybrid vlan vlan-id-list { tagged | untagged }
By default, a hybrid port is an untagged member of the VLAN to which the port belongs when its
link type is access.

216
 6. Enable the MAC-based VLAN feature.
mac-vlan enable
By default, this feature is disabled.
7. (Optional.) Configure the system to assign VLANs based on the MAC address preferentially.
vlan precedence mac-vlan
By default, the system assigns VLANs based on the MAC address preferentially when both the
MAC-based VLAN and IP subnet-based VLAN are configured on a port.

Configuring dynamic MAC-based VLAN assignment

About this task
For successful dynamic MAC-based VLAN assignment, use static VLANs when you create
MAC-to-VLAN entries.
When a port joins a VLAN specified in the MAC-to-VLAN entry, one of the following events occurs
depending on the port configuration:
• If the port has not been configured to allow packets from the VLAN to pass through, the port
joins the VLAN as an untagged member.
• If the port has been configured to allow packets from the VLAN to pass through, the port
configuration remains the same.
The 802.1p priority of the VLAN in a MAC-to-VLAN entry determines the transmission priority of the
matching packets.
Restrictions and guidelines
• If you configure both static and dynamic MAC-based VLAN assignments on a port, dynamic
MAC-based VLAN assignment takes effect.
• As a best practice to ensure correct operation of 802.1X and MAC authentication, do not use
dynamic MAC-based VLAN assignment with 802.1X or MAC authentication.
• As a best practice, do not both configure dynamic MAC-based VLAN assignment and disable
MAC address learning on a port. If the two features are configured together on a port, the port
forwards only packets exactly matching the MAC-to-VLAN entries and drops inexactly matching
packets.
• As a best practice, do not configure both dynamic MAC-based VLAN assignment and the MAC
learning limit on a port.
If the two features are configured together on a port and the port learns the configured
maximum number of MAC address entries, the port processes packets as follows:
 Forwards only packets matching the MAC address entries learnt by the port.
 Drops unmatching packets.
• As a best practice, do not use dynamic MAC-based VLAN assignment with MSTP. In MSTP
mode, if a port is blocked in the MSTI of its target VLAN, the port drops the received packets
instead of delivering them to the CPU. As a result, the port will not be dynamically assigned to
the target VLAN.
• As a best practice, do not use dynamic MAC-based VLAN assignment with PVST. In PVST
mode, if the target VLAN of a port is not permitted on the port, the port is placed in blocked state.
The port drops the received packets instead of delivering them to the CPU. As a result, the port
will not be dynamically assigned to the target VLAN.
• As a best practice, do not configure both dynamic MAC-based VLAN assignment and automatic
voice VLAN assignment mode on a port. They can have a negative impact on each other.
Procedure
1. Enter system view.

217
 system-view
2. Create a MAC-to-VLAN entry.
mac-vlan mac-address mac-address vlan vlan-id [ dot1p priority ]
By default, no MAC-to-VLAN entries exist.
3. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
4. Set the port link type to hybrid.
port link-type hybrid
By default, all ports are access ports.
5. Enable the MAC-based VLAN feature.
mac-vlan enable
By default, MAC-based VLAN is disabled.
6. Enable dynamic MAC-based VLAN assignment.
mac-vlan trigger enable
By default, dynamic MAC-based VLAN assignment is disabled.
The VLAN assignment for a port is triggered only when the source MAC address of its receiving
packet exactly matches the MAC address in a MAC-to-VLAN entry.
7. (Optional.) Configure the system to assign VLANs based on the MAC address preferentially.
vlan precedence mac-vlan
By default, the system assigns VLANs based on the MAC address preferentially when both the
MAC-based VLAN and IP subnet-based VLAN are configured on a port.
8. (Optional.) Disable the port from forwarding packets that fail the exact MAC address match in its
PVID.
port pvid forbidden
By default, when a port receives packets whose source MAC addresses fail the exact match,
the port forwards them in its PVID.

Configuring server-assigned MAC-based VLAN

1. Enter system view.
system-view
2. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the port link type to hybrid.
port link-type hybrid
By default, all ports are access ports.
4. Assign the hybrid port to the MAC-based VLANs.
port hybrid vlan vlan-id-list { tagged | untagged }
By default, a hybrid port is an untagged member of the VLAN to which the port belongs when its
link type is access.
5. Enable the MAC-based VLAN feature.
mac-vlan enable

218
 By default, MAC-based VLAN is disabled.
6. Configure 802.1X or MAC authentication.
For more information, see Security Command Reference.

Configuring IP subnet-based VLANs

Restrictions and guidelines
This feature is available only on hybrid ports, and it processes only untagged packets.
Procedure
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Associate the VLAN with an IP subnet or IP address.
ip-subnet-vlan [ ip-subnet-index ] ip ip-address [ mask ]
By default, a VLAN is not associated with an IP subnet or IP address.
A multicast subnet or a multicast address cannot be associated with a VLAN.
4. Return to system view.
quit
5. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
6. Set the port link type to hybrid.
port link-type hybrid
By default, all ports are access ports.
7. Assign the hybrid port to the specified IP subnet-based VLANs.
port hybrid vlan vlan-id-list { tagged | untagged }
By default, a hybrid port is an untagged member of the VLAN to which the port belongs when its
link type is access.
8. Associate the hybrid port with the specified IP subnet-based VLAN.
port hybrid ip-subnet-vlan vlan vlan-id
By default, a hybrid port is not associated with a subnet-based VLAN.

Configuring protocol-based VLANs

About this task
A protocol-based VLAN has one or multiple protocol templates. A protocol template defines a
protocol type and an encapsulation format as the match criteria to match inbound packets. Each
protocol template has a unique index in the protocol-based VLAN. All protocol templates in a
protocol-based VLAN have the same VLAN ID.
For a port to assign inbound packets to protocol-based VLANs, perform the following tasks:
• Assign the port to the protocol-based VLANs.

219
 • Associate the port with the protocol templates of the protocol-based VLANs.
When an untagged packet arrives at the port, the port processes the packet as follows:
• If the protocol type and encapsulation format in the packet match a protocol template, the port
tags the packet with the VLAN tag specific to the protocol template.
• If no protocol templates are matched, the port tags the packet with its PVID.
Restrictions and guidelines
The voice VLAN in automatic mode processes only tagged voice traffic. Do not configure a VLAN as
both a protocol-based VLAN and a voice VLAN.
Procedure
1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Associate the VLAN with a protocol template.
protocol-vlan [ protocol-index ] { at | ipv4 | ipv6 | ipx { ethernetii |
llc | raw | snap } | mode { ethernetii etype etype-id | llc { dsap dsap-id
[ ssap ssap-id ] | ssap ssap-id } | snap etype etype-id } }
By default, a VLAN is not associated with a protocol template.
4. Exit VLAN view.
quit
5. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
6. Set the port link type to hybrid.
port link-type hybrid
By default, all ports are access ports.
7. Assign the hybrid port to the specified protocol-based VLANs.
port hybrid vlan vlan-id-list { tagged | untagged }
By default, a hybrid port is an untagged member of the VLAN to which the port belongs when its
link type is access.
8. Associate the hybrid port with the specified protocol-based VLAN.
port hybrid protocol-vlan vlan vlan-id { protocol-index [ to
protocol-end ] | all }
By default, a hybrid port is not associated with a protocol-based VLAN.

Configuring a VLAN group

About this task
A VLAN group includes a set of VLANs.
On an authentication server, a VLAN group name represents a group of authorization VLANs. When
an 802.1X or MAC authentication user passes authentication, the authentication server assigns a
VLAN group name to the device. The device then uses the received VLAN group name to match the
locally configured VLAN group names. If a match is found, the device selects a VLAN from the group

220
 and assigns the VLAN to the user. For more information about 802.1X and MAC authentication, see
Security Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Create a VLAN group and enter its view.
vlan-group group-name
3. Add VLANs to the VLAN group.
vlan-list vlan-id-list
By default, no VLANs exist in a VLAN group.
You can add multiple VLAN lists to a VLAN group.

Configuring VLAN interfaces

Restrictions and guidelines
• You cannot create VLAN interfaces for sub-VLANs. For more information about sub-VLANs,
see "Configuring super VLANs."
• You cannot create VLAN interfaces for secondary VLANs that have the following
characteristics:
 Associated with the same primary VLAN.
 Enabled with Layer 3 communication in VLAN interface view of the primary VLAN interface.
For more information about secondary VLANs, see "Configuring private VLAN."

VLAN interfaces configuration tasks at a glance

To configure VLAN interfaces, perform the following tasks:
1. Creating a VLAN interface
2. (Optional.) Specifying a traffic processing slot for the VLAN interface
3. (Optional.) Restoring the default settings for the VLAN interface

Prerequisites
Before you create a VLAN interface for a VLAN, create the VLAN first.

Creating a VLAN interface

1. Enter system view.
system-view
2. Create a VLAN interface and enter its view.
interface vlan-interface interface-number
3. Assign an IP address to the VLAN interface.
ip address ip-address { mask | mask-length } [ sub ]
By default, no IP address is assigned to a VLAN interface.
4. (Optional.) Configure the description for the VLAN interface.

221
 description text
The default setting is the VLAN interface name. For example, Vlan-interface1 Interface.
5. (Optional.) Set the MTU for the VLAN interface.
mtu size
By default, the MTU of a VLAN interface is 1500 bytes.
6. (Optional.) Set a MAC address for the VLAN interface.
mac-address mac-address
By default, no MAC addresses are set for a VLAN interface.
7. (Optional.) Set the expected bandwidth for the interface.
bandwidth bandwidth-value
By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.
8. Bring up the VLAN interface.
undo shutdown
By default, a VLAN interface is not manually shut down. The status of the VLAN interface
depends on the status of member ports of the VLAN.

Specifying a traffic processing slot for the VLAN interface

About this task
Specify a traffic processing slot for a VLAN interface if all traffic on the VLAN interface must be
processed on the same slot.
Procedure
1. Enter system view.
system-view
2. Enter a VLAN interface view.
interface vlan-interface interface-number
3. Specify a traffic processing slot for the VLAN interface.
service slot slot-number
By default, no traffic processing slot is specified for the VLAN interface.

Restoring the default settings for the VLAN interface

Restrictions and guidelines

CAUTION:
This feature might interrupt ongoing network services. Make sure you are fully aware of the impact of
this feature when you use it on a live network.

This feature might fail to restore the default settings for some commands for reasons such as
command dependencies or system restrictions. Use the display this command in interface view
to identify these commands, and then use their undo forms or follow the command reference to
restore their default settings. If your restoration attempt still fails, follow the error message
instructions to resolve the problem.
Procedure
1. Enter system view.
system-view

222
 2. Enter a VLAN interface view.
interface vlan-interface interface-number
3. Restore the default settings for the VLAN interface.
default

Display and maintenance commands for VLANs

Execute display commands in any view and reset commands in user view.

Task Command
display interface [ vlan-interface
Display VLAN interface information. [ interface-number ] ] [ brief [ description
| down ] ]

Display information about IP display ip-subnet-vlan interface

subnet-based VLANs that are associated { interface-type interface-number1 [ to
with the specified ports. interface-type interface-number2 ] | all }
Display information about IP display ip-subnet-vlan vlan { vlan-id1 [ to
subnet-based VLANs. vlan-id2 ] | all }
Display hybrid ports or trunk ports on the
display port { hybrid | trunk }
device.

Display information about protocol-based display protocol-vlan interface

VLANs that are associated with the { interface-type interface-number1 [ to
specified ports. interface-type interface-number2 ] | all }
Display information about protocol-based display protocol-vlan vlan { vlan-id1 [ to
VLANs. vlan-id2 ] | all }
display vlan [ vlan-id1 [ to vlan-id2 ] | all
Display VLAN information.
| dynamic | reserved | static ]
Display brief VLAN information. display vlan brief
Display VLAN group information. display vlan-group [ group-name ]
reset counters interface [ vlan-interface
Clear statistics on a VLAN interface.
[ interface-number ] ]
display mac-vlan { all | dynamic |
Display MAC-to-VLAN entries. mac-address mac-address [ mask mac-mask ]
| static | vlan vlan-id }
Display all ports that are enabled with the
display mac-vlan interface
MAC-based VLAN feature.

VLAN configuration examples

Example: Configuring port-based VLANs
Network configuration
As shown in Figure 68:
• Host A and Host C belong to Department A. VLAN 100 is assigned to Department A.

223
 • Host B and Host D belong to Department B. VLAN 200 is assigned to Department B.
Configure port-based VLANs so that only hosts in the same department can communicate with each
other.
Figure 68 Network diagram
GE1/0/3 GE1/0/3
Device A Device B
GE1/0/1 GE1/0/2 GE1/0/1 GE1/0/2

Host A Host B Host C Host D

VLAN 100 VLAN 200 VLAN 100 VLAN 200

Procedure
1. Configure Device A:
# Create VLAN 100, and assign GigabitEthernet 1/0/1 to VLAN 100.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] port gigabitethernet 1/0/1
[DeviceA-vlan100] quit
# Create VLAN 200, and assign GigabitEthernet 1/0/2 to VLAN 200.
[DeviceA] vlan 200
[DeviceA-vlan200] port gigabitethernet 1/0/2
[DeviceA-vlan200] quit
# Configure GigabitEthernet 1/0/3 as a trunk port, and assign the port to VLANs 100 and 200.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-type trunk
[DeviceA-GigabitEthernet1/0/3] port trunk permit vlan 100 200
Please wait... Done.
2. Configure Device B in the same way Device A is configured. (Details not shown.)
3. Configure hosts:
a. Configure Host A and Host C to be on the same IP subnet. For example, 192.168.100.0/24.
b. Configure Host B and Host D to be on the same IP subnet. For example, 192.168.200.0/24.
Verifying the configuration
# Verify that Host A and Host C can ping each other, but they both fail to ping Host B and Host D.
(Details not shown.)
# Verify that Host B and Host D can ping each other, but they both fail to ping Host A and Host C.
(Details not shown.)
# Verify that VLANs 100 and 200 are correctly configured on Device A.
[DeviceA-GigabitEthernet1/0/3] display vlan 100
VLAN ID: 100
VLAN type: Static
Route interface: Not configured
Description: VLAN 0100
Name: VLAN 0100
Tagged ports:

224
 GigabitEthernet1/0/3
Untagged ports:
GigabitEthernet1/0/1
[DeviceA-GigabitEthernet1/0/3] display vlan 200
VLAN ID: 200
VLAN type: Static
Route interface: Not configured
Description: VLAN 0200
Name: VLAN 0200
Tagged ports:
GigabitEthernet1/0/3
Untagged ports:
GigabitEthernet1/0/2

Example: Configuring MAC-based VLANs

Network configuration
As shown in Figure 69:
• GigabitEthernet 1/0/1 of Device A and Device C are each connected to a meeting room. Laptop
1 and Laptop 2 are used for meetings and might be used in either of the two meeting rooms.
• One department uses VLAN 100 and owns Laptop 1. The other department uses VLAN 200
and owns Laptop 2.
Configure MAC-based VLANs, so that Laptop 1 and Laptop 2 can access Server 1 and Server 2,
respectively, no matter which meeting room they are used in.
Figure 69 Network diagram

VLAN 100 VLAN 200

Server1 Server2
IP: 1.1.1.1/24 IP: 1.1.2.1/24

GE1/0/3 GE1/0/4

GE1/0/1 GE1/0/2
Device B

GE1/0/2 GE1/0/2

Device A Device C
GE1/0/1 GE1/0/1

VLAN 100 VLAN 200

Laptop1 Laptop2
IP: 1.1.1.2/24 IP: 1.1.2.2/24
MAC: 000d-88f8-4e71 MAC: 0014-222c-aa69

Procedure
1. Configure Device A:
# Create VLANs 100 and 200.

225
 <DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] quit
[DeviceA] vlan 200
[DeviceA-vlan200] quit
# Associate the MAC addresses of Laptop 1 and Laptop 2 with VLANs 100 and 200,
respectively.
[DeviceA] mac-vlan mac-address 000d-88f8-4e71 vlan 100
[DeviceA] mac-vlan mac-address 0014-222c-aa69 vlan 200
# Configure GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as an
untagged VLAN member.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-type hybrid
[DeviceA-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged
# Enable the MAC-based VLAN feature on GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] mac-vlan enable
[DeviceA-GigabitEthernet1/0/1] quit
# Configure the uplink port (GigabitEthernet 1/0/2) as a trunk port, and assign it to VLANs 100
and 200.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[DeviceA-GigabitEthernet1/0/2] quit
2. Configure Device B:
# Create VLAN 100, and assign GigabitEthernet 1/0/3 to VLAN 100.
<DeviceB> system-view
[DeviceB] vlan 100
[DeviceB-vlan100] port gigabitethernet 1/0/3
[DeviceB-vlan100] quit
# Create VLAN 200 and assign GigabitEthernet 1/0/4 to VLAN 200.
[DeviceB] vlan 200
[DeviceB-vlan200] port gigabitethernet 1/0/4
[DeviceB-vlan200] quit
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLANs 100 and 200.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[DeviceB-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLANs 100 and 200.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[DeviceB-GigabitEthernet1/0/2] quit
3. Configure Device C in the same way as the Device A is configured. (Details not shown.)
Verifying the configuration
# Verify that Laptop 1 can access only Server 1, and Laptop 2 can access only Server 2. (Details not
shown.)

226
 # Verify the MAC-to-VLAN entries on Device A and Device C, for example, on Device A.
[DeviceA] display mac-vlan all
The following MAC VLAN addresses exist:
S:Static D:Dynamic
MAC address Mask VLAN ID Dot1p State
000d-88f8-4e71 ffff-ffff-ffff 100 0 S
0014-222c-aa69 ffff-ffff-ffff 200 0 S

Total MAC VLAN address count: 2

Example: Configuring IP subnet-based VLANs

Network configuration
As shown in Figure 70, the hosts in the office belong to different IP subnets.
Configure Device C to transmit packets from 192.168.5.0/24 and 192.168.50.0/24 in VLANs 100 and
200, respectively.
Figure 70 Network diagram

Device A Device B

VLAN 100 VLAN 200

GE1/0/2 GE1/0/3

Device C

GE1/0/1

192.168.5.0/24 192.168.50.0/24
Office

Procedure
1. Configure Device C:
# Associate IP subnet 192.168.5.0/24 with VLAN 100.
<DeviceC> system-view
[DeviceC] vlan 100
[DeviceC-vlan100] ip-subnet-vlan ip 192.168.5.0 255.255.255.0
[DeviceC-vlan100] quit
# Associate IP subnet 192.168.50.0/24 with VLAN 200.
[DeviceC] vlan 200

227
 [DeviceC-vlan200] ip-subnet-vlan ip 192.168.50.0 255.255.255.0
[DeviceC-vlan200] quit
# Configure GigabitEthernet 1/0/2 as a hybrid port, and assign it to VLAN 100 as a tagged
VLAN member.
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] port link-type hybrid
[DeviceC-GigabitEthernet1/0/2] port hybrid vlan 100 tagged
[DeviceC-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 as a hybrid port, and assign it to VLAN 200 as a tagged
VLAN member.
[DeviceC] interface gigabitethernet 1/0/3
[DeviceC-GigabitEthernet1/0/3] port link-type hybrid
[DeviceC-GigabitEthernet1/0/3] port hybrid vlan 200 tagged
[DeviceC-GigabitEthernet1/0/3] quit
# Configure GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as an
untagged VLAN member.
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] port link-type hybrid
[DeviceC-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged
# Associate GigabitEthernet 1/0/1 with the IP subnet-based VLANs 100 and 200.
[DeviceC-GigabitEthernet1/0/1] port hybrid ip-subnet-vlan vlan 100
[DeviceC-GigabitEthernet1/0/1] port hybrid ip-subnet-vlan vlan 200
[DeviceC-GigabitEthernet1/0/1] quit
2. Configure Device A and Device B to forward packets from VLANs 100 and 200, respectively.
(Details not shown.)
Verifying the configuration
# Verify the IP subnet-based VLAN configuration on Device C.
[DeviceC] display ip-subnet-vlan vlan all
VLAN ID: 100
Subnet index IP address Subnet mask
0 192.168.5.0 255.255.255.0

VLAN ID: 200

Subnet index IP address Subnet mask
0 192.168.50.0 255.255.255.0

# Verify the IP subnet-based VLAN configuration on GigabitEthernet 1/0/1 of Device C.

[DeviceC] display ip-subnet-vlan interface gigabitethernet 1/0/1
Interface: GigabitEthernet1/0/1
VLAN ID Subnet index IP address Subnet mask Status
100 0 192.168.5.0 255.255.255.0 Active
200 0 192.168.50.0 255.255.255.0 Active

Example: Configuring protocol-based VLANs

Network configuration
As shown in Figure 71:
• The majority of hosts in a lab environment run the IPv4 protocol.

228
 • The other hosts run the IPv6 protocol for teaching purposes.
To isolate IPv4 and IPv6 traffic at Layer 2, configure protocol-based VLANs to associate the IPv4 and
ARP protocols with VLAN 100, and associate the IPv6 protocol with VLAN 200.
Figure 71 Network diagram
VLAN 100 VLAN 200

IPv4 server IPv6 server

GE1/0/3
GE1/0/4

GE1/0/1 GE1/0/2
Device

L2 switch A L2 switch B

IPv4 host A IPv6 host A IPv4 host B IPv6 host B

VLAN 100 VLAN 200 VLAN 100 VLAN 200

Procedure
In this example, L2 Switch A and L2 Switch B use the factory configuration.
1. Configure Device:
# Create VLAN 100, and configure the description for VLAN 100 as protocol VLAN for IPv4.
<Device> system-view
[Device] vlan 100
[Device-vlan100] description protocol VLAN for IPv4
# Assign GigabitEthernet 1/0/3 to VLAN 100.
[Device-vlan100] port gigabitethernet 1/0/3
[Device-vlan100] quit
# Create VLAN 200, and configure the description for VLAN 200 as protocol VLAN for IPv6.
[Device] vlan 200
[Device-vlan200] description protocol VLAN for IPv6
# Assign GigabitEthernet 1/0/4 to VLAN 200.
[Device-vlan200] port gigabitethernet 1/0/4
# Configure VLAN 200 as a protocol-based VLAN, and create an IPv6 protocol template with
the index 1 for VLAN 200.
[Device-vlan200] protocol-vlan 1 ipv6
[Device-vlan200] quit
# Configure VLAN 100 as a protocol-based VLAN. Create an IPv4 protocol template with the
index 1, and create an ARP protocol template with the index 2. (In Ethernet II encapsulation, the
protocol type ID for ARP is 0806 in hexadecimal notation.)
[Device] vlan 100
[Device-vlan100] protocol-vlan 1 ipv4

229
 [Device-vlan100] protocol-vlan 2 mode ethernetii etype 0806
[Device-vlan100] quit
# Configure GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as an
untagged VLAN member.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port link-type hybrid
[Device-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged
# Associate GigabitEthernet 1/0/1 with the IPv4 and ARP protocol templates of VLAN 100 and
the IPv6 protocol template of VLAN 200.
[Device-GigabitEthernet1/0/1] port hybrid protocol-vlan vlan 100 1 to 2
[Device-GigabitEthernet1/0/1] port hybrid protocol-vlan vlan 200 1
[Device-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a hybrid port, and assign it to VLANs 100 and 200 as an
untagged VLAN member.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] port link-type hybrid
[Device-GigabitEthernet1/0/2] port hybrid vlan 100 200 untagged
# Associate GigabitEthernet 1/0/2 with the IPv4 and ARP protocol templates of VLAN 100 and
the IPv6 protocol template of VLAN 200.
[Device-GigabitEthernet1/0/2] port hybrid protocol-vlan vlan 100 1 to 2
[Device-GigabitEthernet1/0/2] port hybrid protocol-vlan vlan 200 1
[Device-GigabitEthernet1/0/2] quit
2. Configure hosts and servers:
a. Configure IPv4 Host A, IPv4 Host B, and IPv4 server to be on the same network segment
(192.168.100.0/24, for example). (Details not shown.)
b. Configure IPv6 Host A, IPv6 Host B, and IPv6 server to be on the same network segment
(2001::1/64, for example). (Details not shown.)
Verifying the configuration
1. Verify the following:
 The hosts and the server in VLAN 100 can successfully ping one another. (Details not
shown.)
 The hosts and the server in VLAN 200 can successfully ping one another. (Details not
shown.)
 The hosts or the server in VLAN 100 cannot ping the hosts or server in VLAN 200. (Details
not shown.)
2. Verify the protocol-based VLAN configuration:
# Display protocol-based VLANs on Device.
[Device] display protocol-vlan vlan all
VLAN ID: 100
Protocol index Protocol type
1 IPv4
2 Ethernet II Etype 0x0806

VLAN ID: 200

Protocol index Protocol type
1 IPv6
# Display protocol-based VLANs on the ports of Device.
[Device] display protocol-vlan interface all

230
Interface: GigabitEthernet1/0/1
VLAN ID Protocol index Protocol type Status
100 1 IPv4 Active
100 2 Ethernet II Etype 0x0806 Active
200 1 IPv6 Active

Interface: GigabitEthernet 1/0/2

VLAN ID Protocol index Protocol type Status
100 1 IPv4 Active
100 2 Ethernet II Etype 0x0806 Active
200 1 IPv6 Active

231
Configuring super VLANs
About super VLANs
Hosts in a VLAN typically use IP addresses in the same subnet. For Layer 3 interoperability with
other VLANs, you can create a VLAN interface for the VLAN and assign an IP address to it. This
requires a large number of IP addresses.
The super VLAN feature was introduced to save IP addresses. A super VLAN is associated with
multiple sub-VLANs. These sub-VLANs use the VLAN interface of the super VLAN (also known as a
super VLAN interface) as the gateway for Layer 3 communication.
You can create a VLAN interface for a super VLAN and assign an IP address to it. However, you
cannot create a VLAN interface for a sub-VLAN. You can assign a physical port to a sub-VLAN, but
you cannot assign a physical port to a super VLAN. Sub-VLANs are isolated at Layer 2.
To enable Layer 3 communication between sub-VLANs, perform the following tasks:
1. Create a super VLAN and the VLAN interface for the super VLAN.
2. Enable local proxy ARP or ND on the super VLAN interface as follows:
 In an IPv4 network, enable local proxy ARP on the super VLAN interface. The super VLAN
can then process ARP requests and replies sent from the sub-VLANs.
 In an IPv6 network, enable local proxy ND on the super VLAN interface. The super VLAN
can then process the NS and NA messages sent from the sub-VLANs.

Restrictions and guidelines: Super VLAN

configuration
• The VLAN of a MAC address-to-VLAN entry cannot be configured as a super VLAN.
• A VLAN cannot be configured as both a super VLAN and a guest VLAN, Auth-Fail VLAN, or
critical VLAN. For more information about guest VLANs, Auth-Fail VLANs, and critical VLANs,
see Security Configuration Guide.
• A VLAN cannot be configured as both a super VLAN and a sub-VLAN.
• Layer 2 multicast configuration for super VLANs does not take effect because they do not have
physical ports.

Super VLAN tasks at a glance

To configure a super VLAN, perform the following tasks:
1. Creating a sub-VLAN
2. Configuring a super VLAN
3. Configuring a super VLAN interface

Creating a sub-VLAN
1. Enter system view.
system-view
2. Create a sub-VLAN.

232
 vlan vlan-id-list
By default, only the system default VLAN (VLAN 1) exists.

Configuring a super VLAN

1. Enter system view.
system-view
2. Enter VLAN view.
vlan vlan-id
3. Configure the VLAN as a super VLAN.
supervlan
By default, a VLAN is not a super VLAN.
4. Associate the super VLAN with the sub-VLANs.
subvlan vlan-id-list
Make sure the sub-VLANs already exist before associating them with a super VLAN.

Configuring a super VLAN interface

Restrictions and guidelines
As a best practice, do not configure VRRP for a super VLAN interface because the configuration
affects network performance. For more information about VRRP, see High Availability Configuration
Guide.
Procedure
1. Enter system view.
system-view
2. Create a VLAN interface and enter its view.
interface vlan-interface interface-number
The value for the interface-number argument must be the super VLAN ID.
3. Configure an IP address for the super VLAN interface.
IPv4:
ip address ip-address { mask-length | mask } [ sub ]
IPv6:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
By default, no IP address is configured for a VLAN interface.
4. Configure Layer 3 communication between sub-VLANs by enabling local proxy ARP or ND.
IPv4:
local-proxy-arp enable
By default:
 Sub-VLANs cannot communicate with each other at Layer 3.
 Local proxy ARP is disabled.
For more information about local proxy ARP, see Layer 3—IP Services Configuration Guide.
IPv6:
local-proxy-nd enable
By default:

233
  Sub-VLANs cannot communicate with each other at Layer 3.
 Local proxy ND is disabled.
For more information about local proxy ND, see Layer 3—IP Services Configuration Guide.

Display and maintenance commands for super

VLANs
Execute display commands in any view.

Task Command
Display information about super VLANs and their
display supervlan [ supervlan-id ]
associated sub-VLANs.

Super VLAN configuration examples

Example: Configuring a super VLAN
Network configuration
As shown in Figure 72:
• GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are in VLAN 2.
• GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 are in VLAN 3.
• GigabitEthernet 1/0/5 and GigabitEthernet 1/0/6 are in VLAN 5.
To save IP addresses and enable sub-VLANs to be isolated at Layer 2 but interoperable at Layer 3,
perform the following tasks:
• Create a super VLAN and assign an IP address to its VLAN interface.
• Associate the super VLAN with VLANs 2, 3, and 5.
Figure 72 Network diagram

VLAN 2

GE1/0/1 GE1/0/2
Vlan-int10
GE1/0/3 10.1.1.1/24
GE1/0/4
Device A
VLAN 3 GE1/0/5 GE1/0/6 Device B

VLAN 5

Procedure
# Create VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] quit

234
 # Create VLAN-interface 10, and assign IP address 10.1.1.1/24 to it.
[DeviceA] interface vlan-interface 10
[DeviceA-Vlan-interface10] ip address 10.1.1.1 255.255.255.0

# Enable local proxy ARP.

[DeviceA-Vlan-interface10] local-proxy-arp enable
[DeviceA-Vlan-interface10] quit

# Create VLAN 2, and assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to the VLAN.
[DeviceA] vlan 2
[DeviceA-vlan2] port gigabitethernet 1/0/1 gigabitethernet 1/0/2
[DeviceA-vlan2] quit

# Create VLAN 3, and assign GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to the VLAN.
[DeviceA] vlan 3
[DeviceA-vlan3] port gigabitethernet 1/0/3 gigabitethernet 1/0/4
[DeviceA-vlan3] quit

# Create VLAN 5, and assign GigabitEthernet 1/0/5 and GigabitEthernet 1/0/6 to the VLAN.
[DeviceA] vlan 5
[DeviceA-vlan5] port gigabitethernet 1/0/5 gigabitethernet 1/0/6
[DeviceA-vlan5] quit

# Configure VLAN 10 as a super VLAN, and associate sub-VLANs 2, 3, and 5 with the super VLAN.
[DeviceA] vlan 10
[DeviceA-vlan10] supervlan
[DeviceA-vlan10] subvlan 2 3 5
[DeviceA-vlan10] quit
[DeviceA] quit

Verifying the configuration

# Display information about super VLAN 10 and its associated sub-VLANs.
<DeviceA> display supervlan
Super VLAN ID: 10
Sub-VLAN ID: 2-3 5
VLAN ID: 10
VLAN type: Static
It is a super VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0010
Name: VLAN 0010
Tagged ports: None
Untagged ports: None
VLAN ID: 2
VLAN type: Static
It is a sub VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0002
Name: VLAN 0002

235
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/1
GigabitEthernet1/0/2
VLAN ID: 3
VLAN type: Static
It is a sub VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0003
Name: VLAN 0003
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/3
GigabitEthernet1/0/4
VLAN ID: 5
VLAN type: Static
It is a sub VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0005
Name: VLAN 0005
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/5
GigabitEthernet1/0/6

236
Configuring private VLAN
About private VLAN
VLAN technology provides a method for isolating traffic from customers. At the access layer of a
network, customer traffic must be isolated for security or accounting purposes. If VLANs are
assigned on a per-user basis, a large number of VLANs will be required.
The private VLAN feature saves VLAN resources. It uses a two-tier VLAN structure as follows:
• Primary VLAN—Used for connecting the upstream device. A primary VLAN can be associated
with multiple secondary VLANs. The upstream device identifies only the primary VLAN.
• Secondary VLANs—Used for connecting users. Secondary VLANs are isolated at Layer 2. To
implement Layer 3 communication between secondary VLANs associated with the primary
VLAN, enable local proxy ARP or ND on the upstream device (for example, L3 Device A in
Figure 73).
As shown in Figure 73, the private VLAN feature is enabled on L2 Device B. VLAN 10 is the primary
VLAN. VLANs 2, 5, and 8 are secondary VLANs that are associated with VLAN 10. L3 Device A is
only aware of VLAN 10.
Figure 73 Private VLAN example

L3 Device A

VLAN 10

VLAN 10

L2 Device B

VLAN 2 VLAN 5 VLAN 8

If the private VLAN feature is configured on a Layer 3 device, use one of the following methods on
the Layer 3 device to enable Layer 3 communication. Layer 3 communication might be required
between secondary VLANs that are associated with the same primary VLAN, or between secondary
VLANs and other networks.
• Method 1:
a. Create VLAN interfaces for the secondary VLANs.
b. Assign IP addresses to the secondary VLAN interfaces.
• Method 2:
c. Enable Layer 3 communication between the secondary VLANs that are associated with the
primary VLAN.
d. Create the VLAN interface for the primary VLAN and assign an IP address to it. (Do not
create secondary VLAN interfaces if you use this method.)
e. Enable local proxy ARP or ND on the primary VLAN interface.

237
Restrictions and guidelines: Private VLAN
configuration
• Make sure the following requirements are met:
 For a promiscuous port:
− The primary VLAN is the PVID of the port.
− The port is an untagged member of the primary VLAN and secondary VLANs.
 For a host port:
− The PVID of the port is a secondary VLAN.
− The port is an untagged member of the primary VLAN and the secondary VLAN.
 A trunk promiscuous or trunk secondary port must be a tagged member of the primary
VLANs and the secondary VLANs.
• VLAN 1 (system default VLAN) does not support the private VLAN configuration.

Private VLAN tasks at a glance

To configure a private VLAN, perform the following tasks:
1. Creating a primary VLAN
2. Creating secondary VLANs
3. Associating the primary VLAN with secondary VLANs
4. Configuring the uplink port
5. Configuring a downlink port
6. (Optional.) Configuring Layer 3 communication for secondary VLANs

Creating a primary VLAN

1. Enter system view.
system-view
2. Create a VLAN and enter VLAN view.
vlan vlan-id
3. Configure the VLAN as a primary VLAN.
private-vlan primary
By default, a VLAN is not a primary VLAN.

Creating secondary VLANs

1. Enter system view.
system-view
2. Create one or multiple secondary VLANs.
vlan { vlan-id-list | all }

238
Associating the primary VLAN with secondary
VLANs
1. Enter system view.
system-view
2. Create enter VLAN view of the primary VLAN.
vlan vlan-id
3. Associate the primary VLAN with the secondary VLANs.
private-vlan secondary vlan-id-list
By default, a primary VLAN is not associated with any secondary VLANs.

Configuring the uplink port

About this task
Configure the uplink port (for example, the port connecting L2 Device B to L3 Device A in Figure 73)
as follows:
• If the port allows only one primary VLAN, configure the port as a promiscuous port of the
primary VLAN. The promiscuous port can be automatically assigned to the primary VLAN and
its associated secondary VLANs.
• If the port allows multiple primary VLANs, configure the port as a trunk promiscuous port of the
primary VLANs. The trunk promiscuous port can be automatically assigned to the primary
VLANs and their associated secondary VLANs.
Procedure
1. Enter system view.
system-view
2. Enter interface view of the uplink port.
interface interface-type interface-number
3. Configure the uplink port as a promiscuous or trunk promiscuous port of the specified VLANs.
 Configure the uplink port as a promiscuous port of the specified VLAN.
port private-vlan vlan-id promiscuous
 Configure the uplink port as a trunk promiscuous port of the specified VLANs.
port private-vlan vlan-id-list trunk promiscuous
By default, a port is not a promiscuous or trunk promiscuous port of any VLANs.

Configuring a downlink port

About this task
Configure a downlink port as follows:
• If a downlink port allows only one secondary VLAN (for example, the port connecting L2 Device
B to a host in Figure 73), configure the port as a host port. The host port can be automatically
assigned to the secondary VLAN and its associated primary VLAN.
• If a downlink port allows multiple secondary VLANs, configure the port as a trunk secondary
port. The trunk secondary port can be automatically assigned to the secondary VLANs and their
associated primary VLANs.

239
Procedure
1. Enter system view.
system-view
2. Enter interface view of the downlink port.
interface interface-type interface-number
3. Assign the downlink port to secondary VLANs.
a. Set the link type of the port.
port link-type { access | hybrid | trunk }
b. Assign the access port to the specified VLAN.
port access vlan vlan-id
c. Assign the trunk port to the specified VLANs.
port trunk permit vlan { vlan-id-list | all }
d. Assign the hybrid port to the specified VLANs.
port hybrid vlan vlan-id-list { tagged | untagged }
Select substep b, c, or d depending on the port link type.
4. Configure the downlink port as a host or trunk secondary port.
 Configure the downlink port as a host port.
port private-vlan host
 Configure the downlink port as a trunk secondary port of the specified VLANs.
port private-vlan vlan-id-list trunk secondary
By default, a port is not a host or trunk secondary port.
5. Return to system view.
quit
6. Enter VLAN view of a secondary VLAN.
vlan vlan-id
7. (Optional.) Enable Layer 2 communication for ports in the same secondary VLAN. Choose one
command as needed:
undo private-vlan isolated
private-vlan community
By default, ports in the same secondary VLAN can communicate with each other at Layer 2.

Configuring Layer 3 communication for secondary

VLANs
1. Enter system view.
system-view
2. Enter VLAN interface view of the primary VLAN interface.
interface vlan-interface interface-number
3. Enable Layer 3 communication between secondary VLANs that are associated with the primary
VLAN.
private-vlan secondary vlan-id-list
By default, secondary VLANs cannot communicate with each other at Layer 3.
4. Assign an IP address to the primary VLAN interface.

240
 IPv4:
ip address ip-address { mask-length | mask } [ sub ]
IPv6:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
By default, no IP address is configured for a VLAN interface.
5. Enable local proxy ARP or ND.
IPv4:
local-proxy-arp enable
By default, local proxy ARP is disabled.
For more information about local proxy ARP, see Layer 3—IP Services Configuration Guide.
IPv6:
local-proxy-nd enable
By default, local proxy ND is disabled.
For more information about local proxy ND, see Layer 3—IP Services Configuration Guide.

Display and maintenance commands for the

private VLAN
Execute display commands in any view.

Task Command
Display information about primary VLANs and the display private-vlan
secondary VLANs associated with each primary VLAN. [ primary-vlan-id ]

Private VLAN configuration examples

Example: Configuring promiscuous ports
Network configuration
As shown in Figure 74, configure the private VLAN feature to meet the following requirements:
• On Device B, VLAN 5 is a primary VLAN that is associated with secondary VLANs 2 and 3.
GigabitEthernet 1/0/5 is in VLAN 5. GigabitEthernet 1/0/2 is in VLAN 2. GigabitEthernet 1/0/3 is
in VLAN 3.
• On Device C, VLAN 6 is a primary VLAN that is associated with secondary VLANs 3 and 4.
GigabitEthernet 1/0/5 is in VLAN 6. GigabitEthernet 1/0/3 is in VLAN 3. GigabitEthernet 1/0/4 is
in VLAN 4.
• Device A is aware of only VLAN 5 on Device B and VLAN 6 on Device C.

241
 Figure 74 Network diagram
Device A

VLAN 5 Device B Device C VLAN 6

GE1/0/5 GE1/0/5

GE1/0/3 GE1/0/2 GE1/0/3 GE1/0/4

Host A Host B Host C Host D

VLAN 3 VLAN 2 VLAN 3 VLAN 4

Procedure
This example describes the configurations on Device B and Device C.
1. Configure Device B:
# Configure VLAN 5 as a primary VLAN.
<DeviceB> system-view
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan primary
[DeviceB-vlan5] quit
# Create VLANs 2 and 3.
[DeviceB] vlan 2 to 3
# Associate secondary VLANs 2 and 3 with primary VLAN 5.
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan secondary 2 to 3
[DeviceB-vlan5] quit
# Configure the uplink port (GigabitEthernet 1/0/5) as a promiscuous port of VLAN 5.
[DeviceB] interface gigabitethernet 1/0/5
[DeviceB-GigabitEthernet1/0/5] port private-vlan 5 promiscuous
[DeviceB-GigabitEthernet1/0/5] quit
# Assign downlink port GigabitEthernet 1/0/2 to VLAN 2, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port access vlan 2
[DeviceB-GigabitEthernet1/0/2] port private-vlan host
[DeviceB-GigabitEthernet1/0/2] quit
# Assign downlink port GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port access vlan 3
[DeviceB-GigabitEthernet1/0/3] port private-vlan host
[DeviceB-GigabitEthernet1/0/3] quit

242
 2. Configure Device C:
# Configure VLAN 6 as a primary VLAN.
<DeviceC> system-view
[DeviceC] vlan 6
[DeviceC–vlan6] private-vlan primary
[DeviceC–vlan6] quit
# Create VLANs 3 and 4.
[DeviceC] vlan 3 to 4
# Associate secondary VLANs 3 and 4 with primary VLAN 6.
[DeviceC] vlan 6
[DeviceC-vlan6] private-vlan secondary 3 to 4
[DeviceC-vlan6] quit
# Configure the uplink port (GigabitEthernet 1/0/5) as a promiscuous port of VLAN 6.
[DeviceC] interface gigabitethernet 1/0/5
[DeviceC-GigabitEthernet1/0/5] port private-vlan 6 promiscuous
[DeviceC-GigabitEthernet1/0/5] quit
# Assign downlink port GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host port.
[DeviceC] interface gigabitethernet 1/0/3
[DeviceC-GigabitEthernet1/0/3] port access vlan 3
[DeviceC-GigabitEthernet1/0/3] port private-vlan host
[DeviceC-GigabitEthernet1/0/3] quit
# Assign downlink port GigabitEthernet 1/0/4 to VLAN 4, and configure the port as a host port.
[DeviceC] interface gigabitethernet 1/0/4
[DeviceC-GigabitEthernet1/0/4] port access vlan 4
[DeviceC-GigabitEthernet1/0/4] port private-vlan host
[DeviceC-GigabitEthernet1/0/4] quit

Verifying the configuration

# Verify the private VLAN configurations on the devices, for example, on Device B.
[DeviceB] display private-vlan
Primary VLAN ID: 5
Secondary VLAN ID: 2-3

VLAN ID: 5
VLAN type: Static
Private VLAN type: Primary
Route interface: Not configured
Description: VLAN 0005
Name: VLAN 0005
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/2
GigabitEthernet1/0/3
GigabitEthernet1/0/5

VLAN ID: 2
VLAN type: Static
Private VLAN type: Secondary

243
 Route interface: Not configured
Description: VLAN 0002
Name: VLAN 0002
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/2
GigabitEthernet1/0/5

VLAN ID: 3
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0003
Name: VLAN 0003
Tagged Ports: None
Untagged Ports:
GigabitEthernet1/0/3
GigabitEthernet1/0/5

The output shows that:

• The promiscuous port (GigabitEthernet 1/0/5) is an untagged member of primary VLAN 5 and
secondary VLANs 2 and 3.
• Host port GigabitEthernet 1/0/2 is an untagged member of primary VLAN 5 and secondary
VLAN 2.
• Host port GigabitEthernet 1/0/3 is an untagged member of primary VLAN 5 and secondary
VLAN 3.

Example: Configuring trunk promiscuous ports

Network configuration
As shown in Figure 75, configure the private VLAN feature to meet the following requirements:
• VLANs 5 and 10 are primary VLANs on Device B. The uplink port (GigabitEthernet 1/0/1) on
Device B permits the packets from VLANs 5 and 10 to pass through tagged.
• On Device B, downlink port GigabitEthernet 1/0/2 permits secondary VLAN 2. Downlink port
GigabitEthernet 1/0/3 permits secondary VLAN 3. Secondary VLANs 2 and 3 are associated
with primary VLAN 5.
• On Device B, downlink port GigabitEthernet 1/0/4 permits secondary VLAN 6. Downlink port
GigabitEthernet 1/0/5 permits secondary VLAN 8. Secondary VLANs 6 and 8 are associated
with primary VLAN 10.
• Device A is aware of only VLANs 5 and 10 on Device B.

244
 Figure 75 Network diagram

Device A

GE1/0/1 VLAN 5
VLAN 10

GE1/0/1

Device B

GE1/0/2 GE1/0/5

GE1/0/3 GE1/0/4

Host A Host B Host C Host D

VLAN 2 VLAN 3 VLAN 6 VLAN 8

Procedure
1. Configure Device B:
# Configure VLANs 5 and 10 as primary VLANs.
<DeviceB> system-view
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan primary
[DeviceB-vlan5] quit
[DeviceB] vlan 10
[DeviceB-vlan10] private-vlan primary
[DeviceB-vlan10] quit
# Create VLANs 2, 3, 6, and 8.
[DeviceB] vlan 2 to 3
[DeviceB] vlan 6
[DeviceB-vlan6] quit
[DeviceB] vlan 8
[DeviceB-vlan8] quit
# Associate secondary VLANs 2 and 3 with primary VLAN 5.
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan secondary 2 to 3
[DeviceB-vlan5] quit
# Associate secondary VLANs 6 and 8 with primary VLAN 10.
[DeviceB] vlan 10
[DeviceB-vlan10] private-vlan secondary 6 8
[DeviceB-vlan10] quit
# Configure the uplink port (GigabitEthernet 1/0/1) as a trunk promiscuous port of VLANs 5 and
10.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port private-vlan 5 10 trunk promiscuous
[DeviceB-GigabitEthernet1/0/1] quit

245
 # Assign downlink port GigabitEthernet 1/0/2 to VLAN 2, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port access vlan 2
[DeviceB-GigabitEthernet1/0/2] port private-vlan host
[DeviceB-GigabitEthernet1/0/2] quit
# Assign downlink port GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port access vlan 3
[DeviceB-GigabitEthernet1/0/3] port private-vlan host
[DeviceB-GigabitEthernet1/0/3] quit
# Assign downlink port GigabitEthernet 1/0/4 to VLAN 6, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/4
[DeviceB-GigabitEthernet1/0/4] port access vlan 6
[DeviceB-GigabitEthernet1/0/4] port private-vlan host
[DeviceB-GigabitEthernet1/0/4] quit
# Assign downlink port GigabitEthernet 1/0/5 to VLAN 8, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/5
[DeviceB-GigabitEthernet1/0/5] port access vlan 8
[DeviceB-GigabitEthernet1/0/5] port private-vlan host
[DeviceB-GigabitEthernet1/0/5] quit
2. Configure Device A:
# Create VLANs 5 and 10.
[DeviceA] vlan 5
[DeviceA-vlan5] quit
[DeviceA] vlan 10
[DeviceA-vlan10] quit
# Configure GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 5 and 10 as a tagged
VLAN member.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-type hybrid
[DeviceA-GigabitEthernet1/0/1] port hybrid vlan 5 10 tagged
[DeviceA-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify the primary VLAN configurations on Device B. The following output uses primary VLAN 5 as
an example.
[DeviceB] display private-vlan 5
Primary VLAN ID: 5
Secondary VLAN ID: 2-3

VLAN ID: 5
VLAN type: Static
Private VLAN type: Primary
Route interface: Not configured
Description: VLAN 0005
Name: VLAN 0005
Tagged ports:
GigabitEthernet1/0/1
Untagged ports:

246
 GigabitEthernet1/0/2
GigabitEthernet1/0/3

VLAN ID: 2
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0002
Name: VLAN 0002
Tagged ports:
GigabitEthernet1/0/1
Untagged ports:
GigabitEthernet1/0/2

VLAN ID: 3
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0003
Name: VLAN 0003
Tagged ports:
GigabitEthernet1/0/1
Untagged ports:
GigabitEthernet1/0/3

The output shows that:

• The trunk promiscuous port (GigabitEthernet 1/0/1) is a tagged member of primary VLAN 5 and
secondary VLANs 2 and 3.
• Host port GigabitEthernet 1/0/2 is an untagged member of primary VLAN 5 and secondary
VLAN 2.
• Host port GigabitEthernet 1/0/3 is an untagged member of primary VLAN 5 and secondary
VLAN 3.

Example: Configuring trunk promiscuous and trunk

secondary ports
Network configuration
As shown in Figure 76, configure the private VLAN feature to meet the following requirements:
• VLANs 10 and 20 are primary VLANs on Device A. The uplink port (GigabitEthernet 1/0/5) on
Device A permits the packets from VLANs 10 and 20 to pass through tagged.
• VLANs 11, 12, 21, and 22 are secondary VLANs on Device A.
 Downlink port GigabitEthernet 1/0/2 permits the packets from secondary VLANs 11 and 21
to pass through tagged.
 Downlink port GigabitEthernet 1/0/1 permits secondary VLAN 22.
 Downlink port GigabitEthernet 1/0/3 permits secondary VLAN 12.
• Secondary VLANs 11 and 12 are associated with primary VLAN 10.
• Secondary VLANs 21 and 22 are associated with primary VLAN 20.

247
 Figure 76 Network diagram

VLAN 10 VLAN 20

Device C

GE1/0/5

GE1/0/5

Device A
GE1/0/1 GE1/0/3
GE1/0/2

GE1/0/2

Device B
GE1/0/3 GE1/0/4

Host C Host D
VLAN 22 VLAN 12

Host A Host B
VLAN 11 VLAN 21

Procedure
1. Configure Device A:
# Configure VLANs 10 and 20 as primary VLANs.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan primary
[DeviceA-vlan10] quit
[DeviceA] vlan 20
[DeviceA-vlan20] private-vlan primary
[DeviceA-vlan20] quit
# Create VLANs 11, 12, 21, and 22.
[DeviceA] vlan 11 to 12
[DeviceA] vlan 21 to 22
# Associate secondary VLANs 11 and 12 with primary VLAN 10.
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan secondary 11 12
[DeviceA-vlan10] quit
# Associate secondary VLANs 21 and 22 with primary VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] private-vlan secondary 21 22
[DeviceA-vlan20] quit
# Configure the uplink port (GigabitEthernet 1/0/5) as a trunk promiscuous port of VLANs 10
and 20.

248
 [DeviceA] interface gigabitethernet 1/0/5
[DeviceA-GigabitEthernet1/0/5] port private-vlan 10 20 trunk promiscuous
[DeviceA-GigabitEthernet1/0/5] quit
# Assign downlink port GigabitEthernet 1/0/1 to VLAN 22 and configure the port as a host port.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port access vlan 22
[DeviceA-GigabitEthernet1/0/1] port private-vlan host
[DeviceA-GigabitEthernet1/0/1] quit
# Assign downlink port GigabitEthernet 1/0/3 to VLAN 12 and configure the port as a host port.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port access vlan 12
[DeviceA-GigabitEthernet1/0/3] port private-vlan host
[DeviceA-GigabitEthernet1/0/3] quit
# Configure downlink port GigabitEthernet 1/0/2 as a trunk secondary port of VLANs 11 and 21.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port private-vlan 11 21 trunk secondary
[DeviceA-GigabitEthernet1/0/2] quit
2. Configure Device B:
# Create VLANs 11 and 21.
<DeviceB> system-view
[DeviceB] vlan 11
[DeviceB-vlan11] quit
[DeviceB] vlan 21
[DeviceB-vlan21] quit
# Configure GigabitEthernet 1/0/2 as a hybrid port, and assign it to VLANs 11 and 21 as a
tagged VLAN member.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type hybrid
[DeviceB-GigabitEthernet1/0/2] port hybrid vlan 11 21 tagged
[DeviceB-GigabitEthernet1/0/2] quit
# Assign GigabitEthernet 1/0/3 to VLAN 11.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port access vlan 11
[DeviceB-GigabitEthernet1/0/3] quit
# Assign GigabitEthernet 1/0/4 to VLAN 21.
[DeviceB] interface gigabitethernet 1/0/4
[DeviceB-GigabitEthernet1/0/4] port access vlan 21
[DeviceB-GigabitEthernet1/0/4] quit
3. Configure Device C:
# Create VLANs 10 and 20.
<DeviceC> system-view
[DeviceC] vlan 10
[DeviceC-vlan10] quit
[DeviceC] vlan 20
[DeviceC-vlan20] quit
# Configure GigabitEthernet 1/0/5 as a hybrid port, and assign it to VLANs 10 and 20 as a
tagged VLAN member.
[DeviceC] interface gigabitethernet 1/0/5

249
 [DeviceC-GigabitEthernet1/0/5] port link-type hybrid
[DeviceC-GigabitEthernet1/0/5] port hybrid vlan 10 20 tagged
[DeviceC-GigabitEthernet1/0/5] quit

Verifying the configuration

# Verify the primary VLAN configurations on Device A. The following output uses primary VLAN 10
as an example.
[DeviceA] display private-vlan 10
Primary VLAN ID: 10
Secondary VLAN ID: 11-12

VLAN ID: 10
VLAN type: Static
Private-vlan type: Primary
Route interface: Not configured
Description: VLAN 0010
Name: VLAN 0010
Tagged ports:
GigabitEthernet1/0/2
GigabitEthernet1/0/5
Untagged ports:
GigabitEthernet1/0/3

VLAN ID: 11
VLAN type: Static
Private-vlan type: Secondary
Route interface: Not configured
Description: VLAN 0011
Name: VLAN 0011
Tagged ports:
GigabitEthernet1/0/2
GigabitEthernet1/0/5
Untagged ports: None

VLAN ID: 12
VLAN type: Static
Private-vlan type: Secondary
Route interface: Not configured
Description: VLAN 0012
Name: VLAN 0012
Tagged ports:
GigabitEthernet1/0/5
Untagged ports:
GigabitEthernet1/0/3

The output shows that:

• The trunk promiscuous port (GigabitEthernet 1/0/5) is a tagged member of primary VLAN 10
and secondary VLANs 11 and 12.
• The trunk secondary port (GigabitEthernet 1/0/2) is a tagged member of primary VLAN 10 and
secondary VLAN 11.

250
 • The host port (GigabitEthernet 1/0/3) is an untagged member of primary VLAN 10 and
secondary VLAN 12.

Example: Configuring Layer 3 communication for secondary

VLANs
Network configuration
As shown in Figure 77, configure the private VLAN feature to meet the following requirements:
• Primary VLAN 10 on Device A is associated with secondary VLANs 2 and 3. The IP address of
VLAN-interface 10 is 192.168.1.1/24.
• GigabitEthernet 1/0/1 belongs to VLAN 10. GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3
belong to VLAN 2 and VLAN 3, respectively.
• Secondary VLANs are isolated at Layer 2 but interoperable at Layer 3.
Figure 77 Network diagram

Device B

VLAN 10
Vlan-int10
GE1/0/1
192.168.1.1/24

Device A
GE1/0/2 GE1/0/3

VLAN 2 VLAN 3

Procedure
# Create VLAN 10 and configure it as a primary VLAN.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan primary
[DeviceA-vlan10] quit

# Create VLANs 2 and 3.

<DeviceA> system-view
[DeviceA] vlan 2 to 3

# Associate primary VLAN 10 with secondary VLANs 2 and 3.

[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan primary
[DeviceA-vlan10] private-vlan secondary 2 3
[DeviceA-vlan10] quit

# Configure the uplink port (GigabitEthernet 1/0/1) as a promiscuous port of VLAN 10.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port private-vlan 10 promiscuous
[DeviceA-GigabitEthernet1/0/1] quit

# Assign downlink port GigabitEthernet 1/0/2 to VLAN 2, and configure the port as a host port.
[DeviceA] interface gigabitethernet 1/0/2

251
 [DeviceA-GigabitEthernet1/0/2] port access vlan 2
[DeviceA-GigabitEthernet1/0/2] port private-vlan host
[DeviceA-GigabitEthernet1/0/2] quit

# Assign downlink port GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host port.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port access vlan 3
[DeviceA-GigabitEthernet1/0/3] port private-vlan host
[DeviceA-GigabitEthernet1/0/3] quit

# Enable Layer 3 communication between secondary VLANs 2 and 3 that are associated with
primary VLAN 10.
[DeviceA] interface vlan-interface 10
[DeviceA-Vlan-interface10] private-vlan secondary 2 3

# Assign IP address 192.168.1.1/24 to VLAN-interface 10.

[DeviceA-Vlan-interface10] ip address 192.168.1.1 255.255.255.0

# Enable local proxy ARP on VLAN-interface 10.

[DeviceA-Vlan-interface10] local-proxy-arp enable
[DeviceA-Vlan-interface10] quit

Verifying the configuration

# Display the configuration of primary VLAN 10.
[DeviceA] display private-vlan 10
Primary VLAN ID: 10
Secondary VLAN ID: 2-3

VLAN ID: 10
VLAN type: Static
Private VLAN type: Primary
Route interface: Configured
IPv4 address: 192.168.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0010
Name: VLAN 0010
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/1
GigabitEthernet1/0/2
GigabitEthernet1/0/3

VLAN ID: 2
VLAN type: Static
Private VLAN type: Secondary
Route interface: Configured
IPv4 address: 192.168.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0002
Name: VLAN 0002
Tagged ports: None
Untagged ports:

252
 GigabitEthernet1/0/1
GigabitEthernet1/0/2

VLAN ID: 3
VLAN type: Static
Private VLAN type: Secondary
Route interface: Configured
IPv4 address: 192.168.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0003
Name: VLAN 0003
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/1
GigabitEthernet1/0/3

The Route interface field in the output is Configured, indicating that secondary VLANs 2 and 3 are
interoperable at Layer 3.

253
Configuring voice VLANs
About voice VLANs
A voice VLAN is used for transmitting voice traffic. The device can configure QoS parameters for
voice packets to ensure higher transmission priority of the voice packets.
Common voice devices include IP phones and integrated access devices (IADs). This chapter uses
IP phones as an example.

Working mechanism
When an IP phone accesses a device, the device performs the following operations:
1. Identifies the IP phone in the network and obtains the MAC address of the IP phone.
2. Advertises the voice VLAN information to the IP phone.
After receiving the voice VLAN information, the IP phone performs automatic configuration. Voice
packets sent from the IP phone can then be transmitted within the voice VLAN.

Methods of identifying IP phones

Devices can use the OUI addresses or LLDP to identify IP phones.
Identifying IP phones through OUI addresses
A device identifies voice packets based on their source MAC addresses. A packet whose source
MAC address complies with an Organizationally Unique Identifier (OUI) address of the device is
regarded as a voice packet.
You can use system default OUI addresses (see Table 22) or configure OUI addresses for the device.
You can manually remove or add the system default OUI addresses.
Table 22 Default OUI addresses

Number OUI address Vendor

1 0001-e300-0000 Siemens phone
2 0003-6b00-0000 Cisco phone
3 0004-0d00-0000 Avaya phone
4 000f-e200-0000 H3C Aolynk phone
5 0060-b900-0000 Philips/NEC phone
6 00d0-1e00-0000 Pingtel phone
7 00e0-7500-0000 Polycom phone
8 00e0-bb00-0000 3Com phone

Typically, an OUI address refers to the first 24 bits of a MAC address (in binary notation) and is a
globally unique identifier that IEEE assigns to a vendor. However, OUI addresses in this chapter are
addresses that the system uses to identify voice packets. They are the logical AND results of the
mac-address and oui-mask arguments in the voice-vlan mac-address command.

254
Automatically identifying IP phones through LLDP
If IP phones support LLDP, configure LLDP for automatic IP phone discovery on the device. The
device can then automatically discover the peer through LLDP, and exchange LLDP TLVs with the
peer.
If the LLDP System Capabilities TLV received on a port indicates that the peer can act as a telephone,
the device performs the following operations:
1. Sends an LLDP TLV with the voice VLAN configuration to the peer.
2. Assigns the receiving port to the voice VLAN.
3. Increases the transmission priority of the voice packets sent from the IP phone.
4. Adds the MAC address of the IP phone to the MAC address table to ensure that the IP phone
can pass authentication.
Use LLDP instead of the OUI list to identify IP phones if the network has more IP phone categories
than the maximum number of OUI addresses supported on the device. LLDP has higher priority than
the OUI list.
For more information about LLDP, see "Configuring LLDP."

Advertising the voice VLAN information to IP phones

Figure 78 shows the workflow of advertising the voice VLAN information to IP phones.
Figure 78 Workflow of advertising the voice VLAN information to IP phones

Yes Advertise the

Is LLDP/CDP configured to
voice VLAN ID to the IP
advertise the voice VLAN
phone
ID?

No

Yes
Is the authorization VLAN Advertise the
received from the authorization VLAN to
authentication server? to the IP phone

No

Advertise the voice VLAN

configured on the port to the
IP phone

IP phone access methods

Connecting the host and the IP phone in series
As shown in Figure 79, the host is connected to the IP phone, and the IP phone is connected to the
device. In this scenario, the following requirements must be met:
• The host and the IP phone use different VLANs.
• The IP phone is able to send out VLAN-tagged packets, so that the device can differentiate
traffic from the host and the IP phone.
• The port connecting to the IP phone forwards packets from the voice VLAN and the PVID.

255
 Figure 79 Connecting the host and IP phone in series

Voice gateway

Host IP phone Device

Connecting the IP phone to the device

As shown in Figure 80, IP phones are connected to the device without the presence of the host. Use
this connection method when IP phones sends out untagged voice packets. In this scenario, you
must configure the voice VLAN as the PVID of the access port of the IP phone, and configure the port
to forward the packets from the PVID.
Figure 80 Connecting the IP phone to the device

Voice gateway

Device

IP phone IP phone

Voice VLAN assignment modes

A port can be assigned to a voice VLAN automatically or manually.
Automatic mode
Use automatic mode when PCs and IP phones are connected in series to access the network
through the device, as shown in Figure 79. Ports on the device transmit both voice traffic and data
traffic.
When an IP phone is powered on, it sends out protocol packets. After receiving these protocol
packets, the device uses the source MAC address of the protocol packets to match its OUI
addresses. If the match succeeds, the device performs the following operations:
• Assigns the receiving port of the protocol packets to the voice VLAN.
• Issues ACL rules to set the packet precedence.
• Starts the voice VLAN aging timer.
If no voice packet is received from the port before the aging timer expires, the device will remove the
port from the voice VLAN. The aging timer is also configurable.
When the IP phone reboots, the port is reassigned to the voice VLAN to ensure the correct operation
of the existing voice connections. The reassignment occurs automatically without being triggered by
voice traffic as long as the voice VLAN operates correctly.

256
Manual mode
Use manual mode when only IP phones access the network through the device, as shown in Figure
80. In this mode, ports are assigned to a voice VLAN that transmits voice traffic exclusively. No data
traffic affects the voice traffic transmission.
You must manually assign the port that connects to the IP phone to a voice VLAN. The device uses
the source MAC address of the received voice packets to match its OUI addresses. If the match
succeeds, the device issues ACL rules to set the packet precedence.
To remove the port from the voice VLAN, you must manually remove it.

Cooperation of voice VLAN assignment modes and IP

phones
Some IP phones send out VLAN-tagged packets, and others send out only untagged packets. For
correct packet processing, ports of different link types must meet specific configuration requirements
in different voice VLAN assignment modes.
If an IP phone sends out tagged voice traffic, and its access port is configured with 802.1X
authentication, guest VLAN, Auth-Fail VLAN, or critical VLAN, VLAN IDs must be different for the
following VLANs:
• Voice VLAN.
• PVID of the access port.
• 802.1X guest, Auth-Fail, or critical VLAN.
If an IP phone sends out untagged voice traffic, the PVID of the access port must be the voice VLAN.
In this scenario, 802.1X authentication is not supported.
Access ports do not transmit tagged packets.
Configuration requirements for transmitting tagged voice traffic

Port link Voice VLAN

Configuration requirements
type assignment mode
Automatic The PVID of the port cannot be the voice VLAN.
Trunk The PVID of the port cannot be the voice VLAN.
Manual
The port must forward packets from the voice VLAN.
Automatic The PVID of the port cannot be the voice VLAN.

Hybrid The PVID of the port cannot be the voice VLAN.

Manual The port must forward packets from the voice VLAN with VLAN
tags.

Configuration requirements for transmitting untagged voice traffic

When IP phones send out untagged packets, you must set the voice VLAN assignment mode to
manual.
Table 23 Configuration requirements for ports in manual mode to support untagged voice
traffic

Port link
Configuration requirements
type
Access The voice VLAN must be the PVID of the port.

257
 Port link
Configuration requirements
type
The voice VLAN must be the PVID of the port.
Trunk
The port must forward packets from the voice VLAN.
The voice VLAN must be the PVID of the port.
Hybrid
The port must forward packets from the voice VLAN without VLAN tags.

Security mode and normal mode of voice VLANs

Depending on the filtering mechanisms to incoming packets, a voice VLAN-enabled port can operate
in one of the following modes:
• Normal mode—The port receives voice-VLAN-tagged packets and forwards them in the voice
VLAN without examining their MAC addresses. If the PVID of the port is the voice VLAN and the
port operates in manual VLAN assignment mode, the port forwards all the received untagged
packets in the voice VLAN.
In this mode, voice VLANs are vulnerable to traffic attacks. Malicious users might send a large
number of forged voice-VLAN-tagged or untagged packets to affect voice communication.
• Security mode—The port uses the source MAC addresses of voice packets to match the OUI
addresses of the device. Packets that fail the match will be dropped.
In a safe network, you can configure the voice VLANs to operate in normal mode. This mode reduces
system resource consumption in source MAC address checking.
In either mode, the device modifies the transmission priority only for voice VLAN packets whose
source MAC addresses match OUI addresses of the device.
As a best practice, do not transmit both voice traffic and non-voice traffic in a voice VLAN. If you must
transmit different traffic in a voice VLAN, make sure the voice VLAN security mode is disabled.
Table 24 Packet processing on a voice VLAN-enabled port in normal or security mode

Voice VLAN
Packet type Packet processing
mode
• Untagged packets The port does not examine their source MAC addresses.
• Packets with the Both voice traffic and non-voice traffic can be transmitted in
Normal voice VLAN tags the voice VLAN.

Packets with other VLAN The port forwards or drops them depending on whether the
tags port permits packets from these VLANs to pass through.
• If the source MAC address of a packet matches an OUI
• Untagged packets address on the device, the packet is forwarded in the
• Packets with the voice VLAN.
Security voice VLAN tags • If the source MAC address of a packet does not match
an OUI address on the device, the packet is dropped.

Packets with other VLAN The port forwards or drops them depending on whether the
tags port permits packets from these VLANs to pass through.

258
Restrictions and guidelines: Voice VLAN
configuration
The aging timer of a voice VLAN starts only when the dynamic MAC address entry of the voice VLAN
ages out. The aging period for the voice VLAN equals the sum of the voice VLAN aging timer and the
aging timer for its dynamic MAC address entry. For more information about the aging timer for
dynamic MAC address entries, see "Configuring the MAC address table."
As a best practice, do not both configure voice VLAN and disable MAC address learning on a port. If
the two features are configured together on a port, the port forwards only packets exactly matching
the OUI addresses and drops inexactly matching packets.
As a best practice, do not configure both voice VLAN and the MAC learning limit on a port. If the two
features are configured together on a port and the port learns the configured maximum number of
MAC address entries, the port processes packets as follows:
• Forwards only packets matching the MAC address entries learnt by the port and OUI
addresses.
• Drops unmatching packets.

Voice VLAN tasks at a glance

To configure a voice VLAN, perform the following tasks:
1. Configuring the QoS priority settings for voice traffic
2. (Optional.) Configuring the ACL resource occupation mode of voice VLAN
3. Use one of the following methods:
 Configuring a port to operate in automatic voice VLAN assignment mode
 Configuring a port to operate in manual voice VLAN assignment mode
4. (Optional.) Enabling LLDP for automatic IP phone discovery
5. (Optional.) Use one of the following methods:
 Configuring LLDP to advertise a voice VLAN
 Configuring CDP to advertise a voice VLAN

Configuring the QoS priority settings for voice

traffic
About this task
The QoS priority settings carried in voice traffic include the CoS and DSCP values. You can
configure the device to modify the QoS priority settings for voice traffic.
Restrictions and guidelines
By default, a port does not trust the 802.1p priority of incoming packets. To configure the port to trust
the priority settings in incoming voice VLAN packets, you must also use the qos trust dot1p
command to set the priority trust mode to 802.1p priority on the port. For information about setting
the priority trust mode, see ACL and QoS Configuration Guide.
If you execute the voice-vlan qos and voice-vlan qos trust commands multiple times,
the most recent configuration takes effect.

259
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Configure QoS priority settings for incoming voice VLAN packets.
 Configure the port to trust the QoS priority settings.
voice-vlan qos trust
 Configure the port to modify the CoS and DSCP values.
voice-vlan qos cos-value dscp-value
By default, a port modifies the CoS and DSCP values for voice VLAN packets to 6 and 46,
respectively.
If a port trusts the QoS priority settings in incoming voice VLAN packets, the port does not
modify their CoS and DSCP values.

Configuring the ACL resource occupation mode of

voice VLAN
About this task
With voice VLAN enabled on ports, you can configure the ACL resource occupation mode of voice
VLAN as the global mode or the port mode.
• In global mode, ports in the same voice VLAN share one ACL resource. The global mode
sharply saves ACL resources.
• In port mode, each port uses its dedicated ACL resource.
Restrictions and guidelines
For the new ACL resource occupation mode of voice VLAN to take effect, you must save the
configuration and reboot the device. As a best practice to ensure normal voice VLAN functionality, do
not configure voice VLAN-relation settings before rebooting the device.
When the ACL resource occupation mode of voice VLAN is global mode, the device does not support
setting the QoS priority values for voice packets.
Procedure
1. Enter system view.
system-view
2. Configure the ACL resource occupation mode of voice VLAN.
voice-vlan acl-resource-mode { global | port }
The default varies by device model.

260
Configuring voice VLAN assignment modes for a
port
Configuring a port to operate in automatic voice VLAN
assignment mode
Restrictions and guidelines
• Do not configure a VLAN as both a voice VLAN and a protocol-based VLAN.
 A voice VLAN in automatic mode on a hybrid port processes only tagged incoming voice
traffic.
 A protocol-based VLAN on a hybrid port processes only untagged incoming packets. For
more information about protocol-based VLANs, see "Configuring protocol-based VLANs."
• As a best practice, do not use this mode with MSTP. In MSTP mode, if a port is blocked in the
MSTI of the target voice VLAN, the port drops the received packets instead of delivering them to
the CPU. As a result, the port will not be dynamically assigned to the voice VLAN.
• As a best practice, do not use this mode with PVST. In PVST mode, if the target voice VLAN is
not permitted on a port, the port is placed in blocked state. The port drops the received packets
instead of delivering them to the CPU. As a result, the port will not be dynamically assigned to
the voice VLAN.
• As a best practice, do not configure both dynamic MAC-based VLAN assignment and automatic
voice VLAN assignment mode on a port. They can have a negative impact on each other.
Procedure
1. Enter system view.
system-view
2. (Optional.) Set the voice VLAN aging timer.
voice-vlan aging minutes
By default, the aging timer of a voice VLAN is 1440 minutes.
The voice VLAN aging timer takes effect only on ports in automatic voice VLAN assignment
mode.
3. (Optional.) Enable the voice VLAN security mode.
voice-vlan security enable
By default, the voice VLAN security mode is enabled.
4. (Optional.) Add an OUI address for voice packet identification.
voice-vlan mac-address oui mask oui-mask [ description text ]
By default, system default OUI addresses exist. For more information, see Table 22.
5. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
6. Configure the link type of the port.
 port link-type trunk
 port link-type hybrid
7. Configure the port to operate in automatic voice VLAN assignment mode.
voice-vlan mode auto
By default, the automatic voice VLAN assignment mode is enabled.
8. Enable the voice VLAN feature on the port.

261
 voice-vlan vlan-id enable
By default, the voice VLAN feature is disabled.
Before you execute this command, make sure the specified VLAN already exists.

Configuring a port to operate in manual voice VLAN

assignment mode
Restrictions and guidelines
• You can configure different voice VLANs for different ports on the same device. Make sure the
following requirements are met:
 One port can be configured with only one voice VLAN.
 Voice VLANs must be existing static VLANs.
• Do not enable voice VLAN on the member ports of a link aggregation group. For more
information about link aggregation, see "Configuring Ethernet link aggregation."
• To make a voice VLAN take effect on a port operating in manual mode, you must manually
assign the port to the voice VLAN.
Procedure
1. Enter system view.
system-view
2. (Optional.) Enable the voice VLAN security mode.
voice-vlan security enable
By default, the voice VLAN security mode is enabled.
3. (Optional.) Add an OUI address for voice packet identification.
voice-vlan mac-address oui mask oui-mask [ description text ]
By default, system default OUI addresses exist. For more information, see Table 22.
4. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
5. Configure the port to operate in manual voice VLAN assignment mode.
undo voice-vlan mode auto
By default, a port operates in automatic voice VLAN assignment mode.
6. Assign the access, trunk, or hybrid port to the voice VLAN.
 For the access port, see "Assigning an access port to a VLAN."
 For the trunk port, see "Assigning a trunk port to a VLAN."
 For the hybrid port, see "Assigning a hybrid port to a VLAN."
After you assign an access port to the voice VLAN, the voice VLAN becomes the PVID of the
port.
7. (Optional.) Configure the voice VLAN as the PVID of the trunk or hybrid port.
 For the trunk port, see "Assigning a trunk port to a VLAN."
 For the hybrid port, see "Assigning a hybrid port to a VLAN."
This step is required for untagged incoming voice traffic and prohibited for tagged incoming
voice traffic.
8. Enable the voice VLAN feature on the port.
voice-vlan vlan-id enable

262
 By default, the voice VLAN feature is disabled.
Before you execute this command, make sure the specified VLAN already exists.

Enabling LLDP for automatic IP phone discovery

Restrictions and guidelines
• Before you enable this feature, enable LLDP both globally and on access ports.
• Use this feature only with the automatic voice VLAN assignment mode.
• Do not use this feature together with CDP compatibility.
• After you enable this feature on the device, each port of the device can be connected to a
maximum of five IP phones.
Procedure
1. Enter system view.
system-view
2. Enable LLDP for automatic IP phone discovery.
voice-vlan track lldp
By default, this feature is disabled.

Configuring LLDP or CDP to advertise a voice

VLAN
Configuring LLDP to advertise a voice VLAN
About this task
For IP phones that support LLDP, the device advertises the voice VLAN information to the IP phones
through the LLDP-MED TLVs.
Prerequisites
Before you configure this feature, enable LLDP both globally and on access ports.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Configure an advertised voice VLAN ID.
lldp tlv-enable med-tlv network-policy vlan-id
By default, no advertised voice VLAN ID is configured.
For more information about the command, see Layer 2—LAN Switching Command Reference.
4. (Optional.) Display the voice VLAN advertised by LLDP.
display lldp local-information
For more information about the command, see Layer 2—LAN Switching Command Reference.

263
Configuring CDP to advertise a voice VLAN
About this task
If an IP phone supports CDP but does not support LLDP, it will send out CDP packets to the device to
request the voice VLAN ID. If the IP phone does not receive the voice VLAN ID within a time period,
it will send out untagged packets. The device cannot differentiate untagged voice packets from other
types of packets.
You can configure CDP compatibility on the device to enable it to perform the following operations:
• Receive and identify CDP packets from the IP phone.
• Send CDP packets to the IP phone. The voice VLAN information is carried in the CDP packets.
After receiving the advertised VLAN information, the IP phone performs automatic voice VLAN
configuration. Packets from the IP phone will be transmitted in the dedicated voice VLAN.
LLDP packets sent from the device carry the priority information. CDP packets sent from the device
do not carry the priority information.
Prerequisites
Before you configure this feature, enable LLDP globally and on access ports.
Procedure
1. Enter system view.
system-view
2. Enable CDP compatibility.
lldp compliance cdp
By default, CDP compatibility is disabled.
3. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
4. Configure CDP-compatible LLDP to operate in TxRx mode.
lldp compliance admin-status cdp txrx
By default, CDP-compatible LLDP operates in Disable mode.
5. Configure an advertised voice VLAN ID.
cdp voice-vlan vlan-id
By default, no advertised voice VLAN ID is configured.
For more information about the command, see Layer 2—LAN Switching Command Reference.

Display and maintenance commands for voice

VLANs
Execute display commands in any view.

Task Command
Display OUI addresses on a device. display voice-vlan mac-address
Display the voice VLAN state. display voice-vlan state

264
Voice VLAN configuration examples
Example: Configuring automatic voice VLAN assignment
mode
Network configuration
As shown in Figure 81, Device A transmits traffic from IP phones and hosts.
For correct voice traffic transmission, perform the following tasks on Device A:
• Configure voice VLANs 2 and 3 to transmit voice packets from IP phone A and IP phone B,
respectively.
• Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to operate in automatic voice VLAN
assignment mode.
• Add MAC addresses of IP phones A and B to the device for voice packet identification. The
mask of the two MAC addresses is FFFF-FF00-0000.
• Set an aging timer for voice VLANs.
Figure 81 Network diagram
Device A Device B
Internet
GE1/0/1
GE1/0/2

VLAN 2 VLAN 3
IP phone A IP phone B
010-1001 010-1002
MAC: 0011-1100-0001 MAC: 0011-2200-0001
Mask: ffff-ff00-0000 Mask: ffff-ff00-0000 0755-2002

PC A PC B
MAC: 0022-1100-0002 MAC: 0022-2200-0002

Procedure
1. Configure voice VLANs:
# Create VLANs 2 and 3.
<DeviceA> system-view
[DeviceA] vlan 2 to 3
# Set the voice VLAN aging timer to 30 minutes.
[DeviceA] voice-vlan aging 30
# Enable security mode for voice VLANs.
[DeviceA] voice-vlan security enable
# Add MAC addresses of IP phones A and B to the device with mask FFFF-FF00-0000.
[DeviceA] voice-vlan mac-address 0011-1100-0001 mask ffff-ff00-0000 description IP
phone A
[DeviceA] voice-vlan mac-address 0011-2200-0001 mask ffff-ff00-0000 description IP
phone B
2. Configure GigabitEthernet 1/0/1:

265
 # Configure GigabitEthernet 1/0/1 as a hybrid port.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-type hybrid
# Configure GigabitEthernet 1/0/1 to operate in automatic voice VLAN assignment mode.
[DeviceA-GigabitEthernet1/0/1] voice-vlan mode auto
# Enable voice VLAN on GigabitEthernet 1/0/1 and configure VLAN 2 as the voice VLAN for it.
[DeviceA-GigabitEthernet1/0/1] voice-vlan 2 enable
[DeviceA-GigabitEthernet1/0/1] quit
3. Configure GigabitEthernet 1/0/2:
# Configure GigabitEthernet 1/0/2 as a hybrid port.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-type hybrid
# Configure GigabitEthernet 1/0/2 to operate in automatic voice VLAN assignment mode.
[DeviceA-GigabitEthernet1/0/2] voice-vlan mode auto
# Enable voice VLAN on GigabitEthernet 1/0/2 and configure VLAN 3 as the voice VLAN for it.
[DeviceA-GigabitEthernet1/0/2] voice-vlan 3 enable
[DeviceA-GigabitEthernet1/0/2] quit

Verifying the configuration

# Display the OUI addresses supported on Device A.
[DeviceA] display voice-vlan mac-address
OUI Address Mask Description
0001-e300-0000 ffff-ff00-0000 Siemens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
000f-e200-0000 ffff-ff00-0000 H3C Aolynk phone
0011-1100-0000 ffff-ff00-0000 IP phone A
0011-2200-0000 ffff-ff00-0000 IP phone B
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3Com phone

# Display the voice VLAN state.

[DeviceA] display voice-vlan state
Current voice VLANs: 2
Voice VLAN security mode: Security
Voice VLAN aging time: 30 minutes
Voice VLAN enabled ports and their modes:
Port VLAN Mode CoS DSCP
GE1/0/1 2 Auto 6 46
GE1/0/2 3 Auto 6 46

Example: Configuring manual voice VLAN assignment mode

Network configuration
As shown in Figure 82, IP phone A send untagged voice traffic.
To enable GigabitEthernet 1/0/1 to transmit only voice packets, perform the following tasks on
Device A:

266
 • Create VLAN 2. This VLAN will be used as a voice VLAN.
• Configure GigabitEthernet 1/0/1 to operate in manual voice VLAN assignment mode and add it
to VLAN 2.
• Add the OUI address of IP phone A to the OUI list of Device A.
Figure 82 Network diagram
Device A Device B

Internet
GE1/0/1
VLAN 2

IP phone A IP phone B
010-1001 0755-2002
MAC: 0011-2200-0001
Mask: ffff-ff00-0000

Procedure
# Enable security mode for voice VLANs.
<DeviceA> system-view
[DeviceA] voice-vlan security enable

# Add MAC address 0011-2200-0001 with mask FFFF-FF00-0000.

[DeviceA] voice-vlan mac-address 0011-2200-0001 mask ffff-ff00-0000 description test

# Create VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit

# Configure GigabitEthernet 1/0/1 to operate in manual voice VLAN assignment mode.

[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] undo voice-vlan mode auto

# Configure GigabitEthernet 1/0/1 as a hybrid port.

[DeviceA-GigabitEthernet1/0/1] port link-type hybrid

# Set the PVID of GigabitEthernet 1/0/1 to VLAN 2.

[DeviceA-GigabitEthernet1/0/1] port hybrid pvid vlan 2

# Assign GigabitEthernet 1/0/1 to VLAN 2 as an untagged VLAN member.

[DeviceA-GigabitEthernet1/0/1] port hybrid vlan 2 untagged

# Enable voice VLAN and configure VLAN 2 as the voice VLAN on GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] voice-vlan 2 enable
[DeviceA-GigabitEthernet1/0/1] quit

Verifying the configuration

# Display the OUI addresses supported on Device A.
[DeviceA] display voice-vlan mac-address
OUI Address Mask Description
0001-e300-0000 ffff-ff00-0000 Siemens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
000f-e200-0000 ffff-ff00-0000 H3C Aolynk phone

267
0011-2200-0000 ffff-ff00-0000 test
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3Com phone

# Display the voice VLAN state.

[DeviceA] display voice-vlan state
Current voice VLANs: 1
Voice VLAN security mode: Security
Voice VLAN aging time: 1440 minutes
Voice VLAN enabled ports and their modes:
Port VLAN Mode CoS DSCP
GE1/0/1 2 Manual 6 46

268
Configuring MVRP
About MVRP
Multiple Registration Protocol (MRP) is an attribute registration protocol used to transmit attribute
values. Multiple VLAN Registration Protocol (MVRP) is a typical MRP application. It synchronizes
VLAN information among devices and greatly reduces the workload of network administrators.

MRP implementation
An MRP-enabled port is called an MRP participant. An MVRP-enabled port is called an MVRP
participant.
As shown in Figure 83, an MRP participant sends declarations and withdrawals to notify other
participants to register and deregister its attribute values. It also registers and deregisters the
attribute values of other participants according to the received declarations and withdrawals. MRP
rapidly propagates the configuration information of an MRP participant throughout the LAN.
Figure 83 MRP implementation
Register

Device A Device B

Declaration
Deregister
Withdrawal

For example, MRP registers and deregisters VLAN attributes as follows:

• When a port receives a declaration for a VLAN, the port registers the VLAN and joins the VLAN.
• When a port receives a withdrawal for a VLAN, the port deregisters the VLAN and leaves the
VLAN.
MRP allows devices in the same LAN to transmit attribute values on a per MSTI basis. Figure 83
shows a simple MRP implementation on an MSTI. In a network with multiple MSTIs, MRP performs
attribute registration and deregistration on a per MSTI basis. For more information about MSTIs, see
"Configuring spanning tree protocols."

MRP messages
MRP messages include the following types:
• Declaration—Includes Join and New messages.
• Withdrawal—Includes Leave and LeaveAll messages.
Join message
An MRP participant sends a Join message to request the peer participant to register attributes in the
Join message.
When receiving a Join message from the peer participant, an MRP participant performs the following
tasks:
• Registers the attributes in the Join message.

269
 • Propagates the Join message to all other participants on the device.
After receiving the Join message, other participants send the Join message to their respective peer
participants.
Join messages sent from a local participant to its peer participant include the following types:
• JoinEmpty—Declares an unregistered attribute. For example, when an MRP participant joins
an unregistered static VLAN, it sends a JoinEmpty message.
VLANs created manually and locally are called static VLANs. VLANs learned through MRP are
called dynamic VLANs.
• JoinIn—Declares a registered attribute. A JoinIn message is used in one of the following
situations:
 An MRP participant joins an existing static VLAN and sends a JoinIn message after
registering the VLAN.
 The MRP participant receives a Join message propagated by another participant on the
device and sends a JoinIn message after registering the VLAN.
New message
Similar to a Join message, a New message enables MRP participants to register attributes.
When the MSTP topology changes, an MRP participant sends a New message to the peer
participant to declare the topology change.
Upon receiving a New message from the peer participant, an MRP participant performs the following
tasks:
• Registers the attributes in the message.
• Propagates the New message to all other participants on the device.
After receiving the New message, other participants send the New message to their respective peer
participants.
Leave message
An MRP participant sends a Leave message to the peer participant when it wants the peer
participant to deregister attributes that it has deregistered.
When the peer participant receives the Leave message, it performs the following tasks:
• Deregisters the attribute in the Leave message.
• Propagates the Leave message to all other participants on the device.
After a participant on the device receives the Leave message, it determines whether to send the
Leave message to its peer participant depending on the attribute status on the device.
• If the VLAN in the Leave message is a dynamic VLAN not registered by any participants on the
device, both of the following events occur:
 The VLAN is deleted on the device.
 The participant sends the Leave message to its peer participant.
• If the VLAN in the Leave message is a static VLAN, the participant will not send the Leave
message to its peer participant.
LeaveAll message
Each MRP participant starts its LeaveAll timer when starting up. When the timer expires, the MRP
participant sends LeaveAll messages to the peer participant.
Upon sending or receiving a LeaveAll message, the local participant starts the Leave timer. The local
participant determines whether to send a Join message depending on its attribute status. A
participant can re-register the attributes in the received Join message before the Leave timer
expires.

270
 When the Leave timer expires, a participant deregisters all attributes that have not been
re-registered to periodically clear useless attributes in the network.

MRP timers
MRP uses the following timers to control message transmission.
Periodic timer
The Periodic timer controls the transmission of MRP messages. An MRP participant starts its own
Periodic timer upon startup, and stores MRP messages to be sent before the Periodic timer expires.
When the Periodic timer expires, MRP sends stored MRP messages in as few MRP frames as
possible and restarts the Periodic timer. This mechanism reduces the number of MRP frames sent.
You can enable or disable the Periodic timer. When the Periodic timer is disabled, MRP does not
periodically send MRP messages. Instead, an MRP participant sends MRP messages when the
LeaveAll timer expires or the participant receives a LeaveAll message from the peer participant.
Join timer
The Join timer controls the transmission of Join messages. An MRP participant starts the Join timer
after sending a Join message to the peer participant. Before the Join timer expires, the participant
does not resend the Join message when the following conditions exist:
• The participant receives a JoinIn message from the peer participant.
• The received JoinIn message has the same attributes as the sent Join message.
When both the Join timer and the Periodic timer expire, the participant resends the Join message.
Leave timer
The Leave timer controls the deregistration of attributes.
An MRP participant starts the Leave timer in one of the following conditions:
• The participant receives a Leave message from its peer participant.
• The participant receives or sends a LeaveAll message.
The MRP participant does not deregister the attributes in the Leave or LeaveAll message if the
following conditions exist:
• The participant receives a Join message before the Leave timer expires.
• The Join message includes the attributes that have been encapsulated in the Leave or LeaveAll
message.
If the participant does not receive a Join message for these attributes before the Leave timer expires,
MRP deregisters the attributes.
LeaveAll timer
After startup, an MRP participant starts its own LeaveAll timer. When the LeaveAll timer expires, the
MRP participant sends out a LeaveAll message and restarts the LeaveAll timer.
Upon receiving the LeaveAll message, other participants restart their LeaveAll timer. The value of
the LeaveAll timer is randomly selected between the LeaveAll timer and 1.5 times the LeaveAll timer.
This mechanism provides the following benefits:
• Effectively reduces the number of LeaveAll messages in the network.
• Prevents the LeaveAll timer of a particular participant from always expiring first.

MVRP registration modes

VLAN information propagated by MVRP includes dynamic VLAN information from other devices and
local static VLAN information.

271
 Based on how an MVRP participant handles registration of dynamic VLANs, MVRP has the following
registration modes:
• Normal—An MVRP participant in normal registration mode registers and deregisters dynamic
VLANs.
• Fixed—An MVRP participant in fixed registration mode disables deregistering dynamic VLANs
and drops received MVRP frames. The MVRP participant does not deregister dynamic VLANs
or register new dynamic VLANs.
• Forbidden—An MVRP participant in forbidden registration mode disables registering dynamic
VLANs and drops received MVRP frames. When you set the forbidden registration mode for a
port, VLAN 1 of the port retains and all dynamically registered VLANs of the port will be deleted.

Protocols and standards

IEEE 802.1ak, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area
Networks – Amendment 07: Multiple Registration Protocol

Restrictions and guidelines: MVRP configuration

When you configure MVRP, follow these restrictions and guidelines:
• MVRP can work with STP, RSTP, or MSTP. Ports blocked by STP, RSTP, or MSTP can receive
and send MVRP frames. Do not configure MVRP with other link layer topology protocols, such
as PVST, RRPP, and Smart Link.
For more information about STP, RSTP, MSTP, and PVST, see "Configuring spanning tree
protocols." For more information about RRPP and Smart Link, see High Availability
Configuration Guide.
• Do not configure both MVRP and remote port mirroring on a port. Otherwise, MVRP might
register the remote probe VLAN with incorrect ports, which would cause the monitor port to
receive undesired copies. For more information about port mirroring, see Network Management
and Monitoring Configuration Guide.
• Enabling MVRP on a Layer 2 aggregate interface takes effect on the aggregate interface and all
Selected member ports in the link aggregation group.
• MVRP configuration made on an aggregation group member port takes effect only after the port
is removed from the aggregation group.

MVRP tasks at a glance

To configure MVRP, perform the following tasks:
1. Enabling MVRP
2. Setting an MVRP registration mode
3. (Optional.) Setting MRP timers
4. (Optional.) Enabling GVRP compatibility

Prerequisites
Before you configure MVRP, complete the following tasks:
• Map each MSTI used by MVRP to an existing VLAN on each device in the network.
• Set the port link type of MVRP participants to trunk because MVRP takes effect only on trunk
ports. For more information about trunk ports, see "Configuring VLANs."

272
Enabling MVRP
1. Enter system view.
system-view
2. Enable MVRP globally.
mvrp global enable
By default, MVRP is globally disabled.
For MVRP to take effect on a port, enable MVRP both on the port and globally.
3. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
interface interface-type interface-number
4. Configure the port as a trunk port.
port link-type trunk
By default, each port is an access port. For more information about the port link-type
trunk command, see Layer 2—LAN Switching Command Reference.
5. Configure the trunk port to permit the specified VLANs.
port trunk permit vlan { vlan-id-list | all }
By default, a trunk port permits only VLAN 1.
Make sure the trunk port permits all registered VLANs.
For more information about the port trunk permit vlan command, see Layer 2—LAN
Switching Command Reference.
6. Enable MVRP on the port.
mvrp enable
By default, MVRP is disabled on a port.

Setting an MVRP registration mode

1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
interface interface-type interface-number
3. Set an MVRP registration mode for the port.
mvrp registration { fixed | forbidden | normal }
The default setting is normal registration mode.

Setting MRP timers

Restrictions and guidelines
When you set MVRP timers, follow these restrictions and guidelines:
• Follow the value range requirements for Join, Leave, and LeaveAll timers and their
dependencies as described in Table 25. If you set a timer to a value beyond the allowed value
range, your configuration fails. You can set a timer by tuning the value of any other timer. The
value of each timer must be an integer multiple of 20 centiseconds.

273
 Table 25 Dependencies of the Join, Leave, and LeaveAll timers

Timer Lower limit Upper limit

Join 20 centiseconds Half the Leave timer

Leave Twice the Join timer LeaveAll timer

LeaveAll Leave timer on each port 32760 centiseconds

• To avoid frequent VLAN registrations and deregistrations, use the same MRP timers throughout
the network.
• Each port maintains its own Periodic, Join, and LeaveAll timers, and each attribute of a port
maintains a Leave timer.
• As a best practice, restore the timers in the order of Join, Leave, and LeaveAll when you restore
these timers to their default values.
• You can restore the Periodic timer to its default value at any time.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
interface interface-type interface-number
3. Set the LeaveAll timer.
mrp timer leaveall timer-value
The default setting is 1000 centiseconds.
4. Set the Join timer.
mrp timer join timer-value
The default setting is 20 centiseconds.
5. Set the Leave timer.
mrp timer leave timer-value
The default setting is 60 centiseconds.
6. Set the Periodic timer.
mrp timer periodic timer-value
The default setting is 100 centiseconds.

Enabling GVRP compatibility

About this task
Perform this task to enable the device to receive and send both MVRP and GVRP frames when the
peer device supports GVRP. For more information about GVRP, see the IEEE 802.1Q standard.
Restrictions and guidelines
When you enable GVRP compatibility, follow these restrictions and guidelines:
• GVRP compatibility enables MVRP to work with STP or RSTP, but not MSTP.
• When the system is busy, disable the Period timer to prevent the participant from frequently
registering or deregistering attributes.
Procedure
1. Enter system view.

274
 system-view
2. Enable GVRP compatibility.
mvrp gvrp-compliance enable
By default, GVRP compatibility is disabled.

Display and maintenance commands for MVRP

Execute display commands in any view and reset commands in user view.

Task Command
display mvrp running-status [ interface
Display MVRP running status.
interface-list ]
Display the MVRP state of a port in a display mvrp state interface interface-type
VLAN. interface-number vlan vlan-id
display mvrp statistics [ interface
Display MVRP statistics.
interface-list ]
reset mvrp statistics [ interface
Clear MVRP statistics.
interface-list ]

MVRP configuration examples

Example: Configuring basic MVRP functions
Network configuration
As shown in Figure 84:
• Create VLAN 10 on Device A and VLAN 20 on Device B.
• Configure MSTP, map VLAN 10 to MSTI 1, map VLAN 20 to MSTI 2, and map the other VLANs
to MSTI 0.
Configure MVRP on Device A, Device B, Device C, and Device D to meet the following
requirements:
• The devices can register and deregister dynamic VLANs.
• The devices can keep identical VLAN configurations for each MSTI.

275
 Figure 84 Network diagram
Device A Device B
Permit: all VLANs
GE1/0/3 GE1/0/3
GE

GE
/2

/
1/0 1/0 VLAN 20

1/0
VLAN 10

1/0
/2 GE

GE

1 /
Permit: all VLANs Permit: VLANs 20, 40
Ns Pe
rm
V LA it:
all VL

GE
t: AN
1
mi
/
1/0 r 40

1/0
Pe GE
0/2 1/0
GE

/
/

1
1 /2
GE

VLAN 10 à MSTI 1
VLAN 20 à MSTI 2
Other VLANs à MSTI 0
Device C Device D

A B A B A B

C D C C D
MSTI 0 MSTI 1 MSTI 2

Link not blocked by Link blocked by

Root bridge spanning tree spanning tree

Blocked port Root port Designated port

Topology of each MSTI

Procedure
1. Configure Device A:
# Enter MST region view.
<DeviceA> system-view
[DeviceA] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceA-mst-region] region-name example
[DeviceA-mst-region] instance 1 vlan 10
[DeviceA-mst-region] instance 2 vlan 20
[DeviceA-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceA-mst-region] active region-configuration
[DeviceA-mst-region] quit
# Configure Device A as the primary root bridge of MSTI 1.
[DeviceA] stp instance 1 root primary
# Globally enable the spanning tree feature.
[DeviceA] stp global enable
# Globally enable MVRP.
[DeviceA] mvrp global enable

276
 # Configure GigabitEthernet 1/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-type trunk
[DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] mvrp enable
[DeviceA-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and configure it to permit VLAN 40.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 40
# Enable MVRP on GigabitEthernet 1/0/2.
[DeviceA-GigabitEthernet1/0/2] mvrp enable
[DeviceA-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-type trunk
[DeviceA-GigabitEthernet1/0/3] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 1/0/3.
[DeviceA-GigabitEthernet1/0/3] mvrp enable
[DeviceA-GigabitEthernet1/0/3] quit
# Create VLAN 10.
[DeviceA] vlan 10
[DeviceA-vlan10] quit
2. Configure Device B:
# Enter MST region view.
<DeviceB> system-view
[DeviceB] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceB-mst-region] region-name example
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 2 vlan 20
[DeviceB-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# Configure Device B as the primary root bridge of MSTI 2.
[DeviceB] stp instance 2 root primary
# Globally enable the spanning tree feature.
[DeviceB] stp global enable
# Globally enable MVRP.
[DeviceB] mvrp global enable
# Configure GigabitEthernet 1/0/1 as a trunk port, and configure it to permit VLANs 20 and 40.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 20 40
# Enable MVRP on GigabitEthernet 1/0/1.

277
 [DeviceB-GigabitEthernet1/0/1] mvrp enable
[DeviceB-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-GigabitEthernet1/0/2] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 1/0/2.
[DeviceB-GigabitEthernet1/0/2] mvrp enable
[DeviceB-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port link-type trunk
[DeviceB-GigabitEthernet1/0/3] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 1/0/3.
[DeviceB-GigabitEthernet1/0/3] mvrp enable
[DeviceB-GigabitEthernet1/0/3] quit
# Create VLAN 20.
[DeviceB] vlan 20
[DeviceB-vlan20] quit
3. Configure Device C:
# Enter MST region view.
<DeviceC> system-view
[DeviceC] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceC-mst-region] region-name example
[DeviceC-mst-region] instance 1 vlan 10
[DeviceC-mst-region] instance 2 vlan 20
[DeviceC-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceC-mst-region] active region-configuration
[DeviceC-mst-region] quit
# Configure Device C as the root bridge of MSTI 0.
[DeviceC] stp instance 0 root primary
# Globally enable the spanning tree feature.
[DeviceC] stp global enable
# Globally enable MVRP.
[DeviceC] mvrp global enable
# Configure GigabitEthernet 1/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-GigabitEthernet1/0/1] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 1/0/1.
[DeviceC-GigabitEthernet1/0/1] mvrp enable
[DeviceC-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and configure it to permit all VLANs.
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] port link-type trunk

278
 [DeviceC-GigabitEthernet1/0/2] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 1/0/2.
[DeviceC-GigabitEthernet1/0/2] mvrp enable
[DeviceC-GigabitEthernet1/0/2] quit
4. Configure Device D:
# Enter MST region view.
<DeviceD> system-view
[DeviceD] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceD-mst-region] region-name example
[DeviceD-mst-region] instance 1 vlan 10
[DeviceD-mst-region] instance 2 vlan 20
[DeviceD-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# Globally enable the spanning tree feature.
[DeviceD] stp global enable
# Globally enable MVRP.
[DeviceD] mvrp global enable
# Configure GigabitEthernet 1/0/1 as a trunk port, and configure it to permit VLANs 20 and 40.
[DeviceD] interface gigabitethernet 1/0/1
[DeviceD-GigabitEthernet1/0/1] port link-type trunk
[DeviceD-GigabitEthernet1/0/1] port trunk permit vlan 20 40
# Enable MVRP on GigabitEthernet 1/0/1.
[DeviceD-GigabitEthernet1/0/1] mvrp enable
[DeviceD-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and configure it to permit VLAN 40.
[DeviceD] interface gigabitethernet 1/0/2
[DeviceD-GigabitEthernet1/0/2] port link-type trunk
[DeviceD-GigabitEthernet1/0/2] port trunk permit vlan 40
# Enable MVRP on GigabitEthernet 1/0/2.
[DeviceD-GigabitEthernet1/0/2] mvrp enable
[DeviceD-GigabitEthernet1/0/2] quit

Verifying the configuration

1. Verify the normal registration mode configuration.
# Display local VLAN information on Device A.
[DeviceA] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)

279
 Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default)
Declared VLANs :
1(default), 10, 20
Propagated VLANs :
1(default)

----[GigabitEthernet1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
None
Declared VLANs :
1(default)
Propagated VLANs :
None

----[GigabitEthernet1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
20
Declared VLANs :
1(default), 10
Propagated VLANs :
20
The output shows that the following events have occurred:
 GigabitEthernet 1/0/1 has registered VLAN 1, declared VLAN 1, VLAN 10, and VLAN 20,
and propagated VLAN 1 through MVRP.
 GigabitEthernet 1/0/2 has declared VLAN 1, and registered and propagated no VLANs.
 GigabitEthernet 1/0/3 has registered VLAN 20, declared VLAN 1 and VLAN 10, and
propagated VLAN 20 through MVRP.
# Display local VLAN information on Device B.
[DeviceB] display mvrp running-status
-------[MVRP Global Info]-------

280
 Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default)
Declared VLANs :
1(default), 20
Propagated VLANs :
1(default)

----[GigabitEthernet1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 10
Declared VLANs :
1(default), 20
Propagated VLANs :
1(default)

----[GigabitEthernet1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 10
Declared VLANs :
20
Propagated VLANs :
10
The output shows that the following events have occurred:

281
 GigabitEthernet 1/0/1 has registered VLAN 1, declared VLAN 1 and VLAN 20, and
propagated VLAN 1 through MVRP.
 GigabitEthernet 1/0/2 has registered VLAN 1 and VLAN 10, declared VLAN 1 and VLAN 20,
and propagated VLAN 1.
 GigabitEthernet 1/0/3 has registered VLAN 1 and VLAN 10, declared VLAN 20, and
propagated VLAN 10 through MVRP.
# Display local VLAN information on Device C.
[DeviceC] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 10, 20
Declared VLANs :
1(default)
Propagated VLANs :
1(default), 10

----[GigabitEthernet1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 20
Declared VLANs :
1(default), 10
Propagated VLANs :
1(default), 20
The output shows that the following events have occurred:
 GigabitEthernet 1/0/1 has registered VLAN 1, VLAN 10, and VLAN 20, declared VLAN 1,
and propagated VLAN 1 and VLAN 10 through MVRP.
 GigabitEthernet 1/0/2 has registered VLAN 1 and VLAN 20, declared VLAN 1 and VLAN 10,
and propagated VLAN 1 and VLAN 20 through MVRP.
# Display local VLAN information on Device D.
[DeviceD] display mvrp running-status
-------[MVRP Global Info]-------

282
 Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 20
Declared VLANs :
1(default)
Propagated VLANs :
1(default), 20

----[GigabitEthernet1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default)
Declared VLANs :
None
Propagated VLANs :
None
The output shows that the following events have occurred:
 GigabitEthernet 1/0/1 has registered and propagated VLAN 10 and VLAN 20, and declared
VLAN 1 through MVRP.
 GigabitEthernet 1/0/2 has registered VLAN 1, and declared and propagated no VLANs
through MVRP.
2. Verify the configuration after changing the registration mode.
When the network is stable, set the MVRP registration mode to fixed on the port of Device B
connected to Device A. Then, verify that dynamic VLANs on the port will not be deregistered.
# Set the MVRP registration mode to fixed on GigabitEthernet 1/0/3 of Device B.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] mvrp registration fixed
[DeviceB-GigabitEthernet1/0/3] quit
# Display local MVRP VLAN information on GigabitEthernet 1/0/3.
[DeviceB] display mvrp running-status interface gigabitethernet 1/0/3
-------[MVRP Global Info]-------
Global Status : Enabled

283
 Compliance-GVRP : False

----[GigabitEthernet1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Fixed
Registered VLANs :
1(default), 10
Declared VLANs :
20
Propagated VLANs :
10
The output shows that VLAN information on GigabitEthernet 1/0/3 is not changed after you set
its MVRP registration mode to fixed.
# Delete VLAN 10 on Device A.
[DeviceA] undo vlan 10
# Display local MVRP VLAN information on GigabitEthernet 1/0/3 of Device B.
[DeviceB] display mvrp running-status interface gigabitethernet 1/0/3
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Fixed
Registered VLANs :
1(default), 10
Declared VLANs :
20
Propagated VLANs :
10
The output shows that dynamic VLAN information on GigabitEthernet 1/0/3 is not changed after
you set its MVRP registration mode to fixed.

284
Configuring QinQ
This document uses the following terms:
• CVLAN—Customer network VLANs, also called inner VLANs, refer to VLANs that a customer
uses on the private network.
• SVLAN—Service provider network VLANs, also called outer VLANs, refer to VLANs that a
service provider uses to transmit VLAN tagged traffic for customers.

About QinQ
802.1Q-in-802.1Q (QinQ) adds an 802.1Q tag to 802.1Q tagged customer traffic. It enables a
service provider to extend Layer 2 connections across an Ethernet network between customer sites.

QinQ benefits
QinQ provides the following benefits:
• Enables a service provider to use a single SVLAN to convey multiple CVLANs for a customer.
• Enables customers to plan CVLANs without conflicting with SVLANs.
• Enables customers to keep their VLAN assignment schemes unchanged when the service
provider changes its VLAN assignment scheme.
• Allows different customers to use overlapping CVLAN IDs. Devices in the service provider
network make forwarding decisions based on SVLAN IDs instead of CVLAN IDs.

How QinQ works

As shown in Figure 85, a QinQ frame transmitted over the service provider network carries the
following tags:
• CVLAN tag—Identifies the VLAN to which the frame belongs when it is transmitted in the
customer network.
• SVLAN tag—Identifies the VLAN to which the QinQ frame belongs when it is transmitted in the
service provider network. The service provider allocates the SVLAN tag to the customer.
The devices in the service provider network forward a tagged frame according to its SVLAN tag only.
The CVLAN tag is transmitted as part of the frame's payload.
Figure 85 Single-tagged Ethernet frame header and double-tagged Ethernet frame header
6 bytes 6 bytes 4 bytes 2 bytes 46–1500 bytes 4 bytes
CVLAN
DA SA Etype Data FCS
tag
Single-tagged frame structure

6 bytes 6 bytes 4 bytes 4 bytes 2 bytes 46–1500 bytes 4 bytes

SVLAN CVLAN
DA SA Etype Data FCS
tag tag
Double-tagged frame
structure Outer Inner
VLAN tag VLAN tag

285
 As shown in Figure 86, customer A has remote sites CE 1 and CE 4. Customer B has remote sites
CE 2 and CE 3. The CVLANs of the two customers overlap. The service provider assigns SVLANs 3
and 4 to customers A and B, respectively.
When a tagged Ethernet frame from CE 1 arrives at PE 1, the PE tags the frame with SVLAN 3. The
double-tagged Ethernet frame travels over the service provider network until it arrives at PE 2. PE 2
removes the SVLAN tag of the frame, and then sends the frame to CE 4.
Figure 86 Typical QinQ application scenario
VLANs 1 to 20 VLANs 1 to 10

CE 3 CE 4
Customer Customer
network B network A
CVLAN B Data CVLAN A Data

SVLAN 4 CVLAN B Data SVLAN 3 CVLAN A Data

PE 1 Internet PE 2

SVLAN 3 CVLAN A Data SVLAN 4 CVLAN B Data

Service provider network

CVLAN A Data CVLAN B Data

Customer Customer
network A network B
CE 1 CE 2

VLANs 1 to 10 VLANs 1 to 20

QinQ implementations
QinQ is enabled on a per-port basis. The link type of a QinQ-enabled port can be access, hybrid, or
trunk. The QinQ tagging behaviors are the same across these types of ports.
A QinQ-enabled port tags all incoming frames (tagged or untagged) with the PVID tag.
• If an incoming frame already has one tag, it becomes a double-tagged frame.
• If the frame does not have any 802.1Q tags, it becomes a frame tagged with the PVID.
QinQ provides the most basic VLAN manipulation method to tag all incoming frames (tagged or
untagged) with the PVID tag. To perform advanced VLAN manipulations, use VLAN mappings or
QoS policies as follows:
• To add different SVLANs for different CVLAN tags, use one-to-two VLAN mappings.
• To replace the SVLAN ID, CVLAN ID, or both IDs for an incoming double-tagged frame, use
two-to-two VLAN mappings.
• To use criteria other than the CVLAN ID to match packets for SVLAN tagging, use the QoS nest
action. The QoS nest action can also be used with other actions in the same traffic behavior.
• To set the 802.1p priority in SVLAN tags, use the priority marking action as described in "Setting
the 802.1p priority in SVLAN tags."
For more information about VLAN mappings, see "Configuring VLAN mapping." For more
information about QoS, see ACL and QoS Configuration Guide.

286
Protocols and standards
• IEEE 802.1Q, IEEE Standard for Local and Metropolitan Area Networks-Virtual Bridged Local
Area Networks
• IEEE 802.1ad, IEEE Standard for Local and Metropolitan Area Networks-Virtual Bridged Local
Area Networks-Amendment 4: Provider Bridges

Restrictions and guidelines: QinQ configuration

When you configure QinQ, follow these restrictions and guidelines:
• The inner 802.1Q tag of QinQ frames is treated as part of the payload. As a best practice to
ensure correct transmission of QinQ frames, set the MTU to a minimum of 1504 bytes for each
port on their forwarding path. This value is the sum of the default Ethernet interface MTU (1500
bytes) and the length (4 bytes) of a VLAN tag.
• You can use a VLAN mapping and QinQ on a port for VLAN tag manipulation. If their settings
conflict, the VLAN mapping has higher priority.
• QinQ and two-to-two mappings are mutually exclusive. The device does not support adding an
SVLAN tag on a QinQ-enabled port and then modifying the CVLAN and SVLAN IDs.
• Do not enable QinQ and apply a QoS policy containing a nesting action on the same interface.
Otherwise, QinQ or the QoS policy might not take effect.
• Do not configure QinQ and Ethernet service instance-to-VSI binding on the same Layer 2
Ethernet interface or Layer 2 aggregate interface. Do not configure QinQ on a Layer 2 Ethernet
interface or Layer 2 aggregate interface that acts as the source interface of a VXLAN tunnel. If
you make the previous configurations, the features involved might not take effect. For more
information about VXLAN and VSI, see VXLAN Configuration Guide.

Enabling QinQ
About this task
Enable QinQ on customer-side ports of PEs. A QinQ-enabled port tags an incoming frame with its
PVID.
Restrictions and guidelines
Before you enable or disable QinQ on a port, you must remove any VLAN mappings on the port. For
more information about VLAN mapping, see Layer 2—LAN Switching Configuration Guide.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
interface interface-type interface-number
3. Set the port link type.
port link-type { access | hybrid | trunk }
By default, the link type of a port is access.
4. Configure the port to allow packets from its PVID to pass through.
 Assign the access port to the specified VLAN.
port access vlan vlan-id
By default, all access ports belong to VLAN 1.

287
 The PVID of an access port is the VLAN to which the port belongs. The port sends packets
from the VLAN untagged.
 Configure the hybrid port to send packets from its PVID untagged.
port hybrid vlan vlan-id-list untagged
By default, the hybrid port is an untagged member of the VLAN to which the port belongs
when its link type is access.
 Configure trunk port to allow packets from its PVID to pass through.
port trunk permit vlan { vlan-id-list | all }
By default, a trunk port allows packets only from VLAN 1 to pass through.
5. Enable QinQ on the port.
qinq enable
By default, QinQ is disabled on the port.

Configuring transmission for transparent VLANs

About this task
You can exclude a VLAN (for example, the management VLAN) from the QinQ tagging action on a
customer-side port. This VLAN is called a transparent VLAN.
Restrictions and guidelines
• Do not configure any other VLAN manipulation actions for the transparent VLAN on the port.
• Make sure all ports on the traffic path permit the transparent VLAN to pass through.
• If you use both transparent VLANs and VLAN mappings on an interface, the transparent VLANs
cannot be the following VLANs:
 Original or translated VLANs of one-to-one, one-to-two, and many-to-one VLAN mappings.
 Original or translated outer VLANs of two-to-two VLAN mappings.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
interface interface-type interface-number
3. Set the port link type.
port link-type { hybrid | trunk }
By default, the link type of a port is access.
4. Configure the port to allow packets from the transparent VLANs to pass through.
 Configure the hybrid port to allow packets from the transparent VLANs to pass through.
port hybrid vlan vlan-id-list { tagged | untagged }
By default, a hybrid port is an untagged member of the VLAN to which the port belongs
when its link type is access.
 Configure the trunk port to allow packets from the transparent VLANs to pass through.
port trunk permit vlan { vlan-id-list | all }
By default, a trunk port allows packets only from VLAN 1 to pass through.
5. Specify transparent VLANs for the port.
qinq transparent-vlan vlan-id-list
By default, transparent transmission is not configured for any VLANs.

288
Configuring the TPID for VLAN tags
About TPID
TPID identifies a frame as an 802.1Q tagged frame. The TPID value varies by vendor. On an HPE
device, the TPID in the 802.1Q tag added on a QinQ-enabled port is 0x8100 by default, in
compliance with IEEE 802.1Q. In a multi-vendor network, make sure the TPID setting is the same
between directly connected devices so 802.1Q tagged frames can be identified correctly.
TPID settings include CVLAN TPID and SVLAN TPID.
A QinQ-enabled port uses the CVLAN TPID to match incoming tagged frames. An incoming frame is
handled as untagged if its TPID is different from the CVLAN TPID.
SVLAN TPIDs are configurable on a per-port basis. A service provider-side port uses the SVLAN
TPID to replace the TPID in outgoing frames' SVLAN tags and match incoming tagged frames. An
incoming frame is handled as untagged if the TPID in its outer VLAN tag is different from the SVLAN
TPID.
For example, a PE device is connected to a customer device that uses the TPID 0x8200 and to a
provider device that uses the TPID 0x9100. For correct packet processing, you must set the CVLAN
TPID and SVLAN TPID to 0x8200 and 0x9100 on the PE, respectively.
The TPID field is at the same position as the EtherType field in an untagged Ethernet frame. To
ensure correct packet type identification, do not set the TPID value to any of the values listed in Table
26.
Table 26 Reserved EtherType values

Protocol type Value

ARP 0x0806
PUP 0x0200
RARP 0x8035
IP 0x0800
IPv6 0x86dd
PPPoE 0x8863/0x8864
MPLS 0x8847/0x8848
IPX/SPX 0x8137
IS-IS 0x8000
LACP 0x8809
LLDP 0x88cc
802.1X 0x888e
802.1ag 0x8902
Cluster 0x88a7
Reserved 0xfffd/0xfffe/0xffff

Restrictions and guidelines

The TPID value in CVLAN tags is typically configured on PEs. The TPID value in SVLAN tags is
typically configured on the service provider-side ports of PEs.

289
Configuring the TPID for CVLAN tags
1. Enter system view.
system-view
2. Set the TPID for CVLAN tags.
qinq ethernet-type customer-tag hex-value
By default, the TPID is 0x8100 for CVLAN tags.

Configuring the TPID for SVLAN tags

1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.
interface interface-type interface-number
3. Set the TPID for SVLAN tags.
qinq ethernet-type service-tag hex-value
By default, the TPID is 0x8100 for SVLAN tags.

Setting the 802.1p priority in SVLAN tags

About the 802.1p priority in SVLAN tags
By default, the 802.1p priority in the SVLAN tag added by a QinQ-enabled port depends on the
priority trust mode on the port.
• If the 802.1p priority in frames is trusted, the device copies the 802.1p priority in the CVLAN tag
to the SVLAN tag.
• If port priority is trusted, the port priority (0 by default) is used as the 802.1p priority in the
SVLAN tag.
You can configure a QoS policy to modify the 802.1p priority in SVLAN tags as follows:
• Modify the 802.1p priority in the SVLAN tag based on the 802.1p priority in the CVLAN tag or
the CVLAN ID.
• Copy the 802.1p priority in the CVLAN tag to the SVLAN tag.
For more information about QoS policies and priority trust mode, see ACL and QoS Configuration
Guide.

Prerequisites for setting the 802.1p priority in SVLAN tags

1. Enable QinQ. For more information, see "Enabling QinQ."
To use the CVLAN ID or 802.1p priority of the CVLAN tag to set the 802.1p priority of the
SVLAN tag, you must first enable QinQ on the port.
2. Use the qos trust dot1p command to configure the port to trust the 802.1p priority in
incoming frames. For more information, see ACL and QoS Configuration Guide.
This setting is required if the remark dot1p command is configured. It is optional if the
remark dot1p customer-dot1p-trust command is configured.

290
Tasks at a glance
To use QoS policies to set the 802.1p priority in SVLAN tags, perform the following tasks:
1. Creating a traffic class and configuring CVLAN match criteria
2. Creating a traffic behavior and configuring a priority marking action for SVLAN tags
3. Creating a QoS policy
4. Applying the QoS policy

Creating a traffic class and configuring CVLAN match criteria

1. Enter system view.
system-view
2. Create a traffic class and enter its view.
traffic classifier classifier-name [ operator { and | or } ]
3. Configure CVLAN match criteria.
Choose one option as needed:
 Match CVLAN IDs.
if-match customer-vlan-id vlan-id-list
 Match 802.1p priority.
if-match customer-dot1p dot1p-value&<1-8>

Creating a traffic behavior and configuring a priority marking

action for SVLAN tags
1. Enter system view.
system-view
2. Create a traffic behavior and enter its view.
traffic behavior behavior-name
3. Configure a priority marking action for SVLAN tags.
Choose one option as needed:
 Replace the priority in the SVLAN tags of matching frames with the configured priority.
remark dot1p dot1p-value
 Copy the 802.1p priority in the CVLAN tag to the SVLAN tag.
remark dot1p customer-dot1p-trust

Creating a QoS policy

1. Enter system view.
system-view
2. Create a QoS policy and enter its view.
qos policy policy-name
3. Specify the traffic behavior for the traffic class in the QoS policy.
classifier classifier-name behavior behavior-name

291
Applying the QoS policy
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Apply the QoS policy to the inbound direction of the port.
qos apply policy policy-name inbound

Display and maintenance commands for QinQ

Execute display commands in any view.

Task Command
display qinq [ interface
Display QinQ-enabled ports.
interface-type interface-number ]

QinQ configuration examples

Example: Configuring basic QinQ
Network configuration
As shown in Figure 87:
• The service provider assigns VLAN 100 to Company A's VLANs 10 through 70.
• The service provider assigns VLAN 200 to Company B's VLANs 30 through 90.
• The devices between PE 1 and PE 2 in the service provider network use a TPID value of
0x8200.
Configure QinQ on PE 1 and PE 2 to transmit traffic in VLANs 100 and 200 for Company A and
Company B, respectively.
For the QinQ frames to be identified correctly, set the SVLAN TPID to 0x8200 on the service
provider-side ports of PE 1 and PE 2.

292
 Figure 87 Network diagram
VLANs 30 to 90 VLANs 10 to 70

Site 3 CE3 CE4 Site 2

Company B Company A

GE1/0/3 GE1/0/3

GE1/0/2 GE1/0/2
PE1 VLANs 100 and 200 PE2
TPID = 0x 8200
GE1/0/1 GE1/0/1

Service provider network

Company A Company B
Site 1 CE1 CE2 Site 4

VLANs 10 to 70 VLANs 30 to 90

Procedure
1. Configure PE 1:
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign it to VLAN 100.
<PE1> system-view
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type trunk
[PE1-GigabitEthernet1/0/1] port trunk permit vlan 100
# Set the PVID of GigabitEthernet 1/0/1 to VLAN 100.
[PE1-GigabitEthernet1/0/1] port trunk pvid vlan 100
# Enable QinQ on GigabitEthernet 1/0/1.
[PE1-GigabitEthernet1/0/1] qinq enable
[PE1-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 200.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type trunk
[PE1-GigabitEthernet1/0/2] port trunk permit vlan 100 200
# Set the TPID value in the SVLAN tags to 0x8200 on GigabitEthernet 1/0/2.
[PE1-GigabitEthernet1/0/2] qinq ethernet-type service-tag 8200
[PE1-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 as a trunk port, and assign it to VLAN 200.
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] port link-type trunk
[PE1-GigabitEthernet1/0/3] port trunk permit vlan 200
# Set the PVID of GigabitEthernet 1/0/3 to VLAN 200.
[PE1-GigabitEthernet1/0/3] port trunk pvid vlan 200
# Enable QinQ on GigabitEthernet 1/0/3.
[PE1-GigabitEthernet1/0/3] qinq enable

293
 [PE1-GigabitEthernet1/0/3] quit
2. Configure PE 2:
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign it to VLAN 200.
<PE2> system-view
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port link-type trunk
[PE2-GigabitEthernet1/0/1] port trunk permit vlan 200
# Set the PVID of GigabitEthernet 1/0/1 to VLAN 200.
[PE2-GigabitEthernet1/0/1] port trunk pvid vlan 200
# Enable QinQ on GigabitEthernet 1/0/1.
[PE2-GigabitEthernet1/0/1] qinq enable
[PE2-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 200.
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] port link-type trunk
[PE2-GigabitEthernet1/0/2] port trunk permit vlan 100 200
# Set the TPID value in the SVLAN tags to 0x8200 on GigabitEthernet 1/0/2.
[PE2-GigabitEthernet1/0/2] qinq ethernet-type service-tag 8200
[PE2-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 as a trunk port, and assign it to VLAN 100.
[PE2] interface gigabitethernet 1/0/3
[PE2-GigabitEthernet1/0/3] port link-type trunk
[PE2-GigabitEthernet1/0/3] port trunk permit vlan 100
# Set the PVID of GigabitEthernet 1/0/3 to VLAN 100.
[PE2-GigabitEthernet1/0/3] port trunk pvid vlan 100
# Enable QinQ on GigabitEthernet 1/0/3.
[PE2-GigabitEthernet1/0/3] qinq enable
[PE2-GigabitEthernet1/0/3] quit
3. Configure the devices between PE 1 and PE 2:
# Set the MTU to a minimum of 1504 bytes for each port on the path of QinQ frames. (Details
not shown.)
# Configure all ports on the forwarding path to allow frames from VLANs 100 and 200 to pass
through without removing the VLAN tag. (Details not shown.)

Example: Configuring VLAN transparent transmission

Network configuration
As shown in Figure 88:
• The service provider assigns VLAN 100 to a company's VLANs 10 through 50.
• VLAN 3000 is the dedicated VLAN of the company on the service provider network.
Configure QinQ on PE 1 and PE 2 to provide Layer 2 connectivity for CVLANs 10 through 50 over the
service provider network.
Configure VLAN transparent transmission for VLAN 3000 on PE 1 and PE 2 to enable the hosts in
VLAN 3000 to communicate without using an SVLAN.

294
 Figure 88 Network diagram

PE 1 PE 2
GE1/0/2 GE1/0/2
VLANs 100 and 3000
GE1/0/1 GE1/0/1

Service provider network

Site 1 Site 2
CE 1 CE 2

VLANs 10 to 50, 3000 VLANs 10 to 50, 3000

Procedure
1. Configure PE 1:
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign it to VLAN 100 and VLAN 3000.
<PE1> system-view
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type trunk
[PE1-GigabitEthernet1/0/1] port trunk permit vlan 100 3000
# Set the PVID of GigabitEthernet 1/0/1 to VLAN 100.
[PE1-GigabitEthernet1/0/1] port trunk pvid vlan 100
# Enable QinQ on GigabitEthernet 1/0/1.
[PE1-GigabitEthernet1/0/1] qinq enable
# Enable transparent transmission for VLAN 3000 on GigabitEthernet 1/0/1.
[PE1-GigabitEthernet1/0/1] qinq transparent-vlan 3000
[PE1-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 3000.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type trunk
[PE1-GigabitEthernet1/0/2] port trunk permit vlan 100 3000
[PE1-GigabitEthernet1/0/2] quit
2. Configure PE 2:
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign it to VLAN 100 and VLAN 3000.
<PE2> system-view
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port link-type trunk
[PE2-GigabitEthernet1/0/1] port trunk permit vlan 100 3000
# Set the PVID of GigabitEthernet 1/0/1 to VLAN 100.
[PE1-GigabitEthernet1/0/1] port trunk pvid vlan 100
# Enable QinQ on GigabitEthernet 1/0/1.
[PE2-GigabitEthernet1/0/1] qinq enable
# Enable transparent transmission for VLAN 3000 on GigabitEthernet 1/0/1.
[PE2-GigabitEthernet1/0/1] qinq transparent-vlan 3000
[PE2-GigabitEthernet1/0/1] quit

295
 # Configure GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 3000.
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] port link-type trunk
[PE2-GigabitEthernet1/0/2] port trunk permit vlan 100 3000
3. Configure the devices between PE 1 and PE 2:
# Set the MTU to a minimum of 1504 bytes for each port on the path of QinQ frames. (Details
not shown.)
# Configure all ports on the forwarding path to allow frames from VLANs 100 and 3000 to pass
through without removing the VLAN tag. (Details not shown.)

296
Configuring VLAN mapping
About VLAN mapping
VLAN mapping re-marks VLAN traffic with new VLAN IDs.

VLAN mapping types

Hewlett Packard Enterprise provides the following types of VLAN mapping:
• One-to-one VLAN mapping—Replaces one VLAN tag with another.
• Many-to-one VLAN mapping—Replaces multiple VLAN tags with the same VLAN tag.
• One-to-two VLAN mapping—Tags single-tagged packets with an outer VLAN tag.
• Two-to-two VLAN mapping—Replaces the outer and inner VLAN IDs of double tagged traffic
with a new pair of VLAN IDs.

VLAN mapping application scenarios

One-to-one and many-to-one VLAN mapping
One-to-one and many-to-one VLAN mapping are typically used by a community for broadband
Internet access, as shown in Figure 89.

297
 Figure 89 Application scenario of one-to-one and many-to-one VLAN mapping
DHCP client

VLAN 1
PC

Home gateway
VLAN 2
VoD

VLAN 1 -> VLAN 101

VLAN 3 VLAN 2 -> VLAN 201
VoIP VLAN 3 -> VLAN 301

Wiring-closet
switch DHCP server
VLAN 1
PC VLAN 1 -> VLAN 102
VLAN 2 -> VLAN 202
VLAN 3 -> .VLAN 302
..
VLAN 2
VoD
Home gateway VLANs 101 and 102 -> VLAN 501
VLANs 201 and 202 -> VLAN 502
VLAN 3 VLANs 301 and .302 -> VLAN 503
VoIP ..
... ... ...
Campus switch ..
.
VLAN 1
PC
VLANs 199 and 200 -> VLAN 501
VLANs 299 and 300 -> VLAN 502
Home gateway VLANs 399 and 400 -> VLAN 503
VLAN 2
VoD ...
Distribution
VLAN 1 -> VLAN 199 network
VLAN 3 VLAN 2 -> VLAN 299
VoIP VLAN 3 -> VLAN 399

Wiring-closet
switch
VLAN 1
PC VLAN 1 -> VLAN 200
VLAN 2 -> VLAN 300
VLAN 3 -> VLAN 400

VLAN 2
VoD
Home gateway
VLAN 3
VoIP

As shown in Figure 89, the network is implemented as follows:

• Each home gateway uses different VLANs to transmit the PC, VoD, and VoIP services.
• To further subclassify each type of traffic by customer, configure one-to-one VLAN mapping on
the wiring-closet switches. This feature assigns a separate VLAN to each type of traffic from
each customer. The required total number of VLANs in the network can be very large.
• To prevent the maximum number of VLANs from being exceeded on the distribution layer
device, configure many-to-one VLAN mapping on the campus switch. This feature assigns the
same VLAN to the same type of traffic from different customers.
One-to-two and two-to-two VLAN mapping
One-to-two and two-to-two VLAN mapping are typically used to implement communication across
different SP networks, as shown in Figure 90.

298
 Figure 90 Application scenario of one-to-two and two-to-two VLAN mapping

One-to-two VLAN Two-to-two VLAN One-to-two VLAN

mapping mapping mapping

VLAN 10 VLAN 2 Data VLAN 20 VLAN 3 Data

PE 1 PE 2 PE 3 PE 4
SP 1 SP 2

VLAN 2 Data VLAN 3 Data

Traffic
VPN A VPN A
CE 1 Site 1 Site 2 CE 2

As shown in Figure 90, Site 1 and Site 2 of VPN A are in VLAN 2 and VLAN 3, respectively. The SP
1 network assigns SVLAN 10 to Site 1. The SP 2 network assigns SVLAN 20 to Site 2. When the
packet from Site 1 arrives at PE 1, PE 1 tags the packet with SVLAN 10 by using one-to-two VLAN
mapping.
When the double-tagged packet from the SP 1 network arrives at the SP 2 network interface, PE 3
processes the packet as follows:
• Replaces SVLAN tag 10 with SVLAN tag 20.
• Replaces CVLAN tag 2 with CVLAN tag 3.
One-to-two VLAN mapping provides the following benefits:
• Enables a customer network to plan its CVLAN assignment without conflicting with SVLANs.
• Adds a VLAN tag to a tagged packet and expands the number of available VLANs to 4094 ×
4094.
• Reduces the stress on the SVLAN resources, which were 4094 VLANs in the SP network
before the mapping process was initiated.

VLAN mapping implementations

Figure 91 shows a simplified network that illustrates basic VLAN mapping terms.
Basic VLAN mapping terms include the following:
• Uplink traffic—Traffic transmitted from the customer network to the service provider network.
• Downlink traffic—Traffic transmitted from the service provider network to the customer
network.
• Network-side port—A port connected to or closer to the service provider network.
• Customer-side port—A port connected to or closer to the customer network.

299
 Figure 91 Basic VLAN mapping terms

SP

Network-side port
Customer-side port
Uplink traffic
Downlink traffic

One-to-one VLAN mapping

As shown in Figure 92, one-to-one VLAN mapping is implemented on the customer-side port and
replaces VLAN tags as follows:
• Replaces the CVLAN with the SVLAN for the uplink traffic.
• Replaces the SVLAN with the CVLAN for the downlink traffic.
Figure 92 One-to-one VLAN mapping implementation

One-to-one
VLAN mapping

CVLAN Data SVLAN Data

Customer
SP network
network
CVLAN Data SVLAN Data

Customer-side port Uplink traffic Downlink traffic

Many-to-one VLAN mapping

As shown in Figure 93, many-to-one VLAN mapping is implemented on both the customer-side and
network-side ports as follows:
• For the uplink traffic, the customer-side many-to-one VLAN mapping replaces multiple CVLANs
with the same SVLAN.
• For the downlink traffic, the device performs the following operations:
a. Searches the MAC address table for an entry that matches the destination MAC address of
the downlink packets.
b. Replaces the SVLAN tag with a CVLAN tag based on the matching many-to-one mapping
entry.
For more information about the MAC address table, see "Configuring the MAC address table."

300
 Figure 93 Many-to-one VLAN mapping implementation

Customer-side Network-side
CVLAN 1 Data many-to-one many-to-one SVLAN Data
... VLAN mapping VLAN mapping ...

CVLAN n Data SVLAN Data

Customer
SP network
network
CVLAN Data SVLAN Data

ARP snooping or DHCP snooping

table lookup

Network-side port Customer-side port Uplink traffic Downlink traffic

One-to-two VLAN mapping

As shown in Figure 94, one-to-two VLAN mapping is implemented on the customer-side port to add
the SVLAN tag for the uplink traffic.
For the downlink traffic to be correctly sent to the customer network, make sure the SVLAN tag is
removed on the customer-side port before transmission. Use one of the following methods to remove
the SVLAN tag from the downlink traffic:
• Configure the customer-side port as a hybrid port and assign the port to the SVLAN as an
untagged member.
• Configure the customer-side port as a trunk port and set the port PVID to the SVLAN.
Figure 94 One-to-two VLAN mapping implementation

One-to-two VLAN mapping

CVLAN Data SVLAN CVLAN Data

Customer
SP network
network
CVLAN Data SVLAN CVLAN Data

Remove the SVLAN tag from downlink traffic

Customer-side port Uplink traffic Downlink traffic

Two-to-two VLAN mapping

As shown in Figure 95, two-to-two VLAN mapping is implemented on the customer-side port and
replaces VLAN tags as follows:
• Replaces the CVLAN and the SVLAN with the CVLAN' and the SVLAN' for the uplink traffic.
• Replaces the SVLAN' and CVLAN' with the SVLAN and the CVLAN for the downlink traffic.

301
 Figure 95 Two-to-two VLAN mapping implementation

Two-to-two
VLAN mapping

SVLAN CVLAN Data SVLAN’ CVLAN’ Data

SP network 1 SP network 2

SVLAN CVLAN Data SVLAN’ CVLAN’ Data

Customer-side port Uplink traffic Downlink traffic

Restrictions and guidelines: VLAN mapping

configuration
To add VLAN tags to packets, you can configure both VLAN mapping and QinQ. VLAN mapping
takes effect if a configuration conflict occurs. For more information about QinQ, see "Configuring
QinQ."
To add or replace VLAN tags for packets, you can configure both VLAN mapping and a QoS policy.
The QoS policy takes effect if a configuration conflict occurs. For information about QoS policies, see
ACL and QoS Configuration Guide.
Do not configure VLAN mapping and Ethernet service instance-to-VSI binding on the same Layer 2
Ethernet interface or Layer 2 aggregate interface. Do not configure VLAN mapping on a Layer 2
Ethernet interface or Layer 2 aggregate interface that acts as the source interface of a VXLAN tunnel.
Otherwise, these features might not take effect. For more information about VXLAN and VSI, see
VXLAN Configuration Guide.

VLAN mapping tasks at a glance

Use the appropriate VLAN mapping methods for the devices in the network.
To configure VLAN mapping, perform the following tasks:
• Configuring one-to-one VLAN mapping
Configure one-to-one VLAN mapping on the wiring-closet switch, as shown in Figure 89.
• Configuring many-to-one VLAN mapping
Configure many-to-one VLAN mapping on the campus switch, as shown in Figure 89.
• Configuring one-to-two VLAN mapping
Configure one-to-two VLAN mapping on PE 1 and PE 4, as shown in Figure 90, through which
traffic from customer networks enters the service provider networks.
• Configuring two-to-two VLAN mapping
Configure two-to-two VLAN mapping on PE 3, as shown in Figure 90, which is an edge device
of the SP 2 network.

Prerequisites
Before you configure VLAN mapping, create original and translated VLANs.

302
Configuring one-to-one VLAN mapping
About this task
Configure one-to-one VLAN mapping on the customer-side ports of wiring-closet switches (see
Figure 89) to isolate traffic of the same service type from different homes.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the link type of the port.
port link-type { hybrid | trunk }
By default, the link type of a port is access.
4. Assign the port to the original VLAN and the translated VLAN.
 Assign the trunk port to the original VLAN and the translated VLAN.
port trunk permit vlan vlan-id-list
By default, a trunk port is assigned to VLAN 1.
 Assign the hybrid port to the original VLAN and the translated VLAN as a tagged member.
port hybrid vlan vlan-id-list tagged
By default, a hybrid port is an untagged member of the VLAN to which
the port belongs when its link type is access.
5. Configure a one-to-one VLAN mapping.
vlan mapping vlan-id translated-vlan vlan-id
By default, no VLAN mapping is configured on an interface.

Configuring many-to-one VLAN mapping

About many-to-one VLAN mapping
Configure many-to-one VLAN mapping on campus switches (see Figure 89) to transmit the same
type of traffic from different users in one VLAN.
Restrictions and guidelines for many-to-one VLAN mapping
To ensure correct traffic forwarding from the service provider network to the customer network, do
not configure many-to-one VLAN mappings together with the following features:
• uRPF.
• Disabling MAC address learning.
• Setting the MAC learning limit.
For more information about uRPF, see Security Configuration Guide. For more information about
MAC address learning, see "Configuring the MAC address table."
Many-to-one VLAN mapping tasks at a glance
1. Configuring the customer-side port

303
 2. Configuring the network-side port
Configuring the customer-side port
1. Enter system view.
system-view
2. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the link type of the port.
port link-type { hybrid | trunk }
By default, the link type of a port is access.
4. Assign the port to the original VLANs.
 Assign the trunk port to the original VLANs.
port trunk permit vlan vlan-id-list
By default, a trunk port is assigned to VLAN 1.
 Assign the hybrid port to the original VLANs as a tagged member.
port hybrid vlan vlan-id-list tagged
By default, a hybrid port is an untagged member of the VLAN to which
the port belongs when its link type is access.
5. Configure a many-to-one VLAN mapping.
vlan mapping uni { range vlan-range-list | single vlan-id-list }
translated-vlan vlan-id
By default, no VLAN mapping is configured on an interface.
Configuring the network-side port
1. Enter system view.
system-view
2. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the link type of the port.
port link-type { hybrid | trunk }
By default, the link type of a port is access.
4. Assign the port to the translated VLAN.
 Assign the trunk port to the translated VLAN.
port trunk permit vlan vlan-id-list
By default, a trunk port is assigned to VLAN 1.
 Assign the hybrid port to the translated VLAN as a tagged member.
port hybrid vlan vlan-id-list tagged
By default, a hybrid port is an untagged member of the VLAN to which
the port belongs when its link type is access.

304
Configuring one-to-two VLAN mapping
About this task
Configure one-to-two VLAN mapping on the customer-side ports of edge devices from which
customer traffic enters SP networks, for example, on PEs 1 and 4 in Figure 90. One-to-two VLAN
mapping enables the edge devices to add an SVLAN tag to each incoming packet.
Restrictions and guidelines
Only one SVLAN tag can be added to packets from the same CVLAN. To add different SVLAN tags
to different CVLAN packets on a port, set the port link type to hybrid and configure multiple
one-to-two VLAN mappings.
The MTU of an interface is 1500 bytes by default. After a VLAN tag is added to a packet, the packet
length is added by 4 bytes. As a best practice, set the MTU to a minimum of 1504 bytes for ports on
the forwarding path of the packet in the service provider network.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the link type of the port.
port link-type { hybrid | trunk }
By default, the link type of a port is access.
4. Configure the port to allow packets from the SVLAN to pass through untagged.
 Configure the SVLAN as the PVID of the trunk port and assign the trunk port to the SVLAN.
port trunk pvid vlan vlan-id
port trunk permit vlan { vlan-id-list | all }
 Assign the hybrid port to the SVLAN as an untagged member.
port hybrid vlan vlan-id-list untagged
5. Configure a one-to-two VLAN mapping.
vlan mapping nest { range vlan-range-list | single vlan-id-list }
nested-vlan vlan-id
By default, no VLAN mapping is configured on an interface.

Configuring two-to-two VLAN mapping

About this task
Configure two-to-two VLAN mapping on the customer-side port of an edge device that connects two
SP networks, for example, on PE 3 in Figure 90. Two-to-two VLAN mapping enables two sites in
different VLANs to communicate at Layer 2 across two service provider networks that use different
VLAN assignment schemes.
Procedure
1. Enter system view.

305
 system-view
2. Enter interface view.
 Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
 Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-number
3. Set the link type of the port.
port link-type { hybrid | trunk }
By default, the link type of a port is access.
4. Assign the port to the original VLANs and the translated VLANs.
 Assign the trunk port to the original VLANs and the translated VLANs.
port trunk permit vlan vlan-id-list
By default, a trunk port is assigned to VLAN 1.
 Assign the hybrid port to the original VLANs and the translated VLANs as a tagged member.
port hybrid vlan vlan-id-list tagged
By default, a hybrid port is an untagged member of the VLAN to which the port belongs
when its link type is access.
5. Configure a two-to-two VLAN mapping.
vlan mapping tunnel outer-vlan-id inner-vlan-id translated-vlan
outer-vlan-id inner-vlan-id
By default, no VLAN mapping is configured on an interface.

Display and maintenance commands for VLAN

mapping
Execute display commands in any view.

Task Command
display vlan mapping [ interface
Display VLAN mapping information.
interface-type interface-number ]

VLAN mapping configuration examples

Example: Configuring one-to-one VLAN mapping
Network configuration
As shown in Figure 96:
• Each household subscribes to PC, VoD, and VoIP services.
• On the home gateways, VLANs 1, 2, and 3 are assigned to PC, VoD, and VoIP traffic,
respectively.
To isolate traffic of the same service type from different households, configure one-to-one VLAN
mappings on the wiring-closet switches. This feature assigns one VLAN to each type of traffic from
each household.

306
 Table 27 VLAN mappings for each service

VLANs on wiring-closet switches (Switch A

Service VLANs on home gateways
and Switch B)
PC VLAN 1 VLANs 101, 102, 103, 104
VoD VLAN 2 VLANs 201, 202, 203, 204
VoIP VLAN 3 VLANs 301, 302, 303, 304

Figure 96 Network diagram

DHCP client

VLAN 1
PC

Home gateway
VLAN 2
VoD

VLAN 1 -> VLAN 101

VLAN 3 VLAN 2 -> VLAN 201
VoIP XGE1/0/1 VLAN 3 -> VLAN 301

Wiring-closet GE1/0/3
Switch A
VLAN 1 GE1/0/2
PC VLAN 1 -> VLAN 102 DHCP server
VLAN 2 -> VLAN 202
VLAN 3 -> VLAN 302
VLAN 2
VoD
Home gateway
VLAN 3
VoIP

Campus switch
Switch D
Switch C
VLAN 1
PC

Home gateway
VLAN 2
VoD
Distribution
VLAN 1 -> VLAN 103 network
VLAN 3 VLAN 2 -> VLAN 203
VoIP XGE1/0/1 VLAN 3 -> VLAN 303

Wiring-closet XGE1/0/3
Switch B
VLAN 1 xGE1/0/2
PC VLAN 1 -> VLAN 104
VLAN 2 -> VLAN 204
VLAN 3 -> VLAN 304
VLAN 2
VoD
Home gateway
VLAN 3
VoIP

Procedure
1. Configure Switch A:
# Create the original VLANs.
<SwitchA> system-view
[SwitchA] vlan 2 to 3

307
 # Create the translated VLANs.
[SwitchA] vlan 101 to 102
[SwitchA] vlan 201 to 202
[SwitchA] vlan 301 to 302
# Configure customer-side port GigabitEthernet 1/0/1 as a trunk port.
<SwitchA> system-view
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
# Assign GigabitEthernet 1/0/1 to all original VLANs and translated VLANs.
[SwitchA-GigabitEthernet1/0/1] port trunk permit vlan 1 2 3 101 201 301
# Configure one-to-one VLAN mappings on GigabitEthernet 1/0/1 to map VLANs 1, 2, and 3 to
VLANs 101, 201, and 301, respectively.
[SwitchA-GigabitEthernet1/0/1] vlan mapping 1 translated-vlan 101
[SwitchA-GigabitEthernet1/0/1] vlan mapping 2 translated-vlan 201
[SwitchA-GigabitEthernet1/0/1] vlan mapping 3 translated-vlan 301
[SwitchA-GigabitEthernet1/0/1] quit
# Configure customer-side port GigabitEthernet 1/0/2 as a trunk port.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
# Assign GigabitEthernet 1/0/2 to all original VLANs and translated VLANs.
[SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 1 2 3 102 202 302
# Configure one-to-one VLAN mappings on GigabitEthernet 1/0/2 to map VLANs 1, 2, and 3 to
VLANs 102, 202, and 302, respectively.
[SwitchA-GigabitEthernet1/0/2] vlan mapping 1 translated-vlan 102
[SwitchA-GigabitEthernet1/0/2] vlan mapping 2 translated-vlan 202
[SwitchA-GigabitEthernet1/0/2] vlan mapping 3 translated-vlan 302
[SwitchA-GigabitEthernet1/0/2] quit
# Configure the network-side port (GigabitEthernet 1/0/3) as a trunk port.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
# Assign GigabitEthernet 1/0/3 to the translated VLANs.
[SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 101 201 301 102 202 302
[SwitchA-GigabitEthernet1/0/3] quit
2. Configure Switch B in the same way Switch A is configured. (Details not shown.)
Verifying the configuration
# Verify VLAN mapping information on the wiring-closet switches, for example, Switch A.
[SwitchA] display vlan mapping
Interface GigabitEthernet1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
1 N/A 101 N/A
2 N/A 201 N/A
3 N/A 301 N/A
Interface GigabitEthernet1/0/2:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
1 N/A 102 N/A
2 N/A 202 N/A
3 N/A 302 N/A

308
Example: Configuring many-to-one VLAN mapping
Network configuration
As shown in Figure 97:
• Create VLAN 2, VLAN 3, and VLAN 4 on the wiring-closet switches to isolate traffic of the same
service type from different households.
• Configure many-to-one VLAN mappings on the campus switch. This feature assigns one VLAN
to each type of traffic from different households.
Figure 97 Network diagram

Distribution
network

VLAN 2~4 -> VLAN 10

Campus switch
Switch E
GE1/0/1

GE1/0/4
Access switch
Switch D
GE1/0/3

GE1/0/1 GE1/0/2

GE1/0/2 GE1/0/2 GE1/0/2

Wiring-closet Wiring-closet Wiring-closet

Switch A Switch B Switch C

GE1/0/1 GE1/0/1 GE1/0/1

VLAN 2 VLAN 3 VLAN 4

Procedure
1. Configure Switch A:
# Create VLAN 2 as an original VLAN.
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] quit
# Assign ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to VLAN 2.
[SwitchA] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/2
[SwitchA-if-range] port access vlan 2
[SwitchA-if-range] quit
2. Configure Switch B and Switch C in the same way Switch A is configured. (Details not shown.)
3. Configure Switch D:

309
 # Create VLANs 2, 3, and 4 as original VLANs.
<SwitchD> system-view
[SwitchD] vlan 2 to 4
# Assign ports GigabitEthernet 1/0/1 to VLAN 2, GigabitEthernet 1/0/2 to VLAN 3, and
GigabitEthernet 1/0/3 to VLAN 4.
[SwitchD] interface gigabitethernet 1/0/1
[SwitchD-GigabitEthernet1/0/1] port access vlan 2
[SwitchD-GigabitEthernet1/0/1] quit
[SwitchD] interface gigabitethernet 1/0/2
[SwitchD-GigabitEthernet1/0/2] port access vlan 3
[SwitchD-GigabitEthernet1/0/2] quit
[SwitchD] interface gigabitethernet 1/0/3
[SwitchD-GigabitEthernet1/0/3] port access vlan 4
[SwitchD-GigabitEthernet1/0/3] quit
# Configure port GigabitEthernet 1/0/4 as a trunk port.
[SwitchD] interface gigabitethernet 1/0/4
[SwitchD-GigabitEthernet1/0/4] port link-type trunk
# Assign GigabitEthernet 1/0/4 to the original VLANs.
[SwitchD-GigabitEthernet1/0/4] port trunk permit vlan 2 to 4
[SwitchD-GigabitEthernet1/0/4] quit
4. Configure Switch E:
# Configure the customer-side port (GigabitEthernet 1/0/1) as a trunk port.
<SwitchE> system-view
[SwitchE] interface gigabitethernet 1/0/1
# Assign GigabitEthernet 1/0/1 to the translated VLANs.
[SwitchE-GigabitEthernet1/0/1] port link-type trunk
[SwitchE-GigabitEthernet1/0/1] port trunk permit vlan 2 to 4
# Configure many-to-one VLAN mapping on GigabitEthernet 1/0/1, which replaces VLAN tag 2
through VLAN tag 4 with VLAN tag 10.
[SwitchE-GigabitEthernet1/0/1] vlan mapping uni range 2 to 4 translated-vlan 10
[SwitchE-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify VLAN mapping information on Switch E.
[SwitchE] display vlan mapping
Interface GigabitEthernet1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
2-4 N/A 10 N/A

Example: Configuring one-to-two and two-to-two VLAN

mapping
Network configuration
As shown in Figure 98:
• Two VPN A branches, Site 1 and Site 2, are in VLAN 5 and VLAN 6, respectively.
• The two sites use different VPN access services from different service providers, SP 1 and SP
2.

310
 • SP 1 assigns VLAN 100 to Site 1 and Site 2. SP 2 assigns VLAN 200 to Site 1 and Site 2.
Configure one-to-two VLAN mappings and two-to-two VLAN mappings to enable the two branches
to communicate across networks SP 1 and SP 2.
Figure 98 Network diagram

SP 1 SP 2
PE 1 PE 2 PE 3 PE 4
GE1/0/2 GE1/0/1 GE1/0/2 GE1/0/1 GE1/0/2 GE1/0/1

GE1/0/1 VLAN 100 VLAN 5 Data VLAN 200 VLAN 6 Data GE1/0/2

VLAN 5 Data VLAN 6 Data

VPN A VPN A CE 2
CE 1
Site 1 Site 2

Procedure
1. Configure PE 1:
# Create VLANs 5 and 100.
<PE1> system-view
[PE1] vlan 5
[PE1-vlan5] quit
[PE1] vlan 100
[PE1-vlan100] quit
# Configure a one-to-two VLAN mapping on the customer-side port (GigabitEthernet 1/0/1) to
add SVLAN tag 100 to packets from VLAN 5.
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] vlan mapping nest single 5 nested-vlan 100
# Configure GigabitEthernet 1/0/1 as a hybrid port.
[PE1-GigabitEthernet1/0/1] port link-type hybrid
# Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member.
[PE1-GigabitEthernet1/0/1] port hybrid vlan 100 untagged
[PE1-GigabitEthernet1/0/1] quit
# Configure the network-side port (GigabitEthernet 1/0/2) as a trunk port.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type trunk
# Assign GigabitEthernet 1/0/2 to VLAN 100.
[PE1-GigabitEthernet1/0/2] port trunk permit vlan 100
[PE1-GigabitEthernet1/0/2] quit
2. Configure PE 2:
# Create VLAN 100.
<PE2> system-view
[PE2] vlan 100
[PE2-vlan100] quit

311
 # Configure GigabitEthernet 1/0/1 as a trunk port.
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port link-type trunk
# Assign GigabitEthernet 1/0/1 to VLAN 100.
[PE2-GigabitEthernet1/0/1] port trunk permit vlan 100
[PE2-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port.
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] port link-type trunk
# Assign GigabitEthernet 1/0/2 to VLAN 100.
[PE2-GigabitEthernet1/0/2] port trunk permit vlan 100
[PE2-GigabitEthernet1/0/2] quit
3. Configure PE 3:
# Create VLANs 5, 6, 100, and 200.
<PE3> system-view
[PE3] vlan 5 to 6
[PE3] vlan 100
[PE3-vlan100] quit
[PE3] vlan 200
[PE3-vlan200] quit
# Configure GigabitEthernet 1/0/1 as a trunk port.
[PE3] interface gigabitethernet 1/0/1
[PE3-GigabitEthernet1/0/1] port link-type trunk
# Assign GigabitEthernet 1/0/1 to VLANs 100 and 200.
[PE3-GigabitEthernet1/0/1] port trunk permit vlan 100 200
# Configure a two-to-two VLAN mapping on GigabitEthernet 1/0/1 to map SVLAN 100 and
CVLAN 5 to SVLAN 200 and CVLAN 6.
[PE3-GigabitEthernet1/0/1] vlan mapping tunnel 100 5 translated-vlan 200 6
[PE3-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port.
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] port link-type trunk
# Assign GigabitEthernet 1/0/2 to VLAN 200.
[PE3-GigabitEthernet1/0/2] port trunk permit vlan 200
[PE3-GigabitEthernet1/0/2] quit
4. Configure PE 4:
# Create VLANs 6 and 200.
<PE4> system-view
[PE4] vlan 6
[PE4-vlan6] quit
[PE4] vlan 200
[PE4-vlan200] quit
# Configure the network-side port (GigabitEthernet 1/0/1) as a trunk port.
[PE4] interface gigabitethernet 1/0/1
[PE4-GigabitEthernet1/0/1] port link-type trunk
# Assign GigabitEthernet 1/0/1 to VLAN 200.
[PE4-GigabitEthernet1/0/1] port trunk permit vlan 200

312
 [PE4-GigabitEthernet1/0/1] quit
# Configure the customer-side port (GigabitEthernet 1/0/2) as a hybrid port.
[PE4] interface gigabitethernet 1/0/2
[PE4-GigabitEthernet1/0/2] port link-type hybrid
# Assign GigabitEthernet 1/0/2 to VLAN 200 as an untagged member.
[PE4-GigabitEthernet1/0/2] port hybrid vlan 200 untagged
# Configure a one-to-two VLAN mapping on GigabitEthernet 1/0/2 to add SVLAN tag 200 to
packets from VLAN 6.
[PE4-GigabitEthernet1/0/2] vlan mapping nest single 6 nested-vlan 200
[PE4-GigabitEthernet1/0/2] quit

Verifying the configuration

# Verify VLAN mapping information on PE 1.
[PE1] display vlan mapping
Interface GigabitEthernet1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
5 N/A 100 5

# Verify VLAN mapping information on PE 3.

[PE3] display vlan mapping
Interface GigabitEthernet1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
100 5 200 6

# Verify VLAN mapping information on PE 4.

[PE4] display vlan mapping
Interface GigabitEthernet1/0/2:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
6 N/A 200 6

313
Configuring LLDP
About LLDP
The Link Layer Discovery Protocol (LLDP) is a standard link layer protocol that allows network
devices from different vendors to discover neighbors and exchange system and configuration
information.
In an LLDP-enabled network, a device advertises local device information in LLDP Data Units
(LLDPDUs) to the directly connected devices. The information distributed through LLDP is stored by
its recipients in standard MIBs, making it possible for the information to be accessed by a Network
Management System (NMS) through SNMP.
Information that can be distributed through LLDP includes (but is not limited to):
• Major capabilities of the system.
• Management IP address of the system.
• Device ID.
• Port ID.

LLDP agents and bridge modes

An LLDP agent is a mapping of a protocol entity that implements LLDP. Multiple LLDP agents can
run on the same interface.
LLDP agents are classified into the following types:
• Nearest bridge agent.
• Nearest customer bridge agent.
• Nearest non-TPMR bridge agent.
A Two-port MAC Relay (TPMR) is a type of bridge that has only two externally-accessible
bridge ports. It supports a subset of the features of a MAC bridge. A TPMR is transparent to all
frame-based media-independent protocols except for the following protocols:
 Protocols destined for the TPMR.
 Protocols destined for reserved MAC addresses that the relay feature of the TPMR is
configured not to forward.
LLDP exchanges packets between neighbor agents and creates and maintains neighbor information
for them. Figure 99 shows the neighbor relationships for these LLDP agents.
Figure 99 LLDP neighbor relationships

Nearest Nearest
customer customer
bridge bridge
Nearest Nearest Nearest
non-TPMR non-TPMR non-TPMR
bridge bridge bridge
Nearest Nearest Nearest Nearest
bridge bridge bridge bridge

CB 1 SB 1 TPMR CB 2

314
 The types of supported LLDP agents vary with the bridge mode in which LLDP operates. LLDP
supports the following bridge modes: customer bridge (CB) and service bridge (SB).
• Customer bridge mode—LLDP supports nearest bridge agent, nearest non-TPMR bridge
agent, and nearest customer bridge agent. LLDP processes the LLDP frames with destination
MAC addresses for these agents and transparently transmits the LLDP frames with other
destination MAC addresses in VLANs.
• Service bridge mode—LLDP supports nearest bridge agent and nearest non-TPMR bridge
agent. LLDP processes the LLDP frames with destination MAC addresses for these agents and
transparently transmits the LLDP frames with other destination MAC addresses in VLANs.

LLDP frame formats

LLDP sends device information in LLDP frames. LLDP frames are encapsulated in Ethernet II or
Subnetwork Access Protocol (SNAP) format.
LLDP frame encapsulated in Ethernet II
Figure 100 Ethernet II-encapsulated LLDP frame
0 15 31
Destination MAC address

Source MAC address

Type

Data = LLDPDU
(1500 bytes)

FCS

Table 28 Fields in an Ethernet II-encapsulated LLDP frame

Field Description
MAC address to which the LLDP frame is advertised. LLDP specifies
different multicast MAC addresses as destination MAC addresses for LLDP
frames destined for agents of different types. This helps distinguish between
LLDP frames sent and received by different agent types on the same
interface. The destination MAC address is fixed to one of the following
multicast MAC addresses:
Destination MAC address • 0x0180-c200-000E for LLDP frames destined for nearest bridge
agents.
• 0x0180-c200-0000 for LLDP frames destined for nearest customer
bridge agents.
• 0x0180-c200-0003 for LLDP frames destined for nearest non-TPMR
bridge agents.

Source MAC address MAC address of the sending port.

Type Ethernet type for the upper-layer protocol. This field is 0x88CC for LLDP.
Data LLDPDU.
Frame check sequence, a 32-bit CRC value used to determine the validity of
FCS
the received Ethernet frame.

315
LLDP frame encapsulated in SNAP
Figure 101 SNAP-encapsulated LLDP frame
0 15 31
Destination MAC address

Source MAC address

Type

Data = LLDPDU
(n bytes)

FCS

Table 29 Fields in a SNAP-encapsulated LLDP frame

Field Description
MAC address to which the LLDP frame is advertised. It is the same as that
Destination MAC address
for Ethernet II-encapsulated LLDP frames.

Source MAC address MAC address of the sending port.

SNAP type for the upper-layer protocol. This field is

Type
0xAAAA-0300-0000-88CC for LLDP.
Data LLDPDU.
Frame check sequence, a 32-bit CRC value used to determine the validity of
FCS
the received Ethernet frame.

LLDPDUs
Each LLDP frame contains one LLDPDU. Each LLDPDU is a sequence of type-length-value (TLV)
structures.
Figure 102 LLDPDU encapsulation format

Chassis ID TLV Port ID TLV Time To Live TLV Optional TLV ... Optional TLV End of LLDPDU TLV

As shown in Figure 102, each LLDPDU starts with the following mandatory TLVs: Chassis ID TLV,
Port ID TLV, and Time to Live TLV. The mandatory TLVs are followed by a maxiumu of 29 optional
TLVs.

TLVs
A TLV is an information element that contains the type, length, and value fields.
LLDPDU TLVs include the following categories:
• Basic management TLVs.
• Organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs.
• LLDP-MED (media endpoint discovery) TLVs.
Basic management TLVs are essential to device management.

316
 Organizationally specific TLVs and LLDP-MED TLVs are used for enhanced device management.
They are defined by standardization or other organizations and are optional for LLDPDUs.
Basic management TLVs
Table 30 lists the basic management TLV types. Some of them are mandatory for LLDPDUs.
Table 30 Basic management TLVs

Type Description Remarks

Chassis ID Specifies the bridge MAC address of the sending device.

Specifies the ID of the sending port:

• If the LLDPDU carries LLDP-MED TLVs, the port ID TLV
Port ID
carries the MAC address of the sending port.
Mandatory.
• Otherwise, the port ID TLV carries the port name.

Specifies the life of the transmitted information on the receiving

Time to Live
device.

End of LLDPDU Marks the end of the TLV sequence in the LLDPDU.
Port Description Specifies the description for the sending port.
System Name Specifies the assigned name of the sending device.
System Description Specifies the description for the sending device.
Identifies the primary features of the sending device and the
System Capabilities Optional.
enabled primary features.
Specifies the following elements:
• The management address of the local device.
Management Address
• The interface number and object identifier (OID)
associated with the address.

IEEE 802.1 organizationally specific TLVs

Table 31 lists the IEEE 802.1 organizationally specific TLVs.
The device can receive protocol identity TLVs and VID usage digest TLVs, but it cannot send these
TLVs.
Layer 3 Ethernet ports support only link aggregation TLVs.
Table 31 IEEE 802.1 organizationally specific TLVs

Type Description
Port VLAN ID (PVID) Specifies the port VLAN identifier.
Port And Protocol VLAN ID Indicates whether the device supports protocol VLANs and, if so, what
(PPVID) VLAN IDs these protocols will be associated with.
VLAN Name Specifies the textual name of any VLAN to which the port belongs.
Protocol Identity Indicates protocols supported on the port.
Data center bridging exchange protocol.
DCBX

Edge Virtual Bridging module, including EVB TLV and CDCP TLV. For more
EVB module information, see EVB Configuration Guide.

Indicates whether the port supports link aggregation, and if yes, whether link
Link Aggregation
aggregation is enabled.

317
 Type Description
Management VID Management VLAN ID.
VID Usage Digest VLAN ID usage digest.
ETS Configuration Enhanced Transmission Selection configuration.
ETS Recommendation ETS recommendation.
PFC Priority-based Flow Control.
APP Application protocol.
Quantized Congestion Notification.
QCN

IEEE 802.3 organizationally specific TLVs

Table 32 shows the IEEE 802.3 organizationally specific TLVs.
The Power Stateful Control TLV is defined in IEEE P802.3at D1.0 and is not supported in later
versions. The device sends this type of TLVs only after receiving them.
Table 32 IEEE 802.3 organizationally specific TLVs

Type Description
Contains the bit-rate and duplex capabilities of the port, support for
MAC/PHY Configuration/Status autonegotiation, enabling status of autonegotiation, and the current
rate and duplex mode.
Indicates whether the port supports link aggregation, and if yes,
Link Aggregation
whether link aggregation is enabled.
Contains the power supply capabilities of the port:
• Port class (PSE or PD).
• Power supply mode.
• Whether PSE power supply is supported.
• Whether PSE power supply is enabled.
Power Via MDI • Whether pair selection can be controlled.
• Power supply type.
• Power source.
• Power priority.
• PD requested power.
• PSE allocated power.
Maximum Frame Size Indicates the supported maximum frame size.
Indicates the power state control configured on the sending port,
including the following:
Power Stateful Control • Power supply mode of the PSE/PD.
• PSE/PD priority.
• PSE/PD power.
Energy-Efficient Ethernet Indicates Energy Efficient Ethernet (EEE).

LLDP-MED TLVs
LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as basic
configuration, network policy configuration, and address and directory management. LLDP-MED
TLVs provide a cost-effective and easy-to-use solution for deploying voice devices in Ethernet.
LLDP-MED TLVs are shown in Table 33.

318
 If the MAC/PHY configuration/status TLV is not advertisable, none of the LLDP-MED TLVs will be
advertised even if they are advertisable.
If the LLDP-MED capabilities TLV is not advertisable, the other LLDP-MED TLVs will not be
advertised even if they are advertisable.
Table 33 LLDP-MED TLVs

Type Description
Allows a network device to advertise the LLDP-MED TLVs that it
LLDP-MED Capabilities
supports.

Allows a network device or terminal device to advertise the VLAN ID

Network Policy of a port, the VLAN type, and the Layer 2 and Layer 3 priorities for
specific applications.

Allows a network device or terminal device to advertise power

Extended Power-via-MDI supply capability. This TLV is an extension of the Power Via MDI
TLV.

Hardware Revision Allows a terminal device to advertise its hardware version.

Firmware Revision Allows a terminal device to advertise its firmware version.

Software Revision Allows a terminal device to advertise its software version.

Serial Number Allows a terminal device to advertise its serial number.

Manufacturer Name Allows a terminal device to advertise its vendor name.

Model Name Allows a terminal device to advertise its model name.

Allows a terminal device to advertise its asset ID. The typical case is
Asset ID that the user specifies the asset ID for the endpoint to facilitate
directory management and asset tracking.

Allows a network device to advertise the appropriate location

Location Identification identifier information for a terminal device to use in the context of
location-based applications.

Management address
The network management system uses the management address of a device to identify and manage
the device for topology maintenance and network management. The management address is
encapsulated in the management address TLV.

LLDP operating modes

An LLDP agent can operate in one of the following modes:
• TxRx mode—An LLDP agent in this mode can send and receive LLDP frames.
• Tx mode—An LLDP agent in this mode can only send LLDP frames.
• Rx mode—An LLDP agent in this mode can only receive LLDP frames.
• Disable mode—An LLDP agent in this mode cannot send or receive LLDP frames.
Each time the operating mode of an LLDP agent changes, its LLDP protocol state machine
reinitializes. A configurable reinitialization delay prevents frequent initializations caused by frequent
changes to the operating mode. If you configure the reinitialization delay, an LLDP agent must wait
the specified amount of time to initialize LLDP after the LLDP operating mode changes.

319
Transmitting and receiving LLDP frames
Transmitting LLDP frames
An LLDP agent operating in TxRx mode or Tx mode sends LLDP frames to its directly connected
devices both periodically and when the local configuration changes. To prevent LLDP frames from
overwhelming the network during times of frequent changes to local device information, LLDP uses
the token bucket mechanism to rate limit LLDP frames. For more information about the token bucket
mechanism, see ACL and QoS Configuration Guide.
LLDP automatically enables the fast LLDP frame transmission mechanism in either of the following
cases:
• A new LLDP frame is received and carries device information new to the local device.
• The LLDP operating mode of the LLDP agent changes from Disable or Rx to TxRx or Tx.
The fast LLDP frame transmission mechanism successively sends the specified number of LLDP
frames at a configurable fast LLDP frame transmission interval. The mechanism helps LLDP
neighbors discover the local device as soon as possible. Then, the normal LLDP frame transmission
interval resumes.
Receiving LLDP frames
An LLDP agent operating in TxRx mode or Rx mode confirms the validity of TLVs carried in every
received LLDP frame. If the TLVs are valid, the LLDP agent saves the information and starts an
aging timer. The initial value of the aging timer is equal to the TTL value in the Time To Live TLV
carried in the LLDP frame. When the LLDP agent receives a new LLDP frame, the aging timer
restarts. When the aging timer decreases to zero, all saved information ages out.

Collaboration with Track

You can configure a track entry and associate it with an LLDP interface. The LLDP module checks
the neighbor availability of the LLDP interface and reports the check result to the Track module. The
Track module changes the track entry status accordingly so the associated application module can
take correct actions.
The Track module changes the track entry status based on the neighbor availability of a monitored
LLDP interface as follows:
• If the neighbor of the LLDP interface is available, the Track module sets the track entry to
Positive state.
• If the neighbor of the LLDP interface is unavailable, the Track module sets the track entry to
Negative state.
For more information about collaboration between Track and LLDP, see the track configuration in
High Availability Configuration Guide.

Protocols and standards

• IEEE 802.1AB-2005, Station and Media Access Control Connectivity Discovery
• IEEE 802.1AB-2009, Station and Media Access Control Connectivity Discovery
• ANSI/TIA-1057, Link Layer Discovery Protocol for Media Endpoint Devices
• IEEE Std 802.1Qaz-2011, Media Access Control (MAC) Bridges and Virtual Bridged Local Area
Networks-Amendment 18: Enhanced Transmission Selection for Bandwidth Sharing Between
Traffic Classes

320
Restrictions and guidelines: LLDP configuration
When you configure LLDP, follow these restrictions and guidelines:
• Some of the LLDP configuration tasks are available in different interface views (see Table 34).
Table 34 Support of LLDP configuration tasks in different views

Tasks Supported views

Enabling LLDP
Setting the LLDP operating mode
Layer 2 Ethernet interface view
Configuring the advertisable TLVs Layer 3 Ethernet interface view
Configuring advertisement of the management Management Ethernet interface view
address TLV Layer 2 aggregate interface view
Setting the encapsulation format for LLDP frames Layer 3 aggregate interface view
IRF physical interface view
Enabling LLDP polling
Configuring LLDP trapping and LLDP-MED trapping

• To use LLDP together with OpenFlow, you must enable LLDP globally on OpenFlow switches.
To prevent LLDP from affecting topology discovery of OpenFlow controllers, disable LLDP on
ports of OpenFlow instances. For more information about OpenFlow, see OpenFlow
Configuration Guide.
• You can configure LLDP on an IRF physical interface to monitor the connection and link status
of the IRF physical link. An LLDP-enabled IRF physical interface supports only the nearest
bridge agent.

LLDP tasks at a glance

To configure LLDP, perform the following tasks:
1. Enabling LLDP
2. Setting the LLDP bridge mode
3. Setting the LLDP operating mode
4. (Optional.) Setting the LLDP reinitialization delay
5. (Optional.) Configuring LLDP packet-related settings
 Configuring the advertisable TLVs
 Configuring advertisement of the management address TLV
 Setting the encapsulation format for LLDP frames
 Setting LLDP frame transmission parameters
 Setting the timeout for receiving LLDP frames
6. (Optional.) Enabling LLDP polling
7. (Optional.) Disabling LLDP PVID inconsistency check
8. (Optional.) Configuring CDP compatibility
9. (Optional.) Configuring LLDP trapping and LLDP-MED trapping
10. (Optional.) Configuring MAC address borrowing
 (Optional.) Setting the source MAC address of LLDP frames
 (Optional.) Enabling generation of ARP or ND entries for received management address
TLVs

321
Enabling LLDP
Restrictions and guidelines
For LLDP to take effect on specific ports, you must enable LLDP both globally and on these ports.
Procedure
1. Enter system view.
system-view
2. Enable LLDP globally.
lldp global enable
If the device is started with the software default settings, LLDP is disabled globally.
If the device is started with the factory default settings, LLDP is enabled globally.
3. Enter interface view.
interface interface-type interface-number
4. Enable LLDP.
lldp enable
By default, LLDP is enabled on a port.

Setting the LLDP bridge mode

1. Enter system view.
system-view
2. Set the LLDP bridge mode.
 Set the LLDP bridge mode to service bridge.
lldp mode service-bridge
By default, LLDP operates in customer bridge mode.
 Set the LLDP bridge mode to customer bridge.
undo lldp mode
By default, LLDP operates in customer bridge mode.

Setting the LLDP operating mode

1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the LLDP operating mode.
 In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view:
lldp [ agent { nearest-customer | nearest-nontpmr } ] admin-status
{ disable | rx | tx | txrx }
In Ethernet interface view, if you do not specify an agent type, the command sets the
operating mode for the nearest bridge agent.
 In Layer 2/Layer 3 aggregate interface view:

322
 lldp agent { nearest-customer | nearest-nontpmr } admin-status
{ disable | rx | tx | txrx }
In aggregate interface view, you can set the operating mode only for the nearest customer
bridge agent and nearest non-TPMR bridge agent.
 In IRF physical interface view:
lldp admin-status { disable | rx | tx | txrx }
In IRF physical interface view, you can set the operating mode only for the nearest bridge
agent.
By default:
 The nearest bridge agent operates in TxRx mode.
 The nearest customer bridge agent and nearest non-TPMR bridge agent operate in Disable
mode.

Setting the LLDP reinitialization delay

About this task
When the LLDP operating mode changes on a port, the port initializes the protocol state machines
after an LLDP reinitialization delay. By adjusting the delay, you can avoid frequent initializations
caused by frequent changes to the LLDP operating mode on a port.
Procedure
1. Enter system view.
system-view
2. Set the LLDP reinitialization delay.
lldp timer reinit-delay delay
The default LLDP reinitialization delay is 2 seconds.

Configuring the advertisable TLVs

1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Configure the advertisable TLVs.
 In Layer 2 Ethernet interface view:
lldp tlv-enable { basic-tlv { all | port-description |
system-capability | system-description | system-name |
management-address-tlv [ ipv6 ] [ ip-address | interface loopback
interface-number ] } | dot1-tlv { all | port-vlan-id |
link-aggregation | protocol-vlan-id [ vlan-id ] | vlan-name
[ vlan-id ] | management-vid [ mvlan-id ] } | dot3-tlv { all |
link-aggregation | mac-physic | max-frame-size | power } | med-tlv
{ all | capability | inventory | network-policy [ vlan-id ] |
power-over-ethernet | location-id { civic-address device-type
country-code { ca-type ca-value }&<1-10> | elin-address
tel-number } } }
By default, the nearest bridge agent advertises all supported TLVs except the following
TLVs:

323
 − Location identification TLVs.
− Port and protocol VLAN ID TLVs.
− VLAN name TLVs.
− Management VLAN ID TLVs.
lldp agent nearest-nontpmr tlv-enable { basic-tlv { all |
port-description | system-capability | system-description |
system-name | management-address-tlv [ ipv6 ] [ ip-address ] } |
dot1-tlv { all | port-vlan-id | link-aggregation } | dot3-tlv { all |
link-aggregation } }
lldp tlv-enable dot1-tlv { protocol-vlan-id [ vlan-id ] | vlan-name
[ vlan-id ] | management-vid [ mvlan-id ] }
By default, the nearest non-TPMR bridge agent does not advertise any TLVs.
lldp agent nearest-customer tlv-enable { basic-tlv { all |
port-description | system-capability | system-description |
system-name | management-address-tlv [ ipv6 ] [ ip-address ] } |
dot1-tlv { all | port-vlan-id | link-aggregation } | dot3-tlv { all
| link-aggregation } }
lldp tlv-enable dot1-tlv { protocol-vlan-id [ vlan-id ] | vlan-name
[ vlan-id ] | management-vid [ mvlan-id ] }
By default, the nearest customer bridge agent advertises all the supported basic
management TLVs and IEEE 802.1 organizationally specific TLVs.
 In Layer 3 Ethernet interface view:
lldp tlv-enable { basic-tlv { all | port-description |
system-capability | system-description | system-name |
management-address-tlv [ ipv6 ] [ ip-address | interface loopback
interface-number ] } | dot1-tlv { all | link-aggregation } | dot3-tlv
{ all | link-aggregation | mac-physic | max-frame-size | power } |
med-tlv { all | capability | inventory | power-over-ethernet |
location-id { civic-address device-type country-code { ca-type
ca-value }&<1-10> | elin-address tel-number } } }
By default, the nearest bridge agent advertises the following TLVs:
− Link aggregation TLVs in the 802.1 organizationally specific TLV set.
− All supported 802.3 organizationally specific TLVs except the Energy-Efficient Ethernet
TLVs.
− All supported LLDP-MED TLVs except the network policy TLVs.
lldp agent { nearest-nontpmr | nearest-customer } tlv-enable
{ basic-tlv { all | port-description | system-capability |
system-description | system-name | management-address-tlv [ ipv6 ]
[ ip-address ] } | dot1-tlv { all | link-aggregation } | dot3-tlv { all |
link-aggregation } }
By default:
− The nearest non-TPMR bridge agent does not advertise any TLVs.
− The nearest customer bridge agent advertises all supported basic management TLVs
and link aggregation TLVs in the IEEE 802.1 organizationally specific TLV set.
 In management Ethernet interface view:
lldp tlv-enable { basic-tlv { all | port-description |
system-capability | system-description | system-name |
management-address-tlv [ ipv6 ] [ ip-address ] } | dot1-tlv { all |
link-aggregation } | dot3-tlv { all | link-aggregation | mac-physic |
max-frame-size | power | eee } | med-tlv { all | capability | inventory

324
 | power-over-ethernet | location-id { civic-address device-type
country-code { ca-type ca-value }&<1-10> | elin-address
tel-number } } }
By default, the nearest bridge agent advertises the following TLVs:
− All supported basic management TLVs.
− Link aggregation TLVs in the 802.1 organizationally specific TLV set.
− All supported 802.3 organizationally specific TLVs.
− All supported LLDP-MED TLVs except the network policy TLVs.
lldp agent { nearest-nontpmr | nearest-customer } tlv-enable
{ basic-tlv { all | port-description | system-capability |
system-description | system-name | management-address-tlv [ ipv6 ]
[ ip-address ] } | dot1-tlv { all | link-aggregation } | dot3-tlv { all |
link-aggregation } }
By default:
− The nearest non-TPMR bridge agent does not advertise anyTLVs.
− The nearest customer bridge agent advertises all supported basic management TLVs
and link aggregation TLVs in the IEEE 802.1 organizationally specific TLV set.
 In Layer 2 aggregate interface view:
lldp tlv-enable dot1-tlv { protocol-vlan-id [ vlan-id ] | vlan-name
[ vlan-id ] | management-vid [ mvlan-id ]
lldp agent nearest-nontpmr tlv-enable { basic-tlv { all |
management-address-tlv [ ipv6 ] [ ip-address ] | port-description |
system-capability | system-description | system-name } | dot1-tlv
{ all | port-vlan-id } }
By default, the nearest non-TPMR bridge agent does not advertise any TLVs.
lldp agent nearest-customer tlv-enable { basic-tlv { all |
management-address-tlv [ ipv6 ] [ ip-address ] | port-description |
system-capability | system-description | system-name } | dot1-tlv
{ all | port-vlan-id } }
By default, the nearest customer bridge agent advertises all supported basic management
TLVs and Port VLAN ID TLVs in the IEEE 802.1 organizationally specific TLV set.
The nearest bridge agent is not supported.
 In Layer 3 aggregate interface view:
lldp agent { nearest-customer | nearest-nontpmr } tlv-enable
basic-tlv { all | management-address-tlv [ ipv6 ] [ ip-address ] |
port-description | system-capability | system-description |
system-name }
By default:
− The nearest non-TPMR bridge agent does not advertise any TLVs.
− The nearest customer bridge agent advertises all supported basic management TLVs.
The nearest bridge agent is not supported.
 In IRF physical interface view:
lldp tlv-enable basic-tlv { port-description | system-capability
| system-description | system-name }
By default, the nearest bridge agent advertises all supported basic management TLVs.
Only the nearest bridge agent is supported.

325
Configuring advertisement of the management
address TLV
About this task
LLDP encodes management addresses in numeric or string format in management address TLVs.
If a neighbor encodes its management address in string format, set the encoding format of the
management address to string on the connecting port. This guarantees normal communication
with the neighbor.
You can configure advertisement of the management address TLV globally or on a per-interface
basis. The device selects the management address TLV advertisement setting for an interface in the
following order:
1. Interface-based setting, configured by using the lldp tlv-enable command with the
management-address-tlv keyword.
2. Global setting, configured by using the lldp global tlv-enable basic-tlv
management-address-tlv command.
3. Default setting for the interface.
By default:
 The nearest bridge agent and nearest customer bridge agent advertise the management
address TLV.
 The nearest non-TPMR bridge agent does not advertise the management address TLV.
Procedure
1. Enter system view.
system-view
2. Enable advertisement of the management address TLV globally and set the management
address to be advertised.
lldp [ agent { nearest-customer | nearest-nontpmr } ] global tlv-enable
basic-tlv management-address-tlv [ ipv6 ] { ip-address | interface
loopback interface-number | interface m-gigabitethernet
interface-number | interface vlan-interface interface-number }
By default, advertisement of the management address TLV is disabled globally.
3. Enter interface view.
interface interface-type interface-number
4. Enable advertisement of the management address TLV on the interface and set the
management address to be advertised.
 In Layer 2 Ethernet interface view or management Ethernet interface view:
lldp tlv-enable basic-tlv management-address-tlv [ ipv6 ]
[ ip-address | interface loopback interface-number ]
lldp agent { nearest-customer | nearest-nontpmr } tlv-enable
basic-tlv management-address-tlv [ ipv6 ] [ ip-address ]
 In Layer 3 Ethernet interface view:
lldp [ agent { nearest-customer | nearest-nontpmr } ] tlv-enable
basic-tlv management-address-tlv [ ipv6 ] [ ip-address ] | interface
loopback interface-number ]
 In Layer 2/Layer 3 aggregate interface view:
lldp agent { nearest-customer | nearest-nontpmr } tlv-enable
basic-tlv management-address-tlv [ ipv6 ] [ ip-address ]

326
 By default:
 The nearest bridge agent and nearest customer bridge agent advertise the management
address TLVs.
 The nearest non-TPMR bridge agent does not advertise the management address TLV.
5. Set the encoding format of the management address to string.
 In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view:
lldp [ agent { nearest-customer | nearest-nontpmr } ]
management-address-format string
 In Layer 2/Layer 3 aggregate interface view:
lldp agent { nearest-customer | nearest-nontpmr }
management-address-format string
The default management address encoding format is numeric.
The device supports only the numeric encoding format for IPv6 management addresses.

Setting the encapsulation format for LLDP frames

About this task
Earlier versions of LLDP require the same encapsulation format on both ends to process LLDP
frames. To successfully communicate with a neighboring device running an earlier version of LLDP,
the local device must be set with the same encapsulation format.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Set the encapsulation format for LLDP frames to SNAP.
 In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view:
lldp [ agent { nearest-customer | nearest-nontpmr } ] encapsulation
snap
 In Layer 2/Layer 3 aggregate interface view:
lldp agent { nearest-customer | nearest-nontpmr } encapsulation
snap
 In IRF physical interface view:
lldp encapsulation snap
By default, the Ethernet II encapsulation format is used.

Setting LLDP frame transmission parameters

About this task
The Time to Live TLV carried in an LLDPDU determines how long the device information carried in
the LLDPDU can be saved on a recipient device.
By setting the TTL multiplier, you can configure the TTL of locally sent LLDPDUs. The TTL is
expressed by using the following formula:
TTL = Min (65535, (TTL multiplier × LLDP frame transmission interval + 1))

327
 As the expression shows, the TTL can be up to 65535 seconds. TTLs greater than 65535 will be
rounded down to 65535 seconds.
Procedure
1. Enter system view.
system-view
2. Set the TTL multiplier.
lldp hold-multiplier value
The default setting is 4.
3. Set the LLDP frame transmission interval.
lldp timer tx-interval interval
The default setting is 30 seconds.
4. Set the token bucket size for sending LLDP frames.
lldp max-credit credit-value
The default setting is 5.
5. Set the number of LLDP frames sent each time fast LLDP frame transmission is triggered.
lldp fast-count count
The default setting is 4.
6. Set the fast LLDP frame transmission interval.
lldp timer fast-interval interval
The default setting is 1 second.

Setting the timeout for receiving LLDP frames

About this task
This feature allows the device to detect the presence of directly connected neighbors by setting the
timeout timer for receiving LLDP frames. If an interface has not received any frames when the
timeout timer expires, the device reports a no LLDP neighbor event to the NETCONF module.
Restrictions and guidelines
To avoid misdetection, make sure the timeout for receiving LLDP frames is greater than the LLDP
frame transmission interval.
Procedure
1. Enter system view.
system-view
2. Set the timeout for receiving LLDP frames.
lldp timer rx-timeout timeout
By default, no timeout is set for receiving LLDP frames, and the device does not report no LLDP
neighbor events.

Enabling LLDP polling

About this task
With LLDP polling enabled, a device periodically searches for local configuration changes. When the
device detects a configuration change, it sends LLDP frames to inform neighboring devices of the
change.

328
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable LLDP polling and set the polling interval.
 In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view:
lldp [ agent { nearest-customer | nearest-nontpmr } ]
check-change-interval interval
 In Layer 2/Layer 3 aggregate interface view:
lldp agent { nearest-customer | nearest-nontpmr }
check-change-interval interval
 In IRF physical interface view:
lldp check-change-interval interval
By default, LLDP polling is disabled.

Disabling LLDP PVID inconsistency check

About this task
By default, when the system receives an LLDP packet, it compares the PVID value contained in the
packet with the PVID configured on the receiving interface. If the two PVIDs do not match, a log
message will be printed to notify the user.
You can disable PVID inconsistency check if different PVIDs are required on a link.
Procedure
1. Enter system view.
system-view
2. Disable LLDP PVID inconsistency check.
lldp ignore-pvid-inconsistency
By default, LLDP PVID inconsistency check is enabled.

Configuring CDP compatibility

About this task
To enable your device to exchange information with a directly connected Cisco device that supports
only CDP, you must enable CDP compatibility.
CDP compatibility enables your device to receive and recognize CDP packets from the neighboring
CDP device and send CDP packets to the neighboring device. The CDP packets sent to the
neighboring CDP device carry the following information:
• Device ID.
• ID of the port connecting to the neighboring device.
• Port IP address.
• TTL.
The port IP address is the primary IP address of a VLAN interface in up state. The VLAN ID of the
VLAN interface must be the lowest among the VLANs permitted on the port. If no VLAN interfaces of

329
 the permitted VLANs are assigned an IP address or all VLAN interfaces are down, no port IP address
will be advertised.
You can view the neighboring CDP device information that can be recognized by the device in the
output of the display lldp neighbor-information command. For more information about
the display lldp neighbor-information command, see LLDP commands in Layer 2—LAN
Switching Command Reference.
To make your device work with Cisco IP phones, you must enable CDP compatibility.
If your LLDP-enabled device cannot recognize CDP packets, it does not respond to the requests of
Cisco IP phones for the voice VLAN ID configured on the device. As a result, a requesting Cisco IP
phone sends voice traffic without any tag to your device. Your device cannot differentiate the voice
traffic from other types of traffic.
CDP compatibility enables your device to receive and recognize CDP packets from a Cisco IP phone
and respond with CDP packets carrying TLVs with the configured voice VLAN. If no voice VLAN is
configured for CDP packets, CDP packets carry the voice VLAN of the port or the voice VLAN
assigned by the RADIUS server. The assigned voice VLAN has a higher priority. According to TLVs
with the voice VLAN configuration, the IP phone automatically configures the voice VLAN. As a result,
the voice traffic is confined in the configured voice VLAN and is differentiated from other types of
traffic.
For more information about voice VLANs, see "Configuring voice VLANs."
When the device is connected to a Cisco IP phone that has a host attached to its data port, the host
must access the network through the Cisco IP phone. If the data port goes down, the IP phone will
send a CDP packet to the device so the device can log out the user.
CDP-compatible LLDP operates in one of the following modes:
• TxRx—CDP packets can be transmitted and received.
• Rx—CDP packets can be received but cannot be transmitted.
• Disable—CDP packets cannot be transmitted or received.
Restrictions and guidelines
When you configure CDP compatibility for LLDP, follow these restrictions and guidelines:
• To make CDP-compatible LLDP take effect on a port, follow these steps:
a. Enable CDP-compatible LLDP globally.
b. Configure CDP-compatible LLDP to operate in TxRx mode on the port.
• The maximum TTL value that CDP allows is 255 seconds. To make CDP-compatible LLDP
work correctly with Cisco IP phones, configure the LLDP frame transmission interval to be no
more than 1/3 of the TTL value.
Prerequisites
Before you configure CDP compatibility, complete the following tasks:
• Globally enable LLDP.
• Enable LLDP on the port connecting to a CDP device.
• Configure LLDP to operate in TxRx mode on the port.
Procedure
1. Enter system view.
system-view
2. Enable CDP compatibility globally.
lldp compliance cdp
By default, CDP compatibility is disabled globally.
3. Enter Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view.

330
 interface interface-type interface-number
4. Configure CDP-compatible LLDP to operate in TxRx mode.
lldp compliance admin-status cdp txrx
By default, CDP-compatible LLDP operates in disable mode.
5. Set the voice VLAN ID carried in CDP packets.
cdp voice-vlan vlan-id
By default, no voice VLAN ID is configured to be carried in CDP packets.

Configuring LLDP trapping and LLDP-MED

trapping
About this task
LLDP trapping or LLDP-MED trapping notifies the network management system of events such as
newly detected neighboring devices and link failures.
To prevent excessive LLDP traps from being sent when the topology is unstable, set a trap
transmission interval for LLDP.
Procedure
1. Enter system view.
system-view
2. Enter interface view.
interface interface-type interface-number
3. Enable LLDP trapping.
 In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view:
lldp [ agent { nearest-customer | nearest-nontpmr } ] notification
remote-change enable
 In Layer 2/Layer 3 aggregate interface view:
lldp agent { nearest-customer | nearest-nontpmr } notification
remote-change enable
 In IRF physical interface view:
lldp notification remote-change enable
By default, LLDP trapping is disabled.
4. (In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view.) Enable
LLDP-MED trapping.
lldp notification med-topology-change enable
By default, LLDP-MED trapping is disabled.
5. Return to system view.
quit
6. (Optional.) Set the LLDP trap transmission interval.
lldp timer notification-interval interval
The default setting is 30 seconds.

331
Configuring MAC address borrowing
Setting the source MAC address of LLDP frames
About this task
This feature must be configured with generation of ARP or ND entries for received management
address TLVs to meet the following requirements:
• The source MAC address of outgoing LLDP frames is the MAC address of a VLAN interface
instead of the MAC address of the egress interface.
• The neighbor device can generate correct ARP or ND entries for the local device.
In Layer 2 Ethernet interface view, this feature sets the source MAC address of outgoing LLDP
frames to the MAC address of a VLAN interface to which the specified VLAN ID belongs. The source
MAC address of outgoing LLDP frames is the MAC address of the Layer 2 Ethernet interface in the
following situations:
• The specified VLAN or the corresponding VLAN interface does not exist.
• The VLAN interface to which the VLAN ID belongs is physically down.
In Layer 3 Ethernet interface view, the MAC address of the Layer 3 Ethernet interface is always used
as the source MAC address of outgoing LLDP frames.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 or Layer 3 Ethernet interface view.
interface interface-type interface-number
3. Set the source MAC address of LLDP frames to the MAC address of a VLAN interface.
lldp source-mac vlan vlan-id
By default, the source MAC address of LLDP frames is the MAC address of the egress
interface.

Enabling generation of ARP or ND entries for received

management address TLVs
About this task
This feature enables the device to generate an ARP or ND entry after receiving an LLDP frame
containing a management address TLV on an interface. The ARP or ND entry maps the advertised
management address to the source MAC address of the frame.
You can enable generation of both ARP and ND entries on an interface. If the management address
TLV contains an IPv4 address, the device generates an ARP entry. If the management address TLV
contains an IPv6 address, the device generates an ND entry.
In Layer 2 Ethernet interface view, this feature sets the Layer 2 Ethernet interface to the output
interface in the generated entries. The VLAN to which the entries belong is the VLAN specified by
this feature. The device cannot generate ARP or ND entries in one of the following situations:
• The specified VLAN or the corresponding VLAN interface does not exist.
• The VLAN interface to which the VLAN ID belongs is physically down.
In Layer 3 Ethernet interface view, the Layer 3 Ethernet interface is always recorded as the output
interface.

332
Restrictions and guidelines
In Layer 2 Ethernet interface view, you must configure the interface to use the MAC address of a
VLAN interface instead of its own MAC address as the source MAC address of LLDP frames. This
ensures that the neighbor NE can generate correct ARP or ND entries.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 or Layer 3 Ethernet interface view.
interface interface-type interface-number
3. Enable generation of ARP or ND entries for management address TLVs received on the
interface.
 In Layer 2 Ethernet interface view:
lldp management-address { arp-learning | nd-learning } vlan vlan-id
 In Layer 3 Ethernet interface view:
lldp management-address { arp-learning | nd-learning } [ vlan
vlan-id ]
By default, generation of ARP or ND entries for received management address TLVs is
disabled on an interface.
In Layer 2 Ethernet interface view, the vlan vlan-id option specifies the ID of the VLAN to
which the generated ARP or ND entry belongs. To prevent the ARP or ND entries from
overwriting each other, do not specify the same VLAN ID for different Layer 2 Ethernet
interfaces.
You can enable generation of both ARP and ND entries on an interface.

Display and maintenance commands for LLDP

Execute display commands in any view.

Task Command
Display local LLDP display lldp local-information [ global | interface
information. interface-type interface-number ]
display lldp neighbor-information [ [ [ interface
Display the information interface-type interface-number ] [ agent
contained in the LLDP
{ nearest-bridge | nearest-customer |
TLVs sent from
neighboring devices. nearest-nontpmr } ] [ verbose ] ] | list [ system-name
system-name ] ]
display lldp statistics [ global | [ interface
interface-type interface-number ] [ agent
Display LLDP statistics.
{ nearest-bridge | nearest-customer |
nearest-nontpmr } ] ]
display lldp status [ interface interface-type
Display LLDP status of a
interface-number ] [ agent { nearest-bridge |
port.
nearest-customer | nearest-nontpmr } ]

Display types of display lldp tlv-config [ interface interface-type

advertisable optional LLDP interface-number ] [ agent { nearest-bridge |
TLVs. nearest-customer | nearest-nontpmr } ]

333
 Task Command
reset lldp statistics [ interface interface-type
Clear LLDP statistics on
ports.
interface number ] [ agent { nearest-bridge |
nearest-customer | nearest-nontpmr } ]

LLDP configuration examples

Example: Configuring basic LLDP functions
Network configuration
As shown in Figure 103, enable LLDP globally on Switch A and Switch B to perform the following
tasks:
• Monitor the link between Switch A and Switch B on the NMS.
• Monitor the link between Switch A and the MED device on the NMS.
Figure 103 Network diagram

MED

GE1/0/1
NMS
GE1/0/2 GE1/0/1

Switch A Switch B

Procedure
1. Configure Switch A:
# Enable LLDP globally.
<SwitchA> system-view
[SwitchA] lldp global enable
# Enable LLDP on GigabitEthernet 1/0/1. By default, LLDP is enabled on ports.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] lldp enable
# Set the LLDP operating mode to Rx on GigabitEthernet 1/0/1.
[SwitchA-GigabitEthernet1/0/1] lldp admin-status rx
[SwitchA-GigabitEthernet1/0/1] quit
# Enable LLDP on GigabitEthernet 1/0/2. By default, LLDP is enabled on ports.
[SwitchA] interface gigabitethernet1/2
[SwitchA-GigabitEthernet1/0/2] lldp enable
# Set the LLDP operating mode to Rx on GigabitEthernet 1/0/2.
[SwitchA-GigabitEthernet1/0/2] lldp admin-status rx
[SwitchA-GigabitEthernet1/0/2] quit
2. Configure Switch B:
# Enable LLDP globally.
<SwitchB> system-view

334
 [SwitchB] lldp global enable
# Enable LLDP on GigabitEthernet 1/0/1. By default, LLDP is enabled on ports.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] lldp enable
# Set the LLDP operating mode to Tx on GigabitEthernet 1/0/1.
[SwitchB-GigabitEthernet1/0/1] lldp admin-status tx
[SwitchB-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify the following items:
• GigabitEthernet 1/0/1 of Switch A connects to a MED device.
• GigabitEthernet 1/0/2 of Switch A connects to a non-MED device.
• Both ports operate in Rx mode, and they can receive LLDP frames but cannot send LLDP
frames.
[SwitchA] display lldp status
Global status of LLDP: Enable
Bridge mode of LLDP: customer-bridge
The current number of LLDP neighbors: 2
The current number of CDP neighbors: 0
LLDP neighbor information last changed time: 0 days, 0 hours, 4 minutes, 40 seconds
Transmit interval : 30s
Fast transmit interval : 1s
Transmit credit max : 5
Hold multiplier : 4
Reinit delay : 2s
Trap interval : 30s
Fast start times : 4

LLDP status information of port 1 [GigabitEthernet1/0/1]:

LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 1
Number of MED neighbors : 1
Number of CDP neighbors : 0
Number of sent optional TLV : 21
Number of received unknown TLV : 0

LLDP agent nearest-customer:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0

335
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 16
Number of received unknown TLV : 0

LLDP status information of port 2 [GigabitEthernet1/0/2]:

LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 1
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 21
Number of received unknown TLV : 3

LLDP agent nearest-nontpmr:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 1
Number of received unknown TLV : 0

LLDP agent nearest-customer:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 16
Number of received unknown TLV : 0

# Remove the link between Switch A and Switch B.

# Verify that GigabitEthernet 1/0/2 of Switch A does not connect to any neighboring devices.
[SwitchA] display lldp status
Global status of LLDP: Enable
The current number of LLDP neighbors: 1
The current number of CDP neighbors: 0
LLDP neighbor information last changed time: 0 days, 0 hours, 5 minutes, 20 seconds

336
Transmit interval : 30s
Fast transmit interval : 1s
Transmit credit max : 5
Hold multiplier : 4
Reinit delay : 2s
Trap interval : 30s
Fast start times : 4

LLDP status information of port 1 [GigabitEthernet1/0/1]:

LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 1
Number of MED neighbors : 1
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 5

LLDP agent nearest-nontpmr:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 1
Number of received unknown TLV : 0

LLDP status information of port 2 [GigabitEthernet1/0/2]:

LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 0

LLDP agent nearest-nontpmr:

Port status of LLDP : Enable

337
 Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 1
Number of received unknown TLV : 0

LLDP agent nearest-customer:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 16
Number of received unknown TLV : 0

Example: Configuring CDP-compatible LLDP

Network configuration
As shown in Figure 104, GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 of Switch A are each
connected to a Cisco IP phone, which sends tagged voice traffic.
Configure voice VLAN 2 on Switch A. Enable CDP compatibility of LLDP on Switch A to allow the
Cisco IP phones to automatically configure the voice VLAN. The voice VLAN feature performs the
following operations:
• Confines the voice traffic to the voice VLAN.
• Isolates the voice traffic from other types of traffic.
Figure 104 Network diagram
GE1/0/1 GE1/0/2

Cisco IP phone 1 Switch A Cisco IP phone 2

Procedure
1. Configure a voice VLAN on Switch A:
# Create VLAN 2.
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] quit
# Set the link type of GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to trunk, and enable voice
VLAN on them.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk

338
 [SwitchA-GigabitEthernet1/0/1] voice-vlan 2 enable
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] voice-vlan 2 enable
[SwitchA-GigabitEthernet1/0/2] quit
2. Configure CDP-compatible LLDP on Switch A:
# Enable LLDP globally, and enable CDP compatibility globally.
[SwitchA] lldp global enable
[SwitchA] lldp compliance cdp
# Enable LLDP on GigabitEthernet 1/0/1. By default, LLDP is enabled on ports.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] lldp enable
# Configure LLDP to operate in TxRx mode on GigabitEthernet 1/0/1.
[SwitchA-GigabitEthernet1/0/1] lldp admin-status txrx
# Configure CDP-compatible LLDP to operate in TxRx mode on GigabitEthernet 1/0/1.
[SwitchA-GigabitEthernet1/0/1] lldp compliance admin-status cdp txrx
[SwitchA-GigabitEthernet1/0/1] quit
# Enable LLDP on GigabitEthernet 1/0/2. By default, LLDP is enabled on ports.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] lldp enable
# Configure LLDP to operate in TxRx mode on GigabitEthernet 1/0/2.
[SwitchA-GigabitEthernet1/0/2] lldp admin-status txrx
# Configure CDP-compatible LLDP to operate in TxRx mode on GigabitEthernet 1/0/2.
[SwitchA-GigabitEthernet1/0/2] lldp compliance admin-status cdp txrx
[SwitchA-GigabitEthernet1/0/2] quit

Verifying the configuration

# Verify that Switch A has completed the following operations:
• Discovering the IP phones connected to GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
• Obtaining IP phone information.
[SwitchA] display lldp neighbor-information

CDP neighbor-information of port 1[GigabitEthernet1/0/1]:

LLDP agent nearest-bridge:
CDP neighbor index : 1
Chassis ID : SEP00141CBCDBFE
Port ID : Port 1

CDP neighbor-information of port 2[GigabitEthernet1/0/2]:

LLDP agent nearest-bridge:
CDP neighbor index : 2
Chassis ID : SEP00141CBCDBFF
Port ID : Port 1

339
Configuring L2PT
About L2PT
Layer 2 Protocol Tunneling (L2PT) can transparently send Layer 2 protocol packets from
geographically dispersed customer networks across a service provider network or drop them.

L2PT application scenario

Dedicated lines are used in a service provider network to build user-specific Layer 2 networks. As a
result, a customer network contains sites located at different sides of the service provider network.
As shown in Figure 105, Customer A's network is divided into network 1 and network 2, which are
connected by the service provider network. For Customer A's network to implement Layer 2 protocol
calculations, the Layer 2 protocol packets must be transmitted across the service provider network.
Upon receiving a Layer 2 protocol packet, the PEs cannot determine whether the packet is from the
customer network or the service provider network. They must deliver the packet to the CPU for
processing. In this case, the Layer 2 protocol calculation in Customer A's network is mixed with the
Layer 2 protocol calculation in the service provider network. Neither the customer network nor the
service provider network can implement independent Layer 2 protocol calculations.
Figure 105 L2PT application scenario

PE 1 PE 2

ISP network

CE 1 CE 2

Customer A Customer A
network 1 network 2
VLAN 100 VLAN 100

L2PT is introduced to resolve the problem. L2PT provides the following functions:
• Multicasts Layer 2 protocol packets from a customer network in a VLAN. Dispersed customer
networks can complete an independent Layer 2 protocol calculation, which is transparent to the
service provider network.
• Isolates Layer 2 protocol packets from different customer networks through different VLANs.

Supported protocols
HPE devices support L2PT for the following protocols:
• CDP.
• DLDP.
• EOAM.
• GVRP.
• LACP.

340
 • LLDP.
• MVRP.
• PAgP.
• PVST.
• STP (including STP, RSTP, and MSTP).
• UDLD.
• VTP.

L2PT operating mechanism

As shown in Figure 106, L2PT operates as follows:
• When a port of PE 1 receives a Layer 2 protocol packet from the customer network in a VLAN,
it performs the following operations:
 Multicasts the packet out of all customer-facing ports in the VLAN except the receiving port.
 Encapsulates the packet with a specified destination multicast address, and multicasts it out
of all ISP-facing ports in the VLAN. The encapsulated packet is called the BPDU tunneled
packet.
• When a port of PE 2 in the VLAN receives the tunneled packet from the service provider
network, it performs the following operations:
 Multicasts the packet out of all ISP-facing ports in the VLAN except the receiving port.
 Decapsulates the packet and multicasts the decapsulated packet out of all customer-facing
ports in the VLAN.
Figure 106 L2PT operating mechanism

Customer Customer
Service provider network
network network

Layer 2 protocol packets

from customer networks
PE 1 PE 2
Tunneled packets

For example, as shown in Figure 107, PE 1 receives an STP packet (BPDU) from network 1 to
network 2. CEs are the edge devices on the customer network, and PEs are the edge devices on the
service provider network. L2PT processes the packet as follows:
1. PE 1 performs the following operations:
a. Encapsulates the packet with a specified destination multicast MAC address
(010f-e200-0003 by default).
b. Sends the tunneled packet out of all ISP-facing ports in the packet's VLAN.
2. Upon receiving the tunneled packet, PE 2 decapsulates the packet and sends the BPDU to CE
2.
Through L2PT, both the ISP network and Customer A's network can perform independent spanning
tree calculations.

341
 Figure 107 L2PT network diagram

PE 1 ISP network PE 2

BPDU tunnel

CE 1 CE 2

Customer A Customer A
network 1 network 2

L2PT tasks at a glance

To configure L2PT, perform the following tasks:
1. Enabling L2PT
This feature is applicable only to customer-facing ports.
2. (Optional.) Setting the destination multicast MAC address for tunneled packets

Enabling L2PT
Restrictions and guidelines for L2PT
• To enable L2PT for a Layer 2 protocol on a port, perform the following tasks:
 Enable the protocol on the connected CE, and disable the protocol on the port.
 When a PE establishes a connection to a network device within the service provider
network through CDP, you must enable CDP compatibility for LLDP on the PE. CDP
compatibility for LLDP can be enabled only globally, and cannot be disabled separately on
customer-facing interfaces. As a result, the CDP packets from the CE cannot be
transparently transmitted within the service provider network. In this case, as a best practice,
do not enable L2PT for CDP on the PE. For L2PT to take effect on CDP on the PE, you must
disable CDP compatibility for LLDP globally on the PE, which will cause the PE to fail to
communicate with the network devices within the service provider network through CDP.
Before you disable CDP compatibility for LLDP on the PE, make sure you know its influence
on the network. For more information about CDP compatibility of LLDP, see "Configuring
LLDP."
 Disable the protocol (for example, STP) on the PE ports connecting to an aggregate
interface on a CE when the following conditions exist:
− The protocol is running on the aggregate interface on the CE.
− The aggregate interface on the CE connects to an L2PT-enabled port on the PE.
 Enable L2PT on PE ports connected to a customer network. If you enable L2PT on ports
connected to the service provider network, L2PT determines that the ports are connected to
a customer network.
 Make sure the VLAN tags of Layer 2 protocol packets are not changed or deleted for the
tunneled packets to be transmitted correctly across the service provider network.
• L2PT for LLDP supports LLDP packets from only nearest bridge agents.
• You can enable L2PT on a member port of a Layer 2 aggregation group, but the configuration
does not take effect.

342
Enabling L2PT for a protocol in Layer 2 Ethernet interface
view
Restrictions and guidelines
LACP and EOAM require point-to-point transmission. If you enable L2PT on a Layer 2 Ethernet
interface for LACP or EOAM, L2PT multicasts LACP or EOAM packets out of customer-facing ports.
As a result, the transmission between two CEs is not point-to-point. To ensure point-to-point
transmission for the LACP or EOAM packets, you must configure other features (for example,
VLAN).
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Enable L2PT for a protocol.
l2protocol { cdp | dldp | eoam | gvrp | lacp | lldp | mvrp | pagp | pvst | stp
| udld | vtp } tunnel dot1q
By default, L2PT is disabled for all protocols.

Enabling L2PT for a protocol in Layer 2 aggregate interface

view
1. Enter system view.
system-view
2. Enter Layer 2 aggregate interface view.
interface bridge-aggregation interface-type interface-number
3. Enable L2PT for a protocol.
l2protocol { cdp | gvrp | lacp | lldp | mvrp | pagp | pvst | stp | udld |
vtp } tunnel dot1q
By default, L2PT is disabled for all protocols.

Setting the destination multicast MAC address for

tunneled packets
About this task
The available multicast MAC addresses are 010f-e200-0003, 0100-0ccd-cdd0, 0100-0ccd-cdd1, and
0100-0ccd-cdd2.
Restrictions and guidelines
For tunneled packets to be recognized, set the same destination multicast MAC addresses on PEs
that are connected to the same customer network.
As a best practice, set different destination multicast MAC addresses on PEs connected to different
customer networks. It prevents L2PT from sending packets of a customer network to another
customer network.

343
Procedure
1. Enter system view.
system-view
2. Set the destination multicast MAC address for tunneled packets.
l2protocol tunnel-dmac mac-address
By default, 010f-e200-0003 is used for tunneled packets.

Display and maintenance commands for L2PT

Execute display commands in any view and reset commands in user view.

Task Command
display l2protocol statistics [ interface
Display L2PT statistics.
interface-type interface-number ]
reset l2protocol statistics [ interface
Clear L2PT statistics.
interface-type interface-number ]

L2PT configuration examples

Example: Configuring L2PT for STP
Network configuration
As shown in Figure 108, the MAC addresses of CE 1 and CE 2 are 00e0-fc02-5800 and
00e0-fc02-5802, respectively. MSTP is enabled in Customer A's network, and default MSTP settings
are used.
Perform the following tasks on the PEs:
• Configure the ports that connect to CEs as access ports, and configure the ports in the service
provider network as trunk ports. Configure ports in the service provider network to allow packets
from any VLAN to pass.
• Enable L2PT for STP to enable Customer A's network to implement independent spanning tree
calculation across the service provider network.
• Set the destination multicast MAC address to 0100-0ccd-cdd0 for tunneled packets.
Figure 108 Network diagram

PE 1 PE 2
ISP network
BPDU tunnel
GE1/0/1 GE1/0/1
VLAN 2 VLAN 2

CE 1 CE 2

Customer A Customer A
network 1 network 2

344
Procedure
1. Configure PE 1:
# Set the destination multicast address to 0100-0ccd-cdd0 for tunneled packets.
<PE1> system-view
[PE1] l2protocol tunnel-dmac 0100-0ccd-cdd0
# Create VLAN 2.
[PE1] vlan 2
[PE1-vlan2] quit
# Configure GigabitEthernet 1/0/1 as an access port and assign the port to VLAN 2.
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port access vlan 2
# Disable STP and enable L2PT for STP on GigabitEthernet 1/0/1.
[PE1-GigabitEthernet1/0/1] undo stp enable
[PE1-GigabitEthernet1/0/1] l2protocol stp tunnel dot1q
[PE1-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 connected to the service provider network as a trunk port,
and assign the port to all VLANs.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type trunk
[PE1-GigabitEthernet1/0/2] port trunk permit vlan all
[PE1-GigabitEthernet1/0/2] quit
2. Configure PE 2 in the same way PE 1 is configured. (Details not shown.)
Verifying the configuration
# Verify that the root bridge of Customer A's network is CE 1.
<CE2> display stp root
MST ID Root Bridge ID ExtPathCost IntPathCost Root Port
0 32768.00e0-fc02-5800 0 0

# Verify that the root bridge of the service provider network is not CE 1.
[PE1] display stp root
MST ID Root Bridge ID ExtPathCost IntPathCost Root Port
0 32768.0cda-41c5-ba50 0 0

Example: Configuring L2PT for LACP

Network configuration
As shown in Figure 109, the MAC addresses of CE 1 and CE 2 are 0001-0000-0000 and
0004-0000-0000, respectively.
Perform the following tasks:
• Configure Ethernet link aggregation on CE 1 and CE 2.
• Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 on CE 1 to form aggregate links with
GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 on CE 2, respectively.
• Enable L2PT for LACP to enable CE 1 and CE 2 to implement Ethernet link aggregation across
the service provider network.

345
 Figure 109 Network diagram

PE 1 PE 2
ISP network
GE1/0/1 BPDU tunnel
VLAN 2 GE1/0/1
VLAN 2
GE1/0/2 GE1/0/2
GE1/0/1 VLAN 3 VLAN 3 GE1/0/1

CE 1 GE1/0/2 GE1/0/2 CE 2

Customer A Customer A
network 1 network 2

Requirements analysis
To meet the network requirements, perform the following tasks:
• For Ethernet link aggregation to operate correctly, configure VLANs on the PEs to ensure
point-to-point transmission between CE 1 and CE 2 in an aggregation group.
 Set the PVIDs to VLAN 2 and VLAN 3 for GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2
on PE 1, respectively.
 Configure PE 2 in the same way PE 1 is configured.
 Configure ports that connect to the CEs as trunk ports.
• To retain the VLAN tag of the customer network, enable QinQ on GigabitEthernet 1/0/1 and
GigabitEthernet 1/0/2 on both PE 1 and PE 2.
• For packets from any VLAN to be transmitted, configure all ports in the service provider network
as trunk ports.
Procedure
1. Configure CE 1:
# Configure Layer 2 aggregation group Bridge-Aggregation 1 to operate in dynamic
aggregation mode.
<CE1> system-view
[CE1] interface bridge-aggregation 1
[CE1-Bridge-Aggregation1] port link-type access
[CE1-Bridge-Aggregation1] link-aggregation mode dynamic
[CE1-Bridge-Aggregation1] quit
# Assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to Bridge-Aggregation 1.
[CE1] interface gigabitethernet 1/0/1
[CE1-GigabitEthernet1/0/1] port link-aggregation group 1
[CE1-GigabitEthernet1/0/1] quit
[CE1] interface gigabitethernet 1/0/2
[CE1-GigabitEthernet1/0/2] port link-aggregation group 1
[CE1-GigabitEthernet1/0/2] quit
2. Configure CE 2 in the same way CE 1 is configured. (Details not shown.)
3. Configure PE 1:
# Create VLANs 2 and 3.
<PE1> system-view
[PE1] vlan 2
[PE1-vlan2] quit
[PE1] vlan 3

346
 [PE1-vlan3] quit
# Configure GigabitEthernet 1/0/1 as a trunk port, assign the port to VLAN 2, and set the PVID
to VLAN 2.
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-mode bridge
[PE1-GigabitEthernet1/0/1] port link-type trunk
[PE1-GigabitEthernet1/0/1] port trunk permit vlan 2
[PE1-GigabitEthernet1/0/1] port trunk pvid vlan 2
# Enable QinQ on GigabitEthernet 1/0/1.
[PE1-GigabitEthernet1/0/1] qinq enable
# Enable L2PT for LACP on GigabitEthernet 1/0/1.
[PE1-GigabitEthernet1/0/1] l2protocol lacp tunnel dot1q
[PE1-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, assign the port to VLAN 3, and set the PVID
to VLAN 3.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-mode bridge
[PE1-GigabitEthernet1/0/2] port link-type trunk
[PE1-GigabitEthernet1/0/2] port trunk permit vlan 3
[PE1-GigabitEthernet1/0/2] port trunk pvid vlan 3
# Enable QinQ on GigabitEthernet 1/0/2.
[PE1-GigabitEthernet1/0/2] qinq enable
# Enable L2PT for LACP on GigabitEthernet 1/0/2.
[PE1-GigabitEthernet1/0/2] l2protocol lacp tunnel dot1q
[PE1-GigabitEthernet1/0/2] quit
4. Configure PE 2 in the same way PE 1 is configured. (Details not shown.)
Verifying the configuration
# Verify that CE 1 and CE 2 have completed Ethernet link aggregation successfully.
[CE1] display link-aggregation member-port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

GigabitEthernet1/0/1:
Aggregate Interface: Bridge-Aggregation1
Local:
Port Number: 3
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Remote:
System ID: 0x8000, 0004-0000-0000
Port Number: 3
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Received LACP Packets: 23 packet(s)

347
Illegal: 0 packet(s)
Sent LACP Packets: 26 packet(s)

GigabitEthernet1/0/2:
Aggregate Interface: Bridge-Aggregation1
Local:
Port Number: 4
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Remote:
System ID: 0x8000, 0004-0000-0000
Port Number: 4
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Received LACP Packets: 10 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 13 packet(s)
[CE2] display link-aggregation member-port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

GigabitEthernet1/0/1:
Aggregate Interface: Bridge-Aggregation1
Local:
Port Number: 3
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Remote:
System ID: 0x8000, 0001-0000-0000
Port Number: 3
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Received LACP Packets: 23 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 26 packet(s)

GigabitEthernet1/0/2:
Aggregate Interface: Bridge-Aggregation1
Local:
Port Number: 4
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}

348
Remote:
System ID: 0x8000, 0001-0000-0000
Port Number: 4
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Received LACP Packets: 10 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 13 packet(s)

349
Configuring PPPoE relay
About PPPoE
Point-to-Point Protocol over Ethernet (PPPoE) extends PPP by transporting PPP frames
encapsulated in Ethernet over point-to-point links.
PPPoE specifies the methods for establishing PPPoE sessions and encapsulating PPP frames over
Ethernet. PPPoE requires a point-to-point relationship between peers instead of a point-to-multipoint
relationship as in multi-access environments such as Ethernet. PPPoE provides Internet access for
the hosts in an Ethernet through a remote access device and implement access control,
authentication, and accounting on a per-host basis. Integrating the low cost of Ethernet and
scalability and management functions of PPP, PPPoE gained popularity in various application
environments, such as residential access networks.
For more information about PPPoE, see RFC 2516.

PPPoE network structure

PPPoE uses the client/server model. The PPPoE client initiates a connection request to the PPPoE
server. After session negotiation between them is complete, a session is established between them,
and the PPPoE server provides access control, authentication, and accounting to the PPPoE client.
To granularly manage the PPPoE clients based on their location information, you can deploy a
PPPoE relay between the PPPoE clients and PPPoE server.
PPPoE network structures are classified into router-initiated and host-initiated network structures
depending on the starting point of the PPPoE session.
Router-initiated network structure
As shown in Figure 110, the PPPoE session is established between routers (Router A and Router B).
All hosts share one PPPoE session for data transmission without being installed with PPPoE client
software. This network structure is typically used by enterprises.

350
 Figure 110 Router-initiated network structure

Carrier device PPPoE relay PPPoE Server

Internet
Router B

Modem
Client device

Router A PPPoE Client

Host A Host B Host C

Host-initiated network structure

As shown in Figure 111, a PPPoE session is established between each host (PPPoE client) and the
carrier router (PPPoE server). The service provider assigns an account to each host for billing and
control. The host must be installed with PPPoE client software.
Figure 111 Host-initiated network structure

PPPoE Client

Host A PPPoE Server

PPPoE Relay

Internet
PPPoE Client

Host B

PPPoE relay fundamentals

The PPPoE relay controls protocol packet forwarding through monitoring the protocol packet
exchange between the PPPoE client and the PPPoE server. Figure 112 shows the detailed process.

351
Figure 112 PPPoE client access procedure in a PPPoE relay network

PPPoE Client PPPoE Relay PPPoE Server AAA Server

（1）PADI

（2）Insert Vendor-
Specific Tag

PADI

（4）PADO （3）PADO

（5）PADR

（6）Insert Vendor-
Specific Tag

PADR

（8）PADS （7）PADS

（9）LCP negotiation success

（10）Access Request

（11）Access Accept

（12）NCP negotiation

1. The PPPoE client broadcasts a PADI packet.

2. When receiving the PADI packet, the PPPoE relay adds the vendor-specific tag field to the
PADI packet and broadcasts the packet out of all trusted ports.
The vendor-specific tag in a PPPoE packet identifies the location information (for example, the
access port and VLANs) of a PPPoE client.
3. When receiving the PADI packets, the PPPoE server responds with a PADO packet to the
PPPoE client.
4. When receiving the PADO packet, the PPPoE relay forwards the packet to the PPPoE client.
5. When receiving the PADO packet, the PPPoE client unicasts a PADR packet to the PPPoE
server to apply for the PPPoE service.
6. When receiving the PADR packet, the PPPoE relay adds the vendor-specific tag to the packet
and searches for an outgoing interface based on the destination MAC address of the PADR
packet.
 If the outgoing interface is a trusted port, the PPPoE relay forwards the packet out of the
port.
 If the outgoing interface is an untrusted port, the PPPoE relay drops the PADR packet.
7. When receiving the PADR packet, the PPPoE server assigns a session ID to the PPPoE client
and binds the session ID to the vendor-specific tag. Then, the PPPoE server responds with a
PADS packet to the PPPoE client.
8. When receiving the PADS packet, the PPPoE relay forwards the packet to the PPPoE client.
9. When receiving the PADS packet, the PPPoE client starts the LCP negotiation and
authentication with the PPPoE server.
10. During the authentication phase, the PPPoE server will send the location information,
username, and password of the PPPoE client to the RADIUS server for authentication.
11. The RADIUS server compares the location information, username, and password saved in the
database with those of the PPPoE client. If they match, the PPPoE client passes the
authentication.

352
 12. After the PPPoE client passes authentication, the PPPoE client starts NCP negotiation with the
PPPoE server. After the NCP negotiation succeeds, the PPPoE client successfully comes
online.

Protocols and standards

RFC 2516: A Method for Transmitting PPP Over Ethernet (PPPoE)

Restrictions and guidelines for PPPoE

The device can act as a PPPoE relay and cannot act as a PPPoE server or PPPoE client.
The PPPoE relay supports the following interface views:
• Layer 2 Ethernet interface view
• Layer 2 aggregate interface view

Configuring the PPPoE relay

PPPoE relay tasks at a glance
To configure the PPPoE relay, perform the following tasks:
1. Enabling the PPPoE relay function
2. Configuring PPPoE relay trusted ports
3. (Optional.) Enabling an interface to strip the vendor-specific tags of the PPPoE server-side
packets
4. (Optional.) Configuring the circuit ID and remote ID padding formats for the client-side PPPoE
packets on the PPPoE relay
5. (Optional.) Configuring the vendor-specific tag processing policy for the client-side PPPoE
packets on the PPPoE relay

Enabling the PPPoE relay function

About this task
For the PPPoE relay-related configurations to take effect, you must enable the PPPoE relay function.
Procedure
1. Enter system view.
system-view
2. Enable the PPPoE relay function.
pppoe-relay enable
By default, the PPPoE relay function is disabled.

Configuring PPPoE relay trusted ports

About this task
A PPPoE relay-enabled device processes PPPoE protocol packets as follows:
• When receiving PADI, PADR, and PADT on untrusted ports, the device can forward the packets
out of only the trusted ports.

353
 • When receiving PADO and PADS packets on untrusted ports, the device directly drops the
packets.
• When receiving PADO, PADS, and PADT packets on trusted ports, the device can forward the
packets out of any port.
• When receiving PADI and PADR packets on trusted ports, the device can forward the packets
out of only the trusted ports.
For a PPPoE relay to correctly forward and process PPPoE protocol packets, you must configure the
PPPoE server-facing interfaces on the PPPoE relay as trusted ports, and configure the PPPoE
client-facing interfaces on the PPPoE relay as untrusted ports.
Restrictions and guidelines
This command is not supported on Layer 2 aggregation group member ports. If a Layer 2 Ethernet
interface is configured with this command before joining a Layer 2 aggregation group, the command
is cleared on the member port after the member port joins the aggregation group.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Configure the interface as a PPPoE relay trusted port.
pppoe-relay trust
By default, an interface is not configured as a PPPoE relay trusted port.

Enabling an interface to strip the vendor-specific tags of the

PPPoE server-side packets
About this task
When the PPPoE relay receives PADO and PADS packets from the PPPoE server on a PPPoE relay
trusted port with this feature enabled, the PPPoE relay strips the vendor-specific tags of the packets
before forwarding the packets.
Restrictions and guidelines
This feature takes effect only on packets received on PPPoE relay trusted ports.
This command is not supported on Layer 2 aggregation group member ports. If a Layer 2 Ethernet
interface is configured with this command before joining a Layer 2 aggregation group, the command
is cleared on the member port after the member ports joins the aggregation group.
Procedure
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Enable the interface to strip the vendor-specific tags of the PPPoE server-side packets.
pppoe-relay server-information vendor-specific strip
By default, the function of stripping vendor-specific tags of the PPPoE server-side packets is
disabled.

354
Configuring the circuit ID and remote ID padding formats for
the client-side PPPoE packets on the PPPoE relay
About this task
When the PPPoE relay receives PPPoE packets from the PPPoE client, the PPPoE relay pads the
circuit ID and remote ID with the contents in the format configured by using this command.
Both the circuit ID and remote ID are of up to 63 characters. When the content to be padded exceeds
63 characters, the first 63 characters are padded.
Procedure
1. Enter system view.
system-view
2. Configure the circuit ID and remote ID padding formats for the client-side PPPoE packets on the
PPPoE relay.
pppoe-relay client-information format { circuit-id | remote-id }
{ ascii | hex | user-defined text }
By default, both the circuit ID padding format and the remote ID padding format for the
client-side PPPoE packets are the ASCII string format on the PPPoE relay.

Configuring the vendor-specific tag processing policy for the

client-side PPPoE packets on the PPPoE relay
About this task
When the PPPoE relay receives PADI or PADR packets, the PPPoE relay processes the packet
according to whether the packets carry the vendor-specific tag and the configured vendor-specific
tag processing policy. Then, the PPPoE relay sends the packets to the PPPoE server. Table 35
shows the detailed process.
Table 35 Vendor-specific tag processing policy on the PPPoE relay

Whether the
Vendor-specific
received packets
tag processing Processing for packets on the PPPoE relay
carry the
policy
vendor-specific tag
Strips the vendor-specific tag and then forwards the
Drop
packets.

The received packets Keeps the vendor-specific tag unchanged and forwards
Keep
carry vendor-specific the packets.
tag
Pads the vendor-specific tag in the configured format,
Replace replaces the original vendor-specific tag with the new
vendor-specific tag, and forwards the packets.

Drop Directly forwards the packets.

The received packets Keep Directly forwards the packets.
do not carry
vendor-specific tag Pads the vendor-specific tag in the configured format,
Replace adds the new vendor-specific tag to the packets, and
forwards the packets.

355
Restrictions and guidelines
This feature can be configured both in system view and in interface view. The configuration in system
view takes effect on all interfaces. The configuration in interface view takes effect only on the current
interface. The configuration in interface view takes precedence over the configuration in system
view.
The processing policy takes effect only on incoming packets of interfaces.
This command is not supported on Layer 2 aggregation group member ports. If a Layer 2 Ethernet
interface is configured with this command before joining a Layer 2 aggregation group, the command
is cleared on the member port after the member ports joins the aggregation group.
Configuring the global vendor-specific tag processing policy for the client-side PADI and
PADR packets on the PPPoE relay
1. Enter system view.
system-view
2. Configure the global vendor-specific tag processing policy for the client-side PADI and PADR
packets on the PPPoE relay.
pppoe-relay client-information strategy { drop | keep | replace }
By default, the global vendor-specific tag processing policy for the client-side PADI and PADR
packets on the PPPoE relay is replace.
Configuring an interface-level vendor-specific tag processing policy for the client-side PADI
and PADR packets on the PPPoE relay
1. Enter system view.
system-view
2. Enter Layer 2 Ethernet interface view.
interface interface-type interface-number
3. Configure the vendor-specific tag processing policy for the client-side PADI and PADR packets
for the interface on the PPPoE relay.
pppoe-relay client-information strategy { drop | keep | replace }
By default, no vendor-specific tag processing policy for the client-side PADI and PADR packets
is configured for an interface on the PPPoE relay.

Display and maintenance commands for PPPoE

relay
Execute display commands in any view and reset commands in user view.

Task Command
Display the vendor-specific tag
processing configuration for display pppoe-relay client-information
client-side packets on the PPPoE { format | strategy }
relay.

Display packet statistics for the display pppoe-relay statistics [ interface

PPPoE relay. interface-type interface-number ]
Clear packet statistics for the
reset pppoe-relay statistics
PPPoE relay.

356
PPPoE configuration examples
Example: Configuring PPPoE relay
Network configuration
The host uses the PPPoE access method to connect to the router through the switch. The switch
acts as the PPPoE relay. The router acts as the PPPoE server and assigns IPv4 addresses to the
PPPoE client through a PPP address pool.
Figure 113 Network diagram

RADIUS Server
11.110.91.146

GE1/0/2
11.110.91.1/24
GE1/0/1 GE1/0/2 GE1/0/1
Internet

Host Switch Router

PPPoE Client PPPoE Relay PPPoE Server

Procedure
1. Configure the switch as the PPPoE relay:
# Enable the PPPoE relay function.
<Switch> system-view
[Switch] pppoe-relay enable
# Configure the server-facing interface GigabitEthernet 1/0/2 as a PPPoE relay trusted port.
[Switch] interface GigabitEthernet 1/0/2
[Switch-GigabitEthernet1/0/2] pppoe-relay trust
2. Configure the router as a PPPoE server:
# Create a PPPoE user.
<Router> system-view
[Router] local-user user1 class network
[Router-luser-network-user1] password simple pass1
[Router-luser-network-user1] service-type ppp
[Router-luser-network-user1] quit
# Configure Virtual-Template 1 to use CHAP for authentication and use a PPP address pool for
IP address assignment. Set the DNS server IP address for the peer.
[Router] interface virtual-template 1
[Router-Virtual-Template1] ppp authentication-mode chap domain system
[Router-Virtual-Template1] ppp chap user user1
[Router-Virtual-Template1] remote address pool 1
[Router-Virtual-Template1] ppp ipcp dns 8.8.8.8
[Router-Virtual-Template1] quit
# Configure a PPP address pool that contains nine assignable IP addresses, and configure a
gateway address for the PPP address pool.
[Router] ip pool 1 1.1.1.2 1.1.1.10
[Router] ip pool 1 gateway 1.1.1.1

357
 # Enable the PPPoE server on GigabitEthernet 1/0/1, and bind the interface to Virtual-Template
1.
[Router] interface gigabitethernet 1/0/1
[Router-GigabitEthernet1/0/1] pppoe-server bind virtual-template 1
[Router-GigabitEthernet1/0/1] quit
# Configure the default ISP domain (system) to use the RADIUS scheme for authentication,
authorization, and accounting.
[Router] domain system
[Router-isp-system] authentication ppp radius-scheme rs1
[Router-isp-system] authorization ppp radius-scheme rs1
[Router-isp-system] accounting ppp radius-scheme rs1
[Router-isp-system] quit
# Configure a RADIUS scheme, and specify the primary authentication server and the primary
accounting server.
[Router] radius scheme rs1
[Router-radius-rs1] primary authentication 11.110.91.146
[Router-radius-rs1] primary accounting 11.110.91.146
# Set the shared key for secure communication with the authentication and accounting servers
to expert in plain text.
[Router-radius-rs1] key authentication simple expert
[Router-radius-rs1] key accounting simple expert
[Router-radius-rs1] quit
3. Configure the RADIUS server:
a. Configure the authentication and accounting passwords as expert.
b. Add a PPPoE user with username user1 and password 123456.
For more information, see the user manual for the RADIUS server.
Verifying the configuration
Install the PPPoE client software and configure the username and password (user1 and pass1 in
this example) on the hosts. Then, the hosts can use PPPoE to access the Internet through the router.

358
Document conventions and icons
Conventions
This section describes the conventions used in the documentation.
Command conventions

Convention Description
Boldface Bold text represents commands and keywords that you enter literally as shown.
Italic Italic text represents arguments that you replace with actual values.

[] Square brackets enclose syntax choices (keywords or arguments) that are optional.
Braces enclose a set of required syntax choices separated by vertical bars, from which
{ x | y | ... }
you select one.

Square brackets enclose a set of optional syntax choices separated by vertical bars,
[ x | y | ... ]
from which you select one or none.

Asterisk marked braces enclose a set of required syntax choices separated by vertical
{ x | y | ... } *
bars, from which you select at least one.

Asterisk marked square brackets enclose optional syntax choices separated by vertical
[ x | y | ... ] *
bars, from which you select one choice, multiple choices, or none.

The argument or keyword and argument combination before the ampersand (&) sign
&<1-n>
can be entered 1 to n times.

# A line that starts with a pound (#) sign is comments.

GUI conventions

Convention Description
Window names, button names, field names, and menu items are in Boldface. For
Boldface
example, the New User window opens; click OK.
Multi-level menus are separated by angle brackets. For example, File > Create >
>
Folder.

Symbols

Convention Description
An alert that calls attention to important information that if not understood or followed
WARNING! can result in personal injury.
An alert that calls attention to important information that if not understood or followed
CAUTION: can result in data loss, data corruption, or damage to hardware or software.

IMPORTANT: An alert that calls attention to essential information.

NOTE: An alert that contains additional or supplementary information.

TIP: An alert that provides helpful information.

359
Network topology icons
Convention Description

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that

supports Layer 2 forwarding and other Layer 2 features.

Represents an access controller, a unified wired-WLAN module, or the access

controller engine on a unified wired-WLAN switch.

Represents an access point.

T Represents a wireless terminator unit.

T Represents a wireless terminator.

Represents a mesh access point.

Represents omnidirectional signals.

Represents directional signals.

Represents a security product, such as a firewall, UTM, multiservice security

gateway, or load balancing device.

Represents a security module, such as a firewall, load balancing, NetStream, SSL

VPN, IPS, or ACG module.

Examples provided in this document

Examples in this document might use devices that differ from your device in hardware model,
configuration, or software version. It is normal that the port numbers, sample output, screenshots,
and other information in the examples differ from what you have on your device.

360
Support and other resources
Accessing Hewlett Packard Enterprise Support
• For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website:
www.hpe.com/assistance
• To access documentation and support services, go to the Hewlett Packard Enterprise Support
Center website:
www.hpe.com/support/hpesc
Information to collect
• Technical support registration number (if applicable)
• Product name, model or version, and serial number
• Operating system name and version
• Firmware version
• Error messages
• Product-specific reports and logs
• Add-on products or components
• Third-party products or components

Accessing updates
• Some software products provide a mechanism for accessing software updates through the
product interface. Review your product documentation to identify the recommended software
update method.
• To download product updates, go to either of the following:
 Hewlett Packard Enterprise Support Center Get connected with updates page:
www.hpe.com/support/e-updates
 Software Depot website:
www.hpe.com/support/softwaredepot
• To view and update your entitlements, and to link your contracts, Care Packs, and warranties
with your profile, go to the Hewlett Packard Enterprise Support Center More Information on
Access to Support Materials page:
www.hpe.com/support/AccessToSupportMaterials

IMPORTANT:
Access to some updates might require product entitlement when accessed through the Hewlett
Packard Enterprise Support Center. You must have an HP Passport set up with relevant
entitlements.

361
Websites
Website Link
Networking websites

Hewlett Packard Enterprise Information Library for

www.hpe.com/networking/resourcefinder
Networking
Hewlett Packard Enterprise Networking website www.hpe.com/info/networking
Hewlett Packard Enterprise My Networking website www.hpe.com/networking/support
Hewlett Packard Enterprise My Networking Portal www.hpe.com/networking/mynetworking
Hewlett Packard Enterprise Networking Warranty www.hpe.com/networking/warranty
General websites

Hewlett Packard Enterprise Information Library www.hpe.com/info/enterprise/docs

Hewlett Packard Enterprise Support Center www.hpe.com/support/hpesc
Hewlett Packard Enterprise Support Services Central ssc.hpe.com/portal/site/ssc/
Contact Hewlett Packard Enterprise Worldwide www.hpe.com/assistance
Subscription Service/Support Alerts www.hpe.com/support/e-updates
Software Depot www.hpe.com/support/softwaredepot
Customer Self Repair (not applicable to all devices) www.hpe.com/support/selfrepair
Insight Remote Support (not applicable to all devices) www.hpe.com/info/insightremotesupport/docs

Customer self repair

Hewlett Packard Enterprise customer self repair (CSR) programs allow you to repair your product. If
a CSR part needs to be replaced, it will be shipped directly to you so that you can install it at your
convenience. Some parts do not qualify for CSR. Your Hewlett Packard Enterprise authorized
service provider will determine whether a repair can be accomplished by CSR.
For more information about CSR, contact your local service provider or go to the CSR website:
www.hpe.com/support/selfrepair

Remote support
Remote support is available with supported devices as part of your warranty, Care Pack Service, or
contractual support agreement. It provides intelligent event diagnosis, and automatic, secure
submission of hardware event notifications to Hewlett Packard Enterprise, which will initiate a fast
and accurate resolution based on your product’s service level. Hewlett Packard Enterprise strongly
recommends that you register your device for remote support.
For more information and device support details, go to the following website:
www.hpe.com/info/insightremotesupport/docs

Documentation feedback
Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help
us improve the documentation, send any errors, suggestions, or comments to Documentation
Feedback ([email protected]). When submitting your feedback, include the document title,

362
part number, edition, and publication date located on the front cover of the document. For online help
content, include the product name, product version, help edition, and publication date located on the
legal notices page.

363
Index
Numerics MAC address table learning limit, 35
0:2 VLAN mapping MAC Information queue length, 44
implementation, 299 advertising
1:1 VLAN mapping LLDP advertisable TLV, 323
application scenario, 297 voice VLAN advertisement (CDP), 264
configuration, 303, 306 voice VLAN advertisement (LLDP or CDP), 263
implementation, 299, 300 voice VLAN advertisement (LLDP), 263
1:2 VLAN mapping voice VLAN information advertisement to IP
phones, 255
application scenario, 298
aggregate interface
configuration, 305, 310
DRNI DR interface configuration, 109
implementation, 299, 301
DRNI IPP interface assignment, 109
10-GE interface;010-GE interface
IPP retain MAC address entries for down
combine, 3
single-homed devices, 110
2:2 VLAN mapping
physical state change suppression, 66
application scenario, 298
aggregating
configuration, 305, 310
link. See link aggregation
implementation, 299, 301
aging
2:3 VLAN mapping
MAC address table timer, 33
implementation, 299
spanning tree max age timer, 164
40-GE interface;040-GE interface
algorithm
split, 3
STP calculation, 136
802
alternate port (MST), 149
802.1 LLDPDU TLV types, 316
ARP
802.1Q-in-802.1Q. Use QinQ
distributed-relay (DR) system setup, 91
802.3 LLDPDU TLV types, 316
LLDP ARP entry generation, 332
P802.1AX DRCP operating mechanism, 89
MAC address table ARP fast update, 39
QinQ SVLAN tag 802.1p priority, 290
assigning
802.1X
MAC address table learning priority, 36
VLAN group configuration, 220
MAC-based VLAN assignment (dynamic), 211
A MAC-based VLAN assignment (server-assigned),
accessing 212
port-based VLAN assignment (access port), MAC-based VLAN assignment (static), 210
214 port isolation group (multiple ports), 127
action port-based VLAN hybrid port, 215
loop detection block, 197 port-based VLAN trunk port, 215
loop detection no-learning protection, 197 voice VLAN assignment mode (automatic), 256
loop detection protection action setting, 199 voice VLAN assignment mode (manual), 257
loop detection shutdown protection, 197 associating
adding private VLAN primary+secondary, 239
MAC address table blackhole entry, 31 attribute
MAC address table entry, 30 Ethernet link aggregation attribute configuration,
MAC address table entry (global), 30 48
MAC address table entry (on interface), 31 authentication
MAC address table multiport unicast entry, 31 DRNI protocol packet, 94
address auto
MAC address learning disable, 34 DRNI DR system auto-recovery, 112

364
 Ethernet interface auto power-down, 11 Ethernet interface bridging enable (Layer 2), 19
Ethernet interface automatic negotiation, 5 LLDP agent customer bridge, 314
Ethernet interface autonegotiation speed LLDP agent nearest bridge, 314
options (Layer 2), 16 LLDP agent non-TPMR bridge, 314
loop detection port status auto recovery, 197 LLDP bridge mode configuration, 322
voice VLAN assignment (automatic), 256 MST common root bridge, 149
voice VLAN assignment mode configuration MST regional root, 149
(automatic), 265 MSTP leaf node configuration, 159
voice VLAN LLDP automatic IP phone MSTP root bridge configuration, 158
discovery enable, 263
PVST leaf node configuration, 158
voice VLAN port operation configuration
PVST root bridge configuration, 157
(automatic assignment), 261
RSTP leaf node configuration, 157
AutoMDIX mode (Ethernet interface), 17
RSTP root bridge configuration, 156
B spanning tree dispute guard, 184
backing up spanning tree leaf node configuration, 156
MST backup port, 149 spanning tree loop guard, 181
bandwidth spanning tree root bridge, 161
Ethernet link aggregate interface (expected spanning tree root bridge (device), 161
bandwidth), 65 spanning tree root bridge configuration, 155
basic management LLDPDU TLV types, 316 spanning tree root guard, 181
BFD spanning tree secondary root bridge (device), 162
Ethernet link aggregation group BFD, 75 STP designated bridge, 135
blackhole STP root bridge, 135
MAC address table entry, 28, 31 bulk
block action (loop detection), 197 interface configuration, 26, 27
boundary port (MST), 149 interface configuration display, 27
BPDU interface configuration restrictions, 26
configuration BPDUs, 133
C
MST region max hops, 163
MSTP BPDU protocol frames, 146 cable
PVST BPDU guard, 184 Ethernet interface cable connection (Layer 2), 19
RSTP BPDU processing, 144 calculating
spanning tree BPDU drop, 184 MSTI calculation, 151
spanning tree BPDU filter, 180 MSTP CIST calculation, 151
spanning tree BPDU guard, 179 spanning tree port path cost calculation standard,
167
spanning tree device edge port reactivation
disable, 187 spanning tree timeout factor, 165
spanning tree hello time, 164 STP algorithm, 136
spanning tree max age timer, 164 CDP
spanning tree TC BPDU event logging (PVST LLDP CDP compatibility, 329
mode), 187 LLDP CDP-compatible configuration, 338
spanning tree TC-BPDU guard, 183 voice VLAN advertisement, 264
spanning tree TC-BPDU transmission voice VLAN information advertisement to IP
restriction, 183 phones, 255
STP BPDU forwarding, 141 CE
TCN BPDUs, 134 L2PT configuration, 340, 342, 344
transmission rate configuration, 165 L2PT for LACP configuration, 345
transmission rate configuration restrictions, L2PT for STP configuration, 344
166 CHAP
bridging PPPoE configuration, 350, 357
checking

365
 DRNI configuration consistency check disable, DRNI DR system auto-recovery, 112
111 DRNI DR system MAC address, 102
DRNI distributed-relay (DR) configuration DRNI DR system settings, 102
consistency check, 92 DRNI DR system+Layer 3 gateway, 119
LLDP PVID inconsistency check disable, 329 DRNI sequence number check, 113, 114
spanning tree No Agreement Check, 176 Ethernet aggregate interface, 63
choosing Ethernet aggregate interface (description), 63
Ethernet link aggregation reference port, 49, Ethernet aggregate interface jumbo frame
53 support, 64
circuit ID padding format for client-side PPPoE Ethernet interface, 1
packet
Ethernet interface (Layer 2), 16
configuration, 355
Ethernet interface (Layer 3), 20
Cisco
Ethernet interface basic settings, 4
Discovery Protocol. Use CDP
Ethernet interface dampening, 7
LLDP CDP compatibility, 329
Ethernet interface generic flow control, 10
LLDP configuration (CDP-compatible), 338
Ethernet interface interface alarm functions, 14
CIST
Ethernet interface jumbo frame support, 6
calculation, 151
Ethernet interface link mode, 5
network device connection, 149
Ethernet interface physical state change
spanning tree max age timer, 164 suppression, 6
collaborating Ethernet interface physical type (single combo), 2
LLDP+Track collaboration, 320 Ethernet interface storm control (Layer 2), 18
combining Ethernet interface storm suppression, 9
Ethernet interfaces (10-GE > 40-GE), 3 Ethernet link aggregate interface (Layer 2 edge),
common root bridge, 149 81
community VLAN Ethernet link aggregation, 47, 56, 77
port isolation configuration, 127, 129 Ethernet link aggregation device capability, 70
configuration restrictions and guidelines Ethernet link aggregation edge aggregate
voice VLAN, 259 interface, 66
configuring Ethernet link aggregation group (Layer 2
1:1 VLAN mapping, 303, 306 dynamic), 79
1:2 VLAN mapping, 305, 310 Ethernet link aggregation group (Layer 2 static),
2:2 VLAN mapping, 305, 310 77
aggregate interface physical state change Ethernet link aggregation group (Layer 3
suppression, 66 dynamic), 83
aggregate interface system ID, 57 Ethernet link aggregation group (Layer 3 static),
82
automatic link aggregation, 62
Ethernet link aggregation group BFD, 75
basic MVRP, 275
Ethernet link aggregation group configuration
circuit ID padding format for client-side PPPoE
(Layer 2 dynamic), 59
packet, 355
Ethernet link aggregation group configuration
common Ethernet interface settings, 2
(Layer 2 static), 59
DRNI, 88, 101, 115
Ethernet link aggregation group configuration
DRNI basics, 115 (Layer 3 dynamic), 61
DRNI configuration consistency check disable, Ethernet link aggregation group configuration
111 (Layer 3 static), 60
DRNI configuration consistency check mode, Ethernet link aggregation group load sharing, 72
111
Ethernet link aggregation group reference port
DRNI distributed-relay (DR) configuration selection criteria, 71
consistency check, 92
Ethernet link aggregation S-MLAG, 62, 85
DRNI DR interface, 109
Ethernet subinterface (Layer 3), 20
DRNI DR keepalive packet parameter, 104
Ethernet subinterface basic settings, 4
DRNI DR keepalive settings, 104

366
interfaces in bulk, 26, 27 private VLAN trunk promiscuous port, 244
IP subnet-based VLAN, 219, 227 private VLAN trunk promiscuous+secondary port,
L2PT, 340, 342, 344 247
L2PT for LACP, 345 private VLAN uplink port, 239, 239
L2PT for STP, 344 protocol-based VLAN, 219, 228
LLDP, 314, 321, 334 PVST, 157, 193
LLDP (CDP-compatible), 338 PVST leaf nodes, 158
LLDP advertisable TLVs, 323 PVST root bridge, 157
LLDP basics, 334 QinQ, 285, 292
LLDP CDP compatibility, 329 QinQ basics, 292
LLDP management address TLV QinQ CVLAN tag TPID value, 290
advertisement, 326 QinQ SVLAN tag TPID value, 290
LLDP trapping, 331 QinQ VLAN tag TPID value, 289
LLDP-MED trapping, 331 QinQ VLAN transparent transmission, 288, 294
loop detection, 196, 198, 200 remote ID padding format for client-side PPPoE
loop detection basics, 200, 202 packet, 355
M:1 VLAN mapping, 303, 309 restore the default settings for an Ethernet
MAC address borrowing, 332 interface, 15
MAC address move suppression, 38 RSTP, 156
MAC address table, 28, 29, 42, 42 RSTP leaf nodes, 157
MAC address table multiport unicast entry RSTP root bridge, 156
(global), 32 spanning tree, 189
MAC address table multiport unicast entry (on spanning tree BPDU filter, 180
interface), 32 spanning tree BPDU filter (on interface), 181
MAC Information, 43, 45, 45 spanning tree BPDU guard, 179
MAC Information mode, 43 spanning tree BPDU guard (on interface), 180
MAC-based VLAN, 216, 225 spanning tree BPDU transmission rate, 165
MAC-based VLAN (server-assigned), 218 spanning tree device priority, 162
MAC-based VLAN assignment (dynamic), 217 spanning tree Digest Snooping, 175
MAC-based VLAN assignment (static), 216 spanning tree edge port, 166
management Ethernet interface, 1 spanning tree leaf nodes, 156
manual link aggregation, 58 spanning tree No Agreement Check, 176
MST region, 160 spanning tree port link type, 171
MST region max hops, 163 spanning tree port MSTP frame recognition mode,
MSTP, 158, 189 171
MSTP leaf nodes, 159 spanning tree port path cost, 167, 170
MSTP root bridge, 158 spanning tree port priority, 170
MVRP, 272, 275 spanning tree port role restriction, 182
port isolation, 127, 128, 128 spanning tree protection, 179
port isolation community VLAN, 127, 129 spanning tree protocols, 155, 155
port-based VLAN, 214, 223 spanning tree root bridge, 155, 161
PPPoE, 350, 357 spanning tree root bridge (device), 161
PPPoE relay, 353, 357 spanning tree secondary root bridge, 161
PPPoE relay trusted port, 353 spanning tree secondary root bridge (device), 162
private VLAN, 237, 238, 241 spanning tree switched network diameter, 163
private VLAN downlink port, 239 spanning tree TC Snooping, 178
private VLAN Layer 3 communication spanning tree TC-BPDU transmission restriction,
(secondary VLAN), 240 183
private VLAN Layer 3 communication spanning tree timeout factor, 165
(secondary), 251 spanning tree timer, 164
private VLAN promiscuous port, 241 STP, 155

367
 super VLAN, 232, 233, 234 CVLAN
super VLAN interface, 233 QinQ basic configuration, 292
vendor-specific tag processing policy for QinQ configuration, 285, 292
client-side PPPoE packet (global), 355, 356 QinQ VLAN transparent transmission
vendor-specific tag processing policy for configuration, 294
client-side PPPoE packet (interface), 355, 356 VLAN mapping configuration, 297, 302, 306
VLAN, 208, 223 VLAN mapping implementation, 299
VLAN basic settings, 213
D
VLAN group, 220
VLAN interface, 221 dampening
VLAN mapping, 297, 302, 306 Ethernet interface dampening, 7
voice VLAN, 254, 259, 265 data
voice VLAN ACL resource occupation mode, DRNI DR data restoration interval, 113
260 default
voice VLAN advertisement (CDP), 264 Ethernet link aggregate interface default settings,
voice VLAN advertisement (LLDP or CDP), 67
263 restore the default settings (Ethernet), 15
voice VLAN advertisement (LLDP), 263 designated
voice VLAN assignment mode (automatic), MST port, 149
265 STP bridge, 135
voice VLAN assignment mode (manual), 266 STP port, 135
voice VLAN port operation (automatic detecting
assignment), 261 Ethernet link aggregation group BFD, 75
voice VLAN port operation (manual device
assignment), 262 basic MVRP configuration, 275
voice VLAN port operation mode, 261 DRNI device failure handling mechanism, 96
voice VLAN traffic QoS priority settings, 259 DRNI DR data restoration interval, 113
VXLAN MAC address table multiport unicast Ethernet interface configuration, 1
entry, 32
LLDP basic configuration, 334
connecting
LLDP CDP compatibility, 329
Ethernet interface cable connection (Layer 2),
LLDP configuration, 314, 321, 334
19
LLDP configuration (CDP-compatible), 338
voice VLAN host+IP phone connection (in
series), 255 LLDP frame tramission parameters, 327
voice VLAN IP phone+device, 256 loop protection actions, 197
CoS MSTP implementation, 151
voice VLAN traffic QoS priority settings, 259 MVRP configuration, 269, 272, 275
cost PPPoE configuration, 350, 357
spanning tree port path cost calculation PPPoE relay configuration, 353, 357
standard, 167 PVST BPDU guard, 184
spanning tree port path cost configuration, spanning tree BPDU drop, 184
167, 170 spanning tree BPDU filter, 180
STP path cost, 136 spanning tree BPDU guard, 179
creating spanning tree device edge port reactivation
private VLAN (primary), 238 disable, 187
private VLAN (secondary), 238 spanning tree Digest Snooping, 175
super VLAN sub-VLAN, 232 spanning tree dispute guard, 184
VLAN, 213 spanning tree inconsistent PVID protection
CST disable, 174
MST region connection, 148 spanning tree loop guard, 181
customer spanning tree No Agreement Check, 176
LLDP customer bridge mode, 322 spanning tree port role restriction, 182

368
 spanning tree priority, 162 spanning tree, 188
spanning tree protection, 179 super VLAN, 234
spanning tree root guard, 181 VLAN, 223
spanning tree SNMP notification (new-root VLAN mapping, 306
election, topology change events), 187 voice VLAN, 264
spanning tree TC BPDU event logging (PVST dispute
mode), 187 spanning tree dispute guard, 184
spanning tree TC Snooping, 178 Distributed Relay Control Protocol. See DRCP
spanning tree TC-BPDU guard, 183 Distributed Resilient Network Interconnect. See DRNI
spanning tree TC-BPDU transmission distributed-relay (DR)
restriction, 183
configuration consistency check, 92
timeout for receiving LLDP frames, 328
configuring DRNI MAD, 105
voice VLAN IP phone+device connection, 256
device role priority setting, 103
diameter
DRNI device role calculation, 90
spanning tree switched network diameter, 163
DRNI DR data restoration interval, 113
Digest Snooping (spanning tree), 175
DRNI DR interface configuration, 109
directing
DRNI DR keepalive interval+timeout timer, 105
Ethernet link aggregation traffic redirection, 74
DRNI DR keepalive packet parameter, 104
disabling
DRNI DR keepalive packet parameter
DRNI configuration consistency check, 111 configuration restrictions, 104
Ethernet link aggregation Selected member DRNI DR keepalive setting configuration
port selection, 71 restrictions, 104
LLDP PVID inconsistency check, 329 DRNI DR keepalive settings, 104
MAC address learning (global), 34 DRNI DR system auto-recovery, 112
MAC address learning (on interface), 34 DRNI DR system MAC address, 102
MAC address learning (on VLAN), 35 DRNI DR system number, 102
MAC address table static source check, 40 DRNI DR system priority, 103
spanning tree device edge port reactivation, DRNI DR system setting configuration, 102
187
DRNI IPP interface assignment restrictions, 109
spanning tree dispute guard, 184
DRNI keepalive mechanism, 89
spanning tree inconsistent PVID protection,
DRNI MAD, 105
174
DRNI MAD action, 106
discarding
DRNI MAD DOWN state persistence, 108
MST discarding port state, 150
DRNI network mode, 88
display
DRNI sequence number check, 113, 114
loop detection, 200
DRNI short DRCP timeout timer, 111
displaying
DRNI short DRCP timeout timer enable
bulk interface configuration, 27
restrictions, 112
DRNI, 114
DRNI standalone mode, 92, 104
Ethernet interface, 21
interface configuration restrictions, 109
Ethernet link aggregation, 76
interface failure handling mechanism, 95
Ethernet subinterface, 21
interface MAD shutdown exclusion, 107, 107
interface, 25
interface MAD shutdown inclusion, 108
L2PT, 344
keepalive interval+timeout timer restrictions, 105
LLDP, 333
system MAC address configuration restrictions,
MAC address table, 41 102
MVRP, 275 system number restrictions, 102
port isolation, 128 system priority restrictions, 103
PPPoE, 356 system setup process, 91
private VLAN, 241 Dot1
QinQ, 292

369
 spanning tree dot1d-1998 (port path cost DR system MAC address configuration
calculation), 167, 167 restrictions, 102
spanning tree dot1t (port path cost calculation), DR system number, 102
167 DR system number restrictions, 102
Dot1s (STP port mode), 171 DR system priority, 103
DRCP DR system priority restrictions, 103
DRNI short DRCP timeout timer, 111 DR system setting configuration, 102
operating mechanism, 89 DR system+Layer 3 gateway configuration, 119
timeout timers, 89 DRCP, 89
timers, 89 DRNI MAD, 105
DRNI DRNI MAD DOWN action, 106
basic configuration, 115 DRNI MAD DOWN state persistence, 108
concurrent IPL and keepalive link failures DRNI MAD NONE action, 106
handling mechanisms, 96 DRNI standalone mode, 92, 104
configuration, 88, 101, 115 failure handling mechanisms, 95
configuration consistency check disable, 111 holding the DRNI MAD DOWN state, 90
configuration consistency check disable IPL failure handling mechanism, 95
restrictions, 111
IPP interface assignment, 109
configuration consistency check mode, 111
IPP interface assignment restrictions, 109
configuration restrictions, 99
IPP retain MAC address entries for down
default DRNI MAD action, 106 single-homed devices, 110
device failure handling mechanism, 96 keepalive hold timer, 112
display, 114 logical interfaces MAD shutdown exclusion, 107
distributed-relay (DR) configuration MAD mechanism, 90
consistency check, 92
maintain, 114
distributed-relay (DR) device role calculation,
network mode, 88
90
protocol packet authentication, 94
distributed-relay (DR) keepalive mechanism,
89 protocols and standards, 99
distributed-relay (DR) system setup, 91 sequence number check, 94, 113, 114
DR data restoration interval, 113 short DRCP timeout timer, 111
DR data restoration interval restrictions, 113 short DRCP timeout timer enable restrictions, 112
DR device role priority setting, 103 DRNI MAD
DR interface configuration, 109 automatically excluded interfaces, 105
DR interface configuration restrictions, 109 automatically included interfaces, 105
DR interface failure handling mechanism, 95 configuration methods, 105
DR interface MAD shutdown exclusion, 107 DRNI protocol packet
DR interface MAD shutdown exclusion authentication, 94
restrictions, 107 DSCP
DR interface MAD shutdown inclusion, 108 voice VLAN traffic QoS priority settings, 259
DR keepalive interval+timeout timer, 105 dynamic
DR keepalive interval+timeout timer Ethernet link aggregation edge aggregate
restrictions, 105 interface, 55
DR keepalive packet parameter, 104 Ethernet link aggregation group (Layer 2), 59
DR keepalive packet parameter configuration Ethernet link aggregation group (Layer 3), 60
restrictions, 104 Ethernet link aggregation group BFD, 75
DR keepalive setting configuration restrictions, Ethernet link aggregation group configuration
104 (Layer 2), 79
DR keepalive settings, 104 Ethernet link aggregation group configuration
DR system auto-recovery, 112 (Layer 3), 83
DR system MAC address configuration, 102 Ethernet link aggregation group reference port
selection criteria, 71

370
 Ethernet link aggregation mode, 48 MAC address table ARP fast update, 39
MAC address table dynamic aging timer, 33 MAC address table move notification, 38
MAC address table entry, 28 MAC address table SNMP notification, 41
MAC address table entry configuration, 30 MAC Information, 43
MAC address table entry configuration (on MVRP GVRP compatibility, 274
interface), 31 PPPoE relay, 353
MAC-based VLAN assignment, 211, 217 PVST BPDU guard, 184
E QinQ, 287
spanning tree BPDU drop, 184
edge
spanning tree BPDU filter (global), 180
Ethernet link aggregate interface configuration
(Layer 2 edge), 81 spanning tree BPDU guard (global), 180
STP edge port rapid transition, 151 spanning tree feature, 172
edge port spanning tree loop guard, 181
MST, 149 spanning tree port state transition information
output, 172
spanning tree, 166
spanning tree root guard, 181
EEE energy saving, 11
spanning tree SNMP notification (new-root
enabling
election, topology change events), 187
DRNI sequence number check, 113, 114
spanning tree TC BPDU event logging (PVST
DRNI short DRCP timeout timer, 111 mode), 187
Ethernet interface auto power-down, 11 spanning tree TC-BPDU guard, 183
Ethernet interface automatic negotiation, 5 stripping vendor-specific tag of PPPoE
Ethernet interface bridging (Layer 2), 19 server-side packet on interface, 354
Ethernet interface EEE, 11 voice VLAN LLDP automatic IP phone discovery,
Ethernet interface energy-saving features, 11 263
Ethernet interface Layer 3 forwarding (Layer encapsulating
2), 20 L2PT configuration, 340, 342, 344
Ethernet interface link flapping protection, 9 L2PT for LACP configuration, 345
Ethernet interface loopback testing, 12 L2PT for STP configuration, 344
Ethernet link aggregation local-first load LLDP frame encapsulation (Ethernet II), 315
sharing, 73 LLDP frame encapsulation (SNAP), 315
Ethernet link aggregation local-first load LLDP frame encapsulation format, 327
sharing (global), 73
VLAN frame encapsulation, 208
Ethernet link aggregation traffic isolation, 75,
Energy Efficient Ethernet. See EEE
75
energy-saving features, 11
Ethernet link aggregation traffic redirection, 74
Ethernet
Ethernet link aggregation traffic redirection
(aggregation group), 75 ARP entry generation, 332
Ethernet link aggregation traffic redirection interface. See Ethernet interface
(global), 74 link aggregation. See Ethernet link aggregation
Ethernet link aggregation transparent LLDP frame encapsulation, 315
LACPDU transmission, 68 LLDP trapping, 331
L2PT, 342 LLDP-MED trapping, 331
L2PT (for protocol) (Layer 2 Ethernet interface loop detection basic configuration, 200, 202
view), 343, 343 loop detection configuration, 196, 200
LLDP, 322 MAC address table configuration, 28, 29, 42, 42
LLDP ARP entry generation, 332 MAC Information configuration, 43, 45, 45
LLDP ND entry generation, 332, 332 ND entry generation, 332, 332
LLDP polling, 328 port isolation community VLAN configuration, 129
loop detection (global), 198 port isolation configuration, 127, 128, 128
loop detection (port), 198 port-based VLAN, 209
MAC address synchronization, 36 port-based VLAN assignment (access port), 214

371
 port-based VLAN assignment (hybrid port), energy-saving features, 11
215 fiber port (Layer 2), 13
port-based VLAN assignment (trunk port), 215 fiber port restrictions (Layer 2), 13
port-based VLAN configuration, 214 generic flow control, 10
PPPoE configuration, 350, 357 interface alarm functions, 14
private VLAN configuration, 237, 238, 241 jumbo frame support configuration, 6
private VLAN creation (primary), 238 Layer 3 forwarding enable (Layer 2), 20
private VLAN creation (secondary), 238 link flapping protection, 9
private VLAN Layer 3 communication link flapping protection restrictions, 9
(secondary VLAN), 240 link mode, 5
private VLAN Layer 3 communication loopback test restrictions, 12
configuration (secondary), 251
loopback testing, 12
private VLAN primary+secondary association,
maintain, 21
239
management interface configuration, 1
private VLAN promiscuous port configuration,
241 MDIX mode (Layer 2), 17
private VLAN trunk promiscuous port MTU setting (Layer 3), 20
configuration, 244 naming conventions, 2
private VLAN trunk promiscuous+secondary physical state change suppression, 6
port configuration, 247 restore the default settings, 15
QinQ CVLAN frame header tag, 285 single combo interface physical type configuration,
QinQ SVLAN frame header tag, 285 2
subinterface. See Ethernet interface, Ethernet statistics polling interval, 12
subinterface, subinterface storm control (Layer 2), 18
super VLAN configuration, 232, 233, 234 storm control configuration restrictions (Layer 2),
super VLAN sub-VLAN creation, 232 18
VLAN basic configuration, 213 storm suppression, 9
VLAN configuration, 208, 223 storm suppression restrictions, 10
VLAN frame encapsulation, 208 Ethernet link aggregation
VLAN interface, 221 aggregate group Selected ports min/max, 69
VLAN port-based configuration, 223 aggregate group Selected ports min/max
voice VLAN configuration, 254, 259, 265 restrictions, 62
voice VLAN configuration restrictions and aggregate interface, 47
guidelines, 259 aggregate interface (description), 63
Ethernet interface aggregate interface (MAC address), 64
10-GE > 40-GE combine;010-GE > 40-GE aggregate interface configuration, 63
combine, 3 aggregate interface default setting restrictions, 67
40-GE split;040-GE split, 3 aggregate interface default settings, 67
auto power-down enable, 11 aggregate interface jumbo frame support, 64
automatic negotiation enable, 5 aggregate interface setting restrictions (MAC
autonegotiation speed options (Layer 2), 16 address), 62
basic settings configuration, 4 aggregate interface shutdown, 67
bridging enable (Layer 2), 19 aggregate interface shutdown restrictions, 67
cable connection (Layer 2), 19 aggregate interface system ID, 57
common settings configuration, 2 aggregate interface types, 47
configuration, 1 aggregation group, 47
configuration (Layer 2), 16 aggregation group restrictions, 58
configuration (Layer 3), 20 aggregation member port restrictions, 58
dampening, 7 application scenario, 47
dampening restrictions, 8 attribute+protocol configuration restrictions, 58
display, 21 automatic link aggregation, 62
EEE enable, 11 BFD configuration, 75

372
BFD configuration restrictions, 72, 76 S-MLAG configuration, 62, 85
configuration, 47, 56, 77 static mode, 49
configuration consistency requirements, 59 traffic isolation, 75
configuration types, 48 traffic isolation restrictions, 75
device capability configuration, 70 traffic redirection, 74
display, 76 traffic redirection restrictions, 74
dynamic link aggregation, 50 transparent LACPDU transmission enable, 68
edge aggregate interface, 55, 66 Ethernet subinterface, 1, See also Ethernet interface,
edge aggregate interface configuration Layer 3 Ethernet subinterface
restrictions, 66 basic settings, 4
group configuration (Layer 2 dynamic), 59 display, 21
group configuration (Layer 2 static), 59 maintain, 21
group configuration (Layer 2), 59 MTU setting (Layer 3), 20
group configuration (Layer 3 dynamic), 61 excluding
group configuration (Layer 3 static), 60 default DRNI MAD action, 106
group configuration (Layer 3), 60 DRNI DR interface from MAD shutdown, 107
group load sharing configuration, 72 DRNI logical interfaces from MAD shutdown, 107
group load sharing mode, 72 external
group reference port selection criteria, 71 Ethernet interface external loopback testing, 12
group reference port selection criteria F
restrictions, 68
how dynamic link aggregation works, 52, 53 failing
interface configuration (expected bandwidth), DRNI concurrent IPL and keepalive link failures
65 handling mechanisms, 96
Layer 2 aggregate interface configuration DRNI failure handling mechanisms, 95
(Layer 2 edge), 81 fast
Layer 2 aggregation group configuration MAC address table ARP fast update, 39
(dynamic), 79 fiber port
Layer 2 aggregation group configuration Ethernet interface fiber port (Layer 2), 13
(static), 77 flow control
Layer 2 aggregation group restrictions, 58 Ethernet interface generic flow control, 10
Layer 3 aggregate interface configuration forcing
MTU, 65 Ethernet interface fiber port (Layer 2), 13
Layer 3 aggregation group configuration format
(dynamic), 83
LLDP frame encapsulation (Ethernet II), 315
Layer 3 aggregation group configuration
LLDP frame encapsulation (SNAP), 315
(static), 82
LLDP frame encapsulation format, 327
load sharing algorithm setting restrictions, 69
forwarding
load sharing hash offset adjustment
restrictions, 70 MAC address table frame forwarding rule, 35
load sharing mode, 55 MST forwarding port state, 150
local-first load sharing, 73 spanning tree forward delay timer, 164
maintain, 76 STP BPDU forwarding, 141
manual link aggregation, 58 STP forward delay timer, 142
member port, 47 frame
member port state, 47, 49, 53 Ethernet aggregate interface jumbo frame
support, 64
modes, 48
Ethernet interface jumbo frame support, 6
operational key, 48
LLDP ARP entry generation, 332
reference port, 53
LLDP frame encapsulation format, 327
reference port choice, 49
LLDP ND entry generation, 332, 332
Selected member port selection, 71
LLDP source MAC address, 332
simple multichassis link aggregation, 55

373
 loop detection (Ethernet frame header), 196 Ethernet link aggregation group (Layer 2), 59
loop detection (inner frame header), 196 Ethernet link aggregation group (Layer 3), 60
loop detection interval, 197 Ethernet link aggregation group load sharing, 72
MAC address learning, 28 Ethernet link aggregation load sharing mode, 55,
MAC address table blackhole entry, 31 72
MAC address table configuration, 28, 29, 42, Ethernet link aggregation member port state, 47
42 manual link aggregation, 58
MAC address table entry configuration, 30 port isolation configuration, 128
MAC address table frame forwarding rule, 35 VLAN group configuration, 220
MAC address table multiport unicast entry, 31 GVRP
MAC Information configuration, 43, 45, 45 MVRP compatibility, 274
MSTP BPDU protocol frames, 146 H
port-based VLAN frame handling, 209
hello
PVST BPDU protocol frames, 145, 145
spanning tree timer, 164
QinQ benefit, 285
STP timer, 142
QinQ CVLAN Ethernet frame header tag, 285
host
QinQ implementation, 286
PPPoE network structure (host-initiated), 351
QinQ SVLAN Ethernet frame header tag, 285
voice VLAN host+IP phone connection (in series),
RSTP BPDU protocol frames, 143
255
spanning tree port MSTP frame recognition
voice VLAN IP phone+device connection, 256
mode configuration, 171
hybrid port
STP BPDU protocol frames, 133
port-based VLAN assignment (hybrid port), 215
STP TCN BPDU protocol frames, 133
VLAN frame encapsulation, 208 I
VXLAN MAC address table multiport unicast identifying
entry, 32 voice VLAN IP phone identification (LLDP), 255
G voice VLAN IP phone identification (OUI address),
254
GARP
implementing
VLAN Registration Protocol. Use GVRP
0:2 VLAN mapping, 299
gateway
1:1 VLAN mapping, 299, 300
DRNI DR system+Layer 3 gateway
configuration, 119 1:2 VLAN mapping, 299, 301
generic flow control (Ethernet interface), 10 2:2 VLAN mapping, 299, 301
Generic VLAN Registration Protocol. Use GVRP 2:3 VLAN mapping, 299
global M:1 VLAN mapping, 299
Ethernet link aggregation load sharing mode M:1 VLAN mapping , 300
set, 73 MSTP device, 151
loop detection protection action, 199 QinQ, 286
MAC address learning disable, 34 including
MAC address table multiport unicast entry DRNI DR interface from MAD shutdown, 108
configuration, 32 inconsistency check (LLDP), 329
spanning tree BPDU filter enable, 180 inloopback interface
spanning tree BPDU guard enable, 180 display, 25
group maintain, 25
aggregate interface system ID, 57 interface
dynamic link aggregation, 50 automatic link aggregation, 62
Ethernet link aggregate group Selected ports bulk configuration, 26, 27
min/max, 69 configuration (inloopback), 23
Ethernet link aggregation device capability configuration (loopback), 23
configuration, 70 configuration (null), 23
Ethernet link aggregation group, 47 Ethernet aggregate interface, 63

374
 Ethernet aggregate interface (description), 63 type, 212
Ethernet aggregate interface (MAC address), IPL
64 DRNI keepalive hold timer, 112
Ethernet link aggregate interface default failure handling mechanism, 95
settings, 67 IPP
Ethernet link aggregate interface shutdown, DRNI intra-portal port, 88
67
DRNI IPP interface assignment, 109
Ethernet link aggregation edge aggregate
DRNI keepalive hold timer, 112
interface, 55, 66
DRNI short DRCP timeout timer, 111
Layer 3 aggregate interface configuration
MTU, 65 IPP retain MAC address entries for down
single-homed devices, 110
loop detection protection action, 199
isolating
simple multichassis link aggregation, 55
Ethernet link aggregation traffic isolation, 75
internal
ports. See port isolation
Ethernet interface internal loopback testing,
12 IST
Internet MST region, 149
PPPoE configuration, 350, 357 J
interval jumbo frame support (Ethernet interface), 6
DRNI DR data restoration interval, 113
K
DRNI DR keepalive interval+timeout timer,
105 keepalive
Ethernet link aggregation LACP long timeout, distributed-relay (DR) keepalive mechanism, 89
51 distributed-relay (DR) system setup, 91
Ethernet link aggregation LACP short timeout, DRNI DR keepalive interval+timeout timer, 105
51 DRNI DR keepalive packet parameter, 104
loop detection, 197, 199 DRNI DR keepalive settings, 104
MAC change notification interval, 44 DRNI standalone mode, 92
intra-portal port. See IPP
key
IP addressing Ethernet link aggregation operational key, 48
IP subnet-based VLAN, 212
IP subnet-based VLAN configuration, 219, L
227 L2PT
PPPoE configuration, 350, 357 configuration, 340, 342, 344
super VLAN configuration, 232, 233, 234 display, 344
super VLAN interface configuration, 233 enable, 342
voice VLAN configuration, 254, 259, 265 enable restrictions, 342
voice VLAN configuration restrictions and how it works, 341
guidelines, 259 LACP configuration, 345
IP phone maintain, 344
voice VLAN assignment mode+IP phone STP configuration, 344
cooperation, 257
tunneled packet destination multicast MAC
voice VLAN host+IP phone connection (in address, 343
series), 255
LACP
voice VLAN identification (LLDP), 255
dynamic link aggregation, 50
voice VLAN identification (OUI address), 254
L2PT for LACP configuration, 345
voice VLAN information advertisement, 255
LACPDU
voice VLAN IP phone access method, 255
Ethernet link aggregation transparent LACPDU
voice VLAN IP phone+device connection, 256 transmission, 68
IP subnet-based VLAN LAN
configuration, 219, 227 Virtual Local Area Network. Use VLAN
configuration restrictions, 219 LAN switching

375
1:1 VLAN mapping configuration, 303, 306 Ethernet link aggregation configuration, 47, 56, 77
1:2 VLAN mapping configuration, 305, 310 Ethernet link aggregation configuration
2:2 VLAN mapping configuration, 305, 310 consistency requirements, 59
aggregate interface system ID, 57 Ethernet link aggregation display, 76
automatic link aggregation, 62 Ethernet link aggregation edge aggregate
basic MVRP configuration, 275 interface, 55, 66
BPDU transmission rate configuration Ethernet link aggregation edge aggregate
restrictions, 166 interface configuration restrictions, 66
DRNI basics configuration, 115 Ethernet link aggregation group (Layer 2), 59
DRNI configuration, 88, 101, 115 Ethernet link aggregation group configuration
(Layer 2 dynamic), 79
DRNI configuration consistency check disable
restrictions, 111 Ethernet link aggregation group configuration
(Layer 2 static), 77
DRNI configuration restrictions, 99
Ethernet link aggregation group configuration
DRNI display, 114
(Layer 3 dynamic), 83
DRNI DR data restoration interval restrictions,
Ethernet link aggregation group configuration
113
(Layer 3 static), 82
DRNI DR interface MAD shutdown exclusion
Ethernet link aggregation group load sharing, 72
restrictions, 107
Ethernet link aggregation group load sharing
DRNI DR system setting configuration, 102
mode, 72
DRNI DR system+Layer 3 gateway
Ethernet link aggregation group reference port
configuration, 119
selection criteria restrictions, 68
DRNI maintain, 114
Ethernet link aggregation group restrictions, 58
DRNI protocols and standards, 99
Ethernet link aggregation Layer 2 aggregation
dynamic link aggregation, 50 group restrictions, 58
Ethernet aggregate interface, 63 Ethernet link aggregation load sharing algorithm
Ethernet aggregate interface (description), 63 setting restrictions, 69
Ethernet aggregate interface jumbo frame Ethernet link aggregation load sharing hash offset
support, 64 adjustment restrictions, 70
Ethernet link aggregate group Selected ports Ethernet link aggregation load sharing mode, 55
min/max, 69 Ethernet link aggregation local-first load sharing,
Ethernet link aggregate group Selected ports 73
min/max restrictions, 62 Ethernet link aggregation maintain, 76
Ethernet link aggregate interface (expected Ethernet link aggregation member port
bandwidth), 65 restrictions, 58
Ethernet link aggregate interface configuration Ethernet link aggregation S-MLAG configuration,
(Layer 2 edge), 81 62, 85
Ethernet link aggregate interface default Ethernet link aggregation traffic isolation, 75
setting restrictions, 67
Ethernet link aggregation traffic isolation
Ethernet link aggregate interface default restrictions, 75
settings, 67
Ethernet link aggregation traffic redirection, 74
Ethernet link aggregate interface shutdown,
Ethernet link aggregation traffic redirection
67
restrictions, 74
Ethernet link aggregate interface shutdown
Ethernet link aggregation transparent LACPDU
restrictions, 67
transmission, 68
Ethernet link aggregation (static mode), 49
IP subnet-based VLAN, 212
Ethernet link aggregation aggregate interface
IP subnet-based VLAN configuration, 219, 227
setting restrictions (MAC address), 62
L2PT configuration, 340, 344
Ethernet link aggregation application scenario,
47 L2PT display, 344
Ethernet link aggregation attribute+protocol L2PT enable, 342, 342
configuration restrictions, 58 L2PT enable restrictions, 342
Ethernet link aggregation BFD configuration L2PT for LACP configuration, 345
restrictions, 72, 76 L2PT for STP configuration, 344

376
L2PT maintain, 344 port-based VLAN assignment (trunk port), 215
LLDP basic configuration, 334 port-based VLAN configuration, 214
LLDP CDP compatibility, 329 private VLAN configuration, 237, 238, 241
LLDP configuration, 314, 321, 334 private VLAN creation (primary), 238
LLDP configuration (CDP-compatible), 338 private VLAN creation (secondary), 238
LLDP display, 333 private VLAN display, 241
LLDP protocols and standards, 320 private VLAN downlink port configuration, 239
LLDP PVID inconsistency check disable, 329 private VLAN Layer 3 communication (secondary
loop detection basic configuration, 200, 202 VLAN), 240
loop detection configuration, 196, 198, 200 private VLAN Layer 3 communication
loop detection enable restrictions, 198 configuration (secondary), 251
loop detection protection action setting private VLAN primary+secondary association,
restrictions, 199 239
M:1 VLAN mapping configuration, 303, 309 private VLAN promiscuous port configuration, 241
M:1 VLAN mapping restrictions, 303 private VLAN trunk promiscuous port
configuration, 244
MAC address table configuration, 28, 29, 42,
42 private VLAN trunk promiscuous+secondary port
configuration, 247
MAC address table display, 41
private VLAN uplink port configuration, 239, 239
MAC Information configuration, 43, 45, 45
protocol-based VLAN, 213
MAC-based VLAN, 210
protocol-based VLAN configuration, 219, 228
MAC-based VLAN assignment (dynamic), 217
PVST configuration, 193
MAC-based VLAN assignment (static), 216
QinQ basic configuration, 292
MAC-based VLAN assignment configuration
restrictions (dynamic), 217 QinQ benefit, 285
MAC-based VLAN configuration, 216, 225 QinQ configuration, 285, 292
MAC-based VLAN configuration QinQ configuration restrictions, 287
(server-assigned), 218 QinQ CVLAN tag TPID value, 290
manual link aggregation, 58 QinQ display, 292
MRP implementation, 269 QinQ implementation, 286
MST region, 160 QinQ protocols and standards, 287
MST region configuration restrictions, 160 QinQ SVLAN tag 802.1p priority, 290
MST region max hops configuration QinQ SVLAN tag TPID value, 290
restrictions, 163 QinQ VLAN tag TPID value, 289
MSTP configuration, 189 QinQ VLAN transparent transmission
MVRP configuration, 269, 272, 275 configuration, 294
MVRP configuration restrictions, 272 simple multichassis link aggregation, 55
MVRP display, 275 spanning tree BPDU filter configuration
MVRP GVRP compatibility, 274 restrictions, 180
MVRP maintain, 275 spanning tree BPDU guard configuration
restrictions, 179
MVRP protocols and standards, 272
spanning tree configuration, 189
MVRP timer set, 273
spanning tree device edge port reactivation
port isolation community VLAN configuration,
disable restrictions, 187
127, 129
spanning tree Digest Snooping, 175
port isolation configuration, 127, 128, 128
spanning tree display, 188
port isolation display, 128
spanning tree dispute guard disable restrictions,
port isolation group assignment (multiple
186
ports), 127
spanning tree feature compatibility restrictions, 99,
port-based VLAN, 209
155
port-based VLAN assignment (access port),
spanning tree feature enable restrictions, 172
214
spanning tree inconsistent PVID protection
port-based VLAN assignment (hybrid port),
disable restrictions, 174
215

377
spanning tree interface configuration VLAN interface, 221
restrictions, 99, 155 VLAN interface configuration restrictions, 221
spanning tree loop guard restrictions, 182 VLAN Layer 3 communication, 213
spanning tree maintain, 188 VLAN maintain, 223
spanning tree mode setting restrictions, 160 VLAN mapping configuration, 297, 302, 306
spanning tree No Agreement Check, 176 VLAN mapping display, 306
spanning tree No Agreement Check VLAN port-based configuration, 223
configuration restrictions, 177 VLAN protocols and standards, 213
spanning tree overview, 133 voice VLAN advertisement (CDP), 264
spanning tree port MSTP recognition mode voice VLAN advertisement (LLDP or CDP), 263
configuration restrictions, 172
voice VLAN advertisement (LLDP), 263
spanning tree port path cost calculation
voice VLAN assignment mode configuration
standard restrictions, 169
(automatic), 265
spanning tree port path cost configuration
voice VLAN assignment mode configuration
restrictions, 170
(manual), 266
spanning tree port priority configuration
voice VLAN display, 264
restrictions, 170
voice VLAN LLDP automatic IP phone discovery
spanning tree port role restrictions, 182
enable, 263
spanning tree protection configuration, 179
voice VLAN port operation configuration
spanning tree protocol configuration, 155, 155 (automatic assignment), 261
spanning tree protocol configuration voice VLAN port operation configuration (manual
restrictions, 155 assignment), 262
spanning tree root bridge configuration voice VLAN port operation configuration
restrictions, 161 restrictions (automatic assignment), 261
spanning tree root guard enable restrictions, voice VLAN port operation configuration
181 restrictions (manual assignment), 262
spanning tree TC Snooping, 178 Layer 2
spanning tree TC-BPDU guard enable DRNI DR interface configuration, 109
restrictions, 183
DRNI IPP interface assignment, 109
spanning tree TC-BPDU transmission
Ethernet aggregate interface (MAC address), 64
restrictions, 183
Ethernet interface autonegotiation speed options,
spanning tree timeout factor configuration
16
restrictions, 165
Ethernet interface bridging enable, 19
STP Digest Snooping configuration
restrictions, 175 Ethernet interface cable connection, 19
STP edge port configuration restrictions, 166 Ethernet interface configuration, 1, 16
STP mCheck configuration restrictions, 174 Ethernet interface fiber port, 13
STP port link type configuration restrictions, Ethernet interface fiber port restrictions, 13
171 Ethernet interface Layer 3 forwarding enable, 20
STP TC Snooping configuration restrictions, Ethernet interface MDIX mode, 17
178 Ethernet interface storm control configuration, 18
STP timer configuration restrictions, 164 Ethernet interface storm control configuration
super VLAN configuration, 232, 233, 234 restrictions, 18
super VLAN display, 234 Ethernet link aggregate interface configuration
super VLAN interface configuration, 233 (Layer 2 edge), 81
super VLAN sub-VLAN creation, 232 Ethernet link aggregation group, 59
VLAN basic configuration, 213 Ethernet link aggregation group (dynamic), 59
VLAN configuration, 208, 223 Ethernet link aggregation group (static), 59
VLAN configuration restrictions, 213 Ethernet link aggregation group configuration
(Layer 2 dynamic), 79
VLAN creation, 213
Ethernet link aggregation group configuration
VLAN display, 223
(Layer 2 static), 77
VLAN group configuration, 220
L2PT configuration, 342

378
 L2PT tunneled packet destination multicast IP subnet-based VLAN configuration, 219
MAC address, 343 LAN switching LAN switching VLAN interface,
LLDP basic configuration, 334 221
LLDP configuration, 334 LLDP ARP entry generation, 332
LLDP trapping, 331 LLDP basic configuration, 334
LLDP-MED trapping, 331 LLDP configuration, 334
VLAN basic configuration, 213 LLDP ND entry generation, 332, 332
VLAN configuration, 208, 223 LLDP trapping, 331
voice VLAN configuration, 254, 259, 265 LLDP-MED trapping, 331
voice VLAN configuration restrictions and manual link aggregation, 58
guidelines, 259 port-based VLAN, 209
Layer 2 Protocol Tunneling. Use L2PT port-based VLAN assignment (access port), 214
Layer 3 port-based VLAN assignment (hybrid port), 215
aggregate interface configuration MTU, 65 port-based VLAN assignment (trunk port), 215
DRNI DR system+Layer 3 gateway port-based VLAN configuration, 214
configuration, 119 private VLAN configuration, 241
Ethernet aggregate interface, 63 private VLAN Layer 3 communication
Ethernet aggregate interface (description), 63 configuration (secondary), 251
Ethernet aggregate interface (MAC address), private VLAN promiscuous port configuration, 241
64 private VLAN trunk promiscuous port
Ethernet interface configuration, 1, 20 configuration, 244
Ethernet interface MTU setting, 20 private VLAN trunk promiscuous+secondary port
Ethernet link aggregate group Selected ports configuration, 247
min/max, 69 protocol-based VLAN, 213
Ethernet link aggregate interface (expected protocol-based VLAN configuration, 219
bandwidth), 65 super VLAN configuration, 234
Ethernet link aggregate interface default VLAN communication, 213
settings, 67
voice VLAN configuration, 254, 259, 265
Ethernet link aggregate interface shutdown,
voice VLAN configuration restrictions and
67
guidelines, 259
Ethernet link aggregation configuration, 47, 56,
Layer 3 forwarding
77
Ethernet interface Layer 3 forwarding enable
Ethernet link aggregation edge aggregate
(Layer 2), 20
interface, 55, 66
leaf node
Ethernet link aggregation group, 60
MSTP leaf node configuration, 159
Ethernet link aggregation group (dynamic), 61
PVST leaf node configuration, 158
Ethernet link aggregation group (static), 60
RSTP leaf node configuration, 157
Ethernet link aggregation group configuration
(Layer 3 dynamic), 83 spanning tree leaf node configuration, 156
Ethernet link aggregation group configuration learning
(Layer 3 static), 82 loop detection no-learning action, 197
Ethernet link aggregation group load sharing, MAC address, 28
72 MAC address learning disable, 34
Ethernet link aggregation group load sharing MAC address table learning limit, 35
mode, 72 MAC address table learning priority, 36
Ethernet link aggregation local-first load MST learning port state, 150
sharing, 73 legacy
Ethernet link aggregation traffic isolation, 75 spanning tree port MSTP frame recognition mode,
Ethernet link aggregation traffic redirection, 74 171
Ethernet subinterface configuration, 20 spanning tree port path cost calculation, 167
Ethernet subinterface MTU setting, 20 link
IP subnet-based VLAN, 212 aggregation. See link aggregation

379
 Ethernet interface link flapping protection, 9 PVID inconsistency check disable, 329
Ethernet interface link mode, 5 reinitialization delay, 323
Link Layer Discovery Protocol. Use LLDP source MAC address, 332
MSTP configuration, 189 timeout set for receiving LLDP frames, 328
PPPoE configuration, 350, 357 Track collaboration function, 320
PVST configuration, 193 trapping configuration, 331
spanning tree configuration, 189 voice VLAN advertisement, 263, 263
spanning tree hello time, 164 voice VLAN information advertisement to IP
spanning tree overview, 133 phones, 255
spanning tree port link type configuration, 171 voice VLAN IP phone identification, 255
spanning tree protocol configuration, 155, 155 voice VLAN IP phone identification method, 254
link aggregation voice VLAN LLDP automatic IP phone discovery
DRNI basics configuration, 115 enable, 263
DRNI configuration, 88, 101, 115 LLDPDU
DRNI DR system+Layer 3 gateway LLDP basic configuration, 334
configuration, 119 LLDP configuration, 314, 321, 334
Ethernet link aggregation. See Ethernet link management address TLV, 319
aggregation TLV basic management types, 316
LLDP TLV LLDP-MED types, 316
advertisable TLV configuration, 323 TLV organization-specific types, 316
agent, 314 load sharing
ARP entry generation, 332 Ethernet link aggregation group configuration, 72
basic configuration, 334 Ethernet link aggregation group load sharing, 55
bridge mode configuration, 322 Ethernet link aggregation load sharing mode, 72
CDP compatibility configuration, 329 Ethernet link aggregation local-first load sharing,
CDP-compatible configuration, 338 73
configuration, 314, 321, 334 Ethernet link aggregation packet type-based load
display, 333 sharing, 55
enable, 322 Ethernet link aggregation per-flow load sharing,
55
frame encapsulation (Ethernet II), 315
Ethernet link aggregation per-packet load sharing,
frame encapsulation (SNAP), 315
55
frame encapsulation format, 327
local
frame format, 315
Ethernet link aggregation local-first load sharing,
frame reception, 320 73
frame tramission parameter set, 327 logging
frame transmission, 320 spanning tree TC BPDU event logging (PVST
frame transmission and reception, 320 mode), 187
LLDPDU management address TLV, 319 loop
LLDPDU TLV types, 316 MSTP configuration, 189
LLDPDU TLVs, 316 PVST configuration, 193
LLDP-MED trapping configuration, 331 spanning tree configuration, 189
MAC address learning borrowing, 332 spanning tree loop guard, 181
management address advertisement, 326 spanning tree overview, 133
ND entry generation, 332, 332 spanning tree protocol configuration, 155, 155
operating mode (disable), 319 loop detection
operating mode (Rx), 319 basic configuration, 200, 202
operating mode (Tx), 319 configuration, 196, 198, 200
operating mode (TxRx), 319 display, 200
operating mode set, 322 enable, 198
polling enable, 328 enable (global), 198
protocols and standards, 320

380
 enable (port), 198 MAC-based VLAN, 210
enable restrictions, 198 MAC-based VLAN assignment (dynamic), 211,
interval, 197 217
interval setting, 199 MAC-based VLAN assignment (server-assigned),
mechanisms, 196 212
port status auto recovery, 197 MAC-based VLAN assignment (static), 210, 216
protection action setting, 199 MAC-based VLAN configuration, 216, 225
protection action setting restrictions, 199 MAC-based VLAN configuration
(server-assigned), 218
protection actions, 197
VLAN frame encapsulation, 208
loopback
MAC authentication
Ethernet interface loopback testing, 12
VLAN group configuration, 220
loopback interface
MAC Information
display, 25
change notification interval, 44
maintain, 25
configuration, 43, 45, 45
M enable, 43
M:1 VLAN mapping mode configuration, 43
application scenario, 297 queue length setting, 44
configuration, 303, 309 MAC relay (LLDP agent), 314
configuration restrictions, 303 MAC-based VLAN
implementation, 299, 300 assignment (dynamic), 217
MAC address table assignment (static), 216
address learning, 28 configuration, 216, 225
address synchronization, 36 configuration (server-assigned), 218
ARP fast update enable, 39 configuration restrictions, 216
blackhole entry, 31 dynamic assignment, 211
configuration, 28, 29, 42, 42 dynamic assignment configuration restrictions,
display, 41 217
dynamic aging timer, 33 server-assigned, 212
entry configuration, 30, 30 static assignment, 210
entry configuration (on interface), 31 type, 210
entry creation, 28 MAD
entry types, 28 DRNI DR interface MAD shutdown exclusion, 107
frame forwarding rule, 35 DRNI DR interface MAD shutdown inclusion, 108
learning limit setting set, 35 DRNI logical interfaces MAD shutdown exclusion,
learning priority assignment, 36 107
MAC address learning disable, 34 DRNI MAD action, 106
MAC address move suppression, 38 DRNI MAD configuration methods, 105
manual entries, 28 DRNI MAD DOWN state persistence, 108
move notification, 38 DRNI MAD mechanism, 90
multiport unicast entry, 31 holding the DRNI MAD DOWN state, 90
SNMP notification enable, 41 MAD action
static source check enable, 40 DRNI MAD DOWN, 106
VXLAN multiport unicast entry, 32 NONE, 106
MAC addressing maintaining
distributed-relay (DR) system setup, 91 DRNI, 114
DRNI DR system MAC address, 102 Ethernet interface, 21
Ethernet aggregate interface, 64 Ethernet link aggregation, 76
L2PT tunneled packet destination multicast Ethernet subinterface, 21
MAC address, 343 interface, 25
LLDP source MAC address, 332 L2PT, 344

381
 MVRP, 275 LLDP Rx, 319, 322
PPPoE, 356 LLDP service bridge, 322
spanning tree, 188 LLDP Tx, 319, 322
VLAN, 223 LLDP TxRx, 319, 322
manual MAC Information syslog, 43
voice VLAN assignment mode, 257 MAC Information trap, 43
voice VLAN assignment mode configuration, MVRP registration fixed, 271
266 MVRP registration forbidden, 271
voice VLAN port operation configuration, 262 MVRP registration normal, 271
mapping spanning tree mCheck, 173
1:1 VLAN mapping, 297 spanning tree MSTP, 159
1:2 VLAN mapping, 298 spanning tree PVST, 159
2:2 VLAN mapping, 298 spanning tree RSTP, 159
M:1 VLAN mapping, 297 spanning tree STP, 159
MSTP VLAN-to-instance mapping table, 148 voice VLAN assignment automatic, 256
master voice VLAN assignment manual, 257
MSTP master port, 149 voice VLAN port operation normal, 258
max age timer (STP), 142 voice VLAN port operation security, 258
maximum transmission unit. Use MTU modifying
mCheck MAC address table blackhole entry, 31
global performance, 174 MAC address table entry, 30
interface view performance, 174 MAC address table entry (global), 30
spanning tree, 173 MAC address table entry (on interface), 31
MDI mode (Ethernet interface), 17 MAC address table multiport unicast entry, 31
MDIX mode (Ethernet interface), 17 monitoring
MED (LLDP-MED trapping), 331 DRNI distributed-relay (DR) device role
message calculation, 90
MRP JoinEmpty, 269 DRNI distributed-relay (DR) keepalive
MRP JoinIn, 269 mechanism, 89
MRP Leave, 269 moving
MRP LeaveAll, 269 MAC address table move notification, 38
MRP New, 269 MRP
MRP timers, 271 basic MVRP configuration, 275
MIB implementation, 269
LLDP basic configuration, 334 messages, 269
LLDP configuration, 314, 321, 334 MVRP configuration, 269, 272, 275
mode timers, 271
DRNI network, 88 MST
Ethernet interface Auto MDIX (Layer 2), 17 region max hops, 163
Ethernet interface link, 5 region max hops configuration restrictions, 163
Ethernet interface MDI (Layer 2), 17 MSTI
Ethernet interface MDIX (Layer 2), 17 calculation, 151
Ethernet link aggregation dynamic, 48 MST instance, 148
Ethernet link aggregation LACP operation MSTP, 133, See also STP
active, 51 basic concepts, 147
Ethernet link aggregation LACP operation CIST, 149
passive, 51 CIST calculation, 151
Ethernet link aggregation load sharing, 55 common root bridge, 149
Ethernet link aggregation static, 48, 49 configuration, 158, 189
LLDP customer bridge, 322 CST, 148
LLDP disable, 319, 322 device implementation, 151

382
 feature enable, 173 negotiating
features, 145 Ethernet interface automatic negotiation, 5
how it works, 150 network
IST, 149 1:1 VLAN mapping configuration, 303, 306
leaf node configuration, 159 1:2 VLAN mapping configuration, 305, 310
mode set, 159 2:2 VLAN mapping configuration, 305, 310
MST region, 148 aggregate interface physical state change
MST region configuration, 160 suppression, 66
MST region configuration restrictions, 160 common Ethernet interface settings configuration,
MSTI, 148 2
MSTI calculation, 151 configuring DRNI MAD, 105
port roles, 149 DRNI basics configuration, 115
port states, 150 DRNI concurrent IPL and keepalive link failures
handling mechanisms, 96
protocol frames, 146
DRNI configuration consistency check disable,
protocols and standards, 154
111
rapid transition, 151
DRNI configuration consistency check mode, 111
regional root, 149
DRNI DR data restoration interval, 113
relationships, 145
DRNI DR interface configuration, 109
root bridge configuration, 158
DRNI DR interface MAD shutdown exclusion, 107
spanning tree max age timer, 164
DRNI DR interface MAD shutdown inclusion, 108
spanning tree port MSTP frame recognition
DRNI DR keepalive interval+timeout timer, 105
mode configuration, 171
DRNI DR keepalive packet parameter, 104
VLAN-to-instance mapping table, 148
DRNI DR keepalive settings, 104
MTU
DRNI DR system auto-recovery, 112
Ethernet subinterface MTU setting (Layer 3),
20 DRNI DR system MAC address, 102
Layer 3 Ethernet aggregate interface, 65 DRNI DR system number, 102
multicast DRNI DR system priority, 103
L2PT tunneled packet destination multicast DRNI DR system setting configuration, 102
MAC address, 343 DRNI DR system+Layer 3 gateway configuration,
multiple 119
Multiple VLAN Registration Protocol. Use DRNI failure handling mechanisms, 95
MVRP DRNI IPP interface assignment, 109
Registration Protocol. Use MRP DRNI keepalive hold timer, 112
Multiple Spanning Tree Protocol. Use MSTP DRNI logical interfaces MAD shutdown exclusion,
multiport unicast entry (MAC address table), 28, 31 107
multiport unicast entry (MAC address DRNI MAD, 105
table)(VXLAN), 32 DRNI MAD action, 106
MVRP DRNI MAD DOWN state persistence, 108
basic configuration, 275 DRNI network mode, 88
configuration, 269, 272, 275 DRNI sequence number check, 113, 114
configuration restrictions, 272 DRNI short DRCP timeout timer, 111
display, 275 dynamic link aggregation, 50
GVRP compatibility, 274 Ethernet aggregate interface jumbo frame
maintain, 275 support, 64
MRP implementation, 269 Ethernet interface auto power-down, 11
protocols and standards, 272 Ethernet interface automatic negotiation, 5
registration modes, 271 Ethernet interface autonegotiation speed options
(Layer 2), 16
timer set, 273
Ethernet interface basic settings, 4
N Ethernet interface bridging enable (Layer 2), 19

383
Ethernet interface cable connection (Layer 2), Ethernet link aggregation operational key, 48
19 Ethernet link aggregation reference port, 53
Ethernet interface configuration (Layer 2), 16 Ethernet link aggregation reference port choice,
Ethernet interface configuration (Layer 3), 20 49
Ethernet interface dampening, 7 Ethernet subinterface basic settings, 4
Ethernet interface EEE, 11 Ethernet subinterface configuration (Layer 3), 20
Ethernet interface energy-saving features, 11 Ethernet subinterface MTU setting (Layer 3), 20
Ethernet interface fiber port (Layer 2), 13 IP subnet-based VLAN, 212
Ethernet interface generic flow control, 10 IP subnet-based VLAN configuration, 219, 227
Ethernet interface interface alarm functions, IPP retain MAC address entries for down
14 single-homed devices, 110
Ethernet interface jumbo frame support, 6 L2PT for LACP configuration, 345
Ethernet interface Layer 3 forwarding enable L2PT for STP configuration, 344
(Layer 2), 20 L2PT tunneled packet destination multicast MAC
Ethernet interface link flapping protection, 9 address, 343
Ethernet interface link mode, 5 LLDP basic configuration, 334
Ethernet interface loopback testing, 12 LLDP configuration (CDP-compatible), 338
Ethernet interface MDIX mode (Layer 2), 17 LLDP source MAC address, 332
Ethernet interface MTU setting (Layer 3), 20 loop detection basic configuration, 200, 202
Ethernet interface physical state change loop detection enable, 198
suppression, 6 loop detection enable (global), 198
Ethernet interface physical type configuration loop detection enable (port), 198
(single combo), 2 loop detection interval, 197, 199
Ethernet interface split (40-GE), 3 loop detection protection action setting, 199
Ethernet interface statistics polling interval, 12 loop protection actions, 197
Ethernet interface storm control (Layer 2), 18 M:1 VLAN mapping configuration, 303, 309
Ethernet interface storm suppression, 9 MAC address move suppression, 38
Ethernet interfaces combine (10-GE > 40-GE), MAC address table address synchronization, 36
3
MAC address table ARP fast update, 39
Ethernet link aggregate interface configuration
MAC address table blackhole entry, 31
(Layer 2 edge), 81
MAC address table dynamic aging timer, 33
Ethernet link aggregation (static mode), 49
MAC address table entry configuration, 30
Ethernet link aggregation aggregate interface
types, 47 MAC address table entry types, 28
Ethernet link aggregation application scenario, MAC address table learning limit, 35
47 MAC address table learning priority, 36
Ethernet link aggregation configuration types, MAC address table move notification, 38
48 MAC address table multiport unicast entry, 31
Ethernet link aggregation edge aggregate MAC address table SNMP notification, 41
interface, 55 MAC address table static source check, 40
Ethernet link aggregation group configuration MAC Information configuration, 45, 45
(Layer 2 dynamic), 79 MAC-based VLAN, 210
Ethernet link aggregation group configuration MAC-based VLAN assignment (dynamic), 217
(Layer 2 static), 77
MAC-based VLAN assignment (server-assigned),
Ethernet link aggregation group configuration 212
(Layer 3 dynamic), 83
MAC-based VLAN assignment (static), 216
Ethernet link aggregation group configuration
MAC-based VLAN configuration, 216, 225
(Layer 3 static), 82
MAC-based VLAN configuration
Ethernet link aggregation group reference port
(server-assigned), 218
selection criteria, 71
management Ethernet interface configuration, 1
Ethernet link aggregation member port state,
49, 53 MRP timers, 271
Ethernet link aggregation modes, 48 MST region configuration, 160

384
MSTP basic concepts, 147 RSTP port state, 143
MSTP configuration, 189 RSTP root bridge configuration, 156
MSTP leaf node configuration, 159 simple multichassis link aggregation, 55
MSTP root bridge configuration, 158 spanning tree BPDU drop, 184
MVRP timer set, 273 spanning tree BPDU filter, 180
port isolation community VLAN configuration, spanning tree BPDU guard, 179
127, 129 spanning tree BPDU transmission rate, 165
port isolation configuration, 128 spanning tree device edge port reactivation
port isolation group assignment (multiple disable, 187
ports), 127 spanning tree Digest Snooping, 175
port-based VLAN, 209 spanning tree dispute guard, 184
port-based VLAN assignment (access port), spanning tree edge port, 166
214 spanning tree inconsistent PVID protection
port-based VLAN assignment (hybrid port), disable, 174
215 spanning tree leaf node configuration, 156
port-based VLAN assignment (trunk port), 215 spanning tree loop guard, 181
port-based VLAN configuration, 214 spanning tree mode set, 159
PPPoE relay configuration, 353, 357 spanning tree No Agreement Check, 176
private VLAN creation (primary), 238 spanning tree port link type, 171
private VLAN creation (secondary), 238 spanning tree port MSTP frame recognition mode,
private VLAN downlink port configuration, 239 171
private VLAN Layer 3 communication spanning tree port path cost, 167, 170
(secondary VLAN), 240 spanning tree port priority, 170
private VLAN Layer 3 communication spanning tree port role restriction, 182
configuration (secondary), 251
spanning tree port state transition, 172
private VLAN primary+secondary association,
spanning tree priority, 162
239
spanning tree protection, 179
private VLAN promiscuous port configuration,
241 spanning tree protocol configuration, 155, 155
private VLAN trunk promiscuous port spanning tree root bridge, 161
configuration, 244 spanning tree root bridge (device), 161
private VLAN trunk promiscuous+secondary spanning tree root bridge configuration, 155
port configuration, 247 spanning tree root guard, 181
private VLAN uplink port configuration, 239, spanning tree secondary root bridge (device), 162
239 spanning tree SNMP notification (new-root
protocol-based VLAN, 213 election, topology change events), 187
protocol-based VLAN configuration, 219, 228 spanning tree switched network diameter, 163
PVST BPDU guard, 184 spanning tree TC BPDU event logging (PVST
PVST configuration, 193 mode), 187
PVST leaf node configuration, 158 spanning tree TC Snooping, 178
PVST root bridge configuration, 157 spanning tree TC-BPDU guard, 183
QinQ basic configuration, 292 spanning tree TC-BPDU transmission restriction,
QinQ CVLAN tag TPID value, 290 183
QinQ SVLAN tag TPID value, 290 STP algorithm calculation, 136
QinQ VLAN tag TPID value, 289 STP basic concepts, 135
QinQ VLAN transparent transmission, 288 STP path cost, 136
QinQ VLAN transparent transmission super VLAN configuration, 233, 234
configuration, 294 super VLAN interface configuration, 233
RSTP basic concepts, 143 super VLAN sub-VLAN creation, 232
RSTP leaf node configuration, 157 VLAN basic configuration, 213
RSTP network convergence, 142 VLAN creation, 213
RSTP port role, 143 VLAN group configuration, 220

385
 VLAN interface, 221 L2PT configuration, 340, 342, 344
VLAN Layer 3 communication, 213 LLDP configuration, 314, 321, 334
VLAN mapping 1:1 implementation, 300 loop detection, 196
VLAN mapping 1:2 implementation, 301 loop detection configuration, 198, 200
VLAN mapping 2:2 implementation, 301 MAC address table configuration, 28, 29, 42, 42
VLAN mapping M:1 implementation, 300 MAC Information configuration, 43
VLAN port-based configuration, 223 MVRP, 269, 272, 275
VLAN types, 209 port isolation configuration, 127, 128
voice VLAN ACL resource occupation mode PPPoE configuration, 350, 357
configuration, 260 PPPoE network structure, 350
voice VLAN advertisement (CDP), 264 PPPoE network structure (host-initiated), 351
voice VLAN advertisement (LLDP or CDP), PPPoE network structure (router-initiated), 350
263 PPPoE relay fundamentals, 351
voice VLAN advertisement (LLDP), 263 private VLAN configuration, 237, 238, 241
voice VLAN assignment mode, 256 QinQ configuration, 285, 292
voice VLAN assignment mode configuration spanning tree configuration, 189
(automatic), 265
spanning tree overview, 133
voice VLAN assignment mode configuration
super VLAN configuration, 232
(manual), 266
VLAN configuration, 208, 223
voice VLAN configuration, 265
VLAN mapping configuration, 297, 302, 306
voice VLAN host+IP phone connection (in
series), 255 voice VLAN configuration, 254, 259
voice VLAN information advertisement to IP voice VLAN configuration restrictions and
phones, 255 guidelines, 259
voice VLAN IP phone access method, 255 No Agreement Check (spanning tree), 176
voice VLAN IP phone identification (LLDP), node
255 MSTP leaf node configuration, 159
voice VLAN IP phone identification (OUI PVST leaf node configuration, 158
address), 254 RSTP leaf node configuration, 157
voice VLAN IP phone+device connection, 256 spanning tree leaf node configuration, 156
voice VLAN LLDP automatic IP phone no-learning action (loop detection), 197
discovery enable, 263 normal
voice VLAN port operation configuration voice VLAN operation mode, 258
(automatic assignment), 261 notifying
voice VLAN port operation configuration MAC address table move notification, 38
(manual assignment), 262
MAC address table SNMP notification, 41
voice VLAN port operation mode, 258
MAC Information change notification interval, 44
voice VLAN port operation mode configuration,
spanning tree SNMP notification (new-root
261
election, topology change events), 187
voice VLAN traffic QoS priority settings, 259
null interface
VXLAN MAC address table multiport unicast
configuration, 23
entry, 32
display, 25
network management
maintain, 25
basic MVRP, 275
number
DRNI configuration, 88, 101, 115
DRNI DR system number, 102
Ethernet interface configuration, 1
Ethernet link aggregation configuration, 47, 56, O
77 operational key (Ethernet link aggregation), 48
interface bulk configuration, 26, 27 organization-specific LLDPDU TLV types, 316
interface configuration (inloopback), 23 OUI
interface configuration (loopback), 23 voice VLAN IP phone identification (OUI address),
interface configuration (null), 23 254

386
 voice VLAN IP phone identification method, dynamic link aggregation, 50
254 Ethernet aggregate interface, 63
outputting Ethernet aggregate interface (description), 63
spanning tree port state transition information, Ethernet aggregate interface (MAC address), 64
172 Ethernet interface fiber port (Layer 2), 13
P Ethernet link aggregate group Selected ports
min/max, 69
P/A transition (STP), 152
Ethernet link aggregate interface (expected
packet
bandwidth), 65
1:1 VLAN mapping configuration, 303, 306
Ethernet link aggregate interface configuration
1:2 VLAN mapping configuration, 305, 310 (Layer 2 edge), 81
2:2 VLAN mapping configuration, 305, 310 Ethernet link aggregate interface default settings,
DRNI DR keepalive packet parameter, 104 67
Ethernet link aggregation group BFD, 75 Ethernet link aggregate interface shutdown, 67
Ethernet link aggregation packet type-based Ethernet link aggregation (static mode), 49
load sharing, 55 Ethernet link aggregation aggregate interface
L2PT configuration, 340, 342, 344 types, 47
L2PT for LACP configuration, 345 Ethernet link aggregation configuration, 47, 56, 77
L2PT for STP configuration, 344 Ethernet link aggregation configuration types, 48
L2PT tunneled packet destination multicast Ethernet link aggregation device capability
MAC address, 343 configuration, 70
LLDP CDP compatibility, 329 Ethernet link aggregation edge aggregate
M:1 VLAN mapping configuration, 303, 309 interface, 55, 66
VLAN mapping configuration, 297, 302, 306 Ethernet link aggregation group (Layer 2), 59
PAP Ethernet link aggregation group (Layer 3), 60
PPPoE configuration, 350, 357 Ethernet link aggregation group configuration
parameter (Layer 2 dynamic), 79
DRNI DR keepalive packet parameter, 104 Ethernet link aggregation group configuration
spanning tree timeout factor, 165 (Layer 2 static), 77
PE Ethernet link aggregation group configuration
(Layer 3 dynamic), 83
L2PT configuration, 340, 342, 344
Ethernet link aggregation group configuration
L2PT for LACP configuration, 345 (Layer 3 static), 82
L2PT for STP configuration, 344 Ethernet link aggregation group load sharing, 72
per-flow load sharing, 55 Ethernet link aggregation group reference port
performing selection criteria, 71
spanning tree mCheck, 173 Ethernet link aggregation LACP port priority, 51
spanning tree mCheck globally, 174 Ethernet link aggregation load sharing mode, 55
spanning tree mCheck in interface view, 174 Ethernet link aggregation local-first load sharing,
per-packet load sharing, 55 73
Per-VLAN Spanning Tree Protocol. Use PVST Ethernet link aggregation member port, 47
physical Ethernet link aggregation member port state, 47,
aggregate interface physical state change 49, 53
suppression, 66 Ethernet link aggregation modes, 48
Ethernet interface physical state change Ethernet link aggregation operational key, 48
suppression, 6 Ethernet link aggregation reference port, 53
Point-to-Point Protocol over Ethernet. Use PPPoE Ethernet link aggregation reference port choice,
polling 49
Ethernet interface statistics polling interval, 12 Ethernet link aggregation Selected member port
LLDP enable, 328 selection, 71
port Ethernet link aggregation traffic redirection, 74
aggregate interface system ID, 57 isolation. See port isolation
basic MVRP application, 275

387
Layer 3 aggregate interface configuration spanning tree path cost calculation standard, 167
MTU, 65 spanning tree path cost configuration, 167, 170
LLDP ARP entry generation, 332, 332, 332 spanning tree port link type configuration, 171
LLDP basic configuration, 334 spanning tree port MSTP frame recognition mode
LLDP configuration, 314, 321, 334 configuration, 171
LLDP disable operating mode, 319 spanning tree port priority configuration, 170
LLDP enable, 322 spanning tree port role restriction, 182
LLDP frame encapsulation format, 327 spanning tree port state transition output, 172
LLDP frame reception, 320 spanning tree root guard, 181
LLDP frame transmission, 320 spanning tree TC-BPDU guard, 183
LLDP frame transmission and reception, 320 spanning tree TC-BPDU transmission restriction,
LLDP operating mode, 322 183
LLDP polling, 328 STP designated port, 135
LLDP reinitialization delay, 323 STP edge port rapid transition, 151
LLDP Rx operating mode, 319 STP port state, 135
LLDP Tx operating mode, 319 STP rapid transition, 151
LLDP TxRx operating mode, 319 STP root port, 135
loop detection basic configuration, 200, 202 STP root port rapid transition, 152
loop detection configuration, 196, 198, 200 VLAN port link type, 209
loop detection interval, 197, 199 voice VLAN port operation configuration
loop detection protection action setting, 199 (automatic assignment), 261
loop detection protection actions, 197 voice VLAN port operation configuration (manual
assignment), 262
loop detection status auto recovery, 197
voice VLAN port operation mode, 258
MAC address learning, 28
VXLAN MAC address table multiport unicast entry,
MAC address table blackhole entry, 31
32
MAC address table configuration, 28, 29, 42,
port isolation
42
community VLAN configuration, 127, 129
MAC address table entry configuration, 30
configuration, 127, 128, 128
MAC address table multiport unicast entry, 31
display, 128
MAC Information configuration, 43, 45, 45
group assignment (multiple ports), 127
manual link aggregation, 58
port-based VLAN
MST port roles, 149
assignment (access port), 214
MST port states, 150
assignment (hybrid port), 215
MVRP application, 269, 272, 275
assignment (trunk port), 215
MVRP timer set, 273
configuration, 214, 223
private VLAN downlink port configuration, 239
configuration restrictions, 214
private VLAN uplink port configuration, 239,
239 port frame handling, 209
PVST BPDU guard, 184 port link type, 209
QinQ implementation, 286 PVID, 209
RSTP network convergence, 142 type, 209
simple multichassis link aggregation, 55 power
spanning tree BPDU drop, 184 Ethernet interface auto power-down, 11
spanning tree BPDU filter, 180 Ethernet interface EEE, 11
spanning tree BPDU guard, 179 Ethernet interface energy-saving features, 11
spanning tree BPDU transmission rate, 165 PPP
spanning tree dispute guard, 184 PPPoE configuration, 350, 357
spanning tree edge port configuration, 166 protocols and standards, 353
spanning tree forward delay timer, 164 PPPoE
spanning tree loop guard, 181 configuration, 350, 357
spanning tree mCheck, 173 configuration restrictions, 353

388
 display, 356 adding MAC address table multiport unicast entry,
maintain, 356 31
network structure, 350 assigning DRNI IPP interface, 109
network structure (host-initiated), 351 assigning MAC address table learning priority to
network structure (router-initiated), 350 interface, 36
PPPoE relay enable, 353 assigning port isolation group (multiple ports), 127
PPPoE relay trusted port configure, 353 assigning port-based VLAN hybrid port, 215
relay configuration, 353, 357 assigning port-based VLAN trunk port, 215
PPPoE relay associating private VLAN primary+secondary,
239
configuring vendor-specific tag processing
policy for client-side PPPoE packet (global), bulk configuring interfaces, 26, 27
355, 356 combining Ethernet interfaces (10-GE > 40-GE),
configuring vendor-specific tag processing 3
policy for client-side PPPoE packet (interface), configuring 1:1 VLAN mapping, 303, 306
355, 356 configuring 1:2 VLAN mapping, 305, 310
fundamentals, 351 configuring 2:2 VLAN mapping, 305, 310
PPPoE relay trusted port configuring aggregate interface physical state
configure, 353 change suppression, 66
priority configuring aggregate interface system ID, 57
DR device role priority setting, 103 configuring automatic link aggregation, 62
DRNI DR system priority, 103 configuring basic MVRP, 275
dynamic link aggregation, 50 configuring circuit ID padding format for
Ethernet link aggregation LACP port priority, client-side PPPoE packet, 355
51 configuring common Ethernet interface settings, 2
Ethernet link aggregation LACP system configuring default DRNI MAD action, 106
priority, 51 configuring DRNI, 101
MAC address table learning priority, 36 configuring DRNI basics, 115
QinQ SVLAN tag 802.1p priority, 290 configuring DRNI DR interface, 109
spanning tree device priority, 162 configuring DRNI DR keepalive packet parameter,
spanning tree port priority configuration, 170 104
private VLAN configuring DRNI DR keepalive settings, 104
configuration, 237, 238, 241 configuring DRNI DR system auto-recovery, 112
configuration restrictions, 238 configuring DRNI DR system MAC address, 102
display, 241 configuring DRNI DR system setting, 102
downlink port configuration, 239 configuring DRNI DR system+Layer 3 gateway,
Layer 3 communication (secondary VLAN), 119
240 configuring DRNI MAD, 105
Layer 3 communication configuration configuring Ethernet aggregate interface, 63
(secondary), 251 configuring Ethernet aggregate interface
primary creation, 238 (description), 63
primary+secondary association, 239 configuring Ethernet aggregate interface jumbo
promiscuous port configuration, 241 frame support, 64
secondary creation, 238 configuring Ethernet interface (Layer 2), 16
trunk promiscuous port configuration, 244 configuring Ethernet interface (Layer 3), 20
trunk promiscuous+secondary port configuring Ethernet interface auto power-down,
configuration, 247 11
uplink port configuration, 239, 239 configuring Ethernet interface basic settings, 4
procedure configuring Ethernet interface dampening, 7
adding MAC address table blackhole entry, 31 configuring Ethernet interface EEE, 11
adding MAC address table entry (global), 30 configuring Ethernet interface energy-saving
features, 11
adding MAC address table entry (on interface),
31

389
configuring Ethernet interface generic flow configuring LAN switching QinQ CVLAN tag TPID
control, 10 value, 290
configuring Ethernet interface interface alarm configuring LAN switching QinQ SVLAN tag TPID
functions, 14 value, 290
configuring Ethernet interface jumbo frame configuring LAN switching QinQ VLAN tag TPID
support, 6 value, 289
configuring Ethernet interface link mode, 5 configuring LLDP, 321
configuring Ethernet interface physical state configuring LLDP (CDP-compatible), 338
change suppression, 6 configuring LLDP advertisable TLVs, 323
configuring Ethernet interface physical type configuring LLDP basics, 334
(single combo), 2 configuring LLDP CDP compatibility, 329
configuring Ethernet interface storm control configuring LLDP management address TLV
(Layer 2), 18 advertisement, 326
configuring Ethernet interface storm configuring LLDP trapping, 331
suppression, 9
configuring LLDP-MED trapping, 331
configuring Ethernet link aggregate interface
configuring loop detection, 198
(Layer 2 edge), 81
configuring loop detection basics, 200, 202
configuring Ethernet link aggregation, 56
configuring M:1 VLAN mapping, 303, 309
configuring Ethernet link aggregation device
capability, 70 configuring MAC address borrowing, 332
configuring Ethernet link aggregation edge configuring MAC address move suppression, 38
aggregate interface, 66 configuring MAC address table, 29, 42
configuring Ethernet link aggregation group configuring MAC address table multiport unicast
(Layer 2 dynamic), 79 entry (global), 32
configuring Ethernet link aggregation group configuring MAC address table multiport unicast
(Layer 2 static), 77 entry (on interface), 32
configuring Ethernet link aggregation group configuring MAC Information, 45
(Layer 3 dynamic), 83 configuring MAC Information mode, 43
configuring Ethernet link aggregation group configuring MAC-based VLAN, 216, 225
(Layer 3 static), 82 configuring MAC-based VLAN (server-assigned),
configuring Ethernet link aggregation group 218
BFD, 75 configuring MAC-based VLAN assignment
configuring Ethernet link aggregation group (dynamic), 217
configuration (Layer 2 dynamic), 59 configuring MAC-based VLAN assignment (static),
configuring Ethernet link aggregation group 216
configuration (Layer 2 static), 59 configuring management Ethernet interface, 1
configuring Ethernet link aggregation group configuring manual link aggregation, 58
configuration (Layer 3 dynamic), 61 configuring MST region, 160
configuring Ethernet link aggregation group configuring MST region max hops, 163
configuration (Layer 3 static), 60
configuring MSTP, 158, 189
configuring Ethernet link aggregation group
configuring MSTP leaf nodes, 159
load sharing, 72
configuring MSTP root bridge, 158
configuring Ethernet link aggregation group
reference port selection criteria, 71 configuring MVRP, 272, 275
configuring Ethernet link aggregation S-MLAG, configuring port isolation, 128
62, 62, 85, 85 configuring port isolation community VLAN, 127,
configuring Ethernet subinterface (Layer 3), 129
20 configuring port-based VLAN, 214, 223
configuring Ethernet subinterface basic configuring PPPoE relay, 353, 357
settings, 4 configuring PPPoE relay trusted port, 353
configuring IP subnet-based VLAN, 219, 227 configuring private VLAN, 238
configuring L2PT, 342 configuring private VLAN downlink port, 239
configuring L2PT for LACP, 345 configuring private VLAN Layer 3 communication
configuring L2PT for STP, 344 (secondary VLAN), 240

390
configuring private VLAN Layer 3 configuring spanning tree secondary root bridge
communication (secondary), 251 (device), 162
configuring private VLAN promiscuous port, configuring spanning tree switched network
241 diameter, 163
configuring private VLAN trunk promiscuous configuring spanning tree TC Snooping, 178
port, 244 configuring spanning tree TC-BPDU transmission
configuring private VLAN trunk restriction, 183
promiscuous+secondary port, 247 configuring spanning tree timeout factor, 165
configuring private VLAN uplink port, 239, 239 configuring spanning tree timer, 164
configuring protocol-based VLAN, 219, 228 configuring STP, 155
configuring PVST, 157, 193 configuring super VLAN, 232, 233, 234
configuring PVST leaf nodes, 158 configuring super VLAN interface, 233
configuring PVST root bridge, 157 configuring vendor-specific tag processing policy
configuring QinQ basics, 292 for client-side PPPoE packet (global), 355, 356
configuring QinQ VLAN transparent configuring vendor-specific tag processing policy
transmission, 288, 294 for client-side PPPoE packet (interface), 355, 356
configuring remote ID padding format for configuring VLAN basic settings, 213
client-side PPPoE packet, 355 configuring VLAN group, 220
configuring RSTP, 156 configuring VLAN interface, 221
configuring RSTP leaf nodes, 157 configuring VLAN mapping, 302
configuring RSTP root bridge, 156 configuring voice VLAN, 259
configuring spanning tree BPDU filter, 180 configuring voice VLAN ACL resource occupation
configuring spanning tree BPDU filter (on mode, 260
interface), 181 configuring voice VLAN advertisement (CDP),
configuring spanning tree BPDU guard, 179 264
configuring spanning tree BPDU guard (on configuring voice VLAN advertisement (LLDP or
interface), 180 CDP), 263
configuring spanning tree BPDU transmission configuring voice VLAN advertisement (LLDP),
rate, 165 263
configuring spanning tree device priority, 162 configuring voice VLAN assignment mode
configuring spanning tree Digest Snooping, (automatic), 265
175 configuring voice VLAN assignment mode
configuring spanning tree edge port, 166 (manual), 266
configuring spanning tree leaf nodes, 156 configuring voice VLAN port operation (automatic
configuring spanning tree No Agreement assignment), 261
Check, 176 configuring voice VLAN port operation (manual
configuring spanning tree port link type, 171 assignment), 262
configuring spanning tree port MSTP frame configuring voice VLAN port operation mode, 261
recognition mode for MSTP frames, 171 configuring voice VLAN traffic QoS priority
configuring spanning tree port path cost, 167, settings, 259
170 configuring VXLAN MAC address table multiport
configuring spanning tree port priority, 170 unicast entry, 32, 32
configuring spanning tree port role restriction, creating private VLAN (primary), 238
182 creating private VLAN (secondary), 238
configuring spanning tree protection, 179 creating super VLAN sub-VLAN, 232
configuring spanning tree protocols, 155 creating VLAN, 213
configuring spanning tree root bridge, 155, disabling DRNI configuration consistency check,
161 111
configuring spanning tree root bridge (device), disabling LLDP PVID inconsistency check, 329
161 disabling MAC address learning (global), 34
configuring spanning tree secondary root disabling MAC address learning (on interface), 34
bridge, 161 disabling MAC address learning (on VLAN), 35

391
disabling MAC address table static source enabling Ethernet link aggregation traffic
check, 40 redirection (aggregation group), 75
disabling Selected port selection for enabling Ethernet link aggregation traffic
aggregation groups, 71 redirection (global), 74
disabling spanning tree device edge port enabling Ethernet link aggregation transparent
reactivation, 187 LACPDU transmission, 68
disabling spanning tree dispute guard, 184 enabling L2PT, 342
disabling spanning tree inconsistent PVID enabling L2PT (for protocol) (Layer 2 Ethernet
protection, 174 interface view), 343, 343
displaying bulk interface configuration, 27 enabling LLDP, 322
displaying DRNI, 114 enabling LLDP ARP entry generation, 332
displaying Ethernet interface, 21 enabling LLDP ND entry generation, 332, 332
displaying Ethernet link aggregation, 76 enabling LLDP polling, 328
displaying Ethernet subinterface, 21 enabling loop detection (global), 198
displaying interface, 25 enabling loop detection (port), 198
displaying L2PT, 344 enabling MAC address synchronization, 36
displaying LLDP, 333 enabling MAC address table ARP fast update, 39
displaying loop detection, 200 enabling MAC address table move notification, 38
displaying MAC address table, 41 enabling MAC address table SNMP notification,
displaying MVRP, 275 41
displaying port isolation, 128 enabling MAC Information, 43
displaying PPPoE, 356 enabling MVRP GVRP compatibility, 274
displaying private VLAN, 241 enabling PPPoE relay, 353
displaying QinQ, 292 enabling PVST BPDU guard, 184
displaying spanning tree, 188 enabling QinQ, 287
displaying super VLAN, 234 enabling spanning tree BPDU drop, 184
displaying VLAN, 223 enabling spanning tree BPDU filter (global), 180
displaying VLAN mapping, 306 enabling spanning tree BPDU guard (global), 180
displaying voice VLAN, 264 enabling spanning tree feature, 172
enable Ethernet interface bridging (Layer 2), enabling spanning tree loop guard, 181
19 enabling spanning tree port state transition
enable Ethernet interface Layer 3 forwarding information output, 172
(Layer 2), 20 enabling spanning tree root guard, 181
enabling DRNI sequence number check, 113, enabling spanning tree SNMP notification
114 (new-root election, topology change events), 187
enabling DRNI short DRCP timeout timer, 111 enabling spanning tree TC BPDU event logging
enabling DRNI standalone mode, 104 (PVST mode), 187
enabling Ethernet interface automatic enabling spanning tree TC-BPDU guard, 183
negotiation, 5 enabling stripping vendor-specific tag of PPPoE
enabling Ethernet interface link flapping server-side packet on interface, 354
protection, 9 enabling voice VLAN LLDP automatic IP phone
enabling Ethernet interface loopback testing, discovery, 263
12 excluding DRNI DR interface from MAD shutdown,
enabling Ethernet link aggregation local-first 107
load sharing, 73 excluding DRNI logical interfaces from MAD
enabling Ethernet link aggregation local-first shutdown, 107
load sharing (global), 73 forcing Ethernet interface fiber port (Layer 2), 13
enabling Ethernet link aggregation traffic including DRNI DR interface from MAD shutdown,
isolation, 75, 75 108
enabling Ethernet link aggregation traffic maintaining DRNI, 114
redirection, 74 maintaining Ethernet interface, 21
maintaining Ethernet link aggregation, 76

392
maintaining Ethernet subinterface, 21 setting LLDP frame encapsulation format, 327
maintaining interface, 25 setting LLDP frame tramission parameters, 327
maintaining L2PT, 344 setting LLDP operating mode, 322
maintaining MVRP, 275 setting LLDP reinitialization delay, 323
maintaining PPPoE, 356 setting LLDP source MAC address, 332
maintaining spanning tree, 188 setting loop detection interval, 199
maintaining VLAN, 223 setting loop detection protection action (global),
modifying MAC address table blackhole entry, 199
31 setting loop detection protection action (interface),
modifying MAC address table entry (global), 199
30 setting MAC address table dynamic aging timer,
modifying MAC address table entry (on 33
interface), 31 setting MAC Information change notification
modifying MAC address table multiport interval, 44
unicast entry, 31 setting MAC Information queue length, 44
performing spanning tree mCheck, 173 setting MVRP timer, 273
performing spanning tree mCheck globally, setting QinQ SVLAN tag 802.1p priority, 290
174 setting spanning tree mode, 159
performing spanning tree mCheck in interface setting timeout for receiving LLDP frames, 328
view, 174 shutting down Ethernet link aggregate interface,
restore the default settings (Ethernet), 15 67
restoring Ethernet link aggregate interface specifying spanning tree port path cost calculation
default settings, 67 standard, 167
setting DR device role priority, 103 splitting Ethernet interface (40-GE), 3
setting DRNI configuration consistency check testing Ethernet interface cable connection (Layer
mode, 111 2), 19
setting DRNI DR data restoration interval, 113 promiscuous
setting DRNI DR keepalive interval+timeout private VLAN promiscuous port configuration, 241
timer, 105 private VLAN trunk promiscuous port
setting DRNI DR system number, 102 configuration, 244
setting DRNI DR system priority, 103 private VLAN trunk promiscuous+secondary port
setting DRNI keepalive hold timer, 112 configuration, 247
setting Ethernet aggregate interface (MAC protecting
address), 64 loop detection protection action setting, 199
setting Ethernet interface autonegotiation spanning tree device edge port reactivation
speed options (Layer 2), 16 disable, 187
setting Ethernet interface MDIX mode (Layer spanning tree protection, 179
2), 17 protocol packet authentication
setting Ethernet interface MTU (Layer 3), 20 DRNI, 94
setting Ethernet interface statistics polling protocol-based VLAN
interval, 12
configuration, 219, 228
setting Ethernet link aggregate group
configuration restrictions, 220
Selected ports min/max, 69
type, 213
setting Ethernet link aggregate interface
(expected bandwidth), 65 protocols and standards
setting Ethernet link aggregation load sharing DRNI, 99
mode (global), 73 Ethernet link aggregation protocol configuration,
setting Ethernet subinterface MTU (Layer 3), 48
20 LLDP, 320
setting L2PT tunneled packet destination MSTP, 154
multicast MAC address, 343 MSTP protocol frames, 146
setting Layer 3 aggregate interface MTU, 65 MVRP, 272
setting LLDP bridge mode, 322 PPP, 353

393
 PVST protocol frames, 145 Rapid Spanning Tree Protocol. Use RSTP
QinQ, 287 rate
RSTP protocol frames, 143 spanning tree BPDU transmission rate, 165
STP protocol frames, 133 receiving
VLAN, 213 LLDP frames, 320
PVID recovering
LLDP PVID inconsistency check disable, 329 loop detection port status auto recovery, 197
spanning tree inconsistent PVID protection redirecting
disable, 174 Ethernet link aggregation traffic redirection, 74
PVID (port-based VLAN), 209 reference port
PVST, 133, See also STP Ethernet link aggregation group reference port
configuration, 157, 193 selection criteria, 71
feature enable, 173 reference port (Ethernet link aggregation), 49, 53
how it works, 145 region
leaf node configuration, 158 MST, 148
mode set, 159 MST region configuration, 160
port links, 144 MST region max hops, 163
protocol frames, 145 MST regional root, 149
rapid transition, 151 registering
root bridge configuration, 157 MVRP registration fixed mode, 271
spanning tree TC BPDU event logging (PVST MVRP registration forbidden mode, 271
mode), 187 MVRP registration normal mode, 271
Q reinitialization delay (LLDP), 323
relay
QinQ
PPPoE relay enable, 353
basic configuration, 292
remote ID padding format for client-side PPPoE
benefit, 285
packet
configuration, 285, 292
configuration, 355
configuration restrictions, 287
restoring
CVLAN tag, 285
Ethernet link aggregate interface default settings,
CVLAN tag TPID value, 290 67
display, 292 restrictions
enable, 287 BPDU transmission rate configuration, 166
how it works, 285 bulk interface configuration, 26
implementation, 286 DRNI configuration, 99
loop detection basic configuration, 200, 202 DRNI DR data restoration interval, 113
loop detection configuration, 196, 198, 200 DRNI DR interface configuration, 109
protocols and standards, 287 DRNI DR interface MAD shutdown exclusion, 107
SVLAN tag, 285 DRNI DR keepalive interval+timeout timer, 105
SVLAN tag 802.1p priority, 290 DRNI DR keepalive packet parameter
SVLAN tag TPID value, 290 configuration, 104
VLAN tag TPID value, 289 DRNI DR keepalive setting configuration, 104
VLAN transparent transmission, 288 DRNI DR system MAC address configuration,
VLAN transparent transmission configuration, 102
294 DRNI DR system number, 102
QoS DRNI DR system priority, 103
QinQ SVLAN tag 802.1p priority, 290 DRNI DRNI configuration consistency check
voice VLAN traffic QoS priority settings, 259 disable, 111
queuing DRNI IPP interface assignment, 109
MAC Information queue length, 44 DRNI short DRCP timeout timer enable, 112
R Ethernet interface dampening, 8

394
Ethernet interface link flapping protection, 9 spanning tree device edge port reactivation
Ethernet interface loopback test, 12 disable, 187
Ethernet interface storm suppression, 10 spanning tree dispute guard disable, 186
Ethernet link aggregate group Selected ports spanning tree feature compatibility, 99, 155
min/max, 62 spanning tree feature enable, 172
Ethernet link aggregate interface default spanning tree inconsistent PVID protection
setting, 67 disable, 174
Ethernet link aggregate interface shutdown, spanning tree interface configuration, 99, 155
67 spanning tree loop guard, 182
Ethernet link aggregation aggregate interface spanning tree mode setting, 160
setting (MAC address), 62 spanning tree No Agreement Check configuration,
Ethernet link aggregation attribute+protocol 177
configuration, 58 spanning tree port MSTP recognition mode
Ethernet link aggregation BFD configuration, configuration, 172
72, 76 spanning tree port path cost calculation standard,
Ethernet link aggregation configuration 169
consistency, 59 spanning tree port path cost configuration, 170
Ethernet link aggregation edge aggregate spanning tree port priority configuration, 170
interface configuration, 66
spanning tree port role restriction, 182, 182
Ethernet link aggregation group, 58
spanning tree protocol configuration, 155
Ethernet link aggregation group reference port
spanning tree root bridge configuration, 161
selection criteria, 68
spanning tree root guard enable, 181
Ethernet link aggregation Layer 2 aggregation
group, 58 spanning tree TC-BPDU guard enable, 183
Ethernet link aggregation load sharing spanning tree TC-BPDU transmission restriction,
algorithm setting, 69 183, 183
Ethernet link aggregation load sharing hash spanning tree timeout factor configuration, 165
offset adjustment, 70 STP Digest Snooping configuration, 175
Ethernet link aggregation member port, 58 STP edge port configuration, 166
Ethernet link aggregation traffic isolation, 75 STP mCheck configuration, 174
Ethernet link aggregation traffic redirection, 74 STP port link type configuration, 171
IP subnet-based VLAN configuration, 219 STP TC Snooping configuration, 178
L2PT enable, 342 STP timer configuration, 164
Layer 2 Ethernet interface fiber port, 13 super VLAN configuration, 232
Layer 2 Ethernet interface storm control VLAN configuration, 213
configuration, 18 VLAN interface configuration, 221
loop detection enable, 198 voice VLAN LLDP automatic IP phone discovery
loop detection protection action setting, 199 enable, 263
M:1 VLAN mapping configuration, 303 voice VLAN port operation configuration
MAC-based VLAN assignment configuration (automatic assignment), 261
(dynamic), 217 voice VLAN port operation configuration
MAC-based VLANconfiguration, 216 restrictions (manual assignment), 262
MST region configuration, 160 role
MST region max hops configuration, 163 DR device role priority setting, 103
MVRP configuration, 272 DRNI distributed-relay (DR) device role
calculation, 90
port-based VLANconfiguration, 214
DRNI standalone mode, 104
PPPoE configuration, 353
root
private VLAN configuration, 238
MST common root bridge, 149
protocol-based VLAN configuration, 220
MST regional root, 149
QinQ configuration, 287
MST root port role, 149
spanning tree BPDU filter configuration, 180
spanning tree root bridge, 161
spanning tree BPDU guard configuration, 179
spanning tree root bridge (device), 161

395
 spanning tree root guard, 181 MAC address table frame forwarding rule, 35
spanning tree secondary root bridge (device), S
162
STP algorithm calculation, 136 security
STP edge port rapid transition, 152 voice VLAN operation mode, 258
STP root bridge, 135 selecting
STP root port, 135 Ethernet link aggregation Selected ports min/max,
69
root bridge
Ethernet link aggregation selected state, 47
MSTP leaf node configuration, 159
Ethernet link aggregation unselected state, 47
MSTP root bridge configuration, 158
sequence number check
PVST leaf node configuration, 158
DRNI, 94
PVST root bridge configuration, 157
DRNI packet, 94
RSTP leaf node configuration, 157
series
RSTP root bridge configuration, 156
voice VLAN host+IP phone connection (in series),
spanning tree leaf node configuration, 156
255
spanning tree root bridge configuration, 155
server
router
MAC-based VLAN assignment (server-assigned),
PPPoE network structure (router-initiated), 212
350
MAC-based VLAN configuration
routing (server-assigned), 218
IP subnet-based VLAN, 212 service
IP subnet-based VLAN configuration, 219, LLDP service bridge mode, 322
227
setting
MAC-based VLAN, 210
DR device role priority, 103
MAC-based VLAN assignment (dynamic), 217
DRNI configuration consistency check mode, 111
MAC-based VLAN assignment (static), 216
DRNI DR data restoration interval, 113
MAC-based VLAN configuration, 216, 225
DRNI DR keepalive interval+timeout timer, 105
MAC-based VLAN configuration
DRNI DR system number, 102
(server-assigned), 218
DRNI DR system priority, 103
protocol-based VLAN, 213
DRNI keepalive hold timer, 112
protocol-based VLAN configuration, 219, 228
Ethernet aggregate interface (MAC address), 64
voice VLAN configuration, 254, 259, 265
Ethernet interface autonegotiation speed options
voice VLAN configuration restrictions and
(Layer 2), 16, 16
guidelines, 259
Ethernet interface MDIX mode (Layer 2), 17
voice VLAN IP phone access method, 255
Ethernet interface MTU (Layer 3), 20
RSTP, 133, See also STP
Ethernet interface statistics polling interval, 12
basic concepts, 143
Ethernet link aggregate group Selected ports
BPDU processing, 144
min/max, 69
configuration, 156
Ethernet link aggregate interface (expected
feature enable, 173 bandwidth), 65
how it works, 143 Ethernet link aggregation load sharing mode
leaf node configuration, 157 (global), 73
mode set, 159 Ethernet link aggregation member port state, 49,
MSTP device implementation, 151 53
network convergence, 142 Ethernet subinterface MTU (Layer 3), 20
port role, 143 L2PT tunneled packet destination multicast MAC
port state, 143 address, 343
protocol frames, 143 Layer 3 aggregate interface MTU, 65
rapid transition, 151 LLDP bridge mode, 322
root bridge configuration, 156 LLDP frame encapsulation format, 327
rule LLDP frame tramission parameters, 327

396
 LLDP operating mode, 322 BPDU transmission rate configuration, 165
LLDP reinitialization delay, 323 BPDU transmission rate configuration restrictions,
LLDP source MAC address, 332 166
loop detection interval, 199 configuration, 189
loop detection protection action (global), 199 device edge port reactivation disable restrictions,
loop detection protection action (interface), 187
199 device priority configuration, 162
MAC address table dynamic aging timer, 33 Digest Snooping, 175
MAC Information change notification interval, display, 188
44 dispute guard disable, 184
MAC Information queue length, 44 dispute guard disable restrictions, 186
MVRP timer, 273 edge port configuration, 166
QinQ SVLAN tag 802.1p priority, 290 feature compatibility restrictions, 99, 155
spanning tree mode, 159 feature enable, 172
timeout for receiving LLDP frames, 328 feature enable restrictions, 172
shutting down inconsistent PVID protection disable, 174
DRNI DR interface MAD shutdown exclusion, inconsistent PVID protection disable restrictions,
107 174
DRNI DR interface MAD shutdown inclusion, interface configuration restrictions, 99, 155
108 leaf node configuration, 156
DRNI logical interfaces MAD shutdown loop guard enable, 181
exclusion, 107 loop guard enable restrictions, 182
DRNI MAD action, 106 maintain, 188
DRNI MAD DOWN state persistence, 108 mCheck, 173
Ethernet link aggregate interface, 67 mode set, 159
loop detection shutdown action, 197 mode setting restrictions, 160
simple MST region max hops, 163
Ethernet link aggregation simple multichassis MST region max hops configuration restrictions,
link aggregation (S-MLAG) configuration, 62, 163
85
No Agreement Check, 176
single combo Ethernet interface, 2
No Agreement Check configuration restrictions,
S-MLAG 177
Ethernet link aggregation S-MLAG overview, 133
configuration, 62, 85
port link type configuration, 171
SNAP
port MSTP frame recognition mode configuration,
LLDP frame encapsulation, 315 171
LLDP frame encapsulation format, 327 port MSTP recognition mode configuration
SNMP restrictions, 172
MAC address table SNMP notification, 41 port path cost calculation standard, 167
MAC Information configuration, 43, 45, 45 port path cost calculation standard restrictions,
snooping 169
spanning tree Digest Snooping, 175 port path cost configuration, 167, 170
spanning tree TC Snooping, 178 port path cost configuration restrictions, 170
source port priority configuration, 170
MAC address table static source check, 40 port priority configuration restrictions, 170
spanning tree, 133, See also STP, RSTP, PVST, port role restriction, 182
MSTP port role restrictions, 182
BPDU drop, 184 port state transition output, 172
BPDU filter configuration, 180 protection configuration, 179
BPDU filter configuration restrictions, 180 protocol configuration, 155, 155
BPDU guard configuration, 179 protocol configuration restrictions, 155
BPDU guard configuration restrictions, 179

397
 PVST BPDU guard, 184 MAC address table static source check, 40
root bridge configuration, 155, 161 MAC-based VLAN assignment, 210, 216
root bridge configuration (device), 161 statistics
root bridge configuration restrictions, 161 Ethernet interface automatic negotiation, 5
root guard enable, 181 Ethernet interface statistics polling interval, 12
root guard enable restrictions, 181 storm
secondary root bridge configuration (device), Ethernet interface storm control (Layer 2), 18
162 Ethernet interface storm suppression, 9
SNMP notification enable (new-root election, STP
topology change events), 187 algorithm calculation, 136
spanning tree device edge port reactivation basic concepts, 135
disable, 187
BPDU forwarding, 141
switched network diameter, 163
configuration, 155
TC BPDU event logging (PVST mode), 187
configuration BPDUs, 133
TC Snooping, 178
designated bridge, 135
TC-BPDU guard, 183
designated port, 135
TC-BPDU guard enable restrictions, 183
Digest Snooping configuration restrictions, 175
TC-BPDU transmission restriction, 183
edge port configuration restrictions, 166
TC-BPDU transmission restrictions, 183
feature enable, 173
timeout factor configuration, 165
L2PT for STP configuration, 344
timeout factor configuration restrictions, 165
loop detection, 133
timer configuration, 164
mCheck configuration restrictions, 174
specifying
mode set, 159
DRNI IPP interface, 109
MSTP device implementation, 151
spanning tree port path cost calculation
P/A transition, 152
standard, 167
path cost, 136
speed
port link type configuration restrictions, 171
Ethernet interface autonegotiation speed
options (Layer 2), 16 port state, 135
splitting protocol frames, 133
Ethernet interface (40-GE), 3 root bridge, 135
state root port, 135
aggregate interface state change suppression, TC Snooping configuration restrictions, 178
66 TCN BPDUs, 134
Ethernet interface state change suppression, timer configuration restrictions, 164
6 timers, 142
Ethernet link aggregation member port state, subinterface, 1, See also Ethernet subinterface
47, 49, 53 LLDP ARP entry generation, 332
static LLDP ND entry generation, 332, 332
Ethernet link aggregation (static mode), 49 LLDP source MAC address, 332
Ethernet link aggregation group (Layer 2), 59 subnetting
Ethernet link aggregation group (Layer 3), 60 IP subnet-based VLAN, 212
Ethernet link aggregation group BFD, 75 IP subnet-based VLAN configuration, 219, 227
Ethernet link aggregation group configuration sub-VLAN
(Layer 2), 77 creation, 232
Ethernet link aggregation group configuration super VLAN
(Layer 3), 82
configuration, 232, 233, 234
Ethernet link aggregation mode, 48
configuration restrictions, 232
MAC address table entry, 28
display, 234
MAC address table entry configuration, 30
interface configuration, 233
MAC address table entry configuration (on
sub-VLAN creation, 232
interface), 31

398
suppressing spanning tree TC-BPDU transmission restriction,
aggregate interface physical state change, 66 183
Ethernet interface physical state change, 6 testing
Ethernet interface storm, 9 Ethernet interface cable connection (Layer 2), 19
Ethernet interface storm control configuration timeout
(Layer 2), 18 Ethernet link aggregation LACP long timeout
MAC address move, 38 interval, 51
SVLAN Ethernet link aggregation LACP short timeout
QinQ basic configuration, 292 interval, 51
QinQ configuration, 285, 292 spanning tree timeout factor, 165
QinQ SVLAN tag 802.1p priority, 290 timer
QinQ VLAN transparent transmission DRCP timeout (long), 89
configuration, 294 DRCP timeout (short), 89
VLAN mapping configuration, 297, 302, 306 DRNI distributed-relay (DR) keepalive timeout, 89
VLAN mapping implementation, 299 DRNI DR keepalive interval+timeout timer, 105
switching DRNI keepalive hold timer, 112
Ethernet interface configuration, 1 DRNI short DRCP timeout timer, 111
interface configuration (inloopback), 23 LLDP reinitialization delay, 323
interface configuration (loopback), 23 MAC address table dynamic aging, 33
interface configuration (null), 23 MRP Join, 271
spanning tree switched network diameter, 163 MRP Leave, 271
synchronizing MRP LeaveAll, 271
MAC addresses, 36 MRP Periodic, 271
syslog MVRP set, 273
MAC Information configuration, 43, 45, 45 spanning tree forward delay, 164
MAC Information mode configuration, 43 spanning tree hello, 164
system spanning tree max age, 164
DRNI DR system auto-recovery, 112 STP forward delay, 142
DRNI sequence number check, 113, 114 STP hello, 142
interface bulk configuration, 26, 27 STP max age, 142
TLV
T
LLDP advertisable TLV configuration, 323
table LLDP management address TLV advertisement,
MAC address, 28, 29, 42, 42 326
MAC address table learning limit, 35 LLDPDU basic management types, 316
MSTP VLAN-to-instance mapping table, 148 LLDPDU LLDP-MED types, 316
tag LLDPDU management address TLV, 319
1:1 VLAN mapping configuration, 303, 306 LLDPDU organization-specific types, 316
1:2 VLAN mapping configuration, 305, 310 topology
2:2 VLAN mapping configuration, 305, 310 PVST BPDU protocol frames, 145
M:1 VLAN mapping configuration, 303, 309 STP TCN BPDU protocol frames, 133
QinQ CVLAN, 285 Track
QinQ CVLAN tag TPID value, 290 LLDP collaboration, 320
QinQ SVLAN, 285 traffic
QinQ SVLAN tag 802.1p priority, 290 Ethernet link aggregation traffic isolation, 75
QinQ SVLAN tag TPID value, 290 Ethernet link aggregation traffic redirection, 74
QinQ VLAN tag TPID value, 289 private VLAN configuration, 241
VLAN mapping configuration, 297, 302, 306 private VLAN creation (primary), 238
TC Snooping (spanning tree), 178 private VLAN creation (secondary), 238
TC-BPDU private VLAN primary+secondary association,
spanning tree TC-BPDU guard, 183 239

399
 voice VLAN traffic QoS priority settings, 259 virtualizing
transmitting DRNI basics configuration, 115
LLDP frames, 320 DRNI configuration, 88, 101, 115
QinQ VLAN transparent transmission, 288, VLAN
294 basic configuration, 213
spanning tree TC-BPDU transmission basic MVRP configuration, 275
restriction, 183 configuration, 208, 223
transmitting and receiving configuration restrictions, 213
LLDP frames, 320 creation, 213
transparent transmission (QinQ for VLAN), 288, display, 223
294
frame encapsulation, 208
trapping
group configuration, 220
LLDP configuration, 331
interface configuration, 221
LLDP-MED configuration, 331
interface configuration restrictions, 221
MAC address table SNMP notification, 41
IP subnet-based VLAN, 212
MAC Information configuration, 43, 45, 45
IP subnet-based VLAN configuration, 219, 227
MAC Information mode configuration, 43
IP subnet-based VLAN configuration restrictions,
spanning tree SNMP notification (new-root 219
election, topology change events), 187
L2PT configuration, 340, 342, 344
trunk port
L2PT for LACP configuration, 345
port-based VLAN assignment (trunk port), 215
L2PT for STP configuration, 344
private VLAN trunk promiscuous port
Layer 3 communication, 213
configuration, 244
LLDP CDP compatibility, 329
private VLAN trunk promiscuous+secondary
port configuration, 247 LLDP configuration (CDP-compatible), 338
trusted port LLDP source MAC address, 332
PPPoE relay trusted port enable, 353 loop detection basic configuration, 200, 202
tunneling loop detection configuration, 196, 198, 200
L2PT configuration, 340, 342, 344 MAC address learning disable, 35
L2PT enable, 342 MAC-based assignment (dynamic), 217
L2PT for LACP configuration, 345 MAC-based assignment (static), 216
L2PT for STP configuration, 344 MAC-based configuration, 225
L2PT tunneled packet destination multicast MAC-based VLAN, 210
MAC address, 343 MAC-based VLAN configuration, 216
MAC-based VLAN configuration
U
(server-assigned), 218
unicast MAC-based VLAN configuration restrictions, 216
MAC address table configuration, 28, 29, 42, maintain, 223
42 mapping. See VLAN mapping
MAC address table multiport unicast entry, 28 MRP implementation, 269
V MSTP VLAN-to-instance mapping table, 148
vendor-specific tag MVRP configuration, 269, 272, 275
enabling stripping vendor-specific tag of MVRP GVRP compatibility, 274
PPPoE server-side packet on interface, 354 port isolation community VLAN configuration, 127,
vendor-specific tag processing policy for 129
client-side PPPoE packet (global) port isolation configuration, 127, 128
configuration, 355, 356 port link type, 209
vendor-specific tag processing policy for port-based, 209
client-side PPPoE packet (interface) port-based configuration, 214, 223
configuration, 355, 356 port-based configuration restrictions, 214
virtual port-based VLAN assignment (access port), 214
Virtual Local Area Network. Use VLAN port-based VLAN assignment (hybrid port), 215

400
port-based VLAN assignment (trunk port), 215 voice VLAN port operation configuration
port-based VLAN frame handling, 209 (automatic assignment), 261
private VLAN configuration, 237, 238 voice VLAN port operation configuration (manual
private VLAN configuration restrictions, 238 assignment), 262
protocol-based VLAN, 213 voice VLAN port operation configuration
restrictions (automatic assignment), 261
protocol-based VLAN configuration, 219, 228
voice VLAN port operation configuration
protocol-based VLAN configuration
restrictions (manual assignment), 262
restrictions, 220
voice VLAN port operation mode, 258
protocols and standards, 213
voice VLAN port operation mode configuration,
PVID, 209
261
PVST, 144
voice VLAN traffic QoS priority settings, 259
QinQ basic configuration, 292
VLAN mapping
QinQ benefit, 285
0:2 implementation, 299
QinQ configuration, 285, 292
1:1 application scenario, 297
QinQ CVLAN tag, 285
1:1 configuration, 303, 306
QinQ CVLAN tag TPID value, 290
1:1 implementation, 299, 300
QinQ implementation, 286
1:2 application scenario, 298
QinQ SVLAN tag, 285
1:2 configuration, 305, 310
QinQ SVLAN tag 802.1p priority, 290
1:2 implementation, 299, 301
QinQ SVLAN tag TPID value, 290
2:2 application scenario, 298
QinQ transparent transmission, 288
2:2 configuration, 305, 310
QinQ VLAN tag TPID value, 289
2:2 implementation, 299, 301
QinQ VLAN transparent transmission
2:3 implementation, 299
configuration, 294
configuration, 297, 302, 306
spanning tree inconsistent PVID protection
disable, 174 display, 306
super VLAN configuration, 232, 233, 234 M:1 application scenario, 297
super VLAN configuration restrictions, 232 M:1 configuration, 303, 309
super VLAN interface configuration, 233 M:1 implementation, 299, 300
termination. See VLAN termination voice traffic
types, 209 LLDP CDP compatibility, 329
voice VLAN ACL resource occupation mode LLDP configuration (CDP-compatible), 338
configuration, 260 voice VLAN
voice VLAN advertisement (CDP), 264 ACL resource occupation mode configuration,
voice VLAN advertisement (LLDP or CDP), 260
263 advertisement configuration (CDP), 264
voice VLAN advertisement (LLDP), 263 advertisement configuration (LLDP or CDP), 263
voice VLAN assignment mode, 256 advertisement configuration (LLDP), 263
voice VLAN assignment mode configuration assignment mode, 256
(automatic), 265 assignment mode (automatic), 256
voice VLAN assignment mode configuration assignment mode (manual), 257
(manual), 266 assignment mode configuration (automatic), 265
voice VLAN configuration, 254, 259, 265 assignment mode configuration (manual), 266
voice VLAN configuration restrictions and assignment mode+IP phone cooperation, 257
guidelines, 259 configuration, 254, 259, 265
voice VLAN host+IP phone connection (in configuration restrictions and guidelines, 259
series), 255
display, 264
voice VLAN IP phone access method, 255
host+IP phone connection (in series), 255
voice VLAN IP phone+device connection, 256
how it works, 254
voice VLAN LLDP automatic IP phone
information advertisement to IP phone, 255
discovery enable, 263
IP phone access method, 255

401
 IP phone identification (LLDP), 255
IP phone identification (OUI address), 254
IP phone identification method, 254
IP phone+device connection, 256
LLDP automatic IP phone discovery enable,
263
LLDP automatic IP phone discovery enable
restrictions, 263
port operation configuration (automatic
assignment), 261
port operation configuration (manual
assignment), 262
port operation configuration restrictions
(automatic assignment), 261
port operation configuration restrictions
(manual assignment), 262
port operation mode, 258
port operation mode configuration, 261
traffic QoS priority setting configuration, 259
VoIP
voice VLAN configuration, 254, 259, 265
voice VLAN configuration restrictions and
guidelines, 259
voice VLAN information advertisement to IP
phones, 255
voice VLAN IP phone access method, 255
voice VLAN IP phone identification (LLDP),
255
voice VLAN IP phone identification (OUI
address), 254
VPLS
Ethernet link aggregation transparent
LACPDU transmission, 68
VPN
QinQ basic configuration, 292
QinQ configuration, 285, 292
QinQ VLAN transparent transmission
configuration, 294
VXLAN
DRNI IPP interface assignment, 109
W
WAN access
PPPoE configuration, 350, 357
PPPoE display, 356
PPPoE maintain, 356
PPPoE network structure, 350
PPPoE network structure (host-initiated), 351
PPPoE network structure (router-initiated),
350
PPPoE relay configuration, 353, 357
PPPoE relay fundamentals, 351

402