advertisement
Huawei AR530&AR550 Series Industrial Switch
Routers
V200R005C70
Configuration Guide - Ethernet
Switching
Issue
Date
01
2014-11-30
HUAWEI TECHNOLOGIES CO., LTD.
Copyright © Huawei Technologies Co., Ltd. 2015. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.
Trademarks and Permissions
and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.
All other trademarks and trade names mentioned in this document are the property of their respective holders.
Notice
The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.
The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.
Huawei Technologies Co., Ltd.
Address:
Website:
Huawei Industrial Base
Bantian, Longgang
Shenzhen 518129
People's Republic of China http://enterprise.huawei.com
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
i
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching About This Document
About This Document
Intended Audience
This document describes how to configure the components for LAN services, including link aggregation groups, VLANs, voice VLANs, MAC address tables, transparent bridging, as well as GVRP, STP/RSTP, and MSTP protocols.
This document provides procedures and examples to illustrate the methods and application scenarios for the service configurations.
This document is intended for: l Data configuration engineers l Commissioning engineers l Network monitoring engineers l System maintenance engineers
Symbol Conventions
The symbols that may be found in this document are defined as follows.
Symbol Description
Indicates an imminently hazardous situation which, if not avoided, will result in death or serious injury.
Indicates a potentially hazardous situation which, if not avoided, could result in death or serious injury.
Indicates a potentially hazardous situation which, if not avoided, may result in minor or moderate injury.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
ii
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Symbol
NOTE
About This Document
Description
Indicates a potentially hazardous situation which, if not avoided, could result in equipment damage, data loss, performance deterioration, or unanticipated results.
NOTICE is used to address practices not related to personal injury.
Calls attention to important information, best practices and tips.
NOTE is used to address information not related to personal injury, equipment damage, and environment deterioration.
Command Conventions
The command conventions that may be found in this document are defined as follows.
Convention
Boldface
Italic
[ ]
{ x | y | ... }
[ x | y | ... ]
{ x | y | ... } *
[ x | y | ... ] *
&<1-n>
#
Description
The keywords of a command line are in boldface .
Command arguments are in italics .
Items (keywords or arguments) in brackets [ ] are optional.
Optional items are grouped in braces and separated by vertical bars. One item is selected.
Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
The parameter before the & sign can be repeated 1 to n times.
A line starting with the # sign is comments.
Interface Numbering Conventions
Interface numbers used in this manual are examples. In device configuration, use the existing interface numbers on devices.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
iii
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching About This Document
Security Conventions
l Password setting
– When configuring a password, the cipher text is recommended. To ensure device security, change the password periodically.
– When you configure a password in plain text that starts and ends with %@%@ (the password can be decrypted by the device), the password is displayed in the same manner as the configured one in the configuration file. Do not use this setting.
– When you configure a password in cipher text, different features cannot use the same cipher-text password. For example, the cipher-text password set for the AAA feature cannot be used for other features.
l Encryption algorithm
Currently, the device uses the following encryption algorithms: 3DES, AES, RSA, SHA1,
SHA2, and MD5. 3DES, RSA and AES are reversible, while SHA1, SHA2, and MD5 are irreversible. The encryption algorithms DES/3DES/RSA (RSA-1024 or lower)/MD5 (in digital signature scenarios and password encryption)/SHA1 (in digital signature scenarios) have a low security, which may bring security risks. If protocols allowed, using more secure encryption algorithms, such as AES/RSA (RSA-2048 or higher)/SHA2/HMAC-SHA2, is recommended. The encryption algorithm depends on actual networking. The irreversible encryption algorithm must be used for the administrator password, SHA2 is recommended.
l Personal data
Some personal data may be obtained or used during operation or fault location of your purchased products, services, features, so you have an obligation to make privacy policies and take measures according to the applicable law of the country to protect personal data.
l The terms mirrored port, port mirroring, traffic mirroring, and mirroing in this manual are mentioned only to describe the product's function of communication error or failure detection, and do not involve collection or processing of any personal information or communication data of users.
Change History
Changes between document issues are cumulative. Therefore, the latest document version contains all updates made to previous versions.
Changes in Issue 01 (2014-11-30)
Initial commercial release.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
iv
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching Contents
Contents
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
v
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Contents
Issue 01 (2014-11-30) vi
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching Contents
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
vii
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching Contents
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
viii
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching Contents
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
ix
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Contents
Issue 01 (2014-11-30) x
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Contents
Issue 01 (2014-11-30) xi
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Contents
Issue 01 (2014-11-30) xii
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching Contents
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
xiii
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
1
MAC Address Table Configuration
About This Chapter
This chapter provides the basics for MAC address table, configuration procedure, and configuration examples.
1.1 Introduction to the MAC Address
This section describes the concept of the MAC address.
This section describes principles of MAC address table.
This section describes the applicable environment of MAC address flapping.
1.4 Configuration Task Summary
This chapter describes the configuration task summary of MAC.
This section describes the default configuration of a MAC address table.
1.6 Configuring the MAC Address Table
This section describes the MAC address table configuration.
This section provides several configuration examples of MAC address.
1.8 Common Configuration Errors
This section describes how to process common configuration errors in MAC address entries.
This section describes references of MAC address table.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
1
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
1.1 Introduction to the MAC Address
This section describes the concept of the MAC address.
A Media Access Control (MAC) address defines the location of a network device. A MAC address consists of 48 bits and is displayed as a 12-digit hexadecimal number. Bits 0 to 23 are assigned by the IETF and other institutions to identify vendors, and bits 24 to 47 are the unique
ID assigned by vendors to identify their network adapters.
MAC addresses fall into the following types: l Physical MAC address: uniquely identifies a terminal on an Ethernet network and is the globally unique hardware address.
l Broadcast MAC address: indicates all terminals on a LAN. The broadcast address is all 1s
(FF-FF-FF-FF-FF-FF).
l Multicast MAC address: indicates a group of terminals on a LAN. All the MAC addresses with the eighth bit as 1 are multicast MAC addresses (for example, 01-00-00-00-00-00), excluding the broadcast MAC address.
1.2 Principles
This section describes principles of MAC address table.
1.2.1 MAC Address Table
Each device maintains a MAC address table. A MAC address table records the MAC address,
VLAN ID and outbound interfaces learned from other devices. When forwarding a data frame, the device searches the MAC table for the outbound interface according to the destination MAC address and VLAN ID in the frame. This helps the device reduce broadcasting.
Packet Forwarding Based on the MAC Address Table
The device forwards packets based on the MAC address table in either of the following modes: l Unicast mode: If the destination MAC address of a packet can be found in the MAC address table, the device forwards the packet through the outbound interface specified in the matching entry.
l Broadcast mode: If a packet is a broadcast or multicast packet or its destination MAC address cannot be found in the MAC address table, the device broadcasts the packet to all the interfaces in the VLAN except the inbound interface.
Categories of MAC Address Entries
The MAC address entry can be classified into the dynamic entry, the static entry and the blackhole entry.
l The dynamic entry is created by learning the source MAC address. It has aging time.
l The static entry is set by users and is delivered to each SIC. It does not age.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration l The blackhole entry is used to discard the frame with the specified source MAC address or destination MAC address. Users manually set the blackhole entries and send them to each
SIC. Blackhole entries have no aging time.
The dynamic entry will be lost after the system is reset or the interface board is hot swapped or reset. The static entry and the blackhole entry, however, will not be lost.
Generation of a MAC address entry
MAC address entries are generated automatically or configured manually.
l Automatically Generated MAC Address Entries
MAC address entries are learned by the system automatically. For example, RouterA and
RouterB are connected. When RouterB sends a frame to RouterA, RouterA obtains the source MAC address (the MAC address of RouterB) from the frame and adds the source
MAC address and the interface number to the MAC address table. When RouterA receives a frame sent to RouterB again, RouterA can search the MAC address table to find the correct outbound interface.
The entries in the MAC table will not be valid all the time. Each entry has its own lifetime.
If the entry has not been refreshed at the expiration of its lifetime, the device will delete that entry from the MAC table. That lifetime is called aging time. If the entry is refreshed before its lifetime expires, the device resets the aging time for it.
NOTE
The system do not generate MAC address entries when receiving multicast packets or broadcast packets.
l Manually Configured MAC Address Entries
When creating MAC address entries by itself, the device cannot identify whether the packets are from the legal users or the hackers. This threatens the network safety.
Hackers can fake the source MAC address in attack packets. The packet with a forged address enters the device from the other port. Then the device learns a fault MAC table entry. That is why the packets sent to the legal users are forwarded to the hackers.
For security, the network administrator can add static entries to the MAC table manually to bind the user's device and the port of the device. In this way, the device can stop the illegal users from stealing data.
By configuring blackhole MAC address entries, you can configure the specified user traffic not to pass through a switch to prevent attacks from unauthorized users.
The priority of MAC entries set up by users is higher than that generated by the device itself.
Aging Time of MAC Addresses
To adapt to the changes of networks, the MAC table needs to be updated constantly. The dynamic entries automatically created in a MAC address table are not always valid. Each entry has a life cycle. The entry that has never been updated till its life cycle ends will be deleted. This life cycle is called aging time. If the entry is updated before its life cycle ends, the aging time of the entry is recalculated.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
3
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
Figure 1-1 Aging of MAC addresses
PC1
MAC Address
MAC1
MAC2
MAC3
VLANID
10
10
10
Swtich
Port
Port1
Port2
Port3
Port2
Port1
MAC3 MAC1 VLAN10 Type Data
PC2
MAC3
Port3
MAC1
PC3
VLAN10
Type D ata
As shown in the preceding figure, the aging time of MAC addresses is set to T. At t
1
, packets with the source MAC address 00e0-fc00-0001 and VLAN ID 1 reach an interface. Assume that the interface is added to VLAN 1. If no entry with the MAC address as 00e0-fc00-0001 and the
VLAN ID as 1 exists in the MAC address table, the MAC address is added to the MAC address table as a dynamic MAC address entry and the flag of the matching entry is set to 1.
The switch checks all learned dynamic MAC address entries at an interval of T. For example, at t
2
, if the switch discovers that the flag of the matching dynamic MAC address entry with the
MAC address as 00e0-fc00-0001 and the VLAN ID as 1 is 1, the flag of the matching MAC address entry is set to 0 and the MAC address entry is not deleted. If packets with the source
MAC address as 00e0-fc00-0001 and the VLAN ID as 1 enter the switch between t
2
and t
3
, the flag of the matching MAC address entry is set to 1 again. If no packet with the source MAC address as 00e0-fc00-0001 and the VLAN ID as 1 enters the switch between t
2
and t
3
, the flag of the matching MAC address entry is always 0. At t
3
, after discovering that the flag of the matching MAC address entry is 0, the switch assumes that the aging time of the MAC address entry expires and deletes the MAC address entry.
As stated above, the minimum holdtime of a dynamic MAC address entry in the MAC address table ranges from the aging time T to 2 T configured on the switch through automatic aging.
The aging time of MAC addresses is configurable. By setting the aging time of MAC addresses, you can flexibly control the holdtime of learned dynamic MAC address entries in the MAC address table.
1.2.2 Disabling MAC Address Learning and Limiting the Number of MAC Addresses
The capacity of a MAC address table is limited. Therefore, when hackers forge a large quantity of packets with different source MAC addresses and send the packets to a device, the MAC address table of the device may reach its full capacity. When the MAC address table is full, the device cannot learn source MAC addresses of valid packets.
A device limits the number of learned MAC addresses in one of the following modes:
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
4
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration l Disabling MAC address learning on an interface or a VLAN l Limiting the number of MAC addresses on an interface or a VLAN
After MAC address learning is disabled on an interface or a VLAN, no MAC address entry can be learned on the interface or VLAN. The system deletes the previously learned dynamic MAC entries after the aging time expires. You can also manually delete these entries.
You can limit the maximum number of dynamic MAC address entries on a specified VLAN or interface. After the number of MAC address entries learned by the VLAN or interface reaches the limit, no MAC address entry can be learned on the VLAN or interface until the previously learned MAC address entries age out.
In most cases, attack packets sent by a hacker enter a switch through the same interface.
Therefore, you can set the limit on the number of MAC address entries or disable MAC address learning on an interface to prevent attack packets from exhausting the MAC address table.
1.2.3 Port Security
Introduction to Port Security
The port security function changes MAC addresses learned on an interface into secure MAC addresses (including dynamic secure MAC addresses and sticky MAC addresses). Only hosts using secure MAC addresses or static MAC addresses can communicate with the device through the interface. This function enhances device security.
Secure MAC Address Learning
Secure MAC addresses are classified into dynamic secure MAC addresses and sticky MAC addresses: l Dynamic secure MAC addresses: are learned on an interface where port security is enabled but the sticky MAC function is disabled. By default, secure dynamic MAC addresses will never be aged out. After the switch restarts, secure dynamic MAC addresses are lost and need to be learned again.
l Sticky MAC addresses: are learned on an interface where both port security and sticky
MAC function are enabled. Sticky MAC addresses will not be aged out. After you save the configuration and restart the switch, sticky MAC addresses still exist.
Before port security is enabled on an interface, MAC address entries can be configured statically or learned dynamically on the interface. After port security is enabled on an interface, dynamic
MAC address entries that have been learned on the interface are deleted and MAC address entries learned subsequently turn into secure dynamic MAC address entries. Only packets with source
MAC addresses matching the secure dynamic MAC address entries or static MAC address entries can pass through the interface. After the sticky MAC function is enabled on the interface, existing secure dynamic MAC address entries and MAC address entries learned subsequently on the interface turn into sticky MAC address entries. When the number of secure MAC addresses reaches the limit, the switch stops learning MAC addresses on the interface and takes a protection action on the interface or packets received.
1.2.4 MAC Address Flapping
MAC address flapping occurs when a MAC address is learned by two interfaces in the same
VLAN. The MAC address entry learned later replaces the earlier one. If a large number of MAC
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
5
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration addresses flap in a short time on the network, MAC address flapping is caused by loops. When a loop occurs and causes a broadcast storm, MAC address flapping occurs on each switch affected by the broadcast storm. Therefore, MAC address flapping detection can be used to check for loops on a network.
MAC Address Flapping Detection
The device can detect MAC address flapping. When MAC address flapping occurs, the device can provide diagnosis information, including the flapping MAC address, interfaces between which the MAC address flaps, and VLAN that the interfaces belong to. A loop may exist on the interfaces between which the MAC address flaps. You will know how the loop is generated by checking interfaces where MAC addresses are flapping.
Figure 1-2 MAC address flapping detection
Network
Port1
MAC:11-22-33
SwitchA
Port2 Access port
MAC:11-22-33
Router Users
SwitchB SwitchC
Broadcast storm
Incorrect connection Data flow
As shown in Figure 1-2 , Switch B should not be connected to Switch C. When the two switches
are connected, Router, Switch B, and Switch C form a loop. When Port1 of Switch A receives a broadcast packet, Switch A forwards the packet to Switch B. The packet is then sent to Port2 of Switch A. Switch A detects that the source MAC address of the packet flaps from Port1 to
Port2. If the MAC address flaps between the two ports frequently, Switch A considers that MAC address flapping occurs.
NOTE l MAC address flapping detection allows a router to detect changes in traffic based on learned MAC addresses, but the router cannot obtain the entire network topology. It is recommended that this function be used on an interface when the interface connects to a user network where loops may occur.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
6
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
1.3 Application Environment
This section describes the applicable environment of MAC address flapping.
MAC Address Flapping Detection
, a loop occurs on a user network because network cables between two
LSWs are incorrectly connected. The loop causes MAC address flapping and MAC address table flapping.
You can enable MAC address flapping detection on the Router to detect MAC address flapping and discover loops.
Figure 1-3 Networking diagram of MAC address flapping detection
Network
Switch
LSW1 LSW2
Incorrect connection
1.4 Configuration Task Summary
This chapter describes the configuration task summary of MAC.
lists the configuration task summary of MAC address table.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
7
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
Table 1-1 Configuration task summary of MAC address table
Item Description
Configuring the MAC
Address Table
This section describes procedures to configure static, blackhole, and dynamic MAC address entries, prevent an interface from learning MAC addresses, limit the number of learned MAC addresses.
Task
Configuring Port Security
Configuring MAC Address
Flapping Detection
The port security function changes MAC addresses learned on an interface into secure MAC addresses. Only hosts using secure MAC addresses or static MAC addresses can communicate with the device through the interface. This function enhances security of the device.
MAC address flapping occurs when a MAC address is learned by two interfaces in the same VLAN. The MAC address entry learned later replaces the earlier one.
MAC address flapping detection enables the device to check all MAC addresses.
If MAC address flapping occurs, the device sends an alarm to the NMS. You can locate the faulty device according to the alarm and
MAC address flapping history records. This greatly improves network maintainability. If the user network connected to the device does not support loop prevention protocols, configure the device to shut down the interfaces where
MAC address flapping occurs. This reduces the impact of MAC address flapping on the user network.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
8
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
Item
Configuring the Switch to
Discard Packets with an
All-0 MAC Address
Description
A faulty device may send packets with an all-zero source or destination MAC address to the switch. You can configure the switch to discard such packets and send an alarm to the network management system (NMS).
You can locate the faulty device according to the alarm.
Task
Router to Discard Packets with an All-0 MAC Address
1.5 Default Configuration
This section describes the default configuration of a MAC address table.
Table 1-2 Default values of a MAC address entry
Parameter Default Value
Aging time of a dynamic MAC address entry 300 seconds
Whether MAC address learning is enabled Enable
Port security
Limit on the number of MAC addresses learned by an interface
Action to be taken when the number of learned MAC addresses reaches the limit
Disabled
1
Restrict
Discarding packets with all-0 invalid MAC addresses
Alarms generated when receiving packets with all-0 invalid MAC addresses
Disabled
Disabled
1.6 Configuring the MAC Address Table
This section describes the MAC address table configuration.
1.6.1 Configuring the MAC Address Table
This section describes procedures to configure static, blackhole, and dynamic MAC address entries, prevent an interface from learning MAC addresses, limit the number of learned MAC addresses.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
9
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
1.6.1.1 Configuring a Static MAC Address Entry
Context
1 MAC Address Table Configuration
To ensure communication security, you can configure MAC addresses of trusted upstream devices or users as static MAC address entries. When there are few trusted users, configure static
MAC address entries to ensure security. When there are many trusted users, configure dynamic binding according to
1.7.2 Example for Configuring Port Security
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: mac-address static mac-address interface-type interface-number vlan vlan-id
A static MAC address entry is configured.
NOTE
A static MAC address entry takes precedence over a dynamic MAC address entry. The system discards packets with configured static MAC addresses that have been learned by other interfaces.
----End
1.6.1.2 Configuring a Blackhole MAC Address Entry
Context
To save the MAC address table space, protect user devices or network devices from MAC address attacks, you can configure untrusted MAC addresses as blackhole MAC addresses.
Packets with source or destination MAC addresses matching the blackhole MAC address entries are discarded.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: mac-address blackhole mac-address vlan vlan-id
A blackhole MAC address entry is configured.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
10
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
1.6.1.3 Setting the Aging Time of Dynamic MAC Address Entries
Context
The network topology changes frequently, and the industrial switch router will learn many MAC addresses. After the aging time of dynamic MAC address entries is set, the device can delete unneeded MAC address entries to prevent sharp increase of MAC address entries. A shorter aging time is applicable to networks where network topology changes frequently, and a longer aging time is applicable to stable networks.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: mac-address aging-time aging-time
The aging time of a dynamic MAC address entry is set.
----End
1.6.1.4 Disabling MAC Address Learning
Context
When the industrial switch router with MAC address learning enabled receives an Ethernet frame, it records the source MAC address and inbound interface of the Ethernet frame in a MAC address entry. When receiving other Ethernet frames destined for this MAC address, the industrial switch router forwards the data frames through the outbound interface according to the MAC address entry. The MAC address learning function reduces broadcast packets on a network. After MAC address learning is disabled on an interface, the industrial switch router does not learn source MAC addresses of packets received by the interface.
Configuration Process l Disabling MAC address learning in the interface view
1.
Run: system-view
The system view is displayed.
2.
Run: interface interface-type interface-number
The interface view is displayed.
3.
Run: mac-address learning disable [ action { discard | forward } ]
MAC address learning is disabled on the interface.
By default, MAC address learning is enabled on an interface.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
11
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
1.6.1.5 Limiting the Number of Learned MAC Addresses
Context
The network with low security may be attacked by MAC address attacks. The capacity of a MAC address table is limited. Therefore, when hackers forge a large quantity of packets with different source MAC addresses and send the packets to the industrial switch router, the MAC address table of the industrial switch router may reach its full capacity. When the MAC address table is full, the industrial switch router cannot learn source MAC addresses of valid packets.
You can limit the number of MAC address entries learned on the industrial switch router. When the number of learned MAC address entries reaches the limit, the industrial switch router does not learn new MAC addresses. You can also configure the action and enable the device to send an alarm to the NMS when the number of MAC address entries reaches the limit.. This prevents
MAC address attacks and improves network security.
NOTE
The AR530&AR550 donot support limiting the number of MAC addresses learned in a VLAN.
Procedure
By default, the industrial switch router performs the forward action after MAC address learning is disabled. That is, the industrial switch router forwards packets according to the MAC address table. When the action is configured to discard, the industrial switch router matches the source MAC addresses of packets with the MAC address entries. If the inbound interface and source MAC address of a packet matches a MAC address entry, the industrial switch router forwards the packet. Otherwise, the industrial switch router discards the packet.
l Disabling MAC address learning in the VLAN view
1.
Run: system-view
The system view is displayed.
2.
Run: vlan vlan-id
The VLAN view is displayed.
3.
Run: mac-address learning disable
MAC address learning is disabled in the VLAN.
By default, MAC address learning is enabled in a VLAN.
l Limit the number of MAC addresses learned by an interface.
1.
Run: system-view
The system view is displayed.
2.
Run: interface interface-type interface-number
The interface view is displayed.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
12
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
3.
Run: mac-limit maximum max-num
The maximum number of MAC address entries learned by the interface is set.
By default, the number of MAC address entries learned on an interface is not limited.
4.
Run: mac-limit action { discard | forward }
The action to be taken on packets with unknown source MAC addresses is configured when the number of learned MAC address entries reaches the limit.
By default, the device discards packets with unknown source MAC addresses after the number of learned MAC address entries reaches the limit.
5.
Run: mac-limit alarm { disable | enable }
The industrial switch router is configured to (or not to) send an alarm to the NMS when the number of learned MAC address entries reaches the limit.
By default, the industrial switch router sends an alarm to the NMS when the number of learned MAC address entries reaches the limit.
l Limit the number of MAC address entries learned in a VLAN.
1.
Run: system-view
The system view is displayed.
2.
Run: vlan vlan-id
The VLAN view is displayed.
3.
Run: mac-limit maximum max-num
The maximum number of MAC address entries learned in the VLAN is set.
By default, the number of MAC address entries learned in a VLAN is not limited.
4.
Run: mac-limit alarm { disable | enable }
The industrial switch router is configured to (or not to) send an alarm to the NMS when the number of learned MAC address entries reaches the limit.
By default, the industrial switch router sends an alarm to the NMS when the number of learned MAC address entries reaches the limit.
----End
1.6.1.6 Checking the Configuration
Procedure
Issue 01 (2014-11-30) l Run the display mac-address command to check all MAC address entries.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
13
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration l Run the display mac-address static command to check static MAC address entries.
l Run the display mac-address dynamic command to check dynamic MAC address entries.
l Run the display mac-address blackhole command to check blackhole MAC address entries.
l Run the display mac-address aging-time command to check the aging time of dynamic
MAC address entries.
l Run the display mac-address summary command to check statistics on all the MAC address entries.
l Run the display mac-address total-number command to check the number of MAC address entries.
l Run the display mac-limit command to check the limit of the number of learned MAC addresses.
----End
1.6.2 Configuring Port Security
The port security function changes MAC addresses learned on an interface into secure MAC addresses (including secure dynamic MAC addresses and sticky MAC addresses). Only hosts using secure MAC addresses or static MAC addresses can communicate with the device through the interface. This function enhances security of the device.
Pre-configuration Tasks
Before configuring port security on an interface, complete the following tasks: l Disabling MAC address limiting on the interface l Disabling MAC address authentication on the interface l Disabling 802.1x authentication on the interface l Disabling MAC address security for DHCP snooping on the interface
1.6.2.1 Configuring the Secure MAC Function on an Interface
Context
If a network requires high access security, you can configure port security on specified interfaces.
MAC addresses learned by these interfaces change to secure dynamic MAC addresses or sticky
MAC addresses. When the number of learned MAC addresses reaches the limit, the interface does not learn new MAC addresses and allows only the devices with the learned MAC addresses to communicate with the industrial switch router. This prevents devices with untrusted MAC addresses from accessing these interfaces, improving security of the industrial switch router and the network.
By default, secure dynamic MAC addresses will not be aged out. You can set the aging time for secure dynamic MAC addresses so that they can be aged out. Secure dynamic MAC addresses are lost after the device restarts and the device needs to learn the MAC addresses again.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
14
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The interface view is displayed.
Step 3 Run: port-security enable
Port security is enabled.
By default, port security is disabled on an interface.
Step 4 (Optional) Run: port-security max-mac-num max-number
The limit on the number of secure dynamic MAC addresses is set.
By default, the limit on the number of secure dynamic MAC addresses is 1.
Step 5 (Optional) Run: port-security protect-action { protect | restrict | shutdown }
The protection action is configured.
The default action is restrict .
The protection actions are as follows: l protect : discards packets with new source MAC addresses when the number of learned MAC addresses reaches the limit.
l restrict : discards packets with new source MAC addresses and sends an alarm when the number of learned MAC addresses exceeds the limit.
l shutdown : set the interface status to error down and sends an alarm when the number of learned MAC addresses exceeds the limit.
By default, an interface cannot automatically restore to Up state after it is shut down. To restore the interface, run the undo shutdown command on the interface in sequence.
Alternatively, run the restart command on the interface to restart the interface.
Step 6 (Optional) Run: port-security aging-time time
The aging time of secure dynamic MAC addresses is set.
By default, secure dynamic MAC addresses will not be aged out.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
15
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
1.6.2.2 Configuring the Sticky MAC Function on an Interface
Context
If a network requires high access security, you can configure port security on specified interfaces.
MAC addresses learned by these interfaces change to secure dynamic MAC addresses or sticky
MAC addresses. When the number of learned MAC addresses reaches the limit, the interface does not learn new MAC addresses and allows only the devices with the learned MAC addresses to communicate with the industrial switch router. This prevents devices with untrusted MAC addresses from accessing these interfaces, improving security of the industrial switch router and the network.
The sticky MAC function changes MAC addresses learned by an interface to sticky MAC addresses. Sticky MAC addresses will not be aged out. After you save the configuration and restart the industrial switch router, sticky MAC addresses still exist.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The interface view is displayed.
Step 3 Run: port-security enable
Port security is enabled.
By default, port security is disabled on an interface.
Step 4 Run: port-security mac-address sticky
The sticky MAC function is enabled on the interface.
By default, the sticky MAC function is disabled on an interface.
Step 5 (Optional) Run: port-security max-mac-num max-number
The limit on the number of sticky MAC addresses is set on the interface.
By default, the limit on the number of sticky MAC addresses is 1.
Step 6 (Optional) Run: port-security protect-action { protect | restrict | shutdown }
The protection action is configured.
The default action is restrict .
The protection actions are as follows:
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
16
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
1 MAC Address Table Configuration l protect : discards packets with new source MAC addresses when the number of learned MAC addresses reaches the limit.
l restrict : discards packets with new source MAC addresses and sends an alarm when the number of learned MAC addresses exceeds the limit.
l shutdown : set the interface status to error down and sends an alarm when the number of learned MAC addresses exceeds the limit.
By default, an interface cannot automatically restore to Up state after it is shut down. To restore the interface, run the shutdown and undo shutdown commands on the interface in sequence. Alternatively, run the restart command on the interface to restart the interface.
Step 7 (Optional) Run: port-security mac-address sticky mac-address vlan vlan-id
A sticky MAC address entry is configured.
----End
1.6.2.3 Checking the Configuration
Procedure l Run the display current-configuration interface interface-type interface-number command to view the current configuration of an interface.
l Run the display mac-address security [ vlan vlan-id | interface-type interface-number ] command to view secure dynamic MAC address entries.
l Run the display mac-address sticky [ vlan vlan-id | interface-type interface-number ] command to view sticky MAC address entries.
----End
1.6.3 Configuring MAC Address Flapping Detection
MAC address flapping detection detects all MAC addresses on the device. When MAC address flapping occurs, the device sends an alarm to the NMS.
Context
After MAC address flapping detection is configured in a VLAN, the device checks all MAC addresses in the VLAN to detect MAC address flapping. When MAC address flapping occurs on an interface, the device blocks the interface or MAC address, or reports an alarm according to the configuration.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: vlan vlan-id
Issue 01 (2014-11-30) 17
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
1 MAC Address Table Configuration
A VLAN is created and the VLAN view is displayed.
Step 3 Run: loop-detect eth-loop { [ block-mac ] block-time block-time retry-times retry-times
| alarm-only }
MAC address flapping detection is configured in the VLAN.
When detecting MAC address flapping in a VLAN, the device can take either of the following actions: l Block the interface or MAC address. When block-mac is specified in the command, the industrial switch router does not block the interface but blocks the traffic from the flapping
MAC address.
l Send an alarm to the NMS.
----End
Checking the Configuration
Run the display loop-detect eth-loop [ vlan vlan-id ] command to check information about
MAC address flapping detection in a VLAN.
Follow-up Procedure
After an interface or a MAC address is permanently blocked because of MAC address flapping, you must run the reset loop-detect eth-loop command in the corresponding VLAN if you want to restore the interface or MAC address.
1.
Run the system-view command to enter the system view.
2.
Run the reset loop-detect eth-loop vlan vlan-id { all | interface interface-type interfacenumber | mac-address mac-address } command to unblock the specified interface or MAC address.
Before using the reset loop-detect eth-loop command, run the display loop-detect eth-loop command to check the blocked interface or MAC address.
1.6.4 Configuring the Router to Discard Packets with an All-0 MAC
Address
A faulty network device may send packets with an all-0 source or destination MAC address to the industrial switch router. You can configure the industrial switch router to discard such packets and send an alarm to the network management system (NMS). You can locate the faulty device according to the alarm.
Context
You can configure the industrial switch router to discard packets with an all-0 source or destination MAC address.
Procedure
Step 1 Run:
Issue 01 (2014-11-30) 18
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration system-view
The system view is displayed.
Step 2 Run: drop illegal-mac enable
The industrial switch router is configured to discard packets with an all-0 MAC address.
By default, the industrial switch router does not discard packets with an all-0 MAC address.
NOTE
The AR530&AR550 do not support discarding packets with an all-0 MAC address.
Step 3 (Optional) Run: drop illegal-mac alarm
The industrial switch router is configured to send an alarm to the NMS when receiving packets with an all-0 MAC address.
By default, the industrial switch router does not send an alarm to the NMS when receiving packets with an all-0 MAC address.
NOTE
The industrial switch router sends only one alarm after receiving packets with an all-0 MAC address. To enable the industrial switch router to send an alarm again after receiving packets with an all-0 MAC address, run the drop illegal-mac alarm command.
----End
Checking the Configuration
Run the display current-configuration command to check whether the industrial switch router is configured to discard packets with an all-0 MAC address.
1.7 Configuration Examples
This section provides several configuration examples of MAC address.
1.7.1 Example for Configuring the MAC Address Table
Networking Requirements
As shown in Figure 1-4 , the MAC address of PC1 is 0002-0002-0002, and the MAC address of
PC2 is 0003-0003-0003. The LSW connects the PCs to the Router. The LSW is connected to
Ethernet2/0/1 of the Router, which belongs to VLAN 2. The MAC address of the server is
0004-0004-0004. The server is connected to Ethernet2/0/2 of the Router, which belongs to
VLAN 2. The network requires the following configurations: l To prevent hackers from using MAC addresses to attack the network, configure a static
MAC address entry for each user host on the Router. Set the aging time for the dynamic
MAC address entries to 500 seconds.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
19
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching l To prevent hackers from stealing user information by forging the MAC address of the server, configure a static MAC address entry on the Router for the server.
Figure 1-4 Network diagram
1 MAC Address Table Configuration
Server
Eth2/0/2
Router
Eth2/0/1
MAC:
0004-0004-0004
VLAN2
LSW VLAN2
PC1 PC2
MAC:
0002-0002-0002
MAC:
0003-0003-0003
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create VLANs on the Router and add the interfaces to the VLANs.
2.
Configure static MAC address entries.
3.
Set the aging time for the dynamic MAC address entries.
Procedure
Step 1 Add static MAC address entries.
# Create VLAN 2 and add Ethernet2/0/1 and Ethernet2/0/2 to VLAN 2.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 2
[Router-vlan2] quit
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port hybrid tagged vlan 2
[Router-Ethernet2/0/1] quit
[Router] interface ethernet 2/0/2
[Router-Ethernet2/0/2] port hybrid pvid vlan 2
[Router-Ethernet2/0/2] port hybrid untagged vlan 2
[Router-Ethernet2/0/2] quit
# Configure static MAC address entries.
[Router] mac-address static 0002-0002-0002 ethernet 2/0/1 vlan 2
[Router] mac-address static 0003-0003-0003 ethernet 2/0/1 vlan 2
[Router] mac-address static 0004-0004-0004 ethernet 2/0/2 vlan 2
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
20
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
Step 2 Set the aging time for the dynamic MAC address entries.
[Router] mac-address aging-time 500
Step 3 Verify the configuration.
# Run the display mac-address command in any view to check whether the static MAC address entries are successfully added to the MAC address table.
[Router] display mac-address static vlan 2
-------------------------------------------------------------------------------
MAC Address VLAN/Bridge Learned-From Type
-------------------------------------------------------------------------------
0002-0002-0002 2/- Eth2/0/1 static
0003-0003-0003 2/- Eth2/0/1 static
0004-0004-0004 2/- Eth2/0/2 static
-------------------------------------------------------------------------------
Total items displayed = 3
# Run the display mac-address aging-time command to check whether the aging time for dynamic entries is set successfully.
[Router] display mac-address aging-time
Aging time: 500 seconds
----End
Configuration Files
Configuration file of the Router
# vlan batch 2
#
mac-address aging-time 500
# interface Ethernet2/0/1
port hybrid tagged vlan 2
# interface Ethernet2/0/2
port hybrid pvid vlan 2
port hybrid untagged vlan 2
#
mac-address static 0002-0002-0002 Ethernet2/0/1 vlan 2
mac-address static 0003-0003-0003 Ethernet2/0/1 vlan 2
mac-address static 0004-0004-0004 Ethernet2/0/2 vlan 2
# return
1.7.2 Example for Configuring Port Security
Networking Requirements
, a company wants to prevent non-employees from accessing the intranet.
To achieve this information security goal, the company needs to enable the port security function on the router interface connected to computers of employees and set the maximum number of
MAC addresses learned on the interface to the total number of trusted computers.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
21
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 1-5 Network diagram of port security configuration
1 MAC Address Table Configuration
Internet
Router
VLAN 10
Eth2/0/1
Switch
PC1 PC2 PC3
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create a VLAN and set the link type of the interface to trunk.
2.
Enable the port security function.
3.
Enable the sticky MAC function on the interface.
4.
Configure the protective action on the interface.
5.
Set the maximum number of MAC addresses that can be learned on the interface.
Procedure
Step 1 Create a VLAN and set the link type of the interface to trunk.
<Huawei> system-view
[Huawei] sysname Huawei
[Router] vlan 10
[Router-vlan10] quit
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type trunk
[Router-Ethernet2/0/1] port trunk allow-pass vlan 10
Step 2 Configure the port security function.
# Enable the port security function.
[Router-Ethernet2/0/1] port-security enable
Enable the sticky MAC function.
[Router-Ethernet2/0/1] port-security mac-address sticky
# Configure the protective action.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
22
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
[Router-Ethernet2/0/1] port-security protect-action protect
# Set the maximum number of MAC addresses that can be learned on the interface.
[Router-Ethernet2/0/1] port-security max-mac-num 4
# To enable the port security function on other interfaces, repeat the preceding steps.
Step 3 Verify the configuration.
# The PCs cannot access the company intranet.
----End
Configuration Files
Configuration file of the Router
# vlan batch 10
# interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
port-security enable
port-security protect-action protect
port-security mac-address sticky
port-security max-mac-num 4
# return
1.7.3 Example for Configuring MAC Address Limiting Rules on
Interfaces
Networking Requirements
, Ethernet2/0/1 and Ethernet2/0/2 of the Router are connected to LSWs.
One LSW is connected to individual users, and the other is connected to enterprise users. To prevent MAC address attacks and limit the number of access users on the Router, configure
MAC address limiting rules on Ethernet2/0/1 and Ethernet2/0/2.
Figure 1-6 Network diagram for MAC address limiting on interfaces
IP network
Eth2/0/1
LSW
……
Router
Eth2/0/2
LSW
Individual user
Enterprise user
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
23
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
Configuration Roadmap
The configuration roadmap is as follows:
1.
Set the limit on the number of MAC addresses learned by the interfaces.
2.
Set the action performed when the limit is reached.
Procedure
Step 1 Configure MAC address limiting rules on the interfaces.
<Huawei> system-view
[Huawei] interface ethernet 2/0/1
[Huawei-Ethernet2/0/1] mac-limit maximum 4 action discard alarm enable
[Huawei-Ethernet2/0/1] quit
[Huawei] interface ethernet 2/0/2
[Huawei-Ethernet2/0/2] mac-limit maximum 100 action discard alarm enable
[Huawei-Ethernet2/0/2] quit
Step 2 Verify the configuration.
# Run the display mac-limit command in any view to check whether the MAC address limiting rule is successfully configured.
<Huawei> display mac-limit
-----------------------------------------------------------------------
PORT VLAN Maximum Action Alarm
-----------------------------------------------------------------------
Eth2/0/1 - 4 discard enable
Eth2/0/2 - 100 discard enable
-----------------------------------------------------------------------
----End
Configuration Files
Configuration file of the Router
# interface Ethernet2/0/1
mac-limit maximum 4
# interface Ethernet2/0/2
mac-limit maximum 100
# return
1.7.4 Example for Configuring a MAC Address Learning Rule in a
VLAN
Networking Requirements
, Ethernet2/0/1 and Ethernet2/0/2 of the Router are connected to LSWs.
The LSWs are connected to users, including a few IP phone users and many computer users. IP phone users are in VLAN 100, and computer users are in VLAN 200. To prevent MAC address
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
24
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration attacks and save MAC address table space, configure a rule to limit the number of MAC addresses learned in VLAN 200.
Figure 1-7 Networking diagram for MAC address limiting in a VLAN
IP network
LSW
Eth2/0/1
……
Router
Eth2/0/2
LSW
VLAN100 VLAN200
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create VLANs on the Router and add the interfaces to the VLANs.
2.
Set the limit on the number of MAC addresses learned in the VLAN 200.
Procedure
Step 1 Configure a MAC address limiting rule in the VLAN 200.
# Add Ethernet2/0/1 to VLAN 100 and VLAN 200; add Ethernet2/0/2 to VLAN 200.
<Huawei> system-view
[Huawei] vlan batch 100 200
[Huawei] interface ethernet 2/0/1
[Huawei-Ethernet2/0/1] port link-type trunk
[Huawei-Ethernet2/0/1] port trunk allow-pass vlan 100 200
[Huawei-Ethernet2/0/1] quit
[Huawei] interface ethernet 2/0/2
[Huawei-Ethernet2/0/2] port link-type trunk
[Huawei-Ethernet2/0/2] port trunk allow-pass vlan 200
[Huawei-Ethernet2/0/2] quit
# Configure the following MAC address limiting rule in VLAN 200: l A maximum of 500 MAC addresses can be learned.
l When the number of learned MAC address entries reaches the limit, the Router forwards packets with new source MAC addresses and generates an alarm, but does not add the new
MAC addresses to the MAC address table.
[Huawei] vlan 200
[Huawei-vlan200] mac-limit maximum 500 alarm enable
[Huawei-vlan200] quit
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
25
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
Step 2 Verify the configuration.
# Run the display mac-limit command in any view to check whether the MAC address limiting rule is successfully configured.
<Huawei> display mac-limit
-----------------------------------------------------------------------
PORT VLAN Maximum Action Alarm
-----------------------------------------------------------------------
- 200 500 forward enable
-----------------------------------------------------------------------
----End
Configuration Files
Configuration file of the Router
# vlan batch 100 200
# vlan 200
mac-limit maximum 500
# interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 100 200
# interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 200
# return
1.8 Common Configuration Errors
This section describes how to process common configuration errors in MAC address entries.
1.8.1 Correct MAC Address Entry Cannot Be Learned on the Device
Fault Description
MAC address entries cannot be learned on the device, so Layer 2 forwarding fails.
Procedure
Step 1 Check that the configurations on the interface are correct.
Run the display mac-address command in any view to check whether the binding relationships between the MAC address, VLAN, and interface are correct.
<Huawei> display mac-address
-------------------------------------------------------------------------------
MAC Address VLAN/Bridge Learned-From Type
-------------------------------------------------------------------------------
0025-9e80-2494 1/- Eth0/0/1 dynamic
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
26
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
-------------------------------------------------------------------------------
Total items displayed = 1
If not, re-configure the binding relationships between the MAC address, VLAN, and interface.
If yes, go to step 2.
Step 2 Check whether a loop on the network causes MAC address flapping.
l Remove the loop from the network.
If no loop exists, go to step 3.
Step 3 Check whether the interface is blocked by a loop prevention protocol.
Run the display stp brief command in any view to check whether the interface participates in
STP calculation and check the interface status.
Run the display sep topology command in any view to check whether the interface participates in STP calculation and check the interface status.
If the interface status is incorrect, check the STP or SEP configuration.
If the interface status is correct, go to step 4.
Step 4 Check that MAC address learning is enabled.
Check whether MAC address learning is enabled in the interface view and the VLAN view.
[Huawei-Ethernet0/0/1] display this
# interface Ethernet0/0/1 mac-address learning disable
port hybrid tagged vlan 10
undo negotiation auto
speed 100
# return
[Huawei-vlan10] display this
# vlan 10
mac-address learning disable
# return
If the command output contains mac-address learning disable , MAC address learning is disabled on the interface or VLAN.
l If MAC address learning is disabled, run the undo mac-address learning disable command in the interface view or VLAN view to enable MAC address learning.
l If MAC address learning is enabled on the interface, go to step 4.
Step 5 Check whether any blackhole MAC address entry or MAC address limiting is configured.
If a blackhole MAC address entry or MAC address limiting is configured, the interface discards packets.
l Blackhole MAC address entry
Run the display mac-address blackhole command to check whether any blackhole MAC address entry is configured.
[Huawei] display mac-address blackhole
------------------------------------------------------------------------------
-
MAC Address VLAN/Bridge Learned-From Type
------------------------------------------------------------------------------
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
27
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
-
0001-0001-0001 3333/- - blackhole
------------------------------------------------------------------------------
-
Total items displayed = 1
If a blackhole MAC address entry is displayed, run the undo mac-address blackhole command to delete it.
l MAC address limiting on the interface or VLAN
– Run the display this command in the interface view or VLAN view. If the command output contains mac-limit maximum , the number of learned MAC addresses is limited.
Run either of the following commands:
– Run the undo mac-limit command in the interface view or VLAN view to cancel
MAC address limiting.
– Run the mac-limit command in the interface view or VLAN view to increase the maximum number of learned MAC address entries.
– Run the display this command in the interface view. If the command output contains port-security max-mac-num or port-security enable , the number of secure dynamic
MAC addresses is limited on the interface. Run either of the following commands:
NOTE
By default, the limit on the number of secure dynamic MAC addresses is 1 after port security is enabled.
– Run the undo port-security enable command in the interface view to disable port security.
– Run the port-security max-mac-num command in the interface view to increase the maximum number of secure dynamic MAC address entries on the interface.
If the fault persists, go to step 5.
Step 6 Check whether the number of learned MAC address entries has reached the maximum value supported by the industrial switch router.
Run the display mac-address summary command to check the number of MAC address entries in the MAC address table.
l If the number of learned MAC address entries has reached the maximum value supported by the industrial switch router, no MAC address entry can be created. Run the display macaddress command to view all MAC address entries.
– If the number of MAC address entries learned on an interface is much larger than the number of devices on the network connected to the interface, a user on the network may maliciously update the MAC address table. Check the device connected to the interface:
– If the interface is connected to a device, run the display mac-address command on the device to view its MAC address table. Locate the interface connected to the malicious user host based on the displayed MAC address entries. If the interface that you find is connected to another device, repeat this step until you find the user of the malicious user.
– If the interface is connected to a computer, perform either of the following operations after obtaining permission from the administrator:
– Disconnect the computer. When the attack stops, connect the computer to the network again.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
28
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
– Run the port-security enable command on the interface to enable port security or run the mac-limit command to set the maximum number of MAC addresses that the interface can learn to 1.
– If the interface is connected to a hub, perform either of the following operations:
– Configure port mirroring or other tools to observe packets received by the interface. Analyze the packet types to locate the attacking computer. Disconnect the computer after obtaining permission from the administrator. When the attack stops, connect the computer to the hub again.
– Disconnect computers connected to the hub one by one after obtaining permission from the administrator. If the fault is rectified after a computer is disconnected, the computer is the attacker. After it stops the attack, connect it to the hub again.
– If the number of MAC addresses on the interface is equal to or smaller than the number of devices connected to the interface, the number of devices connected to the industrial switch router has exceeded the maximum supported by the industrial switch router.
Adjust network deployment.
----End
1.9 Reference
This section describes references of MAC address table.
The following table lists the references of this document.
Document
IEEE 802.1D
IEEE 802.1Q
Description
Standard for Information technology--
Telecommunications and information exchange between systems--IEEE standard for local and metropolitan area networks--Common specifications--
Media access control (MAC) Bridges
IEEE standard for Local and
Metropolitan Area Networks: Virtual
Bridged Local Area Networks
-
-
Remarks
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
29
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
2
Link Aggregation Configuration
About This Chapter
Link aggregation is a technology that bundles multiple Ethernet links into a logical link to increase bandwidth, improve reliability, and load balance traffic.
2.1 Introduction to Link Aggregation
This section describes definition and purpose of link aggregation.
This section describes principles of link aggregation.
This section describes application environments of Ethernet link aggregation.
2.4 Configuration Task Summary
The device supports the manual load balancing mode and Link Aggregation Control Protocol
This section describes default parameter settings of link aggregation.
2.6 Configuring Ethernet Link Aggregation
This section describes how to configure Ethernet link aggregation.
2.7 Maintaining Link Aggregation
This section provides several configuration examples of link aggregation.
2.9 Common Configuration Errors
This section describes common configuration errors.
This section describes references of link aggregation.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
30
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
2.1 Introduction to Link Aggregation
This section describes definition and purpose of link aggregation.
Definition
Ethernet link aggregation, also called Eth-Trunk, bundles multiple physical links to form a logical link to increase link bandwidth. The bundled links back up each other, increasing reliability.
Purpose
As the network scale expands increasingly, users propose increasingly high requirements on
Ethernet backbone network bandwidth and reliability. Originally, to increase the bandwidth, users use high-speed cards or devices supporting high-speed interface cards to replace old interface cards or devices.This solution, however, is costly and inflexible.
Link aggregation helps increase bandwidth by bundling a group of physical interfaces into a single logical interface, without having to upgrade hardware. In addition, link aggregation provides link backup mechanisms, greatly improving link reliability.
Link aggregation has the following advantages: l Increased bandwidth
The bandwidth of the link aggregation interface is the sum of bandwidth of member interfaces.
l Higher reliability
When an active link fails, traffic on this active link is switched to another active link, improving reliability of the link aggregation interface.
l Load balancing
In a link aggregation group (LAG), traffic is load balanced among active links of member interfaces.
2.2 Principles
This section describes principles of link aggregation.
2.2.1 Concepts
As shown in Figure 2-1 , DeviceA and DeviceB are connected through three Ethernet physical
links. These three Ethernet physical links are bundled into an Eth-Trunk link. The bandwidth of the Eth-Trunk link is the sum of bandwidth of the three Ethernet physical links, increasing the bandwidth. The three Ethernet physical links back up each other, which improves reliability.
NOTE
Both devices of the Eth-Trunk must use the same number of physical interfaces, interface rate, duplex mode, jumbo, and flow control mode.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
31
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 2-1 Eth-Trunk networking
Eth-Trunk
DeviceA
2 Link Aggregation Configuration
DeviceB
Issue 01 (2014-11-30)
The link aggregation interface can be used as a common Ethernet interface to implement routing protocols and other services. Unlike a common Ethernet interface, the link aggregation interface needs to select one or more member interfaces to forward traffic.
Link aggregation concepts are described as follows: l Link aggregation, link aggregation group (LAG), and link aggregation interface
Link aggregation technology bundles a group of physical interfaces into a logical interface to increase bandwidth and improve reliability.
An LAG is the logical link bundled by many Ethernet links.
Each LAG corresponds to a logical interface, that is, link aggregation interface or Eth-
Trunk.
l Member interface and member link
The interfaces that constitute an Eth-Trunk are member interfaces. A link corresponding to a member interface is a member link.
l Active and inactive interfaces and links
There are two types of interfaces in an LAG: active and inactive interfaces. The interface that forwards data is called the active interface, while the interface that does not forward data is called the inactive interface.
The link connected to an active interface is the active link, whereas the link connected to an inactive interface is the inactive link.
l Upper threshold for the number of active interfaces
When the number of active interfaces reaches this threshold, the bandwidth of the Eth-
Trunk will not increase even if more member links go Up. This guarantees high network reliability. When the number of active member interfaces reaches the upper threshold, additional active member interfaces go Down.
For example, 8 trouble-free member links are bundled into a trunk link, each link provides the bandwidth of 1 Gbit/s, and the trunk link needs to provide a maximum of 5 Gbit/s bandwidth. You can set the maximum number of Up member links to 5 or larger. The remaining unselected links in Up state automatically enter the backup state, improving reliability.
NOTE
The upper threshold for the number of active interfaces is inapplicable to the manual load balancing
mode. For details about the manual load balancing mode, see 2.2.3 Link Aggregation in Manual
.
l Lower threshold for the number of active interfaces
When the number of active interfaces falls below the lower threshold, the Eth-Trunk goes
Down. This guarantees the minimum available bandwidth for the Eth-Trunk.
For example, if the Eth-Trunk is required to provide a minimum bandwidth of 2 Gbit/s and each member link's bandwidth is 1 Gbit/s, the lower threshold must be set to 2 or larger.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
32
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
2.2.2 Forwarding Principle
The Eth-Trunk forwarding table is composed of the following entries: l HASH-KEY value
The key value is calculated through the hash algorithm based on the MAC address or IP address in a data packet.
l Interface number
Eth-Trunk forwarding entries are relevant to the number of member interfaces in an Eth-
Trunk. Different HASH-KEY values map different outbound interfaces.
For example, an Eth-Trunk supports a maximum of eight member interfaces. If physical interfaces 1, 2, 3, and 4 are bundled into an Eth-Trunk, the Eth-Trunk forwarding table
contains four entries, as shown in Figure 2-2 . In the Eth-Trunk forwarding table, the
HASH-KEY values are 0, 1, 2, 3, 4, 5, 6, and 7, and the corresponding interface numbers are 1, 2, 3, 4, 1, 2, 3, and 4.
Figure 2-2 Example of an Eth-Trunk forwarding table
HASH-KEY
PORT
0
1
1
2
2
3
3
4
4
1
5
2
6
3
7
4
The Eth-Trunk module forwards a packet according to the Eth-Trunk forwarding table:
1.
The Eth-Trunk module receives a packet from the MAC sub-layer, and then extracts its source MAC address/IP address or destination MAC address/IP address.
2.
The Eth-Trunk module calculates the HASH-KEY value using the hash algorithm.
3.
Based on the HASH-KEY value, the Eth-Trunk module searches the Eth-Trunk forwarding table for the interface number, and then sends the packet from the corresponding interface.
2.2.3 Link Aggregation in Manual Load Balancing Mode
Link aggregation can work in manual load balancing mode or LACP mode depending on whether
LACP is used.
In manual load balancing mode, you must manually create an Eth-Trunk and add member interfaces to the Eth-Trunk. LACP is not used. In this mode, all active links load balance traffic evenly. If an active link fails, the other active links share the traffic evenly. The manual load balancing mode applies to the scenario where a high link bandwidth between two directly connected devices is required but the remote device does not support the LACP protocol.
2.2.4 Link Aggregation in LACP Mode
Background
An Eth-Trunk in manual load balancing mode can increase the bandwidth. However, the manual mode can only detect member link disconnections, but cannot detect other faults such as link layer faults and incorrect link connections.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
33
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
The Link Aggregation Control Protocol (LACP) can improve fault tolerance of the Eth-Trunk, provide backup, and ensure high reliability of member links.
LACP uses a standard negotiation mechanism for a switching device so that the switching device can create and start the aggregated link based on its configuration. After the aggregated link is created, LACP maintains the link status. If an aggregated link's status changes, LACP adjusts or removes the link.
For example, in
, four interfaces on DeviceA are bundled into an Eth-Trunk and the
Eth-Trunk is connected to the corresponding interfaces on DeviceB. Because an interface on
DeviceA is incorrectly connected to an interface on DeviceC, DeviceA may incorrectly send data destined for DeviceB to DeviceC. However, the Eth-Trunk in manual load balancing mode cannot detect this fault in a timely manner.
If LACP is enabled on DeviceA and DeviceB, the Eth-Trunk correctly selects active links to forward data after negotiation. Data sent by DeviceA can reach DeviceB.
Figure 2-3 Incorrect Eth-Trunk connection
DeviceA
Eth-Trunk
DeviceB
DeviceC
Concepts
Issue 01 (2014-11-30) l LACP system priority
LACP system priorities are set on devices at both ends of an Eth-Trunk. In LACP mode, active member interfaces selected by both devices must be consistent; otherwise, an LAG cannot be established. To keep active member interfaces consistent at both ends, set a higher priority for one end so that the other end selects active member interfaces based on the selection of the end with a higher priority. The smaller the LACP system priority value, the higher the LACP system priority.
l LACP interface priority
Interface LACP priorities are set to prioritize interfaces of an Eth-Trunk. Interfaces with higher priorities are selected as active interfaces. The smaller the LACP interface priority value, the higher the LACP interface priority.
l M:N backup of member interfaces
In LACP mode, LACP is used to negotiate parameters to determine active links in an LAG.
This mode is also called the M:N mode, where M refers to the number of active links and
N refers to the number of backup links. This mode guarantees high reliability and allows traffic to be load balanced among M active links.
, M+N links with the same attributes (in the same LAG) are set up between two devices. When data is transmitted over the aggregated link, traffic is load balanced among M active links and no data is transmitted over N backup links. Therefore, the actual bandwidth of the aggregated link is the sum of the M links' bandwidth, and the maximum bandwidth of the aggregated link is the sum of the M+N links' bandwidth.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
34
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
If one of M links fails, LACP selects a link from N backup links to replace the faulty link.
The actual bandwidth of the aggregated link is still the sum of M links' bandwidth, but the maximum bandwidth of the aggregated link is the sum of the (M+N-1) links' bandwidth.
Figure 2-4 Networking of M:N backup
DeviceA
Eth-Trunk
Eth-Trunk 1
DeviceB
Eth-Trunk 1
Active link
Backup link
M:N backup is mainly applied in situations where the bandwidth of M links must be assured and a fault tolerance mechanism is in place. If an active link fails, the system selects the backup link with the highest priority as the active link.
If no available backup link is found and the number of active links is smaller than the lower threshold for the number of active interfaces, the system shuts down the LAG.
Implementation of Link Aggregation in LACP Mode
LACP, as specified in IEEE 802.3ad, implements dynamic link aggregation and de-aggregation, allowing both ends to exchange LACPDUs.
After member interfaces are added to an Eth-Trunk in LACP mode, each end sends LACPDUs to inform its remote end of its system priority, MAC address, member interface priorities, interface numbers, and keys. The remote end then compares this information with that saved on itself, and selects which interfaces to be aggregated. The two ends perform LACP negotiation to select active interfaces and links.
shows the format of an LACPDU.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
35
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 2-5 Fields in an LACPDU
Destination Address
Source Address
Length/Type
Subtype=LACP
Version Number
TLV_type=Actor Information
Actor_Information_Length=20
Actor_System_Priority
Actor_System
Actor_Key
Actor_Port_Priority
Actor_Port
Actor_State
Reserved
TLV_type=Partner Information
Partner_Information_Length=20
Partner_System_Priority
Partner_System
Partner_Key
Partner_Port_Priority
Partner_Port
Partner_State
Reserved
TLV_type=Collector Information
Collector_Information_Length=16
CollectorMaxDelay
Reserved
TLV_type=Terminator
Terminator_Length=0
Reserved
FCS
2 Link Aggregation Configuration
Issue 01 (2014-11-30)
Item
Actor_Port/Partner_Port
Actor_State/Partner_State
Actor_System_Priority/
Partner_System_Priority
Actor_System/Partner_System
Actor_Key/Partner_Key
Actor_Port_Priority/Partner_Port_Priority
Description
Interface of the Actor or Partner.
Status of the Actor or Partner.
System priority of the Actor or Partner.
System ID of the Actor or Partner.
Operational key of the Actor or Partner.
Interface priority of the Actor or Partner.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
36
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration l An Eth-Trunk in LACP mode is set up as follows:
1.
Devices at both ends send LACPDUs to each other.
As shown in Figure 2-6 , you need to create an Eth-Trunk in LACP mode on DeviceA
and DeviceB and add member interfaces to the Eth-Trunk. Then the member interfaces are enabled with LACP, and devices at both ends can send LACPDUs to each other.
Figure 2-6 LACPDUs sent in LACP mode
DeviceA
LACPDU
DeviceB
Issue 01 (2014-11-30)
LACPDU
2.
Devices at both ends determine the Actor and active links.
, devices at both ends receive LACPDUs from each other. For example, when DeviceB receives LACPDUs from DeviceA, DeviceB checks and records information about DeviceA and compares system priorities. If the system priority of DeviceA is higher than that of DeviceB, DeviceA acts as the Actor. If
DeviceA and DeviceB have the same system priority, the device with a smaller MAC address functions as the Actor.
After devices at both ends select the Actor, they select active interfaces according to the priorities of the Actor's interfaces. Then active interfaces are selected, active links in the LAG are specified, and load balancing is implemented among these active links.
Figure 2-7 Selecting the Actor in LACP mode
DeviceA
LACP port priority
1
2
3
The device with higher system priority
DeviceA
LACP port priority
1
2
3
LACP port priority
3
2
1
DeviceB
The device with lower system priority
Compare system priority and determine the Actor
LACP port priority
3
2
1
DeviceB
Actor
DeviceA
LACP port priority
1
2
3
The Actor determines active links
LACP port priority
3
2
1
DeviceB
Actor l LACP preemption
When LACP preemption is enabled, interfaces with higher priorities in an LAG function as active interfaces.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
37
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
, Port 1, Port 2, and Port 3 are member interfaces of an Eth-Trunk;
DeviceA acts as the Actor; the upper threshold for the number of active interfaces is 2;
LACP priorities of Port 1, Port 2, and Port 3 are 10, 20, and 30 respectively. When LACP negotiation is complete, Port 1 and Port 2 are selected as active interfaces because their
LACP priorities are higher, and Port 3 is used as the backup interface.
Figure 2-8 LACP preemption
DeviceA LACP port priority
Port 1 10
Port 2 20
Port 3 30
Eth-Trunk
Actor
DeviceB
Port 1
Port 2
Port 3
Active link
Backup link
Issue 01 (2014-11-30)
LACP preemption is used in the following situations:
– Port 1 becomes faulty, and then recovers. When Port 1 fails, Port 3 replaces Port 1 to transmit services. After Port 1 recovers, if LACP preemption is not enabled on the Eth-
Trunk, Port 1 still retains in backup state. If LACP preemption is enabled on the Eth-
Trunk, Port 1 and Port 3 become the active interface and backup interface respectively.
– If LACP preemption is enabled and Port 3 needs to replace Port 1 or Port 2 to become the active interface, set the highest LACP priority value for Port 3. When LACP preemption is not enabled, the system does not re-select the active interface even if the priority of a backup interface is higher than that of the active interface.
l LACP preemption delay
After LACP preemption occurs, a backup link waits for a given period of time and then switches to the active status. This period is called LACP preemption delay. The LACP preemption delay is used to prevent unstable data transmission over an Eth-Trunk link caused by frequent status changes of member links.
, Port 1 becomes inactive due to a link fault. Then the link of Port
1 recovers. If LACP preemption is enabled and the LACP preemption delay is set, Port 1 switches to be active after the LACP preemption delay.
l Switchover between active and inactive links
In LACP mode, a link switchover in an LAG is triggered if a device at one end detects one of the following events:
– An active link goes Down.
– Ethernet OAM detects a link fault.
– LACP detects a link fault.
– An active interface becomes unavailable.
– When LACP preemption is enabled, a backup interface's priority is changed to be higher than that of the current active interface.
When any of the preceding events occurs, perform the following operations:
1.
Shut down the faulty link.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
38
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
2.
Select the backup link with the highest priority among N backup links to replace the faulty active link.
The highest priority backup link becomes the active link and begins forwarding data.
2.2.5 Load Balancing Using Link Aggregation
A data flow is a group of data packets with one or more identical attributes. The attributes include the source MAC address, destination MAC address, source IP address, destination IP address, source TCP/UDP port number, and destination TCP/UDP port number.
Because there are multiple physical links between devices of the Eth-Trunk, the first data frame of the same data flow is transmitted on one physical link, and the second data frame may be transmitted on another physical link. In this case, the second data frame may arrive at the remote device earlier than the first data frame. As a result, packet mis-sequencing occurs.
To prevent packet mis-sequencing, Eth-Trunk uses the load balancing mechanism. This mechanism uses the hash algorithm to calculate the address in a data frame and generates a
HASH-KEY. Then the system searches for the outbound interface in the Eth-Trunk forwarding table based on the generated HASH-KEY value. Each MAC or IP address corresponds to a
HASH-KEY, so the system uses different outbound interfaces to forward data. This mechanism ensures that frames of the same data flow are forwarded on the same physical link and implements flow-based load balancing. Flow-based load balancing ensures the sequence of data transmission, but reduces the bandwidth usage.
2.3 Application Environment
This section describes application environments of Ethernet link aggregation.
2.3.1 Application of Eth-Trunk
As shown in Figure 2-9 , traffic of services with different priorities is sent to the core network
through the UPE and PE-AGG. To ensure the bandwidth and reliability of the link between the
UPE and PE-AGG, an LAG, Eth-Trunk 1, is established.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
39
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 2-9 Link aggregation networking
VoIP
2 Link Aggregation Configuration
UPE
……
Core
Network
PE-AGG
Eth-Trunk 1
……
IPTV
DATA
You can determine the working mode for the Eth-Trunk according to the following situations: l If devices at both ends of the Eth-Trunk support LACP, the LACP mode is recommended.
l If the device at either end of the Eth-Trunk does not support LACP, you must use the manual load balancing mode.
QoS can be implemented on an Eth-Trunk as a common interface. At both ends (UPE and PE-
AGG) of Eth-Trunk 1, traffic shaping, congestion management, and congestion avoidance can be performed for outgoing traffic, ensuring that packets of high priorities are sent in a timely manner.
2.4 Configuration Task Summary
The device supports the manual load balancing mode and Link Aggregation Control Protocol
(LACP) mode.
lists the link aggregation configuration tasks.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
40
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
Table 2-1 Configuration task summary of link aggregation
Item Description
Configure link aggregation in manual load balancing mode.
Configure link aggregation in
LACP mode.
In manual load balancing mode, you must manually create an Eth-Trunk and add member interfaces to the Eth-
Trunk. All active links forward data and evenly load balance traffic. The manual load balancing mode is often used when the remote device does not support LACP.
In LACP mode, you must manually create an Eth-
Trunk and add interfaces to the Eth-Trunk. LACP determines active interfaces by negotiating parameters in
LACPDUs. LACP provides backup links and ensures high reliability of member links
Task
2.5 Default Settings
This section describes default parameter settings of link aggregation.
Table 2-2 Default parameter settings of link aggregation
Parameter Value
Link aggregation mode
Upper threshold for the number of active member links
Manual load balancing mode
8
1 Lower threshold for the number of active member links
LACP system priority
LACP interface priority
LACP preemption
32768
32768
Disabled
LACP preemption delay
Timeout interval at which LACPDUs are received
30s
90s
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
41
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
2.6 Configuring Ethernet Link Aggregation
This section describes how to configure Ethernet link aggregation.
2.6.1 Configuring Link Aggregation in Manual Load Balancing
Mode
Link aggregation implements load balancing, increases bandwidth, and improves transmission reliability.
2.6.1.1 Creating an Eth-Trunk
Context
Eth-Trunks increase bandwidth and improve transmission reliability. You can configure Layer
2 and Layer 3 Eth-Trunks based on network applications.
Procedure
Issue 01 (2014-11-30) l Create a Layer 2 Eth-Trunk.
1.
Run: system-view
The system view is displayed.
2.
Run: interface eth-trunk trunk-id
A Layer 2 Eth-Trunk is created.
By default, an Eth-Trunk works in Layer 2 mode.
l Create a Layer 3 Eth-Trunk.
1.
Run: system-view
The system view is displayed.
2.
Run: interface eth-trunk trunk-id
A Layer 2 Eth-Trunk is created.
3.
Run: undo portswitch
The Eth-Trunk is configured to work in Layer 3 mode.
4.
Run: ip address ip-address { mask | mask-length } [ sub ]
An IP address is configured for the Layer 3 Eth-Trunk.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
42
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
5.
(Optional) Run: mtu mtu
The maximum transmission unit (MTU) of the Eth-Trunk is set.
The default MTU of an interface is 1500 bytes.
NOTICE l The mtu command cannot be used on Layer 2 Eth-Trunks.
l Directly connected interfaces must use the same MTU. If you change the MTU of a local interface, you must use the mtu command to change the MTU of the remote interface to be the same value; otherwise, services may be interrupted.
l After changing the MTU on an interface, run the shutdown command and then the undo shutdown command on the interface to make the setting take effect.
----End
2.6.1.2 Setting the Manual Load Balancing Mode
Context
Link aggregation can work in manual load balancing mode and LACP mode.
In manual load balancing mode, you must manually create an Eth-Trunk and add member interfaces to the Eth-Trunk. All active links forward data and evenly load balance traffic. The manual load balancing mode mode is used when the peer device does not support LACP.
Before changing the working mode of an Eth-Trunk, ensure that the Eth-Trunk contains no member interface.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run: mode manual load-balance
A working mode of the Eth-Trunk is configured.
By default, an Eth-Trunk works in manual load balancing mode.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
43
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
2.6.1.3 Adding Member Interfaces to an Eth-Trunk
Context
You can add member interfaces to an Eth-Trunk in the Eth-Trunk interface view or member interface view.
Procedure
Before configuring an Eth-Trunk, ensure that both ends use the same working mode. If the local end works in manual load balancing mode, the remote end must use the manual load balancing mode.
----End l Add member interfaces to an Eth-Trunk in the Eth-Trunk interface view.
1.
Run: system-view
The system view is displayed.
2.
Run: interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
3.
Run: trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8>
A member interface is added to the Eth-Trunk.
NOTE
When you add member interfaces to an Eth-Trunk in a batch, if one interface cannot be added to the Eth-Trunk, all subsequent interfaces in the batch cannot be added to the Eth-Trunk, either.
l Add member interfaces to an Eth-Trunk in the member interface view.
1.
Run: system-view
The system view is displayed.
2.
Run: interface interface-type interface-number
The member interface view is displayed.
3.
Run: eth-trunk trunk-id
The member interface is added to an Eth-Trunk.
When adding an interface to an Eth-Trunk, pay attention to the following points:
– An Eth-Trunk contains a maximum of 8 member interfaces.
– A member interface cannot be configured with some services or static MAC addresses.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
44
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 Link Aggregation Configuration
– When adding an interface to an Eth-Trunk, ensure that the interface uses the default link type.
– An Eth-Trunk cannot be added to another Eth-Trunk.
– An Ethernet interface can be added to only one Eth-Trunk. To add the Ethernet interface to another Eth-Trunk, delete it from the Eth-Trunk first.
– Member interfaces of an Eth-Trunk must use the same type.
– If an interface of the local device is added to an Eth-Trunk, an interface of the remote device directly connected to the interface of the local device must also be added to an
Eth-Trunk so that the two ends can communicate.
– After interfaces are added to an Eth-Trunk, the Eth-Trunk learns MAC addresses and
ARP entries but member interfaces do not.
– Devices at both ends of an Eth-Trunk must use the same number of physical interfaces, interface rate, duplex mode, jumbo and flow control mode.
----End
Follow-up Procedure
You can configure Eth-Trunk member interfaces to send trap messages after the Eth-Trunk member interface status changes. After the device receives a trap message, check whether the device fails or recovers.
If you need to know the status change of the member interface of a specified Eth-Trunk, run the trunk-member trap in private-mib enable command to enable Eth-Trunk member interfaces to use the proprietary MIB to send trap messages. The trap messages sent by using the proprietary
MIB carry Eth-Trunk IDs, whereas the trap messages sent by using the public MIB do not carry
Eth-Trunk IDs.
NOTE
After the trunk-member trap in private-mib enable command is configured, Eth-Trunk member interfaces only use the proprietary MIB to send trap messages. To view these trap messages, use the Huawei proprietary MIB.
2.6.1.4 (Optional) Setting the Lower Threshold for the Number of Active Interfaces
Context
The lower threshold for the number of active interfaces affects the status and bandwidth of an
Eth-Trunk. To ensure that the Eth-Trunk functions properly and is less affected by member link status changes, set the lower threshold for the number of active interfaces.
When the number of active interfaces falls below the lower threshold, the Eth-Trunk goes Down.
This ensures that the Eth-Trunk has a minimum available bandwidth.
NOTE
The upper threshold for the number of active interfaces is inapplicable to the manual load balancing mode.
Procedure
Step 1 Run: system-view
Issue 01 (2014-11-30) 45
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
The system view is displayed.
Step 2 Run: interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run: least active-linknumber link-number
The lower threshold for the number of active interfaces is set.
By default, the lower threshold for the number of active interfaces is 1.
The lower threshold for the number of active interfaces on the local industrial switch router can be different from that on the remote industrial switch router. If the two values are different, the larger one is used.
----End
2.6.1.5 (Optional) Configuring a Load Balancing Mode
Context
Perform the following steps on the device to configure a load balancing mode for an Eth-Trunk.
Procedure
Issue 01 (2014-11-30) l Configure a Layer 2 Eth-Trunk.
1.
Run: system-view
The system view is displayed.
2.
Run: load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dstmac }
A load balancing mode is configured for the Eth-Trunk.
By default, the load balancing mode of a Layer 2 Eth-Trunk is src-dst-mac .
Eth-Trunk member interfaces use flow-based load balancing. The local and remote ends can use different load balancing modes, without affecting each other.
NOTE
All Layer 2 Eth-Trunks in the system must use the same load balancing mode. If the load balancing mode of one Eth-Trunk is changed, all the other Eth-Trunks use the new load balancing mode.
l Configure a Layer 3 Eth-Trunk.
1.
Run: system-view
The system view is displayed.
2.
Run:
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
46
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
3.
Run: load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dstmac }
A load balancing mode is configured for the Eth-Trunk.
By default, the load balancing mode of a Layer 3 Eth-Trunk is src-dst-ip .
Eth-Trunk member interfaces use flow-based load balancing. The local and remote ends can use different load balancing modes, without affecting each other.
----End
2.6.1.6 Checking the Configuration
Procedure l Run the display eth-trunk [ trunk-id [ interface interface-type interface-number | verbose ] ] command to check the Eth-Trunk configuration.
l Run the display trunkmembership eth-trunk trunk-id command to check information about Eth-Trunk member interfaces.
l Run the display trunk resource command to check Eth-Trunk resources that have been used on a device.
----End
2.6.2 Configuring Link Aggregation in LACP Mode
Link aggregation implements load balancing, increases bandwidth, and improves transmission reliability.
2.6.2.1 Creating an Eth-Trunk
Context
Eth-Trunks increase bandwidth and improve transmission reliability. You can configure Layer
2 and Layer 3 Eth-Trunks based on network applications.
Procedure
Issue 01 (2014-11-30) l Create a Layer 2 Eth-Trunk.
1.
Run: system-view
The system view is displayed.
2.
Run: interface eth-trunk trunk-id
A Layer 2 Eth-Trunk is created.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
47
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
By default, an Eth-Trunk works in Layer 2 mode.
l Create a Layer 3 Eth-Trunk.
1.
Run: system-view
The system view is displayed.
2.
Run: interface eth-trunk trunk-id
A Layer 2 Eth-Trunk is created.
3.
Run: undo portswitch
The Eth-Trunk is configured to work in Layer 3 mode.
4.
Run: ip address ip-address { mask | mask-length } [ sub ]
An IP address is configured for the Layer 3 Eth-Trunk.
5.
(Optional) Run: mtu mtu
The maximum transmission unit (MTU) of the Eth-Trunk is set.
The default MTU of an interface is 1500 bytes.
NOTICE l The mtu command cannot be used on Layer 2 Eth-Trunks.
l Directly connected interfaces must use the same MTU. If you change the MTU of a local interface, you must use the mtu command to change the MTU of the remote interface to be the same value; otherwise, services may be interrupted.
l After changing the MTU on an interface, run the shutdown command and then the undo shutdown command on the interface to make the setting take effect.
----End
2.6.2.2 Setting the LACP Mode
Context
Issue 01 (2014-11-30)
Link aggregation can work in manual load balancing mode or LACP mode depending on whether
LACP is used.
In LACP mode, you must manually create an Eth-Trunk and add interfaces to the Eth-Trunk.
However, LACP determines active interfaces through negotiation.
Before changing the working mode of an Eth-Trunk, ensure that the Eth-Trunk contains no member interface.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
48
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run: mode lacp-static
A working mode of the Eth-Trunk is configured.
By default, an Eth-Trunk works in manual load balancing mode.
Before configuring an Eth-Trunk, ensure that both ends use the same working mode. If the local end works in LACP mode, the remote end must use the LACP mode.
----End
2.6.2.3 Adding Member Interfaces to an Eth-Trunk
Context
You can add member interfaces to an Eth-Trunk in the Eth-Trunk interface view or member interface view.
Procedure l Add member interfaces to an Eth-Trunk in the Eth-Trunk interface view.
1.
Run: system-view
The system view is displayed.
2.
Run: interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
3.
Run: trunkport interface-type { interface-number1 [ to interface-number2 ] }
&<1-8>
A member interface is added to the Eth-Trunk.
NOTE
When you add member interfaces to an Eth-Trunk in a batch, if one interface cannot be added to the Eth-Trunk, all subsequent interfaces in the batch cannot be added to the Eth-Trunk, either.
l Add member interfaces to an Eth-Trunk in the member interface view.
1.
Run: system-view
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
49
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
The system view is displayed.
2.
Run: interface interface-type interface-number
The member interface view is displayed.
3.
Run: eth-trunk trunk-id
The member interface is added to an Eth-Trunk.
When adding an interface to an Eth-Trunk, pay attention to the following points:
– An Eth-Trunk contains a maximum of 8 member interfaces.
– A member interface cannot be configured with some services or static MAC addresses.
– When adding an interface to an Eth-Trunk, ensure that the interface uses the default link type.
– An Eth-Trunk cannot be added to another Eth-Trunk.
– An Ethernet interface can be added to only one Eth-Trunk. To add the Ethernet interface to another Eth-Trunk, delete it from the Eth-Trunk first.
– Member interfaces of an Eth-Trunk must use the same type.
– If an interface of the local device is added to an Eth-Trunk, an interface of the remote device directly connected to the interface of the local device must also be added to an
Eth-Trunk so that the two ends can communicate.
– After interfaces are added to an Eth-Trunk, the Eth-Trunk learns MAC addresses and
ARP entries but member interfaces do not.
– Devices at both ends of an Eth-Trunk must use the same number of physical interfaces, interface rate, duplex mode, jumbo and flow control mode.
----End
Follow-up Procedure
You can configure Eth-Trunk member interfaces to send trap messages after the Eth-Trunk member interface status changes. After the device receives a trap message, check whether the device fails or recovers.
If you need to know the status change of the member interface of a specified Eth-Trunk, run the trunk-member trap in private-mib enable command to enable Eth-Trunk member interfaces to use the proprietary MIB to send trap messages. The trap messages sent by using the proprietary
MIB carry Eth-Trunk IDs, whereas the trap messages sent by using the public MIB do not carry
Eth-Trunk IDs.
NOTE
After the trunk-member trap in private-mib enable command is configured, Eth-Trunk member interfaces only use the proprietary MIB to send trap messages. To view these trap messages, use the Huawei proprietary MIB.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
50
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
2.6.2.4 (Optional) Setting the Upper and Lower Thresholds for the Number of
Active Interfaces
Context
The number of Up member links affects the status and bandwidth of an Eth-Trunk. To ensure that the Eth-Trunk functions properly and is less affected by member link status changes, set the following thresholds.
l Lower threshold for the number of active interfaces: When the number of active interfaces falls below this threshold, the Eth-Trunk goes Down. This guarantees the Eth-Trunk a minimum available bandwidth.
l Upper threshold for the number of active interfaces: It is used for improving network reliability with assured bandwidth. When the number of active interfaces reaches this threshold, you can add new member interfaces to the Eth-Trunk, but excess member interfaces enter the Down state.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run: least active-linknumber link-number
The lower threshold for the number of active interfaces is set.
By default, the lower threshold for the number of active interfaces is 1.
The lower threshold for the number of active interfaces on the local device can be different from that on the remote device. If the two values are different, the larger one is used.
Step 4 Run: max active-linknumber link-number
The upper threshold for the number of active interfaces is set.
By default, the upper threshold for the number of active interfaces is 8.
The upper threshold for the number of active interfaces at the local end can be different from that at the remote end. If the two values are different, the smaller one is used.
NOTE
The upper threshold for the number of active interfaces must be greater than or equal to the lower threshold for the number of active interfaces.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
51
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
2.6.2.5 (Optional) Configuring a Load Balancing Mode
2 Link Aggregation Configuration
Context
Perform the following steps on the device to configure a load balancing mode for an Eth-Trunk.
Procedure l Configure a Layer 2 Eth-Trunk.
1.
Run: system-view
The system view is displayed.
2.
Run: load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dstmac }
A load balancing mode is configured for the Eth-Trunk.
By default, the load balancing mode of a Layer 2 Eth-Trunk is src-dst-mac .
Eth-Trunk member interfaces use flow-based load balancing. The local and remote ends can use different load balancing modes, without affecting each other.
NOTE
All Layer 2 Eth-Trunks in the system must use the same load balancing mode. If the load balancing mode of one Eth-Trunk is changed, all the other Eth-Trunks use the new load balancing mode.
l Configure a Layer 3 Eth-Trunk.
1.
Run: system-view
The system view is displayed.
2.
Run: interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
3.
Run: load-balance { dst-ip | dst-mac | src-ip | src-mac | src-dst-ip | src-dstmac }
A load balancing mode is configured for the Eth-Trunk.
By default, the load balancing mode of a Layer 3 Eth-Trunk is src-dst-ip .
Eth-Trunk member interfaces use flow-based load balancing. The local and remote ends can use different load balancing modes, without affecting each other.
----End
2.6.2.6 (Optional) Setting the LACP System Priority
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
52
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Context
2 Link Aggregation Configuration
LACP system priority differentiates priorities of devices at both ends. In LACP mode, active interfaces selected by devices at both ends must be consistent; otherwise, the LAG cannot be set up. To keep active interfaces consistent at both ends, you can set the priority of one device to be higher than that of the other device so that the other device can select active interfaces according to those selected by the device with a higher priority.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: lacp priority-command-mode { default | system-priority }
The configuration mode of the LACP system priority is set.
By default, the configuration mode of the LACP system priority is default .
If the lacp priority command used to set the LACP interface priority is executed in the system view, the Eth-Trunk in LACP mode may alternate between Up and Down. To prevent this situation, run the lacp priority-command-mode command in the system view to set the configuration mode of the LACP system priority to system-priority . This mode can be used to differentiate the LACP system priority and LACP interface priority.
Step 3 Use either of the following methods to set the LACP system priority based on the configuration mode.
l default mode
Run the lacp priority priority command to set the LACP system priority.
l system-priority mode
Run the lacp system-priority priority command to set the LACP system priority.
A smaller LACP priority value indicates a higher priority. By default, the LACP system priority is 32768.
The end with a smaller priority value functions as the Actor. If the two ends have the same priority, the end with a smaller MAC address functions as the Actor.
----End
2.6.2.7 (Optional) Setting the LACP Interface Priority
Context
Issue 01 (2014-11-30)
In LACP mode, LACP interface priorities are set to prioritize interfaces of the same device.
Interfaces with higher priorities are selected as active interfaces.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
53
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The member interface view is displayed.
Step 3 Run: lacp priority priority
The LACP priority of the member interface is configured.
By default, the LACP interface priority is 32768. A smaller priority value indicates a higher
LACP priority.
NOTE
By default, the system selects active interfaces based on interface priorities. However, low-speed member interfaces with high priorities may be selected as active interfaces. To select high-speed member interfaces as active interfaces, run the lacp selected { priority | speed } command to configure the system to select active interfaces based on the interface rate.
----End
2.6.2.8 (Optional) Configuring LACP Preemption
Context
The LACP preemption function ensures that the interface with the highest LACP priority always functions as an active interface. For example, the interface with the highest priority becomes inactive due to a failure. If LACP preemption is enabled, the interface becomes active again after it recovers; if LACP preemption is disabled, the interface cannot become active interface after it recovers.
The LACP preemption delay is the period during which an inactive interface switches to active.
The LACP preemption delay prevents instable data transmission on an Eth-Trunk link due to frequent status changes of some links.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run: lacp preempt enable
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
54
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
LACP preemption is enabled.
By default, LACP preemption is disabled.
NOTE
To ensure normal running of an Eth-Trunk, enable or disable LACP preemption at both ends of the Eth-
Trunk.
Step 4 Run: lacp preempt delay delay-time
The LACP preemption delay is set.
By default, the LACP preemption delay is 30 seconds.
NOTE
If both devices of an Eth-Trunk use different preemption delays, a longer preemption delay is used.
----End
2.6.2.9 (Optional) Setting the Timeout Interval for Receiving LACPDUs
Context
If the Eth-Trunk on the local device cannot detect a self-loop or fault that occurred on a member interface in the LAG on the remote device, data on the local device is still load balanced among original active interfaces. As a result, data traffic on the faulty link is discarded.
After the timeout interval at which LACPDUs are received is set, if a local member interface does not receive any LACPDUs within the configured timeout interval, the local member interface becomes Down immediately and no longer forwards data.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run: lacp timeout { fast [ user-defined user-defined ] | slow }
The timeout interval at which LACPDUs are received is set.
By default, the timeout interval at which an Eth-Trunk receives LACPDUs is 90 seconds.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
55
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
NOTE l After you run the lacp timeout command, the local end notifies the remote end of the timeout interval by sending LACPDUs. When fast is specified, the interval for sending LACPDUs is 1 second. When slow is specified, the interval for sending LACPDUs is 30 seconds.
l The timeout interval for receiving LACPDUs is three times the interval for sending LACPDUs. When fast is specified, the timeout interval for receiving LACPDUs is 3 seconds. When slow is specified, the timeout interval for receiving LACPDUs is 90 seconds.
l You can use different modes of the timeout interval at the two ends. However, to facilitate maintenance, you are advised to use the same mode at both ends.
----End
2.6.2.10 Checking the Configuration
Procedure l Run the display eth-trunk [ trunk-id [ interface interface-type interface-number | verbose ] ] command to check the Eth-Trunk configuration.
l Run the display trunkmembership eth-trunk trunk-id command to check information about Eth-Trunk member interfaces.
l Run the display trunk resource command to check Eth-Trunk resources that have been used on a device.
----End
2.6.3 Creating an Eth-Trunk Sub-interface
Sub-interfaces can be configured on a Layer 3 Eth-Trunk. When Layer 3 devices connect to
Layer 2 devices in different VALNs through the Layer 3 Eth-Trunk, sub-interfaces must be configured on the Eth-Trunk to identify packets from different VLANs and to enable users in different VLANs to communicate with each other.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface eth-trunk trunk-id
An Eth-Trunk is created and the Eth-Trunk interface view is displayed.
Step 3 Run: undo portswitch
A Layer 3 Eth-Trunk is configured.
Step 4 Run: quit
The system view is displayed.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
56
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
Step 5 Run: interface eth-trunk trunk-id.subnumber
An Eth-Trunk sub-interface is created.
subnumber specifies the number of a sub-interface. The value ranges from 1 to 4096.
Step 6 Run: ip address ip-address { mask | mask-length } [ sub ]
An IP address is configured for the sub-interface.
When configuring multiple IP addresses for an Eth-Trunk sub-interface, use the sub keyword to indicate the IP addresses configured after the first one.
----End
2.7 Maintaining Link Aggregation
This section describes how to maintain link aggregation, including monitoring the link aggregation running status and clearing LACPDU statistics.
2.7.1 Clearing LACP Packet Statistics
Context
NOTICE
The cleared LACPDU statistics cannot be restored. Exercise caution when you run the reset command.
Procedure l Run the reset lacp statistics eth-trunk [ trunk-id [ interface interface-type interfacenumber ] ] command in the user view to clear statistics about LACPDUs received and sent.
l Run the reset lacp error packet statistics command in the user view to clear statistics on error LACPDUs.
----End
2.7.2 Monitoring the LAG Operating
Context
Issue 01 (2014-11-30)
During routine maintenance, run the following commands in any view to check the LAG operating status.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
57
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
Procedure l Run the display eth-trunk [ trunk-id [ interface interface-type interface-number | verbose ] ] command to check the Eth-Trunk configuration.
l Run the display lacp statistics eth-trunk [ trunk-id [ interface interface-type interfacenumber ] ] command to check the statistics about LACPDUs sent and received in LACP mode.
l Run the display interface eth-trunk [ trunk-id ] command to check the Eth-Trunk status.
l Run the display trunkmembership eth-trunk trunk-id command to check information about member interfaces of an Eth-Trunk.
----End
2.7.3 Using Ping to Monitor the Reachability of Layer 3 Eth-Trunk
Member Interfaces
Context
Multiple physical interfaces can be bundled into an Eth-Trunk, and these physical interfaces are
Eth-Trunk member interfaces. Each member interface uses a specified transmission path. The path-specific service parameters, such as delay, jitter, and packet loss ratio, are also different.
Therefore, you cannot determine which member interface is faulty when the quality of services on an Eth-Trunk deteriorates. To resolve this problem, perform a ping test to detect each physical link to help locate the faulty link.
NOTE
The ping test applies to scenarios where two devices are directly connected through an Eth-Trunk.
Pre-configuration Tasks
Before using ping to monitor the reachability of Layer 3 Eth-Trunk member interfaces, complete the following task: l Running the undo portswitch command to configure the Eth-Trunk to work in Layer 3 mode and configuring an IP address for the Layer 3 Eth-Trunk
NOTE
An Eth-Trunk works in Layer 2 mode by default.
Procedure
Step 1 Enable the receive end to monitor Layer 3 Eth-Trunk member interfaces.
1.
Run: system-view
The system view is displayed.
2.
Run: trunk member-port-inspect
The receive end is enabled to monitor Layer 3 Eth-Trunk member interfaces.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
58
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
2 Link Aggregation Configuration
By default, the receive end is disabled from monitoring Layer 3 Eth-Trunk member interfaces.
NOTE
The trunk member-port-inspect command takes effect for all Layer 3 Eth-Trunks on a device. To test the connectivity of Eth-Trunks, disable this function after detection of Eth-Trunk member interfaces is completed. If this function is not disabled, the device keeps monitoring Eth-Trunk member interfaces, which consumes a lot of system resources.
Step 2 Enable the transmit end to monitor Layer 3 Eth-Trunk member interfaces.
1.
Run: ping [ ip ] [ -a source-ip-address | -c count | -d | -h ttl-value | -i interface-type interface-number | -m time | -p pattern | -q | -r | -s packetsize | -system-time | -t timeout | -v | -vpn-instance vpn-instancename ] * host [ ip-forwarding ]
The transmit end is enabled to monitor the reachability of Layer 3 Eth-Trunk member interfaces.
NOTE
When testing the reachability of Layer 3 Eth-Trunk member interfaces, you must specify the -a and -i parameters in the ping command. -a and -i indicate the source IP address and source interface of ICMP
Echo Request packets respectively.
The ping command output contains the following information: l Response to each ping message: If an echo response message is not received by the transmit end after the corresponding timer expires, a message reading "Request time out" is displayed, indicating that an Eth-Trunk member interface fails. If an echo response message is received, the data bytes, message sequence number, and response time are displayed, indicating that no Eth-Trunk member interface fails.
l Final statistics: The statistics include the number of sent and received packets, percentage of failure response packets, and minimum, maximum, and average response times.
<Huawei> ping -a 192.168.1.1 -i gigabitethernet 1/0/1 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=254 time=2 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=254 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=254 time=2 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=254 time=1 ms
Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=254 time=2 ms
--- 10.1.1.2 ping statistics
---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
Issue 01 (2014-11-30) 59
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
round-trip min/avg/max = 1/1/2 ms
----End
2 Link Aggregation Configuration
2.8 Configuration Examples
This section provides several configuration examples of link aggregation.
2.8.1 Example for Configuring Link Aggregation in Manual Load
Balancing Mode
Networking Requirements
As shown in Figure 2-10 , RouterA and RouterB connect to devices in VLAN 10 and VLAN 20
through Ethernet links, and heavy traffic is transmitted between RouterA and RouterB.
RouterA and RouterB can provide higher link bandwidth to implement inter-VLAN communication. Reliability of data transmission needs to be ensured.
Figure 2-10 Configuring link aggregation in manual load balancing mode
VLAN10 VLAN20
Eth1/0/4
RouterA
Eth1/0/5
VLAN20
Eth1/0/1
Eth1/0/2
Eth1/0/3
Eth-Trunk 1
Eth-Trunk
Eth1/0/1
Eth1/0/2
Eth1/0/3
Eth-Trunk 1
Eth1/0/4
RouterB
Eth1/0/5
VLAN10
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create an Eth-Trunk and add member interfaces to the Eth-Trunk to increase link bandwidth.
2.
Create VLANs and add interfaces to the VLANs.
3.
Configure a load balancing mode to ensure that traffic is load balanced among Eth-Trunk member interfaces.
Procedure
Step 1 Create an Eth-Trunk on RouterA and add member interfaces to the Eth-Trunk. The configuration of RouterB is similar to the configuration of RouterA, and is not mentioned here.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
60
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface Eth-Trunk1
[RouterA-Eth-Trunk1] trunkport ethernet 1/0/1 to 1/0/3
[RouterA-Eth-Trunk1] quit
Step 2 Create VLANs and add interfaces to the VLANs. The configuration of RouterB is similar to the configuration of RouterA, and is not mentioned here.
# Create VLAN 10 and VLAN 20, and add interfaces to VLAN 10 and VLAN 20.
[RouterA] vlan batch 10 20
[RouterA] interface ethernet 1/0/4
[RouterA-Ethernet1/0/4] port link-type trunk
[RouterA-Ethernet1/0/4] port trunk allow-pass vlan 10
[RouterA-Ethernet1/0/4] quit
[RouterA] interface ethernet 1/0/5
[RouterA-Ethernet1/0/5] port link-type trunk
[RouterA-Ethernet1/0/5] port trunk allow-pass vlan 20
[RouterA-Ethernet1/0/5] quit
# Configure Eth-Trunk 1 to allow packets from VLAN 10 and VLAN 20 to pass through.
[RouterA] interface Eth-Trunk1
[RouterA-Eth-Trunk1] port link-type trunk
[RouterA-Eth-Trunk1] port trunk allow-pass vlan 10 20
Step 3 Configure a load balancing mode for Eth-Trunk 1. The configuration of RouterB is similar to the configuration of RouterA, and is not mentioned here.
[RouterA-Eth-Trunk1] load-balance src-dst-mac
[RouterA-Eth-Trunk1] quit
Step 4 Verify the configuration.
# Run the display eth-trunk 1 command in any view to check whether the Eth-Trunk is created and whether member interfaces are added.
[RouterA] display eth-trunk 1
Eth-Trunk1's state information is:
WorkingMode: NORMAL Hash arithmetic: According to SIP-XOR-
DIP
Least Active-linknumber: 1 Max Bandwidth-affected-linknumber: 8
Operate status: up Number Of Up Ports In Trunk: 3
--------------------------------------------------------------------------------
PortName Status Weight
Ethernet1/0/1 Up 1
Ethernet1/0/2 Up 1
Ethernet1/0/3 Up 1
# The preceding command output shows that Eth-Trunk 1 has three member interfaces:
Ethernet1/0/1, Ethernet1/0/2, and Ethernet1/0/3. The member interfaces are all in Up state.
----End
Configuration Files
Configuration file of RouterA
#
sysname RouterA
# vlan batch 10 20
# interface Eth-Trunk1
port link-type trunk
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
61
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
# interface Ethernet1/0/1
eth-trunk 1
# interface Ethernet1/0/2
eth-trunk 1
# interface Ethernet1/0/3
eth-trunk 1
# interface Ethernet1/0/4
port link-type trunk
port trunk allow-pass vlan 10
# interface Ethernet1/0/5
port link-type trunk
port trunk allow-pass vlan 20
# return
Configuration file of RouterB
#
sysname RouterB
# vlan batch 10 20
# interface Eth-Trunk1
port link-type trunk
port trunk allow-pass vlan 10 20
load-balance src-dst-mac
# interface Ethernet1/0/1
eth-trunk 1
# interface Ethernet1/0/2
eth-trunk 1
# interface Ethernet1/0/3
eth-trunk 1
# interface Ethernet1/0/4
port link-type trunk
port trunk allow-pass vlan 20
# interface Ethernet1/0/5
port link-type trunk
port trunk allow-pass vlan 10
# return
2.8.2 Example for Configuring Link Aggregation in LACP Mode
Networking Requirements
To increase the bandwidth and improve the connection reliability, you can configure an LAG on two directly connected routers, as shown in
. The requirements are as follows: l The LAG contains three member links. Two links function as active links to implement load balancing, and the other link functions as the backup link.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
62
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration l When a fault occurs on an active link, the backup link replaces the faulty one to ensure nonstop services.
Figure 2-11 Link aggregation in LACP mode
RouterA
Eth-Trunk 1
Eth 2/0/1
Eth 2/0/2
Eth 2/0/3
Eth-Trunk
Eth-Trunk 1
Eth 2/0/1
Eth 2/0/2
Eth 2/0/3
RouterB
Active link
Backup link
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create an Eth-Trunk on each router and configure the Eth-Trunk to work in LACP mode.
2.
Add member interfaces to the Eth-Trunk.
3.
Set the LACP system priority and determine the Actor.
4.
Set the maximum number of active interfaces in the Eth-Trunk.
5.
Set LACP interface priorities and determine active links.
Procedure
Step 1 Create Eth-Trunk 1 and configure Eth-Trunk 1 to work in LACP mode.
# Configure RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] interface eth-trunk 1
[RouterA-Eth-Trunk1] mode lacp-static
[RouterA-Eth-Trunk1] quit
# Configure RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] interface eth-trunk 1
[RouterB-Eth-Trunk1] mode lacp-static
[RouterB-Eth-Trunk1] quit
Step 2 Add member interfaces to Eth-Trunk 1.
# Configure RouterA.
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] eth-trunk 1
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] eth-trunk 1
[RouterA-Ethernet2/0/2] quit
[RouterA] interface ethernet 2/0/3
[RouterA-Ethernet2/0/3] eth-trunk 1
[RouterA-Ethernet2/0/3] quit
# Configure RouterB.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
63
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
[RouterB] interface ethernet 2/0/1
[RouterB-Ethernet2/0/1] eth-trunk 1
[RouterB-Ethernet2/0/1] quit
[RouterB] interface ethernet 2/0/2
[RouterB-Ethernet2/0/2] eth-trunk 1
[RouterB-Ethernet2/0/2] quit
[RouterB] interface ethernet 2/0/3
[RouterB-Ethernet2/0/3] eth-trunk 1
[RouterB-Ethernet2/0/3] quit
Step 3 Set the LACP system priority on RouterA to 100 so that RouterA becomes the Actor.
[RouterA] lacp priority 100
Step 4 Set maximum number of active interfaces in Eth-Trunk 1 on RouterA to 2.
[RouterA] interface eth-trunk 1
[RouterA-Eth-Trunk1] max active-linknumber 2
[RouterA-Eth-Trunk1] quit
Step 5 Set LACP interface priorities and determine active links on RouterA.
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] lacp priority 100
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] lacp priority 100
[RouterA-Ethernet2/0/2] quit
Step 6 Verify the configuration.
# Check information about the Eth-Trunk of the routers and check whether the negotiation is successful.
[RouterA] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
System Priority: 100 System ID: 00e0-fca8-0417
Least Active-linknumber: 1 Max Active-linknumber: 2
Operate status: Up Number Of Up Port In Trunk: 2
------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState
Weight
Ethernet2/0/1 Selected 100M 100 6145 2865 11111100
1
Ethernet2/0/2 Selected 100M 100 6146 2865 11111100
1
Ethernet2/0/3 Unselect 100M 32768 6147 2865 11100000
1
Partner:
------------------------------------------------------------------------------
PartnerPortName SysPri SystemID PortPri PortNo PortKey PortState
Ethernet2/0/1 32768 00e0-fca6-7f85 32768 6145 2609 11111100
Ethernet2/0/2 32768 00e0-fca6-7f85 32768 6146 2609 11111100
Ethernet2/0/3 32768 00e0-fca6-7f85 32768 6147 2609 11110000
[RouterB] display eth-trunk 1
Eth-Trunk1's state information is:
Local:
LAG ID: 1 WorkingMode: STATIC
Preempt Delay: Disabled Hash arithmetic: According to SA-XOR-DA
System Priority: 32768 System ID: 00e0-fca6-7f85
Least Active-linknumber: 1 Max Active-linknumber: 8
Operate status: Up Number Of Up Port In Trunk: 2
------------------------------------------------------------------------------
ActorPortName Status PortType PortPri PortNo PortKey PortState
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
64
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
Weight
Ethernet2/0/1 Selected 100M 32768 6145 2609 11111100
1
Ethernet2/0/2 Selected 100M 32768 6146 2609 11111100
1
Ethernet2/0/3 Unselect 100M 32768 6147 2609 11100000
1
Partner:
------------------------------------------------------------------------------
PartnerPortName SysPri SystemID PortPri PortNo PortKey
PortState
Ethernet2/0/1 100 00e0-fca8-0417 100 6145 2865
11111100
Ethernet2/0/2 100 00e0-fca8-0417 100 6146 2865
11111100
Ethernet2/0/3 100 00e0-fca8-0417 32768 6147 2865
11110000
According to the preceding information, the system priority of RouterA is 100, which is higher than the system priority of RouterB; Ethernet2/0/1 and Ethernet2/0/2 are active interfaces and are in Selected state; Ethernet2/0/3 is in Unselect state. That is, load balancing and redundancy are implemented.
----End
Configuration Files l Configuration file of RouterA
#
sysname RouterA
#
lacp priority 100
# interface Eth-Trunk1
mode lacp-static
max active-linknumber 2
# interface Ethernet2/0/1
eth-trunk 1
lacp priority 100
# interface Ethernet2/0/2
eth-trunk 1
lacp priority 100
# interface Ethernet2/0/3
eth-trunk 1
# return l Configuration file of RouterB
#
sysname RouterB
# interface Eth-Trunk1
mode lacp-static
# interface Ethernet2/0/1
eth-trunk 1
# interface Ethernet2/0/2
eth-trunk 1
# interface Ethernet2/0/3
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
65
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
eth-trunk 1
# return
2.8.3 Example for Configuring Layer 3 Link Aggregation
Networking Requirements
RouterA and RouterB are connected by two Layer 3 Ethernet interfaces. To increase link bandwidth and improve reliability, you can create an Eth-Trunk on each router and add the Layer
3 Ethernet interfaces to the Eth-Trunk.
Figure 2-12 Networking of Layer 3 link aggregation
RouterA
Eth1/0/0
Eth2/0/0
Eth-Trunk1
10.1.1.1/24
Eth1/0/0
RouterB
Eth-Trunk1
10.1.1.2/24
Eth2/0/0
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create a Layer 3 Eth-Trunk on each device and configure an IP address for each Eth-Trunk.
2.
Add Ethernet interfaces to the Eth-Trunk.
Procedure
Step 1 Configure RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
# Create a Layer 3 Eth-Trunk (Eth-Trunk 1) and configure an IP address for Eth-Trunk 1.
[RouterA] interface eth-trunk 1
[RouterA-Eth-Trunk1] undo portswitch
[RouterA-Eth-Trunk1] ip address 10.1.1.1 24
[RouterA-Eth-Trunk1] quit
# Add Ethernet1/0/0 and Ethernet2/0/0 to Eth-Trunk 1.
[RouterA] interface ethernet 1/0/0
[RouterA-Ethernet1/0/0] eth-trunk 1
[RouterA-Ethernet1/0/0] quit
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] eth-trunk 1
[RouterA-Ethernet2/0/0] quit
Step 2 Configure RouterB.
<Huawei> system-view
[Huawei] sysname RouterB
# Create a Layer 3 Eth-Trunk (Eth-Trunk 1) and configure an IP address for Eth-Trunk 1.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
66
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
[RouterB] interface eth-trunk 1
[RouterB-Eth-Trunk1] undo portswitch
[RouterB-Eth-Trunk1] ip address 10.1.1.2 24
[RouterB-Eth-Trunk1] quit
# Add Ethernet1/0/0 and Ethernet2/0/0 to Eth-Trunk 1.
[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] eth-trunk 1
[RouterB-Ethernet1/0/0] quit
[RouterB] interface ethernet 2/0/0
[RouterB-Ethernet2/0/0] eth-trunk 1
[RouterB-Ethernet2/0/0] quit
Step 3 Verify the configuration.
Run the display interface eth-trunk command on RouterA or RouterB. You can see that the
Eth-Trunks are in Up state.
The display on RouterA is used as an example.
[RouterA] display interface eth-trunk 1
Eth-Trunk1 current state : UP
Line protocol current state : UP
Description:HUAWEI, AR Series, Eth-Trunk1 Interface
Route Port, Hash arithmetic : According to SIP-XOR-DIP,The Maximum Transmit Unit is 1500
Internet Address is 10.1.1.1/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc09-9722
Current system time: 2011-4-14 14:51:01
Input bandwidth utilization : 0.00%
Output bandwidth utilization : 0.00%
-----------------------------------------------------
PortName Status Weight
-----------------------------------------------------
Ethernet1/0/0 UP 1
Ethernet2/0/0 UP 1
-----------------------------------------------------
The Number of Ports in Trunk : 2
The Number of UP Ports in Trunk : 2
The Eth-Trunks on RouterA and RouterB can ping each other.
[RouterA] ping -a 10.1.1.1 10.1.1.2
PING 10.1.1.2: 56 data bytes, press CTRL_C to break
Reply from 10.1.1.2: bytes=56 Sequence=1 ttl=255 time=31 ms
Reply from 10.1.1.2: bytes=56 Sequence=2 ttl=255 time=31 ms
Reply from 10.1.1.2: bytes=56 Sequence=3 ttl=255 time=62 ms
Reply from 10.1.1.2: bytes=56 Sequence=4 ttl=255 time=62 ms
Reply from 10.1.1.2: bytes=56 Sequence=5 ttl=255 time=62 ms
--- 10.1.1.2 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 31/49/62 ms
----End
Configuration Files l Configuration file of RouterA
#
sysname RouterA
# interface Eth-Trunk1
undo portswitch
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
67
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
ip address 10.1.1.1 255.255.255.0
# interface Ethernet1/0/0
eth-trunk 1
# interface Ethernet2/0/0
eth-trunk 1
# return l Configuration file of RouterB
#
sysname RouterB
# interface Eth-Trunk1
undo portswitch
ip address 10.1.1.2 255.255.255.0
# interface Ethernet1/0/0
eth-trunk 1
# interface Ethernet2/0/0
eth-trunk 1
# return
2 Link Aggregation Configuration
2.9 Common Configuration Errors
This section describes common configuration errors.
2.9.1 Traffic Is Unevenly Load Balanced Among Eth-Trunk Member
Interfaces Because the Load Balancing Mode Is Incorrect
Fault Description
Traffic is unevenly load balanced among Eth-Trunk member interfaces due to the incorrect load balancing mode.
Procedure
1.
Run the display eth-trunk command to check whether the load balancing mode of the Eth-
Trunk meets networking requirements. For example, source or destination IP address-based load balancing is not recommended in Layer 2 networking.
2.
Run the load-balance command to set an appropriate load balancing mode.
2.10 References
This section describes references of link aggregation.
The following table lists the reference of this document.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
68
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 2 Link Aggregation Configuration
Document
IEEE 802.3AD
Description
IEEE Std 802.3ad - 2005 IEEE Standard for Link Aggregation operation , Link Aggregation Control , Link Aggregation
Control Protocol , Marker protocol and Configuration capabilities and restrictions.
-
Rema rks
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
69
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
3
VLAN Configuration
About This Chapter
VLANs have advantages of broadcast domain isolation, security hardening, flexible networking, and good extensibility.
This section describes definition, purpose and benefits of VLAN.
This section describes principles of VLAN.
This section describes the applicable environment of the VLAN.
3.4 Configuration Task Summary
This chapter describes the configuration task summary of VLAN.
This section describes the default configuration of VLAN.
This section describes the VLAN configuration.
3.8 Common Configuration Errors
This section describes common VLAN configuration errors.
This section describes references of VLAN.
70 Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
3.1 Introduction to VLAN
This section describes definition, purpose and benefits of VLAN.
Definition
The Virtual Local Area Network (VLAN) technology divides a physical LAN into multiple broadcast domains, each of which is called a VLAN. Hosts within a VLAN can communicate with each other, while hosts in different VLANs cannot directly communicate with each other.
Therefore, the broadcast packets are limited in each VLAN.
Purpose
The Ethernet technology is used to share communication media and data based on the Carrier
Sense Multiple Access/Collision Detection (CSMA/CD). If there are a large number of hosts on an Ethernet network, collision becomes a serious problem and can lead to broadcast storms. As a result, network performance deteriorates. Switches can be used to connect LANs, preventing collision. However, broadcast packets cannot be isolated and network quality cannot be improved.
The VLAN technology divides a physical LAN into multiple broadcast domains, each of which is called a VLAN. Hosts within a VLAN can communicate with each other, while hosts in different VLANs cannot communicate with each other directly. Therefore, the broadcast packets are limited in each VLAN.
NOTE
In this document, the Layer 2 switch is referred to as the switch for short.
Figure 3-1 Networking diagram for a typical VLAN application
Router
Issue 01 (2014-11-30)
VLAN-A
Switch1
VLAN-B
VLAN-C
Switch2
Huawei Proprietary and Confidential
Switch3
Copyright © Huawei Technologies Co., Ltd.
71
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
shows a typical VLAN application. Three switches are placed in different locations
(for example, in different floors of a building); each switch is connected to three hosts that respectively belong to different VLANs (for example, different companies).
Benefits
The VLAN technology brings the following benefits to customers: l Limits broadcast domains. A broadcast domain is limited in a VLAN. This saves bandwidth and improves network processing capabilities.
l Enhances network security. Packets from different VLANs are separately transmitted.
Hosts in a VLAN cannot directly communicate with hosts in another VLAN.
l Improves network robustness. A fault in a VLAN does not affect hosts in other VLANs.
l Flexibly sets up virtual groups. With the VLAN technology, hosts in different geographical areas can be grouped together. This facilitates network construction and maintenance.
3.2 Principles
This section describes principles of VLAN.
3.2.1 Basic Concepts of VLAN
VLAN frame format
A conventional Ethernet frame is encapsulated with the Length/Type field for an upper-layer protocol following the Destination address and Source address fields, as shown in
.
Figure 3-2 Conventional Ethernet frame format
6bytes
Destination address
6bytes
Source address
2bytes
Length/Type
46-1500bytes 4bytes
Data FCS
IEEE 802.1Q is an Ethernet networking standard for a specified Ethernet frame format. It adds a 4-byte field between the Source address and the Length/Type fields of the original frame, as shown in
.
Figure 3-3 802.1Q frame format
6bytes
Destination address
6bytes
Source address
4bytes 2bytes
802.1Q
Tag
Length/
Type
46-1500bytes 4bytes
Data FCS
Issue 01 (2014-11-30)
TPID PRI CFI VID
2bytes 3bits 1bit 12bits
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
72
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
describes the fields contained in an 802.1Q tag.
Table 3-1 Fields contained in an 802.1Q tag
Field Leng th
Name
TPID
PRI
CFI
VID
2 bytes
3 bits
1 bit
12 bits
Tag Protocol Identifier (TPID), indicating the frame type.
Priority (PRI), indicating the frame priority.
Canonical Format Indicator
(CFI), indicating whether the
MAC address is in canonical format.
VLAN ID (VID), indicating the
VLAN to which the frame belongs.
Description
The value 0x8100 indicates an 802.1Qtagged frame. If an 802.1Q-incapable device receives an 802.1Q frame, it will discard the frame.
The value ranges from 0 to 7. The greater the value, the higher the priority.
These values can be used to prioritize different classes of traffic to ensure that frames with high priorities are transmitted first when traffic is heavy.
If the value is 0, the MAC address is in the canonical format. CFI is used to ensure compatibility between Ethernet networks and Token Ring networks. It is always set to zero for Ethernet switches.
VLAN IDs range from 0 to 4095. The values 0 and 4095 are reserved, and therefore VLAN IDs range from 1 to
4094.
Each frame sent by an 802.1Q-capable switch carries a VLAN ID. In a VLAN, Ethernet frames are classified into the following types: l Tagged frames: frames with 4-byte 802.1Q tags.
l Untagged frames: frames without 4-byte 802.1Q tags.
Link Types
As shown in Figure 3-4 , there are the following types of VLAN links:
l Access link: connects a host to a switch. Generally, a host does not know which VLAN it belongs to, and host hardware cannot distinguish frames with VLAN tags. Therefore, hosts send and receive only untagged frames.
l Trunk link: connects a switch to another switch or to a router. Data of different VLANs are transmitted along a trunk link. The two ends of a trunk link must be able to distinguish frames with VLAN tags. Therefore, only tagged frames are transmitted along trunk links.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
73
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 3-4 Link types
VLAN3
PC3
VLAN3
PC4
3 VLAN Configuration
Access link
3
3
2
DeviceB
Trunk link DeviceA Trunk link
2
Access link
3
2
DeviceC
PC1
VLAN2
PC2
VLAN2 untagged frames in VLAN2 2 untagged frames in VLAN3 3 frames tagged with VLAN2 frames tagged with VLAN3
Access Link
Trunk Link
NOTE l A host does not need to know the VLAN to which it belongs. It sends only untagged frames.
l After receiving an untagged frame from a host, a switching device determines the VLAN to which the frame belongs. The determination is based on the configured VLAN assignment method such as port information, and then the switching device processes the frame accordingly.
l If the frame needs to be forwarded to another switching device, the frame must be transparently transmitted along a trunk link. Frames transmitted along trunk links must carry VLAN tags to allow other switching devices to properly forward the frame based on the VLAN information.
l Before sending the frame to the destination host, the switching device connected to the destination host removes the VLAN tag from the frame to ensure that the host receives an untagged frame.
Generally, only tagged frames are transmitted on trunk links; only untagged frames are transmitted on access links. In this manner, switching devices on the network can properly process VLAN information and hosts are not concerned about VLAN information.
Port Types
Issue 01 (2014-11-30)
After the 802.1Q defines VLAN frames, some ports on the device can identify VLAN frames, while others cannot. According to whether VLAN frames can be identified, ports can be classified into four types: l Access port
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
74
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
As shown in Figure 3-4 , the access port on a switch connects to the port on a host. The
access port can only connect to an access link. Only the VLAN whose ID is the same as the default VLAN ID is allowed on the access port. Ethernet frames sent from the access port are untagged frames.
l Trunk port
As shown in Figure 3-4 , a trunk port on a switch connects to another switch. It can only
connect to a trunk link. Multiple tagged VLAN frames are allowed on the trunk port.
l Hybrid port
As shown in Figure 3-5 , a hybrid port on a switch can connect either to a host or to another
switch. A hybrid port can connect either to an access link or to a trunk link. The hybrid port allows multiple VLAN frames and removes tags from some VLAN frames on the outbound port.
Figure 3-5 Port types
Issue 01 (2014-11-30)
Hybrid Port
Access Link
Trunk Link l QinQ port
QinQ ports are enabled with the IEEE 802.1 QinQ protocol. A QinQ port adds a tag to a single-tagged frame and supports a maximum of 4094 x 4094 VLAN tags, which meets the requirement for the VLAN quantity.
shows the format of a QinQ frame. The outer tag usually called the public tag carries the public VLAN ID. The inner tag usually called the private tag carries the private
VLAN ID.
Figure 3-6 Format of a QinQ frame
6 bytes
Destination address
6 bytes
Source address
4 bytes
802.1Q
Tag
4 bytes 2 bytes 46-1500 bytes4 bytes
802.1Q
Tag
Length/
Type
Data
FCS
(CRC-32)
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
75
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Default VLAN
Each port can be configured with a default VLAN identified by the port VLAN ID (PVID). The meaning of the default VLAN varies according to the port type.
For details on different PVIDs and methods of processing Ethernet frames, see
Frame processing based on the port type
.
3.2.2 VLAN Assignment
VLAN assignment can be based on interface numbers, and VLAN frames are processed depending on the interface type.
The network administrator configures a port default VLAN ID (PVID), that is, the default VLAN
ID, for each port on the switching device. That is, a port belongs to a VLAN by default.
l When a data frame reaches a port, it is marked with the PVID if the data frame carries no
VLAN tag and the port is configured with a PVID.
l If the data frame carries a VLAN tag, the switching device will not add a VLAN tag to the data frame even if the port is configured with a PVID.
3.2.3 Principle of VLAN Communication
Basic Principle of VLAN Communication
To improve the efficiency in processing frames, frames within a switch all carry VLAN tags for uniform processing. When a data frame reaches a port of the switch, if the frame carries no
VLAN tag and the port is configured with a PVID, the frame is marked with the port's PVID. If the frame has a VLAN tag, the switch will not mark a VLAN tag for the frame regardless of whether the port is configured with a PVID.
The switch processes frames differently according to the type of port receiving the frames. The following describes the frame processing according to the port type.
Table 3-2 Frame processing based on the port type
Port
Type
Access port
Untagged Frame
Processing
Accepts an untagged frame and adds a tag with the default VLAN ID to the frame.
Tagged Frame
Processing l Accepts the tagged frame if the frame's
VLAN ID matches the default VLAN ID.
l Discards the tagged frame if the frame's
VLAN ID differs from the default VLAN ID.
Frame
Transmission
After the PVID tag is stripped, the frame is transmitted.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
76
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Port
Type
Trunk port
Hybrid port
Untagged Frame
Processing l Adds a tag with the default VLAN ID to the untagged frame and then transmits it if the default VLAN ID is permitted by the port.
l Adds a tag with the default VLAN ID to the untagged frame and then discards it if the default VLAN ID is denied by the port.
l Adds a tag with the default VLAN ID to an untagged frame and accepts the frame if the port permits the default
VLAN ID.
l Adds a tag with the default VLAN ID to an untagged frame and discards the frame if the port denies the default
VLAN ID.
Tagged Frame
Processing l Accepts a tagged frame if the VLAN ID carried in the frame is permitted by the port.
l Discards a tagged frame if the VLAN ID carried in the frame is denied by the port.
Frame
Transmission l If the frame's
VLAN ID matches the default VLAN
ID and the VLAN
ID is permitted by the port, the switch removes the tag and transmits the frame.
l If the frame's
VLAN ID differs from the default
VLAN ID, but the
VLAN ID is still permitted by the port, the switch will directly transmit the frame.
l Accepts a tagged frame if the VLAN ID carried in the frame is permitted by the port.
l Discards a tagged frame if the VLAN ID carried in the frame is denied by the port.
If the frame's VLAN
ID is permitted by the port, the frame is transmitted. The port can be configured whether to transmit frames with tags.
NOTE
Because all interfaces join VLAN 1 by default, broadcast storms may occur if unknown unicast, multicast, or broadcast packets exist in VLAN 1. To prevent loops, delete interfaces that do not need to be added to
VLAN 1 from VLAN 1.
Intra-VLAN Communication
Sometimes VLAN hosts are connected to different switches, in which case the VLAN spans multiple switches. Since ports between these switches must recognize and send packets belonging to the VLAN, the trunk link technology becomes helpful in simplifying this solution.
The trunk link plays the following two roles: l Trunk line
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
77
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
The trunk link transparently transmits VLAN packets between switches.
l Backbone line
The trunk link transmits packets belonging to multiple VLANs.
Figure 3-7 Trunk link communication
VLAN 3
DeviceA
Port4
Port2 Port1
Trunk Link
DeviceB
Port3
VLAN 2
Host A Host B
As shown in Figure 3-7 , the trunk link between DeviceA and DeviceB must both support the
intra-communication of VLAN 2 and the intra-communication of VLAN 3. Therefore, the ports at both ends of the trunk link must be configured to belong to both VLANs. That is, Port2 on
DeviceA and Port1 on DeviceB must belong to both VLAN 2 and VLAN 3.
Host A sends a frame to Host B in the following process:
1.
The frame is first sent to Port4 on DeviceA.
2.
A tag is added to the frame on Port4. The VID field of the tag is set to 2, that is, the ID of the VLAN to which Port4 belongs.
3.
DeviceA queries its MAC address table for the MAC forwarding entry with the destination
MAC address of Host B.
l If this entry exists, DeviceA sends the frame to the outbound interface Port2.
l If this entry does not exist, DeviceA sends the frame to all interfaces bound to VLAN
2 except for Port4.
4.
Port2 sends the frame to DeviceB.
5.
After receiving the frame, DeviceB queries its MAC address table for the MAC forwarding entry with the destination MAC address of Host B.
l If this entry exists, DeviceB sends the frame to the outbound interface Port3.
l If this entry does not exist, DeviceB sends the frame to all interfaces bound to VLAN
2 except for Port1.
6.
Port3 sends the frame to Host B.
Inter-VLAN Communication
After VLANs are configured, hosts in different VLANs cannot directly communicate with each other. To implement communication between VLANs, use either of the following methods:
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
78
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Port1.1
3 VLAN Configuration l Sub-interface
As shown in Figure 3-8 , DeviceA is a Layer 3 switch supporting sub-interface, and
DeviceB is a Layer 2 switch. LANs are connected using the switched Ethernet interface on
DeviceB and the routed Ethernet interface on DeviceA. User hosts are assigned to VLAN2 and VLAN3. To implement inter-VLAN communication, configure as follows:
– On DeviceA, create two sub-interfaces Port1.1 and Port2.1 on the Ethernet interface connecting to DeviceB, and configure 802.1Q encapsulation on sub-interfaces corresponding to VLAN2 and VLAN3.
– Configure IP addresses for sub-interfaces.
– Set types of Ethernet interfaces connecting DeviceB and DeviceA to Trunk or
Hybrid , to allow VLAN2 and VLAN3 frames.
– Set the default gateway address to the IP address of the sub-interface mapping the VLAN to which the user host belongs.
Figure 3-8 Inter-VLAN communication using sub-interfaces
DeviceA
Port2.1
VLAN Trunk
DeviceB
Access port
Host A Host B
VLAN2
Host C
VLAN3
Host D
Issue 01 (2014-11-30)
Host A communicates with host C as follows:
1.
Host A checks the IP address of host C and determines that host C is in another VLAN.
2.
Host A sends an ARP request packet to DeviceA to request DeviceA's MAC address.
3.
After receiving the ARP request packet, DeviceA returns an ARP reply packet in which the source MAC address is the MAC address of the sub-interface mapping
VLAN2.
4.
Host A obtains DeviceA's MAC address.
5.
Host A sends a packet whose destination MAC address is the MAC address of the sub-interface and destination IP address is host C's IP address to DeviceA.
6.
After receiving the packet, DeviceA forwards the packet and detects that the route to host C is a direct route. The packet is forwarded by the sub-interface mapping VLAN3.
7.
Functioning as the gateway of hosts in VLAN3, DeviceA broadcasts an ARP packet requesting host C's MAC address.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
79
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
8.
After receiving the packet, host C returns an ARP reply packet.
9.
After receiving the reply packet, DeviceA sends the packet from host A to host C. All packets sent from host A to host C are sent to DeviceA first to implement Layer 3 forwarding.
l VLANIF interface
Layer 3 switching combines routing and switching techniques to implement routing on a switch, improving the overall performance of the network. After sending the first data flow, a Layer 3 switch generates a mapping table on which it records the mapping between the
MAC address and the IP address for the data flow. If the switch needs to send the same data flow again, it directly sends the data flow at Layer 2 based on the mapping table. In this manner, network delays caused by route selection are eliminated, and data forwarding efficiency is improved.
In order for new data flows to be correctly forwarded, the routing table must have the correct routing entries. Therefore, VLANIF interfaces are used to configure routing protocols on
Layer 3 switches to reach Layer 3 routes.
A VLANIF interface is a Layer 3 logical interface, which can be configured on either a
Layer 3 switch or a router.
As shown in Figure 3-9 , hosts connected to the switch are assigned to VLAN 2 and VLAN
3. To implement inter-VLAN communication, configure as follows:
– Create two VLANIF interfaces on the device, and configure IP addresses for them.
– Set the default gateway address to the IP address of the VLANIF interface mapping the
VLAN to which the user host belongs.
Figure 3-9 Inter-VLAN communication through VLANIF interfaces
Device
VLANIF2 VLANIF3
Host A Host B
VLAN2
Host C Host D
VLAN3
Issue 01 (2014-11-30)
Host A communicates with host C as follows:
1.
Host A checks the IP address of host C and determines that host C is in another subnet.
2.
Host A sends an ARP request packet to Device to request Device's MAC address.
3.
After receiving the ARP request packet, Device returns an ARP reply packet in which the source MAC address is the MAC address of VLANIF2.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
80
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
4.
Host A obtains Device's MAC address.
5.
Host A sends a packet whose destination MAC address is the MAC address of the
VLANIF interface and destination IP address is host C's IP address to Device.
6.
After receiving the packet, Device forwards the packet and detects that the route to host C is a direct route. The packet is forwarded by VLANIF3.
7.
Functioning as the gateway of hosts in VLAN3, Device broadcasts an ARP packet requesting host C's MAC address.
8.
After receiving the packet, host C returns an ARP reply packet.
9.
After receiving the reply packet, DeviceA sends the packet from host A to host C. All packets sent from host A to host C are sent to Device first to implement Layer 3 forwarding.
3.2.4 VLAN Aggregation
Background of VLAN Aggregation
NOTE
AR550 series do not support VLAN Aggregation.
VLAN is widely applied to switching networks because of its flexible control of broadcast domains and convenient deployment. On a Router, the interconnection between the broadcast domains is implemented using one VLAN to correspond to one Layer-3 logic interface.
However, this can waste IP addresses.
shows the VLAN division in the device.
Figure 3-10 Diagram of a common VLAN
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
81
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Table 3-3 Example of Assigning Host Addresses on a common VLAN
VLAN Subnetwork
2 10.1.1.0/28
Gateway address
10.1.1.1
Number of available addresses
14
Number of available hosts
13
3
4
10.1.1.16/29 10.1.1.17
10.1.1.24/30 10.1.1.25
6
2
5
1
Practical requirements
10
5
1
As show in Table 3-3 , VLAN 2 requires 10 host addresses. The sub network 10.1.1.0/28 with
the mask length as 28 bits is assigned for VLAN 2. 10.1.1.0 is the address of the sub network, and 10.1.1.15 is the directed broadcast address. These two addresses cannot serve as the host address. In addition, as the default address of the network gateway of the sub network, 10.1.1.1
cannot be used as the host address. The other 13 addresses ranging from 10.1.1.2 to 10.1.1.14
can be used by the hosts. In this way, although VLAN 2 needs only ten addresses, 13 addresses need to be assigned for it according to the division of the sub network.
VLAN 3 requires five host addresses. The sub network 10.1.1.16/29 with the mask length as 29 bits needs to be assigned for VLAN 3. VLAN 4 requires only one address. The sub network
10.1.1.24/30 with the mask length as 30 bits needs to be assigned for VLAN 4.
In above, 16 (10+5+1) addresses are needed for all the preceding VLANs. However, 28 (16+8
+4) addresses are needed according to the common VLAN addressing mode even if the optimal scheme is used. Nearly half of the addresses is wasted. In addition, if VLAN 2 is accessed to three hosts instead of ten hosts later, the extra addresses will not be used by other VLANs and will be wasted.
This division is inconvenient for the later network upgrade and expansion. Assume that two more hosts need to be added to VLAN 4 and VLAN 4 does not want to change the assigned IP addresses, and the addresses after 10.1.1.24 has been assigned to others, a new sub network with the mask length as 29 bits and a new VLAN need to be assigned for the new customers of VLAN
4. Therefore, the customers of VLAN 4 have only three hosts, but the customers are assigned to two sub networks and are not in the same VLAN. As a result, this is inconvenient for network management.
In above, many IP addresses are used as the addresses of sub networks, directional broadcast addresses of sub networks, and default addresses of network gateways of sub networks. These
IP addresses cannot be used as the host addresses in the VLAN. The limit on address assignation reduces the addressing flexibility, so that many idle addresses are wasted. To solve this problem,
VLAN aggregation is used.
Principle
The VLAN aggregation technology, also known as the super-VLAN, provides a mechanism that partitions the broadcast domain using multiple VLANs in a physical network so that different
VLANs can belong to the same subnet. In VLAN aggregation, two concepts are involved, namely, super-VLAN and sub-VLAN.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
82
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration l Super-VLAN: It is different from the common VLAN. In the super-VLAN, only Layer 3 interfaces are created and physical ports are not contained. The super-VLAN can be viewed as a logical Layer 3 concept. It is a collection of many sub-VLANs.
l Sub-VLAN: It is used to isolate broadcast domains. In the sub-VLAN, only physical ports are contained and Layer 3 VLANIF interfaces cannot be created. The Layer 3 switching with the external network is implemented through the Layer 3 interface of the super-VLAN.
A super-VLAN can contain one or more sub-VLANs retaining different broadcast domains. The sub-VLAN does not occupy an independent subnet segment. In the same super-VLAN, IP addresses of hosts belong to the subnet segment of the super-VLAN, regardless of the mapping between hosts and sub-VLANs.
The same Layer 3 interface is shared by sub-VLANs. Some subnet IDs, default gateway addresses of the subnets, and directed broadcast addresses of the subnets are saved and different broadcast domains can use the addresses in the same subnet segment. As a result, subnet differences are eliminated, addressing becomes flexible and idle addresses are reduced.
Take the Table 3-3 to explain the implementation theory. Suppose that user demands are
unchanged. In VLAN 2, 10 host addresses are demanded; in VLAN 3, 5 host addresses are demanded; in VLAN 4, 1 host address is demanded.
According to the implementation of VLAN aggregation, create VLAN 10 and configure VLAN
10 as a super-VLAN. Then assign a subnet address 10.1.1.0/24 with the mask length being 24 to VLAN 10; 10.1.1.0 is the subnet ID and 10.1.1.1 is the gateway address of the subnet, as
. Address assignments of sub-VLANs (VLAN 2, VLAN 3, and VLAN 4)
.
Figure 3-11 Schematic diagram of VLAN aggregation
Super VLAN 10
VLANIF10:10.1.1.1/24
VLAN 2 VLAN 3
Sub VLAN 2
Host IP
10.1.1.2-10.1.1.11
Sub VLAN 3
Host IP
10.1.1.12-10.1.1.16
VLAN 4
Sub VLAN 4
Host IP
10.1.1.17
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
83
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Table 3-4 Example for assigning Host addresses in VLAN aggregation mode
VLA
N
2
Subnet
10.1.1.0/24
Gateway address
10.1.1.1
Number of available addresses
10
Number of available hosts
10.1.1.2-10.1.1.11
Practical requirements
10
3 5 5
4 1
10.1.1.12-10.1.1.1
6
10.1.1.17
1
In VLAN aggregation implementation, sub-VLANs are not divided according to the previous subnet border. Instead, their addresses are flexibly assigned in the subnet corresponding to the super-VLAN according to the required host number.
As the Table 3-4 shows that VLAN 2, VLAN 3, and VLAN 4 share a subnet (10.1.1.0/24), a
default gateway address of the subnet (10.1.1.1), and a directed broadcast address of the subnet
(10.1.1.255). In this manner, the subnet ID (10.1.1.16, 10.1.1.24), the default gateway of the subnet (10.1.1.17, 10.1.1.25), and the directed broadcast address of the subnet (10.1.1.15,
10.1.1.23, and 10.1.1.27) can be used as IP addresses of hosts.
Totally, 16 addresses (10 + 5 + 1 = 16) are required for the three VLANs. In practice, in this subnet, a total of 16 addresses are assigned to the three VLANs (10.1.1.2 to 10.1.1.17). A total of 19 IP addresses are used, that is, the 16 host addresses together with the subnet ID (10.1.1.0), the default gateway of the subnet (10.1.1.1), and the directed broadcast address of the subnet
(10.1.1.255). In the network segment, 236 addresses (255 - 19 = 236) are available, which can be used by any host in the sub-VLAN.
Communications Between VLANs l Introduction
VLAN aggregation ensures that different VLANs use the IP addresses in the same subnet segment. This, however, leads to the problem of Layer 3 forwarding between sub-VLANs.
In common VLAN mode, the hosts of different VLANs can communicate with each other based on the Layer 3 forwarding through their respective gateways. In VLAN aggregation mode, the hosts in a super-VLAN uses the IP addresses in the same network segment and share the same gateway address. The hosts in different sub-VLANs belong to the same subnet. Therefore, they communicate with each other based on the Layer 2 forwarding, rather than the Layer 3 forwarding through a gateway. In practice, hosts in different sub-
VLANs are separated in Layer 2. As a result, sub-VLANs fails to communicate with each other.
To solve the preceding problem, you can use Proxy ARP.
NOTE
For details of Proxy ARP , refer to the chapter ARP in the IP Services .
l Layer 3 Communications Between Different Sub-VLANs
As shown in Figure 3-12 , the super-VLAN, namely, VLAN 10, contains the sub-VLANs,
namely, VLAN 2 and VLAN 3.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
84
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Figure 3-12 Networking diagram of Layer 3 communications between different sub-
VLANs based on Proxy ARP
Eth2/0/1 Eth2/0/2
Super VLAN 10
VLANIF10: 10.1.1.1/24
VLAN 2 VLAN 3
Issue 01 (2014-11-30)
Host A
10.1.1.2/24
Host B
10.1.1.3/24
Suppose that the ARP table of Host A has no corresponding entry of Host B, and the gateway is enabled with the Proxy ARP between sub-VLANs. Then the communication process between Host A in VLAN 2 and Host B in VLAN 3 is shown as below:
1.
After comparing the IP address of Host B 10.1.1.3 with its IP address, Host A finds that both IP addresses are in the same network segment 10.1.1.0/24, and its ARP table has no corresponding entry of Host B.
2.
Host A initiates an ARP broadcast to request for the MAC address of Host B.
3.
Host is not in the broadcast domain of VLAN 2, and cannot receive the ARP request.
4.
The gateway is enabled with the Proxy ARP between sub-VLANs. Therefore, after receiving the ARP request from Host A, the gateway finds that the IP address of
Host B 10.1.1.3 is the IP address of a directly-connected interface. Then the gateway initiates an ARP broadcast to all the other sub-VLAN interfaces to request for the
MAC address of Host B.
5.
After receiving the ARP request, Host B offers an ARP response.
6.
After receiving the ARP response from Host B, the gateway replies its MAC address to Host A.
7.
The ARP tables in both the gateway and Host A have the corresponding entries of
Host B.
8.
To send packets to Host B, Host A first sends packets to the gateway, and then the gateway performs the Layer 3 forwarding.
The process that Host B sends packets to Host A is just the same, and is not mentioned here.
l Layer 2 Communications Between a Sub-VLAN and an External Network
As shown in Figure 3-13 , in the Layer 2 VLAN communications based on ports, the
received or sent frames are not tagged with the super-VLAN ID.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
85
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Figure 3-13 Networking diagram of Layer 2 communications between a sub-VLAN and an external network
RouterB
Eth2/0/1 VLAN Trunk all
Eth2/0/3 VLAN Trunk all
RouterA
Eth2/0/1 Eth2/0/2
Super VLAN 10
VLANIF10:10.1.1.1/24
VLAN 2 VLAN 3
Host A
10.1.1.2/24
Host B
10.1.1.3/24
The frame that accesses RouterA through Port1 on Host A is tagged with the ID of VLAN
2. The VLAN ID, however, is not changed to the ID of VLAN 10 on RouterA even if VLAN
2 is the sub-VLAN of VLAN 10. After passing through Port3, which is the trunk type, this frame still carries the ID of VLAN 2.
That is to say, RouterA itself does not send the frames of VLAN 10. In addition,
RouterA discards the frames of VLAN 10 that are sent to RouterA by other devices because
RouterA has no corresponding physical port for VLAN 10.
A super-VLAN has no physical port. This limitation is obligatory, as shown below:
– If you configure the super-VLAN and then the trunk interface, the frames of a super-
VLAN are filtered automatically according to the VLAN range set on the trunk interface.
As shown in Figure 3-13 , no frame of the super-VLAN 10 passes through Port3 on
RouterA, even though the interface allows frames from all VLANs to pass through.
– If you finish configuring the trunk interface and allow all VLANs to pass through, you still cannot configure the super-VLAN on RouterA. The root cause is that any VLAN with physical ports cannot be configured as the super-VLAN, and the trunk interface allows only the frames tagged with VLAN IDs to pass through. Therefore, no VLAN can be configured as a super-VLAN.
As for RouterA, the valid VLANs are just VLAN 2 and VLAN 3, and all frames are forwarded in these VLANs.
l Layer 3 Communications Between a Sub-VLAN and an External Network
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
86
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Figure 3-14 Networking diagram of Layer 3 communications between a sub-VLAN and an external network
VLANIF20
10.1.3.1/24
Eth2/0/2
RouterB
Eth2/0/1
Eth2/0/3
VLANIF10
10.1.2.2/24
VLANIF10
10.1.2.1/24
RouterA
Eth2/0/1 Eth2/0/2
Host C
10.1.3.2/24
Super VLAN 4
VLANIF4:10.1.1.1/24
VLAN 2 VLAN 3
Issue 01 (2014-11-30)
Host A
10.1.1.2/24
Host B
10.1.1.3/24
, RouterA is configured with super-VLAN 4, sub-VLAN 2, sub-
VLAN 3, and a common VLAN 10. RouterB is configured with two common VLANs, namely, VLAN 10 and VLAN 20. Suppose that RouterA is configured with the route to the network segment 10.1.3.0/24, and RouterB is configured with the route to the network segment 10.1.1.0/24. Then Host A in sub-VLAN 2 that belongs to the super-VLAN 4 needs to access Host C in RouterB.
1.
After comparing the IP address of Host C 10.1.3.2 with its IP address, Host A finds that two IP addresses are not in the same network segment 10.1.1.0/24.
2.
Host A initiates an ARP broadcast to its gateway to request for the MAC address of the gateway.
3.
After receiving the ARP request, RouterA identifies the correlation between the sub-
VLAN and the super-VLAN, and offers an ARP response to Host A through sub-
VLAN 2. The source MAC address in the ARP response packet is the MAC address of VLANIF4 for super-VLAN 4.
4.
Host A learns the MAC address of the gateway.
5.
Host A sends the packet to the gateway, with the destination MAC address as the MAC address of VLANIF4 for super-VLAN 4, and the destination IP address as 10.1.3.2.
6.
After receiving the packet, RouterA performs the Layer 3 forwarding and sends the packet to RouterB, with the next hop address as 10.1.2.2, the outgoing interface as
VLANIF10.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
87
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
7.
After receiving the packet, RouterB performs the Layer 3 forwarding and sends the packet to Host C through the directly-connected interface VLANIF20.
8.
The response packet from Host C reaches RouterA after the Layer 3 forwarding on
RouterB.
9.
After receiving the packet, RouterA performs the Layer 3 forwarding and sends the packet to Host A through the super-VLAN.
3.2.5 VLAN Damping
In a specified VLAN where a VLANIF interface has been configured, when all interfaces in the
VLAN goes Down, the VLAN becomes Down. The interface Down event is reported to the
VLANIF interface, causing the VLANIF interface status change. To avoid network flapping due to the status change of the VLANIF interface, you can enable VLAN damping on the VLANIF interface and set a delay after which the VLANIF interface goes Down.
With VLAN damping enabled, when the last Up interface in the VLAN goes Down, the Down event will be reported to the VLANIF interface after a delay (the delay can be set as required).
If an interface in the VLAN goes Up during the delay, the status of the VLANIF interface keeps unchanged. That is, the VLAN damping function postpones the time at which the VLAN reports a Down event to the VLANIF interface, avoiding unnecessary route flapping.
3.2.6 VLAN Management
To use a network management system to manage multiple devices, create a VLANIF interface on each device and configure a management IP address for the VLANIF interface. You can then log in to a device and manage it using its management IP address. If a user-side interface is added to the VLAN, users connected to the interface can also log in to the device. This brings security risks to the device.
After a VLAN is configured as a management VLAN, no access interface can be added to the
VLAN. An access interface is connected to users. The management VLAN forbids users connected to access interfaces to log in to the device, improving device performance.
3.3 Application Environment
This section describes the applicable environment of the VLAN.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
88
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
3.3.1 VLAN Assignment
Port-Based VLAN Assignment
Figure 3-15 Networking diagram of port-based VLAN assignment
Router
3 VLAN Configuration
L2 Switch
CompanyA
VLAN 2
CompanyB CompanyC
VLAN 3 VLAN 4
Different companies residing in the same business building may need to isolate service data from each other. Therefore, based on the ports requirement of each company, VLANs are created on the core router of the business building, and ports of each company are assigned to the corresponding VLANs. This ensures that each company can have a "virtual switch" or a "virtual workstation".
MAC Address-Based VLAN Assignment
Figure 3-16 Networking diagram of MAC address-based VLAN assignment
RouterC
VLAN 10
User C
RouterA RouterB
Issue 01 (2014-11-30)
User A
VLAN 10
User A
VLAN 10
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
89
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
, User A is initially connected to RouterA. Now, it is required that User
A be connected to RouterB. To ensure that User A can still communicate with User C, configure the assignment of VLANs based on MAC addresses on RouterC. As long as the MAC address of User A remains unchanged, no configuration needs to be changed for User A to communicate with User C.
3.3.2 Inter-VLAN Communication
Inter-VLAN communication ensures that different companies can communicate with each other.
The inter-VLAN communication can be classified into two types, as shown as follows:
Multiple VLANs belong to the same Layer 3 device
Figure 3-17 Networking diagram of communications between multiple VLANs on the same
Layer 3 device
Router A
Trunk Link
L2 Switch
CompanyA
VLAN 2
CompanyB CompanyC
VLAN 3 VLAN 4
As shown in Figure 3-17 , if VLAN 2, VLAN 3, and VLAN 4 only belong to RouterA, these
VLANs are not VLANs across different switches. In such a situation, you can configure a
VLANIF interface for each VLAN on RouterA to implement the communications between these
VLANs.
The Layer 3 device shown in
can be a router or a Layer 3 switch.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
90
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Multiple VLANs belongs to different Layer 3 devices
Figure 3-18 Networking diagram of communications between multiple VLANs on different
Layer 3 devices
Router A
Trunk Link
Router B
L2 Switch
Trunk Link Trunk Link
L2 Switch
Company A Company B Company C Company A Company B Company C
VLAN 2 VLAN 3 VLAN 4 VLAN 2 VLAN 3 VLAN 4
, VLAN 2, VLAN 3, and VLAN 4 are VLANs across different switches.
In such a situation, you can configure a VLANIF interface respectively on Switch A and Switch
B for each VLAN, and then configure the static route or run a routing protocol between Switch
A and Switch B.
The Layer 3 device shown in
can be a router or a Layer 3 switch.
3.3.3 VLAN Aggregation
NOTE
AR550 series do not support VLAN Aggregation.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
91
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 3-19 Networking diagram of VLAN aggregation application
3 VLAN Configuration
Router
Proxy ARP
Network
L2 Switch L2 Switch
Super VLAN 2
L2 Switch L2 Switch
Super VLAN 3
Sub VLAN 21 Sub VLAN 22 Sub VLAN 31 Sub VLAN 32
As shown in Figure 3-19 , four VLANs, namely, VLAN 21, VLAN 22, VLAN 31, and VLAN
32, are configured. If these VLANs need to communicate with each other, you should configure an IP address for each VLAN on the Router.
As an alternative, you can enable VLAN aggregation to aggregate VLAN 21 and VLAN 22 into super VLAN 2, and VLAN 31 and VLAN 32 into super VLAN 3. In this manner, you can save
IP addresses by only assigning IP addresses to the super VLANs.
After Proxy ARP is configured on Router, the sub-VLANs in each super VLAN can communicate with each other.
3.4 Configuration Task Summary
This chapter describes the configuration task summary of VLAN.
lists the configuration task summary of VLAN.
Table 3-5 Configuration task summary of VLAN
Item Description
Assigning a LAN to VLANs VLANs can isolate the hosts that require no communication with each other, which improves network security, reduces broadcast traffic, and suppresses broadcast storms.
Task
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
92
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Item
Configuring Inter-VLAN
Communication
Configuring an mVLAN to
Implement Integrated
Management
Description
After VLANs are configured, users in the same VLAN can communication with each other while users in different
VLANs cannot. To implement inter-VLAN communication, configure the VLANIF interfaces which are Layer 3 logical interfaces, sub-interface.
Management VLAN
(mVLAN) configuration allows users to use the
VLANIF interface of the mVLAN to log in to the management industrial switch router to manage devices in a centralized manner.
Task
3.6.4 Configuring an mVLAN to Implement
3.5 Default Configuration
This section describes the default configuration of VLAN.
Table 3-6 Default configuration of VLAN
Parameter
Port link type
Default VLAN ID
Damping time
Default Setting
Hybrid
1
0s
3.6 Configuring VLAN
This section describes the VLAN configuration.
3.6.1 Assigning a LAN to VLANs
VLANs can isolate the hosts that require no communication with each other, which improves network security, reduces broadcast traffic, and suppresses broadcast storms.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
93
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Context
Ports on a Layer 2 switching device can be bound to a specific VLAN. After a port is added to a VLAN, packets of the user that is connected to the port can only be forwarded within the
VLAN, but not forwarded to another VLAN. This implementation ensures that broadcast packets are forwarded only within a single VLAN.
You must create VLANs, configure the port type, and associate ports with VLANs.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: vlan vlan-id
A VLAN is created, and the VLAN view is displayed. If the specified VLAN has been created, the VLAN view is directly displayed.
The VLAN ID ranges from 1 to 4094. If VLANs need to be created in batches, run the vlan batch { vlan-id1 [ to vlan-id2 ] } &<1-10> command to create VLANs in batches, and then run the vlan vlan-id command to enter the view of a specified VLAN.
NOTE
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
Step 3 Run: quit
The system view is displayed.
Step 4 Configure the port type and features.
1.
Run the interface interface-type interface-number command to enter the view of an
Ethernet port to be added to the VLAN.
2.
Run the port link-type { access | hybrid | trunk } command to configure the port type.
By default, the port type is Hybrid.
l If an Ethernet port is directly connected to a terminal, set the port type to access or hybrid.
l If an Ethernet port is connected to another industrial switch router, set the port type to trunk or hybrid.
NOTE
Before changing the interface type, restore the default VLAN configuration of the interface so that the interface belongs to only VLAN 1.
3.
(Optional) Run the port priority priority-value command to configure the port priority.
By default, the port priority value is 0. The value ranges from 0 to 7. A larger value indicates a higher priority.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
94
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Step 5 Add ports to the VLAN.
Run either of the following commands as needed: l For access ports:
Run the port default vlan vlan-id command to add a port to a specified VLAN.
To add interfaces to a VLAN in a batch, perform either of the following configurations:
– Run the port interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the VLAN view to add one interface or a group of interfaces to a VLAN.
– Run the port default vlan vlan-id [ step step-number [ increased | decreased ] ] command in the port group view.
l For trunk ports:
– Run the port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to add the port to specified VLANs.
– (Optional) Run the port trunk pvid vlan vlan-id command to specify the default VLAN for a trunk interface.
To add interfaces to a VLAN in a batch, run the port trunk allow-pass vlan vlan-id [ step step-number [ increased | decreased ] ] command in the port group view.
l For hybrid ports:
– Run either of the following commands to add a port to VLANs in untagged or tagged mode:
– Run the port hybrid untagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to add a port to VLANs in untagged mode.
In untagged mode, a port removes tags from frames and then forwards the frames.
This is applicable to scenarios in which Ethernet ports are connected to terminals.
To add interfaces to a VLAN in a batch, run the port hybrid untagged vlan vlan-id
[ step step-number [ increased | decreased ] ] command in the port group view.
– Run the port hybrid tagged vlan { { vlan-id1 [ to vlan-id2 ] } &<1-10> | all } command to add a port to VLANs in tagged mode.
In tagged mode, a port forwards frames without removing their tags. This is applicable to scenarios in which Ethernet ports are connected to industrial switch routeres.
To add interfaces to a VLAN in a batch, run the port hybrid tagged vlan vlan-id3
[ step step-number [ increased | decreased ] ] command in the port group view.
– (Optional) Run the port hybrid pvid vlan vlan-id command to specify the default VLAN of a hybrid interface.
By default, all ports are added to VLAN 1.
----End
Checking the Configuration l Run the display vlan [ { vlan-id | vlan-name vlan-name } [ verbose ] ] command to view information about all VLANs or a specified VLAN.
3.6.2 Configuring Inter-VLAN Communication
This section describes how to configure VLANIF interfaces, sub interfaces to implement inter-
VLAN communication.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
95
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Pre-configuration Tasks
Before creating a VLANIF interface, complete the following tasks: l Create a VLAN.
l Associate the VLAN with the physical interface.
3.6.2.1 Configuring VLANIF Interfaces for Inter-VLAN Communication
Context
After VLANs are configured, users in the same VLAN can communication with each other while users in different VLANs cannot. To implement inter-VLAN communication, configure
VLANIF interfaces which are Layer 3 logical interfaces.
If a VLAN goes Down because all ports in the VLAN go Down, the system immediately reports the VLAN Down event to the corresponding VLANIF interface, instructing the VLANIF interface to go Down. To prevent network flapping caused by changes of VLANIF interface status, enable VLAN damping on the VLANIF interface. After the last Up port in a VLAN goes
Down, the system starts a delay timer and informs the corresponding VLANIF interface of the
VLAN Down event after the timer expires. If a port in the VLAN goes Up during the delay period, the VLANIF interface remains Up.
MTU is short for maximum transmission unit. An MTU value determines the maximum number of bytes each time a sender can send. If the size of packets exceeds the MTU supported by a transit node or a receiver, the transit node or receiver fragments the packets or even discards them, aggravating the network transmission load. To avoid this problem, set the MTU value of the VLANIF interface.
After configuring bandwidth for VLANIF interfaces, you can use the NMS to query the bandwidth. This facilitates traffic monitoring.
NOTE
To implement communication between VLANs, hosts in each VLAN must use the IP address of the corresponding VLANIF interface as the gateway address.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface vlanif vlan-id
A VLANIF interface is created and the VLANIF interface view is displayed.
The VLAN ID specified in this command must be the ID of an existing VLAN.
A VLANIF interface is Up only when at least one physical port added to the corresponding
VLAN is Up.
Step 3 Run: ip address ip-address { mask | mask-length } [ sub ]
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
96
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
3 VLAN Configuration
An IP address is assigned to the VLANIF interface for communication at the network layer.
If IP addresses assigned to VLANIF interfaces belong to different network segments, a routing protocol must be configured on the device to provide reachable routes. Otherwise, VLANIF interfaces cannot communicate with each other at the network layer.
Step 4 (Optional) Run: damping time delay-time
The delay period of VLAN damping is configured.
The delay-time value ranges from 0 to 20, in seconds. By default, the delay is 0 second, indicating that VLAN damping is disabled.
Step 5 (Optional) Run: mtu mtu
The MTU value of the VLANIF interface is configured.
By default, the value is 1500.
Step 6 (Optional) Run: bandwidth bandwidth
The bandwidth of the VLANIF interface is configured.
----End
3.6.2.2 Configuring Sub-Interfaces for Inter-VLAN Communication
Context
Users belong to different VLANs and are located on different network segments can communicate with each other by configuring sub-interfaces.
NOTE
To implement communication between VLANs, hosts in each VLAN must use the IP address of the corresponding sub-interface as the gateway address.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number.subinterface-number
The sub-interface view is displayed.
Step 3 Run: ip address ip-address { mask | mask-length } [ sub ]
The IP address of the sub-interface is set.
Step 4 Run:
Issue 01 (2014-11-30) 97
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration dot1q termination vid pe-vid
The VLANs allowed by the dot1q sub-interface are specified.
Each sub-interface can terminate only one VLAN tag.
Sub-interfaces of different main interfaces can be associated with the same VLAN ID. However, different sub-interfaces of the same main interface cannot be associated with the same VLAN
ID.
Step 5 Run: arp broadcast enable
The ARP broadcast function is enabled on the sub-interface.
When you enable or disable the ARP broadcast function on a sub-interface, the routing status of the sub-interface becomes Down and then Up. This may result in flapping of routes on the entire network, affecting the normal operation of services.
----End
3.6.2.3 Checking the Configuration
Prerequisites
The configurations of inter-VLAN communication are complete.
Procedure l Run the display vlan [ { vlan-id | vlan-name vlan-name } [ verbose ] ] command to check information about all VLANs or a specified VLAN.
l Run the display interface vlanif [ vlan-id ] command to check information about VLANIF interfaces.
Before running this command, ensure that VLANIF interfaces have been configured.
----End
3.6.3 Configuring VLAN Aggregation to Save IP Addresses
VLAN aggregation prevents the waste of IP addresses and implements inter-VLAN communication.
Context
NOTE
The AR550 series routers do not support VLAN aggregation.
3.6.3.1 Creating a Sub-VLAN
Context
Issue 01 (2014-11-30)
In VLAN aggregation, physical interfaces can be added to a sub-VLAN but no VLANIF interface can be created for the sub-VLAN. All the interfaces in the sub-VLAN use the same IP address
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
98
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration with the VLANIF interface of the super-VLAN. Some subnet IDs, default gateway addresses of the subnets, and directed broadcast addresses of the subnets are saved and different broadcast domains can use the addresses in the same subnet segment. As a result, subnet differences are eliminated, addressing becomes flexible and idle addresses are reduced. VLAN aggregation allows each sub-VLAN to function as a broadcast domain to implement broadcast isolation and saves IP address resources.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The interface view is displayed.
Step 3 Run: port link-type access
The link type of the interface is set to access.
Step 4 Run: quit
Return to the system view.
Step 5 Run: vlan vlan-id
A sub-VLAN is created and the sub-VLAN view is displayed.
Step 6 Run: port interface-type { interface-number1 [ to interface-number2 ] } &<1-10>
A port is added to the sub-VLAN.
----End
3.6.3.2 Creating a Super-VLAN
Context
Issue 01 (2014-11-30)
A super-VLAN consists of several sub-VLANs. No physical port can be added to a super-VLAN, but a VLANIF interface can be configured for the super-VLAN and an IP address can be assigned to the VLANIF interface.
NOTE
Before configuring a super-VLAN, ensure that sub-VLANs have been configured.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
99
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: vlan vlan-id
A VLAN is created, and the VLAN view is displayed.
The VLAN ID of a super-VLAN must be different from every sub-VLAN ID.
Step 3 Run: aggregate-vlan
A super-VLAN is created.
A super-VLAN cannot contain any physical interfaces.
VLAN 1 cannot be configured as a super-VLAN.
Step 4 Run: access-vlan { vlan-id1 [ to vlan-id2 ] } &<1-10>
A sub-VLAN is added to a super-VLAN.
Before adding sub-VLANs to a super-VLAN, ensure that these sub-VLANs are not configured with VLANIF interfaces.
----End
3.6.3.3 Assigning an IP Address to the VLANIF Interface of a Super-VLAN
Context
The IP address of the VLANIF interface of a super-VLAN must contain the subnet segments where users in sub-VLANs reside. All the sub-VLANs use the IP address of the VLANIF interface of the super-VLAN, saving IP addresses.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface vlanif vlan-id
A VLANIF interface is created for a super-VLAN, and the view of the VLANIF interface is displayed.
Step 3 Run: ip address ip-address { mask | mask-length } [ sub ]
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
100
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
An IP address is assigned to the VLANIF interface.
----End
3.6.3.4 (Optional) Configuring an IP Address Pool for a Sub-VLAN
Specifying an IP address range for users in a sub-VLAN filters out unauthorized users of which
IP addresses are beyond the range.
Context
After configuring an IP address pool for a sub-VLAN, note the following points: l The sub-VLAN processes only packets carrying IP addresses in this address pool, such as
ARP Request, ARP Reply, ARP Proxy, and ARP Miss packets.
l If the super VLAN is enabled with proxy ARP, the system directly sends an ARP Request packet from a user in the sub-VLAN to the sub-VLAN based on the IP address carried in the packet. This reduces broadcast traffic.
l When sending an ARP Miss packet carrying the IP address in the address pool, the system directly broadcasts the packet in the sub-VLAN to ensure that traffic is properly forwarded.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: vlan vlan-id
The view of a created sub-VLAN is displayed.
Step 3 Run: ip pool start-address [ to end-address ]
An IP address pool is configured for the sub-VLAN.
----End
3.6.3.5 (Optional) Enabling Proxy ARP on the VLANIF Interface of a Super-VLAN
Context
VLAN aggregation allows sub-VLANs to use the same subnet address, but prevents PCs in different sub-VLANs from communicating with each other at the network layer.
PCs in ordinary VLANs can communicate with each other at the network layer by using different gateway addresses. In VLAN aggregation, PCs in a super-VLAN use the same subnet address and gateway address. As PCs in different sub-VLANs belong to one subnet, they communicate with each other only at Layer 2, not Layer 3. These PCs are isolated from each other at Layer
2. Consequently, PCs in different sub-VLANs cannot communicate with each other.
Proxy ARP is required to enable PCs in a sub-VLAN to communicate with PCs in another sub-
VLAN or PCs on other networks. After a super-VLAN and its VLANIF interface are created,
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
101
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration proxy ARP must be enabled to allow the super-VLAN to forward or process ARP request and reply packets. Proxy ARP helps PCs in sub-VLANs communicate with each other at the network layer.
NOTE
An IP address must have been assigned to the VLANIF interface corresponding to the super-VLAN.
Otherwise, proxy ARP cannot take effect.
VLAN aggregation simplifies configurations for the network where many VLANs are configured and PCs in different VLANs need to communicate with each other.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface vlanif vlan-id
The view of the VLANIF interface of the super-VLAN is displayed.
Step 3 Run: arp-proxy inter-sub-vlan-proxy enable
Inter-sub-VLAN proxy ARP is enabled.
----End
3.6.3.6 Checking the Configuration
Procedure l Run the display vlan [ { vlan-id | vlan-name vlan-name } [ verbose ] ] command to check
VLAN information.
l Run the display interface vlanif [ vlan-id ] command to check information about a specific
VLANIF interface.
l Run the display sub-vlan [ vlan-id ] command to check mappings between sub-VLANs and super-VLANs.
l Run the display super-vlan [ vlan-id ] command to check sub-VLANs contained in a super-
VLAN.
----End
3.6.4 Configuring an mVLAN to Implement Integrated
Management
Management VLAN (mVLAN) configuration allows users to use the VLANIF interface of the mVLAN to log in to the management industrial switch router to manage devices in a centralized manner.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
102
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Context
To use a network management system to manage multiple devices, create a VLANIF interface on each device and configure a management IP address for the VLANIF interface. You can then log in to a device and manage it using its management IP address. If a user-side interface is added to the VLAN, users connected to the interface can also log in to the device. This brings security risks to the device.
After a VLAN is configured as a management VLAN, no access interface can be added to the
VLAN. An access interface is connected to users. The management VLAN forbids users connected to access interfaces to log in to the device, improving device performance.
Pre-configuration Tasks
Before creating a VLANIF interface, complete the following tasks: l Create a VLAN.
l Associate the VLAN with the physical interface.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: vlan vlan-id
The VLAN view is displayed.
NOTE
If a device is configured with multiple VLANs, configuring names for these VLANs is recommended:
Run the name vlan-name command in the VLAN view. After a VLAN name is configured, you can run the vlan vlan-name vlan-name command in the system view to enter the corresponding VLAN view.
Step 3 Run: management-vlan
An mVLAN is configured.
After an mVLAN is configured, an interface added to the mVLAN must be a trunk or hybrid interface.
VLAN 1 cannot be configured as an mVLAN.
Step 4 Run: quit
The VLAN view is quit.
Step 5 Run: interface vlanif vlan-id
A VLANIF interface is created and the VLANIF interface view is displayed.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
103
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Step 6 Run: ip address ip-address { mask | mask-length } [ sub ]
The IP address of the VLANIF interface is configured.
After assigning an IP address to the VLANIF interface, you can run the stelnet command to log in to a management industrial switch router to manage attached devices.
----End
Checking the Configuration l Run the display vlan command to check information about the mVLAN. The command output shows information about the mVLAN in the line started with an asterisk sign (*).
3.7 Configuration Examples
This section provides several configuration examples of VLANs including networking requirements, configuration roadmap, and configuration procedure.
3.7.1 Example for Configuring Interface-based VLAN Assignment
Networking Requirements
An enterprise requires departments in charge of the same service to communicate with each other while isolating departments in charge of different services.
As shown in Figure 3-20 , an enterprise has four departments. Department 1 is connected to
RouterA, which is connected to Ethernet 2/0/1 of the Router. Department 2 is connected to
RouterB, which is connected to Ethernet 2/0/2 of the Router. Department 3 is connected to
RouterC, which is connected to Ethernet 2/0/3 of the Router. Department 4 is connected to
RouterD, which is connected to Ethernet 2/0/4 of the Router. The requirements are as follows: l Department 1 and Department 2 in VLAN 2 are isolated from Department 3 and Department
4 in VLAN 3.
l Department 1 and Department 2 in VLAN 2 can communicate with each other.
l Department 3 and Department 4 in VLAN 3 can communicate with each other.
Figure 3-20 Network diagram of interface-based VLAN assignment
Router
VLAN2
Eth2/0/1
RouterA
Eth2/0/2
RouterB
Eth2/0/4
Eth2/0/3
RouterC RouterD
VLAN3
Issue 01 (2014-11-30)
Department 1 Department 2 Department 3 Department 4
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
104
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create VLANs.
2.
Add interfaces to the VLAN.
Procedure
Step 1 Configure the Router.
# Create VLAN 2.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan 2
[Router-vlan2] quit
# Set the link type of Ethernet 2/0/1 to trunk and add Ethernet 2/0/1 to VLAN 2.
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type trunk
[Router-Ethernet2/0/1] port trunk allow-pass vlan 2
[Router-Ethernet2/0/1] quit
# Set the link type of Ethernet 2/0/2 to trunk and add Ethernet 2/0/2 to VLAN 2.
[Router] interface ethernet 2/0/2
[Router-Ethernet2/0/2] port link-type trunk
[Router-Ethernet2/0/2] port trunk allow-pass vlan 2
[Router-Ethernet2/0/2] quit
# Create VLAN 3.
[Router] vlan 3
[Router-vlan3] quit
# Set the link type of Ethernet 2/0/3 to trunk and add Ethernet 2/0/3 to VLAN 3.
[Router] interface ethernet 2/0/3
[Router-Ethernet2/0/3] port link-type trunk
[Router-Ethernet2/0/3] port trunk allow-pass vlan 3
[Router-Ethernet2/0/3] quit
# Set the link type of Ethernet 2/0/4 to trunk and add Ethernet 2/0/4 to VLAN 3.
[Router] interface ethernet 2/0/4
[Router-Ethernet2/0/4] port link-type trunk
[Router-Ethernet2/0/4] port trunk allow-pass vlan 3
[Router-Ethernet2/0/4] quit
Step 2 Verify the configuration.
Ping any host in VLAN 3 from a host in VLAN 2. The ping operation fails, indicating that
Department 1 and Department 2 are isolated from Department 3 and Department 4.
Ping any host in Department 2 from a host in Department 1. The ping operation is successful, indicating that Department 1 and Department 2 can communicate with each other.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
105
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Ping any host in Department 4 from a host in Department 3. The ping operation is successful, indicating that Department 3 and Department 4 can communicate with each other.
----End
Configuration Files
Configuration file of the Router
#
vlan batch 2 to 3
# interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 2
# interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 2
# interface Ethernet2/0/3
port link-type trunk
port trunk allow-pass vlan 3
# interface Ethernet2/0/4
port link-type trunk
port trunk allow-pass vlan 3
# return
3.7.2 Example for Configuring Communication Between VLANs
Using VLANIF Interfaces
Networking Requirements
As shown in Figure 3-21 , Ethernet 2/0/1 of the Router is connected to the uplink interface of
SwitchA.
On SwitchA, the downlink interface Ethernet 2/0/1 is added to VLAN 10 and the downlink interface Ethernet 2/0/2 is added to VLAN 20.
PC1 in VLAN 10 and PC2 in VLAN 20 need to communicate with each other.
Figure 3-21 Network diagram for communication between VLANs through VLANIF interfaces
Router
Issue 01 (2014-11-30)
Eth2/0/1
VLAN 10
PC1
10.10.10.2/24
Eth2/0/1
Eth2/0/3
SwitchA
Eth2/0/2
VLAN 20
PC2
10.10.20.2/24
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
106
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Configuration Roadmap
The configuration roadmap is as follows:
1.
Add Ethernet interfaces to the VLAN.
2.
Configure VLANIF interfaces.
Procedure
Step 1 Configure the Router.
# Create VLANs.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 10 20
# Add interfaces to the VLANs.
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type trunk
[Router-Ethernet2/0/1] port trunk allow-pass vlan 10 20
[Router-Ethernet2/0/1] quit
# Assign IP addresses to the VLANIF interfaces.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.10.10.1 24
[Router-Vlanif10] quit
[Router] interface vlanif 20
[Router-Vlanif20] ip address 10.10.20.1 24
[Router-Vlanif20] quit
Step 2 Configure SwitchA.
# Create VLANs.
<Huawei> system-view
[Huawei] sysname SwitchA
[SwitchA] vlan batch 10 20
# Add interfaces to the VLANs.
[SwitchA] interface ethernet 2/0/1
[SwitchA-Ethernet2/0/1] port link-type access
[SwitchA-Ethernet2/0/1] port default vlan 10
[SwitchA-Ethernet2/0/1] quit
[SwitchA] interface ethernet 2/0/2
[SwitchA-Ethernet2/0/2] port link-type access
[SwitchA-Ethernet2/0/2] port default vlan 20
[SwitchA-Ethernet2/0/2] quit
[SwitchA] interface ethernet 2/0/3
[SwitchA-Ethernet2/0/3] port link-type trunk
[SwitchA-Ethernet2/0/3] port trunk allow-pass vlan 10 20
[SwitchA-Ethernet2/0/3] quit
Step 3 Verify the configuration.
# On PC1 in VLAN 10, configure the default gateway address as the IP address of VLANIF 10
(in this example: 10.10.10.1/24).
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
107
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
# On PC2 in VLAN 20, configure the default gateway address as the IP address of VLANIF 20
(in this example: 10.10.20.1/24).
# After the configuration is complete, PC1 in VLAN 10 can communicate with PC2 in VLAN
20.
----End
Configuration Files
Configuration file of the Router
#
sysname Router
# vlan batch 10 20
# interface Vlanif10
ip address 10.10.10.1 255.255.255.0
# interface Vlanif20
ip address 10.10.20.1 255.255.255.0
# interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10 20
# return
Configuration file of SwitchA
#
sysname SwitchA
# vlan batch 10 20
# interface Ethernet2/0/1
port link-type access
port default vlan 10
# interface Ethernet2/0/2
port link-type access
port default vlan 20
# interface Ethernet2/0/3
port link-type trunk
port trunk allow-pass vlan 10 20
# return
3.7.3 Example for Configuring VLAN Damping
Networking Requirements
, the hosts in VLAN 10 communicate with the hosts outside VLAN 10 through VLANIF 10.
The VLAN damping feature is configured on VLANIF 10 to prevent route flapping caused by changes in the status of the VLANIF interface.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
108
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 3-22 Networking diagram of VLAN damping configuration
3 VLAN Configuration
Router
IP network
VLANIF10
10.100.100.100/24
VLAN 10
10.100.100.111/24 10.100.100.110/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create a VLAN.
2.
Add interfaces to the VLAN.
3.
Create a VLANIF interface and set the IP address of the VLANIF interface.
4.
Set the VLAN damping delay.
Procedure
Step 1 Create a VLAN.
# Create VLAN 10.
<Huawei> system-view
[Huawei] sysname Router
[Router] vlan batch 10
Step 2 Add interfaces to the VLAN.
# Add Ethernet 2/0/0 to VLAN 10.
[Router] interface ethernet 2/0/0
[Router-Ethernet2/0/0] port link-type access
[Router-Ethernet2/0/0] port default vlan 10
[Router-Ethernet2/0/0] quit
# Add Ethernet 2/0/1 to VLAN 10.
[Router] interface ethernet 2/0/1
[Router-Ethernet2/0/1] port link-type access
[Router-Ethernet2/0/1] port default vlan 10
[Router-Ethernet2/0/1] quit
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
109
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Step 3 Create VLANIF 10.
# Create VLANIF 10 and configure the IP address.
[Router] interface vlanif 10
[Router-Vlanif10] ip address 10.100.100.100 24
Step 4 Set the VLAN damping delay.
# Set the VLAN damping delay to 20 seconds.
[Router-Vlanif10] damping time 20
Step 5 Verify the configuration.
Run the display interface vlanif command on Router to view the VLAN damping delay.
<Router> display interface vlanif 10
Vlanif10 current state : UP
Line protocol current state : UP
Last line protocol up time : 2008-01-25 09:05:13
Description:HUAWEI, AR Series, Vlanif10 Interface
Route Port,The Maximum Transmit Unit is 1500, The Holdoff Timer is 20(sec)
Internet Address is 10.100.100.100/24
IP Sending Frames' Format is PKTFMT_ETHNT_2, Hardware address is 00e0-fc01-0005
Current system time: 2008-01-25 09:05:37
Input bandwidth utilization : --
Output bandwidth utilization : --
----End
Configuration Files
#
sysname Router
# vlan batch 10
# interface Vlanif10
ip address 10.100.100.100 255.255.255.0
damping time 20
# interface Ethernet2/0/0
port link-type access
port default vlan 10
# interface Ethernet2/0/1
port link-type access
port default vlan 10
# return
3.7.4 Example for Configuring VLAN Aggregation
Networking Requirements
As shown in Figure 3-23 , VLAN 2 and VLAN 3 are combined into a super-VLAN, VLAN 4.
The sub-VLANs (VLAN 2 and VLAN 3) cannot ping each other.
After proxy ARP is configured, VLAN 2 and VLAN 3 can ping each other.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
110
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 3-23 Network diagram of VLAN aggregation
Router
Eth2/0/1
Eth2/0/2
VLAN2
Eth2/0/3
Eth2/0/4
VLAN3
VLANIF4:10.1.1.1/24
3 VLAN Configuration
VLAN 2 VLAN 3
NOTE
AR550 series do not support VLAN aggregation.
Configuration Roadmap
The configuration roadmap is as follows:
1.
Add interfaces of the Router to sub-VLANs.
2.
Add the sub-VLANs to the super-VLAN.
3.
Configure the IP address for the super-VLAN.
4.
Configure proxy ARP for the super-VLAN.
Procedure
Step 1 Set the interface type.
# Configure Ethernet 2/0/1 as an access interface.
<Huawei> system-view
[Huawei] interface ethernet 2/0/1
[Huawei-Ethernet2/0/1] port link-type access
[Huawei-Ethernet2/0/1] quit
# Configure Ethernet 2/0/2 as an access interface.
<Huawei> system-view
[Huawei] interface ethernet 2/0/2
[Huawei-Ethernet2/0/2] port link-type access
[Huawei-Ethernet2/0/2] quit
# Configure Ethernet 2/0/3 as an access interface.
<Huawei> system-view
[Huawei] interface ethernet 2/0/3
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
111
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
[Huawei-Ethernet2/0/3] port link-type access
[Huawei-Ethernet2/0/3] quit
# Configure Ethernet 2/0/4 as an access interface.
<Huawei> system-view
[Huawei] interface ethernet 2/0/4
[Huawei-Ethernet2/0/4] port link-type access
[Huawei-Ethernet2/0/4] quit
Step 2 Configure VLAN 2.
# Create VLAN 2.
[Huawei] vlan 2
# Add Ethernet 2/0/1 and Ethernet 2/0/2 to VLAN 2.
[Huawei-vlan2] port ethernet 2/0/1 2/0/2
[Huawei-vlan2] quit
Step 3 Configure VLAN 3.
# Create VLAN 3.
[Huawei] vlan 3
# Add Ethernet 2/0/3 and Ethernet 2/0/4 to VLAN 3.
[Huawei-vlan3] port ethernet 2/0/3 2/0/4
[Huawei-vlan3] quit
Step 4 Configure VLAN 4.
# Configure the super-VLAN.
[Huawei] vlan 4
[Huawei-vlan4] aggregate-vlan
[Huawei-vlan4] access-vlan 2 to 3
# Configure the VLANIF interface.
[Huawei] interface vlanif 4
[Huawei-Vlanif4] ip address 10.1.1.1 255.255.255.0
[Huawei-Vlanif4] quit
Step 5 Configure the personal computers.
# Configure the IP address for each personal computer and ensure that they reside in the same network segment as VLAN 4.
# After the preceding configuration is complete, the personal computers and the Router can ping each other, but the computers in VLAN 2 and the computers in VLAN 3 cannot ping each other.
Step 6 Configure proxy ARP.
[Huawei] interface vlanif 4
[Huawei-Vlanif4] arp-proxy inter-sub-vlan-proxy enable
Step 7 Verify the configuration.
# After the preceding configuration is complete, the computers in VLAN 2 and the computers in VLAN 3 can ping each other.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
112
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Configuration Files
Configuration file of the Router
# vlan batch 2 to 4
# vlan 4
aggregate-vlan
access-vlan 2 to 3
# interface Vlanif4
ip address 10.1.1.1 255.255.255.0
arp-proxy inter-sub-vlan-proxy enable
# interface Ethernet2/0/1
port link-type access
port default vlan 2
# interface Ethernet2/0/2
port link-type access
port default vlan 2
# interface Ethernet2/0/3
port link-type access
port default vlan 3
# interface Ethernet2/0/4
port link-type access
port default vlan 3
# return
3.7.5 Example for Configuring Communication Across a Layer 3
Network Using VLANIF Interfaces
Networking Requirements
As shown in Figure 3-24 , RouterA and RouterB connect to Layer 2 networks on VLAN 10.
RouterA and RouterB communicate with each other through an OSPF-enabled Layer 3 network.
Computers on the two Layer 2 networks need to be isolated at Layer 2 and communicate at Layer
3.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
113
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Figure 3-24 Network diagram of communication across a Layer 3 network through VLANIF interfaces
RouterA
Eth2/0/1
VLANIF10
10.10.10.1/24
Eth2/0/2
VLANIF30
10.10.30.1/24
OSPF
Eth2/0/1
VLANIF30
10.10.30.2/24
VLAN 30
RouterB
Eth2/0/2
VLANIF10
10.10.20.1/24
VLAN 10 VLAN 10
10.10.10.2/24 10.10.20.2/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
Add interfaces to the VLANs.
2.
Assign IP addresses to VLANIF interfaces.
3.
Configure basic OSPF functions.
Procedure
Step 1 Configure RouterA.
# Create VLANs.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] vlan batch 10 30
# Add interfaces to the VLANs.
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type trunk
[RouterA-Ethernet2/0/1] port trunk allow-pass vlan 10
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] port link-type trunk
[RouterA-Ethernet2/0/2] port trunk allow-pass vlan 30
[RouterA-Ethernet2/0/2] quit
# Assign IP addresses to the VLANIF interfaces.
[RouterA] interface vlanif 10
[RouterA-Vlanif10] ip address 10.10.10.1 24
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
114
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
[RouterA-Vlanif10] quit
[RouterA] interface vlanif 30
[RouterA-Vlanif30] ip address 10.10.30.1 24
[RouterA-Vlanif30] quit
# Configure basic OSPF functions.
[RouterA] router id 1.1.1.1
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 10.10.10.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] network 10.10.30.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
Step 2 Configure RouterB.
# Create VLANs.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] vlan batch 10 30
# Add interfaces to the VLANs.
[RouterB] interface ethernet 2/0/2
[RouterB-Ethernet2/0/2] port link-type trunk
[RouterB-Ethernet2/0/2] port trunk allow-pass vlan 10
[RouterB-Ethernet2/0/2] quit
[RouterB] interface ethernet 2/0/1
[RouterB-Ethernet2/0/1] port link-type trunk
[RouterB-Ethernet2/0/1] port trunk allow-pass vlan 30
[RouterB-Ethernet2/0/1] quit
# Assign IP addresses to the VLANIF interfaces.
[RouterB] interface vlanif 10
[RouterB-Vlanif10] ip address 10.10.20.1 24
[RouterB-Vlanif10] quit
[RouterB] interface vlanif 30
[RouterB-Vlanif30] ip address 10.10.30.2 24
[RouterB-Vlanif30] quit
# Configure basic OSPF functions.
[RouterB] router id 2.2.2.2
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.10.20.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 10.10.30.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
Step 3 Verify the configuration.
# On the computer on the Layer 2 network connected to RouterA, set the default gateway address to the IP address of VLANIF 10 (10.10.10.1/24 in this example).
# On the computer on the Layer 2 network connected to RouterB, set the default gateway address to the IP address of VLANIF 10 (10.10.20.1/24 in this example).
# After the configurations are complete, computers on the two Layer 2 networks are isolated at
Layer 2 and can communicate at Layer 3.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
115
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Configuration Files
Configuration file of RouterA
#
sysname RouterA
#
router id 1.1.1.1
# vlan batch 10 30
# interface Vlanif10
ip address 10.10.10.1 255.255.255.0
# interface Vlanif30
ip address 10.10.30.1 255.255.255.0
# interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 10
# interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 30
# ospf 1
area 0.0.0.0
network 10.10.10.0 0.0.0.255
network 10.10.30.0 0.0.0.255
# return
Configuration file of RouterB
#
sysname RouterB
#
router id 2.2.2.2
# vlan batch 10 30
# interface Vlanif10
ip address 10.10.20.1 255.255.255.0
# interface Vlanif30
ip address 10.10.30.2 255.255.255.0
# interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 30
# interface Ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 10
# ospf 1
area 0.0.0.0
network 10.10.20.0 0.0.0.255
network 10.10.30.0 0.0.0.255
# return
3.8 Common Configuration Errors
This section describes common VLAN configuration errors.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
3 VLAN Configuration
116
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
3.8.1 User Terminals in the Same VLAN Cannot Ping Each Other
Fault Description
User terminals in the same VLAN cannot ping each other.
Procedure
Step 1 Check that the interfaces connected to the user terminals are in Up state.
Run the display interface interface-type interface-number command in any view to check the status of the interfaces.
l If the interface is Down, rectify the interface fault.
l If the interface is Up, go to
.
Step 2 Check whether the IP addresses of user terminals are in the same network segment.
l If they are in different network segments, change the IP addresses of the user terminals.
l If they are in the same network segment, go to
Step 3 Check that the MAC address entries on the Router are correct.
Run the display mac-address command on the Router to check whether the MAC addresses, interfaces, and VLANs in the learned MAC address entries are correct. If the learned MAC address entries are incorrect, run the undo mac-address mac-address vlan vlan-id command on the system view to delete the current entries so that the Router can learn MAC address entries again.
After the MAC address table is updated, check the MAC address entries again.
l
If the MAC address entries are incorrect, go to Step 4 .
l
If the MAC address entries are correct, go to Step 5 .
Step 4 Check that the VLAN is properly configured.
l Check the VLAN configuration according to the following table.
Check Item Method
Whether the
VLAN has been created
Run the display vlan vlan-id command in any view to check whether the VLAN has been created. If not, run the vlan command in system view to create the VLAN.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
117
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 3 VLAN Configuration
Check Item
Whether the interfaces are added to the
VLAN
Whether connections between interfaces and user terminals are correct
Method
Run the display vlan vlan-id command in any view to check whether the VLAN contains the interfaces. If not, add the interfaces to the
VLAN.
NOTE
If the interfaces are located on different devices, add the interfaces connecting the devices to the VLAN.
The default type of an Router interface is Hybrid. You can run the port linktype command to change the interface type.
l Add an access interface to the VLAN using either of the following methods:
1. Run the port default vlan command in the interface view.
2. Run the port command in the VLAN view.
l Add a trunk interface to the VLAN.
Run the port trunk allow-pass vlan command in the interface view.
l Add a hybrid interface to the VLAN using either of the following methods:
1. Run the port hybrid tagged vlan command in the interface view.
2. Run the port hybrid untagged vlan command in the interface view.
Check the connections between interfaces and user terminals according to the network plan. If any user terminal is connected to an incorrect interface, connect it to the correct interface.
After the preceding operations, if the MAC address entries are correct, go to Step 5 .
Step 5 Check whether port isolation is configured.
Run the interface interface-type interface-number command in the system view to enter the interface view, and then run the display this command to check whether port isolation is configured on the interface.
l
If port isolation is not configured, go to Step 6 .
l If port isolation is configured, run the undo port-isolate enable command on the interface
to disable port isolation. If the fault persists, go to Step 6
.
Step 6 Check whether correct static Address Resolution Protocol (ARP) entries are configured on the user terminals. If the static ARP entries are incorrect, modify them.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
118
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
3.8.2 VLANIF Interface Goes Down
Fault Symptom
A VLANIF interface is in Down state.
Common causes and solutions
lists the common causes and solutions.
Table 3-7 Common causes and solutions
Common Cause
No interface is added to the corresponding
VLAN.
All interfaces added to the VLAN are physically Down.
No IP address is assigned to the VLANIF interface.
The VLANIF interface is shut down.
3 VLAN Configuration
Solution
Add interfaces to the corresponding VLAN.
Rectify the fault. A VLANIF interface is Up as long as an interface in the corresponding
VLAN is Up.
Run the ip address command in the view of the VLANIF interface to assign an IP address to the VLANIF interface.
Run the undo shutdown (interface view) command in the view of the VLANIF interface to enable the VLANIF interface.
3.9 References
This section describes references of VLAN.
The following table lists the references of this document.
Document
RFC 3069
IEEE 802.1Q
IEEE 802.1ad
IEEE 802.10
Description
VLAN Aggregation for Efficient IP Address
Allocation
IEEE Standards for Local and Metropolitan
Area Networks: Virtual Bridged Local Area
Networks
IEEE Standards for Local and Metropolitan
Area Networks: Virtual Bridged Local Area
Networks- Amendment 4
IEEE Standards for Local and Metropolitan
Area Networks: Standard for Interoperable
LAN/MAN Security
-
-
-
-
Remarks
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
119
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Document
YD/T 1260-2003
Description
3 VLAN Configuration
Technical and Testing Specification of Virtual
LAN Based on Port
-
Remarks
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
120
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 4 QinQ Configuration
4
QinQ Configuration
About This Chapter
This chapter describes the concepts and configuration procedure of 802.1Q-in-802.1Q (QinQ), and provides configuration examples.
Context
NOTE
Only the support QinQ.
Only the support termination sub-interface access to the VPN.
This section defines QinQ and describes its purpose and benefits.
This section describes the principles behind QinQ.
This section describes the applicable environment of QinQ.
4.4 Configuration Task Summary
This section describes the points of attention when configuring QinQ.
This section describes how to configure QinQ.
This section provides several configuration examples of QinQ.
This section provides the references for QinQ.
121 Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 4 QinQ Configuration
4.1 Introduction to QinQ
This section defines QinQ and describes its purpose and benefits.
Definition
802.1Q-in-802.1Q (QinQ) expands VLAN space by adding an additional 802.1Q tag to 802.1Q
tagged packets. It allows services in a private VLAN to be transparently transmitted over a public network. A packet transmitted on the backbone network carries two 802.1Q tags: a public VLAN tag and a private VLAN tag.
Purpose
Ethernet is widely used on ISP networks, but 802.1Q VLANs are unable to identify and isolate large numbers of users on metro Ethernet networks because the 12-bit VLAN tag field defined in IEEE 802.1Q only identifies a maximum of 4096 VLANs. QinQ was developed to expand
VLAN space beyond 4096 VLANs so that a larger number of users can be identified on a metro
Ethernet network.
QinQ technology encapsulates an 802.1Q tag to an 802.1Q packet. With this extra tag, the number of VLANs increases to 4094 x 4094.
In addition to expanding VLAN space, QinQ is applied in other scenarios with the development of metro Ethernet networks and carriers' requirements on refined service operation. The outer and inner VLAN tags can be used to differentiate packets based on users and services. For example, the inner tag represents a user, while the outer tag represents a service. Moreover, QinQ functions as a simple and practical VPN technology by transparently transmitting private VLAN services over a public network. It extends core MPLS VPN services to metro Ethernet networks and implements an end-to-end VPN.
Benefits
QinQ offers the following benefits: l Extends the VLAN space to isolate and identify more users.
l Facilitates service deployment by allowing the inner and outer tags to represent different information. For example, the inner tag identifies a user and the outer tag identifies a service.
l Allows ISPs to implement refined service operation by providing diversified encapsulation and termination modes.
4.2 QinQ Principles
This section describes the principles behind QinQ.
4.2.1 QinQ Fundamentals
QinQ expands VLAN space by adding an additional 802.1Q VLAN tag to an 802.1Q-tagged packet. Devices forward packets over the public network according to outer VLAN tags of the packets, and learn MAC addresses from the outer VLAN tags. The private VLAN tags in the packets are forwarded as payload of the packets.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
122
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 4 QinQ Configuration
QinQ Packet Encapsulation Format
A QinQ packet has a fixed format, in which an 802.1Q tag is added outside the existing 802.1Q
tag of the packet. A QinQ packet has 4 more bytes than an 802.1Q packet.
Figure 4-1 802.1Q encapsulation
TPID
QinQ Encapsulation
QinQ encapsulation changes a single-tagged packet into a double-tagged packet.
QinQ encapsulation falls into basic QinQ and selective QinQ depending on the data encapsulated. Basic QinQ refers to interface-based QinQ, and selective QinQ includes VLAN
ID-based QinQ and 802.1p priority-based QinQ.
l Interface-based QinQ encapsulation
This encapsulation mode is also called QinQ tunneling. It encapsulates packets arriving at the same interface with the same outer VLAN tag, and therefore cannot distinguish users and services at the same time.
l VLAN ID-based QinQ encapsulation
This encapsulation mode determines whether to add outer VLAN tags and which outer
VLAN tags to add based on data flows.
Traffic can be classified based on VLAN ID ranges if a customer uses different VLAN IDs for different services. For example, PC users access the Internet through VLANs 101 to
200, IPTV users through VLANs 201 to 300, and VoIP users through VLANs 301 to 400.
When receiving service data, the underlayer provider edge (UPE) adds outer tag 100 to packets from PCs, outer tag 300 to packets from IPTV users, and outer tag 500 to packets from VoIP users.
l 802.1p priority-based QinQ encapsulation
This encapsulation mode determines whether to add outer VLAN tag and which outer
VLAN tags to add based on priorities of data flows.
For example, when different services of a user have different priorities, these services can be transmitted over different data channels based on priorities.
QinQ Implementation
QinQ can be implemented in either of the following ways:
1.
Basic QinQ
Basic QinQ is implemented based on interfaces. After basic QinQ is configured on an interface, the device adds the default VLAN tag of this interface to all packets regardless of whether the packets carry VLAN tags.
l If a single-tagged packet is received, the packet becomes a double-tagged packet.
l If an untagged packet is received, the packet is tagged with the default VLAN ID of the local interface.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
123
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 4 QinQ Configuration
2.
Selective QinQ
Selective QinQ is implemented based on interfaces and VLAN IDs. That is, an interface can forward packets based on a single VLAN tag or double VLAN tags. In addition, the device processes packets received on an interface as follows based on their VLAN IDs: l Adds different outer VLAN tags to packets carrying different inner VLAN IDs.
l Marks outer 802.1p fields and adds different outer VLAN tags to packets according to the 802.1p fields in inner VLAN tags.
In addition to separating carrier and customer networks, selective QinQ provides extensive service features and allows flexible networking.
QinQ/Dot1q VLAN Tag Termination Sub-interface
Termination removes the single or double tags from packets before the packets are sent.
Different termination modes are used in different situations when QinQ technology is applied to an MPLS/IP core network.
Termination is performed on a sub-interface; therefore, a sub-interface used for terminating
VLAN tags is called a termination sub-interface. A termination sub-interface can be either of the following: l Dot1q VLAN tag termination sub-interface: removes a single VLAN tag from packets.
l QinQ VLAN tag termination sub-interface: removes double VLAN tags from packets.
QinQ VLAN tag termination sub-interfaces provide different functions in different scenarios.
4.2.2 Basic QinQ
Basic QinQ is implemented based on interfaces. Basic QinQ allows the device to add the outer tag to a packet received on an interface. If the received packet carries a VLAN tag, the device adds the outer VLAN tag to the packet. If the received packet does not carry any VLAN tag, the device adds the inner VLAN tag and then the outer VLAN tag.
As shown in Figure 4-2 , enterprise A has two branches that connect to the carrier network
through PE1 and PE2 respectively.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
124
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 4-2 Networking diagram of basic QinQ
P
4 QinQ Configuration
CE1
20
10 to
50
PE1 20
10
t o
50
20
Network
10 to
50
PE2
20
10 to
50
CE2
Enterprise A
Branch 1
VLAN 10 to 50
Enterprise A
Branch 2
VLAN 10 to 50
Enterprise A has different services, so different VLANs are assigned. Basic QinQ is configured on the CE interface connected to the carrier network. The outer VLAN 20 is added to the packet passing through the CE interface and removed after the packet reaches another branch. Traffic between two branches is transparently transmitted on the public network so that users using the same service in different branches of enterprise A can communicate and users using different services are isolated.
4.2.3 Selective QinQ
Selective QinQ, also known as VLAN Stacking or QinQ Stacking, is performed based on ports and VLAN IDs. Besides basic QinQ functions, selective QinQ has the following functions: l VLAN ID-based selective QinQ: adds outer VLAN tags based on VLAN IDs.
l 802.1p priority-based selective QinQ: adds outer VLAN tags based on 802.1p priorities in inner VLAN tags.
Selective QinQ is an extension of basic QinQ and is more flexible. The difference is as follows: l Basic QinQ: adds the same outer VLAN tag to all the frames entering a Layer 2 port.
l Selective QinQ: adds different outer VLAN tags to the frames entering a Layer 2 port based on the inner VLAN tags.
As shown in Figure 4-3 , enterprise A has two branches that connect to the carrier network
through PE1 and PE2 respectively.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
125
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 4-3 Networking diagram of selective QinQ
P
4 QinQ Configuration
CE1
PE1 20
10
t o
30
31
t o
50
21
21
20
31 to
Network
10 to
30
50
20
10 to
30
31 to
50
21
PE2
21
20
10 to
30
31 to
50
CE2
Enterprise A
Branch 1
VLAN 10 to 50
Enterprise A
Branch 2
VLAN 10 to 50
Data: VLAN 10 to 30
Voice: VLAN 31 to 50
Enterprise A has different services, so different VLANs are assigned. Data services are transmitted in VLAN 10 to VLAN 30, and voice services are transmitted in VLAN 31 to VLAN
50.
Selective QinQ is configured on the user-side interface of the CE to add outer VLAN 20 to packets with VLAN IDs 10 to 30, and outer VLAN 21 to packets with VLAN IDs 31 to 50, and the device is configured to increase the priority of voice packets. Traffic between two branches can be transparently transmitted through the public network so that users using the same service in different branches of enterprise A can communicate, users using different services are isolated, and voice services are transmitted preferentially.
4.2.4 TPID
The Tag Protocol Identifier (TPID) specifies the protocol type of a VLAN tag. The TPID value defined in IEEE 802.1Q is 0x8100.
shows the Ethernet packet format defined in IEEE 802.1Q. An IEEE 802.1Q tag, containing the TPID, lies between the Source Address field and the Length/Type field. A device checks the TPID value in a received packet to determine whether the VLAN tag is an S-VLAN tag or C-VLAN tag. The device compares the configured TPID value with the TPID value in the packet. For example, if a frame carries the VLAN tag with TPID 0x8100 but the TPID configured for a customer network on a device is 0x8200, the device considers the frame untagged.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
126
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 4 QinQ Configuration
Figure 4-4 802.1Q encapsulation
802.1Q Encapsulation
DA
6 Bytes
SA
6 Bytes
802.1Q TAG
4 Bytes
Length/Type
2 Bytes
Data
46 Bytes~1500 Bytes
FCS
4 Bytes
TPID 2 Bytes
0X8100 Priority
3bits
TCI 2 Bytes
CFI VLAN ID
1bit 12bits
Carrier's systems may use different TPID values in outer VLAN tags. When a Huawei device needs to interoperate with such a carrier system, set the TPID value to the value used by the carrier so that QinQ packets sent from the Huawei device can be transmitted across the carrier network. To prevent errors in packet forwarding and processing, do not set the TPID to any of
.
Table 4-1 Protocol types and values
Protocol Type
ARP
RARP
IP
IPv6
PPPoE
MPLS
IPX/SPX
LACP
802.1x
HGMP
Reserved
Value
0x0806
0x8035
0x0800
0x86DD
0x8863/0x8864
0x8847/0x8848
0x8137
0x8809
0x888E
0x88A7
0xFFFD/0xFFFE/0xFFFF
4.3 Application Environment
This section describes the applicable environment of QinQ.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
127
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Basic QinQ
4 QinQ Configuration
As shown in Figure 4-5 , enterprise A has two branches that connect to the carrier network
through PE1 and PE2 respectively. Enterprise A has different services, so different VLANs are assigned. To save public VLAN IDs, it is required that traffic between two branches of enterprise
A be transparently transmitted through the public network, users using the same service in different branches of enterprise A be allowed to communicate, and users using different services be isolated. You can configure QinQ on the network-side interface of the CE to meet the preceding requirements.
Figure 4-5 Typical networking of basic QinQ
P
CE1
20
10 to
50
PE1 20
10
t o
50
20
Network
10 to
50
PE2
20
10 to
50
CE2
Enterprise A
Branch 1
VLAN 10 to 50
Enterprise A
Branch 2
VLAN 10 to 50
Selective QinQ
As shown in Figure 4-6 , enterprise A has two branches that connect to the carrier network
through PE1 and PE2 respectively. Enterprise A has different services, so different VLANs are assigned. Data services are transmitted in VLAN 10 to VLAN 30, and voice services are transmitted in VLAN 31 to VLAN 50. To save public VLAN IDs, it is required that traffic between two branches of enterprise A be transparently transmitted through the public network, users using the same service in different branches of enterprise A be allowed to communicate, users using different services be isolated, and voice services be transmitted preferentially. You can configure selective QinQ on the user-side interface of the CE to meet the preceding requirements.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
128
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 4-6 Typical networking of selective QinQ
P
4 QinQ Configuration
CE1
PE1 20
10
t o
30
31
t o
50
21
20
21
31 to
Network
10 to
30
50
20
10 to
30
31 to
50
21
PE2
21
20
10 to
30
31 to
50
CE2
Enterprise A
Branch 1
VLAN 10 to 50
Enterprise A
Branch 2
VLAN 10 to 50
Data: VLAN 10 to 30
Voice: VLAN 31 to 50
4.4 Configuration Task Summary
describes the QinQ configuration tasks.
Table 4-2 QinQ configuration task summary
Scenario Description
Configure QinQ tunneling This section describes how to configure QinQ tunneling, including basic QinQ and selective QinQ.
Set the TPID value in an outer
VLAN tag
To enable interoperation between devices from different vendors, set the same TPID value in outer
VLAN tags on the devices.
Task
4.5 Configuration Notes
This section describes the points of attention when configuring QinQ.
When deploying QinQ on the industrial switch router, pay attention to the following points:
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
129
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 4 QinQ Configuration l Before configuring QinQ on an interface, add the interface to a network bridge. If the interface is deleted from the network bridge, the QinQ configuration is also deleted from the interface.
l You can configure only QinQ, selective QinQ, or VLAN mapping on a sub-interface.
4.6 Configuring QinQ
This section describes how to configure QinQ.
4.6.1 Configuring QinQ Tunneling
This section describes how to configure QinQ tunneling, including basic QinQ and selective
QinQ.
4.6.1.1 Configuring Basic QinQ
Background
Dot1q tunnel isolates a carrier network from a user network and is widely used when users connect to a carrier network. When private networks connect to a carrier network through CEs and PEs, run the vlan dot1q-tunnel command on CE interfaces connected to PEs so that the CE interfaces add the outer VLAN tag allocated by the carrier to user packets. This implementation saves VLAN IDs and allows user packets to be transparently transmitted on the carrier network.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: bridge bridge-id
A bridge group is created and the bridge group view is displayed.
Step 3 Run: quit
Exit from the bridge group view.
Step 4 Run: interface { ethernet | gigabitethernet } interface-number .
subinterface-number
The Ethernet sub-interface view is displayed.
NOTE
Sub-interfaces can only be created on Layer 3 Ethernet interfaces. If an interface works in Layer 2 mode and supports switching between Layer 2 and Layer 3 modes, run the undo portswitch command to switch the interface in Layer 3 mode before creating a sub-interface on the interface.
Step 5 Run: bridge bridge-id
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
130
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
4 QinQ Configuration
The Ethernet sub-interface is added to the bridge group.
Step 6 Run: bridge vlan-transmit enable
The interface is enabled to transparently transmit VLAN IDs.
Step 7 Run: vlan allow-pass { vid vlan-id1 [ to vlan-id2 ] | default }
The VLAN allowed by the Ethernet sub-interface is configured.
NOTE
VLANs allowed by all sub-interfaces of a main interface cannot overlap.
The vlan allow-pass default command can be executed only on a sub-interface among all sub-interfaces of each main interface. Packets are forwarded through the default sub-interface when the packets do not match other
QinQ or VLAN mapping entries on a sub-interface.
Step 8 Run: vlan dot1q-tunnel tunnel-vlan-id [ native vid native-vlan-id ]
The basic QinQ function is configured on a sub-interface.
The vlan dot1q-tunnel command can be only executed at one time on a sub-interface and the
VLAN specified by tunnel-vlan-id must be allowed by the sub-interface.
----End
4.6.1.2 Configuring Selective QinQ
Context
You can configure either of the following selective QinQ modes: l VLAN ID-based selective QinQ
When private networks connect to a carrier network through CEs and PEs, run the vlan stacking command on CE interfaces connected to PEs so that the CE interfaces add the outer VLAN tag allocated by the carrier to user packets. This implementation saves VLAN
IDs and allows user packets to be transparently transmitted on the carrier network.
l 802.1p priority-based selective QinQ
An 802.1p priority indicates a packet priority. Generally, different services of a user use different priorities. A carrier can establish different data transmission networks for different services based on 802.1p priorities so that services on the carrier network can be differentiated.
Procedure l Configure VLAN ID-based selective QinQ.
1.
Run: system-view
The system view is displayed.
2.
Run: bridge bridge-id
Issue 01 (2014-11-30) 131
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 4 QinQ Configuration
A bridge group is created and the bridge group view is displayed.
3.
Run: quit
Exit from the bridge group view.
4.
Run: interface { ethernet | gigabitethernet } interface-number .
subinterfacenumber
The Ethernet sub-interface view is displayed.
NOTE
Sub-interfaces can only be created on Layer 3 Ethernet interfaces. If an interface works in Layer
2 mode and supports switching between Layer 2 and Layer 3 modes, run the undo portswitch command to switch the interface in Layer 3 mode before creating a sub-interface on the interface.
5.
Run: bridge bridge-id
The Ethernet sub-interface is added to the bridge group.
6.
Run: bridge vlan-transmit enable
The interface is enabled to transparently transmit VLAN IDs.
7.
Run: vlan stacking { default | vid low-ce-vid [ to high-ce-vid ] } pe-vid pevid [ remark-8021p 8021p-value2 ]
VLAN ID-based selective QinQ is configured.
NOTE
The VLANs allowed by all sub-interfaces of a main interface cannot overlap.
The vlan stacking default command can only be executed on a sub-interface among all subinterfaces of each main interface. Packets are forwarded through the default sub-interface when the packets do not match other QinQ entries on a sub-interface.
l Configure 802.1p priority-based selective QinQ.
1.
Run: system-view
The system view is displayed.
2.
Run: bridge bridge-id
A bridge group is created and the bridge group view is displayed.
3.
Run: quit
Exit from the bridge group view.
4.
Run: interface { ethernet | gigabitethernet } interface-number .
subinterfacenumber
The Ethernet sub-interface view is displayed.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
132
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 4 QinQ Configuration
NOTE
Sub-interfaces can only be created on Layer 3 Ethernet interfaces. If an interface works in Layer
2 mode and supports switching between Layer 2 and Layer 3 modes, run the undo portswitch command to switch the interface in Layer 3 mode before creating a sub-interface on the interface.
5.
Run: bridge bridge-id
The Ethernet sub-interface is added to the bridge group.
6.
Run: bridge vlan-transmit enable
The interface is enabled to transparently transmit VLAN IDs.
7.
Run: vlan allow-pass { vid vlan-id1 [ to vlan-id2 ] | default }
The VLAN allowed by the Ethernet sub-interface is configured.
NOTE
VLANs allowed by all sub-interfaces of a main interface cannot overlap.
The vlan allow-pass default command can be executed only on a sub-interface among all subinterfaces of each main interface. Packets are forwarded through the default sub-interface when the packets do not match other QinQ or VLAN mapping entries on a sub-interface.
8.
Run: vlan stacking 8021p 8021p-value1 pe-vid pe-vid [ remark-8021p 8021pvalue2 ]
802.1p priority-based selective QinQ is configured.
----End
4.6.2 Configuring the TPID Value in an Outer VLAN Tag
To enable interoperation between devices from different vendors, set the same TPID value in outer VLAN tags on the devices.
Context
Devices from different vendors or in different network plans may use different TPID values in
VLAN tags of VLAN packets. To adapt to an existing network plan, the industrial switch router supports TPID value configuration. You can set the TPID value on the industrial switch router to be the same as the TPID value in the network plan to ensure compatibility with the current network.
NOTE l To implement interoperability with a non-Huawei device, ensure that the protocol type in the outer
VLAN tag added by the industrial switch router can be identified by the non-Huawei device.
l The qinq protocol command identifies incoming packets, and adds or changes the TPID value of outgoing packets.
l The protocol ID configured on an interface by the qinq protocol command must be different from other commonly used protocol IDs; otherwise, the interface cannot distinguish packets of these protocols. For example, protocol-id cannot be set to 0x0806, which is the ARP protocol ID.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
133
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The interface view is displayed.
Step 3 Run: qinq protocol protocol-id
The protocol type in the outer VLAN tag is set.
By default, the TPID value in the outer VLAN tag is 0x8100.
----End
4 QinQ Configuration
4.7 Configuration Examples
This section provides several configuration examples of QinQ.
4.7.1 Example for Configuring Basic QinQ
Networking Requirements
As shown in Figure 4-7 , enterprise A has two branches that connect to the carrier network
through PE1 and PE2 respectively. Enterprise A has different services, so different VLANs are assigned.
The requirements are as follows: l VLANs are assigned independently in enterprise A, and are independent of carrier VLANs or VLANs of other enterprises.
l Traffic between two branches of enterprise A is transparently transmitted through the public network, devices transmitting the same service in different branches of enterprise A are allowed to communicate, and devices transmitting different services are isolated.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
134
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 4-7 Networking diagram for configuring basic QinQ
P
4 QinQ Configuration
CE1
PE1
VL
AN
20
GE0/0/1
GE0/0/0
GE0/0/1
VL
AN
20
GE0/0/0
GE0/0/0
VL
AN
20
Network
GE0/0/0
PE2
VLA
N20
GE0/0/1
GE0/0/0
CE2
Enterprise A
Branch 1
VLAN 10 to 50
Enterprise A
Branch 2
VLAN 10 to 50
Configuration Roadmap
The configuration roadmap is as follows:
You can configure the basic QinQ function on a CE connected to a PE and implement communication between two branches of enterprise A through VLAN 20 provided by the carrier.
1.
Create a bridge group and add a sub-interface to the bridge group.
2.
Configure VLANs allowed by the sub-interface.
3.
Configure basic QinQ on the CE interface connected to the PE so that the CE can add the
S-VLAN tag to user packets.
4.
Add interfaces of the PE and P to VLAN 20 so that packets from VLAN 20 are allowed to pass through.
Procedure
Step 1 Create a bridge group and add a sub-interface to the bridge group.
# Create a bridge group and add a sub-interface to the bridge group on CE1. The configuration of CE2 is similar to that of CE1.
<Huawei> system-view
[Huawei] sysname CE1
[CE1] bridge 1
[CE1-bridge1] quit
[CE1] interface gigabitethernet 0/0/0.1
[CE1-GigabitEthernet0/0/0.1] bridge 1
[CE1-GigabitEthernet0/0/0.1] bridge vlan-transmit enable
Step 2 Configure VLANs allowed by the sub-interface.
# Configure VLANs allowed by the sub-interface on CE1. The configuration of CE2 is similar to that of CE1.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
135
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 4 QinQ Configuration
[CE1-GigabitEthernet0/0/0.1] vlan allow-pass vid 10 to 50
Step 3 Configure an interface on CE connected to a PE to add a VLAN tag to user packets.
# Configure an interface on CE1 connected to a PE to add a VLAN tag to user packets. The configuration of CE2 is similar to that of CE1.
[CE1-GigabitEthernet0/0/0.1] vlan dot1q-tunnel 20
[CE1-GigabitEthernet0/0/0.1] quit
Step 4 Add interfaces on PEs to VLAN 20 in trunk mode. The configurations of PE2 and P are similar to the configuration of PE1.
# Add GE0/0/0 and GE0/0/1 on PE1 to VLAN 20 in trunk mode.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] vlan batch 20
[PE1] interface gigabitethernet 0/0/0
[PE1-GigabitEthernet0/0/0] port link-type trunk
[PE1-GigabitEthernet0/0/0] port trunk allow-pass vlan 20
[PE1-GigabitEthernet0/0/0] quit
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] port link-type trunk
[PE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 20
[PE1-GigabitEthernet0/0/1] quit
Step 5 Verify the configuration.
# On a PC in a VLAN of a branch in enterprise A, ping a PC in the same VLAN of the other branch in enterprise A. The ping operation succeeds, indicating that devices transmitting the same service can communicate with each other.
----End
Configuration Files
Configuration file of CE1
#
sysname CE1
# bridge 1
# interface GigabitEthernet0/0/0
# interface GigabitEthernet0/0/0.1
bridge 1
bridge vlan-transmit enable
vlan allow-pass vid 10 to 50
vlan dot1q-tunnel 20
# return
Configuration file of CE2
#
sysname CE2
# bridge 1
# interface GigabitEthernet0/0/0
# interface GigabitEthernet0/0/0.1
bridge 1
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
136
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 4 QinQ Configuration
bridge vlan-transmit enable
vlan allow-pass vid 10 to 50
vlan dot1q-tunnel 20
# return
Configuration file of PE1
#
sysname PE1
# vlan batch 20
# interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 20
# interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
# return
Configuration file of PE2
#
sysname PE2
# vlan batch 20
# interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 20
# interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
# return
Configuration file of P
#
sysname P
# vlan batch 20
# interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 20
# interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20
# return
4.7.2 Example for Configuring Selective QinQ
Networking Requirements
As shown in Figure 4-8 , enterprise A has two branches that connect to the carrier network
through PE1 and PE2 respectively. Enterprise A has different services, so different VLANs are assigned. Data services are transmitted in VLAN 10 to VLAN 30, and voice services are transmitted in VLAN 31 to VLAN 50.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
137
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 4 QinQ Configuration
The requirements are as follows: l VLANs are assigned independently in enterprise A, and are independent of carrier VLANs or VLANs of other enterprises.
l Traffic between two branches of enterprise A is transparently transmitted through the public network, devices transmitting the same service in different branches of enterprise A are allowed to communicate, and devices transmitting different services are isolated.
l High-priority voice services are transmitted first.
Figure 4-8 Networking diagram for configuring selective QinQ
P
GE0/0/1 GE0/0/0
CE1
PE1
GE0/0/1
GE0/0/0
GE0/0/0 Network
GE0/0/0
GE0/0/1
PE2
GE0/0/1
GE0/0/0
GE0/0/1
CE2
Enterprise A
Branch 1
VLAN 10 to 50
Enterprise A
Branch 2
VLAN 10 to 50
Data: VLAN 10 to 30
Voice: VLAN 31 to 50
Configuration Roadmap
The configuration roadmap is as follows:
You can configure selective QinQ on the CE user-side interface and implement communication between two branches of enterprise A through VLAN 20 and VLAN 21 provided by the carrier.
1.
Create a bridge group and add sub-interfaces to the bridge group.
2.
Configure VLANs allowed by the user-side sub-interfaces of the CE, configure the CE user-side interface to add different outer VLAN tags to packets with different user VLAN
IDs, and re-mark voice services with high priority.
3.
Add the CE interface connected to the PE, PE interface, and P interface to VLAN 20 and
VLAN 21 so that packets from VLAN 20 and VLAN 21 are allowed to pass through.
Procedure
Step 1 Create a bridge group and add sub-interfaces to the bridge group.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
138
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 4 QinQ Configuration
<Huawei> system-view
[Huawei] sysname CE1
[CE1] bridge 1
[CE1-bridge1] quit
[CE1] interface gigabitethernet 0/0/1.1
[CE1-GigabitEthernet0/0/1.1] bridge 1
[CE1-GigabitEthernet0/0/1.1] bridge vlan-transmit enable
[CE1-GigabitEthernet0/0/1.1] quit
[CE1] interface gigabitethernet 0/0/1.2
[CE1-GigabitEthernet0/0/1.2] bridge 1
[CE1-GigabitEthernet0/0/1.2] bridge vlan-transmit enable
[CE1-GigabitEthernet0/0/1.2] quit
# The configuration of CE2 is similar to that of CE1, and is not mentioned here.
Step 2 Configure CE1 user-side interface to add VLAN tags to user packets and re-mark voice services with high priority.
[CE1] interface gigabitethernet 0/0/1.1
[CE1-GigabitEthernet0/0/1.1] vlan stacking vid 10 to 30 pe-vid 20
[CE1-GigabitEthernet0/0/1.1] quit
[CE1] interface gigabitethernet 0/0/1.2
[CE1-GigabitEthernet0/0/1.2] vlan stacking vid 31 to 50 pe-vid 21 remark-8021p 7
[CE1-GigabitEthernet0/0/1.2] quit
# The configuration of CE2 is similar to that of CE1, and is not mentioned here.
Step 3 Add GE0/0/0 on CE1, and GE0/0/0 and GE0/0/1 on PE1 to VLAN 20 and VLAN 21 in trunk mode.
# Add GE10/0/0 on CE1 to VLAN 20 and VLAN 21 in trunk mode. The configuration of CE2 is similar to that of CE1, and is not mentioned here.
[CE1] vlan batch 20 to 21
[CE1] interface gigabitethernet 0/0/0
[CE1-GigabitEthernet0/0/0] port link-type trunk
[CE1-GigabitEthernet0/0/0] port trunk allow-pass vlan 20 21
[CE1-GigabitEthernet0/0/0] quit
# Add GE0/0/0 and GE0/0/1 on PE1 to VLAN 20 and VLAN 21 in trunk mode. The configurations of PE2 and P are similar to the configuration of PE1, and are not mentioned here.
<Huawei> system-view
[Huawei] sysname PE1
[PE1] vlan batch 20 to 21
[PE1] interface gigabitethernet 0/0/0
[PE1-GigabitEthernet0/0/0] port link-type trunk
[PE1-GigabitEthernet0/0/0] port trunk allow-pass vlan 20 21
[PE1-GigabitEthernet0/0/0] quit
[PE1] interface gigabitethernet 0/0/1
[PE1-GigabitEthernet0/0/1] port link-type trunk
[PE1-GigabitEthernet0/0/1] port trunk allow-pass vlan 20 21
[PE1-GigabitEthernet0/0/1] quit
Step 4 Verify the configuration.
# On a PC in a VLAN of a branch in enterprise A, ping a PC in the same VLAN of the other branch in enterprise A. The ping operation succeeds, indicating that devices transmitting the same service can communicate with each other.
----End
Configuration Files
Configuration file of CE1
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
139
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
#
sysname CE1
# vlan batch 20 to 21
# bridge 1
# interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 20 to 21
# interface GigabitEthernet0/0/1
# interface GigabitEthernet0/0/1.1
bridge 1
bridge vlan-transmit enable
vlan stacking vid 10 to 30 pe-vid 20
# interface GigabitEthernet0/0/1.2
bridge 1
bridge vlan-transmit enable
vlan stacking vid 31 to 50 pe-vid 21 remark 8021p 7
# return
Configuration file of CE2
#
sysname CE2
# vlan batch 20 to 21
# bridge 1
# interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 20 to 21
# interface GigabitEthernet0/0/1
# interface GigabitEthernet0/0/1.1
bridge 1
bridge vlan-transmit enable
vlan stacking vid 10 to 30 pe-vid 20
# interface GigabitEthernet0/0/1.2
bridge 1
bridge vlan-transmit enable
vlan stacking vid 31 to 50 pe-vid 21 remark 8021p 7
# return
Configuration file of PE1
#
sysname PE1
# vlan batch 20 to 21
# interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 20 to 21
# interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 to 21
# return
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
4 QinQ Configuration
140
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Configuration file of PE2
#
sysname PE2
# vlan batch 20 to 21
# interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 20 to 21
# interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 to 21
# return
Configuration file of P
#
sysname P
# vlan batch 20 to 21
# interface GigabitEthernet0/0/0
port link-type trunk
port trunk allow-pass vlan 20 to 21
# interface GigabitEthernet0/0/1
port link-type trunk
port trunk allow-pass vlan 20 to 21
# return
4 QinQ Configuration
4.8 References
This section provides the references for QinQ.
The following table lists the references for the QinQ feature.
Document
IEEE 802.1Q
IEEE 802.1ad
Description
IEEE standard for local and metropolitan area networks: Virtual Bridged Local Area Networks
IEEE 802.1ad, "Virtual Bridged Local Area
Networks: Provider Bridges"
-
-
Remarks
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
141
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 5 GVRP Configuration
5
GVRP Configuration
About This Chapter
This chapter describes basic GVRP concepts, GVRP configuration procedures, and concludes with a GVRP configuration example.
Context
NOTE
AR550 series routers do not support GVRP.
This section describes the definition, purpose and benefit of GVRP.
This section describes the implementation of GVRP.
This section describes the applicable scenario of GVRP.
This section describes default GVRP settings that can be changed in actual applications.
This section describes how to configure the GVRP function.
This section describes how to clear the GVRP statistics.
This section provides a configuration example for GVRP.
This section lists references of GVRP.
142 Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 5 GVRP Configuration
5.1 Introduction to GVRP
This section describes the definition, purpose and benefit of GVRP.
Definition
The Generic Attribute Registration Protocol (GARP) provides a mechanism to propagate attributes so that a protocol entity can register and deregister attributes. By filling different attributes into GARP packets, GARP supports different upper-layer applications.
The GARP VLAN Registration Protocol (GVRP) is used to register and deregister VLAN attributes.
GARP identifies applications through destination MAC addresses. IEEE Std 802.1Q assigns
01-80-C2-00-00-21 to the VLAN application (GVRP).
Purpose
To deploy certain VLANs on all devices on a network, the network administrator needs to manually create these VLANs on each device. As shown in
, three routers are connected through trunk links. VLAN 2 is configured on Router A, and VLAN 1 is configured on Router B and Router C. To forward packets of VLAN 2 from Router A to Router C, the network administrator must manually create VLAN 2 on Router B and Router C.
Figure 5-1 Networking of GVRP application
RouterA RouterC
RouterB
When a network is complicated and the network administrator is unfamiliar with the network topology or when many VLANs are configured on the network, huge workload is required for manual configuration. In addition, configuration errors may occur. In this case, you can configure
GVRP on the network to implement automatic registration of VLANs.
Benefits
Issue 01 (2014-11-30)
GVRP is based on GARP and is used to maintain VLAN attributes dynamically on devices.
Through GVRP, VLAN attributes of one device can be propagated throughout the entire
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
143
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 5 GVRP Configuration switching network. GVRP enables network devices to dynamically deliver, register, and propagate VLAN attributes, reducing workload of the network administrator and ensuring correct configuration.
5.2 Principles
This section describes the implementation of GVRP.
5.2.1 Basic Concepts
Participant
On a device, each port running a protocol is considered as a participant. On a device running
GVRP, each GVRP-enabled port is considered as a GVRP participant, as shown in
Figure 5-2 GVRP participant
GVRP participants
RouterA
RouterC
RouterB
VLAN Registration and Deregistration
GVRP implements automatic registration and deregistration of VLAN attributes. The functions of VLAN registration and deregistration are: l VLAN registration: adds a port to a VLAN.
l VLAN deregistration: removes a port from a VLAN.
GVRP registers and deregisters VLAN attributes through attribute declarations and reclaim declarations as follows: l When a port receives a VLAN attribute declaration, it registers the VLAN specified in the declaration. That is, the port is added to the VLAN.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
144
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 5 GVRP Configuration l When a port receives a VLAN attribute reclaim declaration, it deregisters the VLAN specified in the declaration. That is, the port is removed from the VLAN.
A port registers or deregisters VLANs only when it receives GVRP messages.
Figure 5-3 VLAN registration and deregistration
Declaration
Register
RouterA
Reclaim declaration
Deregister
RouterB
GARP Messages
GARP participants exchange VLAN information through GARP messages. Major GARP messages are Join messages, Leave messages, and LeaveAll messages.
l Join message
When a GARP participant expects other devices to register its attributes, it sends Join messages to other devices. When the GARP participant receives a Join message from another participant or is configured with attributes statically, it also sends Join messages to other devices for the devices to register the new attributes.
Join messages are classified into JoinEmpty messages and JoinIn messages. The difference between the two types of messages is:
– JoinEmpty: declares an unregistered attribute.
– JoinIn: declares a registered attribute.
l Leave message
When a GARP participant expects other devices to deregister its attributes, it sends Leave messages to other devices. When the GARP participant receives a Leave message from another participant or some of its attributes are deregistered statically, it also sends Leave messages to other devices.
Leave messages are classified into LeaveEmpty messages and LeaveIn messages. The difference between the two types of messages is:
– LeaveEmpty: deregisters an unregistered attribute.
– LeaveIn: deregisters a registered attribute.
l LeaveAll message
When a participant starts, it starts the LeaveAll timer. When the LeaveAll timer expires, the participant sends LeaveAll messages to other devices.
A participant sends LeaveAll messages to deregister all attributes so that other participants can re-register attributes of the local participant. LeaveAll messages are used to periodically delete useless attributes on the network. For example, an attribute of a participant is deleted but the participant does not send Leave messages to request other participants to deregister the attribute because of a sudden power failure. Then this attribute becomes useless.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
145
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 5 GVRP Configuration
GARP Timers
The GARP protocol defines four timers: l Join timer
The Join timer controls sending of Join messages including JoinIn messages and JoinEmpty messages.
After sending the first Join message, a participant starts the Join timer. If the participant receives a JoinIn message before the Join timer expires, it does not send the second Join message. If the participant does not receive any JoinIn message, it sends the second Join message when the Join timer expires. This ensures that the Join message can be sent to other participants. Each port maintains an independent Join timer.
l Hold timer
The Hold timer controls sending of Join messages (JoinIn messages and JoinEmpty messages) and Leave messages (LeaveIn messages and LeaveEmpty messages).
After a participant is configured with an attribute or receives a message, it does not send the message to other participants before the Hold timer expires. The participant encapsulates messages received within the hold time into a minimum number of packets, reducing the packets sent to other participants. If the participant does not use the Hold timer but forwards a message immediately after receiving one, a large number of packets are transmitted on the network. This makes the network unstable and wastes data fields of packets.
Each port maintains an independent Hold timer. The Hold timer value must be equal to or smaller than half of the Join timer value.
l Leave timer
The Leave timer controls attribute deregistration.
A participant starts the Leave timer after receiving a Leave or LeaveAll message. If the participant does not receive any Join message of the corresponding attribute before the
Leave timer expires, the participant deregisters the attribute.
A participant sends a Leave message if one of its attributes is deleted, but this attribute may still exist on other participants. Therefore, the participant receiving the Leave message cannot deregister the attribute immediately and needs to wait for messages from other participants.
For example, an attribute has two sources on the network: participant A and participant B.
Other participants register the attribute through GARP. If the attribute is deleted from participant A, participant A sends a Leave message to other participants. After receiving the Leave message, participant B sends a Join message to other participants because the attribute still exists on participant B. After receiving the Join message from participant B, other participants retain the attribute. Other participants deregister the attribute only if they do not receive any Join message of the attribute within a period longer than two times the
Join timer value. Therefore, the Leave timer value must be greater than two times the Join timer value.
Each port maintains an independent Leave timer.
l LeaveAll timer
When a GARP participant starts, it starts the LeaveAll timer. When the LeaveAll timer expires, the participant sends a LeaveAll message and restarts the LeaveAll timer.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
146
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 5 GVRP Configuration
After receiving a LeaveAll message, a participant restarts all GARP timers. The participant sends another LeaveAll message when its LeaveAll timer expires. This reduces LeaveAll messages sent in a period of time.
If LeaveAll timers of multiple devices expire at the same time, they send LeaveAll messages at the same time, which causes unnecessary LeaveAll messages. To solve this problem, each device uses a random value between the LeaveAll timer value and 1.5 times the
LeaveAll timer value as its LeaveAll timer value. When a LeaveAll event occurs, all attributes on the entire network are deregistered. The LeaveAll event affects the entire network; therefore, you need to set the LeaveAll timer to a proper value, at least greater than the Leave timer value.
Each device maintains a global LeaveAll timer.
Registration Modes
A manually configured VLAN is a static VLAN, and a VLAN created through GVRP is a dynamic VLAN. GVRP provides three registration modes. Static VLANs and dynamic VLANs are processed differently in each registration mode as follows: l Normal mode: Dynamic VLANs can be registered on a port, and the port can send declarations of static VLANs and dynamic VLANs.
l Fixed mode: Dynamic VLANs cannot be registered on a port, and the port can send only declarations of static VLANs.
l Forbidden mode: Dynamic VLANs cannot be registered on a port. All VLANs except
VLAN 1 are deleted from the port, and the port can send only the declaration of VLAN 1.
5.2.2 Packet Structure
GARP packets are encapsulated in the IEEE 802.3 Ethernet format, as shown in Figure 5-4 .
Figure 5-4 GARP packet structure
1
DA SA length DSAP SSAP Ctrl
3
PDU
Protocol ID Message 1 … Message N End Mark
N
1 2
Attribute Type Attribute List
N
1 N
Attribute 1 … Attribute N End Mark
1 2 3
Attribute Length Attribute Event Attribute Value
N
Ethernet Frame
GARP PDU structure
Message structure
Attribute List structure
Attribute structure
Issue 01 (2014-11-30)
The following table describes the fields in a GARP packet.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
147
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 5 GVRP Configuration
Field
Protocol ID
Message
Attribute Type
Attribute List
Attribute
Attribute Length
Attribute Event
Attribute Value
End Mark
Description
Indicates the protocol ID.
Indicates the messages in the packet. Each message consists of the Attribute Type and Attribute list fields.
-
Value
The value is 1.
Indicates the type of an attribute, which is defined by the GARP application.
Indicates the attribute list of a message, which consists of multiple attributes.
Indicates an attribute, which consists of the Attribute
Length, Attribute Event, and
Attribute Value fields.
Indicates the length of an attribute.
Indicates the event that an attribute describes.
-
-
The value is 0x01 for GVRP, indicating that the attribute value is a VLAN ID
Indicates the value of an attribute.
Indicates the end of a GARP
PDU.
The value ranges from 2 to
255, in bytes.
The value can be: l 0: LeaveAll Event l 1: JoinEmpty Event l 2: JoinIn Event l 3: LeaveEmpty Event l 4: LeaveIn Event l 5: Empty Event
The value is a VLAN ID for
GVRP. This field is invalid in a LeaveAll attribute.
The value is 0x00.
5.2.3 Working Procedure
This section describes the working procedure of GVRP by using an example. This example illustrates how a VLAN attribute is registered and deregistered on a network in four phases.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
148
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
One-Way Registration
Figure 5-5 One-way registration of a VLAN attribute
RouterA
Static vlan 2
Port 1 JoinEmpty
Port 4
RouterC
JoinEmpty
Port 2
RouterB
Port 3
5 GVRP Configuration
Static VLAN 2 is created on RouterA. Ports on RouterB and RouterC can join VLAN 2 automatically through one-way registration. The process is as follows:
1.
After VLAN 2 is created on RouterA, Port 1 of RouterA starts the Join timer and Hold timer. When the Hold timer expires, Port 1 sends the first JoinEmpty message to RouterB.
When the Join timer expires, Port 1 restarts the Hold timer. When the Hold timer expires again, Port 1 sends the second JoinEmpty message.
2.
After Port 2 of RouterB receives the first JoinEmpty message, RouterB creates dynamic
VLAN 2 and adds Port 2 to VLAN 2. In addition, RouterB requests Port 3 to start the Join timer and Hold timer. When the Hold timer expires, Port 3 sends the first JoinEmpty message to RouterC. When the Join timer expires, Port 3 restarts the Hold timer. When the
Hold timer expires again, Port 3 sends the second JoinEmpty message. After Port 2 receives the second JoinEmpty message, RouterB does not take any action because Port 2 has been added to VLAN 2.
3.
After Port 4 of RouterC receives the first JoinEmpty message, RouterC creates dynamic
VLAN 2 and adds Port 4 to VLAN 2. After Port 4 receives the second JoinEmpty message,
RouterC does not take any action because Port 4 has been added to VLAN 2.
4.
Every time the LeaveAll timer expires or a LeaveAll message is received, each router restarts the LeaveAll timer, Join timer, Hold timer, and Leave timer. Then Port 1 repeats step 1 to send JoinEmpty messages. Port 3 of RouterB sends JoinEmpty messages to
RouterC in the same way.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
149
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Two-Way Registration
Figure 5-6 Two-way registration of a VLAN attribute
RouterA RouterC
Port 1
Static vlan 2 Static vlan 2
Port 4
JoinEmpty
JoinIn
JoinIn
JoinEmpty
JoinIn
Port 2
JoinIn
Port 3
RouterB
5 GVRP Configuration
After one-way registration is complete, Port 1, Port 2, and Port 4 are added to VLAN 2 but Port
3 is not added to VLAN 2 because only ports receiving a JoinEmpty or JoinIn message can be added to dynamic VLANs. To transmit traffic of VLAN 2 in both directions, VLAN registration from RouterC to RouterA is required. The process is as follows:
1.
After one-way registration is complete, static VLAN 2 is created on RouterC (the dynamic
VLAN is replaced by the static VLAN). Port 4 of RouterC starts the Join timer and Hold timer. When the Hold timer expires, Port 4 sends the first JoinIn message (because it has registered VLAN 2) to RouterB. When the Join timer expires, Port 4 restarts the Hold timer.
When the Hold timer expires, Port 4 sends the second JoinIn message.
2.
After Port 3 of RouterB receives the first JoinIn message, RouterB adds Port 3 to VLAN
2 and requests Port 2 to start the Join timer and Hold timer. When the Hold timer expires,
Port 2 sends the first JoinIn message to RouterA. When the Join timer expires, Port 2 restarts the Hold timer. When the Hold timer expires again, Port 2 sends the second JoinIn message.
After Port 3 receives the second JoinIn message, RouterB does not take any action because
Port 3 has been added to VLAN 2.
3.
When RouterA receives the JoinIn message, it stops sending JoinEmpty messages to
RouterB. Every time the LeaveAll timer expires or a LeaveAll message is received, each router restarts the LeaveAll timer, Join timer, Hold timer, and Leave timer. Port 1 of
RouterA sends a JoinIn message to RouterB when the Hold timer expires.
4.
RouterB sends a JoinIn message to RouterC.
5.
After receiving the JoinIn message, RouterC does not create dynamic VLAN 2 because static VLAN 2 has been created.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
150
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
One-Way Deregistration
Figure 5-7 One-way deregistration of a VLAN attribute
RouterA
Static vlan 2
LeaveEmpty
Port 4
RouterC
Port 1
Port 2 Port 3
LeaveIn
RouterB
5 GVRP Configuration
When VLAN 2 is not required on the routers, the routers can deregister VLAN 2. The process is as follows:
1.
After static VLAN 2 is manually deleted from RouterA, Port 1 of RouterA starts the Hold timer. When the Hold timer expires, Port 1 sends a LeaveEmpty message to RouterB. Port
1 needs to send only one LeaveEmpty message.
2.
After Port 2 of RouterB receives the LeaveEmpty message, it starts the Leave timer. When the Leave timer expires, Port 2 deregisters VLAN 2. Then Port 2 is deleted from VLAN 2, but VLAN 2 is not deleted from RouterB because Port 3 is still in VLAN 2. At this time,
RouterB requests Port 3 to start the Hold timer and Leave timer. When the Hold timer expires, Port 3 sends a LeaveIn message to RouterC. Static VLAN 2 is not deleted from
RouterC; therefore, Port 3 can receive the JoinIn message sent from Port 4 after the Leave timer expires. In this case, RouterA and RouterB can still learn dynamic VLAN 2.
3.
After RouterC receives the LeaveIn message, Port 4 is not deleted from VLAN 2 because
VLAN 2 is a static VLAN on RouterC.
Two-Way Deregistration
Figure 5-8 Two-way deregistration of a VLAN attribute
RouterA
Port 1
LeaveEmpty
LeaveEmpty
Port 4
RouterC
LeaveEmpty
Port 2
LeaveIn
Port 3
RouterB
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
151
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 5 GVRP Configuration
To delete VLAN 2 from all the routers, two-way deregistration is required. The process is as follows:
1.
After static VLAN 2 is manually deleted from RouterC, Port 4 of RouterC starts the Hold timer. When the Hold timer expires, Port 4 sends a LeaveEmpty message to RouterB.
2.
After Port 3 of RouterB receives the LeaveEmpty message, it starts the Leave timer. When the Leave timer expires, Port 3 deregisters VLAN 2. Then Port 3 is deleted from dynamic
VLAN 2, and dynamic VLAN 2 is deleted from RouterB. At this time, RouterB requests
Port 2 to start the Hold timer. When the Hold timer expires, Port 2 sends a LeaveEmpty message to RouterA.
3.
After Port 1 of RouterA receives the LeaveEmpty message, it starts the Leave timer. When the Leave timer expires, Port 1 deregisters VLAN 2. Then Port 1 is deleted from dynamic
VLAN 2, and dynamic VLAN 2 is deleted from RouterA.
5.3 Applications
This section describes the applicable scenario of GVRP.
GVRP enables routers on a network to dynamically maintain and update VLAN information.
With GVRP, you can adjust the VLAN deployment on the entire network by configuring only a few devices. You do not need to analyze the topology and manage configurations. As shown in
, GVRP is enabled on all devices. Devices are interconnected through trunk ports and each trunk port allows packets of all VLANs to pass. You simply need to configure static
VLANs 100 to 1000 on RouterA and RouterC. Then the other devices can learn VLANs 100 to
1000 through GVRP.
Figure 5-9 Typical application of GVRP
RouterB
RouterA
VLAN 100~1000
RouterC
VLAN 100~1000
5.4 Default Configuration
This section describes default GVRP settings that can be changed in actual applications.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
152
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 5 GVRP Configuration
Parameter
GVRP function
Registration mode of the GVRP interface
LeaveAll timer
Hold timer
Join timer
Leave timer
Default Setting
The GVRP function is disabled globally and on interfaces.
normal
1000 centiseconds
40 centiseconds
80 centiseconds
240 centiseconds
5.5 Configuring GVRP
This section describes how to configure the GVRP function.
5.5.1 Enabling GVRP
Context
Before enabling GVRP on an interface, you must enable GVRP globally. GVRP can be enabled only on trunk interfaces. You must perform related configurations to ensure that all dynamically registered VLANs can pass the trunk interfaces.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: gvrp
GVRP is enabled globally.
Step 3 Run: interface interface-type interface-number
The interface view is displayed.
Step 4 Run: port link-type trunk
The link type of the interface is set to trunk.
Step 5 Run: port trunk allow-pass vlan { { vlan-id1 [ to vlan-id2 ] }&<1-10> | all }
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
153
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 5 GVRP Configuration
The interface is added to the specified VLANs.
Step 6 Run: gvrp
GVRP is enabled on the interface.
By default, GVRP is disabled globally and on each interface.
NOTE
The device supports a maximum of 256 dynamic VLANs when using default GARP timers. When the recommended GARP timer settings are used, the device supports a maximum of 4094 dynamic VLANs.
----End
5.5.2 (Optional) Setting the Registration Mode for a GVRP Interface
Context
A GVRP interface supports three registration modes: l Normal: In this mode, the GVRP interface can dynamically register and deregister VLANs, and transmit dynamic VLAN registration information and static VLAN registration information.
l Fixed: In this mode, the GVRP interface is disabled from dynamically registering and deregistering VLANs and can transmit only the static VLAN registration information. If the registration mode is set to fixed for a trunk interface, the interface allows only the manually configured VLANs to pass even if it is configured to allow all the VLANs to pass.
l Forbidden: In this mode, the GVRP interface is disabled from dynamically registering and deregistering VLANs and can transmit only information about VLAN 1. If the registration mode is set to forbidden for a trunk interface, the interface allows only VLAN 1 to pass even if it is configured to allow all the VLANs to pass.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The interface view is displayed.
Step 3 Run: gvrp registration { fixed | forbidden | normal }
The registration mode is set for the interface.
By default, the registration mode of a GVRP interface is normal .
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
154
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 5 GVRP Configuration
NOTE
Before setting the registration mode for an interface, enable GVRP on the interface.
----End
5.5.3 (Optional) Setting the GARP Timers
Context
When a GARP participant is enabled, the LeaveAll timer is started. When the LeaveAll timer expires, the GARP participant sends LeaveAll messages to request other GARP participants to re-register all its attributes. Then the LeaveAll timer restarts.
Devices on a network may have different settings for the LeaveAll timer. In this case, all the devices use the smallest LeaveAll timer value on the network. When the LeaveAll timer of a device expires, the device sends LeaveAll messages to other devices. After other devices receive the LeaveAll messages, they reset their LeaveAll timers. Therefore, only the LeaveAll timer with the smallest value takes effect even if devices have different settings for the LeaveAll timer.
When using the garp timer command to set the GARP timers, pay attention to the following points: l The undo garp timer command restores the default values of GARP timers. If the default value of a timer is out of the valid range, the undo garp timer command does not take effect.
l The value range of each timer changes with the values of the other timers. If a value you set for a timer is not in the allowed range, you can change the value of the timer that determines the value range of this timer.
l To restore the default values of all the GARP timers, restore the Hold timer to the default value, and then sequentially restore the Join timer, Leave timer, and LeaveAll timer to the default values.
NOTE
It is recommended that you use the following values for the GVRP timers: l GARP Hold timer: 100 centiseconds (1 second) l GARP Join timer: 600 centiseconds (6 seconds) l GARP Leave timer: 3000 centiseconds (30 seconds) l GARP LeaveAll timer: 12000 centiseconds (2 minutes)
When more than 80 dynamic VLANs are created or more than three devices are running GVRP on the network, set the GVRP timer to be larger than or equal to the reconmmended value. Otherwise, the device
CPU is affected. When the number of dynamic VLANs or GVRP devices increases, increase lengths of the GARP timers. Otherwise, traffic may fail to be forwarded.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: garp timer leaveall timer-value
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
155
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 5 GVRP Configuration
The value of the LeaveAll timer is set.
The default value of the LeaveAll timer is 1000 centiseconds (10 seconds).
The Leave timer length on an interface is restricted by the global LeaveAll timer length. When configuring the global LeaveAll timer, ensure that all the interfaces configured with a GARP
Leave timer are working properly.
Step 3 Run: interface interface-type interface-number
The interface view is displayed.
Step 4 Run: garp timer { hold | join | leave } timer-value
The value of the Hold timer, Join timer, or Leave timer is set.
By default, the value of the Hold timer is 40 centiseconds, the value of the Join timer is 80 centiseconds, and the value of the Leave timer is 240 centiseconds.
----End
5.5.4 Checking the Configuration
Procedure l Run the display gvrp status command to view the status of global GVRP.
l Run the display gvrp statistics [ interface { interface-type interface-number [ to interfacetype interface-number ] }&<1-5> ] command to view the GVRP statistics on an interface.
l Run the display garp timer [ interface { interface-type interface-number [ to interfacetype interface-number ] }&<1-5> ] command to view the values of the GARP timers.
----End
5.6 Maintaining GVRP
This section describes how to clear the GVRP statistics.
5.6.1 Clearing GVRP Statistics
Context
Issue 01 (2014-11-30)
NOTICE
GVRP statistics cannot be restored after being cleared. Confirm your action before using this command.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
156
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 5 GVRP Configuration
Procedure
Step 1 Run the reset garp statistics [ interface { interface-type interface-number [ to interface-type interface-number ] }&<1-10> ] command in the user view to clear GARP statistics on the specified interfaces.
----End
5.7 Configuration Examples
This section provides a configuration example for GVRP.
5.7.1 Example for Configuring GVRP
Networking Requirements
As shown in Figure 5-10 , company A, a branch of company A, and company B are connected
using switches. To implement dynamic VLAN registration, enable GVRP. The branch of company A can communicate with the headquarters using RouterA and RouterB. Company B can communicate with company A using RouterB and RouterC. Interfaces connected to company A allow only the VLAN to which company B belongs to pass.
Figure 5-10 Networking diagram of GVRP configuration
Eth2/0/1
RouterB
Eth2/0/2
RouterA
Eth2/0/1
Eth2/0/1
RouterC
Company A
Eth2/0/2
Eth2/0/2
Branch of company A
Company B
Configuration Roadmap
The configuration roadmap is as follows:
1.
Enable GVRP to implement dynamic VLAN registration.
2.
Configure GVRP on all switche devices of company A and set the registration mode to normal for the interfaces to simplify configurations.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
157
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 5 GVRP Configuration
3.
Configure GVRP on all switche devices of company B and set the registration mode to fixed for the interfaces connecting to company A to allow only the VLAN to which company B belongs to pass.
Procedure
Step 1 Create VLAN 101 to VLAN 200 on RouterA.
<RouterA> system-view
[RouterA] vlan batch 101 to 200
Step 2 Configure GVRP on Router A.
# Enable GVRP globally.
[RouterA] gvrp
# Set the link type of Eth 2/0/1 and Eth 2/0/2 to trunk, and configure the interfaces to allow all
VLANs to pass through.
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type trunk
[RouterA-Ethernet2/0/1] port trunk allow-pass vlan all
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] port link-type trunk
[RouterA-Ethernet2/0/2] port trunk allow-pass vlan all
[RouterA-Ethernet2/0/2] quit
# Enable GVRP on the interfaces and set the registration modes for the interfaces.
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] gvrp
[RouterA-Ethernet2/0/1] gvrp registration normal
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] gvrp
[RouterA-Ethernet2/0/2] gvrp registration normal
[RouterA-Ethernet2/0/2] quit
The configuration of RouterB is similar to that of RouterA.
Step 3 Configure RouterC.
# Create VLAN 101 to VLAN 200.
<RouterC> system-view
[RouterC] vlan batch 101 to 200
# Enable GVRP globally.
[RouterC] gvrp
# Set the link type of Eth 2/0/1 and Eth 2/0/2 to trunk, and configure the interfaces to allow all
VLANs to pass through.
[RouterC] interface ethernet 2/0/1
[RouterC-Ethernet2/0/1] port link-type trunk
[RouterC-Ethernet2/0/1] port trunk allow-pass vlan all
[RouterC-Ethernet2/0/1] quit
[RouterC] interface ethernet 2/0/2
[RouterC-Ethernet2/0/2] port link-type trunk
[RouterC-Ethernet2/0/2] port trunk allow-pass vlan all
[RouterC-Ethernet2/0/2] quit
# Enable GVRP on the interfaces and set the registration modes for the interfaces.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
158
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 5 GVRP Configuration
[RouterC] interface ethernet 2/0/1
[RouterC-Ethernet2/0/1] gvrp
[RouterC-Ethernet2/0/1] gvrp registration fixed
[RouterC-Ethernet2/0/1] quit
[RouterC] interface ethernet 2/0/2
[RouterC-Ethernet2/0/2] gvrp
[RouterC-Ethernet2/0/2] gvrp registration normal
[RouterC-Ethernet2/0/2] quit
Step 4 Verify the configuration.
After the configuration is complete, the branch of Company A can communicate with the headquarters, and users of Company A in VLAN 101 to VLAN 200 can communicate with users in Company B.
Run the display gvrp status command on RouterA to check whether GVRP is enabled globally.
The following information is displayed:
<RouterA> display gvrp status
Info: GVRP is enabled.
Run the display gvrp statistics command on RouterA to view GVRP statistics, including the
GVRP state of each interface, number of GVRP registration failures, source MAC address of the last GVRP PDU, and registration mode of each interface.
<RouterA> display gvrp statistics interface ethernet 2/0/1
GVRP statistics on port Ethernet2/0/1
GVRP status : Enabled
GVRP registrations failed : 0
GVRP last PDU origin : 0001-0001-0001
GVRP registration type : Normal
Verify the configurations of RouterB and RouterC in the same way.
----End
Configuration Files l Configuration file of RouterA
#
sysname RouterA
# vlan batch 101 to 200
#
gvrp
# interface ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
# interface ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
# return l Configuration file of RouterB
#
sysname RouterB
#
gvrp
#
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
159
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching interface ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
# interface ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
# return l Configuration file of RouterC
#
sysname RouterC
# vlan batch 101 to 200
#
gvrp
# interface ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
gvrp registration fixed
# interface ethernet2/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 4094
gvrp
# return
5 GVRP Configuration
5.8 References
This section lists references of GVRP.
The following table lists the references of this document.
Document
IEEE Std 802.1D
IEEE Std 802.1Q
Description
Information technology-Telecommunications and information exchange between systems-
Local and metropolitan area networks-
Common specifications-Media Access Control
(MAC) Bridges
IEEE Standards for Local and Metropolitan
Area Networks: Virtual Bridged Local Area
Networks
-
-
Remarks
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
160
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
6
STP/RSTP Configuration
About This Chapter
This chapter describes the concepts and configuration procedures for the Spanning Tree Protocol
(STP) and Rapid Spanning Tree Protocol (RSTP), and provides configuration examples.
This section describes definition and purpose of STP/RSTP.
This section describes how STP/RSTP works.
This section describes the typical application of STP/RSTP.
6.4 Configuration Task Summary
This section describes the STP/RSTP configuration tasks and configuration logic.
This section describes how to configure STP/RSTP.
This section describes how to view and reset STP/RSTP statistics.
This section provides several STP/RSTP configuration examples.
This section provides references for STP/RSTP.
161 Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
6.1 Introduction to STP/RSTP
This section describes definition and purpose of STP/RSTP.
Definition
Generally, redundant links are used on an Ethernet switching network to provide link backup and enhance network reliability. The use of redundant links, however, may produce loops, causing broadcast storms and making the MAC address table unstable. As a result, network communication may encounter quality deterioration or even be interrupted. The Spanning Tree
Protocol (STP) solves this problem.
STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP) defined in IEEE 802.1W, and the Multiple Spanning Tree Protocol (MSTP) defined in IEEE 802.1S.
MSTP is compatible with RSTP and STP, and RSTP is compatible with STP.
compares the STP, RSTP, and MSTP protocols.
Table 6-1 Comparison of STP, RSTP, and MSTP
Spanning
Tree
Protocol
STP
Characteristics l A loop-free tree topology is form in an STP region to prevent broadcast storms while implementing link redundancy.
l Route convergence is slow.
RSTP
MSTP
Usage Scenario
STP or RSTP is used in a scenario where all VLANs share one spanning tree. In this situation, users or services do not need to be differentiated.
l A loop-free tree topology is form in an STP region to prevent broadcast storms while implementing link redundancy.
l RSTP achieves fast network convergence.
l A loop-free tree topology is form in an MSTP region to prevent broadcast storms while implementing link redundancy.
l MSTP achieves fast network convergence.
l MSTP implements load balancing among VLANs. Traffic in different VLANs is transmitted along different paths.
MSTP is used in a scenario where traffic in different VLANs is forwarded through different spanning trees for load balancing. The spanning trees are independent of each other. In this situation, users or services are distinguished by VLANs.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
162
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Purpose
6 STP/RSTP Configuration
After a spanning tree protocol is configured on an Ethernet switching network, the protocol calculates the network topology to implement the following functions: l Loop prevention: The spanning tree protocol blocks redundant links to prevent potential loops on the network.
l Link redundancy: When an active path fails, a redundant link is activated to ensure network connectivity.
6.2 Principles
This section describes how STP/RSTP works.
6.2.1 Background
STP prevents loops on a local area network (LAN). The switching devices running STP exchange information with one another to discover loops on the network, and block certain ports to eliminate loops. With the growth in scale of LANs, STP has become an important protocol for a LAN.
Figure 6-1 Typical LAN networking
Host A port1
S1 port2
2
3
1 port1 port2
5
S2
4
Host B
Data flow
Issue 01 (2014-11-30)
On the network shown in
, the following situations may occur: l Broadcast storms cause a breakdown of the network.
If a loop exists on the network, broadcast storms may occur, leading to a breakdown of the
network. In Figure 6-1 , STP is not enabled on the switching devices. If Host A sends a
broadcast request, both S1 and S2 receive the request on port 1 and forward the request through their port 2. Then, S1 and S2 receive the request forwarded by each other on port
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
163
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
2 and forward the request through port 1. As this process repeats, resources on the entire network are exhausted, and the network finally breaks down.
l
Assume that no broadcast storm has occurred on the network shown in Figure 6-1 .
HostA sends a unicast packet to HostB. If HostB is temporarily removed from the network at this time, the MAC address entry for HostB on S1 and S2 are deleted. The unicast packet sent by HostA to HostB is received by port 1 on S1. S1 has no matching MAC address entry, so the unicast packet is forwarded to port 2. Then port 2 on S2 receives the unicast packet from port 2 on S1 and sends it out through port 1. In addition, port 1 on S2 also receives the unicast packet sent by HostA to HostB, and sends it out through port 2. As such transmissions repeat, port 1 and port 2 on S1 and S2 continuously receive unicast packets from HostA. S1 and S2 modify the MAC address entries continuously, causing the
MAC address table to flap. As a result, MAC address entries are damaged.
6.2.2 Basic Concepts
One Root Bridge
A tree topology must have a root. As defined in STP, the device that functions as the root of a tree network is called the root bridge.
There is only one root bridge on the entire STP network. The root bridge is the logical center of but is not necessarily at the physical center of the network. The root bridge changes dynamically with the network topology.
After network convergence completes, the root bridge generates and sends configuration BPDUs at specific intervals. Other devices process and forward the configuration BPDU to communicate the topology changes, ensuring a stable network topology.
Two Metrics
A spanning tree is calculated based on two metrics: ID and path cost.
l ID
IDs are classified into bridge ID (BID) and port ID (PID).
– BID
According to IEEE 802.1D, a BID is composed of a bridge priority (leftmost 16 bits) and a bridge MAC address (rightmost 48 bits).
On an STP network, the device with the smallest BID is elected as the root bridge.
– PID
A PID is composed of a port priority (leftmost 4 bits) and a port number (rightmost 12 bits).
The PID is used to select the designated port.
NOTE
The port priority affects the role of a port in a specified spanning tree instance. For details, see
6.2.4 STP Topology Calculation
.
l Path cost
The path cost is a port variable used for link selection. STP calculates path costs to select robust links and blocks redundant links, and finally trims the network into a loop-free tree topology.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
164
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
On an STP network, a port's accumulative path cost to the root bridge is the sum of the path costs of all ports between the port and the root bridge. The accumulative path cost is the root path cost.
Three Elements
Three elements are involved in pruning a ring network into a tree network: root bridge, root port, and designated port.
shows the three elements.
Figure 6-2 STP network architecture
S1 root bridge
A
PC=100;RPC=0
B
PC=100;RPC=0
B
PC=100;RPC=100
A
PC=99;RPC=199
S2
A
PC=100;RPC=100
B
PC=99;RPC=199
S3
B
PC=200;RPC=300
A
PC=200;RPC=300 S4
PC: path cost
RPC: root path cost root port designated port blocked port l Root bridge
The root bridge is the bridge with the smallest BID. The smallest BID is discovered by exchanging configuration BPDUs.
l Root port
The root port on an STP device is the port with the smallest path cost to the root bridge and is responsible for forwarding data to the root bridge. The root port is determined based on root path costs of all ports. Among all the STP ports on a device, the port with the smallest root path cost is the root port. An STP device has only one root port, and there is no root port on the root bridge.
l Designated port
Table 6-2 explains what designated bridge and designated port are.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
165
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
Table 6-2 Description of the designated bridge and designated port
Object Designated Bridge Designated Port
Device
LAN
A directly connected device that forwards configuration
BPDUs to the local device
A device that forwards configuration BPDUs to the local network segment
The designated bridge's port that forwards configuration BPDUs to the local device
The designated bridge's port that forwards configuration BPDUs to the local network segment.
As shown in Figure 6-3 , AP1 and AP2 are ports of S1; BP1 and BP2 are ports of S2; CP1
and CP2 are ports of S3.
– S1 sends configuration BPDUs to S2 through AP1, so S1 is the designated bridge for
S2, and AP1 is the designated port on S1.
– S2 and S3 are connected to the LAN. If S2 forwards configuration BPDUs to the LAN,
S2 is the designated bridge for the LAN, and BP2 is the designated port on S2.
Figure 6-3 Designated bridge and designated port
S1
AP1 AP2
BP1
BP2
S2
LAN
CP1
S3
CP2
After the root bridge, root ports, and designated ports are selected successfully, a tree topology is set up on the entire network. When the topology is stable, only the root port and designated ports forward traffic. The other ports are in the Blocking state; they only receive STP BPDUs and do not forward user traffic.
Four Comparison Principles
During role election, STP devices compare four factors, which form a BPDU priority vector
{root ID, root path cost, sender BID, PID}.
describes the port information carried in a configuration BPDU.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
166
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Table 6-3 Four important fields
Field
Root ID
Root path cost
Sender BID
PID
6 STP/RSTP Configuration
Description
Each STP network has only one root bridge.
The distance between the port sending the configuration
BPDU and the root bridge determines the path cost to the root bridge.
It is the BID of the device that sends the configuration
BPDU.
It is the PID of the port that sends the configuration
BPDU.
After a device on the STP network receives a configuration BPDU, it compares the fields listed in
with its own values. The four comparison principles are as follows:
NOTE
During STP calculation, all factors follow the rule of "the smaller the value, the higher the priority." l Smallest BID: used to select the root bridge. Devices on an STP network select the device with the smallest BID based on the root ID field in
.
l Smallest root path cost: used to select the root port on a non-root bridge. On the root bridge, the path cost of each port is 0.
l Smallest sender BID: used to select the root port among ports with the same root path cost.
The port with the smallest BID is selected as the root port in STP calculation. For example,
S2 has a smaller BID than S3 in Figure 6-2 . If the BPDUs received on port A and port B
of S4 contain the same root path cost, port B becomes the root port on S4 because the BPDU received on port B has a smaller sender BID.
l Smallest PID: used to determine which port should be blocked when multiple ports have the same root path cost. The port with the greatest PID is blocked. The PIDs are compared in the scenario shown in
. The BPDUs received on port A and port B of S1 contain the same root path cost and sender BID. Port A has a smaller PID than port B.
Therefore, port B is blocked to prevent loops.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
167
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 6-4 Scenario where PIDs need to be compared
S1
A B
6 STP/RSTP Configuration
S2 designated port blocked port
Five Port States
describes the possible states of ports on an STP device.
Table 6-4 STP port states
Port
State
Purpose
Forwardi ng
A port in Forwarding state can forward user traffic and process BPDUs.
Learning When a port is in Learning state, the device creates MAC address entries based on user traffic received on the port but does not forward user traffic through the port.
Description
Only the root port and designated port can enter the Forwarding state.
This is a transitional state, which is designed to prevent temporary loops.
Listening All ports are in Listening state before the root bridge, root port, and designated port are selected.
Blocking A port in Blocking state receives and forwards only BPDUs, and does not forward user traffic.
This is a transitional state.
This is the final state of a blocked port.
Disabled A port in Disabled state does not process BPDUs or forward user traffic.
The port is Down.
shows the state transitions of a port.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
168
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 6-5 STP state transitions of a port
2
6 STP/RSTP Configuration
2
Listening
3 5
4
Disabled or
Down
1
2
Blocking
4
Learning
4
5
2
Forwarding
1. The port is initialized or enabled.
2. The port is blocked or the link has failed.
3. The port is selected as the root or designated port.
4. The port is no longer the root or designated port.
5. The forwarding delay timer has expired.
NOTICE
By default, a Huawei network device uses the MSTP mode. After a device transitions from the
MSTP mode to the STP mode, its STP ports support only those states defined in MSTP, including
Forwarding, Learning, and Discarding. Table 6-5 describes the three port states.
Issue 01 (2014-11-30)
Table 6-5 MSTP port states
Port
State
Forwardi ng
Description
A port in Forwarding state can forward user traffic and process BPDUs.
Learning This is a transitional state. When a port is in Learning state, the device creates
MAC address entries based on user traffic received on the port but does not forward user traffic through the port.
In Learning state, the port can send and receive BPDUs, but does not forward user traffic.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
169
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
Port
State
Discardin g
Description
A port in the Discarding state can only receive BPDUs.
Issue 01 (2014-11-30)
The following parameters affect the STP port states and convergence.
l Hello Time
The Hello Time specifies the interval at which an STP device sends configuration BPDUs and Hello packets to detect link failures.
When the Hello Time is changed, the new value takes effect only after a new root bridge is elected. The new root bridge adds the new Hello Time value in BPDUs it sends to nonroot bridges. The Hello Time does not control transmission of TCN BPDUs when the network topology changes.
l Forward Delay
The Forward Delay timer specifies the length of the delay before a port state transition.
When a link fails, STP calculation is triggered and the spanning tree structure changes.
However, new configuration BPDUs cannot be immediately transmitted over the entire network. If the new root port and designated port forward data immediately, transient loops may occur. Therefore, STP defines a port state transition delay mechanism. The newly selected root port and designated port transition to the Forwarding state after two Forward
Delay intervals. In this manner, the new BPDUs can be transmitted over the network before the new root port and designated port start to forward data, preventing transient loops.
NOTE
The Forward Delay timer specifies the duration in which a port stays in Listening and Learning states.
The default value is 15 seconds. This means that the port stays in the Listening state for 15 seconds and then stays in the Learning state for another 15 seconds. The port is blocked when it is in the
Listening or Learning state, which is key to preventing transient loops.
l Max Age
The Max Age specifies the aging time of BPDUs. This parameter can be manually configured on the root bridge.
The Max Age is spread to the entire network with configuration BPDUs. After a non-root bridge receives a configuration BPDU, it compares the Message Age value with the Max
Age value in the received configuration BPDU.
– If the Message Age value is smaller than or equal to the Max Age value, the non-root bridge forwards the configuration BPDU.
– If the Message Age value is larger than the Max Age value, the configuration BPDU is aged and forwarded by the non-root bridge. When this happens, the network size is considered too large and the non-root bridge disconnects from the root bridge.
NOTE
If the configuration BPDU is sent from the root bridge, the value of Message Age is 0. Otherwise, the value of Message Age is the total time spent to transmit the BPDU from the root bridge to the local bridge, including the transmission delay. In real world situations, the Message Age value of a configuration BPDU increases by 1 each time the configuration BPDU passes through a bridge.
provides the timer values defined in IEEE 802.1D.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
170
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Table 6-6 Values of STP parameters (in centiseconds)
Parameter Default Value
Hello Time 200
Max Age
Forward Delay
2000
1500
6 STP/RSTP Configuration
Value Range
100-1000
600-4000
400-3000
6.2.3 BPDU Format
The BID, root path cost, and PID are all carried in BPDUs. There are two types of STP BPDUs: l Configuration BPDUs are heartbeat packets. STP-enabled designated ports send configuration BPDUs at Hello intervals.
l Topology Change Notification (TCN) BPDUs are sent only after a device detects a network topology change.
A BPDU is encapsulated in an Ethernet frame. Its destination MAC address is a multicast MAC address 01-80-C2-00-00-00.
Configuration BPDU
Configuration BPDUs are used most commonly.
Each bridge actively sends configuration BPDUs during initialization. After the network topology becomes stable, only the root bridge actively sends configuration BPDUs. Other bridges send configuration BPDUs only after receiving configuration BPDUs from upstream devices. A configuration BPDU is at least 35 bytes long, including the parameters such as the
BID, root path cost, and PID. A bridge processes a received configuration BPDU only when it finds that at least one of the sender BID and PID is different from that on the local receive port.
If both fields are the same as those on the receive port, the bridge drops the configuration BPDU.
In this way, the bridge does not need to process BPDUs with the same information as the local port.
A configuration BPDU is generated in one of the following scenarios: l After STP is enabled on ports of a device, the designated port on the device sends configuration BPDUs at Hello intervals.
l When the root port on a device receives a configuration BPDU, the device sends a copy of the configuration BPDU to each of its designated ports.
l When a designated port receives an inferior configuration BPDU, the designated port immediately sends its own configuration BPDU to the downstream device.
describes fields in a BPDU.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
171
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
Table 6-7 Fields in a BPDU
Field Byte s
Protocol Identifier 2
1 Protocol Version
Identifier
BPDU Type 1
Description
The value is fixed at 0.
The value is fixed at 0.
Flags
Root Identifier
Root Path Cost
Bridge Identifier
Port Identifier
Message Age
Max Age
Hello Time
Forward Delay
1
8
4
8
2
2
2
2
2
Indicates the type of a BPDU. The value is one of the following: l 0x00: configuration BPDU l 0x80: TCN BPDU
Indicates whether the network topology has changed.
l The rightmost bit is the Topology Change (TC) flag.
l The leftmost bit is the Topology Change Acknowledgment
(TCA) flag.
Indicates the BID of the current root bridge.
Indicates the accumulated path cost from a port to the root bridge.
Indicates the BID of the bridge that sends the BPDU.
Indicates the ID of the port that sends the BPDU.
Records the time that has elapsed since the original BPDU was generated on the root bridge.
If the configuration BPDU is sent from the root bridge, the value of Message Age is 0. Otherwise, the value of Message
Age is the total time spent to transmit the BPDU from the root bridge to the local bridge, including the transmission delay.
In real world situations, the Message Age value of a configuration BPDU increases by 1 each time the configuration BPDU passes through a bridge.
Indicates the aging time of a BPDU.
Indicates the interval at which BPDUs are sent.
Indicates the period during which a port stays in the Listening and Learning states.
shows the Flags field. Only the leftmost and rightmost bits are used in STP.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
172
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 6-6 Format of the Flags field
Reserved
Bit7 Bit0
6 STP/RSTP Configuration
TCA ( Topology Change
Acknowledgment flag )
TC ( Topology
Change flag )
TCN BPDU
A TCN BPDU contains only three fields: Protocol Identifier, Version, and Type, as shown in
. The Type field is four bytes long and is fixed at 0x80.
When the network topology changes, TCN BPDUs are transmitted upstream until they reach the root bridge. A TCN BPDU is generated in one of the following scenarios: l A port transitions to the Forwarding state, and the local device has at least one designated port.
l A designated port receives a TCN BPDU and sends a copy to the root bridge.
6.2.4 STP Topology Calculation
After STP is enabled on all devices on a network, all devices consider themselves the root bridge.
They only transmit and receive BPDUs and do not forward user traffic. All ports on the devices are in Listening state. Then the devices select the root bridge, root ports, and designated ports based on configuration BPDUs.
BPDU Exchange
shows the initial information exchange process. The four parameters in a pair of brackets represent the root ID (S1_MAC and S2_MAC are BIDs of the two devices), root path cost, sender BID, and PID. Configuration BPDUs are sent at Hello intervals.
Figure 6-7 Initial BPDU exchange
{S1_MAC,0,S1_MAC,A_PID}
S1
A
{S2_MAC,0,S2_MAC,B_PID}
B
S2
STP Algorithm Implementation
1.
Initialization
Because each bridge considers itself the root bridge, the BPDU sent from a port is set as follows:
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
173
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
The root ID is the BID of the local bridge, the root path cost is 0 (accumulative path cost from the port to the local bridge), the sender BID is the BID of the local bridge, and the
PID is the ID of the port that sends the BPDU.
2.
Root bridge election
During network initialization, every device considers itself the root bridge and sets the root
ID to its own BID. Then devices exchange configuration BPDUs and compare their root
IDs to find the device with the smallest BID, which finally becomes the root bridge.
3.
Root port and designated port selection
Table 6-8 describes the process of selecting the root port and designated port.
Table 6-8 Selecting the root port and designated port
Ste p
Process
1 A non-bridge device selects the port that receives the optimal configuration BPDU as the root port.
describes the process of selecting the optimal configuration BPDU.
2
3
The device generates a configuration BPDU for each port and calculates the fields in the configuration BPDU based on the configuration BPDU on the root port and path cost of the root port: l Replaces the root ID with the root ID in the configuration BPDU on the root port.
l Replaces the root path cost with the sum of the root path cost in configuration
BPDU on the root port and the path cost of the root port.
l Replaces the sender BID with the local BID.
l Replaces the PID with the local port ID.
The device compares the calculated configuration BPDU with the configuration
BPDU received on the port: l If the calculated configuration BPDU is superior, the port is selected as the designated port and periodically sends the calculated configuration BPDU.
l If the port's own configuration BPDU is superior, the configuration BPDU on the port is not updated and the port is blocked. After that, the port only receives
BPDUs, and does not forward data or send BPDUs.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
174
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
Table 6-9 Selecting the optimal configuration BPDU
Ste p
Process
1 Each port compares the received configuration BPDU with its own configuration
BPDU: l If the received configuration BPDU is inferior, the port discards the received configuration BPDU and does retain its own configuration BPDU.
l If the received configuration BPDU is superior, the port replaces its own configuration BPDU with the received one.
2 The device compares configuration BPDUs on all the ports and selects the optimal one.
Example of STP Topology Calculation
After the root bridge, root ports, and designated ports are selected successfully, a tree topology is set up on the entire network. The following example illustrates how STP calculation is implemented.
Figure 6-8 STP networking and calculated topology
DeviceA
Priority=0 DeviceA
Root
Bridge
Port A1
Port B1
P at h co st
=5
Port A2
P ath
co st=
10
STP Topology
Calculation
Port C1
Port B2
DeviceB
Priority=1
Path cost=4
Port C2
DeviceC
Priority=2
DeviceB DeviceC root port designated port blocked port
Issue 01 (2014-11-30)
As shown in Figure 6-8 , DeviceA, DeviceB, and DeviceC are deployed on the network, with
priorities 0, 1, and 2, respectively. The path costs between DeviceA and DeviceB, DeviceA and
DeviceC, and DeviceB and DeviceC are 5, 10, and 4, respectively.
1.
Initial state of each device
Table 6-10 lists the initial state of each device.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
175
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
Table 6-10 Initial state of each device
Device Port Configuration BPDU
DeviceA Port A1 {0, 0, 0, Port A1}
Port A2 {0, 0, 0, Port A2}
DeviceB Port B1
Port B2
DeviceC Port C1
{1, 0, 1, Port B1}
{1, 0, 1, Port B2}
{2, 0, 2, Port C1}
Port C2 {2, 0, 2, Port C2}
2.
Configuration comparison and result
Table 6-11 describes configuration comparison process and result.
NOTE
The fields in a configuration BPDU are {root ID, root path cost, sender BID, PID}.
Table 6-11 Topology calculation process and result
Dev ice
Comparison
Devi ceA l Port A1 receives the configuration BPDU {1,
0, 1, Port B1} from Port B1 and finds it inferior to its own configuration BPDU {0, 0, 0, Port
A1}, so Port A1 discards the received configuration BPDU.
l Port A2 receives the configuration BPDU {2,
0, 2, Port C1} from Port C1 and finds it inferior to its own configuration BPDU {0, 0, 0, Port
A2} superior, so Port A2 discards the received configuration BPDU.
l DeviceA finds that the root bridge and designated bridge specified in the configuration BPDUs on its ports are both itself. Therefore, DeviceA considers itself as the root bridge and periodically sends configuration BPDUs from each port without modifying the BPDUs.
Configuration BPDU
After Comparison l Port A1: {0, 0, 0, Port
A1} l Port A2: {0, 0, 0, Port
A2}
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
176
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
Dev ice
Devi ceB
Comparison l Port B1 receives the configuration BPDU {0,
0, 0, Port A1} from Port A1 and finds it superior to its own configuration BPDU {0, 0, 0, Port
A1}, so Port B1 updates its configuration
BPDU.
l Port B2 receives the configuration BPDU {2,
0, 2, Port C2} from Port C2 and finds it inferior to its own configuration BPDU {1, 0, 1, Port
B2}, so Port B2 discards the received configuration BPDU.
l DeviceB compares the configuration BPDU on each port and finds that Port B1 has optimal configuration BPDU. DeviceB selects Port B1 as the root port and retains the configuration
BPDU on Port B1.
l DeviceB calculates the configuration BPDU
{0, 5, 1, Port B2} for Port B2 based on the configuration BPDU and path cost of the root port, and compares the calculated configuration BPDU with the original configuration BPDU {1, 0, 1, Port B2} on Port
B2. The calculated configuration BPDU is superior to the original one, so DeviceB selects
Port B2 as the designated port, replaces its configuration BPDU with the calculated one, and periodically sends the configuration BPDU from Port B2.
Devi ceC l Port C1 receives the configuration BPDU {0,
0, 0, Port A2} from Port A2 and finds it superior to its own configuration BPDU {0, 0, 0, Port
A2}, so Port C1 updates its configuration
BPDU.
l Port C2 receives the configuration BPDU {1,
0, 1, Port B2} from Port B2 and finds it superior to its own configuration BPDU {1, 0, 1, Port
B2}, so Port C2 updates its configuration
BPDU.
Configuration BPDU
After Comparison l Port B1: {0, 0, 0, Port
A1} l Port B2: {1, 0, 1, Port
B2} l Root port (Port B1): {0,
0, 0, Port A1} l Designated port (Port
B2): {0, 5, 1, Port B2} l Port C1: {0, 0, 0, Port
A2} l Port C2: {1, 0, 1, Port
B2}
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
177
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
Dev ice
Comparison l DeviceC compares the configuration BPDU on each port and finds that the configuration
BPDU on Port C1 is optimal. DeviceC selects
Port C1 as the root port and retains the configuration BPDU on Port C1.
l DeviceC calculates the configuration BPDU
{0, 10, 2, Port C2} for Port C2 based on the configuration BPDU and path cost of the root port, and compares the calculated configuration BPDU with the original configuration BPDU {1, 0, 1, Port B2} on Port
C2. The calculated configuration BPDU is superior to the original one, so DeviceC selects
Port C2 as the designated port and replaces its configuration BPDU with the calculated one.
Configuration BPDU
After Comparison l Root port (Port C1): {0,
0, 0, Port A2} l Designated port (Port
C2): {0, 10, 2, Port C2} l Port C2 receives the configuration BPDU {0,
5, 1, Port B2} from Port B2 and finds it superior to its own configuration BPDU {0, 10, 2, Port
C2}, so Port C2 updates its configuration
BPDU.
l Port C1 receives the configuration BPDU {0,
0, 0, Port A2} from Port A2 and finds it the same as its own configuration BPDU, so Port
C1 discards the received configuration BPDU.
l Port C1: {0, 0, 0, Port
A2} l Port C2: {0, 5, 1, Port
B2} l The root path cost of Port C1 is 10 (root path cost 0 in the received configuration BPDU plus the link patch cost 10), and the root path cost of Port C2 is 9 (root path cost 5 in the received configuration BPDU plus the link patch cost 4).
DeviceC finds that Port C2 has a smaller root path cost and therefore considers the configuration BPDU of Port C2 superior to that of Port C1. DeviceC then selects Port C2 as the root port and retains its configuration BPDU.
l DeviceC calculates the configuration BPDU
{0, 9, 2, Port C1} for Port C1 based on the configuration BPDU and path cost of the root port, and finds the calculated configuration
BPDU inferior to the original configuration
BPDU {0, 0, 0, Port A2} on Port C2. DeviceC blocks Port C1 and does not update its configuration BPDU. Port C1 no longer forwards data until STP recalculation is triggered, for example, when the link between
DeviceB and DeviceC is Down.
l Blocked port (Port C1):
{0, 0, 0, Port A2} l Root port (Port C2): {0,
5, 1, Port B2}
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
178
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
After the topology becomes stable, the root bridge still sends configuration BPDUs at intervals specified by the Hello timer. Each non-root bridge forwards the received configuration BPDUs through its designated port. When a non-root bridge receives a superior configuration BPDU on a port, the non-root bridge updates the configuration BPDU on the port based on the information carried in the received configuration BPDU.
STP Topology Changes
shows the packet transmission process after an STP topology change.
Figure 6-9 Packet transmission after a topology change
Root Bridge Root Bridge
Issue 01 (2014-11-30)
T
A topology change is generated on
Point T. 1 st Step: A TCN is going up to the root.
2 nd Step:The root advertises the TC for max_age+ forward delay
1.
After the network topology changes, a downstream device continuously sends TCN BPDUs to the upstream device.
2.
The upstream device processes only the TCN BPDUs received on the designated port and drops TCN BPDUs on other ports.
3.
The upstream device sets the TCA bit of the Flags field in the configuration BPDUs to 1 and returns the configuration BPDUs to instruct the downstream device to stop sending
TCN BPDUs.
4.
The upstream device sends a copy of the TCN BPDUs toward the root bridge.
5.
Steps 1, 2, 3 and 4 are repeated until the root bridge receives the TCN BPDUs.
6.
The root bridge sets the TC bit of the Flags field in the configuration BPDUs to 1 to instruct the downstream devices to delete MAC address entries.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
179
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
NOTE l TCN BPDUs are used to inform the upstream device and root bridge of topology changes.
l Configuration BPDUs with the TCA bit set to 1 are used by the upstream device to inform the downstream device that the topology changes are known and instruct the downstream device to stop sending TCN BPDUs.
l Configuration BPDUs with the TC bit set to 1 are used by the upstream device to inform the downstream device of topology changes and instruct the downstream device to delete MAC address entries. In this manner, fast network convergence is achieved.
6.2.5 Improvements in RSTP
In 2001, IEEE 802.1w was published to introduce the Rapid Spanning Tree Protocol (RSTP), an extension of the Spanning Tree Protocol (STP). RSTP was developed based on STP and makes supplements and modifications to STP.
Disadvantages of STP
STP ensures a loop-free network but has a slow network topology convergence speed, leading to service quality deterioration. If the network topology changes frequently, connections on the
STP network are frequently torn down, causing frequent service interruption. This is unacceptable to users.
STP has the following disadvantages: l STP does not distinguish port states and port roles clearly, making it difficult for less experienced administrators to learn and deploy this protocol.
A network protocol that clearly defines and distinguishes different situations outperforms the others that fail to do so.
– Ports in the Listening, Learning, and Blocking states are the same to users because they are all prevented from forwarding service traffic.
– From the perspective of port use and configuration, the essential differences between ports lie in the port roles rather than port states.
Both root and designated ports can be in Listening state or Forwarding state, so the ports cannot be distinguished by their states.
l The STP algorithm determines topology changes after the timer expires, which slows down network convergence.
l The STP algorithm requires that the root bridge should send configuration BPDUs after the network topology becomes stable, and other devices process and spread the configuration BPDUs to the entire network. This also slows down topology convergence.
Improvements Made in RSTP
RSTP deletes three port states, defines two new port roles, and distinguishes port attributes based on port states and roles. In addition, RSTP provides enhanced features and protection measures to ensure network stability and fast convergence.
l More port roles are defined to simplify the learning and deployment of the protocol.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
180
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 6-10 Diagram of port roles
S1 root bridge
B A
6 STP/RSTP Configuration
A
S2
S1 root bridge
B A
S3
A a
A b
B
S2 S3
A a root port designated port
Alternate port
Backup port
Issue 01 (2014-11-30)
, RSTP defines four port roles: root port, designated port, alternate port, and backup port.
The functions of the root port and designated port are the same as those defined in STP.
The alternate port and backup port are described as follows:
– From the perspective of configuration BPDU transmission:
– An alternate port is blocked after learning a configuration BPDU sent by another bridge.
– A backup port is blocked after learning a configuration BPDU sent by itself.
– From the perspective of user traffic:
– An alternate port acts as a backup of the root port and provides an alternate path from the designated bridge to the root bridge.
– A backup port acts as a backup of the designated port and provides a backup path from the root bridge to the related network segment.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
181
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
After roles of all RSTP ports are determined, the topology convergence is completed.
l RSTP redefines port states.
RSTP deletes two port states defined in STP and reduces the number of port states to 3.
Depending on whether a port can forward user traffic and learn MAC addresses, the port may be in any of the following states:
– If the port does not forward user traffic or learn MAC addresses, it is in the Discarding state.
– If the port does not forward user traffic but learns MAC addresses, it is in the Learning state.
– If the port forwards user traffic and learns MAC addresses, it is in the Forwarding state.
Table 6-12 compares the port states defined in STP and RSTP.
NOTE
Port states are not necessarily related to port roles. Table 6-12
lists possible states for different port roles.
Table 6-12 Comparison between port states defined in STP and RSTP
STP Port State RSTP Port State Port Role
Forwarding
Learning
Forwarding
Learning
Root port or designated port
Root port or designated port
Listening Discarding Root port or designated port
Blocking Discarding Alternate port or backup port
Disabled Discarding Disabled port l RSTP changes the configuration BPDU format and uses the Flags field to describe port roles.
RSTP retains the basic configuration BPDU format defined in STP and makes minor changes:
– The value of the Type field is changed from 0 to 2, so devices running STP will drop the configuration BPDUs sent from devices running RSTP.
– The Flags field uses the six bits reserved in STP. This configuration BPDU is called an
RST BPDU. Figure 6-11 shows the Flags field in an RSTP BPDU.
Figure 6-11 Format of the Flags field in an RST BPDU
Bit7 Bit6 Bit5 Bit4 Bit3 Bit2 Bit1 Bit0
TCA Agreement Forwarding Learning Port role Proposal TC
Topology Change
Acknowledgment flag
Topology
Change flag
Port role = 00 Unknown
01 Root port
10 Alternate/Backup port
11 Designated port
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
182
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration l Configuration BPDUs are processed in a different way.
– Configuration BPDU transmission
In STP, the root bridge sends configuration BPDUs at Hello intervals after the topology becomes stable. Non-root bridges send configuration BPDUs only after they receive configuration BPDUs from upstream devices. This complicates the STP calculation and slows down network convergence. RSTP allows non-root bridges to send configuration
BPDUs at Hello time intervals after the topology becomes stable, regardless of whether they have received configuration BPDUs from the root bridge.
– BPDU timeout period
In STP, a device has to wait a Max Age period before determining a negotiation failure.
In RSTP, a device determines that the negotiation with the upstream device has failed if the corresponding port does not receive any configuration BPDUs sent from the upstream device for three consecutive Hello intervals.
– Processing of inferior BPDUs
When an RSTP port receives an RST BPDU from the upstream designated bridge, the port compares the received RST BPDU with its own RST BPDU.
If its own RST BPDU is superior to the received one, the port discards the received RST
BPDU and immediately responds to the upstream device with its own RST BPDU. After receiving the RST BPDU, the upstream device updates its own RST BPDU based on the corresponding fields in the received RST BPDU.
In this manner, RSTP processes inferior BPDUs more rapidly, independent of any timer that is used in STP.
l Rapid convergence
– Proposal/agreement mechanism
In STP, a port that is selected as a designated port needs to wait at least one Forward
Delay interval (Learning state) before it enters the Forwarding state. In RSTP, the port enters the Discarding state, and then the proposal/agreement mechanism allows the port to immediately enter the Forwarding state. The proposal/agreement mechanism must be applied on P2P links in full-duplex mode.
For details, see
.
– Fast switchover of the root port
If a root port fails, the best alternate port becomes the root port and enters Forwarding state. This is because the network segment connected to this alternate port has a designated port connected to the root bridge.
When the port role changes, the network topology changes accordingly. For details, see
6.2.6 RSTP Technology Details .
– Edge ports
In RSTP, a designated port on the network edge is called an edge port. An edge port directly connects to a terminal and does not connect to any other switching devices.
An edge port cannot receive or process configuration BPDUs and does not participate in RSTP calculation. This port can transition from Disable to Forwarding state immediately without a delay, just like an STP-incapable port. An edge port becomes a common STP port once it receives a configuration BPDU. The spanning tree needs to be recalculated, causing network flapping.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
183
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration l Protection functions
Table 6-13 describes protection functions provided by RSTP.
Table 6-13 Protection functions
Protectio n
Function
Scenario
BPDU protection
On a switching device, ports directly connected to a user terminal such as a PC or file server are edge ports.
Usually, no RST BPDUs are sent to edge ports. If a switching device receives bogus RST BPDUs on an edge port, the switching device automatically sets the edge port to a non-edge port and performs STP calculation again. This causes network flapping.
Principle
BPDU protection enables a switching device to set the state of an edge port to error-down if the edge port receives an
RST BPDU. In this case, the port remains the edge port, and the switching device sends a notification to the NMS.
Root protection
The root bridge on a network may receive superior RST
BPDUs due to incorrect configurations or malicious attacks. When this occurs, the root bridge can no longer serve as the root bridge, causing an incorrect change of the network topology. As a result, traffic may be switched from high-speed links to low-speed links, leading to network congestion.
If root protection is enabled on a designated port, the port role cannot be changed. When the designated port receives a superior RST BPDU, the port enters the Discarding state and does not forward packets. If the port does not receive any superior RST BPDUs within a period (generally two Forward Delay periods), the port automatically enters the
Forwarding state.
NOTE
Root protection takes effect only on designated ports.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
184
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
Protectio n
Function
Loop protection
Scenario
On an RSTP network, a switching device maintains the states of the root port and blocked ports based on RST
BPDUs received from the upstream switching device.
If the ports cannot receive
RST BPDUs from the upstream switching device because of link congestion or unidirectional link failures, the switching device re-selects a root port. Then, the previous root port becomes a designated port and the blocked ports change to the
Forwarding state. As a result, loops may occur on the network.
Principle
Loop protection can be enabled on the root and alternate port of a switching device. If the root port or alternate port does not receive any RST BPDUs from the upstream switching device for a specific period of time, the switching device can send a notification to the NMS. (The root port enters the Discarding state in this case.) The blocked port remains in the
Blocking state and does not forward packets, preventing loops on the network.
The root port or alternate port restores the
Forwarding state after receiving new RST
BPDUs.
NOTE
Loop protection takes effect only on the root port and alternate ports.
TC
BPDU attack defense
A switching device deletes its
MAC address entries and ARP entries after receiving TC
BPDUs. If an attacker sends a large number of bogus TC
BPDUs to the switching device in a short time, the device frequently deletes
MAC address entries and ARP entries. This increases the load of the switching device and threatens network stability.
After enabling TC BPDU attack defense on a switching device, you can set the number of times the device processes TC
BPDUs within a given time. If the number of TC BPDUs that the switching device receives within the given time exceeds the specified threshold, the switching device processes only the specified number of TC
BPDUs. Excess TC BPDUs are processed by the switching device as a whole after the specified period expires. This function prevents the switching device from frequently deleting its MAC address entries and ARP entries.
6.2.6 RSTP Technology Details
The Proposal/Agreement mechanism enables a designated port to enter the Forwarding state
quickly. As shown in Figure 6-12 , root bridge S1 establishes a link with S2. On S2, p2 is an
alternate port; p3 is a designated port and is in the Forwarding state; p4 is an edge port.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
185
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 6-12 Proposal/Agreement negotiation process
S1
3 Agreement p0
1 Proposal
6 STP/RSTP Configuration p1
S2 p2 p3
E p4
2 sync
(Leaves the port state unchanged)
2 sync
(Blocks the port)
2 sync
(leaves the port state unchanged)
Designated port
Alternate port
E Edge port
Issue 01 (2014-11-30)
The Proposal/Agreement mechanism works as follows:
1.
p0 and p1 become designated ports and send RST BPDUs to each other.
2.
The RST BPDU sent from p0 is superior to that of p1, so p1 becomes a root port and stops sending RST BPDUs.
3.
p0 enters the Discarding state and sets the Proposal field in its RST BPDU to 1.
4.
After S2 receives an RST BPDU with the Proposal field set to 1, it sets the sync variable to 1 for all its ports.
5.
As p2 has been blocked, its state remains unchanged. p4 is an edge port and does not participate in calculation. Therefore, only the non-edge designated port p3 needs to be blocked.
6.
After p2, p3, and p4 enter the Discarding state, their synced variable is set to 1. The synced variable of the root port p1 is also set to 1, and p1 sends an RST BPDU with the Agreement field set to S1. This RST BPDU carries the same information as the one sent from the root bridge S1, except that the Agreement field is set to 1 and the Proposal field is set to 0.
7.
After S1 receives this RST BPDU, it identifies that the RST BPDU is sent in response to the proposal that it has sent. Then p0 immediately enters the Forwarding state.
The proposal/agreement process can proceed to downstream devices.
STP can select designated ports quickly; however, to prevent loops, all ports must wait at least one Forward Delay interval before starting data forwarding. RSTP blocks non-root ports to prevent loops and uses the proposal/agreement mechanism to shorten the time that an upstream port waits before transitioning to the Forwarding state.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
186
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
NOTE
The proposal/agreement mechanism applies only to P2P full-duplex links between two switching devices.
When proposal/agreement fails, a designated port is elected after two Forward Delay intervals, the same as designated port election in STP mode.
RSTP Topology Changes
RSTP considers that the network topology has changed when a non-edge port transitions to the
Forwarding state.
When detecting a topology change, RSTP devices react as follows: l The local device starts a TC While timer on each non-edge designated port. The TC While timer value is two times the Hello timer value.
Within the TC While time, the local device clears MAC address entries learned on ports whose states have changed.
At the same time, these ports send out RST BPDUs with the TC bit set to 1. When the TC
While timer expires, the ports stop sending RST BPDUs.
l When other switching devices receive RST BPDUs, they clear MAC address entries learned on all their ports except the ports that receive the RST BPDUs. These switching devices also start a TC While timer on each non-edge designated port and repeat the preceding process.
RST BPDUs are then flooded on the entire network.
Interoperability with STP
RSTP can interoperate with STP, but its advantages such as fast convergence are lost when it interoperates with STP.
On a network has both STP-capable and RSTP-capable devices, STP-capable devices drop RST
BPDUs. If a port on an RSTP-capable device receives a configuration BPDU from an STPcapable device, the port switches to the STP mode and starts to send configuration BPDUs after two Hello intervals. In this manner, RSTP and STP are interoperable.
After STP-capable devices are removed, Huawei RSTP-capable devices can switch back to the
RSTP mode.
6.3 Application
This section describes the typical application of STP/RSTP.
STP Application
Loops often occur on a complex network, because multiple physical links are often deployed between two devices to implement link redundancy (one as the primary link and the others as backup links). Loops may cause broadcast storms and damage MAC address entries on network devices.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
187
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 6-13 Typical STP application
Network
PE1 Root
Bridge
PE2
STP
CE1 CE2
6 STP/RSTP Configuration
PC1 PC2
Blocked port
As shown in Figure 6-13 , STP is deployed on the devices. The devices exchange information
to discover loops on the network and block a port to trim the ring topology into a loop-free tree topology. The tree topology prevents infinite looping of packets on the network and ensures packet processing capabilities of the devices.
6.4 Configuration Task Summary
This section describes the STP/RSTP configuration tasks and configuration logic.
Table 6-14 summarizes STP/RSTP configuration tasks.
Table 6-14 STP/RSTP configuration task summary
Scenario Description
Configuring basic STP/
RSTP functions
Configure STP/RSTP on switching devices on a network to trim the network into a tree topology free from loops.
Task
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
188
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
Scenario
Setting STP parameters that affect STP convergence
Setting RSTP parameters that affect RSTP convergence
Configuring RSTP protection functions
Setting parameters for interoperation between
Huawei and non-Huawei devices
Description
STP cannot implement rapid convergence. However, you can set STP parameters, including the network diameter, timeout interval,
Hello timer value, Max Age timer value, and Forward
Delay timer value to speed up convergence.
RSTP supports link type and fast transition configuration on ports to implement rapid convergence.
You can configure one or more functions RSTP protection functions on a
Huawei device.
To implement interoperation between a Huawei device and a non-Huawei device, select the fast transition mode based on the Proposal/Agreement mechanism of the non-
Huawei device.
Task
6.6.5 Setting Parameters for Interoperation Between
6.5 Default Configuration
This section provides the default STP/RSTP configuration. You can change the configuration based on your needs.
Parameter
Working mode
STP/RSTP status
Switching device priority
Port priority
Algorithm used to calculate the default path cost
Forward Delay
Hello Time
Default Setting
MSTP
Enabled globally and on an interface
32768
128 dot1t, IEEE 802.1t
1500 centiseconds
200 centiseconds
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
189
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
Parameter
Max Age
Default Setting
2000 centiseconds
6.6 Configuring STP/RSTP
This section describes how to configure STP/RSTP.
6.6.1 Configuring Basic STP/RSTP Functions
You can configure STP/RSTP on an Ethernet network to trim the network into a loop-free tree topology.
6.6.1.1 Configuring the STP/RSTP Mode
Context
A switching device supports three working modes: STP, RSTP, and MSTP. Use the STP mode on a ring network running only STP, and use the RSTP mode on a ring network running only
RSTP. In other scenarios, the default MSTP mode is recommended.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp mode { stp | rstp }
The working mode of the switching device is set to STP or RSTP.
By default, the working mode of a switching device is MSTP. MSTP is compatible with STP and RSTP.
----End
6.6.1.2 (Optional) Configuring the Root Bridge and Secondary Root Bridge
Context
The root bridge of a spanning tree is automatically calculated. You can also manually specify a root bridge or secondary root bridge.
l A spanning tree can have only one effective root bridge. When two or more devices are specified as root bridges for a spanning tree, the device with the smallest MAC address is used as the root bridge.
l You can specify multiple secondary root bridges for each spanning tree. When the root bridge fails or is powered off, a secondary root bridge becomes the new root bridge. If a
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
190
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration new root bridge is specified, the secondary root bridge will not become the root bridge. If there are multiple secondary root bridges, the one with smallest MAC address becomes the root bridge of the spanning tree.
NOTE
It is recommended that you specify the root bridge and secondary root bridge when configuring STP/RSTP.
Procedure l Perform the following operations on the device you want to use as the root bridge.
1.
Run: system-view
The system view is displayed.
2.
Run: stp root primary
The device is configured as the root bridge.
By default, a switching device does not function as the root bridge. After you run this command, the priority value of the device is set to 0 and cannot be changed.
l Perform the following operations on the device you want to use as the secondary root bridge.
1.
Run: system-view
The system view is displayed.
2.
Run: stp root secondary
The device is configured as the secondary root bridge.
By default, a switching device does not function as the secondary root bridge. After you run this command, the priority value of the device is set to 4096 and cannot be changed.
----End
6.6.1.3 (Optional) Setting a Priority for a Switching Device
Context
An STP/RSTP network can have only one root bridge, which is the logical center of the spanning tree. The root bridge should be a high-performance switching device deployed at a high network layer; however, such a device may not have the highest priority on the network. Therefore; you need to set a high priority for such a device to ensure that it can be selected as the root bridge.
Because low-performance devices at lower network layers are not suitable as the root bridge, set low priorities for these devices.
A smaller priority value indicates a higher priority of the switching device. The switching device with a higher priority is more likely to be elected as the root bridge. The switching device with a lower priority is less likely to be elected as the root bridge.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
191
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp priority priority
A priority is set for the switching device.
The default priority value of a switching device is 32768.
NOTE
If the stp root primary or stp root secondary command has been executed to configure the device as the root bridge or secondary root bridge, run the undo stp root command to disable the root bridge or secondary root bridge function and then run the stp priority priority command to set a priority.
----End
6.6.1.4 (Optional) Setting a Path Cost for a Port
Context
Path cost is the reference value used for link selection on an STP/RSTP network.
The path cost value range is determined by the calculation method. After the calculation method is determined, it is recommended that you set smaller path cost values for the ports with higher link rates.
In the Huawei calculation method, the link rate determines the recommended value for the path cost.
lists the recommended path costs for ports with different link rates.
Table 6-15 Mappings between link rates and path cost values
Link Rate
10 Mbit/s
Recommended
Path Cost
2000
Recommended
Path Cost Range
200 to 20000
100 Mbit/s
1 Gbit/s
10 Gbit/s
Over 10 Gbit/s
200
20
2
1
20 to 2000
2 to 200
2 to 20
1 to 2
Allowable Path
Cost Range
1 to 200000
1 to 200000
1 to 200000
1 to 200000
1 to 200000
Issue 01 (2014-11-30)
If a network has loops, it is recommended that you set a large path cost for ports with low link rates. STP/RSTP then blocks these ports.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
192
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 (Optional) Run: stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is specified.
By default, the IEEE 802.1t standard ( dot1t ) is used to calculate the path costs.
All switching devices on a network must use the same path cost calculation method.
Step 3 Run: interface interface-type interface-number
The view of an interface participating in STP calculation is displayed.
Step 4 Run: stp cost cost
A path cost is set for the interface.
l When the Huawei calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
----End
6.6.1.5 (Optional) Setting a Priority for a Port
Context
In spanning tree calculation, priorities of the ports in a ring affect designated port election.
To block a port on a switching device, set a greater priority value than the default priority value for the port.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The view of an interface participating in STP calculation is displayed.
Step 3 Run: stp port priority priority
A priority is set for the interface.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
193
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
The default priority value of a port on a switching device is 128.
----End
6.6.1.6 Enabling STP/RSTP
Context
6 STP/RSTP Configuration
NOTICE
After STP/RSTP is enabled on a ring network, spanning tree calculation starts immediately on the network. Configurations on a switching device, such as the device priority and port priority, affect spanning tree calculation. Any change to the configurations may cause network flapping.
To ensure rapid, stable spanning tree calculation, perform basic configuration on the switching device and its ports before enabling STP/RSTP.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp enable
STP/RSTP is enabled on the switching device.
By default, STP/RSTP is enabled on a industrial switch router.
----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths for associated VLANs are changed. Switching devices need to update the ARP entries corresponding to those VLANs.
Depending on how switching devices process ARP entries, STP/RSTP convergence mode can be fast or normal.
l In fast mode, ARP entries to be updated are directly deleted.
l In normal mode, ARP entries to be updated are rapidly aged.
The remaining lifetime of ARP entries to be updated is set to 0 to immediately age the ARP entries out. If the number of ARP aging probes is greater than 0, the switching device performs aging probe for these ARP entries.
Run the stp converge { fast | normal } command in the system view to configure the STP/RSTP convergence mode.
By default, the normal STP/RSTP convergence mode is used.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
194
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
NOTE
The normal mode is recommended. If the fast mode is used, ARP entries will be frequently deleted, causing a high CPU usage (even 100%). As a result, network flapping will frequently occur.
6.6.1.7 Checking the Configuration
Procedure l Run the display stp [ interface interface-type interface-number ] [ brief ] command to view the spanning tree status and statistics.
----End
6.6.2 Setting STP Parameters that Affect STP Convergence
STP cannot implement rapid convergence. However, STP parameters including the network diameter, timeout interval, Hello timer value, Max Age timer value, and Forward Delay timer value can affect the STP convergence speed.
Pre-configuration Tasks
Before setting STP parameters that affect STP convergence, configure basic STP functions.
6.6.2.1 Setting the STP Network Diameter
Context
Any two terminals on a switching network are connected through a specific path along multiple devices. The network diameter is the maximum number of devices between any two terminals.
A larger network diameter indicates a larger network scale.
An improper network diameter may cause slow network convergence and affect communication.
Run the stp bridge-diameter command to set an appropriate network diameter based on the network scale, which helps speed up convergence.
It is recommended that all devices be configured with the same network diameter.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp bridge-diameter diameter
The network diameter is configured.
By default, the network diameter is 7.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
195
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
NOTE l RSTP uses a single spanning tree instance on the entire network. As a result, performance deterioration cannot be prevented when the network scale grows. Therefore, the network diameter cannot be larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the network diameter. Then, the switching device calculates the optimal Forward Delay timer value, Hello timer value, and Max Age timer value based on the configured network diameter.
----End
6.6.2.2 Setting the STP Timeout Interval
Context
If a device does not receive any BPDUs from the upstream device within the timeout interval, the device considers the upstream device to have failed and recalculates the spanning tree.
Sometimes, a device cannot receive the BPDU from the upstream device within the timeout interval because the upstream device is busy. In this case, recalculating the spanning tree will cause a waste of network resources. To avoid wasting network resources, set a long timeout interval on a stable network.
If a switching device does not receive any BPDUs from the upstream device within the timeout interval, spanning tree recalculation is performed. The timeout interval is calculated as follows:
Timeout interval = Hello time x 3 x Timer Factor
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp timer-factor factor
The Timer Factor value is set. This parameter determines the timeout interval during which the device waits for BPDUs from the upstream device.
By default, the timeout period is 9 times the Hello timer value.
----End
6.6.2.3 Setting the STP Timers
Context
The following timers are used in spanning tree calculation: l Forward Delay: specifies the delay before a state transition. After the topology of a ring network changes, it takes some time to spread the new configuration BPDU throughout the entire network. As a result, the original blocked port may be unblocked before a new port is blocked. When this occurs, a loop exists on the network. You can set the Forward Delay
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
196
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration timer to prevent loops. When the topology changes, all ports will be temporarily blocked during the Forward Delay.
l Hello Time: specifies the interval at which hello packets are sent. A switching device sends configuration BPDUs at the specified interval to detect link failures. If the switching device does not receive any BPDUs within an interval of Hello Time, the switching device recalculates the spanning tree.
l Max Age: determines whether BPDUs expire. A switching device determines that a received configuration BPDU times out when the Max Age expires.
Devices on a ring network must use the same values of Forward Delay, Hello Time, and Max
Age.
You are not advised to directly change the preceding three timers. The three parameters are relevant to the network scale; therefore, it is recommended that you set the network diameter so that the spanning tree protocol automatically adjusts these timers. When the default network diameter is used, the three timers also retain their default values.
NOTICE
To prevent frequent network flapping, make sure that the Hello Time, Forward Delay, and Max
Age timer values conform to the following formulas: l 2 x (Forward Delay - 1.0 second) >= Max Age l Max Age >= 2 x (Hello Time + 1.0 second)
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Set the Forward Delay, Hello Time, and Max Age timers.
1.
Run: stp timer forward-delay forward-delay
The Forward Delay timer is set for the switching device.
By default, the Forward Delay timer is 1500 centiseconds.
2.
Run: stp timer hello hello-time
The Hello Time is set for the switching device.
By default, the Hello Time is 200 centiseconds.
3.
Run: stp timer max-age max-age
The Max Age timer is set for the switching device.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
197
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
By default, the Max Age timer is 2000 centiseconds.
----End
6.6.2.4 Setting the Maximum Number of Connections in an Eth-Trunk that Affects
Spanning Tree Calculation
Context
The path costs affect spanning tree calculation. Changes of path costs trigger spanning tree recalculation. The path cost of an interface is affected by its bandwidth, so you can change the interface bandwidth to affect spanning tree calculation.
As shown in Figure 6-14 , deviceA and deviceB are connected through two Eth-Trunk links.
Eth-Trunk 1 has three member interfaces in Up state and Eth-Trunk 2 has two member interfaces in Up state. Each member link has the same bandwidth, and deviceA is selected as the root bridge.
l Eth-Trunk 1 has higher bandwidth than Eth-Trunk 2. After STP calculation, Eth-Trunk 1 on deviceB is selected as the root port and Eth-Trunk 2 is selected as the alternate port.
l If the maximum number of connections affecting bandwidth of Eth-Trunk 1 is set to 1, the path cost of Eth-Trunk 1 is larger than the path cost of Eth-Trunk 2. Therefore, the two devices perform spanning tree recalculation. Then Eth-Trunk 1 on deviceB becomes the alternate port and Eth-Trunk 2 becomes the root port.
Figure 6-14 Setting the maximum number of connections in an Eth-Trunk
RouterA
Before configuration
Eth-Trunk1
Eth-Trunk2
RouterB
After configuration
RouterA
Eth-Trunk1
Eth-Trunk2
RouterB
Alternate port
Root port
Designated port
Procedure
Step 1 Run:
NOTE
The maximum number of connections affects only the path cost of an Eth-Trunk interface participating in spanning tree calculation, and does not affect the actual bandwidth of the Eth-Trunk link. The actual bandwidth for an Eth-Trunk link depends on the number of active member interfaces in the Eth-Trunk.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
198
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration system-view
The system view is displayed.
Step 2 Run: interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run: max bandwidth-affected-linknumber link-number
The maximum number of connections affecting the Eth-Trunk bandwidth is set.
By default, the maximum number of connections affecting the bandwidth of an Eth-Trunk is
8.
----End
6.6.2.5 Checking the Configuration
Procedure l Run the display stp [ interface interface-type interface-number ] [ brief ] command to view the spanning tree status and statistics.
----End
6.6.3 Setting RSTP Parameters that Affect RSTP Convergence
RSTP supports link type and fast transition configuration on ports to implement rapid convergence.
Pre-configuration Tasks
Before configuring RSTP parameters that affect RSTP convergence, configure basic RSTP functions.
6.6.3.1 Setting the RSTP Network Diameter
Context
Any two terminals on a switching network are connected through a specific path along multiple devices. The network diameter is the maximum number of devices between any two terminals.
A larger network diameter indicates a larger network scale.
An improper network diameter may cause slow network convergence and affect communication.
Run the stp bridge-diameter command to set an appropriate network diameter based on the network scale, which helps speed up convergence.
It is recommended that all devices be configured with the same network diameter.
Procedure
Step 1 Run:
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
199
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration system-view
The system view is displayed.
Step 2 Run: stp bridge-diameter diameter
The network diameter is configured.
By default, the network diameter is 7.
NOTE l RSTP uses a single spanning tree instance on the entire network. As a result, performance deterioration cannot be prevented when the network scale grows. Therefore, the network diameter cannot be larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the network diameter. Then, the switching device calculates the optimal Forward Delay timer value, Hello timer value, and Max Age timer value based on the configured network diameter.
----End
6.6.3.2 Setting the RSTP Timeout Interval
Context
If a device does not receive any BPDUs from the upstream device within the timeout interval, the device considers the upstream device to have failed and recalculates the spanning tree.
Sometimes, a device cannot receive the BPDU from the upstream device within the timeout interval because the upstream device is busy. In this case, recalculating the spanning tree will cause a waste of network resources. To avoid wasting network resources, set a long timeout interval on a stable network.
If a switching device does not receive any BPDUs from the upstream device within the timeout interval, spanning tree recalculation is performed. The timeout interval is calculated as follows:
Timeout interval = Hello time x 3 x Timer Factor
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp timer-factor factor
The Timer Factor value is set. This parameter determines the timeout interval during which the device waits for BPDUs from the upstream device.
By default, the timeout period is 9 times the Hello timer value.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
200
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
6.6.3.3 Setting RSTP Timers
Context
The following timers are used in spanning tree calculation: l Forward Delay: specifies the delay before a state transition. After the topology of a ring network changes, it takes some time to spread the new configuration BPDU throughout the entire network. As a result, the original blocked port may be unblocked before a new port is blocked. When this occurs, a loop exists on the network. You can set the Forward Delay timer to prevent loops. When the topology changes, all ports will be temporarily blocked during the Forward Delay.
l Hello Time: specifies the interval at which hello packets are sent. A switching device sends configuration BPDUs at the specified interval to detect link failures. If the switching device does not receive any BPDUs within an interval of Hello Time, the switching device recalculates the spanning tree.
l Max Age: determines whether BPDUs expire. A switching device determines that a received configuration BPDU times out when the Max Age expires.
Devices on a ring network must use the same values of Forward Delay, Hello Time, and Max
Age.
You are not advised to directly change the preceding three timers. The three parameters are relevant to the network scale; therefore, it is recommended that you set the network diameter so that the spanning tree protocol automatically adjusts these timers. When the default network diameter is used, the three timers also retain their default values.
NOTICE
To prevent frequent network flapping, make sure that the Hello Time, Forward Delay, and Max
Age timer values conform to the following formulas: l 2 x (Forward Delay - 1.0 second) >= Max Age l Max Age >= 2 x (Hello Time + 1.0 second)
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Set the Forward Delay, Hello Time, and Max Age timers.
1.
Run: stp timer forward-delay forward-delay
The Forward Delay timer is set for the switching device.
By default, the Forward Delay timer is 1500 centiseconds.
2.
Run: stp timer hello hello-time
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
201
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
The Hello Time is set for the switching device.
By default, the Hello Time is 200 centiseconds.
3.
Run: stp timer max-age max-age
The Max Age timer is set for the switching device.
By default, the Max Age timer is 2000 centiseconds.
----End
6 STP/RSTP Configuration
6.6.3.4 Setting the Maximum Number of Connections in an Eth-Trunk that Affects
Spanning Tree Calculation
Context
The path costs affect spanning tree calculation. Changes of path costs trigger spanning tree recalculation. The path cost of an interface is affected by its bandwidth, so you can change the interface bandwidth to affect spanning tree calculation.
As shown in Figure 6-15 , deviceA and deviceB are connected through two Eth-Trunk links.
Eth-Trunk 1 has three member interfaces in Up state and Eth-Trunk 2 has two member interfaces in Up state. Each member link has the same bandwidth, and deviceA is selected as the root bridge.
l Eth-Trunk 1 has higher bandwidth than Eth-Trunk 2. After STP calculation, Eth-Trunk 1 on deviceB is selected as the root port and Eth-Trunk 2 is selected as the alternate port.
l If the maximum number of connections affecting bandwidth of Eth-Trunk 1 is set to 1, the path cost of Eth-Trunk 1 is larger than the path cost of Eth-Trunk 2. Therefore, the two devices perform spanning tree recalculation. Then Eth-Trunk 1 on deviceB becomes the alternate port and Eth-Trunk 2 becomes the root port.
Figure 6-15 Setting the maximum number of connections in an Eth-Trunk
RouterA
Before configuration
Eth-Trunk1
Eth-Trunk2
RouterB
After configuration
RouterA
Eth-Trunk1
Eth-Trunk2
RouterB
Alternate port
Root port
Designated port
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
202
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
NOTE
The maximum number of connections affects only the path cost of an Eth-Trunk interface participating in spanning tree calculation, and does not affect the actual bandwidth of the Eth-Trunk link. The actual bandwidth for an Eth-Trunk link depends on the number of active member interfaces in the Eth-Trunk.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run: max bandwidth-affected-linknumber link-number
The maximum number of connections affecting the Eth-Trunk bandwidth is set.
By default, the maximum number of connections affecting the bandwidth of an Eth-Trunk is
8.
----End
6.6.3.5 Setting the Link Type for a Port
Context
P2P links can implement rapid convergence. If the two ports connected by a P2P link are root or designated ports, they can transit to the Forwarding state quickly by sending Proposal and
Agreement packets. This reduces the forwarding delay.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The view of an Ethernet interface participating in STP calculation is displayed.
Step 3 Run: stp point-to-point { auto | force-false | force-true }
The link type is set for the interface.
By default, an interface automatically identifies whether it is connected to a P2P link. P2P links implement rapid network convergence.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
203
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration l If the Ethernet interface works in full-duplex mode, the interface is connected to a P2P link.
In this case, force-true can be specified in the command to implement rapid network convergence.
l If the Ethernet interface works in half-duplex mode, you can run the stp point-to-point force-true command to forcibly set the link type to P2P.
----End
6.6.3.6 Setting the Maximum Transmission Rate of an Interface
Context
The more BPDUs sent from an interface within a Hello Time interval, the more system resources consumed. Setting a proper transmission rate ( packet-number ) on an interface prevents excess bandwidth usage when network flapping occurs.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The view of an Ethernet interface participating in STP calculation is displayed.
Step 3 Run: stp transmit-limit packet-number
The maximum transmission rate of BPDUs (BPDUs per second) is set for the interface.
By default, an interface sends a maximum of six BPDUs per second.
NOTE
If the same maximum transmission rate of BPDUs needs to be sent for each interface on a device, run the stp transmit-limit (system view) command.
----End
6.6.3.7 Switching to the RSTP Mode
Context
If an interface on an RSTP-enabled device is connected to an STP-enabled device, the interface switches to the STP compatible mode.
If the STP-enabled device is powered off or disconnected from the RSTP-enabled device, the interface cannot switch back to the RSTP mode. In this case, run the stp mcheck command to switch the interface to the RSTP mode.
You need to manually switch the interface to the RSTP mode in the following situations:
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
204
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration l The STP-enabled device is shut down or disconnected.
l The STP-enabled device is switched to the RSTP mode.
Procedure l Switching to the RSTP mode in the interface view
1.
Run: system-view
The system view is displayed.
2.
Run: interface interface-type interface-number
The view of an interface participating in spanning tree calculation is displayed.
3.
Run: stp mcheck
The interface is switched to the RSTP mode.
l Switching to the RSTP mode in the system view
1.
Run: system-view
The system view is displayed.
2.
Run: stp mcheck
The device is switched to the RSTP mode.
----End
6.6.3.8 Configuring Edge Ports and BPDU Filter Ports
Context
As defined in RSTP, a port that is located at the edge of a network and directly connected to a terminal device is an edge port.
An edge port does not process configuration BPDUs or participate in RSTP calculation. It can transit from the Disable to Forwarding state without any delay.
Edge ports can still send BPDUs. If the BPDUs are sent to another network, this network may encounter network flapping. To prevent this problem, configure the BPDU filter function on edge ports so that the edge ports do not process or send BPDUs.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
205
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
NOTICE
After all ports are configured as edge ports and BPDU filter ports in the system view, none of ports on the local device send BPDUs or negotiate the STP states with directly connected ports on the peer device. All ports are in Forwarding state. This may cause loops on the network, leading to broadcast storms. Exercise caution when deciding to perform this configuration.
After a specified port is configured as an edge port and BPDU filter port in the interface view, the port does not process or send BPDUs and cannot negotiate the STP state with the directly connected port on the peer device. Exercise caution when deciding to perform this configuration.
Procedure
Issue 01 (2014-11-30) l Configuring all ports as edge ports and BPDU filter ports
1.
Run: system-view
The system view is displayed.
2.
Run: stp edged-port default
All ports are configured as edge ports.
By default, all ports are non-edge ports.
3.
Run: stp bpdu-filter default
All ports are configured as BPDU filter ports.
By default, all ports are non-BPDU filter ports.
l Configuring a specified port as an edge port and BPDU filter port
1.
Run: system-view
The system view is displayed.
2.
Run: interface interface-type interface-number
The view of an Ethernet interface that participates in spanning tree calculation is displayed.
3.
Run: stp edged-port enable
The port is configured as an edge port.
By default, all ports are non-edge ports.
4.
Run: stp bpdu-filter enable
The port is configured as a BPDU filter port.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
206
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
By default, a port is a non-BPDU filter port.
----End
6.6.3.9 Checking the Configuration
Procedure l Run the display stp [ interface interface-type interface-number ] [ brief ] command to view the spanning tree status and statistics.
----End
6.6.4 Configuring RSTP Protection Functions
Huawei network devices provide the following RSTP protection functions. You can configure one or more functions.
6.6.4.1 Configuring BPDU Protection on a Switching Device
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp bpdu-protection
BPDU protection is enabled on the switching device.
By default, BPDU protection is disabled on a switching device.
----End
Follow-up Procedure
If you want an edge port to automatically recover from the error-down state, run the error-down auto-recovery cause bpdu-protection interval interval-value command in the system view to configure the auto recovery function and set a recovery delay on the port. Then a port in errordown state can automatically go Up after the delay expires. Note the following when setting the recovery delay: l By default, the auto recovery function is disabled; therefore, the recovery delay parameter does not have a default value. When you enable the auto recovery function, you must set a recovery delay.
l A smaller value of interval-value indicates a shorter time taken for an edge port to go Up, and a higher frequency of Up/Down state transitions on the port.
l A larger value of interval-value indicates a longer time taken for the edge port to go Up, and a longer service interruption time.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
207
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration l The auto recovery function takes effect only for the interfaces that transition to the errordown state after the error-down auto-recovery command is executed.
6.6.4.2 Configuring TC Protection on a Switching Device
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp tc-protection threshold threshold
The maximum number of times the switching device processes TC BPDUs and updates forwarding entries within the specified time period is set.
NOTE
The time period is set by the stp tc-protection interval command.
----End
6.6.4.3 Configuring Root Protection on a Port
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The view of an interface participating in STP calculation is displayed.
Step 3 Run: stp root-protection
Root protection is enabled on the interface.
By default, root protection is disabled on the interface.
NOTE
Root protection takes effect only on designated ports.
Root protection and loop protection cannot be configured on the same interface.
----End
6.6.4.4 Configuring Loop Protection on a Port
Context
On an RSTP network, a switching device maintains states of the root port and blocked ports based on BPDUs received from an upstream switching device. If the switching device cannot
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
208
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration receive BPDUs from the upstream because of link congestion or unidirectional-link failure, the switching device selects a new root port. The original root port becomes a designated port, and the original blocked ports change to the Forwarding state, which may cause loops on the network.
To prevent such a problem, configure loop protection.
If the root port or alternate port does not receive BPDUs from the upstream device for a long time, the switch enabled with loop protection sends a notification to the NMS. If the root port is used, the root port enters the Discarding state and becomes the designated port. If the alternate port is used, the alternate port keeps blocked and becomes the designated port. In this case, loops will not occur. After the link is not congested or unidirectional link failures are rectified, the port receives BPDUs for negotiation and restores its original role and status.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The view of the root port or alternate port is displayed.
Step 3 Run: stp loop-protection
Loop protection is enabled on the root port ore alternate port.
By default, loop protection is disabled on a port.
NOTE
An alternate port is a backup for a root port. If a switching device has an alternate port, configure loop protection on both the root port and the alternate port.
Root protection and loop protection cannot be configured on the same port.
----End
6.6.4.5 Checking the Configuration
Procedure l Run the display stp [ interface interface-type interface-number ] [ brief ] command to view the spanning tree status and statistics.
----End
6.6.5 Setting Parameters for Interoperation Between Huawei and
Non-Huawei Devices
To implement interoperation between Huawei and non-Huawei devices, select the fast transition mode based on the Proposal/Agreement mechanism of the non-Huawei device.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
209
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
Context
A switching device supports the following Proposal/Agreement modes: l Enhanced mode: The device determines the root port when it calculates the synchronization flag bit.
1.
An upstream device sends a Proposal message to a downstream device to request fast state transition. After receiving the message, the downstream device sets the port connected to the upstream device as the root port and blocks all non-edge ports.
2.
The upstream device sends an Agreement message to the downstream device. After the downstream device receives the message, the root port transitions to the
Forwarding state.
3.
The downstream device responds with an Agreement message. After receiving the message, the upstream device sets the port connected to the downstream device as the designated port, and then the designated port transitions to the Forwarding state.
l Common mode: The device ignores the root port when it calculates the synchronization flag bit.
1.
An upstream device sends a Proposal message to a downstream device to request fast state transition. After receiving the message, the downstream device sets the port connected to the upstream device as the root port and blocks all non-edge ports. Then, the root port transitions to the Forwarding state.
2.
The downstream device responds with an Agreement message. After receiving the message, the upstream device sets the port connected to the downstream device as the designated port, and then the designated port transitions to the Forwarding state.
On an STP network, if a Huawei switching device is connected to a non-Huawei device that uses a different Proposal/Agreement mechanism, the two devices may fail to interoperate with each other. Select the enhanced mode or common mode based on the Proposal/Agreement mechanism of the non-Huawei device.
Pre-configuration Tasks
Before setting parameters for interoperation between Huawei and non-Huawei devices, configure basic STP/RSTP functions.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The view of an interface participating in spanning tree calculation is displayed.
Step 3 Run: stp no-agreement-check
The common fast transition mode is specified.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
210
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
By default, the enhanced fast transition mode is used on a port.
----End
6.7 Maintaining STP/RSTP
This section describes how to view and reset STP/RSTP statistics.
6 STP/RSTP Configuration
6.7.1 Clearing STP/RSTP Statistics
Context
NOTICE
STP/RSTP statistics cannot be restored after being cleared. Exercise caution when deciding to clear STP/RSTP statistics.
Procedure l Run the reset stp [ interface interface-type interface-number ] statistics command to clear spanning-tree statistics.
l Run the reset stp error packet statistics command to clear statistics about error STP packets.
----End
6.7.2 Monitoring STP/RSTP Topology Change Statistics
The statistics about STP/RSTP topology changes can be viewed. If the statistics increase, network flapping occurs.
Procedure l Run the display stp topology-change command to view statistics about STP/RSTP topology changes.
l Run the display stp [ interface interface-type interface-number ] [ brief ] command to view the spanning tree status and statistics.
----End
6.8 Configuration Examples
This section provides several STP/RSTP configuration examples.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
211
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
6.8.1 Example for Configuring Basic STP Functions
Networking Requirements
On a complex network, multiple physical links are often deployed between two devices for link redundancy (one as the active link and the others as standby links). Redundant links may cause loops on the network, and loops will result in broadcast storms and damage MAC address entries.
STP can be deployed on a network to eliminate loops by blocking redundant ports. As shown in
, loops exist on the network, and RouterA, SwitchA, SwitchB, SwitchC and
SwitchD are all running STP. These devices exchange BPDUs to discover the loops and block appropriate ports to trim the ring topology into a loop-free tree topology. The tree topology prevents infinite looping of packets, which in turn helps improve packet processing performance.
Figure 6-16 Networking diagram of basic STP configurations
6 STP/RSTP Configuration
Network
Eth2/0/0
Root
Bridge
RouterA
Eth2/0/1
Eth0/0/1
SwitchA
Eth0/0/2
Eth
0/0
/3
STP
Et h0
/0/
3
Eth0/0/1
SwitchB
Eth0/0/2
Eth0/0/1
SwitchC
Eth0/0/2
Et h0
/0/
4
Eth0/0/3
Eth
0/0
/4
Eth0/0/2
Eth0/0/1
SwitchD
Eth0/0/3
PC1
PC2 PC3
PC4
Blocked port
Configuration Roadmap
The configuration roadmap is as follows:
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
212
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
1.
Configure basic STP functions, including: a.
Configure the STP mode for the switching devices on the ring network.
b.
Configure primary and secondary root bridges.
c.
Set a path cost for the port to be blocked.
d.
Enable STP to eliminate loops.
l Enable STP globally.
l Enable STP on all the ports except those connected to terminals.
NOTE
STP is not required on the ports connected to terminals because these ports do not need to participate in STP calculation. Disable STP on the ports or configure the ports as edge ports.
Procedure
Step 1 Configure basic STP functions.
1.
Configure the STP mode for the switching devices on the ring network.
# Configure the STP mode on RouterA. The configurations of SwitchA, SwitchB, SwitchC and SwitchD are similar to that of RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] stp mode stp
2.
Configure primary and secondary root bridges.
# Configure RouterA as the primary root bridge.
[RouterA] stp root primary
# Configure SwitchA as the secondary root bridge.
[SwitchA] stp root secondary
3.
Set a path cost for the port to be blocked.
NOTE l The path cost value range depends on path cost calculation methods. This example uses the
Huawei proprietary calculation method and sets the path cost to 200000.
l All switching devices on a network must use the same path cost calculation method. To use other path cost calculation methods, see the list of recommended value ranges for the specific path cost calculation method.
# On RouterA, set the path cost calculation method to the Huawei proprietary method. The configurations of SwitchA, SwitchB, SwitchC and SwitchD are similar to that of RouterA.
[RouterA] stp pathcost-standard legacy
# Set the path cost of ethernet0/0/4 on SwitchC and SwitchD to 200000.
[SwitchC] interface ethernet 0/0/4
[SwitchC-Ethernet0/0/4] stp cost 200000
[SwitchC-Ethernet0/0/4] quit
[SwitchD] interface ethernet 0/0/4
[SwitchD-Ethernet0/0/4] stp cost 200000
[SwitchD-Ethernet0/0/4] quit
4.
Enable STP to eliminate loops.
l Disable STP on the ports directly connected to PCs.
# Disable STP on Ethernet0/0/2 and Ethernet0/0/3 of SwitchC. The configuration of
SwitchD is similar to that of SwitchC.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
213
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
[SwitchC] interface ethernet 0/0/2
[SwitchC-Ethernet0/0/2] stp disable
[SwitchC-Ethernet0/0/2] quit
[SwitchC] interface ethernet 0/0/3
[SwitchC-Ethernet0/0/3] stp disable
[SwitchC-Ethernet0/0/3] quit l Enable STP globally.
# Enable STP globally on RouterA. The configurations of SwitchA, SwitchB, SwitchC and SwitchD are similar to that of RouterA.
[RouterA] stp enable l Enable STP on all the ports except those connected to PCs.
# Enable STP on RouterA Eth2/0/0 and Eth2/0/1. The configurations of SwitchA,
SwitchB, SwitchC and SwitchD are similar to that of RouterA.
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] stp enable
[RouterA-Ethernet2/0/0] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] stp enable
[RouterA-Ethernet2/0/1] quit
Step 2 Verify the configuration.
# Wait for 35s, and then run the display stp brief command on RouterA to view port roles and states. Eth2/0/0 and Eth2/0/1 are selected as designated ports through spanning tree calculation and are both in the Forwarding state.
[RouterA] display stp brief
MSTID Port Role STP State Protection
0 Ethernet2/0/0 DESI FORWARDING NONE
0 Ethernet2/0/1 DESI FORWARDING NONE
# Run the display stp brief command on SwitchA to view port roles and states. Eth0/0/1 is selected as the root port, whereas Eth0/0/2 and Eth0/0/3 are selected as designated ports. The ports are all in the Forwarding state.
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 Ethernet0/0/1 ROOT FORWARDING NONE
0 Ethernet0/0/2 DESI FORWARDING NONE
0 Ethernet0/0/3 DESI FORWARDING NONE
# Run the display stp brief command on SwitchB to view port roles and states. Eth0/0/1 is selected as the root port, whereas Eth0/0/2 and Eth0/0/3 are selected as designated ports. The ports are all in the Forwarding state.
[SwitchB] display stp brief
MSTID Port Role STP State Protection
0 Ethernet0/0/1 ROOT FORWARDING NONE
0 Ethernet0/0/2 DESI FORWARDING NONE
0 Ethernet0/0/3 DESI FORWARDING NONE
# Run the display stp brief command on SwitchC to view port roles and states. Eth0/0/1 is selected as root port and is in the Forwarding state. Eth0/0/4 is selected as designated port and is in the Discarding state.
[SwitchC] display stp brief
MSTID Port Role STP State Protection
0 Ethernet0/0/1 ROOT FORWARDING NONE
0 Ethernet0/0/4 DESI DISCARDING NONE
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
214
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
6 STP/RSTP Configuration
# Run the display stp brief command on SwitchD to view port roles and states. Eth0/0/1 is selected as root port and is in the Forwarding state. Eth0/0/4 is selected as designated port and is in the Discarding state.
[SwitchC] display stp brief
MSTID Port Role STP State Protection
0 Ethernet0/0/1 ROOT FORWARDING NONE
0 Ethernet0/0/4 DESI DISCARDING NONE
----End
Configuration Files l Configuration file of RouterA
#
sysname RouterA
#
stp mode stp
stp instance 0 root primary
stp pathcost-standard legacy
# interface Ethernet2/0/0
# interface Ethernet2/0/1
# return l Configuration file of SwitchA
#
sysname SwitchA
#
stp mode stp
stp instance 0 root secondary
stp pathcost-standard legacy
# interface Ethernet0/0/1
# interface Ethernet0/0/2
# interface Ethernet0/0/3
# return l Configuration file of SwitchB
#
sysname SwitchB
#
stp mode stp
stp pathcost-standard legacy
# interface Ethernet0/0/1
# interface Ethernet0/0/2
# interface Ethernet0/0/3
# return l Configuration file of SwitchC
#
sysname SwitchC
#
stp mode stp
stp pathcost-standard legacy
#
Issue 01 (2014-11-30) 215
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration interface Ethernet0/0/1
# interface Ethernet0/0/2
stp disable
# interface Ethernet0/0/3
stp disable
# interface Ethernet0/0/4
stp instance 0 cost 200000
# return l Configuration file of SwitchD
#
sysname SwitchD
#
stp mode stp
stp pathcost-standard legacy
# interface Ethernet0/0/1
# interface Ethernet0/0/2
stp disable
# interface Ethernet0/0/3
stp disable
# interface Ethernet0/0/4
stp instance 0 cost 200000
# return
6.8.2 Example for Configuring Basic RSTP Functions
Networking Requirements
On a complex network, multiple physical links are often deployed between two devices for link redundancy (one as the active link and the others as standby links). Redundant links may cause loops on the network, and loops will result in broadcast storms and damage MAC address entries.
RSTP can be deployed on a network to eliminate loops by blocking some ports. As shown in
Figure 6-17 , loops exist on the network, and RouterA, SwitchA, SwitchB, SwitchC and SwitchD
are all running RSTP. These devices exchange BPDUs to discover the loops and block appropriate ports to trim the ring topology into a loop-free tree topology. The tree topology prevents infinite looping of packets on the network, which in turn helps improve packet processing performance.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
216
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 6-17 Networking diagram of basic RSTP configurations
6 STP/RSTP Configuration
Network
Eth2/0/0
Root
Bridge
RouterA
Eth2/0/1
Eth0/0/1
SwitchA
Eth0/0/2
Eth
0/0
/3
RSTP
Et h0
/0/
3
Eth0/0/1
SwitchB
Eth0/0/2
Eth0/0/1
SwitchC
Eth0/0/2
Et h0
/0/
4
Eth0/0/3
Eth
0/0
/4
Eth0/0/2
Eth0/0/1
SwitchD
Eth0/0/3
PC1
PC2 PC3
PC4
Blocked port
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure basic RSTP functions, including: a.
Configure the RSTP mode for the switching devices on the ring network.
b.
Configure primary and secondary root bridges.
c.
Set a path cost for the ports to block certain ports.
d.
Enable RSTP to eliminate loops.
l Enable RSTP globally.
l Enable RSTP on all the ports except those connected to terminals.
NOTE
RSTP is not required on the ports connected to terminals because these ports do not need to participate in RSTP calculation.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
217
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 6 STP/RSTP Configuration
2.
Configure RSTP protection functions. For example, configure root protection on designated ports of the root bridge.
Procedure
Step 1 Configure basic RSTP functions.
1.
Configure the RSTP mode for the devices on the ring network.
# Configure the RSTP mode on RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] stp mode rstp
# Configure the RSTP mode on SwitchA, SwitchB, SwitchC and SwitchD.
2.
Configure primary and secondary root bridges.
# Configure RouterA as the primary root bridge.
[RouterA] stp root primary
# Configure SwitchA as a second root bridge according to the configuration guide of
SwitchA.
3.
Set a path cost for the port to be blocked.
NOTE l The path cost value range depends on path cost calculation methods. This example uses the
Huawei proprietary calculation method and sets the path cost to 200000.
l All switching devices on a network must use the same path cost calculation method. To use other path cost calculation methods, see the list of recommended value ranges for the specific path cost calculation method.
# On RouterA, set the path cost calculation method to the Huawei proprietary method.
[RouterA] stp pathcost-standard legacy
# On SwitchA, SwitchB, SwitchC and SwitchD, set the path cost calculation method to the
Huawei proprietary method according to the configuration guide of the switches.
# Set the path cost of Eth0/0/4 on SwitchC and SwitchD to 200000. (The detailed configuration is not provided here.)
4.
Enable RSTP to eliminate loops.
l Disable RSTP on the ports directly connected to PCs.
# Disable RSTP on the ports of SwitchC and SwitchD connected to PCs.
l Enable RSTP globally.
# Enable RSTP globally on RouterA.
[RouterA] stp enable
# Enable RSTP globally on other switching devices.
l Enable RSTP on all the ports except those connected to PCs.
# Enable RSTP on RouterA Ethernet2/0/0 and Ethernet2/0/1.
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] stp enable
[RouterA-Ethernet2/0/0] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] stp enable
[RouterA-Ethernet2/0/1] quit
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
218
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
6 STP/RSTP Configuration
# Enable RSTP on all the ports except those connected to PCs on SwitchA, SwitchB,
SwitchC and SwitchD.
Step 2 Configure RSTP protection.
# Enable root protection on Eth2/0/0 and Eth2/0/1 of RouterA.
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] stp root-protection
[RouterA-Ethernet2/0/0] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] stp root-protection
[RouterA-Ethernet2/0/1] quit
Step 3 Verify the configuration.
After the preceding configuration is complete and the network becomes stable, perform the following operation to verify the configuration:
# Run the display stp brief command on RouterA to view the states and protection type on
RSTP ports. The following information is displayed:
[RouterA] display stp brief
MSTID Port Role STP State Protection
0 Ethernet2/0/0 DESI FORWARDING ROOT
0 Ethernet2/0/1 DESI FORWARDING ROOT
After RouterA is configured as the root bridge, Ethernet2/0/0 connected to SwitchA and
Ethernet2/0/1 connected to SwitchB are elected as designated ports through spanning tree calculation.
----End
Configuration Files l Configuration file of RouterA
#
sysname RouterA
# stp mode rstp stp instance 0 root primary stp pathcost-standard legacy
# interface Ethernet2/0/0
stp root-protection
# interface Ethernet2/0/1
stp root-protection
# return l Configuration file of SwitchA
#
sysname SwitchA
# stp mode rstp stp instance 0 root secondary stp pathcost-standard legacy
# interface Ethernet0/0/1
# interface Ethernet0/0/2
# interface Ethernet0/0/3
Issue 01 (2014-11-30) 219
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
# return l Configuration file of SwitchB
#
sysname SwitchB
# stp mode rstp stp pathcost-standard legacy
# interface Ethernet0/0/1
# interface Ethernet0/0/2
# interface Ethernet0/0/3
# return l Configuration file of SwitchC
#
sysname SwitchC
# stp mode rstp stp pathcost-standard legacy
# interface Ethernet0/0/1
# interface Ethernet0/0/2
stp disable
# interface Ethernet0/0/3
stp disable
# interface Ethernet0/0/4
stp instance 0 cost 200000
# return l Configuration file of SwitchD
#
sysname SwitchD
# stp mode rstp stp pathcost-standard legacy
# interface Ethernet0/0/1
# interface Ethernet0/0/2
stp disable
# interface Ethernet0/0/3
stp disable
# interface Ethernet0/0/4
stp instance 0 cost 200000
# return
6.9 References
This section provides references for STP/RSTP.
The following table lists the references for STP/RSTP.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
6 STP/RSTP Configuration
220
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Document
IEEE 802.1D
IEEE 802.1S
IEEE 802.1W
Description
IEEE Standard for:
Local and metropolitan area networks
Virtual Bridged Local Area Networks
IEEE Standard for:
Local and metropolitan area networks
Virtual Bridged Local Area Networks
IEEE Standard for:
Local and metropolitan area networks
Common specifications
6 STP/RSTP Configuration
-
Rema rks
-
-
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
221
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
7
MSTP Configuration
About This Chapter
This chapter describes the concepts and configuration procedure of MSTP, and provides configuration examples.
This section describes definition and purpose of MSTP.
This section describes the principles of MSTP.
This section describes the applicable environment of MSTP.
7.4 Configuration Task Summary
This section describes the configuration task and logic of MSTP.
This section describes the MSTP configuration.
This section describes how to maintain MSTP.
This section provides several configuration examples of MSTP.
This section provides references for STP/RSTP.
222 Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
7.1 Introduction to MSTP
This section describes definition and purpose of MSTP.
Definition
Generally, redundant links are used on an Ethernet switching network to provide link backup and enhance network reliability. The use of redundant links, however, may produce loops, causing broadcast storms and rendering the MAC address table unstable. As a result, the communication quality deteriorates, and the communication service may even be interrupted.
The Spanning Tree Protocol (STP) is introduced to solve this problem.
STP refers to STP defined in IEEE 802.1D, the Rapid Spanning Tree Protocol (RSTP) defined in IEEE 802.1w, and the Multiple Spanning Tree Protocol (MSTP) defined in IEEE 802.1s.
MSTP is compatible with RSTP and STP, and RSTP is compatible with STP. Table 7-1 shows
the comparison between STP, RSTP, and MSTP.
Issue 01 (2014-11-30)
Table 7-1 Comparison between STP, RSTP, and MSTP
Spanning
Tree
Protocol
STP
Characteristics Usage Scenario
RSTP l In an STP region, a loop-free tree is generated. Broadcast storms are prevented and redundancy is achieved.
l Route convergence is slow.
l In an RSTP region, a loop-free tree is generated. Broadcast storms are prevented and redundancy is achieved.
l RSTP allows fast convergence of the network topology.
STP or RSTP is used in a scenario where all VLANs share one spanning tree. In this situation, users or services do not need to be differentiated.
MSTP l In an MSTP region, multiple loopfree trees are generated.
Therefore, broadcast storms are prevented and redundancy is achieved.
l MSTP achieves fast convergence of the network topology.
l MSTP implements load balancing among VLANs. Traffic in different VLANs is transmitted along different paths.
MSTP is used in a scenario where traffic in different VLANs is forwarded through different spanning trees that are independent of each other to implement load balancing. In this situation, users or services are distinguished by using VLANs.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
223
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Purpose
7 MSTP Configuration
After a spanning tree protocol is configured on an Ethernet switching network, it calculates the network topology and implements the following functions to remove network loops: l Loop cut-off: The potential loops on the network are cut off by blocking redundant links.
l Link redundancy: When an active path becomes faulty, a redundant link can be activated to ensure network connectivity.
7.2 MSTP Principles
This section describes the principles of MSTP.
7.2.1 MSTP Background
RSTP, an enhancement to STP, implements fast convergence of the network topology. There is a defect for both RSTP and STP: All VLANs on a LAN use one spanning tree, and VLAN-based load balancing cannot be performed. Once a link is blocked, it will no longer transmit traffic, wasting bandwidth and causing the failure in forwarding certain VLAN packets.
Figure 7-1 STP/RSTP defect
S1
VLAN3
HostC
( VLAN3 ) VLAN3
VLAN2
S2
VLAN2
VLAN2
VLAN3
S4
S5
VLAN2
HostA
( VLAN2 )
HostB
( VLAN2 )
VLAN2
S3
VLAN2
VLAN3
VLAN3
VLAN2
VLAN3
HostD
( VLAN3 )
VLAN3
S6 spanning tree(root bridge:S6)
Issue 01 (2014-11-30)
On the network shown in
, STP or RSTP is enabled. The broken line shows the spanning tree. S6 is the root switching device. The links between S1 and S4 and between S2 and
S5 are blocked. VLAN packets are transmitted by using the corresponding links marked with
"VLAN2" or "VLAN3."
Host A and Host B belong to VLAN 2 but they cannot communicate with each other because the link between S2 and S5 is blocked and the link between S3 and S6 denies packets from
VLAN 2.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
224
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
To fix the defect of STP and RSTP, the IEEE released 802.1s in 2002, defining the Multiple
Spanning Tree Protocol (MSTP). MSTP implements fast convergence and provides multiple paths to load balance VLAN traffic.
MSTP divides a switching network into multiple regions, each of which has multiple spanning trees that are independent of each other. Each spanning tree is called a Multiple Spanning Tree
Instance (MSTI) and each region is call a Multiple Spanning Tree (MST) region.
NOTE
An instance is a collection of VLANs. Binding multiple VLANs to an instance saves communication costs and reduces resource usage. The topology of each MSTI is calculated independent of one another, and traffic can be balanced among MSTIs. Multiple VLANs that have the same topology can be mapped to one instance. The forwarding status of the VLANs for a port is determined by the port status in the MSTI.
Figure 7-2 Multiple spanning trees in an MST region
S1 S4
VLAN3 VLAN2
HostC
( VLAN3 ) VLAN3
VLAN2
VLAN3
VLAN2
S2 S5
VLAN2
HostA
( VLAN2 )
HostB
( VLAN2 )
VLAN2
S3
VLAN2
VLAN3
VLAN3
VLAN2
VLAN3
HostD
( VLAN3 )
VLAN3
S6 spanning tree(root bridge:S4) spanning tree(root bridge:S6)
As shown in Figure 7-2 , MSTP maps VLANs to MSTIs in the VLAN mapping table. Each
VLAN can be mapped to only one MSTI. This means that traffic of a VLAN can be transmitted in only one MSTI. An MSTI, however, can correspond to multiple VLANs.
Two spanning trees are calculated: l MSTI 1 uses S4 as the root switching device to forward packets of VLAN 2.
l MSTI 2 uses S6 as the root switching device to forward packets of VLAN 3.
In this manner, devices within the same VLAN can communicate with each other; packets of different VLANs are load balanced along different paths.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
225
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
7.2.2 Basic MSTP Concepts
MSTP Network Hierarchy
As shown in Figure 7-3 , the MSTP network consists of one or more MST regions. Each MST
region contains one or more MSTIs. An MSTI is a tree network consisting of switching devices running STP, RSTP, or MSTP.
Figure 7-3 MSTP network hierarchy
MSTP Network
MSTI1
MSTI2
MSTI0
MST Region
MSTI1
MSTI2
MSTI0
MST Region
MSTI1
MSTI2
MSTI0
MST Region
MST Region
An MST region contains multiple switching devices and network segments between them. The switching devices of one MST region have the following characteristics: l MSTP-enabled l Same region name l Same VLAN-MSTI mappings l Same MSTP revision level
A LAN can comprise several MST regions that are directly or indirectly connected. Multiple switching devices can be grouped into an MST region by using MSTP configuration commands.
As shown in Figure 7-4 , the MST region D0 contains the switching devices S1, S2, S3, and S4,
and has three MSTIs.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
226
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 7-4 MST region
D0
AP1
S1
Master Bridge
S2
S4
S3
7 MSTP Configuration
MSTI1 root switch:S3
MSTI2 root switch:S2
MSTI0 (IST) root switch:S1
VLAN1 MSTI1
VLAN2,VLAN3 MSTI2 other VLANs MSTI0
VLAN Mapping Table
The VLAN mapping table is an attribute of the MST region. It describes mappings between
VLANs and MSTIs.
As shown in Figure 7-4 , the mappings in the VLAN mapping table of the MST region D0 are
as follows: l VLAN 1 is mapped to MSTI 1.
l VLAN 2 and VLAN 3 are mapped to MSTI 2.
l Other VLANs are mapped to MSTI 0.
Regional Root
Regional roots are classified into Internal Spanning Tree (IST) and MSTI regional roots.
In the region B0, C0, and D0 on the network shown in Figure 7-6
, the switching devices closest to the Common and Internal Spanning Tree (CIST) root are IST regional roots.
An MST region can contain multiple spanning trees, each called an MSTI. An MSTI regional root is the root of the MSTI. On the network shown in
, each MSTI has its own regional root.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
227
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 7-5 MSTI
VLAN
10&20&30
MST Region
VLAN
10&20
VLAN 20&30
VLAN
10&30
VLAN30
VLAN20
VLAN 10
VLAN
10&30
Root
7 MSTP Configuration
Root
MSTI corresponding to
VLAN 10
MSTI corresponding to
VLAN 20
MSTI Root corresponding to
VLAN 30
MSTI links
MSTI links blocked by the protocol
MSTIs are independent of each other. an MSTI can correspond to one or more VLANs, but a
VLAN can be mapped to only one MSTI.
Master Bridge
The master bridge is the IST master, which is the switching device closest to the CIST root in a
region, for example, S1 shown in Figure 7-4 .
If the CIST root is in an MST region, the CIST root is the master bridge of the region.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
228
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
CIST Root
Figure 7-6 MSTP network
A0
CIST Root
7 MSTP Configuration
D0
Region Root
C0
Region Root
B0
Region Root
IST
CST
On the network shown in
, the CIST root is the root bridge of the CIST. The CIST root is a device in A0.
CST
A Common Spanning Tree (CST) connects all the MST regions on a switching network.
If each MST region is considered a node, the CST is calculated by using STP or RSTP based on all the nodes.
As shown in Figure 7-6 , the MST regions are connected to form a CST.
IST
Issue 01 (2014-11-30)
An IST resides within an MST region.
An IST is a special MSTI with the MSTI ID being 0, called MSTI 0.
An IST is a segment of the CIST in an MST region.
As shown in Figure 7-6 , the switching devices in an MST region are connected to form an IST.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
229
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
CIST
7 MSTP Configuration
A CIST, calculated by using STP or RSTP, connects all the switching devices on a switching network.
As shown in Figure 7-6 , the ISTs and the CST form a complete spanning tree, the CIST.
SST
A Single Spanning Tree (SST) is formed in either of the following situations: l A switching device running STP or RSTP belongs to only one spanning tree.
l An MST region has only one switching device.
As shown in Figure 7-6 , the switching device in B0 forms an SST.
Port Role
Based on RSTP, MSTP has two additional port types. MSTP ports can be root ports, designated ports, alternate ports, backup ports, edge ports, master ports, and regional edge port.
The functions of root ports, designated ports, alternate ports, and backup ports have been defined
in RSTP. Table 7-2 lists all port roles in MSTP.
NOTE
Except edge ports, all ports participate in MSTP calculation.
A port can play different roles in different spanning tree instances.
Table 7-2 Port roles
Port
Role
Description
Root port A root port is the non-root bridge port closest to the root bridge. Root bridges do not have root ports.
Root ports are responsible for sending data to root bridges.
As shown in
, S1 is the root; CP1 is the root port on S3; BP1 is the root port on S2.
Designate d port
Alternate port
The designated port on a switching device forwards BPDUs to the downstream switching device.
As shown in
, AP2 and AP3 are designated ports on S1; CP2 is a designated port on S3.
l From the perspective of sending BPDUs, an alternate port is blocked after a
BPDU sent by another bridge is received.
l From the perspective of user traffic, an alternate port provides an alternate path to the root bridge. This path is different than using the root port.
As shown in
, BP2 is an alternate port.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
230
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
Port
Role
Backup port
Master port
Description l From the perspective of sending BPDUs, a backup port is blocked after a
BPDU sent by itself is received.
l From the perspective of user traffic, a backup port provides a backup/ redundant path to a segment where a designated port already connects.
As shown in
, CP3 is a backup port.
A master port is on the shortest path connecting MST regions to the CIST root.
BPDUs of an MST region are sent to the CIST root through the master port.
Master ports are special regional edge ports, functioning as root ports on ISTs or CISTs and master ports in instances.
As shown in
, S1, S2, S3, and S4 form an MST region. AP1 on S1, being the nearest port in the region to the CIST root, is the master port.
Regional edge port
A regional edge port is located at the edge of an MST region and connects to another MST region or an SST.
During MSTP calculation, the roles of a regional edge port in the MSTI and the
CIST instance are the same. If the regional edge port is the master port in the
CIST instance, it is the master port in all the MSTIs in the region.
As shown in
, AP1, DP1, and DP2 in an MST region are directly connected to other regions, and therefore they are all regional edge ports of the
MST region.
AP1 is a master port in the CIST. Therefore, AP1 is the master port in every
MSTI in the MST region.
Edge port An edge port is located at the edge of an MST region and does not connect to any switching device.
Generally, edge ports are directly connected to terminals.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
231
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 7-7 Root port, designated port, alternate port, and backup port
S1
AP2
Root
AP3
7 MSTP Configuration
CP2
CP1
S3
CP3
BP1
S2
BP2 root port designated port
Alternate port
Backup port
Figure 7-8 Master port and regional edge port
Connect to the
CIST root
AP1
Master
S1
S2 S3
S4
DP1 DP2
MST Region
The port is blocked
MSTP Port Status
lists the MSTP port status, which is the same as the RSTP port status.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
232
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
Table 7-3 Port status
Port
Status
Description
Forwardi ng
A port in the Forwarding state can send and receive BPDUs as well as forward user traffic.
Learning A port in the Learning state learns MAC addresses from user traffic to construct a MAC address table.
In the Learning state, the port can send and receive BPDUs, but not forward user traffic.
Discardin g
A port in the Discarding state can only receive BPDUs.
There is no necessary link between the port status and the port role. Table 7-4 lists the
relationships between port roles and port status.
Table 7-4 Relationships between port roles and port status
Port
Status
Root Port/
Master Port
Designated
Port
Regional
Edge Port
Forwardi ng
Yes Yes Yes
Learning Yes
Discardi ng
Yes
Yes
Yes
Yes
Yes
Alternate
Port
No
No
Yes
Backup Port
No
No
Yes
NOTE
Yes: The port supports this status.
No: The port does not support this status.
7.2.3 MST BPDUs
MSTP calculates spanning trees on the basis of Multiple Spanning Tree Bridge Protocol Data
Units (MST BPDUs). By transmitting MST BPDUs, spanning tree topologies are computed, network topologies are maintained, and topology changes are conveyed.
Table 7-5 shows differences between TCN BPDUs, configuration BPDUs defined by STP, RST
BPDUs defined by RSTP, and MST BPDUs defined by MSTP.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
233
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Table 7-5 Differences between BPDUs
Version Type
0 0x00
0 0x80
2
3
0x02
0x02
7 MSTP Configuration
Name
Configuration BPDU
TCN BPDU
RST BPDU
MST BPDU
MST BPDU Format
shows the MST BPDU format.
Figure 7-9 MST BPDU format
MST special fields
Protocol Identifier
Protocol Version Identifier
BPDU Type
CIST Flags
CIST Root Identifier
CIST External Path Cost
CIST Regional Root Identifier
CIST Port Identifier
Message Age
Max Age
Hello Time
Forward Delay
Version 1 Length=0
Version 3 Length
MST Configuration Identifier
CIST Internal Root Path Cost
CIST Bridge Identifier
CIST Remaining Hops
MSTI Configuration Messages
(may be absent)
Octet
1-2
3
4
5
6-13
14-17
18-25
26-27
28-29
30-31
32-33
34-35
36
37-38
39-89
90-93
94-101
102
103-39+Version
3 Length
Issue 01 (2014-11-30)
The first 36 bytes of an intra-region or inter-region MST BPDU are the same as those of an RST
BPDU.
Fields from the 37th byte of an MST BPDU are MSTP-specific. The field MSTI Configuration
Messages consists of configuration messages of multiple MSTIs.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
234
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
lists the major information carried in an MST BPDU.
Table 7-6 Major information carried in an MST BPDU
Field
Protocol
Identifier
Byte
2
Description
Indicates the protocol identifier.
Protocol
Version
Identifier
1 Indicates the protocol version identifier. 0 indicates STP;
2 indicates RSTP; 3 indicates MSTP.
BPDU Type 1
CIST Flags
CIST Root
Identifier
CIST External
Path Cost
1
8
4
Indicates the BPDU type: l 0x00: Configuration BPDU for STP l 0x80: TCN BPDU for STP l 0x02: RST BPDU or MST BPDU
Indicates the CIST flags.
Indicates the CIST root switching device ID.
CIST Regional
Root Identifier
8
Indicates the total path costs from the MST region where the switching device resides to the MST region where the
CIST root switching device resides. This value is calculated based on link bandwidth.
Indicates the ID of the regional root switching device on the CIST, that is, the IST master ID. If the root is in this region, the CIST Regional Root Identifier is the same as the CIST Root Identifier.
Indicates the ID of the designated port in the IST.
CIST Port
Identifier
2
Message Age 2
Max Age 2
Hello Time
Forward Delay
2
2
Indicates the lifecycle of the BPDU.
Indicates the maximum lifecycle of the BPDU. If the
Max Age timer expires, it is considered that the link to the root fails.
Indicates the Hello timer value. The default value is 2 seconds.
Indicates the forwarding delay timer. The default value is 15 seconds.
Version 1
Length
Version 3
Length
1
2
Indicates the BPDUv1 length, which has a fixed value of
0.
Indicates the BPDUv3 length.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
235
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
Field
MST
Configuration
Identifier
CIST Internal
Root Path Cost
Byte
51
4
Description
Indicates the MST configuration identifier, which has four fields.
CIST Bridge
Identifier
CIST
Remaining
Hops
MSTI
Configuration
Messages(may be absent)
8
1
16
Indicates the total path costs from the local port to the
IST master. This value is calculated based on link bandwidth.
Indicates the ID of the designated switching device on the CIST.
Indicates the remaining hops of the BPDU in the CIST.
Indicates an MSTI configuration message. Each MSTI configuration message occupies 16 bytes. If there are n
MSTIs, MSTI configuration messages are of n x16 bytes.
Configurable MST BPDU Format
Currently, there are two MST BPDU formats: l dot1s: BPDU format defined in IEEE 802.1s.
l legacy: private BPDU format.
If a port transmits either dot1s or legacy BPDUs by default, the user needs to identify the format of BPDUs sent by the peer, and then runs a command to configure the port to support the peer
BPDU format. Once the configuration is incorrect, a loop probably occurs due to incorrect MSTP calculation.
By using the stp compliance command, you can configure a port on a Huawei datacom device to automatically adjust the MST BPDU format. With this function, the port automatically adopts the peer BPDU format. The following MST BPDU formats are supported by Huawei datacom devices: l auto l dot1s l legacy
In addition to dot1s and legacy formats, the auto mode allows a port to automatically switch to the BPDU format used by the peer based on BPDUs received from the peer. In this manner, the two ports use the same BPDU format. In auto mode, a port uses the dot1s BPDU format by default, and keeps pace with the peer after receiving BPDUs from the peer.
Configurable Maximum Number of BPDUs Sent by a Port at a Hello Interval
BPDUs are sent at Hello intervals to maintain the spanning tree. If a switching device does not receive any BPDU during a certain period of time, the spanning tree will be re-calculated.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
236
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
After a switching device becomes the root, it sends BPDUs at Hello intervals. Non-root switching devices adopt the Hello Time value set for the root.
Huawei datacom devices allow the maximum number of BPDUs sent by a port at a Hello interval to be configured as needed.
The greater the Hello Time value, the more BPDUs sent at a Hello interval. Setting the Hello
Time to a proper value limits the number of BPDUs sent by a port at a Hello interval. This helps prevent network topology flapping and avoid excessive use of bandwidth resources by BPDUs.
7.2.4 MSTP Topology Calculation
MSTP Principle
In MSTP, the entire Layer 2 network is divided into multiple MST regions, which are interconnected by a single CST. In an MST region, multiple spanning trees are calculated, each of which is called an MSTI. Among these MSTIs, MSTI 0 is also known as the internal spanning tree (IST). Like STP, MSTP uses configuration messages to calculate spanning trees, but the configuration messages are MSTP-specific.
Vectors
Both MSTIs and the CIST are calculated based on vectors, which are carried in MST BPDUs.
Therefore, switching devices exchange MST BPDUs to calculate MSTIs and the CIST.
l Vectors are described as follows:
– The following vectors participate in the CIST calculation:
{ root ID, external root path cost, region root ID, internal root path cost, designated switching device ID, designated port ID, receiving port ID }
– The following vectors participate in the MSTI calculation:
{ regional root ID, internal root path cost, designated switching device ID, designated port ID, receiving port ID }
The priorities of vectors in braces are in descending order from left to right.
Table 7-7 describes the vectors.
Table 7-7 Vector description
Vector Name
Root ID
External root path cost (ERPC)
Description
Identifies the root switching device for the CIST. The root identifier consists of the priority value (16 bits) and MAC address (48 bits).
The priority value is the priority of MSTI 0.
Indicates the path cost from a CIST regional root to the root. ERPCs saved on all switching devices in an MST region are the same. If the CIST root is in an MST region, ERPCs saved on all switching devices in the MST region are 0s.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
237
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
Vector Name Description
Regional root ID Identifies the MSTI regional root. The regional root ID consists of the priority value (16 bits) and MAC address (48 bits).
The priority value is the priority of MSTI 0.
Internal root path cost (IRPC)
Designated switching device
ID
Designated port
ID
Indicates the path cost from the local bridge to the regional root.
The IRPC saved on a regional edge port is greater than the IRPC saved on a non-regional edge port.
Identifies the nearest upstream bridge on the path from the local bridge to the regional root. If the local bridge is the root or the regional root, this ID is the local bridge ID.
Identifies the port on the designated switching device connected to the root port on the local bridge. The port ID consists of the priority value (4 bits) and port number (12 bits). The priority value must be a multiple of 16.
Receiving port ID Identifies the port receiving the BPDU. The port ID consists of the priority value (4 bits) and port number (12 bits). The priority value must be a multiple of 16.
l The vector comparison principle is as follows:
For a vector, the smaller the priority value, the higher the priority.
Vectors are compared based on the following rules:
1.
Compare the IDs of the roots.
2.
If the IDs of the roots are the same, compare ERPCs.
3.
If ERPCs are the same, compare the IDs of regional roots.
4.
If the IDs of regional roots are the same, compare IRPCs.
5.
If IRPCs are the same, compare the IDs of designated switching devices.
6.
If the IDs of designated switching devices are the same, compare the IDs of designated ports.
7.
If the IDs of designated ports are the same, compare the IDs of receiving ports.
If the priority of a vector carried in the configuration message of a BPDU received by a port is higher than the priority of the vector in the configuration message saved on the port, the port replaces the saved configuration message with the received one. In addition, the port updates the global configuration message saved on the device. If the priority of a vector carried in the configuration message of a BPDU received on a port is equal to or lower than the priority of the vector in the configuration message saved on the port, the port discards the BPDU.
CIST Calculation
After completing the configuration message comparison, the switching device with the highest priority on the entire network is selected as the CIST root. MSTP calculates an IST for each
MST region, and computes a CST to interconnect MST regions. On the CST, each MST region is considered a switching device. The CST and ISTs constitute a CIST for the entire network.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
238
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
MSTI Calculation
In an MST region, MSTP calculates an MSTI for each VLAN based on mappings between
VLANs and MSTIs. Each MSTI is calculated independently. The calculation process is similar to the process for STP to calculate a spanning tree. For details, see
.
MSTIs have the following characteristics: l The spanning tree is calculated independently for each MSTI, and spanning trees of MSTIs are independent of each other.
l MSTP calculates the spanning tree for an MSTI in the manner similar to STP.
l Spanning trees of MSTIs can have different roots and topologies.
l Each MSTI sends BPDUs in its spanning tree.
l The topology of each MSTI is configured by using commands.
l A port can be configured with different parameters for different MSTIs.
l A port can play different roles or have different status in different MSTIs.
On an MSTP-aware network, a VLAN packet is forwarded along the following paths: l MSTI in an MST region l CST among MST regions
MSTP Responding to Topology Changes
MSTP topology changes are processed in the manner similar to that in RSTP. For details about
how RSTP processes topology changes, see 6.2.6 RSTP Technology Details .
7.2.5 MSTP Fast Convergence
MSTP supports both ordinary and enhanced Proposal/Agreement (P/A) mechanisms: l Ordinary P/A
The ordinary P/A mechanism supported by MSTP is implemented in the same manner as that supported by RSTP. For details about the P/A mechanism supported by RSTP, see
.
l Enhanced P/A
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
239
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 7-10 Enhanced P/A mechanism
Upstream device
Downstream device
7 MSTP Configuration
The designated port enters the
Forwarding state
Sends a proposal so that the port can rapidly enter the
Forwarding state
Sends an agreement
Sends an agreement
The root port blocks all the other nonedge ports
The root port enters the
Forwarding state root port designated port
As shown in Figure 7-10 , in MSTP, the P/A mechanism works as follows:
1.
The upstream device sends a proposal to the downstream device, indicating that the port connecting to the downstream device wants to enter the Forwarding state as soon as possible. After receiving this BPDU, the downstream device sets its port connecting to the upstream device to the root port, and blocks all non-edge ports.
2.
The upstream device continues to send an agreement. After receiving this BPDU, the root port enters the Forwarding state.
3.
The downstream device replies with an agreement. After receiving this BPDU, the upstream device sets its port connecting to the downstream device to the designated port, and the port enters the Forwarding state.
By default, Huawei datacom devices use the fast transition mechanism in enhanced mode. To enable a Huawei datacom device to communicate with a third-party device that use the fast transition mechanism in common mode, configure the Proposal/Agreement mechanism on the
Huawei datacom device so that the Huawei datacom device works in common mode.
7.3 Application Environment
This section describes the applicable environment of MSTP.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
240
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Application of MSTP
Figure 7-11 Networking diagram for a typical MSTP application
S1
MST Region
all VLAN
S2
7 MSTP Configuration
VLAN
10&20 VLAN
10&20
VLAN
20&30
VLAN
20&30
S3
VLAN
20&40
S4
MSTP allows packets in different VLANs to be forwarded by using different spanning tree instances, as shown in
Figure 7-11 . The configurations are as follows:
l All devices on the network belong to the same MST region.
l VLAN 10 packets are forwarded within MSTI 1; VLAN 30 packets are forwarded within
MSTI 3; VLAN 40 packets are forwarded within MSTI 4; VLAN 20 packets are forwarded within MSTI 0.
In
, S1 and S2 are devices at the aggregation layer; S3 and S4 are devices at the access layer. Traffic from VLAN 10 and VLAN 30 is terminated by aggregation devices, and traffic from VLAN 40 is terminated by the access device. Therefore, S1 and S2 can be configured as the roots of MSTI 1 and MSTI 3, and S3 can be configured as the root of MSTI 4.
7.4 Configuration Task Summary
This section describes the configuration task and logic of MSTP.
lists the configuration task summary of MSTP.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
241
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
Table 7-8 Configuration task summary of MSTP
Item Description
Configuring Basic MSTP
Functions
MSTP is commonly configured on switching devices to trim a ring network to a loop-free network.
Devices start spanning tree calculation after the working mode is set and MSTP is enabled. Use any of the following methods if you need to intervene in the spanning tree calculation: l Manually configure the root bridge and secondary root bridge l Set a priority for a switching device in an
MSTI l Set a path cost for a port in an MSTI l Set a priority for a port in an MSTI
Configuring MSTP
Parameters on an Interface
Configuring MSTP
Protection Functions
Proper MSTP parameter settings achieve rapid convergence.
This section describes how to configure MSTP protection functions. You can configure one or more functions.
Configuring MSTP
Interoperability Between
Huawei Devices and Non-
Huawei Devices
To communicate with a non-
Huawei device, set proper parameters on the MSTPenabled Huawei device.
Task
7.5 Default Configuration
This section describes the default MSTP configuration. You can change the configuration based on actual needs.
Parameter
Working mode
Default Setting
MSTP
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
242
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
Parameter
MSTP status
Switching device priority
Port priority
Algorithm used to calculate the default path cost
Forward Delay Time
Hello Time
Max Age Time
Default Setting
MSTP is enabled globally and on an interface.
32768
128 dot1t, IEEE 802.1t
1500 centiseconds
200 centiseconds
2000 centiseconds
7.6 Configuring MSTP
This section describes the MSTP configuration.
7.6.1 Configuring Basic MSTP Functions
MSTP based on the basic STP/RSTP function divides a switching network into multiple regions, each of which has multiple spanning trees that are independent of each other. MSTP isolates different VLANs' traffic, and load-balances VLAN traffic.
Context
MSTP is commonly configured on switching devices to trim a ring network to a loop-free network. Devices start spanning tree calculation after the working mode is set and MSTP is enabled. Use any of the following methods if you need to intervene in the spanning tree calculation: l Manually configure the root bridge and secondary root bridge.
l Set a priority for a switching device in an MSTI: The lower the numerical value, the higher the priority of the switching device and the more likely the switching device becomes a root bridge; the higher the numerical value, the lower the priority of the switching device and the less likely that the switching device becomes a root bridge.
l Set a path cost for a port in an MSTI: With the same calculation method, the lower the numerical value, the smaller the cost of the path from the port to the root bridge and the more likely the port becomes a root port; the higher the numerical value, the larger the cost of the path from the port to the root bridge and the less likely that the port becomes a root port.
l Set a priority for a port in an MSTI: The lower the numerical value, the more likely the port becomes a designated port; the higher the numerical value, the less likely that the port becomes a designated port.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
243
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
7.6.1.1 Configuring the MSTP Mode
Context
Before configuring basic MSTP functions, set the working mode of a switching device to MSTP.
MSTP is compatible with STP and RSTP.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp mode mstp
The working mode of the switching device is set to MSTP. By default, the working mode is
MSTP.
STP and MSTP cannot recognize packets of each other, but MSTP and RSTP can. If an MSTPenabled switching device is connected to switching devices running STP, interfaces of the
MSTP-enabled switching device connected to devices running STP automatically transition to
STP mode, and other interfaces still work in MSTP mode. This enables devices running different spanning tree protocols to interwork with each other.
----End
7.6.1.2 Configuring and Activating an MST Region
Context
An MST region contains multiple switching devices and network segments. These switching devices are directly connected and have the same region name, same VLAN-to-instance mapping, and the same configuration revision number after MSTP is enabled. One switching network can have multiple MST regions. You can use MSTP commands to group multiple switching devices into one MST region.
NOTE
Two switching devices belong to the same MST region when they have the same: l Name of the MST region l Mapping between VLANs and MSTIs l Revision level of the MST region
Perform the following steps on a switching device that needs to join an MST region.
Procedure
Step 1 Run: system-view
The system view is displayed.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
244
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
Step 2 Run: stp region-configuration
The MST region view is displayed.
Step 3 Run: region-name name
The name of an MST region is configured.
By default, the MST region name is the MAC address of the management network interface on the MPU of the switching device.
Step 4 Perform either of the following steps to configure VLAN-to-instance mappings.
l Run the instance instance-id vlan { vlan-id1 [ to vlan-id2 ] }&<1-10> command to configure
VLAN-to-instance mappings.
l Run the vlan-mapping modulo modulo command to enable VLAN-to-instance mapping assignment based on a default algorithm.
By default, all VLANs in an MST region are mapped to MSTI 0.
NOTE l The VLAN-to-instance mappings generated using the vlan-mapping modulo modulo commands cannot meet network requirements. It is recommended that you run the instance instance-id vlan
{ vlan-id1 [ to vlan-id2 ] }&<1-10> command to configure VLAN-to-instance mappings.
l The vlan-mapping modulo specifies the formula (VLAN ID-1)%modulo+1. In the formula, (VLAN
ID-1)%modulo means the remainder of (VLAN ID-1) divided by the value of modulo. This formula is used to map a VLAN to the corresponding MSTI. The calculation result of the formula is the ID of the mapping MSTI.
Step 5 (Optional) Run: revision-level level
The MSTP revision number is set.
By default, the MSTP revision number is 0.
If the revision number of the MST region is not 0, this step is necessary.
NOTICE
Changing MST region configurations (especially change of the VLAN mapping table) triggers spanning tree recalculation and causes route flapping. Therefore: l After configuring an MST region name, VLAN-to-instance mappings, and an MSTP revision number, run the check region-configuration command in the MST region view to verify the configuration. After confirming the region configurations, run the active regionconfiguration command to activate MST region configurations.
l You are advised not to modify MST region parameters after the MST region is activated.
Step 6 Run: active region-configuration
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
245
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
7 MSTP Configuration
7.6.1.3 (Optional) Configuring the Root Bridge and Secondary Root Bridge
Context
The root bridge can be calculated through calculation. You can also manually configure the root bridge or secondary root bridge.
l A switching device plays different roles in different spanning trees. The switching device can function as the root switch or secondary root switch of a spanning tree and the root switch or secondary root switch of another spanning tree. The switching device can function as only the root switch or secondary root switch of the same spanning tree.
l In a spanning tree, only one root bridge takes effect. When two or more than two devices are specified as root bridges of a spanning tree, the device with the smallest MAC address is used as the root bridge.
l You can specify multiple secondary root bridges for each spanning tree. When the root bridge fails or is powered off, the secondary root bridge becomes the new root bridge. If a new root bridge is specified, the secondary root bridge will not become the root bridge. If multiple secondary root bridges are configured, the secondary root bridge with smallest
MAC address will become the root bridge of the spanning tree.
NOTE
It is recommended that the root bridge and secondary root bridge be configured manually.
Procedure
MST region configurations are activated so that the configured region name, VLAN-to-instance mappings, and revision number can take effect.
If this step is not done, the preceding configurations cannot take effect.
If you have changed MST region configurations on the switching device after MSTP starts, run the active region-configuration command to activate the MST region so that the changed configurations can take effect.
----End l Perform the following operations on the device to be used as the root bridge.
1.
Run: system-view
The system view is displayed.
2.
Run: stp [ instance instance-id ] root primary
The device is configured as the root bridge.
By default, a switching device does not function as the root bridge. After the configuration is complete, the BID of the device is 0 and cannot be changed.
If instance is not specified, the device in MSTI 0 is a root bridge.
l Perform the following operations on the device to be used as the secondary root bridge.
1.
Run: system-view
Issue 01 (2014-11-30) 246
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
The system view is displayed.
2.
Run: stp [ instance instance-id ] root secondary
The device is configured as the secondary root bridge.
By default, a switching device does not function as the secondary root bridge. After the configuration is complete, the BID of the device is 4096 and cannot be changed.
If instance is not specified, the device in MSTI 0 is a backup root bridge.
----End
7.6.1.4 (Optional) Configuring a Priority for a Switching Device in an MSTI
Context
In an MSTI, there is only one root bridge, which is the logic center of the MSTI. During root bridge selection, a high-performance switching device at a high network layer should be selected as the root bridge; however, the priority of such a device may not be the highest on the network.
It is therefore necessary to set a high priority for the switching device to ensure that the device functions as a root bridge.
Low-performance devices at lower network layers are not fit to serve as a root bridge. Therefore, set low priorities for these devices.
A switching device with a high priority is more likely to be selected as the root bridge in an
MSTI. A smaller priority value indicates a higher priority.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp [ instance instance-id ] priority priority
A priority is set for the switching device in an MSTI.
The default priority value of the switching device is 32768.
If the instance-id is not designated, a priority is set for the switching device in MSTI0.
NOTE
If the stp [ instance instance-id ] root primary or stp [ instance instance-id ] root secondary command has been executed to configure the device as the root bridge or secondary root bridge, to change the device priority, run the undo stp [ instance instance-id ] root command to disable the root bridge or secondary root bridge function and run the stp [ instance instance-id ] priority priority command to set a priority.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
247
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
7.6.1.5 (Optional) Configuring a Path Cost of a Port in an MSTI
Context
A path cost is port-specific and is used by MSTP to select a link.
Path costs of ports are an important basis for calculating spanning trees. If you set different path costs for a port in different MSTIs, VLAN traffic can be transmitted along different physical links for load balancing.
The MSTP path cost determines root port selection in an MSTI. The port with the lowest path cost to the root bridge is selected as the root port.
In the Huawei calculation method for example, the link rate determines the recommended value for the path cost. The following table lists the recommended path costs for ports with different link rates.
Table 7-9 Mappings between link rates and path cost values
Link Rate
10 Mbit/s
Recommended
Path Cost
2000
Recommended
Path Cost Range
200 to 20000
100 Mbit/s 200 20 to 2000
1 Gbit/s
10 Gbit/s
Higher than 10 Gbit/ s
20
2
1
2 to 200
2 to 20
1 to 2
7 MSTP Configuration
Path Cost Range
1 to 200000
1 to 200000
1 to 200000
1 to 200000
1 to 200000
If a network has loops, it is recommended that you set a relatively large path cost for ports with low link rates.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp pathcost-standard { dot1d-1998 | dot1t | legacy }
A path cost calculation method is configured.
By default, the IEEE 802.1t standard ( dot1t ) is used to calculate the default path cost.
All switching devices on a network must use the same path cost calculation method.
Step 3 Run: interface interface-type interface-number
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
248
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
The Ethernet interface view is displayed.
Step 4 Run: stp instance instance-id cost cost
A path cost is set for the port in the current MSTI.
l When the Huawei calculation method is used, cost ranges from 1 to 200000.
l When the IEEE 802.1d standard method is used, cost ranges from 1 to 65535.
l When the IEEE 802.1t standard method is used, cost ranges from 1 to 200000000.
----End
7.6.1.6 (Optional) Configuring a Port Priority in an MSTI
Context
During spanning tree calculation, port priorities in MSTIs determine which ports are selected as designated ports.
To block a port in an MSTI to eliminate loops, set the port priority value to larger than the default value. This port will be blocked during designated port selection.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run: stp instance instance-id port priority priority
A port priority is set in an MSTI.
By default, the port priority is 128.
The value range of the priority is from 0 to 240, in steps of 16.
----End
7.6.1.7 Enabling MSTP
Context
After configuring basic MSTP functions on a switching device, enable MSTP function.
After MSTP is enabled on a ring network, it immediately calculates spanning trees on the network. Configurations on the switching device, such as, the switching device priority and port priority, will affect spanning tree calculation. Any change to the configurations may cause
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
249
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration network flapping. Therefore, to ensure rapid and stable spanning tree calculation, perform basic configurations on the switching device and its ports and enable MSTP.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp enable
MSTP is enabled on the switching device.
By default, the MSTP function is enabled on the device.
----End
Follow-up Procedure
When the topology of a spanning tree changes, the forwarding paths to associated VLANs are changed. The ARP entries corresponding to those VLANs on the switching device need to be updated. MSTP processes ARP entries in either fast or normal mode.
l In fast mode, ARP entries to be updated are directly deleted.
l In normal mode, ARP entries to be updated are rapidly aged.
The remaining lifetime of ARP entries to be updated is set to 0. The switching device rapidly processes these aged entries. If the number of ARP aging probe attempts is not set to 0,
ARP implements aging probe for these ARP entries.
You can run the stp converge { fast | normal } command in the system view to configure the
STP/RSTP convergence mode.
By default, the normal MSTP convergence mode is used.
NOTE
The normal mode is recommended. If the fast mode is adopted, ARP entries will be frequently deleted, causing the CPU usage on device to reach 100%. As a result, network flapping will frequently occur.
7.6.1.8 Checking the Configuration
Procedure l Run the display stp [ instance instance-id ] [ interface interface-type interface-number ]
[ brief ] command to view spanning-tree status and statistics.
l Run the display stp region-configuration command to view configurations of activated
MST regions.
l Run the display stp region-configuration digest command to view the digest configurations of activated MST regions.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
250
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
7.6.2 Configuring MSTP Parameters on an Interface
Proper MSTP parameter settings achieve rapid convergence.
7 MSTP Configuration
Pre-configuration Tasks
Before configuring MSTP parameters that affect route convergence, complete the following task: l Configuring MSTP
7.6.2.1 Setting the MSTP Network Diameter
Context
Any two terminals on a switching network are connected through a specific path along multiple devices. The network diameter is the maximum number of devices between any two terminals.
A larger network diameter indicates a larger network scale.
An improper network diameter may cause slow network convergence and affect communication.
Run the stp bridge-diameter command to set an appropriate network diameter based on the network scale, which helps speed up convergence.
It is recommended that all devices be configured with the same network diameter.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp bridge-diameter diameter
The network diameter is configured.
By default, the network diameter is 7.
NOTE l RSTP uses a single spanning tree instance on the entire network. As a result, performance deterioration cannot be prevented when the network scale grows. Therefore, the network diameter cannot be larger than 7.
l It is recommended that you run the stp bridge-diameter diameter command to set the network diameter. Then, the switching device calculates the optimal Forward Delay period, Hello timer value, and Max Age timer value based on the set network diameter.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
251
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
7.6.2.2 Setting the MSTP Timeout Interval
Context
If a device does not receive any BPDUs from the upstream device within the timeout interval, the device considers the upstream device to have failed and recalculates the spanning tree.
Sometimes, a device cannot receive the BPDU from the upstream device within the timeout interval because the upstream device is busy. In this case, recalculating the spanning tree will cause a waste of network resources. To avoid wasting network resources, set a long timeout interval on a stable network.
If a switching device does not receive any BPDUs from the upstream device within the timeout interval, spanning tree recalculation is performed. The timeout interval is calculated as follows:
Timeout interval = Hello time x 3 x Timer Factor
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp timer-factor factor
The timeout period for waiting for BPDUs from the upstream device is set.
By default, the timeout period is 9 times the Hello timer value.
----End
7.6.2.3 Setting the Values of MSTP Timers
Context
The following timers are used in spanning tree calculation: l Forward Delay: specifies the delay before a state transition. After the topology of a ring network changes, it takes some time to spread the new configuration BPDU throughout the entire network. As a result, the original blocked port may be unblocked before a new port is blocked. When this occurs, a loop exists on the network. You can set the Forward Delay timer to prevent loops. When the topology changes, all ports will be temporarily blocked during the Forward Delay.
l Hello Time: specifies the interval at which hello packets are sent. A switching device sends configuration BPDUs at the specified interval to detect link failures. If the switching device does not receive any BPDUs within an interval of Hello Time, the switching device recalculates the spanning tree.
l Max Age: determines whether BPDUs expire. A switching device determines that a received configuration BPDU times out when the Max Age expires.
Devices on a ring network must use the same values of Forward Delay, Hello Time, and Max
Age.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
252
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
You are not advised to directly change the preceding three timers. The three parameters are relevant to the network scale; therefore, it is recommended that you set the network diameter so that the spanning tree protocol automatically adjusts these timers. When the default network diameter is used, the three timers also retain their default values.
NOTICE
To prevent frequent network flapping, make sure that the Hello Time, Forward Delay, and Max
Age timer values conform to the following formulas: l 2 x (Forward Delay - 1.0 second) >= Max Age l Max Age >= 2 x (Hello Time + 1.0 second)
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Set Forward Delay, Hello Time, and Max Age.
1.
Run: stp timer forward-delay forward-delay
The value of Forward Delay of the switching device is set.
By default, the value of Forward Delay of the switching device is 1500 centiseconds.
2.
Run: stp timer hello hello-time
The value of Hello Time of the switching device is set.
By default, the value of Hello Time of the switching device is 200 centiseconds.
3.
Run: stp timer max-age max-age
The value of Max Age of the switching device is set.
By default, the value of Max Age of the switching device is 2000 centiseconds.
----End
7.6.2.4 Setting the Maximum Number of Connections in an Eth-Trunk that Affects
Spanning Tree Calculation
Context
The path costs affect spanning tree calculation. Changes of path costs trigger spanning tree recalculation. The path cost of an interface is affected by its bandwidth, so you can change the interface bandwidth to affect spanning tree calculation.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
253
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
As shown in Figure 7-12 , deviceA and deviceB are connected through two Eth-Trunk links.
Eth-Trunk 1 has three member interfaces in Up state and Eth-Trunk 2 has two member interfaces in Up state. Each member link has the same bandwidth, and deviceA is selected as the root bridge.
l Eth-Trunk 1 has higher bandwidth than Eth-Trunk 2. After STP calculation, Eth-Trunk 1 on deviceB is selected as the root port and Eth-Trunk 2 is selected as the alternate port.
l If the maximum number of connections affecting bandwidth of Eth-Trunk 1 is set to 1, the path cost of Eth-Trunk 1 is larger than the path cost of Eth-Trunk 2. Therefore, the two devices perform spanning tree recalculation. Then Eth-Trunk 1 on deviceB becomes the alternate port and Eth-Trunk 2 becomes the root port.
Figure 7-12 Setting the maximum number of connections in an Eth-Trunk
RouterA RouterB
Before configuration
Eth-Trunk1
Eth-Trunk2
After configuration
RouterA
Eth-Trunk1
Eth-Trunk2
RouterB
Alternate port
Root port
Designated port
NOTE
The maximum number of connections affects only the path cost of an Eth-Trunk interface participating in spanning tree calculation, and does not affect the actual bandwidth of the Eth-Trunk link. The actual bandwidth for an Eth-Trunk link depends on the number of active member interfaces in the Eth-Trunk.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface eth-trunk trunk-id
The Eth-Trunk interface view is displayed.
Step 3 Run: max bandwidth-affected-linknumber link-number
The maximum number of connections affecting the Eth-Trunk bandwidth is set.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
254
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
By default, the maximum number of connections affecting the bandwidth of an Eth-Trunk is
8.
----End
7.6.2.5 Setting the Link Type of a Port
Context
It is easy to implement rapid convergence on a P2P link. If the two ports connected to a P2P link are root or designated ports, the ports can transit to the forwarding state quickly by sending
Proposal and Agreement packets. This reduces the forwarding delay.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The view of the Ethernet interface participating in STP calculation is displayed.
Step 3 Run: stp point-to-point { auto | force-false | force-true }
The link type is configured for the interface.
By default, an interface automatically determines whether to connect to a P2P link. The P2P link supports rapid network convergence.
l If the Ethernet port works in full-duplex mode, the port is connected to a P2P link. In this case, force-true can be configured to implement rapid network convergence.
l If the Ethernet port works in half-duplex mode, you can run stp point-to-point force-true to forcibly set the link type to P2P.
----End
7.6.2.6 Setting the Maximum Transmission Rate of an Interface
Context
.A larger value of packet-number indicates more BPDUs sent in a hello interval and therefore more system resources occupied. Setting the proper value of packet-number prevents excess bandwidth usage when route flapping occurs.
Procedure
Step 1 Run: system-view
The system view is displayed.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
255
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
Step 2 Run: interface interface-type interface-number
The view of the Ethernet interface participating in STP calculation is displayed.
Step 3 Run: stp transmit-limit packet-number
The maximum number of BPDUs sent by a port in a specified period is set.
By default, the maximum number of BPDUs that a port sends is 6 per second.
----End
7.6.2.7 Switching to the MSTP Mode
Context
If an interface on an MSTP-enabled device is connected to an STP-enabled device, the interface switches to the STP compatible mode.
If the STP-enabled device is powered off or disconnected from the MSTP-enabled device, the interface cannot switch to the MSTP mode. In this case, you can switch the interface to the MSTP mode by using the stp mcheck command.
In the following cases, you need to manually switch the interface back to the MSTP mode manually: l The STP-enabled device is shut down or disconnected.
l The STP-enabled device is switched to the MSTP mode.
Procedure l Switching to the MSTP mode in the interface view
1.
Run: system-view
The system view is displayed.
2.
Run: interface interface-type interface-number
The view of the Ethernet interface that participates in spanning tree calculation is displayed.
3.
Run: stp mcheck
The device is switched to the MSTP mode.
l Switching to the MSTP mode in the system view
1.
Run: system-view
The system view is displayed.
2.
Run: stp mcheck
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
256
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
The device is switched to the MSTP mode.
----End
7.6.2.8 Configuring a Port as an Edge Port and BPDU Filter Port
Context
If a designated port is located at the edge of a network and is directly connected to terminal devices, this port is called edge port.
An edge port does not receive or process configuration BPDUs, or MSTP calculation. It can transit from Disable to Forwarding without any delay.
After a designated port is configured as an edge port, the port can still send BPDUs. Then BPDUs are sent to other networks, causing flapping of other networks. You can configure a port as an edge port and BPDU filter port so that the port does not process or send BPDUs.
NOTICE
After all ports are configured as edge ports and BPDU filter ports in the system view, none of ports on the device send BPDUs or negotiate the STP status with directly connected ports on the peer device. All ports are in forwarding state. This may cause loops on the network, leading to broadcast storms. Exercise caution when you configure a port as an edge port and BPDU filter port.
After a port is configured as an edge port and BPDU filter port in the interface view, the port does not process or send BPDUs. The port cannot negotiate the STP status with the directly connected port on the peer device. Exercise caution when you configure a port as an edge port and BPDU filter port.
Procedure
Issue 01 (2014-11-30) l Configuring all ports as edge ports and BPDU filter ports in the system view
1.
Run: system-view
The system view is displayed.
2.
Run: stp edged-port default
All ports are configured as edge ports.
By default, all ports are non-edge ports.
3.
Run: stp bpdu-filter default
All ports are configured as BPDU filter ports.
By default, a port is a non-BPDU filter port.
l Configuring a port as an edge port and BPDU filter port in the interface view
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
257
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
1.
Run: system-view
The system view is displayed.
2.
Run: interface interface-type interface-number
The view of the Ethernet interface that participates in spanning tree calculation is displayed.
3.
(Optional) Run: stp edged-port enable
The port is configured as an edge port.
By default, all ports are non-edge ports.
4.
Run: stp bpdu-filter enable
The port is configured as a BPDU filter port.
By default, a port is a non-BPDU filter port.
----End
7.6.2.9 Setting the Maximum Number of Hops in an MST Region
Context
Switching devices on a Layer 2 network running MSTP communicate with each other by exchanging MST BPDUs. An MST BPDU has a field that indicates the number of remaining hops.
l The number of remaining hops in a BPDU sent by the root switching device equals the maximum number of hops.
l The number of remaining hops in a BPDU sent by a non-root switching device equals the maximum number of hops minus the number of hops from the non-root switching device to the root switching device.
l If a switching device receives a BPDU in which the number of remaining hops is 0, the switching device will discard the BPDU.
Therefore, the maximum number of hops of a spanning tree in an MST region determines the network scale. The stp max-hops command can be used to set the maximum number of hops in an MST domain so that the network scale of a spanning tree can be controlled.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp max-hops hop
The maximum number of hops in an MST region is set.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
258
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
By default, the maximum number of hops of the spanning tree in an MST region is 20.
----End
7.6.2.10 Checking the Configuration
Procedure l Run the display stp [ instance instance-id ] [ interface interface-type interface-number ]
[ brief ] command to view spanning-tree status and statistics.
----End
7.6.3 Configuring MSTP Protection Functions
Huawei datacom devices provide the following MSTP protection functions. You can configure one or more functions.
Pre-configuration Tasks
Before configuring MSTP protection functions, complete the following task: l Configuring MSTP
7.6.3.1 Configuring BPDU Protection on a Switching Device
Context
Edge ports are directly connected to user terminal and will not receive BPDUs. Attackers may send pseudo BPDUs to attack the switching device. If the edge ports receive the BPDUs, the switching device configures the edge ports as non-edge ports and triggers a new spanning tree calculation. Network flapping then occurs. BPDU protection can be used to protect switching devices against malicious attacks.
NOTE
Perform the following procedure on all switching devices that have edge ports.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp bpdu-protection
BPDU protection is enabled on the switching device.
By default, BPDU protection is not enabled on the switching device.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
259
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
Follow-up Procedure
If you want an edge port to automatically recover from the error-down state, run the error-down auto-recovery cause bpdu-protection interval interval-value command in the system view to configure the auto recovery function and set a recovery delay on the port. Then a port in errordown state can automatically go Up after the delay expires. Note the following when setting the recovery delay: l By default, the auto recovery function is disabled; therefore, the recovery delay parameter does not have a default value. When you enable the auto recovery function, you must set a recovery delay.
l A smaller value of interval-value indicates a shorter time taken for an edge port to go Up, and a higher frequency of Up/Down state transitions on the port.
l A larger value of interval-value indicates a longer time taken for the edge port to go Up, and a longer service interruption time.
l The auto recovery function takes effect only for the interfaces that transition to the errordown state after the error-down auto-recovery command is executed.
7.6.3.2 Configuring TC Protection on a Switching Device
Context
If attackers forge TC-BPDUs to attack the switching device, the switching device receives a large number of TC BPDUs within a short time. If MAC address entries and ARP entries are deleted frequently, the switching device is heavily burdened, causing potential risks to the network.
TC protection is used to suppress TC BPDUs. The number of times that TC BPDUs are processed by a switching device within a given time period is configurable. If the number of TC BPDUs that the switching device receives within a given time exceeds the specified threshold, the switching device handles TC BPDUs only for the specified number of times. Excess TC BPDUs are processed by the switching device as a whole for once after the specified time period expires.
This protects the switching device from frequently deleting MAC entries and ARP entries, therefore avoiding overburden.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp tc-protection threshold threshold
The number of times the MSTP process handles the received TC BPDUs and updates forwarding entries within a given time is set.
NOTE
The time is set using the stp tc-protection interval command.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
260
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
7.6.3.3 Configuring Root Protection on an Interface
Context
Due to incorrect configurations or malicious attacks on the network, a root bridge may receive
BPDUs with a higher priority. Consequently, the legitimate root bridge is no longer able to serve as the root bridge and the network topology is changed, triggering spanning tree recalculation.
This also may cause the traffic that should be transmitted over high-speed links to be transmitted over low-speed links, leading to network congestion. The root protection function on a switching device is used to protect the root bridge by preserving the role of the designated port.
NOTE
Root protection takes effect only on designated ports.
Perform the following steps on the root bridge in an MST region.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The view of the Ethernet interface participating in STP calculation is displayed.
Step 3 Run: stp root-protection
Root protection is configured on the switching device.
By default, root protection is disabled.
----End
7.6.3.4 Configuring Loop Protection on an Interface
Context
On a network running MSTP, a switching device maintains the root port status and status of blocked ports by receiving BPDUs from an upstream switching device. If the switching device cannot receive BPDUs from the upstream device because of link congestion or unidirectionallink failure, the switching device re-selects a root port. The original root port becomes a designated port and the original blocked ports change to the Forwarding state. This switching may cause network loops, which can be mitigated by configuring loop protection.
If the root port or alternate port does not receive BPDUs from the upstream device for a long time, the switch enabled with loop protection sends a notification to the NMS. If the root port is used, the root port enters the Discarding state and becomes the designated port. If the alternate port is used, the alternate port keeps blocked and becomes the designated port. In this case, loops will not occur. After the link is not congested or unidirectional link failures are rectified, the port receives BPDUs for negotiation and restores its original role and status.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
261
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
NOTE
An alternate port is a backup port for a root port. If a switching device has an alternate port, you need to configure loop protection on both the root port and the alternate port.
Perform the following steps on the root port and alternate port on a switching device in an MST region.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run: stp loop-protection
Loop protection for the root port is configured on the switching device.
By default, loop protection is disabled.
Root protection and loop protection cannot be configured simultaneously.
----End
7.6.3.5 Checking the Configuration
Procedure l Run the display stp [ instance instance-id ] [ interface interface-type interface-number ]
[ brief ] command to view spanning-tree status and statistics.
----End
7.6.4 Configuring MSTP Interoperability Between Huawei Devices and Non-Huawei Devices
To communicate with a non-Huawei device, set proper parameters on the MSTP-enabled
Huawei device.
7.6.4.1 Configuring a Proposal/Agreement Mechanism
Context
The rapid transition mechanism is also called the Proposal/Agreement mechanism. All switching devices support the following modes: l Enhanced mode: The current interface counts the root port calculation when it computes the synchronization flag bit.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
262
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
– An upstream device sends a Proposal message to a downstream device, requesting rapid status transition. After receiving the message, the downstream device sets the port connected to the upstream device as a root port and blocks all non-edge ports.
– The upstream device then sends an Agreement message to the downstream device. After the downstream device receives the message, the root port transitions to the Forwarding state.
– The downstream device responds to the Proposal message with an Agreement message.
After receiving the message, the upstream device sets the port connected to the downstream device as a designated port, and the designated port transitions to the
Forwarding state.
l Common mode: The current interface ignores the root port when it computes the synchronization flag bit.
– An upstream device sends a Proposal message to a downstream device, requesting rapid status transition. After receiving the message, the downstream device sets the port connected to the upstream device as a root port and blocks all non-edge ports. The root port then transitions to the Forwarding state.
– The downstream device responds to the Proposal message with an Agreement message.
After receiving the message, the upstream device sets the port connected to the downstream device as a designated port. The designated port then transitions to the
Forwarding state.
When Huawei devices are connected to non-Huawei devices, select the same mode as that used on non-Huawei devices.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run: stp no-agreement-check
The common rapid transition mechanism is configured.
By default, the interface uses the enhanced rapid transition mechanism.
----End
7.6.4.2 Configuring the MSTP Protocol Packet Format on an Interface
Context
MSTP protocol packets have two formats: dot1s (IEEE 802.1s standard packets) and legacy
(proprietary protocol packets).
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
263
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
7 MSTP Configuration
You can specify the packet format and use the auto mode. In auto mode, the switching device switches the MSTP protocol packet format based on the received MSTP protocol packet format so that the switching device can communicate with the peer device.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run: stp compliance { auto | dot1s | legacy }
The MSTP protocol packet format is configured on the interface.
The auto mode is used by default.
NOTE
The negotiation will fail if the format of MSTP packets is set to dot1s at one end and legacy at the other end.
----End
7.6.4.3 Enabling the Digest Snooping Function
Context
Interconnected Huawei and non-Huawei devices cannot communicate with each other if they have the same region name, revision number, and VLAN-to-instance mappings but different
BPDU keys. To address this problem, enable the digest snooping function on the Huawei device.
Perform the following steps on a switching device in an MST region to enable the digest snooping function.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The Ethernet interface view is displayed.
Step 3 Run: stp config-digest-snoop
Issue 01 (2014-11-30) 264
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
The digest snooping function is enabled.
----End
7.6.4.4 Checking the Configuration
Procedure l Run the display stp [ instance instance-id ] [ interface interface-type interface-number ]
[ brief ] command to view spanning-tree status and statistics.
----End
7.7 Maintaining MSTP
This section describes how to maintain MSTP.
7.7.1 Clearing MSTP Statistics
Context
NOTICE
MSTP statistics cannot be restored after being cleared.
Procedure l Run the reset stp [ interface interface-type interface-number ] statistics command to clear spanning-tree statistics.
l Run the reset stp error packet statistics to clears the statistics of error STP packets.
----End
7.7.2 Monitoring the Statistics on MSTP Topology Changes
Procedure l Run the display stp [ instance instance-id ] topology-change command to view the statistics about MSTP topology changes.
l Run the display stp [ instance instance-id ] [ interface interface-type interface-number ] tc-bpdu statistics command to view the statistics about TC/TCN packets.
----End
7.8 Configuration Examples
This section provides several configuration examples of MSTP.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
265
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
7.8.1 Example for Configuring Basic MSTP Functions
Networking Requirements
On a complex network, loops are inevitable. With the requirement for network redundancy backup, network designers tend to deploy multiple physical links between two devices, one of which is the master and the others are the backup. Loops are likely or bound to occur in such a situation.
Loops will cause broadcast storms, thereby exhausting network resources and paralyzing the network. Loops also cause flapping of MAC address tables and damages MAC address entries.
MSTP can be deployed to eliminate loops. MSTP blocks redundant links on a Layer 2 network and trims the network into a loop-free tree.
As shown in
Figure 7-13 , to load balance traffic of VLANs 2 to 10 and traffic of VLANs 11 to
20, multiple MSTIs are created. MSTP defines a VLAN mapping table in which VLANs are associated with spanning tree instances. Run MSTP on RouterA, SwitchA, SwitchB, SwitchC and SwitchD.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
266
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 7-13 Networking diagram of configuring basic MSTP functions
7 MSTP Configuration
Network
MST
Region
RouterA
Eth2/0/1 Eth2/0/0
Eth0/0/1
SwitchA
Eth0/0/2
Eth0/0/1
SwitchC
Eth0/0/2
Eth
0/0
/3
RG1
Et h0
/0
/3
Et h0
/0
/4
Eth0/0/3
Eth0/0/1
SwitchB
Eth0/0/2
Eth
0/0
/4
Eth0/0/2
Eth0/0/1
SwitchD
Eth0/0/3
PC1
PC2
PC3
VLAN2~10
VLAN11~20
PC4
MSTI1
MSTI2
MSTI1:
Root Switch:RouterA
Blocked port
Issue 01 (2014-11-30)
MSTI2:
Root Switch:RouterA
Blocked port
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
267
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
7 MSTP Configuration
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure basic MSTP functions, including: a.
Configure the MSTP mode for the ring network.
b.
Configure an MST region and create multiple MSTIs to implement load balancing.
c.
In the MST region, configure a primary root bridge and a secondary root bridge for each MSTI.
d.
Set path costs for ports to be blocked in each MSTI.
e.
Enable MSTP to eliminate loops, including: l Enable MSTP globally.
l Disable MSTP on the interfaces that connected to terminals, or configure those interfaces as edge ports.
l Enable MSTP on all the interfaces except the interfaces connected to terminals.
NOTE
MSTP is not required on the interfaces connected to terminals because these interfaces do not need to participate in MSTP calculation.
2.
Configure MSTP protection functions, for example, configure root protection on a designated port of a root bridge in each MSTI.
3.
Configure the Layer 2 forwarding function on devices.
Procedure
Step 1 Configure basic MSTP functions.
1.
Configure the MSTP mode for the devices on the ring network.
# Configure the MSTP mode on RouterA.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] stp mode mstp
# Configure the MSTP mode on SwitchA, SwitchB, SwitchC and SwitchD.
2.
Add all devices to MST region RG1, and create two MSTIs. MSTI1 maps to VLAN (2 to
10), and MSTI2 maps to VLAN (11 to 20).
# Configure RouterA to MST region.
[RouterA] stp region-configuration
[RouterA-mst-region] region-name RG1
[RouterA-mst-region] instance 1 vlan 2 to 10
[RouterA-mst-region] instance 2 vlan 11 to 20
[RouterA-mst-region] active region-configuration
[RouterA] quit
# Configure SwitchA, SwitchB, SwitchC and SwitchD to MST region RG1, and create two
MSTIs. MSTI1 maps to VLAN (2 to 10), and MSTI2 maps to VLAN (11 to 20).
3.
In RG1, configure primary and secondary root bridges for MSTI1 and MSTI2.
# Configure primary root bridge on RouterA in MSTI1.
[RouterA] stp instance 1 root primary
Issue 01 (2014-11-30) 268
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
7 MSTP Configuration
# Configure secondary root bridge on SwitchA in MSTI1.
# Configure primary root bridge on RouterA in MSTI2.
[RouterA] stp instance 2 root primary
# Configure secondary root bridge on SwitchB in MSTI2.
4.
Set the path costs of the ports to be blocked in MSTI1 and MSTI2 to be larger than the default value.
NOTE l The values of path costs depend on path cost calculation methods. Use the Huawei proprietary calculation method as an example to set the path costs of the ports to be blocked to 200000.
l If the switches are not Huawei 2300 Series, all switches on a network must use the same path cost calculation method. Refer to STP List of path costs to get standard of other calculation methods.
# On RouterA, configure the path cost calculation method as the Huawei proprietary method.
[RouterA] stp pathcost-standard legacy
# On SwitchA, SwitchB, SwitchC and SwitchD, configure the path cost calculation method as the Huawei proprietary method.
, set the path cost of Eth0/0/4 on SwitchC to 200000 in MSTI1.
# As shown in Figure 7-13 , set the path cost of Eth0/0/4 on SwitchD to 200000 in MSTI2.
5.
Enable MSTP to eliminate loops.
l Disable MSTP on interfaces connected to PCs, or set those interfaces as edge ports.
# As shown in Figure 7-13 , disable MSTP on interface Eth0/0/2 and Eth0/0/3 of
SwitchC, or set them as edge ports.
# As shown in Figure 7-13 , disable MSTP on interface Eth0/0/2 and Eth0/0/3 of
SwitchD, or set them as edge ports.
l Enable MSTP globally.
# Enable MSTP globally on RouterA.
[RouterA] stp enable
# Enable MSTP globally on SwitchA, SwitchB, SwitchC and SwitchD.
l Enable MSTP on all the interfaces except the interfaces connected to terminals.
# Enable MSTP on RouterA Eth2/0/0 and Eth2/0/1.
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] stp enable
[RouterA-Ethernet2/0/0] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] stp enable
[RouterA-Ethernet2/0/1] quit
# As shown in Figure 7-13 , Enable MSTP on all interfaces except the interfaces
connected to terminals, for SwitchA, SwitchB, SwitchC and SwitchD.
Step 2 Configure MSTP protection function.
# Enable root protection on RouterA Eth2/0/0 and Eth2/0/1.
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] stp root-protection
[RouterA-Ethernet2/0/0] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] stp root-protection
Issue 01 (2014-11-30) 269
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 7 MSTP Configuration
[RouterA-Ethernet2/0/1] quit
Step 3 Configure the Layer 2 forwarding function on devices in the ring.
l Create VLANs on RouterA, SwitchA, SwitchB, SwitchC and SwitchD.
# Create VLANs 2 to 20 on RouterA.
[RouterA] vlan batch 2 to 20
# Create VLANs 2 to 20 on SwitchA and SwitchB.
# Create VLANs 2 to 10 on SwitchC.
# Create VLANs 11 to 20 on SwitchD.
l Add interfaces on the switching devices in the ring to VLANs.
# Add RouterA Eth2/0/0 and Eth2/0/1 to VLAN 2 to 20.
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] port link-type trunk
[RouterA-Ethernet2/0/0] port trunk allow-pass vlan 2 to 20
[RouterA-Ethernet2/0/0] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type trunk
[RouterA-Ethernet2/0/1] port trunk allow-pass vlan 2 to 20
[RouterA-Ethernet2/0/1] quit
# Add interfaces Eth0/0/1, Eth0/0/2 and Eth0/0/3 on SwitchA and SwitchB to VLAN 2 to
20.
# Add interfaces Eth0/0/1, Eth0/0/2, Eth0/0/3 and Eth0/0/4 on SwitchC to VLAN 2 to 10.
# Add interfaces Eth0/0/1, Eth0/0/2, Eth0/0/3 and Eth0/0/4 on SwitchD to VLAN 11 to 20.
Step 4 Verify the configuration.
After the previous configurations, run the following commands to verify the configuration when the network is stable:
# run display stp brief on RouterA to view the interface status and protection type. The displayed information is as follows:
[RouterA] display stp brief
MSTID Port Role STP State Protection
0 Ethernet2/0/0 DESI FORWARDING NONE
0 Ethernet2/0/1 DESI FORWARDING NONE
1 Ethernet2/0/0 DESI FORWARDING ROOT
1 Ethernet2/0/1 DESI FORWARDING ROOT
2 Ethernet2/0/0 DESI FORWARDING ROOT
2 Ethernet2/0/1 DESI FORWARDING ROOT
In MSTI1, after RouterA is configured as a root bridge, RouterA Eth2/0/0 and Eth2/0/1 are elected as designated ports during spanning tree calculation. In MSTI2, after RouterA is configured as a root bridge, RouterA Eth2/0/0 and Eth2/0/1 are elected as designated ports during spanning tree calculation.
# Verify the interface status and protection type on SwitchA. In MSTI1, interface Eth0/0/1 is elected as root port, interfaces Eth0/0/2 and Eth0/0/3 are elected as designated ports. In MSTI2, interface Eth0/0/1 is elected as root port, interfaces Eth0/0/2 and Eth0/0/3 are elected as designated ports.
# Verify the interface status and protection type on SwitchB. In MSTI1, interface Eth0/0/1 is elected as root port, interfaces Eth0/0/2 and Eth0/0/3 are elected as designated ports. In MSTI2, interface Eth0/0/1 is elected as root port, interfaces Eth0/0/2 and Eth0/0/3 are elected as designated ports.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
270
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
7 MSTP Configuration
# Verify the interface status and protection type on SwitchC. In MSTI1, interface Eth0/0/1 is elected as root port, interface Eth0/0/4 is blocked. In MSTI2, interface Eth0/0/1 is elected as root port, interface Eth0/0/4 is elected as designated port.
# Verify the interface status and protection type on SwitchD. In MSTI1, interface Eth0/0/1 is elected as root port, interface Eth0/0/4 is elected as designated port. In MSTI2, interface Eth0/0/1 is elected as root port, interface Eth0/0/4 is blocked.
----End
Configuration Files l Configuration file of RouterA
#
sysname RouterA
# vlan batch 2 to 20
#
stp instance 1 root primary
stp instance 2 root primary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
# interface Ethernet2/0/0
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
# interface Ethernet2/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
stp root-protection
# return l Configuration file of SwitchA
#
sysname SwitchA
# vlan batch 2 to 20
#
stp instance 1 root secondary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
# interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
# interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
# interface Ethernet0/0/3
Issue 01 (2014-11-30) 271
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
port link-type trunk
port trunk allow-pass vlan 2 to 20
# return l Configuration file of SwitchB
#
sysname SwitchB
# vlan batch 2 to 20
#
stp instance 2 root secondary
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
# interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 20
# interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 20
# interface Ethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 20
# return l Configuration file of SwitchC
#
sysname SwitchC
# vlan batch 2 to 10
#
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
# interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 2 to 10
# interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 2 to 10
stp disable
# interface Ethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 2 to 10
stp disable
# interface Ethernet0/0/4
port link-type trunk
port trunk allow-pass vlan 2 to 10
stp instance 1 cost 200000
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
7 MSTP Configuration
272
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
# return l Configuration file of SwitchD
#
sysname SwitchD
# vlan batch 11 to 20
#
stp pathcost-standard legacy
#
stp region-configuration
region-name RG1
instance 1 vlan 2 to 10
instance 2 vlan 11 to 20
active region-configuration
# interface Ethernet0/0/1
port link-type trunk
port trunk allow-pass vlan 11 to 20
# interface Ethernet0/0/2
port link-type trunk
port trunk allow-pass vlan 11 to 20
stp disable
# interface Ethernet0/0/3
port link-type trunk
port trunk allow-pass vlan 11 to 20
stp disable
# interface Ethernet0/0/4
port link-type trunk
port trunk allow-pass vlan 11 to 20
stp instance 2 cost 200000
# return
7.9 References
This section provides references for STP/RSTP.
The following table lists the references for STP/RSTP.
Document Description
IEEE 802.1D
IEEE 802.1S
IEEE 802.1W
IEEE Standard for:
Local and metropolitan area networks
Virtual Bridged Local Area Networks
IEEE Standard for:
Local and metropolitan area networks
Virtual Bridged Local Area Networks
IEEE Standard for:
Local and metropolitan area networks
Common specifications
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
7 MSTP Configuration
273
-
-
-
Rema rks
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
8
SEP Configuration
About This Chapter
Smart Ethernet Protection (SEP) is a ring network protocol specially used for the Ethernet link layer. It blocks redundant links to prevent logical loops on a ring network.
This section describes the definition and purpose of SEP.
This section describes the implementation of SEP.
This section describes the applicable scenario of IPSec.
8.4 Configuration Task Summary
This section describes the configuration task and logic of SEP.
This section describes the SEP configuration.
This section describes how to maintain SEP, including clearing SEP statistics.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
274
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
8.1 Introduction to SEP
This section describes the definition and purpose of SEP.
Definition
The Smart Ethernet Protection (SEP) protocol is a ring network protocol specially used for the
Ethernet link layer. A SEP segment consists of interconnected Layer 2 switching devices configured with the same SEP segment ID and control VLAN ID. A SEP segment is the basic unit for SEP.
Purpose
Generally, redundant links are used on an Ethernet switching network to provide link backup and enhance network reliability. The use of redundant links, however, may produce loops, causing broadcast storms and rendering the MAC address table unstable. As a result, communication quality deteriorates, and services may even be interrupted. To solve the loop problem, Huawei datacom devices support the following ring network protocols: l STP/RSTP/MSTP
STP, RSTP, and MSTP are standard protocols for breaking loops on Ethernet networks.
They are mature and widely used. Huawei devices running STP, RSTP, or MSTP can communicate with non-Huawei devices. Networks running these protocols converge slowly (in seconds), failing to meet transmission requirements of some real-time services.
The convergence time is affected by the network topology.
Huawei developed SEP to overcome the disadvantages of the preceding ring network protocols.
SEP has the following advantages: l Applies to diverse complex networks and supports all topologies and network topology query. For example, a network running SEP can connect to a network running STP, RSTP, or MSTP.
Network topology display helps locate blocked interfaces quickly. When a fault occurs,
SEP can quickly locate the fault, improving network maintainability.
l Allows selectively interface blocking, which effectively implements traffic load balancing.
l Prevents traffic from being switched back after link recovery, which improves network stability.
8.2 Principles
This section describes the implementation of SEP.
8.2.1 Principles of SEP
SEP is a ring network protocol dedicated to the Ethernet link layer. A SEP segment is the basic unit for SEP. Only two interfaces on a switching device can be added to the same SEP segment.
To prevent loops in a SEP segment, a ring protection mechanism is used to selectively block interfaces to eliminate Ethernet redundant links. When a link on a ring network fails, the device
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
275
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration running SEP immediately unblocks the interface and performs link switching to restore communication between nodes.
shows a typical SEP application. CE1 is connected to Network Provider Edges
(NPEs) through a semi-ring formed by Routers. A VRRP group is deployed on the NPEs.
Initially, NPE1 serves as the master and NPE2 as backup to NPE1. When the link between NPE1 and Router5 or a node on the link becomes faulty, NPE1 becomes the backup to NPE2, which then becomes the master. The following situations occur depending on whether SEP is deployed.
The following assumes that the link between Router1 and Router5 becomes faulty.
l If SEP is not deployed on the semi-ring, CE1 traffic is still transmitted along the original path, but NPE1 does not forward traffic, causing traffic interruption.
l If SEP is deployed on the semi-ring, the blocked interface on Router5 is unblocked, enters the Forwarding state, and sends link state advertisements (LSAs) to instruct other nodes on the SEP segment to update their LSA databases. Then CE1 traffic is transmitted along backup link Router5->Router2->Router4->NPE2, ensuring uninterrupted traffic transmission.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
276
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 8-1 Schematic diagram for SEP
Access Aggregation
Router1 Router3
8 SEP Configuration
Master
Core
Backup
CE1
Access
Router5
NPE1
VRRP+peer BFD
NPE2
IP/MPLS
Core
Router2 Router4
Backup a,SEP is not deployed on the semi-ring
Aggregation Core
Router1 Router3
Master
Master
Backup
SEP
Segment
NPE1
VRRP+peer BFD
NPE2
IP/MPLS
Core
CE1
Router5
Access
Router2
Router1
Router4
Aggregation
Router3
Backup
Core
Master
Master Backup
SEP
Segment
NPE1
VRRP+peer BFD
NPE2
IP/MPLS
Core
CE1
Router5
Router2 Router4 Backup Master b,SEP is deployed on the semi-ring
Primary Edge Port
Secondary Edge Port
Block Port
In common SEP networking, a physical ring can be configured with only one SEP segment in which only one interface can be blocked. If an interface in a complete SEP segment is blocked, all service data is transmitted only along the path where the primary edge interface is located.
The path where the secondary edge interface is located remains idle, wasting bandwidth.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
277
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
SEP multi-instance is used to improve bandwidth efficiency and implement traffic load balancing. SEP multi-instance allows two SEP segments to be configured on a physical ring.
Each SEP segment independently detects the completeness of the physical ring, blocks or unblocks interfaces without affecting the other.
For details about SEP multi-instance, see 8.2.3 SEP Implementation Mechanisms
.
8.2.2 Basic Concepts of SEP
Network Architecture of SEP
As shown in Figure 8-2 , Router1 through Router5constitute a ring and are dual-homed to an
upper-layer a Layer 2 network. Two edge devices Router1 and Router5 are indirectly connected.
This networking is called open-ring networking. This access mode will cause a loop on the entire network. To eliminate redundant links and ensure link connectivity, a mechanism used to prevent loops is required.
Figure 8-2 shows the typical networking of an open ring running SEP. The following describes
the basic concepts of SEP.
Figure 8-2 Networking diagram of an open ring running SEP
Network Network
Router5
Router1
SEP
Segment
Router2
Router3
Router1
Router4 Router2
Router3
SEP
Segment
Router5
Router4
CE CE
No-Neighbor Primary Edge Port
No-Neighbor Secondary Edge Port
Primary Edge Port
Secondary Edge Port
Block Port
Issue 01 (2014-11-30) l SEP segment
A SEP segment consists of interconnected Layer 2 switching devices configured with the same SEP segment ID and control VLAN ID. A SEP segment is the basic unit for SEP.
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
278
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
A SEP segment is a ring or linear Ethernet topology. Each SEP segment has a control
VLAN, edge interfaces, and common interfaces.
l Control VLAN
In a SEP segment, the control VLAN is used to transmit only SEP packets.
Each SEP segment must have a control VLAN. After an interface is added to a SEP segment that has a control VLAN, the interface is automatically added to the control VLAN.
Different SEP segments can use the same control VLAN.
Different from a control VLAN, a data VLAN is used to transmit data packets.
l Node
Each Layer 2 switching device in a SEP segment is a node. Each node can have at most two interfaces added to the same SEP segment.
l Interface role
As defined in SEP, there are two interface roles: common interfaces and edge interfaces.
, edge interfaces are further classified into primary edge interfaces, secondary edge interfaces, no-neighbor primary edge interfaces, and no-neighbor secondary edge interfaces.
NOTE
Normally, edge interfaces and no-neighbor edge interfaces belong to different SEP segments.
Table 8-1 Interface roles
Interface Role
Edge interface
Sub-role
Primary edge interface
Secondary edge interface
Description
A SEP segment has only one primary edge interface, which is determined by the configuration and election.
The primary edge interface initiates blocked interface preemption, terminates packets, and sends topology change notification messages to other networks.
A SEP segment has only one secondary edge interface, which is determined by the configuration and election.
The secondary edge interface terminates packets and sends topology change notification messages to other networks.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
279
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
Interface Role Sub-role
No-neighbor primary edge interface
No-neighbor secondary edge interface
Description
An interface at the edge of a SEP segment is a no-neighbor edge interface, which is determined by the configuration and election.
The no-neighbor primary edge interface terminates packets and sends topology change notification messages to other networks.
No-neighbor primary edge interfaces are used to interconnect Huawei devices and non-Huawei devices or interconnect
Huawei devices and devices that do not support SEP.
A SEP segment has only one no-neighbor secondary edge interface, which is determined by the configuration and election.
The no-neighbor secondary edge interface terminates packets and sends topology change notification messages to other networks.
No-neighbor secondary edge interfaces are used to interconnect Huawei devices and non-Huawei devices or interconnect
Huawei devices and devices that do not support SEP.
Common interface In a SEP segment, all interfaces except edge interfaces are common interfaces.
A common interface monitors the status of the directly-connected SEP link. When the link status changes, the interface sends a topology change notification message to notify its neighbors. Then the topology change notification message is flooded on the link until it finally reaches the primary edge interface. The primary edge interface determines how to process the link change.
l Blocked interface
In a SEP segment, some interfaces are blocked to prevent loops.
Any interface in a SEP segment may be blocked if no interface is specified for blocking.
A complete SEP segment has only one blocked interface.
l Status of a SEP interface
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
280
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
In a SEP segment, a SEP interface has two working states: Forwarding and Discarding, as shown in
.
Table 8-2 Interface status
Interface
Status
Description
Forwarding The interface can forward user traffic, receive and send SEP packets.
Discarding The interface can receive and send SEP packets but cannot forward user traffic.
An interface may be in Forwarding or Discarding state regardless of its role.
SEP Packet
shows the types of SEP packets.
Table 8-3 Types of SEP packets
Packet Type Packet Subtype Description
Hello packet After an interface is added to a SEP segment, neighbor negotiations start. The interface and its neighbor exchange Hello packets to establish a neighbor relationship. After neighbor negotiations succeed, the two interfaces continue to exchange Hello packets to detect their neighbor status.
LSA
TC packet
GR packet -
-
LSA request packet
LSA ACK packet
After an interface has SEP enabled, the interface periodically sends LSAs to its neighbor. After the state machine of the neighbor goes Up, the two interfaces update their LSA databases, that is, all topology information.
When the topology of a SEP segment changes, the device where the SEP segment and the upper-layer network are intersected sends a Topology Change (TC) packet to notify the upper-layer network. Then all nodes on the upper-layer network need to update their
MAC address tables and ARP tables.
When a device is performing an active/standby switchover, it sends a SEP Graceful Restart (GR) packet to instruct other nodes to prolong the aging time of the LSAs received from the device. After the active/ standby switchover is complete, the device needs to send another GR packet to instruct other nodes to restore the aging time of the LSAs received from the device to the previous value.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
281
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
Packet Type Packet Subtype Description
Primary edge interface election packet
After an interface has SEP enabled, it considers itself the primary edge interface if it is qualified for primary edge interface selection. The interface then periodically sends primary edge interface election packets without waiting for the success of neighbor negotiations. A primary edge interface election packet contains the interface role (primary edge interface, secondary edge interface, or common interface), bridge
MAC address of the interface, interface ID, and integrity of the topology database.
Preemption packet
Preemption request packet
Preemption ACK packet
A preemption packet is used to block a specified interface.
Preemption packets are sent by the elected primary edge interface or brother interface of a no-neighbor primary edge interface.
8.2.3 SEP Implementation Mechanisms
Neighbor Negotiation Mechanism
After an interface is added to a SEP segment, neighbor negotiations start. The interface and its neighbor exchange Hello packets to establish a neighbor relationship. After neighbor negotiations succeed, the two interfaces continue to exchange Hello packets to detect their neighbor status.
Neighbor negotiations prevent unidirectional links because neighbor negotiations are bidirectional. Interfaces at both ends of a link, must send Hello packets to each other, as a means of status confirmation. If an interface does not receive a Hello packet from an interface at the other end of a link within a specified period, the interface considers the other to be Down.
Neighbor negotiations provide information required to obtain the SEP segment topology.
Interfaces establish neighbor relationships through neighbor negotiations, forming a complete
SEP segment. Therefore, the SEP segment topology can be obtained.
Synchronization of SEP LSA Databases and Topology Display l Synchronization of SEP link state advertisement (LSA) databases
After neighbor negotiations are complete, devices in a SEP segment enter the LSA database synchronization phase and periodically send LSAs. After a device receives LSAs from other devices, the device updates its LSA database. This ensures that the LSA databases of all devices in the SEP segment are consistent.
If a device does not receive LSAs from its peer device or other devices in the SEP segment within three LSA transmission intervals, the device will age the database that saves the
LSAs of the other devices in the SEP segment.
When a faulty device in a SEP segment recovers, the device needs to obtain topology information from the other devices in the SEP segment and sends LSA request packets to
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
282
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration the other devices. After receiving LSA request packets from the device, neighboring interfaces reply with LSA ACK packets that contain the latest link state information.
l SEP segment topology display
The topology display function allows you to view the topology with the highest network connectivity on any device in a SEP segment. Link state synchronization ensures that all devices in a SEP segment display the same topology.
Table 8-4 shows the types of SEP segment topologies.
Table 8-4 Types of SEP segment topologies
Topology Type Description
Ring topology Each interface in a SEP segment has a neighboring interface in Up state and a brother interface, and each node has two interfaces in the SEP segment.
Linear topology All topologies except ring topologies are linear topologies.
Constraint l If the primary edge interface is elected on a ring, the primary edge interface is listed first in the topology information displayed on each interface.
l If the primary edge interface is not elected but the secondary edge interface is elected, the secondary edge interface is listed first in the topology information displayed on each interface.
For interfaces at both ends of a link: l If one interface functions as the primary edge interface, the primary edge interface is listed first in the topology information displayed on each interface.
l If the primary edge interface is not elected but the secondary edge interface is elected, the secondary edge interface is listed first in the topology information displayed on each interface.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
283
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
NOTE
The constraints listed in Table 8-4 ensure that each node in a ring or linear topology displays the
same topology information.
Primary Edge Interface Election
Only interfaces that are configured as no-neighbor edge interfaces, primary edge interfaces, and secondary edge interfaces can participate in primary edge interface election.
NOTE
If only one interface on a node has SEP enabled, you must set the role of the interface to edge so that the interface can function as an edge interface.
As shown in Figure 8-3 , if there is no faulty link on the network and SEP is enabled on the
interfaces, the following situations occur: l Common interfaces do not participate in primary edge interface election. Only P1 on
Router1 and P1 on Router5 participate in primary edge interface election.
l If P1 on Router1 and P1 on Router5 have the same role, P1 with a higher MAC address is elected as the primary edge interface.
After the primary edge interface is selected, it periodically sends primary edge interface election packets without waiting for the success of neighbor negotiations. A primary edge interface election packet contains the interface role (primary edge interface, secondary edge interface, or common interface), bridge MAC address of the interface, interface ID, and integrity of the topology database.
Figure 8-3 Networking diagram of electing the primary edge interface
Issue 01 (2014-11-30)
Router1
P1
Router2
Network
Router5 Router1
P1
SEP
Segment
Router4
Failed
Router3
Network
Router5
P1
P1
Router2
SEP
Segment
Router4
Failed
Router3
Primary Edge Port
Secondary Edge Port
Election packet of
Primary Edge Port
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
284
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
As shown in Figure 8-3 , if a link fault occurs in the SEP segment, P1 on Router1 and P1 on
Router5 receive fault notification packets or P1 on LSW5 does not receive primary edge interface election packets within a specified period. Then P1 on Router1 becomes the secondary edge interface. Consequently, two secondary edge interfaces exist in the SEP segment and periodically send primary edge interface election packets.
When all link faults in the SEP segment are rectified, the two secondary edge interfaces can receive primary edge interface election packets and elect a new primary edge interface within a configured interval (1s by default).
Specifying an Interface to Block
Normally, a blocked interface is one of the two interfaces that complete neighbor negotiations last. In some cases, however, the negotiated blocked interface may not be the required one. You can specify an interface to block according to network requirements. The specified interface preempts to be the blocked interface only after the preemption mechanism takes effect.
l Interface blocking mode
You can configure the interface blocking mode to specify a blocked interface. Table 8-5
lists interface blocking modes.
Table 8-5 Interface blocking mode
Interface Blocking Mode Description
Specify the interface with the highest priority as the blocked interface.
SEP compares interface priorities as follows:
1. Compares configured interface priority values. A larger value indicates a higher priority.
2. Compares bridge MAC addresses of interfaces with same priority values. A smaller bridge MAC address indicates a higher priority.
3. Compares interface numbers of interfaces with identical bridge MAC addresses. A smaller interface number indicates a higher priority.
Specify the interface in the middle of a SEP segment as the blocked interface.
Specify a blocked interface based on the configured hop count.
SEP sets the hop count of the primary edge interface to
1 and the hop count of the neighboring interface of the primary interface to 2. Hop counts of other interfaces increase by steps of 1 in the downstream direction of the primary edge interface.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
285
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
Interface Blocking Mode Description
Specify a blocked interface based on the device and interface names.
After SEP is configured, the interface to be blocked is determined by the device and interface names. Before specifying an interface to block, run the display command to view the current ring topology and all interfaces, and then specify the device and interface names.
If multiple interfaces on the ring have the same device and interface names, SEP blocks the interface nearest to the primary edge interface in the topology.
NOTE
If you change the device name or interface name after specifying the interface to block, the interface cannot preempt to be the blocked interface.
l Preemption
After the interface blocking mode is specified, whether a specified interface will be blocked
is determined by the preemption mode. Table 8-6 lists the preemption modes.
Table 8-6 Preemption mode
Preemption Mode
Non-preemption mode
Description
When all link faults are rectified or the last two interfaces enabled with SEP complete neighbor negotiations, interfaces send blocking status packets to each other.
The interface with the highest priority is then blocked, and the other interfaces enter the Forwarding state.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
286
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
Preemption Mode
Preemption Mode
NOTE
Preemption can only be implemented on the device where the primary edge interface or no-neighbor primary edge interface resides.
Description
Preemption is classified into delayed preemption and manual preemption.
l Delayed preemption
After all the faulty interfaces recover, the edge interfaces no longer receive fault notification packets. If the primary edge interface does not receive fault advertisement packets within 3 seconds, it starts the delay timer. After the delay timer expires, nodes in the SEP segment start blocked interface preemption.
l Manual preemption
When the link status databases of the primary edge interface and secondary edge interface are complete, the primary edge interface or brother interface of the no-neighbor primary edge interface sends preemption packets to block a specified interface.
The specified interface then sends blocking status packets to request the previously blocked interface to transition to the Forwarding state.
NOTE
Only two interfaces on a device can be added to the same
SEP segment. If one interface is the no-neighbor primary edge interface, the other interface is the brother interface of the no-neighbor primary edge interface.
Whether the brother interface of the no-neighbor primary edge interface needs to send preemption packets depends on whether the brother interface is blocked.
l If the brother interface is blocked, it does not need to send preemption packets.
l If the brother interface is unblocked, it needs to send preemption packets.
SEP Topology Change Notification
SEP considers that the topology of a SEP-enabled network changes in either of the following
situations described in Table 8-7 .
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
287
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
Table 8-7 SEP topology change notification
SEP Topology Change
Notification
Description
An interface fault occurs.
shows an interface fault in a SEP segment.
An interface fault can be a link fault or neighboring interface fault.
If a device having an interface in Forwarding state in the
SEP segment receives a fault advertisement packet, the device needs to send a Flush-Forwarding Database (Flush-
FDB) packet through the interface to notify other nodes in the SEP segment that there is a change in topology.
The fault is rectified and the preemption function takes effect.
After faults occur in the SEP segment and the last faulty interface recovers, the blocked interface is preempted and the topology is considered changed.
Preemption is triggered by the primary edge interface.
When an interface in a SEP segment receives a preemption packet from the primary edge interface, the interface needs to send Flush-FDB packets to notify other nodes in the
SEP segment that there is a change in topology.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
288
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 8-4 Networking diagram for SEP topology change notification
8 SEP Configuration
Network
Router1
Router8
SEP
Segment1
Router9 Router10
Router2 SEP
Segment2
SEP
Segment3
Router11
SEP
Segment4
Router13
Router12
Router3 Router4 Router5 Router6
Failed
Router7
Block Port
Primary Edge Port
Forwarding Database
Topology Change
NOTE
The topology change notification function is configured on devices that connect an upper-layer network and a lower-layer network. If the topology of one network changes, devices affected inform the other network of the change.
lists the scenarios in which topology changes are reported.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
289
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
Table 8-8 SEP topology change notification
SEP
Topology
Change
Notification
Scenario Description
Topology change notification from a lowerlayer network to an upperlayer network
A SEP network is connected to an upper-layer network running other features such as SEP and STP.
l If the blocked interface on a lower-layer SEP network is manually changed, the topology of the SEP segment changes. Because the upper-layer network is unable to detect the change in topology, traffic is interrupted.
l If an interface on a lowerlayer SEP network becomes faulty, the topology of the SEP segment changes but the upper-layer network is unable to detect the change. As a result, traffic is interrupted.
Solution
Configure the SEP topology change notification function.
Suppression of SEP TC Notification Packets
Topology changes of a SEP segment are advertised to other SEP segments or upper-layer networks. A large number of topology change (TC) notification packets are generated in the following cases: l A link becomes disconnected transiently.
l A SEP segment is attacked by invalid TC notification packets.
l There are multiple SEP ring networks.
shows a networking scenario with three SEP ring networks. If the topology of
SEP segment 3 changes, the number of TC notification packets doubles and SEP segment
2 is flooded with these packets. Each time TC notification packets pass through a SEP segment, the number of TC notification packets doubles.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
290
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 8-5 Networking diagram for multiple SEP ring networks
8 SEP Configuration
Router9
Router10
SEP
Segment 1
Router7
Router8
SEP
Segment2
Router4 Router6
Router1
Router5
SEP
Segment3
Router3
Router2
Primary Edge Port
Secondary Edge Port
Block Port
Sending a large number of TC notification packets reduces the CPU capability to quickly process other types of packets. In addition, devices in SEP segments frequently update MAC address entries, heavily consuming bandwidth resources. To solve such problems, the following measures can be taken to suppress TC notification packets: l Configure a device to process only one of the TC notification packets carrying the same source address.
l Configure a device to process a specified number of TC notification packets within a specified period. By default, three TC notification packets with different source addresses are processed in 2s.
l Avoid the networking scenario having more than three SEP ring networks.
SEP Multi-Instance
In common SEP networking shown in
, a physical ring network can be configured with only one SEP segment in which only one interface can be blocked.
If an interface in a complete SEP segment is blocked, all service data is transmitted only along the path where the primary edge interface is located. The path where the secondary edge interface is located remains idle, wasting bandwidth.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
291
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 8-6 Networking diagram for SEP
Router2
SEP
Segment1
Router4
8 SEP Configuration
VLAN 100~200
Router1 Router3
VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
SEP multi-instance allows two SEP segments to be configured on a physical ring. Each SEP segment independently detects the completeness of the physical ring, blocks or unblocks interfaces without affecting the other.
A physical ring may contain one or two SEP segments. Each SEP segment needs to be configured with a protected instance, each protected instance indicating a VLAN range. The topology calculated by a SEP segment is only valid for that SEP segment.
After different protected instances are configured for SEP segments and the mapping between protected instances and VLANs is set, a blocked interface is only valid for the VLANs protected by the SEP segment where the blocked interface resides. Data traffic for different VLANs can be transmitted along different paths. This implements traffic load balancing and link backup.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
292
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 8-7 Networking diagram for SEP multi-instance
8 SEP Configuration
Router2 Router4
P2
Instance1:
VLAN 100~200
SEP
Segment2
SEP Segment1
Router1
P1
Router3
Instance2:
VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
As shown in Figure 8-7 , the SEP multi-instance ring network that consists of Router1 to
Router4 has two SEP segments. P1 is the blocked interface in SEP segment 1, and P2 is the blocked interface in SEP segment 2.
l Protected instance 1 is configured in SEP segment 1 to protect the data from VLAN 100 to VLAN 200. The data is transmitted along path Router1->Router2. As the blocked interface in SEP segment 2, P2 blocks only the data from VLAN 201 to VLAN 400.
l Protected instance 2 is configured in SEP segment 2 to protect the data from VLAN 201 to VLAN 400. The data is transmitted along path Router3->Router4. As the blocked interface in SEP segment 1, P1 blocks only the data from VLAN 100 to VLAN 200.
When a node fault or link fault occurs, each SEP segment calculates its own topology independently, and the nodes in each SEP segment update their own LSA databases.
As shown in Figure 8-8 , a fault occurs on the link between LSW3 and LSW4. The link fault
does not affect the transmission path for the data from VLAN 100 to VLAN 200 in SEP segment
1, but blocks the transmission path for the data from VLAN 201 to VLAN 400 in SEP segment
2.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
293
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
Figure 8-8 Networking diagram for a link fault on a SEP multi-instance network
Router2
Router4
P2
SEP
Segment2
SEP Segment1
Instance1:
VLAN 100~200
Router1 Router3
P1
Instance2:
VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
After the link between Router3 and Router4 becomes faulty, Router3 starts to send LSAs to instruct the other devices in SEP segment 2 to update their LSA databases, and the blocked interface enters the Forwarding state. After the topology of SEP segment 2 is recalculated, the data from VLAN 201 to VLAN 400 is transmitted along path Router3->Router1->Router2.
After the link between Router3 and Router4 recovers, the devices in SEP segment 2 perform delayed preemption. After the preemption delay expires, P1 becomes the blocked interface again, and sends LSAs to instruct the other devices in SEP segment 2 to update their LSA databases.
After the topology of SEP segment 2 is recalculated, the data from VLAN 201 to VLAN 400 is transmitted along path Router3->Router4.
8.3 Applications
This section describes the applicable scenario of IPSec.
8.3.1 Open-Ring Networking
As shown in Figure 8-9 , Router1 to Router5 form an open ring to access a Layer 2 network.
The two edge devices on the Layer 2 network, that is, Router1 and Router5, are not directly connected. This networking is called open-ring networking. The open-ring networking is at the access layer and is used to transparently transmit Layer 2 unicast and multicast services. When
SEP runs at the access layer, redundancy protection switching can be implemented at the access layer and topology of the SEP segment can be displayed.
On an open-ring network, edge interfaces are located on the two edge devices in the SEP segment.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
294
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 8-9 Networking diagram of an open ring running SEP
Network
Router1
Router2
Router5
SEP
Segment
Router4
Router3
8 SEP Configuration
CE
Primary Edge Port
Secondary Edge Port
Block Port
8.3.2 Closed-Ring Networking
As shown in Figure 8-10 , Router1 to Router5 form a dual-homed link to access a Layer 2
network. Router1 and Router5at the edge of the Layer 2 network are directly connected. This networking is called closed-ring networking. The networking is at the aggregation layer and is used to aggregate Layer 2 unicast and multicast services. When SEP runs at the aggregation layer, redundancy protection switching can be implemented at the aggregation layer and the topology of the SEP segment can be displayed.
On a closed-ring network, two edge interfaces are located on the same edge device.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
295
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 8-10 Networking diagram of a closed ring running SEP
Router5 Router1
Router2
Router3
SEP
Segment
Router4
8 SEP Configuration
CE1 CE2 CE3
Primary Edge Port
Secondary Edge Port
Block Port
8.3.3 Multi-Ring Networking
As shown in Figure 8-11 , the networking composed of Router1 to Router14 is called multi-ring
networking. Router1 to Router5 are at the aggregation layer, and Router6 to Router14 are at the access layer. Layer 2 services are transparently transmitted at the access layer and the aggregation layer. When SEP runs at the access layer and the aggregation layer, redundancy protection switching can be implemented at the access layer and the aggregation layer and the topology of the SEP segment can be displayed.
If the topology of the access layer changes, a node in the SEP segment sends a Flush-FDB packet to instruct other nodes in the SEP segment to update their MAC address forwarding tables and
ARP tables. Edge devices in the SEP segment send TC packets to notify the upper-layer network that the topology of the SEP segment changes.
In multi-ring networking, the topology change notification function needs to be configured among ring networks.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
296
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 8-11 Networking diagram of multiple rings running SEP
8 SEP Configuration
Router6
Router1
Router2
Router7
S
Se
EP gm en t 2
Router8
Router5
SEP
Segment 1
Router3
Se gm
SE en t 3
P
Router4
SEP
Segment 4
Router12
SEP
Segment 5
Router14
Router9
Router13
Router10 Router11
Block Port
8.3.4 Hybrid SEP+MSTP Ring Networking
As shown in Figure 8-12 , Router1 to Router3 form a SEP segment to access the MSTP ring.
The networking is called hybrid SEP+MSTP ring networking. Router1 to Router3 are at the access layer and transparently transmit Layer 2 unicast and multicast services. When SEP runs at the access layer, redundancy protection switching can be implemented at the access layer.
If the topology of the access layer changes, a node in the SEP segment sends a Flush-FDB packet to instruct other nodes in the SEP segment to update their MAC address forwarding tables and
ARP tables. Router1 and Router2 at the edge of the SEP segment send a TC packet to notify the aggregation layer of the topology change in the SEP segment.
In hybrid-ring networking, no-neighbor edge interfaces need to be deployed on the edge devices of SEP networks, and the SEP networks need to report topology changes to MSTP networks.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
297
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 8-12 Networking diagram of hybrid rings running SEP+MSTP
8 SEP Configuration
PE3
PE1
MSTP
PE4
PE2
Router1
Do not Support SEP
SEP
Segment
Router2
Router3
No-neighbor Primary Edge Port
No-neighbor Secondary Edge Port
Block Port
8.3.5 SEP Multi-Instance
As shown in Figure 8-13 , SEP multi-instance allows two SEP segments to be configured on a
physical ring. Each SEP segment independently detects the completeness of the physical ring, blocks or unblocks interfaces without affecting the other.
A physical ring may contain one or two SEP segments. Each SEP segment needs to be configured with a protected instance, each protected instance indicating a VLAN range. The topology calculated by a SEP segment is only valid for that SEP segment.
After different protected instances are configured for SEP segments and the mapping between protected instances and VLANs is set, a blocked interface is only valid for the VLANs protected by the SEP segment where the blocked interface resides. Data traffic for different VLANs can be transmitted along different paths. This implements traffic load balancing and link backup.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
298
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 8-13 Networking diagram for SEP multi-instance
8 SEP Configuration
Router2 Router4
P2
Instance1:
VLAN 100~200
SEP
Segment2
SEP Segment1
Router1
P1
Router3
Instance2:
VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
8.4 Configuration Task Summary
This section describes the configuration task and logic of SEP.
lists the configuration task summary of SEP.
Table 8-9 Configuration task summary of SEP
Item
Configuring Basic SEP
Functions
Description
After basic SEP functions are configured on devices, the devices start SEP negotiation. One of the two interfaces that complete neighbor negotiations last is blocked to eliminate redundant links.
NOTE
When logging in to nodes on a
SEP semi-ring through Telnet to configure the nodes, note the following points: l Basic SEP functions need to be configured from the node at one end of the semiring to the node at the other end of the semi-ring.
Task
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
299
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
Item
Specifying an Interface to
Block
Configuring SEP Multi-
Instance
Configuring the Topology
Change Notification
Function
Description
In some cases, however, the negotiated blocked interface may not be the required one.
You can specify an interface to block according to network requirements.
To implement load balancing and make efficient use of bandwidth, protected instances need to be deployed on a SEP network and mapped to VLANs.
A SEP network usually needs to work together with another network running other features. To ensure network reliability, if the topology of one network changes, the other network must be able to detect the topology change and take measures to ensure reliable data transmission.
Therefore, the topology change notification function needs to be enabled on the
SEP network.
Task
8.5 Configuring SEP
This section describes the SEP configuration.
8.5.1 Configuring Basic SEP Functions
When there is no faulty link on a ring network running SEP, SEP can eliminate loops on the
Ethernet. When a link fault occurs on the ring network, SEP can immediately restore the communication between the nodes on the network.
Pre-configuration Tasks
Before configuring basic SEP functions, complete the following tasks: l Establishing the ring networking l Ensuring that the devices are powered on correctly and operate properly
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
300
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
8.5.1.1 Configuring a SEP Segment
Context
A SEP segment is the basic unit for SEP. A SEP segment consists of interconnected Layer 2 switching devices configured with the same SEP segment ID and control VLAN ID.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 (Optional) Run: description text
A description is configured for the SEP segment.
By default, no description is configured for an SEP segment.
----End
8.5.1.2 Configuring a Control VLAN
Context
In a SEP segment, a control VLAN is used to transmit SEP packets but not service packets, enhancing SEP security. Each SEP segment must be configured with a control VLAN. After being added to a SEP segment configured with a control VLAN, an interface is added to the control VLAN automatically.
NOTE
On a SEP network that has no-neighbor edge interfaces, a device that is not in a SEP segment cannot be added to the control VLAN of the SEP segment. Otherwise, a loop will occur on the network.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run: control-vlan vlan-id
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
301
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
A control VLAN is configured for the SEP segment to transmit SEP packets.
The control VLAN must be not created, and is not used by VLAN mapping and VLAN stacking.
Additionally, no interface is added to the control VLAN in trunk, access, hybrid, or qinq mode.
l Different SEP segments can use the same control VLAN.
l If an interface has been added to the SEP segment, the control VLAN of the SEP segment cannot be deleted directly. To delete the control VLAN, run the undo sep segment segmentid command in the interface view to delete the interface from the SEP segment, and then run the undo control-vlan command in the SEP segment view to delete the control VLAN.
l If no interface is added to the SEP segment, you can run the control-vlan vlan-id command multiple times. Only the latest configuration takes effect.
l After the control VLAN is created successfully, the command used to create a common
VLAN will be displayed in the configuration file.
Each SEP segment must be configured with a control VLAN. After an interface is added to a SEP segment configured with a control VLAN, the interface is automatically added to the control VLAN.
– If the interface type is trunk, in the configuration file, the port trunk allow-pass vlan command is displayed in the view of the interface added to the SEP segment.
– If the interface type is hybrid, in the configuration file, the port hybrid tagged vlan command is displayed in the view of the interface added to the SEP segment.
----End
8.5.1.3 Creating a Protected Instance
Context
Interfaces can be added to a SEP segment only after the SEP segment is configured with protected instances.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run: protected-instance { all | { instance-id1 [ to instance-id2 ] } &<1-10> }
A protected instance is created in a SEP segment.
By default, no protected instance is configured in a SEP segment.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
302
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
8.5.1.4 Adding a Layer 2 Interface to a SEP Segment and Configuring a Role for the
Interface
Context
To ensure that SEP packets are forwarded correctly in a SEP segment, add Layer 2 interfaces to the SEP segment and configure different roles for the interfaces.
After an interface is added to a SEP segment, the interface sets its interface role to the primary edge interface if the interface has the right to participate in primary edge interface election. Then, the interface periodically sends a primary edge interface election packet without waiting for the success of neighbor negotiations.
A primary edge interface election packet contains the interface role (primary edge interface, secondary edge interface, or common interface), bridge MAC address of the interface, interface
ID, and integrity of the topology database.
Table 8-10 lists interface roles.
Table 8-10 Interface roles
Interface
Role
Sub-role Description
Common interface
In a SEP segment, all interfaces except edge interfaces and blocked interfaces are common interfaces.
A common interface monitors the status of the directly-connected SEP link.
When the link status changes, the interface sends a topology change notification message to notify its neighbors. Then the topology change notification message is flooded on the link until it finally reaches the primary edge interface. The primary edge interface determines how to process the link change.
-
Deployment Scenario
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
303
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
Interface
Role
Sub-role
Edge interface Primary edge interface
Description
A SEP segment has only one primary edge interface, which is determined by the configuration and election.
The primary edge interface initiates blocked interface preemption, terminates packets, and sends topology change notification messages to other networks.
Secondary edge interface
Deployment Scenario
Open-ring networking
Closed-ring networking
Multi-ring networking
Noneighbor primary edge interface
A SEP segment has only one secondary edge interface, which is determined by the configuration and election.
The secondary edge interface terminates packets and sends topology change notification messages to other networks.
An interface at the edge of a
SEP segment is a noneighbor edge interface, which is determined by the configuration and election.
The no-neighbor primary edge interface terminates packets and sends topology change notification messages to other networks.
No-neighbor primary edge interfaces are used to interconnect Huawei devices and non-Huawei devices or interconnect Huawei devices and devices that do not support SEP.
Hybrid SEP+MSTP ring networking
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
304
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Interface
Role
Sub-role Description
Noneighbor secondary edge interface
The no-neighbor secondary edge interface terminates packets and sends topology change notification messages to other networks.
No-neighbor secondary edge interfaces are used to interconnect Huawei devices and non-Huawei devices or interconnect Huawei devices and devices that do not support SEP.
8 SEP Configuration
Deployment Scenario
NOTE l Normally, edge interfaces and no-neighbor edge interfaces belong to different SEP segments.
l Before adding a Layer 2 interface to a SEP segment, ensure that STP has been disabled on the interface
(except that the interface is a no-neighbor edge interface).
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The view of an Ethernet interface added to the SEP segment is displayed.
Step 3 (Optional) Run: stp disable
STP is disabled on the interface.
Step 4 Run: sep segment segment-id [ edge [ no-neighbor ] { primary | secondary } ]
The Ethernet interface is added to a specified SEP segment and a role is configured for the interface.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
305
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
8.5.1.5 Checking the Configuration
Procedure l Run the display sep segment { segment-id | all } command to check the configurations of
SEP segments.
l Run the display sep interface [ interface-type interface-number | segment segment-id ]
[ verbose ] command to check information about interfaces that are added to a specified
SEP segment.
l Run the display sep topology [ segment segment-id ] [ verbose ] command to check the topology status of a specified SEP segment.
----End
8.5.2 Specifying an Interface to Block
By default, the blocked interface is one of the two interfaces that complete neighbor negotiations last. Sometimes, the negotiated blocked interface, however, may not be the expected one. You can configure a blocked interface to suit your needs.
8.5.2.1 Setting an Interface Blocking Mode
Context
In a SEP segment, some interfaces are blocked to prevent loops.
You can configure the interface blocking mode to specify a blocked interface. Table 8-11 lists
interface blocking modes.
Table 8-11 Interface blocking mode
Interface Blocking
Mode
Description
Specify the interface with the highest priority as the blocked interface.
This mode applies to a large-scale network.
After fault recovery, the interface with the highest priority in a
SEP segment becomes the blocked interface. In this mode, the priorities of the interfaces in the SEP segment need to be set in advanced.
Specify the interface in the middle of a SEP segment as the blocked interface.
Specify a blocked interface based on the configured hop count.
This mode applies to a network where traffic is symmetrically distributed.
After fault recovery, the interface in the middle of a SEP segment becomes the blocked interface.
This mode applies to a small-scale network.
After fault recovery, a specified interface is blocked based on the hop count. A network planner needs to be familiar with the topology of the entire SEP segment and the number of hops from the blocked interface to the primary edge interface.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
306
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
Interface Blocking
Mode
Specify a blocked interface based on the device and interface names.
Description
This mode applies to a small-scale network.
After fault recovery, a specified interface is blocked based on the device and interface names. A network planner needs to be familiar with the names of devices and interfaces in the entire
SEP segment and ensures that each device name is unique.
Perform the following operations on the device where the primary edge interface or no-neighbor primary edge interface is located:
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run: block port { optimal | middle | hop hop-id | sysname sysname interface { interfacetype interface-number | interface-name } }
An interface blocking mode is set.
By default, one of the interfaces at two ends of the link that is set up last or recovers from a fault last is blocked.
----End
Follow-up Procedure
If the interface with the highest priority is specified to block, run the sep segment segment-id priority priority command in the view of the interface to be blocked to increase its priority.
When a fault is rectified, the specified interface is blocked.
The default priority of an interface added to a SEP segment is 64. The priority value of an interface is an integer that ranges from 1 to 128. A larger priority value indicates a higher priority.
8.5.2.2 Configuring the Preemption Mode
Context
After the interface blocking mode is specified, whether a specified interface will be blocked is determined by the preemption mode.
lists the preemption modes.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
307
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
8 SEP Configuration
Table 8-12 Preemption mode
Preemption
Mode
Advantage
Non-preemption mode
SEP is in nonpreemption mode by default.
In this mode, blocking an interface does not disconnect any link in a
SEP segment.
Preempt ion mode
Delayed preempt ion
Each time a fault is rectified, the system automatically completes preemption and ensures that the specified interface is blocked.
Manual preempt ion
Whether the specified interface will be blocked can be controlled manually.
Disadvantage
The blocked interface is one of the two interfaces that complete neighbor negotiations last.
l The delayed preemption mode needs to be specified in advance. There is no default delay in preemption, and the delay time needs to be configured using a command.
l After delayed preemption is configured successfully, a fault needs to be simulated to ensure that the specified interface is blocked.
l The manual preemption mode needs to be specified in advance.
l After a network fault is rectified and the preemption action is taken, manual preemption no longer takes effect.
Manual preemption needs to be configured again to ensure that the blocked point can be moved to the specified point after the next fault is rectified. This increases the maintenance workload.
The following conditions must be met to trigger preemption: l The SEP segment topology is complete.
l The primary edge interface or no-neighbor primary edge interface has been elected in the
SEP segment.
l The function of flexibly specifying a blocked interface is enabled on the device where the primary edge interface or no-neighbor primary edge interface resides.
Perform the following operations on the Layer 2 switching device where the primary edge interface or no-neighbor primary edge interface resides.
Procedure
Step 1 Run: system-view
Issue 01 (2014-11-30) 308
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
The system view is displayed.
Step 2 Run: sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run: preempt { manual | delay seconds }
The preemption mode is configured on the primary edge interface.
By default, no preemption mode is configured on the primary edge interface, that is, the nonpreemption mode is used.
----End
8.5.2.3 Checking the Configuration
Procedure l Run the display sep topology [ segment segment-id ] [ verbose ] command to check the topology status of a specified SEP segment.
----End
8.5.3 Configuring SEP Multi-Instance
Applicable Environment
In common SEP networking, a physical ring can be configured with only one SEP segment in which only one interface can be blocked. If an interface in a complete SEP segment is blocked, all service data is transmitted only along the path where the primary edge interface is located.
The path where the secondary edge interface is located remains idle, wasting bandwidth.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
309
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 8-14 Networking diagram for SEP multi-instance
8 SEP Configuration group 1:Master group 2:Backup
NPE1
IP/MPLS Core group 2:Master group 1:Backup
NPE2
VRRP+peer BFD
Router2
Router4
P2
Instance1:
VLAN 100~200
SEP
Segment2
SEP Segment1
Router1
P1
Router3
Instance2:
VLAN 201~400
CE1 CE2
Primary Edge Port
Secondary Edge Port
Block Port
SEP multi-instance is used to improve bandwidth efficiency and implement traffic load balancing and link backup. As shown in
, multiple instances are deployed in the
SEP segment, and protected instances are mapped to different VLANs. Data traffic for different
VLANs can then be transmitted along different paths.
NOTE
Currently, SEP multi-instance allows two SEP segments to be configured on a physical ring. Different blocked interfaces and priorities need to be configured for the two SEP segments.
Pre-configuration Tasks
Before configuring SEP multi-instance, complete the following tasks: l Configuring basic SEP functions l Specifying an interface to block
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
310
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: stp region-configuration
The MST region view is displayed.
Step 3 Run: instance instance-id vlan { vlan-id [ to vlan-id ] } &<1-10>
Mappings between protected instances and VLANs are configured.
The value of instance-id specified in this command must be the same as that of instance-id specified in the protected-instance command.
Before you switch a VLAN from one SEP segment to another segment, shut down the blocked port. If you do not shut down the blocked port, a routing loop may occur after the VLAN switchover.
Step 4 Run: active region-configuration
Mappings between protected instances and VLANs are activated.
After mappings between protected instances and VLANs take effect, topology changes of a SEP segment affect only corresponding VLANs. This ensures reliable service data transmission.
----End
8.5.4 Configuring the Topology Change Notification Function
The topology change notification function is configured on the device that connects a lowerlayer network to an upper-layer network. This function enables the device to notify the peer device of topology changes in the lower-layer and upper-layer networks. All the devices on the network where the peer device resides then delete original MAC addresses and ARP entries and learn new MAC addresses to ensure uninterrupted traffic forwarding.
8.5.4.1 Reporting Topology Changes in a Lower-Layer Network - SEP Topology
Change Notification
Context
SEP runs on devices at the access layer. The topology change notification function enables devices to detect topology changes on the upper and lower-layer networks.
If the upper-layer network fails to be notified of the topology change in a SEP segment, the MAC address entries remain unchanged on the upper layer network and user traffic may be interrupted.
To ensure uninterrupted traffic forwarding, configure devices on the lower-layer network to report topology changes to the upper-layer network and specify the devices on the upper-layer network that will be notified of topology changes.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
311
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
NOTE
Currently, topology changes in a SEP segment can be reported to other SEP segments, STP networks.
After receiving a topology change notification from a lower-layer network, a device on the upperlayer network sends TC packets to instruct other devices on the upper-layer network to clear original MAC addresses and learn new MAC addresses after the topology of the lower-layer network changes. This ensures uninterrupted traffic forwarding.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: sep segment segment-id
A SEP segment is created and the view of the SEP segment is displayed.
Step 3 Run: tc-notify { segment { segment-id1 [ to segment-id2 ] } &<1-10> | stp }
The topology change of the specified SEP segment is reported to another SEP segment or a network running other ring protocols such as STP or RRPP.
By default, the topology change of a SEP segment is not reported.
----End
Follow-up Procedure
In the networking scenario where three or more SEP ring networks exist, when a topology change notification is sent through multiple links, the upper-layer network will receive it multiple times.
This reduces packet processing efficiency on the upper-layer network. Therefore, topology change notifications need to be suppressed. Suppressing topology change notifications frees the upper-layer network from processing multiple duplicate packets and protects the devices in the
SEP segment against topology change notification attacks.
Run the tc-protection interval interval-value command in the SEP segment view to set the interval for suppressing topology change notifications.
By default, the interval for suppressing topology change notifications is 2s, and three topology change notifications with different source addresses are processed within 2s.
NOTE l In the networking scenario where three or more SEP ring networks exist, the tc-protection interval interval-value command must be run. If this command is not run, the default interval for suppressing topology change notifications is used.
l A longer interval ensures stable SEP operation but reduces convergence performance.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
312
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
8.5.4.2 Checking the Configuration
Procedure l Run the display sep interface verbose command to check information about the interfaces added to a SEP segment.
----End
8.6 Maintaining SEP
This section describes how to maintain SEP, including clearing SEP statistics.
8.6.1 Clearing SEP Statistics
You can run the reset command to clear existing SEP statistics before re-collecting SEP statistics.
Context
NOTICE
SEP statistics cannot be restored after being cleared. Therefore, exercise caution when you run reset commands.
Procedure
Step 1 Run the reset sep interface interface-type interface-number statistics command in the user view to clear SEP packet statistics on a specified interface in a SEP segment.
----End
8.7 Configuration Examples
This section describes the typical application scenarios of SEP, networking requirements, and configuration roadmap.
8.7.1 Example for Configuring SEP on a Closed Ring Network
Networking Requirements
Generally, redundant links are used to connect an Ethernet switching network to an upper-layer network to provide link backup and enhance network reliability. The use of redundant links, however, may produce loops, causing broadcast storms and rendering the MAC address table unstable. As a result, communication quality deteriorates, and services may even be interrupted.
SEP can be deployed on the ring network to eliminate loops and restore communication if a link fault occurs.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
313
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
In the closed ring networking, CE1 is dual-homed to a Layer 2 network through multiple Layer
2 switching devices. The two edge devices connected to the upper-layer Layer 2 network are directly connected to each other. The closed ring network is deployed at the aggregation layer to transparently transmit Layer 2 unicast and multicast packets. SEP runs at the aggregation layer to implement link redundancy.
As shown in Figure 8-15 , Layer 2 switching devices Router1 to Router5 form a ring network.
SEP runs at the aggregation layer.
l When there is no faulty link on a ring network, SEP can eliminate loops on the network.
l When a link fails on the ring network, SEP can rapidly restore communication between nodes on the network.
Figure 8-15 Networking diagram of a closed ring SEP network
GE7/0/2
Router1
GE7/0/1
GE7/0/3
GE7/0/3 GE7/0/2
Router5
GE7/0/1
SEP
Segment1
GE7/0/1 GE7/0/1
Router2
Router3
GE7/0/2
GE7/0/1
GE7/0/3
GE7/0/2
GE7/0/1
Router4
GE7/0/2
CE1
Primary Edge Port
Secondary Edge Port
VLAN
100
Block Port
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure basic SEP functions.
a.
Configure SEP segment 1 on Router1 to Router5 and configure VLAN 10 as the control VLAN of SEP segment 1.
b.
Add all devices on the ring to SEP segment 1, and configure the roles of GE7/0/1 and
GE7/0/3 of Router1 in SEP segment 1.
c.
On the device where the primary edge interface is located, specify the interface with the highest priority to block.
d.
Set priorities of the interfaces in the SEP segment.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
314
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
Set the highest priority for GE7/0/2 of Router3 and retain the default priority of the other interfaces so that GE7/0/2 of Router3 will be blocked.
e.
Configure delayed preemption on the device where the primary edge interface is located.
2.
Configure the Layer 2 forwarding function on CE1 and Router1 to Router5.
Procedure
Step 1 Configure basic SEP functions.
1.
Configure SEP segment 1 on Router1 to Router5 and configure VLAN 10 as the control
VLAN of SEP segment 1.
# Configure Router1.
<Huawei> system-view
[Huawei] sysname Router1
[Router1] sep segment 1
[Router1-sep-segment1] control-vlan 10
[Router1-sep-segment1] protected-instance all
[Router1-sep-segment1] quit
# Configure Router2.
<Huawei> system-view
[Huawei] sysname Router2
[Router2] sep segment 1
[Router2-sep-segment1] control-vlan 10
[Router2-sep-segment1] protected-instance all
[Router2-sep-segment1] quit
# Configure Router3.
<Huawei> system-view
[Huawei] sysname Router3
[Router3] sep segment 1
[Router3-sep-segment1] control-vlan 10
[Router3-sep-segment1] protected-instance all
[Router3-sep-segment1] quit
# Configure Router4.
<Huawei> system-view
[Huawei] sysname Router4
[Router4] sep segment 1
[Router4-sep-segment1] control-vlan 10
[Router4-sep-segment1] protected-instance all
[Router4-sep-segment1] quit
# Configure Router5.
<Huawei> system-view
[Huawei] sysname Router5
[Router5] sep segment 1
[Router5-sep-segment1] control-vlan 10
[Router5-sep-segment1] protected-instance all
[Router5-sep-segment1] quit
NOTE l The control VLAN must be a VLAN that has not been created or used, but the configuration file automatically displays the command for creating the VLAN.
l Each SEP segment must be configured with a control VLAN. After an interface is added to the
SEP segment configured with a control VLAN, the interface is automatically added to the control
VLAN.
2.
Add all devices on the ring to SEP segment 1 and configure interface roles on the devices.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
315
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
Issue 01 (2014-11-30)
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment, disable STP on the interface.
# On Router1, configure GE7/0/1 as the primary edge interface and GE7/0/3 as the secondary edge interface.
[Router1] interface gigabitethernet 7/0/1
[Router1-GigabitEthernet7/0/1] stp disable
[Router1-GigabitEthernet7/0/1] sep segment 1 edge primary
[Router1-GigabitEthernet7/0/1] quit
[Router1] interface gigabitethernet 7/0/3
[Router1-GigabitEthernet7/0/3] stp disable
[Router1-GigabitEthernet7/0/3] sep segment 1 edge secondary
[Router1-GigabitEthernet7/0/3] quit
# Configure Router2.
[Router2] interface gigabitethernet 7/0/1
[Router2-GigabitEthernet7/0/1] stp disable
[Router2-GigabitEthernet7/0/1] sep segment 1
[Router2-GigabitEthernet7/0/1] quit
[Router2] interface gigabitethernet 7/0/2
[Router2-GigabitEthernet7/0/2] stp disable
[Router2-GigabitEthernet7/0/2] sep segment 1
[Router2-GigabitEthernet7/0/2] quit
# Configure Router3.
[Router3] interface gigabitethernet 7/0/1
[Router3-GigabitEthernet7/0/1] stp disable
[Router3-GigabitEthernet7/0/1] sep segment 1
[Router3-GigabitEthernet7/0/1] quit
[Router3] interface gigabitethernet 7/0/2
[Router3-GigabitEthernet7/0/2] stp disable
[Router3-GigabitEthernet7/0/2] sep segment 1
[Router3-GigabitEthernet7/0/2] quit
# Configure Router4.
[Router4] interface gigabitethernet 7/0/1
[Router4-GigabitEthernet7/0/1] stp disable
[Router4-GigabitEthernet7/0/1] sep segment 1
[Router4-GigabitEthernet7/0/1] quit
[Router4] interface gigabitethernet 7/0/2
[Router4-GigabitEthernet7/0/2] stp disable
[Router4-GigabitEthernet7/0/2] sep segment 1
[Router4-GigabitEthernet7/0/2] quit
# Configure Router5.
[Router5] interface gigabitethernet 7/0/1
[Router5-GigabitEthernet7/0/1] stp disable
[Router5-GigabitEthernet7/0/1] sep segment 1
[Router5-GigabitEthernet7/0/1] quit
[Router5] interface gigabitethernet 7/0/3
[Router5-GigabitEthernet7/0/3] stp disable
[Router5-GigabitEthernet7/0/3] sep segment 1
[Router5-GigabitEthernet7/0/3] quit
3.
Specify an interface to block.
# On Router1 where the primary edge interface is located, specify the interface with the highest priority to block.
[Router1] sep segment 1
[Router1-sep-segment1] block port optimal
4.
Set the priority of GE7/0/2 on Router3.
[Router3] interface gigabitethernet 7/0/2
[Router3-GigabitEthernet7/0/2] sep segment 1 priority 128
[Router3-GigabitEthernet7/0/2] quit
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
316
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
8 SEP Configuration
5.
Configure the preemption mode.
# Configure delayed preemption on Router1.
[Router1-sep-segment1] preempt delay 30
[Router1-sep-segment1] quit
NOTE l You must set the preemption delay when delayed preemption is used because there is no default delay time.
l When the last faulty interface recovers, edge interfaces do not receive any fault notification packet. If the primary edge interface does not receive any fault notification packet, it starts the delay timer. When the delay timer expires, nodes in the SEP segment start blocked interface preemption.
To implement delayed preemption in this example, simulate a port fault and then rectify the fault.
For example:
Run the shutdown command on GE7/0/1 of Router2 to simulate an interface fault, and then run the undo shutdown command on GE7/0/2 to rectify the fault.
Step 2 Configure the Layer 2 forwarding function on CE1 and Router1 to Router5.
For details about the configuration, see the configuration files.
Step 3 Verify the configuration.
l Run the shutdown command on GE7/0/1 of Router3 to simulate an interface fault, and then run the display sep interface command on Router3 to check whether GE7/0/2 of Router3 has switched from the Discarding state to the Forwarding state.
<Router3> display sep interface gigabitethernet 7/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE7/0/2 common up forwarding
----End
Configuration Files l Configuration file of Router1
#
sysname Router1
#
vlan batch 10 100 200
# sep segment 1
control-vlan 10
block port optimal
preempt delay 30
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100
stp disable
sep segment 1 edge primary
# interface GigabitEthernet7/0/2
port hybrid pvid vlan 200
port hybrid tagged vlan 100
port hybrid untagged vlan 200
# interface GigabitEthernet7/0/3
port hybrid tagged vlan 10 100 200
Issue 01 (2014-11-30) 317
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
stp disable
sep segment 1 edge secondary
# return l Configuration file of Router2
#
sysname Router2
#
vlan batch 10 100
# sep segment 1
control-vlan 10
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100
stp disable
sep segment 1
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 10 100
stp disable
sep segment 1
# return l Configuration file of Router3
#
sysname Router3
#
vlan batch 10 100
# sep segment 1
control-vlan 10
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100
stp disable
sep segment 1
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 10 100
stp disable
sep segment 1
sep segment 1 priority 128
# interface GigabitEthernet7/0/3
port hybrid tagged vlan 100
# return l Configuration file of Router4
#
sysname Router4
#
vlan batch 10 100
# sep segment 1
control-vlan 10
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100
stp disable
sep segment 1
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
8 SEP Configuration
318
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 10 100
stp disable
sep segment 1
# return l Configuration file of Router5
#
sysname Router5
#
vlan batch 10 100 200
# sep segment 1
control-vlan 10
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100
stp disable
sep segment 1
# interface GigabitEthernet7/0/2
port hybrid pvid vlan 200
port hybrid tagged vlan 100
port hybrid untagged vlan 200
# interface GigabitEthernet7/0/3
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1
# return l Configuration file of CE1
#
sysname CE1
#
vlan batch 100
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 100
# return
8.7.2 Example for Configuring SEP on a Multi-Ring Network
Networking Requirements
Generally, redundant links are used to connect an Ethernet switching network to an upper-layer network to provide link backup and enhance network reliability. The use of redundant links, however, may produce loops, causing broadcast storms and rendering the MAC address table unstable. As a result, communication quality deteriorates, and services may even be interrupted.
SEP can be deployed on the ring network to eliminate loops and restore communication if a link fault occurs.
In multi-ring networking, multiple rings consisting of Layer 2 switching devices are deployed at the access layer and aggregation layer. SEP runs at the access layer and aggregation layer to implement link redundancy.
, multiple Layer 2 switching devices form ring networks at the access layer and aggregation layer.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
319
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
SEP runs at the access layer and aggregation layer. When there is no faulty link on a ring network,
SEP can eliminate loops on the network. When a link fails on the ring network, SEP can rapidly restore communication between nodes on the network.
Figure 8-16 Networking diagram of a multi-ring SEP network
Router1
GE7/0/1
GE7/0/3 GE7/0/3
Router5
GE7/0/1
GE7/0/1
Router2
GE7/0/2
GE
7/0
SEP
Segment 1
GE7/0/2
GE7/0/3
Router4
GE7/0/1
GE7/0/1
Router6
GE7/0/2
GE7/0/1
Router7
GE7/0/4
S
EP gm en
Se
GE7/0/2 t 2
GE7/0/2
Router8
GE7/0/1
Se gm
SE en
P t 3
GE7/0/1
GE7/0/2
GE7/0/1
Router9 GE7/0/1
GE7/0/3
Router10
GE7/0/2
Router11
GE7/0/1
GE7/0/2
GE7/0/3
GE7/0/1
CE2
GE7/0/1
CE1
VLAN
200
VLAN
100
Primary Edge Port
Secondary Edge Port
Block Port
Control VLAN 10
Control VLAN 20
Control VLAN 30
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure basic SEP functions.
a.
Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30 as their respective control VLANs.
l Configure SEP segment 1 on Router1 to Router5 and configure VLAN 10 as the control VLAN of SEP segment 1.
l Configure SEP segment 2 on Router2, Router3, and Router6 to Router8, and configure VLAN 20 as the control VLAN of SEP segment 2.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
320
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration l Configure SEP segment 3 on Router3, Router4, and Router9 to Router11, and configure VLAN 30 as the control VLAN of SEP segment 3.
b.
Add devices on the rings to the SEP segments and configure interface roles on the edge devices of the SEP segments.
l On Router1 to Router5, add the interfaces on the ring at the access layer to SEP segment 1. Configure the roles of GE7/0/1 and GE7/0/3 of Router1 in SEP segment
1.
l Add GE7/0/2 of Router2, GE7/0/1 and GE7/0/2 of Router6 to Router8, and
GE7/0/2 of Router3 to SEP segment 2. Configure the roles of GE7/0/2 of
Router2 and GE7/0/2 of Router3 in SEP segment 2.
l Add GE7/0/1 of Router3, GE7/0/1 and GE7/0/2 of Router9 to Router11, and
GE7/0/1 of Router4 to SEP segment 3. Configure the roles of GE7/0/1 of
Router3 and GE7/0/1 of Router4 in SEP segment 3.
c.
Specify an interface to block on the device where the primary edge interface is located.
l In SEP segment 1, specify the interface with the highest priority to block.
l In SEP segment 2, specify the device and interface names to block the specified interface.
l In SEP segment 3, specify the blocked interface based on the configured hop count.
d.
Configure the preemption mode on the device where the primary edge interface is located.
Configure delayed preemption in SEP segment 1 and manual preemption in SEP segment 2 and SEP segment 3.
e.
Configure the topology change notification function on the edge devices between SEP segments, namely, Router2, Router3, and Router4.
2.
Configure the Layer 2 forwarding function on CE1, CE2, and Router1 to Router11.
Procedure
Step 1 Configure basic SEP functions.
1.
Configure SEP segments 1 to 3 and configure VLAN 10, VLAN 20, and VLAN 30 as their respective control VLANs, as shown in
.
# Configure Router1.
<Huawei> system-view
[Huawei] sysname Router1
[Router1] sep segment 1
[Router1-sep-segment1] control-vlan 10
[Router1-sep-segment1] protected-instance all
[Router1-sep-segment1] quit
# Configure Router2.
<Huawei> system-view
[Huawei] sysname Router2
[Router2] sep segment 1
[Router2-sep-segment1] control-vlan 10
[Router2-sep-segment1] protected-instance all
[Router2-sep-segment1] quit
[Router2] sep segment 2
[Router2-sep-segment2] control-vlan 20
[Router2-sep-segment2] protected-instance all
[Router2-sep-segment2] quit
# Configure Router3.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
321
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
<Huawei> system-view
[Huawei] sysname Router3
[Router3] sep segment 1
[Router3-sep-segment1] control-vlan 10
[Router3-sep-segment1] protected-instance all
[Router3-sep-segment1] quit
[Router3] sep segment 2
[Router3-sep-segment2] control-vlan 20
[Router3-sep-segment2] protected-instance all
[Router3-sep-segment2] quit
[Router3] sep segment 3
[Router3-sep-segment3] control-vlan 30
[Router3-sep-segment3] protected-instance all
[Router3-sep-segment3] quit
# Configure Router4.
<Huawei> system-view
[Huawei] sysname Router4
[Router4] sep segment 1
[Router4-sep-segment1] control-vlan 10
[Router4-sep-segment1] protected-instance all
[Router4-sep-segment1] quit
[Router4] sep segment 3
[Router4-sep-segment3] control-vlan 30
[Router4-sep-segment3] protected-instance all
[Router4-sep-segment3] quit
# Configure Router5.
<Huawei> system-view
[Huawei] sysname Router5
[Router5] sep segment 1
[Router5-sep-segment1] control-vlan 10
[Router5-sep-segment1] protected-instance all
[Router5-sep-segment1] quit
# Configure Router6 to Router11.
The configurations of Router6 to Router11 are similar to the configurations of Router1 to
Router5 except for the control VLANs of different SEP segments.
For details about the configuration, see the configuration files.
NOTE l The control VLAN must be a VLAN that has not been created or used, but the configuration file automatically displays the command for creating the VLAN.
l Each SEP segment must be configured with a control VLAN. After an interface is added to the
SEP segment configured with a control VLAN, the interface is automatically added to the control
VLAN.
2.
Add devices on the rings to the SEP segments and configure interface roles according to
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment, disable STP on the interface.
# On Router1, configure GE7/0/1 as the primary edge interface and GE7/0/3 as the secondary edge interface.
[Router1] interface gigabitethernet 7/0/1
[Router1-GigabitEthernet7/0/1] stp disable
[Router1-GigabitEthernet7/0/1] sep segment 1 edge primary
[Router1-GigabitEthernet7/0/1] quit
[Router1] interface gigabitethernet 7/0/3
[Router1-GigabitEthernet7/0/3] stp disable
[Router1-GigabitEthernet7/0/3] sep segment 1 edge secondary
[Router1-GigabitEthernet7/0/3] quit
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
322
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
# Configure Router2.
[Router2] interface gigabitethernet 7/0/1
[Router2-GigabitEthernet7/0/1] stp disable
[Router2-GigabitEthernet7/0/1] sep segment 1
[Router2-GigabitEthernet7/0/1] quit
[Router2] interface gigabitethernet 7/0/3
[Router2-GigabitEthernet7/0/3] stp disable
[Router2-GigabitEthernet7/0/3] sep segment 1
[Router2-GigabitEthernet7/0/3] quit
[Router2] interface gigabitethernet 7/0/2
[Router2-GigabitEthernet7/0/2] stp disable
[Router2-GigabitEthernet7/0/2] sep segment 2 edge primary
[Router2-GigabitEthernet7/0/2] quit
# Configure Router3.
[Router3] interface gigabitethernet 7/0/3
[Router3-GigabitEthernet7/0/3] stp disable
[Router3-GigabitEthernet7/0/3] sep segment 1
[Router3-GigabitEthernet7/0/3] quit
[Router3] interface gigabitethernet 7/0/4
[Router3-GigabitEthernet7/0/4] stp disable
[Router3-GigabitEthernet7/0/4] sep segment 1
[Router3-GigabitEthernet7/0/4] quit
[Router3] interface gigabitethernet 7/0/2
[Router3-GigabitEthernet7/0/2] stp disable
[Router3-GigabitEthernet7/0/2] sep segment 2 edge secondary
[Router3-GigabitEthernet7/0/2] quit
[Router3] interface GigabitEthernet 7/0/1
[Router3-GigabitEthernet7/0/1] stp disable
[Router3-GigabitEthernet7/0/1] sep segment 3 edge secondary
[Router3-GigabitEthernet7/0/1] quit
# Configure Router4.
[Router4] interface gigabitethernet 7/0/2
[Router4-GigabitEthernet7/0/2] stp disable
[Router4-GigabitEthernet7/0/2] sep segment 1
[Router4-GigabitEthernet7/0/2] quit
[Router4] interface GigabitEthernet 7/0/3
[Router4-GigabitEthernet7/0/3] stp disable
[Router4-GigabitEthernet7/0/3] sep segment 1
[Router4-GigabitEthernet7/0/3] quit
[Router4] interface gigabitethernet 7/0/1
[Router4-GigabitEthernet7/0/1] stp disable
[Router4-GigabitEthernet7/0/1] sep segment 3 edge primary
[Router4-GigabitEthernet7/0/1] quit
# Configure Router5.
[Router5] interface gigabitethernet 7/0/1
[Router5-GigabitEthernet7/0/1] stp disable
[Router5-GigabitEthernet7/0/1] sep segment 1
[Router5-GigabitEthernet7/0/1] quit
[Router5] interface gigabitethernet 7/0/3
[Router5-GigabitEthernet7/0/3] stp disable
[Router5-GigabitEthernet7/0/3] sep segment 1
[Router5-GigabitEthernet7/0/3] quit
# Configure Router6 to Router11.
The configurations of Router6 to Router11 are similar to the configurations of Router1 to
Router5 except for the interface roles.
For details about the configuration, see the configuration files.
3.
Specify an interface to block.
# On Router1 where the primary edge interface of SEP segment 1 is located, specify the interface with the highest priority to block.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
323
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
[Router1] sep segment 1
[Router1-sep-segment1] block port optimal
[Router1-sep-segment1] quit
# On Router3, set the priority of GE7/0/4 to 128, which is the highest priority among the interfaces so that GE7/0/4 will be blocked.
[Router3] interface gigabitethernet 7/0/4
[Router3-GigabitEthernet7/0/4] sep segment 1 priority 128
[Router3-GigabitEthernet7/0/4] quit
Retain the default priority of the other interfaces in SEP segment 1.
# On Router2 where the primary edge interface of SPE segment 2 is located, specify the device and interface names so that the specified interface will be blocked.
Before specifying the interface to block, use the display sep topology command to view the current topology information and obtain information about all the interfaces in the topology. Then specify the device and interface names.
[Router2] sep segment 2
[Router2-sep-segment2] block port sysname Router7 interface gigabitethernet
7/0/1
[Router2-sep-segment2] quit
# On Router4 where the primary edge interface of SEP segment 3 is located, specify the blocked interface based on the configured hop count.
[Router4] sep segment 3
[Router4-sep-segment3] block port hop 5
[Router4-sep-segment3] quit
NOTE
SEP sets the hop count of the primary edge interface to 1 and the hop count of the secondary edge interface to 2. Hop counts of other interfaces increase by steps of 1 in the downstream direction of the primary interface.
4.
Configure the preemption mode.
# Configure delayed preemption on Router1.
[Router1] sep segment 1
[Router1-sep-segment1] preempt delay 30
NOTE l You must set the preemption delay when delayed preemption is used because there is no default delay time.
l When the last faulty interface recovers, edge interfaces do not receive any fault notification packet. If the primary edge interface does not receive any fault notification packet, it starts the delay timer. When the delay timer expires, nodes in the SEP segment start blocked interface preemption.
To implement delayed preemption in this example, simulate a port fault and then rectify the fault.
For example:
Run the shutdown command on GE7/0/1 of Router2 to simulate an interface fault, and then run the undo shutdown command on GE7/0/2 to rectify the fault.
# Configure manual preemption on Router2.
[Router2] sep segment 2
[Router2-sep-segment2] preempt manual
# Configure the manual preemption mode on Router4.
[Router4] sep segment 3
[Router4-sep-segment3] preempt manual
5.
Configure the topology change notification function.
# Configure devices in SEP segment 2 to notify SEP segment 1 of topology changes.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
324
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
8 SEP Configuration
# Configure Router2.
[Router2] sep segment 2
[Router2-sep-segment2] tc-notify segment 1
[Router2-sep-segment2] quit
# Configure Router3.
[Router3] sep segment 2
[Router3-sep-segment2] tc-notify segment 1
[Router3-sep-segment2] quit
# Configure SEP segment 3 to notify SEP segment 1 of topology changes.
# Configure Router3.
[Router3] sep segment 3
[Router3-sep-segment3] tc-notify segment 1
[Router3-sep-segment3] quit
# Configure Router4.
[Router4] sep segment 3
[Router4-sep-segment3] tc-notify segment 1
[Router4-sep-segment3] quit
NOTE
The topology change notification function is configured on edge devices between SEP segments so that the upper-layer network can be notified of topology changes on the lower-layer network.
Step 2 Configure the Layer 2 forwarding function on the CEs and Router1 to Router11.
For details about the configuration, see the configuration files.
Step 3 Verify the configuration.
After completing the preceding configurations, verify the configuration. Router1 is used as an example.
l Run the shutdown command on GE7/0/1 of Router2 to simulate an interface fault, and then run the display sep interface command on Router3 to check whether GE7/0/4 of Router3 has switched from the Discarding state to the Forwarding state.
<Router3> display sep interface gigabitethernet 7/0/4
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE7/0/4 common up forwarding
----End
Configuration Files l Configuration file of Router1
#
sysname Router1
#
vlan batch 10 100 200 300
# sep segment 1
control-vlan 10
block port optimal
preempt delay 30
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100 200
Issue 01 (2014-11-30) 325
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
stp disable
sep segment 1 edge primary
# interface GigabitEthernet7/0/2
port hybrid pvid vlan 300
port hybrid tagged vlan 100 200
port hybrid untagged vlan 300
# interface GigabitEthernet7/0/3
port hybrid tagged vlan 10 100 200 300
stp disable
sep segment 1 edge secondary
# return l Configuration file of Router2
#
sysname Router2
#
vlan batch 10 20 100 200
# sep segment 1
control-vlan 10
protected-instance 0 to 4094 sep segment 2
control-vlan 20
block port sysname Router7 interface GigabitEthernet7/0/1
tc-notify segment 1
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 20 200
stp disable
sep segment 2 edge primary
# interface GigabitEthernet7/0/3
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1
# return l Configuration file of Router3
#
sysname Router3
#
vlan batch 10 20 30 100 200
# sep segment 1
control-vlan 10
protected-instance 0 to 4094 sep segment 2
control-vlan 20
tc-notify segment 1
protected-instance 0 to 4094 sep segment 3
control-vlan 30
tc-notify segment 1
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 30 100
8 SEP Configuration
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
326
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
stp disable
sep segment 3 edge secondary
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 20 200
stp disable
sep segment 2 edge secondary
# interface GigabitEthernet7/0/3
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1
# interface GigabitEthernet7/0/4
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1
sep segment 1 priority 128
# return l Configuration file of Router4
#
sysname Router4
#
vlan batch 10 30 100 200
# sep segment 1
control-vlan 10
protected-instance 0 to 4094 sep segment 3
control-vlan 30
block port hop 5
tc-notify segment 1
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 30 100
stp disable
sep segment 3 edge primary
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1
# interface GigabitEthernet7/0/3
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1
# return l Configuration file of Router5
#
sysname Router5
#
vlan batch 10 100 200 300
# sep segment 1
control-vlan 10
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100 200
stp disable
sep segment 1
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
8 SEP Configuration
327
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
# interface GigabitEthernet7/0/2
port hybrid pvid vlan 300
port hybrid tagged vlan 100 200
port hybrid untagged vlan 300
# interface GigabitEthernet7/0/3
port hybrid tagged vlan 10 100 200 300
stp disable
sep segment 1
# return l Configuration file of Router6
#
sysname Router6
#
vlan batch 20 200
# sep segment 2
control-vlan 20
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 20 200
stp disable
sep segment 2
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 20 200
stp disable
sep segment 2
# return l Configuration file of Router7
#
sysname Router7
#
vlan batch 20 200
# sep segment 2
control-vlan 20
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 20 200
stp disable
sep segment 2
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 20 200
stp disable
sep segment 2
# interface GigabitEthernet7/0/3
port hybrid tagged vlan 200
# return l Configuration file of Router8
#
sysname Router8
#
vlan batch 20 200
# sep segment 2
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
8 SEP Configuration
328
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
control-vlan 20
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 20 200
stp disable
sep segment 2
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 20 200
stp disable
sep segment 2
# return l Configuration file of Router9
#
sysname Router9
#
vlan batch 30 100
# sep segment 3
control-vlan 30
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 30 100
stp disable
sep segment 3
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 30 100
stp disable
sep segment 3
# return l Configuration file of Router10
#
sysname Router10
#
vlan batch 30 100
# sep segment 3
control-vlan 30
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 30 100
stp disable
sep segment 3
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 30 100
stp disable
sep segment 3
# interface GigabitEthernet7/0/3
port hybrid tagged vlan 100
# return l Configuration file of Router11
#
sysname Router11
#
vlan batch 30 100
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
8 SEP Configuration
329
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
# sep segment 3
control-vlan 30
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 30 100
stp disable
sep segment 3
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 30 100
stp disable
sep segment 3
# return l Configuration file of CE1
#
sysname CE1
#
vlan batch 100
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 100
# return l Configuration file of CE2
#
sysname CE2
#
vlan batch 200
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 200
# return
8.7.3 Example for Configuring a Hybrid SEP+MSTP Ring Network
Networking Requirements
Generally, redundant links are used to connect an Ethernet switching network to an upper-layer network to provide link backup and enhance network reliability. The use of redundant links, however, may produce loops, causing broadcast storms and rendering the MAC address table unstable. As a result, communication quality deteriorates, and services may even be interrupted.
SEP can be deployed on the ring network to eliminate loops and restore communication if a link fault occurs.
NOTE
In this example, devices at the aggregation layer run the MSTP protocol.
As shown in Figure 8-17 , multiple Layer 2 switching devices form a ring at the access layer,
and multiple Layer 3 devices form a ring at the aggregation layer. The two devices where the access layer and the aggregation layer are intersected do not support SEP. You can configure
SEP at the access layer to implement redundancy protection switching and configure the topology change notification function on an edge device in a SEP segment. This function enables an upper-layer network to detect topology changes in a lower-layer network in time.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
330
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration l When there is no faulty link on the ring network, SEP can eliminate loops.
l When a link fails on the ring network, SEP can rapidly restore communication between nodes.
l The topology change notification function must be configured on an edge device in a SEP segment. This enables an upper-layer network to detect topology changes in a lower-layer network in time.
After receiving a message indicating the topology change in a lower-layer network, a device on an upper-layer network sends TC packets to instruct other devices to delete original MAC addresses and learn new MAC addresses after the topology of the lower-layer network changes.
This ensures uninterrupted traffic forwarding.
Figure 8-17 Networking diagram of a hybrid-ring SEP network
GE7/0/3
PE3
GE7/0/1
GE7/0/2
GE7/0/2
GE7/0/3
PE4
GE7/0/1
MSTP
GE7/0/2 PE1
PE2
GE7/0/2
GE7/0/1
GE7/0/1
GE7/0/3
Do not Support SEP
GE7/0/1
GE7/0/1
Router1
SEP
Segment1
Router2
GE7/0/2
GE7/0/2
GE7/0/2
GE7/0/1
GE7/0/3
Router3
GE7/0/1
VLAN100
CE
No-neighbor Primary Edge Port
No-neighbor Secondary Edge Port
Block Port(SEP)
Block Port(MSTP)
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure basic SEP functions.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
331
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration a.
Configure SEP segment 1 on Router1 to Router3 and configure VLAN 10 as the control VLAN of SEP segment 1.
b.
Add Router1 to Router3 to SEP segment 1 and configure interface roles on the edge devices (Router1 and Router2) of the SEP segment.
NOTE
PE1 and PE2 do not support the SEP protocol; therefore, the interfaces of Router1 and
Router2 connected to the PEs must be no-neighbor edge interfaces.
c.
On the device where the no-neighbor primary edge interface is located, specify the interface in the middle of the SEP segment as the interface to block.
d.
Configure manual preemption.
e.
Configure the topology change notification function so that the upper-layer network running MSTP can be notified of topology changes in the SEP segment.
2.
Configure basic MSTP functions.
a.
Add Router1, Router2, PE1 to PE4 to an MST region RG1.
b.
Create VLANs on Router1, Router2, PE1 to PE4 and add interfaces on the STP ring to the VLANs.
c.
Configure PE3 as the root bridge and PE4 as the backup root bridge.
3.
Configure the Layer 2 forwarding function on CE and Router1 to Router3.
Procedure
Step 1 Configure basic SEP functions.
1.
Configure SEP segment 1 on Router1 to Router3 and configure VLAN 10 as the control
VLAN of SEP segment 1.
# Configure Router1.
<Huawei> system-view
[Huawei] sysname Router1
[Router1] sep segment 1
[Router1-sep-segment1] control-vlan 10
[Router1-sep-segment1] protected-instance all
[Router1-sep-segment1] quit
# Configure Router2.
<Huawei> system-view
[Huawei] sysname Router2
[Router2] sep segment 1
[Router2-sep-segment1] control-vlan 10
[Router2-sep-segment1] protected-instance all
[Router2-sep-segment1] quit
# Configure Router3.
<Huawei> system-view
[Huawei] sysname Router3
[Router3] sep segment 1
[Router3-sep-segment1] control-vlan 10
[Router3-sep-segment1] protected-instance all
[Router3-sep-segment1] quit
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
332
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
NOTE l The control VLAN must be a VLAN that has not been created or used, but the configuration file automatically displays the command for creating the VLAN.
l Each SEP segment must be configured with a control VLAN. After an interface is added to the
SEP segment configured with a control VLAN, the interface is automatically added to the control
VLAN.
2.
Add Router1 to Router3 to SEP segment 1 and configure interface roles.
# Configure Router1.
[Router1] interface gigabitethernet 7/0/1
[Router1-GigabitEthernet7/0/1] sep segment 1 edge no-neighbor primary
[Router1-GigabitEthernet7/0/1] quit
[Router1] interface gigabitethernet 7/0/2
[Router1-GigabitEthernet7/0/2] stp disable
[Router1-GigabitEthernet7/0/2] sep segment 1
[Router1-GigabitEthernet7/0/2] quit
# Configure Router2.
[Router2] interface gigabitethernet 7/0/1
[Router2-GigabitEthernet7/0/1] sep segment 1 edge no-neighbor secondary
[Router2-GigabitEthernet7/0/1] quit
[Router2] interface gigabitethernet 7/0/2
[Router2-GigabitEthernet7/0/2] stp disable
[Router2-GigabitEthernet7/0/2] sep segment 1
[Router2-GigabitEthernet7/0/2] quit
# Configure Router3.
[Router3] interface gigabitethernet 7/0/1
[Router3-GigabitEthernet7/0/1] stp disable
[Router3-GigabitEthernet7/0/1] sep segment 1
[Router3-GigabitEthernet7/0/1] quit
[Router3] interface gigabitethernet 7/0/2
[Router3-GigabitEthernet7/0/2] stp disable
[Router3-GigabitEthernet7/0/2] sep segment 1
[Router3-GigabitEthernet7/0/2] quit
3.
Specify an interface to block.
# On Router1 where the no-neighbor primary edge interface of SEP segment 1 is located, specify the interface in the middle of the SEP segment as the interface to block.
[Router1] sep segment 1
[Router1-sep-segment1] block port middle
4.
Configure the preemption mode.
# Configure the manual preemption mode on Router1.
[Router1-sep-segment1] preempt manual
5.
Configure the topology change notification function.
# Configure devices in SEP segment 1 to notify the MSTP network of topology changes.
# Configure Router1.
[Router1-sep-segment1] tc-notify stp
[Router1-sep-segment1] quit
# Configure Router2.
[Router2] sep segment 1
[Router2-sep-segment1] tc-notify stp
[Router2-sep-segment1] quit
Step 2 Configure basic MSTP functions.
1.
Configure an MST region.
# Configure PE1.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
333
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
<Huawei> system-view
[Huawei] sysname PE1
[PE1] stp region-configuration
[PE1-mst-region] region-name RG1
[PE1-mst-region] active region-configuration
[PE1-mst-region] quit
# Configure PE2.
<Huawei> system-view
[Huawei] sysname PE2
[PE2] stp region-configuration
[PE2-mst-region] region-name RG1
[PE2-mst-region] active region-configuration
[PE2-mst-region] quit
# Configure PE3.
<Huawei> system-view
[Huawei] sysname PE3
[PE3] stp region-configuration
[PE3-mst-region] region-name RG1
[PE3-mst-region] active region-configuration
[PE3-mst-region] quit
# Configure PE4.
<Huawei> system-view
[Huawei] sysname PE4
[PE4] stp region-configuration
[PE4-mst-region] region-name RG1
[PE4-mst-region] active region-configuration
[PE4-mst-region] quit
# Configure Router1.
[Router1] stp region-configuration
[Router1-mst-region] region-name RG1
[Router1-mst-region] active region-configuration
[Router1-mst-region] quit
# Configure Router2.
[Router2] stp region-configuration
[Router2-mst-region] region-name RG1
[Router2-mst-region] active region-configuration
[Router2-mst-region] quit
2.
Create VLANs and add interfaces to VLANs.
# On PE1, create VLAN 100 and add GE7/0/1, GE7/0/2, and GE7/0/3 to VLAN 100.
[PE1] vlan 100
[PE1-vlan100] quit
[PE1] interface gigabitethernet 7/0/1
[PE1-GigabitEthernet7/0/1] port hybrid tagged vlan 100
[PE1-GigabitEthernet7/0/1] quit
[PE1] interface gigabitethernet 7/0/2
[PE1-GigabitEthernet7/0/2] port hybrid tagged vlan 100
[PE1-GigabitEthernet7/0/2] quit
[PE1] interface gigabitethernet 7/0/3
[PE1-GigabitEthernet7/0/3] port hybrid tagged vlan 100
[PE1-GigabitEthernet7/0/3] quit
# On PE2, PE3, and PE4, create VLAN 100 and add GE7/0/1, GE7/0/2, and GE7/0/3 to
VLAN 100.
The configurations of PE2, PE3, and PE4 are similar to the configuration of PE1. For details about the configuration, see the configuration files.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
334
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
8 SEP Configuration
# On Router1 and Router2, create VLAN 100 and add GE7/0/1 to VLAN 100. The configurations of Router1 and Router2 are similar to the configuration of PE1. For details about the configuration, see the configuration files.
3.
Enable MSTP.
# Configure PE1.
[PE1] stp enable
# Configure PE2.
[PE2] stp enable
# Configure PE3.
[PE3] stp enable
# Configure PE4.
[PE4] stp enable
# Configure Router1.
[Router1] stp enable
# Configure Router2.
[Router2] stp enable
4.
Configure PE3 as the root bridge and PE4 as the backup root bridge.
# Set the priority of PE3 to 0 in MSTP to ensure that PE3 functions as the root bridge.
[PE3] stp root primary
# Set the priority of PE4 to 4096 in MSTP to ensure that PE4 functions as the backup root bridge.
[PE4] stp root secondary
Step 3 Configure the Layer 2 forwarding function on the CE and Router1 to Router3.
For details about the configuration, see the configuration files.
Step 4 Verify the configuration.
After the configurations are complete and network becomes stable, run the following commands to verify the configuration. Router1 is used as an example.
l Run the shutdown command on GE7/0/1 of Router2 to simulate an interface fault, and then run the display sep interface command on Router3 to check whether GE7/0/2 of Router3 has switched from the Discarding state to the Forwarding state.
<Router3> display sep interface gigabitethernet 7/0/2
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE7/0/2 common up forwarding
----End
Configuration Files l Configuration file of Router1
#
sysname Router1
# vlan batch 10 100
# stp region-configuration
Issue 01 (2014-11-30) 335
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
region-name RG1
active region-configuration
# sep segment 1
control-vlan 10
block port middle
tc-notify stp
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100
sep segment 1 edge no-neighbor primary
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 10 100
stp disable
sep segment 1
# return l Configuration file of Router2
#
sysname Router2
#
vlan batch 10 100
# stp region-configuration
region-name RG1
active region-configuration
# sep segment 1
control-vlan 10
tc-notify stp
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100
sep segment 1 edge no-neighbor secondary
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 10 100
stp disable
sep segment 1
# return l Configuration file of Router3
#
sysname Router3
#
vlan batch 10 100
# sep segment 1
control-vlan 10
protected-instance 0 to 4094
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100
stp disable
sep segment 1
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 10 100
stp disable
sep segment 1
# interface GigabitEthernet7/0/3
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
8 SEP Configuration
336
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
port hybrid tagged vlan vlan 100
# return l Configuration file of PE1
#
sysname PE1
#
vlan batch 100
#
stp region-configuration
region-name RG1
active region-configuration
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 100
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 100
# interface GigabitEthernet7/0/3
port hybrid tagged vlan 100
# return l Configuration file of PE2
#
sysname PE2
#
vlan batch 100
#
stp region-configuration
region-name RG1
active region-configuration
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 100
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 100
# interface GigabitEthernet7/0/3
port hybrid tagged vlan 100
# return l Configuration file of PE3
#
sysname PE3
#
vlan batch 100 200
#
stp instance 0 root primary
#
stp region-configuration
region-name RG1
active region-configuration
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 100
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 100 200
# interface GigabitEthernet7/0/3
port hybrid pvid vlan 200
port hybrid tagged vlan 100
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
8 SEP Configuration
337
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
port hybrid untagged vlan 200
# return l Configuration file of PE4
#
sysname PE4
#
vlan batch 100 200
#
stp instance 0 root secondary
#
stp region-configuration
region-name RG1
active region-configuration
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 100
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 100 200
# interface GigabitEthernet7/0/3
port hybrid pvid vlan 200
port hybrid tagged vlan 100
port hybrid untagged vlan 200
# return l Configuration file of CE
#
sysname CE
#
vlan batch 100
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 100
# return
8.7.4 Example for Configuring SEP Multi-Instance
On a closed ring network, two SEP segments are configured to process different VLAN services, implement load balancing, and provide link backup.
Networking Requirements
In common SEP networking, a physical ring can be configured with only one SEP segment in which only one interface can be blocked. If an interface in a complete SEP segment is blocked, all service data is transmitted only along the path where the primary edge interface is located.
The path where the secondary edge interface is located remains idle, wasting bandwidth.
To improve bandwidth efficiency and implement traffic load balancing, Huawei develops SEP multi-instance.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
338
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 8-18 SEP multi-instance on a closed ring network
Network
8 SEP Configuration
GE7/0/2
Router1
GE7/0/1
GE7
/0/3
GE7/0/3
GE7/0/2
Router4
GE7/0/1
GE7/0/1
Router2
GE7/0/3
P2
GE7
/0/2
GE7
/0/2
P1
GE7/0/1
Router3
GE7/0/3
GE7/0/1
Instance 1 :
VLAN
100~300
CE1
GE7/0/1
CE2
Instance2:
VLAN
301~500
SEP Segment1
SEP Segment2
Primary Edge Port
Secondary Edge Port
Block Port
As shown in Figure 8-18 , a ring network comprising Layer 2 switches (Router1 to Router4) is
connected to the network. SEP runs at the aggregation layer. SEP multi-instance is configured on Router1 to Router4 to allow for two SEP segments to improve bandwidth efficiency, implement load balancing, and provide link backup.
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure basic SEP functions.
a.
Create two SEP segments and a control VLAN on Router1 to Router4.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
339
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
8 SEP Configuration
Different SEP segments can use the same control VLAN.
b.
Configure SEP protected instances, and set mappings between SEP protected instances and user VLANs to ensure that topology changes affect only corresponding
VLANs.
c.
Add all the devices on the ring network to the SEP segments, and configure
GE7/0/1 as the primary edge interface and GE7/0/3 as the secondary edge interface on Router1.
d.
Configure an interface blocking mode on the device where the primary edge interface resides.
e.
Configure the preemption mode to ensure that the specified interface is blocked when a fault is rectified.
2.
Configure the Layer 2 forwarding function on CE1, CE2, and Router1 to Router4.
Procedure
Step 1 Configure basic SEP functions.
l Configure SEP segment 1 and control VLAN 10.
# Configure Router1.
<Huawei> system-view
[Huawei] sysname Router1
[Router1] sep segment 1
[Router1-sep-segment1] control-vlan 10
[Router1-sep-segment1] quit
# Configure Router2.
<Huawei> system-view
[Huawei] sysname Router2
[Router2] sep segment1
[Router2-sep-segment1] control-vlan 10
[Router2-sep-segment1] quit
# Configure Router3.
<Huawei> system-view
[Huawei] sysname Router3
[Router3] sep segment 1
[Router3-sep-segment1] control-vlan 10
[Router3-sep-segment1] quit
# Configure Router4.
<Huawei> system-view
[Huawei] sysname Router4
[Router4] sep segment 1
[Router4-sep-segment1] control-vlan 10
[Router4-sep-segment1] quit l Configure SEP segment 2 and control VLAN 10.
# Configure Router1.
[Router1] sep segment 2
[Router1-sep-segment2] control-vlan 10
[Router1-sep-segment2] quit
# Configure Router2.
[Router2] sep segment2
[Router2-sep-segment2] control-vlan 10
[Router2-sep-segment2] quit
# Configure Router3.
[Router3] sep segment 2
[Router3-sep-segment2] control-vlan 10
[Router3-sep-segment2] quit
Issue 01 (2014-11-30) 340
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
8 SEP Configuration
# Configure Router4.
[Router4] sep segment 2
[Router4-sep-segment2] control-vlan 10
[Router4-sep-segment2] quit
NOTE l The control VLAN must be a new one.
l The command used to create a common VLAN is automatically displayed in a configuration file.
l Each SEP segment must be configured with a control VLAN. After being added to a SEP segment configured with a control VLAN, an interface is added to the control VLAN automatically. You do not need to run the port trunk allow-pass vlan command. In the configuration file, the port trunk allow-pass vlan command, however, is displayed in the view of the interface added to the SEP segment.
Step 2 Configure SEP protected instances, and configure mappings between SEP protected instances and user VLANs.
# Configure Router1.
[Router1] vlan batch 100 to 500
[Router1] sep segment 1
[Router1-sep-segment1] protected-instance 1
[Router1-sep-segment1] quit
[Router1] sep segment 2
[Router1-sep-segment2] protected-instance 2
[Router1-sep-segment2] quit
[Router1] stp region-configuration
[Router1-mst-region] instance 1 vlan 100 to 300
[Router1-mst-region] instance 2 vlan 301 to 500
[Router1-mst-region] active region-configuration
[Router1-mst-region] quit
The configurations of Router2 to Router4 are similar to that of Router1, and are not mentioned here. For details, see the configuration files.
Step 3 Add all the devices on the ring network to the SEP segments and configure interface roles.
NOTE
By default, STP is enabled on a Layer 2 interface. Before adding an interface to a SEP segment, disable
STP on the interface.
# On Router1, configure GE7/0/1 as the primary edge interface and GE7/0/3 as the secondary edge interface.
[Router1] interface gigabitethernet 7/0/1
[Router1-GigabitEthernet7/0/1] stp disable
[Router1-GigabitEthernet7/0/1] sep segment 1 edge primary
[Router1-GigabitEthernet7/0/1] sep segment 2 edge primary
[Router1-GigabitEthernet7/0/1] quit
[Router1] interface gigabitethernet 7/0/3
[Router1-GigabitEthernet7/0/3] stp disable
[Router1-GigabitEthernet7/0/3] sep segment 1 edge secondary
[Router1-GigabitEthernet7/0/3] sep segment 2 edge secondary
[Router1-GigabitEthernet7/0/3] quit
# Configure Router2.
[Router2] interface gigabitethernet 7/0/1
[Router2-GigabitEthernet7/0/1] stp disable
[Router2-GigabitEthernet7/0/1] sep segment 1
[Router2-GigabitEthernet7/0/1] sep segment 2
[Router2-GigabitEthernet7/0/1] quit
[Router2] interface gigabitethernet 7/0/2
[Router2-GigabitEthernet7/0/2] stp disable
[Router2-GigabitEthernet7/0/2] sep segment 1
[Router2-GigabitEthernet7/0/2] sep segment 2
Issue 01 (2014-11-30) 341
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
[Router2-GigabitEthernet7/0/2] quit
# Configure Router3.
[Router3] interface gigabitethernet 7/0/1
[Router3-GigabitEthernet7/0/1] stp disable
[Router3-GigabitEthernet7/0/1] sep segment 1
[Router3-GigabitEthernet7/0/1] sep segment 2
[Router3-GigabitEthernet7/0/1] quit
[Router3] interface gigabitethernet 7/0/2
[Router3-GigabitEthernet7/0/2] stp disable
[Router3-GigabitEthernet7/0/2] sep segment 1
[Router3-GigabitEthernet7/0/2] sep segment 2
[Router3-GigabitEthernet7/0/2] quit
# Configure Router4.
[Router4] interface gigabitethernet 7/0/1
[Router4-GigabitEthernet7/0/1] stp disable
[Router4-GigabitEthernet7/0/1] sep segment 1
[Router4-GigabitEthernet7/0/1] sep segment 2
[Router4-GigabitEthernet7/0/1] quit
[Router4] interface gigabitethernet 7/0/3
[Router4-GigabitEthernet7/0/3] stp disable
[Router4-GigabitEthernet7/0/3] sep segment 1
[Router4-GigabitEthernet7/0/3] sep segment 2
[Router4-GigabitEthernet7/0/3] quit
Step 4 Specify an interface to block.
# Configure delayed preemption and block an interface based on the device and interface names on Router1 where the primary edge interface is located.
[Router1] sep segment 1
[Router1-sep-segment1] block port sysname Router3 interface gigabitethernet 7/0/1
[Router1-sep-segment1] preempt delay 15
[Router1-sep-segment1] quit
[Router1] sep segment 2
[Router1-sep-segment2] block port sysname Router2 interface gigabitethernet 7/0/1
[Router1-sep-segment2] preempt delay 15
[Router1-sep-segment2] quit
NOTE l In this configuration example, an interface fault needs to be simulated and then rectified to implement delayed preemption. To ensure that delayed preemption takes effect on the two SEP segments, simulate an interface fault in the two SEP segments. For example: l In SEP segment 1, run the shutdown command on GE 7/0/1 of Router2 to simulate an interface fault. Then, run the undo shutdown command on GE7/0/1 to simulate interface fault recovery.
l In SEP segment 2, run the shutdown command on GE 7/0/1 of Router3 to simulate an interface fault. Then, run the undo shutdown command on GE7/0/1 to simulate interface fault recovery.
Step 5 Configure the Layer 2 forwarding function on CE1, CE2, and Router1 to Router4.
The configuration details are not mentioned here. For details, see the configuration files.
Step 6 Verify the configuration.
Simulate a fault, and then check whether the status of the blocked interface changes from blocked to forwarding.
Run the shutdown command on GE7/0/1 of Router2 to simulate an interface fault.
Run the display sep interface command on Router3 to check whether the status of GE7/0/1 in
SEP segment 1 changes from blocked to forwarding.
[Router3] display sep interface gigabitethernet 7/0/1
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
342
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 8 SEP Configuration
SEP segment 1
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE7/0/1 common up forwarding
SEP segment 2
----------------------------------------------------------------
Interface Port Role Neighbor Status Port Status
----------------------------------------------------------------
GE7/0/1 common up forwarding
The preceding command output shows that the status of GE7/0/1 changes from blocked to forwarding and the forwarding path change in SEP segment 1 does not affect the forwarding path in SEP segment 2.
----End
Configuration Files l Configuration file of Router1
#
sysname Router1
#
vlan batch 10 100 to 500
#
stp region-configuration
instance 1 vlan 100 to 300
instance 2 vlan 301 to 500
active region-configuration
# sep segment 1
control-vlan 10
block port sysname Router3 interface GigabitEthernet7/0/1
preempt delay 15
protected-instance 1 sep segment 2
control-vlan 10
block port sysname Router2 interface GigabitEthernet7/0/1
preempt delay 15
protected-instance 2
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1 edge primary
sep segment 2 edge primary
# interface GigabitEthernet7/0/3
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1 edge secondary
sep segment 2 edge secondary
# return l Configuration file of Router2
#
sysname Router2
#
vlan batch 10 100 to 500
#
stp region-configuration
instance 1 vlan 100 to 300
instance 2 vlan 301 to 500
active region-configuration
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
343
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
# sep segment 1
control-vlan 10
protected-instance 1 sep segment 2
control-vlan 10
protected-instance 2
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1
sep segment 2
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1
sep segment 2
# interface GigabitEthernet7/0/3
port hybrid tagged vlan 100 to 300
# return l Configuration file of Router3
#
sysname Router3
#
vlan batch 10 100 to 500
#
stp region-configuration
instance 1 vlan 100 to 300
instance 2 vlan 301 to 500
active region-configuration
# sep segment 1
control-vlan 10
protected-instance 1 sep segment 2
control-vlan 10
protected-instance 2
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1
sep segment 2
# interface GigabitEthernet7/0/2
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1
sep segment 2
# interface GigabitEthernet7/0/3
port hybrid tagged vlan 301 to 500
# return l Configuration file of Router4
#
sysname Router4
#
vlan batch 10 100 to 500
#
stp region-configuration
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
8 SEP Configuration
344
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
instance 1 vlan 100 to 300
instance 2 vlan 301 to 500
active region-configuration
# sep segment 1
control-vlan 10
protected-instance 1 sep segment 2
control-vlan 10
protected-instance 2
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1
sep segment 2
# interface GigabitEthernet7/0/3
port hybrid tagged vlan 10 100 to 500
stp disable
sep segment 1
sep segment 2
# return l Configuration file of CE1
#
sysname CE1
#
vlan batch 100 to 300
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 100 to 300
# return l Configuration file of CE2
#
sysname CE2
#
vlan batch 301 to 500
# interface GigabitEthernet7/0/1
port hybrid tagged vlan 301 to 500
# return
8 SEP Configuration
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
345
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
9
Transparent Bridging Configuration
About This Chapter
Transparent bridges are widely used in Ethernet LANs because they are easy to configure and operate.
Context
NOTE
AR550 series routers do not support transparent bridges.
9.1 Introduction to Transparent Bridge
9.4 Configuration Task Summary
Transparent bridges are widely used in Ethernet LANs because they are easy to configure and operate.
This section provides default parameter settings of transparent bridging.
9.6 Configuring Transparent Bridging
Transparent bridges are widely used in Ethernet LANs because they are easy to configure and operate.
9.7 Maintaining Transparent Bridging
346 Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
9.1 Introduction to Transparent Bridge
Definition
Transparent bridges are applied in Ethernet environments to connect LANs, to facilitate seamless interaction between LANs. A transparent bridge learns the network topology needed to forward packets by reading the received packet's source MAC address and creating a mapping table between the source MAC address and the interface.
Purpose
Ethernet LAN has become the mainstream technology due to its robust expansibility and low costs. On some small-scale networks especially on dispersed networks, interworking between
LANs remains a problem and needs to be addressed urgently.
Traditional routers can connect LANs, but the costs are high and the configurations are complex.
Transparent bridging can be used on an Ethernet network to connect LANs.
Transparent bridging makes full use of links but not low-speed Ethernet links to connect LANs without affecting the existing LAN network. Transparent bridging is easy to use and costeffective, so it is widely used.
9.2 Principles
9.2.1 Basic Principles of Transparent Bridging
Forwarding Entry Learning
Transparent bridging uses a forwarding table to forward packets. A network bridge's forwarding table records the mapping between the MAC address and the packet's outbound interface. If an
Ethernet frame arrives, the network bridge takes the following actions to forward it: l Obtain the source MAC address of the valid Ethernet frame.
l Add the mapping relationship between the source MAC address and the interface to the forwarding table to generate a forwarding entry.
As shown in Figure 9-1 , PC1, PC2, PC3, and PC4 are located on two LANs. PC 1 connects to
bridge port Port1 and PC2 connects to bridge port Port2. When PC1 sends an Ethernet frame to
PC2, both Port1 and PC2 receive the frame.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
347
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 9-1 PC1 transmitting information to PC2 on LAN1
9 Transparent Bridging Configuration
LAN1 LAN1
PC 1
PC 2
Port1 RouterA Port2
Port3 Port4
Issue 01 (2014-11-30)
LAN2
PC 3
PC 4
LAN2
After Port2 receives the frame, the network bridge learns that PC1 connects to Port1 because the frame is received from Port1. Then the mapping between the MAC address of PC1 and Port1
is added to the network bridge table, as shown in Figure 9-2
.
Figure 9-2 Network bridge learning that PC1 connects to Port1
LAN1
LAN1
PC 1 PC 2
Source MAC Destination MAC
00e0:fcaa:aaaa 00e0:fcaa:bbbb
Port1 RouterA Port2
Port3
MAC address
00e0:fcaa:aaaa
Port4
Port port1
PC 3 PC 4
LAN2 LAN2
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
348
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
When PC2 responds to the frame from PC1, the network bridge also detects the frame from PC2 and learns that PC2 connects to Port2 because the frame is received from Port2. The mapping between the MAC address of PC2 and Port2 is added to the network bridge table, as shown in
.
Figure 9-3 Network bridge learning that PC2 connects to Port2
LAN1 LAN1
PC 1
PC 3
LAN2
Destination MAC Source MAC
00e0:fcaa:aaaa 00e0:fcaa:bbbb
Port1 RouterA Port2
Port3
MAC address
00e0:fcaa:aaaa
00e0:fcaa:bbbb
Port4
Port port1 port2
LAN2
PC 2
PC 4
The network bridge learns the mappings between all MAC addresses and bridge interfaces, as shown in
.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
349
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 9-4 Last network bridge address table
LAN1
PC 1
9 Transparent Bridging Configuration
PC 2
LAN1
PC 3
LAN2
Port1 RouterA Port2
Port3
MAC address
00e0:fcaa:aaaa
00e0:fcaa:bbbb
00e0:fcaa:cccc
00e0:fcaa:dddd
Port4
Port port1 port2 port3 port4
PC 4
LAN2
If a MAC address establishes a mapping relationship with more than one interface, the more recent mapping relationship overrides the earlier one. This ensures each MAC address is related with only one outbound interface.
The transparent bridge can perform dynamic MAC address learning. Learned MAC address entries are deleted when their aging time expires.
Packet Processing
The transparent bridge processes received data frames in either of the following modes: l Unicast frame
If the received data frame's destination MAC address can be found in the forwarding table, and the inbound and outbound interfaces of the frame are different, the outbound interface forwards the data frame.
l Broadcast
If the received data frame's destination MAC address is a unicast MAC address and cannot be found in the forwarding table, or the destination MAC address of the data frame is a multicast or broadcast MAC address, the data frame is forwarded using any interface of one bridge group, and not the frame's inbound interface.
9.2.2 Local Bridging
Local bridging is the basic function of transparent bridging. As shown in
, LAN 1 and LAN 2 are in the same geographic location and need to communicate with each other at the link layer. Transparent bridging can be used to bridge these LANs locally.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
350
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Figure 9-5 Local bridging network diagram
PC 3 PC 4
LAN1
Eth2/0/1
Eth2/0/2
LAN2
RouterA
9 Transparent Bridging Configuration
PC 1 PC 2
A bridge group is created on Router A. Ethernet 2/0/1 in LAN 1 and Ethernet 2/0/2 in LAN 2 are added to the bridge group. In this manner, LAN 1 and LAN 2 are bridged and can communicate with each other at the link layer.
After local bridging is configured, the bridge group configured for the transparent bridge is able to: l Learn the mapping relationship between the MAC address and the interface (MAC forwarding entry).
l Be configured with static and blackhole MAC address entries.
l Be enabled with or disabled from dynamic MAC address entry learning.
l Be configured with the aging time of dynamic MAC entries.
l Bridge all protocol packets (including IP and non-IP packets) by default.
9.2.3 Remote Bridging
If LANs in different geographical locations need to communicate with each other at the link layer, remote bridging can be used to bridge the LANs.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
351
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
Figure 9-6 Networking diagram for remote bridging
PC 3 PC 4
HostA HostB
PC 7
LAN1 LAN3
PC 8
Eth2/0/1
RouterA
Eth2/0/2
Serial1/0/0
Serial1/0/1
FR
Network
Serial1/0/0
Serial1/0/1
Eth2/0/1
RouterB
Eth2/0/2
LAN2 LAN4
PC 1 PC 2
HostC HostD
PC 5 PC 6
As shown in Figure 9-6 , Router A and Router B are connected with each other over a network.
PC2, PC4, PC5, and PC7 belong to four different LANs (LAN 2, LAN 1, LAN 4, LAN 3) on different network segments. LAN 1 needs to communicate with LAN 3, and LAN 2 with LAN
4.
Bridges 1 and 2 are created on Router A and Router B, respectively.Ethernet2/0/1 and Serial
1/0/0 on both Router A and Router B are added to bridge 1; Ethernet2/0/2 and Serial 1/0/1 on both Router A and Router B are added to bridge 2. In this manner, the preceding communication requirement can be met.
Other types of links, such as Ethernet, Point-to-Point Protocol (PPP), Asynchronous Transfer
Mode (ATM), can also be used for remote bridging.
To support remote bridging, transparent bridging provides the following functions: l Allow Ethernet interfaces, Ethernet sub-interfaces, VLANIF, Serial, Serial sub-interfaces,
VT, Dialer interfaces to be added to bridge groups.
l Link encapsulation protocols such as Ethernet, PPP, PPPoA, PPPoE and PPPoEoA.
l 802.1Q VLAN ID transparent transmission.
l Bridging IP and non-IP packets.
NOTE
The AR550 series do not support VT, Dialer, PPP, PPPoA, PPPoE, PPPoA or PPPoEoA.
9.2.4 Integrated Bridging and Routing
Bridge groups connect different LANs at the link layer. Generally, LAN users that need to be interconnected belong to the same network segment or aggregated network segment. When users in a bridge group need to access another network, link-layer bridging is unsatisfactory. Integrated bridging and routing can meet these needs.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
352
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
Integrated bridging and routing uses Bridge-if interfaces for routing packets. Bridge-if interfaces can be configured with network layer attributes, such as IP addresses. Each bridge group can be configured with only one Bridge-if interface. A Bridge-if interface's number is the number of the bridge group that the Bridge-if interface represents. After the integrated bridging and routing function has been activated, the Bridge-if interface can route packets between users in the bridge group and the outside network.
The integrated bridging and routing function needs to be enabled using the command line.
Otherwise, all the packets in a bridge group can only be bridged, but not routed. After integrated bridging and routing has been enabled, protocol packets can either be bridged or routed, which can be configured through the command line.
After integrated bridging and routing has been enabled, the interfaces added to a bridge group cannot be configured with IP addresses.
Figure 9-7 Integrated bridging and routing network diagram
PC1
1.1.1.11/24
PC2
1.1.1.12/24
Eth2/0/1
Bridge-if
1.1.1.1/24
Eth2/0/2
Eth1/0/0
2.2.2.1/24
RouterA
Eth1/0/0
2.2.2.2/24
RouterB
Eth2/0/2
1.1.1.13/24 1.1.1.14/24
PC3 PC4
2.2.2.3/24 2.2.2.4/24
PC5 PC6
As shown in Figure 9-7 , a bridge group and a Bridge-if interface are configured on Router A.
Ethernet2/0/1 and Ethernet2/0/2, connecting two different LANs, are added to the bridge group.
An IP address is configured for the Bridge-if interface. After the integrated bridging and routing function and the IP packet routing function have been enabled, the Bridge-if interface can route
IP packets between the four hosts (PC1, PC2, PC3, and PC4) and the network outside the bridge group, and the return route is configured for Router B. That is, the four hosts can access the network outside the bridge group by using the Bridge-if interface.
9.2.5 VLAN ID Transparent Transmission
Packet VLAN IDs need to be transmitted between multiple bridged LANs so that devices in different VLANs can be isolated and those in the same VLAN can communicate with each other.
VLAN ID transparent transmission can prevent VLAN IDs from being dropped during transmission.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
353
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
Figure 9-8 Networking diagram for VLAN ID transparent transmission
RouterA
Eth2/0/0
RouterB
Eth2/0/0
VLAN2
Eth1/0/0 Eth1/0/0
VLAN2
SwitchA SwitchB
PC1 PC2
If two trunk interfaces are connected over Ethernet, configuring VLAN ID transparent transmission prevents the transmission devices on the Ethernet from removing VLAN IDs of the packets. The two trunk interfaces can be considered as directly connected. For example, in
VLAN ID transparent transmission is enabled on the interfaces of Router A and
Router B, allowing PC1 and PC2 to communicate with each other.
9.3 Applications
Transparent bridging allows communication between different LANs. Transparent bridging can be configured in four usage scenarios depending on the geographical locations and network segments of LANs.
lists the four usage scenarios and selection rules.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
354
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
Table 9-1 Transparent bridging usage scenarios
Scenar io
Users in the
Same
Geographical
Location and
Network
Segment
Users in the
Same
Geographical
Location but
Different
Network
Segments
Functio n
Requir ed
Local bridging as shown in
Local bridging integrated with IP routing as shown
Users in
Different
Geographical
Locations but
Same Network
Segment
Users in
Different
Geographical
Locations and
Network
Segments
Remote bridging and VLAN ID transparent transmission (if communication within VLANs and isolation between VLANs are required)
Users in different locations but on the same network segment communicate with each other using remote bridging, as shown in
. To implement interworking in a
VLAN and isolation between different VLANs, enable VLAN ID transparent transmission, as
Remote bridging integrated with IP routing as shown in
Interworking on the Same Network Segment
An enterprise has multiple departments located in the same office building but on different floors.
As businesses develop, data communication is required between the terminals within the same department, and between some departments. Due to information security, information in some departments need to be isolated with that in the other departments. In this case, local bridging can be used. Users that require communication with each other need to be added to the same bridge group so that some departments can communicate or be isolated with other departments.
As shown in Figure 9-9 , User 1 and User 2 belong to the same department, and both of them
are added to VLAN 11. User 4 and User 3 belong to the different departments. User 1, User 2, and User 3 need to communicate with each other. After bridge groups are created on RouterA,
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
355
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration departments in the same bridge group can communicate with each other and those in different bridge groups are isolated from each other.
Figure 9-9 Interworking on the same network segment
RouterA
User 1 User 2
1.1.1.1/24 1.1.1.2/24
VLAN 11
User 3
1.1.1.3/24
User 4
1.1.1.4/24
Interworking on Different Network Segment
As shown in Figure 9-10 , as businesses of Enterprise A develop, data communication is required
between departments of Enterprise A, and between Enterprise A and local Enterprises B.
Departments of Enterprise A belong to the LANs on the same network segment, and therefore they can be bridged to communicate with each other. Enterprise B, however, belongs to a LAN on a different network segment. Therefore, link-layer bridging cannot meet the requirement of the communication between Enterprise A and Enterprise B.
In this case, you can configure local bridging integrated with IP routing to achieve the communication between Enterprise A and Enterprise B.
Figure 9-10 Interworking on different network segments
Bridge-if
RouterA
Issue 01 (2014-11-30)
User 1 User 2
1.1.1.1/24 1.1.1.2/24
Enterprise A
User 3
3.1.1.3/24
Enterprise B
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
356
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
Remote Users on the Same Network Segment
An enterprise has multiple departments in different locations. As businesses develop, data communication is required between the terminals within the same department, and between some departments. To enable the communication between departments in different locations, remote bridging can be used.
As shown in Figure 9-11 , intermediate links are used to connect RouterA and RouterB, which
are located in different locations. Users 1 to 4 are on the same network segment. User 3 and User
4 are in a different location than User 1 and User 2. Configuring remote bridging allows User 1 and User 2 to communicate with User 3 and User 4.
Figure 9-11 Remote users on the same network segment
RouterA RouterB
User 1
1.1.1.1/24
User 2
1.1.1.2/24
User 3
1.1.1.3/24
User 4
1.1.1.4/24
Remote Users in the Same VLAN on the Same Network Segment
To allow users in the same department (the same VLAN) to communicate with each other, and to isolate users in different departments (different VLANs), VLAN ID transparent transmission must be enabled.
, User 1, User 2, User 3, and User 4 are on the same network segment.
User 1 and User 3 belong to a VLAN; User 2 and User 4 belong to the other VLAN. To allow users in the same VLAN to communicate with each other and isolate users in different VLANs, remote bridging and VLAN ID transparent transmission can be enabled. In this manner, User 1 can only communicate with User 3, and User 2 can only communicate with User 4.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
357
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
Figure 9-12 Remote users in the same vlan on the same network segment
RouterA RouterB
Eth1/0/1
Eth1/0/3
Eth1/0/2
Switch 1
Eth1/0/1
Eth1/0/3
Eth1/0/2
Switch 2
User 1 User 2
1.1.1.1/24 1.1.1.2/24
VLAN 11 VLAN 12
User 3 User 4
1.1.1.3/24 1.1.1.4/24
VLAN 11 VLAN 12
Remote Users on Different Network Segments
As shown in Figure 9-13 , As businesses of Enterprise A develop, data communication is
required between departments of Enterprise A, and between Enterprise A and remote Enterprises
C (in a different geographical location).
Departments of Enterprise A belong to the LANs on the same network segment, and therefore they can be bridged to communicate with each other. Enterprise C, however, belongs to a LAN on a different network segment. Therefore, link-layer bridging cannot meet the requirement of the communication between Enterprise A and Enterprise C.
In this case, you can configure remote bridging integrated with IP routing to achieve the communication between Enterprise A and Enterprise C.
Figure 9-13 Remote users on different network segments
Bridge-if
RouterA
Network
RouterB
Issue 01 (2014-11-30)
User 1 User 2
1.1.1.1/24 1.1.1.2/24
Enterprise A
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
User 4
2.1.1.4/24
Enterprise C
358
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
9.4 Configuration Task Summary
Transparent bridges are widely used in Ethernet LANs because they are easy to configure and operate.
lists the configuration task summary of Transparent Bridging.
Table 9-2 Configuration task summary of Transparent Bridging
Item Description
Configuring Local Bridging Configuring local bridging allows users in the same geographical location and on the same network segment to communicate with each other.
Task
Configuring Local Bridging
Integrated with IP Routing
Configuring local bridging integrated with IP routing allows users in the same geographical location but on different network segments to communicate with each other.
9.5 Default Configuration
This section provides default parameter settings of transparent bridging.
Table 9-3 Default parameter settings of transparent bridging
Parameter
Briding function for a specified network protocol
Routing function
Transparent transmission of VLAN IDs
Default Setting
Enabled for all protocols
Disabled for IP protocol packets
Disabled
9.6 Configuring Transparent Bridging
Transparent bridges are widely used in Ethernet LANs because they are easy to configure and operate.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
359
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
9.6.1 Configuring Local Bridging
Configuring local bridging allows users in the same geographical location and on the same network segment to communicate with each other.
9.6.1.1 Creating a Bridge Group
Context
A bridge group is a virtual group. It can forward packets only after interfaces have been added to the group.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: bridge bridge-id
A bridge group is created and the bridge group view is displayed.
If the bridge group specified by bridge-id exists, the bridge group view is displayed.
Multiple devices can use the same bridge number.
----End
9.6.1.2 Adding Local Interfaces to a Bridge Group
Context
A bridge group is a virtual group. It can forward packets only after interfaces have been added to the group.
As shown in Figure 9-14 , the following methods can be used to add users to a bridge group:
l Directly add users to the bridge group. User 3 uses this method.
l Use a VLAN to add users to the bridge group. Create a VLAN on a bridge and add users to the VLAN. Users then connect to the bridge group through the VLANIF interface. User
1 and User 2 use this method.
l Use Ethernet sub-interfaces to add users to the bridge group. This method is used when flows on a physical interface need to be differentiated using sub-interfaces. User 4 uses this method.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
360
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
Figure 9-14 Networking diagram for adding users to bridge groups
User 3 RouterA
User 4
Sub interface
VLANIF 11
User 1 User 2
VLAN 11
Perform the following steps on the user-side interface of the device.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The user-side interface view is displayed.
Step 3 Run: bridge bridge-id
An interface is added to a bridge group.
A maximum of 20 interfaces can be added to a bridge group. Different types of interfaces can be added to the same bridge group. Layer 2 interfaces cannot be added to a bridge group.
----End
9.6.1.3 (Optional) Disabling a Bridge Group from Bridging Specified Protocol
Packets
Context
To allow a bridge group to forward specified protocol packets, enable the function that bridges the protocol packets on the bridge group. If a bridge group is disabled from bridging specified protocol packets, the bridge group will discard the protocol packets.
Procedure
Step 1 Run:
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
361
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration system-view
The system view is displayed.
Step 2 Run: bridge bridge-id
The bridge group view is displayed.
Step 3 Run: bridging { ip | others } disable
The bridge group is disabled from bridging specified protocol packets.
By default, a bridge group bridges all protocol packets.
----End
9.6.1.4 (Optional) Configuring a MAC Address Table for a Bridge Group
Context
By default, dynamic MAC address learning is enabled for a bridge group. When a network is insecure and vulnerable to attacks, you can disable dynamic MAC address learning and use static
MAC address entries for traffic forwarding.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: bridge bridge-id
The bridge group view is displayed.
Multiple devices can use the same bridge number.
Step 3 Run: mac-address learning disable
Dynamic MAC address learning is disabled.
By default, dynamic MAC address learning is enabled for a bridge group.
Step 4 Run: quit
Return to the system view.
Step 5 Configure a MAC address entry.
l Run: mac-address static mac-address interface-type interface-number bridge bridge-id
A static MAC address entry is configured for a bridge group.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
362
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
By default, no static MAC address entry is configured. In a bridge group, each MAC address entry can be configured as only one static entry. If the MAC address entry is configured as a static entry repeatedly, the last configuration overwrites the previous configuration.
l Run: mac-address blackhole mac-address bridge bridge-id
A blackhole MAC address entry is configured for a bridge group.
By default, no blackhole MAC address entry is configured.
l Run: mac-address aging-time seconds bridge
The aging time is configured for a dynamic MAC entry.
The configured aging time takes effect on the dynamic MAC address entries of all bridge groups.
----End
9.6.1.5 Checking the Configuration
Prerequisites
The configurations for local bridging are complete.
Procedure l Run the display bridge [ bridge-id ] information command to view information about the bridge group.
l Run the display bridge traffic [ bridge birdge-id | interface interface-type interfacenumber ] command to view the traffic statistics on a specified interface in the bridge group.
----End
9.6.2 Configuring Local Bridging Integrated with IP Routing
Configuring local bridging integrated with IP routing allows users in the same geographical location but on different network segments to communicate with each other.
9.6.2.1 Creating a Bridge Group
Context
A bridge group is a virtual group. It can forward packets only after interfaces have been added to the group.
Procedure
Step 1 Run: system-view
The system view is displayed.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
363
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
Step 2 Run: bridge bridge-id
A bridge group is created and the bridge group view is displayed.
If the bridge group specified by bridge-id exists, the bridge group view is displayed.
Multiple devices can use the same bridge number.
----End
9.6.2.2 Adding Local Interfaces to a Bridge Group
Context
A bridge group is a virtual group. It can forward packets only after interfaces have been added to the group.
As shown in Figure 9-15 , the following methods can be used to add users to a bridge group:
l Directly add users to the bridge group. User 3 uses this method.
l Use a VLAN to add users to the bridge group. Create a VLAN on a bridge and add users to the VLAN. Users then connect to the bridge group through the VLANIF interface. User
1 and User 2 use this method.
l Use Ethernet sub-interfaces to add users to the bridge group. This method is used when flows on a physical interface need to be differentiated using sub-interfaces. User 4 uses this method.
Figure 9-15 Networking diagram for adding users to bridge groups
User 3 RouterA
User 4
Sub interface
VLANIF 11
User 1 User 2
VLAN 11
Perform the following steps on the user-side interface of the device.
Procedure
Step 1 Run: system-view
The system view is displayed.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
364
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
Step 2 Run: interface interface-type interface-number
The user-side interface view is displayed.
Step 3 Run: bridge bridge-id
An interface is added to a bridge group.
A maximum of 20 interfaces can be added to a bridge group. Different types of interfaces can be added to the same bridge group. Layer 2 interfaces cannot be added to a bridge group.
----End
9.6.2.3 Enabling IP Routing for a Bridge Group
Context
IP routing enables a bridge group to bridge and route packets. If IP routing is not enabled, all protocol packets can only be bridged. After IP routing is enabled, specified protocol packets can be bridged or routed depending on the configuration.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: bridge bridge-id
The bridge group view is displayed.
Step 3 Run: routing ip
IP routing is enabled for the bridge group.
The IP routing function cannot be configured if any of member interfaces in the bridge group has an IP address. Before configuring the IP routing function, delete the IP addresses of these member interfaces.
Step 4 Run: quit
Return to the system view.
Step 5 Run: interface bridge-if bridge-id
A Bridge-if interface is created and the Bridge-if interface view is displayed.
Step 6 Run: ip address ip-address { mask | mask-length }
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
365
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
An IP address is configured for the Bridge-if interface.
Step 7 (Optional) Run: mac-address mac-address
A MAC address is configured for the Bridge-if interface.
----End
9.6.2.4 (Optional) Disabling a Bridge Group from Bridging Specified Protocol
Packets
Context
To allow a bridge group to forward specified protocol packets, enable the function that bridges the protocol packets on the bridge group. If a bridge group is disabled from bridging specified protocol packets, the bridge group will discard the protocol packets.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: bridge bridge-id
The bridge group view is displayed.
Step 3 Run: bridging { ip | others } disable
The bridge group is disabled from bridging specified protocol packets.
By default, a bridge group bridges all protocol packets.
----End
9.6.2.5 (Optional) Configuring a MAC Address Table for a Bridge Group
Context
By default, dynamic MAC address learning is enabled for a bridge group. When a network is insecure and vulnerable to attacks, you can disable dynamic MAC address learning and use static
MAC address entries for traffic forwarding.
Procedure
Step 1 Run: system-view
The system view is displayed.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
366
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
Step 2 Run: bridge bridge-id
The bridge group view is displayed.
Multiple devices can use the same bridge number.
Step 3 Run: mac-address learning disable
Dynamic MAC address learning is disabled.
By default, dynamic MAC address learning is enabled for a bridge group.
Step 4 Run: quit
Return to the system view.
Step 5 Configure a MAC address entry.
l Run: mac-address static mac-address interface-type interface-number bridge bridge-id
A static MAC address entry is configured for a bridge group.
By default, no static MAC address entry is configured. In a bridge group, each MAC address entry can be configured as only one static entry. If the MAC address entry is configured as a static entry repeatedly, the last configuration overwrites the previous configuration.
l Run: mac-address blackhole mac-address bridge bridge-id
A blackhole MAC address entry is configured for a bridge group.
By default, no blackhole MAC address entry is configured.
l Run: mac-address aging-time seconds bridge
The aging time is configured for a dynamic MAC entry.
The configured aging time takes effect on the dynamic MAC address entries of all bridge groups.
----End
9.6.2.6 Checking the Configuration
Prerequisites
The configurations for local bridging integrated with IP routing are complete.
Procedure l Run the display interface bridge-if [ bridge-id ] command to check information about the
Bridge-if interface.
l Run the display bridge [ bridge-id ] information command to check information about the remote bridge group.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
367
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration l Run the display bridge traffic [ bridge bridge-id | interface interface-type interfacenumber ] command to view the traffic statistics on a specified interface in the bridge group.
----End
9.6.3 Configuring Remote Bridging
Configuring remote bridging allows users in different geographical locations and on the same network segment to communicate with each other.
9.6.3.1 Creating a Bridge Group
Context
A bridge group is a virtual group. It can forward packets only after interfaces have been added to the group.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: bridge bridge-id
A bridge group is created and the bridge group view is displayed.
If the bridge group specified by bridge-id exists, the bridge group view is displayed.
Multiple devices can use the same bridge number.
----End
9.6.3.2 Adding a LAN-side Interface to a Bridge Group
Context
A bridge group is a virtual group. It can forward packets only after interfaces have been added to the group.
As shown in Figure 9-16 , the following methods can be used to add users to a bridge group:
l Directly add users to the bridge group. User 1 uses this method.
l Use a VLAN to add users to the bridge group. Create a VLAN on a bridge and add users to the VLAN. Users then connect to the bridge group through the VLANIF interface. User
2 and User 3 use this method.
l Use Ethernet sub-interfaces to add users to the bridge group. This method is used when flows on a physical interface need to be differentiated using sub-interfaces. User 4 uses this method.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
368
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
Figure 9-16 Networking diagram for adding users to bridge groups
User 1
User 4
RouterA
Network
RouterB
User 5
User 2 User 3
VLAN 11
Perform the following steps on the user-side interface of the device.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The user-side interface view is displayed.
Step 3 Run: bridge bridge-id
An interface is added to a bridge group.
A maximum of 20 interfaces can be added to a bridge group. Different types of interfaces can be added to the same bridge group. Layer 2 interfaces cannot be added to a bridge group.
Ethernet sub-interfaces and GE sub-interfaces configured to terminate QinQ tags do not support transparent bridging.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
369
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
9.6.3.3 Adding a WAN-side Interface to a Bridge Group
Context
Two devices can be connected using different types of intermediate links, such as Ethernet, PPP, to bridge data between different LANs.
To implement remote bridging between different LANs, add the user-side interface connecting to a LAN and the network-side interface connecting to the intermediate link to the same bridge group.
Perform the following steps on the devices at both ends of the intermediate link.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The view of the network-side interface is displayed.
Step 3 Perform the following operations depending on the type of interface: l Add an Ethernet interface to a bridge group.
1.
Run: bridge bridge-id
The Ethernet interface is added to the bridge group.
l Add a PPP interface to a bridge group.
1.
Run: link-protocol ppp
PPP is enabled on the interface.
2.
Run: bridge bridge-id
The PPP interface is added to the bridge group.
A maximum of 20 interfaces can be added to a bridge group. Different types of interfaces can be added to the same bridge group. Layer 2 interfaces cannot be added to a bridge group.
----End
9.6.3.4 (Optional) Disabling a Bridge Group from Bridging Specified Protocol
Packets
Context
To allow a bridge group to forward specified protocol packets, enable the function that bridges the protocol packets on the bridge group. If a bridge group is disabled from bridging specified protocol packets, the bridge group will discard the protocol packets.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
370
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: bridge bridge-id
The bridge group view is displayed.
Step 3 Run: bridging { ip | others } disable
The bridge group is disabled from bridging specified protocol packets.
By default, a bridge group bridges all protocol packets.
----End
9.6.3.5 (Optional) Configuring VLAN ID Transparent Transmission
Context
By default, an outbound interface of a bridge group removes the VLAN IDs of the packets to be sent out. After VLAN ID transparent transmission is configured on an outbound interface of a bridge group, the outbound interface does not remove the VLAN IDs of the packets to be sent out.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The interface view is displayed.
Step 3 Run: bridge vlan-transmit enable
VLAN ID transparent transmission is enabled.
NOTE l VLANIF interfaces do not support VLAN ID transparent transmission.
l It is not recommended to use the VLAN ID transparent transmission for sub-interfaces.
Step 4 Run: quit
Return to the system view.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
371
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
9.6.3.6 (Optional) Configuring a MAC Address Table for a Bridge Group
Context
By default, dynamic MAC address learning is enabled for a bridge group. When a network is insecure and vulnerable to attacks, you can disable dynamic MAC address learning and use static
MAC address entries for traffic forwarding.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: bridge bridge-id
The bridge group view is displayed.
Multiple devices can use the same bridge number.
Step 3 Run: mac-address learning disable
Dynamic MAC address learning is disabled.
By default, dynamic MAC address learning is enabled for a bridge group.
Step 4 Run: quit
Return to the system view.
Step 5 Configure a MAC address entry.
l Run: mac-address static mac-address interface-type interface-number bridge bridge-id
A static MAC address entry is configured for a bridge group.
By default, no static MAC address entry is configured. In a bridge group, each MAC address entry can be configured as only one static entry. If the MAC address entry is configured as a static entry repeatedly, the last configuration overwrites the previous configuration.
l Run: mac-address blackhole mac-address bridge bridge-id
A blackhole MAC address entry is configured for a bridge group.
By default, no blackhole MAC address entry is configured.
l Run: mac-address aging-time seconds bridge
The aging time is configured for a dynamic MAC entry.
The configured aging time takes effect on the dynamic MAC address entries of all bridge groups.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
372
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
9.6.3.7 Checking the Configuration
Prerequisites
The configurations for remote bridging are complete.
Procedure l Run the display bridge [ bridge-id ] information command to view information about the bridge group.
l Run the display bridge traffic [ bridge bridge-id | interface interface-type interfacenumber ] command to view the traffic statistics on a specified interface in the bridge group.
----End
9.6.4 Configuring Remote Bridging Integrated with IP Routing
Configuring remote bridging integrated with IP routing allows users in different geographical locations and on different network segments to communicate with each other.
9.6.4.1 Creating a Bridge Group
Context
A bridge group is a virtual group. It can forward packets only after interfaces have been added to the group.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: bridge bridge-id
A bridge group is created and the bridge group view is displayed.
If the bridge group specified by bridge-id exists, the bridge group view is displayed.
Multiple devices can use the same bridge number.
----End
9.6.4.2 Adding a LAN-side Interface to a Bridge Group
Context
A bridge group is a virtual group. It can forward packets only after interfaces have been added to the group.
As shown in Figure 9-17 , the following methods can be used to add users to a bridge group:
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
373
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration l Directly add users to the bridge group. User 1 uses this method.
l Use a VLAN to add users to the bridge group. Create a VLAN on a bridge and add users to the VLAN. Users then connect to the bridge group through the VLANIF interface. User
2 and User 3 use this method.
l Use Ethernet sub-interfaces to add users to the bridge group. This method is used when flows on a physical interface need to be differentiated using sub-interfaces. User 4 uses this method.
Figure 9-17 Networking diagram for adding users to bridge groups
User 1
User 4
RouterA
Network
RouterB
User 2 User 3
VLAN 11
Perform the following steps on the user-side interface of the device.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The user-side interface view is displayed.
Step 3 Run: bridge bridge-id
An interface is added to a bridge group.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
User 5
374
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
A maximum of 20 interfaces can be added to a bridge group. Different types of interfaces can be added to the same bridge group. Layer 2 interfaces cannot be added to a bridge group.
Ethernet sub-interfaces and GE sub-interfaces configured to terminate QinQ tags do not support transparent bridging.
----End
9.6.4.3 Adding a WAN-side Interface to a Bridge Group
Context
Two devices can be connected using different types of intermediate links, such as Ethernet, PPP, to bridge data between different LANs.
To implement remote bridging between different LANs, add the user-side interface connecting to a LAN and the network-side interface connecting to the intermediate link to the same bridge group.
Perform the following steps on the devices at both ends of the intermediate link.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The view of the network-side interface is displayed.
Step 3 Perform the following operations depending on the type of interface: l Add an Ethernet interface to a bridge group.
1.
Run: bridge bridge-id
The Ethernet interface is added to the bridge group.
l Add a PPP interface to a bridge group.
1.
Run: link-protocol ppp
PPP is enabled on the interface.
2.
Run: bridge bridge-id
The PPP interface is added to the bridge group.
A maximum of 20 interfaces can be added to a bridge group. Different types of interfaces can be added to the same bridge group. Layer 2 interfaces cannot be added to a bridge group.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
375
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
9.6.4.4 Enabling IP Routing for a Bridge Group
Context
9 Transparent Bridging Configuration
IP routing enables a bridge group to bridge and route packets. If IP routing is not enabled, all protocol packets can only be bridged. After IP routing is enabled, specified protocol packets can be bridged or routed depending on the configuration.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: bridge bridge-id
The bridge group view is displayed.
Step 3 Run: routing ip
IP routing is enabled for the bridge group.
The IP routing function cannot be configured if any of member interfaces in the bridge group has an IP address. Before configuring the IP routing function, delete the IP addresses of these member interfaces.
Step 4 Run: quit
Return to the system view.
Step 5 Run: interface bridge-if bridge-id
A Bridge-if interface is created and the Bridge-if interface view is displayed.
Step 6 Run: ip address ip-address { mask | mask-length }
An IP address is configured for the Bridge-if interface.
Step 7 (Optional) Run: mac-address mac-address
A MAC address is configured for the Bridge-if interface.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
376
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
9.6.4.5 (Optional) Disabling a Bridge Group from Bridging Specified Protocol
Packets
Context
To allow a bridge group to forward specified protocol packets, enable the function that bridges the protocol packets on the bridge group. If a bridge group is disabled from bridging specified protocol packets, the bridge group will discard the protocol packets.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: bridge bridge-id
The bridge group view is displayed.
Step 3 Run: bridging { ip | others } disable
The bridge group is disabled from bridging specified protocol packets.
By default, a bridge group bridges all protocol packets.
----End
9.6.4.6 (Optional) Configuring a MAC Address Table for a Bridge Group
Context
By default, dynamic MAC address learning is enabled for a bridge group. When a network is insecure and vulnerable to attacks, you can disable dynamic MAC address learning and use static
MAC address entries for traffic forwarding.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: bridge bridge-id
The bridge group view is displayed.
Multiple devices can use the same bridge number.
Step 3 Run: mac-address learning disable
Dynamic MAC address learning is disabled.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
377
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
By default, dynamic MAC address learning is enabled for a bridge group.
Step 4 Run: quit
Return to the system view.
Step 5 Configure a MAC address entry.
l Run: mac-address static mac-address interface-type interface-number bridge bridge-id
A static MAC address entry is configured for a bridge group.
By default, no static MAC address entry is configured. In a bridge group, each MAC address entry can be configured as only one static entry. If the MAC address entry is configured as a static entry repeatedly, the last configuration overwrites the previous configuration.
l Run: mac-address blackhole mac-address bridge bridge-id
A blackhole MAC address entry is configured for a bridge group.
By default, no blackhole MAC address entry is configured.
l Run: mac-address aging-time seconds bridge
The aging time is configured for a dynamic MAC entry.
The configured aging time takes effect on the dynamic MAC address entries of all bridge groups.
----End
9.6.4.7 Checking the Configuration
Prerequisites
The configurations for remote bridging integrated with IP routing are complete.
Procedure l Run the display interface bridge-if [ bridge-id ] command to check information about the
Bridge-if interface.
l Run the display bridge [ bridge-id ] information command to check information about the remote bridge group.
l Run the display bridge traffic [ bridge bridge-id | interface interface-type interfacenumber ] command to view the traffic statistics on the bridge group.
----End
9.7 Maintaining Transparent Bridging
This section describes how to clear traffic statistics on a bridge group to help locate faults in the bridge group.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
378
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
9.7.1 Monitoring the Operation of Bridge Groups
Context
During routine maintenance, you can run the following commands in any view to monitor the operation of bridge groups.
Procedure l Run the display bridge traffic [ bridge bridge-id | interface interface-type interfacenumber ] command in any view to check whether the traffic statistics on a bridge group have been cleared.
l Run the display bridge [ bridge-id ] information command in any view to check information about a bridge group.
l Run the display interface bridge-if [ bridge-id ] command in any view to check information about the Bridge-if interface of a specified bridge group, including the protocol status, interface description, and IP address.
l Run the display mac-address [ mac-address | blackhole | static | dynamic ] [ bridge bridge-id ] [ verbose ] command in any view to check the static, dynamic, or blackhole
MAC address entry of a specified bridge group.
l Run the display mac-address [ mac-address | interface-type interface-number ] bridge bridge-id [ verbose ] command or display mac-address { static | dynamic } [ interfacetype interface-number ] bridge bridge-id verbose command in any view to check the static or dynamic MAC address entry of a specified bridge group and interface.
----End
9.7.2 Clearing the Traffic Statistics of a Bridge Group
Context
Before collecting traffic statistics on a bridge group, clear the previous statistics.
NOTICE
The traffic statistics cannot be restored after being cleared.
Procedure l Run the reset bridge bridge-id statistics command in the user view to clear the traffic statistics of a bridge group.
----End
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
379
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
9.7.3 Clearing the Traffic Statistics on the Bridge-if Interface of a
Bridge Group
Context
To locate faults in a bridge group, you can clear the traffic statistics on the Bridge-if interface.
NOTICE
The traffic statistics cannot be restored after being cleared.
Procedure l Run the reset counters interface bridge-if [ bridge-id ] command in the user view to clear the traffic statistics on the Bridge-if interface of the bridge group.
----End
9.8 Configuration Example
This section describes the typical application scenarios of transparent bridging and provides configuration roadmaps.
9.8.1 Example for Configuring Local Bridging
Configuring local bridging allows the communication between the LANs on the same network segment and in the same geographical location.
Networking Requirements
An enterprise has multiple departments located in the same office building but on different floors.
As business expands for the enterprise, data communication is required between terminals within the same department, and between some departments. To keep information secure, information in some departments needs to be isolated from that in the other departments. Users that require communication with each other need to be added to the same bridge group so that they can communicate with each other and are isolated from other departments.
As shown in Figure 9-18 , User 1 and User 2 belong to the same department, and both of them
are added to VLAN 11. User 4 and User 3 belong to the different departments. User 1, User 2, and User 3 need to communicate with each other. After bridge groups are created on RouterA, departments in the same bridge group can communicate with each other and those in different bridge groups are isolated from each other.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
380
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
Figure 9-18 Networking diagram of local bridging configuration
Eth2/0/2
RouterA
Eth3/0/0
Eth2/0/1
Eth4/0/0
User 1 User 2
10.1.1.1/24 10.1.1.2/24
VLAN 11
User 3
10.1.1.3/24
User 4
10.1.1.4/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
Add User 1 and User 2 to VLAN 11 and then add them to bridge group 1 on VLANIF 11.
Add User 3 to bridge group 1. This allows communication between User 1, User 2, and
User 3.
2.
Add User 4 to bridge group 2 to isolate User 4 from User 1, User 2, and User 3.
Configuration Procedure
1.
Create bridge group 1.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] bridge 1
[RouterA-bridge1] quit
2.
Add Eth2/0/1 and Eth2/0/2 to VLAN 11.
[RouterA] vlan 11
[RouterA-vlan11] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type access
[RouterA-Ethernet2/0/1] port default vlan 11
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] port link-type access
[RouterA-Ethernet2/0/2] port default vlan 11
[RouterA-Ethernet2/0/2] quit
3.
Add VLANIF 11 and Eth4/0/0 to bridge group 1.
[RouterA] interface ethernet 4/0/0
[RouterA-Ethernet4/0/0] bridge 1
[RouterA-Ethernet4/0/0] quit
[RouterA] interface vlanif 11
[RouterA-Vlanif11] bridge 1
[RouterA-Vlanif11] quit
4.
Create bridge group 2.
[RouterA] bridge 2
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
381
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
[RouterA-bridge2] quit
5.
Add Eth3/0/0 to bridge group 2.
[RouterA] interface ethernet 3/0/0
[RouterA-Ethernet3/0/0] bridge 2
[RouterA-Ethernet3/0/0] quit
6.
Verify the configuration.
# Run the display bridge information command to view the configuration of the bridge groups.
[RouterA] display bridge information
Bridge 1 :
Status : Undo Shutdown
Bridging : IP, Others
Routing : -
MAC learning : Enable
interface :total 2 interface(s) in the bridge
Ethernet4/0/0 : Up
Vlanif11 : Up
Bridge 2 :
Status : Undo Shutdown
Bridging : IP, Others
Routing : -
MAC learning : Enable
interface :total 1 interface(s) in the bridge
Ethernet3/0/0 : Up
# After the preceding configuration is complete, User 1, User 2, and User 3 can ping each other, User 3 cannot ping User 4.
Configuration Files
Configuration file of RouterA
#
sysname RouterA
# vlan batch 11
# bridge 1 bridge 2
# interface Vlanif11
bridge 1
# interface Ethernet2/0/1
port link-type access
port default vlan 11
# interface Ethernet2/0/2
port link-type access
port default vlan 11
# interface Ethernet4/0/0
bridge 1
# interface Ethernet3/0/0
bridge 2
# return
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
382
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
9.8.2 Example for Configuring Local Bridging with IP Routing
Configuring local bridging and IP routing allows LANs on different network segments to communicate with each other.
Networking Requirements
Departments of Enterprise A need to communicate with each other and with local Enterprise B.
Departments of Enterprise A belong to the LANs on the same network segment and can be bridged, but Enterprise B belongs to a LAN on a different network segment. As a result, linklayer bridging cannot be used to communicate between Enterprise A and Enterprise B.
In this scenario, local bridging integrated with IP routing offers a viable solution.
As shown in Figure 9-19 , bridge groups are configured on local bridging, and interfaces are
added to different bridge groups. After Bridge-if interfaces are created and assigned IP addresses, and the IP routing function is enabled, the two hosts of Enterprise A can communicate with the hosts of Enterprises B.
Figure 9-19 Networking diagram of local bridging integrated with IP routing
Eth2/0/1
Eth2/0/2
Bridge-if
RouterA
Eth3/0/0
User 1 User 2
10.1.1.1/24 10.1.1.2/24
Enterprise A
User 3
10.1.3.3/24
Enterprise B
Configuration Roadmap
The configuration roadmap is as follows:
1.
Create a bridge group on RouterA.
2.
Add Eth2/0/1 and Eth2/0/2 on Router A to the created bridge group to allow the two hosts of Enterprise A to communicate with each other.
3.
Create a Bridge-if interface and enable IP routing for the bridge group on RouterA to allow
Enterprise A to communicate with Enterprise B.
Configuration Procedure l Configure the IP routing function.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
383
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
1.
Configure RouterA.
# Create bridge group 1 and enable local bridging and IP routing for the bridge group.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] bridge 1
[RouterA-bridge1] routing ip
[RouterA-bridge1] quit
# Add Eth2/0/1 and Eth2/0/2 to VLAN 11.
[RouterA] vlan 11
[RouterA-vlan11] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type access
[RouterA-Ethernet2/0/1] port default vlan 11
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] port link-type access
[RouterA-Ethernet2/0/2] port default vlan 11
[RouterA-Ethernet2/0/2] quit
#Add VLANIF 11 to bridge group 1.
[RouterA] interface vlanif 11
[RouterA-Vlanif11] bridge 1
[RouterA-Vlanif11] quit
# Configure an IP address for Ethernet3/0/0 on RouterA.
[RouterA] interface ethernet 3/0/0
[RouterA-Ethernet3/0/0] undo portswitch
[RouterA-Ethernet3/0/0] ip address 10.1.3.1 255.255.255.0
[RouterA-Ethernet3/0/0] quit
# Create Bridge-if interface 1 and configure an IP address for it.
[RouterA] interface bridge-if 1
[RouterA-Bridge-if1] ip address 10.1.1.3 255.255.255.0
[RouterA-Bridge-if1] quit
2.
Verify the configuration.
# After the preceding configurations are complete, User 1 and User 3 can ping each other.
Configuration Files
Configuration file of RouterA
Issue 01 (2014-11-30)
#
sysname RouterA
# vlan batch 11
# bridge 1
routing ip
# interface Vlanif11
bridge 1
# interface Ethernet2/0/1
port link-type access
port default vlan 11
# interface Ethernet2/0/2
port link-type access
port default vlan 11
#
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
384
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration interface Ethernet3/0/0 undo portswitch
ip address 10.1.3.1 255.255.255.0
# interface Bridge-if1
ip address 10.1.1.3 255.255.255.0
# return
9.8.3 Example for Configuring Remote Bridging
Configuring remote bridging allows LANs on the same network segment but in different geographical locations to communicate with each other.
Networking Requirements
An enterprise has multiple departments in different locations. As business expands for the enterprise, data communication is required between terminals within the same department and between other departments located in different geological areas.
As shown in Figure 9-20 , intermediate links are used to connect RouterA and RouterB, which
are located in different locations. Users 1 to 4 are on the same network segment. User 3 and User
4 are in a different location than User 1 and User 2. Configuring remote bridging allows User 1 and User 2 to communicate with User 3 and User 4.
Figure 9-20 Networking diagram of remote bridging
RouterA
Eth2/0/1 Serial3/0/0 Serial3/0/0
RouterB
Eth2/0/1
Eth2/0/2
Eth2/0/2
User 1
10.1.1.1/24
User 2
10.1.1.2/24
User 3
10.1.1.3/24
User 4
10.1.1.4/24
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure bridge groups on RouterA and RouterB.
2.
Add User 1 and User 2 to VLAN 11 on RouterA, and add User 3 and User 4 to VLAN 11 on RouterB so that users can communicate with each other.
3.
Add VLANIF 11 and Serial3/0/0 to bridge group 1 on RouterA and add VLANIF 11 and
Serial3/0/0 to bridge group 1 on RouterB. Enable remote bridging.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
385
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
Configuration Procedure
1.
Configure RouterA.
# Create bridge group 1.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] bridge 1
[RouterA-bridge1] quit
# Add Eth2/0/2 and Eth2/0/1 to VLAN 11 to allow the communication between User 1 and
User 2.
[RouterA] vlan 11
[RouterA-vlan11] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] port link-type access
[RouterA-Ethernet2/0/2] port default vlan 11
[RouterA-Ethernet2/0/2] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type access
[RouterA-Ethernet2/0/1] port default vlan 11
[RouterA-Ethernet2/0/1] quit
#Add VLANIF 11 to bridge group 1.
[RouterA] interface vlanif 11
[RouterA-Vlanif11] bridge 1
[RouterA-Vlanif11] quit
# Add Serial3/0/0 to bridge group 1.
[RouterA] interface serial 3/0/0
[RouterA-Serial3/0/0] link-protocol ppp
[RouterA-Serial3/0/0] bridge 1
[RouterA-Serial3/0/0] quit
2.
Configure RouterB.
# Create bridge group 1.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] bridge 1
[RouterB-bridge1] quit
# Add Eth2/0/2 and Eth2/0/1 to VLAN 11 to allow the communication between User 3 and
User 4.
[RouterB] vlan 11
[RouterB-vlan11] quit
[RouterB] interface ethernet 2/0/2
[RouterB-Ethernet2/0/2] port link-type access
[RouterB-Ethernet2/0/2] port default vlan 11
[RouterB-Ethernet2/0/2] quit
[RouterB] interface ethernet 2/0/1
[RouterB-Ethernet2/0/1] port link-type access
[RouterB-Ethernet2/0/1] port default vlan 11
[RouterB-Ethernet2/0/1] quit
#Add VLANIF 11 to bridge group 1.
[RouterB] interface vlanif 11
[RouterB-Vlanif11] bridge 1
[RouterB-Vlanif11] quit
# Add Serial3/0/0 to bridge group 1.
[RouterB] interface serial 3/0/0
[RouterB-Serial3/0/0] link-protocol ppp
[RouterB-Serial3/0/0] bridge 1
[RouterB-Serial3/0/0] quit
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
386
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
3.
Verify the configuration.
# After the preceding configurations are complete, User 1, User 2, User 3, and User 4 can ping each other.
Configuration Files
Configuration file of RouterA
#
sysname RouterA
# vlan batch 11
# bridge 1
# interface Vlanif11
bridge 1
# interface Ethernet2/0/1
port link-type access
port default vlan 11
# interface Ethernet2/0/2
port link-type access
port default vlan 11
# interface Serial3/0/0
bridge 1
link-protocol ppp
# return
Configuration file of RouterB
#
sysname RouterB
# vlan batch 11
# bridge 1
# interface Vlanif11
bridge 1
# interface Ethernet2/0/1
port link-type access
port default vlan 11
# interface Ethernet2/0/2
port link-type access
port default vlan 11
# interface Serial3/0/0
bridge 1
link-protocol ppp
# return
9.8.4 Example for Configuring Remote Bridging with IP Routing
Configuring remote bridging with IP routing allows LANs in different geographical locations and on different network segments to communicate.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
387
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
Networking Requirements
Departments of Enterprise A need to communicate with other and with Enterprises C (in a different geographical location).
Departments of Enterprise A belong to the LANs on the same network segment and can be bridged, but Enterprise C belongs to a different network segment. As a result, link-layer bridging cannot be used to communicate between Enterprise A and Enterprise C.
In this scenario, local bridging integrated with IP routing offers a viable solution.
As shown in Figure 9-21 , bridge groups are configured on local bridging, and interfaces are
added to different bridge groups. After Bridge-if interfaces are created and assigned IP addresses, and the IP routing function is enabled, the two hosts of Enterprise A can communicate with the hosts of Enterprises C.
Figure 9-21 Networking diagram of remote bridging integrated with IP routing
Eth2/0/1
Eth2/0/2
Bridge-if
RouterA
Eth3/0/0
Network
RouterB
Eth3/0/0
Eth2/0/0
User 1 User 2
10.1.1.1/24 10.1.1.2/24
Enterprise A
User 4
10.1.2.4/24
Enterprise C
Configuration Roadmap
The configuration roadmap is as follows:
1.
Configure bridge groups on RouterA and RouterB.
2.
Add Ethernet 2/0/1 and Ethernet 2/0/2 on Router A to a bridge group so that the two hosts of Enterprise A can communicate with each other.
3.
Add Ethernet3/0/0 to another bridge group on Router A, and add Ethernet 3/0/0 to the bridge group on Router B.
4.
Create Bridge-if interfaces and enable the IP routing function for the bridge groups on
Router A and Router B. This allows Enterprise A and Enterprise C to communicate with each other.
Configuration Procedure l Configure the IP routing function.
1.
Configure RouterA.
# Create bridge group 1 and bridge group, then enable the IP routing function for the bridge groups.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
388
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA] bridge 1
[RouterA-bridge1] routing ip
[RouterA-bridge1] quit
[RouterA] bridge 2
[RouterA-bridge2] routing ip
[RouterA-bridge2] quit
# Add Eth2/0/1 and Eth2/0/2 to VLAN 11 to allow the communication between User
1 and User 2.
[RouterA] vlan 11
[RouterA-vlan11] quit
[RouterA] interface ethernet 2/0/1
[RouterA-Ethernet2/0/1] port link-type access
[RouterA-Ethernet2/0/1] port default vlan 11
[RouterA-Ethernet2/0/1] quit
[RouterA] interface ethernet 2/0/2
[RouterA-Ethernet2/0/2] port link-type access
[RouterA-Ethernet2/0/2] port default vlan 11
[RouterA-Ethernet2/0/2] quit
#Add VLANIF 11 to bridge group 1.
[RouterA] interface vlanif 11
[RouterA-Vlanif11] bridge 1
[RouterA-Vlanif11] quit
# Add Ethernet3/0/0 on Router A to bridge group 2.
[RouterA] interface ethernet 3/0/0
[RouterA-Ethernet3/0/0] bridge 2
[RouterA-Ethernet3/0/0] quit
# Create Bridge-if interface 1 for bridge group 1 and Bridge-if interface 2 for bridge group 2, and then configure IP addresses for the two Bridge-if interfaces.
[RouterA] interface bridge-if 1
[RouterA-Bridge-if1] ip address 10.1.1.3 255.255.255.0
[RouterA-Bridge-if1] quit
[RouterA] interface bridge-if 2
[RouterA-Bridge-if2] ip address 10.1.2.3 255.255.255.0
[RouterA-Bridge-if2] quit
2.
Configure RouterB.
# Create bridge group 2 and enable the IP routing function for the bridge groups.
<Huawei> system-view
[Huawei] sysname RouterB
[RouterB] bridge 2
[RouterB-bridge2] routing ip
[RouterB-bridge2] quit
# Add Ethernet2/0/0 to VLAN11.
[RouterB] vlan 11
[RouterB-vlan11] quit
[RouterB] interface ethernet 2/0/0
[RouterB-Ethernet2/0/0] port link-type access
[RouterB-Ethernet2/0/0] port default vlan 11
[RouterB-Ethernet2/0/0] quit
#Add VLANIF 11 to bridge group 2.
[RouterB] interface vlanif 11
[RouterB-Vlanif11] bridge 2
[RouterB-Vlanif11] quit
# Add Ethernet3/0/0 on Router B to bridge group 2.
[RouterB] interface ethernet 3/0/0
[RouterB-Ethernet3/0/0] bridge 2
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
389
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
[RouterB-Ethernet3/0/0] quit
3.
Verify the configuration.
# After the preceding configuration is complete, User 1 and User 4 can successfully ping each other.
Configuration Files
Configuration file of RouterA
#
sysname RouterA
# vlan batch 11
# bridge 1
routing ip bridge 2
routing ip
# interface Vlanif11
bridge 1
# interface Ethernet2/0/1
port link-type access
port default vlan 11
# interface Ethernet2/0/2
port link-type access
port default vlan 11
# interface Bridge-if1
ip address 10.1.1.3 255.255.255.0
# interface Bridge-if2
ip address 10.1.2.3 255.255.255.0
# interface Ethernet3/0/0
bridge 2
# return
Configuration file of RouterB
Issue 01 (2014-11-30)
#
sysname RouterB
# vlan batch 11
# bridge 2
routing ip
# interface Vlanif11
bridge 2
# interface Ethernet2/0/0
port link-type access
port default vlan 11
# interface Ethernet3/0/0
bridge 2
# return
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
390
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
9.8.5 Example for Configuring Remote Bridging with VLAN ID
Transparent Transmission
Remote bridging with VLAN ID transparent transmission allows the devices in the same VLAN but different in locations to communicate with each other.
Networking Requirements
An enterprise has multiple departments in different locations. To allow the communication between departments in different locations, remote bridging can be used. To allow users in the same department (the same VLAN) to communicate with each other, while isolating users in different departments (different VLANs), VLAN ID transparent transmission must be enabled.
, User 1, User 2, User 3, and User 4 are on the same network segment.
User 1 and User 3 belong to a VLAN; User 2 and User 4 belong to the other VLAN. To allow users in the same VLAN to communicate with each other and isolate users in different VLANs, remote bridging and VLAN ID transparent transmission can be enabled. In this manner, User 1 can only communicate with User 3, and User 2 can only communicate with User 4.
Figure 9-22 Networking diagram for remote bridging
RouterA RouterB
Eth2/0/0
Eth1/0/0
Eth1/0/1
Eth1/0/3
Eth1/0/2
Switch 1
Eth2/0/0
Eth1/0/0
Eth1/0/1
Eth1/0/3
Eth1/0/2
Switch 2
User 1 User 2
10.1.1.1/24 10.1.1.2/24
VLAN 11 VLAN 12
User 3 User 4
10.1.1.3/24 10.1.1.4/24
VLAN 11 VLAN 12
Configuration Roadmap
The configuration roadmap is as follows: l On Switch 1 and Switch 2:
1.
Create VLANs.
2.
Add interfaces to the VLANs.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
391
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
9 Transparent Bridging Configuration
3.
Configure interfaces to allow the packets from VLAN 11 and VLAN 12 to pass through.
l On Router A and Router B:
1.
Configure bridge groups.
2.
Add WAN interfaces Ethernet1/0/0 and Ethernet2/0/0 to the same bridge group.
3.
Enable VLAN ID transparent transmission on user-side interfaces and network-side interfaces to allow users in the same VLAN to communicate with each other and isolate users in different VLANs.
Configuration Procedure
1.
Configure Router A.
# Create bridge group 1.
<Huawei> system-view
[Huawei] sysname RouterA
[RouterA-bridge1] bridge 1
[RouterA-bridge1] undo shutdown
[RouterA-bridge1] quit
# Add Ethernet1/0/0 and Ethernet2/0/0 to bridge group 1, and enable VLAN ID transparent transmission on the two interfaces.
[RouterA] interface ethernet 1/0/0
[RouterA-Ethernet1/0/0] bridge 1
[RouterA-Ethernet1/0/0] bridge vlan-transmit enable
[RouterA-Ethernet1/0/0] quit
[RouterA] interface ethernet 2/0/0
[RouterA-Ethernet2/0/0] bridge 1
[RouterA-Ethernet2/0/0] bridge vlan-transmit enable
[RouterA-Ethernet2/0/0] quit
2.
Configure Switch 1.
# Create VLANs.
<Huawei> system-view
[Huawei] sysname Switch1
[Switch1] vlan 11
[Switch1-vlan11] quit
[Switch1] vlan 12
[Switch1-vlan12] quit
# Add Ethernet1/0/1 to VLAN 11 and Ethernet1/0/2 to VLAN 12.
[Switch1] interface ethernet 1/0/1
[Switch1-Ethernet1/0/1] port link-type access
[Switch1-Ethernet1/0/1] port default vlan 11
[Switch1-Ethernet1/0/1] quit
[Switch1] interface ethernet 1/0/2
[Switch1-Ethernet1/0/2] port link-type access
[Switch1-Ethernet1/0/2] port default vlan 12
[Switch1-Ethernet1/0/2] quit
# Configure Ethernet 1/0/3 to allow the packets from VLAN 11 and VLAN 12 to pass through.
[Switch1] interface ethernet 1/0/3
[Switch1-Ethernet1/0/3] port link-type trunk
[Switch1-Ethernet1/0/3] port trunk allow-pass vlan 11 to 12
[Switch1-Ethernet1/0/3] quit
3.
Configure Router B.
# Create bridge group 2.
<Huawei> system-view
Issue 01 (2014-11-30) 392
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 9 Transparent Bridging Configuration
[Huawei] sysname RouterB
[RouterB-bridge2] bridge 2
[RouterB-bridge2] quit
# Add Ethernet1/0/0 and Ethernet2/0/0 to bridge group 2, and enable VLAN ID transparent transmission on the two interfaces.
[RouterB] interface ethernet 1/0/0
[RouterB-Ethernet1/0/0] bridge 2
[RouterB-Ethernet1/0/0] bridge vlan-transmit enable
[RouterB-Ethernet1/0/0] quit
[RouterB] interface ethernet 2/0/0
[RouterB-Ethernet2/0/0] bridge 2
[RouterB-Ethernet2/0/0] bridge vlan-transmit enable
[RouterB-Ethernet2/0/0] quit
4.
Configure Switch 2.
# Create VLANs.
<Huawei> system-view
[Huawei] sysname Switch2
[Switch2] vlan 11
[Switch2-vlan11] quit
[Switch2] vlan 12
[Switch2-vlan12] quit
# Add Ethernet1/0/1 to VLAN 11 and Ethernet1/0/2 to VLAN 12.
[Switch2] interface ethernet 1/0/1
[Switch2-Ethernet1/0/1] port link-type access
[Switch2-Ethernet1/0/1] port default vlan 11
[Switch2-Ethernet1/0/1] quit
[Switch2] interface ethernet 1/0/2
[Switch2-Ethernet1/0/2] port link-type access
[Switch2-Ethernet1/0/2] port default vlan 12
[Switch2-Ethernet1/0/2] quit
# Configure Ethernet1/0/3 to allow the packets from VLAN 11 and VLAN 12 to pass through.
[Switch2] interface ethernet 1/0/3
[Switch2-Ethernet1/0/3] port link-type trunk
[Switch2-Ethernet1/0/3] port trunk allow-pass vlan 11 to 12
[Switch2-Ethernet1/0/3] quit
5.
Verify the configuration.
After the preceding configurations are complete, User 1 and User 3 can ping each other;
User 2 and User 4 can ping each other.
Configuration Files
Configuration file of Router A
Issue 01 (2014-11-30)
#
sysname RouterA
# vlan batch 11 to 12
# bridge 1
# interface Ethernet1/0/0
bridge 1
bridge vlan-transmit enable
# interface Ethernet2/0/0
bridge 1
bridge vlan-transmit enable
Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
393
Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching
# return
Configuration file of Router B
#
sysname RouterB
# vlan batch 11 to 12
# bridge 2
# interface Ethernet1/0/0
bridge 2
bridge vlan-transmit enable
# interface Ethernet2/0/0
bridge 2
bridge vlan-transmit enable
# return
Configuration file of Switch 1
#
sysname Switch1
# vlan batch 11 to 12
# interface Ethernet1/0/1
port link-type access
port default vlan 11
# interface Ethernet1/0/2
port link-type access
port default vlan 12
# interface Ethernet1/0/3
port link-type trunk
port trunk allow-pass vlan 11 to 12
# return
Configuration file of Switch 2
#
sysname Switch2
# vlan batch 11 to 12
#
# interface Ethernet1/0/1
port link-type access
port default vlan 11
# interface Ethernet1/0/2
port link-type access
port default vlan 12
# interface Ethernet1/0/3
port link-type trunk
port trunk allow-pass vlan 11 to 12
# return
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
9 Transparent Bridging Configuration
394
advertisement
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Related manuals
advertisement