Huawei AR530&AR550 Series Industrial Switch Routers
Configuration Guide - Ethernet Switching 1 MAC Address Table Configuration
- Run the display mac-address static command to check static MAC address entries.
- Run the display mac-address dynamic command to check dynamic MAC address entries.
- Run the display mac-address blackhole command to check blackhole MAC address entries.
- Run the display mac-address aging-time command to check the aging time of dynamic MAC address entries.
- Run the display mac-address summary command to check statistics on all the MAC address entries.
- Run the display mac-address total-number command to check the number of MAC address entries.
- Run the display mac-limit command to check the limit of the number of learned MAC addresses.
----End
1.6.2 Configuring Port Security
The port security function changes MAC addresses learned on an interface into secure MAC addresses (including secure dynamic MAC addresses and sticky MAC addresses). Only hosts using secure MAC addresses or static MAC addresses can communicate with the device through the interface. This function enhances security of the device.
Pre-configuration Tasks
Before configuring port security on an interface, complete the following tasks:
- Disabling MAC address limiting on the interface
- Disabling MAC address authentication on the interface
- Disabling 802.1x authentication on the interface
- Disabling MAC address security for DHCP snooping on the interface
1.6.2.1 Configuring the Secure MAC Function on an Interface
Context
If a network requires high access security, you can configure port security on specified interfaces. MAC addresses learned by these interfaces change to secure dynamic MAC addresses or sticky MAC addresses. When the number of learned MAC addresses reaches the limit, the interface does not learn new MAC addresses and allows only the devices with the learned MAC addresses to communicate with the industrial switch router. This prevents devices with untrusted MAC addresses from accessing these interfaces, improving security of the industrial switch router and the network.
By default, secure dynamic MAC addresses will not be aged out. You can set the aging time for secure dynamic MAC addresses so that they can be aged out. Secure dynamic MAC addresses are lost after the device restarts and the device needs to learn the MAC addresses again.
Issue 01 (2014-11-30) Huawei Proprietary and Confidential
Copyright © Huawei Technologies Co., Ltd.
Procedure
Step 1 Run: system-view
The system view is displayed.
Step 2 Run: interface interface-type interface-number
The interface view is displayed.
Step 3 Run: port-security enable
Port security is enabled.
By default, port security is disabled on an interface.
Step 4 (Optional) Run: port-security max-mac-num max-number
The limit on the number of secure dynamic MAC addresses is set.
By default, the limit on the number of secure dynamic MAC addresses is 1.
Step 5 (Optional) Run: port-security protect-action { protect | restrict | shutdown }
The protection action is configured.
The default action is restrict.
The protection actions are as follows:
- protect: discards packets with new source MAC addresses when the number of learned MAC addresses reaches the limit.
- restrict: discards packets with new source MAC addresses and sends an alarm when the number of learned MAC addresses exceeds the limit.
- shutdown: sets the interface status to error down and sends an alarm when the number of learned MAC addresses exceeds the limit.
By default, an interface cannot automatically restore to Up state after it is shut down. To restore the interface, run the undo shutdown command on the interface in sequence.
Alternatively, run the restart command on the interface to restart the interface.
Step 6 (Optional) Run: port-security aging-time time
The aging time of secure dynamic MAC addresses is set.
By default, secure dynamic MAC addresses will not be aged out.
----End
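The following Python check is an added example, not part of the Huawei guide: it reads a saved configuration, fills in the defaults the procedure states (port security disabled, limit 1, action restrict, no aging), and reports interfaces that need attention. The sample configuration and interface names are constructed, and the `mac-limit`, `dot1x` and `mac-authen` prefixes used to detect unmet pre-configuration tasks are assumed spellings that the page does not give.

```python
import re

# Defaults stated in the procedure: disabled, limit 1, restrict, no aging.
DEFAULTS = {"enabled": False, "max_mac_num": 1, "protect_action": "restrict", "aging_time": None}
# Assumed prefixes of features the pre-configuration tasks say must be off (not from the page).
CONFLICTS = ("mac-limit", "dot1x", "mac-authen")

# Constructed sample of a saved configuration (interface names are made up).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0/1
 port-security enable
 port-security max-mac-num 2
 port-security protect-action shutdown
 port-security aging-time 30
#
interface GigabitEthernet0/0/2
 port-security enable
#
interface GigabitEthernet0/0/3
 port-security enable
 mac-limit maximum 10
#
interface GigabitEthernet0/0/4
"""

def parse_port_security(config):
    """Map each interface to its effective settings, defaults filled in."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = ports.setdefault(line.split(None, 1)[1], dict(DEFAULTS, conflicts=[]))
        elif not raw.startswith(" "):
            current = None  # "#" or any top-level line leaves the interface view
        elif current is not None:
            if line == "port-security enable":
                current["enabled"] = True
            elif m := re.fullmatch(r"port-security (max-mac-num|aging-time) (\d+)", line):
                current[m.group(1).replace("-", "_")] = int(m.group(2))
            elif m := re.fullmatch(r"port-security protect-action (protect|restrict|shutdown)", line):
                current["protect_action"] = m.group(1)
            elif line.startswith(CONFLICTS):
                current["conflicts"].append(line)
    return ports

def audit(config):
    """Return (interface, finding) pairs for ports that need attention."""
    findings = []
    for name, p in parse_port_security(config).items():
        if not p["enabled"]:
            findings.append((name, "port security not enabled (the default)"))
            continue
        if p["conflicts"]:
            findings.append((name, "pre-configuration task not met: " + "; ".join(p["conflicts"])))
        if p["protect_action"] == "protect":
            findings.append((name, "protect discards without an alarm"))
        if p["aging_time"] is None:
            findings.append((name, "secure dynamic MACs never age out"))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` returns one finding each for GigabitEthernet0/0/2 and 0/0/4, two for 0/0/3, and none for 0/0/1.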