HP 6600/HSR6600 Routers
Layer 2 - LAN Switching Configuration Guide

Part number: 5998-1501
Software version:
A6602-CMW520-R3303P05
A6600-CMW520-R3303P05-RPE
A6600-CMW520-R3303P05-RSE
HSR6602_MCP-CMW520-R3303P05
Document version: 6PW105-20140507
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Configuring the MAC address table

This book covers only the unicast MAC address table. For information about configuring static multicast MAC address table entries, see IP Multicast Configuration Guide. For information about MAC address table configuration in VPLS, see MPLS Configuration Guide.

The MAC address table configuration tasks can be performed in any order.

The MAC address table is available only on SAP modules that are operating in bridge mode.
Manually configuring MAC address entries

With dynamic MAC address learning, a device does not distinguish between illegitimate and legitimate frames. For example, when a hacker sends frames with a forged source MAC address to a port different from the one to which the real MAC address is connected, the device creates an entry for the forged MAC address, and forwards frames destined for the legitimate user to the hacker instead.
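The behavior described above, and the effect of the static entry used in this guide's configuration example, as a small model. This is an added example, not code from the guide or the device software; the second port name, the frame sequence and the event names are constructed, and the model assumes that source learning never overwrites a static entry.

```python
"""Toy model of a unicast MAC address table: dynamic learning vs. a static entry."""

HOST_A = "000f-e235-dc71"            # Host A's MAC address, from the guide's example
REAL_PORT = "GigabitEthernet4/0/1"   # port Host A is attached to in the guide
OTHER_PORT = "GigabitEthernet4/0/2"  # constructed: any other port in VLAN 1


class MacTable:
    """MAC address table keyed by (VLAN, MAC)."""

    def __init__(self):
        self.entries = {}  # (vlan, mac) -> (state, port)
        self.events = []   # observations worth alerting on (hypothetical names)

    def add_static(self, mac, vlan, port):
        """Manually configured entry; learning never replaces it (assumption)."""
        self.entries[(vlan, mac)] = ("static", port)

    def learn(self, mac, vlan, port):
        """Source-MAC learning for a frame received on `port`."""
        state, known = self.entries.get((vlan, mac), (None, None))
        if state == "static":
            # The binding stays put; a mismatch is only recorded.
            if known != port:
                self.events.append(("static-mismatch", mac, vlan, known, port))
            return
        if state == "dynamic" and known != port:
            # A dynamic entry silently follows the most recent ingress port.
            self.events.append(("move", mac, vlan, known, port))
        self.entries[(vlan, mac)] = ("dynamic", port)

    def egress(self, mac, vlan):
        """Port used for frames destined to `mac`, or None (flood in the VLAN)."""
        entry = self.entries.get((vlan, mac))
        return entry[1] if entry else None


def run_scenario(use_static_entry):
    """Replay two frames claiming Host A's MAC; return (egress port, event names)."""
    table = MacTable()
    if use_static_entry:
        table.add_static(HOST_A, 1, REAL_PORT)
    # Constructed frame sequence: (source MAC, VLAN, ingress port)
    frames = [
        (HOST_A, 1, REAL_PORT),   # genuine frame from Host A
        (HOST_A, 1, OTHER_PORT),  # same source MAC seen on a different port
    ]
    for src, vlan, port in frames:
        table.learn(src, vlan, port)
    return table.egress(HOST_A, 1), [event[0] for event in table.events]


if __name__ == "__main__":
    for static in (False, True):
        print("static entry:", static, "->", run_scenario(static))
```

With only dynamic learning, traffic for Host A follows the last port that claimed its address; with the static entry, the binding to GigabitEthernet 4/0/1 holds and the mismatch is left as an event to review.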
Adding or modifying a static or dynamic MAC address table entry in interface view

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Layer 2 Ethernet or aggregate interface view.
   Command: interface interface-type interface-number
   Remarks: N/A
3. Add or modify a static or dynamic MAC address entry.
   Command: mac-address { dynamic | static } mac-address vlan vlan-id
   Remarks: By default, no MAC address entry is configured. Make sure you have created the VLAN and assigned the interface to the VLAN.
Disabling MAC address learning on ports

You can disable MAC address learning on a single port, or on all ports in a port group.

To disable MAC address learning on an interface or a port group:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view or port group view.
   Command:
   • Enter Layer 2 Ethernet or
   • Enter port group view:
   Remarks: Use either command. Settings in interface view take effect only on the current interface.
2. Configure the aging timer for dynamic MAC address entries.
   Command: mac-address timer { aging seconds | no-aging }
   Remarks: Optional. The default aging timer for dynamic MAC address entries is 300 seconds. The no-aging keyword disables the aging timer.

You can reduce floods on a stable network by disabling the aging timer to prevent dynamic entries from unnecessarily aging out.
Task: Display MAC address statistics.
   Command: display mac-address statistics [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.

MAC address table configuration example

Network requirements

As shown in Figure 1:
• The MAC address of Host A is 000f-e235-dc71 and belongs to VLAN 1. It is connected to GigabitEthernet 4/0/1 of the device. To prevent MAC address spoofing, add a static entry for the host in the MAC address table of the device.
000f-e235-dc71  1        Config static  GigabitEthernet4/0/1  NOAGED

---  1 mac address(es) found  ---

# Display information about the destination blackhole MAC address table.
[Router] display mac-address blackhole
MAC ADDR        VLAN ID  STATE          PORT INDEX            AGING STATE
000f-e235-abcd  1        Blackhole      N/A                   NOAGED

---  1 mac address(es) found  ---

# View the aging time of dynamic MAC address entries.
Configuring MAC Information

The MAC Information feature is available only on SAP modules that are operating in bridge mode.

The MAC Information feature can generate syslog messages or SNMP traps when MAC address entries are learned or deleted. You can use these messages to monitor users leaving or joining the network and to look for suspicious users.

The MAC Information feature buffers the MAC change syslog messages or SNMP traps in a queue and sends them to the information center regularly.
2. Configure MAC Information mode.
   Command: mac-address information mode { syslog | trap }
   Remarks: Optional. The default setting is trap.

Configuring the interval for sending syslog or trap messages

To prevent syslog or trap messages from being sent too frequently, change the interval for sending syslog or trap messages.

To set the interval for sending syslog or trap messages:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2.
Figure 2 Network diagram (Router with ports GE4/0/1, GE4/0/2 and GE4/0/3; Host A, Host B and Server; addresses 192.168.1.1/24, 192.168.1.2/24 and 192.168.1.3/24)

Configuration procedure

1. Configure Router to send syslog messages to Host B (see Network Management and Monitoring Configuration Guide).
2. Enable MAC Information.
# Enable MAC Information globally.
system-view
[Router] mac-address information enable
# Configure MAC Information mode as syslog.
Configuring Ethernet link aggregation

Layer 2 aggregation groups are supported only on SAP modules operating in bridge mode.

Overview

Ethernet link aggregation, or simply link aggregation, combines multiple physical Ethernet ports into one logical link called an "aggregate link." Link aggregation delivers the following benefits:
• Increases bandwidth beyond the limits of any single link. In an aggregate link, traffic is distributed across the member ports.
• Improves link reliability.
You can assign Layer 2 Ethernet interfaces only to a Layer 2 aggregation group, and Layer 3 Ethernet interfaces only to a Layer 3 aggregation group.

Aggregation states of member ports in an aggregation group

A member port in an aggregation group can be in either of the following aggregation states:
• Selected—A Selected port can forward user traffic.
• Unselected—An Unselected port cannot forward user traffic.
Reference port

When setting the aggregation state of the ports in an aggregation group, the system automatically picks a member port as the reference port. A Selected port must have the same port attributes and class-two configurations as the reference port.

For information about how a reference port is chosen in a static link aggregation group, see "Choosing a reference port" in the section "Aggregating links in static mode.
Table 3 LACP priorities

Type: System LACP priority
   Description: Used by two peer devices (or systems) to determine which one is superior in link aggregation. In dynamic link aggregation, the system with higher system LACP priority sets the Selected state of member ports on its side first, and then the system with lower priority sets the port state accordingly.
Type: Port aggregation priority
   Description: Determines the likelihood of a member port to be selected on a system.
Figure 4 Setting the aggregation state of a member port in a static aggregation group

Flowchart decision points, in order:
• Is there any hardware restriction?
• Is the port up?
• Port attribute/class 2 configurations same as the reference port?
• More candidate ports than max.
Figure 5 Setting the state of a member port in a dynamic aggregation group

Meanwhile, the system with the higher system ID, which has identified the aggregation state changes on the remote system, sets the aggregation state of local member ports to the same as their peer ports.
Load-sharing criteria for link aggregation groups

In a link aggregation group, traffic can be load-shared across the selected member ports based on a set of criteria, depending on your configuration.

You can choose one or any combination of the following criteria for load sharing:
• Source/Destination MAC addresses
• Source/Destination IP addresses

Alternatively, you can configure the system to perform per-packet load sharing.
Configuring an aggregation group

You can choose to create a Layer 2 or Layer 3 link aggregation group depending on the ports to be aggregated:
• To aggregate Layer 2 Ethernet interfaces, create a Layer 2 link aggregation group.
• To aggregate Layer 3 Ethernet interfaces, create a Layer 3 link aggregation group.

Configuration guidelines

• You cannot assign a port to a Layer 2 aggregation group if any of the features listed in Table 4 is configured on the port.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Create a Layer 2 aggregate interface and enter Layer 2 aggregate interface view.
   Command: interface bridge-aggregation interface-number
   Remarks: When you create a Layer 2 aggregate interface, the system automatically creates a Layer 2 static aggregation group numbered the same.
3. Exit to system view.
   Command: quit
   Remarks: N/A
4. Assign a Layer 2 Ethernet interface to the aggregation group.
   Command:
   a. interface interface-type interface-number
   b.
5. Assign the port an aggregation priority.
   Command: link-aggregation port-priority port-priority
   Remarks: Optional. By default, the aggregation priority of a port is 32768. When the number of ports eligible for becoming Selected ports exceeds the maximum number of Selected ports allowed in a static aggregation group, changing the aggregation priority of a port might affect the aggregation state of the ports in the static aggregation group.
7. Assign the port an aggregation priority.
   Remarks: Optional. By default, the aggregation priority of a port is 32768.
8. Set the LACP timeout interval on the port to the short timeout interval (1 second).
7. Assign the port an aggregation priority.
   Remarks: Optional. By default, the aggregation priority of a port is 32768. When the number of ports eligible for becoming Selected ports exceeds the maximum number of Selected ports allowed in a dynamic aggregation group, changing the aggregation priority of a port might affect the aggregation state of ports in the dynamic aggregation group.
8. Set the LACP timeout interval on the port to the short timeout interval (1 second).
Configuring the MTU of a Layer 3 aggregate interface or subinterface

IMPORTANT: To guarantee data transmission, make sure the MTU of a Layer 3 aggregate interface is not greater than the maximum MTU of its member ports.

The MTU of an interface affects IP packet fragmentation and reassembly on the interface.

To change the MTU of a Layer 3 aggregate interface or subinterface:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter Layer 3 aggregate interface or subinterface view.
3. Specify a card to process and forward traffic for the interface.
   Command: service slot slot-number
   Remarks: By default, traffic on a Layer 3 aggregate interface whose member ports are located on the same card is processed and forwarded by the card that houses the member ports, and traffic on a Layer 3 aggregate interface whose member ports are located on different cards is processed and forwarded by the card that houses the first selected member port.
3. Set the expected bandwidth for the aggregate interface.
   Command: bandwidth bandwidth-value
   Remarks: N/A

Shutting down an aggregate interface

Shutting down or bringing up an aggregate interface affects the aggregation state and link state of aggregated member ports in the following ways:
• When an aggregate interface is shut down, all Selected member ports become unselected and their link state becomes down.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the global link-aggregation load-sharing criteria.
   Command: link-aggregation load-sharing mode { { destination-ip | destination-mac | source-ip | source-mac } * | per-packet }
   Remarks: The default settings are source and destination MAC addresses for Layer 2 traffic and source and destination IP addresses for Layer 3 traffic. Global link-aggregation load sharing criteria configuration applies to all aggregation groups.
Task: Display information about aggregate interfaces.
   Command:
   display interface [ bridge-aggregation | route-aggregation ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
   display interface { bridge-aggregation | route-aggregation } interface-number [ brief [ description ] ] [ | { begin | exclude | include } regular-expression ]
   Remarks: Available in any view.
Task: Display the local system ID.
Figure 6 Network diagram

Configuration procedure

1. Configure Router A:
# Create VLAN 10, and assign port GigabitEthernet 4/0/4 to VLAN 10.
system-view
[RouterA] vlan 10
[RouterA-vlan10] port GigabitEthernet 4/0/4
[RouterA-vlan10] quit
# Create VLAN 20, and assign port GigabitEthernet 4/0/5 to VLAN 20.
[RouterA] vlan 20
[RouterA-vlan20] port GigabitEthernet 4/0/5
[RouterA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1.
Configuring GigabitEthernet4/0/2... Done.
Configuring GigabitEthernet4/0/3... Done.
[RouterA-Bridge-Aggregation1] quit
# Configure Router A to use the source and destination MAC addresses of packets as the global link-aggregation load-sharing criteria.
[RouterA] link-aggregation load-sharing mode source-mac destination-mac
2. Configure Router B in the same way Router A is configured. (Details not shown.)
3.
Figure 7 Network diagram

Configuration procedure

1. Configure Router A:
# Create VLAN 10, and assign the port GigabitEthernet 4/0/4 to VLAN 10.
system-view
[RouterA] vlan 10
[RouterA-vlan10] port GigabitEthernet 4/0/4
[RouterA-vlan10] quit
# Create VLAN 20, and assign the port GigabitEthernet 4/0/5 to VLAN 20.
Configuring GigabitEthernet4/0/1... Done.
Configuring GigabitEthernet4/0/2... Done.
Configuring GigabitEthernet4/0/3... Done.
[RouterA-Bridge-Aggregation1] quit
# Configure the device to use the source and destination MAC addresses of packets as the global link-aggregation load-sharing criteria.
[RouterA] link-aggregation load-sharing mode source-mac destination-mac
2. Configure Router B in the same way Router A is configured. (Details not shown.)
3.
Figure 8 Network diagram

Configuration procedure

1. Configure Router A:
# Create VLAN 10, and assign the port GigabitEthernet 4/0/5 to VLAN 10.
system-view
[RouterA] vlan 10
[RouterA-vlan10] port GigabitEthernet 4/0/5
[RouterA-vlan10] quit
# Create VLAN 20, and assign the port GigabitEthernet 4/0/6 to VLAN 20.
[RouterA-Bridge-Aggregation1] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 2, and configure the load sharing criterion for the link aggregation group as the destination MAC addresses of packets.
[RouterA] interface bridge-aggregation 2
[RouterA-Bridge-Aggregation2] link-aggregation load-sharing mode destination-mac
[RouterA-Bridge-Aggregation2] quit
# Assign ports GigabitEthernet 4/0/3 and GigabitEthernet 4/0/4 to link aggregation group 2.
destination-mac address

The output shows that the load sharing criterion for link aggregation group 1 is the source MAC addresses of packets and that for link aggregation group 2 is the destination MAC addresses of packets.

Layer 3 static aggregation configuration example

Network requirements

As shown in Figure 9:
• Configure a Layer 3 static aggregation group on Router A and Router B respectively and configure IP addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.
[RouterA] display link-aggregation summary

Aggregation Interface Type:
BAGG -- Bridge-Aggregation, RAGG -- Route-Aggregation
Aggregation Mode: S -- Static, D -- Dynamic
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Actor System ID: 0x8000, 000f-e2ff-0001

AGG         AGG    Partner ID          Select  Unselect  Share
Interface   Mode                       Ports   Ports     Type
-------------------------------------------------------------------------------
RAGG1       S      none                3       0         Shar

The output shows that link aggregation group 1 is
# Assign Layer 3 Ethernet interfaces GigabitEthernet 4/0/1 through GigabitEthernet 4/0/3 to aggregation group 1.
Figure 11 Network diagram (Router A and Router B, each with ports GE4/0/1 through GE4/0/4; Link aggregation 1 between RAGG1 192.168.1.1/24 and RAGG1 192.168.1.2/24; Link aggregation 2 between RAGG2 192.168.2.1/24 and RAGG2 192.168.2.2/24)

Configuration procedure

1. Configure Router A:
# Create Layer 3 aggregate interface Route-Aggregation 1, configure it to perform load sharing based on source IP address, and configure an IP address and subnet mask for the aggregate interface.
BAGG -- Bridge-Aggregation, RAGG -- Route-Aggregation
Aggregation Mode: S -- Static, D -- Dynamic
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Actor System ID: 0x8000, 000f-e2ff-0001

AGG         AGG    Partner ID          Select  Unselect  Share
Interface   Mode                       Ports   Ports     Type
-------------------------------------------------------------------------------
RAGG1       S      none                2       0         Shar
RAGG2       S      none                2       0         Shar

The output shows that link aggregation groups 1 and 2 are both load-shared Layer 3 static agg
Configuring port isolation

The port isolation feature is supported on SAP cards that are operating in bridge mode.

Overview

Port isolation enables isolating Layer 2 traffic for data privacy and security without using VLANs. You can also use this feature to isolate the hosts in a VLAN from one another.

The device supports only one isolation group that is created automatically by the system as isolation group 1.
Port isolation configuration example

Network requirements

As shown in Figure 12, GigabitEthernet 3/0/1, GigabitEthernet 3/0/2, GigabitEthernet 3/0/3, and GigabitEthernet 3/0/4 are in the same VLAN. Configure the router to provide Internet access for LAN users Host A, Host B, and Host C, and isolate them from one another at Layer 2.

Figure 12 Network diagram

Configuration procedure

# Assign ports GigabitEthernet 3/0/1, GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 to the isolation group.
Configuring spanning tree protocols

This feature is supported on SAP modules that are operating in bridge mode.

As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network, putting them in a standby state, which still allows for link redundancy.

The recent versions of STP include the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP).

STP

STP was developed based on the 802.
Basic concepts in STP

Root bridge

A tree network must have a root bridge. The entire network contains only one root bridge. All the other bridges in the network are called "leaf nodes." The root bridge is not permanent, but can change when the network topology changes.

Upon initialization of a network, each device generates and periodically sends configuration BPDUs with itself as the root bridge.
STP algorithm

The spanning tree calculation process described in the following sections is a simplified process for example only.

Calculation process

The STP algorithm uses the following calculation process:
1. State initialization.
   Upon initialization of a device, each port generates a BPDU with the device as the designated port, the device as the root bridge, 0 as the root path cost, and the device ID as the designated bridge ID.
2. Root bridge selection.
Table 7 Selecting the optimum configuration BPDU

Step 1
   Actions: Upon receiving a configuration BPDU on a port, the device compares the priority of the received configuration BPDU with that of the configuration BPDU generated by the port, and:
   • If the former priority is lower, the device discards the received configuration BPDU and keeps the configuration BPDU that the port generated.
Table 8 Initial state of each device

Device     Port name   Configuration BPDU on the port
Device A   Port A1     {0, 0, 0, Port A1}
Device A   Port A2     {0, 0, 0, Port A2}
Device B   Port B1     {1, 0, 1, Port B1}
Device B   Port B2     {1, 0, 1, Port B2}
Device C   Port C1     {2, 0, 2, Port C1}
Device C   Port C2     {2, 0, 2, Port C2}

2. BPDU comparison on each device.
   In Table 9, each configuration BPDU contains the following fields: root bridge ID, root path cost, designated bridge ID, and designated port ID.
Table columns: Device, Comparison process, Configuration BPDU on ports after comparison

• Port C1 receives the configuration BPDU of Port A2 {0, 0, 0, Port A2}, finds that the received configuration BPDU is superior to its existing configuration BPDU {2, 0, 2, Port C1}, and updates its configuration BPDU.
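The comparison process above, carried through to the final port roles, as an added example that is not code from the guide. Bridge IDs come from Table 8 and the Port A2 to Port C1 link from the comparison text; the remaining wiring and all three path costs are assumptions made for this example, and the calculation is the simplified one the section describes.

```python
"""Simplified STP calculation over the four-field configuration BPDU."""
from collections import namedtuple

# Field order follows the guide; at each field the lower value is superior.
BPDU = namedtuple("BPDU", "root_id root_cost bridge_id port_id")

# Bridge IDs from Table 8 (Device A = 0, Device B = 1, Device C = 2).
BRIDGES = {"A": 0, "B": 1, "C": 2}
# (port, port, path cost). Assumed: only the A2-C1 link is stated on the page;
# the other wiring and all costs are constructed for this example.
LINKS = [("A1", "B1", 5), ("A2", "C1", 10), ("B2", "C2", 4)]


def superior(a, b):
    """True if configuration BPDU a has higher priority than b."""
    return tuple(a) < tuple(b)


def compute_spanning_tree(bridges=BRIDGES, links=LINKS, max_rounds=20):
    """Return (roles, bpdus): role and final configuration BPDU per port."""
    peer, cost = {}, {}
    for p, q, c in links:
        peer[p], peer[q] = q, p
        cost[p] = cost[q] = c
    ports = {d: sorted(p for p in peer if p[0] == d) for d in bridges}

    # State initialization: every port claims its own device as root, cost 0.
    bpdus = {p: BPDU(bridges[d], 0, bridges[d], "Port " + p)
             for d in ports for p in ports[d]}
    roles = {}

    for _ in range(max_rounds):
        new_bpdus, new_roles = {}, {}
        for d, bid in bridges.items():
            # Root bridge and root port selection: start from the device's own
            # claim and keep the best received BPDU, adding the cost of the
            # receiving port to the root path cost.
            best, root_port = (bid, 0, bid, ""), None
            for p in ports[d]:
                rx = bpdus[peer[p]]
                cand = (rx.root_id, rx.root_cost + cost[p],
                        rx.bridge_id, rx.port_id)
                if cand < best:
                    best, root_port = cand, p
            # Designated port BPDU calculated for each port, then compared
            # with what the neighbor on that link advertises.
            for p in ports[d]:
                mine = BPDU(best[0], best[1], bid, "Port " + p)
                new_bpdus[p] = mine
                if p == root_port:
                    new_roles[p] = "root"
                elif superior(mine, bpdus[peer[p]]):
                    new_roles[p] = "designated"
                else:
                    new_roles[p] = "blocked"
        if new_bpdus == bpdus and new_roles == roles:
            break  # topology is stable
        bpdus, roles = new_bpdus, new_roles
    return roles, bpdus


if __name__ == "__main__":
    final_roles, final_bpdus = compute_spanning_tree()
    for port in sorted(final_roles):
        print(port, final_roles[port], tuple(final_bpdus[port]))
```

Because the lowest bridge ID always wins the first field of the comparison, any bridge that advertises a superior BPDU changes every other device's root port, which is the behavior root guard and BPDU guard are there to constrain.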
Figure 15 The final calculated spanning tree (devices A, B and C; legend: root bridge, root port, designated port, blocked port, normal link, blocked link)

The configuration BPDU forwarding mechanism of STP

The configuration BPDUs of STP are forwarded according to these guidelines:
• Upon network initiation, every device regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular hello interval.
RSTP

RSTP achieves rapid network convergence by allowing a newly elected root port or designated port to enter the forwarding state much faster than STP.

A newly elected RSTP root port rapidly enters the forwarding state if the old root port on the device has stopped forwarding data and the upstream designated port has started forwarding data.
Figure 16 Basic concepts in MSTP (MST region 1 through MST region 4 connected by the CST; in each region VLANs are shown against MSTI 1, MSTI 2 and MSTI 0)

Figure 17 Network diagram and topology of MST region 3 (Device A through Device D in MST region 3, with links to MST region 2 and MST region 4; topologies of MSTI 1, MSTI 2 and MSTI 0; regional root)
• Same VLAN-to-instance mapping configuration.
• Same MSTP revision level.
• Physically linked together.

Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST region. In Figure 16, the switched network comprises MST region 1 through MST region 4, and all devices in each MST region have the same MST region configuration.

MSTI

MSTP can generate multiple independent spanning trees in an MST region, and each spanning tree is mapped to specific VLANs.
Port roles

A port can play different roles in different MSTIs. As shown in Figure 18, an MST region comprises Device A, Device B, Device C, and Device D. Port A1 and port A2 of Device A connect to the common root bridge. Port B2 and Port B3 of Device B form a loop. Port C3 and Port C4 of Device C connect to other MST regions. Port D3 of Device D directly connects to a host.
• Forwarding—The port receives and sends BPDUs, learns MAC addresses, and forwards user traffic.
• Learning—The port receives and sends BPDUs, learns MAC addresses, but does not forward user traffic. Learning is an intermediate port state.
• Discarding—The port receives and sends BPDUs, but does not learn MAC addresses or forward user traffic.

When in different MSTIs, a port can be in different states. A port state is not exclusively associated with a port role.
• Root bridge hold
• Root bridge backup
• Root guard
• BPDU guard
• Loop guard
• TC-BPDU guard
• Support for hot swapping of interface cards and active/standby changeover

Protocols and standards

• IEEE 802.1d, Media Access Control (MAC) Bridges
• IEEE 802.1w, Part 3: Media Access Control (MAC) Bridges—Amendment 2: Rapid Reconfiguration
• IEEE 802.
STP configuration task list

Configuring the root bridge:
• Setting the spanning tree mode: Required. Configure the device to operate in STP mode.
• Configuring the root bridge or a secondary root bridge: Optional.
• Configuring the device priority: Optional.
• Configuring the network diameter of a switched network: Optional.
• Configuring spanning tree timers: Optional.
• Configuring the timeout factor: Optional.
• Configuring the maximum port rate: Optional.
Task: Remarks
• Configuring the root bridge or a secondary root bridge: Optional.
• Configuring the device priority: Optional.
• Configuring the network diameter of a switched network: Optional.
• Configuring spanning tree timers: Optional.
• Configuring the timeout factor: Optional.
• Configuring the maximum port rate: Optional.
• Configuring edge ports: Optional.
• Configuring the port link type: Optional.
• Configuring the mode a port uses to recognize and send MSTP packets: Optional.
Task: Remarks
• Configuring an MST region: Required.
• Configuring the root bridge or a secondary root bridge: Optional.
• Configuring the device priority: Optional.
• Configuring the maximum hops of an MST region: Optional.
• Configuring the network diameter of a switched network: Optional.
• Configuring spanning tree timers: Optional.
• Configuring the timeout factor: Optional.
• Configuring the maximum port rate: Optional.
• Configuring edge ports: Optional.
• Configuring the port link type: Optional.
Setting the spanning tree mode

The spanning tree modes include the following:
• STP mode—All ports of the device send STP BPDUs. Select this mode when the peer device of a port supports only STP.
• RSTP mode—All ports of the device send RSTP BPDUs. When an RSTP port receives STP BPDUs from a peer device, it automatically transits to STP mode. When an RSTP port receives MSTP BPDUs from a peer device, it stays in RSTP mode.
• MSTP mode—All ports of the device send MSTP BPDUs.
6. Display the MST region configurations that are not activated yet.
   Command: check region-configuration
   Remarks: Optional.
7. Activate MST region configuration manually.
   Command: active region-configuration
   Remarks: N/A
8. Display the activated configuration information of the MST region.
   Command: display stp region-configuration [ | { begin | exclude | include } regular-expression ]
   Remarks: Optional. Available in any view.
2. Configure the current device as the root bridge.
   Command:
   • In STP/RSTP mode: stp root primary
   • In MSTP mode: stp [ instance instance-id ] root primary
   Remarks: Use one of the commands. By default, a device does not function as the root bridge.

Configuring the current device as a secondary root bridge of a specific spanning tree

To configure the current device as a secondary root bridge of a specific spanning tree:

1. Enter system view.
2.
Configuration BPDUs sent by the regional root bridge always have a hop count set to the maximum value. When a device receives this configuration BPDU, it decrements the hop count by 1 and uses the new hop count in BPDUs that it propagates. When the hop count of a BPDU reaches 0, it is discarded by the device that received it. This prevents devices beyond the reach of the maximum hop from participating in spanning tree calculation, so the size of the MST region is limited.
calculation process starts. The max age timer does not take effect on MSTIs other than MSTI 0 (or the CIST).

To prevent network instability, make sure that the timer settings meet the following formulas:
• 2 × (forward delay – 1 second) ≥ max age
• Max age ≥ 2 × (hello time + 1 second)

HP recommends not manually setting the spanning tree timers. Instead, HP recommends specifying the network diameter and using the automatically calculated timers based on the network diameter.
After the network topology stabilizes, each non-root-bridge device forwards configuration BPDUs to downstream devices at the interval of hello time to determine whether any link is faulty. If a device does not receive a BPDU from the upstream device within nine times the hello time (the default timeout factor × 3), it assumes that the upstream device has failed and starts a new spanning tree calculation process.
Configuration restrictions and guidelines

• If BPDU guard is disabled, a port set as an edge port will become a non-edge port again if it receives a BPDU from another port. To restore the edge port, re-enable it.
• If a port directly connects to a user terminal, configure it as an edge port and enable BPDU guard for it. This enables the port to transit to the forwarding state quickly while ensuring network security.
• You cannot configure edge port settings and loop guard on a port at the same time.
Table 11 shows a comparison between link speeds and path costs for each of these standards.

Table 11 Mappings between the link speed and the path cost

Columns: Link speed, Port type, Path cost (IEEE 802.1d-1998, IEEE 802.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Specify a standard for the device to use when it calculates the default path costs of its ports.
   Command: stp pathcost-standard { dot1d-1998 | dot1t | legacy }
   Remarks: Optional. The default standard used by the device is legacy.

Configuring path costs of ports

When the path cost of a port changes, the system re-calculates the role of the port and initiates a state transition.

To configure the path cost of ports:

1. Enter system view.
To configure the priority of a port or a group of ports:

1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view or port group view.
   Command:
   • Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: Use one of the commands.
3. Configure the port priority.
   Command:
   • In STP/RSTP mode:
Configuring the mode a port uses to recognize and send MSTP packets A port can receive and send MSTP packets in the following formats: • dot1s—802.1s-compliant standard format • legacy—Compatible format By default, the packet format recognition mode of a port is auto. The port automatically distinguishes the two MSTP packet formats, and determines the format of packets that it will send based on the recognized format. You can configure the MSTP packet format on a port.
Step 2. Enable outputting port state transition information.
  Command:
  • In STP/RSTP mode: stp port-log instance 0
  • In MSTP mode: stp port-log instance { instance-id | all }
  Remarks: Use one of the commands. By default, this feature is disabled.
Enabling the spanning tree feature
You must enable the spanning tree feature for the device before any other spanning tree related configurations can take effect.
To forcibly transit the port to operate in the original mode, you can perform an mCheck operation. An mCheck operation takes effect on a device that operates in MSTP or RSTP mode. The following methods for performing mCheck produce the same result.
Performing mCheck globally
Step 1. Enter system view.
  Command: system-view
Step 2. Perform mCheck.
  Command: stp mcheck
Performing mCheck in interface view
Step 1. Enter system view.
  Command: system-view
2.
Configuration restrictions and guidelines • With the digest snooping feature enabled, in-the-same-region verification does not need comparison of configuration digest, so the VLAN-to-instance mappings must be the same on associated ports.
Figure 19 Network diagram
Configuration procedure
# Enable digest snooping on GigabitEthernet 4/0/1 of Router A and enable global digest snooping on Router A.
system-view
[RouterA] interface GigabitEthernet 4/0/1
[RouterA-GigabitEthernet4/0/1] stp config-digest-snooping
[RouterA-GigabitEthernet4/0/1] quit
[RouterA] stp config-digest-snooping
# Enable digest snooping on GigabitEthernet 4/0/1 of Router B and enable global digest snooping on Router B.
Figure 20 Rapid state transition of an MSTP designated port Figure 21 Rapid state transition of an RSTP designated port If the upstream device is a third-party device, the rapid state transition implementation might be limited.
To configure No Agreement Check:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface or port group view.
  Command:
  • Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
  • Enter port group view: port-group manual port-group-name
  Remarks: Use one of the commands.
Step 3. Enable No Agreement Check.
  Command: stp no-agreement-check
  Remarks: By default, No Agreement Check is disabled.
Enabling BPDU guard
For access layer devices, access ports can directly connect to user terminals (such as PCs) or file servers. Access ports are configured as edge ports to allow rapid transition. When these ports receive configuration BPDUs, the system automatically sets the ports as non-edge ports and starts a new spanning tree calculation process. This causes a change of network topology. Under normal conditions, these ports should not receive configuration BPDUs.
Step 2. Enter interface view or port group view.
  Command:
  • Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
  • Enter port group view: port-group manual port-group-name
  Remarks: Use one of the commands.
Step 3. Enable the root guard function for the ports.
  Command: stp root-protection
  Remarks: By default, root guard is disabled.
With the TC-BPDU guard function, you can set the maximum number of immediate forwarding address entry flushes that the device can perform within a specified period of time (10 seconds). For TC-BPDUs received in excess of the limit, the device performs a forwarding address entry flush when the time period expires. This prevents frequent flushing of forwarding address entries. HP recommends not disabling this feature.
To enable TC-BPDU guard:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
2.
MSTP configuration example Network requirements As shown in Figure 23: • All devices on the network are in the same MST region. Router A and Router B work at the distribution layer. Router C and Router D work at the access layer.
[RouterA-mst-region] instance 1 vlan 10
[RouterA-mst-region] instance 3 vlan 30
[RouterA-mst-region] instance 4 vlan 40
[RouterA-mst-region] revision-level 0
# Activate MST region configuration.
[RouterA-mst-region] active region-configuration
[RouterA-mst-region] quit
# Specify the current device as the root bridge of MSTI 1.
[RouterA] stp instance 1 root primary
# Enable the spanning tree feature globally.
[RouterA] stp enable
3.
[RouterC] stp enable
5. Configure Router D:
# Enter MST region view, and configure the MST region name as example. Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively. Configure the revision level of the MST region as 0.
0 GigabitEthernet4/0/1 DESI FORWARDING NONE
0 GigabitEthernet4/0/2 ROOT FORWARDING NONE
0 GigabitEthernet4/0/3 DESI FORWARDING NONE
1 GigabitEthernet4/0/1 ROOT FORWARDING NONE
1 GigabitEthernet4/0/2 ALTE DISCARDING NONE
4 GigabitEthernet4/0/3 DESI FORWARDING NONE
# Display brief spanning tree information on Router D.
Configuring BPDU tunneling
BPDU tunneling is supported on SAP modules that are operating in bridge mode.
Overview
As a Layer 2 tunneling technology, BPDU tunneling enables Layer 2 protocol packets from geographically dispersed customer networks to be transparently transmitted over specific tunnels across a service provider network.
Background
Dedicated lines are used in a service provider network to build user-specific Layer 2 networks.
• CDP
• DLDP
• EOAM
• GVRP
• HGMP
• LACP
• LLDP
• PAGP
• PVST
• STP
• UDLD
• VTP
BPDU tunneling implementation
The BPDU tunneling implementations for different protocols are all similar. This section uses the Spanning Tree Protocol (STP) to describe how to implement BPDU tunneling. This document uses the term STP in a broad sense. It includes STP, RSTP, and MSTP. STP calculates the topology of a network by transmitting BPDUs among devices in the network.
Figure 26 BPDU tunneling implementation The upper section of Figure 26 represents the service provider network (ISP network). The lower section, including User A network 1 and User A network 2, represents the customer networks. Enabling BPDU tunneling on edge devices (PE 1 and PE 2) in the service provider network allows BPDUs of User A network 1 and User A network 2 to be transparently transmitted through the service provider network.
Enabling BPDU tunneling Configuration guidelines • You can enable BPDU tunneling for different protocols in different views. Settings made in Layer 2 Ethernet interface view or Layer 2 aggregate interface view take effect only on the current port. Settings made in port group view take effect on all ports in the port group. • Before you enable BPDU tunneling for DLDP, EOAM, GVRP, HGMP, LLDP, or STP on a port, disable the protocol on the port.
Configuring destination multicast MAC address for BPDUs
By default, the destination multicast MAC address for BPDUs is 0x010F-E200-0003. You can change it to 0x0100-0CCD-CDD0, 0x0100-0CCD-CDD1, or 0x0100-0CCD-CDD2.
To configure destination multicast MAC address for BPDUs:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure the destination multicast MAC address for BPDUs.
  Command: bpdu-tunnel tunnel-dmac mac-address
  Remarks: Optional. The default setting is 0x010F-E200-0003.
Configuration procedure
1. Configure PE 1:
# Configure the destination multicast MAC address for BPDUs as 0x0100-0CCD-CDD0.
system-view
[PE1] bpdu-tunnel tunnel-dmac 0100-0ccd-cdd0
# Create VLAN 2 and assign GigabitEthernet 3/0/1 to VLAN 2.
[PE1] vlan 2
[PE1-vlan2] quit
[PE1] interface GigabitEthernet 3/0/1
[PE1-GigabitEthernet3/0/1] port access vlan 2
# Disable STP on GigabitEthernet 3/0/1, and then enable BPDU tunneling for STP on it.
Figure 28 Network diagram
Configuration procedure
1. Configure PE 1:
# Configure the destination multicast MAC address for BPDUs as 0x0100-0CCD-CDD0.
system-view
[PE1] bpdu-tunnel tunnel-dmac 0100-0ccd-cdd0
# Configure GigabitEthernet 3/0/1 as a trunk port and assign it to all VLANs.
Configuring VLANs The VLAN feature is supported on SAP modules that are operating in bridge mode. Overview Ethernet is a shared-media network based on the CSMA/CD mechanism. A LAN built by using Ethernet is both a collision domain and a broadcast domain. In a LAN with plenty of hosts, the LAN might be full of collisions and broadcasts. As a result, the LAN performance is degraded or even the LAN becomes unavailable.
VLAN frame encapsulation In order that a network device can identify frames of different VLANs, a VLAN tag field is inserted into the data link layer encapsulation. The format of VLAN-tagged frames is defined in IEEE 802.1Q issued in 1999. As shown in Figure 30, in the header of a traditional Ethernet data frame, the field after the destination MAC address and the source MAC address (DA&SA) field is the Type field, which indicates the upper layer protocol type.
VLAN types You can implement VLANs based on the following criteria: • Port • MAC address • Protocol • IP subnet • Policy • Other criteria This chapter covers port-based VLAN, MAC-based VLAN, protocol-based VLAN, and IP-based VLAN. The port-based VLAN implementation is the basis of all other VLAN implementations. To use any other VLAN implementations, you must configure port-based VLAN settings. You can configure these types of VLANs on a port at the same time.
Step 3. Enter VLAN view. 4. Configure a name for the VLAN. Command Remarks vlan vlan-id Required only when you create VLANs in bulk. Optional. The default name is VLAN vlan-id, which is the ID of the VLAN. For example, the name of VLAN 100 is VLAN 0100 by default. name text Optional. 5. Configure a description for the VLAN. The default description is VLAN vlan-id, which is the ID of the VLAN. For example, the description of VLAN 100 is VLAN 0100 by default.
Step Command Remarks Optional. 8. Cancel the action of manually shutting down the VLAN interface. undo shutdown By default, a VLAN interface is not manually shut down. The VLAN interface is up if one or more ports in the VLAN is up, and goes down if all ports in the VLAN go down. VLAN interface configuration example Network requirements As shown in Figure 32, PC A is assigned to VLAN 5, and PC B is assigned to VLAN 10. The PCs belong to different IP subnets and cannot communicate with each other.
2. Configure the default gateway of PC A as 192.168.0.10.
3. Configure the default gateway of PC B as 192.168.1.20.
Verifying the configuration
1. The PCs can ping each other.
2. Display brief information about Layer 3 interfaces on Router to verify the configuration.
display ip interface brief
*down: administratively down
(s): spoofing
Interface          Physical Protocol IP Address    Description
Vlan-interface5    up       up       192.168.0.10  Vlan-inte...
Vlan-interface10   up       up       192.168.1.20  Vlan-inte.
Figure 33 Network diagram (labels: Device A, Device B, Device C, VLAN 2, VLAN 3; access links are required, trunk links are required, hybrid links are required)
PVID
By default, VLAN 1 is the port VLAN ID (PVID) for all ports. You can configure the PVID for a port as required. When you configure the PVID on a port, use the following guidelines:
• An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port.
Actions Access Trunk Hybrid • Receives the frame if Incoming tagged frame its VLAN ID is the same as the PVID. • Drops the frame if its VLAN ID is different from the PVID. • Receives the frame if its VLAN is permitted on the port. • Drops the frame if its VLAN is not permitted on the port. • Removes the tag and sends Outgoing frames Removes the VLAN tag and sends the frame. the frame if the frame carries the PVID tag and the port belongs to the PVID.
Step Command Remarks Use one of the commands. • The configuration made in Layer 2 • Enter Layer 2 Ethernet interface view: interface interface-type interface-number 2. Enter interface view or port group view. • Enter Layer 2 aggregation interface view: interface bridge-aggregation interface-number • Enter port group view: port-group manual port-group-name 3. 4. Configure the link type of the ports as access. port link-type access Assign the access ports to a VLAN.
Step 3. Configure the link type of the ports as trunk.
  Command: port link-type trunk
  Remarks: By default, all ports are access ports.
Step 4. Assign the trunk ports to the specified VLANs.
  Command: port trunk permit vlan { vlan-list | all }
  Remarks: By default, a trunk port carries only VLAN 1.
Step 5. Configure the PVID of the trunk ports.
  Command: port trunk pvid vlan vlan-id
  Remarks: Optional. By default, the PVID is VLAN 1.
After you configure the PVID for a hybrid port, you must use the port hybrid vlan command to configure the hybrid port to allow packets from the PVID to pass through. Port-based VLAN configuration example Network requirements As shown in Figure 34, Host A and Host C belong to Department A, and access the enterprise network through different devices. Host B and Host D belong to Department B. They also access the enterprise network through different devices.
Verifying the configuration 1. Host A and Host C can ping each other successfully, but they both fail to ping Host B. Host B and Host D can ping each other successfully, but they both fail to ping Host A. 2. Determine whether the configuration is successful by displaying relevant VLAN information. # Display information about VLANs 100 and 200 on Router A.
the source MAC address and each mask. If the result of an AND operation matches the corresponding MAC address, the device tags the frame with the corresponding VLAN ID.
• If the fuzzy match fails, the device performs an exact match. In the exact match, the device searches the MAC address-to-VLAN entries whose masks are all-Fs. If the MAC address of a MAC address-to-VLAN entry matches the source MAC address of the untagged frame, the device tags the frame with the corresponding VLAN ID.
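The two-stage lookup described above, as an added Python model that is not part of the HP guide: fuzzy (masked) entries are tried first and all-Fs entries second, so an exact entry that falls inside a masked range never wins. The class name, the configured-order tie-break among masked entries, and all MAC addresses and VLAN IDs in the sample table are assumptions constructed for illustration.

```python
ALL_F = 0xFFFFFFFFFFFF  # mask of an exact-match entry (ffff-ffff-ffff)


def parse_mac(text):
    """Convert the guide's H-H-H notation (0011-2200-0001) to a 48-bit integer."""
    digits = text.replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)


class MacVlanTable:
    """Hypothetical model of the MAC address-to-VLAN entries on one device."""

    def __init__(self):
        self.entries = []  # (mac, mask, vlan), kept in configured order

    def add(self, mac, vlan, mask="ffff-ffff-ffff"):
        if not 1 <= vlan <= 4094:
            raise ValueError(f"VLAN ID out of range: {vlan}")
        self.entries.append((parse_mac(mac), parse_mac(mask), vlan))

    def lookup(self, src_mac):
        """Return (vlan, stage) for the source MAC of an untagged frame."""
        src = parse_mac(src_mac)
        # Stage 1, fuzzy match: AND the source MAC with each mask that is
        # not all-Fs and compare the result with the entry's MAC address.
        for mac, mask, vlan in self.entries:
            if mask != ALL_F and (src & mask) == mac:
                return vlan, "fuzzy"
        # Stage 2, exact match: only entries whose mask is all-Fs.
        for mac, mask, vlan in self.entries:
            if mask == ALL_F and src == mac:
                return vlan, "exact"
        return None, "no-match"

    def shadowed_exact_entries(self):
        """List exact entries that a masked entry overrides with another VLAN."""
        shadowed = []
        for mac, mask, vlan in self.entries:
            if mask != ALL_F:
                continue
            winner, stage = self.lookup(f"{mac:012x}")
            if stage == "fuzzy" and winner != vlan:
                shadowed.append((f"{mac:012x}", vlan, winner))
        return shadowed


def build_sample_table():
    """Constructed sample entries; none of these values come from the guide."""
    table = MacVlanTable()
    table.add("0011-2200-0000", 100, mask="ffff-ff00-0000")  # masked entry
    table.add("0011-2233-4455", 200)  # exact entry inside the masked range
    table.add("00e0-fc00-0001", 300)  # exact entry outside it
    return table


if __name__ == "__main__":
    t = build_sample_table()
    for mac in ("0011-2233-4455", "00e0-fc00-0001", "0022-2200-0002"):
        print(mac, t.lookup(mac))
    print("shadowed:", t.shadowed_exact_entries())
```

Running `shadowed_exact_entries()` over an exported entry list is a quick way to spot a host-specific assignment that the masked entry silently overrides.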
Figure 35 Flowchart for processing a frame in dynamic MAC-based VLAN assignment When you configure dynamic MAC-based VLAN assignment, follow these guidelines: • When a port is assigned to the corresponding VLAN in a MAC address-to-VLAN entry, but has not been assigned to the VLAN by using the port hybrid vlan command, the port sends packets from the VLAN with VLAN tags removed.
• MAC-based VLANs are available only on hybrid ports. • Do not configure a super VLAN as the VLAN of a MAC address-to-VLAN entry. • The MAC-based VLAN feature is mainly configured on downlink ports of user access devices. Do not enable this function together with link aggregation. • With MSTP enabled, if a port is blocked in the MSTI of the target MAC-based VLAN, the port drops received packets instead of delivering them to the CPU.
Step Command • Enter interface view: 2. Enter interface view or port group view. interface interface-type interface-number • Enter port group view: port-group manual port-group-name Remarks Use one of the commands. • The configuration made in Ethernet interface view applies only to the port. • The configuration made in port group view applies to all ports in the port group. 3. Configure the link type of the ports as hybrid. port link-type hybrid By default, all ports are access ports. 4.
Figure 36 Network diagram Configuration considerations • Create VLANs 100 and 200. • Configure the uplink ports of Router A and Router C as trunk ports, and assign them to VLANs 100 and 200. • Configure the downlink ports of Router B as trunk ports, and assign them to VLANs 100 and 200. Assign the uplink ports of Router B to VLANs 100 and 200. • Associate the MAC address of Laptop 1 with VLAN 100, and associate the MAC address of Laptop 2 with VLAN 200. Configuration procedure 1.
Please wait... Done.
[RouterA-GigabitEthernet4/0/1] mac-vlan enable
[RouterA-GigabitEthernet4/0/1] quit
# To enable the laptops to access Server 1 and Server 2, configure the uplink port GigabitEthernet 4/0/2 as a trunk port, and assign it to VLANs 100 and 200.
[RouterA] interface GigabitEthernet 4/0/2
[RouterA-GigabitEthernet4/0/2] port link-type trunk
[RouterA-GigabitEthernet4/0/2] port trunk permit vlan 100 200
[RouterA-GigabitEthernet4/0/2] quit
2. Configure Router B:
# Create VLANs 100 and 200.
MAC-based VLAN is usually configured on downlink ports of access layer devices, and cannot be configured together with the link aggregation function.
Configuring protocol-based VLANs
Introduction to protocol-based VLAN
The protocol-based VLAN feature assigns inbound packets to different VLANs based on their protocol type and encapsulation format. The protocols available for VLAN assignment include IP, IPX, and AT. The encapsulation formats include Ethernet II, 802.3 raw, 802.2 LLC, and 802.2 SNAP.
Step 4. Exit VLAN view. Command Remarks quit N/A • Enter Ethernet interface 5. Enter interface view or port group view. view: interface interface-type interface-number Use one of the commands. • The configuration made in Ethernet interface view applies only to the port. • Enter port group view: • The configuration made in port group port-group manual port-group-name view applies to all ports in the port group. 6. Configure the port link type as hybrid.
Configuration considerations Create VLANs 100 and 200. Associate VLAN 100 with IPv4, and associate VLAN 200 with IPv6. Configure protocol-based VLANs to isolate IPv4 traffic and IPv6 traffic at Layer 2. Configuration procedure 1. Configure Router: # Create VLAN 100, and assign port GigabitEthernet 4/0/11 to VLAN 100.
Configure IPv4 Host A, IPv4 Host B, and IPv4 Server to be on the same network segment (192.168.100.0/24, for example), and configure IPv6 Host A, IPv6 Host B, and IPv6 Server to be on the same network segment (2001::1/64, for example). Verifying the configuration 1. The hosts and server in VLAN 100 can ping one another successfully. The hosts and server in VLAN 200 can ping one another successfully. The hosts or server in VLAN 100 cannot ping the hosts or server in VLAN 200, and vice versa. 2.
Configuration procedure This feature is applicable only on hybrid ports. To configure an IP subnet-based VLAN: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter VLAN view. vlan vlan-id N/A 3. Associate an IP subnet with the VLAN. ip-subnet-vlan [ ip-subnet-index ] ip ip-address [ mask ] The IP subnet or IP address to be associated with a VLAN cannot be a multicast subnet or a multicast address. 4. Return to system view. quit N/A Use one of the commands.
Configure Router to transmit packets over separate VLANs based on their source IP addresses.
Figure 38 Network diagram (labels: Device A, Device B, VLAN 100, VLAN 200, GE4/0/11, GE4/0/12, Router, GE4/0/1, 192.168.5.0/24, Office, 192.168.50.0/24)
Configuration considerations
• Create VLANs 100 and 200.
• Associate IP subnets with the VLANs.
• Assign ports to the VLANs.
Configuration procedure
# Associate IP subnet 192.168.5.0/24 with VLAN 100.
[Router] interface GigabitEthernet 4/0/12
[Router-GigabitEthernet4/0/12] port link-type hybrid
[Router-GigabitEthernet4/0/12] port hybrid vlan 200 tagged
Please wait... Done.
[Router-GigabitEthernet4/0/12] quit
# Associate interface GigabitEthernet 4/0/1 with IP subnet-based VLANs 100 and 200.
[Router] interface GigabitEthernet 4/0/1
[Router-GigabitEthernet4/0/1] port link-type hybrid
[Router-GigabitEthernet4/0/1] port hybrid vlan 100 200 untagged
Please wait... Done.
Task Display VLAN interface information. Command Remarks display interface [ vlan-interface ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ] display interface vlan-interface vlan-interface-id [ brief [ description ] ] [ | { begin | exclude | include } regular-expression ] Available in any view. Display hybrid ports or trunk ports on the device. display port { hybrid | trunk } [ | { begin | exclude | include } regular-expression ] Available in any view.
Configuring super VLANs The super VLAN feature is supported on SAP modules that are operating in bridge mode. Super VLAN, also called "VLAN aggregation," was introduced to save IP address space. A super VLAN is associated with multiple sub-VLANs. You can create a VLAN interface for a super VLAN and assign an IP address for the VLAN interface. However, you cannot create a VLAN interface for a sub-VLAN. You can assign a physical port to a sub-VLAN, but not to a super VLAN.
To configure a super VLAN:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter VLAN view.
  Command: vlan vlan-id
  Remarks: If the specified VLAN does not exist, this command creates the VLAN first, and then enters VLAN view.
Step 3. Configure the VLAN as a super VLAN.
  Command: supervlan
  Remarks: By default, a super VLAN is not configured.
Step 4. Associate the super VLAN with the specified sub-VLANs.
  Command: subvlan vlan-list
  Remarks: VLANs specified by vlan-list must be the sub-VLANs configured earlier.
Step Command Remarks Use one of the commands. By default, local proxy ARP and local proxy ND are disabled. 4. Enable local proxy ARP. 5. Enable local proxy ND. • Enable local proxy ARP: local-proxy-arp enable • Enable local proxy ND: local-proxy-nd enable For more information about local proxy ARP and proxy ND functions, see Layer 3—IP Services Configuration Guide. For more information about local-proxy-arp enable and local-proxy-nd enable commands, see Layer 3—IP Services Command Reference.
system-view
[Sysname] vlan 10
[Sysname-vlan10] quit
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] ip address 10.0.0.1 255.255.255.0
# Enable local proxy ARP.
[Sysname-Vlan-interface10] local-proxy-arp enable
[Sysname-Vlan-interface10] quit
# Create VLAN 2, and assign GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2 to it.
It is a Sub VLAN.
Route Interface: configured
Ip Address: 10.0.0.1
Subnet Mask: 255.255.255.0
Description: VLAN 0002
Name: VLAN 0002
Tagged Ports: none
Untagged Ports:
GigabitEthernet4/0/1 GigabitEthernet4/0/2
VLAN ID: 3
VLAN Type: static
It is a Sub VLAN.
Route Interface: configured
Ip Address: 10.0.0.1
Subnet Mask: 255.255.255.0
Description: VLAN 0003
Name: VLAN 0003
Tagged Ports: none
Untagged Ports:
GigabitEthernet4/0/3 GigabitEthernet4/0/4
VLAN ID: 5
VLAN Type: static
It is a Sub VLAN.
Configuring a voice VLAN
The voice VLAN feature is supported on SAP modules that are operating in bridge mode.
Overview
A voice VLAN is configured for voice traffic. After assigning ports that connect to voice devices to a voice VLAN, the system automatically configures QoS parameters for voice traffic, to improve the transmission priority of voice traffic and ensure voice quality. Common voice devices include IP phones and IADs.
automatically assigns the receiving port to the voice VLAN, issues ACL rules, and configures the packet precedence. You can configure a voice VLAN aging time on the device. The system will remove a port from the voice VLAN if no packets are received from the port during the aging time. The system automatically assigns ports to, or removes ports from, a voice VLAN.
Table 13 Required configurations on ports of different link types for them to support tagged voice traffic Port link type Voice VLAN assignment mode supported for tagged voice traffic Configuration requirements Access N/A N/A In automatic mode, the PVID of the port cannot be the voice VLAN. Trunk Automatic and manual In manual mode, the PVID of the port cannot be the voice VLAN. Configure the port to permit packets from the voice VLAN to pass through.
• Security mode—Only voice packets whose source MAC addresses match the recognizable OUI addresses can pass through the voice VLAN-enabled inbound port, but all other packets are dropped. In a safe network, you can configure the voice VLANs to operate in normal mode, which reduces the system resources used for checking source MAC addresses. Table 15 shows how packets are handled based on different security modes. HP recommends not transmitting both voice traffic and non-voice traffic in a voice VLAN.
Configure the QoS priority settings for voice traffic on an interface before you enable voice VLAN on the interface. If the configuration order is reversed, your priority trust setting will fail. To configure QoS priority settings for voice traffic: Step Command Remarks 1. Enter system view. system-view N/A 2. Enter Layer 2 Ethernet interface view. interface interface-type interface-number N/A 3.
Step Command Enable the voice VLAN security mode. 3. Remarks Optional. voice vlan security enable By default, the voice VLAN security mode is enabled. Optional. 4. Add a recognizable OUI address. voice vlan mac-address oui mask oui-mask [ description text ] 5. Enter Layer 2 Ethernet interface view. interface interface-type interface-number By default, each voice VLAN has default OUI addresses configured. For the default OUI addresses of different vendors, see Table 12.
Step Command Remarks Optional. By default, each voice VLAN has default OUI addresses configured. For default OUI addresses of different vendors, see Table 12. 3. Add a recognizable OUI address. voice vlan mac-address oui mask oui-mask [ description text ] 4. Enter Layer 2 Ethernet interface view. interface interface-type interface-number N/A 5. Configure the port to operate in manual voice VLAN assignment mode.
• The MAC address of IP phone B is 0011-2200-0001. The phone connects to a downstream device named PC B whose MAC address is 0022-2200-0002, and to GigabitEthernet 4/0/2 on Router A. • Router A uses voice VLAN 2 to transmit voice packets for IP phone A and uses voice VLAN 3 to transmit voice packets for IP phone B. Configure GigabitEthernet4/0/1 and GigabitEthernet 4/0/2 to operate in automatic voice VLAN assignment mode.
[RouterA-GigabitEthernet4/0/1] voice vlan mode auto
# Configure VLAN 2 as the voice VLAN for GigabitEthernet 4/0/1.
[RouterA-GigabitEthernet4/0/1] voice vlan 2 enable
[RouterA-GigabitEthernet4/0/1] quit
# Configure GigabitEthernet 4/0/2.
Figure 43 Network diagram
Configuration procedure
# (Optional.) Configure the voice VLAN to operate in security mode. A voice VLAN operates in security mode by default.
system-view
[RouterA] voice vlan security enable
# Add a recognizable OUI address 0011-2200-0000.
[RouterA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test
# Create VLAN 2.
[RouterA] vlan 2
[RouterA-vlan2] quit
# Configure GigabitEthernet 4/0/1 to operate in manual voice VLAN assignment mode.
# Display the states of voice VLANs.
Configuring GVRP
GVRP is supported on SAP modules that are operating in bridge mode.
The Generic Attribute Registration Protocol (GARP) provides a generic framework for routers in a switched LAN, such as end stations and switches, to register and deregister attribute values. The GARP VLAN Registration Protocol (GVRP) is a GARP application that registers and deregisters VLAN attributes.
• Join messages
A GARP participant sends Join messages when it wishes to declare its attribute values or receives Join messages from other GARP participants. Join messages include the following categories:
  ○ JoinEmpty—A GARP participant sends JoinEmpty messages to declare attribute values that it has not registered.
  ○ JoinIn—A GARP participant sends JoinIn messages to declare attribute values that it has registered.
GARP PDU format
As shown in Figure 45, GARP PDUs are encapsulated in IEEE 802.3 Ethernet frames.
Figure 45 GARP PDU format
Ethernet frame: DA, SA, Length, DSAP, SSAP, Ctrl, GARP PDU
GARP PDU: Protocol ID, Message 1 ... Message n, End mark
Message: Attribute type, Attribute list
Attribute list: Attribute 1 ... Attribute n, End mark
Attribute: Attribute length, Attribute event, Attribute value
Table 16 describes the usage and values of fields contained in the GARP PDU portion of the Ethernet frames.
Field: Attribute value
  Description: Attribute value.
  Value: VLAN ID for GVRP. If the value of the Attribute event field is 0x00 (LeaveAll event), the Attribute value field is invalid.
The destination MAC addresses of GARP messages are multicast MAC addresses, and vary with GARP applications. For example, the destination MAC address of GVRP is 01-80-C2-00-00-21.
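A parser for the GARP PDU layout of Figure 45, added here as an example (it is not code from the HP guide) for checking which neighbours declare which VLANs over GVRP. The field values this excerpt does not list (LLC header 0x42 0x42 0x03, Protocol ID 0x0001, attribute type 0x01 for a VLAN ID, event codes 1 to 5) are taken from the IEEE 802.1D GARP encoding and are assumptions with respect to this page; the sample frame and its source MAC are constructed.

```python
import struct

GVRP_DMAC = bytes.fromhex("0180c2000021")  # 01-80-C2-00-00-21, from the guide
LLC_HEADER = b"\x42\x42\x03"               # DSAP, SSAP, Ctrl (assumed, 802.1D)
GARP_PROTOCOL_ID = b"\x00\x01"             # assumed, 802.1D
ATTR_TYPE_VLAN = 0x01                      # assumed, 802.1D GVRP VLAN ID
EVENTS = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn",
          3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}


class GarpError(ValueError):
    """Raised when a frame does not follow the GARP PDU layout."""


def _need(condition, message):
    if not condition:
        raise GarpError(message)


def parse_gvrp_frame(frame):
    """Return (source MAC, [(event name, VLAN ID or None), ...]) for one frame."""
    _need(len(frame) >= 14, "frame shorter than an Ethernet header")
    _need(frame[0:6] == GVRP_DMAC, "destination MAC is not the GVRP address")
    (length,) = struct.unpack("!H", frame[12:14])
    _need(length <= 1500 and 14 + length <= len(frame), "bad 802.3 Length field")
    body = frame[14:14 + length]           # trailing padding is ignored
    _need(body[0:3] == LLC_HEADER, "unexpected DSAP/SSAP/Ctrl")
    pdu = body[3:]
    _need(pdu[0:2] == GARP_PROTOCOL_ID, "unexpected GARP Protocol ID")
    pos, events = 2, []
    while True:                            # one iteration per Message
        _need(pos < len(pdu), "PDU End mark missing")
        attr_type = pdu[pos]
        pos += 1
        if attr_type == 0x00:              # End mark closes the PDU
            break
        _need(attr_type == ATTR_TYPE_VLAN, f"unknown attribute type {attr_type:#04x}")
        while True:                        # one iteration per Attribute
            _need(pos < len(pdu), "attribute list End mark missing")
            alen = pdu[pos]                # counts the length byte itself
            if alen == 0x00:               # End mark closes the attribute list
                pos += 1
                break
            _need(alen >= 2 and pos + alen <= len(pdu), "bad Attribute length")
            event, value = pdu[pos + 1], pdu[pos + 2:pos + alen]
            _need(event in EVENTS, f"unknown Attribute event {event:#04x}")
            if event == 0:                 # LeaveAll: the value field is invalid
                events.append(("LeaveAll", None))
            else:
                _need(len(value) == 2, "VLAN attribute value must be 2 bytes")
                (vlan,) = struct.unpack("!H", value)
                _need(1 <= vlan <= 4094, f"VLAN ID out of range: {vlan}")
                events.append((EVENTS[event], vlan))
            pos += alen
    h = frame[6:12].hex()
    return f"{h[0:4]}-{h[4:8]}-{h[8:12]}", events


def declared_vlans(frames):
    """Map each source MAC to the sorted VLAN IDs it declared with Join events."""
    seen = {}
    for frame in frames:
        src, events = parse_gvrp_frame(frame)
        joins = {vlan for name, vlan in events if name.startswith("Join")}
        seen.setdefault(src, set()).update(joins)
    return {src: sorted(vlans) for src, vlans in seen.items()}


# Constructed sample: JoinIn VLAN 2, JoinEmpty VLAN 3, LeaveAll, padded to 60 bytes.
SAMPLE_FRAME = bytes.fromhex(
    "0180c2000021" "00e0fc000001" "0012"   # DA, SA (constructed), Length = 18
    "424203" "0001"                        # LLC header, Protocol ID
    "01" "04020002" "04010003" "0200"      # Attribute type, three attributes
    "00" "00"                              # list End mark, PDU End mark
) + bytes(28)

if __name__ == "__main__":
    print(parse_gvrp_frame(SAMPLE_FRAME))
    print(declared_vlans([SAMPLE_FRAME]))
```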
Complete these tasks to configure GVRP: Task Remarks Configuring basic GVRP functions Required Configuring the GARP timers Optional Configuring basic GVRP functions Configuration prerequisites Before enabling GVRP on a port, you must enable GVRP globally. In addition, you can configure GVRP only on trunk ports, and you must assign the involved trunk ports to all dynamic VLANs. Configuration restrictions and guidelines • GVRP is mutually exclusive with service loopback.
Step Command Remarks The default setting is access. Configure the link type of the ports as trunk. 4. For more information about the port link-type trunk command, see Layer 2—LAN Switching Command Reference. port link-type trunk By default, a trunk port is assigned to VLAN 1 only. For more information about the port trunk permit vlan all command, see Layer 2—LAN Switching Command Reference. 5. Assign the trunk ports to all VLANs. port trunk permit vlan all 6. Enable GVRP on the ports. gvrp 7.
• On a GARP-enabled network, each port maintains its own Hold, Join, and Leave timers, but only one LeaveAll timer is maintained on each router. This LeaveAll timer applies to all ports on the router. • The value ranges for the Hold, Join, Leave, and LeaveAll timers are dependent on one another. See Table 17 for their dependencies. • Set the LeaveAll timer greater than any Leave timer and not smaller than its default value, 1000 centiseconds.
Task: Display GARP timers on ports.
  Command: display garp timer [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the local VLAN information that GVRP maintains on ports.
  Command: display gvrp local-vlan interface interface-type interface-number [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the current GVRP state in the specified VLANs on ports.
[RouterA-GigabitEthernet3/0/1] gvrp
[RouterA-GigabitEthernet3/0/1] quit
# Create VLAN 2 (a static VLAN).
[RouterA] vlan 2
[RouterA-vlan2] quit
2. Configure Router B:
# Enable GVRP globally.
system-view
[RouterB] gvrp
# Configure port GigabitEthernet 3/0/1 as a trunk port, and assign it to all VLANs.
Figure 47 Network diagram
Configuration procedure
1. Configure Router A:
# Enable GVRP globally.
system-view
[RouterA] gvrp
# Configure port GigabitEthernet 3/0/1 as a trunk port, and assign it to all VLANs.
[RouterA] interface GigabitEthernet 3/0/1
[RouterA-GigabitEthernet3/0/1] port link-type trunk
[RouterA-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable GVRP on GigabitEthernet 3/0/1 and set the GVRP registration mode to fixed on the port.
1(default), 2 The output shows that information about VLAN 1 and static VLAN information about VLAN 2 on the local router are registered through GVRP, but dynamic VLAN information about VLAN 3 on Router B is not. # Display the local VLAN information maintained by GVRP on port GigabitEthernet 3/0/1 of Router B.
# Configure port GigabitEthernet 3/0/1 as a trunk port, and assign it to all VLANs. [RouterB] interface GigabitEthernet 3/0/1 [RouterB-GigabitEthernet3/0/1] port link-type trunk [RouterB-GigabitEthernet3/0/1] port trunk permit vlan all # Enable GVRP on GigabitEthernet 3/0/1, and set the GVRP registration mode to forbidden on the port. [RouterB-GigabitEthernet3/0/1] gvrp [RouterB-GigabitEthernet3/0/1] gvrp registration forbidden [RouterB-GigabitEthernet3/0/1] quit # Create VLAN 3 (a static VLAN).
Configuring QinQ QinQ is supported on SAP modules that are operating in bridge mode. This document uses the following terms: • CVLAN—Customer network VLANs, also called "inner VLANs," refer to VLANs that a customer uses on the private network. • SVLAN—Service provider network VLANs, also called "outer VLANs," refer to VLANs that a service provider uses to transmit VLAN tagged traffic for customers. Overview 802.1Q-in-802.
Figure 49 Single-tagged Ethernet frame header and double-tagged Ethernet frame header

NOTE: For correct transmission of tagged frames, set the MTU of each interface on the service provider network to at least 1504 bytes, which is the sum of the default interface MTU (1500 bytes) and the size of a VLAN tag (4 bytes).

The devices in the service provider network forward a tagged frame according to its SVLAN tag only, and they transmit the CVLAN tag as part of the frame's payload.
QinQ implementations
HP provides the following QinQ implementations:
• Basic QinQ—Basic QinQ enables a port to tag any incoming frames with its PVID tag, regardless of whether they have already been tagged. If an incoming frame has been tagged, it becomes a double-tagged frame. If the frame has not been tagged, it becomes a single-tagged frame.
• Selective QinQ—Selective QinQ is more flexible than basic QinQ.
Task: Configuring inner VLAN ID substitution
Task: Configuring the TPID in VLAN tags
Remarks: Optional.

Configuring basic QinQ
This section describes how to configure basic QinQ.

Enabling basic QinQ
Enable QinQ on the customer-side port. A basic QinQ-enabled port tags an incoming packet with its PVID tag.

To enable basic QinQ:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view or port group view.
   Command:
   • Enter Layer 2 Ethernet or Layer
2. Enter interface view or port group view.
   Command:
   • Enter Layer 2 Ethernet or Layer 2 aggregate interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: N/A
3. Configure the link type of the port.
4. Configure the port to allow packets from its PVID and the transparent VLANs to pass through.
3. Specify CVLAN IDs of matching frames.
   Command: if-match customer-vlan-id vlan-id-list
   Remarks: N/A
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Create a traffic behavior and enter traffic behavior view.
   Command: traffic behavior behavior-name
   Remarks: N/A
6. Specify an SVLAN ID.
   Command: nest top-most vlan-id vlan-id
   Remarks: You can create multiple class-behavior associations in a QoS policy. However, you must make sure one CVLAN ID is mapped to only one SVLAN ID.
Optional.
3. Configure a match criterion.
   Command:
   • Match a specified inner VLAN ID: if-match customer-vlan-id vlan-id-list
   • Match a specified inner VLAN tag priority: if-match customer-dot1p 8021p-list
   Remarks: Use one of the commands.
4. Return to system view.
   Command: quit
   Remarks: N/A
5. Create a traffic behavior and enter traffic behavior view.
   Command: traffic behavior behavior-name
   Remarks: N/A
6. Configure a behavior to set the 802.1p priority in the SVLAN tags.
   Command: remark dot1p 8021p
   Remarks: N/A
7. Return to system view.
6. Configure the action of marking the inner VLAN ID.
   Command: remark customer-vlan-id vlan-id
   Remarks: N/A
7. Return to system view.
   Command: quit
   Remarks: N/A
8. Create a QoS policy and enter QoS policy view.
   Command: qos policy policy-name
   Remarks: N/A
9. Associate the traffic class with the traffic behavior defined earlier.
   Command: classifier classifier-name behavior behavior-name
   Remarks: N/A
10. Return to system view.
   Command: quit
   Remarks: N/A
11.
   • Enter Layer 2 Ethernet interface
Protocol type    Value
RARP             0x8035
IP               0x0800
IPv6             0x86DD
PPPoE            0x8863/0x8864
MPLS             0x8847/0x8848
IPX/SPX          0x8137
IS-IS            0x8000
LACP             0x8809
802.1X           0x888E
Cluster          0x88A7
Reserved         0xFFFD/0xFFFE/0xFFFF

To configure the TPID value in VLAN tags:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure the global TPID value for CVLAN tags.
   Command: qinq ethernet-type customer-tag hex-value
3.
   • Enter Layer 2 Ethernet or Layer
Set the SVLAN TPID to 0x8200 on the service provider-side ports of PE 1 and PE 2, because they are connected through third-party devices that use a TPID value of 0x8200.
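The following Python sketch is an added illustration, not part of the HP guide. It models basic QinQ tagging and shows why the SVLAN TPID must match on both ends of a link: a device that still expects 0x8100 does not recognize a 0x8200 outer tag at all. The function names, MAC addresses, and VLAN IDs 30 and 200 are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100   # default TPID for both CVLAN and SVLAN tags
MAC_HDR = 12          # destination MAC (6 bytes) + source MAC (6 bytes)

# Constructed sample addresses (locally administered source MAC).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("020000000001")


def make_tag(tpid, vid, pcp=0):
    """Encode one 4-byte VLAN tag: TPID, then PCP(3 bits) | DEI(1) | VID(12)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    return struct.pack("!HH", tpid, (pcp << 13) | vid)


def basic_qinq_ingress(frame, pvid, svlan_tpid=TPID_8021Q):
    """Basic QinQ on a customer-side port: insert the port's PVID tag right
    after the MAC addresses, whether or not the frame is already tagged."""
    if len(frame) < MAC_HDR + 2:
        raise ValueError("frame too short")
    return frame[:MAC_HDR] + make_tag(svlan_tpid, pvid) + frame[MAC_HDR:]


def parse_tags(frame, outer_tpid=TPID_8021Q, inner_tpid=TPID_8021Q):
    """Return (outer VID, inner VID, EtherType) as seen by a device that is
    configured with the given TPID values. A tag whose TPID does not match
    is not recognized and is treated as the frame's EtherType."""
    def u16(off):
        if off + 2 > len(frame):
            raise ValueError("frame truncated inside the tag stack")
        return struct.unpack_from("!H", frame, off)[0]

    off, outer, inner = MAC_HDR, None, None
    if u16(off) == outer_tpid:
        outer = u16(off + 2) & 0x0FFF
        off += 4
        if u16(off) == inner_tpid:
            inner = u16(off + 2) & 0x0FFF
            off += 4
    return outer, inner, u16(off)


def sample_customer_frame(cvlan=30):
    """Constructed single-tagged IPv4 frame from the customer network."""
    return DST + SRC + make_tag(TPID_8021Q, cvlan) + b"\x08\x00" + bytes(46)


if __name__ == "__main__":
    customer = sample_customer_frame()
    provider = basic_qinq_ingress(customer, pvid=200, svlan_tpid=0x8200)
    # The extra tag adds 4 bytes, which is why the guide asks for MTU >= 1504.
    print("growth in bytes:", len(provider) - len(customer))
    print("matching TPID  :", parse_tags(provider, outer_tpid=0x8200))
    print("mismatched TPID:", parse_tags(provider))
```

With a mismatched TPID the frame appears untagged with an unknown EtherType of 0x8200, so the receiving port cannot forward it by SVLAN.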
c. Configure GigabitEthernet 4/0/3:
# Configure GigabitEthernet 4/0/3 as a trunk port and assign it to VLAN 200 and VLANs 30 through 90.
[PE1] interface GigabitEthernet 4/0/3
[PE1-GigabitEthernet4/0/3] port link-type trunk
[PE1-GigabitEthernet4/0/3] port trunk permit vlan 200 30 to 90
# Configure VLAN 200 as the PVID for the port.
[PE1-GigabitEthernet4/0/3] port trunk pvid vlan 200
# Enable basic QinQ on the port.
[PE1-GigabitEthernet4/0/3] qinq enable
[PE1-GigabitEthernet4/0/3] quit
2.
On third-party devices between PE 1 and PE 2, configure the port that connects to PE 1 and the port that connects to PE 2 to allow tagged frames of VLAN 100 and VLAN 200 to pass through. (Details not shown.)

Selective QinQ configuration example

Network requirements
As shown in Figure 52, configure selective QinQ to meet the following requirements:
• VLAN 10 of CE A and CE B can intercommunicate across VLAN 1000 in the service provider network.
[PEA-GigabitEthernet2/0/1] port hybrid pvid vlan 3000
# Enable basic QinQ on the port.
[PEA-GigabitEthernet2/0/1] qinq enable
[PEA-GigabitEthernet2/0/1] quit
# Create a class A10 to match the frames from VLAN 10 of CE A.
[PEA] traffic classifier A10
[PEA-classifier-A10] if-match customer-vlan-id 10
[PEA-classifier-A10] quit
# Create a traffic behavior P1000 and configure the action of tagging frames with the SVLAN tag 1000 for the traffic behavior.
# Set the TPID value in the outer VLAN tag to 0x8200 on the port.
[PEA-GigabitEthernet2/0/3] qinq ethernet-type service-tag 8200
2. Configure PE B:
a. Configure GigabitEthernet 2/0/1:
# Configure the port as a trunk port to permit frames from VLAN 1000, VLAN 2000, and VLAN 3000 to pass through.
Figure 53 Network diagram

Configuration procedure
This example assumes that devices in the service provider network have been configured to allow QinQ packets to pass through.
1. Configure PE 1:
a. Configure GigabitEthernet 4/0/1:
# Configure GigabitEthernet 4/0/1 as a trunk port and assign it to VLANs 10 through 50.
# Enable basic QinQ on the port.
[PE2-GigabitEthernet4/0/1] qinq enable
# Configure the port to transparently transmit frames from VLANs 10 through 50.
[PE2-GigabitEthernet4/0/1] qinq transparent-vlan 10 to 50
[PE2-GigabitEthernet4/0/1] quit
b. Configure GigabitEthernet 4/0/2:
# Configure GigabitEthernet 4/0/2 as a trunk port and assign it to VLANs 10 through 50.
Configuring VLAN termination

In this chapter, for a packet that carries two or more layers of VLAN tags, the outermost layer of VLAN tags is called "Layer 1 VLAN tag," and the second outermost layer of VLAN tags is called "Layer 2 VLAN tag." This also applies to VLAN IDs.

Overview
VLAN termination assigns a received VLAN-tagged packet to the corresponding interface according to its VLAN tags. The interface then removes the VLAN tags and forwards the packet through Layer 3 or processes it in another way.
Figure 54 VLAN termination for inter-VLAN communication (through Layer 3 Ethernet subinterfaces)

LAN-WAN communication
Most packets sent out of LANs carry VLAN tags, but some WAN protocols such as ATM, Frame Relay, and PPP cannot recognize VLAN-tagged packets. Therefore, before sending VLAN-tagged packets to a WAN, the sending port must locally record VLAN information and remove VLAN tags from the packets. VLAN termination can be used for this purpose.
• A main interface cannot terminate VLAN-tagged packets, but you can create subinterfaces for it to terminate VLAN-tagged packets.
• A subinterface can send and receive only VLAN-tagged packets.
• Layer 3 Ethernet subinterfaces can terminate packets whose outermost VLAN IDs match the configured values or the outermost two layers of VLAN IDs match the configured values.
2. Enter interface view.
   Command:
   • Enter Layer 3 Ethernet subinterface view: interface interface-type interface-number.subnumber
   • Enter Layer 3 aggregate subinterface view: interface route-aggregation interface-number.subnumber
   Remarks: Use one of the commands.
3. Enable Dot1q termination on the subinterface, and configure the subinterface to terminate the VLAN-tagged packets whose outermost VLAN IDs match the specified VLAN ID.
Ambiguous QinQ termination—Terminates packets whose Layer 1 VLAN IDs match the specified VLAN ID and Layer 2 VLAN IDs are in the specified range and does not allow any other VLAN-tagged packets to pass through the subinterface. When the subinterface receives a packet, it removes the two layers of VLAN tags of the packet.
2. Enter interface view.
   Command:
   • Enter Layer 3 Ethernet subinterface view: interface interface-type interface-number.subnumber
   • Enter Layer 3 aggregate subinterface view: interface route-aggregation interface-number.subnumber
   Remarks: Use one of the commands.
3. Enable QinQ termination on the subinterface, and configure the subinterface to terminate the VLAN-tagged packets whose outermost two layers of VLAN tags match the specified values.
value, and sets the TPID values in the other VLAN tags to 0x8100 if the packet carries two or more layers of VLAN tags.

To set the TPID value for VLAN-tagged packets:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command:
   • Enter Layer 3 Ethernet interface view: interface interface-type interface-number
   • Enter Layer 3 aggregate interface view: interface route-aggregation interface-number
3.
Figure 56 Network diagram

Configuration procedure
IMPORTANT: The vlan-type dot1q vid command is mandatory for devices that support it, because an Ethernet subinterface can be activated and transmit packets only after it is associated with VLANs.
1. Configure Host A, Host B, Host C, and Host D:
   • Configure Host A's IP address as 1.1.1.1/8, and gateway IP address as 1.0.0.1/8.
   • Configure Host B's IP address as 2.2.2.2/8, and gateway IP address as 2.0.0.1/8.
   • Configure Host C's IP address as 3.3.
# Create GigabitEthernet 4/0/1.10, GigabitEthernet 4/0/1.20, GigabitEthernet 4/0/2.10, and GigabitEthernet 4/0/2.20, and then assign IP addresses to them. Configure GigabitEthernet 4/0/1.10 and GigabitEthernet 4/0/2.10 to terminate packets tagged with VLAN 10, and configure GigabitEthernet 4/0/1.20 and GigabitEthernet 4/0/2.20 to terminate packets tagged with VLAN 20.
system-view
[Router] interface GigabitEthernet 4/0/1.10
[Router-GigabitEthernet4/0/1.10] ip address 1.0.0.1 255.0.0.
Figure 57 Network diagram

Configuration procedure
1. Configure Host A, Host B, and Host C:
   • Configure the IP addresses of Host A, Host B, and Host C as 1.1.1.1/24, 1.1.1.2/24, and 1.1.1.3/24, respectively.
   • Configure the gateway IP address as 1.1.1.11/24 for the hosts.
2. Configure Layer 2 Switch A:
# Assign Ethernet 1/1 to VLAN 11.
system-view
[L2_SwitchA] vlan 11
[L2_SwitchA-vlan11] port ethernet 1/1
[L2_SwitchA-vlan11] quit
# Assign Ethernet 1/2 to VLAN 12.
system-view
[Router] interface GigabitEthernet 4/0/1.10
[Router-GigabitEthernet4/0/1.10] ip address 1.1.1.11 255.255.255.0
# Enable Dot1q termination on GigabitEthernet 4/0/1.10, and configure the subinterface to terminate VLAN-tagged packets whose Layer 1 VLAN ID is 11, 12, or 13.
[Router-GigabitEthernet4/0/1.10] vlan-type dot1q vid 11 to 13
[Router-GigabitEthernet4/0/1.10] quit
# Configure an IP address for GigabitEthernet4/0/2.
2. Configure related PPPoE settings on GigabitEthernet 4/0/1.10. For more information about the PPPoE configuration, see Layer 2—WAN Configuration Guide.

Unambiguous QinQ termination configuration example

Network requirements
As shown in Figure 59, Host A connects to Layer 2 Switch A and belongs to VLAN 11. Host B connects to Layer 2 Switch C, which supports only single VLAN-tagged packets.
[L2_SwitchA-Ethernet1/1] port hybrid vlan 11 tagged
3. Configure Layer 2 Switch B:
# Configure Ethernet 1/2 as a trunk port, configure its PVID as VLAN 100, and assign the port to VLAN 11 and VLAN 100.
Figure 60 Network diagram

Configuration procedure
1. Configure Host A, Host B, and Host C:
   • Configure the IP addresses of Host A, Host B, and Host C as 1.1.1.1/24, 1.1.1.2/24, and 1.1.1.3/24, respectively.
   • Configure the gateway address as 1.1.1.11/24 for the hosts.
2. Configure Layer 2 Switch A:
# Assign Ethernet 1/1 to VLAN 11.
system-view
[L2_SwitchA] vlan 11
[L2_SwitchA-vlan11] port ethernet 1/1
[L2_SwitchA-vlan11] quit
# Assign Ethernet 1/2 to VLAN 12.
# Configure Ethernet 1/2 as a trunk port, configure its PVID as VLAN 100, and assign the port to VLANs 11 through 13 and VLAN 100.
system-view
[L2_SwitchB] interface ethernet 1/2
[L2_SwitchB-Ethernet1/2] port link-type trunk
[L2_SwitchB-Ethernet1/2] port trunk pvid vlan 100
[L2_SwitchB-Ethernet1/2] port trunk permit vlan 11 to 13 100
# Enable basic QinQ on Ethernet 1/2, and configure the port to add outer VLAN tag 100 to packets tagged with VLANs 11 through 13.
Figure 61 Network diagram

Configuration procedure
1. Configure VLANs and QinQ termination. For the configuration procedure, see "Ambiguous QinQ termination configuration example."
2. Configure related PPPoE settings on GigabitEthernet 4/0/1.10. For more information about the PPPoE configuration, see Layer 2—WAN Configuration Guide.
Figure 62 Network diagram

Configuration procedure
1. Configure DHCP relay agent Provider A:
# Enable DHCP service.
system-view
[ProviderA] dhcp enable
# Create the DHCP server group.
[ProviderA] dhcp relay server-group 1 ip 10.2.1.1
# Create a Layer 3 Ethernet subinterface GigabitEthernet 4/0/1.100.
[ProviderA] interface GigabitEthernet 4/0/1.100
# Configure subinterface GigabitEthernet 4/0/1.100 to terminate packets whose Layer 2 VLAN ID is 10 or 20.
[ProviderA-GigabitEthernet4/0/1.
[ProviderA-GigabitEthernet4/0/1.100] quit
# Assign an IP address to the interface connecting to the DHCP server.
[ProviderA] interface serial 2/1/1
[ProviderA-Serial2/1/1] ip address 10.1.1.1 24
2. Configure DHCP server Provider B:
# Assign an IP address to the DHCP server.
system-view
[ProviderB] interface serial 2/1/1
[ProviderB-Serial2/1/1] ip address 10.2.1.1 24
[ProviderB-Serial2/1/1] quit
# Enable DHCP.
[ProviderB] dhcp enable
# Configure an IP address pool on the DHCP server.
# Configure Ethernet 1/1 as a trunk port and assign it to VLAN 20.
[SwitchB] interface ethernet 1/1
[SwitchB-Ethernet1/1] port link-type trunk
[SwitchB-Ethernet1/1] port trunk permit vlan 20
5. Configure Switch C:
# Add Ethernet 1/2 to VLAN 10.
system-view
[SwitchC] vlan 10
[SwitchC-vlan10] port ethernet 1/2
[SwitchC-vlan10] quit
# Configure Ethernet 1/1 as a trunk port and assign it to VLAN 10.
Configuring VLAN mapping

VLAN mapping is supported on SAP modules that are operating in bridge mode.

Overview
VLAN mapping re-marks VLAN tagged traffic with new VLAN IDs. HP provides the following types of VLAN mapping:
• One-to-one VLAN mapping—Replaces one VLAN tag with another. You can use one-to-one VLAN mapping to sub-classify traffic from a particular VLAN for granular QoS control.
• Many-to-one VLAN mapping—Replaces multiple VLAN tags with the same VLAN tag.
Figure 63 Application scenario of one-to-one and many-to-one VLAN mapping

To further sub-classify each type of traffic by customer, perform one-to-one VLAN mapping on the building devices, assigning a separate VLAN for each type of traffic from each customer. The required total number of VLANs in the network can be very large.
Figure 64 Application scenario of one-to-two and two-to-two VLAN mapping

Site 1 and Site 2 are in VLAN 2 and VLAN 3, respectively. The VLAN assigned for VPN A is VLAN 10 in the SP 1 network and VLAN 20 in the SP 2 network.
Figure 65 Basic concepts of VLAN mapping

These basic concepts include:
• Uplink traffic—Traffic transmitted from the customer network to the service provider network.
• Downlink traffic—Traffic transmitted from the service provider network to the customer network.
• Network-side port—A port connected to or closer to the service provider network.
• Customer-side port—A port connected to or closer to the customer network.
Figure 66 One-to-one VLAN mapping implementation

Many-to-one VLAN mapping
Implement many-to-one VLAN mapping through the following configurations, as shown in Figure 67:
• Apply an uplink policy to incoming traffic on the customer-side port to map different CVLAN IDs to one SVLAN ID. When a packet arrives, the switch replaces its CVLAN tag with the matching SVLAN tag.
• Configure the network-side port as a DHCP snooping trusted port.
Figure 68 One-to-two VLAN mapping

Two-to-two VLAN mapping
Implement two-to-two VLAN mapping through the following configurations, as shown in Figure 69.
• For uplink traffic, apply an inbound policy on the customer-side port to replace the SVLAN with a new SVLAN, and apply an outbound policy on the network-side port to replace the CVLAN with a new CVLAN.
• For downlink traffic, apply an outbound policy on the customer-side port to replace the double tags with the original VLAN tag pair.
Configuring one-to-one VLAN mapping

Perform one-to-one VLAN mapping on building devices (see Figure 63) to isolate traffic by both user and traffic type.

Complete the following tasks to configure one-to-one VLAN mapping:
Task: Configuring an uplink policy
Remarks: Creates CVLAN-to-SVLAN mappings (required).
Task: Configuring a downlink policy
Remarks: Creates SVLAN-to-CVLAN mappings (required).
Task: Configuring the customer-side port
Remarks: Configures settings required for one-to-one VLAN mapping (required).
Configuring a downlink policy

To configure a downlink policy to map SVLANs back to CVLANs:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure one class for an SVLAN.
   Command:
   a. Create a class and enter class view: traffic classifier tcl-name [ operator { and | or } ]
   b. Configure an SVLAN as the match criterion: if-match service-vlan-id vlan-id
   c. Return to system view: quit
   Remarks: Repeat this step to configure one class for each SVLAN.
3. Configure one behavior for a CVLAN.
   Command:
   a.
4. Assign the port to all CVLANs.
   Command:
   • As a trunk port: port trunk permit vlan { vlan-list | all }
   • As a hybrid port: port hybrid vlan vlan-list tagged
   Remarks: Use one of the commands. By default:
   • A trunk port is assigned to only VLAN 1.
   • A hybrid port is an untagged member of VLAN 1.
5. Enable basic QinQ.
   Command: qinq enable
   Remarks: By default, basic QinQ is disabled.
6. Apply the uplink policy to incoming traffic.
   Command: qos apply policy policy-name inbound
   Remarks: N/A
7.
Complete the following tasks to configure many-to-one VLAN mapping:
Task: Enabling DHCP snooping
Remarks: Enables DHCP snooping globally (required).
Task: Enabling ARP detection in SVLANs
Remarks: Enables ARP detection in all SVLANs (required).
Task: Configuring an uplink policy
Remarks: Configures an uplink policy for the customer-side port (required).
Task: Configuring the customer-side port
Remarks: Configures VLAN and other settings required for many-to-one VLAN mapping (required).
Configuring an uplink policy

To configure an uplink policy to map a group of CVLANs to one SVLAN:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure one class for a group of CVLANs.
   Command:
   a. Create a class and enter class view: traffic classifier tcl-name operator or
   b. Configure multiple CVLANs as match criteria: if-match customer-vlan-id { vlan-list | vlan-id1 to vlan-id2 }
   c. Return to system view: quit
   Remarks: Repeat this step to configure one class for each group of CVLANs.
3.
   a.
3. Configure the link type of the port.
   Command:
   • Configure the port as a trunk port: port link-type trunk
   • Configure the port as a hybrid port: port link-type hybrid
   Remarks: Use one of the commands. The default link type of an Ethernet port is access.
4. Assign the port to all CVLANs.
   Command:
   • As a trunk port: port trunk permit vlan { vlan-list | all }
   • As a hybrid port: port hybrid vlan vlan-list tagged
   Remarks: Use one of the commands. By default:
   • A trunk port is assigned to only VLAN 1.
Configuring one-to-two VLAN mapping

Perform one-to-two VLAN mapping on the edge devices from which customer traffic enters SP networks, for example, on PE 1 and PE 4 in Figure 64. One-to-two VLAN mapping enables the edge devices to insert an outer VLAN tag into each incoming packet.

Complete the following tasks to configure one-to-two VLAN mapping:
Task: Configuring an uplink policy
Remarks: Configures an uplink policy for the customer-side port (required).
5. Associate the class with the behavior.
   Command: classifier tcl-name behavior behavior-name mode dot1q-tag-manipulation
   Remarks: Repeat this step to create class-behavior associations for other CVLANs.

Configuring the customer-side port
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command:
   • Enter Layer 2 Ethernet interface view: interface interface-type interface-number
   • Ethernet port group view: port-group manual port-group-name
   Remarks: N/A
3.
4. Assign the port to all SVLANs.
   Command:
   • As a trunk port: port trunk permit vlan { vlan-list | all }
   • As a hybrid port: port hybrid vlan vlan-list tagged
   Remarks: By default:
   • A trunk port is assigned to only VLAN 1.
   • A hybrid port is an untagged member of VLAN 1.

Configuring two-to-two VLAN mapping
Perform two-to-two VLAN mapping on an edge device that connects two SP networks, for example, on PE 3 in Figure 64.
2. Configure one class for a foreign CVLAN and SVLAN pair.
   Command:
   a. Create a class and enter class view: traffic classifier tcl-name [ operator and ]
   b. Specify a foreign CVLAN as a match criterion: if-match customer-vlan-id vlan-id
   c. Specify a foreign SVLAN as a match criterion: if-match service-vlan-id vlan-id
   d. Return to system view: quit
   Remarks: Repeat this step to create one class for each foreign CVLAN and SVLAN pair.
3. Configure one SVLAN marking action for a CVLAN and SVLAN pair.
3. Configure one CVLAN marking action for a local SVLAN and foreign CVLAN pair.
   Command:
   a. Create a traffic behavior and enter traffic behavior view: traffic behavior behavior-name
   b. Configure a CVLAN marking action to replace the foreign CVLAN ID with a local CVLAN ID: remark customer-vlan-id vlan-id
   c. Return to system view: quit
   Remarks: Repeat this step to configure one CVLAN marking action for each local SVLAN and foreign CVLAN pair.
4. Create a QoS policy and enter QoS policy view.
5.
4. Create a QoS policy and enter QoS policy view.
   Command: qos policy policy-name
   Remarks: N/A
5. Associate the class with the behavior.
   Command: classifier tcl-name behavior behavior-name
   Remarks: Repeat this step to create other class-behavior associations.

Configuring the customer-side port
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   Command:
   • Enter Layer 2 Ethernet interface view: interface interface-type interface-number
2. Enter interface view.
   Command:
   • Enter Layer 2 Ethernet interface view: interface interface-type interface-number
   • Ethernet port group view: port-group manual port-group-name
   Remarks: N/A
3. Configure the link type of the port.
   Command:
   • Configure the port as a trunk port: port link-type trunk
   • Configure the port as a hybrid port: port link-type hybrid
   Remarks: The default link type of an Ethernet port is access.
4. Assign the port to all CVLANs.
   Command:
   • As a trunk port:
   Remarks: By default:
Figure 70 Network diagram

Configuration procedure
1. Configure Router A:
# Create the CVLANs and the SVLANs.
system-view
[RouterA] vlan 2 to 3
[RouterA] vlan 101 to 102
[RouterA] vlan 201 to 202
[RouterA] vlan 301 to 302
# Configure uplink policies p1 and p2 to enable one SVLAN to transmit one service for one customer.
[RouterA-classifier-c1] traffic classifier c2
[RouterA-classifier-c2] if-match customer-vlan-id 2
[RouterA-classifier-c2] traffic classifier c3
[RouterA-classifier-c3] if-match customer-vlan-id 3
[RouterA-classifier-c3] quit
[RouterA] traffic behavior b1
[RouterA-behavior-b1] remark service-vlan-id 101
[RouterA-behavior-b1] traffic behavior b2
[RouterA-behavior-b2] remark service-vlan-id 201
[RouterA-behavior-b2] traffic behavior b3
[RouterA-behavior-b3] remark service-vlan-id 301
[RouterA-behavior-b3] traf
[RouterA-behavior-b33] quit
[RouterA] qos policy p11
[RouterA-policy-p11] classifier c11 behavior b11
[RouterA-policy-p11] classifier c22 behavior b22
[RouterA-policy-p11] classifier c33 behavior b33
[RouterA-policy-p11] quit
[RouterA] qos policy p22
[RouterA-policy-p22] classifier c44 behavior b11
[RouterA-policy-p22] classifier c55 behavior b22
[RouterA-policy-p22] classifier c66 behavior b33
[RouterA-policy-p22] quit
# Assign customer-side port GigabitEthernet 4/0/1 to CVLANs 1 to 3, and SVLANs 101, 201
[RouterC-vlan301] vlan 102
[RouterC-vlan102] arp detection enable
[RouterC-vlan102] vlan 202
[RouterC-vlan202] arp detection enable
[RouterC-vlan202] vlan 302
[RouterC-vlan302] arp detection enable
[RouterC-vlan302] vlan 103
[RouterC-vlan103] arp detection enable
[RouterC-vlan103] vlan 203
[RouterC-vlan203] arp detection enable
[RouterC-vlan203] vlan 303
[RouterC-vlan303] arp detection enable
[RouterC-vlan303] vlan 104
[RouterC-vlan104] arp detection enable
[RouterC-vlan104] vlan 204
[RouterC-vlan204] arp d
[RouterC-policy-p1] classifier c1 behavior b1 mode dot1q-tag-manipulation
[RouterC-policy-p1] classifier c2 behavior b2 mode dot1q-tag-manipulation
[RouterC-policy-p1] classifier c3 behavior b3 mode dot1q-tag-manipulation
[RouterC-policy-p1] quit
[RouterC] qos policy p2
[RouterC-policy-p2] classifier c4 behavior b1 mode dot1q-tag-manipulation
[RouterC-policy-p2] classifier c5 behavior b2 mode dot1q-tag-manipulation
[RouterC-policy-p2] classifier c6 behavior b3 mode dot1q-tag-manipulation
[RouterC-policy-p2]
One-to-two and two-to-two VLAN mapping configuration example

Network requirements
As shown in Figure 71, two VPN A branches, Site 1 and Site 2, are in VLAN 10 and VLAN 30, respectively. The two sites use different VPN access services from different service providers, SP 1 and SP 2. SP 1 assigns VLAN 100 for Site 1, and SP 2 assigns VLAN 200 for Site 2. Configure one-to-two and two-to-two VLAN mappings to enable the two branches to communicate across networks SP 1 and SP 2.
[PE1-GigabitEthernet4/0/1] quit
# Configure network-side port GigabitEthernet 4/0/2 as a trunk port, and assign it to VLAN 100.
[PE1] interface GigabitEthernet 4/0/2
[PE1-GigabitEthernet4/0/2] port link-type trunk
[PE1-GigabitEthernet4/0/2] port trunk permit vlan 100
2. Configure PE 2:
# Configure port GigabitEthernet 4/0/1 as a trunk port, and assign it to VLAN 100.
[PE3-classifier-up_uplink] if-match customer-vlan-id 10
[PE3-classifier-up_uplink] if-match service-vlan-id 200
[PE3-classifier-up_uplink] quit
[PE3] traffic behavior up_uplink
[PE3-behavior-up_uplink] remark customer-vlan-id 30
[PE3-behavior-up_uplink] quit
[PE3] qos policy up_uplink
[PE3-qospolicy-up_uplink] classifier up_uplink behavior up_uplink
[PE3-qospolicy-up_uplink] quit
# Configure customer-side port GigabitEthernet 4/0/1 as a trunk port, assign it to VLAN 200, and apply uplink policy down_uplink
[PE4-GigabitEthernet4/0/2] qinq enable
[PE4-GigabitEthernet4/0/2] qos apply policy test inbound
Configuring LLDP

Overview
In a heterogeneous network, having a standard configuration exchange platform ensures that different types of network devices from different vendors can discover one another and exchange configuration information for the sake of interoperability and management.

The Link Layer Discovery Protocol (LLDP) is specified in IEEE 802.1AB. The protocol operates on the data link layer to exchange device information between directly connected devices.
Field: FCS
Description: Frame check sequence, a 32-bit CRC value used to determine the validity of the received Ethernet frame.

2. LLDPDU encapsulated in SNAP

Figure 73 LLDPDU encapsulated in SNAP

Table 20 Fields in a SNAP-encapsulated LLDPDU
Field: Destination MAC address
Description: MAC address to which the LLDPDU is advertised. It is fixed at 0x0180-C200-000E, a multicast MAC address.
Field: Source MAC address
Description: MAC address of the sending port.
Field: Type
Description: SNAP type for the upper layer protocol.
• Basic management TLVs
• Organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs
• LLDP-MED (media endpoint discovery) TLVs

Basic management TLVs are essential to device management. Organizationally specific TLVs and LLDP-MED TLVs are used for enhanced device management, and they are defined by standardization or other organizations and are optional to LLDPDUs.

1. Basic management TLVs:
Table 21 lists the basic management TLV types.
NOTE:
• The router supports only receiving protocol identity TLVs and does not support DCBX TLVs.
• Layer 3 Ethernet ports do not support IEEE 802.1 organizationally specific TLVs.

3. IEEE 802.3 organizationally specific TLVs

Table 23 IEEE 802.3 organizationally specific TLVs
Type: MAC/PHY Configuration/Status
Description: Contains the bit-rate and duplex capabilities of the sending port, support for auto negotiation, enabling status of auto negotiation, and the current rate and duplex mode.
Type: Serial Number
Description: Allows a terminal device to advertise its serial number.
Type: Manufacturer Name
Description: Allows a terminal device to advertise its vendor name.
Type: Model Name
Description: Allows a terminal device to advertise its model name.
Type: Asset ID
Description: Allows a terminal device to advertise its asset ID. The typical case is that the user specifies the asset ID for the endpoint to assist directory management and asset tracking.
Receiving LLDPDUs
An LLDP-enabled port that is operating in TxRx mode or Rx mode checks the validity of TLVs carried in every received LLDPDU. If valid, the information is saved and an aging timer is set for it based on the TTL value in the Time to Live TLV carried in the LLDPDU. If the TTL value is zero, the information ages out immediately.

Protocols and standards
• IEEE 802.
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable LLDP globally.
   Command: lldp enable
   Remarks: LLDP is globally disabled.
3. Enter Ethernet interface view or port group view.
   Command:
   • Enter Layer 2/Layer 3 Ethernet interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: Use either command.
4. Enable LLDP.
   Command: lldp enable
   Remarks: Optional. By default, LLDP is enabled on a port.
2. Set the LLDP re-initialization delay.
   Command: lldp timer reinit-delay delay
   Remarks: Optional. The default setting is 2 seconds.

Enabling LLDP polling
With LLDP polling enabled, a device periodically searches for local configuration changes. On detecting a configuration change, the device sends LLDPDUs to inform neighboring devices of the change.

To enable LLDP polling:
1. Enter system view.
   Command: system-view
   Remarks: N/A
2.
   • Enter Layer 2/Layer 3 Ethernet interface
4. Configure the advertisable TLVs in Layer 3 Ethernet interface view.
   Command: lldp tlv-enable { basic-tlv { all | port-description | system-capability | system-description | system-name } | dot3-tlv { all | link-aggregation | mac-physic | max-frame-size | power } | med-tlv { all | capability | inventory | location-id { civic-address device-type country-code { ca-type ca-value }&<1-10> | elin-address tel-number } | power-over-ethernet } }
   Remarks: Optional.
4. Configure the encoding format of the management address as a character string.
   Command: lldp management-address-format string
   Remarks: Optional. By default, the management address is encapsulated in numeric format.

Setting other LLDP parameters
The Time to Live TLV carried in an LLDPDU determines how long the device information carried in the LLDPDU can be saved on a recipient device.
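The receive-side behavior described under "Receiving LLDPDUs" and the role of the Time to Live TLV can be modeled as follows. This Python sketch is an added illustration, not HP code: it bounds-checks every TLV in a received LLDPDU, stores valid neighbor information with an aging timer, and removes the entry at once when the TTL is zero. The TLV header layout (7-bit type, 9-bit length) and the type numbers follow IEEE 802.1AB; the class and function names and the sample LLDPDU are constructed.

```python
import struct

END, CHASSIS_ID, PORT_ID, TTL = 0, 1, 2, 3
# Basic management TLV types 0-8 and organizationally specific type 127.
KNOWN_TYPES = set(range(0, 9)) | {127}


def tlv(tlv_type, value):
    """Encode one TLV: 7-bit type and 9-bit length, then the value."""
    if not 0 <= tlv_type <= 127 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def parse_lldpdu(data):
    """Validate an LLDPDU and return its contents, or raise ValueError."""
    tlvs, off = [], 0
    while off < len(data):
        if len(data) - off < 2:
            raise ValueError("truncated TLV header")
        (hdr,) = struct.unpack_from("!H", data, off)
        tlv_type, length = hdr >> 9, hdr & 0x01FF
        off += 2
        if tlv_type == END:
            break                      # anything after this is padding
        if off + length > len(data):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        tlvs.append((tlv_type, data[off:off + length]))
        off += length
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError("Chassis ID, Port ID and TTL must come first")
    chassis, port, ttl = (v for _, v in tlvs[:3])
    # Chassis/Port ID: 1 subtype byte + 1..255 ID bytes. This example reads
    # the TTL from the first two bytes of its TLV.
    if not 2 <= len(chassis) <= 256 or not 2 <= len(port) <= 256 or len(ttl) < 2:
        raise ValueError("mandatory TLV has an invalid length")
    return {
        "chassis_id": chassis,
        "port_id": port,
        "ttl": struct.unpack("!H", ttl[:2])[0],
        "optional": tlvs[3:],
        "unknown": sum(1 for t, _ in tlvs if t not in KNOWN_TYPES),
    }


class NeighborTable:
    """Neighbor information keyed by local port, chassis ID and port ID."""

    def __init__(self):
        self.entries = {}      # key -> (expiry time in seconds, parsed info)
        self.discarded = 0

    def receive(self, local_port, data, now):
        try:
            info = parse_lldpdu(data)
        except ValueError:
            self.discarded += 1        # invalid LLDPDU: save nothing
            return "discarded"
        key = (local_port, info["chassis_id"], info["port_id"])
        if info["ttl"] == 0:
            self.entries.pop(key, None)   # TTL 0: age out immediately
            return "aged-out"
        action = "updated" if key in self.entries else "added"
        self.entries[key] = (now + info["ttl"], info)
        return action

    def expire(self, now):
        """Remove entries whose aging timer has run out; return the count."""
        stale = [k for k, (expiry, _) in self.entries.items() if expiry <= now]
        for key in stale:
            del self.entries[key]
        return len(stale)


def sample_lldpdu(ttl):
    """Constructed LLDPDU: MAC chassis ID, interface-name port ID, a System
    Name TLV (type 5), one TLV of reserved type 9, and the End TLV."""
    return b"".join([
        tlv(CHASSIS_ID, b"\x04" + bytes.fromhex("020000000002")),
        tlv(PORT_ID, b"\x05" + b"GigabitEthernet4/0/1"),
        tlv(TTL, struct.pack("!H", ttl)),
        tlv(5, b"RouterB"),
        tlv(9, b"\x01\x02\x03\x04"),
        tlv(END, b""),
    ])
```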
• Ethernet II encapsulation—An LLDP port sends LLDPDUs in Ethernet II frames and processes only incoming, Ethernet II encapsulated LLDPDUs.
• SNAP encapsulation—An LLDP port sends LLDPDUs in SNAP frames and processes only incoming, SNAP encapsulated LLDPDUs.

By default, LLDPDUs are encapsulated in Ethernet II frames. If neighbor devices encapsulate LLDPDUs in SNAP frames, configure the encapsulation format for LLDPDUs as SNAP to guarantee normal communication with neighbors.
• Enable LLDP on the port connecting to an IP phone and configure the port to operate in TxRx mode.

Configuring CDP compatibility
CDP-compatible LLDP operates in one of the following modes:
• TxRx—CDP packets can be transmitted and received.
• Disable—CDP packets can be neither transmitted nor received.

LLDP traps are sent periodically, and the interval is configurable.
Step 3. Enable LLDP trapping.
Command: lldp notification remote-change enable
Remarks: By default, LLDP trapping is disabled.

Step 4. Return to system view.
Command: quit
Remarks: N/A

Step 5. Set the LLDP trap transmit interval.
Command: lldp timer notification-interval interval
Remarks: Optional. The default setting is 5 seconds.

Displaying and maintaining LLDP

Task: Display global LLDP information or information contained in LLDP TLVs to be sent through a port.
Figure 75 Network diagram

Configuration procedure

1. Configure Router A:

# Enable LLDP globally.
<RouterA> system-view
[RouterA] lldp enable

# Enable LLDP on GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2. (You can skip this step because LLDP is enabled on ports by default.) Set the LLDP operating mode to Rx.
Transmit delay : 2s
Trap interval : 5s
Fast start times : 3

Port 1 [GigabitEthernet4/0/1]:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Polling interval : 0s
Number of neighbors: 1
Number of MED neighbors : 1
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 0

Port 2 [GigabitEthernet4/0/2]:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Polling interval : 0s
Number of neighbors: 1
Number of
Polling interval : 0s
Number of neighbors : 1
Number of MED neighbors : 1
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 5

Port 2 [GigabitEthernet4/0/2]:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Polling interval : 0s
Number of neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 0

As shown in the sample output, GigabitEthernet
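Comparing two captures of the per-port status output, as done by eye above, can be automated so that a neighbor disappearing from a port or a rise in received unknown TLVs is reported. This is an added example, not part of the HP guide; the function names are hypothetical and the two captures are constructed samples in the layout of the status output above.

```python
import re

WATCHED = ("Number of neighbors", "Number of MED neighbors",
           "Number of CDP neighbors", "Number of received unknown TLV")

def parse_lldp_status(text: str) -> dict:
    """Map port name -> {field: int or str} from per-port status text."""
    ports, current = {}, None
    for line in text.splitlines():
        header = re.match(r"\s*Port \d+ \[(.+?)\]\s*:", line)
        if header:
            current = ports.setdefault(header.group(1), {})
        elif current is not None and ":" in line:
            key, _, val = line.partition(":")
            val = val.strip()
            # Normalize spacing so "neighbors: 1" and "neighbors : 1" match
            current[" ".join(key.split())] = int(val) if val.isdigit() else val
    return ports

def neighbor_changes(before: str, after: str) -> list:
    """Return (port, field, old, new) for every watched counter that moved."""
    old, new = parse_lldp_status(before), parse_lldp_status(after)
    changes = []
    for port in sorted(set(old) | set(new)):
        for field in WATCHED:
            a, b = old.get(port, {}).get(field), new.get(port, {}).get(field)
            if a != b:
                changes.append((port, field, a, b))
    return changes

# Constructed captures (not the guide's own output), same layout as above.
TEMPLATE = """Port 1 [GigabitEthernet4/0/1]:
Admin status : Rx_Only
Number of neighbors : {0}
Number of received unknown TLV : {1}
Port 2 [GigabitEthernet4/0/2]:
Admin status : Rx_Only
Number of neighbors : {2}
Number of received unknown TLV : {3}
"""
BEFORE = TEMPLATE.format(1, 0, 1, 0)
AFTER = TEMPLATE.format(1, 5, 0, 0)

if __name__ == "__main__":
    for change in neighbor_changes(BEFORE, AFTER):
        print(change)
```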
[Router] interface GigabitEthernet 4/0/2
[Router-GigabitEthernet4/0/2] port link-type trunk
[Router-GigabitEthernet4/0/2] voice vlan 2 enable
[Router-GigabitEthernet4/0/2] quit

2. Configure CDP-compatible LLDP on Router:

# Enable LLDP globally and enable LLDP to be compatible with CDP globally.
[Router] lldp enable
[Router] lldp compliance cdp

# Enable LLDP on GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2. (You can skip this step because LLDP is enabled on ports by default.
Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website: http://www.hp.
Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention: Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[ ]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons

• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.