HP HSR6800 Routers
Layer 2 - LAN Switching Configuration Guide
Part number: 5998-4489
Software version: HSR6800-CMW520-R3303P05
Document version: 6PW105-20140507
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Configuring the MAC address table

This book covers only the unicast MAC address table. For information about configuring static multicast MAC address table entries, see IP Multicast Configuration Guide. For information about MAC address table configuration in VPLS, see MPLS Configuration Guide.

The MAC address table configuration tasks can be performed in any order.

The MAC address table is available only on SAP modules that are operating in bridge mode.
Manually configuring MAC address entries

With dynamic MAC address learning, a device does not distinguish between illegitimate and legitimate frames. For example, when a hacker sends frames with a forged source MAC address to a port different from the one to which the real MAC address is connected, the device creates an entry for the forged MAC address, and forwards frames destined for the legitimate user to the hacker instead.
Step 2. Add or modify a dynamic or static MAC address entry.
  Command: mac-address { dynamic | static } mac-address interface interface-type interface-number vlan vlan-id
  Remarks: By default, no MAC address entry is configured. Make sure you have created the VLAN and assigned the interface to the VLAN.

Adding or modifying a static or dynamic MAC address table entry in interface view

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter Layer 2 Ethernet or aggregate interface view.
Disabling global MAC address learning

Disabling global MAC address learning disables the learning function on all ports.

To disable global MAC address learning:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Disable global MAC address learning.
  Command: mac-address mac-learning disable
  Remarks: By default, global MAC address learning is enabled.

Disabling MAC address learning on ports

You can disable MAC address learning on a single port, or on all ports in a port group.
Configuring the aging timer for dynamic MAC address entries

The MAC address table uses an aging timer for dynamic MAC address entries for security and efficient use of table space. If a dynamic MAC address entry has failed to update before the aging timer expires, the device deletes that entry. This aging mechanism makes sure the MAC address table can promptly update to accommodate the most recent network changes. Set the aging timer appropriately.
Step 3. Configure the MAC learning limit on the interface or port group.
  Command: mac-address max-mac-count count
  Remarks: By default, the MAC learning limit on an interface is not configured.

Displaying and maintaining MAC address tables

Task: Display MAC address table information.
Figure 1 Network diagram

Configuration procedure

# Add a static MAC address entry.
system-view
[Router] mac-address static 000f-e235-dc71 interface GigabitEthernet 4/0/1 vlan 1
# Add a destination blackhole MAC address entry.
[Router] mac-address blackhole 000f-e235-abcd vlan 1
# Set the aging timer for dynamic MAC address entries to 500 seconds.
[Router] mac-address timer aging 500
# Display the MAC address entry for GigabitEthernet 4/0/1.
Configuring MAC Information

The MAC Information feature is available only on SAP modules that are operating in bridge mode.

The MAC Information feature can generate syslog messages or SNMP traps when MAC address entries are learned or deleted. You can use these messages to monitor users joining or leaving the network and to watch for suspicious users. The MAC Information feature buffers the MAC change syslog messages or SNMP traps in a queue and sends them to the information center regularly.
Step 2. Configure MAC Information mode.
  Command: mac-address information mode { syslog | trap }
  Remarks: Optional. The default setting is trap.

Configuring the interval for sending syslog or trap messages

To prevent syslog or trap messages from being sent too frequently, change the interval for sending syslog or trap messages.

To set the interval for sending syslog or trap messages:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2.
Figure 2 Network diagram (Router with interfaces GE4/0/1, GE4/0/2, and GE4/0/3; Host A, Host B, and Server; addresses 192.168.1.1/24, 192.168.1.2/24, and 192.168.1.3/24)

Configuration procedure

1. Configure Router to send syslog messages to Host B (see Network Management and Monitoring Configuration Guide).
2. Enable MAC Information.
# Enable MAC Information globally.
system-view
[Router] mac-address information enable
# Configure MAC Information mode as syslog.
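One way to use the MAC change messages for monitoring, as an added example that is not part of the guide: the Python below flags a MAC address that is learned on a second port while its earlier entry is still present (the forged-source-MAC case described under manually configuring MAC address entries) and a port that accumulates more learned addresses than a chosen limit. The record layout, the sample lines, the limit and the function names are constructed for the example and are not the router's syslog format.

```python
import re
from collections import defaultdict

# Constructed MAC change records, one event per line. This layout is an
# assumption for the example, NOT the router's syslog format; adapt PATTERN
# to the messages your collector actually receives.
SAMPLE = """\
2014-05-07T09:00:01 learned 000f-e235-dc71 vlan=1 port=GE4/0/1
2014-05-07T09:00:05 learned 000f-e235-0002 vlan=1 port=GE4/0/2
2014-05-07T09:03:10 learned 000f-e235-dc71 vlan=1 port=GE4/0/3
2014-05-07T09:04:00 deleted 000f-e235-0002 vlan=1 port=GE4/0/2
2014-05-07T09:04:30 learned 000f-e235-0002 vlan=1 port=GE4/0/1
2014-05-07T09:05:00 learned 000f-e2aa-0001 vlan=1 port=GE4/0/3
2014-05-07T09:05:01 learned 000f-e2aa-0002 vlan=1 port=GE4/0/3
2014-05-07T09:05:02 learned 000f-e2aa-0003 vlan=1 port=GE4/0/3
"""

PATTERN = re.compile(
    r"(?P<ts>\S+) (?P<action>learned|deleted) "
    r"(?P<mac>[0-9a-f]{4}(?:-[0-9a-f]{4}){2}) "
    r"vlan=(?P<vlan>\d+) port=(?P<port>\S+)"
)


def analyze(lines, max_per_port=3):
    """Replay MAC learn/delete events and return a list of alerts.

    Alerts are (kind, timestamp, subject, detail) tuples:
      mac-move        - a MAC was learned on a new port while its entry on
                        another port in the same VLAN had not been deleted
      port-over-limit - a port now holds more than max_per_port MACs
    """
    table = {}                    # (vlan, mac) -> port currently holding it
    per_port = defaultdict(set)   # port -> set of (vlan, mac)
    alerts = []
    for line in lines:
        m = PATTERN.fullmatch(line.strip())
        if not m:
            continue              # ignore unrelated or malformed lines
        key, port = (int(m["vlan"]), m["mac"]), m["port"]
        if m["action"] == "deleted":
            # A late delete for the old port must not erase the new entry.
            if table.get(key) == port:
                del table[key]
            per_port[port].discard(key)
            continue
        old = table.get(key)
        if old is not None and old != port:
            alerts.append(("mac-move", m["ts"], m["mac"], f"{old} -> {port}"))
            per_port[old].discard(key)
        table[key] = port
        per_port[port].add(key)
        # Alert once, at the moment the limit is first exceeded.
        if len(per_port[port]) == max_per_port + 1:
            alerts.append(("port-over-limit", m["ts"], port,
                           f"{len(per_port[port])} MACs"))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE.splitlines()):
        print(*alert)
```

A MAC that is deleted and then learned elsewhere (the fifth sample record) is treated as a normal relocation and raises no alert.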
Configuring Ethernet link aggregation

Layer 2 aggregation groups are supported only on SAP modules operating in bridge mode.

Overview

Ethernet link aggregation, or simply link aggregation, combines multiple physical Ethernet ports into one logical link called an "aggregate link." Link aggregation delivers the following benefits:
• Increases bandwidth beyond the limits of any single link. In an aggregate link, traffic is distributed across the member ports.
• Improves link reliability.
You can assign Layer 2 Ethernet interfaces only to a Layer 2 aggregation group, and Layer 3 Ethernet interfaces only to a Layer 3 aggregation group.

Aggregation states of member ports in an aggregation group

A member port in an aggregation group can be in either of the following aggregation states:
• Selected—A Selected port can forward user traffic.
• Unselected—An Unselected port cannot forward user traffic.
Reference port

When setting the aggregation state of the ports in an aggregation group, the system automatically picks a member port as the reference port. A Selected port must have the same port attributes and class-two configurations as the reference port. For information about how a reference port is chosen in a static link aggregation group, see "Choosing a reference port" in the section "Aggregating links in static mode.
Category: Extended LACP functions
Description: Implemented by extending the LACPDU with new TLV fields. This is how IRF LACP MAD is implemented. If a device supports LACP extensions, the device can:
• Participate in LACP MAD as either an IRF member device or an intermediate device. (In IRF mode.)
• Participate in LACP MAD only as an intermediate device. (In standalone mode.)
For more information about IRF, member devices, intermediate devices, and the LACP MAD mechanism, see IRF Configuration Guide.

2.
The one at the top is chosen as the reference port. If two ports have the same aggregation priority, duplex mode, and speed, the one with the lower port number is chosen.

Setting the aggregation state of each member port

After choosing the reference port, the static aggregation group sets the aggregation state of each member port, as shown in Figure 4.
aggregation priority value is chosen. If two ports have the same aggregation priority, the system compares their port numbers. The port with the smaller port number is chosen.

Setting the aggregation state of each member port

After the reference port is chosen, the system with the lower system ID sets the state of each member port in the dynamic aggregation group on its side.
When the port attribute configurations or class-two configurations of a member port change, the Selected/Unselected state of all other member ports in the dynamic aggregation group might change.

Load-sharing criteria for link aggregation groups

In a link aggregation group, traffic can be load-shared across the selected member ports based on a set of criteria, depending on your configuration.
Configuring an aggregation group

You can choose to create a Layer 2 or Layer 3 link aggregation group depending on the ports to be aggregated:
• To aggregate Layer 2 Ethernet interfaces, create a Layer 2 link aggregation group.
• To aggregate Layer 3 Ethernet interfaces, create a Layer 3 link aggregation group.

Configuration guidelines

• You cannot assign a port to a Layer 2 aggregation group if any of the features listed in Table 5 is configured on the port.
To configure a Layer 2 static aggregation group:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a Layer 2 aggregate interface and enter Layer 2 aggregate interface view.
  Command: interface bridge-aggregation interface-number
  Remarks: When you create a Layer 2 aggregate interface, the system automatically creates a Layer 2 static aggregation group numbered the same.
Step 3. Exit to system view.
  Command: quit
  Remarks: N/A
Step 4. Assign a Layer 2 Ethernet interface to the aggregation group.
  a.
Step 5. Assign the port an aggregation priority.
  Command: link-aggregation port-priority port-priority
  Remarks: Optional. By default, the aggregation priority of a port is 32768. When the number of ports eligible for becoming Selected ports exceeds the maximum number of Selected ports allowed in a static aggregation group, changing the aggregation priority of a port might affect the aggregation state of the ports in the static aggregation group.
Step 7. Assign the port an aggregation priority.
  Remarks: Optional. By default, the aggregation priority of a port is 32768.
Step 8. Set the LACP timeout interval on the port to the short timeout interval (1 second).
Step 7. Assign the port an aggregation priority.
  Remarks: Optional. By default, the aggregation priority of a port is 32768.
Step 8. Set the LACP timeout interval on the port to the short timeout interval (1 second).

When the number of ports eligible for becoming Selected ports exceeds the maximum number of Selected ports allowed in a dynamic aggregation group, changing the aggregation priority of a port might affect the aggregation state of ports in the dynamic aggregation group.
Configuring the MTU of a Layer 3 aggregate interface or subinterface

IMPORTANT: To guarantee data transmission, make sure the MTU of a Layer 3 aggregate interface is not greater than the maximum MTU of its member ports.

The MTU of an interface affects IP packet fragmentation and reassembly on the interface.

To change the MTU of a Layer 3 aggregate interface or subinterface:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter Layer 3 aggregate interface or subinterface view.
Step 3. Specify a card to process and forward traffic for the interface.
  Command:
  • In standalone mode:
Step 2. Enter aggregate interface view.
  Command:
  • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
  • Enter Layer 3 aggregate interface view: interface route-aggregation interface-number
  Remarks: Use either command.
Step 3. Set the expected bandwidth for the aggregate interface.
You can configure global or group-specific load-sharing criteria. A link aggregation group preferentially uses the group-specific load-sharing criteria. If no group-specific load-sharing criteria are available, the group uses the global load-sharing criteria.

Configuring the global link-aggregation load sharing criteria

Step 1. Enter system view.
Step 2. Configure the global link-aggregation load-sharing criteria.
Figure 6 Local-first link-aggregation load sharing

To enable local-first load sharing for link aggregation:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enable local-first load-sharing for link aggregation.
  Command: link-aggregation load-sharing mode local-first
  Remarks: Optional. By default, the function is enabled.

Displaying and maintaining Ethernet link aggregation

Task: Display information about aggregate interfaces.
Task: Display detailed link aggregation information for link aggregation member ports.
  Command: display link-aggregation member-port [ interface-list ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display summary information about all aggregation groups.
  Command: display link-aggregation summary [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display detailed information about a specific or all aggregation groups.
Configuration procedure

1. Configure Router A:
# Create VLAN 10, and assign port GigabitEthernet 4/0/4 to VLAN 10.
system-view
[RouterA] vlan 10
[RouterA-vlan10] port GigabitEthernet 4/0/4
[RouterA-vlan10] quit
# Create VLAN 20, and assign port GigabitEthernet 4/0/5 to VLAN 20.
[RouterA] vlan 20
[RouterA-vlan20] port GigabitEthernet 4/0/5
[RouterA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1.
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Actor System ID: 0x8000, 000f-e2ff-0001

AGG         AGG       Partner ID               Select Unselect Share
Interface   Mode                               Ports  Ports    Type
-------------------------------------------------------------------------------
BAGG1       S         none                     3      0        Shar

The output shows that link aggregation group 1 is a load-shared Layer 2 static aggregation group and it contains three Selected ports.

# Display the global link-aggregation load-sharing criteria on Router A.
[RouterA-vlan10] quit
# Create VLAN 20, and assign the port GigabitEthernet 4/0/5 to VLAN 20.
[RouterA] vlan 20
[RouterA-vlan20] port GigabitEthernet 4/0/5
[RouterA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1, and configure the link aggregation mode as dynamic.
[RouterA] interface bridge-aggregation 1
[RouterA-Bridge-Aggregation1] link-aggregation mode dynamic
# Assign ports GigabitEthernet 4/0/1 through GigabitEthernet 4/0/3 to link aggregation group 1 one at a time.
BAGG1       D         0x8000, 000f-e2ff-0002   3      0        Shar

The output shows that link aggregation group 1 is a load-shared Layer 2 dynamic aggregation group, and it contains three Selected ports.

# Display the global link-aggregation load-sharing criteria on Router A.
[RouterA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1, and configure the load sharing criterion for the link aggregation group as the source MAC addresses of packets.
[RouterA] interface bridge-aggregation 1
[RouterA-Bridge-Aggregation1] link-aggregation load-sharing mode source-mac
[RouterA-Bridge-Aggregation1] quit
# Assign ports GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2 to link aggregation group 1.
Aggregation Interface Type: BAGG -- Bridge-Aggregation, RAGG -- Route-Aggregation
Aggregation Mode: S -- Static, D -- Dynamic
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Actor System ID: 0x8000, 000f-e2ff-0001

AGG         AGG       Partner ID               Select Unselect Share
Interface   Mode                               Ports  Ports    Type
-------------------------------------------------------------------------------
BAGG1       S         none                     2      0        Shar
BAGG2       S         none                     2      0        Shar

The output shows that link aggregation groups 1 and 2 are both lo
[RouterA-Route-Aggregation1] ip address 192.168.1.1 24
[RouterA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces GigabitEthernet 4/0/1 through GigabitEthernet 4/0/3 to aggregation group 1.
Enable traffic to be load-shared across aggregation group member ports based on source and destination IP addresses.

Figure 11 Network diagram

Configuration procedure

1. Configure Router A:
# Create Layer 3 aggregate interface Route-Aggregation 1, configure the link aggregation mode as dynamic, and configure an IP address and subnet mask for the aggregate interface.
The output shows that link aggregation group 1 is a load-shared Layer 3 dynamic aggregation group and it contains three Selected ports.

# Display the global link-aggregation load-sharing criteria on Router A.
[RouterA] display link-aggregation load-sharing mode
Link-Aggregation Load-Sharing Mode:
destination-ip address, source-ip address

The output shows that the global link-aggregation load-sharing criteria are the source and destination IP addresses of packets.
[RouterA] interface route-aggregation 2
[RouterA-Route-Aggregation2] link-aggregation load-sharing mode destination-ip
[RouterA-Route-Aggregation2] ip address 192.168.2.1 24
[RouterA-Route-Aggregation2] quit
# Assign Layer 3 Ethernet interfaces GigabitEthernet 4/0/3 and GigabitEthernet 4/0/4 to aggregation group 2.
Configuring port isolation

The port isolation feature is supported on SAP cards that are operating in bridge mode.

Overview

Port isolation enables isolating Layer 2 traffic for data privacy and security without using VLANs. You can also use this feature to isolate the hosts in a VLAN from one another.

The device supports only one isolation group that is created automatically by the system as isolation group 1.
Port isolation configuration example

Network requirements

As shown in Figure 13, GigabitEthernet 3/0/1, GigabitEthernet 3/0/2, GigabitEthernet 3/0/3, and GigabitEthernet 3/0/4 are in the same VLAN. Configure the router to provide Internet access for LAN users Host A, Host B, and Host C, and isolate them from one another at Layer 2.

Figure 13 Network diagram

Configuration procedure

# Assign ports GigabitEthernet 3/0/1, GigabitEthernet 3/0/2 and GigabitEthernet 3/0/3 to the isolation group.
Configuring spanning tree protocols

This feature is supported on SAP modules that are operating in bridge mode.

As a Layer 2 management protocol, the Spanning Tree Protocol (STP) eliminates Layer 2 loops by selectively blocking redundant links in a network, putting them in a standby state, which still allows for link redundancy.

The recent versions of STP include the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP).

STP

STP was developed based on the 802.
Basic concepts in STP

Root bridge

A tree network must have a root bridge. The entire network contains only one root bridge. All the other bridges in the network are called "leaf nodes." The root bridge is not permanent, but can change when the network topology changes.

Upon initialization of a network, each device generates and periodically sends configuration BPDUs with itself as the root bridge.
STP algorithm

The spanning tree calculation process described in the following sections is a simplified process for example only.

Calculation process

The STP algorithm uses the following calculation process:
1. State initialization. Upon initialization of a device, each port generates a BPDU with the device as the designated port, the device as the root bridge, 0 as the root path cost, and the device ID as the designated bridge ID.
2. Root bridge selection.
Table 8 Selecting the optimum configuration BPDU

Step 1. Upon receiving a configuration BPDU on a port, the device compares the priority of the received configuration BPDU with that of the configuration BPDU generated by the port, and:
• If the former priority is lower, the device discards the received configuration BPDU and keeps the configuration BPDU that the port generated.
Table 9 Initial state of each device

Device     Port name   Configuration BPDU on the port
Device A   Port A1     {0, 0, 0, Port A1}
Device A   Port A2     {0, 0, 0, Port A2}
Device B   Port B1     {1, 0, 1, Port B1}
Device B   Port B2     {1, 0, 1, Port B2}
Device C   Port C1     {2, 0, 2, Port C1}
Device C   Port C2     {2, 0, 2, Port C2}

2. BPDU comparison on each device.

In Table 10, each configuration BPDU contains the following fields: root bridge ID, root path cost, designated bridge ID, and designated port ID.
Columns: Device / Comparison process / Configuration BPDU on ports after comparison

• Port C1 receives the configuration BPDU of Port A2 {0, 0, 0, Port A2}, finds that the received configuration BPDU is superior to its existing configuration BPDU {2, 0, 2, Port C1}, and updates its configuration BPDU.
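The calculation described above, carried through in Python as an added example (not code from the guide or the device). Bridge IDs 0, 1 and 2 and the port names come from Table 9; the link path costs (5, 10 and 4) and the function names are assumptions made for the example.

```python
from typing import NamedTuple


class BPDU(NamedTuple):
    """Configuration BPDU fields in the order the page lists them.
    Tuples compare field by field; the lower tuple is the superior BPDU."""
    root_id: int
    root_cost: int
    bridge_id: int
    port_id: str


# Bridge IDs as in Table 9. Link costs are assumed for this example.
BRIDGES = {"A": 0, "B": 1, "C": 2}
LINKS = [  # ((device, port), (device, port), path cost)
    (("A", "A1"), ("B", "B1"), 5),
    (("A", "A2"), ("C", "C1"), 10),
    (("B", "B2"), ("C", "C2"), 4),
]


def run_stp(bridges, links, max_rounds=50):
    """Iterate BPDU comparison until no port changes.

    Returns (role, sent): role maps each port to 'root', 'designated' or
    'blocked'; sent maps each port to the BPDU it would advertise.
    """
    ports = {}  # port -> (owning device, peer port, path cost)
    for (d1, p1), (d2, p2), cost in links:
        ports[p1] = (d1, p2, cost)
        ports[p2] = (d2, p1, cost)

    # State initialization: every device claims to be root, cost 0,
    # and every port starts as a designated port (Table 9).
    sent = {p: BPDU(bridges[d], 0, bridges[d], p)
            for p, (d, _, _) in ports.items()}
    role = {p: "designated" for p in ports}

    for _ in range(max_rounds):
        before = (dict(sent), dict(role))
        for dev, bid in bridges.items():
            mine = [p for p in ports if ports[p][0] == dev]
            # Only designated ports transmit configuration BPDUs.
            heard = {p: sent[ports[p][1]] for p in mine
                     if role[ports[p][1]] == "designated"}
            # Candidate root paths: received BPDU plus the receiving
            # port's own path cost; the receiving port breaks ties.
            vectors = [(b.root_id, b.root_cost + ports[p][2],
                        b.bridge_id, b.port_id, p)
                       for p, b in heard.items()]
            own = (bid, 0, bid, "", "")      # "I am the root bridge"
            best = min(vectors + [own])
            root_port = best[4] or None
            for p in mine:
                # BPDU this device would send out of port p.
                calc = BPDU(best[0], best[1], bid, p)
                if p == root_port:
                    role[p] = "root"
                elif p in heard and heard[p] < calc:
                    role[p] = "blocked"      # the peer's BPDU is superior
                else:
                    role[p] = "designated"
                sent[p] = calc
        if (sent, role) == before:
            break
    return role, sent


if __name__ == "__main__":
    roles, bpdus = run_stp(BRIDGES, LINKS)
    for port in sorted(roles):
        print(port, roles[port], tuple(bpdus[port]))
```

With these costs Device C reaches the root through Device B (root path cost 5 + 4 = 9) rather than directly (cost 10), so Port C2 becomes its root port and Port C1 is blocked.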
Figure 16 The final calculated spanning tree (diagram: Devices A, B, and C; legend: root bridge, root port, designated port, blocked port, normal link, blocked link)

The configuration BPDU forwarding mechanism of STP

The configuration BPDUs of STP are forwarded according to these guidelines:
• Upon network initiation, every device regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular hello interval.
RSTP

RSTP achieves rapid network convergence by allowing a newly elected root port or designated port to enter the forwarding state much faster than STP. A newly elected RSTP root port rapidly enters the forwarding state if the old root port on the device has stopped forwarding data and the upstream designated port has started forwarding data.
Figure 17 Basic concepts in MSTP (diagram: MST region 1 through MST region 4 joined by the CST; within each region, VLANs are mapped to MSTI 1, MSTI 2, and MSTI 0)

Figure 18 Network diagram and topology of MST region 3 (diagram: Device A, Device B, Device C, and Device D in MST region 3, with links to MST region 2 and MST region 4, the regional root, and the topologies of MSTI 0, MSTI 1, and MSTI 2)
• Same VLAN-to-instance mapping configuration.
• Same MSTP revision level.
• Physically linked together.

Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST region. In Figure 17, the switched network comprises MST region 1 through MST region 4, and all devices in each MST region have the same MST region configuration.

MSTI

MSTP can generate multiple independent spanning trees in an MST region, and each spanning tree is mapped to specific VLANs.
Port roles

A port can play different roles in different MSTIs. As shown in Figure 19, an MST region comprises Device A, Device B, Device C, and Device D. Port A1 and port A2 of Device A connect to the common root bridge. Port B2 and Port B3 of Device B form a loop. Port C3 and Port C4 of Device C connect to other MST regions. Port D3 of Device D directly connects to a host.
• Forwarding—The port receives and sends BPDUs, learns MAC addresses, and forwards user traffic.
• Learning—The port receives and sends BPDUs, learns MAC addresses, but does not forward user traffic. Learning is an intermediate port state.
• Discarding—The port receives and sends BPDUs, but does not learn MAC addresses or forward user traffic.

When in different MSTIs, a port can be in different states. A port state is not exclusively associated with a port role.
• Root bridge hold
• Root bridge backup
• Root guard
• BPDU guard
• Loop guard
• TC-BPDU guard
• Support for hot swapping of interface cards and active/standby changeover

Protocols and standards

• IEEE 802.1d, Media Access Control (MAC) Bridges
• IEEE 802.1w, Part 3: Media Access Control (MAC) Bridges—Amendment 2: Rapid Reconfiguration
• IEEE 802.
STP configuration task list

Configuring the root bridge:
• Setting the spanning tree mode: Required. Configure the device to operate in STP mode.
• Configuring the root bridge or a secondary root bridge: Optional.
• Configuring the device priority: Optional.
• Configuring the network diameter of a switched network: Optional.
• Configuring spanning tree timers: Optional.
• Configuring the timeout factor: Optional.
• Configuring the maximum port rate: Optional.
Configuring the root bridge:
• Setting the spanning tree mode: Required. Configure the device to operate in RSTP mode.
• Configuring the root bridge or a secondary root bridge: Optional.
• Configuring the device priority: Optional.
• Configuring the network diameter of a switched network: Optional.
• Configuring spanning tree timers: Optional.
• Configuring the timeout factor: Optional.
• Configuring the maximum port rate: Optional.
• Configuring edge ports: Optional.
Configuring the root bridge:
• Setting the spanning tree mode: Optional. By default, the device operates in MSTP mode.
• Configuring an MST region: Required.
• Configuring the root bridge or a secondary root bridge: Optional.
• Configuring the device priority: Optional.
• Configuring the maximum hops of an MST region: Optional.
• Configuring the network diameter of a switched network: Optional.
• Configuring spanning tree timers: Optional.
• Configuring the timeout factor: Optional.
Configuring protection functions: Optional.

Setting the spanning tree mode

The spanning tree modes include the following:
• STP mode—All ports of the device send STP BPDUs. Select this mode when the peer device of a port supports only STP.
• RSTP mode—All ports of the device send RSTP BPDUs. When an RSTP port receives STP BPDUs from a peer device, it automatically transits to STP mode. When an RSTP port receives MSTP BPDUs from a peer device, it stays in RSTP mode.
Step Command Remarks Configure the VLAN-to-instance mapping table. instance instance-id vlan vlan-list Optional. Or All VLANs in an MST region are mapped to the CIST (or MSTI 0) by default. Configure the MSTP revision level of the MST region. revision-level level Display the MST region configurations that are not activated yet. check region-configuration Optional. 7. Activate MST region configuration manually. active region-configuration N/A 8.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure the current device as the root bridge.
  Command:
  • In STP/RSTP mode: stp root primary
  • In MSTP mode: stp [ instance instance-id ] root primary
  Remarks: Use one of the commands. By default, a device does not function as the root bridge.

Configuring the current device as a secondary root bridge of a specific spanning tree

To configure the current device as a secondary root bridge of a specific spanning tree:

Step 1. Enter system view.
Configuring the maximum hops of an MST region

By setting the maximum hops of an MST region, you can restrict the region size. The maximum hops configured on the regional root bridge will be used as the maximum hops of the MST region.

Configuration BPDUs sent by the regional root bridge always have a hop count set to the maximum value. When a device receives this configuration BPDU, it decrements the hop count by 1 and uses the new hop count in BPDUs that it propagates.
discarding state to the forwarding state. The port transits its state after a forward delay timer expires, to make sure that the state transition of the local port remains synchronized with the peer.
• Hello time—The device detects whether a link failure has occurred with the hello time interval. The spanning tree sends a configuration BPDU during every hello time interval. If the device receives no configuration BPDUs within the hello time interval, it recalculates the spanning tree.
Step 3. Configure the hello timer.
  Command: stp timer hello time
  Remarks: Optional. The default setting is 2 seconds.
Step 4. Configure the max age timer.
  Command: stp timer max-age time
  Remarks: Optional. The default setting is 20 seconds.

Configuring the timeout factor

The timeout factor is a parameter used to calculate the timeout time in the following formula: Timeout time = timeout factor × 3 × hello time.
Step 2. Enter interface view or port group view.
  Command:
  • Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
  • Enter port group view: port-group manual port-group-name
  Remarks: Use one of the commands.
Step 3. Configure the maximum rate of the ports.
  Command: stp transmit-limit limit
  Remarks: The default setting is 10.
Configuring path costs of ports

Path cost is a parameter related to the rate of a port. On a spanning tree device, a port can have different path costs in different MSTIs. Setting appropriate path costs allows VLAN traffic flows to be forwarded along different physical links, achieving VLAN-based load balancing.

You can have the device automatically calculate the default path cost, or you can configure the path cost for ports.
Path cost Link speed 10 Gbps Port type IEEE 802.1d-1998 IEEE 802.
Step 2. Enter interface view or port group view.
  Command:
  • Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
  • Enter port group view: port-group manual port-group-name
  Remarks: Use one of the commands.
Step 3. Configure the path cost of the ports.
  Command:
  • In STP/RSTP mode:
  • In MSTP mode:
  Remarks: Use one of the commands. By default, the system automatically calculates the path cost of each port.
Step 3. Configure the port priority.
  Command:
  • In STP/RSTP mode: stp port priority priority
  • In MSTP mode: stp [ instance instance-id ] port priority priority
  Remarks: Use one of the commands. The default setting is 128.

Configuring the port link type

A point-to-point link directly connects two devices. If two root ports or designated ports are connected over a point-to-point link, they can rapidly transit to the forwarding state after a proposal-agreement handshake process.
• dot1s—802.1s-compliant standard format
• legacy—Compatible format

By default, the packet format recognition mode of a port is auto. The port automatically distinguishes the two MSTP packet formats, and determines the format of packets that it will send based on the recognized format. You can configure the MSTP packet format on a port.
Enabling the spanning tree feature

You must enable the spanning tree feature for the device before any other spanning tree related configurations can take effect. You can disable the spanning tree feature for certain ports with the undo stp enable command to exclude them from spanning tree calculation and save CPU resources of the device. In STP, RSTP, or MSTP mode, make sure that the spanning tree feature is enabled globally and on the desired ports.
Performing mCheck globally

Step 1. Enter system view.
  Command: system-view
Step 2. Perform mCheck.
  Command: stp mcheck

Performing mCheck in interface view

Step 1. Enter system view.
  Command: system-view
Step 2. Enter Ethernet interface view or Layer 2 aggregate interface view.
  Command: interface interface-type interface-number
Step 3. Perform mCheck.
  Command: stp mcheck

Configuring digest snooping

As defined in IEEE 802.
might be interrupted because the local VLAN-to-instance mapping is different from that on a neighbor device. Perform these operations with caution.
• To make digest snooping take effect, you must enable it both globally and on associated ports. HP recommends that you enable digest snooping on all associated ports first and then globally. This will make the configuration take effect on all configured ports and reduce impact on the network.
Figure 20 Network diagram

Configuration procedure

# Enable digest snooping on GigabitEthernet 4/0/1 of Router A and enable global digest snooping on Router A.
<RouterA> system-view
[RouterA] interface GigabitEthernet 4/0/1
[RouterA-GigabitEthernet4/0/1] stp config-digest-snooping
[RouterA-GigabitEthernet4/0/1] quit
[RouterA] stp config-digest-snooping
# Enable digest snooping on GigabitEthernet 4/0/1 of Router B and enable global digest snooping on Router B.
Figure 21 Rapid state transition of an MSTP designated port

Figure 22 Rapid state transition of an RSTP designated port

If the upstream device is a third-party device, the rapid state transition implementation might be limited.
To configure No Agreement Check:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface or port group view.
  Command:
  • Enter Ethernet interface view or Layer 2 aggregate interface view: interface interface-type interface-number
  • Enter port group view: port-group manual port-group-name
  Remarks: Use one of the commands.
Step 3. Enable No Agreement Check.
  Command: stp no-agreement-check
  Remarks: By default, No Agreement Check is disabled.
Figure 24 TC snooping application scenario

In the network, the IRF fabric transparently transmits the received BPDUs and does not participate in spanning tree calculations. When a topology change occurs to the IRF fabric or user networks, the IRF fabric might need a long time to learn the correct MAC address table entries and ARP entries, resulting in long network disruption. To avoid the network disruption, you can enable TC snooping on the IRF fabric.
Configuring protection functions

A spanning tree device supports the following protection functions:
• BPDU guard
• Root guard
• Loop guard
• TC-BPDU guard

Enabling BPDU guard

For access layer devices, access ports can directly connect to user terminals (such as PCs) or file servers. Access ports are configured as edge ports to allow rapid transition.
this port in the MSTI. If the port receives no BPDUs with a higher priority after a period that is twice the forwarding delay, it reverts to its original state.

Configure root guard on a designated port. You cannot configure root guard and loop guard on a port at the same time.

To enable root guard:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view or port group view.
  Command:
  • Enter Ethernet interface view or Layer 2
Step 3. Enable the loop guard function for the ports.
  Command: stp loop-protection
  Remarks: By default, loop guard is disabled.

Enabling TC-BPDU guard

When a device receives topology change (TC) BPDUs (the BPDUs that notify devices of topology changes), the device flushes the forwarding address entries. If someone forges TC-BPDUs to attack the device, the device will receive a large number of TC-BPDUs within a short time and be busy with flushing forwarding address entries.
Task: Display historical information about port role calculations for the specified MSTI or all MSTIs (in IRF mode).
  Command: display stp [ instance instance-id ] history [ chassis chassis-number slot slot-number ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display statistics about TC/TCN BPDUs sent and received by all ports in the specified MSTI or all MSTIs (in standalone mode).
Figure 25 Network diagram (MST region containing Router A, Router B, Router C, and Router D; port labels GE4/0/2 and GE4/0/3; link labels Permit: all VLAN; Permit: VLAN 10, 20; Permit: VLAN 20, 30; Permit: VLAN 20, 40)

Configuration procedure

1. Configure VLANs and VLAN member ports:
Create VLAN 10, VLAN 20, and VLAN 30 on Router A and Router B, respectively.
<RouterB> system-view
[RouterB] stp region-configuration
[RouterB-mst-region] region-name example
[RouterB-mst-region] instance 1 vlan 10
[RouterB-mst-region] instance 3 vlan 30
[RouterB-mst-region] instance 4 vlan 40
[RouterB-mst-region] revision-level 0
# Activate MST region configuration.
[RouterB-mst-region] active region-configuration
[RouterB-mst-region] quit
# Specify the current device as the root bridge of MSTI 3.
[RouterB] stp instance 3 root primary
# Enable the spanning tree feature globally.
# Enable the spanning tree feature globally.
[RouterD] stp enable

Verifying the configuration:

In this example, suppose Router B has the lowest root bridge ID. As a result, Router B is elected as the root bridge of MSTI 0.
You can use the display stp brief command to display brief spanning tree information on each device after the network is stable.
# Display brief spanning tree information on Router A.
Based on the output, you can draw the MSTI mapped to each VLAN, as shown in Figure 26.
Configuring BPDU tunneling

BPDU tunneling is supported on SAP modules that are operating in bridge mode.

Overview

As a Layer 2 tunneling technology, BPDU tunneling enables Layer 2 protocol packets from geographically dispersed customer networks to be transparently transmitted over specific tunnels across a service provider network.

Background

Dedicated lines are used in a service provider network to build user-specific Layer 2 networks.
• CDP
• DLDP
• EOAM
• GVRP
• HGMP
• LACP
• LLDP
• PAGP
• PVST
• STP
• UDLD
• VTP

BPDU tunneling implementation

The BPDU tunneling implementations for different protocols are all similar. This section uses the Spanning Tree Protocol (STP) to describe how to implement BPDU tunneling.
This document uses the term STP in a broad sense. It includes STP, RSTP, and MSTP.
STP calculates the topology of a network by transmitting BPDUs among devices in the network.
Figure 28 BPDU tunneling implementation

The upper section of Figure 28 represents the service provider network (ISP network). The lower section, including User A network 1 and User A network 2, represents the customer networks. Enabling BPDU tunneling on edge devices (PE 1 and PE 2) in the service provider network allows BPDUs of User A network 1 and User A network 2 to be transparently transmitted through the service provider network.
• Before you enable BPDU tunneling for DLDP, EOAM, GVRP, HGMP, LLDP, or STP on a port, disable the protocol on the port.
• Because PVST is a special STP protocol, you must do two things before you enable BPDU tunneling for PVST on a port: first, disable STP; second, enable BPDU tunneling for STP on the port.
• Do not enable BPDU tunneling for DLDP, EOAM, LACP, LLDP, PAGP, or UDLD on the member port of a Layer 2 aggregation group.
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Configure the destination multicast MAC address for BPDUs.
  Command: bpdu-tunnel tunnel-dmac mac-address
  Remarks: Optional. The default setting is 0x010F-E200-0003.

For BPDUs to be recognized, the destination multicast MAC addresses configured for BPDU tunneling must be the same on the edge devices on the service provider network.
[PE1-vlan2] quit
[PE1] interface GigabitEthernet 3/0/1
[PE1-GigabitEthernet3/0/1] port access vlan 2
# Disable STP on GigabitEthernet 3/0/1, and then enable BPDU tunneling for STP on it.
[PE1-GigabitEthernet3/0/1] undo stp enable
[PE1-GigabitEthernet3/0/1] bpdu-tunnel dot1q stp

2. Configure PE 2:
# Configure the destination multicast MAC address for BPDUs as 0x0100-0CCD-CDD0.
<PE2> system-view
[PE2] bpdu-tunnel tunnel-dmac 0100-0ccd-cdd0
# Create VLAN 2 and assign GigabitEthernet 3/0/2 to VLAN 2.
Configuration procedure

1. Configure PE 1:
# Configure the destination multicast MAC address for BPDUs as 0x0100-0CCD-CDD0.
<PE1> system-view
[PE1] bpdu-tunnel tunnel-dmac 0100-0ccd-cdd0
# Configure GigabitEthernet 3/0/1 as a trunk port and assign it to all VLANs.
[PE1] interface GigabitEthernet 3/0/1
[PE1-GigabitEthernet3/0/1] port link-type trunk
[PE1-GigabitEthernet3/0/1] port trunk permit vlan all
# Disable STP on GigabitEthernet 3/0/1, and then enable BPDU tunneling for STP and PVST on it.
Configuring VLANs

The VLAN feature is supported on SAP modules that are operating in bridge mode.

Overview

Ethernet is a shared-media network based on the CSMA/CD mechanism. A LAN built by using Ethernet is both a collision domain and a broadcast domain. In a LAN with plenty of hosts, the LAN might be full of collisions and broadcasts. As a result, the LAN performance is degraded or even the LAN becomes unavailable.
VLAN frame encapsulation

So that a network device can identify frames of different VLANs, a VLAN tag field is inserted into the data link layer encapsulation. The format of VLAN-tagged frames is defined in IEEE 802.1Q issued in 1999.
As shown in Figure 32, in the header of a traditional Ethernet data frame, the field after the destination MAC address and the source MAC address (DA&SA) field is the Type field, which indicates the upper layer protocol type.
VLAN types

You can implement VLANs based on the following criteria:
• Port
• MAC address
• Protocol
• IP subnet
• Policy
• Other criteria

This chapter covers port-based VLAN, MAC-based VLAN, protocol-based VLAN, and IP-based VLAN. The port-based VLAN implementation is the basis of all other VLAN implementations. To use any other VLAN implementations, you must configure port-based VLAN settings.
You can configure these types of VLANs on a port at the same time.
Step 3. Enter VLAN view.
  Command: vlan vlan-id
  Remarks: Required only when you create VLANs in bulk.
Step 4. Configure a name for the VLAN.
  Command: name text
  Remarks: Optional. The default name is VLAN vlan-id, which is the ID of the VLAN. For example, the name of VLAN 100 is VLAN 0100 by default.
Step 5. Configure a description for the VLAN.
  Remarks: Optional. The default description is VLAN vlan-id, which is the ID of the VLAN. For example, the description of VLAN 100 is VLAN 0100 by default.
Step 8. Cancel the action of manually shutting down the VLAN interface.
  Command: undo shutdown
  Remarks: Optional. By default, a VLAN interface is not manually shut down. The VLAN interface is up if one or more ports in the VLAN are up, and goes down if all ports in the VLAN go down.

VLAN interface configuration example

Network requirements

As shown in Figure 34, PC A is assigned to VLAN 5, and PC B is assigned to VLAN 10. The PCs belong to different IP subnets and cannot communicate with each other.
2. Configure the default gateway of PC A as 192.168.0.10.
3. Configure the default gateway of PC B as 192.168.1.20.

Verifying the configuration

1. The PCs can ping each other.
2. Display brief information about Layer 3 interfaces on Router to verify the configuration.
<Router> display ip interface brief
*down: administratively down
(s): spoofing
Interface          Physical  Protocol  IP Address    Description
Vlan-interface5    up        up        192.168.0.10  Vlan-inte...
Vlan-interface10   up        up        192.168.1.20  Vlan-inte.
Figure 35 Network diagram (Device A, Device B, and Device C carrying VLAN 2 and VLAN 3; legend: Access links are required, Trunk links are required, Hybrid links are required)

PVID

By default, VLAN 1 is the port VLAN ID (PVID) for all ports. You can configure the PVID for a port as required.
When you configure the PVID on a port, use the following guidelines:
• An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port.
Actions: Incoming tagged frame
  Access:
  • Receives the frame if its VLAN ID is the same as the PVID.
  • Drops the frame if its VLAN ID is different from the PVID.
  Trunk and Hybrid:
  • Receives the frame if its VLAN is permitted on the port.
  • Drops the frame if its VLAN is not permitted on the port.
Actions: Outgoing frames
  Access: Removes the VLAN tag and sends the frame.
  Trunk:
  • Removes the tag and sends the frame if the frame carries the PVID tag and the port belongs to the PVID.
Step 2. Enter interface view or port group view.
  Command:
  • Enter Layer 2 Ethernet interface view: interface interface-type interface-number
  • Enter Layer 2 aggregation interface view: interface bridge-aggregation interface-number
  • Enter port group view: port-group manual port-group-name
  Remarks: Use one of the commands.
  • The configuration made in Layer 2
Step 3. Configure the link type of the ports as access.
  Command: port link-type access
Step 4. Assign the access ports to a VLAN.
Step 3. Configure the link type of the ports as trunk.
  Command: port link-type trunk
  Remarks: By default, all ports are access ports.
Step 4. Assign the trunk ports to the specified VLANs.
  Command: port trunk permit vlan { vlan-list | all }
  Remarks: By default, a trunk port carries only VLAN 1.
Step 5. Configure the PVID of the trunk ports.
  Command: port trunk pvid vlan vlan-id
  Remarks: Optional. By default, the PVID is VLAN 1.
To change the link type of a port from trunk to hybrid or from hybrid to trunk, you must set the link type to access first.
After you configure the PVID for a hybrid port, you must use the port hybrid vlan command to configure the hybrid port to allow packets from the PVID to pass through.

Port-based VLAN configuration example

Network requirements

As shown in Figure 36, Host A and Host C belong to Department A, and access the enterprise network through different devices.
3. Configure Host A and Host C to be on the same IP subnet, 192.168.100.0/24, for example. Configure Host B and Host D to be on the same IP subnet, 192.168.200.0/24, for example.

Verifying the configuration

1. Host A and Host C can ping each other successfully, but they both fail to ping Host B. Host B and Host D can ping each other successfully, but they both fail to ping Host A.
2. Determine whether the configuration is successful by displaying relevant VLAN information.
• The device first performs a fuzzy match. In the fuzzy match, the device searches the MAC address-to-VLAN entries whose masks are not all-Fs and performs a logical AND operation on the source MAC address and each mask. If the result of an AND operation matches the corresponding MAC address, the device tags the frame with the corresponding VLAN ID. If the fuzzy match fails, the device performs an exact match.
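The lookup order described above, as an added Python example (not code from the HP guide). The class and function names, the sample entries, the configured-order iteration over fuzzy entries, and the `None` result when both matches fail are assumptions of this sketch; the entry check in `add` shows why an entry MAC with bits set outside its mask can never be hit by the AND comparison.

```python
# Added example: fuzzy match first, exact match second, for a static
# MAC address-to-VLAN table. All entries below are constructed samples.

ALL_F = 0xFFFFFFFFFFFF  # an all-Fs mask marks an exact-match entry


def parse_mac(text):
    """Turn 'xxxx-xxxx-xxxx' (the notation used in this guide) into an int."""
    digits = text.replace("-", "").replace(":", "")
    if len(digits) != 12:
        raise ValueError("not a 48-bit MAC address: %r" % text)
    return int(digits, 16)


class MacVlanTable:
    def __init__(self):
        self.fuzzy = []  # (mac, mask, vlan), mask != all-Fs, configured order (assumption)
        self.exact = {}  # mac -> vlan, for entries whose mask is all-Fs

    def add(self, mac, mask, vlan):
        mac_i, mask_i = parse_mac(mac), parse_mac(mask)
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID out of range: %d" % vlan)
        if mask_i == ALL_F:
            self.exact[mac_i] = vlan
            return
        # (source MAC AND mask) always has zero bits outside the mask, so an
        # entry MAC with bits set there could never equal the AND result.
        if mac_i & mask_i != mac_i:
            raise ValueError("entry %s has bits set outside mask %s" % (mac, mask))
        self.fuzzy.append((mac_i, mask_i, vlan))

    def lookup(self, src_mac):
        """Return (vlan, how): how is 'fuzzy', 'exact', or 'none'."""
        src = parse_mac(src_mac)
        for mac_i, mask_i, vlan in self.fuzzy:   # step 1: fuzzy match
            if src & mask_i == mac_i:
                return vlan, "fuzzy"
        if src in self.exact:                    # step 2: exact match
            return self.exact[src], "exact"
        return None, "none"                      # later handling is not modelled


def demo_table():
    table = MacVlanTable()
    table.add("0011-2200-0000", "ffff-ff00-0000", 100)  # whole prefix -> VLAN 100
    table.add("0011-2233-4455", "ffff-ffff-ffff", 200)  # shadowed by the prefix entry
    table.add("00e0-fc12-3456", "ffff-ffff-ffff", 300)
    return table


if __name__ == "__main__":
    t = demo_table()
    for mac in ("0011-22aa-bbcc", "0011-2233-4455", "00e0-fc12-3456", "0200-0000-0001"):
        print(mac, t.lookup(mac))
```

Because the fuzzy pass runs first, the exact entry for 0011-2233-4455 is never reached while the wider 0011-2200-0000 entry exists; auditing a table for such shadowed entries is a useful check before relying on per-host VLAN assignment.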
Figure 37 Flowchart for processing a frame in dynamic MAC-based VLAN assignment

When you configure dynamic MAC-based VLAN assignment, follow these guidelines:
• When a port is assigned to the corresponding VLAN in a MAC address-to-VLAN entry, but has not been assigned to the VLAN by using the port hybrid vlan command, the port sends packets from the VLAN with VLAN tags removed.
• MAC-based VLANs are available only on hybrid ports.
• Do not configure a super VLAN as the VLAN of a MAC address-to-VLAN entry.
• The MAC-based VLAN feature is mainly configured on downlink ports of user access devices. Do not enable this function together with link aggregation.
• With MSTP enabled, if a port is blocked in the MSTI of the target MAC-based VLAN, the port drops received packets instead of delivering them to the CPU.
Step 2. Enter interface view or port group view.
  Command:
  • Enter interface view: interface interface-type interface-number
  • Enter port group view: port-group manual port-group-name
  Remarks: Use one of the commands.
  • The configuration made in Ethernet interface view applies only to the port.
  • The configuration made in port group view applies to all ports in the port group.
Step 3. Configure the link type of the ports as hybrid.
  Command: port link-type hybrid
  Remarks: By default, all ports are access ports.
Step 4.
Figure 38 Network diagram

Configuration considerations

• Create VLANs 100 and 200.
• Configure the uplink ports of Router A and Router C as trunk ports, and assign them to VLANs 100 and 200.
• Configure the downlink ports of Router B as trunk ports, and assign them to VLANs 100 and 200. Assign the uplink ports of Router B to VLANs 100 and 200.
• Associate the MAC address of Laptop 1 with VLAN 100, and associate the MAC address of Laptop 2 with VLAN 200.

Configuration procedure

1.
Please wait... Done.
[RouterA-GigabitEthernet4/0/1] mac-vlan enable
[RouterA-GigabitEthernet4/0/1] quit
# To enable the laptops to access Server 1 and Server 2, configure the uplink port GigabitEthernet 4/0/2 as a trunk port, and assign it to VLANs 100 and 200.
[RouterA] interface GigabitEthernet 4/0/2
[RouterA-GigabitEthernet4/0/2] port link-type trunk
[RouterA-GigabitEthernet4/0/2] port trunk permit vlan 100 200
[RouterA-GigabitEthernet4/0/2] quit

2. Configure Router B:
# Create VLANs 100 and 200.
• MAC-based VLAN is usually configured on downlink ports of access layer devices, and cannot be configured together with the link aggregation function.

Configuring protocol-based VLANs

Introduction to protocol-based VLAN

The protocol-based VLAN feature assigns inbound packets to different VLANs based on their protocol type and encapsulation format. The protocols available for VLAN assignment include IP, IPX, and AT. The encapsulation formats include Ethernet II, 802.3 raw, 802.2 LLC, and 802.2 SNAP.
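How a frame's encapsulation format and protocol type can be told apart before a VLAN is chosen, as an added Python example (not code from the HP guide). The function names, the binding table (VLAN 100 for IPv4 and VLAN 200 for IPv6 over Ethernet II), the sample frames, and the fall-back to the PVID for unmatched frames are assumptions of this sketch; it handles untagged frames only.

```python
# Added example: classify an untagged Ethernet frame by encapsulation format
# and protocol identifier, then pick a VLAN from a constructed binding table.
import struct

HDR = bytes.fromhex("00e0fc000001") + bytes.fromhex("00e0fc000002")  # DA + SA (constructed)


def classify(frame):
    """Return (encapsulation, protocol id) for an untagged Ethernet frame."""
    if len(frame) < 14:
        raise ValueError("shorter than an Ethernet header")
    (type_len,) = struct.unpack_from("!H", frame, 12)
    if type_len >= 0x0600:                 # value is an EtherType
        return "ethernet_ii", type_len
    if type_len > 1500:                    # 1501-1535 is neither length nor type
        raise ValueError("undefined type/length value %d" % type_len)
    body = frame[14:14 + type_len]         # value is a length: 802.3 family
    if len(body) < 2:
        raise ValueError("truncated 802.3 payload")
    if body[:2] == b"\xff\xff":            # IPX directly after the length field
        return "802.3_raw", None
    if len(body) < 3:
        raise ValueError("truncated LLC header")
    dsap, ssap, ctrl = body[0], body[1], body[2]
    if (dsap, ssap, ctrl) == (0xAA, 0xAA, 0x03):
        if len(body) < 8:
            raise ValueError("truncated SNAP header")
        (proto,) = struct.unpack_from("!H", body, 6)   # after the 3-byte OUI
        return "802.2_snap", proto
    return "802.2_llc", dsap


# Constructed bindings: (encapsulation, protocol id) -> VLAN ID.
BINDINGS = {("ethernet_ii", 0x0800): 100,   # IPv4
            ("ethernet_ii", 0x86DD): 200}   # IPv6


def vlan_for(frame, bindings=BINDINGS, pvid=1):
    """VLAN for the frame; unmatched frames fall back to the PVID (assumption)."""
    return bindings.get(classify(frame), pvid)


def eth2(ethertype, payload):
    return HDR + struct.pack("!H", ethertype) + payload


def dot3(body):
    return HDR + struct.pack("!H", len(body)) + body


SAMPLES = {  # constructed frames, payloads are zero-filled
    "ipv4_eth2": eth2(0x0800, bytes(20)),
    "ipv6_eth2": eth2(0x86DD, bytes(40)),
    "ipx_raw": dot3(b"\xff\xff" + bytes(28)),
    "ipv4_snap": dot3(bytes.fromhex("aaaa03" "000000" "0800") + bytes(20)),
    "ipx_llc": dot3(bytes.fromhex("e0e003") + bytes(30)),
}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(name, classify(frame), "-> VLAN", vlan_for(frame))
```

The `ipv4_snap` sample carries the same protocol as `ipv4_eth2` but lands in the PVID, because a binding matches only when both the protocol type and the encapsulation format agree.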
Step 4. Exit VLAN view.
  Command: quit
  Remarks: N/A
Step 5. Enter interface view or port group view.
  Command:
  • Enter Ethernet interface view: interface interface-type interface-number
  • Enter port group view: port-group manual port-group-name
  Remarks: Use one of the commands.
  • The configuration made in Ethernet interface view applies only to the port.
  • The configuration made in port group view applies to all ports in the port group.
Step 6. Configure the port link type as hybrid.
Configuration considerations

Create VLANs 100 and 200. Associate VLAN 100 with IPv4, and associate VLAN 200 with IPv6. Configure protocol-based VLANs to isolate IPv4 traffic and IPv6 traffic at Layer 2.

Configuration procedure

1. Configure Router:
# Create VLAN 100, and assign port GigabitEthernet 4/0/11 to VLAN 100.
Configure IPv4 Host A, IPv4 Host B, and IPv4 Server to be on the same network segment (192.168.100.0/24, for example), and configure IPv6 Host A, IPv6 Host B, and IPv6 Server to be on the same network segment (2001::1/64, for example).

Verifying the configuration

1. The hosts and server in VLAN 100 can ping one another successfully. The hosts and server in VLAN 200 can ping one another successfully. The hosts or server in VLAN 100 cannot ping the hosts or server in VLAN 200, and vice versa.
2.
Configuration procedure

This feature is applicable only on hybrid ports.

To configure an IP subnet-based VLAN:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter VLAN view.
  Command: vlan vlan-id
  Remarks: N/A
Step 3. Associate an IP subnet with the VLAN.
  Command: ip-subnet-vlan [ ip-subnet-index ] ip ip-address [ mask ]
  Remarks: The IP subnet or IP address to be associated with a VLAN cannot be a multicast subnet or a multicast address.
Step 4. Return to system view.
  Command: quit
  Remarks: N/A
Use one of the commands.
Configure Router to transmit packets over separate VLANs based on their source IP addresses.

Figure 40 Network diagram (Device A in VLAN 100 on GE4/0/11 and Device B in VLAN 200 on GE4/0/12 of Router; Office with subnets 192.168.5.0/24 and 192.168.50.0/24 on GE4/0/1)

Configuration considerations

• Create VLANs 100 and 200.
• Associate IP subnets with the VLANs.
• Assign ports to the VLANs.

Configuration procedure

# Associate IP subnet 192.168.5.0/24 with VLAN 100.
[Router] interface GigabitEthernet 4/0/12
[Router-GigabitEthernet4/0/12] port link-type hybrid
[Router-GigabitEthernet4/0/12] port hybrid vlan 200 tagged
Please wait... Done.
[Router-GigabitEthernet4/0/12] quit
# Associate interface GigabitEthernet 4/0/1 with IP subnet-based VLANs 100 and 200.
[Router] interface GigabitEthernet 4/0/1
[Router-GigabitEthernet4/0/1] port link-type hybrid
[Router-GigabitEthernet4/0/1] port hybrid vlan 100 200 untagged
Please wait... Done.
Task: Display VLAN interface information.
  Command:
  display interface [ vlan-interface ] [ brief [ down ] ] [ | { begin | exclude | include } regular-expression ]
  display interface vlan-interface vlan-interface-id [ brief [ description ] ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display hybrid ports or trunk ports on the device.
  Command: display port { hybrid | trunk } [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Configuring super VLANs

The super VLAN feature is supported on SAP modules that are operating in bridge mode.

Super VLAN, also called "VLAN aggregation," was introduced to save IP address space.
A super VLAN is associated with multiple sub-VLANs. You can create a VLAN interface for a super VLAN and assign an IP address for the VLAN interface. However, you cannot create a VLAN interface for a sub-VLAN. You can assign a physical port to a sub-VLAN, but not to a super VLAN.
To configure a super VLAN:

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter VLAN view.
  Command: vlan vlan-id
  Remarks: If the specified VLAN does not exist, this command creates the VLAN first, and then enters VLAN view.
Step 3. Configure the VLAN as a super VLAN.
  Command: supervlan
  Remarks: By default, a super VLAN is not configured.
Step 4. Associate the super VLAN with the specified sub-VLANs.
  Command: subvlan vlan-list
  Remarks: VLANs specified by vlan-list must be the sub-VLANs configured earlier.
Step 4. Enable local proxy ARP.
  Command:
  • Enable local proxy ARP: local-proxy-arp enable
Step 5. Enable local proxy ND.
  Command:
  • Enable local proxy ND: local-proxy-nd enable
  Remarks (steps 4 and 5): Use one of the commands. By default, local proxy ARP and local proxy ND are disabled.

For more information about local proxy ARP and proxy ND functions, see Layer 3—IP Services Configuration Guide.
For more information about local-proxy-arp enable and local-proxy-nd enable commands, see Layer 3—IP Services Command Reference.
<Sysname> system-view
[Sysname] vlan 10
[Sysname-vlan10] quit
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] ip address 10.0.0.1 255.255.255.0
# Enable local proxy ARP.
[Sysname-Vlan-interface10] local-proxy-arp enable
[Sysname-Vlan-interface10] quit
# Create VLAN 2, and assign GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2 to it.
It is a Sub VLAN.
Route Interface: configured
Ip Address: 10.0.0.1
Subnet Mask: 255.255.255.0
Description: VLAN 0002
Name: VLAN 0002
Tagged Ports: none
Untagged Ports:
GigabitEthernet4/0/1 GigabitEthernet4/0/2

VLAN ID: 3
VLAN Type: static
It is a Sub VLAN.
Route Interface: configured
Ip Address: 10.0.0.1
Subnet Mask: 255.255.255.0
Description: VLAN 0003
Name: VLAN 0003
Tagged Ports: none
Untagged Ports:
GigabitEthernet4/0/3 GigabitEthernet4/0/4

VLAN ID: 5
VLAN Type: static
It is a Sub VLAN.
OUI addresses

A device determines whether a received packet is a voice packet by evaluating its source MAC address. A packet whose source MAC address complies with the Organizationally Unique Identifier (OUI) address of the voice device is regarded as voice traffic.
You can configure the OUI addresses of a device in advance, or use the default OUI addresses. You can manually remove the default OUI address of a device and then add new ones. Table 13 lists the default OUI address for each vendor's devices.
Figure 42 PCs and IP phones connected in series access the network

• Manual mode—You must manually assign an IP phone accessing port to a voice VLAN. Then, the system matches the source MAC addresses carried in packets against the device's OUI addresses. If the system finds a match, it issues ACL rules and configures the packet precedence. In this mode, you must manually assign ports to, or remove ports from, a voice VLAN.
Port link type Voice VLAN assignment mode supported for tagged voice traffic Configuration requirements In automatic mode, the PVID of the port cannot be the voice VLAN. Hybrid • Automatic and manual In manual mode, the PVID of the port cannot be the voice VLAN. Configure the port to permit packets from the voice VLAN to pass through tagged.
Table 16 How a voice VLAN-enabled port processes packets in security and normal mode

Voice VLAN mode: Security mode
  Packet processing mode:
  • For untagged packets and packets that carry the voice VLAN tag: If the source MAC address of a packet matches an OUI address configured for the device, it is forwarded in the voice VLAN. Otherwise, it is dropped.
Step Command Configure the interface to trust the QoS priority settings in incoming voice traffic, but not to modify the CoS and DSCP values marked for incoming traffic of the voice VLAN. 3. Configure the interface to modify the CoS and DSCP values marked for incoming traffic of the voice VLAN into specified values. 4. Remarks Use one of the commands.
Step 5. Enter Layer 2 Ethernet interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 6. Configure the link type of the interface.
  Command:
  • Configure the link type as trunk: port link-type trunk
  • Configure the link type as hybrid: port link-type hybrid
  Remarks: N/A
Step 7. Configure the port to operate in automatic voice VLAN assignment mode.
  Command: voice vlan mode auto
  Remarks: Optional.
Step 8. Enable the voice VLAN feature.
Step 5. Configure the port to operate in manual voice VLAN assignment mode.
  Command: undo voice vlan mode auto
  Remarks: By default, the manual voice VLAN assignment mode is disabled.
Step 6. Assign the access, trunk, or hybrid port in manual voice VLAN assignment mode to the voice VLAN.
  Command: For the configuration procedure, see "Configuring VLANs."
  Remarks: After you assign an access port to the voice VLAN, the voice VLAN automatically becomes the PVID of the port.
Step 7.
  Remarks: Optional.
Figure 44 Network diagram

Configuration procedure

# Create VLAN 2 and VLAN 3.
<RouterA> system-view
[RouterA] vlan 2 to 3
Please wait... Done.
# Set the voice VLAN aging time to 30 minutes.
[RouterA] voice vlan aging 30
# (Optional.) GigabitEthernet 4/0/1 might receive both voice traffic and data traffic at the same time. To ensure the quality of voice packets and effective bandwidth use, configure voice VLANs to operate in security mode. Configure the voice VLANs to transmit only voice packets.
[RouterA-GigabitEthernet4/0/2] voice vlan mode auto
[RouterA-GigabitEthernet4/0/2] voice vlan 3 enable

Verifying the configuration

# Display OUI addresses, OUI address masks, and description strings.
Figure 45 Network diagram

Configuration procedure

# (Optional.) Configure the voice VLAN to operate in security mode. A voice VLAN operates in security mode by default.
<RouterA> system-view
[RouterA] voice vlan security enable
# Add a recognizable OUI address 0011-2200-0000.
[RouterA] voice vlan mac-address 0011-2200-0000 mask ffff-ff00-0000 description test
# Create VLAN 2.
[RouterA] vlan 2
[RouterA-vlan2] quit
# Configure GigabitEthernet 4/0/1 to operate in manual voice VLAN assignment mode.
# Display the states of voice VLANs.
Configuring GVRP

GVRP is supported on SAP modules that are operating in bridge mode.

The Generic Attribute Registration Protocol (GARP) provides a generic framework for routers in a switched LAN, such as end stations and switches, to register and deregister attribute values. The GARP VLAN Registration Protocol (GVRP) is a GARP application that registers and deregisters VLAN attributes.
• Join messages
A GARP participant sends Join messages when it wishes to declare its attribute values or receives Join messages from other GARP participants. Join messages include the following categories:
  - JoinEmpty—A GARP participant sends JoinEmpty messages to declare attribute values that it has not registered.
  - JoinIn—A GARP participant sends JoinIn messages to declare attribute values that it has registered.
GARP PDU format

As shown in Figure 47, GARP PDUs are encapsulated in IEEE 802.3 Ethernet frames.

Figure 47 GARP PDU format
  Ethernet frame: DA, SA, Length, DSAP, SSAP, Ctrl, GARP PDU
  GARP PDU: Protocol ID, Message 1, ..., Message n, End mark
  Message: Attribute type, Attribute list
  Attribute list: Attribute 1, ..., Attribute n, End mark
  Attribute: Attribute length, Attribute event, Attribute value

Table 17 describes the usage and values of fields contained in the GARP PDU portion of the Ethernet frames.
Field: Attribute value
  Description: Attribute value.
  Value: VLAN ID for GVRP. If the value of the Attribute event field is 0x00 (LeaveAll event), the Attribute value field is invalid.

The destination MAC addresses of GARP messages are multicast MAC addresses, and vary with GARP applications. For example, the destination MAC address of GVRP is 01-80-C2-00-00-21.
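A parser for the GARP PDU layout described above, restricted to GVRP, as an added Python example (not code from the HP guide). The function names and the sample frame are assumptions of this sketch, and the protocol ID, LLC bytes, attribute type, event codes, and length semantics come from IEEE 802.1D rather than from this page; the parser rejects frames whose length fields or end marks do not add up, which is the check a monitoring tool needs before trusting a VLAN declaration.

```python
# Added example: decode the VLAN declarations in a GVRP frame (constructed sample).

GVRP_DMAC = bytes.fromhex("0180c2000021")  # destination MAC of GVRP
GARP_LLC = bytes.fromhex("424203")         # DSAP, SSAP, Ctrl (IEEE 802.1D)
GARP_PROTOCOL_ID = b"\x00\x01"
GVRP_ATTR_TYPE = 0x01                      # VID attribute
EVENTS = {0: "LeaveAll", 1: "JoinEmpty", 2: "JoinIn",
          3: "LeaveEmpty", 4: "LeaveIn", 5: "Empty"}


def parse_garp_pdu(pdu):
    """Return [(event name, VLAN ID or None), ...] for a GVRP PDU."""
    if pdu[:2] != GARP_PROTOCOL_ID:
        raise ValueError("unexpected GARP protocol ID")
    pos, found = 2, []
    while True:                                   # one iteration per message
        if pos >= len(pdu):
            raise ValueError("PDU end mark missing")
        attr_type = pdu[pos]
        pos += 1
        if attr_type == 0x00:                     # end mark of the PDU
            return found
        if attr_type != GVRP_ATTR_TYPE:
            raise ValueError("attribute type %#x is not a GVRP VID" % attr_type)
        while True:                               # one iteration per attribute
            if pos >= len(pdu):
                raise ValueError("attribute list end mark missing")
            length = pdu[pos]                     # counts length + event + value
            if length == 0x00:                    # end mark of the attribute list
                pos += 1
                break
            if length < 2 or pos + length > len(pdu):
                raise ValueError("bad attribute length %d" % length)
            event = EVENTS.get(pdu[pos + 1])
            if event is None:
                raise ValueError("unknown attribute event %d" % pdu[pos + 1])
            value = pdu[pos + 2:pos + length]
            if event == "LeaveAll":
                vlan = None                       # value field is invalid for LeaveAll
            else:
                if len(value) != 2:
                    raise ValueError("GVRP attribute value must be 2 bytes")
                vlan = int.from_bytes(value, "big")
                if not 1 <= vlan <= 4094:
                    raise ValueError("VLAN ID %d out of range" % vlan)
            found.append((event, vlan))
            pos += length


def parse_gvrp_frame(frame):
    """Check the 802.3/LLC encapsulation, then parse the GARP PDU."""
    if len(frame) < 17 or frame[:6] != GVRP_DMAC:
        raise ValueError("not addressed to the GVRP multicast MAC")
    length = int.from_bytes(frame[12:14], "big")
    payload = frame[14:14 + length]
    if length > 1500 or len(payload) != length:
        raise ValueError("bad 802.3 length field")
    if payload[:3] != GARP_LLC:
        raise ValueError("unexpected LLC header")
    return parse_garp_pdu(payload[3:])


def declared_vlans(events):
    """VLAN IDs that the sender declares with Join messages."""
    return sorted({v for e, v in events if e in ("JoinEmpty", "JoinIn")})


# Constructed sample: JoinIn VLAN 2, JoinEmpty VLAN 10, LeaveAll, end marks, padding.
_PDU = bytes.fromhex("0001" "01" "04020002" "0401000a" "0200" "00" "00")
_BODY = GARP_LLC + _PDU
SAMPLE_FRAME = (GVRP_DMAC + bytes.fromhex("00e0fc000001")
                + len(_BODY).to_bytes(2, "big") + _BODY + bytes(28))

if __name__ == "__main__":
    print(parse_gvrp_frame(SAMPLE_FRAME), declared_vlans(parse_gvrp_frame(SAMPLE_FRAME)))
```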
Complete these tasks to configure GVRP:

Task: Configuring basic GVRP functions
  Remarks: Required
Task: Configuring the GARP timers
  Remarks: Optional

Configuring basic GVRP functions

Configuration prerequisites

Before enabling GVRP on a port, you must enable GVRP globally. In addition, you can configure GVRP only on trunk ports, and you must assign the involved trunk ports to all dynamic VLANs.

Configuration restrictions and guidelines

• GVRP is mutually exclusive with service loopback.
Step 4. Configure the link type of the ports as trunk.
  Command: port link-type trunk
  Remarks: The default setting is access. For more information about the port link-type trunk command, see Layer 2—LAN Switching Command Reference.
Step 5. Assign the trunk ports to all VLANs.
  Command: port trunk permit vlan all
  Remarks: By default, a trunk port is assigned to VLAN 1 only. For more information about the port trunk permit vlan all command, see Layer 2—LAN Switching Command Reference.
Step 6. Enable GVRP on the ports.
  Command: gvrp
Step 7.
• On a GARP-enabled network, each port maintains its own Hold, Join, and Leave timers, but only one LeaveAll timer is maintained on each router. This LeaveAll timer applies to all ports on the router.
• The value ranges for the Hold, Join, Leave, and LeaveAll timers are dependent on one another. See Table 18 for their dependencies.
• Set the LeaveAll timer greater than any Leave timer and not smaller than its default value, 1000 centiseconds.
Task: Display statistics about GARP on ports.
  Command: display garp statistics [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display GARP timers on ports.
  Command: display garp timer [ interface interface-list ] [ | { begin | exclude | include } regular-expression ]
  Remarks: Available in any view.
Task: Display the local VLAN information that GVRP maintains on ports.
[RouterA] interface GigabitEthernet 3/0/1
[RouterA-GigabitEthernet3/0/1] port link-type trunk
[RouterA-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable GVRP on trunk port GigabitEthernet 3/0/1.
[RouterA-GigabitEthernet3/0/1] gvrp
[RouterA-GigabitEthernet3/0/1] quit
# Create VLAN 2 (a static VLAN).
[RouterA] vlan 2
[RouterA-vlan2] quit

2. Configure Router B:
# Enable GVRP globally.
GVRP fixed registration mode configuration example

Network requirements

As shown in Figure 49, enable GVRP and configure the fixed registration mode on ports to enable registration and deregistration of static VLAN information between the two routers.

Figure 49 Network diagram

Configuration procedure

1. Configure Router A:
# Enable GVRP globally.
<RouterA> system-view
[RouterA] gvrp
# Configure port GigabitEthernet 3/0/1 as a trunk port, and assign it to all VLANs.
Verifying the configuration:

Use the display gvrp local-vlan command to display the local VLAN information that GVRP maintains on ports. For example:
# Display the local VLAN information maintained by GVRP on port GigabitEthernet 3/0/1 of Router A.
# Create VLAN 2 (a static VLAN).
[RouterA] vlan 2
[RouterA-vlan2] quit
2. Configure Router B:
# Enable GVRP globally.
<RouterB> system-view
[RouterB] gvrp
# Configure port GigabitEthernet 3/0/1 as a trunk port, and assign it to all VLANs.
[RouterB] interface GigabitEthernet 3/0/1
[RouterB-GigabitEthernet3/0/1] port link-type trunk
[RouterB-GigabitEthernet3/0/1] port trunk permit vlan all
# Enable GVRP on GigabitEthernet 3/0/1, and set the GVRP registration mode to forbidden on the port.
Configuring QinQ
QinQ is supported on SAP modules that are operating in bridge mode.
This document uses the following terms:
• CVLAN—Customer network VLANs, also called "inner VLANs," refer to VLANs that a customer uses on the private network.
• SVLAN—Service provider network VLANs, also called "outer VLANs," refer to VLANs that a service provider uses to transmit VLAN tagged traffic for customers.
Overview
802.1Q-in-802.
Figure 51 Single-tagged Ethernet frame header and double-tagged Ethernet frame header
NOTE: For correct transmission of tagged frames, set the MTU of each interface on the service provider network to at least 1504 bytes, which is the sum of the default interface MTU (1500 bytes) and the size of a VLAN tag (4 bytes).
The devices in the service provider network forward a tagged frame according to its SVLAN tag only, and they transmit the CVLAN tag as part of the frame's payload.
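The following added example (not code from this guide) parses single-tagged and double-tagged frames and shows two things the text above implies: a provider device sees the CVLAN tag as 4 extra payload bytes, which is why the MTU must be 1504, and a device that does not expect the configured outer TPID treats a QinQ frame as untagged. The function names, MAC addresses and sample frame are constructed for illustration; SVLAN 100, CVLAN 10 and TPID 0x8200 are the values used in this chapter's examples, and accepting 0x8100 alongside the configured outer TPID is an assumption of this sketch.

```python
import struct

DOT1Q_TPID = 0x8100  # default TPID of an 802.1Q tag
TAG_LEN = 4          # TPID (2 bytes) + TCI (2 bytes)


def build_frame(dst, src, tags, ethertype, payload):
    """Build a frame; tags is a list of (tpid, pcp, vid), outermost first."""
    frame = dst + src
    for tpid, pcp, vid in tags:
        frame += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return frame + struct.pack("!H", ethertype) + payload


def parse_tags(frame, outer_tpid=DOT1Q_TPID, max_tags=2):
    """Split a frame into VLAN tags, EtherType and payload.

    The outermost tag is accepted when its TPID is 0x8100 or outer_tpid
    (assumption of this sketch); inner tags must carry 0x8100.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    tags, off = [], 12
    # A tag is only parsed if the tag and the following type field both fit.
    while len(tags) < max_tags and len(frame) >= off + TAG_LEN + 2:
        (tpid,) = struct.unpack_from("!H", frame, off)
        accepted = {DOT1Q_TPID} if tags else {DOT1Q_TPID, outer_tpid}
        if tpid not in accepted:
            break
        (tci,) = struct.unpack_from("!H", frame, off + 2)
        tags.append({"tpid": tpid, "pcp": tci >> 13, "vid": tci & 0x0FFF})
        off += TAG_LEN
    (ethertype,) = struct.unpack_from("!H", frame, off)
    return {"tags": tags, "ethertype": ethertype, "payload": frame[off + 2:]}


def provider_view(frame, svlan_tpid):
    """Return (svlan_id, payload_length) as a provider device sees the frame.

    Only the outer tag is interpreted; the CVLAN tag counts as payload.
    """
    parsed = parse_tags(frame, outer_tpid=svlan_tpid, max_tags=1)
    svlan = parsed["tags"][0]["vid"] if parsed["tags"] else None
    return svlan, len(parsed["payload"])


def fits_provider_mtu(frame, svlan_tpid, mtu):
    """True if the frame's payload, as the provider sees it, fits the MTU."""
    return provider_view(frame, svlan_tpid)[1] <= mtu


def sample_qinq_frame(payload_len=1500):
    """Constructed sample: SVLAN 100 (TPID 0x8200) around CVLAN 10."""
    dst = bytes.fromhex("020000000002")  # constructed, locally administered
    src = bytes.fromhex("020000000001")  # constructed, locally administered
    tags = [(0x8200, 0, 100), (DOT1Q_TPID, 0, 10)]
    return build_frame(dst, src, tags, 0x0800, bytes(payload_len))


if __name__ == "__main__":
    frame = sample_qinq_frame()
    print("PE view      :", parse_tags(frame, outer_tpid=0x8200)["tags"])
    print("provider view:", provider_view(frame, 0x8200))
    print("fits 1500    :", fits_provider_mtu(frame, 0x8200, 1500))
    print("fits 1504    :", fits_provider_mtu(frame, 0x8200, 1504))
    print("TPID mismatch:", parse_tags(frame)["tags"])
```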
QinQ implementations
HP provides the following QinQ implementations:
• Basic QinQ—Basic QinQ enables a port to tag any incoming frames with its PVID tag, regardless of whether they have already been tagged. If an incoming frame has been tagged, it becomes a double-tagged frame. If the frame has not been tagged, it becomes a single-tagged frame.
• Selective QinQ—Selective QinQ is more flexible than basic QinQ.
Configuring basic QinQ
This section describes how to configure basic QinQ.
Enabling basic QinQ
Enable QinQ on the customer-side port. A basic QinQ-enabled port tags an incoming packet with its PVID tag.
To enable basic QinQ:
Step / Command / Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view or port group view.
   • Enter Layer 2 Ethernet or Layer
Step / Command / Remarks
7. Configure the port to allow packets from its PVID and the transparent VLANs to pass through.
   • For hybrid ports: port hybrid vlan vlan-id-list { tagged | untagged }
   • For trunk ports: port trunk permit vlan { vlan-id-list | all }
   Remarks: By default, trunk ports allow only packets from VLAN 1 to pass through. Hybrid ports allow only packets from VLAN 1 to pass through untagged.
8. Enable basic QinQ.
   Command: qinq enable
   Remarks: By default, basic QinQ is disabled on ports.
9.
Step / Command / Remarks
16. Configure the behavior to count QinQ packets.
   Command: accounting
   Remarks: Optional. This action counts the number of double-tagged QinQ packets, and helps you understand the traffic volume changes of the specific packets and adjust the network transmission policy accordingly.
17. Return to system view.
   Command: quit
   Remarks: N/A
18. Create a QoS policy and enter QoS policy view.
   Command: qos policy policy-name
   Remarks: N/A
19. Associate the class with the traffic behavior.
Step / Command / Remarks
29. Configure a behavior to set the 802.1p priority in the SVLAN tags.
   Command: remark dot1p 8021p
   Remarks: N/A
30. Return to system view.
   Command: quit
   Remarks: N/A
31. Create a QoS policy and enter QoS policy view.
   Command: qos policy policy-name
   Remarks: N/A
32. Associate the traffic class with the traffic behavior defined earlier.
   Command: classifier classifier-name behavior behavior-name
   Remarks: N/A
33. Return to system view.
   Command: quit
   Remarks: N/A
34.
   • Enter Layer 2 Ethernet interface view:
Step / Command / Remarks
45. Associate the traffic class with the traffic behavior defined earlier.
   Command: classifier classifier-name behavior behavior-name
   Remarks: N/A
46. Return to system view.
   Command: quit
   Remarks: N/A
47. Enter Ethernet interface view or port group view of the service provider network-side port.
   • Enter Layer 2 Ethernet interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: N/A
48. Apply the QoS policy to the outgoing traffic.
Protocol type: Value
MPLS: 0x8847/0x8848
IPX/SPX: 0x8137
IS-IS: 0x8000
LACP: 0x8809
802.1X: 0x888E
Cluster: 0x88A7
Reserved: 0xFFFD/0xFFFE/0xFFFF
To configure the TPID value in VLAN tags:
Step / Command / Remarks
49. Enter system view.
   Command: system-view
   Remarks: N/A
50. Configure the global TPID value for CVLAN tags.
   Command: qinq ethernet-type customer-tag hex-value
51. Enter interface view or port group view of the service provider-side port.
   • Enter Layer 2 Ethernet or Layer
Figure 53 Network diagram
Configuration procedure
This example assumes that devices in the service provider network have been configured to allow QinQ packets to pass through.
1. Configure PE 1:
a.
# Configure GigabitEthernet 4/0/3 as a trunk port, and assign it to VLAN 200 and VLANs 30 through 90.
[PE1] interface GigabitEthernet 4/0/3
[PE1-GigabitEthernet4/0/3] port link-type trunk
[PE1-GigabitEthernet4/0/3] port trunk permit vlan 200 30 to 90
# Configure VLAN 200 as the PVID for the port.
[PE1-GigabitEthernet4/0/3] port trunk pvid vlan 200
# Enable basic QinQ on the port.
[PE1-GigabitEthernet4/0/3] qinq enable
[PE1-GigabitEthernet4/0/3] quit
2. Configure PE 2:
a.
On third-party devices between PE 1 and PE 2, configure the port that connects to PE 1 and the port that connects to PE 2 to allow tagged frames of VLAN 100 and VLAN 200 to pass through. (Details not shown.)
Selective QinQ configuration example
Network requirements
As shown in the network diagram, configure selective QinQ to meet the following requirements:
• VLAN 10 of CE A and CE B can intercommunicate across VLAN 1000 in the service provider network.
[PEA-GigabitEthernet2/0/1] port hybrid pvid vlan 3000
# Enable basic QinQ on the port.
[PEA-GigabitEthernet2/0/1] qinq enable
[PEA-GigabitEthernet2/0/1] quit
# Create a class A10 to match the frames from VLAN 10 of CE A.
[PEA] traffic classifier A10
[PEA-classifier-A10] if-match customer-vlan-id 10
[PEA-classifier-A10] quit
# Create a traffic behavior P1000 and configure the action of tagging frames with the SVLAN tag 1000 for the traffic behavior.
# Set the TPID value in the outer VLAN tag to 0x8200 on the port.
[PEA-GigabitEthernet2/0/3] qinq ethernet-type service-tag 8200
2. Configure PE B:
a. Configure GigabitEthernet 2/0/1:
# Configure the port as a trunk port to permit frames from VLAN 1000, VLAN 2000, and VLAN 3000 to pass through.
Figure 55 Network diagram
Configuration procedure
This example assumes that devices in the service provider network have been configured to allow QinQ packets to pass through.
1. Configure PE 1:
a. Configure GigabitEthernet 4/0/1:
# Configure GigabitEthernet 4/0/1 as a trunk port, and assign it to VLANs 10 through 50.
# Enable basic QinQ on the port.
[PE2-GigabitEthernet4/0/1] qinq enable
# Configure the port to transparently transmit frames from VLANs 10 through 50.
[PE2-GigabitEthernet4/0/1] qinq transparent-vlan 10 to 50
[PE2-GigabitEthernet4/0/1] quit
b. Configure GigabitEthernet 4/0/2:
# Configure GigabitEthernet 4/0/2 as a trunk port, and assign it to VLANs 10 through 50.
Configuring VLAN termination
In this chapter, for a packet that carries two or more layers of VLAN tags, the outermost VLAN tag is called the "Layer 1 VLAN tag," and the second outermost VLAN tag is called the "Layer 2 VLAN tag." The same naming applies to VLAN IDs.
Overview
VLAN termination assigns a received VLAN-tagged packet to the corresponding interface according to its VLAN tags. The interface then removes the VLAN tags and either forwards the packet through Layer 3 or processes it in another way.
Figure 56 VLAN termination for inter-VLAN communication (through Layer 3 Ethernet subinterfaces)
LAN-WAN communication
Most packets sent out of LANs carry VLAN tags, but some WAN protocols such as ATM, Frame Relay, and PPP cannot recognize VLAN-tagged packets. Therefore, before sending VLAN-tagged packets to a WAN, the sending port must locally record the VLAN information and remove the VLAN tags from the packets. VLAN termination serves this purpose.
• A main interface cannot terminate VLAN-tagged packets, but you can create subinterfaces for it to terminate VLAN-tagged packets.
• A subinterface can send and receive only VLAN-tagged packets.
• Layer 3 Ethernet subinterfaces can terminate packets whose outermost VLAN IDs match the configured values or the outermost two layers of VLAN IDs match the configured values.
Step / Command / Remarks
2. Enter interface view.
   • Enter Layer 3 Ethernet subinterface view: interface interface-type interface-number.subnumber
   • Enter Layer 3 aggregate subinterface view: interface route-aggregation interface-number.subnumber
   Remarks: Use one of the commands.
3. Enable Dot1q termination on the subinterface, and configure the subinterface to terminate the VLAN-tagged packets whose outermost VLAN IDs match the specified VLAN ID.
Ambiguous QinQ termination—Terminates packets whose Layer 1 VLAN IDs match the specified VLAN ID and Layer 2 VLAN IDs are in the specified range and does not allow any other VLAN-tagged packets to pass through the subinterface. When the subinterface receives a packet, it removes the two layers of VLAN tags of the packet.
Step / Command / Remarks
2. Enter interface view.
   • Enter Layer 3 Ethernet subinterface view: interface interface-type interface-number.subnumber
   • Enter Layer 3 aggregate subinterface view: interface route-aggregation interface-number.subnumber
   Remarks: Use one of the commands.
3. Enable QinQ termination on the subinterface, and configure the subinterface to terminate the VLAN-tagged packets whose outermost two layers of VLAN tags match the specified values.
value is 0x8100 or the configured value, the interface considers the packet as a VLAN-tagged packet. When sending a packet, the interface sets the TPID value in the outermost VLAN tag to the configured value, and sets the TPID values in the other VLAN tags to 0x8100 if the packet carries two or more layers of VLAN tags.
To set the TPID value for VLAN-tagged packets:
Step / Command / Remarks
1. Enter system view
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   • Enter Layer 3 Ethernet interface view:
Figure 58 Network diagram
Configuration procedure
IMPORTANT: The vlan-type dot1q vid command is mandatory for devices that support it, because an Ethernet subinterface can be activated and transmit packets only after it is associated with VLANs.
1. Configure Host A, Host B, Host C, and Host D:
   • Configure Host A's IP address as 1.1.1.1/8, and gateway IP address as 1.0.0.1/8.
   • Configure Host B's IP address as 2.2.2.2/8, and gateway IP address as 2.0.0.1/8.
   • Configure Host C's IP address as 3.3.
# Create GigabitEthernet 4/0/1.10, GigabitEthernet 4/0/1.20, GigabitEthernet 4/0/2.10, and GigabitEthernet 4/0/2.20, and then assign IP addresses to them. Configure GigabitEthernet 4/0/1.10 and GigabitEthernet 4/0/2.10 to terminate packets tagged with VLAN 10, and configure GigabitEthernet 4/0/1.20 and GigabitEthernet 4/0/2.20 to terminate packets tagged with VLAN 20.
<Router> system-view
[Router] interface GigabitEthernet 4/0/1.10
[Router-GigabitEthernet4/0/1.10] ip address 1.0.0.1 255.0.0.
Figure 59 Network diagram
Configuration procedure
1. Configure Host A, Host B, and Host C:
   • Configure the IP addresses of Host A, Host B, and Host C as 1.1.1.1/24, 1.1.1.2/24, and 1.1.1.3/24, respectively.
   • Configure the gateway IP address as 1.1.1.11/24 for the hosts.
2. Configure Layer 2 Switch A:
# Assign Ethernet 1/1 to VLAN 11.
<L2_SwitchA> system-view
[L2_SwitchA] vlan 11
[L2_SwitchA-vlan11] port ethernet 1/1
[L2_SwitchA-vlan11] quit
# Assign Ethernet 1/2 to VLAN 12.
<Router> system-view
[Router] interface GigabitEthernet 4/0/1.10
[Router-GigabitEthernet4/0/1.10] ip address 1.1.1.11 255.255.255.0
# Enable Dot1q termination on GigabitEthernet 4/0/1.10, and configure the subinterface to terminate VLAN-tagged packets whose Layer 1 VLAN ID is 11, 12, or 13.
[Router-GigabitEthernet4/0/1.10] vlan-type dot1q vid 11 to 13
[Router-GigabitEthernet4/0/1.10] quit
# Configure an IP address for GigabitEthernet4/0/2.
2. Configure related PPPoE settings on GigabitEthernet 4/0/1.10. For more information about the PPPoE configuration, see Layer 2—WAN Configuration Guide.
Unambiguous QinQ termination configuration example
Network requirements
As shown in Figure 61, Host A connects to Layer 2 Switch A and belongs to VLAN 11. Host B connects to Layer 2 Switch C, which supports only single VLAN-tagged packets.
[L2_SwitchA-Ethernet1/1] port hybrid vlan 100 untagged
3. Configure Layer 2 Switch B:
# Configure Ethernet 1/2 as a trunk port, configure its PVID as VLAN 100, and assign the port to VLAN 11 and VLAN 100.
Figure 62 Network diagram
Configuration procedure
1. Configure Host A, Host B, and Host C:
   • Configure the IP addresses of Host A, Host B, and Host C as 1.1.1.1/24, 1.1.1.2/24, and 1.1.1.3/24, respectively.
   • Configure the gateway address as 1.1.1.11/24 for the hosts.
2. Configure Layer 2 Switch A:
# Assign Ethernet 1/1 to VLAN 11.
<L2_SwitchA> system-view
[L2_SwitchA] vlan 11
[L2_SwitchA-vlan11] port ethernet 1/1
[L2_SwitchA-vlan11] quit
# Assign Ethernet 1/2 to VLAN 12.
3. Configure L2 Switch B:
# Configure Ethernet 1/2 as a trunk port, configure its PVID as VLAN 100, and assign the port to VLANs 11 through 13 and VLAN 100.
<L2_SwitchB> system-view
[L2_SwitchB] interface ethernet 1/2
[L2_SwitchB-Ethernet1/2] port link-type trunk
[L2_SwitchB-Ethernet1/2] port trunk pvid vlan 100
[L2_SwitchB-Ethernet1/2] port trunk permit vlan 11 to 13 100
# Enable basic QinQ on Ethernet 1/2, and configure the port to add outer VLAN tag 100 to packets tagged with VLANs 11 through 13.
Figure 63 Network diagram
Configuration procedure
1. Configure VLANs and QinQ termination. For the configuration procedure, see "Ambiguous QinQ termination configuration example."
2. Configure related PPPoE settings on GigabitEthernet 4/0/1.10. For more information about the PPPoE configuration, see Layer 2—WAN Configuration Guide.
Figure 64 Network diagram
Configuration procedure
1. Configure DHCP relay agent Provider A:
# Enable DHCP service.
<ProviderA> system-view
[ProviderA] dhcp enable
# Create the DHCP server group.
[ProviderA] dhcp relay server-group 1 ip 10.2.1.1
# Create a Layer 3 Ethernet subinterface GigabitEthernet 4/0/1.100.
[ProviderA] interface GigabitEthernet 4/0/1.100
# Configure subinterface GigabitEthernet 4/0/1.100 to terminate packets whose Layer 2 VLAN ID is 10 or 20.
[ProviderA-GigabitEthernet4/0/1.
[ProviderA-GigabitEthernet4/0/1.100] quit
# Assign an IP address to the interface connecting to the DHCP server.
[ProviderA] interface serial 2/1/1
[ProviderA-Serial2/1/1] ip address 10.1.1.1 24
2. Configure DHCP server Provider B:
# Assign an IP address to the DHCP server.
<ProviderB> system-view
[ProviderB] interface serial 2/1/1
[ProviderB-Serial2/1/1] ip address 10.2.1.1 24
[ProviderB-Serial2/1/1] quit
# Enable DHCP.
[ProviderB] dhcp enable
# Configure an IP address pool on the DHCP server.
# Configure Ethernet 1/1 as a trunk port and assign it to VLAN 20.
[SwitchB] interface ethernet 1/1
[SwitchB-Ethernet1/1] port link-type trunk
[SwitchB-Ethernet1/1] port trunk permit vlan 20
5. Configure Switch C:
# Add Ethernet 1/2 to VLAN 10.
<SwitchC> system-view
[SwitchC] vlan 10
[SwitchC-vlan10] port ethernet 1/2
[SwitchC-vlan10] quit
# Configure Ethernet 1/1 as a trunk port and assign it to VLAN 10.
Configuring VLAN mapping
VLAN mapping is supported on SAP modules that are operating in bridge mode.
Overview
VLAN mapping re-marks VLAN tagged traffic with new VLAN IDs. HP provides the following types of VLAN mapping:
• One-to-one VLAN mapping—Replaces one VLAN tag with another. You can use one-to-one VLAN mapping to sub-classify traffic from a particular VLAN for granular QoS control.
• Many-to-one VLAN mapping—Replaces multiple VLAN tags with the same VLAN tag.
Figure 65 Application scenario of one-to-one and many-to-one VLAN mapping
To further sub-classify each type of traffic by customer, perform one-to-one VLAN mapping on the building devices, assigning a separate VLAN for each type of traffic from each customer. The required total number of VLANs in the network can be very large.
Figure 66 Application scenario of one-to-two and two-to-two VLAN mapping
Site 1 and Site 2 are in VLAN 2 and VLAN 3, respectively. The VLAN assigned for VPN A is VLAN 10 in the SP 1 network and VLAN 20 in the SP 2 network.
Figure 67 Basic concepts of VLAN mapping
These basic concepts include:
• Uplink traffic—Traffic transmitted from the customer network to the service provider network.
• Downlink traffic—Traffic transmitted from the service provider network to the customer network.
• Network-side port—A port connected to or closer to the service provider network.
• Customer-side port—A port connected to or closer to the customer network.
Figure 68 One-to-one VLAN mapping implementation
Many-to-one VLAN mapping
Implement many-to-one VLAN mapping through the following configurations, as shown in Figure 69:
• Apply an uplink policy to incoming traffic on the customer-side port to map different CVLAN IDs to one SVLAN ID. When a packet arrives, the switch replaces its CVLAN tag with the matching SVLAN tag.
• Configure the network-side port as a DHCP snooping trusted port.
Figure 70 One-to-two VLAN mapping
Two-to-two VLAN mapping
Implement two-to-two VLAN mapping through the following configurations, as shown in Figure 71.
• For uplink traffic, apply an inbound policy on the customer-side port to replace the SVLAN with a new SVLAN, and apply an outbound policy on the network-side port to replace the CVLAN with a new CVLAN.
• For downlink traffic, apply an outbound policy on the customer-side port to replace the double tags with the original VLAN tag pair.
Configuring one-to-one VLAN mapping
Perform one-to-one VLAN mapping on building devices (see Figure 65) to isolate traffic by both user and traffic type.
Complete the following tasks to configure one-to-one VLAN mapping:
Task: Remarks
Configuring an uplink policy: Creates CVLAN-to-SVLAN mappings (required).
Configuring a downlink policy: Creates SVLAN-to-CVLAN mappings (required).
Configuring the customer-side port: Configures settings required for one-to-one VLAN mapping (required).
Step / Command / Remarks
5. Associate the class with the behavior to map the CVLAN to the SVLAN.
   Command: classifier tcl-name behavior behavior-name
   Remarks: Repeat this step to create other CVLAN-to-SVLAN mappings.
Configuring a downlink policy
To configure a downlink policy to map SVLANs back to CVLANs:
Step / Command / Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Configure one class for an SVLAN.
   a. Create a class and enter class view: traffic classifier tcl-name [ operator { and | or } ]
   b.
Step / Command / Remarks
2. Enter Ethernet interface view.
   • Enter Layer 2 Ethernet interface view: interface interface-type interface-number
   • Ethernet port group view: port-group manual port-group-name
   Remarks: N/A
3. Configure the link type of the port.
   • Configure the port as a trunk port: port link-type trunk
   • Configure the port as a hybrid port: port link-type hybrid
   Remarks: Use one of the commands. The default link type of an Ethernet port is access.
4. Assign the port to all CVLANs.
   • As a trunk port:
Step / Command / Remarks
3. Configure the link type of the port.
   • Configure the port as a trunk port: port link-type trunk
   • Configure the port as a hybrid port: port link-type hybrid
   Remarks: Use one of the commands. The default link type of an Ethernet port is access.
4. Assign the port to all CVLANs.
   • As a trunk port: port trunk permit vlan { vlan-list | all }
   • As a hybrid port: port hybrid vlan vlan-list tagged
   Remarks: Use one of the commands. By default:
   • A trunk port is assigned to only VLAN 1.
Step / Command / Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable DHCP snooping.
   Command: dhcp-snooping
   Remarks: By default, DHCP snooping is disabled.
Enabling ARP detection in SVLANs
The ARP detection function enables a switch to modify the VLAN attributes of ARP packets, which is impossible under the normal ARP packet processing procedure. For more information about ARP detection, see Security Configuration Guide.
To enable ARP detection in all SVLANs:
Step / Command / Remarks
1. Enter system view.
Step / Command / Remarks
3. Configure one behavior for an SVLAN.
   a. Create a traffic behavior and enter traffic behavior view: traffic behavior behavior-name
   b. Configure an SVLAN marking action: remark service-vlan-id vlan-id
   c. Return to system view: quit
   Remarks: Repeat this step to configure one behavior for each SVLAN.
4. Create a QoS policy and enter QoS policy view.
   Command: qos policy policy-name
   Remarks: N/A
5. Map the CVLANs to the SVLAN by associating the class with the behavior.
Step / Command / Remarks
6. Apply the uplink policy to incoming traffic.
   Command: qos apply policy policy-name inbound
   Remarks: N/A
Configuring the network-side port
Step / Command / Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   • Enter Layer 2 Ethernet interface view: interface interface-type interface-number
   • Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number
   Remarks: N/A
3. Configure the link type of the port.
   • Configure the port as a trunk
Task: Remarks
Configuring an uplink policy: Configures an uplink policy for the customer-side port (required).
Configuring the customer-side port: Configures VLAN and other settings required for one-to-two VLAN mapping (required).
Configuring the network-side port: Configures VLAN and other settings required for one-to-two VLAN mapping (required).
Configuration prerequisites
Create VLANs, and plan CVLAN-to-SVLAN mappings.
Configuring the customer-side port
Step / Command / Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enter interface view.
   • Enter Layer 2 Ethernet interface view: interface interface-type interface-number
   • Ethernet port group view: port-group manual port-group-name
   Remarks: N/A
3. Configure the port as a hybrid port.
   Command: port link-type hybrid
   Remarks: The default link type of an Ethernet port is access.
4. Assign the port to the SVLANs as an untagged member.
Step / Command / Remarks
4. Assign the port to all SVLANs.
   • As a trunk port: port trunk permit vlan { vlan-list | all }
   • As a hybrid port: port hybrid vlan vlan-list tagged
   Remarks: By default:
   • A trunk port is assigned to only VLAN 1.
   • A hybrid port is an untagged member of VLAN 1.
Configuring two-to-two VLAN mapping
Perform two-to-two VLAN mapping on an edge device that connects two SP networks, for example, on PE 3 in Figure 66.
Step / Command / Remarks
2. Configure one class for a foreign CVLAN and SVLAN pair.
   a. Create a class and enter class view: traffic classifier tcl-name [ operator and ]
   b. Specify a foreign CVLAN as a match criterion: if-match customer-vlan-id vlan-id
   c. Specify a foreign SVLAN as a match criterion: if-match service-vlan-id vlan-id
   d. Return to system view: quit
   Remarks: Repeat this step to create one class for each foreign CVLAN and SVLAN pair.
   a.
Step / Command / Remarks
2. Create one class for a local SVLAN and foreign CVLAN pair.
   a. Create a class and enter class view: traffic classifier tcl-name [ operator and ]
   b. Specify a foreign CVLAN as a match criterion: if-match customer-vlan-id vlan-id
   c. Specify a local SVLAN as a match criterion: if-match service-vlan-id vlan-id
   d. Return to system view: quit
   Remarks: Repeat this step to create one class for each local SVLAN and foreign CVLAN pair.
3.
Step / Command / Remarks
2. Create one class for a local CVLAN and SVLAN pair.
   a. Create a class and enter class view: traffic classifier tcl-name [ operator and ]
   b. Specify a local CVLAN as a match criterion: if-match customer-vlan-id vlan-id
   c. Specify a local SVLAN as a match criterion: if-match service-vlan-id vlan-id
   d. Return to system view: quit
   Remarks: Repeat this step to create one class for each local CVLAN and SVLAN pair.
   a.
Step / Command / Remarks
2. Enter interface view.
   • Enter Layer 2 Ethernet interface view: interface interface-type interface-number
   • Ethernet port group view: port-group manual port-group-name
   Remarks: N/A
3. Configure the link type of the port.
   • Configure the port as a trunk port: port link-type trunk
   • Configure the port as a hybrid port: port link-type hybrid
   Remarks: Use one of the commands. The default link type of an Ethernet port is access.
4. Assign the port to all CVLANs.
   • As a trunk port:
Step / Command / Remarks
4. Assign the port to all CVLANs.
   • As a trunk port: port trunk permit vlan { vlan-list | all }
   • As a hybrid port: port hybrid vlan vlan-list tagged
   Remarks: By default:
   • A trunk port is assigned to only VLAN 1.
   • A hybrid port is an untagged member of VLAN 1.
5. Apply the uplink policy for the network-side port to outgoing traffic.
   Command: qos apply policy policy-name outbound
   Remarks: N/A
VLAN mapping configuration examples
Packets sent by PCs are VLAN untagged.
Figure 72 Network diagram
Configuration procedure
1. Configure Router A:
# Create the CVLANs and the SVLANs.
<RouterA> system-view
[RouterA] vlan 2 to 3
[RouterA] vlan 101 to 102
[RouterA] vlan 201 to 202
[RouterA] vlan 301 to 302
# Configure uplink policies p1 and p2 to enable one SVLAN to transmit one service for one customer.
[RouterA-classifier-c1] traffic classifier c2
[RouterA-classifier-c2] if-match customer-vlan-id 2
[RouterA-classifier-c2] traffic classifier c3
[RouterA-classifier-c3] if-match customer-vlan-id 3
[RouterA-classifier-c3] quit
[RouterA] traffic behavior b1
[RouterA-behavior-b1] remark service-vlan-id 101
[RouterA-behavior-b1] traffic behavior b2
[RouterA-behavior-b2] remark service-vlan-id 201
[RouterA-behavior-b2] traffic behavior b3
[RouterA-behavior-b3] remark service-vlan-id 301
[RouterA-behavior-b3] traf
[RouterA-behavior-b33] quit
[RouterA] qos policy p11
[RouterA-policy-p11] classifier c11 behavior b11
[RouterA-policy-p11] classifier c22 behavior b22
[RouterA-policy-p11] classifier c33 behavior b33
[RouterA-policy-p11] quit
[RouterA] qos policy p22
[RouterA-policy-p22] classifier c44 behavior b11
[RouterA-policy-p22] classifier c55 behavior b22
[RouterA-policy-p22] classifier c66 behavior b33
[RouterA-policy-p22] quit
# Assign customer-side port GigabitEthernet 4/0/1 to CVLANs 1 to 3, and SVLANs 101, 201
[RouterC-vlan301] vlan 102
[RouterC-vlan102] arp detection enable
[RouterC-vlan102] vlan 202
[RouterC-vlan202] arp detection enable
[RouterC-vlan202] vlan 302
[RouterC-vlan302] arp detection enable
[RouterC-vlan302] vlan 103
[RouterC-vlan103] arp detection enable
[RouterC-vlan103] vlan 203
[RouterC-vlan203] arp detection enable
[RouterC-vlan203] vlan 303
[RouterC-vlan303] arp detection enable
[RouterC-vlan303] vlan 104
[RouterC-vlan104] arp detection enable
[RouterC-vlan104] vlan 204
[RouterC-vlan204] arp d
[RouterC-policy-p1] classifier c1 behavior b1 mode dot1q-tag-manipulation
[RouterC-policy-p1] classifier c2 behavior b2 mode dot1q-tag-manipulation
[RouterC-policy-p1] classifier c3 behavior b3 mode dot1q-tag-manipulation
[RouterC-policy-p1] quit
[RouterC] qos policy p2
[RouterC-policy-p2] classifier c4 behavior b1 mode dot1q-tag-manipulation
[RouterC-policy-p2] classifier c5 behavior b2 mode dot1q-tag-manipulation
[RouterC-policy-p2] classifier c6 behavior b3 mode dot1q-tag-manipulation
[RouterC-policy-p2]
One-to-two and two-to-two VLAN mapping configuration example
Network requirements
As shown in Figure 73, two VPN A branches, Site 1 and Site 2, are in VLAN 10 and VLAN 30, respectively. The two sites use different VPN access services from different service providers, SP 1 and SP 2. SP 1 assigns VLAN 100 for Site 1, and SP 2 assigns VLAN 200 for Site 2. Configure one-to-two and two-to-two VLAN mappings to enable the two branches to communicate across networks SP 1 and SP 2.
[PE1-GigabitEthernet4/0/1] quit
# Configure network-side port GigabitEthernet 4/0/2 as a trunk port, and assign it to VLAN 100.
[PE1] interface GigabitEthernet 4/0/2
[PE1-GigabitEthernet4/0/2] port link-type trunk
[PE1-GigabitEthernet4/0/2] port trunk permit vlan 100
2. Configure PE 2:
# Configure port GigabitEthernet 4/0/1 as a trunk port, and assign it to VLAN 100.
[PE3-classifier-up_uplink] if-match customer-vlan-id 10
[PE3-classifier-up_uplink] if-match service-vlan-id 200
[PE3-classifier-up_uplink] quit
[PE3] traffic behavior up_uplink
[PE3-behavior-up_uplink] remark customer-vlan-id 30
[PE3-behavior-up_uplink] quit
[PE3] qos policy up_uplink
[PE3-qospolicy-up_uplink] classifier up_uplink behavior up_uplink
[PE3-qospolicy-up_uplink] quit
# Configure customer-side port GigabitEthernet 4/0/1 as a trunk port, assign it to VLAN 200, and apply uplink policy down_uplink
[PE4-GigabitEthernet4/0/2] qinq enable
[PE4-GigabitEthernet4/0/2] qos apply policy test inbound
Configuring LLDP
Overview
In a heterogeneous network, having a standard configuration exchange platform ensures that different types of network devices from different vendors can discover one another and exchange configuration information for the sake of interoperability and management.
The Link Layer Discovery Protocol (LLDP) is specified in IEEE 802.1AB. The protocol operates on the data link layer to exchange device information between directly connected devices.
Field: Description
FCS: Frame check sequence, a 32-bit CRC value used to determine the validity of the received Ethernet frame.
2. LLDPDU encapsulated in SNAP
Figure 75 LLDPDU encapsulated in SNAP
Table 21 Fields in a SNAP-encapsulated LLDPDU
Field: Description
Destination MAC address: MAC address to which the LLDPDU is advertised. It is fixed at 0x0180-C200-000E, a multicast MAC address.
Source MAC address: MAC address of the sending port.
Type: SNAP type for the upper layer protocol.
• Basic management TLVs
• Organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs
• LLDP-MED (media endpoint discovery) TLVs
Basic management TLVs are essential to device management. Organizationally specific TLVs and LLDP-MED TLVs are used for enhanced device management, and they are defined by standardization or other organizations and are optional to LLDPDUs.
1. Basic management TLVs:
Table 22 lists the basic management TLV types.
NOTE:
• The router supports only receiving protocol identity TLVs and does not support DCBX TLVs.
• Layer 3 Ethernet ports do not support IEEE 802.1 organizationally specific TLVs.
3. IEEE 802.3 organizationally specific TLVs
Table 24 IEEE 802.3 organizationally specific TLVs
Type: Description
MAC/PHY Configuration/Status: Contains the bit-rate and duplex capabilities of the sending port, support for auto negotiation, enabling status of auto negotiation, and the current rate and duplex mode.
Type: Description
Serial Number: Allows a terminal device to advertise its serial number.
Manufacturer Name: Allows a terminal device to advertise its vendor name.
Model Name: Allows a terminal device to advertise its model name.
Asset ID: Allows a terminal device to advertise its asset ID. The typical case is that the user specifies the asset ID for the endpoint to assist directory management and asset tracking.
Receiving LLDPDUs
An LLDP-enabled port that is operating in TxRx mode or Rx mode checks the validity of TLVs carried in every received LLDPDU. If valid, the information is saved and an aging timer is set for it based on the TTL value in the Time to Live TLV carried in the LLDPDU. If the TTL value is zero, the information ages out immediately.
Protocols and standards
• IEEE 802.
Step / Command / Remarks
1. Enter system view.
   Command: system-view
   Remarks: N/A
2. Enable LLDP globally.
   Command: lldp enable
   Remarks: LLDP is globally disabled.
3. Enter Ethernet interface view or port group view.
   • Enter Layer 2/Layer 3 Ethernet interface view: interface interface-type interface-number
   • Enter port group view: port-group manual port-group-name
   Remarks: Use either command.
4. Enable LLDP.
   Command: lldp enable
   Remarks: Optional. By default, LLDP is enabled on a port.
Step | Command | Remarks
2. Set the LLDP re-initialization delay. | lldp timer reinit-delay delay | Optional. The default setting is 2 seconds.

Enabling LLDP polling

With LLDP polling enabled, a device periodically searches for local configuration changes. On detecting a configuration change, the device sends LLDPDUs to inform neighboring devices of the change.

To enable LLDP polling:

Step | Command | Remarks
1. Enter system view. | system-view | N/A
• Enter Layer 2/Layer 3 Ethernet interface 2.
Step | Command | Remarks
4. Configure the advertisable TLVs in Layer 3 Ethernet interface view. | lldp tlv-enable { basic-tlv { all | port-description | system-capability | system-description | system-name } | dot3-tlv { all | link-aggregation | mac-physic | max-frame-size | power } | med-tlv { all | capability | inventory | location-id { civic-address device-type country-code { ca-type ca-value }&<1-10> | elin-address tel-number } | power-over-ethernet } } | Optional.
Step | Command | Remarks
4. Configure the encoding format of the management address as a character string. | lldp management-address-format string | Optional. By default, the management address is encapsulated in numeric format.

Setting other LLDP parameters

The Time to Live TLV carried in an LLDPDU determines how long the device information carried in the LLDPDU can be saved on a recipient device.
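The receive-side handling described under "Receiving LLDPDUs" and the Time to Live behavior stated above can be sketched as follows. This is an added Python example, not HP's implementation or code from this guide: the validity checks follow the IEEE 802.1AB TLV framing (an assumption about what the router checks), and `NeighborTable`, `parse_tlvs` and the sample LLDPDU are hypothetical and constructed.

```python
import struct
CHASSIS_ID, PORT_ID, TTL, END = 1, 2, 3, 0   # mandatory TLV types (IEEE 802.1AB)

def tlv(tlv_type: int, value: bytes) -> bytes:
    """Encode one TLV: 7-bit type and 9-bit length in a 2-byte header, then the value."""
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value

def parse_tlvs(payload: bytes):
    """Split an LLDPDU into (type, value) pairs; raise ValueError if it is malformed."""
    tlvs, off = [], 0
    while off + 2 <= len(payload):
        (hdr,) = struct.unpack_from("!H", payload, off)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        off += 2
        if off + length > len(payload):
            raise ValueError("TLV length runs past the end of the LLDPDU")
        if tlv_type == END:
            break
        tlvs.append((tlv_type, payload[off:off + length]))
        off += length
    if [t for t, _ in tlvs[:3]] != [CHASSIS_ID, PORT_ID, TTL]:
        raise ValueError("mandatory TLVs missing or out of order")
    if len(tlvs[2][1]) != 2:
        raise ValueError("Time to Live value must be 2 bytes")
    return tlvs

class NeighborTable:
    """Hypothetical neighbor cache keyed by (chassis ID, port ID), aged by the received TTL."""
    def __init__(self):
        self.entries = {}                      # key -> (expiry time, TLVs)
    def receive(self, payload: bytes, now: float) -> bool:
        try:
            tlvs = parse_tlvs(payload)
        except ValueError:
            return False                       # invalid LLDPDU: discard, existing entry untouched
        key = (tlvs[0][1], tlvs[1][1])
        (ttl,) = struct.unpack("!H", tlvs[2][1])
        if ttl == 0:
            self.entries.pop(key, None)        # TTL 0: the information ages out immediately
        else:
            self.entries[key] = (now + ttl, tlvs)   # (re)start the aging timer
        return True
    def age(self, now: float) -> None:         # remove entries whose aging timer has expired
        self.entries = {k: v for k, v in self.entries.items() if v[0] > now}

def sample_lldpdu(ttl: int) -> bytes:
    """Constructed sample: chassis ID (MAC subtype), port ID (interface-name subtype), TTL, End."""
    return (tlv(CHASSIS_ID, b"\x04\x00\x11\x22\x33\x44\x55") + tlv(PORT_ID, b"\x05GE4/0/1")
            + tlv(TTL, struct.pack("!H", ttl)) + tlv(END, b""))
```

Because a TTL of zero removes the entry at once, a receiver that accepts LLDPDUs from untrusted ports lets any attached device withdraw or replace the neighbor information recorded for that port, which is one reason to restrict LLDP to the ports that need it.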
• Ethernet II encapsulation—An LLDP port sends LLDPDUs in Ethernet II frames and processes only incoming Ethernet II encapsulated LLDPDUs.
• SNAP encapsulation—An LLDP port sends LLDPDUs in SNAP frames and processes only incoming SNAP encapsulated LLDPDUs.

By default, LLDPDUs are encapsulated in Ethernet II frames. If neighbor devices encapsulate LLDPDUs in SNAP frames, configure the encapsulation format for LLDPDUs as SNAP to guarantee normal communication with neighbors.
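The two encapsulations differ only in the bytes between the source MAC address and the LLDPDU, which is why a mismatch makes a neighbor silently disappear. The following added Python example (not from this guide) classifies a frame and applies the rule above; the function names and sample frames are hypothetical and constructed, and the frames are assumed to be untagged.

```python
import struct

LLDP_ETHERTYPE = 0x88CC
# LLC header AA-AA-03, OUI 00-00-00, then the LLDP protocol ID 88-CC
SNAP_LLDP = bytes.fromhex("aaaa03" "000000" "88cc")

def lldp_encapsulation(frame: bytes):
    """Return ("ethernet-ii" or "snap", LLDPDU bytes), or (None, b"") if the frame is not LLDP."""
    if len(frame) < 14:
        return None, b""
    (type_or_len,) = struct.unpack_from("!H", frame, 12)
    if type_or_len == LLDP_ETHERTYPE:
        return "ethernet-ii", frame[14:]
    # A value up to 1500 is an 802.3 length field, so an LLC/SNAP header follows it.
    if type_or_len <= 1500 and frame[14:22] == SNAP_LLDP:
        return "snap", frame[22:14 + type_or_len]
    return None, b""

def port_processes(frame: bytes, configured: str) -> bool:
    """The rule above: a port handles only LLDPDUs that use its configured encapsulation."""
    encap, _ = lldp_encapsulation(frame)
    return encap == configured

def sample_frames():
    """Constructed untagged frames carrying the same LLDPDU in both encapsulations."""
    dst, src = bytes.fromhex("0180c200000e"), bytes.fromhex("001122334455")
    lldpdu = bytes.fromhex("0207040011223344550403053031060200780000")
    eth2 = dst + src + struct.pack("!H", LLDP_ETHERTYPE) + lldpdu
    snap = dst + src + struct.pack("!H", len(SNAP_LLDP) + len(lldpdu)) + SNAP_LLDP + lldpdu
    return eth2, snap, lldpdu
```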
• TxRx—CDP packets can be transmitted and received.
• Disable—CDP packets can be neither transmitted nor received.

LLDP traps are sent periodically, and the interval is configurable.

To make CDP-compatible LLDP take effect on specific ports, first enable CDP-compatible LLDP globally, and then configure CDP-compatible LLDP to operate in TxRx mode.

The maximum TTL value that CDP allows is 255 seconds.
Step | Command | Remarks
5. Set the LLDP trap transmit interval. | lldp timer notification-interval interval | Optional. The default setting is 5 seconds.

Displaying and maintaining LLDP

Task | Command | Remarks
Display global LLDP information or information contained in LLDP TLVs to be sent through a port. | display lldp local-information [ global | interface interface-type interface-number ] [ | { begin | exclude | include } regular-expression ] | Available in any view.
Figure 77 Network diagram

Configuration procedure

1. Configure Router A:

# Enable LLDP globally.
<RouterA> system-view
[RouterA] lldp enable

# Enable LLDP on GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2. (You can skip this step because LLDP is enabled on ports by default.) Set the LLDP operating mode to Rx.
Transmit delay : 2s
Trap interval : 5s
Fast start times : 3
Port 1 [GigabitEthernet4/0/1]:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Polling interval : 0s
Number of neighbors: 1
Number of MED neighbors : 1
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 0
Port 2 [GigabitEthernet4/0/2]:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Polling interval : 0s
Number of neighbors: 1
Number of
Polling interval : 0s
Number of neighbors : 1
Number of MED neighbors : 1
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 5
Port 2 [GigabitEthernet4/0/2]:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
Polling interval : 0s
Number of neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 0

As shown in the sample output, GigabitEthernet
[Router] interface GigabitEthernet 4/0/2
[Router-GigabitEthernet4/0/2] port link-type trunk
[Router-GigabitEthernet4/0/2] voice vlan 2 enable
[Router-GigabitEthernet4/0/2] quit

2. Configure CDP-compatible LLDP on Router:

# Enable LLDP globally and enable LLDP to be compatible with CDP globally.
[Router] lldp enable
[Router] lldp compliance cdp

# Enable LLDP on GigabitEthernet 4/0/1 and GigabitEthernet 4/0/2. (You can skip this step because LLDP is enabled on ports by default.
Support and other resources

Contacting HP

For worldwide technical support information, see the HP support website: http://www.hp.
Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention | Description
Boldface | Bold text represents commands and keywords that you enter literally as shown.
Italic | Italic text represents arguments that you replace with actual values.
[] | Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... } | Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.
Network topology icons

• Represents a generic network device, such as a router, switch, or firewall.
• Represents a routing-capable device, such as a router or Layer 3 switch.
• Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that supports Layer 2 forwarding and other Layer 2 features.
• Represents an access controller, a unified wired-WLAN module, or the switching engine on a unified wired-WLAN switch.
• Represents an access point.