HPE FlexFabric 5940 Switch Series

Layer 2—LAN Switching Configuration Guide

Part number: 5200-1018b

Software version: Release 25xx
Document version: 6W102-20170830
© Copyright 2017 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
Contents
Configuring Ethernet interfaces ···························································1
Ethernet interface naming conventions ··························································································· 1
Configuring a management Ethernet interface ·················································································· 1
Configuring common Ethernet interface settings ··············································································· 1
Splitting a 40-GE interface and combining 10-GE breakout interfaces ············································· 2
Configuring basic settings of an Ethernet interface or subinterface ················································· 3
Configuring the link mode of an Ethernet interface ······································································ 4
Configuring jumbo frame support ···························································································· 5
Configuring physical state change suppression on an Ethernet interface ········································· 5
Enabling loopback testing on an Ethernet interface ····································································· 6
Configuring generic flow control on an Ethernet interface ····························································· 7
Configuring PFC on an Ethernet interface ················································································· 7
Enabling energy saving features on an Ethernet interface ···························································· 8
Setting the statistics polling interval ························································································· 9
Configuring storm suppression ····························································································· 10
Configuring a Layer 2 Ethernet interface ······················································································· 11
Configuring storm control on an Ethernet interface ··································································· 11
Forcibly bringing up a fiber port ···························································································· 12
Setting the MDIX mode of an Ethernet interface ······································································· 14
Testing the cable connection of an Ethernet interface································································ 14
Enabling bridging on an Ethernet interface ·············································································· 15
Setting the interface connection distance ················································································ 15
Configuring a Layer 3 Ethernet interface or subinterface··································································· 16
Setting the MTU for an Ethernet interface or subinterface ·························································· 16
Setting the MAC address of an Ethernet interface or subinterface ················································ 16
Displaying and maintaining an Ethernet interface or subinterface ······················································· 16
Configuring loopback, null, and inloopback interfaces ···························· 18
Configuring a loopback interface ································································································· 18
Configuring a null interface········································································································· 18
Configuring an inloopback interface ····························································································· 19
Displaying and maintaining loopback, null, and inloopback interfaces ·················································· 19
Bulk configuring interfaces ······························································· 20
Configuration restrictions and guidelines ······················································································· 20
Configuration procedure ············································································································ 20
Displaying and maintaining bulk interface configuration ···································································· 21
Configuring the MAC address table ···················································· 22
Overview ································································································································ 22
How a MAC address entry is created ····················································································· 22
Types of MAC address entries ····························································································· 22
MAC address table configuration task list ······················································································ 23
Configuring MAC address entries ································································································ 24
Configuration guidelines ····································································································· 24
Adding or modifying a static or dynamic MAC address entry globally ············································ 24
Adding or modifying a static or dynamic MAC address entry on an interface ·································· 25
Adding or modifying a blackhole MAC address entry ································································· 25
Adding or modifying a multiport unicast MAC address entry ························································ 25
Disabling MAC address learning ································································································· 26
Disabling global MAC address learning ·················································································· 27
Disabling MAC address learning on interfaces ········································································· 27
Disabling MAC address learning on a VLAN············································································ 27
Setting the aging timer for dynamic MAC address entries ································································· 28
Setting the MAC learning limit ····································································································· 28
Configuring the unknown frame forwarding rule after the MAC learning limit is reached ·························· 29
Assigning MAC learning priority to interfaces ················································································· 29

i
 Enabling MAC address synchronization ························································································ 30
Configuring MAC address move notifications and suppression ·························································· 31
Enabling ARP fast update for MAC address moves ········································································· 32
Disabling static source check······································································································ 33
Enabling conversational remote MAC learning ··············································································· 34
Enabling SNMP notifications for the MAC address table ··································································· 34
Displaying and maintaining the MAC address table ········································································· 35
MAC address table configuration example ····················································································· 35
Network requirements ········································································································ 35
Configuration procedure ····································································································· 36
Verifying the configuration ··································································································· 36
Configuring MAC Information ···························································· 37
Enabling MAC Information ········································································································· 37
Configuring the MAC Information mode ························································································ 37
Setting the MAC change notification interval ·················································································· 38
Setting the MAC Information queue length ···················································································· 38
MAC Information configuration example ························································································ 38
Network requirements ········································································································ 38
Configuration restrictions and guidelines ················································································ 38
Configuration procedure ····································································································· 39
Configuring Ethernet link aggregation ················································· 41
Basic concepts ························································································································ 41
Aggregation group, member port, and aggregate interface ························································· 41
Aggregation states of member ports in an aggregation group ······················································ 41
Operational key················································································································· 42
Configuration types ············································································································ 42
Link aggregation modes ······································································································ 43
Aggregating links in static mode ·································································································· 43
Choosing a reference port ··································································································· 43
Setting the aggregation state of each member port ··································································· 43
Aggregating links in dynamic mode ······························································································ 44
LACP ······························································································································ 45
How dynamic link aggregation works ····················································································· 46
Edge aggregate interface··········································································································· 48
Load sharing modes for link aggregation groups ············································································· 48
Ethernet link aggregation configuration task list ·············································································· 48
Configuring an aggregation group································································································ 49
Configuration restrictions and guidelines ················································································ 49
Configuring a Layer 2 aggregation group ················································································ 49
Configuring a Layer 3 aggregation group ················································································ 51
Configuring an aggregate interface ······························································································ 52
Configuring the description of an aggregate interface ································································ 52
Setting the MAC address for an aggregate interface ································································· 53
Specifying ignored VLANs for a Layer 2 aggregate interface ······················································· 53
Setting the MTU for a Layer 3 aggregate interface ···································································· 54
Setting the minimum and maximum numbers of Selected ports for an aggregation group ················· 54
Setting the expected bandwidth for an aggregate interface ························································· 55
Configuring an edge aggregate interface ················································································ 55
Enabling BFD for an aggregation group·················································································· 56
Shutting down an aggregate interface ···················································································· 57
Restoring the default settings for an aggregate interface ···························································· 57
Configuring load sharing for link aggregation groups ······································································· 58
Setting load sharing modes for link aggregation groups ····························································· 58
Enabling local-first load sharing for link aggregation ·································································· 59
Configuring link aggregation load sharing algorithm settings ······················································· 59
Setting the global load sharing mode for MAC-in-MAC traffic ······················································ 60
Enabling link-aggregation traffic redirection ··················································································· 60
Configuration restrictions and guidelines ················································································ 61
Configuration procedure ····································································································· 61
Forwarding the traffic of specified VLANs out of a fixed member port on an aggregate link ······················ 61

ii
 Excluding a subnet from load sharing on aggregate links ·································································· 62
Displaying and maintaining Ethernet link aggregation ······································································ 63
Ethernet link aggregation configuration examples ··········································································· 64
Layer 2 static aggregation configuration example ····································································· 64
Layer 2 dynamic aggregation configuration example ································································· 66
Layer 2 aggregation load sharing configuration example ···························································· 68
Layer 2 edge aggregate interface configuration example ··························································· 70
Layer 3 static aggregation configuration example ····································································· 71
Layer 3 dynamic aggregation configuration example ································································· 73
Layer 3 aggregation load sharing configuration example ···························································· 74
Layer 3 edge aggregate interface configuration example ··························································· 76
Configuring port isolation ································································· 78
Assigning a port to an isolation group ··························································································· 78
Displaying and maintaining port isolation ······················································································· 78
Port isolation configuration example ····························································································· 79
Network requirements ········································································································ 79
Configuration procedure ····································································································· 79
Verifying the configuration ··································································································· 79
Configuring spanning tree protocols ··················································· 81
STP ······································································································································ 81
STP protocol frames ·········································································································· 81
Basic concepts in STP ········································································································ 83
Calculation process of the STP algorithm ··············································································· 84
RSTP ···································································································································· 90
RSTP protocol frames ········································································································ 90
Basic concepts in RSTP ····································································································· 91
How RSTP works ·············································································································· 91
RSTP BPDU processing ····································································································· 92
PVST ···································································································································· 92
PVST protocol frames ········································································································ 92
Basic concepts in PVST ······································································································ 93
How PVST works ·············································································································· 93
MSTP ···································································································································· 93
MSTP features·················································································································· 93
MSTP protocol frames ········································································································ 94
MSTP basic concepts ········································································································· 95
How MSTP works ·············································································································· 98
MSTP implementation on devices ························································································· 99
Rapid transition mechanism ································································································· 99
Protocols and standards ·········································································································· 102
Spanning tree configuration task lists ························································································· 102
STP configuration task list ································································································· 103
RSTP configuration task list ······························································································· 103
PVST configuration task list ······························································································· 104
MSTP configuration task list ······························································································ 105
Setting the spanning tree mode································································································· 106
Configuring an MST region ······································································································ 106
Configuring the root bridge or a secondary root bridge ··································································· 107
Configuring the device as the root bridge of a specific spanning tree ·········································· 107
Configuring the device as a secondary root bridge of a specific spanning tree ······························ 108
Configuring the device priority··································································································· 108
Configuring the maximum hops of an MST region ········································································· 108
Configuring the network diameter of a switched network································································· 109
Setting spanning tree timers ····································································································· 109
Configuration restrictions and guidelines ·············································································· 110
Configuration procedure ··································································································· 110
Setting the timeout factor ········································································································· 111
Configuring the BPDU transmission rate ····················································································· 111
Configuring edge ports ············································································································ 112
Configuration restrictions and guidelines ·············································································· 112

iii
 Configuration procedure ··································································································· 112
Configuring path costs of ports·································································································· 112
Specifying a standard for the device to use when it calculates the default path cost ······················· 113
Configuring path costs of ports ··························································································· 115
Configuration example ······································································································ 115
Configuring the port priority ······································································································ 116
Configuring the port link type ···································································································· 116
Configuration restrictions and guidelines ·············································································· 116
Configuration procedure ··································································································· 117
Configuring the mode a port uses to recognize and send MSTP frames ············································· 117
Enabling outputting port state transition information ······································································· 118
Enabling the spanning tree feature ···························································································· 118
Enabling the spanning tree feature in STP/RSTP/MSTP mode ·················································· 118
Enabling the spanning tree feature in PVST mode ·································································· 119
Performing mCheck ················································································································ 119
Configuration restrictions and guidelines ·············································································· 119
Performing mCheck globally ······························································································ 119
Performing mCheck in interface view ··················································································· 120
Disabling inconsistent PVID protection ······················································································· 120
Configuring Digest Snooping ···································································································· 120
Configuration restrictions and guidelines ·············································································· 121
Configuration procedure ··································································································· 121
Digest Snooping configuration example ··············································································· 121
Configuring No Agreement Check ····························································································· 122
Configuration prerequisites ································································································ 123
Configuration procedure ··································································································· 124
No Agreement Check configuration example ········································································· 124
Configuring TC Snooping········································································································· 124
Configuration restrictions and guidelines ·············································································· 125
Configuration procedure ··································································································· 125
Configuring protection features ································································································· 126
Configuring BPDU guard ··································································································· 126
Enabling root guard ········································································································· 127
Enabling loop guard ········································································································· 127
Configuring port role restriction ··························································································· 128
Configuring TC-BPDU transmission restriction ······································································· 128
Enabling TC-BPDU guard ································································································· 129
Enabling BPDU drop ········································································································ 129
Enabling PVST BPDU guard ······························································································ 130
About dispute guard ········································································································· 130
Enabling the device to log events of detecting or receiving TC BPDUs ·············································· 131
Enabling BPDU transparent transmission on a port ······································································· 131
Enabling SNMP notifications for new-root election and topology change events ·································· 132
Displaying and maintaining the spanning tree ·············································································· 132
Spanning tree configuration example ························································································· 133
MSTP configuration example ····························································································· 133
PVST configuration example ······························································································ 137
Configuring loop detection ······························································ 141
Overview ······························································································································ 141
Loop detection mechanism ································································································ 141
Loop detection interval ····································································································· 142
Loop protection actions ····································································································· 142
Port status auto recovery ·································································································· 142
Loop detection configuration task list ·························································································· 143
Enabling loop detection ··········································································································· 143
Enabling loop detection globally ························································································· 143
Enabling loop detection on a port ························································································ 143
Setting the loop protection action······························································································· 144
Setting the global loop protection action ··············································································· 144
Setting the loop protection action on a Layer 2 Ethernet interface ·············································· 144
Setting the loop protection action on a Layer 2 aggregate interface ············································ 144

iv
 Setting the loop detection interval ······························································································ 144
Displaying and maintaining loop detection ··················································································· 145
Loop detection configuration example ························································································ 145
Network requirements ······································································································ 145
Configuration procedure ··································································································· 145
Verifying the configuration ································································································· 146
Configuring VLANs ······································································· 148
Overview ······························································································································ 148
VLAN frame encapsulation ································································································ 148
Protocols and standards ··································································································· 149
Configuring a VLAN ················································································································ 149
Configuring VLAN interfaces ···································································································· 150
Configuring port-based VLANs·································································································· 151
Introduction ···················································································································· 151
Assigning an access port to a VLAN ···················································································· 152
Assigning a trunk port to a VLAN ························································································ 153
Assigning a hybrid port to a VLAN ······················································································· 153
Configuring MAC-based VLANs ································································································ 154
Introduction ···················································································································· 154
General configuration restrictions and guidelines···································································· 157
Configuring static MAC-based VLAN assignment ··································································· 157
Configuring dynamic MAC-based VLAN assignment ······························································· 157
Configuring server-assigned MAC-based VLAN ····································································· 159
Configuring IP subnet-based VLANs ·························································································· 159
Configuring protocol-based VLANs ···························································································· 160
Configuring a VLAN group ······································································································· 161
Displaying and maintaining VLANs ···························································································· 161
VLAN configuration examples ··································································································· 162
Port-based VLAN configuration example ·············································································· 162
MAC-based VLAN configuration example ············································································· 164
IP subnet-based VLAN configuration example ······································································· 166
Protocol-based VLAN configuration example ········································································· 167
Configuring super VLANs ······························································· 171
Super VLAN configuration task list ····························································································· 171
Creating a sub-VLAN ·············································································································· 171
Configuring a super VLAN ······································································································· 171
Configuring a super VLAN interface ··························································································· 172
Displaying and maintaining super VLANs ···················································································· 172
Super VLAN configuration example ··························································································· 173
Network requirements ······································································································ 173
Configuration procedure ··································································································· 173
Verifying the configuration ································································································· 174
Configuring the private VLAN ·························································· 176
Configuration task list·············································································································· 176
Configuration restrictions and guidelines ····················································································· 177
Configuration procedure ·········································································································· 177
Displaying and maintaining the private VLAN ··············································································· 179
Private VLAN configuration examples ························································································· 179
Promiscuous port configuration example ·············································································· 179
Trunk promiscuous port configuration example ······································································ 182
Trunk promiscuous and trunk secondary port configuration example ·········································· 185
Secondary VLAN Layer 3 communication configuration example ··············································· 189
Configuring voice VLANs ······························································· 192
Overview ······························································································································ 192
Methods of identifying IP phones ······························································································· 192
Identifying IP phones through OUI addresses ········································································ 192
Automatically identifying IP phones through LLDP ·································································· 193
Advertising the voice VLAN information to IP phones ····································································· 193

v
 IP phone access methods ········································································································ 193
Connecting the host and the IP phone in series ····································································· 193
Connecting the IP phone to the device ················································································· 194
Voice VLAN assignment modes ································································································ 194
Automatic mode ·············································································································· 194
Manual mode ················································································································· 195
Cooperation of voice VLAN assignment modes and IP phones ················································· 195
Security mode and normal mode of voice VLANs ·········································································· 196
Voice VLAN configuration task list ····························································································· 196
Configuring the QoS priority settings for voice traffic ······································································ 197
Configuring a port to operate in automatic voice VLAN assignment mode ·········································· 198
Configuration restrictions and guidelines ·············································································· 198
Configuration procedure ··································································································· 198
Configuring a port to operate in manual voice VLAN assignment mode ············································· 199
Configuration restrictions and guidelines ·············································································· 199
Configuration procedure ··································································································· 199
Enabling LLDP for automatic IP phone discovery ·········································································· 200
Configuration restrictions and guidelines ·············································································· 200
Configuration procedure ··································································································· 200
Configuring LLDP to advertise a voice VLAN ··············································································· 200
Configuring CDP to advertise a voice VLAN ················································································ 201
Displaying and maintaining voice VLANs ···················································································· 202
Voice VLAN configuration examples ·························································································· 202
Automatic voice VLAN assignment mode configuration example ··············································· 202
Manual voice VLAN assignment mode configuration example ··················································· 204
Configuring MVRP ········································································ 206
MRP ··································································································································· 206
MRP implementation ········································································································ 206
MRP messages ·············································································································· 206
MRP timers ···················································································································· 208
MVRP registration modes ········································································································ 209
Protocols and standards ·········································································································· 209
MVRP configuration task list ····································································································· 209
Configuration restrictions and guidelines ····················································································· 209
Configuration prerequisites ······································································································ 210
Enabling MVRP ····················································································································· 210
Setting an MVRP registration mode ··························································································· 210
Setting MRP timers ················································································································ 211
Enabling GVRP compatibility ···································································································· 212
Displaying and maintaining MVRP ····························································································· 212
MVRP configuration example ··································································································· 212
Network requirements ······································································································ 212
Configuration procedure ··································································································· 213
Verifying the configuration ································································································· 216
Configuring QinQ ········································································· 223
Overview ······························································································································ 223
How QinQ works ············································································································· 223
QinQ implementations ······································································································ 224
Protocols and standards ··································································································· 225
Restrictions and guidelines ······································································································ 225
Enabling QinQ ······················································································································· 225
Configuring transparent transmission for VLANs ··········································································· 225
Configuring the TPID for VLAN tags ··························································································· 226
Configuring the TPID for CVLAN tags ·················································································· 227
Configuring the TPID for SVLAN tags ·················································································· 227
Setting the 802.1p priority in SVLAN tags ···················································································· 227
Displaying and maintaining QinQ······························································································· 228
QinQ configuration examples···································································································· 229
Basic QinQ configuration example ······················································································ 229
VLAN transparent transmission configuration example ···························································· 231

vi
Configuring VLAN mapping ···························································· 233
Overview ······························································································································ 233
VLAN mapping application scenarios ··················································································· 233
VLAN mapping implementations ························································································· 235
VLAN mapping configuration task list ························································································· 238
Configuring one-to-one VLAN mapping ······················································································· 238
Configuring many-to-one VLAN mapping ···················································································· 239
Configuring many-to-one VLAN mapping in a network with dynamic IP address assignment ··········· 239
Configuring many-to-one VLAN mapping in a network with static IP address assignment ················ 242
Configuring one-to-two VLAN mapping ······················································································· 244
Configuring two-to-two VLAN mapping ······················································································· 245
Displaying and maintaining VLAN mapping ················································································· 245
VLAN mapping configuration examples ······················································································ 245
One-to-one and many-to-one VLAN mapping configuration example ·········································· 245
One-to-two and two-to-two VLAN mapping configuration example ············································· 251
Configuring LLDP ········································································· 254
Overview ······························································································································ 254
Basic concepts ··············································································································· 254
Working mechanism ········································································································ 259
Protocols and standards ··································································································· 260
LLDP configuration task list ······································································································ 260
Performing basic LLDP configurations ························································································ 261
Enabling LLDP················································································································ 261
Setting the LLDP bridge mode ··························································································· 261
Setting the LLDP operating mode ······················································································· 261
Setting the LLDP reinitialization delay ·················································································· 262
Enabling LLDP polling ······································································································ 262
Configuring the advertisable TLVs ······················································································ 263
Configuring the management address and its encoding format ·················································· 266
Setting other LLDP parameters ·························································································· 267
Setting an encapsulation format for LLDP frames ··································································· 268
Disabling LLDP PVID inconsistency check ············································································ 269
Configuring CDP compatibility ·································································································· 269
Configuration prerequisites ································································································ 270
Configuration procedure ··································································································· 270
Configuring LLDP trapping and LLDP-MED trapping······································································ 270
Displaying and maintaining LLDP ······························································································ 271
LLDP configuration examples ··································································································· 272
Basic LLDP configuration example ······················································································ 272
CDP-compatible LLDP configuration example ······································································· 276
Configuring L2PT ········································································· 278
Overview ······························································································································ 278
Background···················································································································· 278
L2PT operating mechanism ······························································································· 279
L2PT configuration task list ······································································································ 280
Enabling L2PT ······················································································································ 280
Restrictions and guidelines ································································································ 280
Enabling L2PT for a protocol ······························································································ 280
Setting the destination multicast MAC address for tunneled packets ················································· 281
Displaying and maintaining L2PT ······························································································ 281
L2PT configuration examples ··································································································· 282
Configuring L2PT for STP ································································································· 282
Configuring L2PT for LACP ······························································································· 283
Configuring cut-through forwarding ·················································· 287
Configuring service loopback groups ················································ 288
Configuration procedure ·········································································································· 288
Displaying and maintaining service loopback groups ····································································· 289

vii
 Service loopback group configuration example ············································································· 289
Network requirements ······································································································ 289
Configuration procedure ··································································································· 289
Document conventions and icons ···················································· 290
Conventions ························································································································· 290
Network topology icons ··········································································································· 291
Support and other resources ·························································· 292
Accessing Hewlett Packard Enterprise Support ············································································ 292
Accessing updates ················································································································· 292
Websites ······················································································································· 293
Customer self repair········································································································· 293
Remote support ·············································································································· 293
Documentation feedback ·································································································· 293
Index ························································································· 295

viii
Configuring Ethernet interfaces
The Switch Series supports Ethernet interfaces, management Ethernet interfaces, Console
interfaces, and USB interfaces. For the interface types and the number of interfaces supported by a
switch model, see the installation guide.
This chapter describes how to configure management Ethernet interfaces and Ethernet interfaces.

Ethernet interface naming conventions

The Ethernet interfaces are named in the format of interface type A/B/C. The letters that follow the
interface type represent the following elements:
• A—IRF member ID. If the switch is not in an IRF fabric, A is 1 by default.
• B—Slot number. 0 indicates the interface is a fixed interface of the switch.
• C—Port index.
A 10-GE breakout interface split from a 40-GE interface is named in the format of interface type
A/B/C:D. A/B/C is the interface number of the 40-GE interface and D is the number of the 10-GE
interface, which is in the range of 1 to 4. For information about splitting a 40-GE interface, see
"Splitting a 40-GE interface and combining 10-GE breakout interfaces."

Configuring a management Ethernet interface

A management interface uses an RJ-45 connector. You can connect the interface to a PC for
software loading and system debugging, or connect it to a remote NMS for remote system
management.
To configure a management Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enter management interface

Ethernet interface view. M-GigabitEthernet N/A
interface-number
3. (Optional.) Set the The default setting is
interface description. description text
M-GigabitEthernet0/0/0 Interface.
4. (Optional.) Shut down By default, the management Ethernet
the interface. shutdown
interface is up.

Configuring common Ethernet interface settings

This section describes the settings common to Layer 2 Ethernet interfaces, Layer 3 Ethernet
interfaces, and Layer 3 Ethernet subinterfaces. For more information about the settings specific to
Layer 2 Ethernet interfaces or subinterfaces, see "Configuring a Layer 2 Ethernet interface." For
more information about the settings specific to Layer 3 Ethernet interfaces or subinterfaces, see
"Configuring a Layer 3 Ethernet interface or subinterface."

1
Splitting a 40-GE interface and combining 10-GE breakout
interfaces
Configuration restrictions and guidelines
When you split a 40-GE interface and combine 10-GE breakout interfaces, follow these restrictions
and guidelines:
• 40-GE interfaces FortyGigE 1/0/1 through FortyGigE 1/0/4 and FortyGigE 1/0/29 through
FortyGigE 1/0/32 on an HPE FlexFabric 5940 32QSFP+ Switch (JH396A) switch do not support
one-to-four splitting.
• 100-GE interfaces on an HPE FlexFabric 5940 48SFP+ 6QSFP28 Switch (JH390A) or HPE
FlexFabric 5940 48XGT 6QSFP28 Switch (JH391A) switch do not support one-to-four splitting.
• When an LSWM124XGT2Q (JH182A), LSWM124XG2Q (JH181A), or LSWM124XG2QL
(JH180A) interface module is installed in an HPE FlexFabric 5940 4-slot Switch (JH398A)
switch , 40-GE interfaces on these modules do not support one-to-four splitting.
• When an LSWM18QC (JH183A) interface module is installed in an HPE FlexFabric 5940 4-slot
Switch (JH398A) switch, the last two 40-GE interfaces on the module do not support one-to-four
splitting.
Splitting a 40-GE interface into four 10-GE breakout interfaces
You can use a 40-GE interface as a single interface. To improve port density, reduce costs, and
improve network flexibility, you can also split a 40-GE interface into four 10-GE breakout interfaces.
For example, you can split 40-GE interface FortyGigE 1/0/1 into four 10-GE breakout interfaces
Ten-GigabitEthernet 1/0/1:1 through Ten-GigabitEthernet 1/0/1:4.
After you configure this feature on a 40-GE interface, the system deletes the 40-GE interface and
creates the four 10-GE breakout interfaces.
After the using tengige command is successfully configured, you do not need to reboot the switch.
You can view the four 10-GE breakout interfaces by using the display interface brief command.
A 40-GE interface split into four 10-GE breakout interfaces must use a dedicated 1-to-4 cable. For
more information about the cable, see the installation guides.
To split a 40-GE interface into four 10-GE breakout interfaces:

Step Command Remarks

1. Enter system view. system-view N/A

Enter 40-GE interface view. interface interface-type

2. N/A
interface-number
By default, a 40-GE interface is not
split and operates as a single
interface.
3. Split the 40-GE interface into
four 10-GE breakout using tengige The 10-GE breakout interfaces
interfaces. support the same configuration and
attributes as common 10-GE
interfaces, except that they are
numbered differently.

Combining four 10-GE breakout interfaces into a 40-GE interface

If you need higher bandwidth on a single interface, you can combine the four 10-GE breakout
interfaces into a 40-GE interface.
After you configure this feature on a 10-GE breakout interface, the system deletes the four 10-GE
breakout interfaces and creates the 40-GE interface.

2
 After the using fortygige command is successfully configured, you do not need to reboot the switch.
You can view the 40-GE interface by using the display interface brief command.
After you combine the four 10-GE breakout interfaces, replace the dedicated 1-to-4 cable with a
dedicated 1-to-1 cable or a 40-GE transceiver module. For more information about the cable or
transceiver module, see the installation guides.
To combine four 10-GE breakout interfaces into a 40-GE interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter the view of any 10-GE interface interface-type
breakout interface. N/A
interface-number
3. Combine the four 10-GE By default, a 10-GE breakout
breakout interfaces into a using fortygige interface operates as a single
40-GE interface. interface.

Configuring basic settings of an Ethernet interface or

subinterface
You can configure an Ethernet interface to operate in one of the following duplex modes:
• Full-duplex mode—The interface can send and receive packets simultaneously.
• Half-duplex mode—The interface can only send or receive packets at a given time.
• Autonegotiation mode—The interface negotiates a duplex mode with its peer.
You can set the speed of an Ethernet interface or enable it to automatically negotiate a speed with its
peer.
Configuring an Ethernet interface

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number

3. Set the description for The default setting is interface-name

the Ethernet interface. description text Interface. For example,
Ten-GigabitEthernet1/0/1 Interface.
By default, the duplex mode is auto for
Ethernet interfaces.
4. Set the duplex mode for
the Ethernet interface. duplex { auto | full | half } Copper ports operating at 1000 Mbps or
10 Gbps and fiber ports do not support the
half keyword.
The default setting is auto for Ethernet
speed { 10 | 100 | 1000 | interfaces.
5. Set the speed for the
Ethernet interface. 10000 | 40000 | 100000 | Support for the keywords depends on the
auto } interface type. For more information, use
the speed ? command in interface view.
6. Set the expected By default, the expected bandwidth (in
bandwidth for the bandwidth bandwidth-value kbps) is the interface baud rate divided by
Ethernet interface. 1000.

3
 Step Command Remarks
7. Restore the default
settings for the Ethernet default N/A
interface.
By default, Ethernet interfaces are in up
state.
8. Bring up the Ethernet
interface. undo shutdown The loopback, shutdown ,and port
up-mode commands are mutually
exclusive.

Configuring an Ethernet subinterface

Step Command Remarks

1. Enter system view. system-view N/A
2. Create an Ethernet interface interface-type
subinterface. N/A
interface-number.subnumber
The default setting is
3. Set the description for the interface-name Interface. For
Ethernet subinterface. description text example,
Ten-GigabitEthernet1/0/1.1
Interface.
4. Restore the default settings
for the Ethernet subinterface. default N/A

By default, the expected

5. Set the expected bandwidth bandwidth (in kbps) is the
for the Ethernet subinterface. bandwidth bandwidth-value
interface baud rate divided by
1000.
By default, Ethernet subinterfaces
are in up state.
6. Bring up the Ethernet
subinterface. undo shutdown The shutdown and port
up-mode commands are mutually
exclusive.

Configuring the link mode of an Ethernet interface

CAUTION:
After you change the link mode of an Ethernet interface, all commands (except the shutdown
command) on the Ethernet interface are restored to their defaults in the new link mode.

The interfaces on this Switch Series can operate either as Layer 2 or Layer 3 Ethernet interfaces.
You can set the link mode to bridge or route.
To configure the link mode of an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Configure the link mode of By default, Ethernet interfaces
the Ethernet interface. port link-mode { bridge | route }
operate in bridge mode.

4
Configuring jumbo frame support
An Ethernet interface might receive frames larger than the standard Ethernet frame size during
high-throughput data exchanges, such as file transfers. These frames are called jumbo frames.
The Ethernet interface processes jumbo frames in the following ways:
• When the Ethernet interface is configured to deny jumbo frames, the Ethernet interface
discards jumbo frames.
• When the Ethernet interface is configured with jumbo frame support, the Ethernet interface
performs the following operations:
{ Processes jumbo frames within the specified length.
{ Discards jumbo frames that exceed the specified length.
To configure jumbo frame support in interface view:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number

3. Configure jumbo frame By default, the switch allows jumbo

support. jumboframe enable [ size ] frames within 10000 bytes to pass
through all Ethernet interfaces.

Configuring physical state change suppression on an

Ethernet interface
IMPORTANT:
Do not enable this feature on an interface that has RRPP, spanning tree protocols, or Smart Link
enabled.

The physical link state of an Ethernet interface is either up or down. Each time the physical link of an
interface comes up or goes down, the interface immediately reports the change to the CPU. The
CPU then performs the following operations:
• Notifies the upper-layer protocol modules (such as routing and forwarding modules) of the
change for guiding packet forwarding.
• Automatically generates traps and logs to inform users to take the correct actions.
To prevent frequent physical link flapping from affecting system performance, configure physical
state change suppression. You can configure this feature to suppress only link-down events, only
link-up events, or both. If an event of the specified type still exists when the suppression interval
expires, the system reports the event.
When you configure this feature, follow these guidelines:
• To suppress only link-down events, configure the link-delay [ msec ] delay-time command.
• To suppress only link-up events, configure the link-delay [ msec ] delay-time mode up
command.
• To suppress both link-down and link-up events, configure the link-delay [ msec ] delay-time
mode updown command.
To configure physical state change suppression on an Ethernet interface:

5
 Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Ethernet interface interface-type
interface view. N/A
interface-number
By default, the link-down or link-up event is
3. Configure physical link-delay [ msec ] immediately reported to the CPU.
state change delay-time [ mode { up | If you configure this command multiple times on
suppression. updown }] an Ethernet interface, the most recent
configuration takes effect.

Enabling loopback testing on an Ethernet interface

CAUTION:
After you enable this feature on an Ethernet interface, the interface cannot forward data traffic
correctly.

Perform this task to determine whether an Ethernet link works correctly.

Loopback testing includes the following types:
• Internal loopback testing—Tests the device where the Ethernet interface resides. The
Ethernet interface sends outgoing packets back to the local device. If the device fails to receive
the packets, the device fails.
• External loopback testing—Tests the inter-device link. The Ethernet interface sends incoming
packets back to the remote device. If the remote device fails to receive the packets, the
inter-device link fails.
Configuration restrictions and guidelines
• On an administratively shut down Ethernet interface (displayed as in ADM or Administratively
DOWN state), you cannot perform an internal or external loopback test.
• The speed, duplex, mdix-mode, and shutdown commands are not available during a
loopback test.
• A loopback test cannot be performed on an interface configured with the port up-mode
command.
• During a loopback test, the Ethernet interface operates in full duplex mode. When a loopback
test is complete, the port returns to its duplex setting..
Configuration procedure
To enable loopback testing on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number

Enable loopback testing. By default, no loopback test is

3. loopback { external | internal }
performed.

6
Configuring generic flow control on an Ethernet interface
To avoid dropping packets on a link, you can enable generic flow control at both ends of the link.
When traffic congestion occurs at the receiving end, the receiving end sends a flow control (Pause)
frame to ask the sending end to suspend sending packets. Generic flow control includes the
following types:
• TxRx-mode generic flow control—Enabled by using the flow-control command. With
TxRx-mode generic flow control enabled, an interface can both send and receive flow control
frames:
{ When congestion occurs, the interface sends a flow control frame to its peer.
{ When the interface receives a flow control frame from its peer, it suspends sending packets
to its peer.
• Rx-mode generic flow control—Enabled by using the flow-control receive enable
command. With Rx-mode generic flow control enabled, an interface can receive flow control
frames, but it cannot send flow control frames:
{ When congestion occurs, the interface cannot send flow control frames to its peer.
{ When the interface receives a flow control frame from its peer, it suspends sending packets
to its peer.
To handle unidirectional traffic congestion on a link, configure the flow-control receive enable
command at one end and the flow-control command at the other end. To enable both ends of a link
to handle traffic congestion, configure the flow-control command at both ends.
To enable generic flow control on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
• Enable TxRx-mode
generic flow control:
flow-control
3. Enable generic flow By default, generic flow control is
control. • Enable Rx-mode generic
disabled on an Ethernet interface.
flow control:
flow-control receive
enable

Configuring PFC on an Ethernet interface

When congestion occurs in the network, the local device notifies the peer to stop sending packets
carrying the specified 802.1p priority if all of the following conditions exist:
• Both the local end and the remote end have PFC enabled.
• Both the local end and the remote end have the priority-flow-control no-drop dot1p
command configured.
• The specified 802.1p priority is in the 802.1p priority list specified by the dot1p-list argument.
• The local end receives a packet carrying the specified 802.1p priority.
The state of the PFC feature is determined by the PFC configuration on the local end and on the peer
end. In Table 1:
• The first row lists the PFC configuration on the local interface.
• The first column lists the PFC configuration on the peer.

7
 • The Enabled and Disabled fields in other cells are possible negotiation results.
Make sure all interfaces that a data flow passes through have the same PFC configuration.
Table 1 PFC configurations and negotiation results

Local (right)
enable auto Default
Peer (below)
enable Enabled Enabled. Disabled
• Enabled if negotiation
auto Enabled succeeds. Disabled
• Disabled if negotiation fails.

Default Disabled Disabled. Disabled

Configuration restrictions and guidelines

When you configure PFC, follow these restrictions and guidelines:
• For IRF and other protocols to operate correctly, as a best practice, do not enable PFC for
802.1p priorities 0, 6, and 7.
• To avoid packet loss, apply the same PFC configuration to all interfaces that the packets pass
through.
• If you do not enable PFC on an interface, the interface can receive but cannot process PFC
pause frames. To make PFC take effect, you must enable PFC on both ends.
• If you configure the flow control or flow-control receive enable command on a PFC-enabled
interface, the following rules apply:
{ The PFC configuration takes effect.
{ The configuration of the flow control or flow-control receive enable command is ignored.
{ The flow control or flow-control receive enable command takes effect on the interface
only when PFC is disabled on it.
Configuration procedure
To configure PFC on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Enable PFC in auto mode or
forcibly on the Ethernet priority-flow-control { auto |
By default, PFC is disabled.
interface. enable }

4. Enable PFC for 802.1p priority-flow-control no-drop By default, PFC is disabled for all
priorities. dot1p dot1p-list 802.1p priorities.

Enabling energy saving features on an Ethernet interface

IMPORTANT:
Fiber ports do not support these features.

8
Enabling auto power-down on an Ethernet interface
When an Ethernet interface with auto power-down enabled has been down for a certain period of
time, both of the following events occur:
• The device automatically stops supplying power to the Ethernet interface.
• The Ethernet interface enters the power save mode.
The time period depends on the chip specifications and is not configurable.
When the Ethernet interface comes up, both of the following events occur:
• The device automatically restores power supply to the Ethernet interface.
• The Ethernet interface restores to its normal state.
To enable auto power-down on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Enable auto power-down on By default, auto power-down is
the Ethernet interface. port auto-power-down
disabled on an Ethernet interface.

Enabling EEE on an Ethernet interface

With Energy Efficient Ethernet (EEE) enabled, a link-up interface enters low power state if it has not
received any packet for a period of time. The time period depends on the chip specifications and is
not configurable. When a packet arrives later, the device automatically restores power supply to the
interface and the interface restores to the normal state.
To enable EEE on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Enable EEE on the By default, EEE is disabled on
Ethernet interface. eee enable
an Ethernet interface.

Setting the statistics polling interval

Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Set the statistics polling
interval for the Ethernet By default, the statistics polling
flow-interval interval
interface. interval is 300 seconds.

To display the interface statistics collected in the last statistics polling interval, use the display
interface command.

9
Configuring storm suppression
The storm suppression feature ensures that the size of a particular type of traffic (broadcast,
multicast, or unknown unicast traffic) does not exceed the threshold on an interface. When the
broadcast, multicast, or unknown unicast traffic on the interface exceeds this threshold, the system
discards packets until the traffic drops below this threshold.
Both storm suppression and storm control can suppress storms on an interface. Storm suppression
uses the chip to suppress traffic. Storm suppression has less impact on the device performance than
storm control, which uses software to suppress traffic.
Configuration restrictions and guidelines
When you configure storm suppression, follow these restrictions and guidelines:
• An interframe gap exists between each two continuous frames. The system excludes the time
of interframe gaps in monitoring the traffic size on the interface. The configured suppression
thresholds must be less than the total traffic that passes through the interface.
• For the traffic suppression result to be determined, do not configure storm control together with
storm suppression for the same type of traffic. For more information about storm control, see
"Configuring storm control on an Ethernet interface."
• Storm suppression configured on a Layer 3 Ethernet interface applies to the interface and its
subinterfaces if it is on a boarder gateway of the following networks:
{ VXLAN IP gateway network.
{ EVPN gateway network.
For more information about VXLAN IP gateway and EVPN gateway networks, see VXLAN
Configuration Guide and EVPN Configuration Guide.
• When you configure the suppression threshold in kbps, the actual suppression threshold might
be different from the configured one as follows:
{ If the configured value is smaller than 64, the value of 64 takes effect.
{ If the configured value is greater than 64 but not an integer multiple of 64, the integer
multiple of 64 that is greater than and closest to the configured value takes effect.
For the suppression threshold that takes effect, see the prompt on the device.
Configuration procedure
To set storm suppression thresholds on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Enable broadcast
suppression and set the broadcast-suppression { ratio | By default, broadcast suppression
broadcast suppression pps max-pps | kbps max-kbps } is disabled.
threshold.
4. Enable multicast
suppression and set the multicast-suppression { ratio |
By default, multicast suppression
multicast suppression pps max-pps | kbps max-kbps }
is disabled.
threshold. [ unknown ]

5. Enable unknown unicast

suppression and set the unicast-suppression { ratio | pps By default, unknown unicast
unknown unicast max-pps | kbps max-kbps } suppression is disabled.
suppression threshold.

10
Configuring a Layer 2 Ethernet interface
Configuring storm control on an Ethernet interface
About storm control
Storm control compares broadcast, multicast, and unknown unicast traffic regularly with their
respective traffic thresholds on an Ethernet interface. For each type of traffic, storm control provides
a lower threshold and an upper threshold.
Depending on your configuration, when a particular type of traffic exceeds its upper threshold, the
interface performs either of the following operations:
• Blocks this type of traffic and forwards other types of traffic—Even though the interface
does not forward the blocked traffic, it still counts the traffic. When the blocked traffic drops
below the lower threshold, the interface begins to forward the traffic.
• Goes down automatically—The interface goes down automatically and stops forwarding any
traffic. When the blocked traffic drops below the lower threshold, the interface does not
automatically come up. To bring up the interface, use the undo shutdown command or disable
the storm control feature.
You can configure an Ethernet interface to output threshold event traps and log messages when
monitored traffic meets one of the following conditions:
• Exceeds the upper threshold.
• Drops below the lower threshold.
Both storm suppression and storm control can suppress storms on an interface. Storm suppression
uses the chip to suppress traffic. Storm suppression has less impact on the device performance than
storm control, which uses software to suppress traffic.
Storm control uses a complete polling cycle to collect traffic data, and analyzes the data in the next
cycle. An interface takes one to two polling intervals to take a storm control action.
Configuration restrictions and guidelines
For the traffic suppression result to be determined, do not configure storm control together with storm
suppression for the same type of traffic. For more information about storm suppression, see
"Configuring storm suppression."
Configuration procedure
To configure storm control on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
The default setting is 10 seconds.
2. (Optional.) Set the statistics
polling interval of the storm storm-constrain interval interval For network stability, use the
control module. default or set a longer statistics
polling interval.
3. Enter Ethernet interface interface interface-type
view. N/A
interface-number
4. (Optional.) Enable storm
control, and set the lower storm-constrain { broadcast |
and upper thresholds for multicast | unicast } { pps | kbps By default, storm control is
broadcast, multicast, or | ratio } max-pps-values disabled.
unknown unicast traffic. min-pps-values

11
 Step Command Remarks
5. Set the control action to take
when monitored traffic storm-constrain control { block By default, storm control is
exceeds the upper | shutdown } disabled.
threshold.
6. (Optional.) Enable the By default, the Ethernet interface
Ethernet interface to output outputs log messages when
log messages when it storm-constrain enable log monitored traffic exceeds the
detects storm control upper threshold or drops below
threshold events. the lower threshold.
By default, the Ethernet interface
7. (Optional.) Enable the sends traps when monitored
Ethernet interface to send traffic exceeds the upper
storm control threshold storm-constrain enable trap
threshold or drops below the
event traps. lower threshold from the upper
threshold.

Forcibly bringing up a fiber port

IMPORTANT:
Copper ports do not support this feature.

As shown in Figure 1, a fiber port uses separate fibers for transmitting and receiving packets. The
physical state of the fiber port is up only when both transmit and receive fibers are physically
connected. If one of the fibers is disconnected, the fiber port does not work.
To enable a fiber port to forward traffic over a single link, you can use the port up-mode command.
This command forcibly brings up a fiber port, even when no fiber links or transceiver modules are
present for the fiber port. When one fiber link is present and up, the fiber port can forward packets
over the link unidirectionally.

12
 Figure 1 Forcibly bring up a fiber port
When Ethernet interfaces
Correct fiber When Ethernet interfaces
cannot be or are not forcibly
connection are forcibly brought up
brought up

Device A Device A Device A

Device B Device B Device B

Fiber port Tx end Rx end Fiber link The fiber is disconnected.

Packets The interface is down.

Configuration restrictions and guidelines

When you forcibly bring up a fiber port, follow these restrictions and guidelines:
• The loopback, shutdown, and port up-mode commands are mutually exclusive.
• The following operations on a fiber port will cause link updown events before the port finally
stays up:
{ Configure both the port up-mode command and the speed or duplex command.
{ Install or remove fiber links or transceiver modules after you forcibly bring up the fiber port.
Configuration procedure
To forcibly bring up a fiber port:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
By default, a fiber port is not forcibly
3. Forcibly bring up the fiber brought up, and the physical state of a
port. port up-mode
fiber port depends on the physical state
of the fibers.

13
Setting the MDIX mode of an Ethernet interface
IMPORTANT:
Fiber ports do not support the MDIX mode setting.

A physical Ethernet interface has eight pins, each of which plays a dedicated role. For example, pins
1 and 2 transmit signals, and pins 3 and 6 receive signals. You can use both crossover and
straight-through Ethernet cables to connect copper Ethernet interfaces. To accommodate these
types of cables, a copper Ethernet interface can operate in one of the following Medium Dependent
Interface-Crossover (MDIX) modes:
• MDIX mode—Pins 1 and 2 are receive pins and pins 3 and 6 are transmit pins.
• MDI mode—Pins 1 and 2 are transmit pins and pins 3 and 6 are receive pins.
• AutoMDIX mode—The interface negotiates pin roles with its peer.

NOTE:
This feature does not take effect on pins 4, 5, 7, and 8 of physical Ethernet interfaces.
• Pins 4, 5, 7, and 8 of interfaces operating at 10 Mbps or 100 Mbps do not receive or transmit
signals.
• Pins 4, 5, 7, and 8 of interfaces operating at 1000 Mbps or higher rates receive and transmit
signals.

To enable a copper Ethernet interface to communicate with its peer, set the MDIX mode of the
interface by following these guidelines:
• Typically, set the MDIX mode of the interface to AutoMDIX. Set the MDIX mode of the interface
to MDI or MDIX only when the device cannot determine the cable type.
• When a straight-through cable is used, configure the interface to operate in an MDIX mode
different than its peer.
• When a crossover cable is used, perform one of the following tasks:
{ Configure the interface to operate in the same MDIX mode as its peer.
{ Configure either end to operate in AutoMDIX mode.
To set the MDIX mode of an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
By default, a copper Ethernet
interface operates in auto mode to
3. Set the MDIX mode of the mdix-mode { automdix | mdi | negotiate pin roles with its peer.
Ethernet interface. mdix }
10-GE interfaces support only the
automdix mode.

Testing the cable connection of an Ethernet interface

IMPORTANT:
If the link of an Ethernet interface is up, testing its cable connection will cause the link to go down
and then come up.

14
 NOTE:
Fiber ports do not support this feature.

This feature tests the cable connection of an Ethernet interface and displays cable test result within 5
seconds. The test result includes the cable's status and some physical parameters. If any fault is
detected, the test result shows the length from the local port to the faulty point.
To test the cable connection of an Ethernet interface:

Step Command
1. Enter system view. system-view
2. Enter Ethernet interface view. interface interface-type interface-number
3. Perform a test for the cable connected to the
Ethernet interface. virtual-cable-test

Enabling bridging on an Ethernet interface

By default, the device drops packets whose outgoing interface and incoming interface are the same.
To enable the device to forward such packets rather than drop them, enable the bridging feature in
Ethernet interface view.
To enable bridging on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Enable bridging on the By default, bridging is disabled on
Ethernet interface. port bridge enable
an Ethernet interface.

Setting the interface connection distance

When two directly connected interfaces communicate, they use the buffer area to buffer the received
data. A longer interface connection distance requires a greater buffer area.
Perform this task to modify the buffer area size by setting the interface connection distance.
To set the interface connection distance:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number

3. Set the interface port connection-distance { 300 | By default, the interface connection
connection distance. 10000 | 20000 | 40000 } distance is 10000 meters.

15
Configuring a Layer 3 Ethernet interface or
subinterface
Setting the MTU for an Ethernet interface or subinterface
The maximum transmission unit (MTU) of an Ethernet interface affects the fragmentation and
reassembly of IP packets on the interface. Typically, you do not need to modify the MTU of an
interface.
To set the MTU for an Ethernet interface or subinterface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type { interface-number |
or subinterface view. N/A
interface-number.subnumber }
3. Set the MTU of the
Ethernet interface or The default setting is 1500
mtu size
subinterface. bytes.

Setting the MAC address of an Ethernet interface or

subinterface
In a network, when the Layer 3 Ethernet interfaces or subinterfaces of different devices have the
same MAC address, the devices might fail to communicate correctly. To eliminate the MAC address
conflicts, use the mac-address command to modify the MAC addresses of Layer 3 Ethernet
interfaces or subinterfaces.
Do not configure this feature on the border gateways in the following networks:
• A VXLAN IP gateway network.
• An EVPN gateway network.
To set the MAC address of an Ethernet interface or subinterface:

Step Command Remarks

1. Enter system view. system-view N/A
interface interface-type
2. Enter Ethernet interface or { interface-number |
subinterface view. N/A
interface-number.subnumber
}
3. Set the MAC address of the By default, no MAC address is set for
Ethernet interface or mac-address mac-address a Layer 3 Ethernet interface or
subinterface. subinterface.

Displaying and maintaining an Ethernet interface

or subinterface
Execute display commands in any view and reset commands in user view.

16
Task Command
display counters { inbound | outbound } interface
Display interface traffic statistics. [ interface-type [ interface-number |
interface-number.subnumber ] ]
Display traffic rate statistics of interfaces display counters rate { inbound | outbound } interface
in up state over the last statistics polling [ interface-type [ interface-number |
interval. interface-number.subnumber ] ]
Display the operational and status display interface [ interface-type [ interface-number |
information of the specified interfaces. interface-number.subnumber ] ] [ brief [ description | down ] ]
display packet-drop { interface [ interface-type
Display information about dropped
[ interface-number | interface-number.subnumber ] ] |
packets on the specified interfaces.
summary }
Display the PFC information for an display priority-flow-control interface [ interface-type
interface. [ interface-number ] ]
Display information about storm control display storm-constrain [ broadcast | multicast | unicast ]
on the specified interfaces. [ interface interface-type interface-number ]
Display the Ethernet module statistics. display ethernet statistics slot slot-number
reset counters interface [ interface-type [ interface-number |
Clear interface or subinterface statistics.
interface-number.subnumber ] ]
Clear the statistics of dropped packets reset packet-drop interface [ interface-type [ interface-number
on the specified interfaces. | interface-number.subnumber ] ]
Clear the Ethernet module statistics. reset ethernet statistics [ slot slot-number ]

17
Configuring loopback, null, and
inloopback interfaces
This chapter describes how to configure a loopback interface, a null interface, and an inloopback
interface.

Configuring a loopback interface

A loopback interface is a virtual interface. The physical layer state of a loopback interface is always
up unless the loopback interface is manually shut down. Because of this benefit, loopback interfaces
are widely used in the following scenarios:
• Configuring a loopback interface address as the source address of the IP packets that
the device generates—Because loopback interface addresses are stable unicast addresses,
they are usually used as device identifications.
{ When you configure a rule on an authentication or security server to permit or deny packets
that a device generates, you can simplify the rule by configuring it to permit or deny packets
carrying the loopback interface address that identifies the device.
{ When you use a loopback interface address as the source address of IP packets, make
sure the route from the loopback interface to the peer is reachable by performing routing
configuration. All data packets sent to the loopback interface are considered packets sent to
the device itself, so the device does not forward these packets.
• Using a loopback interface in dynamic routing protocols—With no router ID configured for
a dynamic routing protocol, the system selects the highest loopback interface IP address as the
router ID. In BGP, to avoid interruption of BGP sessions due to physical port failure, you can use
a loopback interface as the source interface of BGP packets.
To configure a loopback interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a loopback interface
and enter loopback interface interface loopback
N/A
view. interface-number

3. Configure the interface The default setting is interface name

description. description text Interface (for example, LoopBack1
Interface).
4. Configure the expected
bandwidth of the loopback By default, the expected bandwidth
bandwidth bandwidth-value
interface. of a loopback interface is 0 kbps.

5. Restore the default settings

for the loopback interface. default N/A

6. Bring up the loopback By default, a loopback interface is

interface. undo shutdown
up.

Configuring a null interface

A null interface is a virtual interface and is always up, but you cannot use it to forward data packets or
configure it with an IP address or link layer protocol. The null interface provides a simpler way to filter
packets than ACL. You can filter undesired traffic by transmitting it to a null interface instead of

18
 applying an ACL. For example, if you specify a null interface as the next hop of a static route to a
network segment, any packets routed to the network segment are dropped.
To configure a null interface:

Step Command Remarks

1. Enter system view. system-view N/A
Interface Null 0 is the default null
interface on the device and cannot
be manually created or removed.
2. Enter null interface view. interface null 0
Only one null interface, Null 0, is
supported on the device. The null
interface number is always 0.
3. Configure the interface The default setting is NULL0
description. description text
Interface.
4. Restore the default settings
for the null interface. default N/A

Configuring an inloopback interface

An inloopback interface is a virtual interface created by the system, which cannot be configured or
deleted. The physical layer and link layer protocol states of an inloopback interface are always up. All
IP packets sent to an inloopback interface are considered packets sent to the device itself and are
not forwarded.

Displaying and maintaining loopback, null, and

inloopback interfaces
Execute display commands in any view and reset commands in user view.

Task Command
Display information about the specified or all display interface loopback [ interface-number ] [ brief
loopback interfaces. [ description | down ] ]
display interface null [ 0 ] [ brief [ description |
Display information about the null interface.
down ] ]
Display information about the inloopback display interface inloopback [ 0 ] [ brief [ description
interface. | down ] ]
Clear the statistics on the specified or all loopback reset counters interface loopback
interfaces. [ interface-number ]
Clear the statistics on the null interface. reset counters interface null [ 0 ]

19
Bulk configuring interfaces
You can enter interface range view to bulk configure multiple interfaces with the same feature instead
of configuring them one by one. For example, you can execute the shutdown command in interface
range view to shut down a range of interfaces.

Configuration restrictions and guidelines

When you bulk configure interfaces in interface range view, follow these restrictions and guidelines:
• In interface range view, only commands supported by the first interface in the specified interface
list are available for configuration.
• Before you configure an interface as the first interface in an interface range, make sure you can
enter the view of the interface by using the interface interface-type { interface-number |
interface-number.subnumber } command.
• Do not assign both an aggregate interface and any of its member interfaces to an interface
range. Some commands, after being executed on both an aggregate interface and its member
interfaces, can break up the aggregation.
• Understand that the more interfaces you specify in an interface range, the longer the command
execution time.
• To guarantee bulk interface configuration performance, configure fewer than 1000 interface
range names.
• After a command is executed in interface range view, one of the following situations might
occur:
{ The system displays an error message and stays in interface range view. It means that the
execution failed on one or multiple member interfaces.
− If the execution failed on the first member interface, the command is not executed on
any member interfaces.
− If the execution failed on a non-first member interface, the command takes effect on the
remaining member interfaces.
{ The system returns to system view. It means that:
− The command is supported in both system view and interface view.
− The execution failed on a member interface in interface range view and succeeded in
system view.
− The command is not executed on the subsequent member interfaces.
You can use the display this command to verify the configuration in interface view of each
member interface. In addition, if the configuration in system view is not needed, use the
undo form of the command to remove the configuration.

Configuration procedure
Step Command Remarks
1. Enter system view. system-view N/A

20
 Step Command Remarks
• interface range
{ interface-type
interface-number [ to
interface-type By using the interface range name
2. Enter interface range interface-number ] } &<1-24> command, you assign a name to an
view. interface range and can specify this
• interface range name name
name rather than the interface range
[ interface { interface-type
to enter the interface range view.
interface-number [ to
interface-type
interface-number ] } &<1-24> ]
3. (Optional.) Display
commands available for Enter a question mark (?) at the
the first interface in the N/A
interface range prompt.
interface range.
4. Use available
commands to configure Available commands depend on
N/A
the interfaces. the interface.

5. (Optional.) Verify the

configuration. display this N/A

Displaying and maintaining bulk interface

configuration
Execute the display command in any view.

Task Command
Display information about the interface ranges
created by using the interface range name display interface range [ name name ]
command.

21
Configuring the MAC address table
Overview
An Ethernet device uses a MAC address table to forward frames. A MAC address entry includes a
destination MAC address, an outgoing interface, and a VLAN ID. When the device receives a frame,
it uses the destination MAC address of the frame to look for a match in the MAC address table.
• The device forwards the frame out of the outgoing interface in the matching entry if a match is
found.
• The device floods the frame in the VLAN of the frame if no match is found.

How a MAC address entry is created

The entries in the MAC address table include entries automatically learned by the device and entries
manually added.
MAC address learning
The device can automatically populate its MAC address table by learning the source MAC addresses
of incoming frames on each interface.
The device performs the following operations to learn the source MAC address of incoming packets:
1. Checks the source MAC address (for example, MAC-SOURCE) of the frame.
2. Looks up the source MAC address in the MAC address table.
{ The device updates the entry if an entry is found.
{ The device adds an entry for MAC-SOURCE and the incoming port if no entry is found.
When the device receives a frame destined for MAC-SOURCE after learning this source MAC
address, the device performs the following operations:
1. Finds the MAC-SOURCE entry in the MAC address table.
2. Forwards the frame out of the port in the entry.
The device performs the learning process for each incoming frame with an unknown source MAC
address until the table is fully populated.
Manually configuring MAC address entries
Dynamic MAC address learning does not distinguish between illegitimate and legitimate frames,
which can invite security hazards. When Host A is connected to port A, a MAC address entry will be
learned for the MAC address of Host A (for example, MAC A). When an illegal user sends frames
with MAC A as the source MAC address to port B, the device performs the following operations:
1. Learns a new MAC address entry with port B as the outgoing interface and overwrites the old
entry for MAC A.
2. Forwards frames destined for MAC A out of port B to the illegal user.
As a result, the illegal user obtains the data of Host A. To improve the security for Host A, manually
configure a static entry to bind Host A to port A. Then, the frames destined for Host A are always sent
out of port A. Other hosts using the forged MAC address of Host A cannot obtain the frames destined
for Host A.

Types of MAC address entries

A MAC address table can contain the following types of entries:

22
 • Static entries—A static entry is manually added to forward frames with a specific destination
MAC address out of the associated interface, and it never ages out. A static entry has higher
priority than a dynamically learned one.
• Dynamic entries—A dynamic entry can be manually configured or dynamically learned to
forward frames with a specific destination MAC address out of the associated interface. A
dynamic entry might age out. A manually configured dynamic entry has the same priority as a
dynamically learned one.
• Blackhole entries—A blackhole entry is manually configured and never ages out. A blackhole
entry is configured for filtering out frames with a specific source or destination MAC address.
For example, to block all frames destined for or sourced from a user, you can configure the
MAC address of the user as a blackhole MAC address entry. A blackhole entry has higher
priority than a dynamically learned one.
• Multiport unicast entries—A multiport unicast entry is manually added to send frames with a
specific unicast destination MAC address out of multiple ports, and it never ages out. A multiport
unicast entry has higher priority than a dynamically learned one.
A static, blackhole, or multiport unicast MAC address entry can overwrite a dynamic MAC address
entry, but not vice versa. A static entry, a blackhole entry, and a multiport unicast entry cannot
overwrite one another.
Multiport unicast MAC address entries have no impact on the MAC address learning. When
receiving a frame whose source MAC address matches a multiport unicast entry, the device can still
learn the MAC address of the frame and generate a dynamic entry. However, the generated dynamic
entry has lower priority. The device prefers to use the multiport unicast entry to forward frames
destined for the MAC address in the entry.

MAC address table configuration task list

The configuration tasks discussed in the following sections can be performed in any order.
This document covers only the configuration of unicast MAC address entries, including static,
dynamic, blackhole, and multiport unicast MAC address entries. For information about configuring
static multicast MAC address entries, see IP Multicast Configuration Guide.
To configure the MAC address table, perform the following tasks:

Tasks at a glance
(Optional.) Configuring MAC address entries
• Adding or modifying a static or dynamic MAC address entry globally
• Adding or modifying a static or dynamic MAC address entry on an interface
• Adding or modifying a blackhole MAC address entry
• Adding or modifying a multiport unicast MAC address entry
(Optional.) Disabling MAC address learning
(Optional.) Setting the aging timer for dynamic MAC address entries
(Optional.) Setting the MAC learning limit
(Optional.) Configuring the unknown frame forwarding rule after the MAC learning limit is reached
(Optional.) Assigning MAC learning priority to interfaces
(Optional.) Enabling MAC address synchronization
(Optional.) Configuring MAC address move notifications and suppression
(Optional.) Enabling ARP fast update for MAC address moves
(Optional.) Disabling static source check

23
 Tasks at a glance
(Optional.) Enabling conversational remote MAC learning
(Optional.) Enabling SNMP notifications for the MAC address table

Configuring MAC address entries

Configuration guidelines
• A manually configured dynamic MAC address entry will overwrite a learned entry that already
exists with a different outgoing interface for the MAC address.
• The manually configured static, blackhole, and multiport unicast MAC address entries cannot
survive a reboot if you do not save the configuration. The manually configured dynamic MAC
address entries are lost upon reboot whether or not you save the configuration.
A frame whose source MAC address matches different types of MAC address entries is processed
differently.

Type Description
Forwards the frame according to the destination MAC address regardless of
Static MAC address entry
whether the frame's ingress interface is the same as that in the entry.
• Learns the MAC address (MACA) of the frame and generates a dynamic
MAC address entry, but the generated dynamic MAC address entry does
Multiport unicast MAC not take effect.
address entry
• Forwards frames destined for MACA based on the multiport unicast MAC
address entry.
Blackhole MAC address
Drops the frame.
entry
• Learns the MAC address of the frames received on a different interface
Dynamic MAC address from that in the entry and overwrites the original entry.
entry • Forwards the frame received on the same interface as that in the entry
and updates the aging timer for the entry.

Adding or modifying a static or dynamic MAC address entry

globally
Step Command Remarks
1. Enter system view. system-view N/A
By default, no MAC address entry
mac-address { dynamic | static } is configured globally.
2. Add or modify a static or mac-address interface
dynamic MAC address entry. interface-type interface-number Make sure you have created the
vlan vlan-id VLAN and assigned the interface
to the VLAN.

24
Adding or modifying a static or dynamic MAC address entry
on an interface
Step Command Remarks
1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet
interface view:
interface interface-type
interface-number
2. Enter interface view. • Enter Layer 2 aggregate N/A
interface view:
interface
bridge-aggregation
interface-number
By default, no MAC address entry
is configured on the interface.
3. Add or modify a static or mac-address { dynamic | static }
dynamic MAC address entry. mac-address vlan vlan-id Make sure you have created the
VLAN and assigned the interface
to the VLAN.

Adding or modifying a blackhole MAC address entry

Step Command Remarks
1. Enter system view. system-view N/A
By default, no blackhole MAC
2. Add or modify a blackhole mac-address blackhole address entry is configured.
MAC address entry. mac-address vlan vlan-id Make sure you have created the
VLAN.

Adding or modifying a multiport unicast MAC address entry

You can configure a multiport unicast MAC address entry to associate a unicast destination MAC
address with multiple ports. The frame with a destination MAC address matching the entry is sent out
of multiple ports.
For example, in NLB unicast mode (see Figure 2):
• All servers within a cluster uses the cluster's MAC address as their own address.
• Frames destined for the cluster are forwarded to every server in the group.
In this case, you can configure a multiport unicast MAC address entry on the device connected to the
server group. Then, the device forwards the frame destined for the server group to every server
through all ports connected to the servers within the cluster.

25
 Figure 2 NLB cluster

You can configure a multiport unicast MAC address entry globally or on an interface.
Configuring a multiport unicast MAC address entry globally

Step Command Remarks

1. Enter system view. system-view N/A
By default, no multiport unicast
MAC address entry is configured
2. Add or modify a multiport mac-address multiport globally.
unicast MAC address entry. mac-address interface
interface-list vlan vlan-id Make sure you have created the
VLAN and assigned the interface
to the VLAN.

Configuring a multiport unicast MAC address entry on an interface

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet
interface view:
interface interface-type
interface-number
2. Enter interface view. • Enter Layer 2 aggregate N/A
interface view:
interface
bridge-aggregation
interface-number
By default, no multiport unicast
MAC address entry is configured
3. Add the interface to a on the interface.
multiport unicast MAC mac-address multiport
address entry. mac-address vlan vlan-id Make sure you have created the
VLAN and assigned the interface
to the VLAN.

Disabling MAC address learning

MAC address learning is enabled by default. To prevent the MAC address table from being saturated
when the device is experiencing attacks, disable MAC address learning. For example, you can
disable MAC address learning to prevent the device from being attacked by a large amount of frames
with different source MAC addresses.

26
 After MAC address learning is disabled, the device immediately deletes existing dynamic MAC
address entries.

Disabling global MAC address learning

Global MAC address learning does not take effect on a VXLAN VSI. For information about VXLAN
VSIs, see VXLAN Configuration Guide.
To disable global MAC address learning:

Step Command Remarks

1. Enter system view. system-view N/A
2. Disable global MAC address undo mac-address By default, global MAC address
learning. mac-learning enable learning is enabled.

Disabling MAC address learning on interfaces

When global MAC address learning is enabled, you can disable MAC address learning on a single
interface.
To disable MAC address learning on an interface:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
interface-number
2. Enter interface view. N/A
• Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number

3. Disable MAC address By default, MAC address

undo mac-address mac-learning
learning on the interface. learning on the interface is
enable
enabled.

Disabling MAC address learning on a VLAN

When global MAC address learning is enabled, you can disable MAC address learning on a
per-VLAN basis.
To disable MAC address learning on a VLAN:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable global MAC address mac-address mac-learning By default, global MAC address
learning. enable learning is enabled.
3. Enter VLAN view. vlan vlan-id N/A
4. Disable MAC address undo mac-address By default, MAC address learning
learning on the VLAN. mac-learning enable on the VLAN is enabled.

27
Setting the aging timer for dynamic MAC address
entries
For security and efficient use of table space, the MAC address table uses an aging timer for each
dynamic MAC address entry. If a dynamic MAC address entry is not updated before the aging timer
expires, the device deletes the entry. This aging mechanism ensures that the MAC address table can
promptly update to accommodate latest network topology changes.
A stable network requires a longer aging interval, and an unstable network requires a shorter aging
interval.
An aging interval that is too long might cause the MAC address table to retain outdated entries. As a
result, the MAC address table resources might be exhausted, and the MAC address table might fail
to update its entries to accommodate the latest network changes.
An interval that is too short might result in removal of valid entries, which would cause unnecessary
floods and possibly affect the device performance.
To reduce floods on a stable network, set a long aging timer or disable the timer to prevent dynamic
entries from unnecessarily aging out. Reducing floods improves the network performance. Reducing
flooding also improves the security because it reduces the chances for a data frame to reach
unintended destinations.
To set the aging timer for dynamic MAC address entries:

Step Command Remarks

1. Enter system view. system-view N/A
The default setting is 300
2. Set the aging timer for seconds.
dynamic MAC address mac-address timer { aging
entries. seconds | no-aging } The no-aging keyword disables
the aging timer.

Setting the MAC learning limit

This feature limits the MAC address table size. A large MAC address table will degrade forwarding
performance.
To set the MAC learning limit on an interface:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet
interface view:
interface interface-type
interface-number
2. Enter interface view. • Enter Layer 2 aggregate N/A
interface view:
interface
bridge-aggregation
interface-number
3. Set the MAC learning limit on mac-address max-mac-count By default, the MAC address table
the interface. count size is not limited on an interface.

28
Configuring the unknown frame forwarding rule
after the MAC learning limit is reached
You can enable or disable forwarding of unknown frames after the MAC learning limit is reached.
To configure the device to forward unknown frames received on the interface after the MAC learning
limit on the interface is reached:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet
interface view.
interface interface-type
interface-number
2. Enter interface view. • Enter Layer 2 aggregate N/A
interface view.
interface
bridge-aggregation
interface-number
3. Configure the device to
forward unknown frames By default, the device can forward
received on the interface mac-address max-mac-count unknown frames received on an
after the MAC learning limit enable-forwarding interface after the MAC learning
on the interface is reached. limit on the interface is reached.

Assigning MAC learning priority to interfaces

The MAC learning priority mechanism assigns either low priority or high priority to an interface. An
interface with high priority can learn MAC addresses as usual. However, an interface with low priority
is not allowed to learn MAC addresses already learned on a high-priority interface.
The MAC learning priority mechanism can help defend your network against MAC address spoofing
attacks. In a network that performs MAC-based forwarding, an upper layer device MAC address
might be learned by a downlink interface because of a loop or attack to the downlink interface. To
avoid this issue, perform the following tasks:
• Assign high MAC learning priority to an uplink interface.
• Assign low MAC learning priority to a downlink interface.
To assign MAC learning priority to an interface:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
interface-number
2. Enter interface view. N/A
• Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
3. Assign MAC learning priority mac-address mac-learning priority By default, low MAC learning
to the interface. { high | low } priority is used.

29
Enabling MAC address synchronization
To avoid unnecessary floods and improve forwarding speed, make sure all member devices have the
same MAC address table. After you enable MAC address synchronization, each member device
advertises learned MAC address entries to other member devices.
As shown in Figure 3:
• Device A and Device B form an IRF fabric enabled with MAC address synchronization.
• Device A and Device B connect to AP C and AP D, respectively.
When Client A associates with AP C, Device A learns a MAC address entry for Client A and
advertises it to Device B.
Figure 3 MAC address tables of devices when Client A accesses AP C

When Client A roams to AP D, Device B learns a MAC address entry for Client A. Device B
advertises it to Device A to ensure service continuity for Client A, as shown in Figure 4.

30
 Figure 4 MAC address tables of devices when Client A roams to AP D

To enable MAC address synchronization:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable MAC address mac-address mac-roaming By default, MAC address
synchronization. enable synchronization is disabled.

Configuring MAC address move notifications and

suppression
The outgoing interface for a MAC address entry learned on interface A is changed to interface B
when the following conditions exist:
• Interface B receives a packet with the MAC address as the source MAC address.
• Interface B belongs to the same VLAN as interface A.
In this case, the MAC address is moved from interface A to interface B, and a MAC address move
occurs.
The MAC address move notifications feature enables the device to output MAC address move logs
when MAC address moves are detected.
If a MAC address is continuously moved between the two interfaces, Layer 2 loops might occur. To
detect and locate loops, you can view the MAC address move information. To display the MAC
address move records after the device is started, use the display mac-address mac-move
command.
If the system detects that MAC address moves occur frequently on an interface, you can configure
MAC address move suppression to shut the interface down. The interface automatically goes up
after a suppression interval. Or, you can manually bring up the interface.
The MAC address move suppression feature must work with the ARP fast update for MAC address
moves feature. For information about ARP fast update for MAC address moves, see "Enabling ARP
fast update for MAC address moves."

31
 To configure MAC address move notifications and MAC address move suppression:

Step Command Remarks

1. Enter system view. system-view N/A
By default, MAC address move
notifications are disabled.
If you do not specify a detection
interval, the default setting of 1
2. Enable MAC address move minute is used.
notifications and optionally mac-address notification After you execute this command, the
specify a MAC move mac-move [ interval interval ] system sends only log messages to
detection interval. the information center module. If the
device is also configured with the
snmp-agent trap enable
mac-address command, the
system also sends SNMP
notifications to the SNMP module.

(Optional.) Set MAC mac-address notification

3. By default, the suppression interval
address move suppression mac-move suppression
is 30 seconds, and the suppression
parameters. { interval interval | threshold
threshold is 3.
threshold }
• Enter Layer 2 Ethernet
interface view:
interface interface-type
interface-number
4. Enter interface view. • Enter Layer 2 aggregate N/A
interface view:
interface
bridge-aggregation
interface-number
5. Enable MAC address move mac-address notification By default, MAC address move
suppression. mac-move suppression suppression is disabled.
6. Return to system view. quit N/A
7. Enable ARP fast update for mac-address mac-move By default, ARP fast update for MAC
MAC address moves. fast-update address moves is disabled.

Enabling ARP fast update for MAC address

moves
ARP fast update for MAC address moves allows the device to update an ARP entry immediately after
the outgoing interface for a MAC address changes. This feature ensures data connection without
interruption.
As shown in Figure 5, a mobile user laptop accesses the network by connecting to AP 1 or AP 2.
When the AP to which the user connects changes, the switch updates the ARP entry for the user
immediately after it detects a MAC address move.

32
 Figure 5 ARP fast update application scenario
Switch

XGE1/0/1 XGE1/0/2

AP 1 AP 2

Laptop

To enable ARP fast update for MAC address moves:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable ARP fast update for mac-address mac-move By default, ARP fast update for
MAC address moves. fast-update MAC address moves is disabled.

Disabling static source check

By default, the static source check feature is enabled on an interface. The check identifies whether a
received frame meets the following conditions:
• The source MAC address of the frame matches a static MAC address entry.
• The incoming interface of the frame is different from the outgoing interface in the entry.
If the frame meets both conditions, the device drops the frame.
When this feature is disabled, the device does not perform the check for a received frame. It can
forward the frame whether or not the frame meets the conditions.
To disable the static source check feature:

Step Command Remarks

1. Enter system view. system-view N/A

33
 Step Command Remarks
• Enter Layer 2 Ethernet interface
view:
interface interface-type
interface-number
• Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
• Enter Layer 3 Ethernet interface
view:
2. Enter interface view. interface interface-type N/A
interface-number
• Enter Layer 3 aggregate
interface/subinterface view:
interface route-aggregation
{ interface-number |
interface-number.subnumber }
• Enter IRF physical interface
view:
interface interface-type
interface-number
3. Disable the static source undo mac-address static By default, the static source
check feature. source-check enable check feature is enabled.

Enabling conversational remote MAC learning

This feature is available only on EVPN networks. Do not enable this feature on non-EVPN networks.
By default, when the device receives a packet from an unknown MAC address of a remote EVPN
network site, the device directly generates a remote MAC address entry. When this feature is
enabled, the device will generate a remote MAC address entry only when the entry is used for packet
forwarding. This feature saves memory resources of the device.
To enable conversational remote MAC learning:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enable conversational By default, conversational

mac-address
remote MAC learning. remote MAC learning is
forwarding-conversational-learning
disabled.

Enabling SNMP notifications for the MAC address

table
To report critical MAC address move events to an NMS, enable SNMP notifications for the MAC
address table. For MAC address move event notifications to be sent correctly, you must also
configure SNMP on the device.
When SNMP notifications are disabled for the MAC address table, the device sends the generated
logs to the information center. To display the logs, configure the log destination and output rule
configuration in the information center.

34
 For more information about SNMP and information center configuration, see the network
management and monitoring configuration guide for the device.
To enable SNMP notifications for the MAC address table:

Step Command Remarks

1. Enter system view. system-view N/A
By default, SNMP notifications are enabled
for the MAC address table.
2. Enable SNMP
notifications for the snmp-agent trap enable When SNMP notifications are disabled for the
MAC address table. mac-address [ mac-move ] MAC address table, syslog messages are
sent to notify important events on the MAC
address table module.

Displaying and maintaining the MAC address

table
Execute display commands in any view.

Task Command
display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic |
Display MAC address table
static ] [ interface interface-type interface-number ] | blackhole |
information.
multiport ] [ vlan vlan-id ] [ count ] ]
Display the aging timer for dynamic
display mac-address aging-time
MAC address entries.
Display the system or interface MAC display mac-address mac-learning [ interface interface-type
address learning state. interface-number ]
Display MAC address statistics. display mac-address statistics
Display the MAC address move
display mac-address mac-move [ slot slot-number ]
records.

MAC address table configuration example

Network requirements
As shown in Figure 6:
• Host A at MAC address 000f-e235-dc71 is connected to Ten-GigabitEthernet 1/0/1 of Device
and belongs to VLAN 1.
• Host B at MAC address 000f-e235-abcd, which behaved suspiciously on the network, also
belongs to VLAN 1.
Configure the MAC address table as follows:
• To prevent MAC address spoofing, add a static entry for Host A in the MAC address table of
Device.
• To drop all frames destined for Host B, add a blackhole MAC address entry for Host B.
• Set the aging timer to 500 seconds for dynamic MAC address entries.

35
 Figure 6 Network diagram

Configuration procedure
# Add a static MAC address entry for MAC address 000f-e235-dc71 on Ten-GigabitEthernet 1/0/1
that belongs to VLAN 1.
<Device> system-view
[Device] mac-address static 000f-e235-dc71 interface ten-gigabitethernet 1/0/1 vlan 1

# Add a blackhole MAC address entry for MAC address 000f-e235-abcd that belongs to VLAN 1.
[Device] mac-address blackhole 000f-e235-abcd vlan 1

# Set the aging timer to 500 seconds for dynamic MAC address entries.
[Device] mac-address timer aging 500

Verifying the configuration

# Display the static MAC address entries for Ten-GigabitEthernet 1/0/1.
[Device] display mac-address static interface ten-gigabitethernet 1/0/1
MAC Address VLAN ID State Port/NickName Aging
000f-e235-dc71 1 Static XGE1/0/1 N

# Display the blackhole MAC address entries.

[Device] display mac-address blackhole
MAC Address VLAN ID State Port/NickName Aging
000f-e235-abcd 1 Blackhole N/A N

# Display the aging time of dynamic MAC address entries.

[Device] display mac-address aging-time
MAC address aging time: 500s.

36
Configuring MAC Information
The MAC Information feature can generate syslog messages or SNMP notifications when MAC
address entries are learned or deleted. You can use these messages to monitor user's leaving or
joining the network and analyze network traffic.
The MAC Information feature buffers the MAC change syslog messages or SNMP notifications in a
queue. The device overwrites the oldest MAC address change written into the queue with the most
recent MAC address change when the following conditions exist:
• The MAC change notification interval does not expire.
• The queue has been exhausted.
To send a syslog message or SNMP notification immediately after it is created, set the queue length
to zero.

Enabling MAC Information

Step Command Remarks
1. Enter system view. system-view N/A
2. Enable MAC Information By default, MAC Information is
globally. mac-address information enable
globally disabled.
3. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
By default, MAC Information is
disabled on the interface.
4. Enable MAC Information on mac-address information enable
the interface. { added | deleted } Make sure you have enabled
MAC Information globally before
you enable it on the interface.

Configuring the MAC Information mode

The following MAC Information modes are available for sending MAC address changes:
• Syslog—The device sends syslog messages to notify MAC address changes. The device
sends syslog messages to the information center, which then outputs them to the monitoring
terminal. For more information about information center, see Network Management and
Monitoring Configuration Guide.
• Trap—The device sends SNMP notifications to notify MAC address changes. The device sends
SNMP notifications to the NMS. For more information about SNMP, see Network Management
and Monitoring Configuration Guide.
To configure the MAC Information mode:

Step Command Remarks

1. Enter system view. system-view N/A
2. Configure the MAC mac-address information mode
Information mode. The default setting is trap.
{ syslog | trap }

37
Setting the MAC change notification interval
To prevent syslog messages or SNMP notifications from being sent too frequently, you can set the
MAC change notification interval to a larger value.
To set the MAC change notification interval:

Step Command Remarks

1. Enter system view. system-view N/A
2. Set the MAC change mac-address information
notification interval. The default setting is 1 second.
interval interval

Setting the MAC Information queue length

Step Command Remarks
1. Enter system view. system-view N/A
2. Set the MAC Information mac-address information
queue length. The default setting is 50.
queue-length value

MAC Information configuration example

Network requirements
Enable MAC Information on Ten-GigabitEthernet 1/0/1 on Device in Figure 7 to send MAC address
changes in syslog messages to the log host, Host B, through interface Ten-GigabitEthernet 1/0/2.
Figure 7 Network diagram

Configuration restrictions and guidelines

When you edit the file /etc/syslog.conf, follow these restrictions and guidelines:
• Comments must be on a separate line and must begin with a pound sign (#).
• No redundant spaces are allowed after the file name.
• The logging facility name and the severity level specified in the /etc/syslog.conf file must be
the same as those configured on the device. Otherwise, the log information might not be output

38
 correctly to the log host. The logging facility name and the severity level are configured by using
the info-center loghost and info-center source commands, respectively.

Configuration procedure
1. Configure Device to send syslog messages to Host B:
# Enable the information center.
<Device> system-view
[Device] info-center enable
# Specify the log host 192.168.1.2/24 and specify local4 as the logging facility.
[Device] info-center loghost 192.168.1.2 facility local4
# Disable log output to the log host.
[Device] info-center source default loghost deny
To avoid output of unnecessary information, disable all modules from outputting logs to the
specified destination (loghost, in this example) before you configure an output rule.
# Configure an output rule to output to the log host MAC address logs that have a severity level
no lower than informational.
[Device] info-center source mac loghost level informational
2. Configure the log host, Host B:
Configure Solaris as follows. Configure other UNIX operating systems in the same way Solaris
is configured.
a. Log in to the log host as a root user.
b. Create a subdirectory named Device in directory /var/log/.
# mkdir /var/log/Device
c. Create file info.log in the Device directory to save logs from Device.
# touch /var/log/Device/info.log
d. Edit the file syslog.conf in directory /etc/ and add the following contents:
# Device configuration messages
local4.info /var/log/Device/info.log
In this configuration, local4 is the name of the logging facility that the log host uses to
receive logs, and info is the informational level. The UNIX system records the log
information that has a severity level no lower than informational to the file
/var/log/Device/info.log.
e. Display the process ID of syslogd, end the syslogd process, and then restart syslogd
using the –r option to make the new configuration take effect.
# ps -ae | grep syslogd
147
# kill -HUP 147
# syslogd -r &
The device can output MAC address logs to the log host, which stores the logs to the specified
file.
3. Enable MAC Information on Device:
# Enable MAC Information globally.
[Device] mac-address information enable
# Configure the MAC Information mode as syslog.
[Device] mac-address information mode syslog
# Enable MAC Information on Ten-GigabitEthernet 1/0/1 to enable the port to record MAC
address change information when the interface performs either of the following operations:

39
{ Learns a new MAC address.
{ Deletes an existing MAC address.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] mac-address information enable added
[Device-Ten-GigabitEthernet1/0/1] mac-address information enable deleted
[Device-Ten-GigabitEthernet1/0/1] quit
# Set the MAC Information queue length to 100.
[Device] mac-address information queue-length 100
# Set the MAC change notification interval to 20 seconds.
[Device] mac-address information interval 20

40
Configuring Ethernet link aggregation
Ethernet link aggregation bundles multiple physical Ethernet links into one logical link, called an
aggregate link.
Link aggregation has the following benefits:
• Increased bandwidth beyond the limits of any single link. In an aggregate link, traffic is
distributed across the member ports.
• Improved link reliability. The member ports dynamically back up one another. When a member
port fails, its traffic is automatically switched to other member ports.
As shown in Figure 8, Device A and Device B are connected by three physical Ethernet links. These
physical Ethernet links are combined into an aggregate link called link aggregation 1. The bandwidth
of this aggregate link can reach up to the total bandwidth of the three physical Ethernet links. At the
same time, the three Ethernet links back up one another. When a physical Ethernet link fails, the
traffic previously transmitted on the failed link is switched to the other two links.
Figure 8 Ethernet link aggregation diagram

Basic concepts
Aggregation group, member port, and aggregate interface
An aggregation group is a group of Ethernet interfaces bundled together. These Ethernet interfaces
are called member ports of the aggregation group. Each aggregation group has a corresponding
logical interface (called an aggregate interface).
When an aggregate interface is created, the device automatically creates an aggregation group of
the same type and number as the aggregate interface.
An aggregate interface can be one of the following types:
• Layer 2—A Layer 2 aggregate interface is created manually. The member ports of the
corresponding Layer 2 aggregation group can only be Layer 2 Ethernet interfaces.
• Layer 3—A Layer 3 aggregate interface is created manually. The member ports of the
corresponding Layer 3 aggregation group can only be Layer 3 Ethernet interfaces.
On a Layer 3 aggregate interface, you can create subinterfaces.
The port rate of an aggregate interface equals the total rate of its Selected member ports. Its duplex
mode is the same as that of the Selected member ports. For more information about Selected
member ports, see "Aggregation states of member ports in an aggregation group."

Aggregation states of member ports in an aggregation group

A member port in an aggregation group can be in any of the following aggregation states:
• Selected—A Selected port can forward traffic.
• Unselected—An Unselected port cannot forward traffic.
• Individual—An Individual port can forward traffic as a normal physical port. A port is placed in
the Individual state when the following conditions exist:

41
 { Its aggregate interface is configured as an edge aggregate interface.
{ The port has not received Link Aggregation Control Protocol Data Units (LACPDUs) from its
peer port.

Operational key
When aggregating ports, the system automatically assigns each port an operational key based on
port information, such as port rate and duplex mode. Any change to this information triggers a
recalculation of the operational key.
In an aggregation group, all Selected ports have the same operational key.

Configuration types
Port configurations include attribute configurations and protocol configurations. Attribute
configurations of a link aggregation member port affect its aggregation state.
• Attribute configurations—To become a Selected port, a member port must have the same
attribute configurations as the aggregate interface. Table 2 describes the attribute
configurations.
Attribute configurations made on an aggregate interface are automatically synchronized to all
member ports. These configurations are retained on the member ports even after the aggregate
interface is deleted.
Any attribute configuration change on a member port might affect the aggregation states and
running services of the member ports. The system displays a warning message every time you
try to change an attribute configuration setting on a member port.
Table 2 Attribute configurations

Feature Considerations
Indicates whether the port has joined an isolation group and which isolation
Port isolation
group the port belongs to.
QinQ status (enabled/disabled), TPID for VLAN tags, and VLAN
QinQ transparent transmission. For information about QinQ, see "Configuring
QinQ."
VLAN mapping configured on the port. For more information about VLAN
VLAN mapping
mapping, see "Configuring VLAN mapping."
VLAN attribute configurations include the following:
• Permitted VLAN IDs.
• PVID.
• Link type (trunk, hybrid, or access).
• PVLAN port type (promiscuous, trunk promiscuous, host, or trunk
VLAN secondary).
• IP subnet-based VLAN configuration.
• Protocol-based VLAN configuration.
• VLAN tagging mode.
For information about VLANs, see "Configuring VLANs."

• Protocol configurations—Protocol configurations of a member port do not affect the

aggregation state of the member port. MAC address learning and spanning tree settings are
examples of protocol configurations.

42
 NOTE:
• The protocol configurations for an aggregate interface take effect only on the current
aggregate interface.
• The protocol configurations for a member port take effect only when the port leaves its
aggregation group.

Link aggregation modes

An aggregation group operates in one of the following modes:
• Static—Static aggregation is stable. An aggregation group in static mode is called a static
aggregation group. The aggregation states of the member ports in a static aggregation group
are not affected by the peer ports.
• Dynamic—An aggregation group in dynamic mode is called a dynamic aggregation group. The
local system and the peer system automatically maintain the aggregation states of the member
ports. Dynamic link aggregation reduces the administrators' workload.

Aggregating links in static mode

Choosing a reference port
When setting the aggregation states of the ports in an aggregation group, the system automatically
chooses a member port as the reference port. A Selected port must have the same operational key
and attribute configurations as the reference port.
The system chooses a reference port from the member ports in up state.
The candidate reference ports are organized into different priority levels following these rules:
1. In descending order of port priority.
2. Full duplex.
3. In descending order of speed.
4. Half duplex.
5. In descending order of speed.
From the candidate ports with the same attribute configurations as the aggregate interface, the one
with the highest priority level is chosen as the reference port.
• If multiple ports have the same priority level, the port that has been Selected (if any) is chosen.
If multiple ports with the same priority level have been Selected, the one with the smallest port
number is chosen.
• If multiple ports have the same priority level and none of them has been Selected, the port with
the smallest port number is chosen.

Setting the aggregation state of each member port

After the reference port is chosen, the system sets the aggregation state of each member port in the
static aggregation group.

43
 Figure 9 Setting the aggregation state of a member port in a static aggregation group

After the limit on Selected ports is reached, the aggregation state of a new member port varies by
following conditions:
• The port is placed in Unselected state if the port and the Selected ports have the same port
priority. This mechanism prevents traffic interruption on the existing Selected ports. A device
reboot can cause the device to recalculate the aggregation states of member ports.
• The port is placed in Selected state when the following conditions are met:
{ The port and the Selected ports have different port priorities, and the port has a higher port
priority than a minimum of one Selected port.
{ The port has the same attribute configurations as the aggregate interface.
Any operational key or attribute configuration change might affect the aggregation states of link
aggregation member ports.

Aggregating links in dynamic mode

Dynamic aggregation is implemented through IEEE 802.3ad Link Aggregation Control Protocol
(LACP).

44
LACP
LACP uses LACPDUs to exchange aggregation information between LACP-enabled devices. Each
member port in a dynamic aggregation group can exchange information with its peer. When a
member port receives an LACPDU, it compares the received information with information received
on the other member ports. In this way, the two systems reach an agreement on which ports are
placed in Selected state.
LACP functions
LACP offers basic LACP functions and extended LACP functions, as described in Table 3.
Table 3 Basic and extended LACP functions

Category Description
Implemented through the basic LACPDU fields, including the system LACP
Basic LACP functions
priority, system MAC address, port priority, port number, and operational key.
Implemented by extending the LACPDU with new TLV fields. Extended LACP can
implement LACP MAD for the IRF feature.
Extended LACP The switch series can participate in LACP MAD as either an IRF member device or
functions an intermediate device.
For more information about IRF and the LACP MAD mechanism, see IRF
Configuration Guide.

LACP operating modes

LACP can operate in active or passive mode.
When LACP is operating in passive mode on a local member port and its peer port, both ports cannot
send LACPDUs. When LACP is operating in active mode on either end of a link, both ports can send
LACPDUs.
LACP priorities
LACP priorities include system LACP priority and port priority, as described in Table 4. The smaller
the priority value, the higher the priority.
Table 4 LACP priorities

Type Description
Used by two peer devices (or systems) to determine which one is superior in link
aggregation.
System LACP In dynamic link aggregation, the system that has higher system LACP priority sets
priority the Selected state of member ports on its side. The system that has lower priority
sets the aggregation state of local member ports the same as their respective peer
ports.
Determines the likelihood of a member port to be a Selected port on a system. A port
Port priority
with a higher port priority is more likely to become Selected.

LACP timeout interval

The LACP timeout interval specifies how long a member port waits to receive LACPDUs from the
peer port. If a local member port has not received LACPDUs from the peer within the LACP timeout
interval, the member port considers the peer as failed.
The LACP timeout interval also determines the LACPDU sending rate of the peer. LACP timeout
intervals include the following types:
• Short timeout interval—3 seconds. If you use the short timeout interval, the peer sends one
LACPDU per second.

45
 • Long timeout interval—90 seconds. If you use the long timeout interval, the peer sends one
LACPDU every 30 seconds.

How dynamic link aggregation works

Choosing a reference port
The system chooses a reference port from the member ports in up state. A Selected port must have
the same operational key and attribute configurations as the reference port.
The local system (the actor) and the peer system (the partner) negotiate a reference port by using
the following workflow:
1. The two systems determine the system with the smaller system ID.
A system ID contains the system LACP priority and the system MAC address.
a. The two systems compare their LACP priority values.
The lower the LACP priority, the smaller the system ID. If the LACP priority values are the
same, the two systems proceed to step b.
b. The two systems compare their MAC addresses.
The lower the MAC address, the smaller the system ID.
2. The system with the smaller system ID chooses the port with the smallest port ID as the
reference port.
A port ID contains a port priority and a port number. The lower the port priority, the smaller the
port ID.
a. The system chooses the port with the lowest priority value as the reference port.
If the ports have the same priority, the system proceeds to step b.
b. The system compares their port numbers.
The smaller the port number, the smaller the port ID.
The port with the smallest port number and the same attribute configurations as the
aggregate interface is chosen as the reference port.
Setting the aggregation state of each member port
After the reference port is chosen, the system with the smaller system ID sets the state of each
member port on its side.

46
Figure 10 Setting the state of a member port in a dynamic aggregation group

The system with the greater system ID can detect the aggregation state changes on the peer system.
The system with the greater system ID sets the aggregation state of local member ports the same as
their peer ports.
When you aggregate interfaces in dynamic mode, follow these guidelines:
• A dynamic link aggregation group chooses only full-duplex ports as the Selected ports.
• For stable aggregation and service continuity, do not change the operational key or attribute
configurations on any member port.
• After the Selected port limit is reached, a newly joining port becomes a Selected port if it is more
eligible than a current Selected port.

47
Edge aggregate interface
Dynamic link aggregation fails on a server-facing aggregate interface if dynamic link aggregation is
configured only on the device. The device forwards traffic by using only one of the physical ports that
are connected to the server.
To improve link reliability, configure the aggregate interface as an edge aggregate interface. This
feature enables all member ports of the aggregation group to forward traffic. When a member port
fails, its traffic is automatically switched to other member ports.
After dynamic link aggregation is configured on the server, the device can receive LACPDUs from
the server. Then, link aggregation between the device and the server operates correctly.
An edge aggregate interface takes effect only when it is configured on an aggregate interface
corresponding to a dynamic aggregation group.

Load sharing modes for link aggregation groups

In a link aggregation group, traffic can be load shared across the Selected ports based on any of the
following modes:
• Per-flow load sharing—Load shares traffic on a per-flow basis. The load sharing mode
classifies packets into flows and forwards packets of the same flow on the same link. This mode
can be one or any combination of the following traffic classification criteria:
{ Ingress port.
{ Source or destination IP address.
{ Source or destination MAC address.
{ Source or destination port number.
• Packet type-based load sharing—Load shares traffic automatically based on packet types
(Layer 2 protocol, IPv4, or IPv6).

Ethernet link aggregation configuration task list

Tasks at a glance
(Required.) Configuring an aggregation group:
• Configuring a Layer 2 aggregation group
• Configuring a Layer 3 aggregation group
(Optional.) Configuring an aggregate interface:
• Configuring the description of an aggregate interface
• Setting the MAC address for an aggregate interface
• Specifying ignored VLANs for a Layer 2 aggregate interface
• Setting the MTU for a Layer 3 aggregate interface
• Setting the minimum and maximum numbers of Selected ports for an aggregation group
• Setting the expected bandwidth for an aggregate interface
• Configuring an edge aggregate interface
• Enabling BFD for an aggregation group
• Shutting down an aggregate interface
• Restoring the default settings for an aggregate interface

48
 Tasks at a glance
(Optional.) Configuring load sharing for link aggregation groups:
• Setting load sharing modes for link aggregation groups
• Enabling local-first load sharing for link aggregation
• Configuring link aggregation load sharing algorithm settings
• Setting the global load sharing mode for MAC-in-MAC traffic
(Optional.) Enabling link-aggregation traffic redirection
(Optional.) Forwarding the traffic of specified VLANs out of a fixed member port on an aggregate link
(Optional.) Excluding a subnet from load sharing on aggregate links

Configuring an aggregation group

This section explains how to configure an aggregation group.

Configuration restrictions and guidelines

When you configure an aggregation group, follow these restrictions and guidelines:
• Table 5 shows the interfaces that cannot be assigned to a Layer 2 aggregation group.
Table 5 Interfaces that cannot be assigned to a Layer 2 aggregation group

Interface type Reference

Interface configured with MAC
MAC authentication in Security Configuration Guide
authentication
Interface configured with port security Port security in Security Configuration Guide
Interface configured with 802.1X 802.1X in Security Configuration Guide

• Do not assign a reflector port for port mirroring to an aggregation group. For more information
about reflector ports, see Network Management and Monitoring Configuration Guide.
• Deleting an aggregate interface also deletes its aggregation group and causes all member
ports to leave the aggregation group.
• You must configure the same aggregation mode on the two ends of an aggregate link.
• For a successful static aggregation, make sure the ports at both ends of each link are in the
same aggregation state.
• For a successful dynamic aggregation, make sure the peer ports of the ports aggregated at one
end are also aggregated. The two ends can automatically negotiate the aggregation state of
each member port.

Configuring a Layer 2 aggregation group

Configuring a Layer 2 static aggregation group

Step Command Remarks

1. Enter system view. system-view N/A

49
 Step Command Remarks
When you create a Layer 2
2. Create a Layer 2 aggregate aggregate interface, the system
interface and enter Layer 2 interface bridge-aggregation
automatically creates a Layer 2
aggregate interface view. interface-number
static aggregation group
numbered the same.
3. Exit to system view. quit N/A
a Enter Layer 2 Ethernet
interface view:
interface interface-type
4. Assign an interface to the interface-number Repeat these two substeps to
specified Layer 2 assign more Layer 2 Ethernet
b Assign the interface to the
aggregation group. interfaces to the aggregation
specified Layer 2
group.
aggregation group:
port link-aggregation
group group-id
5. (Optional.) Set the port link-aggregation port-priority The default port priority of an
priority for the interface. priority interface is 32768.

Configuring a Layer 2 dynamic aggregation group

Step Command Remarks

1. Enter system view. system-view N/A
By default, the system LACP
priority is 32768.
2. Set the system LACP priority. lacp system-priority priority Changing the system LACP
priority might affect the
aggregation states of the ports in
a dynamic aggregation group.
When you create a Layer 2
3. Create a Layer 2 aggregate aggregate interface, the system
interface and enter Layer 2 interface bridge-aggregation
automatically creates a Layer 2
aggregate interface view. interface-number
static aggregation group
numbered the same.
4. Configure the aggregation
group to operate in dynamic By default, an aggregation group
link-aggregation mode dynamic
mode. operates in static mode.

5. Exit to system view. quit N/A

a Enter Layer 2 Ethernet
interface view:
interface interface-type
6. Assign an interface to the interface-number Repeat these two substeps to
specified Layer 2 assign more Layer 2 Ethernet
b Assign the interface to the
aggregation group. interfaces to the aggregation
specified Layer 2
group.
aggregation group:
port link-aggregation
group group-id
• Set the LACP operating
mode to passive:
7. Set the LACP operating lacp mode passive By default, LACP is operating in
mode for the interface. • Set the LACP operating active mode.
mode to active:
undo lacp mode
8. Set the port priority for the link-aggregation port-priority
interface. The default setting is 32768.
priority

50
 Step Command Remarks
By default, the long LACP timeout
interval (90 seconds) is used by
the interface.
9. Set the short LACP timeout To avoid traffic interruption during
interval (3 seconds) for the lacp period short an ISSU, do not set the short
interface. LACP timeout interval before
performing the ISSU. For more
information about ISSU, see
Fundamentals Configuration
Guide.

Configuring a Layer 3 aggregation group

Configuring a Layer 3 static aggregation group

Step Command Remarks

1. Enter system view. system-view N/A
When you create a Layer 3
2. Create a Layer 3 aggregate aggregate interface, the system
interface and enter Layer 3 interface route-aggregation
automatically creates a Layer 3
aggregate interface view. interface-number
static aggregation group
numbered the same.
3. Exit to system view. quit N/A
a Enter Layer 3 Ethernet
interface view:
interface interface-type
4. Assign an interface to the interface-number Repeat these two substeps to
specified Layer 3 assign more Layer 3 Ethernet
b Assign the interface to the
aggregation group. interfaces to the aggregation
specified Layer 3
group.
aggregation group:
port link-aggregation
group group-id
5. (Optional.) Set the port link-aggregation port-priority The default port priority of an
priority for the interface. priority interface is 32768.

Configuring a Layer 3 dynamic aggregation group

Step Command Remarks

1. Enter system view. system-view N/A
By default, the system LACP
priority is 32768.
2. Set the system LACP priority. lacp system-priority priority Changing the system LACP
priority might affect the
aggregation states of the ports in
the dynamic aggregation group.
When you create a Layer 3
3. Create a Layer 3 aggregate aggregate interface, the system
interface and enter Layer 3 interface route-aggregation
automatically creates a Layer 3
aggregate interface view. interface-number
static aggregation group
numbered the same.

51
 Step Command Remarks
4. Configure the aggregation
group to operate in dynamic By default, an aggregation group
link-aggregation mode dynamic
mode. operates in static mode.

5. Exit to system view. quit N/A

a Enter Layer 3 Ethernet
interface view:
interface interface-type
6. Assign an interface to the interface-number Repeat these two substeps to
specified Layer 3 assign more Layer 3 Ethernet
b Assign the interface to the
aggregation group. interfaces to the aggregation
specified Layer 3
group.
aggregation group:
port link-aggregation
group group-id
• Set the LACP operating
mode to passive:
7. Set the LACP operating lacp mode passive By default, LACP is operating in
mode for the interface. • Set the LACP operating active mode.
mode to active:
undo lacp mode
8. Set the port priority for the link-aggregation port-priority
interface. The default setting is 32768.
priority
By default, the long LACP timeout
interval (90 seconds) is used by
the interface.
9. Set the short LACP timeout To avoid traffic interruption during
interval (3 seconds) for the lacp period short an ISSU, do not set the short
interface. LACP timeout interval before
performing the ISSU. For more
information about ISSU, see
Fundamentals Configuration
Guide.

Configuring an aggregate interface

Most configurations that can be made on Layer 2 or Layer 3 Ethernet interfaces can also be made on
Layer 2 or Layer 3 aggregate interfaces.

Configuring the description of an aggregate interface

You can configure the description of an aggregate interface for administration purposes, for example,
describing the purpose of the interface.
To configure the description of an aggregate interface:

Step Command Remarks

1. Enter system view. system-view N/A

52
 Step Command Remarks
• Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
2. Enter aggregate interface-number
interface or subinterface • Enter Layer 3 aggregate N/A
view. interface or subinterface view:
interface route-aggregation
{ interface-number |
interface-number.subnumber }
3. Configure the
description of the By default, the description of an
aggregate interface or description text interface is interface-name
subinterface. Interface.

Setting the MAC address for an aggregate interface

By default, all aggregate interfaces on a device use the same MAC address, and aggregate
interfaces on different devices use different MAC addresses. Typically, the MAC address of an
aggregate interface is not required to be modified.
Do not set MAC addresses for aggregate interfaces on border gateways in VXLAN or EVPN
networks.
To set the MAC address for an aggregate interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 3 aggregate interface route-aggregation
interface or subinterface { interface-number | N/A
view. interface-number.subnumber }
3. Set the MAC address for the By default, the MAC address of a
aggregate interface or mac-address mac-address Layer 3 aggregate interface or
subinterface. subinterface is not set.

Specifying ignored VLANs for a Layer 2 aggregate interface

The system ignores the permit state and tagging mode of an ignored VLAN when choosing Selected
ports.
By default, to become Selected, the member ports must have the same VLAN permit state and
tagging mode as the corresponding Layer 2 aggregate interface.
To specify ignored VLANs for a Layer 2 aggregate interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 aggregate interface bridge-aggregation
interface view. N/A
interface-number
By default, a Layer 2 aggregate
Specify ignored VLANs. link-aggregation ignore vlan
3. interface does not ignore any
vlan-id-list
VLANs.

53
Setting the MTU for a Layer 3 aggregate interface
The MTU of an interface affects IP packets fragmentation and reassembly on the interface.
To set the MTU for a Layer 3 aggregate interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 3 aggregate interface route-aggregation
interface or subinterface { interface-number | N/A
view. interface-number.subnumber }
3. Set the MTU for the Layer 3
aggregate interface or mtu size The default setting is 1500 bytes.
subinterface.

Setting the minimum and maximum numbers of Selected

ports for an aggregation group
IMPORTANT:
The minimum and maximum numbers of Selected ports must be the same for the local and peer
aggregation groups.

The bandwidth of an aggregate link increases as the number of Selected member ports increases.
To avoid congestion, you can set the minimum number of Selected ports required for bringing up an
aggregate interface.
This minimum threshold setting affects the aggregation states of aggregation member ports and the
state of the aggregate interface.
• When the number of member ports eligible to be Selected ports is smaller than the minimum
threshold, the following events occur:
{ The eligible member ports are placed in Unselected state.
{ The link layer state of the aggregate interface becomes down.
• When the number of member ports eligible to be Selected ports reaches or exceeds the
minimum threshold, the following events occur:
{ The eligible member ports are placed in Selected state.
{ The link layer state of the aggregate interface becomes up.
The maximum number of Selected ports allowed in an aggregation group is limited by either manual
configuration or hardware limitation, whichever value is smaller.
You can implement backup between two ports by performing the following tasks:
• Assigning two ports to an aggregation group.
• Setting the maximum number of Selected ports to 1 for the aggregation group.
Then, only one Selected port is allowed in the aggregation group, and the Unselected port acts as a
backup port.
To set the minimum and maximum numbers of Selected ports for an aggregation group:

Step Command Remarks

1. Enter system view. system-view N/A

54
 Step Command Remarks
• Enter Layer 2 aggregate
interface view:
interface
bridge-aggregation
2. Enter aggregate interface interface-number
view. N/A
• Enter Layer 3 aggregate
interface view:
interface
route-aggregation
interface-number
3. Set the minimum number of By default, the minimum number
Selected ports for the link-aggregation selected-port
of Selected ports is not specified
aggregation group. minimum min-number
for an aggregation group.
4. Set the maximum number of By default, the maximum number
Selected ports for the link-aggregation selected-port
of Selected ports for an
aggregation group. maximum max-number
aggregation group is 32.

Setting the expected bandwidth for an aggregate interface

Step Command Remarks
1. Enter system view. system-view N/A
• Enter Layer 2 aggregate
interface view:
interface
bridge-aggregation
interface-number
2. Enter aggregate interface • Enter Layer 3 aggregate
view. interface or subinterface N/A
view:
interface
route-aggregation
{ interface-number |
interface-number.subnumbe
r}
By default, the expected
3. Set the expected bandwidth bandwidth (in kbps) is the
for the interface. bandwidth bandwidth-value
interface baud rate divided by
1000.

Configuring an edge aggregate interface

When you configure an edge aggregate interface, follow these restrictions and guidelines:
• This configuration takes effect only on the aggregate interface corresponding to a dynamic
aggregation group.
• Link-aggregation traffic redirection does not operate correctly on an edge aggregate interface.
For more information about link-aggregation traffic redirection, see "Enabling link-aggregation
traffic redirection."
To configure an edge aggregate interface:

Step Command Remarks

1. Enter system view. system-view N/A

55
 Step Command Remarks
• Enter Layer 2 aggregate
interface view:
interface
bridge-aggregation
2. Enter aggregate interface interface-number
view. N/A
• Enter Layer 3 aggregate
interface view:
interface
route-aggregation
interface-number
3. Configure the aggregate By default, an aggregate interface
interface as an edge lacp edge-port does not operate as an edge
aggregate interface. aggregate interface.

Enabling BFD for an aggregation group

BFD for Ethernet link aggregation can monitor member link status in an aggregation group. After you
enable BFD on an aggregate interface, each Selected port in the aggregation group establishes a
BFD session with its peer port. BFD operates differently depending on the aggregation mode.
• BFD for static aggregation—When BFD detects a link failure, BFD notifies the Ethernet link
aggregation module that the peer port is unreachable. The local port is placed in Unselected
state. The BFD session between the local and peer ports remains, and the local port keeps
sending BFD packets. When the link is recovered, the local port receives BFD packets from the
peer port, and BFD notifies the Ethernet link aggregation module that the peer port is reachable.
The local port is placed in Selected state again. This mechanism ensures that the local and
peer ports of a static aggregate link have the same aggregation state.
• BFD for dynamic aggregation—When BFD detects a link failure, BFD notifies the Ethernet
link aggregation module that the peer port is unreachable. BFD clears the session and stops
sending BFD packets. When the link is recovered and the local port is placed in Selected state
again, the local port establishes a new session with the peer port. BFD notifies the Ethernet link
aggregation module that the peer port is reachable. Because BFD provides fast failure
detection, the local and peer systems of a dynamic aggregate link can negotiate the
aggregation state of their member ports faster.
For more information about BFD, see High Availability Configuration Guide.
Configuration restrictions and guidelines
When you enable BFD for an aggregation group, follow these restrictions and guidelines:
• Make sure the source and destination IP addresses are consistent at the two ends of an
aggregate link. For example, if you execute link-aggregation bfd ipv4 source 1.1.1.1
destination 2.2.2.2 on the local end, execute link-aggregation bfd ipv4 source 2.2.2.2
destination 1.1.1.1 on the peer end. The source and destination IP addresses cannot be the
same.
• The BFD parameters configured on an aggregate interface take effect on all BFD sessions in
the aggregation group. BFD sessions for link aggregation do not support the echo packet mode
and the Demand mode.
• As a best practice, do not configure other protocols to collaborate with BFD on a BFD-enabled
aggregate interface.
• Make sure the number of member ports in a BFD-enabled aggregation group is not larger than
the number of BFD sessions supported by the device. Otherwise, this command might cause
some Selected ports in the aggregation group to change to the Unselected state.

56
Configuration procedure
To enable BFD for an aggregation group:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 aggregate interface view:
interface bridge-aggregation
2. Enter aggregate interface interface-number
view. N/A
• Enter Layer 3 aggregate interface view:
interface route-aggregation
interface-number
By default, BFD is disabled
for an aggregation group.
3. Enable BFD for the link-aggregation bfd ipv4 source The source and destination
aggregation group. ip-address destination ip-address IP addresses of BFD
sessions must be unicast
addresses excluding
0.0.0.0.

Shutting down an aggregate interface

Shutting down or bringing up an aggregate interface affects the aggregation states and link states of
member ports in the corresponding aggregation group as follows:
• When an aggregate interface is shut down, all Selected ports in the corresponding aggregation
group become Unselected ports and all member ports go down.
• When an aggregate interface is brought up, the aggregation states of member ports in the
corresponding aggregation group are recalculated.
To shut down an aggregate interface:

Step Command
1. Enter system view. system-view
• Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number
2. Enter aggregate interface view. • Enter Layer 3 aggregate interface or subinterface view:
interface route-aggregation { interface-number |
interface-number.subnumber }
3. Shut down the aggregate interface or
subinterface. shutdown

Restoring the default settings for an aggregate interface

You can restore all configurations on an aggregate interface to the default settings.
To restore the default settings for an aggregate interface:

Step Command
1. Enter system view. system-view

57
 Step Command
• Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number
2. Enter aggregate interface view. • Enter Layer 3 aggregate interface or subinterface view:
interface route-aggregation { interface-number |
interface-number.subnumber }
3. Restore the default settings for the
aggregate interface. default

Configuring load sharing for link aggregation

groups
This section explains how to configure the load sharing modes for link aggregation groups and how
to enable local-first load sharing for link aggregation.

Setting load sharing modes for link aggregation groups

You can set the global or group-specific load sharing mode. A link aggregation group preferentially
uses the group-specific load sharing mode. If the group-specific load sharing mode is not available,
the group uses the global load sharing mode.
The destination port and source port criteria of the global load sharing mode also take effect on
aggregation groups that have group-specific load sharing settings. If the global load sharing mode
contains one or both of these criteria, these aggregation groups use both the port load sharing
settings and group-specific load sharing settings.
Setting the global link-aggregation load sharing mode

Step Command Remarks

1. Enter system view. system-view N/A
link-aggregation global load-sharing
Set the global mode { destination-ip |
2. By default, the system load shares
link-aggregation load destination-mac | destination-port |
traffic automatically based on
sharing mode. ingress-port | mpls-label1 |
packet types.
mpls-label2 | source-ip | source-mac
| source-port } *

Setting the group-specific load sharing mode

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
2. Enter aggregate interface interface-number
view. N/A
• Enter Layer 3 aggregate
interface view:
interface route-aggregation
interface-number

58
 Step Command Remarks
link-aggregation load-sharing
3. Set the load sharing mode mode { { destination-ip | By default, the group-specific
for the aggregation group. destination-mac | destination-port | load sharing mode is the same
source-ip | source-mac } * | as the global load sharing mode.
flexible }

Enabling local-first load sharing for link aggregation

Use local-first load sharing in a multidevice link aggregation scenario to distribute traffic preferentially
across member ports on the ingress device.
When you aggregate ports on different member devices in an IRF fabric, you can use local-first load
sharing to reduce traffic on IRF links, as shown in Figure 11. For more information about IRF, see IRF
Configuration Guide.
Figure 11 Load sharing for multidevice link aggregation in an IRF fabric

The egress port for a traffic flow is an

aggregate interface that has Selected
ports on different IRF member devices

Yes Local-first load sharing No

mechanism enabled?

No
Any Selected ports on the
ingress device?

Yes

Packets are load-shared only

Packets are load-shared across
across the Selected ports on the
all Selected ports
ingress device

To enable local-first load sharing for link aggregation:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable local-first load link-aggregation load-sharing By default, local-first load sharing
sharing for link aggregation. mode local-first for link aggregation is enabled.

Configuring link aggregation load sharing algorithm settings

To optimize traffic distribution on aggregate links, you can configure a link aggregation load sharing
algorithm and an algorithm seed. You can set only the algorithm or the algorithm seed, or both. You
can combine an algorithm with different algorithm seeds to obtain different effects.

59
 This feature takes effect only when the per-flow load sharing mode is used and the per-flow load
sharing mode does not use the following traffic classification criteria:
• Source IP address.
• Destination IP address.
• Source MAC address.
• Destination MAC address.
• Source and destination IP addresses.
• Source and destination MAC addresses.
To configure a link aggregation load sharing algorithm:

Step Command Remarks

1. Enter system view. system-view N/A
By default, algorithm 5 is used.
link-aggregation global If the device fails to load share
2. Configure a link aggregation traffic flows across all Selected
load sharing algorithm. load-sharing algorithm
algorithm-number ports, you can specify algorithm 1
to 13 in sequence until the
problem is solved.
3. Configure a link aggregation link-aggregation global By default, algorithm seed 0 is
load sharing algorithm seed. load-sharing seed seed-number used.

Setting the global load sharing mode for MAC-in-MAC traffic

MAC-in-MAC traffic can be load shared based on any of the following items:
• The outer frame header, and source and destination ports.
• The inner frame header, and source and destination ports.
To set the global load sharing mode for MAC-in-MAC traffic:

Step Command Remarks

1. Enter system view. system-view N/A

2. Set the global load sharing By default, MAC-in-MAC traffic is

link-aggregation global
mode for MAC-in-MAC load shared based on the inner
load-sharing minm { inner |
traffic. frame header, and source and
outer }
destination ports.

Enabling link-aggregation traffic redirection

This feature redirects traffic on a Selected port to the remaining available Selected ports of an
aggregation group if one of the following events occurs:
• The port is shut down by using the shutdown command.
• The slot that hosts the port reboots, and the aggregation group spans multiple slots.
This feature ensures zero packet loss for known unicast traffic, but does not protect unknown unicast
traffic.
You can enable link-aggregation traffic redirection globally or for an aggregation group. Global
link-aggregation traffic redirection settings take effect on all aggregation groups. A link aggregation
group preferentially uses the group-specific link-aggregation traffic redirection settings. If

60
 group-specific link-aggregation traffic redirection is not configured, the group uses the global
link-aggregation traffic redirection settings.

Configuration restrictions and guidelines

When you enable link-aggregation traffic redirection, follow these restrictions and guidelines:
• Link-aggregation traffic redirection applies only to dynamic link aggregation groups.
• To prevent traffic interruption, enable link-aggregation traffic redirection on devices at both ends
of the aggregate link.
• To prevent packet loss that might occur when a slot reboots, do not enable spanning tree
together with link-aggregation traffic redirection.
• Link-aggregation traffic redirection does not operate correctly on an edge aggregate interface.
• As a best practice, enable link-aggregation traffic redirection on aggregate interfaces. If you
enable this feature globally, communication with a third-party peer device might be affected if
the peer is not compatible with this feature.

Configuration procedure
To enable link-aggregation traffic redirection globally:

Step Command Remarks

1. Enter system view. system-view N/A

Enable link-aggregation link-aggregation lacp

2. By default, link-aggregation traffic
traffic redirection globally. traffic-redirect-notification
redirection is disabled globally.
enable

To enable link-aggregation traffic redirection for an aggregation group:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 aggregate
interface view:
interface
bridge-aggregation
2. Enter aggregate interface interface-number
view. N/A
• Enter Layer 3 aggregate
interface view:
interface
route-aggregation
interface-number
3. Enable link-aggregation link-aggregation lacp By default, link-aggregation traffic
traffic redirection for the traffic-redirect-notification redirection is disabled for an
aggregation group. enable aggregation group.

Forwarding the traffic of specified VLANs out of a

fixed member port on an aggregate link
To forward the traffic in specific VLANs out of a fixed port on an aggregate link, specify those VLANs
as management VLANs and specify that port as a management port.

61
 This task excludes the traffic in the specified VLANs from the load sharing mechanism on the
aggregate link.
An aggregation group can have only one management port. If you specify multiple ports in an
aggregation group as management ports, the system chooses the port with the lowest port number
as the management port.
To forward the traffic in specific VLANs out of a fixed port on an aggregate link:

Step Command Remarks

1. Enter system view. system-view N/A
By default, no management
2. Specify the management link-aggregation VLANs exist on aggregate links.
VLANs. management-vlan vlan-id-list You cannot specify VLAN 1 as a
management VLAN.
If the Layer 2 Ethernet interface is
3. Enter Layer 2 Ethernet not an aggregation member port,
interface interface-type
interface view. the management port setting
interface-number
takes effect after the interface is
assigned to an aggregation group.

4. Configure the interface as a By default, an interface does not

link-aggregation
management port. act as a management port in its
management-port
aggregation group.

Excluding a subnet from load sharing on

aggregate links
IMPORTANT:
This feature is available in 2510P01 and later.

Typically, an aggregate interface distributes traffic across its Selected member ports. The uplink and
downlink traffic of a host might be distributed to different member ports, as shown in Figure 12. To
make sure the bidirectional traffic of a subnet traverses the same member port, you can exclude that
subnet from load sharing by specifying it as a link aggregation management subnet.
When an aggregate interface receives an ARP packet from the management subnet, the device
looks up the sender IP address in the ARP table for a matching entry.
• If no matching entry exists, the device creates an ARP entry on the aggregation member port
from which the packet came in. This mechanism ensures that the returned downlink traffic will
be forwarded out of the member port that received the uplink traffic.
• If an ARP entry already exists on a different port than the aggregate interface or its member
ports, the device does not update that ARP entry. Instead, the device broadcasts an ARP
request out of all ports to relearn the ARP entry.
When an aggregate interface sends an ARP packet to the management subnet, the device sends
the packet out of all Selected member ports of the aggregate interface.
As shown in Figure 12, an aggregate link is established between the server and the IRF fabric. The
server sends all uplink traffic of a subnet through Port C1 to Port A1 on the IRF fabric. If that subnet
is not specified as a management subnet, the IRF fabric distributes its downlink traffic across Port A1
and Port B2. To send the downlink traffic of that subnet to the server only through Port A1, you can
specify the subnet as a link aggregation management subnet.

62
 Figure 12 Link aggregation scenario before management subnets are used

You can configure a maximum of 20 management subnets.

To ensure correct packet forwarding, delete all ARP entries of a subnet before you specify it as a
management subnet or after you remove it from the management subnet list.
If you are using link aggregation management subnets, do not use ARP snooping. For more
information, see Layer 3—IP Services Configuration Guide.
To exclude a subnet from load sharing on aggregate links:

Step Command Remarks

1. Enter system view. system-view N/A

2. Specify a link aggregation link-aggregation By default, no link aggregation

management subnet management-subnet ip-address management subnets are
{ mask | mask-length } specified.

Displaying and maintaining Ethernet link

aggregation
Execute display commands in any view and reset commands in user view.

Task Command
display interface [ { bridge-aggregation |
Display information for an aggregate interface
route-aggregation } [ interface-number ] ] [ brief
or multiple aggregate interfaces.
[ description | down ] ]
Display the local system ID. display lacp system-id
display link-aggregation load-sharing mode [ interface
Display the global or group-specific
[ { bridge-aggregation | route-aggregation }
link-aggregation load sharing modes.
interface-number ] ]

63
 Task Command
display link-aggregation load-sharing path interface
{ bridge-aggregation | route-aggregation }
interface-number ingress-port interface-type
interface-number [ route ] { { destination-ip ip-address |
Display forwarding information for the specified
destination-ipv6 ipv6-address } | { source-ip ip-address |
traffic flow.
source-ipv6 ipv6-address } | destination-mac
mac-address | destination-port port-id | ethernet-type
type-number | ip-protocol protocol-id | source-mac
mac-address | source-port port-id | vlan vlan-id } *
Display detailed link aggregation information
display link-aggregation member-port [ interface-list ]
for link aggregation member ports.
Display summary information about all
display link-aggregation summary
aggregation groups.
display link-aggregation verbose
Display detailed information about the
[ { bridge-aggregation | route-aggregation }
specified aggregation groups.
[ interface-number ] ]
Clear LACP statistics for the specified link
reset lacp statistics [ interface interface-list ]
aggregation member ports.
Clear statistics for the specified aggregate reset counters interface [ { bridge-aggregation |
interfaces. route-aggregation } [ interface-number ] ]

Ethernet link aggregation configuration examples

Layer 2 static aggregation configuration example
Network requirements
On the network shown in Figure 13, perform the following tasks:
• Configure a Layer 2 static aggregation group on both Device A and Device B.
• Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other
end.
• Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other
end.
Figure 13 Network diagram

64
Configuration procedure
1. Configure Device A:
# Create VLAN 10, and assign port Ten-GigabitEthernet 1/0/4 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port ten-gigabitethernet 1/0/4
[DeviceA-vlan10] quit
# Create VLAN 20, and assign port Ten-GigabitEthernet 1/0/5 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port ten-gigabitethernet 1/0/5
[DeviceA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] quit
# Assign ports Ten-GigabitEthernet 1/0/1 through Ten-GigabitEthernet 1/0/3 to link aggregation
group 1.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/2] quit
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/3] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLANs 10 and 20.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20
[DeviceA-Bridge-Aggregation1] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Static
Loadsharing Type: NonS
Management VLANs: None
Port Status Priority Oper-Key

65
 --------------------------------------------------------------------------------
XGE1/0/1 S 32768 1
XGE1/0/2 S 32768 1
XGE1/0/3 S 32768 1

The output shows that link aggregation group 1 is a Layer 2 static aggregation group that contains
three Selected ports.

Layer 2 dynamic aggregation configuration example

Network requirements
On the network shown in Figure 14, perform the following tasks:
• Configure a Layer 2 dynamic aggregation group on both Device A and Device B.
• Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other
end.
• Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other
end.
Figure 14 Network diagram

Configuration procedure
1. Configure Device A:
# Create VLAN 10, and assign the port Ten-GigabitEthernet 1/0/4 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port ten-gigabitethernet 1/0/4
[DeviceA-vlan10] quit
# Create VLAN 20, and assign the port Ten-GigabitEthernet 1/0/5 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port ten-gigabitethernet 1/0/5
[DeviceA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1, and set the link aggregation mode
to dynamic.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation1] quit

66
 # Assign ports Ten-GigabitEthernet 1/0/1 through Ten-GigabitEthernet 1/0/3 to link aggregation
group 1.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/2] quit
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/3] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLANs 10 and 20.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20
[DeviceA-Bridge-Aggregation1] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Dynamic
Loadsharing Type: NonS
Management VLANs: None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Index Oper-Key Flag
XGE1/0/1 S 32768 11 1 {ACDEF}
XGE1/0/2 S 32768 12 1 {ACDEF}
XGE1/0/3 S 32768 13 1 {ACDEF}
Remote:
Actor Priority Index Oper-Key SystemID Flag
XGE1/0/1 32768 81 1 0x8000, 000f-e267-57ad {ACDEF}
XGE1/0/2 32768 82 1 0x8000, 000f-e267-57ad {ACDEF}
XGE1/0/3 32768 83 1 0x8000, 000f-e267-57ad {ACDEF}

The output shows that link aggregation group 1 is a Layer 2 dynamic aggregation group that contains
three Selected ports.

67
Layer 2 aggregation load sharing configuration example
Network requirements
On the network shown in Figure 15, perform the following tasks:
• Configure Layer 2 static aggregation groups 1 and 2 on Device A and Device B, respectively.
• Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other
end.
• Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other
end.
• Configure link aggregation groups 1 and 2 to load share traffic across aggregation group
member ports.
{ Configure link aggregation group 1 to load share packets based on source MAC addresses.
{ Configure link aggregation group 2 to load share packets based on destination MAC
addresses.
Figure 15 Network diagram

Configuration procedure
1. Configure Device A:
# Create VLAN 10, and assign the port Ten-GigabitEthernet 1/0/5 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port ten-gigabitethernet 1/0/5
[DeviceA-vlan10] quit
# Create VLAN 20, and assign the port Ten-GigabitEthernet 1/0/6 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port ten-gigabitethernet 1/0/6
[DeviceA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1.
[DeviceA] interface bridge-aggregation 1
# Configure Layer 2 aggregation group 1 to load share packets based on source MAC
addresses.
[DeviceA-Bridge-Aggregation1] link-aggregation load-sharing mode source-mac
[DeviceA-Bridge-Aggregation1] quit
# Assign ports Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 to link aggregation
group 1.

68
 [DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/2] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLAN 10.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10
[DeviceA-Bridge-Aggregation1] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 2.
[DeviceA] interface bridge-aggregation 2
# Configure Layer 2 aggregation group 2 to load share packets based on destination MAC
addresses.
[DeviceA-Bridge-Aggregation2] link-aggregation load-sharing mode destination-mac
[DeviceA-Bridge-Aggregation2] quit
# Assign ports Ten-GigabitEthernet 1/0/3 and Ten-GigabitEthernet 1/0/4 to link aggregation
group 2.
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port link-aggregation group 2
[DeviceA-Ten-GigabitEthernet1/0/3] quit
[DeviceA] interface ten-gigabitethernet 1/0/4
[DeviceA-Ten-GigabitEthernet1/0/4] port link-aggregation group 2
[DeviceA-Ten-GigabitEthernet1/0/4] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 2 as a trunk port and assign it to
VLAN 20.
[DeviceA] interface bridge-aggregation 2
[DeviceA-Bridge-Aggregation2] port link-type trunk
[DeviceA-Bridge-Aggregation2] port trunk permit vlan 20
[DeviceA-Bridge-Aggregation2] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None
Port Status Priority Oper-Key

69
 --------------------------------------------------------------------------------
XGE1/0/1 S 32768 1
XGE1/0/2 S 32768 1

Aggregate Interface: Bridge-Aggregation2

Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None
Port Status Priority Oper-Key
--------------------------------------------------------------------------------
XGE1/0/3 S 32768 2
XGE1/0/4 S 32768 2

The output shows that:

• Link aggregation groups 1 and 2 are both load-shared Layer 2 static aggregation groups.
• Each aggregation group contains two Selected ports.
# Display all the group-specific load sharing modes on Device A.
[DeviceA] display link-aggregation load-sharing mode interface

Bridge-Aggregation1 Load-Sharing Mode:

source-mac address

Bridge-Aggregation2 Load-Sharing Mode:

destination-mac address

The output shows that:

• Link aggregation group 1 load shares packets based on source MAC addresses.
• Link aggregation group 2 load shares packets based on destination MAC addresses.

Layer 2 edge aggregate interface configuration example

Network requirements
As shown in Figure 16, a Layer 2 dynamic aggregation group is configured on the device. The server
is not configured with dynamic link aggregation.
Configure an edge aggregate interface so that both Ten-GigabitEthernet 1/0/1 and
Ten-GigabitEthernet 1/0/2 can forward traffic to improve link reliability.
Figure 16 Network diagram

Configuration procedure
# Create Layer 2 aggregate interface Bridge-Aggregation 1, and set the link aggregation mode to
dynamic.
<Device> system-view
[Device] interface bridge-aggregation 1
[Device-Bridge-Aggregation1] link-aggregation mode dynamic

70
 # Configure Layer 2 aggregate interface Bridge-Aggregation 1 as an edge aggregate interface.
[Device-Bridge-Aggregation1] lacp edge-port
[Device-Bridge-Aggregation1] quit

# Assign ports Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 to link aggregation group 1.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[Device-Ten-GigabitEthernet1/0/1] quit
[Device] interface ten-gigabitethernet 1/0/2
[Device-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[Device-Ten-GigabitEthernet1/0/2] quit

Verifying the configuration

# Display detailed information about all aggregation groups on the device when the server is not
configured with dynamic link aggregation.
[Device] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Dynamic
Loadsharing Type: NonS
Management VLANs: None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Index Oper-Key Flag
XGE1/0/1 I 32768 11 1 {AG}
XGE1/0/2 I 32768 12 1 {AG}
Remote:
Actor Priority Index Oper-Key SystemID Flag
XGE1/0/1 32768 81 0 0x8000, 0000-0000-0000 {DEF}
XGE1/0/2 32768 82 0 0x8000, 0000-0000-0000 {DEF}

The output shows that Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 are in Individual
state when they do not receive LACPDUs from the server. Both Ten-GigabitEthernet 1/0/1 and
Ten-GigabitEthernet 1/0/2 can forward traffic. When one port fails, its traffic is automatically switched
to the other port.

Layer 3 static aggregation configuration example

Network requirements
On the network shown in Figure 17, perform the following tasks:
• Configure a Layer 3 static aggregation group on both Device A and Device B.
• Configure IP addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.

71
 Figure 17 Network diagram

Configuration procedure
1. Configure Device A:
# Create Layer 3 aggregate interface Route-Aggregation 1, and configure an IP address and
subnet mask for the aggregate interface.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces Ten-GigabitEthernet 1/0/1 through Ten-GigabitEthernet
1/0/3 to aggregation group 1.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/2] quit
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/3] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Route-Aggregation1

Aggregation Mode: Static
Loadsharing Type: NonS
Management VLANs: None
Port Status Priority Oper-Key
--------------------------------------------------------------------------------
XGE1/0/1 S 32768 1
XGE1/0/2 S 32768 1
XGE1/0/3 S 32768 1

The output shows that link aggregation group 1 is a Layer 3 static aggregation group that contains
three Selected ports.

72
Layer 3 dynamic aggregation configuration example
Network requirements
On the network shown in Figure 18, perform the following tasks:
• Configure a Layer 3 dynamic aggregation group on both Device A and Device B.
• Configure IP addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.
Figure 18 Network diagram

Configuration procedure
1. Configure Device A:
# Create Layer 3 aggregate interface Route-Aggregation 1.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
# Set the link aggregation mode to dynamic.
[DeviceA-Route-Aggregation1] link-aggregation mode dynamic
# Configure an IP address and subnet mask for Route-Aggregation 1.
[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces Ten-GigabitEthernet 1/0/1 through Ten-GigabitEthernet
1/0/3 to aggregation group 1.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/2] quit
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/3] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Route-Aggregation1

Aggregation Mode: Dynamic

73
 Loadsharing Type: NonS
Management VLANs: None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Index Oper-Key Flag
XGE1/0/1 S 32768 11 1 {ACDEF}
XGE1/0/2 S 32768 12 1 {ACDEF}
XGE1/0/3 S 32768 13 1 {ACDEF}
Remote:
Actor Priority Index Oper-Key SystemID Flag
XGE1/0/1 32768 81 1 0x8000, 000f-e267-57ad {ACDEF}
XGE1/0/2 32768 81 1 0x8000, 000f-e267-57ad {ACDEF}
XGE1/0/3 32768 81 1 0x8000, 000f-e267-57ad {ACDEF}

The output shows that link aggregation group 1 is a Layer 3 dynamic aggregation group that contains
three Selected ports.

Layer 3 aggregation load sharing configuration example

Network requirements
On the network shown in Figure 19, perform the following tasks:
• Configure Layer 3 static aggregation groups 1 and 2 on Device A and Device B, respectively.
• Configure IP addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.
• Configure link aggregation group 1 to load share packets based on source IP addresses.
• Configure link aggregation group 2 to load share packets based on destination IP addresses.
Figure 19 Network diagram

Configuration procedure
1. Configure Device A:
# Create Layer 3 aggregate interface Route-Aggregation 1.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
# Configure Layer 3 aggregation group 1 to load share packets based on source IP addresses.
[DeviceA-Route-Aggregation1] link-aggregation load-sharing mode source-ip
# Configure an IP address and subnet mask for Layer 3 aggregate interface Route-Aggregation
1.
[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2
to aggregation group 1.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-aggregation group 1

74
 [DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-Ten-GigabitEthernet1/0/2] quit
# Create Layer 3 aggregate interface Route-Aggregation 2.
[DeviceA] interface route-aggregation 2
# Configure Layer 3 aggregation group 2 to load share packets based on destination IP
addresses.
[DeviceA-Route-Aggregation2] link-aggregation load-sharing mode destination-ip
# Configure an IP address and subnet mask for Layer 3 aggregate interface Route-Aggregation
2.
[DeviceA-Route-Aggregation2] ip address 192.168.2.1 24
[DeviceA-Route-Aggregation2] quit
# Assign Layer 3 Ethernet interfaces Ten-GigabitEthernet 1/0/3 and Ten-GigabitEthernet 1/0/4
to aggregation group 2.
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port link-aggregation group 2
[DeviceA-Ten-GigabitEthernet1/0/3] quit
[DeviceA] interface ten-gigabitethernet 1/0/4
[DeviceA-Ten-GigabitEthernet1/0/4] port link-aggregation group 2
[DeviceA-Ten-GigabitEthernet1/0/4] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Route-Aggregation1

Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None
Port Status Priority Oper-Key
--------------------------------------------------------------------------------
XGE1/0/1 S 32768 1
XGE1/0/2 S 32768 1

Aggregate Interface: Route-Aggregation2

Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None
Port Status Priority Oper-Key
--------------------------------------------------------------------------------
XGE1/0/3 S 32768 2

75
 XGE1/0/4 S 32768 2

The output shows that:

• Link aggregation groups 1 and 2 are both load-shared Layer 3 static aggregation groups.
• Each aggregation group contains two Selected ports.
# Display all the group-specific load sharing modes on Device A.
[DeviceA] display link-aggregation load-sharing mode interface

Route-Aggregation1 Load-Sharing Mode:

source-ip address

Route-Aggregation2 Load-Sharing Mode:

destination-ip address

The output shows that:

• Link aggregation group 1 load shares packets based on source IP addresses.
• Link aggregation group 2 load shares packets based on destination IP addresses.

Layer 3 edge aggregate interface configuration example

Network requirements
As shown in Figure 20, a Layer 3 dynamic aggregation group is configured on the device. The server
is not configured with dynamic link aggregation.
Configure an edge aggregate interface so that both Ten-GigabitEthernet 1/0/1 and
Ten-GigabitEthernet 1/0/2 can forward traffic to improve link reliability.
Figure 20 Network diagram

Configuration procedure
# Create Layer 3 aggregate interface Route-Aggregation 1, and set the link aggregation mode to
dynamic.
<Device> system-view
[Device] interface route-aggregation 1
[Device-Route-Aggregation1] link-aggregation mode dynamic

# Configure an IP address and subnet mask for Layer 3 aggregate interface Route-Aggregation 1.
[Device-Route-Aggregation1] ip address 192.168.1.1 24

# Configure Layer 3 aggregate interface Route-Aggregation 1 as an edge aggregate interface.

[Device-Route-Aggregation1] lacp edge-port
[Device-Route-Aggregation1] quit

# Assign Layer 3 Ethernet interfaces Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 to

aggregation group 1.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[Device-Ten-GigabitEthernet1/0/1] quit

76
 [Device] interface ten-gigabitethernet 1/0/2
[Device-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[Device-Ten-GigabitEthernet1/0/2] quit

Verifying the configuration

# Display detailed information about all aggregation groups on the device when the server is not
configured with dynamic link aggregation.
[Device] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Route-Aggregation1

Aggregation Mode: Dynamic
Loadsharing Type: NonS
Management VLANs: None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Index Oper-Key Flag
XGE1/0/1 I 32768 11 1 {AG}
XGE1/0/2 I 32768 12 1 {AG}
Remote:
Actor Priority Index Oper-Key SystemID Flag
XGE1/0/1 32768 81 0 0x8000, 0000-0000-0000 {DEF}
XGE1/0/2 32768 82 0 0x8000, 0000-0000-0000 {DEF}

The output shows that Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 are in Individual
state when they do not receive LACPDUs from the server. Both Ten-GigabitEthernet 1/0/1 and
Ten-GigabitEthernet 1/0/2 can forward traffic. When one port fails, its traffic is automatically switched
to the other port.

77
Configuring port isolation
The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs.
Ports in an isolation group cannot communicate with each other. However, they can communicate
with ports outside the isolation group.

Assigning a port to an isolation group

The device supports multiple isolation groups, which can be configured manually. The number of
ports assigned to an isolation group is not limited.
To assign a port to an isolation group:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create an isolation
group. port-isolate group group-id By default, no isolation groups exist.

• The configuration in Layer 2

Ethernet interface view applies only
to the interface.
• Enter Layer 2 Ethernet • The configuration in Layer 2
interface view: aggregate interface view applies to
interface interface-type the Layer 2 aggregate interface and
interface-number its aggregation member ports. If the
Enter interface view. device fails to apply the configuration
3. • Enter Layer 2 aggregate
to the aggregate interface, it does
interface view:
not assign any aggregation member
interface
port to the isolation group. If the
bridge-aggregation
failure occurs on an aggregation
interface-number
member port, the device skips the
port and continues to assign other
aggregation member ports to the
isolation group.
By default, the port is not in any isolation
group.
4. Assign the port to the port-isolate enable group You can assign a port to only one isolation
isolation group. group-id group. If you execute the port-isolate
enable group command multiple times,
the most recent configuration takes effect.

Displaying and maintaining port isolation

Execute display commands in any view.

Task Command
Display isolation group information. display port-isolate group [ group-id ]

78
Port isolation configuration example
Network requirements
As shown in Figure 21:
• LAN users Host A, Host B, and Host C are connected to Ten-GigabitEthernet 1/0/1,
Ten-GigabitEthernet 1/0/2, and Ten-GigabitEthernet 1/0/3 on the device, respectively.
• The device connects to the Internet through Ten-GigabitEthernet 1/0/4.
Configure the device to provide Internet access for the hosts, and isolate them from one another at
Layer 2.
Figure 21 Network diagram

Internet

XGE1/0/4
Device
XGE1/0/1 XGE1/0/3

XGE1/0/2

Host A Host B Host C

Configuration procedure
# Create isolation group 1.
<Device> system-view
[Device] port-isolate group 1

# Assign Ten-GigabitEthernet 1/0/1, Ten-GigabitEthernet 1/0/2, and Ten-GigabitEthernet 1/0/3 to

isolation group 1.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] port-isolate enable group 1
[Device-Ten-GigabitEthernet1/0/1] quit
[Device] interface ten-gigabitethernet 1/0/2
[Device-Ten-GigabitEthernet1/0/2] port-isolate enable group 1
[Device-Ten-GigabitEthernet1/0/2] quit
[Device] interface ten-gigabitethernet 1/0/3
[Device-Ten-GigabitEthernet1/0/3] port-isolate enable group 1
[Device-Ten-GigabitEthernet1/0/3] quit

Verifying the configuration

# Display information about isolation group 1.
[Device] display port-isolate group 1

79
 Port isolation group information:
Group ID: 1
Group members:
Ten-GigabitEthernet1/0/1 Ten-GigabitEthernet1/0/2 Ten-GigabitEthernet1/0/3

The output shows that Ten-GigabitEthernet 1/0/1, Ten-GigabitEthernet 1/0/2, and

Ten-GigabitEthernet 1/0/3 are assigned to isolation group 1. As a result, Host A, Host B, and Host C
are isolated from one another at layer 2.

80
Configuring spanning tree protocols
Spanning tree protocols eliminate loops in a physical link-redundant network by selectively blocking
redundant links and putting them in a standby state.
The recent versions of STP include the Rapid Spanning Tree Protocol (RSTP), the Per-VLAN
Spanning Tree (PVST), and the Multiple Spanning Tree Protocol (MSTP).

STP
STP was developed based on the 802.1d standard of IEEE to eliminate loops at the data link layer in
a LAN. Networks often have redundant links as backups in case of failures, but loops are a very
serious problem. Devices running STP detect loops in the network by exchanging information with
one another. They eliminate loops by selectively blocking certain ports to prune the loop structure
into a loop-free tree structure. This avoids proliferation and infinite cycling of packets that would
occur in a loop network.
In a narrow sense, STP refers to IEEE 802.1d STP. In a broad sense, STP refers to the IEEE 802.1d
STP and various enhanced spanning tree protocols derived from that protocol.

STP protocol frames

STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its protocol
frames. This chapter uses BPDUs to represent all types of spanning tree protocol frames.
STP-enabled devices exchange BPDUs to establish a spanning tree. BPDUs contain sufficient
information for the devices to complete spanning tree calculation.
STP uses two types of BPDUs, configuration BPDUs and topology change notification (TCN)
BPDUs.
Configuration BPDUs
Devices exchange configuration BPDUs to elect the root bridge and determine port roles. Figure 22
shows the configuration BPDU format.
Figure 22 Configuration BPDU format

DMA SMA L/T LLC header Payload

DMA: Destination MAC address Fields Byte

SMA: Source MAC address Protocol ID 2
L/T: Frame length Protocol version ID 1
LLC header: Logical link control header
Payload: BPDU data BPDU type 1
Flags 1
Root ID 8
Root path cost 4
Bridge ID 8
Port ID 2
Message age 2
Max age 2
Hello time 2
Forward delay 2

The payload of a configuration BPDU includes the following fields:

81
 • Protocol ID—Fixed at 0x0000, which represents IEEE 802.1d.
• Protocol version ID—Spanning tree protocol version ID. The protocol version ID for STP is
0x00.
• BPDU type—Type of the BPDU. The value is 0x00 for a configuration BPDU.
• Flags—An 8-bit field indicates the purpose of the BPDU. The lowest bit is the Topology Change
(TC) flag. The highest bit is the Topology Change Acknowledge (TCA) flag. All other bits are
reserved.
• Root ID—Root bridge ID formed by the priority and MAC address of the root bridge.
• Root path cost—Cost of the path to the root bridge.
• Bridge ID—Designated bridge ID formed by the priority and MAC address of the designated
bridge.
• Port ID—Designated port ID formed by the priority and global port number of the designated
port.
• Message age—Age of the configuration BPDU while it propagates in the network.
• Max age—Maximum age of the configuration BPDU stored on the switch.
• Hello time—Configuration BPDU transmission interval.
• Forward delay—Delay for STP bridges to transit port state.
Devices use the root bridge ID, root path cost, designated bridge ID, designated port ID, message
age, max age, hello time, and forward delay for spanning tree calculation.
TCN BPDUs
Devices use TCN BPDUs to announce changes in the network topology. Figure 23 shows the TCN
BPDU format.
Figure 23 TCN BPDU format

The payload of a TCN BPDU includes the following fields:

• Protocol ID—Fixed at 0x0000, which represents IEEE 802.1d.
• Protocol version ID—Spanning tree protocol version ID. The protocol version ID for STP is
0x00.
• BPDU type—Type of the BPDU. The value is 0x80 for a TCN BPDU.
A non-root bridge sends TCN BPDUs when one of the following events occurs on the bridge:
• A port transits to the forwarding state, and the bridge has a minimum of one designated port.
• A port transits from the forwarding or learning state to the blocking state.
The non-root bridge uses TCN BPDUs to notify the root bridge once the network topology changes.
The root bridge then sets the TC flag in its configuration BPDU and propagates it to other bridges.

82
Basic concepts in STP
Root bridge
A tree network must have a root bridge. The entire network contains only one root bridge, and all the
other bridges in the network are called leaf nodes. The root bridge is not permanent, but can change
with changes of the network topology.
Upon initialization of a network, each device generates and periodically sends configuration BPDUs,
with itself as the root bridge. After network convergence, only the root bridge generates and
periodically sends configuration BPDUs. The other devices only forward the BPDUs.
Root port
On a non-root bridge, the port nearest to the root bridge is the root port. The root port communicates
with the root bridge. Each non-root bridge has only one root port. The root bridge has no root port.
Designated bridge and designated port

Classification Designated bridge Designated port

Device directly connected to the local device
Port through which the designated
For a device and responsible for forwarding BPDUs to the
bridge forwards BPDUs to this device.
local device.
Port through which the designated
Device responsible for forwarding BPDUs to
For a LAN bridge forwards BPDUs to this LAN
this LAN segment.
segment.

As shown in Figure 24, Device B and Device C are directly connected to a LAN.
If Device A forwards BPDUs to Device B through port A1, the designated bridge and designated port
are as follows:
• The designated bridge for Device B is Device A.
• The designated port for Device B is port A1 on Device A.
If Device B forwards BPDUs to the LAN, the designated bridge and designated port are as follows:
• The designated bridge for the LAN is Device B.
• The designated port for the LAN is port B2 on Device B.
Figure 24 Designated bridges and designated ports

Port states
Table 6 lists the port states in STP.

83
 Table 6 STP port states

State Receives/sends BPDUs Learns MAC addresses Forwards use data

Disabled No No No
Listening Yes No No
Learning Yes Yes No
Forwarding Yes Yes Yes
Blocking Receive No No

Path cost
Path cost is a reference value used for link selection in STP. To prune the network into a loop-free
tree, STP calculates path costs to select the most robust links and block redundant links that are less
robust.

Calculation process of the STP algorithm

The spanning tree calculation process described in the following sections is an example of a
simplified process.
Calculation process
The STP algorithm uses the following calculation process:
1. Network initialization.
Upon initialization of a device, each port generates a BPDU with the following contents:
{ The port as the designated port.
{ The device as the root bridge.
{ 0 as the root path cost.
{ The device ID as the designated bridge ID.
2. Root bridge selection.
Initially, each STP-enabled device on the network assumes itself to be the root bridge, with its
own device ID as the root bridge ID. By exchanging configuration BPDUs, the devices compare
their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge.
3. Root port and designated ports selection on the non-root bridges.

Step Description
A non-root-bridge device regards the port on which it received the optimum configuration
1 BPDU as the root port. Table 7 describes how the optimum configuration BPDU is
selected.
Based on the configuration BPDU and the path cost of the root port, the device calculates
a designated port configuration BPDU for each of the other ports.
• The root bridge ID is replaced with that of the configuration BPDU of the root port.
2 • The root path cost is replaced with that of the configuration BPDU of the root port plus
the path cost of the root port.
• The designated bridge ID is replaced with the ID of this device.
• The designated port ID is replaced with the ID of this port.

84
 Step Description
The device compares the calculated configuration BPDU with the configuration BPDU on
the port whose port role will be determined. Then, the device acts depending on the result
of the comparison:
• If the calculated configuration BPDU is superior, the device performs the following
operations:
{ Considers this port as the designated port.
3
{ Replaces the configuration BPDU on the port with the calculated configuration
BPDU.
{ Periodically sends the calculated configuration BPDU.
• If the configuration BPDU on the port is superior, the device blocks this port without
updating its configuration BPDU. The blocked port can receive BPDUs, but cannot
send BPDUs or forward data traffic.

When the network topology is stable, only the root port and designated ports forward user traffic.
Other ports are all in the blocking state to receive BPDUs but not to forward BPDUs or user
traffic.
Table 7 Selecting the optimum configuration BPDU

Step Actions
Upon receiving a configuration BPDU on a port, the device compares the priority of the
received configuration BPDU with that of the configuration BPDU generated by the port.
• If the former priority is lower, the device discards the received configuration BPDU
1
and keeps the configuration BPDU the port generated.
• If the former priority is higher, the device replaces the content of the configuration
BPDU generated by the port with the content of the received configuration BPDU.
The device compares the configuration BPDUs of all the ports and chooses the optimum
2
configuration BPDU.

The following are the principles of configuration BPDU comparison:

a. The configuration BPDU with the lowest root bridge ID has the highest priority.
b. If configuration BPDUs have the same root bridge ID, their root path costs are compared.
For example, the root path cost in a configuration BPDU plus the path cost of a receiving
port is S. The configuration BPDU with the smallest S value has the highest priority.
c. If all configuration BPDUs have the same root bridge ID and S value, the following attributes
are compared in sequence:
− Designated bridge IDs.
− Designated port IDs.
− IDs of the receiving ports.
The configuration BPDU that contains a smaller designated bridge ID, designated port ID,
or receiving port ID is selected.
A tree-shape topology forms when the root bridge, root ports, and designated ports are selected.
Example of STP calculation
Figure 25 provides an example showing how the STP algorithm works.

85
Figure 25 The STP algorithm

As shown in Figure 25, the priority values of Device A, Device B, and Device C are 0, 1, and 2,
respectively. The path costs of links among the three devices are 5, 10, and 4.
1. Device state initialization.
In Table 8, each configuration BPDU contains the following fields: root bridge ID, root path cost,
designated bridge ID, and designated port ID.
Table 8 Initial state of each device

Configuration BPDU on
Device Port name
the port
Port A1 {0, 0, 0, Port A1}
Device A
Port A2 {0, 0, 0, Port A2}
Port B1 {1, 0, 1, Port B1}
Device B
Port B2 {1, 0, 1, Port B2}
Port C1 {2, 0, 2, Port C1}
Device C
Port C2 {2, 0, 2, Port C2}

2. Configuration BPDUs comparison on each device.

In Table 9, each configuration BPDU contains the following fields: root bridge ID, root path cost,
designated bridge ID, and designated port ID.

86
Table 9 Comparison process and result on each device

Configuration BPDU
Device Comparison process on ports after
comparison
Port A1 performs the following operations:
1. Receives the configuration BPDU of Port B1 {1, 0, 1,
Port B1}.
2. Determines that its existing configuration BPDU {0, 0,
0, Port A1} is superior to the received configuration
BPDU.
3. Discards the received one.
Port A2 performs the following operations: • Port A1: {0, 0, 0, Port
1. Receives the configuration BPDU of Port C1 {2, 0, 2, A1}
Device A Port C1}. • Port A2: {0, 0, 0, Port
2. Determines that its existing configuration BPDU {0, 0, A2}
0, Port A2} is superior to the received configuration
BPDU.
3. Discards the received one.
Device A determines that it is both the root bridge and
designated bridge in the configuration BPDUs of all its
ports. It considers itself as the root bridge. It does not
change the configuration BPDU of any port and starts to
periodically send configuration BPDUs.
Port B1 performs the following operations:
1. Receives the configuration BPDU of Port A1 {0, 0, 0,
Port A1}.
2. Determines that the received configuration BPDU is
superior to its existing configuration BPDU {1, 0, 1,
Port B1}. • Port B1: {0, 0, 0, Port
3. Updates its configuration BPDU. A1}
Port B2 performs the following operations: • Port B2: {1, 0, 1, Port
1. Receives the configuration BPDU of Port C2 {2, 0, 2, B2}
Port C2}.
2. Determines that its existing configuration BPDU {1, 0,
1, Port B2} is superior to the received configuration
BPDU.
3. Discards the received BPDU.
Device B
Device B performs the following operations:
1. Compares the configuration BPDUs of all its ports.
2. Decides that the configuration BPDU of Port B1 is the
optimum.
3. Selects Port B1 as the root port with the configuration
BPDU unchanged. • Root port (Port B1):
Based on the configuration BPDU and path cost of the root {0, 0, 0, Port A1}
port, Device B calculates a designated port configuration • Designated port (Port
BPDU for Port B2 {0, 5, 1, Port B2}. Device B compares it B2): {0, 5, 1, Port B2}
with the existing configuration BPDU of Port B2 {1, 0, 1, Port
B2}. Device B determines that the calculated one is
superior, and determines that Port B2 is the designated
port. It replaces the configuration BPDU on Port B2 with the
calculated one, and periodically sends the calculated
configuration BPDU.

87
 Configuration BPDU
Device Comparison process on ports after
comparison
Port C1 performs the following operations:
1. Receives the configuration BPDU of Port A2 {0, 0, 0,
Port A2}.
2. Determines that the received configuration BPDU is
superior to its existing configuration BPDU {2, 0, 2,
Port C1}. • Port C1: {0, 0, 0, Port
3. Updates its configuration BPDU. A2}
Port C2 performs the following operations: • Port C2: {1, 0, 1, Port
1. Receives the original configuration BPDU of Port B2 B2}
{1, 0, 1, Port B2}.
2. Determines that the received configuration BPDU is
superior to the existing configuration BPDU {2, 0, 2,
Port C2}.
3. Updates its configuration BPDU.
Device C performs the following operations:
1. Compares the configuration BPDUs of all its ports.
2. Decides that the configuration BPDU of Port C1 is the
optimum.
3. Selects Port C1 as the root port with the configuration • Root port (Port C1):
BPDU unchanged. {0, 0, 0, Port A2}
Device C
Based on the configuration BPDU and path cost of the root • Designated port (Port
port, Device C calculates the configuration BPDU of Port C2 C2): {0, 10, 2, Port
{0, 10, 2, Port C2}. Device C compares it with the existing C2}
configuration BPDU of Port C2 {1, 0, 1, Port B2}. Device C
determines that the calculated configuration BPDU is
superior to the existing one, selects Port C2 as the
designated port, and replaces the configuration BPDU of
Port C2 with the calculated one.
Port C2 performs the following operations:
1. Receives the updated configuration BPDU of Port B2
{0, 5, 1, Port B2}.
2. Determines that the received configuration BPDU is
superior to its existing configuration BPDU {0, 10, 2,
Port C2}. • Port C1: {0, 0, 0, Port
A2}
3. Updates its configuration BPDU.
• Port C2: {0, 5, 1, Port
Port C1 performs the following operations: B2}
1. Receives a periodic configuration BPDU {0, 0, 0, Port
A2} from Port A2.
2. Determines that it is the same as the existing
configuration BPDU.
3. Discards the received BPDU.

88
 Configuration BPDU
Device Comparison process on ports after
comparison
Device C determines that the root path cost of Port C1 is
larger than that of Port C2. The root path cost of Port C1 is
10, root path cost of the received configuration BPDU (0)
plus path cost of Port C1 (10). The root path cost of Port C2
is 9, root path cost of the received configuration BPDU (5)
plus path cost of Port C2 (4). Device C determines that the
configuration BPDU of Port C2 is the optimum, and selects
Port C2 as the root port with the configuration BPDU
unchanged.
Based on the configuration BPDU and path cost of the root • Blocked port (Port
port, Device C performs the following operations: C1): {0, 0, 0, Port A2}
1. Calculates a designated port configuration BPDU for • Root port (Port C2):
Port C1 {0, 9, 2, Port C1}. {0, 5, 1, Port B2}
2. Compares it with the existing configuration BPDU of
Port C1 {0, 0, 0, Port A2}.
3. Determines that the existing configuration BPDU is
superior to the calculated one and blocks Port C1 with
the configuration BPDU unchanged.
Port C1 does not forward data until a new event triggers a
spanning tree calculation process: for example, the link
between Device B and Device C is down.

After the comparison processes described in Table 9, a spanning tree with Device A as the root
bridge is established, as shown in Figure 26.
Figure 26 The final calculated spanning tree

The configuration BPDU forwarding mechanism of STP

The configuration BPDUs of STP are forwarded according to these guidelines:
• Upon network initiation, every device regards itself as the root bridge and generates
configuration BPDUs with itself as the root. Then it sends the configuration BPDUs at a regular
hello interval.
• If the root port receives a configuration BPDU superior to the configuration BPDU of the port,
the device performs the following operations:
{ Increases the message age carried in the configuration BPDU.
{ Starts a timer to time the configuration BPDU.
{ Sends this configuration BPDU through the designated port.
• If a designated port receives a configuration BPDU with a lower priority than its configuration
BPDU, the port immediately responds with its configuration BPDU.

89
 • If a path fails, the root port on this path no longer receives new configuration BPDUs and the old
configuration BPDUs will be discarded due to timeout. The device generates a configuration
BPDU with itself as the root and sends the BPDUs and TCN BPDUs. This triggers a new
spanning tree calculation process to establish a new path to restore the network connectivity.
However, the newly calculated configuration BPDU cannot be propagated throughout the network
immediately. As a result, the old root ports and designated ports that have not detected the topology
change continue forwarding data along the old path. If the new root ports and designated ports begin
to forward data as soon as they are elected, a temporary loop might occur.
STP timers
The most important timing parameters in STP calculation are forward delay, hello time, and max age.
• Forward delay
Forward delay is the delay time for port state transition. By default, the forward delay is 15
seconds.
A path failure can cause spanning tree re-calculation to adapt the spanning tree structure to the
change. However, the resulting new configuration BPDU cannot propagate throughout the
network immediately. If the newly elected root ports and designated ports start to forward data
immediately, a temporary loop will likely occur.
The newly elected root ports or designated ports must go through the listening and learning
states before they transit to the forwarding state. This requires twice the forward delay time and
allows the new configuration BPDU to propagate throughout the network.
• Hello time
The device sends configuration BPDUs at the hello time interval to the neighboring devices to
ensure that the paths are fault-free. By default, the hello time is 2 seconds. If the device does
not receive configuration BPDUs within the timeout period, it recalculates the spanning tree.
The formula for calculating the timeout period is timeout period = timeout factor × 3 × hello time.
• Max age
The device uses the max age to determine whether a stored configuration BPDU has expired
and discards it if the max age is exceeded. By default, the max age is 20 seconds. In the CIST
of an MSTP network, the device uses the max age timer to determine whether a configuration
BPDU received by a port has expired. If it is expired, a new spanning tree calculation process
starts. The max age timer does not take effect on MSTIs.
If a port does not receive any configuration BPDUs within the timeout period, the port transits to the
listening state. The device will recalculate the spanning tree. It takes the port 50 seconds to transit
back to the forwarding state. This period includes 20 seconds for the max age, 15 seconds for the
listening state, and 15 seconds for the learning state.
To ensure a fast topology convergence, make sure the timer settings meet the following formulas:
• 2 × (forward delay – 1 second) ≥ max age
• Max age ≥ 2 × (hello time + 1 second)

RSTP
RSTP achieves rapid network convergence by allowing a newly elected root port or designated port
to enter the forwarding state much faster than STP.

RSTP protocol frames

An RSTP BPDU uses the same format as an STP BPDU except that a Version1 length field is added
to the payload of RSTP BPDUs. The differences between an RSTP BPDU and an STP BPDU are as
follows:
• Protocol version ID—The value is 0x02 for RSTP.

90
 • BPDU type—The value is 0x02 for RSTP BPDUs.
• Flags—All 8 bits are used.
• Version1 length—The value is 0x00, which means no version 1 protocol information is
present.
RSTP does not use TCN BPDUs to advertise topology changes. RSTP floods BPDUs with the TC
flag set in the network to advertise topology changes.

Basic concepts in RSTP

Port roles
In addition to root port and designated port, RSTP also uses the following port roles:
• Alternate port—Acts as the backup port for a root port. When the root port is blocked, the
alternate port takes over.
• Backup port—Acts as the backup port of a designated port. When the designated port is
invalid, the backup port becomes the new designated port. A loop occurs when two ports of the
same spanning tree device are connected, so the device blocks one of the ports. The blocked
port is the backup port.
• Edge port—Directly connects to a user host rather than a network device or network segment.
Port states
RSTP uses the discarding state to replace the disabled, blocking, and listening states in STP. Table
10 shows the differences between the port states in RSTP and STP.
Table 10 Port state differences between RSTP and STP

RSTP port Sends Learns MAC Forwards user

STP port state
state BPDU addresses data
Disabled Discarding No No No
Blocking Discarding No No No
Listening Discarding Yes No No
Learning Learning Yes Yes No
Forwarding Forwarding Yes Yes Yes

How RSTP works

During RSTP calculation, the following events occur:
• If a port in discarding state becomes an alternate port, it retains its state.
• If a port in discarding state is elected as the root port or designated port, it enters the learning
state after the forward delay. The port learns MAC addresses, and enters the forwarding state
after another forward delay.
{ A newly elected RSTP root port rapidly enters the forwarding state if the following
requirements are met:
− The old root port on the device has stopped forwarding data.
− The upstream designated port has started forwarding data.
{ A newly elected RSTP designated port rapidly enters the forwarding state if one of the
following requirements is met:
− The designated port is configured as an edge port which directly connects to a user
terminal.

91
 − The designated port connects to a point-to-point link and receives a handshake
response from the directly connected device.

RSTP BPDU processing

In RSTP, a non-root bridge actively sends RSTP BPDUs at the hello time through designated ports
without waiting for the root bridge to send RSTP BPDUs. This enables RSTP to quickly detect link
failures. If a device fails to receive any RSTP BPDUs on a port within triple the hello time, the device
considers that a link failure has occurred. After the stored configuration BPDU expires, the device
floods RSTP BPDUs with the TC flag set to initiate a new RSTP calculation.
In RSTP, a port in blocking state can immediately respond to an RSTP BPDU with a lower priority
than its own BPDU.
As shown in Figure 27, Device A is the root bridge. The priority of Device B is higher than the priority
of Device C. Port C2 on Device C is blocked.
When the link between Device A and Device B fails, the following events occur:
1. Device B sends an RSTP BPDU with itself as the root bridge to Device C.
2. Device C compares the RSTP BPDU with its own BPDU.
3. Because the RSTP BPDU from Device B has a lower priority, Device C sends its own BPDU to
Device B.
4. Device B considers that Port B2 is the root port and stops sending RSTP BPDUs to Device C.
Figure 27 BPDU processing in RSTP

PVST
In an STP- or RSTP-enabled LAN, all bridges share one spanning tree. Traffic from all VLANs is
forwarded along the spanning tree, and ports cannot be blocked on a per-VLAN basis to prune loops.
PVST allows every VLAN to have its own spanning tree, which increases usage of links and
bandwidth. Because each VLAN runs RSTP independently, a spanning tree only serves its VLAN.
A PVST-enabled HPE device can communicate with a third-party device that is running Rapid PVST
or PVST. The PVST-enabled HPE device supports fast network convergence like RSTP when
connected to PVST-enabled HPE devices or third-party devices enabled with Rapid PVST.

PVST protocol frames

As shown in Figure 28, a PVST BPDU uses the same format as an RSTP BPDU except the following
differences:

92
 • The destination MAC address of a PVST BPDU is 01-00-0c-cc-cc-cd, which is a private MAC
address.
• Each PVST BPDU carries a VLAN tag. The VLAN tag identifies the VLAN to which the PVST
BPDU belongs.
• The organization code and PID fields are added to the LLC header of the PVST BPDU.
Figure 28 PVST BPDU format

A port's link type determines the type of BPDUs the port sends.
• An access port sends RSTP BPDUs.
• A trunk or hybrid port sends RSTP BPDUs in the default VLAN and sends PVST BPDUs in other
VLANs.

Basic concepts in PVST

PVST uses the same port roles and port states as RSTP for fast convergence. For more information,
see "Basic concepts in RSTP."

How PVST works

In PVST, each VLAN runs RSTP independently to maintain its own spanning tree without affecting
the spanning trees of other VLANs. In this way, loops in each VLAN are eliminated and traffic of
different VLANs is load shared over links. PVST uses RSTP BPDUs in the default VLAN and PVST
BPDUs in other VLANs for spanning tree calculation. PVST of Hewlett Packard Enterprise
implements per-VLAN spanning tree calculation by mapping each VLAN to an MSTI.

MSTP
MSTP overcomes the following STP, RSTP, and PVST limitations:
• STP limitations—STP does not support rapid state transition of ports. A newly elected port
must wait twice the forward delay time before it transits to the forwarding state.
• RSTP limitations—Although RSTP enables faster network convergence than STP, RSTP fails
to provide load balancing among VLANs. As with STP, all RSTP bridges in a LAN share one
spanning tree and forward frames from all VLANs along this spanning tree.
• PVST limitations—Because each VLAN has its spanning tree, the amount of PVST BPDUs is
proportional to the number of VLANs on a trunk or hybrid port. When the trunk or hybrid port
permits too many VLANs, both resources and calculations for maintaining the VLAN spanning
trees increase dramatically. If a status change occurs on the trunk or hybrid port that permits
multiple VLANs, the device CPU will be overburdened with recalculating the affected spanning
trees. As a result, network performance is degraded.

MSTP features
Developed based on IEEE 802.1s, MSTP overcomes the limitations of STP, RSTP, and PVST. In
addition to supporting rapid network convergence, it allows data flows of different VLANs to be
forwarded along separate paths. This provides a better load sharing mechanism for redundant links.

93
 MSTP provides the following features:
• MSTP divides a switched network into multiple regions, each of which contains multiple
spanning trees that are independent of one another.
• MSTP supports mapping VLANs to spanning tree instances by means of a VLAN-to-instance
mapping table. MSTP can reduce communication overheads and resource usage by mapping
multiple VLANs to one instance.
• MSTP prunes a loop network into a loop-free tree, which avoids proliferation and endless
cycling of frames in a loop network. In addition, it supports load balancing of VLAN data by
providing multiple redundant paths for data forwarding.
• MSTP is compatible with STP and RSTP, and partially compatible with PVST.

MSTP protocol frames

Figure 29 shows the format of an MSTP BPDU.
Figure 29 MSTP BPDU format

The first 13 fields of an MSTP BPDU are the same as an RSTP BPDU. The other six fields are
unique to MSTP.
• Protocol version ID—The value is 0x03 for MSTP.
• BPDU type—The value is 0x02 for RSTP/MSTP BPDUs.
• Root ID—ID of the common root bridge.
• Root path cost—CIST external path cost.
• Bridge ID—ID of the regional root for the IST or an MSTI.
• Port ID—ID of the designated port in the CIST.
• Version3 length—Length of the MSTP-specific fields. Devices use this field for verification
upon receiving an MSTP BPDU.
• MST configuration ID—Includes the format selector, configuration name, revision level, and
configuration digest. The value for format selector is fixed at 0x00. The other parameters are
used to identify the MST region for the originating bridge.

94
 • CIST IRPC—Internal root path cost (IRPC) from the originating bridge to the root of the MST
region.
• CIST bridge ID—ID of the bridge that sends the MSTP BPDU.
• CIST remaining ID—Remaining hop count. This field limits the scale of the MST region. The
regional root sends a BPDU with the remaining hop count set to the maximum value. Each
device that receives the BPDU decrements the hop count by one. When the hop count reaches
zero, the BPDU is discarded. Devices beyond the maximum hops of the MST region cannot
participate in spanning tree calculation. The default remaining hop count is 20.
• MSTI configuration messages—Contains MSTI configuration messages. Each MSTI
configuration message is 16 bytes. This field can contain 0 to 64 MSTI configuration messages.
The number of the MSTI configuration messages is determined by the number of MSTIs in the
MST region.

MSTP basic concepts

Figure 30 shows a switched network that contains four MST regions, each MST region containing
four MSTP devices. Figure 31 shows the networking topology of MST region 3.
Figure 30 Basic concepts in MSTP
VLAN 1 MSTI 1 VLAN 1 MSTI 1
VLAN 2 MSTI 2 VLAN 2 MSTI 2
Other VLANs MSTI 0 Other VLANs MSTI 0

MST region 1 MST region 4

MST region 2 MST region 3

VLAN 1 MSTI 1 VLAN 1 MSTI 1

VLAN 2 MSTI 2 CST VLAN 2&3 MSTI 2
Other VLANs MSTI 0 Other VLANs MSTI 0

95
 Figure 31 Network diagram and topology of MST region 3

MST region
A multiple spanning tree region (MST region) consists of multiple devices in a switched network and
the network segments among them. All these devices have the following characteristics:
• A spanning tree protocol enabled
• Same region name
• Same VLAN-to-instance mapping configuration
• Same MSTP revision level
• Physically linked together
Multiple MST regions can exist in a switched network. You can assign multiple devices to the same
MST region, as shown in Figure 30.
• The switched network contains four MST regions, MST region 1 through MST region 4.
• All devices in each MST region have the same MST region configuration.
MSTI
MSTP can generate multiple independent spanning trees in an MST region, and each spanning tree
is mapped to the specific VLANs. Each spanning tree is referred to as a multiple spanning tree
instance (MSTI).
In Figure 31, MST region 3 contains three MSTIs, MSTI 1, MSTI 2, and MSTI 0.
VLAN-to-instance mapping table
As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping
relationships between VLANs and MSTIs.
In Figure 31, the VLAN-to-instance mapping table of MST region 3 is as follows:
• VLAN 1 to MSTI 1.
• VLAN 2 and VLAN 3 to MSTI 2.
• Other VLANs to MSTI 0.
MSTP achieves load balancing by means of the VLAN-to-instance mapping table.
CST
The common spanning tree (CST) is a single spanning tree that connects all MST regions in a
switched network. If you regard each MST region as a device, the CST is a spanning tree calculated
by these devices through STP or RSTP.

96
 The blue lines in Figure 30 represent the CST.
IST
An internal spanning tree (IST) is a spanning tree that runs in an MST region. It is also called MSTI 0,
a special MSTI to which all VLANs are mapped by default.
In Figure 30, MSTI 0 is the IST in MST region 3.
CIST
The common and internal spanning tree (CIST) is a single spanning tree that connects all devices in
a switched network. It consists of the ISTs in all MST regions and the CST.
In Figure 30, the ISTs (MSTI 0) in all MST regions plus the inter-region CST constitute the CIST of the
entire network.
Regional root
The root bridge of the IST or an MSTI within an MST region is the regional root of the IST or MSTI.
Based on the topology, different spanning trees in an MST region might have different regional roots,
as shown in MST region 3 in Figure 31.
• The regional root of MSTI 1 is Device B.
• The regional root of MSTI 2 is Device C.
• The regional root of MSTI 0 (also known as the IST) is Device A.
Common root bridge
The common root bridge is the root bridge of the CIST.
In Figure 30, the common root bridge is a device in MST region 1.
Port roles
A port can play different roles in different MSTIs. As shown in Figure 32, an MST region contains
Device A, Device B, Device C, and Device D. Port A1 and port A2 of Device A connect to the
common root bridge. Port B2 and Port B3 of Device B form a loop. Port C3 and Port C4 of Device C
connect to other MST regions. Port D3 of Device D directly connects to a host.
Figure 32 Port roles
To the common root

MST region Port A1 Port A2

Root port

Port A3 Port A4 Designated port

Device A
(Root bridge) Alternate port

Device B Device D Backup port

Port B1 Port D1
Edge port
Port B2 Port B3 Port D2
Port D3
Master port

Boundary port

Port C1
Port C2
Normal link
Device C
Blocked link
Port C3 Port C4

To other MST regions

97
 MSTP calculation involves the following port roles:
• Root port—Forwards data for a non-root bridge to the root bridge. The root bridge does not
have any root port.
• Designated port—Forwards data to the downstream network segment or device.
• Alternate port—Acts as the backup port for a root port or master port. When the root port or
master port is blocked, the alternate port takes over.
• Backup port—Acts as the backup port of a designated port. When the designated port is
invalid, the backup port becomes the new designated port. A loop occurs when two ports of the
same spanning tree device are connected, so the device blocks one of the ports. The blocked
port acts as the backup.
• Edge port—Directly connects to a user host rather than a network device or network segment.
• Master port—Acts as a port on the shortest path from the local MST region to the common root
bridge. The master port is not always located on the regional root. It is a root port on the IST or
CIST and still a master port on the other MSTIs.
• Boundary port—Connects an MST region to another MST region or to an STP/RSTP-running
device. In MSTP calculation, a boundary port's role on an MSTI is consistent with its role on the
CIST. However, that is not true with master ports. A master port on MSTIs is a root port on the
CIST.
Port states
In MSTP, a port can be in one of the following states:
• Forwarding—The port receives and sends BPDUs, learns MAC addresses, and forwards user
traffic.
• Learning—The port receives and sends BPDUs, learns MAC addresses, but does not forward
user traffic. Learning is an intermediate port state.
• Discarding—The port receives and sends BPDUs, but does not learn MAC addresses or
forward user traffic.

NOTE:
When in different MSTIs, a port can be in different states.

A port state is not exclusively associated with a port role. Table 11 lists the port states that each port
role supports. (A check mark [√] indicates that the port supports this state, while a dash [—] indicates
that the port does not support this state.)
Table 11 Port states that different port roles support

Port role (right) Root

Designated
port/master Alternate port Backup port
Port state (below) port
port
Forwarding √ √ — —
Learning √ √ — —
Discarding √ √ √ √

How MSTP works

MSTP divides an entire Layer 2 network into multiple MST regions, which are connected by a
calculated CST. Inside an MST region, multiple spanning trees, called MSTIs, are calculated. Among
these MSTIs, MSTI 0 is the IST.

98
 Like STP, MSTP uses configuration BPDUs to calculate spanning trees. An important difference is
that an MSTP BPDU carries the MSTP configuration of the bridge from which the BPDU is sent.
CIST calculation
During the CIST calculation, the following process takes place:
• The device with the highest priority is elected as the root bridge of the CIST.
• MSTP generates an IST within each MST region through calculation.
• MSTP regards each MST region as a single device and generates a CST among these MST
regions through calculation.
The CST and ISTs constitute the CIST of the entire network.
MSTI calculation
Within an MST region, MSTP generates different MSTIs for different VLANs based on the
VLAN-to-instance mappings. For each spanning tree, MSTP performs a separate calculation
process similar to spanning tree calculation in STP. For more information, see "Calculation process
of the STP algorithm."
In MSTP, a VLAN frame is forwarded along the following paths:
• Within an MST region, the frame is forwarded along the corresponding MSTI.
• Between two MST regions, the frame is forwarded along the CST.

MSTP implementation on devices

MSTP is compatible with STP and RSTP. Devices that are running MSTP and that are used for
spanning tree calculation can identify STP and RSTP protocol frames.
In addition to basic MSTP features, the following features are provided for ease of management:
• Root bridge hold
• Root bridge backup
• Root guard
• BPDU guard
• Loop guard
• TC-BPDU guard
• Port role restriction
• TC-BPDU transmission restriction

Rapid transition mechanism

In STP, a port must wait twice the forward delay (30 seconds by default) before it transits from the
blocking state to the forwarding state. The forward delay is related to the hello time and network
diameter. If the forward delay is too short, loops might occur. This affects the stability of the network.
RSTP, PVST, and MSTP all use the rapid transition mechanism to speed up port state transition for
edge ports, root ports, and designated ports. The rapid transition mechanism for designated ports is
also known as the proposal/agreement (P/A)_transition.
Edge port rapid transition
As shown in Figure 33, Port C3 is an edge port connected to a host. When a network topology
change occurs, the port can immediately transit from the blocking state to the forwarding state
because no loop will be caused.
Because a device cannot determine whether a port is directly connected to a terminal, you must
manually configure the port as an edge port.

99
 Figure 33 Edge port rapid transition

Root port rapid transition

When a root port is blocked, the bridge will elect the alternate port with the highest priority as the new
root port. If the new root port's peer is in the forwarding state, the new root port immediately transits
to the forwarding state.
As shown in Figure 34, Port C2 on Device C is a root port and Port C1 is an alternate port. When Port
C2 transits to the blocking state, Port C1 is elected as the root port and immediately transits to the
forwarding state.
Figure 34 Root port rapid transition

P/A transition
The P/A transition enables a designated port to rapidly transit to the forwarding state after a
handshake with its peer. The P/A transition applies only to point-to-point links.
• P/A transition for RSTP and PVST.
In RSTP or PVST, the ports on a new link or recovered link are designated ports in blocking
state. When one of the designated ports transits to the discarding or learning state, it sets the
proposal flag in its BPDU. Its peer bridge receives the BPDU and determines whether the
receiving port is the root port. If it is the root port, the bridge blocks the other ports except edge
ports. The bridge then replies an agreement BPDU to the designated port. The designated port
immediately transits to the forwarding state upon receiving the agreement BPDU. If the
designated port does not receive the agreement BPDU, it waits for twice the forward delay to
transit to the forwarding state.
As shown in Figure 35, the P/A transition operates as follows:

100
 a. Device A sends a proposal BPDU to Device B through Port A1.
b. Device B receives the proposal BPDU on Port B2. Port B2 is elected as the root port.
c. Device B blocks its designated port Port B1 and alternate port Port B3 to eliminate loops.
d. The root port Port B2 transits to the forwarding state and sends an agreement BPDU to
Device A.
e. The designated port Port A1 on Device A immediately transits to the forwarding state after
receiving the agreement BPDU.
Figure 35 P/A transition for RSTP and PVST

• P/A transition for MSTP.

In MSTP, an upstream bridge sets both the proposal and agreement flags in its BPDU. If a
downstream bridge receives the BPDU and its receiving port is elected as the root port, the
bridge blocks all the other ports except edge ports. The downstream bridge then replies an
agreement BPDU to the upstream bridge. The upstream port immediately transits to the
forwarding state upon receiving the agreement BPDU. If the upstream port does not receive the
agreement BPDU, it waits for twice the forward delay to transit to the forwarding state.
As shown in Figure 36, the P/A transition operates as follows:
a. Device A sets the proposal and agreement flags in its BPDU and sends it to Device B
through Port A1.
b. Device B receives the BPDU. Port B1 of Device B is elected as the root port.
c. Device B then blocks all its ports except the edge ports.
d. The root port Port B1 of Device B transits to the forwarding state and sends an agreement
BPDU to Device A.
e. Port A1 of Device A immediately transits to the forwarding state upon receiving the
agreement BPDU.
Figure 36 P/A transition for MSTP

101
Protocols and standards
MSTP is documented in the following protocols and standards:
• IEEE 802.1d, Media Access Control (MAC) Bridges
• IEEE 802.1w, Part 3: Media Access Control (MAC) Bridges—Amendment 2: Rapid
Reconfiguration
• IEEE 802.1s, Virtual Bridged Local Area Networks—Amendment 3: Multiple Spanning Trees
• IEEE 802.1Q-REV/D1.3, Media Access Control (MAC) Bridges and Virtual Bridged Local Area
Networks —Clause 13: Spanning tree Protocols

Spanning tree configuration task lists

Before configuring a spanning tree, complete the following tasks:
• Determine the spanning tree protocol to be used (STP, RSTP, PVST, or MSTP).
• Plan the device roles (the root bridge or leaf node).
When you configure spanning tree protocols, follow these restrictions and guidelines:
• If both MVRP and a spanning tree protocol are enabled on a device, MVRP packets are
forwarded along MSTIs. To advertise a specific VLAN within the network through MVRP, make
sure this VLAN is mapped to an MSTI when you configure the VLAN-to-instance mapping table.
For more information about MVRP, see "Configuring MVRP."
• The spanning tree configurations are mutually exclusive with any of the following features on a
port: service loopback group, RRPP, and Smart Link.
• Configurations made in system view take effect globally. Configurations made in Ethernet
interface view take effect only on the interface. Configurations made in Layer 2 aggregate
interface view take effect only on the aggregate interface. Configurations made on an
aggregation member port can take effect only after the port is removed from the aggregation
group.
• After you enable a spanning tree protocol on a Layer 2 aggregate interface, the system
performs spanning tree calculation on the Layer 2 aggregate interface. It does not perform
spanning tree calculation on the aggregation member ports. The spanning tree protocol enable
state and forwarding state of each selected member port is consistent with those of the
corresponding Layer 2 aggregate interface.
• The member ports of an aggregation group do not participate in spanning tree calculation.
However, the ports still reserve their spanning tree configurations for participating in spanning
tree calculation after leaving the aggregation group.

102
STP configuration task list
Tasks at a glance
Configuring the root bridge:
• (Required.) Setting the spanning tree mode
• (Optional.) Configuring the root bridge or a secondary root bridge
• (Optional.) Configuring the device priority
• (Optional.) Configuring the network diameter of a switched network
• (Optional.) Setting spanning tree timers
• (Optional.) Setting the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
Configuring the leaf nodes:
• (Required.) Setting the spanning tree mode
• (Optional.) Configuring the device priority
• (Optional.) Setting the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring path costs of ports
• (Optional.) Configuring the port priority
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
(Optional.) Configuring TC Snooping
(Optional.) Configuring protection features
(Optional.) Enabling BPDU transparent transmission on a port
(Optional.) Enabling SNMP notifications for new-root election and topology change events

RSTP configuration task list

Tasks at a glance
Configuring the root bridge:
• (Required.) Setting the spanning tree mode
• (Optional.) Configuring the root bridge or a secondary root bridge
• (Optional.) Configuring the device priority
• (Optional.) Configuring the network diameter of a switched network
• (Optional.) Setting spanning tree timers
• (Optional.) Setting the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring the port link type
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature

103
 Tasks at a glance
Configuring the leaf nodes:
• (Required.) Setting the spanning tree mode
• (Optional.) Configuring the device priority
• (Optional.) Setting the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring path costs of ports
• (Optional.) Configuring the port priority
• (Optional.) Configuring the port link type
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
(Optional.) Performing mCheck
(Optional.) Configuring TC Snooping
(Optional.) Configuring protection features
(Optional.) Enabling BPDU transparent transmission on a port
(Optional.) Enabling SNMP notifications for new-root election and topology change events

PVST configuration task list

Tasks at a glance
Configuring the root bridge:
• (Required.) Setting the spanning tree mode
• (Optional.) Configuring the root bridge or a secondary root bridge
• (Optional.) Configuring the device priority
• (Optional.) Configuring the network diameter of a switched network
• (Optional.) Setting spanning tree timers
• (Optional.) Setting the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring the port link type
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
Configuring the leaf nodes:
• (Required.) Setting the spanning tree mode
• (Optional.) Configuring the device priority
• (Optional.) Setting the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring path costs of ports
• (Optional.) Configuring the port priority
• (Optional.) Configuring the port link type
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
(Optional.) Performing mCheck
(Optional.) Disabling inconsistent PVID protection

104
 Tasks at a glance
(Optional.) Configuring protection features
(Optional.) Enabling the device to log events of detecting or receiving TC BPDUs
(Optional.) Enabling BPDU transparent transmission on a port
(Optional.) Enabling SNMP notifications for new-root election and topology change events

MSTP configuration task list

Tasks at a glance
Configuring the root bridge:
• (Required.) Setting the spanning tree mode
• (Required.) Configuring an MST region
• (Optional.) Configuring the root bridge or a secondary root bridge
• (Optional.) Configuring the device priority
• (Optional.) Configuring the maximum hops of an MST region
• (Optional.) Configuring the network diameter of a switched network
• (Optional.) Setting spanning tree timers
• (Optional.) Setting the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring the port link type
• (Optional.) Configuring the mode a port uses to recognize and send MSTP frames
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
Configuring the leaf nodes:
• (Required.) Setting the spanning tree mode
• (Required.) Configuring an MST region
• (Optional.) Configuring the device priority
• (Optional.) Setting the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring path costs of ports
• (Optional.) Configuring the port priority
• (Optional.) Configuring the port link type
• (Optional.) Configuring the mode a port uses to recognize and send MSTP frames
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
(Optional.) Performing mCheck
(Optional.) Configuring Digest Snooping
(Optional.) Configuring No Agreement Check
(Optional.) Configuring TC Snooping
(Optional.) Configuring protection features
(Optional.) Enabling BPDU transparent transmission on a port
(Optional.) Enabling SNMP notifications for new-root election and topology change events

105
Setting the spanning tree mode
The spanning tree modes include:
• STP mode—All ports of the device send STP BPDUs. Select this mode when the peer device
of a port supports only STP.
• RSTP mode—All ports of the device send RSTP BPDUs. A port in this mode automatically
transits to the STP mode when it receives STP BPDUs from the peer device. A port in this mode
does not transit to the MSTP mode when it receives MSTP BPDUs from the peer device.
• PVST mode—All ports of the device send PVST BPDUs. Each VLAN maintains a spanning
tree. In a network, the amount of spanning trees maintained by all devices equals the number of
PVST-enabled VLANs multiplied by the number of PVST-enabled ports. If the amount of
spanning trees exceeds the capacity of the network, device CPUs will be overloaded. Packet
forwarding is interrupted, and the network becomes unstable. The number of PVST-enabled
VLANs supported by the device is 144.
• MSTP mode—All ports of the device send MSTP BPDUs. A port in this mode automatically
transits to the STP mode when receiving STP BPDUs from the peer device. A port in this mode
does not transit to the RSTP mode when receiving RSTP BPDUs from the peer device.
The MSTP mode is compatible with the RSTP mode, and the RSTP mode is compatible with the STP
mode.
Compatibility of the PVST mode depends on the link type of a port.
• On an access port, the PVST mode is compatible with other spanning tree modes in all VLANs.
• On a trunk port or hybrid port, the PVST mode is compatible with other spanning tree modes
only in the default VLAN.
To set the spanning tree mode:

Step Command Remarks

1. Enter system view. system-view N/A

Set the spanning tree mode. The default setting is the

2. stp mode { mstp | pvst | rstp | stp }
MSTP mode.

Configuring an MST region

Spanning tree devices belong to the same MST region if they are both connected through a physical
link and configured with the following details:
• Format selector (0 by default, not configurable).
• MST region name.
• MST region revision level.
• VLAN-to-instance mapping entries in the MST region.
The configuration of MST region-related parameters (especially the VLAN-to-instance mapping table)
might cause MSTP to begin a new spanning tree calculation. To reduce the possibility of topology
instability, the MST region configuration takes effect only after you activate it by doing one of the
following:
• Use the active region-configuration command.
• Enable a spanning tree protocol by using the stp global enable command if the spanning tree
protocol is disabled.
In STP, RSTP, or PVST mode, MST region configurations do not take effect.

106
 To configure an MST region:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter MST region view. stp region-configuration N/A
3. Configure the MST region The default setting is the MAC
name. region-name name
address.
• instance instance-id vlan Use one of the commands.
4. Configure the vlan-id-list
VLAN-to-instance mapping By default, all VLANs in an MST
table. • vlan-mapping modulo region are mapped to the CIST (or
modulo MSTI 0).
5. Configure the MSTP revision
level of the MST region. revision-level level The default setting is 0.

6. (Optional.) Display the MST

region configurations that are check region-configuration N/A
not activated yet.
7. Manually activate MST
region configuration. active region-configuration N/A

Configuring the root bridge or a secondary root

bridge
You can have the spanning tree protocol determine the root bridge of a spanning tree through
calculation. You can also specify a device as the root bridge or as a secondary root bridge.
A device has independent roles in different spanning trees. It can act as the root bridge in one
spanning tree and as a secondary root bridge in another. However, one device cannot be the root
bridge and a secondary root bridge in the same spanning tree.
A spanning tree can have only one root bridge. If multiple devices can be selected as the root bridge
in a spanning tree, the device with the lowest MAC address is selected.
When the root bridge of an instance fails or is shut down and no new root bridge is specified, the
following events occur:
• If you specify only one secondary root bridge, it becomes the root bridge.
• If you specify multiple secondary root bridges for the instance, the secondary root bridge with
the lowest MAC address is given priority.
• If you do not specify a secondary root bridge, a new root bridge is calculated.
You can specify one root bridge for each spanning tree, regardless of the device priority settings.
Once you specify a device as the root bridge or a secondary root bridge, you cannot change its
priority.
You can configure a device as the root bridge by setting the device priority to 0. For the device priority
configuration, see "Configuring the device priority."

Configuring the device as the root bridge of a specific

spanning tree
Step Command Remarks
1. Enter system view. system-view N/A

107
 Step Command Remarks
• In STP/RSTP mode:
stp root primary
• In PVST mode:
2. Configure the device as By default, the device is not a
stp vlan vlan-id-list root primary
the root bridge. root bridge.
• In MSTP mode:
stp [ instance instance-list ] root
primary

Configuring the device as a secondary root bridge of a

specific spanning tree
Step Command Remarks
1. Enter system view. system-view N/A
• In STP/RSTP mode:
stp root secondary
• In PVST mode:
2. Configure the device as a By default, the device is not
stp vlan vlan-id-list root secondary
secondary root bridge. a secondary root bridge.
• In MSTP mode:
stp [ instance instance-list ] root
secondary

Configuring the device priority

Device priority is a factor in calculating the spanning tree. The priority of a device determines
whether the device can be elected as the root bridge of a spanning tree. A lower value indicates a
higher priority. You can set the priority of a device to a low value to specify the device as the root
bridge of the spanning tree. A spanning tree device can have different priorities in different spanning
trees.
During root bridge selection, if all devices in a spanning tree have the same priority, the one with the
lowest MAC address is selected. You cannot change the priority of a device after it is configured as
the root bridge or as a secondary root bridge.
To configure the priority of the device in a specified MSTI:

Step Command Remarks

1. Enter system view. system-view N/A
• In STP/RSTP mode:
stp priority priority
• In PVST mode:
2. Configure the priority of
the device.
stp vlan vlan-id-list priority priority The default setting is 32768.
• In MSTP mode:
stp [ instance instance-list ] priority
priority

Configuring the maximum hops of an MST region

Restrict the region size by setting the maximum hops of an MST region. The hop limit configured on
the regional root bridge is used as the hop limit for the MST region.

108
 Configuration BPDUs sent by the regional root bridge always have a hop count set to the maximum
value. When a device receives this configuration BPDU, it decrements the hop count by one, and
uses the new hop count in the BPDUs that it propagates. When the hop count of a BPDU reaches
zero, it is discarded by the device that received it. Devices beyond the reach of the maximum hops
can no longer participate in spanning tree calculations, so the size of the MST region is limited.
Make this configuration only on the root bridge. All other devices in the MST region use the maximum
hop value set for the root bridge.
You can configure the maximum hops of an MST region based on the STP network size. As a best
practice, set the maximum hops to a value that is greater than the maximum hops of each edge
device to the root bridge.
To configure the maximum number of hops of an MST region:

Step Command Remarks

1. Enter system view. system-view N/A
2. Configure the maximum
hops of the MST region. stp max-hops hops The default setting is 20.

Configuring the network diameter of a switched

network
Any two terminal devices in a switched network can reach each other through a specific path, and
there are a series of devices on the path. The switched network diameter is the maximum number of
devices on the path for an edge device to reach another one in the switched network through the root
bridge. The network diameter indicates the network size. The bigger the diameter, the larger the
network size.
Based on the network diameter you configured, the system automatically sets an optimal hello time,
forward delay, and max age for the device.
In STP, RSTP, or MSTP mode, each MST region is considered a device. The configured network
diameter takes effect only on the CIST (or the common root bridge) but not on other MSTIs.
In PVST mode, the configured network diameter takes effect only on the root bridges of the specified
VLANs.
To configure the network diameter of a switched network:

Step Command Remarks

1. Enter system view. system-view N/A
• In STP/RSTP/MSTP mode:
2. Configure the network stp bridge-diameter diameter
diameter of the switched • In PVST mode: The default setting is 7.
network. stp vlan vlan-id-list bridge-diameter
diameter

Setting spanning tree timers

The following timers are used for spanning tree calculation:
• Forward delay—Delay time for port state transition. To prevent temporary loops on a network,
the spanning tree feature sets an intermediate port state (the learning state) before it transits
from the discarding state to the forwarding state. The feature also requires that the port transit

109
 its state after a forward delay timer. This ensures that the state transition of the local port stays
synchronized with the peer.
• Hello time—Interval at which the device sends configuration BPDUs to detect link failures. If
the device does not receive configuration BPDUs within the timeout period, it recalculates the
spanning tree. The formula for calculating the timeout period is timeout period = timeout factor ×
3 × hello time.
• Max age—In the CIST of an MSTP network, the device uses the max age timer to determine
whether a configuration BPDU received by a port has expired. If it is expired, a new spanning
tree calculation process starts. The max age timer does not take effect on MSTIs.
To ensure a fast topology convergence, make sure the timer settings meet the following formulas:
• 2 × (forward delay – 1 second) ≥ max age
• Max age ≥ 2 × (hello time + 1 second)
As a best practice, specify the network diameter and letting spanning tree protocols automatically
calculate the timers based on the network diameter instead of manually setting the spanning tree
timers. If the network diameter uses the default value, the timers also use their default values.
Set the timers only on the root bridge. The timer settings on the root bridge apply to all devices on the
entire switched network.

Configuration restrictions and guidelines

When you set spanning tree timers, follow these restrictions and guidelines:
• The length of the forward delay is related to the network diameter of the switched network. The
larger the network diameter is, the longer the forward delay time should be. As a best practice,
use the automatically calculated value because inappropriate forward delay setting might cause
temporary redundant paths or increase the network convergence time.
• An appropriate hello time setting enables the device to promptly detect link failures on the
network without using excessive network resources. If the hello time is too long, the device
mistakes packet loss for a link failure and triggers a new spanning tree calculation process. If
the hello time is too short, the device frequently sends the same configuration BPDUs, which
wastes device and network resources. As a best practice, use the automatically calculated
value.
• If the max age timer is too short, the device frequently begins spanning tree calculations and
might mistake network congestion as a link failure. If the max age timer is too long, the device
might fail to promptly detect link failures and quickly launch spanning tree calculations, reducing
the auto-sensing capability of the network. As a best practice, use the automatically calculated
value.

Configuration procedure
To set the spanning tree timers:

Step Command Remarks

1. Enter system view. system-view N/A
• In STP/RSTP/MSTP mode:
stp timer forward-delay time
2. Set the forward delay
timer. • In PVST mode: The default setting is 15 seconds.
stp vlan vlan-id-list timer
forward-delay time

110
 Step Command Remarks
• In STP/RSTP/MSTP mode:
stp timer hello time
3. Set the hello timer. • In PVST mode: The default setting is 2 seconds.
stp vlan vlan-id-list timer hello
time
• In STP/RSTP/MSTP mode:
stp timer max-age time
4. Set the max age timer. • In PVST mode: The default setting is 20 seconds.
stp vlan vlan-id-list timer
max-age time

Setting the timeout factor

The timeout factor is a parameter used to decide the timeout period. The formula for calculating the
timeout period is: timeout period = timeout factor × 3 × hello time.
In a stable network, each non-root-bridge device forwards configuration BPDUs to the downstream
devices at the hello time interval to detect link failures. If a device does not receive a BPDU from the
upstream device within nine times the hello time, it assumes that the upstream device has failed.
Then, it starts a new spanning tree calculation process.
As a best practice, set the timeout factor to 5, 6, or 7 in the following situations:
• To prevent undesired spanning tree calculations. An upstream device might be too busy to
forward configuration BPDUs in time, for example, many Layer 2 interfaces are configured on
the upstream device. In this case, the downstream device fails to receive a BPDU within the
timeout period and then starts an undesired spanning tree calculation.
• To save network resources on a stable network.
To set the timeout factor:

Step Command Remarks

1. Enter system view. system-view N/A
2. Set the timeout factor of the
device. stp timer-factor factor The default setting is 3.

Configuring the BPDU transmission rate

The maximum number of BPDUs a port can send within each hello time equals the BPDU
transmission rate plus the hello timer value. Configure an appropriate BPDU transmission rate based
on the physical status of the port and the network structure.
The higher the BPDU transmission rate, the more BPDUs are sent within each hello time, and the
more system resources are used. By setting an appropriate BPDU transmission rate, you can limit
the rate at which the port sends BPDUs. Setting an appropriate rate also prevents spanning tree
protocols from using excessive network resources when the network topology changes. As a best
practice, use the default setting.
To configure the BPDU transmission rate:

Step Command Remarks

1. Enter system view. system-view N/A

111
 Step Command Remarks
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Configure the BPDU

transmission rate of the stp transmit-limit limit The default setting is 10.
ports.

Configuring edge ports

If a port directly connects to a user terminal rather than another device or a shared LAN segment,
this port is regarded as an edge port. When network topology change occurs, an edge port will not
cause a temporary loop. Because a device does not determine whether a port is directly connected
to a terminal, you must manually configure the port as an edge port. After that, the port can rapidly
transit from the blocking state to the forwarding state.

Configuration restrictions and guidelines

When you configure edge ports, follow these restrictions and guidelines:
• If BPDU guard is disabled on a port configured as an edge port, the port becomes a non-edge
port again if it receives a BPDU from another port. To restore the edge port, re-enable it.
• If a port directly connects to a user terminal, configure it as an edge port and enable BPDU
guard for it. This enables the port to quickly transit to the forwarding state when ensuring
network security.
• On a port, the loop guard feature and the edge port setting are mutually exclusive.

Configuration procedure
To configure a port as an edge port:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Configure the port as an By default, all ports are

edge port. stp edged-port
non-edge ports.

Configuring path costs of ports

Path cost is a parameter related to the rate of a port. On a spanning tree device, a port can have
different path costs in different MSTIs. Setting appropriate path costs allows VLAN traffic flows to be
forwarded along different physical links, achieving VLAN-based load balancing.
You can have the device automatically calculate the default path cost, or you can configure the path
cost for ports.

112
Specifying a standard for the device to use when it calculates
the default path cost
CAUTION:
If you change the standard that the device uses to calculate the default path costs, you restore the
path costs to the default.

You can specify a standard for the device to use in automatic calculation for the default path cost.
The device supports the following standards:
• dot1d-1998—The device calculates the default path cost for ports based on IEEE 802.1d-1998.
• dot1t—The device calculates the default path cost for ports based on IEEE 802.1t.
• legacy—The device calculates the default path cost for ports based on a private standard.
When you specify a standard for the device to use when it calculates the default path cost, follow
these guidelines:
• When it calculates the path cost for an aggregate interface, IEEE 802.1t takes into account the
number of Selected ports in its aggregation group. However, IEEE 802.1d-1998 does not take
into account the number of Selected ports. The calculation formula of IEEE 802.1t is: Path cost
= 200,000,000/link speed (in 100 kbps). The link speed is the sum of the link speed values of
the Selected ports in the aggregation group.
• IEEE 802.1d-1998 or the private standard always assigns the smallest possible value to a
single port or aggregate interface with a speed exceeding 10 Gbps. The forwarding path
selected based on this criterion might not be the best one. To solve this problem, perform one of
the following tasks:
{ Use dot1t as the standard for default path cost calculation.
{ Manually set the path cost for the port (see "Configuring path costs of ports").
To specify a standard for the device to use when it calculates the default path cost:

Step Command Remarks

1. Enter system view. system-view N/A
2. Specify a standard for the
device to use when it By default, the device uses
stp pathcost-standard
calculates the default path legacy to calculate the default
{ dot1d-1998 | dot1t | legacy }
costs of its ports. path costs of its ports.

Table 12 Mappings between the link speed and the path cost

Path cost
Link speed Port type IEEE Private
IEEE 802.1t
802.1d-1998 standard
0 N/A 65535 200000000 200000
Single port 2000000 2000
Aggregate interface
containing two Selected 1000000 1800
10 Mbps ports 100
Aggregate interface
containing three Selected 666666 1600
ports

113
 Path cost
Link speed Port type IEEE Private
IEEE 802.1t
802.1d-1998 standard
Aggregate interface
containing four Selected 500000 1400
ports
Single port 200000 200
Aggregate interface
containing two Selected 100000 180
ports

100 Mbps Aggregate interface 19

containing three Selected 66666 160
ports
Aggregate interface
containing four Selected 50000 140
ports
Single port 20000 20
Aggregate interface
containing two Selected 10000 18
ports

1000 Mbps Aggregate interface 4

containing three Selected 6666 16
ports
Aggregate interface
containing four Selected 5000 14
ports
Single port 2000 2
Aggregate interface
containing two Selected 1000 1
ports

10 Gbps Aggregate interface 2

containing three Selected 666 1
ports
Aggregate interface
containing four Selected 500 1
ports
Single port 1000 1
Aggregate interface
containing two Selected 500 1
ports

20 Gbps Aggregate interface 1

containing three Selected 333 1
ports
Aggregate interface
containing four Selected 250 1
ports
Single port 500 1

40 Gbps Aggregate interface 1

containing two Selected 250 1
ports

114
 Path cost
Link speed Port type IEEE Private
IEEE 802.1t
802.1d-1998 standard
Aggregate interface
containing three Selected 166 1
ports
Aggregate interface
containing four Selected 125 1
ports
Single port 200 1
Aggregate interface
containing two Selected 100 1
ports

100 Gbps Aggregate interface 1

containing three Selected 66 1
ports
Aggregate interface
containing four Selected 50 1
ports

Configuring path costs of ports

When the path cost of a port changes, the system recalculates the role of the port and initiates a
state transition.
To configure the path cost of a port:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

• In STP/RSTP mode:
stp cost cost-value
• In PVST mode: By default, the system
3. Configure the path cost of
the ports.
stp vlan vlan-id-list cost cost-value automatically calculates
• In MSTP mode: the path cost of each port.
stp [ instance instance-list ] cost
cost-value

Configuration example
# In MSTP mode, perform the following tasks:
• Configure the device to calculate the default path costs of its ports by using IEEE 802.1d-1998.
• Set the path cost of Ten-GigabitEthernet 1/0/3 to 200 on MSTI 2.
<Sysname> system-view
[Sysname] stp pathcost-standard dot1d-1998
Cost of every port will be reset and automatically re-calculated after you change the
current pathcost standard. Continue?[Y/N]:y
Cost of every port has been re-calculated.

115
 [Sysname] interface ten-gigabitethernet 1/0/3
[Sysname-Ten-GigabitEthernet1/0/3] stp instance 2 cost 200

# In PVST mode, perform the following tasks:

• Configure the device to calculate the default path costs of its ports by using IEEE 802.1d-1998.
• Set the path cost of Ten-GigabitEthernet 1/0/3 to 2000 on VLAN 20 through VLAN 30.
<Sysname> system-view
[Sysname] stp pathcost-standard dot1d-1998
Cost of every port will be reset and automatically re-calculated after you change the
current pathcost standard. Continue?[Y/N]:y
Cost of every port has been re-calculated
[Sysname] interface ten-gigabitethernet 1/0/3
[Sysname-Ten-GigabitEthernet1/0/3] stp vlan 20 to 30 cost 2000

Configuring the port priority

The priority of a port is a factor that determines whether the port can be elected as the root port of a
device. If all other conditions are the same, the port with the highest priority is elected as the root
port.
On a spanning tree device, a port can have different priorities and play different roles in different
spanning trees. As a result, data of different VLANs can be propagated along different physical paths,
implementing per-VLAN load balancing. You can set port priority values based on the actual
networking requirements.
When the priority of a port changes, the system recalculates the port role and initiates a state
transition.
To configure the priority of a port:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type interface-number N/A
aggregate interface view.
• In STP/RSTP mode:
stp port priority priority
• In PVST mode:
3. Configure the port priority.
stp vlan vlan-id-list port priority The default setting is 128
priority for all ports.
• In MSTP mode:
stp [ instance instance-list ] port
priority priority

Configuring the port link type

A point-to-point link directly connects two devices. If two root ports or designated ports are connected
over a point-to-point link, they can rapidly transit to the forwarding state after a proposal-agreement
handshake process.

Configuration restrictions and guidelines

When you configure the port link type, follow these restrictions and guidelines:

116
 • You can configure the link type as point-to-point for a Layer 2 aggregate interface or a port that
operates in full duplex mode. As a best practice, use the default setting and let the device
automatically detect the port link type.
• In PVST or MSTP mode, the stp point-to-point force-false or stp point-to-point force-true
command configured on a port takes effect on all VLANs or all MSTIs.
• Before you set the link type of a port to point-to-point, make sure the port is connected to a
point-to-point link. Otherwise, a temporary loop might occur.

Configuration procedure
To configure the link type of a port:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

By default, the link type is auto

Configure the port link type. stp point-to-point { auto |
3. where the port automatically
force-false | force-true }
detects the link type.

Configuring the mode a port uses to recognize

and send MSTP frames
A port can receive and send MSTP frames in the following formats:
• dot1s—802.1s-compliant standard format
• legacy—Compatible format
By default, the frame format recognition mode of a port is auto. The port automatically distinguishes
the two MSTP frame formats, and determines the format of frames that it will send based on the
recognized format.
You can configure the MSTP frame format on a port. Then, the port sends only MSTP frames of the
configured format to communicate with devices that send frames of the same format.
By default, a port in auto mode sends 802.1s MSTP frames. When the port receives an MSTP frame
of a legacy format, the port starts to send frames only of the legacy format. This prevents the port
from frequently changing the format of sent frames. To configure the port to send 802.1s MSTP
frames, shut down and then bring up the port.
When the number of existing MSTIs exceeds 48, the port can send only 802.1s MSTP frames.
To configure the MSTP frame format to be supported on a port:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Configure the mode that the

port uses to recognize/send stp compliance { auto | dot1s | legacy } The default setting is auto.
MSTP frames.

117
Enabling outputting port state transition
information
In a large-scale spanning tree network, you can enable devices to output the port state transition
information. Then, you can monitor the port states in real time.
To enable outputting port state transition information:

Step Command Remarks

1. Enter system view. system-view N/A
• In STP/RSTP mode:
stp port-log instance 0
2. Enable outputting port • In PVST mode:
state transition stp port-log vlan vlan-id-list By default, this feature is
information. enabled.
• In MSTP mode:
stp port-log { all | instance
instance-list }

Enabling the spanning tree feature

You must enable the spanning tree feature for the device before any other spanning tree related
configurations can take effect. In STP, RSTP, or MSTP mode, make sure the spanning tree feature is
enabled globally and on the desired ports. In PVST mode, make sure the spanning tree feature is
enabled globally, in the desired VLANs, and on the desired ports.
To exclude specific ports from spanning tree calculation and save CPU resources, disable the
spanning tree feature for these ports with the undo stp enable command. Make sure no loops occur
in the network after you disable the spanning tree feature on these ports.

Enabling the spanning tree feature in STP/RSTP/MSTP

mode
Step Command Remarks
1. Enter system view. system-view N/A
When the device starts up with
initial settings, the spanning tree
feature is globally disabled.
When the device starts up with
2. Enable the spanning tree factory defaults, the spanning tree
feature. stp global enable
feature is globally enabled.
For more informaiton about the
initial settings and factory
defaults, see Fundamentals
Configuration Guide.
3. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

4. (Optional.) Enable the

spanning tree feature for the By default, the spanning tree
stp enable
port. feature is enabled on all ports.

118
Enabling the spanning tree feature in PVST mode
Step Command Remarks
1. Enter system view. system-view N/A
When the device starts up with
initial settings, the spanning tree
feature is globally disabled.
When the device starts up with
2. Enable the spanning tree factory defaults, the spanning tree
feature. stp global enable
feature is globally enabled.
For more informaiton about the
initial settings and factory
defaults, see Fundamentals
Configuration Guide.
3. Enable the spanning tree By default, the spanning tree
feature in VLANs. stp vlan vlan-id-list enable
feature is enabled in VLANs.
4. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

5. Enable the spanning tree By default, the spanning tree

feature on the port. stp enable
feature is enabled on all ports.

Performing mCheck
The mCheck feature enables user intervention in the port status transition process.
When a port on an MSTP, RSTP, or PVST device connects to an STP device and receives STP
BPDUs, the port automatically transits to the STP mode. However, the port cannot automatically
transit back to the original mode when the following conditions exist:
• The peer STP device is shut down or removed.
• The port cannot detect the change.
To forcibly transit the port to operate in the original mode, you can perform an mCheck operation.
For example, Device A, Device B, and Device C are connected in sequence. Device A runs STP,
Device B does not run any spanning tree protocol, and Device C runs RSTP, PVST, or MSTP. In this
case, when Device C receives an STP BPDU transparently transmitted by Device B, the receiving
port transits to the STP mode. If you configure Device B to run RSTP, PVST, or MSTP with Device C,
you must perform mCheck operations on the ports interconnecting Device B and Device C.

Configuration restrictions and guidelines

The mCheck operation takes effect on devices operating in MSTP, PVST, or RSTP mode.

Performing mCheck globally

Step Command
1. Enter system view. system-view
2. Perform mCheck. stp global mcheck

119
Performing mCheck in interface view
Step Command
1. Enter system view. system-view
2. Enter Layer 2 Ethernet interface or Layer 2
aggregate interface view. interface interface-type interface-number

3. Perform mCheck. stp mcheck

Disabling inconsistent PVID protection

In PVST, if two connected ports use different PVIDs, PVST calculation errors might occur. By default,
inconsistent PVID protection is enabled to avoid PVST calculation errors. If PVID inconsistency is
detected on a port, the system blocks the port.
If different PVIDs are required on two connected ports, disable inconsistent PVID protection on the
devices that host the ports. To avoid PVST calculation errors, make sure the following requirements
are met:
• Make sure the VLANs on one device do not use the same ID as the PVID of its peer port (except
the default VLAN) on another device.
• If the local port or its peer is a hybrid port, do not configure the local and peer ports as untagged
members of the same VLAN.
• Disable inconsistent PVID protection on both the local device and the peer device.
This feature takes effect only when the device is operating in PVST mode.
To disable the inconsistent PVID protection feature:

Step Command Remarks

1. Enter system view. system-view N/A
2. Disable the inconsistent By default, the inconsistent PVID
PVID protection feature. stp ignore-pvid-inconsistency
protection feature is enabled.

Configuring Digest Snooping

CAUTION:
Use caution with global Digest Snooping in the following situations:
• When you modify the VLAN-to-instance mappings.
• When you restore the default MST region configuration.
If the local device has different VLAN-to-instance mappings than its neighboring devices, loops or
traffic interruption will occur.

As defined in IEEE 802.1s, connected devices are in the same region only when they have the same
MST region-related configurations, including:
• Region name.
• Revision level.
• VLAN-to-instance mappings.

120
 A spanning tree device identifies devices in the same MST region by determining the configuration
ID in BPDUs. The configuration ID includes the region name, revision level, and configuration digest.
It is 16-byte long and is the result calculated through the HMAC-MD5 algorithm based on
VLAN-to-instance mappings.
Because spanning tree implementations vary by vendor, the configuration digests calculated through
private keys are different. The devices of different vendors in the same MST region cannot
communicate with each other.
To enable communication between an HPE device and a third-party device in the same MST region,
enable Digest Snooping on the HPE device port connecting them.

Configuration restrictions and guidelines

When you configure Digest Snooping, follow these restrictions and guidelines:
• Before you enable Digest Snooping, make sure associated devices of different vendors are
connected and run spanning tree protocols.
• With Digest Snooping enabled, in-the-same-region verification does not require comparison of
configuration digest. The VLAN-to-instance mappings must be the same on associated ports.
• To make Digest Snooping take effect, you must enable Digest Snooping both globally and on
associated ports. As a best practice, enable Digest Snooping on all associated ports first and
then enable it globally. This will make the configuration take effect on all configured ports and
reduce impact on the network.
• To prevent loops, do not enable Digest Snooping on MST region edge ports.
• As a best practice, enable Digest Snooping first and then enable the spanning tree feature. To
avoid traffic interruption, do not configure Digest Snooping when the network is already working
well.

Configuration procedure
Use this feature on when your HPE device is connected to a third-party device that uses its private
key to calculate the configuration digest.
To configure Digest Snooping:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Enable Digest Snooping on By default, Digest Snooping is

the interface. stp config-digest-snooping
disabled on ports.
4. Return to system view. quit N/A
5. Enable Digest Snooping stp global By default, Digest Snooping is
globally. config-digest-snooping disabled globally.

Digest Snooping configuration example

Network requirements
As shown in Figure 37, Device A and Device B connect to Device C, which is a third-party device. All
these devices are in the same region.

121
 Enable Digest Snooping on the ports of Device A and Device B that connect to Device C, so that the
three devices can communicate with one another.
Figure 37 Network diagram

MST region Device C

Root bridge

XGE1/0/1 XGE1/0/2 Root port

Designated port

Blocked port

Normal link

XGE1/0/1 XGE1/0/1
Blocked link
XGE1/0/2 XGE1/0/2

Device A Device B

Configuration procedure
# Enable Digest Snooping on Ten-GigabitEthernet 1/0/1 of Device A and enable global Digest
Snooping on Device A.
<DeviceA> system-view
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] stp config-digest-snooping
[DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] stp global config-digest-snooping

# Enable Digest Snooping on Ten-GigabitEthernet 1/0/1 of Device B and enable global Digest
Snooping on Device B.
<DeviceB> system-view
[DeviceB] interface ten-gigabitethernet 1/0/1
[DeviceB-Ten-GigabitEthernet1/0/1] stp config-digest-snooping
[DeviceB-Ten-GigabitEthernet1/0/1] quit
[DeviceB] stp global config-digest-snooping

Configuring No Agreement Check

In RSTP and MSTP, the following types of messages are used for rapid state transition on
designated ports:
• Proposal—Sent by designated ports to request rapid transition
• Agreement—Used to acknowledge rapid transition requests
Both RSTP and MSTP devices can perform rapid transition on a designated port only when the port
receives an agreement packet from the downstream device. RSTP and MSTP devices have the
following differences:
• For MSTP, the root port of the downstream device sends an agreement packet only after it
receives an agreement packet from the upstream device.
• For RSTP, the downstream device sends an agreement packet whether or not an agreement
packet from the upstream device is received.

122
 Figure 38 Rapid state transition of an MSTP designated port
Upstream device Downstream device

(1) Proposal for rapid transition The root port blocks non-edge
ports.

The root port changes to the

(2) Agreement forwarding state and sends an
Agreement to the upstream
device.

The designated port (3) Agreement

changes to the
forwarding state.

Root port Designated port

Figure 39 Rapid state transition of an RSTP designated port

Upstream device Downstream device

The root port blocks non-edge

(1) Proposal for rapid transition ports, changes to the forwarding
state, and sends an Agreement to
the upstream device.

The designated (2) Agreement

port changes to the
forwarding state.

Root port Designated port

If the upstream device is a third-party device, the rapid state transition implementation might be
limited as follows:
• The upstream device uses a rapid transition mechanism similar to that of RSTP.
• The downstream device runs MSTP and does not operate in RSTP mode.
In this case, the following occurs:
1. The root port on the downstream device receives no agreement from the upstream device.
2. It sends no agreement to the upstream device.
As a result, the designated port of the upstream device can transit to the forwarding state only after a
period twice the Forward Delay.
To enable the designated port of the upstream device to transit its state rapidly, enable No
Agreement Check on the downstream device's port.

Configuration prerequisites
Before you configure the No Agreement Check feature, complete the following tasks:
• Connect a device to a third-party upstream device that supports spanning tree protocols
through a point-to-point link.
• Configure the same region name, revision level, and VLAN-to-instance mappings on the two
devices.

123
Configuration procedure
Enable the No Agreement Check feature on the root port.
To configure No Agreement Check:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type interface-number N/A
aggregate interface view.
3. Enable No Agreement By default, No Agreement
Check. stp no-agreement-check
Check is disabled.

No Agreement Check configuration example

Network requirements
As shown in Figure 40, Device A connects to a third-party device that has a different spanning tree
implementation. Both devices are in the same region.
The third-party device (Device B) is the regional root bridge, and Device A is the downstream device.
Figure 40 Network diagram

Configuration procedure
# Enable No Agreement Check on Ten-GigabitEthernet 1/0/1 of Device A.
<DeviceA> system-view
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] stp no-agreement-check

Configuring TC Snooping
As shown in Figure 41, an IRF fabric connects to two user networks through double links.
• Device A and Device B form the IRF fabric.
• The spanning tree feature is disabled on Device A and Device B and enabled on all devices in
user network 1 and user network 2.
• The IRF fabric transparently transmits BPDUs for both user networks and is not involved in the
calculation of spanning trees.
When the network topology changes, it takes time for the IRF fabric to update its MAC address table
and ARP table. During this period, traffic in the network might be interrupted.

124
 Figure 41 TC Snooping application scenario

To avoid traffic interruption, you can enable TC Snooping on the IRF fabric. After receiving a
TC-BPDU through a port, the IRF fabric updates MAC address table and ARP table entries
associated with the port's VLAN. In this way, TC Snooping prevents topology change from
interrupting traffic forwarding in the network. For more information about the MAC address table and
the ARP table, see "Configuring the MAC address table" and Layer 3—IP Services Configuration
Guide.

Configuration restrictions and guidelines

When you configure TC Snooping, follow these restrictions and guidelines:
• TC Snooping and the spanning tree feature are mutually exclusive. You must globally disable
the spanning tree feature before enabling TC Snooping.
• TC Snooping does not support the PVST mode.

Configuration procedure
To enable TC Snooping:

Step Command Remarks

1. Enter system view. system-view N/A
When the device starts up with
initial settings, the spanning tree
feature is globally disabled.
When the device starts up with
2. Globally disable the spanning factory defaults, the spanning
tree feature. undo stp global enable
tree feature is globally enabled.
For more informaiton about the
initial settings and factory
defaults, see Fundamentals
Configuration Guide.

3. Enable TC Snooping. By default, TC Snooping is

stp tc-snooping
disabled.

125
Configuring protection features
A spanning tree device supports the following protection features:
• BPDU guard
• Root guard
• Loop guard
• Port role restriction
• TC-BPDU transmission restriction
• TC-BPDU guard
• BPDU drop
• PVST BPDU guard
• Dispute gurad

Configuring BPDU guard

For access layer devices, the access ports can directly connect to the user terminals (such as PCs)
or file servers. The access ports are configured as edge ports to allow rapid transition. When these
ports receive configuration BPDUs, the system automatically sets the ports as non-edge ports and
starts a new spanning tree calculation process. This causes a change of network topology. Under
normal conditions, these ports should not receive configuration BPDUs. However, if someone uses
configuration BPDUs maliciously to attack the devices, the network will become unstable.
The spanning tree protocol provides the BPDU guard feature to protect the system against such
attacks. When edge ports receive configuration BPDUs on a device with BPDU guard enabled, the
device performs the following operations:
• Shuts down these ports.
• Notifies the NMS that these ports have been shut down by the spanning tree protocol.
The device reactivates the shutdown ports after a detection interval. For more information about this
detection interval, see Fundamentals Configuration Guide.
You can configure the BPDU guard feature globally or on a per-edge port basis.
BPDU guard does not take effect on loopback-testing-enabled ports. For more information about
loopback testing, see Interface Configuration Guide.
Enabling BPDU guard globally
The global BPDU guard setting takes effect on all edge ports that are not configured by using the stp
port bpdu-protection command.
To enable BPDU guard globally:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enable BPDU guard globally. By default, BPDU guard is globally

stp bpdu-protection
disabled.

Configuring BPDU guard on an interface

An edge port preferentially uses the port-specific BPDU guard setting. If the port-specific BPDU
guard setting is not available, the edge port uses the global BPDU guard setting.
To configure BPDU guard on an interface:

126
 Step Command Remarks
1. Enter system view. system-view N/A

2. Enter Layer 2 Ethernet The specified interface must

interface or Layer 2 interface interface-type connect to a user terminal rather
aggregate interface view. interface-number than other device or shared LAN
segment.
By default, BPDU guard is not
configured on a per-edge port
Configure BPDU guard. stp port bpdu-protection
3. basis. The status of BPDU guard on
{ enable | disable }
an interface is the same as the
global BPDU status.

Enabling root guard

The root bridge and secondary root bridge of a spanning tree should be located in the same MST
region. Especially for the CIST, the root bridge and secondary root bridge are put in a high-bandwidth
core region during network design. However, due to possible configuration errors or malicious
attacks in the network, the legal root bridge might receive a configuration BPDU with a higher priority.
Another device supersedes the current legal root bridge, causing an undesired change of the
network topology. The traffic that should go over high-speed links is switched to low-speed links,
resulting in network congestion.
To prevent this situation, MSTP provides the root guard feature. If root guard is enabled on a port of
a root bridge, this port plays the role of designated port on all MSTIs. After this port receives a
configuration BPDU with a higher priority from an MSTI, it performs the following operations:
• Immediately sets that port to the listening state in the MSTI.
• Does not forward the received configuration BPDU.
This is equivalent to disconnecting the link connected to this port in the MSTI. If the port receives no
BPDUs with a higher priority within twice the forwarding delay, it reverts to its original state.
On a port, the loop guard feature and the root guard feature are mutually exclusive.
Configure root guard on a designated port.
To enable root guard:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface or Layer interface interface-type
2 aggregate interface view. N/A
interface-number

3. Enable the root guard feature. By default, root guard is

stp root-protection
disabled.

Enabling loop guard

By continuing to receive BPDUs from the upstream device, a device can maintain the state of the
root port and blocked ports. However, link congestion or unidirectional link failures might cause these
ports to fail to receive BPDUs from the upstream devices. In this situation, the device reselects the
following port roles:
• Those ports in forwarding state that failed to receive upstream BPDUs become designated
ports.
• The blocked ports transit to the forwarding state.

127
 As a result, loops occur in the switched network. The loop guard feature can suppress the
occurrence of such loops.
The initial state of a loop guard-enabled port is discarding in every MSTI. When the port receives
BPDUs, it transits its state. Otherwise, it stays in the discarding state to prevent temporary loops.
Do not enable loop guard on a port that connects user terminals. Otherwise, the port stays in the
discarding state in all MSTIs because it cannot receive BPDUs.
On a port, the loop guard feature is mutually exclusive with the root guard feature or the edge port
setting.
Configure loop guard on the root port and alternate ports of a device.
To enable loop guard:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface or interface interface-type
Layer 2 aggregate interface view. N/A
interface-number
3. Enable the loop guard feature for the By default, loop guard is
ports. stp loop-protection
disabled.

Configuring port role restriction

CAUTION:
Use this feature with caution, because enabling port role restriction on a port might affect the
connectivity of the spanning tree topology.

The bridge ID change of a device in the user access network might cause a change to the spanning
tree topology in the core network. To avoid this problem, you can enable port role restriction on a port.
With this feature enabled, when the port receives a superior BPDU, it becomes an alternate port
rather than a root port.
Make this configuration on the port that connects to the user access network.
To configure port role restriction:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Enable port role restriction. By default, port role restriction is

stp role-restriction
disabled.

Configuring TC-BPDU transmission restriction

CAUTION:
Enabling TC-BPDU transmission restriction on a port might cause the previous forwarding address
table to fail to be updated when the topology changes.

The topology change to the user access network might cause the forwarding address changes to the
core network. When the user access network topology is unstable, the user access network might

128
 affect the core network. To avoid this problem, you can enable TC-BPDU transmission restriction on
a port. With this feature enabled, when the port receives a TC-BPDU, it does not forward the
TC-BPDU to other ports.
Make this configuration on the port that connects to the user access network.
To configure TC-BPDU transmission restriction:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Enable TC-BPDU By default, TC-BPDU

transmission restriction. stp tc-restriction transmission restriction is
disabled.

Enabling TC-BPDU guard

When a device receives topology change (TC) BPDUs (the BPDUs that notify devices of topology
changes), it flushes its forwarding address entries. If someone uses TC-BPDUs to attack the device,
the device will receive a large number of TC-BPDUs within a short time. Then, the device is busy with
forwarding address entry flushing. This affects network stability.
TC-BPDU guard allows you to set the maximum number of immediate forwarding address entry
flushes performed within 10 seconds after the device receives the first TC-BPDU. For TC-BPDUs
received in excess of the limit, the device performs a forwarding address entry flush when the time
period expires. This prevents frequent flushing of forwarding address entries. As a best practice,
enable TC-BPDU guard.
To enable TC-BPDU guard:

Step Command Remarks

1. Enter system view. system-view N/A
By default, TC-BPDU guard
is enabled.
2. Enable the TC-BPDU guard feature. stp tc-protection
As a best practice, do not
disable this feature.
3. (Optional.) Configure the maximum
number of forwarding address entry stp tc-protection threshold
flushes that the device can perform The default setting is 6.
number
every 10 seconds.

Enabling BPDU drop

In a spanning tree network, every BPDU arriving at the device triggers an STP calculation process
and is then forwarded to other devices in the network. Malicious attackers might use the vulnerability
to attack the network by forging BPDUs. By continuously sending forged BPDUs, they can make all
devices in the network continue performing STP calculations. As a result, problems such as CPU
overload and BPDU protocol status errors occur.
To avoid this problem, you can enable BPDU drop on ports. A BPDU drop-enabled port does not
receive any BPDUs and is invulnerable to forged BPDU attacks.
To enable BPDU drop on an Ethernet interface:

129
 Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
3. Enable BPDU drop on the By default, BPDU drop is
interface. bpdu-drop any
disabled.

Enabling PVST BPDU guard

An MSTP-enabled device forwards PVST BPDUs as data traffic because it cannot recognize PVST
BPDUs. If a PVST-enabled device in another independent network receives the PVST BPDUs, a
PVST calculation error might occur. To avoid PVST calculation errors, enable PVST BPDU guard on
the MSTP-enabled device. The device shuts down a port if the port receives PVST BPDUs.
To enable PVST BPDU guard:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enable PVST BPDU guard. By default, PVST BPDU guard is

stp pvst-bpdu-protection
disabled.

About dispute guard

Dispute guard is enabled by default. You do not need to manually configure this feature.
Dispute guard can be triggered by unidirectional link failures. If an upstream port receives inferior
BPDUs from a downstream designated port in forwarding or learning state because of a
unidirectional link failure, a loop appears. Dispute guard blocks the upstream designated port to
prevent the loop.
As shown in Figure 42, in normal conditions, the spanning tree calculation result is as follows:
• Device A is the root bridge, and Port A1 is a designated port.
• Port B1 is blocked.
When the link between Port A1 and Port B1 fails in the direction of Port A1 to Port B1 and becomes
unidirectional, the following events occur:
1. Port A1 can only receive BPDUs and cannot send BPDUs to Port B1.
2. Port B1 does not receive BPDUs from Port A1 for a certain period of time.
3. Device B determines itself as the root bridge.
4. Port B1 sends its BPDUs to Port A1.
5. Port A1 determines the received BPDUs are inferior to its own BPDUs. A dispute is detected.
6. Dispute guard is triggered and blocks Port A1 to prevent a loop.

130
 Figure 42 Dispute guard triggering scenario

Normal condition Unidirectional link Dispute guard is

occurs triggered
Device A Device A Device A

Root Root Root

Port A1 Port A2 Port A1 Port A2 Port A1 Port A2

Port B1 Port B2 Port B1 Port B2 Port B1 Port B2

Device B Device B Device B

Root port Normal link

Designated port Blocked link

Blocked port Unidirectional link

Enabling the device to log events of detecting or

receiving TC BPDUs
This feature allows the device to generate logs when it detects or receives TC BPDUs. This feature
applies only to PVST mode.
To enable the device to log events of detecting or receiving TC BPDUs:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable the device to log By default, the device does not
events of receiving or stp log enable tc generate logs when it detects or
detecting TC BPDUs. receives TC BPDUs.

Enabling BPDU transparent transmission on a

port
Perform this task to enable a port to transmit BPDUs transparently. Whether the spanning tree
protocols are enabled on a port does not affect the BPDU transparent transmission feature.
If this feature and the spanning tree protocol are enabled on a port which is inferior to its downstream
port, the downstream port can receive BPDUs from that port. To prevent network flapping caused by
this problem, disable the spanning tree protocol before you enable BPDU transparent transmission
on the port.
To enable BPDU transparent transmission on a port:

131
 Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Enable BPDU transparent By default, the BPDU

transmission. stp transparent enable transparent transmission feature
is disabled on a port.

Enabling SNMP notifications for new-root election

and topology change events
This task enables the device to generate logs and report new-root election events or spanning tree
topology changes to SNMP. For the event notifications to be sent correctly, you must also configure
SNMP on the device. For more information about SNMP configuration, see the network
management and monitoring configuration guide for the device.
When you use the snmp-agent trap enable stp [ new-root | tc ] command, follow these guidelines:
• The new-root keyword applies only to STP, MSTP, and RSTP modes.
• The tc keyword applies only to PVST mode.
• In STP, MSTP, or RSTP mode, the snmp-agent trap enable stp command enables SNMP
notifications for new-root election events.
• In PVST mode, the snmp-agent trap enable stp enables SNMP notifications for spanning tree
topology changes.
To enable SNMP notifications for new-root election and topology change events:

Step Command Remarks

1. Enter system view. system-view N/A
In STP, MSTP, or RSTP mode, The default settings are as
execute either of the following follows:
commands: • SNMP notifications are
2. Enable SNMP notifications
for new-root election events. • snmp-agent trap enable disabled for new-root
stp new-root election events.
• snmp-agent trap enable • In MSTP mode, SNMP
stp notifications are enabled in
MSTI 0 and disabled in other
In PVST mode, execute either of MSTIs for spanning tree
the following commands: topology changes.
3. Enable SNMP notifications
for spanning tree topology • snmp-agent trap enable • In PVST mode, SNMP
changes. stp tc notifications are disabled for
• snmp-agent trap enable spanning tree topology
stp changes in all VLANs.

Displaying and maintaining the spanning tree

Execute display commands in any view and reset command in user view.

132
 Task Command
Display history about ports blocked by spanning tree
display stp abnormal-port
protection features.
display stp bpdu-statistics [ interface
Display BPDU statistics on ports. interface-type interface-number [ instance
instance-list ] ]
Display information about ports shut down by spanning
display stp down-port
tree protection features.
Display the port role calculation history for the specified display stp [ instance instance-list | vlan
MSTI or all MSTIs. vlan-id-list ] history [ slot slot-number ]
Display the incoming and outgoing TC/TCN BPDU display stp [ instance instance-list | vlan
statistics by all ports in the specified MSTI or all MSTIs. vlan-id-list ] tc [ slot slot-number ]
display stp [ instance instance-list | vlan
Display the spanning tree status and statistics. vlan-id-list ] [ interface interface-list | slot
slot-number ] [ brief ]
Display the MST region configuration information that
display stp region-configuration
has taken effect.
Display the root bridge information of all MSTIs. display stp root
Clear the spanning tree statistics. reset stp [ interface interface-list ]

Spanning tree configuration example

MSTP configuration example
Network requirements
As shown in Figure 43, all devices on the network are in the same MST region. Device A and Device
B work at the distribution layer. Device C and Device D work at the access layer.
Configure MSTP so that frames of different VLANs are forwarded along different spanning trees.
• VLAN 10 frames are forwarded along MSTI 1.
• VLAN 30 frames are forwarded along MSTI 3.
• VLAN 40 frames are forwarded along MSTI 4.
• VLAN 20 frames are forwarded along MSTI 0.
VLAN 10 and VLAN 30 are terminated on the distribution layer devices, and VLAN 40 is terminated
on the access layer devices. The root bridges of MSTI 1 and MSTI 3 are Device A and Device B,
respectively, and the root bridge of MSTI 4 is Device C.

133
 Figure 43 Network diagram

XG
/0/

E1
E1

/0/
XG

XG
1
/0/

E1
E1

/0/
XG

1
Configuration procedure
1. Configure VLANs and VLAN member ports. (Details not shown.)
{ Create VLAN 10, VLAN 20, and VLAN 30 on both Device A and Device B.
{ Create VLAN 10, VLAN 20, and VLAN 40 on Device C.
{ Create VLAN 20, VLAN 30, and VLAN 40 on Device D.
{ Configure the ports on these devices as trunk ports and assign them to related VLANs.
2. Configure Device A:
# Enter MST region view, and configure the MST region name as example.
<DeviceA> system-view
[DeviceA] stp region-configuration
[DeviceA-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceA-mst-region] instance 1 vlan 10
[DeviceA-mst-region] instance 3 vlan 30
[DeviceA-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceA-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceA-mst-region] active region-configuration
[DeviceA-mst-region] quit
# Configure the Device A as the root bridge of MSTI 1.
[DeviceA] stp instance 1 root primary
# Enable the spanning tree feature globally.
[DeviceA] stp global enable
3. Configure Device B:
# Enter MST region view, and configure the MST region name as example.
<DeviceB> system-view
[DeviceB] stp region-configuration
[DeviceB-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.

134
 [DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 3 vlan 30
[DeviceB-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceB-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# Configure Device B as the root bridge of MSTI 3.
[DeviceB] stp instance 3 root primary
# Enable the spanning tree feature globally.
[DeviceB] stp global enable
4. Configure Device C:
# Enter MST region view, and configure the MST region name as example.
<DeviceC> system-view
[DeviceC] stp region-configuration
[DeviceC-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceC-mst-region] instance 1 vlan 10
[DeviceC-mst-region] instance 3 vlan 30
[DeviceC-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceC-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceC-mst-region] active region-configuration
[DeviceC-mst-region] quit
# Configure the Device C as the root bridge of MSTI 4.
[DeviceC] stp instance 4 root primary
# Enable the spanning tree feature globally.
[DeviceC] stp global enable
5. Configure Device D:
# Enter MST region view, and configure the MST region name as example.
<DeviceD> system-view
[DeviceD] stp region-configuration
[DeviceD-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceD-mst-region] instance 1 vlan 10
[DeviceD-mst-region] instance 3 vlan 30
[DeviceD-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceD-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# Enable the spanning tree feature globally.
[DeviceD] stp global enable

135
Verifying the configuration
In this example, Device B has the lowest root bridge ID. As a result, Device B is elected as the root
bridge in MSTI 0.
When the network is stable, you can use the display stp brief command to display brief spanning
tree information on each device.
# Display brief spanning tree information on Device A.
[DeviceA] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 ALTE DISCARDING NONE
0 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE
1 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
3 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
3 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE

# Display brief spanning tree information on Device B.

[DeviceB] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE
3 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
3 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device C.

[DeviceC] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
0 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
0 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
1 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
1 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
4 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device D.

[DeviceD] display stp brief
MST ID Port Role STP State Protection
0 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
0 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
0 Ten-GigabitEthernet1/0/3 ALTE DISCARDING NONE
3 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
3 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
4 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE

Based on the output, you can draw each MSTI mapped to each VLAN, as shown in Figure 44.

136
 Figure 44 MSTIs mapped to different VLANs

A B A B

C C D

MSTI 1 mapped to VLAN 10 MSTI 0 mapped to VLAN 20

A B

D C D

MSTI 3 mapped to VLAN 30 MSTI 4 mapped to VLAN 40

Root bridge Normal link Blocked link

PVST configuration example

Network requirements
As shown in Figure 45, Device A and Device B work at the distribution layer, and Device C and
Device D work at the access layer.
Configure PVST to meet the following requirements:
• Frames of a VLAN are forwarded along the spanning trees of the VLAN.
• VLAN 10, VLAN 20, and VLAN 30 are terminated on the distribution layer devices, and VLAN
40 is terminated on the access layer devices.
• The root bridge of VLAN 10 and VLAN 20 is Device A.
• The root bridge of VLAN 30 is Device B.
• The root bridge of VLAN 40 is Device C.

137
 Figure 45 Network diagram

XG
/0/

E1
E1

/0/
XG

XG
1
/0/

E1
E1

/0/
XG

1
Configuration procedure
1. Configure VLANs and VLAN member ports. (Details not shown.)
{ Create VLAN 10, VLAN 20, and VLAN 30 on both Device A and Device B.
{ Create VLAN 10, VLAN 20, and VLAN 40 on Device C.
{ Create VLAN 20, VLAN 30, and VLAN 40 on Device D.
{ Configure the ports on these devices as trunk ports and assign them to related VLANs.
2. Configure Device A:
# Set the spanning tree mode to PVST.
<DeviceA> system-view
[DeviceA] stp mode pvst
# Configure the device as the root bridge of VLAN 10 and VLAN 20.
[DeviceA] stp vlan 10 20 root primary
# Enable the spanning tree feature globally and in VLAN 10, VLAN 20, and VLAN 30.
[DeviceA] stp global enable
[DeviceA] stp vlan 10 20 30 enable
3. Configure Device B:
# Set the spanning tree mode to PVST.
<DeviceB> system-view
[DeviceB] stp mode pvst
# Configure the device as the root bridge of VLAN 30.
[DeviceB] stp vlan 30 root primary
# Enable the spanning tree feature globally and in VLAN 10, VLAN 20, and VLAN 30.
[DeviceB] stp global enable
[DeviceB] stp vlan 10 20 30 enable
4. Configure Device C:
# Set the spanning tree mode to PVST.
<DeviceC> system-view
[DeviceC] stp mode pvst
# Configure the device as the root bridge of VLAN 40.
[DeviceC] stp vlan 40 root primary
# Enable the spanning tree feature globally and in VLAN 10, VLAN 20, and VLAN 40.
[DeviceC] stp global enable

138
 [DeviceC] stp vlan 10 20 40 enable
5. Configure Device D:
# Set the spanning tree mode to PVST.
<DeviceD> system-view
[DeviceD] stp mode pvst
# Enable the spanning tree feature globally and in VLAN 20, VLAN 30, and VLAN 40.
[DeviceD] stp global enable
[DeviceD] stp vlan 20 30 40 enable

Verifying the configuration

When the network is stable, you can use the display stp brief command to display brief spanning
tree information on each device.
# Display brief spanning tree information on Device A.
[DeviceA] display stp brief
VLAN ID Port Role STP State Protection
10 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
10 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
20 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
20 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
20 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
30 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
30 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE

# Display brief spanning tree information on Device B.

[DeviceB] display stp brief
VLAN ID Port Role STP State Protection
10 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
10 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
20 Ten-GigabitEthernet1/0/2 DESI FORWARDING NONE
20 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE
30 Ten-GigabitEthernet1/0/1 DESI FORWARDING NONE
30 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device C.

[DeviceC] display stp brief
VLAN ID Port Role STP State Protection
10 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
10 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE
20 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE
40 Ten-GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device D.

[DeviceD] display stp brief
VLAN ID Port Role STP State Protection
20 Ten-GigabitEthernet1/0/1 ALTE DISCARDING NONE
20 Ten-GigabitEthernet1/0/2 ROOT FORWARDING NONE
20 Ten-GigabitEthernet1/0/3 ALTE DISCARDING NONE
30 Ten-GigabitEthernet1/0/1 ROOT FORWARDING NONE

139
 30 Ten-GigabitEthernet1/0/2 ALTE DISCARDING NONE
40 Ten-GigabitEthernet1/0/3 ROOT FORWARDING NONE

Based on the output, you can draw a topology for each VLAN spanning tree, as shown in Figure 46.
Figure 46 VLAN spanning tree topologies

140
Configuring loop detection
Overview
Incorrect network connections or configurations can create Layer 2 loops, which results in repeated
transmission of broadcasts, multicasts, or unknown unicasts. The repeated transmissions can waste
network resources and can paralyze networks. The loop detection mechanism immediately
generates a log when a loop occurs so that you are promptly notified to adjust network connections
and configurations. You can configure loop detection to shut down the looped port. Logs are
maintained in the information center. For more information, see Network Management and
Monitoring Configuration Guide.

Loop detection mechanism

The device detects loops by sending detection frames and then checking whether these frames
return to any port on the device. If they do, the device considers that the port is on a looped link.
Loop detection usually works within a VLAN. If a detection frame is returned with a different VLAN
tag than it was sent out with, an inter-VLAN loop has occurred. To remove the loop, examine the
QinQ or VLAN mapping configuration for incorrect settings. For more information about QinQ and
VLAN mapping, see "Configuring QinQ" and "Configuring VLAN mapping."
Figure 47 Ethernet frame header for loop detection

The Ethernet frame header for loop detection contains the following fields:
• DMAC—Destination MAC address of the frame, which is the multicast MAC address
010f-e200-0007. When a loop detection-enabled device receives a frame with this destination
MAC address, it performs the following operations:
{ Sends the frame to the CPU.
{ Floods the frame in the VLAN from which the frame was originally received.
• SMAC—Source MAC address of the frame, which is the bridge MAC address of the sending
device.
• TPID—Type of the VLAN tag, with the value of 0x8100.
• TCI—Information of the VLAN tag, including the priority and VLAN ID.
• Type—Protocol type, with the value of 0x8918.
Figure 48 Inner frame header for loop detection

141
 The inner frame header for loop detection contains the following fields:
• Code—Protocol sub-type, which is 0x0001, indicating the loop detection protocol.
• Version—Protocol version, which is always 0x0000.
• Length—Length of the frame. The value includes the inner header, but excludes the Ethernet
header.
• Reserved—This field is reserved.
Frames for loop detection are encapsulated as TLV triplets.
Table 13 TLVs supported by loop detection

TLV Description Remarks

End of PDU End of a PDU. Optional.
Device ID Bridge MAC address of the sending device. Required.
Port ID ID of the PDU sending port. Optional.
Port Name Name of the PDU sending port. Optional.
System Name Device name. Optional.
Chassis ID Chassis ID of the sending port. Optional.
Slot ID Slot ID of the sending port. Optional.
Sub Slot ID Sub-slot ID of the sending port. Optional.

Loop detection interval

Loop detection is a continuous process as the network changes. Loop detection frames are sent at
the loop detection interval to determine whether loops occur on ports and whether loops are
removed.

Loop protection actions

When the device detects a loop on a port, it generates a log but performs no action on the port by
default. You can configure the device to take one of the following actions:
• Block—Disables the port from learning MAC addresses and blocks the port.
• No-learning—Disables the port from learning MAC addresses.
• Shutdown—Shuts down the port to disable it from receiving and sending any frames.

Port status auto recovery

When the device configured with the block or no-learning loop action detects a loop on a port, it
performs the action and waits three loop detection intervals. If the device does not receive a loop
detection frame within three loop detection intervals, it performs the following operations:
• Automatically sets the port to the forwarding state.
• Notifies the user of the event.
When the device configured with the shutdown action detects a loop on a port, the following events
occur:
1. The device automatically shuts down the port.

142
 2. The device automatically sets the port to the forwarding state after the detection timer set by
using the shutdown-interval command expires. For more information about the
shutdown-interval command, see Fundamentals Command Reference.
3. The device shuts down the port again if a loop is still detected on the port when the detection
timer expires.
This process is repeated until the loop is removed.

NOTE:
Incorrect recovery can occur when loop detection frames are discarded to reduce the load. To avoid
this, use the shutdown action, or manually remove the loop.

Loop detection configuration task list

Tasks at a glance
(Required.) Enabling loop detection
(Optional.) Setting the loop protection action
(Optional.) Setting the loop detection interval

Enabling loop detection

You can enable loop detection globally or on a per-port basis. The global configuration applies to all
ports in the specified VLANs. The per-port configuration applies to the individual port only when the
port belongs to the specified VLANs. Per-port configurations take precedence over global
configurations.

Enabling loop detection globally

Step Command Remarks
1. Enter system view. system-view N/A
2. Globally enable loop loopback-detection global
detection. Disabled by default.
enable vlan { vlan-id--list | all }

Enabling loop detection on a port

Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Enable loop detection on the loopback-detection enable vlan

port. Disabled by default.
{ vlan-id--list | all }

143
Setting the loop protection action
You can set the loop protection action globally or on a per-port basis. The global setting applies to all
ports. The per-port setting applies to the individual ports. The per-port setting takes precedence over
the global setting.

Setting the global loop protection action

Step Command Remarks
1. Enter system view. system-view N/A

2. Set the global loop protection By default, the device generates a

loopback-detection global
action. log but performs no action on the
action shutdown
port on which a loop is detected.

Setting the loop protection action on a Layer 2 Ethernet

interface
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
By default, the device
3. Set the loop protection action loopback-detection action generates a log but performs
on the interface. { block | no-learning | shutdown } no action on the port on which
a loop is detected.

Setting the loop protection action on a Layer 2 aggregate

interface
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 aggregate interface interface-type
interface view. N/A
interface-number
By default, the device
3. Set the loop protection action loopback-detection action generates a log but performs
on the interface. shutdown no action on the port on which
a loop is detected.

Setting the loop detection interval

With loop detection enabled, the device sends loop detection frames at the loopback detection
interval. A shorter interval offers more sensitive detection but consumes more resources. Consider
the system performance and loop detection speed when you set the loop detection interval.
To set the loop detection interval:

144
 Step Command Remarks
1. Enter system view. system-view N/A
2. Set the loop detection loopback-detection
interval. The default setting is 30 seconds.
interval-time interval

Displaying and maintaining loop detection

Execute display commands in any view.

Task Command
Display the loop detection configuration and status. display loopback-detection

Loop detection configuration example

Network requirements
As shown in Figure 49, configure loop detection on Device A to meet the following requirements:
• Device A generates a log as a notification.
• Device A automatically shuts down the port on which a loop is detected.
Figure 49 Network diagram

Device A

XGE1/0/1 XGE1/0/2

Device B Device C

VLAN 100

Configuration procedure
1. Configure Device A:
# Create VLAN 100, and globally enable loop detection for the VLAN.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] quit
[DeviceA] loopback-detection global enable vlan 100

145
 # Configure Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 as trunk ports, and
assign them to VLAN 100.
[DeviceA] interface Ten-GigabitEthernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100
[DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100
[DeviceA-Ten-GigabitEthernet1/0/2] quit
# Set the global loop protection action to shutdown.
[DeviceA] loopback-detection global action shutdown
# Set the loop detection interval to 35 seconds.
[DeviceA] loopback-detection interval-time 35
2. Configure Device B:
# Create VLAN 100.
<DeviceB> system-view
[DeviceB] vlan 100
[DeviceB–vlan100] quit
# Configure Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 as trunk ports, and
assign them to VLAN 100.
[DeviceB] interface ten-gigabitethernet 1/0/1
[DeviceB-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100
[DeviceB-Ten-GigabitEthernet1/0/1] quit
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100
[DeviceB-Ten-GigabitEthernet1/0/2] quit
3. Configure Device C:
# Create VLAN 100.
<DeviceC> system-view
[DeviceC] vlan 100
[DeviceC–vlan100] quit
# Configure Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 as trunk ports, and
assign them to VLAN 100.
[DeviceC] interface ten-gigabitethernet 1/0/1
[DeviceC-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100
[DeviceC-Ten-GigabitEthernet1/0/1] quit
[DeviceC] interface ten-gigabitethernet 1/0/2
[DeviceC-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceC-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100
[DeviceC-Ten-GigabitEthernet1/0/2] quit

Verifying the configuration

# View the system logs on devices, for example, Device A.

146
[DeviceA]
%Feb 24 15:04:29:663 2013 DeviceA LPDT/4/LPDT LOOPED: Loopback exists on
Ten-GigabitEthernet1/0/1.
%Feb 24 15:04:29:667 2013 DeviceA LPDT/4/LPDT LOOPED: Loopback exists on
Ten-GigabitEthernet1/0/2.
%Feb 24 15:04:44:243 2013 DeviceA LPDT/5/LPDT RECOVERED: Loopback on
Ten-GigabitEthernet1/0/1 recovered.
%Feb 24 15:04:44:248 2013 DeviceA LPDT/5/LPDT RECOVERED: Loopback on
Ten-GigabitEthernet1/0/2 recovered.

The output shows the following information:

• Device A detected loops on Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 within a
loop detection interval.
• Loops on Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 were removed.
# Use the display loopback-detection command to display the loop detection configuration and
status on devices, for example, Device A.
[DeviceA] display loopback-detection
Loop detection is enabled.
Loop detection interval is 35 second(s).
No loopback is detected.

The output shows that the device has removed the loops from Ten-GigabitEthernet 1/0/1 and
Ten-GigabitEthernet 1/0/2 according to the shutdown action.
# Display the status of Ten-GigabitEthernet 1/0/1 on devices, for example, Device A.
[DeviceA] display interface ten-gigabitethernet 1/0/1
Ten-GigabitEthernet1/0/1 current state: DOWN (Loop detection down)
...

The output shows that Ten-GigabitEthernet 1/0/1 is already shut down by the loop detection module.
# Display the status of Ten-GigabitEthernet 1/0/2 on devices, for example, Device A.
[DeviceA] display interface ten-gigabitethernet 1/0/2
Ten-GigabitEthernet1/0/2 current state: DOWN (Loop detection down)
...

The output shows that Ten-GigabitEthernet 1/0/2 is already shut down by the loop detection module.

147
Configuring VLANs
Overview
Ethernet is a family of shared-media LAN technologies based on the CSMA/CD mechanism. An
Ethernet LAN is both a collision domain and a broadcast domain. Because the medium is shared,
collisions and broadcasts are common in an Ethernet LAN. Typically, bridges and Layer 2 switches
can reduce collisions in an Ethernet LAN. To confine broadcasts, a Layer 2 switch must use the
Virtual Local Area Network (VLAN) technology.
VLANs enable a Layer 2 switch to break a LAN down into smaller broadcast domains, as shown
in Figure 50.
Figure 50 A VLAN diagram
VLAN 2

Switch A Switch B
Router

VLAN 5

A VLAN is logically divided on an organizational basis rather than on a physical basis. For example,
you can assign all workstations and servers used by a particular workgroup to the same VLAN,
regardless of their physical locations. Hosts in the same VLAN can directly communicate with one
another. You need a router or a Layer 3 switch for hosts in different VLANs to communicate with one
another.
All these VLAN features reduce bandwidth waste, improve LAN security, and enable flexible virtual
group creation.

VLAN frame encapsulation

To identify Ethernet frames from different VLANs, IEEE 802.1Q inserts a four-byte VLAN tag
between the destination and source MAC address (DA&SA) field and the Type field.
Figure 51 VLAN tag placement and format

A VLAN tag includes the following fields:

• TPID—16-bit tag protocol identifier that indicates whether a frame is VLAN-tagged. By default,
the hexadecimal TPID value 8100 identifies a VLAN-tagged frame. A device vendor can set the

148
 TPID to a different value. For compatibility with a neighbor device, set the TPID value on the
device to be the same as the neighbor device.
• Priority—3-bit long, identifies the 802.1p priority of the frame. For more information, see ACL
and QoS Configuration Guide.
• CFI—1-bit long canonical format indicator that indicates whether the MAC addresses are
encapsulated in the standard format when packets are transmitted across different media.
Available values include:
{ 0 (default)—The MAC addresses are encapsulated in the standard format.
{ 1—The MAC addresses are encapsulated in a non-standard format.
This field is always set to 0 for Ethernet.
• VLAN ID—12-bit long, identifies the VLAN to which the frame belongs. The VLAN ID range is 0
to 4095. VLAN IDs 0 and 4095 are reserved, and VLAN IDs 1 to 4094 are user configurable.
The way a network device handles an incoming frame depends on whether the frame has a VLAN
tag and the value of the VLAN tag (if any). For more information, see "Introduction."
Ethernet supports encapsulation formats Ethernet II, 802.3/802.2 LLC, 802.3/802.2 SNAP, and
802.3 raw. The Ethernet II encapsulation format is used here. For information about the VLAN tag
fields in other frame encapsulation formats, see related protocols and standards.
For a frame that has multiple VLAN tags, the device handles it according to its outermost VLAN tag
and transmits its inner VLAN tags as the payload.

Protocols and standards

IEEE 802.1Q, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area
Networks

Configuring a VLAN
Step Command Remarks
1. Enter system view. system-view N/A
2. (Optional.) Create a
VLAN and enter its vlan { vlan-id1 [ to vlan-id2 ] | By default, only the system default VLAN
view, or create a list of all } (VLAN 1) exists.
VLANs.

3. Enter VLAN view. To configure a VLAN after you create a list

vlan vlan-id
of VLANs, you must perform this step.
By default, the name of a VLAN is VLAN
vlan-id. The vlan-id argument specifies
4. Set a name for the the VLAN ID in a four-digit format. If the
VLAN. name text
VLAN ID has fewer than four digits,
leading zeros are added. For example, the
name of VLAN 100 is VLAN 0100.
By default, the description of a VLAN is
VLAN vlan-id. The vlan-id argument
5. Configure the specifies the VLAN ID in a four-digit
description for the description text format. If the VLAN ID has fewer than four
VLAN. digits, leading zeros are added. For
example, the default description of VLAN
100 is VLAN 0100.

149
 Step Command Remarks
By default, packet dropping is disabled in
a VLAN.
This feature enables the device to drop
6. (Optional.) Enable Layer 3 packets in a VLAN and packets
packet dropping in the block outbound originating from the device. To drop all
VLAN. packets that are received and transmitted
in the VLAN, you must configure a QoS
policy. For more information about
configuring QoS policies, see ACL and
QoS Configuration Guide.

NOTE:
• As the system default VLAN, VLAN 1 cannot be created or deleted.
• Before you delete a dynamic VLAN or a VLAN locked by an application, you must first remove
the configuration from the VLAN.

Configuring VLAN interfaces

Hosts of different VLANs use VLAN interfaces to communicate at Layer 3. VLAN interfaces are
virtual interfaces that do not exist as physical entities on devices. For each VLAN, you can create
one VLAN interface and assign an IP address to it. The VLAN interface acts as the gateway of the
VLAN to forward packets destined for another IP subnet at Layer 3.
When you configure a VLAN interface, follow these restrictions and guidelines:
• Before you create a VLAN interface for a VLAN, create the VLAN first.
• You cannot create VLAN interfaces for sub-VLANs. For more information about sub-VLANs,
see "Configuring super VLANs."
• You cannot create VLAN interfaces for secondary VLANs that have the following
characteristics:
{ Associated with the same primary VLAN.
{ Enabled with Layer 3 communication in VLAN interface view of the primary VLAN interface.
For more information about secondary VLANs, see "Configuring the private VLAN."
To configure basic settings of a VLAN interface:

Step Command Remarks

1. Enter system view. system-view N/A
If the VLAN interface already exists,
2. Create a VLAN interface interface vlan-interface you enter its view directly.
and enter its view. interface-number
By default, no VLAN interfaces exist.
3. Assign an IP address to ip address ip-address { mask | By default, no IP address is assigned to
the VLAN interface. mask-length } [ sub ] a VLAN interface.

4. Configure the description The default setting is the VLAN

for the VLAN interface. description text interface name. For example,
Vlan-interface1 Interface.

5. (Optional.) Specify a traffic By default, no traffic processing slot is

processing slot for the specified for the VLAN interface. Traffic
service slot slot-number
VLAN interface. on a VLAN interface is processed on
the slot at which the traffic arrives.

150
 Step Command Remarks
6. Set the MTU for the VLAN
interface. mtu size The default setting is 1500 bytes.

7. Set the MAC address for By default, no MAC address is set for a
the VLAN interface. mac-address mac-address
VLAN interface.
8. Set the expected By default, the expected bandwidth (in
bandwidth for the bandwidth bandwidth-value kbps) is the interface baud rate divided
interface. by 1000.
9. (Optional.) Restore the
default settings for the default N/A
VLAN interface.
10. (Optional.) Bring up the
VLAN interface. undo shutdown N/A

Configuring port-based VLANs

Introduction
Port-based VLANs group VLAN members by port. A port forwards packets from a VLAN only after it
is assigned to the VLAN.
Port link type
You can set the link type of a port to access, trunk, or hybrid. The port link type determines whether
the port can be assigned to multiple VLANs. The link types use the following VLAN tag handling
methods:
• Access—An access port can forward packets only from one VLAN and send these packets
untagged. An access port is typically used in the following conditions:
{ Connecting to a terminal device that does not support VLAN packets.
{ In scenarios that do not distinguish VLANs.
• Trunk—A trunk port can forward packets from multiple VLANs. Except packets from the port
VLAN ID (PVID), packets sent out of a trunk port are VLAN-tagged. Ports connecting network
devices are typically configured as trunk ports.
• Hybrid—A hybrid port can forward packets from multiple VLANs. The tagging status of the
packets forwarded by a hybrid port depends on the port configuration. In one-to-two VLAN
mapping, hybrid ports are used to remove SVLAN tags for downlink traffic. For more
information about one-to-two VLAN mapping, see "Configuring VLAN mapping."
PVID
The PVID identifies the default VLAN of a port. Untagged packets received on a port are considered
as the packets from the port PVID.
When you set the PVID for a port, follow these restrictions and guidelines:
• An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID
of the port.
• A trunk or hybrid port supports multiple VLANs and the PVID configuration.
• When you use the undo vlan command to delete the PVID of a port, either of the following
events occurs depending on the port link type:
{ For an access port, the PVID of the port changes to VLAN 1.
{ For a hybrid or trunk port, the PVID setting of the port does not change.

151
 You can use a nonexistent VLAN as the PVID for a hybrid or trunk port, but not for an access
port.
• As a best practice, set the same PVID for a local port and its peer.
• To prevent a port from dropping untagged packets or PVID-tagged packets, assign the port to
its PVID.
How ports of different link types handle frames

Actions Access Trunk Hybrid

In the inbound • If the PVID is permitted on the port, tags the frame with
Tags the frame with the the PVID tag.
direction for an
PVID tag.
untagged frame • If not, drops the frame.
• Receives the
frame if its VLAN
ID is the same as
In the inbound the PVID. • Receives the frame if its VLAN is permitted on the port.
direction for a
• Drops the frame if • Drops the frame if its VLAN is not permitted on the port.
tagged frame
its VLAN ID is
different from the
PVID.
• Removes the tag
and sends the frame
if the frame carries
the PVID tag and the
port belongs to the Sends the frame if its VLAN is
PVID. permitted on the port. The
In the outbound Removes the VLAN tag
tagging status of the frame
direction and sends the frame. • Sends the frame
depends on the port hybrid
without removing the vlan command configuration.
tag if its VLAN is
carried on the port
but is different from
the PVID.

In a VLAN-aware network, the default processing order for untagged packets is as follows, in
descending order of priority:
• MAC-based VLANs.
• IP subnet-based VLANs.
• Protocol-based VLANs.
• Port-based VLANs.

Assigning an access port to a VLAN

You can assign an access port to a VLAN in VLAN view or interface view.
Make sure the VLAN has been created.
Assign one or multiple access ports to a VLAN in VLAN view

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter VLAN view. vlan vlan-id N/A
3. Assign one or multiple By default, all ports belong to
access ports to the VLAN. port interface-list
VLAN 1.

152
Assign an access port to a VLAN in interface view

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
interface-number
2. Enter interface view. N/A
• Enter Layer 2 aggregate interface
view:
interface bridge-aggregation
interface-number
3. Set the port link type to By default, all ports are
access. port link-type access
access ports.
4. (Optional.) Assign the By default, all access ports
access port to a VLAN. port access vlan vlan-id
belong to VLAN 1.

Assigning a trunk port to a VLAN

A trunk port supports multiple VLANs. You can assign it to a VLAN in interface view.
When you assign a trunk port to a VLAN, follow these restrictions and guidelines:
• To change the link type of a port from trunk to hybrid, set the link type to access first.
• To enable a trunk port to transmit packets from its PVID, you must assign the trunk port to the
PVID by using the port trunk permit vlan command.
To assign a trunk port to one or multiple VLANs:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface view:
interface interface-type
interface-number
2. Enter interface view. N/A
• Enter Layer 2 aggregate interface view:
interface bridge-aggregation
interface-number
3. Set the port link type to By default, all ports are
trunk. port link-type trunk
access ports.
4. Assign the trunk port to By default, a trunk port
the specified VLANs. port trunk permit vlan { vlan-id-list | all }
permits only VLAN 1.
5. (Optional.) Set the The default setting is VLAN
PVID for the trunk port. port trunk pvid vlan vlan-id
1.

Assigning a hybrid port to a VLAN

A hybrid port supports multiple VLANs. You can assign it to the specified VLANs in interface view.
Make sure the VLANs have been created.
When you assign a hybrid port to a VLAN, follow these restrictions and guidelines:
• To change the link type of a port from trunk to hybrid, set the link type to access first.
• To enable a hybrid port to transmit packets from its PVID, you must assign the hybrid port to the
PVID by using the port hybrid vlan command.

153
 To assign a hybrid port to one or multiple VLANs:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface view:
interface interface-type
interface-number
2. Enter interface view. N/A
• Enter Layer 2 aggregate interface view:
interface bridge-aggregation
interface-number
3. Set the port link type to By default, all ports are
hybrid. port link-type hybrid
access ports.
By default, the hybrid port is
Assign the hybrid port an untagged member of the
4. port hybrid vlan vlan-id-list { tagged |
to the specified VLANs. VLAN to which the port
untagged }
belongs when its link type is
access.
By default, the PVID of a
5. (Optional.) Set the hybrid port is the ID of the
PVID for the hybrid port hybrid pvid vlan vlan-id VLAN to which the port
port. belongs when its link type is
access.

Configuring MAC-based VLANs

Introduction
This feature is available only on hybrid ports.
The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature
is also called user-based VLAN because VLAN configuration remains the same regardless of a
user's physical location.
Static MAC-based VLAN assignment
Use static MAC-based VLAN assignment in networks that have a small number of VLAN users. To
configure static MAC-based VLAN assignment on a port, perform the following tasks:
1. Create MAC-to-VLAN entries.
2. Enable the MAC-based VLAN feature on the port.
3. Assign the port to the MAC-based VLAN.
A port configured with static MAC-based VLAN assignment processes a received frame as follows
before sending the frame out:
• For an untagged frame, the port determines its VLAN ID in the following workflow:
a. The port first performs a fuzzy match as follows:
− Searches for the MAC-to-VLAN entries whose masks are not all Fs.
− Performs a logical AND operation on the source MAC address and each of these
masks.
If an AND operation result matches the MAC address in a MAC-to-VLAN entry, the port
tags the frame with the VLAN ID specific to this entry.
b. If the fuzzy match fails, the port performs an exact match. It searches for MAC-to-VLAN
entries whose masks are all Fs. If the source MAC address of the frame exactly matches the

154
 MAC address of a MAC-to-VLAN entry, the port tags the frame with the VLAN ID specific to
this entry.
c. If no matching VLAN ID is found, the port determines the VLAN for the packet by using the
following VLAN match order:
− IP subnet-based VLAN.
− Protocol-based VLAN.
− Port-based VLAN.
When a match is found, the port tags the packet with the matching VLAN ID.
• For a tagged frame, the port determines whether the VLAN ID of the frame is permitted on the
port.
{ If the VLAN ID of the frame is permitted on the port, the port forwards the frame.
{ If the VLAN ID of the frame is not permitted on the port, the port drops the frame.
Dynamic MAC-based VLAN assignment
When you cannot determine the target MAC-based VLANs of a port, use dynamic MAC-based VLAN
assignment on the port. To use dynamic MAC-based VLAN assignment, perform the following tasks:
1. Create MAC-to-VLAN entries.
2. Enable the MAC-based VLAN feature on the port.
3. Enable dynamic MAC-based VLAN assignment on the port.
Dynamic MAC-based VLAN assignment uses the following workflow, as shown in Figure 52:
1. When a port receives a frame, it first determines whether the frame is tagged.
{ If the frame is tagged, the port gets the source MAC address of the frame.
{ If the frame is untagged, the port selects a VLAN for the frame by using the following
matching order:
− MAC-based VLAN (fuzzy and exact MAC address match).
− IP subnet-based VLAN.
− Protocol-based VLAN.
− Port-based VLAN.
After tagging the frame with the selected VLAN, the port gets the source MAC address of the
frame.
2. The port uses the source address and VLAN of the frame to match the MAC-to VLAN entries.
{ If the source MAC address of the frame exactly matches the MAC address in a
MAC-to-VLAN entry, the port checks whether the VLAN ID of the frame matches the VLAN
in the entry.
− If the two VLAN IDs match, the port joins the VLAN and forwards the frame.
− If the two VLAN IDs do not match, the port drops the frame.
{ If the source MAC address of the frame does not exactly match any MAC addresses in
MAC-to-VLAN entries, the port checks whether the VLAN ID of the frame is its PVID.
− If the VLAN ID of the frame is the PVID of the port, the port determines whether it allows
the PVID.
If the PVID is allowed, the port forwards the frame within the PVID. If the PVID is not
allowed, the port drops the frame.
− If the VLAN ID of the frame is not the PVID of the port, the port determines whether the
VLAN ID is the primary VLAN ID and the port PVID is a secondary VLAN ID.
If yes, the port forwards the frame. Otherwise, the port drops the frame.

155
 Figure 52 Flowchart for processing a frame in dynamic MAC-based VLAN assignment
The port receives a
frame

No
Tagged frame ?

Yes

Selects a VLAN for the

Gets the source MAC
frame

Uses source MAC to

match the MAC in MAC-
to-VLAN entries

MAC addresses No No Yes

VLAN ID match the Is the VLAN ID the primary VLAN ID and the
match? port PVID? port PVID a secondary VLAN ID?
Yes Yes
No

No VLAN IDs No
PVID allowed? Drops the frame
match?

Yes Yes

Forwards the frame in

Drops the frame Joins the VLAN
the VLAN

When you configure dynamic MAC-based VLAN assignment, follow these guidelines:
• When a port joins a VLAN specified in the MAC-to-VLAN entry, one of the following events
occurs depending on the port configuration:
{ If the port has not been configured to allow packets from the VLAN to pass through, the port
joins the VLAN as an untagged member.
{ If the port has been configured to allow packets from the VLAN to pass through, the port
configuration remains the same.
• If you configure both static and dynamic MAC-based VLAN assignments on a port, dynamic
MAC-based VLAN assignment takes effect.
• The 802.1p priority of the VLAN in a MAC-to-VLAN entry determines the transmission priority of
the matching packets.
Server-assigned MAC-based VLAN
Use this feature with access authentication, such as MAC-based 802.1X authentication, to
implement secure and flexible terminal access.
To implement server-assigned MAC-based VLAN, perform the following tasks:
1. Configure the server-assigned MAC-based VLAN feature on the access device.
2. Configure username-to-VLAN entries on the access authentication server.
When a user passes authentication of the access authentication server, the server assigns the
authorization VLAN information for the user to the device. The device then performs the following
operations:
1. Generates a MAC-to-VLAN entry by using the source MAC address of the user packet and the
authorization VLAN information. The authorization VLAN is a MAC-based VLAN.
The generated MAC-to-VLAN entry cannot conflict with the existing static MAC-to-VLAN entries.
If a confliction exists, the dynamic MAC-to-VLAN entry cannot be generated.

156
 2. Assigns the port that connects the user to the MAC-based VLAN.
When the user goes offline, the device automatically deletes the MAC-to-VLAN entry and removes
the port from the MAC-based VLAN. For more information about 802.1X and MAC authentication,
see Security Configuration Guide.

General configuration restrictions and guidelines

When you configure MAC-based VLANs, follow these restrictions and guideline:
• Do not configure a VLAN as both a super VLAN and a MAC-based VLAN.
• The MAC-based VLAN feature is mainly configured on downlink ports of user access devices.
Do not use this feature with link aggregation.

Configuring static MAC-based VLAN assignment

Step Command Remarks
1. Enter system view. system-view N/A

Create a MAC-to-VLAN mac-vlan mac-address mac-address

2. By default, no MAC-to-VLAN
entry. [ mask mac-mask ] vlan vlan-id [ dot1q
entries exist.
priority ]
3. Enter Layer 2 Ethernet
interface view. interface interface-type interface-number N/A

4. Set the port link type to By default, all ports are access
hybrid. port link-type hybrid
ports.
By default, a hybrid port is an
Assign the hybrid port to untagged member of the
5. port hybrid vlan vlan-id-list { tagged |
the MAC-based VLANs. VLAN to which the port
untagged }
belongs when its link type is
access.
6. Enable the MAC-based By default, this feature is
VLAN feature. mac-vlan enable
disabled.

7. (Optional.) Configure By default, the system assigns

the system to assign VLANs based on the MAC
VLANs based on the address preferentially when
vlan precedence mac-vlan
MAC address both the MAC-based VLAN
preferentially. and IP subnet-based VLAN
are configured on a port.

Configuring dynamic MAC-based VLAN assignment

Configuration restrictions and guidelines
When you configure dynamic MAC-based VLAN assignment, follow these restrictions and guideline:
• As a best practice to ensure correct operation of 802.1X and MAC authentication, do not use
dynamic MAC-based VLAN assignment with 802.1X or MAC authentication.
• As a best practice, do not both configure dynamic MAC-based VLAN assignment and disable
MAC address learning on a port. If the two features are configured together on a port, the port
forwards only packets exactly matching the MAC-to-VLAN entries and drops inexactly matching
packets.
• As a best practice, do not configure both dynamic MAC-based VLAN assignment and the MAC
learning limit on a port.

157
 If the two features are configured together on a port and the port learns the configured
maximum number of MAC address entries, the port processes packets as follows:
{ Forwards only packets matching the MAC address entries learnt by the port.
{ Drops unmatching packets.
• For successful dynamic MAC-based VLAN assignment, use static VLANs when you create
MAC-to-VLAN entries.
• As a best practice, do not use dynamic MAC-based VLAN assignment with MSTP. In MSTP
mode, if a port is blocked in the MSTI of its target VLAN, the port drops the received packets
instead of delivering them to the CPU. As a result, the port will not be dynamically assigned to
the target VLAN.
• As a best practice, do not use dynamic MAC-based VLAN assignment with PVST. In PVST
mode, if the target VLAN of a port is not permitted on the port, the port is placed in blocked state.
The port drops the received packets instead of delivering them to the CPU. As a result, the port
will not be dynamically assigned to the target VLAN.
• As a best practice, do not configure both dynamic MAC-based VLAN assignment and automatic
voice VLAN assignment mode on a port. They can have a negative impact on each other.
Configuration procedure
To configure dynamic MAC-based VLAN assignment:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a mac-vlan mac-address mac-address By default, no MAC-to-VLAN
MAC-to-VLAN entry. vlan vlan-id [ dot1q priority ] entries exist.
3. Enter Layer 2 Ethernet
interface view. interface interface-type interface-number N/A

4. Set the port link type to By default, all ports are access
hybrid. port link-type hybrid
ports.
5. Enable the
MAC-based VLAN By default, MAC-based VLAN
mac-vlan enable
feature. is disabled.

By default, dynamic
MAC-based VLAN assignment
is disabled.
6. Enable dynamic The VLAN assignment for a
MAC-based VLAN mac-vlan trigger enable port is triggered only when the
assignment. source MAC address of its
receiving packet exactly
matches the MAC address in a
MAC-to-VLAN entry.

7. (Optional.) Configure By default, the system assigns

the system to assign VLANs based on the MAC
VLANs based on the address preferentially when
vlan precedence mac-vlan
MAC address both the MAC-based VLAN and
preferentially. IP subnet-based VLAN are
configured on a port.
8. (Optional.) Disable the By default, when a port
port from forwarding receives packets whose source
packets that fail the port pvid forbidden MAC addresses fail the exact
exact MAC address match, the port forwards them
match in its PVID. in its PVID.

158
Configuring server-assigned MAC-based VLAN
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view. interface interface-type interface-number N/A

3. Set the port link type to By default, all ports are

hybrid. port link-type hybrid
access ports.
By default, a hybrid port is an
4. Assign the hybrid port untagged member of the
to the MAC-based port hybrid vlan vlan-id-list { tagged |
VLAN to which the port
VLANs. untagged }
belongs when its link type is
access.
5. Enable the
MAC-based VLAN By default, MAC-based VLAN
mac-vlan enable
feature. is disabled.

6. Configure 802.1X or For more information, see Security

MAC authentication. N/A
Command Reference.

Configuring IP subnet-based VLANs

In this method, untagged packets are assigned to VLANs based on their source IP addresses and
subnet masks. A port configured with IP subnet-based VLANs assigns a received untagged packet
to a VLAN based on the source address of the packet.
Use this feature when untagged packets from an IP subnet or IP address must be transmitted in a
VLAN.
This feature is available only on hybrid ports, and it processes only untagged packets.
An IP subnet-based VLAN has one or multiple subnets to match inbound packets. Each subnet has
a unique index in the IP subnet-based VLAN. All subnets in an IP subnet-based VLAN have the
same VLAN ID.
To configure an IP subnet-based VLAN:

Task Command Remarks

1. Enter system view. system-view N/A
2. Enter VLAN view. vlan vlan-id N/A
By default, a VLAN is not associated
3. Associate the VLAN with an IP subnet or IP address.
with an IP subnet or ip-subnet-vlan [ ip-subnet-index ] ip
ip-address [ mask ] A multicast subnet or a multicast
IP address. address cannot be associated with a
VLAN.
4. Return to system
view. quit N/A

159
 Task Command Remarks
• Enter Layer 2 Ethernet interface
view:
interface interface-type
interface-number
5. Enter interface view. N/A
• Enter Layer 2 aggregate interface
view:
interface bridge-aggregation
interface-number
6. Set the port link type
to hybrid. port link-type hybrid By default, all ports are access ports.

7. Assign the hybrid By default, a hybrid port is an

port to the specified port hybrid vlan vlan-id-list { tagged | untagged member of the VLAN to
IP subnet-based untagged } which the port belongs when its link
VLANs. type is access.
8. Associate the hybrid
port with the By default, a hybrid port is not
specified IP port hybrid ip-subnet-vlan vlan
associated with a subnet-based
subnet-based vlan-id
VLAN.
VLAN.

Configuring protocol-based VLANs

The protocol-based VLAN feature assigns inbound packets to different VLANs based on their
protocol types and encapsulation formats. The protocols available for VLAN assignment include IP,
IPX, and AT. The encapsulation formats include Ethernet II, 802.3 raw, 802.2 LLC, and 802.2 SNAP.
This feature is available only on hybrid ports, and it processes only untagged packets. It associates
the available network service types with VLANs and facilitates network management and
maintenance.
A protocol-based VLAN has one or multiple protocol templates. A protocol template defines a
protocol type and an encapsulation format as the match criteria to match inbound packets. Each
protocol template has a unique index in the protocol-based VLAN. All protocol templates in a
protocol-based VLAN have the same VLAN ID.
For a port to assign inbound packets to protocol-based VLANs, perform the following tasks:
• Assign the port to the protocol-based VLANs.
• Associate the port with the protocol templates of the protocol-based VLANs.
When an untagged packet arrives at the port, the port processes the packet as follows:
• If the protocol type and encapsulation format in the packet match a protocol template, the port
tags the packet with the VLAN tag specific to the protocol template.
• If no protocol templates are matched, the port tags the packet with its PVID.
The voice VLAN in automatic mode processes only tagged voice traffic. Do not configure a VLAN as
both a protocol-based VLAN and a voice VLAN.
To configure a protocol-based VLAN:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter VLAN view. vlan vlan-id N/A

160
 Step Command Remarks
protocol-vlan [ protocol-index ] { at | ipv4
3. Associate the VLAN | ipv6 | ipx { ethernetii | llc | raw | snap } | By default, a VLAN is not
with a protocol mode { ethernetii etype etype-id | llc associated with a protocol
template. { dsap dsap-id [ ssap ssap-id ] | ssap template.
ssap-id } | snap etype etype-id } }
4. Exit VLAN view. quit N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
interface-number
5. Enter interface view. N/A
• Enter Layer 2 aggregate interface
view:
interface bridge-aggregation
interface-number
6. Set the port link type to By default, all ports are access
hybrid. port link-type hybrid
ports.

7. Assign the hybrid port By default, a hybrid port is an

to the specified port hybrid vlan vlan-id-list { tagged | untagged member of the VLAN
protocol-based VLANs. untagged } to which the port belongs when
its link type is access.
8. Associate the hybrid By default, a hybrid port is not
port with the specified port hybrid protocol-vlan vlan vlan-id
associated with a
protocol-based VLAN. { protocol-index [ to protocol-end ] | all }
protocol-based VLAN.

Configuring a VLAN group

A VLAN group includes a set of VLANs.
On an authentication server, a VLAN group name represents a group of authorization VLANs. When
an 802.1X user passes authentication, the authentication server assigns a VLAN group name to the
device. If the received VLAN group name matches a locally configured VLAN group name on the
device, the device assigns a VLAN in the group to the user. For more information about 802.1X
authentication, see Security Configuration Guide.
To configure a VLAN group:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a VLAN group and
enter its view. vlan-group group-name By default, no VLAN groups exist.

By default, no VLANs exist in a

3. Add VLANs to the VLAN VLAN group.
group. vlan-list vlan-id-list
You can add multiple VLAN lists to
a VLAN group.

Displaying and maintaining VLANs

Execute display commands in any view and reset commands in user view.

161
 Task Command
display interface vlan-interface [ interface-number ] [ brief
Display VLAN interface information.
[ description | down ] ]
Display information about IP
display ip-subnet-vlan interface { interface-type
subnet-based VLANs that are associated
interface-number1 [ to interface-type interface-number2 ] | all }
with the specified ports.
Display information about IP
display ip-subnet-vlan vlan { vlan-id1 [ to vlan-id2 ] | all }
subnet-based VLANs.
Display information about protocol-based
display protocol-vlan interface { interface-type
VLANs that are associated with the
interface-number1 [ to interface-type interface-number2 ] | all }
specified ports.
Display information about protocol-based
display protocol-vlan vlan { vlan-id1 [ to vlan-id2 ] | all }
VLANs.
display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | reserved
Display VLAN information.
| static ]
Display brief VLAN information. display vlan brief
Display VLAN group information. display vlan-group [ group-name ]
Display hybrid ports or trunk ports on the
display port { hybrid | trunk }
device.
Clear statistics on a port. reset counters interface vlan-interface [ interface-number ]

VLAN configuration examples

Port-based VLAN configuration example
Network requirements
As shown in Figure 53:
• Host A and Host C belong to Department A. VLAN 100 is assigned to Department A.
• Host B and Host D belong to Department B. VLAN 200 is assigned to Department B.
Configure port-based VLANs so that only hosts in the same department can communicate with each
other.
Figure 53 Network diagram

Configuration procedure
1. Configure Device A:
# Create VLAN 100, and assign Ten-GigabitEthernet 1/0/1 to VLAN 100.
<DeviceA> system-view

162
 [DeviceA] vlan 100
[DeviceA-vlan100] port ten-gigabitethernet 1/0/1
[DeviceA-vlan100] quit
# Create VLAN 200, and assign Ten-GigabitEthernet 1/0/2 to VLAN 200.
[DeviceA] vlan 200
[DeviceA-vlan200] port ten-gigabitethernet 1/0/2
[DeviceA-vlan200] quit
# Configure Ten-GigabitEthernet 1/0/3 as a trunk port, and assign the port to VLANs 100 and
200.
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/3] port trunk permit vlan 100 200
Please wait... Done.
2. Configure Device B in the same way Device A is configured. (Details not shown.)
3. Configure hosts:
a. Configure Host A and Host C to be on the same IP subnet. For example, 192.168.100.0/24.
b. Configure Host B and Host D to be on the same IP subnet. For example, 192.168.200.0/24.
Verifying the configuration
# Verify that Host A and Host C can ping each other, but they both fail to ping Host B and Host D.
(Details not shown.)
# Verify that Host B and Host D can ping each other, but they both fail to ping Host A and Host C.
(Details not shown.)
# Verify that VLANs 100 and 200 are correctly configured on Device A.
[DeviceA-Ten-GigabitEthernet1/0/3] display vlan 100
VLAN ID: 100
VLAN type: Static
Route interface: Not configured
Description: VLAN 0100
Name: VLAN 0100
Tagged ports:
Ten-GigabitEthernet1/0/3
Untagged ports:
Ten-GigabitEthernet1/0/1
[DeviceA-Ten-GigabitEthernet1/0/3] display vlan 200
VLAN ID: 200
VLAN type: Static
Route interface: Not configured
Description: VLAN 0200
Name: VLAN 0200
Tagged ports:
Ten-GigabitEthernet1/0/3
Untagged ports:
Ten-GigabitEthernet1/0/2

163
MAC-based VLAN configuration example
Network requirements
As shown in Figure 54:
• Ten-GigabitEthernet 1/0/1 of Device A and Device C are each connected to a meeting room.
Laptop 1 and Laptop 2 are used for meetings and might be used in either of the two meeting
rooms.
• One department uses VLAN 100 and owns Laptop 1. The other department uses VLAN 200
and owns Laptop 2.
Configure MAC-based VLANs, so that Laptop 1 and Laptop 2 can access Server 1 and Server 2,
respectively, no matter which meeting room they are used in.
Figure 54 Network diagram

Configuration procedure
1. Configure Device A:
# Create VLANs 100 and 200.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] quit
[DeviceA] vlan 200
[DeviceA-vlan200] quit
# Associate the MAC addresses of Laptop 1 and Laptop 2 with VLANs 100 and 200,
respectively.
[DeviceA] mac-vlan mac-address 000d-88f8-4e71 vlan 100
[DeviceA] mac-vlan mac-address 0014-222c-aa69 vlan 200
# Configure Ten-GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as
an untagged VLAN member.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-type hybrid

164
 [DeviceA-Ten-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged
# Enable the MAC-based VLAN feature on Ten-GigabitEthernet 1/0/1.
[DeviceA-Ten-GigabitEthernet1/0/1] mac-vlan enable
[DeviceA-Ten-GigabitEthernet1/0/1] quit
# Configure the uplink port (Ten-GigabitEthernet 1/0/2) as a trunk port, and assign it to VLANs
100 and 200.
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[DeviceA-Ten-GigabitEthernet1/0/2] quit
2. Configure Device B:
# Create VLAN 100, and assign Ten-GigabitEthernet 1/0/3 to VLAN 100.
<DeviceB> system-view
[DeviceB] vlan 100
[DeviceB-vlan100] port ten-gigabitethernet 1/0/3
[DeviceB-vlan100] quit
# Create VLAN 200 and assign Ten-GigabitEthernet 1/0/4 to VLAN 200.
[DeviceB] vlan 200
[DeviceB-vlan200] port ten-gigabitethernet 1/0/4
[DeviceB-vlan200] quit
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLANs 100 and
200.
[DeviceB] interface ten-gigabitethernet 1/0/1
[DeviceB-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[DeviceB-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLANs 100 and
200.
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[DeviceB-Ten-GigabitEthernet1/0/2] quit
3. Configure Device C in the same way as the Device A is configured. (Details not shown.)
Verifying the configuration
# Verify that Laptop 1 can access only Server 1, and Laptop 2 can access only Server 2. (Details not
shown.)
# Verify the MAC-to-VLAN entries on Device A and Device C, for example, on Device A.
[DeviceA] display mac-vlan all
The following MAC VLAN addresses exist:
S:Static D:Dynamic
MAC address Mask VLAN ID Priority State
000d-88f8-4e71 ffff-ffff-ffff 100 0 S
0014-222c-aa69 ffff-ffff-ffff 200 0 S

Total MAC VLAN address count: 2

165
IP subnet-based VLAN configuration example
Network requirements
As shown in Figure 55, the hosts in the office belong to different IP subnets.
Configure Device C to transmit packets from 192.168.5.0/24 and 192.168.50.0/24 in VLANs 100 and
200, respectively.
Figure 55 Network diagram

Device A Device B

VLAN 100 VLAN 200

XGE1/0/2 XGE1/0/3

Device C
XGE1/0/1

192.168.5.0/24 192.168.50.0/24
Office

Configuration procedure
1. Configure Device C:
# Associate IP subnet 192.168.5.0/24 with VLAN 100.
<DeviceC> system-view
[DeviceC] vlan 100
[DeviceC-vlan100] ip-subnet-vlan ip 192.168.5.0 255.255.255.0
[DeviceC-vlan100] quit
# Associate IP subnet 192.168.50.0/24 with VLAN 200.
[DeviceC] vlan 200
[DeviceC-vlan200] ip-subnet-vlan ip 192.168.50.0 255.255.255.0
[DeviceC-vlan200] quit
# Configure Ten-GigabitEthernet 1/0/2 as a hybrid port, and assign it to VLAN 100 as a tagged
VLAN member.
[DeviceC] interface ten-gigabitethernet 1/0/2
[DeviceC-Ten-GigabitEthernet1/0/2] port link-type hybrid
[DeviceC-Ten-GigabitEthernet1/0/2] port hybrid vlan 100 tagged
[DeviceC-Ten-GigabitEthernet1/0/2] quit

166
 # Configure Ten-GigabitEthernet 1/0/3 as a hybrid port, and assign it to VLAN 200 as a tagged
VLAN member.
[DeviceC] interface ten-gigabitethernet 1/0/3
[DeviceC-Ten-GigabitEthernet1/0/3] port link-type hybrid
[DeviceC-Ten-GigabitEthernet1/0/3] port hybrid vlan 200 tagged
[DeviceC-Ten-GigabitEthernet1/0/3] quit
# Configure Ten-GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as
an untagged VLAN member.
[DeviceC] interface ten-gigabitethernet 1/0/1
[DeviceC-Ten-GigabitEthernet1/0/1] port link-type hybrid
[DeviceC-Ten-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged
# Associate Ten-GigabitEthernet 1/0/1 with the IP subnet-based VLANs 100 and 200.
[DeviceC-Ten-GigabitEthernet1/0/1] port hybrid ip-subnet-vlan vlan 100
[DeviceC-Ten-GigabitEthernet1/0/1] port hybrid ip-subnet-vlan vlan 200
[DeviceC-Ten-GigabitEthernet1/0/1] quit
2. Configure Device A and Device B to forward packets from VLANs 100 and 200, respectively.
(Details not shown.)
Verifying the configuration
# Verify the IP subnet-based VLAN configuration on Device C.
[DeviceC] display ip-subnet-vlan vlan all
VLAN ID: 100
Subnet index IP address Subnet mask
0 192.168.5.0 255.255.255.0

VLAN ID: 200

Subnet index IP address Subnet mask
0 192.168.50.0 255.255.255.0

# Verify the IP subnet-based VLAN configuration on Ten-GigabitEthernet 1/0/1 of Device C.

[DeviceC] display ip-subnet-vlan interface ten-gigabitethernet 1/0/1
Interface: Ten-GigabitEthernet1/0/1
VLAN ID Subnet index IP address Subnet mask Status
100 0 192.168.5.0 255.255.255.0 Active
200 0 192.168.50.0 255.255.255.0 Active

Protocol-based VLAN configuration example

Network requirements
As shown in Figure 56:
• The majority of hosts in a lab environment run the IPv4 protocol.
• The other hosts run the IPv6 protocol for teaching purposes.
To isolate IPv4 and IPv6 traffic at Layer 2, configure protocol-based VLANs to associate the IPv4 and
ARP protocols with VLAN 100, and associate the IPv6 protocol with VLAN 200.

167
 Figure 56 Network diagram
VLAN 100 VLAN 200

IPv4 server IPv6 server

XGE1/0/3
XGE1/0/4

XGE1/0/1 XGE1/0/2
Device

L2 switch A L2 switch B

IPv4 host A IPv6 host A IPv4 host B IPv6 host B

VLAN 100 VLAN 200 VLAN 100 VLAN 200

Configuration procedure
In this example, L2 Switch A and L2 Switch B use the factory configuration.
1. Configure Device:
# Create VLAN 100, and configure the description for VLAN 100 as protocol VLAN for IPv4.
<Device> system-view
[Device] vlan 100
[Device-vlan100] description protocol VLAN for IPv4
# Assign Ten-GigabitEthernet 1/0/3 to VLAN 100.
[Device-vlan100] port ten-gigabitethernet 1/0/3
[Device-vlan100] quit
# Create VLAN 200, and configure the description for VLAN 200 as protocol VLAN for IPv6.
[Device] vlan 200
[Device-vlan200] description protocol VLAN for IPv6
# Assign Ten-GigabitEthernet 1/0/4 to VLAN 200.
[Device-vlan200] port ten-gigabitethernet 1/0/4
# Configure VLAN 200 as a protocol-based VLAN, and create an IPv6 protocol template with
the index 1 for VLAN 200.
[Device-vlan200] protocol-vlan 1 ipv6
[Device-vlan200] quit
# Configure VLAN 100 as a protocol-based VLAN. Create an IPv4 protocol template with the
index 1, and create an ARP protocol template with the index 2. (In Ethernet II encapsulation, the
protocol type ID for ARP is 0806 in hexadecimal notation.)
[Device] vlan 100
[Device-vlan100] protocol-vlan 1 ipv4
[Device-vlan100] protocol-vlan 2 mode ethernetii etype 0806
[Device-vlan100] quit

168
 # Configure Ten-GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as
an untagged VLAN member.
[Device] interface ten-gigabitethernet 1/0/1
[Device-Ten-GigabitEthernet1/0/1] port link-type hybrid
[Device-Ten-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged
# Associate Ten-GigabitEthernet 1/0/1 with the IPv4 and ARP protocol templates of VLAN 100
and the IPv6 protocol template of VLAN 200.
[Device-Ten-GigabitEthernet1/0/1] port hybrid protocol-vlan vlan 100 1 to 2
[Device-Ten-GigabitEthernet1/0/1] port hybrid protocol-vlan vlan 200 1
[Device-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a hybrid port, and assign it to VLANs 100 and 200 as
an untagged VLAN member.
[Device] interface ten-gigabitethernet 1/0/2
[Device-Ten-GigabitEthernet1/0/2] port link-type hybrid
[Device-Ten-GigabitEthernet1/0/2] port hybrid vlan 100 200 untagged
# Associate Ten-GigabitEthernet 1/0/2 with the IPv4 and ARP protocol templates of VLAN 100
and the IPv6 protocol template of VLAN 200.
[Device-Ten-GigabitEthernet1/0/2] port hybrid protocol-vlan vlan 100 1 to 2
[Device-Ten-GigabitEthernet1/0/2] port hybrid protocol-vlan vlan 200 1
[Device-Ten-GigabitEthernet1/0/2] quit
2. Configure hosts and servers:
a. Configure IPv4 Host A, IPv4 Host B, and IPv4 server to be on the same network segment
(192.168.100.0/24, for example). (Details not shown.)
b. Configure IPv6 Host A, IPv6 Host B, and IPv6 server to be on the same network segment
(2001::1/64, for example). (Details not shown.)
Verifying the configuration
1. Verify the following:
{ The hosts and the server in VLAN 100 can successfully ping one another. (Details not
shown.)
{ The hosts and the server in VLAN 200 can successfully ping one another. (Details not
shown.)
{ The hosts or the server in VLAN 100 cannot ping the hosts or server in VLAN 200. (Details
not shown.)
2. Verify the protocol-based VLAN configuration:
# Display protocol-based VLANs on Device.
[Device] display protocol-vlan vlan all
VLAN ID: 100
Protocol index Protocol type
1 IPv4
2 Ethernet II Etype 0x0806

VLAN ID: 200

Protocol index Protocol type
1 IPv6
# Display protocol-based VLANs on the ports of Device.
[Device] display protocol-vlan interface all
Interface: Ten-GigabitEthernet1/0/1
VLAN ID Protocol index Protocol type Status

169
100 1 IPv4 Active
100 2 Ethernet II Etype 0x0806 Active
200 1 IPv6 Active

Interface: Ten-GigabitEthernet 1/0/2

VLAN ID Protocol index Protocol type Status
100 1 IPv4 Active
100 2 Ethernet II Etype 0x0806 Active
200 1 IPv6 Active

170
Configuring super VLANs
Hosts in a VLAN typically use IP addresses in the same subnet. For Layer 3 interoperability with
other VLANs, you can create a VLAN interface for the VLAN and assign an IP address to it. This
requires a large number of IP addresses.
The super VLAN feature was introduced to save IP addresses. A super VLAN is associated with
multiple sub-VLANs. These sub-VLANs use the VLAN interface of the super VLAN (also known as a
super VLAN interface) as the gateway for Layer 3 communication.
You can create a VLAN interface for a super VLAN and assign an IP address to it. However, you
cannot create a VLAN interface for a sub-VLAN. You can assign a physical port to a sub-VLAN, but
you cannot assign a physical port to a super VLAN. Sub-VLANs are isolated at Layer 2.
To enable Layer 3 communication between sub-VLANs, perform the following tasks:
1. Create a super VLAN and the VLAN interface for the super VLAN.
2. Enable local proxy ARP or ND on the super VLAN interface as follows:
{ In an IPv4 network, enable local proxy ARP on the super VLAN interface. The super VLAN
can then process ARP requests and replies sent from the sub-VLANs.
{ In an IPv6 network, enable local proxy ND on the super VLAN interface. The super VLAN
can then process the NS and NA messages sent from the sub-VLANs.

Super VLAN configuration task list

Tasks at a glance
(Required.) Creating a sub-VLAN
(Required.) Configuring a super VLAN
(Required.) Configuring a super VLAN interface

Creating a sub-VLAN
Step Command Remarks
1. Enter system view. system-view N/A

2. Create a sub-VLAN. By default, only the system default VLAN

vlan vlan-id
(VLAN 1) exists.

Configuring a super VLAN

When you configure a super VLAN, follow these restrictions and guidelines:
• Do not configure the VLAN of a MAC address-to-VLAN entry as a super VLAN.
• Do not configure a VLAN as both a super VLAN and a guest VLAN, Auth-Fail VLAN, or critical
VLAN. For more information about guest VLANs, Auth-Fail VLANs, and critical VLANs, see
Security Configuration Guide.
• Do not configure a VLAN as both a super VLAN and a sub-VLAN.
• Layer 2 multicast configuration for super VLANs does not take effect because they do not have
physical ports.

171
 To configure a super VLAN:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter VLAN view. vlan vlan-id N/A
3. Configure the VLAN
as a super VLAN. supervlan By default, a VLAN is not a super VLAN.

By default, a super VLAN is not associated with

4. Associate the super any sub-VLANs.
VLAN with the subvlan vlan-id-list
sub-VLANs. Make sure the sub-VLANs already exist before
associating them with a super VLAN.

Configuring a super VLAN interface

As a best practice, do not configure VRRP for a super VLAN interface because the configuration
affects network performance. For more information about VRRP, see High Availability Configuration
Guide.
To configure a VLAN interface for a super VLAN:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a VLAN
interface and enter its interface vlan-interface The value for the interface-number
view. interface-number argument must be the super VLAN ID.

• Configure an IPv4 address:

ip address ip-address
3. Configure an IP { mask-length | mask } [ sub ]
address for the super By default, no IP address is
• Configure an IPv6 address:
VLAN interface. configured for a VLAN interface.
ipv6 address { ipv6-address
prefix-length |
ipv6-address/prefix-length }
By default:
• Sub-VLANs cannot
communicate with each other at
Layer 3.
• Enable local proxy ARP for • Local proxy ARP or ND is
devices that run IPv4 protocols: disabled.
4. Configure Layer 3 local-proxy-arp enable
communication For more information about local
between sub-VLANs. • Enable local proxy ND for proxy ARP and ND, see Layer 3—IP
devices that run IPv6 protocols: Services Configuration Guide. For
local-proxy-nd enable more information about
local-proxy-arp enable and
local-proxy-nd enable commands,
see Layer 3—IP Services Command
Reference.

Displaying and maintaining super VLANs

Execute display commands in any view.

172
 Task Command
Display information about super VLANs and their
display supervlan [ supervlan-id ]
associated sub-VLANs.

Super VLAN configuration example

Network requirements
As shown in Figure 57:
• Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 are in VLAN 2.
• Ten-GigabitEthernet 1/0/3 and Ten-GigabitEthernet 1/0/4 are in VLAN 3.
• Ten-GigabitEthernet 1/0/5 and Ten-GigabitEthernet 1/0/6 are in VLAN 5.
To save IP addresses and enable sub-VLANs to be isolated at Layer 2 but interoperable at Layer 3,
perform the following tasks:
• Create a super VLAN and assign an IP address to its VLAN interface.
• Associate the super VLAN with VLANs 2, 3, and 5.
Figure 57 Network diagram

Configuration procedure
# Create VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] quit

# Create VLAN-interface 10, and assign IP address 10.1.1.1/24 to it.

[DeviceA] interface vlan-interface 10
[DeviceA-Vlan-interface10] ip address 10.1.1.1 255.255.255.0

# Enable local proxy ARP.

[DeviceA-Vlan-interface10] local-proxy-arp enable
[DeviceA-Vlan-interface10] quit

# Create VLAN 2, and assign Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 to the VLAN.
[DeviceA] vlan 2
[DeviceA-vlan2] port ten-gigabitethernet 1/0/1 ten-gigabitethernet 1/0/2

173
 [DeviceA-vlan2] quit

# Create VLAN 3, and assign Ten-GigabitEthernet 1/0/3 and Ten-GigabitEthernet 1/0/4 to the VLAN.
[DeviceA] vlan 3
[DeviceA-vlan3] port ten-gigabitethernet 1/0/3 ten-gigabitethernet 1/0/4
[DeviceA-vlan3] quit

# Create VLAN 5, and assign Ten-GigabitEthernet 1/0/5 and Ten-GigabitEthernet 1/0/6 to the VLAN.
[DeviceA] vlan 5
[DeviceA-vlan5] port ten-gigabitethernet 1/0/5 ten-gigabitethernet 1/0/6
[DeviceA-vlan5] quit

# Configure VLAN 10 as a super VLAN, and associate sub-VLANs 2, 3, and 5 with the super VLAN.
[DeviceA] vlan 10
[DeviceA-vlan10] supervlan
[DeviceA-vlan10] subvlan 2 3 5
[DeviceA-vlan10] quit
[DeviceA] quit

Verifying the configuration

# Display information about super VLAN 10 and its associated sub-VLANs.
<DeviceA> display supervlan
Super VLAN ID: 10
Sub-VLAN ID: 2-3 5

VLAN ID: 10
VLAN type: Static
It is a super VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0010
Name: VLAN 0010
Tagged ports: None
Untagged ports: None

VLAN ID: 2
VLAN type: Static
It is a sub VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0002
Name: VLAN 0002
Tagged ports: None
Untagged ports:
Ten-GigabitEthernet1/0/1
Ten-GigabitEthernet1/0/2

VLAN ID: 3

174
VLAN type: Static
It is a sub VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0003
Name: VLAN 0003
Tagged ports: None
Untagged ports:
Ten-GigabitEthernet1/0/3
Ten-GigabitEthernet1/0/4

VLAN ID: 5
VLAN type: Static
It is a sub VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0005
Name: VLAN 0005
Tagged ports: None
Untagged ports:
Ten-GigabitEthernet1/0/5
Ten-GigabitEthernet1/0/6

175
Configuring the private VLAN
VLAN technology provides a method for isolating traffic from customers. At the access layer of a
network, customer traffic must be isolated for security or accounting purposes. If VLANs are
assigned on a per-user basis, a large number of VLANs will be required.
The private VLAN feature saves VLAN resources. It uses a two-tier VLAN structure as follows:
• Primary VLAN—Used for connecting the upstream device. A primary VLAN can be associated
with multiple secondary VLANs. The upstream device identifies only the primary VLAN.
• Secondary VLANs—Used for connecting users. Secondary VLANs are isolated at Layer 2. To
implement Layer 3 communication between secondary VLANs associated with the primary
VLAN, enable local proxy ARP or ND on the upstream device (for example, L3 Device A
in Figure 58).
As shown in Figure 58, the private VLAN feature is enabled on L2 Device B. VLAN 10 is the primary
VLAN. VLANs 2, 5, and 8 are secondary VLANs that are associated with VLAN 10. L3 Device A is
only aware of VLAN 10.
Figure 58 Private VLAN example

If the private VLAN feature is configured on a Layer 3 device, use one of the following methods on
the Layer 3 device to enable Layer 3 communication. Layer 3 communication might be required
between secondary VLANs that are associated with the same primary VLAN, or between secondary
VLANs and other networks.
• Method 1:
a. Create VLAN interfaces for the secondary VLANs.
b. Assign IP addresses to the secondary VLAN interfaces.
• Method 2:
a. Enable Layer 3 communication between the secondary VLANs that are associated with the
primary VLAN.
b. Create the VLAN interface for the primary VLAN and assign an IP address to it. (Do not
create secondary VLAN interfaces if you use this method.)
c. Enable local proxy ARP or ND on the primary VLAN interface.

Configuration task list

To configure the private VLAN feature, perform the following tasks:
1. Configure the primary VLAN.
2. Configure the secondary VLANs.

176
 3. Associate the secondary VLANs with the primary VLAN.
4. Configure the uplink and downlink ports:
{ Configure the uplink port (for example, the port connecting L2 Device B to L3 Device A
in Figure 58):
− When the port allows only one primary VLAN, configure the port as a promiscuous port
of the primary VLAN. The promiscuous port can be automatically assigned to the
primary VLAN and its associated secondary VLANs.
− When the port allows multiple primary VLANs, configure the port as a trunk promiscuous
port of the primary VLANs. The trunk promiscuous port can be automatically assigned to
the primary VLANs and their associated secondary VLANs.
{ Configure a downlink port (for example, the port connecting L2 Device B to a host in Figure
58) as a host port. The host port can be automatically assigned to the secondary VLAN and
its associated primary VLAN.
{ If a downlink port allows multiple secondary VLANs, configure the port as a trunk secondary
port. The trunk secondary port can be automatically assigned to the secondary VLANs and
their associated primary VLANs.
For more information about promiscuous, trunk promiscuous, host, and trunk secondary ports,
see Layer 2—LAN Switching Command Reference.
5. Configure Layer 3 communication between the specified secondary VLANs that are associated
with the primary VLAN.

Configuration restrictions and guidelines

When you configure the private VLAN feature, follow these restrictions and guidelines:
• Make sure the following requirements are met:
{ For a promiscuous port:
− The primary VLAN is the PVID of the port.
− The port is an untagged member of the primary VLAN and secondary VLANs.
{ For a host port:
− The PVID of the port is a secondary VLAN.
− The port is an untagged member of the primary VLAN and the secondary VLAN.
{ A trunk promiscuous or trunk secondary port must be a tagged member of the primary
VLANs and the secondary VLANs.
• VLAN 1 (system default VLAN) does not support the private VLAN configuration.

Configuration procedure
To configure the private VLAN feature:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a VLAN and enter
VLAN view. vlan vlan-id N/A

3. Configure the VLAN as a By default, a VLAN is not a

primary VLAN. private-vlan primary
primary VLAN.
4. Return to system view. quit N/A

177
Step Command Remarks
5. Create one or multiple
secondary VLANs. vlan { vlan-id1 [ to vlan-id2 ] | all } N/A

6. Return to system view. quit N/A

7. Enter VLAN view of the
primary VLAN. vlan vlan-id N/A

8. Associate the primary By default, a primary VLAN is not

VLAN with the secondary private-vlan secondary vlan-id-list associated with any secondary
VLANs. VLANs.
9. Return to system view. quit N/A
10. Enter interface view of the interface interface-type
uplink port. N/A
interface-number
• Configure the uplink port as a
promiscuous port of the
specified VLAN:
11. Configure the uplink port port private-vlan vlan-id
as a promiscuous or trunk promiscuous By default, a port is not a
promiscuous port of the promiscuous or trunk
• Configure the uplink port as a
specified VLANs. promiscuous port of any VLANs.
trunk promiscuous port of the
specified VLANs:
port private-vlan vlan-id-list
trunk promiscuous
12. Return to system view. quit N/A
13. Enter interface view of the interface interface-type
downlink port. N/A
interface-number
a Set the link type of the port:
port link-type { access |
hybrid | trunk }
b Assign the access port to the
specified VLAN:
port access vlan vlan-id
14. Assign the downlink port to c Assign the trunk port to the Select substep b, c, or d
secondary VLANs. specified VLANs: depending on the port link type.
port trunk permit vlan
{ vlan-id-list | all }
d Assign the hybrid port to the
specified VLANs:
port hybrid vlan vlan-id-list
{ tagged | untagged }
• Configure the downlink port as a
host port:
port private-vlan host
15. Configure the downlink
port as a host or trunk • Configure the downlink port as a By default, a port is not a host or
secondary port. trunk secondary port of the trunk secondary port.
specified VLANs:
port private-vlan vlan-id-list
trunk secondary
16. Return to system view. quit N/A
17. Enter VLAN view of a
secondary VLAN. vlan vlan-id N/A

18. (Optional.) Enable Layer 2 By default, ports in the same

communication for ports in • undo private-vlan isolated secondary VLAN can
the same secondary • private-vlan community communicate with each other at
VLAN. Layer 2.

178
 Step Command Remarks
19. Return to system view. quit N/A
a Enter VLAN interface view of
the primary VLAN interface: Use substeps a, b, c, and e for
interface vlan-interface devices that run IPv4 protocols.
interface-number Use substeps a, b, d, and f for
b Enable Layer 3 communication devices that run IPv6 protocols.
between secondary VLANs that By default:
are associated with the primary
• Secondary VLANs cannot
VLAN:
communicate with each
private-vlan secondary
other at Layer 3.
vlan-id-list
20. (Optional.) Configure • No IP address is configured
c Assign an IPv4 address to the
Layer 3 communication for a VLAN interface.
primary VLAN interface:
between the specified ip address ip-address • Local proxy ARP and ND
secondary VLANs. { mask-length | mask } [ sub ] are disabled.
d Assign an IPv6 address to the For more information about local
primary VLAN interface: proxy ARP and ND, see Layer
ipv6 address { ipv6-address 3—IP Services Configuration
prefix-length | Guide. For more information
ipv6-address/prefix-length } about the local-proxy-arp
e Enable local proxy ARP: enable and local-proxy-nd
local-proxy-arp enable enable commands, see Layer
f Enable local proxy ND: 3—IP Services Command
local-proxy-nd enable Reference.

Displaying and maintaining the private VLAN

Execute display commands in any view.

Task Command
Display information about primary VLANs and the
display private-vlan [ primary-vlan-id ]
secondary VLANs associated with each primary VLAN.

Private VLAN configuration examples

Promiscuous port configuration example
Network requirements
As shown in Figure 59, configure the private VLAN feature to meet the following requirements:
• On Device B, VLAN 5 is a primary VLAN that is associated with secondary VLANs 2 and 3.
Ten-GigabitEthernet 1/0/5 is in VLAN 5. Ten-GigabitEthernet 1/0/2 is in VLAN 2.
Ten-GigabitEthernet 1/0/3 is in VLAN 3.
• On Device C, VLAN 6 is a primary VLAN that is associated with secondary VLANs 3 and 4.
Ten-GigabitEthernet 1/0/5 is in VLAN 6. Ten-GigabitEthernet 1/0/3 is in VLAN 3.
Ten-GigabitEthernet 1/0/4 is in VLAN 4.
• Device A is aware of only VLAN 5 on Device B and VLAN 6 on Device C.

179
 Figure 59 Network diagram

Configuration procedure
This example describes the configurations on Device B and Device C.
1. Configure Device B:
# Configure VLAN 5 as a primary VLAN.
<DeviceB> system-view
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan primary
[DeviceB-vlan5] quit
# Create VLANs 2 and 3.
[DeviceB] vlan 2 to 3
# Associate secondary VLANs 2 and 3 with primary VLAN 5.
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan secondary 2 to 3
[DeviceB-vlan5] quit
# Configure the uplink port (Ten-GigabitEthernet 1/0/5) as a promiscuous port of VLAN 5.
[DeviceB] interface ten-gigabitethernet 1/0/5
[DeviceB-Ten-GigabitEthernet1/0/5] port private-vlan 5 promiscuous
[DeviceB-Ten-GigabitEthernet1/0/5] quit
# Assign downlink port Ten-GigabitEthernet 1/0/2 to VLAN 2, and configure the port as a host
port.
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] port access vlan 2
[DeviceB-Ten-GigabitEthernet1/0/2] port private-vlan host
[DeviceB-Ten-GigabitEthernet1/0/2] quit
# Assign downlink port Ten-GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host
port.
[DeviceB] interface ten-gigabitethernet 1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] port access vlan 3
[DeviceB-Ten-GigabitEthernet1/0/3] port private-vlan host

180
 [DeviceB-Ten-GigabitEthernet1/0/3] quit
2. Configure Device C:
# Configure VLAN 6 as a primary VLAN.
<DeviceC> system-view
[DeviceC] vlan 6
[DeviceC–vlan6] private-vlan primary
[DeviceC–vlan6] quit
# Create VLANs 3 and 4.
[DeviceC] vlan 3 to 4
# Associate secondary VLANs 3 and 4 with primary VLAN 6.
[DeviceC] vlan 6
[DeviceC-vlan6] private-vlan secondary 3 to 4
[DeviceC-vlan6] quit
# Configure the uplink port (Ten-GigabitEthernet 1/0/5) as a promiscuous port of VLAN 6.
[DeviceC] interface ten-gigabitethernet 1/0/5
[DeviceC-Ten-GigabitEthernet1/0/5] port private-vlan 6 promiscuous
[DeviceC-Ten-GigabitEthernet1/0/5] quit
# Assign downlink port Ten-GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host
port.
[DeviceC] interface ten-gigabitethernet 1/0/3
[DeviceC-Ten-GigabitEthernet1/0/3] port access vlan 3
[DeviceC-Ten-GigabitEthernet1/0/3] port private-vlan host
[DeviceC-Ten-GigabitEthernet1/0/3] quit
# Assign downlink port Ten-GigabitEthernet 1/0/4 to VLAN 4, and configure the port as a host
port.
[DeviceC] interface ten-gigabitethernet 1/0/4
[DeviceC-Ten-GigabitEthernet1/0/4] port access vlan 4
[DeviceC-Ten-GigabitEthernet1/0/4] port private-vlan host
[DeviceC-Ten-GigabitEthernet1/0/4] quit

Verifying the configuration

# Verify the private VLAN configurations on the devices, for example, on Device B.
[DeviceB] display private-vlan
Primary VLAN ID: 5
Secondary VLAN ID: 2-3

VLAN ID: 5
VLAN type: Static
Private VLAN type: Primary
Route interface: Not configured
Description: VLAN 0005
Name: VLAN 0005
Tagged ports: None
Untagged ports:
Ten-GigabitEthernet1/0/2
Ten-GigabitEthernet1/0/3
Ten-GigabitEthernet1/0/5

181
 VLAN ID: 2
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0002
Name: VLAN 0002
Tagged ports: None
Untagged ports:
Ten-GigabitEthernet1/0/2
Ten-GigabitEthernet1/0/5

VLAN ID: 3
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0003
Name: VLAN 0003
Tagged Ports: None
Untagged Ports:
Ten-GigabitEthernet1/0/3
Ten-GigabitEthernet1/0/5

The output shows that:

• The promiscuous port (Ten-GigabitEthernet 1/0/5) is an untagged member of primary VLAN 5
and secondary VLANs 2 and 3.
• Host port Ten-GigabitEthernet 1/0/2 is an untagged member of primary VLAN 5 and secondary
VLAN 2.
• Host port Ten-GigabitEthernet 1/0/3 is an untagged member of primary VLAN 5 and secondary
VLAN 3.

Trunk promiscuous port configuration example

Network requirements
As shown in Figure 60, configure the private VLAN feature to meet the following requirements:
• VLANs 5 and 10 are primary VLANs on Device B. The uplink port (Ten-GigabitEthernet 1/0/1)
on Device B permits the packets from VLANs 5 and 10 to pass through tagged.
• On Device B, downlink port Ten-GigabitEthernet 1/0/2 permits secondary VLAN 2. Downlink
port Ten-GigabitEthernet 1/0/3 permits secondary VLAN 3. Secondary VLANs 2 and 3 are
associated with primary VLAN 5.
• On Device B, downlink port Ten-GigabitEthernet 1/0/4 permits secondary VLAN 6. Downlink
port Ten-GigabitEthernet 1/0/5 permits secondary VLAN 8. Secondary VLANs 6 and 8 are
associated with primary VLAN 10.
• Device A is aware of only VLANs 5 and 10 on Device B.

182
 Figure 60 Network diagram

Configuration procedure
1. Configure Device B:
# Configure VLANs 5 and 10 as primary VLANs.
<DeviceB> system-view
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan primary
[DeviceB-vlan5] quit
[DeviceB] vlan 10
[DeviceB-vlan10] private-vlan primary
[DeviceB-vlan10] quit
# Create VLANs 2, 3, 6, and 8.
[DeviceB] vlan 2 to 3
[DeviceB] vlan 6
[DeviceB-vlan6] quit
[DeviceB] vlan 8
[DeviceB-vlan8] quit
# Associate secondary VLANs 2 and 3 with primary VLAN 5.
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan secondary 2 to 3
[DeviceB-vlan5] quit
# Associate secondary VLANs 6 and 8 with primary VLAN 10.
[DeviceB] vlan 10
[DeviceB-vlan10] private-vlan secondary 6 8
[DeviceB-vlan10] quit
# Configure the uplink port (Ten-GigabitEthernet 1/0/1) as a trunk promiscuous port of VLANs 5
and 10.
[DeviceB] interface ten-gigabitethernet 1/0/1
[DeviceB-Ten-GigabitEthernet1/0/1] port private-vlan 5 10 trunk promiscuous
[DeviceB-Ten-GigabitEthernet1/0/1] quit

183
 # Assign downlink port Ten-GigabitEthernet 1/0/2 to VLAN 2, and configure the port as a host
port.
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] port access vlan 2
[DeviceB-Ten-GigabitEthernet1/0/2] port private-vlan host
[DeviceB-Ten-GigabitEthernet1/0/2] quit
# Assign downlink port Ten-GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host
port.
[DeviceB] interface ten-gigabitethernet 1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] port access vlan 3
[DeviceB-Ten-GigabitEthernet1/0/3] port private-vlan host
[DeviceB-Ten-GigabitEthernet1/0/3] quit
# Assign downlink port Ten-GigabitEthernet 1/0/4 to VLAN 6, and configure the port as a host
port.
[DeviceB] interface ten-gigabitethernet 1/0/4
[DeviceB-Ten-GigabitEthernet1/0/4] port access vlan 6
[DeviceB-Ten-GigabitEthernet1/0/4] port private-vlan host
[DeviceB-Ten-GigabitEthernet1/0/4] quit
# Assign downlink port Ten-GigabitEthernet 1/0/5 to VLAN 8, and configure the port as a host
port.
[DeviceB] interface ten-gigabitethernet 1/0/5
[DeviceB-Ten-GigabitEthernet1/0/5] port access vlan 8
[DeviceB-Ten-GigabitEthernet1/0/5] port private-vlan host
[DeviceB-Ten-GigabitEthernet1/0/5] quit
2. Configure Device A:
# Create VLANs 5 and 10.
[DeviceA] vlan 5
[DeviceA-vlan5] quit
[DeviceA] vlan 10
[DeviceA-vlan10] quit
# Configure Ten-GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 5 and 10 as a
tagged VLAN member.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-type hybrid
[DeviceA-Ten-GigabitEthernet1/0/1] port hybrid vlan 5 10 tagged
[DeviceA-Ten-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify the primary VLAN configurations on Device B. The following output uses primary VLAN 5 as
an example.
[DeviceB] display private-vlan 5
Primary VLAN ID: 5
Secondary VLAN ID: 2-3

VLAN ID: 5
VLAN type: Static
Private VLAN type: Primary
Route interface: Not configured
Description: VLAN 0005

184
 Name: VLAN 0005
Tagged ports:
Ten-GigabitEthernet1/0/1
Untagged ports:
Ten-GigabitEthernet1/0/2
Ten-GigabitEthernet1/0/3

VLAN ID: 2
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0002
Name: VLAN 0002
Tagged ports:
Ten-GigabitEthernet1/0/1
Untagged ports:
Ten-GigabitEthernet1/0/2

VLAN ID: 3
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0003
Name: VLAN 0003
Tagged ports:
Ten-GigabitEthernet1/0/1
Untagged ports:
Ten-GigabitEthernet1/0/3

The output shows that:

• The trunk promiscuous port (Ten-GigabitEthernet 1/0/1) is a tagged member of primary VLAN 5
and secondary VLANs 2 and 3.
• Host port Ten-GigabitEthernet 1/0/2 is an untagged member of primary VLAN 5 and secondary
VLAN 2.
• Host port Ten-GigabitEthernet 1/0/3 is an untagged member of primary VLAN 5 and secondary
VLAN 3.

Trunk promiscuous and trunk secondary port configuration

example
Network requirements
As shown in Figure 61, configure the private VLAN feature to meet the following requirements:
• VLANs 10 and 20 are primary VLANs on Device A. The uplink port (Ten-GigabitEthernet 1/0/5)
on Device A permits the packets from VLANs 10 and 20 to pass through tagged.
• VLANs 11, 12, 21, and 22 are secondary VLANs on Device A.
{ Downlink port Ten-GigabitEthernet 1/0/2 permits the packets from secondary VLANs 11 and
21 to pass through tagged.
{ Downlink port Ten-GigabitEthernet 1/0/1 permits secondary VLAN 22.

185
 { Downlink port Ten-GigabitEthernet 1/0/3 permits secondary VLAN 12.
• Secondary VLANs 11 and 12 are associated with primary VLAN 10.
• Secondary VLANs 21 and 22 are associated with primary VLAN 20.
Figure 61 Network diagram

Configuration procedure
1. Configure Device A:
# Configure VLANs 10 and 20 as primary VLANs.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan primary
[DeviceA-vlan10] quit
[DeviceA] vlan 20
[DeviceA-vlan20] private-vlan primary
[DeviceA-vlan20] quit
# Create VLANs 11, 12, 21, and 22.
[DeviceA] vlan 11 to 12
[DeviceA] vlan 21 to 22
# Associate secondary VLANs 11 and 12 with primary VLAN 10.
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan secondary 11 12
[DeviceA-vlan10] quit
# Associate secondary VLANs 21 and 22 with primary VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] private-vlan secondary 21 22

186
 [DeviceA-vlan20] quit
# Configure the uplink port (Ten-GigabitEthernet 1/0/5) as a trunk promiscuous port of VLANs
10 and 20.
[DeviceA] interface ten-gigabitethernet 1/0/5
[DeviceA-Ten-GigabitEthernet1/0/5] port private-vlan 10 20 trunk promiscuous
[DeviceA-Ten-GigabitEthernet1/0/5] quit
# Assign downlink port Ten-GigabitEthernet 1/0/1 to VLAN 22 and configure the port as a host
port.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port access vlan 22
[DeviceA-Ten-GigabitEthernet1/0/1] port private-vlan host
[DeviceA-Ten-GigabitEthernet1/0/1] quit
# Assign downlink port Ten-GigabitEthernet 1/0/3 to VLAN 12 and configure the port as a host
port.
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port access vlan 12
[DeviceA-Ten-GigabitEthernet1/0/3] port private-vlan host
[DeviceA-Ten-GigabitEthernet1/0/3] quit
# Configure downlink port Ten-GigabitEthernet 1/0/2 as a trunk secondary port of VLANs 11
and 21.
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port private-vlan 11 21 trunk secondary
[DeviceA-Ten-GigabitEthernet1/0/2] quit
2. Configure Device B:
# Create VLANs 11 and 21.
<DeviceB> system-view
[DeviceB] vlan 11
[DeviceB-vlan11] quit
[DeviceB] vlan 21
[DeviceB-vlan21] quit
# Configure Ten-GigabitEthernet 1/0/2 as a hybrid port, and assign it to VLANs 11 and 21 as a
tagged VLAN member.
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] port link-type hybrid
[DeviceB-Ten-GigabitEthernet1/0/2] port hybrid vlan 11 21 tagged
[DeviceB-Ten-GigabitEthernet1/0/2] quit
# Assign Ten-GigabitEthernet 1/0/3 to VLAN 11.
[DeviceB] interface ten-gigabitethernet 1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] port access vlan 11
[DeviceB-Ten-GigabitEthernet1/0/3] quit
# Assign Ten-GigabitEthernet 1/0/4 to VLAN 21.
[DeviceB] interface ten-gigabitethernet 1/0/4
[DeviceB-Ten-GigabitEthernet1/0/4] port access vlan 21
[DeviceB-Ten-GigabitEthernet1/0/4] quit
3. Configure Device C:
# Create VLANs 10 and 20.
<DeviceC> system-view
[DeviceC] vlan 10

187
 [DeviceC-vlan10] quit
[DeviceC] vlan 20
[DeviceC-vlan20] quit
# Configure Ten-GigabitEthernet 1/0/5 as a hybrid port, and assign it to VLANs 10 and 20 as a
tagged VLAN member.
[DeviceC] interface ten-gigabitethernet 1/0/5
[DeviceC-Ten-GigabitEthernet1/0/5] port link-type hybrid
[DeviceC-Ten-GigabitEthernet1/0/5] port hybrid vlan 10 20 tagged
[DeviceC-Ten-GigabitEthernet1/0/5] quit

Verifying the configuration

# Verify the primary VLAN configurations on Device A. The following output uses primary VLAN 10
as an example.
[DeviceA] display private-vlan 10
Primary VLAN ID: 10
Secondary VLAN ID: 11-12

VLAN ID: 10
VLAN type: Static
Private-vlan type: Primary
Route interface: Not configured
Description: VLAN 0010
Name: VLAN 0010
Tagged ports:
Ten-GigabitEthernet1/0/2
Ten-GigabitEthernet1/0/5
Untagged ports:
Ten-GigabitEthernet1/0/3

VLAN ID: 11
VLAN type: Static
Private-vlan type: Secondary
Route interface: Not configured
Description: VLAN 0011
Name: VLAN 0011
Tagged ports:
Ten-GigabitEthernet1/0/2
Ten-GigabitEthernet1/0/5
Untagged ports: None

VLAN ID: 12
VLAN type: Static
Private-vlan type: Secondary
Route interface: Not configured
Description: VLAN 0012
Name: VLAN 0012
Tagged ports:
Ten-GigabitEthernet1/0/5
Untagged ports:

188
 Ten-GigabitEthernet1/0/3

The output shows that:

• The trunk promiscuous port (Ten-GigabitEthernet 1/0/5) is a tagged member of primary VLAN
10 and secondary VLANs 11 and 12.
• The trunk secondary port (Ten-GigabitEthernet 1/0/2) is a tagged member of primary VLAN 10
and secondary VLAN 11.
• The host port (Ten-GigabitEthernet 1/0/3) is an untagged member of primary VLAN 10 and
secondary VLAN 12.

Secondary VLAN Layer 3 communication configuration

example
Network requirements
As shown in Figure 62, configure the private VLAN feature to meet the following requirements:
• Primary VLAN 10 on Device A is associated with secondary VLANs 2 and 3. The IP address of
VLAN-interface 10 is 192.168.1.1/24.
• Ten-GigabitEthernet 1/0/1 belongs to VLAN 10. Ten-GigabitEthernet 1/0/2 and
Ten-GigabitEthernet 1/0/3 belong to VLAN 2 and VLAN 3, respectively.
• Secondary VLANs are isolated at Layer 2 but interoperable at Layer 3.
Figure 62 Network diagram

Configuration procedure
# Create VLAN 10 and configure it as a primary VLAN.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan primary
[DeviceA-vlan10] quit

# Create VLANs 2 and 3.

<DeviceA> system-view
[DeviceA] vlan 2 to 3

# Associate primary VLAN 10 with secondary VLANs 2 and 3.

[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan primary
[DeviceA-vlan10] private-vlan secondary 2 3
[DeviceA-vlan10] quit

189
 # Configure the uplink port (Ten-GigabitEthernet 1/0/1) as a promiscuous port of VLAN 10.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port private-vlan 10 promiscuous
[DeviceA-Ten-GigabitEthernet1/0/1] quit

# Assign downlink port Ten-GigabitEthernet 1/0/2 to VLAN 2, and configure the port as a host port.
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port access vlan 2
[DeviceA-Ten-GigabitEthernet1/0/2] port private-vlan host
[DeviceA-Ten-GigabitEthernet1/0/2] quit

# Assign downlink port Ten-GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host port.
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port access vlan 3
[DeviceA-Ten-GigabitEthernet1/0/3] port private-vlan host
[DeviceA-Ten-GigabitEthernet1/0/3] quit

# Enable Layer 3 communication between secondary VLANs 2 and 3 that are associated with
primary VLAN 10.
[DeviceA] interface vlan-interface 10
[DeviceA-Vlan-interface10] private-vlan secondary 2 3

# Assign IP address 192.168.1.1/24 to VLAN-interface 10.

[DeviceA-Vlan-interface10] ip address 192.168.1.1 255.255.255.0

# Enable local proxy ARP on VLAN-interface 10.

[DeviceA-Vlan-interface10] local-proxy-arp enable
[DeviceA-Vlan-interface10] quit

Verifying the configuration

# Display the configuration of primary VLAN 10.
[DeviceA] display private-vlan 10
Primary VLAN ID: 10
Secondary VLAN ID: 2-3

VLAN ID: 10
VLAN type: Static
Private VLAN type: Primary
Route interface: Configured
IPv4 address: 192.168.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0010
Name: VLAN 0010
Tagged ports: None
Untagged ports:
Ten-GigabitEthernet1/0/1
Ten-GigabitEthernet1/0/2
Ten-GigabitEthernet1/0/3

VLAN ID: 2
VLAN type: Static
Private VLAN type: Secondary
Route interface: Configured

190
 IPv4 address: 192.168.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0002
Name: VLAN 0002
Tagged ports: None
Untagged ports:
Ten-GigabitEthernet1/0/1
Ten-GigabitEthernet1/0/2

VLAN ID: 3
VLAN type: Static
Private VLAN type: Secondary
Route interface: Configured
IPv4 address: 192.168.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0003
Name: VLAN 0003
Tagged ports: None
Untagged ports:
Ten-GigabitEthernet1/0/1
Ten-GigabitEthernet1/0/3

The Route interface field in the output is Configured, indicating that secondary VLANs 2 and 3 are
interoperable at Layer 3.

191
Configuring voice VLANs
Overview
A voice VLAN is used for transmitting voice traffic. The device can configure QoS parameters for
voice packets to ensure higher transmission priority of the voice packets.
Common voice devices include IP phones and integrated access devices (IADs). This chapter uses
IP phones as an example.
For an IP phone to access a device, the device must perform the following operations:
1. Identify the IP phone in the network and obtain the MAC address of the IP phone.
2. Advertise the voice VLAN information to the IP phone.
After receiving the voice VLAN information, the IP phone performs automatic configuration. Voice
packets sent from the IP phone can then be transmitted within the voice VLAN.

Methods of identifying IP phones

Devices can use the OUI addresses or LLDP to identify IP phones.

Identifying IP phones through OUI addresses

A device identifies voice packets based on their source MAC addresses. A packet whose source
MAC address complies with an Organizationally Unique Identifier (OUI) address of the device is
regarded as a voice packet.
You can use system default OUI addresses (see Table 14) or configure OUI addresses for the device.
You can manually remove or add the system default OUI addresses.
Table 14 Default OUI addresses

Number OUI address Vendor

1 0001-e300-0000 Siemens phone
2 0003-6b00-0000 Cisco phone
3 0004-0d00-0000 Avaya phone
4 000f-e200-0000 H3C Aolynk phone
5 0060-b900-0000 Philips/NEC phone
6 00d0-1e00-0000 Pingtel phone
7 00e0-7500-0000 Polycom phone
8 00e0-bb00-0000 3Com phone

Typically, an OUI address refers to the first 24 bits of a MAC address (in binary notation) and is a
globally unique identifier that IEEE assigns to a vendor. However, OUI addresses in this chapter are
addresses that the system uses to identify voice packets. They are the logical AND results of the
mac-address and oui-mask arguments in the voice-vlan mac-address command.

192
Automatically identifying IP phones through LLDP
If IP phones support LLDP, configure LLDP for automatic IP phone discovery on the device. The
device can then automatically discover the peer through LLDP, and exchange LLDP TLVs with the
peer.
If the LLDP System Capabilities TLV received on a port indicates that the peer can act as a telephone,
the device performs the following operations:
1. Sends an LLDP TLV with the voice VLAN configuration to the peer.
2. Assigns the receiving port to the voice VLAN.
3. Increases the transmission priority of the voice packets sent from the IP phone.
4. Adds the MAC address of the IP phone to the MAC address table to ensure that the IP phone
can pass authentication.
Use LLDP instead of the OUI list to identify IP phones if the network has more IP phone categories
than the maximum number of OUI addresses supported on the device. LLDP has higher priority than
the OUI list.
For more information about LLDP, see "Configuring LLDP."

Advertising the voice VLAN information to IP

phones
Figure 63 shows the workflow of advertising the voice VLAN information to IP phones.
Figure 63 Workflow of advertising the voice VLAN information to IP phones

IP phone access methods

Connecting the host and the IP phone in series
As shown in Figure 64, the host is connected to the IP phone, and the IP phone is connected to the
device. In this scenario, the following requirements must be met:
• The host and the IP phone use different VLANs.
• The IP phone is able to send out VLAN-tagged packets, so that the device can differentiate
traffic from the host and the IP phone.
• The port connecting to the IP phone forwards packets from the voice VLAN and the PVID.

193
 Figure 64 Connecting the host and IP phone in series

Voice gateway

Host IP phone Device

Connecting the IP phone to the device

As shown in Figure 65, IP phones are connected to the device without the presence of the host. Use
this connection method when IP phones sends out untagged voice packets. In this scenario, you
must configure the voice VLAN as the PVID of the access port of the IP phone, and configure the port
to forward the packets from the PVID.
Figure 65 Connecting the IP phone to the device

Voice VLAN assignment modes

A port can be assigned to a voice VLAN automatically or manually.

Automatic mode
Use automatic mode when PCs and IP phones are connected in series to access the network
through the device, as shown in Figure 64. Ports on the device transmit both voice traffic and data
traffic.
When an IP phone is powered on, it sends out protocol packets. After receiving these protocol
packets, the device uses the source MAC address of the protocol packets to match its OUI
addresses. If the match succeeds, the device performs the following operations:
• Assigns the receiving port of the protocol packets to the voice VLAN.
• Issues ACL rules to set the packet precedence.
• Starts the voice VLAN aging timer.
If no voice packet is received from the port before the aging timer expires, the device will remove the
port from the voice VLAN. The aging timer is also configurable.

194
 When the IP phone reboots, the port is reassigned to the voice VLAN to ensure the correct operation
of the existing voice connections. The reassignment occurs automatically without being triggered by
voice traffic as long as the voice VLAN operates correctly.

Manual mode
Use manual mode when only IP phones access the network through the device, as shown in Figure
65. In this mode, ports are assigned to a voice VLAN that transmits voice traffic exclusively. No data
traffic affects the voice traffic transmission.
You must manually assign the port that connects to the IP phone to a voice VLAN. The device uses
the source MAC address of the received voice packets to match its OUI addresses. If the match
succeeds, the device issues ACL rules to set the packet precedence.
To remove the port from the voice VLAN, you must manually remove it.

Cooperation of voice VLAN assignment modes and IP

phones
Some IP phones send out VLAN-tagged packets, and others send out only untagged packets. For
correct packet processing, ports of different link types must meet specific configuration requirements
in different voice VLAN assignment modes.
Access ports do not transmit tagged packets.
Table 15 Configuration requirements for trunk and hybrid ports to support tagged voice
traffic

Port link Voice VLAN

Configuration requirements
type assignment mode
Automatic The PVID of the port cannot be the voice VLAN.
Trunk The PVID of the port cannot be the voice VLAN.
Manual
The port must forward packets from the voice VLAN.
Automatic The PVID of the port cannot be the voice VLAN.

Hybrid The PVID of the port cannot be the voice VLAN.

Manual The port must forward packets from the voice VLAN with VLAN
tags.

When IP phones send out untagged packets, you must set the voice VLAN assignment mode to
manual.
Table 16 Configuration requirements for ports in manual mode to support untagged voice
traffic

Port link
Configuration requirements
type
Access The voice VLAN must be the PVID of the port.
The voice VLAN must be the PVID of the port.
Trunk
The port must forward packets from the voice VLAN.
The voice VLAN must be the PVID of the port.
Hybrid
The port must forward packets from the voice VLAN without VLAN tags.

195
 If an IP phone sends out tagged voice traffic, and its access port is configured with 802.1X
authentication, guest VLAN, Auth-Fail VLAN, or critical VLAN, VLAN IDs must be different for the
following VLANs:
• Voice VLAN.
• PVID of the access port.
• 802.1X guest, Auth-Fail, or critical VLAN.
If an IP phone sends out untagged voice traffic, the PVID of the access port must be the voice VLAN.
In this scenario, 802.1X authentication is not supported.

Security mode and normal mode of voice VLANs

Depending on the filtering mechanisms to incoming packets, a voice VLAN-enabled port can operate
in one of the following modes:
• Normal mode—The port receives voice-VLAN-tagged packets and forwards them in the voice
VLAN without examining their MAC addresses. If the PVID of the port is the voice VLAN and the
port operates in manual VLAN assignment mode, the port forwards all the received untagged
packets in the voice VLAN.
In this mode, voice VLANs are vulnerable to traffic attacks. Malicious users might send a large
number of forged voice-VLAN-tagged or untagged packets to affect voice communication.
• Security mode—The port uses the source MAC addresses of voice packets to match the OUI
addresses of the device. Packets that fail the match will be dropped.
In a safe network, you can configure the voice VLANs to operate in normal mode. This mode reduces
system resource consumption in source MAC address checking.
In either mode, the device modifies the transmission priority only for voice VLAN packets whose
source MAC addresses match OUI addresses of the device.
As a best practice, do not transmit both voice traffic and non-voice traffic in a voice VLAN. If you must
transmit different traffic in a voice VLAN, make sure the voice VLAN security mode is disabled.
Table 17 Packet processing on a voice VLAN-enabled port in normal or security mode

Voice VLAN
Packet type Packet processing
mode
• Untagged packets The port does not examine their source MAC addresses.
• Packets with the Both voice traffic and non-voice traffic can be transmitted in
Normal voice VLAN tags the voice VLAN.

Packets with other VLAN The port forwards or drops them depending on whether the
tags port permits packets from these VLANs to pass through.
• If the source MAC address of a packet matches an OUI
• Untagged packets address on the device, the packet is forwarded in the
• Packets with the voice VLAN.
Security voice VLAN tags • If the source MAC address of a packet does not match
an OUI address on the device, the packet is dropped.
Packets with other VLAN The port forwards or drops them depending on whether the
tags port permits packets from these VLANs to pass through.

Voice VLAN configuration task list

Tasks at a glance
(Required.) Configuring the QoS priority settings for voice traffic

196
 Tasks at a glance
(Required.) Use one of the following methods:
• Configuring a port to operate in automatic voice VLAN assignment mode
• Configuring a port to operate in manual voice VLAN assignment mode
(Optional.) Enabling LLDP for automatic IP phone discovery
(Optional.) Use one of the following methods:
• Configuring LLDP to advertise a voice VLAN
• Configuring CDP to advertise a voice VLAN

Configuring the QoS priority settings for voice

traffic
The QoS priority settings carried in voice traffic include the CoS and DSCP values. You can
configure the device to modify the QoS priority settings for voice traffic.
You cannot configure the QoS priority settings on a voice VLAN-enabled port. Before you configure
the QoS priority settings for voice traffic on a port, you must disable the voice VLAN feature on it.
To configure the QoS priority settings for voice traffic:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
interface-number
2. Enter interface view. N/A
• Enter Layer 2 aggregate interface
view:
interface bridge-aggregation
interface-number
By default, a port modifies the
CoS and DSCP values for voice
VLAN packets to 6 and 46,
• Configure the port to trust the QoS respectively.
priority settings: If a port trusts the QoS priority
3. Configure QoS voice-vlan qos trust
priority settings for settings in incoming voice VLAN
incoming voice • Configure the port to modify the CoS packets, the port does not modify
VLAN packets. and DSCP values: their CoS and DSCP values.
voice-vlan qos cos-value If you execute the voice-vlan qos
dscp-value and voice-vlan qos trust
commands multiple times, the
most recent configuration takes
effect.

197
Configuring a port to operate in automatic voice
VLAN assignment mode
Configuration restrictions and guidelines
When you configure a port to operate in automatic voice VLAN assignment mode, follow these
restrictions and guidelines:
• Do not configure a VLAN as both a voice VLAN and a protocol-based VLAN.
{ A voice VLAN in automatic mode on a hybrid port processes only tagged incoming voice
traffic.
{ A protocol-based VLAN on a hybrid port processes only untagged incoming packets. For
more information about protocol-based VLANs, see "Configuring protocol-based VLANs."
• As a best practice, do not use this mode with MSTP. In MSTP mode, if a port is blocked in the
MSTI of the target voice VLAN, the port drops the received packets instead of delivering them to
the CPU. As a result, the port will not be dynamically assigned to the voice VLAN.
• As a best practice, do not use this mode with PVST. In PVST mode, if the target voice VLAN is
not permitted on a port, the port is placed in blocked state. The port drops the received packets
instead of delivering them to the CPU. As a result, the port will not be dynamically assigned to
the voice VLAN.
• As a best practice, do not configure both dynamic MAC-based VLAN assignment and automatic
voice VLAN assignment mode on a port. They can have a negative impact on each other.

Configuration procedure
To configure a port to operate in automatic voice VLAN assignment mode:

Step Command Remarks

1. Enter system view. system-view N/A
By default, the aging timer of a
voice VLAN is 1440 minutes.
2. (Optional.) Set the voice The voice VLAN aging timer
VLAN aging timer. voice-vlan aging minutes
takes effect only on ports in
automatic voice VLAN
assignment mode.
3. (Optional.) Enable the
voice VLAN security By default, the voice VLAN
voice-vlan security enable
mode. security mode is enabled.

4. (Optional.) Add an OUI By default, system default

address for voice packet voice-vlan mac-address oui mask OUI addresses exist. For
identification. oui-mask [ description text ] more information, see Table
14.
• Enter Layer 2 Ethernet interface
view:
interface interface-type
interface-number
5. Enter interface view. N/A
• Enter Layer 2 aggregate interface
view:
interface bridge-aggregation
interface-number

198
 Step Command Remarks
6. Configure the link type of • port link-type trunk
the port. N/A
• port link-type hybrid
7. Configure the port to By default, the automatic
operate in automatic voice voice-vlan mode auto voice VLAN assignment mode
VLAN assignment mode. is enabled.
By default, the voice VLAN
feature is disabled.
8. Enable the voice VLAN Before you execute this
feature on the port. voice-vlan vlan-id enable
command, make sure the
specified VLAN already
exists.

Configuring a port to operate in manual voice

VLAN assignment mode
Configuration restrictions and guidelines
When you configure a port to operate in manual voice VLAN assignment mode, follow these
restrictions and guidelines:
• You can configure different voice VLANs for different ports on the same device. Make sure the
following requirements are met:
{ One port can be configured with only one voice VLAN.
{ Voice VLANs must be existing static VLANs.
• Do not enable voice VLAN on the member ports of a link aggregation group. For more
information about link aggregation, see "Configuring Ethernet link aggregation."
• To make a voice VLAN take effect on a port operating in manual mode, you must manually
assign the port to the voice VLAN.

Configuration procedure
To configure a port to operate in manual voice VLAN assignment mode:

Step Command Remarks

1. Enter system view. system-view N/A
2. (Optional.) Enable the
voice VLAN security By default, the voice VLAN
voice-vlan security enable
mode. security mode is enabled.

3. (Optional.) Add an OUI By default, system default OUI

address for voice packet voice-vlan mac-address oui mask
addresses exist. For more
identification. oui-mask [ description text ]
information, see Table 14.
• Enter Layer 2 Ethernet interface
view:
interface interface-type
interface-number
4. Enter interface view. N/A
• Enter Layer 2 aggregate interface
view:
interface bridge-aggregation
interface-number

199
 Step Command Remarks
5. Configure the port to
operate in manual voice By default, a port operates in
VLAN assignment undo voice-vlan mode auto automatic voice VLAN
mode. assignment mode.

• For the access port, see "Assigning

an access port to a VLAN." After you assign an access
6. Assign the access,
• For the trunk port, see "Assigning a port to the voice VLAN, the
trunk, or hybrid port to
trunk port to a VLAN." voice VLAN becomes the
the voice VLAN.
• For the hybrid port, see "Assigning a PVID of the port.
hybrid port to a VLAN."
7. (Optional.) Configure • For the trunk port, see "Assigning a This step is required for
the voice VLAN as the trunk port to a VLAN." untagged incoming voice
PVID of the trunk or • For the hybrid port, see "Assigning a traffic and prohibited for
hybrid port. hybrid port to a VLAN." tagged incoming voice traffic.

By default, the voice VLAN

feature is disabled.
8. Enable the voice VLAN
feature on the port. voice-vlan vlan-id enable Before you execute this
command, make sure the
specified VLAN already exists.

Enabling LLDP for automatic IP phone discovery

Configuration restrictions and guidelines
When you enable LLDP for automatic IP phone discovery, following these restrictions and
guidelines:
• Before you enable this feature, enable LLDP both globally and on access ports.
• Use this feature only with the automatic voice VLAN assignment mode.
• Do not use this feature together with CDP compatibility.
• After you enable this feature on the device, each port of the device can be connected to a
maximum of five IP phones.

Configuration procedure
To enable LLDP for automatic IP phone discovery:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable LLDP for automatic
IP phone discovery. voice-vlan track lldp By default, this feature is disabled.

Configuring LLDP to advertise a voice VLAN

For IP phones that support LLDP, the device advertises the voice VLAN information to the IP phones
through the LLDP-MED TLVs.
Before you configure this feature, enable LLDP both globally and on access ports.
To configure LLDP to advertise a voice VLAN:

200
 Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
By default, no advertised
voice VLAN ID is configured.
3. Configure an advertised lldp tlv-enable med-tlv For more information about
voice VLAN ID. network-policy vlan-id the command, see Layer
2—LAN Switching Command
Reference.
For more information about
4. (Optional.) Display the voice the command, see Layer
VLAN advertised by LLDP. display lldp local-information
2—LAN Switching Command
Reference.

Configuring CDP to advertise a voice VLAN

If an IP phone supports CDP but does not support LLDP, it will send out CDP packets to the device to
request the voice VLAN ID. If the IP phone does not receive the voice VLAN ID within a time period,
it will send out untagged packets. The device cannot differentiate untagged voice packets from other
types of packets.
You can configure CDP compatibility on the device to enable it to perform the following operations:
• Receive and identify CDP packets from the IP phone.
• Send CDP packets to the IP phone. The voice VLAN information is carried in the CDP packets.
After receiving the advertised VLAN information, the IP phone performs automatic voice VLAN
configuration. Packets from the IP phone will be transmitted in the dedicated voice VLAN.
LLDP packets sent from the device carry the priority information. CDP packets sent from the device
do not carry the priority information.
Before you configure this feature, enable LLDP globally and on access ports.
To configure CDP to advertise a voice VLAN:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enable CDP compatibility. By default, CDP compatibility

lldp compliance cdp
is disabled.
3. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number

4. Configure CDP-compatible CDP-compatible LLDP

LLDP to operate in TxRx lldp compliance admin-status cdp operating in TxRx mode can
mode. txrx send and receive CDP
packets.
By default, no advertised
voice VLAN ID is configured.
5. Configure an advertised For more information about
voice VLAN ID. cdp voice-vlan vlan-id
the command, see Layer
2—LAN Switching Command
Reference.

201
Displaying and maintaining voice VLANs
Execute display commands in any view.

Task Command
Display the voice VLAN state. display voice-vlan state
Display OUI addresses on a device. display voice-vlan mac-address

Voice VLAN configuration examples

Automatic voice VLAN assignment mode configuration
example
Network requirements
As shown in Figure 66, Device A transmits traffic from IP phones and hosts.
For correct voice traffic transmission, perform the following tasks on Device A:
• Configure voice VLANs 2 and 3 to transmit voice packets from IP phone A and IP phone B,
respectively.
• Configure Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 to operate in automatic
voice VLAN assignment mode.
• Add MAC addresses of IP phones A and B to the device for voice packet identification. The
mask of the two MAC addresses is FFFF-FF00-0000.
• Set an aging timer for voice VLANs.
Figure 66 Network diagram

Configuration procedure
1. Configure voice VLANs:
# Create VLANs 2 and 3.
<DeviceA> system-view
[DeviceA] vlan 2 to 3
# Set the voice VLAN aging timer to 30 minutes.

202
 [DeviceA] voice-vlan aging 30
# Enable security mode for voice VLANs.
[DeviceA] voice-vlan security enable
# Add MAC addresses of IP phones A and B to the device with mask FFFF-FF00-0000.
[DeviceA] voice-vlan mac-address 0011-1100-0001 mask ffff-ff00-0000 description IP
phone A
[DeviceA] voice-vlan mac-address 0011-2200-0001 mask ffff-ff00-0000 description IP
phone B
2. Configure Ten-GigabitEthernet 1/0/1:
# Configure Ten-GigabitEthernet 1/0/1 as a hybrid port.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-type hybrid
# Configure Ten-GigabitEthernet 1/0/1 to operate in automatic voice VLAN assignment mode.
[DeviceA-Ten-GigabitEthernet1/0/1] voice-vlan mode auto
# Enable voice VLAN on Ten-GigabitEthernet 1/0/1 and configure VLAN 2 as the voice VLAN
for it.
[DeviceA-Ten-GigabitEthernet1/0/1] voice-vlan 2 enable
[DeviceA-Ten-GigabitEthernet1/0/1] quit
3. Configure Ten-GigabitEthernet 1/0/2:
# Configure Ten-GigabitEthernet 1/0/2 as a hybrid port.
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-type hybrid
# Configure Ten-GigabitEthernet 1/0/2 to operate in automatic voice VLAN assignment mode.
[DeviceA-Ten-GigabitEthernet1/0/2] voice-vlan mode auto
# Enable voice VLAN on Ten-GigabitEthernet 1/0/2 and configure VLAN 3 as the voice VLAN
for it.
[DeviceA-Ten-GigabitEthernet1/0/2] voice-vlan 3 enable
[DeviceA-Ten-GigabitEthernet1/0/2] quit

Verifying the configuration

# Display the OUI addresses supported on Device A.
[DeviceA] display voice-vlan mac-address
OUI Address Mask Description
0001-e300-0000 ffff-ff00-0000 Siemens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
000f-e200-0000 ffff-ff00-0000 H3C Aolynk phone
0011-1100-0000 ffff-ff00-0000 IP phone A
0011-2200-0000 ffff-ff00-0000 IP phone B
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3Com phone

# Display the voice VLAN state.

[DeviceA] display voice-vlan state
Current voice VLANs: 2
Voice VLAN security mode: Security
Voice VLAN aging time: 30 minutes

203
 Voice VLAN enabled ports and their modes:
Port VLAN Mode CoS DSCP
XGE1/0/1 2 Auto 6 46
XGE1/0/2 3 Auto 6 46

Manual voice VLAN assignment mode configuration example

Network requirements
As shown in Figure 67, IP phone A send untagged voice traffic.
To enable Ten-GigabitEthernet 1/0/1 to transmit only voice packets, perform the following tasks on
Device A:
• Create VLAN 2. This VLAN will be used as a voice VLAN.
• Configure Ten-GigabitEthernet 1/0/1 to operate in manual voice VLAN assignment mode and
add it to VLAN 2.
• Add the OUI address of IP phone A to the OUI list of Device A.
Figure 67 Network diagram

Configuration procedure
# Enable security mode for voice VLANs.
<DeviceA> system-view
[DeviceA] voice-vlan security enable

# Add MAC address 0011-2200-0001 with mask FFFF-FF00-0000.

[DeviceA] voice-vlan mac-address 0011-2200-0001 mask ffff-ff00-0000 description test

# Create VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit

# Configure Ten-GigabitEthernet 1/0/1 to operate in manual voice VLAN assignment mode.

[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] undo voice-vlan mode auto

# Configure Ten-GigabitEthernet 1/0/1 as a hybrid port.

[DeviceA-Ten-GigabitEthernet1/0/1] port link-type hybrid

# Set the PVID of Ten-GigabitEthernet 1/0/1 to VLAN 2.

[DeviceA-Ten-GigabitEthernet1/0/1] port hybrid pvid vlan 2

# Assign Ten-GigabitEthernet 1/0/1 to VLAN 2 as an untagged VLAN member.

[DeviceA-Ten-GigabitEthernet1/0/1] port hybrid vlan 2 untagged

204
 # Enable voice VLAN and configure VLAN 2 as the voice VLAN on Ten-GigabitEthernet 1/0/1.
[DeviceA-Ten-GigabitEthernet1/0/1] voice-vlan 2 enable
[DeviceA-Ten-GigabitEthernet1/0/1] quit

Verifying the configuration

# Display the OUI addresses supported on Device A.
[DeviceA] display voice-vlan mac-address
OUI Address Mask Description
0001-e300-0000 ffff-ff00-0000 Siemens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
000f-e200-0000 ffff-ff00-0000 H3C Aolynk phone
0011-2200-0000 ffff-ff00-0000 test
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3Com phone

# Display the voice VLAN state.

[DeviceA] display voice-vlan state
Current voice VLANs: 1
Voice VLAN security mode: Security
Voice VLAN aging time: 1440 minutes
Voice VLAN enabled ports and their modes:
Port VLAN Mode CoS DSCP
XGE1/0/1 2 Manual 6 46

205
Configuring MVRP
Multiple Registration Protocol (MRP) is an attribute registration protocol used to transmit attribute
values. Multiple VLAN Registration Protocol (MVRP) is a typical MRP application. It synchronizes
VLAN information among devices.
MVRP propagates local VLAN information to other devices, receives VLAN information from other
devices, and dynamically updates local VLAN information. When the network topology changes,
MVRP propagates and learns VLAN information again according to the new topology.

MRP
MRP allows devices in the same LAN to transmit attribute values on a per MSTI basis. For more
information about MSTIs, see "Configuring spanning tree protocols."

MRP implementation
An MRP-enabled port is called an MRP participant. An MVRP-enabled port is called an MVRP
participant.
As shown in Figure 68, an MRP participant sends declarations and withdrawals to notify other
participants to register and deregister its attribute values. It also registers and deregisters the
attribute values of other participants according to the received declarations and withdrawals. MRP
rapidly propagates the configuration information of an MRP participant throughout the LAN.
Figure 68 MRP implementation

For example, MRP registers and deregisters VLAN attributes as follows:

• When a port receives a declaration for a VLAN, the port registers the VLAN and joins the VLAN.
• When a port receives a withdrawal for a VLAN, the port deregisters the VLAN and leaves the
VLAN.
Figure 68 shows a simple MRP implementation on an MSTI. In a network with multiple MSTIs, MRP
performs attribute registration and deregistration on a per-MSTI basis.

MRP messages
MRP messages include the following types:
• Declaration—Includes Join and New messages.
• Withdrawal—Includes Leave and LeaveAll messages.

206
Join message
An MRP participant sends a Join message to request the peer participant to register attributes in the
Join message.
When receiving a Join message from the peer participant, an MRP participant performs the following
tasks:
• Registers the attributes in the Join message.
• Propagates the Join message to all other participants on the device.
After receiving the Join message, other participants send the Join message to their respective peer
participants.
Join messages sent from a local participant to its peer participant include the following types:
• JoinEmpty—Declares an unregistered attribute. For example, when an MRP participant joins
an unregistered static VLAN, it sends a JoinEmpty message.
VLANs created manually and locally are called static VLANs. VLANs learned through MRP are
called dynamic VLANs.
• JoinIn—Declares a registered attribute. A JoinIn message is used in one of the following
situations:
{ An MRP participant joins an existing static VLAN and sends a JoinIn message after
registering the VLAN.
{ The MRP participant receives a Join message propagated by another participant on the
device and sends a JoinIn message after registering the VLAN.
New message
Similar to a Join message, a New message enables MRP participants to register attributes.
When the MSTP topology changes, an MRP participant sends a New message to the peer
participant to declare the topology change.
Upon receiving a New message from the peer participant, an MRP participant performs the following
tasks:
• Registers the attributes in the message.
• Propagates the New message to all other participants on the device.
After receiving the New message, other participants send the New message to their respective peer
participants.
Leave message
An MRP participant sends a Leave message to the peer participant when it wants the peer
participant to deregister attributes that it has deregistered.
When the peer participant receives the Leave message, it performs the following tasks:
• Deregisters the attribute in the Leave message.
• Propagates the Leave message to all other participants on the device.
After a participant on the device receives the Leave message, it determines whether to send the
Leave message to its peer participant depending on the attribute status on the device.
• If the VLAN in the Leave message is a dynamic VLAN not registered by any participants on the
device, both of the following events occur:
{ The VLAN is deleted on the device.
{ The participant sends the Leave message to its peer participant.
• If the VLAN in the Leave message is a static VLAN, the participant will not send the Leave
message to its peer participant.

207
LeaveAll message
Each MRP participant starts its LeaveAll timer when starting up. When the timer expires, the MRP
participant sends LeaveAll messages to the peer participant.
Upon sending or receiving a LeaveAll message, the local participant starts the Leave timer. The local
participant determines whether to send a Join message depending on its attribute status. A
participant can re-register the attributes in the received Join message before the Leave timer
expires.
When the Leave timer expires, a participant deregisters all attributes that have not been
re-registered to periodically clear useless attributes in the network.

MRP timers
MRP uses the following timers to control message transmission.
Periodic timer
The Periodic timer controls the transmission of MRP messages. An MRP participant starts its own
Periodic timer upon startup, and stores MRP messages to be sent before the Periodic timer expires.
When the Periodic timer expires, MRP sends stored MRP messages in as few MRP frames as
possible and restarts the Periodic timer. This mechanism reduces the number of MRP frames sent.
You can enable or disable the Periodic timer. When the Periodic timer is disabled, MRP does not
periodically send MRP messages. Instead, an MRP participant sends MRP messages when the
LeaveAll timer expires or the participant receives a LeaveAll message from the peer participant.
Join timer
The Join timer controls the transmission of Join messages. An MRP participant starts the Join timer
after sending a Join message to the peer participant. Before the Join timer expires, the participant
does not resend the Join message when the following conditions exist:
• The participant receives a JoinIn message from the peer participant.
• The received JoinIn message has the same attributes as the sent Join message.
When both the Join timer and the Periodic timer expire, the participant resends the Join message.
Leave timer
The Leave timer controls the deregistration of attributes.
An MRP participant starts the Leave timer in one of the following conditions:
• The participant receives a Leave message from its peer participant.
• The participant receives or sends a LeaveAll message.
The MRP participant does not deregister the attributes in the Leave or LeaveAll message if the
following conditions exist:
• The participant receives a Join message before the Leave timer expires.
• The Join message includes the attributes that have been encapsulated in the Leave or LeaveAll
message.
If the participant does not receive a Join message for these attributes before the Leave timer expires,
MRP deregisters the attributes.
LeaveAll timer
After startup, an MRP participant starts its own LeaveAll timer. When the LeaveAll timer expires, the
MRP participant sends out a LeaveAll message and restarts the LeaveAll timer.
Upon receiving the LeaveAll message, other participants restart their LeaveAll timer. The value of
the LeaveAll timer is randomly selected between the LeaveAll timer and 1.5 times the LeaveAll timer.
This mechanism provides the following benefits:

208
 • Effectively reduces the number of LeaveAll messages in the network.
• Prevents the LeaveAll timer of a particular participant from always expiring first.

MVRP registration modes

VLAN information propagated by MVRP includes dynamic VLAN information from other devices and
local static VLAN information.
MVRP has the following registration modes, which process dynamic VLANs in different ways.
Normal
An MVRP participant in normal registration mode registers and deregisters dynamic VLANs.
Fixed
An MVRP participant in fixed registration mode disables deregistering dynamic VLANs and drops
received MVRP frames. The MVRP participant does not deregister dynamic VLANs or register new
dynamic VLANs.
Forbidden
An MVRP participant in forbidden registration mode disables registering dynamic VLANs and drops
received MVRP frames. The MVRP participant does not register new dynamic VLANs or re-register
a deregistered dynamic VLAN.

Protocols and standards

IEEE 802.1ak, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area
Networks – Amendment 07: Multiple Registration Protocol

MVRP configuration task list

Tasks at a glance
(Required.) Enabling MVRP
(Optional.) Setting an MVRP registration mode
(Optional.) Setting MRP timers
(Optional.) Enabling GVRP compatibility

Configuration restrictions and guidelines

When you configure MVRP, follow these restrictions and guidelines:
• MVRP can work with STP, RSTP, or MSTP. Ports blocked by STP, RSTP, or MSTP can receive
and send MVRP frames. Do not configure MVRP with other link layer topology protocols, such
as service loopback, PVST, RRPP, and Smart Link.
For more information about STP, RSTP, MSTP, and PVST, see "Configuring spanning tree
protocols." For more information about service loopback, see "Configuring service loopback
groups." For more information about RRPP and Smart Link, see High Availability Configuration
Guide.
• Do not configure both MVRP and remote port mirroring on a port. Otherwise, MVRP might
register the remote probe VLAN with incorrect ports, which would cause the monitor port to

209
 receive undesired copies. For more information about port mirroring, see Network Management
and Monitoring Configuration Guide.
• MVRP takes effect only on trunk ports. For more information about trunk ports, see "Configuring
VLANs."
• Enabling MVRP on a Layer 2 aggregate interface takes effect on the aggregate interface and all
Selected member ports in the link aggregation group.
• MVRP configuration made on an aggregation group member port takes effect only after the port
is removed from the aggregation group.

Configuration prerequisites
Before configuring MVRP, make sure each MSTI is mapped to an existing VLAN on each device in
the network.

Enabling MVRP
Step Command Remarks
1. Enter system view. system-view N/A
By default, MVRP is globally
disabled.
2. Enable MVRP globally. mvrp global enable For MVRP to take effect on a port,
enable MVRP both on the port
and globally.
3. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

By default, each port is an access

port. For more information about
4. Configure the port as a trunk
port link-type trunk the port link-type trunk
port.
command, see Layer 2—LAN
Switching Command Reference.
By default, a trunk port permits
only VLAN 1.
Make sure the trunk port permits
5. Configure the trunk port to port trunk permit vlan all registered VLANs.
permit the specified VLANs. { vlan-id-list | all } For more information about the
port trunk permit vlan
command, see Layer 2—LAN
Switching Command Reference.

6. Enable MVRP on the port. By default, MVRP is disabled on a

mvrp enable
port.

Setting an MVRP registration mode

Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

210
 Step Command Remarks
Optional.
3. Set an MVRP registration mvrp registration { fixed |
mode for the port. forbidden | normal } The default setting is normal
registration mode.

Setting MRP timers

To avoid frequent VLAN registrations and deregistrations, use the same MRP timers throughout the
network.
Each port maintains its own Periodic, Join, and LeaveAll timers, and each attribute of a port
maintains a Leave timer.
To set MRP timers:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

Optional.
3. Set the LeaveAll timer. mrp timer leaveall timer-value The default setting is 1000
centiseconds.
Optional.
4. Set the Join timer. mrp timer join timer-value The default setting is 20
centiseconds.
Optional.
5. Set the Leave timer. mrp timer leave timer-value The default setting is 60
centiseconds.
Optional.
The default setting is 100
6. Set the Periodic timer. mrp timer periodic timer-value centiseconds.
You can restore the Periodic timer
to the default at any time.

Table 18 shows the value ranges for Join, Leave, and LeaveAll timers and their dependencies.
• If you set a timer to a value beyond the allowed value range, your configuration fails. You can
set a timer by tuning the value of any other timer. The value of each timer must be an integer
multiple of 20 centiseconds and in the range defined in Table 18.
• As a best practice, restore the timers in the order of Join, Leave, and LeaveAll.
Table 18 Dependencies of the Join, Leave, and LeaveAll timers

Timer Lower limit Upper limit

Join 20 centiseconds Half the Leave timer
Leave Twice the Join timer LeaveAll timer
LeaveAll Leave timer on each port 32760 centiseconds

211
Enabling GVRP compatibility
Enable GVRP compatibility for MVRP when the peer device supports GVRP. Then, the local end can
receive and send both MVRP and GVRP frames.
When you enable GVRP compatibility, follow these restrictions and guidelines:
• GVRP compatibility enables MVRP to work with STP or RSTP, but not MSTP.
• When the system is busy, disable the Period timer to prevent the participant from frequently
registering or deregistering attributes.
For more information about GVRP, see the IEEE 802.1Q standard.
To enable GVRP compatibility:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enable GVRP compatibility. By default, GVRP compatibility is

mvrp gvrp-compliance enable
disabled.

Displaying and maintaining MVRP

Execute display commands in any view and reset commands in user view.

Task Command
Display MVRP running status. display mvrp running-status [ interface interface-list ]
Display the MVRP state of a port in a display mvrp state interface interface-type interface-number
VLAN. vlan vlan-id
Display MVRP statistics. display mvrp statistics [ interface interface-list ]
Clear MVRP statistics. reset mvrp statistics [ interface interface-list ]

MVRP configuration example

Network requirements
As shown in Figure 69:
• Create VLAN 10 on Device A and VLAN 20 on Device B.
• Configure MSTP, map VLAN 10 to MSTI 1, map VLAN 20 to MSTI 2, and map the other VLANs
to MSTI 0.
Configure MVRP on Device A, Device B, Device C, and Device D to meet the following
requirements:
• The devices can register and deregister dynamic VLANs.
• The devices can keep identical VLAN configurations for each MSTI.

212
 Figure 69 Network diagram
Device A Device B
Permit: all VLANs
XGE1/0/3 XGE1/0/3
XG 2

XG
E1 /0/ VLAN 20

/0/
VLAN 10 /0/ E1

E1
E1
2 XG

/0/
XG

1
Permit: all VLANs Permit: VLANs 20, 40
s Pe
AN rm
ll VL it:
VL

1
a

XG
it: AN
/0/
E1 rm 40 XG

E1
2 Pe E1
/0/ /0/
E1
XG

/0/
2
XG

1
VLAN 10 MSTI 1
VLAN 20 MSTI 2
Other VLANs MSTI 0
Device C Device D

A B A B A B

C D C C D
MSTI 0 MSTI 1 MSTI 2

Link not blocked by Link blocked by

Root bridge spanning tree spanning tree

Blocked port Root port Designated port

Topology of each MSTI

Configuration procedure
1. Configure Device A:
# Enter MST region view.
<DeviceA> system-view
[DeviceA] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceA-mst-region] region-name example
[DeviceA-mst-region] instance 1 vlan 10
[DeviceA-mst-region] instance 2 vlan 20
[DeviceA-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceA-mst-region] active region-configuration
[DeviceA-mst-region] quit
# Configure Device A as the primary root bridge of MSTI 1.
[DeviceA] stp instance 1 root primary
# Globally enable the spanning tree feature.
[DeviceA] stp global enable
# Globally enable MVRP.

213
 [DeviceA] mvrp global enable
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/1] port trunk permit vlan all
# Enable MVRP on port Ten-GigabitEthernet 1/0/1.
[DeviceA-Ten-GigabitEthernet1/0/1] mvrp enable
[DeviceA-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and configure it to permit VLAN 40.
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/2] port trunk permit vlan 40
# Enable MVRP on Ten-GigabitEthernet 1/0/2.
[DeviceA-Ten-GigabitEthernet1/0/2] mvrp enable
[DeviceA-Ten-GigabitEthernet1/0/2] quit
# Configure Ten-GigabitEthernet 1/0/3 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port link-type trunk
[DeviceA-Ten-GigabitEthernet1/0/3] port trunk permit vlan all
# Enable MVRP on Ten-GigabitEthernet 1/0/3.
[DeviceA-Ten-GigabitEthernet1/0/3] mvrp enable
[DeviceA-Ten-GigabitEthernet1/0/3] quit
# Create VLAN 10.
[DeviceA] vlan 10
[DeviceA-vlan10] quit
2. Configure Device B:
# Enter MST region view.
<DeviceB> system-view
[DeviceB] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceB-mst-region] region-name example
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 2 vlan 20
[DeviceB-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# Configure Device B as the primary root bridge of MSTI 2.
[DeviceB] stp instance 2 root primary
# Globally enable the spanning tree feature.
[DeviceB] stp global enable
# Globally enable MVRP.
[DeviceB] mvrp global enable
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and configure it to permit VLANs 20 and
40.
[DeviceB] interface ten-gigabitethernet 1/0/1
[DeviceB-Ten-GigabitEthernet1/0/1] port link-type trunk

214
 [DeviceB-Ten-GigabitEthernet1/0/1] port trunk permit vlan 20 40
# Enable MVRP on Ten-GigabitEthernet 1/0/1.
[DeviceB-Ten-GigabitEthernet1/0/1] mvrp enable
[DeviceB-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/2] port trunk permit vlan all
# Enable MVRP on Ten-GigabitEthernet 1/0/2.
[DeviceB-Ten-GigabitEthernet1/0/2] mvrp enable
[DeviceB-Ten-GigabitEthernet1/0/2] quit
# Configure Ten-GigabitEthernet 1/0/3 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface ten-gigabitethernet 1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] port link-type trunk
[DeviceB-Ten-GigabitEthernet1/0/3] port trunk permit vlan all
# Enable MVRP on Ten-GigabitEthernet 1/0/3.
[DeviceB-Ten-GigabitEthernet1/0/3] mvrp enable
[DeviceB-Ten-GigabitEthernet1/0/3] quit
# Create VLAN 20.
[DeviceB] vlan 20
[DeviceB-vlan20] quit
3. Configure Device C:
# Enter MST region view.
<DeviceC> system-view
[DeviceC] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceC-mst-region] region-name example
[DeviceC-mst-region] instance 1 vlan 10
[DeviceC-mst-region] instance 2 vlan 20
[DeviceC-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceC-mst-region] active region-configuration
[DeviceC-mst-region] quit
# Configure Device C as the root bridge of MSTI 0.
[DeviceC] stp instance 0 root primary
# Globally enable the spanning tree feature.
[DeviceC] stp global enable
# Globally enable MVRP.
[DeviceC] mvrp global enable
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceC] interface ten-gigabitethernet 1/0/1
[DeviceC-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-Ten-GigabitEthernet1/0/1] port trunk permit vlan all
# Enable MVRP on Ten-GigabitEthernet 1/0/1.
[DeviceC-Ten-GigabitEthernet1/0/1] mvrp enable
[DeviceC-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and configure it to permit all VLANs.

215
 [DeviceC] interface ten-gigabitethernet 1/0/2
[DeviceC-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceC-Ten-GigabitEthernet1/0/2] port trunk permit vlan all
# Enable MVRP on Ten-GigabitEthernet 1/0/2.
[DeviceC-Ten-GigabitEthernet1/0/2] mvrp enable
[DeviceC-Ten-GigabitEthernet1/0/2] quit
4. Configure Device D:
# Enter MST region view.
<DeviceD> system-view
[DeviceD] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceD-mst-region] region-name example
[DeviceD-mst-region] instance 1 vlan 10
[DeviceD-mst-region] instance 2 vlan 20
[DeviceD-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# Globally enable the spanning tree feature.
[DeviceD] stp global enable
# Globally enable MVRP.
[DeviceD] mvrp global enable
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and configure it to permit VLANs 20 and
40.
[DeviceD] interface ten-gigabitethernet 1/0/1
[DeviceD-Ten-GigabitEthernet1/0/1] port link-type trunk
[DeviceD-Ten-GigabitEthernet1/0/1] port trunk permit vlan 20 40
# Enable MVRP on Ten-GigabitEthernet 1/0/1.
[DeviceD-Ten-GigabitEthernet1/0/1] mvrp enable
[DeviceD-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and configure it to permit VLAN 40.
[DeviceD] interface ten-gigabitethernet 1/0/2
[DeviceD-Ten-GigabitEthernet1/0/2] port link-type trunk
[DeviceD-Ten-GigabitEthernet1/0/2] port trunk permit vlan 40
# Enable MVRP on Ten-GigabitEthernet 1/0/2.
[DeviceD-Ten-GigabitEthernet1/0/2] mvrp enable
[DeviceD-Ten-GigabitEthernet1/0/2] quit

Verifying the configuration

Verifying the normal registration mode configuration
# Display local VLAN information on Device A.
[DeviceA] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

216
 ----[Ten-GigabitEthernet1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default)
Declared VLANs :
1(default), 10, 20
Propagated VLANs :
1(default)

----[Ten-GigabitEthernet1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
None
Declared VLANs :
1(default)
Propagated VLANs :
None

----[Ten-GigabitEthernet1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
20
Declared VLANs :
1(default), 10
Propagated VLANs :
20

The output shows that the following events have occurred:

• Ten-GigabitEthernet 1/0/1 has registered VLAN 1, declared VLAN 1, VLAN 10, and VLAN 20,
and propagated VLAN 1 through MVRP.
• Ten-GigabitEthernet 1/0/2 has declared VLAN 1, and registered and propagated no VLANs.

217
• Ten-GigabitEthernet 1/0/3 has registered VLAN 20, declared VLAN 1 and VLAN 10, and
propagated VLAN 20 through MVRP.
# Display local VLAN information on Device B.
[DeviceB] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Ten-GigabitEthernet1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default)
Declared VLANs :
1(default), 20
Propagated VLANs :
1(default)

----[Ten-GigabitEthernet1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 10
Declared VLANs :
1(default), 20
Propagated VLANs :
1(default)

----[Ten-GigabitEthernet1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 10

218
 Declared VLANs :
20
Propagated VLANs :
10

The output shows that the following events have occurred:

• Ten-GigabitEthernet 1/0/1 has registered VLAN 1, declared VLAN 1 and VLAN 20, and
propagated VLAN 1 through MVRP.
• Ten-GigabitEthernet 1/0/2 has registered VLAN 1 and VLAN 10, declared VLAN 1 and VLAN 20,
and propagated VLAN 1.
• Ten-GigabitEthernet 1/0/3 has registered VLAN 1 and VLAN 10, declared VLAN 20, and
propagated VLAN 10 through MVRP.
# Display local VLAN information on Device C.
[DeviceC] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Ten-GigabitEthernet1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 10, 20
Declared VLANs :
1(default)
Propagated VLANs :
1(default), 10

----[Ten-GigabitEthernet1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 20
Declared VLANs :
1(default), 10
Propagated VLANs :
1(default), 20

The output shows that the following events have occurred:

219
 • Ten-GigabitEthernet 1/0/1 has registered VLAN 1, VLAN 10, and VLAN 20, declared VLAN 1,
and propagated VLAN 1 and VLAN 10 through MVRP.
• Ten-GigabitEthernet 1/0/2 has registered VLAN 1 and VLAN 20, declared VLAN 1 and VLAN 10,
and propagated VLAN 1 and VLAN 20 through MVRP.
# Display local VLAN information on Device D.
[DeviceD] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Ten-GigabitEthernet1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 20
Declared VLANs :
1(default)
Propagated VLANs :
1(default), 20

----[Ten-GigabitEthernet1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default)
Declared VLANs :
None
Propagated VLANs :
None

The output shows that the following events have occurred:

• Ten-GigabitEthernet 1/0/1 has registered and propagated VLAN 10 and VLAN 20, and declared
VLAN 1 through MVRP.
• Ten-GigabitEthernet 1/0/2 has registered VLAN 1, and declared and propagated no VLANs
through MVRP.
Verifying the configuration after changing the registration mode
When the network is stable, set the MVRP registration mode to fixed on the port of Device B
connected to Device A. Then, verify that dynamic VLANs on the port will not be deregistered.
# Set the MVRP registration mode to fixed on Ten-GigabitEthernet 1/0/3 of Device B.

220
[DeviceB] interface ten-gigabitethernet 1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] mvrp registration fixed
[DeviceB-Ten-GigabitEthernet1/0/3] quit

# Display local MVRP VLAN information on Ten-GigabitEthernet 1/0/3.

[DeviceB] display mvrp running-status interface ten-gigabitethernet 1/0/3
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Ten-GigabitEthernet1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Fixed
Registered VLANs :
1(default), 10
Declared VLANs :
20
Propagated VLANs :
10

The output shows that VLAN information on Ten-GigabitEthernet 1/0/3 is not changed after you set
its MVRP registration mode to fixed.
# Delete VLAN 10 on Device A.
[DeviceA] undo vlan 10

# Display local MVRP VLAN information on Ten-GigabitEthernet 1/0/3 of Device B.

[DeviceB] display mvrp running-status interface ten-gigabitethernet 1/0/3
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[Ten-GigabitEthernet1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Fixed
Registered VLANs :
1(default), 10
Declared VLANs :
20
Propagated VLANs :
10

221
The output shows that dynamic VLAN information on Ten-GigabitEthernet 1/0/3 is not changed after
you set its MVRP registration mode to fixed.

222
Configuring QinQ
This document uses the following terms:
• CVLAN—Customer network VLANs, also called inner VLANs, refer to VLANs that a customer
uses on the private network.
• SVLAN—Service provider network VLANs, also called outer VLANs, refer to VLANs that a
service provider uses to transmit VLAN tagged traffic for customers.

Overview
802.1Q-in-802.1Q (QinQ) adds an 802.1Q tag to 802.1Q tagged customer traffic. It enables a
service provider to extend Layer 2 connections across an Ethernet network between customer sites.
QinQ provides the following benefits:
• Enables a service provider to use a single SVLAN to convey multiple CVLANs for a customer.
• Enables customers to plan CVLANs without conflicting with SVLANs.
• Enables customers to keep their VLAN assignment schemes unchanged when the service
provider changes its VLAN assignment scheme.
• Allows different customers to use overlapping CVLAN IDs. Devices in the service provider
network make forwarding decisions based on SVLAN IDs instead of CVLAN IDs.

How QinQ works

As shown in Figure 70, a QinQ frame transmitted over the service provider network carries the
following tags:
• CVLAN tag—Identifies the VLAN to which the frame belongs when it is transmitted in the
customer network.
• SVLAN tag—Identifies the VLAN to which the QinQ frame belongs when it is transmitted in the
service provider network. The service provider allocates the SVLAN tag to the customer.
The devices in the service provider network forward a tagged frame according to its SVLAN tag only.
The CVLAN tag is transmitted as part of the frame's payload.
Figure 70 Single-tagged Ethernet frame header and double-tagged Ethernet frame header

As shown in Figure 71, customer A has remote sites CE 1 and CE 4. Customer B has remote sites
CE 2 and CE 3. The CVLANs of the two customers overlap. The service provider assigns SVLANs 3
and 4 to customers A and B, respectively.

223
 When a tagged Ethernet frame from CE 1 arrives at PE 1, the PE tags the frame with SVLAN 3. The
double-tagged Ethernet frame travels over the service provider network until it arrives at PE 2. PE 2
removes the SVLAN tag of the frame, and then sends the frame to CE 4.
Figure 71 Typical QinQ application scenario
VLANs 1 to 20 VLANs 1 to 10

CE 3 CE 4
Customer Customer
network B network A
CVLAN B Data CVLAN A Data

SVLAN 4 CVLAN B Data SVLAN 3 CVLAN A Data

PE 1 Internet PE 2

SVLAN 3 CVLAN A Data SVLAN 4 CVLAN B Data

Service provider network

CVLAN A Data CVLAN B Data

Customer Customer
network A network B
CE 1 CE 2

VLANs 1 to 10 VLANs 1 to 20

QinQ implementations
QinQ is enabled on a per-port basis. The link type of a QinQ-enabled port can be access, hybrid, or
trunk. The QinQ tagging behaviors are the same across these types of ports.
A QinQ-enabled port tags all incoming frames (tagged or untagged) with the PVID tag.
• If an incoming frame already has one tag, it becomes a double-tagged frame.
• If the frame does not have any 802.1Q tags, it becomes a frame tagged with the PVID.
QinQ provides the most basic VLAN manipulation method to tag all incoming frames (tagged or
untagged) with the PVID tag. To perform advanced VLAN manipulations, use VLAN mappings or
QoS policies as follows:
• To add different SVLANs for different CVLAN tags, use one-to-two VLAN mappings.
• To replace the SVLAN ID, CVLAN ID, or both IDs for an incoming double-tagged frame, use
two-to-two VLAN mappings.
• QinQ and two-to-two mappings are mutually exclusive. The device does not support adding an
SVLAN tag on a QinQ-enabled port and then modifying the CVLAN and SVLAN IDs.
• To use criteria other than the CVLAN ID to match packets for SVLAN tagging, use the QoS nest
action. The QoS nest action can also be used with other actions in the same traffic behavior.
• To set the 802.1p priority in SVLAN tags, use the priority marking action as described in "Setting
the 802.1p priority in SVLAN tags."
For more information about VLAN mappings, see "Configuring VLAN mapping." For more
information about QoS, see ACL and QoS Configuration Guide.

224
Protocols and standards
• IEEE 802.1Q, IEEE Standard for Local and Metropolitan Area Networks-Virtual Bridged Local
Area Networks
• IEEE 802.1ad, IEEE Standard for Local and Metropolitan Area Networks-Virtual Bridged Local
Area Networks-Amendment 4: Provider Bridges

Restrictions and guidelines

When you configure QinQ, follow these restrictions and guidelines:
• The inner 802.1Q tag of QinQ frames is treated as part of the payload. As a best practice to
ensure correct transmission of QinQ frames, set the MTU to a minimum of 1504 bytes for each
port on their forwarding path. This value is the sum of the default Ethernet interface MTU (1500
bytes) and the length (4 bytes) of a VLAN tag.
• You can use a QoS policy, a VLAN mapping, and QinQ on a port for VLAN tag manipulation. If
their settings conflict, the QoS policy has the highest priority, the VLAN mapping has the
medium priority, and QinQ has the lowest priority.

Enabling QinQ
Enable QinQ on customer-side ports of PEs. A QinQ-enabled port tags an incoming frame with its
PVID.
Before you enable or disable QinQ on a port, you must remove any VLAN mappings on the port.
To enable QinQ:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Enable QinQ. qinq enable By default, QinQ is disabled.

Configuring transparent transmission for VLANs

You can exclude a VLAN (for example, the management VLAN) from the QinQ tagging action on a
customer-side port. This VLAN is called a transparent VLAN.
To ensure successful transmission for a transparent VLAN, follow these configuration guidelines:
• Set the link type of the port to trunk or hybrid, and assign the port to the transparent VLAN.
• Do not configure any other VLAN manipulation actions for the transparent VLAN on the port.
• Make sure all ports on the traffic path permit the transparent VLAN to pass through.
• If you use both transparent VLANs and VLAN mappings on an interface, the transparent VLANs
cannot be the following VLANs:
{ Original or translated VLANs of one-to-one, many-to-one, and one-to-two VLAN mappings.
{ Original or translated outer VLANs of two-to-two VLAN mappings.
To enable transparent transmission for a list of VLANs:

225
 Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

Set the port link type. By default, the link type of a port is
3. port link-type { hybrid | trunk }
access.
• For the hybrid port: By default, a trunk port allows
4. Configure the port to allow port hybrid vlan vlan-id-list packets only from VLAN 1 to pass
packets from its PVID and { tagged | untagged } through. A hybrid port is an
the transparent VLANs to • For the trunk port: untagged member of the VLAN to
pass through. port trunk permit vlan which the port belongs when its
{ vlan-id-list | all } link type is access.

By default, transparent
5. Specify transparent VLANs. qinq transparent-vlan vlan-id-list transmission is not configured for
any VLANs.

Configuring the TPID for VLAN tags

TPID identifies a frame as an 802.1Q tagged frame. The TPID value varies by vendor. On an HPE
device, the TPID in the 802.1Q tag added on a QinQ-enabled port is 0x8100 by default, in
compliance with IEEE 802.1Q. In a multi-vendor network, make sure the TPID setting is the same
between directly connected devices so 802.1Q tagged frames can be identified correctly.
TPID settings include CVLAN TPID and SVLAN TPID.
A QinQ-enabled port uses the CVLAN TPID to match incoming tagged frames. An incoming frame is
handled as untagged if its TPID is different from the CVLAN TPID. The device does not modify the
TPID in CVLAN tags.
SVLAN TPIDs are configurable on a per-port basis. A service provider-side port uses the SVLAN
TPID to replace the TPID in outgoing frames' SVLAN tags and match incoming tagged frames. An
incoming frame is handled as untagged if the TPID in its outer VLAN tag is different from the SVLAN
TPID.
For example, a PE device is connected to a customer device that uses the TPID 0x8200 and to a
provider device that uses the TPID 0x9100. For correct packet processing, you must set the CVLAN
TPID and SVLAN TPID to 0x8200 and 0x9100 on the PE, respectively.
The TPID field is at the same position as the EtherType field in an untagged Ethernet frame. To
ensure correct packet type identification, do not set the TPID value to any of the values listed in Table
19.
Table 19 Reserved EtherType values

Protocol type Value

ARP 0x0806
PUP 0x0200
RARP 0x8035
IP 0x0800
IPv6 0x86dd
PPPoE 0x8863/0x8864
MPLS 0x8847/0x8848

226
 Protocol type Value
IPX/SPX 0x8137
IS-IS 0x8000
LACP 0x8809
LLDP 0x88cc
802.1X 0x888e
802.1ag 0x8902
Cluster 0x88a7
Reserved 0xfffd/0xfffe/0xffff

Configuring the TPID for CVLAN tags

Perform this task on the PE device.
To configure the TPID value for CVLAN tags:

Step Command Remarks

1. Enter system view. system-view N/A
2. Configure the TPID value for qinq ethernet-type
CVLAN tags. The default setting is 0x8100.
customer-tag hex-value

Configuring the TPID for SVLAN tags

Perform this task on the service provider-side ports of PEs.
When you configure the TPID value for SVLAN tags on a port, do not enable QinQ on it.
To configure the TPID value for SVLAN tags:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Configure the TPID value for qinq ethernet-type service-tag

SVLAN tags. The default setting is 0x8100.
hex-value

Setting the 802.1p priority in SVLAN tags

By default, the 802.1p priority in the SVLAN tag added by a QinQ-enabled port depends on the
priority trust mode on the port.
• If the 802.1p priority in frames is trusted, the device copies the 802.1p priority in the CVLAN tag
to the SVLAN tag.
• If the 802.1p priority in frames is not trusted, the device copies the port priority (0 by default) to
the SVLAN tag.
To set the 802.1p priority in SVLAN tags:

227
 Step Command Remarks
1. Enter system view. system-view N/A
2. Create a traffic class and traffic classifier classifier-name [ operator By default, no traffic
enter its view. { and | or } ] classes exist.
• Match CVLAN IDs:
if-match customer-vlan-id vlan-id-list
3. Configure CVLAN match
criteria. • Match 802.1p priority: N/A
if-match customer-dot1p
dot1p-value&<1-8>
4. Return to system view. quit N/A
5. Create a traffic behavior By default, no traffic
and enter its view. traffic behavior behavior-name
behaviors exist.
• Replace the priority in the SVLAN tags of
matching frames with the configured
6. Configure a priority priority:
marking action for SVLAN remark dot1p dot1p-value N/A
tags. • Copy the 802.1p priority in the CVLAN
tag to the SVLAN tag:
remark dot1p customer-dot1p-trust
7. Return to system view. quit N/A
8. Create a QoS policy and By default, no QoS
enter its view. qos policy policy-name
policies exist.
9. Specify the traffic behavior
for the traffic class in the classifier classifier-name behavior
N/A
QoS policy. behavior-name

10. Return to system view. quit N/A

11. Enter Layer 2 Ethernet
interface view. interface interface-type interface-number N/A

By default, a port does

not trust the 802.1p
priority in frames.
12. Configure the port to trust This step is required if
the 802.1p priority in qos trust dot1p the remark dot1p
incoming frames. command is configured.
It is optional if the
remark dot1p
customer-dot1p-trust
command is configured.
13. Enable QinQ. qinq enable N/A
14. Apply the QoS policy to
the inbound direction of qos apply policy policy-name inbound N/A
the port.

For more information about QoS policies, see ACL and QoS Configuration Guide.

Displaying and maintaining QinQ

Execute display commands in any view.

228
 Task Command
display qinq [ interface interface-type
Display QinQ-enabled ports.
interface-number ]

QinQ configuration examples

Basic QinQ configuration example
Network requirements
As shown in Figure 72:
• The service provider assigns VLAN 100 to Company A's VLANs 10 through 70.
• The service provider assigns VLAN 200 to Company B's VLANs 30 through 90.
• The devices between PE 1 and PE 2 in the service provider network use a TPID value of
0x8200.
Configure QinQ on PE 1 and PE 2 to transmit traffic in VLANs 100 and 200 for Company A and
Company B, respectively.
For the QinQ frames to be identified correctly, set the SVLAN TPID to 0x8200 on the service
provider-side ports of PE 1 and PE 2.
Figure 72 Network diagram

Configuration procedure
1. Configure PE 1:
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and assign it to VLAN 100 and VLANs 10
through 70.
<PE1> system-view
[PE1] interface ten-gigabitethernet 1/0/1
[PE1-Ten-GigabitEthernet1/0/1] port link-type trunk
[PE1-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100 10 to 70

229
 # Set the PVID of Ten-GigabitEthernet 1/0/1 to VLAN 100.
[PE1-Ten-GigabitEthernet1/0/1] port trunk pvid vlan 100
# Enable QinQ on Ten-GigabitEthernet 1/0/1.
[PE1-Ten-GigabitEthernet1/0/1] qinq enable
[PE1-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 200.
[PE1] interface ten-gigabitethernet 1/0/2
[PE1-Ten-GigabitEthernet1/0/2] port link-type trunk
[PE1-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100 200
# Set the TPID value in the SVLAN tags to 0x8200 on Ten-GigabitEthernet 1/0/2.
[PE1-Ten-GigabitEthernet1/0/2] qinq ethernet-type service-tag 8200
[PE1-Ten-GigabitEthernet1/0/2] quit
# Configure Ten-GigabitEthernet 1/0/3 as a trunk port, and assign it to VLAN 200 and VLANs 30
through 90.
[PE1] interface ten-gigabitethernet 1/0/3
[PE1-Ten-GigabitEthernet1/0/3] port link-type trunk
[PE1-Ten-GigabitEthernet1/0/3] port trunk permit vlan 200 30 to 90
# Set the PVID of Ten-GigabitEthernet 1/0/3 to VLAN 200.
[PE1-Ten-GigabitEthernet1/0/3] port trunk pvid vlan 200
# Enable QinQ on Ten-GigabitEthernet 1/0/3.
[PE1-Ten-GigabitEthernet1/0/3] qinq enable
[PE1-Ten-GigabitEthernet1/0/3] quit
2. Configure PE 2:
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and assign it to VLAN 200 and VLANs 30
through 90.
<PE2> system-view
[PE2] interface ten-gigabitethernet 1/0/1
[PE2-Ten-GigabitEthernet1/0/1] port link-type trunk
[PE2-Ten-GigabitEthernet1/0/1] port trunk permit vlan 200 30 to 90
# Set the PVID of Ten-GigabitEthernet 1/0/1 to VLAN 200.
[PE2-Ten-GigabitEthernet1/0/1] port trunk pvid vlan 200
# Enable QinQ on Ten-GigabitEthernet 1/0/1.
[PE2-Ten-GigabitEthernet1/0/1] qinq enable
[PE2-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 200.
[PE2] interface ten-gigabitethernet 1/0/2
[PE2-Ten-GigabitEthernet1/0/2] port link-type trunk
[PE2-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100 200
# Set the TPID value in the SVLAN tags to 0x8200 on Ten-GigabitEthernet 1/0/2.
[PE2-Ten-GigabitEthernet1/0/2] qinq ethernet-type service-tag 8200
[PE2-Ten-GigabitEthernet1/0/2] quit
# Configure Ten-GigabitEthernet 1/0/3 as a trunk port, and assign it to VLAN 100 and VLANs 10
through 70.
[PE2] interface ten-gigabitethernet 1/0/3
[PE2-Ten-GigabitEthernet1/0/3] port link-type trunk
[PE2-Ten-GigabitEthernet1/0/3] port trunk permit vlan 100 10 to 70
# Set the PVID of Ten-GigabitEthernet 1/0/3 to VLAN 100.
[PE2-Ten-GigabitEthernet1/0/3] port trunk pvid vlan 100

230
 # Enable QinQ on Ten-GigabitEthernet 1/0/3.
[PE2-Ten-GigabitEthernet1/0/3] qinq enable
[PE2-Ten-GigabitEthernet1/0/3] quit
3. Configure the devices between PE 1 and PE 2:
# Set the MTU to a minimum of 1504 bytes for each port on the path of QinQ frames. (Details
not shown.)
# Configure all ports on the forwarding path to allow frames from VLANs 100 and 200 to pass
through without removing the VLAN tag. (Details not shown.)

VLAN transparent transmission configuration example

Network requirements
As shown in Figure 73:
• The service provider assigns VLAN 100 to a company's VLANs 10 through 50.
• VLAN 3000 is the dedicated VLAN of the company on the service provider network.
Configure QinQ on PE 1 and PE 2 to provide Layer 2 connectivity for CVLANs 10 through 50 over the
service provider network.
Configure VLAN transparent transmission for VLAN 3000 on PE 1 and PE 2 to enable the hosts in
VLAN 3000 to communicate without using an SVLAN.
Figure 73 Network diagram

Configuration procedure
1. Configure PE 1:
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and assign it to VLANs 10 through 50,
100, and 3000.
<PE1> system-view
[PE1] interface ten-gigabitethernet 1/0/1
[PE1-Ten-GigabitEthernet1/0/1] port link-type trunk
[PE1-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100 3000 10 to 50
# Set the PVID of Ten-GigabitEthernet 1/0/1 to VLAN 100.
[PE1-Ten-GigabitEthernet1/0/1] port trunk pvid vlan 100
# Enable QinQ on Ten-GigabitEthernet 1/0/1.
[PE1-Ten-GigabitEthernet1/0/1] qinq enable
# Enable transparent transmission for VLAN 3000 on Ten-GigabitEthernet 1/0/1.

231
 [PE1-Ten-GigabitEthernet1/0/1] qinq transparent-vlan 3000
[PE1-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 3000.
[PE1] interface ten-gigabitethernet 1/0/2
[PE1-Ten-GigabitEthernet1/0/2] port link-type trunk
[PE1-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100 3000
[PE1-Ten-GigabitEthernet1/0/2] quit
2. Configure PE 2:
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, and assign it to VLANs 10 through 50,
100, and 3000.
<PE2> system-view
[PE2] interface ten-gigabitethernet 1/0/1
[PE2-Ten-GigabitEthernet1/0/1] port link-type trunk
[PE2-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100 3000 10 to 50
# Set the PVID of Ten-GigabitEthernet 1/0/1 to VLAN 100.
[PE1-Ten-GigabitEthernet1/0/1] port trunk pvid vlan 100
# Enable QinQ on Ten-GigabitEthernet 1/0/1.
[PE2-Ten-GigabitEthernet1/0/1] qinq enable
# Enable transparent transmission for VLAN 3000 on Ten-GigabitEthernet 1/0/1.
[PE2-Ten-GigabitEthernet1/0/1] qinq transparent-vlan 3000
[PE2-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 3000.
[PE2] interface ten-gigabitethernet 1/0/2
[PE2-Ten-GigabitEthernet1/0/2] port link-type trunk
[PE2-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100 3000
3. Configure the devices between PE 1 and PE 2:
# Set the MTU to a minimum of 1504 bytes for each port on the path of QinQ frames. (Details
not shown.)
# Configure all ports on the forwarding path to allow frames from VLANs 100 and 3000 to pass
through without removing the VLAN tag. (Details not shown.)

232
Configuring VLAN mapping
Overview
VLAN mapping re-marks VLAN tagged traffic with new VLAN IDs. Hewlett Packard Enterprise
provides the following types of VLAN mapping:
• One-to-one VLAN mapping—Replaces one VLAN tag with another.
• Many-to-one VLAN mapping—Replaces multiple VLAN tags with the same VLAN tag.
• One-to-two VLAN mapping—Tags single-tagged packets with an outer VLAN tag.
• Two-to-two VLAN mapping—Replaces the outer and inner VLAN IDs of double tagged traffic
with a new pair of VLAN IDs.

VLAN mapping application scenarios

One-to-one and many-to-one VLAN mapping
Figure 74 shows a typical application scenario of one-to-one and many-to-one VLAN mapping. The
scenario implements broadband Internet access for a community.

233
 Figure 74 Application scenario of one-to-one and many-to-one VLAN mapping
DHCP client

VLAN 1
PC

Home gateway
VLAN 2
VoD

VLAN 1 -> VLAN 101

VLAN 3 VLAN 2 -> VLAN 201
VoIP VLAN 3 -> VLAN 301

Wiring-closet
switch DHCP server
VLAN 1
PC VLAN 1 -> VLAN 102
VLAN 2 -> VLAN 202
VLAN 3 -> VLAN 302

...
VLAN 2
VoD
Home gateway VLANs 101 and 102 -> VLAN 501
VLANs 201 and 202 -> VLAN 502
VLAN 3 VLANs 301 and 302 -> VLAN 503
VoIP

...
...

...

...

Campus switch

...
VLAN 1
PC
VLANs 199 and 200 -> VLAN 501
VLANs 299 and 300 -> VLAN 502
Home gateway VLANs 399 and 400 -> VLAN 503
VLAN 2
VoD
Distribution
...

VLAN 1 -> VLAN 199 network

VLAN 3 VLAN 2 -> VLAN 299
VoIP VLAN 3 -> VLAN 399

Wiring-closet
switch
VLAN 1
PC VLAN 1 -> VLAN 200
VLAN 2 -> VLAN 300
VLAN 3 -> VLAN 400

VLAN 2
VoD
Home gateway
VLAN 3
VoIP

As shown in Figure 74, the network is implemented as follows:

• Each home gateway uses different VLANs to transmit the PC, VoD, and VoIP services.
• To further subclassify each type of traffic by customer, configure one-to-one VLAN mapping on
the wiring-closet switches. This feature assigns a separate VLAN to each type of traffic from
each customer. The required total number of VLANs in the network can be very large.
• To prevent the maximum number of VLANs from being exceeded on the distribution layer
device, configure many-to-one VLAN mapping on the campus switch. This feature assigns the
same VLAN to the same type of traffic from different customers.
One-to-two and two-to-two VLAN mapping
Figure 75 shows a typical application scenario of one-to-two and two-to-two VLAN mapping. In this
scenario, the two remote sites of the same VPN must communicate across two SP networks.

234
 Figure 75 Application scenario of one-to-two and two-to-two VLAN mapping

Site 1 and Site 2 are in VLAN 2 and VLAN 3, respectively. The SP 1 network assigns SVLAN 10 to
Site 1. The SP 2 network assigns SVLAN 20 to Site 2. When the packet from Site 1 arrives at PE 1,
PE 1 tags the packet with SVLAN 10 by using one-to-two VLAN mapping.
When the double-tagged packet from the SP 1 network arrives at the SP 2 network interface, PE 3
processes the packet as follows:
• Replaces SVLAN tag 10 with SVLAN tag 20.
• Replaces CVLAN tag 2 with CVLAN tag 3.
One-to-two VLAN mapping provides the following benefits:
• Enables a customer network to plan its CVLAN assignment without conflicting with SVLANs.
• Adds a VLAN tag to a tagged packet and expands the number of available VLANs to 4094 ×
4094.
• Reduces the stress on the SVLAN resources, which were 4094 VLANs in the SP network
before the mapping process was initiated.

VLAN mapping implementations

Figure 76 shows a simplified network that illustrates basic VLAN mapping terms.
Basic VLAN mapping terms include the following:
• Uplink traffic—Traffic transmitted from the customer network to the service provider network.
• Downlink traffic—Traffic transmitted from the service provider network to the customer
network.
• Network-side port—A port connected to or closer to the service provider network.
• Customer-side port—A port connected to or closer to the customer network.

235
 Figure 76 Basic VLAN mapping terms

SP

Network-side port
Customer-side port
Uplink traffic
Downlink traffic

One-to-one VLAN mapping

As shown in Figure 77, one-to-one VLAN mapping is implemented on the customer-side port and
replaces VLAN tags as follows:
• Replaces the CVLAN with the SVLAN for the uplink traffic.
• Replaces the SVLAN with the CVLAN for the downlink traffic.
Figure 77 One-to-one VLAN mapping implementation

Many-to-one VLAN mapping

As shown in Figure 78, many-to-one VLAN mapping is implemented on both the customer-side and
network-side ports as follows:
• For the uplink traffic, the customer-side many-to-one VLAN mapping replaces multiple CVLANs
with the same SVLAN.
• For the downlink traffic, the network-side many-to-one VLAN mapping replaces the SVLAN with
the CVLAN found in the DHCP or ARP snooping table. For more information about DHCP and
ARP snooping, see Layer 3—IP Services Configuration Guide.

236
 Figure 78 Many-to-one VLAN mapping implementation

...

...
One-to-two VLAN mapping
As shown in Figure 79, one-to-two VLAN mapping is implemented on the customer-side port to add
the SVLAN tag for the uplink traffic.
For the downlink traffic to be correctly sent to the customer network, make sure the SVLAN tag is
removed on the customer-side port before transmission. Use one of the following methods to remove
the SVLAN tag from the downlink traffic:
• Configure the customer-side port as a hybrid port and assign the port to the SVLAN as an
untagged member.
• Configure the customer-side port as a trunk port and set the port PVID to the SVLAN.
Figure 79 One-to-two VLAN mapping implementation

Two-to-two VLAN mapping

As shown in Figure 80, two-to-two VLAN mapping is implemented on the customer-side port and
replaces VLAN tags as follows:
• Replaces the CVLAN and the SVLAN with the CVLAN' and the SVLAN' for the uplink traffic.
• Replaces the SVLAN' and CVLAN' with the SVLAN and the CVLAN for the downlink traffic.

237
 Figure 80 Two-to-two VLAN mapping implementation

VLAN mapping configuration task list

When you configure VLAN mapping, follow these guidelines:
• To add VLAN tags to packets, you can configure both VLAN mapping and QinQ. VLAN mapping
takes effect if a configuration conflict occurs. For more information about QinQ, see
"Configuring QinQ."
• To add or replace VLAN tags for packets, you can configure both VLAN mapping and a QoS
policy. The QoS policy takes effect if a configuration conflict occurs. For information about QoS
policies, see ACL and QoS Configuration Guide.

IMPORTANT:
Use the appropriate VLAN mapping methods for the devices in the network.

To configure VLAN mapping:

Tasks at a glance Remarks

Configure one-to-one VLAN mapping on the
Configuring one-to-one VLAN mapping
wiring-closet switch, as shown in Figure 74.
Configuring many-to-one VLAN mapping
• Configuring many-to-one VLAN mapping in a
Configure many-to-one VLAN mapping on the
network with dynamic IP address assignment
campus switch, as shown in Figure 74.
• Configuring many-to-one VLAN mapping in a
network with static IP address assignment
Configure one-to-two VLAN mapping on PE 1 and
PE 4, as shown in Figure 75, through which traffic
Configuring one-to-two VLAN mapping
from customer networks enters the service provider
networks.
Configure two-to-two VLAN mapping on PE 3, as
Configuring two-to-two VLAN mapping shown in Figure 75, which is an edge device of the
SP 2 network.

Configuring one-to-one VLAN mapping

Configure one-to-one VLAN mapping on the customer-side ports of wiring-closet switches
(see Figure 74) to isolate traffic of the same service type from different homes.
Before you configure one-to-one VLAN mapping, create the original VLAN and the translated VLAN.
To configure one-to-one VLAN mapping:

238
 Step Command Remarks
1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 N/A
aggregate interface view. • Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
• Set the port link type to trunk:
port link-type trunk By default, the link type of a
3. Set the link type of the port.
• Set the port link type to hybrid: port is access.
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the original vlan-id-list
VLANs and the translated N/A
VLANs. • For the hybrid port:
port hybrid vlan vlan-id-list
tagged
5. Configure a one-to-one VLAN vlan mapping vlan-id By default, no VLAN mapping
mapping. translated-vlan vlan-id is configured on an interface.

Configuring many-to-one VLAN mapping

Configure many-to-one VLAN mapping on campus switches (see Figure 74) to transmit the same
type of traffic from different users in one VLAN.

Configuring many-to-one VLAN mapping in a network with

dynamic IP address assignment
In a network that uses dynamic address assignment, configure many-to-one VLAN mapping with
DHCP snooping.
The switch replaces the SVLAN tag of the downlink traffic with the associated CVLAN tag based on
the DHCP snooping entry lookup.
Configuration restrictions and guidelines
When you configure many-to-one VLAN mapping in a network that uses dynamic address
assignment, follow these restrictions and guidelines:
• Before you configure many-to-one VLAN mapping, create the original VLANs and the
translated VLANs.
• To ensure correct traffic forwarding from the service provider network to the customer network,
do not configure many-to-one VLAN mapping together with uRPF. For more information about
uRPF, see Security Configuration Guide.
• To modify many-to-one VLAN mappings, first use the reset dhcp snooping binding command
to clear the DHCP snooping entries.

239
Many-to-one VLAN mapping configuration task list

Tasks at a glance
Enabling DHCP snooping
Enabling ARP detection
Configuring the customer-side port
Configuring the network-side port

Enabling DHCP snooping

Step Command Remarks

1. Enter system view. system-view N/A
By default, DHCP snooping is disabled.
2. Enable DHCP For more information about DHCP snooping
snooping. dhcp snooping enable
configuration commands, see Layer 3—IP
Services Command Reference.

Enabling ARP detection

Enable ARP detection for the original VLANs and the translated VLANs.
To enable ARP detection:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter VLAN view. vlan vlan-id N/A
By default, ARP detection is disabled.
3. Enable ARP detection. arp detection enable For more information about ARP detection
configuration commands, see Security Command
Reference.

Configuring the customer-side port

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet
interface view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 N/A
aggregate interface view. • Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
• Set the port link type to trunk:
port link-type trunk By default, the link type of a
3. Set the link type of the port.
• Set the port link type to hybrid: port is access.
port link-type hybrid

240
 Step Command Remarks
• For the trunk port:
port trunk permit vlan
4. Assign the port to the original vlan-id-list
VLANs and the translated N/A
VLANs. • For the hybrid port:
port hybrid vlan vlan-id-list
tagged

Configure a many-to-one vlan mapping uni { range

5. By default, no VLAN mapping
VLAN mapping. vlan-range-list | single vlan-id-list }
is configured on an interface.
translated-vlan vlan-id

6. Enable DHCP snooping entry By default, DHCP snooping

recording. dhcp snooping binding record entry recording is disabled on
an interface.

Configuring the network-side port

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 N/A
aggregate interface view. • Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
• Set the port link type to trunk:
port link-type trunk By default, the link type of a
3. Set the link type of the port.
• Set the port link type to hybrid: port is access.
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the vlan-id-list
translated VLANs. N/A
• For the hybrid port:
port hybrid vlan vlan-id-list
tagged
By default, all ports that
5. Configure the port as a support DHCP snooping are
DHCP snooping trusted port. dhcp snooping trust
untrusted ports when DHCP
snooping is enabled.
6. Configure the port as an ARP By default, all ports are ARP
trusted port. arp detection trust
untrusted ports.
7. Configure the port to use the
original VLAN tags of the By default, the port does not
many-to-one mapping to replace the VLAN tags of the
replace the VLAN tags of the vlan mapping nni
packets destined for the user
packets destined for the user network.
network.

241
Configuring many-to-one VLAN mapping in a network with
static IP address assignment
In a network that uses static IP addresses, configure many-to-one VLAN mapping with ARP
snooping.
The switch replaces the SVLAN tag of the downlink traffic with the associated CVLAN tag based on
the ARP snooping entry lookup.
Configuration restrictions and guidelines
When you configure many-to-one VLAN mapping in a network that uses static address assignment,
follow these restrictions and guidelines:
• Before you configure many-to-one VLAN mapping, create the original VLANs and the
translated VLANs.
• Make sure hosts in different CVLANs do not use the same IP address.
• When an IP address is no longer associated with the MAC address and VLAN in an ARP
snooping entry, wait for this entry to be aged out. You can also use the reset arp snooping ip
ip-address command to clear the entry.
• Before you modify many-to-one VLAN mapping, use the reset arp snooping vlan vlan-id
command to clear the ARP snooping entries in each CVLAN.
• To ensure correct traffic forwarding from the service provider network to the customer network,
do not configure many-to-one VLAN mapping together with uRPF. For more information about
uRPF, see Security Configuration Guide.
Configuration task list

Tasks at a glance
Enabling ARP snooping
Configuring the customer-side port
Configuring the network-side port

Enabling ARP snooping

Enable ARP snooping for the original VLANs and the translated VLANs.
To enable ARP snooping:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter VLAN view. vlan vlan-id N/A
By default, ARP snooping is disabled.
3. Enable ARP snooping. arp snooping enable For more information about ARP
snooping commands, see Layer 3—IP
Services Command Reference.

Configuring the customer-side port

Step Command Remarks

1. Enter system view. system-view N/A

242
 Step Command Remarks
• Enter Layer 2 Ethernet
interface view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 • Enter Layer 2 aggregate N/A
aggregate interface view. interface view:
interface
bridge-aggregation
interface-number
• Set the port link type to trunk:
port link-type trunk
Set the link type of the port. By default, the link type of a port is
3. • Set the port link type to
access.
hybrid:
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the original vlan-id-list
VLANs and the translated N/A
VLANs. • For the hybrid port:
port hybrid vlan vlan-id-list
tagged
vlan mapping uni { range
5. Configure a many-to-one vlan-range-list | single By default, no VLAN mapping is
VLAN mapping. vlan-id-list } translated-vlan configured on an interface.
vlan-id

Configuring the network-side port

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet
interface view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 • Enter Layer 2 aggregate N/A
aggregate interface view. interface view:
interface
bridge-aggregation
interface-number
• Set the port link type to trunk:
port link-type trunk
Set the link type of the port. By default, the link type of a port is
3. • Set the port link type to
access.
hybrid:
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the vlan-id-list
translated VLANs. N/A
• For the hybrid port:
port hybrid vlan vlan-id-list
tagged
5. Configure the port to use the
original VLAN tags of the By default, the port does not
many-to-one mapping to replace the VLAN tags of the
replace the VLAN tags of the vlan mapping nni
packets destined for the user
packets destined for the user network.
network.

243
Configuring one-to-two VLAN mapping
Configure one-to-two VLAN mapping on the customer-side ports of edge devices from which
customer traffic enters SP networks, for example, on PEs 1 and 4 in Figure 75. One-to-two VLAN
mapping enables the edge devices to add an SVLAN tag to each incoming packet.
Before you configure one-to-two VLAN mapping, create the CVLAN and the SVLAN.
The MTU of an interface is 1500 bytes by default. After a VLAN tag is added to a packet, the packet
length is added by 4 bytes. As a best practice, set the MTU to a minimum of 1504 bytes for ports on
the forwarding path of the packet in the service provider network.
To configure one-to-two VLAN mapping:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 N/A
aggregate interface view. • Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
• Set the port link type to trunk:
port link-type trunk By default, the link type of a
3. Set the link type of the port.
• Set the port link type to hybrid: port is access.
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the vlan-id-list
CVLANs. N/A
• For the hybrid port:
port hybrid vlan vlan-id-list
{ tagged | untagged }
• For the trunk port:
a. Configure the SVLAN as the
PVID of the trunk port:
port trunk pvid vlan vlan-id
5. Configure the port to allow b. Assign the trunk port to the
packets from the SVLAN to SVLAN: N/A
pass through untagged. port trunk permit vlan
{ vlan-id-list | all }
• For the hybrid port:
port hybrid vlan vlan-id-list
untagged
By default, no VLAN mapping
is configured on an interface.
Only one SVLAN tag can be
6. Configure a one-to-two VLAN vlan mapping nest { range added to packets from the
mapping. vlan-range-list | single vlan-id-list } same CVLAN. To add
nested-vlan vlan-id different SVLAN tags to
different CVLAN packets, set
the port link type to hybrid and
repeat this command.

244
Configuring two-to-two VLAN mapping
Configure two-to-two VLAN mapping on the customer-side port of an edge device that connects two
SP networks, for example, on PE 3 in Figure 75. Two-to-two VLAN mapping enables two sites in
different VLANs to communicate at Layer 2 across two service provider networks that use different
VLAN assignment schemes.
Before you configure two-to-two VLAN mapping, create the original VLANs and the translated
VLANs.
To configure two-to-two VLAN mapping:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 N/A
aggregate interface view. • Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
• Set the port link type to trunk:
port link-type trunk By default, the link type of a
3. Set the link type of the port.
• Set the port link type to hybrid: port is access.
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the original vlan-id-list
VLANs and the translated N/A
VLANs. • For the hybrid port:
port hybrid vlan vlan-id-list
tagged

Configure a two-to-two VLAN vlan mapping tunnel outer-vlan-id

5. By default, no VLAN mapping
mapping. inner-vlan-id translated-vlan
is configured on an interface.
outer-vlan-id inner-vlan-id

Displaying and maintaining VLAN mapping

Execute display commands in any view.

Task Command
Display VLAN mapping information. display vlan mapping [ interface interface-type interface-number ]

VLAN mapping configuration examples

One-to-one and many-to-one VLAN mapping configuration
example
Network requirements
As shown in Figure 81:

245
• Each household subscribes to PC, VoD, and VoIP services, and obtains the IP address through
DHCP.
• On the home gateways, VLANs 1, 2, and 3 are assigned to PC, VoD, and VoIP traffic,
respectively.
To isolate traffic of the same service type from different households, configure one-to-one VLAN
mappings on the wiring-closet switches. This feature assigns one VLAN to each type of traffic from
each household.
To save VLAN resources, configure many-to-one VLAN mappings on the campus switch (Switch C).
This feature transmits the same type of traffic from different households in one VLAN. Use VLANs
501, 502, and 503 for PC, VoD, and VoIP traffic, respectively.
Table 20 VLAN mappings for each service

VLANs on home VLANs on wiring-closet switches VLANs on campus

Service
gateways (Switch A and Switch B) switch (Switch C)
PC VLAN 1 VLANs 101, 102, 103, 104 VLAN 501
VoD VLAN 2 VLANs 201, 202, 203, 204 VLAN 502
VoIP VLAN 3 VLANs 301, 302, 303, 304 VLAN 503

246
 Figure 81 Network diagram
DHCP client

VLAN 1
PC

Home gateway
VLAN 2
VoD

VLAN 1 -> VLAN 101

VLAN 3 VLAN 2 -> VLAN 201
VoIP XGE1/0/1 VLAN 3 -> VLAN 301

Wiring-closet XGE1/0/3
Switch A
VLAN 1 XGE1/0/2
PC VLAN 1 -> VLAN 102 DHCP server
VLAN 2 -> VLAN 202
VLAN 3 -> VLAN 302

VLAN 2
VoD
Home gateway VLANs 101–102 -> VLAN 501
VLAN 3 VLANs 201–202 -> VLAN 502
VoIP XGE1/0/1 VLANs 301–302 -> VLAN 503
Campus switch XGE1/0/3 XGE1/0/1
Switch D
Switch C
VLAN 1 XGE1/0/2 VLANs 103–104 -> VLAN 501
PC
VLANs 203–204 -> VLAN 502
Home gateway VLANs 303–304 -> VLAN 503
VLAN 2
VoD
Distribution
VLAN 1 -> VLAN 103 network
VLAN 3 VLAN 2 -> VLAN 203
VoIP XGE1/0/1 VLAN 3 -> VLAN 303

Wiring-closet XGE1/0/3
Switch B
VLAN 1 XGE1/0/2
PC VLAN 1 -> VLAN 104
VLAN 2 -> VLAN 204
VLAN 3 -> VLAN 304

VLAN 2
VoD
Home gateway
VLAN 3
VoIP

Configuration procedure
1. Configure Switch A:
# Create the original VLANs.
<SwitchA> system-view
[SwitchA] vlan 2 to 3
# Create the translated VLANs.
[SwitchA] vlan 101 to 102
[SwitchA] vlan 201 to 202
[SwitchA] vlan 301 to 302
# Configure customer-side port Ten-GigabitEthernet 1/0/1 as a trunk port.
<SwitchA> system-view
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] port link-type trunk

247
 # Assign Ten-GigabitEthernet 1/0/1 to all original VLANs and translated VLANs.
[SwitchA-Ten-GigabitEthernet1/0/1] port trunk permit vlan 1 2 3 101 201 301
# Configure one-to-one VLAN mappings on Ten-GigabitEthernet 1/0/1 to map VLANs 1, 2, and
3 to VLANs 101, 201, and 301, respectively.
[SwitchA-Ten-GigabitEthernet1/0/1] vlan mapping 1 translated-vlan 101
[SwitchA-Ten-GigabitEthernet1/0/1] vlan mapping 2 translated-vlan 201
[SwitchA-Ten-GigabitEthernet1/0/1] vlan mapping 3 translated-vlan 301
[SwitchA-Ten-GigabitEthernet1/0/1] quit
# Configure customer-side port Ten-GigabitEthernet 1/0/2 as a trunk port.
[SwitchA] interface ten-gigabitethernet 1/0/2
[SwitchA-Ten-GigabitEthernet1/0/2] port link-type trunk
# Assign Ten-GigabitEthernet 1/0/2 to all original VLANs and translated VLANs.
[SwitchA-Ten-GigabitEthernet1/0/2] port trunk permit vlan 1 2 3 102 202 302
# Configure one-to-one VLAN mappings on Ten-GigabitEthernet 1/0/2 to map VLANs 1, 2, and
3 to VLANs 102, 202, and 302, respectively.
[SwitchA-Ten-GigabitEthernet1/0/2] vlan mapping 1 translated-vlan 102
[SwitchA-Ten-GigabitEthernet1/0/2] vlan mapping 2 translated-vlan 202
[SwitchA-Ten-GigabitEthernet1/0/2] vlan mapping 3 translated-vlan 302
[SwitchA-Ten-GigabitEthernet1/0/2] quit
# Configure the network-side port (Ten-GigabitEthernet 1/0/3) as a trunk port.
[SwitchA] interface ten-gigabitethernet 1/0/3
[SwitchA-Ten-GigabitEthernet1/0/3] port link-type trunk
# Assign Ten-GigabitEthernet 1/0/3 to the translated VLANs.
[SwitchA-Ten-GigabitEthernet1/0/3] port trunk permit vlan 101 201 301 102 202 302
[SwitchA-Ten-GigabitEthernet1/0/3] quit
2. Configure Switch B in the same way Switch A is configured. (Details not shown.)
3. Configure Switch C:
# Enable DHCP snooping.
<SwitchC> system-view
[SwitchC] dhcp snooping enable
# Create the original VLANs and translated VLANs, and enable ARP detection for these
VLANs.
[SwitchC] vlan 101
[SwitchC-vlan101] arp detection enable
[SwitchC-vlan101] vlan 201
[SwitchC-vlan201] arp detection enable
[SwitchC-vlan201] vlan 301
[SwitchC-vlan301] arp detection enable
[SwitchC-vlan301] vlan 102
[SwitchC-vlan102] arp detection enable
[SwitchC-vlan102] vlan 202
[SwitchC-vlan202] arp detection enable
[SwitchC-vlan202] vlan 302
[SwitchC-vlan302] arp detection enable
[SwitchC-vlan302] vlan 103
[SwitchC-vlan103] arp detection enable
[SwitchC-vlan103] vlan 203
[SwitchC-vlan203] arp detection enable

248
[SwitchC-vlan203] vlan 303
[SwitchC-vlan303] arp detection enable
[SwitchC-vlan303] vlan 104
[SwitchC-vlan104] arp detection enable
[SwitchC-vlan104] vlan 204
[SwitchC-vlan204] arp detection enable
[SwitchC-vlan204] vlan 304
[SwitchC-vlan304] arp detection enable
[SwitchC-vlan304] vlan 501
[SwitchC-vlan501] arp detection enable
[SwitchC-vlan501] vlan 502
[SwitchC-vlan502] arp detection enable
[SwitchC-vlan502] vlan 503
[SwitchC-vlan503] arp detection enable
[SwitchC-vlan503] quit
# Configure customer-side port Ten-GigabitEthernet 1/0/1 as a trunk port.
[SwitchC] interface ten-gigabitethernet 1/0/1
[SwitchC-Ten-GigabitEthernet1/0/1] port link-type trunk
# Assign Ten-GigabitEthernet 1/0/1 to all original VLANs and translated VLANs.
[SwitchC-Ten-GigabitEthernet1/0/1] port trunk permit vlan 101 102 201 202 301 302 501
to 503
# Configure many-to-one VLAN mappings on Ten-GigabitEthernet 1/0/1 to map VLANs for PC,
VoD, and VoIP traffic to VLANs 501, 502, and 503, respectively.
[SwitchC-Ten-GigabitEthernet1/0/1] vlan mapping uni range 101 to 102 translated-vlan
501
[SwitchC-Ten-GigabitEthernet1/0/1] vlan mapping uni range 201 to 202 translated-vlan
502
[SwitchC-Ten-GigabitEthernet1/0/1] vlan mapping uni range 301 to 302 translated-vlan
503
# Enable DHCP snooping entry recording on Ten-GigabitEthernet 1/0/1.
[SwitchC-Ten-GigabitEthernet1/0/1] dhcp snooping binding record
[SwitchC-Ten-GigabitEthernet1/0/1] quit
# Configure customer-side port Ten-GigabitEthernet 1/0/2 as a trunk port.
[SwitchC] interface ten-gigabitethernet 1/0/2
[SwitchC-Ten-GigabitEthernet1/0/2] port link-type trunk
# Assign Ten-GigabitEthernet 1/0/2 to all original VLANs and translated VLANs.
[SwitchC-Ten-GigabitEthernet1/0/2] port trunk permit vlan 103 104 203 204 303 304 501
to 503
# Configure many-to-one VLAN mappings on Ten-GigabitEthernet 1/0/2 to map VLANs for PC,
VoD, and VoIP traffic to VLANs 501, 502, and 503, respectively.
[SwitchC-Ten-GigabitEthernet1/0/2] vlan mapping uni range 103 to 104 translated-vlan
501
[SwitchC-Ten-GigabitEthernet1/0/2] vlan mapping uni range 203 to 204 translated-vlan
502
[SwitchC-Ten-GigabitEthernet1/0/2] vlan mapping uni range 303 to 304 translated-vlan
503
# Enable recording of client information in DHCP snooping entries on Ten-GigabitEthernet
1/0/2.
[SwitchC-Ten-GigabitEthernet1/0/2] dhcp snooping binding record

249
 [SwitchC-Ten-GigabitEthernet1/0/2] quit
# Configure the network-side port (Ten-GigabitEthernet 1/0/3) to use the original VLAN tags of
the many-to-one mappings to replace the VLAN tags of the packets destined for the user
network.
[SwitchC] interface ten-gigabitethernet 1/0/3
[SwitchC-Ten-GigabitEthernet1/0/3] vlan mapping nni
# Configure Ten-GigabitEthernet 1/0/3 as a trunk port.
[SwitchC-Ten-GigabitEthernet1/0/3] port link-type trunk
# Assign Ten-GigabitEthernet 1/0/3 to the translated VLANs.
[SwitchC-Ten-GigabitEthernet1/0/3] port trunk permit vlan 501 to 503
# Configure Ten-GigabitEthernet 1/0/3 as a DHCP snooping trusted and ARP trusted port.
[SwitchC-Ten-GigabitEthernet1/0/3] dhcp snooping trust
[SwitchC-Ten-GigabitEthernet1/0/3] arp detection trust
[SwitchC-Ten-GigabitEthernet1/0/3] quit
4. Configure Switch D:
# Create the translated VLANs.
<SwitchD> system-view
[SwitchD] vlan 501 to 503
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port.
<SwitchD> system-view
[SwitchD] interface ten-gigabitethernet 1/0/1
[SwitchD-Ten-GigabitEthernet1/0/1] port link-type trunk
# Assign Ten-GigabitEthernet 1/0/1 to the translated VLANs.
[SwitchD-Ten-GigabitEthernet1/0/1] port trunk permit vlan 501 to 503
[SwitchD-Ten-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify VLAN mapping information on the wiring-closet switches, for example, Switch A.
[SwitchA] display vlan mapping
Interface Ten-GigabitEthernet1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
1 N/A 101 N/A
2 N/A 201 N/A
3 N/A 301 N/A
Interface Ten-GigabitEthernet1/0/2:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
1 N/A 102 N/A
2 N/A 202 N/A
3 N/A 302 N/A

# Verify VLAN mapping information on Switch C.

[SwitchC] display vlan mapping
Interface Ten-GigabitEthernet1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
101-102 N/A 501 N/A
201-202 N/A 502 N/A
301-302 N/A 503 N/A
Interface Ten-GigabitEthernet1/0/2:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN

250
 103-104 N/A 501 N/A
203-204 N/A 502 N/A
303-304 N/A 503 N/A

One-to-two and two-to-two VLAN mapping configuration

example
Network requirements
As shown in Figure 82:
• Two VPN A branches, Site 1 and Site 2, are in VLAN 5 and VLAN 6, respectively.
• The two sites use different VPN access services from different service providers, SP 1 and SP
2.
• SP 1 assigns VLAN 100 to Site 1 and Site 2. SP 2 assigns VLAN 200 to Site 1 and Site 2.
Configure one-to-two VLAN mappings and two-to-two VLAN mappings to enable the two branches
to communicate across networks SP 1 and SP 2.
Figure 82 Network diagram

Configuration procedure
1. Configure PE 1:
# Create VLANs 5 and 100.
<PE1> system-view
[PE1] vlan 5
[PE1-vlan5] quit
[PE1] vlan 100
[PE1-vlan100] quit
# Configure a one-to-two VLAN mapping on the customer-side port (Ten-GigabitEthernet 1/0/1)
to add SVLAN tag 100 to packets from VLAN 5.
[PE1] interface ten-gigabitethernet 1/0/1
[PE1-Ten-GigabitEthernet1/0/1] vlan mapping nest single 5 nested-vlan 100
# Configure Ten-GigabitEthernet 1/0/1 as a hybrid port.
[PE1-Ten-GigabitEthernet1/0/1] port link-type hybrid
# Assign Ten-GigabitEthernet 1/0/1 to VLAN 5 as a tagged member.
[PE1-Ten-GigabitEthernet1/0/1] port hybrid vlan 5 tagged

251
 # Assign Ten-GigabitEthernet 1/0/1 to VLAN 100 as an untagged member.
[PE1-Ten-GigabitEthernet1/0/1] port hybrid vlan 100 untagged
[PE1-Ten-GigabitEthernet1/0/1] quit
# Configure the network-side port (Ten-GigabitEthernet 1/0/2) as a trunk port.
[PE1] interface ten-gigabitethernet 1/0/2
[PE1-Ten-GigabitEthernet1/0/2] port link-type trunk
# Assign Ten-GigabitEthernet 1/0/2 to VLAN 100.
[PE1-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100
[PE1-Ten-GigabitEthernet1/0/2] quit
2. Configure PE 2:
# Create VLAN 100.
<PE2> system-view
[PE2] vlan 100
[PE2-vlan100] quit
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port.
[PE2] interface ten-gigabitethernet 1/0/1
[PE2-Ten-GigabitEthernet1/0/1] port link-type trunk
# Assign Ten-GigabitEthernet 1/0/1 to VLAN 100.
[PE2-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100
[PE2-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port.
[PE2] interface ten-gigabitethernet 1/0/2
[PE2-Ten-GigabitEthernet1/0/2] port link-type trunk
# Assign Ten-GigabitEthernet 1/0/2 to VLAN 100.
[PE2-Ten-GigabitEthernet1/0/2] port trunk permit vlan 100
[PE2-Ten-GigabitEthernet1/0/2] quit
3. Configure PE 3:
# Create VLANs 5, 6, 100, and 200.
<PE3> system-view
[PE3] vlan 5 to 6
[PE3] vlan 100
[PE3-vlan100] quit
[PE3] vlan 200
[PE3-vlan200] quit
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port.
[PE3] interface ten-gigabitethernet 1/0/1
[PE3-Ten-GigabitEthernet1/0/1] port link-type trunk
# Assign Ten-GigabitEthernet 1/0/1 to VLANs 100 and 200.
[PE3-Ten-GigabitEthernet1/0/1] port trunk permit vlan 100 200
# Configure a two-to-two VLAN mapping on Ten-GigabitEthernet 1/0/1 to map SVLAN 100 and
CVLAN 5 to SVLAN 200 and CVLAN 6.
[PE3-Ten-GigabitEthernet1/0/1] vlan mapping tunnel 100 5 translated-vlan 200 6
[PE3-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port.
[PE3] interface ten-gigabitethernet 1/0/2
[PE3-Ten-GigabitEthernet1/0/2] port link-type trunk
# Assign Ten-GigabitEthernet 1/0/2 to VLAN 200.

252
 [PE3-Ten-GigabitEthernet1/0/2] port trunk permit vlan 200
[PE3-Ten-GigabitEthernet1/0/2] quit
4. Configure PE 4:
# Create VLANs 6 and 200.
<PE4> system-view
[PE4] vlan 6
[PE4-vlan6] quit
[PE4] vlan 200
[PE4-vlan200] quit
# Configure the network-side port (Ten-GigabitEthernet 1/0/1) as a trunk port.
[PE4] interface ten-gigabitethernet 1/0/1
[PE4-Ten-GigabitEthernet1/0/1] port link-type trunk
# Assign Ten-GigabitEthernet 1/0/1 to VLAN 200.
[PE4-Ten-GigabitEthernet1/0/1] port trunk permit vlan 200
[PE4-Ten-GigabitEthernet1/0/1] quit
# Configure the customer-side port (Ten-GigabitEthernet 1/0/2) as a hybrid port.
[PE4] interface ten-gigabitethernet 1/0/2
[PE4-Ten-GigabitEthernet1/0/2] port link-type hybrid
# Assign Ten-GigabitEthernet 1/0/2 to VLAN 6 as a tagged member.
[PE4-Ten-GigabitEthernet1/0/2] port hybrid vlan 6 tagged
# Assign Ten-GigabitEthernet 1/0/2 to VLAN 200 as an untagged member.
[PE4-Ten-GigabitEthernet1/0/2] port hybrid vlan 200 untagged
# Configure a one-to-two VLAN mapping on Ten-GigabitEthernet 1/0/2 to add SVLAN tag 200
to packets from VLAN 6.
[PE4-Ten-GigabitEthernet1/0/2] vlan mapping nest single 6 nested-vlan 200
[PE4-Ten-GigabitEthernet1/0/2] quit

Verifying the configuration

# Verify VLAN mapping information on PE 1.
[PE1] display vlan mapping
Interface Ten-GigabitEthernet1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
5 N/A 100 5

# Verify VLAN mapping information on PE 3.

[PE3] display vlan mapping
Interface Ten-GigabitEthernet1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
100 5 200 6

# Verify VLAN mapping information on PE 4.

[PE4] display vlan mapping
Interface Ten-GigabitEthernet1/0/2:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
6 N/A 200 6

253
Configuring LLDP
Overview
In a heterogeneous network, a standard configuration exchange platform ensures that different
types of network devices from different vendors can discover one another and exchange
configuration.
The Link Layer Discovery Protocol (LLDP) is specified in IEEE 802.1AB. The protocol operates on
the data link layer to exchange device information between directly connected devices. With LLDP, a
device sends local device information as TLV (type, length, and value) triplets in LLDP Data Units
(LLDPDUs) to the directly connected devices. Local device information includes its system
capabilities, management IP address, device ID, port ID, and so on. The device stores the device
information in LLDPDUs from the LLDP neighbors in a standard MIB. For more information about
MIBs, see Network Management and Monitoring Configuration Guide. LLDP enables a network
management system to quickly detect and identify Layer 2 network topology changes.

Basic concepts
LLDP agent
An LLDP agent is a mapping of an entity where LLDP runs. Multiple LLDP agents can run on the
same interface.
LLDP agents are divided into the following types:
• Nearest bridge agent.
• Nearest customer bridge agent.
• Nearest non-TPMR bridge agent.
A Two-port MAC Relay (TPMR) is a type of bridge that has only two externally-accessible bridge
ports. It supports a subset of the features of a MAC bridge. A TPMR is transparent to all frame-based
media-independent protocols except for the following protocols:
• Protocols destined to it.
• Protocols destined to reserved MAC addresses that the relay feature of the TPMR is configured
not to forward.
LLDP exchanges packets between neighbor agents and creates and maintains neighbor information
for them. Figure 83 shows the neighbor relationships for these LLDP agents. LLDP has two bridge
modes: customer bridge (CB) and service bridge (SB).
Figure 83 LLDP neighbor relationships

254
LLDP frame formats
LLDP sends device information in LLDP frames. LLDP frames are encapsulated in Ethernet II or
Subnetwork Access Protocol (SNAP) frames.
• LLDP frame encapsulated in Ethernet II
Figure 84 Ethernet II-encapsulated LLDP frame

Table 21 Fields in an Ethernet II-encapsulated LLDP frame

Field Description
MAC address to which the LLDP frame is advertised. LLDP specifies
different multicast MAC addresses as destination MAC addresses for
LLDP frames destined for agents of different types. This helps
distinguish between LLDP frames sent and received by different agent
types on the same interface. The destination MAC address is fixed to
one of the following multicast MAC addresses:
Destination MAC address • 0x0180-c200-000E for LLDP frames destined for nearest bridge
agents.
• 0x0180-c200-0000 for LLDP frames destined for nearest customer
bridge agents.
• 0x0180-c200-0003 for LLDP frames destined for nearest
non-TPMR bridge agents.
Source MAC address MAC address of the sending port.
Type Ethernet type for the upper-layer protocol. This field is 0x88CC for LLDP.
Data LLDPDU.
Frame check sequence, a 32-bit CRC value used to determine the
FCS
validity of the received Ethernet frame.

• LLDP frame encapsulated in SNAP

255
 Figure 85 SNAP-encapsulated LLDP frame

Table 22 Fields in a SNAP-encapsulated LLDP frame

Field Description
MAC address to which the LLDP frame is advertised. It is the same as
Destination MAC address
that for Ethernet II-encapsulated LLDP frames.
Source MAC address MAC address of the sending port.
SNAP type for the upper-layer protocol. This field is
Type
0xAAAA-0300-0000-88CC for LLDP.
Data LLDPDU.
Frame check sequence, a 32-bit CRC value used to determine the
FCS
validity of the received Ethernet frame.

LLDPDUs
LLDP uses LLDPDUs to exchange information. An LLDPDU comprises multiple TLVs. Each TLV
carries a type of device information, as shown in Figure 86.
Figure 86 LLDPDU encapsulation format

An LLDPDU can carry up to 32 types of TLVs. Mandatory TLVs include Chassis ID TLV, Port ID TLV,
and Time to Live TLV. Other TLVs are optional.
TLVs
A TLV is an information element that contains the type, length, and value fields.
LLDPDU TLVs include the following categories:
• Basic management TLVs
• Organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs
• LLDP-MED (media endpoint discovery) TLVs
Basic management TLVs are essential to device management.
Organizationally specific TLVs and LLDP-MED TLVs are used for enhanced device management.
They are defined by standardization or other organizations and are optional for LLDPDUs.
• Basic management TLVs
Table 23 lists the basic management TLV types. Some of them are mandatory for LLDPDUs.

256
 Table 23 Basic management TLVs

Type Description Remarks

Chassis ID Specifies the bridge MAC address of the sending device.
Specifies the ID of the sending port:
• If the LLDPDU carries LLDP-MED TLVs, the port ID
Port ID
TLV carries the MAC address of the sending port. Mandatory.
• Otherwise, the port ID TLV carries the port name.
Specifies the life of the transmitted information on the
Time to Live
receiving device.
End of LLDPDU Marks the end of the TLV sequence in the LLDPDU.
Port Description Specifies the description for the sending port.
System Name Specifies the assigned name of the sending device.
System Description Specifies the description for the sending device.
Identifies the primary features of the sending device and the Optional.
System Capabilities
enabled primary features.
Specifies the following elements:
• The management address of the local device.
Management Address
• The interface number and object identifier (OID)
associated with the address.

• IEEE 802.1 organizationally specific TLVs

Table 24 IEEE 802.1 organizationally specific TLVs

Type Description
Port VLAN ID (PVID) Specifies the port VLAN identifier.
Port And Protocol VLAN ID Indicates whether the device supports protocol VLANs and, if so, what
(PPVID) VLAN IDs these protocols will be associated with.
VLAN Name Specifies the textual name of any VLAN to which the port belongs.
Protocol Identity Indicates protocols supported on the port.
Data center bridging exchange protocol.
DCBX NOTE:
Switches of this series do not support DCBX TLVs.
Edge Virtual Bridging module, including EVB TLV and CDCP TLV.
EVB module NOTE:
Switches of this series do not support EVB TLVs.
Indicates whether the port supports link aggregation, and if yes,
Link Aggregation
whether link aggregation is enabled.
Management VID Management VLAN ID.
VID Usage Digest VLAN ID usage digest.
ETS Configuration Enhanced Transmission Selection configuration.
ETS Recommendation ETS recommendation.
PFC Priority-based Flow Control.
APP Application protocol.

257
 Type Description
QCN Quantized Congestion Notification.

NOTE:
• HPE devices support only receiving protocol identity TLVs and VID usage digest TLVs.
• Layer 3 Ethernet ports support only link aggregation TLVs.

• IEEE 802.3 organizationally specific TLVs

Table 25 IEEE 802.3 organizationally specific TLVs

Type Description
Contains the bit-rate and duplex capabilities of the port, support
MAC/PHY Configuration/Status for autonegotiation, enabling status of autonegotiation, and the
current rate and duplex mode.
Contains the power supply capabilities of the port:
• Port class (PSE or PD).
• Power supply mode.
• Whether PSE power supply is supported.
• Whether PSE power supply is enabled.
Power Via MDI • Whether pair selection can be controlled.
• Power supply type.
• Power source.
• Power priority.
• PD requested power.
• PSE allocated power.
Maximum Frame Size Indicates the supported maximum frame size.
Indicates the power state control configured on the sending
port, including the following:
Power Stateful Control • Power supply mode of the PSE/PD.
• PSE/PD priority.
• PSE/PD power.
Energy-Efficient Ethernet Indicates Energy Efficient Ethernet (EEE).

NOTE:
The Power Stateful Control TLV is defined in IEEE P802.3at D1.0 and is not supported in later
versions. HPE devices send this type of TLVs only after receiving them.

• LLDP-MED TLVs
LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as
basic configuration, network policy configuration, and address and directory management.
LLDP-MED TLVs provide a cost-effective and easy-to-use solution for deploying voice devices
in Ethernet. LLDP-MED TLVs are shown in Table 26.
Table 26 LLDP-MED TLVs

Type Description
Allows a network device to advertise the LLDP-MED TLVs that it
LLDP-MED Capabilities
supports.

258
 Type Description
Allows a network device or terminal device to advertise the
Network Policy VLAN ID of a port, the VLAN type, and the Layer 2 and Layer 3
priorities for specific applications.
Allows a network device or terminal device to advertise power
Extended Power-via-MDI supply capability. This TLV is an extension of the Power Via MDI
TLV.
Hardware Revision Allows a terminal device to advertise its hardware version.
Firmware Revision Allows a terminal device to advertise its firmware version.
Software Revision Allows a terminal device to advertise its software version.
Serial Number Allows a terminal device to advertise its serial number.
Manufacturer Name Allows a terminal device to advertise its vendor name.
Model Name Allows a terminal device to advertise its model name.
Allows a terminal device to advertise its asset ID. The typical
Asset ID case is that the user specifies the asset ID for the endpoint to
facilitate directory management and asset tracking.
Allows a network device to advertise the appropriate location
Location Identification identifier information for a terminal device to use in the context of
location-based applications.

NOTE:
• If the MAC/PHY configuration/status TLV is not advertisable, none of the LLDP-MED TLVs
will be advertised even if they are advertisable.
• If the LLDP-MED capabilities TLV is not advertisable, the other LLDP-MED TLVs will not be
advertised even if they are advertisable.

Management address
The network management system uses the management address of a device to identify and manage
the device for topology maintenance and network management. The management address is
encapsulated in the management address TLV.

Working mechanism
LLDP operating modes
An LLDP agent can operate in one of the following modes:
• TxRx mode—An LLDP agent in this mode can send and receive LLDP frames.
• Tx mode—An LLDP agent in this mode can only send LLDP frames.
• Rx mode—An LLDP agent in this mode can only receive LLDP frames.
• Disable mode—An LLDP agent in this mode cannot send or receive LLDP frames.
Each time the LLDP operating mode of an LLDP agent changes, its LLDP protocol state machine
reinitializes. A configurable reinitialization delay prevents frequent initializations caused by frequent
changes to the operating mode. If you configure the reinitialization delay, an LLDP agent must wait
the specified amount of time to initialize LLDP after the LLDP operating mode changes.
Transmitting LLDP frames
An LLDP agent operating in TxRx mode or Tx mode sends LLDP frames to its directly connected
devices both periodically and when the local configuration changes. To prevent LLDP frames from
overwhelming the network during times of frequent changes to local device information, LLDP uses

259
 the token bucket mechanism to rate limit LLDP frames. For more information about the token bucket
mechanism, see ACL and QoS Configuration Guide.
LLDP automatically enables the fast LLDP frame transmission mechanism in either of the following
cases:
• A new LLDP frame is received and carries device information new to the local device.
• The LLDP operating mode of the LLDP agent changes from Disable or Rx to TxRx or Tx.
The fast LLDP frame transmission mechanism successively sends the specified number of LLDP
frames at a configurable fast LLDP frame transmission interval. The mechanism helps LLDP
neighbors discover the local device as soon as possible. Then, the normal LLDP frame transmission
interval resumes.
Receiving LLDP frames
An LLDP agent operating in TxRx mode or Rx mode confirms the validity of TLVs carried in every
received LLDP frame. If the TLVs are valid, the LLDP agent saves the information and starts an
aging timer. The initial value of the aging timer is equal to the TTL value in the Time To Live TLV
carried in the LLDP frame. When the LLDP agent receives a new LLDP frame, the aging timer
restarts. When the aging timer decreases to zero, all saved information ages out.

Protocols and standards

• IEEE 802.1AB-2005, Station and Media Access Control Connectivity Discovery
• IEEE 802.1AB-2009, Station and Media Access Control Connectivity Discovery
• ANSI/TIA-1057, Link Layer Discovery Protocol for Media Endpoint Devices
• DCB Capability Exchange Protocol Specification Rev 1.00
• DCB Capability Exchange Protocol Base Specification Rev 1.01
• IEEE Std 802.1Qaz-2011, Media Access Control (MAC) Bridges and Virtual Bridged Local Area
Networks-Amendment 18: Enhanced Transmission Selection for Bandwidth Sharing Between
Traffic Classes

LLDP configuration task list

Tasks at a glance
Performing basic LLDP configurations:
• (Required.) Enabling LLDP
• (Optional.) Setting the LLDP bridge mode
• (Optional.) Setting the LLDP operating mode
• (Optional.) Setting the LLDP reinitialization delay
• (Optional.) Enabling LLDP polling
• (Optional.) Configuring the advertisable TLVs
• (Optional.) Configuring the management address and its encoding format
• (Optional.) Setting other LLDP parameters
• (Optional.) Setting an encapsulation format for LLDP frames
• (Optional.) Disabling LLDP PVID inconsistency check
(Optional.) Configuring CDP compatibility
(Optional.) Configuring LLDP trapping and LLDP-MED trapping

260
Performing basic LLDP configurations
Enabling LLDP
To make LLDP take effect on specific ports, you must enable LLDP both globally and on these ports.
To use LLDP together with OpenFlow, you must enable LLDP globally on OpenFlow switches. To
prevent LLDP from affecting topology discovery of OpenFlow controllers, disable LLDP on ports of
OpenFlow instances. For more information about OpenFlow, see OpenFlow Configuration Guide.
To enable LLDP:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enable LLDP globally. By default, LLDP is

lldp global enable
enabled globally.
3. Enter Layer 2/Layer 3 Ethernet interface
view, management Ethernet interface interface interface-type
view, Layer 2/Layer 3 aggregate interface N/A
interface-number
view, or IRF physical interface view.

4. Enable LLDP. By default, LLDP is

lldp enable
enabled on a port.

NOTE:
An LLDP-enabled IRF physical interface supports only the nearest bridge agents.

Setting the LLDP bridge mode

The following LLDP bridge modes are available:
• Customer bridge mode—LLDP supports nearest bridge agents, nearest non-TPMR bridge
agents, and nearest customer bridge agents. LLDP processes the LLDP frames with
destination MAC addresses for these agents and transparently transmits the LLDP frames with
other destination MAC addresses in the VLAN.
• Service bridge mode—LLDP supports nearest bridge agents and nearest non-TPMR bridge
agents. LLDP processes the LLDP frames with destination MAC addresses for these agents
and transparently transmits the LLDP frames with other destination MAC addresses in the
VLAN.
To set the LLDP bridge mode:

Step Command Remarks

1. Enter system view. system-view N/A
2. Set the LLDP bridge mode By default, LLDP operates in
to service bridge. lldp mode service-bridge
customer bridge mode.

Setting the LLDP operating mode

Step Command Remarks
1. Enter system view. system-view N/A

261
 Step Command Remarks
2. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet
interface view, Layer interface interface-type
N/A
2/Layer 3 aggregate interface-number
interface view, or IRF
physical interface view.
By default:
• The nearest bridge agent
• In Layer 2/Layer 3 Ethernet operates in txrx mode.
interface view or management
• The nearest customer
Ethernet interface view:
bridge agent and nearest
lldp [ agent { nearest-customer
non-TPMR bridge agent
| nearest-nontpmr } ]
operate in disable mode.
admin-status { disable | rx | tx |
txrx } In Ethernet interface view, if you
3. Set the LLDP operating • In Layer 2/Layer 3 aggregate do not specify an agent type, the
mode. interface view: command sets the operating
lldp agent { nearest-customer | mode for nearest bridge agents.
nearest-nontpmr } In aggregate interface view, you
admin-status { disable | rx | tx | can set the operating mode only
txrx } for nearest customer bridge
• In IRF physical interface view: agents and nearest non-TPMR
lldp admin-status { disable | rx | bridge agents.
tx | txrx } In IRF physical interface view,
you can set the operating mode
only for nearest bridge agents.

Setting the LLDP reinitialization delay

When the LLDP operating mode changes on a port, the port initializes the protocol state machines
after an LLDP reinitialization delay. By adjusting the delay, you can avoid frequent initializations
caused by frequent changes to the LLDP operating mode on a port.
To set the LLDP reinitialization delay for ports:

Step Command Remarks

1. Enter system view. system-view N/A
2. Set the LLDP reinitialization
delay. lldp timer reinit-delay delay The default setting is 2 seconds.

Enabling LLDP polling

With LLDP polling enabled, a device periodically searches for local configuration changes. When the
device detects a configuration change, it sends LLDP frames to inform neighboring devices of the
change.
To enable LLDP polling:

Step Command Remarks

1. Enter system view. system-view N/A

262
 Step Command Remarks
2. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet interface interface-type
interface view, Layer 2/Layer N/A
interface-number
3 aggregate interface view, or
IRF physical interface view.
• In Layer 2/Layer 3 Ethernet
interface view or management
Ethernet interface view:
lldp [ agent { nearest-customer |
nearest-nontpmr } ]
check-change-interval interval
3. Enable LLDP polling and set • In Layer 2/Layer 3 aggregate By default, LLDP polling is
the polling interval. interface view: disabled.
lldp agent { nearest-customer |
nearest-nontpmr }
check-change-interval interval
• In IRF physical interface view:
lldp check-change-interval
interval

Configuring the advertisable TLVs

Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet
interface view, Layer interface interface-type
N/A
2/Layer 3 aggregate interface-number
interface view, or IRF
physical interface view.

263
Step Command Remarks
• lldp tlv-enable { basic-tlv { all |
port-description |
system-capability |
system-description |
system-name |
management-address-tlv
[ ipv6 ] [ ip-address ] } | dot1-tlv
{ all | congestion-notification |
port-vlan-id | link-aggregation
| protocol-vlan-id [ vlan-id ] |
vlan-name [ vlan-id ] |
management-vid [ mvlan-id ] } |
dot3-tlv { all | mac-physic |
max-frame-size | power } |
med-tlv { all | capability | By default:
inventory | network-policy • Nearest bridge agents can
[ vlan-id ] | advertise all LLDP TLVs
power-over-ethernet | except the location
location-id { civic-address identification, port and
device-type country-code protocol VLAN ID, VLAN
{ ca-type ca-value }&<1-10> | name, and management
3. Configure the advertisable elin-address tel-number } } } VLAN ID TLVs.
TLVs (in Layer 2 Ethernet
• lldp agent nearest-nontpmr • Nearest non-TPMR bridge
interface view).
tlv-enable { basic-tlv { all | agents do not advertise
port-description | TLVs.
system-capability |
• Nearest customer bridge
system-description |
agents can advertise basic
system-name |
TLVs and IEEE 802.1
management-address-tlv
organizationally specific
[ ipv6 ] [ ip-address ] } | dot1-tlv
TLVs.
{ all | congestion-notification |
port-vlan-id |
link-aggregation } }
• lldp agent nearest-customer
tlv-enable { basic-tlv { all |
port-description |
system-capability |
system-description |
system-name |
management-address-tlv
[ ipv6 ] [ ip-address ] } | dot1-tlv
{ all | congestion-notification |
port-vlan-id |
link-aggregation } }

264
Step Command Remarks
• lldp tlv-enable { basic-tlv { all |
port-description |
system-capability |
system-description |
system-name |
management-address-tlv
[ ipv6 ] [ ip-address | interface By default:
loopback interface-number ] } | • Nearest bridge agents can
dot1-tlv { all | advertise all types of LLDP
link-aggregation } | dot3-tlv TLVs (only link aggregation
{ all | mac-physic | TLV is supported in 802.1
max-frame-size | power } | organizationally specific
med-tlv { all | capability | TLVs) except the network
4. Configure the advertisable inventory | policy TLV.
TLVs (in Layer 3 Ethernet power-over-ethernet | • Nearest non-TPMR bridge
interface view). location-id { civic-address agents do not advertise
device-type country-code TLVs.
{ ca-type ca-value }&<1-10> |
elin-address tel-number } } } • Nearest customer bridge
agents can advertise basic
• lldp agent { nearest-nontpmr | TLVs and IEEE 802.1
nearest-customer } tlv-enable organizationally specific
{ basic-tlv { all | TLVs (only link aggregation
port-description | TLV is supported).
system-capability |
system-description |
system-name |
management-address-tlv
[ ipv6 ] [ ip-address ] } | dot1-tlv
{ all | link-aggregation } }
• lldp tlv-enable { basic-tlv { all |
port-description |
system-capability |
system-description |
system-name |
management-address-tlv By default:
[ ipv6 ] [ ip-address ] } | dot1-tlv • Nearest bridge agents can
{ all | link-aggregation } | advertise all types of LLDP
dot3-tlv { all | mac-physic | TLVs (only link aggregation
max-frame-size | power } | TLV is supported in 802.1
med-tlv { all | capability | organizationally specific
inventory | TLVs) except the network
5. Configure the advertisable power-over-ethernet | policy TLV.
TLVs (in management location-id { civic-address • Nearest non-TPMR bridge
Ethernet interface view). device-type country-code agents do not advertise
{ ca-type ca-value }&<1-10> | TLVs.
elin-address tel-number } } }
• Nearest customer bridge
• lldp agent { nearest-nontpmr | agents can advertise basic
nearest-customer } tlv-enable TLVs and IEEE 802.1
{ basic-tlv { all | organizationally specific
port-description | TLVs (only link aggregation
system-capability | TLV is supported).
system-description |
system-name |
management-address-tlv
[ ipv6 ] [ ip-address ] } | dot1-tlv
{ all | link-aggregation } }

265
 Step Command Remarks
• lldp agent nearest-nontpmr
tlv-enable { basic-tlv { all |
management-address-tlv
[ ipv6 ] [ ip-address ] | By default:
port-description | • Nearest non-TPMR bridge
system-capability | agents do not advertise
system-description | TLVs.
system-name } | dot1-tlv { all | • Nearest customer bridge
port-vlan-id } } agents can advertise basic
• lldp agent nearest-customer TLVs and IEEE 802.1
6. Configure the advertisable
tlv-enable { basic-tlv { all | organizationally specific
TLVs (in Layer 2 aggregate
interface view).
management-address-tlv TLVs (only port and
[ ipv6 ] [ ip-address ] | protocol VLAN ID, VLAN
port-description | name, and management
system-capability | VLAN ID TLVs are
system-description | supported).
system-name } | dot1-tlv { all |
Nearest bridge agents are not
port-vlan-id } }
supported on Layer 2 aggregate
• lldp tlv-enable dot1-tlv interfaces.
{ protocol-vlan-id [ vlan-id ] |
vlan-name [ vlan-id ] |
management-vid [ mvlan-id ] }
By default:
lldp agent { nearest-nontpmr | • Nearest non-TPMR bridge
nearest-customer } tlv-enable agents do not advertise
basic-tlv { all | TLVs.
7. Configure the advertisable
TLVs (in Layer 3 aggregate management-address-tlv [ ipv6 ] • Nearest customer bridge
interface view). [ ip-address ] | port-description | agents can advertise only
system-capability | basic TLVs.
system-description |
Nearest bridge agents are not
system-name }
supported on Layer 3 aggregate
interfaces.
An LLDP-enabled IRF physical
lldp tlv-enable basic-tlv interface supports only the
8. Configure the advertisable { port-description | nearest bridge agent.
TLVs (in IRF physical system-capability |
interface view). system-description | By default, nearest bridge
system-name } agents can advertise all types of
LLDP TLVs.

Configuring the management address and its encoding

format
LLDP encodes management addresses in numeric or string format in management address TLVs.
If a neighbor encodes its management address in string format, set the encoding format of the
management address to string on the connecting port. This guarantees normal communication with
the neighbor.
To configure a management address to be advertised and its encoding format on a port:

Step Command Remarks

1. Enter system view. system-view N/A

266
 Step Command Remarks
2. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet interface interface-type
interface view, or Layer N/A
interface-number
2/Layer 3 aggregate
interface view.
• In Layer 2 Ethernet interface
view or management Ethernet
interface view:
lldp [ agent
{ nearest-customer |
nearest-nontpmr } ] tlv-enable By default:
basic-tlv • Nearest bridge agents
management-address-tlv and nearest customer
[ ipv6 ] [ ip-address ] bridge agents can
• In Layer 3 Ethernet interface advertise the
3. Allow LLDP to advertise the view: management address in
management address in lldp [ agent LLDP frames.
LLDP frames and configure { nearest-customer | • Nearest non-TPMR
the advertised management nearest-nontpmr } ] tlv-enable bridge agents cannot
address. basic-tlv advertise the
management-address-tlv management address in
[ ipv6 ] [ ip-address ] | interface LLDP frames.
loopback interface-number ]
The device supports only the
• In Layer 2/Layer 3 aggregate numeric encoding format for
interface view: IPv6 management addresses.
lldp agent { nearest-customer
| nearest-nontpmr } tlv-enable
basic-tlv
management-address-tlv
[ ipv6 ] [ ip-address ]
• In Layer 2/Layer 3 Ethernet
interface view or management
Ethernet interface view:
lldp [ agent
{ nearest-customer |
nearest-nontpmr } ]
4. Set the encoding format of management-address-format By default, the encoding
the management address to string format of the management
string. address is numeric.
• In Layer 2/Layer 3 aggregate
interface view:
lldp agent { nearest-customer
| nearest-nontpmr }
management-address-format
string

Setting other LLDP parameters

The Time to Live TLV carried in an LLDPDU determines how long the device information carried in
the LLDPDU can be saved on a recipient device.
By setting the TTL multiplier, you can configure the TTL of locally sent LLDPDUs. The TTL is
expressed by using the following formula:
TTL = Min (65535, (TTL multiplier × LLDP frame transmission interval + 1))
As the expression shows, the TTL can be up to 65535 seconds. TTLs greater than 65535 will be
rounded down to 65535 seconds.
To set LLDP parameters:

267
 Step Command Remarks
1. Enter system view. system-view N/A
2. Set the TTL multiplier. lldp hold-multiplier value The default setting is 4.
3. Set the LLDP frame The default setting is 30
transmission interval. lldp timer tx-interval interval
seconds.
4. Set the token bucket size for
sending LLDP frames. lldp max-credit credit-value The default setting is 5.

5. Set the number of LLDP

frames sent each time fast
LLDP frame transmission is lldp fast-count count The default setting is 4.
triggered.
6. Set the fast LLDP frame
transmission interval. lldp timer fast-interval interval The default setting is 1 second.

Setting an encapsulation format for LLDP frames

LLDP frames can be encapsulated in the following formats:
• Ethernet II—With Ethernet II encapsulation configured, an LLDP port sends LLDP frames in
Ethernet II frames.
• SNAP—With SNAP encapsulation configured, an LLDP port sends LLDP frames in SNAP
frames.
Earlier versions of LLDP require the same encapsulation format on both ends to process LLDP
frames. To successfully communicate with a neighboring device running an earlier version of LLDP,
the local device must be set with the same encapsulation format.
To set the encapsulation format for LLDP frames to SNAP:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet
interface view, Layer interface interface-type interface-number N/A
2/Layer 3 aggregate
interface view, or IRF
physical interface view.
• In Layer 2/Layer 3 Ethernet interface
view or management Ethernet
interface view:
lldp [ agent { nearest-customer |
nearest-nontpmr } ] encapsulation
3. Set the encapsulation snap By default, Ethernet II
format for LLDP frames to • In Layer 2/Layer 3 aggregate interface encapsulation format
SNAP. view: applies.
lldp agent { nearest-customer |
nearest-nontpmr } encapsulation
snap
• In IRF physical interface view:
lldp encapsulation snap

268
Disabling LLDP PVID inconsistency check
By default, when the system receives an LLDP packet, it compares the PVID value contained in
packet with the PVID configured on the receiving interface. If the two PVIDs do not match, a log
message will be printed to notify the user.
You can disable PVID inconsistency check if different PVIDs are required on a link.
To disable LLDP PVID inconsistency check:

Step Command Remarks

1. Enter system view. system-view N/A

2. Disable LLDP PVID By default, LLDP PVID

inconsistency check. lldp ignore-pvid-inconsistency inconsistency check is
enabled.

Configuring CDP compatibility

To enable your device to exchange information with a directly connected Cisco device that supports
only CDP, you must enable CDP compatibility.
CDP compatibility enables your device to receive and recognize CDP packets from the neighboring
CDP device and send CDP packets to the neighboring device. The CDP packets sent to the
neighboring CDP device carry the following information:
• Device ID.
• ID of the port connecting to the neighboring device.
• Port IP address.
• TTL.
The port IP address is the primary IP address of a VLAN interface in up state. The VLAN ID of the
VLAN interface must be the lowest among the VLANs permitted on the port. If no VLAN interfaces of
the permitted VLANs are assigned an IP address or all VLAN interfaces are down, no port IP address
will be advertised.
You can view the neighboring CDP device information that can be recognized by the device in the
output of the display lldp neighbor-information command. For more information about the display
lldp neighbor-information command, see Layer 2—LAN Switching Command Reference.
To make your device work with Cisco IP phones, you must enable CDP compatibility.
If your LLDP-enabled device cannot recognize CDP packets, it does not respond to the requests of
Cisco IP phones for the voice VLAN ID configured on the device. As a result, a requesting Cisco IP
phone sends voice traffic without any tag to your device. Your device cannot differentiate the voice
traffic from other types of traffic.
CDP compatibility enables your device to receive and recognize CDP packets from a Cisco IP phone
and respond with CDP packets carrying TLVs with the configured voice VLAN. If no voice VLAN is
configured for CDP packets, CDP packets carry the voice VLAN of the port or the voice VLAN
assigned by the RADIUS server. The assigned voice VLAN has a higher priority. According to TLVs
with the voice VLAN configuration, the IP phone automatically configures the voice VLAN. As a result,
the voice traffic is confined in the configured voice VLAN and is differentiated from other types of
traffic.
For more information about voice VLANs, see "Configuring voice VLANs."
When the device is connected to a Cisco IP phone that has a host attached to its data port, the host
must access the network through the Cisco IP phone. If the data port goes down, the IP phone will
send a CDP packet to the device so the device can log out the user.

269
Configuration prerequisites
Before you configure CDP compatibility, complete the following tasks:
• Globally enable LLDP.
• Enable LLDP on the port connecting to a CDP device.
• Configure LLDP to operate in TxRx mode on the port.

Configuration procedure
CDP-compatible LLDP operates in one of the following modes:
• TxRx—CDP packets can be transmitted and received.
• Rx—CDP packets can be received but cannot be transmitted.
• Disable—CDP packets cannot be transmitted or received.
To make CDP-compatible LLDP take effect on a port, follow these steps:
1. Enable CDP-compatible LLDP globally.
2. Configure CDP-compatible LLDP to operate in TxRx mode on the port.
The maximum TTL value that CDP allows is 255 seconds. To make CDP-compatible LLDP work
correctly with CDP devices, configure the LLDP frame transmission interval to be no more than 1/3 of
the TTL value.
To configure LLDP to be compatible with CDP:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable CDP compatibility By default, CDP compatibility is
globally. lldp compliance cdp
disabled globally.
3. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet interface interface-type
interface view, or Layer N/A
interface-number
2/Layer 3 aggregate
interface view.
4. Configure CDP-compatible
LLDP to operate in TxRx lldp compliance admin-status By default, CDP-compatible LLDP
mode. cdp txrx operates in disable mode.

5. Set the voice VLAN ID By default, no voice VLAN ID is

carried in CDP packets. cdp voice-vlan vlan-id configured to be carried in CDP
packets.

Configuring LLDP trapping and LLDP-MED

trapping
LLDP trapping or LLDP-MED trapping notifies the network management system of events such as
newly detected neighboring devices and link failures.
To prevent excessive LLDP traps from being sent when the topology is unstable, set a trap
transmission interval for LLDP.
To configure LLDP trapping and LLDP-MED trapping:

270
 Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet
interface view, Layer interface interface-type interface-number N/A
2/Layer 3 aggregate
interface view, or IRF
physical interface view.
• In Layer 2/Layer 3 Ethernet interface
view or management Ethernet
interface view:
lldp [ agent { nearest-customer |
nearest-nontpmr } ] notification
remote-change enable
• In Layer 2/Layer 3 aggregate interface By default, LLDP trapping
3. Enable LLDP trapping.
view: is disabled.
lldp agent { nearest-customer |
nearest-nontpmr } notification
remote-change enable
• In IRF physical interface view:
lldp notification remote-change
enable
4. Enable LLDP-MED
trapping (in Layer 2/Layer
3 Ethernet interface view lldp notification med-topology-change By default, LLDP-MED
or management Ethernet enable trapping is disabled.
interface view).
5. Return to system view. quit N/A
6. (Optional.) Set the LLDP The default setting is 30
trap transmission interval. lldp timer notification-interval interval
seconds.

Displaying and maintaining LLDP

Execute display commands in any view.

Task Command
Display local LLDP display lldp local-information [ global | interface interface-type
information. interface-number ]
Display the information
display lldp neighbor-information [ [ [ interface interface-type
contained in the LLDP
interface-number ] [ agent { nearest-bridge | nearest-customer |
TLVs sent from
nearest-nontpmr } ] [ verbose ] ] | list [ system-name system-name ] ]
neighboring devices.
display lldp statistics [ global | [ interface interface-type interface-number ]
Display LLDP statistics.
[ agent { nearest-bridge | nearest-customer | nearest-nontpmr } ] ]
Display LLDP status of a display lldp status [ interface interface-type interface-number ] [ agent
port. { nearest-bridge | nearest-customer | nearest-nontpmr } ]
Display types of
display lldp tlv-config [ interface interface-type interface-number ] [ agent
advertisable optional LLDP
{ nearest-bridge | nearest-customer | nearest-nontpmr } ]
TLVs.

271
LLDP configuration examples
Basic LLDP configuration example
Network requirements
As shown in Figure 87, enable LLDP globally on Switch A and Switch B to perform the following
tasks:
• Monitor the link between Switch A and Switch B on the NMS.
• Monitor the link between Switch A and the MED device on the NMS.
Figure 87 Network diagram

Configuration procedure
1. Configure Switch A:
# Enable LLDP globally.
<SwitchA> system-view
[SwitchA] lldp global enable
# Enable LLDP on Ten-GigabitEthernet 1/0/1. By default, LLDP is enabled on ports.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] lldp enable
# Set the LLDP operating mode to Rx on Ten-GigabitEthernet 1/0/1.
[SwitchA-Ten-GigabitEthernet1/0/1] lldp admin-status rx
[SwitchA-Ten-GigabitEthernet1/0/1] quit
# Enable LLDP on Ten-GigabitEthernet 1/0/2. By default, LLDP is enabled on ports.
[SwitchA] interface ten-gigabitethernet 1/0/2
[SwitchA-Ten-GigabitEthernet1/0/2] lldp enable
# Set the LLDP operating mode to Rx on Ten-GigabitEthernet 1/0/2.
[SwitchA-Ten-GigabitEthernet1/0/2] lldp admin-status rx
[SwitchA-Ten-GigabitEthernet1/0/2] quit
2. Configure Switch B:
# Enable LLDP globally.
<SwitchB> system-view
[SwitchB] lldp global enable
# Enable LLDP on Ten-GigabitEthernet 1/0/1. By default, LLDP is enabled on ports.
[SwitchB] interface ten-gigabitethernet 1/0/1
[SwitchB-Ten-GigabitEthernet1/0/1] lldp enable
# Set the LLDP operating mode to Tx on Ten-GigabitEthernet 1/0/1.
[SwitchB-Ten-GigabitEthernet1/0/1] lldp admin-status tx

272
 [SwitchB-Ten-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify the following items:
• Ten-GigabitEthernet 1/0/1 of Switch A connects to a MED device.
• Ten-GigabitEthernet 1/0/2 of Switch A connects to a non-MED device.
• Both ports operate in Rx mode, and they can receive LLDP frames but cannot send LLDP
frames.
[SwitchA] display lldp status
Global status of LLDP: Enable
Bridge mode of LLDP: customer-bridge
The current number of LLDP neighbors: 2
The current number of CDP neighbors: 0
LLDP neighbor information last changed time: 0 days, 0 hours, 4 minutes, 40 seconds
Transmit interval : 30s
Fast transmit interval : 1s
Transmit credit max : 5
Hold multiplier : 4
Reinit delay : 2s
Trap interval : 30s
Fast start times : 4

LLDP status information of port 1 [Ten-GigabitEthernet1/0/1]:

LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 1
Number of MED neighbors : 1
Number of CDP neighbors : 0
Number of sent optional TLV : 21
Number of received unknown TLV : 0

LLDP agent nearest-customer:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 16
Number of received unknown TLV : 0

LLDP status information of port 2 [Ten-GigabitEthernet1/0/2]:

LLDP agent nearest-bridge:

273
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 1
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 21
Number of received unknown TLV : 3

LLDP agent nearest-nontpmr:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 1
Number of received unknown TLV : 0

LLDP agent nearest-customer:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 16
Number of received unknown TLV : 0

# Remove the link between Switch A and Switch B.

# Verify that Ten-GigabitEthernet 1/0/2 of Switch A does not connect to any neighboring devices.
[SwitchA] display lldp status
Global status of LLDP: Enable
The current number of LLDP neighbors: 1
The current number of CDP neighbors: 0
LLDP neighbor information last changed time: 0 days, 0 hours, 5 minutes, 20 seconds
Transmit interval : 30s
Fast transmit interval : 1s
Transmit credit max : 5
Hold multiplier : 4
Reinit delay : 2s
Trap interval : 30s
Fast start times : 4

274
LLDP status information of port 1 [Ten-GigabitEthernet1/0/1]:
LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 1
Number of MED neighbors : 1
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 5

LLDP agent nearest-nontpmr:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 1
Number of received unknown TLV : 0

LLDP status information of port 2 [Ten-GigabitEthernet1/0/2]:

LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 0

LLDP agent nearest-nontpmr:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0

275
 Number of sent optional TLV : 1
Number of received unknown TLV : 0

LLDP agent nearest-customer:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 16
Number of received unknown TLV : 0

CDP-compatible LLDP configuration example

Network requirements
As shown in Figure 88, Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 of Switch A are
each connected to a Cisco IP phone, which sends tagged voice traffic.
Configure voice VLAN 2 on Switch A. Enable CDP compatibility of LLDP on Switch A to allow the
Cisco IP phones to automatically configure the voice VLAN. The voice VLAN feature performs the
following operations:
• Confines the voice traffic to the voice VLAN.
• Isolates the voice traffic from other types of traffic.
Figure 88 Network diagram

Configuration procedure
1. Configure a voice VLAN on Switch A:
# Create VLAN 2.
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] quit
# Set the link type of Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 to trunk, and
enable voice VLAN on them.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-Ten-GigabitEthernet1/0/1] voice vlan 2 enable
[SwitchA-Ten-GigabitEthernet1/0/1] quit
[SwitchA] interface ten-gigabitethernet 1/0/2
[SwitchA-Ten-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-Ten-GigabitEthernet1/0/2] voice vlan 2 enable
[SwitchA-Ten-GigabitEthernet1/0/2] quit
2. Configure CDP-compatible LLDP on Switch A:

276
 # Enable LLDP globally, and enable CDP compatibility globally.
[SwitchA] lldp global enable
[SwitchA] lldp compliance cdp
# Enable LLDP on Ten-GigabitEthernet 1/0/1. By default, LLDP is enabled on ports.
[SwitchA] interface ten-gigabitethernet 1/0/1
[SwitchA-Ten-GigabitEthernet1/0/1] lldp enable
# Configure LLDP to operate in TxRx mode on Ten-GigabitEthernet 1/0/1.
[SwitchA-Ten-GigabitEthernet1/0/1] lldp admin-status txrx
# Configure CDP-compatible LLDP to operate in TxRx mode on Ten-GigabitEthernet 1/0/1.
[SwitchA-Ten-GigabitEthernet1/0/1] lldp compliance admin-status cdp txrx
[SwitchA-Ten-GigabitEthernet1/0/1] quit
# Enable LLDP on Ten-GigabitEthernet 1/0/2. By default, LLDP is enabled on ports.
[SwitchA] interface ten-gigabitethernet 1/0/2
[SwitchA-Ten-GigabitEthernet1/0/2] lldp enable
# Configure LLDP to operate in TxRx mode on Ten-GigabitEthernet 1/0/2.
[SwitchA-Ten-GigabitEthernet1/0/2] lldp admin-status txrx
# Configure CDP-compatible LLDP to operate in TxRx mode on Ten-GigabitEthernet 1/0/2.
[SwitchA-Ten-GigabitEthernet1/0/2] lldp compliance admin-status cdp txrx
[SwitchA-Ten-GigabitEthernet1/0/2] quit

Verifying the configuration

# Verify that Switch A has completed the following operations:
• Discovering the IP phones connected to Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet
1/0/2.
• Obtaining IP phone information.
[SwitchA] display lldp neighbor-information

CDP neighbor-information of port 1[Ten-GigabitEthernet1/0/1]:

CDP neighbor index : 1
Chassis ID : SEP00141CBCDBFE
Port ID : Port 1
Software version : P0030301MFG2
Platform : Cisco IP Phone 7960
Duplex : Full

CDP neighbor-information of port 2[Ten-GigabitEthernet1/0/2]:

CDP neighbor index : 2
Chassis ID : SEP00141CBCDBFF
Port ID : Port 1
Software version : P0030301MFG2
Platform : Cisco IP Phone 7960
Duplex : Full

277
Configuring L2PT
Overview
Layer 2 Protocol Tunneling (L2PT) can transparently send Layer 2 protocol packets from
geographically dispersed customer networks across a service provider network.

Background
Dedicated lines are used in a service provider network to build user-specific Layer 2 networks. As a
result, a customer network contains sites located at different sides of the service provider network.
As shown in Figure 89, Customer A's network is divided into network 1 and network 2, which are
connected by the service provider network. For Customer A's network to implement Layer 2 protocol
calculations, the Layer 2 protocol packets must be transmitted across the service provider network.
Upon receiving a Layer 2 protocol packet, the PEs cannot determine whether the packet is from the
customer network or the service provider network. They must deliver the packet to the CPU for
processing. In this case, the Layer 2 protocol calculation in Customer A's network is mixed with the
Layer 2 protocol calculation in the service provider network. Neither the customer network nor the
service provider network can implement independent Layer 2 protocol calculations.
Figure 89 L2PT application scenarios

L2PT is introduced to resolve the problem. L2PT provides the following functions:
• Multicasts Layer 2 protocol packets from a customer network in a VLAN. Dispersed customer
networks can complete an independent Layer 2 protocol calculation, which is transparent to the
service provider network.
• Isolates Layer 2 protocol packets from different customer networks through different VLANs.
HPE devices support L2PT for the following protocols:
• CDP.
• DLDP.
• EOAM.
• GVRP.
• LACP.
• LLDP.
• MVRP.
• PAgP.

278
 • PVST.
• STP (including STP, RSTP, and MSTP).
• UDLD.
• VTP.

L2PT operating mechanism

As shown in Figure 90, L2PT operates as follows:
• When a port of PE 1 receives a Layer 2 protocol packet from the customer network in a VLAN,
it performs the following operations:
{ Multicasts the packet out of all customer-facing ports in the VLAN except the receiving port.
{ Changes the packet's destination multicast MAC address to a specified multicast address,
and multicasts it out of all ISP-facing ports in the VLAN. The modified packet is called the
tunneled packet.
• When a port of PE 1 in the VLAN receives the tunneled packet from the service provider
network, it performs the following operations:
{ Multicasts the packet out of all ISP-facing ports in the VLAN except the receiving port.
{ Changes the destination multicast MAC address to the original MAC address, and
multicasts the packet out of all customer-facing ports in the VLAN.
Figure 90 L2PT operating mechanism

Customer Customer
Service provider network
network network

Layer 2 protocol packets

from customer networks
PE 1 PE 2
Tunneled packets

For example, as shown in Figure 91, PE 1 receives an STP packet (BPDU) from network 1 to
network 2. CEs are the edge devices on the customer network, and PEs are the edge devices on the
service provider network. L2PT processes the packet as follows:
1. PE 1 performs the following operations:
a. Changes the packet's destination multicast MAC address 0180-c200-0000 to a specified
multicast MAC address (010f-e200-0003 by default) for the BPDU.
b. Sends the tunneled packet out of all ISP-facing ports in the packet's VLAN.
2. Upon receiving the tunneled packet, PE 2 decapsulates the packet and sends the BPDU to CE
2.
Through L2PT, both the ISP network and Customer A's network can perform independent spanning
tree calculations.

279
 Figure 91 L2PT network diagram

L2PT configuration task list

Tasks at a glance
(Required.) Enabling L2PT
(Optional.) Setting the destination multicast MAC address for tunneled packets

Enabling L2PT
Restrictions and guidelines
• Before you enable L2PT for a Layer 2 protocol on a port, perform the following tasks:
{ Enable the protocol on the connected CE, and disable the protocol on the port.
{ Enable L2PT on PE ports connected to a customer network. If you enable L2PT on ports
connected to the service provider network, L2PT determines that the ports are connected to
a customer network.
{ Make sure the VLAN tags of Layer 2 protocol packets are not changed or deleted for the
tunneled packets to be transmitted correctly across the service provider network.
• L2PT for LLDP supports LLDP packets from only nearest bridge agents.
• You can enable L2PT on a member port of a Layer 2 aggregation group, but the configuration
does not take effect.
• Do not enable L2PT on a port that is going to join a service loopback group. All configuration is
removed after the port joins the group.
• LACP and EOAM require point-to-point transmission. If you enable L2PT for LACP or EOAM,
L2PT multicasts LACP or EOAM packets out of customer-facing ports. As a result, the
transmission between two CEs is not point-to-point. To ensure point-to-point transmission for
the LACP or EOAM packets, you must configure other features (for example, VLAN).

Enabling L2PT for a protocol

Step Command Remarks
1. Enter system view. system-view N/A

280
 Step Command Remarks
• Enter Layer 2 Ethernet interface view:
interface interface-type interface-number
2. Enter interface view. • Enter Layer 2 aggregate interface view: N/A
interface bridge-aggregation interface-type
interface-number
• In Layer 2 Ethernet interface view:
l2protocol { cdp | dldp | eoam | gvrp | lacp | lldp
| mvrp | pagp | pvst | stp | udld | vtp } tunnel By default, L2PT is
3. Enable L2PT for a dot1q
protocol. disabled for all
• In Layer 2 aggregate interface view: protocols.
l2protocol { gvrp | mvrp | pvst | stp | vtp }
tunnel dot1q

Setting the destination multicast MAC address for

tunneled packets
When you set the destination multicast MAC address for tunneled packets, follow these restrictions
and guidelines:
• For tunneled packets to be recognized, set the same destination multicast MAC addresses on
PEs that are connected to the same customer network.
• As a best practice, set different destination multicast MAC addresses on PEs connected to
different customer networks. It prevents L2PT from sending packets of a customer network to
another customer network.
To set the destination multicast MAC address for tunneled packets:

Step Command Remarks

1. Enter system view. system-view N/A
The available multicast MAC
2. Set the destination addresses are 010f-e200-0003,
multicast MAC address l2protocol tunnel-dmac 0100-0ccd-cdd0, 0100-0ccd-cdd1,
for tunneled packets. mac-address and 0100-0ccd-cdd2. By default,
010f-e200-0003 is used for tunneled
packets.

Displaying and maintaining L2PT

Execute display commands in any view and reset commands in user view.

Task Command
display l2protocol statistics [ interface interface-type
Display L2PT statistics.
interface-number ]
reset l2protocol statistics [ interface interface-type
Clear L2PT statistics.
interface-number ]

281
L2PT configuration examples
Configuring L2PT for STP
Network requirements
As shown in Figure 92, the MAC addresses of CE 1 and CE 2 are 00e0-fc02-5800 and
00e0-fc02-5802, respectively. MSTP is enabled in Customer A's network, and default MSTP settings
are used.
Perform the following tasks on the PEs:
• Configure the ports that connect to CEs as access ports, and configure the ports in the service
provider network as trunk ports. Configure ports in the service provider network to allow packets
from any VLAN to pass.
• Enable L2PT for STP to enable Customer A's network to implement independent spanning tree
calculation across the service provider network.
• Set the destination multicast MAC address to 0100-0ccd-cdd0 for tunneled packets.
Figure 92 Network diagram

Configuration procedures
1. Configure PE 1:
# Set the destination multicast address to 0100-0ccd-cdd0 for tunneled packets.
<PE1> system-view
[PE1] l2protocol tunnel-dmac 0100-0ccd-cdd0
# Create VLAN 2.
[PE1] vlan 2
[PE1-vlan2] quit
# Configure Ten-GigabitEthernet 1/0/1 as an access port and assign the port to VLAN 2.
[PE1] interface ten-gigabitethernet 1/0/1
[PE1-Ten-GigabitEthernet1/0/1] port access vlan 2
# Disable STP and enable L2PT for STP on Ten-GigabitEthernet 1/0/1.
[PE1-Ten-GigabitEthernet1/0/1] undo stp enable
[PE1-Ten-GigabitEthernet1/0/1] l2protocol stp tunnel dot1q
[PE1-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 connected to the service provider network as a trunk
port, and assign the port to all VLANs.
[PE1] interface ten-gigabitethernet 1/0/2
[PE1-Ten-GigabitEthernet1/0/2] port link-type trunk

282
 [PE1-Ten-GigabitEthernet1/0/2] port trunk permit vlan all
[PE1-Ten-GigabitEthernet1/0/2] quit
2. Configure PE 2 in the same way PE 1 is configured. (Details not shown.)
Verifying the configuration
# Verify that the root bridge of Customer A's network is CE 1.
<CE2> display stp root
MST ID Root Bridge ID ExtPathCost IntPathCost Root Port
0 32768.00e0-fc02-5800 0 0

# Verify that the root bridge of the service provider network is not CE 1.
[PE1] display stp root
MST ID Root Bridge ID ExtPathCost IntPathCost Root Port
0 32768.0cda-41c5-ba50 0 0

Configuring L2PT for LACP

Network requirements
As shown in Figure 93, the MAC addresses of CE 1 and CE 2 are 0001-0000-0000 and
0004-0000-0000, respectively.
Perform the following tasks:
• Configure Ethernet link aggregation on CE 1 and CE 2.
• Configure Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 on CE 1 to form aggregate
links with Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 on CE 2, respectively.
• Enable L2PT for LACP to enable CE 1 and CE 2 to implement Ethernet link aggregation across
the service provider network.
Figure 93 Network diagram

Requirements analysis
To meet the network requirements, perform the following tasks:
• For Ethernet link aggregation to operate correctly, configure VLANs on the PEs to ensure
point-to-point transmission between CE 1 and CE 2 in an aggregation group.
{ Set the PVIDs to VLAN 2 and VLAN 3 for Ten-GigabitEthernet 1/0/1 and
Ten-GigabitEthernet 1/0/2 on PE 1, respectively.
{ Configure PE 2 in the same way PE 1 is configured.
{ Configure ports that connect to the CEs as trunk ports.
• To retain the VLAN tag of the customer network, enable QinQ on Ten-GigabitEthernet 1/0/1 and
Ten-GigabitEthernet 1/0/2 on both PE 1 and PE 2.

283
 • For packets from any VLAN to be transmitted, configure all ports in the service provider network
as trunk ports.
Configuration procedures
1. Configure CE 1:
# Configure Layer 2 aggregation group Bridge-Aggregation 1 to operate in dynamic
aggregation mode.
<CE1> system-view
[CE1] interface bridge-aggregation 1
[CE1-Bridge-Aggregation1] port link-type access
[CE1-Bridge-Aggregation1] link-aggregation mode dynamic
[CE1-Bridge-Aggregation1] quit
# Assign Ten-GigabitEthernet 1/0/1 and Ten-GigabitEthernet 1/0/2 to Bridge-Aggregation 1.
[CE1] interface ten-gigabitethernet 1/0/1
[CE1-Ten-GigabitEthernet1/0/1] port link-aggregation group 1
[CE1-Ten-GigabitEthernet1/0/1] quit
[CE1] interface ten-gigabitethernet 1/0/2
[CE1-Ten-GigabitEthernet1/0/2] port link-aggregation group 1
[CE1-Ten-GigabitEthernet1/0/2] quit
2. Configure CE 2 in the same way CE 1 is configured. (Details not shown.)
3. Configure PE 1:
# Create VLANs 2 and 3.
<PE1> system-view
[PE1] vlan 2
[PE1-vlan2] quit
[PE1] vlan 3
[PE1-vlan3] quit
# Configure Ten-GigabitEthernet 1/0/1 as a trunk port, assign the port to VLAN 2, and set the
PVID to VLAN 2.
[PE1] interface ten-gigabitethernet 1/0/1
[PE1-Ten-GigabitEthernet1/0/1] port link-mode bridge
[PE1-Ten-GigabitEthernet1/0/1] port link-type trunk
[PE1-Ten-GigabitEthernet1/0/1] port trunk permit vlan 2
[PE1-Ten-GigabitEthernet1/0/1] port trunk pvid vlan 2
# Enable QinQ on Ten-GigabitEthernet 1/0/1.
[PE1-Ten-GigabitEthernet1/0/1] qinq enable
# Enable L2PT for LACP on Ten-GigabitEthernet 1/0/1.
[PE1-Ten-GigabitEthernet1/0/1] l2protocol lacp tunnel dot1q
[PE1-Ten-GigabitEthernet1/0/1] quit
# Configure Ten-GigabitEthernet 1/0/2 as a trunk port, assign the port to VLAN 3, and set the
PVID to VLAN 3.
[PE1] interface ten-gigabitethernet 1/0/2
[PE1-Ten-GigabitEthernet1/0/2] port link-mode bridge
[PE1-Ten-GigabitEthernet1/0/2] port link-type trunk
[PE1-Ten-GigabitEthernet1/0/2] port trunk permit vlan 3
[PE1-Ten-GigabitEthernet1/0/2] port trunk pvid vlan 3
# Enable QinQ on Ten-GigabitEthernet 1/0/2.
[PE1-Ten-GigabitEthernet1/0/2] qinq enable

284
 # Enable L2PT for LACP on Ten-GigabitEthernet 1/0/2.
[PE1-Ten-GigabitEthernet1/0/2] l2protocol lacp tunnel dot1q
[PE1-Ten-GigabitEthernet1/0/2] quit
4. Configure PE 2 in the same way PE 1 is configured. (Details not shown.)
Verifying the configuration
# Verify that CE 1 and CE 2 have completed Ethernet link aggregation successfully.
[CE1] display link-aggregation member-port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Ten-GigabitEthernet1/0/1:
Aggregate Interface: Bridge-Aggregation1
Local:
Port Number: 3
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Remote:
System ID: 0x8000, 0004-0000-0000
Port Number: 3
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Received LACP Packets: 23 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 26 packet(s)

Ten-GigabitEthernet1/0/2:
Aggregate Interface: Bridge-Aggregation1
Local:
Port Number: 4
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Remote:
System ID: 0x8000, 0004-0000-0000
Port Number: 4
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Received LACP Packets: 10 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 13 packet(s)
[CE2] display link-aggregation member-port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

285
Ten-GigabitEthernet1/0/1:
Aggregate Interface: Bridge-Aggregation1
Local:
Port Number: 3
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Remote:
System ID: 0x8000, 0001-0000-0000
Port Number: 3
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Received LACP Packets: 23 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 26 packet(s)

Ten-GigabitEthernet1/0/2:
Aggregate Interface: Bridge-Aggregation1
Local:
Port Number: 4
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Remote:
System ID: 0x8000, 0001-0000-0000
Port Number: 4
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Received LACP Packets: 10 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 13 packet(s)

286
Configuring cut-through forwarding
A cut-through forwarding-enabled device forwards a frame after it receives the first 64 bytes of the
frame. This feature reduces the transmission time of a frame and enhances forwarding performance.
To configure cut-through forwarding:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable cut-through
forwarding. cut-through enable By default, cut-through forwarding is disabled.

NOTE:
A frame is forwarded before its CRC field is received, and thus CRC-error frames are forwarded
instead of dropped.

287
Configuring service loopback groups
A service loopback group contains one or multiple Ethernet ports for looping packets sent out by the
device back to the device. This feature must work with other features, such as GRE.
A service loopback group provides one of the following services:
• Tunnel—Supports unicast tunnel traffic.
• Multicast tunnel—Supports multicast tunnel traffic.
• Multiport—Supports multiport ARP traffic.
• VSI gateway—Supports VSI gateway traffic.
You can configure only one service loopback group for a service type. However, you can use one
service loopback group with multiple features.
Member ports in a service loopback group are load balanced.

Configuration procedure
Follow these guidelines when you configure a service loopback group:
• Make sure the ports you are assigning to a service loopback group meet the following
requirements:
{ The ports are not used for any other purposes. The configuration on a port is removed when
it is assigned to a service loopback group.
{ The ports support the service type of the service loopback group and are not members of
any other service loopback group.
• You cannot change the service type of a service loopback group.
• Do not delete a service loopback group that is being used by a feature.
• To avoid IRF split, do not assign a physical interface to a service loopback group if that interface
is the only member interface of an IRF port.
• For correct traffic processing, make sure a service loopback group has a minimum of one
member port when it is being used by a feature.
To configure a service loopback group:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a service loopback service-loopback group group-id
group and specify its service By default, no service
type { { multicast-tunnel | tunnel } *
type. loopback groups exist.
| multiport | vsi-gateway }
3. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
By default, a port does not
belong to any service loopback
4. Assign the port to the service port service-loopback group group.
loopback group. group-id You can assign a maximum of
32 ports to a service loopback
group.

288
Displaying and maintaining service loopback
groups
Execute display commands in any view.

Task Command
Display information about service loopback groups. display service-loopback group [ group-id ]

Service loopback group configuration example

Network requirements
All Ethernet ports on Device A support the tunnel service. Assign Ten-GigabitEthernet 1/0/1 through
Ten-GigabitEthernet 1/0/3 to a service loopback group to loop GRE packets sent out by the device
back to the device.

Configuration procedure
# Create service loopback group 1, and specify its service type as tunnel.
<DeviceA> system-view
[DeviceA] service-loopback group 1 type tunnel

# Assign Ten-GigabitEthernet 1/0/1 through Ten-GigabitEthernet 1/0/3 to service loopback group 1.

[DeviceA] interface ten-gigabitethernet 1/0/1
[DeviceA-Ten-GigabitEthernet1/0/1] port service-loopback group 1
All configurations on the interface will be lost. Continue?[Y/N]:y
[DeviceA-Ten-GigabitEthernet1/0/1] quit
[DeviceA] interface ten-gigabitethernet 1/0/2
[DeviceA-Ten-GigabitEthernet1/0/2] port service-loopback group 1
All configurations on the interface will be lost. Continue?[Y/N]:y
[DeviceA-Ten-GigabitEthernet1/0/2] quit
[DeviceA] interface ten-gigabitethernet 1/0/3
[DeviceA-Ten-GigabitEthernet1/0/3] port service-loopback group 1
All configurations on the interface will be lost. Continue?[Y/N]:y
[DeviceA-Ten-GigabitEthernet1/0/3] quit

# Create the interface Tunnel 1 and set it to GRE mode. The interface will automatically use service
loopback group 1.
[DeviceA] interface tunnel 1 mode gre
[DeviceA-Tunnel1]

289
Document conventions and icons
Conventions
This section describes the conventions used in the documentation.
Command conventions

Convention Description
Boldface Bold text represents commands and keywords that you enter literally as shown.

Italic Italic text represents arguments that you replace with actual values.
[] Square brackets enclose syntax choices (keywords or arguments) that are optional.
Braces enclose a set of required syntax choices separated by vertical bars, from which
{ x | y | ... }
you select one.
Square brackets enclose a set of optional syntax choices separated by vertical bars,
[ x | y | ... ]
from which you select one or none.
Asterisk marked braces enclose a set of required syntax choices separated by vertical
{ x | y | ... } *
bars, from which you select at least one.
Asterisk marked square brackets enclose optional syntax choices separated by vertical
[ x | y | ... ] *
bars, from which you select one choice, multiple choices, or none.
The argument or keyword and argument combination before the ampersand (&) sign
&<1-n>
can be entered 1 to n times.
# A line that starts with a pound (#) sign is comments.

GUI conventions

Convention Description
Window names, button names, field names, and menu items are in Boldface. For
Boldface
example, the New User window opens; click OK.
Multi-level menus are separated by angle brackets. For example, File > Create >
>
Folder.

Symbols

Convention Description
An alert that calls attention to important information that if not understood or followed
WARNING! can result in personal injury.
An alert that calls attention to important information that if not understood or followed
CAUTION: can result in data loss, data corruption, or damage to hardware or software.

IMPORTANT: An alert that calls attention to essential information.

NOTE: An alert that contains additional or supplementary information.

TIP: An alert that provides helpful information.

290
Network topology icons
Convention Description

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that

supports Layer 2 forwarding and other Layer 2 features.

Represents an access controller, a unified wired-WLAN module, or the access

controller engine on a unified wired-WLAN switch.

Represents an access point.

T Represents a wireless terminator unit.

T Represents a wireless terminator.

Represents a mesh access point.

Represents omnidirectional signals.

Represents directional signals.

Represents a security product, such as a firewall, UTM, multiservice security

gateway, or load balancing device.

Represents a security module, such as a firewall, load balancing, NetStream, SSL

VPN, IPS, or ACG module.

Examples provided in this document

Examples in this document might use devices that differ from your device in hardware model,
configuration, or software version. It is normal that the port numbers, sample output, screenshots,
and other information in the examples differ from what you have on your device.

291
Support and other resources
Accessing Hewlett Packard Enterprise Support
• For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website:
www.hpe.com/assistance
• To access documentation and support services, go to the Hewlett Packard Enterprise Support
Center website:
www.hpe.com/support/hpesc
Information to collect
• Technical support registration number (if applicable)
• Product name, model or version, and serial number
• Operating system name and version
• Firmware version
• Error messages
• Product-specific reports and logs
• Add-on products or components
• Third-party products or components

Accessing updates
• Some software products provide a mechanism for accessing software updates through the
product interface. Review your product documentation to identify the recommended software
update method.
• To download product updates, go to either of the following:
{ Hewlett Packard Enterprise Support Center Get connected with updates page:
www.hpe.com/support/e-updates
{ Software Depot website:
www.hpe.com/support/softwaredepot
• To view and update your entitlements, and to link your contracts, Care Packs, and warranties
with your profile, go to the Hewlett Packard Enterprise Support Center More Information on
Access to Support Materials page:
www.hpe.com/support/AccessToSupportMaterials

IMPORTANT:
Access to some updates might require product entitlement when accessed through the Hewlett
Packard Enterprise Support Center. You must have an HP Passport set up with relevant
entitlements.

292
Websites
Website Link
Networking websites
Hewlett Packard Enterprise Information Library for
www.hpe.com/networking/resourcefinder
Networking
Hewlett Packard Enterprise Networking website www.hpe.com/info/networking
Hewlett Packard Enterprise My Networking website www.hpe.com/networking/support
Hewlett Packard Enterprise My Networking Portal www.hpe.com/networking/mynetworking
Hewlett Packard Enterprise Networking Warranty www.hpe.com/networking/warranty
General websites
Hewlett Packard Enterprise Information Library www.hpe.com/info/enterprise/docs
Hewlett Packard Enterprise Support Center www.hpe.com/support/hpesc
Hewlett Packard Enterprise Support Services Central ssc.hpe.com/portal/site/ssc/
Contact Hewlett Packard Enterprise Worldwide www.hpe.com/assistance
Subscription Service/Support Alerts www.hpe.com/support/e-updates
Software Depot www.hpe.com/support/softwaredepot
Customer Self Repair (not applicable to all devices) www.hpe.com/support/selfrepair
Insight Remote Support (not applicable to all devices) www.hpe.com/info/insightremotesupport/docs

Customer self repair

Hewlett Packard Enterprise customer self repair (CSR) programs allow you to repair your product. If
a CSR part needs to be replaced, it will be shipped directly to you so that you can install it at your
convenience. Some parts do not qualify for CSR. Your Hewlett Packard Enterprise authorized
service provider will determine whether a repair can be accomplished by CSR.
For more information about CSR, contact your local service provider or go to the CSR website:
www.hpe.com/support/selfrepair

Remote support
Remote support is available with supported devices as part of your warranty, Care Pack Service, or
contractual support agreement. It provides intelligent event diagnosis, and automatic, secure
submission of hardware event notifications to Hewlett Packard Enterprise, which will initiate a fast
and accurate resolution based on your product’s service level. Hewlett Packard Enterprise strongly
recommends that you register your device for remote support.
For more information and device support details, go to the following website:
www.hpe.com/info/insightremotesupport/docs

Documentation feedback
Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help
us improve the documentation, send any errors, suggestions, or comments to Documentation
Feedback ([email protected]). When submitting your feedback, include the document title,

293
part number, edition, and publication date located on the front cover of the document. For online help
content, include the product name, product version, help edition, and publication date located on the
legal notices page.

294
Index
Numerics MAC Information queue length, 38
advertising
1:1 VLAN mapping
LLDP advertisable TLV, 263
application scenario, 233, 233
voice VLAN advertisement (CDP), 201
configuration, 238, 245
voice VLAN advertisement (LLDP), 200
implementation, 235, 236
voice VLAN information advertisement to IP
1:2 VLAN mapping phones, 193
application scenario, 233, 234 aggregating
configuration, 244, 251 link. See link aggregation
implementation, 235, 237 aging
10-GE interface;010-GE interface MAC address table timer, 28
combine, 2 spanning tree max age timer, 109
2:2 VLAN mapping algorithm
application scenario, 233, 234 Ethernet link aggregation load sharing algorithm
configuration, 245, 251 settings, 59
implementation, 235, 237 STP calculation, 84
40-GE interface;040-GE interface alternate port (MST), 97
split, 2 ARP
802 MAC address table ARP fast update, 32
802.1 LLDPDU TLV types, 256 ARP detection
802.1Q-in-802.1Q. Use QinQ M:1 VLAN mapping (dynamic IP address
802.3 LLDPDU TLV types, 256 assignment), 240
QinQ SVLAN tag 802.1p priority, 227 ARP snooping
802.1X M:1 VLAN mapping (static IP address
VLAN group configuration, 161 assignment), 242
assigning
A
MAC address table learning priority, 29
accessing MAC-based VLAN assignment (dynamic), 155
port-based VLAN assignment (access MAC-based VLAN assignment
port), 152 (server-assigned), 156
action MAC-based VLAN assignment (static), 154
loop detection block, 142 port isolation group (multiple ports), 78
loop detection no-learning protection, 142 port-based VLAN access port, 152
loop detection protection action (Layer 2 port-based VLAN access port (interface
aggregate interface), 144 view), 153
loop detection protection action setting, 144 port-based VLAN access port (VLAN view), 152
loop detection shutdown protection, 142 port-based VLAN hybrid port, 153
adding port-based VLAN trunk port, 153
MAC address table blackhole entry, 25 voice VLAN assignment mode (automatic), 194
MAC address table entry (global), 24 voice VLAN assignment mode (manual), 195
MAC address table entry (on interface), 25 attribute
MAC address table multiport unicast entry, 25 Ethernet link aggregation attribute
address configuration, 42
Ethernet interface MAC address (Layer 3), 16 auto
Ethernet subinterface MAC address (Layer Ethernet interface auto power-down, 9
3), 16 loop detection port status auto recovery, 142
MAC address learning disable, 26 voice VLAN assignment (automatic), 194
MAC address table learning limit, 28

295
 voice VLAN assignment mode configuration spanning tree loop guard, 127
(automatic), 202 spanning tree root bridge, 107
voice VLAN LLDP automatic IP phone spanning tree root bridge (device), 107
discovery enable, 200 spanning tree root guard, 127
voice VLAN port operation configuration spanning tree secondary root bridge (device), 108
(automatic assignment), 198
STP designated bridge, 83
AutoMDIX mode (Ethernet interface), 14
STP root bridge, 83
B bulk
backing up interface configuration, 20, 20
MST backup port, 97 interface configuration display, 21
bandwidth interface configuration restrictions, 20
Ethernet link aggregate interface (expected C
bandwidth), 55
cable
basic management LLDPDU TLV types, 256
Ethernet interface cable connection (Layer 2), 14
BFD
calculating
Ethernet link aggregation group BFD, 56
MSTI calculation, 99
blackhole
MSTP CIST calculation, 99
MAC address table, 22
spanning tree port path cost calculation
MAC address table entry, 25
standard, 113
block action (loop detection), 142
spanning tree timeout factor, 111
boundary port (MST), 97
STP algorithm, 84
BPDU
CDP
configuration BPDUs, 81
LLDP CDP compatibility, 269
MST region max hops, 108
LLDP CDP-compatible configuration, 276
MSTP BPDU protocol frames, 94
voice VLAN advertisement, 201
PVST BPDU guard, 130
voice VLAN information advertisement to IP
RSTP BPDU processing, 92 phones, 193
spanning tree BPDU drop, 129 CE
spanning tree BPDU guard, 126 L2PT configuration, 278, 280, 282
spanning tree BPDU transparent transmission L2PT for LACP configuration, 283
(on port), 131
L2PT for STP configuration, 282
spanning tree hello time, 109
checking
spanning tree max age timer, 109
spanning tree No Agreement Check, 122, 124
spanning tree TC BPDU event logging (PVST
choosing
mode), 131
Ethernet link aggregation reference port, 43, 46
spanning tree TC-BPDU guard, 129
Cisco
spanning tree TC-BPDU transmission
restriction, 128 Discovery Protocol. Use CDP
STP BPDU forwarding, 89 LLDP CDP compatibility, 269
TCN BPDUs, 82 LLDP configuration (CDP-compatible), 276
transmission rate configuration, 111 CIST
bridging calculation, 99
Ethernet interface bridging enable (Layer network device connection, 97
2), 15 spanning tree max age timer, 109
LLDP agent customer bridge, 254 combining
LLDP agent nearest bridge, 254 Ethernet interfaces (10-GE > 40-GE), 2
LLDP agent non-TPMR bridge, 254 common root bridge, 97
LLDP bridge mode configuration, 261 configuring
MST common root bridge, 97 1:1 VLAN mapping, 238, 245
MST regional root, 97 1:2 VLAN mapping, 244, 251
spanning tree dispute guard, 130 2:2 VLAN mapping, 245, 251

296
Ethernet aggregate interface, 52 L2PT for LACP, 283
Ethernet aggregate interface (description), 52 L2PT for STP, 282
Ethernet aggregate interface (Layer 3 Layer 2 forwarding (cut-through), 287
edge), 76 LLDP, 254, 260, 272
Ethernet interface, 1 LLDP (CDP-compatible), 276
Ethernet interface (Layer 2), 11 LLDP advertisable TLVs, 263
Ethernet interface (Layer 3), 16 LLDP basics, 261, 272
Ethernet interface basic settings, 3 LLDP CDP compatibility, 269
Ethernet interface common settings, 1 LLDP management address, 266
Ethernet interface generic flow control, 7 LLDP management address encoding
Ethernet interface jumbo frame support, 5 format, 266
Ethernet interface link mode, 4 LLDP trapping, 270
Ethernet interface PFC, 7 LLDP-MED trapping, 270
Ethernet interface physical state change loop detection, 141, 143, 145
suppression, 5 M:1 VLAN mapping, 239, 245
Ethernet interface storm control (Layer 2), 11 M:1 VLAN mapping (dynamic IP address
Ethernet interface storm suppression, 10 assignment), 239
Ethernet link aggregate interface (Layer 2 M:1 VLAN mapping (static IP address
edge), 70 assignment), 242
Ethernet link aggregation, 41, 48, 64 M:1 VLAN mapping customer-side port (dynamic
Ethernet link aggregation (Layer 2 IP address assignment), 240
dynamic), 66 M:1 VLAN mapping customer-side port (static IP
Ethernet link aggregation (Layer 2 static), 64 address assignment), 242
Ethernet link aggregation (Layer 3 M:1 VLAN mapping network-side port (dynamic
dynamic), 73 IP address assignment), 241
Ethernet link aggregation (Layer 3 static), 71 M:1 VLAN mapping network-side port (static IP
Ethernet link aggregation edge aggregate address assignment), 243
interface, 55 MAC address move suppression, 31
Ethernet link aggregation group, 49 MAC address table, 22, 23, 35
Ethernet link aggregation group (Layer 2 MAC address table frame forwarding rule, 29
dynamic), 50 MAC address table multiport unicast entry
Ethernet link aggregation group (Layer 2 (global), 26
static), 49 MAC address table multiport unicast entry (on
Ethernet link aggregation group (Layer 3 interface), 26
dynamic), 51 MAC Information, 37, 38
Ethernet link aggregation group (Layer 3 MAC Information mode, 37
static), 51 MAC-based VLAN, 154, 164
Ethernet link aggregation group BFD, 56 MAC-based VLAN (server-assigned), 159
Ethernet link aggregation group load MAC-based VLAN assignment (dynamic), 157
sharing, 58 MAC-based VLAN assignment (static), 157
Ethernet link aggregation load sharing (Layer management Ethernet interface, 1
2), 68
MST region, 106
Ethernet link aggregation load sharing (Layer
MST region max hops, 108
3), 74
MSTP, 105, 133
Ethernet subinterface (Layer 3), 16
MVRP, 209, 212
Ethernet subinterface basic settings, 3
port isolation, 78, 79
interface (inloopback), 19
port-based VLAN, 151, 162
interface (loopback), 18
private VLAN, 176, 177, 179
interface (null), 18
private VLAN promiscuous port, 179
interfaces in bulk, 20, 20
private VLAN trunk promiscuous port, 182
IP subnet-based VLAN, 159, 166
private VLAN trunk promiscuous+secondary
L2PT, 278, 280, 282
port, 185

297
protocol-based VLAN, 160, 167 voice VLAN port operation (automatic
PVST, 104, 137 assignment), 198
QinQ, 223, 229 voice VLAN port operation (manual
QinQ basics, 229 assignment), 199
QinQ CVLAN tag TPID value, 227 voice VLAN traffic QoS priority settings, 197
QinQ SVLAN tag TPID value, 227 connecting
QinQ VLAN tag TPID value, 226 Ethernet interface cable connection (Layer 2), 14
QinQ VLAN transparent voice VLAN host+IP phone connection (in
transmission, 225, 231 series), 193
RSTP, 103 voice VLAN IP phone+device, 194
secondary VLAN Layer 3 communication, 189 CoS
service loopback group, 288, 289 voice VLAN traffic QoS priority settings, 197
spanning tree, 81, 102, 133 cost
spanning tree BPDU guard, 126 spanning tree port path cost calculation
standard, 113
spanning tree BPDU transmission rate, 111
spanning tree port path cost
spanning tree device priority, 108
configuration, 112, 115
spanning tree Digest Snooping, 120, 121
STP path cost, 84
spanning tree edge port, 112
creating
spanning tree No Agreement Check, 122, 124
super VLAN sub-VLAN, 171
spanning tree port link type, 116
CST
spanning tree port mode, 117
MST region connection, 96
spanning tree port path cost, 112, 115
customer
spanning tree port priority, 116
LLDP customer bridge mode, 261
spanning tree port role restriction, 128
cut-through Layer 2 forwarding configuration, 287
spanning tree protection, 126
CVLAN
spanning tree root bridge, 107
QinQ basic configuration, 229
spanning tree root bridge (device), 107
QinQ configuration, 223, 229
spanning tree secondary root bridge, 107
QinQ VLAN transparent transmission
spanning tree secondary root bridge configuration, 231
(device), 108
VLAN mapping application scenario, 233
spanning tree switched network diameter, 109
VLAN mapping configuration, 233, 238, 245
spanning tree TC Snooping, 124
VLAN mapping implementation, 235
spanning tree TC-BPDU transmission
restriction, 128 D
spanning tree timeout factor, 111 default
spanning tree timer, 109 Ethernet link aggregate interface default
STP, 103 settings, 57
super VLAN, 171, 171, 173 designated
super VLAN interface, 172 MST port, 97
VLAN, 148, 162 STP bridge, 83
VLAN basic settings, 149 STP port, 83
VLAN group, 161 detecting
VLAN interface, 150 Ethernet link aggregation group BFD, 56
VLAN mapping, 233, 238, 245 device
voice VLAN, 192, 196, 202 Ethernet interface configuration, 1
voice VLAN advertisement (CDP), 201 Layer 2 forwarding configuration
voice VLAN advertisement (LLDP), 200 (cut-through), 287
voice VLAN assignment mode LLDP basic configuration, 261, 272
(automatic), 202 LLDP CDP compatibility, 269
voice VLAN assignment mode (manual), 204 LLDP configuration, 254, 260, 272
LLDP configuration (CDP-compatible), 276

298
 LLDP parameters, 267 loop detection, 145
loop protection actions, 142 MAC address table, 35
MSTP implementation, 99 MVRP, 212
MVRP configuration, 206, 209, 212 port isolation, 78
PVST BPDU guard, 130 private VLAN, 179
spanning tree BPDU drop, 129 QinQ, 228
spanning tree BPDU guard, 126 service loopback group, 289
spanning tree Digest Snooping, 120, 121 spanning tree, 132
spanning tree dispute guard, 130 super VLAN, 172
spanning tree inconsistent PVID protection VLAN, 161
disable, 120 VLAN mapping, 245
spanning tree loop guard, 127 voice VLAN, 202
spanning tree No Agreement Check, 122, 124 dispute
spanning tree port role restriction, 128 spanning tree dispute guard, 130
spanning tree priority, 108 distance
spanning tree protection, 126 Ethernet interface connection distance (Layer
spanning tree root guard, 127 2), 15
spanning tree SNMP notification (new-root dot1d-1998 (STP port path cost calculation), 113
election, topology change events), 132 dot1s (STP port mode), 117
spanning tree TC BPDU event logging (PVST dot1t (STP port path cost calculation), 113
mode), 131 DSCP
spanning tree TC Snooping, 124 voice VLAN traffic QoS priority settings, 197
spanning tree TC-BPDU guard, 129 dynamic
spanning tree TC-BPDU transmission Ethernet link aggregation (dynamic mode), 44
restriction, 128
Ethernet link aggregation (Layer 2), 66
voice VLAN IP phone+device connection, 194
Ethernet link aggregation (Layer 3), 73
DHCP snooping
Ethernet link aggregation edge aggregate
M:1 VLAN mapping, 240 interface, 48
diameter Ethernet link aggregation group, 49, 51
spanning tree switched network diameter, 109 Ethernet link aggregation group BFD, 56
Digest Snooping (spanning tree), 120, 121 Ethernet link aggregation mode, 43
directing Layer 2 Ethernet link aggregation group, 50
Ethernet link aggregation traffic redirection, 60 Layer 3 Ethernet link aggregation group, 51
disabling MAC address table dynamic aging timer, 28
LLDP PVID inconsistency check, 269 MAC address table entry, 22
MAC address learning (global), 27 MAC address table entry configuration
MAC address learning (on interface), 27 (global), 24
MAC address learning (on VLAN), 27 MAC address table entry configuration (on
MAC address table static source check, 33 interface), 25
spanning tree inconsistent PVID MAC-based VLAN assignment, 155, 157
protection, 120
E
discarding
MST discarding port state, 98 edge
displaying Ethernet aggregate interface (Layer 3 edge), 76
bulk interface configuration, 21 Ethernet link aggregate interface (Layer 2
edge), 70
Ethernet interface, 16
STP edge port rapid transition, 99
Ethernet link aggregation, 63
edge port
Ethernet subinterface, 16
MST, 97
interface, 19
spanning tree, 112
L2PT, 281
EEE energy saving, 9
LLDP, 271

299
enabling LLDP frame encapsulation (Ethernet II), 255
conversational remote MAC learning, 34 LLDP frame encapsulation (SNAP), 255
Ethernet interface auto power-down, 9 LLDP frame encapsulation format, 268
Ethernet interface bridging (Layer 2), 15 VLAN frame encapsulation, 148
Ethernet interface EEE, 9 Energy Efficient Ethernet. See EEE
Ethernet interface energy-saving features, 8 energy-saving features, 8
Ethernet interface loopback testing, 6 entry
Ethernet link aggregation traffic redirection, 60 conversational remote MAC learning, 34
L2PT, 280 Ethernet
L2PT (for protocol), 280 Ethernet interface auto power-down enable, 9
LLDP, 261 interface. See Ethernet interface
LLDP polling, 262 interface 10-GE > 40-GE combine;010-GE >
loop detection (global), 143 40-GE combine, 2
loop detection (port-specific), 143 interface 40-GE split;040-GE split, 2
M:1 VLAN mapping ARP detection (dynamic interface basic settings configuration, 3
IP address assignment), 240 interface bridging enable (Layer 2), 15
M:1 VLAN mapping ARP snooping (static IP interface cable connection (Layer 2), 14
address assignment), 242 interface configuration (Layer 2), 11
M:1 VLAN mapping DHCP snooping (dynamic interface configuration (Layer 3), 16
IP address assignment), 240 interface connection distance (Layer 2), 15
MAC address synchronization, 30 interface display, 16
MAC address table ARP fast update, 32 interface EEE enable, 9
MAC address table move notification, 31 interface energy-saving features, 8
MAC address table SNMP notification, 34 interface fiber port (Layer 2), 12
MAC Information, 37 interface fiber port restrictions (Layer 2), 13
MVRP, 210 interface generic flow control, 7
MVRP GVRP compatibility, 212 interface jumbo frame support configuration, 5
PVST BPDU guard, 130 interface link mode, 4
QinQ, 225 interface loopback test restrictions, 6
spanning tree BPDU drop, 129 interface loopback testing, 6
spanning tree BPDU guard (global), 126 interface maintain, 16
spanning tree BPDU guard (on interface), 126 interface MDIX mode (Layer 2), 14
spanning tree BPDU transparent transmission interface MTU setting (Layer 3), 16
(on port), 131
interface PFC configuration, 7
spanning tree dispute guard, 130
interface PFC configuration restrictions, 8
spanning tree feature, 118
interface physical state change suppression, 5
spanning tree loop guard, 127
interface statistics polling interval, 9
spanning tree port state transition information
interface storm control (Layer 2), 11
output, 118
interface storm control configuration restrictions
spanning tree root guard, 127
(Layer 2), 11
spanning tree SNMP notification (new-root
interface storm suppression, 10
election, topology change events), 132
interface storm suppression restrictions, 10
spanning tree TC BPDU event logging (PVST
mode), 131 link aggregation. See Ethernet link aggregation
spanning tree TC-BPDU guard, 129 LLDP frame encapsulation, 255
voice VLAN LLDP automatic IP phone LLDP trapping, 270
discovery, 200 LLDP-MED trapping, 270
encapsulating loop detection configuration, 141, 145
L2PT configuration, 278, 280, 282 loop detection protection action (Layer 2 Ethernet
L2PT for LACP configuration, 283 interface), 144
L2PT for STP configuration, 282 MAC address table configuration, 22, 23, 35
MAC Information configuration, 37, 38

300
 port isolation configuration, 78, 79 configuration, 41, 48, 64
port-based VLAN assignment (access configuration types, 42
port), 152 display, 63
port-based VLAN assignment (hybrid dynamic mode, 44
port), 153 edge aggregate interface, 48, 55
port-based VLAN assignment (trunk port), 153 group (Layer 3 dynamic), 51
port-based VLAN configuration, 151 group (Layer 3 static), 51
private VLAN configuration, 176, 177, 179 group configuration, 49
private VLAN promiscuous port group configuration (Layer 2), 49
configuration, 179
group configuration (Layer 3), 51
private VLAN trunk promiscuous port
group load sharing configuration, 58
configuration, 182
group load sharing mode, 58
private VLAN trunk promiscuous+secondary
port configuration, 185 how dynamic link aggregation works, 46
QinQ CVLAN frame header tag, 223 interface configuration (expected bandwidth), 55
QinQ SVLAN frame header tag, 223 LACP, 45
secondary VLAN Layer 3 communication Layer 2 aggregate interface (ignored
configuration, 189 VLAN), 53, 53
service loopback group Layer 2 aggregate interface (Layer 2 edge), 70
configuration, 288, 289 Layer 2 aggregation configuration (dynamic), 66
subinterface. See Ethernet interface, Ethernet Layer 2 aggregation configuration (static), 64
subinterface, subinterface Layer 2 aggregation load sharing (Layer 2), 68
subinterface MAC address (Layer 3), 16 Layer 2 group (dynamic), 50
subinterface MTU setting (Layer 3), 16 Layer 2 group (static), 49
super VLAN configuration, 171, 171, 173 Layer 3 aggregate interface (Layer 3 edge), 76
super VLAN sub-VLAN creation, 171 Layer 3 aggregate interface configuration
VLAN basic configuration, 149 (MTU), 54
VLAN configuration, 148, 162 Layer 3 aggregation configuration (dynamic), 73
VLAN frame encapsulation, 148 Layer 3 aggregation configuration (static), 71
VLAN interface, 150 Layer 3 aggregation configuration load
VLAN port-based configuration, 162 sharing, 74
voice VLAN configuration, 192, 196, 202 load sharing algorithm settings, 59
Ethernet interface load sharing mode, 48
common settings configuration, 1 local-first load sharing, 59
configuration, 1 maintain, 63
MAC address (Layer 3), 16 management subnet, 62
management interface configuration, 1 management VLAN+management port, 61
naming conventions, 1 member port, 41
Ethernet link aggregation member port state, 41, 43, 46
aggregate group Selected ports min/max, 54 modes, 43
aggregate interface, 41 operational key, 42
aggregate interface (description), 52 reference port, 46
aggregate interface (MAC address), 53 reference port choice, 43
aggregate interface configuration, 52 static mode, 43
aggregate interface default settings, 57 traffic redirection, 60
aggregate interface shutdown, 57 traffic redirection restrictions, 61
aggregation group, 41 Ethernet subinterface, 1, See also Ethernet interface,
Layer 2 Ethernet subinterface, Layer 3 Ethernet
aggregation group restrictions, 49
subinterface
basic concepts, 41
basic settings, 3
BFD configuration, 56
display, 16
BFD configuration restrictions, 56
maintain, 16

301
external STP TCN BPDU protocol frames, 81
Ethernet interface external loopback testing, 6 VLAN frame encapsulation, 148
F G
fast GARP
MAC address table ARP fast update, 32 VLAN Registration Protocol. Use GVRP
fiber port generating
Ethernet interface fiber port (Layer 2), 12 conversational remote MAC learning, 34
flow control generic flow control (Ethernet interface), 7
Ethernet interface generic flow control, 7 Generic VLAN Registration Protocol. Use GVRP
Ethernet interface PFC, 7 global
forcing Ethernet link aggregation load sharing mode
Ethernet interface fiber port (Layer 2), 12 set, 58
format loop detection enable, 143
LLDP frame encapsulation (Ethernet II), 255 loop detection protection action, 144
LLDP frame encapsulation (SNAP), 255 MAC address learning disable, 27
LLDP frame encapsulation format, 268 MAC address table multiport unicast entry
LLDP management address encoding configuration, 26
format, 266 group
forwarding Ethernet link aggregate group Selected ports
Layer 2 forwarding configuration min/max, 54
(cut-through), 287 Ethernet link aggregation, 49
MAC address table frame forwarding rule, 29 Ethernet link aggregation group, 41
MST forwarding port state, 98 Ethernet link aggregation group (Layer 2
spanning tree forward delay timer, 109 static), 49, 50
STP BPDU forwarding, 89 Ethernet link aggregation group (Layer 2), 49
STP forward delay timer, 90 Ethernet link aggregation group (Layer 3
dynamic), 51
frame
Ethernet link aggregation group (Layer 3
Ethernet interface jumbo frame support, 5
static), 51
Layer 2 forwarding configuration
Ethernet link aggregation group (Layer 3), 51
(cut-through), 287
Ethernet link aggregation group load sharing, 58
LLDP frame encapsulation format, 268
Ethernet link aggregation LACP, 45
loop detection (Ethernet frame header), 141
Ethernet link aggregation load sharing
loop detection (inner frame header), 141
mode, 48, 58
loop detection interval, 142
Ethernet link aggregation member port state, 41
MAC address learning, 22
VLAN group configuration, 161
MAC address table blackhole entry, 25
GVRP
MAC address table configuration, 22, 23, 35
MVRP compatibility, 212
MAC address table entry configuration, 24
MAC address table frame forwarding rule, 29 H
MAC address table multiport unicast entry, 25 hello
MAC Information configuration, 37, 38 spanning tree timer, 109
MSTP BPDU protocol frames, 94 STP timer, 90
port-based VLAN frame handling, 152 host
PVST BPDU protocol frames, 92, 92 voice VLAN host+IP phone connection (in
QinQ CVLAN Ethernet frame header tag, 223 series), 193
QinQ implementation, 224 voice VLAN IP phone+device connection, 194
QinQ SVLAN Ethernet frame header tag, 223 hybrid port
RSTP BPDU protocol frames, 90 port-based VLAN assignment (hybrid port), 153
spanning tree port mode configuration, 117 I
STP BPDU protocol frames, 81
identifying

302
 voice VLAN IP phone identification voice VLAN assignment mode+IP phone
(LLDP), 193 cooperation, 195
voice VLAN IP phone identification (OUI voice VLAN host+IP phone connection (in
address), 192 series), 193
ignored VLAN voice VLAN identification (LLDP), 193
Layer 2 aggregate interface, 53 voice VLAN identification (OUI address), 192
implementing voice VLAN information advertisement, 193
1:1 VLAN mapping, 235, 236 voice VLAN IP phone access method, 193
1:2 VLAN mapping, 235, 237 voice VLAN IP phone+device connection, 194
2:2 VLAN mapping, 235, 237 IP subnet-based VLAN
M:1 VLAN mapping, 235, 236 configuration, 159, 166
MSTP device, 99 isolating
QinQ, 224 ports. See port isolation
inloopback interface IST
configuration, 19 MST region, 97
display, 19 J
maintain, 19
jumbo frame support (Ethernet interface), 5
interface
bulk configuration, 20, 20 K
configuration (inloopback), 18, 19 key
configuration (loopback), 18, 18 Ethernet link aggregation operational key, 42
configuration (null), 18, 18
L
Ethernet aggregate interface, 52
Ethernet aggregate interface (description), 52 L2PT
Ethernet aggregate interface (MAC configuration, 278, 280, 282
address), 53 display, 281
Ethernet link aggregate interface default enable, 280
settings, 57 enable restrictions, 280
Ethernet link aggregate interface how it works, 279
shutdown, 57 LACP configuration, 283
Ethernet link aggregation edge aggregate maintain, 281
interface, 48, 55 STP configuration, 282
Layer 2 Ethernet aggregate interface (ignored tunneled packet destination multicast MAC
VLAN), 53
address, 281
Layer 3 aggregate interface configuration
LACP
(MTU), 54
Ethernet link aggregation, 45
internal
L2PT for LACP configuration, 283
Ethernet interface internal loopback testing, 6
LAN
interval
Virtual Local Area Network. Use VLAN
Ethernet link aggregation LACP long
timeout, 45 LAN switching
Ethernet link aggregation LACP short 1:1 VLAN mapping configuration, 238, 245
timeout, 45 1:2 VLAN mapping configuration, 244, 251
loop detection, 142, 144 2:2 VLAN mapping configuration, 245, 251
MAC change notification interval, 38 Ethernet aggregate interface, 52
IP addressing Ethernet aggregate interface (description), 52
IP subnet-based VLAN Ethernet aggregate interface (ignored VLAN), 53
configuration, 159, 166 Ethernet aggregate interface (Layer 3 edge), 76
super VLAN configuration, 171, 171, 173 Ethernet link aggregate group Selected ports
super VLAN interface configuration, 172 min/max, 54
voice VLAN configuration, 192, 196, 202 Ethernet link aggregate interface (expected
IP phone bandwidth), 55

303
Ethernet link aggregate interface (Layer 2 L2PT configuration, 278, 282
edge), 70 L2PT display, 281
Ethernet link aggregate interface default L2PT enable, 280
settings, 57 L2PT enable restrictions, 280
Ethernet link aggregate interface L2PT for LACP configuration, 283
shutdown, 57
L2PT for STP configuration, 282
Ethernet link aggregation (dynamic mode), 44
L2PT maintain, 281
Ethernet link aggregation (Layer 2
LLDP basic concepts, 254
dynamic), 66
LLDP basic configuration, 261, 272
Ethernet link aggregation (Layer 2 static), 64
LLDP CDP compatibility, 269
Ethernet link aggregation (Layer 3
dynamic), 73 LLDP configuration, 254, 260, 272
Ethernet link aggregation (Layer 3 static), 71 LLDP configuration (CDP-compatible), 276
Ethernet link aggregation (static mode), 43 LLDP display, 271
Ethernet link aggregation basic concepts, 41 LLDP protocols and standards, 260
Ethernet link aggregation BFD configuration loop detection configuration, 141, 143, 145
restrictions, 56 M:1 VLAN mapping configuration, 239, 245
Ethernet link aggregation M:1 VLAN mapping restrictions (dynamic IP
configuration, 41, 48, 64 address assignment), 239
Ethernet link aggregation display, 63 M:1 VLAN mapping restrictions (static IP address
Ethernet link aggregation edge aggregate assignment), 242
interface, 48, 55 MAC address table configuration, 22, 23, 35
Ethernet link aggregation group, 49 MAC Information configuration, 37, 38
Ethernet link aggregation group (dynamic MAC-based VLAN assignment (dynamic), 157
dynamic), 50 MAC-based VLAN assignment (static), 157
Ethernet link aggregation group (Layer 2 MAC-based VLAN assignment configuration
static), 49 restrictions (dynamic), 157
Ethernet link aggregation group (Layer 2), 49 MAC-based VLAN configuration, 154, 164
Ethernet link aggregation group (Layer 3 MAC-based VLAN configuration
dynamic), 51 (server-assigned), 159
Ethernet link aggregation group (Layer 3 MRP implementation, 206
static), 51 MST region, 106
Ethernet link aggregation group load MSTP configuration, 133
sharing, 58 MVRP configuration, 206, 209, 212
Ethernet link aggregation group load sharing MVRP configuration restrictions, 209
mode, 58
MVRP display, 212
Ethernet link aggregation group
MVRP GVRP compatibility, 212
restrictions, 49
MVRP maintain, 212
Ethernet link aggregation LACP, 45
MVRP protocols and standards, 209
Ethernet link aggregation load sharing (Layer
2), 68 MVRP registration mode setting, 210
Ethernet link aggregation load sharing (Layer MVRP timer set, 211
3), 74 port isolation configuration, 78, 79
Ethernet link aggregation load sharing port isolation display, 78
mode, 48 port isolation group assignment (multiple
Ethernet link aggregation local-first load ports), 78
sharing, 59 port-based VLAN assignment (access port), 152
Ethernet link aggregation maintain, 63 port-based VLAN assignment (hybrid port), 153
Ethernet link aggregation traffic redirection, 60 port-based VLAN assignment (trunk port), 153
Ethernet link aggregation traffic redirection port-based VLAN configuration, 151
restrictions, 61 private VLAN configuration, 176, 177, 179
IP subnet-based VLAN private VLAN configuration restrictions, 177
configuration, 159, 166
private VLAN display, 179

304
private VLAN promiscuous port voice VLAN display, 202
configuration, 179 voice VLAN LLDP automatic IP phone discovery
private VLAN trunk promiscuous port enable, 200
configuration, 182 voice VLAN port operation configuration
private VLAN trunk promiscuous+secondary (automatic assignment), 198
port configuration, 185 voice VLAN port operation configuration (manual
protocol-based VLAN configuration, 160, 167 assignment), 199
PVST configuration, 137 voice VLAN port operation configuration
QinQ basic configuration, 229 restrictions (automatic assignment), 198
QinQ configuration, 223, 229 voice VLAN port operation configuration
QinQ configuration restrictions, 225 restrictions (manual assignment), 199
QinQ display, 228 Layer 2
QinQ implementation, 224 Ethernet interface bridging enable, 15
QinQ protocols and standards, 225 Ethernet interface cable connection, 14
QinQ SVLAN tag 802.1p priority, 227 Ethernet interface configuration, 1, 11
QinQ VLAN tag TPID value, 226 Ethernet interface connection distance, 15
QinQ VLAN transparent transmission Ethernet interface fiber port, 12
configuration, 231 Ethernet interface fiber port restrictions, 13
secondary VLAN Layer 3 communication Ethernet interface MDIX mode, 14
configuration, 189 Ethernet interface storm control configuration, 11
service loopback group Ethernet interface storm control configuration
configuration, 288, 289 restrictions, 11
service loopback group display, 289 Ethernet link aggregate interface (Layer 2
spanning tree configuration, 81, 133 edge), 70
spanning tree Digest Snooping, 120, 121 Ethernet link aggregation (Layer 2 dynamic), 66
spanning tree display, 132 Ethernet link aggregation (Layer 2 static), 64
spanning tree maintain, 132 Ethernet link aggregation load sharing, 68
spanning tree No Agreement Check, 122, 124 forwarding configuration (cut-through), 287
spanning tree protection configuration, 126 L2PT configuration, 280
spanning tree TC Snooping, 124 L2PT tunneled packet destination multicast MAC
super VLAN configuration, 171, 171, 173 address, 281
super VLAN display, 172 LLDP basic configuration, 272
super VLAN interface configuration, 172 LLDP configuration, 272
super VLAN sub-VLAN creation, 171 LLDP trapping, 270
VLAN basic configuration, 149 LLDP-MED trapping, 270
VLAN configuration, 148, 162 loop detection protection action (Layer 2
aggregate interface), 144
VLAN configuration restrictions, 157
loop detection protection action (Layer 2 Ethernet
VLAN display, 161
interface), 144
VLAN group configuration, 161
VLAN basic configuration, 149
VLAN interface, 150
VLAN configuration, 148, 162
VLAN maintain, 161
voice VLAN configuration, 192, 196, 202
VLAN mapping configuration, 233, 238, 245
Layer 2 Protocol Tunneling. Use L2PT
VLAN mapping display, 245
Layer 3
VLAN port-based configuration, 162
aggregate interface configuration (MTU), 54
VLAN protocols and standards, 149
Ethernet aggregate interface, 52
voice VLAN advertisement (CDP), 201
Ethernet aggregate interface (description), 52
voice VLAN advertisement (LLDP), 200
Ethernet aggregate interface (Layer 3 edge), 76
voice VLAN assignment mode configuration
Ethernet aggregate interface (MAC address), 53
(automatic), 202
Ethernet interface configuration, 1, 16
voice VLAN assignment mode configuration
(manual), 204 Ethernet interface MAC address, 16
Ethernet interface MTU setting, 16

305
 Ethernet link aggregate group Selected ports loop detection no-learning action, 142
min/max, 54 MAC address, 22
Ethernet link aggregate interface (expected MAC address learning disable, 26
bandwidth), 55 MAC address table learning limit, 28
Ethernet link aggregate interface default MAC address table learning priority, 29
settings, 57
MST learning port state, 98
Ethernet link aggregate interface
legacy
shutdown, 57
spanning tree port mode, 117
Ethernet link aggregation (Layer 3
dynamic), 73 spanning tree port path cost calculation, 113
Ethernet link aggregation (Layer 3 static), 71 link
Ethernet link aggregation aggregation. See link aggregation
configuration, 41, 48, 64 Ethernet interface link mode, 4
Ethernet link aggregation edge aggregate Link Layer Discovery Protocol. Use LLDP
interface, 48, 55 MSTP configuration, 133
Ethernet link aggregation group, 49, 51 PVST configuration, 137
Ethernet link aggregation group load spanning tree configuration, 81, 102, 133
sharing, 58 spanning tree hello time, 109
Ethernet link aggregation group load sharing spanning tree port link type configuration, 116
mode, 58 link aggregation
Ethernet link aggregation load sharing, 74 Ethernet link aggregation. See Ethernet link
Ethernet link aggregation local-first load aggregation
sharing, 59 LLDP
Ethernet link aggregation traffic redirection, 60 advertisable TLV configuration, 263
Ethernet subinterface configuration, 16 agent, 254
Ethernet subinterface MAC address, 16 basic concepts, 254
Ethernet subinterface MTU setting, 16 basic configuration, 261, 272
IP subnet-based VLAN configuration, 159 bridge mode configuration, 261
LAN switching LAN switching VLAN CDP compatibility configuration, 269
interface, 150
CDP-compatible configuration, 276
LLDP basic configuration, 272
configuration, 254, 260, 272
LLDP configuration, 272
disabling PVID inconsistency check, 269
LLDP trapping, 270
display, 271
LLDP-MED trapping, 270
enable, 261
port-based VLAN assignment (access
frame encapsulation (Ethernet II), 255
port), 152
frame encapsulation (SNAP), 255
port-based VLAN assignment (hybrid
port), 153 frame encapsulation format, 268
port-based VLAN assignment (trunk port), 153 frame format, 255
port-based VLAN configuration, 151 frame reception, 260
private VLAN configuration, 179 frame transmission, 259
private VLAN promiscuous port how it works, 259
configuration, 179 LLDPDU management address TLV, 259
private VLAN trunk promiscuous port LLDPDU TLV types, 256
configuration, 182 LLDPDU TLVs, 256
private VLAN trunk promiscuous+secondary LLDP-MED trapping configuration, 270
port configuration, 185 management address configuration, 266
protocol-based VLAN configuration, 160 management address encoding format, 266
secondary VLAN Layer 3 communication operating mode (disable), 259
configuration, 189 operating mode (Rx), 259
super VLAN configuration, 173 operating mode (Tx), 259
voice VLAN configuration, 192, 196, 202 operating mode (TxRx), 259
learning

306
 operating mode set, 261 logging
parameter set, 267 spanning tree TC BPDU event logging (PVST
polling enable, 262 mode), 131
protocols and standards, 260 loop
reinitialization delay, 262 MSTP configuration, 133
trapping configuration, 270 PVST configuration, 137
voice VLAN advertisement, 200 spanning tree configuration, 81, 102, 133
voice VLAN information advertisement to IP spanning tree loop guard, 127
phones, 193 loop detection
voice VLAN IP phone identification, 193 configuration, 141, 143, 145
voice VLAN IP phone identification display, 145
method, 192 enable, 143
voice VLAN LLDP automatic IP phone interval, 142
discovery enable, 200 interval setting, 144
LLDPDU mechanisms, 141
LLDP basic configuration, 261, 272 port status auto recovery, 142
LLDP configuration, 254, 260, 272 protection action setting, 144
LLDP parameters, 267 protection action setting (Layer 2 aggregate
management address configuration, 266 interface), 144
management address encoding format, 266 protection actions, 142
management address TLV, 259 loopback
TLV basic management types, 256 Ethernet interface loopback testing, 6
TLV LLDP-MED types, 256 loopback interface
TLV organization-specific types, 256 configuration, 18
load balancing display, 19
service loopback group maintain, 19
configuration, 288, 289
M
load sharing
Ethernet link aggregation group M:1 VLAN mapping
configuration, 58 application scenario, 233, 233
Ethernet link aggregation group load ARP detection (dynamic IP address
sharing, 48 assignment), 240
Ethernet link aggregation load sharing (Layer ARP snooping (static IP address
2), 68 assignment), 242
Ethernet link aggregation load sharing (Layer configuration, 239, 245
3), 74 configuration (dynamic IP address
Ethernet link aggregation load sharing assignment), 239
algorithm settings, 59 configuration (static IP address assignment), 242
Ethernet link aggregation load sharing configuration restrictions (dynamic IP address
mode, 58 assignment), 239
Ethernet link aggregation load sharing mode configuration restrictions (static IP address
for MAC-in-MAC traffic (global), 60 assignment), 242
Ethernet link aggregation local-first load customer-side port (dynamic IP address
sharing, 59 assignment), 240
Ethernet link aggregation packet type-based customer-side port (static IP address
load sharing, 48 assignment), 242
Ethernet link aggregation per-flow load DHCP snooping (dynamic IP address
sharing, 48 assignment), 240
Ethernet link aggregation per-packet load implementation, 235, 236
sharing, 48 network-side port (dynamic IP address
local assignment), 241
Ethernet link aggregation local-first load
sharing, 59

307
 network-side port (static IP address mode configuration, 37
assignment), 243 queue length setting, 38
MAC address table MAC relay (LLDP agent), 254
address learning, 22 MAC-based VLAN
address synchronization, 30 assignment (dynamic), 157
ARP fast update enable, 32 assignment (static), 157
blackhole entry, 25 configuration, 154, 164
configuration, 22, 23, 35 configuration (server-assigned), 159
conversational remote MAC learning dynamic assignment, 155
enable, 34 dynamic assignment configuration
display, 35 restrictions, 157
dynamic aging timer, 28 server-assigned, 156
entry configuration, 24 static assignment, 154
entry configuration (global), 24 MAC-in-MAC
entry configuration (on interface), 25 Ethernet link aggregation group load sharing
entry creation, 22 mode for MAC-in-MAC traffic, 60
entry types, 22 maintaining
frame forwarding rule, 29 Ethernet interface, 16
learning limit setting set, 28 Ethernet link aggregation, 63
learning priority assignment, 29 Ethernet subinterface, 16
MAC address learning disable, 26 interface, 19
MAC address move suppression, 31 L2PT, 281
manual entries, 22 MVRP, 212
move notification, 31 spanning tree, 132
multiport unicast entry, 25 VLAN, 161
SNMP notification enable, 34 management address
static source check enable, 33 LLDP encoding format, 266
MAC addressing manual
Ethernet aggregate interface, 53 voice VLAN assignment mode, 195
Ethernet interface MAC address (Layer 3), 16 voice VLAN assignment mode configuration, 204
Ethernet subinterface MAC address (Layer voice VLAN port operation configuration, 199
3), 16 mapping
L2PT tunneled packet destination multicast 1:1 VLAN mapping, 233
MAC address, 281 1:2 VLAN mapping, 234
MAC-based VLAN assignment 2:2 VLAN mapping, 234
(dynamic), 155, 157
M:1 VLAN mapping, 233
MAC-based VLAN assignment
MSTP VLAN-to-instance mapping table, 96
(server-assigned), 156
master
MAC-based VLAN assignment
(static), 154, 157 MSTP master port, 97
MAC-based VLAN configuration, 154, 164 max age timer (STP), 90
MAC-based VLAN configuration maximum transmission unit. Use MTU
(server-assigned), 159 mCheck
VLAN frame encapsulation, 148 global performance, 119
MAC authentication interface view performance, 120
VLAN group configuration, 161 spanning tree, 119
MAC Information MDI mode (Ethernet interface), 14
change notification interval, 38 MDIX mode (Ethernet interface), 14
configuration, 37, 38 MED (LLDP-MED trapping), 270
configuration restrictions, 38 message
enable, 37 MRP JoinEmpty, 206
MRP JoinIn, 206

308
 MRP Leave, 206 timers, 208
MRP LeaveAll, 206 MST
MRP New, 206 region max hops, 108
MRP timers, 208 MSTI
MIB calculation, 99
LLDP basic configuration, 261, 272 MRP, 206
LLDP configuration, 254, 260, 272 MST instance, 96
mode MSTP, 81, See also STP
Ethernet interface Auto MDIX (Layer 2), 14 basic concepts, 95
Ethernet interface link, 4 CIST, 97
Ethernet interface MDI (Layer 2), 14 CIST calculation, 99
Ethernet interface MDIX (Layer 2), 14 common root bridge, 97
Ethernet link aggregation dynamic, 43, 44 configuration, 105, 133
Ethernet link aggregation LACP operation CST, 96
active, 45 device implementation, 99
Ethernet link aggregation LACP operation feature enable, 118
passive, 45 features, 93
Ethernet link aggregation load sharing, 48 how it works, 98
Ethernet link aggregation static, 43, 43 IST, 97
LLDP customer bridge, 261 mode set, 106
LLDP disable, 259, 261 MST region, 96
LLDP Rx, 259, 261 MST region configuration, 106
LLDP service bridge, 261 MSTI, 96
LLDP Tx, 259, 261 MSTI calculation, 99
LLDP TxRx, 259, 261 port roles, 97
MAC Information syslog, 37 port states, 98
MAC Information trap, 37 protocol frames, 94
MVRP registration, 210 protocols and standards, 102
MVRP registration fixed, 209 rapid transition, 99
MVRP registration forbidden, 209 regional root, 97
MVRP registration normal, 209 relationships, 93
spanning tree mCheck, 119 spanning tree max age timer, 109
spanning tree MSTP, 106 spanning tree port mode configuration, 117
spanning tree PVST, 106 VLAN-to-instance mapping table, 96
spanning tree RSTP, 106 MTU
spanning tree STP, 106 Ethernet subinterface MTU setting (Layer 3), 16
voice VLAN assignment automatic, 194 Layer 3 Ethernet aggregate interface, 54
voice VLAN assignment manual, 195 multicast
voice VLAN port operation normal, 196 L2PT tunneled packet destination multicast MAC
voice VLAN port operation security, 196 address, 281
modifying multiple
MAC address table blackhole entry, 25 Multiple Registration Protocol. Use MRP
MAC address table entry (global), 24 VLAN registration protocol. Use MVRP
MAC address table entry (on interface), 25 Multiple Spanning Tree Protocol. Use MSTP
MAC address table multiport unicast entry, 25 multiport unicast entry (MAC address table), 22, 25
moving MVRP
MAC address table move notification, 31 configuration, 206, 209, 212
MRP configuration restrictions, 209
implementation, 206 display, 212
messages, 206 enable, 210
MVRP configuration, 206, 209, 212

309
 GVRP compatibility, 212 Ethernet link aggregation (Layer 3 dynamic), 73
maintain, 212 Ethernet link aggregation (Layer 3 static), 71
MRP implementation, 206 Ethernet link aggregation (static mode), 43
protocols and standards, 209 Ethernet link aggregation configuration types, 42
registration mode setting, 210 Ethernet link aggregation edge aggregate
registration modes, 209 interface, 48
timer set, 211 Ethernet link aggregation LACP, 45
Ethernet link aggregation load sharing (Layer
N
2), 68
network Ethernet link aggregation load sharing (Layer
1:1 VLAN mapping configuration, 238, 245 3), 74
1:2 VLAN mapping configuration, 244, 251 Ethernet link aggregation member port
2:2 VLAN mapping configuration, 245, 251 state, 43, 46
conversational remote MAC learning, 34 Ethernet link aggregation modes, 43
Ethernet aggregate interface (Layer 3 Ethernet link aggregation operational key, 42
edge), 76 Ethernet link aggregation reference port, 46
Ethernet interface basic settings, 3 Ethernet link aggregation reference port
Ethernet interface bridging enable (Layer choice, 43
2), 15 Ethernet subinterface basic settings, 3
Ethernet interface cable connection (Layer Ethernet subinterface configuration (Layer 3), 16
2), 14 Ethernet subinterface MAC address (Layer 3), 16
Ethernet interface common settings Ethernet subinterface MTU setting (Layer 3), 16
configuration, 1 interface auto power-down, 9
Ethernet interface configuration (Layer 2), 11 interface configuration (inloopback), 19
Ethernet interface configuration (Layer 3), 16 interface configuration (loopback), 18
Ethernet interface connection distance (Layer interface configuration (null), 18
2), 15
IP subnet-based VLAN configuration, 159, 166
Ethernet interface EEE, 9
L2PT for LACP configuration, 283
Ethernet interface energy-saving features, 8
L2PT for STP configuration, 282
Ethernet interface fiber port (Layer 2), 12
L2PT tunneled packet destination multicast MAC
Ethernet interface generic flow control, 7 address, 281
Ethernet interface jumbo frame support, 5 Layer 2 forwarding configuration
Ethernet interface link mode, 4 (cut-through), 287
Ethernet interface loopback testing, 6 LLDP basic configuration, 261, 272
Ethernet interface MAC address (Layer 3), 16 LLDP configuration (CDP-compatible), 276
Ethernet interface MDIX mode (Layer 2), 14 loop detection enable, 143
Ethernet interface MTU setting (Layer 3), 16 loop detection interval, 142, 144
Ethernet interface PFC, 7 loop detection protection action setting, 144
Ethernet interface physical state change loop protection actions, 142
suppression, 5 M:1 VLAN mapping configuration, 239, 245
Ethernet interface split (40-GE), 2 M:1 VLAN mapping configuration (dynamic IP
Ethernet interface statistics polling interval, 9 address assignment), 239
Ethernet interface storm control (Layer 2), 11 M:1 VLAN mapping configuration (static IP
Ethernet interface storm suppression, 10 address assignment), 242
Ethernet interfaces combine (10-GE > M:1 VLAN mapping customer-side port (dynamic
40-GE), 2 IP address assignment), 240
Ethernet link aggregate interface (Layer 2 M:1 VLAN mapping customer-side port (static IP
edge), 70 address assignment), 242
Ethernet link aggregation (dynamic mode), 44 M:1 VLAN mapping network-side port (dynamic
Ethernet link aggregation (Layer 2 IP address assignment), 241
dynamic), 66 M:1 VLAN mapping network-side port (static IP
Ethernet link aggregation (Layer 2 static), 64 address assignment), 243

310
MAC address move suppression, 31 QinQ VLAN transparent transmission
MAC address table address configuration, 231
synchronization, 30 RSTP basic concepts, 91
MAC address table ARP fast update, 32 RSTP network convergence, 90
MAC address table blackhole entry, 25 RSTP port role, 91
MAC address table dynamic aging timer, 28 RSTP port state, 91
MAC address table entry configuration, 24 secondary VLAN Layer 3 communication
MAC address table entry types, 22 configuration, 189
MAC address table learning limit, 28 service loopback group configuration, 289
MAC address table learning priority, 29 spanning tree BPDU drop, 129
MAC address table move notification, 31 spanning tree BPDU guard, 126
MAC address table multiport unicast entry, 25 spanning tree BPDU transmission rate, 111
MAC address table SNMP notification, 34 spanning tree BPDU transparent transmission (on
MAC address table static source check, 33 port), 131
MAC Information configuration, 38 spanning tree Digest Snooping, 120, 121
MAC-based VLAN assignment (dynamic), 157 spanning tree dispute guard, 130
MAC-based VLAN assignment spanning tree edge port, 112
(server-assigned), 156 spanning tree inconsistent PVID protection
MAC-based VLAN assignment (static), 157 disable, 120
MAC-based VLAN configuration, 154, 164 spanning tree loop guard, 127
MAC-based VLAN configuration spanning tree mode set, 106
(server-assigned), 159 spanning tree No Agreement Check, 122, 124
management Ethernet interface spanning tree port link type, 116
configuration, 1 spanning tree port mode, 117
MRP timers, 208 spanning tree port path cost, 112, 115
MST region configuration, 106 spanning tree port priority, 116
MSTP basic concepts, 95 spanning tree port role restriction, 128
MSTP configuration, 133 spanning tree port state transition, 118
MVRP enable, 210 spanning tree priority, 108
MVRP timer set, 211 spanning tree protection, 126
port isolation group assignment (multiple spanning tree root bridge, 107
ports), 78 spanning tree root bridge (device), 107
port-based VLAN assignment (access spanning tree root guard, 127
port), 152 spanning tree secondary root bridge (device), 108
port-based VLAN assignment (hybrid spanning tree SNMP notification (new-root
port), 153 election, topology change events), 132
port-based VLAN assignment (trunk port), 153 spanning tree switched network diameter, 109
port-based VLAN configuration, 151 spanning tree TC BPDU event logging (PVST
private VLAN promiscuous port mode), 131
configuration, 179 spanning tree TC Snooping, 124
private VLAN trunk promiscuous port spanning tree TC-BPDU guard, 129
configuration, 182
spanning tree TC-BPDU transmission
private VLAN trunk promiscuous+secondary restriction, 128
port configuration, 185
STP algorithm calculation, 84
protocol-based VLAN configuration, 160, 167
STP basic concepts, 83
PVST basic concepts, 93
STP path cost, 84
PVST BPDU guard, 130
super VLAN configuration, 171, 173
PVST configuration, 137
super VLAN interface configuration, 172
QinQ basic configuration, 229
super VLAN sub-VLAN creation, 171
QinQ VLAN tag TPID value, 226
VLAN basic configuration, 149
QinQ VLAN transparent transmission, 225
VLAN group configuration, 161

311
 VLAN interface, 150 service loopback group configuration, 288
VLAN mapping 1:1 implementation, 236 spanning tree configuration, 81, 102, 133
VLAN mapping 1:2 implementation, 237 super VLAN configuration, 171
VLAN mapping 2:2 implementation, 237 VLAN configuration, 148, 162
VLAN mapping M:1 implementation, 236 VLAN mapping configuration, 233, 238, 245
VLAN port-based configuration, 162 voice VLAN configuration, 192, 196
voice VLAN advertisement (CDP), 201 No Agreement Check (spanning tree), 122, 124
voice VLAN advertisement (LLDP), 200 no-learning action (loop detection), 142
voice VLAN assignment mode, 194 normal
voice VLAN assignment mode configuration voice VLAN operation mode, 196
(automatic), 202 notifying
voice VLAN assignment mode configuration MAC address table move notification, 31
(manual), 204 MAC address table SNMP notification, 34
voice VLAN configuration, 202 MAC Information change notification interval, 38
voice VLAN host+IP phone connection (in null interface
series), 193
configuration, 18, 18
voice VLAN information advertisement to IP
display, 19
phones, 193
maintain, 19
voice VLAN IP phone access method, 193
voice VLAN IP phone identification O
(LLDP), 193 operational key (Ethernet link aggregation), 42
voice VLAN IP phone identification (OUI organization-specific LLDPDU TLV types, 256
address), 192
OUI
voice VLAN IP phone+device connection, 194
voice VLAN IP phone identification (OUI
voice VLAN LLDP automatic IP phone address), 192
discovery enable, 200
voice VLAN IP phone identification method, 192
voice VLAN port operation configuration
(automatic assignment), 198 outputting
voice VLAN port operation configuration spanning tree port state transition
information, 118
(manual assignment), 199
voice VLAN port operation mode, 196 P
voice VLAN traffic QoS priority settings, 197 P/A transition (STP), 100
network management packet
Ethernet interface configuration, 1 1:1 VLAN mapping configuration, 238, 245
Ethernet link aggregation basic concepts, 41 1:2 VLAN mapping configuration, 244, 251
Ethernet link aggregation 2:2 VLAN mapping configuration, 245, 251
configuration, 41, 48, 64
Ethernet link aggregation group BFD, 56
interface bulk configuration, 20, 20
Ethernet link aggregation packet type-based load
interface configuration (inloopback), 18 sharing, 48
interface configuration (loopback), 18 L2PT configuration, 278, 280, 282
interface configuration (null), 18 L2PT for LACP configuration, 283
L2PT configuration, 278, 280, 282 L2PT for STP configuration, 282
LLDP basic concepts, 254 L2PT tunneled packet destination multicast MAC
LLDP configuration, 254, 260, 272 address, 281
loop detection, 141 LLDP CDP compatibility, 269
loop detection configuration, 143, 145 M:1 VLAN mapping configuration, 239, 245
MAC address table configuration, 22, 23, 35 M:1 VLAN mapping configuration (dynamic IP
MAC Information configuration, 37 address assignment), 239
MVRP, 206, 209, 212 M:1 VLAN mapping configuration (static IP
port isolation configuration, 78, 79 address assignment), 242
private VLAN configuration, 176, 177, 179 service loopback group configuration, 288, 289
QinQ configuration, 223, 229 VLAN mapping configuration, 233, 238, 245

312
parameter Ethernet link aggregation group (Layer 2
spanning tree timeout factor, 111 static), 49, 50
PE Ethernet link aggregation group (Layer 2), 49
L2PT configuration, 278, 280, 282 Ethernet link aggregation group (Layer 3
L2PT for LACP configuration, 283 dynamic), 51
L2PT for STP configuration, 282 Ethernet link aggregation group (Layer 3
static), 51
per-flow load sharing, 48
Ethernet link aggregation group (Layer 3), 51
performing
Ethernet link aggregation group load sharing, 58
spanning tree mCheck, 119
Ethernet link aggregation LACP, 45
spanning tree mCheck globally, 119
Ethernet link aggregation LACP port priority, 45
spanning tree mCheck in interface view, 120
Ethernet link aggregation load sharing (Layer
per-packet load sharing, 48
2), 68
Per-VLAN Spanning Tree Protocol. Use PVST
Ethernet link aggregation load sharing (Layer
PFC (Ethernet interface), 7 3), 74
physical Ethernet link aggregation load sharing algorithm
Ethernet interface physical state change settings, 59
suppression, 5 Ethernet link aggregation load sharing mode, 48
polling Ethernet link aggregation local-first load
Ethernet interface statistics polling interval, 9 sharing, 59
LLDP enable, 262 Ethernet link aggregation member port, 41
port Ethernet link aggregation member port
aggregate interface (MAC address), 53 state, 41, 43, 46
Ethernet aggregate interface, 52 Ethernet link aggregation modes, 43
Ethernet aggregate interface (description), 52 Ethernet link aggregation operational key, 42
Ethernet aggregate interface (Layer 3 Ethernet link aggregation reference port, 46
edge), 76 Ethernet link aggregation reference port
Ethernet interface fiber port (Layer 2), 12 choice, 43
Ethernet link aggregate group Selected ports Ethernet link aggregation traffic redirection, 60
min/max, 54 isolation. See port isolation
Ethernet link aggregate interface (expected Layer 2 aggregate interface (ignored VLAN), 53
bandwidth), 55 Layer 3 aggregate interface configuration
Ethernet link aggregate interface (Layer 2 (MTU), 54
edge), 70 link aggregation management subnet, 62
Ethernet link aggregate interface default link aggregation management
settings, 57 VLAN+management port, 61
Ethernet link aggregate interface LLDP basic configuration, 261, 272
shutdown, 57
LLDP configuration, 254, 260, 272
Ethernet link aggregation (dynamic mode), 44
LLDP disable operating mode, 259
Ethernet link aggregation (Layer 2
LLDP enable, 261
dynamic), 66
LLDP frame encapsulation format, 268
Ethernet link aggregation (Layer 2 static), 64
LLDP frame reception, 260
Ethernet link aggregation (Layer 3
dynamic), 73 LLDP frame transmission, 259
Ethernet link aggregation (Layer 3 static), 71 LLDP operating mode, 261
Ethernet link aggregation (static mode), 43 LLDP polling, 262
Ethernet link aggregation LLDP reinitialization delay, 262
configuration, 41, 48, 64 LLDP Rx operating mode, 259
Ethernet link aggregation configuration LLDP Tx operating mode, 259
types, 42 LLDP TxRx operating mode, 259
Ethernet link aggregation edge aggregate loop detection configuration, 141, 143, 145
interface, 48, 55 loop detection enable (port-specific), 143
Ethernet link aggregation group, 49 loop detection interval, 142, 144

313
loop detection protection action setting, 144 STP rapid transition, 99
loop detection protection actions, 142 STP root port, 83
loop detection status auto recovery, 142 STP root port rapid transition, 100
M:1 VLAN mapping customer-side port VLAN port link type, 151
(dynamic IP address assignment), 240 voice VLAN port operation configuration
M:1 VLAN mapping customer-side port (static (automatic assignment), 198
IP address assignment), 242 voice VLAN port operation configuration (manual
M:1 VLAN mapping network-side port assignment), 199
(dynamic IP address assignment), 241 voice VLAN port operation mode, 196
M:1 VLAN mapping network-side port (static port isolation
IP address assignment), 243 configuration, 78, 79
MAC address learning, 22 display, 78
MAC address table blackhole entry, 25 group assignment (multiple ports), 78
MAC address table configuration, 22, 23, 35 port-based VLAN
MAC address table entry configuration, 24 assignment (access port), 152
MAC address table multiport unicast entry, 25 assignment (hybrid port), 153
MAC Information configuration, 37, 38 assignment (trunk port), 153
MST port roles, 97 configuration, 151, 162
MST port states, 98 port frame handling, 152
MVRP application, 206, 209, 212 port link type, 151
MVRP timer set, 211 PVID, 151
PVST BPDU guard, 130 power
QinQ implementation, 224 Ethernet interface auto power-down, 9
RSTP network convergence, 90 Ethernet interface EEE, 9
service loopback group Ethernet interface energy-saving features, 8
configuration, 288, 289
priority
spanning tree BPDU drop, 129
Ethernet link aggregation LACP, 45
spanning tree BPDU guard, 126
Ethernet link aggregation LACP port priority, 45
spanning tree BPDU transmission rate, 111
Ethernet link aggregation LACP system
spanning tree BPDU transparent transmission priority, 45
(on port), 131
MAC address table learning priority, 29
spanning tree dispute guard, 130
priority-based flow control. Use PFC
spanning tree edge port configuration, 112
QinQ SVLAN tag 802.1p priority, 227
spanning tree forward delay timer, 109
spanning tree device priority, 108
spanning tree loop guard, 127
spanning tree port priority configuration, 116
spanning tree mCheck, 119
private VLAN
spanning tree path cost calculation
configuration, 176, 177, 179
standard, 113
configuration restrictions, 177
spanning tree path cost
configuration, 112, 115 display, 179
spanning tree port link type configuration, 116 promiscuous port configuration, 179
spanning tree port mode configuration, 117 secondary VLAN Layer 3 communication
configuration, 189
spanning tree port priority configuration, 116
trunk promiscuous port configuration, 182
spanning tree port role restriction, 128
trunk promiscuous+secondary port
spanning tree port state transition output, 118
configuration, 185
spanning tree root guard, 127
procedure
spanning tree TC-BPDU guard, 129
adding MAC address table blackhole entry, 25
spanning tree TC-BPDU transmission
adding MAC address table entry (global), 24
restriction, 128
adding MAC address table entry (on interface), 25
STP designated port, 83
adding MAC address table multiport unicast
STP edge port rapid transition, 99
entry, 25
STP port state, 83

314
assigning MAC address table learning priority configuring Ethernet link aggregation (Layer 3
to interface, 29 static), 71
assigning port isolation group (multiple configuring Ethernet link aggregation edge
ports), 78 aggregate interface, 55
assigning port-based VLAN access port, 152 configuring Ethernet link aggregation group, 49
assigning port-based VLAN access port configuring Ethernet link aggregation group
(interface view), 153 (Layer 2 dynamic), 50
assigning port-based VLAN access port configuring Ethernet link aggregation group
(VLAN view), 152 (Layer 2 static), 49
assigning port-based VLAN hybrid port, 153 configuring Ethernet link aggregation group
assigning port-based VLAN trunk port, 153 (Layer 3 dynamic), 51
bulk configuring interfaces, 20, 20 configuring Ethernet link aggregation group
combining Ethernet interfaces (10-GE > (Layer 3 static), 51
40-GE), 2 configuring Ethernet link aggregation group
configuring 1:1 VLAN mapping, 238, 245 BFD, 56
configuring 1:2 VLAN mapping, 244, 251 configuring Ethernet link aggregation group load
sharing, 58
configuring 2:2 VLAN mapping, 245, 251
configuring Ethernet link aggregation load sharing
configuring Ethernet aggregate interface, 52
(Layer 2), 68
configuring Ethernet aggregate interface
configuring Ethernet link aggregation load sharing
(description), 52
(Layer 3), 74
configuring Ethernet aggregate interface
configuring Ethernet link aggregation load sharing
(Layer 3 edge), 76
algorithm settings, 59
configuring Ethernet interface (Layer 2), 11
configuring Ethernet subinterface (Layer 3), 16
configuring Ethernet interface (Layer 3), 16
configuring Ethernet subinterface basic
configuring Ethernet interface auto settings, 3
power-down, 9
configuring interface (inloopback), 19
configuring Ethernet interface basic settings, 3
configuring interface (loopback), 18
configuring Ethernet interface common
configuring interface (null), 18
settings, 1
configuring IP subnet-based VLAN, 159, 166
configuring Ethernet interface EEE, 9
configuring L2PT, 280
configuring Ethernet interface energy-saving
features, 8 configuring L2PT for LACP, 283
configuring Ethernet interface generic flow configuring L2PT for STP, 282
control, 7 configuring LAN switching QinQ VLAN tag TPID
configuring Ethernet interface jumbo frame value, 226
support, 5 configuring Layer 2 forwarding (cut-through), 287
configuring Ethernet interface link mode, 4 configuring LLDP, 260
configuring Ethernet interface PFC, 7 configuring LLDP (CDP-compatible), 276
configuring Ethernet interface physical state configuring LLDP advertisable TLVs, 263
change suppression, 5 configuring LLDP basics, 261, 272
configuring Ethernet interface storm control configuring LLDP CDP compatibility, 269
(Layer 2), 11 configuring LLDP management address, 266
configuring Ethernet interface storm configuring LLDP management address encoding
suppression, 10 format, 266
configuring Ethernet link aggregate interface configuring LLDP trapping, 270
(Layer 2 edge), 70 configuring LLDP-MED trapping, 270
configuring Ethernet link aggregation, 48 configuring loop detection, 143, 145
configuring Ethernet link aggregation (Layer 2 configuring M:1 VLAN mapping, 239, 245
dynamic), 66
configuring M:1 VLAN mapping (dynamic IP
configuring Ethernet link aggregation (Layer 2 address assignment), 239
static), 64
configuring M:1 VLAN mapping (static IP address
configuring Ethernet link aggregation (Layer 3 assignment), 242
dynamic), 73

315
configuring M:1 VLAN mapping customer-side configuring spanning tree BPDU transmission
port (dynamic IP address assignment), 240 rate, 111
configuring M:1 VLAN mapping customer-side configuring spanning tree device priority, 108
port (static IP address assignment), 242 configuring spanning tree Digest
configuring M:1 VLAN mapping network-side Snooping, 120, 121
port (dynamic IP address assignment), 241 configuring spanning tree edge port, 112
configuring M:1 VLAN mapping network-side configuring spanning tree No Agreement
port (static IP address assignment), 243 Check, 122, 124
configuring MAC address move configuring spanning tree port link type, 116
suppression, 31 configuring spanning tree port mode for MSTP
configuring MAC address table, 23, 35 frames, 117
configuring MAC address table frame configuring spanning tree port path cost, 112, 115
forwarding rule, 29 configuring spanning tree port priority, 116
configuring MAC address table multiport configuring spanning tree port role restriction, 128
unicast entry (global), 26
configuring spanning tree protection, 126
configuring MAC address table multiport
configuring spanning tree root bridge, 107
unicast entry (on interface), 26
configuring spanning tree root bridge
configuring MAC Information, 38
(device), 107
configuring MAC Information mode, 37
configuring spanning tree secondary root
configuring MAC-based VLAN, 154, 164 bridge, 107
configuring MAC-based VLAN configuring spanning tree secondary root bridge
(server-assigned), 159 (device), 108
configuring MAC-based VLAN assignment configuring spanning tree switched network
(dynamic), 157 diameter, 109
configuring MAC-based VLAN assignment configuring spanning tree TC Snooping, 124
(static), 157
configuring spanning tree TC-BPDU transmission
configuring management Ethernet interface, 1 restriction, 128
configuring MST region, 106 configuring spanning tree timeout factor, 111
configuring MST region max hops, 108 configuring spanning tree timer, 109
configuring MSTP, 105, 133 configuring STP, 103
configuring MVRP, 209, 212 configuring super VLAN, 171, 171, 173
configuring port-based VLAN, 151, 162 configuring super VLAN interface, 172
configuring private VLAN, 176, 177 configuring VLAN basic settings, 149
configuring private VLAN promiscuous configuring VLAN group, 161
port, 179
configuring VLAN interface, 150
configuring private VLAN trunk promiscuous
configuring VLAN mapping, 238
port, 182
configuring voice VLAN, 196
configuring private VLAN trunk
promiscuous+secondary port, 185 configuring voice VLAN advertisement
(CDP), 201
configuring protocol-based VLAN, 160, 167
configuring voice VLAN advertisement
configuring PVST, 104, 137
(LLDP), 200
configuring QinQ basics, 229
configuring voice VLAN assignment mode
configuring QinQ CVLAN tag TPID value, 227 (automatic), 202
configuring QinQ SVLAN tag TPID value, 227 configuring voice VLAN assignment mode
configuring QinQ VLAN transparent (manual), 204
transmission, 225, 231 configuring voice VLAN port operation (automatic
configuring RSTP, 103 assignment), 198
configuring secondary VLAN Layer 3 configuring voice VLAN port operation (manual
communication, 189 assignment), 199
configuring service loopback group, 288, 289 configuring voice VLAN traffic QoS priority
configuring spanning tree, 102 settings, 197
configuring spanning tree BPDU guard, 126 creating super VLAN sub-VLAN, 171
disabling LLDP PVID inconsistency check, 269

316
disabling MAC address learning (global), 27 enabling MAC address table ARP fast update, 32
disabling MAC address learning (on enabling MAC address table move notification, 31
interface), 27 enabling MAC address table SNMP
disabling MAC address learning (on notification, 34
VLAN), 27 enabling MAC Information, 37
disabling MAC address table static source enabling MVRP, 210
check, 33 enabling MVRP GVRP compatibility, 212
disabling spanning tree inconsistent PVID enabling PVST BPDU guard, 130
protection, 120
enabling QinQ, 225
displaying bulk interface configuration, 21
enabling spanning tree BPDU drop, 129
displaying Ethernet interface, 16
enabling spanning tree BPDU guard (global), 126
displaying Ethernet link aggregation, 63
enabling spanning tree BPDU guard (on
displaying Ethernet subinterface, 16 interface), 126
displaying interface, 19 enabling spanning tree BPDU transparent
displaying L2PT, 281 transmission (on port), 131
displaying LLDP, 271 enabling spanning tree dispute guard, 130
displaying loop detection, 145 enabling spanning tree feature, 118
displaying MAC address table, 35 enabling spanning tree loop guard, 127
displaying MVRP, 212 enabling spanning tree port state transition
displaying port isolation, 78 information output, 118
displaying private VLAN, 179 enabling spanning tree root guard, 127
displaying QinQ, 228 enabling spanning tree SNMP notification
displaying service loopback group, 289 (new-root election, topology change events), 132
displaying spanning tree, 132 enabling spanning tree TC BPDU event logging
displaying super VLAN, 172 (PVST mode), 131
displaying VLAN, 161 enabling spanning tree TC-BPDU guard, 129
displaying VLAN mapping, 245 enabling voice VLAN LLDP automatic IP phone
discovery, 200
displaying voice VLAN, 202
forcing Ethernet interface fiber port (Layer 2), 12
enable Ethernet interface bridging (Layer
2), 15 maintaining Ethernet interface, 16
enabling conversational remote MAC maintaining Ethernet link aggregation, 63
learning, 34 maintaining Ethernet subinterface, 16
enabling Ethernet interface loopback maintaining interface, 19
testing, 6 maintaining L2PT, 281
enabling Ethernet link aggregation local-first maintaining MVRP, 212
load sharing, 59 maintaining spanning tree, 132
enabling Ethernet link aggregation traffic maintaining VLAN, 161
redirection, 60 modifying MAC address table blackhole entry, 25
enabling L2PT, 280 modifying MAC address table entry (global), 24
enabling L2PT (for protocol), 280 modifying MAC address table entry (on
enabling LLDP, 261 interface), 25
enabling LLDP polling, 262 modifying MAC address table multiport unicast
enabling loop detection (global), 143 entry, 25
enabling loop detection (port-specific), 143 performing spanning tree mCheck, 119
enabling M:1 VLAN mapping ARP detection performing spanning tree mCheck globally, 119
(dynamic IP address assignment), 240 performing spanning tree mCheck in interface
enabling M:1 VLAN mapping ARP snooping view, 120
(static IP address assignment), 242 restoring Ethernet link aggregate interface default
enabling M:1 VLAN mapping DHCP snooping settings, 57
(dynamic IP address assignment), 240 setting Ethernet aggregate interface (MAC
enabling MAC address synchronization, 30 address), 53

317
setting Ethernet interface connection distance specifying link aggregation management
(Layer 2), 15 subnet, 62, 62
setting Ethernet interface MAC address specifying link aggregation management
(Layer 3), 16 VLAN+management port, 61, 61
setting Ethernet interface MDIX mode (Layer specifying spanning tree port path cost calculation
2), 14 standard, 113
setting Ethernet interface MTU (Layer 3), 16 splitting Ethernet interface (40-GE), 2
setting Ethernet interface statistics polling testing Ethernet interface cable connection (Layer
interval, 9 2), 14
setting Ethernet link aggregate group promiscuous
Selected ports min/max, 54 private VLAN promiscuous port configuration, 179
setting Ethernet link aggregate interface private VLAN trunk promiscuous port
(expected bandwidth), 55 configuration, 182
setting Ethernet link aggregation load sharing private VLAN trunk promiscuous+secondary port
mode (global), 58 configuration, 185
setting Ethernet link aggregation load sharing protecting
mode (group-specific), 58 loop detection protection action setting, 144
setting Ethernet link aggregation load sharing spanning tree protection, 126
mode for MAC-in-MAC traffic (global), 60
spanning tree SNMP notification (new-root
setting Ethernet subinterface MAC address election, topology change events), 132
(Layer 3), 16
protocol-based VLAN
setting Ethernet subinterface MTU (Layer
configuration, 160, 167
3), 16
protocols and standards
setting L2PT tunneled packet destination
multicast MAC address, 281 Ethernet link aggregation protocol
configuration, 42
setting Layer 3 aggregate interface (MTU), 54
LLDP, 260
setting LLDP bridge mode, 261
MSTP, 102
setting LLDP frame encapsulation format, 268
MSTP protocol frames, 94
setting LLDP operating mode, 261
MVRP, 209
setting LLDP parameters, 267
PVST protocol frames, 92
setting LLDP reinitialization delay, 262
QinQ, 225
setting loop detection interval, 144
RSTP protocol frames, 90
setting loop detection protection action
(global), 144 STP protocol frames, 81
setting loop detection protection action (Layer VLAN, 149
2 aggregate interface), 144 PVID
setting loop detection protection action (Layer spanning tree inconsistent PVID protection
2 Ethernet interface), 144 disable, 120
setting MAC address table dynamic aging PVID (port-based VLAN), 151
timer, 28 PVST, 81, See also STP
setting MAC address table learning limit, 28 basic concepts, 93
setting MAC Information change notification configuration, 104, 137
interval, 38 feature enable, 119
setting MAC Information queue length, 38 how it works, 93
setting MVRP registration mode, 210 mode set, 106
setting MVRP timer, 211 port links, 92
setting QinQ SVLAN tag 802.1p priority, 227 protocol frames, 92
setting spanning tree mode, 106 rapid transition, 99
shutting down Ethernet link aggregate spanning tree TC BPDU event logging (PVST
interface, 57 mode), 131
specifying Layer 2 aggregate interface
(ignored VLAN), 53 Q
QinQ

318
 basic configuration, 229 Ethernet interface storm suppression, 10
configuration, 223, 229 Ethernet link aggregation BFD configuration, 56
configuration restrictions, 225 Ethernet link aggregation group, 49
CVLAN tag, 223 Ethernet link aggregation traffic redirection, 61
display, 228 L2PT enable, 280
enable, 225 Layer 2 Ethernet interface fiber port, 13
how it works, 223 Layer 2 Ethernet interface storm control
implementation, 224 configuration, 11
loop detection configuration, 141, 143, 145 M:1 VLAN mapping configuration (dynamic IP
protocols and standards, 225 address assignment), 239
SVLAN tag, 223 M:1 VLAN mapping configuration (static IP
address assignment), 242
SVLAN tag 802.1p priority, 227
MAC Information configuration, 38
VLAN tag TPID value, 226
MAC-based VLAN assignment configuration
VLAN transparent transmission, 225
(dynamic), 157
VLAN transparent transmission
MVRP configuration, 209
configuration, 231
private VLAN configuration, 177
QoS
QinQ configuration, 225
QinQ SVLAN tag 802.1p priority, 227
spanning tree port role restriction, 128
voice VLAN traffic QoS priority settings, 197
spanning tree TC-BPDU transmission
queuing
restriction, 128
MAC Information queue length, 38
STP Digest Snooping configuration, 121
R STP edge port configuration, 112
Rapid Spanning Tree Protocol. Use RSTP STP mCheck configuration, 119
rate STP port link type configuration, 116
spanning tree BPDU transmission rate, 111 STP TC Snooping configuration, 125
receiving STP timer configuration, 110
LLDP frames, 260 VLAN configuration, 157
recovering voice VLAN LLDP automatic IP phone discovery
loop detection port status auto recovery, 142 enable, 200
redirecting voice VLAN port operation configuration
(automatic assignment), 198
Ethernet link aggregation traffic redirection, 60
voice VLAN port operation configuration
reference port (Ethernet link aggregation), 43, 46 restrictions (manual assignment), 199
region root
MST, 96 MST common root bridge, 97
MST region configuration, 106 MST regional root, 97
MST region max hops, 108 MST root port role, 97
MST regional root, 97 spanning tree root bridge, 107
registering spanning tree root bridge (device), 107
MVRP registration fixed mode, 209 spanning tree root guard, 127
MVRP registration forbidden mode, 209 spanning tree secondary root bridge (device), 108
MVRP registration mode, 210 STP algorithm calculation, 84
MVRP registration normal mode, 209 STP edge port rapid transition, 100
reinitialization delay (LLDP), 262
STP root bridge, 83
restoring
STP root port, 83
Ethernet link aggregate interface default
routing
settings, 57
IP subnet-based VLAN configuration, 159, 166
restrictions
MAC-based VLAN assignment (dynamic), 157
bulk interface configuration, 20
MAC-based VLAN assignment (static), 157
Ethernet interface loopback test, 6
MAC-based VLAN configuration, 154, 164
Ethernet interface PFC configuration, 8

319
 MAC-based VLAN configuration Ethernet link aggregate group Selected ports
(server-assigned), 159 min/max, 54
protocol-based VLAN configuration, 160, 167 Ethernet link aggregate interface (expected
voice VLAN configuration, 192, 196, 202 bandwidth), 55
voice VLAN IP phone access method, 193 Ethernet link aggregation load sharing mode
RSTP, 81, See also STP (global), 58
basic concepts, 91 Ethernet link aggregation load sharing mode
(group-specific), 58
BPDU processing, 92
Ethernet link aggregation load sharing mode for
configuration, 103
MAC-in-MAC traffic (global), 60
feature enable, 118
Ethernet link aggregation member port
how it works, 91 state, 43, 46
mode set, 106 Ethernet subinterface MAC address (Layer 3), 16
MSTP device implementation, 99 Ethernet subinterface MTU (Layer 3), 16
network convergence, 90 L2PT tunneled packet destination multicast MAC
port role, 91 address, 281
port state, 91 Layer 3 aggregate interface (MTU), 54
protocol frames, 90 LLDP bridge mode, 261
rapid transition, 99 LLDP frame encapsulation format, 268
rule LLDP operating mode, 261
MAC address table frame forwarding rule, 29 LLDP parameters, 267
S LLDP reinitialization delay, 262
loop detection interval, 144
security
loop detection protection action (global), 144
voice VLAN operation mode, 196
loop detection protection action (Layer 2
selecting aggregate interface), 144
Ethernet link aggregation Selected ports loop detection protection action (Layer 2 Ethernet
min/max, 54
interface), 144
Ethernet link aggregation selected state, 41
MAC address table dynamic aging timer, 28
Ethernet link aggregation unselected state, 41
MAC address table learning limit, 28
series
MAC Information change notification interval, 38
voice VLAN host+IP phone connection (in
MAC Information queue length, 38
series), 193
MVRP registration mode, 210
server
MVRP timer, 211
MAC-based VLAN assignment
(server-assigned), 156 QinQ SVLAN tag 802.1p priority, 227
MAC-based VLAN configuration spanning tree mode, 106
(server-assigned), 159 shutting down
service Ethernet link aggregate interface, 57
LLDP service bridge mode, 261 loop detection shutdown action, 142
service loopback group SNAP
configuration, 288, 289 LLDP frame encapsulation, 255
display, 289 LLDP frame encapsulation format, 268
setting SNMP
Ethernet aggregate interface (MAC MAC address table SNMP notification, 34
address), 53 MAC Information configuration, 37, 38
Ethernet interface connection distance (Layer snooping
2), 15 spanning tree Digest Snooping, 120, 121
Ethernet interface MAC address (Layer 3), 16 spanning tree TC Snooping, 124
Ethernet interface MDIX mode (Layer 2), 14 source
Ethernet interface MTU (Layer 3), 16 MAC address table static source check, 33
Ethernet interface statistics polling interval, 9 spanning tree, 81, See also STP, RSTP, PVST, MSTP
BPDU drop, 129

320
 BPDU guard configuration, 126 Ethernet interface state change suppression, 5
BPDU transmission rate configuration, 111 Ethernet link aggregation member port
BPDU transparent transmission (on port), 131 state, 41, 43, 46
configuration, 81, 102, 133 static
device priority configuration, 108 Ethernet link aggregation (Layer 2), 64
Digest Snooping, 120, 121 Ethernet link aggregation (Layer 3), 71
display, 132 Ethernet link aggregation (static mode), 43
dispute guard enable, 130 Ethernet link aggregation group, 49, 51
edge port configuration, 112 Ethernet link aggregation group BFD, 56
feature enable, 118 Ethernet link aggregation mode, 43
inconsistent PVID protection disable, 120 Layer 2 Ethernet link aggregation group, 49
loop guard enable, 127 Layer 3 Ethernet link aggregation group, 51
maintain, 132 MAC address table entry, 22
mCheck, 119 MAC address table entry configuration
mode set, 106 (global), 24
MST region max hops, 108 MAC address table entry configuration (on
interface), 25
No Agreement Check, 122, 124
MAC address table static source check, 33
port link type configuration, 116
MAC-based VLAN assignment, 154, 157
port mode configuration, 117
statistics
port path cost calculation standard, 113
Ethernet interface statistics polling interval, 9
port path cost configuration, 112, 115
storm
port priority configuration, 116
Ethernet interface storm control (Layer 2), 11
port role restriction, 128
Ethernet interface storm suppression, 10
port state transition output, 118
STP
protection configuration, 126
algorithm calculation, 84
PVST BPDU guard, 130
basic concepts, 83
root bridge configuration, 107
BPDU forwarding, 89
root bridge configuration (device), 107
configuration, 103
root guard enable, 127
configuration BPDUs, 81
secondary root bridge configuration
(device), 108 designated bridge, 83
SNMP notification enable (new-root election, designated port, 83
topology change events), 132 Digest Snooping configuration restrictions, 121
switched network diameter, 109 edge port configuration restrictions, 112
TC BPDU event logging (PVST mode), 131 feature enable, 118
TC Snooping, 124 L2PT for STP configuration, 282
TC-BPDU guard, 129 loop detection, 81
TC-BPDU transmission restriction, 128 mCheck configuration restrictions, 119
timeout factor configuration, 111 mode set, 106
timer configuration, 109 MSTP device implementation, 99
specifying P/A transition, 100
Layer 2 aggregate interface (ignored path cost, 84
VLAN), 53 port link type configuration restrictions, 116
link aggregation management subnet, 62 port state, 83
link aggregation management protocol frames, 81
VLAN+management port, 61 root bridge, 83
spanning tree port path cost calculation root port, 83
standard, 113 TC Snooping configuration restrictions, 125
splitting TCN BPDUs, 82
Ethernet interface (40-GE), 2 timer configuration restrictions, 110
state timers, 90

321
subinterface, 1, See also Ethernet subinterface M:1 VLAN mapping configuration (dynamic IP
subnetting address assignment), 239
IP subnet-based VLAN M:1 VLAN mapping configuration (static IP
configuration, 159, 166 address assignment), 242
sub-VLAN QinQ CVLAN, 223
creation, 171 QinQ SVLAN, 223
super VLAN QinQ SVLAN tag 802.1p priority, 227
configuration, 171, 171, 173 QinQ VLAN tag TPID value, 226
display, 172 VLAN mapping configuration, 233, 238, 245
interface configuration, 172 TC Snooping (spanning tree), 124
sub-VLAN creation, 171 TC-BPDU
suppressing spanning tree TC-BPDU guard, 129
Ethernet interface physical state change, 5 spanning tree TC-BPDU transmission
Ethernet interface storm control configuration restriction, 128
(Layer 2), 11 testing
Ethernet interface storm suppression, 10 Ethernet interface cable connection (Layer 2), 14
suppression time
MAC address move, 31 Ethernet link aggregation LACP timeout
SVLAN interval, 45
QinQ basic configuration, 229 timeout
QinQ configuration, 223, 229 Ethernet link aggregation LACP long timeout
interval, 45
QinQ SVLAN tag 802.1p priority, 227
Ethernet link aggregation LACP short timeout
QinQ VLAN transparent transmission
interval, 45
configuration, 231
spanning tree timeout factor, 111
VLAN mapping application scenario, 233
timer
VLAN mapping configuration, 233, 238, 245
LLDP reinitialization delay, 262
VLAN mapping implementation, 235
MAC address table dynamic aging, 28
switching
MRP Join, 208
Ethernet interface configuration, 1
MRP Leave, 208
interface configuration (inloopback), 18, 19
MRP LeaveAll, 208
interface configuration (loopback), 18, 18
MRP Periodic, 208
interface configuration (null), 18, 18
MVRP set, 211
spanning tree switched network diameter, 109
spanning tree forward delay, 109
synchronizing
spanning tree hello, 109
MAC addresses, 30
spanning tree max age, 109
syslog
STP forward delay, 90
MAC Information configuration, 37, 38
STP hello, 90
MAC Information mode configuration, 37
STP max age, 90
system
TLV
interface bulk configuration, 20, 20
LLDP advertisable TLV configuration, 263
T LLDP management address configuration, 266
table LLDP management address encoding
MAC address, 22, 23, 35 format, 266
MAC address table learning limit, 28 LLDP parameters, 267
MSTP VLAN-to-instance mapping table, 96 LLDPDU basic management types, 256
tag LLDPDU LLDP-MED types, 256
1:1 VLAN mapping configuration, 238, 245 LLDPDU management address TLV, 259
1:2 VLAN mapping configuration, 244, 251 LLDPDU organization-specific types, 256
2:2 VLAN mapping configuration, 245, 251 topology
M:1 VLAN mapping configuration, 239, 245 PVST BPDU protocol frames, 92

322
 STP TCN BPDU protocol frames, 81 L2PT for STP configuration, 282
traffic Layer 2 Ethernet aggregate interface (ignored
Ethernet link aggregation traffic redirection, 60 VLAN), 53
private VLAN configuration, 177, 179 link aggregation management subnet, 62
voice VLAN traffic QoS priority settings, 197 link aggregation management
transmitting VLAN+management port, 61
LLDP frames, 259 LLDP CDP compatibility, 269
QinQ VLAN transparent LLDP configuration (CDP-compatible), 276
transmission, 225, 231 loop detection configuration, 141, 143, 145
spanning tree TC-BPDU transmission MAC address learning disable, 27
restriction, 128 MAC-based assignment (dynamic), 157
transparent transmission (QinQ for MAC-based assignment (static), 157
VLAN), 225, 231 MAC-based configuration, 164
trapping MAC-based VLAN configuration, 154
LLDP configuration, 270 MAC-based VLAN configuration
LLDP-MED configuration, 270 (server-assigned), 159
MAC Information configuration, 37, 38 maintain, 161
MAC Information mode configuration, 37 mapping. See VLAN mapping
trunk port MRP implementation, 206
port-based VLAN assignment (trunk port), 153 MSTP VLAN-to-instance mapping table, 96
private VLAN trunk promiscuous port MVRP configuration, 206, 209, 212
configuration, 182 MVRP GVRP compatibility, 212
private VLAN trunk promiscuous+secondary port isolation configuration, 78, 79
port configuration, 185 port link type, 151
tunneling port-based configuration, 151, 162
L2PT configuration, 278, 280, 282 port-based VLAN assignment (access port), 152
L2PT enable, 280 port-based VLAN assignment (hybrid port), 153
L2PT for LACP configuration, 283 port-based VLAN assignment (trunk port), 153
L2PT for STP configuration, 282 port-based VLAN frame handling, 152
L2PT tunneled packet destination multicast private VLAN configuration, 176, 177
MAC address, 281
private VLAN configuration restrictions, 177
U protocol-based VLAN configuration, 160, 167
unicast protocols and standards, 149
MAC address table configuration, 22, 23, 35 PVID, 151
MAC address table multiport unicast entry, 22 PVST, 92
QinQ basic configuration, 229
V
QinQ configuration, 223, 229
virtual QinQ CVLAN tag, 223
Virtual Local Area Network. Use VLAN QinQ implementation, 224
VLAN QinQ SVLAN tag, 223
basic configuration, 149 QinQ SVLAN tag 802.1p priority, 227
configuration, 148, 162 QinQ transparent transmission, 225
configuration restrictions, 157 QinQ VLAN tag TPID value, 226
display, 161 QinQ VLAN transparent transmission
frame encapsulation, 148 configuration, 231
group configuration, 161 spanning tree inconsistent PVID protection
interface configuration, 150 disable, 120
IP subnet-based VLAN super VLAN configuration, 171, 171, 173
configuration, 159, 166 super VLAN interface configuration, 172
L2PT configuration, 278, 280, 282 termination. See VLAN termination
L2PT for LACP configuration, 283 voice VLAN advertisement (CDP), 201

323
 voice VLAN advertisement (LLDP), 200 assignment mode+IP phone cooperation, 195
voice VLAN assignment mode configuration configuration, 192, 196, 202
(automatic), 202 display, 202
voice VLAN assignment mode configuration host+IP phone connection (in series), 193
(manual), 204 information advertisement to IP phone, 193
voice VLAN configuration, 192, 196, 202 IP phone access method, 193
voice VLAN host+IP phone connection (in IP phone identification (LLDP), 193
series), 193
IP phone identification (OUI address), 192
voice VLAN IP phone access method, 193
IP phone identification method, 192
voice VLAN IP phone+device connection, 194
IP phone+device connection, 194
voice VLAN LLDP automatic IP phone
LLDP automatic IP phone discovery enable, 200
discovery enable, 200
LLDP automatic IP phone discovery enable
voice VLAN port operation configuration
restrictions, 200
(automatic assignment), 198
port operation configuration (automatic
voice VLAN port operation configuration
assignment), 198
(manual assignment), 199
port operation configuration (manual
voice VLAN port operation configuration
assignment), 199
restrictions (automatic assignment), 198
port operation configuration restrictions
voice VLAN port operation configuration
(automatic assignment), 198
restrictions (manual assignment), 199
port operation configuration restrictions (manual
voice VLAN port operation mode, 196
assignment), 199
voice VLAN traffic QoS priority settings, 197
port operation mode, 196
VLAN mapping
traffic QoS priority setting configuration, 197
1:1 application scenario, 233, 233
VoIP
1:1 configuration, 238, 245
voice VLAN configuration, 192, 196, 202
1:1 implementation, 235, 236
voice VLAN information advertisement to IP
1:2 application scenario, 233, 234 phones, 193
1:2 configuration, 244, 251 voice VLAN IP phone access method, 193
1:2 implementation, 235, 237 voice VLAN IP phone identification (LLDP), 193
2:2 application scenario, 233, 234 voice VLAN IP phone identification (OUI
2:2 configuration, 245, 251 address), 192
2:2 implementation, 235, 237 VPN
configuration, 233, 238, 245 QinQ basic configuration, 229
display, 245 QinQ configuration, 223, 229
M:1 application scenario, 233, 233 QinQ VLAN transparent transmission
M:1 configuration, 239, 245 configuration, 231
M:1 configuration (dynamic IP address
assignment), 239
M:1 configuration (static IP address
assignment), 242
M:1 implementation, 235, 236
voice traffic
LLDP CDP compatibility, 269
LLDP configuration (CDP-compatible), 276
voice VLAN
advertisement configuration (CDP), 201
advertisement configuration (LLDP), 200
assignment mode (automatic), 194
assignment mode (manual), 195
assignment mode configuration
(automatic), 202
assignment mode configuration (manual), 204

324