HPE FlexNetwork 5510 HI Switch Series

Layer 2—LAN Switching

Configuration Guide

Part number: 5200-3622

Software version: Release 13xx
Document version: 6W100-20170315
© Copyright 2015, 2017 Hewlett Packard Enterprise Development LP
The information contained herein is subject to change without notice. The only warranties for Hewlett Packard
Enterprise products and services are set forth in the express warranty statements accompanying such
products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett
Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein.
Confidential computer software. Valid license from Hewlett Packard Enterprise required for possession, use, or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software, Computer Software
Documentation, and Technical Data for Commercial Items are licensed to the U.S. Government under vendor’s
standard commercial license.
Links to third-party websites take you outside the Hewlett Packard Enterprise website. Hewlett Packard
Enterprise has no control over and is not responsible for information outside the Hewlett Packard Enterprise
website.
Acknowledgments
Intel®, Itanium®, Pentium®, Intel Inside®, and the Intel Inside logo are trademarks of Intel Corporation in the
United States and other countries.
Microsoft® and Windows® are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Adobe® and Acrobat® are trademarks of Adobe Systems Incorporated.
Java and Oracle are registered trademarks of Oracle and/or its affiliates.
UNIX® is a registered trademark of The Open Group.
Contents
Configuring Ethernet interfaces ···························································1
Ethernet interface naming conventions ··························································································· 1
Configuring a management Ethernet interface ·················································································· 1
Configuring common Ethernet interface settings ··············································································· 1
Configuring a combo interface (single combo interface) ······························································· 2
Splitting a 40-GE interface and combining 10-GE breakout interfaces ············································· 2
Configuring basic settings of an Ethernet interface or subinterface ················································· 3
Configuring the link mode of an Ethernet interface ······································································ 5
Configuring jumbo frame support ···························································································· 5
Configuring physical state change suppression on an Ethernet interface ········································· 6
Configuring dampening on an Ethernet interface ········································································ 6
Enabling loopback testing on an Ethernet interface ····································································· 8
Configuring generic flow control on an Ethernet interface ····························································· 9
Enabling energy saving features on an Ethernet interface ···························································· 9
Setting the statistics polling interval ······················································································· 10
Enabling automatic negotiation for speed downgrading ····························································· 10
Configuring the interface card operating mode ········································································· 11
Configuring a Layer 2 Ethernet interface ······················································································· 12
Configuring storm suppression ····························································································· 12
Configuring storm control on an Ethernet interface ··································································· 12
Forcibly bringing up a fiber port ···························································································· 14
Setting the MDIX mode of an Ethernet interface ······································································· 15
Testing the cable connection of an Ethernet interface ································································ 16
Enabling bridging on an Ethernet interface ·············································································· 16
Configuring a Layer 3 Ethernet interface or subinterface··································································· 17
Setting the MTU for an Ethernet interface or subinterface ·························································· 17
Displaying and maintaining an Ethernet interface or subinterface ······················································· 17
Configuring loopback, null, and inloopback interfaces ···························· 19
Configuring a loopback interface ································································································· 19
Configuring a null interface········································································································· 19
Configuring an inloopback interface ····························································································· 20
Displaying and maintaining loopback, null, and inloopback interfaces ·················································· 20
Bulk configuring interfaces ······························································· 21
Configuration restrictions and guidelines ······················································································· 21
Configuration procedure ············································································································ 21
Displaying and maintaining bulk interface configuration ···································································· 22
Configuring the MAC address table ···················································· 23
Overview ································································································································ 23
How a MAC address entry is created ····················································································· 23
Types of MAC address entries ····························································································· 23
MAC address table configuration task list ······················································································ 24
Configuring MAC address entries ································································································ 25
Configuration guidelines ····································································································· 25
Adding or modifying a static or dynamic MAC address entry globally ············································ 25
Adding or modifying a static or dynamic MAC address entry on an interface ·································· 26
Adding or modifying a blackhole MAC address entry ································································· 26
Adding or modifying a multiport unicast MAC address entry ························································ 26
Disabling MAC address learning ································································································· 27
Disabling global MAC address learning ·················································································· 28
Disabling MAC address learning on interfaces ········································································· 28
Disabling MAC address learning on a VLAN············································································ 28
Setting the aging timer for dynamic MAC address entries ································································· 29
Setting the MAC learning limit ····································································································· 29
Configuring the unknown frame forwarding rule after the MAC learning limit is reached ·························· 29

i
 Assigning MAC learning priority to interfaces ················································································· 30
Enabling MAC address synchronization ························································································ 30
Configuring MAC address move notifications and suppression ·························································· 32
Enabling ARP fast update for MAC address moves ········································································· 33
Enabling SNMP notifications for the MAC address table ··································································· 34
Displaying and maintaining the MAC address table ········································································· 34
MAC address table configuration example ····················································································· 34
Network requirements ········································································································ 34
Configuration procedure ····································································································· 35
Verifying the configuration ··································································································· 35
Configuring MAC Information ···························································· 36
Enabling MAC Information ········································································································· 36
Configuring the MAC Information mode ························································································ 36
Setting the MAC change notification interval ·················································································· 37
Setting the MAC Information queue length ···················································································· 37
MAC Information configuration example ························································································ 37
Network requirements ········································································································ 37
Configuration restrictions and guidelines ················································································ 37
Configuration procedure ····································································································· 38
Configuring Ethernet link aggregation ················································· 40
Overview ································································································································ 40
Ethernet link aggregation application scenario ········································································· 40
Aggregation group, member port, and aggregate interface ························································· 40
Aggregation states of member ports in an aggregation group ······················································ 40
Operational key················································································································· 41
Configuration types ············································································································ 41
Link aggregation modes ······································································································ 42
How static link aggregation works ························································································· 42
LACP ······························································································································ 43
How dynamic link aggregation works ····················································································· 45
Edge aggregate interface ···································································································· 47
Load sharing modes for link aggregation groups ······································································ 47
Ethernet link aggregation configuration task list ·············································································· 47
Configuring an aggregation group································································································ 48
Configuration restrictions and guidelines ················································································ 48
Configuring a Layer 2 aggregation group ················································································ 49
Configuring a Layer 3 aggregation group ················································································ 50
Configuring an aggregate interface ······························································································ 51
Configuring the description of an aggregate interface ································································ 52
Specifying ignored VLANs for a Layer 2 aggregate interface ······················································· 52
Setting the MTU for a Layer 3 aggregate interface ···································································· 52
Setting the minimum and maximum numbers of Selected ports for an aggregation group ················· 53
Setting the expected bandwidth for an aggregate interface ························································· 54
Configuring an edge aggregate interface ················································································ 54
Enabling BFD for an aggregation group·················································································· 54
Shutting down an aggregate interface ···················································································· 56
Restoring the default settings for an aggregate interface ···························································· 56
Configuring load sharing for link aggregation groups ······································································· 56
Setting load sharing modes for link aggregation groups ····························································· 56
Enabling local-first load sharing for link aggregation ·································································· 57
Configuring link aggregation load sharing algorithm settings ······················································· 58
Enabling link-aggregation traffic redirection ··················································································· 58
Configuration restrictions and guidelines ················································································ 59
Configuration procedure ····································································································· 59
Displaying and maintaining Ethernet link aggregation ······································································ 59
Ethernet link aggregation configuration examples ··········································································· 60
Layer 2 static aggregation configuration example ····································································· 60
Layer 2 dynamic aggregation configuration example ································································· 62
Layer 2 aggregation load sharing configuration example ···························································· 64
Layer 2 edge aggregate interface configuration example ··························································· 66

ii
 Layer 3 static aggregation configuration example ····································································· 68
Layer 3 dynamic aggregation configuration example ································································· 69
Layer 3 aggregation load sharing configuration example ···························································· 70
Layer 3 edge aggregate interface configuration example ··························································· 72
Configuring port isolation ································································· 74
Assigning a port to an isolation group ··························································································· 74
Displaying and maintaining port isolation ······················································································· 74
Port isolation configuration example ····························································································· 75
Network requirements ········································································································ 75
Configuration procedure ····································································································· 75
Verifying the configuration ··································································································· 75
Configuring spanning tree protocols ··················································· 77
STP ······································································································································ 77
STP protocol frames ·········································································································· 77
Basic concepts in STP ········································································································ 79
Calculation process of the STP algorithm ··············································································· 80
RSTP ···································································································································· 86
RSTP protocol frames ········································································································ 86
Basic concepts in RSTP ····································································································· 86
How RSTP works ·············································································································· 87
RSTP BPDU processing ····································································································· 87
PVST ···································································································································· 88
PVST protocol frames ········································································································ 88
Basic concepts in PVST ······································································································ 89
How PVST works ·············································································································· 89
MSTP ···································································································································· 89
MSTP features·················································································································· 89
MSTP protocol frames ········································································································ 90
Basic concepts in MSTP ····································································································· 91
How MSTP works ·············································································································· 94
MSTP implementation on devices ························································································· 95
Rapid transition mechanism ································································································· 95
Protocols and standards ············································································································ 97
Spanning tree configuration task lists ··························································································· 98
STP configuration task list ··································································································· 98
RSTP configuration task list ································································································· 99
PVST configuration task list ································································································· 99
MSTP configuration task list ······························································································ 100
Setting the spanning tree mode································································································· 101
Configuring an MST region ······································································································ 102
Configuring the root bridge or a secondary root bridge ··································································· 102
Configuring the device as the root bridge of a specific spanning tree ·········································· 103
Configuring the device as a secondary root bridge of a specific spanning tree ······························ 103
Configuring the device priority··································································································· 104
Configuring the maximum hops of an MST region ········································································· 104
Configuring the network diameter of a switched network································································· 105
Setting spanning tree timers ····································································································· 105
Configuration restrictions and guidelines ·············································································· 106
Configuration procedure ··································································································· 106
Setting the timeout factor ········································································································· 106
Configuring the BPDU transmission rate ····················································································· 107
Configuring edge ports ············································································································ 107
Configuration restrictions and guidelines ·············································································· 107
Configuration procedure ··································································································· 108
Configuring path costs of ports·································································································· 108
Specifying a standard for the device to use when it calculates the default path cost ······················· 108
Configuring path costs of ports ··························································································· 110
Configuration example ······································································································ 111
Configuring the port priority ······································································································ 111
Configuring the port link type ···································································································· 112

iii
 Configuration restrictions and guidelines ·············································································· 112
Configuration procedure ··································································································· 112
Configuring the mode a port uses to recognize and send MSTP frames ············································· 113
Enabling outputting port state transition information ······································································· 113
Enabling the spanning tree feature ···························································································· 114
Enabling the spanning tree feature in STP/RSTP/MSTP mode ·················································· 114
Enabling the spanning tree feature in PVST mode ·································································· 114
Performing mCheck ················································································································ 115
Configuration restrictions and guidelines ·············································································· 115
Performing mCheck globally ······························································································ 115
Performing mCheck in interface view ··················································································· 115
Disabling inconsistent PVID protection ······················································································· 115
Configuring Digest Snooping ···································································································· 116
Configuration restrictions and guidelines ·············································································· 116
Configuration procedure ··································································································· 117
Digest Snooping configuration example ··············································································· 117
Configuring No Agreement Check ····························································································· 118
Configuration prerequisites ································································································ 119
Configuration procedure ··································································································· 120
No Agreement Check configuration example ········································································· 120
Configuring TC Snooping········································································································· 120
Configuration restrictions and guidelines ·············································································· 121
Configuration procedure ··································································································· 121
Configuring protection features ································································································· 122
Configuring BPDU guard ··································································································· 122
Enabling root guard ········································································································· 123
Enabling loop guard ········································································································· 123
Configuring port role restriction ··························································································· 124
Configuring TC-BPDU transmission restriction ······································································· 124
Enabling TC-BPDU guard ································································································· 125
Enabling BPDU drop ········································································································ 125
Enabling PVST BPDU guard ······························································································ 126
Enabling the device to log events of detecting or receiving TC BPDUs ·············································· 126
Disabling the device from reactivating edge ports shut down by BPDU guard ····································· 126
Enabling SNMP notifications for new-root election and topology change events ·································· 127
Displaying and maintaining the spanning tree ·············································································· 127
Spanning tree configuration example ························································································· 128
MSTP configuration example ····························································································· 128
PVST configuration example ······························································································ 132
Configuring loop detection ······························································ 136
Overview ······························································································································ 136
Loop detection mechanism ································································································ 136
Loop detection interval ····································································································· 137
Loop protection actions ····································································································· 137
Port status auto recovery ·································································································· 137
Loop detection configuration task list ·························································································· 138
Enabling loop detection ··········································································································· 138
Enabling loop detection globally ························································································· 138
Enabling loop detection on a port ························································································ 138
Setting the loop protection action ······························································································· 139
Setting the global loop protection action ··············································································· 139
Setting the loop protection action on a Layer 2 Ethernet interface ·············································· 139
Setting the loop protection action on a Layer 2 aggregate interface ············································ 139
Setting the loop detection interval ······························································································ 139
Displaying and maintaining loop detection ··················································································· 140
Loop detection configuration example ························································································ 140
Network requirements ······································································································ 140
Configuration procedure ··································································································· 140
Verifying the configuration ································································································· 141

iv
Configuring VLANs ······································································· 143
Overview ······························································································································ 143
VLAN frame encapsulation ································································································ 143
Protocols and standards ··································································································· 144
Configuring a VLAN ················································································································ 144
Restrictions and guidelines ································································································ 144
Configuration procedure ··································································································· 144
Configuring VLAN interfaces ···································································································· 145
Configuring basic settings of a VLAN interface······································································· 145
Configuring port-based VLANs·································································································· 146
Introduction ···················································································································· 146
Assigning an access port to a VLAN ···················································································· 147
Assigning a trunk port to a VLAN ························································································ 148
Assigning a hybrid port to a VLAN ······················································································· 148
Configuring MAC-based VLANs ································································································ 149
Introduction ···················································································································· 149
General configuration restrictions and guidelines···································································· 152
Configuring static MAC-based VLAN assignment ··································································· 152
Configuring dynamic MAC-based VLAN assignment ······························································· 152
Configuring server-assigned MAC-based VLAN ····································································· 153
Configuring IP subnet-based VLANs ·························································································· 154
Configuring protocol-based VLANs ···························································································· 155
Configuring a VLAN group ······································································································· 156
Displaying and maintaining VLANs ···························································································· 156
VLAN configuration examples ··································································································· 157
Port-based VLAN configuration example ·············································································· 157
MAC-based VLAN configuration example ············································································· 158
IP subnet-based VLAN configuration example ······································································· 160
Protocol-based VLAN configuration example ········································································· 162
Configuring super VLANs ······························································· 166
Super VLAN configuration task list ····························································································· 166
Creating a sub-VLAN ·············································································································· 166
Configuring a super VLAN ······································································································· 166
Configuring a super VLAN interface ··························································································· 167
Displaying and maintaining super VLANs ···················································································· 167
Super VLAN configuration example ··························································································· 168
Network requirements ······································································································ 168
Configuration procedure ··································································································· 168
Verifying the configuration ································································································· 169
Configuring the private VLAN ·························································· 171
Configuration task list·············································································································· 171
Configuration restrictions and guidelines ····················································································· 172
Configuration procedure ·········································································································· 172
Displaying and maintaining the private VLAN ··············································································· 174
Private VLAN configuration examples ························································································· 174
Promiscuous port configuration example ·············································································· 174
Trunk promiscuous port configuration example ······································································ 177
Trunk promiscuous and trunk secondary port configuration example ·········································· 180
Secondary VLAN Layer 3 communication configuration example ··············································· 184
Configuring voice VLANs ······························································· 187
Overview ······························································································································ 187
Methods of identifying IP phones ······························································································· 187
Identifying IP phones through OUI addresses ········································································ 187
Automatically identifying IP phones through LLDP ·································································· 188
Advertising the voice VLAN information to IP phones ····································································· 188
IP phone access methods ········································································································ 188
Connecting the host and the IP phone in series ····································································· 188
Connecting the IP phone to the device ················································································· 189

v
 Voice VLAN assignment modes ································································································ 189
Automatic mode ·············································································································· 189
Manual mode ················································································································· 190
Cooperation of voice VLAN assignment modes and IP phones ················································· 190
Security mode and normal mode of voice VLANs ·········································································· 191
Voice VLAN configuration task list ····························································································· 192
Configuring the QoS priority settings for voice traffic ······································································ 192
Configuring a port to operate in automatic voice VLAN assignment mode ·········································· 193
Configuration restrictions and guidelines ·············································································· 193
Configuration procedure ··································································································· 193
Configuring a port to operate in manual voice VLAN assignment mode ············································· 194
Configuration restrictions and guidelines ·············································································· 194
Configuration procedure ··································································································· 194
Enabling LLDP for automatic IP phone discovery ·········································································· 195
Configuration restrictions and guidelines ·············································································· 195
Configuration procedure ··································································································· 195
Configuring LLDP to advertise a voice VLAN ··············································································· 195
Configuring CDP to advertise a voice VLAN ················································································ 196
Displaying and maintaining voice VLANs ···················································································· 196
Voice VLAN configuration examples ·························································································· 197
Automatic voice VLAN assignment mode configuration example ··············································· 197
Manual voice VLAN assignment mode configuration example ··················································· 199
Configuring MVRP ········································································ 201
MRP ··································································································································· 201
MRP implementation ········································································································ 201
MRP messages ·············································································································· 201
MRP timers ···················································································································· 203
MVRP registration modes ········································································································ 204
Protocols and standards ·········································································································· 204
MVRP configuration task list ····································································································· 204
Configuration restrictions and guidelines ····················································································· 204
Configuration prerequisites ······································································································ 205
Enabling MVRP ····················································································································· 205
Setting an MVRP registration mode ··························································································· 205
Setting MRP timers ················································································································ 206
Enabling GVRP compatibility ···································································································· 207
Displaying and maintaining MVRP ····························································································· 207
MVRP configuration example ··································································································· 207
Network requirements ······································································································ 207
Configuration procedure ··································································································· 208
Verifying the configuration ································································································· 211
Configuring QinQ ········································································· 217
Overview ······························································································································ 217
How QinQ works ············································································································· 217
QinQ implementations ······································································································ 218
Protocols and standards ··································································································· 219
Restrictions and guidelines ······································································································ 219
Enabling QinQ ······················································································································· 219
Configuring transparent transmission for VLANs ··········································································· 219
Configuring the TPID for VLAN tags ··························································································· 220
Configuring the TPID for CVLAN tags ·················································································· 221
Configuring the TPID for SVLAN tags ·················································································· 221
Setting the 802.1p priority in SVLAN tags ···················································································· 221
Displaying and maintaining QinQ······························································································· 223
QinQ configuration examples···································································································· 223
Basic QinQ configuration example ······················································································ 223
VLAN transparent transmission configuration example ···························································· 225
Configuring VLAN mapping ···························································· 227
Overview ······························································································································ 227

vi
 VLAN mapping application scenarios ··················································································· 227
VLAN mapping implementations ························································································· 229
VLAN mapping configuration task list ························································································· 232
Configuring one-to-one VLAN mapping ······················································································· 233
Configuring many-to-one VLAN mapping ···················································································· 233
Configuring many-to-one VLAN mapping in a network with dynamic IP address assignment ··········· 233
Configuring many-to-one VLAN mapping in a network with static IP address assignment ················ 236
Configuring one-to-two VLAN mapping ······················································································· 238
Configuring two-to-two VLAN mapping ······················································································· 239
Displaying and maintaining VLAN mapping ················································································· 239
VLAN mapping configuration examples ······················································································ 239
One-to-one and many-to-one VLAN mapping configuration example ·········································· 239
One-to-two and two-to-two VLAN mapping configuration example ············································· 245
Configuring LLDP ········································································· 248
Overview ······························································································································ 248
Basic concepts ··············································································································· 248
Working mechanism ········································································································ 253
Collaboration with Track ··································································································· 254
Protocols and standards ··································································································· 254
LLDP configuration task list ······································································································ 255
Performing basic LLDP configurations ························································································ 255
Enabling LLDP················································································································ 255
Setting the LLDP bridge mode ··························································································· 256
Setting the LLDP operating mode ······················································································· 256
Setting the LLDP reinitialization delay ·················································································· 257
Enabling LLDP polling ······································································································ 257
Configuring the advertisable TLVs ······················································································ 258
Configuring the management address and its encoding format ·················································· 260
Setting other LLDP parameters ·························································································· 262
Setting an encapsulation format for LLDP frames ··································································· 262
Disabling LLDP PVID inconsistency check ············································································ 263
Configuring CDP compatibility ·································································································· 263
Configuration prerequisites ································································································ 264
Configuration procedure ··································································································· 264
Configuring LLDP trapping and LLDP-MED trapping······································································ 265
Setting the source MAC address of LLDP frames to the MAC address of a Layer 3 Ethernet subinterface 266
Enabling the device to generate ARP or ND entries for received management address LLDP TLVs ········ 266
Displaying and maintaining LLDP ······························································································ 267
LLDP configuration examples ··································································································· 267
Basic LLDP configuration example ······················································································ 267
CDP-compatible LLDP configuration example ······································································· 271
Configuring L2PT ········································································· 274
Overview ······························································································································ 274
Background···················································································································· 274
L2PT operating mechanism ······························································································· 275
L2PT configuration task list ······································································································ 276
Enabling L2PT ······················································································································ 276
Restrictions and guidelines ································································································ 276
Enabling L2PT for a protocol ······························································································ 276
Setting the destination multicast MAC address for tunneled packets ················································· 277
Displaying and maintaining L2PT ······························································································ 277
L2PT configuration examples ··································································································· 278
Configuring L2PT for STP ································································································· 278
Configuring L2PT for LACP ······························································································· 279
Configuring service loopback groups ················································ 283
Configuration procedure ·········································································································· 283
Displaying and maintaining service loopback groups ····································································· 284
Service loopback group configuration example ············································································· 284
Network requirements ······································································································ 284

vii
 Configuration procedure ··································································································· 284
Document conventions and icons ···················································· 285
Conventions ························································································································· 285
Network topology icons ··········································································································· 286
Support and other resources ·························································· 287
Accessing Hewlett Packard Enterprise Support ············································································ 287
Accessing updates ················································································································· 287
Websites ······················································································································· 288
Customer self repair ········································································································· 288
Remote support ·············································································································· 288
Documentation feedback ·································································································· 288
Index ························································································· 290

viii
Configuring Ethernet interfaces
The Switch Series supports Ethernet interfaces, management Ethernet interfaces, Console
interfaces, and USB interfaces. For the interface types and the number of interfaces supported by a
switch model, see the installation guide.
This chapter describes how to configure management Ethernet interfaces and Ethernet interfaces.

Ethernet interface naming conventions

The Ethernet interfaces are named in the format of interface type A/B/C. The letters that follow the
interface type represent the following elements:
• A—IRF member ID. If the switch is not in an IRF fabric, A is 1 by default.
• B—Card slot number. 0 indicates the interface is a fixed interface of the switch. 1 indicates the
interface is on expansion interface-card 1. 2 indicates the interface is on expansion
interface-card 2.
• C—Port index.
A 10-GE breakout interface split from a 40-GE interface is named in the format of interface type
A/B/C:D. A/B/C is the interface number of the 40-GE interface and D is the number of the 10-GE
interface, which is in the range of 1 to 4. For information about splitting a 40-GE interface, see
"Splitting a 40-GE interface and combining 10-GE breakout interfaces."

Configuring a management Ethernet interface

A management interface uses an RJ-45 connector. You can connect the interface to a PC for
software loading and system debugging, or connect it to a remote NMS for remote system
management.
To configure a management Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enter management interface

Ethernet interface view. M-GigabitEthernet N/A
interface-number
3. (Optional.) Set the The default setting is
interface description. description text
M-GigabitEthernet0/0/0 Interface.
4. (Optional.) Shut down By default, the management Ethernet
the interface. shutdown
interface is up.

Configuring common Ethernet interface settings

This section describes the settings common to Layer 2 Ethernet interfaces, Layer 3 Ethernet
interfaces, and Layer 3 Ethernet subinterfaces. For more information about the settings specific to
Layer 2 Ethernet interfaces or subinterfaces, see "Configuring a Layer 2 Ethernet interface." For
more information about the settings specific to Layer 3 Ethernet interfaces or subinterfaces, see
"Configuring a Layer 3 Ethernet interface or subinterface."

1
Configuring a combo interface (single combo interface)
A combo interface is a logical interface that physically comprises one fiber combo port and one
copper combo port. The two ports share one forwarding channel and one interface view. As a result,
they cannot work simultaneously. When you activate one port, the other port is automatically
disabled. In the interface view, you can activate the fiber or copper combo port, and configure other
port attributes such as the interface rate and duplex mode.
Configuration prerequisites
Before you configure combo interfaces, complete the following tasks:
• Determine the combo interfaces on your device. Identify the two physical interfaces that belong
to each combo interface according to the marks on the device panel.
• Use the display interface command to determine which port (fiber or copper) of each combo
interface is active:
 If the copper port is active, the output includes "Media type is twisted pair, Port hardware
type is 1000_BASE_T."
 If the fiber port is active, the output does not include this information.
Also, you can use the display this command in the view of each combo interface to display the
combo interface configuration:
 If the fiber port is active, the combo enable fiber command exists in the output.
 If the copper port is active, the combo enable fiber command does not exist in the output.
Changing the active port of a combo interface

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Activate the copper combo By default, the copper combo port
port or fiber combo port. combo enable { copper | fiber }
is active.

Splitting a 40-GE interface and combining 10-GE breakout

interfaces
Splitting a 40-GE interface into four 10-GE breakout interfaces
You can use a 40-GE interface as a single interface. To improve port density, reduce costs, and
improve network flexibility, you can also split a 40-GE interface into four 10-GE breakout interfaces.
For example, you can split 40-GE interface FortyGigE 1/0/1 into four 10-GE breakout interfaces
Ten-GigabitEthernet 1/0/1:1 through Ten-GigabitEthernet 1/0/1:4.
After you configure this feature on a 40-GE interface, the system deletes the 40-GE interface and
creates the four 10-GE breakout interfaces.
To split a 40-GE interface into four 10-GE breakout interfaces:

Step Command Remarks

1. Enter system view. system-view N/A

Enter 40-GE interface view. interface interface-type

2. N/A
interface-number

2
 Step Command Remarks
By default, a 40-GE interface is not
split and operates as a single
interface.
3. Split the 40-GE interface into
four 10-GE breakout using tengige The 10-GE breakout interfaces
interfaces. support the same configuration and
attributes as common 10-GE
interfaces, except that they are
numbered differently.

Combining four 10-GE breakout interfaces into a 40-GE interface

If you need higher bandwidth on a single interface, you can combine the four 10-GE breakout
interfaces into a 40-GE interface.
After you configure this feature on a 10-GE breakout interface, the system deletes the four 10-GE
breakout interfaces and creates the 40-GE interface.
To combine four 10-GE breakout interfaces into a 40-GE interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter the view of any 10-GE interface interface-type
breakout interface. N/A
interface-number
3. Combine the four 10-GE By default, a 10-GE breakout
breakout interfaces into a using fortygige interface operates as a single
40-GE interface. interface.

Configuring basic settings of an Ethernet interface or

subinterface
You can configure an Ethernet interface to operate in one of the following duplex modes:
• Full-duplex mode—The interface can send and receive packets simultaneously.
• Half-duplex mode—The interface can only send or receive packets at a given time.
• Autonegotiation mode—The interface negotiates a duplex mode with its peer.
You can set the speed of an Ethernet interface or enable it to automatically negotiate a speed with its
peer.
Configuring an Ethernet interface

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number

3. Set the description for The default setting is interface-name

the Ethernet interface. description text Interface. For example,
GigabitEthernet1/0/1 Interface.
By default, the duplex mode is auto for
4. Set the duplex mode for Ethernet interfaces.
the Ethernet interface. duplex { auto | full | half }
Copper ports operating at 1000 Mbps or
10 Gbps and fiber ports do not support the

3
 Step Command Remarks
half keyword.
The default setting is auto for Ethernet
interfaces.
5. Set the speed for the speed { 10 | 100 | 1000 |
Ethernet interface. 10000 | 40000 | auto } Support for the keywords depends on the
interface type. For more information, use
the speed ? command in interface view.
6. Set the expected By default, the expected bandwidth (in
bandwidth for the bandwidth bandwidth-value kbps) is the interface baud rate divided by
Ethernet interface. 1000.
7. Restore the default
settings for the Ethernet default N/A
interface.
By default, Ethernet interfaces are in up
state.

8. Bring up the Ethernet The shutdown and port up-mode

interface. undo shutdown commands are exclusive with each other.
The shutdown command cannot be
configured on an interface in a loopback
test.

Configuring an Ethernet subinterface

Step Command Remarks

1. Enter system view. system-view N/A
2. Create an Ethernet interface interface-type
subinterface. N/A
interface-number.subnumber
The default setting is
3. Set the description for the interface-name Interface. For
Ethernet subinterface. description text
example, GigabitEthernet1/0/1.1
Interface.
4. Restore the default settings
for the Ethernet subinterface. default N/A

By default, the expected

5. Set the expected bandwidth bandwidth (in kbps) is the
for the Ethernet subinterface. bandwidth bandwidth-value
interface baud rate divided by
1000.
By default, Ethernet subinterfaces
are in up state.
The shutdown and port
6. Bring up the Ethernet up-mode commands are
subinterface. undo shutdown
exclusive with each other.
The shutdown command cannot
be configured on an interface in a
loopback test.

4
Configuring the link mode of an Ethernet interface
CAUTION:
After you change the link mode of an Ethernet interface, all commands (except the shutdown and
combo enable commands) on the Ethernet interface are restored to their defaults in the new link
mode.

The interfaces on this Switch Series can operate either as Layer 2 or Layer 3 Ethernet interfaces.
You can set the link mode to bridge or route.
To configure the link mode of an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Configure the link mode of By default, Ethernet interfaces
the Ethernet interface. port link-mode { bridge | route }
operate in bridge mode.

Configuring jumbo frame support

An Ethernet interface might receive frames larger than the standard Ethernet frame size during
high-throughput data exchanges, such as file transfers. These frames are called jumbo frames.
The Ethernet interface processes jumbo frames in the following ways:
• When the Ethernet interface is configured to deny jumbo frames, the Ethernet interface
discards jumbo frames.
• When the Ethernet interface is configured with jumbo frame support, the Ethernet interface
performs the following operations:
 Processes jumbo frames within the specified length.
 Discards jumbo frames that exceed the specified length.
To configure jumbo frame support in interface view:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number

3. Configure jumbo frame By default, the switch allows jumbo

support. jumboframe enable [ size ] frames within 12288 bytes to pass
through all Ethernet interfaces.

5
Configuring physical state change suppression on an
Ethernet interface
IMPORTANT:
Do not enable this feature on an interface that has RRPP, spanning tree protocols, or Smart Link
enabled.

The physical link state of an Ethernet interface is either up or down. Each time the physical link of an
interface comes up or goes down, the interface immediately reports the change to the CPU. The
CPU then performs the following operations:
• Notifies the upper-layer protocol modules (such as routing and forwarding modules) of the
change for guiding packet forwarding.
• Automatically generates traps and logs to inform users to take the correct actions.
To prevent frequent physical link flapping from affecting system performance, configure physical
state change suppression. You can configure this feature to suppress only link-down events, only
link-up events, or both. If an event of the specified type still exists when the suppression interval
expires, the system reports the event.
When you configure this feature, follow these guidelines:
• To suppress only link-down events, configure the link-delay [ msec ] delay-time command.
• To suppress only link-up events, configure the link-delay [ msec ] delay-time mode up
command.
• To suppress both link-down and link-up events, configure the link-delay [ msec ] delay-time
mode updown command.
To configure physical state change suppression on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface-type
interface view. N/A
interface-number
By default, the link-down or link-up event is
3. Configure physical link-delay [ msec ] immediately reported to the CPU.
state change delay-time [ mode { up | If you configure this command multiple times on
suppression. updown } ] an Ethernet interface, the most recent
configuration takes effect.

Configuring dampening on an Ethernet interface

The interface dampening feature uses an exponential decay mechanism to prevent excessive
interface flapping events from adversely affecting routing protocols and routing tables in the network.
Suppressing interface state change events protects the system resources.
If an interface is not dampened, its state changes are reported. For each state change, the system
also generates an SNMP trap and log message.
After a flapping interface is dampened, it does not report its state changes to the CPU. For state
change events, the interface only generates SNMP trap and log messages.
Parameters
• Penalty—The interface has an initial penalty of 0. When the interface flaps, the penalty
increases by 1000 for each down event until the ceiling is reached. It does not increase for up

6
 events. When the interface stops flapping, the penalty decreases by half each time the half-life
timer expires until the penalty drops to the reuse threshold.
• Ceiling—The penalty stops increasing when it reaches the ceiling.
• Suppress-limit—The accumulated penalty that triggers the device to dampen the interface. In
dampened state, the interface does not report its state changes to the CPU. For state change
events, the interface only generates SNMP traps and log messages.
• Reuse-limit—When the accumulated penalty decreases to this reuse threshold, the interface is
not dampened. Interface state changes are reported to the upper layers. For each state
change, the system also generates an SNMP trap and log message.
• Decay—The amount of time (in seconds) after which a penalty is decreased.
• Max-suppress-time—The maximum amount of time the interface can be dampened. If the
penalty is still higher than the reuse threshold when this timer expires, the penalty stops
increasing for down events. The penalty starts to decrease until it drops below the reuse
threshold.
The ceiling is equal to 2(Max-suppress-time/Decay) × reuse-limit. It is not user configurable.
Figure 1 shows the change rule of the penalty value. The lines t0 and t2 indicate the start time and
end time of the suppression, respectively. The period from t0 to t2 indicates the suppression period, t0
to t1 indicates the max-suppress-time, and t1 to t2 indicates the complete decay period.
Figure 1 Change rule of the penalty value
Penalty

t0 t1 t2

Ceiling

Suppress limit

Reuse limit

Time

Not suppressed Suppressed Not suppressed

Configuration restrictions and guidelines

When you configure dampening on an Ethernet interface, follow these restrictions and guidelines:
• The dampening command and the link-delay command cannot be configured together on an
interface.
• The dampening command does not take effect on the administratively down events. When you
execute the shutdown command, the penalty restores to 0, and the interface reports the down
event to the upper-layer protocols.
• Do not enable the dampening feature on an interface with RRPP, MSTP, or Smart Link enabled.

7
Configuration procedure
To configure dampening on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface-type
interface view. N/A
interface-number

3. Enable dampening on dampening [ half-life reuse By default, interface dampening is

the interface. suppress max-suppress-time ] disabled on Ethernet interfaces.

Enabling loopback testing on an Ethernet interface

CAUTION:
After you enable this feature on an Ethernet interface, the interface cannot forward data traffic
correctly.

Perform this task to determine whether an Ethernet link works correctly.

Loopback testing includes the following types:
• Internal loopback testing—Tests the device where the Ethernet interface resides. The
Ethernet interface sends outgoing packets back to the local device. If the device fails to receive
the packets, the device fails.
• External loopback testing—Tests the inter-device link. The Ethernet interface sends incoming
packets back to the remote device. If the remote device fails to receive the packets, the
inter-device link fails.
Configuration restrictions and guidelines
• On an administratively shut down Ethernet interface (displayed as in ADM or Administratively
DOWN state), you cannot perform an internal or external loopback test.
• The speed, duplex, mdix-mode, and shutdown commands are not available during a
loopback test.
• A loopback test cannot be performed on an interface configured with the port up-mode
command.
• During a loopback test, the Ethernet interface operates in full duplex mode. When a loopback
test is complete, the port returns to its duplex setting.
Configuration procedure
To enable loopback testing on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number

Enable loopback testing. By default, no loopback test is

3. loopback { external | internal }
performed.

8
Configuring generic flow control on an Ethernet interface
To avoid dropping packets on a link, you can enable generic flow control at both ends of the link.
When traffic congestion occurs at the receiving end, the receiving end sends a flow control (Pause)
frame to ask the sending end to suspend sending packets. Generic flow control includes the
following types:
• TxRx-mode generic flow control—Enabled by using the flow-control command. With
TxRx-mode generic flow control enabled, an interface can both send and receive flow control
frames:
 When congestion occurs, the interface sends a flow control frame to its peer.
 When the interface receives a flow control frame from its peer, it suspends sending packets
to its peer.
• Rx-mode generic flow control—Enabled by using the flow-control receive enable
command. With Rx-mode generic flow control enabled, an interface can receive flow control
frames, but it cannot send flow control frames:
 When congestion occurs, the interface cannot send flow control frames to its peer.
 When the interface receives a flow control frame from its peer, it suspends sending packets
to its peer.
To handle unidirectional traffic congestion on a link, configure the flow-control receive enable
command at one end and the flow-control command at the other end. To enable both ends of a link
to handle traffic congestion, configure the flow-control command at both ends.
To enable generic flow control on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
• Enable TxRx-mode
generic flow control:
flow-control
3. Enable generic flow By default, generic flow control is
control. • Enable Rx-mode generic
disabled on an Ethernet interface.
flow control:
flow-control receive
enable

Enabling energy saving features on an Ethernet interface

IMPORTANT:
Fiber ports do not support these features.

Enabling auto power-down on an Ethernet interface

When an Ethernet interface with auto power-down enabled has been down for a certain period of
time, both of the following events occur:
• The device automatically stops supplying power to the Ethernet interface.
• The Ethernet interface enters the power save mode.
The time period depends on the chip specifications and is not configurable.
When the Ethernet interface comes up, both of the following events occur:
• The device automatically restores power supply to the Ethernet interface.

9
 • The Ethernet interface restores to its normal state.
To enable auto power-down on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Enable auto power-down on By default, auto power-down is
the Ethernet interface. port auto-power-down
disabled on an Ethernet interface.

Enabling EEE on an Ethernet interface

With Energy Efficient Ethernet (EEE) enabled, a link-up interface enters low power state if it has not
received any packet for a period of time. The time period depends on the chip specifications and is
not configurable. When a packet arrives later, the device automatically restores power supply to the
interface and the interface restores to the normal state.
To enable EEE on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Enable EEE on the By default, EEE is disabled on
Ethernet interface. eee enable
an Ethernet interface.

Setting the statistics polling interval

Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Set the statistics polling
interval for the Ethernet By default, the statistics polling
flow-interval interval
interface. interval is 300 seconds.

To display the interface statistics collected in the last statistics polling interval, use the display
interface command.

Enabling automatic negotiation for speed downgrading

Perform this task to enable interfaces at two ends of a link to automatically negotiate about
downgrading their speed when the following conditions exist:
• The interfaces automatically negotiate a speed of 1000 Mbps.
• The interfaces cannot operate at 1000 Mbps because of link restrictions.
To enable automatic negotiation for speed downgrading:

10
 Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Enable automatic By default, automatic negotiation
negotiation for speed speed auto downgrade for speed downgrading is
downgrading. enabled.

Configuring the interface card operating mode

IMPORTANT:
This feature is applicable only to HPE 5510 24G 4SFP+ HI 1-slot Switch (JH145A) and HPE 5510
48G PoE+ 4SFP+ HI 1-slot Switch (JH148A) switches.

An interface card can operate in one of the following operating modes:

• 0—All interfaces on the interface card are not available, and interfaces GigabitEthernet 1/0/41
through GigabitEthernet 1/0/48 on the front panel are available.
• 1—Interfaces numbered 5 through 8 on the interface card are not available, and the following
interfaces are available:
 Interfaces numbered 1 through 4 on the interface card.
 Interfaces GigabitEthernet 1/0/41 through GigabitEthernet 1/0/48 on the front panel.
• 2—Interfaces GigabitEthernet 1/0/41 through GigabitEthernet 1/0/48 on the front panel are not
available, and all interfaces on the interface card are available.
For HPE 5510 24G 4SFP+ HI 1-slot Switch and HPE 5510 48G PoE+ 4SFP+ HI 1-slot Switch
switches, the operating modes supported by the interface cards are as shown in Table 1.
Table 1 Operating modes supported by interface cards

Interface card Supported operating modes Remarks

The operating modes take effect
HPE 5510 2-port QSFP+ Module only on 10-GE breakout
0 and 2.
(JH155A) interfaces split from a QSFP+
interface.

After you configure the interface card operating mode, reboot the switch to make the configuration
take effect.
You can view the interface card operating mode information by using the display
port-configuration-mode status command.
To configure the interface card operating mode:

Step Command Remarks

1. Enter system view. system-view N/A
2. Configure the interface port-configuration-mode slot By default, the operating mode of the
card operating mode. slot-number { 0 | 1 | 2 } interface card is 0.

11
Configuring a Layer 2 Ethernet interface
Configuring storm suppression
The storm suppression feature ensures that the size of a particular type of traffic (broadcast,
multicast, or unknown unicast traffic) does not exceed the threshold on an interface. When the
broadcast, multicast, or unknown unicast traffic on the interface exceeds this threshold, the system
discards packets until the traffic drops below this threshold.
Both storm suppression and storm control can suppress storms on an interface. Storm suppression
uses the chip to suppress traffic. Storm suppression has less impact on the device performance than
storm control, which uses software to suppress traffic.
Configuration restrictions and guidelines
When you configure storm suppression, follow these restrictions and guidelines:
• For the traffic suppression result to be determined, do not configure storm control together with
storm suppression for the same type of traffic. For more information about storm control, see
"Configuring storm control on an Ethernet interface."
• When you configure the suppression threshold in kbps, the actual suppression threshold might
be different from the configured one as follows:
 If the configured value is smaller than 64, the value of 64 takes effect.
 If the configured value is greater than 64 but not an integer multiple of 64, the integer
multiple of 64 that is greater than and closest to the configured value takes effect.
For the suppression threshold that takes effect, see the prompt on the device.
Configuration procedure
To set storm suppression thresholds on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Enable broadcast
suppression and set the broadcast-suppression { ratio | By default, broadcast suppression
broadcast suppression pps max-pps | kbps max-kbps } is disabled.
threshold.
4. Enable multicast
suppression and set the multicast-suppression { ratio |
By default, multicast suppression
multicast suppression pps max-pps | kbps max-kbps }
is disabled.
threshold. [ unknown ]

5. Enable unknown unicast

suppression and set the unicast-suppression { ratio | pps By default, unknown unicast
unknown unicast max-pps | kbps max-kbps } suppression is disabled.
suppression threshold.

Configuring storm control on an Ethernet interface

About storm control
Storm control compares broadcast, known unicast, multicast, and unknown unicast traffic regularly
with their respective traffic thresholds on an Ethernet interface. For each type of traffic, storm control
provides a lower threshold and an upper threshold.

12
 Depending on your configuration, when a particular type of traffic exceeds its upper threshold, the
interface performs either of the following operations:
• Blocks this type of traffic and forwards other types of traffic—Even though the interface
does not forward the blocked traffic, it still counts the traffic. When the blocked traffic drops
below the lower threshold, the interface begins to forward the traffic.
• Goes down automatically—The interface goes down automatically and stops forwarding any
traffic. When the blocked traffic drops below the lower threshold, the interface does not
automatically come up. To bring up the interface, use the undo shutdown command or disable
the storm control feature.
You can configure an Ethernet interface to output threshold event traps and log messages when
monitored traffic meets one of the following conditions:
• Exceeds the upper threshold.
• Drops below the lower threshold.
Both storm suppression and storm control can suppress storms on an interface. Storm suppression
uses the chip to suppress traffic. Storm suppression has less impact on the device performance than
storm control, which uses software to suppress traffic.
Storm control uses a complete polling cycle to collect traffic data, and analyzes the data in the next
cycle. An interface takes one to two polling intervals to take a storm control action.
Configuration restrictions and guidelines
For the traffic suppression result to be determined, do not configure storm control together with storm
suppression for the same type of traffic. For more information about storm suppression, see
"Configuring storm suppression."
Configuration procedure
To configure storm control on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
The default setting is 10 seconds.
2. (Optional.) Set the statistics
polling interval of the storm storm-constrain interval interval For network stability, use the
control module. default or set a longer statistics
polling interval.
3. Enter Ethernet interface interface interface-type
view. N/A
interface-number
4. (Optional.) Enable storm
control, and set the lower storm-constrain { broadcast |
and upper thresholds for known-unicast | multicast | By default, storm control is
broadcast, multicast, or unicast } { pps | kbps | ratio } disabled.
unknown unicast traffic. max-pps-values min-pps-values

5. Set the control action to take

when monitored traffic storm-constrain control { block By default, storm control is
exceeds the upper | shutdown } disabled.
threshold.
6. (Optional.) Enable the By default, the Ethernet interface
Ethernet interface to output outputs log messages when
log messages when it storm-constrain enable log monitored traffic exceeds the
detects storm control upper threshold or drops below
threshold events. the lower threshold.
7. (Optional.) Enable the By default, the Ethernet interface
Ethernet interface to send sends traps when monitored
storm control threshold storm-constrain enable trap
traffic exceeds the upper
event traps. threshold or drops below the

13
 Step Command Remarks
lower threshold from the upper
threshold.

Forcibly bringing up a fiber port

IMPORTANT:
Copper ports do not support this feature.

As shown in Figure 2, a fiber port uses separate fibers for transmitting and receiving packets. The
physical state of the fiber port is up only when both transmit and receive fibers are physically
connected. If one of the fibers is disconnected, the fiber port does not work.
To enable a fiber port to forward traffic over a single link, you can use the port up-mode command.
This command forcibly brings up a fiber port, even when no fiber links or transceiver modules are
present for the fiber port. When one fiber link is present and up, the fiber port can forward packets
over the link unidirectionally.
Figure 2 Forcibly bring up a fiber port
When Ethernet interfaces
Correct fiber When Ethernet interfaces
cannot be or are not forcibly
connection are forcibly brought up
brought up

Device A Device A Device A

Device B Device B Device B

Fiber port Tx end Rx end Fiber link The fiber is disconnected.

Packets The interface is down.

Configuration restrictions and guidelines

When you forcibly bring up a fiber port, follow these restrictions and guidelines:
• The shutdown and port up-mode commands are exclusive with each other.
• The following operations on a fiber port will cause link updown events before the port finally
stays up:
 Configure both the port up-mode command and the speed or duplex command.
 Install or remove fiber links or transceiver modules after you forcibly bring up the fiber port.

14
 • A GE fiber port forcibly brought up cannot correctly forward traffic if it is installed with a
fiber-to-copper converter, 100/1000-Mbps transceiver module, or 100-Mbps transceiver
module. To solve the problem, use the undo port up-mode command on the fiber port.
Configuration procedure
To forcibly bring up a fiber port:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enter Ethernet interface interface interface-type

view. N/A
interface-number

By default, a fiber port is not forcibly

3. Forcibly bring up the fiber brought up, and the physical state of a
port. port up-mode
fiber port depends on the physical state
of the fibers.

Setting the MDIX mode of an Ethernet interface

IMPORTANT:
Fiber ports do not support the MDIX mode setting.

A physical Ethernet interface has eight pins, each of which plays a dedicated role. For example, pins
1 and 2 transmit signals, and pins 3 and 6 receive signals. You can use both crossover and
straight-through Ethernet cables to connect copper Ethernet interfaces. To accommodate these
types of cables, a copper Ethernet interface can operate in one of the following Medium Dependent
Interface-Crossover (MDIX) modes:
• MDIX mode—Pins 1 and 2 are receive pins and pins 3 and 6 are transmit pins.
• MDI mode—Pins 1 and 2 are transmit pins and pins 3 and 6 are receive pins.
• AutoMDIX mode—The interface negotiates pin roles with its peer.

NOTE:
This feature does not take effect on pins 4, 5, 7, and 8 of physical Ethernet interfaces.
• Pins 4, 5, 7, and 8 of interfaces operating at 10 Mbps or 100 Mbps do not receive or transmit
signals.
• Pins 4, 5, 7, and 8 of interfaces operating at 1000 Mbps or higher rates receive and transmit
signals.

To enable a copper Ethernet interface to communicate with its peer, set the MDIX mode of the
interface by following these guidelines:
• Typically, set the MDIX mode of the interface to AutoMDIX. Set the MDIX mode of the interface
to MDI or MDIX only when the device cannot determine the cable type.
• When a straight-through cable is used, configure the interface to operate in an MDIX mode
different than its peer.
• When a crossover cable is used, perform one of the following tasks:
 Configure the interface to operate in the same MDIX mode as its peer.
 Configure either end to operate in AutoMDIX mode.
To set the MDIX mode of an Ethernet interface:

15
 Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
By default, a copper Ethernet
interface operates in auto mode to
3. Set the MDIX mode of the mdix-mode { automdix | mdi | negotiate pin roles with its peer.
Ethernet interface. mdix }
10-GE interfaces support only the
automdix mode.

Testing the cable connection of an Ethernet interface

IMPORTANT:
If the link of an Ethernet interface is up, testing its cable connection will cause the link to go down
and then come up.

NOTE:
Fiber ports do not support this feature.

This feature tests the cable connection of an Ethernet interface and displays cable test result within 5
seconds. The test result includes the cable's status and some physical parameters. If any fault is
detected, the test result shows the length from the local port to the faulty point.
To test the cable connection of an Ethernet interface:

Step Command
1. Enter system view. system-view
2. Enter Ethernet interface view. interface interface-type interface-number
3. Perform a test for the cable connected to the
Ethernet interface. virtual-cable-test

Enabling bridging on an Ethernet interface

By default, the device drops packets whose outgoing interface and incoming interface are the same.
To enable the device to forward such packets rather than drop them, enable the bridging feature in
Ethernet interface view.
To enable bridging on an Ethernet interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type
view. N/A
interface-number
3. Enable bridging on the By default, bridging is disabled on
Ethernet interface. port bridge enable
an Ethernet interface.

16
Configuring a Layer 3 Ethernet interface or
subinterface
Setting the MTU for an Ethernet interface or subinterface
The maximum transmission unit (MTU) of an Ethernet interface affects the fragmentation and
reassembly of IP packets on the interface. Typically, you do not need to modify the MTU of an
interface.
To set the MTU for an Ethernet interface or subinterface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Ethernet interface interface interface-type { interface-number |
or subinterface view. N/A
interface-number.subnumber }
3. Set the MTU of the
Ethernet interface or The default setting is 1500
mtu size
subinterface. bytes.

Displaying and maintaining an Ethernet interface

or subinterface
Execute display commands in any view and reset commands in user view.

Task Command
display counters { inbound | outbound } interface
Display interface traffic statistics. [ interface-type [ interface-number |
interface-number.subnumber ] ]
Display traffic rate statistics of interfaces display counters rate { inbound | outbound } interface
in up state over the last statistics polling [ interface-type [ interface-number |
interval. interface-number.subnumber ] ]
Display the operational and status display interface [ interface-type [ interface-number |
information of the specified interfaces. interface-number.subnumber ] ] [ brief [ description | down ] ]
display packet-drop { interface [ interface-type
Display information about dropped
[ interface-number | interface-number.subnumber ] ] |
packets on the specified interfaces.
summary }
display storm-constrain [ broadcast | known-unicast |
Display information about storm control
multicast | unicast ] [ interface interface-type
on the specified interfaces.
interface-number ]
Display interface card operating mode
information. (Applicable only to HPE
5510 48G 4SFP+ HI 1-slot Switch and display port-configuration-mode status
HPE 5510 48G PoE+ 4SFP+ HI 1-slot
Switch switches.)
Display the Ethernet module statistics. display ethernet statistics slot slot-number
reset counters interface [ interface-type [ interface-number |
Clear interface or subinterface statistics.
interface-number.subnumber ] ]

17
Task Command
Clear the statistics of dropped packets reset packet-drop interface [ interface-type [ interface-number
on the specified interfaces. | interface-number.subnumber ] ]
Clear the Ethernet module statistics. reset ethernet statistics [ slot slot-number ]

18
Configuring loopback, null, and
inloopback interfaces
This chapter describes how to configure a loopback interface, a null interface, and an inloopback
interface.

Configuring a loopback interface

A loopback interface is a virtual interface. The physical layer state of a loopback interface is always
up unless the loopback interface is manually shut down. Because of this benefit, loopback interfaces
are widely used in the following scenarios:
• Configuring a loopback interface address as the source address of the IP packets that
the device generates—Because loopback interface addresses are stable unicast addresses,
they are usually used as device identifications.
 When you configure a rule on an authentication or security server to permit or deny packets
that a device generates, you can simplify the rule by configuring it to permit or deny packets
carrying the loopback interface address that identifies the device.
 When you use a loopback interface address as the source address of IP packets, make
sure the route from the loopback interface to the peer is reachable by performing routing
configuration. All data packets sent to the loopback interface are considered packets sent to
the device itself, so the device does not forward these packets.
• Using a loopback interface in dynamic routing protocols—With no router ID configured for
a dynamic routing protocol, the system selects the highest loopback interface IP address as the
router ID. In BGP, to avoid interruption of BGP sessions due to physical port failure, you can use
a loopback interface as the source interface of BGP packets.
To configure a loopback interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a loopback interface
and enter loopback interface interface loopback
N/A
view. interface-number

3. Configure the interface The default setting is interface name

description. description text Interface (for example, LoopBack1
Interface).
4. Configure the expected
bandwidth of the loopback By default, the expected bandwidth
bandwidth bandwidth-value
interface. of a loopback interface is 0 kbps.

5. Restore the default settings

for the loopback interface. default N/A

6. Bring up the loopback By default, a loopback interface is

interface. undo shutdown
up.

Configuring a null interface

A null interface is a virtual interface and is always up, but you cannot use it to forward data packets or
configure it with an IP address or link layer protocol. The null interface provides a simpler way to filter
packets than ACL. You can filter undesired traffic by transmitting it to a null interface instead of

19
 applying an ACL. For example, if you specify a null interface as the next hop of a static route to a
network segment, any packets routed to the network segment are dropped.
To configure a null interface:

Step Command Remarks

1. Enter system view. system-view N/A
Interface Null 0 is the default null
interface on the device and cannot
be manually created or removed.
2. Enter null interface view. interface null 0
Only one null interface, Null 0, is
supported on the device. The null
interface number is always 0.
3. Configure the interface The default setting is NULL0
description. description text
Interface.
4. Restore the default settings
for the null interface. default N/A

Configuring an inloopback interface

An inloopback interface is a virtual interface created by the system, which cannot be configured or
deleted. The physical layer and link layer protocol states of an inloopback interface are always up. All
IP packets sent to an inloopback interface are considered packets sent to the device itself and are
not forwarded.

Displaying and maintaining loopback, null, and

inloopback interfaces
Execute display commands in any view and reset commands in user view.

Task Command
Display information about the specified or all display interface loopback [ interface-number ] [ brief
loopback interfaces. [ description | down ] ]
display interface null [ 0 ] [ brief [ description |
Display information about the null interface.
down ] ]
Display information about the inloopback display interface inloopback [ 0 ] [ brief [ description
interface. | down ] ]
Clear the statistics on the specified or all reset counters interface loopback
loopback interfaces. [ interface-number ]
Clear the statistics on the null interface. reset counters interface null [ 0 ]

20
Bulk configuring interfaces
You can enter interface range view to bulk configure multiple interfaces with the same feature instead
of configuring them one by one. For example, you can execute the shutdown command in interface
range view to shut down a range of interfaces.

Configuration restrictions and guidelines

When you bulk configure interfaces in interface range view, follow these restrictions and guidelines:
• In interface range view, only commands supported by the first interface in the specified interface
list are available for configuration.
• Before you configure an interface as the first interface in an interface range, make sure you can
enter the view of the interface by using the interface interface-type { interface-number |
interface-number.subnumber } command.
• Do not assign both an aggregate interface and any of its member interfaces to an interface
range. Some commands, after being executed on both an aggregate interface and its member
interfaces, can break up the aggregation.
• Understand that the more interfaces you specify in an interface range, the longer the command
execution time.
• To guarantee bulk interface configuration performance, configure fewer than 1000 interface
range names.
• After a command is executed in interface range view, one of the following situations might
occur:
 The system displays an error message and stays in interface range view. This means that
the execution failed on one or multiple member interfaces.
− If the execution failed on the first member interface, the command is not executed on
any member interfaces.
− If the execution failed on a non-first member interface, the command takes effect on the
remaining member interfaces.
 The system returns to system view. This means that:
− The command is supported in both system view and interface view.
− The execution failed on a member interface in interface range view and succeeded in
system view.
− The command is not executed on the subsequent member interfaces.
You can use the display this command to verify the configuration in interface view of each
member interface. In addition, if the configuration in system view is not needed, use the
undo form of the command to remove the configuration.

Configuration procedure
Step Command Remarks
1. Enter system view. system-view N/A

21
 Step Command Remarks
• interface range
{ interface-type
interface-number [ to
interface-type By using the interface range name
interface-number ] } &<1-24> command, you assign a name to an
2. Enter interface range
view. • interface range name name interface range and can specify this
[ interface { interface-type name rather than the interface range
interface-number [ to to enter the interface range view.
interface-type
interface-number ] }
&<1-24> ]
3. (Optional.) Display
commands available for Enter a question mark (?) at the
the first interface in the N/A
interface range prompt.
interface range.

4. Use available
commands to configure Available commands depend on
N/A
the interfaces. the interface.

5. (Optional.) Verify the

configuration. display this N/A

Displaying and maintaining bulk interface

configuration
Execute the display command in any view.

Task Command
Display information about the interface ranges
created by using the interface range name display interface range [ name name ]
command.

22
Configuring the MAC address table
Overview
An Ethernet device uses a MAC address table to forward frames. A MAC address entry includes a
destination MAC address, an outgoing interface, and a VLAN ID. When the device receives a frame,
it uses the destination MAC address of the frame to look for a match in the MAC address table.
• The device forwards the frame out of the outgoing interface in the matching entry if a match is
found.
• The device floods the frame in the VLAN of the frame if no match is found.

How a MAC address entry is created

The entries in the MAC address table include entries automatically learned by the device and entries
manually added.
MAC address learning
The device can automatically populate its MAC address table by learning the source MAC addresses
of incoming frames on each interface.
The device performs the following operations to learn the source MAC address of incoming packets:
1. Checks the source MAC address (for example, MAC-SOURCE) of the frame.
2. Looks up the source MAC address in the MAC address table.
 The device updates the entry if an entry is found.
 The device adds an entry for MAC-SOURCE and the incoming port if no entry is found.
When the device receives a frame destined for MAC-SOURCE after learning this source MAC
address, the device performs the following operations:
1. Finds the MAC-SOURCE entry in the MAC address table.
2. Forwards the frame out of the port in the entry.
The device performs the learning process for each incoming frame with an unknown source MAC
address until the table is fully populated.
Manually configuring MAC address entries
Dynamic MAC address learning does not distinguish between illegitimate and legitimate frames,
which can invite security hazards. When Host A is connected to port A, a MAC address entry will be
learned for the MAC address of Host A (for example, MAC A). When an illegal user sends frames
with MAC A as the source MAC address to port B, the device performs the following operations:
1. Learns a new MAC address entry with port B as the outgoing interface and overwrites the old
entry for MAC A.
2. Forwards frames destined for MAC A out of port B to the illegal user.
As a result, the illegal user obtains the data of Host A. To improve the security for Host A, manually
configure a static entry to bind Host A to port A. Then, the frames destined for Host A are always sent
out of port A. Other hosts using the forged MAC address of Host A cannot obtain the frames destined
for Host A.

Types of MAC address entries

A MAC address table can contain the following types of entries:

23
 • Static entries—A static entry is manually added to forward frames with a specific destination
MAC address out of the associated interface, and it never ages out. A static entry has higher
priority than a dynamically learned one.
• Dynamic entries—A dynamic entry can be manually configured or dynamically learned to
forward frames with a specific destination MAC address out of the associated interface. A
dynamic entry might age out. A manually configured dynamic entry has the same priority as a
dynamically learned one.
• Blackhole entries—A blackhole entry is manually configured and never ages out. A blackhole
entry is configured for filtering out frames with a specific source or destination MAC address.
For example, to block all frames destined for or sourced from a user, you can configure the
MAC address of the user as a blackhole MAC address entry. A blackhole entry has higher
priority than a dynamically learned one.
• Multiport unicast entries—A multiport unicast entry is manually added to send frames with a
specific unicast destination MAC address out of multiple ports, and it never ages out. A multiport
unicast entry has higher priority than a dynamically learned one.
A static, blackhole, or multiport unicast MAC address entry can overwrite a dynamic MAC address
entry, but not vice versa. A static entry, a blackhole entry, and a multiport unicast entry cannot
overwrite one another.
Multiport unicast MAC address entries have no impact on the MAC address learning. When
receiving a frame whose source MAC address matches a multiport unicast entry, the device can still
learn the MAC address of the frame and generate a dynamic entry. However, the generated dynamic
entry has lower priority. The device prefers to use the multiport unicast entry to forward frames
destined for the MAC address in the entry.

MAC address table configuration task list

The configuration tasks discussed in the following sections can be performed in any order.
This document covers only the configuration of unicast MAC address entries, including static,
dynamic, blackhole, and multiport unicast MAC address entries. For information about configuring
static multicast MAC address entries, see IP Multicast Configuration Guide. For information about
MAC address table configuration in VPLS, see MPLS Configuration Guide.
To configure the MAC address table, perform the following tasks:

Tasks at a glance
(Optional.) Configuring MAC address entries
• Adding or modifying a static or dynamic MAC address entry globally
• Adding or modifying a static or dynamic MAC address entry on an interface
• Adding or modifying a blackhole MAC address entry
• Adding or modifying a multiport unicast MAC address entry
(Optional.) Disabling MAC address learning
(Optional.) Setting the aging timer for dynamic MAC address entries
(Optional.) Setting the MAC learning limit
(Optional.) Configuring the unknown frame forwarding rule after the MAC learning limit is reached
(Optional.) Assigning MAC learning priority to interfaces
(Optional.) Enabling MAC address synchronization
(Optional.) Configuring MAC address move notifications and suppression
(Optional.) Enabling ARP fast update for MAC address moves

24
 Tasks at a glance
(Optional.) Enabling SNMP notifications for the MAC address table

Configuring MAC address entries

Configuration guidelines
You cannot add a dynamic MAC address entry if a learned entry already exists with a different
outgoing interface for the MAC address.
The manually configured static, blackhole, and multiport unicast MAC address entries cannot survive
a reboot if you do not save the configuration. The manually configured dynamic MAC address entries
are lost upon reboot whether or not you save the configuration.
A frame whose source MAC address matches different types of MAC address entries is processed
differently.

Type Description
Forwards the frame according to the destination MAC address regardless of
Static MAC address entry
whether the frame's ingress interface is the same as that in the entry.
• Learns the MAC address (MACA) of the frame and generates a dynamic
MAC address entry, but the generated dynamic MAC address entry does
Multiport unicast MAC not take effect.
address entry
• Forwards frames destined for MACA based on the multiport unicast MAC
address entry.
Blackhole MAC address
Drops the frame.
entry
• Learns the MAC address of the frames received on a different interface
Dynamic MAC address from that in the entry and overwrites the original entry.
entry • Forwards the frame received on the same interface as that in the entry
and updates the aging timer for the entry.

Adding or modifying a static or dynamic MAC address entry

globally
Step Command Remarks
1. Enter system view. system-view N/A
By default, no MAC address entry
mac-address { dynamic | static } is configured globally.
2. Add or modify a static or mac-address interface
dynamic MAC address entry. interface-type interface-number Make sure you have created the
vlan vlan-id VLAN and assigned the interface
to the VLAN.

25
Adding or modifying a static or dynamic MAC address entry
on an interface
Step Command Remarks
1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet
interface view:
interface interface-type
interface-number
2. Enter interface view. • Enter Layer 2 aggregate N/A
interface view:
interface
bridge-aggregation
interface-number
By default, no MAC address entry
is configured on the interface.
3. Add or modify a static or mac-address { dynamic |
dynamic MAC address entry. static } mac-address vlan vlan-id Make sure you have created the
VLAN and assigned the interface
to the VLAN.

Adding or modifying a blackhole MAC address entry

Step Command Remarks
1. Enter system view. system-view N/A
By default, no blackhole MAC
2. Add or modify a blackhole mac-address blackhole address entry is configured.
MAC address entry. mac-address vlan vlan-id Make sure you have created the
VLAN.

Adding or modifying a multiport unicast MAC address entry

You can configure a multiport unicast MAC address entry to associate a unicast destination MAC
address with multiple ports. The frame with a destination MAC address matching the entry is sent out
of multiple ports.
For example, in NLB unicast mode (see Figure 3):
• All servers within a cluster uses the cluster's MAC address as their own address.
• Frames destined for the cluster are forwarded to every server in the group.
In this case, you can configure a multiport unicast MAC address entry on the device connected to the
server group. Then, the device forwards the frame destined for the server group to every server
through all ports connected to the servers within the cluster.

26
 Figure 3 NLB cluster

Device

NLB cluster

You can configure a multiport unicast MAC address entry globally or on an interface.
Configuring a multiport unicast MAC address entry globally

Step Command Remarks

1. Enter system view. system-view N/A
By default, no multiport unicast
MAC address entry is configured
2. Add or modify a multiport mac-address multiport globally.
unicast MAC address entry. mac-address interface
interface-list vlan vlan-id Make sure you have created the
VLAN and assigned the interface
to the VLAN.

Configuring a multiport unicast MAC address entry on an interface

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet
interface view:
interface interface-type
interface-number
2. Enter interface view. • Enter Layer 2 aggregate N/A
interface view:
interface
bridge-aggregation
interface-number
By default, no multiport unicast
MAC address entry is configured
3. Add the interface to a on the interface.
multiport unicast MAC mac-address multiport
address entry. mac-address vlan vlan-id Make sure you have created the
VLAN and assigned the interface
to the VLAN.

Disabling MAC address learning

MAC address learning is enabled by default. To prevent the MAC address table from being saturated
when the device is experiencing attacks, disable MAC address learning. For example, you can
disable MAC address learning to prevent the device from being attacked by a large amount of frames
with different source MAC addresses.

27
 After MAC address learning is disabled, the device immediately deletes existing dynamic MAC
address entries.

Disabling global MAC address learning

Global MAC address learning does not take effect on a VPLS VSI. For information about VPLS VSIs,
see MPLS Configuration Guide.
To disable global MAC address learning:

Step Command Remarks

1. Enter system view. system-view N/A
2. Disable global MAC address undo mac-address By default, global MAC address
learning. mac-learning enable learning is enabled.

Disabling MAC address learning on interfaces

When global MAC address learning is enabled, you can disable MAC address learning on a single
interface.
To disable MAC address learning on an interface:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
interface-number
2. Enter interface view. N/A
• Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number

3. Disable MAC address By default, MAC address

undo mac-address mac-learning
learning on the interface. learning on the interface is
enable
enabled.

Disabling MAC address learning on a VLAN

When global MAC address learning is enabled, you can disable MAC address learning on a
per-VLAN basis.
To disable MAC address learning on a VLAN:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable global MAC address mac-address mac-learning By default, global MAC address
learning. enable learning is enabled.
3. Enter VLAN view. vlan vlan-id N/A
4. Disable MAC address undo mac-address By default, MAC address learning
learning on the VLAN. mac-learning enable on the VLAN is enabled.

28
Setting the aging timer for dynamic MAC address
entries
For security and efficient use of table space, the MAC address table uses an aging timer for each
dynamic MAC address entry. If a dynamic MAC address entry is not updated before the aging timer
expires, the device deletes the entry. This aging mechanism ensures that the MAC address table can
promptly update to accommodate latest network topology changes.
A stable network requires a longer aging interval, and an unstable network requires a shorter aging
interval.
An aging interval that is too long might cause the MAC address table to retain outdated entries. As a
result, the MAC address table resources might be exhausted, and the MAC address table might fail
to update its entries to accommodate the latest network changes.
An interval that is too short might result in removal of valid entries, which would cause unnecessary
floods and possibly affect the device performance.
To reduce floods on a stable network, set a long aging timer or disable the timer to prevent dynamic
entries from unnecessarily aging out. Reducing floods improves the network performance. Reducing
flooding also improves the security because it reduces the chances for a data frame to reach
unintended destinations.
To set the aging timer for dynamic MAC address entries:

Step Command Remarks

1. Enter system view. system-view N/A
The default setting is 300
2. Set the aging timer for seconds.
dynamic MAC address mac-address timer { aging
entries. seconds | no-aging } The no-aging keyword disables
the aging timer.

Setting the MAC learning limit

This feature limits the MAC address table size. A large MAC address table will degrade forwarding
performance.
To set the MAC learning limit on an interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
3. Set the MAC learning limit on mac-address max-mac-count By default, the MAC address table
the interface. count size is not limited on an interface.

Configuring the unknown frame forwarding rule

after the MAC learning limit is reached
You can enable or disable forwarding of unknown frames after the MAC learning limit is reached.

29
 To configure the device to forward unknown frames received on the interface after the MAC learning
limit on the interface is reached:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enter Layer 2 Ethernet interface interface-type

interface view. N/A
interface-number

3. Configure the device to

forward unknown frames By default, the device can forward
received on the interface mac-address max-mac-count unknown frames received on an
after the MAC learning limit enable-forwarding interface after the MAC learning
on the interface is reached. limit on the interface is reached.

Assigning MAC learning priority to interfaces

The MAC learning priority mechanism assigns either low priority or high priority to an interface. An
interface with high priority can learn MAC addresses as usual. However, an interface with low priority
is not allowed to learn MAC addresses already learned on a high-priority interface.
The MAC learning priority mechanism can help defend your network against MAC address spoofing
attacks. In a network that performs MAC-based forwarding, an upper layer device MAC address
might be learned by a downlink interface because of a loop or attack to the downlink interface. To
avoid this problem, perform the following tasks:
• Assign high MAC learning priority to an uplink interface.
• Assign low MAC learning priority to a downlink interface.
To assign MAC learning priority to an interface:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
interface-number
2. Enter interface view. N/A
• Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
3. Assign MAC learning priority mac-address mac-learning By default, low MAC learning
to the interface. priority { high | low } priority is used.

Enabling MAC address synchronization

To avoid unnecessary floods and improve forwarding speed, make sure all member devices have the
same MAC address table. After you enable MAC address synchronization, each member device
advertises learned MAC address entries to other member devices.
As shown in Figure 4:
• Device A and Device B form an IRF fabric enabled with MAC address synchronization.
• Device A and Device B connect to AP C and AP D, respectively.

30
When Client A associates with AP C, Device A learns a MAC address entry for Client A and
advertises it to Device B.
Figure 4 MAC address tables of devices when Client A accesses AP C

MAC address Port MAC address Port

MAC A A1 MAC A A1

Device A IRF Device B

Port A1 Port B1

AP C AP D

Client A

When Client A roams to AP D, Device B learns a MAC address entry for Client A. Device B
advertises it to Device A to ensure service continuity for Client A, as shown in Figure 5.
Figure 5 MAC address tables of devices when Client A roams to AP D

MAC address Port MAC address Port

MAC A A1 B1 MAC A B1

Device A IRF Device B

Port A1 Port B1

AP C AP D

Client A

To enable MAC address synchronization:

Step Command Remarks

1. Enter system view. system-view N/A

31
 Step Command Remarks
2. Enable MAC address mac-address mac-roaming By default, MAC address
synchronization. enable synchronization is disabled.

Configuring MAC address move notifications and

suppression
The outgoing interface for a MAC address entry learned on interface A is changed to interface B
when the following conditions exist:
• Interface B receives a packet with the MAC address as the source MAC address.
• Interface B belongs to the same VLAN as interface A.
In this case, the MAC address is moved from interface A to interface B, and a MAC address move
occurs.
The MAC address move notifications feature enables the device to output MAC address move logs
when MAC address moves are detected.
If a MAC address is continuously moved between the two interfaces, Layer 2 loops might occur. To
detect and locate loops, you can view the MAC address move information. To display the MAC
address move records after the device is started, use the display mac-address mac-move
command.
If the system detects that MAC address moves occur frequently on an interface, you can configure
MAC address move suppression to shut the interface down. The interface automatically goes up
after a suppression interval. Or, you can manually bring up the interface.
The MAC address move suppression feature must work with the ARP fast update for MAC address
moves feature. For information about ARP fast update for MAC address moves, see "Enabling ARP
fast update for MAC address moves."
To configure MAC address move notifications and MAC address move suppression:

Step Command Remarks

1. Enter system view. system-view N/A

By default, MAC address move

notifications are disabled.
If you do not specify a detection
interval, the default setting of 1
minute is used.
2. Enable MAC address move
After you execute this command,
notifications and optionally mac-address notification the system sends only log
specify a MAC move mac-move [ interval interval ] messages to the information center
detection interval.
module. If the device is also
configured with the snmp-agent
trap enable mac-address
command, the system also sends
SNMP notifications to the SNMP
module.

(Optional.) Set MAC mac-address notification

3. By default, the suppression interval
address move suppression mac-move suppression
is 30 seconds, and the suppression
parameters. { interval interval | threshold
threshold is 3.
threshold }

32
 Step Command Remarks
• Enter Layer 2 Ethernet
interface view:
interface interface-type
interface-number
4. Enter interface view. • Enter Layer 2 aggregate N/A
interface view:
interface
bridge-aggregation
interface-number
5. Enable MAC address move mac-address notification By default, MAC address move
suppression. mac-move suppression suppression is disabled.
6. Return to system view. quit N/A
7. Enable ARP fast update for mac-address mac-move By default, ARP fast update for
MAC address moves. fast-update MAC address moves is disabled.

Enabling ARP fast update for MAC address

moves
ARP fast update for MAC address moves allows the device to update an ARP entry immediately after
the outgoing interface for a MAC address changes. This feature ensures data connection without
interruption.
As shown in Figure 6, a mobile user laptop accesses the network by connecting to AP 1 or AP 2.
When the AP to which the user connects changes, the switch updates the ARP entry for the user
immediately after it detects a MAC address move.
Figure 6 ARP fast update application scenario
Switch

GE1/0/1 GE1/0/2

AP 1 AP 2

Laptop

To enable ARP fast update for MAC address moves:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable ARP fast update for mac-address mac-move By default, ARP fast update for
MAC address moves. fast-update MAC address moves is disabled.

33
Enabling SNMP notifications for the MAC address
table
To report critical MAC address move events to an NMS, enable SNMP notifications for the MAC
address table. For MAC address move event notifications to be sent correctly, you must also
configure SNMP on the device.
When SNMP notifications are disabled for the MAC address table, the device sends the generated
logs to the information center. To display the logs, configure the log destination and output rule
configuration in the information center.
For more information about SNMP and information center configuration, see the network
management and monitoring configuration guide for the device.
To enable SNMP notifications for the MAC address table:

Step Command Remarks

1. Enter system view. system-view N/A
By default, SNMP notifications are enabled
for the MAC address table.
2. Enable SNMP
notifications for the snmp-agent trap enable When SNMP notifications are disabled for the
MAC address table. mac-address [ mac-move ] MAC address table, syslog messages are
sent to notify important events on the MAC
address table module.

Displaying and maintaining the MAC address

table
Execute display commands in any view.

Task Command
display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic
Display MAC address table
| static ] [ interface interface-type interface-number ] | blackhole |
information.
multiport ] [ vlan vlan-id ] [ count ] ]
Display the aging timer for dynamic
display mac-address aging-time
MAC address entries.
Display the system or interface MAC display mac-address mac-learning [ interface interface-type
address learning state. interface-number ]
Display MAC address statistics. display mac-address statistics
Display the MAC address move
display mac-address mac-move [ slot slot-number ]
records.

MAC address table configuration example

Network requirements
As shown in Figure 7:

34
 • Host A at MAC address 000f-e235-dc71 is connected to GigabitEthernet 1/0/1 of Device and
belongs to VLAN 1.
• Host B at MAC address 000f-e235-abcd, which behaved suspiciously on the network, also
belongs to VLAN 1.
Configure the MAC address table as follows:
• To prevent MAC address spoofing, add a static entry for Host A in the MAC address table of
Device.
• To drop all frames destined for Host B, add a blackhole MAC address entry for Host B.
• Set the aging timer to 500 seconds for dynamic MAC address entries.
Figure 7 Network diagram

GE1/0/1

Host A Device Host B

000f-e235-dc71 000f-e235-abcd

Configuration procedure
# Add a static MAC address entry for MAC address 000f-e235-dc71 on GigabitEthernet 1/0/1 that
belongs to VLAN 1.
<Device> system-view
[Device] mac-address static 000f-e235-dc71 interface gigabitethernet 1/0/1 vlan 1

# Add a blackhole MAC address entry for MAC address 000f-e235-abcd that belongs to VLAN 1.
[Device] mac-address blackhole 000f-e235-abcd vlan 1

# Set the aging timer to 500 seconds for dynamic MAC address entries.
[Device] mac-address timer aging 500

Verifying the configuration

# Display the static MAC address entries for GigabitEthernet 1/0/1.
[Device] display mac-address static interface gigabitethernet 1/0/1
MAC Address VLAN ID State Port/NickName Aging
000f-e235-dc71 1 Static GE1/0/1 N

# Display the blackhole MAC address entries.

[Device] display mac-address blackhole
MAC Address VLAN ID State Port/NickName Aging
000f-e235-abcd 1 Blackhole N/A N

# Display the aging time of dynamic MAC address entries.

[Device] display mac-address aging-time
MAC address aging time: 500s.

35
Configuring MAC Information
The MAC Information feature can generate syslog messages or SNMP notifications when MAC
address entries are learned or deleted. You can use these messages to monitor user's leaving or
joining the network and analyze network traffic.
The MAC Information feature buffers the MAC change syslog messages or SNMP notifications in a
queue. The device overwrites the oldest MAC address change written into the queue with the most
recent MAC address change when the following conditions exist:
• The MAC change notification interval does not expire.
• The queue has been exhausted.
To send a syslog message or SNMP notification immediately after it is created, set the queue length
to zero.

Enabling MAC Information

Step Command Remarks
1. Enter system view. system-view N/A
2. Enable MAC Information mac-address information By default, MAC Information is
globally. enable globally disabled.
3. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
By default, MAC Information is
disabled on the interface.
4. Enable MAC Information on mac-address information
the interface. enable { added | deleted } Make sure you have enabled
MAC Information globally before
you enable it on the interface.

Configuring the MAC Information mode

The following MAC Information modes are available for sending MAC address changes:
• Syslog—The device sends syslog messages to notify MAC address changes. The device
sends syslog messages to the information center, which then outputs them to the monitoring
terminal. For more information about information center, see Network Management and
Monitoring Configuration Guide.
• Trap—The device sends SNMP notifications to notify MAC address changes. The device sends
SNMP notifications to the NMS. For more information about SNMP, see Network Management
and Monitoring Configuration Guide.
To configure the MAC Information mode:

Step Command Remarks

1. Enter system view. system-view N/A
2. Configure the MAC mac-address information mode
Information mode. The default setting is trap.
{ syslog | trap }

36
Setting the MAC change notification interval
To prevent syslog messages or SNMP notifications from being sent too frequently, you can set the
MAC change notification interval to a larger value.
To set the MAC change notification interval:

Step Command Remarks

1. Enter system view. system-view N/A

2. Set the MAC change mac-address information

notification interval. The default setting is 1 second.
interval interval

Setting the MAC Information queue length

Step Command Remarks
1. Enter system view. system-view N/A

2. Set the MAC Information mac-address information

queue length. The default setting is 50.
queue-length value

MAC Information configuration example

Network requirements
Enable MAC Information on GigabitEthernet 1/0/1 on Device in Figure 8 to send MAC address
changes in syslog messages to the log host, Host B, through interface GigabitEthernet 1/0/2.
Figure 8 Network diagram
Device

GE1/0/1 GE1/0/3

Host A GE1/0/2
Server
192.168.1.1/24 192.168.1.3/24

Host B
192.168.1.2/24

Configuration restrictions and guidelines

When you edit the file /etc/syslog.conf, follow these restrictions and guidelines:
• Comments must be on a separate line and must begin with a pound sign (#).
• No redundant spaces are allowed after the file name.
• The logging facility name and the severity level specified in the /etc/syslog.conf file must be
the same as those configured on the device. Otherwise, the log information might not be output

37
 correctly to the log host. The logging facility name and the severity level are configured by using
the info-center loghost and info-center source commands, respectively.

Configuration procedure
1. Configure Device to send syslog messages to Host B:
# Enable the information center.
<Device> system-view
[Device] info-center enable
# Specify the log host 192.168.1.2/24 and specify local4 as the logging facility.
[Device] info-center loghost 192.168.1.2 facility local4
# Disable log output to the log host.
[Device] info-center source default loghost deny
To avoid output of unnecessary information, disable all modules from outputting logs to the
specified destination (loghost, in this example) before you configure an output rule.
# Configure an output rule to output to the log host MAC address logs that have a severity level
no lower than informational.
[Device] info-center source mac loghost level informational
2. Configure the log host, Host B:
Configure Solaris as follows. Configure other UNIX operating systems in the same way Solaris
is configured.
a. Log in to the log host as a root user.
b. Create a subdirectory named Device in directory /var/log/.
# mkdir /var/log/Device
c. Create file info.log in the Device directory to save logs from Device.
# touch /var/log/Device/info.log
d. Edit the file syslog.conf in directory /etc/ and add the following contents:
# Device configuration messages
local4.info /var/log/Device/info.log
In this configuration, local4 is the name of the logging facility that the log host uses to
receive logs, and info is the informational level. The UNIX system records the log
information that has a severity level no lower than informational to the file
/var/log/Device/info.log.
e. Display the process ID of syslogd, end the syslogd process, and then restart syslogd
using the –r option to make the new configuration take effect.
# ps -ae | grep syslogd
147
# kill -HUP 147
# syslogd -r &
The device can output MAC address logs to the log host, which stores the logs to the specified
file.
3. Enable MAC Information on Device:
# Enable MAC Information globally.
[Device] mac-address information enable
# Configure the MAC Information mode as syslog.
[Device] mac-address information mode syslog
# Enable MAC Information on GigabitEthernet 1/0/1 to enable the port to record MAC address
change information when the interface performs either of the following operations:

38
 Learns a new MAC address.
 Deletes an existing MAC address.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] mac-address information enable added
[Device-GigabitEthernet1/0/1] mac-address information enable deleted
[Device-GigabitEthernet1/0/1] quit
# Set the MAC Information queue length to 100.
[Device] mac-address information queue-length 100
# Set the MAC change notification interval to 20 seconds.
[Device] mac-address information interval 20

39
Configuring Ethernet link aggregation
Overview
Ethernet link aggregation bundles multiple physical Ethernet links into one logical link, called an
aggregate link. Link aggregation provides the following benefits:
• Increased bandwidth beyond the limits of any single link. In an aggregate link, traffic is
distributed across the member ports.
• Improved link reliability. The member ports dynamically back up one another. When a member
port fails, its traffic is automatically switched to other member ports.

Ethernet link aggregation application scenario

As shown in Figure 9, Device A and Device B are connected by three physical Ethernet links. These
physical Ethernet links are combined into an aggregate link called link aggregation 1. The bandwidth
of this aggregate link can reach up to the total bandwidth of the three physical Ethernet links. At the
same time, the three Ethernet links back up one another. When a physical Ethernet link fails, the
traffic previously transmitted on the failed link is switched to the other two links.
Figure 9 Ethernet link aggregation diagram
GE1/0/1 GE1/0/1
GE1/0/2 GE1/0/2
Link aggregation 1
GE1/0/3 GE1/0/3

Device A Device B

Aggregation group, member port, and aggregate interface

An aggregation group is a group of Ethernet interfaces bundled together. These Ethernet interfaces
are called member ports of the aggregation group. Each aggregation group has a corresponding
logical interface called an aggregate interface.
When an aggregate interface is created, the device automatically creates an aggregation group of
the same type and number as the aggregate interface.
An aggregate interface can be one of the following types:
• Layer 2—A Layer 2 aggregate interface is created manually. The member ports of the
corresponding Layer 2 aggregation group can only be Layer 2 Ethernet interfaces.
• Layer 3—A Layer 3 aggregate interface is created manually. The member ports of the
corresponding Layer 3 aggregation group can only be Layer 3 Ethernet interfaces.
The port rate of an aggregate interface equals the total rate of its Selected member ports. Its duplex
mode is the same as that of the Selected member ports. For more information about Selected
member ports, see "Aggregation states of member ports in an aggregation group."

Aggregation states of member ports in an aggregation group

A member port in an aggregation group can be in any of the following aggregation states:
• Selected—A Selected port can forward traffic.
• Unselected—An Unselected port cannot forward traffic.

40
 • Individual—An Individual port can forward traffic as a normal physical port. A port is placed in
the Individual state when the following conditions exist:
 Its aggregate interface is configured as an edge aggregate interface.
 The port has not received Link Aggregation Control Protocol Data Units (LACPDUs) from its
peer port.

Operational key
When aggregating ports, the system automatically assigns each port an operational key based on
port information, such as port rate and duplex mode. Any change to this information triggers a
recalculation of the operational key.
In an aggregation group, all Selected ports have the same operational key.

Configuration types
Port configurations include attribute configurations and protocol configurations. Attribute
configurations affect the aggregation state of the port but the protocol configurations do not.
Attribute configurations
To become a Selected port, a member port must have the same attribute configurations as the
aggregate interface. Table 2 describes the attribute configurations.
Attribute configuration changes made on an aggregate interface are automatically synchronized to
all member ports. If the changes fail to be synchronized to a Selected port, the port might change to
the Unselected state. To make the port become Selected again, you can change the attribute
configurations on the aggregate interface or the member port. The synchronization failure does not
affect the attribute configuration changes made on the aggregate interface. The configurations that
have been synchronized from the aggregate interface are retained on the member ports even after
the aggregate interface is deleted.
Any attribute configuration change on a member port might affect the aggregation states and running
services of the member ports. The system displays a warning message every time you try to change
an attribute configuration setting on a member port.
Table 2 Attribute configurations

Feature Attribute configurations

Membership of the port in an isolation group.
Port isolation
Isolation group number.
QinQ status (enabled/disabled), TPID for VLAN tags, and VLAN transparent
QinQ
transmission. For information about QinQ, see "Configuring QinQ."
VLAN mapping configured on the port. For more information about VLAN
VLAN mapping
mapping, see "Configuring VLAN mapping."
VLAN attribute configurations include the following:
• Permitted VLAN IDs.
• PVID.
• Link type (trunk, hybrid, or access).
• PVLAN port type (promiscuous, trunk promiscuous, host, or trunk
VLAN secondary).
• IP subnet-based VLAN configuration.
• Protocol-based VLAN configuration.
• VLAN tagging mode.
For information about VLANs, see "Configuring VLANs."

41
Protocol configurations
Settings that do not affect the aggregation state of a member port even if they are different from
those on the aggregate interface. MAC address learning settings are examples of protocol
configurations.
For an aggregation, only the protocol configurations on the aggregate interface take effect. The
protocol configurations on the member ports will not take effect until after the ports leave the
aggregation group.

Link aggregation modes

An aggregation group operates in one of the following modes:
• Static—Static aggregation is stable. An aggregation group in static mode is called a static
aggregation group. The aggregation states of the member ports in a static aggregation group
are not affected by the peer ports.
• Dynamic—An aggregation group in dynamic mode is called a dynamic aggregation group. The
local system and the peer system automatically maintain the aggregation states of the member
ports. Dynamic link aggregation reduces the administrators' workload.

How static link aggregation works

Choosing a reference port
When setting the aggregation states of the ports in an aggregation group, the system automatically
chooses a member port as the reference port. A Selected port must have the same operational key
and attribute configurations as the reference port.
The system chooses a reference port from the member ports in up state.
The candidate reference ports are organized into different priority levels following these rules:
1. In descending order of port priority.
2. Full duplex.
3. In descending order of speed.
4. Half duplex.
5. In descending order of speed.
From the candidate ports with the same attribute configurations as the aggregate interface, the one
with the highest priority level is chosen as the reference port.
• If multiple ports have the same priority level, the port that has been Selected (if any) is chosen.
If multiple ports with the same priority level have been Selected, the one with the smallest port
number is chosen.
• If multiple ports have the same priority level and none of them has been Selected, the port with
the smallest port number is chosen.
Setting the aggregation state of each member port
After the reference port is chosen, the system sets the aggregation state of each member port in the
static aggregation group.

42
 Figure 10 Setting the aggregation state of a member port in a static aggregation group

Set the aggregation state of a member port

Yes
Is there any hardware restriction?

No

No
Is the port up？

Yes

Operational key/attribute No
configurations same as the reference
port?

Yes

More candidate ports than max. Yes

number of Selected ports?

No

Set the port to the

Set the port to the Selected state
Unselected state

After the limit on Selected ports is reached, the aggregation state of a new member port varies by
following conditions:
• The port is placed in Unselected state if the port and the Selected ports have the same port
priority. This mechanism prevents traffic interruption on the existing Selected ports. A device
reboot can cause the device to recalculate the aggregation states of member ports.
• The port is placed in Selected state when the following conditions are met:
 The port and the Selected ports have different port priorities, and the port has a higher port
priority than a minimum of one Selected port.
 The port has the same attribute configurations as the aggregate interface.
Any operational key or attribute configuration change might affect the aggregation states of link
aggregation member ports.

LACP
Dynamic aggregation is implemented through IEEE 802.3ad Link Aggregation Control Protocol
(LACP).
LACP uses LACPDUs to exchange aggregation information between LACP-enabled devices. Each
member port in a dynamic aggregation group can exchange information with its peer. When a
member port receives an LACPDU, it compares the received information with information received

43
 on the other member ports. In this way, the two systems reach an agreement on which ports are
placed in Selected state.
LACP functions
LACP offers basic LACP functions and extended LACP functions, as described in Table 3.
Table 3 Basic and extended LACP functions

Category Description
Implemented through the basic LACPDU fields, including the system LACP
Basic LACP functions
priority, system MAC address, port priority, port number, and operational key.
Implemented by extending the LACPDU with new TLV fields. Extended LACP can
implement LACP MAD for the IRF feature.
Extended LACP
functions The switch series can participate in LACP MAD as either an IRF member device or
an intermediate device. For more information about IRF and the LACP MAD
mechanism, see IRF Configuration Guide.

LACP operating modes

LACP can operate in active or passive mode.
When LACP is operating in passive mode on a local member port and its peer port, both ports cannot
send LACPDUs. When LACP is operating in active mode on either end of a link, both ports can send
LACPDUs.
LACP priorities
LACP priorities include system LACP priority and port priority, as described in Table 4. The smaller
the priority value, the higher the priority.
Table 4 LACP priorities

Type Description
Used by two peer devices (or systems) to determine which one is superior in link
aggregation.
System LACP In dynamic link aggregation, the system that has higher system LACP priority sets
priority the Selected state of member ports on its side. The system that has lower priority
sets the aggregation state of local member ports the same as their respective peer
ports.
Determines the likelihood of a member port to be a Selected port on a system. A port
Port priority
with a higher port priority is more likely to become Selected.

LACP timeout interval

The LACP timeout interval specifies how long a member port waits to receive LACPDUs from the
peer port. If a local member port has not received LACPDUs from the peer within the LACP timeout
interval, the member port considers the peer as failed.
The LACP timeout interval also determines the LACPDU sending rate of the peer. LACP timeout
intervals include the following types:
• Short timeout interval—3 seconds. If you use the short timeout interval, the peer sends one
LACPDU per second.
• Long timeout interval—90 seconds. If you use the long timeout interval, the peer sends one
LACPDU every 30 seconds.

44
How dynamic link aggregation works
Choosing a reference port
The system chooses a reference port from the member ports in up state. A Selected port must have
the same operational key and attribute configurations as the reference port.
The local system (the actor) and the peer system (the partner) negotiate a reference port by using
the following workflow:
1. The two systems determine the system with the smaller system ID.
A system ID contains the system LACP priority and the system MAC address.
a. The two systems compare their LACP priority values.
The lower the LACP priority, the smaller the system ID. If the LACP priority values are the
same, the two systems proceed to step b.
b. The two systems compare their MAC addresses.
The lower the MAC address, the smaller the system ID.
2. The system with the smaller system ID chooses the port with the smallest port ID as the
reference port.
A port ID contains a port priority and a port number. The lower the port priority, the smaller the
port ID.
a. The system chooses the port with the lowest priority value as the reference port.
If the ports have the same priority, the system proceeds to step b.
b. The system compares their port numbers.
The smaller the port number, the smaller the port ID.
The port with the smallest port number and the same attribute configurations as the
aggregate interface is chosen as the reference port.
Setting the aggregation state of each member port
After the reference port is chosen, the system with the smaller system ID sets the state of each
member port on its side.

45
Figure 11 Setting the state of a member port in a dynamic aggregation group

Set the aggregation state of a member port

Yes
Is there any hardware restriction?

No

No
Is the port up?

Yes

No
Operational key/attribute configurations
same as the reference port?

Yes

No
Operational key/attribute configurations of
the peer port same as the peer port of the
reference port?

Yes

Yes No
More candidate ports than allowed max. Port number as low as to set the port
number of Selected ports? to the Selected state?

No Yes

Set the port to the

Set the port to the Selected state
Unselected state

The system with the greater system ID can detect the aggregation state changes on the peer
system. The system with the greater system ID sets the aggregation state of local member ports the
same as their peer ports.
When you aggregate interfaces in dynamic mode, follow these guidelines:
• A dynamic link aggregation group chooses only full-duplex ports as the Selected ports.
• For stable aggregation and service continuity, do not change the operational key or attribute
configurations on any member port.
• After the Selected port limit is reached, a newly joining port becomes a Selected port if it is more
eligible than a current Selected port.

46
Edge aggregate interface
Dynamic link aggregation fails on a server-facing aggregate interface if dynamic link aggregation is
configured only on the device. The device forwards traffic by using only one of the physical ports that
are connected to the server.
To improve link reliability, configure the aggregate interface as an edge aggregate interface. This
feature enables all member ports of the aggregation group to forward traffic. When a member port
fails, its traffic is automatically switched to other member ports.
After dynamic link aggregation is configured on the server, the device can receive LACPDUs from
the server. Then, link aggregation between the device and the server operates correctly.
An edge aggregate interface takes effect only when it is configured on an aggregate interface
corresponding to a dynamic aggregation group.

Load sharing modes for link aggregation groups

In a link aggregation group, traffic can be load shared across the Selected ports based on any of the
following modes:
• Per-flow load sharing—Load shares traffic on a per-flow basis. The load sharing mode
classifies packets into flows and forwards packets of the same flow on the same link. This mode
can be one or any combination of the following traffic classification criteria:
 Ingress port.
 Source IP.
 Destination IP.
 Source MAC.
 Destination MAC.
 Source port number.
 Destination port number.
• Packet type-based load sharing—Load shares traffic automatically based on packet types
(Layer 2 protocol, IPv4, or IPv6).

Ethernet link aggregation configuration task list

Tasks at a glance
(Required.) Configuring an aggregation group:
• Configuring a Layer 2 aggregation group
• Configuring a Layer 3 aggregation group
(Optional.) Configuring an aggregate interface:
• Configuring the description of an aggregate interface
• Specifying ignored VLANs for a Layer 2 aggregate interface
• Setting the MTU for a Layer 3 aggregate interface
• Setting the minimum and maximum numbers of Selected ports for an aggregation group
• Setting the expected bandwidth for an aggregate interface
• Configuring an edge aggregate interface
• Enabling BFD for an aggregation group
• Shutting down an aggregate interface
• Restoring the default settings for an aggregate interface

47
 Tasks at a glance
(Optional.) Configuring load sharing for link aggregation groups:
• Setting load sharing modes for link aggregation groups
• Enabling local-first load sharing for link aggregation
• Configuring link aggregation load sharing algorithm settings
(Optional.) Enabling link-aggregation traffic redirection

Configuring an aggregation group

Configuration restrictions and guidelines
The following information describes restrictions and guidelines that you must follow when you
configure link aggregations.
Aggregation member interface restrictions
• You cannot assign an interface to a Layer 2 aggregation group if any features in Table 5 are
configured on that interface.
Table 5 Features incompatible with Layer 2 aggregation member interfaces

Feature on the interface Reference

MAC authentication MAC authentication in Security Configuration Guide
Port security Port security in Security Configuration Guide
802.1X 802.1X in Security Configuration Guide
Service instance bound to a cross connect MPLS L2VPN in MPLS Configuration Guide
Service instance bound to a VSI VPLS in MPLS Configuration Guide

• You cannot assign an interface to a Layer 3 aggregation group if any features in Table 6 are
configured on that interface.
Table 6 Features incompatible with Layer 3 aggregation member interfaces

Feature on the interface Reference

Interface bound to a cross connect MPLS L2VPN in MPLS Configuration Guide
Interface bound to a VSI VPLS in MPLS Configuration Guide

• Do not assign a reflector port for port mirroring to an aggregation group. For more information
about reflector ports, see Network Management and Monitoring Configuration Guide.
Configuration consistency requirements
• You must configure the same aggregation mode on the two ends of an aggregate link.
• For a successful static aggregation, make sure the ports at both ends of each link are in the
same aggregation state.
• For a successful dynamic aggregation, make sure the peer ports of the ports aggregated at one
end are also aggregated. The two ends can automatically negotiate the aggregation state of
each member port.

48
Miscellaneous
Deleting an aggregate interface also deletes its aggregation group and causes all member ports to
leave the aggregation group.

Configuring a Layer 2 aggregation group

Configuring a Layer 2 static aggregation group

Step Command Remarks

1. Enter system view. system-view N/A
When you create a Layer 2
2. Create a Layer 2 aggregate aggregate interface, the system
interface and enter Layer 2 interface bridge-aggregation
automatically creates a Layer 2
aggregate interface view. interface-number
static aggregation group
numbered the same.
3. Exit to system view. quit N/A
a Enter Layer 2 Ethernet
You can assign multiple Layer 2
interface view:
Ethernet interfaces to an
interface interface-type
aggregation group.
4. Assign an interface to the interface-number
specified Layer 2 b Assign the interface to the To synchronize the attribute
aggregation group. specified Layer 2 configurations from the aggregate
aggregation group: interface when the current
port link-aggregation interface joins the aggregation
group group-id [ force ] group, specify the force keyword.

5. (Optional.) Set the port link-aggregation port-priority The default port priority of an
priority for the interface. priority interface is 32768.

Configuring a Layer 2 dynamic aggregation group

Step Command Remarks

1. Enter system view. system-view N/A
By default, the system LACP
priority is 32768.
2. Set the system LACP priority. lacp system-priority priority Changing the system LACP
priority might affect the
aggregation states of the ports in
a dynamic aggregation group.
When you create a Layer 2
3. Create a Layer 2 aggregate aggregate interface, the system
interface and enter Layer 2 interface bridge-aggregation
automatically creates a Layer 2
aggregate interface view. interface-number
static aggregation group
numbered the same.
4. Configure the aggregation
group to operate in dynamic By default, an aggregation group
link-aggregation mode dynamic
mode. operates in static mode.

5. Exit to system view. quit N/A

6. Assign an interface to the a Enter Layer 2 Ethernet You can assign multiple Layer 2
specified Layer 2 interface view: Ethernet interfaces to an

49
 Step Command Remarks
aggregation group. interface interface-type aggregation group.
interface-number To synchronize the attribute
b Assign the interface to the configurations from the aggregate
specified Layer 2 interface when the current
aggregation group: interface joins the aggregation
port link-aggregation group, specify the force keyword.
group group-id [ force ]
• Set the LACP operating
mode to passive:
7. Set the LACP operating lacp mode passive By default, LACP is operating in
mode for the interface. • Set the LACP operating active mode.
mode to active:
undo lacp mode
8. Set the port priority for the link-aggregation port-priority
interface. The default setting is 32768.
priority
By default, the long LACP timeout
interval (90 seconds) is used by
the interface.
9. Enable the short LACP To avoid traffic interruption during
timeout interval (3 seconds) lacp period short an ISSU, do not enable the short
on the interface. LACP timeout interval before
performing the ISSU. For more
information about ISSU, see
Fundamentals Configuration
Guide.

Configuring a Layer 3 aggregation group

Configuring a Layer 3 static aggregation group

Step Command Remarks

1. Enter system view. system-view N/A
When you create a Layer 3
2. Create a Layer 3 aggregate aggregate interface, the system
interface and enter Layer 3 interface route-aggregation
automatically creates a Layer 3
aggregate interface view. interface-number
static aggregation group
numbered the same.

3. Exit to system view. quit N/A

a Enter Layer 3 Ethernet

interface view:
interface interface-type
4. Assign an interface to the interface-number You can assign multiple Layer 3
specified Layer 3 b Assign the interface to the Ethernet interfaces to an
aggregation group. specified Layer 3 aggregation group.
aggregation group:
port link-aggregation
group group-id

5. (Optional.) Set the port link-aggregation port-priority The default port priority of an
priority for the interface. priority interface is 32768.

50
Configuring a Layer 3 dynamic aggregation group

Step Command Remarks

1. Enter system view. system-view N/A
By default, the system LACP
priority is 32768.
2. Set the system LACP priority. lacp system-priority priority Changing the system LACP
priority might affect the
aggregation states of the ports in
the dynamic aggregation group.
When you create a Layer 3
3. Create a Layer 3 aggregate aggregate interface, the system
interface and enter Layer 3 interface route-aggregation
automatically creates a Layer 3
aggregate interface view. interface-number
static aggregation group
numbered the same.
4. Configure the aggregation
group to operate in dynamic By default, an aggregation group
link-aggregation mode dynamic
mode. operates in static mode.

5. Exit to system view. quit N/A

a Enter Layer 3 Ethernet
interface view:
interface interface-type
6. Assign an interface to the interface-number You can assign multiple Layer 3
specified Layer 3 b Assign the interface to the Ethernet interfaces to an
aggregation group. specified Layer 3 aggregation group.
aggregation group:
port link-aggregation
group group-id
• Set the LACP operating
mode to passive:
7. Set the LACP operating lacp mode passive By default, LACP is operating in
mode for the interface. • Set the LACP operating active mode.
mode to active:
undo lacp mode

8. Set the port priority for the link-aggregation port-priority

interface. The default setting is 32768.
priority

By default, the long LACP timeout

interval (90 seconds) is used by
the interface.
9. Enable the short LACP To avoid traffic interruption during
timeout interval (3 seconds) lacp period short an ISSU, do not enable the short
for the interface. LACP timeout interval before
performing the ISSU. For more
information about ISSU, see
Fundamentals Configuration
Guide.

Configuring an aggregate interface

Most configurations that can be made on Layer 2 or Layer 3 Ethernet interfaces can also be made on
Layer 2 or Layer 3 aggregate interfaces.

51
Configuring the description of an aggregate interface
You can configure the description of an aggregate interface for administration purposes, for
example, describing the purpose of the interface.
To configure the description of an aggregate interface:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
2. Enter aggregate interface-number
interface view. N/A
• Enter Layer 3 aggregate
interface view:
interface route-aggregation
interface-number
3. Configure the By default, the description of an
description of the description text interface is interface-name
aggregate interface. Interface.

Specifying ignored VLANs for a Layer 2 aggregate interface

To become Selected, a member port by default must have the same VLAN permit state and tagging
mode as the Layer 2 aggregate interface. To ignore the VLAN permit state and tagging mode of a
VLAN when choosing Selected ports, specify the VLAN as an ignored VLAN.
To specify ignored VLANs for a Layer 2 aggregate interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 aggregate interface bridge-aggregation
interface view. N/A
interface-number
By default, a Layer 2 aggregate
Specify ignored VLANs. link-aggregation ignore vlan
3. interface does not ignore any
vlan-id-list
VLANs.

Setting the MTU for a Layer 3 aggregate interface

The MTU of an interface affects IP packets fragmentation and reassembly on the interface.
To set the MTU for a Layer 3 aggregate interface:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 3 aggregate interface route-aggregation
interface view. N/A
interface-number
3. Set the MTU for the Layer 3
aggregate interface. mtu size The default setting is 1500 bytes.

52
Setting the minimum and maximum numbers of Selected
ports for an aggregation group
IMPORTANT:
The minimum and maximum numbers of Selected ports must be the same for the local and peer
aggregation groups.

The bandwidth of an aggregate link increases as the number of Selected member ports increases.
To avoid congestion, you can set the minimum number of Selected ports required for bringing up an
aggregate interface.
This minimum threshold setting affects the aggregation states of aggregation member ports and the
state of the aggregate interface.
• When the number of member ports eligible to be Selected ports is smaller than the minimum
threshold, the following events occur:
 The eligible member ports are placed in Unselected state.
 The link layer state of the aggregate interface becomes down.
• When the number of member ports eligible to be Selected ports reaches or exceeds the
minimum threshold, the following events occur:
 The eligible member ports are placed in Selected state.
 The link layer state of the aggregate interface becomes up.
The maximum number of Selected ports allowed in an aggregation group is limited by either manual
configuration or hardware limitation, whichever value is smaller.
You can implement backup between two ports by performing the following tasks:
• Assigning two ports to an aggregation group.
• Setting the maximum number of Selected ports to 1 for the aggregation group.
Then, only one Selected port is allowed in the aggregation group, and the Unselected port acts as a
backup port.
To set the minimum and maximum numbers of Selected ports for an aggregation group:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 aggregate
interface view:
interface
bridge-aggregation
2. Enter aggregate interface interface-number
view. N/A
• Enter Layer 3 aggregate
interface view:
interface
route-aggregation
interface-number
3. Set the minimum number of By default, the minimum number
Selected ports for the link-aggregation selected-port
of Selected ports is not specified
aggregation group. minimum min-number
for an aggregation group.
4. Set the maximum number of By default, the maximum number
Selected ports for the link-aggregation selected-port
of Selected ports for an
aggregation group. maximum max-number
aggregation group is 32.

53
Setting the expected bandwidth for an aggregate interface
Step Command Remarks
1. Enter system view. system-view N/A
• Enter Layer 2 aggregate
interface view:
interface
bridge-aggregation
2. Enter aggregate interface interface-number
view. N/A
• Enter Layer 3 aggregate
interface view:
interface
route-aggregation
interface-number
By default, the expected
3. Set the expected bandwidth bandwidth (in kbps) is the
for the interface. bandwidth bandwidth-value
interface baud rate divided by
1000.

Configuring an edge aggregate interface

When you configure an edge aggregate interface, follow these restrictions and guidelines:
• This configuration takes effect only on the aggregate interface corresponding to a dynamic
aggregation group.
• Link-aggregation traffic redirection cannot operate correctly on an edge aggregate interface.
For more information about link-aggregation traffic redirection, see "Enabling link-aggregation
traffic redirection."
To configure an edge aggregate interface:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 aggregate
interface view:
interface
bridge-aggregation
2. Enter aggregate interface interface-number
view. N/A
• Enter Layer 3 aggregate
interface view:
interface
route-aggregation
interface-number
3. Configure the aggregate By default, an aggregate interface
interface as an edge lacp edge-port does not operate as an edge
aggregate interface. aggregate interface.

Enabling BFD for an aggregation group

BFD for Ethernet link aggregation can monitor member link status in an aggregation group. After you
enable BFD on an aggregate interface, each Selected port in the aggregation group establishes a
BFD session with its peer port. BFD operates differently depending on the aggregation mode.

54
 • BFD for static aggregation—When BFD detects a link failure, BFD notifies the Ethernet link
aggregation module that the peer port is unreachable. The local port is placed in Unselected
state. The BFD session between the local and peer ports remains, and the local port keeps
sending BFD packets. When the link is recovered, the local port receives BFD packets from the
peer port, and BFD notifies the Ethernet link aggregation module that the peer port is reachable.
The local port is placed in Selected state again. This mechanism ensures that the local and
peer ports of a static aggregate link have the same aggregation state.
• BFD for dynamic aggregation—When BFD detects a link failure, BFD notifies the Ethernet
link aggregation module that the peer port is unreachable. BFD clears the session and stops
sending BFD packets. When the link is recovered and the local port is placed in Selected state
again, the local port establishes a new session with the peer port. BFD notifies the Ethernet link
aggregation module that the peer port is reachable. Because BFD provides fast failure
detection, the local and peer systems of a dynamic aggregate link can negotiate the
aggregation state of their member ports faster.
For more information about BFD, see High Availability Configuration Guide.
Configuration restrictions and guidelines
When you enable BFD for an aggregation group, follow these restrictions and guidelines:
• Make sure the source and destination IP addresses are consistent between the two ends of an
aggregate link. For example, if you execute link-aggregation bfd ipv4 source 1.1.1.1
destination 2.2.2.2 at the local end, execute link-aggregation bfd ipv4 source 2.2.2.2
destination 1.1.1.1 at the peer end. The source and destination IP addresses cannot be the
same.
• The BFD parameters configured on an aggregate interface take effect on all BFD sessions in
the aggregation group. BFD sessions for link aggregation do not support the echo packet mode
or the Demand mode.
• As a best practice, do not configure other protocols to collaborate with BFD on a BFD-enabled
aggregate interface.
• Make sure the number of member ports in a BFD-enabled aggregation group is less than or
identical to the number of BFD sessions supported by the device. If the aggregation group
contains more member ports than the supported sessions, some Selected ports might change
to the Unselected state.
• If the number of BFD sessions differs between the two ends of an aggregate link, check their
settings for inconsistency in the maximum number of Selected ports. You must make sure the
two ends have the same setting for the maximum number of Selected ports.
Configuration procedure
To enable BFD for an aggregation group:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 aggregate interface view:
interface bridge-aggregation
2. Enter aggregate interface interface-number
view. N/A
• Enter Layer 3 aggregate interface view:
interface route-aggregation
interface-number
By default, BFD is disabled
for an aggregation group.
3. Enable BFD for the link-aggregation bfd ipv4 source The source and destination
aggregation group. ip-address destination ip-address IP addresses of BFD
sessions must be unicast
addresses excluding
0.0.0.0.

55
Shutting down an aggregate interface
Shutting down or bringing up an aggregate interface affects the aggregation states and link states of
member ports in the corresponding aggregation group as follows:
• When an aggregate interface is shut down, all Selected ports in the corresponding aggregation
group become Unselected ports and all member ports go down.
• When an aggregate interface is brought up, the aggregation states of member ports in the
corresponding aggregation group are recalculated.
To shut down an aggregate interface:

Step Command
1. Enter system view. system-view
• Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number
2. Enter aggregate interface view.
• Enter Layer 3 aggregate interface view:
interface route-aggregation interface-number
3. Shut down the aggregate interface. shutdown

Restoring the default settings for an aggregate interface

You can restore all configurations on an aggregate interface to the default settings.
To restore the default settings for an aggregate interface:

Step Command
1. Enter system view. system-view
• Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number
2. Enter aggregate interface view.
• Enter Layer 3 aggregate interface view:
interface route-aggregation interface-number
3. Restore the default settings for the
aggregate interface. default

Configuring load sharing for link aggregation

groups
Setting load sharing modes for link aggregation groups
You can set the global or group-specific load sharing mode. A link aggregation group preferentially
uses the group-specific load sharing mode. If the group-specific load sharing mode is not available,
the group uses the global load sharing mode.
Setting the global link-aggregation load sharing mode

Step Command Remarks

1. Enter system view. system-view N/A
2. Set the global link-aggregation global By default, the system load

56
 Step Command Remarks
link-aggregation load load-sharing mode { destination-ip shares traffic automatically
sharing mode. | destination-mac | destination-port based on packet types.
| ingress-port | source-ip |
source-mac | source-port } *

Setting the group-specific load sharing mode

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
2. Enter aggregate interface interface-number
view. N/A
• Enter Layer 3 aggregate
interface view:
interface route-aggregation
interface-number
link-aggregation load-sharing
Set the load sharing mode By default, the group-specific
3. mode { destination-ip |
for the aggregation group. load sharing mode is the same
destination-mac | source-ip |
as the global load sharing mode.
source-mac } *

Enabling local-first load sharing for link aggregation

Use local-first load sharing in a multidevice link aggregation scenario to distribute traffic preferentially
across member ports on the ingress card or device.
When you aggregate ports on different member devices in an IRF fabric, you can use local-first load
sharing to reduce traffic on IRF links, as shown in Figure 12. For more information about IRF, see IRF
Configuration Guide.
Figure 12 Load sharing for multidevice link aggregation in an IRF fabric

The egress port for a traffic flow is an

aggregate interface that has Selected
ports on different IRF member devices

Yes Local-first load sharing No

mechanism enabled?

No
Any Selected ports on the
ingress device?

Yes

Packets are load-shared only

Packets are load-shared across
across the Selected ports on the
all Selected ports
ingress device

57
 To enable local-first load sharing for link aggregation:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable local-first load link-aggregation load-sharing By default, local-first load sharing
sharing for link aggregation. mode local-first for link aggregation is enabled.

Configuring link aggregation load sharing algorithm settings

To optimize traffic distribution on aggregate links, you can configure a link aggregation load sharing
algorithm and an algorithm seed. You can set only the algorithm or the algorithm seed, or both. You
can combine an algorithm with different algorithm seeds to obtain different effects.
This feature takes effect only when the per-flow load sharing mode is used and the per-flow load
sharing mode does not use the following traffic classification criteria:
• Source IP address.
• Destination IP address.
• Source MAC address.
• Destination MAC address.
• Source and destination IP addresses.
• Source and destination MAC addresses.
To configure a link aggregation load sharing algorithm:

Step Command Remarks

1. Enter system view. system-view N/A
By default, algorithm 0 is used.
link-aggregation global If the device fails to load share
2. Configure a link aggregation traffic flows across all Selected
load sharing algorithm. load-sharing algorithm
algorithm-number ports, you can specify algorithm 1
to 13 in sequence until the
problem is solved.
3. Configure a link aggregation link-aggregation global By default, algorithm seed 0 is
load sharing algorithm seed. load-sharing seed seed-number used.

Enabling link-aggregation traffic redirection

This feature redirects traffic on a Selected port to the remaining available Selected ports of an
aggregation group if one of the following events occurs:
• The port is shut down by using the shutdown command.
• The slot that hosts the port reboots, and the aggregation group spans multiple slots.
This feature ensures zero packet loss for known unicast traffic, but does not protect unknown unicast
traffic.
You can enable link-aggregation traffic redirection globally or for an aggregation group. Global
link-aggregation traffic redirection settings take effect on all aggregation groups. A link aggregation
group preferentially uses the group-specific link-aggregation traffic redirection settings. If
group-specific link-aggregation traffic redirection is not configured, the group uses the global
link-aggregation traffic redirection settings.

58
Configuration restrictions and guidelines
When you enable link-aggregation traffic redirection, follow these restrictions and guidelines:
• Link-aggregation traffic redirection applies only to dynamic link aggregation groups.
• To prevent traffic interruption, enable link-aggregation traffic redirection on devices at both ends
of the aggregate link.
• To prevent packet loss that might occur when a slot reboots, do not enable spanning tree
together with link-aggregation traffic redirection.
• Link-aggregation traffic redirection does not operate correctly on an edge aggregate interface.
• As a best practice, enable link-aggregation traffic redirection on aggregate interfaces. If you
enable this feature globally, communication with a third-party peer device might be affected if
the peer is not compatible with this feature.

Configuration procedure
To enable link-aggregation traffic redirection globally:

Step Command Remarks

1. Enter system view. system-view N/A

Enable link-aggregation link-aggregation lacp

2. By default, link-aggregation traffic
traffic redirection globally. traffic-redirect-notification
redirection is disabled globally.
enable

To enable link-aggregation traffic redirection for an aggregation group:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 aggregate
interface view:
interface
bridge-aggregation
2. Enter aggregate interface interface-number
view. N/A
• Enter Layer 3 aggregate
interface view:
interface
route-aggregation
interface-number
3. Enable link-aggregation link-aggregation lacp By default, link-aggregation traffic
traffic redirection for the traffic-redirect-notification redirection is disabled for an
aggregation group. enable aggregation group.

Displaying and maintaining Ethernet link

aggregation
Execute display commands in any view and reset commands in user view.

Task Command
Display information for an aggregate interface display interface [ { bridge-aggregation |

59
 Task Command
or multiple aggregate interfaces. route-aggregation } [ interface-number ] ] [ brief
[ description | down ] ]
Display the local system ID. display lacp system-id
display link-aggregation load-sharing mode [ interface
Display the global or group-specific
[ { bridge-aggregation | route-aggregation }
link-aggregation load sharing modes.
interface-number ] ]
display link-aggregation load-sharing path interface
{ bridge-aggregation | route-aggregation }
interface-number ingress-port interface-type
interface-number [ route ] { { destination-ip ip-address |
Display forwarding information for the specified
destination-ipv6 ipv6-address } | { source-ip ip-address |
traffic flow.
source-ipv6 ipv6-address } | destination-mac
mac-address | destination-port port-id | ethernet-type
type-number | ip-protocol protocol-id | source-mac
mac-address | source-port port-id | vlan vlan-id } *
Display detailed link aggregation information
display link-aggregation member-port [ interface-list ]
for link aggregation member ports.
Display summary information about all
display link-aggregation summary
aggregation groups.
display link-aggregation verbose
Display detailed information about the
[ { bridge-aggregation | route-aggregation }
specified aggregation groups.
[ interface-number ] ]
Clear LACP statistics for the specified link
reset lacp statistics [ interface interface-list ]
aggregation member ports.
Clear statistics for the specified aggregate reset counters interface [ { bridge-aggregation |
interfaces. route-aggregation } [ interface-number ] ]

Ethernet link aggregation configuration examples

Layer 2 static aggregation configuration example
Network requirements
On the network shown in Figure 13, perform the following tasks:
• Configure a Layer 2 static aggregation group on both Device A and Device B.
• Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other
end.
• Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other
end.

60
 Figure 13 Network diagram

VLAN 10 VLAN 10

GE1/0/4 GE1/0/4
GE1/0/1 GE1/0/1
GE1/0/2 GE1/0/2
Device A Link aggregation 1 Device B
GE1/0/3 GE1/0/3

GE1/0/5 BAGG1 BAGG1 GE1/0/5

VLAN 20 VLAN 20

Configuration procedure
1. Configure Device A:
# Create VLAN 10, and assign port GigabitEthernet 1/0/4 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port gigabitethernet 1/0/4
[DeviceA-vlan10] quit
# Create VLAN 20, and assign port GigabitEthernet 1/0/5 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port gigabitethernet 1/0/5
[DeviceA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] quit
# Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to link aggregation group 1.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/2] quit
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/3] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLANs 10 and 20.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20
[DeviceA-Bridge-Aggregation1] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.

61
 [DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None
Port Status Priority Oper-Key
GE1/0/1(R) S 32768 1
GE1/0/2 S 32768 1
GE1/0/3 S 32768 1

The output shows that link aggregation group 1 is a Layer 2 static aggregation group that contains
three Selected ports.

Layer 2 dynamic aggregation configuration example

Network requirements
On the network shown in Figure 14, perform the following tasks:
• Configure a Layer 2 dynamic aggregation group on both Device A and Device B.
• Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other
end.
• Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other
end.
Figure 14 Network diagram

VLAN 10 VLAN 10

GE1/0/4 GE1/0/4
GE1/0/1 GE1/0/1
GE1/0/2 GE1/0/2
Device A Link aggregation 1 Device B
GE1/0/3 GE1/0/3

GE1/0/5 BAGG1 BAGG1 GE1/0/5

VLAN 20 VLAN 20

Configuration procedure
1. Configure Device A:
# Create VLAN 10, and assign the port GigabitEthernet 1/0/4 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10

62
 [DeviceA-vlan10] port gigabitethernet 1/0/4
[DeviceA-vlan10] quit
# Create VLAN 20, and assign the port GigabitEthernet 1/0/5 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port gigabitethernet 1/0/5
[DeviceA-vlan20] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 1, and set the link aggregation mode
to dynamic.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] link-aggregation mode dynamic
[DeviceA-Bridge-Aggregation1] quit
# Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to link aggregation group 1.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/2] quit
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/3] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLANs 10 and 20.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20
[DeviceA-Bridge-Aggregation1] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Index Oper-Key Flag
GE1/0/1(R) S 32768 11 1 {ACDEF}
GE1/0/2 S 32768 12 1 {ACDEF}
GE1/0/3 S 32768 13 1 {ACDEF}

63
 Remote:
Actor Priority Index Oper-Key SystemID Flag
GE1/0/1 32768 81 1 0x8000, 000f-e267-57ad {ACDEF}
GE1/0/2 32768 82 1 0x8000, 000f-e267-57ad {ACDEF}
GE1/0/3 32768 83 1 0x8000, 000f-e267-57ad {ACDEF}

The output shows that link aggregation group 1 is a Layer 2 dynamic aggregation group that contains
three Selected ports.

Layer 2 aggregation load sharing configuration example

Network requirements
On the network shown in Figure 15, perform the following tasks:
• Configure Layer 2 static aggregation groups 1 and 2 on Device A and Device B, respectively.
• Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other
end.
• Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other
end.
• Configure link aggregation groups 1 and 2 to load share traffic across aggregation group
member ports.
 Configure link aggregation group 1 to load share packets based on source MAC addresses.
 Configure link aggregation group 2 to load share packets based on destination MAC
addresses.
Figure 15 Network diagram

VLAN 10 VLAN 10

GE1/0/5 BAGG1 BAGG1 GE1/0/5

GE1/0/1 GE1/0/1
GE1/0/2 Link aggregation 1 GE1/0/2
Device A Device B
GE1/0/3 Link aggregation 2 GE1/0/3
GE1/0/4 GE1/0/4
GE1/0/6 BAGG2 BAGG2 GE1/0/6

VLAN 20 VLAN 20

Configuration procedure
1. Configure Device A:
# Create VLAN 10, and assign the port GigabitEthernet 1/0/5 to VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] port gigabitethernet 1/0/5
[DeviceA-vlan10] quit
# Create VLAN 20, and assign the port GigabitEthernet 1/0/6 to VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] port gigabitethernet 1/0/6
[DeviceA-vlan20] quit

64
 # Create Layer 2 aggregate interface Bridge-Aggregation 1.
[DeviceA] interface bridge-aggregation 1
# Configure Layer 2 aggregation group 1 to load share packets based on source MAC
addresses.
[DeviceA-Bridge-Aggregation1] link-aggregation load-sharing mode source-mac
[DeviceA-Bridge-Aggregation1] quit
# Assign ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to link aggregation group 1.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/2] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to
VLAN 10.
[DeviceA] interface bridge-aggregation 1
[DeviceA-Bridge-Aggregation1] port link-type trunk
[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10
[DeviceA-Bridge-Aggregation1] quit
# Create Layer 2 aggregate interface Bridge-Aggregation 2.
[DeviceA] interface bridge-aggregation 2
# Configure Layer 2 aggregation group 2 to load share packets based on destination MAC
addresses.
[DeviceA-Bridge-Aggregation2] link-aggregation load-sharing mode destination-mac
[DeviceA-Bridge-Aggregation2] quit
# Assign ports GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to link aggregation group 2.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-aggregation group 2
[DeviceA-GigabitEthernet1/0/3] quit
[DeviceA] interface gigabitethernet 1/0/4
[DeviceA-GigabitEthernet1/0/4] port link-aggregation group 2
[DeviceA-GigabitEthernet1/0/4] quit
# Configure Layer 2 aggregate interface Bridge-Aggregation 2 as a trunk port and assign it to
VLAN 20.
[DeviceA] interface bridge-aggregation 2
[DeviceA-Bridge-Aggregation2] port link-type trunk
[DeviceA-Bridge-Aggregation2] port trunk permit vlan 20
[DeviceA-Bridge-Aggregation2] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

65
 Aggregate Interface: Bridge-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None
Port Status Priority Oper-Key
GE1/0/1(R) S 32768 1
GE1/0/2 S 32768 1

Aggregate Interface: Bridge-Aggregation2

Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None
Port Status Priority Oper-Key
GE1/0/3(R) S 32768 2
GE1/0/4 S 32768 2

The output shows that:

• Link aggregation groups 1 and 2 are both load-shared Layer 2 static aggregation groups.
• Each aggregation group contains two Selected ports.
# Display all the group-specific load sharing modes on Device A.
[DeviceA] display link-aggregation load-sharing mode interface

Bridge-Aggregation1 Load-Sharing Mode:

source-mac address

Bridge-Aggregation2 Load-Sharing Mode:

destination-mac address

The output shows that:

• Link aggregation group 1 load shares packets based on source MAC addresses.
• Link aggregation group 2 load shares packets based on destination MAC addresses.

Layer 2 edge aggregate interface configuration example

Network requirements
As shown in Figure 16, a Layer 2 dynamic aggregation group is configured on the device. The server
is not configured with dynamic link aggregation.
Configure an edge aggregate interface so that both GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2
can forward traffic to improve link reliability.
Figure 16 Network diagram

GE1/0/1
GE1/0/2 Link aggregation 1

Device BAGG1 BAGG1 Server

66
Configuration procedure
# Create Layer 2 aggregate interface Bridge-Aggregation 1, and set the link aggregation mode to
dynamic.
<Device> system-view
[Device] interface bridge-aggregation 1
[Device-Bridge-Aggregation1] link-aggregation mode dynamic

# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as an edge aggregate interface.

[Device-Bridge-Aggregation1] lacp edge-port
[Device-Bridge-Aggregation1] quit

# Assign ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to link aggregation group 1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port link-aggregation group 1
[Device-GigabitEthernet1/0/1] quit
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] port link-aggregation group 1
[Device-GigabitEthernet1/0/2] quit

Verifying the configuration

# Display detailed information about all aggregation groups on the device when the server is not
configured with dynamic link aggregation.
[Device] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Index Oper-Key Flag
GE1/0/1 I 32768 11 1 {AG}
GE1/0/2 I 32768 12 1 {AG}
Remote:
Actor Priority Index Oper-Key SystemID Flag
GE1/0/1 32768 81 0 0x8000, 0000-0000-0000 {DEF}
GE1/0/2 32768 82 0 0x8000, 0000-0000-0000 {DEF}

The output shows that GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are in Individual state when
they do not receive LACPDUs from the server. Both GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2
can forward traffic. When one port fails, its traffic is automatically switched to the other port.

67
Layer 3 static aggregation configuration example
Network requirements
On the network shown in Figure 17, perform the following tasks:
• Configure a Layer 3 static aggregation group on both Device A and Device B.
• Configure IP addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.
Figure 17 Network diagram
GE1/0/1 GE1/0/1
GE1/0/2 GE1/0/2
Link aggregation 1
GE1/0/3 GE1/0/3

Device A RAGG1 RAGG1 Device B

192.168.1.1/24 192.168.1.2/24

Configuration procedure
1. Configure Device A:
# Create Layer 3 aggregate interface Route-Aggregation 1, and configure an IP address and
subnet mask for the aggregate interface.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to
aggregation group 1.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/2] quit
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/3] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Route-Aggregation1

Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None

68
 Port Status Priority Oper-Key
GE1/0/1(R) S 32768 1
GE1/0/2 S 32768 1
GE1/0/3 S 32768 1

The output shows that link aggregation group 1 is a Layer 3 static aggregation group that contains
three Selected ports.

Layer 3 dynamic aggregation configuration example

Network requirements
On the network shown in Figure 18, perform the following tasks:
• Configure a Layer 3 dynamic aggregation group on both Device A and Device B.
• Configure IP addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.
Figure 18 Network diagram
GE1/0/1 GE1/0/1
GE1/0/2 GE1/0/2
Link aggregation 1
GE1/0/3 GE1/0/3

Device A RAGG1 RAGG1 Device B

192.168.1.1/24 192.168.1.2/24

Configuration procedure
1. Configure Device A:
# Create Layer 3 aggregate interface Route-Aggregation 1.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
# Set the link aggregation mode to dynamic.
[DeviceA-Route-Aggregation1] link-aggregation mode dynamic
# Configure an IP address and subnet mask for Route-Aggregation 1.
[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to
aggregation group 1.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/2] quit
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/3] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual

69
 Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Route-Aggregation1

Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Index Oper-Key Flag
GE1/0/1(R) S 32768 11 1 {ACDEF}
GE1/0/2 S 32768 12 1 {ACDEF}
GE1/0/3 S 32768 13 1 {ACDEF}
Remote:
Actor Priority Index Oper-Key SystemID Flag
GE1/0/1 32768 81 1 0x8000, 000f-e267-57ad {ACDEF}
GE1/0/2 32768 82 1 0x8000, 000f-e267-57ad {ACDEF}
GE1/0/3 32768 83 1 0x8000, 000f-e267-57ad {ACDEF}

The output shows that link aggregation group 1 is a Layer 3 dynamic aggregation group that contains
three Selected ports.

Layer 3 aggregation load sharing configuration example

Network requirements
On the network shown in Figure 19, perform the following tasks:
• Configure Layer 3 static aggregation groups 1 and 2 on Device A and Device B, respectively.
• Configure IP addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.
• Configure link aggregation group 1 to load share packets based on source IP addresses.
• Configure link aggregation group 2 to load share packets based on destination IP addresses.
Figure 19 Network diagram
192.168.1.1/24 192.168.1.2/24
RAGG1 RAGG1
GE1/0/1 GE1/0/1
GE1/0/2 Link aggregation 1 GE1/0/2
GE1/0/3 Link aggregation 2 GE1/0/3
GE1/0/4 GE1/0/4
RAGG2 RAGG2
Device A Device B
192.168.2.1/24 192.168.2.2/24

Configuration procedure
1. Configure Device A:
# Create Layer 3 aggregate interface Route-Aggregation 1.
<DeviceA> system-view
[DeviceA] interface route-aggregation 1
# Configure Layer 3 aggregation group 1 to load share packets based on source IP addresses.
[DeviceA-Route-Aggregation1] link-aggregation load-sharing mode source-ip

70
 # Configure an IP address and subnet mask for Layer 3 aggregate interface Route-Aggregation
1.
[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24
[DeviceA-Route-Aggregation1] quit
# Assign Layer 3 Ethernet interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to
aggregation group 1.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1
[DeviceA-GigabitEthernet1/0/2] quit
# Create Layer 3 aggregate interface Route-Aggregation 2.
[DeviceA] interface route-aggregation 2
# Configure Layer 3 aggregation group 2 to load share packets based on destination IP
addresses.
[DeviceA-Route-Aggregation2] link-aggregation load-sharing mode destination-ip
# Configure an IP address and subnet mask for Layer 3 aggregate interface Route-Aggregation
2.
[DeviceA-Route-Aggregation2] ip address 192.168.2.1 24
[DeviceA-Route-Aggregation2] quit
# Assign Layer 3 Ethernet interfaces GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to
aggregation group 2.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-aggregation group 2
[DeviceA-GigabitEthernet1/0/3] quit
[DeviceA] interface gigabitethernet 1/0/4
[DeviceA-GigabitEthernet1/0/4] port link-aggregation group 2
[DeviceA-GigabitEthernet1/0/4] quit
2. Configure Device B in the same way Device A is configured. (Details not shown.)
Verifying the configuration
# Display detailed information about all aggregation groups on Device A.
[DeviceA] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Route-Aggregation1

Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None
Port Status Priority Oper-Key
GE1/0/1(R) S 32768 1
GE1/0/2 S 32768 1

71
 Aggregate Interface: Route-Aggregation2
Aggregation Mode: Static
Loadsharing Type: Shar
Management VLANs: None
Port Status Priority Oper-Key
GE1/0/3(R) S 32768 2
GE1/0/4 S 32768 2

The output shows that:

• Link aggregation groups 1 and 2 are both load-shared Layer 3 static aggregation groups.
• Each aggregation group contains two Selected ports.
# Display all the group-specific load sharing modes on Device A.
[DeviceA] display link-aggregation load-sharing mode interface

Route-Aggregation1 Load-Sharing Mode:

source-ip address

Route-Aggregation2 Load-Sharing Mode:

destination-ip address

The output shows that:

• Link aggregation group 1 load shares packets based on source IP addresses.
• Link aggregation group 2 load shares packets based on destination IP addresses.

Layer 3 edge aggregate interface configuration example

Network requirements
As shown in Figure 20, a Layer 3 dynamic aggregation group is configured on the device. The server
is not configured with dynamic link aggregation.
Configure an edge aggregate interface so that both GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2
can forward traffic to improve link reliability.
Figure 20 Network diagram

GE1/0/1
GE1/0/2 Link aggregation 1

Device RAGG1 RAGG1 Server

192.168.1.1/24 192.168.1.2/24

Configuration procedure
# Create Layer 3 aggregate interface Route-Aggregation 1, and set the link aggregation mode to
dynamic.
<Device> system-view
[Device] interface route-aggregation 1
[Device-Route-Aggregation1] link-aggregation mode dynamic

# Configure an IP address and subnet mask for Layer 3 aggregate interface Route-Aggregation 1.
[Device-Route-Aggregation1] ip address 192.168.1.1 24

# Configure Layer 3 aggregate interface Route-Aggregation 1 as an edge aggregate interface.

[Device-Route-Aggregation1] lacp edge-port

72
 [Device-Route-Aggregation1] quit

# Assign Layer 3 Ethernet interfaces GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to aggregation
group 1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port link-aggregation group 1
[Device-GigabitEthernet1/0/1] quit
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] port link-aggregation group 1
[Device-GigabitEthernet1/0/2] quit

Verifying the configuration

# Display detailed information about all aggregation groups on the device when the server is not
configured with dynamic link aggregation.
[Device] display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected, I -- Individual
Port: A -- Auto port, M -- Management port, R -- Reference port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Route-Aggregation1

Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, 000f-e267-6c6a
Local:
Port Status Priority Index Oper-Key Flag
GE1/0/1 I 32768 11 1 {AG}
GE1/0/2 I 32768 12 1 {AG}
Remote:
Actor Priority Index Oper-Key SystemID Flag
GE1/0/1 32768 81 0 0x8000, 0000-0000-0000 {DEF}
GE1/0/2 32768 82 0 0x8000, 0000-0000-0000 {DEF}

The output shows that GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are in Individual state when
they do not receive LACPDUs from the server. Both GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2
can forward traffic. When one port fails, its traffic is automatically switched to the other port.

73
Configuring port isolation
The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs.
Ports in an isolation group cannot communicate with each other. However, they can communicate
with ports outside the isolation group.

Assigning a port to an isolation group

The device supports multiple isolation groups, which can be configured manually. The number of
ports assigned to an isolation group is not limited.
To assign a port to an isolation group:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create an isolation
group. port-isolate group group-id By default, no isolation groups exist.

• The configuration in Layer 2

Ethernet interface view applies only
to the interface.
• Enter Layer 2 Ethernet • The configuration in Layer 2
interface view: aggregate interface view applies to
interface interface-type the Layer 2 aggregate interface and
interface-number its aggregation member ports. If the
Enter interface view. device fails to apply the configuration
3. • Enter Layer 2 aggregate
to the aggregate interface, it does
interface view:
not assign any aggregation member
interface
port to the isolation group. If the
bridge-aggregation
failure occurs on an aggregation
interface-number
member port, the device skips the
port and continues to assign other
aggregation member ports to the
isolation group.
By default, the port is not in any isolation
group.
4. Assign the port to the port-isolate enable group You can assign a port to only one isolation
isolation group. group-id group. If you execute the port-isolate
enable group command multiple times,
the most recent configuration takes effect.

Displaying and maintaining port isolation

Execute display commands in any view.

Task Command
Display isolation group information. display port-isolate group [ group-id ]

74
Port isolation configuration example
Network requirements
As shown in Figure 21:
• LAN users Host A, Host B, and Host C are connected to GigabitEthernet 1/0/1, GigabitEthernet
1/0/2, and GigabitEthernet 1/0/3 on the device, respectively.
• The device connects to the Internet through GigabitEthernet 1/0/4.
Configure the device to provide Internet access for the hosts, and isolate them from one another at
Layer 2.
Figure 21 Network diagram

Internet

GE1/0/4
Device
GE1/0/1 GE1/0/3

GE1/0/2

Host A Host B Host C

Configuration procedure
# Create isolation group 1.
<Device> system-view
[Device] port-isolate group 1

# Assign GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 to isolation group
1.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port-isolate enable group 1
[Device-GigabitEthernet1/0/1] quit
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] port-isolate enable group 1
[Device-GigabitEthernet1/0/2] quit
[Device] interface gigabitethernet 1/0/3
[Device-GigabitEthernet1/0/3] port-isolate enable group 1
[Device-GigabitEthernet1/0/3] quit

Verifying the configuration

# Display information about isolation group 1.
[Device] display port-isolate group 1

75
 Port isolation group information:
Group ID: 1
Group members:
GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3

The output shows that GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 are
assigned to isolation group 1. As a result, Host A, Host B, and Host C are isolated from one another
at layer 2.

76
Configuring spanning tree protocols
Spanning tree protocols eliminate loops in a physical link-redundant network by selectively blocking
redundant links and putting them in a standby state.
The recent versions of STP include the Rapid Spanning Tree Protocol (RSTP), the Per-VLAN
Spanning Tree (PVST), and the Multiple Spanning Tree Protocol (MSTP).

STP
STP was developed based on the 802.1d standard of IEEE to eliminate loops at the data link layer in
a LAN. Networks often have redundant links as backups in case of failures, but loops are a very
serious problem. Devices running STP detect loops in the network by exchanging information with
one another. They eliminate loops by selectively blocking certain ports to prune the loop structure
into a loop-free tree structure. This avoids proliferation and infinite cycling of packets that would
occur in a loop network.
In a narrow sense, STP refers to IEEE 802.1d STP. In a broad sense, STP refers to the IEEE 802.1d
STP and various enhanced spanning tree protocols derived from that protocol.

STP protocol frames

STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its protocol
frames. This chapter uses BPDUs to represent all types of spanning tree protocol frames.
STP-enabled devices exchange BPDUs to establish a spanning tree. BPDUs contain sufficient
information for the devices to complete spanning tree calculation.
STP uses two types of BPDUs, configuration BPDUs and topology change notification (TCN)
BPDUs.
Configuration BPDUs
Devices exchange configuration BPDUs to elect the root bridge and determine port roles. Figure 22
shows the configuration BPDU format.
Figure 22 Configuration BPDU format

DMA SMA L/T LLC header Payload

DMA: Destination MAC address Fields Byte

SMA: Source MAC address Protocol ID 2
L/T: Frame length Protocol version ID 1
LLC header: Logical link control header
Payload: BPDU data BPDU type 1
Flags 1
Root ID 8
Root path cost 4
Bridge ID 8
Port ID 2
Message age 2
Max age 2
Hello time 2
Forward delay 2

The payload of a configuration BPDU includes the following fields:

77
 • Protocol ID—Fixed at 0x0000, which represents IEEE 802.1d.
• Protocol version ID—Spanning tree protocol version ID. The protocol version ID for STP is
0x00.
• BPDU type—Type of the BPDU. The value is 0x00 for a configuration BPDU.
• Flags—An 8-bit field indicates the purpose of the BPDU. The lowest bit is the Topology Change
(TC) flag. The highest bit is the Topology Change Acknowledge (TCA) flag. All other bits are
reserved.
• Root ID—Root bridge ID formed by the priority and MAC address of the root bridge.
• Root path cost—Cost of the path to the root bridge.
• Bridge ID—Designated bridge ID formed by the priority and MAC address of the designated
bridge.
• Port ID—Designated port ID formed by the priority and global port number of the designated
port.
• Message age—Age of the configuration BPDU while it propagates in the network.
• Max age—Maximum age of the configuration BPDU stored on the switch.
• Hello time—Configuration BPDU transmission interval.
• Forward delay—Delay for STP bridges to transit port state.
Devices use the root bridge ID, root path cost, designated bridge ID, designated port ID, message
age, max age, hello time, and forward delay for spanning tree calculation.
TCN BPDUs
Devices use TCN BPDUs to announce changes in the network topology. Figure 23 shows the TCN
BPDU format.
Figure 23 TCN BPDU format

DMA SMA L/T LLC header Payload

DMA: Destination MAC address Fields Byte

SMA: Source MAC address
Protocol ID 2
L/T: Frame length
LLC header: Logical link control header Protocol version ID 1
Payload: BPDU data BPDU type 1

The payload of a TCN BPDU includes the following fields:

• Protocol ID—Fixed at 0x0000, which represents IEEE 802.1d.
• Protocol version ID—Spanning tree protocol version ID. The protocol version ID for STP is
0x00.
• BPDU type—Type of the BPDU. The value is 0x80 for a TCN BPDU.
A non-root bridge sends TCN BPDUs when one of the following events occurs on the bridge:
• A port transits to the forwarding state, and the bridge has a minimum of one designated port.
• A port transits from the forwarding or learning state to the blocking state.
The non-root bridge uses TCN BPDUs to notify the root bridge once the network topology changes.
The root bridge then sets the TC flag in its configuration BPDU and propagates it to other bridges.

78
Basic concepts in STP
Root bridge
A tree network must have a root bridge. The entire network contains only one root bridge, and all the
other bridges in the network are called leaf nodes. The root bridge is not permanent, but can change
with changes of the network topology.
Upon initialization of a network, each device generates and periodically sends configuration BPDUs,
with itself as the root bridge. After network convergence, only the root bridge generates and
periodically sends configuration BPDUs. The other devices only forward the BPDUs.
Root port
On a non-root bridge, the port nearest to the root bridge is the root port. The root port communicates
with the root bridge. Each non-root bridge has only one root port. The root bridge has no root port.
Designated bridge and designated port

Classification Designated bridge Designated port

Device directly connected to the local device
Port through which the designated
For a device and responsible for forwarding BPDUs to the
bridge forwards BPDUs to this device.
local device.
Port through which the designated
Device responsible for forwarding BPDUs to
For a LAN bridge forwards BPDUs to this LAN
this LAN segment.
segment.

As shown in Figure 24, Device B and Device C are directly connected to a LAN.
If Device A forwards BPDUs to Device B through port A1, the designated bridge and designated port
are as follows:
• The designated bridge for Device B is Device A.
• The designated port for Device B is port A1 on Device A.
If Device B forwards BPDUs to the LAN, the designated bridge and designated port are as follows:
• The designated bridge for the LAN is Device B.
• The designated port for the LAN is port B2 on Device B.
Figure 24 Designated bridges and designated ports
Device A

Port A1 Port A2

Device B Device C
Port B1 Port C1

Port B2 Port C2

LAN

Port states
Table 7 lists the port states in STP.

79
 Table 7 STP port states

State Receives/sends BPDUs Learns MAC addresses Forwards user data

Disabled No No No
Listening Yes No No
Learning Yes Yes No
Forwarding Yes Yes Yes
Blocking Receive No No

Path cost
Path cost is a reference value used for link selection in STP. To prune the network into a loop-free
tree, STP calculates path costs to select the most robust links and block redundant links that are less
robust.

Calculation process of the STP algorithm

The spanning tree calculation process described in the following sections is an example of a
simplified process.
Calculation process
The STP algorithm uses the following calculation process:
1. Network initialization.
Upon initialization of a device, each port generates a BPDU with the following contents:
 The port as the designated port.
 The device as the root bridge.
 0 as the root path cost.
 The device ID as the designated bridge ID.
2. Root bridge selection.
Initially, each STP-enabled device on the network assumes itself to be the root bridge, with its
own device ID as the root bridge ID. By exchanging configuration BPDUs, the devices compare
their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge.
3. Root port and designated ports selection on the non-root bridges.

Step Description
A non-root-bridge device regards the port on which it received the optimum configuration
1 BPDU as the root port. Table 8 describes how the optimum configuration BPDU is
selected.
Based on the configuration BPDU and the path cost of the root port, the device calculates
a designated port configuration BPDU for each of the other ports.
• The root bridge ID is replaced with that of the configuration BPDU of the root port.
2 • The root path cost is replaced with that of the configuration BPDU of the root port plus
the path cost of the root port.
• The designated bridge ID is replaced with the ID of this device.
• The designated port ID is replaced with the ID of this port.
The device compares the calculated configuration BPDU with the configuration BPDU on
the port whose port role will be determined. Then, the device acts depending on the result
3 of the comparison:
• If the calculated configuration BPDU is superior, the device performs the following
operations:

80
 Step Description
 Considers this port as the designated port.
 Replaces the configuration BPDU on the port with the calculated configuration
BPDU.
 Periodically sends the calculated configuration BPDU.
• If the configuration BPDU on the port is superior, the device blocks this port without
updating its configuration BPDU. The blocked port can receive BPDUs, but cannot
send BPDUs or forward data traffic.

When the network topology is stable, only the root port and designated ports forward user traffic.
Other ports are all in the blocking state to receive BPDUs but not to forward BPDUs or user
traffic.
Table 8 Selecting the optimum configuration BPDU

Step Actions
Upon receiving a configuration BPDU on a port, the device compares the priority of the
received configuration BPDU with that of the configuration BPDU generated by the port.
• If the former priority is lower, the device discards the received configuration BPDU
1
and keeps the configuration BPDU the port generated.
• If the former priority is higher, the device replaces the content of the configuration
BPDU generated by the port with the content of the received configuration BPDU.
The device compares the configuration BPDUs of all the ports and chooses the optimum
2
configuration BPDU.

The following are the principles of configuration BPDU comparison:

a. The configuration BPDU with the lowest root bridge ID has the highest priority.
b. If configuration BPDUs have the same root bridge ID, their root path costs are compared.
For example, the root path cost in a configuration BPDU plus the path cost of a receiving
port is S. The configuration BPDU with the smallest S value has the highest priority.
c. If all configuration BPDUs have the same root bridge ID and S value, the following attributes
are compared in sequence:
− Designated bridge IDs.
− Designated port IDs.
− IDs of the receiving ports.
The configuration BPDU that contains a smaller designated bridge ID, designated port ID,
or receiving port ID is selected.
A tree-shape topology forms when the root bridge, root ports, and designated ports are selected.
Example of STP calculation
Figure 25 provides an example showing how the STP algorithm works.

81
Figure 25 The STP algorithm
Device A
Priority = 0

Port A1 Port A2

Pa
=5

th
st

co
co

st
th

=1
Pa

0
Port B1 Port C1
Port B2 Port C2

Path cost = 4
Device B Device C
Priority = 1 Priority = 2

As shown in Figure 25, the priority values of Device A, Device B, and Device C are 0, 1, and 2,
respectively. The path costs of links among the three devices are 5, 10, and 4.
1. Device state initialization.
In Table 9, each configuration BPDU contains the following fields: root bridge ID, root path cost,
designated bridge ID, and designated port ID.
Table 9 Initial state of each device

Configuration BPDU on
Device Port name
the port
Port A1 {0, 0, 0, Port A1}
Device A
Port A2 {0, 0, 0, Port A2}
Port B1 {1, 0, 1, Port B1}
Device B
Port B2 {1, 0, 1, Port B2}
Port C1 {2, 0, 2, Port C1}
Device C
Port C2 {2, 0, 2, Port C2}

2. Configuration BPDUs comparison on each device.

In Table 10, each configuration BPDU contains the following fields: root bridge ID, root path
cost, designated bridge ID, and designated port ID.

82
Table 10 Comparison process and result on each device

Configuration BPDU
Device Comparison process on ports after
comparison
Port A1 performs the following operations:
5. Receives the configuration BPDU of Port B1 {1, 0, 1,
Port B1}.
6. Determines that its existing configuration BPDU {0, 0,
0, Port A1} is superior to the received configuration
BPDU.
7. Discards the received one.
Port A2 performs the following operations: • Port A1: {0, 0, 0, Port
8. Receives the configuration BPDU of Port C1 {2, 0, 2, A1}
Device A Port C1}. • Port A2: {0, 0, 0, Port
9. Determines that its existing configuration BPDU {0, 0, A2}
0, Port A2} is superior to the received configuration
BPDU.
10. Discards the received one.
Device A determines that it is both the root bridge and
designated bridge in the configuration BPDUs of all its
ports. It considers itself as the root bridge. It does not
change the configuration BPDU of any port and starts to
periodically send configuration BPDUs.
Port B1 performs the following operations:
11. Receives the configuration BPDU of Port A1 {0, 0, 0,
Port A1}.
12. Determines that the received configuration BPDU is
superior to its existing configuration BPDU {1, 0, 1,
Port B1}. • Port B1: {0, 0, 0, Port
13. Updates its configuration BPDU. A1}
Port B2 performs the following operations: • Port B2: {1, 0, 1, Port
14. Receives the configuration BPDU of Port C2 {2, 0, 2, B2}
Port C2}.
15. Determines that its existing configuration BPDU {1, 0,
1, Port B2} is superior to the received configuration
BPDU.
16. Discards the received BPDU.
Device B
Device B performs the following operations:
17. Compares the configuration BPDUs of all its ports.
18. Decides that the configuration BPDU of Port B1 is the
optimum.
19. Selects Port B1 as the root port with the configuration
BPDU unchanged. • Root port (Port B1):
Based on the configuration BPDU and path cost of the root {0, 0, 0, Port A1}
port, Device B calculates a designated port configuration • Designated port (Port
BPDU for Port B2 {0, 5, 1, Port B2}. Device B compares it B2): {0, 5, 1, Port B2}
with the existing configuration BPDU of Port B2 {1, 0, 1, Port
B2}. Device B determines that the calculated one is
superior, and determines that Port B2 is the designated
port. It replaces the configuration BPDU on Port B2 with the
calculated one, and periodically sends the calculated
configuration BPDU.
Port C1 performs the following operations: • Port C1: {0, 0, 0, Port
20. Receives the configuration BPDU of Port A2 {0, 0, 0, A2}
Device C
Port A2}. • Port C2: {1, 0, 1, Port
21. Determines that the received configuration BPDU is B2}

83
 Configuration BPDU
Device Comparison process on ports after
comparison
superior to its existing configuration BPDU {2, 0, 2,
Port C1}.
22. Updates its configuration BPDU.
Port C2 performs the following operations:
23. Receives the original configuration BPDU of Port B2
{1, 0, 1, Port B2}.
24. Determines that the received configuration BPDU is
superior to the existing configuration BPDU {2, 0, 2,
Port C2}.
25. Updates its configuration BPDU.
Device C performs the following operations:
26. Compares the configuration BPDUs of all its ports.
27. Decides that the configuration BPDU of Port C1 is the
optimum.
28. Selects Port C1 as the root port with the configuration • Root port (Port C1):
BPDU unchanged. {0, 0, 0, Port A2}
Based on the configuration BPDU and path cost of the root • Designated port (Port
port, Device C calculates the configuration BPDU of Port C2 C2): {0, 10, 2, Port
{0, 10, 2, Port C2}. Device C compares it with the existing C2}
configuration BPDU of Port C2 {1, 0, 1, Port B2}. Device C
determines that the calculated configuration BPDU is
superior to the existing one, selects Port C2 as the
designated port, and replaces the configuration BPDU of
Port C2 with the calculated one.
Port C2 performs the following operations:
29. Receives the updated configuration BPDU of Port B2
{0, 5, 1, Port B2}.
30. Determines that the received configuration BPDU is
superior to its existing configuration BPDU {0, 10, 2,
Port C2}. • Port C1: {0, 0, 0, Port
A2}
31. Updates its configuration BPDU.
• Port C2: {0, 5, 1, Port
Port C1 performs the following operations: B2}
32. Receives a periodic configuration BPDU {0, 0, 0, Port
A2} from Port A2.
33. Determines that it is the same as the existing
configuration BPDU.
34. Discards the received BPDU.
Device C determines that the root path cost of Port C1 is
larger than that of Port C2. The root path cost of Port C1 is
10, root path cost of the received configuration BPDU (0)
plus path cost of Port C1 (10). The root path cost of Port C2
is 9, root path cost of the received configuration BPDU (5)
plus path cost of Port C2 (4). Device C determines that the
configuration BPDU of Port C2 is the optimum, and selects
Port C2 as the root port with the configuration BPDU • Blocked port (Port
unchanged. C1): {0, 0, 0, Port A2}
• Root port (Port C2):
Based on the configuration BPDU and path cost of the root
{0, 5, 1, Port B2}
port, Device C performs the following operations:
35. Calculates a designated port configuration BPDU for
Port C1 {0, 9, 2, Port C1}.
36. Compares it with the existing configuration BPDU of
Port C1 {0, 0, 0, Port A2}.
37. Determines that the existing configuration BPDU is
superior to the calculated one and blocks Port C1 with

84
 Configuration BPDU
Device Comparison process on ports after
comparison
the configuration BPDU unchanged.
Port C1 does not forward data until a new event triggers a
spanning tree calculation process: for example, the link
between Device B and Device C is down.

After the comparison processes described in Table 10, a spanning tree with Device A as the root
bridge is established, as shown in Figure 26.
Figure 26 The final calculated spanning tree

A
Root bridge

Root port

Designated port

Blocked port

Normal link

B C Blocked link

The configuration BPDU forwarding mechanism of STP

The configuration BPDUs of STP are forwarded according to these guidelines:
• Upon network initiation, every device regards itself as the root bridge and generates
configuration BPDUs with itself as the root. Then it sends the configuration BPDUs at a regular
hello interval.
• If the root port receives a configuration BPDU superior to the configuration BPDU of the port,
the device performs the following operations:
 Increases the message age carried in the configuration BPDU.
 Starts a timer to time the configuration BPDU.
 Sends this configuration BPDU through the designated port.
• If a designated port receives a configuration BPDU with a lower priority than its configuration
BPDU, the port immediately responds with its configuration BPDU.
• If a path fails, the root port on this path no longer receives new configuration BPDUs and the old
configuration BPDUs will be discarded due to timeout. The device generates a configuration
BPDU with itself as the root and sends the BPDUs and TCN BPDUs. This triggers a new
spanning tree calculation process to establish a new path to restore the network connectivity.
However, the newly calculated configuration BPDU cannot be propagated throughout the network
immediately. As a result, the old root ports and designated ports that have not detected the topology
change continue forwarding data along the old path. If the new root ports and designated ports begin
to forward data as soon as they are elected, a temporary loop might occur.
STP timers
The most important timing parameters in STP calculation are forward delay, hello time, and max age.
• Forward delay
Forward delay is the delay time for port state transition. By default, the forward delay is 15
seconds.

85
 A path failure can cause spanning tree re-calculation to adapt the spanning tree structure to the
change. However, the resulting new configuration BPDU cannot propagate throughout the
network immediately. If the newly elected root ports and designated ports start to forward data
immediately, a temporary loop will likely occur.
The newly elected root ports or designated ports must go through the listening and learning
states before they transit to the forwarding state. This requires twice the forward delay time and
allows the new configuration BPDU to propagate throughout the network.
• Hello time
The device sends configuration BPDUs at the hello time interval to the neighboring devices to
ensure that the paths are fault-free. By default, the hello time is 2 seconds. If the device does
not receive configuration BPDUs within the timeout period, it recalculates the spanning tree.
The formula for calculating the timeout period is timeout period = timeout factor × 3 × hello time.
• Max age
The device uses the max age to determine whether a stored configuration BPDU has expired
and discards it if the max age is exceeded. By default, the max age is 20 seconds. In the CIST
of an MSTP network, the device uses the max age timer to determine whether a configuration
BPDU received by a port has expired. If it is expired, a new spanning tree calculation process
starts. The max age timer does not take effect on MSTIs.
If a port does not receive any configuration BPDUs within the timeout period, the port transits to the
listening state. The device will recalculate the spanning tree. It takes the port 50 seconds to transit
back to the forwarding state. This period includes 20 seconds for the max age, 15 seconds for the
listening state, and 15 seconds for the learning state.
To ensure a fast topology convergence, make sure the timer settings meet the following formulas:
• 2 × (forward delay – 1 second) ≥ max age
• Max age ≥ 2 × (hello time + 1 second)

RSTP
RSTP achieves rapid network convergence by allowing a newly elected root port or designated port
to enter the forwarding state much faster than STP.

RSTP protocol frames

An RSTP BPDU uses the same format as an STP BPDU except that a Version1 length field is added
to the payload of RSTP BPDUs. The differences between an RSTP BPDU and an STP BPDU are as
follows:
• Protocol version ID—The value is 0x02 for RSTP.
• BPDU type—The value is 0x02 for RSTP BPDUs.
• Flags—All 8 bits are used.
• Version1 length—The value is 0x00, which means no version 1 protocol information is
present.
RSTP does not use TCN BPDUs to advertise topology changes. RSTP floods BPDUs with the TC
flag set in the network to advertise topology changes.

Basic concepts in RSTP

Port roles
In addition to root port and designated port, RSTP also uses the following port roles:

86
 • Alternate port—Acts as the backup port for a root port. When the root port is blocked, the
alternate port takes over.
• Backup port—Acts as the backup port of a designated port. When the designated port is
invalid, the backup port becomes the new designated port. A loop occurs when two ports of the
same spanning tree device are connected, so the device blocks one of the ports. The blocked
port is the backup port.
• Edge port—Directly connects to a user host rather than a network device or network segment.
Port states
RSTP uses the discarding state to replace the disabled, blocking, and listening states in STP. Table
11 shows the differences between the port states in RSTP and STP.
Table 11 Port state differences between RSTP and STP

RSTP port Sends Learns MAC Forwards user

STP port state
state BPDU addresses data
Disabled Discarding No No No
Blocking Discarding No No No
Listening Discarding Yes No No
Learning Learning Yes Yes No
Forwarding Forwarding Yes Yes Yes

How RSTP works

During RSTP calculation, the following events occur:
• If a port in discarding state becomes an alternate port, it retains its state.
• If a port in discarding state is elected as the root port or designated port, it enters the learning
state after the forward delay. The port learns MAC addresses, and enters the forwarding state
after another forward delay.
 A newly elected RSTP root port rapidly enters the forwarding state if the following
requirements are met:
− The old root port on the device has stopped forwarding data.
− The upstream designated port has started forwarding data.
 A newly elected RSTP designated port rapidly enters the forwarding state if one of the
following requirements is met:
− The designated port is configured as an edge port which directly connects to a user
terminal.
− The designated port connects to a point-to-point link and receives a handshake
response from the directly connected device.

RSTP BPDU processing

In RSTP, a non-root bridge actively sends RSTP BPDUs at the hello time through designated ports
without waiting for the root bridge to send RSTP BPDUs. This enables RSTP to quickly detect link
failures. If a device fails to receive any RSTP BPDUs on a port within triple the hello time, the device
considers that a link failure has occurred. After the stored configuration BPDU expires, the device
floods RSTP BPDUs with the TC flag set to initiate a new RSTP calculation.
In RSTP, a port in blocking state can immediately respond to an RSTP BPDU with a lower priority
than its own BPDU.

87
 As shown in Figure 27, Device A is the root bridge. The priority of Device B is higher than the priority
of Device C. Port C2 on Device C is blocked.
When the link between Device A and Device B fails, the following events occur:
1. Device B sends an RSTP BPDU with itself as the root bridge to Device C.
2. Device C compares the RSTP BPDU with its own BPDU.
3. Because the RSTP BPDU from Device B has a lower priority, Device C sends its own BPDU to
Device B.
4. Device B considers that Port B2 is the root port and stops sending RSTP BPDUs to Device C.
Figure 27 BPDU processing in RSTP
Device A Failed link
Root bridge
BID=0.MAC A RSTP BPDU with
low priority
RSTP BPDU with
Port A1 Port A2 high priority

Port B1
Device A is the root Port C1
Device B Device C
BID=4096.MAC B Port B2 Port C2 BID=8192.MAC C
Device B is the root

PVST
In an STP- or RSTP-enabled LAN, all bridges share one spanning tree. Traffic from all VLANs is
forwarded along the spanning tree, and ports cannot be blocked on a per-VLAN basis to prune loops.
PVST allows every VLAN to have its own spanning tree, which increases usage of links and
bandwidth. Because each VLAN runs RSTP independently, a spanning tree only serves its VLAN.
A PVST-enabled HPE device can communicate with a third-party device that is running Rapid PVST
or PVST. The PVST-enabled HPE device supports fast network convergence like RSTP when
connected to PVST-enabled HPE devices or third-party devices enabled with Rapid PVST.

PVST protocol frames

As shown in Figure 28, a PVST BPDU uses the same format as an RSTP BPDU except the following
differences:
• The destination MAC address of a PVST BPDU is 01-00-0c-cc-cc-cd, which is a private MAC
address.
• Each PVST BPDU carries a VLAN tag. The VLAN tag identifies the VLAN to which the PVST
BPDU belongs.
• The organization code and PID fields are added to the LLC header of the PVST BPDU.
Figure 28 PVST BPDU format

DMA SMA L/T VLAN tag LLC header Payload

Organization code
PID

88
 A port's link type determines the type of BPDUs the port sends.
• An access port sends RSTP BPDUs.
• A trunk or hybrid port sends RSTP BPDUs in the default VLAN and sends PVST BPDUs in other
VLANs.

Basic concepts in PVST

PVST uses the same port roles and port states as RSTP for fast convergence. For more information,
see "Basic concepts in RSTP."

How PVST works

In PVST, each VLAN runs RSTP independently to maintain its own spanning tree without affecting
the spanning trees of other VLANs. In this way, loops in each VLAN are eliminated and traffic of
different VLANs is load shared over links. PVST uses RSTP BPDUs in the default VLAN and PVST
BPDUs in other VLANs for spanning tree calculation. HPE PVST implements per-VLAN spanning
tree calculation by mapping each VLAN to an MSTI.

MSTP
MSTP overcomes the following STP, RSTP, and PVST limitations:
• STP limitations—STP does not support rapid state transition of ports. A newly elected port
must wait twice the forward delay time before it transits to the forwarding state.
• RSTP limitations—Although RSTP enables faster network convergence than STP, RSTP fails
to provide load balancing among VLANs. As with STP, all RSTP bridges in a LAN share one
spanning tree and forward frames from all VLANs along this spanning tree.
• PVST limitations—Because each VLAN has its spanning tree, the amount of PVST BPDUs is
proportional to the number of VLANs on a trunk or hybrid port. When the trunk or hybrid port
permits too many VLANs, both resources and calculations for maintaining the VLAN spanning
trees increase dramatically. If a status change occurs on the trunk or hybrid port that permits
multiple VLANs, the device CPU will be overburdened with recalculating the affected spanning
trees. As a result, network performance is degraded.

MSTP features
Developed based on IEEE 802.1s, MSTP overcomes the limitations of STP, RSTP, and PVST. In
addition to supporting rapid network convergence, it allows data flows of different VLANs to be
forwarded along separate paths. This provides a better load sharing mechanism for redundant links.
MSTP provides the following features:
• MSTP divides a switched network into multiple regions, each of which contains multiple
spanning trees that are independent of one another.
• MSTP supports mapping VLANs to spanning tree instances by means of a VLAN-to-instance
mapping table. MSTP can reduce communication overheads and resource usage by mapping
multiple VLANs to one instance.
• MSTP prunes a loop network into a loop-free tree, which avoids proliferation and endless
cycling of frames in a loop network. In addition, it supports load balancing of VLAN data by
providing multiple redundant paths for data forwarding.
• MSTP is compatible with STP and RSTP, and partially compatible with PVST.

89
MSTP protocol frames
Figure 29 shows the format of an MSTP BPDU.
Figure 29 MSTP BPDU format
Fields Byte
Protocol ID 2
Protocol version ID 1
BPDU type 1
Flags 1
Root ID 8
Root path cost 4
Bridge ID 8
Port ID 2
Message age 2
Max age 2
Hello time 2
Forward delay 2
Version1 length=0 1
Version3 length 2
MST configuration ID 51
CIST IRPC 4
MSTP-specific
CIST bridge ID 8 fields
CIST remaining ID 1
MSTI configuration messages LEN

The first 13 fields of an MSTP BPDU are the same as an RSTP BPDU. The other six fields are
unique to MSTP.
• Protocol version ID—The value is 0x03 for MSTP.
• BPDU type—The value is 0x02 for RSTP/MSTP BPDUs.
• Root ID—ID of the common root bridge.
• Root path cost—CIST external path cost.
• Bridge ID—ID of the regional root for the IST or an MSTI.
• Port ID—ID of the designated port in the CIST.
• Version3 length—Length of the MSTP-specific fields. Devices use this field for verification
upon receiving an MSTP BPDU.
• MST configuration ID—Includes the format selector, configuration name, revision level, and
configuration digest. The value for format selector is fixed at 0x00. The other parameters are
used to identify the MST region for the originating bridge.
• CIST IRPC—Internal root path cost (IRPC) from the originating bridge to the root of the MST
region.
• CIST bridge ID—ID of the bridge that sends the MSTP BPDU.
• CIST remaining ID—Remaining hop count. This field limits the scale of the MST region. The
regional root sends a BPDU with the remaining hop count set to the maximum value. Each
device that receives the BPDU decrements the hop count by one. When the hop count reaches
zero, the BPDU is discarded. Devices beyond the maximum hops of the MST region cannot
participate in spanning tree calculation. The default remaining hop count is 20.
• MSTI configuration messages—Contains MSTI configuration messages. Each MSTI
configuration message is 16 bytes. This field can contain 0 to 64 MSTI configuration messages.
The number of the MSTI configuration messages is determined by the number of MSTIs in the
MST region.

90
Basic concepts in MSTP
Figure 30 shows a switched network that contains four MST regions, each MST region containing
four MSTP devices. Figure 31 shows the networking topology of MST region 3.
Figure 30 Basic concepts in MSTP
VLAN 1 à MSTI 1 VLAN 1 à MSTI 1
VLAN 2 à MSTI 2 VLAN 2 à MSTI 2
Other VLANs à MSTI 0 Other VLANs à MSTI 0

MST region 1 MST region 4

MST region 2 MST region 3

VLAN 1 à MSTI 1 VLAN 1 à MSTI 1

VLAN 2 à MSTI 2 CST VLAN 2&3 à MSTI 2
Other VLANs à MSTI 0 Other VLANs à MSTI 0

Figure 31 Network diagram and topology of MST region 3

To MST region 4

A B A B
To MST region 2

MST region 3
Device A Device B

C D C D
MSTI 1 MSTI 2

A B
Regional root

Device C Device D C D MSTI

MSTI 0
VLAN 1 à MSTI 1
VLAN 2&3 à MSTI 2 Topology of MSTIs in MST region 3
Other VLANs à MSTI 0

91
MST region
A multiple spanning tree region (MST region) consists of multiple devices in a switched network and
the network segments among them. All these devices have the following characteristics:
• A spanning tree protocol enabled
• Same region name
• Same VLAN-to-instance mapping configuration
• Same MSTP revision level
• Physically linked together
Multiple MST regions can exist in a switched network. You can assign multiple devices to the same
MST region, as shown in Figure 30.
• The switched network contains four MST regions, MST region 1 through MST region 4.
• All devices in each MST region have the same MST region configuration.
MSTI
MSTP can generate multiple independent spanning trees in an MST region, and each spanning tree
is mapped to the specific VLANs. Each spanning tree is referred to as a multiple spanning tree
instance (MSTI).
In Figure 31, MST region 3 contains three MSTIs, MSTI 1, MSTI 2, and MSTI 0.
VLAN-to-instance mapping table
As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping
relationships between VLANs and MSTIs.
In Figure 31, the VLAN-to-instance mapping table of MST region 3 is as follows:
• VLAN 1 to MSTI 1.
• VLAN 2 and VLAN 3 to MSTI 2.
• Other VLANs to MSTI 0.
MSTP achieves load balancing by means of the VLAN-to-instance mapping table.
CST
The common spanning tree (CST) is a single spanning tree that connects all MST regions in a
switched network. If you regard each MST region as a device, the CST is a spanning tree calculated
by these devices through STP or RSTP.
The blue lines in Figure 30 represent the CST.
IST
An internal spanning tree (IST) is a spanning tree that runs in an MST region. It is also called MSTI 0,
a special MSTI to which all VLANs are mapped by default.
In Figure 30, MSTI 0 is the IST in MST region 3.
CIST
The common and internal spanning tree (CIST) is a single spanning tree that connects all devices in
a switched network. It consists of the ISTs in all MST regions and the CST.
In Figure 30, the ISTs (MSTI 0) in all MST regions plus the inter-region CST constitute the CIST of the
entire network.
Regional root
The root bridge of the IST or an MSTI within an MST region is the regional root of the IST or MSTI.
Based on the topology, different spanning trees in an MST region might have different regional roots,
as shown in MST region 3 in Figure 31.

92
 • The regional root of MSTI 1 is Device B.
• The regional root of MSTI 2 is Device C.
• The regional root of MSTI 0 (also known as the IST) is Device A.
Common root bridge
The common root bridge is the root bridge of the CIST.
In Figure 30, the common root bridge is a device in MST region 1.
Port roles
A port can play different roles in different MSTIs. As shown in Figure 32, an MST region contains
Device A, Device B, Device C, and Device D. Port A1 and port A2 of Device A connect to the
common root bridge. Port B2 and Port B3 of Device B form a loop. Port C3 and Port C4 of Device C
connect to other MST regions. Port D3 of Device D directly connects to a host.
Figure 32 Port roles
To the common root

MST region Port A1 Port A2

Root port

Port A3 Port A4 Designated port

Device A
(Root bridge) Alternate port

Device B Device D Backup port

Port B1 Port D1
Edge port
Port B2 Port B3 Port D2
Port D3
Master port

Boundary port

Port C1
Port C2
Normal link
Device C
Blocked link
Port C3 Port C4

To other MST regions

MSTP calculation involves the following port roles:

• Root port—Forwards data for a non-root bridge to the root bridge. The root bridge does not
have any root port.
• Designated port—Forwards data to the downstream network segment or device.
• Alternate port—Acts as the backup port for a root port or master port. When the root port or
master port is blocked, the alternate port takes over.
• Backup port—Acts as the backup port of a designated port. When the designated port is
invalid, the backup port becomes the new designated port. A loop occurs when two ports of the
same spanning tree device are connected, so the device blocks one of the ports. The blocked
port acts as the backup.
• Edge port—Directly connects to a user host rather than a network device or network segment.
• Master port—Acts as a port on the shortest path from the local MST region to the common root
bridge. The master port is not always located on the regional root. It is a root port on the IST or
CIST and still a master port on the other MSTIs.
• Boundary port—Connects an MST region to another MST region or to an STP/RSTP-running
device. In MSTP calculation, a boundary port's role on an MSTI is consistent with its role on the

93
 CIST. However, that is not true with master ports. A master port on MSTIs is a root port on the
CIST.
Port states
In MSTP, a port can be in one of the following states:
• Forwarding—The port receives and sends BPDUs, learns MAC addresses, and forwards user
traffic.
• Learning—The port receives and sends BPDUs, learns MAC addresses, but does not forward
user traffic. Learning is an intermediate port state.
• Discarding—The port receives and sends BPDUs, but does not learn MAC addresses or
forward user traffic.

NOTE:
When in different MSTIs, a port can be in different states.

A port state is not exclusively associated with a port role. Table 12 lists the port states that each port
role supports. (A check mark [√] indicates that the port supports this state, while a dash [—] indicates
that the port does not support this state.)
Table 12 Port states that different port roles support

Port role (right) Root

Designated
port/master Alternate port Backup port
Port state (below) port
port
Forwarding √ √ — —
Learning √ √ — —
Discarding √ √ √ √

How MSTP works

MSTP divides an entire Layer 2 network into multiple MST regions, which are connected by a
calculated CST. Inside an MST region, multiple spanning trees, called MSTIs, are calculated. Among
these MSTIs, MSTI 0 is the IST.
Like STP, MSTP uses configuration BPDUs to calculate spanning trees. An important difference is
that an MSTP BPDU carries the MSTP configuration of the bridge from which the BPDU is sent.
CIST calculation
During the CIST calculation, the following process takes place:
• The device with the highest priority is elected as the root bridge of the CIST.
• MSTP generates an IST within each MST region through calculation.
• MSTP regards each MST region as a single device and generates a CST among these MST
regions through calculation.
The CST and ISTs constitute the CIST of the entire network.
MSTI calculation
Within an MST region, MSTP generates different MSTIs for different VLANs based on the
VLAN-to-instance mappings. For each spanning tree, MSTP performs a separate calculation
process similar to spanning tree calculation in STP. For more information, see "Calculation process
of the STP algorithm."
In MSTP, a VLAN frame is forwarded along the following paths:

94
 • Within an MST region, the frame is forwarded along the corresponding MSTI.
• Between two MST regions, the frame is forwarded along the CST.

MSTP implementation on devices

MSTP is compatible with STP and RSTP. Devices that are running MSTP and that are used for
spanning tree calculation can identify STP and RSTP protocol frames.
In addition to basic MSTP features, the following features are provided for ease of management:
• Root bridge hold
• Root bridge backup
• Root guard
• BPDU guard
• Loop guard
• TC-BPDU guard
• Port role restriction
• TC-BPDU transmission restriction

Rapid transition mechanism

In STP, a port must wait twice the forward delay (30 seconds by default) before it transits from the
blocking state to the forwarding state. The forward delay is related to the hello time and network
diameter. If the forward delay is too short, loops might occur. This affects the stability of the network.
RSTP, PVST, and MSTP all use the rapid transition mechanism to speed up port state transition for
edge ports, root ports, and designated ports. The rapid transition mechanism for designated ports is
also known as the proposal/agreement (P/A)_transition.
Edge port rapid transition
As shown in Figure 33, Port C3 is an edge port connected to a host. When a network topology
change occurs, the port can immediately transit from the blocking state to the forwarding state
because no loop will be caused.
Because a device cannot determine whether a port is directly connected to a terminal, you must
manually configure the port as an edge port.
Figure 33 Edge port rapid transition
Root port
Port A1 Port A2
Designated port
Device A
Root bridge Alternate port

Port B1 Port C1 Edge port

Device B Device C Normal link

Port B2 Port C2
Port C3
Blocked link

95
Root port rapid transition
When a root port is blocked, the bridge will elect the alternate port with the highest priority as the new
root port. If the new root port's peer is in the forwarding state, the new root port immediately transits
to the forwarding state.
As shown in Figure 34, Port C2 on Device C is a root port and Port C1 is an alternate port. When Port
C2 transits to the blocking state, Port C1 is elected as the root port and immediately transits to the
forwarding state.
Figure 34 Root port rapid transition
Root port
Designated port
Alternate port
Normal link
Blocked link
Device A Device A
Root bridge Root bridge

Port A1 Port A2 Port A1 Port A2

Port B1 Port C1 Port B1 Port C1

Device B Device C Device B Device C

Port B2 Port C2 Port B2 Port C2

P/A transition
The P/A transition enables a designated port to rapidly transit to the forwarding state after a
handshake with its peer. The P/A transition applies only to point-to-point links.
• P/A transition for RSTP and PVST.
In RSTP or PVST, the ports on a new link or recovered link are designated ports in blocking
state. When one of the designated ports transits to the discarding or learning state, it sets the
proposal flag in its BPDU. Its peer bridge receives the BPDU and determines whether the
receiving port is the root port. If it is the root port, the bridge blocks the other ports except edge
ports. The bridge then replies an agreement BPDU to the designated port. The designated port
immediately transits to the forwarding state upon receiving the agreement BPDU. If the
designated port does not receive the agreement BPDU, it waits for twice the forward delay to
transit to the forwarding state.
As shown in Figure 35, the P/A transition operates as follows:
a. Device A sends a proposal BPDU to Device B through Port A1.
b. Device B receives the proposal BPDU on Port B2. Port B2 is elected as the root port.
c. Device B blocks its designated port Port B1 and alternate port Port B3 to eliminate loops.
d. The root port Port B2 transits to the forwarding state and sends an agreement BPDU to
Device A.
e. The designated port Port A1 on Device A immediately transits to the forwarding state after
receiving the agreement BPDU.

96
 Figure 35 P/A transition for RSTP and PVST
Root port
Designated port
Alternate port
Edge port
Device A Device A
RID=0.MAC A RID=0.MAC A
Port A1 Port A1

Proposal Agreement

Port B2 Port B2
Device B Device B
RID=4096.MAC B RID=4096.MAC B
Port B3 Port B1 Port B3 Port B1

• P/A transition for MSTP.

In MSTP, an upstream bridge sets both the proposal and agreement flags in its BPDU. If a
downstream bridge receives the BPDU and its receiving port is elected as the root port, the
bridge blocks all the other ports except edge ports. The downstream bridge then replies an
agreement BPDU to the upstream bridge. The upstream port immediately transits to the
forwarding state upon receiving the agreement BPDU. If the upstream port does not receive the
agreement BPDU, it waits for twice the forward delay to transit to the forwarding state.
As shown in Figure 36, the P/A transition operates as follows:
a. Device A sets the proposal and agreement flags in its BPDU and sends it to Device B
through Port A1.
b. Device B receives the BPDU. Port B1 of Device B is elected as the root port.
c. Device B then blocks all its ports except the edge ports.
d. The root port Port B1 of Device B transits to the forwarding state and sends an agreement
BPDU to Device A.
e. Port A1 of Device A immediately transits to the forwarding state upon receiving the
agreement BPDU.
Figure 36 P/A transition for MSTP
Proposal

Device A Port A1 Port B1 Device B

RID=0.MAC A RID=4096.MAC B

Agreement

Protocols and standards

MSTP is documented in the following protocols and standards:
• IEEE 802.1d, Media Access Control (MAC) Bridges
• IEEE 802.1w, Part 3: Media Access Control (MAC) Bridges—Amendment 2: Rapid
Reconfiguration
• IEEE 802.1s, Virtual Bridged Local Area Networks—Amendment 3: Multiple Spanning Trees
• IEEE 802.1Q-REV/D1.3, Media Access Control (MAC) Bridges and Virtual Bridged Local Area
Networks —Clause 13: Spanning tree Protocols

97
Spanning tree configuration task lists
Before configuring a spanning tree, complete the following tasks:
• Determine the spanning tree protocol to be used (STP, RSTP, PVST, or MSTP).
• Plan the device roles (the root bridge or leaf node).
When you configure spanning tree protocols, follow these restrictions and guidelines:
• If both MVRP and a spanning tree protocol are enabled on a device, MVRP packets are
forwarded along MSTIs. To advertise a specific VLAN within the network through MVRP, make
sure this VLAN is mapped to an MSTI when you configure the VLAN-to-instance mapping table.
For more information about MVRP, see "Configuring MVRP."
• The spanning tree configurations are mutually exclusive with any of the following features on a
port: service loopback group, RRPP, L2PT, and Smart Link.
• Configurations made in system view take effect globally. Configurations made in Ethernet
interface view take effect only on the interface. Configurations made in Layer 2 aggregate
interface view take effect only on the aggregate interface. Configurations made on an
aggregation member port can take effect only after the port is removed from the aggregation
group.
• After you enable a spanning tree protocol on a Layer 2 aggregate interface, the system
performs spanning tree calculation on the Layer 2 aggregate interface. It does not perform
spanning tree calculation on the aggregation member ports. The spanning tree protocol enable
state and forwarding state of each selected member port is consistent with those of the
corresponding Layer 2 aggregate interface.
• The member ports of an aggregation group do not participate in spanning tree calculation.
However, the ports still reserve their spanning tree configurations for participating in spanning
tree calculation after leaving the aggregation group.

STP configuration task list

Tasks at a glance
Configuring the root bridge:
• (Required.) Setting the spanning tree mode
• (Optional.) Configuring the root bridge or a secondary root bridge
• (Optional.) Configuring the device priority
• (Optional.) Configuring the network diameter of a switched network
• (Optional.) Setting spanning tree timers
• (Optional.) Setting the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
Configuring the leaf nodes:
• (Required.) Setting the spanning tree mode
• (Optional.) Configuring the device priority
• (Optional.) Setting the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring path costs of ports
• (Optional.) Configuring the port priority
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
(Optional.) Configuring TC Snooping

98
 Tasks at a glance
(Optional.) Configuring protection features
(Optional.) Disabling the device from reactivating edge ports shut down by BPDU guard
(Optional.) Enabling SNMP notifications for new-root election and topology change events

RSTP configuration task list

Tasks at a glance
Configuring the root bridge:
• (Required.) Setting the spanning tree mode
• (Optional.) Configuring the root bridge or a secondary root bridge
• (Optional.) Configuring the device priority
• (Optional.) Configuring the network diameter of a switched network
• (Optional.) Setting spanning tree timers
• (Optional.) Setting the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring the port link type
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
Configuring the leaf nodes:
• (Required.) Setting the spanning tree mode
• (Optional.) Configuring the device priority
• (Optional.) Setting the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring path costs of ports
• (Optional.) Configuring the port priority
• (Optional.) Configuring the port link type
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
(Optional.) Performing mCheck
(Optional.) Configuring TC Snooping
(Optional.) Configuring protection features
(Optional.) Disabling the device from reactivating edge ports shut down by BPDU guard
(Optional.) Enabling SNMP notifications for new-root election and topology change events

PVST configuration task list

Tasks at a glance
Configuring the root bridge:
• (Required.) Setting the spanning tree mode
• (Optional.) Configuring the root bridge or a secondary root bridge
• (Optional.) Configuring the device priority
• (Optional.) Configuring the network diameter of a switched network

99
 Tasks at a glance
• (Optional.) Setting spanning tree timers
• (Optional.) Setting the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring the port link type
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
Configuring the leaf nodes:
• (Required.) Setting the spanning tree mode
• (Optional.) Configuring the device priority
• (Optional.) Setting the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring path costs of ports
• (Optional.) Configuring the port priority
• (Optional.) Configuring the port link type
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
(Optional.) Performing mCheck
(Optional.) Disabling inconsistent PVID protection
(Optional.) Configuring protection features
(Optional.) Enabling the device to log events of detecting or receiving TC BPDUs
(Optional.) Disabling the device from reactivating edge ports shut down by BPDU guard
(Optional.) Enabling SNMP notifications for new-root election and topology change events

MSTP configuration task list

Tasks at a glance
Configuring the root bridge:
• (Required.) Setting the spanning tree mode
• (Required.) Configuring an MST region
• (Optional.) Configuring the root bridge or a secondary root bridge
• (Optional.) Configuring the device priority
• (Optional.) Configuring the maximum hops of an MST region
• (Optional.) Configuring the network diameter of a switched network
• (Optional.) Setting spanning tree timers
• (Optional.) Setting the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring the port link type
• (Optional.) Configuring the mode a port uses to recognize and send MSTP frames
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
Configuring the leaf nodes:
• (Required.) Setting the spanning tree mode
• (Required.) Configuring an MST region

100
 Tasks at a glance
• (Optional.) Configuring the device priority
• (Optional.) Setting the timeout factor
• (Optional.) Configuring the BPDU transmission rate
• (Optional.) Configuring edge ports
• (Optional.) Configuring path costs of ports
• (Optional.) Configuring the port priority
• (Optional.) Configuring the port link type
• (Optional.) Configuring the mode a port uses to recognize and send MSTP frames
• (Optional.) Enabling outputting port state transition information
• (Required.) Enabling the spanning tree feature
(Optional.) Performing mCheck
(Optional.) Configuring Digest Snooping
(Optional.) Configuring No Agreement Check
(Optional.) Configuring TC Snooping
(Optional.) Configuring protection features
(Optional.) Disabling the device from reactivating edge ports shut down by BPDU guard
(Optional.) Enabling SNMP notifications for new-root election and topology change events

Setting the spanning tree mode

The spanning tree modes include:
• STP mode—All ports of the device send STP BPDUs. Select this mode when the peer device
of a port supports only STP.
• RSTP mode—All ports of the device send RSTP BPDUs. A port in this mode automatically
transits to the STP mode when it receives STP BPDUs from the peer device. A port in this mode
does not transit to the MSTP mode when it receives MSTP BPDUs from the peer device.
• PVST mode—All ports of the device send PVST BPDUs. Each VLAN maintains a spanning
tree. In a network, the amount of spanning trees maintained by all devices equals the number of
PVST-enabled VLANs multiplied by the number of PVST-enabled ports. If the amount of
spanning trees exceeds the capacity of the network, device CPUs will be overloaded. Packet
forwarding is interrupted, and the network becomes unstable. The number of PVST-enabled
VLANs that the device can maintain is 128.
• MSTP mode—All ports of the device send MSTP BPDUs. A port in this mode automatically
transits to the STP mode when receiving STP BPDUs from the peer device. A port in this mode
does not transit to the RSTP mode when receiving RSTP BPDUs from the peer device.
The MSTP mode is compatible with the RSTP mode, and the RSTP mode is compatible with the STP
mode.
Compatibility of the PVST mode depends on the link type of a port.
• On an access port, the PVST mode is compatible with other spanning tree modes in all VLANs.
• On a trunk port or hybrid port, the PVST mode is compatible with other spanning tree modes
only in the default VLAN.
To set the spanning tree mode:

Step Command Remarks

1. Enter system view. system-view N/A

101
 Step Command Remarks

Set the spanning tree mode. The default setting is the

2. stp mode { mstp | pvst | rstp | stp }
MSTP mode.

Configuring an MST region

Spanning tree devices belong to the same MST region if they are both connected through a physical
link and configured with the following details:
• Format selector (0 by default, not configurable).
• MST region name.
• MST region revision level.
• VLAN-to-instance mapping entries in the MST region.
The configuration of MST region-related parameters (especially the VLAN-to-instance mapping
table) might cause MSTP to begin a new spanning tree calculation. To reduce the possibility of
topology instability, the MST region configuration takes effect only after you activate it by doing one
of the following:
• Use the active region-configuration command.
• Enable a spanning tree protocol by using the stp global enable command if the spanning tree
protocol is disabled.
In STP, RSTP, or PVST mode, MST region configurations do not take effect.
To configure an MST region:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter MST region view. stp region-configuration N/A
3. Configure the MST region The default setting is the MAC
name. region-name name
address.
• instance instance-id vlan Use one of the commands.
4. Configure the vlan-id-list
VLAN-to-instance mapping By default, all VLANs in an MST
table. • vlan-mapping modulo region are mapped to the CIST (or
modulo MSTI 0).
5. Configure the MSTP revision
level of the MST region. revision-level level The default setting is 0.

6. (Optional.) Display the MST

region configurations that are check region-configuration N/A
not activated yet.
7. Manually activate MST
region configuration. active region-configuration N/A

Configuring the root bridge or a secondary root

bridge
You can have the spanning tree protocol determine the root bridge of a spanning tree through
calculation. You can also specify a device as the root bridge or as a secondary root bridge.

102
 A device has independent roles in different spanning trees. It can act as the root bridge in one
spanning tree and as a secondary root bridge in another. However, one device cannot be the root
bridge and a secondary root bridge in the same spanning tree.
A spanning tree can have only one root bridge. If multiple devices can be selected as the root bridge
in a spanning tree, the device with the lowest MAC address is selected.
When the root bridge of an instance fails or is shut down and no new root bridge is specified, the
following events occur:
• If you specify only one secondary root bridge, it becomes the root bridge.
• If you specify multiple secondary root bridges for the instance, the secondary root bridge with
the lowest MAC address is given priority.
• If you do not specify a secondary root bridge, a new root bridge is calculated.
You can specify one root bridge for each spanning tree, regardless of the device priority settings.
Once you specify a device as the root bridge or a secondary root bridge, you cannot change its
priority.
You can configure a device as the root bridge by setting the device priority to 0. For the device priority
configuration, see "Configuring the device priority."

Configuring the device as the root bridge of a specific

spanning tree
Step Command Remarks
1. Enter system view. system-view N/A
• In STP/RSTP mode:
stp root primary
• In PVST mode:
2. Configure the device as By default, the device is not a
stp vlan vlan-id-list root primary
the root bridge. root bridge.
• In MSTP mode:
stp [ instance instance-list ] root
primary

Configuring the device as a secondary root bridge of a

specific spanning tree
Step Command Remarks
1. Enter system view. system-view N/A
• In STP/RSTP mode:
stp root secondary
• In PVST mode:
2. Configure the device as a By default, the device is not
stp vlan vlan-id-list root secondary
secondary root bridge. a secondary root bridge.
• In MSTP mode:
stp [ instance instance-list ] root
secondary

103
Configuring the device priority
Device priority is a factor in calculating the spanning tree. The priority of a device determines
whether the device can be elected as the root bridge of a spanning tree. A lower value indicates a
higher priority. You can set the priority of a device to a low value to specify the device as the root
bridge of the spanning tree. A spanning tree device can have different priorities in different spanning
trees.
During root bridge selection, if all devices in a spanning tree have the same priority, the one with the
lowest MAC address is selected. You cannot change the priority of a device after it is configured as
the root bridge or as a secondary root bridge.
To configure the priority of the device in a specified MSTI:

Step Command Remarks

1. Enter system view. system-view N/A
• In STP/RSTP mode:
stp priority priority
• In PVST mode:
2. Configure the priority of
the device.
stp vlan vlan-id-list priority priority The default setting is 32768.
• In MSTP mode:
stp [ instance instance-list ] priority
priority

Configuring the maximum hops of an MST region

Restrict the region size by setting the maximum hops of an MST region. The hop limit configured on
the regional root bridge is used as the hop limit for the MST region.
Configuration BPDUs sent by the regional root bridge always have a hop count set to the maximum
value. When a device receives this configuration BPDU, it decrements the hop count by one, and
uses the new hop count in the BPDUs that it propagates. When the hop count of a BPDU reaches
zero, it is discarded by the device that received it. Devices beyond the reach of the maximum hops
can no longer participate in spanning tree calculations, so the size of the MST region is limited.
Make this configuration only on the root bridge. All other devices in the MST region use the maximum
hop value set for the root bridge.
You can configure the maximum hops of an MST region based on the STP network size. As a best
practice, set the maximum hops to a value that is greater than the maximum hops of each edge
device to the root bridge.
To configure the maximum number of hops of an MST region:

Step Command Remarks

1. Enter system view. system-view N/A
2. Configure the maximum
hops of the MST region. stp max-hops hops The default setting is 20.

104
Configuring the network diameter of a switched
network
Any two terminal devices in a switched network can reach each other through a specific path, and
there are a series of devices on the path. The switched network diameter is the maximum number of
devices on the path for an edge device to reach another one in the switched network through the root
bridge. The network diameter indicates the network size. The bigger the diameter, the larger the
network size.
Based on the network diameter you configured, the system automatically sets an optimal hello time,
forward delay, and max age for the device.
In STP, RSTP, or MSTP mode, each MST region is considered a device. The configured network
diameter takes effect only on the CIST (or the common root bridge) but not on other MSTIs.
In PVST mode, the configured network diameter takes effect only on the root bridges of the specified
VLANs.
To configure the network diameter of a switched network:

Step Command Remarks

1. Enter system view. system-view N/A
• In STP/RSTP/MSTP mode:
2. Configure the network stp bridge-diameter diameter
diameter of the switched • In PVST mode: The default setting is 7.
network. stp vlan vlan-id-list bridge-diameter
diameter

Setting spanning tree timers

The following timers are used for spanning tree calculation:
• Forward delay—Delay time for port state transition. To prevent temporary loops on a network,
the spanning tree feature sets an intermediate port state (the learning state) before it transits
from the discarding state to the forwarding state. The feature also requires that the port transit
its state after a forward delay timer. This ensures that the state transition of the local port stays
synchronized with the peer.
• Hello time—Interval at which the device sends configuration BPDUs to detect link failures. If
the device does not receive configuration BPDUs within the timeout period, it recalculates the
spanning tree. The formula for calculating the timeout period is timeout period = timeout factor ×
3 × hello time.
• Max age—In the CIST of an MSTP network, the device uses the max age timer to determine
whether a configuration BPDU received by a port has expired. If it is expired, a new spanning
tree calculation process starts. The max age timer does not take effect on MSTIs.
To ensure a fast topology convergence, make sure the timer settings meet the following formulas:
• 2 × (forward delay – 1 second) ≥ max age
• Max age ≥ 2 × (hello time + 1 second)
As a best practice, specify the network diameter and letting spanning tree protocols automatically
calculate the timers based on the network diameter instead of manually setting the spanning tree
timers. If the network diameter uses the default value, the timers also use their default values.
Set the timers only on the root bridge. The timer settings on the root bridge apply to all devices on the
entire switched network.

105
Configuration restrictions and guidelines
When you set spanning tree timers, follow these restrictions and guidelines:
• The length of the forward delay is related to the network diameter of the switched network. The
larger the network diameter is, the longer the forward delay time should be. As a best practice,
use the automatically calculated value because inappropriate forward delay setting might cause
temporary redundant paths or increase the network convergence time.
• An appropriate hello time setting enables the device to promptly detect link failures on the
network without using excessive network resources. If the hello time is too long, the device
mistakes packet loss for a link failure and triggers a new spanning tree calculation process. If
the hello time is too short, the device frequently sends the same configuration BPDUs, which
wastes device and network resources. As a best practice, use the automatically calculated
value.
• If the max age timer is too short, the device frequently begins spanning tree calculations and
might mistake network congestion as a link failure. If the max age timer is too long, the device
might fail to promptly detect link failures and quickly launch spanning tree calculations, reducing
the auto-sensing capability of the network. As a best practice, use the automatically calculated
value.

Configuration procedure
To set the spanning tree timers:

Step Command Remarks

1. Enter system view. system-view N/A
• In STP/RSTP/MSTP mode:
stp timer forward-delay time
2. Set the forward delay
timer. • In PVST mode: The default setting is 15 seconds.
stp vlan vlan-id-list timer
forward-delay time
• In STP/RSTP/MSTP mode:
stp timer hello time
3. Set the hello timer. • In PVST mode: The default setting is 2 seconds.
stp vlan vlan-id-list timer hello
time
• In STP/RSTP/MSTP mode:
stp timer max-age time
4. Set the max age timer. • In PVST mode: The default setting is 20 seconds.
stp vlan vlan-id-list timer
max-age time

Setting the timeout factor

The timeout factor is a parameter used to decide the timeout period. The formula for calculating the
timeout period is: timeout period = timeout factor × 3 × hello time.
In a stable network, each non-root-bridge device forwards configuration BPDUs to the downstream
devices at the hello time interval to detect link failures. If a device does not receive a BPDU from the
upstream device within nine times the hello time, it assumes that the upstream device has failed.
Then, it starts a new spanning tree calculation process.
As a best practice, set the timeout factor to 5, 6, or 7 in the following situations:

106
 • To prevent undesired spanning tree calculations. An upstream device might be too busy to
forward configuration BPDUs in time, for example, many Layer 2 interfaces are configured on
the upstream device. In this case, the downstream device fails to receive a BPDU within the
timeout period and then starts an undesired spanning tree calculation.
• To save network resources on a stable network.
To set the timeout factor:

Step Command Remarks

1. Enter system view. system-view N/A
2. Set the timeout factor of the
device. stp timer-factor factor The default setting is 3.

Configuring the BPDU transmission rate

The maximum number of BPDUs a port can send within each hello time equals the BPDU
transmission rate plus the hello timer value. Configure an appropriate BPDU transmission rate based
on the physical status of the port and the network structure.
The higher the BPDU transmission rate, the more BPDUs are sent within each hello time, and the
more system resources are used. By setting an appropriate BPDU transmission rate, you can limit
the rate at which the port sends BPDUs. Setting an appropriate rate also prevents spanning tree
protocols from using excessive network resources when the network topology changes. As a best
practice, use the default setting.
To configure the BPDU transmission rate:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Configure the BPDU

transmission rate of the stp transmit-limit limit The default setting is 10.
ports.

Configuring edge ports

If a port directly connects to a user terminal rather than another device or a shared LAN segment,
this port is regarded as an edge port. When network topology change occurs, an edge port will not
cause a temporary loop. Because a device does not determine whether a port is directly connected
to a terminal, you must manually configure the port as an edge port. After that, the port can rapidly
transit from the blocking state to the forwarding state.

Configuration restrictions and guidelines

When you configure edge ports, follow these restrictions and guidelines:
• If BPDU guard is disabled on a port configured as an edge port, the port becomes a non-edge
port again if it receives a BPDU from another port. To restore the edge port, re-enable it.

107
 • If a port directly connects to a user terminal, configure it as an edge port and enable BPDU
guard for it. This enables the port to quickly transit to the forwarding state when ensuring
network security.
• On a port, the loop guard feature and the edge port setting are mutually exclusive.

Configuration procedure
To configure a port as an edge port:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Configure the port as an By default, all ports are

edge port. stp edged-port
non-edge ports.

Configuring path costs of ports

Path cost is a parameter related to the link speed of a port. On a spanning tree device, a port can
have different path costs in different MSTIs. Setting appropriate path costs allows VLAN traffic flows
to be forwarded along different physical links, achieving VLAN-based load balancing.
You can have the device automatically calculate the default path cost, or you can configure the path
cost for ports.

Specifying a standard for the device to use when it calculates

the default path cost
CAUTION:
If you change the standard that the device uses to calculate the default path costs, you restore the
path costs to the default.

You can specify a standard for the device to use in automatic calculation for the default path cost.
The device supports the following standards:
• dot1d-1998—The device calculates the default path cost for ports based on IEEE 802.1d-1998.
• dot1t—The device calculates the default path cost for ports based on IEEE 802.1t.
• legacy—The device calculates the default path cost for ports based on a private standard.
When you specify a standard for the device to use when it calculates the default path cost, follow
these guidelines:
• When it calculates the path cost for an aggregate interface, IEEE 802.1t takes into account the
number of Selected ports in its aggregation group. However, IEEE 802.1d-1998 does not take
into account the number of Selected ports. The calculation formula of IEEE 802.1t is: Path cost
= 200,000,000/link speed (in 100 kbps). The link speed is the sum of the link speed values of
the Selected ports in the aggregation group.
• IEEE 802.1d-1998 or the private standard always assigns the smallest possible value to a
single port or aggregate interface with a speed exceeding 10 Gbps. The forwarding path
selected based on this criterion might not be the best one. To solve this problem, perform one of
the following tasks:

108
  Use dot1t as the standard for default path cost calculation.
 Manually set the path cost for the port (see "Configuring path costs of ports").
To specify a standard for the device to use when it calculates the default path cost:

Step Command Remarks

1. Enter system view. system-view N/A
2. Specify a standard for the
device to use when it By default, the device uses
stp pathcost-standard
calculates the default path legacy to calculate the default
{ dot1d-1998 | dot1t | legacy }
costs of its ports. path costs of its ports.

Table 13 Mappings between the link speed and the path cost

Path cost
Link speed Port type IEEE Private
IEEE 802.1t
802.1d-1998 standard
0 N/A 65535 200000000 200000
Single port 2000000 2000
Aggregate interface
containing two Selected 1000000 1800
ports

10 Mbps Aggregate interface 100

containing three Selected 666666 1600
ports
Aggregate interface
containing four Selected 500000 1400
ports
Single port 200000 200
Aggregate interface
containing two Selected 100000 180
ports

100 Mbps Aggregate interface 19

containing three Selected 66666 160
ports
Aggregate interface
containing four Selected 50000 140
ports
Single port 20000 20
Aggregate interface
containing two Selected 10000 18
100 ports
0 Aggregate interface 4
Mbp containing three Selected 6666 16
s ports
Aggregate interface
containing four Selected 5000 14
ports
Single port 2000 2
10 Gbps 2
Aggregate interface 1000 1
containing two Selected

109
 Path cost
Link speed Port type IEEE Private
IEEE 802.1t
802.1d-1998 standard
ports

Aggregate interface
containing three Selected 666 1
ports
Aggregate interface
containing four Selected 500 1
ports
Single port 1000 1
Aggregate interface
containing two Selected 500 1
ports

20 Gbps Aggregate interface 1

containing three Selected 333 1
ports
Aggregate interface
containing four Selected 250 1
ports
Single port 500 1
Aggregate interface
containing two Selected 250 1
ports

40 Gbps Aggregate interface 1

containing three Selected 166 1
ports
Aggregate interface
containing four Selected 125 1
ports
Single port 200 1
Aggregate interface
containing two Selected 100 1
ports

100 Gbps Aggregate interface 1

containing three Selected 66 1
ports
Aggregate interface
containing four Selected 50 1
ports

Configuring path costs of ports

When the path cost of a port changes, the system recalculates the role of the port and initiates a
state transition.
To configure the path cost of a port:

110
 Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

• In STP/RSTP mode:
stp cost cost-value
• In PVST mode: By default, the system
3. Configure the path cost of
the ports.
stp vlan vlan-id-list cost cost-value automatically calculates
• In MSTP mode: the path cost of each port.
stp [ instance instance-list ] cost
cost-value

Configuration example
# In MSTP mode, perform the following tasks:
• Configure the device to calculate the default path costs of its ports by using IEEE 802.1d-1998.
• Set the path cost of GigabitEthernet 1/0/3 to 200 on MSTI 2.
<Sysname> system-view
[Sysname] stp pathcost-standard dot1d-1998
Cost of every port will be reset and automatically re-calculated after you change the
current pathcost standard. Continue?[Y/N]:y
Cost of every port has been re-calculated.
[Sysname] interface gigabitethernet 1/0/3
[Sysname-GigabitEthernet1/0/3] stp instance 2 cost 200

# In PVST mode, perform the following tasks:

• Configure the device to calculate the default path costs of its ports by using IEEE 802.1d-1998.
• Set the path cost of GigabitEthernet 1/0/3 to 2000 on VLAN 20 through VLAN 30.
<Sysname> system-view
[Sysname] stp pathcost-standard dot1d-1998
Cost of every port will be reset and automatically re-calculated after you change the
current pathcost standard. Continue?[Y/N]:y
Cost of every port has been re-calculated
[Sysname] interface gigabitethernet 1/0/3
[Sysname-GigabitEthernet1/0/3] stp vlan 20 to 30 cost 2000

Configuring the port priority

The priority of a port is a factor that determines whether the port can be elected as the root port of a
device. If all other conditions are the same, the port with the highest priority is elected as the root
port.
On a spanning tree device, a port can have different priorities and play different roles in different
spanning trees. As a result, data of different VLANs can be propagated along different physical
paths, implementing per-VLAN load balancing. You can set port priority values based on the actual
networking requirements.
When the priority of a port changes, the system recalculates the port role and initiates a state
transition.
To configure the priority of a port:

111
 Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type interface-number N/A
aggregate interface view.
• In STP/RSTP mode:
stp port priority priority
• In PVST mode:
3. Configure the port priority.
stp vlan vlan-id-list port priority The default setting is 128
priority for all ports.
• In MSTP mode:
stp [ instance instance-list ] port
priority priority

Configuring the port link type

A point-to-point link directly connects two devices. If two root ports or designated ports are connected
over a point-to-point link, they can rapidly transit to the forwarding state after a proposal-agreement
handshake process.

Configuration restrictions and guidelines

When you configure the port link type, follow these restrictions and guidelines:
• You can configure the link type as point-to-point for a Layer 2 aggregate interface or a port that
operates in full duplex mode. As a best practice, use the default setting and let the device
automatically detect the port link type.
• In PVST or MSTP mode, the stp point-to-point force-false or stp point-to-point force-true
command configured on a port takes effect on all VLANs or all MSTIs.
• Before you set the link type of a port to point-to-point, make sure the port is connected to a
point-to-point link. Otherwise, a temporary loop might occur.

Configuration procedure
To configure the link type of a port:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

By default, the link type is auto

Configure the port link type. stp point-to-point { auto |
3. where the port automatically
force-false | force-true }
detects the link type.

112
Configuring the mode a port uses to recognize
and send MSTP frames
A port can receive and send MSTP frames in the following formats:
• dot1s—802.1s-compliant standard format
• legacy—Compatible format
By default, the frame format recognition mode of a port is auto. The port automatically distinguishes
the two MSTP frame formats, and determines the format of frames that it will send based on the
recognized format.
You can configure the MSTP frame format on a port. Then, the port sends only MSTP frames of the
configured format to communicate with devices that send frames of the same format.
By default, a port in auto mode sends 802.1s MSTP frames. When the port receives an MSTP frame
of a legacy format, the port starts to send frames only of the legacy format. This prevents the port
from frequently changing the format of sent frames. To configure the port to send 802.1s MSTP
frames, shut down and then bring up the port.
When the number of existing MSTIs exceeds 48, the port can send only 802.1s MSTP frames.
To configure the MSTP frame format to be supported on a port:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Configure the mode that the

port uses to recognize/send stp compliance { auto | dot1s | legacy } The default setting is auto.
MSTP frames.

Enabling outputting port state transition

information
In a large-scale spanning tree network, you can enable devices to output the port state transition
information. Then, you can monitor the port states in real time.
To enable outputting port state transition information:

Step Command Remarks

1. Enter system view. system-view N/A
• In STP/RSTP mode:
stp port-log instance 0
2. Enable outputting port • In PVST mode:
state transition stp port-log vlan vlan-id-list By default, this feature is
information. enabled.
• In MSTP mode:
stp port-log { all | instance
instance-list }

113
Enabling the spanning tree feature
You must enable the spanning tree feature for the device before any other spanning tree related
configurations can take effect. In STP, RSTP, or MSTP mode, make sure the spanning tree feature is
enabled globally and on the desired ports. In PVST mode, make sure the spanning tree feature is
enabled globally, in the desired VLANs, and on the desired ports.
To exclude specific ports from spanning tree calculation and save CPU resources, disable the
spanning tree feature for these ports with the undo stp enable command. Make sure no loops occur
in the network after you disable the spanning tree feature on these ports.

Enabling the spanning tree feature in STP/RSTP/MSTP

mode
Step Command Remarks
1. Enter system view. system-view N/A
When the device starts up with
initial settings, the spanning tree
feature is globally disabled.
When the device starts up with
2. Enable the spanning tree factory defaults, the spanning tree
feature. stp global enable
feature is globally enabled.
For more information about the
initial settings and factory
defaults, see Fundamentals
Configuration Guide.
3. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

4. (Optional.) Enable the

spanning tree feature for the By default, the spanning tree
stp enable
port. feature is enabled on all ports.

Enabling the spanning tree feature in PVST mode

Step Command Remarks
1. Enter system view. system-view N/A
When the device starts up with
initial settings, the spanning tree
feature is globally disabled.
When the device starts up with
2. Enable the spanning tree factory defaults, the spanning tree
feature. stp global enable
feature is globally enabled.
For more information about the
initial settings and factory
defaults, see Fundamentals
Configuration Guide.
3. Enable the spanning tree By default, the spanning tree
feature in VLANs. stp vlan vlan-id-list enable
feature is enabled in VLANs.
4. Enter Layer 2 Ethernet
interface interface-type N/A
interface or Layer 2

114
 Step Command Remarks
aggregate interface view. interface-number
5. Enable the spanning tree By default, the spanning tree
feature on the port. stp enable
feature is enabled on all ports.

Performing mCheck
The mCheck feature enables user intervention in the port status transition process.
When a port on an MSTP, RSTP, or PVST device connects to an STP device and receives STP
BPDUs, the port automatically transits to the STP mode. However, the port cannot automatically
transit back to the original mode when the following conditions exist:
• The peer STP device is shut down or removed.
• The port cannot detect the change.
To forcibly transit the port to operate in the original mode, you can perform an mCheck operation.
For example, Device A, Device B, and Device C are connected in sequence. Device A runs STP,
Device B does not run any spanning tree protocol, and Device C runs RSTP, PVST, or MSTP. In this
case, when Device C receives an STP BPDU transparently transmitted by Device B, the receiving
port transits to the STP mode. If you configure Device B to run RSTP, PVST, or MSTP with Device C,
you must perform mCheck operations on the ports interconnecting Device B and Device C.

Configuration restrictions and guidelines

The mCheck operation takes effect on devices operating in MSTP, PVST, or RSTP mode.

Performing mCheck globally

Step Command
1. Enter system view. system-view

2. Perform mCheck. stp global mcheck

Performing mCheck in interface view

Step Command
1. Enter system view. system-view
2. Enter Layer 2 Ethernet interface or Layer 2
aggregate interface view. interface interface-type interface-number

3. Perform mCheck. stp mcheck

Disabling inconsistent PVID protection

In PVST, if two connected ports use different PVIDs, PVST calculation errors might occur. By default,
inconsistent PVID protection is enabled to avoid PVST calculation errors. If PVID inconsistency is
detected on a port, the system blocks the port.

115
 If different PVIDs are required on two connected ports, disable inconsistent PVID protection on the
devices that host the ports. To avoid PVST calculation errors, make sure the following requirements
are met:
• Make sure the VLANs on one device do not use the same ID as the PVID of its peer port (except
the default VLAN) on another device.
• If the local port or its peer is a hybrid port, do not configure the local and peer ports as untagged
members of the same VLAN.
• Disable inconsistent PVID protection on both the local device and the peer device.
This feature takes effect only when the device is operating in PVST mode.
To disable the inconsistent PVID protection feature:

Step Command Remarks

1. Enter system view. system-view N/A
2. Disable the inconsistent By default, the inconsistent PVID
PVID protection feature. stp ignore-pvid-inconsistency
protection feature is enabled.

Configuring Digest Snooping

CAUTION:
Use caution with global Digest Snooping in the following situations:
• When you modify the VLAN-to-instance mappings.
• When you restore the default MST region configuration.
If the local device has different VLAN-to-instance mappings than its neighboring devices, loops or
traffic interruption will occur.

As defined in IEEE 802.1s, connected devices are in the same region only when they have the same
MST region-related configurations, including:
• Region name.
• Revision level.
• VLAN-to-instance mappings.
A spanning tree device identifies devices in the same MST region by determining the configuration
ID in BPDUs. The configuration ID includes the region name, revision level, and configuration digest.
It is 16-byte long and is the result calculated through the HMAC-MD5 algorithm based on
VLAN-to-instance mappings.
Because spanning tree implementations vary by vendor, the configuration digests calculated through
private keys are different. The devices of different vendors in the same MST region cannot
communicate with each other.
To enable communication between an HPE device and a third-party device in the same MST region,
enable Digest Snooping on the HPE device port connecting them.

Configuration restrictions and guidelines

When you configure Digest Snooping, follow these restrictions and guidelines:
• Before you enable Digest Snooping, make sure associated devices of different vendors are
connected and run spanning tree protocols.
• With Digest Snooping enabled, in-the-same-region verification does not require comparison of
configuration digest. The VLAN-to-instance mappings must be the same on associated ports.
116
 • To make Digest Snooping take effect, you must enable Digest Snooping both globally and on
associated ports. As a best practice, enable Digest Snooping on all associated ports first and
then enable it globally. This will make the configuration take effect on all configured ports and
reduce impact on the network.
• To prevent loops, do not enable Digest Snooping on MST region edge ports.
• As a best practice, enable Digest Snooping first and then enable the spanning tree feature. To
avoid traffic interruption, do not configure Digest Snooping when the network is already working
well.

Configuration procedure
Use this feature on when your HPE device is connected to a third-party device that uses its private
key to calculate the configuration digest.
To configure Digest Snooping:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Enable Digest Snooping on By default, Digest Snooping is

the interface. stp config-digest-snooping
disabled on ports.

4. Return to system view. quit N/A

5. Enable Digest Snooping stp global By default, Digest Snooping is
globally. config-digest-snooping disabled globally.

Digest Snooping configuration example

Network requirements
As shown in Figure 37, Device A and Device B connect to Device C, which is a third-party device. All
these devices are in the same region.
Enable Digest Snooping on the ports of Device A and Device B that connect to Device C, so that the
three devices can communicate with one another.

117
 Figure 37 Network diagram

MST region Device C

Root bridge

GE1/0/1 GE1/0/2 Root port

Designated port

Blocked port

Normal link

GE1/0/1 GE1/0/1
Blocked link
GE1/0/2 GE1/0/2

Device A Device B

Configuration procedure
# Enable Digest Snooping on GigabitEthernet 1/0/1 of Device A and enable global Digest Snooping
on Device A.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] stp config-digest-snooping
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] stp global config-digest-snooping

# Enable Digest Snooping on GigabitEthernet 1/0/1 of Device B and enable global Digest Snooping
on Device B.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] stp config-digest-snooping
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] stp global config-digest-snooping

Configuring No Agreement Check

In RSTP and MSTP, the following types of messages are used for rapid state transition on
designated ports:
• Proposal—Sent by designated ports to request rapid transition
• Agreement—Used to acknowledge rapid transition requests
Both RSTP and MSTP devices can perform rapid transition on a designated port only when the port
receives an agreement packet from the downstream device. RSTP and MSTP devices have the
following differences:
• For MSTP, the root port of the downstream device sends an agreement packet only after it
receives an agreement packet from the upstream device.
• For RSTP, the downstream device sends an agreement packet whether or not an agreement
packet from the upstream device is received.

118
 Figure 38 Rapid state transition of an MSTP designated port
Upstream device Downstream device

(1) Proposal for rapid transition The root port blocks non-edge
ports.

The root port changes to the

(2) Agreement forwarding state and sends an
Agreement to the upstream
device.

The designated port (3) Agreement

changes to the
forwarding state.

Root port Designated port

Figure 39 Rapid state transition of an RSTP designated port

Upstream device Downstream device

The root port blocks non-edge

(1) Proposal for rapid transition ports, changes to the forwarding
state, and sends an Agreement to
the upstream device.

The designated (2) Agreement

port changes to the
forwarding state.

Root port Designated port

If the upstream device is a third-party device, the rapid state transition implementation might be
limited as follows:
• The upstream device uses a rapid transition mechanism similar to that of RSTP.
• The downstream device runs MSTP and does not operate in RSTP mode.
In this case, the following occurs:
1. The root port on the downstream device receives no agreement from the upstream device.
2. It sends no agreement to the upstream device.
As a result, the designated port of the upstream device can transit to the forwarding state only after a
period twice the forward delay.
To enable the designated port of the upstream device to transit its state rapidly, enable No
Agreement Check on the downstream device's port.

Configuration prerequisites
Before you configure the No Agreement Check feature, complete the following tasks:
• Connect a device to a third-party upstream device that supports spanning tree protocols
through a point-to-point link.
• Configure the same region name, revision level, and VLAN-to-instance mappings on the two
devices.

119
Configuration procedure
Enable the No Agreement Check feature on the root port.
To configure No Agreement Check:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type interface-number N/A
aggregate interface view.
3. Enable No Agreement By default, No Agreement
Check. stp no-agreement-check
Check is disabled.

No Agreement Check configuration example

Network requirements
As shown in Figure 40, Device A connects to a third-party device that has a different spanning tree
implementation. Both devices are in the same region.
The third-party device (Device B) is the regional root bridge, and Device A is the downstream device.
Figure 40 Network diagram
Root bridge
GE1/0/1 GE1/0/1

Device A Device B

Root port Designated port

Configuration procedure
# Enable No Agreement Check on GigabitEthernet 1/0/1 of Device A.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] stp no-agreement-check

Configuring TC Snooping
As shown in Figure 41, an IRF fabric connects to two user networks through double links.
• Device A and Device B form the IRF fabric.
• The spanning tree feature is disabled on Device A and Device B and enabled on all devices in
user network 1 and user network 2.
• The IRF fabric transparently transmits BPDUs for both user networks and is not involved in the
calculation of spanning trees.
When the network topology changes, it takes time for the IRF fabric to update its MAC address table
and ARP table. During this period, traffic in the network might be interrupted.

120
 Figure 41 TC Snooping application scenario
IRF

Device A Device B
IRF link

User network 1 User network 2

To avoid traffic interruption, you can enable TC Snooping on the IRF fabric. After receiving a
TC-BPDU through a port, the IRF fabric updates MAC address table and ARP table entries
associated with the port's VLAN. In this way, TC Snooping prevents topology change from
interrupting traffic forwarding in the network. For more information about the MAC address table and
the ARP table, see "Configuring the MAC address table" and Layer 3—IP Services Configuration
Guide.

Configuration restrictions and guidelines

When you configure TC Snooping, follow these restrictions and guidelines:
• TC Snooping and the spanning tree feature are mutually exclusive. You must globally disable
the spanning tree feature before enabling TC Snooping.
• The priority of L2PT is higher than that of TC Snooping. When L2PT is enabled on a port, the TC
Snooping feature does not take effect on the port.
• TC Snooping does not support the PVST mode.

Configuration procedure
To enable TC Snooping:

Step Command Remarks

1. Enter system view. system-view N/A

When the device starts up with

initial settings, the spanning tree
feature is globally disabled.
When the device starts up with
2. Globally disable the spanning factory defaults, the spanning
tree feature. undo stp global enable
tree feature is globally enabled.
For more information about the
initial settings and factory
defaults, see Fundamentals
Configuration Guide.

3. Enable TC Snooping. By default, TC Snooping is

stp tc-snooping
disabled.

121
Configuring protection features
A spanning tree device supports the following protection features:
• BPDU guard
• Root guard
• Loop guard
• Port role restriction
• TC-BPDU transmission restriction
• TC-BPDU guard
• BPDU drop
• PVST BPDU guard

Configuring BPDU guard

For access layer devices, the access ports can directly connect to the user terminals (such as PCs)
or file servers. The access ports are configured as edge ports to allow rapid transition. When these
ports receive configuration BPDUs, the system automatically sets the ports as non-edge ports and
starts a new spanning tree calculation process. This causes a change of network topology. Under
normal conditions, these ports should not receive configuration BPDUs. However, if someone uses
configuration BPDUs maliciously to attack the devices, the network will become unstable.
The spanning tree protocol provides the BPDU guard feature to protect the system against such
attacks. When edge ports receive configuration BPDUs on a device with BPDU guard enabled, the
device performs the following operations:
• Shuts down these ports.
• Notifies the NMS that these ports have been shut down by the spanning tree protocol.
The device reactivates the shutdown ports after a detection interval. For more information about this
detection interval, see Fundamentals Configuration Guide.
You can configure the BPDU guard feature globally or on a per-edge port basis.
BPDU guard does not take effect on loopback-testing-enabled ports. For more information about
loopback testing, see Interface Configuration Guide.
Enabling BPDU guard globally
The global BPDU guard setting takes effect on all edge ports that are not configured by using the stp
port bpdu-protection command.
To enable BPDU guard globally:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enable BPDU guard globally. By default, BPDU guard is globally

stp bpdu-protection
disabled.

Configuring BPDU guard on an interface

An edge port preferentially uses the port-specific BPDU guard setting. If the port-specific BPDU
guard setting is not available, the edge port uses the global BPDU guard setting.
To configure BPDU guard on an interface:

122
 Step Command Remarks
1. Enter system view. system-view N/A

2. Enter Layer 2 Ethernet The specified interface must

interface or Layer 2 interface interface-type connect to a user terminal rather
aggregate interface view. interface-number than other device or shared LAN
segment.
By default, BPDU guard is not
configured on a per-edge port
Configure BPDU guard. stp port bpdu-protection
3. basis. The status of BPDU guard on
{ enable | disable }
an interface is the same as the
global BPDU status.

Enabling root guard

The root bridge and secondary root bridge of a spanning tree should be located in the same MST
region. Especially for the CIST, the root bridge and secondary root bridge are put in a high-bandwidth
core region during network design. However, due to possible configuration errors or malicious
attacks in the network, the legal root bridge might receive a configuration BPDU with a higher priority.
Another device supersedes the current legal root bridge, causing an undesired change of the
network topology. The traffic that should go over high-speed links is switched to low-speed links,
resulting in network congestion.
To prevent this situation, MSTP provides the root guard feature. If root guard is enabled on a port of
a root bridge, this port plays the role of designated port on all MSTIs. After this port receives a
configuration BPDU with a higher priority from an MSTI, it performs the following operations:
• Immediately sets that port to the listening state in the MSTI.
• Does not forward the received configuration BPDU.
This is equivalent to disconnecting the link connected to this port in the MSTI. If the port receives no
BPDUs with a higher priority within twice the forwarding delay, it reverts to its original state.
On a port, the loop guard feature and the root guard feature are mutually exclusive.
Configure root guard on a designated port.
To enable root guard:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface or Layer interface interface-type
2 aggregate interface view. N/A
interface-number

3. Enable the root guard feature. By default, root guard is

stp root-protection
disabled.

Enabling loop guard

By continuing to receive BPDUs from the upstream device, a device can maintain the state of the
root port and blocked ports. However, link congestion or unidirectional link failures might cause these
ports to fail to receive BPDUs from the upstream devices. In this situation, the device reselects the
following port roles:
• Those ports in forwarding state that failed to receive upstream BPDUs become designated
ports.
• The blocked ports transit to the forwarding state.

123
 As a result, loops occur in the switched network. The loop guard feature can suppress the
occurrence of such loops.
The initial state of a loop guard-enabled port is discarding in every MSTI. When the port receives
BPDUs, it transits its state. Otherwise, it stays in the discarding state to prevent temporary loops.
Do not enable loop guard on a port that connects user terminals. Otherwise, the port stays in the
discarding state in all MSTIs because it cannot receive BPDUs.
On a port, the loop guard feature is mutually exclusive with the root guard feature or the edge port
setting.
Configure loop guard on the root port and alternate ports of a device.
To enable loop guard:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface or interface interface-type
Layer 2 aggregate interface view. N/A
interface-number
3. Enable the loop guard feature for the By default, loop guard is
ports. stp loop-protection
disabled.

Configuring port role restriction

CAUTION:
Use this feature with caution, because enabling port role restriction on a port might affect the
connectivity of the spanning tree topology.

The bridge ID change of a device in the user access network might cause a change to the spanning
tree topology in the core network. To avoid this problem, you can enable port role restriction on a
port. With this feature enabled, when the port receives a superior BPDU, it becomes an alternate port
rather than a root port.
Make this configuration on the port that connects to the user access network.
To configure port role restriction:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Enable port role restriction. By default, port role restriction is

stp role-restriction
disabled.

Configuring TC-BPDU transmission restriction

CAUTION:
Enabling TC-BPDU transmission restriction on a port might cause the previous forwarding address
table to fail to be updated when the topology changes.

The topology change to the user access network might cause the forwarding address changes to the
core network. When the user access network topology is unstable, the user access network might

124
 affect the core network. To avoid this problem, you can enable TC-BPDU transmission restriction on
a port. With this feature enabled, when the port receives a TC-BPDU, it does not forward the
TC-BPDU to other ports.
Make this configuration on the port that connects to the user access network.
To configure TC-BPDU transmission restriction:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Enable TC-BPDU By default, TC-BPDU

transmission restriction. stp tc-restriction transmission restriction is
disabled.

Enabling TC-BPDU guard

When a device receives topology change (TC) BPDUs (the BPDUs that notify devices of topology
changes), it flushes its forwarding address entries. If someone uses TC-BPDUs to attack the device,
the device will receive a large number of TC-BPDUs within a short time. Then, the device is busy with
forwarding address entry flushing. This affects network stability.
TC-BPDU guard allows you to set the maximum number of immediate forwarding address entry
flushes performed within 10 seconds after the device receives the first TC-BPDU. For TC-BPDUs
received in excess of the limit, the device performs a forwarding address entry flush when the time
period expires. This prevents frequent flushing of forwarding address entries. As a best practice,
enable TC-BPDU guard.
To enable TC-BPDU guard:

Step Command Remarks

1. Enter system view. system-view N/A
By default, TC-BPDU guard
is enabled.
2. Enable the TC-BPDU guard feature. stp tc-protection
As a best practice, do not
disable this feature.
3. (Optional.) Configure the maximum
number of forwarding address entry stp tc-protection threshold
flushes that the device can perform The default setting is 6.
number
every 10 seconds.

Enabling BPDU drop

In a spanning tree network, every BPDU arriving at the device triggers an STP calculation process
and is then forwarded to other devices in the network. Malicious attackers might use the vulnerability
to attack the network by forging BPDUs. By continuously sending forged BPDUs, they can make all
devices in the network continue performing STP calculations. As a result, problems such as CPU
overload and BPDU protocol status errors occur.
To avoid this problem, you can enable BPDU drop on ports. A BPDU drop-enabled port does not
receive any BPDUs and is invulnerable to forged BPDU attacks.
To enable BPDU drop on an Ethernet interface:

125
 Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
3. Enable BPDU drop on the By default, BPDU drop is
interface. bpdu-drop any
disabled.

Enabling PVST BPDU guard

An MSTP-enabled device forwards PVST BPDUs as data traffic because it cannot recognize PVST
BPDUs. If a PVST-enabled device in another independent network receives the PVST BPDUs, a
PVST calculation error might occur. To avoid PVST calculation errors, enable PVST BPDU guard on
the MSTP-enabled device. The device shuts down a port if the port receives PVST BPDUs.
To enable PVST BPDU guard:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enable PVST BPDU guard. By default, PVST BPDU guard is

stp pvst-bpdu-protection
disabled.

Enabling the device to log events of detecting or

receiving TC BPDUs
This feature allows the device to generate logs when it detects or receives TC BPDUs. This feature
applies only to PVST mode.
To enable the device to log events of detecting or receiving TC BPDUs:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable the device to log By default, the device does not
events of receiving or stp log enable tc generate logs when it detects or
detecting TC BPDUs. receives TC BPDUs.

Disabling the device from reactivating edge ports

shut down by BPDU guard
A device enabled with BPDU guard shuts down edge ports that have received configuration BPDUs
and notifies the NMS of the shutdown event. After a port status detection interval, the device
reactivates the shutdown ports.
After you perform this task, the device stops reactivating the shutdown edge ports. This task takes
effect only on edge ports that are shut down by BPDU guard after you perform this task. To bring up
these ports, you must use the undo shutdown command.
For more information about the port status detection interval, see device management configuration
in Fundamentals Configuration Guide.

126
 To disable the device from reactivating edge ports shut down by BPDU guard:

Step Command Remarks

1. Enter system view. system-view N/A
By default, the device reactivates
2. Disable the device from an edge port that is shut down by
reactivating edge ports shut stp port shutdown permanent BPDU guard after the port status
down by BPDU guard. detection interval set by using the
shutdown-interval command.

Enabling SNMP notifications for new-root election

and topology change events
This task enables the device to generate logs and report new-root election events or spanning tree
topology changes to SNMP. For the event notifications to be sent correctly, you must also configure
SNMP on the device. For more information about SNMP configuration, see the network
management and monitoring configuration guide for the device.
When you use the snmp-agent trap enable stp [ new-root | tc ] command, follow these guidelines:
• The new-root keyword applies only to STP, MSTP, and RSTP modes.
• The tc keyword applies only to PVST mode.
• In STP, MSTP, or RSTP mode, the snmp-agent trap enable stp command enables SNMP
notifications for new-root election events.
• In PVST mode, the snmp-agent trap enable stp enables SNMP notifications for spanning tree
topology changes.
To enable SNMP notifications for new-root election and topology change events:

Step Command Remarks

1. Enter system view. system-view N/A
In STP, MSTP, or RSTP mode, The default settings are as
execute either of the following follows:
commands: • SNMP notifications are
2. Enable SNMP notifications
for new-root election events. • snmp-agent trap enable disabled for new-root
stp new-root election events.
• snmp-agent trap enable • In MSTP mode, SNMP
stp notifications are enabled in
MSTI 0 and disabled in other
In PVST mode, execute either of MSTIs for spanning tree
the following commands: topology changes.
3. Enable SNMP notifications
for spanning tree topology • snmp-agent trap enable • In PVST mode, SNMP
changes. stp tc notifications are disabled for
• snmp-agent trap enable spanning tree topology
stp changes in all VLANs.

Displaying and maintaining the spanning tree

Execute display commands in any view and reset command in user view.

127
 Task Command
Display history about ports blocked by spanning tree
display stp abnormal-port
protection features.
display stp bpdu-statistics [ interface
Display BPDU statistics on ports. interface-type interface-number [ instance
instance-list ] ]
Display information about ports shut down by spanning
display stp down-port
tree protection features.
Display the port role calculation history for the specified display stp [ instance instance-list | vlan
MSTI or all MSTIs. vlan-id-list ] history [ slot slot-number ]
Display the incoming and outgoing TC/TCN BPDU display stp [ instance instance-list | vlan
statistics by all ports in the specified MSTI or all MSTIs. vlan-id-list ] tc [ slot slot-number ]
display stp [ instance instance-list | vlan
Display the spanning tree status and statistics. vlan-id-list ] [ interface interface-list | slot
slot-number ] [ brief ]
Display the MST region configuration information that
display stp region-configuration
has taken effect.
Display the root bridge information of all MSTIs. display stp root
Clear the spanning tree statistics. reset stp [ interface interface-list ]

Spanning tree configuration example

MSTP configuration example
Network requirements
As shown in Figure 42, all devices on the network are in the same MST region. Device A and Device
B work at the distribution layer. Device C and Device D work at the access layer.
Configure MSTP so that frames of different VLANs are forwarded along different spanning trees.
• VLAN 10 frames are forwarded along MSTI 1.
• VLAN 30 frames are forwarded along MSTI 3.
• VLAN 40 frames are forwarded along MSTI 4.
• VLAN 20 frames are forwarded along MSTI 0.
VLAN 10 and VLAN 30 are terminated on the distribution layer devices, and VLAN 40 is terminated
on the access layer devices. The root bridges of MSTI 1 and MSTI 3 are Device A and Device B,
respectively, and the root bridge of MSTI 4 is Device C.

128
 Figure 42 Network diagram

MST region
Device A Device B
Permit: all VLAN
GE1/0/3 GE1/0/3
GE /2

GE
1/0 1/0

/
1/0
/2 GE

1/0
GE

/
1
Permit: VLANs 10 and Permit: VLANs 20 and
20 0 Pe 30
n d2 rm
it:
1 0a VL
AN
Ns
1

GE
A s2
/
1/0

L 0a
t: V GE

1/0
2 mi
nd
/0/
GE

r 30 1/0
E1

/
Pe /2

1
G
GE1/0/3 GE1/0/3
Permit: VLANs 20 and 40

Device C Device D

Configuration procedure
1. Configure VLANs and VLAN member ports. (Details not shown.)
 Create VLAN 10, VLAN 20, and VLAN 30 on both Device A and Device B.
 Create VLAN 10, VLAN 20, and VLAN 40 on Device C.
 Create VLAN 20, VLAN 30, and VLAN 40 on Device D.
 Configure the ports on these devices as trunk ports and assign them to related VLANs.
2. Configure Device A:
# Enter MST region view, and configure the MST region name as example.
<DeviceA> system-view
[DeviceA] stp region-configuration
[DeviceA-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceA-mst-region] instance 1 vlan 10
[DeviceA-mst-region] instance 3 vlan 30
[DeviceA-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceA-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceA-mst-region] active region-configuration
[DeviceA-mst-region] quit
# Configure the Device A as the root bridge of MSTI 1.
[DeviceA] stp instance 1 root primary
# Enable the spanning tree feature globally.
[DeviceA] stp global enable
3. Configure Device B:
# Enter MST region view, and configure the MST region name as example.
<DeviceB> system-view
[DeviceB] stp region-configuration
[DeviceB-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.

129
 [DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 3 vlan 30
[DeviceB-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceB-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# Configure Device B as the root bridge of MSTI 3.
[DeviceB] stp instance 3 root primary
# Enable the spanning tree feature globally.
[DeviceB] stp global enable
4. Configure Device C:
# Enter MST region view, and configure the MST region name as example.
<DeviceC> system-view
[DeviceC] stp region-configuration
[DeviceC-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceC-mst-region] instance 1 vlan 10
[DeviceC-mst-region] instance 3 vlan 30
[DeviceC-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceC-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceC-mst-region] active region-configuration
[DeviceC-mst-region] quit
# Configure the Device C as the root bridge of MSTI 4.
[DeviceC] stp instance 4 root primary
# Enable the spanning tree feature globally.
[DeviceC] stp global enable
5. Configure Device D:
# Enter MST region view, and configure the MST region name as example.
<DeviceD> system-view
[DeviceD] stp region-configuration
[DeviceD-mst-region] region-name example
# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.
[DeviceD-mst-region] instance 1 vlan 10
[DeviceD-mst-region] instance 3 vlan 30
[DeviceD-mst-region] instance 4 vlan 40
# Configure the revision level of the MST region as 0.
[DeviceD-mst-region] revision-level 0
# Activate MST region configuration.
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# Enable the spanning tree feature globally.
[DeviceD] stp global enable

130
Verifying the configuration
In this example, Device B has the lowest root bridge ID. As a result, Device B is elected as the root
bridge in MSTI 0.
When the network is stable, you can use the display stp brief command to display brief spanning
tree information on each device.
# Display brief spanning tree information on Device A.
[DeviceA] display stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 ALTE DISCARDING NONE
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
0 GigabitEthernet1/0/3 ROOT FORWARDING NONE
1 GigabitEthernet1/0/1 DESI FORWARDING NONE
1 GigabitEthernet1/0/3 DESI FORWARDING NONE
3 GigabitEthernet1/0/2 DESI FORWARDING NONE
3 GigabitEthernet1/0/3 ROOT FORWARDING NONE

# Display brief spanning tree information on Device B.

[DeviceB] display stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
0 GigabitEthernet1/0/3 DESI FORWARDING NONE
1 GigabitEthernet1/0/2 DESI FORWARDING NONE
1 GigabitEthernet1/0/3 ROOT FORWARDING NONE
3 GigabitEthernet1/0/1 DESI FORWARDING NONE
3 GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device C.

[DeviceC] display stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING NONE
0 GigabitEthernet1/0/2 ROOT FORWARDING NONE
0 GigabitEthernet1/0/3 DESI FORWARDING NONE
1 GigabitEthernet1/0/1 ROOT FORWARDING NONE
1 GigabitEthernet1/0/2 ALTE DISCARDING NONE
4 GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device D.

[DeviceD] display stp brief
MST ID Port Role STP State Protection
0 GigabitEthernet1/0/1 ROOT FORWARDING NONE
0 GigabitEthernet1/0/2 ALTE DISCARDING NONE
0 GigabitEthernet1/0/3 ALTE DISCARDING NONE
3 GigabitEthernet1/0/1 ROOT FORWARDING NONE
3 GigabitEthernet1/0/2 ALTE DISCARDING NONE
4 GigabitEthernet1/0/3 ROOT FORWARDING NONE

Based on the output, you can draw each MSTI mapped to each VLAN, as shown in Figure 43.

131
 Figure 43 MSTIs mapped to different VLANs

A B A B

C C D

MSTI 1 mapped to VLAN 10 MSTI 0 mapped to VLAN 20

A B

D C D

MSTI 3 mapped to VLAN 30 MSTI 4 mapped to VLAN 40

Root bridge Normal link Blocked link

PVST configuration example

Network requirements
As shown in Figure 44, Device A and Device B work at the distribution layer, and Device C and
Device D work at the access layer.
Configure PVST to meet the following requirements:
• Frames of a VLAN are forwarded along the spanning trees of the VLAN.
• VLAN 10, VLAN 20, and VLAN 30 are terminated on the distribution layer devices, and VLAN
40 is terminated on the access layer devices.
• The root bridge of VLAN 10 and VLAN 20 is Device A.
• The root bridge of VLAN 30 is Device B.
• The root bridge of VLAN 40 is Device C.

132
 Figure 44 Network diagram
Device A Device B
Permit: all VLAN
GE1/0/3 GE1/0/3
GE /2

/1

GE
1/0 1/0

1/0
/2 GE

1/0
GE

/1
Permit: VLANs 10 and Permit: VLANs 20 and
20 0 Pe 30
d2 rm
an it:
s 10 VL
AN
/1

AN

GE
s2
1/0

VL 0a GE

1/0
2 it:
/0/ nd
GE

1 erm 1/0

/1
GE P 30 /2

GE1/0/3 GE1/0/3
Permit: VLANs 20 and 40

Device C Device D

Configuration procedure
1. Configure VLANs and VLAN member ports. (Details not shown.)
 Create VLAN 10, VLAN 20, and VLAN 30 on both Device A and Device B.
 Create VLAN 10, VLAN 20, and VLAN 40 on Device C.
 Create VLAN 20, VLAN 30, and VLAN 40 on Device D.
 Configure the ports on these devices as trunk ports and assign them to related VLANs.
2. Configure Device A:
# Set the spanning tree mode to PVST.
<DeviceA> system-view
[DeviceA] stp mode pvst
# Configure the device as the root bridge of VLAN 10 and VLAN 20.
[DeviceA] stp vlan 10 20 root primary
# Enable the spanning tree feature globally and in VLAN 10, VLAN 20, and VLAN 30.
[DeviceA] stp global enable
[DeviceA] stp vlan 10 20 30 enable
3. Configure Device B:
# Set the spanning tree mode to PVST.
<DeviceB> system-view
[DeviceB] stp mode pvst
# Configure the device as the root bridge of VLAN 30.
[DeviceB] stp vlan 30 root primary
# Enable the spanning tree feature globally and in VLAN 10, VLAN 20, and VLAN 30.
[DeviceB] stp global enable
[DeviceB] stp vlan 10 20 30 enable
4. Configure Device C:
# Set the spanning tree mode to PVST.
<DeviceC> system-view
[DeviceC] stp mode pvst
# Configure the device as the root bridge of VLAN 40.
[DeviceC] stp vlan 40 root primary
# Enable the spanning tree feature globally and in VLAN 10, VLAN 20, and VLAN 40.
[DeviceC] stp global enable

133
 [DeviceC] stp vlan 10 20 40 enable
5. Configure Device D:
# Set the spanning tree mode to PVST.
<DeviceD> system-view
[DeviceD] stp mode pvst
# Enable the spanning tree feature globally and in VLAN 20, VLAN 30, and VLAN 40.
[DeviceD] stp global enable
[DeviceD] stp vlan 20 30 40 enable

Verifying the configuration

When the network is stable, you can use the display stp brief command to display brief spanning
tree information on each device.
# Display brief spanning tree information on Device A.
[DeviceA] display stp brief
VLAN ID Port Role STP State Protection
10 GigabitEthernet1/0/1 DESI FORWARDING NONE
10 GigabitEthernet1/0/3 DESI FORWARDING NONE
20 GigabitEthernet1/0/1 DESI FORWARDING NONE
20 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/3 DESI FORWARDING NONE
30 GigabitEthernet1/0/2 DESI FORWARDING NONE
30 GigabitEthernet1/0/3 ROOT FORWARDING NONE

# Display brief spanning tree information on Device B.

[DeviceB] display stp brief
VLAN ID Port Role STP State Protection
10 GigabitEthernet1/0/2 DESI FORWARDING NONE
10 GigabitEthernet1/0/3 ROOT FORWARDING NONE
20 GigabitEthernet1/0/1 DESI FORWARDING NONE
20 GigabitEthernet1/0/2 DESI FORWARDING NONE
20 GigabitEthernet1/0/3 ROOT FORWARDING NONE
30 GigabitEthernet1/0/1 DESI FORWARDING NONE
30 GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device C.

[DeviceC] display stp brief
VLAN ID Port Role STP State Protection
10 GigabitEthernet1/0/1 ROOT FORWARDING NONE
10 GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 GigabitEthernet1/0/1 ROOT FORWARDING NONE
20 GigabitEthernet1/0/2 ALTE DISCARDING NONE
20 GigabitEthernet1/0/3 DESI FORWARDING NONE
40 GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device D.

[DeviceD] display stp brief
VLAN ID Port Role STP State Protection
20 GigabitEthernet1/0/1 ALTE DISCARDING NONE
20 GigabitEthernet1/0/2 ROOT FORWARDING NONE
20 GigabitEthernet1/0/3 ALTE DISCARDING NONE
30 GigabitEthernet1/0/1 ROOT FORWARDING NONE

134
 30 GigabitEthernet1/0/2 ALTE DISCARDING NONE
40 GigabitEthernet1/0/3 ROOT FORWARDING NONE

Based on the output, you can draw a topology for each VLAN spanning tree, as shown in Figure 45.
Figure 45 VLAN spanning tree topologies

A B A B

C C D

Spanning tree for VLAN 10 Spanning tree for VLAN 20

A B

D C D

Spanning tree for VLAN 30 Spanning tree for VLAN 40

Root bridge Normal link Blocked link

135
Configuring loop detection
Overview
Incorrect network connections or configurations can create Layer 2 loops, which results in repeated
transmission of broadcasts, multicasts, or unknown unicasts. The repeated transmissions can waste
network resources and can paralyze networks. The loop detection mechanism immediately
generates a log when a loop occurs so that you are promptly notified to adjust network connections
and configurations. You can configure loop detection to shut down the looped port. Logs are
maintained in the information center. For more information, see Network Management and
Monitoring Configuration Guide.

Loop detection mechanism

The device detects loops by sending detection frames and then checking whether these frames
return to any port on the device. If they do, the device considers that the port is on a looped link.
Loop detection usually works within a VLAN. If a detection frame is returned with a different VLAN
tag than it was sent out with, an inter-VLAN loop has occurred. To remove the loop, examine the
QinQ or VLAN mapping configuration for incorrect settings. For more information about QinQ and
VLAN mapping, see "Configuring QinQ" and "Configuring VLAN mapping."
Figure 46 Ethernet frame header for loop detection
0 15 31
DMAC

SMAC

TPID TCI

Type

The Ethernet frame header for loop detection contains the following fields:
• DMAC—Destination MAC address of the frame, which is the multicast MAC address
010f-e200-0007. When a loop detection-enabled device receives a frame with this destination
MAC address, it performs the following operations:
 Sends the frame to the CPU.
 Floods the frame in the VLAN from which the frame was originally received.
• SMAC—Source MAC address of the frame, which is the bridge MAC address of the sending
device.
• TPID—Type of the VLAN tag, with the value of 0x8100.
• TCI—Information of the VLAN tag, including the priority and VLAN ID.
• Type—Protocol type, with the value of 0x8918.
Figure 47 Inner frame header for loop detection
0 15 31
Code Version

Length Reserved

136
 The inner frame header for loop detection contains the following fields:
• Code—Protocol sub-type, which is 0x0001, indicating the loop detection protocol.
• Version—Protocol version, which is always 0x0000.
• Length—Length of the frame. The value includes the inner header, but excludes the Ethernet
header.
• Reserved—This field is reserved.
Frames for loop detection are encapsulated as TLV triplets.
Table 14 TLVs supported by loop detection

TLV Description Remarks

End of PDU End of a PDU. Optional.

Device ID Bridge MAC address of the sending device. Required.

Port ID ID of the PDU sending port. Optional.

Port Name Name of the PDU sending port. Optional.

System Name Device name. Optional.

Chassis ID Chassis ID of the sending port. Optional.

Slot ID Slot ID of the sending port. Optional.

Sub Slot ID Sub-slot ID of the sending port. Optional.

Loop detection interval

Loop detection is a continuous process as the network changes. Loop detection frames are sent at
the loop detection interval to determine whether loops occur on ports and whether loops are
removed.

Loop protection actions

When the device detects a loop on a port, it generates a log but performs no action on the port by
default. You can configure the device to take one of the following actions:
• Block—Disables the port from learning MAC addresses and blocks the port.
• No-learning—Disables the port from learning MAC addresses.
• Shutdown—Shuts down the port to disable it from receiving and sending any frames.

Port status auto recovery

When the device configured with the block or no-learning loop action detects a loop on a port, it
performs the action and waits three loop detection intervals. If the device does not receive a loop
detection frame within three loop detection intervals, it performs the following operations:
• Automatically sets the port to the forwarding state.
• Notifies the user of the event.
When the device configured with the shutdown action detects a loop on a port, the following events
occur:

137
 1. The device automatically shuts down the port.
2. The device automatically sets the port to the forwarding state after the detection timer set by
using the shutdown-interval command expires. For more information about the
shutdown-interval command, see Fundamentals Command Reference.
3. The device shuts down the port again if a loop is still detected on the port when the detection
timer expires.
This process is repeated until the loop is removed.

NOTE:
Incorrect recovery can occur when loop detection frames are discarded to reduce the load. To avoid
this, use the shutdown action, or manually remove the loop.

Loop detection configuration task list

Tasks at a glance
(Required.) Enabling loop detection

(Optional.) Setting the loop protection action

(Optional.) Setting the loop detection interval

Enabling loop detection

The loop protection action on a port can be triggered even if loop detection is disabled on the port
when the following requirements are met:
• Loop detection is enabled globally or on any other port on the device.
• The port receives a loop detection frame of any VLAN.

Enabling loop detection globally

Step Command Remarks
1. Enter system view. system-view N/A
2. Globally enable loop loopback-detection global
detection. Disabled by default.
enable vlan { vlan-id--list | all }

Enabling loop detection on a port

Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Enable loop detection on the loopback-detection enable vlan

port. Disabled by default.
{ vlan-id--list | all }

138
Setting the loop protection action
You can set the loop protection action globally or on a per-port basis. The global setting applies to all
ports. The per-port setting applies to the individual ports. The per-port setting takes precedence over
the global setting.

Setting the global loop protection action

Step Command Remarks
1. Enter system view. system-view N/A

2. Set the global loop protection By default, the device generates a

loopback-detection global
action. log but performs no action on the
action shutdown
port on which a loop is detected.

Setting the loop protection action on a Layer 2 Ethernet

interface
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
By default, the device
3. Set the loop protection action loopback-detection action generates a log but performs
on the interface. { block | no-learning | shutdown } no action on the port on which
a loop is detected.

Setting the loop protection action on a Layer 2 aggregate

interface
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 aggregate interface interface-type
interface view. N/A
interface-number
By default, the device
3. Set the loop protection action loopback-detection action generates a log but performs
on the interface. shutdown no action on the port on which
a loop is detected.

Setting the loop detection interval

With loop detection enabled, the device sends loop detection frames at the loopback detection
interval. A shorter interval offers more sensitive detection but consumes more resources. Consider
the system performance and loop detection speed when you set the loop detection interval.
To set the loop detection interval:

139
 Step Command Remarks
1. Enter system view. system-view N/A
2. Set the loop detection loopback-detection
interval. The default setting is 30 seconds.
interval-time interval

Displaying and maintaining loop detection

Execute display commands in any view.

Task Command
Display the loop detection configuration and status. display loopback-detection

Loop detection configuration example

Network requirements
As shown in Figure 48, configure loop detection on Device A to meet the following requirements:
• Device A generates a log as a notification.
• Device A automatically shuts down the port on which a loop is detected.
Figure 48 Network diagram

Device A
/1

GE
1/0

1/0
GE

/2
/2

GE
1/0

1/0
GE

/1

GE1/0/1 GE1/0/2

Device B Device C

VLAN 100

Configuration procedure
1. Configure Device A:
# Create VLAN 100, and globally enable loop detection for the VLAN.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] quit
[DeviceA] loopback-detection global enable vlan 100

140
 # Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports, and assign them to
VLAN 100.
[DeviceA] interface GigabitEthernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-type trunk
[DeviceA-GigabitEthernet1/0/1] port trunk permit vlan 100
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 100
[DeviceA-GigabitEthernet1/0/2] quit
# Set the global loop protection action to shutdown.
[DeviceA] loopback-detection global action shutdown
# Set the loop detection interval to 35 seconds.
[DeviceA] loopback-detection interval-time 35
2. Configure Device B:
# Create VLAN 100.
<DeviceB> system-view
[DeviceB] vlan 100
[DeviceB–vlan100] quit
# Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports, and assign them to
VLAN 100.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 100
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 100
[DeviceB-GigabitEthernet1/0/2] quit
3. Configure Device C:
# Create VLAN 100.
<DeviceC> system-view
[DeviceC] vlan 100
[DeviceC–vlan100] quit
# Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports, and assign them to
VLAN 100.
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 100
[DeviceC-GigabitEthernet1/0/1] quit
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] port link-type trunk
[DeviceC-GigabitEthernet1/0/2] port trunk permit vlan 100
[DeviceC-GigabitEthernet1/0/2] quit

Verifying the configuration

# View the system logs on devices, for example, Device A.

141
[DeviceA]
%Feb 24 15:04:29:663 2013 DeviceA LPDT/4/LPDT LOOPED: Loopback exists on
GigabitEthernet1/0/1.
%Feb 24 15:04:29:667 2013 DeviceA LPDT/4/LPDT LOOPED: Loopback exists on
GigabitEthernet1/0/2.
%Feb 24 15:04:44:243 2013 DeviceA LPDT/5/LPDT RECOVERED: Loopback on GigabitEthernet1/0/1
recovered.
%Feb 24 15:04:44:248 2013 DeviceA LPDT/5/LPDT RECOVERED: Loopback on GigabitEthernet1/0/2
recovered.

The output shows the following information:

• Device A detected loops on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 within a loop
detection interval.
• Loops on GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 were removed.
# Use the display loopback-detection command to display the loop detection configuration and
status on devices, for example, Device A.
[DeviceA] display loopback-detection
Loop detection is enabled.
Loop detection interval is 35 second(s).
No loopback is detected.

The output shows that the device has removed the loops from GigabitEthernet 1/0/1 and
GigabitEthernet 1/0/2 according to the shutdown action.
# Display the status of GigabitEthernet 1/0/1 on devices, for example, Device A.
[DeviceA] display interface gigabitethernet 1/0/1
GigabitEthernet1/0/1 current state: DOWN (Loop detection down)
...

The output shows that GigabitEthernet 1/0/1 is already shut down by the loop detection module.
# Display the status of GigabitEthernet 1/0/2 on devices, for example, Device A.
[DeviceA] display interface gigabitethernet 1/0/2
GigabitEthernet1/0/2 current state: DOWN (Loop detection down)
...

The output shows that GigabitEthernet 1/0/2 is already shut down by the loop detection module.

142
Configuring VLANs
Overview
Ethernet is a family of shared-media LAN technologies based on the CSMA/CD mechanism. An
Ethernet LAN is both a collision domain and a broadcast domain. Because the medium is shared,
collisions and broadcasts are common in an Ethernet LAN. Typically, bridges and Layer 2 switches
can reduce collisions in an Ethernet LAN. To confine broadcasts, a Layer 2 switch must use the
Virtual Local Area Network (VLAN) technology.
VLANs enable a Layer 2 switch to break a LAN down into smaller broadcast domains, as shown in
Figure 49.
Figure 49 A VLAN diagram
VLAN 2

Switch A Switch B
Router

VLAN 5

A VLAN is logically divided on an organizational basis rather than on a physical basis. For example,
you can assign all workstations and servers used by a particular workgroup to the same VLAN,
regardless of their physical locations. Hosts in the same VLAN can directly communicate with one
another. You need a router or a Layer 3 switch for hosts in different VLANs to communicate with one
another.
All these VLAN features reduce bandwidth waste, improve LAN security, and enable flexible virtual
group creation.

VLAN frame encapsulation

To identify Ethernet frames from different VLANs, IEEE 802.1Q inserts a four-byte VLAN tag
between the destination and source MAC address (DA&SA) field and the Type field.
Figure 50 VLAN tag placement and format
VLAN Tag

DA&SA TPID Priority CFI VLAN ID Type Data FCS

A VLAN tag includes the following fields:

• TPID—16-bit tag protocol identifier that indicates whether a frame is VLAN-tagged. By default,
the hexadecimal TPID value 8100 identifies a VLAN-tagged frame. A device vendor can set the

143
 TPID to a different value. For compatibility with a neighbor device, set the TPID value on the
device to be the same as the neighbor device. For more information about setting the TPID
value, see "Configuring QinQ."
• Priority—3-bit long, identifies the 802.1p priority of the frame. For more information, see ACL
and QoS Configuration Guide.
• CFI—1-bit long canonical format indicator that indicates whether the MAC addresses are
encapsulated in the standard format when packets are transmitted across different media.
Available values include:
 0 (default)—The MAC addresses are encapsulated in the standard format.
 1—The MAC addresses are encapsulated in a non-standard format.
This field is always set to 0 for Ethernet.
• VLAN ID—12-bit long, identifies the VLAN to which the frame belongs. The VLAN ID range is 0
to 4095. VLAN IDs 0 and 4095 are reserved, and VLAN IDs 1 to 4094 are user configurable.
The way a network device handles an incoming frame depends on whether the frame has a VLAN
tag and the value of the VLAN tag (if any). For more information, see "Introduction."
Ethernet supports encapsulation formats Ethernet II, 802.3/802.2 LLC, 802.3/802.2 SNAP, and
802.3 raw. The Ethernet II encapsulation format is used here. For information about the VLAN tag
fields in other frame encapsulation formats, see related protocols and standards.
For a frame that has multiple VLAN tags, the device handles it according to its outermost VLAN tag
and transmits its inner VLAN tags as the payload.

Protocols and standards

IEEE 802.1Q, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area
Networks

Configuring a VLAN
Restrictions and guidelines
When you configure a VLAN, follow these restrictions and guideline:
• As the system default VLAN, VLAN 1 cannot be created or deleted.
• Before you delete a dynamic VLAN or a VLAN locked by an application, you must first remove
the configuration from the VLAN.

Configuration procedure
To configure a VLAN:

Step Command Remarks

1. Enter system view. system-view N/A
2. (Optional.) Create a
VLAN and enter its By default, only the system default VLAN
view, or create a list of vlan { vlan-id-list | all }
(VLAN 1) exists.
VLANs.

3. Enter VLAN view. To configure a VLAN after you create a list

vlan vlan-id
of VLANs, you must perform this step.
4. Set a name for the By default, the name of a VLAN is VLAN
VLAN. name text
vlan-id. The vlan-id argument specifies

144
 Step Command Remarks
the VLAN ID in a four-digit format. If the
VLAN ID has fewer than four digits,
leading zeros are added. For example, the
name of VLAN 100 is VLAN 0100.
By default, the description of a VLAN is
VLAN vlan-id. The vlan-id argument
5. Configure the specifies the VLAN ID in a four-digit
description for the description text format. If the VLAN ID has fewer than four
VLAN. digits, leading zeros are added. For
example, the default description of VLAN
100 is VLAN 0100.

Configuring VLAN interfaces

Hosts of different VLANs use VLAN interfaces to communicate at Layer 3. VLAN interfaces are
virtual interfaces that do not exist as physical entities on devices. For each VLAN, you can create
one VLAN interface and assign an IP address to it. The VLAN interface acts as the gateway of the
VLAN to forward packets destined for another IP subnet at Layer 3.

Configuring basic settings of a VLAN interface

When you configure a VLAN interface, follow these restrictions and guidelines:
• Before you create a VLAN interface for a VLAN, create the VLAN first.
• You cannot create VLAN interfaces for sub-VLANs. For more information about sub-VLANs,
see "Configuring super VLANs."
• You cannot create VLAN interfaces for secondary VLANs that have the following
characteristics:
 Associated with the same primary VLAN.
 Enabled with Layer 3 communication in VLAN interface view of the primary VLAN interface.
For more information about secondary VLANs, see "Configuring the private VLAN."
To configure basic settings of a VLAN interface:

Step Command Remarks

1. Enter system view. system-view N/A
If the VLAN interface already exists,
2. Create a VLAN interface interface vlan-interface you enter its view directly.
and enter its view. interface-number
By default, no VLAN interfaces exist.
3. Assign an IP address to ip address ip-address { mask | By default, no IP address is assigned to
the VLAN interface. mask-length } [ sub ] a VLAN interface.

4. Configure the description The default setting is the VLAN

for the VLAN interface. description text interface name. For example,
Vlan-interface1 Interface.

5. (Optional.) Specify a traffic By default, no traffic processing slot is

processing slot for the specified for the VLAN interface. Traffic
service slot slot-number
VLAN interface. on a VLAN interface is processed on
the slot at which the traffic arrives.
6. Set the MTU for the VLAN
interface. mtu size The default setting is 1500 bytes.

145
 Step Command Remarks
7. Set the expected By default, the expected bandwidth (in
bandwidth for the bandwidth bandwidth-value kbps) is the interface baud rate divided
interface. by 1000.
8. (Optional.) Restore the
default settings for the default N/A
VLAN interface.
9. (Optional.) Bring up the
VLAN interface. undo shutdown N/A

Configuring port-based VLANs

Introduction
Port-based VLANs group VLAN members by port. A port forwards packets from a VLAN only after it
is assigned to the VLAN.
Port link type
You can set the link type of a port to access, trunk, or hybrid. The port link type determines whether
the port can be assigned to multiple VLANs. The link types use the following VLAN tag handling
methods:
• Access—An access port can forward packets only from one VLAN and send these packets
untagged. An access port is typically used in the following conditions:
 Connecting to a terminal device that does not support VLAN packets.
 In scenarios that do not distinguish VLANs.
• Trunk—A trunk port can forward packets from multiple VLANs. Except packets from the port
VLAN ID (PVID), packets sent out of a trunk port are VLAN-tagged. Ports connecting network
devices are typically configured as trunk ports.
• Hybrid—A hybrid port can forward packets from multiple VLANs. The tagging status of the
packets forwarded by a hybrid port depends on the port configuration. In one-to-two VLAN
mapping, hybrid ports are used to remove SVLAN tags for downlink traffic. For more
information about one-to-two VLAN mapping, see "Configuring VLAN mapping."
PVID
The PVID identifies the default VLAN of a port. Untagged packets received on a port are considered
as the packets from the port PVID.
When you set the PVID for a port, follow these restrictions and guidelines:
• An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID
of the port.
• A trunk or hybrid port supports multiple VLANs and the PVID configuration.
• When you use the undo vlan command to delete the PVID of a port, either of the following
events occurs depending on the port link type:
 For an access port, the PVID of the port changes to VLAN 1.
 For a hybrid or trunk port, the PVID setting of the port does not change.
You can use a nonexistent VLAN as the PVID for a hybrid or trunk port, but not for an access
port.
• As a best practice, set the same PVID for a local port and its peer.
• To prevent a port from dropping untagged packets or PVID-tagged packets, assign the port to
its PVID.

146
How ports of different link types handle frames

Actions Access Trunk Hybrid

In the inbound • If the PVID is permitted on the port, tags the frame with
Tags the frame with the the PVID tag.
direction for an
PVID tag.
untagged frame • If not, drops the frame.
• Receives the
frame if its VLAN
ID is the same as
In the inbound the PVID. • Receives the frame if its VLAN is permitted on the port.
direction for a
• Drops the frame if • Drops the frame if its VLAN is not permitted on the port.
tagged frame
its VLAN ID is
different from the
PVID.
• Removes the tag
and sends the frame
if the frame carries
the PVID tag and the
port belongs to the Sends the frame if its VLAN is
PVID. permitted on the port. The
In the outbound Removes the VLAN tag
tagging status of the frame
direction and sends the frame. • Sends the frame
depends on the port hybrid
without removing the vlan command configuration.
tag if its VLAN is
carried on the port
but is different from
the PVID.

In a VLAN-aware network, the default processing order for untagged packets is as follows, in
descending order of priority:
• MAC-based VLANs.
• IP subnet-based VLANs.
• Protocol-based VLANs.
• Port-based VLANs.

Assigning an access port to a VLAN

You can assign an access port to a VLAN in VLAN view or interface view.
Make sure the VLAN has been created.
Assign one or multiple access ports to a VLAN in VLAN view

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter VLAN view. vlan vlan-id N/A
3. Assign one or multiple By default, all ports belong to
access ports to the VLAN. port interface-list
VLAN 1.

Assign an access port to a VLAN in interface view

Step Command Remarks

1. Enter system view. system-view N/A

Enter interface view. • Enter Layer 2 Ethernet interface

2. N/A
view:

147
 Step Command Remarks
interface interface-type
interface-number
• Enter Layer 2 aggregate interface
view:
interface bridge-aggregation
interface-number
3. Set the port link type to By default, all ports are
access. port link-type access
access ports.
4. (Optional.) Assign the By default, all access ports
access port to a VLAN. port access vlan vlan-id
belong to VLAN 1.

Assigning a trunk port to a VLAN

A trunk port supports multiple VLANs. You can assign it to a VLAN in interface view.
When you assign a trunk port to a VLAN, follow these restrictions and guidelines:
• To change the link type of a port from trunk to hybrid, set the link type to access first.
• To enable a trunk port to transmit packets from its PVID, you must assign the trunk port to the
PVID by using the port trunk permit vlan command.
To assign a trunk port to one or multiple VLANs:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface view:
interface interface-type
interface-number
2. Enter interface view. N/A
• Enter Layer 2 aggregate interface view:
interface bridge-aggregation
interface-number
3. Set the port link type to By default, all ports are
trunk. port link-type trunk
access ports.
4. Assign the trunk port to By default, a trunk port
the specified VLANs. port trunk permit vlan { vlan-id-list | all }
permits only VLAN 1.
5. (Optional.) Set the The default setting is VLAN
PVID for the trunk port. port trunk pvid vlan vlan-id
1.

Assigning a hybrid port to a VLAN

A hybrid port supports multiple VLANs. You can assign it to the specified VLANs in interface view.
Make sure the VLANs have been created.
When you assign a hybrid port to a VLAN, follow these restrictions and guidelines:
• To change the link type of a port from trunk to hybrid, set the link type to access first.
• To enable a hybrid port to transmit packets from its PVID, you must assign the hybrid port to the
PVID by using the port hybrid vlan command.
To assign a hybrid port to one or multiple VLANs:

148
 Step Command Remarks
1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface view:
interface interface-type
interface-number
2. Enter interface view. N/A
• Enter Layer 2 aggregate interface view:
interface bridge-aggregation
interface-number
3. Set the port link type to By default, all ports are
hybrid. port link-type hybrid
access ports.
By default, the hybrid port is
Assign the hybrid port an untagged member of the
4. port hybrid vlan vlan-id-list { tagged |
to the specified VLANs. VLAN to which the port
untagged }
belongs when its link type is
access.
By default, the PVID of a
5. (Optional.) Set the hybrid port is the ID of the
PVID for the hybrid port hybrid pvid vlan vlan-id VLAN to which the port
port. belongs when its link type is
access.

Configuring MAC-based VLANs

Introduction
This feature is available only on hybrid ports.
The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses. This feature
is also called user-based VLAN because VLAN configuration remains the same regardless of a
user's physical location.
Static MAC-based VLAN assignment
Use static MAC-based VLAN assignment in networks that have a small number of VLAN users. To
configure static MAC-based VLAN assignment on a port, perform the following tasks:
1. Create MAC-to-VLAN entries.
2. Enable the MAC-based VLAN feature on the port.
3. Assign the port to the MAC-based VLAN.
A port configured with static MAC-based VLAN assignment processes a received frame as follows
before sending the frame out:
• For an untagged frame, the port determines its VLAN ID in the following workflow:
a. The port first performs a fuzzy match as follows:
− Searches for the MAC-to-VLAN entries whose masks are not all Fs.
− Performs a logical AND operation on the source MAC address and each of these
masks.
If an AND operation result matches the MAC address in a MAC-to-VLAN entry, the port
tags the frame with the VLAN ID specific to this entry.
b. If the fuzzy match fails, the port performs an exact match. It searches for MAC-to-VLAN
entries whose masks are all Fs. If the source MAC address of the frame exactly matches the
MAC address of a MAC-to-VLAN entry, the port tags the frame with the VLAN ID specific to
this entry.

149
 c. If no matching VLAN ID is found, the port determines the VLAN for the packet by using the
following VLAN match order:
− IP subnet-based VLAN.
− Protocol-based VLAN.
− Port-based VLAN.
When a match is found, the port tags the packet with the matching VLAN ID.
• For a tagged frame, the port determines whether the VLAN ID of the frame is permitted on the
port.
 If the VLAN ID of the frame is permitted on the port, the port forwards the frame.
 If the VLAN ID of the frame is not permitted on the port, the port drops the frame.
Dynamic MAC-based VLAN assignment
When you cannot determine the target MAC-based VLANs of a port, use dynamic MAC-based VLAN
assignment on the port. To use dynamic MAC-based VLAN assignment, perform the following tasks:
1. Create MAC-to-VLAN entries.
2. Enable the MAC-based VLAN feature on the port.
3. Enable dynamic MAC-based VLAN assignment on the port.
Dynamic MAC-based VLAN assignment uses the following workflow, as shown in Figure 51:
1. When a port receives a frame, it first determines whether the frame is tagged.
 If the frame is tagged, the port gets the source MAC address of the frame.
 If the frame is untagged, the port selects a VLAN for the frame by using the following
matching order:
− MAC-based VLAN (fuzzy and exact MAC address match).
− IP subnet-based VLAN.
− Protocol-based VLAN.
− Port-based VLAN.
After tagging the frame with the selected VLAN, the port gets the source MAC address of the
frame.
2. The port uses the source address and VLAN of the frame to match the MAC-to VLAN entries.
 If the source MAC address of the frame exactly matches the MAC address in a
MAC-to-VLAN entry, the port checks whether the VLAN ID of the frame matches the VLAN
in the entry.
− If the two VLAN IDs match, the port joins the VLAN and forwards the frame.
− If the two VLAN IDs do not match, the port drops the frame.
 If the source MAC address of the frame does not exactly match any MAC addresses in
MAC-to-VLAN entries, the port checks whether the VLAN ID of the frame is its PVID.
− If the VLAN ID of the frame is the PVID of the port, the port determines whether it allows
the PVID.
If the PVID is allowed, the port forwards the frame within the PVID. If the PVID is not
allowed, the port drops the frame.
− If the VLAN ID of the frame is not the PVID of the port, the port determines whether the
VLAN ID is the primary VLAN ID and the port PVID is a secondary VLAN ID.
If yes, the port forwards the frame. Otherwise, the port drops the frame.

150
 Figure 51 Flowchart for processing a frame in dynamic MAC-based VLAN assignment
The port receives a
frame

No
Tagged frame ?

Yes

Selects a VLAN for the

Gets the source MAC
frame

Uses source MAC to

match the MAC in MAC-
to-VLAN entries

MAC addresses No No Yes

VLAN ID match the Is the VLAN ID the primary VLAN ID and the
match? port PVID? port PVID a secondary VLAN ID?
Yes Yes
No

No VLAN IDs No
PVID allowed? Drops the frame
match?

Yes Yes

Forwards the frame in

Drops the frame Joins the VLAN
the VLAN

When you configure dynamic MAC-based VLAN assignment, follow these guidelines:
• When a port joins a VLAN specified in the MAC-to-VLAN entry, one of the following events
occurs depending on the port configuration:
 If the port has not been configured to allow packets from the VLAN to pass through, the port
joins the VLAN as an untagged member.
 If the port has been configured to allow packets from the VLAN to pass through, the port
configuration remains the same.
• If you configure both static and dynamic MAC-based VLAN assignments on a port, dynamic
MAC-based VLAN assignment takes effect.
• The 802.1p priority of the VLAN in a MAC-to-VLAN entry determines the transmission priority of
the matching packets.
Server-assigned MAC-based VLAN
Use this feature with access authentication, such as MAC-based 802.1X authentication, to
implement secure and flexible terminal access.
To implement server-assigned MAC-based VLAN, perform the following tasks:
1. Configure the server-assigned MAC-based VLAN feature on the access device.
2. Configure username-to-VLAN entries on the access authentication server.
When a user passes authentication of the access authentication server, the server assigns the
authorization VLAN information for the user to the device. The device then performs the following
operations:
1. Generates a MAC-to-VLAN entry by using the source MAC address of the user packet and the
authorization VLAN information. The authorization VLAN is a MAC-based VLAN.
The generated MAC-to-VLAN entry cannot conflict with the existing static MAC-to-VLAN entries.
If a confliction exists, the dynamic MAC-to-VLAN entry cannot be generated.

151
 2. Assigns the port that connects the user to the MAC-based VLAN.
When the user goes offline, the device automatically deletes the MAC-to-VLAN entry and removes
the port from the MAC-based VLAN. For more information about 802.1X and MAC authentication,
see Security Configuration Guide.

General configuration restrictions and guidelines

When you configure MAC-based VLANs, follow these restrictions and guideline:
• Do not configure a VLAN as both a super VLAN and a MAC-based VLAN.
• The MAC-based VLAN feature is mainly configured on downlink ports of user access devices.
Do not use this feature with link aggregation.

Configuring static MAC-based VLAN assignment

Step Command Remarks
1. Enter system view. system-view N/A

Create a MAC-to-VLAN mac-vlan mac-address mac-address

2. By default, no MAC-to-VLAN
entry. [ mask mac-mask ] vlan vlan-id [ dot1q
entries exist.
priority ]

3. Enter Layer 2 Ethernet

interface view. interface interface-type interface-number N/A

4. Set the port link type to By default, all ports are access
hybrid. port link-type hybrid
ports.
By default, a hybrid port is an
Assign the hybrid port to untagged member of the
5. port hybrid vlan vlan-id-list { tagged |
the MAC-based VLANs. VLAN to which the port
untagged }
belongs when its link type is
access.
6. Enable the MAC-based By default, this feature is
VLAN feature. mac-vlan enable
disabled.

7. (Optional.) Configure By default, the system assigns

the system to assign VLANs based on the MAC
VLANs based on the address preferentially when
vlan precedence mac-vlan
MAC address both the MAC-based VLAN
preferentially. and IP subnet-based VLAN
are configured on a port.

Configuring dynamic MAC-based VLAN assignment

Configuration restrictions and guidelines
When you configure dynamic MAC-based VLAN assignment, follow these restrictions and guideline:
• As a best practice to ensure correct operation of 802.1X and MAC authentication, do not use
dynamic MAC-based VLAN assignment with 802.1X or MAC authentication.
• When dynamic MAC-based VLAN assignment is enabled on a port, the configuration of
disabling of MAC address learning does not take effect.
• For successful dynamic MAC-based VLAN assignment, use static VLANs when you create
MAC-to-VLAN entries.
• As a best practice, do not use dynamic MAC-based VLAN assignment with MSTP. In MSTP
mode, if a port is blocked in the MSTI of its target VLAN, the port drops the received packets

152
 instead of delivering them to the CPU. As a result, the port will not be dynamically assigned to
the target VLAN.
• As a best practice, do not use dynamic MAC-based VLAN assignment with PVST. In PVST
mode, if the target VLAN of a port is not permitted on the port, the port is placed in blocked
state. The port drops the received packets instead of delivering them to the CPU. As a result,
the port will not be dynamically assigned to the target VLAN.
• As a best practice, do not configure both dynamic MAC-based VLAN assignment and automatic
voice VLAN assignment mode on a port. They can have a negative impact on each other.
Configuration procedure
To configure dynamic MAC-based VLAN assignment:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a mac-vlan mac-address mac-address By default, no MAC-to-VLAN
MAC-to-VLAN entry. vlan vlan-id [ dot1q priority ] entries exist.
3. Enter Layer 2 Ethernet
interface view. interface interface-type interface-number N/A

4. Set the port link type to By default, all ports are access
hybrid. port link-type hybrid
ports.
5. Enable the
MAC-based VLAN By default, MAC-based VLAN
mac-vlan enable
feature. is disabled.

By default, dynamic
MAC-based VLAN assignment
is disabled.
6. Enable dynamic The VLAN assignment for a
MAC-based VLAN mac-vlan trigger enable port is triggered only when the
assignment. source MAC address of its
receiving packet exactly
matches the MAC address in a
MAC-to-VLAN entry.

7. (Optional.) Configure By default, the system assigns

the system to assign VLANs based on the MAC
VLANs based on the address preferentially when
vlan precedence mac-vlan
MAC address both the MAC-based VLAN and
preferentially. IP subnet-based VLAN are
configured on a port.
8. (Optional.) Disable the By default, when a port
port from forwarding receives packets whose source
packets that fail the port pvid forbidden MAC addresses fail the exact
exact MAC address match, the port forwards them
match in its PVID. in its PVID.

Configuring server-assigned MAC-based VLAN

Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view. interface interface-type interface-number N/A

3. Set the port link type to By default, all ports are

hybrid. port link-type hybrid
access ports.

153
 Step Command Remarks
By default, a hybrid port is an
4. Assign the hybrid port untagged member of the
to the MAC-based port hybrid vlan vlan-id-list { tagged |
VLAN to which the port
VLANs. untagged }
belongs when its link type is
access.
5. Enable the
MAC-based VLAN By default, MAC-based VLAN
mac-vlan enable
feature. is disabled.

6. Configure 802.1X or For more information, see Security

MAC authentication. N/A
Command Reference.

Configuring IP subnet-based VLANs

In this method, untagged packets are assigned to VLANs based on their source IP addresses and
subnet masks. A port configured with IP subnet-based VLANs assigns a received untagged packet
to a VLAN based on the source address of the packet.
Use this feature when untagged packets from an IP subnet or IP address must be transmitted in a
VLAN.
This feature is available only on hybrid ports, and it processes only untagged packets.
An IP subnet-based VLAN has one or multiple subnets to match inbound packets. Each subnet has
a unique index in the IP subnet-based VLAN. All subnets in an IP subnet-based VLAN have the
same VLAN ID.
To configure an IP subnet-based VLAN:

Task Command Remarks

1. Enter system view. system-view N/A
2. Enter VLAN view. vlan vlan-id N/A
By default, a VLAN is not
associated with an IP subnet or IP
3. Associate the VLAN with address.
an IP subnet or IP ip-subnet-vlan [ ip-subnet-index ] ip
address. ip-address [ mask ] A multicast subnet or a multicast
address cannot be associated with
a VLAN.
4. Return to system view. quit N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
interface-number
5. Enter interface view. N/A
• Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
6. Set the port link type to By default, all ports are access
hybrid. port link-type hybrid
ports.

7. Assign the hybrid port to By default, a hybrid port is an

the specified IP port hybrid vlan vlan-id-list untagged member of the VLAN to
subnet-based VLANs. { tagged | untagged } which the port belongs when its
link type is access.
8. Associate the hybrid port port hybrid ip-subnet-vlan vlan By default, a hybrid port is not

154
 Task Command Remarks
with the specified IP vlan-id associated with a subnet-based
subnet-based VLAN. VLAN.

Configuring protocol-based VLANs

The protocol-based VLAN feature assigns inbound packets to different VLANs based on their
protocol types and encapsulation formats. The protocols available for VLAN assignment include IP,
IPX, and AT. The encapsulation formats include Ethernet II, 802.3 raw, 802.2 LLC, and 802.2 SNAP.
This feature is available only on hybrid ports, and it processes only untagged packets. It associates
the available network service types with VLANs and facilitates network management and
maintenance.
A protocol-based VLAN has one or multiple protocol templates. A protocol template defines a
protocol type and an encapsulation format as the match criteria to match inbound packets. Each
protocol template has a unique index in the protocol-based VLAN. All protocol templates in a
protocol-based VLAN have the same VLAN ID.
For a port to assign inbound packets to protocol-based VLANs, perform the following tasks:
• Assign the port to the protocol-based VLANs.
• Associate the port with the protocol templates of the protocol-based VLANs.
When an untagged packet arrives at the port, the port processes the packet as follows:
• If the protocol type and encapsulation format in the packet match a protocol template, the port
tags the packet with the VLAN tag specific to the protocol template.
• If no protocol templates are matched, the port tags the packet with its PVID.
The voice VLAN in automatic mode processes only tagged voice traffic. Do not configure a VLAN as
both a protocol-based VLAN and a voice VLAN.
To configure a protocol-based VLAN:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter VLAN view. vlan vlan-id N/A
protocol-vlan [ protocol-index ] { at | ipv4
3. Associate the VLAN | ipv6 | ipx { ethernetii | llc | raw | snap } | By default, a VLAN is not
with a protocol mode { ethernetii etype etype-id | llc associated with a protocol
template. { dsap dsap-id [ ssap ssap-id ] | ssap template.
ssap-id } | snap etype etype-id } }
4. Exit VLAN view. quit N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
interface-number
5. Enter interface view. N/A
• Enter Layer 2 aggregate interface
view:
interface bridge-aggregation
interface-number
6. Set the port link type to By default, all ports are access
hybrid. port link-type hybrid
ports.
7. Assign the hybrid port By default, a hybrid port is an
to the specified port hybrid vlan vlan-id-list { tagged |
untagged } untagged member of the VLAN
protocol-based VLANs. to which the port belongs when

155
 Step Command Remarks
its link type is access.
8. Associate the hybrid By default, a hybrid port is not
port with the specified port hybrid protocol-vlan vlan vlan-id
associated with a
protocol-based VLAN. { protocol-index [ to protocol-end ] | all }
protocol-based VLAN.

Configuring a VLAN group

A VLAN group includes a set of VLANs.
On an authentication server, a VLAN group name represents a group of authorization VLANs. When
an 802.1X or MAC authentication user passes authentication, the authentication server assigns a
VLAN group name to the device. If the received VLAN group name matches a locally configured
VLAN group name on the device, the device assigns a VLAN in the group to the user. For more
information about 802.1X and MAC authentication, see Security Configuration Guide.
To configure a VLAN group:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a VLAN group and
enter its view. vlan-group group-name By default, no VLAN groups exist.

By default, no VLANs exist in a

3. Add VLANs to the VLAN VLAN group.
group. vlan-list vlan-id-list
You can add multiple VLAN lists to
a VLAN group.

Displaying and maintaining VLANs

Execute display commands in any view and reset commands in user view.

Task Command
display interface vlan-interface [ interface-number ] [ brief
Display VLAN interface information.
[ description | down ] ]
Display information about IP
display ip-subnet-vlan interface { interface-type
subnet-based VLANs that are associated
interface-number1 [ to interface-type interface-number2 ] | all }
with the specified ports.
Display information about IP
display ip-subnet-vlan vlan { vlan-id1 [ to vlan-id2 ] | all }
subnet-based VLANs.
Display information about protocol-based
display protocol-vlan interface { interface-type
VLANs that are associated with the
interface-number1 [ to interface-type interface-number2 ] | all }
specified ports.
Display information about protocol-based
display protocol-vlan vlan { vlan-id1 [ to vlan-id2 ] | all }
VLANs.
display vlan [ vlan-id1 [ to vlan-id2 ] | all | dynamic | reserved
Display VLAN information.
| static ]
Display brief VLAN information. display vlan brief
Display VLAN group information. display vlan-group [ group-name ]

156
 Task Command
Display hybrid ports or trunk ports on the
display port { hybrid | trunk }
device.
Clear statistics on a port. reset counters interface vlan-interface [ interface-number ]

VLAN configuration examples

Port-based VLAN configuration example
Network requirements
As shown in Figure 52:
• Host A and Host C belong to Department A. VLAN 100 is assigned to Department A.
• Host B and Host D belong to Department B. VLAN 200 is assigned to Department B.
Configure port-based VLANs so that only hosts in the same department can communicate with each
other.
Figure 52 Network diagram
GE1/0/3 GE1/0/3
Device A Device B
GE1/0/1 GE1/0/2 GE1/0/1 GE1/0/2

Host A Host B Host C Host D

VLAN 100 VLAN 200 VLAN 100 VLAN 200

Configuration procedure
1. Configure Device A:
# Create VLAN 100, and assign GigabitEthernet 1/0/1 to VLAN 100.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] port gigabitethernet 1/0/1
[DeviceA-vlan100] quit
# Create VLAN 200, and assign GigabitEthernet 1/0/2 to VLAN 200.
[DeviceA] vlan 200
[DeviceA-vlan200] port gigabitethernet 1/0/2
[DeviceA-vlan200] quit
# Configure GigabitEthernet 1/0/3 as a trunk port, and assign the port to VLANs 100 and 200.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-type trunk
[DeviceA-GigabitEthernet1/0/3] port trunk permit vlan 100 200
Please wait... Done.
2. Configure Device B in the same way Device A is configured. (Details not shown.)
3. Configure hosts:
a. Configure Host A and Host C to be on the same IP subnet. For example, 192.168.100.0/24.

157
 b. Configure Host B and Host D to be on the same IP subnet. For example, 192.168.200.0/24.
Verifying the configuration
# Verify that Host A and Host C can ping each other, but they both fail to ping Host B and Host D.
(Details not shown.)
# Verify that Host B and Host D can ping each other, but they both fail to ping Host A and Host C.
(Details not shown.)
# Verify that VLANs 100 and 200 are correctly configured on Device A.
[DeviceA-GigabitEthernet1/0/3] display vlan 100
VLAN ID: 100
VLAN type: Static
Route interface: Not configured
Description: VLAN 0100
Name: VLAN 0100
Tagged ports:
GigabitEthernet1/0/3
Untagged ports:
GigabitEthernet1/0/1
[DeviceA-GigabitEthernet1/0/3] display vlan 200
VLAN ID: 200
VLAN type: Static
Route interface: Not configured
Description: VLAN 0200
Name: VLAN 0200
Tagged ports:
GigabitEthernet1/0/3
Untagged ports:
GigabitEthernet1/0/2

MAC-based VLAN configuration example

Network requirements
As shown in Figure 53:
• GigabitEthernet 1/0/1 of Device A and Device C are each connected to a meeting room. Laptop
1 and Laptop 2 are used for meetings and might be used in either of the two meeting rooms.
• One department uses VLAN 100 and owns Laptop 1. The other department uses VLAN 200
and owns Laptop 2.
Configure MAC-based VLANs, so that Laptop 1 and Laptop 2 can access Server 1 and Server 2,
respectively, no matter which meeting room they are used in.

158
 Figure 53 Network diagram
VLAN 100 VLAN 200
Server1 Server2
IP: 1.1.1.1/24 IP: 1.1.2.1/24

GE1/0/3 GE1/0/4

GE1/0/1 GE1/0/2
Device B

GE1/0/2 GE1/0/2

Device A Device C
GE1/0/1 GE1/0/1

VLAN 100 VLAN 200

Laptop1 Laptop2
IP: 1.1.1.2/24 IP: 1.1.2.2/24
MAC: 000d-88f8-4e71 MAC: 0014-222c-aa69

Configuration procedure
1. Configure Device A:
# Create VLANs 100 and 200.
<DeviceA> system-view
[DeviceA] vlan 100
[DeviceA-vlan100] quit
[DeviceA] vlan 200
[DeviceA-vlan200] quit
# Associate the MAC addresses of Laptop 1 and Laptop 2 with VLANs 100 and 200,
respectively.
[DeviceA] mac-vlan mac-address 000d-88f8-4e71 vlan 100
[DeviceA] mac-vlan mac-address 0014-222c-aa69 vlan 200
# Configure GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as an
untagged VLAN member.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-type hybrid
[DeviceA-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged
# Enable the MAC-based VLAN feature on GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] mac-vlan enable
[DeviceA-GigabitEthernet1/0/1] quit
# Configure the uplink port (GigabitEthernet 1/0/2) as a trunk port, and assign it to VLANs 100
and 200.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[DeviceA-GigabitEthernet1/0/2] quit
2. Configure Device B:
# Create VLAN 100, and assign GigabitEthernet 1/0/3 to VLAN 100.

159
 <DeviceB> system-view
[DeviceB] vlan 100
[DeviceB-vlan100] port gigabitethernet 1/0/3
[DeviceB-vlan100] quit
# Create VLAN 200 and assign GigabitEthernet 1/0/4 to VLAN 200.
[DeviceB] vlan 200
[DeviceB-vlan200] port gigabitethernet 1/0/4
[DeviceB-vlan200] quit
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLANs 100 and 200.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 100 200
[DeviceB-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLANs 100 and 200.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[DeviceB-GigabitEthernet1/0/2] quit
3. Configure Device C in the same way as the Device A is configured. (Details not shown.)
Verifying the configuration
# Verify that Laptop 1 can access only Server 1, and Laptop 2 can access only Server 2. (Details not
shown.)
# Verify the MAC-to-VLAN entries on Device A and Device C, for example, on Device A.
[DeviceA] display mac-vlan all
The following MAC VLAN addresses exist:
S:Static D:Dynamic
MAC address Mask VLAN ID Priority State
000d-88f8-4e71 ffff-ffff-ffff 100 0 S
0014-222c-aa69 ffff-ffff-ffff 200 0 S

Total MAC VLAN address count: 2

IP subnet-based VLAN configuration example

Network requirements
As shown in Figure 54, the hosts in the office belong to different IP subnets.
Configure Device C to transmit packets from 192.168.5.0/24 and 192.168.50.0/24 in VLANs 100 and
200, respectively.

160
 Figure 54 Network diagram

Device A Device B

VLAN 100 VLAN 200

GE1/0/2 GE1/0/3

Device C

GE1/0/1

192.168.5.0/24 192.168.50.0/24
Office

Configuration procedure
1. Configure Device C:
# Associate IP subnet 192.168.5.0/24 with VLAN 100.
<DeviceC> system-view
[DeviceC] vlan 100
[DeviceC-vlan100] ip-subnet-vlan ip 192.168.5.0 255.255.255.0
[DeviceC-vlan100] quit
# Associate IP subnet 192.168.50.0/24 with VLAN 200.
[DeviceC] vlan 200
[DeviceC-vlan200] ip-subnet-vlan ip 192.168.50.0 255.255.255.0
[DeviceC-vlan200] quit
# Configure GigabitEthernet 1/0/2 as a hybrid port, and assign it to VLAN 100 as a tagged
VLAN member.
[DeviceC] interface gigabitethernet 1/0/2
[DeviceC-GigabitEthernet1/0/2] port link-type hybrid
[DeviceC-GigabitEthernet1/0/2] port hybrid vlan 100 tagged
[DeviceC-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 as a hybrid port, and assign it to VLAN 200 as a tagged
VLAN member.
[DeviceC] interface gigabitethernet 1/0/3
[DeviceC-GigabitEthernet1/0/3] port link-type hybrid
[DeviceC-GigabitEthernet1/0/3] port hybrid vlan 200 tagged
[DeviceC-GigabitEthernet1/0/3] quit
# Configure GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as an
untagged VLAN member.

161
 [DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] port link-type hybrid
[DeviceC-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged
# Associate GigabitEthernet 1/0/1 with the IP subnet-based VLANs 100 and 200.
[DeviceC-GigabitEthernet1/0/1] port hybrid ip-subnet-vlan vlan 100
[DeviceC-GigabitEthernet1/0/1] port hybrid ip-subnet-vlan vlan 200
[DeviceC-GigabitEthernet1/0/1] quit
2. Configure Device A and Device B to forward packets from VLANs 100 and 200, respectively.
(Details not shown.)
Verifying the configuration
# Verify the IP subnet-based VLAN configuration on Device C.
[DeviceC] display ip-subnet-vlan vlan all
VLAN ID: 100
Subnet index IP address Subnet mask
0 192.168.5.0 255.255.255.0

VLAN ID: 200

Subnet index IP address Subnet mask
0 192.168.50.0 255.255.255.0

# Verify the IP subnet-based VLAN configuration on GigabitEthernet 1/0/1 of Device C.

[DeviceC] display ip-subnet-vlan interface gigabitethernet 1/0/1
Interface: GigabitEthernet1/0/1
VLAN ID Subnet index IP address Subnet mask Status
100 0 192.168.5.0 255.255.255.0 Active
200 0 192.168.50.0 255.255.255.0 Active

Protocol-based VLAN configuration example

Network requirements
As shown in Figure 55:
• The majority of hosts in a lab environment run the IPv4 protocol.
• The other hosts run the IPv6 protocol for teaching purposes.
To isolate IPv4 and IPv6 traffic at Layer 2, configure protocol-based VLANs to associate the IPv4 and
ARP protocols with VLAN 100, and associate the IPv6 protocol with VLAN 200.

162
 Figure 55 Network diagram
VLAN 100 VLAN 200

IPv4 server IPv6 server

GE1/0/3
GE1/0/4

GE1/0/1 GE1/0/2
Device

L2 switch A L2 switch B

IPv4 host A IPv6 host A IPv4 host B IPv6 host B

VLAN 100 VLAN 200 VLAN 100 VLAN 200

Configuration procedure
In this example, L2 Switch A and L2 Switch B use the factory configuration.
1. Configure Device:
# Create VLAN 100, and configure the description for VLAN 100 as protocol VLAN for IPv4.
<Device> system-view
[Device] vlan 100
[Device-vlan100] description protocol VLAN for IPv4
# Assign GigabitEthernet 1/0/3 to VLAN 100.
[Device-vlan100] port gigabitethernet 1/0/3
[Device-vlan100] quit
# Create VLAN 200, and configure the description for VLAN 200 as protocol VLAN for IPv6.
[Device] vlan 200
[Device-vlan200] description protocol VLAN for IPv6
# Assign GigabitEthernet 1/0/4 to VLAN 200.
[Device-vlan200] port gigabitethernet 1/0/4
# Configure VLAN 200 as a protocol-based VLAN, and create an IPv6 protocol template with
the index 1 for VLAN 200.
[Device-vlan200] protocol-vlan 1 ipv6
[Device-vlan200] quit
# Configure VLAN 100 as a protocol-based VLAN. Create an IPv4 protocol template with the
index 1, and create an ARP protocol template with the index 2. (In Ethernet II encapsulation, the
protocol type ID for ARP is 0806 in hexadecimal notation.)
[Device] vlan 100
[Device-vlan100] protocol-vlan 1 ipv4
[Device-vlan100] protocol-vlan 2 mode ethernetii etype 0806
[Device-vlan100] quit

163
 # Configure GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 100 and 200 as an
untagged VLAN member.
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] port link-type hybrid
[Device-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged
# Associate GigabitEthernet 1/0/1 with the IPv4 and ARP protocol templates of VLAN 100 and
the IPv6 protocol template of VLAN 200.
[Device-GigabitEthernet1/0/1] port hybrid protocol-vlan vlan 100 1 to 2
[Device-GigabitEthernet1/0/1] port hybrid protocol-vlan vlan 200 1
[Device-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a hybrid port, and assign it to VLANs 100 and 200 as an
untagged VLAN member.
[Device] interface gigabitethernet 1/0/2
[Device-GigabitEthernet1/0/2] port link-type hybrid
[Device-GigabitEthernet1/0/2] port hybrid vlan 100 200 untagged
# Associate GigabitEthernet 1/0/2 with the IPv4 and ARP protocol templates of VLAN 100 and
the IPv6 protocol template of VLAN 200.
[Device-GigabitEthernet1/0/2] port hybrid protocol-vlan vlan 100 1 to 2
[Device-GigabitEthernet1/0/2] port hybrid protocol-vlan vlan 200 1
[Device-GigabitEthernet1/0/2] quit
2. Configure hosts and servers:
a. Configure IPv4 Host A, IPv4 Host B, and IPv4 server to be on the same network segment
(192.168.100.0/24, for example). (Details not shown.)
b. Configure IPv6 Host A, IPv6 Host B, and IPv6 server to be on the same network segment
(2001::1/64, for example). (Details not shown.)
Verifying the configuration
1. Verify the following:
 The hosts and the server in VLAN 100 can successfully ping one another. (Details not
shown.)
 The hosts and the server in VLAN 200 can successfully ping one another. (Details not
shown.)
 The hosts or the server in VLAN 100 cannot ping the hosts or server in VLAN 200. (Details
not shown.)
2. Verify the protocol-based VLAN configuration:
# Display protocol-based VLANs on Device.
[Device] display protocol-vlan vlan all
VLAN ID: 100
Protocol index Protocol type
1 IPv4
2 Ethernet II Etype 0x0806

VLAN ID: 200

Protocol index Protocol type
1 IPv6
# Display protocol-based VLANs on the ports of Device.
[Device] display protocol-vlan interface all
Interface: GigabitEthernet1/0/1
VLAN ID Protocol index Protocol type Status

164
100 1 IPv4 Active
100 2 Ethernet II Etype 0x0806 Active
200 1 IPv6 Active

Interface: GigabitEthernet 1/0/2

VLAN ID Protocol index Protocol type Status
100 1 IPv4 Active
100 2 Ethernet II Etype 0x0806 Active
200 1 IPv6 Active

165
Configuring super VLANs
Hosts in a VLAN typically use IP addresses in the same subnet. For Layer 3 interoperability with
other VLANs, you can create a VLAN interface for the VLAN and assign an IP address to it. This
requires a large number of IP addresses.
The super VLAN feature was introduced to save IP addresses. A super VLAN is associated with
multiple sub-VLANs. These sub-VLANs use the VLAN interface of the super VLAN (also known as a
super VLAN interface) as the gateway for Layer 3 communication.
You can create a VLAN interface for a super VLAN and assign an IP address to it. However, you
cannot create a VLAN interface for a sub-VLAN. You can assign a physical port to a sub-VLAN, but
you cannot assign a physical port to a super VLAN. Sub-VLANs are isolated at Layer 2.
To enable Layer 3 communication between sub-VLANs, perform the following tasks:
1. Create a super VLAN and the VLAN interface for the super VLAN.
2. Enable local proxy ARP or ND on the super VLAN interface as follows:
 In an IPv4 network, enable local proxy ARP on the super VLAN interface. The super VLAN
can then process ARP requests and replies sent from the sub-VLANs.
 In an IPv6 network, enable local proxy ND on the super VLAN interface. The super VLAN
can then process the NS and NA messages sent from the sub-VLANs.

Super VLAN configuration task list

Tasks at a glance
(Required.) Creating a sub-VLAN
(Required.) Configuring a super VLAN
(Required.) Configuring a super VLAN interface

Creating a sub-VLAN
Step Command Remarks
1. Enter system view. system-view N/A

2. Create a sub-VLAN. By default, only the system default VLAN

vlan vlan-id-list
(VLAN 1) exists.

Configuring a super VLAN

When you configure a super VLAN, follow these restrictions and guidelines:
• Do not configure the VLAN of a MAC address-to-VLAN entry as a super VLAN.
• Do not configure a VLAN as both a super VLAN and a guest VLAN, Auth-Fail VLAN, or critical
VLAN. For more information about guest VLANs, Auth-Fail VLANs, and critical VLANs, see
Security Configuration Guide.
• Do not configure a VLAN as both a super VLAN and a sub-VLAN.
• Layer 2 multicast configuration for super VLANs does not take effect because they do not have
physical ports.

166
 To configure a super VLAN:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter VLAN view. vlan vlan-id N/A
3. Configure the VLAN
as a super VLAN. supervlan By default, a VLAN is not a super VLAN.

By default, a super VLAN is not associated with

4. Associate the super any sub-VLANs.
VLAN with the subvlan vlan-id-list
sub-VLANs. Make sure the sub-VLANs already exist before
associating them with a super VLAN.

Configuring a super VLAN interface

As a best practice, do not configure VRRP for a super VLAN interface because the configuration
affects network performance. For more information about VRRP, see High Availability Configuration
Guide.
To configure a VLAN interface for a super VLAN:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a VLAN
interface and enter its interface vlan-interface The value for the interface-number
view. interface-number argument must be the super VLAN ID.

• Configure an IPv4 address:

ip address ip-address
3. Configure an IP { mask-length | mask } [ sub ]
address for the super By default, no IP address is
• Configure an IPv6 address:
VLAN interface. configured for a VLAN interface.
ipv6 address { ipv6-address
prefix-length |
ipv6-address/prefix-length }
By default:
• Sub-VLANs cannot
communicate with each other at
Layer 3.
• Enable local proxy ARP for • Local proxy ARP or ND is
devices that run IPv4 protocols: disabled.
4. Configure Layer 3 local-proxy-arp enable
communication For more information about local
between sub-VLANs. • Enable local proxy ND for proxy ARP and ND, see Layer 3—IP
devices that run IPv6 protocols: Services Configuration Guide. For
local-proxy-nd enable more information about
local-proxy-arp enable and
local-proxy-nd enable commands,
see Layer 3—IP Services Command
Reference.

Displaying and maintaining super VLANs

Execute display commands in any view.

167
 Task Command
Display information about super VLANs and their
display supervlan [ supervlan-id ]
associated sub-VLANs.

Super VLAN configuration example

Network requirements
As shown in Figure 56:
• GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 are in VLAN 2.
• GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 are in VLAN 3.
• GigabitEthernet 1/0/5 and GigabitEthernet 1/0/6 are in VLAN 5.
To save IP addresses and enable sub-VLANs to be isolated at Layer 2 but interoperable at Layer 3,
perform the following tasks:
• Create a super VLAN and assign an IP address to its VLAN interface.
• Associate the super VLAN with VLANs 2, 3, and 5.
Figure 56 Network diagram

VLAN 2

GE1/0/1 GE1/0/2
Vlan-int10
GE1/0/3 10.1.1.1/24
GE1/0/4
Device A
VLAN 3 GE1/0/5 GE1/0/6 Device B

VLAN 5

Configuration procedure
# Create VLAN 10.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] quit

# Create VLAN-interface 10, and assign IP address 10.1.1.1/24 to it.

[DeviceA] interface vlan-interface 10
[DeviceA-Vlan-interface10] ip address 10.1.1.1 255.255.255.0

# Enable local proxy ARP.

[DeviceA-Vlan-interface10] local-proxy-arp enable
[DeviceA-Vlan-interface10] quit

# Create VLAN 2, and assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to the VLAN.
[DeviceA] vlan 2
[DeviceA-vlan2] port gigabitethernet 1/0/1 gigabitethernet 1/0/2

168
 [DeviceA-vlan2] quit

# Create VLAN 3, and assign GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to the VLAN.
[DeviceA] vlan 3
[DeviceA-vlan3] port gigabitethernet 1/0/3 gigabitethernet 1/0/4
[DeviceA-vlan3] quit

# Create VLAN 5, and assign GigabitEthernet 1/0/5 and GigabitEthernet 1/0/6 to the VLAN.
[DeviceA] vlan 5
[DeviceA-vlan5] port gigabitethernet 1/0/5 gigabitethernet 1/0/6
[DeviceA-vlan5] quit

# Configure VLAN 10 as a super VLAN, and associate sub-VLANs 2, 3, and 5 with the super VLAN.
[DeviceA] vlan 10
[DeviceA-vlan10] supervlan
[DeviceA-vlan10] subvlan 2 3 5
[DeviceA-vlan10] quit
[DeviceA] quit

Verifying the configuration

# Display information about super VLAN 10 and its associated sub-VLANs.
<DeviceA> display supervlan
Super VLAN ID: 10
Sub-VLAN ID: 2-3 5

VLAN ID: 10
VLAN type: Static
It is a super VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0010
Name: VLAN 0010
Tagged ports: None
Untagged ports: None

VLAN ID: 2
VLAN type: Static
It is a sub VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0002
Name: VLAN 0002
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/1
GigabitEthernet1/0/2

VLAN ID: 3

169
VLAN type: Static
It is a sub VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0003
Name: VLAN 0003
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/3
GigabitEthernet1/0/4

VLAN ID: 5
VLAN type: Static
It is a sub VLAN.
Route interface: Configured
Ipv4 address: 10.1.1.1
Ipv4 subnet mask: 255.255.255.0
Description: VLAN 0005
Name: VLAN 0005
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/5
GigabitEthernet1/0/6

170
Configuring the private VLAN
VLAN technology provides a method for isolating traffic from customers. At the access layer of a
network, customer traffic must be isolated for security or accounting purposes. If VLANs are
assigned on a per-user basis, a large number of VLANs will be required.
The private VLAN feature saves VLAN resources. It uses a two-tier VLAN structure as follows:
• Primary VLAN—Used for connecting the upstream device. A primary VLAN can be associated
with multiple secondary VLANs. The upstream device identifies only the primary VLAN.
• Secondary VLANs—Used for connecting users. Secondary VLANs are isolated at Layer 2. To
implement Layer 3 communication between secondary VLANs associated with the primary
VLAN, enable local proxy ARP or ND on the upstream device (for example, L3 Device A in
Figure 57).
As shown in Figure 57, the private VLAN feature is enabled on L2 Device B. VLAN 10 is the primary
VLAN. VLANs 2, 5, and 8 are secondary VLANs that are associated with VLAN 10. L3 Device A is
only aware of VLAN 10.
Figure 57 Private VLAN example

L3 Device A

VLAN 10

VLAN 10

L2 Device B

VLAN 2 VLAN 5 VLAN 8

If the private VLAN feature is configured on a Layer 3 device, use one of the following methods on
the Layer 3 device to enable Layer 3 communication. Layer 3 communication might be required
between secondary VLANs that are associated with the same primary VLAN, or between secondary
VLANs and other networks.
• Method 1:
a. Create VLAN interfaces for the secondary VLANs.
b. Assign IP addresses to the secondary VLAN interfaces.
• Method 2:
a. Enable Layer 3 communication between the secondary VLANs that are associated with the
primary VLAN.
b. Create the VLAN interface for the primary VLAN and assign an IP address to it. (Do not
create secondary VLAN interfaces if you use this method.)
c. Enable local proxy ARP or ND on the primary VLAN interface.

Configuration task list

To configure the private VLAN feature, perform the following tasks:
1. Configure the primary VLAN.
2. Configure the secondary VLANs.

171
 3. Associate the secondary VLANs with the primary VLAN.
4. Configure the uplink and downlink ports:
 Configure the uplink port (for example, the port connecting L2 Device B to L3 Device A in
Figure 57):
− When the port allows only one primary VLAN, configure the port as a promiscuous port
of the primary VLAN. The promiscuous port can be automatically assigned to the
primary VLAN and its associated secondary VLANs.
− When the port allows multiple primary VLANs, configure the port as a trunk promiscuous
port of the primary VLANs. The trunk promiscuous port can be automatically assigned to
the primary VLANs and their associated secondary VLANs.
 Configure a downlink port (for example, the port connecting L2 Device B to a host in Figure
57) as a host port. The host port can be automatically assigned to the secondary VLAN and
its associated primary VLAN.
 If a downlink port allows multiple secondary VLANs, configure the port as a trunk secondary
port. The trunk secondary port can be automatically assigned to the secondary VLANs and
their associated primary VLANs.
For more information about promiscuous, trunk promiscuous, host, and trunk secondary ports,
see Layer 2—LAN Switching Command Reference.
5. Configure Layer 3 communication between the specified secondary VLANs that are associated
with the primary VLAN.

Configuration restrictions and guidelines

When you configure the private VLAN feature, follow these restrictions and guidelines:
• Make sure the following requirements are met:
 For a promiscuous port:
− The primary VLAN is the PVID of the port.
− The port is an untagged member of the primary VLAN and secondary VLANs.
 For a host port:
− The PVID of the port is a secondary VLAN.
− The port is an untagged member of the primary VLAN and the secondary VLAN.
 A trunk promiscuous or trunk secondary port must be a tagged member of the primary
VLANs and the secondary VLANs.
• VLAN 1 (system default VLAN) does not support the private VLAN configuration.

Configuration procedure
To configure the private VLAN feature:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a VLAN and enter
VLAN view. vlan vlan-id N/A

3. Configure the VLAN as a By default, a VLAN is not a

primary VLAN. private-vlan primary
primary VLAN.
4. Return to system view. quit N/A
5. Create one or multiple vlan { vlan-id-list | all } N/A

172
Step Command Remarks
secondary VLANs.
6. Return to system view. quit N/A
7. Enter VLAN view of the
primary VLAN. vlan vlan-id N/A

8. Associate the primary By default, a primary VLAN is not

VLAN with the secondary private-vlan secondary vlan-id-list associated with any secondary
VLANs. VLANs.
9. Return to system view. quit N/A
10. Enter interface view of the interface interface-type
uplink port. N/A
interface-number
• Configure the uplink port as a
promiscuous port of the
specified VLAN:
11. Configure the uplink port port private-vlan vlan-id
as a promiscuous or trunk promiscuous By default, a port is not a
promiscuous port of the promiscuous or trunk
• Configure the uplink port as a
specified VLANs. promiscuous port of any VLANs.
trunk promiscuous port of the
specified VLANs:
port private-vlan vlan-id-list
trunk promiscuous
12. Return to system view. quit N/A
13. Enter interface view of the interface interface-type
downlink port. N/A
interface-number
a Set the link type of the port:
port link-type { access |
hybrid | trunk }
b Assign the access port to the
specified VLAN:
port access vlan vlan-id
14. Assign the downlink port to c Assign the trunk port to the Select substep b, c, or d
secondary VLANs. specified VLANs: depending on the port link type.
port trunk permit vlan
{ vlan-id-list | all }
d Assign the hybrid port to the
specified VLANs:
port hybrid vlan vlan-id-list
{ tagged | untagged }
• Configure the downlink port as a
host port:
port private-vlan host
15. Configure the downlink
port as a host or trunk • Configure the downlink port as a By default, a port is not a host or
secondary port. trunk secondary port of the trunk secondary port.
specified VLANs:
port private-vlan vlan-id-list
trunk secondary
16. Return to system view. quit N/A
17. Enter VLAN view of a
secondary VLAN. vlan vlan-id N/A

18. (Optional.) Enable Layer 2 By default, ports in the same

communication for ports in • undo private-vlan isolated secondary VLAN can
the same secondary • private-vlan community communicate with each other at
VLAN. Layer 2.
19. Return to system view. quit N/A

173
 Step Command Remarks
a Enter VLAN interface view of
the primary VLAN interface: Use substeps a, b, c, and e for
interface vlan-interface devices that run IPv4 protocols.
interface-number Use substeps a, b, d, and f for
b Enable Layer 3 communication devices that run IPv6 protocols.
between secondary VLANs that By default:
are associated with the primary
• Secondary VLANs cannot
VLAN:
communicate with each
private-vlan secondary
other at Layer 3.
vlan-id-list
20. (Optional.) Configure • No IP address is configured
c Assign an IPv4 address to the
Layer 3 communication for a VLAN interface.
primary VLAN interface:
between the specified ip address ip-address • Local proxy ARP and ND
secondary VLANs. { mask-length | mask } [ sub ] are disabled.
d Assign an IPv6 address to the For more information about local
primary VLAN interface: proxy ARP and ND, see Layer
ipv6 address { ipv6-address 3—IP Services Configuration
prefix-length | Guide. For more information
ipv6-address/prefix-length } about the local-proxy-arp
e Enable local proxy ARP: enable and local-proxy-nd
local-proxy-arp enable enable commands, see Layer
f Enable local proxy ND: 3—IP Services Command
local-proxy-nd enable Reference.

Displaying and maintaining the private VLAN

Execute display commands in any view.

Task Command
Display information about primary VLANs and the
display private-vlan [ primary-vlan-id ]
secondary VLANs associated with each primary VLAN.

Private VLAN configuration examples

Promiscuous port configuration example
Network requirements
As shown in Figure 58, configure the private VLAN feature to meet the following requirements:
• On Device B, VLAN 5 is a primary VLAN that is associated with secondary VLANs 2 and 3.
GigabitEthernet 1/0/5 is in VLAN 5. GigabitEthernet 1/0/2 is in VLAN 2. GigabitEthernet 1/0/3 is
in VLAN 3.
• On Device C, VLAN 6 is a primary VLAN that is associated with secondary VLANs 3 and 4.
GigabitEthernet 1/0/5 is in VLAN 6. GigabitEthernet 1/0/3 is in VLAN 3. GigabitEthernet 1/0/4 is
in VLAN 4.
• Device A is aware of only VLAN 5 on Device B and VLAN 6 on Device C.

174
 Figure 58 Network diagram
Device A

VLAN 5 Device B Device C VLAN 6

GE1/0/5 GE1/0/5

GE1/0/3 GE1/0/2 GE1/0/3 GE1/0/4

Host A Host B Host C Host D

VLAN 3 VLAN 2 VLAN 3 VLAN 4

Configuration procedure
This example describes the configurations on Device B and Device C.
1. Configure Device B:
# Configure VLAN 5 as a primary VLAN.
<DeviceB> system-view
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan primary
[DeviceB-vlan5] quit
# Create VLANs 2 and 3.
[DeviceB] vlan 2 to 3
# Associate secondary VLANs 2 and 3 with primary VLAN 5.
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan secondary 2 to 3
[DeviceB-vlan5] quit
# Configure the uplink port (GigabitEthernet 1/0/5) as a promiscuous port of VLAN 5.
[DeviceB] interface gigabitethernet 1/0/5
[DeviceB-GigabitEthernet1/0/5] port private-vlan 5 promiscuous
[DeviceB-GigabitEthernet1/0/5] quit
# Assign downlink port GigabitEthernet 1/0/2 to VLAN 2, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port access vlan 2
[DeviceB-GigabitEthernet1/0/2] port private-vlan host
[DeviceB-GigabitEthernet1/0/2] quit
# Assign downlink port GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port access vlan 3
[DeviceB-GigabitEthernet1/0/3] port private-vlan host
[DeviceB-GigabitEthernet1/0/3] quit

175
 2. Configure Device C:
# Configure VLAN 6 as a primary VLAN.
<DeviceC> system-view
[DeviceC] vlan 6
[DeviceC–vlan6] private-vlan primary
[DeviceC–vlan6] quit
# Create VLANs 3 and 4.
[DeviceC] vlan 3 to 4
# Associate secondary VLANs 3 and 4 with primary VLAN 6.
[DeviceC] vlan 6
[DeviceC-vlan6] private-vlan secondary 3 to 4
[DeviceC-vlan6] quit
# Configure the uplink port (GigabitEthernet 1/0/5) as a promiscuous port of VLAN 6.
[DeviceC] interface gigabitethernet 1/0/5
[DeviceC-GigabitEthernet1/0/5] port private-vlan 6 promiscuous
[DeviceC-GigabitEthernet1/0/5] quit
# Assign downlink port GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host port.
[DeviceC] interface gigabitethernet 1/0/3
[DeviceC-GigabitEthernet1/0/3] port access vlan 3
[DeviceC-GigabitEthernet1/0/3] port private-vlan host
[DeviceC-GigabitEthernet1/0/3] quit
# Assign downlink port GigabitEthernet 1/0/4 to VLAN 4, and configure the port as a host port.
[DeviceC] interface gigabitethernet 1/0/4
[DeviceC-GigabitEthernet1/0/4] port access vlan 4
[DeviceC-GigabitEthernet1/0/4] port private-vlan host
[DeviceC-GigabitEthernet1/0/4] quit

Verifying the configuration

# Verify the private VLAN configurations on the devices, for example, on Device B.
[DeviceB] display private-vlan
Primary VLAN ID: 5
Secondary VLAN ID: 2-3

VLAN ID: 5
VLAN type: Static
Private VLAN type: Primary
Route interface: Not configured
Description: VLAN 0005
Name: VLAN 0005
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/2
GigabitEthernet1/0/3
GigabitEthernet1/0/5

VLAN ID: 2
VLAN type: Static
Private VLAN type: Secondary

176
 Route interface: Not configured
Description: VLAN 0002
Name: VLAN 0002
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/2
GigabitEthernet1/0/5

VLAN ID: 3
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0003
Name: VLAN 0003
Tagged Ports: None
Untagged Ports:
GigabitEthernet1/0/3
GigabitEthernet1/0/5

The output shows that:

• The promiscuous port (GigabitEthernet 1/0/5) is an untagged member of primary VLAN 5 and
secondary VLANs 2 and 3.
• Host port GigabitEthernet 1/0/2 is an untagged member of primary VLAN 5 and secondary
VLAN 2.
• Host port GigabitEthernet 1/0/3 is an untagged member of primary VLAN 5 and secondary
VLAN 3.

Trunk promiscuous port configuration example

Network requirements
As shown in Figure 59, configure the private VLAN feature to meet the following requirements:
• VLANs 5 and 10 are primary VLANs on Device B. The uplink port (GigabitEthernet 1/0/1) on
Device B permits the packets from VLANs 5 and 10 to pass through tagged.
• On Device B, downlink port GigabitEthernet 1/0/2 permits secondary VLAN 2. Downlink port
GigabitEthernet 1/0/3 permits secondary VLAN 3. Secondary VLANs 2 and 3 are associated
with primary VLAN 5.
• On Device B, downlink port GigabitEthernet 1/0/4 permits secondary VLAN 6. Downlink port
GigabitEthernet 1/0/5 permits secondary VLAN 8. Secondary VLANs 6 and 8 are associated
with primary VLAN 10.
• Device A is aware of only VLANs 5 and 10 on Device B.

177
 Figure 59 Network diagram

Device A

GE1/0/1 VLAN 5
VLAN 10

GE1/0/1

Device B

GE1/0/2 GE1/0/5

GE1/0/3 GE1/0/4

Host A Host B Host C Host D

VLAN 2 VLAN 3 VLAN 6 VLAN 8

Configuration procedure
1. Configure Device B:
# Configure VLANs 5 and 10 as primary VLANs.
<DeviceB> system-view
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan primary
[DeviceB-vlan5] quit
[DeviceB] vlan 10
[DeviceB-vlan10] private-vlan primary
[DeviceB-vlan10] quit
# Create VLANs 2, 3, 6, and 8.
[DeviceB] vlan 2 to 3
[DeviceB] vlan 6
[DeviceB-vlan6] quit
[DeviceB] vlan 8
[DeviceB-vlan8] quit
# Associate secondary VLANs 2 and 3 with primary VLAN 5.
[DeviceB] vlan 5
[DeviceB-vlan5] private-vlan secondary 2 to 3
[DeviceB-vlan5] quit
# Associate secondary VLANs 6 and 8 with primary VLAN 10.
[DeviceB] vlan 10
[DeviceB-vlan10] private-vlan secondary 6 8
[DeviceB-vlan10] quit
# Configure the uplink port (GigabitEthernet 1/0/1) as a trunk promiscuous port of VLANs 5 and
10.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port private-vlan 5 10 trunk promiscuous
[DeviceB-GigabitEthernet1/0/1] quit

178
 # Assign downlink port GigabitEthernet 1/0/2 to VLAN 2, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port access vlan 2
[DeviceB-GigabitEthernet1/0/2] port private-vlan host
[DeviceB-GigabitEthernet1/0/2] quit
# Assign downlink port GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port access vlan 3
[DeviceB-GigabitEthernet1/0/3] port private-vlan host
[DeviceB-GigabitEthernet1/0/3] quit
# Assign downlink port GigabitEthernet 1/0/4 to VLAN 6, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/4
[DeviceB-GigabitEthernet1/0/4] port access vlan 6
[DeviceB-GigabitEthernet1/0/4] port private-vlan host
[DeviceB-GigabitEthernet1/0/4] quit
# Assign downlink port GigabitEthernet 1/0/5 to VLAN 8, and configure the port as a host port.
[DeviceB] interface gigabitethernet 1/0/5
[DeviceB-GigabitEthernet1/0/5] port access vlan 8
[DeviceB-GigabitEthernet1/0/5] port private-vlan host
[DeviceB-GigabitEthernet1/0/5] quit
2. Configure Device A:
# Create VLANs 5 and 10.
[DeviceA] vlan 5
[DeviceA-vlan5] quit
[DeviceA] vlan 10
[DeviceA-vlan10] quit
# Configure GigabitEthernet 1/0/1 as a hybrid port, and assign it to VLANs 5 and 10 as a tagged
VLAN member.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-type hybrid
[DeviceA-GigabitEthernet1/0/1] port hybrid vlan 5 10 tagged
[DeviceA-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify the primary VLAN configurations on Device B. The following output uses primary VLAN 5 as
an example.
[DeviceB] display private-vlan 5
Primary VLAN ID: 5
Secondary VLAN ID: 2-3

VLAN ID: 5
VLAN type: Static
Private VLAN type: Primary
Route interface: Not configured
Description: VLAN 0005
Name: VLAN 0005
Tagged ports:
GigabitEthernet1/0/1
Untagged ports:

179
 GigabitEthernet1/0/2
GigabitEthernet1/0/3

VLAN ID: 2
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0002
Name: VLAN 0002
Tagged ports:
GigabitEthernet1/0/1
Untagged ports:
GigabitEthernet1/0/2

VLAN ID: 3
VLAN type: Static
Private VLAN type: Secondary
Route interface: Not configured
Description: VLAN 0003
Name: VLAN 0003
Tagged ports:
GigabitEthernet1/0/1
Untagged ports:
GigabitEthernet1/0/3

The output shows that:

• The trunk promiscuous port (GigabitEthernet 1/0/1) is a tagged member of primary VLAN 5 and
secondary VLANs 2 and 3.
• Host port GigabitEthernet 1/0/2 is an untagged member of primary VLAN 5 and secondary
VLAN 2.
• Host port GigabitEthernet 1/0/3 is an untagged member of primary VLAN 5 and secondary
VLAN 3.

Trunk promiscuous and trunk secondary port configuration

example
Network requirements
As shown in Figure 60, configure the private VLAN feature to meet the following requirements:
• VLANs 10 and 20 are primary VLANs on Device A. The uplink port (GigabitEthernet 1/0/5) on
Device A permits the packets from VLANs 10 and 20 to pass through tagged.
• VLANs 11, 12, 21, and 22 are secondary VLANs on Device A.
 Downlink port GigabitEthernet 1/0/2 permits the packets from secondary VLANs 11 and 21
to pass through tagged.
 Downlink port GigabitEthernet 1/0/1 permits secondary VLAN 22.
 Downlink port GigabitEthernet 1/0/3 permits secondary VLAN 12.
• Secondary VLANs 11 and 12 are associated with primary VLAN 10.
• Secondary VLANs 21 and 22 are associated with primary VLAN 20.

180
 Figure 60 Network diagram

VLAN 10 VLAN 20

Device C

GE1/0/5

GE1/0/5

Device A
GE1/0/1 GE1/0/3
GE1/0/2

GE1/0/2

Device B
GE1/0/3 GE1/0/4

Host C Host D
VLAN 22 VLAN 12

Host A Host B
VLAN 11 VLAN 21

Configuration procedure
1. Configure Device A:
# Configure VLANs 10 and 20 as primary VLANs.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan primary
[DeviceA-vlan10] quit
[DeviceA] vlan 20
[DeviceA-vlan20] private-vlan primary
[DeviceA-vlan20] quit
# Create VLANs 11, 12, 21, and 22.
[DeviceA] vlan 11 to 12
[DeviceA] vlan 21 to 22
# Associate secondary VLANs 11 and 12 with primary VLAN 10.
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan secondary 11 12
[DeviceA-vlan10] quit
# Associate secondary VLANs 21 and 22 with primary VLAN 20.
[DeviceA] vlan 20
[DeviceA-vlan20] private-vlan secondary 21 22
[DeviceA-vlan20] quit
# Configure the uplink port (GigabitEthernet 1/0/5) as a trunk promiscuous port of VLANs 10
and 20.

181
 [DeviceA] interface gigabitethernet 1/0/5
[DeviceA-GigabitEthernet1/0/5] port private-vlan 10 20 trunk promiscuous
[DeviceA-GigabitEthernet1/0/5] quit
# Assign downlink port GigabitEthernet 1/0/1 to VLAN 22 and configure the port as a host port.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port access vlan 22
[DeviceA-GigabitEthernet1/0/1] port private-vlan host
[DeviceA-GigabitEthernet1/0/1] quit
# Assign downlink port GigabitEthernet 1/0/3 to VLAN 12 and configure the port as a host port.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port access vlan 12
[DeviceA-GigabitEthernet1/0/3] port private-vlan host
[DeviceA-GigabitEthernet1/0/3] quit
# Configure downlink port GigabitEthernet 1/0/2 as a trunk secondary port of VLANs 11 and 21.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port private-vlan 11 21 trunk secondary
[DeviceA-GigabitEthernet1/0/2] quit
2. Configure Device B:
# Create VLANs 11 and 21.
<DeviceB> system-view
[DeviceB] vlan 11
[DeviceB-vlan11] quit
[DeviceB] vlan 21
[DeviceB-vlan21] quit
# Configure GigabitEthernet 1/0/2 as a hybrid port, and assign it to VLANs 11 and 21 as a
tagged VLAN member.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type hybrid
[DeviceB-GigabitEthernet1/0/2] port hybrid vlan 11 21 tagged
[DeviceB-GigabitEthernet1/0/2] quit
# Assign GigabitEthernet 1/0/3 to VLAN 11.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port access vlan 11
[DeviceB-GigabitEthernet1/0/3] quit
# Assign GigabitEthernet 1/0/4 to VLAN 21.
[DeviceB] interface gigabitethernet 1/0/4
[DeviceB-GigabitEthernet1/0/4] port access vlan 21
[DeviceB-GigabitEthernet1/0/4] quit
3. Configure Device C:
# Create VLANs 10 and 20.
<DeviceC> system-view
[DeviceC] vlan 10
[DeviceC-vlan10] quit
[DeviceC] vlan 20
[DeviceC-vlan20] quit
# Configure GigabitEthernet 1/0/5 as a hybrid port, and assign it to VLANs 10 and 20 as a
tagged VLAN member.
[DeviceC] interface gigabitethernet 1/0/5

182
 [DeviceC-GigabitEthernet1/0/5] port link-type hybrid
[DeviceC-GigabitEthernet1/0/5] port hybrid vlan 10 20 tagged
[DeviceC-GigabitEthernet1/0/5] quit

Verifying the configuration

# Verify the primary VLAN configurations on Device A. The following output uses primary VLAN 10
as an example.
[DeviceA] display private-vlan 10
Primary VLAN ID: 10
Secondary VLAN ID: 11-12

VLAN ID: 10
VLAN type: Static
Private-vlan type: Primary
Route interface: Not configured
Description: VLAN 0010
Name: VLAN 0010
Tagged ports:
GigabitEthernet1/0/2
GigabitEthernet1/0/5
Untagged ports:
GigabitEthernet1/0/3

VLAN ID: 11
VLAN type: Static
Private-vlan type: Secondary
Route interface: Not configured
Description: VLAN 0011
Name: VLAN 0011
Tagged ports:
GigabitEthernet1/0/2
GigabitEthernet1/0/5
Untagged ports: None

VLAN ID: 12
VLAN type: Static
Private-vlan type: Secondary
Route interface: Not configured
Description: VLAN 0012
Name: VLAN 0012
Tagged ports:
GigabitEthernet1/0/5
Untagged ports:
GigabitEthernet1/0/3

The output shows that:

• The trunk promiscuous port (GigabitEthernet 1/0/5) is a tagged member of primary VLAN 10
and secondary VLANs 11 and 12.
• The trunk secondary port (GigabitEthernet 1/0/2) is a tagged member of primary VLAN 10 and
secondary VLAN 11.

183
 • The host port (GigabitEthernet 1/0/3) is an untagged member of primary VLAN 10 and
secondary VLAN 12.

Secondary VLAN Layer 3 communication configuration

example
Network requirements
As shown in Figure 61, configure the private VLAN feature to meet the following requirements:
• Primary VLAN 10 on Device A is associated with secondary VLANs 2 and 3. The IP address of
VLAN-interface 10 is 192.168.1.1/24.
• GigabitEthernet 1/0/1 belongs to VLAN 10. GigabitEthernet 1/0/2 and GigabitEthernet 1/0/3
belong to VLAN 2 and VLAN 3, respectively.
• Secondary VLANs are isolated at Layer 2 but interoperable at Layer 3.
Figure 61 Network diagram

Device B

VLAN 10
Vlan-int10
GE1/0/1
192.168.1.1/24

Device A
GE1/0/2 GE1/0/3

VLAN 2 VLAN 3

Configuration procedure
# Create VLAN 10 and configure it as a primary VLAN.
<DeviceA> system-view
[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan primary
[DeviceA-vlan10] quit

# Create VLANs 2 and 3.

<DeviceA> system-view
[DeviceA] vlan 2 to 3

# Associate primary VLAN 10 with secondary VLANs 2 and 3.

[DeviceA] vlan 10
[DeviceA-vlan10] private-vlan primary
[DeviceA-vlan10] private-vlan secondary 2 3
[DeviceA-vlan10] quit

# Configure the uplink port (GigabitEthernet 1/0/1) as a promiscuous port of VLAN 10.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port private-vlan 10 promiscuous
[DeviceA-GigabitEthernet1/0/1] quit

# Assign downlink port GigabitEthernet 1/0/2 to VLAN 2, and configure the port as a host port.
[DeviceA] interface gigabitethernet 1/0/2

184
 [DeviceA-GigabitEthernet1/0/2] port access vlan 2
[DeviceA-GigabitEthernet1/0/2] port private-vlan host
[DeviceA-GigabitEthernet1/0/2] quit

# Assign downlink port GigabitEthernet 1/0/3 to VLAN 3, and configure the port as a host port.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port access vlan 3
[DeviceA-GigabitEthernet1/0/3] port private-vlan host
[DeviceA-GigabitEthernet1/0/3] quit

# Enable Layer 3 communication between secondary VLANs 2 and 3 that are associated with
primary VLAN 10.
[DeviceA] interface vlan-interface 10
[DeviceA-Vlan-interface10] private-vlan secondary 2 3

# Assign IP address 192.168.1.1/24 to VLAN-interface 10.

[DeviceA-Vlan-interface10] ip address 192.168.1.1 255.255.255.0

# Enable local proxy ARP on VLAN-interface 10.

[DeviceA-Vlan-interface10] local-proxy-arp enable
[DeviceA-Vlan-interface10] quit

Verifying the configuration

# Display the configuration of primary VLAN 10.
[DeviceA] display private-vlan 10
Primary VLAN ID: 10
Secondary VLAN ID: 2-3

VLAN ID: 10
VLAN type: Static
Private VLAN type: Primary
Route interface: Configured
IPv4 address: 192.168.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0010
Name: VLAN 0010
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/1
GigabitEthernet1/0/2
GigabitEthernet1/0/3

VLAN ID: 2
VLAN type: Static
Private VLAN type: Secondary
Route interface: Configured
IPv4 address: 192.168.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0002
Name: VLAN 0002
Tagged ports: None
Untagged ports:

185
 GigabitEthernet1/0/1
GigabitEthernet1/0/2

VLAN ID: 3
VLAN type: Static
Private VLAN type: Secondary
Route interface: Configured
IPv4 address: 192.168.1.1
IPv4 subnet mask: 255.255.255.0
Description: VLAN 0003
Name: VLAN 0003
Tagged ports: None
Untagged ports:
GigabitEthernet1/0/1
GigabitEthernet1/0/3

The Route interface field in the output is Configured, indicating that secondary VLANs 2 and 3 are
interoperable at Layer 3.

186
Configuring voice VLANs
Overview
A voice VLAN is used for transmitting voice traffic. The device can configure QoS parameters for
voice packets to ensure higher transmission priority of the voice packets.
Common voice devices include IP phones and integrated access devices (IADs). This chapter uses
IP phones as an example.
For an IP phone to access a device, the device must perform the following operations:
1. Identify the IP phone in the network and obtain the MAC address of the IP phone.
2. Advertise the voice VLAN information to the IP phone.
After receiving the voice VLAN information, the IP phone performs automatic configuration. Voice
packets sent from the IP phone can then be transmitted within the voice VLAN.

Methods of identifying IP phones

Devices can use the OUI addresses or LLDP to identify IP phones.

Identifying IP phones through OUI addresses

A device identifies voice packets based on their source MAC addresses. A packet whose source
MAC address complies with an Organizationally Unique Identifier (OUI) address of the device is
regarded as a voice packet.
You can use system default OUI addresses (see Table 15) or configure OUI addresses for the
device. You can manually remove or add the system default OUI addresses.
Table 15 Default OUI addresses

Number OUI address Vendor

1 0001-e300-0000 Siemens phone
2 0003-6b00-0000 Cisco phone
3 0004-0d00-0000 Avaya phone
4 000f-e200-0000 H3C Aolynk phone
5 0060-b900-0000 Philips/NEC phone
6 00d0-1e00-0000 Pingtel phone
7 00e0-7500-0000 Polycom phone
8 00e0-bb00-0000 3Com phone

Typically, an OUI address refers to the first 24 bits of a MAC address (in binary notation) and is a
globally unique identifier that IEEE assigns to a vendor. However, OUI addresses in this chapter are
addresses that the system uses to identify voice packets. They are the logical AND results of the
mac-address and oui-mask arguments in the voice-vlan mac-address command.

187
Automatically identifying IP phones through LLDP
If IP phones support LLDP, configure LLDP for automatic IP phone discovery on the device. The
device can then automatically discover the peer through LLDP, and exchange LLDP TLVs with the
peer.
If the LLDP System Capabilities TLV received on a port indicates that the peer can act as a
telephone, the device performs the following operations:
1. Sends an LLDP TLV with the voice VLAN configuration to the peer.
2. Assigns the receiving port to the voice VLAN.
3. Increases the transmission priority of the voice packets sent from the IP phone.
4. Adds the MAC address of the IP phone to the MAC address table to ensure that the IP phone
can pass authentication.
Use LLDP instead of the OUI list to identify IP phones if the network has more IP phone categories
than the maximum number of OUI addresses supported on the device. LLDP has higher priority than
the OUI list.
For more information about LLDP, see "Configuring LLDP."

Advertising the voice VLAN information to IP

phones
Figure 62 shows the workflow of advertising the voice VLAN information to IP phones.
Figure 62 Workflow of advertising the voice VLAN information to IP phones

Yes Advertise the

Is LLDP/CDP configured to
voice VLAN ID to the IP
advertise the voice VLAN
phone
ID?

No

Yes
Is the authorization VLAN Advertise the
received from the authorization VLAN to
authentication server? to the IP phone

No

Advertise the voice VLAN

configured on the port to the
IP phone

IP phone access methods

Connecting the host and the IP phone in series
As shown in Figure 63, the host is connected to the IP phone, and the IP phone is connected to the
device. In this scenario, the following requirements must be met:
• The host and the IP phone use different VLANs.
• The IP phone is able to send out VLAN-tagged packets, so that the device can differentiate
traffic from the host and the IP phone.
• The port connecting to the IP phone forwards packets from the voice VLAN and the PVID.

188
 Figure 63 Connecting the host and IP phone in series

Voice gateway

Host IP phone Device

Connecting the IP phone to the device

As shown in Figure 64, IP phones are connected to the device without the presence of the host. Use
this connection method when IP phones sends out untagged voice packets. In this scenario, you
must configure the voice VLAN as the PVID of the access port of the IP phone, and configure the port
to forward the packets from the PVID.
Figure 64 Connecting the IP phone to the device

Voice gateway

Device

IP phone IP phone

Voice VLAN assignment modes

A port can be assigned to a voice VLAN automatically or manually.

Automatic mode
Use automatic mode when PCs and IP phones are connected in series to access the network
through the device, as shown in Figure 63. Ports on the device transmit both voice traffic and data
traffic.
When an IP phone is powered on, it sends out protocol packets. After receiving these protocol
packets, the device uses the source MAC address of the protocol packets to match its OUI
addresses. If the match succeeds, the device performs the following operations:
• Assigns the receiving port of the protocol packets to the voice VLAN.
• Issues ACL rules to set the packet precedence.
• Starts the voice VLAN aging timer.
If no voice packet is received from the port before the aging timer expires, the device will remove the
port from the voice VLAN. The aging timer is also configurable.

189
 When the IP phone reboots, the port is reassigned to the voice VLAN to ensure the correct operation
of the existing voice connections. The reassignment occurs automatically without being triggered by
voice traffic as long as the voice VLAN operates correctly.

Manual mode
Use manual mode when only IP phones access the network through the device, as shown in Figure
64. In this mode, ports are assigned to a voice VLAN that transmits voice traffic exclusively. No data
traffic affects the voice traffic transmission.
You must manually assign the port that connects to the IP phone to a voice VLAN. The device uses
the source MAC address of the received voice packets to match its OUI addresses. If the match
succeeds, the device issues ACL rules to set the packet precedence.
To remove the port from the voice VLAN, you must manually remove it.

Cooperation of voice VLAN assignment modes and IP

phones
Some IP phones send out VLAN-tagged packets, and others send out only untagged packets. For
correct packet processing, ports of different link types must meet specific configuration requirements
in different voice VLAN assignment modes.
Access ports do not transmit tagged packets.
Table 16 Configuration requirements for trunk and hybrid ports to support tagged voice
traffic

Port link Voice VLAN

Configuration requirements
type assignment mode
Automatic The PVID of the port cannot be the voice VLAN.
Trunk The PVID of the port cannot be the voice VLAN.
Manual
The port must forward packets from the voice VLAN.
Automatic The PVID of the port cannot be the voice VLAN.

Hybrid The PVID of the port cannot be the voice VLAN.

Manual The port must forward packets from the voice VLAN with VLAN
tags.

When IP phones send out untagged packets, you must set the voice VLAN assignment mode to
manual.
Table 17 Configuration requirements for ports in manual mode to support untagged voice
traffic

Port link
Configuration requirements
type
Access The voice VLAN must be the PVID of the port.
The voice VLAN must be the PVID of the port.
Trunk
The port must forward packets from the voice VLAN.
The voice VLAN must be the PVID of the port.
Hybrid
The port must forward packets from the voice VLAN without VLAN tags.

190
 If an IP phone sends out tagged voice traffic, and its access port is configured with 802.1X
authentication, guest VLAN, Auth-Fail VLAN, or critical VLAN, VLAN IDs must be different for the
following VLANs:
• Voice VLAN.
• PVID of the access port.
• 802.1X guest, Auth-Fail, or critical VLAN.
If an IP phone sends out untagged voice traffic, the PVID of the access port must be the voice VLAN.
In this scenario, 802.1X authentication is not supported.

Security mode and normal mode of voice VLANs

Depending on the filtering mechanisms to incoming packets, a voice VLAN-enabled port can operate
in one of the following modes:
• Normal mode—The port receives voice-VLAN-tagged packets and forwards them in the voice
VLAN without examining their MAC addresses. If the PVID of the port is the voice VLAN and the
port operates in manual VLAN assignment mode, the port forwards all the received untagged
packets in the voice VLAN.
In this mode, voice VLANs are vulnerable to traffic attacks. Malicious users might send a large
number of forged voice-VLAN-tagged or untagged packets to affect voice communication.
• Security mode—The port uses the source MAC addresses of voice packets to match the OUI
addresses of the device. Packets that fail the match will be dropped.
In a safe network, you can configure the voice VLANs to operate in normal mode. This mode reduces
system resource consumption in source MAC address checking.
In either mode, the device modifies the transmission priority only for voice VLAN packets whose
source MAC addresses match OUI addresses of the device.
As a best practice, do not transmit both voice traffic and non-voice traffic in a voice VLAN. If you must
transmit different traffic in a voice VLAN, make sure the voice VLAN security mode is disabled.
Table 18 Packet processing on a voice VLAN-enabled port in normal or security mode

Voice VLAN
Packet type Packet processing
mode
• Untagged packets The port does not examine their source MAC addresses.
• Packets with the Both voice traffic and non-voice traffic can be transmitted in
Normal voice VLAN tags the voice VLAN.

Packets with other VLAN The port forwards or drops them depending on whether the
tags port permits packets from these VLANs to pass through.
• If the source MAC address of a packet matches an OUI
• Untagged packets address on the device, the packet is forwarded in the
• Packets with the voice VLAN.
Security voice VLAN tags • If the source MAC address of a packet does not match
an OUI address on the device, the packet is dropped.

Packets with other VLAN The port forwards or drops them depending on whether the
tags port permits packets from these VLANs to pass through.

191
Voice VLAN configuration task list
Tasks at a glance
(Required.) Configuring the QoS priority settings for voice traffic
(Required.) Use one of the following methods:
• Configuring a port to operate in automatic voice VLAN assignment mode
• Configuring a port to operate in manual voice VLAN assignment mode
(Optional.) Enabling LLDP for automatic IP phone discovery
(Optional.) Use one of the following methods:
• Configuring LLDP to advertise a voice VLAN
• Configuring CDP to advertise a voice VLAN

Configuring the QoS priority settings for voice

traffic
The QoS priority settings carried in voice traffic include the CoS and DSCP values. You can
configure the device to modify the QoS priority settings for voice traffic.
You cannot configure the QoS priority settings on a voice VLAN-enabled port. Before you configure
the QoS priority settings for voice traffic on a port, you must disable the voice VLAN feature on it.
To configure the QoS priority settings for voice traffic:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2
Ethernet interface interface interface-type interface-number N/A
view.
By default, a port modifies the
CoS and DSCP values for voice
VLAN packets to 6 and 46,
• Configure the port to trust the QoS respectively.
priority settings: If a port trusts the QoS priority
3. Configure QoS
priority settings for
voice-vlan qos trust settings in incoming voice VLAN
incoming voice • Configure the port to modify the CoS packets, the port does not modify
VLAN packets. and DSCP values: their CoS and DSCP values.
voice-vlan qos cos-value If you execute the voice-vlan qos
dscp-value and voice-vlan qos trust
commands multiple times, the
most recent configuration takes
effect.

192
Configuring a port to operate in automatic voice
VLAN assignment mode
Configuration restrictions and guidelines
When you configure a port to operate in automatic voice VLAN assignment mode, follow these
restrictions and guidelines:
• Do not configure a VLAN as both a voice VLAN and a protocol-based VLAN.
 A voice VLAN in automatic mode on a hybrid port processes only tagged incoming voice
traffic.
 A protocol-based VLAN on a hybrid port processes only untagged incoming packets. For
more information about protocol-based VLANs, see "Configuring protocol-based VLANs."
• As a best practice, do not use this mode with MSTP. In MSTP mode, if a port is blocked in the
MSTI of the target voice VLAN, the port drops the received packets instead of delivering them to
the CPU. As a result, the port will not be dynamically assigned to the voice VLAN.
• As a best practice, do not use this mode with PVST. In PVST mode, if the target voice VLAN is
not permitted on a port, the port is placed in blocked state. The port drops the received packets
instead of delivering them to the CPU. As a result, the port will not be dynamically assigned to
the voice VLAN.
• As a best practice, do not configure both dynamic MAC-based VLAN assignment and automatic
voice VLAN assignment mode on a port. They can have a negative impact on each other.

Configuration procedure
To configure a port to operate in automatic voice VLAN assignment mode:

Step Command Remarks

1. Enter system view. system-view N/A
By default, the aging timer of a
voice VLAN is 1440 minutes.
2. (Optional.) Set the voice The voice VLAN aging timer
VLAN aging timer. voice-vlan aging minutes
takes effect only on ports in
automatic voice VLAN
assignment mode.
3. (Optional.) Enable the
voice VLAN security By default, the voice VLAN
voice-vlan security enable
mode. security mode is enabled.

4. (Optional.) Add an OUI By default, system default

address for voice packet voice-vlan mac-address oui mask OUI addresses exist. For
identification. oui-mask [ description text ] more information, see Table
15.
5. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
6. Configure the link type of • port link-type trunk
the port. N/A
• port link-type hybrid
7. Configure the port to By default, the automatic
operate in automatic voice voice-vlan mode auto voice VLAN assignment mode
VLAN assignment mode. is enabled.
8. Enable the voice VLAN voice-vlan vlan-id enable By default, the voice VLAN

193
 Step Command Remarks
feature on the port. feature is disabled.
Before you execute this
command, make sure the
specified VLAN already
exists.

Configuring a port to operate in manual voice

VLAN assignment mode
Configuration restrictions and guidelines
When you configure a port to operate in manual voice VLAN assignment mode, follow these
restrictions and guidelines:
• You can configure different voice VLANs for different ports on the same device. Make sure the
following requirements are met:
 One port can be configured with only one voice VLAN.
 Voice VLANs must be existing static VLANs.
• Do not enable voice VLAN on the member ports of a link aggregation group. For more
information about link aggregation, see "Configuring Ethernet link aggregation."
• To make a voice VLAN take effect on a port operating in manual mode, you must manually
assign the port to the voice VLAN.

Configuration procedure
To configure a port to operate in manual voice VLAN assignment mode:

Step Command Remarks

1. Enter system view. system-view N/A
2. (Optional.) Enable the
voice VLAN security By default, the voice VLAN
voice-vlan security enable
mode. security mode is enabled.

3. (Optional.) Add an OUI By default, system default OUI

address for voice packet voice-vlan mac-address oui mask
addresses exist. For more
identification. oui-mask [ description text ]
information, see Table 15.
4. Enter Layer 2 Ethernet
interface view. interface interface-type interface-number N/A

5. Configure the port to

operate in manual voice By default, a port operates in
VLAN assignment undo voice-vlan mode auto automatic voice VLAN
mode. assignment mode.

• For the access port, see "Assigning

an access port to a VLAN." After you assign an access
6. Assign the access,
• For the trunk port, see "Assigning a port to the voice VLAN, the
trunk, or hybrid port to
trunk port to a VLAN." voice VLAN becomes the
the voice VLAN.
• For the hybrid port, see "Assigning a PVID of the port.
hybrid port to a VLAN."
7. (Optional.) Configure • For the trunk port, see "Assigning a This step is required for
the voice VLAN as the trunk port to a VLAN." untagged incoming voice

194
 Step Command Remarks
PVID of the trunk or • For the hybrid port, see "Assigning a traffic and prohibited for
hybrid port. hybrid port to a VLAN." tagged incoming voice traffic.

By default, the voice VLAN

feature is disabled.
8. Enable the voice VLAN
feature on the port. voice-vlan vlan-id enable Before you execute this
command, make sure the
specified VLAN already exists.

Enabling LLDP for automatic IP phone discovery

Configuration restrictions and guidelines
When you enable LLDP for automatic IP phone discovery, following these restrictions and
guidelines:
• Before you enable this feature, enable LLDP both globally and on access ports.
• Use this feature only with the automatic voice VLAN assignment mode.
• Do not use this feature together with CDP compatibility.
• After you enable this feature on the device, each port of the device can be connected to a
maximum of five IP phones.

Configuration procedure
To enable LLDP for automatic IP phone discovery:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable LLDP for automatic
IP phone discovery. voice-vlan track lldp By default, this feature is disabled.

Configuring LLDP to advertise a voice VLAN

For IP phones that support LLDP, the device advertises the voice VLAN information to the IP phones
through the LLDP-MED TLVs.
Before you configure this feature, enable LLDP both globally and on access ports.
To configure LLDP to advertise a voice VLAN:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number
By default, no advertised
voice VLAN ID is configured.
3. Configure an advertised lldp tlv-enable med-tlv
voice VLAN ID. network-policy vlan-id For more information about
the command, see Layer
2—LAN Switching Command

195
 Step Command Remarks
Reference.
For more information about
4. (Optional.) Display the voice the command, see Layer
VLAN advertised by LLDP. display lldp local-information
2—LAN Switching Command
Reference.

Configuring CDP to advertise a voice VLAN

If an IP phone supports CDP but does not support LLDP, it will send out CDP packets to the device to
request the voice VLAN ID. If the IP phone does not receive the voice VLAN ID within a time period,
it will send out untagged packets. The device cannot differentiate untagged voice packets from other
types of packets.
You can configure CDP compatibility on the device to enable it to perform the following operations:
• Receive and identify CDP packets from the IP phone.
• Send CDP packets to the IP phone. The voice VLAN information is carried in the CDP packets.
After receiving the advertised VLAN information, the IP phone performs automatic voice VLAN
configuration. Packets from the IP phone will be transmitted in the dedicated voice VLAN.
LLDP packets sent from the device carry the priority information. CDP packets sent from the device
do not carry the priority information.
Before you configure this feature, enable LLDP globally and on access ports.
To configure CDP to advertise a voice VLAN:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enable CDP compatibility. By default, CDP compatibility

lldp compliance cdp
is disabled.
3. Enter Layer 2 Ethernet interface interface-type
interface view. N/A
interface-number

4. Configure CDP-compatible CDP-compatible LLDP

LLDP to operate in TxRx lldp compliance admin-status cdp operating in TxRx mode can
mode. txrx send and receive CDP
packets.
By default, no advertised
voice VLAN ID is configured.
5. Configure an advertised For more information about
voice VLAN ID. cdp voice-vlan vlan-id
the command, see Layer
2—LAN Switching Command
Reference.

Displaying and maintaining voice VLANs

Execute display commands in any view.

Task Command
Display the voice VLAN state. display voice-vlan state

196
 Task Command
Display OUI addresses on a device. display voice-vlan mac-address

Voice VLAN configuration examples

Automatic voice VLAN assignment mode configuration
example
Network requirements
As shown in Figure 65, Device A transmits traffic from IP phones and hosts.
For correct voice traffic transmission, perform the following tasks on Device A:
• Configure voice VLANs 2 and 3 to transmit voice packets from IP phone A and IP phone B,
respectively.
• Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to operate in automatic voice VLAN
assignment mode.
• Add MAC addresses of IP phones A and B to the device for voice packet identification. The
mask of the two MAC addresses is FFFF-FF00-0000.
• Set an aging timer for voice VLANs.
Figure 65 Network diagram
Device A Device B
Internet
GE1/0/1
GE1/0/2

VLAN 2 VLAN 3
IP phone A IP phone B
010-1001 010-1002
MAC: 0011-1100-0001 MAC: 0011-2200-0001
Mask: ffff-ff00-0000 Mask: ffff-ff00-0000 0755-2002

PC A PC B
MAC: 0022-1100-0002 MAC: 0022-2200-0002

Configuration procedure
1. Configure voice VLANs:
# Create VLANs 2 and 3.
<DeviceA> system-view
[DeviceA] vlan 2 to 3
# Set the voice VLAN aging timer to 30 minutes.
[DeviceA] voice-vlan aging 30
# Enable security mode for voice VLANs.
[DeviceA] voice-vlan security enable
# Add MAC addresses of IP phones A and B to the device with mask FFFF-FF00-0000.

197
 [DeviceA] voice-vlan mac-address 0011-1100-0001 mask ffff-ff00-0000 description IP
phone A
[DeviceA] voice-vlan mac-address 0011-2200-0001 mask ffff-ff00-0000 description IP
phone B
2. Configure GigabitEthernet 1/0/1:
# Configure GigabitEthernet 1/0/1 as a hybrid port.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-type hybrid
# Configure GigabitEthernet 1/0/1 to operate in automatic voice VLAN assignment mode.
[DeviceA-GigabitEthernet1/0/1] voice-vlan mode auto
# Enable voice VLAN on GigabitEthernet 1/0/1 and configure VLAN 2 as the voice VLAN for it.
[DeviceA-GigabitEthernet1/0/1] voice-vlan 2 enable
[DeviceA-GigabitEthernet1/0/1] quit
3. Configure GigabitEthernet 1/0/2:
# Configure GigabitEthernet 1/0/2 as a hybrid port.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-type hybrid
# Configure GigabitEthernet 1/0/2 to operate in automatic voice VLAN assignment mode.
[DeviceA-GigabitEthernet1/0/2] voice-vlan mode auto
# Enable voice VLAN on GigabitEthernet 1/0/2 and configure VLAN 3 as the voice VLAN for it.
[DeviceA-GigabitEthernet1/0/2] voice-vlan 3 enable
[DeviceA-GigabitEthernet1/0/2] quit

Verifying the configuration

# Display the OUI addresses supported on Device A.
[DeviceA] display voice-vlan mac-address
OUI Address Mask Description
0001-e300-0000 ffff-ff00-0000 Siemens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
000f-e200-0000 ffff-ff00-0000 H3C Aolynk phone
0011-1100-0000 ffff-ff00-0000 IP phone A
0011-2200-0000 ffff-ff00-0000 IP phone B
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3Com phone

# Display the voice VLAN state.

[DeviceA] display voice-vlan state
Current voice VLANs: 2
Voice VLAN security mode: Security
Voice VLAN aging time: 30 minutes
Voice VLAN enabled ports and their modes:
Port VLAN Mode CoS DSCP
GE1/0/1 2 Auto 6 46
GE1/0/2 3 Auto 6 46

198
Manual voice VLAN assignment mode configuration example
Network requirements
As shown in Figure 66, IP phone A send untagged voice traffic.
To enable GigabitEthernet 1/0/1 to transmit only voice packets, perform the following tasks on
Device A:
• Create VLAN 2. This VLAN will be used as a voice VLAN.
• Configure GigabitEthernet 1/0/1 to operate in manual voice VLAN assignment mode and add it
to VLAN 2.
• Add the OUI address of IP phone A to the OUI list of Device A.
Figure 66 Network diagram
Device A Device B

Internet
GE1/0/1
VLAN 2

IP phone A IP phone B
010-1001 0755-2002
MAC: 0011-2200-0001
Mask: ffff-ff00-0000

Configuration procedure
# Enable security mode for voice VLANs.
<DeviceA> system-view
[DeviceA] voice-vlan security enable

# Add MAC address 0011-2200-0001 with mask FFFF-FF00-0000.

[DeviceA] voice-vlan mac-address 0011-2200-0001 mask ffff-ff00-0000 description test

# Create VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit

# Configure GigabitEthernet 1/0/1 to operate in manual voice VLAN assignment mode.

[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] undo voice-vlan mode auto

# Configure GigabitEthernet 1/0/1 as a hybrid port.

[DeviceA-GigabitEthernet1/0/1] port link-type hybrid

# Set the PVID of GigabitEthernet 1/0/1 to VLAN 2.

[DeviceA-GigabitEthernet1/0/1] port hybrid pvid vlan 2

# Assign GigabitEthernet 1/0/1 to VLAN 2 as an untagged VLAN member.

[DeviceA-GigabitEthernet1/0/1] port hybrid vlan 2 untagged

# Enable voice VLAN and configure VLAN 2 as the voice VLAN on GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] voice-vlan 2 enable
[DeviceA-GigabitEthernet1/0/1] quit

Verifying the configuration

# Display the OUI addresses supported on Device A.

199
[DeviceA] display voice-vlan mac-address
OUI Address Mask Description
0001-e300-0000 ffff-ff00-0000 Siemens phone
0003-6b00-0000 ffff-ff00-0000 Cisco phone
0004-0d00-0000 ffff-ff00-0000 Avaya phone
000f-e200-0000 ffff-ff00-0000 H3C Aolynk phone
0011-2200-0000 ffff-ff00-0000 test
0060-b900-0000 ffff-ff00-0000 Philips/NEC phone
00d0-1e00-0000 ffff-ff00-0000 Pingtel phone
00e0-7500-0000 ffff-ff00-0000 Polycom phone
00e0-bb00-0000 ffff-ff00-0000 3Com phone

# Display the voice VLAN state.

[DeviceA] display voice-vlan state
Current voice VLANs: 1
Voice VLAN security mode: Security
Voice VLAN aging time: 1440 minutes
Voice VLAN enabled ports and their modes:
Port VLAN Mode CoS DSCP
GE1/0/1 2 Manual 6 46

200
Configuring MVRP
Multiple Registration Protocol (MRP) is an attribute registration protocol used to transmit attribute
values. Multiple VLAN Registration Protocol (MVRP) is a typical MRP application. It synchronizes
VLAN information among devices.
MVRP propagates local VLAN information to other devices, receives VLAN information from other
devices, and dynamically updates local VLAN information. When the network topology changes,
MVRP propagates and learns VLAN information again according to the new topology.

MRP
MRP allows devices in the same LAN to transmit attribute values on a per MSTI basis. For more
information about MSTIs, see "Configuring spanning tree protocols."

MRP implementation
An MRP-enabled port is called an MRP participant. An MVRP-enabled port is called an MVRP
participant.
As shown in Figure 67, an MRP participant sends declarations and withdrawals to notify other
participants to register and deregister its attribute values. It also registers and deregisters the
attribute values of other participants according to the received declarations and withdrawals. MRP
rapidly propagates the configuration information of an MRP participant throughout the LAN.
Figure 67 MRP implementation
Register

Device A Device B

Declaration
Deregister
Withdrawal

For example, MRP registers and deregisters VLAN attributes as follows:

• When a port receives a declaration for a VLAN, the port registers the VLAN and joins the VLAN.
• When a port receives a withdrawal for a VLAN, the port deregisters the VLAN and leaves the
VLAN.
Figure 67 shows a simple MRP implementation on an MSTI. In a network with multiple MSTIs, MRP
performs attribute registration and deregistration on a per-MSTI basis.

MRP messages
MRP messages include the following types:
• Declaration—Includes Join and New messages.
• Withdrawal—Includes Leave and LeaveAll messages.

201
Join message
An MRP participant sends a Join message to request the peer participant to register attributes in the
Join message.
When receiving a Join message from the peer participant, an MRP participant performs the following
tasks:
• Registers the attributes in the Join message.
• Propagates the Join message to all other participants on the device.
After receiving the Join message, other participants send the Join message to their respective peer
participants.
Join messages sent from a local participant to its peer participant include the following types:
• JoinEmpty—Declares an unregistered attribute. For example, when an MRP participant joins
an unregistered static VLAN, it sends a JoinEmpty message.
VLANs created manually and locally are called static VLANs. VLANs learned through MRP are
called dynamic VLANs.
• JoinIn—Declares a registered attribute. A JoinIn message is used in one of the following
situations:
 An MRP participant joins an existing static VLAN and sends a JoinIn message after
registering the VLAN.
 The MRP participant receives a Join message propagated by another participant on the
device and sends a JoinIn message after registering the VLAN.
New message
Similar to a Join message, a New message enables MRP participants to register attributes.
When the MSTP topology changes, an MRP participant sends a New message to the peer
participant to declare the topology change.
Upon receiving a New message from the peer participant, an MRP participant performs the following
tasks:
• Registers the attributes in the message.
• Propagates the New message to all other participants on the device.
After receiving the New message, other participants send the New message to their respective peer
participants.
Leave message
An MRP participant sends a Leave message to the peer participant when it wants the peer
participant to deregister attributes that it has deregistered.
When the peer participant receives the Leave message, it performs the following tasks:
• Deregisters the attribute in the Leave message.
• Propagates the Leave message to all other participants on the device.
After a participant on the device receives the Leave message, it determines whether to send the
Leave message to its peer participant depending on the attribute status on the device.
• If the VLAN in the Leave message is a dynamic VLAN not registered by any participants on the
device, both of the following events occur:
 The VLAN is deleted on the device.
 The participant sends the Leave message to its peer participant.
• If the VLAN in the Leave message is a static VLAN, the participant will not send the Leave
message to its peer participant.

202
LeaveAll message
Each MRP participant starts its LeaveAll timer when starting up. When the timer expires, the MRP
participant sends LeaveAll messages to the peer participant.
Upon sending or receiving a LeaveAll message, the local participant starts the Leave timer. The local
participant determines whether to send a Join message depending on its attribute status. A
participant can re-register the attributes in the received Join message before the Leave timer
expires.
When the Leave timer expires, a participant deregisters all attributes that have not been
re-registered to periodically clear useless attributes in the network.

MRP timers
MRP uses the following timers to control message transmission.
Periodic timer
The Periodic timer controls the transmission of MRP messages. An MRP participant starts its own
Periodic timer upon startup, and stores MRP messages to be sent before the Periodic timer expires.
When the Periodic timer expires, MRP sends stored MRP messages in as few MRP frames as
possible and restarts the Periodic timer. This mechanism reduces the number of MRP frames sent.
You can enable or disable the Periodic timer. When the Periodic timer is disabled, MRP does not
periodically send MRP messages. Instead, an MRP participant sends MRP messages when the
LeaveAll timer expires or the participant receives a LeaveAll message from the peer participant.
Join timer
The Join timer controls the transmission of Join messages. An MRP participant starts the Join timer
after sending a Join message to the peer participant. Before the Join timer expires, the participant
does not resend the Join message when the following conditions exist:
• The participant receives a JoinIn message from the peer participant.
• The received JoinIn message has the same attributes as the sent Join message.
When both the Join timer and the Periodic timer expire, the participant resends the Join message.
Leave timer
The Leave timer controls the deregistration of attributes.
An MRP participant starts the Leave timer in one of the following conditions:
• The participant receives a Leave message from its peer participant.
• The participant receives or sends a LeaveAll message.
The MRP participant does not deregister the attributes in the Leave or LeaveAll message if the
following conditions exist:
• The participant receives a Join message before the Leave timer expires.
• The Join message includes the attributes that have been encapsulated in the Leave or LeaveAll
message.
If the participant does not receive a Join message for these attributes before the Leave timer expires,
MRP deregisters the attributes.
LeaveAll timer
After startup, an MRP participant starts its own LeaveAll timer. When the LeaveAll timer expires, the
MRP participant sends out a LeaveAll message and restarts the LeaveAll timer.
Upon receiving the LeaveAll message, other participants restart their LeaveAll timer. The value of
the LeaveAll timer is randomly selected between the LeaveAll timer and 1.5 times the LeaveAll timer.
This mechanism provides the following benefits:

203
 • Effectively reduces the number of LeaveAll messages in the network.
• Prevents the LeaveAll timer of a particular participant from always expiring first.

MVRP registration modes

VLAN information propagated by MVRP includes dynamic VLAN information from other devices and
local static VLAN information.
MVRP has the following registration modes, which process dynamic VLANs in different ways.
Normal
An MVRP participant in normal registration mode registers and deregisters dynamic VLANs.
Fixed
An MVRP participant in fixed registration mode disables deregistering dynamic VLANs and drops
received MVRP frames. The MVRP participant does not deregister dynamic VLANs or register new
dynamic VLANs.
Forbidden
An MVRP participant in forbidden registration mode disables registering dynamic VLANs and drops
received MVRP frames. The MVRP participant does not register new dynamic VLANs or re-register
a deregistered dynamic VLAN.

Protocols and standards

IEEE 802.1ak, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area
Networks – Amendment 07: Multiple Registration Protocol

MVRP configuration task list

Tasks at a glance
(Required.) Enabling MVRP
(Optional.) Setting an MVRP registration mode
(Optional.) Setting MRP timers
(Optional.) Enabling GVRP compatibility

Configuration restrictions and guidelines

When you configure MVRP, follow these restrictions and guidelines:
• MVRP can work with STP, RSTP, or MSTP. Ports blocked by STP, RSTP, or MSTP can receive
and send MVRP frames. Do not configure MVRP with other link layer topology protocols, such
as service loopback, PVST, RRPP, and Smart Link.
For more information about STP, RSTP, MSTP, and PVST, see "Configuring spanning tree
protocols." For more information about service loopback, see "Configuring service loopback
groups." For more information about RRPP and Smart Link, see High Availability Configuration
Guide.
• Do not configure both MVRP and remote port mirroring on a port. Otherwise, MVRP might
register the remote probe VLAN with incorrect ports, which would cause the monitor port to

204
 receive undesired copies. For more information about port mirroring, see Network Management
and Monitoring Configuration Guide.
• MVRP takes effect only on trunk ports. For more information about trunk ports, see "Configuring
VLANs."
• Enabling MVRP on a Layer 2 aggregate interface takes effect on the aggregate interface and all
Selected member ports in the link aggregation group.
• MVRP configuration made on an aggregation group member port takes effect only after the port
is removed from the aggregation group.

Configuration prerequisites
Before configuring MVRP, make sure each MSTI is mapped to an existing VLAN on each device in
the network.

Enabling MVRP
Step Command Remarks
1. Enter system view. system-view N/A
By default, MVRP is globally
disabled.
2. Enable MVRP globally. mvrp global enable For MVRP to take effect on a port,
enable MVRP both on the port
and globally.
3. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

By default, each port is an access

port. For more information about
4. Configure the port as a trunk
port link-type trunk the port link-type trunk
port.
command, see Layer 2—LAN
Switching Command Reference.
By default, a trunk port permits
only VLAN 1.
Make sure the trunk port permits
5. Configure the trunk port to port trunk permit vlan all registered VLANs.
permit the specified VLANs. { vlan-id-list | all } For more information about the
port trunk permit vlan
command, see Layer 2—LAN
Switching Command Reference.

6. Enable MVRP on the port. By default, MVRP is disabled on a

mvrp enable
port.

Setting an MVRP registration mode

Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

205
 Step Command Remarks
Optional.
3. Set an MVRP registration mvrp registration { fixed |
mode for the port. forbidden | normal } The default setting is normal
registration mode.

Setting MRP timers

To avoid frequent VLAN registrations and deregistrations, use the same MRP timers throughout the
network.
Each port maintains its own Periodic, Join, and LeaveAll timers, and each attribute of a port
maintains a Leave timer.
To set MRP timers:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

Optional.
3. Set the LeaveAll timer. mrp timer leaveall timer-value The default setting is 1000
centiseconds.
Optional.
4. Set the Join timer. mrp timer join timer-value The default setting is 20
centiseconds.
Optional.
5. Set the Leave timer. mrp timer leave timer-value The default setting is 60
centiseconds.
Optional.
The default setting is 100
6. Set the Periodic timer. mrp timer periodic timer-value centiseconds.
You can restore the Periodic timer
to the default at any time.

Table 19 shows the value ranges for Join, Leave, and LeaveAll timers and their dependencies.
• If you set a timer to a value beyond the allowed value range, your configuration fails. You can
set a timer by tuning the value of any other timer. The value of each timer must be an integer
multiple of 20 centiseconds and in the range defined in Table 19.
• As a best practice, restore the timers in the order of Join, Leave, and LeaveAll.
Table 19 Dependencies of the Join, Leave, and LeaveAll timers

Timer Lower limit Upper limit

Join 20 centiseconds Half the Leave timer
Leave Twice the Join timer LeaveAll timer
LeaveAll Leave timer on each port 32760 centiseconds

206
Enabling GVRP compatibility
Enable GVRP compatibility for MVRP when the peer device supports GVRP. Then, the local end can
receive and send both MVRP and GVRP frames.
When you enable GVRP compatibility, follow these restrictions and guidelines:
• GVRP compatibility enables MVRP to work with STP or RSTP, but not MSTP.
• When the system is busy, disable the Period timer to prevent the participant from frequently
registering or deregistering attributes.
For more information about GVRP, see the IEEE 802.1Q standard.
To enable GVRP compatibility:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enable GVRP compatibility. By default, GVRP compatibility is

mvrp gvrp-compliance enable
disabled.

Displaying and maintaining MVRP

Execute display commands in any view and reset commands in user view.

Task Command
Display MVRP running status. display mvrp running-status [ interface interface-list ]
Display the MVRP state of a port in a display mvrp state interface interface-type interface-number
VLAN. vlan vlan-id
Display MVRP statistics. display mvrp statistics [ interface interface-list ]
Clear MVRP statistics. reset mvrp statistics [ interface interface-list ]

MVRP configuration example

Network requirements
As shown in Figure 68:
• Create VLAN 10 on Device A and VLAN 20 on Device B.
• Configure MSTP, map VLAN 10 to MSTI 1, map VLAN 20 to MSTI 2, and map the other VLANs
to MSTI 0.
Configure MVRP on Device A, Device B, Device C, and Device D to meet the following
requirements:
• The devices can register and deregister dynamic VLANs.
• The devices can keep identical VLAN configurations for each MSTI.

207
 Figure 68 Network diagram
Device A Device B
Permit: all VLANs
GE1/0/3 GE1/0/3
GE /2

GE
1/0 1/0 VLAN 20

/
VLAN 10

1/0
/2 GE

1/0
GE

1 /
Permit: all VLANs Permit: VLANs 20, 40
Ns Pe
rm
V LA it:
all VL

GE
t: AN
1
mi
/ GE
1/0 r 40

1/0
Pe
/0/2 1/0
GE

/
1 /2

1
GE

VLAN 10 à MSTI 1
VLAN 20 à MSTI 2
Other VLANs à MSTI 0
Device C Device D

A B A B A B

C D C C D
MSTI 0 MSTI 1 MSTI 2

Link not blocked by Link blocked by

Root bridge spanning tree spanning tree

Blocked port Root port Designated port

Topology of each MSTI

Configuration procedure
1. Configure Device A:
# Enter MST region view.
<DeviceA> system-view
[DeviceA] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceA-mst-region] region-name example
[DeviceA-mst-region] instance 1 vlan 10
[DeviceA-mst-region] instance 2 vlan 20
[DeviceA-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceA-mst-region] active region-configuration
[DeviceA-mst-region] quit
# Configure Device A as the primary root bridge of MSTI 1.
[DeviceA] stp instance 1 root primary
# Globally enable the spanning tree feature.
[DeviceA] stp global enable
# Globally enable MVRP.

208
 [DeviceA] mvrp global enable
# Configure GigabitEthernet 1/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port link-type trunk
[DeviceA-GigabitEthernet1/0/1] port trunk permit vlan all
# Enable MVRP on port GigabitEthernet 1/0/1.
[DeviceA-GigabitEthernet1/0/1] mvrp enable
[DeviceA-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and configure it to permit VLAN 40.
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port link-type trunk
[DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 40
# Enable MVRP on GigabitEthernet 1/0/2.
[DeviceA-GigabitEthernet1/0/2] mvrp enable
[DeviceA-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 as a trunk port, and configure it to permit all VLANs.
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port link-type trunk
[DeviceA-GigabitEthernet1/0/3] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 1/0/3.
[DeviceA-GigabitEthernet1/0/3] mvrp enable
[DeviceA-GigabitEthernet1/0/3] quit
# Create VLAN 10.
[DeviceA] vlan 10
[DeviceA-vlan10] quit
2. Configure Device B:
# Enter MST region view.
<DeviceB> system-view
[DeviceB] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceB-mst-region] region-name example
[DeviceB-mst-region] instance 1 vlan 10
[DeviceB-mst-region] instance 2 vlan 20
[DeviceB-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceB-mst-region] active region-configuration
[DeviceB-mst-region] quit
# Configure Device B as the primary root bridge of MSTI 2.
[DeviceB] stp instance 2 root primary
# Globally enable the spanning tree feature.
[DeviceB] stp global enable
# Globally enable MVRP.
[DeviceB] mvrp global enable
# Configure GigabitEthernet 1/0/1 as a trunk port, and configure it to permit VLANs 20 and 40.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] port link-type trunk
[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 20 40

209
 # Enable MVRP on GigabitEthernet 1/0/1.
[DeviceB-GigabitEthernet1/0/1] mvrp enable
[DeviceB-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] port link-type trunk
[DeviceB-GigabitEthernet1/0/2] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 1/0/2.
[DeviceB-GigabitEthernet1/0/2] mvrp enable
[DeviceB-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 as a trunk port, and configure it to permit all VLANs.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] port link-type trunk
[DeviceB-GigabitEthernet1/0/3] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 1/0/3.
[DeviceB-GigabitEthernet1/0/3] mvrp enable
[DeviceB-GigabitEthernet1/0/3] quit
# Create VLAN 20.
[DeviceB] vlan 20
[DeviceB-vlan20] quit
3. Configure Device C:
# Enter MST region view.
<DeviceC> system-view
[DeviceC] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceC-mst-region] region-name example
[DeviceC-mst-region] instance 1 vlan 10
[DeviceC-mst-region] instance 2 vlan 20
[DeviceC-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceC-mst-region] active region-configuration
[DeviceC-mst-region] quit
# Configure Device C as the root bridge of MSTI 0.
[DeviceC] stp instance 0 root primary
# Globally enable the spanning tree feature.
[DeviceC] stp global enable
# Globally enable MVRP.
[DeviceC] mvrp global enable
# Configure GigabitEthernet 1/0/1 as a trunk port, and configure it to permit all VLANs.
[DeviceC] interface gigabitethernet 1/0/1
[DeviceC-GigabitEthernet1/0/1] port link-type trunk
[DeviceC-GigabitEthernet1/0/1] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 1/0/1.
[DeviceC-GigabitEthernet1/0/1] mvrp enable
[DeviceC-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and configure it to permit all VLANs.
[DeviceC] interface gigabitethernet 1/0/2

210
 [DeviceC-GigabitEthernet1/0/2] port link-type trunk
[DeviceC-GigabitEthernet1/0/2] port trunk permit vlan all
# Enable MVRP on GigabitEthernet 1/0/2.
[DeviceC-GigabitEthernet1/0/2] mvrp enable
[DeviceC-GigabitEthernet1/0/2] quit
4. Configure Device D:
# Enter MST region view.
<DeviceD> system-view
[DeviceD] stp region-configuration
# Configure the MST region name, VLAN-to-instance mappings, and revision level.
[DeviceD-mst-region] region-name example
[DeviceD-mst-region] instance 1 vlan 10
[DeviceD-mst-region] instance 2 vlan 20
[DeviceD-mst-region] revision-level 0
# Manually activate the MST region configuration.
[DeviceD-mst-region] active region-configuration
[DeviceD-mst-region] quit
# Globally enable the spanning tree feature.
[DeviceD] stp global enable
# Globally enable MVRP.
[DeviceD] mvrp global enable
# Configure GigabitEthernet 1/0/1 as a trunk port, and configure it to permit VLANs 20 and 40.
[DeviceD] interface gigabitethernet 1/0/1
[DeviceD-GigabitEthernet1/0/1] port link-type trunk
[DeviceD-GigabitEthernet1/0/1] port trunk permit vlan 20 40
# Enable MVRP on GigabitEthernet 1/0/1.
[DeviceD-GigabitEthernet1/0/1] mvrp enable
[DeviceD-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and configure it to permit VLAN 40.
[DeviceD] interface gigabitethernet 1/0/2
[DeviceD-GigabitEthernet1/0/2] port link-type trunk
[DeviceD-GigabitEthernet1/0/2] port trunk permit vlan 40
# Enable MVRP on GigabitEthernet 1/0/2.
[DeviceD-GigabitEthernet1/0/2] mvrp enable
[DeviceD-GigabitEthernet1/0/2] quit

Verifying the configuration

Verifying the normal registration mode configuration
# Display local VLAN information on Device A.
[DeviceA] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet1/0/1]----
Config Status : Enabled

211
 Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default)
Declared VLANs :
1(default), 10, 20
Propagated VLANs :
1(default)

----[GigabitEthernet1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
None
Declared VLANs :
1(default)
Propagated VLANs :
None

----[GigabitEthernet1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
20
Declared VLANs :
1(default), 10
Propagated VLANs :
20

The output shows that the following events have occurred:

• GigabitEthernet 1/0/1 has registered VLAN 1, declared VLAN 1, VLAN 10, and VLAN 20, and
propagated VLAN 1 through MVRP.
• GigabitEthernet 1/0/2 has declared VLAN 1, and registered and propagated no VLANs.
• GigabitEthernet 1/0/3 has registered VLAN 20, declared VLAN 1 and VLAN 10, and propagated
VLAN 20 through MVRP.

212
# Display local VLAN information on Device B.
[DeviceB] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default)
Declared VLANs :
1(default), 20
Propagated VLANs :
1(default)

----[GigabitEthernet1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 10
Declared VLANs :
1(default), 20
Propagated VLANs :
1(default)

----[GigabitEthernet1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 10
Declared VLANs :
20

213
 Propagated VLANs :
10

The output shows that the following events have occurred:

• GigabitEthernet 1/0/1 has registered VLAN 1, declared VLAN 1 and VLAN 20, and propagated
VLAN 1 through MVRP.
• GigabitEthernet 1/0/2 has registered VLAN 1 and VLAN 10, declared VLAN 1 and VLAN 20,
and propagated VLAN 1.
• GigabitEthernet 1/0/3 has registered VLAN 1 and VLAN 10, declared VLAN 20, and propagated
VLAN 10 through MVRP.
# Display local VLAN information on Device C.
[DeviceC] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 10, 20
Declared VLANs :
1(default)
Propagated VLANs :
1(default), 10

----[GigabitEthernet1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 20
Declared VLANs :
1(default), 10
Propagated VLANs :
1(default), 20

The output shows that the following events have occurred:

• GigabitEthernet 1/0/1 has registered VLAN 1, VLAN 10, and VLAN 20, declared VLAN 1, and
propagated VLAN 1 and VLAN 10 through MVRP.

214
 • GigabitEthernet 1/0/2 has registered VLAN 1 and VLAN 20, declared VLAN 1 and VLAN 10,
and propagated VLAN 1 and VLAN 20 through MVRP.
# Display local VLAN information on Device D.
[DeviceD] display mvrp running-status
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet1/0/1]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default), 20
Declared VLANs :
1(default)
Propagated VLANs :
1(default), 20

----[GigabitEthernet1/0/2]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Normal
Registered VLANs :
1(default)
Declared VLANs :
None
Propagated VLANs :
None

The output shows that the following events have occurred:

• GigabitEthernet 1/0/1 has registered and propagated VLAN 10 and VLAN 20, and declared
VLAN 1 through MVRP.
• GigabitEthernet 1/0/2 has registered VLAN 1, and declared and propagated no VLANs through
MVRP.
Verifying the configuration after changing the registration mode
When the network is stable, set the MVRP registration mode to fixed on the port of Device B
connected to Device A. Then, verify that dynamic VLANs on the port will not be deregistered.
# Set the MVRP registration mode to fixed on GigabitEthernet 1/0/3 of Device B.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] mvrp registration fixed

215
[DeviceB-GigabitEthernet1/0/3] quit

# Display local MVRP VLAN information on GigabitEthernet 1/0/3.

[DeviceB] display mvrp running-status interface gigabitethernet 1/0/3
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Fixed
Registered VLANs :
1(default), 10
Declared VLANs :
20
Propagated VLANs :
10

The output shows that VLAN information on GigabitEthernet 1/0/3 is not changed after you set its
MVRP registration mode to fixed.
# Delete VLAN 10 on Device A.
[DeviceA] undo vlan 10

# Display local MVRP VLAN information on GigabitEthernet 1/0/3 of Device B.

[DeviceB] display mvrp running-status interface gigabitethernet 1/0/3
-------[MVRP Global Info]-------
Global Status : Enabled
Compliance-GVRP : False

----[GigabitEthernet1/0/3]----
Config Status : Enabled
Running Status : Enabled
Join Timer : 20 (centiseconds)
Leave Timer : 60 (centiseconds)
Periodic Timer : 100 (centiseconds)
LeaveAll Timer : 1000 (centiseconds)
Registration Type : Fixed
Registered VLANs :
1(default), 10
Declared VLANs :
20
Propagated VLANs :
10

The output shows that dynamic VLAN information on GigabitEthernet 1/0/3 is not changed after you
set its MVRP registration mode to fixed.

216
Configuring QinQ
This document uses the following terms:
• CVLAN—Customer network VLANs, also called inner VLANs, refer to VLANs that a customer
uses on the private network.
• SVLAN—Service provider network VLANs, also called outer VLANs, refer to VLANs that a
service provider uses to transmit VLAN tagged traffic for customers.

Overview
802.1Q-in-802.1Q (QinQ) adds an 802.1Q tag to 802.1Q tagged customer traffic. It enables a
service provider to extend Layer 2 connections across an Ethernet network between customer sites.
QinQ provides the following benefits:
• Enables a service provider to use a single SVLAN to convey multiple CVLANs for a customer.
• Enables customers to plan CVLANs without conflicting with SVLANs.
• Enables customers to keep their VLAN assignment schemes unchanged when the service
provider changes its VLAN assignment scheme.
• Allows different customers to use overlapping CVLAN IDs. Devices in the service provider
network make forwarding decisions based on SVLAN IDs instead of CVLAN IDs.

How QinQ works

As shown in Figure 69, a QinQ frame transmitted over the service provider network carries the
following tags:
• CVLAN tag—Identifies the VLAN to which the frame belongs when it is transmitted in the
customer network.
• SVLAN tag—Identifies the VLAN to which the QinQ frame belongs when it is transmitted in the
service provider network. The service provider allocates the SVLAN tag to the customer.
The devices in the service provider network forward a tagged frame according to its SVLAN tag only.
The CVLAN tag is transmitted as part of the frame's payload.
Figure 69 Single-tagged Ethernet frame header and double-tagged Ethernet frame header
6 bytes 6 bytes 4 bytes 2 bytes 46–1500 bytes 4 bytes
CVLAN
DA SA Etype Data FCS
tag
Single-tagged frame structure

6 bytes 6 bytes 4 bytes 4 bytes 2 bytes 46–1500 bytes 4 bytes

SVLAN CVLAN
DA SA Etype Data FCS
tag tag
Double-tagged frame
structure Outer Inner
VLAN tag VLAN tag

As shown in Figure 70, customer A has remote sites CE 1 and CE 4. Customer B has remote sites
CE 2 and CE 3. The CVLANs of the two customers overlap. The service provider assigns SVLANs 3
and 4 to customers A and B, respectively.

217
 When a tagged Ethernet frame from CE 1 arrives at PE 1, the PE tags the frame with SVLAN 3. The
double-tagged Ethernet frame travels over the service provider network until it arrives at PE 2. PE 2
removes the SVLAN tag of the frame, and then sends the frame to CE 4.
Figure 70 Typical QinQ application scenario
VLANs 1 to 20 VLANs 1 to 10

CE 3 CE 4
Customer Customer
network B network A
CVLAN B Data CVLAN A Data

SVLAN 4 CVLAN B Data SVLAN 3 CVLAN A Data

PE 1 Internet PE 2

SVLAN 3 CVLAN A Data SVLAN 4 CVLAN B Data

Service provider network

CVLAN A Data CVLAN B Data

Customer Customer
network A network B
CE 1 CE 2

VLANs 1 to 10 VLANs 1 to 20

QinQ implementations
QinQ is enabled on a per-port basis. The link type of a QinQ-enabled port can be access, hybrid, or
trunk. The QinQ tagging behaviors are the same across these types of ports.
A QinQ-enabled port tags all incoming frames (tagged or untagged) with the PVID tag.
• If an incoming frame already has one tag, it becomes a double-tagged frame.
• If the frame does not have any 802.1Q tags, it becomes a frame tagged with the PVID.
QinQ provides the most basic VLAN manipulation method to tag all incoming frames (tagged or
untagged) with the PVID tag. To perform advanced VLAN manipulations, use VLAN mappings or
QoS policies as follows:
• To add different SVLANs for different CVLAN tags, use one-to-two VLAN mappings.
• To replace the SVLAN ID, CVLAN ID, or both IDs for an incoming double-tagged frame, use
two-to-two VLAN mappings.
• QinQ and two-to-two mappings are mutually exclusive. The device does not support adding an
SVLAN tag on a QinQ-enabled port and then modifying the CVLAN and SVLAN IDs.
• To use criteria other than the CVLAN ID to match packets for SVLAN tagging, use the QoS nest
action. The QoS nest action can also be used with other actions in the same traffic behavior.
• To set the 802.1p priority in SVLAN tags, use the priority marking action as described in "Setting
the 802.1p priority in SVLAN tags."
For more information about VLAN mappings, see "Configuring VLAN mapping." For more
information about QoS, see ACL and QoS Configuration Guide.

218
Protocols and standards
• IEEE 802.1Q, IEEE Standard for Local and Metropolitan Area Networks-Virtual Bridged Local
Area Networks
• IEEE 802.1ad, IEEE Standard for Local and Metropolitan Area Networks-Virtual Bridged Local
Area Networks-Amendment 4: Provider Bridges

Restrictions and guidelines

When you configure QinQ, follow these restrictions and guidelines:
• The inner 802.1Q tag of QinQ frames is treated as part of the payload. As a best practice to
ensure correct transmission of QinQ frames, set the MTU to a minimum of 1504 bytes for each
port on their forwarding path. This value is the sum of the default Ethernet interface MTU (1500
bytes) and the length (4 bytes) of a VLAN tag.
• You can use a VLAN mapping, a QoS policy, and QinQ on a port for VLAN tag manipulation. If
their settings conflict, the configurations take effect based on their priorities in the following
descending order:
 QoS policy.
 VLAN mapping.
 QinQ.

Enabling QinQ
Enable QinQ on customer-side ports of PEs. A QinQ-enabled port tags an incoming frame with its
PVID.
Before you enable or disable QinQ on a port, you must remove any VLAN mappings on the port.
To enable QinQ:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Enable QinQ. qinq enable By default, QinQ is disabled.

Configuring transparent transmission for VLANs

You can exclude a VLAN (for example, the management VLAN) from the QinQ tagging action on a
customer-side port. This VLAN is called a transparent VLAN.
To ensure successful transmission for a transparent VLAN, follow these configuration guidelines:
• Set the link type of the port to trunk or hybrid, and assign the port to the transparent VLAN.
• Do not configure any other VLAN manipulation actions for the transparent VLAN on the port.
• Make sure all ports on the traffic path permit the transparent VLAN to pass through.
• If you use both transparent VLANs and VLAN mappings on an interface, the transparent VLANs
cannot be the following VLANs:
 Original or translated VLANs of one-to-one, many-to-one, and one-to-two VLAN mappings.

219
  Original or translated outer VLANs of two-to-two VLAN mappings.
To enable transparent transmission for a list of VLANs:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

Set the port link type. By default, the link type of a port is
3. port link-type { hybrid | trunk }
access.
• For the hybrid port: By default, a trunk port allows
4. Configure the port to allow port hybrid vlan vlan-id-list packets only from VLAN 1 to pass
packets from its PVID and { tagged | untagged } through. A hybrid port is an
the transparent VLANs to • For the trunk port: untagged member of the VLAN to
pass through. port trunk permit vlan which the port belongs when its
{ vlan-id-list | all } link type is access.

By default, transparent
5. Specify transparent VLANs. qinq transparent-vlan vlan-id-list transmission is not configured for
any VLANs.

Configuring the TPID for VLAN tags

TPID identifies a frame as an 802.1Q tagged frame. The TPID value varies by vendor. On an HPE
device, the TPID in the 802.1Q tag added on a QinQ-enabled port is 0x8100 by default, in
compliance with IEEE 802.1Q. In a multi-vendor network, make sure the TPID setting is the same
between directly connected devices so 802.1Q tagged frames can be identified correctly.
TPID settings include CVLAN TPID and SVLAN TPID.
A QinQ-enabled port uses the CVLAN TPID to match incoming tagged frames. An incoming frame is
handled as untagged if its TPID is different from the CVLAN TPID. The device does not modify the
TPID in CVLAN tags.
SVLAN TPIDs are configurable on a per-port basis. A service provider-side port uses the SVLAN
TPID to replace the TPID in outgoing frames' SVLAN tags and match incoming tagged frames. An
incoming frame is handled as untagged if the TPID in its outer VLAN tag is different from the SVLAN
TPID.
For example, a PE device is connected to a customer device that uses the TPID 0x8200 and to a
provider device that uses the TPID 0x9100. For correct packet processing, you must set the CVLAN
TPID and SVLAN TPID to 0x8200 and 0x9100 on the PE, respectively.
The TPID field is at the same position as the EtherType field in an untagged Ethernet frame. To
ensure correct packet type identification, do not set the TPID value to any of the values listed in Table
20.
Table 20 Reserved EtherType values

Protocol type Value

ARP 0x0806
PUP 0x0200
RARP 0x8035
IP 0x0800
IPv6 0x86dd

220
 Protocol type Value
PPPoE 0x8863/0x8864
MPLS 0x8847/0x8848
IPX/SPX 0x8137
IS-IS 0x8000
LACP 0x8809
LLDP 0x88cc
802.1X 0x888e
802.1ag 0x8902
Cluster 0x88a7
Reserved 0xfffd/0xfffe/0xffff

Configuring the TPID for CVLAN tags

Perform this task on the PE device.
To configure the TPID value for CVLAN tags:

Step Command Remarks

1. Enter system view. system-view N/A
2. Configure the TPID value for qinq ethernet-type
CVLAN tags. The default setting is 0x8100.
customer-tag hex-value

Configuring the TPID for SVLAN tags

Perform this task on the service provider-side ports of PEs.
When you configure the TPID value for SVLAN tags on a port, do not enable QinQ on it.
To configure the TPID value for SVLAN tags:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet
interface view or Layer 2 interface interface-type
N/A
aggregate interface view. interface-number

3. Configure the TPID value for qinq ethernet-type service-tag

SVLAN tags. The default setting is 0x8100.
hex-value

Setting the 802.1p priority in SVLAN tags

By default, the 802.1p priority in the SVLAN tag added by a QinQ-enabled port depends on the
priority trust mode on the port.
• If the 802.1p priority in frames is trusted, the device copies the 802.1p priority in the CVLAN tag
to the SVLAN tag.

221
• If the 802.1p priority in frames is not trusted, the device copies the port priority (0 by default) to
the SVLAN tag.
To set the 802.1p priority in SVLAN tags:

Step Command Remarks

1. Enter system view. system-view N/A
2. Create a traffic class and traffic classifier classifier-name [ operator By default, no traffic
enter its view. { and | or } ] classes exist.
• Match CVLAN IDs:
if-match customer-vlan-id vlan-id-list
3. Configure CVLAN match
criteria. • Match 802.1p priority: N/A
if-match customer-dot1p
dot1p-value&<1-8>
4. Return to system view. quit N/A
5. Create a traffic behavior By default, no traffic
and enter its view. traffic behavior behavior-name
behaviors exist.
• Replace the priority in the SVLAN tags of
matching frames with the configured
6. Configure a priority priority:
marking action for SVLAN remark dot1p dot1p-value N/A
tags. • Copy the 802.1p priority in the CVLAN
tag to the SVLAN tag:
remark dot1p customer-dot1p-trust
7. Return to system view. quit N/A
8. Create a QoS policy and By default, no QoS
enter its view. qos policy policy-name
policies exist.
9. Specify the traffic behavior
for the traffic class in the classifier classifier-name behavior
N/A
QoS policy. behavior-name

10. Return to system view. quit N/A

11. Enter Layer 2 Ethernet
interface view. interface interface-type interface-number N/A

By default, a port does

not trust the 802.1p
priority in frames.
12. Configure the port to trust This step is required if
the 802.1p priority in qos trust dot1p the remark dot1p
incoming frames. command is configured.
It is optional if the
remark dot1p
customer-dot1p-trust
command is configured.
13. Enable QinQ. qinq enable N/A
14. Apply the QoS policy to
the inbound direction of qos apply policy policy-name inbound N/A
the port.

For more information about QoS policies, see ACL and QoS Configuration Guide.

222
Displaying and maintaining QinQ
Execute display commands in any view.

Task Command
display qinq [ interface interface-type
Display QinQ-enabled ports.
interface-number ]

QinQ configuration examples

Basic QinQ configuration example
Network requirements
As shown in Figure 71:
• The service provider assigns VLAN 100 to Company A's VLANs 10 through 70.
• The service provider assigns VLAN 200 to Company B's VLANs 30 through 90.
• The devices between PE 1 and PE 2 in the service provider network use a TPID value of
0x8200.
Configure QinQ on PE 1 and PE 2 to transmit traffic in VLANs 100 and 200 for Company A and
Company B, respectively.
For the QinQ frames to be identified correctly, set the SVLAN TPID to 0x8200 on the service
provider-side ports of PE 1 and PE 2.
Figure 71 Network diagram
VLANs 30 to 90 VLANs 10 to 70

Site 3 CE3 CE4 Site 2

Company B Company A

GE1/0/3 GE1/0/3

GE1/0/2 GE1/0/2
PE1 VLANs 100 and 200 PE2
TPID = 0x 8200
GE1/0/1 GE1/0/1

Service provider network

Company A Company B
Site 1 CE1 CE2 Site 4

VLANs 10 to 70 VLANs 30 to 90

Configuration procedure
1. Configure PE 1:
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign it to VLAN 100.

223
 <PE1> system-view
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type trunk
[PE1-GigabitEthernet1/0/1] port trunk permit vlan 100
# Set the PVID of GigabitEthernet 1/0/1 to VLAN 100.
[PE1-GigabitEthernet1/0/1] port trunk pvid vlan 100
# Enable QinQ on GigabitEthernet 1/0/1.
[PE1-GigabitEthernet1/0/1] qinq enable
[PE1-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 200.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type trunk
[PE1-GigabitEthernet1/0/2] port trunk permit vlan 100 200
# Set the TPID value in the SVLAN tags to 0x8200 on GigabitEthernet 1/0/2.
[PE1-GigabitEthernet1/0/2] qinq ethernet-type service-tag 8200
[PE1-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 as a trunk port, and assign it to VLAN 200.
[PE1] interface gigabitethernet 1/0/3
[PE1-GigabitEthernet1/0/3] port link-type trunk
[PE1-GigabitEthernet1/0/3] port trunk permit vlan 200
# Set the PVID of GigabitEthernet 1/0/3 to VLAN 200.
[PE1-GigabitEthernet1/0/3] port trunk pvid vlan 200
# Enable QinQ on GigabitEthernet 1/0/3.
[PE1-GigabitEthernet1/0/3] qinq enable
[PE1-GigabitEthernet1/0/3] quit
2. Configure PE 2:
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign it to VLAN 200.
<PE2> system-view
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port link-type trunk
[PE2-GigabitEthernet1/0/1] port trunk permit vlan 200
# Set the PVID of GigabitEthernet 1/0/1 to VLAN 200.
[PE2-GigabitEthernet1/0/1] port trunk pvid vlan 200
# Enable QinQ on GigabitEthernet 1/0/1.
[PE2-GigabitEthernet1/0/1] qinq enable
[PE2-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 200.
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] port link-type trunk
[PE2-GigabitEthernet1/0/2] port trunk permit vlan 100 200
# Set the TPID value in the SVLAN tags to 0x8200 on GigabitEthernet 1/0/2.
[PE2-GigabitEthernet1/0/2] qinq ethernet-type service-tag 8200
[PE2-GigabitEthernet1/0/2] quit
# Configure GigabitEthernet 1/0/3 as a trunk port, and assign it to VLAN 100.
[PE2] interface gigabitethernet 1/0/3
[PE2-GigabitEthernet1/0/3] port link-type trunk
[PE2-GigabitEthernet1/0/3] port trunk permit vlan 100

224
 # Set the PVID of GigabitEthernet 1/0/3 to VLAN 100.
[PE2-GigabitEthernet1/0/3] port trunk pvid vlan 100
# Enable QinQ on GigabitEthernet 1/0/3.
[PE2-GigabitEthernet1/0/3] qinq enable
[PE2-GigabitEthernet1/0/3] quit
3. Configure the devices between PE 1 and PE 2:
# Set the MTU to a minimum of 1504 bytes for each port on the path of QinQ frames. (Details
not shown.)
# Configure all ports on the forwarding path to allow frames from VLANs 100 and 200 to pass
through without removing the VLAN tag. (Details not shown.)

VLAN transparent transmission configuration example

Network requirements
As shown in Figure 72:
• The service provider assigns VLAN 100 to a company's VLANs 10 through 50.
• VLAN 3000 is the dedicated VLAN of the company on the service provider network.
Configure QinQ on PE 1 and PE 2 to provide Layer 2 connectivity for CVLANs 10 through 50 over the
service provider network.
Configure VLAN transparent transmission for VLAN 3000 on PE 1 and PE 2 to enable the hosts in
VLAN 3000 to communicate without using an SVLAN.
Figure 72 Network diagram

PE 1 PE 2
GE1/0/2 GE1/0/2
VLANs 100 and 3000
GE1/0/1 GE1/0/1

Service provider network

Site 1 Site 2
CE 1 CE 2

VLANs 10 to 50, 3000 VLANs 10 to 50, 3000

Configuration procedure
1. Configure PE 1:
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign it to VLANs 100 and 3000.
<PE1> system-view
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-type trunk
[PE1-GigabitEthernet1/0/1] port trunk permit vlan 100 3000
# Set the PVID of GigabitEthernet 1/0/1 to VLAN 100.
[PE1-GigabitEthernet1/0/1] port trunk pvid vlan 100
# Enable QinQ on GigabitEthernet 1/0/1.
[PE1-GigabitEthernet1/0/1] qinq enable

225
 # Enable transparent transmission for VLAN 3000 on GigabitEthernet 1/0/1.
[PE1-GigabitEthernet1/0/1] qinq transparent-vlan 3000
[PE1-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 3000.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type trunk
[PE1-GigabitEthernet1/0/2] port trunk permit vlan 100 3000
[PE1-GigabitEthernet1/0/2] quit
2. Configure PE 2:
# Configure GigabitEthernet 1/0/1 as a trunk port, and assign it to VLANs 100 and 3000.
<PE2> system-view
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port link-type trunk
[PE2-GigabitEthernet1/0/1] port trunk permit vlan 100 3000
# Set the PVID of GigabitEthernet 1/0/1 to VLAN 100.
[PE1-GigabitEthernet1/0/1] port trunk pvid vlan 100
# Enable QinQ on GigabitEthernet 1/0/1.
[PE2-GigabitEthernet1/0/1] qinq enable
# Enable transparent transmission for VLAN 3000 on GigabitEthernet 1/0/1.
[PE2-GigabitEthernet1/0/1] qinq transparent-vlan 3000
[PE2-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, and assign it to VLANs 100 and 3000.
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] port link-type trunk
[PE2-GigabitEthernet1/0/2] port trunk permit vlan 100 3000
3. Configure the devices between PE 1 and PE 2:
# Set the MTU to a minimum of 1504 bytes for each port on the path of QinQ frames. (Details
not shown.)
# Configure all ports on the forwarding path to allow frames from VLANs 100 and 3000 to pass
through without removing the VLAN tag. (Details not shown.)

226
Configuring VLAN mapping
Overview
VLAN mapping re-marks VLAN tagged traffic with new VLAN IDs. Hewlett Packard Enterprise
provides the following types of VLAN mapping:
• One-to-one VLAN mapping—Replaces one VLAN tag with another.
• Many-to-one VLAN mapping—Replaces multiple VLAN tags with the same VLAN tag.
• One-to-two VLAN mapping—Tags single-tagged packets with an outer VLAN tag.
• Two-to-two VLAN mapping—Replaces the outer and inner VLAN IDs of double tagged traffic
with a new pair of VLAN IDs.

VLAN mapping application scenarios

One-to-one and many-to-one VLAN mapping
Figure 73 shows a typical application scenario of one-to-one and many-to-one VLAN mapping. The
scenario implements broadband Internet access for a community.

227
 Figure 73 Application scenario of one-to-one and many-to-one VLAN mapping
DHCP client

VLAN 1
PC

Home gateway
VLAN 2
VoD

VLAN 1 -> VLAN 101

VLAN 3 VLAN 2 -> VLAN 201
VoIP VLAN 3 -> VLAN 301

Wiring-closet
switch DHCP server
VLAN 1
PC VLAN 1 -> VLAN 102
VLAN 2 -> VLAN 202
VLAN 3 -> .VLAN 302
..
VLAN 2
VoD
Home gateway VLANs 101 and 102 -> VLAN 501
VLANs 201 and 202 -> VLAN 502
VLAN 3 VLANs 301 and .302 -> VLAN 503
VoIP ..
... ... ...
Campus switch ..
.
VLAN 1
PC
VLANs 199 and 200 -> VLAN 501
VLANs 299 and 300 -> VLAN 502
Home gateway VLANs 399 and 400 -> VLAN 503
VLAN 2
VoD ...
Distribution
VLAN 1 -> VLAN 199 network
VLAN 3 VLAN 2 -> VLAN 299
VoIP VLAN 3 -> VLAN 399

Wiring-closet
switch
VLAN 1
PC VLAN 1 -> VLAN 200
VLAN 2 -> VLAN 300
VLAN 3 -> VLAN 400

VLAN 2
VoD
Home gateway
VLAN 3
VoIP

As shown in Figure 73, the network is implemented as follows:

• Each home gateway uses different VLANs to transmit the PC, VoD, and VoIP services.
• To further subclassify each type of traffic by customer, configure one-to-one VLAN mapping on
the wiring-closet switches. This feature assigns a separate VLAN to each type of traffic from
each customer. The required total number of VLANs in the network can be very large.
• To prevent the maximum number of VLANs from being exceeded on the distribution layer
device, configure many-to-one VLAN mapping on the campus switch. This feature assigns the
same VLAN to the same type of traffic from different customers.
One-to-two and two-to-two VLAN mapping
Figure 74 shows a typical application scenario of one-to-two and two-to-two VLAN mapping. In this
scenario, the two remote sites of the same VPN must communicate across two SP networks.

228
 Figure 74 Application scenario of one-to-two and two-to-two VLAN mapping

One-to-two VLAN Two-to-two VLAN One-to-two VLAN

mapping mapping mapping

VLAN 10 VLAN 2 Data VLAN 20 VLAN 3 Data

PE 1 PE 2 PE 3 PE 4
SP 1 SP 2

VLAN 2 Data VLAN 3 Data

Traffic
VPN A VPN A
CE 1 Site 1 Site 2 CE 2

Site 1 and Site 2 are in VLAN 2 and VLAN 3, respectively. The SP 1 network assigns SVLAN 10 to
Site 1. The SP 2 network assigns SVLAN 20 to Site 2. When the packet from Site 1 arrives at PE 1,
PE 1 tags the packet with SVLAN 10 by using one-to-two VLAN mapping.
When the double-tagged packet from the SP 1 network arrives at the SP 2 network interface, PE 3
processes the packet as follows:
• Replaces SVLAN tag 10 with SVLAN tag 20.
• Replaces CVLAN tag 2 with CVLAN tag 3.
One-to-two VLAN mapping provides the following benefits:
• Enables a customer network to plan its CVLAN assignment without conflicting with SVLANs.
• Adds a VLAN tag to a tagged packet and expands the number of available VLANs to 4094 ×
4094.
• Reduces the stress on the SVLAN resources, which were 4094 VLANs in the SP network
before the mapping process was initiated.

VLAN mapping implementations

Figure 75 shows a simplified network that illustrates basic VLAN mapping terms.
Basic VLAN mapping terms include the following:
• Uplink traffic—Traffic transmitted from the customer network to the service provider network.
• Downlink traffic—Traffic transmitted from the service provider network to the customer
network.
• Network-side port—A port connected to or closer to the service provider network.
• Customer-side port—A port connected to or closer to the customer network.

229
 Figure 75 Basic VLAN mapping terms

SP

Network-side port
Customer-side port
Uplink traffic
Downlink traffic

One-to-one VLAN mapping

As shown in Figure 76, one-to-one VLAN mapping is implemented on the customer-side port and
replaces VLAN tags as follows:
• Replaces the CVLAN with the SVLAN for the uplink traffic.
• Replaces the SVLAN with the CVLAN for the downlink traffic.
Figure 76 One-to-one VLAN mapping implementation
One-to-one VLAN mapping

CVLAN Data SVLAN Data

Customer
SP network
network
CVLAN Data SVLAN Data

Network-side port Customer-side port Uplink traffic Downlink traffic

Many-to-one VLAN mapping

As shown in Figure 77, many-to-one VLAN mapping is implemented on both the customer-side and
network-side ports as follows:
• For the uplink traffic, the customer-side many-to-one VLAN mapping replaces multiple CVLANs
with the same SVLAN.
• For the downlink traffic, the network-side many-to-one VLAN mapping replaces the SVLAN with
the CVLAN found in the DHCP or ARP snooping table. For more information about DHCP and
ARP snooping, see Layer 3—IP Services Configuration Guide.

230
 Figure 77 Many-to-one VLAN mapping implementation
Customer- Network-side
side many-to- many-to-one
CVLAN 1 Data one VLAN VLAN SVLAN Data
.. mapping mapping ..
. .

CVLAN n Data SVLAN Data

User network SP network

CVLAN Data SVLAN Data

DHCP snooping or ARP snooping table lookup

Network-side port Customer-side port Uplink traffic Downlink traffic

One-to-two VLAN mapping

As shown in Figure 78, one-to-two VLAN mapping is implemented on the customer-side port to add
the SVLAN tag for the uplink traffic.
For the downlink traffic to be correctly sent to the customer network, make sure the SVLAN tag is
removed on the customer-side port before transmission. Use one of the following methods to remove
the SVLAN tag from the downlink traffic:
• Configure the customer-side port as a hybrid port and assign the port to the SVLAN as an
untagged member.
• Configure the customer-side port as a trunk port and set the port PVID to the SVLAN.
Figure 78 One-to-two VLAN mapping implementation
One-to-two
VLAN mapping
to add the
SVLAN tag to
uplink traffic

CVLAN Data SVLAN CVLAN Data

Customer
SP network
network
CVLAN Data SVLAN CVLAN Data

Remove the SVLAN tag from downlink

traffic

Network-side port Customer-side port Uplink traffic Downlink traffic

Two-to-two VLAN mapping

As shown in Figure 79, two-to-two VLAN mapping is implemented on the customer-side port and
replaces VLAN tags as follows:
• Replaces the CVLAN and the SVLAN with the CVLAN' and the SVLAN' for the uplink traffic.
• Replaces the SVLAN' and CVLAN' with the SVLAN and the CVLAN for the downlink traffic.

231
 Figure 79 Two-to-two VLAN mapping implementation
2:2 VLAN mapping

SVLAN CVLAN Data SVLAN’ CVLAN’ Data

SP1 network SP2 network

SVLAN CVLAN Data SVLAN’ CVLAN’ Data

Network-side port Customer-side port Uplink traffic Downlink traffic

VLAN mapping configuration task list

When you configure VLAN mapping, follow these guidelines:
• To add VLAN tags to packets, you can configure both VLAN mapping and QinQ. VLAN mapping
takes effect if a configuration conflict occurs. For more information about QinQ, see
"Configuring QinQ."
• To add or replace VLAN tags for packets, you can configure both VLAN mapping and a QoS
policy. The QoS policy takes effect if a configuration conflict occurs. For information about QoS
policies, see ACL and QoS Configuration Guide.
• The following features are mutually exclusive with one another on a Layer 2 Ethernet interface
or Layer 2 aggregate interface:
 VLAN mapping.
 Binding an Ethernet service instance to a VSI or to an MPLS L2VPN cross-connect.
Do not configure these features simultaneously on the same interface. Otherwise, the features
cannot take effect.

IMPORTANT:
Use the appropriate VLAN mapping methods for the devices in the network.

To configure VLAN mapping:

Tasks at a glance Remarks

Configure one-to-one VLAN mapping on the
Configuring one-to-one VLAN mapping
wiring-closet switch, as shown in Figure 73.
Configuring many-to-one VLAN mapping
• Configuring many-to-one VLAN mapping in a
Configure many-to-one VLAN mapping on the
network with dynamic IP address assignment
campus switch, as shown in Figure 73.
• Configuring many-to-one VLAN mapping in a
network with static IP address assignment
Configure one-to-two VLAN mapping on PE 1 and
PE 4, as shown in Figure 74, through which traffic
Configuring one-to-two VLAN mapping
from customer networks enters the service provider
networks.
Configure two-to-two VLAN mapping on PE 3, as
Configuring two-to-two VLAN mapping shown in Figure 74, which is an edge device of the
SP 2 network.

232
Configuring one-to-one VLAN mapping
Configure one-to-one VLAN mapping on the customer-side ports of wiring-closet switches (see
Figure 73) to isolate traffic of the same service type from different homes.
Before you configure one-to-one VLAN mapping, create the original VLAN and the translated VLAN.
To configure one-to-one VLAN mapping:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 N/A
aggregate interface view. • Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
• Set the port link type to trunk:
3. Set the link type of the port.
port link-type trunk By default, the link type of a
• Set the port link type to hybrid: port is access.
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the original vlan-id-list
VLANs and the translated N/A
VLANs. • For the hybrid port:
port hybrid vlan vlan-id-list
tagged
5. Configure a one-to-one VLAN vlan mapping vlan-id By default, no VLAN mapping
mapping. translated-vlan vlan-id is configured on an interface.

Configuring many-to-one VLAN mapping

Configure many-to-one VLAN mapping on campus switches (see Figure 73) to transmit the same
type of traffic from different users in one VLAN.

Configuring many-to-one VLAN mapping in a network with

dynamic IP address assignment
In a network that uses dynamic address assignment, configure many-to-one VLAN mapping with
DHCP snooping.
The switch replaces the SVLAN tag of the downlink traffic with the associated CVLAN tag based on
the DHCP snooping entry lookup.
Configuration restrictions and guidelines
When you configure many-to-one VLAN mapping in a network that uses dynamic address
assignment, follow these restrictions and guidelines:
• Before you configure many-to-one VLAN mapping, create the original VLANs and the
translated VLANs.

233
 • To ensure correct traffic forwarding from the service provider network to the customer network,
do not configure many-to-one VLAN mapping together with uRPF. For more information about
uRPF, see Security Configuration Guide.
• To modify many-to-one VLAN mappings, first use the reset dhcp snooping binding command
to clear the DHCP snooping entries.
Many-to-one VLAN mapping configuration task list

Tasks at a glance
Enabling DHCP snooping
Enabling ARP detection
Configuring the customer-side port
Configuring the network-side port

Enabling DHCP snooping

Step Command Remarks

1. Enter system view. system-view N/A
By default, DHCP snooping is disabled.
2. Enable DHCP For more information about DHCP snooping
snooping. dhcp snooping enable
configuration commands, see Layer 3—IP
Services Command Reference.

Enabling ARP detection

Enable ARP detection for the original VLANs and the translated VLANs.
To enable ARP detection:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter VLAN view. vlan vlan-id N/A
By default, ARP detection is disabled.
3. Enable ARP detection. arp detection enable For more information about ARP detection
configuration commands, see Security Command
Reference.

Configuring the customer-side port

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet
interface view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 N/A
aggregate interface view. • Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
• Set the port link type to trunk:
3. Set the link type of the port. port link-type trunk By default, the link type of a
port is access.
• Set the port link type to hybrid:

234
 Step Command Remarks
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the original vlan-id-list
VLANs and the translated N/A
VLANs. • For the hybrid port:
port hybrid vlan vlan-id-list
tagged

Configure a many-to-one vlan mapping uni { range

5. By default, no VLAN mapping
VLAN mapping. vlan-range-list | single vlan-id-list }
is configured on an interface.
translated-vlan vlan-id

6. Enable DHCP snooping entry By default, DHCP snooping

recording. dhcp snooping binding record entry recording is disabled on
an interface.

Configuring the network-side port

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 N/A
aggregate interface view. • Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
• Set the port link type to trunk:
3. Set the link type of the port.
port link-type trunk By default, the link type of a
• Set the port link type to hybrid: port is access.
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the vlan-id-list
translated VLANs. N/A
• For the hybrid port:
port hybrid vlan vlan-id-list
tagged
By default, all ports that
5. Configure the port as a support DHCP snooping are
DHCP snooping trusted port. dhcp snooping trust
untrusted ports when DHCP
snooping is enabled.
6. Configure the port as an ARP By default, all ports are ARP
trusted port. arp detection trust
untrusted ports.
7. Configure the port to use the
original VLAN tags of the By default, the port does not
many-to-one mapping to replace the VLAN tags of the
replace the VLAN tags of the vlan mapping nni
packets destined for the user
packets destined for the user network.
network.

235
Configuring many-to-one VLAN mapping in a network with
static IP address assignment
In a network that uses static IP addresses, configure many-to-one VLAN mapping with ARP
snooping.
The switch replaces the SVLAN tag of the downlink traffic with the associated CVLAN tag based on
the ARP snooping entry lookup.
Configuration restrictions and guidelines
When you configure many-to-one VLAN mapping in a network that uses static address assignment,
follow these restrictions and guidelines:
• Before you configure many-to-one VLAN mapping, create the original VLANs and the
translated VLANs.
• Make sure hosts in different CVLANs do not use the same IP address.
• When an IP address is no longer associated with the MAC address and VLAN in an ARP
snooping entry, wait for this entry to be aged out. You can also use the reset arp snooping ip
ip-address command to clear the entry.
• Before you modify many-to-one VLAN mapping, use the reset arp snooping vlan vlan-id
command to clear the ARP snooping entries in each CVLAN.
• To ensure correct traffic forwarding from the service provider network to the customer network,
do not configure many-to-one VLAN mapping together with uRPF. For more information about
uRPF, see Security Configuration Guide.
Configuration task list

Tasks at a glance
Enabling ARP snooping
Configuring the customer-side port
Configuring the network-side port

Enabling ARP snooping

Enable ARP snooping for the original VLANs and the translated VLANs.
To enable ARP snooping:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter VLAN view. vlan vlan-id N/A
By default, ARP snooping is disabled.
3. Enable ARP snooping. arp snooping enable For more information about ARP
snooping commands, see Layer 3—IP
Services Command Reference.

Configuring the customer-side port

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2 Ethernet • Enter Layer 2 Ethernet
interface view or Layer 2 interface view: N/A
aggregate interface view. interface interface-type

236
 Step Command Remarks
interface-number
• Enter Layer 2 aggregate
interface view:
interface
bridge-aggregation
interface-number
• Set the port link type to trunk:
port link-type trunk
Set the link type of the port. By default, the link type of a port is
3. • Set the port link type to
access.
hybrid:
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the original vlan-id-list
VLANs and the translated N/A
VLANs. • For the hybrid port:
port hybrid vlan vlan-id-list
tagged
vlan mapping uni { range
5. Configure a many-to-one vlan-range-list | single By default, no VLAN mapping is
VLAN mapping. vlan-id-list } translated-vlan configured on an interface.
vlan-id

Configuring the network-side port

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet
interface view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 • Enter Layer 2 aggregate N/A
aggregate interface view. interface view:
interface
bridge-aggregation
interface-number
• Set the port link type to trunk:
port link-type trunk
Set the link type of the port. By default, the link type of a port is
3. • Set the port link type to
access.
hybrid:
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the vlan-id-list
translated VLANs. N/A
• For the hybrid port:
port hybrid vlan vlan-id-list
tagged
5. Configure the port to use the
original VLAN tags of the By default, the port does not
many-to-one mapping to replace the VLAN tags of the
replace the VLAN tags of the vlan mapping nni
packets destined for the user
packets destined for the user network.
network.

237
Configuring one-to-two VLAN mapping
Configure one-to-two VLAN mapping on the customer-side ports of edge devices from which
customer traffic enters SP networks, for example, on PEs 1 and 4 in Figure 74. One-to-two VLAN
mapping enables the edge devices to add an SVLAN tag to each incoming packet.
Before you configure one-to-two VLAN mapping, create the CVLAN and the SVLAN.
The MTU of an interface is 1500 bytes by default. After a VLAN tag is added to a packet, the packet
length is added by 4 bytes. As a best practice, set the MTU to a minimum of 1504 bytes for ports on
the forwarding path of the packet in the service provider network.
To configure one-to-two VLAN mapping:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 N/A
aggregate interface view. • Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
• Set the port link type to trunk:
3. Set the link type of the port.
port link-type trunk By default, the link type of a
• Set the port link type to hybrid: port is access.
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the vlan-id-list
CVLANs. N/A
• For the hybrid port:
port hybrid vlan vlan-id-list
{ tagged | untagged }
• For the trunk port:
a. Configure the SVLAN as the
PVID of the trunk port:
port trunk pvid vlan vlan-id
5. Configure the port to allow b. Assign the trunk port to the
packets from the SVLAN to SVLAN: N/A
pass through untagged. port trunk permit vlan
{ vlan-id-list | all }
• For the hybrid port:
port hybrid vlan vlan-id-list
untagged
By default, no VLAN mapping
is configured on an interface.
Only one SVLAN tag can be
6. Configure a one-to-two VLAN vlan mapping nest { range added to packets from the
mapping. vlan-range-list | single vlan-id-list } same CVLAN. To add
nested-vlan vlan-id different SVLAN tags to
different CVLAN packets, set
the port link type to hybrid and
repeat this command.

238
Configuring two-to-two VLAN mapping
Configure two-to-two VLAN mapping on the customer-side port of an edge device that connects two
SP networks, for example, on PE 3 in Figure 74. Two-to-two VLAN mapping enables two sites in
different VLANs to communicate at Layer 2 across two service provider networks that use different
VLAN assignment schemes.
Before you configure two-to-two VLAN mapping, create the original VLANs and the translated
VLANs.
To configure two-to-two VLAN mapping:

Step Command Remarks

1. Enter system view. system-view N/A
• Enter Layer 2 Ethernet interface
view:
interface interface-type
2. Enter Layer 2 Ethernet interface-number
interface view or Layer 2 N/A
aggregate interface view. • Enter Layer 2 aggregate
interface view:
interface bridge-aggregation
interface-number
• Set the port link type to trunk:
3. Set the link type of the port.
port link-type trunk By default, the link type of a
• Set the port link type to hybrid: port is access.
port link-type hybrid
• For the trunk port:
port trunk permit vlan
4. Assign the port to the original vlan-id-list
VLANs and the translated N/A
VLANs. • For the hybrid port:
port hybrid vlan vlan-id-list
tagged

Configure a two-to-two VLAN vlan mapping tunnel outer-vlan-id

5. By default, no VLAN mapping
mapping. inner-vlan-id translated-vlan
is configured on an interface.
outer-vlan-id inner-vlan-id

Displaying and maintaining VLAN mapping

Execute display commands in any view.

Task Command
Display VLAN mapping information. display vlan mapping [ interface interface-type interface-number ]

VLAN mapping configuration examples

One-to-one and many-to-one VLAN mapping configuration
example
Network requirements
As shown in Figure 80:

239
• Each household subscribes to PC, VoD, and VoIP services, and obtains the IP address through
DHCP.
• On the home gateways, VLANs 1, 2, and 3 are assigned to PC, VoD, and VoIP traffic,
respectively.
To isolate traffic of the same service type from different households, configure one-to-one VLAN
mappings on the wiring-closet switches. This feature assigns one VLAN to each type of traffic from
each household.
To save VLAN resources, configure many-to-one VLAN mappings on the campus switch (Switch C).
This feature transmits the same type of traffic from different households in one VLAN. Use VLANs
501, 502, and 503 for PC, VoD, and VoIP traffic, respectively.
Table 21 VLAN mappings for each service

VLANs on home VLANs on wiring-closet switches VLANs on campus

Service
gateways (Switch A and Switch B) switch (Switch C)
PC VLAN 1 VLANs 101, 102, 103, 104 VLAN 501
VoD VLAN 2 VLANs 201, 202, 203, 204 VLAN 502
VoIP VLAN 3 VLANs 301, 302, 303, 304 VLAN 503

240
 Figure 80 Network diagram
DHCP client

VLAN 1
PC

Home gateway
VLAN 2
VoD

VLAN 1 -> VLAN 101

VLAN 3 VLAN 2 -> VLAN 201
VoIP GE1/0/1 VLAN 3 -> VLAN 301

Wiring-closet GE1/0/3
Switch A
VLAN 1 GE1/0/2
PC VLAN 1 -> VLAN 102 DHCP server
VLAN 2 -> VLAN 202
VLAN 3 -> VLAN 302

VLAN 2
VoD
Home gateway VLANs 101–102 -> VLAN 501
VLAN 3 VLANs 201–202 -> VLAN 502
VoIP GE1/0/1 VLANs 301–302 -> VLAN 503
Campus switch GE1/0/3 GE1/0/1
Switch D
Switch C
VLAN 1 GE1/0/2 VLANs 103–104 -> VLAN 501
PC
VLANs 203–204 -> VLAN 502
Home gateway VLANs 303–304 -> VLAN 503
VLAN 2
VoD
Distribution
VLAN 1 -> VLAN 103 network
VLAN 3 VLAN 2 -> VLAN 203
VoIP GE1/0/1 VLAN 3 -> VLAN 303

Wiring-closet GE1/0/3
Switch B
VLAN 1 GE1/0/2
PC VLAN 1 -> VLAN 104
VLAN 2 -> VLAN 204
VLAN 3 -> VLAN 304

VLAN 2
VoD
Home gateway
VLAN 3
VoIP

Configuration procedure
1. Configure Switch A:
# Create the original VLANs.
<SwitchA> system-view
[SwitchA] vlan 2 to 3
# Create the translated VLANs.
[SwitchA] vlan 101 to 102
[SwitchA] vlan 201 to 202
[SwitchA] vlan 301 to 302
# Configure customer-side port GigabitEthernet 1/0/1 as a trunk port.
<SwitchA> system-view
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk

241
 # Assign GigabitEthernet 1/0/1 to all original VLANs and translated VLANs.
[SwitchA-GigabitEthernet1/0/1] port trunk permit vlan 1 2 3 101 201 301
# Configure one-to-one VLAN mappings on GigabitEthernet 1/0/1 to map VLANs 1, 2, and 3 to
VLANs 101, 201, and 301, respectively.
[SwitchA-GigabitEthernet1/0/1] vlan mapping 1 translated-vlan 101
[SwitchA-GigabitEthernet1/0/1] vlan mapping 2 translated-vlan 201
[SwitchA-GigabitEthernet1/0/1] vlan mapping 3 translated-vlan 301
[SwitchA-GigabitEthernet1/0/1] quit
# Configure customer-side port GigabitEthernet 1/0/2 as a trunk port.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
# Assign GigabitEthernet 1/0/2 to all original VLANs and translated VLANs.
[SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 1 2 3 102 202 302
# Configure one-to-one VLAN mappings on GigabitEthernet 1/0/2 to map VLANs 1, 2, and 3 to
VLANs 102, 202, and 302, respectively.
[SwitchA-GigabitEthernet1/0/2] vlan mapping 1 translated-vlan 102
[SwitchA-GigabitEthernet1/0/2] vlan mapping 2 translated-vlan 202
[SwitchA-GigabitEthernet1/0/2] vlan mapping 3 translated-vlan 302
[SwitchA-GigabitEthernet1/0/2] quit
# Configure the network-side port (GigabitEthernet 1/0/3) as a trunk port.
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
# Assign GigabitEthernet 1/0/3 to the translated VLANs.
[SwitchA-GigabitEthernet1/0/3] port trunk permit vlan 101 201 301 102 202 302
[SwitchA-GigabitEthernet1/0/3] quit
2. Configure Switch B in the same way Switch A is configured. (Details not shown.)
3. Configure Switch C:
# Enable DHCP snooping.
<SwitchC> system-view
[SwitchC] dhcp snooping enable
# Create the original VLANs and translated VLANs, and enable ARP detection for these
VLANs.
[SwitchC] vlan 101
[SwitchC-vlan101] arp detection enable
[SwitchC-vlan101] vlan 201
[SwitchC-vlan201] arp detection enable
[SwitchC-vlan201] vlan 301
[SwitchC-vlan301] arp detection enable
[SwitchC-vlan301] vlan 102
[SwitchC-vlan102] arp detection enable
[SwitchC-vlan102] vlan 202
[SwitchC-vlan202] arp detection enable
[SwitchC-vlan202] vlan 302
[SwitchC-vlan302] arp detection enable
[SwitchC-vlan302] vlan 103
[SwitchC-vlan103] arp detection enable
[SwitchC-vlan103] vlan 203
[SwitchC-vlan203] arp detection enable

242
[SwitchC-vlan203] vlan 303
[SwitchC-vlan303] arp detection enable
[SwitchC-vlan303] vlan 104
[SwitchC-vlan104] arp detection enable
[SwitchC-vlan104] vlan 204
[SwitchC-vlan204] arp detection enable
[SwitchC-vlan204] vlan 304
[SwitchC-vlan304] arp detection enable
[SwitchC-vlan304] vlan 501
[SwitchC-vlan501] arp detection enable
[SwitchC-vlan501] vlan 502
[SwitchC-vlan502] arp detection enable
[SwitchC-vlan502] vlan 503
[SwitchC-vlan503] arp detection enable
[SwitchC-vlan503] quit
# Configure customer-side port GigabitEthernet 1/0/1 as a trunk port.
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] port link-type trunk
# Assign GigabitEthernet 1/0/1 to all original VLANs and translated VLANs.
[SwitchC-GigabitEthernet1/0/1] port trunk permit vlan 101 102 201 202 301 302 501 to
503
# Configure many-to-one VLAN mappings on GigabitEthernet 1/0/1 to map VLANs for PC, VoD,
and VoIP traffic to VLANs 501, 502, and 503, respectively.
[SwitchC-GigabitEthernet1/0/1] vlan mapping uni range 101 to 102 translated-vlan 501
[SwitchC-GigabitEthernet1/0/1] vlan mapping uni range 201 to 202 translated-vlan 502
[SwitchC-GigabitEthernet1/0/1] vlan mapping uni range 301 to 302 translated-vlan 503
# Enable DHCP snooping entry recording on GigabitEthernet 1/0/1.
[SwitchC-GigabitEthernet1/0/1] dhcp snooping binding record
[SwitchC-GigabitEthernet1/0/1] quit
# Configure customer-side port GigabitEthernet 1/0/2 as a trunk port.
[SwitchC] interface gigabitethernet 1/0/2
[SwitchC-GigabitEthernet1/0/2] port link-type trunk
# Assign GigabitEthernet 1/0/2 to all original VLANs and translated VLANs.
[SwitchC-GigabitEthernet1/0/2] port trunk permit vlan 103 104 203 204 303 304 501 to
503
# Configure many-to-one VLAN mappings on GigabitEthernet 1/0/2 to map VLANs for PC, VoD,
and VoIP traffic to VLANs 501, 502, and 503, respectively.
[SwitchC-GigabitEthernet1/0/2] vlan mapping uni range 103 to 104 translated-vlan 501
[SwitchC-GigabitEthernet1/0/2] vlan mapping uni range 203 to 204 translated-vlan 502
[SwitchC-GigabitEthernet1/0/2] vlan mapping uni range 303 to 304 translated-vlan 503
# Enable recording of client information in DHCP snooping entries on GigabitEthernet 1/0/2.
[SwitchC-GigabitEthernet1/0/2] dhcp snooping binding record
[SwitchC-GigabitEthernet1/0/2] quit
# Configure the network-side port (GigabitEthernet 1/0/3) to use the original VLAN tags of the
many-to-one mappings to replace the VLAN tags of the packets destined for the user network.
[SwitchC] interface gigabitethernet 1/0/3
[SwitchC-GigabitEthernet1/0/3] vlan mapping nni
# Configure the network-side port GigabitEthernet 1/0/3 as a trunk port.

243
 [SwitchC-GigabitEthernet1/0/3] port link-type trunk
# Assign GigabitEthernet 1/0/3 to the translated VLANs.
[SwitchC-GigabitEthernet1/0/3] port trunk permit vlan 501 to 503
# Configure GigabitEthernet 1/0/3 as a DHCP snooping trusted and ARP trusted port.
[SwitchC-GigabitEthernet1/0/3] dhcp snooping trust
[SwitchC-GigabitEthernet1/0/3] arp detection trust
[SwitchC-GigabitEthernet1/0/3] quit
4. Configure Switch D:
# Create the translated VLANs.
<SwitchD> system-view
[SwitchD] vlan 501 to 503
# Configure GigabitEthernet 1/0/1 as a trunk port.
<SwitchD> system-view
[SwitchD] interface gigabitethernet 1/0/1
[SwitchD-GigabitEthernet1/0/1] port link-type trunk
# Assign GigabitEthernet 1/0/1 to the translated VLANs.
[SwitchD-GigabitEthernet1/0/1] port trunk permit vlan 501 to 503
[SwitchD-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify VLAN mapping information on the wiring-closet switches, for example, Switch A.
[SwitchA] display vlan mapping
Interface GigabitEthernet1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
1 N/A 101 N/A
2 N/A 201 N/A
3 N/A 301 N/A
Interface GigabitEthernet1/0/2:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
1 N/A 102 N/A
2 N/A 202 N/A
3 N/A 302 N/A

# Verify VLAN mapping information on Switch C.

[SwitchC] display vlan mapping
Interface GigabitEthernet1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
101-102 N/A 501 N/A
201-202 N/A 502 N/A
301-302 N/A 503 N/A
Interface GigabitEthernet1/0/2:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
103-104 N/A 501 N/A
203-204 N/A 502 N/A
303-304 N/A 503 N/A

244
One-to-two and two-to-two VLAN mapping configuration
example
Network requirements
As shown in Figure 81:
• Two VPN A branches, Site 1 and Site 2, are in VLAN 5 and VLAN 6, respectively.
• The two sites use different VPN access services from different service providers, SP 1 and SP
2.
• SP 1 assigns VLAN 100 to Site 1 and Site 2. SP 2 assigns VLAN 200 to Site 1 and Site 2.
Configure one-to-two VLAN mappings and two-to-two VLAN mappings to enable the two branches
to communicate across networks SP 1 and SP 2.
Figure 81 Network diagram

SP 1 SP 2
PE 1 PE 2 PE 3 PE 4
GE1/0/2 GE1/0/1 GE1/0/2 GE1/0/1 GE1/0/2 GE1/0/1

GE1/0/1 VLAN 100 VLAN 5 Data VLAN 200 VLAN 6 Data GE1/0/2

VLAN 5 Data VLAN 6 Data

VPN A VPN A CE 2
CE 1
Site 1 Site 2

Configuration procedure
1. Configure PE 1:
# Create VLANs 5 and 100.
<PE1> system-view
[PE1] vlan 5
[PE1-vlan5] quit
[PE1] vlan 100
[PE1-vlan100] quit
# Configure a one-to-two VLAN mapping on the customer-side port (GigabitEthernet 1/0/1) to
add SVLAN tag 100 to packets from VLAN 5.
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] vlan mapping nest single 5 nested-vlan 100
# Configure GigabitEthernet 1/0/1 as a hybrid port.
[PE1-GigabitEthernet1/0/1] port link-type hybrid
# Assign GigabitEthernet 1/0/1 to VLAN 5 as a tagged member.
[PE1-GigabitEthernet1/0/1] port hybrid vlan 5 tagged
# Assign GigabitEthernet 1/0/1 to VLAN 100 as an untagged member.
[PE1-GigabitEthernet1/0/1] port hybrid vlan 100 untagged
[PE1-GigabitEthernet1/0/1] quit

245
 # Configure the network-side port (GigabitEthernet 1/0/2) as a trunk port.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type trunk
# Assign GigabitEthernet 1/0/2 to VLAN 100.
[PE1-GigabitEthernet1/0/2] port trunk permit vlan 100
[PE1-GigabitEthernet1/0/2] quit
2. Configure PE 2:
# Create VLAN 100.
<PE2> system-view
[PE2] vlan 100
[PE2-vlan100] quit
# Configure GigabitEthernet 1/0/1 as a trunk port.
[PE2] interface gigabitethernet 1/0/1
[PE2-GigabitEthernet1/0/1] port link-type trunk
# Assign GigabitEthernet 1/0/1 to VLAN 100.
[PE2-GigabitEthernet1/0/1] port trunk permit vlan 100
[PE2-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port.
[PE2] interface gigabitethernet 1/0/2
[PE2-GigabitEthernet1/0/2] port link-type trunk
# Assign GigabitEthernet 1/0/2 to VLAN 100.
[PE2-GigabitEthernet1/0/2] port trunk permit vlan 100
[PE2-GigabitEthernet1/0/2] quit
3. Configure PE 3:
# Create VLANs 5, 6, 100, and 200.
<PE3> system-view
[PE3] vlan 5 to 6
[PE3] vlan 100
[PE3-vlan100] quit
[PE3] vlan 200
[PE3-vlan200] quit
# Configure GigabitEthernet 1/0/1 as a trunk port.
[PE3] interface gigabitethernet 1/0/1
[PE3-GigabitEthernet1/0/1] port link-type trunk
# Assign GigabitEthernet 1/0/1 to VLANs 100 and 200.
[PE3-GigabitEthernet1/0/1] port trunk permit vlan 100 200
# Configure a two-to-two VLAN mapping on GigabitEthernet 1/0/1 to map SVLAN 100 and
CVLAN 5 to SVLAN 200 and CVLAN 6.
[PE3-GigabitEthernet1/0/1] vlan mapping tunnel 100 5 translated-vlan 200 6
[PE3-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port.
[PE3] interface gigabitethernet 1/0/2
[PE3-GigabitEthernet1/0/2] port link-type trunk
# Assign GigabitEthernet 1/0/2 to VLAN 200.
[PE3-GigabitEthernet1/0/2] port trunk permit vlan 200
[PE3-GigabitEthernet1/0/2] quit
4. Configure PE 4:

246
 # Create VLANs 6 and 200.
<PE4> system-view
[PE4] vlan 6
[PE4-vlan6] quit
[PE4] vlan 200
[PE4-vlan200] quit
# Configure the network-side port (GigabitEthernet 1/0/1) as a trunk port.
[PE4] interface gigabitethernet 1/0/1
[PE4-GigabitEthernet1/0/1] port link-type trunk
# Assign GigabitEthernet 1/0/1 to VLAN 200.
[PE4-GigabitEthernet1/0/1] port trunk permit vlan 200
[PE4-GigabitEthernet1/0/1] quit
# Configure the customer-side port (GigabitEthernet 1/0/2) as a hybrid port.
[PE4] interface gigabitethernet 1/0/2
[PE4-GigabitEthernet1/0/2] port link-type hybrid
# Assign GigabitEthernet 1/0/2 to VLAN 6 as a tagged member.
[PE4-GigabitEthernet1/0/2] port hybrid vlan 6 tagged
# Assign GigabitEthernet 1/0/2 to VLAN 200 as an untagged member.
[PE4-GigabitEthernet1/0/2] port hybrid vlan 200 untagged
# Configure a one-to-two VLAN mapping on GigabitEthernet 1/0/2 to add SVLAN tag 200 to
packets from VLAN 6.
[PE4-GigabitEthernet1/0/2] vlan mapping nest single 6 nested-vlan 200
[PE4-GigabitEthernet1/0/2] quit

Verifying the configuration

# Verify VLAN mapping information on PE 1.
[PE1] display vlan mapping
Interface GigabitEthernet1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
5 N/A 100 5

# Verify VLAN mapping information on PE 3.

[PE3] display vlan mapping
Interface GigabitEthernet1/0/1:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
100 5 200 6

# Verify VLAN mapping information on PE 4.

[PE4] display vlan mapping
Interface GigabitEthernet1/0/2:
Outer VLAN Inner VLAN Translated Outer VLAN Translated Inner VLAN
6 N/A 200 6

247
Configuring LLDP
Overview
In a heterogeneous network, a standard configuration exchange platform ensures that different
types of network devices from different vendors can discover one another and exchange
configuration.
The Link Layer Discovery Protocol (LLDP) is specified in IEEE 802.1AB. The protocol operates on
the data link layer to exchange device information between directly connected devices. With LLDP, a
device sends local device information as TLV (type, length, and value) triplets in LLDP Data Units
(LLDPDUs) to the directly connected devices. Local device information includes its system
capabilities, management IP address, device ID, port ID, and so on. The device stores the device
information in LLDPDUs from the LLDP neighbors in a standard MIB. For more information about
MIBs, see Network Management and Monitoring Configuration Guide. LLDP enables a network
management system to quickly detect and identify Layer 2 network topology changes.

Basic concepts
LLDP agent
An LLDP agent is a mapping of an entity where LLDP runs. Multiple LLDP agents can run on the
same interface.
LLDP agents are divided into the following types:
• Nearest bridge agent.
• Nearest customer bridge agent.
• Nearest non-TPMR bridge agent.
A Two-port MAC Relay (TPMR) is a type of bridge that has only two externally-accessible bridge
ports. It supports a subset of the features of a MAC bridge. A TPMR is transparent to all frame-based
media-independent protocols except for the following protocols:
• Protocols destined to it.
• Protocols destined to reserved MAC addresses that the relay feature of the TPMR is configured
not to forward.
LLDP exchanges packets between neighbor agents and creates and maintains neighbor information
for them. Figure 82 shows the neighbor relationships for these LLDP agents. LLDP has two bridge
modes: customer bridge (CB) and service bridge (SB).
Figure 82 LLDP neighbor relationships
Nearest Nearest
customer customer
bridge bridge

Nearest non- Nearest non- Nearest non- Nearest non-

TPMR bridge TPMR bridge TPMR bridge TPMR bridge

Nearest bridge Nearest bridge Nearest bridge Nearest bridge

GE1/0/1 GE1/0/2 GE1/0/3 GE1/0/4

CB 1 SB 1 CB 2

248
LLDP frame formats
LLDP sends device information in LLDP frames. LLDP frames are encapsulated in Ethernet II or
Subnetwork Access Protocol (SNAP) frames.
• LLDP frame encapsulated in Ethernet II
Figure 83 Ethernet II-encapsulated LLDP frame
0 15 31
Destination MAC address

Source MAC address

Type

Data = LLDPDU
(1500 bytes)

FCS

Table 22 Fields in an Ethernet II-encapsulated LLDP frame

Field Description
MAC address to which the LLDP frame is advertised. LLDP specifies
different multicast MAC addresses as destination MAC addresses for
LLDP frames destined for agents of different types. This helps
distinguish between LLDP frames sent and received by different agent
types on the same interface. The destination MAC address is fixed to
one of the following multicast MAC addresses:
Destination MAC address • 0x0180-c200-000E for LLDP frames destined for nearest bridge
agents.
• 0x0180-c200-0000 for LLDP frames destined for nearest customer
bridge agents.
• 0x0180-c200-0003 for LLDP frames destined for nearest
non-TPMR bridge agents.

Source MAC address MAC address of the sending port.

Type Ethernet type for the upper-layer protocol. This field is 0x88CC for LLDP.
Data LLDPDU.
Frame check sequence, a 32-bit CRC value used to determine the
FCS
validity of the received Ethernet frame.

• LLDP frame encapsulated in SNAP

249
 Figure 84 SNAP-encapsulated LLDP frame
0 15 31
Destination MAC address

Source MAC address

Type

Data = LLDPDU
(n bytes)

FCS

Table 23 Fields in a SNAP-encapsulated LLDP frame

Field Description
MAC address to which the LLDP frame is advertised. It is the same as
Destination MAC address
that for Ethernet II-encapsulated LLDP frames.

Source MAC address MAC address of the sending port.

SNAP type for the upper-layer protocol. This field is

Type
0xAAAA-0300-0000-88CC for LLDP.
Data LLDPDU.
Frame check sequence, a 32-bit CRC value used to determine the
FCS
validity of the received Ethernet frame.

LLDPDUs
LLDP uses LLDPDUs to exchange information. An LLDPDU comprises multiple TLVs. Each TLV
carries a type of device information, as shown in Figure 85.
Figure 85 LLDPDU encapsulation format

Chassis ID TLV Port ID TLV Time To Live TLV Optional TLV ... Optional TLV End of LLDPDU TLV

An LLDPDU can carry up to 32 types of TLVs. Mandatory TLVs include Chassis ID TLV, Port ID TLV,
and Time to Live TLV. Other TLVs are optional.
TLVs
A TLV is an information element that contains the type, length, and value fields.
LLDPDU TLVs include the following categories:
• Basic management TLVs
• Organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs
• LLDP-MED (media endpoint discovery) TLVs
Basic management TLVs are essential to device management.
Organizationally specific TLVs and LLDP-MED TLVs are used for enhanced device management.
They are defined by standardization or other organizations and are optional for LLDPDUs.
• Basic management TLVs
Table 24 lists the basic management TLV types. Some of them are mandatory for LLDPDUs.

250
 Table 24 Basic management TLVs

Type Description Remarks

Chassis ID Specifies the bridge MAC address of the sending device.

Specifies the ID of the sending port:

• If the LLDPDU carries LLDP-MED TLVs, the port ID
Port ID
TLV carries the MAC address of the sending port. Mandatory.
• Otherwise, the port ID TLV carries the port name.
Specifies the life of the transmitted information on the
Time to Live
receiving device.
End of LLDPDU Marks the end of the TLV sequence in the LLDPDU.
Port Description Specifies the description for the sending port.
System Name Specifies the assigned name of the sending device.
System Description Specifies the description for the sending device.
Identifies the primary features of the sending device and the Optional.
System Capabilities
enabled primary features.
Specifies the following elements:
• The management address of the local device.
Management Address
• The interface number and object identifier (OID)
associated with the address.

• IEEE 802.1 organizationally specific TLVs

Table 25 IEEE 802.1 organizationally specific TLVs

Type Description
Port VLAN ID (PVID) Specifies the port VLAN identifier.
Port And Protocol VLAN ID Indicates whether the device supports protocol VLANs and, if so, what
(PPVID) VLAN IDs these protocols will be associated with.
VLAN Name Specifies the textual name of any VLAN to which the port belongs.
Protocol Identity Indicates protocols supported on the port.
Data center bridging exchange protocol.
DCBX NOTE:
The DCBX TLV is not supported in this switch series.
Edge Virtual Bridging module, including EVB TLV and CDCP TLV.
EVB module NOTE:
The EVB TLV is not supported in this switch series.
Indicates whether the port supports link aggregation, and if yes,
Link Aggregation
whether link aggregation is enabled.
Management VID Management VLAN ID.
VID Usage Digest VLAN ID usage digest.
ETS Configuration Enhanced Transmission Selection configuration.
ETS Recommendation ETS recommendation.
Priority-based Flow Control.
PFC NOTE:
The PFC TLV is not supported in this switch series.

251
 Type Description
APP Application protocol.
Quantized Congestion Notification.
QCN NOTE:
The QCN TLV is not supported in this switch series.

NOTE:
• The device can receive protocol identity TLVs and VID usage digest TLVs, but it cannot send
these TLVs.
• Layer 3 Ethernet ports support only link aggregation TLVs.

• IEEE 802.3 organizationally specific TLVs

Table 26 IEEE 802.3 organizationally specific TLVs

Type Description
Contains the bit-rate and duplex capabilities of the port, support
MAC/PHY Configuration/Status for autonegotiation, enabling status of autonegotiation, and the
current rate and duplex mode.
Contains the power supply capabilities of the port:
• Port class (PSE or PD).
• Power supply mode.
• Whether PSE power supply is supported.
• Whether PSE power supply is enabled.
Power Via MDI • Whether pair selection can be controlled.
• Power supply type.
• Power source.
• Power priority.
• PD requested power.
• PSE allocated power.
Maximum Frame Size Indicates the maximum supported frame size.
Indicates the power state control configured on the sending
port, including the following:
Power Stateful Control • Power supply mode of the PSE/PD.
• PSE/PD priority.
• PSE/PD power.
Energy-Efficient Ethernet Indicates Energy Efficient Ethernet (EEE).

NOTE:
The Power Stateful Control TLV is defined in IEEE P802.3at D1.0 and is not supported in later
versions. HPE devices send this type of TLVs only after receiving them.

• LLDP-MED TLVs
LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as
basic configuration, network policy configuration, and address and directory management.
LLDP-MED TLVs provide a cost-effective and easy-to-use solution for deploying voice devices
in Ethernet. LLDP-MED TLVs are shown in Table 27.

252
 Table 27 LLDP-MED TLVs

Type Description
Allows a network device to advertise the LLDP-MED TLVs that it
LLDP-MED Capabilities
supports.

Allows a network device or terminal device to advertise the

Network Policy VLAN ID of a port, the VLAN type, and the Layer 2 and Layer 3
priorities for specific applications.

Allows a network device or terminal device to advertise power

Extended Power-via-MDI supply capability. This TLV is an extension of the Power Via MDI
TLV.

Hardware Revision Allows a terminal device to advertise its hardware version.

Firmware Revision Allows a terminal device to advertise its firmware version.

Software Revision Allows a terminal device to advertise its software version.

Serial Number Allows a terminal device to advertise its serial number.

Manufacturer Name Allows a terminal device to advertise its vendor name.

Model Name Allows a terminal device to advertise its model name.

Allows a terminal device to advertise its asset ID. The typical

Asset ID case is that the user specifies the asset ID for the endpoint to
facilitate directory management and asset tracking.

Allows a network device to advertise the appropriate location

Location Identification identifier information for a terminal device to use in the context of
location-based applications.

NOTE:
• If the MAC/PHY configuration/status TLV is not advertisable, none of the LLDP-MED TLVs
will be advertised even if they are advertisable.
• If the LLDP-MED capabilities TLV is not advertisable, the other LLDP-MED TLVs will not be
advertised even if they are advertisable.

Management address
The network management system uses the management address of a device to identify and manage
the device for topology maintenance and network management. The management address is
encapsulated in the management address TLV.

Working mechanism
LLDP operating modes
An LLDP agent can operate in one of the following modes:
• TxRx mode—An LLDP agent in this mode can send and receive LLDP frames.
• Tx mode—An LLDP agent in this mode can only send LLDP frames.
• Rx mode—An LLDP agent in this mode can only receive LLDP frames.
• Disable mode—An LLDP agent in this mode cannot send or receive LLDP frames.
Each time the LLDP operating mode of an LLDP agent changes, its LLDP protocol state machine
reinitializes. A configurable reinitialization delay prevents frequent initializations caused by frequent

253
 changes to the operating mode. If you configure the reinitialization delay, an LLDP agent must wait
the specified amount of time to initialize LLDP after the LLDP operating mode changes.
Transmitting LLDP frames
An LLDP agent operating in TxRx mode or Tx mode sends LLDP frames to its directly connected
devices both periodically and when the local configuration changes. To prevent LLDP frames from
overwhelming the network during times of frequent changes to local device information, LLDP uses
the token bucket mechanism to rate limit LLDP frames. For more information about the token bucket
mechanism, see ACL and QoS Configuration Guide.
LLDP automatically enables the fast LLDP frame transmission mechanism in either of the following
cases:
• A new LLDP frame is received and carries device information new to the local device.
• The LLDP operating mode of the LLDP agent changes from Disable or Rx to TxRx or Tx.
The fast LLDP frame transmission mechanism successively sends the specified number of LLDP
frames at a configurable fast LLDP frame transmission interval. The mechanism helps LLDP
neighbors discover the local device as soon as possible. Then, the normal LLDP frame transmission
interval resumes.
Receiving LLDP frames
An LLDP agent operating in TxRx mode or Rx mode confirms the validity of TLVs carried in every
received LLDP frame. If the TLVs are valid, the LLDP agent saves the information and starts an
aging timer. The initial value of the aging timer is equal to the TTL value in the Time To Live TLV
carried in the LLDP frame. When the LLDP agent receives a new LLDP frame, the aging timer
restarts. When the aging timer decreases to zero, all saved information ages out.

Collaboration with Track

You can configure a track entry and associate it with an LLDP interface. The LLDP module checks
the neighbor availability status of the LLDP interface regularly and reports the check result to the
Track module. The Track module changes the track entry status accordingly so the associated
application module can take correct actions.
The Track module changes the track entry status based on the neighbor availability status of a
monitored LLDP interface as follows:
• If the neighbor of the LLDP interface is available, the Track module sets the track entry to
Positive state.
• If the neighbor of the LLDP interface is unavailable, the Track module sets the track entry to
Negative state.
For more information about collaboration between Track and LLDP, see High Availability
Configuration Guide.

Protocols and standards

• IEEE 802.1AB-2005, Station and Media Access Control Connectivity Discovery
• IEEE 802.1AB-2009, Station and Media Access Control Connectivity Discovery
• ANSI/TIA-1057, Link Layer Discovery Protocol for Media Endpoint Devices
• IEEE Std 802.1Qaz-2011, Media Access Control (MAC) Bridges and Virtual Bridged Local Area
Networks-Amendment 18: Enhanced Transmission Selection for Bandwidth Sharing Between
Traffic Classes

254
LLDP configuration task list
Tasks at a glance
Performing basic LLDP configurations:
• (Required.) Enabling LLDP
• (Optional.) Setting the LLDP bridge mode
• (Optional.) Setting the LLDP operating mode
• (Optional.) Setting the LLDP reinitialization delay
• (Optional.) Enabling LLDP polling
• (Optional.) Configuring the advertisable TLVs
• (Optional.) Configuring the management address and its encoding format
• (Optional.) Setting other LLDP parameters
• (Optional.) Setting an encapsulation format for LLDP frames
• (Optional.) Disabling LLDP PVID inconsistency check
(Optional.) Configuring CDP compatibility
(Optional.) Configuring LLDP trapping and LLDP-MED trapping
(Optional.) Setting the source MAC address of LLDP frames to the MAC address of a Layer 3 Ethernet
subinterface
(Optional.) Enabling the device to generate ARP or ND entries for received management address LLDP
TLVs

Performing basic LLDP configurations

Enabling LLDP
To make LLDP take effect on specific ports, you must enable LLDP both globally and on these ports.
To use LLDP together with OpenFlow, you must enable LLDP globally on OpenFlow switches. To
prevent LLDP from affecting topology discovery of OpenFlow controllers, disable LLDP on ports of
OpenFlow instances. For more information about OpenFlow, see OpenFlow Configuration Guide.
To enable LLDP:

Step Command Remarks

1. Enter system view. system-view N/A
By default:
• If the device is started with the
software default settings, LLDP
is disabled globally.
• If the device is started with the
2. Enable LLDP globally. lldp global enable factory default settings, LLDP is
enabled globally.
For more information about device
startup with software or factory
default settings, see Fundamentals
Configuration Guide.

255
 Step Command Remarks
3. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet interface interface-type
interface view, Layer 2/Layer 3 N/A
interface-number
aggregate interface view, or
IRF physical interface view.

4. Enable LLDP. By default, LLDP is enabled on a

lldp enable
port.

NOTE:
An LLDP-enabled IRF physical interface supports only the nearest bridge agents.

Setting the LLDP bridge mode

The following LLDP bridge modes are available:
• Customer bridge mode—LLDP supports nearest bridge agents, nearest non-TPMR bridge
agents, and nearest customer bridge agents. LLDP processes the LLDP frames with
destination MAC addresses for these agents and transparently transmits the LLDP frames with
other destination MAC addresses in a VLAN.
• Service bridge mode—LLDP supports nearest bridge agents and nearest non-TPMR bridge
agents. LLDP processes the LLDP frames with destination MAC addresses for these agents
and transparently transmits the LLDP frames with other destination MAC addresses in a VLAN.
To set the LLDP bridge mode:

Step Command Remarks

1. Enter system view. system-view N/A
2. Set the LLDP bridge mode By default, LLDP operates in
to service bridge. lldp mode service-bridge
customer bridge mode.

Setting the LLDP operating mode

Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet
interface view, Layer interface interface-type
N/A
2/Layer 3 aggregate interface-number
interface view, or IRF
physical interface view.
• In Layer 2/Layer 3 Ethernet By default:
interface view or management
• The nearest bridge agent
Ethernet interface view:
operates in txrx mode.
lldp [ agent { nearest-customer
3. Set the LLDP operating • The nearest customer
| nearest-nontpmr } ]
mode. bridge agent and nearest
admin-status { disable | rx | tx |
txrx } non-TPMR bridge agent
operate in disable mode.
• In Layer 2/Layer 3 aggregate
interface view: In Ethernet interface view, if you

256
 Step Command Remarks
lldp agent { nearest-customer | do not specify an agent type, the
nearest-nontpmr } command sets the operating
admin-status { disable | rx | tx | mode for nearest bridge agents.
txrx } In aggregate interface view, you
• In IRF physical interface view: can set the operating mode only
lldp admin-status { disable | rx | for nearest customer bridge
tx | txrx } agents and nearest non-TPMR
bridge agents.
In IRF physical interface view,
you can set the operating mode
only for nearest bridge agents.

Setting the LLDP reinitialization delay

When the LLDP operating mode changes on a port, the port initializes the protocol state machines
after an LLDP reinitialization delay. By adjusting the delay, you can avoid frequent initializations
caused by frequent changes to the LLDP operating mode on a port.
To set the LLDP reinitialization delay for ports:

Step Command Remarks

1. Enter system view. system-view N/A
2. Set the LLDP reinitialization
delay. lldp timer reinit-delay delay The default setting is 2 seconds.

Enabling LLDP polling

With LLDP polling enabled, a device periodically searches for local configuration changes. When the
device detects a configuration change, it sends LLDP frames to inform neighboring devices of the
change.
To enable LLDP polling:

Step Command Remarks

1. Enter system view. system-view N/A

2. Enter Layer 2/Layer 3

Ethernet interface view,
management Ethernet interface interface-type
interface view, Layer 2/Layer N/A
interface-number
3 aggregate interface view, or
IRF physical interface view.

• In Layer 2/Layer 3 Ethernet

interface view or management
Ethernet interface view:
lldp [ agent { nearest-customer |
nearest-nontpmr } ]
3. Enable LLDP polling and set check-change-interval interval By default, LLDP polling is
the polling interval. • In Layer 2/Layer 3 aggregate disabled.
interface view:
lldp agent { nearest-customer |
nearest-nontpmr }
check-change-interval interval
• In IRF physical interface view:

257
 Step Command Remarks
lldp check-change-interval
interval

Configuring the advertisable TLVs

Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet
interface view, Layer interface interface-type
N/A
2/Layer 3 aggregate interface-number
interface view, or IRF
physical interface view.
• lldp tlv-enable { basic-tlv { all |
port-description |
system-capability |
system-description |
system-name |
management-address-tlv
[ ipv6 ] [ ip-address ] } | dot1-tlv
{ all | port-vlan-id |
link-aggregation |
protocol-vlan-id [ vlan-id ] |
vlan-name [ vlan-id ] |
management-vid [ mvlan-id ] } |
dot3-tlv { all | mac-physic |
max-frame-size | power } | By default:
med-tlv { all | capability | • Nearest bridge agents can
inventory | network-policy advertise all LLDP TLVs
[ vlan-id ] | except the location
power-over-ethernet | identification, port and
location-id { civic-address protocol VLAN ID, VLAN
device-type country-code name, and management
3. Configure the advertisable { ca-type ca-value }&<1-10> | VLAN ID TLVs.
TLVs (in Layer 2 Ethernet elin-address tel-number } } }
interface view). • Nearest non-TPMR bridge
• lldp agent nearest-nontpmr agents do not advertise
tlv-enable { basic-tlv { all | any TLVs.
port-description |
• Nearest customer bridge
system-capability |
agents can advertise basic
system-description |
TLVs and IEEE 802.1
system-name |
organizationally specific
management-address-tlv
TLVs.
[ ipv6 ] [ ip-address ] } | dot1-tlv
{ all | port-vlan-id |
link-aggregation } }
• lldp agent nearest-customer
tlv-enable { basic-tlv { all |
port-description |
system-capability |
system-description |
system-name |
management-address-tlv
[ ipv6 ] [ ip-address ] } | dot1-tlv
{ all | port-vlan-id |
link-aggregation } }
4. Configure the advertisable • lldp tlv-enable { basic-tlv { all | By default:

258
Step Command Remarks
TLVs (in Layer 3 Ethernet port-description | • Nearest bridge agents can
interface view). system-capability | advertise all types of LLDP
system-description | TLVs (only link aggregation
system-name | TLV is supported in 802.1
management-address-tlv organizationally specific
[ ipv6 ] [ ip-address | interface TLVs) except network
loopback interface-number ] } | policy LVs.
dot1-tlv { all | • Nearest non-TPMR bridge
link-aggregation } | dot3-tlv agents do not advertise
{ all | mac-physic | TLVs.
max-frame-size | power } |
• Nearest customer bridge
med-tlv { all | capability |
inventory | agents can advertise basic
TLVs and IEEE 802.1
power-over-ethernet |
location-id { civic-address organizationally specific
TLVs (only link aggregation
device-type country-code
TLV is supported).
{ ca-type ca-value }&<1-10> |
elin-address tel-number } } }
• lldp agent { nearest-nontpmr |
nearest-customer } tlv-enable
{ basic-tlv { all |
port-description |
system-capability |
system-description |
system-name |
management-address-tlv
[ ipv6 ] [ ip-address ] } | dot1-tlv
{ all | link-aggregation } }
• lldp tlv-enable { basic-tlv { all |
port-description |
system-capability |
system-description |
system-name |
management-address-tlv By default:
[ ipv6 ] [ ip-address ] } | dot1-tlv • Nearest bridge agents can
{ all | link-aggregation } | advertise all types of LLDP
dot3-tlv { all | mac-physic | TLVs (only link aggregation
max-frame-size | power } | TLV is supported in 802.1
med-tlv { all | capability | organizationally specific
inventory | TLVs) except network
5. Configure the advertisable power-over-ethernet | policy TLVs.
TLVs (in management location-id { civic-address • Nearest non-TPMR bridge
Ethernet interface view). device-type country-code agents do not advertise
{ ca-type ca-value }&<1-10> | TLVs.
elin-address tel-number } } }
• Nearest customer bridge
• lldp agent { nearest-nontpmr | agents can advertise basic
nearest-customer } tlv-enable TLVs and IEEE 802.1
{ basic-tlv { all | organizationally specific
port-description | TLVs (only link aggregation
system-capability | TLV is supported).
system-description |
system-name |
management-address-tlv
[ ipv6 ] [ ip-address ] } | dot1-tlv
{ all | link-aggregation } }
• lldp agent nearest-nontpmr
By default:
tlv-enable { basic-tlv { all |
6. Configure the advertisable management-address-tlv • Nearest customer bridge
TLVs (in Layer 2 aggregate [ ipv6 ] [ ip-address ] | agents can advertise basic
interface view). port-description | TLVs and IEEE 802.1
system-capability | organizationally specific
system-description | TLVs (only port and

259
 Step Command Remarks
system-name } | dot1-tlv { all | protocol VLAN ID, VLAN
port-vlan-id } } name, and management
• lldp agent nearest-customer VLAN ID TLVs are
tlv-enable { basic-tlv { all | supported).
management-address-tlv Nearest bridge agents are not
[ ipv6 ] [ ip-address ] | supported on Layer 2 aggregate
port-description | interfaces.
system-capability |
system-description |
system-name } | dot1-tlv { all |
port-vlan-id } }
• lldp tlv-enable dot1-tlv
{ protocol-vlan-id [ vlan-id ] |
vlan-name [ vlan-id ] |
management-vid [ mvlan-id ] }
By default:
lldp agent { nearest-nontpmr | • Nearest non-TPMR bridge
nearest-customer } tlv-enable agents do not advertise
basic-tlv { all | TLVs.
7. Configure the advertisable
TLVs (in Layer 3 aggregate management-address-tlv [ ipv6 ] • Nearest customer bridge
interface view). [ ip-address ] | port-description | agents can advertise only
system-capability | basic TLVs.
system-description |
Nearest bridge agents are not
system-name }
supported on Layer 3 aggregate
interfaces.
An LLDP-enabled IRF physical
lldp tlv-enable basic-tlv interface supports only the
8. Configure the advertisable { port-description | nearest bridge agent.
TLVs (in IRF physical system-capability |
interface view). system-description | By default, nearest bridge
system-name } agents can advertise all types of
LLDP TLVs.

Configuring the management address and its encoding

format
LLDP encodes management addresses in numeric or string format in management address TLVs.
If a neighbor encodes its management address in string format, set the encoding format of the
management address to string on the connecting port. This guarantees normal communication with
the neighbor.
You can configure advertisement of the management address TLV globally or on a per-interface
basis. The device selects the management address TLV advertisement setting for an interface in the
following order:
1. Interface-based setting, configured by using the lldp tlv-enable command with the
management-address-tlv keyword.
2. Global setting, configured by using the lldp global tlv-enable basic-tlv
management-address-tlv command.
3. Default setting for the interface.
By default:
 The nearest bridge agent and nearest customer bridge agent advertise the management
address TLV.
 The nearest non-TPMR bridge agent does not advertise the management address TLV.

260
To configure advertisement of the management address TLV and set the management address
encoding format:

Step Command Remarks

1. Enter system view. system-view N/A
lldp [ agent { nearest-customer |
2. Enable advertisement of the nearest-nontpmr } ] global
management address TLV tlv-enable basic-tlv By default, advertisement of
globally and set the management-address-tlv [ ipv6 ] the management address TLV
management address to be { ip-address | interface loopback is disabled globally.
advertised. interface-number | interface
vlan-interface interface-number }
3. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet interface interface-type
interface view, or Layer N/A
interface-number
2/Layer 3 aggregate
interface view.
• In Layer 2 Ethernet interface
view or management Ethernet
interface view:
lldp [ agent
{ nearest-customer |
nearest-nontpmr } ] tlv-enable By default:
basic-tlv
management-address-tlv • The nearest bridge agent
[ ipv6 ] [ ip-address ] and nearest customer
bridge agent advertise the
• In Layer 3 Ethernet interface management address
4. Enable advertisement of the view: TLV.
management address TLV lldp [ agent
on the interface and set the { nearest-customer | • The nearest non-TPMR
management address to be nearest-nontpmr } ] tlv-enable bridge agent does not
advertised. basic-tlv advertise the
management-address-tlv management address
[ ipv6 ] [ ip-address ] | interface TLV.
loopback interface-number ] The device supports only the
• In Layer 2/Layer 3 aggregate numeric encoding format for
interface view: IPv6 management addresses.
lldp agent { nearest-customer
| nearest-nontpmr } tlv-enable
basic-tlv
management-address-tlv
[ ipv6 ] [ ip-address ]
• In Layer 2/Layer 3 Ethernet
interface view or management
Ethernet interface view:
lldp [ agent
{ nearest-customer |
nearest-nontpmr } ]
5. Set the encoding format of management-address-format By default, the encoding
the management address to string format of the management
string. address is numeric.
• In Layer 2/Layer 3 aggregate
interface view:
lldp agent { nearest-customer
| nearest-nontpmr }
management-address-format
string

261
Setting other LLDP parameters
The Time to Live TLV carried in an LLDPDU determines how long the device information carried in
the LLDPDU can be saved on a recipient device.
By setting the TTL multiplier, you can configure the TTL of locally sent LLDPDUs. The TTL is
expressed by using the following formula:
TTL = Min (65535, (TTL multiplier × LLDP frame transmission interval + 1))
As the expression shows, the TTL can be up to 65535 seconds. TTLs greater than 65535 will be
rounded down to 65535 seconds.
To set LLDP parameters:

Step Command Remarks

1. Enter system view. system-view N/A
2. Set the TTL multiplier. lldp hold-multiplier value The default setting is 4.
3. Set the LLDP frame The default setting is 30
transmission interval. lldp timer tx-interval interval
seconds.
4. Set the token bucket size for
sending LLDP frames. lldp max-credit credit-value The default setting is 5.

5. Set the number of LLDP

frames sent each time fast
LLDP frame transmission is lldp fast-count count The default setting is 4.
triggered.
6. Set the fast LLDP frame
transmission interval. lldp timer fast-interval interval The default setting is 1 second.

Setting an encapsulation format for LLDP frames

LLDP frames can be encapsulated in the following formats:
• Ethernet II—With Ethernet II encapsulation configured, an LLDP port sends LLDP frames in
Ethernet II frames.
• SNAP—With SNAP encapsulation configured, an LLDP port sends LLDP frames in SNAP
frames.
Earlier versions of LLDP require the same encapsulation format on both ends to process LLDP
frames. To successfully communicate with a neighboring device running an earlier version of LLDP,
the local device must be set with the same encapsulation format.
To set the encapsulation format for LLDP frames to SNAP:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet
interface view, Layer interface interface-type interface-number N/A
2/Layer 3 aggregate
interface view, or IRF
physical interface view.
3. Set the encapsulation • In Layer 2/Layer 3 Ethernet interface By default, Ethernet II
format for LLDP frames to view or management Ethernet encapsulation format
SNAP. interface view: applies.

262
 Step Command Remarks
lldp [ agent { nearest-customer |
nearest-nontpmr } ] encapsulation
snap
• In Layer 2/Layer 3 aggregate interface
view:
lldp agent { nearest-customer |
nearest-nontpmr } encapsulation
snap
• In IRF physical interface view:
lldp encapsulation snap

Disabling LLDP PVID inconsistency check

By default, when the system receives an LLDP packet, it compares the PVID value contained in
packet with the PVID configured on the receiving interface. If the two PVIDs do not match, a log
message will be printed to notify the user.
You can disable PVID inconsistency check if different PVIDs are required on a link.
To disable LLDP PVID inconsistency check:

Step Command Remarks

1. Enter system view. system-view N/A

2. Disable LLDP PVID By default, LLDP PVID

inconsistency check. lldp ignore-pvid-inconsistency inconsistency check is
enabled.

Configuring CDP compatibility

To enable your device to exchange information with a directly connected Cisco device that supports
only CDP, you must enable CDP compatibility.
CDP compatibility enables your device to receive and recognize CDP packets from the neighboring
CDP device and send CDP packets to the neighboring device. The CDP packets sent to the
neighboring CDP device carry the following information:
• Device ID.
• ID of the port connecting to the neighboring device.
• Port IP address.
• TTL.
The port IP address is the primary IP address of a VLAN interface in up state. The VLAN ID of the
VLAN interface must be the lowest among the VLANs permitted on the port. If no VLAN interfaces of
the permitted VLANs are assigned an IP address or all VLAN interfaces are down, no port IP address
will be advertised.
You can view the neighboring CDP device information that can be recognized by the device in the
output of the display lldp neighbor-information command. For more information about the display
lldp neighbor-information command, see Layer 2—LAN Switching Command Reference.
To make your device work with Cisco IP phones, you must enable CDP compatibility.
If your LLDP-enabled device cannot recognize CDP packets, it does not respond to the requests of
Cisco IP phones for the voice VLAN ID configured on the device. As a result, a requesting Cisco IP

263
 phone sends voice traffic without any tag to your device. Your device cannot differentiate the voice
traffic from other types of traffic.
CDP compatibility enables your device to receive and recognize CDP packets from a Cisco IP phone
and respond with CDP packets carrying TLVs with the configured voice VLAN. If no voice VLAN is
configured for CDP packets, CDP packets carry the voice VLAN of the port or the voice VLAN
assigned by the RADIUS server. The assigned voice VLAN has a higher priority. According to TLVs
with the voice VLAN configuration, the IP phone automatically configures the voice VLAN. As a
result, the voice traffic is confined in the configured voice VLAN and is differentiated from other types
of traffic.
For more information about voice VLANs, see "Configuring voice VLANs."
When the device is connected to a Cisco IP phone that has a host attached to its data port, the host
must access the network through the Cisco IP phone. If the data port goes down, the IP phone will
send a CDP packet to the device so the device can log out the user.

Configuration prerequisites
Before you configure CDP compatibility, complete the following tasks:
• Globally enable LLDP.
• Enable LLDP on the port connecting to a CDP device.
• Configure LLDP to operate in TxRx mode on the port.

Configuration procedure
CDP-compatible LLDP operates in one of the following modes:
• TxRx—CDP packets can be transmitted and received.
• Rx—CDP packets can be received but cannot be transmitted.
• Disable—CDP packets cannot be transmitted or received.
To make CDP-compatible LLDP take effect on a port, follow these steps:
1. Enable CDP-compatible LLDP globally.
2. Configure CDP-compatible LLDP to operate in TxRx mode on the port.
The maximum TTL value that CDP allows is 255 seconds. To make CDP-compatible LLDP work
correctly with CDP devices, configure the LLDP frame transmission interval to be no more than 1/3 of
the TTL value.
To configure LLDP to be compatible with CDP:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enable CDP compatibility By default, CDP compatibility is
lldp compliance cdp
globally. disabled globally.
3. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet interface interface-type
interface view, or Layer N/A
interface-number
2/Layer 3 aggregate
interface view.
4. Configure CDP-compatible
lldp compliance admin-status By default, CDP-compatible LLDP
LLDP to operate in TxRx
cdp txrx operates in disable mode.
mode.

264
 Step Command Remarks

5. Set the voice VLAN ID By default, no voice VLAN ID is

carried in CDP packets. cdp voice-vlan vlan-id configured to be carried in CDP
packets.

Configuring LLDP trapping and LLDP-MED

trapping
LLDP trapping or LLDP-MED trapping notifies the network management system of events such as
newly detected neighboring devices and link failures.
To prevent excessive LLDP traps from being sent when the topology is unstable, set a trap
transmission interval for LLDP.
To configure LLDP trapping and LLDP-MED trapping:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 2/Layer 3
Ethernet interface view,
management Ethernet
interface view, Layer interface interface-type interface-number N/A
2/Layer 3 aggregate
interface view, or IRF
physical interface view.
• In Layer 2/Layer 3 Ethernet interface
view or management Ethernet
interface view:
lldp [ agent { nearest-customer |
nearest-nontpmr } ] notification
remote-change enable
• In Layer 2/Layer 3 aggregate interface By default, LLDP trapping
3. Enable LLDP trapping.
view: is disabled.
lldp agent { nearest-customer |
nearest-nontpmr } notification
remote-change enable
• In IRF physical interface view:
lldp notification remote-change
enable
4. Enable LLDP-MED
trapping (in Layer 2/Layer
3 Ethernet interface view lldp notification med-topology-change By default, LLDP-MED
or management Ethernet enable trapping is disabled.
interface view).
5. Return to system view. quit N/A
6. (Optional.) Set the LLDP The default setting is 30
trap transmission interval. lldp timer notification-interval interval
seconds.

265
Setting the source MAC address of LLDP frames
to the MAC address of a Layer 3 Ethernet
subinterface
Step Command Remarks
1. Enter system view. system-view N/A
2. Enter Layer 3 Ethernet
interface view. interface interface-type interface-number N/A

By default, the source MAC

address of LLDP frames is the
3. Set the source MAC MAC address of the Layer 3
address of LLDP Ethernet interface.
frames to the MAC lldp source-mac vlan vlan-id The specified VLAN ID is used
address of a Layer 3 as the subnumber element of
Ethernet subinterface. the Layer 3 Ethernet
subinterface number
interface-number.subnumber.

Enabling the device to generate ARP or ND

entries for received management address LLDP
TLVs
This feature enables the device to generate an ARP or ND entry for a received LLDP frame that
carries a management address TLV. The ARP or ND entry contains the management address and
the source MAC address of the frame.
You can enable the device to generate both ARP and ND entries. If the management address TLV
contains an IPv4 address, the device generates an ARP entry. If the management address TLV
contains an IPv6 address, the device generates an ND entry.
To enable the device to generate an ARP or ND entry for a received management address LLDP
TLV:

Step Command Remarks

1. Enter system view. system-view N/A
2. Enter Layer 3 Ethernet interface interface-type
interface view. N/A
interface-number
By default, the device does not
generate an ARP or ND entry
when receiving a management
3. Enable the device to address LLDP TLV.
generate an ARP or ND lldp management-address Include the vlan vlan-id option in
entry for a management { arp-learning | nd-learning } the command to generate the ARP
address LLDP TLV received [ vlan vlan-id ] or ND entry for the Layer 3
on the interface. Ethernet subinterface identified by
interface-number.subnumber,
where subnumber is the specified
VLAN ID.

266
Displaying and maintaining LLDP
Execute display commands in any view.

Task Command
Display local LLDP display lldp local-information [ global | interface interface-type
information. interface-number ]
Display the information
display lldp neighbor-information [ [ [ interface interface-type
contained in the LLDP
interface-number ] [ agent { nearest-bridge | nearest-customer |
TLVs sent from
nearest-nontpmr } ] [ verbose ] ] | list [ system-name system-name ] ]
neighboring devices.
display lldp statistics [ global | [ interface interface-type interface-number ]
Display LLDP statistics.
[ agent { nearest-bridge | nearest-customer | nearest-nontpmr } ] ]
Display LLDP status of a display lldp status [ interface interface-type interface-number ] [ agent
port. { nearest-bridge | nearest-customer | nearest-nontpmr } ]
Display types of
display lldp tlv-config [ interface interface-type interface-number ] [ agent
advertisable optional LLDP
{ nearest-bridge | nearest-customer | nearest-nontpmr } ]
TLVs.

LLDP configuration examples

Basic LLDP configuration example
Network requirements
As shown in Figure 86, enable LLDP globally on Switch A and Switch B to perform the following
tasks:
• Monitor the link between Switch A and Switch B on the NMS.
• Monitor the link between Switch A and the MED device on the NMS.
Figure 86 Network diagram

MED

GE1/0/1
NMS
GE1/0/2 GE1/0/1

Switch A Switch B

Configuration procedure
1. Configure Switch A:
# Enable LLDP globally.
<SwitchA> system-view
[SwitchA] lldp global enable
# Enable LLDP on GigabitEthernet 1/0/1. By default, LLDP is enabled on ports.
[SwitchA] interface gigabitethernet 1/0/1

267
 [SwitchA-GigabitEthernet1/0/1] lldp enable
# Set the LLDP operating mode to Rx on GigabitEthernet 1/0/1.
[SwitchA-GigabitEthernet1/0/1] lldp admin-status rx
[SwitchA-GigabitEthernet1/0/1] quit
# Enable LLDP on GigabitEthernet 1/0/2. By default, LLDP is enabled on ports.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] lldp enable
# Set the LLDP operating mode to Rx on GigabitEthernet 1/0/2.
[SwitchA-GigabitEthernet1/0/2] lldp admin-status rx
[SwitchA-GigabitEthernet1/0/2] quit
2. Configure Switch B:
# Enable LLDP globally.
<SwitchB> system-view
[SwitchB] lldp global enable
# Enable LLDP on GigabitEthernet 1/0/1. By default, LLDP is enabled on ports.
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] lldp enable
# Set the LLDP operating mode to Tx on GigabitEthernet 1/0/1.
[SwitchB-GigabitEthernet1/0/1] lldp admin-status tx
[SwitchB-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify the following items:
• GigabitEthernet 1/0/1 of Switch A connects to a MED device.
• GigabitEthernet 1/0/2 of Switch A connects to a non-MED device.
• Both ports operate in Rx mode, and they can receive LLDP frames but cannot send LLDP
frames.
[SwitchA] display lldp status
Global status of LLDP: Enable
Bridge mode of LLDP: customer-bridge
The current number of LLDP neighbors: 2
The current number of CDP neighbors: 0
LLDP neighbor information last changed time: 0 days, 0 hours, 4 minutes, 40 seconds
Transmit interval : 30s
Fast transmit interval : 1s
Transmit max credit : 5
Hold multiplier : 4
Reinit delay : 2s
Trap interval : 30s
Fast start times : 4

LLDP status information of port 1 [GigabitEthernet1/0/1]:

LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s

268
Number of LLDP neighbors : 1
Number of MED neighbors : 1
Number of CDP neighbors : 0
Number of sent optional TLV : 21
Number of received unknown TLV : 0

LLDP agent nearest-customer:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 16
Number of received unknown TLV : 0

LLDP status information of port 2 [GigabitEthernet1/0/2]:

LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 1
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 21
Number of received unknown TLV : 3

LLDP agent nearest-nontpmr:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 1
Number of received unknown TLV : 0

LLDP agent nearest-customer:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No

269
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 16
Number of received unknown TLV : 0

# Remove the link between Switch A and Switch B.

# Verify that GigabitEthernet 1/0/2 of Switch A does not connect to any neighboring devices.
[SwitchA] display lldp status
Global status of LLDP: Enable
The current number of LLDP neighbors: 1
The current number of CDP neighbors: 0
LLDP neighbor information last changed time: 0 days, 0 hours, 5 minutes, 20 seconds
Transmit interval : 30s
Fast transmit interval : 1s
Transmit max credit : 5
Hold multiplier : 4
Reinit delay : 2s
Trap interval : 30s
Fast start times : 4

LLDP status information of port 1 [GigabitEthernet1/0/1]:

LLDP agent nearest-bridge:
Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 1
Number of MED neighbors : 1
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 5

LLDP agent nearest-nontpmr:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 1
Number of received unknown TLV : 0

LLDP status information of port 2 [GigabitEthernet1/0/2]:

LLDP agent nearest-bridge:

270
 Port status of LLDP : Enable
Admin status : Rx_Only
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 0
Number of received unknown TLV : 0

LLDP agent nearest-nontpmr:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 1
Number of received unknown TLV : 0

LLDP agent nearest-customer:

Port status of LLDP : Enable
Admin status : Disable
Trap flag : No
MED trap flag : No
Polling interval : 0s
Number of LLDP neighbors : 0
Number of MED neighbors : 0
Number of CDP neighbors : 0
Number of sent optional TLV : 16
Number of received unknown TLV : 0

CDP-compatible LLDP configuration example

Network requirements
As shown in Figure 87, GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 of Switch A are each
connected to a Cisco IP phone, which sends tagged voice traffic.
Configure voice VLAN 2 on Switch A. Enable CDP compatibility of LLDP on Switch A to allow the
Cisco IP phones to automatically configure the voice VLAN. The voice VLAN feature performs the
following operations:
• Confines the voice traffic to the voice VLAN.
• Isolates the voice traffic from other types of traffic.

271
 Figure 87 Network diagram
GE1/0/1 GE1/0/2

Cisco IP phone 1 Switch A Cisco IP phone 2

Configuration procedure
1. Configure a voice VLAN on Switch A:
# Create VLAN 2.
<SwitchA> system-view
[SwitchA] vlan 2
[SwitchA-vlan2] quit
# Set the link type of GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to trunk, and enable voice
VLAN on them.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] voice-vlan 2 enable
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] voice-vlan 2 enable
[SwitchA-GigabitEthernet1/0/2] quit
2. Configure CDP-compatible LLDP on Switch A:
# Enable LLDP globally, and enable CDP compatibility globally.
[SwitchA] lldp global enable
[SwitchA] lldp compliance cdp
# Enable LLDP on GigabitEthernet 1/0/1. By default, LLDP is enabled on ports.
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] lldp enable
# Configure LLDP to operate in TxRx mode on GigabitEthernet 1/0/1.
[SwitchA-GigabitEthernet1/0/1] lldp admin-status txrx
# Configure CDP-compatible LLDP to operate in TxRx mode on GigabitEthernet 1/0/1.
[SwitchA-GigabitEthernet1/0/1] lldp compliance admin-status cdp txrx
[SwitchA-GigabitEthernet1/0/1] quit
# Enable LLDP on GigabitEthernet 1/0/2. By default, LLDP is enabled on ports.
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] lldp enable
# Configure LLDP to operate in TxRx mode on GigabitEthernet 1/0/2.
[SwitchA-GigabitEthernet1/0/2] lldp admin-status txrx
# Configure CDP-compatible LLDP to operate in TxRx mode on GigabitEthernet 1/0/2.
[SwitchA-GigabitEthernet1/0/2] lldp compliance admin-status cdp txrx
[SwitchA-GigabitEthernet1/0/2] quit

Verifying the configuration

# Verify that Switch A has completed the following operations:
• Discovering the IP phones connected to GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.
• Obtaining IP phone information.
[SwitchA] display lldp neighbor-information

272
CDP neighbor-information of port 1[GigabitEthernet1/0/1]:
LLDP agent nearest-bridge:
CDP neighbor index : 1
Chassis ID : SEP00141CBCDBFE
Port ID : Port 1

CDP neighbor-information of port 2[GigabitEthernet1/0/2]:

LLDP agent nearest-bridge:
CDP neighbor index : 2
Chassis ID : SEP00141CBCDBFF
Port ID : Port 1

273
Configuring L2PT
Overview
Layer 2 Protocol Tunneling (L2PT) can transparently send Layer 2 protocol packets from
geographically dispersed customer networks across a service provider network or drop them.

Background
Dedicated lines are used in a service provider network to build user-specific Layer 2 networks. As a
result, a customer network contains sites located at different sides of the service provider network.
As shown in Figure 88, Customer A's network is divided into network 1 and network 2, which are
connected by the service provider network. For Customer A's network to implement Layer 2 protocol
calculations, the Layer 2 protocol packets must be transmitted across the service provider network.
Upon receiving a Layer 2 protocol packet, the PEs cannot determine whether the packet is from the
customer network or the service provider network. They must deliver the packet to the CPU for
processing. In this case, the Layer 2 protocol calculation in Customer A's network is mixed with the
Layer 2 protocol calculation in the service provider network. Neither the customer network nor the
service provider network can implement independent Layer 2 protocol calculations.
Figure 88 L2PT application scenarios

PE 1 PE 2

ISP network

CE 1 CE 2

Customer A Customer A
network 1 network 2
VLAN 100 VLAN 100

L2PT is introduced to resolve the problem. L2PT provides the following functions:
• Multicasts Layer 2 protocol packets from a customer network in a VLAN. Dispersed customer
networks can complete an independent Layer 2 protocol calculation, which is transparent to the
service provider network.
• Isolates Layer 2 protocol packets from different customer networks through different VLANs.
HPE devices support L2PT for the following protocols:
• CDP.
• DLDP.
• EOAM.
• GVRP.
• LACP.
• LLDP.
• MVRP.
• PAgP.

274
 • PVST.
• STP (including STP, RSTP, and MSTP).
• UDLD.
• VTP.

L2PT operating mechanism

As shown in Figure 89, L2PT operates as follows:
• When a port of PE 1 receives a Layer 2 protocol packet from the customer network in a VLAN,
it performs the following operations:
 Multicasts the packet out of all customer-facing ports in the VLAN except the receiving port.
 Changes the packet's destination multicast MAC address to a specified multicast address,
and multicasts it out of all ISP-facing ports in the VLAN. The modified packet is called the
tunneled packet.
• When a port of PE 2 in the VLAN receives the tunneled packet from the service provider
network, it performs the following operations:
 Multicasts the packet out of all ISP-facing ports in the VLAN except the receiving port.
 Changes the destination multicast MAC address to the original MAC address, and
multicasts the packet out of all customer-facing ports in the VLAN.
Figure 89 L2PT operating mechanism

Customer Customer
Service provider network
network network

Layer 2 protocol packets

from customer networks
PE 1 PE 2
Tunneled packets

For example, as shown in Figure 90, PE 1 receives an STP packet (BPDU) from network 1 to
network 2. CEs are the edge devices on the customer network, and PEs are the edge devices on the
service provider network. L2PT processes the packet as follows:
1. PE 1 performs the following operations:
a. Changes the packet's destination multicast MAC address 0180-c200-0000 to a specified
multicast MAC address (010f-e200-0003 by default) for the BPDU.
b. Sends the tunneled packet out of all ISP-facing ports in the packet's VLAN.
2. Upon receiving the tunneled packet, PE 2 decapsulates the packet and sends the BPDU to CE
2.
Through L2PT, both the ISP network and Customer A's network can perform independent spanning
tree calculations.

275
 Figure 90 L2PT network diagram

PE 1 ISP network PE 2

Tunnel

CE 1 CE 2

Customer A Customer A
network 1 network 2

L2PT configuration task list

Tasks at a glance
(Required.) Enabling L2PT
(Optional.) Setting the destination multicast MAC address for tunneled packets

Enabling L2PT
Restrictions and guidelines
• Before you enable L2PT for a Layer 2 protocol on a port, perform the following tasks:
 Enable the protocol on the connected CE, and disable the protocol on the port.
 Enable L2PT on PE ports connected to a customer network. If you enable L2PT on ports
connected to the service provider network, L2PT determines that the ports are connected to
a customer network.
 Make sure the VLAN tags of Layer 2 protocol packets are not changed or deleted for the
tunneled packets to be transmitted correctly across the service provider network.
• L2PT for LLDP supports LLDP packets from only nearest bridge agents.
• You can enable L2PT on a member port of a Layer 2 aggregation group, but the configuration
does not take effect.
• Do not enable L2PT on a port that is going to join a service loopback group. All configuration is
removed after the port joins the group.
• LACP and EOAM require point-to-point transmission. If you enable L2PT for LACP or EOAM,
L2PT multicasts LACP or EOAM packets out of customer-facing ports. As a result, the
transmission between two CEs is not point-to-point. To ensure point-to-point transmission for
the LACP or EOAM packets, you must configure other features (for example, VLAN).

Enabling L2PT for a protocol

Step Command Remarks
1. Enter system view. system-view N/A

2. Enter interface view. • Enter Layer 2 Ethernet interface view: N/A

276
 Step Command Remarks
interface interface-type interface-number
• Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-type
interface-number
• In Layer 2 Ethernet interface view:
l2protocol { cdp | dldp | eoam | gvrp | lacp | lldp
| mvrp | pagp | pvst | stp | udld | vtp } tunnel By default, L2PT is
3. Enable L2PT for a
protocol.
dot1q disabled for all
• In Layer 2 aggregate interface view: protocols.
l2protocol { gvrp | mvrp | pvst | stp | vtp }
tunnel dot1q

Setting the destination multicast MAC address for

tunneled packets
When you set the destination multicast MAC address for tunneled packets, follow these restrictions
and guidelines:
• For tunneled packets to be recognized, set the same destination multicast MAC addresses on
PEs that are connected to the same customer network.
• As a best practice, set different destination multicast MAC addresses on PEs connected to
different customer networks. It prevents L2PT from sending packets of a customer network to
another customer network.
To set the destination multicast MAC address for tunneled packets:

Step Command Remarks

1. Enter system view. system-view N/A

The available multicast MAC

2. Set the destination addresses are 010f-e200-0003,
multicast MAC address l2protocol tunnel-dmac 0100-0ccd-cdd0, 0100-0ccd-cdd1,
for tunneled packets. mac-address and 0100-0ccd-cdd2. By default,
010f-e200-0003 is used for tunneled
packets.

Displaying and maintaining L2PT

Execute display commands in any view and reset commands in user view.

Task Command
display l2protocol statistics [ interface interface-type
Display L2PT statistics.
interface-number ]
reset l2protocol statistics [ interface interface-type
Clear L2PT statistics.
interface-number ]

277
L2PT configuration examples
Configuring L2PT for STP
Network requirements
As shown in Figure 91, the MAC addresses of CE 1 and CE 2 are 00e0-fc02-5800 and
00e0-fc02-5802, respectively. MSTP is enabled in Customer A's network, and default MSTP settings
are used.
Perform the following tasks on the PEs:
• Configure the ports that connect to CEs as access ports, and configure the ports in the service
provider network as trunk ports. Configure ports in the service provider network to allow packets
from any VLAN to pass.
• Enable L2PT for STP to enable Customer A's network to implement independent spanning tree
calculation across the service provider network.
• Set the destination multicast MAC address to 0100-0ccd-cdd0 for tunneled packets.
Figure 91 Network diagram

PE 1 PE 2
ISP network
BPDU tunnel
GE1/0/1 GE1/0/1
VLAN 2 VLAN 2

CE 1 CE 2

User A network 1 User A network 2

Configuration procedures
1. Configure PE 1:
# Set the destination multicast address to 0100-0ccd-cdd0 for tunneled packets.
<PE1> system-view
[PE1] l2protocol tunnel-dmac 0100-0ccd-cdd0
# Create VLAN 2.
[PE1] vlan 2
[PE1-vlan2] quit
# Configure GigabitEthernet 1/0/1 as an access port and assign the port to VLAN 2.
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port access vlan 2
# Disable STP and enable L2PT for STP on GigabitEthernet 1/0/1.
[PE1-GigabitEthernet1/0/1] undo stp enable
[PE1-GigabitEthernet1/0/1] l2protocol stp tunnel dot1q
[PE1-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 connected to the service provider network as a trunk port,
and assign the port to all VLANs.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-type trunk

278
 [PE1-GigabitEthernet1/0/2] port trunk permit vlan all
[PE1-GigabitEthernet1/0/2] quit
2. Configure PE 2 in the same way PE 1 is configured. (Details not shown.)
Verifying the configuration
# Verify that the root bridge of Customer A's network is CE 1.
<CE2> display stp root
MST ID Root Bridge ID ExtPathCost IntPathCost Root Port
0 32768.00e0-fc02-5800 0 0

# Verify that the root bridge of the service provider network is not CE 1.
[PE1] display stp root
MST ID Root Bridge ID ExtPathCost IntPathCost Root Port
0 32768.0cda-41c5-ba50 0 0

Configuring L2PT for LACP

Network requirements
As shown in Figure 92, the MAC addresses of CE 1 and CE 2 are 0001-0000-0000 and
0004-0000-0000, respectively.
Perform the following tasks:
• Configure Ethernet link aggregation on CE 1 and CE 2.
• Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 on CE 1 to form aggregate links with
GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 on CE 2, respectively.
• Enable L2PT for LACP to enable CE 1 and CE 2 to implement Ethernet link aggregation across
the service provider network.
Figure 92 Network diagram

PE 1 PE 2
ISP network
GE1/0/1 Tunnel
VLAN 2 GE1/0/1
VLAN 2
GE1/0/2 GE1/0/2
GE1/0/1 VLAN 3 VLAN 3 GE1/0/1

CE 1 GE1/0/2 GE1/0/2 CE 2

User A network 1 User A network 2

Requirements analysis
To meet the network requirements, perform the following tasks:
• For Ethernet link aggregation to operate correctly, configure VLANs on the PEs to ensure
point-to-point transmission between CE 1 and CE 2 in an aggregation group.
 Set the PVIDs to VLAN 2 and VLAN 3 for GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2
on PE 1, respectively.
 Configure PE 2 in the same way PE 1 is configured.
 Configure ports that connect to the CEs as trunk ports.
• To retain the VLAN tag of the customer network, enable QinQ on GigabitEthernet 1/0/1 and
GigabitEthernet 1/0/2 on both PE 1 and PE 2.

279
 • For packets from any VLAN to be transmitted, configure all ports in the service provider network
as trunk ports.
Configuration procedures
1. Configure CE 1:
# Configure Layer 2 aggregation group Bridge-Aggregation 1 to operate in dynamic
aggregation mode.
<CE1> system-view
[CE1] interface bridge-aggregation 1
[CE1-Bridge-Aggregation1] port link-type access
[CE1-Bridge-Aggregation1] link-aggregation mode dynamic
[CE1-Bridge-Aggregation1] quit
# Assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to Bridge-Aggregation 1.
[CE1] interface gigabitethernet 1/0/1
[CE1-GigabitEthernet1/0/1] port link-aggregation group 1
[CE1-GigabitEthernet1/0/1] quit
[CE1] interface gigabitethernet 1/0/2
[CE1-GigabitEthernet1/0/2] port link-aggregation group 1
[CE1-GigabitEthernet1/0/2] quit
2. Configure CE 2 in the same way CE 1 is configured. (Details not shown.)
3. Configure PE 1:
# Create VLANs 2 and 3.
<PE1> system-view
[PE1] vlan 2
[PE1-vlan2] quit
[PE1] vlan 3
[PE1-vlan3] quit
# Configure GigabitEthernet 1/0/1 as a trunk port, assign the port to VLAN 2, and set the PVID
to VLAN 2.
[PE1] interface gigabitethernet 1/0/1
[PE1-GigabitEthernet1/0/1] port link-mode bridge
[PE1-GigabitEthernet1/0/1] port link-type trunk
[PE1-GigabitEthernet1/0/1] port trunk permit vlan 2
[PE1-GigabitEthernet1/0/1] port trunk pvid vlan 2
# Enable QinQ on GigabitEthernet 1/0/1.
[PE1-GigabitEthernet1/0/1] qinq enable
# Enable L2PT for LACP on GigabitEthernet 1/0/1.
[PE1-GigabitEthernet1/0/1] l2protocol lacp tunnel dot1q
[PE1-GigabitEthernet1/0/1] quit
# Configure GigabitEthernet 1/0/2 as a trunk port, assign the port to VLAN 3, and set the PVID
to VLAN 3.
[PE1] interface gigabitethernet 1/0/2
[PE1-GigabitEthernet1/0/2] port link-mode bridge
[PE1-GigabitEthernet1/0/2] port link-type trunk
[PE1-GigabitEthernet1/0/2] port trunk permit vlan 3
[PE1-GigabitEthernet1/0/2] port trunk pvid vlan 3
# Enable QinQ on GigabitEthernet 1/0/2.
[PE1-GigabitEthernet1/0/2] qinq enable

280
 # Enable L2PT for LACP on GigabitEthernet 1/0/2.
[PE1-GigabitEthernet1/0/2] l2protocol lacp tunnel dot1q
[PE1-GigabitEthernet1/0/2] quit
4. Configure PE 2 in the same way PE 1 is configured. (Details not shown.)
Verifying the configuration
# Verify that CE 1 and CE 2 have completed Ethernet link aggregation successfully.
[CE1] display link-aggregation member-port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

GigabitEthernet1/0/1:
Aggregate Interface: Bridge-Aggregation1
Local:
Port Number: 3
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Remote:
System ID: 0x8000, 0004-0000-0000
Port Number: 3
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Received LACP Packets: 23 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 26 packet(s)

GigabitEthernet1/0/2:
Aggregate Interface: Bridge-Aggregation1
Local:
Port Number: 4
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Remote:
System ID: 0x8000, 0004-0000-0000
Port Number: 4
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Received LACP Packets: 10 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 13 packet(s)
[CE2] display link-aggregation member-port
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

281
GigabitEthernet1/0/1:
Aggregate Interface: Bridge-Aggregation1
Local:
Port Number: 3
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Remote:
System ID: 0x8000, 0001-0000-0000
Port Number: 3
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Received LACP Packets: 23 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 26 packet(s)

GigabitEthernet1/0/2:
Aggregate Interface: Bridge-Aggregation1
Local:
Port Number: 4
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Remote:
System ID: 0x8000, 0001-0000-0000
Port Number: 4
Port Priority: 32768
Oper-Key: 1
Flag: {ACDEF}
Received LACP Packets: 10 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 13 packet(s)

282
Configuring service loopback groups
A service loopback group contains one or multiple Ethernet ports for looping packets sent out by the
device back to the device. This feature must work with other features, such as GRE.
A service loopback group provides one of the following services:
• Tunnel—Supports unicast tunnel traffic.
• Multicast tunnel—Supports multicast tunnel traffic.
• Multiport—Supports multiport ARP traffic.
• VSI gateway—Supports VSI gateway traffic.
You can configure only one service loopback group for a service type. However, you can use one
service loopback group with multiple features.
Member ports in a service loopback group are load balanced.

Configuration procedure
Follow these guidelines when you configure a service loopback group:
• Make sure the ports you are assigning to a service loopback group meet the following
requirements:
 The ports are not used for any other purposes. The configuration on a port is removed when
it is assigned to a service loopback group.
 The ports support the service type of the service loopback group and are not members of
any other service loopback group.
• You cannot change the service type of a service loopback group.
• Do not delete a service loopback group that is being used by a feature.
• To avoid IRF split, do not assign a port to a service loopback group if that port is the only IRF
physical interface of an IRF port.
• For correct traffic processing, make sure a service loopback group has a minimum of one
member port when it is being used by a feature.
To configure a service loopback group:

Step Command Remarks

1. Enter system view. system-view N/A

2. Create a service loopback service-loopback group group-id

By default, no service
group and specify its service type { { multicast-tunnel | tunnel } *
type. loopback groups exist.
| multiport | vsi-gateway }

3. Enter Layer 2 Ethernet interface interface-type

interface view. N/A
interface-number
By default, a port does not
belong to any service loopback
4. Assign the port to the service port service-loopback group group.
loopback group. group-id You can assign a maximum of
32 ports to a service loopback
group.

283
Displaying and maintaining service loopback
groups
Execute display commands in any view.

Task Command

Display information about service loopback groups. display service-loopback group [ group-id ]

Service loopback group configuration example

Network requirements
All Ethernet ports on Device A support the tunnel service. Assign GigabitEthernet 1/0/1 through
GigabitEthernet 1/0/3 to a service loopback group to loop GRE packets sent out by the device back
to the device.

Configuration procedure
# Create service loopback group 1, and specify its service type as tunnel.
<DeviceA> system-view
[DeviceA] service-loopback group 1 type tunnel

# Assign GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to service loopback group 1.

[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] port service-loopback group 1
All configurations on the interface will be lost. Continue?[Y/N]:y
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] port service-loopback group 1
All configurations on the interface will be lost. Continue?[Y/N]:y
[DeviceA-GigabitEthernet1/0/2] quit
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] port service-loopback group 1
All configurations on the interface will be lost. Continue?[Y/N]:y
[DeviceA-GigabitEthernet1/0/3] quit

# Create the interface Tunnel 1 and set it to GRE mode. The interface will automatically use service
loopback group 1.
[DeviceA] interface tunnel 1 mode gre
[DeviceA-Tunnel1]

284
Document conventions and icons
Conventions
This section describes the conventions used in the documentation.
Command conventions

Convention Description
Boldface Bold text represents commands and keywords that you enter literally as shown.

Italic Italic text represents arguments that you replace with actual values.
[] Square brackets enclose syntax choices (keywords or arguments) that are optional.
Braces enclose a set of required syntax choices separated by vertical bars, from which
{ x | y | ... }
you select one.
Square brackets enclose a set of optional syntax choices separated by vertical bars,
[ x | y | ... ]
from which you select one or none.
Asterisk marked braces enclose a set of required syntax choices separated by vertical
{ x | y | ... } *
bars, from which you select at least one.
Asterisk marked square brackets enclose optional syntax choices separated by vertical
[ x | y | ... ] *
bars, from which you select one choice, multiple choices, or none.
The argument or keyword and argument combination before the ampersand (&) sign
&<1-n>
can be entered 1 to n times.
# A line that starts with a pound (#) sign is comments.

GUI conventions

Convention Description
Window names, button names, field names, and menu items are in Boldface. For
Boldface
example, the New User window opens; click OK.
Multi-level menus are separated by angle brackets. For example, File > Create >
>
Folder.

Symbols

Convention Description
An alert that calls attention to important information that if not understood or followed
WARNING! can result in personal injury.
An alert that calls attention to important information that if not understood or followed
CAUTION: can result in data loss, data corruption, or damage to hardware or software.

IMPORTANT: An alert that calls attention to essential information.

NOTE: An alert that contains additional or supplementary information.

TIP: An alert that provides helpful information.

285
Network topology icons
Convention Description

Represents a generic network device, such as a router, switch, or firewall.

Represents a routing-capable device, such as a router or Layer 3 switch.

Represents a generic switch, such as a Layer 2 or Layer 3 switch, or a router that

supports Layer 2 forwarding and other Layer 2 features.

Represents an access controller, a unified wired-WLAN module, or the access

controller engine on a unified wired-WLAN switch.

Represents an access point.

T Represents a wireless terminator unit.

T Represents a wireless terminator.

Represents a mesh access point.

Represents omnidirectional signals.

Represents directional signals.

Represents a security product, such as a firewall, UTM, multiservice security

gateway, or load balancing device.

Represents a security module, such as a firewall, load balancing, NetStream, SSL

VPN, IPS, or ACG module.

Examples provided in this document

Examples in this document might use devices that differ from your device in hardware model,
configuration, or software version. It is normal that the port numbers, sample output, screenshots,
and other information in the examples differ from what you have on your device.

286
Support and other resources
Accessing Hewlett Packard Enterprise Support
• For live assistance, go to the Contact Hewlett Packard Enterprise Worldwide website:
www.hpe.com/assistance
• To access documentation and support services, go to the Hewlett Packard Enterprise Support
Center website:
www.hpe.com/support/hpesc
Information to collect
• Technical support registration number (if applicable)
• Product name, model or version, and serial number
• Operating system name and version
• Firmware version
• Error messages
• Product-specific reports and logs
• Add-on products or components
• Third-party products or components

Accessing updates
• Some software products provide a mechanism for accessing software updates through the
product interface. Review your product documentation to identify the recommended software
update method.
• To download product updates, go to either of the following:
 Hewlett Packard Enterprise Support Center Get connected with updates page:
www.hpe.com/support/e-updates
 Software Depot website:
www.hpe.com/support/softwaredepot
• To view and update your entitlements, and to link your contracts, Care Packs, and warranties
with your profile, go to the Hewlett Packard Enterprise Support Center More Information on
Access to Support Materials page:
www.hpe.com/support/AccessToSupportMaterials

IMPORTANT:
Access to some updates might require product entitlement when accessed through the Hewlett
Packard Enterprise Support Center. You must have an HP Passport set up with relevant
entitlements.

287
Websites
Website Link
Networking websites
Hewlett Packard Enterprise Information Library for
www.hpe.com/networking/resourcefinder
Networking
Hewlett Packard Enterprise Networking website www.hpe.com/info/networking
Hewlett Packard Enterprise My Networking website www.hpe.com/networking/support
Hewlett Packard Enterprise My Networking Portal www.hpe.com/networking/mynetworking
Hewlett Packard Enterprise Networking Warranty www.hpe.com/networking/warranty
General websites
Hewlett Packard Enterprise Information Library www.hpe.com/info/enterprise/docs
Hewlett Packard Enterprise Support Center www.hpe.com/support/hpesc
Hewlett Packard Enterprise Support Services Central ssc.hpe.com/portal/site/ssc/
Contact Hewlett Packard Enterprise Worldwide www.hpe.com/assistance
Subscription Service/Support Alerts www.hpe.com/support/e-updates
Software Depot www.hpe.com/support/softwaredepot
Customer Self Repair (not applicable to all devices) www.hpe.com/support/selfrepair
Insight Remote Support (not applicable to all devices) www.hpe.com/info/insightremotesupport/docs

Customer self repair

Hewlett Packard Enterprise customer self repair (CSR) programs allow you to repair your product. If
a CSR part needs to be replaced, it will be shipped directly to you so that you can install it at your
convenience. Some parts do not qualify for CSR. Your Hewlett Packard Enterprise authorized
service provider will determine whether a repair can be accomplished by CSR.
For more information about CSR, contact your local service provider or go to the CSR website:
www.hpe.com/support/selfrepair

Remote support
Remote support is available with supported devices as part of your warranty, Care Pack Service, or
contractual support agreement. It provides intelligent event diagnosis, and automatic, secure
submission of hardware event notifications to Hewlett Packard Enterprise, which will initiate a fast
and accurate resolution based on your product’s service level. Hewlett Packard Enterprise strongly
recommends that you register your device for remote support.
For more information and device support details, go to the following website:
www.hpe.com/info/insightremotesupport/docs

Documentation feedback
Hewlett Packard Enterprise is committed to providing documentation that meets your needs. To help
us improve the documentation, send any errors, suggestions, or comments to Documentation
Feedback ([email protected]). When submitting your feedback, include the document title,

288
part number, edition, and publication date located on the front cover of the document. For online help
content, include the product name, product version, help edition, and publication date located on the
legal notices page.

289
Index
Numerics address
MAC address learning disable, 27
0\
MAC address table learning limit, 29
2 VLAN mappingapplication scenario, 227
MAC Information queue length, 37
2 VLAN mappingimplementation, 229
advertising
1\
LLDP advertisable TLV, 258
1 VLAN mappingapplication scenario, 227,
voice VLAN advertisement (CDP), 196
227
voice VLAN advertisement (LLDP), 195
1 VLAN mappingconfiguration, 233, 239
voice VLAN information advertisement to IP
1 VLAN mappingimplementation, 229, 230
phones, 188
2 VLAN mappingapplication scenario, 227,
aggregating
228
link. See link aggregation
2 VLAN mappingconfiguration, 238, 245
aging
2 VLAN mappingimplementation, 229, 231
MAC address table timer, 29
10-GE interface;010-GE interface
spanning tree max age timer, 105
combine, 2
algorithm
2\
Ethernet link aggregation load sharing algorithm
2 VLAN mappingapplication scenario, 227,
settings, 58
228
STP calculation, 80
2 VLAN mappingconfiguration, 239, 245
alternate port (MST), 93
2 VLAN mappingimplementation, 229, 231
application scenario
3 VLAN mappingapplication scenario, 227
Ethernet link aggregation, 40
3 VLAN mappingimplementation, 229
ARP
40-GE interface;040-GE interface
LLDP ARP entry generation, 266
split, 2
MAC address table ARP fast update, 33
802
ARP detection
802.1 LLDPDU TLV types, 250
M\1 VLAN mapping (dynamic IP address
802.1Q-in-802.1Q. Use QinQ
assignment), 234
802.3 LLDPDU TLV types, 250
ARP snooping
QinQ SVLAN tag 802.1p priority, 221
M\1 VLAN mapping (static IP address
VLAN group configuration, 156 assignment), 236
A assigning
accessing MAC address table learning priority, 30
port-based VLAN assignment (access port), MAC-based VLAN assignment (dynamic), 150
147 MAC-based VLAN assignment (server-assigned),
action 151
loop detection block, 137 MAC-based VLAN assignment (static), 149
loop detection no-learning protection, 137 port isolation group (multiple ports), 74
loop detection protection action (Layer 2 port-based VLAN access port, 147
aggregate interface), 139 port-based VLAN access port (interface view),
loop detection protection action setting, 139 147
loop detection shutdown protection, 137 port-based VLAN access port (VLAN view), 147
adding port-based VLAN hybrid port, 148
MAC address table blackhole entry, 26 port-based VLAN trunk port, 148
MAC address table entry (global), 25 voice VLAN assignment mode (automatic), 189
MAC address table entry (on interface), 26 voice VLAN assignment mode (manual), 190
MAC address table multiport unicast entry, 26 attribute

290
 Ethernet link aggregation attribute MST common root bridge, 93
configuration, 41 MST regional root, 92
auto spanning tree loop guard, 123
interface auto power-down (Ethernet), 9 spanning tree root bridge, 102
interface automatic negotiation (Ethernet), 10 spanning tree root bridge (device), 103
loop detection port status auto recovery, 137 spanning tree root guard, 123
voice VLAN assignment (automatic), 189 spanning tree secondary root bridge (device), 103
voice VLAN assignment mode configuration STP designated bridge, 79
(automatic), 197 STP root bridge, 79
voice VLAN LLDP automatic IP phone bulk
discovery enable, 195
interface configuration, 21, 21
voice VLAN port operation configuration
interface configuration display, 22
(automatic assignment), 193
interface configuration restrictions, 21
AutoMDIX mode (Ethernet interface), 15
C
B
cable
backing up
interface cable connection (Layer 2 Ethernet), 16
MST backup port, 93
calculating
bandwidth
MSTI calculation, 94
Ethernet link aggregate interface (expected
bandwidth), 54 MSTP CIST calculation, 94
basic management LLDPDU TLV types, 250 spanning tree port path cost calculation standard,
108
BFD
spanning tree timeout factor, 106
Ethernet link aggregation group BFD, 54
STP algorithm, 80
blackhole
CDP
MAC address table, 23
LLDP CDP compatibility, 263
MAC address table entry, 26
LLDP CDP-compatible configuration, 271
block action (loop detection), 137
voice VLAN advertisement, 196
boundary port (MST), 93
voice VLAN information advertisement to IP
BPDU
phones, 188
configuration BPDUs, 77
CE
MST region max hops, 104
L2PT configuration, 274, 276, 278
MSTP BPDU protocol frames, 90
L2PT for LACP configuration, 279
PVST BPDU guard, 126
L2PT for STP configuration, 278
RSTP BPDU processing, 87
changing
spanning tree BPDU drop, 125
combo interface active port (Ethernet combo), 2
spanning tree BPDU guard, 122
checking
spanning tree hello time, 105
LLDP PVID inconsistency check disable, 263
spanning tree max age timer, 105
spanning tree No Agreement Check, 118, 120
spanning tree TC-BPDU guard, 125
choosing
spanning tree TC-BPDU transmission
Ethernet link aggregation reference port, 42, 45
restriction, 124
Cisco
STP BPDU forwarding, 85
Discovery Protocol. Use CDP
TCN BPDUs, 78
LLDP CDP compatibility, 263
transmission rate configuration, 107
LLDP configuration (CDP-compatible), 271
bridging
CIST
interface bridging enable (Layer 2 Ethernet),
16 calculation, 94
LLDP agent customer bridge, 248 network device connection, 92
LLDP agent nearest bridge, 248 spanning tree max age timer, 105
LLDP agent non-TPMR bridge, 248 collaborating
LLDP bridge mode configuration, 256 LLDP+Track collaboration, 254

291
combining interface physical state change suppression
interfaces (Ethernet 10-GE > 40-GE), 2 (Ethernet), 6
common root bridge, 93 interface storm control (Layer 2 Ethernet), 12
configuring interface storm suppression (Ethernet), 12
1\1 VLAN mapping, 233, 239 interfaces in bulk, 21, 21
1\2 VLAN mapping, 238, 245 IP subnet-based VLAN, 154, 160
2\2 VLAN mapping, 239, 245 L2PT, 274, 276, 278
Ethernet aggregate interface, 51 L2PT for LACP, 279
Ethernet aggregate interface (description), 52 L2PT for STP, 278
Ethernet aggregate interface (Layer 3 edge), LLDP, 248, 255, 267
72 LLDP (CDP-compatible), 271
Ethernet link aggregate interface (Layer 2 LLDP advertisable TLVs, 258
edge), 66 LLDP basics, 255, 267
Ethernet link aggregation, 40, 47, 60 LLDP CDP compatibility, 263
Ethernet link aggregation (Layer 2 dynamic), LLDP management address, 260
62 LLDP management address encoding format,
Ethernet link aggregation (Layer 2 static), 60 260
Ethernet link aggregation (Layer 3 dynamic), LLDP trapping, 265
69 LLDP-MED trapping, 265
Ethernet link aggregation (Layer 3 static), 68 logging events of detecting or receiving TC
Ethernet link aggregation edge aggregate BPDUs (in PVST mode), 126
interface, 54 loop detection, 136, 138, 140
Ethernet link aggregation group, 48 M\1 VLAN mapping, 233, 239
Ethernet link aggregation group (Layer 2 M\1 VLAN mapping (dynamic IP address
dynamic), 49 assignment), 233
Ethernet link aggregation group (Layer 2 M\1 VLAN mapping (static IP address
static), 49 assignment), 236
Ethernet link aggregation group (Layer 3 M\1 VLAN mapping customer-side port (dynamic
dynamic), 51 IP address assignment), 234
Ethernet link aggregation group (Layer 3 M\1 VLAN mapping customer-side port (static IP
static), 50 address assignment), 236
Ethernet link aggregation group BFD, 54 M\1 VLAN mapping network-side port (dynamic
Ethernet link aggregation group load sharing, IP address assignment), 235
56 M\1 VLAN mapping network-side port (static IP
Ethernet link aggregation load sharing (Layer address assignment), 237
2), 64 MAC address move suppression, 32
Ethernet link aggregation load sharing (Layer MAC address table, 23, 24, 34
3), 70
MAC address table entry, 25
interface (Ethernet single combo), 2
MAC address table frame forwarding rule, 29
interface (Ethernet), 1
MAC address table multiport unicast entry
interface (inloopback), 20 (global), 27
interface (Layer 2 Ethernet), 12 MAC address table multiport unicast entry (on
interface (Layer 3 Ethernet), 17 interface), 27
interface (loopback), 19 MAC Information, 36, 37
interface (null), 19 MAC Information mode, 36
interface basic settings (Ethernet), 3 MAC-based VLAN, 149, 158
interface card operating mode (Ethernet), 11 MAC-based VLAN (server-assigned), 153
interface common settings (Ethernet), 1 MAC-based VLAN assignment (dynamic), 152
interface dampening (Ethernet), 6 MAC-based VLAN assignment (static), 152
interface generic flow control (Ethernet), 9 management interface, 1
interface jumbo frame support (Ethernet), 5 MST region, 102
interface link mode (Ethernet), 5 MST region max hops, 104

292
MSTP, 100, 128 VLAN, 143, 157
MVRP, 204, 207 VLAN basic settings, 144
port isolation, 74 VLAN group, 156
port isolation (multiple isolation groups), 75 VLAN interface, 145
port-based VLAN, 146, 157 VLAN interface basics, 145
private VLAN, 171, 172, 174 VLAN mapping, 227, 232, 239
private VLAN promiscuous port, 174 voice VLAN, 187, 192, 197
private VLAN trunk promiscuous port, 177 voice VLAN advertisement (CDP), 196
private VLAN trunk promiscuous+secondary voice VLAN advertisement (LLDP), 195
port, 180 voice VLAN assignment mode (automatic), 197
protocol-based VLAN, 155, 162 voice VLAN assignment mode (manual), 199
PVST, 99, 132 voice VLAN port operation (automatic
QinQ, 217, 223 assignment), 193
QinQ basics, 223 voice VLAN port operation (manual assignment),
QinQ CVLAN tag TPID value, 221 194
QinQ SVLAN tag TPID value, 221 voice VLAN traffic QoS priority settings, 192
QinQ VLAN tag TPID value, 220 connecting
QinQ VLAN transparent transmission, 219, interface cable connection (Layer 2 Ethernet), 16
225 voice VLAN host+IP phone connection (in series),
RSTP, 99 188
secondary VLAN Layer 3 communication, 184 voice VLAN IP phone+device, 189
service loopback group, 283, 284 CoS
spanning tree, 77, 98, 128 voice VLAN traffic QoS priority settings, 192
spanning tree BPDU guard, 122 cost
spanning tree BPDU transmission rate, 107 spanning tree port path cost calculation standard,
spanning tree device priority, 104 108
spanning tree Digest Snooping, 116, 117 spanning tree port path cost configuration, 108,
110
spanning tree edge port, 107
STP path cost, 80
spanning tree No Agreement Check, 118, 120
creating
spanning tree port link type, 112
super VLAN sub-VLAN, 166
spanning tree port mode, 113
CST
spanning tree port path cost, 108, 110
MST region connection, 92
spanning tree port priority, 111
customer
spanning tree port role restriction, 124
LLDP customer bridge mode, 256
spanning tree protection, 122
CVLAN
spanning tree root bridge, 102
QinQ basic configuration, 223
spanning tree root bridge (device), 103
QinQ configuration, 217, 223
spanning tree secondary root bridge, 102
QinQ VLAN transparent transmission
spanning tree secondary root bridge (device),
configuration, 225
103
VLAN mapping application scenario, 227
spanning tree switched network diameter, 105
VLAN mapping configuration, 227, 232, 239
spanning tree TC Snooping, 120
VLAN mapping implementation, 229
spanning tree TC-BPDU transmission
restriction, 124 D
spanning tree timeout factor, 106 dampening
spanning tree timer, 105 interface dampening (Ethernet), 6
STP, 98 default
subinterface (Layer 3 Ethernet), 17 Ethernet link aggregate interface default settings,
subinterface basic settings (Ethernet), 3 56
super VLAN, 166, 166, 168 designated
super VLAN interface, 167 MST port, 93

293
 STP bridge, 79 spanning tree inconsistent PVID protection, 115
STP port, 79 discarding
detecting MST discarding port state, 94
Ethernet link aggregation group BFD, 54 displaying
device bulk interface configuration, 22
disabling the device to reactivate the Ethernet link aggregation, 59
shutdown edge ports, 126 interface, 20
interface configuration (Ethernet), 1 interface (Ethernet), 17
LLDP basic configuration, 255, 267 L2PT, 277
LLDP CDP compatibility, 263 LLDP, 267
LLDP configuration, 248, 255, 267 loop detection, 140
LLDP configuration (CDP-compatible), 271 MAC address table, 34
LLDP parameters, 262 MVRP, 207
logging events of detecting or receiving TC port isolation, 74
BPDUs (in PVST mode), 126 private VLAN, 174
loop protection actions, 137 QinQ, 223
MSTP implementation, 95 service loopback group, 284
MVRP configuration, 201, 204, 207 spanning tree, 127
PVST BPDU guard, 126 subinterface (Ethernet), 17
spanning tree BPDU drop, 125 super VLAN, 167
spanning tree BPDU guard, 122 VLAN, 156
spanning tree Digest Snooping, 116, 117 VLAN mapping, 239
spanning tree inconsistent PVID protection voice VLAN, 196
disable, 115
Dot1
spanning tree loop guard, 123
spanning tree dot1d-1998 (port path cost
spanning tree No Agreement Check, 118, 120 calculation), 108
spanning tree port role restriction, 124 spanning tree dot1t (port path cost calculation),
spanning tree priority, 104 108
spanning tree protection, 122 dot1s (STP port mode), 113
spanning tree root guard, 123 DSCP
spanning tree SNMP notification (new-root voice VLAN traffic QoS priority settings, 192
election, topology change events), 127 dynamic
spanning tree TC Snooping, 120 Ethernet link aggregation (Layer 2), 62
spanning tree TC-BPDU guard, 125 Ethernet link aggregation (Layer 3), 69
spanning tree TC-BPDU transmission Ethernet link aggregation edge aggregate
restriction, 124 interface, 47
voice VLAN IP phone+device connection, 189 Ethernet link aggregation group, 49, 50
DHCP snooping Ethernet link aggregation group BFD, 54
M\1 VLAN mapping, 234 Ethernet link aggregation mode, 42
diameter Layer 2 Ethernet link aggregation group, 49
spanning tree switched network diameter, 105 Layer 3 Ethernet link aggregation group, 51
Digest Snooping (spanning tree), 116, 117 MAC address table dynamic aging timer, 29
directing MAC address table entry, 23
Ethernet link aggregation traffic redirection, 58 MAC address table entry configuration (global),
disabling 25
LLDP PVID inconsistency check, 263 MAC address table entry configuration (on
MAC address learning, 27 interface), 26
MAC address learning (global), 28 MAC-based VLAN assignment, 150, 152
MAC address learning (on interface), 28 E
MAC address learning (on VLAN), 28
edge

294
 Ethernet aggregate interface (Layer 3 edge), voice VLAN LLDP automatic IP phone discovery,
72 195
Ethernet link aggregate interface (Layer 2 encapsulating
edge), 66 L2PT configuration, 274, 276, 278
STP edge port rapid transition, 95 L2PT for LACP configuration, 279
edge port L2PT for STP configuration, 278
MST, 93 LLDP frame encapsulation (Ethernet II), 249
spanning tree, 107 LLDP frame encapsulation (SNAP), 249
EEE energy saving, 10 LLDP frame encapsulation format, 262
enabling VLAN frame encapsulation, 143
Ethernet link aggregation traffic redirection, 58 Energy Efficient Ethernet. See EEE
interface auto power-down (Ethernet), 9 energy-saving features, 9
interface automatic negotiation (Ethernet), 10 Ethernet
interface bridging (Layer 2 Ethernet), 16 ARP entry generation, 266
interface EEE (Ethernet), 10 interface. See Ethernet interface
interface energy-saving features (Ethernet), 9 link aggregation. See Ethernet link aggregation
interface loopback testing (Ethernet), 8 LLDP frame encapsulation, 249
L2PT, 276 LLDP trapping, 265
L2PT (for protocol), 276 LLDP-MED trapping, 265
LLDP, 255 loop detection configuration, 136, 140
LLDP ARP entry generation, 266 loop detection protection action (Layer 2 Ethernet
LLDP ND entry generation, 266 interface), 139
LLDP polling, 257 MAC address table configuration, 23, 24, 34
loop detection (global), 138 MAC Information configuration, 36, 37
loop detection (port-specific), 138 ND entry generation, 266
M\1 VLAN mapping ARP detection (dynamic port isolation configuration, 74
IP address assignment), 234 port isolation configuration (multiple isolation
M\1 VLAN mapping ARP snooping (static IP groups), 75
address assignment), 236 port-based VLAN assignment (access port), 147
M\1 VLAN mapping DHCP snooping (dynamic port-based VLAN assignment (hybrid port), 148
IP address assignment), 234 port-based VLAN assignment (trunk port), 148
MAC address synchronization, 30 port-based VLAN configuration, 146
MAC address table ARP fast update, 33 private VLAN configuration, 171, 172, 174
MAC address table move notification, 32 private VLAN promiscuous port configuration, 174
MAC address table SNMP notification, 34 private VLAN trunk promiscuous port
MAC Information, 36 configuration, 177
MVRP, 205 private VLAN trunk promiscuous+secondary port
MVRP GVRP compatibility, 207 configuration, 180
PVST BPDU guard, 126 QinQ CVLAN frame header tag, 217
QinQ, 219 QinQ SVLAN frame header tag, 217
spanning tree BPDU drop, 125 secondary VLAN Layer 3 communication
spanning tree BPDU guard (global), 122 configuration, 184
spanning tree BPDU guard (on interface), 122 service loopback group configuration, 283, 284
spanning tree feature, 114 subinterface. See Ethernet interface, Ethernet
spanning tree loop guard, 123 subinterface, subinterface
spanning tree port state transition information super VLAN configuration, 166, 166, 168
output, 113 super VLAN sub-VLAN creation, 166
spanning tree root guard, 123 VLAN basic configuration, 144
spanning tree SNMP notification (new-root VLAN configuration, 143, 157
election, topology change events), 127 VLAN frame encapsulation, 143
spanning tree TC-BPDU guard, 125 VLAN interface, 145

295
 VLAN interface basics, 145 aggregation group restrictions, 48
VLAN port-based configuration, 157 application scenario, 40
voice VLAN configuration, 187, 192, 197 BFD configuration, 54
Ethernet interface BFD configuration restrictions, 55
10-GE > 40-GE combine;010-GE > 40-GE configuration, 40, 47, 60
combine, 2 configuration types, 41
40-GE split;040-GE split, 2 display, 59
auto power-down enable, 9 edge aggregate interface, 47, 54
automatic negotiation enable, 10 group (Layer 3 dynamic), 51
basic settings configuration, 3 group (Layer 3 static), 50
bridging enable (Layer 2), 16 group configuration, 48
cable connection (Layer 2), 16 group configuration (Layer 2), 49
combo interface active port, 2 group configuration (Layer 3), 50
common settings configuration, 1 group load sharing configuration, 56
configuration, 1 group load sharing mode, 56
configuration (Layer 2), 12 how dynamic link aggregation works, 45
configuration (Layer 3), 17 interface configuration (expected bandwidth), 54
dampening, 6 LACP, 43
dampening restrictions, 7 Layer 2 aggregate interface (ignored VLAN), 52,
display, 17 52
EEE enable, 10 Layer 2 aggregate interface (Layer 2 edge), 66
energy-saving features, 9 Layer 2 aggregation configuration (dynamic), 62
fiber port (Layer 2), 14 Layer 2 aggregation configuration (static), 60
fiber port restrictions (Layer 2), 14 Layer 2 aggregation load sharing (Layer 2), 64
generic flow control, 9 Layer 2 group (dynamic), 49
interface card operating mode, 11 Layer 2 group (static), 49
jumbo frame support configuration, 5 Layer 3 aggregate interface (Layer 3 edge), 72
link mode, 5 Layer 3 aggregate interface configuration (MTU),
loopback test restrictions, 8 52
loopback testing, 8 Layer 3 aggregation configuration (dynamic), 69
maintain, 17 Layer 3 aggregation configuration (static), 68
management interface configuration, 1 Layer 3 aggregation configuration load sharing,
MDIX mode (Layer 2), 15 70
MTU setting (Layer 3), 17 load sharing algorithm settings, 58
naming conventions, 1 load sharing mode, 47
physical state change suppression, 6 local-first load sharing, 57
single combo interface configuration, 2 maintain, 59
statistics polling interval, 10 member port, 40
storm control (Layer 2), 12 member port state, 40, 42, 45
storm control configuration restrictions (Layer modes, 42
2), 13 operational key, 41
storm suppression, 12 reference port, 45
storm suppression restrictions, 12 reference port choice, 42
Ethernet link aggregation static mode, 42
aggregate group Selected ports min/max, 53 traffic redirection, 58
aggregate interface, 40 traffic redirection restrictions, 59
aggregate interface (description), 52 Ethernet subinterface, 1, See also Ethernet interface,
aggregate interface configuration, 51 Layer 2 Ethernet subinterface, Layer 3 Ethernet
subinterface
aggregate interface default settings, 56
basic settings, 3
aggregate interface shutdown, 56
display, 17
aggregation group, 40

296
 maintain, 17 STP BPDU protocol frames, 77
MTU setting (Layer 3), 17 STP TCN BPDU protocol frames, 77
external VLAN frame encapsulation, 143
interface external loopback testing (Ethernet), G
8
GARP
F
VLAN Registration Protocol. Use GVRP
fast generic flow control (Ethernet interface), 9
MAC address table ARP fast update, 33 Generic VLAN Registration Protocol. Use GVRP
fiber port global
interface fiber port (Layer 2 Ethernet), 14 Ethernet link aggregation load sharing mode set,
flow control 56
interface generic flow control (Ethernet), 9 loop detection enable, 138
forcing loop detection protection action, 139
interface fiber port (Layer 2 Ethernet), 14 MAC address learning disable, 28
format MAC address table multiport unicast entry
LLDP frame encapsulation (Ethernet II), 249 configuration, 27
LLDP frame encapsulation (SNAP), 249 spanning tree BPDU guard enable, 122
LLDP frame encapsulation format, 262 group
LLDP management address encoding format, Ethernet link aggregate group Selected ports
260 min/max, 53
forwarding Ethernet link aggregation, 48
MAC address table frame forwarding rule, 29 Ethernet link aggregation group, 40
MST forwarding port state, 94 Ethernet link aggregation group (Layer 2 static),
spanning tree forward delay timer, 105 49, 49
STP BPDU forwarding, 85 Ethernet link aggregation group (Layer 2), 49
STP forward delay timer, 85 Ethernet link aggregation group (Layer 3
dynamic), 51
frame
Ethernet link aggregation group (Layer 3 static),
interface jumbo frame support (Ethernet), 5
50
LLDP ARP entry generation, 266
Ethernet link aggregation group (Layer 3), 50
LLDP frame encapsulation format, 262
Ethernet link aggregation group load sharing, 56
LLDP ND entry generation, 266
Ethernet link aggregation LACP, 43
LLDP source MAC address, 266
Ethernet link aggregation load sharing mode, 47,
loop detection (Ethernet frame header), 136 56
loop detection (inner frame header), 136 Ethernet link aggregation member port state, 40
loop detection interval, 137 port isolation configuration (multiple isolation
MAC address learning, 23 groups), 75
MAC address table blackhole entry, 26 VLAN group configuration, 156
MAC address table configuration, 23, 24, 34 GVRP
MAC address table entry configuration, 25 MVRP compatibility, 207
MAC address table frame forwarding rule, 29
H
MAC address table multiport unicast entry, 26
MAC Information configuration, 36, 37 hello
MSTP BPDU protocol frames, 90 spanning tree timer, 105
port-based VLAN frame handling, 147 STP timer, 85
PVST BPDU protocol frames, 88, 88 host
QinQ CVLAN Ethernet frame header tag, 217 voice VLAN host+IP phone connection (in series),
188
QinQ implementation, 218
voice VLAN IP phone+device connection, 189
QinQ SVLAN Ethernet frame header tag, 217
hybrid port
RSTP BPDU protocol frames, 86
port-based VLAN assignment (hybrid port), 148
spanning tree port mode configuration, 113

297
I super VLAN configuration, 166, 166, 168
identifying super VLAN interface configuration, 167
voice VLAN IP phone identification (LLDP), voice VLAN configuration, 187, 192, 197
188 IP phone
voice VLAN IP phone identification (OUI voice VLAN assignment mode+IP phone
address), 187 cooperation, 190
ignored VLAN voice VLAN host+IP phone connection (in series),
Layer 2 aggregate interface, 52 188
implementing voice VLAN identification (LLDP), 188
0\2 VLAN mapping, 229 voice VLAN identification (OUI address), 187
1\1 VLAN mapping, 229, 230 voice VLAN information advertisement, 188
1\2 VLAN mapping, 229, 231 voice VLAN IP phone access method, 188
2\2 VLAN mapping, 229, 231 voice VLAN IP phone+device connection, 189
2\3 VLAN mapping, 229 IP subnet-based VLAN
M\1 VLAN mapping, 229, 230 configuration, 154, 160
MSTP device, 95 isolating
QinQ, 218 ports. See port isolation
inconsistency check (LLDP), 263 IST
inloopback interface MST region, 92
configuration, 20 J
display, 20 jumbo frame support (Ethernet interface), 5
maintain, 20
K
interface
bulk configuration, 21, 21 key
configuration (inloopback), 19, 20 Ethernet link aggregation operational key, 41
configuration (loopback), 19, 19 L
configuration (null), 19, 19
L2PT
Ethernet aggregate interface, 51
configuration, 274, 276, 278
Ethernet aggregate interface (description), 52
display, 277
Ethernet link aggregate interface default
enable, 276
settings, 56
enable restrictions, 276
Ethernet link aggregate interface shutdown,
56 how it works, 275
Ethernet link aggregation edge aggregate LACP configuration, 279
interface, 47, 54 maintain, 277
Layer 2 Ethernet aggregate interface (ignored STP configuration, 278
VLAN), 52 tunneled packet destination multicast MAC
Layer 3 aggregate interface configuration address, 277
(MTU), 52 LACP
internal Ethernet link aggregation, 43
interface internal loopback testing (Ethernet), L2PT for LACP configuration, 279
8 LAN
interval Virtual Local Area Network. Use VLAN
Ethernet link aggregation LACP long timeout, LAN switching
44 1\1 VLAN mapping configuration, 233, 239
Ethernet link aggregation LACP short timeout, 1\2 VLAN mapping configuration, 238, 245
44
2\2 VLAN mapping configuration, 239, 245
loop detection, 137, 139
Ethernet aggregate interface, 51
MAC change notification interval, 37
Ethernet aggregate interface (description), 52
IP addressing
Ethernet aggregate interface (ignored VLAN), 52
IP subnet-based VLAN configuration, 154,
160 Ethernet aggregate interface (Layer 3 edge), 72

298
Ethernet link aggregate group Selected ports IP subnet-based VLAN configuration, 154, 160
min/max, 53 L2PT configuration, 274, 278
Ethernet link aggregate interface (expected L2PT display, 277
bandwidth), 54 L2PT enable, 276
Ethernet link aggregate interface (Layer 2 L2PT enable restrictions, 276
edge), 66
L2PT for LACP configuration, 279
Ethernet link aggregate interface default
L2PT for STP configuration, 278
settings, 56
L2PT maintain, 277
Ethernet link aggregate interface shutdown,
56 LLDP basic concepts, 248
Ethernet link aggregation (Layer 2 dynamic), LLDP basic configuration, 255, 267
62 LLDP CDP compatibility, 263
Ethernet link aggregation (Layer 2 static), 60 LLDP configuration, 248, 255, 267
Ethernet link aggregation (Layer 3 dynamic), LLDP configuration (CDP-compatible), 271
69 LLDP display, 267
Ethernet link aggregation (Layer 3 static), 68 LLDP protocols and standards, 254
Ethernet link aggregation (static mode), 42 LLDP PVID inconsistency check disable, 263
Ethernet link aggregation BFD configuration loop detection configuration, 136, 138, 140
restrictions, 55 M\1 VLAN mapping configuration, 233, 239
Ethernet link aggregation configuration, 40, M\1 VLAN mapping restrictions (dynamic IP
47, 60 address assignment), 233
Ethernet link aggregation display, 59 M\1 VLAN mapping restrictions (static IP address
Ethernet link aggregation edge aggregate assignment), 236
interface, 47, 54 MAC address table configuration, 23, 24, 34
Ethernet link aggregation group, 48 MAC address table display, 34
Ethernet link aggregation group (dynamic MAC Information configuration, 36, 37
dynamic), 49 MAC-based VLAN assignment (dynamic), 152
Ethernet link aggregation group (Layer 2 MAC-based VLAN assignment (static), 152
static), 49
MAC-based VLAN assignment configuration
Ethernet link aggregation group (Layer 2), 49 restrictions (dynamic), 152
Ethernet link aggregation group (Layer 3 MAC-based VLAN configuration, 149, 158
dynamic), 51
MAC-based VLAN configuration
Ethernet link aggregation group (Layer 3 (server-assigned), 153
static), 50
MRP implementation, 201
Ethernet link aggregation group load sharing,
MST region, 102
56
MSTP configuration, 128
Ethernet link aggregation group load sharing
mode, 56 MVRP configuration, 201, 204, 207
Ethernet link aggregation group restrictions, MVRP configuration restrictions, 204
48 MVRP display, 207
Ethernet link aggregation LACP, 43 MVRP GVRP compatibility, 207
Ethernet link aggregation load sharing (Layer MVRP maintain, 207
2), 64 MVRP protocols and standards, 204
Ethernet link aggregation load sharing (Layer MVRP registration mode setting, 205
3), 70 MVRP timer set, 206
Ethernet link aggregation load sharing mode, port isolation configuration, 74
47 port isolation configuration (multiple isolation
Ethernet link aggregation local-first load groups), 75
sharing, 57 port isolation display, 74
Ethernet link aggregation maintain, 59 port isolation group assignment (multiple ports),
Ethernet link aggregation traffic redirection, 58 74
Ethernet link aggregation traffic redirection port-based VLAN assignment (access port), 147
restrictions, 59 port-based VLAN assignment (hybrid port), 148

299
port-based VLAN assignment (trunk port), 148 voice VLAN advertisement (CDP), 196
port-based VLAN configuration, 146 voice VLAN advertisement (LLDP), 195
private VLAN configuration, 171, 172, 174 voice VLAN assignment mode configuration
private VLAN configuration restrictions, 172 (automatic), 197
private VLAN display, 174 voice VLAN assignment mode configuration
private VLAN promiscuous port configuration, (manual), 199
174 voice VLAN display, 196
private VLAN trunk promiscuous port voice VLAN LLDP automatic IP phone discovery
configuration, 177 enable, 195
private VLAN trunk promiscuous+secondary voice VLAN port operation configuration
port configuration, 180 (automatic assignment), 193
protocol-based VLAN configuration, 155, 162 voice VLAN port operation configuration (manual
PVST configuration, 132 assignment), 194
QinQ basic configuration, 223 voice VLAN port operation configuration
restrictions (automatic assignment), 193
QinQ configuration, 217, 223
voice VLAN port operation configuration
QinQ configuration restrictions, 219
restrictions (manual assignment), 194
QinQ display, 223
Layer 2
QinQ implementation, 218
Ethernet interface bridging enable, 16
QinQ protocols and standards, 219
Ethernet interface cable connection, 16
QinQ SVLAN tag 802.1p priority, 221
Ethernet interface configuration, 12
QinQ VLAN tag TPID value, 220
Ethernet interface fiber port, 14
QinQ VLAN transparent transmission
Ethernet interface fiber port restrictions, 14
configuration, 225
Ethernet interface MDIX mode, 15
secondary VLAN Layer 3 communication
configuration, 184 Ethernet interface storm control configuration, 12
service loopback group configuration, 283, Ethernet interface storm control configuration
284 restrictions, 13
service loopback group display, 284 Ethernet link aggregate interface (Layer 2 edge),
66
spanning tree configuration, 77, 128
Ethernet link aggregation (Layer 2 dynamic), 62
spanning tree Digest Snooping, 116, 117
Ethernet link aggregation (Layer 2 static), 60
spanning tree display, 127
Ethernet link aggregation load sharing, 64
spanning tree maintain, 127
interface configuration (Ethernet), 1
spanning tree No Agreement Check, 118, 120
L2PT configuration, 276
spanning tree protection configuration, 122
L2PT tunneled packet destination multicast MAC
spanning tree TC Snooping, 120
address, 277
super VLAN configuration, 166, 166, 168
LLDP basic configuration, 267
super VLAN display, 167
LLDP configuration, 267
super VLAN interface configuration, 167
LLDP trapping, 265
super VLAN sub-VLAN creation, 166
LLDP-MED trapping, 265
VLAN basic configuration, 144
loop detection protection action (Layer 2
VLAN configuration, 143, 157 aggregate interface), 139
VLAN configuration restrictions, 152 loop detection protection action (Layer 2 Ethernet
VLAN display, 156 interface), 139
VLAN group configuration, 156 protocol tunneling. Use L2PT
VLAN interface, 145 VLAN basic configuration, 144
VLAN interface basics, 145 VLAN configuration, 143, 157
VLAN maintain, 156 voice VLAN configuration, 187, 192, 197
VLAN mapping configuration, 227, 232, 239 Layer 3
VLAN mapping display, 239 aggregate interface configuration (MTU), 52
VLAN port-based configuration, 157 Ethernet aggregate interface, 51
VLAN protocols and standards, 144 Ethernet aggregate interface (description), 52

300
Ethernet aggregate interface (Layer 3 edge), private VLAN trunk promiscuous+secondary port
72 configuration, 180
Ethernet interface configuration, 17 protocol-based VLAN configuration, 155
Ethernet interface MTU setting, 17 secondary VLAN Layer 3 communication
Ethernet link aggregate group Selected ports configuration, 184
min/max, 53 super VLAN configuration, 168
Ethernet link aggregate interface (expected voice VLAN configuration, 187, 192, 197
bandwidth), 54 learning
Ethernet link aggregate interface default loop detection no-learning action, 137
settings, 56 MAC address, 23
Ethernet link aggregate interface shutdown, MAC address learning disable, 27
56
MAC address table learning limit, 29
Ethernet link aggregation (Layer 3 dynamic),
MAC address table learning priority, 30
69
MST learning port state, 94
Ethernet link aggregation (Layer 3 static), 68
legacy
Ethernet link aggregation configuration, 40,
47, 60 spanning tree port mode, 113
Ethernet link aggregation edge aggregate spanning tree port path cost calculation, 108
interface, 47, 54 link
Ethernet link aggregation group, 48, 50 aggregation. See link aggregation
Ethernet link aggregation group load sharing, interface link mode (Ethernet), 5
56 Link Layer Discovery Protocol. Use LLDP
Ethernet link aggregation group load sharing MSTP configuration, 128
mode, 56 PVST configuration, 132
Ethernet link aggregation load sharing, 70 spanning tree configuration, 77, 98, 128
Ethernet link aggregation local-first load spanning tree hello time, 105
sharing, 57 spanning tree port link type configuration, 112
Ethernet link aggregation traffic redirection, 58 link aggregation
Ethernet subinterface configuration, 17 Ethernet link aggregation. See Ethernet link
Ethernet subinterface MTU setting, 17 aggregation
interface configuration (Ethernet), 1 LLDP
IP subnet-based VLAN configuration, 154 advertisable TLV configuration, 258
LAN switching LAN switching VLAN interface, agent, 248
145 ARP entry generation, 266
LAN switching LAN switching VLAN interface basic concepts, 248
basics, 145
basic configuration, 255, 267
LLDP ARP entry generation, 266
bridge mode configuration, 256
LLDP basic configuration, 267
CDP compatibility configuration, 263
LLDP configuration, 267
CDP-compatible configuration, 271
LLDP ND entry generation, 266
configuration, 248, 255, 267
LLDP trapping, 265
display, 267
LLDP-MED trapping, 265
enable, 255
port-based VLAN assignment (access port),
frame encapsulation (Ethernet II), 249
147
frame encapsulation (SNAP), 249
port-based VLAN assignment (hybrid port),
148 frame encapsulation format, 262
port-based VLAN assignment (trunk port), 148 frame format, 249
port-based VLAN configuration, 146 frame reception, 254
private VLAN configuration, 174 frame transmission, 254
private VLAN promiscuous port configuration, how it works, 253
174 LLDPDU management address TLV, 253
private VLAN trunk promiscuous port LLDPDU TLV types, 250
configuration, 177 LLDPDU TLVs, 250

301
 LLDP-MED trapping configuration, 265 Ethernet link aggregation local-first load sharing,
management address configuration, 260 57
management address encoding format, 260 Ethernet link aggregation packet type-based load
ND entry generation, 266 sharing, 47
operating mode (disable), 253 Ethernet link aggregation per-flow load sharing,
47
operating mode (Rx), 253
Ethernet link aggregation per-packet load
operating mode (Tx), 253
sharing, 47
operating mode (TxRx), 253
local
operating mode set, 256
Ethernet link aggregation local-first load sharing,
parameter set, 262 57
polling enable, 257 loop
protocols and standards, 254 MSTP configuration, 128
PVID inconsistency check disable, 263 PVST configuration, 132
reinitialization delay, 257 spanning tree configuration, 77, 98, 128
source MAC address, 266 spanning tree loop guard, 123
Track collaboration function, 254 loop detection
trapping configuration, 265 configuration, 136, 138, 140
voice VLAN advertisement, 195 display, 140
voice VLAN information advertisement to IP enable, 138
phones, 188
interval, 137
voice VLAN IP phone identification, 188
interval setting, 139
voice VLAN IP phone identification method,
mechanisms, 136
187
port status auto recovery, 137
voice VLAN LLDP automatic IP phone
discovery enable, 195 protection action setting, 139
LLDPDU protection action setting (Layer 2 aggregate
interface), 139
LLDP basic configuration, 255, 267
protection actions, 137
LLDP configuration, 248, 255, 267
loopback
LLDP parameters, 262
interface loopback testing (Ethernet), 8
management address configuration, 260
loopback interface
management address encoding format, 260
configuration, 19
management address TLV, 253
display, 20
TLV basic management types, 250
maintain, 20
TLV LLDP-MED types, 250
TLV organization-specific types, 250 M
load balancing M\
service loopback group configuration, 283, 1 VLAN mappingapplication scenario, 227, 227
284 1 VLAN mappingARP detection (dynamic IP
load sharing address assignment), 234
Ethernet link aggregation group configuration, 1 VLAN mappingARP snooping (static IP address
56 assignment), 236
Ethernet link aggregation group load sharing, 1 VLAN mappingconfiguration, 233, 239
47 1 VLAN mappingconfiguration (dynamic IP
Ethernet link aggregation load sharing (Layer address assignment), 233
2), 64 1 VLAN mappingconfiguration (static IP address
Ethernet link aggregation load sharing (Layer assignment), 236
3), 70 1 VLAN mappingconfiguration restrictions
Ethernet link aggregation load sharing (dynamic IP address assignment), 233
algorithm settings, 58 1 VLAN mappingconfiguration restrictions (static
Ethernet link aggregation load sharing mode, IP address assignment), 236
56 1 VLAN mappingcustomer-side port (dynamic IP
address assignment), 234

302
 1 VLAN mappingcustomer-side port (static IP MAC relay (LLDP agent), 248
address assignment), 236 MAC-based VLAN
1 VLAN mappingDHCP snooping (dynamic IP assignment (dynamic), 152
address assignment), 234 assignment (static), 152
1 VLAN mappingimplementation, 229, 230 configuration, 149, 158
1 VLAN mappingnetwork-side port (dynamic configuration (server-assigned), 153
IP address assignment), 235
dynamic assignment, 150
1 VLAN mappingnetwork-side port (static IP
dynamic assignment configuration restrictions,
address assignment), 237
152
MAC address table
server-assigned, 151
address learning, 23
static assignment, 149
address synchronization, 30
maintaining
ARP fast update enable, 33
Ethernet link aggregation, 59
blackhole entry, 26
interface, 20
configuration, 23, 24, 34
interface (Ethernet), 17
display, 34
L2PT, 277
dynamic aging timer, 29
MVRP, 207
entry configuration, 25
spanning tree, 127
entry configuration (global), 25
subinterface (Ethernet), 17
entry configuration (on interface), 26
VLAN, 156
entry creation, 23
management address
entry types, 23
LLDP encoding format, 260
frame forwarding rule, 29
manual
learning limit setting set, 29
voice VLAN assignment mode, 190
learning priority assignment, 30
voice VLAN assignment mode configuration, 199
MAC address learning disable, 27
voice VLAN port operation configuration, 194
MAC address move suppression, 32
mapping
manual entries, 23
1\1 VLAN mapping, 227
move notification, 32
1\2 VLAN mapping, 228
multiport unicast entry, 26
2\2 VLAN mapping, 228
SNMP notification enable, 34
M\1 VLAN mapping, 227
MAC addressing
MSTP VLAN-to-instance mapping table, 92
L2PT tunneled packet destination multicast
master
MAC address, 277
MSTP master port, 93
LLDP source MAC address, 266
max age timer (STP), 85
MAC-based VLAN assignment (dynamic),
150, 152 maximum transmission unit. Use MTU
MAC-based VLAN assignment mCheck
(server-assigned), 151 global performance, 115
MAC-based VLAN assignment (static), 149, interface view performance, 115
152 spanning tree, 115
MAC-based VLAN configuration, 149, 158 MDI mode (Ethernet interface), 15
MAC-based VLAN configuration MDIX mode (Ethernet interface), 15
(server-assigned), 153 MED (LLDP-MED trapping), 265
VLAN frame encapsulation, 143 message
MAC Information MRP JoinEmpty, 201
change notification interval, 37 MRP JoinIn, 201
configuration, 36, 37 MRP Leave, 201
configuration restrictions, 37 MRP LeaveAll, 201
enable, 36 MRP New, 201
mode configuration, 36 MRP timers, 203
queue length setting, 37

303
MIB calculation, 94
LLDP basic configuration, 255, 267 MRP, 201
LLDP configuration, 248, 255, 267 MST instance, 92
mode MSTP, 77, See also STP
Ethernet link aggregation dynamic, 42 basic concepts, 91
Ethernet link aggregation LACP operation CIST, 92
active, 44 CIST calculation, 94
Ethernet link aggregation LACP operation common root bridge, 93
passive, 44 configuration, 100, 128
Ethernet link aggregation load sharing, 47 CST, 92
Ethernet link aggregation static, 42, 42 device implementation, 95
interface Auto MDIX (Layer 2 Ethernet), 15 feature enable, 114
interface link (Ethernet), 5 features, 89
interface MDI (Layer 2 Ethernet), 15 how it works, 94
interface MDIX (Layer 2 Ethernet), 15 IST, 92
LLDP customer bridge, 256 mode set, 101
LLDP disable, 253, 256 MST region, 92
LLDP Rx, 253, 256 MST region configuration, 102
LLDP service bridge, 256 MSTI, 92
LLDP Tx, 253, 256 MSTI calculation, 94
LLDP TxRx, 253, 256 port roles, 93
MAC Information syslog, 36 port states, 94
MAC Information trap, 36 protocol frames, 90
MVRP registration, 205 protocols and standards, 97
MVRP registration fixed, 204 rapid transition, 95
MVRP registration forbidden, 204 regional root, 92
MVRP registration normal, 204 relationships, 89
spanning tree mCheck, 115 spanning tree max age timer, 105
spanning tree MSTP, 101 spanning tree port mode configuration, 113
spanning tree PVST, 101 VLAN-to-instance mapping table, 92
spanning tree RSTP, 101 MTU
spanning tree STP, 101 Layer 3 Ethernet aggregate interface, 52
voice VLAN assignment automatic, 189 subinterface MTU setting (Layer 3 Ethernet), 17
voice VLAN assignment manual, 190 multicast
voice VLAN port normal, 191 L2PT tunneled packet destination multicast MAC
voice VLAN port security, 191 address, 277
modifying multiple
MAC address table blackhole entry, 26 Multiple Registration Protocol. Use MRP
MAC address table entry (global), 25 Multiple VLAN Registration Protocol. Use MVRP
MAC address table entry (on interface), 26 Multiple Spanning Tree Protocol. Use MSTP
MAC address table multiport unicast entry, 26 multiport unicast entry (MAC address table), 23, 26
moving MVRP
MAC address table move notification, 32 configuration, 201, 204, 207
MRP configuration restrictions, 204
implementation, 201 display, 207
messages, 201 enable, 205
MVRP configuration, 201, 204, 207 GVRP compatibility, 207
timers, 203 maintain, 207
MST MRP implementation, 201
region max hops, 104 protocols and standards, 204
MSTI

304
 registration mode setting, 205 interface configuration (Layer 2 Ethernet), 12
registration modes, 204 interface configuration (Layer 3 Ethernet), 17
timer set, 206 interface configuration (loopback), 19
N interface configuration (null), 19
interface dampening (Ethernet), 6
negotiating
interface EEE (Ethernet), 10
interface automatic negotiation (Ethernet), 10
interface energy-saving features (Ethernet), 9
network
interface fiber port (Layer 2 Ethernet), 14
1\1 VLAN mapping configuration, 233, 239
interface generic flow control (Ethernet), 9
1\2 VLAN mapping configuration, 238, 245
interface jumbo frame support (Ethernet), 5
2\2 VLAN mapping configuration, 239, 245
interface link mode (Ethernet), 5
disabling the device to reactivate the
interface loopback testing (Ethernet), 8
shutdown edge ports, 126
interface MDIX mode (Layer 2 Ethernet), 15
Ethernet aggregate interface (Layer 3 edge),
72 interface MTU setting (Layer 3 Ethernet), 17
Ethernet link aggregate interface (Layer 2 interface physical state change suppression
edge), 66 (Ethernet), 6
Ethernet link aggregation (Layer 2 dynamic), interface split (Ethernet 40-GE), 2
62 interface statistics polling interval (Ethernet), 10
Ethernet link aggregation (Layer 2 static), 60 interface storm control (Layer 2 Ethernet), 12
Ethernet link aggregation (Layer 3 dynamic), interface storm suppression (Ethernet), 12
69 interfaces combine (Ethernet 10-GE > 40-GE), 2
Ethernet link aggregation (Layer 3 static), 68 IP subnet-based VLAN configuration, 154, 160
Ethernet link aggregation (static mode), 42 L2PT for LACP configuration, 279
Ethernet link aggregation configuration types, L2PT for STP configuration, 278
41 L2PT tunneled packet destination multicast MAC
Ethernet link aggregation edge aggregate address, 277
interface, 47 LLDP basic configuration, 255, 267
Ethernet link aggregation LACP, 43 LLDP configuration (CDP-compatible), 271
Ethernet link aggregation load sharing (Layer LLDP source MAC address, 266
2), 64 logging events of detecting or receiving TC
Ethernet link aggregation load sharing (Layer BPDUs (in PVST mode), 126
3), 70 loop detection enable, 138
Ethernet link aggregation member port state, loop detection interval, 137, 139
42, 45
loop detection protection action setting, 139
Ethernet link aggregation modes, 42
loop protection actions, 137
Ethernet link aggregation operational key, 41
M\1 VLAN mapping configuration, 233, 239
Ethernet link aggregation reference port, 45
M\1 VLAN mapping configuration (dynamic IP
Ethernet link aggregation reference port address assignment), 233
choice, 42
M\1 VLAN mapping configuration (static IP
interface auto power-down (Ethernet), 9 address assignment), 236
interface automatic negotiation (Ethernet), 10 M\1 VLAN mapping customer-side port (dynamic
interface basic settings (Ethernet), 3 IP address assignment), 234
interface bridging enable (Layer 2 Ethernet), M\1 VLAN mapping customer-side port (static IP
16 address assignment), 236
interface cable connection (Layer 2 Ethernet), M\1 VLAN mapping network-side port (dynamic
16 IP address assignment), 235
interface card operating mode (Ethernet), 11 M\1 VLAN mapping network-side port (static IP
interface common settings configuration address assignment), 237
(Ethernet), 1 MAC address move suppression, 32
interface configuration (Ethernet single MAC address table address synchronization, 30
combo), 2 MAC address table ARP fast update, 33
interface configuration (inloopback), 20 MAC address table blackhole entry, 26

305
MAC address table dynamic aging timer, 29 secondary VLAN Layer 3 communication
MAC address table entry configuration, 25 configuration, 184
MAC address table entry types, 23 service loopback group configuration, 284
MAC address table learning limit, 29 spanning tree BPDU drop, 125
MAC address table learning priority, 30 spanning tree BPDU guard, 122
MAC address table move notification, 32 spanning tree BPDU transmission rate, 107
MAC address table multiport unicast entry, 26 spanning tree Digest Snooping, 116, 117
MAC address table SNMP notification, 34 spanning tree edge port, 107
MAC Information configuration, 37 spanning tree inconsistent PVID protection
MAC-based VLAN assignment (dynamic), 152 disable, 115
MAC-based VLAN assignment spanning tree loop guard, 123
(server-assigned), 151 spanning tree mode set, 101
MAC-based VLAN assignment (static), 152 spanning tree No Agreement Check, 118, 120
MAC-based VLAN configuration, 149, 158 spanning tree port link type, 112
MAC-based VLAN configuration spanning tree port mode, 113
(server-assigned), 153 spanning tree port path cost, 108, 110
management interface configuration, 1 spanning tree port priority, 111
MRP timers, 203 spanning tree port role restriction, 124
MST region configuration, 102 spanning tree port state transition, 113
MSTP basic concepts, 91 spanning tree priority, 104
MSTP configuration, 128 spanning tree protection, 122
MVRP enable, 205 spanning tree root bridge, 102
MVRP timer set, 206 spanning tree root bridge (device), 103
port isolation configuration (multiple isolation spanning tree root guard, 123
groups), 75 spanning tree secondary root bridge (device), 103
port isolation group assignment (multiple spanning tree SNMP notification (new-root
ports), 74 election, topology change events), 127
port-based VLAN assignment (access port), spanning tree switched network diameter, 105
147 spanning tree TC Snooping, 120
port-based VLAN assignment (hybrid port), spanning tree TC-BPDU guard, 125
148
spanning tree TC-BPDU transmission restriction,
port-based VLAN assignment (trunk port), 148 124
port-based VLAN configuration, 146 STP algorithm calculation, 80
private VLAN promiscuous port configuration, STP basic concepts, 79
174
STP path cost, 80
private VLAN trunk promiscuous port
subinterface basic settings (Ethernet), 3
configuration, 177
subinterface configuration (Layer 3 Ethernet), 17
private VLAN trunk promiscuous+secondary
port configuration, 180 subinterface MTU setting (Layer 3 Ethernet), 17
protocol-based VLAN configuration, 155, 162 super VLAN configuration, 166, 168
PVST basic concepts, 89 super VLAN interface configuration, 167
PVST BPDU guard, 126 super VLAN sub-VLAN creation, 166
PVST configuration, 132 VLAN basic configuration, 144
QinQ basic configuration, 223 VLAN group configuration, 156
QinQ VLAN tag TPID value, 220 VLAN interface, 145
QinQ VLAN transparent transmission, 219 VLAN interface basics, 145
QinQ VLAN transparent transmission VLAN mapping 1\1 implementation, 230
configuration, 225 VLAN mapping 1\2 implementation, 231
RSTP basic concepts, 86 VLAN mapping 2\2 implementation, 231
RSTP network convergence, 86 VLAN mapping M\1 implementation, 230
RSTP port role, 86 VLAN port-based configuration, 157
RSTP port state, 87 voice VLAN advertisement (CDP), 196

306
 voice VLAN advertisement (LLDP), 195 normal
voice VLAN assignment mode, 189 voice VLAN mode, 191
voice VLAN assignment mode configuration notifying
(automatic), 197 MAC address table move notification, 32
voice VLAN assignment mode configuration MAC address table SNMP notification, 34
(manual), 199 MAC Information change notification interval, 37
voice VLAN configuration, 197 null interface
voice VLAN host+IP phone connection (in configuration, 19, 19
series), 188
display, 20
voice VLAN information advertisement to IP
maintain, 20
phones, 188
voice VLAN IP phone access method, 188 O
voice VLAN IP phone identification (LLDP), operational key (Ethernet link aggregation), 41
188 organization-specific LLDPDU TLV types, 250
voice VLAN IP phone identification (OUI OUI
address), 187
voice VLAN IP phone identification (OUI
voice VLAN IP phone+device connection, 189 address), 187
voice VLAN LLDP automatic IP phone voice VLAN IP phone identification method, 187
discovery enable, 195
outputting
voice VLAN port mode, 191
spanning tree port state transition information,
voice VLAN port operation configuration 113
(automatic assignment), 193
voice VLAN port operation configuration P
(manual assignment), 194 P/A transition (STP), 96
voice VLAN traffic QoS priority settings, 192 packet
network management 1\1 VLAN mapping configuration, 233, 239
Ethernet link aggregation configuration, 40, 1\2 VLAN mapping configuration, 238, 245
47, 60 2\2 VLAN mapping configuration, 239, 245
interface bulk configuration, 21, 21 Ethernet link aggregation group BFD, 54
interface configuration (Ethernet), 1 Ethernet link aggregation packet type-based load
interface configuration (inloopback), 19 sharing, 47
interface configuration (loopback), 19 L2PT configuration, 274, 276, 278
interface configuration (null), 19 L2PT for LACP configuration, 279
L2PT configuration, 274, 276, 278 L2PT for STP configuration, 278
LLDP basic concepts, 248 L2PT tunneled packet destination multicast MAC
LLDP configuration, 248, 255, 267 address, 277
loop detection, 136 LLDP CDP compatibility, 263
loop detection configuration, 138, 140 M\1 VLAN mapping configuration, 233, 239
MAC address table configuration, 23, 24, 34 M\1 VLAN mapping configuration (dynamic IP
MAC Information configuration, 36 address assignment), 233
MVRP, 201, 204, 207 M\1 VLAN mapping configuration (static IP
port isolation configuration, 74 address assignment), 236
private VLAN configuration, 171, 172, 174 service loopback group configuration, 283, 284
QinQ configuration, 217, 223 VLAN mapping configuration, 227, 232, 239
service loopback group configuration, 283 parameter
spanning tree configuration, 77, 98, 128 spanning tree timeout factor, 106
super VLAN configuration, 166 PE
VLAN configuration, 143, 157 L2PT configuration, 274, 276, 278
VLAN mapping configuration, 227, 232, 239 L2PT for LACP configuration, 279
voice VLAN configuration, 187, 192 L2PT for STP configuration, 278
No Agreement Check (spanning tree), 118, 120 per-flow load sharing, 47
no-learning action (loop detection), 137 performing

307
 spanning tree mCheck, 115 Ethernet link aggregation LACP port priority, 44
spanning tree mCheck globally, 115 Ethernet link aggregation load sharing (Layer 2),
spanning tree mCheck in interface view, 115 64
per-packet load sharing, 47 Ethernet link aggregation load sharing (Layer 3),
Per-VLAN Spanning Tree Protocol. Use PVST 70
physical Ethernet link aggregation load sharing algorithm
settings, 58
interface physical state change suppression
(Ethernet), 6 Ethernet link aggregation load sharing mode, 47
polling Ethernet link aggregation local-first load sharing,
57
interface statistics polling interval (Ethernet),
10 Ethernet link aggregation member port, 40
LLDP enable, 257 Ethernet link aggregation member port state, 40,
42, 45
port
Ethernet link aggregation modes, 42
Ethernet aggregate interface, 51
Ethernet link aggregation operational key, 41
Ethernet aggregate interface (description), 52
Ethernet link aggregation reference port, 45
Ethernet aggregate interface (Layer 3 edge),
72 Ethernet link aggregation reference port choice,
42
Ethernet link aggregate group Selected ports
min/max, 53 Ethernet link aggregation traffic redirection, 58
Ethernet link aggregate interface (expected interface fiber port (Layer 2 Ethernet), 14
bandwidth), 54 isolation. See port isolation
Ethernet link aggregate interface (Layer 2 Layer 2 aggregate interface (ignored VLAN), 52
edge), 66 Layer 3 aggregate interface configuration (MTU),
Ethernet link aggregate interface default 52
settings, 56 LLDP ARP entry generation, 266, 266
Ethernet link aggregate interface shutdown, LLDP basic configuration, 255, 267
56 LLDP configuration, 248, 255, 267
Ethernet link aggregation (Layer 2 dynamic), LLDP disable operating mode, 253
62 LLDP enable, 255
Ethernet link aggregation (Layer 2 static), 60 LLDP frame encapsulation format, 262
Ethernet link aggregation (Layer 3 dynamic), LLDP frame reception, 254
69
LLDP frame transmission, 254
Ethernet link aggregation (Layer 3 static), 68
LLDP operating mode, 256
Ethernet link aggregation (static mode), 42
LLDP polling, 257
Ethernet link aggregation configuration, 40,
LLDP reinitialization delay, 257
47, 60
LLDP Rx operating mode, 253
Ethernet link aggregation configuration types,
41 LLDP Tx operating mode, 253
Ethernet link aggregation edge aggregate LLDP TxRx operating mode, 253
interface, 47, 54 loop detection configuration, 136, 138, 140
Ethernet link aggregation group, 48 loop detection enable (port-specific), 138
Ethernet link aggregation group (Layer 2 loop detection interval, 137, 139
static), 49, 49 loop detection protection action setting, 139
Ethernet link aggregation group (Layer 2), 49 loop detection protection actions, 137
Ethernet link aggregation group (Layer 3 loop detection status auto recovery, 137
dynamic), 51 M\1 VLAN mapping customer-side port (dynamic
Ethernet link aggregation group (Layer 3 IP address assignment), 234
static), 50 M\1 VLAN mapping customer-side port (static IP
Ethernet link aggregation group (Layer 3), 50 address assignment), 236
Ethernet link aggregation group load sharing, M\1 VLAN mapping network-side port (dynamic
56 IP address assignment), 235
Ethernet link aggregation LACP, 43 M\1 VLAN mapping network-side port (static IP
address assignment), 237

308
 MAC address learning, 23 group assignment (multiple ports), 74
MAC address table blackhole entry, 26 port-based VLAN
MAC address table configuration, 23, 24, 34 assignment (access port), 147
MAC address table entry configuration, 25 assignment (hybrid port), 148
MAC address table multiport unicast entry, 26 assignment (trunk port), 148
MAC Information configuration, 36, 37 configuration, 146, 157
MST port roles, 93 port frame handling, 147
MST port states, 94 port link type, 146
MVRP application, 201, 204, 207 PVID, 146
MVRP timer set, 206 power
PVST BPDU guard, 126 interface auto power-down (Ethernet), 9
QinQ implementation, 218 interface EEE (Ethernet), 10
RSTP network convergence, 86 interface energy-saving features (Ethernet), 9
service loopback group configuration, 283, priority
284 Ethernet link aggregation LACP, 43
spanning tree BPDU drop, 125 Ethernet link aggregation LACP port priority, 44
spanning tree BPDU guard, 122 Ethernet link aggregation LACP system priority,
spanning tree BPDU transmission rate, 107 44
spanning tree edge port configuration, 107 MAC address table learning priority, 30
spanning tree forward delay timer, 105 QinQ SVLAN tag 802.1p priority, 221
spanning tree loop guard, 123 spanning tree device priority, 104
spanning tree mCheck, 115 spanning tree port priority configuration, 111
spanning tree path cost calculation standard, private VLAN
108 configuration, 171, 172, 174
spanning tree path cost configuration, 108, configuration restrictions, 172
110 display, 174
spanning tree port link type configuration, 112 promiscuous port configuration, 174
spanning tree port mode configuration, 113 secondary VLAN Layer 3 communication
spanning tree port priority configuration, 111 configuration, 184
spanning tree port role restriction, 124 trunk promiscuous port configuration, 177
spanning tree port state transition output, 113 trunk promiscuous+secondary port configuration,
spanning tree root guard, 123 180
spanning tree TC-BPDU guard, 125 procedure
spanning tree TC-BPDU transmission adding MAC address table blackhole entry, 26
restriction, 124 adding MAC address table entry (global), 25
STP designated port, 79 adding MAC address table entry (on interface), 26
STP edge port rapid transition, 95 adding MAC address table multiport unicast entry,
STP port state, 79 26
STP rapid transition, 95 assigning MAC address table learning priority to
STP root port, 79 interface, 30
STP root port rapid transition, 96 assigning port isolation group (multiple ports), 74
VLAN port link type, 146 assigning port-based VLAN access port (interface
voice VLAN port mode, 191 view), 147
voice VLAN port operation configuration assigning port-based VLAN access port (VLAN
(automatic assignment), 193 view), 147
voice VLAN port operation configuration assigning port-based VLAN hybrid port, 148
(manual assignment), 194 assigning port-based VLAN trunk port, 148
port isolation bulk configuring interfaces, 21, 21
configuration, 74 changing combo interface active port (Ethernet
configuration (multiple isolation groups), 75 combo), 2
display, 74 combining interfaces (Ethernet 10-GE > 40-GE),
2

309
configuring 1\1 VLAN mapping, 233, 239 configuring interface common settings (Ethernet),
configuring 1\2 VLAN mapping, 238, 245 1
configuring 2\2 VLAN mapping, 239, 245 configuring interface dampening (Ethernet), 6
configuring Ethernet aggregate interface, 51 configuring interface EEE (Ethernet), 10
configuring Ethernet aggregate interface configuring interface energy-saving features
(description), 52 (Ethernet), 9
configuring Ethernet aggregate interface configuring interface generic flow control
(Layer 3 edge), 72 (Ethernet), 9
configuring Ethernet link aggregate interface configuring interface jumbo frame support
(Layer 2 edge), 66 (Ethernet), 5
configuring Ethernet link aggregation, 47 configuring interface link mode (Ethernet), 5
configuring Ethernet link aggregation (Layer 2 configuring interface physical state change
dynamic), 62 suppression (Ethernet), 6
configuring Ethernet link aggregation (Layer 2 configuring interface storm control (Layer 2
static), 60 Ethernet), 12
configuring Ethernet link aggregation (Layer 3 configuring interface storm suppression
dynamic), 69 (Ethernet), 12
configuring Ethernet link aggregation (Layer 3 configuring IP subnet-based VLAN, 154, 160
static), 68 configuring L2PT, 276
configuring Ethernet link aggregation edge configuring L2PT for LACP, 279
aggregate interface, 54 configuring L2PT for STP, 278
configuring Ethernet link aggregation group, configuring LAN switching QinQ VLAN tag TPID
48 value, 220
configuring Ethernet link aggregation group configuring LAN switching spanning tree Digest
(Layer 2 dynamic), 49 Snooping, 117
configuring Ethernet link aggregation group configuring LLDP, 255
(Layer 2 static), 49 configuring LLDP (CDP-compatible), 271
configuring Ethernet link aggregation group configuring LLDP advertisable TLVs, 258
(Layer 3 dynamic), 51
configuring LLDP basics, 255, 267
configuring Ethernet link aggregation group
configuring LLDP CDP compatibility, 263
(Layer 3 static), 50
configuring LLDP management address, 260
configuring Ethernet link aggregation group
BFD, 54 configuring LLDP management address encoding
format, 260
configuring Ethernet link aggregation group
load sharing, 56 configuring LLDP trapping, 265
configuring Ethernet link aggregation load configuring LLDP-MED trapping, 265
sharing (Layer 2), 64 configuring loop detection, 138, 140
configuring Ethernet link aggregation load configuring M\1 VLAN mapping, 233, 239
sharing (Layer 3), 70 configuring M\1 VLAN mapping (dynamic IP
configuring Ethernet link aggregation load address assignment), 233
sharing algorithm settings, 58 configuring M\1 VLAN mapping (static IP address
configuring interface (Ethernet single combo), assignment), 236
2 configuring M\1 VLAN mapping customer-side
configuring interface (inloopback), 20 port (dynamic IP address assignment), 234
configuring interface (Layer 2 Ethernet), 12 configuring M\1 VLAN mapping customer-side
configuring interface (Layer 3 Ethernet), 17 port (static IP address assignment), 236
configuring interface (loopback), 19 configuring M\1 VLAN mapping network-side port
(dynamic IP address assignment), 235
configuring interface (null), 19
configuring M\1 VLAN mapping network-side port
configuring interface auto power-down
(static IP address assignment), 237
(Ethernet), 9
configuring MAC address move suppression, 32
configuring interface basic settings (Ethernet),
3 configuring MAC address table, 24, 34
configuring interface card operating mode configuring MAC address table entry, 25
(Ethernet), 11

310
configuring MAC address table frame configuring spanning tree port mode for MSTP
forwarding rule, 29 frames, 113
configuring MAC address table multiport configuring spanning tree port path cost, 108, 110
unicast entry (global), 27 configuring spanning tree port priority, 111
configuring MAC address table multiport configuring spanning tree port role restriction, 124
unicast entry (on interface), 27 configuring spanning tree protection, 122
configuring MAC Information, 37 configuring spanning tree root bridge, 102
configuring MAC Information mode, 36 configuring spanning tree root bridge (device),
configuring MAC-based VLAN, 149, 158 103
configuring MAC-based VLAN configuring spanning tree secondary root bridge,
(server-assigned), 153 102
configuring MAC-based VLAN assignment configuring spanning tree secondary root bridge
(dynamic), 152 (device), 103
configuring MAC-based VLAN assignment configuring spanning tree switched network
(static), 152 diameter, 105
configuring management interface, 1 configuring spanning tree TC Snooping, 120
configuring MST region, 102 configuring spanning tree TC-BPDU transmission
configuring MST region max hops, 104 restriction, 124
configuring MSTP, 100, 128 configuring spanning tree timeout factor, 106
configuring MVRP, 204, 207 configuring spanning tree timer, 105
configuring port isolation (multiple isolation configuring STP, 98
groups), 75 configuring subinterface (Layer 3 Ethernet), 17
configuring port-based VLAN, 146, 157 configuring subinterface basic settings (Ethernet),
configuring private VLAN, 172 3
configuring private VLAN promiscuous port, configuring super VLAN, 166, 166, 168
174 configuring super VLAN interface, 167
configuring private VLAN trunk promiscuous configuring VLAN basic settings, 144
port, 177 configuring VLAN group, 156
configuring private VLAN trunk configuring VLAN interface, 145
promiscuous+secondary port, 180
configuring VLAN interface basics, 145
configuring protocol-based VLAN, 155, 162
configuring VLAN mapping, 232
configuring PVST, 99, 132
configuring voice VLAN, 192
configuring QinQ basics, 223
configuring voice VLAN advertisement (CDP),
configuring QinQ CVLAN tag TPID value, 221 196
configuring QinQ SVLAN tag TPID value, 221 configuring voice VLAN advertisement (LLDP),
configuring QinQ VLAN transparent 195
transmission, 219, 225 configuring voice VLAN assignment mode
configuring RSTP, 99 (automatic), 197
configuring secondary VLAN Layer 3 configuring voice VLAN assignment mode
communication, 184 (manual), 199
configuring service loopback group, 283, 284 configuring voice VLAN port operation (automatic
configuring spanning tree, 98 assignment), 193
configuring spanning tree BPDU guard, 122 configuring voice VLAN port operation (manual
configuring spanning tree BPDU transmission assignment), 194
rate, 107 configuring voice VLAN traffic QoS priority
configuring spanning tree device priority, 104 settings, 192
configuring spanning tree Digest Snooping, creating super VLAN sub-VLAN, 166
116 disabling LLDP PVID inconsistency check, 263
configuring spanning tree edge port, 107 disabling MAC address learning, 27
configuring spanning tree No Agreement disabling MAC address learning (global), 28
Check, 118, 120 disabling MAC address learning (on interface), 28
configuring spanning tree port link type, 112 disabling MAC address learning (on VLAN), 28

311
disabling spanning tree inconsistent PVID enabling MAC address table move notification, 32
protection, 115 enabling MAC address table SNMP notification,
disabling the device to reactivate the 34
shutdown edge ports, 126 enabling MAC Information, 36
displaying bulk interface configuration, 22 enabling MVRP, 205
displaying Ethernet link aggregation, 59 enabling MVRP GVRP compatibility, 207
displaying interface, 20 enabling PVST BPDU guard, 126
displaying interface (Ethernet), 17 enabling QinQ, 219
displaying L2PT, 277 enabling spanning tree BPDU drop, 125
displaying LLDP, 267 enabling spanning tree BPDU guard (global), 122
displaying loop detection, 140 enabling spanning tree BPDU guard (on
displaying MAC address table, 34 interface), 122
displaying MVRP, 207 enabling spanning tree feature, 114
displaying port isolation, 74 enabling spanning tree loop guard, 123
displaying private VLAN, 174 enabling spanning tree port state transition
displaying QinQ, 223 information output, 113
displaying service loopback group, 284 enabling spanning tree root guard, 123
displaying spanning tree, 127 enabling spanning tree SNMP notification
displaying subinterface (Ethernet), 17 (new-root election, topology change events), 127
displaying super VLAN, 167 enabling spanning tree TC-BPDU guard, 125
displaying VLAN, 156 enabling voice VLAN LLDP automatic IP phone
discovery, 195
displaying VLAN mapping, 239
forcing interface fiber port (Layer 2 Ethernet), 14
displaying voice VLAN, 196
maintaining Ethernet link aggregation, 59
enable interface bridging (Layer 2 Ethernet),
16 maintaining interface, 20
enabling Ethernet link aggregation local-first maintaining interface (Ethernet), 17
load sharing, 57 maintaining L2PT, 277
enabling Ethernet link aggregation traffic maintaining MVRP, 207
redirection, 58 maintaining spanning tree, 127
enabling interface automatic negotiation maintaining subinterface (Ethernet), 17
(Ethernet), 10 maintaining VLAN, 156
enabling interface loopback testing (Ethernet), modifying MAC address table blackhole entry, 26
8 modifying MAC address table entry (global), 25
enabling L2PT, 276 modifying MAC address table entry (on interface),
enabling L2PT (for protocol), 276 26
enabling LLDP, 255 modifying MAC address table multiport unicast
enabling LLDP ARP entry generation, 266 entry, 26
enabling LLDP ND entry generation, 266 performing spanning tree mCheck, 115
enabling LLDP polling, 257 performing spanning tree mCheck globally, 115
enabling logging events of detecting or performing spanning tree mCheck in interface
receiving TC BPDUs (in PVST mode), 126 view, 115
enabling loop detection (global), 138 restoring Ethernet link aggregate interface default
enabling loop detection (port-specific), 138 settings, 56
enabling M\1 VLAN mapping ARP detection setting Ethernet link aggregate group Selected
(dynamic IP address assignment), 234 ports min/max, 53
enabling M\1 VLAN mapping ARP snooping setting Ethernet link aggregate interface
(static IP address assignment), 236 (expected bandwidth), 54
enabling M\1 VLAN mapping DHCP snooping setting Ethernet link aggregation load sharing
(dynamic IP address assignment), 234 mode (global), 56
enabling MAC address synchronization, 30 setting Ethernet link aggregation load sharing
enabling MAC address table ARP fast update, mode (group-specific), 57
33

312
 setting interface MDIX mode (Layer 2 spanning tree protection, 122
Ethernet), 15 spanning tree SNMP notification (new-root
setting interface MTU (Layer 3 Ethernet), 17 election, topology change events), 127
setting interface statistics polling interval protocol-based VLAN
(Ethernet), 10 configuration, 155, 162
setting L2PT tunneled packet destination protocols and standards
multicast MAC address, 277 Ethernet link aggregation protocol configuration,
setting Layer 3 aggregate interface (MTU), 52 41
setting LLDP bridge mode, 256 LLDP, 254
setting LLDP frame encapsulation format, 262 MSTP, 97
setting LLDP operating mode, 256 MSTP protocol frames, 90
setting LLDP parameters, 262 MVRP, 204
setting LLDP reinitialization delay, 257 PVST protocol frames, 88
setting LLDP source MAC address, 266 QinQ, 219
setting loop detection interval, 139 RSTP protocol frames, 86
setting loop detection protection action STP protocol frames, 77
(global), 139 VLAN, 144
setting loop detection protection action (Layer PVID
2 aggregate interface), 139
LLDP PVID inconsistency check disable, 263
setting loop detection protection action (Layer
spanning tree inconsistent PVID protection
2 Ethernet interface), 139
disable, 115
setting MAC address table dynamic aging
PVID (port-based VLAN), 146
timer, 29
PVST, 77, See also STP
setting MAC address table learning limit, 29
basic concepts, 89
setting MAC Information change notification
interval, 37 configuration, 99, 132
setting MAC Information queue length, 37 feature enable, 114
setting MVRP registration mode, 205 how it works, 89
setting MVRP timer, 206 mode set, 101
setting QinQ SVLAN tag 802.1p priority, 221 port links, 88
setting spanning tree mode, 101 protocol frames, 88
setting subinterface MTU (Layer 3 Ethernet), rapid transition, 95
17 Q
shutting down Ethernet link aggregate
QinQ
interface, 56
basic configuration, 223
specifying Layer 2 aggregate interface
(ignored VLAN), 52 configuration, 217, 223
specifying spanning tree port path cost configuration restrictions, 219
calculation standard, 108 CVLAN tag, 217
splitting interface (Ethernet 40-GE), 2 display, 223
testing interface cable connection (Layer 2 enable, 219
Ethernet), 16 how it works, 217
promiscuous implementation, 218
private VLAN promiscuous port configuration, loop detection configuration, 136, 138, 140
174 protocols and standards, 219
private VLAN trunk promiscuous port SVLAN tag, 217
configuration, 177 SVLAN tag 802.1p priority, 221
private VLAN trunk promiscuous+secondary VLAN tag TPID value, 220
port configuration, 180
VLAN transparent transmission, 219
protecting
VLAN transparent transmission configuration,
disabling the device to reactivate the 225
shutdown edge ports, 126
QoS
loop detection protection action setting, 139

313
 QinQ SVLAN tag 802.1p priority, 221 QinQ configuration, 219
voice VLAN traffic QoS priority settings, 192 spanning tree port role restriction, 124
queuing spanning tree TC-BPDU transmission restriction,
MAC Information queue length, 37 124
STP Digest Snooping configuration, 116
R
STP edge port configuration, 107
Rapid Spanning Tree Protocol. Use RSTP STP mCheck configuration, 115
rate STP port link type configuration, 112
spanning tree BPDU transmission rate, 107 STP TC Snooping configuration, 121
receiving STP timer configuration, 106
LLDP frames, 254 VLAN configuration, 152
recovering voice VLAN LLDP automatic IP phone discovery
loop detection port status auto recovery, 137 enable, 195
redirecting voice VLAN port operation configuration
Ethernet link aggregation traffic redirection, 58 (automatic assignment), 193
reference port (Ethernet link aggregation), 42, 45 voice VLAN port operation configuration
region restrictions (manual assignment), 194
MST, 92 root
MST region configuration, 102 MST common root bridge, 93
MST region max hops, 104 MST regional root, 92
MST regional root, 92 MST root port role, 93
registering spanning tree root bridge, 102
MVRP registration fixed mode, 204 spanning tree root bridge (device), 103
MVRP registration forbidden mode, 204 spanning tree root guard, 123
MVRP registration mode, 205 spanning tree secondary root bridge (device), 103
MVRP registration normal mode, 204 STP algorithm calculation, 80
reinitialization delay (LLDP), 257 STP edge port rapid transition, 96
restoring STP root bridge, 79
Ethernet link aggregate interface default STP root port, 79
settings, 56 routing
restrictions IP subnet-based VLAN configuration, 154, 160
bulk interface configuration, 21 MAC-based VLAN assignment (dynamic), 152
Ethernet interface loopback test, 8 MAC-based VLAN assignment (static), 152
Ethernet interface storm suppression, 12 MAC-based VLAN configuration, 149, 158
Ethernet link aggregation BFD configuration, MAC-based VLAN configuration
55 (server-assigned), 153
Ethernet link aggregation group, 48 protocol-based VLAN configuration, 155, 162
Ethernet link aggregation traffic redirection, 59 voice VLAN configuration, 187, 192, 197
interface dampening (Ethernet), 7 voice VLAN IP phone access method, 188
L2PT enable, 276 RSTP, 77, See also STP
Layer 2 Ethernet interface fiber port, 14 basic concepts, 86
Layer 2 Ethernet interface storm control BPDU processing, 87
configuration, 13 configuration, 99
M\1 VLAN mapping configuration (dynamic IP feature enable, 114
address assignment), 233 how it works, 87
M\1 VLAN mapping configuration (static IP mode set, 101
address assignment), 236
MSTP device implementation, 95
MAC Information configuration, 37
network convergence, 86
MAC-based VLAN assignment configuration
port role, 86
(dynamic), 152
port state, 87
MVRP configuration, 204
protocol frames, 86
private VLAN configuration, 172

314
 rapid transition, 95 loop detection protection action (Layer 2
rule aggregate interface), 139
MAC address table frame forwarding rule, 29 loop detection protection action (Layer 2 Ethernet
interface), 139
S
MAC address table dynamic aging timer, 29
security MAC address table learning limit, 29
voice VLAN mode, 191 MAC Information change notification interval, 37
selecting MAC Information queue length, 37
Ethernet link aggregation Selected ports MVRP registration mode, 205
min/max, 53 MVRP timer, 206
Ethernet link aggregation selected state, 40 QinQ SVLAN tag 802.1p priority, 221
Ethernet link aggregation unselected state, 40 spanning tree mode, 101
series subinterface MTU (Layer 3 Ethernet), 17
voice VLAN host+IP phone connection (in shutting down
series), 188
Ethernet link aggregate interface, 56
server
loop detection shutdown action, 137
MAC-based VLAN assignment
single combo interface, 2
(server-assigned), 151
SNAP
MAC-based VLAN configuration
(server-assigned), 153 LLDP frame encapsulation, 249
service LLDP frame encapsulation format, 262
LLDP service bridge mode, 256 SNMP
service loopback group MAC address table SNMP notification, 34
configuration, 283, 284 MAC Information configuration, 36, 37
display, 284 snooping
setting spanning tree Digest Snooping, 116, 117
Ethernet link aggregate group Selected ports spanning tree TC Snooping, 120
min/max, 53 spanning tree, 77, See also STP, RSTP, PVST, MSTP
Ethernet link aggregate interface (expected BPDU drop, 125
bandwidth), 54 BPDU guard configuration, 122
Ethernet link aggregation load sharing mode BPDU transmission rate configuration, 107
(global), 56 configuration, 77, 98, 128
Ethernet link aggregation load sharing mode device priority configuration, 104
(group-specific), 57 Digest Snooping, 116, 117
Ethernet link aggregation member port state, disabling the device to reactivate the shutdown
42, 45 edge ports, 126
interface MDIX mode (Layer 2 Ethernet), 15 display, 127
interface MTU (Layer 3 Ethernet), 17 edge port configuration, 107
interface statistics polling interval (Ethernet), feature enable, 114
10
inconsistent PVID protection disable, 115
L2PT tunneled packet destination multicast
logging events of detecting or receiving TC
MAC address, 277
BPDUs (in PVST mode), 126
Layer 3 aggregate interface (MTU), 52
loop guard enable, 123
LLDP bridge mode, 256
maintain, 127
LLDP frame encapsulation format, 262
mCheck, 115
LLDP operating mode, 256
mode set, 101
LLDP parameters, 262
MST region max hops, 104
LLDP reinitialization delay, 257
No Agreement Check, 118, 120
LLDP source MAC address, 266
port link type configuration, 112
loop detection interval, 139
port mode configuration, 113
loop detection protection action (global), 139
port path cost calculation standard, 108
port path cost configuration, 108, 110

315
 port priority configuration, 111 STP
port role restriction, 124 algorithm calculation, 80
port state transition output, 113 basic concepts, 79
protection configuration, 122 BPDU forwarding, 85
PVST BPDU guard, 126 configuration, 98
root bridge configuration, 102 configuration BPDUs, 77
root bridge configuration (device), 103 designated bridge, 79
root guard enable, 123 designated port, 79
secondary root bridge configuration (device), Digest Snooping configuration restrictions, 116
103 edge port configuration restrictions, 107
SNMP notification enable (new-root election, feature enable, 114
topology change events), 127 L2PT for STP configuration, 278
switched network diameter, 105 loop detection, 77
TC Snooping, 120 mCheck configuration restrictions, 115
TC-BPDU guard, 125 mode set, 101
TC-BPDU transmission restriction, 124 MSTP device implementation, 95
timeout factor configuration, 106 P/A transition, 96
timer configuration, 105 path cost, 80
specifying port link type configuration restrictions, 112
Layer 2 aggregate interface (ignored VLAN), port state, 79
52
protocol frames, 77
spanning tree port path cost calculation
root bridge, 79
standard, 108
root port, 79
splitting
TC Snooping configuration restrictions, 121
interface (Ethernet 40-GE), 2
TCN BPDUs, 78
state
timer configuration restrictions, 106
Ethernet link aggregation member port state,
40, 42, 45 timers, 85
interface state change suppression subinterface, 1, See also Ethernet subinterface
(Ethernet), 6 LLDP ARP entry generation, 266
static LLDP ND entry generation, 266
Ethernet link aggregation (Layer 2), 60 LLDP source MAC address, 266
Ethernet link aggregation (Layer 3), 68 subnetting
Ethernet link aggregation (static mode), 42 IP subnet-based VLAN configuration, 154, 160
Ethernet link aggregation group, 49, 50 sub-VLAN
Ethernet link aggregation group BFD, 54 creation, 166
Ethernet link aggregation mode, 42 super VLAN
Layer 2 Ethernet link aggregation group, 49 configuration, 166, 166, 168
Layer 3 Ethernet link aggregation group, 50 display, 167
MAC address table entry, 23 interface configuration, 167
MAC address table entry configuration sub-VLAN creation, 166
(global), 25 suppressing
MAC address table entry configuration (on interface physical state change suppression
interface), 26 (Ethernet), 6
MAC-based VLAN assignment, 149, 152 interface storm control configuration (Layer 2
statistics Ethernet), 12
interface automatic negotiation (Ethernet), 10 interface storm suppression (Ethernet), 12
interface statistics polling interval (Ethernet), MAC address move, 32
10 SVLAN
storm QinQ basic configuration, 223
interface storm control (Layer 2 Ethernet), 12 QinQ configuration, 217, 223
interface storm suppression (Ethernet), 12 QinQ SVLAN tag 802.1p priority, 221

316
 QinQ VLAN transparent transmission Ethernet link aggregation LACP short timeout
configuration, 225 interval, 44
VLAN mapping application scenario, 227 spanning tree timeout factor, 106
VLAN mapping configuration, 227, 232, 239 timer
VLAN mapping implementation, 229 LLDP reinitialization delay, 257
switching MAC address table dynamic aging, 29
interface configuration (Ethernet), 1 MRP Join, 203
interface configuration (inloopback), 19, 20 MRP Leave, 203
interface configuration (loopback), 19, 19 MRP LeaveAll, 203
interface configuration (null), 19, 19 MRP Periodic, 203
spanning tree switched network diameter, 105 MVRP set, 206
synchronizing spanning tree forward delay, 105
MAC addresses, 30 spanning tree hello, 105
syslog spanning tree max age, 105
MAC Information configuration, 36, 37 STP forward delay, 85
MAC Information mode configuration, 36 STP hello, 85
system STP max age, 85
interface bulk configuration, 21, 21 TLV
T LLDP advertisable TLV configuration, 258
LLDP management address configuration, 260
table
LLDP management address encoding format,
MAC address, 23, 24, 34 260
MAC address table learning limit, 29 LLDP parameters, 262
MSTP VLAN-to-instance mapping table, 92 LLDPDU basic management types, 250
tag LLDPDU LLDP-MED types, 250
1\1 VLAN mapping configuration, 233, 239 LLDPDU management address TLV, 253
1\2 VLAN mapping configuration, 238, 245 LLDPDU organization-specific types, 250
2\2 VLAN mapping configuration, 239, 245 topology
M\1 VLAN mapping configuration, 233, 239 PVST BPDU protocol frames, 88
M\1 VLAN mapping configuration (dynamic IP STP TCN BPDU protocol frames, 77
address assignment), 233
Track
M\1 VLAN mapping configuration (static IP
LLDP collaboration, 254
address assignment), 236
traffic
QinQ CVLAN, 217
Ethernet link aggregation traffic redirection, 58
QinQ SVLAN, 217
private VLAN configuration, 172, 174
QinQ SVLAN tag 802.1p priority, 221
voice VLAN traffic QoS priority settings, 192
QinQ VLAN tag TPID value, 220
transmitting
VLAN mapping configuration, 227, 232, 239
LLDP frames, 254
TC Snooping (spanning tree), 120
QinQ VLAN transparent transmission, 219, 225
TC-BPDU
spanning tree TC-BPDU transmission restriction,
spanning tree TC-BPDU guard, 125
124
spanning tree TC-BPDU transmission
transparent transmission (QinQ for VLAN), 219, 225
restriction, 124
trapping
testing
LLDP configuration, 265
interface cable connection (Layer 2 Ethernet),
16 LLDP-MED configuration, 265
time MAC Information configuration, 36, 37
Ethernet link aggregation LACP timeout MAC Information mode configuration, 36
interval, 43 trunk port
timeout port-based VLAN assignment (trunk port), 148
Ethernet link aggregation LACP long timeout private VLAN trunk promiscuous port
interval, 44 configuration, 177

317
 private VLAN trunk promiscuous+secondary port link type, 146
port configuration, 180 port-based configuration, 146, 157
tunneling port-based VLAN assignment (access port), 147
L2PT configuration, 274, 276, 278 port-based VLAN assignment (hybrid port), 148
L2PT enable, 276 port-based VLAN assignment (trunk port), 148
L2PT for LACP configuration, 279 port-based VLAN frame handling, 147
L2PT for STP configuration, 278 private VLAN configuration, 171, 172
L2PT tunneled packet destination multicast private VLAN configuration restrictions, 172
MAC address, 277 protocol-based VLAN configuration, 155, 162
U protocols and standards, 144
unicast PVID, 146
MAC address table configuration, 23, 24, 34 PVST, 88
MAC address table multiport unicast entry, 23 QinQ basic configuration, 223
QinQ configuration, 217, 223
V
QinQ CVLAN tag, 217
virtual QinQ implementation, 218
Virtual Local Area Network. Use VLAN QinQ SVLAN tag, 217
VLAN QinQ SVLAN tag 802.1p priority, 221
basic configuration, 144 QinQ transparent transmission, 219
configuration, 143, 157 QinQ VLAN tag TPID value, 220
configuration restrictions, 152 QinQ VLAN transparent transmission
display, 156 configuration, 225
frame encapsulation, 143 spanning tree inconsistent PVID protection
group configuration, 156 disable, 115
interface basics configuration, 145 super VLAN configuration, 166, 166, 168
interface configuration, 145 super VLAN interface configuration, 167
IP subnet-based VLAN configuration, 154, termination. See VLAN termination
160 voice VLAN advertisement (CDP), 196
L2PT configuration, 274, 276, 278 voice VLAN advertisement (LLDP), 195
L2PT for LACP configuration, 279 voice VLAN assignment mode, 189
L2PT for STP configuration, 278 voice VLAN assignment mode configuration
Layer 2 Ethernet aggregate interface (ignored (automatic), 197
VLAN), 52 voice VLAN assignment mode configuration
LLDP CDP compatibility, 263 (manual), 199
LLDP configuration (CDP-compatible), 271 voice VLAN configuration, 187, 192, 197
LLDP source MAC address, 266 voice VLAN host+IP phone connection (in series),
loop detection configuration, 136, 138, 140 188
MAC address learning disable, 28 voice VLAN IP phone access method, 188
MAC-based assignment (dynamic), 152 voice VLAN IP phone+device connection, 189
MAC-based assignment (static), 152 voice VLAN LLDP automatic IP phone discovery
enable, 195
MAC-based configuration, 158
voice VLAN port mode, 191
MAC-based VLAN configuration, 149
voice VLAN port operation configuration
MAC-based VLAN configuration (automatic assignment), 193
(server-assigned), 153
voice VLAN port operation configuration (manual
maintain, 156 assignment), 194
mapping. See VLAN mapping voice VLAN port operation configuration
MRP implementation, 201 restrictions (automatic assignment), 193
MSTP VLAN-to-instance mapping table, 92 voice VLAN port operation configuration
MVRP configuration, 201, 204, 207 restrictions (manual assignment), 194
MVRP GVRP compatibility, 207 voice VLAN traffic QoS priority settings, 192
port isolation configuration, 74 VLAN mapping

318
 0\2 application scenario, 227 port operation configuration (manual
0\2 implementation, 229 assignment), 194
1\1 application scenario, 227, 227 port operation configuration restrictions
1\1 configuration, 233, 239 (automatic assignment), 193
1\1 implementation, 229, 230 port operation configuration restrictions (manual
assignment), 194
1\2 application scenario, 227, 228
traffic QoS priority setting configuration, 192
1\2 configuration, 238, 245
VoIP
1\2 implementation, 229, 231
voice VLAN configuration, 187, 192, 197
2\2 application scenario, 227, 228
voice VLAN information advertisement to IP
2\2 configuration, 239, 245
phones, 188
2\2 implementation, 229, 231
voice VLAN IP phone access method, 188
2\3 application scenario, 227
voice VLAN IP phone identification (LLDP), 188
2\3 implementation, 229
voice VLAN IP phone identification (OUI
configuration, 227, 232, 239 address), 187
display, 239 VPN
M\1 application scenario, 227, 227 QinQ basic configuration, 223
M\1 configuration, 233, 239 QinQ configuration, 217, 223
M\1 configuration (dynamic IP address QinQ VLAN transparent transmission
assignment), 233 configuration, 225
M\1 configuration (static IP address
assignment), 236
M\1 implementation, 229, 230
voice traffic
LLDP CDP compatibility, 263
LLDP configuration (CDP-compatible), 271
voice VLAN
advertisement configuration (CDP), 196
advertisement configuration (LLDP), 195
assignment mode, 189
assignment mode (automatic), 189
assignment mode (manual), 190
assignment mode configuration (automatic),
197
assignment mode configuration (manual), 199
assignment mode+IP phone cooperation, 190
configuration, 187, 192, 197
display, 196
host+IP phone connection (in series), 188
information advertisement to IP phone, 188
IP phone access method, 188
IP phone identification (LLDP), 188
IP phone identification (OUI address), 187
IP phone identification method, 187
IP phone+device connection, 189
LLDP automatic IP phone discovery enable,
195
LLDP automatic IP phone discovery enable
restrictions, 195
port mode, 191
port operation configuration (automatic
assignment), 193

319