H3C Legacy ISP BtoC MAN Solution Guide-6W100


Legacy ISP BtoC MAN Solution Guide V1.0

Document version: 6W100-20221213

 

Copyright © 2022 New H3C Technologies Co., Ltd. All rights reserved.

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.

Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.

The information in this document is subject to change without notice.



Legacy ISP BtoC MAN solution

Overall deployment

Figure 1 Overall deployment

 

Deploy PPPoE

Configure PPPoE (BRAS as PPPoE server)

This section uses the command references and configuration guides for CR16000-F B75D058SP. The command lines and command outputs might vary by device model and software version.

Network configuration

Host is connected to BRAS through Network, and a remote DHCP server is used. Host accesses BRAS through PPPoE, and BRAS acts as a PPPoE server and DHCP relay agent to request an IPv4 address from the remote DHCP server.

Figure 2 Network diagram

 

Prerequisites

Configure IP addresses for interfaces, and make sure devices can reach each other at Layer 3.

Procedure

1.     Configure BRAS (PPPoE server):

# Configure Virtual-Template 1 to use CHAP for authenticating the peer.

<BRAS> system-view

[BRAS] interface virtual-template 1

[BRAS-Virtual-Template1] ppp authentication-mode chap domain dm1

[BRAS-Virtual-Template1] quit

# Enable the PPPoE server on GigabitEthernet 3/1/1, and bind it to Virtual-Template 1.

[BRAS] interface gigabitethernet 3/1/1

[BRAS-GigabitEthernet3/1/1] pppoe-server bind virtual-template 1

[BRAS-GigabitEthernet3/1/1] quit

# Enable DHCP.

[BRAS] dhcp enable

# Create remote BAS IP address pool pool1, and specify the gateway address, excluded IP address 2.2.2.1, and DHCP server for the address pool.

[BRAS] ip pool pool1 bas remote

[BRAS-ip-pool-pool1] gateway 2.2.2.1 24

[BRAS-ip-pool-pool1] forbidden-ip 2.2.2.1

[BRAS-ip-pool-pool1] remote-server 4.4.4.3

[BRAS-ip-pool-pool1] quit

# Enter the view of interface GigabitEthernet 3/1/1.

[BRAS] interface gigabitethernet 3/1/1

# Enable the DHCPv4 relay agent on the interface.

[BRAS-GigabitEthernet3/1/1] dhcp select relay

[BRAS-GigabitEthernet3/1/1] quit

# Configure a PPPoE user.

[BRAS] local-user user1 class network

[BRAS-luser-network-user1] password simple 123456TESTplat&!

[BRAS-luser-network-user1] service-type ppp

[BRAS-luser-network-user1] quit

# Create RADIUS scheme rs1, and enter its view.

[BRAS] radius scheme rs1

# Configure primary servers and keys for authentication and accounting.

[BRAS-radius-rs1] primary authentication 4.4.4.1

[BRAS-radius-rs1] primary accounting 4.4.4.1

[BRAS-radius-rs1] key authentication simple radius

[BRAS-radius-rs1] key accounting simple radius

# Exclude the ISP name from the username sent to the RADIUS server.

[BRAS-radius-rs1] user-name-format without-domain

[BRAS-radius-rs1] quit

# Create ISP domain dm1, and enter its view.

[BRAS] domain name dm1

# Configure the ISP domain to use RADIUS scheme rs1 for authentication, authorization, and accounting and authorize the remote BAS IP address pool.

[BRAS-isp-dm1] authentication ppp radius-scheme rs1

[BRAS-isp-dm1] authorization ppp radius-scheme rs1

[BRAS-isp-dm1] accounting ppp radius-scheme rs1

[BRAS-isp-dm1] authorization-attribute ip-pool pool1

[BRAS-isp-dm1] quit

2.     Configure DHCP (DHCP server):

# Enable DHCP.

<DHCP> system-view

[DHCP] dhcp enable

# Create IP address pool pool1, and configure the IP subnet, gateway address, and DNS server address for DHCP clients.

[DHCP] ip pool pool1

[DHCP-ip-pool-pool1] network 2.2.2.0 24

[DHCP-ip-pool-pool1] gateway-list 2.2.2.1

[DHCP-ip-pool-pool1] dns-list 8.8.8.8

# Exclude IP address 2.2.2.1 from dynamic allocation.

[DHCP-ip-pool-pool1] forbidden-ip 2.2.2.1

[DHCP-ip-pool-pool1] quit

# Configure a static route to the PPPoE server.

[DHCP] ip route-static 2.2.2.0 24 10.1.1.2

Verify the configuration

# After the configuration is completed, verify that an IPv4 address is allocated to Host when Host accesses BRAS through PPPoE by using username user1 and password 123456TESTplat&!.

[BRAS] display access-user interface gigabitethernet 3/1/1

UserID      Interface            IP address          MAC address     S-/C-VLAN
            Username             IPv6 address        Access type
0xc         GE3/1/1              2.2.2.2             001b-21a8-0949  -/-
            user1                -                   PPPoE
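
The following pre-deployment check is an added example, not part of the H3C guide: it scans the BRAS command script above for the sample secrets printed in this guide, for RADIUS shared keys shorter than the 16 octets that RFC 2865 prefers, and for PAP on the virtual template. It assumes that the `simple` keyword marks a secret typed in plaintext form; the rule names and the `GUIDE_SAMPLE_SECRETS` set are hypothetical names chosen for the example.

```python
import re

# Constructed input: the secret-bearing and AAA lines of the BRAS procedure above.
BRAS_SCRIPT = """\
[BRAS-Virtual-Template1] ppp authentication-mode chap domain dm1
[BRAS] local-user user1 class network
[BRAS-luser-network-user1] password simple 123456TESTplat&!
[BRAS-luser-network-user1] service-type ppp
[BRAS] radius scheme rs1
[BRAS-radius-rs1] primary authentication 4.4.4.1
[BRAS-radius-rs1] primary accounting 4.4.4.1
[BRAS-radius-rs1] key authentication simple radius
[BRAS-radius-rs1] key accounting simple radius
[BRAS] domain name dm1
[BRAS-isp-dm1] authentication ppp radius-scheme rs1
"""

# Secrets printed in this guide; they must be replaced before deployment.
GUIDE_SAMPLE_SECRETS = {"123456TESTplat&!", "radius"}
# RFC 2865 section 3 prefers a shared secret of at least 16 octets.
MIN_RADIUS_KEY_OCTETS = 16

# "[view] command" or "<view> command"
PROMPT = re.compile(r"^[\[<]([^\]>]+)[\]>]\s*(\S.*)$")
# Assumption: "simple" means the value that follows was typed in plaintext form.
SECRET = re.compile(r"^(password|key (?:authentication|accounting)) (simple|cipher) (.+)$")
PPP_AUTH = re.compile(r"^ppp authentication-mode (.+?)(?: domain \S+)?$")


def parse(script):
    """Yield (view, command) for every prompt line in the script."""
    for raw in script.splitlines():
        m = PROMPT.match(raw.strip())
        if m:
            yield m.group(1), m.group(2).strip()


def audit(script):
    """Return a list of (view, setting, rule) findings; secrets are never echoed."""
    findings = []
    for view, cmd in parse(script):
        m = SECRET.match(cmd)
        if m:
            setting, form, value = m.groups()
            if form != "simple":
                continue  # ciphertext form cannot be inspected here
            if value in GUIDE_SAMPLE_SECRETS:
                findings.append((view, setting, "sample-value-from-guide"))
            if setting.startswith("key") and len(value.encode()) < MIN_RADIUS_KEY_OCTETS:
                findings.append((view, setting, "radius-key-under-16-octets"))
            continue
        m = PPP_AUTH.match(cmd)
        # PAP carries the subscriber password in cleartext on the PPP link.
        if m and "pap" in m.group(1).split():
            findings.append((view, "ppp authentication-mode", "pap-cleartext-password"))
    return findings


if __name__ == "__main__":
    for view, setting, rule in audit(BRAS_SCRIPT):
        print(f"{view}: {setting}: {rule}")
```
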

Deploy GPON

This chapter uses the command references and configuration guides for P3500 devices. The command lines and command outputs might vary by device model and software version.

Network diagram

Figure 3 Network diagram

 

 

NOTE:

Directly deploy the DHCP server and RADIUS server on ACG Switch, as shown above.

 

Analysis

Deploy ONUs as follows:

1.     Deploy fibers to desktop, fibers to ceiling, fibers to wall-mounted panel, and fibers to wall-mounted information box.

2.     An ONU uses Ethernet interfaces to connect to user endpoints, and provides services such as network access/data, voice, wireless, and surveillance.

3.     For video surveillance and wireless Wi-Fi coverage, an ONU can supply power to cameras and APs through PoE.

Typical requirements

Configure a campus network to meet the following requirements:

·     The overall network uses the passive optical network (PON) architecture.

·     Networks are divided based on IP and VLAN.

·     An ONU has APs attached, and provides the wireless AP access function.

·     An ONU has analog phone endpoints attached, and provides the VoIP function.

·     An ONU has cameras attached, and provides the camera access function.

Network configuration scheme

To meet the typical requirements above, use the following network configuration scheme:

·     Determine the number of ONUs according to the number of endpoints deployed or the number of network interfaces, and deploy the ONUs on the corridors or inside the rooms.

·     Plan the OLT bandwidth.

·     Use the 802.1Q VLAN feature to divide Layer 2 networks. As a best practice, divide VLANs based on OLT interfaces.

·     As a best practice, use the north-south traffic model as the data service model.

·     Use an access controller (AC) to centrally manage the APs attached to the GPON network.

·     IP addresses are obtained from the BRAS, and authentication is performed through interaction between the BRAS and AAA server. Both operations are transparent to the other core switches.

Configuration workflow

Figure 4 Flowchart

 

 

NOTE:

The AP access service configuration is the same as the Wi-Fi access service configuration. The following section describes only the AP access service configuration. For more information about GPON redundancy backup, see All-Optical PON Network Configuration Examples.

 

Configure the ONU templates

Plan the configuration

A GPON OLT has a default HGU template, and you can configure an MDU or SFU template as needed. As a best practice, configure the maximum available uplink bandwidth for the ONU, so that the PON network can fully share the uplink bandwidth. A flow template is used to describe the uplink flow attributes, and a Tcont template is used to describe the DBA bindings.

Table 1 Flow template configuration table

Configuration item               Plan
Flow template name               newprof_flow_2
GEM port ID                      1
Matching UNIs                    All UNIs
Matching VLANs                   VLAN 101
Matching VLAN priority values    All priority values

 

Table 2 Tcont template configuration table

Configuration item     Plan
Tcont template name    newprof_tcontbind_2
Tcont ID               2
DBA                    1244160
UNI rate limiting      No rate limit

 

Procedure

1.     Configure a modular OLT:

# Set the device name for the OLT.

P3500#system name OLT

# Enter the view for an OLT card.

OLT#slot 1

GPFA-1-1> enable

GPFA-1-1#configure terminal

# Configure an ONU flow template. For the ONU flow template, set the ID to 2, the index parameter to 1, the name parameter to newprof_flow_2, and the uni-type parameter (which specifies the ONU type) to ethernet-uni, which corresponds to SFUs. The uni-bitmap parameter specifies the permitted UNIs. In this example, set the parameter to 0xf, which represents 4-port ONUs. The upmap-type parameter matches packets by vlanId. If you configure vlanId 101 for this parameter, packets tagged with VLAN 101 are matched. The first 101 represents the start VLAN, and the following 101 represents the end VLAN. When the upmap-type parameter is configured as vlanid, the pri-bitmap parameter is populated with 0xf by default. The vport 1 configuration specifies that traffic is forwarded through vPort 1.

GPFA-1-1(config-t)#gpon profile flow id 2 1 name newprof_flow_2 uni-type ethernet-uni uni-bitmap 0xf upmap-type vlanId 101 101 pri-bitmap 0xf vport 1

# In the ONU Tcont template, configure the DBA ID as 2 and name as newprof_dba_2. Set the value for the DBA mode to type4, which specifies the maximum uplink bandwidth, and set the maximum bandwidth to 1244160.

GPFA-1-1(config-t)#gpon profile dba id 2 name newprof_dba_2 type4 max 1244160

# Bind the Tcont service template to DBA template 2.

GPFA-1-1(config-t)#gpon profile tcont-svc id 2 name newprof_tcontsvc_2 dba-id 2

# In the vPort service template (GEM port service template), configure the ID as 2 and name as newprof_vportsvc_2. Set the us-pri parameter to 0, which means that the uplink traffic is assigned to queue 0. The usratectrl-id and dsratectrl-id parameters specify the uplink rate limit and downlink rate limit, respectively. A value of 0 means the rate is not limited.

GPFA-1-1(config-t)#gpon profile vportsvc id 2 name newprof_vportsvc_2 us-pri 0 usratectrl-id 0 dsratectrl-id 0

# Bind the related configurations together to the Tcont template: set the tcont-bind id parameter to 2, the v-port parameter to 1, and the name parameter to newprof_tcontbind_2. Set the vportsvc-id, tcont-id, and tcontsvc-id parameters to 2.

GPFA-1-1(config-t)#gpon profile tcont-bind id 2 v-port 1 name newprof_tcontbind_2 vportsvc-id 2 tcont-id 2 tcontsvc-id 2

2.     Configure a fixed-port OLT:

# Set the device name for the OLT.

telnet@GX3116H> enable

telnet@GX3116H#configure management

telnet@GX3116H(config-mgmt)#system hostname OLT

# Configure an ONU flow template. For the ONU flow template, set the ID to 2, the index parameter to 1, the name parameter to newprof_flow_2, and the uni-type parameter (which specifies the ONU type) to ethernet-uni, which corresponds to SFUs. The uni-bitmap parameter specifies the permitted UNIs. In this example, set the parameter to 0xf, which represents 4-port ONUs. The upmap-type parameter matches packets by vlanId. If you configure vlanId 101 for this parameter, packets tagged with VLAN 101 are matched. The first 101 represents the start VLAN, and the following 101 represents the end VLAN. When the upmap-type parameter is configured as vlanid, the pri-bitmap parameter is populated with 0xf by default. The vport 1 configuration specifies that traffic is forwarded through vPort 1.

telnet@OLT#configure terminal

telnet@OLT(config-t)#gpon profile flow id 2 1 name newprof_flow_2 uni-type ethernet-uni uni-bitmap 0xf upmap-type vlanId 101 101 pri-bitmap 0xf vport 1

# In the ONU Tcont template, configure the DBA ID as 2 and name as newprof_dba_2. Set the value for the DBA mode to type4, which specifies the maximum uplink bandwidth, and set the maximum bandwidth to 1244160 bps.

telnet@OLT(config-t)#gpon profile dba id 2 name newprof_dba_2 type4 max 1244160

# Bind the Tcont service template to DBA template 2.

telnet@OLT(config-t)#gpon profile tcont-svc id 2 name newprof_tcontsvc_2 dba-id 2

# In the vPort service template (GEM port service template), configure the ID as 2 and name as newprof_vportsvc_2. Set the us-pri parameter to 0, which means that the uplink traffic is assigned to queue 0. The usratectrl-id and dsratectrl-id parameters specify the uplink rate limit and downlink rate limit, respectively. A value of 0 means the rate is not limited.

telnet@OLT(config-t)#gpon profile vportsvc id 2 name newprof_vportsvc_2 us-pri 0 usratectrl-id 0 dsratectrl-id 0

# Bind the related configurations together to the Tcont template: set the tcont-bind id parameter to 2, the v-port parameter to 1, and the name parameter to newprof_tcontbind_2. Set the vportsvc-id, tcont-id, and tcontsvc-id parameters to 2.

telnet@OLT(config-t)#gpon profile tcont-bind id 2 v-port 1 name newprof_tcontbind_2 vportsvc-id 2 tcont-id 2 tcontsvc-id 2

Register and onboard ONUs

You can bind ONUs to ONU interfaces through the following methods: manual, bulk, and automatic.

Plan the configuration

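This section uses the automatic binding method, which is turned on by disabling ONT authentication on the OLT (gpon ont-authentication disable). After an ONU connects to the OLT, it is automatically registered and onboarded.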

Procedure

1.     Configure a modular OLT:

# Enter the view for an OLT card.

OLT#slot 1

GPFA-1-1> enable

GPFA-1-1#configure terminal

# Enable automatic ONU binding globally.

GPFA-1-1(config-t)#gpon ont-authentication disable

Info:Change auth mode will clean all onu config, are you sure to change mode? (y/n)y

GPFA-1-1(config-t)#exit

2.     Configure a fixed-port OLT:

# Enable automatic ONU binding globally.

telnet@OLT> enable

telnet@OLT#configure terminal

telnet@OLT(config-t)#gpon ont-authentication disable

Info:Change auth mode will clean all onu config, are you sure to change mode? (y/n)y

telnet@OLT(config-t)#exit

Configure the data/network access service

Plan the configuration

Table 3 Data/network access service configuration table

Configuration item                                             Plan
VLAN planning                                                  Service VLAN for UNI 1: VLAN 101
Uplink interface on OLT: Dynamic Layer 2 aggregate interface   Bridge-Aggregation 1
Uplink interfaces on OLT: Aggregation member ports             Aggregation member ports on modular OLT: XGE 3, XGE 4
                                                               Aggregation member ports on fixed-port OLT: XGE 2/1, XGE 2/2
PON port                                                       Olt 1/1
ONU interface                                                  Onu 1/1/1
UNI                                                            1
Flow template name                                             newprof_flow_2
GEM port ID in flow template                                   1
UNIs matched by flow template                                  All UNIs
VLANs matched by flow template                                 VLAN 101
VLAN priority values matched by flow template                  All priority values
Tcont template name                                            newprof_tcontbind_2
Tcont template ID                                              2
DBA in Tcont template                                          1244160
UNI rate limiting in Tcont template                            No rate limit

 

Procedure

1.     Configure a modular OLT:

# Create Layer 2 dynamic aggregate interface 1, and assign two member ports to it.

OLT# configure

OLT(CONFIG)# l2

OLT(CONFIG/L2)# port trunk 1 agge1 xge 3,4 srcMAC lacp

# Create SVLAN 101.

OLT(CONFIG/L2)# vlan

OLT(CONFIG/L2/VLAN)# vid 101 name 101

# Assign Layer 2 dynamic aggregate interface 1 to VLAN 101 as a tagged member.

OLT(CONFIG/L2/VLAN)# interface trunk 1 vid 101 tag

# Assign interface IS 1/1 to VLAN 101 as a tagged member.

OLT(CONFIG/L2/VLAN)# interface is 1/1 vid 101 tag

# Configure the OLT to transparently transmit (keep the VLAN tags unchanged) uplink and downlink packets from VLAN 101 on virtual-port 1 of ONT 1 attached to port 1 in slot 1.

OLT(CONFIG/L2/VLAN)# translate slot 1 port 1 ont 1 virtual-port 1 cvid 101 new-svid 101

# Connect the ONU to interface OLT 1/1. Automatic ONU binding is enabled globally. Interface ONU 1/1/1 will be automatically created. The ONU template has been created. Enable virtual-port 1 on interface ONU 1/1/1, and deploy the ONU template created in "Configure the ONU templates" to it.

OLT(CONFIG)#slot 1

GPFA-1-1> enable

GPFA-1-1#configure terminal

GPFA-1-1(config-t)#interface gpon-olt 1/1

GPFA-1-1(config-t-if-gpon-olt-1/1)#ont 1

GPFA-1-1(config-if-gpon-ont-1/1/1)#virtual-port 1 port unlock

# Apply the flow template and Tcont template to the ONU interface.

GPFA-1-1(config-if-gpon-ont-1/1/1)#service flow-profile 2 tcont-bind-profile 2

# Configure UNI 1 of the ONU. The up-mode parameter specifies the uplink mode. The add-vid parameter specifies adding a layer of VLAN tag. The down-mode parameter specifies the downlink mode. The delete-vid parameter specifies removing a layer of VLAN tag. The up-pri parameter modifies the priority to 0 for uplink packets. The up-vid parameter specifies adding VLAN tag 101 to the uplink untagged packets.

GPFA-1-1(config-if-gpon-ont-1/1/1)# ont-vlan eth-uni 1 up-mode add-vid down-mode delete-vid up-pri 0 up-vid 101

2.     Configure a fixed-port OLT:

# Create Layer 2 dynamic aggregate interface 1, and assign two member ports to it.

telnet@OLT> enable

telnet@OLT#configure terminal

telnet@OLT(config-t)#interface link-aggregation 1

telnet@OLT(config-t-if-lg-1)#load-balance src-MAC

telnet@OLT(config-t-if-lg-1)#member ge2/1-2

# A Layer 2 aggregate interface is down by default. Manually bring up Layer 2 aggregate interface 1.

telnet@OLT(config-t-if-lg-1)#no shutdown

telnet@OLT(config-t-if-lg-1)#exit

# Create SVLAN 101.

telnet@OLT(config-t)#vlan 101

telnet@OLT(config-t-vlan-101)#exit

# Assign the uplink aggregate interface to VLAN 101.

telnet@OLT(config-t)#interface link-aggregation 1

telnet@OLT(config-t-if-lg-1)# add-to vlan 101 tagged

telnet@OLT(config-t-if-lg-1)#exit

# Assign the internal interface of the OLT to VLAN 101.

telnet@OLT(config-t)#vlan 101

telnet@OLT(config-t-vlan-101)#member ge1/1 tagged

telnet@OLT(config-t-vlan-101)#exit

# Connect the ONU to interface OLT 1/1. Automatic ONU binding is enabled globally. Interface ONU 1/1/1 will be automatically created. The ONU template has been created. Enable virtual-port 1 on interface ONU 1/1/1, and deploy the ONU template created in "Configure the ONU templates" to it.

telnet@OLT(config-t)#interface gpon-olt 1/1

telnet@OLT(config-t-if-gpon-olt-1/1)#ont 1

telnet@OLT(config-if-gpon-ont-1/1/1)#virtual-port 1 port unlock

# Apply the flow template and Tcont template to the ONU interface.

telnet@OLT(config-if-gpon-ont-1/1/1)#service flow-profile 2 tcont-bind-profile 2

# Configure UNI 1 of the ONU. The up-mode parameter specifies the uplink mode. The add-vid parameter specifies adding a layer of VLAN tag. The down-mode parameter specifies the downlink mode. The delete-vid parameter specifies removing a layer of VLAN tag. The up-pri parameter modifies the priority to 0 for uplink packets. The up-vid parameter specifies adding VLAN tag 101 to the uplink untagged packets.

telnet@OLT(config-if-gpon-ont-1/1/1)# ont-vlan eth-uni 1 up-mode add-vid down-mode delete-vid up-pri 0 up-vid 101

# Configure the OLT to transparently transmit (keep the VLAN tags unchanged) uplink and downlink packets from VLAN 101. The value 101 to 101 specifies packets from VLAN 101.

telnet@OLT(config-t)#interface gpon-olt 1/1

telnet@OLT(config-t-if-gpon-olt-1/1)#vlantranslate 1/1 101 to 101

Configure the AP access service

In this example, separate APs are attached to the ONU. They correspond to the separate APs attached to ONU 2 on OLT 1/2 in Figure 3.

Plan the configuration

Table 4 AP access service configuration table

Configuration item                                             Plan
VLAN planning                                                  VLAN 61: Management VLAN for ONUs.
                                                               VLAN 401: Service VLAN for ONUs.
Uplink interface on OLT: Dynamic Layer 2 aggregate interface   Bridge-Aggregation 1
Uplink interfaces on OLT: Aggregation member ports             Aggregation member ports on modular OLT: XGE 3, XGE 4
                                                               Aggregation member ports on fixed-port OLT: XGE 2/1, XGE 2/2
Interface connecting to AC                                     Interface connecting to AC on modular OLT: XGE 1
                                                               Interface connecting to AC on fixed-port OLT: GE 2/3
PON port                                                       Olt 1/2
ONU interface                                                  Onu 1/2/1
UNI                                                            1
Flow template name                                             newprof_flow_3
GEM port ID in flow template                                   1
UNIs matched by flow template                                  All UNIs
VLANs matched by flow template                                 VLAN 61 and VLAN 401
VLAN priority values matched by flow template                  All priority values
Tcont template name                                            newprof_tcontbind_3
Tcont template ID                                              3
DBA in Tcont template                                          1244160
UNI rate limiting in Tcont template                            No rate limit

 

Procedure

# If no new configuration is added to public interfaces, the previous configuration will be inherited. (Details not shown.)

# Bind ONUs to ONU interfaces on the OLT. Automatic ONU binding is enabled globally. Interface ONU 1/2/1 will be automatically created.

1.     Configure a modular OLT:

# Enable PoE on a UNI on the PoE-ONU, so that the UNI can supply power to APs. This step is optional. On a PoE-capable ONU, PoE is enabled by default.

OLT#slot 1

GPFA-1-1> enable

GPFA-1-1#con t

GPFA-1-1(config-t)#int gp 1/2

GPFA-1-1(config-t-if-gpon-olt-1/2)#ont 1

GPFA-1-1(config-if-gpon-ont-1/2/1)#eth-uni 1 poe enable

# Create VLAN 61, which is to be used as the management VLAN.

OLT#configure

OLT(CONFIG)#l2

OLT(CONFIG/L2)#vlan

OLT(CONFIG/L2/VLAN)#vid 61 name 61

# Assign both interface XGE 1 connecting to the AC and OLT internal interface IS 1/1 (which corresponds to OLT 1/1 through OLT 1/4) to VLAN 61, so that the APs and AC can communicate at Layer 2 and APs can register with the AC.

OLT(CONFIG/L2/VLAN)#interface xge 1 vid 61 tag

OLT(CONFIG/L2/VLAN)#interface is 1/1 vid 61 tag

# Configure the OLT to transparently transmit (keep the VLAN tags unchanged) uplink and downlink packets from VLAN 61 on virtual-port 1 of ONT 1 attached to port 2 in slot 1.

OLT(CONFIG/L2/VLAN)# translate slot 1 port 2 ont 1 virtual-port 1 cvid 61 new-svid 61

# Create SVLAN 401.

OLT(CONFIG/L2/VLAN)# vid 401 name 401

# Assign uplink interface Bridge-Aggregation 1 to VLAN 401.

OLT(CONFIG/L2/VLAN)# interface trunk 1 vid 401 tag

# Configure the OLT to transparently transmit (keep the VLAN tag unchanged) uplink and downlink packets from VLAN 401 on virtual-port 1 of ONT 1 attached to port 2 in slot 1.

OLT(CONFIG/L2/VLAN)# translate slot 1 port 2 ont 1 virtual-port 1 cvid 401 new-svid 401

# Configure an ONU flow template.

OLT# slot 1

GPFA-1-1> enable

GPFA-1-1# configure terminal

# For the ONU flow template, set the ID to 3, the index parameter to 1, the name parameter to newprof_flow_3, and the uni-type parameter (which specifies the ONU type) to ethernet-uni, which corresponds to SFUs. The uni-bitmap parameter specifies the permitted UNIs. In this example, set the parameter to 0xf, which represents 4-port ONUs. The upmap-type parameter matches packets by vlanId. If you configure vlanId 61 for this parameter, packets tagged with VLAN 61 are matched. The first 61 represents the start VLAN, and the following 61 represents the end VLAN. When the upmap-type parameter is configured as vlanid, the pri-bitmap parameter is populated with 0xf by default. The vport 1 configuration specifies that traffic is forwarded through vPort 1.

GPFA-1-1(config-t)# gpon profile flow id 3 1 name newprof_flow_3 uni-type ethernet-uni uni-bitmap 0xf upmap-type vlanId 61 61 pri-bitmap 0xf vport 1

# For the ONU flow template, set the ID to 3, the index parameter to 2, the name parameter to newprof_flow_3_2, and the uni-type parameter (which specifies the ONU type) to ethernet-uni, which corresponds to SFUs. The uni-bitmap parameter specifies the permitted UNIs. In this example, set the parameter to 0xf, which represents 4-port ONUs. The upmap-type parameter matches packets by vlanId. If you configure vlanId 401 for this parameter, packets tagged with VLAN 401 are matched. The first 401 represents the start VLAN, and the following 401 represents the end VLAN. When the upmap-type parameter is configured as vlanid, the pri-bitmap parameter is populated with 0xf by default. The vport 1 configuration specifies that traffic is forwarded through vPort 1.

GPFA-1-1(config-t)# gpon profile flow id 3 2 name newprof_flow_3_2 uni-type ethernet-uni uni-bitmap 0xf upmap-type vlanId 401 401 pri-bitmap 0xf vport 1

# In the ONU Tcont template, configure the DBA ID as 3 and name as newprof_dba_3. Set the value for the DBA mode to type4, which specifies the maximum uplink bandwidth, and set the maximum bandwidth to 1244160.

GPFA-1-1(config-t)# gpon profile dba id 3 name newprof_dba_3 type4 max 1244160

# Bind the Tcont service template to DBA template 3, with the name as newprof_tcontsvc_3 and dba-id as 3.

GPFA-1-1(config-t)# gpon profile tcont-svc id 3 name newprof_tcontsvc_3 dba-id 3

# In the vPort service template (GEM port service template), configure the ID as 3 and name as newprof_vportsvc_3. Set the us-pri parameter to 0, which means that the uplink traffic is assigned to queue 0. The usratectrl-id and dsratectrl-id parameters specify the uplink rate limit and downlink rate limit, respectively. A value of 0 means the rate is not limited.

GPFA-1-1(config-t)# gpon profile vportsvc id 3 name newprof_vportsvc_3 us-pri 0 usratectrl-id 0 dsratectrl-id 0

# Bind the related configurations together to the Tcont template: set the tcont-bind id parameter to 3, the v-port parameter to 1, and the name parameter to newprof_tcontbind_3. Set the vportsvc-id, tcont-id, and tcontsvc-id parameters to 3.

GPFA-1-1(config-t)# gpon profile tcont-bind id 3 v-port 1 name newprof_tcontbind_3 vportsvc-id 3 tcont-id 3 tcontsvc-id 3

# Connect the ONU to interface OLT 1/2. Automatic ONU binding is enabled globally. Interface ONU 1/2/1 will be automatically created. The ONU template has been created. Enable virtual-port 1 on interface ONU 1/2/1, and deploy the ONU template to it.

OLT(CONFIG)# slot 1

GPFA-1-1> enable

GPFA-1-1# configure terminal

GPFA-1-1(config-t)# interface gpon-olt 1/2

GPFA-1-1(config-t-if-gpon-olt-1/2)# ont 1

GPFA-1-1(config-if-gpon-ont-1/2/1)# virtual-port 1 port unlock

# Apply the flow template and Tcont template to the ONU interface.

GPFA-1-1(config-if-gpon-ont-1/2/1)# service flow-profile 3 tcont-bind-profile 3

# Configure a VLAN for the UNI of the ONU. The port-vlan parameter specifies a VLAN configuration method. The downstream parameter specifies the downstream VLAN processing method. The inverse-upstream parameter specifies the inverse of the upstream processing method. Set both the intpid and outtpid parameters, which specify the packet types, to 0x8100.

GPFA-1-1(config-if-gpon-ont-1/2/1)# port-vlan 1 downstream inverse-upstream intpid 0x8100 outtpid 0x8100

# Configure the ONT to transparently transmit uplink and downlink single-tagged packets. The downstream parameter and the rule parameter must be configured together.

GPFA-1-1(config-if-gpon-ont-1/2/1)# port-vlan 1 rule 1 single-tag transparent

# The untag parameter specifies adding a layer of VLAN tag to uplink untagged packets. The add-vid parameter specifies adding tags. The inner-pri parameter specifies the priority as 0 for the tag added. The inner-vid parameter specifies adding VLAN tag 61.

GPFA-1-1(config-if-gpon-ont-1/2/1)# port-vlan 1 rule 2 untag add-vid inner-pri 0 inner-vid 61

2.     Configure a fixed-port OLT:

# Enable PoE on a UNI on the PoE-ONU, so that the UNI can supply power to APs. This step is optional. On a PoE-capable ONU, PoE is enabled by default.

telnet@OLT> enable

telnet@OLT# configure terminal

telnet@OLT(config-t)# interface gpon-olt 1/2

telnet@OLT(config-t-if-gpon-olt-1/2)# ont 1

telnet@OLT(config-if-gpon-ont-1/2/1)# eth-uni 1 poe enable

telnet@OLT(config-if-gpon-ont-1/2/1)# exit

telnet@OLT(config-t-if-gpon-olt-1/2)# exit

# Create VLAN 61, which is to be used as the management VLAN.

telnet@OLT(config-t)# vlan 61

# Assign both interface GE 2/3 connecting to the AC and OLT internal interface GE 1/2 to VLAN 61, so that the APs and AC can communicate at Layer 2 and APs can register with the AC.

telnet@OLT(config-t-vlan-61)# member ge2/3 tagged

telnet@OLT(config-t-vlan-61)# member ge1/2 tagged

telnet@OLT(config-t-vlan-61)# exit

# Create SVLAN 401.

telnet@OLT(config-t)# vlan 401

telnet@OLT(config-t-vlan-401)# exit

# Assign the uplink aggregate interface to VLAN 401.

telnet@OLT(config-t)# interface link-aggregation 1

telnet@OLT(config-t-if-lg-1)# add-to vlan 401 tagged

telnet@OLT(config-t-if-lg-1)# exit

# For the ONU flow template, set the ID to 3, the index parameter to 1, the name parameter to newprof_flow_3, and the uni-type parameter (which specifies the ONU type) to ethernet-uni, which corresponds to SFUs. The uni-bitmap parameter specifies the permitted UNIs. In this example, set the parameter to 0xf, which represents 4-port ONUs. The upmap-type parameter matches packets by vlanId. If you configure vlanId 61 for this parameter, packets tagged with VLAN 61 are matched. The first 61 represents the start VLAN, and the following 61 represents the end VLAN. When the upmap-type parameter is configured as vlanid, the pri-bitmap parameter is populated with 0xf by default. The vport 1 configuration specifies that traffic is forwarded through vPort 1.

telnet@OLT(config-t)# gpon profile flow id 3 1 name newprof_flow_3 uni-type ethernet-uni uni-bitmap 0xf upmap-type vlanId 61 61 pri-bitmap 0xf vport 1

# For the ONU flow template, set the ID to 3, the index parameter to 2, the name parameter to newprof_flow_3_2, and the uni-type parameter (which specifies the ONU type) to ethernet-uni, which corresponds to SFUs. The uni-bitmap parameter specifies the permitted UNIs. In this example, set the parameter to 0xf, which represents 4-port ONUs. The upmap-type parameter matches packets by vlanId. If you configure vlanId 401 for this parameter, packets tagged with VLAN 401 are matched. The first 401 represents the start VLAN, and the following 401 represents the end VLAN. When the upmap-type parameter is configured as vlanid, the pri-bitmap parameter is populated with 0xf by default. The vport 1 configuration specifies that traffic is forwarded through vPort 1.

telnet@OLT(config-t)# gpon profile flow id 3 2 name newprof_flow_3_2 uni-type ethernet-uni uni-bitmap 0xf upmap-type vlanId 401 401 pri-bitmap 0xf vport 1

# In the ONU Tcont template, configure the DBA ID as 3 and name as newprof_dba_3. Set the value for the DBA mode to type4, which specifies the maximum uplink bandwidth, and set the maximum bandwidth to 1244160.

telnet@OLT(config-t)# gpon profile dba id 3 name newprof_dba_3 type4 max 1244160

# Bind the Tcont service template to DBA template 3, with the name as newprof_tcontsvc_3 and dba-id as 3.

telnet@OLT(config-t)# gpon profile tcont-svc id 3 name newprof_tcontsvc_3 dba-id 3

# In the vPort service template (GEM port service template), configure the ID as 3 and name as newprof_vportsvc_3. Set the us-pri parameter to 0, which means that the uplink traffic is assigned to queue 0. The usratectrl-id and dsratectrl-id parameters specify the uplink rate limit and downlink rate limit, respectively. A value of 0 means the rate is not limited.

telnet@OLT(config-t)# gpon profile vportsvc id 3 name newprof_vportsvc_3 us-pri 0 usratectrl-id 0 dsratectrl-id 0

# Bind the related configurations together to the Tcont template: set the tcont-bind id parameter to 3, the v-port parameter to 1, and the name parameter to newprof_tcontbind_3. Set the vportsvc-id, tcont-id, and tcontsvc-id parameters to 3.

telnet@OLT(config-t)# gpon profile tcont-bind id 3 v-port 1 name newprof_tcontbind_3 vportsvc-id 3 tcont-id 3 tcontsvc-id 3

# Connect the ONU to interface OLT 1/2. Automatic ONU binding is enabled globally. Interface ONU 1/2/1 will be automatically created. The ONU template has been created. Enable virtual-port 1 on interface ONU 1/2/1, and deploy the ONU template to it.

telnet@OLT(config-t)# interface gpon-olt 1/2

telnet@OLT(config-t-if-gpon-olt-1/2)# ont 1

telnet@OLT(config-if-gpon-ont-1/2/1)# virtual-port 1 port unlock

# Apply the flow template and Tcont template to the ONU interface.

telnet@OLT(config-if-gpon-ont-1/2/1)# service flow-profile 3 tcont-bind-profile 3

# Configure a VLAN for the UNI of the ONU. The port-vlan parameter specifies a VLAN configuration method. The downstream parameter specifies the downstream VLAN processing method. The inverse-upstream parameter specifies the inverse of the upstream processing method. Set both the intpid and outtpid parameters, which specify the packet types, to 0x8100.

telnet@OLT(config-if-gpon-ont-1/2/1)# port-vlan 1 downstream inverse-upstream intpid 0x8100 outtpid 0x8100

# Configure the ONT to transparently transmit uplink and downlink single-tagged packets. The downstream parameter and the rule parameter must be configured together.

telnet@OLT(config-if-gpon-ont-1/2/1)# port-vlan 1 rule 1 single-tag transparent

# For the uplink untagged packets, the processing method is to add inner VLAN tag 61. The downstream parameter and the rule parameter must be configured together.

telnet@OLT(config-if-gpon-ont-1/2/1)# port-vlan 1 rule 2 untag add-vid inner-vid 61

telnet@OLT(config-if-gpon-ont-1/2/1)# exit

# Configure the OLT to transparently transmit (keep the VLAN tags unchanged) uplink and downlink packets from VLAN 61. The value 61 to 61 specifies packets from VLAN 61.

telnet@OLT(config-t-if-gpon-olt-1/2)# vlantranslate 1/1 61 to 61

# Configure the OLT to transparently transmit (keep the VLAN tags unchanged) uplink and downlink packets from VLAN 401. The value 401 to 401 specifies packets from VLAN 401.

telnet@OLT(config-t-if-gpon-olt-1/2)# vlantranslate 1/1 401 to 401

Configure the VoIP service (based on SIP)

Plan the configuration

Table 5 VoIP service configuration table

| Configuration item | Plan |
| --- | --- |
| Voice VLAN | VLAN 102 |
| Voice VLAN interface address | 192.168.2.1/24 |
| VLAN for connecting to SIP server | VLAN 102 |
| IP address of SIP proxy server | 20.20.1.2 |
| Phone number | 3001 |
| Interface connecting OLT to SIP server | XGE 1 |
| PON port | OLT 1/1 |
| ONU interface | Onu 1/1/1 |
| Voice port | 1 |
| ONU management IP / Voice service IP | 192.168.2.11/24 |

 

Procedure

1.     Configure a modular OLT:

# Create VLAN 102, which is to be used as the management VLAN and voice VLAN, and configure the VLAN to operate in routed mode.

OLT#configure

OLT(CONFIG)#l2

OLT(CONFIG/L2)#vlan

OLT(CONFIG/L2/VLAN)#vid 102 name 102 mode routed

# Assign uplink interface XGE 1 and interface IS 1/1 to VLAN 102.

OLT(CONFIG/L2/VLAN)#interface xge 1 vid 102 tag

OLT(CONFIG/L2/VLAN)#interface is 1/1 vid 102 tag

OLT(CONFIG/L2/VLAN)#exit

OLT(CONFIG/L2)#exit

# Assign an IP address to the management VLAN and voice VLAN interface. For VLAN 102:1, 1 is the sub-VLAN of VLAN 102. When configuring an IP address, you must specify the sub-VLAN.

OLT(CONFIG)#l3

OLT(CONFIG/L3)#interface

OLT(CONFIG/L3/VLAN)# interface vlan 102:1 ip 192.168.2.1 netmask 255.255.255.0

OLT(CONFIG/L3/VLAN)#exit

OLT(CONFIG/L3)#exit

# Configure the OLT to transparently transmit (keep the tag unchanged) uplink and downlink packets from VLAN 102 on virtual-port 1 of ONT 1 attached to port 1 in slot 1.

OLT(CONFIG)#l2

OLT(CONFIG/L2)#vlan

OLT(CONFIG/L2/VLAN)# translate slot 1 port 1 ont 1 virtual-port 1 cvid 102 new-svid 102

# Configure the flow template and voice template for the ONU management IP.

OLT# slot 1

GPFA-1-1> enable

GPFA-1-1# configure terminal

# Configure the flow template for the ONU management IP. For the ONU flow template, set the ID to 4, the index parameter to 1, the name parameter to newprof_flow_4, and the uni-type parameter to ip-host, which corresponds to the management IP. The uni-bitmap parameter specifies the permitted UNIs. In this example, set the parameter to 0xf, which represents 4-port ONUs. The upmap-type parameter matches packets by vlanId. If you configure vlanId 102 for this parameter, packets tagged with VLAN 102 are matched. The first 102 represents the start VLAN, and the following 102 represents the end VLAN. When the upmap-type parameter is configured as vlanId, the pri-bitmap parameter is populated with 0xf by default. The vport 1 configuration specifies that traffic is forwarded through vPort 1.

GPFA-1-1(config-t)# gpon profile flow id 4 1 name newprof_flow_4 uni-type ip-host uni-bitmap 0xf upmap-type vlanId 102 102 pri-bitmap 0xf vport 1

# Configure the voip-sip-server template, with the ID as 1 and name as 1. The proxy-addr parameter specifies the proxy voice server address as 20.20.1.2. The external-proxy-addr parameter specifies the external proxy voice server address as 20.20.1.2. The registering-addr parameter specifies the registered voice server address as 20.20.1.2. The tcp-port parameter specifies the voice server port number as 5060.

GPFA-1-1(config-t)# gpon profile voip-sip-server id 1 name 1 proxy-addr 20.20.1.2 external-proxy-addr 20.20.1.2 registering-addr 20.20.1.2 tcp-port 5060

# In the ONU Tcont template, configure the DBA ID as 4 and name as newprof_dba_4. Set the value for the DBA mode to type4, which specifies the maximum uplink bandwidth, and set the maximum bandwidth to 1244160.

GPFA-1-1(config-t)# gpon profile dba id 4 name newprof_dba_4 type4 max 1244160

# Bind the Tcont service template to DBA template 4, with the name as newprof_tcontsvc_4 and dba-id as 4.

GPFA-1-1(config-t)# gpon profile tcont-svc id 4 name newprof_tcontsvc_4 dba-id 4

# In the vPort service template (GEM port service template), configure the ID as 4 and name as newprof_vportsvc_4. Set the us-pri parameter to 0, which means that the uplink traffic is assigned to queue 0. The usratectrl-id and dsratectrl-id parameters specify the uplink rate limit and downlink rate limit, respectively. A value of 0 means the rate is not limited.

GPFA-1-1(config-t)# gpon profile vportsvc id 4 name newprof_vportsvc_4 us-pri 0 usratectrl-id 0 dsratectrl-id 0

# Bind the related configurations together to the Tcont template: set the tcont-bind id parameter to 4, the v-port parameter to 1, and the name parameter to newprof_tcontbind_4. Set the vportsvc-id, tcont-id, and tcontsvc-id parameters to 4.

GPFA-1-1(config-t)# gpon profile tcont-bind id 4 v-port 1 name newprof_tcontbind_4 vportsvc-id 4 tcont-id 4 tcontsvc-id 4

# Connect the ONU to interface OLT 1/1. Automatic ONU binding is enabled globally. Interface ONU 1/1/1 will be automatically created. The ONU template has been created. Enable virtual-port 1 on interface ONU 1/1/1, and deploy the ONU template, management IP configuration, and voice configuration to it.

OLT(CONFIG)# slot 1

GPFA-1-1> enable

GPFA-1-1# configure terminal

GPFA-1-1(config-t)# interface gpon-olt 1/1

GPFA-1-1(config-t-if-gpon-olt-1/1)# ont 1

GPFA-1-1(config-if-gpon-ont-1/1/1)# virtual-port 1 port unlock

# Apply the flow template and Tcont template to the ONU interface.

GPFA-1-1(config-if-gpon-ont-1/1/1)# service flow-profile 4 tcont-bind-profile 4

# Configure 192.168.2.11 as the management IP address of the ONU. Configure 192.168.2.1 as the gateway address. The static parameter specifies that the IP address is static, and the value 1 after static is a flag.

GPFA-1-1(config-if-gpon-ont-1/1/1)# ip-host 192.168.2.11 255.255.255.0 192.168.2.1 static 1

# For the first voice interface, execute the ont-pots-uni 1 command. In this command, the first 3001 specifies a phone number, the second 3001 specifies a username, the third 3001 specifies a password, and the fourth 3001 specifies the name displayed. The value 1 before ip-host specifies voice template 1 (gpon profile voip-sip-server id 1). The value 1 after ip-host specifies the static 1 configuration in the ip-host command above.

GPFA-1-1(config-if-gpon-ont-1/1/1)# ont-pots-uni 1 3001 3001 3001 3001 1 ip-host 1

# Configure the VLAN operation mode as VLAN PVID for the voice interface of the ONU. The port-vlan parameter specifies a VLAN configuration method. The downstream parameter specifies the downstream VLAN processing method. The inverse-upstream parameter specifies the inverse of the upstream processing method. Set both the intpid and outtpid parameters, which specify the packet types, to 0x8100.

GPFA-1-1(config-if-gpon-ont-1/1/1)# port-vlan 128 downstream inverse-upstream intpid 0x8100 outtpid 0x8100

# Execute the port-vlan 128 command to configure the VLAN mode for the voice VLAN. Add VLAN tag 102 to the uplink untagged voice packets and set the inner-pri to 0 for the packets. In the downlink direction, allow only voice packets from VLAN 102 to pass through, and forward these packets after removing their VLAN tags.

GPFA-1-1(config-if-gpon-ont-1/1/1)# port-vlan 128 rule 1 untag add-vid inner-pri 0 inner-vid 102

2.     Configure a fixed-port OLT:

# Enable ARP learning globally.

telnet@OLT(config-t)# arp-learning enable

# Create VLAN 102, which is to be used as the management VLAN and voice VLAN.

telnet@OLT(config-t)# vlan 102

# Assign uplink interface GE 2/1 and internal interface GE 1/1, which connects the OLT interface to the forwarding chip, to VLAN 102.

telnet@OLT(config-t-vlan-102)# member ge1/1 tagged

telnet@OLT(config-t-vlan-102)# member ge2/1 tagged

telnet@OLT(config-t-vlan-102)# exit

# Assign an IP address to the management VLAN and voice VLAN interface.

telnet@OLT(config-t)# interface vlan 102

telnet@OLT(config-t-if-vlan-102)# ip address 192.168.2.1 255.255.255.0

telnet@OLT(config-t-if-vlan-102)# no shutdown

telnet@OLT(config-t-if-vlan-102)# exit

# Configure the flow template for the ONU management IP. For the ONU flow template, set the ID to 4, the index parameter to 1, the name parameter to newprof_flow_4, and the uni-type parameter to ip-host, which corresponds to the management IP. The uni-bitmap parameter specifies the permitted UNIs. In this example, set the parameter to 0xf, which represents 4-port ONUs. The upmap-type parameter matches packets by vlanId. If you configure vlanId 102 for this parameter, packets tagged with VLAN 102 are matched. The first 102 represents the start VLAN, and the following 102 represents the end VLAN. When the upmap-type parameter is configured as vlanId, the pri-bitmap parameter is populated with 0xf by default. The vport 1 configuration specifies that traffic is forwarded through vPort 1.

telnet@OLT(config-t)# gpon profile flow id 4 1 name newprof_flow_4 uni-type ip-host uni-bitmap 0xf upmap-type vlanId 102 102 pri-bitmap 0xf vport 1

# Configure the voip-sip-server template, with the ID as 1 and name as 1. The proxy-addr parameter specifies the proxy voice server address as 20.20.1.2. The external-proxy-addr parameter specifies the external proxy voice server address as 20.20.1.2. The registering-addr parameter specifies the registered voice server address as 20.20.1.2. The tcp-port parameter specifies the voice server port number as 5060.

telnet@OLT(config-t)# gpon profile voip-sip-server id 1 name 1 proxy-addr 20.20.1.2 external-proxy-addr 20.20.1.2 registering-addr 20.20.1.2 tcp-port 5060

# In the ONU Tcont template, configure the DBA ID as 4 and name as newprof_dba_4. Set the value for the DBA mode to type4, which specifies the maximum uplink bandwidth, and set the maximum bandwidth to 1244160.

telnet@OLT(config-t)# gpon profile dba id 4 name newprof_dba_4 type4 max 1244160

# Bind the Tcont service template to a DBA template, with the tcont-svc id as 4, name as newprof_tcontsvc_4, and dba-id as 4.

telnet@OLT(config-t)# gpon profile tcont-svc id 4 name newprof_tcontsvc_4 dba-id 4

# In the vPort service template (GEM port service template), configure the ID as 4 and name as newprof_vportsvc_4. Set the us-pri parameter to 0, which means that the uplink traffic is assigned to queue 0. The usratectrl-id and dsratectrl-id parameters specify the uplink rate limit and downlink rate limit, respectively. A value of 0 means the rate is not limited.

telnet@OLT(config-t)# gpon profile vportsvc id 4 name newprof_vportsvc_4 us-pri 0 usratectrl-id 0 dsratectrl-id 0

# Bind the related configurations together to the Tcont template: set the tcont-bind id parameter to 4, the v-port parameter to 1, and the name parameter to newprof_tcontbind_4. Set the vportsvc-id, tcont-id, and tcontsvc-id parameters to 4.

telnet@OLT(config-t)# gpon profile tcont-bind id 4 v-port 1 name newprof_tcontbind_4 vportsvc-id 4 tcont-id 4 tcontsvc-id 4

# Connect the ONU to interface OLT 1/1. Automatic ONU binding is enabled globally. Interface ONU 1/1/1 will be automatically created. The ONU template has been created. Enable virtual-port 1 on interface ONU 1/1/1, and deploy the ONU template, management IP configuration, and voice configuration to it.

telnet@OLT(config-t)# interface gpon-olt 1/1

telnet@OLT(config-t-if-gpon-olt-1/1)# ont 1

telnet@OLT(config-if-gpon-ont-1/1/1)# virtual-port 1 port unlock

# Apply the flow template and Tcont template to the ONU interface.

telnet@OLT(config-if-gpon-ont-1/1/1)# service flow-profile 4 tcont-bind-profile 4

# Configure 192.168.2.11 as the management IP address of the ONU. Configure 192.168.2.1 as the gateway address. The static parameter specifies that the IP address is static, and the value 1 after static is a flag.

telnet@OLT(config-if-gpon-ont-1/1/1)# ip-host 192.168.2.11 255.255.255.0 192.168.2.1 static 1

# For the first voice interface, execute the ont-pots-uni 1 command. In this command, the first 3001 specifies a phone number, the second 3001 specifies a username, the third 3001 specifies a password, and the fourth 3001 specifies the name displayed. The value 1 before ip-host specifies voice template 1 (gpon profile voip-sip-server id 1). The value 1 after ip-host specifies the static 1 configuration in the ip-host command above.

telnet@OLT(config-if-gpon-ont-1/1/1)# ont-pots-uni 1 3001 3001 3001 3001 1 ip-host 1

# Configure the VLAN operation mode as VLAN PVID for the voice interface of the ONU. The port-vlan parameter specifies a VLAN configuration method. The downstream parameter specifies the downstream VLAN processing method. The inverse-upstream parameter specifies the inverse of the upstream processing method. Set both the intpid and outtpid parameters, which specify the packet types, to 0x8100.

telnet@OLT(config-if-gpon-ont-1/1/1)# port-vlan 128 downstream inverse-upstream intpid 0x8100 outtpid 0x8100

# Execute the port-vlan 128 command to configure the VLAN mode for the voice VLAN. Add VLAN tag 102 to the uplink untagged voice packets and set the inner-pri to 0 for the packets. In the downlink direction, allow only voice packets from VLAN 102 to pass through, and forward these packets after removing their VLAN tags.

telnet@OLT(config-if-gpon-ont-1/1/1)# port-vlan 128 rule 1 untag add-vid inner-pri 0 inner-vid 102

telnet@OLT(config-if-gpon-ont-1/1/1)# exit

# Configure the OLT to transparently transmit (keep the VLAN tags unchanged) uplink and downlink packets from VLAN 102. The value 102 to 102 specifies packets from VLAN 102.

telnet@OLT(config-t-if-gpon-olt-1/1)# vlantranslate 1/1 102 to 102
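The following audit script is an added example, not H3C tooling. It parses the fixed-port OLT voice commands above, using the ont-pots-uni field order this section gives, and reports a SIP password that equals the phone number or username, references to an undefined voip-sip-server profile or ip-host flag, and an added voice VLAN that the applied flow template does not match. The function names and finding labels are hypothetical, and treating an unmatched VLAN as a misconfiguration is an assumption.

```python
import re

# Constructed sample: the fixed-port OLT voice commands from the procedure
# above, with prompts removed. All values are the guide's own.
SAMPLE_CONFIG = """\
gpon profile flow id 4 1 name newprof_flow_4 uni-type ip-host uni-bitmap 0xf upmap-type vlanId 102 102 pri-bitmap 0xf vport 1
gpon profile voip-sip-server id 1 name 1 proxy-addr 20.20.1.2 external-proxy-addr 20.20.1.2 registering-addr 20.20.1.2 tcp-port 5060
interface gpon-olt 1/1
ont 1
virtual-port 1 port unlock
service flow-profile 4 tcont-bind-profile 4
ip-host 192.168.2.11 255.255.255.0 192.168.2.1 static 1
ont-pots-uni 1 3001 3001 3001 3001 1 ip-host 1
port-vlan 128 downstream inverse-upstream intpid 0x8100 outtpid 0x8100
port-vlan 128 rule 1 untag add-vid inner-pri 0 inner-vid 102
exit
vlantranslate 1/1 102 to 102
"""

PROMPT_RE = re.compile(r"^\S*[>#]\s*")  # e.g. "telnet@OLT(config-t)# "
FLOW_RE = re.compile(
    r"gpon profile flow id (\d+) \d+ .*upmap-type vlanId (\d+) (\d+)", re.I)
SIP_RE = re.compile(r"gpon profile voip-sip-server id (\d+) ")
OLT_RE = re.compile(r"interface gpon-olt (\S+)")
ONT_RE = re.compile(r"ont (\d+)$")
SERVICE_RE = re.compile(r"service flow-profile (\d+) ")
IPHOST_RE = re.compile(r"ip-host \S+ \S+ \S+ static (\d+)")
# Field order as described in this section: voice port, phone number,
# username, password, display name, voip-sip-server ID, ip-host flag.
POTS_RE = re.compile(
    r"ont-pots-uni (\d+) (\S+) (\S+) (\S+) (\S+) (\d+) ip-host (\d+)")
ADDVID_RE = re.compile(r"port-vlan \d+ rule \d+ untag add-vid .*inner-vid (\d+)")


def parse(config_text):
    """Return (flow VLAN ranges, SIP profile IDs, per-ONT settings)."""
    flows, sip_ids, onts, olt, ont = {}, set(), [], "?", None
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())
        if m := FLOW_RE.match(line):
            flows[m[1]] = (int(m[2]), int(m[3]))
        elif m := SIP_RE.match(line):
            sip_ids.add(m[1])
        elif m := OLT_RE.match(line):
            olt = m[1]
        elif m := ONT_RE.match(line):
            ont = {"name": f"{olt}/{m[1]}", "flow": None,
                   "iphosts": set(), "pots": [], "vids": []}
            onts.append(ont)
        elif ont is None:
            continue  # ONT-level commands only count inside an ONT view
        elif m := SERVICE_RE.match(line):
            ont["flow"] = m[1]
        elif m := IPHOST_RE.match(line):
            ont["iphosts"].add(m[1])
        elif m := POTS_RE.match(line):
            ont["pots"].append(m.groups())
        elif m := ADDVID_RE.match(line):
            ont["vids"].append(int(m[1]))
    return flows, sip_ids, onts


def audit(config_text):
    """Return a sorted list of (ont, finding, detail) tuples."""
    flows, sip_ids, onts = parse(config_text)
    findings = []
    for ont in onts:
        for port, phone, user, password, _name, sip_id, flag in ont["pots"]:
            if password in (phone, user):
                findings.append((ont["name"], "sip-password-guessable",
                                 f"voice port {port}: password equals the "
                                 "phone number or username"))
            if sip_id not in sip_ids:
                findings.append((ont["name"], "sip-profile-undefined",
                                 f"voice port {port}: voip-sip-server id "
                                 f"{sip_id} is not configured"))
            if flag not in ont["iphosts"]:
                findings.append((ont["name"], "ip-host-undefined",
                                 f"voice port {port}: no ip-host with "
                                 f"static flag {flag}"))
        vlan_range = flows.get(ont["flow"])
        for vid in ont["vids"]:
            # Assumption: a tag outside the flow template's VLAN range is
            # not matched by that template, so it is reported.
            if vlan_range is None or not vlan_range[0] <= vid <= vlan_range[1]:
                findings.append((ont["name"], "vlan-outside-flow",
                                 f"added VLAN {vid} is not matched by flow "
                                 f"profile {ont['flow']}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(*finding, sep=": ")
```

Run against the guide's values, the only finding is the SIP password, because the example sets the phone number, username, and password to 3001.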

Configure the camera access service

Plan the configuration

Table 6 Camera access service configuration table

| Configuration item | Plan |
| --- | --- |
| VLAN planning | VLAN 301: Service VLAN for UNI1. |
| Uplink interface on OLT: Dynamic Layer 2 aggregate interface | Bridge-Aggregation 1 |
| Uplink interfaces on OLT: Aggregation member ports | Aggregation member ports on modular OLT: XGE 3, XGE 4. Aggregation member ports on fixed-port OLT: XGE 2/1, XGE 2/2. |
| PON port | Olt 1/3 |
| ONU interface | Onu 1/3/1 |
| UNI | 1 |
| Flow template name | newprof_flow_4 |
| GEM port ID in flow template | 1 |
| UNIs matched by flow template | All UNIs |
| VLANs matched by flow template | VLAN 301 |
| VLAN priority values matched by flow template | All priority values |
| Tcont template name | newprof_tcontbind_4 |
| Tcont template ID | 4 |
| DBA in Tcont template | 1244160 |
| UNI rate limiting in Tcont template | No rate limit |

 

Procedure

# If no new configuration is added to public interfaces, the previous configuration will be inherited. (Details not shown.)

1.     Configure a modular OLT:

# Enable PoE on a UNI on the PoE-ONU, so that the UNI can supply power to cameras. This step is optional. On a PoE-capable ONU, PoE is enabled by default.

OLT# slot 1

GPFA-1-1> enable

GPFA-1-1# con t

GPFA-1-1(config-t)# int gp 1/3

GPFA-1-1(config-t-if-gpon-olt-1/3)# ont 1

GPFA-1-1(config-if-gpon-ont-1/3/1)# eth-uni 1 poe enable

# Create VLAN 301, which is to be used as the video service VLAN.

OLT# configure

OLT(CONFIG)# l2

OLT(CONFIG/L2)# vlan

OLT(CONFIG/L2/VLAN)# vid 301 name 301

# Assign uplink interface Bridge-Aggregation 1 to VLAN 301.

OLT(CONFIG/L2/VLAN)# interface trunk 1 vid 301 tag

# Configure the OLT to transparently transmit (keep the VLAN tags unchanged) uplink and downlink packets from VLAN 301 on virtual-port 1 of ONT 1 attached to port 3 in slot 1.

OLT(CONFIG/L2/VLAN)# translate slot 1 port 3 ont 1 virtual-port 1 cvid 301 new-svid 301

# Configure an ONU flow template to match traffic from VLAN 301.

OLT# slot 1

GPFA-1-1> enable

GPFA-1-1# configure terminal

GPFA-1-1(config-t)# gpon profile flow id 4 1 name newprof_flow_4 uni-type ethernet-uni uni-bitmap 0xf upmap-type vlanId 301 301 pri-bitmap 0xf vport 1

# Configure an ONU Tcont template. Configure the maximum available value for the uplink bandwidth. Do not rate-limit the UNI.

GPFA-1-1(config-t)# gpon profile dba id 4 name newprof_dba_4 type4 max 1244160

GPFA-1-1(config-t)# gpon profile tcont-svc id 4 name newprof_tcontsvc_4 dba-id 4

GPFA-1-1(config-t)# gpon profile vportsvc id 4 name newprof_vportsvc_4 us-pri 0 usratectrl-id 0 dsratectrl-id 0

GPFA-1-1(config-t)# gpon profile tcont-bind id 4 v-port 1 name newprof_tcontbind_4 vportsvc-id 4 tcont-id 4 tcontsvc-id 4

# Connect the ONU to interface OLT 1/3. Automatic ONU binding is enabled globally. Interface ONU 1/3/1 will be automatically created. The ONU template has been created. Enable virtual-port 1 on interface ONU 1/3/1, and deploy the ONU template to it.

OLT(CONFIG)# slot 1

GPFA-1-1> enable

GPFA-1-1# configure terminal

GPFA-1-1(config-t)# interface gpon-olt 1/3

GPFA-1-1(config-t-if-gpon-olt-1/3)# ont 1

GPFA-1-1(config-if-gpon-ont-1/3/1)# virtual-port 1 port unlock

GPFA-1-1(config-if-gpon-ont-1/3/1)# service flow-profile 4 tcont-bind-profile 4

# Set the VLAN operation mode to tag mode on UNI 1 of the PoE-ONU. Then, packets received on UNI 1 will be tagged with VLAN 301.

GPFA-1-1(config-if-gpon-ont-1/3/1)# port-vlan 1 downstream inverse-upstream intpid 0x8100 outtpid 0x8100

GPFA-1-1(config-if-gpon-ont-1/3/1)# port-vlan 1 rule 1 single-tag transparent

GPFA-1-1(config-if-gpon-ont-1/3/1)# port-vlan 1 rule 2 untag add-vid inner-pri 0 inner-vid 301

# Enable flow control on UNI 1 to avoid packet loss caused by congestion. Also, enable flow control on the peer of the UNI, the camera.

GPFA-1-1(config-if-gpon-ont-1/3/1)# eth-uni 1 config pause-time 10

GPFA-1-1(config-if-gpon-ont-1/3/1)# exit

2.     Configure a fixed-port OLT:

# Enable PoE on a UNI on the PoE-ONU, so that the UNI can supply power to cameras. This step is optional. On a PoE-capable ONU, PoE is enabled by default.

telnet@OLT> enable

telnet@OLT# configure terminal

telnet@OLT(config-t)# interface gpon-olt 1/3

telnet@OLT(config-t-if-gpon-olt-1/3)# ont 1

telnet@OLT(config-if-gpon-ont-1/3/1)# eth-uni 1 poe enable

telnet@OLT(config-if-gpon-ont-1/3/1)# exit

telnet@OLT(config-t-if-gpon-olt-1/3)# exit

# Create VLAN 301, which is to be used as the video service VLAN.

telnet@OLT(config-t)# vlan 301

telnet@OLT(config-t-vlan-301)# exit

# Assign the uplink aggregate interface to VLAN 301.

telnet@OLT(config-t)# interface link-aggregation 1

telnet@OLT(config-t-if-lg-1)# add-to vlan 301 tagged

telnet@OLT(config-t-if-lg-1)# exit

# Configure an ONU flow template to match traffic from VLAN 301.

telnet@OLT(config-t)# gpon profile flow id 4 1 name newprof_flow_4 uni-type ethernet-uni uni-bitmap 0xf upmap-type vlanId 301 301 pri-bitmap 0xf vport 1

# Configure an ONU Tcont template. Configure the maximum available value for the uplink bandwidth. Do not rate-limit the UNI.

telnet@OLT(config-t)# gpon profile dba id 4 name newprof_dba_4 type4 max 1244160

telnet@OLT(config-t)# gpon profile tcont-svc id 4 name newprof_tcontsvc_4 dba-id 4

telnet@OLT(config-t)# gpon profile vportsvc id 4 name newprof_vportsvc_4 us-pri 0 usratectrl-id 0 dsratectrl-id 0

telnet@OLT(config-t)# gpon profile tcont-bind id 4 v-port 1 name newprof_tcontbind_4 vportsvc-id 4 tcont-id 4 tcontsvc-id 4

# Connect the ONU to interface OLT 1/3. Automatic ONU binding is enabled globally. Interface ONU 1/3/1 will be automatically created. The ONU template has been created. Enable virtual-port 1 on interface ONU 1/3/1, and deploy the ONU template to it.

telnet@OLT(config-t)# interface gpon-olt 1/3

telnet@OLT(config-t-if-gpon-olt-1/3)# ont 1

telnet@OLT(config-if-gpon-ont-1/3/1)# virtual-port 1 port unlock

telnet@OLT(config-if-gpon-ont-1/3/1)# service flow-profile 4 tcont-bind-profile 4

# Set the VLAN operation mode to tag mode on UNI 1 of the PoE-ONU. Then, packets received on UNI 1 will be tagged with VLAN 301.

telnet@OLT(config-if-gpon-ont-1/3/1)# port-vlan 1 downstream inverse-upstream intpid 0x8100 outtpid 0x8100

telnet@OLT(config-if-gpon-ont-1/3/1)# port-vlan 1 rule 1 single-tag transparent

telnet@OLT(config-if-gpon-ont-1/3/1)# port-vlan 1 rule 2 untag add-vid inner-vid 301

# Enable flow control on UNI 1 to avoid packet loss caused by congestion. Also, enable flow control on the peer of the UNI, the camera.

telnet@OLT(config-if-gpon-ont-1/3/1)# eth-uni 1 config pause-time 10

telnet@OLT(config-if-gpon-ont-1/3/1)# exit

# Configure the OLT to transparently transmit uplink and downlink packets (keep the VLAN tags unchanged) from VLAN 301. The value 301 to 301 specifies packets from VLAN 301.

telnet@OLT(config-t-if-gpon-olt-1/3)# vlantranslate 1/1 301 to 301

Deploy access switches

Network diagram

Figure 5 Network diagram

 

Analysis

Ethernet access deployment methods

·     Deploy fibers/network cables to rooms.

·     Connect Ethernet ports to user endpoints through IPoE to provide network access/data, voice, wireless, and monitoring services.

·     To implement video surveillance and Wi-Fi coverage, access switches can supply power to cameras and APs through PoE.

Typical requirements

·     The overall network uses the fiber and network cable architecture.

·     Networks are divided based on IP and VLAN.

·     The access device is connected to hosts to provide authentication.

·     The access network is configured with Layer 2 services to ensure service reliability.

Network configuration scheme

To meet the typical requirements above, use the following network configuration scheme:

·     Determine the number of access switches according to the number of endpoints deployed or the number of network interfaces.

·     Use the 802.1Q VLAN feature to divide Layer 2 networks. As a best practice, divide VLANs based on access switch ports.

·     As a best practice, use the north-south traffic model as the data service model.

·     IP addresses are obtained from the BRAS, and authentication is performed through interaction between the BRAS and AAA servers, which are transparent to the other core switches.

Configuration workflow

Figure 6 Flowchart

 

Configure link aggregation

An aggregation group operates in one of the following modes:

·     Static—Static aggregation is stable. An aggregation group in static mode is called a static aggregation group. The aggregation states of the member ports in a static aggregation group are not affected by the peer ports.

·     Dynamic—An aggregation group in dynamic mode is called a dynamic aggregation group. Dynamic aggregation is implemented through IEEE 802.3ad Link Aggregation Control Protocol (LACP). The local system and the peer system automatically maintain the aggregation states of the member ports.

This section describes the dynamic aggregation group configuration.

Plan the configuration

Table 7 Link aggregation configuration table

| Configuration item | Plan |
| --- | --- |
| Link aggregation mode | Dynamic |
| VLANs | VLAN 10, VLAN 20 |
| Interfaces | GE1/0/1, GE1/0/2, GE1/0/3, GE1/0/4, and GE1/0/5 |
| Link type | Trunk |
| Aggregation group | 1 |

 

Procedure

1.     Configure Device A:

# Create VLAN 10, and assign GigabitEthernet 1/0/4 to the VLAN.

<DeviceA> system-view

[DeviceA] vlan 10

[DeviceA-vlan10] port gigabitethernet 1/0/4

[DeviceA-vlan10] quit

# Create VLAN 20, and assign GigabitEthernet 1/0/5 to the VLAN.

[DeviceA] vlan 20

[DeviceA-vlan20] port gigabitethernet 1/0/5

[DeviceA-vlan20] quit

# Create Layer-2 aggregate interface Bridge-Aggregation 1 and set its aggregation mode to dynamic.

[DeviceA] interface bridge-aggregation 1

[DeviceA-Bridge-Aggregation1] link-aggregation mode dynamic

[DeviceA-Bridge-Aggregation1] quit

# Assign interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to link aggregation group 1.

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1

[DeviceA-GigabitEthernet1/0/1] quit

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] port link-aggregation group 1

[DeviceA-GigabitEthernet1/0/2] quit

[DeviceA] interface gigabitethernet 1/0/3

[DeviceA-GigabitEthernet1/0/3] port link-aggregation group 1

[DeviceA-GigabitEthernet1/0/3] quit

# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to VLANs 10 and 20.

[DeviceA] interface bridge-aggregation 1

[DeviceA-Bridge-Aggregation1] port link-type trunk

[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20

[DeviceA-Bridge-Aggregation1] quit

2.     Configure Device B:

Configure Device B in the same way Device A is configured. (Details not shown.)

Verifying the configuration

# Display detailed information about all aggregation groups on Device A.

[DeviceA] display link-aggregation verbose

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing

Port Status: S -- Selected, U -- Unselected, I -- Individual

Port: A -- Auto port, M -- Management port, R -- Reference port

Flags:  A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,

  D -- Synchronization, E -- Collecting, F -- Distributing,

  G -- Defaulted, H -- Expired

 

Aggregate Interface: Bridge-Aggregation1

Creation Mode: Manual

Aggregation Mode: Dynamic

Loadsharing Type: Shar

Management VLANs: None

System ID: 0x8000, 000f-e267-6c6a

Local:

  Port        Status  Priority  Index  Oper-Key  Flag

  GE1/0/1(R)  S       32768     11     1         {ACDEF}

  GE1/0/2     S       32768     12     1         {ACDEF}

  GE1/0/3     S       32768     13     1         {ACDEF}

Remote:

  Actor    Priority  Index  Oper-Key  SystemID                Flag

  GE1/0/1  32768     81     1         0x8000, 000f-e267-57ad  {ACDEF}

  GE1/0/2  32768     82     1         0x8000, 000f-e267-57ad  {ACDEF}

  GE1/0/3  32768     83     1         0x8000, 000f-e267-57ad  {ACDEF}

The output shows that link aggregation group 1 is a Layer 2 dynamic aggregation group in load sharing mode that contains three Selected ports.
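The check described above can be automated. The following parser is an added example, not H3C code: it reads display link-aggregation verbose output and reports member ports that are not Selected, lack the C, D, E, or F flags, carry the G (Defaulted) or H (Expired) flag, or report a different partner system ID than the other members. The function names and finding labels are hypothetical, and the sample is this section's output with the columns re-spaced.

```python
import re

# Sample input: the output shown in this section, columns re-spaced.
SAMPLE_OUTPUT = """\
Aggregate Interface: Bridge-Aggregation1
Creation Mode: Manual
Aggregation Mode: Dynamic
Loadsharing Type: Shar
Management VLANs: None
System ID: 0x8000, 000f-e267-6c6a
Local:
  Port        Status  Priority  Index  Oper-Key  Flag
  GE1/0/1(R)  S       32768     11     1         {ACDEF}
  GE1/0/2     S       32768     12     1         {ACDEF}
  GE1/0/3     S       32768     13     1         {ACDEF}
Remote:
  Actor    Priority  Index  Oper-Key  SystemID                Flag
  GE1/0/1  32768     81     1         0x8000, 000f-e267-57ad  {ACDEF}
  GE1/0/2  32768     82     1         0x8000, 000f-e267-57ad  {ACDEF}
  GE1/0/3  32768     83     1         0x8000, 000f-e267-57ad  {ACDEF}
"""

# Port name with an optional marker such as "(R)", then the status letter.
LOCAL_RE = re.compile(
    r"(\S+?)(?:\(\w\))?\s+([SUI])\s+\d+\s+\d+\s+\d+\s+\{([A-H]*)\}$")
REMOTE_RE = re.compile(
    r"(\S+)\s+\d+\s+\d+\s+\d+\s+(0x[0-9a-fA-F]+,\s*[0-9a-fA-F-]+)"
    r"\s+\{([A-H]*)\}$")
REQUIRED = set("CDEF")  # Aggregation, Synchronization, Collecting, Distributing
STALE = set("GH")       # Defaulted, Expired


def parse_verbose(output):
    """Return {aggregate: {"local": {port: (status, flags)},
                           "remote": {port: (system_id, flags)}}}."""
    groups, group, section = {}, None, None
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("Aggregate Interface:"):
            name = line.split(":", 1)[1].strip()
            group = groups.setdefault(name, {"local": {}, "remote": {}})
            section = None
        elif line in ("Local:", "Remote:"):
            section = line[:-1].lower()
        elif group is None or section is None:
            continue
        elif section == "local" and (m := LOCAL_RE.match(line)):
            group["local"][m[1]] = (m[2], set(m[3]))
        elif section == "remote" and (m := REMOTE_RE.match(line)):
            group["remote"][m[1]] = (re.sub(r"\s+", "", m[2]), set(m[3]))
    return groups


def check_groups(output):
    """Return a list of (aggregate, port, finding) tuples; empty means healthy."""
    findings = []
    for name, group in parse_verbose(output).items():
        for port, (status, flags) in group["local"].items():
            if status != "S":
                findings.append((name, port, "not-selected"))
            if REQUIRED - flags:
                findings.append((name, port, "flags-missing"))
            if flags & STALE:
                findings.append((name, port, "stale-info"))
            if port not in group["remote"]:
                findings.append((name, port, "no-partner-row"))
        for port, (_system, flags) in group["remote"].items():
            if flags & STALE:
                findings.append((name, port, "partner-stale-info"))
        # Every member of one aggregation group should see the same peer.
        systems = {system for system, _flags in group["remote"].values()}
        if len(systems) > 1:
            findings.append((name, "*", "partner-mismatch"))
    return findings


if __name__ == "__main__":
    print(check_groups(SAMPLE_OUTPUT) or "all member ports healthy")
```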

Configure spanning tree

Plan the configuration

Spanning tree protocols eliminate loops in a physical link-redundant network by selectively blocking redundant links and putting them in a standby state. The recent versions of STP include the Rapid Spanning Tree Protocol (RSTP), the Per-VLAN Spanning Tree (PVST), and the Multiple Spanning Tree Protocol (MSTP). This section describes MSTP configuration.

Table 8 Spanning tree configuration table

| Configuration item | Plan |
| --- | --- |
| Spanning tree mode | MSTP mode |
| VLANs | VLAN 10, VLAN 20, VLAN 30, VLAN 40 |
| Link type | Trunk |
| MST region name | Example |
| MST region revision level | 0 |

 

Network diagram

Figure 7 Spanning tree network diagram

 

Procedure

1.     Configure VLANs and VLAN member ports.

Create VLAN 10, VLAN 20, and VLAN 30 on both Device A and Device B. Create VLAN 10, VLAN 20, and VLAN 40 on Device C. Create VLAN 20, VLAN 30, and VLAN 40 on Device D. Configure the ports on these devices as trunk ports and assign them to related VLANs.

[DeviceA] vlan 10

[DeviceA-vlan10] port g 1/0/1

[DeviceA-vlan10] quit

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] port link-type trunk

[DeviceA-GigabitEthernet1/0/1] port trunk permit vlan 10

# Configure Device B, Device C, and Device D in the same way Device A is configured. (Details not shown.)

2.     Configure Device A:

# Configure the MST region name as example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0.

<DeviceA> system-view

# Enter MST region view.

[DeviceA] stp region-configuration

[DeviceA-mst-region] region-name example

[DeviceA-mst-region] instance 1 vlan 10

[DeviceA-mst-region] instance 3 vlan 30

[DeviceA-mst-region] instance 4 vlan 40

[DeviceA-mst-region] revision-level 0

# Activate MST region configuration.

[DeviceA-mst-region] active region-configuration

[DeviceA-mst-region] quit

# Configure the local device as the root bridge of MSTI 1.

[DeviceA] stp instance 1 root primary

# Enable the spanning tree feature globally.

[DeviceA] stp global enable

3.     Configure Device B:

# Configure the MST region name as example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0.

<DeviceB> system-view

[DeviceB] stp region-configuration

[DeviceB-mst-region] region-name example

[DeviceB-mst-region] instance 1 vlan 10

[DeviceB-mst-region] instance 3 vlan 30

[DeviceB-mst-region] instance 4 vlan 40

[DeviceB-mst-region] revision-level 0

# Activate MST region configuration.

[DeviceB-mst-region] active region-configuration

[DeviceB-mst-region] quit

# Configure the local device as the root bridge of MSTI 3.

[DeviceB] stp instance 3 root primary

# Enable the spanning tree feature globally.

[DeviceB] stp global enable

4.     Configure Device C:

# Configure the MST region name as example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0.

<DeviceC> system-view

[DeviceC] stp region-configuration

[DeviceC-mst-region] region-name example

[DeviceC-mst-region] instance 1 vlan 10

[DeviceC-mst-region] instance 3 vlan 30

[DeviceC-mst-region] instance 4 vlan 40

[DeviceC-mst-region] revision-level 0

# Activate MST region configuration.

[DeviceC-mst-region] active region-configuration

[DeviceC-mst-region] quit

# Configure the local device as the root bridge of MSTI 4.

[DeviceC] stp instance 4 root primary

# Enable the spanning tree feature globally.

[DeviceC] stp global enable

5.     Configure Device D:

# Configure the MST region name as example, map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively, and configure the revision level of the MST region as 0.

<DeviceD> system-view

[DeviceD] stp region-configuration

[DeviceD-mst-region] region-name example

[DeviceD-mst-region] instance 1 vlan 10

[DeviceD-mst-region] instance 3 vlan 30

[DeviceD-mst-region] instance 4 vlan 40

[DeviceD-mst-region] revision-level 0

# Activate MST region configuration.

[DeviceD-mst-region] active region-configuration

[DeviceD-mst-region] quit

# Enable the spanning tree feature globally.

[DeviceD] stp global enable
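Devices belong to the same MST region only when the region name, revision level, and VLAN-to-instance mapping are identical on all of them. The following check is an added example, not H3C code: it parses the region commands entered on Device A through Device D above, reports any device whose region settings differ, and flags an MSTI with more than one primary root. It also shows that VLAN 20, which no instance command maps, stays in MSTI 0. The function names and finding labels are hypothetical.

```python
import re
from collections import defaultdict

# Constructed input: the region commands this section enters on every
# device, with prompts removed.
REGION_CMDS = """\
stp region-configuration
region-name example
instance 1 vlan 10
instance 3 vlan 30
instance 4 vlan 40
revision-level 0
active region-configuration
"""
DEVICE_CONFIGS = {
    "DeviceA": REGION_CMDS + "stp instance 1 root primary\nstp global enable\n",
    "DeviceB": REGION_CMDS + "stp instance 3 root primary\nstp global enable\n",
    "DeviceC": REGION_CMDS + "stp instance 4 root primary\nstp global enable\n",
    "DeviceD": REGION_CMDS + "stp global enable\n",
}
PLANNED_VLANS = (10, 20, 30, 40)  # from Table 8

PROMPT_RE = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")  # "[DeviceA-mst-region] "
ROOT_RE = re.compile(r"stp instance (\d+) root primary")


def expand_vlans(tokens):
    """Expand a VLAN list such as ['10', '20', 'to', '30'] into a set of IDs."""
    vlans, i = set(), 0
    while i < len(tokens):
        start = int(tokens[i])
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            end, i = int(tokens[i + 2]), i + 3
        else:
            end, i = start, i + 1
        vlans.update(range(start, end + 1))
    return vlans


def parse_device(text):
    """Collect the region settings and root roles one device was given."""
    dev = {"name": "", "revision": 0, "map": {}, "active": False,
           "enabled": False, "roots": set()}
    for raw in text.splitlines():
        line = PROMPT_RE.sub("", raw).strip()
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "region-name" and len(words) > 1:
            dev["name"] = words[1]
        elif words[0] == "revision-level" and len(words) > 1:
            dev["revision"] = int(words[1])
        elif words[0] == "instance" and len(words) > 3 and words[2] == "vlan":
            for vlan in expand_vlans(words[3:]):
                dev["map"][vlan] = int(words[1])
        elif line == "active region-configuration":
            dev["active"] = True
        elif line == "stp global enable":
            dev["enabled"] = True
        elif m := ROOT_RE.fullmatch(line):
            dev["roots"].add(int(m[1]))
    return dev


def msti_for_vlans(dev, vlans):
    """VLANs without an instance mapping belong to MSTI 0."""
    return {vlan: dev["map"].get(vlan, 0) for vlan in vlans}


def audit_mst(configs):
    """Return a list of (finding, [devices]); empty means consistent."""
    parsed = {name: parse_device(text) for name, text in configs.items()}
    findings, regions, roots = [], defaultdict(list), defaultdict(list)
    for name, dev in sorted(parsed.items()):
        key = (dev["name"], dev["revision"], tuple(sorted(dev["map"].items())))
        regions[key].append(name)
        if not dev["active"]:  # the procedure runs this step on every device
            findings.append(("region-not-activated", [name]))
        if not dev["enabled"]:
            findings.append(("stp-not-enabled", [name]))
        for msti in dev["roots"]:
            roots[msti].append(name)
    if len(regions) > 1:
        majority = max(regions.values(), key=len)
        findings.append(("region-mismatch",
                         sorted(n for n in parsed if n not in majority)))
    for _msti, names in sorted(roots.items()):
        if len(names) > 1:
            findings.append(("duplicate-root", names))
    return findings


if __name__ == "__main__":
    print(audit_mst(DEVICE_CONFIGS) or "region settings match on all devices")
    print(msti_for_vlans(parse_device(DEVICE_CONFIGS["DeviceA"]), PLANNED_VLANS))
```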

Verifying the configuration

In this example, Device B has the lowest root bridge ID. As a result, Device B is elected as the root bridge in MSTI 0.

When the network is stable, you can use the display stp brief command to display brief spanning tree information on each device.

# Display brief spanning tree information on Device A.

[DeviceA] display stp brief

 MST ID   Port                   Role  STP State     Protection

 0     GigabitEthernet1/0/1   ALTE  DISCARDING    NONE

 0     GigabitEthernet1/0/2   DESI  FORWARDING    NONE

 0     GigabitEthernet1/0/3   ROOT  FORWARDING    NONE

 1     GigabitEthernet1/0/1   DESI  FORWARDING    NONE

 1     GigabitEthernet1/0/3   DESI  FORWARDING    NONE

 3     GigabitEthernet1/0/2   DESI  FORWARDING    NONE

 3     GigabitEthernet1/0/3   ROOT  FORWARDING    NONE

# Display brief spanning tree information on Device B.

[DeviceB] display stp brief

 MST ID   Port                   Role  STP State     Protection

 0     GigabitEthernet1/0/1   DESI  FORWARDING    NONE

 0     GigabitEthernet1/0/2   DESI  FORWARDING    NONE

 0     GigabitEthernet1/0/3   DESI  FORWARDING    NONE

 1     GigabitEthernet1/0/2   DESI  FORWARDING    NONE

 1     GigabitEthernet1/0/3   ROOT  FORWARDING    NONE

 3     GigabitEthernet1/0/1   DESI  FORWARDING    NONE

 3     GigabitEthernet1/0/3   DESI  FORWARDING    NONE

# Display brief spanning tree information on Device C.

[DeviceC] display stp brief

 MST ID  Port                   Role  STP State     Protection

 0     GigabitEthernet1/0/1   DESI  FORWARDING    NONE

 0     GigabitEthernet1/0/2   ROOT  FORWARDING    NONE

 0     GigabitEthernet1/0/3   DESI  FORWARDING    NONE

 1     GigabitEthernet1/0/1   ROOT  FORWARDING    NONE

 1     GigabitEthernet1/0/2   ALTE  DISCARDING    NONE

 4     GigabitEthernet1/0/3   DESI  FORWARDING    NONE

# Display brief spanning tree information on Device D.

[DeviceD] display stp brief

 MST ID  Port                   Role  STP State     Protection

 0     GigabitEthernet1/0/1   ROOT  FORWARDING    NONE

 0     GigabitEthernet1/0/2   ALTE  DISCARDING    NONE

 0     GigabitEthernet1/0/3   ALTE  DISCARDING    NONE

 3     GigabitEthernet1/0/1   ROOT  FORWARDING    NONE

 3     GigabitEthernet1/0/2   ALTE  DISCARDING    NONE

 4     GigabitEthernet1/0/3   ROOT  FORWARDING    NONE

Based on the output, you can draw each MSTI mapped to each VLAN, as shown in Figure 8.

Figure 8 MSTIs mapped to different VLANs
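
The root bridge and the blocked ports of each MSTI can be derived mechanically from the four outputs above. The following Python code is an added example, not part of the H3C guide. It embeds those outputs as constructed input, and the function names and the baseline comparison are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed input: the four "display stp brief" outputs from this section,
# keyed by device name, with the header columns separated.
STP_BRIEF = {
    "DeviceA": """
 MST ID  Port                   Role  STP State     Protection
 0       GigabitEthernet1/0/1   ALTE  DISCARDING    NONE
 0       GigabitEthernet1/0/2   DESI  FORWARDING    NONE
 0       GigabitEthernet1/0/3   ROOT  FORWARDING    NONE
 1       GigabitEthernet1/0/1   DESI  FORWARDING    NONE
 1       GigabitEthernet1/0/3   DESI  FORWARDING    NONE
 3       GigabitEthernet1/0/2   DESI  FORWARDING    NONE
 3       GigabitEthernet1/0/3   ROOT  FORWARDING    NONE
""",
    "DeviceB": """
 MST ID  Port                   Role  STP State     Protection
 0       GigabitEthernet1/0/1   DESI  FORWARDING    NONE
 0       GigabitEthernet1/0/2   DESI  FORWARDING    NONE
 0       GigabitEthernet1/0/3   DESI  FORWARDING    NONE
 1       GigabitEthernet1/0/2   DESI  FORWARDING    NONE
 1       GigabitEthernet1/0/3   ROOT  FORWARDING    NONE
 3       GigabitEthernet1/0/1   DESI  FORWARDING    NONE
 3       GigabitEthernet1/0/3   DESI  FORWARDING    NONE
""",
    "DeviceC": """
 MST ID  Port                   Role  STP State     Protection
 0       GigabitEthernet1/0/1   DESI  FORWARDING    NONE
 0       GigabitEthernet1/0/2   ROOT  FORWARDING    NONE
 0       GigabitEthernet1/0/3   DESI  FORWARDING    NONE
 1       GigabitEthernet1/0/1   ROOT  FORWARDING    NONE
 1       GigabitEthernet1/0/2   ALTE  DISCARDING    NONE
 4       GigabitEthernet1/0/3   DESI  FORWARDING    NONE
""",
    "DeviceD": """
 MST ID  Port                   Role  STP State     Protection
 0       GigabitEthernet1/0/1   ROOT  FORWARDING    NONE
 0       GigabitEthernet1/0/2   ALTE  DISCARDING    NONE
 0       GigabitEthernet1/0/3   ALTE  DISCARDING    NONE
 3       GigabitEthernet1/0/1   ROOT  FORWARDING    NONE
 3       GigabitEthernet1/0/2   ALTE  DISCARDING    NONE
 4       GigabitEthernet1/0/3   ROOT  FORWARDING    NONE
""",
}

# One data row: MST ID, port, role, STP state, protection.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+([A-Z]{4})\s+([A-Z]+)\s+(\S+)\s*$")


def parse_stp_brief(text):
    """Return (msti, port, role, state) tuples; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return rows


def summarize(outputs):
    """Return ({msti: [root devices]}, {msti: [(device, blocked port)]})."""
    roots, blocked = defaultdict(list), defaultdict(list)
    for device, text in outputs.items():
        roles = defaultdict(set)
        for msti, port, role, state in parse_stp_brief(text):
            roles[msti].add(role)
            if state == "DISCARDING":
                blocked[msti].append((device, port))
        for msti, seen in roles.items():
            # Within one MST region, the bridge that has ports in an instance
            # but no root port in it is the root bridge of that instance.
            if "ROOT" not in seen:
                roots[msti].append(device)
    return dict(roots), dict(blocked)


def root_drift(roots, baseline):
    """Return {msti: observed roots} wherever the root differs from the baseline."""
    return {m: found for m, found in roots.items() if found != [baseline.get(m)]}


if __name__ == "__main__":
    observed_roots, observed_blocked = summarize(STP_BRIEF)
    for msti in sorted(observed_roots):
        print(msti, observed_roots[msti], observed_blocked.get(msti, []))
```

Running the same comparison on a schedule against an approved baseline flags an unexpected root change in any instance.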

 

Configure port isolation

Plan the configuration

The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs. Ports in an isolation group cannot communicate with each other. However, they can communicate with ports outside the isolation group. You can configure community VLANs in an isolation group. Ports in an isolation group can communicate with each other if they belong to a community VLAN.

Table 9 Port isolation configuration table

Configuration item | Plan
Isolation group | 1
Ports in the isolation group | GE1/0/1, GE1/0/2, and GE1/0/3

 

Procedure

# Create isolation group 1.

<Device> system-view

[Device] port-isolate group 1

# Assign interfaces GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to isolation group 1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] port-isolate enable group 1

[Device-GigabitEthernet1/0/1] quit

[Device] interface gigabitethernet 1/0/2

[Device-GigabitEthernet1/0/2] port-isolate enable group 1

[Device-GigabitEthernet1/0/2] quit

[Device] interface gigabitethernet 1/0/3

[Device-GigabitEthernet1/0/3] port-isolate enable group 1

[Device-GigabitEthernet1/0/3] quit

Verifying the configuration

# Display information about isolation group 1.

[Device] display port-isolate group

 Port isolation group information:

 Group ID: 1

 Group members:

    GigabitEthernet1/0/1     GigabitEthernet1/0/2     GigabitEthernet1/0/3

 Community VLAN ID: None

The output shows that GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 are assigned to isolation group 1. As a result, Host A, Host B, and Host C are isolated from one another at Layer 2.

Configure VLANs

Plan the configuration

The Virtual Local Area Network (VLAN) technology divides a physical LAN into multiple logical LANs. It has the following benefits:

·     Security—Hosts in the same VLAN can communicate with one another at Layer 2, but they are isolated from hosts in other VLANs at Layer 2.

·     Broadcast traffic isolation—Each VLAN is a broadcast domain that limits the transmission of broadcast packets.

·     Flexibility—A VLAN can be logically divided on a workgroup basis. Hosts in the same workgroup can be assigned to the same VLAN, regardless of their physical locations.

Table 10 VLAN configuration table

Configuration item | Plan
MAC-based VLAN | MAC address: 0-1-1; VLAN ID: 100; 802.1p priority: 7
Port-based VLAN | Interface: GE1/0/1; VLAN IDs: 2, 4, 50 to 100
IP subnet-based VLAN | Interface: GE1/0/1; IP address: 192.168.1.0/24; VLAN ID: 3
Protocol-based VLAN | VLAN ID: 2; Protocol: IPv4

 

Procedure

1.     Configure port-based VLAN:

The port-based VLAN feature provides the simplest and most effective way to divide VLANs. Port-based VLANs group VLAN members by port. A port forwards packets from a VLAN only after it is assigned to the VLAN.

# Set the port link type.

You can set the link type of a port to access, trunk, or hybrid. The port link type determines whether the port can be assigned to multiple VLANs. The link types use the following VLAN tag handling methods:

○     Access—An access port can forward packets only from one VLAN and send these packets untagged. An access port is typically used in the following conditions:

-     Connecting to a terminal device that does not support VLAN packets.

-     In scenarios that do not distinguish VLANs.

○     Trunk—A trunk port can forward packets from multiple VLANs. Except packets from the port VLAN ID (PVID), packets sent out of a trunk port are VLAN-tagged. Ports connecting network devices are typically configured as trunk ports.

○     Hybrid—A hybrid port can forward packets from multiple VLANs. The tagging status of the packets forwarded by a hybrid port depends on the port configuration. In one-to-two VLAN mapping, hybrid ports are used to remove SVLAN tags for downlink traffic.

# Configure the default VLAN.

The PVID identifies the default VLAN of a port. Untagged packets received on a port are considered as the packets from the port PVID.

An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port.

A trunk or hybrid port supports multiple VLANs and the PVID configuration.

# Display hybrid ports or trunk ports on the device.

display port

# Set the link type of the port.

port link-type { access | hybrid | trunk }

# Assign the trunk port to the specified VLANs.

port trunk permit vlan

# To change the link type of a port from trunk to hybrid or from hybrid to trunk, set the link type to access first.

# Configure GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLANs 2, 4, and 50 to 100.

<H3C> system-view

[H3C] interface gigabitethernet 1/0/1

[H3C-GigabitEthernet1/0/1] port link-type trunk

[H3C-GigabitEthernet1/0/1] port trunk permit vlan 2 4 50 to 100

2.     Configure MAC-based VLAN

The MAC-based VLAN feature assigns hosts to a VLAN based on their MAC addresses.  This feature is also called user-based VLAN because VLAN configuration remains the same regardless of a user's physical location.

# Display MAC-to-VLAN entries.

display mac-vlan

# Enable the MAC-based VLAN feature.

mac-vlan enable

# Create a MAC-to-VLAN entry.

mac-vlan mac-address

# Associate MAC address 0000-0001-0001 with VLAN 100, and set the 802.1p priority to 7 for VLAN 100 in this entry.

<Sysname> system-view

[Sysname] mac-vlan mac-address 0-1-1 vlan 100 dot1q 7

# Associate VLAN 100 with MAC addresses whose six high-order hexadecimal digits are 1211-22, and set the 802.1p priority to 4 for VLAN 100 in this entry.

<Sysname> system-view

[Sysname] mac-vlan mac-address 1211-2222-3333 mask ffff-ff00-0000 vlan 100 dot1q 4

3.     Configure IP subnet-based VLAN

The IP subnet-based VLAN feature assigns untagged packets to VLANs based on their source IP addresses and subnet masks. Use this feature when untagged packets from an IP subnet or IP address must be transmitted in a VLAN.

 

# Display information about IP subnet-based VLANs that are associated with the specified ports.

display ip-subnet-vlan interface

# Display information about IP subnet-based VLANs.

display ip-subnet-vlan vlan

# Associate a VLAN with an IP subnet or IP address.

ip-subnet-vlan

# Associate the hybrid port with the specified IP subnet-based VLAN.

port hybrid ip-subnet-vlan

# Associate GigabitEthernet 1/0/1 with IP subnet-based VLAN 3.

<Sysname> system-view

[Sysname] vlan 3

[Sysname-vlan3] ip-subnet-vlan ip 192.168.1.0 255.255.255.0

[Sysname-vlan3] quit

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port link-type hybrid

[Sysname-GigabitEthernet1/0/1] port hybrid vlan 3 untagged

[Sysname-GigabitEthernet1/0/1] port hybrid ip-subnet-vlan vlan 3

# Associate Layer-2 aggregate interface Bridge-Aggregation 1 with IP subnet-based VLAN 3.

<Sysname> system-view

[Sysname] vlan 3

[Sysname-vlan3] ip-subnet-vlan ip 192.168.1.0 255.255.255.0

[Sysname-vlan3] quit

[Sysname] interface bridge-aggregation 1

[Sysname-Bridge-Aggregation1] port link-type hybrid

[Sysname-Bridge-Aggregation1] port hybrid vlan 3 untagged

[Sysname-Bridge-Aggregation1] port hybrid ip-subnet-vlan vlan 3

4.     Configure protocol-based VLAN

The protocol-based VLAN feature assigns inbound packets to different VLANs based on their protocol types and encapsulation formats. The protocols available for VLAN assignment include IP, IPX, and AT. The encapsulation formats include Ethernet II, 802.3 raw, 802.2 LLC, and 802.2 SNAP.

This feature associates the available network service types with VLANs and facilitates network management and maintenance.

# Display information about protocol-based VLANs that are associated with the specified ports.

display protocol-vlan interface

# Display information about protocol-based VLANs.

display protocol-vlan vlan

# Associate a hybrid port with the specified protocol-based VLAN.

port hybrid protocol-vlan

# Associate a VLAN with a protocol template.

protocol-vlan

# Associate GigabitEthernet 1/0/1 with protocol template 1 in VLAN 2.

<Sysname> system-view

[Sysname] vlan 2

[Sysname-vlan2] protocol-vlan 1 ipv4

[Sysname-vlan2] quit

[Sysname] interface gigabitethernet 1/0/1

[Sysname-GigabitEthernet1/0/1] port link-type hybrid

[Sysname-GigabitEthernet1/0/1] port hybrid vlan 2 untagged

# Associate the hybrid port with protocol-based VLAN.

[Sysname-GigabitEthernet1/0/1] port hybrid protocol-vlan vlan 2 1

# Assign ARP packets in Ethernet II encapsulation and IPv4 packets to VLAN 3 for transmission. (The protocol type ID for ARP is 0806 in hexadecimal notation.)

<Sysname> system-view

[Sysname] vlan 3

[Sysname-vlan3] protocol-vlan 1 ipv4

[Sysname-vlan3] protocol-vlan 2 mode ethernetii etype 0806

Configure QinQ

Plan the configuration

Table 11 QinQ configuration table

Configuration item | Plan
Devices | PE1, PE2
Service VLANs | VLANs 10 to 50; VLAN 3000 (enterprise-specific VLAN); VLAN 100 (service provider VLAN)
Ports | PE1: GE 1/0/1 with endpoints attached, GE 1/0/2 connected to service provider network; PE2: GE 1/0/1 with endpoints attached, GE 1/0/2 connected to service provider network

 

Procedure

1.     Configuring PE 1:

# Configure GigabitEthernet 1/0/1 as a trunk port, and assign it to VLANs 10 to 50, VLAN 100, and VLAN 3000.

<PE1> system-view

[PE1] interface gigabitethernet 1/0/1

[PE1-GigabitEthernet1/0/1] port link-type trunk

[PE1-GigabitEthernet1/0/1] port trunk permit vlan 100 3000 10 to 50

# Set the PVID of GigabitEthernet 1/0/1 to VLAN 100.

[PE1-GigabitEthernet1/0/1] port trunk pvid vlan 100

A QinQ-enabled port will tag incoming frames with the PVID tag. Before you enable or disable QinQ on a port, you must remove any VLAN mappings on the port.

# Enable QinQ on GigabitEthernet 1/0/1.

[PE1-GigabitEthernet1/0/1] qinq enable

With QinQ enabled, the port will tag incoming frames with the PVID tag. You can exclude a VLAN (for example, the management VLAN) from the QinQ tagging action on a customer-side port. This VLAN is called a transparent VLAN.

When you configure the transparent VLAN, follow these restrictions and guidelines:

○     Make sure all ports on the traffic path permit the transparent VLAN to pass through.

○     Do not configure any other VLAN manipulation actions for the transparent VLAN on the port.

○     If you use both transparent VLANs and VLAN mappings on an interface, the transparent VLANs cannot be the following VLANs:

-     Original or translated VLANs of one-to-one, one-to-two, and many-to-one VLAN mappings.

-     Original or translated outer VLANs of two-to-two VLAN mappings.

# Enable transparent transmission for VLAN 3000 on GigabitEthernet 1/0/1.

[PE1-GigabitEthernet1/0/1] qinq transparent-vlan 3000

[PE1-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 as a trunk port, and assign it to VLAN 100 and VLAN 3000.

[PE1] interface gigabitethernet 1/0/2

[PE1-GigabitEthernet1/0/2] port link-type trunk

[PE1-GigabitEthernet1/0/2] port trunk permit vlan 100 3000

[PE1-GigabitEthernet1/0/2] quit

2.     Configuring PE 2:

# Configure GigabitEthernet 1/0/1 as a trunk port, and assign it to VLANs 10 to 50, VLAN 100, and VLAN 3000.

<PE2> system-view

[PE2] interface gigabitethernet 1/0/1

[PE2-GigabitEthernet1/0/1] port link-type trunk

[PE2-GigabitEthernet1/0/1] port trunk permit vlan 100 3000 10 to 50

# Set the PVID of GigabitEthernet 1/0/1 to VLAN 100.

[PE2-GigabitEthernet1/0/1] port trunk pvid vlan 100

# Enable QinQ on GigabitEthernet 1/0/1.

[PE2-GigabitEthernet1/0/1] qinq enable

# Enable transparent transmission for VLAN 3000 on GigabitEthernet 1/0/1.

[PE2-GigabitEthernet1/0/1] qinq transparent-vlan 3000

[PE2-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 as a trunk port, and assign it to VLAN 100 and VLAN 3000.

[PE2] interface gigabitethernet 1/0/2

[PE2-GigabitEthernet1/0/2] port link-type trunk

[PE2-GigabitEthernet1/0/2] port trunk permit vlan 100 3000

[PE2-GigabitEthernet1/0/2] quit

3.     Configure the devices between PE 1 and PE 2:

# Set the MTU to a minimum of 1504 bytes for each port on the path of QinQ frames. (Details not shown.)

# Configure all ports on the forwarding path to allow frames from VLANs 100 and 3000 to pass through without removing the VLAN tag. (Details not shown.)
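
What the PE customer-side port does to a frame, and why the core needs an MTU of at least 1504 bytes, is shown in the following Python model. It is an added example, not part of the H3C guide. It assumes that both tags use TPID 0x8100, and the MAC addresses, payload, and function names are constructed for illustration.

```python
import struct

TPID = 0x8100               # assumption: both tags use the default 802.1Q TPID
PVID = 100                  # port trunk pvid vlan 100 (service provider VLAN)
TRANSPARENT_VLANS = {3000}  # qinq transparent-vlan 3000


def vlan_tag(vid, pcp=0):
    """Encode one 4-byte 802.1Q tag: TPID, then PCP (3 bits), DEI (1), VID (12)."""
    return struct.pack("!HH", TPID, (pcp << 13) | (vid & 0x0FFF))


def tags_of(frame):
    """Return the VLAN IDs of all stacked tags, outermost first."""
    vids, offset = [], 12  # tags start after the destination and source MAC
    while len(frame) >= offset + 4 and struct.unpack_from("!H", frame, offset)[0] == TPID:
        vids.append(struct.unpack_from("!H", frame, offset + 2)[0] & 0x0FFF)
        offset += 4
    return vids


def customer_ingress(frame):
    """GE1/0/1 with QinQ enabled: push the PVID tag unless the VLAN is transparent."""
    vids = tags_of(frame)
    if vids and vids[0] in TRANSPARENT_VLANS:
        return frame  # forwarded with its original tag only
    return frame[:12] + vlan_tag(PVID) + frame[12:]


def customer_egress(frame):
    """GE1/0/1 on the remote PE: a trunk port sends PVID frames without that tag."""
    vids = tags_of(frame)
    if vids and vids[0] == PVID:
        return frame[:12] + frame[16:]
    return frame


def provider_payload_len(frame):
    """Bytes a single-tag-aware core switch counts as payload.

    The core switch skips both MAC addresses, the outer tag (if any), and the
    two bytes that follow it. For a QinQ frame those two bytes are the inner
    TPID, so the inner tag's remaining bytes and the original EtherType count
    as payload.
    """
    outer = 4 if tags_of(frame) else 0
    return len(frame) - 12 - outer - 2


def sample_frame(cvlan=None, payload_len=1500):
    """Constructed customer frame: optional C-VLAN tag, IPv4 EtherType, zero payload."""
    dst, src = bytes.fromhex("00005e005301"), bytes.fromhex("00005e005302")
    tag = vlan_tag(cvlan) if cvlan is not None else b""
    return dst + src + tag + struct.pack("!H", 0x0800) + bytes(payload_len)


if __name__ == "__main__":
    for cvlan in (20, 3000, None):
        before = sample_frame(cvlan)
        after = customer_ingress(before)
        print(cvlan, tags_of(before), "->", tags_of(after),
              "core payload:", provider_payload_len(after))
```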

Configure QoS and ACL

Plan the QoS configuration

The QoS techniques include traffic classification, traffic policing, traffic shaping, rate limit, congestion management, and congestion avoidance.

Table 12 QoS configuration table

Configuration item | Plan
ACL type and rule | Basic ACL: ACL 2000; Rule: Permit source IP address 192.168.0.1
Traffic classes | host: Match IPv4 basic ACL 2000; any: Match all packets
Traffic behaviors | a: Class-based accounting action; m: Action of mirroring to interface GigabitEthernet 1/0/3; r: Action of setting the DSCP value for packets to 50; c: Action of traffic policing, with the CIR set to 10240 kbps and the CBS set to 102400 bytes
Policies | Accounting-type QoS policy policy_a: Contains traffic class host and traffic behavior a; Mirroring-type QoS policy policy_m: Contains traffic class host and traffic behavior m; Marking-type QoS policy policy_r: Contains traffic class host and traffic behavior r; Generic QoS policy policy_g: Contains traffic class any and traffic behavior c
Associated ports | Mirroring port: GE1/0/3; Interface where the policies are applied: GE1/0/1

 

QoS configuration procedure

# Create basic ACL 2000, and configure a rule to match packets with source IP address 192.168.0.1.

<Device> system-view

[Device] acl basic 2000

[Device-acl-ipv4-basic-2000] rule permit source 192.168.0.1 0

[Device-acl-ipv4-basic-2000] quit

# Create a traffic class named host, and use ACL 2000 as the match criterion in the traffic class.

[Device] traffic classifier host

[Device-classifier-host] if-match acl 2000

[Device-classifier-host] quit

# Create a traffic class named any to match all packets.

[Device] traffic classifier any

[Device-classifier-any] if-match any

[Device-classifier-any] quit

# Create a traffic behavior named a, and configure a class-based accounting action.

[Device] traffic behavior a

[Device-behavior-a] accounting packet

[Device-behavior-a] quit

# Create a traffic behavior named m, and configure an action of mirroring to interface GigabitEthernet 1/0/3.

[Device] traffic behavior m

[Device-behavior-m] mirror-to interface gigabitethernet 1/0/3

[Device-behavior-m] quit

# Create a traffic behavior named r, and configure the action of setting the DSCP value to 50.

[Device] traffic behavior r

[Device-behavior-r] remark dscp 50

[Device-behavior-r] quit

# Configure a CAR action in traffic behavior c. Set the CIR to 10240 kbps and CBS to 102400 bytes.

[Device] traffic behavior c

[Device-behavior-c] car cir 10240 cbs 102400 green pass yellow pass red discard

[Device-behavior-c] quit

# Create an accounting-type QoS policy named policy_a, and associate traffic class host with traffic behavior a in the QoS policy.

[Device] qos accounting policy policy_a

[Device-qospolicy-policy_a] classifier host behavior a

[Device-qospolicy-policy_a] quit

# Create a mirroring-type QoS policy named policy_m, and associate traffic class host with traffic behavior m in the QoS policy.

[Device] qos mirroring policy policy_m

[Device-qospolicy-policy_m] classifier host behavior m

[Device-qospolicy-policy_m] quit

# Create a marking-type QoS policy policy_r, and associate traffic class host with traffic behavior r in the QoS policy.

[Device] qos remarking policy policy_r

[Device-qospolicy-policy_r] classifier host behavior r

[Device-qospolicy-policy_r] quit

# Create a generic QoS policy policy_g, and associate traffic class any with traffic behavior c in the QoS policy.

[Device] qos policy policy_g

[Device-qospolicy-policy_g] classifier any behavior c

[Device-qospolicy-policy_g] quit

# Apply QoS policies policy_a, policy_m, policy_r, and policy_g to the incoming traffic of GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] qos apply accounting policy policy_a inbound

[Device-GigabitEthernet1/0/1] qos apply mirroring policy policy_m inbound

[Device-GigabitEthernet1/0/1] qos apply remarking policy policy_r inbound

[Device-GigabitEthernet1/0/1] qos apply policy policy_g inbound

[Device-GigabitEthernet1/0/1] quit

Plan the ACL configuration

An access control list (ACL) is a set of rules for identifying traffic based on criteria such as source IP address, destination IP address, and port number. The rules are also called permit or deny statements.

ACLs are primarily used for packet filtering. You can also use ACLs in QoS, security, routing, and other modules for identifying traffic. The packet drop or forwarding decisions depend on the modules that use ACLs.

Table 13 ACL configuration table

Configuration item | Plan
Network service address | IP address: 192.168.0.100
Port assignment | Server: GE1/0/1; President's office: GE1/0/2; Finance department: GE1/0/3; Marketing department: GE1/0/4
Advanced ACL 3000 | Permit access from the President's office at any time to the financial database server; Permit access from the Finance department to the financial database server only during working hours (from 8:00 to 18:00) on working days; Deny access from any other department to the financial database server
ACL implementation | Enable packet filter on the specified port.

 

ACL configuration procedure

# Create a periodic time range from 8:00 to 18:00 on working days.

<Device> system-view

[Device] time-range work 08:00 to 18:00 working-day

# Create an IPv4 advanced ACL numbered 3000. Configure the following rules:

·     Permit access from the President's office at any time to the financial database server.

·     Permit access from the Finance department to the financial database server only during working hours (from 8:00 to 18:00) on working days.

·     Deny access from any other department to the financial database server.

[Device] acl advanced 3000

[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.1.0 0.0.0.255 destination 192.168.0.100 0

[Device-acl-ipv4-adv-3000] rule permit ip source 192.168.2.0 0.0.0.255 destination 192.168.0.100 0 time-range work

[Device-acl-ipv4-adv-3000] rule deny ip source any destination 192.168.0.100 0

[Device-acl-ipv4-adv-3000] quit

# Apply IPv4 advanced ACL 3000 to filter outgoing packets on interface GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] packet-filter 3000 outbound

[Device-GigabitEthernet1/0/1] quit

# Verify whether a PC in each department can ping the database server as the ACL rules allow. Display configuration and match statistics for IPv4 advanced ACL 3000 on the device.
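
The expected result of each ping can be worked out before testing by evaluating ACL 3000 the way the packet filter does: rules in configuration order, first match wins, and a rule whose time range is inactive is skipped. The following Python model is an added example, not part of the H3C guide. It assumes that 192.168.1.0/24 is the President's office and 192.168.2.0/24 the Finance department (inferred from the rule order), that packets matching no rule are permitted, and that 18:00 itself is outside the range. The Marketing address is constructed.

```python
import ipaddress
from datetime import datetime, time


def ip_to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr, base, wildcard):
    """ACL wildcard semantics: bits set to 1 in the wildcard are ignored."""
    care = ~ip_to_int(wildcard) & 0xFFFFFFFF
    return (ip_to_int(addr) & care) == (ip_to_int(base) & care)


# time-range work 08:00 to 18:00 working-day (Monday=0 ... Friday=4)
TIME_RANGES = {"work": (time(8, 0), time(18, 0), {0, 1, 2, 3, 4})}


def time_range_active(name, when):
    start, end, days = TIME_RANGES[name]
    # Assumption: the end minute itself is treated as outside the range.
    return when.weekday() in days and start <= when.time() < end


HOST = "0.0.0.0"          # the CLI shorthand "0" is wildcard 0.0.0.0 (exact host)
ANY = "255.255.255.255"   # "source any" ignores every bit
SERVER = "192.168.0.100"

# ACL 3000 in configuration order:
# (action, source, source wildcard, destination, destination wildcard, time range)
ACL_3000 = [
    ("permit", "192.168.1.0", "0.0.0.255", SERVER, HOST, None),
    ("permit", "192.168.2.0", "0.0.0.255", SERVER, HOST, "work"),
    ("deny", "0.0.0.0", ANY, SERVER, HOST, None),
]


def evaluate(src, dst, when, rules=ACL_3000, default="permit"):
    """Return (action, index of the matching rule or None). First match wins."""
    for index, (action, s, s_wild, d, d_wild, time_range) in enumerate(rules):
        if time_range is not None and not time_range_active(time_range, when):
            continue  # an inactive time range makes the rule inactive
        if wildcard_match(src, s, s_wild) and wildcard_match(dst, d, d_wild):
            return action, index
    # Assumption: traffic that matches no rule is permitted by the packet filter.
    return default, None


if __name__ == "__main__":
    tuesday_10 = datetime(2022, 12, 13, 10, 0)   # working day, working hours
    saturday_10 = datetime(2022, 12, 17, 10, 0)  # weekend
    cases = [
        ("President's office", "192.168.1.10", saturday_10),
        ("Finance, working hours", "192.168.2.10", tuesday_10),
        ("Finance, weekend", "192.168.2.10", saturday_10),
        ("Marketing (constructed)", "192.168.3.10", tuesday_10),
    ]
    for label, src, when in cases:
        print(label, evaluate(src, SERVER, when))
```

Moving the deny rule to the top of the list makes it match first for every source, which is why the two permit rules must precede it.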

Configure DHCP snooping

Plan the configuration

Table 14 DHCP snooping configuration table

Configuration item | Plan
DHCP server | Server address pool: 10.0.0.1/24
Trusted port | Port number: GE1/0/2
Port enabled to record DHCP snooping entries | Port number: GE1/0/1
Endpoint | PC, access port GE1/0/1

 

Procedure

1.     Enable DHCP snooping.

On a device, you can enable DHCP snooping globally or for a specific VLAN.

○     If you configure DHCP snooping globally (enable DHCP snooping, configure trusted ports, and enable the recording of DHCP snooping entries), you can disable DHCP snooping only with the associated global command.

○     If you configure DHCP snooping for a specific VLAN (enable DHCP snooping, configure trusted ports, and enable the recording of DHCP snooping entries), you can disable DHCP snooping only with the associated VLAN-specific command.

<Device> system-view

[Device] dhcp snooping enable

# Configure only the port connected to the DHCP server as a trusted port. This ensures that DHCP clients can obtain IP addresses only from the authorized DHCP server.

# Configure GigabitEthernet 1/0/2 connected to the DHCP server as a trusted port.

[Device] interface gigabitethernet 1/0/2

[Device-GigabitEthernet1/0/2] dhcp snooping trust

[Device-GigabitEthernet1/0/2] quit

2.     Enable recording clients' IP-to-MAC bindings.

# Enable recording clients' IP-to-MAC bindings on GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] dhcp snooping binding record

[Device-GigabitEthernet1/0/1] quit

Verifying the configuration

# Display IPv4SG bindings on GigabitEthernet 1/0/1 generated based on DHCP snooping.

[Device] display ip source binding dhcp-snooping

Total entries found: 1

IP address      MAC address    Interface    VLAN Type

                0001-0203-0406 GE1/0/1      1    DHCP snooping
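
The effect of the trusted port and of binding recording can be followed message by message in the following Python model. It is an added example, not part of the H3C guide and not the device's implementation. It is a simplified model in which server replays are accepted only on trusted ports and a binding is created from a client REQUEST on a recording port followed by an ACK on a trusted port. The client IP address, the port GE1/0/3, and the addresses offered there are constructed.

```python
SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}


class SnoopingSwitch:
    """Simplified DHCP snooping decision logic for one VLAN."""

    def __init__(self, trusted, recording, vlan=1):
        self.trusted = set(trusted)      # ports with "dhcp snooping trust"
        self.recording = set(recording)  # ports with "dhcp snooping binding record"
        self.vlan = vlan
        self.pending = {}    # client MAC -> port where its REQUEST arrived
        self.bindings = {}   # client MAC -> (IP address, port, VLAN)

    def receive(self, port, msg_type, client_mac, yiaddr=None):
        """Return the verdict for one DHCP message received on a port."""
        if msg_type in SERVER_MESSAGES:
            if port not in self.trusted:
                # A server reply on an untrusted port comes from a server
                # that is not the authorized one; it never reaches clients.
                return "drop"
            if msg_type == "ACK" and client_mac in self.pending:
                client_port = self.pending.pop(client_mac)
                self.bindings[client_mac] = (yiaddr, client_port, self.vlan)
            elif msg_type == "NAK":
                self.pending.pop(client_mac, None)
            return "forward"
        # Client messages are sent only toward trusted ports.
        if msg_type == "REQUEST" and port in self.recording:
            self.pending[client_mac] = port
        elif msg_type in ("RELEASE", "DECLINE"):
            entry = self.bindings.get(client_mac)
            if entry and entry[1] == port:
                del self.bindings[client_mac]
        return "forward-to-trusted"


def run_constructed_sequence():
    """Replay a constructed exchange with an unauthorized server on GE1/0/3."""
    sw = SnoopingSwitch(trusted={"GE1/0/2"}, recording={"GE1/0/1"})
    mac = "0001-0203-0406"  # client MAC from the output above
    verdicts = [
        sw.receive("GE1/0/1", "DISCOVER", mac),
        sw.receive("GE1/0/3", "OFFER", mac, "192.0.2.66"),  # untrusted port
        sw.receive("GE1/0/2", "OFFER", mac, "10.0.0.10"),   # authorized server
        sw.receive("GE1/0/1", "REQUEST", mac),
        sw.receive("GE1/0/3", "ACK", mac, "192.0.2.66"),    # untrusted port
        sw.receive("GE1/0/2", "ACK", mac, "10.0.0.10"),     # creates the binding
    ]
    return verdicts, sw


if __name__ == "__main__":
    verdicts, switch = run_constructed_sequence()
    print(verdicts)
    print(switch.bindings)
```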

Configure MAC authentication

MAC authentication controls network access by authenticating source MAC addresses on a port. The feature does not require client software, and users do not have to enter a username and password for network access. The device initiates a MAC authentication process when it detects an unknown source MAC address on a MAC authentication-enabled port. If the MAC address passes authentication, the user can access authorized network resources. If the authentication fails, the device marks the MAC address as a silent MAC address, drops the packet, and starts a quiet timer. The device drops all subsequent packets from the MAC address within the quiet time. The quiet mechanism avoids repeated authentication during a short time.

Plan the configuration

 

NOTE:

For more information about server configuration, see RADIUS server usage guide.

 

Table 15 MAC authentication configuration table

Configuration item | Plan
Access user | Username: aaa; Password: 123456
RADIUS authentication server | Primary server IP address: 10.1.1.1; Port number: 1812; Password: abc
RADIUS accounting server | Server IP address: 10.1.1.2; Port number: 1813; Password: abc
RADIUS scheme | Scheme name: 2000
ISP domain | Domain name: bbb
Authentication method | CHAP
MAC authentication user account format | Shared username and password
Authentication port | GE1/0/1
Access endpoints | PC, access authentication port

 

Procedure

1.     Configure the RADIUS servers to provide authentication, authorization, and accounting services. Create an access user account with username aaa and password 123456 for MAC authentication users. (Details not shown.)

2.     Configure RADIUS-based MAC authentication on the device:

# Configure a RADIUS scheme.

<Device> system-view

[Device] radius scheme 2000

[Device-radius-2000] primary authentication 10.1.1.1 1812

[Device-radius-2000] primary accounting 10.1.1.2 1813

[Device-radius-2000] key authentication simple abc

[Device-radius-2000] key accounting simple abc

# Whether the username sent to the server carries the domain name depends on the following settings:

○     Whether the server supports usernames that carry domain names.

○     Whether the service that the server uses for user authentication carries a domain name suffix.

If the server does not support usernames that carry domain names, or the service that the server uses for user authentication does not carry a domain name suffix, specify the without-domain keyword on the device.

If the server supports usernames that carry domain names, or the service that the server uses for user authentication carries a domain name suffix, specify the with-domain keyword on the device.

[Device-radius-2000] user-name-format without-domain

[Device-radius-2000] quit

# MAC authentication through the RADIUS server supports the following methods:

○     The PAP authentication method uses a username and password to authenticate users. The username and password are transmitted on the network in plaintext form. This authentication method applies only to environments with relatively low network security requirements.

○     The CHAP authentication method authenticates user identity by transmitting usernames on the network in plaintext form and transmitting passwords in encrypted form. Compared with PAP, CHAP authentication provides better privacy, security, and reliability.

# Configure the MAC authentication method as CHAP.

[Device] mac-authentication authentication-method chap

# Apply the RADIUS scheme to an ISP domain for authentication, authorization, and accounting.

[Device] domain bbb

[Device-isp-bbb] authentication default radius-scheme 2000

[Device-isp-bbb] authorization default radius-scheme 2000

[Device-isp-bbb] accounting default radius-scheme 2000

[Device-isp-bbb] quit

# MAC authentication takes effect on a port only after you enable MAC authentication globally and on the port. The configuration result depends on the device model.

# Enable MAC authentication on GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] mac-authentication

[Device-GigabitEthernet1/0/1] quit

# Specify the ISP domain for MAC authentication.

[Device] mac-authentication domain bbb

# Configure MAC authentication timers.

[Device] mac-authentication timer offline-detect 180

[Device] mac-authentication timer quiet 180

# MAC authentication supports the following user account policies:

○     One MAC-based user account for each user. The access device uses the source MAC addresses in packets as the usernames and passwords, or uses the source MAC addresses as usernames and user-configured passwords for MAC authentication.

○     Shared user account:

-     Common shared user account for all users. The device uses the specified username and password for MAC authentication of all users. Because all MAC authentication users use a single account for authentication, you only need to create one account on the authentication server. This user account type is suitable for trusted networks.

-     Dedicated shared user account. MAC authentication also supports setting separate usernames and passwords for users within specific MAC address ranges (for example, setting separate usernames and passwords for MAC addresses with specific OUIs). Users within the specified MAC address ranges use shared usernames and passwords. You only need to create the associated account on the authentication server based on account configuration on the device.

# Configure a shared account for MAC authentication users, and set the username to aaa and the password to the plaintext string 123456.

[Device] mac-authentication user-name-format fixed account aaa password simple 123456

# Enable MAC authentication globally.

[Device] mac-authentication

Verifying the configuration

Use display mac-authentication [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ] to display MAC authentication settings and statistics.

If you do not specify any parameters, this command displays all MAC authentication information including the global settings, port-specific settings, MAC authentication statistics, and online user statistics.

[Device] display mac-authentication
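
With the CHAP method selected in the procedure above, the request carries an MD5 digest computed over an identifier, the account password, and a challenge, not the password itself. The following Python code is an added example that models both sides using the RADIUS CHAP-Password and CHAP-Challenge attributes defined in RFC 2865. It is not part of the H3C guide and not the device's or the server's implementation, and the function names and the fixed challenge used in the demonstration are assumptions of this example.

```python
import hashlib
import hmac
import os
import struct

# RADIUS attribute types (RFC 2865)
USER_NAME, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 3, 60


def attr(attr_type, value):
    """Encode one RADIUS attribute as type, length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(blob):
    """Decode a sequence of attributes into {type: value}."""
    out, i = {}, 0
    while i < len(blob):
        if i + 2 > len(blob):
            raise ValueError("truncated attribute header")
        attr_type, length = blob[i], blob[i + 1]
        if length < 2 or i + length > len(blob):
            raise ValueError("malformed attribute length")
        out[attr_type] = blob[i + 2:i + length]
        i += length
    return out


def chap_digest(chap_id, password, challenge):
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def device_build_request(username, password, challenge=None, chap_id=None):
    """Access device side: attributes that carry a CHAP login."""
    if challenge is None:
        challenge = os.urandom(16)
    if chap_id is None:
        chap_id = os.urandom(1)[0]
    response = chap_digest(chap_id, password, challenge)
    return (attr(USER_NAME, username)
            + attr(CHAP_PASSWORD, bytes([chap_id]) + response)
            + attr(CHAP_CHALLENGE, challenge))


def server_verify(blob, accounts):
    """Server side: recompute the digest from the stored account password."""
    attrs = parse_attrs(blob)
    stored = accounts.get(attrs.get(USER_NAME))
    chap = attrs.get(CHAP_PASSWORD, b"")
    challenge = attrs.get(CHAP_CHALLENGE)
    # This model always sends CHAP-Challenge; a request without it is rejected.
    if stored is None or challenge is None or len(chap) != 17:
        return False
    expected = chap_digest(chap[0], stored, challenge)
    return hmac.compare_digest(chap[1:], expected)


if __name__ == "__main__":
    accounts = {b"aaa": b"123456"}   # shared account from this section
    request = device_build_request(b"aaa", b"123456")
    print("accepted:", server_verify(request, accounts))
    print("password on the wire:", b"123456" in request)
```

Because the digest is bound to the challenge, a CHAP-Password value observed in one request does not verify against a different challenge.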

Configure 802.1X authentication

802.1X is a port-based network access control protocol widely used on Ethernet networks. The protocol controls network access by authenticating the devices connected to 802.1X-enabled LAN ports.

Plan the configuration

Table 16 802.1X authentication configuration table

Configuration item | Plan
RADIUS authentication server | Primary server IP address: 10.1.1.1; Secondary server IP address: 10.1.1.2
RADIUS accounting server | Server IP address: 10.1.1.1; Secondary server IP address: 10.1.1.2
RADIUS scheme | Scheme name: Radius1
ISP domain | Domain name: bbb
Authentication port | Authentication port: GE1/0/1; Authentication method: mac-based
Access endpoints | PC, access authentication port

 

Procedure

1.     Configuring a RADIUS scheme

# Create a RADIUS scheme named radius1 and enter RADIUS scheme view.

<Device> system-view

[Device] radius scheme radius1

# Specify the IP addresses of the primary authentication and accounting RADIUS servers.

[Device-radius-radius1] primary authentication 10.1.1.1

[Device-radius-radius1] primary accounting 10.1.1.1

# Specify the IP addresses of the secondary authentication and accounting RADIUS servers.

[Device-radius-radius1] secondary authentication 10.1.1.2

[Device-radius-radius1] secondary accounting 10.1.1.2

# Specify the shared key between the access device and the authentication and accounting servers.

[Device-radius-radius1] key authentication simple name

[Device-radius-radius1] key accounting simple money

# Exclude the ISP domain names from the usernames sent to the RADIUS servers.

[Device-radius-radius1] user-name-format without-domain

[Device-radius-radius1] quit

2.     Configure the ISP domain on the access device:

# Create an ISP domain named bbb and enter ISP domain view.

[Device] domain bbb

# Apply RADIUS scheme radius1 to the ISP domain, and specify local authentication as the secondary authentication method.

[Device-isp-bbb] authentication lan-access radius-scheme radius1 local

[Device-isp-bbb] authorization lan-access radius-scheme radius1 local

[Device-isp-bbb] accounting lan-access radius-scheme radius1 local

[Device-isp-bbb] quit

3.     Configure 802.1X on the access device:

# Use the dot1x command to enable 802.1X globally or on a port. For 802.1X to take effect on a port, you must enable it both globally and on the port. Supported ports include Layer 2 Ethernet ports and Layer 2 aggregation ports.

# Enable 802.1X on GigabitEthernet 1/0/1.

[Device] interface gigabitethernet 1/0/1

[Device-GigabitEthernet1/0/1] dot1x

# Enable MAC-based access control on the port. By default, the port uses MAC-based access control.

○     macbased: Uses MAC-based access control on the port to separately authenticate each user attempting to access the network. Using this method, when an authenticated user logs off, no other online users are affected. Support for the MAC-based access control depends on the device model.

○     portbased: Uses port-based access control on the port. Using this method, once an 802.1X user passes authentication on the port, any subsequent user can access the network through the port without authentication. When the authenticated user logs off, all other users are logged off.

[Device-GigabitEthernet1/0/1] dot1x port-method macbased

# Specify ISP domain bbb as the mandatory domain. 802.1X users on the port select an authentication domain in the following order: mandatory domain specified on the port --> ISP domain specified in the username --> system default ISP domain.

[Device-GigabitEthernet1/0/1] dot1x mandatory-domain bbb

[Device-GigabitEthernet1/0/1] quit

# Enable 802.1X globally.

[Device] dot1x

Verifying the configuration

# Use display dot1x to display 802.1X session information, statistics, or configuration information of specified or all ports.

display dot1x [ sessions | statistics ] [ ap ap-name [ radio radio-id ] | interface interface-type interface-number ]

If you do not specify the sessions keyword or the statistics keyword, this command displays all information about 802.1X, including session information, statistics, and settings.

If you do not specify the ap or interface keyword, this command displays all 802.1X information, including wired 802.1X information and wireless 802.1X information.

[Device] display dot1x
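
The rule stated above, that 802.1X takes effect on a port only when it is enabled both globally and on the port, can be checked against a saved configuration session before rollout. The following script is an added example, not H3C code: it reads prompts of the form shown in this guide to tell system view from port view, and it also reports ports switched to portbased access control. The session text is constructed, and the script assumes the device name contains no hyphen.

```python
import re

# "[Device] cmd" is system view; "[Device-GigabitEthernet1/0/1] cmd" is a port view.
# Assumption: the device name itself contains no hyphen.
PROMPT = re.compile(r"^\[([^\]-]+)(?:-([^\]]+))?\]\s*(.+)$")

def audit_dot1x(session):
    """Return sorted (port, rule) findings for a pasted configuration session."""
    global_on = False
    ports = {}  # port view name -> {"enabled": bool, "method": str}
    for raw in session.splitlines():
        m = PROMPT.match(raw.strip())
        if not m:
            continue
        view, words = m.group(2), m.group(3).split()
        undo = words[0] == "undo"
        if undo:
            words = words[1:]
        if not words or words[0] != "dot1x":
            continue
        if view is None:
            if words == ["dot1x"]:          # global switch in system view
                global_on = not undo
            continue
        # The guide states that a port defaults to MAC-based access control.
        port = ports.setdefault(view, {"enabled": False, "method": "macbased"})
        if words == ["dot1x"]:
            port["enabled"] = not undo
        elif words[1:2] == ["port-method"]:
            port["method"] = "macbased" if undo or len(words) < 3 else words[2]
    findings = []
    for name, p in ports.items():
        if not p["enabled"]:
            continue
        if not global_on:
            findings.append((name, "port-enabled-but-global-disabled"))
        if p["method"] == "portbased":
            findings.append((name, "portbased-later-users-unauthenticated"))
    return sorted(findings)

# Constructed sessions, modelled on the commands shown above.
PORT_ONLY = """\
[Device] interface gigabitethernet 1/0/1
[Device-GigabitEthernet1/0/1] dot1x
[Device-GigabitEthernet1/0/1] dot1x port-method portbased
[Device-GigabitEthernet1/0/1] dot1x mandatory-domain bbb
"""
COMPLETE = PORT_ONLY.replace("portbased", "macbased") + (
    "[Device-GigabitEthernet1/0/1] quit\n[Device] dot1x\n")
```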

Configure SNMP

Plan the configuration

Simple Network Management Protocol (SNMP) is used for a management station to access and operate the devices on a network, regardless of their vendors, physical characteristics, and interconnect technologies. SNMP enables network administrators to read and set the variables on managed devices for state monitoring, troubleshooting, statistics collection, and other management purposes.

Table 17 SNMP configuration table

Configuration item      Plan
SNMP Version            V1
SNMP community          Read and write
Agent IP address        1.1.1.1/24

Procedure

1.     Configure the SNMP agent:

# Assign IP address 1.1.1.1/24 to the agent and make sure the agent and the NMS can reach each other. (Details not shown.)

# Specify SNMPv1, and create read-only community public and read and write community private.

<Agent> system-view

[Agent] snmp-agent sys-info version v1

[Agent] snmp-agent community read public

[Agent] snmp-agent community write private

# Configure contact and physical location information for the agent.

[Agent] snmp-agent sys-info contact Mr.Wang-Tel:3306

[Agent] snmp-agent sys-info location telephone-closet,3rd-floor

# Enable SNMP notifications, specify the NMS at 1.1.1.2 as an SNMP trap destination, and use public as the community name.

[Agent] snmp-agent trap enable

[Agent] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname public v1

To make sure the NMS can receive traps, specify the same SNMP version in the snmp-agent target-host command as is configured on the NMS.

2.     Configure the SNMP NMS:

# Specify SNMPv1. Create read-only community public, and create read and write community private. Set the timeout timer and maximum number of retries as needed.

The SNMP settings on the agent and the NMS must match.

Verifying the configuration

# Try to get the MTU value of the NULL0 interface from the agent. The attempt succeeds.

Send request to 1.1.1.1/161 ...

Protocol version: SNMPv1

Operation: Get

Request binding:

1: 1.3.6.1.2.1.2.2.1.4.135471

Response binding:

1: Oid=ifMtu.135471 Syntax=INT Value=1500

Get finished

# Use a wrong community name to get the value of a MIB node on the agent. You can see an authentication failure trap on the NMS.

1.1.1.1/2934 V1 Trap = authenticationFailure

SNMP Version = V1

Community = public

Command = Trap

Enterprise = 1.3.6.1.4.1.43.1.16.4.3.50

GenericID = 4

SpecificID = 0

Time Stamp = 8:35:25.68
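
SNMPv1 carries the community name unencrypted in every request and trap, and public and private are widely known names, so the agent settings above are worth reviewing before they reach a production MAN. The following script is an added example, not H3C code: it flags those settings in a pasted agent session. The sample lines are constructed from the procedure above, and the handling of the simple, cipher, and acl keywords assumes they appear on the same line as the community command.

```python
import re

# Constructed sample: the agent commands from the procedure above, as typed.
SAMPLE = """\
<Agent> system-view
[Agent] snmp-agent sys-info version v1
[Agent] snmp-agent community read public
[Agent] snmp-agent community write private
[Agent] snmp-agent trap enable
[Agent] snmp-agent target-host trap address udp-domain 1.1.1.2 params securityname public v1
"""

DEFAULT_NAMES = {"public", "private"}   # widely known community strings
CLEARTEXT = {"v1", "v2c"}               # versions that carry the community unencrypted
PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")  # "[Agent] " or "<Agent> "

def audit_snmp(text):
    """Return a list of (line_no, rule, detail) findings for snmp-agent lines."""
    findings = []
    for no, raw in enumerate(text.splitlines(), start=1):
        tok = PROMPT.sub("", raw).split()
        if tok[:1] != ["snmp-agent"]:
            continue
        if tok[1:3] == ["sys-info", "version"]:
            # "all" enables every version, including the cleartext ones.
            findings += [(no, "cleartext-version", v) for v in tok[3:]
                         if v in CLEARTEXT or v == "all"]
        elif tok[1:2] == ["community"] and len(tok) >= 4:
            access, rest = tok[2], tok[3:]
            if rest[0] in ("simple", "cipher") and len(rest) > 1:
                rest = rest[1:]          # skip the storage-form keyword
            name = rest[0]
            if name in DEFAULT_NAMES:
                findings.append((no, "default-community", name))
            # Assumption: a source restriction shows up as an "acl" keyword.
            if "acl" not in rest[1:]:
                findings.append((no, access + "-no-acl", name))
        elif tok[1:2] == ["target-host"] and "securityname" in tok:
            i = tok.index("securityname")
            name = tok[i + 1] if i + 1 < len(tok) else ""
            if name in DEFAULT_NAMES:
                findings.append((no, "default-community", name))
            findings += [(no, "cleartext-trap", v) for v in tok[i + 2:] if v in CLEARTEXT]
    return findings

if __name__ == "__main__":
    for no, rule, detail in audit_snmp(SAMPLE):
        print(f"line {no}: {rule} ({detail})")
```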

Configure port mirroring

Plan the configuration

Port mirroring copies the packets passing through a port, VLAN, or CPU to a port that connects to a data monitoring device for packet analysis.

Table 18 Port mirroring configuration table

Configuration item      Plan
Mirroring group         Local
Source ports            GE1/0/1, GE1/0/2
Monitor port            GE1/0/3

Procedure

# Create local mirroring group 1.

<Device> system-view

[Device] mirroring-group 1 local

# Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as source ports for local mirroring group 1, and configure GigabitEthernet 1/0/3 as the monitor port for local mirroring group 1.

[Device] mirroring-group 1 mirroring-port gigabitethernet 1/0/1 gigabitethernet 1/0/2 both

[Device] mirroring-group 1 monitor-port gigabitethernet 1/0/3

# Disable the spanning tree feature on the monitor port (GigabitEthernet 1/0/3). Perform this task only when the monitor port operates in Layer 2 mode.

[Device] interface gigabitethernet 1/0/3

[Device-GigabitEthernet1/0/3] undo stp enable

[Device-GigabitEthernet1/0/3] quit

Verifying the configuration

# Verify the mirroring group configuration.

[Device] display mirroring-group all

Mirroring group 1:

    Type: Local

    Status: Active

    Mirroring port: GigabitEthernet1/0/1  Both

                    GigabitEthernet1/0/2  Both

    Monitor port: GigabitEthernet1/0/3
