Source document: H3C S12500 Switch Series FAQ-R7328-6W101-book.pdf (1.12 MB)
H3C S12500 Switch Series (R7328) FAQ
Copyright © 2014 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.
Contents
Q. What models does the H3C S12500 Routing Switch Series include?
Q. Does the switch support power over Ethernet (PoE)?
Q. Does the switch support DC power modules?
Q. Are the power modules of the switch hot swappable?
Q. Is it normal that the power module fans make a lot of noise?
Q. Is it normal that a power module has an over-low output current?
Q. Are the switching fabric modules of the switch hot swappable?
Q. Is active/standby switchover of MPUs supported on the switch?
Q. How do I identify the card serial number or manufacture information?
Q. Can the switch automatically adjust the fan speed?
Q. How is the LST2XP32 oversubscribed?
Q. How is the LST1CP4 oversubscribed?
Q. How is the LST1XP40 oversubscribed?
Q. Does the switch provide 40G and 100G ports?
Q. Can the 40GE and 100GE ports on the switch be split into 10GE ports?
Q. Do 10 Gigabit ports on the switch support Gigabit transceiver modules?
Q. In what system operating modes does the switch support LPUs with the mark XXXFD or XXXFG?
Q. Does the BootWare support forward compatibility?
Q. How do I view the system version information and operation time information?
Q. Why should I upgrade the Comware system software? How should I upgrade the software?
Q. Can I delete the Comware system software image file after the upgrade is completed?
Q. How can I empty the recycle bin?
Q. Is software patching supported?
Q. Should I remove the old patch file before installing a new patch file?
Q. What is the name of the default configuration file?
Q. What should I do before installing patches?
Q. Why doesn't the switch display the saved configuration file?
System management and maintenance
Q. Information displayed on the console terminal is incorrect sometimes. Why?
Q. What commands should I configure to enable AUX login?
Q. How can I clear a Telnet connection?
Q. Can a Telnet user's username contain the at sign (@)?
Q. How do I format the Flash or CF card from the BootWare?
Q. How do I examine the memory of the switch before the switch starts up?
Q. Why should I wait for all LPUs to operate correctly before I save the running configuration?
Q. Can the management Ethernet interface come up without an IP address?
Q. Can the switch operate as a TFTP server?
Q. Can I power on the switch immediately after I power off the switch?
Q. How are packets arriving at the standby MPU's management Ethernet interface handled?
Q. Does the switch support license authorization? Which features require a license to run?
Q. Which license-based feature packages are available for the switch?
Network security and attack protection
Q. What main attack protection functions does the switch support?
Q. What roles can the switch play when using different SSH versions?
Q. Does the switch support local authentication before RADIUS authentication?
Q. Why can the level for the RADIUS server (the switch) only be 1 when it connects to an ACS server?
Q. Does the switch support local authentication when HWTACACS authentication fails?
Q. Can the switch be connected to a TACACS server that runs third-party TACACS server software?
Q. How do I prevent gateway spoofing when the switch acts as a gateway?
Q. What is the maximum number of bits of a port count?
Q. Does the switch support jumbo frames?
Q. Are the MAC address tables the same for different cards of the switch?
Q. Can frames be correctly forwarded when the MAC address learning limit is set to 0?
Q. Why is a MAC address learned into multiple VLANs?
Q. How is the traffic load-shared for link aggregation on the switch?
Q. Does the switch support configuring static MAC address entries on an aggregate interface?
Q. Does the switch configured with link aggregation support RRPP?
Q. What fields are displayed in the output transceiver module optical power information?
Q. How is the port rate percentage calculated?
Q. What restrictions and guidelines should I follow when I configure loop detection?
Q. Does the switch support private VLAN?
Q. Does the switch support super VLANs?
Q. How many Layer 2 aggregation groups does the switch support?
Q. What spanning tree protocols are supported?
Q. How are ARP entries and MAC address entries handled when the STP topology changes?
Q. When does an MSTP port send TC BPDUs?
Q. Why are MSTP port states wrong when MSTP configuration is correct on the switch?
Q. Do RSTP and MSTP have TCN BPDUs?
Q. Why are ports on a Cisco device down when MSTP is disabled on the connected ports of the switch?
Q. What STP modes are interoperable between the switch and the Cisco devices?
Q. How can I interoperate the switch with a Cisco device in MSTP mode?
Q. What are the precautions for configuring digest snooping?
Q. Does the switch support configuring an IP address for an Ethernet port?
Q. Does the switch support configuring a secondary IP address for a VLAN interface?
Q. Is the secondary IP address still valid when the primary IP address is removed?
Q. What is the MAC address of a VLAN interface used for?
Q. Does the switch send trap messages when the maximum size of the ARP table is reached?
Q. How is ECMP load sharing implemented on the switch?
Q. Does the switch support weighted ECMP load sharing?
Q. How does VRRP tracking function?
Q. How does the switch handle an ICMP ping packet whose size exceeds 1500 bytes?
Q. Is the sending interval of ICMP ping packets configurable on the switch?
Q. What are the restrictions and guidelines for URPF configuration?
Q. Does the switch support configuring blackhole routes?
Q. What are the preferences of different routing protocols?
Q. What are the possible reasons for the OSPF CONFIG ERROR trap?
Q. Why is the LS ACK: BAD ack count a non-zero value when I display OSPF error information?
Q. Can I change the MAC address of a VLAN interface?
Q. Is IGMPv3 supported on the switch?
Q. How do I deny multicast packets from an illegal multicast source?
Q. Is multicast group filtering supported on the switch?
Q. How does the switch forward a multicast packet that has failed the RPF check to the receiver?
Q. Does the link-aggregation load-sharing mode command enable load sharing of multicast traffic?
Q. Is BIDIR-PIM supported on the switch?
Q. Does the switch support multiboard traffic mirroring and port mirroring?
Q. Does the switch support multichassis traffic mirroring and port mirroring?
Q. What restrictions and guidelines should I follow when I configure port mirroring on the switch?
Q. How many monitor ports can I configure for traffic mirroring on the switch?
Q. Can I configure both traffic mirroring and port mirroring on the switch?
Q. Does packet filtering configured on the switch affect the port mirroring function?
Q. Where can I apply a QoS policy on the switch?
Q. Does the switch support a QoS policy for outgoing traffic?
Q. What are the priorities of QoS policies configured on the switch?
Q. What's the match order of ACL rules on the switch?
Q. What are the differences when the permit or deny statement is used in different applications?
Q. What's the order in which ACL rules are restored after a card is restarted?
Q. Can the match criteria configured on the switch match Layer 2 or Layer 3 packets?
Q. How do I configure packet filtering on the switch?
Q. Does the switch support traffic policing for traffic flows on multiple ports (aggregate CAR)?
Q. Does the switch support traffic redirection?
Q. Why can a tracert response be received from the switch after the switch is configured with PBR?
Q. How do I clear traffic statistics on the switch?
Q. Can an ACL match ICMP packets encapsulated with PPPoE on the switch?
Q. Does the switch trust the priorities of a packet by default?
Q. Does the switch functioning as a P device in an MPLS network trust the EXP value of a packet?
Q. Can WRR be configured together with GTS?
Q. Does the switch support collecting traffic statistics of a VLAN interface?
Q. What protocol packets can be rate limited by a QoS policy applied to a control plane?
Q. Does the switch support OpenFlow?
Q. What is the difference between OpenFlow switches and ordinary switches?
Q. What OpenFlow protocol version does the switch support?
Q. What controllers does the switch support when the switch acts as an OpenFlow switch?
Q. How many controllers can an OpenFlow instance on the switch support?
Q. What benefits does QinQ provide?
Q. Can QinQ add another tier of VLAN tag to a double-tagged customer frame?
Q. Does the switch learn MAC addresses to the SVLAN or CVLAN on a QinQ port?
Q. Can an H3C S12500 switch form an IRF fabric with other series devices?
Q. How many chassis can an H3C S12500 IRF fabric have?
Q. Are there any special requirements for connecting IRF member chassis?
Q. Why can't I bind a physical port to or remove it from an IRF port in IRF mode?
Q. What topologies does IRF support?
Q. Does an IRF fabric support multichassis Ethernet link aggregation?
Q. Can I set up an IRF connection that has multiple links?
Q. Can IRF member chassis use duplicate member IDs?
Q. Are there any software feature consistency requirements for a successful IRF setup?
Q. Can I change the MDC settings on the member devices of a split IRF fabric before it reunites?
Q. Why can't I configure a port as a Layer 3 Ethernet interface?
Q. Why can't I disable enhanced IRF?
Q. Can I configure multiple MAD mechanisms for an IRF fabric?
Q. Can I run LACP MAD on any Ethernet link aggregation?
Q. Why doesn't BFD MAD take effect when the spanning tree feature is enabled globally in IRF mode?
Q. Why are ports that were shut down by MAD still down after an IRF merge?
Q. Why do the subordinate chassis reboot automatically upon IRF merge?
Q. In what situations must I reboot a chassis manually to complete an IRF merge?
Q. Why can't data traffic be forwarded at the wire speed across chassis in an IRF fabric?
Q. Can I configure multiple ENDSs for an EVI tunnel?
Q. What is the difference between an EVI link and an EVI tunnel?
Q. What is the difference between EVI edge devices and PE devices?
Q. Under what conditions should I configure selective flooding for a MAC address?
Q. How does EVI prevent forwarding loops?
Q. What should I do if an SPBM neighbor is in Up* state?
Q. What requirements must the MST instance for SPBM meet?
Q. In what situations should I enable the multicast B-VLAN feature?
Q. What restrictions should I follow when I configure B-VLANs?
Q. What benefits does the Agreement Protocol (AP) provide?
Q. Can I migrate a PBB network to an SPB network?
Q. Does SPB support static forwarding paths?
Q. Can a protocol operate continuously during an ISSU?
Q. Why does an LPU that supports ISSU reboot need 1 GB memory?
Q. How are switching fabric modules upgraded during an ISSU?
Q. How many MDCs does the switch support?
Q. Are there memory requirements for cards to support MDCs?
Q. I want to configure both IRF and MDC on the switch. Which should I configure first?
Q. Does the IRF enhanced mode support MDCs?
Q. Must an MDC that is established across member devices have IRF links between the member devices?
Q. How does MAD operate on an IRF fabric with MDCs?
H3C S12500 Switch Series (R7328) FAQ
Hardware
This section contains the most frequently asked questions about the switch hardware.
Q. What models does the H3C S12500 Routing Switch Series include?
A. The H3C S12500 Routing Switch Series includes H3C S12504, H3C S12508, and H3C S12518.
· An H3C S12504 switch has slot 0 and slot 1 for main processing units (MPUs), and has slots 2 through 5 for line processing units (LPUs).
· An H3C S12508 switch has slot 0 and slot 1 for MPUs, and has slots 2 through 9 for LPUs.
· An H3C S12518 switch has slot 0 and slot 1 for MPUs, and has slots 2 through 19 for LPUs.
H3C S12504, H3C S12508, and H3C S12518 switches are illustrated from left to right in Figure 1.
Q. Does the switch support power over Ethernet (PoE)?
A. No. The switch does not support PoE.
Q. Does the switch support DC power modules?
A. Yes. The switch supports both AC and DC power modules.
Q. Are the power modules of the switch hot swappable?
A. Yes. The power modules of the switch are hot swappable. As long as the power provided by the operating power modules meets the requirements, the switch runs correctly.
Q. Is it normal that the power module fans make a lot of noise?
A. Yes. An operating power module adjusts its fan speed based on its temperature. It is normal that the fans operate at a higher speed for a period of time under the following conditions:
· For an AC power module:
◦ Hard switching is performed. When the current of an AC power module is less than 5 A, the power module uses hard switching. When hard switching is performed, a large amount of heat is produced, causing high fan speed. When the current is greater than 5 A, the power module uses soft switching. When soft switching is performed, a small amount of heat is produced, resulting in low fan speed.
◦ The power module is under a heavy load, producing a large amount of heat.
· For a DC power module:
◦ The power module is under a heavy load, producing a large amount of heat.
In these conditions, the power module does not generate an alarm. If the power module is faulty, an alarm is generated.
Q. Is it normal that a power module has an over-low output current?
A. Yes. It is normal for a power module's output current to be very low or 0 when the system power load is less than 25% of the system power capacity. When the load increases or one or more power modules are removed, the power module monitoring software automatically adjusts the output current of each available power module, and the output current value goes up accordingly.
If a power module's output current remains at about 0 when the system power load increases or one or more power modules are removed, the power module might be faulty.
Q. Are the switching fabric modules of the switch hot swappable?
A. Yes. The switching fabric modules of the switch are hot swappable.
Q. Is active/standby switchover of MPUs supported on the switch?
A. Yes. The switch supports active/standby switchover of the MPUs. The standby MPU can automatically take over the responsibility of the failed active MPU, ensuring uninterrupted services. For a successful active/standby switchover, make sure the software versions on the active and standby MPUs are consistent. You can also use the slave switchover command to manually perform an active and standby switchover:
· In standalone mode:
reboot [ slot slot-number ] [ force ]
· In IRF mode:
reboot [ chassis chassis-number [ slot slot-number ] ] [ force ]
Before manually performing an active and standby switchover, make sure the configuration of the active MPU has been backed up to the standby MPU. If the manual switchover takes place during the backup process, the switchover fails and the system displays an error message.
Q. How do I identify the card serial number or manufacture information?
A. Use the display device manuinfo command on the switch. The following is a sample command output.
<Sysname>display device manuinfo
Chassis self
Slot 0:
DEVICE_NAME : LST1MRPNC1
DEVICE_SERIAL_NUMBER : 210231A9680112000022
MAC_ADDRESS : 3822-D645-EC00
MANUFACTURING_DATE : 2012-10-21
VENDOR_NAME : H3C
Slot 2:
DEVICE_NAME : LST1GT48LEC1
DEVICE_SERIAL_NUMBER : 210231A85L0123456789
MAC_ADDRESS : NONE
MANUFACTURING_DATE : 2012-10-21
VENDOR_NAME : H3C
Q. Can the switch automatically adjust the fan speed?
A. Yes. The switch can automatically adjust the fan speed based on the temperature in the chassis. You can use the display fan verbose command to display detailed information about fans. The following is a sample command output.
<Sysname>display fan verbose
Fan-tray verbose state on chassis 2:
Fan-tray 1:
Software version: 105
Hardware version: Ver.A
CPLD version: 002
Fan number: 12
Temperature: 37 °C
High temperature alarm threshold: 60 °C
Low speed alarm threshold: 750 rpm
Fan Status Speed(rpm)
--- ---------- ----------
1 normal 4320
2 normal 4440
3 normal 4380
4 normal 4740
5 normal 4080
6 normal 4440
7 normal 4320
8 normal 4320
9 normal 4380
10 normal 4560
11 normal 4500
12 normal 4500
Fan-tray 2:
Software version: 105
Hardware version: Ver.A
CPLD version: 002
Fan number: 12
Temperature: 37 °C
High temperature alarm threshold: 60 °C
Low speed alarm threshold: 750 rpm
Fan Status Speed(rpm)
--- ---------- ----------
1 normal 4320
2 normal 4440
3 normal 4380
4 normal 4740
5 normal 4080
6 normal 4440
7 normal 4320
8 normal 4320
9 normal 4380
10 normal 4560
11 normal 4500
12 normal 4500
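The following added example (it is not from the H3C manual) parses output in the format shown above and flags a fan tray whose temperature has reached its high-temperature alarm threshold or a fan whose speed has fallen below the low-speed alarm threshold, the checks a health-monitoring script would run over display fan verbose output collected from a switch. The sample text is constructed from the output above with the fan count shortened and two faults introduced (tray 2 at 63 °C, fan 3 at 600 rpm); the function names are the example's own.

```python
import re

# Constructed sample modelled on the "display fan verbose" output in the FAQ.
# Tray 2 has been given a temperature above its threshold and one slow fan so
# that the checks below have something to report.
SAMPLE_OUTPUT = """\
Fan-tray verbose state on chassis 2:
Fan-tray 1:
Software version: 105
Hardware version: Ver.A
CPLD version: 002
Fan number: 3
Temperature: 37 °C
High temperature alarm threshold: 60 °C
Low speed alarm threshold: 750 rpm
Fan Status Speed(rpm)
--- ---------- ----------
1 normal 4320
2 normal 4440
3 normal 4380
Fan-tray 2:
Software version: 105
Hardware version: Ver.A
CPLD version: 002
Fan number: 3
Temperature: 63 °C
High temperature alarm threshold: 60 °C
Low speed alarm threshold: 750 rpm
Fan Status Speed(rpm)
--- ---------- ----------
1 normal 4320
2 normal 4440
3 normal 600
"""

TRAY_RE = re.compile(r"^Fan-tray (\d+):$")          # "Fan-tray 1:"
KV_RE = re.compile(r"^([A-Za-z ]+):\s*(\d+)")        # "Temperature: 37 °C"
FAN_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\d+)$")      # "1 normal 4320"


def parse_fan_verbose(text):
    """Return {tray_id: {"temperature", "high_temp_threshold",
    "low_speed_threshold", "fans": {fan_id: (status, rpm)}}}."""
    trays = {}
    tray = None
    for raw in text.splitlines():
        line = raw.strip()
        m = TRAY_RE.match(line)
        if m:
            tray = trays.setdefault(int(m.group(1)), {"fans": {}})
            continue
        if tray is None:
            continue  # header line before the first tray
        m = FAN_RE.match(line)
        if m:
            tray["fans"][int(m.group(1))] = (m.group(2), int(m.group(3)))
            continue
        m = KV_RE.match(line)
        if m:
            key, value = m.group(1), int(m.group(2))
            if key == "Temperature":
                tray["temperature"] = value
            elif key == "High temperature alarm threshold":
                tray["high_temp_threshold"] = value
            elif key == "Low speed alarm threshold":
                tray["low_speed_threshold"] = value
    return trays


def fan_alarms(trays):
    """Return (tray_id, fan_id_or_None, message) for every condition that
    an operator should act on: temperature at or above the tray's alarm
    threshold, a fan below the low-speed threshold, or a non-normal status."""
    alarms = []
    for tray_id, tray in sorted(trays.items()):
        temp = tray.get("temperature", 0)
        high = tray.get("high_temp_threshold", float("inf"))
        if temp >= high:
            alarms.append((tray_id, None,
                           "temperature %d C at or above threshold %d C" % (temp, high)))
        low = tray.get("low_speed_threshold", 0)
        for fan_id, (status, rpm) in sorted(tray["fans"].items()):
            if status != "normal" or rpm < low:
                alarms.append((tray_id, fan_id,
                               "status %s, %d rpm (threshold %d rpm)" % (status, rpm, low)))
    return alarms


if __name__ == "__main__":
    for alarm in fan_alarms(parse_fan_verbose(SAMPLE_OUTPUT)):
        print("tray %s fan %s: %s" % alarm)
```

Run against real output, the script reports nothing for a healthy chassis and one line per fault otherwise, which makes it easy to wire into a periodic check; the switch raises its own alarms for the same conditions, so the value of an external parser is keeping an independent record over time.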
Q. How is the LST2XP32 oversubscribed?
A. The LST2XP32 is 4:1 oversubscribed. Its thirty-two 10GE ports are divided into eight oversubscription groups with four ports in each group as follows. Each group shares a 10 Gbps bandwidth. The total bandwidth of the card is 80 Gbps.
· Ports 1, 5, 9, and 13
· Ports 2, 6, 10, and 14
· Ports 3, 7, 11, and 15
· Ports 4, 8, 12, and 16
· Ports 17, 21, 25, and 29
· Ports 18, 22, 26, and 30
· Ports 19, 23, 27, and 31
· Ports 20, 24, 28, and 32
Q. How is the LST1CP4 oversubscribed?
A. The LST1CP4 is 2:1 oversubscribed. Its four 100GE ports are divided into two oversubscription groups, with ports 1 and 2 in one group and ports 3 and 4 in the other. Each group shares a 100 Gbps bandwidth. The total bandwidth of the card is 200 Gbps.
Q. How is the LST1XP40 oversubscribed?
A. The LST1XP40RFD and LST1XP40RFG each provide forty 10GE ports. The forty ports are divided into two oversubscription groups, with ports 1 to 20 in one group and ports 21 to 40 in the other. Each group shares a 160 Gbps bandwidth. The total bandwidth of the card is 320 Gbps.
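To make the grouping rules of the three cards above usable in capacity planning, the following added example (not part of the H3C document) encodes them as a function that returns the ports sharing a bandwidth group, derives each card's oversubscription ratio from the port count and group bandwidth stated above (the 4:1 and 2:1 results for the LST2XP32 and LST1CP4 reproduce the manual's figures; the LST1XP40 ratio is derived here, not stated in the manual), and picks ports that do not contend with each other. Card names are the manual's; the function names and the CARDS table are the example's own.

```python
# Per-card figures as stated in the FAQ:
# (number of ports, bandwidth shared by one group in Gbps, rate per port in Gbps)
CARDS = {
    "LST2XP32": (32, 10, 10),
    "LST1CP4": (4, 100, 100),
    "LST1XP40": (40, 160, 10),
}


def oversubscription_group(card, port):
    """Return the tuple of ports that share bandwidth with `port` on `card`."""
    ports, _, _ = CARDS[card]
    if not 1 <= port <= ports:
        raise ValueError("%s has ports 1-%d, got %d" % (card, ports, port))
    if card == "LST2XP32":
        # Eight groups of four: within each block of 16 ports, the ports with
        # the same offset modulo 4 share one group (1,5,9,13 ... 20,24,28,32).
        base = (port - 1) // 16 * 16 + (port - 1) % 4 + 1
        return tuple(base + 4 * i for i in range(4))
    if card == "LST1CP4":
        # Two groups of two: ports 1-2 and ports 3-4.
        base = 1 if port <= 2 else 3
        return (base, base + 1)
    # LST1XP40: two groups of twenty, ports 1-20 and ports 21-40.
    base = 1 if port <= 20 else 21
    return tuple(range(base, base + 20))


def oversubscription_ratio(card):
    """Total port rate of one group divided by the bandwidth the group shares."""
    _, group_bw, port_rate = CARDS[card]
    return len(oversubscription_group(card, 1)) * port_rate / group_bw


def card_total_bandwidth(card):
    """Number of groups times the bandwidth per group, in Gbps."""
    ports, group_bw, _ = CARDS[card]
    return ports // len(oversubscription_group(card, 1)) * group_bw


def ports_in_distinct_groups(card, count):
    """Choose `count` ports on `card` so that no two share a group, the
    placement to prefer for links that must not contend for bandwidth
    (for example several uplinks or a mirror destination next to a busy link)."""
    chosen, seen = [], set()
    for port in range(1, CARDS[card][0] + 1):
        group = oversubscription_group(card, port)
        if group not in seen:
            seen.add(group)
            chosen.append(port)
        if len(chosen) == count:
            return chosen
    raise ValueError("%s has only %d oversubscription groups" % (card, len(seen)))


if __name__ == "__main__":
    for card in CARDS:
        print(card, "ratio %.2f:1" % oversubscription_ratio(card),
              "total %d Gbps" % card_total_bandwidth(card))
    print("LST2XP32 non-contending ports:", ports_in_distinct_groups("LST2XP32", 8))
```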
Q. Does the switch provide 40G and 100G ports?
A. Yes. The switch provides 40G and 100G ports.
40G cards available for the switch include LST1XLP16RFD1 and LST1XLP16RFD2. 100G cards available for the switch include LST1CP4RFD1, LST1CP4RFD2, LST1CP4RFG1, and LST1CP4RFG2.
Q. Can the 40GE and 100GE ports on the switch be split into 10GE ports?
A. A 40GE port can be split into four 10GE ports. A 100GE port cannot be split into 10GE ports.
Q. Do 10 Gigabit ports on the switch support Gigabit transceiver modules?
A. Yes. The 10 Gigabit ports on the LST1XP40, LST1XP20, and LST1XP48 support Gigabit transceiver modules.
Q. In what system operating modes does the switch support LPUs with the mark XXXFD or XXXFG?
A. The switch supports LPUs with the mark XXXFD or XXXFG in any system operating mode.
If all LPUs on the switch are XXXFD or XXXFG models, H3C recommends that you set the system operating mode to grand for the best performance of the LPUs.
Software
This section contains the most frequently asked questions about the switch software.
Q. Does the BootWare support forward compatibility?
A. Yes. The BootWare supports forward compatibility. After a software upgrade, you can roll back the Comware system software without rolling back the BootWare.
Q. How do I view the system version information and operation time information?
A. Use the display version command. This command displays information about the current BootWare version, Comware system software version, and system operation time.
Q. Why should I upgrade the Comware system software? How should I upgrade the software?
A. H3C continually improves the Comware system software to meet customer requirements and solve problems. By upgrading the Comware system software, you can fix existing software bugs, and obtain more features and functions, optimized applications, and higher device performance, availability, and attack protection capability.
To make sure the configuration file can operate correctly after an upgrade, do the following:
1. Before the upgrade, use the save command to save the running configuration, and use FTP to save a copy of the file to a PC.
2. After the upgrade is completed, verify that all cards are operating correctly, use the save command to save the running configuration, and use FTP to save a copy of the file to a PC.
3. Compare the two configuration files and reconfigure the commands that are missing.
Because configuration files usually contain a large number of commands, H3C recommends that you use a file comparison tool such as Beyond Compare.
This procedure applies to upgrades from one Comware V5 version to another Comware V5 version and upgrades from one Comware V7 version to another Comware V7 version. For information about how to upgrade the software from Comware V5 to Comware V7, see H3C S12500 Comware V5-V7 Migration Guide.
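Step 3 of the procedure above is the one that is easy to get wrong by hand, because a plain line-by-line diff cannot tell which view an indented command belongs to. The following added example (not from the H3C manual) compares the two saved configuration files view by view and lists the commands that disappeared after the upgrade, grouped under the view in which they must be re-entered. It assumes the layout of Comware configuration files: view-entering commands are unindented, commands inside a view are indented one space, and a line holding only "#" ends the current view. The two configuration excerpts are constructed, and the function names are the example's own.

```python
# Constructed Comware-style configuration excerpts. In a real check these are
# the two files saved to the PC with FTP before and after the upgrade.
BEFORE = """\
#
 sysname S12500
#
 ssh server enable
#
vlan 10
 name servers
#
interface Vlan-interface10
 ip address 10.0.0.1 255.255.255.0
 undo ip proxy-arp
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk permit vlan 10
#
"""

AFTER = """\
#
 sysname S12500
#
vlan 10
 name servers
#
interface Vlan-interface10
 undo ip proxy-arp
#
interface GigabitEthernet2/0/1
 port link-type trunk
 port trunk permit vlan 10
 lldp enable
#
"""


def parse_config(text):
    """Return a set of (view, command) pairs. The empty view stands for
    commands executed directly in system view."""
    entries = set()
    view = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if stripped == "#":
            view = ""          # block separator: back to system view
            continue
        if raw.startswith(" "):
            entries.add((view, stripped))   # command inside the current view
        else:
            view = stripped                  # view-entering command
            entries.add(("", view))
    return entries


def config_diff(before, after):
    """Return (missing, added): commands present only before the upgrade,
    which must be reconfigured, and commands present only after it, which
    are usually new defaults and should be reviewed rather than removed."""
    b, a = parse_config(before), parse_config(after)
    return sorted(b - a), sorted(a - b)


def report(entries):
    """Format (view, command) pairs grouped by view, in the order they
    would be re-entered on the switch."""
    out, current = [], None
    for view, cmd in entries:
        if view != current:
            out.append(view or "(system view)")
            current = view
        out.append("  " + cmd)
    return "\n".join(out)


if __name__ == "__main__":
    missing, added = config_diff(BEFORE, AFTER)
    print("Missing after upgrade:\n" + report(missing))
    print("\nNew after upgrade:\n" + report(added))
```

Because the comparison is set-based, commands that the new version merely writes in a different order are not reported. A command whose syntax changed between versions shows up once under "missing" and once under "new", which is exactly the pair a reviewer needs to look at; the example does not try to map old syntax to new.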
Q. Can I delete the Comware system software image file after the upgrade is completed?
A. No. The file contains the software images for MPUs and the software images for LPUs. MPUs and LPUs read these images during startup.
Q. Can I view deleted files?
A. Yes, if the files were deleted by a delete command without the /unreserved option. A delete command with the /unreserved option permanently deletes files. A delete command without the /unreserved option moves files to the recycle bin.
To view the files in the recycle bin, use the dir /all command. The name of a file in the recycle bin is enclosed in brackets ([ ]).
You can use the undelete command to restore files from the recycle bin.
Q. How can I empty the recycle bin?
A. Use the reset recycle-bin command. If a file in the recycle bin is corrupt, use the reset recycle-bin command with the /force keyword to delete the file.
Q. Is software patching supported?
A. Yes. The switch supports software patching.
Q. Should I remove the old patch file before installing a new patch file?
A. Yes. You must remove the old patch file from the storage media manually before installing a new patch file. A new patch file contains the patches in the old patch file.
Q. What is the name of the default configuration file?
A. The name of the default configuration file is flash:/config.cfg.
Q. What should I do before installing patches?
A. Before installing patches, do the following:
· Make sure the patch image file is saved to the same type of storage medium (flash or CF card) on the MPUs.
· Make sure the patch image files on the MPUs are located in the same directory.
· Specify the path of the patch image file for the patch file location argument.
Q. Why doesn't the switch display the saved configuration file?
A. The device does not display the saved configuration file at the first startup:
<Sysname>display startup
MainBoard:
Startup saved-configuration file: NULL
Next startup saved-configuration file: flash:/config.cfg
SlaveBoard:
Startup saved-configuration file: NULL
Next startup saved-configuration file: flash:/config.cfg
System management and maintenance
This section contains the most frequently asked questions about system management and maintenance.
Q. Information displayed on the console terminal is incorrect sometimes. Why?
A. If nothing is displayed on the console terminal, examine the following:
· Whether the power system is operating correctly.
· Whether the MPUs are operating correctly.
· Whether the console cable is connected to the console port correctly.
If no problem is found, the reason might be one of the following:
· The access port specified for the terminal is different from the port to which the console cable is connected.
· Settings on the configuration terminal are incorrect.
· The cable has a problem.
If garbled characters are displayed on the terminal, settings on the configuration terminal might be incorrect.
The correct terminal settings are as follows:
· Bits per second—9600 bps
· Flow control—None
· Parity—None
· Stop bits—1
· Data bits—8
· Terminal display type—VT100
If you are running the terminal software SecureCRT, you must deselect the DTR/DSR option and RTS/CTS option for flow control. By default, the RTS/CTS option is selected for flow control.
Q. What commands should I configure to enable AUX login?
A. You can configure the following commands:
# Enter AUX 0 user line view.
<Sysname> system-view
[Sysname] line aux 0
# Disable login authentication for the user line.
[Sysname-line-aux0] authentication-mode none
# Assign the user role network-admin to the user line.
[Sysname-line-aux0] user-role network-admin
Q. How can I clear a Telnet connection?
A. Use the free user-interface vty number command in user view.
Q. Can a Telnet user's username contain the at sign (@)?
A. The username of a Telnet user that is configured on the switch cannot contain the at sign (@).
Q. I cleared the packet statistics on an interface by using the reset counters interface command. Why does the MIB browser show that the error packet count is still the same?
A. The MIB browser shows the values of the hardware counters. The reset counters interface command does not reset the hardware counters. This command clears only the statistics calculated by software.
Q. How do I format the Flash or CF card from the BootWare?
A. To format the Flash or CF card, follow these steps:
1. Access the extended BootWare menu.
2. Access the storage media management menu and select the storage medium to be formatted.
3. Format the storage medium.
For example, to format the Flash:
1. Power on or reboot the switch.
The startup information appears.
RAM test successful.
System is starting...
Press Ctrl+D to access BASIC-BOOTWARE MENU...
Booting Normal Extended BootWare
The Extended BootWare is self-decompressing...........................Done.
****************************************************************************
* *
* H3C S12500 BootWare, Version 1.01 *
* *
****************************************************************************
Compiled Date : Mar 27 2013
CPU Type : P5040
CPU L1 Cache : 32KB
CPU L2 Cache : 1024KB
CPU Clock Speed : 1800MHz
Memory Type : DDR3 SDRAM
Memory Size : 8192MB
Memory Speed : 1066MHz
BootWare Size : 8MB
Flash Size : 512MB
cfa0 Size : 4002MB
NVRAM Size : 1024KB
BASIC CPLD Version : 001C
EXTENDED CPLD Version : 001C
PCB Version : Ver.A
Board self testing...........................
Board steady testing... [ PASS ]
Board SlotNo... [ 0 ]
DX246 testing... [ PASS ]
PHY88E1111 testing... [ PASS ]
CPLD1 testing... [ PASS ]
CPLD2 testing... [ PASS ]
NS16550 register testing... [ PASS ]
The switch's Mac address... [00:0F:E2:0E:08:03]
CF Card testing... [ PASS ]
BootWare Validating...
Press Ctrl+B to access EXTENDED-BOOTWARE MENU...
2. Press Ctrl+B within three seconds after the "Press Ctrl+B to access EXTENDED-BOOTWARE MENU..." prompt message appears.
The extended BootWare menu appears.
Password recovery capability is enabled.
Note: The current operating device is cfa0
Enter < Storage Device Operation > to select device.
==========================<EXTENDED-BOOTWARE MENU>==========================
|<1> Boot System |
|<2> Enter Serial SubMenu |
|<3> Enter Ethernet SubMenu |
|<4> File Control |
|<5> Restore to Factory Default Configuration |
|<6> BootWare Operation Menu |
|<7> Skip Authentication for Console Login |
|<8> Storage Device Operation |
|<9> Product Special Operation |
|<0> Reboot |
============================================================================
Ctrl+Z: Access EXTENDED ASSISTANT MENU
Ctrl+F: Format File System
Enter your choice(0-9): 8
3. Enter 8 to access the storage media management menu.
==============================<DEVICE CONTROL>==============================
|<1> Display All Available Nonvolatile Storage Device(s) |
|<2> Set The Operating Device |
|<3> Set The Default Boot Device |
|<0> Exit To Main Menu |
============================================================================
Enter your choice(0-3): 2
4. Enter 2 to specify the operating storage medium.
Please set the operating device:
============================================================================
|Note:the operating device is cfa0 |
|NO. Device Name File System Total Size Available Space |
|1 flash VFS 132909056 132892672 |
|2 cfa0 FAT 1044549632 282378240 |
|0 Exit |
============================================================================
Enter your choice(0-2):1
Set the operation device successful!
5. Enter 1 to use the Flash as the operating storage medium.
==============================<DEVICE CONTROL>==============================
|<1> Display All Available Nonvolatile Storage Device(s) |
|<2> Set The Operating Device |
|<3> Set The Default Boot Device |
|<0> Exit To Main Menu |
============================================================================
Enter your choice(0-3): 0
6. Enter 0 to return to the extended BootWare menu.
==========================<EXTENDED-BOOTWARE MENU>==========================
|<1> Boot System |
|<2> Enter Serial SubMenu |
|<3> Enter Ethernet SubMenu |
|<4> File Control |
|<5> Restore to Factory Default Configuration |
|<6> BootWare Operation Menu |
|<7> Skip Authentication for Console Login |
|<8> Storage Device Operation |
|<9> Product Special Operation |
|<0> Reboot |
===========================================================================
Ctrl+Z: Access EXTENDED ASSISTANT MENU
Ctrl+F: Format File System
Enter your choice(0-9):
Warning:All files on flash will be lost! Are you sure to format? [Y/N] Y
7. Press Ctrl+F to format the Flash.
Q. How do I examine the memory of the switch before the switch starts up?
A. For an LST1MRPNC1 MPU, power on the switch and press Ctrl+T or Ctrl+Y as prompted.
Press Ctrl+T to start the 5-step memory test procedure:
DDR2 SDRAM test successful.
Press Ctrl+T to start five-step full RAM test...
Press Ctrl+Y to start nine-step full RAM test...
Running five-step RAM test...
This operation may take several minutes. Please wait...
DDR2 SDRAM dataline testing... [ PASS ]
DDR2 SDRAM addressline testing... [ PASS ]
Five-step RAM test succeeded.
System is starting...
Press Ctrl+Y to start the 9-step memory test procedure:
DDR2 SDRAM test successful.
Press Ctrl+T to start five-step full RAM test...
Press Ctrl+Y to start nine-step full RAM test...
Running Nine-Step RAM test…
This operation may take several minutes. Please wait...
DDR2 SDRAM dataline testing... [ PASS ]
DDR2 SDRAM addressline testing... [ PASS ]
DDR2 SDRAM unit testing... [ PASS ]
Nine-Step ram test successful.
System is starting...
Press Ctrl+D to access BASIC-BOOTWARE MENU...
Booting Normal Extend BootWare
The Extend BootWare is self-decompressing.....................Done!
Q. Will the switch relearn MAC address entries, ARP entries, and FIB entries after an active/standby switchover?
A. The switch does not relearn MAC address entries or ARP entries. Whether it relearns FIB entries depends on whether GR or NSR is configured for the routing protocol:
· MAC address entries are saved on LPUs. A switchover does not affect MAC entries or data forwarding based on the entries.
· ARP entries are backed up on the standby MPU. A switchover does not affect ARP entries or data forwarding based on the entries.
· FIB entries are also backed up on the standby MPU:
◦ If GR or NSR is configured for the routing protocol, the routing protocol continues to operate after a switchover, and the switch has to relearn routes. However, data forwarding based on the existing entries is not affected.
◦ If neither GR nor NSR is configured for the routing protocol, a switchover brings the routing protocol down and causes the FIB entries to be lost. Data forwarding stops, and the switch must learn FIB entries again.
Q. Why should I wait for all LPUs to operate correctly before I save the running configuration?
A. The configuration is saved on the Flash or CF card. During startup, the switch configures LPUs by loading the configuration into memory. If you execute the save command before this process is completed, the incomplete configuration in memory is saved to the Flash and replaces the complete configuration, resulting in configuration loss.
Q. Can the management Ethernet interface come up without an IP address?
A. Yes. The interface can come up as long as the Layer 2 link is up. In addition, flow control is performed on the interface by software, and excessive packets arriving at the interface cannot affect system operation.
Q. I was using TFTP to transfer data from the switch. Why did the transfer fail when the amount of transferred data reached about 32 MB?
A. This problem is caused by the TFTP server. Some TFTP servers have a limit of 32 MB on a transferred data block. When the amount of transferred data for the block reaches approximately 32 MB, the TFTP server stops requesting data transfer. If you experience this problem, please change the TFTP server software.
Q. Can the switch operate as a TFTP server?
A. No.
Q. Can I power on the switch immediately after I power off the switch?
A. H3C recommends that you follow these steps to power cycle the device:
1. Power off the device by turning off the power switches one by one.
2. Wait 10 seconds so electricity is completely released.
3. Power on the device by turning on the power switches one by one.
Q. How are packets arriving at the standby MPU's management Ethernet interface handled?
A. A packet arriving at a management Ethernet interface is always forwarded to the CPU. Then, the software examines whether or not the MPU that holds the management Ethernet interface is the standby MPU:
· If it is the standby MPU, the switch discards the packet.
· If it is the active MPU, the switch proceeds to process the packet.
The CPU on an MPU processes up to 2000 packets per second.
Q. Why does the Input interface value or Output interface value field in an sFlow packet have a value of 0?
A. A sample packet in the inbound direction does not carry the outbound packet count. A sample packet in the outbound direction does not carry the inbound packet count.
Figure 2 Sample in the inbound direction
Figure 3 Sample in the outbound direction
Q. I compressed the diagnostic information and transferred it to a host. When I used WINRAR to decompress it on the host, however, a file corruption error message appeared and the diagnostic information contains garbled characters. Why?
A. If you use FTP to transfer a .gz file to a host in ASCII mode, the decompressed file on the host might contain garbled characters. If you use FTP to transfer a file that is not compressed to a host in ASCII mode, the file on the host has an extra question mark (?) at the end of each line.
To use WINRAR to decompress a file transferred by using FTP, make sure you set the file transfer mode to binary before transferring the file.
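The following Python script, added here as an illustration and not part of the H3C document, simulates what ASCII-mode FTP does to a .gz file and shows the integrity check a practitioner can run on both ends. The diagnostic text, the in-memory "transfer" functions and the hash comparison are all constructed for the example; the .gz stream is built with compression level 0 so that the LF bytes of the text appear verbatim in the compressed data and the ASCII-mode damage is guaranteed to show.

```python
"""Added example: why a .gz file transferred in FTP ASCII mode decompresses to garbage.
Illustration only: the FTP transfer is simulated in memory, nothing is sent anywhere."""
import gzip
import hashlib
import zlib


def ascii_mode_transfer(data):
    """Simulate an FTP ASCII (TYPE A) transfer to a host that uses CR LF line endings:
    every LF byte becomes CR LF. That is exactly the 'extra ? at the end of each line'
    the FAQ describes for uncompressed files, and it silently corrupts binary files."""
    return data.replace(b"\n", b"\r\n")


def binary_mode_transfer(data):
    """Simulate an FTP binary (TYPE I) transfer: bytes arrive unchanged."""
    return bytes(data)


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def transfer_intact(sent, received):
    """Integrity check a practitioner can run: compare a hash computed on the switch side
    with one computed on the host after the transfer."""
    return sha256(sent) == sha256(received)


def gzip_decompresses(data):
    """True if the bytes are a valid gzip stream (header, deflate data and CRC trailer)."""
    try:
        gzip.decompress(data)
        return True
    except (OSError, EOFError, zlib.error):  # gzip.BadGzipFile is a subclass of OSError
        return False


# Constructed stand-in for diagnostic information: plain text with LF line endings.
DIAG_TEXT = b"Slot 1 CPU usage: 12%\nSlot 2 CPU usage: 9%\nMemory free: 1024 MB\n"

# compresslevel=0 emits a stored deflate block, so the .gz stream carries the input bytes
# verbatim, LF included. (A normally compressed stream can contain 0x0A bytes anywhere
# too; level 0 just makes the demonstration deterministic.) mtime=0 keeps the header fixed.
DIAG_GZ = gzip.compress(DIAG_TEXT, compresslevel=0, mtime=0)


def demo():
    """Return the outcome of both transfer modes for the constructed .gz file."""
    binary = binary_mode_transfer(DIAG_GZ)
    ascii_ = ascii_mode_transfer(DIAG_GZ)
    return {
        "binary_intact": transfer_intact(DIAG_GZ, binary),
        "binary_decompresses": gzip_decompresses(binary),
        "ascii_intact": transfer_intact(DIAG_GZ, ascii_),
        "ascii_decompresses": gzip_decompresses(ascii_),
        "ascii_extra_cr_in_text_file": ascii_mode_transfer(DIAG_TEXT).count(b"\r"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The hash comparison is the useful operational check: if the host-side hash differs from the one computed before the transfer, the file was altered in transit (ASCII mode being the usual cause) and any decompression error that follows is a symptom, not the problem.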
Q. Does the switch support license authorization? Which features require a license to run?
A. Yes, the switch supports license authorization. License-based features include EVI, MDC, SPB, and FCoE.
Q. Which license-based feature packages are available for the switch?
A. License-based feature packages available for the switch are as follows:
· CAMPUS—Includes the MDC feature.
· DATACENTER—Includes the EVI, FCoE, SPB, and MDC features.
Network security and attack protection
This section contains the most frequently asked questions about network security and attack protection.
Q. What main attack protection functions does the switch support?
A. The switch supports link layer attack protection, ARP attack protection, network layer attack protection, and transport layer attack protection, as shown in Table 1.
Table 1 Attack protection types
Attack protection type | Function | Description |
---|---|---|
Link layer attack protection | MAC address attack protection | Prevents attacks by packets with different source MAC addresses or VLANs by configuring the maximum number of MAC addresses that an interface can learn. |
Link layer attack protection | STP packet attack protection | Provides protection measures such as BPDU guard, root guard, loop guard, and TC-BPDU guard. |
ARP attack protection | ARP source suppression | Prevents IP attack packets from fixed sources. |
ARP attack protection | ARP black hole routing | Prevents IP attack packets from sources that are not fixed. |
ARP attack protection | ARP active acknowledgement | Prevents user spoofing. |
ARP attack protection | Source MAC-based ARP attack detection | Prevents ARP packet attacks from the same source MAC. |
ARP attack protection | ARP packet source MAC consistency check | Prevents attacks from ARP packets whose source MAC address in the Ethernet header is different from the sender MAC address in the message body. |
ARP attack protection | ARP packet rate limit | Prevents attacks from a large number of ARP packets. |
ARP attack protection | Authorized ARP | Prevents user spoofing by learning only ARP entries generated based on the DHCP clients' address leases on the DHCP server or security entries on the DHCP relay agent. |
ARP attack protection | ARP detection | Prevents user spoofing and gateway spoofing attacks by blocking ARP packets from unauthorized clients. |
Network layer attack protection | uRPF check | Protects a network against source spoofing attacks. |
Network layer attack protection | ICMP attack protection | Prevents ICMP fragment attacks by disabling the forwarding of ICMP fragments. |
Network layer attack protection | TTL attack protection | Prevents an attack by disabling the sending of ICMP time exceeded messages. |
Transport layer attack protection | SYN flood attack protection | Enables the server to directly return a SYN ACK message upon receiving a TCP connection request, without establishing a half-open TCP connection. |

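Two of the ARP checks in Table 1, the ARP packet source MAC consistency check and a per-source ARP packet rate limit, are shown below in Python as an added example. This is illustration code written for this page, not H3C's implementation, and it works on frames constructed in the script rather than on live traffic; the helper names (`build_arp_request`, `parse_arp`, `ArpRateMonitor`), the 100 frames per second threshold and the MAC and IP values are all assumptions made for the example.

```python
"""Added example: two ARP attack protection checks from Table 1 implemented over
constructed frames. Illustration only, not the switch's own code."""
import struct
from collections import defaultdict, deque

ETH_TYPE_ARP = b"\x08\x06"
BROADCAST = b"\xff" * 6


def mac(text):
    """Convert an H3C-style MAC string such as 00e0-fc00-0001 to 6 bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def ip4(text):
    """Convert a dotted IPv4 address to 4 bytes."""
    return bytes(int(octet) for octet in text.split("."))


def build_arp_request(eth_src, sender_mac, sender_ip, target_ip):
    """Constructed Ethernet II + ARP request: 14-byte Ethernet header, 28-byte ARP body.
    eth_src and sender_mac are passed separately so an inconsistent frame can be built."""
    eth_header = BROADCAST + eth_src + ETH_TYPE_ARP
    arp_body = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, opcode 1 = request
                + sender_mac + ip4(sender_ip)
                + b"\x00" * 6 + ip4(target_ip))
    return eth_header + arp_body


def parse_arp(frame):
    """Return (eth_src, sender_mac, sender_ip) for an IPv4-over-Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != ETH_TYPE_ARP:
        return None
    htype, ptype, hlen, plen, _opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return frame[6:12], frame[22:28], frame[28:32]


def source_mac_consistent(frame):
    """ARP packet source MAC consistency check: the Ethernet source MAC must equal
    the sender MAC in the ARP body. Returns None for frames that are not ARP."""
    parsed = parse_arp(frame)
    if parsed is None:
        return None
    eth_src, sender_mac, _sender_ip = parsed
    return eth_src == sender_mac


class ArpRateMonitor:
    """Per-source ARP rate check: flags a source MAC once it has sent more than
    `threshold` ARP frames inside a sliding window of `window_seconds`."""

    def __init__(self, threshold, window_seconds=1.0):
        self.threshold = threshold
        self.window = window_seconds
        self.seen = defaultdict(deque)  # eth_src -> timestamps of recent ARP frames

    def observe(self, frame, now):
        """Record one frame seen at time `now` (seconds); True if the source is over the limit."""
        parsed = parse_arp(frame)
        if parsed is None:
            return False
        stamps = self.seen[parsed[0]]
        stamps.append(now)
        while stamps and now - stamps[0] > self.window:
            stamps.popleft()
        return len(stamps) > self.threshold


# Constructed sample frames (assumed addresses, not from any real network).
GOOD_FRAME = build_arp_request(mac("00e0-fc00-0001"), mac("00e0-fc00-0001"), "10.1.1.2", "10.1.1.1")
BAD_FRAME = build_arp_request(mac("00e0-fc00-0001"), mac("00e0-fc00-0002"), "10.1.1.2", "10.1.1.1")


def first_flagged_frame(frame, count, threshold=100, interval_s=0.001):
    """Feed `count` copies of `frame` spaced interval_s apart; return the 1-based index
    of the first frame that trips the rate check, or None if none does."""
    monitor = ArpRateMonitor(threshold)
    for i in range(count):
        if monitor.observe(frame, i * interval_s):
            return i + 1
    return None


if __name__ == "__main__":
    print("consistent:", source_mac_consistent(GOOD_FRAME), source_mac_consistent(BAD_FRAME))
    print("rate limit tripped at frame:", first_flagged_frame(GOOD_FRAME, 150))
```

Both checks are cheap enough to run inline on a capture: the consistency check needs only two 6-byte comparisons per frame, and the rate monitor keeps one timestamp queue per source, so a burst from a single host shows up as soon as the window fills.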
Q. What roles can the switch play when using different SSH versions?
A. Table 2 describes the roles of the switch according to SSH version.
Table 2 Switch roles and SSH versions
Version/Feature | SSH1 | SSH2 |
---|---|---|
S12500 | Acts as the server that operates in non-FIPS mode. | Acts as the server and the client. |

Q. Does the switch support local authentication before RADIUS authentication?
A. No. Local authentication is performed only when no response is received from the RADIUS server.
Q. Why can't a user log in to an ACS authentication server through a console port when the switch uses RADIUS authentication?
A. The user can log in to the ACS server through a console port only when you deselect the login-service option in the ACS server configuration.
Q. Why can the level for the RADIUS server (the switch) be only 1 when it connects to an ACS server?
A. This symptom might occur when one of the following conditions exists:
· The 2011/002 private attributes for the ACS server are incomplete.
· The login-service attribute for the ACS server is not configured.
Q. Does the switch support local authentication when HWTACACS authentication fails?
A. The switch supports local authentication when the HWTACACS server is disconnected.
The switch does not support local authentication when the HWTACACS server operates correctly with an authentication failure due to a wrong username or a wrong password. To enable local authentication, specify the local keyword in the authentication default command. The command configures the default authentication mode for an ISP domain to use an HWTACACS scheme and use local authentication as the backup. The following commands must be executed:
· domain isp-name
· authentication default hwtacacs-scheme hwtacacs-scheme-name local
Q. Can the switch be connected to a TACACS server that runs third-party TACACS server software?
A. As long as the TACACS server is configured with the standard RADIUS protocol, the switch can connect to it. Such servers include Cisco ACS servers and publicly available TACACS servers (for example, free TACACS servers).
Q. Does the reply from a RADIUS server include the login-service option after the authentication succeeds?
A. It depends on the server. The login-service option does not matter to the switch.
Q. How do I set a user role?
A. The following methods are provided to set a user role:
· To assign a user role to a user line, execute the user-role command in user line view or user line class view.
· To set the authorization user profile for a local user, execute the authorization-attribute level command in local user view.
· If you use the remote AAA authentication, set the user role on the remote server.
Q. What is the relationship between the levels authorized by an S12500 HWTACACS server and the levels authorized by a Cisco ACS server?
A. The levels 0 to 16 authorized by an H3C S12500 HWTACACS server correspond to the levels 0 to 16 authorized by a Cisco ACS server.
Q. For a Telnet user, which prevails: the user role configured on the VTY user interface or the user role configured on a RADIUS or HWTACACS server?
A. The user role configured on the RADIUS or HWTACACS server prevails. The default user role in both places is network-operator.
For example, if the user role network-admin or level 15 is configured on the VTY user interface and no user role is configured on the server, the default user role network-operator takes effect for the Telnet user.
If no user role or any user role is configured on the VTY user interface and user role level 15 is configured on the server, the configured user role level 15 takes effect for the Telnet user.
The user role configured on the VTY user interface takes effect only after the authentication-mode none command or the password command is executed in VTY user interface view.
Q. How do I prevent gateway spoofing when the switch acts as a gateway?
A. When receiving an ARP packet from a device that acts as a gateway, the switch (the gateway) sends a gratuitous ARP packet to modify the spoofed ARP entries. If a large number of attack packets exist, the switch detects the incoming interface of the attack packets, captures the packets to obtain packet information, and sets an ACL rule to filter the attack packets.
Network access
This section contains the most frequently asked questions about network access.
Q. What is the maximum width of a port counter?
A. On the switch, a port counter is up to 64 bits wide, and the counter is reset after it exceeds 64 bits.
Q. Can the interface of the switch suppress unicast packets, broadcast packets, and multicast packets at the same time?
A. The interface of a switch can suppress unicast packets, broadcast packets, and multicast packets at the same time. However, the suppression must be configured for unicast packets, broadcast packets, and multicast packets, respectively, with the same suppression threshold as follows:
[Sysname-GigabitEthernet1/5/0/24] unicast-suppression [pps | kbps] xxx
[Sysname-GigabitEthernet1/5/0/24] multicast-suppression [pps | kbps] xxx
[Sysname-GigabitEthernet1/5/0/24] broadcast-suppression [pps | kbps] xxx
Q. What are the meanings of the error packet fields for input and output packets in the output from the display interface command?
A. Table 3 and Table 4 describe the meanings of the error packet fields for input and output packets in the output from the display interface command.
Table 3 Error packet fields for input packets
Field | Description |
---|---|
runts | Number of inbound frames shorter than 64 bytes, in correct format, and containing valid CRCs. |
giants | Number of inbound frames larger than the maximum frame length supported on the interface and containing valid CRCs. |
throttles | Number of inbound frames shorter than 64 bytes and containing CRC errors. |
CRC | Total number of inbound frames that had a normal length but contained CRC errors. |
frame | Total number of inbound frames that contained unknown errors. |
overruns | Number of packets dropped because the input rate of the port exceeded the queuing capability. This problem occurs when the network is congested. |
Aborts | Number of inbound frames with input description errors. This type of error frame does not occur on the H3C S12500 switches. |

Table 4 Error packet fields for output packets
Field | Description |
---|---|
Underruns | Number of packets dropped because the output rate of the interface exceeded the output queuing capability. This type of error frame does not occur on the H3C S12500 switches. |
buffer failures | Number of packets dropped because the transmit buffer of the interface ran low. This type of error frame does not occur on the H3C S12500 switches. |
aborts | Packets that failed to be forwarded at the MAC layer because of network congestion. |
deferred | Number of frames that the interface, operating in half-duplex mode, deferred transmitting because collisions were detected. |
collisions | Number of frames that the interface stopped transmitting because Ethernet collisions were detected during transmission. |
late collisions | Number of frames that the interface deferred transmitting and buffered at the MAC layer. This type of error frame does not occur on the H3C S12500 switches. |
lost carrier | Number of carrier losses during transmission. This type of error frame does not occur on the H3C S12500 switches. |
no carrier | Number of times that the port failed to detect the carrier when attempting to send frames. This type of error frame does not occur on the H3C S12500 switches. |

Output packet errors seldom occur. Most packet errors are input packet errors.
· When error frames of the runts, giants, throttles, CRC, or frame type are received, verify whether the peer device or the transmission link in between has failed.
· When overruns error frames are received, verify whether the link bandwidth at the local end is sufficient.
Q. Does the switch support jumbo frames?
A. The switch supports jumbo frames and lets you set the maximum jumbo frame size, up to 9216 bytes. On LST1XP16LEB1 and LST1XP16LEC1 cards, the maximum jumbo frame size is 8164 bytes.
Q. Are the MAC address tables the same for different cards of the switch?
A. The MAC address tables for different cards might be different. The MAC address table of a card contains the MAC address entries of VLANs to which the ports belong. When a VLAN spans across multiple cards, the MAC address entries must be synchronized between cards.
Q. How long is the aging timer for dynamic MAC address entries? How are the dynamic MAC address entries aged?
A. The aging time for dynamic MAC address entries is 5 minutes by default. The aging time can be modified by using the mac-address timer aging command.
When a data flow enters a port, the MAC address of the data flow is dynamically learned. When the data flow continues to send traffic, the aging time of the MAC address entry continues to be refreshed, and the MAC address entry will not be aged. When the data flow stops sending traffic, the MAC address entry is aged after the aging time expires.
The aging time of a dynamic MAC address entry cannot be queried.
Q. Can frames be correctly forwarded when the MAC address learning limit is set to 0?
A. When the MAC address learning limit is set to 0 on a port, the port does not learn MAC addresses, and frames are broadcast in VLANs by default. If you do not want to forward the frames, you can use the undo mac-address max-mac-count enable-forwarding command to configure the device not to forward frames with unknown source MAC addresses after the MAC address learning limit is reached.
Q. Why does a port still have MAC address entries after the mac-address max-mac-count 0 command is configured on the port?
A. These MAC address entries are learned before MAC address learning was disabled. When MAC address learning is disabled, the software does not actively delete these MAC address entries. Instead, the software waits for these MAC address entries to age out.
Q. Why is a MAC address learned into multiple VLANs?
A. The switch learns MAC address entries in the MAC+VLAN method. When multiple VLANs receive packets with the same MAC address, all these VLANs will learn the MAC address.
Q. How is the traffic load-shared for link aggregation on the switch?
A. You can use the link-aggregation global load-sharing mode command to change the load sharing criteria and flexibly load-share the traffic across the member ports of aggregation groups. The system uses the hash algorithm to calculate the load sharing criteria. The algorithm can calculate the load sharing criteria based on the MPLS label, service port number, IP address, MAC address, ingress port, and any combination of the fields.
Q. Does the switch support configuring static MAC address entries on an aggregate interface?
A. The switch supports configuring static MAC address entries on an aggregate interface.
Q. Does the switch configured with link aggregation support RRPP?
A. Yes. The switch configured with link aggregation supports RRPP.
Q. Does DLDP take effect when only one of the two fibers of a link is connected after both fibers were disconnected?
A. When both ends of a link are down, the DLDP neighbor relationship cannot be established. As a result, DLDP does not take effect.
Q. What fields are displayed in the output transceiver module optical power information?
A. The switch supports diagnosing transceiver modules. When the Rx or Tx optical power of a transceiver module is not within the normal range, the ports might go down. In this case, verify that the transceiver module models at both ends match and that the link is operating correctly. The optical power fields are as follows:
· RX power is high!
· RX power is low!
· RX power is normal!
· TX power is high!
· TX power is low!
Q. How is the port rate percentage calculated?
A. The port rate percentage is the ratio of the actual traffic to the total port bandwidth and describes the actual port bandwidth usage. When you calculate the port rate percentage, the preamble and inter-frame gap (20 bytes per frame) must be added as follows:
(ulActualSpeed + 20 × ulPktSpeed) × 8 / ulRatedSpeed
· ulActualSpeed—Rate in kbps (the field in red in the following output).
· ulPktSpeed—Rate in pps (the field in blue in the following output).
· ulRatedSpeed—Port rate. For example, the port rate of a 10-GE port is 10000000000 bps.
[Sysname-Ten-GigabitEthernet5/0/2]display interface Te5/0/2
Ten-GigabitEthernet5/0/2 current state: DOWN
IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 00e0-fc00-0000
Description: Ten-GigabitEthernet5/0/2 Interface
Loopback is not set
……
Peak value of input: 0 bytes/sec, at 2000-04-26 12:00:32
Peak value of output: 0 bytes/sec, at 2000-04-26 12:00:32
Last 300 seconds input: 0 packets/sec 0 bytes/sec 0%
Last 300 seconds output: 0 packets/sec 0 bytes/sec 0%
Input (total): 0 packets, 0 bytes
- unicasts, - broadcasts, - multicasts
Input (normal): 0 packets, 0 bytes
0 unicasts, 0 broadcasts, 0 multicasts
Input: 0 input errors, 0 runts, 0 giants, 0 throttles
0 CRC, 0 frame, 0 overruns, - aborts
- ignored, - parity errors
Output (total): 0 packets, 0 bytes
- unicasts, - broadcasts, - multicasts, - pauses
Output (normal): 0 packets, 0 bytes
0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses
Output: 0 output errors, - underruns, - buffer failures
0 aborts, 0 deferred, 0 collisions, 0 late collisions
- lost carrier, - no carrier
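The calculation above, carried out in Python as an added example (not code from the H3C document): it parses the `Last 300 seconds input/output` lines of `display interface`, adds the 20 bytes of preamble and inter-frame gap per frame that are on the wire but not in the byte counter, and returns the bandwidth usage in percent. The example takes ulActualSpeed from the bytes/sec field of the output (that is the only reading under which the formula is dimensionally consistent with ulRatedSpeed in bps), and the sample output lines, counter values and function names are constructed for this illustration.

```python
"""Added example: port bandwidth usage from the display interface counters,
including per-frame preamble and inter-frame gap overhead. Illustration only."""
import re

PREAMBLE_AND_IFG_BYTES = 20  # 8 bytes preamble/SFD + 12 bytes inter-frame gap per frame

# Matches e.g. "Last 300 seconds input: 0 packets/sec 0 bytes/sec 0%"; the trailing
# percentage column is ignored, the usage is recomputed from the two counters.
LINE_RE = re.compile(
    r"Last 300 seconds (?P<direction>input|output):\s+"
    r"(?P<pps>\d+) packets/sec\s+(?P<bps>\d+) bytes/sec"
)


def utilization_percent(bytes_per_sec, packets_per_sec, rated_bps):
    """(ulActualSpeed + 20 * ulPktSpeed) * 8 / ulRatedSpeed, in percent.
    bytes_per_sec plays the role of ulActualSpeed, packets_per_sec of ulPktSpeed."""
    wire_bytes_per_sec = bytes_per_sec + PREAMBLE_AND_IFG_BYTES * packets_per_sec
    return wire_bytes_per_sec * 8 / rated_bps * 100


def parse_rates(display_output):
    """Extract {direction: (packets_per_sec, bytes_per_sec)} from display interface text."""
    rates = {}
    for match in LINE_RE.finditer(display_output):
        rates[match.group("direction")] = (int(match.group("pps")), int(match.group("bps")))
    return rates


def utilization_from_display(display_output, rated_bps):
    """Bandwidth usage per direction, in percent, for the given port rate in bps."""
    return {direction: utilization_percent(bps, pps, rated_bps)
            for direction, (pps, bps) in parse_rates(display_output).items()}


TEN_GE_BPS = 10_000_000_000

# Constructed sample (not a real capture): a 10-GE port carrying 64-byte frames at
# line rate inbound (14,880,952 pps x 64 bytes) and 1500-byte frames at half line
# rate outbound (411,184 pps x 1500 bytes). Note how the byte counter alone would
# suggest only about 76% and 49% usage, because it does not see the 20 bytes of
# overhead carried on the wire with every frame.
SAMPLE_OUTPUT = """\
Last 300 seconds input:  14880952 packets/sec 952380928 bytes/sec 76%
Last 300 seconds output: 411184 packets/sec 616776000 bytes/sec 49%
"""

if __name__ == "__main__":
    for direction, usage in utilization_from_display(SAMPLE_OUTPUT, TEN_GE_BPS).items():
        print(f"{direction}: {usage:.2f}%")
```

The gap between the raw byte ratio and the corrected figure is largest for small frames, which is why a port flooded with 64-byte packets can look only three-quarters busy on the byte counter while it is actually saturated.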
Q. How are the Selected ports determined when GE ports and 10-GE ports are added to an aggregation group?
A. Link aggregation has dynamic and static modes. The following section describes how the Selected ports are determined in static mode and dynamic mode when the ports have the same aggregation priority.
· Static aggregation
The candidate ports are sorted in the following order: Full duplex/high speed > Full duplex/low speed > Half duplex/high speed > Half duplex/low speed. The candidate port at the top that has the same class-two configurations as the aggregate interface is chosen as the reference port. As a result, a 10-GE port is selected as the reference port, the 10-GE port becomes a Selected port, and the GE port becomes an Unselected port. For more information about class-two configurations, see Layer 2—LAN Switching Configuration Guide.
· Dynamic aggregation
Dynamic aggregation chooses the port with the smallest port number as the reference port. The port number is not the port number used for configuration. Instead, the port number is a 16-bit index. To view the port number of a port, use the display link-aggregation member-port command. The port number determines which port becomes a Selected port.
[Sysname-Ten-GigabitEthernet15/0/1]dis link-aggregation member-port Ten-GigabitEthernet 15/0/1
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired
Ten-GigabitEthernet15/0/1:
Aggregation Interface: Bridge-Aggregation5
Local:
Port Number: 105
Port Priority: 32768
Oper-Key: 4
Flag: {AC}
Remote:
System ID: 0x8000, 3822-d659-7c00
Port Number: 112
Port Priority: 32768
Oper-Key: 1
Flag: {AC}
Received LACP Packets: 3 packet(s)
Illegal: 0 packet(s)
Sent LACP Packets: 3 packet(s)
NOTE: IRF physical ports are assigned to and removed from aggregation groups by the switch, and GE ports and 10-GE ports are not differentiated. When IRF physical ports include both GE ports and 10-GE ports, make sure the traffic passing through any IRF physical port does not exceed the rate of 1 Gbps. Otherwise, packet loss might occur when traffic passes through GE ports.
Q. Why is the peer port down and the local port not down when the port of an S12500 switch is connected to the port of another device?
A. When fiber GE ports are connected and the local port is manually configured with a speed and duplex mode, the local port can go up only if the port can receive fiber signals. When the speed and duplex mode of the local port are autonegotiated, the local port goes down when the peer port goes down.
When fiber 10-GE ports of two S12500 switches are connected, the MAC layer will negotiate the port status. If one end detects local faults, the port will go down and send remote faults to notify the remote end. When the remote end detects remote faults, the remote port will go down.
When the port of an S12500 switch connects to the port of a device other than an S12500 switch, the local port does not go down if both of the following are true:
· The remote port is down but sends out fiber signals correctly.
· The remote port does not send remote faults.
Q. What restrictions and guidelines should I follow when I configure loop detection?
A. When you configure loop detection, follow these restrictions and guidelines:
· Configure loop detection for only the suspicious VLANs or the VLANs where loops might occur because many devices are attached. To save system resources, H3C recommends not configuring loop detection for all VLANs. If link redundancy and backup are planned for the links, you can configure STP rather than loop detection.
· Loop detection and STP do not conflict with each other. However, it is a good practice to configure STP separately.
· Typically, H3C recommends that you use STP to detect the loops in the network. When troubleshooting the network, you can use loop detection to rapidly locate the looped ports.
· When you use loopback detection together with STP, do not set the loop protection action to shutdown. Otherwise, the ports shut down by loop detection might affect the actions of STP.
· If loop detection has been enabled for a VLAN, do not configure port mirroring on the ports in the VLAN. Otherwise, the loop detection function might fail.
· When the loopback-detection action none command is configured, the system generates logs and traps on detecting loops, but the system does not perform actions to eliminate the loops. If loops are not eliminated for a long time, the loop detection frames might increase the broadcast traffic within the loops.
· Within the VLANs with loop detection enabled, a port is shut down to eliminate loops when the following are true:
◦ The port receives a packet whose source MAC address is the local bridge MAC address.
◦ The loop protection action is set to shutdown.
If you use STP in this situation, STP shuts down a small number of ports to eliminate loops in the network.
· A port shut down by the loop detection action stays down until you use the undo shutdown command to manually bring up the port. This mechanism might cause traffic interruption on the ports. When the loop detection feature is used, H3C recommends that you manually bring up the looped ports after eliminating the loops.
Q. Does the switch support private VLAN?
A. Yes. The switch supports private VLAN.
The private VLAN feature uses a two-tier VLAN structure, including a primary VLAN and secondary VLANs. This feature simplifies the network configuration and saves VLAN resources.
A primary VLAN is used for upstream data exchange. A primary VLAN can be associated with multiple secondary VLANs. Because the upstream device identifies only the primary VLAN and not the secondary VLANs, network configuration is simplified and VLAN resources are saved.
Secondary VLANs are isolated at Layer 2. To implement Layer 3 communication between the secondary VLANs that are associated with the same primary VLAN, use one of the following methods:
· Enable local proxy ARP or local proxy ND on the upstream device (for example, Device A in Figure 4).
· Perform the following tasks on the local device (for example, Device B in Figure 4):
a. Configure a primary VLAN, and associate secondary VLANs with the primary VLAN.
b. Enable Layer 3 communication between the secondary VLANs that are associated with the primary VLAN.
c. Assign an IP address to the primary VLAN interface and enable local proxy ARP or local proxy ND on this interface.
As shown in Figure 4, the private VLAN feature is enabled on Device B. VLAN 10 is the primary VLAN. VLAN 2, VLAN 5, and VLAN 8 are secondary VLANs associated with VLAN 10 and are invisible to Device A.
Q. Does the switch support super VLANs?
A. Yes. The switch supports super VLANs.
Q. How many Layer 2 aggregation groups does the switch support?
A. Layer 2 aggregation groups include the following types:
· Generic Layer 2 aggregation group—Corresponds to a generic Layer 2 aggregate interface. You can create up to 240 generic Layer 2 aggregation groups on a device in standalone mode or on an IRF fabric. For a device in standalone mode, the maximum number of Selected ports in a generic Layer 2 aggregation group is 12. For an IRF fabric, the maximum number of Selected ports in a generic Layer 2 aggregation group is identical to 12 multiplied by the number of member devices.
· Lite Layer 2 aggregation group—Corresponds to a lite Layer 2 aggregate interface, and it is configurable only in IRF mode. An IRF fabric supports up to 1024 lite Layer 2 aggregation groups. Each IRF member device can have a maximum of one Selected port in a lite Layer 2 aggregation group. The maximum number of Selected ports in a lite Layer 2 aggregation group is identical to the number of member devices.
Spanning tree protocols
This section contains the most frequently asked questions about spanning tree protocols.
Q. What spanning tree protocols are supported?
A. The switch supports the following spanning tree protocols:
· STP.
· RSTP—Compatible with STP.
· MSTP—The default one. MSTP is compatible with STP and RSTP.
· PVST—Compatibility of the PVST mode depends on the link type of a port:
◦ On an access port, the PVST mode is compatible with other spanning tree modes in all VLANs.
◦ On a trunk port or hybrid port, the PVST mode is compatible with other spanning tree modes only in VLAN 1.
Q. How are ARP entries and MAC address entries handled when the STP topology changes?
A. When the STP topology changes, the MAC address entries on the changed ports are removed.
The ARP entries of these MAC addresses are set as invalid entries, and ARP requests are sent out. If the corresponding ARP response reaches the device, the ARP entry status is updated. Otherwise, the ARP entry is removed.
If a new MAC address is learned after the STP topology changes, the ARP entry related to the MAC address is also updated.
Q. When does an MSTP port send TC BPDUs?
A. According to IEEE 802.1s MSTP, a port running MSTP generates TC BPDUs when all of the following requirements are met:
· The port is not an edge port.
· The port role transits from alternate, backup, or disabled to root, designated, or master.
· The port state transits from discarding or learning to forwarding.
A port running STP or RSTP also generates TC BPDUs when the above requirements are met.
The TC BPDU generation might result from STP recalculation. STP recalculation is caused by the following reasons:
· Device failure or recovery.
· Link state change.
· Device configuration change.
· Abnormal BPDU sending or receiving.
Q. Why are MSTP port states wrong when MSTP configuration is correct on the switch?
A. When the switch is operating in MSTP mode, its ports can operate in STP compatibility mode or MSTP mode. If a port is connected to another switch enabled with STP, the port transits to STP compatibility mode automatically. However, when the connected switch is changed to one enabled with MSTP, the port cannot transit back to MSTP mode automatically. In this case, MSTP calculation errors occur. To make MSTP operate correctly, use the stp mcheck command in interface view.
Q. Do RSTP and MSTP have TCN BPDUs?
A. RSTP does not have TCN BPDUs. When network topology changes, RSTP sets the TC bit to 1 in configuration BPDUs and sends the BPDUs to the root port.
Q. Why are ports on a Cisco device down when MSTP is disabled on the connected ports of the switch?
A. The switch will transparently transmit the STP BPDUs sent by the Cisco device. The Cisco device considers that it has received BPDUs sent by itself and a loop exists, so it shuts down the port receiving the BPDUs.
Q. What STP modes are interoperable between the switch and the Cisco devices?
A. The switch can interoperate with Cisco devices in MSTP mode and in MSTI 0 of the PVST+ mode. The switch cannot interoperate with Cisco devices in PVST mode.
Q. How can I interoperate the switch with a Cisco device in MSTP mode?
A. In MSTP mode, the switch and its connected Cisco device each consider themselves the regional root, even if they have the same region configuration. They cannot be in the same region.
To make the switch interoperate with the Cisco device in MSTP mode, execute the stp config-digest-snooping command on the ports connected to the Cisco device in interface view.
The switch sends and receives standard-format MSTP BPDUs, while the Cisco device might send and receive MSTP BPDUs in a different format.
· If the Cisco device sends non-standard-format BPDUs, execute the stp compliance auto command on the switch to configure the ports to recognize the MSTP BPDU format automatically and determine the format of MSTP BPDUs to send.
· If the Cisco device sends and receives standard-format MSTP BPDUs, execute the stp compliance dot1s command on the switch. The switch will send and receive standard-format MSTP BPDUs on the ports.
Q. What are the precautions for configuring digest snooping?
A. When you configure digest snooping, follow these restrictions and guidelines:
· Enable digest snooping on all the ports that connect the switch to the third-party devices in the same MST region. The switch and the third-party devices must have the same MST region configuration. Otherwise, inconsistent VLAN-to-instance mapping on neighbor devices can cause broadcast storms.
· To avoid loops, do not enable digest snooping on MST region edge ports.
· To make digest snooping take effect, you must enable digest snooping both globally and on associated ports.
· Enable digest snooping on all associated ports first and then globally.
· When digest snooping is enabled globally, do not modify the MST region configuration. To modify the region configuration, disable digest snooping on all devices in the MST region first. Otherwise, inconsistent VLAN-to-instance mapping on neighbor devices can cause broadcast storms.
· When digest snooping is enabled globally and on a port, the switch saves the most recent configuration digest received by the port. The configuration digest takes effect even if digest snooping is disabled on the port.
IP forwarding services
This section contains the most frequently asked questions about IP forwarding services.
Q. Does the switch support configuring an IP address for an Ethernet port?
A. You can configure an IP address for a physical Ethernet port on the switch. Before the configuration, you must use the port link-mode route command to configure the Ethernet port to operate in Layer 3 mode. By default, an Ethernet port operates in Layer 2 mode.
Q. Does the switch support configuring a secondary IP address for a VLAN interface?
A. Yes. You can configure a secondary IP address for the VLAN interface of the switch. The secondary IP address works like the primary IP address except that it cannot be used for multicast: users on the network segment to which the secondary IP address belongs cannot receive any multicast packets or establish an OSPF neighbor relationship.
In addition, you can configure secondary IP addresses for any Layer 3 interface, including Layer 3 Ethernet interfaces (subinterfaces) and Layer 3 aggregation interfaces (subinterfaces).
Q. Is the secondary IP address still valid when the primary IP address is removed?
A. No. To delete the primary IP address of a VLAN interface or a Layer 3 interface, you must delete all of its secondary IP addresses first. Otherwise, the primary address cannot be deleted.
[Sysname-Vlan-interface1]undo ip address 1.1.1.1 24
Warning: Must delete sub address before deleting primary address!
Q. What is the MAC address of a VLAN interface used for?
A. When an Ethernet interface operates in bridge mode (configured with the port link-mode bridge command), the switch examines the destination MAC address of each packet received on the interface. If it matches the MAC address of the VLAN interface, the switch forwards the packet at Layer 3 or sends the packet through the MPLS network. If not, the switch forwards the packet at Layer 2.
Q. Does the switch send trap messages when the maximum size of the ARP table is reached?
A. No. But the following log is generated:
%Oct 5 09:53:33:655 2012 H3C DRVL3/3/DRVL3_LOG_EMERG: No enough resource!
Q. How is ECMP load sharing implemented on the switch?
A. The switch supports ECMP load sharing based on destination MAC address, source MAC address, source IP address, destination IP address, destination TCP/UDP port, and source TCP/UDP port. You can configure ECMP load sharing as required, and you can configure it in the same way you configure link aggregation load sharing. For more information, see Layer 2—LAN Switching Configuration Guide.
When you use the link-aggregation global load-sharing mode command to configure the load sharing criteria, follow these restrictions and guidelines:
· All criteria except mpls-label1, mpls-label2, mpls-label3, and per-packet apply to ECMP load sharing for unicast traffic.
· Per-packet load sharing applies to Ethernet link aggregation, but not to ECMP.
Q. Does the switch support weighted ECMP load sharing?
A. No.
Q. How does VRRP tracking function?
A. You can configure a VRRP group to monitor the status of an interface on the master through a track entry. If the interface is down or removed, the priority of the master automatically decreases by a specific value, and the backup with higher priority takes over. The switch can only track Layer 3 Ethernet interfaces, VLAN interfaces, and Layer 3 aggregate interfaces. If a VLAN interface is tracked, the priority of the switch is not decreased as long as one of the physical ports in the VLAN is up.
Q. Does the VRRP module of the switch support associating a track entry with a physical port on the master?
A. Yes. You can associate a track entry with a VRRP group to monitor the status of a physical port and change the priority of the master in the VRRP group.
Q. In the FIB table, when a route obtained from the routing table conflicts with a host route obtained from the ARP table, which route has a higher priority for packet forwarding?
A. The route with a 32-bit mask obtained from the routing table has a higher priority.
Q. Does the unauthorized DHCP server detection function take effect when the switch operates as a Layer 2 device?
A. No. You must use the DHCP module to provide the unauthorized DHCP server detection function. If the switch operates as a Layer 2 device, the DHCP requests received cannot be delivered to the CPU for processing, so the switch cannot check for unauthorized DHCP servers.
Q. How does the switch handle an ICMP ping packet whose size exceeds 1500 bytes?
A. When sending an ICMP echo request whose size (including the IP header) exceeds 1500 bytes (the default MTU value), the switch fragments the packet. If the Don't fragment flag is set, the packet fails to be sent out.
When receiving an ICMP echo request that exceeds 1500 bytes, the switch can process the request and respond with an ICMP echo reply if configured with jumbo frame support. The switch fragments the reply if its size exceeds 1500 bytes.
Q. Is the sending interval of ICMP ping packets configurable on the switch?
A. Upon receiving an ICMP echo request, the CPU of the switch responds with an ICMP echo reply.
Upon receiving an ICMP echo reply, the switch sends the next request by default. If no reply is received, the switch sends the next request when the aging timer expires. By default, the aging timer is 2 seconds.
If you specify the -m interval option in the ping command, the switch sends the next ICMP echo request at the specified interval after receiving an ICMP echo reply.
Q. What are the restrictions and guidelines for URPF configuration?
A. When configuring URPF, follow these restrictions and guidelines:
· URPF is only configurable in VLAN interface view.
· The switch does not support URPF check by using an ECMP route that has more than eight next hops.
· Do not configure URPF on a private VLAN interface bound to a VPN instance that has no reserved VLAN configured when the system operates in standard mode.
· The link layer check feature does not support ECMP routing. If ECMP routes exist, disable the link layer check feature.
· URPF check takes effect on only incoming packets on the interface.
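The following is an added example, not H3C code: a software model of the reverse-path check that URPF performs on inbound packets, in the strict and loose forms of RFC 3704, run over a constructed FIB. The FIB, interface names and packets are made up for the example; treating a source that resolves to an ECMP route with more than eight next hops as "unchecked" is an assumption about how to model the limitation stated above, and the allow_default switch mirrors the usual "allow default route" option rather than anything this FAQ states.

```python
"""Reverse-path (URPF) check on inbound packets.

Added example, not H3C code: a software model of the check the FAQ
discusses, in the strict and loose forms of RFC 3704. The FIB, interface
names and packets are constructed for the example; treating a source that
resolves to an ECMP route with more than eight next hops as "unchecked"
is an assumption about how to model the FAQ's stated limitation.
"""
import ipaddress

MAX_ECMP_NEXTHOPS = 8          # FAQ: no URPF check over ECMP routes with > 8 next hops
NULL0 = "NULL0"

# Constructed FIB: prefix -> output interfaces (more than one = ECMP).
FIB = {
    "10.1.0.0/16": ("Vlan10",),
    "10.2.0.0/16": ("Vlan20", "Vlan21"),
    "10.9.0.0/16": tuple(f"Vlan{n}" for n in range(901, 910)),   # 9-way ECMP
    "192.0.2.0/24": (NULL0,),                                     # blackhole route
    "0.0.0.0/0": ("Vlan100",),                                    # default route
}


def lookup(fib, addr):
    """Longest-prefix match: (network, output interfaces) or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifaces in fib.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifaces)
    return best


def urpf(fib, pkt, mode="strict", allow_default=False):
    """Decide an inbound packet {"in": "Vlan10", "src": "10.1.2.3"}.

    Returns "pass", "drop" or "unchecked".  strict: the route back to the
    source must leave through the interface the packet arrived on (any
    member of an ECMP set will do); loose: a real route to the source is
    enough.  A source whose only route is the default route counts only
    when allow_default is set; a source routed to NULL0 is always dropped,
    which is what makes blackhole routes useful against spoofed sources.
    """
    hit = lookup(fib, pkt["src"])
    if hit is None:
        return "drop"
    net, ifaces = hit
    if net.prefixlen == 0 and not allow_default:
        return "drop"
    if NULL0 in ifaces:
        return "drop"
    if len(ifaces) > MAX_ECMP_NEXTHOPS:
        return "unchecked"          # assumption: the FAQ only says the check is unsupported
    if mode == "loose":
        return "pass"
    if mode != "strict":
        raise ValueError(mode)
    return "pass" if pkt["in"] in ifaces else "drop"


if __name__ == "__main__":
    for pkt in ({"in": "Vlan10", "src": "10.1.2.3"},      # legitimate
                {"in": "Vlan20", "src": "10.1.2.3"},      # spoofed: wrong interface
                {"in": "Vlan21", "src": "10.2.5.5"},      # ECMP member
                {"in": "Vlan10", "src": "192.0.2.7"},     # blackholed source
                {"in": "Vlan10", "src": "203.0.113.9"},   # only the default route
                {"in": "Vlan905", "src": "10.9.1.1"}):    # 9-way ECMP
        print(pkt, urpf(FIB, pkt, "strict"), urpf(FIB, pkt, "loose"))
```

The spoofed packet (source 10.1.2.3 arriving on Vlan20) is the case strict URPF exists for: loose mode passes it because some route to the source exists, strict mode drops it because that route does not point back out Vlan20. Because the check is only defined for the inbound direction, the function takes only the arrival interface.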
Q. How do I set an MTU value?
A. MTU value setting takes effect on IPv4 software forwarding, but not on hardware forwarding. IPv6 supports setting MTU values on both software and hardware forwarding, and you can set a maximum of 14 MTU values.
You can set the MTU value for IPv4 and IPv6 as follows:
[Sysname-Vlan-interface30]mtu ?
INTEGER<64-9198> MTU value
[Sysname-Vlan-interface30]ipv6 mtu ?
INTEGER<1280-9198> MTU (bytes)
IP routing
This section contains the most frequently asked questions about IP routing.
Q. Does the switch support configuring blackhole routes?
A. Yes. A blackhole route is a static route whose output interface is Null 0. The switch discards the matching packets without sending ICMP messages to notify the source host. To prevent IP attacks, you can configure blackhole routes to discard packets destined for specific destinations. The following example shows how to configure a blackhole route:
<Sysname>system-view
[Sysname]ip route-static 1.1.1.1 32 null 0 preference 1
Q. Is the OSPF cost of an interface on the switch relevant to the rate of the corresponding Layer 2 Ethernet interface?
A. No. The OSPF cost is configured on a VLAN interface. By default, a VLAN interface computes its OSPF cost according to the interface bandwidth.
Q. What are the preferences of different routing protocols?
A. Routing protocols, including static routing, each have a preference by default. If they find multiple routes to the same destination, the router selects the route with the highest preference as the optimal route. The preference of a direct route is always 0 and cannot be changed. You can configure a preference for each static route and each dynamic routing protocol. Table 5 lists the route types and default preferences. The smaller the value, the higher the preference.
Table 5 Route types and default route preferences
Route type | Preference |
---|---|
Direct route | 0 |
OSPF | 10 |
IS-IS | 15 |
Static route | 60 |
RIP | 100 |
OSPF ASE | 150 |
OSPF NSSA | 150 |
IBGP | 255 |
EBGP | 255 |
Unknown (route from an untrusted source) | 256 |
Q. What are the possible reasons for the OSPF CONFIG ERROR trap?
A. The following configuration errors cause the switch to output the OSPF CONFIG ERROR trap:
· The switch is configured with an IP address on the same network segment as a device that is in the same VLAN as the switch but in a different area.
· The virtual link configuration is performed on the peer device but not on the switch. When the switch receives packets sent from the peer device through the virtual link, the switch outputs the OSPF CONFIG ERROR trap.
Q. Why is the LS ACK: BAD ack count a non-zero value when I display OSPF error information?
A. For example, in daisy chain networking Switch A—Switch B—Switch C (Switch A, Switch B, and Switch C are called A, B, and C in this example):
1. A sends LSA-1 to B. B forwards LSA-1 to C, and stores a copy of LSA-1 in the retransmission list. When receiving LSA-1, C uses the LSA to update its LSDB. Before C sends an LSAck packet to acknowledge LSA-1, the next step occurs.
2. A updates LSA-1 and sends the updated LSA to B. B forwards the updated LSA to C, and stores a copy of the updated LSA in the retransmission list. The copy of updated LSA replaces the copy of LSA-1 because LSA-1 has not been acknowledged.
3. Before receiving the updated LSA, C sends an LSAck packet to acknowledge LSA-1.
4. B examines the LSAck packet by using the LSA in the retransmission list and finds that they do not match. This error increases the count of LS ACK: BAD ack by one.
Q. When the next hop of a static route becomes invalid, the switch performs route recursion and the blackhole route applies. How do I resolve this problem?
A. The problem might occur if the following static routes are configured:
ip route-static 110.75.0.0 23 Null0 preference 240 description HZCM4_T18_VIP_BGP_Advertise
ip route-static 110.75.4.0 24 110.75.0.234 description HZCM4_T18_VIP
ip route-static 110.75.4.0 24 110.75.0.254 preference 240 description HZCM4_T18_VIP
When the next hop 110.75.0.234 to network 110.75.4.0/24 becomes invalid, the switch performs route recursion, and the static route with destination 110.75.0.0/23 applies. Null 0 becomes the output interface to reach network 110.75.4.0/24.
display fib 110.75.4.0
Destination count: 1 FIB entry count: 1
Flag:
U:Useable G:Gateway H:Host B:Blackhole D:Dynamic S:Static
R:Relay F:FRR
Destination/Mask Nexthop Flag OutInterface/Token Label
110.75.4.0/24 110.75.0.234 USB NULL0 Null
To avoid route recursion, specify an output interface for the static route with next hop 110.75.0.234.
ip route-static 110.75.4.0 24 vlan-interface 100 110.75.0.234 preference 240
When the next hop 110.75.0.234 becomes invalid, the static route with next hop 110.75.0.254 applies.
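The following is an added example, not H3C code, covering the blackhole route, the route preferences in Table 5, and the recursion problem above in one software model of the RIB. The prefixes, next hops, preferences, Vlan-interface 100 and the 1.1.1.1/32 blackhole route are the ones quoted in this FAQ; the connected subnets behind Vlan100 and Vlan200 (so that 110.75.0.254 stays reachable when Vlan100 fails) and the resolution rules are simplifying assumptions. It also goes one step beyond the text: when the two /24 routes end up with equal preference, both stay active, which the model reports as an ECMP pair.

```python
"""Static-route recursion, preference and blackhole routes.

Added example, not H3C code: a small software model of how the RIB picks
the FIB entry for a destination. Prefixes, next hops, preferences,
Vlan-interface 100 and the 1.1.1.1/32 blackhole route are the ones quoted
in the FAQ; the connected subnets behind Vlan100 and Vlan200, and the
resolution rules themselves, are simplifying assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default preferences from Table 5: the smaller the value, the better the route.
DEFAULT_PREFERENCE = {"direct": 0, "ospf": 10, "isis": 15, "static": 60, "rip": 100}
NULL0 = "NULL0"


@dataclass
class Route:
    prefix: str
    proto: str                       # "direct" or "static"
    nexthop: Optional[str] = None    # e.g. "110.75.0.234"
    iface: Optional[str] = None      # e.g. "Vlan100" or NULL0
    preference: Optional[int] = None

    def __post_init__(self):
        self.net = ipaddress.ip_network(self.prefix)
        if self.preference is None:
            self.preference = DEFAULT_PREFERENCE[self.proto]


def lpm(entries, addr):
    """Longest-prefix match over (route, out_iface) pairs; on equal prefix
    length the lowest preference wins."""
    ip = ipaddress.ip_address(addr)
    hits = [e for e in entries if ip in e[0].net]
    return min(hits, key=lambda e: (-e[0].net.prefixlen, e[0].preference), default=None)


def resolve(routes, up_ifaces):
    """Active routes as (route, out_iface) pairs.

    Model: a route with an output interface is active while that interface
    is up (NULL0 is always up) and never recurses; a static route with only a
    next hop recurses by LPM over those non-recursive routes and inherits the
    output interface the lookup yields, NULL0 included.  That inherited NULL0
    is the blackhole the FAQ describes."""
    active = [(r, r.iface) for r in routes
              if r.iface is not None and (r.iface == NULL0 or r.iface in up_ifaces)]
    non_recursive = list(active)
    for r in routes:
        if r.proto == "static" and r.iface is None:
            hit = lpm(non_recursive, r.nexthop)
            if hit is not None:
                active.append((r, hit[1]))
    return active


def forward(routes, up_ifaces, dst):
    """FIB lookup for dst: output interfaces of the longest-prefix,
    lowest-preference active routes (more than one = ECMP), () if none."""
    ip = ipaddress.ip_address(dst)
    cands = [e for e in resolve(routes, up_ifaces) if ip in e[0].net]
    if not cands:
        return ()
    best = min((-r.net.prefixlen, r.preference) for r, _ in cands)
    return tuple(sorted(i for r, i in cands if (-r.net.prefixlen, r.preference) == best))


# Constructed connected subnets: .234 sits behind Vlan100, .254 behind Vlan200.
CONNECTED = [
    Route("110.75.0.224/28", "direct", iface="Vlan100"),
    Route("110.75.0.240/28", "direct", iface="Vlan200"),
]
# ip route-static 1.1.1.1 32 null 0 preference 1
BLACKHOLE = Route("1.1.1.1/32", "static", iface=NULL0, preference=1)
# ip route-static 110.75.0.0 23 Null0 preference 240
SUMMARY_NULL = Route("110.75.0.0/23", "static", iface=NULL0, preference=240)

# The FAQ's static routes as first configured.
BEFORE_FIX = CONNECTED + [
    BLACKHOLE, SUMMARY_NULL,
    Route("110.75.4.0/24", "static", nexthop="110.75.0.234"),                  # pref 60
    Route("110.75.4.0/24", "static", nexthop="110.75.0.254", preference=240),
]
# Same, with the output interface pinned as the FAQ recommends.
AFTER_FIX = CONNECTED + [
    BLACKHOLE, SUMMARY_NULL,
    Route("110.75.4.0/24", "static", nexthop="110.75.0.234", iface="Vlan100", preference=240),
    Route("110.75.4.0/24", "static", nexthop="110.75.0.254", preference=240),
]

if __name__ == "__main__":
    for name, rib in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(name, "Vlan100 up:  ", forward(rib, {"Vlan100", "Vlan200"}, "110.75.4.10"))
        print(name, "Vlan100 down:", forward(rib, {"Vlan200"}, "110.75.4.10"))
    print("1.1.1.1 ->", forward(BEFORE_FIX, {"Vlan100", "Vlan200"}, "1.1.1.1"))
```

With Vlan100 down, the unpinned route keeps its preference of 60, recurses through the /23 Null0 summary, and therefore still beats the preference-240 backup: traffic to 110.75.4.0/24 is silently discarded. Pinning the output interface makes the route's state follow the interface, so the backup via 110.75.0.254 takes over.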
Q. Can I change the MAC address of a VLAN interface?
A. Yes. You can use the mac-address offset value command to configure the MAC address offset of a VLAN interface. The MAC address of the VLAN interface is its default MAC address plus the offset value.
Follow these restrictions and guidelines when you configure the MAC address offsets of VLAN interfaces:
· Different VLAN interfaces can have the same MAC address offset value.
· When both BFD MAD and MAC address offset are configured for a VLAN interface, only BFD MAD takes effect.
· To ensure correct traffic forwarding, do not configure MAC address offset for VLAN interfaces of B-VLANs or FCoE-enabled VLANs.
· When you configure the private VLAN feature, configure the MAC address offset for the VLAN interface of the primary VLAN. The VLAN interfaces of the secondary VLANs that are associated with the primary VLAN use the MAC address of the primary VLAN interface. If the primary VLAN interface is not created, the secondary VLAN interfaces use the default MAC address.
The MAC address offset configured for a secondary VLAN interface takes effect only after the secondary VLAN becomes a common VLAN.
IP multicast
This section contains the most frequently asked questions about IP multicast.
Q. Is IGMPv3 supported on the switch?
A. Yes.
Q. How do I deny multicast packets from an illegal multicast source?
A. You can configure ACL rules to permit multicast packets only from legal sources. For example, to establish a multicast forwarding entry with the multicast source address 99.100.100.4 and the multicast group address 225.1.1.1, you can perform the following operations:
1. Configure an ACL rule.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 permit ip source 99.100.100.4 0 destination 225.1.1.1 0
[Sysname-acl-adv-3000] rule 1 deny ip
2. Use the source-policy command in PIM view to reference the configured ACL rule.
[Sysname-pim] source-policy 3000
Q. Is multicast group filtering supported on the switch?
A. Yes. You can use the igmp-snooping group-policy acl-number [ vlan vlan-list ] command on a Layer 2 Ethernet port, Layer 2 aggregation interface, or port group to filter multicast groups.
When you configure a multicast group filter, follow these restrictions and guidelines:
· A host joins only the multicast groups that match the permit statement in the specified ACL. If the specified ACL does not exist or the ACL does not have any rules configured, the host cannot join any multicast groups.
· The multicast group filtering takes effect on all ports in the specified VLAN.
· The multicast group filtering does not take effect on static member ports.
Q. How does the switch forward a multicast packet that has failed the RPF check to the receiver?
A. As shown in Figure 5, because Switch B acts as the DR, a multicast packet from the source travels from Switch A to Switch B and then back to Switch A on its way to the receiver. The packet from Switch B fails the RPF check on Switch A and is dropped, because the RPF interface on Switch A for the packet is VLAN-interface 10. As a result, the receiver host cannot receive the multicast packet.
To solve this problem, use one of the following methods:
· Make sure Switch A can win the DR election, so multicast packets from the source are forwarded to the receiver directly by Switch A. You can assign VLAN-interface 20 on Switch A a higher IP address than the IP address of VLAN-interface 20 on Switch B.
The VRRP virtual IP addresses configured on the VLAN-interface 20 on Switch A and VLAN-interface 20 on Switch B do not participate in the DR election.
· Perform the following operations on Switch A:
a. Use the multicast rpf-fail-pkt flooding command in system view to enable flooding of multicast packets that have failed RPF checks in all VLANs.
b. Use the multicast rpf-fail-pkt bridging command in VLAN view of VLAN 20 to enable multicasting of packets that have failed RPF checks within the current VLAN.
After the configuration, multicast packets that fail RPF checks are multicast in VLAN 20.
Q. Can the VRRP virtual IP address be the next hop of the multicast route from the switch to the multicast source?
A. No.
Q. Does the link-aggregation load-sharing mode command enable load sharing of multicast traffic?
A. No.
Q. Is BIDIR-PIM supported on the switch?
A. Yes.
When you configure the BIDIR-PIM, follow these restrictions and guidelines:
· The switch does not support BIDIR-PIM when it operates in standard mode.
· Do not configure tunnel interfaces on the BIDIR-PIM network. If the incoming interface or outgoing interface in an (S, G) entry for BIDIR-PIM is a tunnel interface, the multicast traffic cannot be correctly forwarded. You can use the display multicast forwarding-table command to check the multicast forwarding entries.
QACL
This section contains the most frequently asked questions about QACL.
Q. Does the switch support multiboard traffic mirroring and port mirroring?
A. Yes.
Q. Does the switch support multichassis traffic mirroring and port mirroring?
A. The switch does not support multichassis port mirroring. In IRF mode, the source port of port mirroring or the ports in the source VLAN must be on the same IRF member device as the monitor port.
The switch does not support multichassis traffic mirroring. In IRF mode, the source port of traffic mirroring must be on the same IRF member device as the monitor port, the ports of the destination VLAN, or the CPU. However, the switch supports multichassis traffic mirroring that mirrors traffic to an aggregate interface on another IRF member device. (When two aggregate group member ports are on different IRF member devices, traffic is mirrored to the local aggregate group member port but not the remote one. This is the case even if the local aggregate group member port goes down.)
Q. What restrictions and guidelines should I follow when I configure traffic mirroring and port mirroring on the switch in IRF mode?
A. When you configure traffic mirroring and port mirroring on the switch in IRF mode, follow these restrictions and guidelines:
· The switch supports mirroring traffic to a VLAN. When two Ethernet interfaces belong to the same VLAN but on different IRF member devices, traffic is mirrored to the local Ethernet interface but not the remote one.
· The switch cannot mirror packets from a source VLAN to a monitor port.
· You cannot configure common ports on the switch as the monitor ports for multichassis port mirroring or traffic mirroring. Only the internal interface of the OAA card can be configured as the monitor ports for multichassis port mirroring and traffic mirroring.
Q. What restrictions and guidelines should I follow when I configure port mirroring on the switch?
A. When you configure port mirroring on the switch, follow these restrictions and guidelines:
· Do not assign a source port to a source VLAN.
· Do not configure flow sampling on a source port from which the outbound packets are mirrored.
· A mirroring group can contain multiple source ports but only one monitor port.
· A port belongs to only one mirroring group.
· Do not assign the monitor port to a source VLAN or enable the spanning tree feature on the monitor port.
· When a Layer 2 aggregate interface is configured as the monitor port, do not configure its member interfaces as source ports or assign them to the source VLAN.
· Use a monitor port for port mirroring only. This makes the data monitoring device receive only the mirrored traffic rather than a mix of mirrored traffic and correctly forwarded traffic.
Q. How many monitor ports can I configure for traffic mirroring on the switch?
A. The switch supports mirroring only inbound traffic to common ports, aggregate interfaces, VLANs, and the CPU. Traffic mirroring to the CPU uses one monitor port resource regardless of whether traffic mirroring to the CPU is configured. You can configure a maximum of six monitor ports in total for traffic mirroring to common ports, aggregate interfaces, and VLANs in each card of the switch.
The LST1XP16LEB1, LST1XP16LEC1, and LST1XP16LEC2 cards do not support mirroring traffic to VLANs.
Q. How can I configure monitor ports on Ethernet interface cards for mirrored packets in the same direction?
A. Select monitor ports on Ethernet interface cards for mirrored packets in the same direction as follows:
Table 6 Supported monitor ports on Ethernet interface cards
Interface card type | Number of supported monitor ports | Interface selection range for each monitor port |
---|---|---|
48-port Gigabit Ethernet interface card | 2 | Ports 1 to 24; ports 25 to 48 |
4-port 10-Gigabit Ethernet interface card | 2 | Ports 1 to 2; ports 3 to 4 |
8-port 10-Gigabit Ethernet interface card | 4 | Every two consecutive ports, starting with port 1 |
16-port 10-Gigabit Ethernet interface card | 8 | Every two ports of consecutive odd numbers, starting with port 1; every two ports of consecutive even numbers, starting with port 2 |
20-port 10-Gigabit Ethernet interface card | 1 | Ports 1 to 20 |
32-port 10-Gigabit Ethernet interface card | 4 | Ports 1, 3, 5, 7, 9, 11, 13, and 15; ports 2, 4, 6, 8, 10, 12, 14, and 16; ports 17, 19, 21, 23, 25, 27, 29, and 31; ports 18, 20, 22, 24, 26, 28, 30, and 32 |
40-port 10-Gigabit Ethernet interface card | 2 | Ports 1 to 20; ports 21 to 40 |
48-port 10-Gigabit Ethernet interface card | 4 | Ports 1 to 12; ports 13 to 24; ports 25 to 36; ports 37 to 48 |
16-port 40-Gigabit Ethernet interface card | 4 | Ports 1 to 4; ports 5 to 8; ports 9 to 12; ports 13 to 16 |
4-port 100-Gigabit Ethernet interface card | 2 | Ports 1 to 2; ports 3 to 4 |
Q. Can I configure both traffic mirroring and port mirroring on the switch?
A. Yes. However, traffic mirroring and port mirroring cannot use the same monitor port.
Q. Does packet filtering configured on the switch affect the port mirroring function?
A. No. All packets received on a port are mirrored to the monitor port regardless of the packet filtering function.
Q. Where can I apply a QoS policy on the switch?
A. You can apply a QoS policy to the following destinations:
· An interface—The QoS policy takes effect on the traffic sent or received on the interface.
· A VLAN—The QoS policy takes effect on the traffic sent or received on all interfaces in the VLAN.
· Globally—The QoS policy takes effect on the traffic sent or received on all interfaces.
· A control plane—The QoS policy takes effect on the traffic received on the control plane.
· Management interface control plane—The QoS policy takes effect on the traffic sent from the management interface to the control plane.
Q. Does the switch support a QoS policy for outgoing traffic?
A. Yes. On the switch, a QoS policy for outgoing traffic supports only the packet filtering, traffic policing, traffic accounting, colored and uncolored dscp/dot1p/exp priority marking, and the outer VLAN tag adding actions.
Q. What are the priorities of QoS policies configured on the switch?
A. Global QoS policies, interface QoS policies, and VLAN QoS policies are in descending order of priority.
Q. What restrictions and guidelines should I follow when I configure VLAN QoS policies on the switch?
A. VLAN QoS policies are used to match packets only when the packets fail to match global QoS policies and interface QoS policies. When you apply a QoS policy to VLANs, the QoS policy is applied to the specified VLANs on all interface cards. If the hardware resources of an interface card are insufficient, the QoS policy fails to be applied to the VLANs on the interface card.
The system does not automatically roll back the QoS policy configuration already applied to the main processing unit or other interface cards. To ensure consistency, use the undo qos vlan-policy vlan command to manually remove the QoS policy configuration applied to them. Similarly, if VLAN QoS policies on an interface card cannot be updated because of insufficient hardware resources, you also need to use the undo qos vlan-policy vlan command to manually remove the QoS policy configuration applied to the main processing unit or other interface cards to ensure consistency.
Q. What restrictions and guidelines should I follow when I configure global QoS policies on the switch?
A. Global QoS policies are used to match packets preferentially. After packets match a global QoS policy, interface QoS policies and VLAN QoS policies do not take effect.
Global QoS policies are applied to all interface cards. If the hardware resources of an interface card are insufficient, the QoS policy fails to be applied to the interface card. The system does not automatically roll back the QoS policy configuration already applied to the main processing unit or other interface cards. To ensure consistency, use the undo qos apply policy global command to manually remove the QoS policy configuration applied to them. Similarly, if global QoS policies on an interface card cannot be updated because of insufficient hardware resources, you also need to use the undo qos apply policy global command to manually remove the QoS policy configuration applied to the main processing unit or other interface cards.
Q. What's the match order of ACL rules on the switch?
A. The following ACL match orders are available on the switch:
· config—Sorts ACL rules in ascending order of rule ID. A rule with a lower ID is matched before a rule with a higher ID. This match order is the default order.
· auto—Sorts ACL rules in depth-first order. Depth-first order makes sure any subset of a rule is always matched before the rule.
The match order of user-defined ACLs can only be config.
The ACL rules are displayed in the actual match order in the display acl acl-number command output.
[Sysname]display acl 3000
Advanced ACL 3000, named -none-, 3 rules, match-order is auto,
ACL's step is 5
rule 10 permit tcp source 10.11.0.0 0.0.255.255
rule 5 permit ip source 10.11.113.0 0.0.0.255
rule 0 permit ip
Q. What are the differences when the permit or deny statement is used in different applications?
A. The differences when the permit or deny statement is used in different applications are as follows:
· When an ACL is for QoS traffic classification, the deny statement disables QoS from executing the behavior associated with the class, and the permit statement enables QoS to execute the behavior associated with the class.
· When an ACL is for packet filtering, packets matching the deny statement are dropped, and packets that do not match the deny statement are allowed to pass through.
· When an ACL is for policy-based routing (PBR), the following describes how PBR forwards packets based on different policy node configurations:
  ◦ If packets match a permit policy node that references a permit ACL rule, PBR forwards the matching packets to the specified output interface or next hop. If the output interface or next hop is invalid, the switch uses the routing table to forward the packets. The switch matches the packets that do not match the node against the next node.
  ◦ If packets match a permit policy node that references a deny ACL rule, the switch matches the packets against the next node regardless of whether the packets match the node.
  ◦ If packets match a deny policy node that references a permit ACL rule, the switch uses the routing table to forward the matching packets. The switch matches the packets that do not match the node against the next node.
  ◦ If packets match a deny policy node that references a deny ACL rule, the switch matches the packets against the next node regardless of whether the packets match the node.
· When an ACL is for other applications, packets that do not match the permit statement are denied.
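The following is an added example, not H3C code, serving both the match-order question and the permit/deny question above: a small ACL evaluator that orders rules in config or auto (depth-first) order and then applies the per-application semantics described above, a packet filter that drops only on a matched deny and lets everything else through, versus applications such as the PIM source-policy or a QoS class, which act only on a matched permit. The depth-first ordering key (a specific protocol before ip, then the more specific source, then the more specific destination, then the lower rule ID) is a simplified model and an assumption; the ACLs are the ones quoted in this FAQ plus one constructed pair of rules that shows the match order changing the outcome.

```python
"""ACL matching as the FAQ describes it: config vs auto (depth-first) match
order, and what permit/deny mean per application.

Added example, not H3C code. The depth-first ordering key is a simplified
model (protocol before ip, then more specific source, then more specific
destination, then rule ID) and an assumption; the ACLs are the ones quoted
in the FAQ plus one constructed pair of rules showing order changing the
outcome.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

Match = Tuple[str, str]   # (address, wildcard) as in "source 10.11.0.0 0.0.255.255"
ANY = ("0.0.0.0", "255.255.255.255")


@dataclass(frozen=True)
class Rule:
    rule_id: int
    action: str                    # "permit" or "deny"
    proto: str = "ip"              # "ip", "tcp", "udp", "icmp", ...
    source: Match = ANY
    dest: Match = ANY


def _fixed_bits(m: Match) -> int:
    """Bits the wildcard fixes (a 0 bit in the wildcard means 'must match')."""
    return 32 - bin(int(ipaddress.ip_address(m[1]))).count("1")


def _field_match(addr: str, m: Match) -> bool:
    a = int(ipaddress.ip_address(addr))
    want = int(ipaddress.ip_address(m[0]))
    care = 0xFFFFFFFF ^ int(ipaddress.ip_address(m[1]))
    return a & care == want & care


def ordered(rules, match_order="config"):
    """Rules in the order they are examined; this is the 'display acl' order."""
    if match_order == "config":
        return sorted(rules, key=lambda r: r.rule_id)
    if match_order == "auto":      # depth-first: most specific rule first
        return sorted(rules, key=lambda r: (r.proto == "ip", -_fixed_bits(r.source),
                                            -_fixed_bits(r.dest), r.rule_id))
    raise ValueError(match_order)


def first_match(rules, pkt, match_order="config") -> Optional[Rule]:
    """pkt = {"proto": "tcp", "src": "10.11.113.7", "dst": "225.1.1.1"}"""
    for r in ordered(rules, match_order):
        if (r.proto in ("ip", pkt["proto"]) and _field_match(pkt["src"], r.source)
                and _field_match(pkt["dst"], r.dest)):
            return r
    return None


def packet_filter(rules, pkt, match_order="config") -> str:
    """packet-filter: only a matched deny drops; unmatched traffic passes."""
    hit = first_match(rules, pkt, match_order)
    return "drop" if hit is not None and hit.action == "deny" else "pass"


def permit_only(rules, pkt, match_order="config") -> bool:
    """Other ACL users (PIM source-policy, QoS class, ...): only a matched
    permit allows the action; unmatched traffic is denied."""
    hit = first_match(rules, pkt, match_order)
    return hit is not None and hit.action == "permit"


# ACL 3000 from the 'display acl 3000' output in the FAQ
ACL_DISPLAY = [
    Rule(10, "permit", "tcp", source=("10.11.0.0", "0.0.255.255")),
    Rule(5, "permit", "ip", source=("10.11.113.0", "0.0.0.255")),
    Rule(0, "permit", "ip"),
]
# ACL 3000 from the packet-filter example (deny one host, nothing else)
ACL_FILTER = [Rule(0, "deny", "ip", source=("192.168.1.2", "0.0.0.0"))]
# ACL 3000 from the PIM source-policy example
ACL_SOURCE_POLICY = [
    Rule(0, "permit", "ip", source=("99.100.100.4", "0.0.0.0"), dest=("225.1.1.1", "0.0.0.0")),
    Rule(1, "deny", "ip"),
]
# Constructed: a broad permit with a lower ID than a narrow deny
ACL_ORDER_MATTERS = [
    Rule(0, "permit", "ip", source=("10.11.0.0", "0.0.255.255")),
    Rule(5, "deny", "ip", source=("10.11.113.0", "0.0.0.255")),
]

if __name__ == "__main__":
    print([r.rule_id for r in ordered(ACL_DISPLAY, "auto")])        # [10, 5, 0]
    pkt = {"proto": "tcp", "src": "10.11.113.7", "dst": "10.0.0.1"}
    print(packet_filter(ACL_ORDER_MATTERS, pkt, "config"),            # pass
          packet_filter(ACL_ORDER_MATTERS, pkt, "auto"))              # drop
    other = {"proto": "udp", "src": "192.168.1.9", "dst": "10.0.0.1"}
    print(packet_filter(ACL_FILTER, other), permit_only(ACL_FILTER, other))   # pass False
```

Two things to take from the output: the auto order reproduces the 10, 5, 0 sequence of the display acl output above, and the same two-rule ACL passes or drops a packet from 10.11.113.7 depending only on the match order, so a filtering ACL written for one order must be re-checked if the order is changed. The last line shows why a packet filter that only lists deny rules is permissive by default, while the same ACL used by another application would deny the unmatched traffic.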
Q. Why cannot a device on an external network ping the VLAN interface of the switch configured with PBR?
A. ICMP ping packets destined for the switch must be delivered to the CPU based on the FIB. If such packets match the ACL referenced by PBR, they are forwarded to the PBR next hop instead of the CPU, so the ping fails.
H3C recommends that you configure packet filtering to reference an ACL rule with the permit statement so that packets whose destination MAC address is the VLAN interface MAC address are delivered to the CPU.
Q. What's the order in which ACL rules are restored after a card is restarted?
A. The order in which ACL rules are displayed in the display acl acl-number command output is the order in which the ACL rules are restored after a card is restarted.
Q. How do I resolve the problem that the switch discards packets because congestion occurs on an interface?
A. To resolve the problem:
1. Use the buffer egress slot slot-number packet total-shared size-value command to increase the shared buffer size.
2. Execute the buffer apply command.
Q. Can the match criteria configured on the switch match Layer 2 or Layer 3 packets?
A. Only the if-match forwarding-layer { bridge | route } command can match Layer 2 or Layer 3 packets.
The if-match forwarding-layer bridge and if-match forwarding-layer route commands are mutually exclusive in a class.
You must use a forwarding-layer match criterion together with other match criteria. The other match criteria in the class cannot conflict with the forwarding-layer match criterion, regardless of the operator of the class.
Q. Does the switch support QoS traffic classification policies that reference basic/advanced ACLs and Ethernet frame header ACLs at the same time?
A. If a traffic class uses the OR operator, QoS policies that reference basic/advanced ACLs and Ethernet frame header ACLs can be configured on the switch at the same time. If a traffic class uses the AND operator, only one kind is supported: either QoS policies that reference basic/advanced ACLs or those that reference Ethernet frame header ACLs. In traffic classification, the if-match command can reference either basic/advanced ACLs or Ethernet frame header ACLs, but not both in the same AND class.
Q. How do I configure packet filtering on the switch?
A. Configure an ACL, and then apply it to filter packets. An example is as follows:
# Configure ACL 3000.
[Sysname] acl number 3000
[Sysname-acl-adv-3000] rule 0 deny ip source 192.168.1.2 0
# Apply the rule to filter incoming packets on a VLAN interface.
[Sysname] interface vlan-interface 2
[Sysname-Vlan-interface2] packet-filter 3000 inbound
[Sysname-Vlan-interface2] quit
Q. Does the switch support traffic policing for traffic flows on multiple ports (aggregate CAR)?
A. Yes. However, the ports must be on the same forwarding module.
Q. Why do interface traffic statistics not change after CAR is configured on an interface on the switch?
A. After CAR is configured on an interface, the display interface command still displays interface traffic statistics before CAR is performed. CAR is performed after interface traffic statistics are collected.
Q. Does the switch support traffic redirection?
A. The switch supports traffic redirection only in the inbound direction. Packets can be redirected to the CPU, common interfaces, and aggregate interfaces.
Q. Why can a tracert response be received from the switch after the switch is configured with PBR?
A. The switch reduces the TTL by 1 when forwarding an ICMP packet based on PBR. The CPU processes an ICMP packet with the TTL value of 1 and returns a response.
Q. How do I clear traffic statistics on the switch?
A. You can use the reset counters interface interface-type interface-number command to clear traffic statistics.
<Sysname>reset counters interface g7/0/17
<Sysname>display qos policy interface g7/0/17
Interface: GigabitEthernet7/0/17
Direction: Inbound
Policy: p1
Classifier: c1
Operator: AND
Rule(s) : If-match acl 2020
Behavior: b1
Accounting Enable:
0 (Packets)
Q. Can an ACL match ICMP packets encapsulated with PPPoE on the switch?
A. The switch can distinguish between PPPoE control and data packets and use user-defined ACLs to match PPPoE encapsulated ICMP packets based on ICMP packet characteristics. The switch cannot use basic, advanced, and Ethernet frame header ACLs to match PPPoE packet fields.
Q. What are the functions of the qos priority dot1p and qos trust dot1p commands configured on an interface on the switch?
A. The qos priority dot1p command configured on an interface changes the 802.1p priority value of the interface. The default 802.1p priority value of an interface is 0.
When an interface uses the default dot1p/exp/dscp/lp/dp values, the packets forwarded on the interface inherit the default interface priority configurations.
After an interface is configured with the qos priority dot1p command, the interface changes the 802.1p priority of an incoming packet to the interface 802.1p priority and forwards the packet.
After the qos trust dot1p command is configured on an interface:
· For a tagged packet, the interface searches the priority mapping tables dot1p-exp, dot1p-dscp, dot1p-lp, and dot1p-dp based on the packet 802.1p priority value and changes the packet priority values according to the mappings.
· For an untagged packet:
  ◦ If the qos priority dot1p command is used to change the interface 802.1p priority value, the interface changes the packet 802.1p priority value to the interface 802.1p priority value.
  ◦ If the qos priority dot1p command is not used to change the interface 802.1p priority value, the interface changes the packet 802.1p priority value to the default interface 802.1p priority value.
After the qos trust dot1p override command is configured on an interface:
· For a tagged packet, the interface searches the dot1p-dot1p priority mapping table based on the packet 802.1p value and searches the mapped 802.1p value in the priority mapping tables dot1p-exp, dot1p-dscp, dot1p-lp, and dot1p-dp. Then the interface changes the packet priority values according to the mappings.
· For an untagged packet:
◦ If the qos priority dot1p command is used to change the interface 802.1p priority value, the interface changes the packet 802.1p priority value to the interface 802.1p priority value.
◦ If the qos priority dot1p command is not used to change the interface 802.1p priority value, the interface changes the packet 802.1p priority value to the default interface 802.1p priority value.
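The priority handling described above, modelled in Python as an added example (this is not code from H3C or from the FAQ). The mapping tables, including the dot1p-dot1p table that only the override mode consults, are constructed placeholders rather than the switch's real defaults, and the assumption that an untagged packet's EXP, DSCP, local precedence and drop precedence are then derived from its new 802.1p value through the same tables is the example's own:

```python
"""Model of how an interface derives packet priorities under
qos priority dot1p, qos trust dot1p and qos trust dot1p override.

Added example, not H3C code. Mapping tables are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed mapping tables indexed by 802.1p value 0-7 (not real defaults).
DOT1P_TO_EXP = {i: i for i in range(8)}
DOT1P_TO_DSCP = {i: i * 8 for i in range(8)}
DOT1P_TO_LP = {i: i for i in range(8)}                        # local precedence
DOT1P_TO_DP = {0: 0, 1: 0, 2: 0, 3: 0, 4: 1, 5: 1, 6: 2, 7: 2}   # drop precedence
# dot1p-dot1p table used only by "override"; constructed so that 6 and 7
# collapse into 5, which makes the override remap visible in results.
DOT1P_TO_DOT1P = {0: 0, 1: 1, 2: 2, 3: 3, 4: 4, 5: 5, 6: 5, 7: 5}


@dataclass
class Interface:
    """Interface QoS settings that the FAQ answer refers to."""
    priority_dot1p: int = 0       # 'qos priority dot1p' value; default is 0
    priority_set: bool = False    # True once 'qos priority dot1p' was configured
    trust: Optional[str] = None   # None, "dot1p" or "dot1p override"
    # Default interface priority values inherited when nothing is trusted.
    default_exp: int = 0
    default_dscp: int = 0
    default_lp: int = 0
    default_dp: int = 0


@dataclass
class Packet:
    tagged: bool
    dot1p: Optional[int] = None   # only meaningful when tagged


@dataclass
class Priorities:
    dot1p: int
    exp: int
    dscp: int
    lp: int
    dp: int


def derive(iface: Interface, pkt: Packet) -> Priorities:
    """Return the priority values the interface assigns to the packet."""
    if iface.trust is None:
        # No trust: the packet inherits the interface defaults. With
        # 'qos priority dot1p' configured, the 802.1p value is rewritten to
        # the interface value; otherwise the interface default (0) applies.
        dot1p = iface.priority_dot1p if iface.priority_set else 0
        return Priorities(dot1p, iface.default_exp, iface.default_dscp,
                          iface.default_lp, iface.default_dp)

    if not pkt.tagged:
        # Untagged packet, either trust mode: the packet 802.1p value becomes
        # the interface 802.1p priority (configured value, or the default 0).
        # Assumption: the other values are then looked up from that 802.1p.
        dot1p = iface.priority_dot1p if iface.priority_set else 0
    elif iface.trust == "dot1p override":
        # Override: remap the packet 802.1p value through dot1p-dot1p first,
        # then use the mapped value as the key for the other tables.
        dot1p = DOT1P_TO_DOT1P[pkt.dot1p]
    else:
        # Plain trust: the packet's own 802.1p value is the lookup key.
        dot1p = pkt.dot1p

    return Priorities(dot1p, DOT1P_TO_EXP[dot1p], DOT1P_TO_DSCP[dot1p],
                      DOT1P_TO_LP[dot1p], DOT1P_TO_DP[dot1p])
```

Running derive() for the same tagged packet against an interface with no trust, with trust dot1p, and with trust dot1p override shows the three outcomes side by side; the no-trust case is why the next question's answer says received packets inherit the interface defaults.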
Q. Does the switch trust the priorities of a packet by default?
A. The switch does not trust the 802.1p priority, EXP value, and DSCP value of a packet by default. When an interface uses the default priority configurations, the packets received on the interface inherit the default interface priority configurations (dot1p/exp/dscp/lp/dp). When the packets are forwarded on this interface, the packet priority values will not be changed.
Q. Does the switch functioning as a P device in an MPLS network trust the EXP value of a packet?
A. The switch functioning as a P device in an MPLS network does not trust the EXP value of a packet by default. You can execute the qos trust exp command on the incoming interface to configure the interface to trust the EXP value of an MPLS packet.
Q. Why is the scheduling inaccurate when both SP and WRR scheduling algorithms are configured in a queue scheduling profile?
A. The scheduling might be inaccurate if the queues in a WRR group have inconsecutive numbers. When both SP and WRR scheduling algorithms are configured in a queue scheduling profile, make sure the queues in a WRR group have consecutive numbers.
Q. Can WRR be configured together with GTS?
A. Yes.
Q. Does the switch support collecting traffic statistics of a VLAN interface?
A. No.
Q. Do statistics collected by the per-port queue-based accounting include statistics about outgoing packets that are filtered out on the switch?
A. No.
Q. What restrictions and guidelines should I follow when I configure traffic mirroring and port mirroring on the switch in IRF mode?
A. Follow these restrictions and guidelines when you configure traffic and port mirroring on the switch in IRF mode:
· The switch in IRF mode supports inbound traffic mirroring to a VLAN. When two Ethernet interfaces belong to the same VLAN but on different IRF member devices, traffic is mirrored to the local Ethernet interface but not the remote one.
· The switch in IRF mode cannot mirror traffic from a specific source VLAN to a destination interface.
Q. What protocol packets can be rate limited by a QoS policy applied to a control plane?
A. The switch supports rate limiting the packets of these protocols: ARP, BGP, DHCP, DHCP snooping, DHCPv6, DLDP, GVRP, ICMP, ICMPv6, IGMP, ISIS, LACP, LDP, LLDP, MLD, NTP, OAM, OSPF, PIM, Portal, RIP, RIPng, SNMP, STP, TACACS, UDP helper, VRRP, and Telnet.
OpenFlow
This section contains the most frequently asked questions about OpenFlow.
Q. Does the switch support OpenFlow?
A. Yes. The switch supports OpenFlow.
Q. What is the difference between OpenFlow switches and ordinary switches?
A. OpenFlow switches are switches that support the OpenFlow protocol. OpenFlow switches are classified into the following types:
· OpenFlow-only—Supports only OpenFlow operation.
· OpenFlow-hybrid—Supports both OpenFlow operation and traditional Ethernet switching operation. The S12500 series switches are OpenFlow-hybrid switches.
An OpenFlow switch separates the data forwarding and routing decision functions. It keeps the flow-based forwarding function and employs a separate controller to make routing decisions. An OpenFlow switch communicates with the controller through a secure channel. Packets in an OpenFlow switch are matched and forwarded based on the flow table deployed by the controller. An ordinary switch does not separate the data forwarding and routing decision functions and uses the normal forwarding process.
Q. What OpenFlow protocol version does the switch support?
A. The switch supports OpenFlow protocol version 1.3.1 and is backward compatible with OpenFlow protocol version 1.0.0.
Q. What controllers does the switch support when the switch acts as an OpenFlow switch?
A. When the switch acts as an OpenFlow switch, the switch supports H3C Virtual Converged Framework (VCF) Controller and HP VAN SDN Controller.
Q. How many controllers can an OpenFlow instance on the switch support?
A. An OpenFlow instance in the switch supports up to 64 controllers.
QinQ
This section contains the most frequently asked questions about QinQ.
Q. What is QinQ?
A. 802.1Q-in-802.1Q (QinQ), also called "802.1Q tunneling," is a Layer 2 VPN technology that enables a service provider to extend Layer 2 Ethernet connections across an Ethernet MAN between customer sites.
Q. How does QinQ work?
A. QinQ is typically deployed on the edge devices of a service provider network. This feature is enabled on a per-port basis. A QinQ-enabled port tags all incoming frames (tagged or untagged) with the PVID tag.
QinQ tags all incoming frames with the PVID tag without discriminating between CVLANs. To perform advanced VLAN manipulations, use VLAN mapping.
Q. What benefits does QinQ provide?
A. QinQ provides the following benefits:
· Enables a service provider to use a single service VLAN (SVLAN) to convey multiple customer VLANs (CVLANs) for a customer.
· Enables customers to plan CVLANs without conflicting with SVLANs.
· Enables customers to keep their VLAN assignment schemes unchanged when the service provider changes its VLAN assignment scheme.
· Allows customers to use overlapping CVLAN IDs, because devices in the service provider network make forwarding decisions based on SVLAN IDs instead of CVLAN IDs.
Q. Can QinQ add another tier of VLAN tag to a double-tagged customer frame?
A. Yes.
Q. What VLAN tags do the if-match service-vlan-id command and the if-match customer-vlan-id command match?
A. The if-match customer-vlan-id command matches the inner VLAN ID of double-tagged frames.
The if-match service-vlan-id command matches the outer VLAN ID of double-tagged frames or the VLAN ID of single-tagged frames. If the frames do not have VLAN tags, the service-vlan-id represents the PVID of the port.
Q. Does the switch learn MAC addresses to the SVLAN or CVLAN on a QinQ port?
A. The switch learns MAC addresses to the SVLAN on QinQ ports.
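The QinQ behaviour described in this section (tagging every incoming frame with the PVID tag, a third tag on an already double-tagged frame, what if-match service-vlan-id and if-match customer-vlan-id match, and which VLAN the source MAC is learned into), shown on real frame bytes as an added Python example. This is not H3C code; the sample frames, the PVID values and the set of tag ethertypes the parser accepts are constructed assumptions for illustration:

```python
"""Parse single- and double-tagged Ethernet frames and model what a
QinQ port does with them. Added example, not H3C code.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional

VLAN_TPIDS = {0x8100, 0x88A8, 0x9100}   # assumption: tag ethertypes recognised


@dataclass
class Frame:
    dst: bytes
    src: bytes
    tcis: List[int]      # TCI of each VLAN tag, outer first; [] when untagged
    ethertype: int
    payload: bytes

    @property
    def vids(self) -> List[int]:
        return [t & 0x0FFF for t in self.tcis]   # low 12 bits of a TCI = VID


def tci(vid: int, pcp: int = 0) -> int:
    """Build a Tag Control Information value from PCP and VID (DEI = 0)."""
    return (pcp << 13) | (vid & 0x0FFF)


def parse_frame(raw: bytes) -> Frame:
    """Parse a frame, walking over every stacked VLAN tag."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    off, tcis = 12, []
    while True:
        if off + 2 > len(raw):
            raise ValueError("truncated frame")
        (etype,) = struct.unpack_from("!H", raw, off)
        off += 2
        if etype not in VLAN_TPIDS:
            break
        if off + 2 > len(raw):
            raise ValueError("truncated VLAN tag")
        (t,) = struct.unpack_from("!H", raw, off)
        off += 2
        tcis.append(t)
    return Frame(dst, src, tcis, etype, raw[off:])


def build_frame(dst: bytes, src: bytes, tcis: List[int], ethertype: int,
                payload: bytes) -> bytes:
    """Build a frame with zero or more stacked tags (outer first)."""
    out = dst + src
    for t in tcis:
        out += struct.pack("!HH", 0x8100, t)
    return out + struct.pack("!H", ethertype) + payload


def qinq_ingress(raw: bytes, pvid: int) -> bytes:
    """A QinQ-enabled port pushes the PVID tag onto every incoming frame,
    tagged or untagged, without looking at the CVLAN."""
    f = parse_frame(raw)
    return build_frame(f.dst, f.src, [tci(pvid)] + f.tcis, f.ethertype, f.payload)


def service_vlan_id(f: Frame, pvid: int) -> int:
    """What 'if-match service-vlan-id' sees: the outer VID of a double-tagged
    frame, the VID of a single-tagged frame, or the port PVID when untagged."""
    return f.vids[0] if f.tcis else pvid


def customer_vlan_id(f: Frame) -> Optional[int]:
    """What 'if-match customer-vlan-id' sees: the inner VID of a double-tagged
    frame; None when there is no second tag to match."""
    return f.vids[1] if len(f.tcis) >= 2 else None


def learning_vlan(f: Frame, pvid: int) -> int:
    """VLAN the switch learns the source MAC into on a QinQ port: the SVLAN."""
    return service_vlan_id(f, pvid)


# Constructed sample frames (not captured traffic).
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("0242ac110002")
UNTAGGED = build_frame(DST, SRC, [], 0x0800, b"\x45" + b"\x00" * 19)
CVLAN10 = build_frame(DST, SRC, [tci(10, pcp=3)], 0x0800, b"\x45" + b"\x00" * 19)
```

Note that the original tag's TCI, including its PCP, is kept intact under the new outer tag, so the customer's 802.1p marking survives the push; only the outer tag carries the provider's values.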
IRF
This section contains the most frequently asked questions about IRF.
Q. Can an H3C S12500 switch form an IRF fabric with other series devices?
A. No. An H3C S12500 switch can form an IRF fabric only with switches in the same series.
Q. How many chassis can an H3C S12500 IRF fabric have?
A. By default, an H3C S12500 IRF fabric can have two member chassis. To set up a four-chassis IRF fabric, you must configure the irf mode enhanced command.
Q. Are there any special requirements for connecting IRF member chassis?
A. Yes. When you connect two neighboring IRF members, you must connect the physical ports of IRF-port 1 on one member to the physical ports of IRF-port 2 on the other. The IRF fabric cannot be formed if physical connections are incorrect.
When you bind physical ports to IRF ports, you must make sure the bindings are consistent with the physical connections.
Q. Why can't I bind a physical port to or remove it from an IRF port in IRF mode?
A. In IRF mode, you must shut down a physical port before you bind it to or remove it from an IRF port. You cannot shut down the port if one of the following conditions is met:
· The port is the only member port of a subordinate chassis in an IRF port binding.
· Among all ports of a subordinate chassis in an IRF port binding, only the port is in up state.
Q. What topologies does IRF support?
A. IRF supports the following topologies:
· A three- or four-chassis S12500 IRF fabric must use the ring topology, and the IRF fabric cannot have any relay device between member devices.
· A two-chassis S12500 IRF fabric must use the daisy-chained topology. If enhanced IRF is disabled, a two-chassis S12500 IRF fabric can have relay devices between member devices.
IRF does not support the full mesh topology.
Q. Does an IRF fabric support multichassis Ethernet link aggregation?
A. Yes.
Q. Can I set up an IRF connection that has multiple links?
A. Yes, you can bind multiple physical links into one IRF connection. These links aggregate automatically. You do not need to create a link aggregation group as you do for creating an Ethernet link aggregation.
Q. Can IRF member chassis use duplicate member IDs?
A. No. You must assign a unique IRF member ID to each member chassis before setting up an IRF fabric. If a chassis has different member IDs on its active MPU and the standby MPU, the standby MPU will reboot automatically with the member ID on the active MPU.
Q. Are there any software feature consistency requirements for a successful IRF setup?
A. Yes. To set up an IRF fabric, you must make sure all member chassis have the same settings for the following commands:
· acl hardware-mode ipv6
· irf mode enhanced
· system-working-mode
Q. Can I install an MPU to an H3C S12500 IRF fabric if it runs a different software version than the global active MPU?
A. Yes. By default, the software auto-update function is enabled on H3C S12500 switches. When you add a new MPU to an IRF fabric, this feature enables the MPU to synchronize its startup software images automatically with the master MPU.
However, software synchronization might fail if software auto-update is not supported between the current software version on the new MPU and the running software version on the global active MPU. Typically, this feature might fail when the version gap is large. For more information, see the release notes for the software versions.
If software synchronization fails, you must manually update software images for the new MPU.
NOTE: Master MPU (also called the "global active MPU") refers to the active MPU on the master chassis.
Q. Can I change the MDC settings on the member devices of a split IRF fabric before it reunites?
A. No. If you change the MDC settings, the split IRF fabric might fail to reunite.
Q. Why can't I configure a port as a Layer 3 Ethernet interface?
A. Check the IRF mode. If enhanced IRF is enabled, the switch does not support the Layer 3 Ethernet interface, Layer 3 Ethernet subinterface, Layer 3 aggregate interface, or Layer 3 aggregate subinterface.
Q. Why can't I disable enhanced IRF?
A. To execute the undo irf mode enhanced command, verify that the following requirements are met:
· The IRF fabric has only up to two member chassis.
· On each member chassis, only one of the IRF ports has IRF physical port bindings.
Q. Can I configure multiple MAD mechanisms for an IRF fabric?
A. Yes. You can configure BFD MAD and ARP MAD together in an IRF fabric for prompt IRF split detection. LACP MAD handles collisions differently than BFD MAD and ARP MAD. To avoid conflicts, do not enable LACP MAD together with any of those mechanisms in an IRF fabric.
Q. Can I run LACP MAD on any Ethernet link aggregation?
A. No. To run LACP MAD, make sure the aggregation meets the following requirements:
· The remote device is a Comware-based H3C device that can process the LACPDUs that convey the ActiveID field for MAD.
· The aggregation mode is dynamic.
· The aggregation includes at least one link from each member chassis.
Q. Why doesn't BFD MAD take effect when the spanning tree feature is enabled globally in IRF mode?
A. This issue occurs if the spanning tree feature is enabled both globally and on the physical ports in the BFD MAD VLAN. To resolve this issue, you must disable the spanning tree feature on the physical ports in the BFD MAD VLAN.
In IRF mode, the member chassis are considered as one system. The spanning tree feature can cause shutdown of physical links in the BFD MAD VLAN for detection of loops:
· If BFD MAD links are between member chassis, the system will shut down the physical ports in the BFD MAD VLAN because the STP BPDUs sent between them are all sent by the system itself.
· If BFD MAD links are between the member chassis and a remote device, the remote device will shut down all but one physical port in the BFD MAD VLAN, because the ports receive STP BPDUs sent by the same system.
Q. Why are ports that were shut down by MAD still down after an IRF merge?
A. If you reboot the active fabric instead of the recovery IRF fabric to complete an IRF merge, the ports that were shut down by MAD cannot be restored automatically. You must use the mad restore command to restore their original physical state.
To avoid this issue, reboot the recovery IRF fabric instead of the active IRF fabric to complete an IRF merge.
Q. Why doesn't the running configuration on a re-unified IRF fabric include the configuration that I made on one chassis after an IRF split?
A. When an IRF fabric merges, chassis in the Recovery-state IRF fabric reboot with the running configuration on the active IRF fabric. The configuration you made on the recovery IRF fabric will not take effect.
Q. Will the active IRF fabric retain configuration for chassis in the recovery IRF fabric after an IRF split?
A. Yes. In the running configuration, the active IRF fabric will retain the settings for the chassis in the recovery IRF fabric. You do not need to reconfigure these settings after the recovery IRF fabric rejoins the active IRF fabric. However, the display current-configuration command does not display these settings.
These settings will be lost if the active IRF fabric reboots before an IRF merge occurs. The reason is that you cannot save these settings to the configuration file on the active IRF fabric while the subordinate chassis is absent.
Q. Why do the subordinate chassis reboot automatically upon IRF merge?
A. When an IRF merge occurs after a split, the subordinate chassis reboots automatically if the following conditions are met:
· The IRF split occurred because of an IRF hello timeout.
· IRF port bindings have not been changed.
Q. In what situations must I reboot a chassis manually to complete an IRF merge?
A. When the member chassis receive IRF hello messages from each other after an IRF split, some of the member chassis must be rebooted to complete a merge. A manual reboot is required if the IRF split meets the following conditions:
· The IRF split occurred because of an IRF hello timeout.
· IRF port bindings have been changed.
If no MAD mechanisms are available, the system instructs you to reboot the lowest-priority chassis.
If a MAD mechanism is available, the system instructs you to reboot the highest-numbered chassis.
Q. Why can't data traffic be forwarded at the wire speed across chassis in an IRF fabric?
A. This issue might occur for various reasons, including:
· Tag removal on outgoing ports—Frames sent on IRF links always have a 4-byte VLAN tag. If the VLAN tag is removed on the outgoing port, the traffic rate will not reach the wire speed.
· Unbalanced traffic distribution—IRF distributes traffic across member chassis on a flow-by-flow basis. All traffic of a flow will be forwarded on the same IRF link. As a result, some IRF links might have heavy traffic while others have light traffic.
· Control traffic—Part of bandwidth is used for configuration synchronization and IRF protocol traffic (for example, IRF hello packets) between member chassis.
EVI
This section contains the most frequently asked questions about EVI.
Q. Can I configure multiple ENDSs for an EVI tunnel?
A. Yes. You can configure up to two ENDSs on a tunnel source interface. To guarantee that each edge device can obtain the addresses of all its EVI neighbors, make sure the ENDSs are the same across the EVI network.
Q. What is the difference between an EVI link and an EVI tunnel?
A. An EVI link is a bidirectional virtual Ethernet channel between a pair of edge devices in an EVI network. Data is transported transparently over EVI links between network sites. EVI links are conveyed on EVI tunnels. An EVI tunnel can convey multiple EVI links. Each EVI link is uniquely identified by a pair of source and destination EVI tunnel interface IP addresses.
An EVI tunnel is a point-to-many automatic GRE tunnel. It conveys up to 32 EVI links for an EVI network. An edge device establishes connections with multiple remote-site edge devices over an EVI tunnel. Each connection is represented as an EVI link.
Q. What is the difference between EVI edge devices and PE devices?
A. In an EVI network, edge devices are located at the boundaries of customer sites. In an MPLS VPN network, provider edge (PE) devices are located at the boundaries of the service provider network.
Q. What are extended VLANs?
A. Extended VLANs are customer VLANs extended by EVI between remote customer sites over a transport network. An extended VLAN can be assigned to only one EVI network.
Q. Under what conditions should I configure selective flooding for a MAC address?
A. By default, EVI does not flood unknown unicast or multicast traffic out of EVI tunnel interfaces to remote sites. Selective flooding enables an edge device to send an unknown unicast or multicast frame out of an EVI tunnel interface.
You can configure this feature for special multicast addresses that require flooding across sites but cannot be added to a multicast forwarding table by IGMP snooping.
For example, you must configure selective flooding for PIM hellos, IGMP general query packets, and Microsoft NLBS cluster traffic to be sent out of an EVI tunnel interface.
Q. How does EVI prevent forwarding loops?
A. EVI implements split horizon to prevent loops among edge devices. This feature prevents frames received from EVI tunnels from being forwarded back to the transport. Split horizon takes effect on all types of frames, including unicast, multicast, and broadcast.
Q. How does an edge device handle destination-unknown unicast, unknown multicast, and broadcast traffic?
A. An EVI edge device floods broadcast, unknown unicast, and unknown multicast traffic as follows:
· Broadcast frame—Floods the frame to all interfaces in the VLAN where the frame has been received, including internal interfaces and EVI-Link interfaces. For ARP packets, you can use the ARP flooding suppression feature to reduce ARP broadcasts.
· Unknown unicast or multicast frame—Floods the frame to all internal interfaces in the VLAN where the frame has been received. The edge device typically does not forward destination-unknown frames to other sites. If a site-to-site flooding is desirable for a special MAC address, use the selective flooding feature.
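The flooding and split-horizon rules in the last two answers, implemented as an added Python model of an EVI edge device's forwarding decision (this is not H3C code). The interface names, MAC table and selective-flooding list are constructed sample data; the PIM hello group MAC 01:00:5e:00:00:0d is the standard mapping of 224.0.0.13:

```python
"""Model of how an EVI edge device forwards known unicast, broadcast and
destination-unknown frames, with split horizon and selective flooding.
Added example, not H3C code; sample data is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_multicast(mac: str) -> bool:
    """The I/G bit (lowest bit of the first octet) marks a group address."""
    return int(mac.split(":")[0], 16) & 1 == 1


@dataclass
class EdgeDevice:
    vlan: int
    internal_ifaces: List[str]     # site-facing ports in the extended VLAN
    evi_link_ifaces: List[str]     # EVI-Link interfaces, one per remote site
    mac_table: Dict[str, str] = field(default_factory=dict)   # unicast MAC -> interface
    selective_flood: Set[str] = field(default_factory=set)    # MACs allowed to flood to remote sites

    def forward(self, dst_mac: str, ingress: str) -> List[str]:
        """Return the egress interfaces for a frame received in this VLAN."""
        dst = dst_mac.lower()
        from_tunnel = ingress in self.evi_link_ifaces

        # Known unicast: normal table lookup, never back out of the ingress port.
        if not is_multicast(dst) and dst in self.mac_table:
            out = self.mac_table[dst]
            return [] if out == ingress else [out]

        # Flooding always covers the other internal interfaces of the VLAN.
        egress = [i for i in self.internal_ifaces if i != ingress]

        if dst == BROADCAST or dst in self.selective_flood:
            # Broadcast goes to every EVI-Link interface as well; unknown
            # unicast/multicast only does so when selective flooding is
            # configured for that MAC (PIM hellos, IGMP queries, NLB ...).
            remote = list(self.evi_link_ifaces)
        else:
            # By default unknown unicast/multicast stays inside the site.
            remote = []

        # Split horizon: a frame received from an EVI tunnel is never sent back
        # to the transport, whatever its type.
        if not from_tunnel:
            egress.extend(remote)
        return egress


# Constructed sample device (not a real configuration).
SAMPLE = EdgeDevice(
    vlan=10,
    internal_ifaces=["GE1/0/1", "GE1/0/2"],
    evi_link_ifaces=["EVI-Link1", "EVI-Link2"],
    mac_table={"00:11:22:33:44:55": "GE1/0/2"},
    selective_flood={"01:00:5e:00:00:0d"},   # PIM hello group 224.0.0.13
)
```

The two cases worth comparing are an unknown unicast frame from a site port (flooded to local ports only) and a selectively flooded multicast frame arriving on an EVI-Link interface (delivered to the site, but never re-flooded to other EVI-Link interfaces).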
SPB
This section contains the most frequently asked questions about SPB.
Q. What should I do if an SPBM neighbor is in Up* state?
A. Check and modify the SPBM settings on the local device and the neighbor.
The Up* state indicates that the adjacency with the neighbor is up, but traffic cannot be transmitted on the adjacency because of configuration inconsistency. To resolve the issue, make sure the following settings are the same on the neighbor devices:
Settings | To verify | To modify |
---|---|---|
MST region settings: region name, revision level, VLAN-to-MSTI mapping table | display stp region-configuration | Region name: / Revision level: / VLAN-to-MSTI mapping table: |
B-VLAN to ECT algorithm mappings | display spbm ect | ect |
B-VLANs | display spbm bvlan-info | For more information about configuring B-VLANs, see SPB Configuration Guide. |
Q. What requirements must the MST instance for SPBM meet?
A. SPBM must run on MSTI 4092. To meet this requirement, you must map all B-VLANs to MSTI 4092 by using the instance command. The following is sample command output:
[sysname]stp region-configuration
[sysname-mst-region]display this
#
stp region-configuration
region-name spb
instance 4092 vlan 3001 to 3028
active region-configuration
#
return
Q. In what situations should I enable the multicast B-VLAN feature?
A. By default, the device uses one B-VLAN to transmit both unicast and multicast traffic. If tandem multicast replication is used, you must enable the multicast B-VLAN feature for the device to use separate VLANs for unicast and multicast traffic.
If the multicast B-VLAN feature is enabled, you must assign an odd B-VLAN ID to an I-SID for SPBM to transmit unicast traffic. SPBM automatically chooses the next higher even B-VLAN ID (odd B-VLAN ID plus 1) for multicast traffic.
ISIS-SPB only advertises the odd B-VLAN IDs. It uses the odd B-VLAN IDs when populating the unicast FDB table with routes. When populating the multicast FDB table with routes, it uses the even B-VLAN IDs.
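The consistency requirements behind the Up* state (same MST region settings, B-VLAN to ECT mappings and B-VLANs on both neighbors), the MSTI 4092 requirement, and the odd/even B-VLAN rule for the multicast B-VLAN feature, gathered into an added Python pre-check (this is not H3C code). The device settings, including the ECT algorithm index values and the I-SID numbers, are constructed sample data; the VLAN range 3001 to 3028 mirrors the sample configuration above:

```python
"""Pre-check SPBM neighbor consistency and I-SID to B-VLAN assignment.
Added example, not H3C code; sample settings are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

SPBM_MSTI = 4092   # the MSTI that SPBM must run on


@dataclass
class SpbmSettings:
    region_name: str
    revision_level: int
    vlan_to_msti: Dict[int, int]       # VLAN ID -> MSTI
    bvlan_to_ect: Dict[int, int]       # B-VLAN ID -> ECT algorithm index (constructed)
    bvlans: List[int] = field(default_factory=list)


def adjacency_mismatches(local: SpbmSettings, peer: SpbmSettings) -> List[str]:
    """Differences that would hold an SPBM neighbor adjacency in Up* state."""
    problems = []
    if local.region_name != peer.region_name:
        problems.append("MST region name differs")
    if local.revision_level != peer.revision_level:
        problems.append("MST revision level differs")
    if local.vlan_to_msti != peer.vlan_to_msti:
        problems.append("VLAN-to-MSTI mapping table differs")
    if local.bvlan_to_ect != peer.bvlan_to_ect:
        problems.append("B-VLAN to ECT algorithm mappings differ")
    if set(local.bvlans) != set(peer.bvlans):
        problems.append("B-VLAN set differs")
    return problems


def bvlans_off_spbm_msti(s: SpbmSettings) -> List[int]:
    """B-VLANs not mapped to MSTI 4092 by the instance command (must be empty)."""
    return [v for v in s.bvlans if s.vlan_to_msti.get(v) != SPBM_MSTI]


def multicast_bvlan(unicast_bvlan: int) -> int:
    """With the multicast B-VLAN feature, the B-VLAN assigned to an I-SID must
    be odd; SPBM takes the next higher even ID for multicast traffic."""
    if unicast_bvlan % 2 == 0:
        raise ValueError(f"B-VLAN {unicast_bvlan} is even; assign an odd B-VLAN ID to the I-SID")
    return unicast_bvlan + 1


def check_isid_bvlans(isid_to_bvlan: Dict[int, int], s: SpbmSettings) -> List[str]:
    """Validate each I-SID's unicast/multicast B-VLAN pair against the device."""
    problems = []
    for isid, bv in isid_to_bvlan.items():
        try:
            mbv = multicast_bvlan(bv)
        except ValueError as e:
            problems.append(f"I-SID {isid}: {e}")
            continue
        for v, role in ((bv, "unicast"), (mbv, "multicast")):
            if v not in s.bvlans:
                problems.append(f"I-SID {isid}: {role} B-VLAN {v} is not a configured B-VLAN")
            elif s.vlan_to_msti.get(v) != SPBM_MSTI:
                problems.append(f"I-SID {isid}: {role} B-VLAN {v} is not mapped to MSTI {SPBM_MSTI}")
    return problems


# Constructed sample settings: region "spb", B-VLANs 3001-3028 on MSTI 4092,
# all B-VLANs on ECT index 0. PEER differs only in the revision level.
_BVLANS = list(range(3001, 3029))
LOCAL = SpbmSettings("spb", 0, {v: SPBM_MSTI for v in _BVLANS},
                     {v: 0 for v in _BVLANS}, _BVLANS)
PEER = SpbmSettings("spb", 1, {v: SPBM_MSTI for v in _BVLANS},
                    {v: 0 for v in _BVLANS}, _BVLANS)
```

A single differing revision level is enough to keep the adjacency in Up*, which is why the check compares every field rather than only the region name.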
Q. What restrictions should I follow when I configure C-VLANs for an Ethernet service instance on a BEB?
A. Do not use the C-VLANs (outer VLANs specified by using the encapsulation command) to provide any other Layer 2 and Layer 3 services.
Q. What restrictions should I follow when I configure B-VLANs?
A. Do not use B-VLANs for any other purposes, including VLAN interfaces and EVI extended VLANs. Before specifying a VLAN as a B-VLAN, you must remove all features that have been configured on the VLAN.
Q. What benefits does the Agreement Protocol (AP) provide?
A. AP prevents temporary loops that might occur when the topologies of SPBM nodes do not match.
In an SPBM network, each node independently learns the network topology and calculates forwarding paths. When network topology changes, temporary topology inconsistency occurs because latency varies for the change to be propagated to SPBM nodes.
AP enables SPBM to issue forwarding entries to the forwarding plane only if AP declares a topology match.
Q. Why can't the device work with a third-party device in an SPBM network enabled with the multicast B-VLAN feature?
A. The device cannot work with a third-party device because the two devices have different B-VLAN to ECT algorithm mappings.
Q. Can I migrate a PBB network to an SPB network?
A. You can migrate a PBB network to an SPB network only if all devices in the PBB network support SPB.
Q. Does SPB support static forwarding paths?
A. SPB does not support static forwarding paths. All SPB forwarding paths are calculated by ISIS-SPB.
ISSU
This section contains the most frequently asked questions about In-Service Software Upgrade (ISSU).
Q. Can a protocol operate continuously during an ISSU?
A. It depends. To make sure protocols can operate continuously during an ISSU:
· Enable GR or NSR for protocols including LDP, RSVP, OSPF, ISIS, BGP, and FSPF.
· Disable BFD for protocols including LDP, RSVP, OSPF, ISIS, RIP, BGP, VRRP, and NQA.
Q. Why does an LPU that supports ISSU reboot need 1 GB memory?
A. Because the LPU needs to save its operating data in the memory.
Q. Can I connect or disconnect a network cable on an LPU during an ISSU reboot? Can I use the CLI during the period?
A. No. You must keep the system stable during an ISSU reboot.
Q. How are switching fabric modules upgraded during an ISSU?
A. Switching fabric modules are upgraded one by one. The system upgrades one switching fabric module at a time and proceeds to reboot another switching fabric module only when the previously upgraded switching fabric module has started up.
MDC
Q. How many MDCs does the switch support?
A. The maximum number of MDCs depends on the MPU model:
· When using LST1MRPNE1 or LST1MRPNE2 MPUs, the switch supports up to nine MDCs (including the default MDC).
· When using LST1MRPNC1 or LST2MRPNC1 MPUs, the switch supports up to four MDCs (including the default MDC).
Some LPUs can be shared by multiple MDCs. See Table 7.
LPU memory | LPU model | Maximum number of MDCs |
---|---|---|
LPUs with a 512-MB memory | All | 1, including the default MDC. |
LPUs with a 1-GB memory | All | 2, including the default MDC. |
LPUs with a 4-GB memory | LST1XP20RFD1, LST1XP20RFD2 | 1, including the default MDC. |
LPUs with a 4-GB memory | LST1XP48LFD1, LST1XP48LFD2, LST1XLP16RFD1, LST1XLP16RFD2 | 4, including the default MDC. |
LPUs with a 4-GB memory | Others | 2, including the default MDC. |
Q. Are there memory requirements for cards to support MDCs?
A. Yes. An MPU must have 4-GB memory to support MDCs.
Q. I want to configure both IRF and MDC on the switch. Which should I configure first?
A. Configure IRF first. When the switch joins the IRF fabric as a subordinate member, it will reboot and load the master's configuration. None of the switch's settings will take effect, except for the IRF port settings.
Q. Does the IRF enhanced mode support MDCs?
A. No. IRF enhanced mode is mutually exclusive with the MDC technology.
Q. Must an MDC that is established across member devices have IRF links between the member devices?
A. Yes. This kind of MDC needs IRF links between the member devices to forward traffic correctly.
Q. How does MAD operate on an IRF fabric with MDCs?
A. On an IRF fabric with MDCs, you can display and manage the IRF fabric only on the default MDC. The displayed IRF status information is for the entire IRF fabric, rather than individual MDCs. The IRF fabric is considered split only when all IRF links are down.
MAD takes effect only when the IRF fabric is considered split. MAD takes effect globally. It shuts down all physical ports on the member device with the greatest member ID, regardless of which MDCs the ports belong to.
You can configure MAD on each MDC. You can also configure different MAD mechanisms on the same MDC. The MAD mechanisms can operate at the same time without affecting each other.
If the IRF fabric does not split but an IRF link of an MDC fails, the MDC's IRF status detection mechanism shuts down the ports on the MDC's member device with the greatest member ID. MAD does not take actions in this case.