An Ethernet device uses a MAC address table to forward frames. A MAC address entry includes a destination MAC address, an outgoing interface, and a VLAN ID. When the device receives a frame, it uses the destination MAC address of the frame to look for a match in the MAC address table.

· The device forwards the frame out of the outgoing interface in the matching entry if a match is found.

· The device floods the frame in the VLAN of the frame if no match is found.

How a MAC address entry is created

The entries in the MAC address table include entries automatically learned by the device and entries manually added.

MAC address learning

The device can automatically populate its MAC address table by learning the source MAC addresses of incoming frames on each interface.

The device performs the following operations to learn the source MAC address of incoming packets:

1. Checks the source MAC address (for example, MAC-SOURCE) of the frame.

2. Looks up the source MAC address in the MAC address table.

? The device updates the entry if an entry is found.

? The device adds an entry for MAC-SOURCE and the incoming port if no entry is found.

When the device receives a frame destined for MAC-SOURCE after learning this source MAC address, the device performs the following operations:

1. Finds the MAC-SOURCE entry in the MAC address table.

2. Forwards the frame out of the port in the entry.

The device performs the learning process for each incoming frame with an unknown source MAC address until the table is fully populated.

Manually configuring MAC address entries

Dynamic MAC address learning does not distinguish between illegitimate and legitimate frames, which can invite security hazards. When Host A is connected to port A, a MAC address entry will be learned for the MAC address of Host A (for example, MAC A). When an illegal user sends frames with MAC A as the source MAC address to port B, the device performs the following operations:

1. Learns a new MAC address entry with port B as the outgoing interface and overwrites the old entry for MAC A.

2. Forwards frames destined for MAC A out of port B to the illegal user.

As a result, the illegal user obtains the data of Host A. To improve the security for Host A, manually configure a static entry to bind Host A to port A. Then, the frames destined for Host A are always sent out of port A. Other hosts using the forged MAC address of Host A cannot obtain the frames destined for Host A.

Types of MAC address entries

A MAC address table can contain the following types of entries:

· Static entries—A static entry is manually added to forward frames with a specific destination MAC address out of the associated interface, and it never ages out. A static entry has higher priority than a dynamically learned one.

· Dynamic entries—A dynamic entry can be manually configured or dynamically learned to forward frames with a specific destination MAC address out of the associated interface. A dynamic entry might age out. A manually configured dynamic entry has the same priority as a dynamically learned one.

· Blackhole entries—A blackhole entry is manually configured and never ages out. A blackhole entry is configured for filtering out frames with a specific destination MAC address. For example, to block all frames destined for a user, you can configure the MAC address of the user as a blackhole MAC address entry. A blackhole entry has higher priority than a dynamically learned one.

A static or blackhole MAC address entry can overwrite a dynamic MAC address entry, but not vice versa. A static MAC address and a blackhole MAC address cannot overwrite each other.

Command and hardware compatibility

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

MAC address table configuration task list

The configuration tasks discussed in the following sections can be performed in any order.

This document covers only the configuration of MAC address entries, including static, dynamic, and blackhole MAC address entries.

To configure the MAC address table, perform the following tasks:

Tasks at a glance
(Optional.) Configuring MAC address entries · Adding or modifying a static or dynamic MAC address entry globally · Adding or modifying a static or dynamic MAC address entry on an interface · Adding or modifying a blackhole MAC address entry
(Optional.) Disabling MAC address learning
(Optional.) Setting the aging timer for dynamic MAC address entries
(Optional.) Setting the MAC learning limit on interfaces
(Optional.) Configuring the device to forward unknown frames after the MAC learning limit on an interface is reached
(Optional.) Assigning MAC learning priority to interfaces
(Optional.) Configuring MAC address move notifications and suppression
(Optional.) Enabling SNMP notifications for the MAC address table

Configuring MAC address entries

Configuration guidelines

· You cannot add a dynamic MAC address entry if a learned entry already exists with a different outgoing interface for the MAC address.

· The manually configured static and blackhole MAC address entries cannot survive a reboot if you do not save the configuration. The manually configured dynamic MAC address entries are lost upon reboot whether or not you save the configuration.

A frame whose source MAC address matches different types of MAC address entries is processed differently.

Type	Description
Static MAC address entry	Forwards the frame according to the destination MAC address regardless of whether the frame's ingress interface is the same as that in the entry.
Dynamic MAC address entry	· Learns the MAC address of the frames received on a different interface from that in the entry and overwrites the original entry. · Forwards the frame received on the same interface as that in the entry and updates the aging timer for the entry.

Type

Description

Static MAC address entry

Forwards the frame according to the destination MAC address regardless of whether the frame's ingress interface is the same as that in the entry.

Dynamic MAC address entry

· Learns the MAC address of the frames received on a different interface from that in the entry and overwrites the original entry.

· Forwards the frame received on the same interface as that in the entry and updates the aging timer for the entry.

Adding or modifying a static or dynamic MAC address entry globally

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Add or modify a static or dynamic MAC address entry.	mac-address { dynamic \| static } mac-address interface interface-type interface-number vlan vlan-id	By default, no MAC address entry is configured globally. Make sure you have created the VLAN and assigned the interface to the VLAN.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Add or modify a static or dynamic MAC address entry.

mac-address { dynamic | static } mac-address interface interface-type interface-number vlan vlan-id

By default, no MAC address entry is configured globally.

Make sure you have created the VLAN and assigned the interface to the VLAN.

Adding or modifying a static or dynamic MAC address entry on an interface

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	· Enter Layer 2 Ethernet interface view: interface interface-type interface-number · Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number	N/A
3. Add or modify a static or dynamic MAC address entry.	mac-address { dynamic \| static } mac-address vlan vlan-id	By default, no MAC address entry is configured on the interface. Make sure you have created the VLAN and assigned the interface to the VLAN.

Adding or modifying a blackhole MAC address entry

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Add or modify a blackhole MAC address entry.	mac-address blackhole mac-address vlan vlan-id	By default, no blackhole MAC address entry is configured. Make sure you have created the VLAN.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Add or modify a blackhole MAC address entry.

mac-address blackhole mac-address vlan vlan-id

By default, no blackhole MAC address entry is configured.

Make sure you have created the VLAN.

Disabling MAC address learning

MAC address learning is enabled by default. To prevent the MAC address table from being saturated when the device is experiencing attacks, disable MAC address learning. For example, you can disable MAC address learning to prevent the device from being attacked by a large amount of frames with different source MAC addresses.

After MAC address learning is disabled, existing dynamic MAC address entries will age out.

Disabling global MAC address learning

Disabling global MAC address learning disables MAC address learning on all interfaces. The device stops learning MAC addresses.

To disable global MAC address learning:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Disable global MAC address learning.	undo mac-address mac-learning enable	By default, global MAC address learning is enabled.

Disabling MAC address learning on interfaces

When global MAC address learning is enabled, you can disable MAC address learning on a single interface.

To disable MAC address learning on an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	· Enter Layer 2 Ethernet interface view: interface interface-type interface-number · Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number	N/A
3. Disable MAC address learning on the interface.	undo mac-address mac-learning enable	By default, MAC address learning on the interface is enabled.

Setting the aging timer for dynamic MAC address entries

For security and efficient use of table space, the MAC address table uses an aging timer for each dynamic MAC address entry. If a dynamic MAC address entry is not updated before the aging timer expires, the device deletes the entry. This aging mechanism ensures that the MAC address table can promptly update to accommodate latest network topology changes.

A stable network requires a longer aging interval, and an unstable network requires a shorter aging interval.

An aging interval that is too long might cause the MAC address table to retain outdated entries. As a result, the MAC address table resources might be exhausted, and the MAC address table might fail to update its entries to accommodate the latest network changes.

An interval that is too short might result in removal of valid entries, which would cause unnecessary floods and possibly affect the device performance.

To reduce floods on a stable network, set a long aging timer or disable the timer to prevent dynamic entries from unnecessarily aging out. Reducing floods improves the network performance. Reducing flooding also improves the security because it reduces the chances for a data frame to reach unintended destinations.

To set the aging timer for dynamic MAC address entries:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Set the aging timer for dynamic MAC address entries.	mac-address timer { aging seconds \| no-aging }	The default setting is 300 seconds. The no-aging keyword disables the aging timer.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Set the aging timer for dynamic MAC address entries.

mac-address timer { aging seconds | no-aging }

The default setting is 300 seconds.

The no-aging keyword disables the aging timer.

Setting the MAC learning limit on interfaces

This feature limits the MAC address table size. A large MAC address table will degrade forwarding performance.

To set the MAC learning limit on an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	· Enter Layer 2 Ethernet interface view: interface interface-type interface-number · Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number	N/A
3. Set the MAC learning limit on the interface.	mac-address max-mac-count count	By default, the MAC learning limit is the device-specific maximum value for the count argument. For more information, see Layer 2—LAN Switching Command Reference.

Configuring the device to forward unknown frames after the MAC learning limit on an interface is reached

You can enable or disable forwarding of unknown frames after the MAC learning limit on an interface is reached.

In this document, unknown frames refer to frames whose source MAC addresses are not in the MAC address table.

To configure the device to forward unknown frames received on the interface after the MAC learning limit on the interface is reached:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	· Enter Layer 2 Ethernet interface view. interface interface-type interface-number · Enter Layer 2 aggregate interface view. interface bridge-aggregation interface-number	N/A
3. Configure the device to forward unknown frames received on the interface after the MAC learning limit on the interface is reached.	mac-address max-mac-count enable-forwarding	By default, the device can forward unknown frames received on an interface after the MAC learning limit on the interface is reached.

Assigning MAC learning priority to interfaces

The MAC learning priority mechanism assigns either low priority or high priority to an interface. An interface with high priority can learn MAC addresses as usual. However, an interface with low priority is not allowed to learn MAC addresses already learned on a high-priority interface.

The MAC learning priority mechanism can help defend your network against MAC address spoofing attacks. In a network that performs MAC-based forwarding, an upper layer device MAC address might be learned by a downlink interface because of a loop or attack to the downlink interface. To avoid this problem, perform the following tasks:

· Assign high MAC learning priority to an uplink interface.

· Assign low MAC learning priority to a downlink interface.

To assign MAC learning priority to an interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	· Enter Layer 2 Ethernet interface view: interface interface-type interface-number · Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number	N/A
3. Assign MAC learning priority to the interface.	mac-address mac-learning priority { high \| low }	By default, low MAC learning priority is used.

Configuring MAC address move notifications and suppression

The outgoing interface for a MAC address entry learned on interface A is changed to interface B when the following conditions exist:

· Interface B receives a packet with the MAC address as the source MAC address.

· Interface B belongs to the same VLAN as interface A.

In this case, the MAC address is moved from interface A to interface B, and a MAC address move occurs.

The MAC address move notifications feature enables the device to output MAC address move logs when MAC address moves are detected.

If a MAC address is continuously moved between the two interfaces, Layer 2 loops might occur. To detect and locate loops, you can view the MAC address move information. To display the MAC address move records after the device is started, use the display mac-address mac-move command.

If the system detects that MAC address moves occur frequently on an interface, you can configure MAC address move suppression to shut the interface down. The interface automatically goes up after a suppression interval. Or, you can manually bring up the interface.

To configure MAC address move notifications and MAC address move suppression:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable MAC address move notifications and optionally specify a MAC move detection interval.	mac-address notification mac-move [ interval interval-value ]	By default, MAC address move notifications are disabled. If you do not specify a detection interval, the default setting of 1 minute is used. After you execute this command, the system sends only log messages to the information center module. If the device is also configured with the snmp-agent trap enable mac-address command, the system also sends SNMP notifications to the SNMP module.
3. (Optional.) Set MAC address move suppression parameters.	mac-address notification mac-move suppression { interval interval-value \| threshold threshold-value }	By default, the suppression interval is 30 seconds, and the suppression threshold is 3.
4. Enter interface view.	· Enter Layer 2 Ethernet interface view: interface interface-type interface-number · Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number	N/A
5. Enable MAC address move suppression.	mac-address notification mac-move suppression	By default, MAC address move suppression is disabled.

Enabling SNMP notifications for the MAC address table

After you enable SNMP notifications for the MAC address table, the device will send SNMP notifications to the SNMP module to notify the NMS of important events. You can set the notification sending parameters in SNMP to determine the attributes of sending notifications.

After you disable SNMP notifications for the MAC address table, the device will send only log messages to the information center module. You can set the output rules and destinations to examine the log messages of the MAC address table module.

For more information about SNMP notifications and information center, see Network Management and Monitoring Configuration Guide.

To enable SNMP notifications for the MAC address table:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable SNMP notifications for the MAC address table.	snmp-agent trap enable mac-address [ mac-move ]	By default, SNMP notifications are enabled for the MAC address table. When SNMP notifications are disabled for the MAC address table, syslog messages are sent to notify important events on the MAC address table module.

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enable SNMP notifications for the MAC address table.

snmp-agent trap enable mac-address [ mac-move ]

By default, SNMP notifications are enabled for the MAC address table.

When SNMP notifications are disabled for the MAC address table, syslog messages are sent to notify important events on the MAC address table module.

Displaying and maintaining the MAC address table

Execute display commands in any view.

Task	Command
Display MAC address table information.	display mac-address [ mac-address [ vlan vlan-id ] \| [ [ dynamic \| static ] [ interface interface-type interface-number ] \| blackhole ] [ vlan vlan-id ] [ count ] ]
Display the aging timer for dynamic MAC address entries.	display mac-address aging-time
Display the system or interface MAC address learning state.	display mac-address mac-learning [ interface interface-type interface-number ]
Display the MAC address move records.	display mac-address mac-move [ slot slot-number ]

MAC address table configuration example

Network requirements

As shown in Figure 1:

· Host A at MAC address 000f-e235-dc71 is connected to interface GigabitEthernet 1/0/1 of the AC and belongs to VLAN 1.

· Host B at MAC address 000f-e235-abcd, which behaved suspiciously on the network, also belongs to VLAN 1.

Configure the MAC address table as follows:

· To prevent MAC address spoofing, add a static entry for Host A in the MAC address table of the AC.

· To drop all frames destined for Host B, add a blackhole MAC address entry for Host B.

· Set the aging timer to 500 seconds for dynamic MAC address entries.

Figure 1 Network diagram

Configuration procedure

# Add a static MAC address entry for MAC address 000f-e235-dc71 on GigabitEthernet 1/0/1 that belongs to VLAN 1.

<AC> system-view

[AC] mac-address static 000f-e235-dc71 interface gigabitethernet 1/0/1 vlan 1

# Add a blackhole MAC address entry for MAC address 000f-e235-abcd that belongs to VLAN 1.

[AC] mac-address blackhole 000f-e235-abcd vlan 1

# Set the aging timer to 500 seconds for dynamic MAC address entries.

[AC] mac-address timer aging 500

Verifying the configuration

# Display the static MAC address entries for interface GigabitEthernet 1/0/1.

[AC] display mac-address static interface gigabitethernet 1/0/1

MAC Address VLAN ID State Port/NickName Aging

000f-e235-dc71 1 Static GE1/0/1 N

# Display the blackhole MAC address entries.

[AC] display mac-address blackhole

MAC Address VLAN ID State Port/NickName Aging

000f-e235-abcd 1 Blackhole N/A N

# Display the aging time of dynamic MAC address entries.

[AC] display mac-address aging-time

MAC address aging time: 500s.

Configuring Ethernet link aggregation

Overview

Ethernet link aggregation bundles multiple physical Ethernet links into one logical link called an aggregate link.

Link aggregation has the following benefits:

· Increased bandwidth beyond the limits of any single link. In an aggregate link, traffic is distributed across the member ports.

· Improved link reliability. The member ports dynamically back up one another. When a member port fails, its traffic is automatically switched to other member ports.

As shown in Figure 2, Device A and Device B are connected by three physical Ethernet links. These physical Ethernet links are combined into an aggregate link called link aggregation 1. The bandwidth of this aggregate link can reach up to the total bandwidth of the three physical Ethernet links. At the same time, the three Ethernet links back up one another. When a physical Ethernet link fails, the traffic previously transmitted on the failed link is switched to the other two links.

Figure 2 Ethernet link aggregation diagram

Aggregation group, member port, and aggregate interface

An aggregation group is a group of Ethernet interfaces bundled together. These Ethernet interfaces are called member ports of the aggregation group. Each aggregation group has a corresponding logical interface (called an aggregate interface).

When an aggregate interface is created, the device automatically creates an aggregation group of the same type and number as the aggregate interface.

The port rate of an aggregate interface equals the total rate of its Selected member ports. Its duplex mode is the same as that of the Selected member ports. For more information about Selected member ports, see "Aggregation states of member ports in an aggregation group."

Aggregation states of member ports in an aggregation group

A member port in an aggregation group can be in any of the following aggregation states:

· Selected—A Selected port can forward traffic.

· Unselected—An Unselected port cannot forward traffic.

Operational key

When aggregating ports, the system automatically assigns each port an operational key based on port information, such as port rate and duplex mode. Any change to this information triggers a recalculation of the operational key.

In an aggregation group, all Selected ports have the same operational key.

Configuration types

Port configurations include attribute configurations and protocol configurations. Attribute configurations of a link aggregation member port affect its aggregation state.

· Attribute configurations—To become a Selected port, a member port must have the same attribute configurations as the aggregate interface.

The attribute configurations contain the following VLAN attribute configurations:

? Permitted VLAN IDs.

? PVID.

? Link type (trunk, hybrid, or access).

For information about VLANs, see "Configuring VLANs."

Attribute configuration changes made on an aggregate interface are automatically synchronized to all member ports. If the changes fail to be synchronized to a Selected port, the port might change to the Unselected state. To make the port become Selected again, you can change the attribute configurations on the aggregate interface or the member port. The synchronization failure does not affect the attribute configuration changes made on the aggregate interface. The configurations that have been synchronized from the aggregate interface are retained on the member ports even after the aggregate interface is deleted.

Any attribute configuration change on a member port might affect the aggregation states and running services of the member ports. The system displays a warning message every time you try to change an attribute configuration setting on a member port.

· Protocol configurations—Settings that do not affect the aggregation state of a member port even if they are different from those on the aggregate interface. MAC address learning settings are examples of protocol configurations.

For an aggregation, only the protocol configurations on the aggregate interface take effect. The protocol configurations on the member ports will not take effect until after the ports leave the aggregation group.

Link aggregation modes

An aggregation group operates in one of the following modes:

· Static—Static aggregation is stable. An aggregation group in static mode is called a static aggregation group. The aggregation states of the member ports in a static aggregation group are not affected by the peer ports.

· Dynamic—An aggregation group in dynamic mode is called a dynamic aggregation group. The local system and the peer system automatically maintain the aggregation states of the member ports. Dynamic link aggregation reduces the administrators' workload.

How static link aggregation works

Choosing a reference port

When setting the aggregation states of the ports in an aggregation group, the system automatically chooses a member port as the reference port. A Selected port must have the same operational key and attribute configurations as the reference port.

The system chooses a reference port from the member ports in up state.

The candidate reference ports are organized into different priority levels following these rules:

1. In descending order of port priority.

2. Full duplex.

3. In descending order of speed.

4. Half duplex.

5. In descending order of speed.

From the candidate ports with the same attribute configurations as the aggregate interface, the one with the highest priority level is chosen as the reference port.

· If multiple ports have the same priority level, the port that has been Selected (if any) is chosen. If multiple ports with the same priority level have been Selected, the one with the smallest port number is chosen.

· If multiple ports have the same priority level and none of them has been Selected, the port with the smallest port number is chosen.

Setting the aggregation state of each member port

After the reference port is chosen, the system sets the aggregation state of each member port in the static aggregation group.

Figure 3 Setting the aggregation state of a member port in a static aggregation group

After the limit on Selected ports is reached, the aggregation state of a new member port varies by following conditions:

· The port is placed in Unselected state if the port and the Selected ports have the same port priority. This mechanism prevents traffic interruption on the existing Selected ports. A device reboot can cause the device to recalculate the aggregation states of member ports.

· The port is placed in Selected state when the following conditions are met:

? The port and the Selected ports have different port priorities, and the port has a higher port priority than a minimum of one Selected port.

? The port has the same attribute configurations as the aggregate interface.

Any operational key or attribute configuration change might affect the aggregation states of link aggregation member ports.

LACP

Dynamic aggregation is implemented through IEEE 802.3ad Link Aggregation Control Protocol (LACP).

LACP uses LACPDUs to exchange aggregation information between LACP-enabled devices. Each member port in a dynamic aggregation group can exchange information with its peer. When a member port receives an LACPDU, it compares the received information with information received on the other member ports. In this way, the two systems reach an agreement on which ports are placed in Selected state.

LACP functions

LACP offers basic LACP functions. Basic LACP functions are implemented through the basic LACPDU fields, including the system LACP priority, system MAC address, port priority, port number, and operational key.

LACP operating modes

LACP can operate in active or passive mode.

When LACP is operating in passive mode on a local member port and its peer port, both ports cannot send LACPDUs. When LACP is operating in active mode on either end of a link, both ports can send LACPDUs.

LACP priorities

LACP priorities include system LACP priority and port priority, as described in Table 1. The smaller the priority value, the higher the priority.

Table 1 LACP priorities

Type	Description
System LACP priority	Used by two peer devices (or systems) to determine which one is superior in link aggregation. In dynamic link aggregation, the system that has higher system LACP priority sets the Selected state of member ports on its side. The system that has lower priority sets the aggregation state of local member ports the same as their respective peer ports.
Port priority	Determines the likelihood of a member port to be a Selected port on a system. A port with a higher port priority is more likely to become Selected.

Type

Description

System LACP priority

Used by two peer devices (or systems) to determine which one is superior in link aggregation.

In dynamic link aggregation, the system that has higher system LACP priority sets the Selected state of member ports on its side. The system that has lower priority sets the aggregation state of local member ports the same as their respective peer ports.

Port priority

Determines the likelihood of a member port to be a Selected port on a system. A port with a higher port priority is more likely to become Selected.

LACP timeout interval

The LACP timeout interval specifies how long a member port waits to receive LACPDUs from the peer port. If a local member port has not received LACPDUs from the peer within the LACP timeout interval, the member port considers the peer as failed.

The LACP timeout interval also determines the LACPDU sending rate of the peer. LACP timeout intervals include the following types:

· Short timeout interval—3 seconds. If you use the short timeout interval, the peer sends one LACPDU per second.

· Long timeout interval—90 seconds. If you use the long timeout interval, the peer sends one LACPDU every 30 seconds.

How dynamic link aggregation works

Choosing a reference port

The system chooses a reference port from the member ports in up state. A Selected port must have the same operational key and attribute configurations as the reference port.

The local system (the actor) and the peer system (the partner) negotiate a reference port by using the following workflow:

1. The two systems determine the system with the smaller system ID.

A system ID contains the system LACP priority and the system MAC address.

a. The two systems compare their LACP priority values.

The lower the LACP priority, the smaller the system ID. If the LACP priority values are the same, the two systems proceed to step b.

b. The two systems compare their MAC addresses.

The lower the MAC address, the smaller the system ID.

2. The system with the smaller system ID chooses the port with the smallest port ID as the reference port.

A port ID contains a port priority and a port number. The lower the port priority, the smaller the port ID.

a. The system chooses the port with the lowest priority value as the reference port.

If the ports have the same priority, the system proceeds to step b.

b. The system compares their port numbers.

The smaller the port number, the smaller the port ID.

The port with the smallest port number and the same attribute configurations as the aggregate interface is chosen as the reference port.

Setting the aggregation state of each member port

After the reference port is chosen, the system with the smaller system ID sets the state of each member port on its side.

Figure 4 Setting the state of a member port in a dynamic aggregation group

The system with the greater system ID can detect the aggregation state changes on the peer system. The system with the greater system ID sets the aggregation state of local member ports the same as their peer ports.

When you aggregate interfaces in dynamic mode, follow these guidelines:

· A dynamic link aggregation group preferably chooses full-duplex ports as the Selected ports. The group chooses only one half-duplex port as a Selected port when either of the following conditions exist:

? None of the full-duplex ports can become Selected ports.

? Only half-duplex ports exist in the group.

· For stable aggregation and service continuity, do not change the operational key or attribute configurations on any member port.

· After the Selected port limit is reached, a newly joining port becomes a Selected port if it is more eligible than a current Selected port.

Load sharing modes for link aggregation groups

In a link aggregation group, traffic can be distributed across the Selected ports on a per-flow basis. The aggregation group classifies packets into flows and forwards packets of the same flow on the same link. The load sharing mode can be one or any combination of the following traffic classification criteria:

· Source or destination IP address.

· Source or destination MAC address.

Ethernet link aggregation configuration task list

Tasks at a glance
(Required.) Configuring a Layer 2 aggregation group
(Optional.) Configuring an aggregate interface: · Setting the description for an aggregate interface · Setting the minimum and maximum numbers of Selected ports for an aggregation group · Setting the expected bandwidth for an aggregate interface · Shutting down an aggregate interface · Restoring the default settings for an aggregate interface
(Optional.) Configuring load sharing for link aggregation groups: · Setting load sharing modes for link aggregation groups · Enabling local-first load sharing for link aggregation
Enabling link-aggregation traffic redirection

Configuring a Layer 2 aggregation group

This section explains how to configure an aggregation group.

Configuration restrictions and guidelines

When you configure an aggregation group, follow these restrictions and guidelines:

· Table 2 shows the interfaces that cannot be assigned to a Layer 2 aggregation group.

Table 2 Interfaces that cannot be assigned to a Layer 2 aggregation group

Interface type	Reference
Interface configured with MAC authentication	MAC authentication in Security Configuration Guide
Interface configured with port security	Port security in Security Configuration Guide
Interface configured with 802.1X	802.1X in Security Configuration Guide

· Deleting an aggregate interface also deletes its aggregation group and causes all member ports to leave the aggregation group.

· You must configure the same aggregation mode on the two ends of an aggregate link.

· For a successful static aggregation, make sure the ports at both ends of each link are in the same aggregation state.

· For a successful dynamic aggregation, make sure the peer ports of the ports aggregated at one end are also aggregated. The two ends can automatically negotiate the aggregation state of each member port.

Configuring a Layer 2 static aggregation group

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a Layer 2 aggregate interface and enter Layer 2 aggregate interface view.	interface bridge-aggregation interface-number	When you create a Layer 2 aggregate interface, the system automatically creates a Layer 2 static aggregation group numbered the same.
3. Exit to system view.	quit	N/A
4. Assign an interface to the specified Layer 2 aggregation group.	a Enter Layer 2 Ethernet interface view: interface interface-type interface-number b Assign the interface to the specified Layer 2 aggregation group: port link-aggregation group number	Repeat these two substeps to assign more Layer 2 Ethernet interfaces to the aggregation group.

Configuring a Layer 2 dynamic aggregation group

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Set the system LACP priority.	lacp system-priority system-priority	By default, the system LACP priority is 32768. Changing the system LACP priority might affect the aggregation states of the ports in a dynamic aggregation group.
3. Create a Layer 2 aggregate interface and enter Layer 2 aggregate interface view.	interface bridge-aggregation interface-number	When you create a Layer 2 aggregate interface, the system automatically creates a Layer 2 static aggregation group numbered the same.
4. Configure the aggregation group to operate in dynamic mode.	link-aggregation mode dynamic	By default, an aggregation group operates in static mode.
5. Exit to system view.	quit	N/A
6. Assign an interface to the specified Layer 2 aggregation group.	a Enter Layer 2 Ethernet interface view: interface interface-type interface-number b Assign the interface to the specified Layer 2 aggregation group: port link-aggregation group number	Repeat these two substeps to assign more Layer 2 Ethernet interfaces to the aggregation group.
7. Set the LACP operating mode for the interface.	· Set the LACP operating mode to passive: lacp mode passive · Set the LACP operating mode to active: undo lacp mode	By default, LACP is operating in active mode.
8. Set the port priority for the interface.	link-aggregation port-priority port-priority	The default setting is 32768.
9. Set the short LACP timeout interval (3 seconds) for the interface.	lacp period short	By default, the long LACP timeout interval (90 seconds) is used by the interface.

Configuring an aggregate interface

Most configurations that can be made on Layer 2 Ethernet interfaces can also be made on Layer 2 aggregate interfaces.

Setting the description for an aggregate interface

You can set the description for an aggregate interface for administration purposes, for example, describing the purpose of the interface.

To set the description for an aggregate interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 aggregate interface view.	interface bridge-aggregation interface-number	N/A
3. Set the description for the aggregate interface or subinterface.	description text	By default, the description of an interface is interface-name Interface.

Setting the minimum and maximum numbers of Selected ports for an aggregation group

IMPORTANT:

The minimum and maximum numbers of Selected ports must be the same for the local and peer aggregation groups.

The bandwidth of an aggregate link increases as the number of Selected member ports increases. To avoid congestion, you can set the minimum number of Selected ports required for bringing up an aggregate interface.

This minimum threshold setting affects the aggregation states of aggregation member ports and the state of the aggregate interface.

· When the number of member ports eligible to be Selected ports is smaller than the minimum threshold, the following events occur:

? The eligible member ports are placed in Unselected state.

? The link layer state of the aggregate interface becomes down.

· When the number of member ports eligible to be Selected ports reaches or exceeds the minimum threshold, the following events occur:

? The eligible member ports are placed in Selected state.

? The link layer state of the aggregate interface becomes up.

The maximum number of Selected ports allowed in an aggregation group is limited by either manual configuration or hardware limitation, whichever value is smaller.

You can implement backup between two ports by performing the following tasks:

· Assigning two ports to an aggregation group.

· Setting the maximum number of Selected ports to 1 for the aggregation group.

Then, only one Selected port is allowed in the aggregation group, and the Unselected port acts as a backup port.

To set the minimum and maximum numbers of Selected ports for an aggregation group:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 aggregate interface view.	interface bridge-aggregation interface-number	N/A
3. Set the minimum number of Selected ports for the aggregation group.	link-aggregation selected-port minimum number	By default, the minimum number of Selected ports is not specified for an aggregation group.
4. Set the maximum number of Selected ports for the aggregation group.	link-aggregation selected-port maximum number	By default, the maximum number of Selected ports for an aggregation group depends on hardware limitation.

Setting the expected bandwidth for an aggregate interface

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 aggregate interface view.	interface bridge-aggregation interface-number	N/A
3. Set the expected bandwidth for the interface.	bandwidth bandwidth-value	By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.

Shutting down an aggregate interface

Shutting down or bringing up an aggregate interface affects the aggregation states and link states of member ports in the corresponding aggregation group as follows:

· When an aggregate interface is shut down, all Selected ports in the corresponding aggregation group become Unselected ports and all member ports go down.

· When an aggregate interface is brought up, the aggregation states of member ports in the corresponding aggregation group are recalculated.

To shut down an aggregate interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 aggregate interface view.	interface bridge-aggregation interface-number	N/A
3. Shut down the aggregate interface.	shutdown	By default, a Layer 2 aggregate interface is up.

Restoring the default settings for an aggregate interface

You can restore all configurations on an aggregate interface to the default settings.

To restore the default settings for an aggregate interface:

Step	Command
1. Enter system view.	system-view
2. Enter Layer 2 aggregate interface view.	interface bridge-aggregation interface-number
3. Restore the default settings for the aggregate interface.	default

Configuring load sharing for link aggregation groups

This section explains how to configure the load sharing modes for link aggregation groups and how to enable local-first load sharing for link aggregation.

Setting load sharing modes for link aggregation groups

You can set the global or group-specific load sharing mode. A link aggregation group preferentially uses the group-specific load sharing mode. If the group-specific load sharing mode is not available, the group uses the global load sharing mode.

Setting the global link-aggregation load sharing mode

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Set the global link-aggregation load sharing mode.	link-aggregation global load-sharing mode { destination-ip \| destination-mac \| source-ip \| source-mac } *	By default, packets are distributed based on the source and destination IP addresses on aggregate links.

Setting the group-specific load sharing mode

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 aggregate interface view.	interface bridge-aggregation interface-number	N/A
3. Set the load sharing mode for the aggregation group.	link-aggregation load-sharing mode { destination-ip \| destination-mac \| source-ip \| source-mac } *	By default, an aggregation group uses the global link-aggregation load sharing mode.

Enabling local-first load sharing for link aggregation

The following matrix shows the feature and hardware compatibility:

Hardware series	Model	Local-first load sharing compatibility
WX1800H series	WX1804H WX1810H WX1820H WX1840H	No
WX3800H series	WX3820H WX3840H	Yes
WX5800H series	WX5860H	Yes

Use local-first load sharing in a multidevice link aggregation scenario to distribute traffic preferentially across member ports on the ingress card or device.

When you aggregate ports on different member devices in an IRF fabric, you can use local-first load sharing to reduce traffic on IRF links, as shown in Figure 5. For more information about IRF, see IRF Configuration Guide.

Figure 5 Load sharing for multidevice link aggregation in an IRF fabric

To enable local-first load sharing for link aggregation:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable local-first load sharing for link aggregation.	link-aggregation load-sharing mode local-first	By default, local-first load sharing for link aggregation is enabled.

Enabling link-aggregation traffic redirection

Link-aggregation traffic redirection prevents traffic interruption.

When you restart an IRF member device that contains Selected ports, this feature redirects traffic of the IRF member device to other IRF member devices.

Configuration restrictions and guidelines

When you enable link-aggregation traffic redirection, follow these restrictions and guidelines:

· Link-aggregation traffic redirection applies only to dynamic link aggregation groups.

· To prevent traffic interruption, enable link-aggregation traffic redirection on devices at both ends of the aggregate link.

Configuration procedure

To enable link-aggregation traffic redirection:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable link-aggregation traffic redirection.	link-aggregation lacp traffic-redirect-notification enable	By default, link-aggregation traffic redirection is disabled.

Displaying and maintaining Ethernet link aggregation

Execute display commands in any view and reset commands in user view.

Task	Command
Display information for an aggregate interface or multiple aggregate interfaces.	display interface bridge-aggregation [ interface-number ] [ brief [ description \| down ] ]
Display the local system ID.	display lacp system-id
Display the global or group-specific link-aggregation load sharing modes.	display link-aggregation load-sharing mode [ interface [ bridge-aggregation interface-number ] ]
Display detailed link aggregation information for link aggregation member ports.	display link-aggregation member-port [ interface-list ]
Display summary information about all aggregation groups.	display link-aggregation summary
Display detailed information about the specified aggregation groups.	display link-aggregation verbose [ bridge-aggregation [ interface-number ] ]
Clear LACP statistics for the specified link aggregation member ports.	reset lacp statistics [ interface interface-list ]
Clear statistics for the specified aggregate interfaces.	reset counters interface [ bridge-aggregation [ interface-number ] ]

Ethernet link aggregation configuration examples

Layer 2 static aggregation configuration example

Network requirements

On the network shown in Figure 6, perform the following tasks:

· Configure a Layer 2 static aggregation group on both AC 1 and AC 2.

· Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other end.

· Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other end.

Figure 6 Network diagram

Configuration procedure

1. Configure AC 1:

# Create VLAN 10, and assign port GigabitEthernet 1/0/4 to VLAN 10.

<AC1> system-view

[AC1] vlan 10

[AC1-vlan10] port gigabitethernet 1/0/4

[AC1-vlan10] quit

# Create VLAN 20, and assign port GigabitEthernet 1/0/5 to VLAN 20.

[AC1] vlan 20

[AC1-vlan20] port gigabitethernet 1/0/5

[AC1-vlan20] quit

# Create Layer 2 aggregate interface Bridge-Aggregation 1.

[AC1] interface bridge-aggregation 1

[AC1-Bridge-Aggregation1] quit

# Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to link aggregation group 1.

[AC1] interface gigabitethernet 1/0/1

[AC1-GigabitEthernet1/0/1] port link-aggregation group 1

[AC1-GigabitEthernet1/0/1] quit

[AC1] interface gigabitethernet 1/0/2

[AC1-GigabitEthernet1/0/2] port link-aggregation group 1

[AC1-GigabitEthernet1/0/2] quit

[AC1] interface gigabitethernet 1/0/3

[AC1-GigabitEthernet1/0/3] port link-aggregation group 1

[AC1-GigabitEthernet1/0/3] quit

# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to VLANs 10 and 20.

[AC1] interface bridge-aggregation 1

[AC1-Bridge-Aggregation1] port link-type trunk

[AC1-Bridge-Aggregation1] port trunk permit vlan 10 20

[AC1-Bridge-Aggregation1] quit

2. Configure AC 2 in the same way AC 1 is configured. (Details not shown.)

Verifying the configuration

# Display detailed information about all aggregation groups on AC 1.

[AC1] display link-aggregation verbose

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing

Port Status: S -- Selected, U -- Unselected, I -- Individual

Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,

D -- Synchronization, E -- Collecting, F -- Distributing,

G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Static

Loadsharing Type: Shar

Port Status Priority Oper-Key

--------------------------------------------------------------------------------

GE1/0/1 S 32768 1

GE1/0/2 S 32768 1

GE1/0/3 S 32768 1

The output shows that link aggregation group 1 is a Layer 2 static aggregation group that contains three Selected ports.

Layer 2 dynamic aggregation configuration example

Network requirements

On the network shown in Figure 7, perform the following tasks:

· Configure a Layer 2 dynamic aggregation group on both AC 1 and AC 2.

· Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other end.

· Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other end.

Figure 7 Network diagram

Configuration procedure

1. Configure AC 1:

# Create VLAN 10, and assign the port GigabitEthernet 1/0/4 to VLAN 10.

<AC1> system-view

[AC1] vlan 10

[AC1-vlan10] port gigabitethernet 1/0/4

[AC1-vlan10] quit

# Create VLAN 20, and assign the port GigabitEthernet 1/0/5 to VLAN 20.

[AC1] vlan 20

[AC1-vlan20] port gigabitethernet 1/0/5

[AC1-vlan20] quit

# Create Layer 2 aggregate interface Bridge-Aggregation 1, and set the link aggregation mode to dynamic.

[AC1] interface bridge-aggregation 1

[AC1-Bridge-Aggregation1] link-aggregation mode dynamic

[AC1-Bridge-Aggregation1] quit

# Assign ports GigabitEthernet 1/0/1 through GigabitEthernet 1/0/3 to link aggregation group 1.

[AC1] interface gigabitethernet 1/0/1

[AC1-GigabitEthernet1/0/1] port link-aggregation group 1

[AC1-GigabitEthernet1/0/1] quit

[AC1] interface gigabitethernet 1/0/2

[AC1-GigabitEthernet1/0/2] port link-aggregation group 1

[AC1-GigabitEthernet1/0/2] quit

[AC1] interface gigabitethernet 1/0/3

[AC1-GigabitEthernet1/0/3] port link-aggregation group 1

[AC1-GigabitEthernet1/0/3] quit

# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to VLANs 10 and 20.

[AC1] interface bridge-aggregation 1

[AC1-Bridge-Aggregation1] port link-type trunk

[AC1-Bridge-Aggregation1] port trunk permit vlan 10 20

[AC1-Bridge-Aggregation1] quit

2. Configure AC 2 in the same way AC 1 is configured. (Details not shown.)

Verifying the configuration

# Display detailed information about all aggregation groups on AC 1.

[AC1] display link-aggregation verbose

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing

Port Status: S -- Selected, U -- Unselected, I -- Individual

Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,

D -- Synchronization, E -- Collecting, F -- Distributing,

G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Dynamic

Loadsharing Type: Shar

System ID: 0x8000, 000f-e267-6c6a

Local:

Port Status Priority Oper-Key Flag

--------------------------------------------------------------------------------

GE1/0/1 S 32768 1 {ACDEF}

GE1/0/2 S 32768 1 {ACDEF}

GE1/0/3 S 32768 1 {ACDEF}

Remote:

Actor Partner Priority Oper-Key SystemID Flag

--------------------------------------------------------------------------------

GE1/0/1 1 32768 1 0x8000, 000f-e267-57ad {ACDEF}

GE1/0/2 2 32768 1 0x8000, 000f-e267-57ad {ACDEF}

GE1/0/3 3 32768 1 0x8000, 000f-e267-57ad {ACDEF}

The output shows that link aggregation group 1 is a Layer 2 dynamic aggregation group that contains three Selected ports.

Layer 2 aggregation load sharing configuration example

Network requirements

On the network shown in Figure 8, perform the following tasks:

· Configure Layer 2 static aggregation groups 1 and 2 on AC 1 and AC 2, respectively.

· Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other end.

· Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other end.

· Configure link aggregation groups 1 and 2 to distribute traffic across aggregation group member ports.

? Configure link aggregation group 1 to distribute packets based on source MAC addresses.

? Configure link aggregation group 2 to distribute packets based on destination MAC addresses.

Figure 8 Network diagram

Configuration procedure

1. Configure AC 1:

# Create VLAN 10, and assign the port GigabitEthernet 1/0/5 to VLAN 10.

<AC1> system-view

[AC1] vlan 10

[AC1-vlan10] port gigabitethernet 1/0/5

[AC1-vlan10] quit

# Create VLAN 20, and assign the port GigabitEthernet 1/0/6 to VLAN 20.

[AC1] vlan 20

[AC1-vlan20] port gigabitethernet 1/0/6

[AC1-vlan20] quit

# Create Layer 2 aggregate interface Bridge-Aggregation 1.

[AC1] interface bridge-aggregation 1

# Configure Layer 2 aggregation group 1 to distribute packets based on source MAC addresses.

[AC1-Bridge-Aggregation1] link-aggregation load-sharing mode source-mac

[AC1-Bridge-Aggregation1] quit

# Assign ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to link aggregation group 1.

[AC1] interface gigabitethernet 1/0/1

[AC1-GigabitEthernet1/0/1] port link-aggregation group 1

[AC1-GigabitEthernet1/0/1] quit

[AC1] interface gigabitethernet 1/0/2

[AC1-GigabitEthernet1/0/2] port link-aggregation group 1

[AC1-GigabitEthernet1/0/2] quit

# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to VLAN 10.

[AC1] interface bridge-aggregation 1

[AC1-Bridge-Aggregation1] port link-type trunk

[AC1-Bridge-Aggregation1] port trunk permit vlan 10

[AC1-Bridge-Aggregation1] quit

# Create Layer 2 aggregate interface Bridge-Aggregation 2.

[AC1] interface bridge-aggregation 2

# Configure Layer 2 aggregation group 2 to distribute packets based on destination MAC addresses.

[AC1-Bridge-Aggregation2] link-aggregation load-sharing mode destination-mac

[AC1-Bridge-Aggregation2] quit

# Assign ports GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 to link aggregation group 2.

[AC1] interface gigabitethernet 1/0/3

[AC1-GigabitEthernet1/0/3] port link-aggregation group 2

[AC1-GigabitEthernet1/0/3] quit

[AC1] interface gigabitethernet 1/0/4

[AC1-GigabitEthernet1/0/4] port link-aggregation group 2

[AC1-GigabitEthernet1/0/4] quit

# Configure Layer 2 aggregate interface Bridge-Aggregation 2 as a trunk port and assign it to VLAN 20.

[AC1] interface bridge-aggregation 2

[AC1-Bridge-Aggregation2] port link-type trunk

[AC1-Bridge-Aggregation2] port trunk permit vlan 20

[AC1-Bridge-Aggregation2] quit

2. Configure AC 2 in the same way AC 1 is configured. (Details not shown.)

Verifying the configuration

# Display detailed information about all aggregation groups on AC 1.

[AC1] display link-aggregation verbose

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing

Port Status: S -- Selected, U -- Unselected, I -- Individual

Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,

D -- Synchronization, E -- Collecting, F -- Distributing,

G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Static

Loadsharing Type: Shar

Port Status Priority Oper-Key

--------------------------------------------------------------------------------

GE1/0/1 S 32768 1

GE1/0/2 S 32768 1

Aggregate Interface: Bridge-Aggregation2

Aggregation Mode: Static

Loadsharing Type: Shar

Port Status Priority Oper-Key

--------------------------------------------------------------------------------

GE1/0/3 S 32768 2

GE1/0/4 S 32768 2

The output shows that:

· Link aggregation groups 1 and 2 are both load-shared Layer 2 static aggregation groups.

· Each aggregation group contains two Selected ports.

# Display all the group-specific load sharing modes on AC 1.

[AC1] display link-aggregation load-sharing mode interface

Bridge-Aggregation1 Load-Sharing Mode:

source-mac address

Bridge-Aggregation2 Load-Sharing Mode:

destination-mac address

The output shows that:

· Link aggregation group 1 distributes packets based on source MAC addresses.

· Link aggregation group 2 distributes packets based on destination MAC addresses.

Configuring VLANs

Overview

Ethernet is a family of shared-media LAN technologies based on the CSMA/CD mechanism. An Ethernet LAN is both a collision domain and a broadcast domain. Because the medium is shared, collisions and broadcasts are common in an Ethernet LAN. Typically, bridges and Layer 2 switches can reduce collisions in an Ethernet LAN. To confine broadcasts, a Layer 2 switch must use the Virtual Local Area Network (VLAN) technology.

VLANs enable a Layer 2 switch to break a LAN down into smaller broadcast domains, as shown in Figure 9.

Figure 9 A VLAN diagram

A VLAN is logically divided on an organizational basis rather than on a physical basis. For example, you can assign all workstations and servers used by a particular workgroup to the same VLAN, regardless of their physical locations. Hosts in the same VLAN can directly communicate with one another. You need a router or a Layer 3 switch for hosts in different VLANs to communicate with one another.

All these VLAN features reduce bandwidth waste, improve LAN security, and enable flexible virtual group creation.

The term "switch" in this document refers to access controllers and access controller modules.

VLAN frame encapsulation

To identify Ethernet frames from different VLANs, IEEE 802.1Q inserts a four-byte VLAN tag between the destination and source MAC address (DA&SA) field and the Type field.

Figure 10 VLAN tag placement and format

A VLAN tag includes the following fields:

· TPID—16-bit tag protocol identifier that indicates whether a frame is VLAN-tagged. By default, the TPID value 0x8100 identifies a VLAN-tagged frame. A device vendor can set the TPID to a different value. For compatibility with a neighbor device, set the TPID value on the device to be the same as the neighbor device.

· Priority—3-bit long, identifies the 802.1p priority of the frame. For more information, see ACL and QoS Configuration Guide.

· CFI—1-bit long canonical format indicator that indicates whether the MAC addresses are encapsulated in the standard format when packets are transmitted across different media. Available values include:

? 0 (default)—The MAC addresses are encapsulated in the standard format.

? 1—The MAC addresses are encapsulated in a non-standard format.

This field is always set to 0 for Ethernet.

· VLAN ID—12-bit long, identifies the VLAN to which the frame belongs. The VLAN ID range is 0 to 4095. VLAN IDs 0 and 4095 are reserved, and VLAN IDs 1 to 4094 are user configurable.

The way a network device handles an incoming frame depends on whether the frame has a VLAN tag and the value of the VLAN tag (if any). For more information, see "Introduction."

Ethernet supports encapsulation formats Ethernet II, 802.3/802.2 LLC, 802.3/802.2 SNAP, and 802.3 raw. The Ethernet II encapsulation format is used here. For information about the VLAN tag fields in other frame encapsulation formats, see related protocols and standards.

For a frame that has multiple VLAN tags, the device handles it according to its outermost VLAN tag and transmits its inner VLAN tags as the payload.

Protocols and standards

IEEE 802.1Q, IEEE Standard for Local and Metropolitan Area Networks: Virtual Bridged Local Area Networks

Configuring basic VLAN settings

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. (Optional.) Create a VLAN and enter its view, or create a list of VLANs.	vlan { vlan-id1 [ to vlan-id2 ] \| all }	By default, only the system default VLAN (VLAN 1) exists.
3. Enter VLAN view.	vlan vlan-id	To configure a VLAN after you create a list of VLANs, you must perform this step.
4. Set a name for the VLAN.	name text	By default, the name of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN ID in a four-digit format. If the VLAN ID has fewer than four digits, leading zeros are added. For example, the name of VLAN 100 is VLAN 0100.
5. Set the description for the VLAN.	description text	By default, the description of a VLAN is VLAN vlan-id. The vlan-id argument specifies the VLAN ID in a four-digit format. If the VLAN ID has fewer than four digits, leading zeros are added. For example, the default description of VLAN 100 is VLAN 0100.

NOTE:

· As the system default VLAN, VLAN 1 cannot be created or deleted.

· Before you delete a dynamic VLAN or a VLAN locked by an application, you must first remove the configuration from the VLAN.

Configuring basic settings of a VLAN interface

Hosts of different VLANs use VLAN interfaces to communicate at Layer 3. VLAN interfaces are virtual interfaces and they do not exist as physical entities on devices. For each VLAN, you can create one VLAN interface and assign an IP address to it. The VLAN interface acts as the gateway of the VLAN to forward packets destined for another IP subnet at Layer 3.

Before you create a VLAN interface for a VLAN, create the VLAN first.

To configure basic settings of a VLAN interface:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a VLAN interface and enter VLAN interface view.	interface vlan-interface interface-number	If the VLAN interface already exists, you enter its view directly. By default, no VLAN interface is created.
3. Assign an IP address to the VLAN interface.	ip address ip-address { mask \| mask-length } [ sub ]	By default, no IP address is assigned to a VLAN interface.
4. Set the description for the VLAN interface.	description text	The default setting is the VLAN interface name. For example, Vlan-interface1 Interface.
5. Set the MTU for the VLAN interface.	mtu size	The default setting is 1500 bytes.
6. (Optional.) Set the expected bandwidth for the VLAN interface.	bandwidth bandwidth-value	By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.
7. (Optional.) Restore the default settings for the VLAN interface.	default	N/A
8. (Optional.) Bring up the VLAN interface.	undo shutdown	By default, a VLAN interface is not manually shut down.

Configuring port-based VLANs

Introduction

Port-based VLANs group VLAN members by port. A port forwards packets from a VLAN only after it is assigned to the VLAN.

Port link type

You can set the link type of a port to access, trunk, or hybrid. The port link type determines whether the port can be assigned to multiple VLANs. The link types use the following VLAN tag handling methods:

· Access—An access port can forward packets only from one VLAN and send these packets untagged. An access port is typically used in the following conditions:

? Connecting to a terminal device that does not support VLAN packets.

? In scenarios that do not distinguish VLANs.

· Trunk—A trunk port can forward packets from multiple VLANs. Except packets from the port VLAN ID (PVID), packets sent out of a trunk port are VLAN-tagged. Ports connecting network devices are typically configured as trunk ports.

· Hybrid—A hybrid port can forward packets from multiple VLANs. The tagging status of the packets forwarded by a hybrid port depends on the port configuration.

PVID

The PVID identifies the default VLAN of a port. Untagged packets received on a port are considered as the packets from the port PVID.

When you set the PVID for a port, follow these restrictions and guidelines:

· An access port can join only one VLAN. The VLAN to which the access port belongs is the PVID of the port.

· A trunk or hybrid port supports multiple VLANs and the PVID configuration.

· When you use the undo vlan command to delete the PVID of a port, either of the following events occurs depending on the port link type:

? For an access port, the PVID of the port changes to VLAN 1.

? For a hybrid or trunk port, the PVID setting of the port does not change.

You can use a nonexistent VLAN as the PVID for a hybrid or trunk port, but not for an access port.

· H3C recommends that you set the same PVID for a local port and its peer.

· To prevent a port from dropping untagged packets or PVID-tagged packets, assign the port to its PVID.

How ports of different link types handle frames

Actions	Access	Trunk	Hybrid
In the inbound direction for an untagged frame	Tags the frame with the PVID tag.	· If the PVID is permitted on the port, tags the frame with the PVID tag. · If not, drops the frame.
In the inbound direction for a tagged frame	· Receives the frame if its VLAN ID is the same as the PVID. · Drops the frame if its VLAN ID is different from the PVID.	· Receives the frame if its VLAN is permitted on the port. · Drops the frame if its VLAN is not permitted on the port.
In the outbound direction	Removes the VLAN tag and sends the frame.	· Removes the tag and sends the frame if the frame carries the PVID tag and the port belongs to the PVID. · Sends the frame without removing the tag if its VLAN is carried on the port but is different from the PVID.		Sends the frame if its VLAN is permitted on the port. The tagging status of the frame depends on the port hybrid vlan command configuration.

Assigning an access port to a VLAN

You can assign an access port to a VLAN in VLAN view or interface view.

Make sure the VLAN has been created.

Assign one or multiple access ports to a VLAN in VLAN view

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VLAN view.	vlan vlan-id	N/A
3. Assign one or multiple access ports to the VLAN.	port interface-list	By default, all ports belong to VLAN 1.

Assign an access port to a VLAN in interface view

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	· Enter Layer 2 Ethernet interface view: interface interface-type interface-number · Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number	N/A
3. Set the port link type to access.	port link-type access	By default, all ports are access ports.
4. (Optional.) Assign the access port to a VLAN.	port access vlan vlan-id	By default, all access ports belong to VLAN 1.

Assigning a trunk port to a VLAN

A trunk port supports multiple VLANs. You can assign it to a VLAN in interface view.

When you assign a trunk port to a VLAN, follow these restrictions and guidelines:

· To change the link type of a port from trunk to hybrid, set the link type to access first.

· To enable a trunk port to transmit packets from its PVID, you must assign the trunk port to the PVID by using the port trunk permit vlan command.

To assign a trunk port to one or multiple VLANs:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	· Enter Layer 2 Ethernet interface view: interface interface-type interface-number · Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number	N/A
3. Set the port link type to trunk.	port link-type trunk	By default, all ports are access ports.
4. Assign the trunk port to the specified VLANs.	port trunk permit vlan { vlan-id-list \| all }	By default, a trunk port permits only VLAN 1.
5. (Optional.) Set the PVID for the trunk port.	port trunk pvid vlan vlan-id	The default setting is VLAN 1.

Assigning a hybrid port to a VLAN

A hybrid port supports multiple VLANs. You can assign it to the specified VLANs in interface view. Make sure the VLANs have been created.

When you assign a hybrid port to a VLAN, follow these restrictions and guidelines:

· To change the link type of a port from trunk to hybrid, set the link type to access first.

· To enable a hybrid port to transmit packets from its PVID, you must assign the hybrid port to the PVID by using the port hybrid vlan command.

To assign a hybrid port to one or multiple VLANs:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	· Enter Layer 2 Ethernet interface view: interface interface-type interface-number · Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number	N/A
3. Set the port link type to hybrid.	port link-type hybrid	By default, all ports are access ports.
4. Assign the hybrid port to the specified VLANs.	port hybrid vlan vlan-id-list { tagged \| untagged }	By default, the hybrid port is an untagged member of the VLAN to which the port belongs when its link type is access.
5. (Optional.) Set the PVID for the hybrid port.	port hybrid pvid vlan vlan-id	By default, the PVID of a hybrid port is the ID of the VLAN to which the port belongs when its link type is access.

Configuring a VLAN group

A VLAN group includes a set of VLANs.

On an authentication server, a VLAN group name represents a group of authorization VLANs. When an 802.1X user passes authentication, the authentication server assigns a VLAN group name to the device. The device then uses the received VLAN group name to match the locally configured VLAN group names. If a match is found, the device selects a VLAN from the group and assigns the VLAN to the user. For more information about 802.1X authentication, see Security Configuration Guide.

To configure a VLAN group:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Create a VLAN group and enter VLAN group view.	vlan-group group-name	By default, no VLAN group exists.
3. Add VLANs to the VLAN group.	vlan-list vlan-id-list	By default, no VLAN exists in a VLAN group. You can add multiple VLAN lists to a VLAN group.

Displaying and maintaining VLAN s

Execute display commands in any view and reset commands in user view.

Task	Command
Display VLAN interface information.	display interface vlan-interface [ interface-number ] [ brief [ description \| down ] ]
Display VLAN information.	display vlan [ vlan-id1 [ to vlan-id2 ] \| all \| dynamic \| static ]
Display brief VLAN information.	display vlan brief
Display VLAN group information.	display vlan-group [ group-name ]
Display hybrid ports or trunk ports on the device.	display port { hybrid \| trunk }
Clear statistics on a port.	reset counters interface vlan-interface [ interface-number ]

Configuring loop detection

Overview

Incorrect network connections or configurations can create Layer 2 loops, which results in repeated transmission of broadcasts, multicasts, or unknown unicasts. The repeated transmissions can waste network resources and can paralyze networks. The loop detection mechanism immediately generates a log when a loop occurs so that you are promptly notified to adjust network connections and configurations. You can configure loop detection to shut down the looped port. Logs are maintained in the information center. For more information, see Network Management and Monitoring Configuration Guide.

Loop detection mechanism

The device detects loops by sending detection frames and then checking whether these frames return to any port on the device. If they do, the device considers that the port is on a looped link.

Figure 11 Ethernet frame header for loop detection

The Ethernet frame header for loop detection contains the following fields:

· DMAC—Destination MAC address of the frame, which is the multicast MAC address 010F-E200-0007. When a loop detection-enabled device receives a frame with this destination MAC address, it performs the following operations:

? Sends the frame to the CPU.

? Floods the frame in the VLAN from which the frame was originally received.

· SMAC—Source MAC address of the frame, which is the bridge MAC address of the sending device.

· TPID—Type of the VLAN tag, with the value of 0x8100.

· TCI—Information of the VLAN tag, including the priority and VLAN ID.

· Type—Protocol type, with the value of 0x8918.

Figure 12 Inner frame header for loop detection

The inner frame header for loop detection contains the following fields:

· Code—Protocol sub-type, which is 0x0001, indicating the loop detection protocol.

· Version—Protocol version, which is always 0x0000.

· Length—Length of the frame. The value includes the inner header, but excludes the Ethernet header.

· Reserved—This field is reserved.

Frames for loop detection are encapsulated as TLV triplets.

Table 3 TLVs supported by loop detection

TLV	Description	Remarks
End of PDU	End of a PDU.	Optional.
Device ID	Bridge MAC address of the sending device.	Required.
Port ID	ID of the PDU sending port.	Optional.
Port Name	Name of the PDU sending port.	Optional.
System Name	Device name.	Optional.
Chassis ID	Chassis ID of the sending port.	Optional.
Slot ID	Slot ID of the sending port.	Optional.
Sub Slot ID	Sub-slot ID of the sending port.	Optional.

Loop detection interval

Loop detection is a continuous process as the network changes. Loop detection frames are sent at the loop detection interval to determine whether loops occur on ports and whether loops are removed.

Loop protection actions

When the device detects a loop on a port, it generates a log but performs no action on the port by default. You can configure the device to take one of the following actions:

· Block—Disables the port from learning MAC addresses and blocks the port.

· No-learning—Disables the port from learning MAC addresses.

· Shutdown—Shuts down the port to disable it from receiving and sending any frames.

Port status auto recovery

When the device configured with the block or no-learning loop action detects a loop on a port, it performs the action and waits three loop detection intervals. If the device does not receive a loop detection frame within three loop detection intervals, it performs the following operations:

· Automatically sets the port to the forwarding state.

· Notifies the user of the event.

When the device configured with the shutdown action detects a loop on a port, the following events occur:

1. The device automatically shuts down the port.

2. The device automatically sets the port to the forwarding state after the detection timer set by using the shutdown-interval command expires. For more information about the shutdown-interval command, see Fundamentals Command Reference.

3. The device shuts down the port again if a loop is still detected on the port when the detection timer expires.

This process is repeated until the loop is removed.

NOTE:

Incorrect recovery can occur when loop detection frames are discarded to reduce the load. To avoid this, use the shutdown action, or manually remove the loop.

Loop detection configuration task list

Tasks at a glance
(Required.) Enabling loop detection
(Optional.) Setting the loop protection action
(Optional.) Setting the loop detection interval

Enabling loop detection

You can enable loop detection globally or on a per-port basis. The global configuration applies to all ports in the specified VLANs. The per-port configuration applies to the individual port only when the port belongs to the specified VLANs. Per-port configurations take precedence over global configurations.

When EVB is enabled on a Layer 2 Ethernet interface or Layer 2 aggregate interface, the loop detection feature does not take effect on the interface.

Enabling loop detection globally

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Globally enable loop detection.	loopback-detection global enable vlan { vlan-id--list \| all }	Disabled by default.

Enabling loop detection on a port

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 Ethernet interface view or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Enable loop detection on the port.	loopback-detection enable vlan { vlan-id--list \| all }	Disabled by default.

Setting the loop protection action

You can set the loop protection action globally or on a per-port basis. The global setting applies to all ports. The per-port setting applies to the individual ports. The per-port setting takes precedence over the global setting.

Setting the global loop protection action

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Set the global loop protection action.	loopback-detection global action shutdown	By default, the device generates a log but performs no action on the port on which a loop is detected.

Setting the loop protection action on a Layer 2 Ethernet interface

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 Ethernet interface view.	interface interface-type interface-number	N/A
3. Set the loop protection action on the interface.	loopback-detection action { block \| no-learning \| shutdown }	By default, the device generates a log but performs no action on the port on which a loop is detected.

Setting the loop protection action on a Layer 2 aggregate interface

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Set the loop protection action on the interface.	loopback-detection action shutdown	By default, the device generates a log but performs no action on the port on which a loop is detected.

Setting the loop detection interval

With loop detection enabled, the device sends loop detection frames at the loopback detection interval. A shorter interval offers more sensitive detection but consumes more resources. Consider the system performance and loop detection speed when you set the loop detection interval.

To set the loop detection interval:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Set the loop detection interval.	loopback-detection interval-time interval	The default setting is 30 seconds.

Displaying and maintaining loop detection

Execute display commands in any view.

Task	Command
Display the loop detection configuration and status.	display loopback-detection

Loop detection configuration example

Network requirements

As shown in Figure 13, configure loop detection on Device A to meet the following requirements:

· Device A generates a log as a notification.

· Device A automatically shuts down the port on which a loop is detected.

Figure 13 Network diagram

Configuration procedure

1. Configure Device A:

# Create VLAN 100, and globally enable loop detection for the VLAN.

<DeviceA> system-view

[DeviceA] vlan 100

[DeviceA-vlan100] quit

[DeviceA] loopback-detection global enable vlan 100

# Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports, and assign them to VLAN 100.

[DeviceA] interface GigabitEthernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] port link-type trunk

[DeviceA-GigabitEthernet1/0/1] port trunk permit vlan 100

[DeviceA-GigabitEthernet1/0/1] quit

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] port link-type trunk

[DeviceA-GigabitEthernet1/0/2] port trunk permit vlan 100

[DeviceA-GigabitEthernet1/0/2] quit

# Set the global loop protection action to shutdown.

[DeviceA] loopback-detection global action shutdown

# Set the loop detection interval to 35 seconds.

[DeviceA] loopback-detection interval-time 35

2. Configure Device B:

# Create VLAN 100.

<DeviceB> system-view

[DeviceB] vlan 100

[DeviceB–vlan100] quit

# Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports, and assign them to VLAN 100.

[DeviceB] interface GigabitEthernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] port link-type trunk

[DeviceB-GigabitEthernet1/0/1] port trunk permit vlan 100

[DeviceB-GigabitEthernet1/0/1] quit

[DeviceB] interface gigabitethernet 1/0/2

[DeviceB-GigabitEthernet1/0/2] port link-type trunk

[DeviceB-GigabitEthernet1/0/2] port trunk permit vlan 100

[DeviceB-GigabitEthernet1/0/2] quit

3. Configure Device C:

# Create VLAN 100.

<DeviceC> system-view

[DeviceC] vlan 100

[DeviceC–vlan100] quit

# Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports, and assign them to VLAN 100.

[DeviceC] interface GigabitEthernet 1/0/1

[DeviceC-GigabitEthernet1/0/1] port link-type trunk

[DeviceC-GigabitEthernet1/0/1] port trunk permit vlan 100

[DeviceC-GigabitEthernet1/0/1] quit

[DeviceC] interface gigabitethernet 1/0/2

[DeviceC-GigabitEthernet1/0/2] port link-type trunk

[DeviceC-GigabitEthernet1/0/2] port trunk permit vlan 100

[DeviceC-GigabitEthernet1/0/2] quit

Verifying the configuration

# View the system logs on devices, for example, Device A.

[DeviceA]

%Feb 24 15:04:29:663 2013 DeviceA LPDT/4/LPDT LOOPED: Loopback exists on GigabitEthernet1/0/1.

%Feb 24 15:04:29:667 2013 DeviceA LPDT/4/LPDT LOOPED: Loopback exists on GigabitEthernet1/0/2.

%Feb 24 15:04:44:243 2013 DeviceA LPDT/5/LPDT RECOVERED: Loopback on GigabitEthernet1/0/1 recovered.

%Feb 24 15:04:44:248 2013 DeviceA LPDT/5/LPDT RECOVERED: Loopback on GigabitEthernet1/0/2 recovered.

The output shows the following information:

· Device A detected loops on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 within a loop detection interval.

· Loops on ports GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 were removed.

# Use the display loopback-detection command to display the loop detection configuration and status on devices, for example, Device A.

[DeviceA] display loopback-detection

Loop detection is enabled.

Loop detection interval is 35 second(s).

No loopback is detected.

The output shows that the device has removed the loops from GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 according to the shutdown action.

# Display the status of GigabitEthernet 1/0/1 on devices, for example, Device A.

[DeviceA] display interface gigabitethernet 1/0/1

GigabitEthernet1/0/1 current state: DOWN (Loop detection down)

...

The output shows that GigabitEthernet 1/0/1 is already shut down by the loop detection module.

# Display the status of GigabitEthernet 1/0/2 on devices, for example, Device A.

[DeviceA] display interface gigabitethernet 1/0/2

GigabitEthernet1/0/2 current state: DOWN (Loop detection down)

...

The output shows that GigabitEthernet 1/0/2 is already shut down by the loop detection module.

Configuring spanning tree protocols

Spanning tree protocols eliminate loops in a physical link-redundant network by selectively blocking redundant links and putting them in a standby state.

The recent versions of STP include the Rapid Spanning Tree Protocol (RSTP), the Per-VLAN Spanning Tree (PVST), and the Multiple Spanning Tree Protocol (MSTP).

STP

STP was developed based on the 802.1d standard of IEEE to eliminate loops at the data link layer in a LAN. Networks often have redundant links as backups in case of failures, but loops are a very serious problem. Devices running STP detect loops in the network by exchanging information with one another. They eliminate loops by selectively blocking certain ports to prune the loop structure into a loop-free tree structure. This avoids proliferation and infinite cycling of packets that would occur in a loop network.

In a narrow sense, STP refers to IEEE 802.1d STP. In a broad sense, STP refers to the IEEE 802.1d STP and various enhanced spanning tree protocols derived from that protocol.

STP protocol frames

STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its protocol frames. This chapter uses BPDUs to represent all types of spanning tree protocol frames.

STP-enabled devices exchange BPDUs to establish a spanning tree. BPDUs contain sufficient information for the devices to complete spanning tree calculation.

STP uses two types of BPDUs, configuration BPDUs and topology change notification (TCN) BPDUs.

Configuration BPDUs

Devices exchange configuration BPDUs to elect the root bridge and determine port roles. Figure 14 shows the configuration BPDU format.

Figure 14 Configuration BPDU format

The payload of a configuration BPDU includes the following fields:

· Protocol ID—Fixed at 0x0000, which represents IEEE 802.1d.

· Protocol version ID—Spanning tree protocol version ID. The protocol version ID for STP is 0x00.

· BPDU type—Type of the BPDU. The value is 0x00 for a configuration BPDU.

· Flags—An 8-bit field indicates the purpose of the BPDU. The lowest bit is the Topology Change (TC) flag. The highest bit is the Topology Change Acknowledge (TCA) flag. All other bits are reserved.

· Root ID—Root bridge ID formed by the priority and MAC address of the root bridge.

· Root path cost—Cost of the path to the root bridge.

· Bridge ID—Designated bridge ID formed by the priority and MAC address of the designated bridge.

· Port ID—Designated port ID formed by the priority and global port number of the designated port.

· Message age—Age of the configuration BPDU while it propagates in the network.

· Max age—Maximum age of the configuration BPDU stored on the switch.

· Hello time—Configuration BPDU transmission interval.

· Forward delay—Delay for STP bridges to transit port state.

Devices use the root bridge ID, root path cost, designated bridge ID, designated port ID, message age, max age, hello time, and forward delay for spanning tree calculation.

TCN BPDUs

Devices use TCN BPDUs to announce changes in the network topology. Figure 15 shows the TCN BPDU format.

Figure 15 TCN BPDU format

The payload of a TCN BPDU includes the following fields:

· Protocol ID—Fixed at 0x0000, which represents IEEE 802.1d.

· Protocol version ID—Spanning tree protocol version ID. The protocol version ID for STP is 0x00.

· BPDU type—Type of the BPDU. The value is 0x80 for a TCN BPDU.

A non-root bridge sends TCN BPDUs when one of the following events occurs on the bridge:

· A port transits to the forwarding state, and the bridge has a minimum of one designated port.

· A port transits from the forwarding or learning state to the blocking state.

The non-root bridge uses TCN BPDUs to notify the root bridge once the network topology changes. The root bridge then sets the TC flag in its configuration BPDU and propagates it to other bridges.

Basic concepts in STP

Root bridge

A tree network must have a root bridge. The entire network contains only one root bridge, and all the other bridges in the network are called leaf nodes. The root bridge is not permanent, but can change with changes of the network topology.

Upon initialization of a network, each device generates and periodically sends configuration BPDUs, with itself as the root bridge. After network convergence, only the root bridge generates and periodically sends configuration BPDUs. The other devices only forward the BPDUs.

Root port

On a non-root bridge, the port nearest to the root bridge is the root port. The root port communicates with the root bridge. Each non-root bridge has only one root port. The root bridge has no root port.

Designated bridge and designated port

Classification	Designated bridge	Designated port
For a device	Device directly connected to the local device and responsible for forwarding BPDUs to the local device	Port through which the designated bridge forwards BPDUs to this device
For a LAN	Device responsible for forwarding BPDUs to this LAN segment	Port through which the designated bridge forwards BPDUs to this LAN segment

As shown in Figure 16, Device B and Device C are directly connected to a LAN.

If Device A forwards BPDUs to Device B through port A1, the designated bridge and designated port are as follows:

· The designated bridge for Device B is Device A.

· The designated port for Device B is port A1 on Device A.

If Device B forwards BPDUs to the LAN, the designated bridge and designated port are as follows:

· The designated bridge for the LAN is Device B.

· The designated port for the LAN is port B2 on Device B.

Figure 16 Designated bridges and designated ports

Port states

Table 4 lists the port states in STP.

Table 4 STP port states

State	Receives/sends BPDUs	Learns MAC addresses	Forwards user data
Disabled	No	No	No
Listening	Yes	No	No
Learning	Yes	Yes	No
Forwarding	Yes	Yes	Yes
Blocking	Receive	No	No

Path cost

Path cost is a reference value used for link selection in STP. To prune the network into a loop-free tree, STP calculates path costs to select the most robust links and block redundant links that are less robust.

Calculation process of the STP algorithm

The spanning tree calculation process described in the following sections is an example of a simplified process.

Calculation process

The STP algorithm uses the following calculation process:

1. Network initialization.

Upon initialization of a device, each port generates a BPDU with the following contents:

? The port as the designated port.

? The device as the root bridge.

? 0 as the root path cost.

? The device ID as the designated bridge ID.

2. Root bridge selection.

Initially, each STP-enabled device on the network assumes itself to be the root bridge, with its own device ID as the root bridge ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge.

3. Root port and designated ports selection on the non-root bridges.

Step	Description
1	A non-root-bridge device regards the port on which it received the optimum configuration BPDU as the root port. Table 5 describes how the optimum configuration BPDU is selected.
2	Based on the configuration BPDU and the path cost of the root port, the device calculates a designated port configuration BPDU for each of the other ports. · The root bridge ID is replaced with that of the configuration BPDU of the root port. · The root path cost is replaced with that of the configuration BPDU of the root port plus the path cost of the root port. · The designated bridge ID is replaced with the ID of this device. · The designated port ID is replaced with the ID of this port.
3	The device compares the calculated configuration BPDU with the configuration BPDU on the port whose port role will be determined. Then, the device acts depending on the result of the comparison: · If the calculated configuration BPDU is superior, the device performs the following operations: ? Considers this port as the designated port. ? Replaces the configuration BPDU on the port with the calculated configuration BPDU. ? Periodically sends the calculated configuration BPDU. · If the configuration BPDU on the port is superior, the device blocks this port without updating its configuration BPDU. The blocked port can receive BPDUs, but cannot send BPDUs or forward data traffic.

When the network topology is stable, only the root port and designated ports forward user traffic. Other ports are all in the blocking state to receive BPDUs but not to forward BPDUs or user traffic.

Table 5 Selecting the optimum configuration BPDU

Step

Actions

Upon receiving a configuration BPDU on a port, the device compares the priority of the received configuration BPDU with that of the configuration BPDU generated by the port.

· If the former priority is lower, the device discards the received configuration BPDU and keeps the configuration BPDU the port generated.

· If the former priority is higher, the device replaces the content of the configuration BPDU generated by the port with the content of the received configuration BPDU.

The device compares the configuration BPDUs of all the ports and chooses the optimum configuration BPDU.

The following are the principles of configuration BPDU comparison:

a. The configuration BPDU with the lowest root bridge ID has the highest priority.

b. If configuration BPDUs have the same root bridge ID, their root path costs are compared. For example, the root path cost in a configuration BPDU plus the path cost of a receiving port is S. The configuration BPDU with the smallest S value has the highest priority.

c. If all configuration BPDUs have the same root bridge ID and S value, the following attributes are compared in sequence:

- Designated bridge IDs.

- Designated port IDs.

- IDs of the receiving ports.

The configuration BPDU that contains a smaller designated bridge ID, designated port ID, or receiving port ID is selected.

A tree-shape topology forms when the root bridge, root ports, and designated ports are selected.

Example of STP calculation

Figure 17 provides an example showing how the STP algorithm works.

Figure 17 The STP algorithm

As shown in Figure 17, the priority values of Device A, Device B, and Device C are 0, 1, and 2, respectively. The path costs of links among the three devices are 5, 10, and 4.

1. Device state initialization.

In Table 6, each configuration BPDU contains the following fields: root bridge ID, root path cost, designated bridge ID, and designated port ID.

Table 6 Initial state of each device

Device	Port name	Configuration BPDU on the port
Device A	Port A1	{0, 0, 0, Port A1}
Device A	Port A2	{0, 0, 0, Port A2}
Device B	Port B1	{1, 0, 1, Port B1}
Device B	Port B2	{1, 0, 1, Port B2}
Device C	Port C1	{2, 0, 2, Port C1}
Device C	Port C2	{2, 0, 2, Port C2}

2. Configuration BPDUs comparison on each device.

In Table 7, each configuration BPDU contains the following fields: root bridge ID, root path cost, designated bridge ID, and designated port ID.

Table 7 Comparison process and result on each device

Device

Comparison process

Configuration BPDU on ports after comparison

Device A

Port A1 performs the following operations:

3. Receives the configuration BPDU of Port B1 {1, 0, 1, Port B1}.

4. Determines that its existing configuration BPDU {0, 0, 0, Port A1} is superior to the received configuration BPDU.

5. Discards the received one.

Port A2 performs the following operations:

6. Receives the configuration BPDU of Port C1 {2, 0, 2, Port C1}.

7. Determines that its existing configuration BPDU {0, 0, 0, Port A2} is superior to the received configuration BPDU.

8. Discards the received one.

Device A determines that it is both the root bridge and designated bridge in the configuration BPDUs of all its ports. It considers itself as the root bridge. It does not change the configuration BPDU of any port and starts to periodically send configuration BPDUs.

· Port A1: {0, 0, 0, Port A1}

· Port A2: {0, 0, 0, Port A2}

Device B

Port B1 performs the following operations:

9. Receives the configuration BPDU of Port A1 {0, 0, 0, Port A1}.

10. Determines that the received configuration BPDU is superior to its existing configuration BPDU {1, 0, 1, Port B1}.

11. Updates its configuration BPDU.

Port B2 performs the following operations:

12. Receives the configuration BPDU of Port C2 {2, 0, 2, Port C2}.

13. Determines that its existing configuration BPDU {1, 0, 1, Port B2} is superior to the received configuration BPDU.

14. Discards the received BPDU.

· Port B1: {0, 0, 0, Port A1}

· Port B2: {1, 0, 1, Port B2}

Device B performs the following operations:

15. Compares the configuration BPDUs of all its ports.

16. Decides that the configuration BPDU of Port B1 is the optimum.

17. Selects Port B1 as the root port with the configuration BPDU unchanged.

Based on the configuration BPDU and path cost of the root port, Device B calculates a designated port configuration BPDU for Port B2 {0, 5, 1, Port B2}. Device B compares it with the existing configuration BPDU of Port B2 {1, 0, 1, Port B2}. Device B determines that the calculated one is superior, and determines that Port B2 is the designated port. It replaces the configuration BPDU on Port B2 with the calculated one, and periodically sends the calculated configuration BPDU.

· Root port (Port B1): {0, 0, 0, Port A1}

· Designated port (Port B2): {0, 5, 1, Port B2}

Device C

Port C1 performs the following operations:

18. Receives the configuration BPDU of Port A2 {0, 0, 0, Port A2}.

19. Determines that the received configuration BPDU is superior to its existing configuration BPDU {2, 0, 2, Port C1}.

20. Updates its configuration BPDU.

Port C2 performs the following operations:

21. Receives the original configuration BPDU of Port B2 {1, 0, 1, Port B2}.

22. Determines that the received configuration BPDU is superior to the existing configuration BPDU {2, 0, 2, Port C2}.

23. Updates its configuration BPDU.

· Port C1: {0, 0, 0, Port A2}

· Port C2: {1, 0, 1, Port B2}

Device C performs the following operations:

24. Compares the configuration BPDUs of all its ports.

25. Decides that the configuration BPDU of Port C1 is the optimum.

26. Selects Port C1 as the root port with the configuration BPDU unchanged.

Based on the configuration BPDU and path cost of the root port, Device C calculates the configuration BPDU of Port C2 {0, 10, 2, Port C2}. Device C compares it with the existing configuration BPDU of Port C2 {1, 0, 1, Port B2}. Device C determines that the calculated configuration BPDU is superior to the existing one, selects Port C2 as the designated port, and replaces the configuration BPDU of Port C2 with the calculated one.

· Root port (Port C1): {0, 0, 0, Port A2}

· Designated port (Port C2): {0, 10, 2, Port C2}

Port C2 performs the following operations:

27. Receives the updated configuration BPDU of Port B2 {0, 5, 1, Port B2}.

28. Determines that the received configuration BPDU is superior to its existing configuration BPDU {0, 10, 2, Port C2}.

29. Updates its configuration BPDU.

Port C1 performs the following operations:

30. Receives a periodic configuration BPDU {0, 0, 0, Port A2} from Port A2.

31. Determines that it is the same as the existing configuration BPDU.

32. Discards the received BPDU.

· Port C1: {0, 0, 0, Port A2}

· Port C2: {0, 5, 1, Port B2}

Device C determines that the root path cost of Port C1 is larger than that of Port C2. The root path cost of Port C1 is 10, root path cost of the received configuration BPDU (0) plus path cost of Port C1 (10). The root path cost of Port C2 is 9, root path cost of the received configuration BPDU (5) plus path cost of Port C2 (4). Device C determines that the configuration BPDU of Port C2 is the optimum, and selects Port C2 as the root port with the configuration BPDU unchanged.

Based on the configuration BPDU and path cost of the root port, Device C performs the following operations:

33. Calculates a designated port configuration BPDU for Port C1 {0, 9, 2, Port C1}.

34. Compares it with the existing configuration BPDU of Port C1 {0, 0, 0, Port A2}.

35. Determines that the existing configuration BPDU is superior to the calculated one and blocks Port C1 with the configuration BPDU unchanged.

Port C1 does not forward data until a new event triggers a spanning tree calculation process: for example, the link between Device B and Device C is down.

· Blocked port (Port C1): {0, 0, 0, Port A2}

· Root port (Port C2): {0, 5, 1, Port B2}

After the comparison processes described in Table 7, a spanning tree with Device A as the root bridge is established, as shown in Figure 18.

Figure 18 The final calculated spanning tree

The configuration BPDU forwarding mechanism of STP

The configuration BPDUs of STP are forwarded according to these guidelines:

· Upon network initiation, every device regards itself as the root bridge and generates configuration BPDUs with itself as the root. Then it sends the configuration BPDUs at a regular hello interval.

· If the root port receives a configuration BPDU superior to the configuration BPDU of the port, the device performs the following operations:

? Increases the message age carried in the configuration BPDU.

? Starts a timer to time the configuration BPDU.

? Sends this configuration BPDU through the designated port.

· If a designated port receives a configuration BPDU with a lower priority than its configuration BPDU, the port immediately responds with its configuration BPDU.

· If a path fails, the root port on this path no longer receives new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout. The device generates a configuration BPDU with itself as the root and sends the BPDUs and TCN BPDUs. This triggers a new spanning tree calculation process to establish a new path to restore the network connectivity.

However, the newly calculated configuration BPDU cannot be propagated throughout the network immediately. As a result, the old root ports and designated ports that have not detected the topology change continue forwarding data along the old path. If the new root ports and designated ports begin to forward data as soon as they are elected, a temporary loop might occur.

STP timers

The most important timing parameters in STP calculation are forward delay, hello time, and max age.

· Forward delay

Forward delay is the delay time for port state transition. By default, the forward delay is 15 seconds.

A path failure can cause spanning tree re-calculation to adapt the spanning tree structure to the change. However, the resulting new configuration BPDU cannot propagate throughout the network immediately. If the newly elected root ports and designated ports start to forward data immediately, a temporary loop will likely occur.

The newly elected root ports or designated ports must go through the listening and learning states before they transit to the forwarding state. This requires twice the forward delay time and allows the new configuration BPDU to propagate throughout the network.

· Hello time

The device sends configuration BPDUs at the hello time interval to the neighboring devices to ensure that the paths are fault-free. By default, the hello time is 2 seconds. If the device does not receive configuration BPDUs within the timeout period, it recalculates the spanning tree. The formula for calculating the timeout period is timeout period = timeout factor × 3 × hello time.

· Max age

The device uses the max age to determine whether a stored configuration BPDU has expired and discards it if the max age is exceeded. By default, the max age is 20 seconds. In the CIST of an MSTP network, the device uses the max age timer to determine whether a configuration BPDU received by a port has expired. If it is expired, a new spanning tree calculation process starts. The max age timer does not take effect on MSTIs.

If a port does not receive any configuration BPDUs within the timeout period, the port transits to the listening state. The device will recalculate the spanning tree. It takes the port 50 seconds to transit back to the forwarding state. This period includes 20 seconds for the max age, 15 seconds for the listening state, and 15 seconds for the learning state.

To ensure a fast topology convergence, make sure the timer settings meet the following formulas:

· 2 × (forward delay – 1 second) ≥ max age

· Max age ≥ 2 × (hello time + 1 second)

RSTP

RSTP achieves rapid network convergence by allowing a newly elected root port or designated port to enter the forwarding state much faster than STP.

RSTP protocol frames

An RSTP BPDU uses the same format as an STP BPDU except that a Version1 length field is added to the payload of RSTP BPDUs. The differences between an RSTP BPDU and an STP BPDU are as follows:

· Protocol version ID—The value is 0x02 for RSTP.

· BPDU type—The value is 0x02 for RSTP BPDUs.

· Flags—All 8 bits are used.

· Version1 length—The value is 0x00, which means no version 1 protocol information is present.

RSTP does not use TCN BPDUs to advertise topology changes. RSTP floods BPDUs with the TC flag set in the network to advertise topology changes.

Basic concepts in RSTP

Port roles

In addition to root port and designated port, RSTP also uses the following port roles:

· Alternate port—Acts as the backup port for a root port. When the root port is blocked, the alternate port takes over.

· Backup port—Acts as the backup port of a designated port. When the designated port is invalid, the backup port becomes the new designated port. A loop occurs when two ports of the same spanning tree device are connected, so the device blocks one of the ports. The blocked port is the backup port.

· Edge port—Directly connects to a user host rather than a network device or network segment.

Port states

RSTP uses the discarding state to replace the disabled, blocking, and listening states in STP. Table 8 shows the differences between the port states in RSTP and STP.

Table 8 Port state differences between RSTP and STP

STP port state	RSTP port state	Sends BPDU	Learns MAC addresses	Forwards user data
Disabled	Discarding	No	No	No
Blocking	Discarding	No	No	No
Listening	Discarding	Yes	No	No
Learning	Learning	Yes	Yes	No
Forwarding	Forwarding	Yes	Yes	Yes

How RSTP works

During RSTP calculation, the following events occur:

· If a port in discarding state becomes an alternate port, it retains its state.

· If a port in discarding state is elected as the root port or designated port, it enters the learning state after the forward delay. The port learns MAC addresses, and enters the forwarding state after another forward delay.

? A newly elected RSTP root port rapidly enters the forwarding state if the following requirements are met:

- The old root port on the device has stopped forwarding data.

- The upstream designated port has started forwarding data.

? A newly elected RSTP designated port rapidly enters the forwarding state if one of the following requirements is met:

- The designated port is configured as an edge port which directly connects to a user terminal.

- The designated port connects to a point-to-point link and receives a handshake response from the directly connected device.

RSTP BPDU processing

In RSTP, a non-root bridge actively sends RSTP BPDUs at the hello time through designated ports without waiting for the root bridge to send RSTP BPDUs. This enables RSTP to quickly detect link failures. If a device fails to receive any RSTP BPDUs on a port within triple the hello time, the device considers that a link failure has occurred. After the stored configuration BPDU expires, the device floods RSTP BPDUs with the TC flag set to initiate a new RSTP calculation.

In RSTP, a port in blocking state can immediately respond to an RSTP BPDU with a lower priority than its own BPDU.

As shown in Figure 19, Device A is the root bridge. The priority of Device B is higher than the priority of Device C. GigabitEthernet 1/0/2 on Device C is blocked.

When the link between Device A and Device B fails, the following events occur:

1. Device B sends an RSTP BPDU with itself as the root bridge to Device C.

2. Device C compares the RSTP BPDU with its own BPDU.

3. Because the RSTP BPDU from Device B has a lower priority, Device C sends its own BPDU to Device B.

4. Device B considers that GigabitEthernet 1/0/2 is the root port and stops sending RSTP BPDUs to Device C.

Figure 19 BPDU processing in RSTP

PVST

In an STP- or RSTP-enabled LAN, all bridges share one spanning tree. Traffic from all VLANs is forwarded along the spanning tree, and ports cannot be blocked on a per-VLAN basis to prune loops.

PVST allows every VLAN to have its own spanning tree, which increases usage of links and bandwidth. Because each VLAN runs RSTP independently, a spanning tree only serves its VLAN.

A PVST-enabled H3C device can communicate with a third-party device that is running Rapid PVST or PVST. The PVST-enabled H3C device supports fast network convergence like RSTP when connected to PVST-enabled H3C devices or third-party devices enabled with Rapid PVST.

PVST protocol frames

As shown in Figure 20, a PVST BPDU uses the same format as an RSTP BPDU except the following differences:

· The destination MAC address of a PVST BPDU is 01-00-0c-cc-cc-cd, which is a private MAC address.

· Each PVST BPDU carries a VLAN tag. The VLAN tag identifies the VLAN to which the PVST BPDU belongs.

· The organization code and PID fields are added to the LLC header of the PVST BPDU.

Figure 20 PVST BPDU format

A port's link type determines the type of BPDUs the port sends.

· An access port sends RSTP BPDUs.

· A trunk or hybrid port sends RSTP BPDUs in the default VLAN and sends PVST BPDUs in other VLANs.

Basic concepts in PVST

PVST uses the same port roles and port states as RSTP for fast convergence. For more information, see "Basic concepts in RSTP."

How PVST works

PVST implements per-VLAN spanning tree calculation by mapping each VLAN to an MSTI. In PVST, each VLAN runs RSTP independently to maintain its own spanning tree without affecting the spanning trees of other VLANs. In this way, loops in each VLAN are eliminated and traffic of different VLANs is load shared over links. PVST uses RSTP BPDUs in the default VLAN and PVST BPDUs in other VLANs for spanning tree calculation.

MSTP

MSTP overcomes the following STP, RSTP, and PVST limitations:

· STP limitations—STP does not support rapid state transition of ports. A newly elected port must wait twice the forward delay time before it transits to the forwarding state.

· RSTP limitations—Although RSTP enables faster network convergence than STP, RSTP fails to provide load balancing among VLANs. As with STP, all RSTP bridges in a LAN share one spanning tree and forward frames from all VLANs along this spanning tree.

· PVST limitations—Because each VLAN has its spanning tree, the amount of PVST BPDUs is proportional to the number of VLANs on a trunk or hybrid port. When the trunk or hybrid port permits too many VLANs, both resources and calculations for maintaining the VLAN spanning trees increase dramatically. If a status change occurs on the trunk or hybrid port that permits multiple VLANs, the device CPU will be overburdened with recalculating the affected spanning trees. As a result, network performance is degraded.

MSTP features

Developed based on IEEE 802.1s, MSTP overcomes the limitations of STP, RSTP, and PVST. In addition to supporting rapid network convergence, it allows data flows of different VLANs to be forwarded along separate paths. This provides a better load sharing mechanism for redundant links.

MSTP provides the following features:

· MSTP divides a switched network into multiple regions, each of which contains multiple spanning trees that are independent of one another.

· MSTP supports mapping VLANs to spanning tree instances by means of a VLAN-to-instance mapping table. MSTP can reduce communication overheads and resource usage by mapping multiple VLANs to one instance.

· MSTP prunes a loop network into a loop-free tree, which avoids proliferation and endless cycling of frames in a loop network. In addition, it supports load balancing of VLAN data by providing multiple redundant paths for data forwarding.

· MSTP is compatible with STP and RSTP, and partially compatible with PVST.

MSTP protocol frames

Figure 21 shows the format of an MSTP BPDU.

Figure 21 MSTP BPDU format

The first 13 fields of an MSTP BPDU are the same as an RSTP BPDU. The other six fields are unique to MSTP.

· Protocol version ID—The value is 0x03 for MSTP.

· BPDU type—The value is 0x02 for RSTP/MSTP BPDUs.

· Root ID—ID of the common root bridge.

· Root path cost—CIST external path cost.

· Bridge ID—ID of the regional root for the IST or an MSTI.

· Port ID—ID of the designated port in the CIST.

· Version3 length—Length of the MSTP-specific fields. Devices use this field for verification upon receiving an MSTP BPDU.

· MST configuration ID—Includes the format selector, configuration name, revision level, and configuration digest. The value for format selector is fixed at 0x00. The other parameters are used to identify the MST region for the originating bridge.

· CIST IRPC—Internal root path cost (IRPC) from the originating bridge to the root of the MST region.

· CIST bridge ID—ID of the bridge that sends the MSTP BPDU.

· CIST remaining ID—Remaining hop count. This field limits the scale of the MST region. The regional root sends a BPDU with the remaining hop count set to the maximum value. Each device that receives the BPDU decrements the hop count by one. When the hop count reaches zero, the BPDU is discarded. Devices beyond the maximum hops of the MST region cannot participate in spanning tree calculation. The default remaining hop count is 20.

· MSTI configuration messages—Contains MSTI configuration messages. Each MSTI configuration message is 16 bytes. This field can contain 0 to 64 MSTI configuration messages. The number of the MSTI configuration messages is determined by the number of MSTIs in the MST region.

Basic concepts in MSTP

Figure 22 shows a switched network that contains four MST regions, each MST region containing four MSTP devices. Figure 23 shows the networking topology of MST region 3.

Figure 22 Basic concepts in MSTP

Figure 23 Network diagram and topology of MST region 3

MST region

A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them. All these devices have the following characteristics:

· A spanning tree protocol enabled

· Same region name

· Same VLAN-to-instance mapping configuration

· Same MSTP revision level

· Physically linked together

Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST region, as shown in Figure 22.

· The switched network contains four MST regions, MST region 1 through MST region 4.

· All devices in each MST region have the same MST region configuration.

MSTI

MSTP can generate multiple independent spanning trees in an MST region, and each spanning tree is mapped to the specific VLANs. Each spanning tree is referred to as a multiple spanning tree instance (MSTI).

In Figure 23, MST region 3 contains three MSTIs, MSTI 1, MSTI 2, and MSTI 0.

VLAN-to-instance mapping table

As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between VLANs and MSTIs.

In Figure 23, the VLAN-to-instance mapping table of MST region 3 is as follows:

· VLAN 1 to MSTI 1.

· VLAN 2 and VLAN 3 to MSTI 2.

· Other VLANs to MSTI 0.

MSTP achieves load balancing by means of the VLAN-to-instance mapping table.

CST

The common spanning tree (CST) is a single spanning tree that connects all MST regions in a switched network. If you regard each MST region as a device, the CST is a spanning tree calculated by these devices through STP or RSTP.

The blue lines in Figure 22 represent the CST.

IST

An internal spanning tree (IST) is a spanning tree that runs in an MST region. It is also called MSTI 0, a special MSTI to which all VLANs are mapped by default.

In Figure 22, MSTI 0 is the IST in MST region 3.

CIST

The common and internal spanning tree (CIST) is a single spanning tree that connects all devices in a switched network. It consists of the ISTs in all MST regions and the CST.

In Figure 22, the ISTs (MSTI 0) in all MST regions plus the inter-region CST constitute the CIST of the entire network.

Regional root

The root bridge of the IST or an MSTI within an MST region is the regional root of the IST or MSTI. Based on the topology, different spanning trees in an MST region might have different regional roots, as shown in MST region 3 in Figure 23.

· The regional root of MSTI 1 is Device B.

· The regional root of MSTI 2 is Device C.

· The regional root of MSTI 0 (also known as the IST) is Device A.

Common root bridge

The common root bridge is the root bridge of the CIST.

In Figure 22, the common root bridge is a device in MST region 1.

Port roles

A port can play different roles in different MSTIs. As shown in Figure 24, an MST region contains Device A, Device B, Device C, and Device D. Port A1 and port A2 of Device A connect to the common root bridge. Port B2 and Port B3 of Device B form a loop. Port C3 and Port C4 of Device C connect to other MST regions. Port D3 of Device D directly connects to a host.

Figure 24 Port roles

MSTP calculation involves the following port roles:

· Root port—Forwards data for a non-root bridge to the root bridge. The root bridge does not have any root port.

· Designated port—Forwards data to the downstream network segment or device.

· Alternate port—Acts as the backup port for a root port or master port. When the root port or master port is blocked, the alternate port takes over.

· Edge port—Directly connects to a user host rather than a network device or network segment.

· Master port—Acts as a port on the shortest path from the local MST region to the common root bridge. The master port is not always located on the regional root. It is a root port on the IST or CIST and still a master port on the other MSTIs.

· Boundary port—Connects an MST region to another MST region or to an STP/RSTP-running device. In MSTP calculation, a boundary port's role on an MSTI is consistent with its role on the CIST. However, that is not true with master ports. A master port on MSTIs is a root port on the CIST.

Port states

In MSTP, a port can be in one of the following states:

· Forwarding—The port receives and sends BPDUs, learns MAC addresses, and forwards user traffic.

· Learning—The port receives and sends BPDUs, learns MAC addresses, but does not forward user traffic. Learning is an intermediate port state.

· Discarding—The port receives and sends BPDUs, but does not learn MAC addresses or forward user traffic.

NOTE:

When in different MSTIs, a port can be in different states.

A port state is not exclusively associated with a port role. Table 9 lists the port states that each port role supports. (A check mark [√] indicates that the port supports this state, while a dash [—] indicates that the port does not support this state.)

Table 9 Port states that different port roles support

Port role (right) Port state (below)	Root port/master port	Designated port	Alternate port	Backup port
Forwarding	√	√	—	—
Learning	√	√	—	—
Discarding	√	√	√	√

How MSTP works

MSTP divides an entire Layer 2 network into multiple MST regions, which are connected by a calculated CST. Inside an MST region, multiple spanning trees, called MSTIs, are calculated. Among these MSTIs, MSTI 0 is the IST.

Like STP, MSTP uses configuration BPDUs to calculate spanning trees. An important difference is that an MSTP BPDU carries the MSTP configuration of the bridge from which the BPDU is sent.

CIST calculation

During the CIST calculation, the following process takes place:

· The device with the highest priority is elected as the root bridge of the CIST.

· MSTP generates an IST within each MST region through calculation.

· MSTP regards each MST region as a single device and generates a CST among these MST regions through calculation.

The CST and ISTs constitute the CIST of the entire network.

MSTI calculation

Within an MST region, MSTP generates different MSTIs for different VLANs based on the VLAN-to-instance mappings. For each spanning tree, MSTP performs a separate calculation process similar to spanning tree calculation in STP. For more information, see "Calculation process of the STP algorithm."

In MSTP, a VLAN frame is forwarded along the following paths:

· Within an MST region, the frame is forwarded along the corresponding MSTI.

· Between two MST regions, the frame is forwarded along the CST.

MSTP implementation on devices

MSTP is compatible with STP and RSTP. Devices that are running MSTP and that are used for spanning tree calculation can identify STP and RSTP protocol frames.

In addition to basic MSTP features, the following features are provided for ease of management:

· Root bridge hold

· Root bridge backup

· Root guard

· BPDU guard

· Loop guard

· TC-BPDU guard

· Port role restriction

· TC-BPDU transmission restriction

· Support for hot swapping of interface cards and active/standby changeover.

Rapid transition mechanism

In STP, a port must wait twice the forward delay (30 seconds by default) before it transits from the blocking state to the forwarding state. The forward delay is related to the hello time and network diameter. If the forward delay is too short, loops might occur. This affects the stability of the network.

RSTP, PVST, and MSTP all use the rapid transition mechanism to speed up port state transition for edge ports, root ports, and designated ports. The rapid transition mechanism for designated ports is also known as the proposal/agreement (P/A)_transition.

Edge port rapid transition

As shown in Figure 25, Port C3 is an edge port connected to a host. When a network topology change occurs, the port can immediately transit from the blocking state to the forwarding state because no loop will be caused.

Because a device cannot determine whether a port is directly connected to a terminal, you must manually configure the port as an edge port.

Figure 25 Edge port rapid transition

Root port rapid transition

When a root port is blocked, the bridge will elect the alternate port with the highest priority as the new root port. If the new root port's peer is in the forwarding state, the new root port immediately transits to the forwarding state.

As shown in Figure 26, Port C2 on Device C is a root port and Port C1 is an alternate port. When Port C2 transits to the blocking state, Port C1 is elected as the root port and immediately transits to the forwarding state.

Figure 26 Root port rapid transition

P/A transition

The P/A transition enables a designated port to rapidly transit to the forwarding state after a handshake with its peer. The P/A transition applies only to point-to-point links.

· P/A transition for RSTP and PVST.

In RSTP or PVST, the ports on a new link or recovered link are designated ports in blocking state. When one of the designated ports transits to the discarding or learning state, it sets the proposal flag in its BPDU. Its peer bridge receives the BPDU and determines whether the receiving port is the root port. If it is the root port, the bridge blocks the other ports except edge ports. The bridge then replies an agreement BPDU to the designated port. The designated port immediately transits to the forwarding state upon receiving the agreement BPDU. If the designated port does not receive the agreement BPDU, it waits for twice the forward delay to transit to the forwarding state.

As shown in Figure 27, the P/A transition operates as follows:

a. Device A sends a proposal BPDU to Device B through GigabitEthernet 1/0/1.

b. Device B receives the proposal BPDU on GigabitEthernet 1/0/2. GigabitEthernet 1/0/2 is elected as the root port.

c. Device B blocks its designated port GigabitEthernet 1/0/1 and alternate port GigabitEthernet 1/0/3 to eliminate loops.

d. The root port GigabitEthernet 1/0/2 transits to the forwarding state and sends an agreement BPDU to Device A.

e. The designated port GigabitEthernet 1/0/1 on Device A immediately transits to the forwarding state after receiving the agreement BPDU.

Figure 27 P/A transition for RSTP and PVST

· P/A transition for MSTP.

In MSTP, an upstream bridge sets both the proposal and agreement flags in its BPDU. If a downstream bridge receives the BPDU and its receiving port is elected as the root port, the bridge blocks all the other ports except edge ports. The downstream bridge then replies an agreement BPDU to the upstream bridge. The upstream port immediately transits to the forwarding state upon receiving the agreement BPDU. If the upstream port does not receive the agreement BPDU, it waits for twice the forward delay to transit to the forwarding state.

As shown in Figure 28, the P/A transition operates as follows:

a. Device A sets the proposal and agreement flags in its BPDU and sends it to Device B through GigabitEthernet 1/0/1.

b. Device B receives the BPDU. GigabitEthernet 1/0/2 of Device B is elected as the root port.

c. Device B then blocks all its ports except the edge ports.

d. The root port GigabitEthernet 1/0/2 of Device B transits to the forwarding state and sends an agreement BPDU to Device A.

e. GigabitEthernet 1/0/1 of Device A immediately transits to the forwarding state upon receiving the agreement BPDU.

Figure 28 P/A transition for MSTP

Protocols and standards

MSTP is documented in the following protocols and standards:

· IEEE 802.1d, Media Access Control (MAC) Bridges

· IEEE 802.1w, Part 3: Media Access Control (MAC) Bridges—Amendment 2: Rapid Reconfiguration

· IEEE 802.1s, Virtual Bridged Local Area Networks—Amendment 3: Multiple Spanning Trees

· IEEE 802.1Q-REV/D1.3, Media Access Control (MAC) Bridges and Virtual Bridged Local Area Networks —Clause 13: Spanning tree Protocols

Command and hardware compatibility

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

Spanning tree configuration task lists

Before configuring a spanning tree, complete the following tasks:

· Determine the spanning tree protocol to be used (STP, RSTP, PVST, or MSTP).

· Plan the device roles (the root bridge or leaf node).

When you configure spanning tree protocols, follow these restrictions and guidelines:

· Configurations made in system view take effect globally. Configurations made in Ethernet interface view or WLAN mesh interface view take effect only on the interface. Configurations made in Layer 2 aggregate interface view take effect only on the aggregate interface. Configurations made on an aggregation member port can take effect only after the port is removed from the aggregation group.

· After you enable a spanning tree protocol on a Layer 2 aggregate interface, the system performs spanning tree calculation on the Layer 2 aggregate interface. It does not perform spanning tree calculation on the aggregation member ports. The spanning tree protocol enable state and forwarding state of each selected member port is consistent with those of the corresponding Layer 2 aggregate interface.

· The member ports of an aggregation group do not participate in spanning tree calculation. However, the ports still reserve their spanning tree configurations for participating in spanning tree calculation after leaving the aggregation group.

STP configuration task list

Tasks at a glance
Configuring the root bridge: · (Required.) Setting the spanning tree mode · (Optional.) Configuring the root bridge or a secondary root bridge · (Optional.) Configuring the device priority · (Optional.) Configuring the network diameter of a switched network · (Optional.) Setting spanning tree timers · (Optional.) Setting the timeout factor · (Optional.) Configuring the BPDU transmission rate · (Optional.) Enabling outputting port state transition information · (Required.) Enabling the spanning tree feature
Configuring the leaf nodes: · (Required.) Setting the spanning tree mode · (Optional.) Configuring the device priority · (Optional.) Setting the timeout factor · (Optional.) Configuring the BPDU transmission rate · (Optional.) Configuring path costs of ports · (Optional.) Configuring the port priority · (Optional.) Enabling outputting port state transition information · (Required.) Enabling the spanning tree feature
(Optional.) Configuring TC Snooping
(Optional.) Configuring protection features
(Optional.) Enabling SNMP notifications for new-root election and topology change events

RSTP configuration task list

Tasks at a glance
Configuring the root bridge: · (Required.) Setting the spanning tree mode · (Optional.) Configuring the root bridge or a secondary root bridge · (Optional.) Configuring the device priority · (Optional.) Configuring the network diameter of a switched network · (Optional.) Setting spanning tree timers · (Optional.) Setting the timeout factor · (Optional.) Configuring the BPDU transmission rate · (Optional.) Configuring edge ports · (Optional.) Configuring the port link type · (Optional.) Enabling outputting port state transition information · (Required.) Enabling the spanning tree feature
Configuring the leaf nodes: · (Required.) Setting the spanning tree mode · (Optional.) Configuring the device priority · (Optional.) Setting the timeout factor · (Optional.) Configuring the BPDU transmission rate · (Optional.) Configuring edge ports · (Optional.) Configuring path costs of ports · (Optional.) Configuring the port priority · (Optional.) Configuring the port link type · (Optional.) Enabling outputting port state transition information · (Required.) Enabling the spanning tree feature
(Optional.) Performing mCheck
(Optional.) Configuring TC Snooping
(Optional.) Configuring protection features
(Optional.) Enabling SNMP notifications for new-root election and topology change events

PVST configuration task list

Tasks at a glance
Configuring the root bridge: · (Required.) Setting the spanning tree mode · (Optional.) Configuring the root bridge or a secondary root bridge · (Optional.) Configuring the device priority · (Optional.) Configuring the network diameter of a switched network · (Optional.) Setting spanning tree timers · (Optional.) Setting the timeout factor · (Optional.) Configuring the BPDU transmission rate · (Optional.) Configuring edge ports · (Optional.) Configuring the port link type · (Optional.) Enabling outputting port state transition information · (Required.) Enabling the spanning tree feature
Configuring the leaf nodes: · (Required.) Setting the spanning tree mode · (Optional.) Configuring the device priority · (Optional.) Setting the timeout factor · (Optional.) Configuring the BPDU transmission rate · (Optional.) Configuring edge ports · (Optional.) Configuring path costs of ports · (Optional.) Configuring the port priority · (Optional.) Configuring the port link type · (Optional.) Enabling outputting port state transition information · (Required.) Enabling the spanning tree feature
(Optional.) Performing mCheck
(Optional.) Disabling inconsistent PVID protection
(Optional.) Configuring protection features
(Optional.) Enabling SNMP notifications for new-root election and topology change events

MSTP configuration task list

Tasks at a glance
Configuring the root bridge: · (Required.) Setting the spanning tree mode · (Required.) Configuring an MST region · (Optional.) Configuring the root bridge or a secondary root bridge · (Optional.) Configuring the device priority · (Optional.) Configuring the maximum hops of an MST region · (Optional.) Configuring the network diameter of a switched network · (Optional.) Setting spanning tree timers · (Optional.) Setting the timeout factor · (Optional.) Configuring the BPDU transmission rate · (Optional.) Configuring edge ports · (Optional.) Configuring the port link type · (Optional.) Configuring the mode a port uses to recognize and send MSTP frames · (Optional.) Enabling outputting port state transition information · (Required.) Enabling the spanning tree feature
Configuring the leaf nodes: · (Required.) Setting the spanning tree mode · (Required.) Configuring an MST region · (Optional.) Configuring the device priority · (Optional.) Setting the timeout factor · (Optional.) Configuring the BPDU transmission rate · (Optional.) Configuring edge ports · (Optional.) Configuring path costs of ports · (Optional.) Configuring the port priority · (Optional.) Configuring the port link type · (Optional.) Configuring the mode a port uses to recognize and send MSTP frames · (Optional.) Enabling outputting port state transition information · (Required.) Enabling the spanning tree feature
(Optional.) Performing mCheck
(Optional.) Configuring Digest Snooping
(Optional.) Configuring No Agreement Check
(Optional.) Configuring TC Snooping
(Optional.) Configuring protection features
(Optional.) Enabling SNMP notifications for new-root election and topology change events

Setting the spanning tree mode

The spanning tree modes include:

· STP mode—All ports of the device send STP BPDUs. Select this mode when the peer device of a port supports only STP.

· RSTP mode—All ports of the device send RSTP BPDUs. A port in this mode automatically transits to the STP mode when it receives STP BPDUs from the peer device. A port in this mode does not transit to the MSTP mode when it receives MSTP BPDUs from the peer device.

· PVST mode—All ports of the device send PVST BPDUs. Each VLAN maintains a spanning tree. In a network, the amount of spanning trees maintained by all devices equals the number of PVST-enabled VLANs multiplied by the number of PVST-enabled ports. If the amount of spanning trees exceeds the capacity of the network, device CPUs will be overloaded. Packet forwarding is interrupted, and the network becomes unstable.

· MSTP mode—All ports of the device send MSTP BPDUs. A port in this mode automatically transits to the STP mode when receiving STP BPDUs from the peer device. A port in this mode does not transit to the RSTP mode when receiving RSTP BPDUs from the peer device.

The MSTP mode is compatible with the RSTP mode, and the RSTP mode is compatible with the STP mode.

Compatibility of the PVST mode depends on the link type of a port.

· On an access port, the PVST mode is compatible with other spanning tree modes in all VLANs.

· On a trunk port or hybrid port, the PVST mode is compatible with other spanning tree modes only in the default VLAN.

To set the spanning tree mode:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Set the spanning tree mode.	stp mode { mstp \| pvst \| rstp \| stp }	The default setting is the MSTP mode.

Configuring an MST region

Spanning tree devices belong to the same MST region if they are both connected through a physical link and configured with the following details:

· Format selector (0 by default, not configurable).

· MST region name.

· MST region revision level.

· VLAN-to-instance mapping entries in the MST region.

The configuration of MST region-related parameters (especially the VLAN-to-instance mapping table) might cause MSTP to begin a new spanning tree calculation. To reduce the possibility of topology instability, the MST region configuration takes effect only after you activate it by doing one of the following:

· Use the active region-configuration command.

· Enable a spanning tree protocol by using the stp global enable command if the spanning tree protocol is disabled.

In STP, RSTP, or PVST mode, MST region configurations do not take effect.

To configure an MST region:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter MST region view.	stp region-configuration	N/A
3. Configure the MST region name.	region-name name	The default setting is the MAC address.
4. Configure the VLAN-to-instance mapping table.	· instance instance-id vlan vlan-id-list · vlan-mapping modulo modulo	Use one of the commands. By default, all VLANs in an MST region are mapped to the CIST (or MSTI 0).
5. Configure the MSTP revision level of the MST region.	revision-level level	The default setting is 0.
6. (Optional.) Display the MST region configurations that are not activated yet.	check region-configuration	N/A
7. Manually activate MST region configuration.	active region-configuration	N/A

Configuring the root bridge or a secondary root bridge

You can have the spanning tree protocol determine the root bridge of a spanning tree through calculation. You can also specify a device as the root bridge or as a secondary root bridge.

A device has independent roles in different spanning trees. It can act as the root bridge in one spanning tree and as a secondary root bridge in another. However, one device cannot be the root bridge and a secondary root bridge in the same spanning tree.

A spanning tree can have only one root bridge. If multiple devices can be selected as the root bridge in a spanning tree, the device with the lowest MAC address is selected.

When the root bridge of an instance fails or is shut down and no new root bridge is specified, the following events occur:

· If you specify only one secondary root bridge, it becomes the root bridge.

· If you specify multiple secondary root bridges for the instance, the secondary root bridge with the lowest MAC address is given priority.

· If you do not specify a secondary root bridge, a new root bridge is calculated.

You can specify one root bridge for each spanning tree, regardless of the device priority settings. Once you specify a device as the root bridge or a secondary root bridge, you cannot change its priority.

You can configure a device as the root bridge by setting the device priority to 0. For the device priority configuration, see "Configuring the device priority."

Configuring the current device as the root bridge of a specific spanning tree

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure the current device as the root bridge.

· In STP/RSTP mode:
stp root primary

· In PVST mode:
stp vlan vlan-id-list root primary

· In MSTP mode:
stp [ instance instance-list ] root primary

By default, a device does not function as the root bridge.

Configuring the current device as a secondary root bridge of a specific spanning tree

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure the current device as a secondary root bridge.

· In STP/RSTP mode:
stp root secondary

· In PVST mode:
stp vlan vlan-id-list root secondary

· In MSTP mode:
stp [ instance instance-list ] root secondary

By default, a device does not function as a secondary root bridge.

Configuring the device priority

Device priority is a factor in calculating the spanning tree. The priority of a device determines whether the device can be elected as the root bridge of a spanning tree. A lower value indicates a higher priority. You can set the priority of a device to a low value to specify the device as the root bridge of the spanning tree. A spanning tree device can have different priorities in different spanning trees.

During root bridge selection, if all devices in a spanning tree have the same priority, the one with the lowest MAC address is selected. You cannot change the priority of a device after it is configured as the root bridge or as a secondary root bridge.

To configure the priority of a device in a specified MSTI:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure the priority of the current device.

· In STP/RSTP mode:
stp priority priority

· In PVST mode:
stp vlan vlan-id-list priority priority

· In MSTP mode:
stp [ instance instance-list ] priority priority

The default setting is 32768.

Configuring the maximum hops of an MST region

Restrict the region size by setting the maximum hops of an MST region. The hop limit configured on the regional root bridge is used as the hop limit for the MST region.

Configuration BPDUs sent by the regional root bridge always have a hop count set to the maximum value. When a device receives this configuration BPDU, it decrements the hop count by one, and uses the new hop count in the BPDUs that it propagates. When the hop count of a BPDU reaches zero, it is discarded by the device that received it. Devices beyond the reach of the maximum hops can no longer participate in spanning tree calculations, so the size of the MST region is limited.

Make this configuration only on the root bridge. All other devices in the MST region use the maximum hop value set for the root bridge.

You can configure the maximum hops of an MST region based on the STP network size. H3C recommends that you set the maximum hops to a value that is greater than the maximum hops of each edge device to the root bridge.

To configure the maximum number of hops of an MST region:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Configure the maximum hops of the MST region.	stp max-hops hops	The default setting is 20.

Configuring the network diameter of a switched network

Any two terminal devices in a switched network can reach each other through a specific path, and there are a series of devices on the path. The switched network diameter is the maximum number of devices on the path for an edge device to reach another one in the switched network through the root bridge. The network diameter indicates the network size. The bigger the diameter, the larger the network size.

Based on the network diameter you configured, the system automatically sets an optimal hello time, forward delay, and max age for the device.

In STP, RSTP, or MSTP mode, each MST region is considered a device. The configured network diameter takes effect only on the CIST (or the common root bridge) but not on other MSTIs.

In PVST mode, the configured network diameter takes effect only on the root bridges of the specified VLANs.

To configure the network diameter of a switched network:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Configure the network diameter of the switched network.

· In STP/RSTP/MSTP mode:
stp bridge-diameter diameter

· In PVST mode:
stp vlan vlan-id-list bridge-diameter diameter

The default setting is 7.

Setting spanning tree timers

The following timers are used for spanning tree calculation:

· Forward delay—Delay time for port state transition. To prevent temporary loops on a network, the spanning tree feature sets an intermediate port state (the learning state) before it transits from the discarding state to the forwarding state. The feature also requires that the port transit its state after a forward delay timer. This ensures that the state transition of the local port stays synchronized with the peer.

· Hello time—Interval at which the device sends configuration BPDUs to detect link failures. If the device does not receive configuration BPDUs within the timeout period, it recalculates the spanning tree. The formula for calculating the timeout period is timeout period = timeout factor × 3 × hello time.

· Max age—In the CIST of an MSTP network, the device uses the max age timer to determine whether a configuration BPDU received by a port has expired. If it is expired, a new spanning tree calculation process starts. The max age timer does not take effect on MSTIs.

To ensure a fast topology convergence, make sure the timer settings meet the following formulas:

· 2 × (forward delay – 1 second) ≥ max age

· Max age ≥ 2 × (hello time + 1 second)

H3C recommends not manually setting the spanning tree timers. H3C recommends that you specify the network diameter and letting spanning tree protocols automatically calculate the timers based on the network diameter. If the network diameter uses the default value, the timers also use their default values.

Set the timers only on the root bridge. The timer settings on the root bridge apply to all devices on the entire switched network.

Configuration restrictions and guidelines

· The length of the forward delay is related to the network diameter of the switched network. The larger the network diameter is, the longer the forward delay time should be. H3C recommends that you use the automatically calculated value because inappropriate forward delay setting might cause temporary redundant paths or increase the network convergence time.

· An appropriate hello time setting enables the device to promptly detect link failures on the network without using excessive network resources. If the hello time is too long, the device mistakes packet loss for a link failure and triggers a new spanning tree calculation process. If the hello time is too short, the device frequently sends the same configuration BPDUs, which wastes device and network resources. H3C recommends that you use the automatically calculated value.

· If the max age timer is too short, the device frequently begins spanning tree calculations and might mistake network congestion as a link failure. If the max age timer is too long, the device might fail to promptly detect link failures and quickly launch spanning tree calculations, reducing the auto-sensing capability of the network. H3C recommends that you use the automatically calculated value.

Configuration procedure

To set the spanning tree timers:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Set the forward delay timer.	· In STP/RSTP/MSTP mode: stp timer forward-delay time · In PVST mode: stp vlan vlan-id-list timer forward-delay time	The default setting is 15 seconds.
3. Set the hello timer.	· In STP/RSTP/MSTP mode: stp timer hello time · In PVST mode: stp vlan vlan-id-list timer hello time	The default setting is 2 seconds.
4. Set the max age timer.	· In STP/RSTP/MSTP mode: stp timer max-age time · In PVST mode: stp vlan vlan-id-list timer max-age time	The default setting is 20 seconds.

Setting the timeout factor

The timeout factor is a parameter used to decide the timeout period. The formula for calculating the timeout period is: timeout period = timeout factor × 3 × hello time.

In a stable network, each non-root-bridge device forwards configuration BPDUs to the downstream devices at the hello time interval to detect link failures. If a device does not receive a BPDU from the upstream device within nine times the hello time, it assumes that the upstream device has failed. Then, it starts a new spanning tree calculation process.

A device might fail to receive a BPDU from the upstream device because the upstream device is busy. If a spanning tree calculation occurs, the calculation can fail and also waste network resources. On a stable network, you can prevent undesired spanning tree calculations by setting the timeout factor to 5, 6, or 7.

To set the timeout factor:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Set the timeout factor of the device.	stp timer-factor factor	The default setting is 3.

Configuring the BPDU transmission rate

The maximum number of BPDUs a port can send within each hello time equals the BPDU transmission rate plus the hello timer value. Configure an appropriate BPDU transmission rate based on the physical status of the port and the network structure.

The higher the BPDU transmission rate, the more BPDUs are sent within each hello time, and the more system resources are used. By setting an appropriate BPDU transmission rate, you can limit the rate at which the port sends BPDUs. Setting an appropriate rate also prevents spanning tree protocols from using excessive network resources when the network topology changes. H3C recommends that you use the default setting.

To configure the BPDU transmission rate:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Configure the BPDU transmission rate of the ports.	stp transmit-limit limit	The default setting is 10.

Configuring edge ports

If a port directly connects to a user terminal rather than another device or a shared LAN segment, this port is regarded as an edge port. When network topology change occurs, an edge port will not cause a temporary loop. Because a device does not determine whether a port is directly connected to a terminal, you must manually configure the port as an edge port. After that, the port can rapidly transit from the blocking state to the forwarding state.

Configuration restrictions and guidelines

· If BPDU guard is disabled, a port set as an edge port becomes a non-edge port again if it receives a BPDU from another port. To restore the edge port, re-enable it.

· If a port directly connects to a user terminal, configure it as an edge port and enable BPDU guard for it. This enables the port to quickly transit to the forwarding state when ensuring network security.

· On a port, the loop guard feature and the edge port setting are mutually exclusive.

Configuration procedure

To configure a port as an edge port:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Configure the current ports as edge ports.	stp edged-port	By default, all ports are non-edge ports.

Configuring path costs of ports

Path cost is a parameter related to the link speed of a port. On a spanning tree device, a port can have different path costs in different MSTIs. Setting appropriate path costs allows VLAN traffic flows to be forwarded along different physical links, achieving VLAN-based load balancing.

You can have the device automatically calculate the default path cost, or you can configure the path cost for ports.

Specifying a standard for the device to use when it calculates the default path cost

CAUTION:

If you change the standard that the device uses to calculate the default path costs, you restore the path costs to the default.

You can specify a standard for the device to use in automatic calculation for the default path cost. The device supports the following standards:

· dot1d-1998—The device calculates the default path cost for ports based on IEEE 802.1d-1998.

· dot1t—The device calculates the default path cost for ports based on IEEE 802.1t.

· legacy—The device calculates the default path cost for ports based on a private standard.

When you specify a standard for the device to use when it calculates the default path cost, follow these guidelines:

· When it calculates the path cost for an aggregate interface, IEEE 802.1t takes into account the number of Selected ports in its aggregation group. However, IEEE 802.1d-1998 does not take into account the number of Selected ports. The calculation formula of IEEE 802.1t is: Path cost = 200,000,000/link speed (in 100 kbps). The link speed is the sum of the link speed values of the Selected ports in the aggregation group.

· IEEE 802.1d-1998 or the private standard always assigns the smallest possible value to a single port or aggregate interface with a speed exceeding 10 Gbps. The forwarding path selected based on this criterion might not be the best one. To solve this problem, perform one of the following tasks:

? Use dot1t as the standard for default path cost calculation.

? Manually set the path cost for the port (see "Configuring path costs of ports").

To specify a standard for the device to use when it calculates the default path cost:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Specify a standard for the device to use when it calculates the default path costs of its ports.	stp pathcost-standard { dot1d-1998 \| dot1t \| legacy }	By default, the device uses dot1t when it calculates the default path costs of its ports.

Table 10 Mappings between the link speed and the path cost

Link speed	Port type	Path cost
Link speed	Port type	IEEE 802.1d-1998	IEEE 802.1t	Private standard
0	N/A	65535	200000000	200000
100 Mbps	Single port	19	200000	200
	Aggregate interface containing two Selected ports		100000	180
	Aggregate interface containing three Selected ports		66666	160
	Aggregate interface containing four Selected ports		50000	140
1000 Mbps	Single port	4	20000	20
	Aggregate interface containing two Selected ports		10000	18
	Aggregate interface containing three Selected ports		6666	16
	Aggregate interface containing four Selected ports		5000	14
10 Gbps	Single port	2	2000	2
	Aggregate interface containing two Selected ports		1000	1
	Aggregate interface containing three Selected ports		666	1
	Aggregate interface containing four Selected ports		500	1
20 Gbps	Aggregate interface containing two Selected ports	1	500	1
	Aggregate interface containing three Selected ports		333	1
	Aggregate interface containing four Selected ports		250	1

Configuring path costs of ports

When the path cost of a port changes, the system recalculates the role of the port and initiates a state transition.

To configure the path cost of a port:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Configure the path cost of the ports.	· In STP/RSTP mode: stp cost cost · In PVST mode: stp vlan vlan-id-list cost cost · In MSTP mode: stp [ instance instance-list ] cost cost	By default, the system automatically calculates the path cost of each port.

Configuring the port priority

The priority of a port is a factor that determines whether the port can be elected as the root port of a device. If all other conditions are the same, the port with the highest priority is elected as the root port.

On a spanning tree device, a port can have different priorities and play different roles in different spanning trees. As a result, data of different VLANs can be propagated along different physical paths, implementing per-VLAN load balancing. You can set port priority values based on the actual networking requirements.

When the priority of a port changes, the system recalculates the port role and initiates a state transition.

To configure the priority of a port:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Configure the port priority.	· In STP/RSTP mode: stp port priority priority · In PVST mode: stp vlan vlan-id-list port priority priority · In MSTP mode: stp [ instance instance-list ] port priority priority	The default setting is 128 for all ports.

Configuring the port link type

A point-to-point link directly connects two devices. If two root ports or designated ports are connected over a point-to-point link, they can rapidly transit to the forwarding state after a proposal-agreement handshake process.

Configuration restrictions and guidelines

· You can configure the link type as point-to-point for a Layer 2 aggregate interface or a port that operates in full duplex mode. H3C recommends that you use the default setting and letting the device automatically detect the port link type.

· In PVST or MSTP mode, the stp point-to-point force-false or stp point-to-point force-true command configured on a port takes effect on all VLANs or all MSTIs.

· If you configure a non-point-to-point link as a point-to-point link, a temporary loop might occur.

Configuration procedure

To configure the link type of a port:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Configure the port link type.	stp point-to-point { auto \| force-false \| force-true }	By default, the link type is auto where the port automatically detects the link type.

Configuring the mode a port uses to recognize and send MSTP frames

A port can receive and send MSTP frames in the following formats:

· dot1s—802.1s-compliant standard format

· legacy—Compatible format

By default, the frame format recognition mode of a port is auto. The port automatically distinguishes the two MSTP frame formats, and determines the format of frames that it will send based on the recognized format.

You can configure the MSTP frame format on a port. Then, the port sends only MSTP frames of the configured format to communicate with devices that send frames of the same format.

By default, a port in auto mode sends 802.1s MSTP frames. When the port receives an MSTP frame of a legacy format, the port starts to send frames only of the legacy format. This prevents the port from frequently changing the format of sent frames. To configure the port to send 802.1s MSTP frames, shut down and then bring up the port.

When the number of existing MSTIs exceeds 48, the port can send only 802.1s MSTP frames.

To configure the MSTP frame format to be supported on a port:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Configure the mode that the port uses to recognize/send MSTP frames.	stp compliance { auto \| dot1s \| legacy }	The default setting is auto.

Enabling outputting port state transition information

In a large-scale spanning tree network, you can enable devices to output the port state transition information. Then, you can monitor the port states in real time.

To enable outputting port state transition information:

Step

Command

Remarks

1. Enter system view.

system-view

N/A

2. Enable outputting port state transition information.

· In STP/RSTP mode:
stp port-log instance 0

· In PVST mode:
stp port-log vlan vlan-id-list

· In MSTP mode:
stp port-log { all | instance instance-list }

By default, this feature is enabled.

Enabling the spanning tree feature

You must enable the spanning tree feature for the device before any other spanning tree related configurations can take effect. In STP, RSTP, or MSTP mode, make sure the spanning tree feature is enabled globally and on the desired ports. In PVST mode, make sure the spanning tree feature is enabled globally, in the desired VLANs, and on the desired ports.

To exclude specific ports from spanning tree calculation and save CPU resources, disable the spanning tree feature for these ports with the undo stp enable command. Make sure no loops occur in the network after you disable the spanning tree feature on these ports.

Enabling the spanning tree feature in STP/RSTP/MSTP mode

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable the spanning tree feature.	stp global enable	By default, the spanning tree feature is globally disabled.
3. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
4. (Optional.) Enable the spanning tree feature for the port.	stp enable	By default, the spanning tree feature is enabled on all ports.

Enabling the spanning tree feature in PVST mode

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable the spanning tree feature.	stp global enable	By default, the spanning tree feature is globally disabled.
3. Enable the spanning tree feature in VLANs.	stp vlan vlan-id-list enable	By default, the spanning tree feature is enabled in VLANs.
4. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
5. Enable the spanning tree feature on the port.	stp enable	By default, the spanning tree feature is enabled on all ports.

Performing mCheck

The mCheck feature enables user intervention in the port status transition process.

When a port on an MSTP, RSTP, or PVST device connects to an STP device and receives STP BPDUs, the port automatically transits to the STP mode. However, the port cannot automatically transit back to the original mode when the following conditions exist:

· The peer STP device is shut down or removed.

· The port cannot detect the change.

To forcibly transit the port to operate in the original mode, you can perform an mCheck operation.

For example, Device A, Device B, and Device C are connected in sequence. Device A runs STP, Device B does not run any spanning tree protocol, and Device C runs RSTP, PVST, or MSTP. In this case, when Device C receives an STP BPDU transparently transmitted by Device B, the receiving port transits to the STP mode. If you configure Device B to run RSTP, PVST, or MSTP with Device C, you must perform mCheck operations on the ports interconnecting Device B and Device C.

Configuration restrictions and guidelines

When you configure mCheck, follow these restrictions and guidelines:

· The mCheck operation takes effect on devices operating in MSTP, PVST, or RSTP mode.

· When you enable or disable TRILL on a port, the port might send TCN BPDUs to the peer port, which causes the peer port to transit to STP mode. When you disable TRILL and enable STP on a port, H3C recommends that you perform mCheck on both the port and the peer port.

Performing mCheck globally

Step	Command
1. Enter system view.	system-view
2. Perform mCheck.	stp global mcheck

Performing mCheck in interface view

Step	Command
1. Enter system view.	system-view
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.	interface interface-type interface-number
3. Perform mCheck.	stp mcheck

Disabling inconsistent PVID protection

In PVST, if two connected ports use different PVIDs, PVST calculation errors might occur. By default, inconsistent PVID protection is enabled to avoid PVST calculation errors. If PVID inconsistency is detected on a port, the system blocks the port.

If different PVIDs are required on two connected ports, disable inconsistent PVID protection on the devices that host the ports. To avoid PVST calculation errors, make sure the following requirements are met:

· Make sure the VLANs on one device do not use the same ID as the PVID of its peer port (except the default VLAN) on another device.

· If the local port or its peer is a hybrid port, do not configure the local and peer ports as untagged members of the same VLAN.

· Disable inconsistent PVID protection on both the local device and the peer device.

This feature takes effect only when the device is operating in PVST mode.

To disable the inconsistent PVID protection feature:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Disable the inconsistent PVID protection feature.	stp ignore-pvid-inconsistency	By default, the inconsistent PVID protection feature is enabled.

Configuring Digest Snooping

CAUTION:

Use caution with global Digest Snooping in the following situations:

· When you modify the VLAN-to-instance mappings.

· When you restore the default MST region configuration.

If the local device has different VLAN-to-instance mappings than its neighboring devices, loops or traffic interruption will occur.

As defined in IEEE 802.1s, connected devices are in the same region only when they have the same MST region-related configurations, including:

· Region name.

· Revision level.

· VLAN-to-instance mappings.

A spanning tree device identifies devices in the same MST region by determining the configuration ID in BPDUs. The configuration ID includes the region name, revision level, and configuration digest. It is 16-byte long and is the result calculated through the HMAC-MD5 algorithm based on VLAN-to-instance mappings.

Because spanning tree implementations vary by vendor, the configuration digests calculated through private keys are different. The devices of different vendors in the same MST region cannot communicate with each other.

To enable communication between an H3C device and a third-party device in the same MST region, enable Digest Snooping on the H3C device port connecting them.

Configuration restrictions and guidelines

When you configure Digest Snooping, follow these guidelines:

· Before you enable Digest Snooping, make sure associated devices of different vendors are connected and run spanning tree protocols.

· With Digest Snooping enabled, in-the-same-region verification does not require comparison of configuration digest. The VLAN-to-instance mappings must be the same on associated ports.

· To make Digest Snooping take effect, you must enable Digest Snooping both globally and on associated ports. H3C recommends that you enable Digest Snooping on all associated ports first and then enable it globally. This will make the configuration take effect on all configured ports and reduce impact on the network.

· To prevent loops, do not enable Digest Snooping on MST region edge ports.

· H3C recommends that you enable Digest Snooping first and then the spanning tree feature. To avoid traffic interruption, do not configure Digest Snooping when the network is already working well.

Configuration procedure

Use this feature on when your H3C device is connected to a third-party device that uses its private key to calculate the configuration digest.

To configure Digest Snooping:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Enable Digest Snooping on the interface.	stp config-digest-snooping	By default, Digest Snooping is disabled on ports.
4. Return to system view.	quit	N/A
5. Enable Digest Snooping globally.	stp global config-digest-snooping	By default, Digest Snooping is disabled globally.

Configuring No Agreement Check

In RSTP and MSTP, the following types of messages are used for rapid state transition on designated ports:

· Proposal—Sent by designated ports to request rapid transition

· Agreement—Used to acknowledge rapid transition requests

Both RSTP and MSTP devices can perform rapid transition on a designated port only when the port receives an agreement packet from the downstream device. RSTP and MSTP devices have the following differences:

· For MSTP, the root port of the downstream device sends an agreement packet only after it receives an agreement packet from the upstream device.

· For RSTP, the downstream device sends an agreement packet whether or not an agreement packet from the upstream device is received.

Figure 29 Rapid state transition of an MSTP designated port

Figure 30 Rapid state transition of an RSTP designated port

If the upstream device is a third-party device, the rapid state transition implementation might be limited as follows:

· The upstream device uses a rapid transition mechanism similar to that of RSTP.

· The downstream device runs MSTP and does not operate in RSTP mode.

In this case, the following occurs:

1. The root port on the downstream device receives no agreement from the upstream device.

2. It sends no agreement to the upstream device.

As a result, the designated port of the upstream device can transit to the forwarding state only after a period twice the forward delay.

To enable the designated port of the upstream device to transit its state rapidly, enable No Agreement Check on the downstream device's port.

Configuration prerequisites

Before you configure the No Agreement Check feature, complete the following tasks:

· Connect a device to a third-party upstream device that supports spanning tree protocols through a point-to-point link.

· Configure the same region name, revision level, and VLAN-to-instance mappings on the two devices.

Configuration procedure

Enable the No Agreement Check feature on the root port.

To configure No Agreement Check:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Enable No Agreement Check.	stp no-agreement-check	By default, No Agreement Check is disabled.

Configuring TC Snooping

As shown in Figure 31, an IRF fabric connects to two user networks through double links.

· Device A and Device B form the IRF fabric.

· The spanning tree feature is disabled on Device A and Device B and enabled on all devices in user network 1 and user network 2.

· The IRF fabric transparently transmits BPDUs for both user networks and is not involved in the calculation of spanning trees.

When the network topology changes, it takes time for the IRF fabric to update its MAC address table and ARP table. During this period, traffic in the network might be interrupted.

Figure 31 TC Snooping application scenario

image14.emf

To avoid traffic interruption, you can enable TC Snooping on the IRF fabric. After receiving a TC-BPDU through a port, the IRF fabric updates MAC address table and ARP table entries associated with the port's VLAN. In this way, TC Snooping prevents topology change from interrupting traffic forwarding in the network. For more information about the MAC address table and the ARP table, see "Configuring the MAC address table" and Layer 3—IP Services Configuration Guide.

Configuration restrictions and guidelines

When you configure TC Snooping, follow these restrictions and guidelines:

· TC Snooping and the spanning tree feature are mutually exclusive. You must globally disable the spanning tree feature before enabling TC Snooping.

· The priority of BPDU tunneling is higher than that of TC Snooping. When BPDU tunneling is enabled on a port, the TC Snooping feature does not take effect on the port.

· TC Snooping does not support the PVST mode.

Configuration procedure

To enable TC Snooping:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Globally disable the spanning tree feature.	undo stp global enable	By default, the spanning tree feature is globally disabled.
3. Enable TC Snooping.	stp tc-snooping	By default, TC Snooping is disabled.

Configuring protection features

A spanning tree device supports the following protection features:

· BPDU guard

· Root guard

· Loop guard

· Port role restriction

· TC-BPDU transmission restriction

· TC-BPDU guard

· PVST BPDU guard

Enabling BPDU guard

For access layer devices, the access ports can directly connect to the user terminals (such as PCs) or file servers. The access ports are configured as edge ports to allow rapid transition. When these ports receive configuration BPDUs, the system automatically sets the ports as non-edge ports and starts a new spanning tree calculation process. This causes a change of network topology. Under normal conditions, these ports should not receive configuration BPDUs. However, if someone uses configuration BPDUs maliciously to attack the devices, the network will become unstable.

The spanning tree protocol provides the BPDU guard feature to protect the system against such attacks. When edge ports receive configuration BPDUs on a device with BPDU guard enabled, the device performs the following operations:

· Shuts down these ports.

· Notifies the NMS that these ports have been shut down by the spanning tree protocol.

The device reactivates the ports that have been shut down when the port status detection timer expires. You can set this timer by using the shutdown-interval command. For more information about this command, see device management commands in Fundamentals Command Reference.

BPDU guard does not take effect on loopback-testing-enabled ports. For more information about loopback testing, see Ethernet interface configuration in Interface Configuration Guide.

Configure BPDU guard on a device with edge ports configured.

To enable BPDU guard:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable the BPDU guard feature for the device.	stp bpdu-protection	By default, BPDU guard is disabled.

Enabling root guard

The root bridge and secondary root bridge of a spanning tree should be located in the same MST region. Especially for the CIST, the root bridge and secondary root bridge are put in a high-bandwidth core region during network design. However, due to possible configuration errors or malicious attacks in the network, the legal root bridge might receive a configuration BPDU with a higher priority. Another device supersedes the current legal root bridge, causing an undesired change of the network topology. The traffic that should go over high-speed links is switched to low-speed links, resulting in network congestion.

To prevent this situation, MSTP provides the root guard feature. If root guard is enabled on a port of a root bridge, this port plays the role of designated port on all MSTIs. After this port receives a configuration BPDU with a higher priority from an MSTI, it performs the following operations:

· Immediately sets that port to the listening state in the MSTI.

· Does not forward the received configuration BPDU.

This is equivalent to disconnecting the link connected to this port in the MSTI. If the port receives no BPDUs with a higher priority within twice the forwarding delay, it reverts to its original state.

On a port, the loop guard feature and the root guard feature are mutually exclusive.

Configure root guard on a designated port.

To enable root guard:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Enable the root guard feature.	stp root-protection	By default, root guard is disabled.

Enabling loop guard

By continuing to receive BPDUs from the upstream device, a device can maintain the state of the root port and blocked ports. However, link congestion or unidirectional link failures might cause these ports to fail to receive BPDUs from the upstream devices. In this situation, the device reselects the following port roles:

· Those ports in forwarding state that failed to receive upstream BPDUs become designated ports.

· The blocked ports transit to the forwarding state.

As a result, loops occur in the switched network. The loop guard feature can suppress the occurrence of such loops.

The initial state of a loop guard-enabled port is discarding in every MSTI. When the port receives BPDUs, it transits its state. Otherwise, it stays in the discarding state to prevent temporary loops.

Do not enable loop guard on a port that connects user terminals. Otherwise, the port stays in the discarding state in all MSTIs because it cannot receive BPDUs.

On a port, the loop guard feature is mutually exclusive with the root guard feature or the edge port setting.

Configure loop guard on the root port and alternate ports of a device.

To enable loop guard:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Enable the loop guard feature for the ports.	stp loop-protection	By default, loop guard is disabled.

Configuring port role restriction

CAUTION:

Use this feature with caution, because enabling port role restriction on a port might affect the connectivity of the spanning tree topology.

The bridge ID change of a device in the user access network might cause a change to the spanning tree topology in the core network. To avoid this problem, you can enable port role restriction on a port. With this feature enabled, when the port receives a superior BPDU, it becomes an alternate port rather than a root port.

Make this configuration on the port that connects to the user access network.

To configure port role restriction:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Enable port role restriction.	stp role-restriction	By default, port role restriction is disabled.

Configuring TC-BPDU transmission restriction

CAUTION:

Enabling TC-BPDU transmission restriction on a port might cause the previous forwarding address table to fail to be updated when the topology changes.

The topology change to the user access network might cause the forwarding address changes to the core network. When the user access network topology is unstable, the user access network might affect the core network. To avoid this problem, you can enable TC-BPDU transmission restriction on a port. With this feature enabled, when the port receives a TC-BPDU, it does not forward the TC-BPDU to other ports.

Make this configuration on the port that connects to the user access network.

To configure TC-BPDU transmission restriction:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2 Ethernet interface or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Enable TC-BPDU transmission restriction.	stp tc-restriction	By default, TC-BPDU transmission restriction is disabled.

Enabling TC-BPDU guard

When a device receives topology change (TC) BPDUs (the BPDUs that notify devices of topology changes), it flushes its forwarding address entries. If someone uses TC-BPDUs to attack the device, the device will receive a large number of TC-BPDUs within a short time. Then, the device is busy with forwarding address entry flushing. This affects network stability.

TC-BPDU guard allows you to set the maximum number of immediate forwarding address entry flushes performed within 10 seconds after the device receives the first TC-BPDU. For TC-BPDUs received in excess of the limit, the device performs a forwarding address entry flush when the time period expires. This prevents frequent flushing of forwarding address entries. H3C recommends that you enable TC-BPDU guard.

To enable TC-BPDU guard:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable the TC-BPDU guard feature.	stp tc-protection	By default, TC-BPDU guard is enabled. H3C recommends not disabling this feature.
3. (Optional.) Configure the maximum number of forwarding address entry flushes that the device can perform every 10 seconds.	stp tc-protection threshold number	The default setting is 6.

Enabling PVST BPDU guard

An MSTP-enabled device forwards PVST BPDUs as data traffic because it cannot recognize PVST BPDUs. If a PVST-enabled device in another independent network receives the PVST BPDUs, a PVST calculation error might occur. To avoid PVST calculation errors, enable PVST BPDU guard on the MSTP-enabled device. The device shuts down a port if the port receives PVST BPDUs.

To enable PVST BPDU guard:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable PVST BPDU guard.	stp pvst-bpdu-protection	By default, PVST BPDU guard is disabled.

Enabling SNMP notifications for new-root election and topology change events

This task enables the device to generate logs and report new-root election events or spanning tree topology changes to SNMP. For the event notifications to be sent correctly, you must also configure SNMP as described in Network Management and Monitoring Configuration Guide.

When you use the snmp-agent trap enable stp [ new-root | tc ] command, follow these guidelines:

· The new root keyword applies only to STP, MSTP, and RSTP modes.

· The tc keyword applies only to PVST mode.

· In STP, MSTP, or RSTP mode, the snmp-agent trap enable stp command enables SNMP notifications for new-root election events.

· In PVST mode, the snmp-agent trap enable stp enables SNMP notifications for spanning tree topology changes.

To enable SNMP notifications for new-root election events:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable SNMP notifications for new-root election events.	In STP, MSTP, or RSTP mode, execute either of the following commands: · snmp-agent trap enable stp new root · snmp-agent trap enable stp	The default settings are as follows: · SNMP notifications are disabled for new-root election events. · In MSTP mode, SNMP notifications are enabled in MSTI 0 and disabled in other MSTIs for spanning tree topology changes. · In PVST mode, SNMP notifications are disabled for spanning tree topology changes in all VLANs.
3. Enable SNMP notifications for spanning tree topology changes.	In PVST mode, execute either of the following commands: · snmp-agent trap enable stp tc · snmp-agent trap enable stp

Displaying and maintaining the spanning tree

Execute display commands in any view and reset command in user view.

Task	Command
Display information about ports blocked by spanning tree protection features.	display stp abnormal-port
Display BPDU statistics on ports.	display stp bpdu-statistics [ interface interface-type interface-number [ instance instance-list ] ]
Display information about ports shut down by spanning tree protection features.	display stp down-port
Display the port role calculation history for the specified MSTI or all MSTIs.	display stp [ instance instance-list \| vlan vlan-id-list ] history [ slot slot-number ]
Display the incoming and outgoing TC/TCN BPDU statistics by all ports in the specified MSTI or all MSTIs.	display stp [ instance instance-list \| vlan vlan-id-list ] tc [ slot slot-number ]
Display the spanning tree status and statistics.	display stp [ instance instance-list \| vlan vlan-id-list ] [ interface interface-list \| slot slot-number ] [ brief ]
Display the MST region configuration information that has taken effect.	display stp region-configuration
Display the root bridge information of all MSTIs.	display stp root
Clear the spanning tree statistics.	reset stp [ interface interface-list ]

MSTP configuration example

Network requirements

As shown in Figure 32, all devices on the network are in the same MST region. Device A and Device B work at the distribution layer. Device C and AC work at the access layer.

Configure MSTP so that frames of different VLANs are forwarded along different spanning trees.

· VLAN 10 frames are forwarded along MSTI 1.

· VLAN 30 frames are forwarded along MSTI 3.

· VLAN 40 frames are forwarded along MSTI 4.

· VLAN 20 frames are forwarded along MSTI 0.

VLAN 10 and VLAN 30 are terminated on the distribution layer devices, and VLAN 40 is terminated on the access layer devices. The root bridges of MSTI 1 and MSTI 3 are Device A and Device B, respectively, and the root bridge of MSTI 4 is AC.

Figure 32 Network diagram

Configuration procedure

1. Configure VLANs and VLAN member ports. (Details not shown.)

? Create VLAN 10, VLAN 20, and VLAN 30 on both Device A and Device B.

? Create VLAN 10, VLAN 20, and VLAN 40 on the AC.

? Create VLAN 20, VLAN 30, and VLAN 40 on Device C.

? Configure the ports on these devices as trunk ports and assign them to related VLANs.

2. Configure Device A:

# Enter MST region view, and configure the MST region name as example.

<DeviceA> system-view

[DeviceA] stp region-configuration

[DeviceA-mst-region] region-name example

# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.

[DeviceA-mst-region] instance 1 vlan 10

[DeviceA-mst-region] instance 3 vlan 30

[DeviceA-mst-region] instance 4 vlan 40

# Configure the revision level of the MST region as 0.

[DeviceA-mst-region] revision-level 0

# Activate MST region configuration.

[DeviceA-mst-region] active region-configuration

[DeviceA-mst-region] quit

# Configure the current device as the root bridge of MSTI 1.

[DeviceA] stp instance 1 root primary

# Enable the spanning tree feature globally.

[DeviceA] stp global enable

3. Configure Device B:

# Enter MST region view, and configure the MST region name as example.

<DeviceB> system-view

[DeviceB] stp region-configuration

[DeviceB-mst-region] region-name example

# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.

[DeviceB-mst-region] instance 1 vlan 10

[DeviceB-mst-region] instance 3 vlan 30

[DeviceB-mst-region] instance 4 vlan 40

# Configure the revision level of the MST region as 0.

[DeviceB-mst-region] revision-level 0

# Activate MST region configuration.

[DeviceB-mst-region] active region-configuration

[DeviceB-mst-region] quit

# Configure the current device as the root bridge of MSTI 3.

[DeviceB] stp instance 3 root primary

# Enable the spanning tree feature globally.

[DeviceB] stp global enable

4. Configure the AC:

# Enter MST region view, and configure the MST region name as example.

<AC> system-view

[AC] stp region-configuration

[AC-mst-region] region-name example

# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.

[AC-mst-region] instance 1 vlan 10

[AC-mst-region] instance 3 vlan 30

[AC-mst-region] instance 4 vlan 40

# Configure the revision level of the MST region as 0.

[AC-mst-region] revision-level 0

# Activate MST region configuration.

[AC-mst-region] active region-configuration

[AC-mst-region] quit

# Configure the current device as the root bridge of MSTI 4.

[AC] stp instance 4 root primary

# Enable the spanning tree feature globally.

[AC] stp global enable

5. Configure Device C:

# Enter MST region view, and configure the MST region name as example.

<DeviceC> system-view

[DeviceC] stp region-configuration

[DeviceC-mst-region] region-name example

# Map VLAN 10, VLAN 30, and VLAN 40 to MSTI 1, MSTI 3, and MSTI 4, respectively.

[DeviceC-mst-region] instance 1 vlan 10

[DeviceC-mst-region] instance 3 vlan 30

[DeviceC-mst-region] instance 4 vlan 40

# Configure the revision level of the MST region as 0.

[DeviceC-mst-region] revision-level 0

# Activate MST region configuration.

[DeviceC-mst-region] active region-configuration

[DeviceC-mst-region] quit

# Enable the spanning tree feature globally.

[DeviceC] stp global enable

Verifying the configuration

In this example, Device B has the lowest root bridge ID. As a result, Device B is elected as the root bridge in MSTI 0.

When the network is stable, you can use the display stp brief command to display brief spanning tree information on each device.

# Display brief spanning tree information on Device A.

[DeviceA] display stp brief

MST ID Port Role STP State Protection

0 GigabitEthernet1/0/1 ALTE DISCARDING NONE

0 GigabitEthernet1/0/2 DESI FORWARDING NONE

0 GigabitEthernet1/0/3 ROOT FORWARDING NONE

1 GigabitEthernet1/0/1 DESI FORWARDING NONE

1 GigabitEthernet1/0/3 DESI FORWARDING NONE

3 GigabitEthernet1/0/2 DESI FORWARDING NONE

3 GigabitEthernet1/0/3 ROOT FORWARDING NONE

# Display brief spanning tree information on Device B.

[DeviceB] display stp brief

MST ID Port Role STP State Protection

0 GigabitEthernet1/0/1 DESI FORWARDING NONE

0 GigabitEthernet1/0/2 DESI FORWARDING NONE

0 GigabitEthernet1/0/3 DESI FORWARDING NONE

1 GigabitEthernet1/0/2 DESI FORWARDING NONE

1 GigabitEthernet1/0/3 ROOT FORWARDING NONE

3 GigabitEthernet1/0/1 DESI FORWARDING NONE

3 GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on the AC.

[AC] display stp brief

MST ID Port Role STP State Protection

0 GigabitEthernet1/0/1 DESI FORWARDING NONE

0 GigabitEthernet1/0/2 ROOT FORWARDING NONE

0 GigabitEthernet1/0/3 DESI FORWARDING NONE

1 GigabitEthernet1/0/1 ROOT FORWARDING NONE

1 GigabitEthernet1/0/2 ALTE DISCARDING NONE

4 GigabitEthernet1/0/3 DESI FORWARDING NONE

# Display brief spanning tree information on Device C.

[DeviceC] display stp brief

MST ID Port Role STP State Protection

0 GigabitEthernet1/0/1 ROOT FORWARDING NONE

0 GigabitEthernet1/0/2 ALTE DISCARDING NONE

0 GigabitEthernet1/0/3 ALTE DISCARDING NONE

3 GigabitEthernet1/0/1 ROOT FORWARDING NONE

3 GigabitEthernet1/0/2 ALTE DISCARDING NONE

4 GigabitEthernet1/0/3 ROOT FORWARDING NONE

Based on the output, you can draw each MSTI mapped to each VLAN, as shown in Figure 33.

Figure 33 MSTIs mapped to different VLANs

Configuring LLDP

Support for interfaces of different types varies by device model. For more information, see Ethernet interface configuration in Interface Configuration Guide.

Overview

In a heterogeneous network, a standard configuration exchange platform ensures that different types of network devices from different vendors can discover one another and exchange configuration.

The Link Layer Discovery Protocol (LLDP) is specified in IEEE 802.1AB. The protocol operates on the data link layer to exchange device information between directly connected devices. With LLDP, a device sends local device information as TLV (type, length, and value) triplets in LLDP Data Units (LLDPDUs) to the directly connected devices. Local device information includes its system capabilities, management IP address, device ID, port ID, and so on. The device stores the device information in LLDPDUs from the LLDP neighbors in a standard MIB. For more information about MIBs, see Network Management and Monitoring Configuration Guide. LLDP enables a network management system to quickly detect and identify Layer 2 network topology changes.

Basic concepts

LLDP agent

An LLDP agent is a mapping of an entity where LLDP runs. Multiple LLDP agents can run on the same interface.

LLDP agents are divided into the following types:

· Nearest bridge agent.

· Nearest customer bridge agent.

· Nearest non-TPMR bridge agent.

A Two-port MAC Relay (TPMR) is a type of bridge that has only two externally-accessible bridge ports. It supports a subset of the features of a MAC bridge. A TPMR is transparent to all frame-based media-independent protocols except for the following protocols:

· Protocols destined to it.

· Protocols destined to reserved MAC addresses that the relay feature of the TPMR is configured not to forward.

LLDP exchanges packets between neighbor agents and creates and maintains neighbor information for them. Figure 34 shows the neighbor relationships for these LLDP agents. LLDP has two bridge modes: customer bridge (CB) and service bridge (SB).

Figure 34 LLDP neighbor relationships

LLDP frame formats

LLDP sends device information in LLDP frames. LLDP frames are encapsulated in Ethernet II or Subnetwork Access Protocol (SNAP) frames.

· LLDP frame encapsulated in Ethernet II

Figure 35 Ethernet II-encapsulated LLDP frame

Table 11 Fields in an Ethernet II-encapsulated LLDP frame

Field	Description
Destination MAC address	MAC address to which the LLDP frame is advertised. LLDP specifies different multicast MAC addresses as destination MAC addresses for LLDP frames destined for agents of different types. This helps distinguish between LLDP frames sent and received by different agent types on the same interface. The destination MAC address is fixed to one of the following multicast MAC addresses: · 0x0180-C200-000E for LLDP frames destined for nearest bridge agents. · 0x0180-C200-0000 for LLDP frames destined for nearest customer bridge agents. · 0x0180-C200-0003 for LLDP frames destined for nearest non-TPMR bridge agents.
Source MAC address	MAC address of the sending port.
Type	Ethernet type for the upper-layer protocol. This field is 0x88CC for LLDP.
Data	LLDPDU.
FCS	Frame check sequence, a 32-bit CRC value used to determine the validity of the received Ethernet frame.

· LLDP frame encapsulated in SNAP

Figure 36 SNAP-encapsulated LLDP frame

Table 12 Fields in a SNAP-encapsulated LLDP frame

Field	Description
Destination MAC address	MAC address to which the LLDP frame is advertised. It is the same as that for Ethernet II-encapsulated LLDP frames.
Source MAC address	MAC address of the sending port.
Type	SNAP type for the upper-layer protocol. This field is 0xAAAA-0300-0000-88CC for LLDP.
Data	LLDPDU.
FCS	Frame check sequence, a 32-bit CRC value used to determine the validity of the received Ethernet frame.

LLDPDUs

LLDP uses LLDPDUs to exchange information. An LLDPDU comprises multiple TLVs. Each TLV carries a type of device information, as shown in Figure 37.

Figure 37 LLDPDU encapsulation format

An LLDPDU can carry up to 32 types of TLVs. Mandatory TLVs include Chassis ID TLV, Port ID TLV, and Time to Live TLV. Other TLVs are optional.

TLVs

A TLV is an information element that contains the type, length, and value fields.

LLDPDU TLVs include the following categories:

· Basic management TLVs

· Organizationally (IEEE 802.1 and IEEE 802.3) specific TLVs

· LLDP-MED (media endpoint discovery) TLVs

Basic management TLVs are essential to device management.

Organizationally specific TLVs and LLDP-MED TLVs are used for enhanced device management. They are defined by standardization or other organizations and are optional for LLDPDUs.

· Basic management TLVs

Table 13 lists the basic management TLV types. Some of them are mandatory for LLDPDUs.

Table 13 Basic management TLVs

Type	Description	Remarks
Chassis ID	Specifies the bridge MAC address of the sending device.	Mandatory.
Port ID	Specifies the ID of the sending port: · If the LLDPDU carries LLDP-MED TLVs, the port ID TLV carries the MAC address of the sending port. · Otherwise, the port ID TLV carries the port name.
Time to Live	Specifies the life of the transmitted information on the receiving device.
End of LLDPDU	Marks the end of the TLV sequence in the LLDPDU.	Optional.
Port Description	Specifies the description for the sending port.
System Name	Specifies the assigned name of the sending device.
System Description	Specifies the description for the sending device.
System Capabilities	Identifies the primary features of the sending device and the enabled primary features.
Management Address	Specifies the following elements: · The management address of the local device. · The interface number and object identifier (OID) associated with the address.

· IEEE 802.1 organizationally specific TLVs

Table 14 IEEE 802.1 organizationally specific TLVs

Type	Description
Port VLAN ID (PVID)	Specifies the port VLAN identifier.
Port And Protocol VLAN ID (PPVID)	Indicates whether the device supports protocol VLANs and, if so, what VLAN IDs these protocols will be associated with.
VLAN Name	Specifies the textual name of any VLAN to which the port belongs.
Protocol Identity	Indicates protocols supported on the port.
DCBX	Data center bridging exchange protocol. DCBX TLVs are not supported in the current software version.
EVB module	Edge Virtual Bridging module, including EVB TLV and CDCP TLV. EVB TLVs are not supported in the current software version.
Link Aggregation	Indicates whether the port supports link aggregation, and if yes, whether link aggregation is enabled.
Management VID	Management VLAN ID.
VID Usage Digest	VLAN ID usage digest.
ETS Configuration	Enhanced Transmission Selection configuration.
ETS Recommendation	ETS recommendation.
PFC	Priority-based Flow Control.
APP	Application protocol.
QCN	Quantized Congestion Notification.

NOTE:

· H3C devices support only receiving protocol identity TLVs and VID usage digest TLVs.

· Layer 3 Ethernet ports support only link aggregation TLVs.

· IEEE 802.3 organizationally specific TLVs

Table 15 IEEE 802.3 organizationally specific TLVs

Type	Description
MAC/PHY Configuration/Status	Contains the bit-rate and duplex capabilities of the port, support for autonegotiation, enabling status of autonegotiation, and the current rate and duplex mode.
Power Via MDI	Contains the power supply capabilities of the port: · Port class (PSE or PD). · Power supply mode. · Whether PSE power supply is supported. · Whether PSE power supply is enabled. · Whether pair selection can be controlled. · Power supply type. · Power source. · Power priority. · PD requested power. · PSE allocated power.
Maximum Frame Size	Indicates the supported maximum frame size.
Power Stateful Control	Indicates the power state control configured on the sending port, including the following: · Power supply mode of the PSE/PD. · PSE/PD priority. · PSE/PD power.
Energy-Efficient Ethernet	Indicates Energy Efficient Ethernet (EEE).

NOTE:

The Power Stateful Control TLV is defined in IEEE P802.3at D1.0 and is not supported in later versions. H3C devices send this type of TLVs only after receiving them.

· LLDP-MED TLVs

LLDP-MED TLVs provide multiple advanced applications for voice over IP (VoIP), such as basic configuration, network policy configuration, and address and directory management. LLDP-MED TLVs provide a cost-effective and easy-to-use solution for deploying voice devices in Ethernet. LLDP-MED TLVs are shown in Table 16.

Table 16 LLDP-MED TLVs

Type	Description
LLDP-MED Capabilities	Allows a network device to advertise the LLDP-MED TLVs that it supports.
Network Policy	Allows a network device or terminal device to advertise the VLAN ID of a port, the VLAN type, and the Layer 2 and Layer 3 priorities for specific applications.
Extended Power-via-MDI	Allows a network device or terminal device to advertise power supply capability. This TLV is an extension of the Power Via MDI TLV.
Hardware Revision	Allows a terminal device to advertise its hardware version.
Firmware Revision	Allows a terminal device to advertise its firmware version.
Software Revision	Allows a terminal device to advertise its software version.
Serial Number	Allows a terminal device to advertise its serial number.
Manufacturer Name	Allows a terminal device to advertise its vendor name.
Model Name	Allows a terminal device to advertise its model name.
Asset ID	Allows a terminal device to advertise its asset ID. The typical case is that the user specifies the asset ID for the endpoint to facilitate directory management and asset tracking.
Location Identification	Allows a network device to advertise the appropriate location identifier information for a terminal device to use in the context of location-based applications.

NOTE:

· If the MAC/PHY configuration/status TLV is not advertisable, none of the LLDP-MED TLVs will be advertised even if they are advertisable.

· If the LLDP-MED capabilities TLV is not advertisable, the other LLDP-MED TLVs will not be advertised even if they are advertisable.

Management address

The network management system uses the management address of a device to identify and manage the device for topology maintenance and network management. The management address is encapsulated in the management address TLV.

Working mechanism

LLDP operating modes

An LLDP agent can operate in one of the following modes:

· TxRx mode—An LLDP agent in this mode can send and receive LLDP frames.

· Tx mode—An LLDP agent in this mode can only send LLDP frames.

· Rx mode—An LLDP agent in this mode can only receive LLDP frames.

· Disable mode—An LLDP agent in this mode cannot send or receive LLDP frames.

Each time the LLDP operating mode of an LLDP agent changes, its LLDP protocol state machine reinitializes. A configurable reinitialization delay prevents frequent initializations caused by frequent changes to the operating mode. If you configure the reinitialization delay, an LLDP agent must wait the specified amount of time to initialize LLDP after the LLDP operating mode changes.

Transmitting LLDP frames

An LLDP agent operating in TxRx mode or Tx mode sends LLDP frames to its directly connected devices both periodically and when the local configuration changes. To prevent LLDP frames from overwhelming the network during times of frequent changes to local device information, LLDP uses the token bucket mechanism to rate limit LLDP frames. For more information about the token bucket mechanism, see ACL and QoS Configuration Guide.

LLDP automatically enables the fast LLDP frame transmission mechanism in either of the following cases:

· A new LLDP frame is received and carries device information new to the local device.

· The LLDP operating mode of the LLDP agent changes from Disable or Rx to TxRx or Tx.

The fast LLDP frame transmission mechanism successively sends the specified number of LLDP frames at a configurable fast LLDP frame transmission interval. The mechanism helps LLDP neighbors discover the local device as soon as possible. Then, the normal LLDP frame transmission interval resumes.

Receiving LLDP frames

An LLDP agent operating in TxRx mode or Rx mode confirms the validity of TLVs carried in every received LLDP frame. If the TLVs are valid, the LLDP agent saves the information and starts an aging timer. The initial value of the aging timer is equal to the TTL value in the Time To Live TLV carried in the LLDP frame. When the LLDP agent receives a new LLDP frame, the aging timer restarts. When the aging timer decreases to zero, all saved information ages out.

Protocols and standards

· IEEE 802.1AB-2005, Station and Media Access Control Connectivity Discovery

· IEEE 802.1AB-2009, Station and Media Access Control Connectivity Discovery

· ANSI/TIA-1057, Link Layer Discovery Protocol for Media Endpoint Devices

· DCB Capability Exchange Protocol Specification Rev 1.00

· DCB Capability Exchange Protocol Base Specification Rev 1.01

· IEEE Std 802.1Qaz-2011, Media Access Control (MAC) Bridges and Virtual Bridged Local Area Networks-Amendment 18: Enhanced Transmission Selection for Bandwidth Sharing Between Traffic Classes

LLDP configuration task list

Tasks at a glance

Performing basic LLDP configurations:

· (Required.) Enabling LLDP

· (Optional.) Setting the LLDP bridge mode

· (Optional.) Setting the LLDP operating mode

· (Optional.) Setting the LLDP reinitialization delay

· (Optional.) Enabling LLDP polling

· (Optional.) Configuring the advertisable TLVs

· (Optional.) Configuring the management address and its encoding format

· (Optional.) Setting other LLDP parameters

· (Optional.) Setting an encapsulation format for LLDP frames

· (Optional.) Disabling LLDP PVID inconsistency check

(Optional.) Configuring LLDP trapping and LLDP-MED trapping

Performing basic LLDP configurations

Enabling LLDP

To make LLDP take effect on specific ports, you must enable LLDP both globally and on these ports.

To enable LLDP:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enable LLDP globally.	lldp global enable	By default, LLDP is enabled globally.
3. Enter Layer 2/Layer 3 Ethernet interface view, management Ethernet interface view, or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
4. Enable LLDP.	lldp enable	By default, LLDP is enabled on a port.

Setting the LLDP bridge mode

The following LLDP bridge modes are available:

· Customer bridge mode—LLDP supports nearest bridge agents, nearest non-TPMR bridge agents, and nearest customer bridge agents. LLDP processes the LLDP frames with destination MAC addresses for these agents and transparently transmits the LLDP frames with other destination MAC addresses in the VLAN.

· Service bridge mode—LLDP supports nearest bridge agents and nearest non-TPMR bridge agents. LLDP processes the LLDP frames with destination MAC addresses for these agents and transparently transmits the LLDP frames with other destination MAC addresses in the VLAN.

To set the LLDP bridge mode:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Set the LLDP bridge mode to service bridge.	lldp mode service-bridge	By default, LLDP operates in customer bridge mode.

Setting the LLDP operating mode

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2/Layer 3 Ethernet interface view, management Ethernet interface view, or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Set the LLDP operating mode.	· In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view: lldp [ agent { nearest-customer \| nearest-nontpmr } ] admin-status { disable \| rx \| tx \| txrx } · In Layer 2 aggregate interface view: lldp agent { nearest-customer \| nearest-nontpmr } admin-status { disable \| rx \| tx \| txrx }	By default: · The nearest bridge agent operates in txrx mode. · The nearest customer bridge agent and nearest non-TPMR bridge agent operate in disable mode. In Ethernet interface view, if you do not specify an agent type, the command sets the operating mode for nearest bridge agents. In aggregate interface view, you can set the operating mode only for nearest customer bridge agents and nearest non-TPMR bridge agents.

Setting the LLDP reinitialization delay

When the LLDP operating mode changes on a port, the port initializes the protocol state machines after an LLDP reinitialization delay. By adjusting the delay, you can avoid frequent initializations caused by frequent changes to the LLDP operating mode on a port.

To set the LLDP reinitialization delay for ports:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Set the LLDP reinitialization delay.	lldp timer reinit-delay delay	The default setting is 2 seconds.

Enabling LLDP polling

With LLDP polling enabled, a device periodically searches for local configuration changes. When the device detects a configuration change, it sends LLDP frames to inform neighboring devices of the change.

To enable LLDP polling:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2/Layer 3 Ethernet interface view, management Ethernet interface view, or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Enable LLDP polling and set the polling interval.	· In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view: lldp [ agent { nearest-customer \| nearest-nontpmr } ] check-change-interval interval · In Layer 2 aggregate interface view: lldp agent { nearest-customer \| nearest-nontpmr } check-change-interval interval	By default, LLDP polling is disabled.

Configuring the advertisable TLVs

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2/Layer 3 Ethernet interface view, management Ethernet interface view, or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Configure the advertisable TLVs (in Layer 2 Ethernet interface view).	· lldp tlv-enable { basic-tlv { all \| port-description \| system-capability \| system-description \| system-name \| management-address-tlv [ ipv6 ] [ ip-address ] } \| dot1-tlv { all \| port-vlan-id \| link-aggregation \| protocol-vlan-id [ vlan-id ] \| vlan-name [ vlan-id ] \| management-vid [ mvlan-id ] } \| dot3-tlv { all \| mac-physic \| max-frame-size \| power } \| med-tlv { all \| capability \| inventory \| network-policy [ vlan-id ] \| power-over-ethernet \| location-id { civic-address device-type country-code { ca-type ca-value }&<1-10> \| elin-address tel-number } } } · lldp agent nearest-nontpmr tlv-enable { basic-tlv { all \| port-description \| system-capability \| system-description \| system-name \| management-address-tlv [ ipv6 ] [ ip-address ] } \| dot1-tlv { all \| port-vlan-id \| link-aggregation } } · lldp agent nearest-customer tlv-enable { basic-tlv { all \| port-description \| system-capability \| system-description \| system-name \| management-address-tlv [ ipv6 ] [ ip-address ] } \| dot1-tlv { all \| port-vlan-id \| link-aggregation } }	By default: · Nearest bridge agents can advertise all LLDP TLVs except the location identification, port and protocol VLAN ID, VLAN name, management VLAN ID, and Energy-Efficient Ethernet TLVs. · Nearest customer bridge agents can advertise basic TLVs and IEEE 802.1 organizationally specific TLVs.
4. Configure the advertisable TLVs (in Layer 3 Ethernet interface view).	· lldp tlv-enable { basic-tlv { all \| port-description \| system-capability \| system-description \| system-name \| management-address-tlv [ ipv6 ] [ ip-address \| interface loopback interface-number ] } \| dot1-tlv { all \| link-aggregation } \| dot3-tlv { all \| mac-physic \| max-frame-size \| power } \| med-tlv { all \| capability \| inventory \| power-over-ethernet \| location-id { civic-address device-type country-code { ca-type ca-value }&<1-10> \| elin-address tel-number } } } · lldp agent { nearest-nontpmr \| nearest-customer } tlv-enable { basic-tlv { all \| port-description \| system-capability \| system-description \| system-name \| management-address-tlv [ ipv6 ] [ ip-address ] } \| dot1-tlv { all \| link-aggregation } }	By default: · Nearest bridge agents can advertise all types of LLDP TLVs (only link aggregation TLV is supported in 802.1 organizationally specific TLVs) except network policy and Energy-Efficient Ethernet TLVs. · Nearest non-TPMR bridge agents do not advertise TLVs. · Nearest customer bridge agents can advertise basic TLVs and IEEE 802.1 organizationally specific TLVs (only link aggregation TLV is supported).
5. Configure the advertisable TLVs (in management Ethernet interface view).	· lldp tlv-enable { basic-tlv { all \| port-description \| system-capability \| system-description \| system-name \| management-address-tlv [ ipv6 ] [ ip-address ] } \| dot1-tlv { all \| link-aggregation } \| dot3-tlv { all \| mac-physic \| max-frame-size \| power } \| med-tlv { all \| capability \| inventory \| power-over-ethernet \| location-id { civic-address device-type country-code { ca-type ca-value }&<1-10> \| elin-address tel-number } } } · lldp agent { nearest-nontpmr \| nearest-customer } tlv-enable { basic-tlv { all \| port-description \| system-capability \| system-description \| system-name \| management-address-tlv [ ipv6 ] [ ip-address ] } \| dot1-tlv { all \| link-aggregation } }	By default: · Nearest bridge agents can advertise all types of LLDP TLVs (only link aggregation TLV is supported in 802.1 organizationally specific TLVs) except network policy and Energy-Efficient Ethernet TLVs. · Nearest non-TPMR bridge agents do not advertise TLVs. · Nearest customer bridge agents can advertise basic TLVs and IEEE 802.1 organizationally specific TLVs (only link aggregation TLV is supported).
6. Configure the advertisable TLVs (in Layer 2 aggregate interface view).	· lldp agent nearest-nontpmr tlv-enable { basic-tlv { all \| management-address-tlv [ ipv6 ] [ ip-address ] \| port-description \| system-capability \| system-description \| system-name } \| dot1-tlv { all \| port-vlan-id } } · lldp agent nearest-customer tlv-enable { basic-tlv { all \| management-address-tlv [ ipv6 ] [ ip-address ] \| port-description \| system-capability \| system-description \| system-name } \| dot1-tlv { all \| port-vlan-id } } · lldp tlv-enable dot1-tlv { protocol-vlan-id [ vlan-id ] \| vlan-name [ vlan-id ] \| management-vid [ mvlan-id ] }	By default, nearest customer bridge agents can advertise basic TLVs and IEEE 802.1 organizationally specific TLVs (only port and protocol VLAN ID, VLAN name, and management VLAN ID TLVs are supported). Nearest bridge agents are not supported on Layer 2 aggregate interfaces.

Configuring the management address and its encoding format

LLDP encodes management addresses in numeric or string format in management address TLVs.

If a neighbor encodes its management address in string format, set the encoding format of the management address to string on the connecting port. This guarantees normal communication with the neighbor.

To configure a management address to be advertised and its encoding format on a port:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2/Layer 3 Ethernet interface view, management Ethernet interface view, or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Allow LLDP to advertise the management address in LLDP frames and configure the advertised management address.	· In Layer 2 Ethernet interface view or management Ethernet interface view: lldp [ agent { nearest-customer \| nearest-nontpmr } ] tlv-enable basic-tlv management-address-tlv [ ipv6 ] [ ip-address ] · In Layer 3 Ethernet interface view: lldp [ agent { nearest-customer \| nearest-nontpmr } ] tlv-enable basic-tlv management-address-tlv [ ipv6 ] [ ip-address ] \| interface loopback interface-number ] · In Layer 2 aggregate interface view: lldp agent { nearest-customer \| nearest-nontpmr } tlv-enable basic-tlv management-address-tlv [ ipv6 ] [ ip-address ]	By default: · Nearest bridge agents and nearest customer bridge agents can advertise the management address in LLDP frames. · Nearest non-TPMR bridge agents cannot advertise the management address in LLDP frames.
4. Set the encoding format of the management address to string.	· In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view: lldp [ agent { nearest-customer \| nearest-nontpmr } ] management-address-format string · In Layer 2 aggregate interface view: lldp agent { nearest-customer \| nearest-nontpmr } management-address-format string	By default, the encoding format of the management address is numeric.

Setting other LLDP parameters

The Time to Live TLV carried in an LLDPDU determines how long the device information carried in the LLDPDU can be saved on a recipient device.

By setting the TTL multiplier, you can configure the TTL of locally sent LLDPDUs. The TTL is expressed by using the following formula:

TTL = Min (65535, (TTL multiplier × LLDP frame transmission interval + 1))

As the expression shows, the TTL can be up to 65535 seconds. TTLs greater than 65535 will be rounded down to 65535 seconds.

To set LLDP parameters:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Set the TTL multiplier.	lldp hold-multiplier value	The default setting is 4.
3. Set the LLDP frame transmission interval.	lldp timer tx-interval interval	The default setting is 30 seconds.
4. Set the token bucket size for sending LLDP frames.	lldp max-credit credit-value	The default setting is 5.
5. Set the number of LLDP frames sent each time fast LLDP frame transmission is triggered.	lldp fast-count count	The default setting is 4.
6. Set the fast LLDP frame transmission interval.	lldp timer fast-interval interval	The default setting is 1 second.

Setting an encapsulation format for LLDP frames

LLDP frames can be encapsulated in the following formats:

· Ethernet II—With Ethernet II encapsulation configured, an LLDP port sends LLDP frames in Ethernet II frames.

· SNAP—With SNAP encapsulation configured, an LLDP port sends LLDP frames in SNAP frames.

Earlier versions of LLDP require the same encapsulation format on both ends to process LLDP frames. To successfully communicate with a neighboring device running an earlier version of LLDP, the local device must be set with the same encapsulation format.

To set the encapsulation format for LLDP frames to SNAP:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2/Layer 3 Ethernet interface view, management Ethernet interface view, or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Set the encapsulation format for LLDP frames to SNAP.	· In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view: lldp [ agent { nearest-customer \| nearest-nontpmr } ] encapsulation snap · In Layer 2 aggregate interface view: lldp agent { nearest-customer \| nearest-nontpmr } encapsulation snap	By default, Ethernet II encapsulation format applies.

Disabling LLDP PVID inconsistency check

By default, when the system receives an LLDP packet, it compares the PVID value contained in the packet with the PVID configured on the receiving interface. If the two PVIDs do not match, a log message will be printed to notify the user.

You can disable PVID inconsistency check if different PVIDs are required on a link.

To disable LLDP PVID inconsistency check:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Disable LLDP PVID inconsistency check.	lldp ignore-pvid-inconsistency	By default, LLDP PVID inconsistency check is enabled.

Configuring LLDP trapping and LLDP-MED trappin g

LLDP trapping or LLDP-MED trapping notifies the network management system of events such as newly detected neighboring devices and link failures.

To prevent excessive LLDP traps from being sent when the topology is unstable, set a trap transmission interval for LLDP.

To configure LLDP trapping and LLDP-MED trapping:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 2/Layer 3 Ethernet interface view, management Ethernet interface view, or Layer 2 aggregate interface view.	interface interface-type interface-number	N/A
3. Enable LLDP trapping.	· In Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view: lldp [ agent { nearest-customer \| nearest-nontpmr } ] notification remote-change enable · In Layer 2 aggregate interface view: lldp agent { nearest-customer \| nearest-nontpmr } notification remote-change enable	By default, LLDP trapping is disabled.
4. Enable LLDP-MED trapping (in Layer 2/Layer 3 Ethernet interface view or management Ethernet interface view).	lldp notification med-topology-change enable	By default, LLDP-MED trapping is disabled.
5. Return to system view.	quit	N/A
6. (Optional.) Set the LLDP trap transmission interval.	lldp timer notification-interval interval	The default setting is 30 seconds.

Displaying and maintaining LLDP

Execute display commands in any view.

Task	Command
Display local LLDP information.	display lldp local-information [ global \| interface interface-type interface-number ]
Display the information contained in the LLDP TLVs sent from neighboring devices.	display lldp neighbor-information [ [ [ interface interface-type interface-number ] [ agent { nearest-bridge \| nearest-customer \| nearest-nontpmr } ] [ verbose ] ] \| list [ system-name system-name ] ]
Display LLDP statistics.	display lldp statistics [ global \| [ interface interface-type interface-number ] [ agent { nearest-bridge \| nearest-customer \| nearest-nontpmr } ] ]
Display LLDP status of a port.	display lldp status [ interface interface-type interface-number ] [ agent { nearest-bridge \| nearest-customer \| nearest-nontpmr } ]
Display types of advertisable optional LLDP TLVs.	display lldp tlv-config [ interface interface-type interface-number ] [ agent { nearest-bridge \| nearest-customer \| nearest-nontpmr } ]

Basic LLDP configuration example

Network requirements

As shown in Figure 38, configure LLDP on the switch and the AC to monitor the link between them.

Figure 38 Network diagram

Configuration procedure

1. Configure the switch:

# Enable LLDP globally.

<Switch> system-view

[Switch] lldp global enable

# Enable LLDP on GigabitEthernet 1/0/1. By default, LLDP is enabled on ports.

[Switch] interface gigabitethernet 1/0/1

[Switch-GigabitEthernet1/0/1] lldp enable

# Set the LLDP operating mode to Rx on GigabitEthernet 1/0/1.

[Switch-GigabitEthernet1/0/1] lldp admin-status rx

[Switch-GigabitEthernet1/0/1] quit

# Enable LLDP on GigabitEthernet 1/0/2. By default, LLDP is enabled on ports.

[Switch] interface gigabitethernet1/2

[Switch-GigabitEthernet1/0/2] lldp enable

# Set the LLDP operating mode to Rx on GigabitEthernet 1/0/2.

[Switch-GigabitEthernet1/0/2] lldp admin-status rx

[Switch-GigabitEthernet1/0/2] quit

2. Configure the AC:

# Enable LLDP globally.

<AC> system-view

[AC] lldp global enable

# Enable LLDP on GigabitEthernet 1/0/1. By default, LLDP is enabled on ports.

[AC] interface gigabitethernet 1/0/1

[AC-GigabitEthernet1/0/1] lldp enable

# Set the LLDP operating mode to Tx on GigabitEthernet 1/0/1.

[AC-GigabitEthernet1/0/1] lldp admin-status tx

[AC-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify that GigabitEthernet 1/0/2 of the switch meets the following conditions:

· The port connects to a neighboring device.

· The port operates in Rx mode, and it can receive LLDP frames but cannot send LLDP frames.

[Switch] display lldp status

Global status of LLDP: Enable

Bridge mode of LLDP: customer-bridge

The current number of LLDP neighbors: 2

The current number of CDP neighbors: 0

LLDP neighbor information last changed time: 0 days, 0 hours, 4 minutes, 40 seconds

Transmit interval : 30s

Fast transmit interval : 1s

Transmit credit max : 5

Hold multiplier : 4

Reinit delay : 2s

Trap interval : 30s

Fast start times : 4

LLDP status information of port 2 [GigabitEthernet1/0/2]:

LLDP agent nearest-bridge:

Port status of LLDP : Enable

Admin status : Rx_Only

Trap flag : No

MED trap flag : No

Polling interval : 0s

Number of LLDP neighbors : 1

Number of MED neighbors : 0

Number of CDP neighbors : 0

Number of sent optional TLV : 21

Number of received unknown TLV : 3

LLDP agent nearest-nontpmr:

Port status of LLDP : Enable

Admin status : Disable

Trap flag : No

MED trap flag : No

Polling interval : 0s

Number of LLDP neighbors : 0

Number of MED neighbors : 0

Number of CDP neighbors : 0

Number of sent optional TLV : 1

Number of received unknown TLV : 0

LLDP agent nearest-customer:

Port status of LLDP : Enable

Admin status : Disable

Trap flag : No

MED trap flag : No

Polling interval : 0s

Number of LLDP neighbors : 0

Number of MED neighbors : 0

Number of CDP neighbors : 0

Number of sent optional TLV : 16

Number of received unknown TLV : 0

# Remove the link between the switch and the AC.

# Verify that GigabitEthernet 1/0/2 of the switch does not connect to any neighboring devices.

[Switch] display lldp status

Global status of LLDP: Enable

The current number of LLDP neighbors: 1

The current number of CDP neighbors: 0

LLDP neighbor information last changed time: 0 days, 0 hours, 5 minutes, 20 seconds

Transmit interval : 30s

Fast transmit interval : 1s

Transmit credit max : 5

Hold multiplier : 4

Reinit delay : 2s

Trap interval : 30s

Fast start times : 4

LLDP status information of port 2 [GigabitEthernet1/0/2]:

LLDP agent nearest-bridge:

Port status of LLDP : Enable

Admin status : Rx_Only

Trap flag : No

MED trap flag : No

Polling interval : 0s

Number of LLDP neighbors : 0

Number of MED neighbors : 0

Number of CDP neighbors : 0

Number of sent optional TLV : 0

Number of received unknown TLV : 0

LLDP agent nearest-nontpmr:

Port status of LLDP : Enable

Admin status : Disable

Trap flag : No

MED trap flag : No

Polling interval : 0s

Number of LLDP neighbors : 0

Number of MED neighbors : 0

Number of CDP neighbors : 0

Number of sent optional TLV : 1

Number of received unknown TLV : 0

LLDP agent nearest-customer:

Port status of LLDP : Enable

Admin status : Disable

Trap flag : No

MED trap flag : No

Polling interval : 0s

Number of LLDP neighbors : 0

Number of MED neighbors : 0

Number of CDP neighbors : 0

Number of sent optional TLV : 16

Number of received unknown TLV : 0

Configuring Layer 2 forwarding

Command and hardware compatibility

The WX1800H series access controllers do not support the slot keyword or the slot-number argument.

Configuring normal Layer 2 forwarding

When an incoming frame's destination MAC address does not match any Layer 3 interface's MAC address, normal Layer 2 forwarding forwards the frame through a Layer 2 interface.

The device uses the destination MAC address of the frame to look for a match in the MAC address table.

· The device forwards the frame out of the outgoing interface in the matching entry if a match is found.

· The device floods the frame to all interfaces in the VLAN of the frame if no match is found.

Configuration procedure

Normal Layer 2 forwarding is enabled by default.

Displaying and maintaining normal Layer 2 forwarding

Execute display commands in any view and reset commands in user view.

Task	Command
Display Layer 2 forwarding statistics.	display mac-forwarding statistics [ interface interface-type interface-number ]
Clear Layer 2 forwarding statistics.	reset mac-forwarding statistics

Configuring fast Layer 2 forwarding

Fast Layer 2 forwarding improves packet forwarding efficiency by using a high-speed cache and flow-based technology. It identifies a flow by using the following items:

· Source IP address.

· Source port number.

· Destination IP address.

· Destination port number.

· Protocol number.

· Input interface.

· Output interface.

· VLAN ID.

Fast Layer 2 forwarding creates an entry in a high-speed cache by obtaining the forwarding information of a flow's first packet. Subsequent packets of the flow are forwarded based on the entry.

Configuration procedure

Fast Layer 2 forwarding is enabled by default.

Displaying and maintaining fast Layer 2 forwarding

Execute display commands in any view.

Task	Command
Display IPv4 fast forwarding entries.	display mac-forwarding cache ip [ ip-address ] [ slot slot-number ]
Display IPv4 fast forwarding entries for fragments.	display mac-forwarding cache ip fragment [ ip-address ] [ slot slot-number ]
Display IPv6 fast forwarding entries.	display mac-forwarding cache ipv6 [ ipv6-address ] [ slot slot-number ]

Configuring VLAN termination

Overview

VLAN termination typically processes packets that include VLAN tags. A VLAN termination-enabled interface performs the following tasks when receiving a VLAN-tagged packet:

1. Assigns the packet to an interface according to its VLAN tags.

2. Removes the VLAN tags of the packet.

3. Delivers the packet to Layer 3 forwarding or other processing pipelines.

Before sending the packet, the VLAN termination-enabled interface determines whether to add new VLAN tags to the packet, based on the VLAN termination type.

VLAN termination can also process packets that do not include any VLAN tags.

This document uses the following VLAN tag concepts for a packet that has two or more layers of VLAN tags:

· Layer 1 VLAN tag—Specifies the outermost layer of VLAN tags.

· Layer 2 VLAN tag—Specifies the second outermost layer of VLAN tags.

The VLAN IDs of the packets are numbered in the same manner as the VLAN tags.

VLAN termination types

VLAN termination types	Types of packets to be terminated on the interface	Tagging status of outgoing packets on the interface
Dot1q termination	The packets must meet both of the following requirements: · The packets include one or more layers of VLAN tags. · The outermost VLAN tag matches the configured value.	Single-tagged
QinQ termination	The packets must meet both of the following requirements: · The packets include two or more layers of VLAN tags. · The outermost two layers of tags match the configured values.	Double-tagged
Untagged termination	Untagged packets	Untagged
Default termination	Packets that cannot be processed on any other subinterfaces of the same main interface	Untagged

VLAN termination application scenarios

Inter-VLAN communication

Hosts in different VLANs cannot directly communicate with each other. You can use Layer 3 routing to allow all VLANs to communicate. To restrict communication to the specified VLANs, configure VLAN termination on subinterfaces or VLAN interfaces.

As shown in Figure 39, Host A and Host B are in different VLANs. The two hosts can communicate with each other after you perform the following tasks:

1. Specify 1.1.1.1/24 and 1.1.2.1/24 as the gateway IP addresses for Host A and Host B, respectively.

2. On the device, configure VLAN termination on Layer 3 Ethernet subinterfaces GigabitEthernet 1/0/1.1 and GigabitEthernet 1/0/2.1.

Figure 39 VLAN termination for inter-VLAN communication

LAN-WAN communication

Typically, WAN protocols such as PPP do not recognize VLAN-tagged packets from LANs. Before packets are sent to a WAN, the sending port must locally record the VLAN information and remove VLAN tags from the packets. To do that, configure VLAN termination on subinterfaces or VLAN interfaces.

As shown in Figure 40, a host is located on a customer network and wants to access the WAN network. CVLAN and SVLAN represent the VLAN on the customer network and service provider network, respectively.

To access the WAN network, a packet originating from the host is processed as follows:

1. Layer 2 Switch A adds a CVLAN tag to the packet and sends the packet.

2. Layer 2 Switch B adds an SVLAN tag to the packet on the QinQ-enabled port.

3. The packet is forwarded on the service provider network based on the SVLAN tag.

4. The gateway removes the two layers of VLAN tags from the packet and adds new VLAN tags on the QinQ termination-enabled port.

5. The gateway sends the packet to the WAN network.

Figure 40 VLAN termination enables LAN-WAN communication

Feature and hardware compatibility

The following matrix shows the VLAN termination and hardware compatibility:

Hardware series	Model	VLAN termination compatibility
WX1800H series	WX1804H WX1810H WX1820H	Yes
WX2500H series	WX2510H WX2540H WX2560H	Yes
WX3000H series	WX3010H WX3010H-L WX3010H-X WX3024H WX3024H-L	Yes: · WX3010H · WX3024H No: · WX3010H-L · WX3010H-X · WX3024H-L
WX3500H series	WX3508H WX3510H WX3520H WX3540H	No
WX5500E series	WX5510E WX5540E	No
WX5500H series	WX5540H WX5560H WX5580H	No
Access controller modules	EWPXM1MAC0F EWPXM2WCMD0F LSQM1WCMX20 LSQM1WCMX40 LSUM1WCME0 LSUM1WCMX20RT LSUM1WCMX40RT	No

Configuration restrictions and guidelines

When you configure VLAN termination, follow these restrictions and guidelines:

· On a portal-enabled interface, log off all portal users before you change the VLAN termination type, for example, from Dot1q termination to QinQ termination. Any portal users who remain online after the change cannot be logged off or reauthenticated. For more information about portal authentication, see Security Configuration Guide.

· A main interface cannot terminate VLAN-tagged packets. To terminate VLAN-tagged packets, you can create subinterfaces for the main interface.

· Layer 3 Ethernet subinterfaces and VLAN interfaces can terminate the following packets:

? Packets with matching Layer 1 VLAN IDs.

? Packets with matching Layer 1 and Layer 2 VLAN IDs.

A VLAN interface can terminate only the packets whose Layer 1 VLAN ID is numbered the same as the VLAN interface. For example, VLAN-interface 10 can terminate only the packets that have Layer 1 VLAN tag 10.

· After you modify the VLAN termination configuration for a Layer 3 Ethernet subinterface, the subinterface automatically restarts. All dynamic ARP table entries for the subinterface are deleted.

· When a main interface bound to a VLAN interface receives a VLAN-tagged packet, the main interface processes the packet according to the VLAN interface configuration.

After you configure VLAN termination, the system finds an interface for a received packet in the following order:

· Subinterface configured with QinQ termination.

· Subinterface configured with Dot1q termination, or subinterface that supports Dot1q termination by default.

· Subinterface configured with untagged termination.

· Subinterface configured with default termination.

· Main interface.

VLAN termination configuration task list

Tasks at a glance

(Required.) Perform one of the following tasks:

· Configuring Dot1q termination

? Configuring ambiguous Dot1q termination

? Configuring unambiguous Dot1q termination

· Configuring QinQ termination

? Configuring ambiguous QinQ termination

? Configuring unambiguous QinQ termination

· Configuring untagged termination

· Configuring default termination

(Optional.) Enabling a VLAN termination-enabled interface to transmit broadcasts and multicasts

Configuring Dot1q termination

Based on the range of outermost VLAN IDs in the VLAN-tagged packets that can be terminated by a subinterface, the following types of Dot1q termination are available:

· Ambiguous Dot1q termination—Terminates VLAN-tagged packets whose outermost VLAN IDs are in the specified range. Any other VLAN-tagged packets are not allowed to pass through this subinterface.

When the subinterface receives a packet, it removes the outermost layer of tags from the packet. When the subinterface sends a packet, it tags the packet with a VLAN ID as follows:

? For a PPPoE packet, the VLAN ID is obtained by searching the PPPoE session entries.

? For a DHCP relay packet, the VLAN ID is obtained by searching the DHCP session entries.

? For an IPv4 packet, the VLAN ID is obtained by searching the ARP entries.

· Unambiguous Dot1q termination—Terminates only VLAN-tagged packets whose outermost VLAN ID matches the specified VLAN ID. Any other VLAN-tagged packets are not allowed to pass through this subinterface.

When the subinterface receives a packet, it removes the outermost VLAN tag of the packet.

When the subinterface sends a packet, it tags the packet with the specified VLAN ID.

Configuring ambiguous Dot1q termination

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 3 Ethernet subinterface view.	interface interface-type interface-number.subnumber	N/A
3. Configure ambiguous Dot1q termination.	vlan-type dot1q vid vlan-id-list	By default, Dot1q termination is disabled on a subinterface.

Configuring unambiguous Dot1q termination

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 3 Ethernet subinterface view.	interface interface-type interface-number.subnumber	N/A
3. Configure unambiguous Dot1q termination.	vlan-type dot1q vid vlan-id	By default, Dot1q termination is disabled on a subinterface.

Configuring QinQ termination

QinQ termination allows only packets that include specific VLAN tags to pass through the subinterface or VLAN interface. The following types of QinQ termination are available:

· Ambiguous QinQ termination—Terminates QinQ packets whose outermost two layers of VLAN IDs are in the specified range.

When the subinterface or VLAN interface receives a packet, it removes the outermost two layers of VLAN tags of the packet.

When the subinterface or VLAN interface sends a packet, it tags the packet with the outermost two layers of VLAN IDs, which are determined as follows:

? For a PPPoE packet, the outermost two layers of VLAN IDs are obtained by searching the PPPoE session entries.

? For a DHCP relay packet, the outermost two layers of VLAN IDs are obtained by searching the DHCP relay entries.

? For an IPv4 packet, the outermost two layers of VLAN IDs are obtained by searching the ARP entries.

· Unambiguous QinQ termination—Terminates QinQ packets whose outermost two layers of VLAN IDs match the specified values.

When the subinterface or VLAN interface receives a packet, it removes the two layers of VLAN tags of the packet.

When the subinterface or VLAN interface sends the packet, it tags the packet with two layers of VLAN tags as specified.

Configuring ambiguous QinQ termination

Configuring ambiguous QinQ termination by specifying the outermost two layers of VLAN IDs

When you configure ambiguous QinQ termination by using this method, follow these restrictions and guidelines:

· If you specify the same Layer 1 VLAN ID for multiple subinterfaces under a main interface, the Layer 2 VLAN IDs specified for them must be different. However, if you specify different Layer 1 VLAN IDs for the subinterfaces, the Layer 2 VLAN IDs specified for the subinterfaces are not required to be different.

· Subinterfaces under different main interfaces can terminate VLAN-tagged packets with the same Layer 1 and Layer 2 VLAN IDs.

· When you use the vlan-type dot1q vid second-dot1q command to configure ambiguous QinQ termination multiple times, one of the following conditions occurs:

? If the most recently specified Layer 1 ID is the same as the current Layer 1 ID, the specified Layer 2 IDs in both configurations take effect.

? If the most recently specified Layer 1 ID is different from the current Layer 1 ID, you must first delete the old configuration.

To configure ambiguous QinQ termination:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 3 Ethernet subinterface view.	interface interface-type interface-number.subnumber	N/A
3. Configure ambiguous QinQ termination by specifying the outermost two layers of VLAN IDs.	vlan-type dot1q vid vlan-id-list second-dot1q { vlan-id-list \| any }	By default, QinQ termination is disabled on an interface.

Configuring ambiguous QinQ termination by specifying the Layer 2 VLAN IDs

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VLAN interface view.	interface vlan-interface interface-number	N/A
3. Configure ambiguous QinQ termination by specifying the Layer 2 VLAN IDs.	second-dot1q { vlan-id-list \| any }	By default, QinQ termination is disabled on an interface. The Layer 1 VLAN ID of the VLAN-tagged packets that can be terminated by the subinterface or VLAN interface is the number of the subinterface or VLAN interface. This Layer 1 VLAN ID is not configurable.

NOTE:

After you enable ambiguous QinQ termination on a VLAN interface, Layer 2 Ethernet interfaces bound to the VLAN interface operate as follows:

· Process only packets that match the ambiguous QinQ termination configuration of the VLAN interface.

· Drop any other packets sent to the VLAN interface.

Configuring unambiguous QinQ termination

Configuring unambiguous QinQ termination by specifying the outermost two layers of VLAN IDs

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 3 Ethernet subinterface view.	interface interface-type interface-number.subnumber	N/A
3. Configure unambiguous QinQ termination by specifying the outermost two layers of VLAN IDs.	vlan-type dot1q vid vlan-id second-dot1q vlan-id	By default, QinQ termination is disabled on an interface.

Configuring unambiguous QinQ termination by specifying the Layer 2 VLAN ID

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter VLAN interface view.	interface vlan-interface interface-number	N/A
3. Configure unambiguous QinQ termination by specifying the Layer 2 VLAN ID.	second-dot1q vlan-id	By default, QinQ termination is disabled on an interface. The Layer 1 VLAN ID of the VLAN-tagged packets that can be terminated by the subinterface or VLAN interface is the number of the subinterface or VLAN interface. This Layer 1 VLAN ID is not configurable.

NOTE:

After you enable unambiguous QinQ termination on a VLAN interface, Layer 2 Ethernet interfaces bound to the VLAN interface operate as follows:

· Process only packets that match the unambiguous QinQ termination configuration of the VLAN interface.

· Drop any other packets sent to the VLAN interface.

Configuring untagged termination

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 3 Ethernet subinterface view.	interface interface-type interface-number.subnumber	N/A
3. Configure untagged termination.	vlan-type dot1q untagged	By default, untagged termination is disabled on a subinterface.

Configuring default termination

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter Layer 3 Ethernet subinterface view.	interface interface-type interface-number.subnumber	N/A
3. Configure default termination.	vlan-type dot1q default	By default, default termination is disabled on a subinterface.

Enabling a VLAN termination-enabled interface to transmit broadcasts and multicasts

This function enables ambiguous Dot1q or QinQ termination-enabled interfaces to transmit broadcasts and multicasts.

To enable a VLAN termination-enabled interface to transmit broadcasts and multicasts:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	· Enter Layer 3 Ethernet subinterface view: interface interface-type interface-number.subnumber · Enter VLAN interface view: interface vlan-interface interface-number	N/A
3. Enable the interface to transmit broadcasts and multicasts.	vlan-termination broadcast enable	By default, an ambiguous Dot1q or QinQ termination-enabled interface does not transmit broadcasts and multicasts.

VLAN termination configuration examples

Unambiguous Dot1q termination configuration example

Network requirements

As shown in Figure 41, configure unambiguous Dot1q termination on subinterfaces of the device to implement intra-VLAN and inter-VLAN communications between hosts.

Figure 41 Network diagram

Configuration procedure

IMPORTANT:

The vlan-type dot1q vid command is required for devices that support it, because an Ethernet subinterface can be activated and transmit packets only after it is associated with VLANs.

1. Configure Host A, Host B, Host C, and Host D:

# On Host A, specify 1.1.1.1/8 and 1.0.0.1/8 as its IP address and gateway IP address, respectively. (Details not shown.)

# On Host B, specify 2.2.2.2/8 and 2.0.0.1/8 as its IP address and gateway IP address, respectively. (Details not shown.)

# On Host C, specify 3.3.3.3/8 and 3.0.0.1/8 as its IP address and gateway IP address, respectively. (Details not shown.)

# On Host D, specify 4.4.4.4/8 and 4.0.0.1/8 as its IP address and gateway IP address, respectively. (Details not shown.)

2. Configure Layer 2 Switch A:

# Create VLAN 10.

<L2_SwitchA> system-view

[L2_SwitchA] vlan 10

# Assign GigabitEthernet 1/0/2 to VLAN 10.

[L2_SwitchA-vlan10] port gigabitethernet 1/0/2

[L2_SwitchA-vlan10] quit

# Create VLAN 20.

[L2_SwitchA] vlan 20

# Assign GigabitEthernet 1/0/3 to VLAN 20.

[L2_SwitchA-vlan20] port gigabitethernet 1/0/3

[L2_SwitchA-vlan20] quit

# Configure GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLANs 10 and 20.

[L2_SwitchA] interface gigabitethernet 1/0/1

[L2_SwitchA-GigabitEthernet1/0/1] port link-type trunk

[L2_SwitchA-GigabitEthernet1/0/1] port trunk permit vlan 10 20

3. Configure Layer 2 Switch B in the same way you configure Layer 2 Switch A. (Details not shown.)

4. Configure the AC:

# Create GigabitEthernet 1/0/1.10, and assign an IP address to this interface.

<AC> system-view

[AC] interface gigabitethernet 1/0/1.10

[AC-GigabitEthernet1/0/1.10] ip address 1.0.0.1 255.0.0.0

# Configure GigabitEthernet 1/0/1.10 to terminate packets tagged with VLAN 10.

[AC-GigabitEthernet1/0/1.10] vlan-type dot1q vid 10

[AC-GigabitEthernet1/0/1.10] quit

# Create GigabitEthernet 1/0/1.20, and assign an IP address to this interface.

[AC] interface gigabitethernet 1/0/1.20

[AC-GigabitEthernet1/0/1.20] ip address 2.0.0.1 255.0.0.0

# Configure GigabitEthernet 1/0/1.20 to terminate packets tagged with VLAN 20.

[AC-GigabitEthernet1/0/1.20] vlan-type dot1q vid 20

[AC-GigabitEthernet1/0/1.20] quit

# Configure GigabitEthernet 2/0/1.10, and assign an IP address to this interface.

[AC] interface gigabitethernet 2/0/1.10

[AC-GigabitEthernet2/0/1.10] ip address 3.0.0.1 255.0.0.0

# Configure GigabitEthernet 2/0/1.10 to terminate packets tagged with VLAN 10.

[AC-GigabitEthernet2/0/1.10] vlan-type dot1q vid 10

[AC-GigabitEthernet2/0/1.10] quit

# Configure GigabitEthernet 2/0/1.20, and assign an IP address to this interface.

[AC] interface gigabitethernet 2/0/1.20

[AC-GigabitEthernet2/0/1.20] ip address 4.0.0.1 255.0.0.0

# Configure GigabitEthernet 2/0/1.20 to terminate packets tagged with VLAN 20.

[AC-GigabitEthernet2/0/1.20] vlan-type dot1q vid 20

[AC-GigabitEthernet2/0/1.20] quit

Verifying the configuration

# Verify that Host A, Host B, Host C, and Host D can ping each other. (Details not shown.)

Ambiguous Dot1q termination configuration example

Network requirements

As shown in Figure 42, configure ambiguous Dot1q termination, so that hosts in different VLANs can communicate with the server group.

Figure 42 Network diagram

Configuration procedure

In this example, L2 switch B uses the factory configuration.

1. Configure Host A, Host B, and Host C:

# Assign 1.1.1.1/24, 1.1.1.2/24, and 1.1.1.3/24 to Host A, Host B, and Host C, respectively. (Details not shown.)

# Specify 1.1.1.11/24 as the gateway IP address for the hosts. (Details not shown.)

2. Configure Layer 2 Switch A:

# Create VLAN 11.

<L2_SwitchA> system-view

[L2_SwitchA] vlan 11

# Assign GigabitEthernet 1/0/1 to VLAN 11.

[L2_SwitchA-vlan11] port gigabitethernet 1/0/1

[L2_SwitchA-vlan11] quit

# Create VLAN 12.

[L2_SwitchA] vlan 12

# Assign GigabitEthernet 1/0/2 to VLAN 12.

[L2_SwitchA-vlan12] port gigabitethernet 1/0/2

[L2_SwitchA-vlan12] quit

# Create VLAN 13.

[L2_SwitchA] vlan 13

# Assign GigabitEthernet 1/0/3 to VLAN 13.

[L2_SwitchA-vlan13] port gigabitethernet 1/0/3

[L2_SwitchA-vlan13] quit

# Configure GigabitEthernet 1/0/7 as a trunk port, and assign the port to VLANs 11 through 13.

[L2_SwitchA] interface gigabitethernet 1/0/7

[L2_SwitchA-GigabitEthernet1/0/7] port link-type trunk

[L2_SwitchA-GigabitEthernet1/0/7] port trunk permit vlan 11 to 13

3. Configure the AC:

# Create Ethernet subinterface GigabitEthernet 1/0/1.10, and assign an IP address to the subinterface.

<AC> system-view

[AC] interface gigabitethernet 1/0/1.10

[AC-GigabitEthernet1/0/1.10] ip address 1.1.1.11 255.255.255.0

# Enable Dot1q termination on GigabitEthernet 1/0/1.10 to terminate VLAN-tagged packets whose Layer 1 VLAN IDs are 11, 12, or 13.

[AC-GigabitEthernet1/0/1.10] vlan-type dot1q vid 11 to 13

# Enable GigabitEthernet 1/0/1.10 to transmit broadcasts and multicasts.

[AC-GigabitEthernet1/0/1.10] vlan-termination broadcast enable

[AC-GigabitEthernet1/0/1.10] quit

# Configure an IP address for GigabitEthernet 1/0/2.

[AC] interface gigabitethernet 1/0/2

[AC-GigabitEthernet1/0/2] ip address 1.1.2.11 255.255.255.0

4. Configure the server group:

# Assign each device in the server group an IP address on the network segment 1.1.2.0/24. (Details not shown.)

# Specify 1.1.2.11/24 as the gateway IP address for the server group. (Details not shown.)

Verifying the configuration

# Verify that Host A, Host B, and Host C can ping the device in the server group. (Details not shown.)

Configuration example for Dot1q termination supporting PPPoE server

Network requirements

As shown in Figure 43, the AC acts as a PPPoE server. Hosts in different VLANs access the Internet through the PPPoE server.

Configure Dot1q termination so that hosts in different VLANs can access the Internet.

Figure 43 Network diagram

Configuration procedure

# Configure VLANs and Dot1q termination. For the configuration procedure, see "Ambiguous Dot1q termination configuration example." (Details not shown.)

# Configure the AC as the PPPoE server. Configure PPPoE settings on GigabitEthernet 1/0/1.10 on the AC. For more information about the PPPoE configuration, see Layer 2—WAN Configuration Guide. (Details not shown.)

Unambiguous QinQ termination configuration example

Network requirements

As shown in Figure 44:

· Layer 2 Switch C supports only single VLAN-tagged packets.

· On Layer 2 Switch B, GigabitEthernet 1/0/2 is enabled with QinQ to adds an SVLAN tag 100 to the packets with CVLAN ID 11.

Configure unambiguous QinQ termination so that Host A can communicate with Host B.

Figure 44 Network diagram

Configuration procedure

In this example, Layer 2 Switch C uses the factory configuration.

1. Configure Host A and Host B:

# On Host A, specify 1.1.1.1/24 and 1.1.1.11/24 as its IP address and gateway IP address, respectively. (Details not shown.)

# On Host B, specify 1.1.2.1/24 and 1.1.2.11/24 as its IP address and gateway IP address, respectively. (Details not shown.)

2. Configure Layer 2 Switch A:

# Create VLAN 11.

<L2_SwitchA> system-view

[L2_SwitchA] vlan 11

# Assign GigabitEthernet 1/0/2 to VLAN 11.

[L2_SwitchA-vlan11] port gigabitethernet 1/0/2

[L2_SwitchA-vlan11] quit

# Configure GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLAN 11.

[L2_SwitchA] interface gigabitethernet 1/0/1

[L2_SwitchA-GigabitEthernet1/0/1] port link-type trunk

[L2_SwitchA-GigabitEthernet1/0/1] port trunk permit vlan 11

3. Configure Layer 2 Switch B:

# Configure GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 11 and VLAN 100.

<L2_SwitchB> system-view

[L2_SwitchB] interface gigabitethernet 1/0/2

[L2_SwitchB-GigabitEthernet1/0/2] port link-type trunk

[L2_SwitchB-GigabitEthernet1/0/2] port trunk permit vlan 11 100

# Set the PVID of GigabitEthernet 1/0/2 to VLAN 100.

[L2_SwitchB-GigabitEthernet1/0/2] port trunk pvid vlan 100

# Enable QinQ on GigabitEthernet 1/0/2.

[L2_SwitchB-GigabitEthernet1/0/2] qinq enable

[L2_SwitchB-GigabitEthernet1/0/2] quit

# Configure GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLAN 100.

[L2_SwitchB] interface gigabitethernet 1/0/1

[L2_SwitchB-GigabitEthernet1/0/1] port link-type trunk

[L2_SwitchB-GigabitEthernet1/0/1] port trunk permit vlan 100

4. Configure the AC:

# Create Ethernet subinterface GigabitEthernet 1/0/1.10, and assign an IP address to the subinterface.

<AC> system-view

[AC] interface gigabitethernet 1/0/1.10

[AC-GigabitEthernet1/0/1.10] ip address 1.1.1.11 255.255.255.0

# Enable QinQ termination on GigabitEthernet 1/0/1.10 to terminate the VLAN-tagged packets with the Layer 1 VLAN ID 100 and the Layer 2 VLAN ID 11.

[AC-GigabitEthernet1/0/1.10] vlan-type dot1q vid 100 second-dot1q 11

[AC-GigabitEthernet1/0/1.10] quit

# Assign an IP address to GigabitEthernet 1/0/2.

[AC] interface gigabitethernet 1/0/2

[AC-GigabitEthernet1/0/2] ip address 1.1.2.11 255.255.255.0

Verifying the configuration

# Verify that Host A and Host B can ping each other. (Details not shown.)

Ambiguous QinQ termination configuration example

Network requirements

As shown in Figure 45, QinQ is enabled on GigabitEthernet 1/0/2 of Layer 2 Switch B.

Configure ambiguous QinQ termination, so that hosts can communicate with the server group.

Figure 45 Network diagram

Configuration procedure

In this example, Layer 2 Switch C uses the factory configuration.

1. Configure Host A, Host B, and Host C:

# Assign IP addresses 1.1.1.1/24, 1.1.1.2/24, and 1.1.1.3/24 to Host A, Host B, and Host C, respectively. (Details not shown.)

# Specify 1.1.1.11/24 as the gateway address for the hosts. (Details not shown.)

2. Configure Layer 2 Switch A:

# Create VLAN 11.

<L2_SwitchA> system-view

[L2_SwitchA] vlan 11

# Assign GigabitEthernet 1/0/1 to VLAN 11.

[L2_SwitchA-vlan11] port gigabitethernet 1/0/1

[L2_SwitchA-vlan11] quit

# Create VLAN 12.

[L2_SwitchA] vlan 12

# Assign GigabitEthernet 1/0/2 to VLAN 12.

[L2_SwitchA-vlan12] port gigabitethernet 1/0/2

[L2_SwitchA-vlan12] quit

# Create VLAN 13.

[L2_SwitchA] vlan 13

# Assign GigabitEthernet 1/0/3 to VLAN 13.

[L2_SwitchA-vlan13] port gigabitethernet 1/0/3

[L2_SwitchA-vlan13] quit

# Configure GigabitEthernet 1/0/7 as a trunk port, and assign the port to VLANs 11 through 13.

[L2_SwitchA] interface gigabitethernet 1/0/7

[L2_SwitchA-GigabitEthernet1/0/7] port link-type trunk

[L2_SwitchA-GigabitEthernet1/0/7] port trunk permit vlan 11 to 13

3. Configure Layer 2 Switch B:

# Configure GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLANs 11 through 13 and VLAN 100.

<L2_SwitchB> system-view

[L2_SwitchB] interface gigabitethernet 1/0/2

[L2_SwitchB-GigabitEthernet1/0/2] port link-type trunk

[L2_SwitchB-GigabitEthernet1/0/2] port trunk permit vlan 11 to 13 100

# Set the PVID of GigabitEthernet 1/0/2 to VLAN 100.

[L2_SwitchB-GigabitEthernet1/0/2] port trunk pvid vlan 100

# Enable QinQ on GigabitEthernet 1/0/2.

[L2_SwitchB-GigabitEthernet1/0/2] qinq enable

[L2_SwitchB-GigabitEthernet1/0/2] quit

# Configure GigabitEthernet 1/0/1 as a trunk port, and assign the port to VLAN 100.

[L2_SwitchB] interface gigabitethernet 1/0/1

[L2_SwitchB-GigabitEthernet1/0/1] port link-type trunk

[L2_SwitchB-GigabitEthernet1/0/1] port trunk permit vlan 100

4. Configure the AC:

# Create Ethernet subinterface GigabitEthernet 1/0/1.10, and assign an IP address to the subinterface.

<AC> system-view

[AC] interface gigabitethernet 1/0/1.10

[AC-GigabitEthernet1/0/1.10] ip address 1.1.1.11 255.255.255.0

# Configure GigabitEthernet 1/0/1.10 to terminate VLAN-tagged packets whose Layer 1 VLAN ID is 100 and Layer 2 VLAN ID is 11, 12, or 13.

[AC-GigabitEthernet1/0/1.10] vlan-type dot1q vid 100 second-dot1q 11 to 13

# Enable GigabitEthernet 1/0/1.10 to transmit broadcasts and multicasts.

[AC-GigabitEthernet1/0/1.10] vlan-termination broadcast enable

[AC-GigabitEthernet1/0/1.10] quit

# Assign an IP address to GigabitEthernet 1/0/2.

[AC] interface gigabitethernet 1/0/2

[AC-GigabitEthernet1/0/2] ip address 1.1.2.11 255.255.255.0

5. Configure the server group:

# Assign each device in the server group an IP address on the network segment 1.1.2.0/24. (Details not shown.)

# Specify 1.1.2.11/24 as the gateway IP address for the server group. (Details not shown.)

Verifying the configuration

# Verify that Host A, Host B, and Host C can ping the server group. (Details not shown.)

Configuring port isolation

The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs.

Ports in an isolation group cannot communicate with each other. However, they can communicate with ports outside the isolation group.

Assigning a port to the isolation group

The device supports only one isolation group that is automatically created as isolation group 1. You cannot remove the isolation group or create other isolation groups on the device. The number of ports assigned to the isolation group is not limited.

To assign a port to the isolation group:

Step	Command	Remarks
1. Enter system view.	system-view	N/A
2. Enter interface view.	· Enter Layer 2 Ethernet interface view: interface interface-type interface-number · Enter Layer 2 aggregate interface view: interface bridge-aggregation interface-number	· The configuration in Layer 2 Ethernet interface view applies only to the interface. · The configuration in Layer 2 aggregate interface view applies to the Layer 2 aggregate interface and its aggregation member ports. If the device fails to apply the configuration to the aggregate interface, it does not assign any aggregation member port to the isolation group. If the failure occurs on an aggregation member port, the device skips the port and continues to assign other aggregation member ports to the isolation group.
3. Assign the port to the isolation group.	port-isolate enable	By default, the port is not in the isolation group.

Displaying and maintaining port isolation

Execute display commands in any view.

Task	Command
Display port isolation group information.	display port-isolate group

Port isolation configuration example

Network requirements

As shown in Figure 46:

· AP1, AP2, and AP3 are connected to GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 on the AC, respectively.

· The AC connects to the Internet through GigabitEthernet 1/0/4.

Configure the AC to provide Internet access for all the APs, and isolate them from one another.

Figure 46 Network diagram

Configuration procedure

# Assign ports GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3 to the isolation group.

<AC> system-view

[AC] interface gigabitethernet 1/0/1

[AC-GigabitEthernet1/0/1] port-isolate enable

[AC-GigabitEthernet1/0/1] quit

[AC] interface gigabitethernet 1/0/2

[AC-GigabitEthernet1/0/2] port-isolate enable

[AC-GigabitEthernet1/0/2] quit

[AC] interface gigabitethernet 1/0/3

[AC-GigabitEthernet1/0/3] port-isolate enable

[AC-GigabitEthernet1/0/3] quit

Verifying the configuration

# Display information about the isolation group.

[AC] display port-isolate group

Port isolation group information:

Group ID: 1

Group members:

GigabitEthernet1/0/1 GigabitEthernet1/0/2 GigabitEthernet1/0/3

The output shows that ports GigabitEthernet 1/0/1, GigabitEthernet 1/0/2, and GigabitEthernet 1/0/3 are assigned to the isolation group. As a result, AP1, AP2, and AP3 are isolated from one another at Layer 2.

Index

Numerics

802

802.1 LLDPDU TLV types, 98

802.3 LLDPDU TLV types, 98

VLAN group configuration, 36

VLAN termination configuration (Dot1q ambiguous), 120, 121, 126

VLAN termination configuration (Dot1q PPPoE server support), 128

VLAN termination configuration (Dot1q unambiguous), 120, 121, 125

VLAN termination configuration (QinQ ambiguous), 121, 122, 123, 130

VLAN termination configuration (QinQ unambiguous), 121, 129

VLAN termination configuration (untagged), 124

VLAN termination default, 124

accessing

port-based VLAN assignment (access port), 35

action

loop detection block, 39

loop detection no-learning protection, 39

loop detection protection action (Layer 2 aggregate interface), 41

loop detection protection action (S-channel aggregate interface), 41

loop detection protection action (S-channel bundle interface), 41

loop detection protection action setting, 41

loop detection shutdown protection, 39

adding

MAC address table blackhole entry, 4

MAC address table entry (global), 3

MAC address table entry (on interface), 3

address

MAC address learning disable, 4

MAC address move suppression, 7

MAC address table learning priority, 6

MAC address table move notification, 7

MAC address table SNMP notification, 8

advertising

LLDP advertisable TLV, 105

aggregating

link. See Ethernet link aggregation

aging

MAC address table timer, 5

spanning tree max age timer, 73

algorithm

STP calculation, 48

alternate port (MST), 61

assigning

Layer 2 LAN switching port-based VLAN access port, 35

MAC address table learning priority, 6

port isolation group (single port), 133

port-based VLAN access port (interface view), 35

port-based VLAN access port (VLAN view), 35

port-based VLAN hybrid port, 36

port-based VLAN trunk port, 35

attribute

Ethernet link aggregation attribute configuration, 12

auto

loop detection port status auto recovery, 39

backing up

MST backup port, 61

bandwidth

Ethernet link aggregate interface (expected bandwidth), 20

basic management LLDPDU TLV types, 98

blackhole entry

MAC address table, 1, 4

block action (loop detection), 39

boundary port (MST), 61

BPDU

configuration BPDUs, 45

MST region max hops, 72

PVST BPDU guard, 90

spanning tree BPDU guard, 87

spanning tree hello time, 73

spanning tree max age timer, 73

spanning tree TC-BPDU guard, 90

spanning tree TC-BPDU transmission restriction, 89

STP BPDU forwarding, 53

TCN BPDUs, 46

transmission rate configuration, 75

BPDU processing

RSTP, 55

bridging

LLDP agent customer bridge, 96

LLDP agent nearest bridge, 96

LLDP agent non-TPMR bridge, 96

LLDP bridge mode configuration, 103

MST common root bridge, 61

MST regional root, 61

spanning tree loop guard, 88

spanning tree root bridge, 71

spanning tree root bridge (device), 71

spanning tree root guard, 88

spanning tree secondary root bridge (device), 71

STP designated bridge, 47

STP root bridge, 47

broadcast

VLAN termination transmission, 124

calculating

MSTI calculation, 63

MSTP CIST calculation, 63

spanning tree port path cost calculation standard, 76

spanning tree timeout factor, 75

STP algorithm, 48

checking

LLDP PVID inconsistency check disable, 110

spanning tree No Agreement Check, 84

choosing

Ethernet link aggregation reference port, 12, 15

CIST

calculation, 63

network device connection, 61

spanning tree max age timer, 73

command and hardware compatibility

Layer 2 forwarding, 115

spanning tree configuration, 66

common root bridge, 61

compatibility

VLAN termination hardware compatibility, 119

configuring

Ethernet aggregate interface, 19

Ethernet link aggregation, 11, 17, 24

Ethernet link aggregation group (Layer 2), 17

Ethernet link aggregation group load sharing, 21

Layer 2 Ethernet link aggregation (dynamic), 26

Layer 2 Ethernet link aggregation (static), 24

Layer 2 Ethernet link aggregation group (dynamic), 18

Layer 2 Ethernet link aggregation group (static), 18

Layer 2 Ethernet link aggregation load sharing, 28

Layer 2 forwarding, 115

Layer 2 forwarding (fast), 115

Layer 2 forwarding (normal), 115

LLDP, 96, 102

LLDP advertisable TLVs, 105

LLDP basics, 103, 111

LLDP management address, 107

LLDP management address encoding format, 107

LLDP trapping, 110

LLDP-MED trapping, 110

loop detection, 38, 40, 42

MAC address move suppression, 7

MAC address table, 1, 2, 9

MAC address table entry, 3

MAC address table frame forwarding rule (on interface), 6

MST region, 70

MST region max hops, 72

MSTP, 68, 92

port isolation, 133

port isolation (single isolation group), 133

port-based VLAN, 33

PVST, 68

RSTP, 67

spanning tree, 45, 66

spanning tree BPDU transmission rate, 75

spanning tree device priority, 72

spanning tree Digest Snooping, 83

spanning tree edge port, 75

spanning tree No Agreement Check, 84

spanning tree port link type, 79

spanning tree port mode, 79

spanning tree port path cost, 76, 78

spanning tree port priority, 78

spanning tree port role restriction, 89

spanning tree protection features, 87

spanning tree root bridge, 71

spanning tree root bridge (device), 71

spanning tree secondary root bridge, 71

spanning tree secondary root bridge (device), 71

spanning tree switched network diameter, 73

spanning tree TC Snooping, 86

spanning tree TC-BPDU transmission restriction, 89

spanning tree timeout factor, 75

spanning tree timer, 73

STP, 66

VLAN, 31

VLAN basic settings, 32

VLAN group, 36

VLAN interface basics, 33

VLAN termination, 117, 120, 125

VLAN termination (default), 124

VLAN termination (Dot1q ambiguous), 120, 121, 126

VLAN termination (Dot1q PPPoE server support), 128

VLAN termination (Dot1q unambiguous), 120, 121, 125

VLAN termination (QinQ ambiguous), 121, 122, 130

VLAN termination (QinQ ambiguous/Layer 2 VLAN ID), 122

VLAN termination (QinQ ambiguous/outermost VLAN ID), 122

VLAN termination (QinQ unambiguous), 121, 129

VLAN termination (QinQ unambiguous/Layer 2 VLAN ID), 123

VLAN termination (QinQ unambiguous/outermost VLAN ID), 123

VLAN termination (untagged), 124

VLAN termination configuration (QinQ unambiguous), 123

cost

spanning tree port path cost calculation standard, 76

spanning tree port path cost configuration, 76, 78

STP path cost, 48

CST

MST region connection, 60

customer

LLDP customer bridge mode, 103

CVLAN

VLAN termination application scenario, 117

VLAN termination configuration, 117, 120, 125

default

Ethernet link aggregate interface (default settings), 21

VLAN default termination, 117, 124

designated

MST port, 61

STP bridge, 47

STP port, 47

device

disabling inconsistent PVID protection, 82

Layer 2 forwarding (normal), 115

Layer 2 forwarding configuration, 115

Layer 2 forwarding configuration (fast), 115

LLDP basic configuration, 103, 111

LLDP configuration, 96, 102

LLDP parameters, 108

loop protection actions, 39

MSTP implementation, 63

PVST BPDU guard, 90

SNMP notifications for new-root election and topology change events, 91

spanning tree BPDU guard, 87

spanning tree Digest Snooping, 83

spanning tree loop guard, 88

spanning tree No Agreement Check, 84

spanning tree port role restriction, 89

spanning tree priority, 72

spanning tree protection features, 87

spanning tree root guard, 88

spanning tree TC Snooping, 86

spanning tree TC-BPDU guard, 90

spanning tree TC-BPDU transmission restriction, 89

VLAN termination configuration (Dot1q PPPoE server support), 128

VLAN termination configuration (QinQ ambiguous), 130

VLAN termination configuration (QinQ unambiguous), 129

VLAN termination hardware compatibility, 119

DHCP

VLAN termination configuration (QinQ unambiguous), 121

Digest Snooping (spanning tree), 83

disabling

LLDP PVID inconsistency check, 110

MAC address learning, 4

MAC address learning (global), 4

MAC address learning (on interface), 4

discarding

MST discarding port state, 62

displaying

Ethernet link aggregation, 24

Layer 2 forwarding (fast), 116

Layer 2 forwarding (normal), 115

LLDP, 111

loop detection, 42

MAC address table, 9

port isolation, 133

spanning tree, 91

VLAN, 37

Dot1

VLAN termination configuration (Dot1q ambiguous), 120, 121, 126

VLAN termination configuration (Dot1q PPPoE server support), 128

VLAN termination configuration (Dot1q unambiguous), 120, 121, 125

VLAN termination configuration (QinQ ambiguous), 121, 122, 123, 130

VLAN termination configuration (QinQ unambiguous), 121, 129

VLAN termination configuration (untagged), 124

VLAN termination default, 124

VLAN termination type, 117

dot1d-1998 (STP port path cost calculation), 76

dot1s (STP port mode), 79

dot1t (STP port path cost calculation), 76

dynamic

Ethernet link aggregation group, 17

Ethernet link aggregation mode, 12

Layer 2 Ethernet link aggregation, 26

MAC address table dynamic aging timer, 5

MAC address table entry, 1

MAC address table entry configuration (global), 3

MAC address table entry configuration (on interface), 3

edge port

MST, 61

spanning tree, 75

edge port rapid transition

rapid transition mechanism, 63

enabling

Ethernet link aggregation traffic redirection, 23

LLDP, 103

LLDP polling, 104

loop detection (global), 40

loop detection (port-specific), 40

MAC address table move notification, 7

MAC address table SNMP notification, 8

PVST BPDU guard, 90

SNMP notifications for new-root election and topology change events, 91

spanning tree BPDU guard, 87

spanning tree feature, 80

spanning tree loop guard, 88

spanning tree port state transition information output, 80

spanning tree root guard, 88

spanning tree TC-BPDU guard, 90

VLAN termination interface broadcast transmission, 124

VLAN termination interface multicast transmission, 124

encapsulating

LLDP frame encapsulation (Ethernet II), 97

LLDP frame encapsulation (SNAP), 97

LLDP frame encapsulation format, 109

VLAN frame encapsulation, 31

Ethernet

link aggregation. See Ethernet link aggregation

LLDP frame encapsulation, 97

LLDP trapping, 110

LLDP-MED trapping, 110

loop detection configuration, 38, 42

loop detection protection action (Layer 2 Ethernet interface), 41

MAC address table configuration, 1, 2, 9

port isolation configuration, 133

port isolation configuration (single isolation group), 133

port-based VLAN assignment (access port), 35

port-based VLAN assignment (hybrid port), 36

port-based VLAN assignment (trunk port), 35

port-based VLAN configuration, 33

VLAN basic configuration, 32

VLAN configuration, 31

VLAN frame encapsulation, 31

VLAN interface basics, 33

Ethernet link aggregation

aggregate group (Selected ports), 19

aggregate interface, 11

aggregate interface (default settings), 21

aggregate interface (description), 19

aggregate interface configuration, 19

aggregate interface shutdown, 21

aggregation group, 11

aggregation group restrictions, 17

configuration, 11, 17, 24

configuration types, 12

display, 24

group configuration (Layer 2), 17

group load sharing configuration, 21

group load sharing mode, 21

how dynamic link aggregation works, 15

interface configuration (expected bandwidth), 20

LACP, 14

Layer 2 aggregation (dynamic), 26

Layer 2 aggregation (static), 24

Layer 2 aggregation load sharing, 28

load sharing mode, 17

local-first load sharing, 22

maintain, 24

member port, 11

member port state, 11, 13, 15

modes, 12

operational key, 11

reference port, 15

reference port choice, 12

static mode, 12

traffic redirection, 23

traffic redirection restrictions, 23

EVB

loop detection protection action (S-channel interface), 41

fast

Layer 2 forwarding configuration (fast), 115

format

LLDP frame encapsulation (Ethernet II), 97

LLDP frame encapsulation (SNAP), 97

LLDP frame encapsulation format, 109

LLDP management address encoding format, 107

forwarding

Layer 2 forwarding (normal), 115

Layer 2 forwarding configuration, 115

Layer 2 forwarding configuration (fast), 115

MST forwarding port state, 62

spanning tree forward delay timer, 73

STP BPDU forwarding, 53

STP forward delay timer, 53

frame

Layer 2 forwarding (normal), 115

Layer 2 forwarding configuration, 115

Layer 2 forwarding configuration (fast), 115

LLDP frame encapsulation format, 109

loop detection (Ethernet frame header), 38

loop detection (inner frame header), 38

loop detection interval, 39

MAC address learning, 1

MAC address table blackhole entry, 4

MAC address table configuration, 1, 2, 9

MAC address table entry configuration, 3

MSTP BPDU protocol frames, 58

port-based VLAN frame handling, 34

PVST BPDU protocol frames, 56, 56

RSTP BPDU protocol frames, 54

spanning tree port mode configuration, 79

STP BPDU protocol frames, 45

STP TCN BPDU protocol frames, 45

VLAN frame encapsulation, 31

group

Ethernet link aggregate group (Selected ports), 19

Ethernet link aggregation group, 11

Ethernet link aggregation group (Layer 2), 17

Ethernet link aggregation group load sharing, 21

Ethernet link aggregation LACP, 14

Ethernet link aggregation load sharing mode, 17, 21

Ethernet link aggregation member port state, 11

port isolation configuration (single isolation group), 133

VLAN group configuration, 36

hello

spanning tree timer, 73

STP timer, 53

hybrid port

port-based VLAN assignment (hybrid port), 36

ignoring

VLAN, 82

implementing

MSTP device implementation, 63

inconsistency check (LLDP), 110

interface

Ethernet aggregate interface, 19

Ethernet aggregate interface (description), 19

Ethernet link aggregate interface (default settings), 21

Ethernet link aggregate interface shutdown, 21

interval

Ethernet link aggregation LACP long timeout, 14

Ethernet link aggregation LACP short timeout, 14

loop detection, 39, 41

IPv4

VLAN termination configuration (QinQ unambiguous), 121

isolating

ports. See port isolation

IST

MST region, 61

key

Ethernet link aggregation operational key, 11

LACP

Ethernet link aggregation, 14

LAN switching

Ethernet aggregate interface, 19

Ethernet aggregate interface (description), 19

Ethernet link aggregate group (Selected ports), 19

Ethernet link aggregate interface (default settings), 21

Ethernet link aggregate interface (expected bandwidth), 20

Ethernet link aggregate interface shutdown, 21

Ethernet link aggregation (dynamic), 26

Ethernet link aggregation (static), 24

Ethernet link aggregation configuration, 11, 17, 24

Ethernet link aggregation display, 24

Ethernet link aggregation group (Layer 2), 17

Ethernet link aggregation group load sharing, 21

Ethernet link aggregation group load sharing mode, 21

Ethernet link aggregation group restrictions, 17

Ethernet link aggregation LACP, 14

Ethernet link aggregation load sharing, 28

Ethernet link aggregation load sharing mode, 17

Ethernet link aggregation local-first load sharing, 22

Ethernet link aggregation maintain, 24

Ethernet link aggregation static mode, 12

Ethernet link aggregation traffic redirection, 23

Ethernet link aggregation traffic redirection restrictions, 23

Layer 2 forwarding configuration, 115

LLDP basic concepts, 96

LLDP basic configuration, 103, 111

LLDP configuration, 96, 102

LLDP display, 111

LLDP protocols and standards, 102

LLDP PVID inconsistency check disable, 110

loop detection configuration, 38, 40, 42

MAC address table configuration, 1, 2, 9

MAC address table display, 9

port isolation configuration, 133

port isolation configuration (single isolation group), 133

port isolation display, 133

port isolation group assignment (single port), 133

port-based VLAN assignment (access port), 35

port-based VLAN assignment (hybrid port), 36

port-based VLAN assignment (trunk port), 35

port-based VLAN configuration, 33

Virtual Local Area Network. Use VLAN

VLAN basic configuration, 32

VLAN configuration, 31

VLAN display, 37

VLAN frame encapsulation, 31

VLAN group configuration, 36

VLAN interface basics, 33

VLAN maintain, 37

VLAN protocols and standards, 32

VLAN termination configuration, 117, 120, 125

VLAN termination configuration (Dot1q ambiguous), 126

VLAN termination configuration (Dot1q PPPoE server support), 128

VLAN termination configuration (Dot1q unambiguous), 125

VLAN termination configuration (Dot1q), 120

VLAN termination configuration (QinQ ambiguous), 130

VLAN termination configuration (QinQ unambiguous), 129

VLAN termination configuration (QinQ), 121

VLAN termination configuration (untagged), 124

VLAN termination configuration restrictions, 119

VLAN termination default, 124

Layer 2

Ethernet link aggregation group (dynamic), 18

forwarding configuration, 115

forwarding configuration (fast), 115

forwarding configuration (normal), 115

forwarding display (fast), 116

forwarding display (normal), 115

forwarding maintain (fast), 116

forwarding maintain (normal), 115

LLDP basic configuration, 111

LLDP trapping, 110

LLDP-MED trapping, 110

loop detection protection action (Layer 2 aggregate interface), 41

loop detection protection action (Layer 2 Ethernet interface), 41

loop detection protection action (S-channel aggregate interface), 41

loop detection protection action (S-channel bundle interface), 41

loop detection protection action (S-channel interface), 41

VLAN basic configuration, 32

VLAN configuration, 31

Layer 2 forwarding

command and hardware compatibility, 115

Layer 2 LAN switching

displaying spanning tree, 91

Ethernet link aggregation group (static), 18

maintaining spanning tree, 91

MST region, 70

MSTP configuration, 92

spanning tree configuration, 45

spanning tree Digest Snooping, 83

Layer 3

Ethernet link aggregation group load sharing, 21

Ethernet link aggregation local-first load sharing, 22

LAN switching LAN switching VLAN interface basics, 33

LLDP basic configuration, 111

LLDP trapping, 110

LLDP-MED trapping, 110

port-based VLAN assignment (access port), 35

port-based VLAN assignment (hybrid port), 36

port-based VLAN assignment (trunk port), 35

port-based VLAN configuration, 33

learning

loop detection no-learning action, 39

MAC address, 1

MAC address learning disable, 4

MAC address table learning priority, 6

MST learning port state, 62

legacy

spanning tree port mode, 79

spanning tree port path cost calculation, 76

link

aggregation. See Ethernet link aggregation

Link Layer Discovery Protocol. Use LLDP

MSTP configuration, 92

spanning tree configuration, 45, 66

spanning tree hello time, 73

spanning tree port link type configuration, 79

LLDP

advertisable TLV configuration, 105

agent, 96

basic concepts, 96

basic configuration, 103, 111

bridge mode configuration, 103

configuration, 96, 102

display, 111

enable, 103

frame encapsulation (Ethernet II), 97

frame encapsulation (SNAP), 97

frame encapsulation format, 109

frame format, 97

frame reception, 102

frame transmission, 101

how it works, 101

LLDPDU management address TLV, 101

LLDPDU TLV types, 98

LLDPDU TLVs, 98

LLDP-MED trapping configuration, 110

management address configuration, 107

management address encoding format, 107

operating mode (disable), 101

operating mode (Rx), 101

operating mode (Tx), 101

operating mode (TxRx), 101

operating mode set, 103

parameter set, 108

polling enable, 104

protocols and standards, 102

PVID inconsistency check disable, 110

reinitialization delay, 104

trapping configuration, 110

LLDPDU

LLDP basic configuration, 103, 111

LLDP configuration, 96, 102

LLDP parameters, 108

management address configuration, 107

management address encoding format, 107

management address TLV, 101

TLV basic management types, 98

TLV LLDP-MED types, 98

TLV organization-specific types, 98

load sharing

Ethernet link aggregation group configuration, 21

Ethernet link aggregation group load sharing, 17

Ethernet link aggregation load sharing mode, 21

Ethernet link aggregation local-first load sharing, 22

Ethernet link aggregation packet type-based load sharing, 17

Ethernet link aggregation per-flow load sharing, 17

Ethernet link aggregation per-packet load sharing, 17

Layer 2 Ethernet link aggregation configuration, 28

local

Ethernet link aggregation local-first load sharing, 22

logging

loop detection configuration, 38, 40, 42

loop

MSTP configuration, 92

spanning tree configuration, 45, 66

spanning tree loop guard, 88

loop detection

configuration, 38, 40, 42

displaying, 42

enable (global), 40

enable (port-specific), 40

interval, 39

interval setting, 41

mechanism, 38

port status auto recovery, 39

protection action setting (global), 41

protection action setting (Layer 2 aggregate interface), 41

protection action setting (Layer 2 Ethernet interface), 41

protection action setting (S-channel aggregate interface), 41

protection action setting (S-channel bundle interface), 41

protection action setting (S-channel interface), 41

protection actions, 39

MAC address table

address learning, 1

blackhole entry, 4

configuration, 1, 2, 9

displaying, 9

dynamic aging timer, 5

entry configuration, 3

entry configuration (global), 3

entry configuration (on interface), 3

entry creation, 1

entry types, 1

learning priority assignment, 6

MAC address learning disable, 4

MAC address move suppression, 7

manual entries, 1

move notification, 7

SNMP notification enable, 8

MAC addressing

VLAN frame encapsulation, 31

MAC relay (LLDP agent), 96

maintaining

Ethernet link aggregation, 24

Layer 2 forwarding (fast), 116

Layer 2 forwarding (normal), 115

spanning tree, 91

VLAN, 37

management address

LLDP encoding format, 107

mapping

MSTP VLAN-to-instance mapping table, 60

master

MSTP master port, 61

max age timer (STP), 53

mCheck

global performance, 82

interface view performance, 82

spanning tree, 81

MED (LLDP-MED trapping), 110

MIB

LLDP basic configuration, 103, 111

LLDP configuration, 96, 102

mode

Ethernet link aggregation dynamic, 12

Ethernet link aggregation LACP operation active, 14

Ethernet link aggregation LACP operation passive, 14

Ethernet link aggregation load sharing, 17

Ethernet link aggregation static, 12, 12

LLDP customer bridge, 103

LLDP disable, 101, 103

LLDP Rx, 101, 103

LLDP service bridge, 103

LLDP Tx, 101, 103

LLDP TxRx, 101, 103

spanning tree mCheck, 81

spanning tree MSTP, 69

spanning tree PVST, 69

spanning tree RSTP, 69

spanning tree STP, 69

modifying

MAC address table blackhole entry, 4

MAC address table entry (global), 3

MAC address table entry (on interface), 3

moving

MAC address table move notification, 7

MPLS

VLAN termination configuration (QinQ unambiguous), 121

MST

region max hops, 72

MSTI

calculation, 63

MST instance, 60

MSTP, 45, See also STP

basic concepts, 59

CIST, 61

CIST calculation, 63

common root bridge, 61

configuration, 68, 92

CST, 60

device implementation, 63

feature enable, 81

features, 57

how it works, 62

IST, 61

mode set, 69

MST region, 60

MST region configuration, 70

MSTI, 60

MSTI calculation, 63

port roles, 61

port states, 62

protocol frames, 58

protocols and standards, 66

rapid transition mechanism, 63

regional root, 61

relationships, 57

spanning tree max age timer, 73

spanning tree port mode configuration, 79

VLAN-to-instance mapping table, 60

multicast

VLAN termination transmission, 124

Multiple Spanning Tree Protocol. Use MSTP

network

disabling inconsistent PVID protection, 82

Ethernet link aggregation configuration types, 12

Ethernet link aggregation LACP, 14

Ethernet link aggregation member port state, 13, 15

Ethernet link aggregation modes, 12

Ethernet link aggregation operational key, 11

Ethernet link aggregation reference port, 15

Ethernet link aggregation reference port choice, 12

Ethernet link aggregation static mode, 12

Layer 2 Ethernet link aggregation (dynamic), 26

Layer 2 Ethernet link aggregation (static), 24

Layer 2 Ethernet link aggregation load sharing, 28

Layer 2 forwarding (normal), 115

Layer 2 forwarding configuration (fast), 115

LLDP basic configuration, 103, 111

loop detection enable, 40

loop detection interval, 39, 41

loop detection protection action setting, 41

loop protection actions, 39

MAC address move suppression, 7

MAC address table blackhole entry, 4

MAC address table dynamic aging timer, 5

MAC address table entry configuration, 3

MAC address table entry types, 1

MAC address table learning priority, 6

MAC address table move notification, 7

MAC address table SNMP notification, 8

MST region configuration, 70

port isolation configuration (single isolation group), 133

port isolation group assignment (single port), 133

port-based VLAN assignment (access port), 35

port-based VLAN assignment (hybrid port), 36

port-based VLAN assignment (trunk port), 35

port-based VLAN configuration, 33

PVST BPDU guard, 90

RSTP network convergence, 54

RSTP port role, 54

RSTP port state, 55

SNMP notifications for new-root election and topology change events, 91

spanning tree BPDU guard, 87

spanning tree BPDU transmission rate, 75

spanning tree Digest Snooping, 83

spanning tree edge port, 75

spanning tree loop guard, 88

spanning tree mode set, 69

spanning tree No Agreement Check, 84

spanning tree port link type, 79

spanning tree port mode, 79

spanning tree port path cost, 76, 78

spanning tree port priority, 78

spanning tree port role restriction, 89

spanning tree port state transition, 80

spanning tree priority, 72

spanning tree protection features, 87

spanning tree root bridge, 71

spanning tree root bridge (device), 71

spanning tree root guard, 88

spanning tree secondary root bridge (device), 71

spanning tree switched network diameter, 73

spanning tree TC Snooping, 86

spanning tree TC-BPDU guard, 90

spanning tree TC-BPDU transmission restriction, 89

STP algorithm calculation, 48

STP designated bridge, 47

STP designated port, 47

STP path cost, 48

STP port state, 47

STP root bridge, 47

STP root port, 47

VLAN basic configuration, 32

VLAN group configuration, 36

VLAN interface basics, 33

VLAN termination application scenario, 117

VLAN termination configuration (Dot1q ambiguous), 121, 126

VLAN termination configuration (Dot1q PPPoE server support), 128

VLAN termination configuration (Dot1q unambiguous), 121, 125

VLAN termination configuration (Dot1q), 120

VLAN termination configuration (QinQ ambiguous), 122, 130

VLAN termination configuration (QinQ unambiguous), 123, 129

VLAN termination configuration (QinQ), 121

VLAN termination configuration (untagged), 124

VLAN termination default, 124

VLAN termination interface broadcast transmission, 124

VLAN termination interface multicast transmission, 124

VLAN termination types, 117

network management

Ethernet link aggregation configuration, 11, 17, 24

Layer 2 forwarding configuration, 115

LLDP basic concepts, 96

LLDP configuration, 96, 102

loop detection, 38

loop detection configuration, 40, 42

MAC address table configuration, 1, 2, 9

MSTP configuration, 92

port isolation configuration, 133

spanning tree configuration, 45, 66

VLAN configuration, 31

VLAN termination configuration, 117, 120, 125

No Agreement Check (spanning tree), 84

no-learning action (loop detection), 39

notifying

MAC address table move notification, 7

MAC address table SNMP notification, 8

operational key (Ethernet link aggregation), 11

organization-specific LLDPDU TLV types, 98

outputting

spanning tree port state transition information, 80

P/A transition

rapid transition mechanism, 64

packet

Ethernet link aggregation packet type-based load sharing, 17

VLAN termination configuration, 117, 120, 125

VLAN termination configuration (Dot1q), 120

VLAN termination configuration (QinQ), 121

parameter

spanning tree timeout factor, 75

per-flow load sharing, 17

performing

spanning tree mCheck, 81

spanning tree mCheck globally, 82

spanning tree mCheck in interface view, 82

per-packet load sharing, 17

Per-VLAN Spanning Tree Protocol. Use PVST

polling

LLDP enable, 104

port

Ethernet aggregate interface, 19

Ethernet aggregate interface (description), 19

Ethernet link aggregate group (Selected ports), 19

Ethernet link aggregate interface (default settings), 21

Ethernet link aggregate interface (expected bandwidth), 20

Ethernet link aggregate interface shutdown, 21

Ethernet link aggregation configuration, 11, 17, 24

Ethernet link aggregation configuration types, 12

Ethernet link aggregation group (Layer 2), 17

Ethernet link aggregation group load sharing, 21

Ethernet link aggregation LACP, 14

Ethernet link aggregation LACP port priority, 14

Ethernet link aggregation load sharing mode, 17

Ethernet link aggregation local-first load sharing, 22

Ethernet link aggregation member port, 11

Ethernet link aggregation member port state, 11, 13, 15

Ethernet link aggregation modes, 12

Ethernet link aggregation operational key, 11

Ethernet link aggregation reference port, 15

Ethernet link aggregation reference port choice, 12

Ethernet link aggregation static mode, 12

Ethernet link aggregation traffic redirection, 23

isolation. See port isolation

Layer 2 Ethernet link aggregation (dynamic), 26

Layer 2 Ethernet link aggregation (static), 24

Layer 2 Ethernet link aggregation load sharing, 28

LLDP basic configuration, 103, 111

LLDP configuration, 96, 102

LLDP disable operating mode, 101

LLDP enable, 103

LLDP frame encapsulation format, 109

LLDP frame reception, 102

LLDP frame transmission, 101

LLDP operating mode, 103

LLDP polling, 104

LLDP reinitialization delay, 104

LLDP Rx operating mode, 101

LLDP Tx operating mode, 101

LLDP TxRx operating mode, 101

loop detection configuration, 38, 40, 42

loop detection interval, 39, 41

loop detection protection action setting, 41

loop detection protection actions, 39

loop detection status auto recovery, 39

MAC address learning, 1

MAC address table blackhole entry, 4

MAC address table configuration, 1, 2, 9

MAC address table entry configuration, 3

MST port roles, 61

MST port states, 62

PVST BPDU guard, 90

RSTP network convergence, 54

spanning tree BPDU guard, 87

spanning tree BPDU transmission rate, 75

spanning tree edge port configuration, 75

spanning tree forward delay timer, 73

spanning tree loop guard, 88

spanning tree path cost calculation standard, 76

spanning tree path cost configuration, 76, 78

spanning tree port link type configuration, 79

spanning tree port mode configuration, 79

spanning tree port priority configuration, 78

spanning tree port role restriction, 89

spanning tree port state transition output, 80

spanning tree root guard, 88

spanning tree TC-BPDU guard, 90

spanning tree TC-BPDU transmission restriction, 89

STP designated port, 47

STP root port, 47

VLAN port link type, 33

port isolation

configuration, 133

configuration (single isolation group), 133

display, 133

group assignment (single port), 133

port state

rapid transition mechanism, 63

port-based VLAN

access port assignment (interface view), 35

access port assignment (VLAN view), 35

assignment (access port), 35

assignment (hybrid port), 36

assignment (trunk port), 35

configuration, 33

port frame handling, 34

port link type, 33

PVID, 34

PPPoE

VLAN termination configuration (Dot1q PPPoE server support), 128

VLAN termination configuration (QinQ unambiguous), 121

priority

Ethernet link aggregation LACP, 14

Ethernet link aggregation LACP port priority, 14

Ethernet link aggregation LACP system priority, 14

MAC address table learning priority, 6

spanning tree device priority, 72

spanning tree port priority configuration, 78

procedure

adding MAC address table blackhole entry, 4

adding MAC address table entry (global), 3

adding MAC address table entry (on interface), 3

assigning MAC address table learning priority to interface, 6

assigning port isolation group (single port), 133

assigning port-based VLAN access port, 35

assigning port-based VLAN access port (interface view), 35

assigning port-based VLAN access port (VLAN view), 35

assigning port-based VLAN hybrid port, 36

assigning port-based VLAN trunk port, 35

configuring Ethernet aggregate interface, 19

configuring Ethernet link aggregation, 17

configuring Ethernet link aggregation group (Layer 2), 17

configuring Ethernet link aggregation group load sharing, 21

configuring Layer 2 Ethernet link aggregation (dynamic), 26

configuring Layer 2 Ethernet link aggregation (static), 24

configuring Layer 2 Ethernet link aggregation group (dynamic), 18

configuring Layer 2 Ethernet link aggregation group (static), 18

configuring Layer 2 Ethernet link aggregation load sharing, 28

configuring Layer 2 forwarding (fast), 115

configuring Layer 2 forwarding (normal), 115

configuring LLDP, 102

configuring LLDP advertisable TLVs, 105

configuring LLDP basics, 103, 111

configuring LLDP management address, 107

configuring LLDP management address encoding format, 107

configuring LLDP trapping, 110

configuring LLDP-MED trapping, 110

configuring loop detection, 40, 42

configuring MAC address move suppression, 7

configuring MAC address table, 2, 9

configuring MAC address table entry, 3

configuring MAC address table frame forwarding rule (on interface), 6

configuring MST region, 70

configuring MST region max hops, 72

configuring MSTP, 68, 92

configuring port isolation (single isolation group), 133

configuring port-based VLAN, 33

configuring PVST, 68

configuring RSTP, 67

configuring spanning tree, 66

configuring spanning tree BPDU transmission rate, 75

configuring spanning tree device priority, 72

configuring spanning tree Digest Snooping, 83

configuring spanning tree edge port, 75

configuring spanning tree No Agreement Check, 84

configuring spanning tree port link type, 79

configuring spanning tree port mode for MSTP frames, 79

configuring spanning tree port path cost, 76, 78

configuring spanning tree port priority, 78

configuring spanning tree port role restriction, 89

configuring spanning tree protection features, 87

configuring spanning tree root bridge, 71

configuring spanning tree root bridge (device), 71

configuring spanning tree secondary root bridge, 71

configuring spanning tree secondary root bridge (device), 71

configuring spanning tree switched network diameter, 73

configuring spanning tree TC Snooping, 86

configuring spanning tree TC-BPDU transmission restriction, 89

configuring spanning tree timeout factor, 75

configuring spanning tree timer, 73

configuring STP, 66

configuring VLAN basic settings, 32

configuring VLAN group, 36

configuring VLAN interface basics, 33

configuring VLAN termination, 120

configuring VLAN termination (default), 124

configuring VLAN termination (Dot1q ambiguous), 120, 121, 126

configuring VLAN termination (Dot1q PPPoE server support), 128

configuring VLAN termination (Dot1q unambiguous), 120, 121, 125

configuring VLAN termination (QinQ ambiguous), 121, 122, 130

configuring VLAN termination (QinQ ambiguous/Layer 2 VLAN ID), 122

configuring VLAN termination (QinQ ambiguous/outermost VLAN ID), 122

configuring VLAN termination (QinQ unambiguous), 121, 129

configuring VLAN termination (QinQ unambiguous/Layer 2 VLAN ID), 123

configuring VLAN termination (QinQ unambiguous/outermost VLAN ID), 123

configuring VLAN termination (untagged), 124

configuring VLAN termination configuration (QinQ ambiguous), 123

disabling inconsistent PVID protection, 82

disabling LLDP PVID inconsistency check, 110

disabling MAC address learning, 4

disabling MAC address learning (global), 4

disabling MAC address learning (on interface), 4

displaying Ethernet link aggregation, 24

displaying Layer 2 forwarding (fast), 116

displaying Layer 2 forwarding (normal), 115

displaying LLDP, 111

displaying loop detection, 42

displaying MAC address table, 9

displaying port isolation, 133

displaying spanning tree, 91

displaying VLAN, 37

enabling Ethernet link aggregation local-first load sharing, 22

enabling Ethernet link aggregation traffic redirection, 23

enabling LLDP, 103

enabling LLDP polling, 104

enabling loop detection (global), 40

enabling loop detection (port-specific), 40

enabling MAC address table move notification, 7

enabling MAC address table SNMP notification, 8

enabling PVST BPDU guard, 90

enabling SNMP notifications for new-root election and topology change events, 91

enabling spanning tree BPDU guard, 87

enabling spanning tree feature, 80

enabling spanning tree loop guard, 88

enabling spanning tree port state transition information output, 80

enabling spanning tree root guard, 88

enabling spanning tree TC-BPDU guard, 90

enabling VLAN termination interface broadcast transmission, 124

enabling VLAN termination interface multicast transmission, 124

maintaining Ethernet link aggregation, 24

maintaining Layer 2 forwarding (fast), 116

maintaining Layer 2 forwarding (normal), 115

maintaining spanning tree, 91

maintaining VLAN, 37

modifying MAC address table blackhole entry, 4

modifying MAC address table entry (global), 3

modifying MAC address table entry (on interface), 3

performing spanning tree mCheck, 81

performing spanning tree mCheck globally, 82

performing spanning tree mCheck in interface view, 82

restoring Ethernet link aggregate interface (default settings), 21

setting Ethernet aggregate interface (description), 19

setting Ethernet link aggregate group (Selected ports), 19

setting Ethernet link aggregate interface (expected bandwidth), 20

setting Ethernet link aggregation group load sharing mode, 21

setting Ethernet link aggregation load sharing mode (global), 21

setting Ethernet link aggregation load sharing mode (group-specific), 22

setting LLDP bridge mode, 103

setting LLDP frame encapsulation format, 109

setting LLDP operating mode, 103

setting LLDP parameters, 108

setting LLDP reinitialization delay, 104

setting loop detection interval, 41

setting loop detection protection action (global), 41

setting loop detection protection action (Layer 2 aggregate interface), 41

setting loop detection protection action (Layer 2 Ethernet interface), 41

setting loop detection protection action (S-channel aggregate interface), 41

setting loop detection protection action (S-channel bundle interface), 41

setting loop detection protection action (S-channel interface), 41

setting MAC address table dynamic aging timer, 5

setting MAC address table learning limit (on interface), 5

setting spanning tree mode, 69

shutting down Ethernet link aggregate interface, 21

specifying spanning tree port path cost calculation standard, 76

protecting

loop detection protection action setting, 41

SNMP notifications for new-root election and topology change events, 91

spanning tree protection features, 87

protocols and standards

Ethernet link aggregation protocol configuration, 12

LLDP, 102

MSTP, 66

MSTP protocol frames, 58

PVST protocol frames, 56

RSTP protocol frames, 54

STP protocol frames, 45

VLAN, 32

PVID

LLDP PVID inconsistency check disable, 110

PVID (port-based VLAN), 34

PVST, 45, See also STP

basic concepts, 57

configuration, 68

feature enable, 81

how it works, 57

mode set, 69

port links, 56

protocol frames, 56

rapid transition mechanism, 63

QinQ

loop detection configuration, 38, 40, 42

VLAN termination configuration (QinQ ambiguous), 121, 122, 123, 130

VLAN termination configuration (QinQ unambiguous), 121, 129

VLAN termination type, 117

Rapid Spanning Tree Protocol. Use RSTP

rapid transition mechanism

edge port rapid transition, 63

MSTP, 63

P/A transition, 64

port state, 63

PVST, 63

root port rapid transition, 64

RSTP, 63

rate

spanning tree BPDU transmission rate, 75

receiving

LLDP frames, 102

recovering

loop detection port status auto recovery, 39

reference port (Ethernet link aggregation), 12, 15

region

MST, 60

MST region configuration, 70

MST region max hops, 72

MST regional root, 61

reinitialization delay (LLDP), 104

restoring

Ethernet link aggregate interface (default settings), 21

restrictions

Ethernet link aggregation group, 17

Ethernet link aggregation traffic redirection, 23

LAN switching STP Digest Snooping configuration, 83

LAN switching STP edge port configuration, 76

LAN switching STP mCheck configuration, 82

LAN switching STP port link type configuration, 79

LAN switching STP TC Snooping configuration, 86

spanning tree port role restriction, 89

spanning tree TC-BPDU transmission restriction, 89

STP Digest Snooping configuration, 74

STP edge port configuration, 74

STP mCheck configuration, 74

STP port link type configuration, 74

STP TC Snooping configuration, 74

STP timer configuration, 74

VLAN termination configuration, 119

VLAN termination hardware compatibility, 119

root

MST common root bridge, 61

MST regional root, 61

MST root port role, 61

spanning tree root bridge, 71

spanning tree root bridge (device), 71

spanning tree root guard, 88

spanning tree secondary root bridge (device), 71

STP algorithm calculation, 48

STP root bridge, 47

STP root port, 47

root port rapid transition

rapid transition mechanism, 64

RSTP, 45, See also STP

basic concepts, 54

BPDU processing, 55

configuration, 67

feature enable, 81

how it works, 55

mode set, 69

MSTP device implementation, 63

network convergence, 54

port role, 54

port state, 55

protocol frames, 54

rapid transition mechanism, 63

selecting

Ethernet link aggregation (Selected ports), 19

Ethernet link aggregation selected state, 11

Ethernet link aggregation unselected state, 11

service

LLDP service bridge mode, 103

setting

Ethernet aggregate interface (description), 19

Ethernet link aggregate group (Selected ports), 19

Ethernet link aggregate interface (expected bandwidth), 20

Ethernet link aggregation group load sharing mode, 21

Ethernet link aggregation load sharing mode (global), 21

Ethernet link aggregation load sharing mode (group-specific), 22

Ethernet link aggregation member port state, 13, 15

LLDP bridge mode, 103

LLDP frame encapsulation format, 109

LLDP operating mode, 103

LLDP parameters, 108

LLDP reinitialization delay, 104

loop detection interval, 41

loop detection protection action (global), 41

loop detection protection action (Layer 2 aggregate interface), 41

loop detection protection action (Layer 2 Ethernet interface), 41

loop detection protection action (S-channel aggregate interface), 41

loop detection protection action (S-channel bundle interface), 41

loop detection protection action (S-channel interface), 41

MAC address table dynamic aging timer, 5

MAC address table learning limit (on interface), 5

spanning tree mode, 69

shutting down

Ethernet link aggregate interface, 21

loop detection shutdown action, 39

SNAP

LLDP frame encapsulation, 97

LLDP frame encapsulation format, 109

SNMP

MAC address table SNMP notification, 8

snooping

spanning tree Digest Snooping, 83

spanning tree TC Snooping, 86

spanning tree, 45, See also STP, RSTP, PVST, MSTP

BPDU guard enable, 87

BPDU transmission rate configuration, 75

configuration, 45, 66

device priority configuration, 72

Digest Snooping, 83

disabling inconsistent PVID protection, 82

displaying, 91

edge port configuration, 75

feature enable, 80

loop guard enable, 88

maintaining, 91

mCheck, 81

mode set, 69

MST region max hops, 72

MSTP, 57, See also MSTP

No Agreement Check, 84

port link type configuration, 79

port mode configuration, 79

port path cost calculation standard, 76

port path cost configuration, 76, 78

port priority configuration, 78

port role restriction, 89

port state transition output, 80

protection features, 87

PVST, 56, See also PVST

PVST BPDU guard, 90

root bridge configuration, 71

root bridge configuration (device), 71

root guard enable, 88

RSTP, 54, See also RSTP

secondary root bridge configuration (device), 71

SNMP notifications for new-root election and topology change events, 91

switched network diameter, 73

TC Snooping, 86

TC-BPDU guard, 90

TC-BPDU transmission restriction, 89

timeout factor configuration, 75

timer configuration, 73

spanning tree configuration

command and hardware compatibility, 66

specifying

spanning tree port path cost calculation standard, 76

state

Ethernet link aggregation member port state, 11, 13, 15

static

Ethernet link aggregation group, 17

Ethernet link aggregation mode, 12

Ethernet link aggregation static mode, 12

Layer 2 Ethernet link aggregation, 24

MAC address table entry, 1

MAC address table entry configuration (global), 3

MAC address table entry configuration (on interface), 3

STP

algorithm calculation, 48

basic concepts, 47

BPDU forwarding, 53

configuration, 66

configuration BPDUs, 45

designated bridge, 47

designated port, 47

Digest Snooping configuration restrictions, 74, 83

edge port configuration restrictions, 74, 76

feature enable, 81

loop detection, 45

mCheck configuration restrictions, 74, 82

mode set, 69

MSTP device implementation, 63

path cost, 48

port link type configuration restrictions, 74, 79

port state, 47

protocol frames, 45

root bridge, 47

root port, 47

TC Snooping configuration restrictions, 74, 86

TCN BPDUs, 46

timer configuration restrictions, 74

timers, 53

suppressing

MAC address move, 7

SVLAN

VLAN termination application scenario, 117

VLAN termination configuration, 117, 120, 125

switching

spanning tree switched network diameter, 73

table

MAC address, 1, 2, 9

MSTP VLAN-to-instance mapping table, 60

tag

VLAN termination configuration, 117, 120, 125

VLAN termination configuration (Dot1q), 120

VLAN termination configuration (QinQ), 121

VLAN termination types, 117

TC Snooping (spanning tree), 86

TC-BPDU

spanning tree TC-BPDU guard, 90

spanning tree TC-BPDU transmission restriction, 89

time

Ethernet link aggregation LACP timeout interval, 14

timeout

Ethernet link aggregation LACP long timeout interval, 14

Ethernet link aggregation LACP short timeout interval, 14

spanning tree timeout factor, 75

timer

LLDP reinitialization delay, 104

MAC address table dynamic aging timer, 5

spanning tree forward delay, 73

spanning tree hello, 73

spanning tree max age, 73

STP forward delay, 53

STP hello, 53

STP max age, 53

TLV

LLDP advertisable TLV configuration, 105

LLDP management address configuration, 107

LLDP management address encoding format, 107

LLDP parameters, 108

LLDPDU basic management types, 98

LLDPDU LLDP-MED types, 98

LLDPDU management address TLV, 101

LLDPDU organization-specific types, 98

topology

PVST BPDU protocol frames, 56

STP TCN BPDU protocol frames, 45

traffic

Ethernet link aggregation traffic redirection, 23

transmitting

LLDP frames, 101

spanning tree TC-BPDU transmission restriction, 89

VLAN termination broadcast, 124

VLAN termination multicast, 124

trapping

LLDP configuration, 110

LLDP-MED configuration, 110

trunk port

port-based VLAN assignment (trunk port), 35

type

VLAN termination default, 117

VLAN termination Dot1q, 117

VLAN termination QinQ, 117

VLAN termination untagged, 117

untagged VLAN termination, 117, 124

virtual

Local Area Network. Use VLAN

Virtual Local Area Network. Use VLAN

VLAN

basic configuration, 32

configuration, 31

disabling inconsistent PVID protection, 82

display, 37

frame encapsulation, 31

group configuration, 36

interface basics configuration, 33

loop detection configuration, 38, 40, 42

maintain, 37

MSTP VLAN-to-instance mapping table, 60

port isolation configuration, 133

port link type, 33

port-based configuration, 33

port-based VLAN assignment (access port), 35

port-based VLAN assignment (hybrid port), 36

port-based VLAN assignment (trunk port), 35

port-based VLAN frame handling, 34

port-based VLAN PVID, 34

protocols and standards, 32

PVST, 56

VLAN termination

application scenario, 117

configuration, 117, 120, 125

configuration (Dot1q ambiguous), 120, 121, 126

configuration (Dot1q PPPoE server support), 128

configuration (Dot1q unambiguous), 120, 121, 125

configuration (QinQ ambiguous), 121, 122, 130

configuration (QinQ unambiguous), 121, 123, 129

configuration (untagged), 124

configuration restrictions, 119

default, 124

interface broadcast transmission, 124

interface multicast transmission, 124

types, 117

VLAN termination and hardware compatibility, 119

WAN access

VLAN termination LAN-WAN communication, 117

04-Layer 2 - LAN Switching

Overview

MAC address learning

Manually configuring MAC address entries

Command and hardware compatibility

MAC address table configuration task list

Configuring MAC address entries

Disabling MAC address learning

Disabling MAC address learning on interfaces

Setting the aging timer for dynamic MAC address entries

Setting the MAC learning limit on interfaces

Configuring MAC address move notifications and suppression

MAC address table configuration example

Configuration types

LACP functions

LACP operating modes

LACP priorities

LACP timeout interval

Load sharing modes for link aggregation groups

Setting the expected bandwidth for an aggregate interface

Setting the global link-aggregation load sharing mode

Setting the group-specific load sharing mode

Network requirements

Configuration procedure

Verifying the configuration

Network requirements

Configuration procedure

Verifying the configuration

Network requirements

Configuration procedure

Verifying the configuration

Configuring VLANs

Overview

Configuring port-based VLANs

Port link type

PVID

How ports of different link types handle frames

Assigning an access port to a VLAN

Assign one or multiple access ports to a VLAN in VLAN view

Assign an access port to a VLAN in interface view

Configuring a VLAN group

Displaying and maintaining VLANs

Configuring loop detection

Overview

Loop detection mechanism

Loop detection interval

Enabling loop detection

Setting the loop protection action

Displaying and maintaining loop detection

Loop detection configuration example

Configuring spanning tree protocols

Configuration BPDUs

TCN BPDUs

Root bridge

Root port

Designated bridge and designated port

Port states

Path cost

Calculation process of the STP algorithm

Calculation process

Example of STP calculation

The configuration BPDU forwarding mechanism of STP

STP timers

Port roles

Port states

MST region

Displaying and maintaining VLAN s