03-Layer 2—LAN Switching Configuration Guide

HomeSupportResource CenterConfigure & DeployConfiguration GuidesH3C S12500-X & S12500X-AF Switch Series Configuration Guides-Release 113x-6W10103-Layer 2—LAN Switching Configuration Guide
01-Text
Title Size Download
01-Text 2.26 MB

Contents

Configuring Ethernet interfaces· 1

Configuring a management Ethernet interface· 1

Ethernet interface naming conventions· 1

Configuring common Ethernet interface settings· 1

Splitting a 40-GE interface and combining 10-GE breakout interfaces· 2

Configuring basic settings of an Ethernet interface or Layer 3 Ethernet subinterface· 3

Configuring the link mode of an Ethernet interface· 4

Configuring jumbo frame support 5

Configuring physical state change suppression on an Ethernet interface· 5

Configuring generic flow control on an Ethernet interface· 6

Configuring PFC on an Ethernet interface· 7

Enabling energy saving features on an Ethernet interface· 9

Configuring a Layer 2 Ethernet interface· 10

Configuring storm suppression· 10

Configuring storm control on an Ethernet interface· 10

Forcibly bringing up a fiber port 12

Setting the MDIX mode of an Ethernet interface· 13

Testing the cable connection of an Ethernet interface· 14

Configuring a Layer 3 Ethernet interface or subinterface· 14

Setting the MTU for an Ethernet interface or subinterface· 14

Displaying and maintaining an Ethernet interface· 14

Configuring loopback, null, and inloopback interfaces· 16

Configuring a loopback interface· 16

Configuring a null interface· 16

Configuring an inloopback interface· 17

Displaying and maintaining loopback, null, and inloopback interfaces· 17

Bulk configuring interfaces· 18

Configuration restrictions and guidelines· 18

Configuration procedure· 18

Displaying and maintaining bulk interface configuration· 19

Configuring the MAC address table· 20

Overview·· 20

How a MAC address entry is created· 20

Types of MAC address entries· 20

MAC address table configuration task list 21

Configuring MAC address entries· 21

Configuration guidelines· 21

Adding or modifying a static or dynamic MAC address entry globally· 22

Adding or modifying a static or dynamic MAC address entry on an interface· 22

Adding or modifying a blackhole MAC address entry· 23

Adding or modifying a multiport unicast MAC address entry· 23

Disabling MAC address learning· 24

Disabling global MAC address learning· 24

Disabling MAC address learning on interfaces· 24

Configuring the aging timer for dynamic MAC address entries· 25

Enabling MAC address synchronization· 25

Enabling MAC addresses learning at ingress· 27

Displaying and maintaining the MAC address table· 27

MAC address table configuration example· 28

Network requirements· 28

Configuration procedure· 28

Verifying the configuration· 28

Configuring MAC Information· 29

Enabling MAC Information· 29

Configuring the MAC Information mode· 29

Configuring the MAC change notification interval 30

Configuring the MAC Information queue length· 30

MAC Information configuration example· 30

Network requirements· 30

Configuration restrictions and guidelines· 30

Configuration procedure· 31

Configuring Ethernet link aggregation· 33

Basic concepts· 33

Aggregation group, member port, and aggregate interface· 33

Aggregation states of member ports in an aggregation group· 33

Operational key· 34

Configuration types· 34

Link aggregation modes· 34

Aggregating links in static mode· 35

Choosing a reference port 35

Setting the aggregation state of each member port 35

Aggregating links in dynamic mode· 36

LACP· 36

How dynamic link aggregation works· 37

Edge aggregate interface· 39

Load sharing modes for link aggregation groups· 39

Ethernet link aggregation configuration task list 39

Configuring an aggregation group· 40

Configuration restrictions and guidelines· 40

Configuring a static aggregation group· 41

Configuring a dynamic aggregation group· 42

Configuring an aggregate interface· 43

Setting the description for an aggregate interface· 43

Specifying ignored VLANs for a Layer 2 aggregate interface· 44

Setting the MTU for a Layer 3 aggregate interface or subinterface· 44

Setting the minimum and maximum numbers of Selected ports for an aggregation group· 45

Setting the expected bandwidth for an aggregate interface· 45

Configuring an edge aggregate interface· 46

Enabling BFD for an aggregation group· 46

Shutting down an aggregate interface· 47

Restoring the default settings for an aggregate interface· 48

Configuring load sharing for link aggregation groups· 48

Setting load sharing modes for link aggregation groups· 48

Enabling local-first load sharing for link aggregation· 50

Enabling link-aggregation traffic redirection· 50

Configuration restrictions and guidelines· 51

Configuration procedure· 51

Configuring the link aggregation capability for the device· 52

Displaying and maintaining Ethernet link aggregation· 52

Ethernet link aggregation configuration examples· 53

Layer 2 static aggregation configuration example· 53

Layer 2 dynamic aggregation configuration example· 55

Layer 2 aggregation load sharing configuration example· 56

Layer 3 static aggregation configuration example· 59

Layer 3 dynamic aggregation configuration example· 60

Layer 3 edge aggregate interface configuration example· 61

Configuring port isolation· 64

Assigning ports to an isolation group· 64

Displaying and maintaining port isolation· 64

Port isolation configuration example· 65

Network requirements· 65

Configuration procedure· 65

Verifying the configuration· 65

Configuring spanning tree protocols· 67

STP· 67

STP protocol packets· 67

Basic concepts in STP· 68

Calculation process of the STP algorithm·· 69

RSTP· 73

MSTP· 73

MSTP features· 74

MSTP basic concepts· 74

How MSTP works· 77

MSTP implementation on devices· 78

Protocols and standards· 78

Spanning tree configuration task lists· 78

Configuration restrictions and guidelines· 79

STP configuration task list 79

RSTP configuration task list 79

MSTP configuration task list 80

Setting the spanning tree mode· 81

Configuring an MST region· 81

Configuring the root bridge or a secondary root bridge· 82

Configuring the current device as the root bridge of a specific spanning tree· 83

Configuring the current device as a secondary root bridge of a specific spanning tree· 83

Configuring the device priority· 83

Configuring the maximum hops of an MST region· 83

Configuring the network diameter of a switched network· 84

Setting spanning tree timers· 84

Configuration restrictions and guidelines· 85

Configuration procedure· 85

Configuring the timeout factor 85

Configuring the BPDU transmission rate· 86

Configuring edge ports· 86

Configuration restrictions and guidelines· 86

Configuration procedure· 87

Configuring path costs of ports· 87

Specifying a standard for the device to use when it calculates the default path cost 87

Configuring path costs of ports· 89

Configuration example· 89

Configuring the port priority· 89

Configuring the port link type· 90

Configuration restrictions and guidelines· 90

Configuration procedure· 90

Configuring the mode a port uses to recognize and send MSTP packets· 91

Enabling outputting port state transition information· 91

Enabling the spanning tree feature· 92

Performing mCheck· 92

Performing mCheck globally· 92

Performing mCheck in interface view·· 92

Configuring Digest Snooping· 93

Configuration restrictions and guidelines· 93

Configuration procedure· 93

Digest Snooping configuration example· 94

Configuring No Agreement Check· 95

Configuration prerequisites· 96

Configuration procedure· 96

No Agreement Check configuration example· 96

Configuring protection features· 97

Enabling BPDU guard· 97

Enabling root guard· 97

Enabling loop guard· 98

Configuring port role restriction· 98

Configuring TC-BPDU transmission restriction· 99

Enabling TC-BPDU guard· 99

Displaying and maintaining the spanning tree· 100

Spanning tree configuration example· 101

Network requirements· 101

Configuration procedure· 101

Verifying the configuration· 103

Configuring loop detection· 105

Overview·· 105

Loop detection mechanism·· 105

Loop detection interval 106

Loop protection actions· 106

Port status auto recovery· 106

Loop detection configuration task list 107

Enabling loop detection· 107

Enabling loop detection globally· 107

Enabling loop detection on a port 107

Setting the loop protection action· 107

Setting the global loop protection action· 108

Setting the loop protection action on a Layer 2 Ethernet interface· 108

Setting the loop protection action on a Layer 2 aggregate interface· 108

Setting the loop detection interval 108

Displaying and maintaining loop detection· 109

Loop detection configuration example· 109

Network requirements· 109

Configuration procedure· 109

Verifying the configuration· 110

Configuring VLANs· 112

Overview·· 112

VLAN frame encapsulation· 112

Protocols and standards· 113

Configuring basic VLAN settings· 113

Configuring basic settings of a VLAN interface· 114

Reserving VLAN interface resources· 115

Reserving local-type VLAN interface resources· 115

Reserving global-type VLAN interface resources· 115

Configuration restrictions and guidelines· 115

Configuration procedure· 116

Configuring port-based VLANs· 116

Introduction to port-based VLAN·· 116

Assigning an access port to a VLAN·· 117

Assigning a trunk port to a VLAN·· 118

Assigning a hybrid port to a VLAN·· 119

Displaying and maintaining VLANs· 120

Port-based VLAN configuration example· 120

Network requirements· 120

Configuration procedure· 121

Verifying the configuration· 121

Configuring VLAN mapping· 123

Overview·· 123

Application scenario of one-to-one VLAN mapping· 123

Application scenario of one-to-two and two-to-two VLAN mapping· 124

Application scenario of zero-to-two VLAN mapping· 125

Application scenario of two-to-three VLAN mapping· 125

VLAN mapping implementations· 125

Configuration restrictions and guidelines· 128

VLAN mapping configuration task list 128

Configuring one-to-one VLAN mapping· 129

Configuring one-to-two VLAN mapping· 129

Configuring zero-to-two VLAN mapping· 130

Configuring two-to-two VLAN mapping· 131

Configuring two-to-three VLAN mapping· 132

Displaying and maintaining VLAN mapping· 133

VLAN mapping configuration examples· 133

One-to-one VLAN mapping configuration example· 133

One-to-two and two-to-two VLAN mapping configuration example· 135

Configuring LLDP· 139

Overview·· 139

Basic concepts· 139

Work mechanism·· 144

Protocols and standards· 145

LLDP configuration task list 145

Performing basic LLDP configuration· 145

Enabling LLDP· 145

Configuring the LLDP bridge mode· 146

Setting the LLDP operating mode· 146

Setting the LLDP re-initialization delay· 147

Enabling LLDP polling· 147

Configuring the advertisable TLVs· 148

Configuring the management address and its encoding format 150

Setting other LLDP parameters· 150

Setting an encapsulation format for LLDP frames· 151

Configuring CDP compatibility· 152

Configuration prerequisites· 152

Configuration procedure· 152

Configuring DCBX· 153

DCBX configuration task list 154

Enabling LLDP and DCBX TLV advertising· 154

Configuring the DCBX version· 154

Configuring APP parameters· 155

Configuring ETS parameters· 157

Configuring PFC parameters· 158

Configuring LLDP trapping and LLDP-MED trapping· 159

Displaying and maintaining LLDP· 160

LLDP configuration example· 160

Network requirements· 160

Configuration procedure· 161

Verifying the configuration· 161

DCBX configuration example· 165

Network requirements· 165

Configuration procedure· 165

Verifying the configuration· 166

Index· 171


Configuring Ethernet interfaces

The switch series supports Ethernet interfaces, management Ethernet interfaces, and Console interfaces. For the interface types and the number of interfaces supported by a switch model, see the installation guide.

This document describes how to configure management Ethernet interfaces and Ethernet interfaces.

Configuring a management Ethernet interface

A management interface uses an RJ-45 connector. You can connect the interface to a PC for software loading and system debugging.

To configure a management Ethernet interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter management Ethernet interface view.

interface M-GigabitEthernet interface-number

N/A

3.       (Optional.) Set the interface description.

description text

The default setting is M-GigabitEthernet0/0/0 Interface.

4.       (Optional.) Shut down the interface.

shutdown

By default, the management Ethernet interface is up.

5.       (Optional.) Set the duplex mode for the interface.

duplex { auto | full | half }

By default, the management Ethernet interface automatically negotiates the duplex mode with its peer.

6.       (Optional.) Set the speed for the interface.

speed { 10 | 100 | 1000 | auto }

By default, the management Ethernet interface automatically negotiates the speed with its peer.

 

 

NOTE:

Set the same speed and duplex mode for a management Ethernet interface and its peer port.

 

Ethernet interface naming conventions

For a switch in an IRF fabric, its Ethernet interfaces are numbered in the format of interface type A/B/C/D. For a switch not in an IRF fabric, its Ethernet interfaces are numbered in the format of interface type B/C/D. The following definitions apply:

·          A—Number of the switch in an IRF fabric.

·          B—Slot number of the card in the switch.

·          C—Sub-slot number on a card.

·          D—Number of an interface on a card.

Configuring common Ethernet interface settings

This section describes the settings common to Layer 2 Ethernet interfaces and Layer 3 Ethernet interfaces/subinterfaces. You can set an Ethernet interface as a Layer 3 interface by using the port link-mode route command. For more information, see "Configuring the link mode of an Ethernet interface." For more information about the settings specific to Layer 2 Ethernet interfaces, see "Configuring a Layer 2 Ethernet interface."

Splitting a 40-GE interface and combining 10-GE breakout interfaces

Splitting a 40-GE interface into four 10-GE breakout interfaces

You can use a 40-GE interface as a single interface. To improve port density, reduce costs, and improve network flexibility, you can also split a 40-GE interface into four 10-GE breakout interfaces.

For example, you can split a 40-GE interface FortyGigE 1/0/16 into four 10-GE breakout interfaces Ten-GigabitEthernet 1/0/16:1 through Ten-GigabitEthernet 1/0/16:4.

After you split a 40-GE interface into four 10-GE breakout interfaces, reboot the device. The system deletes the 40-GE interface and creates the four 10-GE breakout interfaces.

Before rebooting a switch configured with this command, save the splitting configuration even if the switch is an IRF member switch.

To split a 40-GE interface into four 10-GE breakout interfaces:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter 40-GE interface view.

interface interface-type interface-number

N/A

3.       Split the 40-GE interface into four 10-GE breakout interfaces.

using tengige

By default, a 40-GE interface is not split and operates as a single interface.

The 10-GE breakout interfaces split from a 40-GE interface support the same configuration and attributes as common 10-GE interfaces, except that they are numbered differently.

A 40-GE interface split into four 10-GE breakout interfaces must use a dedicated 1-to-4 cable or a 1-to-4 fiber and transceiver modules.

 

Combining four 10-GE breakout interfaces into a 40-GE interface

If you need higher bandwidth, you can combine the four 10-GE breakout interfaces into a 40-GE interface.

After you combine four 10-GE breakout interfaces into a 40-GE interface, reboot the device. The system deletes the four 10-GE breakout interfaces and creates the combined 40-GE interface.

Before rebooting a switch configured with this command, save the combining configuration even if the switch is an IRF member switch.

To combine four 10-GE breakout interfaces into a 40-GE interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter the view of a 10-GE breakout interface split from a 40-GE interface.

interface interface-type interface-number

N/A

3.       Combine the four 10-GE breakout interfaces into a 40-GE interface.

using fortygige

By default, a 40-GE interface is not split and operates as a single interface.

After you combine the four 10-GE breakout interfaces, use a dedicated 1-to-1 cable or a 40-GE transceiver module and fiber.

 

Configuring basic settings of an Ethernet interface or Layer 3 Ethernet subinterface

Configuring an Ethernet interface

You can configure an Ethernet interface to operate in one of the following duplex modes:

·          FullInterfaces can send and receive packets simultaneously.

·          HalfInterfaces cannot send and receive packets simultaneously.

·          AutoInterfaces negotiate a duplex mode with their peers.

You can set the speed of an Ethernet interface or enable it to automatically negotiate a speed with its peer.

To configure an Ethernet interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Ethernet interface view.

interface interface-type interface-number

N/A

3.       Set the interface description.

description text

The default setting is in the format of interface-name Interface. For example, FortyGigE1/0/1 Interface.

4.       Set the duplex mode of the Ethernet interface.

duplex { auto | full | half }

This command is not applicable to 100-GE CXP interfaces and 100-GE CFP2 interfaces.

Copper ports operating at 1000 Mbps or 10 Gbps and fiber ports do not support the half keyword.

By default, 100-GE CXP interfaces and 100-GE CFP2 interfaces operate in full duplex mode, and other Ethernet interfaces automatically negotiate a duplex mode with the peer.

5.       Set the interface speed.

speed { 10 | 100 | 1000 | 10000 | 40000 | 100000 | auto }

By default, 100-GE CXP interfaces and 100-GE CFP2 interfaces operate at 100 Gbps, and other Ethernet interfaces automatically negotiate a speed with the peer.

Support for the keywords varies by interface type. For more information, execute the speed ? command in interface view.

6.       Configure the expected bandwidth of the interface.

bandwidth bandwidth-value

By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.

7.       Restore the default settings for the Ethernet interface.

default

N/A

8.       Bring up the Ethernet interface.

undo shutdown

By default, Ethernet interfaces are in up state.

 

Configuring a Layer 3 Ethernet subinterface

Each of the Layer 3 interfaces and subinterfaces use one VLAN interface resource. To successfully create the Layer 3 interfaces and subinterfaces, use the reserve-vlan-interface command to reserve VLAN interface resources for them before you create them. For example, before creating four Layer 3 subinterfaces on a Layer 3 interface, you must reserve five VLAN interface resources by using the reserve-vlan-interface command.

To reserve global VLAN interface resources, specify the global keyword in the reserve-vlan-interface command. To reserve local VLAN interface resources, do not specify the global keyword. Reserved VLAN interface resources are local in this chapter.

Before creating a Layer 3 Ethernet subinterface, do not reserve a resource for the VLAN interface whose interface number matches the subinterface number. After you reserve a VLAN interface resource, do not create a Layer 3 Ethernet subinterface whose subinterface number is the VLAN interface number. A Layer 3 Ethernet subinterface uses the VLAN interface resource in processing tagged packets whose VLAN ID matches the subinterface number.

For more information about reserving VLAN interface resources, see "Configuring VLANs."

To configure a Layer 3 Ethernet subinterface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create an Ethernet subinterface and enter subinterface view.

interface interface-type interface-number.subnumber

N/A

3.       Set the description for the Ethernet subinterface.

description text

The default setting is interface-name Interface. For example, FortyGigE1/0/1.1 Interface.

4.       Restore the default settings for the Ethernet subinterface.

default

N/A

5.       Set the expected bandwidth for the Ethernet subinterface.

bandwidth bandwidth-value

By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.

6.       Bring up the Ethernet subinterface.

undo shutdown

By default, Ethernet subinterfaces are in up state.

 

Configuring the link mode of an Ethernet interface

WARNING

CAUTION:

After you change the link mode of an Ethernet interface, all commands (except the shutdown command) on the Ethernet interface are restored to their defaults in the new link mode.

 

Each of the Layer 3 interfaces and subinterfaces use one VLAN interface resource. To successfully configure an Ethernet interface to operate in route mode, use the reserve-vlan-interface command to reserve a VLAN interface resource for the interface first. For example, before configuring four Layer 2 interfaces to operate in route mode, you must reserve four VLAN interface resources by using the reserve-vlan-interface command.

To reserve global VLAN interface resources, specify the global keyword in the reserve-vlan-interface command. To reserve local VLAN interface resources, do not specify the global keyword. Reserved VLAN interface resources are local in this chapter.

For more information about reserving VLAN interface resources, see "Configuring VLANs."

On the switch, Ethernet interfaces can operate either as Layer 2 or Layer 3 Ethernet interfaces (you can set the link mode to bridge or route).

To change the link mode of an Ethernet interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Ethernet interface view.

interface interface-type interface-number

N/A

3.       Change the link mode of the Ethernet interface.

port link-mode { bridge | route }

By default, an Ethernet interface operates in bridge mode.

 

Configuring jumbo frame support

An Ethernet interface might receive some frames larger than the standard Ethernet frame size (called jumbo frames) during high-throughput data exchanges, such as file transfers. When the Ethernet interface is configured to deny jumbo frames, the Ethernet interface discards jumbo frames without further processing. When the Ethernet interface is configured with jumbo frame support, the Ethernet interface processes jumbo frames within the specified length.

To configure jumbo frame support:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Ethernet interface view.

interface interface-type interface-number

N/A

3.       Configure jumbo frame support.

jumboframe enable [ value ]

By default, the switch allows jumbo frames within 12288 bytes to pass through Ethernet interfaces.

If you set the value argument multiple times, the most recent configuration takes effect.

 

Configuring physical state change suppression on an Ethernet interface

The physical link state of an Ethernet interface is either up or down. Each time the physical link of an interface goes up or comes down, the interface immediately reports the change to the CPU. The CPU then performs the following operations:

·          Notifies the upper-layer protocol modules (such as routing and forwarding modules) of the change for guiding packet forwarding.

·          Automatically generates traps and logs to inform the user to take corresponding actions.

To prevent frequent physical link flapping from affecting system performance, configure physical state change suppression to suppress the reporting of physical link state changes. You can configure this feature to suppress only link-down events, only link-up events, or both. If an event of the specified type still exists when the suppression interval expires, the system reports the event.

When you configure this feature, follow these guidelines:

·          To suppress only link-down events, configure the link-delay [ msec ] delay-time command.

·          To suppress only link-up events, configure the link-delay [ msec ] delay-time mode up command.

·          To suppress both link-down and link-up events, configure the link-delay [ msec ] delay-time mode updown command.

·          Do not configure physical state change suppression on an interface with MSTP enabled.

·          When you separately enable state change suppression for link-up and link-down events, both configurations take effect. For example, if you configure the link-delay [ msec ] delay-time mode up command and then configure the link-delay [ msec ] delay-time command, both commands take effect.

·          If you configure this command multiple times for link-up or link-down events on an Ethernet interface, the most recent configuration takes effect.

To configure physical state change suppression on an Ethernet interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Ethernet interface view.

interface interface-type interface-number

N/A

3.       Set the link-down event suppression interval.

link-delay delay-time

By default, each time the physical link of an interface comes down, the interface immediately reports the change to the CPU.

4.       Set the link-up event suppression interval.

link-delay [ msec ] delay-time mode up

By default, each time the physical link of an interface goes up, the interface immediately reports the change to the CPU.

5.       Set the link-updown event suppression interval.

link-delay [ msec ] delay-time mode updown

By default, each time the physical link of an interface goes up or comes down, the interface immediately reports the change to the CPU.

 

Configuring generic flow control on an Ethernet interface

To avoid packet drops on a link, you can enable generic flow control at both ends of the link. When traffic congestion occurs at the receiving end, the receiving end sends a flow control (Pause) frame to ask the sending end to suspend sending packets.

·          With TxRx mode generic flow control enabled, an interface can both send and receive flow control frames. When congestion occurs, the interface sends a flow control frame to its peer. When the interface receives a flow control frame from the peer, it suspends sending packets.

·          With Rx flow mode generic control enabled, an interface can receive flow control frames, but it cannot send flow control frames. When the interface receives a flow control frame from its peer, it suspends sending packets to the peer. When congestion occurs, the interface cannot send flow control frames to the peer.

As shown in Figure 1, when both Port A and Port B forward packets at the rate of 1000 Mbps, Port C will be congested. To avoid packet loss, enable flow control on Port A and Port B.

Figure 1 Flow control on ports

 

When TxRx mode generic flow control is enabled on Port B and Rx mode generic flow control is enabled on Port A:

·          When Port C is congested, Switch B buffers the packet. When the buffered packets reach a size, Switch B learns that the traffic forwarded from Port B to Port C exceeds the forwarding capability of Port C. In this case, Port B sends generic pause frames to Port A and tells Port A to suspend sending packets.

·          When Port A receives the generic pause frames, Port A suspends sending packets to Port B for a certain period, which is carried in the generic pause frames. Port B sends generic pause frames to Port A until congestion is removed.

To handle unidirectional traffic congestion on a link, configure the flow-control receive enable command at one end and the flow-control command at the other end. To enable both ends of a link to handle traffic congestion, configure the flow-control command at both ends.

To enable generic flow control on an Ethernet interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Ethernet interface view.

interface interface-type interface-number

N/A

3.       Enable generic flow control.

·         Enable TxRx mode generic flow control:
flow-control

·         Enable Rx mode generic flow control:
flow-control receive enable

By default, generic flow control is disabled on an Ethernet interface.

 

Configuring PFC on an Ethernet interface

IMPORTANT

IMPORTANT:

This feature is available only when the system operates in advanced mode. For more information about system operating modes, see Fundamentals Configuration Guide.

 

PFC performs flow control based on 802.1p priorities. With PFC enabled, an interface requires its peer to suspend sending packets with the specified 802.1p priorities when congestion occurs. By decreasing the transmission rate, PFC helps avoid packet loss.

You can enable PFC for the specified 802.1p priorities at the two ends of a link. When network congestion occurs, the local device checks the PFC status for the 802.1p priority carried in each arriving packet. The device processes the packet depending on the PFC status as follows:

·          If PFC is enabled for the 802.1p priority, the local device accepts the packet and sends a PFC pause frame to the peer. The peer stops sending packets carrying this 802.1p priority for an interval as specified in the PFC pause frame. This process is repeated until the congestion is removed.

·          If PFC is disabled for the 802.1p priority, the local interface drops the packet.

To configure PFC on an Ethernet interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Ethernet interface view.

interface interface-type interface-number

N/A

3.       Enable PFC on the interface through automatic negotiation or forcibly.

priority-flow-control { auto | enable }

By default, PFC is disabled.

4.       Enable PFC for specific 802.1p priorities.

priority-flow-control no-drop dot1p dot1p-list

By default, PFC is disabled for all 802.1p priorities.

 

When you configure PFC, follow these guidelines:

·          To perform PFC on a network interface of an IRF member device, configure PFC on both the network interface and the IRF physical interfaces. For information about IRF, see IRF configuration Guide.

·          As a best practice to ensure correct operations of IRF and other protocols, do not enable PFC for 802.1p priorities 0, 6, and 7.

·          Make the same PFC configuration on all interfaces that traffic travels through.

·          An interface can receive PFC pause frames whether or not PFC is enabled on the interface. However, only an interface with PFC enabled can process PFC pause frames. To make PFC take effect, make sure PFC is enabled on both the local end and the peer end.

The relationship between the PFC function and the generic flow control function is shown in Table 1.

Table 1 The relationship between the PFC function and the generic flow control function

flow-control

priority-flow-control enable

priority-flow-control no-drop dot1p

Remarks

Unconfigurable

Configured

Configured

You cannot enable flow control by using the flow-control command on an interface where PFC is enabled and PFC is enabled for the specified 802.1p priority values.

Configured

Configurable

Unconfigurable

·         On an interface configured with the flow-control command, you can enable PFC, but you cannot enable PFC for specific 802.1p priorities.

·         Enabling both generic flow control and PFC on an interface disables the interface from sending common or PFC pause frames to inform the peer of congestion conditions. However, the interface can still handle common and PFC pause frames from the peer.

 

Enabling energy saving features on an Ethernet interface

Enabling auto power-down on an Ethernet interface

IMPORTANT

IMPORTANT:

Fiber ports do not support this feature.

 

When an Ethernet interface with auto power-down enabled has been down for a certain period of time, both of the following events occur:

·          The device automatically stops supplying power to the Ethernet interface.

·          The Ethernet interface enters the power save mode.

The time period depends on the chip specifications and is not configurable.

When the Ethernet interface comes up, both of the following events occur:

·          The device automatically restores power supply to the Ethernet interface.

·          The Ethernet interface restores to its normal state.

To enable auto power-down on an Ethernet interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Ethernet interface view.

interface interface-type interface-number

N/A

3.       Enable auto power-down on the Ethernet interface.

port auto-power-down

By default, auto power-down is disabled on an Ethernet interface.

 

Enabling EEE on an Ethernet interface

IMPORTANT

IMPORTANT:

·      Fiber ports do not support this feature.

·      Ports on an LSXM1GT48FX1 card do not support this feature when they operate at 100 Mbps.

 

With Energy Efficient Ethernet (EEE) enabled, a link-up interface enters low power state if it has not received any packets for a period of time. The time period depends on the chip specifications and is not configurable. When a packet arrives later, the device automatically restores power supply to the interface and the interface restores to the normal state.

To enable EEE on an Ethernet interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Ethernet interface view.

interface interface-type interface-number

N/A

3.       Enable EEE on the Ethernet interface.

eee enable

By default, EEE is disabled on an Ethernet interface.

 

Configuring a Layer 2 Ethernet interface

Configuring storm suppression

You can use the storm suppression feature to limit the size of a particular type of traffic (broadcast, multicast, or unknown unicast traffic) on an interface. When the broadcast, multicast, or unknown unicast traffic on the interface exceeds this threshold, the system discards packets until the traffic drops below this threshold.

Any of the storm-constrain, broadcast-suppression, multicast-suppression, and unicast-suppression commands can suppress storm on an interface. The broadcast-suppression, multicast-suppression, and unicast-suppression commands suppress traffic in hardware, and have less impact on device performance than the storm-constrain command, which performs suppression in software.

Configuration guidelines

For the same type of traffic, do not configure the storm constrain command together with any of the broadcast-suppression, multicast-suppression, and unicast-suppression commands. Otherwise, the traffic suppression result is not determined. For more information about the storm-constrain command, see "Configuring storm control on an Ethernet interface."

Configuration procedure

To set storm suppression thresholds on one or multiple Ethernet interfaces:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Ethernet interface view.

interface interface-type interface-number

N/A

3.       Enable broadcast suppression and set the broadcast suppression threshold.

broadcast-suppression { ratio | pps max-pps | kbps max-kbps }

By default, broadcast traffic is allowed to pass through an interface.

4.       Enable multicast suppression and set the multicast suppression threshold.

multicast-suppression { ratio | pps max-pps | kbps max-kbps }

By default, multicast traffic is allowed to pass through an interface.

5.       Enable unknown unicast suppression and set the unknown unicast suppression threshold.

unicast-suppression { ratio | pps max-pps | kbps max-kbps }

By default, unknown unicast traffic is allowed to pass through an interface.

 

Configuring storm control on an Ethernet interface

About storm control

Storm control compares broadcast, multicast, and unknown unicast traffic regularly with their respective traffic thresholds on an Ethernet interface. For each type of traffic, storm control provides a lower threshold and a higher threshold.

For management purposes, you can configure the interface to output threshold event traps and log messages when monitored traffic meets either of the following conditions:

·          Exceeds the upper threshold.

·          Falls below the lower threshold from the upper threshold.

Depending on your configuration, when a particular type of traffic exceeds its upper threshold, the interface performs either of the following operations:

·          Blocks this type of traffic and forwards other types of traffic—Even though the interface does not forward the blocked traffic, it still counts the traffic. When the blocked traffic drops below the lower threshold, the interface begins to forward the traffic.

·          Goes down automatically—The interface goes down automatically and stops forwarding traffic. When the blocked traffic is detected dropping below the lower threshold, the interface does not forward the traffic. To bring up the interface, use the undo shutdown command or disable the storm control function.

Any of the storm-constrain, broadcast-suppression, multicast-suppression, and unicast-suppression commands can suppress storm on an interface. The broadcast-suppression, multicast-suppression, and unicast-suppression commands suppress traffic in hardware, and have less impact on device performance than the storm-constrain command, which performs suppression in software.

Storm control uses a complete polling cycle to collect traffic data, and analyzes the data in the next cycle. An interface takes one to two polling intervals to take a storm control action.

Configuration guidelines

For the same type of traffic, do not configure the storm constrain command together with any of the broadcast-suppression, multicast-suppression, and unicast-suppression commands. Otherwise, the traffic suppression result is not determined. For more information about the broadcast-suppression, multicast-suppression, and unicast-suppression commands, see "Configuring storm suppression."

Configuration procedure

To configure storm control on an Ethernet interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       (Optional.) Set the traffic polling interval of the storm control module.

storm-constrain interval seconds

The default setting is 10 seconds.

For network stability, use the default or set a higher traffic polling interval (10 seconds).

3.       Enter Ethernet interface view.

interface interface-type interface-number

N/A

4.       (Optional.) Enable storm control, and set the lower and upper thresholds for broadcast, multicast, or unknown unicast traffic.

storm-constrain { broadcast | multicast | unicast } { pps | kbps | ratio } max-pps-values min-pps-values

By default, storm control is disabled.

5.       Set the control action to take when monitored traffic exceeds the upper threshold.

storm-constrain control { block | shutdown }

By default, storm control is disabled.

6.       (Optional.) Enable the interface to log storm control threshold events.

storm-constrain enable log

By default, the interface outputs log messages when monitored traffic exceeds the upper threshold or falls below the lower threshold from the upper threshold.

7.       (Optional.) Enable the interface to send storm control threshold event traps.

storm-constrain enable trap

By default, the interface sends traps when monitored traffic exceeds the upper threshold or drops below the lower threshold from the upper threshold.

 

Forcibly bringing up a fiber port

CAUTION

CAUTION:

The following operations on a fiber port will cause link updown events before the port finally stays up:

·      Configure both the port up-mode command and the speed or duplex command.

·      Install or remove fiber links or transceiver modules after you forcibly bring up the fiber port.

 

IMPORTANT

IMPORTANT:

Copper ports do not support this feature.

 

As shown in Figure 2, a fiber port uses separate fibers for transmitting and receiving packets. The physical state of the fiber port is up only when both transmit and receive fibers are physically connected. If one of the fibers is disconnected, the fiber port does not work.

To enable a fiber port to forward traffic over a single link, use the port up-mode command. This command forcibly brings up a fiber port, even when no fiber links or transceiver modules are present for the fiber port. When one fiber link is present and up, the fiber port can forward packets over the link unidirectionally.

Figure 2 Forcibly bring up a fiber port

 

Configuration restrictions and guidelines

When you forcibly bring up a fiber port, follow these restrictions and guidelines:

·          To enable this feature on a fiber port, make sure the port is operating in bridge mode.

·          The port up-mode, shutdown, and loopback commands are exclusive with each other.

·          A GE fiber port forcibly brought up cannot correctly forward traffic if it is installed with a fiber-to-copper converter, 100/1000-Mbps transceiver module, or 100-Mbps transceiver module. To solve the problem, use the undo port up-mode command on the fiber port.

To forcibly bring up a fiber port:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Ethernet interface view.

interface interface-type interface-number

N/A

3.       Forcibly bring up the fiber port.

port up-mode

By default, a fiber port is not forcibly brought up, and the physical state of a fiber port depends on the physical state of the fibers.

 

Setting the MDIX mode of an Ethernet interface

IMPORTANT

IMPORTANT:

Fiber ports do not support this feature.

 

A physical Ethernet interface has eight pins. Each pin plays a dedicated role by default. For example, pins 1 and 2 receive signals, and pins 3 and 6 transmit signals. You can use both crossover and straight-through Ethernet cables to connect copper Ethernet interfaces. To accommodate these types of cables, a copper Ethernet interface can operate in one of the following Medium Dependent Interface-Crossover (MDIX) modes:

·          MDIX mode—Pins 1 and 2 are receive pins and pins 3 and 6 are transmit pins.

·          MDI mode—Pins 1 and 2 are transmit pins and pins 3 and 6 are receive pins.

·          AutoMDIX mode—The interface negotiates pin roles with its peer.

For a copper Ethernet interface to communicate with its peer, set the MDIX mode of the interface by following these guidelines:

·          Typically, set the MDIX mode of the interface to AutoMDIX. Set the MDIX mode of the interface to MDI or MDIX only when the device cannot determine the cable type.

·          When a straight-through cable is used, configure the interface to operate in an MDIX mode different than its peer.

·          When a crossover cable is used, perform one of the following tasks:

?  Configure the interface to operate in the same MDIX mode as its peer.

?  Configure either end to operate in AutoMDIX mode.

To set the MDIX mode of an Ethernet interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Ethernet interface view.

interface interface-type interface-number

N/A

3.       Set the MDIX mode of the Ethernet interface.

mdix-mode { automdix | mdi | mdix }

By default, a copper Ethernet interface operates in auto mode to negotiate pin roles with its peer.

 

Testing the cable connection of an Ethernet interface

IMPORTANT

IMPORTANT:

·      Fiber ports do not support this feature.

·      If the link of an Ethernet interface is up, testing its cable connection will cause the link to go down and then come up.

 

This feature tests the cable connection of an Ethernet interface and displays cable test result within 5 seconds. The test result includes the cable's status and some physical parameters. If a fault is detected, the test result shows the length from the local interface to the faulty point.

To test the cable connection of an Ethernet interface:

 

Step

Command

1.       Enter system view.

system-view

2.       Enter Ethernet interface view.

interface interface-type interface-number

3.       Perform a test for the cable connected to the Ethernet interface.

virtual-cable-test

 

Configuring a Layer 3 Ethernet interface or subinterface

Setting the MTU for an Ethernet interface or subinterface

The maximum transmission unit (MTU) of an Ethernet interface affects the fragmentation and reassembly of IP packets on the interface. Typically, you do not need to modify the MTU of an interface.

To set the MTU for an Ethernet interface or subinterface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Ethernet interface or subinterface view.

interface interface-type { interface-number | interface-number.subnumber }

N/A

3.       Set the MTU for the Ethernet interface or subinterface.

mtu size

By default, the MTU of an Ethernet interface or subinterface is 1500 bytes.

 

Displaying and maintaining an Ethernet interface

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display interface traffic statistics.

display counters { inbound | outbound } interface [ interface-type [ interface-number ] ]

Display traffic rate statistics of interfaces in up state over the last sampling interval.

display counters rate { inbound | outbound } interface [ interface-type [ interface-number ] ]

Display the operational and status information of the specified interface or all interfaces.

display interface [ interface-type [ interface-number | interface-number.subnumber ] ]

Display summary information about the specified interface or all interfaces.

display interface [ interface-type [ interface-number | interface-number.subnumber ] ] brief [ description ]

Display information about dropped packets on the specified interface or all interfaces.

display packet-drop { interface [ interface-type [ interface-number ] ] | summary }

Display information about storm control on the specified interface or all interfaces.

display storm-constrain [ broadcast | multicast | unicast ] [ interface interface-type interface-number ]

Display the Ethernet module statistics.

display ethernet statistics

Clear the interface statistics.

reset counters interface [ interface-type [ interface-number ] ]

Clear the statistics of dropped packets on the specified interfaces.

reset packet-drop interface [ interface-type [ interface-number ] ]

Clear the Ethernet module statistics.

reset ethernet statistics

 


Configuring loopback, null, and inloopback interfaces

This chapter describes how to configure a loopback interface, a null interface, and an inloopback interface.

Configuring a loopback interface

A loopback interface is a virtual interface. The physical layer state of a loopback interface is always up unless the loopback interface is manually shut down. Because of this benefit, loopback interfaces are widely used in the following scenarios:

·          Configuring a loopback interface address as the source address of the IP packets that the device generates—Because loopback interface addresses are stable unicast addresses, they are usually used as device identifications.

?  When you configure a rule on an authentication or security server to permit or deny packets that a device generates, you can simplify the rule by configuring it to permit or deny packets carrying the loopback interface address that identifies the device.

?  When you use a loopback interface address as the source address of IP packets, make sure the route from the loopback interface to the peer is reachable by performing routing configuration. All data packets sent to the loopback interface are considered packets sent to the device itself, so the device does not forward these packets.

·          Using a loopback interface in dynamic routing protocols—With no router ID configured for a dynamic routing protocol, the system selects the highest loopback interface IP address as the router ID. In BGP, to avoid interruption of BGP sessions due to physical port failure, you can use a loopback interface as the source interface of BGP packets.

To configure a loopback interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a loopback interface and enter loopback interface view.

interface loopback interface-number

N/A

3.       Set the interface description.

description text

The default setting is interface name Interface (for example, LoopBack1 Interface).

4.       Configure the expected bandwidth of the loopback interface.

bandwidth bandwidth-value

By default, the expected bandwidth of a loopback interface is 0 kbps.

5.       Restore the default settings for the loopback interface.

default

N/A

6.       Bring up the loopback interface.

undo shutdown

By default, a loopback interface is up.

 

Configuring a null interface

A null interface is a virtual interface and is always up, but you can neither use it to forward data packets nor can you configure it with an IP address or link layer protocol. The null interface provides a simpler way to filter packets than ACL. You can filter undesired traffic by transmitting it to a null interface instead of applying an ACL. For example, if you specify a null interface as the next hop of a static route to a specific network segment, any packets routed to the network segment are dropped.

To configure a null interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter null interface view.

interface null 0

Interface Null 0 is the default null interface on the device and cannot be manually created or removed.

Only one null interface, Null 0, is supported on the device. The null interface number is always 0.

3.       Set the interface description.

description text

The default setting is NULL0 Interface.

4.       Restore the default settings for the null interface.

default

N/A

 

Configuring an inloopback interface

An inloopback interface is a virtual interface created by the system, which cannot be configured or deleted. The physical layer and link layer protocol states of an inloopback interface are always up. All IP packets sent to an inloopback interface are considered packets sent to the device itself and are not further forwarded.

Displaying and maintaining loopback, null, and inloopback interfaces

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display information about the specified or all loopback interfaces.

display interface [ loopback ] [ brief [ down ] ]

display interface [ loopback [ interface-number ] ] [ brief [ description ] ]

Display information about the null interface.

display interface [ null [ 0 ] ] [ brief [ description ] ]

Display information about the inloopback interface.

display interface [ inloopback [ 0 ] ] [ brief [ description ] ]

Clear the statistics on the specified or all loopback interfaces.

reset counters interface loopback [ interface-number ]

Clear the statistics on the null interface.

reset counters interface [ null [ 0 ] ]

Clear the statistics on the inloopback interface.

reset counters interface

 

 


Bulk configuring interfaces

You can enter interface range view to bulk configure multiple interfaces with the same feature instead of configuring them one by one. For example, you can execute the shutdown command in interface range view to shut down a range of interfaces.

Configuration restrictions and guidelines

When you bulk configure interfaces in interface range view, follow these restrictions and guidelines:

·          In interface range view, only the commands supported by the first interface are available. The first interface is specified with the interface range command.

·          If you cannot enter the view of an interface by using the interface interface-type interface-number command, do not configure the interface as the first interface in the interface range.

·          Do not assign an aggregate interface and any of its member interfaces to an interface range at the same time. Some commands, after being executed on both an aggregate interface and its member interfaces, can break up the aggregation.

·          No limit is set on the maximum number of interfaces in an interface range. The more interfaces in an interface range, the longer the command execution time.

·          The maximum number of interface range names is only limited by the system resources. As a best practice to guarantee bulk interface configuration performance, configure fewer than 1000 interface range names.

·          After a command is executed in interface range view, one of the following situations might occur:

?  The system stays in interface range view and displays no error messages. It means that the execution succeeded on all member interfaces in the interface range.

?  The system displays an error message and stays in interface range view. It means that the execution failed on member interfaces in the interface range.

-      If the execution failed on the first member interface in the interface range, the command is not executed on any member interfaces.

-      If the execution failed on non-first member interfaces, the command takes effect on the other member interfaces.

?  The system returns to system view. It means that:

-      The command is supported in both system view and interface view.

-      The execution failed on a member interface in interface range view and succeeded in system view.

-      The command is not executed on the subsequent member interfaces.

You can use the display this command to verify the configuration in interface view of each member interface. In addition, if the configuration in system view is not needed, use the undo form of the command to remove the configuration.

Configuration procedure

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface range view.

·         interface range { interface-type interface-number [ to interface-type interface-number ] } &<1-24>

·         interface range name name [ interface { interface-type interface-number [ to interface-type interface-number ] } &<1-24> ]

Use either command.

By using the interface range name command, you assign a name to an interface range and can specify this name rather than the interface range to enter the interface range view.

3.       (Optional.) Display commands available for the first interface in the interface range.

Enter a question mark (?) at the interface range prompt.

N/A

4.       Use available commands to configure the interfaces.

Available commands vary by interface.

N/A

5.       (Optional.) Verify the configuration.

display this

N/A

 

Displaying and maintaining bulk interface configuration

Execute display commands in any view.

 

Task

Command

Display information about interface ranges configured through the interface range name command.

display interface range [ name name ]

 


Configuring the MAC address table

Overview

An Ethernet device uses a MAC address table to forward frames. A MAC address entry includes a destination MAC address, an outgoing interface, and a VLAN ID. When the device receives a frame, it uses the destination MAC address of the frame to look for a match in the MAC address table.

·          The device forwards the frame out of the outgoing interface in the matching entry if a match is found.

·          The device floods the frame in the VLAN of the frame if no match is found.

How a MAC address entry is created

The entries in the MAC address table include entries automatically learned by the device and entries manually added.

MAC address learning

The device can automatically populate its MAC address table by learning the source MAC addresses of incoming frames on each interface.

The device performs the following operations to learn the source MAC maddress of incoming packets:

1.        Checks the source MAC address (for example, MAC-SOURCE) of the frame.

2.        Looks up the source MAC address in the MAC address table.

?  The device updates the entry if an entry is found.

?  The device adds an entry for MAC-SOURCE and the incoming port if no entry is found.

When the device receives a frame destined for MAC-SOURCE after learning this source MAC address, the device performs the following operations:

3.       Finds the MAC-SOURCE entry in the MAC address table.

4.        Forwards the frame out of the port in the entry.

The device performs the learning process for each incoming frame with an unknown source MAC address until the MAC address table is fully populated.

Manually configuring MAC address entries

Dynamic MAC address learning does not distinguish between illegitimate and legitimate frames, which can invite security hazards. When Host A is connected to port A, a MAC address entry will be learned for the MAC address of Host A (for example, MAC A). When an illegal user sends frames with MAC A as the source MAC address to port B, the device performs the following tasks:

1.        Learns a new MAC address entry with port B as the outgoing interface and overwrites the old entry for MAC A.

2.        Forwards frames destined for MAC A out of port B to the illegal user.

As a result, the illegal user obtains the data of Host A. To improve the security for Host A, manually configure a static entry to bind Host A to port A. Then, the frames destined for Host A are always sent out of port A. Other hosts using the forged MAC address of Host A cannot obtain the frames destined for Host A.

Types of MAC address entries

A MAC address table can contain the following types of entries:

·          Static entries—A static entry is manually added to forward frames with a specific destination MAC address out of the associated interface, and it never ages out. A static entry has higher priority than a dynamically learned one.

·          Dynamic entries—A dynamic entry can be manually configured or dynamically learned to forward frames with a specific destination MAC address out of the associated interface. A dynamic entry might age out. A manually configured dynamic entry has the same priority as a dynamically learned one.

·          Blackhole entries—A blackhole entry is manually configured and never ages out. A blackhole entry is configured for filtering out frames with a specific destination MAC address. For example, to block all frames destined for a specific user for security concerns, you can configure the MAC address of this user as a blackhole MAC address entry.

·          Multiport unicast entriesA multiport unicast entry is manually added to send frames with a specific unicast destination MAC address out of multiple ports, and it never ages out. A multiport unicast entry has higher priority than a dynamically learned one.

A static, blackhole, or multiport unicast MAC address entry can overwrite a dynamic MAC address entry, but not vice versa.

MAC address table configuration task list

The configuration tasks discussed in the following sections can be performed in any order.

This document covers only the configuration of unicast MAC address entries, including static, dynamic, blackhole, and multiport unicast MAC address entries. For information about configuring static multicast MAC address entries, see IP Multicast Configuration Guide.

To configure the MAC address table, perform the following tasks:

 

Tasks at a glance

(Optional.) Configuring MAC address entries:

·         Adding or modifying a static or dynamic MAC address entry globally

·         Adding or modifying a static or dynamic MAC address entry on an interface

·         Adding or modifying a blackhole MAC address entry

·         Adding or modifying a multiport unicast MAC address entry

(Optional.) Disabling MAC address learning

(Optional.) Configuring the aging timer for dynamic MAC address entries

(Optional.) Enabling MAC address synchronization

(Optional.) Enabling MAC addresses learning at ingress

 

Configuring MAC address entries

Configuration guidelines

·          You cannot add a dynamic MAC address entry if a learned entry already exists with a different outgoing interface for the MAC address.

·          The manually configured static, blackhole, and multiport unicast MAC address entries cannot survive a reboot if you do not save the configuration. The manually configured dynamic MAC address entries, however, are lost upon reboot whether or not you save the configuration.

A frame whose source MAC address matches different types of MAC address entries is differently processed.

 

Type

Description

Static MAC address entry

·         Discards the frame received on a different interface from that in the entry.

·         Forwards the frame received on the same interface as that in the entry.

Multiport unicast MAC address entry

·         Learns the MAC address (for example, MAC A) of the frame, adds a dynamic MAC address entry for MAC A, and forwards the frame.

·         Forwards the frames destined for MAC A based on the multiport unicast MAC address entry.

Dynamic MAC address entry

·         Learns the MAC address of the frame received on a different interface from that in the entry and overwrites the original entry.

·         Forwards the frame received on the same interface as that in the entry and updates the aging timer for the entry.

 

Adding or modifying a static or dynamic MAC address entry globally

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Add or modify a static or dynamic MAC address entry.

mac-address { dynamic | static } mac-address interface interface-type interface-number vlan vlan-id

By default, no MAC address entry is configured globally.

Make sure you have created the VLAN and assigned the interface to the VLAN.

 

Adding or modifying a static or dynamic MAC address entry on an interface

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

·         Enter Layer 2 Ethernet interface view:
interface interface-type interface-number

·         Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number

N/A

3.       Add or modify a static or dynamic MAC address entry.

mac-address { dynamic | static } mac-address vlan vlan-id

By default, no MAC address entry is configured on an interface.

Make sure you have created the VLAN and assigned the interface to the VLAN.

 

Adding or modifying a blackhole MAC address entry

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Add or modify a blackhole MAC address entry.

mac-address blackhole mac-address vlan vlan-id

By default, no blackhole MAC address entry is configured.

Make sure you have created the VLAN.

 

Adding or modifying a multiport unicast MAC address entry

You can configure a multiport unicast MAC address entry to associate a unicast destination MAC address with multiple ports, so that the frame with a destination MAC address matching the entry is forwarded out of multiple ports.

For example, in NLB unicast mode, all servers within the cluster uses the cluster's MAC address as their own address, and frames destined for the cluster are forwarded to every server. In this case, you can configure a multiport unicast MAC address entry on the device connected to the server group. Then, the device forwards the frame destined for the server group through all ports connected to the servers within the cluster.

Figure 3 NLB cluster

 

You can configure a multiport unicast MAC address entry globally or on an interface.

Configuring a multiport unicast MAC address entry globally

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Add or modify a multiport unicast MAC address entry.

mac-address multiport mac-address interface interface-list vlan vlan-id

By default, no multiport unicast MAC address entry is configured globally.

Make sure you have created the VLAN and assigned the interface to the VLAN.

 

Configuring a multiport unicast MAC address entry on an interface

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

·         Enter Layer 2 Ethernet interface view:
interface interface-type interface-number

·         Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number

N/A

3.       Add the interface to a multiport unicast MAC address entry.

mac-address multiport mac-address vlan vlan-id

By default, no multiport unicast MAC address entry is configured on an interface.

Make sure you have created the VLAN and assigned the interface to the VLAN.

Do not configure an interface as the output interface of a multiport unicast MAC address entry if the interface receives frames destined for the multiport unicast MAC address. Otherwise, the frames are flooded in the VLAN to which they belong.

 

Disabling MAC address learning

MAC address learning is enabled by default. To prevent the MAC address table from being saturated when the device is experiencing attacks, disable MAC address learning. For example, you can disable MAC address learning to prevent the device from being attacked by a large amount of frames with different source MAC addresses.

When MAC address learning is disabled, the learned dynamic MAC addresses remain valid until they age out.

Disabling global MAC address learning

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Disable global MAC address learning.

undo mac-address mac-learning enable

By default, global MAC address learning is enabled.

 

Disabling global MAC address learning disables MAC address learning on all interfaces.

Disabling MAC address learning on interfaces

When global MAC address learning is enabled, you can disable MAC address learning on a single interface.

To disable MAC address learning on an interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter interface view.

·         Enter Layer 2 Ethernet interface view:
interface interface-type interface-number

·         Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number

N/A

3.       Disable MAC address learning on the interface.

undo mac-address mac-learning enable

By default, MAC address learning on the interface is enabled.

 

Configuring the aging timer for dynamic MAC address entries

For security and efficient use of table space, the MAC address table uses an aging timer for each dynamic MAC address entry. If a dynamic MAC address entry is not updated before the aging timer expires, the device deletes the entry. This aging mechanism ensures that the MAC address table can promptly update to accommodate latest network topology changes.

A stable network requires a longer aging interval, and an unstable network requires a shorter aging interval.

An aging interval that is too long might cause the MAC address table to retain outdated entries. As a result, the MAC address table resources might be exhausted, and the MAC address table might fail to update to accommodate the latest network changes.

An interval that is too short might result in removal of valid entries, which would cause unnecessary floods and possibly affect the device performance.

To reduce floods on a stable network, set a long aging timer or disable the timer to prevent dynamic entries from unnecessarily aging out. Reducing floods improves the network performance. Reducing flooding also improves the security because it reduces the chances for a data frame to reach unintended destinations.

To configure the aging timer for dynamic MAC address entries:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the aging timer for dynamic MAC address entries.

mac-address timer { aging seconds | no-aging }

By default, the aging timer for dynamic MAC address entries is 300 seconds.

The no-aging keyword disables the aging timer.

 

Enabling MAC address synchronization

To avoid unnecessary floods and improve forwarding speed, make sure all cards have the same MAC address table. After you enable MAC address synchronization, each card advertises learned MAC address entries to other cards. (In standalone mode.)

To avoid unnecessary floods and improve forwarding speed, make sure all cards have the same MAC address table. After you enable MAC address synchronization, each card advertises learned MAC address entries to other cards of all member devices. (In IRF mode.)

As shown in Figure 4:

·          Device A and Device B form an IRF fabric enabled with MAC address synchronization.

·          Device A and Device B connect to AP C and AP D, respectively.

When Client A associates with AP C, Device A learns a MAC address entry for Client A and advertises it to Device B.

Figure 4 MAC address tables of devices when Client A accesses AP C

 

When Client A roams to AP D, Device B learns a MAC address entry for Client A. Device B advertises it to Device A to ensure service continuity for Client A, as shown in Figure 5.

Figure 5 MAC address tables of devices when Client A roams to AP D

 

To enable MAC address synchronization:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable MAC address synchronization.

mac-address mac-roaming enable

By default, MAC address synchronization is disabled.

 

Enabling MAC addresses learning at ingress

IMPORTANT

IMPORTANT:

This feature is available in Release 11xx.

 

The device can learn the source MAC address of a packet when it receives the packet or when it sends out the packet.

For the device to correctly learn the source MAC address of Layer 3 forwarded packets, you must enable MAC address learning at ingress.

At egress, the source MAC address of Layer 3 forwarded packets is replaced by the outgoing interface's MAC address. The device cannot learn the original source MAC address.

To enable MAC address learning at ingress:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable MAC address learning at ingress.

mac-address mac-learning ingress

By default, the device learns MAC addresses at egress.

 

Displaying and maintaining the MAC address table

Execute display commands in any view.

 

Task

Command

Display MAC address table information.

display mac-address [ mac-address [ vlan vlan-id ] | [ [ dynamic | static ] [ interface interface-type interface-number ] | blackhole | multiport ] [ vlan vlan-id ] [ count ] ]

Display the aging timer for dynamic MAC address entries.

display mac-address aging-time

Display the system or interface MAC address learning state.

display mac-address mac-learning [ interface interface-type interface-number ]

Display MAC address statistics.

display mac-address statistics

 

MAC address table configuration example

Network requirements

On a network:

·          Host A at 000f-e235-dc71 is connected to interface FortyGigE 1/0/1 of Device and belongs to VLAN 1.

·          Host B at 000f-e235-abcd, which behaved suspiciously on the network, also belongs to VLAN 1.

Configure the MAC address table as follows:

·          To prevent MAC address spoofing, add a static entry for Host A in the MAC address table of Device.

·          To drop all frames destined for Host B, add a blackhole MAC address entry for the host.

·          Set the aging timer to 500 seconds for dynamic MAC address entries.

Configuration procedure

# Add a static MAC address entry for MAC address 000f-e235-dc71 on FortyGigE 1/0/1 that belongs to VLAN 1.

<Device> system-view

[Device] mac-address static 000f-e235-dc71 interface fortygige 1/0/1 vlan 1

# Add a blackhole MAC address entry for MAC address 000f-e235-abcd that belongs to VLAN 1.

[Device] mac-address blackhole 000f-e235-abcd vlan 1

# Set the aging timer to 500 seconds for dynamic MAC address entries.

[Device] mac-address timer aging 500

Verifying the configuration

# Display the static MAC address entries for interface FortyGigE 1/0/1.

[Device] display mac-address static interface fortygige 1/0/1

MAC Address      VLAN ID    State            Port/NickName            Aging

000f-e235-dc71   1          Static           FGE1/0/1                   N

# Display the blackhole MAC address entries.

[Device] display mac-address blackhole

MAC Address      VLAN ID    State            Port/NickName            Aging

000f-e235-abcd   1          Blackhole        N/A                      N

# Display the aging time of dynamic MAC address entries.

[Device] display mac-address aging-time

MAC address aging time: 500s.

 


Configuring MAC Information

The MAC Information feature can generate syslog messages or SNMP notifications when MAC address entries are learned or deleted. You can use these messages to monitor users leaving or joining the network and analyze network traffic.

The MAC Information feature buffers the MAC change syslog messages or SNMP notifications in a queue. The device overwrites the oldest MAC address change written into the queue with the most recent MAC address change when the following conditions exist:

·          The MAC change notification interval does not expire.

·          The queue has been exhausted.

To send a syslog message or SNMP notification immediately after it is created, set the queue length to zero.

The device does not write MAC address change information or send MAC address change messages for blackhole MAC addresses, static MAC addresses, multiport unicast MAC addresses, multicast MAC addresses, and local MAC addresses except for dynamic MAC addresses.

Enabling MAC Information

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable MAC Information globally.

mac-address information enable

By default, MAC Information is globally disabled.

3.       Enter Layer 2 Ethernet interface view.

interface interface-type interface-number

N/A

4.       Enable MAC Information on the interface.

mac-address information enable { added | deleted }

By default, MAC Information is disabled on an interface.

Make sure you have enabled MAC Information globally before you enable it on the interface.

 

Configuring the MAC Information mode

The following MAC Information modes are available for sending MAC address changes:

·          Syslog—The device sends syslog messages to notify MAC address changes. In this mode, the device sends syslog messages to the information center, which then outputs them to the monitoring terminal. For more information about information center, see Network Management and Monitoring Configuration Guide.

·          Trap—The device sends SNMP notifications to notify MAC address changes. In this mode, the device sends SNMP notifications to the NMS. For more information about SNMP, see Network Management and Monitoring Configuration Guide.

To configure the MAC Information mode:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the MAC Information mode.

mac-address information mode { syslog | trap }

The default setting is trap.

 

Configuring the MAC change notification interval

To prevent syslog messages or SNMP notifications from being sent too frequently, you can set the MAC change notification interval to a larger value.

To set the MAC change notification interval:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the MAC change notification interval.

mac-address information interval interval-time

The default setting is 1 second.

 

Configuring the MAC Information queue length

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the MAC Information queue length.

mac-address information queue-length value

The default setting is 50.

 

MAC Information configuration example

Network requirements

Enable MAC Information on interface FortyGigE 1/0/1 on Device in Figure 6 to send MAC address changes in syslog messages to the log host, Host B, through interface FortyGigE 1/0/2.

Figure 6 Network diagram

 

Configuration restrictions and guidelines

When you edit the file /etc/syslog.conf, follow these restrictions and guidelines:

·          Comments must be on a separate line and must begin with a pound sign (#).

·          No redundant spaces are allowed after the file name.

·          The logging facility name and the severity level specified in the /etc/syslog.conf file must be the same as those configured on the device. Otherwise, the log information might not be output correctly to the log host. The logging facility name and the severity level are configured by using the info-center loghost and info-center source commands.

Configuration procedure

1.        Configure Device to send syslog messages to Host B:

# Enable the information center.

<Device> system-view

[Device] info-center enable

# Specify the log host 192.168.1.2/24 and specify local4 as the logging facility.

[Device] info-center loghost 192.168.1.2 facility local4

# Disable log output to the log host.

[Device] info-center source default loghost deny

To avoid output of unnecessary information, disable all modules from outputting logs to the specified destination (loghost, in this example) before you configure an output rule.

# Configure an output rule to output to the log host MAC address logs that have a severity level of at least informational.

[Device] info-center source mac loghost level informational

2.        Configure the log host, Host B:

Configure Solaris as follows. Configure other UNIX operating systems in the same way Solaris is configured.

a.    Log in to the log host as a root user.

b.    Create a subdirectory named Device in directory /var/log/, and then create file info.log in the Device directory to save logs from Device.

# mkdir /var/log/Device

# touch /var/log/Device/info.log

c.    Edit the file syslog.conf in directory /etc/ and add the following contents:

# Device configuration messages

local4.info /var/log/Device/info.log

In this configuration, local4 is the name of the logging facility that the log host uses to receive logs, and info is the informational level. The UNIX system records the log information that has a severity level of at least informational to the file /var/log/Device/info.log.

d.    Display the process ID of syslogd, kill the syslogd process, and then restart syslogd using the –r option to make the new configuration take effect.

# ps -ae | grep syslogd

147

# kill -HUP 147

# syslogd -r &

Now, the device can output MAC address logs to the log host, which stores the logs to the specified file.

3.        Enable MAC Information on Device:

# Enable MAC Information globally.

[Device] mac-address information enable

# Configure the MAC Information mode as syslog.

[Device] mac-address information mode syslog

# Enable MAC Information on interface FortyGigE 1/0/1 to enable the interface to record MAC address change information when the interface performs either of the following tasks:

?  Learns a new MAC address.

?  Deletes an existing MAC address.

[Device] interface fortygige 1/0/1

[Device-FortyGigE1/0/1] mac-address information enable added

[Device-FortyGigE1/0/1] mac-address information enable deleted

[Device-FortyGigE1/0/1] quit

# Set the MAC Information queue length to 100.

[Device] mac-address information queue-length 100

# Set the MAC change notification interval to 20 seconds.

[Device] mac-address information interval 20


Configuring Ethernet link aggregation

Ethernet link aggregation bundles multiple physical Ethernet links into one logical link, called an aggregate link. Link aggregation has the following benefits:

·          Increased bandwidth beyond the limits of any single link. In an aggregate link, traffic is distributed across the member ports.

·          Improved link reliability. The member ports dynamically back up one another. When a member port fails, its traffic is automatically switched to other member ports.

As shown in Figure 7, Device A and Device B are connected by three physical Ethernet links. These physical Ethernet links are combined into an aggregate link called link aggregation 1. The bandwidth of this aggregate link can reach up to the total bandwidth of the three physical Ethernet links. At the same time, the three Ethernet links back up one another. When a physical Ethernet link fails, the traffic previously carried on the failed link is switched to the other two links.

Figure 7 Ethernet link aggregation diagram

 

Basic concepts

Aggregation group, member port, and aggregate interface

Link bundling is implemented through interface bundling. An aggregation group is a group of Ethernet interfaces bundled together, which are called member ports of the aggregation group. For each aggregation group, a logical interface (called an aggregate interface), is created.

Aggregate interfaces include Layer 2 aggregate interfaces and Layer 3 aggregate interfaces. On a Layer 3 aggregate interface, you can create subinterfaces.

When you create an aggregate interface, the device automatically creates an aggregation group of the same type and number as the aggregate interface. For example, when you create aggregate interface 1, aggregation group 1 is created.

You can assign Layer 2 Ethernet interfaces only to a Layer 2 aggregation group, and Layer 3 Ethernet interfaces only to a Layer 3 aggregation group.

The port rate of an aggregate interface equals the total rate of its Selected member ports. Its duplex mode is the same as that of the selected member ports. For more information about the states of member ports in an aggregation group, see "Aggregation states of member ports in an aggregation group."

Aggregation states of member ports in an aggregation group

A member port in an aggregation group can be in any of the following aggregation states:

·          SelectedA Selected port can forward traffic.

·          UnselectedAn Unselected port cannot forward traffic.

·          Individual—An Individual port can forward traffic as a normal physical port. A port is placed in the Individual state when the following conditions exist:

?  The corresponding aggregate interface is configured as an edge aggregate interface.

?  The port has not received LACPDUs from its peer port.

Operational key

When aggregating ports, the system automatically assigns each port an operational key based on port information, such as port rate and duplex mode. Any change to this information triggers a recalculation of the operational key.

In an aggregation group, all Selected ports are assigned the same operational key.

Configuration types

Every configuration setting on a port might affect its aggregation state. Port configurations include the following types:

·          Attribute configurations—To become a Selected port, a member port must have the same attribute configurations as the aggregate interface. Table 2 describes the attribute configurations.

Attribute configurations made on an aggregate interface are automatically synchronized to all member ports. These configurations are retained on the member ports even after the aggregate interface is removed.

Any attribute configuration change might affect the aggregation state of link aggregation member ports and running services. To make sure that you are aware of the risk, the system displays a warning message every time you attempt to change an attribute configuration setting on a member port.

Table 2 Attribute configurations

Feature

Considerations

Port isolation

Indicates whether the port has joined an isolation group and which isolation group the port belongs to.

VLAN

VLAN attribute configurations include:

·         Permitted VLAN IDs.

·         PVID.

·         Link type (trunk, hybrid, or access).

·         Operating mode (promiscuous, trunk promiscuous, or host).

·         VLAN tagging mode.

For information about VLAN, see "Configuring VLANs."

 

·          Protocol configurations—Protocol configurations of a member port do not affect the aggregation state of the member port. MAC address learning and spanning tree settings are examples of protocol configurations.

 

 

NOTE:

The protocol configurations for a member port take effect only when the member port leaves the aggregation group.

 

Link aggregation modes

An aggregation group operates in one of the following modes:

·          Static—Static aggregation is stable. An aggregation group in static mode is called a static aggregation group. The aggregation states of the member ports in a static aggregation group are not affected by the peer ports.

·          DynamicAn aggregation group in dynamic mode is called a dynamic aggregation group. The local system and the peer system automatically maintain the aggregation states of the member ports, which reduces the administrators' workload.

Aggregating links in static mode

Choosing a reference port

When setting the aggregation state of the ports in an aggregation group, the system automatically picks a member port as the reference port. A Selected port must have the same operational key and attribute configurations as the reference port.

The system chooses a reference port from the member ports that are in up state.

The candidate reference ports are organized into different priority levels following these rules:

1.        In descending order of port priority.

2.        Full duplex.

3.        In descending order of speed.

4.        Half duplex.

5.        In descending order of speed.

From the candidate ports with the same attribute configurations as the aggregate interface, the one with the highest priority level is chosen as the reference port.

·          If multiple ports have the same priority level, the port that has been Selected (if any) is chosen. If multiple ports with the same priority level have been Selected, the one with the smallest port number is chosen.

·          If multiple ports have the same priority level and none of them has been Selected, the port with the smallest port number is chosen.

Setting the aggregation state of each member port

After a static aggregation group has reached the limit on Selected ports, any port that joins the group is placed in Unselected state to avoid traffic interruption on the existing Selected ports.

Figure 8 Setting the aggregation state of a member port in a static aggregation group

 

To configure the maximum number of Selected ports in a static aggregation group, see "Setting the minimum and maximum numbers of Selected ports for an aggregation group."

Any operational key or attribute configuration change might affect the aggregation states of link aggregation member ports.

Aggregating links in dynamic mode

Dynamic aggregation mode is implemented through IEEE 802.3ad Link Aggregation Control Protocol (LACP).

LACP

LACP uses LACPDUs to exchange aggregation information between LACP-enabled devices.

Each member port in an LACP-enabled aggregation group exchanges information with its peer. When a member port receives an LACPDU, it compares the received information with information received on the other member ports. In this way, the two systems reach an agreement on which ports are placed in Selected state.

LACP functions

LACP offers basic LACP functions and extended LACP functions, as described in Table 3.

Table 3 Basic and extended LACP functions

Category

Description

Basic LACP functions

Implemented through the basic LACPDU fields, including the system LACP priority, system MAC address, port priority, port number, and operational key.

Extended LACP functions

Implemented by extending the LACPDU with new TLV fields. This is how the LACP MAD mechanism of the IRF feature is implemented. it can participate in LACP MAD as either an IRF member device or an intermediate device.

For more information about IRF and the LACP MAD mechanism, see IRF Configuration Guide.

 

LACP priorities

LACP priorities include system LACP priority and port priority, as described in Table 4. The smaller the priority value, the higher the priority.

Table 4 LACP priorities

Type

Description

System LACP priority

Used by two peer devices (or systems) to determine which one is superior in link aggregation.

In dynamic link aggregation, the system that has higher system LACP priority sets the Selected state of member ports on its side, after which the system that has lower priority sets port state accordingly.

Port priority

Determines the likelihood of a member port to be selected on a system. The higher port priority, the higher the likelihood of selection.

 

LACP timeout interval

The LACP timeout interval specifies how long a member port waits to receive LACPDUs from the peer port. If a local member port fails to receive LACPDUs from the peer within the LACP timeout interval, the member port considers the peer as failed.

The LACP timeout interval also determines the LACPDU sending rate of the peer. LACP timeout intervals include the following types:

·          Short timeout interval—3 seconds. If you configure the short timeout interval, the peer sends one LACPDU per second.

·          Long timeout interval—90 seconds. If you configure the long timeout interval, the peer sends one LACPDU every 30 seconds.

How dynamic link aggregation works

Choosing a reference port

The system chooses a reference port from the member ports that are in up state and have the same attribute configurations as the aggregate interface. A Selected port must have the same operational key and attribute configurations as the reference port.

The local system (the actor) and the remote system (the partner) negotiate a reference port by using the following workflow:

1.        The systems compare their system IDs. (A system ID contains the system LACP priority and the system MAC address.) The lower the LACP priority, the smaller the system ID. If LACP priority values are the same, the two systems compare their MAC addresses. The lower the MAC address, the smaller the system ID.

2.        The system with the smaller system ID chooses the port with the smallest port ID as the reference port. (A port ID contains a port priority and a port number.) The port with the lower priority value is chosen. If two ports have the same aggregation priority, the system compares their port numbers. The port with the smaller port number and the same attribute configurations as the aggregate interface becomes the reference port.

Setting the aggregation state of each member port

After the reference port is chosen, the system with the lower system ID sets the state of each member port in the dynamic aggregation group on its side as shown in Figure 9.

Figure 9 Setting the state of a member port in a dynamic aggregation group

 

Meanwhile, the system with the higher system ID, being aware of the aggregation state changes on the remote system, sets the aggregation state of local member ports the same as their peer ports.

When you aggregate interfaces in dynamic mode, follow these guidelines:

·          To configure the maximum number of Selected ports in a dynamic aggregation group, see "Setting the minimum and maximum numbers of Selected ports for an aggregation group."

·          A dynamic link aggregation group preferably chooses full-duplex ports as the Selected ports. The group will choose only one half-duplex port as a Selected port when either of the following conditions exist:

?  None of the full-duplex ports can be chosen as Selected ports.

?  Only half-duplex ports exist in the group.

·          To ensure stable aggregation and service continuity, do not change the operational key or attribute configurations on any member port.

·          In a dynamic aggregation group, when the aggregation state of a local port changes, the aggregation state of the peer port also changes.

·          After the Selected port limit has been reached, a port joining the aggregation group is placed in the Selected state if it is more eligible than a current Selected port.

Edge aggregate interface

Dynamic link aggregation fails on a server-facing aggregate interface if dynamic link aggregation is configured only on the device. The device forwards traffic by using only one of the physical ports that are connected to the server.

To improve link reliability, configure the aggregate interface as an edge aggregate interface. This feature enables all member ports of the aggregation group to forward traffic. When a member port fails, its traffic is automatically switched to other member ports.

After dynamic link aggregation is configured on the server, the device can receive LACPDUs from the server. Then, link aggregation between the device and the server operates correctly.

An edge aggregate interface takes effect only when it is configured on an aggregate interface corresponding to a dynamic aggregation group.

Load sharing modes for link aggregation groups

In a link aggregation group, traffic can be load shared across the Selected ports based on any of the following modes:

·          Per-flow load sharing—Load shares traffic on a per-flow basis. The load sharing mode classifies packets into flows and forwards packets of the same flow on the same link. This mode can be one or any combination of the following criteria that classify traffic:

?  Source or destination MAC address.

?  Source or destination port number.

?  Ingress port.

?  Source or destination IP address.

?  Protocol number.

·          Per-packet load sharing—Load shares traffic on a per-packet basis.

Ethernet link aggregation configuration task list

Tasks at a glance

(Required.) Configuring an aggregation group:

·         Configuring a static aggregation group

·         Configuring a dynamic aggregation group

(Optional.) Configuring an aggregate interface:

·         Setting the description for an aggregate interface

·         Specifying ignored VLANs for a Layer 2 aggregate interface

·         Setting the MTU for a Layer 3 aggregate interface or subinterface

·         Setting the minimum and maximum numbers of Selected ports for an aggregation group

·         Setting the expected bandwidth for an aggregate interface

·         Configuring an edge aggregate interface

·         Enabling BFD for an aggregation group

·         Shutting down an aggregate interface

·         Restoring the default settings for an aggregate interface

(Optional.) Configuring load sharing for link aggregation group:

·         Setting load sharing modes for link aggregation groups

·         Enabling local-first load sharing for link aggregation

(Optional.) Enabling link-aggregation traffic redirection

(Optional.) Configuring the link aggregation capability for the device

 

Configuring an aggregation group

This section explains how to configure an aggregation group.

Configuration restrictions and guidelines

When you configure an aggregation group, follow these restrictions and guidelines:

·          Deleting an aggregate interface also deletes its aggregation group and causes all member ports to leave the aggregation group.

·          You must configure the same aggregation mode on the two ends of an aggregate link.

·          Before creating a Layer 3 aggregate interface or subinterface, use the reserve-vlan-interface command to reserve enough VLAN interface resources. If not enough VLAN interface resources are reserved, the system fails to create the Layer 3 aggregate interface or subinterface.

Before creating a Layer 3 aggregate interface, reserve a VLAN interface resource for each of the following interfaces:

?  Layer 3 aggregate interface.

?  Member ports in the corresponding Layer 3 aggregation group.

For example, before creating a Layer 3 aggregation group containing three member ports, reserve four VLAN interface resources. The Layer 3 aggregate interface uses one VLAN interface resource and each of the member ports uses one VLAN interface resource.

Before creating Layer 3 aggregate subinterfaces on a Layer 3 aggregate interface, reserve a VLAN interface resource for each of the following interface:

?  Layer 3 aggregate interface.

?  Member ports in the corresponding Layer 3 aggregation group.

?  Layer 3 aggregate subinterfaces.

For example, before creating four Layer 3 aggregate subinterfaces on a Layer 3 aggregate interface whose corresponding aggregation group has two member ports, reserve seven VLAN interface resources. The aggregate interface uses one VLAN interface resource. Each of the member ports and aggregate subinterfaces uses one VLAN interface resource.

Before creating a Layer 3 aggregate subinterface, do not reserve a resource for the VLAN interface whose interface number matches the subinterface number. After you reserve a VLAN interface resource, do not create a Layer 3 aggregate subinterface whose subinterface number is the VLAN interface number. A Layer 3 aggregate subinterface uses the VLAN interface resource to process tagged packets whose VLAN ID matches the subinterface number.

To reserve global-type VLAN interface resources, specify the global keyword in the reserve-vlan-interface command. To reserve local-type VLAN interface resources, do not specify the global keyword. Reserved VLAN interface resources are of the local type in this chapter.

For more information about reserving VLAN interface resources, see "Configuring VLANs."

Configuring a static aggregation group

For a successful static aggregation, make sure the ports at both ends of each link are in the same aggregation state.

Avoid assigning ports to a static aggregation group where the limit on Selected ports has been reached. New member ports in the static aggregation group will be placed in the Unselected state to avoid traffic interruption on the current Selected ports. However, a device reboot can cause the aggregation state of member ports to change.

Configuring a Layer 2 static aggregation group

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a Layer 2 aggregate interface and enter Layer 2 aggregate interface view.

interface bridge-aggregation interface-number

When you create a Layer 2 aggregate interface, the system automatically creates a Layer 2 static aggregation group numbered the same.

3.       Exit to system view.

quit

N/A

4.       Assign an interface to the specified Layer 2 aggregation group.

a         Enter Layer 2 Ethernet interface view:
interface interface-type interface-number

b        Assign the interface to the specified Layer 2 aggregation group:
port link-aggregation group number

Repeat these two sub-steps to assign more Layer 2 Ethernet interfaces to the aggregation group.

 

Configuring a Layer 3 static aggregation group

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create a Layer 3 aggregate interface and enter Layer 3 aggregate interface view.

interface route-aggregation interface-number

When you create a Layer 3 aggregate interface, the system automatically creates a Layer 3 static aggregation group numbered the same.

3.       Exit to system view.

quit

N/A

4.       Assign an interface to the specified Layer 3 aggregation group.

a         Enter Layer 3 Ethernet interface view:
interface interface-type interface-number

b        Assign the interface to the specified Layer 3 aggregation group:
port link-aggregation group number

Repeat these two substeps to assign more Layer 3 Ethernet interfaces to the aggregation group.

 

Configuring a dynamic aggregation group

For a successful dynamic aggregation, make sure the peer ports of the ports aggregated at one end are also aggregated. The two ends can automatically negotiate the aggregation state of each member port.

Configuring a Layer 2 dynamic aggregation group

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the system LACP priority.

lacp system-priority system-priority

By default, the system LACP priority is 32768.

Changing the system LACP priority might affect the aggregation state of the ports in a dynamic aggregation group.

3.       Create a Layer 2 aggregate interface and enter Layer 2 aggregate interface view.

interface bridge-aggregation interface-number

When you create a Layer 2 aggregate interface, the system automatically creates a Layer 2 static aggregation group numbered the same.

4.       Configure the aggregation group to operate in dynamic aggregation mode.

link-aggregation mode dynamic

By default, an aggregation group operates in static aggregation mode.

5.       Exit to system view.

quit

N/A

6.       Assign an interface to the specified Layer 2 aggregation group.

a         Enter Layer 2 Ethernet interface view:
interface interface-type interface-number

b        Assign the interface to the specified Layer 2 aggregation group:
port link-aggregation group number

Repeat these two sub-steps to assign more Layer 2 Ethernet interfaces to the aggregation group.

7.       Set the port priority for the interface.

link-aggregation port-priority port-priority

The default setting is 32768.

8.       Set the short LACP timeout interval (3 seconds) on the interface.

lacp period short

By default, the long LACP timeout interval (90 seconds) is adopted by the interface. The peer sends LACPDUs slowly.

 

Configuring a Layer 3 dynamic aggregation group

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the system LACP priority.

lacp system-priority system-priority

By default, the system LACP priority is 32768.

Changing the system LACP priority might affect the aggregation states of the ports in the dynamic aggregation group.

3.       Create a Layer 3 aggregate interface and enter Layer 3 aggregate interface view.

interface route-aggregation interface-number

When you create a Layer 3 aggregate interface, the system automatically creates a Layer 3 static aggregation group numbered the same.

4.       Configure the aggregation group to operate in dynamic mode.

link-aggregation mode dynamic

By default, an aggregation group operates in static mode.

5.       Exit to system view.

quit

N/A

6.       Assign an interface to the specified Layer 3 aggregation group.

a         Enter Layer 3 Ethernet interface view:
interface interface-type interface-number

b        Assign the interface to the specified Layer 3 aggregation group:
port link-aggregation group number

Repeat these two substeps to assign more Layer 3 Ethernet interfaces to the aggregation group.

7.       Set the port priority for the interface.

link-aggregation port-priority port-priority

The default setting is 32768.

8.       Set the short LACP timeout interval (3 seconds) on the interface.

lacp period short

By default, the long LACP timeout interval (90 seconds) is adopted by the interface.

 

Configuring an aggregate interface

In addition to the configurations in this section, most of the configurations that can be performed on Layer 2 or Layer 3 Ethernet interfaces can also be performed on Layer 2 or Layer 3 aggregate interfaces.

Setting the description for an aggregate interface

You can set the description for an aggregate interface for administration purposes such as describing the purpose of the interface.

To set the description for an aggregate interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter aggregate interface or subinterface view.

·         Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number

·         Enter Layer 3 aggregate interface or subinterface view:
interface route-aggregation { interface-number | interface-number.subnumber }

N/A

3.       Set the description for the aggregate interface or subinterface.

description text

By default, the description of an interface is in the format of interface-name Interface.

 

Specifying ignored VLANs for a Layer 2 aggregate interface

By default, the member ports cannot become Selected ports when the permit state and tagging mode of each VLAN are not same for the member ports and the Layer 2 aggregate interface.

You can set a VLAN as an ignored VLAN if you want to allow member ports to be set in Selected state even if the permit state and tagging mode of the VLAN are different between the member ports and the Layer 2 aggregate interface.

To specify ignored VLANs for a Layer 2 aggregate interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Layer 2 aggregate interface view.

interface bridge-aggregation interface-number

N/A

3.       Specify ignored VLANs.

link-aggregation ignore vlan vlan-id-list

By default, a Layer 2 aggregate interface does not ignore any VLANs.

 

Setting the MTU for a Layer 3 aggregate interface or subinterface

The MTU of an interface affects IP packet fragmentation and reassembly on the interface.

To set the MTU for a Layer 3 aggregate interface or subinterface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Layer 3 aggregate interface or subinterface view.

interface route-aggregation { interface-number | interface-number.subnumber }

N/A

3.       Set the MTU for the Layer 3 aggregate interface or subinterface.

mtu size

The default setting is 1500 bytes.

 

Setting the minimum and maximum numbers of Selected ports for an aggregation group

IMPORTANT

IMPORTANT:

The minimum and maximum number of Selected ports must be the same for the local and peer aggregation groups.

 

The bandwidth of an aggregate link increases as the number of selected member ports increases. To avoid congestion caused by insufficient Selected ports on an aggregate link, you can set the minimum number of Selected ports required for bringing up the specific aggregate interface.

This minimum threshold setting affects the aggregation state of both aggregation member ports and the aggregate interface:

·          When the number of member ports eligible to be selected is smaller than the minimum threshold, all member ports change to the Unselected state and the link of the aggregate interface goes down.

·          When the minimum threshold is reached, the eligible member ports change to the Selected state, and the link of the aggregate interface goes up.

The maximum number of Selected ports allowed in an aggregation group is limited by either the configured maximum number or hardware capability, whichever value is smaller.

You can configure backup between two ports by assigning two ports to an aggregation group and configuring the maximum number of Selected ports allowed in the aggregation group as 1. In this way, only one Selected port is allowed in the aggregation group at any point in time, while the Unselected port serves as a backup port.

To set the minimum and maximum numbers of Selected ports for an aggregation group:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter aggregate interface view.

·         Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number

·         Enter Layer 3 aggregate interface view:
interface route-aggregation interface-number

N/A

3.       Set the minimum number of Selected ports for the aggregation group.

link-aggregation selected-port minimum number

By default, the minimum number of Selected ports for the aggregation group is not specified.

4.       Set the maximum number of Selected ports for the aggregation group.

link-aggregation selected-port maximum number

By default, the maximum number of Selected ports for an aggregation group is 16.

 

Setting the expected bandwidth for an aggregate interface

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter aggregate interface or subinterface view.

·         Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number

·         Enter Layer 3 aggregate interface /subinterface view:
interface route-aggregation { interface-number | interface-number.subnumber }

N/A

3.       Set the expected bandwidth for the interface.

bandwidth bandwidth-value

By default, the expected bandwidth (in kbps) is the interface baud rate divided by 1000.

 

Configuring an edge aggregate interface

This configuration takes effect on only the aggregate interface corresponding to a dynamic aggregation group.

To configure an edge aggregate interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter aggregate interface view.

·         Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number

·         Enter Layer 3 aggregate interface view:
interface route-aggregation interface-number

N/A

3.       Configure the aggregate interface as an edge aggregate interface.

lacp edge-port

By default, an aggregate interface does not operate as an edge aggregate interface.

 

Enabling BFD for an aggregation group

BFD for Ethernet link aggregation can monitor member link status in an aggregation group. After you enable BFD on an aggregate interface, each Selected port in the aggregation group establishes a BFD session with its peer port. All the BFD sessions use UDP port 6784 and destination MAC address 01-00-5E-90-00-01. BFD operates differently depending on the aggregation mode.

·          BFD for static aggregation—When BFD detects a link failure, BFD notifies the Ethernet link aggregation module that the peer port is unreachable. The local port is placed in the Unselected state. The BFD session between the local and peer ports remains, and the local port keeps sending BFD packets. When the link is recovered, the local port receives BFD packets from the peer port, and BFD notifies the Ethernet link aggregation module that the peer port is reachable. The local port is placed in the Selected state again. This mechanism ensures that the local and peer ports of a static aggregate link have the same aggregation state.

·          BFD for dynamic aggregation—When BFD detects a link failure, BFD notifies the Ethernet link aggregation module that the peer port is unreachable. BFD clears the session and stops sending BFD packets. When the link is recovered and the local port is placed in the Selected state again, the local port establishes a new session with the peer port. BFD notifies the Ethernet link aggregation module that the peer port is reachable. Because BFD provides fast failure detection, the local and peer systems of a dynamic aggregate link can negotiate the aggregation state of their member ports faster.

To enable BFD for an aggregation group:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter aggregate interface view.

·         Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number

·         Enter Layer 3 aggregate interface view:
interface route-aggregation interface-number

N/A

3.       Enable BFD for the aggregation group.

link-aggregation bfd ipv4 source ip-address destination ip-address

By default, BFD is disabled for an aggregation group.

 

Shutting down an aggregate interface

Make sure no member port in an aggregation group is configured with the loopback command when you shut down the aggregate interface. Similarly, a port configured with the loopback command cannot be assigned to an aggregate interface already shut down. For more information about the loopback command, see Layer 2—LAN Switching Command Reference.

Shutting down or bringing up an aggregate interface affects the aggregation state and link state of ports in the corresponding aggregation group in the following ways:

·          When an aggregate interface is shut down, all Selected ports in the corresponding aggregation group become unselected and their link state becomes down.

·          When an aggregate interface is brought up, the aggregation state of ports in the corresponding aggregation group is recalculated.

To shut down an aggregate interface:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter aggregate interface or subinterface view.

·         Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number

·         Enter Layer 3 aggregate interface or subinterface view:
interface route-aggregation { interface-number | interface-number.subnumber }

N/A

3.       Shut down the aggregate interface.

shutdown

By default, aggregate interfaces are up.

 

Restoring the default settings for an aggregate interface

You can return all configurations on an aggregate interface to default settings.

To restore the default settings for an aggregate interface:

 

Step

Command

1.       Enter system view.

system-view

2.       Enter aggregate interface or subinterface view.

·         Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number

·         Enter Layer 3 aggregate interface or subinterface view:
interface route-aggregation { interface-number | interface-number.subnumber }

3.       Restore the default settings for the aggregate interface.

default

 

Configuring load sharing for link aggregation groups

This section explains how to set load sharing modes for link aggregation groups and how to enable local-first load sharing for link aggregation.

Setting load sharing modes for link aggregation groups

You can set the global or group-specific load sharing mode. The global load sharing mode takes effect on all link aggregation groups. A link aggregation group preferentially uses the group-specific load sharing mode. If the group-specific load sharing mode is not available, the group uses the global load sharing mode.

If you configure both link aggregation load sharing and per-flow load sharing over equal-cost routes, the latest configuration takes effect. Per-flow load sharing over equal-cost routes identifies a flow based on five tuples (source IP address, destination IP address, source port number, destination port number, and IP protocol number). For information about configuring per-flow load sharing over equal-cost routes, see Layer 3—IP Services Configuration Guide.

Setting the global link-aggregation load sharing mode

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the global link-aggregation load sharing mode.

link-aggregation global load-sharing mode { destination-ip | destination-mac | destination-port | ingress-port | ip-protocol | source-ip | source-mac | source-port } *

The default settings are as follows:

·         Layer 2 traffic is distributed based on the Ethernet type, source and destination MAC address, and source port.

·         IPv4 or IPv6 traffic is distributed based on the source and destination IP addresses, source and destination ports, and protocol number.

·         MPLS traffic with three or fewer layers of labels is distributed based on the source and destination IP addresses, source and destination ports, and protocol number. MPLS traffic with more than three layers of labels is distributed based on the source and destination IP addresses.

 

 

NOTE:

·      If you set the global load-sharing mode to source MAC address, the setting takes effect only on Layer 2 aggregation groups. A Layer 3 aggregation group forwards traffic by using one of its Selected ports rather than load shares traffic. When the Selected port fails, traffic is switched to another Selected port in the aggregation group.

·      If an unsupported load sharing mode is set, an error prompt appears.

 

Setting the group-specific load sharing mode

The switch can perform link-aggregation load sharing on a per-packet basis.

To set the group-specific load sharing mode:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Layer 2 aggregate interface view.

interface bridge-aggregation interface-number

N/A

3.       Configure the aggregation group to load share traffic on a per-packet basis.

link-aggregation load-sharing mode flexible

By default, the load sharing mode of a group is the same as the global load sharing mode.

 

Enabling local-first load sharing for link aggregation

Use the local-first load sharing mechanism in a multi-device link aggregation scenario to distribute traffic preferentially across member ports on the ingress card or device rather than all member ports.

When you aggregate ports on different member devices in an IRF fabric, you can use local-first load sharing to reduce traffic on IRF links, as shown in Figure 10. For more information about IRF, see IRF Configuration Guide.

Figure 10 Load sharing for multi-switch link aggregation in an IRF fabric

 

To enable local-first load sharing for link aggregation:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable local-first load sharing for link aggregation.

link-aggregation load-sharing mode local-first

By default, local-first load sharing for link aggregation is enabled.

 

 

NOTE:

Local-first load sharing for link aggregation takes effect on only known unicast packets.

 

Enabling link-aggregation traffic redirection

IMPORTANT

IMPORTANT:

This feature is available in Release 1138P01 and later versions.

 

Link-aggregation traffic redirection prevents traffic interruption.

When you restart a card that contains Selected ports, this feature redirects traffic of the card to other cards. (In standalone mode.)

When you restart an IRF member device that contains Selected ports, this feature redirects traffic of the IRF member device to other IRF member devices. When you restart a card that contains Selected ports, this feature redirects traffic of the card to other cards. (In IRF mode.)

You can enable link-aggregation traffic redirection globally or for an aggregation group. Global link-aggregation traffic redirection settings take effect on all aggregation groups. A link aggregation group preferentially uses the group-specific link-aggregation traffic redirection settings. If group-specific link-aggregation traffic redirection is not configured, the group uses the global link-aggregation traffic redirection settings.

Configuration restrictions and guidelines

When you enable link-aggregation traffic redirection, follow these restrictions and guidelines:

·          Link-aggregation traffic redirection applies only to dynamic link aggregation groups.

·          To prevent traffic interruption, enable link-aggregation traffic redirection on devices at both ends of the aggregate link.

·          To prevent packet loss that might occur at a reboot, do not enable spanning tree together with link-aggregation traffic redirection.

·          Link-aggregation traffic redirection does not operate correctly on an edge aggregate interface.

·          As a best practice, enable link-aggregation traffic redirection on aggregate interfaces. If you enable this feature globally, communication with a third-party peer device might be affected if the peer is not compatible with this feature.

Configuration procedure

To enable link-aggregation traffic redirection globally:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable link-aggregation traffic redirection globally.

link-aggregation lacp traffic-redirect-notification enable

By default, link-aggregation traffic redirection is disabled globally.

 

To enable link-aggregation traffic redirection for an aggregation group:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter aggregate interface view.

·         Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number

·         Enter Layer 3 aggregate interface view:
interface route-aggregation interface-number

N/A

3.       Enable link-aggregation traffic redirection for the aggregation group.

link-aggregation lacp traffic-redirect-notification enable

By default, link-aggregation traffic redirection is disabled for an aggregation group.

 

Configuring the link aggregation capability for the device

IMPORTANT

IMPORTANT:

This feature is available in Release 1138P01 and later versions.

 

By default, the device supports a maximum of 1024 aggregation groups, and an aggregation group can have a maximum of 16 Selected ports. You can perform this task to modify the maximum number of aggregation groups and the maximum number of Selected ports per aggregation group.

After you configure the link aggregation capability for the device, save the configuration and reboot the device for the configuration to take effect. Before rebooting the device, make sure you know the possible impact on the network.

The maximum number of Selected ports allowed in an aggregation group is limited by one of the following values, whichever value is smaller:

·          Maximum number set by using the link-aggregation selected-port maximum command.

·          Maximum number of Selected ports allowed by the link aggregation capability.

To configure the link aggregation capability for the device:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the link aggregation capability for the device.

link-aggregation capability max-group max-group-number max-selected-port max-selected-port-number

By default, the device supports a maximum of 1024 aggregation groups, and an aggregation group can have a maximum of 16 Selected ports.

 

Displaying and maintaining Ethernet link aggregation

IMPORTANT

IMPORTANT:

The display link-aggregation capability command is available in Release 1138P01 and later versions.

 

Execute display commands in any view and reset commands in user view.

 

Task

Command

Display information for an aggregate interface or multiple aggregate interfaces.

display interface [ bridge-aggregation| route-aggregation ] [ brief [ down | description ] ]

display interface { bridge-aggregation | route-aggregation } interface-number [ brief [ description ] ]

Display the local system ID.

display lacp system-id

Display the link aggregation capability for the device.

display link-aggregation capability

Display the global or group-specific link-aggregation load sharing modes.

display link-aggregation load-sharing mode [ interface [ { bridge-aggregation | route-aggregation } interface-number ] ]

Display forwarding information for the specified traffic flow.

display link-aggregation load-sharing path interface { bridge-aggregation | route-aggregation } interface-number ingress-port interface-type interface-number [ route ] { { destination-ip ip-address | destination-ipv6 ipv6-address } | { source-ip ip-address | source-ipv6 ipv6-address } | destination-mac mac-address | destination-port port-id | ethernet-type type-number | ip-protocol protocol-id | source-mac mac-address | source-port port-id | vlan vlan-id }*

Display detailed link aggregation information for link aggregation member ports.

display link-aggregation member-port [ interface-list ]

Display summary information about all aggregation groups.

display link-aggregation summary

Display detailed information about the specified aggregation groups.

display link-aggregation verbose [ { bridge-aggregation | route-aggregation } [ interface-number ] ]

Clear LACP statistics for the specified link aggregation member ports.

reset lacp statistics [ interface interface-list ]

Clear statistics for the specified aggregate interfaces.

reset counters interface [ { bridge-aggregation | route-aggregation } [ interface-number ] ]

 

Ethernet link aggregation configuration examples

Layer 2 static aggregation configuration example

Network requirements

As shown in Figure 11, configure a Layer 2 static aggregation group on both Device A and Device B, and enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other end, and VLAN 20 at one end to communicate with VLAN 20 at the other end.

Figure 11 Network diagram

 

Configuration procedure

1.        Configure Device A:

# Create VLAN 10, and assign port FortyGigE 1/0/4 to VLAN 10.

<DeviceA> system-view

[DeviceA] vlan 10

[DeviceA-vlan10] port fortygige 1/0/4

[DeviceA-vlan10] quit

# Create VLAN 20, and assign port FortyGigE 1/0/5 to VLAN 20.

[DeviceA] vlan 20

[DeviceA-vlan20] port fortygige 1/0/5

[DeviceA-vlan20] quit

# Create Layer 2 aggregate interface Bridge-Aggregation 1.

[DeviceA] interface bridge-aggregation 1

[DeviceA-Bridge-Aggregation1] quit

# Assign ports FortyGigE 1/0/1 through FortyGigE 1/0/3 to link aggregation group 1.

[DeviceA] interface fortygige 1/0/1

[DeviceA-FortyGigE1/0/1] port link-aggregation group 1

[DeviceA-FortyGigE1/0/1] quit

[DeviceA] interface fortygige 1/0/2

[DeviceA-FortyGigE1/0/2] port link-aggregation group 1

[DeviceA-FortyGigE1/0/2] quit

[DeviceA] interface fortygige 1/0/3

[DeviceA-FortyGigE1/0/3] port link-aggregation group 1

[DeviceA-FortyGigE1/0/3] quit

# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to VLANs 10 and 20.

[DeviceA] interface bridge-aggregation 1

[DeviceA-Bridge-Aggregation1] port link-type trunk

[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20

[DeviceA-Bridge-Aggregation1] quit

2.        Configure Device B in the same way Device A is configured. (Details not shown.)

Verifying the configuration

# Display detailed information about all aggregation groups on Device A.

[DeviceA] display link-aggregation verbose

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing

Port Status: S -- Selected, U -- Unselected, I -- Individual

Flags:  A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,

        D -- Synchronization, E -- Collecting, F -- Distributing,

        G -- Defaulted, H -- Expired

 

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Static

Loadsharing Type: Shar

  Port             Status  Priority Oper-Key

--------------------------------------------------------------------------------

  FGE1/0/1           S       32768    1

  FGE1/0/2           S       32768    1

  FGE1/0/3           S       32768    1

The output shows that link aggregation group 1 is a Layer 2 static aggregation group and it contains three Selected ports.

Layer 2 dynamic aggregation configuration example

Network requirements

As shown in Figure 12, configure a Layer 2 dynamic aggregation group on both Device A and Device B, enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other end, and VLAN 20 at one end to communicate with VLAN 20 at the other end.

Figure 12 Network diagram

 

Configuration procedure

1.        Configure Device A:

# Create VLAN 10, and assign the port FortyGigE 1/0/4 to VLAN 10.

<DeviceA> system-view

[DeviceA] vlan 10

[DeviceA-vlan10] port fortygige 1/0/4

[DeviceA-vlan10] quit

# Create VLAN 20, and assign the port FortyGigE 1/0/5 to VLAN 20.

[DeviceA] vlan 20

[DeviceA-vlan20] port fortygige 1/0/5

[DeviceA-vlan20] quit

# Create Layer 2 aggregate interface Bridge-Aggregation 1, and set the link aggregation mode to dynamic.

[DeviceA] interface bridge-aggregation 1

[DeviceA-Bridge-Aggregation1] link-aggregation mode dynamic

[DeviceA-Bridge-Aggregation1] quit

# Assign ports FortyGigE 1/0/1 through FortyGigE 1/0/3 to link aggregation group 1.

[DeviceA] interface fortygige 1/0/1

[DeviceA-FortyGigE1/0/1] port link-aggregation group 1

[DeviceA-FortyGigE1/0/1] quit

[DeviceA] interface fortygige 1/0/2

[DeviceA-FortyGigE1/0/2] port link-aggregation group 1

[DeviceA-FortyGigE1/0/2] quit

[DeviceA] interface fortygige 1/0/3

[DeviceA-FortyGigE1/0/3] port link-aggregation group 1

[DeviceA-FortyGigE1/0/3] quit

# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to VLANs 10 and 20.

[DeviceA] interface bridge-aggregation 1

[DeviceA-Bridge-Aggregation1] port link-type trunk

[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10 20

[DeviceA-Bridge-Aggregation1] quit

2.        Configure Device B in the same way Device A is configured. (Details not shown.)

Verifying the configuration

# Display detailed information about all aggregation groups on Device A.

[DeviceA] display link-aggregation verbose

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing

Port Status: S -- Selected, U -- Unselected, I -- Individual

Flags:  A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,

        D -- Synchronization, E -- Collecting, F -- Distributing,

        G -- Defaulted, H -- Expired

 

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Dynamic

Loadsharing Type: Shar

System ID: 0x8000, 000f-e267-6c6a

Local:

  Port             Status  Priority Oper-Key  Flag

--------------------------------------------------------------------------------

  FGE1/0/1           S       32768    1         {ACDEF}

  FGE1/0/2           S       32768    1         {ACDEF}

  FGE1/0/3           S       32768    1         {ACDEF}

Remote:

  Actor            Partner Priority Oper-Key  SystemID               Flag

--------------------------------------------------------------------------------

  FGE1/0/1           1       32768    1         0x8000, 000f-e267-57ad {ACDEF}

  FGE1/0/2           2       32768    1         0x8000, 000f-e267-57ad {ACDEF}

  FGE1/0/3           3       32768    1         0x8000, 000f-e267-57ad {ACDEF}

The output shows that link aggregation group 1 is a Layer 2 dynamic aggregation group and it contains three Selected ports.

Layer 2 aggregation load sharing configuration example

Network requirements

As shown in Figure 13:

·          Configure two Layer 2 static aggregation groups (1 and 2) on Device A and Device B, respectively.

·          Enable VLAN 10 at one end of the aggregate link to communicate with VLAN 10 at the other end.

·          Enable VLAN 20 at one end of the aggregate link to communicate with VLAN 20 at the other end.

·          Configure the global load sharing mode to load share traffic across aggregation group member ports based on source MAC addresses.

Figure 13 Network diagram

 

Configuration procedure

1.        Configure Device A:

# Create VLAN 10, and assign the port FortyGigE 1/0/5 to VLAN 10.

<DeviceA> system-view

[DeviceA] vlan 10

[DeviceA-vlan10] port fortygige 1/0/5

[DeviceA-vlan10] quit

# Create VLAN 20, and assign the port FortyGigE 1/0/6 to VLAN 20.

[DeviceA] vlan 20

[DeviceA-vlan20] port fortygige 1/0/6

[DeviceA-vlan20] quit

# Create Layer 2 aggregate interface Bridge-Aggregation 1.

[DeviceA] interface bridge-aggregation 1

[DeviceA-Bridge-Aggregation1] quit

# Assign ports FortyGigE 1/0/1 and FortyGigE 1/0/2 to link aggregation group 1.

[DeviceA] interface fortygige 1/0/1

[DeviceA-FortyGigE1/0/1] port link-aggregation group 1

[DeviceA-FortyGigE1/0/1] quit

[DeviceA] interface fortygige 1/0/2

[DeviceA-FortyGigE1/0/2] port link-aggregation group 1

[DeviceA-FortyGigE1/0/2] quit

# Configure Layer 2 aggregate interface Bridge-Aggregation 1 as a trunk port and assign it to VLAN 10.

[DeviceA] interface bridge-aggregation 1

[DeviceA-Bridge-Aggregation1] port link-type trunk

[DeviceA-Bridge-Aggregation1] port trunk permit vlan 10

[DeviceA-Bridge-Aggregation1] quit

# Create Layer 2 aggregate interface Bridge-Aggregation 2.

[DeviceA] interface bridge-aggregation 2

[DeviceA-Bridge-Aggregation2] quit

# Assign ports FortyGigE 1/0/3 and FortyGigE 1/0/4 to link aggregation group 2.

[DeviceA] interface fortygige 1/0/3

[DeviceA-FortyGigE1/0/3] port link-aggregation group 2

[DeviceA-FortyGigE1/0/3] quit

[DeviceA] interface fortygige 1/0/4

[DeviceA-FortyGigE1/0/4] port link-aggregation group 2

[DeviceA-FortyGigE1/0/4] quit

# Configure Layer 2 aggregate interface Bridge-Aggregation 2 as a trunk port and assign it to VLAN 20.

[DeviceA] interface bridge-aggregation 2

[DeviceA-Bridge-Aggregation2] port link-type trunk

[DeviceA-Bridge-Aggregation2] port trunk permit vlan 20

[DeviceA-Bridge-Aggregation2] quit

# Configure the global link-aggregation load sharing mode to load share packets based on source MAC addresses.

[DeviceA] link-aggregation global load-sharing mode source-mac

2.        Configure Device B in the same way Device A is configured. (Details not shown.)

Verifying the configuration

# Display detailed information about all aggregation groups on Device A.

[DeviceA] display link-aggregation verbose

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing

Port Status: S -- Selected, U -- Unselected, I -- Individual

Flags:  A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,

        D -- Synchronization, E -- Collecting, F -- Distributing,

        G -- Defaulted, H -- Expired

 

Aggregate Interface: Bridge-Aggregation1

Aggregation Mode: Static

Loadsharing Type: Shar

  Port             Status  Priority Oper-Key

--------------------------------------------------------------------------------

  FGE1/0/1           S       32768    1

  FGE1/0/2           S       32768    1

 

Aggregate Interface: Bridge-Aggregation2

Aggregation Mode: Static

Loadsharing Type: Shar

    Port             Status  Priority Oper-Key

--------------------------------------------------------------------------------

  FGE1/0/3           S       32768    2

  FGE1/0/4           S       32768    2

The output shows that link aggregation groups 1 and 2 are both load-shared Layer 2 static aggregation groups and each contains two Selected ports.

# Display all the group-specific load sharing modes on Device A.

[DeviceA] display link-aggregation load-sharing mode interface

 

Bridge-Aggregation1 Load-Sharing Mode:

source-mac address

 

Bridge-Aggregation2 Load-Sharing Mode:

source-mac address

The output shows that both link aggregation group 1 and link aggregation group 2 load share packets based on source MAC addresses.

Layer 3 static aggregation configuration example

Network requirements

As shown in Figure 14:

·          Reserve four VLAN interface resources before creating a Layer 3 aggregate interface.

·          Configure a Layer 3 static aggregation group on both Device A and Device B.

·          Configure IP addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.

Figure 14 Network diagram

 

Configuration procedure

1.        Configure Device A:

# Reserve VLAN interface resources of VLANs 3000 to 3500. For more information about reserving VLAN interface resources, see "Configuring VLANs."

<DeviceA> system-view

[DeviceA] reserve-vlan-interface 3000 to 3500

# Create Layer 3 aggregate interface Route-Aggregation 1, and configure an IP address and subnet mask for the aggregate interface.

<DeviceA> system-view

[DeviceA] interface route-aggregation 1

[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24

[DeviceA-Route-Aggregation1] quit

# Assign Layer 3 Ethernet interfaces FortyGigE 1/0/1 through FortyGigE 1/0/3 to aggregation group 1.

[DeviceA] interface fortygige 1/0/1

[DeviceA-FortyGigE1/0/1] port link-aggregation group 1

[DeviceA-FortyGigE1/0/1] quit

[DeviceA] interface fortygige 1/0/2

[DeviceA-FortyGigE1/0/2] port link-aggregation group 1

[DeviceA-FortyGigE1/0/2] quit

[DeviceA] interface fortygige 1/0/3

[DeviceA-FortyGigE1/0/3] port link-aggregation group 1

[DeviceA-FortyGigE1/0/3] quit

2.        Configure Device B in the same way Device A is configured. (Details not shown.)

Verifying the configuration

# Display detailed information about all aggregation groups on Device A.

[DeviceA] display link-aggregation verbose

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing

Port Status: S -- Selected, U -- Unselected, I -- Individual

Flags:  A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,

        D -- Synchronization, E -- Collecting, F -- Distributing,

        G -- Defaulted, H -- Expired

 

Aggregate Interface: Route-Aggregation1

Aggregation Mode: Static

Loadsharing Type: Shar

  Port               Status  Priority Oper-Key

--------------------------------------------------------------------------------

  FGE1/0/1           S       32768    1

  FGE1/0/2           S       32768    1

  FGE1/0/3           S       32768    1

The output shows that link aggregation group 1 is a non-load-shared Layer 3 static aggregation group that contains three Selected ports.

Layer 3 dynamic aggregation configuration example

Network requirements

As shown in Figure 15:

·          Reserve four VLAN interface resources before creating a Layer 3 aggregate interface.

·          Configure a Layer 3 dynamic aggregation group on both Device A and Device B.

·          Configure IP addresses and subnet masks for the corresponding Layer 3 aggregate interfaces.

Figure 15 Network diagram

 

Configuration procedure

1.        Configure Device A:

# Reserve VLAN interface resources of VLANs 3000 to 3500. For more information about reserving VLAN interface resources, see "Configuring VLANs."

<DeviceA> system-view

[DeviceA] reserve-vlan-interface 3000 to 3500

# Create Layer 3 aggregate interface Route-Aggregation 1.

<DeviceA> system-view

[DeviceA] interface route-aggregation 1

# Configure the link aggregation mode as dynamic.

[DeviceA-Route-Aggregation1] link-aggregation mode dynamic

# Configure an IP address and subnet mask for Route-Aggregation 1.

[DeviceA-Route-Aggregation1] ip address 192.168.1.1 24

[DeviceA-Route-Aggregation1] quit

# Assign Layer 3 Ethernet interfaces FortyGigE 1/0/1 through FortyGigE 1/0/3 to aggregation group 1.

[DeviceA] interface fortygige 1/0/1

[DeviceA-FortyGigE1/0/1] port link-aggregation group 1

[DeviceA-FortyGigE1/0/1] quit

[DeviceA] interface fortygige 1/0/2

[DeviceA-FortyGigE1/0/2] port link-aggregation group 1

[DeviceA-FortyGigE1/0/2] quit

[DeviceA] interface fortygige 1/0/3

[DeviceA-FortyGigE1/0/3] port link-aggregation group 1

[DeviceA-FortyGigE1/0/3] quit

2.        Configure Device B in the same way Device A is configured. (Details not shown.)

Verifying the configuration

# Display detailed information about all aggregation groups on Device A.

[DeviceA] display link-aggregation verbose

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing

Port Status: S -- Selected, U -- Unselected, I -- Individual

Flags:  A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,

        D -- Synchronization, E -- Collecting, F -- Distributing,

        G -- Defaulted, H -- Expired

 

Aggregate Interface: Route-Aggregation1

Aggregation Mode: Dynamic

Loadsharing Type: Shar

System ID: 0x8000, 000f-e267-6c6a

Local:

  Port               Status  Priority Oper-Key  Flag

--------------------------------------------------------------------------------

  FGE1/0/1           S       32768    1         {ACDEF}

  FGE1/0/2           S       32768    1         {ACDEF}

  FGE1/0/3           S       32768    1         {ACDEF}

Remote:

  Actor            Partner Priority Oper-Key  SystemID               Flag

--------------------------------------------------------------------------------

  FGE1/0/1           1       32768    1         0x8000, 000f-e267-57ad {ACDEF}

  FGE1/0/2           2       32768    1         0x8000, 000f-e267-57ad {ACDEF}

  FGE1/0/3           3       32768    1         0x8000, 000f-e267-57ad {ACDEF}

The output shows that:

·          Link aggregation group 1 is a non-load-shared Layer 3 dynamic aggregation group.

·          The aggregation group contains three Selected ports.

Layer 3 edge aggregate interface configuration example

Network requirements

As shown in Figure 16, a Layer 3 dynamic aggregation group is configured on the device. The server is not configured with dynamic link aggregation.

Configure an edge aggregate interface so that both FortyGigE 1/0/1 and FortyGigE 1/0/2 can forward traffic to improve link reliability.

Reserve three VLAN interface resources before creating the Layer 3 aggregate interface.

Figure 16 Network diagram

 

Configuration procedure

# Reserve VLAN interface resources of VLANs 3000 to 3500. For more information about reserving VLAN interface resources, see "Configuring VLANs."

<DeviceA> system-view

[DeviceA] reserve-vlan-interface 3000 to 3500

# Create Layer 3 aggregate interface Route-Aggregation 1, and set the link aggregation mode to dynamic.

<Device> system-view

[Device] interface route-aggregation 1

[Device-Route-Aggregation1] link-aggregation mode dynamic

# Configure an IP address and subnet mask for Layer 3 aggregate interface Route-Aggregation 1.

[Device-Route-Aggregation1] ip address 192.168.1.1 24

# Configure Layer 3 aggregate interface Route-Aggregation 1 as an edge aggregate interface.

[Device-Route-Aggregation1] lacp edge-port

[Device-Route-Aggregation1] quit

# Assign Layer 3 Ethernet interfaces FortyGigE 1/0/1 and FortyGigE 1/0/2 to aggregation group 1.

[Device] interface fortygige 1/0/1

[Device-FortyGigE1/0/1] port link-aggregation group 1

[Device-FortyGigE1/0/1] quit

[Device] interface fortygige 1/0/2

[Device-FortyGigE1/0/2] port link-aggregation group 1

[Device-FortyGigE1/0/2] quit

Verifying the configuration

# Display detailed information about all aggregation groups on the device when the server is not configured with dynamic link aggregation.

[Device] display link-aggregation verbose

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing

Port Status: S -- Selected, U -- Unselected, I -- Individual

Flags:  A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,

        D -- Synchronization, E -- Collecting, F -- Distributing,

        G -- Defaulted, H -- Expired

 

Aggregate Interface: Route-Aggregation1

Aggregation Mode: Dynamic

Loadsharing Type: NonS

System ID: 0x8000, 000f-e267-6c6a

Local:

  Port             Status  Priority Oper-Key  Flag

--------------------------------------------------------------------------------

  FGE1/0/1          I       32768    1         {AG}

  FGE1/0/2          I       32768    1         {AG}

Remote:

  Actor            Partner Priority Oper-Key  SystemID               Flag

--------------------------------------------------------------------------------

  FGE1/0/1          0       32768    0         0x8000, 0000-0000-0000 {DEF}

  FGE1/0/2          0       32768    0         0x8000, 0000-0000-0000 {DEF}

The output shows that FortyGigE 1/0/1 and FortyGigE 1/0/2 are in Individual state when they do not receive LACPDUs from the server. Both FortyGigE 1/0/1 and FortyGigE 1/0/2 can forward traffic. When one port fails, its traffic is automatically switched to the other port.


Configuring port isolation

The port isolation feature isolates Layer 2 traffic for data privacy and security without using VLANs. You can also use this feature to isolate the hosts in a VLAN from one another.

You can manually create isolation groups on the switch, but only the isolation group numbered 1 is valid. The number of ports assigned to an isolation group is not limited.

Within the same VLAN, ports in an isolation group can communicate with those outside the isolation group at Layer 2.

Assigning ports to an isolation group

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Create an isolation group.

port-isolate group group-number

For this switch series, only the isolation group numbered 1 is valid.

3.       Enter interface view.

·         Enter Layer 2 Ethernet interface view:
interface interface-type interface-number

·         Enter Layer 2 aggregate interface view:
interface bridge-aggregation interface-number

·         The configuration in Layer 2 Ethernet interface view applies only to the interface.

·         The configuration in Layer 2 aggregate interface view applies to the Layer 2 aggregate interface and its aggregation member ports. If the device fails to apply the configuration to the aggregate interface, it does not assign any aggregation member port to the isolation group. If the failure occurs on an aggregation member port, the device skips the port and continues to assign other aggregation member ports to the isolation group.

4.       Assign ports to the specified isolation group.

port-isolate enable group group-number

No ports are assigned to an isolation group by default.

For this switch series, you can assign ports to only isolation group 1.

 

Displaying and maintaining port isolation

Execute display commands in any view.

 

Task

Command

Display isolation group information

display port-isolate group [ group-number ] [ | { begin | exclude | include } regular-expression ]

 

Port isolation configuration example

Network requirements

As shown in Figure 17, LAN users Host A, Host B, and Host C are connected to FortyGigE 1/0/1, FortyGigE 1/0/2, and FortyGigE 1/0/3 on the device, respectively. The device connects to the Internet through FortyGigE 1/0/4.

Configure the device to provide Internet access for the hosts, and isolate them from one another at Layer 2.

Figure 17 Network diagram

 

Configuration procedure

# Create isolation group 1.

<Device> system-view

[Device] port-isolate group 1

# Assign FortyGigE 1/0/1, FortyGigE 1/0/2, and FortyGigE 1/0/3 to isolation group 1.

[Device] interface fortygige 1/0/1

[Device-FortyGigE1/0/1] port-isolate enable group 1

[Device-FortyGigE1/0/1] quit

[Device] interface fortygige 1/0/2

[Device-FortyGigE1/0/2] port-isolate enable group 1

[Device-FortyGigE1/0/2] quit

[Device] interface fortygige 1/0/3

[Device-FortyGigE1/0/3] port-isolate enable group 1

Verifying the configuration

# Display information about isolation group 1.

[Device-FortyGigE1/0/3] display port-isolate group 1

 Port isolation group information:

 Group ID: 1

 Group members:

   FortyGigE1/0/1

   FortyGigE1/0/2

   FortyGigE1/0/3

 


Configuring spanning tree protocols

Spanning tree protocols eliminate loops in a physical link-redundant network by selectively blocking redundant links and putting them in a standby state.

The recent versions of STP include the Rapid Spanning Tree Protocol (RSTP) and the Multiple Spanning Tree Protocol (MSTP).

STP

STP was developed based on the 802.1d standard of IEEE to eliminate loops at the data link layer in a LAN. Networks often have redundant links as backups in case of failures, but loops are a very serious problem. Devices running STP detect loops in the network by exchanging information with one another, and eliminate loops by selectively blocking certain ports to prune the loop structure into a loop-free tree structure. This avoids proliferation and infinite cycling of packets that would occur in a loop network.

In the narrow sense, STP refers to IEEE 802.1d STP. In the broad sense, STP refers to the IEEE 802.1d STP and various enhanced spanning tree protocols derived from that protocol.

STP protocol packets

STP uses bridge protocol data units (BPDUs), also known as configuration messages, as its protocol packets. This chapter uses BPDUs to represent all types of spanning tree protocol packets.

STP-enabled network devices exchange BPDUs to establish a spanning tree. BPDUs contain sufficient information for the network devices to complete spanning tree calculation.

STP uses the following types of BPDUs:

·          Configuration BPDUs—Used by the network devices to calculate a spanning tree and maintain the spanning tree topology.

·          Topology change notification (TCN) BPDUs—Notify network devices of network topology changes.

Configuration BPDUs contain sufficient information for the network devices to complete spanning tree calculation. Important fields in a configuration BPDU include the following:

·          Root bridge ID—Consisting of the priority and MAC address of the root bridge.

·          Root path cost—Cost of the path to the root bridge denoted by the root identifier from the transmitting bridge.

·          Designated bridge ID—Consisting of the priority and MAC address of the designated bridge.

·          Designated port ID—Consisting of the priority and global port number of the designated port.

·          Message age—Age of the configuration BPDU while it propagates in the network.

·          Max age—Maximum age of the configuration BPDU stored on the switch.

·          Hello time—Configuration BPDU transmission interval.

·          Forward delay—Delay that STP bridges use to transit port state.

Basic concepts in STP

Root bridge

A tree network must have a root bridge. The entire network contains only one root bridge, and all the other bridges in the network are called "leaf nodes". The root bridge is not permanent, but can change with changes of the network topology.

Upon initialization of a network, each device generates and periodically sends configuration BPDUs, with itself as the root bridge. After network convergence, only the root bridge generates and periodically sends configuration BPDUs. The other devices only forward the BPDUs.

Root port

On a non-root bridge, the port nearest to the root bridge is the root port. The root port communicates with the root bridge. Each non-root bridge has only one root port. The root bridge has no root port.

Designated bridge and designated port

Classification

Designated bridge

Designated port

For a device

Device directly connected to the local device and responsible for forwarding BPDUs to the local device

Port through which the designated bridge forwards BPDUs to this device

For a LAN

Device responsible for forwarding BPDUs to this LAN segment

Port through which the designated bridge forwards BPDUs to this LAN segment

 

As shown in Figure 18, Device B and Device C are directly connected to a LAN. If Device A forwards BPDUs to Device B through port A1, the designated bridge for Device B is Device A, and the designated port of Device B is port A1 on Device A. If Device B forwards BPDUs to the LAN, the designated bridge for the LAN is Device B, and the designated port for the LAN is port B2 on Device B.

Figure 18 Designated bridges and designated ports

 

Path cost

Path cost is a reference value used for link selection in STP. STP calculates path costs to select the most robust links and block redundant links that are less robust, to prune the network into a loop-free tree.

Calculation process of the STP algorithm

The spanning tree calculation process described in the following sections is a simplified process for example only.

Calculation process

The STP algorithm uses the following calculation process:

1.        Network initialization.

Upon initialization of a device, each port generates a BPDU with the port as the designated port, the device as the root bridge, 0 as the root path cost, and the device ID as the designated bridge ID.

2.        Root bridge selection.

Initially, each STP-enabled device on the network assumes itself to be the root bridge, with its own device ID as the root bridge ID. By exchanging configuration BPDUs, the devices compare their root bridge IDs to elect the device with the smallest root bridge ID as the root bridge.

3.        Root port and designated ports selection on the non-root bridges.

 

Step

Description

1

A non-root–bridge device regards the port on which it received the optimum configuration BPDU as the root port. Table 5 describes how the optimum configuration BPDU is selected.

2

Based on the configuration BPDU and the path cost of the root port, the device calculates a designated port configuration BPDU for each of the other ports.

·         The root bridge ID is replaced with that of the configuration BPDU of the root port.

·         The root path cost is replaced with that of the configuration BPDU of the root port plus the path cost of the root port.

·         The designated bridge ID is replaced with the ID of this device.

·         The designated port ID is replaced with the ID of this port.

3

The device compares the calculated configuration BPDU with the configuration BPDU on the port whose port role will be determined, and acts depending on the result of the comparison:

·         If the calculated configuration BPDU is superior, the device considers this port as the designated port, replaces the configuration BPDU on the port with the calculated configuration BPDU, and periodically sends the calculated configuration BPDU.

·         If the configuration BPDU on the port is superior, the device blocks this port without updating its configuration BPDU. The blocked port can receive BPDUs, but cannot send BPDUs or forward data traffic.

 

When the network topology is stable, only the root port and designated ports forward user traffic. Other ports are all in the blocked state to receive BPDUs but not to forward BPDUs or user traffic.

Table 5 Selecting the optimum configuration BPDU

Step

Actions

1

Upon receiving a configuration BPDU on a port, the device compares the priority of the received configuration BPDU with that of the configuration BPDU generated by the port, and:

·         If the former priority is lower, the device discards the received configuration BPDU and keeps the configuration BPDU the port generated.

·         If the former priority is higher, the device replaces the content of the configuration BPDU generated by the port with the content of the received configuration BPDU.

2

The device compares the configuration BPDUs of all the ports and chooses the optimum configuration BPDU.

 

The following are the principles of configuration BPDU comparison:

a.    The configuration BPDU with the lowest root bridge ID has the highest priority.

b.    If configuration BPDUs have the same root bridge ID, their root path costs are compared. For example, the root path cost in a configuration BPDU plus the path cost of a receiving port is S. The configuration BPDU with the smallest S value has the highest priority.

c.    If all configuration BPDUs have the same root bridge ID and S value, their designated bridge IDs, designated port IDs, and the IDs of the receiving ports are compared in sequence. The configuration BPDU that contains a smaller designated bridge ID, designated port ID, or receiving port ID is selected.

A tree-shape topology forms when the root bridge, root ports, and designated ports are selected.

Example of STP calculation

Figure 19 provides an example showing how the STP algorithm works.

Figure 19 The STP algorithm

 

As shown in Figure 19, the priority values of Device A, Device B, and Device C are 0, 1, and 2, and the path costs of links among the three devices are 5, 10, and 4, respectively.

1.        Device state initialization.

In Table 6, each configuration BPDU contains the following fields: root bridge ID, root path cost, designated bridge ID, and designated port ID.

Table 6 Initial state of each device

Device

Port name

Configuration BPDU on the port

Device A

Port A1

{0, 0, 0, Port A1}

Port A2

{0, 0, 0, Port A2}

Device B

Port B1

{1, 0, 1, Port B1}

Port B2

{1, 0, 1, Port B2}

Device C

Port C1

{2, 0, 2, Port C1}

Port C2

{2, 0, 2, Port C2}

 

2.        Configuration BPDUs comparison on each device.

In Table 7, each configuration BPDU contains the following fields: root bridge ID, root path cost, designated bridge ID, and designated port ID.

Table 7 Comparison process and result on each device

Device

Comparison process

Configuration BPDU on ports after comparison

Device A

·         Port A1 receives the configuration BPDU of Port B1 {1, 0, 1, Port B1}, finds that its existing configuration BPDU {0, 0, 0, Port A1} is superior to the received configuration BPDU, and discards the received one.

·         Port A2 receives the configuration BPDU of Port C1 {2, 0, 2, Port C1}, finds that its existing configuration BPDU {0, 0, 0, Port A2} is superior to the received configuration BPDU, and discards the received one.

·         Device A finds that it is both the root bridge and designated bridge in the configuration BPDUs of all its ports, and considers itself as the root bridge. It does not change the configuration BPDU of any port and starts to periodically send configuration BPDUs.

·         Port A1: {0, 0, 0, Port A1}

·         Port A2: {0, 0, 0, Port A2}

Device B

·         Port B1 receives the configuration BPDU of Port A1 {0, 0, 0, Port A1}, finds that the received configuration BPDU is superior to its existing configuration BPDU {1, 0, 1, Port B1}, and updates its configuration BPDU.

·         Port B2 receives the configuration BPDU of Port C2 {2, 0, 2, Port C2}, finds that its existing configuration BPDU {1, 0, 1, Port B2} is superior to the received configuration BPDU, and discards the received one.

·         Port B1: {0, 0, 0, Port A1}

·         Port B2: {1, 0, 1, Port B2}

·         Device B compares the configuration BPDUs of all its ports, decides that the configuration BPDU of Port B1 is the optimum, and selects Port B1 as the root port with the configuration BPDU unchanged.

·         Based on the configuration BPDU and path cost of the root port, Device B calculates a designated port configuration BPDU for Port B2 {0, 5, 1, Port B2}, and compares it with the existing configuration BPDU of Port B2 {1, 0, 1, Port B2}. Device B finds that the calculated one is superior, decides that Port B2 is the designated port, replaces the configuration BPDU on Port B2 with the calculated one, and periodically sends the calculated configuration BPDU.

·         Root port (Port B1): {0, 0, 0, Port A1}

·         Designated port (Port B2): {0, 5, 1, Port B2}

Device C

·         Port C1 receives the configuration BPDU of Port A2 {0, 0, 0, Port A2}, finds that the received configuration BPDU is superior to its existing configuration BPDU {2, 0, 2, Port C1}, and updates its configuration BPDU.

·         Port C2 receives the original configuration BPDU of Port B2 {1, 0, 1, Port B2}, finds that the received configuration BPDU is superior to the existing configuration BPDU {2, 0, 2, Port C2}, and updates its configuration BPDU.

·         Port C1: {0, 0, 0, Port A2}

·         Port C2: {1, 0, 1, Port B2}

·         Device C compares the configuration BPDUs of all its ports, decides that the configuration BPDU of Port C1 is the optimum, and selects Port C1 as the root port with the configuration BPDU unchanged.

·         Based on the configuration BPDU and path cost of the root port, Device C calculates the configuration BPDU of Port C2 {0, 10, 2, Port C2}, and compares it with the existing configuration BPDU of Port C2 {1, 0, 1, Port B2}. Device C finds that the calculated configuration BPDU is superior to the existing one, selects Port C2 as the designated port, and replaces the configuration BPDU of Port C2 with the calculated one.

·         Root port (Port C1): {0, 0, 0, Port A2}

·         Designated port (Port C2): {0, 10, 2, Port C2}

·         Port C2 receives the updated configuration BPDU of Port B2 {0, 5, 1, Port B2}, finds that the received configuration BPDU is superior to its existing configuration BPDU {0, 10, 2, Port C2}, and updates its configuration BPDU.

·         Port C1 receives a periodic configuration BPDU {0, 0, 0, Port A2} from Port A2, finds that it is the same as the existing configuration BPDU, and discards the received one.

·         Port C1: {0, 0, 0, Port A2}

·         Port C2: {0, 5, 1, Port B2}

·         Device C finds that the root path cost of Port C1 (10) (root path cost of the received configuration BPDU (0) plus path cost of Port C1 (10)) is larger than that of Port C2 (9) (root path cost of the received configuration BPDU (5) plus path cost of Port C2 (4)), decides that the configuration BPDU of Port C2 is the optimum, and selects Port C2 as the root port with the configuration BPDU unchanged.

·         Based on the configuration BPDU and path cost of the root port, Device C calculates a designated port configuration BPDU for Port C1 {0, 9, 2, Port C1} and compares it with the existing configuration BPDU of Port C1 {0, 0, 0, Port A2}. Device C finds that the existing configuration BPDU is superior to the calculated one and blocks Port C1 with the configuration BPDU unchanged. Then Port C1 does not forward data until a new event triggers a spanning tree calculation process, for example, the link between Device B and Device C is down.

·         Blocked port (Port C1): {0, 0, 0, Port A2}

·         Root port (Port C2): {0, 5, 1, Port B2}

 

After the comparison processes described in Table 7, a spanning tree with Device A as the root bridge is established, and the topology is shown in Figure 20.

Figure 20 The final calculated spanning tree

 

The configuration BPDU forwarding mechanism of STP

The configuration BPDUs of STP are forwarded according to these guidelines:

·          Upon network initiation, every device regards itself as the root bridge, generates configuration BPDUs with itself as the root, and sends the configuration BPDUs at a regular hello interval.

·          If the root port received a configuration BPDU and the received configuration BPDU is superior to the configuration BPDU of the port, the device increases the message age carried in the configuration BPDU following a certain rule and starts a timer to time the configuration BPDU while sending this configuration BPDU through the designated port.

·          If the configuration BPDU received on a designated port has a lower priority than the configuration BPDU of the local port, the port immediately sends its own configuration BPDU in response.

·          If a path becomes faulty, the root port on this path no longer receives new configuration BPDUs and the old configuration BPDUs will be discarded due to timeout. The device generates a configuration BPDU with itself as the root and sends the BPDUs and TCN BPDUs. This triggers a new spanning tree calculation process to establish a new path to restore the network connectivity.

However, the newly calculated configuration BPDU cannot be propagated throughout the network immediately, so the old root ports and designated ports that have not detected the topology change continue forwarding data along the old path. If the new root ports and designated ports begin to forward data as soon as they are elected, a temporary loop might occur.

STP timers

The most important timing parameters in STP calculation are forward delay, hello time, and max age.

·          Forward delayForward delay is the delay time for port state transition.

A path failure can cause spanning tree re-calculation to adapt the spanning tree structure to the change. However, the resulting new configuration BPDU cannot propagate throughout the network immediately. If the newly elected root ports and designated ports start to forward data immediately, a temporary loop will likely occur.

For this reason, as a mechanism for state transition in STP, the newly elected root ports or designated ports require twice the forward delay time before they transit to the forwarding state to make sure the new configuration BPDU has propagated throughout the network.

·          Hello timeThe device sends hello packets at the hello time interval to the neighboring devices to make sure the paths are fault-free.

·          Max ageThe device uses the max age to determine whether a stored configuration BPDU has expired and discards it if the max age is exceeded.

RSTP

RSTP achieves rapid network convergence by allowing a newly elected root port or designated port to enter the forwarding state much faster than STP.

If the old root port on the device has stopped forwarding data and the upstream designated port has started forwarding data, a newly elected RSTP root port rapidly enters the forwarding state.

A newly elected RSTP designated port rapidly enters the forwarding state if it is an edge port (a port that directly connects to a user terminal rather than to another network device or a shared LAN segment) or it connects to a point-to-point link. Edge ports directly enter the forwarding state. Connecting to a point-to-point link, a designated port enters the forwarding state immediately after the device receives a handshake response from the directly connected device.

MSTP

MSTP overcomes the following STP and RSTP limitations:

·          STP limitations—STP does not support rapid state transition of ports. A newly elected port must wait twice the forward delay time before it transits to the forwarding state, even if it connects to a point-to-point link or is an edge port.

·          RSTP limitations—Although RSTP enables faster network convergence than STP, RSTP fails to provide load balancing among VLANs. As with STP, all RSTP bridges in a LAN share one spanning tree and forward packets from all VLANs along this spanning tree.

MSTP features

Developed based on IEEE 802.1s, MSTP overcomes the limitations of STP and RSTP. In addition to supporting rapid network convergence, it provides a better load sharing mechanism for redundant links by allowing data flows of different VLANs to be forwarded along separate paths.

MSTP provides the following features:

·          MSTP divides a switched network into multiple regions, each of which contains multiple spanning trees that are independent of one another.

·          MSTP supports mapping VLANs to spanning tree instances by means of a VLAN-to-instance mapping table. MSTP can reduce communication overheads and resource usage by mapping multiple VLANs to one instance.

·          MSTP prunes a loop network into a loop-free tree, which avoids proliferation and endless cycling of packets in a loop network. In addition, it supports load balancing of VLAN data by providing multiple redundant paths for data forwarding.

·          MSTP is compatible with STP and RSTP.

MSTP basic concepts

Figure 21 shows a switched network that contains four MST regions, each MST region containing four MSTP devices. Figure 22 shows the networking topology of MST region 3.

Figure 21 Basic concepts in MSTP 

 

Figure 22 Network diagram and topology of MST region 3

 

MST region

A multiple spanning tree region (MST region) consists of multiple devices in a switched network and the network segments among them. All these devices have the following characteristics:

·          A spanning tree protocol enabled

·          Same region name

·          Same VLAN-to-instance mapping configuration

·          Same MSTP revision level

·          Physically linked together

Multiple MST regions can exist in a switched network. You can assign multiple devices to the same MST region. In Figure 21, the switched network contains four MST regions, MST region 1 through MST region 4, and all devices in each MST region have the same MST region configuration.

MSTI

MSTP can generate multiple independent spanning trees in an MST region, and each spanning tree is mapped to the specific VLANs. Each spanning tree is referred to as a "multiple spanning tree instance (MSTI)".

In Figure 22, MST region 3 contains three MSTIs, MSTI 1, MSTI 2, and MSTI 0.

VLAN-to-instance mapping table

As an attribute of an MST region, the VLAN-to-instance mapping table describes the mapping relationships between VLANs and MSTIs.

In Figure 22, the VLAN-to-instance mapping table of MST region 3 is: VLAN 1 to MSTI 1, VLAN 2 and VLAN 3 to MSTI 2, and other VLANs to MSTI 0. MSTP achieves load balancing by means of the VLAN-to-instance mapping table.

CST

The common spanning tree (CST) is a single spanning tree that connects all MST regions in a switched network. If you regard each MST region as a device, the CST is a spanning tree calculated by these devices through STP or RSTP.

The blue lines in Figure 21 represent the CST.

IST

An internal spanning tree (IST) is a spanning tree that runs in an MST region. It is also called MSTI 0, a special MSTI to which all VLANs are mapped by default.

In Figure 21, MSTI 0 is the IST in MST region 3.

CIST

The common and internal spanning tree (CIST) is a single spanning tree that connects all devices in a switched network. It consists of the ISTs in all MST regions and the CST.

In Figure 21, the ISTs (MSTI 0) in all MST regions plus the inter-region CST constitute the CIST of the entire network.

Regional root

The root bridge of the IST or an MSTI within an MST region is the regional root of the IST or MSTI. Based on the topology, different spanning trees in an MST region might have different regional roots.

In MST region 3 in Figure 22, the regional root of MSTI 1 is Device B, the regional root of MSTI 2 is Device C, and the regional root of MSTI 0 (also known as the IST) is Device A.

Common root bridge

The common root bridge is the root bridge of the CIST.

In Figure 21, the common root bridge is a device in MST region 1.

Port roles

A port can play different roles in different MSTIs. As shown in Figure 23, an MST region contains Device A, Device B, Device C, and Device D. Port A1 and port A2 of Device A connect to the common root bridge. Port B2 and Port B3 of Device B form a loop. Port C3 and Port C4 of Device C connect to other MST regions. Port D3 of Device D directly connects to a host.

Figure 23 Port roles

 

MSTP calculation involves the following port roles:

·          Root port—Forwards data for a non-root bridge to the root bridge. The root bridge does not have any root port.

·          Designated port—Forwards data to the downstream network segment or device.

·          Alternate port—Serves as the backup port for a root port or master port. When the root port or master port is blocked, the alternate port takes over.

·          Backup port—Serves as the backup port of a designated port. When the designated port is invalid, the backup port becomes the new designated port. A loop occurs when two ports of the same spanning tree device are connected, so the device blocks one of the ports. The blocked port acts as the backup.

·          Edge port—Does not connect to any network device or network segment, but directly connects to a user host.

·          Master port—Serves as a port on the shortest path from the local MST region to the common root bridge. The master port is not always located on the regional root. It is a root port on the IST or CIST and still a master port on the other MSTIs.

·          Boundary port—Connects an MST region to another MST region or to an STP/RSTP-running device. In MSTP calculation, a boundary port's role on an MSTI is consistent with its role on the CIST. But that is not true with master ports. A master port on MSTIs is a root port on the CIST.

Port states

In MSTP, a port can be in one of the following states:

·          Forwarding—The port receives and sends BPDUs, learns MAC addresses, and forwards user traffic.

·          Learning—The port receives and sends BPDUs, learns MAC addresses, but does not forward user traffic. Learning is an intermediate port state.

·          Discarding—The port receives and sends BPDUs, but does not learn MAC addresses or forward user traffic.

 

 

NOTE:

When in different MSTIs, a port can be in different states.

 

A port state is not exclusively associated with a port role. Table 8 lists the port states that each port role supports. (A check mark [√] indicates that the port supports this state, while a dash [—] indicates that the port does not support this state.)

Table 8 Port states that different port roles support

Port role (right)

Port state (below)

Root port/master port

Designated port

Alternate port

Backup port

Forwarding

Learning

Discarding

 

How MSTP works

MSTP divides an entire Layer 2 network into multiple MST regions, which are connected by a calculated CST. Inside an MST region, multiple spanning trees, called MSTIs, are calculated. Among these MSTIs, MSTI 0 is the IST.

Like STP, MSTP uses configuration BPDUs to calculate spanning trees. An important difference is that an MSTP BPDU carries the MSTP configuration of the bridge from which the BPDU is sent.

CIST calculation

The calculation of a CIST tree is also the process of configuration BPDU comparison. During this process, the device with the highest priority is elected as the root bridge of the CIST. MSTP generates an IST within each MST region through calculation. At the same time, MSTP regards each MST region as a single device and generates a CST among these MST regions through calculation. The CST and ISTs constitute the CIST of the entire network.

MSTI calculation

Within an MST region, MSTP generates different MSTIs for different VLANs based on the VLAN-to-instance mappings. For each spanning tree, MSTP performs a separate calculation process similar to spanning tree calculation in STP. For more information, see "Calculation process of the STP algorithm."

In MSTP, a VLAN packet is forwarded along the following paths:

·          Within an MST region, the packet is forwarded along the corresponding MSTI.

·          Between two MST regions, the packet is forwarded along the CST.

MSTP implementation on devices

MSTP is compatible with STP and RSTP. Devices that are running MSTP and that are used for spanning tree calculation can identify STP and RSTP protocol packets.

In addition to basic MSTP features, the following features are provided for ease of management:

·          Root bridge hold

·          Root bridge backup

·          Root guard

·          BPDU guard

·          Loop guard

·          TC-BPDU guard

·          Port role restriction

·          TC-BPDU transmission restriction

·          Support for hot swapping of interface cards

Protocols and standards

MSTP is documented in the following protocols and standards:

·          IEEE 802.1d, Media Access Control (MAC) Bridges

·          IEEE 802.1w, Part 3: Media Access Control (MAC) Bridges—Amendment 2: Rapid Reconfiguration

·          IEEE 802.1s, Virtual Bridged Local Area Networks—Amendment 3: Multiple Spanning Trees

·          IEEE 802.1Q-REV/D1.3, Media Access Control (MAC) Bridges and Virtual Bridged Local Area Networks —Clause 13: Spanning tree Protocols

Spanning tree configuration task lists

Before configuring a spanning tree, you must determine the spanning tree protocol to be used (STP, RSTP, or MSTP) and plan the device roles (the root bridge or leaf node).

Configuration restrictions and guidelines

When you configure the spanning tree feature, follow these restrictions and guidelines:

·          Configurations made in system view take effect globally. Configurations made in Ethernet interface view or WLAN mesh interface view take effect on the interface only. Configurations made in Layer 2 aggregate interface view take effect only on the aggregate interface. Configurations made on an aggregation member port can take effect only after the port is removed from the aggregation group.

·          After you enable a spanning tree protocol on a Layer 2 aggregate interface, the system performs spanning tree calculation on the Layer 2 aggregate interface, but not on the aggregation member ports. The spanning tree protocol enable state and forwarding state of each selected member port is consistent with those of the corresponding Layer 2 aggregate interface.

·          Though the member ports of an aggregation group do not participate in spanning tree calculation, the ports still reserve their spanning tree configurations for participating in spanning tree calculation after leaving the aggregation group.

STP configuration task list

Tasks at a glance

Configuring the root bridge:

·         (Required.) Setting the spanning tree mode

·         (Optional.) Configuring the root bridge or a secondary root bridge

·         (Optional.) Configuring the device priority

·         (Optional.) Configuring the network diameter of a switched network

·         (Optional.) Setting spanning tree timers

·         (Optional.) Configuring the timeout factor

·         (Optional.) Configuring the BPDU transmission rate

·         (Optional.) Enabling outputting port state transition information

·         (Required.) Enabling the spanning tree feature

Configuring the leaf nodes:

·         (Required.) Setting the spanning tree mode

·         (Optional.) Configuring the device priority

·         (Optional.) Configuring the timeout factor

·         (Optional.) Configuring the BPDU transmission rate

·         (Optional.) Configuring path costs of ports

·         (Optional.) Configuring the port priority

·         (Optional.) Enabling outputting port state transition information

·         (Required.) Enabling the spanning tree feature

(Optional.) Configuring protection features

 

RSTP configuration task list

Tasks at a glance

Configuring the root bridge:

·         (Required.) Setting the spanning tree mode

·         (Optional.) Configuring the root bridge or a secondary root bridge

·         (Optional.) Configuring the device priority

·         (Optional.) Configuring the network diameter of a switched network

·         (Optional.) Setting spanning tree timers

·         (Optional.) Configuring the timeout factor

·         (Optional.) Configuring the BPDU transmission rate

·         (Optional.) Configuring edge ports

·         (Optional.) Configuring the port link type

·         (Optional.) Enabling outputting port state transition information

·         (Required.) Enabling the spanning tree feature

Configuring the leaf nodes:

·         (Required.) Setting the spanning tree mode

·         (Optional.) Configuring the device priority

·         (Optional.) Configuring the timeout factor

·         (Optional.) Configuring the BPDU transmission rate

·         (Optional.) Configuring edge ports

·         (Optional.) Configuring path costs of ports

·         (Optional.) Configuring the port priority

·         (Optional.) Configuring the port link type

·         (Optional.) Enabling outputting port state transition information

·         (Required.) Enabling the spanning tree feature

(Optional.) Performing mCheck

(Optional.) Configuring protection features

 

MSTP configuration task list

Tasks at a glance

Configuring the root bridge:

·         (Required.) Setting the spanning tree mode

·         (Required.) Configuring an MST region

·         (Optional.) Configuring the root bridge or a secondary root bridge

·         (Optional.) Configuring the device priority

·         (Optional.) Configuring the maximum hops of an MST region

·         (Optional.) Configuring the network diameter of a switched network

·         (Optional.) Setting spanning tree timers

·         (Optional.) Configuring the timeout factor

·         (Optional.) Configuring the BPDU transmission rate

·         (Optional.) Configuring edge ports

·         (Optional.) Configuring the port link type

·         (Optional.) Configuring the mode a port uses to recognize and send MSTP packets

·         (Optional.) Enabling outputting port state transition information

·         (Required.) Enabling the spanning tree feature

Configuring the leaf nodes:

·         (Required.) Setting the spanning tree mode

·         (Required.) Configuring an MST region

·         (Optional.) Configuring the device priority

·         (Optional.) Configuring the timeout factor

·         (Optional.) Configuring the BPDU transmission rate

·         (Optional.) Configuring edge ports

·         (Optional.) Configuring path costs of ports

·         (Optional.) Configuring the port priority

·         (Optional.) Configuring the port link type

·         (Optional.) Configuring the mode a port uses to recognize and send MSTP packets

·         (Optional.) Enabling outputting port state transition information

·         (Required.) Enabling the spanning tree feature

(Optional.) Performing mCheck

(Optional.) Configuring Digest Snooping

(Optional.) Configuring No Agreement Check

(Optional.) Configuring protection features

 

Setting the spanning tree mode

The spanning tree modes include:

·          STP mode—All ports of the device send STP BPDUs. Select this mode when the peer device of a port supports only STP.

·          RSTP mode—All ports of the device send RSTP BPDUs. A port in this mode automatically transits to the STP mode when it receives STP BPDUs from the peer device, and a port in this mode does not transit to the MSTP mode when it receives MSTP BPDUs from the peer device.

·          MSTP mode—All ports of the device send MSTP BPDUs. A port in this mode automatically transits to the STP mode when receiving STP BPDUs from the peer device, and a port in this mode does not transit to the RSTP mode when receiving RSTP BPDUs from the peer device.

MSTP mode is compatible with RSTP mode, and RSTP mode is compatible with STP mode.

To set the spanning tree mode:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Set the spanning tree mode.

stp mode { mstp | rstp | stp }

The default setting is the MSTP mode.

 

 

NOTE:

·      In STP or RSTP mode, do not specify an MSTI. Otherwise, the spanning tree configuration does not take effect.

·      In MSTP mode, if you specify an MSTI, the spanning tree configuration takes effect on the specified MSTI. If you do not specify an MSTI, the spanning tree configuration takes effect on the CIST.

 

Configuring an MST region

Two or more spanning tree devices belong to the same MST region only if they are configured to have the same format selector (0 by default, not configurable), MST region name, MST region revision level, and the same VLAN-to-instance mapping entries in the MST region, and they are connected through a physical link.

The configuration of MST region-related parameters (especially the VLAN-to-instance mapping table) might cause MSTP to begin a new spanning tree calculation. To reduce the possibility of topology instability, the MST region configuration takes effect only after you activate it by using the active region-configuration command, or enable a spanning tree protocol by using the stp global enable command if the spanning tree protocol is disabled.

To configure an MST region:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter MST region view.

stp region-configuration

N/A

3.       Configure the MST region name.

region-name name

The default setting is the MAC address.

4.       Configure the VLAN-to-instance mapping table.

·         instance instance-id vlan vlan-id-list

·         vlan-mapping modulo modulo

Use one of the commands.

By default, all VLANs in an MST region are mapped to the CIST (or MSTI 0).

5.       Configure the MSTP revision level of the MST region.

revision-level level

The default setting is 0.

6.       (Optional.) Display the MST region configurations that are not activated yet.

check region-configuration

N/A

7.       Manually activate MST region configuration.

active region-configuration

N/A

8.       (Optional.) Display the activated configuration information of the MST region.

display stp region-configuration

Available in any view.

 

Configuring the root bridge or a secondary root bridge

You can have the spanning tree protocol determine the root bridge of a spanning tree through MSTP calculation, or you can specify the current device as the root bridge or as a secondary root bridge.

A device has independent roles in different spanning trees. It can act as the root bridge in one spanning tree and as a secondary root bridge in another. However, one device cannot be the root bridge and a secondary root bridge in the same spanning tree.

A spanning tree can have only one root bridge. If two or more devices are selected as the root bridge in a spanning tree at the same time, the device with the lowest MAC address is chosen.

When the root bridge of an instance fails or is shut down, the secondary root bridge (if you have specified one) becomes the root bridge if you have not specified a new root bridge. If you specify multiple secondary root bridges for an instance, the secondary root bridge with the lowest MAC address is given priority.

You can specify one root bridge for each spanning tree, regardless of the device priority settings. Once you specify a device as the root bridge or a secondary root bridge, you cannot change its priority.

You can configure the current device as the root bridge by setting the device priority to 0. For the device priority configuration, see "Configuring the device priority."

Configuring the current device as the root bridge of a specific spanning tree

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the current device as the root bridge.

·         In STP/RSTP mode:
stp root primary

·         In MSTP mode:
stp [ instance instance-list ] root primary

By default, a device does not function as the root bridge.

 

Configuring the current device as a secondary root bridge of a specific spanning tree

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the current device as a secondary root bridge.

·         In STP/RSTP mode:
stp root secondary

·         In MSTP mode:
stp [ instance instance-list ] root secondary

By default, a device does not function as a secondary root bridge.

 

Configuring the device priority

Device priority is a factor in calculating the spanning tree. The priority of a device determines whether the device can be elected as the root bridge of a spanning tree. A lower value indicates a higher priority. You can set the priority of a device to a low value to specify the device as the root bridge of the spanning tree. A spanning tree device can have different priorities in different MSTIs.

During root bridge selection, if all devices in a spanning tree have the same priority, the one with the lowest MAC address is selected as the root bridge of the spanning tree. You cannot change the priority of a device after it is configured as the root bridge or as a secondary root bridge.

To configure the priority of a device in a specified MSTI:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the priority of the current device.

·         In STP/RSTP mode:
stp priority priority

·         In MSTP mode:
stp [ instance instance-list ] priority priority

The default setting is 32768.

 

Configuring the maximum hops of an MST region

Restrict the region size by setting the maximum hops of an MST region. The hop limit configured on the regional root bridge is used as the hop limit for the MST region.

Configuration BPDUs sent by the regional root bridge always have a hop count set to the maximum value. When a device receives this configuration BPDU, it decrements the hop count by one, and uses the new hop count in the BPDUs that it propagates. When the hop count of a BPDU reaches zero, it is discarded by the device that received it. Devices beyond the reach of the maximum hop can no longer participate in spanning tree calculations, so the size of the MST region is limited.

Make this configuration only on the root bridge. All other devices in the MST region use the maximum hop value set for the root bridge.

To configure the maximum number of hops of an MST region:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the maximum hops of the MST region.

stp max-hops hops

The default setting is 20.

 

Configuring the network diameter of a switched network

Any two terminal devices in a switched network are connected through a specific path composed of a series of devices. The network diameter is the number of devices on the path composed of the most devices. The network diameter is a parameter that indicates the network size. A bigger network diameter indicates a larger network size.

Based on the network diameter you configured, the system automatically sets an optimal hello time, forward delay, and max age for the device. Each MST region is considered a device and the configured network diameter is effective only on the CIST (or the common root bridge) but not on other MSTIs.

To configure the network diameter of a switched network:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the network diameter of the switched network.

stp bridge-diameter diameter

The default setting is 7.

 

Setting spanning tree timers

The following timers are used for spanning tree calculation:

·          Forward delayDelay time for port state transition. To prevent temporary loops on a network, the spanning tree feature sets an intermediate port state (the learning state) before it transits from the discarding state to the forwarding state. The feature also requires that the port transit its state after a forward delay timer to make sure the state transition of the local port stays synchronized with the peer.

·          Hello timeInterval at which the device sends configuration BPDUs to detect link failures. If the device receives no configuration BPDUs within the timeout time, it recalculates the spanning tree. (Timeout time = timeout factor × 3 × hello time.)

·          Max age—In the CIST of an MSTP network, the device uses the max age timer to determine if a configuration BPDU received by a port has expired. If it has, a new spanning tree calculation process starts. The max age timer does not take effect on other MSTIs except the CIST.

To avoid frequent network changes, make sure the timer settings meet the following formulas:

·          2 × (forward delay – 1 second) ≥ max age

·          Max age ≥ 2 × (hello time + 1 second)

As a best practice, specify the network diameter instead of manually setting the spanning tree timers. The spanning tree protocols will automatically calculate the timers based on the network diameter. If the network diameter uses the default value, the timers also use their default values.

Set the timers only on the root bridge. The timer settings on the root bridge apply to all devices on the entire switched network.

Configuration restrictions and guidelines

When you configure spanning tree timers, follow these restrictions and guidelines:

·          The length of the forward delay timer is related to the network diameter of the switched network. The larger the network diameter is, the longer the forward delay time should be. As a best practice, use the automatically calculated value because inappropriate forward delay setting might cause temporary redundant paths or increase the network convergence time.

·          An appropriate hello time setting enables the device to promptly detect link failures on the network without using excessive network resources. If the hello time is too long, the device mistakes packet loss for a link failure and triggers a new spanning tree calculation process. If the hello time is too short, the device frequently sends the same configuration BPDUs, which waste device and network resources. As a best practice, use the default setting.

·          If the max age timer is too short, the device frequently begins spanning tree calculations and might mistake network congestion as a link failure. If the max age timer is too long, the device might fail to promptly detect link failures and quickly launch spanning tree calculations, reducing the auto-sensing capability of the network. As a best practice, use the default setting.

Configuration procedure

To configure the spanning tree timers:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the forward delay timer.

stp timer forward-delay time

The default setting is 15 seconds.

3.       Configure the hello timer.

stp timer hello time

The default setting is 2 seconds.

4.       Configure the max age timer.

stp timer max-age time

The default setting is 20 seconds.

 

Configuring the timeout factor

The timeout factor is a parameter used to decide the timeout time, in the following formula: Timeout time = timeout factor × 3 × hello time.

After the network topology is stabilized, each non-root-bridge device forwards configuration BPDUs to the downstream devices at the hello interval to detect link failures. If a device does not receive a BPDU from the upstream device within nine times the hello time, it assumes that the upstream device has failed and starts a new spanning tree calculation process.

An upstream device might be too busy to forward configuration BPDUs in time, for example, many Layer 2 interfaces are configured on the upstream device. As a result, the downstream device fails to receive a BPDU within the timeout period and then starts an undesired spanning tree calculation. The calculation might fail, and it also wastes network resources. To prevent undesired spanning tree calculation and save network resources on a stable network, you can set the timeout factor to 5, 6, or 7.

To configure the timeout factor:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Configure the timeout factor of the device.

stp timer-factor factor

The default setting is 3.

 

Configuring the BPDU transmission rate

The maximum number of BPDUs a port can send within each hello time equals the BPDU transmission rate plus the hello timer value. Configure an appropriate BPDU transmission rate based on the physical status of the port and the network structure.

The higher the BPDU transmission rate, the more BPDUs are sent within each hello time, and the more system resources are used. By setting an appropriate BPDU transmission rate, you can limit the rate at which the port sends BPDUs and prevent spanning tree protocols from using excessive network resources when the network topology changes. As a best practice, use the default setting.

To configure the BPDU transmission rate:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Layer 2 Ethernet or aggregate interface view.

interface interface-type interface-number

N/A

3.       Configure the BPDU transmission rate of the ports.

stp transmit-limit limit

The default setting is 10.

 

Configuring edge ports

If a port directly connects to a user terminal rather than another device or a shared LAN segment, this port is regarded as an edge port. When network topology change occurs, an edge port will not cause a temporary loop. Because a device does not determine whether a port is directly connected to a terminal, you must manually configure the port as an edge port. After that, the port can rapidly transit from the blocked state to the forwarding state.

Configuration restrictions and guidelines

When you configure edge ports, follow these restrictions and guidelines:

·          If BPDU guard is disabled, a port set as an edge port becomes a non-edge port again if it receives a BPDU from another port. To restore the edge port, re-enable it.

·          If a port directly connects to a user terminal, configure it as an edge port and enable BPDU guard for it. This enables the port to quickly transit to the forwarding state when ensuring network security.

·          On a port, the loop guard feature and the edge port setting are mutually exclusive.

Configuration procedure

To specify a port as an edge port:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Layer 2 Ethernet or aggregate interface view.

interface interface-type interface-number

N/A

3.       Configure the current ports as edge ports.

stp edged-port

By default, all ports are non-edge ports.

 

Configuring path costs of ports

Path cost is a parameter related to the rate of a port. On a spanning tree device, a port can have different path costs in different MSTIs. Setting appropriate path costs allows VLAN traffic flows to be forwarded along different physical links, achieving VLAN-based load balancing.

You can have the device automatically calculate the default path cost, or you can configure the path cost for ports.

Specifying a standard for the device to use when it calculates the default path cost

CAUTION

CAUTION:

If you change the standard that the device uses to calculate the default path costs, you restore the path costs to the default.

 

You can specify a standard for the device to use in automatic calculation for the default path cost. The device supports the following standards:

·          dot1d-1998—The device calculates the default path cost for ports based on IEEE 802.1d-1998.

·          dot1t—The device calculates the default path cost for ports based on IEEE 802.1t.

·          legacy—The device calculates the default path cost for ports based on a private standard.

Table 9 shows the mapping between the link speed and the path cost.

Table 9 Mappings between the link speed and the path cost

Link speed

Port type

Path cost

IEEE 802.1d-1998

IEEE 802.1t

Private standard

0

N/A

65535

200000000

200000

10 Mbps

Single port

100

2000000

2000

Aggregate interface containing 2 Selected ports

1000000

1800

Aggregate interface containing 3 Selected ports

666666

1600

Aggregate interface containing 4 Selected ports

500000

1400

100 Mbps

Single port

19

200000

200

Aggregate interface containing 2 Selected ports

100000

180

Aggregate interface containing 3 Selected ports

66666

160

Aggregate interface containing 4 Selected ports

50000

140

1000 Mbps

Single port

4

20000

20

Aggregate interface containing 2 Selected ports

10000

18

Aggregate interface containing 3 Selected ports

6666

16

Aggregate interface containing 4 Selected ports

5000

14

10 Gbps

Single port

2

2000

2

Aggregate interface containing 2 Selected ports

1000

1

Aggregate interface containing 3 Selected ports

666

1

Aggregate interface containing 4 Selected ports

500

1

 

Configuration restrictions and guidelines

When you specify a standard for the device to use when it calculates the default path cost, follow these restrictions and guidelines:

·          When it calculates the path cost for an aggregate interface, IEEE 802.1t takes into account the number of Selected ports in its aggregation group, but IEEE 802.1d-1998 does not. The calculation formula of IEEE 802.1t is: Path cost = 200,000,000/link speed (in 100 kbps), where link speed is the sum of the link speed values of the Selected ports in the aggregation group.

·          IEEE 802.1d-1998 or the private standard always assigns the smallest possible value to a single port or an aggregate interface when the link speed of the port or interface exceeds 10 Gbps. The forwarding path selected based on this criterion might not be the best one. To solve this problem, use dot1t as the standard for default path cost calculation, or manually set the path cost for the port (see "Configuring path costs of ports").

Configuration procedure

To specify a standard for the device to use when it calculates the default path cost:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Specify a standard for the device to use when it calculates the default path costs of its ports.

stp pathcost-standard { dot1d-1998 | dot1t | legacy }

The default setting is legacy.

 

Configuring path costs of ports

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Layer 2 Ethernet or aggregate interface view.

interface interface-type interface-number

N/A

3.       Configure the path cost of the ports.

·         In STP/RSTP mode:
stp cost cost

·         In MSTP mode:
stp [ instance instance-list ] cost cost

By default, the system automatically calculates the path cost of each port.

 

 

NOTE:

When the path cost of a port changes, the system re-calculates the role of the port and initiates a state transition.

 

Configuration example

# In MSTP mode, configure the device to calculate the default path costs of its ports by using IEEE 802.1d-1998, and set the path cost of FortyGigE 1/0/3 to 200 on MSTI 2.

<Sysname> system-view

[Sysname] stp pathcost-standard dot1d-1998

Cost of every port will be reset and automatically re-calculated after you change the current pathcost standard. Continue?[Y/N]:y

Cost of every port has been re-calculated.

[Sysname] interface fortygige 1/0/3

[Sysname-FortyGigE1/0/3] stp instance 2 cost 200

Configuring the port priority

The priority of a port is a factor that determines whether the port can be elected as the root port of a device. If all other conditions are the same, the port with the highest priority is elected as the root port.

On a spanning tree device, a port can have different priorities and play different roles in different spanning trees, so that data of different VLANs can be propagated along different physical paths, implementing per-VLAN load balancing. You can set port priority values based on the actual networking requirements.

To configure the priority of a port:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Layer 2 Ethernet or aggregate interface view.

interface interface-type interface-number

N/A

3.       Configure the port priority.

·         In STP/RSTP mode:
stp port priority priority

·         In MSTP mode:
stp [ instance instance-list ] port priority priority

The default setting is 128 for all ports.

 

 

NOTE:

When the priority of a port changes, the system re-calculates the port role and initiates a state transition.

 

Configuring the port link type

A point-to-point link directly connects two devices. If two root ports or designated ports are connected over a point-to-point link, they can rapidly transit to the forwarding state after a proposal-agreement handshake process.

Configuration restrictions and guidelines

When you configure the port link type, follow these restrictions and guidelines:

·          You can configure the link type as point-to-point for a Layer 2 aggregate interface or a port that operates in full duplex mode. As a best practice, use the default setting for the device to automatically detect the port link type.

·          The stp point-to-point force-false or stp point-to-point force-true command configured on a port in MSTP mode is effective on all MSTIs.

·          If you configure a non-point-to-point link as a point-to-point link, the configuration might cause a temporary loop.

Configuration procedure

To configure the link type of a port:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Layer 2 Ethernet or aggregate interface view.

interface interface-type interface-number

N/A

3.       Configure the port link type.

stp point-to-point { auto | force-false | force-true }

By default, the link type is auto where the port automatically detects the link type.

 

Configuring the mode a port uses to recognize and send MSTP packets

A port can receive and send MSTP packets in the following formats:

·          dot1s—802.1s-compliant standard format

·          legacy—Compatible format

When the number of existing MSTIs exceeds 48, the port can send only 802.1s MSTP packets.

By default, the packet format recognition mode of a port is auto. The port automatically distinguishes the two MSTP packet formats, and determines the format of packets that it will send based on the recognized format.

You can configure the MSTP packet format on a port. When operating in MSTP mode after the configuration, the port sends only MSTP packets of the format that you have configured to communicate with devices that send packets of the same format.

A port in auto mode sends 802.1s MSTP packets by default. When the port receives an MSTP packet of a legacy format, the port starts to send packets only of the legacy format. This prevents the port from frequently changing the format of sent packets. To configure the port to send 802.1s MSTP packets, shut down and then bring up the port.

To configure the MSTP packet format to be supported on a port:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Layer 2 Ethernet or aggregate interface view.

interface interface-type interface-number

N/A

3.       Configure the mode that the port uses to recognize/send MSTP packets.

stp compliance { auto | dot1s | legacy }

The default setting is auto.

 

Enabling outputting port state transition information

In a large-scale spanning tree network, you can enable devices to output the port state transition information of all MSTIs or the specified MSTI in order to monitor the port states in real time.

To enable outputting port state transition information:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable outputting port state transition information.

·         In STP/RSTP mode:
stp port-log instance 0

·         In MSTP mode:
stp port-log { all | instance instance-list }

By default, this feature is enabled.

 

Enabling the spanning tree feature

You must enable the spanning tree feature for the device before any other spanning tree related configurations can take effect. Make sure the spanning tree feature is enabled globally and on the desired ports.

You can disable the spanning tree feature for certain ports with the undo stp enable command to exclude them from spanning tree calculation and save CPU resources of the device.

To enable the spanning tree feature:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable the spanning tree feature globally.

stp global enable

By default, the spanning tree feature is disabled globally.

3.       Enter Layer 2 Ethernet or aggregate interface view.

interface interface-type interface-number

N/A

4.       (Optional.) Enable the spanning tree feature for the port.

stp enable

By default, the spanning tree feature is enabled on all ports.

 

Performing mCheck

The mCheck feature enables user intervention in the port status transition process.

If a port on a device that is running MSTP or RSTP connects to an STP device, this port automatically transits to STP mode when the port receives STP BPDUs. However, if the peer STP device is shut down or removed and the local device cannot detect the change, the local device cannot automatically transit back to the original mode. To forcibly transit the port to operate in the original mode, you can perform an mCheck operation.

Suppose a scenario where Device A, Device B, and Device C are connected in sequence. Device A runs STP, Device B does not run any spanning tree protocol, and Device C runs RSTP or MSTP. In this case, when Device C receives an STP BPDU transparently transmitted by Device B, the receiving port transits to the STP mode. If you configure Device B to run RSTP or MSTP with Device C, you must perform mCheck operations on the ports interconnecting Device B and Device C.

The following methods for performing mCheck produce the same result.

Performing mCheck globally

Step

Command

1.       Enter system view.

system-view

2.       Perform mCheck.

stp global mcheck

 

Performing mCheck in interface view

Step

Command

1.       Enter system view.

system-view

2.       Enter Layer 2 Ethernet or aggregate interface view.

interface interface-type interface-number

3.       Perform mCheck.

stp mcheck

 

 

NOTE:

An mCheck operation takes effect on a device that operates in MSTP or RSTP mode.

 

Configuring Digest Snooping

As defined in IEEE 802.1s, connected devices are in the same region only when their MST region-related configurations (region name, revision level, and VLAN-to-instance mappings) are identical. A spanning tree device identifies devices in the same MST region by determining the configuration ID in BPDU packets. The configuration ID includes the region name, revision level, and configuration digest, which is 16-byte long and is the result calculated through the HMAC-MD5 algorithm based on VLAN-to-instance mappings.

Because spanning tree implementations vary by vendor, the configuration digests calculated through private keys are different. The devices of different vendors in the same MST region cannot communicate with each other.

To enable communication between an H3C device and a third-party device, enable the Digest Snooping feature on the port that connects the H3C device to the third-party device in the same MST region.

Configuration restrictions and guidelines

When you configure Digest Snooping, follow these restrictions and guidelines:

·          Before you enable Digest Snooping, make sure associated devices of different vendors are connected and run spanning tree protocols.

·          With Digest Snooping enabled, in-the-same-region verification does not require comparison of configuration digest, so the VLAN-to-instance mappings must be the same on associated ports.

·          With Digest Snooping enabled globally, modify the VLAN-to-instance mappings or execute the undo stp region-configuration command to restore the default MST region configuration with caution. If the local device has different VLAN-to-instance mappings than its neighboring devices, loops or traffic interruption occurs.

·          To make Digest Snooping take effect, you must enable Digest Snooping both globally and on associated ports. As a best practice, enable Digest Snooping on all associated ports first and then enable it globally. This will make the configuration take effect on all configured ports and reduce impact on the network.

·          To prevent loops, do not enable Digest Snooping on MST region edge ports.

·          As a best practice, enable Digest Snooping first and then the spanning tree feature. To avoid traffic interruption, do not configure Digest Snooping when the network is already working well.

Configuration procedure

You can enable Digest Snooping only on the H3C device that is connected to a third-party device that uses its private key to calculate the configuration digest.

To configure Digest Snooping:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Layer 2 Ethernet or aggregate interface view.

interface interface-type interface-number

N/A

3.       Enable Digest Snooping on the interface.

stp config-digest-snooping

By default, Digest Snooping is disabled on ports.

4.       Return to system view.

quit

N/A

5.       Enable Digest Snooping globally.

stp global config-digest-snooping

By default, Digest Snooping is disabled globally.

 

Digest Snooping configuration example

Network requirements

As shown in Figure 24, Device A and Device B connect to Device C, which is a third-party device. All these devices are in the same region.

Enable Digest Snooping on the ports of Device A and Device B that connect to Device C, so that the three devices can communicate with one another.

Figure 24 Network diagram

 

Configuration procedure

# Enable Digest Snooping on FortyGigE 1/0/1 of Device A and enable global Digest Snooping on Device A.

<DeviceA> system-view

[DeviceA] interface fortygige 1/0/1

[DeviceA-FortyGigE1/0/1] stp config-digest-snooping

[DeviceA-FortyGigE1/0/1] quit

[DeviceA] stp global config-digest-snooping

# Enable Digest Snooping on FortyGigE 1/0/1 of Device B and enable global Digest Snooping on Device B.

<DeviceB> system-view

[DeviceB] interface fortygige 1/0/1

[DeviceB-FortyGigE1/0/1] stp config-digest-snooping

[DeviceB-FortyGigE1/0/1] quit

[DeviceB] stp global config-digest-snooping

Configuring No Agreement Check

In RSTP and MSTP, the following types of messages are used for rapid state transition on designated ports:

·          Proposal—Sent by designated ports to request rapid transition

·          Agreement—Used to acknowledge rapid transition requests

Both RSTP and MSTP devices can perform rapid transition on a designated port only when the port receives an agreement packet from the downstream device. RSTP and MSTP devices have the following differences:

·          For MSTP, the root port of the downstream device sends an agreement packet only after it receives an agreement packet from the upstream device.

·          For RSTP, the downstream device sends an agreement packet regardless of whether an agreement packet from the upstream device is received.

Figure 25 Rapid state transition of an MSTP designated port

 

Figure 26 Rapid state transition of an RSTP designated port

 

If the upstream device is a third-party device, the rapid state transition implementation might be limited. For example, when the upstream device uses a rapid transition mechanism similar to that of RSTP, and the downstream device adopts MSTP and does not operate in RSTP mode, the root port on the downstream device receives no agreement packet from the upstream device and sends no agreement packets to the upstream device. As a result, the designated port of the upstream device fails to transit rapidly, and can only change to the forwarding state after a period twice the Forward Delay.

You can enable the No Agreement Check feature on the downstream device's port to enable the designated port of the upstream device to transit its state rapidly.

Configuration prerequisites

Before you configure the No Agreement Check feature, complete the following tasks:

·          Connect a device to a third-party upstream device that supports spanning tree protocols through a point-to-point link.

·          Configure the same region name, revision level and VLAN-to-instance mappings on the two devices, assigning them to the same region.

Configuration procedure

Enable the No Agreement Check feature on the root port.

To configure No Agreement Check:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enter Layer 2 Ethernet or aggregate interface view.

interface interface-type interface-number

N/A

3.       Enable No Agreement Check.

stp no-agreement-check

By default, No Agreement Check is disabled.

 

No Agreement Check configuration example

Network requirements

As shown in Figure 27:

·          Device A connects to a third-party device that has a different spanning tree implementation. Both devices are in the same region.

·          The third-party device (Device B) is the regional root bridge, and Device A is the downstream device.

Figure 27 Network diagram

 

Configuration procedure

# Enable No Agreement Check on FortyGigE 1/0/1 of Device A.

<DeviceA> system-view

[DeviceA] interface fortygige 1/0/1

[DeviceA-FortyGigE1/0/1] stp no-agreement-check

Configuring protection features

A spanning tree device supports the following protection features:

·          BPDU guard

·          Root guard

·          Loop guard

·          Port role restriction

·          TC-BPDU transmission restriction

·          TC-BPDU guard

Enabling BPDU guard

For access layer devices, the access ports can directly connect to the user terminals (such as PCs) or file servers. The access ports are configured as edge ports to allow rapid transition. When these ports receive configuration BPDUs, the system automatically sets the ports as non-edge ports and starts a new spanning tree calculation process. This causes a change of network topology. Under normal conditions, these ports should not receive configuration BPDUs. However, if someone forges configuration BPDUs maliciously to attack the devices, the network will become unstable.

The spanning tree protocol provides the BPDU guard feature to protect the system against such attacks. With the BPDU guard feature enabled on the devices, when edge ports receive configuration BPDUs, the system closes these ports and notifies the NMS that these ports have been closed by the spanning tree protocol. The device reactivates the closed ports after a detection interval. For more information about this detection interval, see Fundamentals Configuration Guide.

BPDU guard does not take effect on loopback-testing-enabled ports. For more information about loopback testing, see "Configuring Ethernet interfaces."

Configure BPDU guard on a device with edge ports configured.

To enable BPDU guard:

 

Step

Command

Remarks

1.       Enter system view.

system-view

N/A

2.       Enable the BPDU guard feature for the device.