h3c low-end and mid-range ethernet switches configuration examples(v1.01)-book

H3C Low-End and Mid-Range Ethernet Switches Configuration Examples Hangzhou H3C Technologies Co., Ltd. http://www.h3c.com Manual Version: 20081203-C-1.01

Upload: gue-del-rio

Post on 13-Apr-2015



Copyright 2008, Hangzhou H3C Technologies Co., Ltd. and its licensors

All Rights Reserved

No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd.

Trademarks

H3C, Aolynk, H3Care, TOP G, IRF, NetPilot, Neocean, NeoVTL, SecPro, SecPoint, SecEngine, SecPath, Comware, Secware, Storware, NQA, VVG, V2G, VnG, PSPT, XGbus, N-Bus, TiGem, InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co., Ltd. All other trademarks that may be mentioned in this manual are the property of their respective owners.

Notice

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute the warranty of any kind, express or implied.

Technical Support

[email protected]
http://www.h3c.com

About This Manual

Organization

H3C Low-End and Mid-Range Ethernet Switches Configuration Examples is organized as follows:

Part: Contents

01-Login Configuration Guide: Configuring Telnet Login Using Console Port; Configuring Console Port Login Using Telnet; Configuring to Log In to a Switch Through the Web-Based NMS; Configuring to Control the Login Users
02-VLAN Configuration Guide: Configuring Port-Based VLAN; Configuring MAC-Based VLAN; Configuring Protocol-Based VLAN; Configuring IP Subnet-Based VLAN; Configuring Isolate-User-VLAN; Configuring a Super VLAN
03-GVRP Configuration Guide: Configuring GVRP
04-Voice VLAN Configuration Guide: Configuring Voice VLAN
05-IP Addressing and Performance Configuration Guide: Configuring IP Addressing; Configuring IP Performance
06-QinQ Configuration Guide: Configuring QinQ; Configuring Flow-Based Selective QinQ; Configuring One-to-One VLAN Mapping
07-BPDU Tunnel Configuration Guide: Configuring BPDU Tunnel
08-VLAN Mapping Configuration Guide: One-to-One/Many-to-One VLAN Mapping Configuration Example; One-to-Two/Two-to-Two VLAN Mapping Configuration Example
09-MAC Address Table Management Configuration Guide: Configuring MAC Address Table Management
10-Link Aggregation Configuration Guide: Configuring Link Aggregation
11-IP Source Guard Configuration Guide: Configuring Static Binding Entries; Configuring Dynamic Binding
12-DLDP Configuration Guide: Configuring DLDP
13-MSTP Configuration Guide: Configuring MSTP; Configuring RSTP
14-IPv4 Routing Configuration Guide: Configuring a Static Route; Configuring the RIP Version; Configuring RIP Route Redistribution; Configuring an Additional Metric for a RIP Interface; Configuring RIP to Advertise a Summary Route; Configuring OSPF Basic Functions; Configuring OSPF; Configuring OSPF to Advertise a Summary Route; Configuring an OSPF Stub Area; Configuring an OSPF NSSA Area; Configuring OSPF DR Election; Configuring an OSPF Virtual Link; Configuring OSPF GR; Configuring Route Filtering; Configuring IS-IS Basic Functions; Configuring IS-IS DIS Election; Configuring IS-IS Route Redistribution; Configuring IS-IS GR; Configuring IS-IS Authentication; Configuring BGP Basic Functions; Configuring BGP and IGP Route Synchronization; Configuring BGP Load Balancing; Configuring BGP Community; Configuring BGP Route Reflector; Configuring BGP Confederation; Configuring BGP Path Selection; Configuring Route Policy Application in IPv4 Route Redistribution; Applying a Route Policy to Filter Received BGP Routes
15-IPv6 Configuration Guide: Configuring IPv6 Basics; Configuring IPv6 Manual Tunnel; Configuring Automatic IPv4-Compatible IPv6 Tunnel; Configuring Automatic 6to4 Tunnel; Configuring ISATAP Tunnel
16-IPv6 Routing Configuration Guide: Configuring an IPv6 Static Route; Configuring IPv6 RIPng; Configuring RIPng Route Redistribution; Configuring IPv6 RIPng over IPv4 Tunnel; Configuring an OSPFv3 Area; Configuring OSPFv3 Route Redistribution; Configure OSPFv3 DR Election; Configuring IPv6 IS-IS; Configuring IPv6 BGP; Configuring IPv6 BGP Route Reflector; Configuring Route Policy Application in IPv6 Route Redistribution
17-IPv4 Multicast Configuration Guide: IGMP Configuration Examples; IGMP Snooping Configuration Examples; Multicast VLAN Configuration Examples; PIM Configuration Examples; MSDP Configuration Examples; Multicast Routing and Forwarding Configuration Example; MBGP Configuration Examples
18-IPv6 Multicast Configuration Examples: MLD Configuration Examples; MLD Snooping Configuration Examples; IPv6 Multicast VLAN Configuration Examples; IPv6 MBGP Configuration Examples
19-802.1x Configuration Guide: Configuring 802.1x; Configuring Dynamic VLAN Assignment; Configuring ACL Assignment; Configuring EAD Fast Deployment
20-AAA Configuration Guide: Configuring AAA by HWTACACS Server for Telnet Users; Configuring AAA by Separate Servers for Telnet Users; Configuring AAA by RADIUS Server for SSH Users; Configuring EAD Application
21-MAC Authentication Configuration Guide: Configuring Local MAC Authentication; Configuring RADIUS Based MAC Authentication; Configuring ACL Assignment
22-Portal Configuration Guide: Configuring Direct Portal Authentication; Configuring Re-DHCP Portal Authentication; Configuring Layer 3 Portal Authentication; Configuring Direct Portal Authentication for EAD
23-ARP Configuration Guide: Configuring ARP Basics; Configuring Proxy ARP; Configuring Local Proxy ARP; ARP Detection Configuration Example
24-DHCP Configuration Guide: Configuring Static IP Address Allocation; Configuring Dynamic IP Address Allocation; Configuring DHCP Relay Agent; Configuring DHCP Snooping; Configuring DHCP Snooping Option 82 Support; Configuring DHCP Client; Configuring Auto-Configuration
25-ACL Configuration Guide: Configuring a Basic IPv4 ACL; Configuring an Advanced IPv4 ACL; Configuring an Ethernet Frame Header ACL; Configuring a User-Defined ACL and a Flow Template; Configuring a Basic IPv6 ACL; Configuring an Advanced IPv6 ACL
26-QoS Configuration Guide: Configuring Rate Limiting and Traffic Policing; Configuring Priority Marking and Queue Scheduling; Configuring Priority Mapping and Queue Scheduling; Configuring Traffic Mirroring and Redirecting Traffic to a Port; Redirecting Traffic to the Next Hop
27-Port Mirroring Configuration Guide: Configuring Local Port Mirroring; Configuring Remote Port Mirroring (with a Reflector Port); Configuring Remote Port Mirroring (with an Egress Port)
28-Cluster Management Configuration Guide: Configuring Cluster Management
29-SNMP-RMON Configuration Guide: Configuring SNMPv2c to Monitor and Manage a Switch; Configuring SNMPv3 to Monitor and Manage a Switch; Configuring SNMP Logging; Configuring RMON
30-NTP Configuration Guide: Configuring NTP Client/Server Mode; Configuring NTP Symmetric Peers Mode; Configuring NTP Broadcast Mode; Configuring NTP Multicast Mode; Configuring NTP Broadcast Mode with Authentication
31-FTP-TFTP Configuration Guide: Configuring FTP Client; Configuring FTP Server; Configuring TFTP Client
32-UDP Helper Configuration Guide: Configuring UDP Helper
33-Information Center Configuration Guide: Configuring to Output Log Information to a Unix Log Host; Configuring to Output Log Information to a Linux Log Host; Configuring to Output Log Information to the Console
34-DNS Configuration Guide: Configuring Static Domain Name Resolution; Configuring Dynamic Domain Name Resolution; Configuring DNS Proxy
35-File System Management Configuration Guide: Configuring File System Management; Configuring Configuration File Management
36-Remote Upgrade Configuration Guide: Configuring Remote Upgrade (on a Distributed Switch); Configuring Remote Upgrade (on a Centralized Switch)
37-NQA Configuration Guide: ICMP Echo Test Configuration Example; DHCP Test Configuration Example; FTP Test Configuration Example; HTTP Test Configuration Example; UDP Jitter Test Configuration Example; SNMP Test Configuration Example; TCP Test Configuration Example; UDP Echo Test Configuration Example
38-VRRP Configuration Guide: Configuring Single VRRP Group; Configuring VRRP Interface Tracking; Configuring Multiple VRRP Groups; Configuring Single VRRP Group; Configuring VRRP Interface Tracking; Configuring Multiple VRRP Groups
39-SSH Configuration Guide: SSH Server Configuration (Password Authentication); SSH Server Configuration (Publickey Authentication); SSH Client Configuration (Password Authentication); SSH Client Configuration (Publickey Authentication); SFTP Client Configuration; SFTP Server Configuration
40-Port Security Configuration Guide: Configuring the Port Security autolearn Mode; Configuring the userLoginWithOUI Mode; Configuring the macAddressWithRadius Mode; Configuring macAddressElseUserLoginSecure Mode
41-Port Isolation Configuration Guide: Configuring Port Isolation
42-LLDP Configuration Guide: Configuring LLDP; CDP-Compatible LLDP Configuration Example
43-MCE Configuration Guide: Configuring MCE (Redistributing VPN Routes by OSPF/RIP/IS-IS); Configuring MCE (Redistributing VPN Routes by BGP)
44-PoE Configuration Guide: Configuring PoE for Centralized Devices; Configuring PoE for Distributed Devices
45-OAM Configuration Guide: Configuring OAM
46-Connectivity Fault Detection Configuration Guide: Configuring Connectivity Fault Detection
47-RRPP Configuration Guide: Configuring a Single-Ring Topology; Configuring a Single-Domain Intersecting-Ring Topology; Configuring a Multi-Domain Intersecting-Ring Topology; Configuring a Single-Ring Topology; Configuring an Intersecting-Ring Topology; Configuring Intersecting-Ring Load Balancing
48-sFlow Configuration Guide: Configuring sFlow
49-SSL-HTTPS Configuration Guide: Configuring SSL-HTTPS
50-PKI Configuration Guide: Requesting a Certificate from a CA Running RSA Keon; Requesting a Certificate from a CA Running Windows 2003 Server; Configuring a Certificate Attribute-Based Access Control Policy
51-Track Configuration Guide: Configuring VRRP-Track-NQA Collaboration; Configuring Static Routing-Track-NQA Collaboration
52-EPON-OLT Configuration Guide: OLT Configuration Examples; ONU Remote Management Configuration Examples; UNI Port Configuration Examples
53-Smart Link Configuration Guide: Single Smart Link Group Configuration Example; Multiple Smart Link Groups Load Sharing Configuration Example
54-MPLS Configuration Guide: MPLS Configuration Guide; Guide for Configuring a Remote CCC Connection; Configuring SVC MPLS L2VPN; Configuring Martini MPLS L2VPN; Configuring Kompella MPLS L2VPN; Configuring MPLS L3VPNs; Configuring Inter-Provider VPN Option A; Configuring Inter-Provider VPN Option B; Configuring Inter-Provider VPN Option C; Configuring Carrier's Carrier; Configuring Nested VPN; Configuring OSPF Sham Links; Configuring BGP AS Number Substitution

Conventions

The manual uses the following conventions:

GUI conventions

Convention | Description
Boldface | Window names, button names, field names, and menu items are in Boldface. For example, the New User window appears; click OK.
> | Multi-level menus are separated by angle brackets. For example, File > Create > Folder.

Symbols

Convention | Description
(symbol not reproduced) | Means reader be careful. Improper operation may cause data loss or damage to equipment.
(symbol not reproduced) | Means a complementary description.

Table of Contents

1 Login Configuration Guide
Configuring Telnet Login Using Console Port: Network Diagram; Networking and Configuration Requirements; Applicable Product Matrix; Configuration Procedure; Complete Configuration; Configuration Guidelines
Configuring Console Port Login Using Telnet: Network Diagram; Networking and Configuration Requirements; Applicable Product Matrix; Configuration Procedure; Complete Configuration; Configuration Guidelines
Configuring to Log In to a Switch Through the Web-Based NMS: Network Diagram; Networking and Configuration Requirements; Applicable Product Matrix; Configuration Procedure; Complete Configuration; Configuration Guidelines
Configuring to Control the Login Users: Network Diagram; Networking and Configuration Requirements; Applicable Product Matrix; Configuration Procedure; Complete Configuration; Configuration Guidelines

1 Login Configuration Guide

Configuring Telnet Login Using Console Port

Logging in through the console port is the most common way to log in to a switch, and it is also the basis for configuring other login methods.

Network Diagram

Figure 1-1 Network diagram for configuring Telnet login using console port

Networking and Configuration Requirements

As shown in Figure 1-1, the serial port of a PC/terminal is connected to the console port of the switch using a console cable. The current user logs into the switch from the AUX user interface on the console port to configure Telnet login. The current user level is 3, that is, the manage level.

Applicable Product Matrix

Product series | Software version | Hardware version
S3610 Series Ethernet Switches | Release 5301, Release 5303 | All versions
S5510 Series Ethernet Switches | Release 5301, Release 5303 | All versions
S5500-SI Series Ethernet Switches | Release 1207 | All versions except S5500-20TP-SI
S5500-SI Series Ethernet Switches | Release 1301 | S5500-20TP-SI
S5500-EI Series Ethernet Switches | Release 2102 | All versions
S7500E Series Ethernet Switches | Release 6100, Release 6300 | All versions

Configuration Procedure

• Common configuration for Telnet login

# Enter system view, and enable Telnet service.
<Sysname> system-view
[Sysname] telnet server enable

# Set the level of commands accessible to the virtual type terminal (VTY) 0 user to 2.
[Sysname] user-interface vty 0
[Sysname-ui-vty0] user privilege level 2

# Enable the Telnet service on VTY 0.
[Sysname-ui-vty0] protocol inbound telnet

# Set the number of lines that can be viewed on the screen of the VTY 0 user to 30.
[Sysname-ui-vty0] screen-length 30

# Set the history command buffer size to 20 for VTY 0.
[Sysname-ui-vty0] history-command max-size 20

# Set the idle-timeout time of VTY 0 to 6 minutes.
[Sysname-ui-vty0] idle-timeout 6

• Configure the authentication mode for Telnet login

The following three authentication modes are available for Telnet login: none, password, and scheme. The configuration procedures for the three authentication modes are described below:

1) Configure not to authenticate Telnet users on VTY 0.

[Sysname] user-interface vty 0
[Sysname-ui-vty0] authentication-mode none

2) Configure password authentication for Telnet login on VTY 0, and set the password to 123456 in plain text.

[Sysname] user-interface vty 0
[Sysname-ui-vty0] authentication-mode password
[Sysname-ui-vty0] set authentication password simple 123456

3) Configure local authentication in scheme mode for login users.

# Create a local user named guest and enter local user view.
[Sysname] local-user guest

# Set the authentication password to 123456 in plain text.
[Sysname-luser-guest] password simple 123456

# Set the service type to Telnet and the user level to 2 for the user guest.
[Sysname-luser-guest] service-type telnet level 2
[Sysname-luser-guest] quit

# Enter VTY 0 user interface view.
[Sysname] user-interface vty 0

# Set the authentication mode to scheme for Telnet login on VTY 0.
[Sysname-ui-vty0] authentication-mode scheme
[Sysname-ui-vty0] quit

# Specify the domain system as the default domain, and configure the domain to adopt local authentication in scheme mode.
[Sysname] domain default enable system
[Sysname] domain system
[Sysname-isp-system] scheme local

Complete Configuration

• Telnet login configuration with the authentication mode being none

#
 telnet server enable
#
user-interface vty 0
 authentication-mode none
 user privilege level 2
 history-command max-size 20
 idle-timeout 6 0
 screen-length 30
 protocol inbound telnet

• Telnet login configuration with the authentication mode being password

#
 telnet server enable
#
user-interface vty 0
 authentication-mode password
 user privilege level 2
 set authentication password simple 123456
 history-command max-size 20
 idle-timeout 6 0
 screen-length 30
 protocol inbound telnet

• Telnet login configuration with the authentication mode being scheme

#
domain system
 authentication default local
#
 telnet server enable
#
local-user guest
 service-type telnet level 2
 password simple 123456
#
user-interface vty 0
 authentication-mode scheme
 user privilege level 2
 history-command max-size 20
 idle-timeout 6 0
 screen-length 30
 protocol inbound telnet

Configuration Guidelines

N/A

Configuring Console Port Login Using Telnet

An Ethernet switch supports Telnet, so you can manage and maintain the switch remotely by Telnetting to it.

Network Diagram

Figure 1-2 Network diagram for configuring console port login using Telnet

Networking and Configuration Requirements

As shown in Figure 1-2, telnet to the switch to configure console login. The current user level is 3, that is, the manage level.

Applicable Product Matrix

Product series | Software version | Hardware version
S3610 Series Ethernet Switches | Release 5301, Release 5303 | All versions
S5510 Series Ethernet Switches | Release 5301, Release 5303 | All versions
S5500-SI Series Ethernet Switches | Release 1207 | All versions except S5500-20TP-SI
S5500-SI Series Ethernet Switches | Release 1301 | S5500-20TP-SI
S5500-EI Series Ethernet Switches | Release 2102 | All versions
S7500E Series Ethernet Switches | Release 6100, Release 6300 | All versions

Configuration Procedure

• Common configuration for console login

# Specify the level of commands accessible to the AUX 0 user interface to 2.
[Sysname] user-interface aux 0
[Sysname-ui-aux0] user privilege level 2

# Set the baud rate of the console port to 19200 bps.
[Sysname-ui-aux0] speed 19200

# Set the number of lines that can be viewed on the screen of the AUX 0 user to 30.
[Sysname-ui-aux0] screen-length 30

# Set the history command buffer size to 20 for AUX 0.
[Sysname-ui-aux0] history-command max-size 20

# Set the idle-timeout time of AUX 0 to 6 minutes.
[Sysname-ui-aux0] idle-timeout 6

• Configure the authentication mode for console login

The following three authentication modes are available for console login: none, password, and scheme. The configuration procedures for the three authentication modes are described below:

1) Configure not to authenticate console login users.

[Sysname] user-interface aux 0
[Sysname-ui-aux0] authentication-mode none

2) Configure password authentication for console login, and set the password to 123456 in plain text.

[Sysname] user-interface aux 0
[Sysname-ui-aux0] authentication-mode password
[Sysname-ui-aux0] set authentication password simple 123456

3) Configure local authentication in scheme mode for console login.

# Create a local user named guest and enter local user view.
[Sysname] local-user guest

# Set the authentication password to 123456 in plain text.
[Sysname-luser-guest] password simple 123456

# Set the service type to Terminal and the user level to 2 for the user guest.
[Sysname-luser-guest] service-type terminal level 2
[Sysname-luser-guest] quit

# Enter AUX 0 user interface view.
[Sysname] user-interface aux 0

# Set the authentication mode to scheme for console login.
[Sysname-ui-aux0] authentication-mode scheme

# Specify the domain system as the default domain, and configure the domain to adopt local authentication in scheme mode.
[Sysname] domain default enable system
[Sysname] domain system
[Sysname-isp-system] scheme local

Complete Configuration

• Console login configuration with the authentication mode being none

#
user-interface aux 0
 authentication-mode none
 user privilege level 2
 history-command max-size 20
 idle-timeout 6 0
 speed 19200
 screen-length 30

• Console login configuration with the authentication mode being password

#
user-interface aux 0
 authentication-mode password
 user privilege level 2
 set authentication password simple 123456
 history-command max-size 20
 idle-timeout 6 0
 speed 19200
 screen-length 30

• Console login configuration with the authentication mode being scheme

#
domain system
 authentication default local
#
local-user guest
 password simple 123456
 service-type terminal level 2
#
user-interface aux 0
 authentication-mode scheme
 user privilege level 2
 history-command max-size 20
 idle-timeout 6 0
 speed 19200
 screen-length 30

Configuration Guidelines

N/A

Configuring to Log In to a Switch Through the Web-Based NMS

Network Diagram

Figure 1-3 Network diagram for logging in through the web-based network management system

Networking and Configuration Requirements

As shown in Figure 1-3, a PC logs into a switch through web-based network management system and manages the switch remotely.

Applicable Product Matrix

Product series | Software version | Hardware version
S3610 Series Ethernet Switches | Release 5301, Release 5303 | All versions
S5510 Series Ethernet Switches | Release 5301, Release 5303 | All versions
S5500-SI Series Ethernet Switches | Release 1207 | All versions except S5500-20TP-SI
S5500-SI Series Ethernet Switches | Release 1301 | S5500-20TP-SI
S5500-EI Series Ethernet Switches | Release 2102 | All versions

Configuration Procedure

# Configure the IP address of VLAN 1 (default VLAN of the switch) interface as 10.153.17.82 with the mask 255.255.255.0.
<Sysname> system-view
[Sysname] interface vlan-interface 1
[Sysname-VLAN-interface1] ip address 10.153.17.82 255.255.255.0
[Sysname-VLAN-interface1] quit

# Configure the Web-based network management system user name as admin, and password as admin, and set the user level to 3.
[Sysname] local-user admin
[Sysname-luser-admin] service-type telnet level 3
[Sysname-luser-admin] password simple admin
[Sysname-luser-admin] quit

# Enable the Web server on the switch.
[Sysname] ip http enable

Log in to the switch through IE: Launch IE on the Web-based network management terminal (your PC) and enter http://10.153.17.82 in the address bar (make sure the route between the Web-based network management terminal and the switch is available), and the login authentication page appears, as shown in Figure 1-4.

Figure 1-4 The login page of the Web-based network management system

# Enter the user name and the password configured on the switch and click Login to display the initial page of the Web-based network management system.

Complete Configuration

#
local-user admin
 password simple admin
 service-type telnet level 3
#
interface Vlan-interface1
 ip address 10.153.17.82 255.255.255.0

Configuration Guidelines

By default, web-based network management system is enabled.

Configuring to Control the Login Users

Network Diagram

Figure 1-5 Network diagram for controlling the login users

[Figure: Host A (10.110.100.46) and Host B (10.110.100.52) reach Switch across an IP network]

Networking and Configuration Requirements

As shown in Figure 1-5, only Telnet/SNMP/Web users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 are permitted to log in to the switch.

Applicable Product Matrix

Product series | Software version | Hardware version
S3610 Series Ethernet Switches | Release 5301, Release 5303 | All versions
S5510 Series Ethernet Switches | Release 5301, Release 5303 | All versions
S5500-SI Series Ethernet Switches | Release 1207 | All versions except S5500-20TP-SI
S5500-SI Series Ethernet Switches | Release 1301 | S5500-20TP-SI
S5500-EI Series Ethernet Switches | Release 2102 | All versions
S7500E Series Ethernet Switches | Release 6100, Release 6300 | All versions

Configuration Procedure

# Create basic ACL 2000 and enter basic ACL view.
[Sysname] acl number 2000 match-order config
[Sysname-acl-basic-2000]

# Define ACL rules to allow only Telnet/SNMP/Web users sourced from the IP addresses of 10.110.100.52 and 10.110.100.46 to log in to the switch.
[Sysname-acl-basic-2000] rule 1 permit source 10.110.100.52 0
[Sysname-acl-basic-2000] rule 2 permit source 10.110.100.46 0
[Sysname-acl-basic-2000] rule 3 deny source any
[Sysname-acl-basic-2000] quit

# Apply ACL 2000 to control Telnet users by source IP address.
[Sysname] user-interface vty 0 4
[Sysname-ui-vty0-4] acl 2000 inbound

# Apply ACL 2000 to control SNMP users by source IP address.
[Sysname] snmp-agent community read aaa acl 2000
[Sysname] snmp-agent group v2c groupa acl 2000
[Sysname] snmp-agent usm-user v2c usera groupa acl 2000

# Apply ACL 2000 to control Web users by source IP address.
[Sysname] ip http acl 2000

Complete Configuration

• Configuration for controlling Telnet users by source IP address

#
acl number 2000
 rule 1 permit source 10.110.100.52 0
 rule 2 permit source 10.110.100.46 0
 rule 3 deny
#
user-interface vty 0 4
 acl 2000 inbound

• Configuration for controlling SNMP users by source IP address

#
acl number 2000
 rule 1 permit source 10.110.100.52 0
 rule 2 permit source 10.110.100.46 0
 rule 3 deny
#
 snmp-agent community read aaa acl 2000
 snmp-agent group v2c groupa acl 2000
 snmp-agent usm-user v2c usera groupa acl 2000

• Configuration for controlling Web users by source IP address

#
acl number 2000
 rule 1 permit source 10.110.100.52 0
 rule 2 permit source 10.110.100.46 0
 rule 3 deny
#
 ip http acl 2000

Configuration Guidelines

The S7500E series Ethernet switches with software version do not support Web login. Therefore, Web user control is not applicable to an S7500E series with software version.
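
The login settings shown in this guide (authentication-mode none, passwords stored with the simple keyword, the Telnet server, and the ACL 2000 source restriction on VTY, SNMP and Web access) can be checked mechanically in a saved configuration. The following Python script is an added example, not part of the H3C manual: the rule names, function names and sample configuration are constructed for illustration, and the parser assumes stanzas are separated by # lines as in the Complete Configuration listings.

```python
import re

# Constructed sample assembled from the kinds of lines shown in this guide's
# "Complete Configuration" listings; stanzas are separated by "#" lines.
SAMPLE_CONFIG = """\
#
 telnet server enable
#
acl number 2000
 rule 1 permit source 10.110.100.52 0
 rule 2 permit source 10.110.100.46 0
 rule 3 deny
#
local-user guest
 password simple 123456
 service-type telnet level 2
#
user-interface aux 0
 authentication-mode none
#
user-interface vty 0
 authentication-mode password
 set authentication password simple 123456
 protocol inbound telnet
#
user-interface vty 1 4
 authentication-mode scheme
 acl 2000 inbound
 protocol inbound telnet
#
 snmp-agent community read aaa
#
 ip http acl 2001
"""

# Matches an ACL reference such as "acl 2000 inbound" or "ip http acl 2000".
ACL_REF = re.compile(r"(?:^|\s)acl (\d+)(?:\s|$)")


def parse_stanzas(text):
    """Split a configuration into stanzas (lists of stripped lines) at '#' lines."""
    stanzas, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                stanzas.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        stanzas.append(current)
    return stanzas


def audit(text):
    """Return a sorted list of (rule, location) findings; secrets are never echoed."""
    stanzas = parse_stanzas(text)
    defined_acls = set()
    for stanza in stanzas:
        match = re.match(r"acl number (\d+)", stanza[0])
        if match:
            defined_acls.add(match.group(1))

    findings = set()
    for stanza in stanzas:
        head = stanza[0]
        if head.startswith("acl number"):
            continue
        is_ui = head.startswith("user-interface ")
        if head.startswith("user-interface vty") and not any(
            re.fullmatch(r"acl \d+ inbound", line) for line in stanza
        ):
            findings.add(("VTY-NO-SOURCE-ACL", head))
        for line in stanza:
            ref = ACL_REF.search(line)
            if re.search(r"\bpassword simple\b", line):
                # Report where the plaintext secret is stored, never its value.
                findings.add(("PLAINTEXT-PASSWORD", head))
            if line == "telnet server enable":
                findings.add(("TELNET-ENABLED", "global"))
            if is_ui and line == "authentication-mode none":
                findings.add(("NO-AUTH", head))
            if line.startswith("snmp-agent community") and not ref:
                findings.add(("SNMP-COMMUNITY-NO-ACL", "global"))
            if ref and ref.group(1) not in defined_acls:
                findings.add(("UNDEFINED-ACL", "acl " + ref.group(1)))
    return sorted(findings)


if __name__ == "__main__":
    for rule, location in audit(SAMPLE_CONFIG):
        print(f"{rule:24} {location}")
```

Run against the Telnet user-control listing above (ACL 2000 applied inbound on VTY 0 4), the audit returns no findings.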


Table of Contents

1 VLAN Configuration Guide
Configuring Port-Based VLAN: Network Diagram; Networking and Configuration Requirements; Applicable Product Matrix; Configuration Procedure; Complete Configuration; Configuration Guidelines
Configuring MAC-Based VLAN: Network Diagram; Networking and Configuration Requirements; Applicable Product Matrix; Configuration Procedure; Complete Configuration; Configuration Guidelines
Configuring Protocol-Based VLAN: Network Diagram; Networking and Configuration Requirements; Applicable Product Matrix; Configuration Procedure; Complete Configuration; Configuration Guidelines
Configuring IP Subnet-Based VLAN: Network Diagram; Networking and Configuration Requirements; Applicable Product Matrix; Configuration Procedure; Complete Configuration; Configuration Guidelines
Configuring Isolate-User-VLAN: Network Diagram; Networking and Configuration Requirements; Applicable Product Matrix; Configuration Procedure; Complete Configuration; Configuration Guidelines
Configuring a Super VLAN: Network Diagram; Networking and Configuration Requirements; Applicable Product Matrix; Configuration Procedure; Complete Configuration; Configuration Guidelines

1 VLAN Configuration Guide

Configuring Port-Based VLAN

Network Diagram

Figure 1-1 Network diagram for port-based VLAN configuration

[Figure: Switch A (GE1/0/1, GE1/0/2), Switch B (GE1/0/10, GE1/0/11, GE1/0/12, GE1/0/13), Host1, Host2, Server1, Server2]

Networking and Configuration Requirements

• As shown in Figure 1-1, Switch A and Switch B connect to Host 1 and Server 1 of a department and Host 2 and Server 2 of another department.

• To isolate the communication between the two departments at Layer 2, assign Host 1 and Server 1 to VLAN 100 with the descriptive string being Dept1, and Host 2 and Server 2 to VLAN 200 with the descriptive string being Dept2.

• Configure VLAN interfaces for the two VLANs on Switch A for forwarding data from Host 1 to Server 2 at Layer 3.

Applicable Product Matrix

Product series | Software version | Hardware version
S3610 Series Ethernet Switches | Release 5301, Release 5303 | All versions
S5510 Series Ethernet Switches | Release 5301, Release 5303 | All versions
S5500-SI Series Ethernet Switches | Release 1207 | All versions except S5500-20TP-SI
S5500-SI Series Ethernet Switches | Release 1301 | S5500-20TP-SI
S5500-EI Series Ethernet Switches | Release 2102 | All versions
S7500E Series Ethernet Switches | Release 6100, Release 6300 | All versions

Configuration Procedure

• Configuration on Switch A

# Create VLAN 100, specify its descriptive string as Dept1, and assign GigabitEthernet 1/0/1 to VLAN 100.
<SwitchA> system-view
[SwitchA] vlan 100
[SwitchA-vlan100] description Dept1
[SwitchA-vlan100] port GigabitEthernet 1/0/1
[SwitchA-vlan100] quit

# Create VLAN 200, and specify its descriptive string as Dept2.
[SwitchA] vlan 200
[SwitchA-vlan200] description Dept2
[SwitchA-vlan200] quit

# Create VLAN-interface 100 and VLAN-interface 200, and assign IP addresses 192.168.1.1 and 192.168.2.1 to them respectively. The two VLAN-interfaces are used for forwarding packets from Host 1 to Server 2 at Layer 3.
[SwitchA] interface Vlan-interface 100
[SwitchA-Vlan-interface100] ip address 192.168.1.1 24
[SwitchA-Vlan-interface100] quit
[SwitchA] interface Vlan-interface 200
[SwitchA-Vlan-interface200] ip address 192.168.2.1 24

• Configuration on Switch B

# Create VLAN 100, specify its descriptive string as Dept1, and assign GigabitEthernet 1/0/13 to VLAN 100.
<SwitchB> system-view
[SwitchB] vlan 100
[SwitchB-vlan100] description Dept1
[SwitchB-vlan100] port GigabitEthernet 1/0/13
[SwitchB-vlan100] quit

# Create VLAN 200, specify its descriptive string as Dept2, and assign GigabitEthernet 1/0/11 and GigabitEthernet 1/0/12 to VLAN 200.
[SwitchB] vlan 200
[SwitchB-vlan200] description Dept2
[SwitchB-vlan200] port GigabitEthernet1/0/11 GigabitEthernet 1/0/12
[SwitchB-vlan200] quit

• Configure the link between Switch A and Switch B.

Because the link between Switch A and Switch B needs to transmit data of both VLAN 100 and VLAN 200, you can configure the ports at both ends of the link as trunk ports and assign the two ports to the two VLANs.

# Configure GigabitEthernet 1/0/2 of Switch A as a trunk port and assign it to VLAN 100 and VLAN 200.
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 100 200

# Configure GigabitEthernet 1/0/10 of Switch B as a trunk port and assign it to VLAN 100 and VLAN 200.
[SwitchB] interface GigabitEthernet 1/0/10
[SwitchB-GigabitEthernet1/0/10] port link-type trunk
[SwitchB-GigabitEthernet1/0/10] port trunk permit vlan 100 200

Complete Configuration

• Configuration on Switch A

#
vlan 100
 description dept1
#
vlan 200
 description dept2
#
interface Vlan-interface 100
 ip address 192.168.1.1 255.255.255.0
#
interface Vlan-interface 200
 ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet1/0/1
 port access vlan 100
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan 1 100 200

• Configuration on Switch B

#
vlan 100
 description dept1
#
vlan 200
 description dept2
#
interface GigabitEthernet1/0/10
 port link-type trunk
 port trunk permit vlan 1 100 200
#
interface GigabitEthernet1/0/11
 port access vlan 200
#
interface GigabitEthernet1/0/12
 port access vlan 200
#
interface GigabitEthernet1/0/13
 port access vlan 100

Configuration Guidelines

None
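
The trunk requirement in this example (both ends of the Switch A to Switch B link must carry VLAN 100 and VLAN 200) can be verified from the two saved configurations. The following Python script is an added example, not part of the H3C manual: the function names and finding texts are constructed, the inputs are the VLAN and port lines of the Complete Configuration listings, and the permit-list parser assumes numeric VLAN IDs and "to" ranges only.

```python
import re

# VLAN, access-port and trunk-port lines from the "Complete Configuration" listings.
SWITCH_A = """\
#
vlan 100
 description dept1
#
vlan 200
 description dept2
#
interface GigabitEthernet1/0/1
 port access vlan 100
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan 1 100 200
"""
SWITCH_B = """\
#
vlan 100
 description dept1
#
vlan 200
 description dept2
#
interface GigabitEthernet1/0/10
 port link-type trunk
 port trunk permit vlan 1 100 200
#
interface GigabitEthernet1/0/11
 port access vlan 200
#
interface GigabitEthernet1/0/12
 port access vlan 200
#
interface GigabitEthernet1/0/13
 port access vlan 100
"""

# An interface header line followed by its indented sub-commands.
INTERFACE = re.compile(r"^interface (\S+)\n((?:[ \t]+.*\n?)*)", re.M)


def expand(spec):
    """Expand a permit list such as '1 100 to 102' into a set of VLAN IDs."""
    vlans, tokens, i = set(), spec.split(), 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            vlans.update(range(int(tokens[i]), int(tokens[i + 2]) + 1))
            i += 3
        else:
            vlans.add(int(tokens[i]))
            i += 1
    return vlans


def parse_switch(text):
    """Return (created VLAN IDs, {port: (access VLAN or None, trunk permit set)})."""
    # VLAN 1 is the default VLAN and exists without a "vlan 1" stanza.
    created = {int(v) for v in re.findall(r"^vlan (\d+)$", text, re.M)} | {1}
    ports = {}
    for name, body in INTERFACE.findall(text):
        access = re.search(r"port access vlan (\d+)", body)
        trunk = re.search(r"port trunk permit vlan ((?:\d+|to| )+)", body)
        ports[name] = (int(access.group(1)) if access else None,
                       expand(trunk.group(1)) if trunk else set())
    return created, ports


def check_link(cfg_a, port_a, cfg_b, port_b, required):
    """Compare both ends of one trunk link; return a list of finding strings."""
    switches = {"A": parse_switch(cfg_a), "B": parse_switch(cfg_b)}
    trunk_a = switches["A"][1][port_a][1]
    trunk_b = switches["B"][1][port_b][1]
    common = trunk_a & trunk_b
    findings = [f"VLAN {v} permitted on only one end of the trunk"
                for v in sorted(trunk_a ^ trunk_b)]
    findings += [f"required VLAN {v} not carried end to end"
                 for v in sorted(required - common)]
    for label, (created, ports) in sorted(switches.items()):
        for port, (access, _trunk) in sorted(ports.items()):
            if access is not None and access not in created:
                findings.append(f"Switch {label} {port}: access VLAN {access} not created")
    extra = sorted(common - required)
    if extra:
        findings.append(f"trunk also carries VLAN(s) {extra} beyond the required set")
    return findings


if __name__ == "__main__":
    for finding in check_link(SWITCH_A, "GigabitEthernet1/0/2",
                              SWITCH_B, "GigabitEthernet1/0/10", {100, 200}):
        print(finding)
```

On the listings above the only finding is that VLAN 1 is permitted on the trunk in addition to VLAN 100 and VLAN 200, which matches the `port trunk permit vlan 1 100 200` lines in the Complete Configuration.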

Configuring MAC-Based VLANNetwork DiagramFigure 1-2 Network diagram for MAC-based VLAN configurationServer1 VLAN100 Server2 VLAN200

GE1/0/13 GE1/0/3

GE1/0/14

Core switch

GE1/0/4

GE1/0/2

GE1/0/2

SwitchAGE1/0/1

SwitchBGE1/0/1

Laptop1

Laptop2

Networking and Configuration Requirements

- As shown in Figure 1-2, GigabitEthernet 1/0/1 of Switch A and GigabitEthernet 1/0/1 of Switch B are each connected to a meeting room. Laptop 1 and Laptop 2 are used for meetings, and each of them may be used in either of the two meeting rooms.
- Laptop 1 and Laptop 2 are owned by different departments. The two departments use VLAN 100 and VLAN 200 respectively. Each laptop must be able to access only its corresponding server, regardless of the meeting room it is used in.
- The MAC address of Laptop 1 is 000d-88f8-4e71, and that of Laptop 2 is 0014-222c-aa69.

Applicable Product Matrix

Product series                      Software version             Hardware version
S5500-SI Series Ethernet Switches   Release 1207                 All versions except S5500-20TP-SI
                                    Release 1301                 S5500-20TP-SI
S5500-EI Series Ethernet Switches   Release 2102                 All versions
S7500E Series Ethernet Switches     Release 6100, Release 6300   All versions

Configuration Procedure

- Configuration on Switch A

# Create VLAN 100 and VLAN 200, configure GigabitEthernet 1/0/2 as a trunk port, and assign the port to VLAN 100 and VLAN 200.
<SwitchA> system-view
[SwitchA] vlan 100
[SwitchA-vlan100] quit
[SwitchA] vlan 200
[SwitchA-vlan200] quit
[SwitchA] interface GigabitEthernet1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk permit vlan 100 200
[SwitchA-GigabitEthernet1/0/2] quit

# Configure GigabitEthernet 1/0/1 as a hybrid port and assign it to VLAN 100 and VLAN 200 in untagged mode.
[SwitchA] interface GigabitEthernet1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type hybrid
[SwitchA-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged
[SwitchA-GigabitEthernet1/0/1] quit

# Associate the MAC address of Laptop 1 with VLAN 100, and associate the MAC address of Laptop 2 with VLAN 200. Enable MAC-based VLAN on GigabitEthernet 1/0/1.
[SwitchA] mac-vlan mac-address 000d-88f8-4e71 vlan 100
[SwitchA] mac-vlan mac-address 0014-222c-aa69 vlan 200
[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] mac-vlan enable

- Configuration on Switch B

The configuration on Switch B is the same as that on Switch A.

- Configuration on Core Switch

# Create VLAN 100, and assign GigabitEthernet 1/0/13 to VLAN 100. Create VLAN 200 and assign GigabitEthernet 1/0/14 to VLAN 200.
<CoreSwitch> system-view
[CoreSwitch] vlan 100
[CoreSwitch-vlan100] port gigabitethernet 1/0/13
[CoreSwitch-vlan100] quit
[CoreSwitch] vlan 200
[CoreSwitch-vlan200] port gigabitethernet 1/0/14
[CoreSwitch-vlan200] quit

# Configure GigabitEthernet 1/0/3 and GigabitEthernet 1/0/4 as trunk ports, and assign them to VLAN 100 and VLAN 200.
[CoreSwitch] interface GigabitEthernet1/0/3
[CoreSwitch-GigabitEthernet1/0/3] port link-type trunk
[CoreSwitch-GigabitEthernet1/0/3] port trunk permit vlan 100 200
[CoreSwitch-GigabitEthernet1/0/3] quit
[CoreSwitch] interface GigabitEthernet1/0/4
[CoreSwitch-GigabitEthernet1/0/4] port link-type trunk
[CoreSwitch-GigabitEthernet1/0/4] port trunk permit vlan 100 200
[CoreSwitch-GigabitEthernet1/0/4] quit

Complete Configuration

- Configuration on Switch A

#
 mac-vlan mac-address 000d-88f8-4e71 vlan 100 priority 0
 mac-vlan mac-address 0014-222c-aa69 vlan 200 priority 0
#
vlan 100
#
vlan 200
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid vlan 1 100 200 untagged
 mac-vlan enable
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan 1 100 200

The configuration on Switch B is the same as that on Switch A.

- Configuration on Core Switch

#
vlan 100
#
vlan 200
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk permit vlan 1 100 200
#
interface GigabitEthernet1/0/4
 port link-type trunk
 port trunk permit vlan 1 100 200
#
interface GigabitEthernet1/0/13
 port access vlan 100
#
interface GigabitEthernet1/0/14
 port access vlan 200

Configuration Guidelines

MAC-based VLANs are supported only on hybrid ports.

Configuring Protocol-Based VLAN

Network Diagram

Figure 1-3 Network diagram for protocol-based VLAN configuration
(Diagram not reproduced. Labels: IPv4 server; IPv6 server; GE1/0/11; GE1/0/12; GE1/0/1; GE1/0/2; IPv4 Host and IPv6 Host in the Office area; IPv4 Host and IPv6 Host in the Lab area)

Networking and Configuration Requirements

As shown in Figure 1-3, configure protocol-based VLANs on the switch to satisfy the following requirements:

- IPv4 hosts in the office area and lab area can communicate with the IPv4 server; IPv6 hosts in the office area and lab area can communicate with the IPv6 server.
- The IPv4 server and IPv6 server are in different VLANs.
- IPv4 packets are isolated from IPv6 packets through VLANs.
- The IPv4 network uses VLAN 100, and the IPv6 network uses VLAN 200.

Applicable Product Matrix

Product series                      Software version             Hardware version
S3610 Series Ethernet Switches      Release 5301, Release 5303   All versions
S5510 Series Ethernet Switches      Release 5301, Release 5303   All versions
S5500-EI Series Ethernet Switches   Release 2102                 All versions
S7500E Series Ethernet Switches     Release 6100, Release 6300   All versions

Configuration Procedure

- Configure the uplink port

# Create VLAN 100, and assign GigabitEthernet 1/0/11 to VLAN 100.
<Sysname> system-view
[Sysname] vlan 100
[Sysname-vlan100] port GigabitEthernet 1/0/11

# Create VLAN 200, and assign GigabitEthernet 1/0/12 to VLAN 200.
[Sysname-vlan100] quit
[Sysname] vlan 200
[Sysname-vlan200] port GigabitEthernet 1/0/12

# Configure protocol templates and associate them with the corresponding downlink ports.

# Create a protocol template for VLAN 100 to carry IPv4 and a protocol template for VLAN 200 to carry IPv6.
[Sysname-vlan200] protocol-vlan ipv6
[Sysname-vlan200] quit
[Sysname] vlan 100
[Sysname-vlan100] protocol-vlan ipv4
[Sysname-vlan100] quit

# Configure GigabitEthernet 1/0/1 as a hybrid port and assign it to VLAN 100 and VLAN 200 in untagged mode.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port link-type hybrid
[Sysname-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged

# Associate GigabitEthernet 1/0/1 with protocol template 0 of VLAN 100 and protocol template 0 of VLAN 200.
[Sysname-GigabitEthernet1/0/1] port hybrid protocol-vlan vlan 100 0
[Sysname-GigabitEthernet1/0/1] port hybrid protocol-vlan vlan 200 0

# Configure GigabitEthernet 1/0/2 as a hybrid port and assign it to VLAN 100 and VLAN 200 in untagged mode. Associate it with protocol template 0 of VLAN 100 and protocol template 0 of VLAN 200.
[Sysname] interface GigabitEthernet 1/0/2
[Sysname-GigabitEthernet1/0/2] port link-type hybrid
[Sysname-GigabitEthernet1/0/2] port hybrid vlan 100 200 untagged
[Sysname-GigabitEthernet1/0/2] port hybrid protocol-vlan vlan 100 0
[Sysname-GigabitEthernet1/0/2] port hybrid protocol-vlan vlan 200 0

Complete Configuration

#
vlan 100
 protocol-vlan 0 ipv4
#
vlan 200
 protocol-vlan 0 ipv6
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid vlan 1 100 200 untagged
 port hybrid protocol-vlan vlan 100 0
 port hybrid protocol-vlan vlan 200 0
#
interface GigabitEthernet1/0/2
 port link-type hybrid
 port hybrid vlan 1 100 200 untagged
 port hybrid protocol-vlan vlan 100 0
 port hybrid protocol-vlan vlan 200 0
#
interface Ethernet1/0/11
 port access vlan 100
#
interface Ethernet1/0/12
 port access vlan 200

Configuration Guidelines

None

Configuring IP Subnet-Based VLAN

Network Diagram

Figure 1-4 Network diagram for IP subnet-based VLAN configuration
(Diagram not reproduced.)

Networking and Configuration Requirements

As shown in Figure 1-4, hosts in the office area are configured on two network segments, 192.168.5.0/24 and 10.200.50.0/24. Configure IP subnet-based VLANs on the switch so that GigabitEthernet 1/0/1 of the switch transmits packets received from different network segments in different VLANs to the corresponding gateways (Router A and Router B). Packets from network segment 192.168.5.0/24 are transmitted in VLAN 100, and packets from network segment 10.200.50.0/24 are transmitted in VLAN 200.

Applicable Product Matrix

Product series                      Software version             Hardware version
S3610 Series Ethernet Switches      Release 5301, Release 5303   All versions
S5510 Series Ethernet Switches      Release 5301, Release 5303   All versions
S5500-EI Series Ethernet Switches   Release 2102                 All versions
S7500E Series Ethernet Switches     Release 6100, Release 6300   All versions

Configuration Procedure

- Configure the uplink port

# Create VLAN 100, and assign GigabitEthernet 1/0/12 to VLAN 100.
[Sysname] vlan 100
[Sysname-vlan100] port GigabitEthernet 1/0/12

# Create VLAN 200, and assign GigabitEthernet 1/0/11 to VLAN 200.
[Sysname-vlan100] quit
[Sysname] vlan 200
[Sysname-vlan200] port GigabitEthernet 1/0/11

- Configure IP subnet-based VLANs and associate them with the downlink port.

# Associate network segment 10.200.50.0/24 with VLAN 200 and network segment 192.168.5.0/24 with VLAN 100.
[Sysname-vlan200] ip-subnet-vlan ip 10.200.50.0 255.255.255.0
[Sysname-vlan200] quit
[Sysname] vlan 100
[Sysname-vlan100] ip-subnet-vlan ip 192.168.5.0 255.255.255.0

# Configure GigabitEthernet 1/0/1 as a hybrid port and assign it to VLAN 100 and VLAN 200 in untagged mode.
[Sysname] interface GigabitEthernet 1/0/1
[Sysname-GigabitEthernet1/0/1] port link-type hybrid
[Sysname-GigabitEthernet1/0/1] port hybrid vlan 100 200 untagged

# Associate GigabitEthernet 1/0/1 with the IP subnet-based VLAN 100 and the IP subnet-based VLAN 200.
[Sysname-GigabitEthernet1/0/1] port hybrid ip-subnet-vlan vlan 100
[Sysname-GigabitEthernet1/0/1] port hybrid ip-subnet-vlan vlan 200

Complete Configuration

#
vlan 100
 ip-subnet-vlan 0 ip 192.168.5.0 255.255.255.0
#
vlan 200
 ip-subnet-vlan 0 ip 10.200.50.0 255.255.255.0
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid vlan 1 100 200 untagged
 port hybrid ip-subnet-vlan vlan 100
 port hybrid ip-subnet-vlan vlan 200
#
interface Ethernet1/0/11
 port access vlan 200
#
interface Ethernet1/0/12
 port access vlan 100

Configuration Guidelines

None

Configuring Isolate-User-VLAN

Network Diagram

Figure 1-5 Network diagram for isolate-user-VLAN configuration
(Diagram not reproduced. Labels: VLAN 5; VLAN 6; Device A GE2/0/1, GE2/0/2; Device B GE2/0/1, GE2/0/2, GE2/0/5; Device C GE2/0/3, GE2/0/4, GE2/0/5; Host A VLAN 3; Host B VLAN 2; Host C VLAN 3; Host D VLAN 4)

Networking and Configuration Requirements

Device B and Device C are located in two independent networks, each device configured with VLANs as required. Due to network design changes, you are required to use Device A to interconnect Device B and Device C. When doing that, consider the following:

- For security's sake, devices attached to Device B should not communicate directly with devices attached to Device C. However, because the VLANs on Device B and Device C overlap, Host A and Host C will be in the same VLAN after the network design changes, which can result in security problems, as shown in Figure 1-5. To address the problem, use the isolate-user-VLAN function to make VLAN 2 and VLAN 3 on Device B and VLAN 3 and VLAN 4 on Device C locally significant. On Device A, use VLAN 5 and VLAN 6 to isolate the two networks, without having to consider their respective internal VLAN configurations.
- Configure VLAN interfaces on Device A for forwarding packets between the two networks at Layer 3.

Applicable Product Matrix

Product series                    Software version             Hardware version
S7500E Series Ethernet Switches   Release 6100, Release 6300   All versions

Configuration Procedure

- Configuration on Device B

# Configure VLAN 5 as an isolate-user-VLAN.
<DeviceB> system-view
[DeviceB] vlan 5
[DeviceB-vlan5] isolate-user-vlan enable
[DeviceB-vlan5] port GigabitEthernet 2/0/5
[DeviceB-vlan5] quit

# Configure VLAN 2 and VLAN 3.
[DeviceB] vlan 3
[DeviceB-vlan3] port GigabitEthernet 2/0/1
[DeviceB-vlan3] quit
[DeviceB] vlan 2
[DeviceB-vlan2] port GigabitEthernet 2/0/2
[DeviceB-vlan2] quit

# Configure VLAN 2 and VLAN 3 as secondary VLANs under VLAN 5.
[DeviceB] isolate-user-vlan 5 secondary 2 to 3

- Configuration on Device C

# Configure VLAN 6 as an isolate-user-VLAN.
<DeviceC> system-view
[DeviceC] vlan 6
[DeviceC-vlan6] isolate-user-vlan enable
[DeviceC-vlan6] port GigabitEthernet 2/0/5
[DeviceC-vlan6] quit

# Configure VLAN 3 and VLAN 4.
[DeviceC] vlan 3
[DeviceC-vlan3] port GigabitEthernet 2/0/3
[DeviceC-vlan3] quit
[DeviceC] vlan 4
[DeviceC-vlan4] port GigabitEthernet 2/0/4

# Configure VLAN 3 and VLAN 4 as secondary VLANs under VLAN 6.
[DeviceC-vlan4] quit
[DeviceC] isolate-user-vlan 6 secondary 3 to 4

- Configuration on Device A

# Create VLAN 5 and VLAN 6. Assign GigabitEthernet 2/0/1 to VLAN 5, and assign GigabitEthernet 2/0/2 to VLAN 6. In this example, the two ports are access ports.
[DeviceA] vlan 5
[DeviceA-vlan5] port GigabitEthernet 2/0/1
[DeviceA-vlan5] quit
[DeviceA] vlan 6
[DeviceA-vlan6] port GigabitEthernet 2/0/2
[DeviceA-vlan6] quit

# Create VLAN-interface 5 and VLAN-interface 6, and assign IP addresses 192.168.0.1 and 192.168.1.1 to them respectively.
[DeviceA] interface Vlan-interface 5
[DeviceA-Vlan-interface5] ip address 192.168.0.1 24
[DeviceA-Vlan-interface5] quit
[DeviceA] interface Vlan-interface 6
[DeviceA-Vlan-interface6] ip address 192.168.1.1 24

Alternatively, you can configure GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 as trunk ports or hybrid ports, just making sure that the ports send packets of VLAN 5 and VLAN 6 untagged.

Complete Configuration

- Configuration on Device B

#
vlan 2 to 3
#
vlan 5
 isolate-user-vlan enable
#
interface GigabitEthernet2/0/1
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 3 5 untagged
 port hybrid pvid vlan 3
#
interface GigabitEthernet2/0/2
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 2 5 untagged
 port hybrid pvid vlan 2
#
interface GigabitEthernet2/0/5
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 2 3 5 untagged
 port hybrid pvid vlan 5
#
 isolate-user-vlan 5 secondary 2 3

- Configuration on Device C

#
vlan 3 to 4
#
vlan 6
 isolate-user-vlan enable
#
interface GigabitEthernet2/0/3
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 3 6 untagged
 port hybrid pvid vlan 3
#
interface GigabitEthernet2/0/4
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 4 6 untagged
 port hybrid pvid vlan 4
#
interface GigabitEthernet2/0/5
 port link-type hybrid
 undo port hybrid vlan 1
 port hybrid vlan 3 4 6 untagged
 port hybrid pvid vlan 6
#
 isolate-user-vlan 6 secondary 3 4

- Configuration on Device A

#
vlan 5 to 6
#
interface Vlan-interface 5
 ip address 192.168.0.1 255.255.255.0
#
interface Vlan-interface 6
 ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet2/0/1
 port access vlan 5
#
interface GigabitEthernet2/0/2
 port access vlan 6

Configuration Guidelines

None
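
The Complete Configuration listings for Device B and Device C show more than the commands typed in the procedure: once the isolate-user-vlan mapping is applied, the member ports appear as hybrid ports. The following Python sketch is an added example, not part of the H3C manual; it derives the Device B port settings from the mapping and checks a saved mapping line against the intended design. Function names are hypothetical, and the derivation rule is inferred from the listings on this page.

```python
# Added example: names are hypothetical; the port behaviour is inferred from
# the "Complete Configuration" listings on this page, not from H3C code.
import re

# Design values for Device B, taken from the configuration procedure above.
DEVICE_B = {
    "primary": 5,
    "uplink": "GigabitEthernet2/0/5",
    "secondary_ports": {3: ["GigabitEthernet2/0/1"], 2: ["GigabitEthernet2/0/2"]},
}


def parse_mapping(line):
    """Parse 'isolate-user-vlan P secondary ...' into (P, [secondary IDs]).

    Accepts both spellings used on this page: '2 to 3' and '2 3'.
    """
    m = re.fullmatch(r"\s*isolate-user-vlan\s+(\d+)\s+secondary\s+(.+?)\s*", line)
    if not m:
        raise ValueError("not an isolate-user-vlan mapping: %r" % line)
    tokens, secondaries, i = m.group(2).split(), [], 0
    while i < len(tokens):
        if i + 2 < len(tokens) and tokens[i + 1] == "to":
            lo, hi = int(tokens[i]), int(tokens[i + 2])
            if lo > hi:
                raise ValueError("descending VLAN range in %r" % line)
            secondaries.extend(range(lo, hi + 1))
            i += 3
        else:
            secondaries.append(int(tokens[i]))
            i += 1
    return int(m.group(1)), sorted(set(secondaries))


def derive_ports(primary, uplink, secondary_ports):
    """Return {port: {'untagged': [VLANs], 'pvid': VLAN}} implied by the mapping."""
    if primary in secondary_ports:
        raise ValueError("the isolate-user-VLAN cannot also be a secondary VLAN")
    ports = {}
    for vlan, members in sorted(secondary_ports.items()):
        for port in members:
            if port == uplink or port in ports:
                raise ValueError("port %s is assigned twice" % port)
            # A host port carries its secondary VLAN and the primary, untagged.
            ports[port] = {"untagged": sorted([vlan, primary]), "pvid": vlan}
    # The uplink carries the primary and every secondary VLAN, untagged.
    ports[uplink] = {"untagged": sorted([primary, *secondary_ports]), "pvid": primary}
    return ports


def render(ports):
    """Render the derived settings in the layout of the listings above."""
    lines = []
    for name in sorted(ports):
        vlans = " ".join(str(v) for v in ports[name]["untagged"])
        lines += ["#", "interface " + name, " port link-type hybrid",
                  " undo port hybrid vlan 1",
                  " port hybrid vlan %s untagged" % vlans,
                  " port hybrid pvid vlan %d" % ports[name]["pvid"]]
    return "\n".join(lines)


def audit(mapping_line, primary, secondary_ports):
    """Compare a saved mapping line with the intended design; return problems."""
    got_primary, got_secondaries = parse_mapping(mapping_line)
    problems = []
    if got_primary != primary:
        problems.append("mapping names VLAN %d, but the isolate-user-VLAN is %d"
                        % (got_primary, primary))
    if got_secondaries != sorted(secondary_ports):
        problems.append("mapping lists secondary VLANs %s, expected %s"
                        % (got_secondaries, sorted(secondary_ports)))
    return problems


if __name__ == "__main__":
    print(render(derive_ports(**DEVICE_B)))
    print(audit("isolate-user-vlan 5 secondary 2 3", 5, DEVICE_B["secondary_ports"]))
```

Running audit() over each device's saved mapping line catches a mapping whose VLAN IDs do not match the VLANs created in the procedure.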

Configuring a Super VLAN

Network Diagram

Figure 1-6 Network diagram for super VLAN configuration
(Diagram not reproduced.)

Networking and Configuration Requirements

As shown in Figure 1-6, Switch A works at the distribution layer to distribute traffic for the numerous hosts attached to the access switches connected to Switch A. All the hosts are assigned IP addresses from network segment 10.0.0.0/24. Switch A connects to the external network through VLAN-interface 20. For ease of management, assign these hosts to three VLANs to prevent Layer 2 communication between the hosts in different VLANs. To save IP address resources, use VLAN-interface 10 on Switch A as the gateway to the external network for all the hosts in the three VLANs rather than assigning a separate subnet to each VLAN. In addition, to enable the hosts in different VLANs to communicate at Layer 3, ARP proxy is used.

Applicable Product Matrix

Product series                    Software version   Hardware version
S7500E Series Ethernet Switches   Release 6300       All versions

Configuration Procedure

# Create VLAN 20, assign GigabitEthernet 2/0/20 to VLAN 20, and assign IP address 10.0.1.1/24 to VLAN-interface 20.
<Sysname> system-view
[Sysname] vlan 20
[Sysname-vlan20] port gigabitethernet 2/0/20
[Sysname-vlan20] quit
[Sysname] interface vlan-interface 20
[Sysname-Vlan-interface20] ip address 10.0.1.1 255.255.255.0

# Create VLAN 10, and assign IP address 10.0.0.1/24 to VLAN-interface 10.
<Sysname> system-view
[Sysname] vlan 10
[Sysname-vlan10] quit
[Sysname] interface vlan-interface 10
[Sysname-Vlan-interface10] ip address 10.0.0.1 255.255.255.0

# Enable local ARP proxy on VLAN-interface 10 to permit ARP requests and replies to be exchanged between VLANs 2, 3 and 5.
[Sysname-Vlan-interface10] local-proxy-arp enable
[Sysname-Vlan-interface10] quit

# Create VLAN 2 and assign GigabitEthernet 2/0/1 and GigabitEthernet 2/0/2 to it.
[Sysname] vlan 2
[Sysname-vlan2] port GigabitEthernet 2/0/1 GigabitEthernet 2/0/2

# Create VLAN 3 and assign GigabitEthernet 2/0/3 and GigabitEthernet 2/0/4 to it.
[Sysname-vlan2] quit
[Sysname] vlan 3
[Sysname-vlan3] port GigabitEthernet 2/0/3 GigabitEthernet 2/0/4

# Create VLAN 5 and assign GigabitEthernet 2/0/5 and GigabitEthernet 2/0/6 to it.
[Sysname-vlan3] quit
[Sysname] vlan 5
[Sysname-vlan5] port GigabitEthernet 2/0/5 GigabitEthernet 2/0/6

# Configure VLAN 10 as the super VLAN, and VLAN 2, VLAN 3 and VLAN 5 as sub VLANs.
[Sysname-vlan5] quit
[Sysname] vlan 10
[Sysname-vlan10] supervlan
[Sysname-vlan10] subvlan 2 3 5

# Display information about VLAN 10 to verify the configurations.
<Sysname> display supervlan
 SuperVLAN ID : 10
 SubVLAN ID : 2-3 5

 VLAN ID: 10
 VLAN Type: static
 It is a Super VLAN.
 Route Interface: configured
 IP Address: 10.0.0.1
 Subnet Mask: 255.255.255.0
 Description: VLAN 0010
 Tagged Ports: none
 Untagged Ports: none

 VLAN ID: 2
 VLAN Type: static
 It is a Sub VLAN.
 Route Interface: configured
 IP Address: 10.0.0.1
 Subnet Mask: 255.255.255.0
 Description: VLAN 0002
 Tagged Ports: none
 Untagged Ports: GigabitEthernet2/0/1 GigabitEthernet2/0/2

 VLAN ID: 3
 VLAN Type: static
 It is a Sub VLAN.
 Route Interface: configured
 IP Address: 10.0.0.1
 Subnet Mask: 255.255.255.0
 Description: VLAN 0003
 Tagged Ports: none
 Untagged Ports: GigabitEthernet2/0/3 GigabitEthernet2/0/4

 VLAN ID: 5
 VLAN Type: static
 It is a Sub VLAN.
 Route Interface: configured
 IP Address: 10.0.0.1
 Subnet Mask: 255.255.255.0
 Description: VLAN 0005
 Tagged Ports: none
 Untagged Ports: GigabitEthernet2/0/5 GigabitEthernet2/0/6

Complete Configuration

#
vlan 2 to 3
#
vlan 5
#
vlan 10
 supervlan
 subvlan 2 to 3 5
#
vlan 20
#
interface Vlan-interface10
 ip address 10.0.0.1 255.255.255.0
 local-proxy-arp enable
#
interface Vlan-interface20
 ip address 10.0.1.1 255.255.255.0
#
interface GigabitEthernet2/0/1
 port access vlan 2
#
interface GigabitEthernet2/0/2
 port access vlan 2
#
interface GigabitEthernet2/0/3
 port access vlan 3
#
interface GigabitEthernet2/0/4
 port access vlan 3
#
interface GigabitEthernet2/0/5
 port access vlan 5
#
interface GigabitEthernet2/0/6
 port access vlan 5
#
interface GigabitEthernet2/0/20
 port access vlan 20

Configuration Guidelines

- For more information about the local-proxy-arp enable command and local ARP proxy, refer to ARP Configuration Guide.
- A super VLAN cannot be configured as a guest VLAN, and the opposite is also true. For more information about guest VLANs, refer to 802.1x Configuration Guide.
- You can configure the Layer 2 multicast function in a super VLAN. However, because a super VLAN does not contain any ports, the configuration will not take effect.
- You can configure DHCP, Layer 3 multicast, and dynamic route on the VLAN interface of a super VLAN, but only DHCP takes effect.
- You are recommended not to configure VRRP on the VLAN interface of a super VLAN, because the configuration can impact on network performance.

Table of Contents

1 GVRP Configuration Guide
    Configuring GVRP
        Network Diagram
        Networking and Configuration Requirements
        Applicable Product Matrix
        Configuration Procedure
        Complete Configuration
        Configuration Guidelines

1 GVRP Configuration Guide

Configuring GVRP

GVRP enables a switch to propagate its local VLAN registration information to other participant switches and to dynamically update its local database with the VLAN registration information received from other switches, including which VLAN members are active and through which port they can be reached. GVRP ensures that all switches on a bridged LAN maintain the same VLAN registration information, with less manual configuration.

Network Diagram

Figure 1-1 Network diagram for GVRP configuration
(Diagram not reproduced.)

Networking and Configuration Requirements

On the network as shown in Figure 1-1:

- Configure all the involved Ethernet ports on the switches as trunk ports that carry the traffic of all VLANs.
- Enable GVRP both globally and on all the ports on each switch.
- Configure static VLAN 5 for Switch C, static VLAN 8 for Switch D, and static VLAN 5 and static VLAN 7 for Switch E. Switch A and Switch B are not configured with static VLANs.
- Set the registration mode of GigabitEthernet 1/0/1 on Switch E to fixed, and display dynamic VLAN registration information of Switch A, Switch B, and Switch E.
- Set the registration mode of GigabitEthernet 1/0/1 on Switch E to forbidden, and display dynamic VLAN registration information of Switch A, Switch B, and Switch E.

Applicable Product Matrix

Product series                      Software version             Hardware version
S3610 Series Ethernet Switches      Release 5301, Release 5303   All versions
S5510 Series Ethernet Switches      Release 5301, Release 5303   All versions
S5500-SI Series Ethernet Switches   Release 1207                 All versions except S5500-20TP-SI
                                    Release 1301                 S5500-20TP-SI
S5500-EI Series Ethernet Switches   Release 2102                 All versions
S7500E Series Ethernet Switches     Release 6100, Release 6300   All versions

Configuration Procedure

- Configuration on Switch A

# Enable GVRP globally.
<SwitchA> system-view
[SwitchA] gvrp

# Configure GigabitEthernet 1/0/1 as a trunk port and assign it to all VLANs.
[SwitchA] interface GigabitEthernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk permit vlan all

# Enable GVRP on GigabitEthernet 1/0/1.
[SwitchA-GigabitEthernet1/0/1] gvrp
[SwitchA-GigabitEthernet1/0/1] quit

# Configure GigabitEthernet 1/0/2 to be a trunk port and assign it to all VLANs.
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port link-type trunk
[SwitchA-GigabitEthernet1/0/2] port trunk permit vlan all

# Enable GVRP on GigabitEthernet 1/0/2.
[SwitchA-GigabitEthernet1/0/2] gvrp
[SwitchA-GigabitEthernet1/0/2] quit

# Configure GigabitEthernet 1/0/3 to be a trunk port and assign it to all VLANs.
[SwitchA] interface GigabitEthernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port link-type trunk
[SwitchA-GigabitEthernet1/0/3] port trunk permit vlan all

# Enable GVRP on GigabitEthernet 1/0/3.
[SwitchA-GigabitEthernet1/0/3] gvrp

- Configuration on Switch B

# Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as trunk ports and assign them to all VLANs. Enable GVRP globally and enable GVRP on the two ports. The configuration on Switch B is similar to that on Switch A.

- Configuration on Switch C

# Create VLAN 5.
<SwitchC> system-view
[SwitchC] vlan 5
[SwitchC-vlan5]

# Configure GigabitEthernet 1/0/1 as a trunk port and assign it to all the VLANs. Enable GVRP globally and enable GVRP on the port. The configuration on Switch C is similar to that on Switch A.

For simplicity, the following provides only configuration steps. For configuration commands, refer to the configuration above.

- Configuration on Switch D

# Configure GigabitEthernet 1/0/1 as a trunk port and assign it to all the VLANs. Enable GVRP globally and enable GVRP on the port.

# Create VLAN 8.

- Configuration on Switch E

# Configure GigabitEthernet 1/0/1 as a trunk port and assign it to all the VLANs. Enable GVRP globally and enable GVRP on the port.

# Create VLAN 5 and VLAN 7.

- Display the dynamic VLAN registration information on Switch A, Switch B, and Switch E.

# Display the dynamic VLAN information on Switch A.
[SwitchA] display vlan dynamic
 Total 3 dynamic VLAN exist(s).
 The following dynamic VLANs exist:
  5, 7, 8,

# Display the dynamic VLAN information on Switch B.
[SwitchB] display vlan dynamic
 Total 3 dynamic VLAN exist(s).
 The following dynamic VLANs exist:
  5, 7, 8,

# Display the dynamic VLAN information on Switch E.
[SwitchE] display vlan dynamic
 Total 1 dynamic VLAN exist(s).
 The following dynamic VLANs exist:
  8

- Set the registration mode of GigabitEthernet 1/0/1 on Switch E to fixed, and display the dynamic VLAN registration information on Switch A, Switch B, and Switch E.

# Set the registration mode of GigabitEthernet 1/0/1 on Switch E to fixed.
[SwitchE] interface GigabitEthernet 1/0/1
[SwitchE-GigabitEthernet1/0/1] gvrp registration fixed

# Display the dynamic VLAN information on Switch A.
[SwitchA] display vlan dynamic
 Total 3 dynamic VLAN exist(s).
 The following dynamic VLANs exist:
  5, 7, 8,

# Display the dynamic VLAN information on Switch B.
[SwitchB] display vlan dynamic
 Total 3 dynamic VLAN exist(s).
 The following dynamic VLANs exist:
  5, 7, 8,

# Display the dynamic VLAN information on Switch E.
[SwitchE-GigabitEthernet1/0/1] display vlan dynamic
 No dynamic vlans exist!

- Set the registration mode of GigabitEthernet 1/0/1 on Switch E to forbidden, and display the dynamic VLAN registration information on Switch A, Switch B, and Switch E.

# Set the registration mode of GigabitEthernet 1/0/1 on Switch E to forbidden.
[SwitchE-GigabitEthernet1/0/1] gvrp registration forbidden

# Display the dynamic VLAN information on Switch A.
[SwitchA] display vlan dynamic
 Total 2 dynamic VLAN exist(s).
 The following dynamic VLANs exist:
  5, 8,

# Display the dynamic VLAN information on Switch B.
[SwitchB] display vlan dynamic
 Total 2 dynamic VLAN exist(s).
 The following dynamic VLANs exist:
  5, 8,

# Display the dynamic VLAN information on Switch E.
[SwitchE] display vlan dynamic
 No dynamic vlans exist!

Complete Configuration

- Configuration on SwitchA

#
 gvrp
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all
 gvrp
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan all
 gvrp
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk permit vlan all
 gvrp

- Configuration on SwitchB

#
 gvrp
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all
 gvrp
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan all
 gvrp

- Configuration on SwitchC

#
 gvrp
#
vlan 5
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all
 gvrp

- Configuration on SwitchD

#
 gvrp
#
vlan 8
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all
 gvrp

- Configuration on SwitchE

#
 gvrp
#
vlan 5
#
vlan 7
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all
 gvrp registration forbidden
 gvrp

Configuration Guidelines

- On a GVRP-enabled trunk port, you must configure the port trunk permit vlan all command to ensure that the traffic of all dynamically registered VLANs can pass through. To prevent users of unauthorized VLANs from accessing restricted resources through a GVRP-disabled port, you are advised not to use the command on such a port.
- Before enabling GVRP on a port, enable GVRP globally first.
- GVRP can only be configured on trunk ports. You cannot change the link type of a trunk port with GVRP enabled.
- GVRP is mutually exclusive with the service loopback feature.
- In an MSTP network, GVRP can run on only the common and internal spanning tree (CIST). In addition, blocked ports on the CIST cannot receive/send GVRP packets.
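
The guidelines above, together with the MAC-based VLAN guideline earlier in this manual (MAC-based VLANs are supported only on hybrid ports), can be checked mechanically against a saved configuration. The following Python linter is an added example, not H3C code; the rule names and the sample configuration are constructed for illustration.

```python
"""Lint a saved Comware-style configuration against this manual's guidelines.

Added example: rule names and SAMPLE_CONFIG are constructed for illustration.
"""

RULES = {
    "MACVLAN_NOT_HYBRID": "MAC-based VLANs are supported only on hybrid ports",
    "GVRP_NO_GLOBAL": "GVRP is enabled on the port but not globally",
    "GVRP_NOT_TRUNK": "GVRP can only be configured on trunk ports",
    "GVRP_NO_PERMIT_ALL": "GVRP-enabled trunk lacks 'port trunk permit vlan all'",
    "PERMIT_ALL_NO_GVRP": "'port trunk permit vlan all' on a GVRP-disabled port",
}

# Constructed sample: ports 1/0/2, 1/0/3 and 1/0/4 each break one guideline.
SAMPLE_CONFIG = """\
#
 gvrp
#
vlan 5
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan all
 gvrp
#
interface GigabitEthernet1/0/2
 port link-type trunk
 port trunk permit vlan all
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk permit vlan 1 100 200
 gvrp
#
interface GigabitEthernet1/0/4
 port access vlan 100
 mac-vlan enable
#
interface GigabitEthernet1/0/5
 port link-type hybrid
 port hybrid vlan 1 100 200 untagged
 mac-vlan enable
"""


def stanzas(config_text):
    """Split a saved configuration into stanzas delimited by '#' lines."""
    out, current = [], []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                out.append(current)
            current = []
        elif line:
            current.append(line)
    if current:
        out.append(current)
    return out


def lint(config_text):
    """Return a list of (port, rule) findings in configuration order."""
    blocks = stanzas(config_text)
    # Global commands live in stanzas that open neither a VLAN nor an interface.
    global_cmds = {line for b in blocks
                   if not b[0].startswith(("interface ", "vlan "))
                   for line in b}
    gvrp_global = "gvrp" in global_cmds
    findings = []
    for block in blocks:
        if not block[0].startswith("interface "):
            continue
        port, cmds = block[0].split(None, 1)[1], set(block[1:])
        # No link-type line means an access port, the default link type.
        link = next((c.split()[-1] for c in block[1:]
                     if c.startswith("port link-type ")), "access")
        permit_all = "port trunk permit vlan all" in cmds
        if "mac-vlan enable" in cmds and link != "hybrid":
            findings.append((port, "MACVLAN_NOT_HYBRID"))
        if "gvrp" in cmds:            # exact match, not 'gvrp registration ...'
            if not gvrp_global:
                findings.append((port, "GVRP_NO_GLOBAL"))
            if link != "trunk":
                findings.append((port, "GVRP_NOT_TRUNK"))
            elif not permit_all:
                findings.append((port, "GVRP_NO_PERMIT_ALL"))
        elif permit_all:
            findings.append((port, "PERMIT_ALL_NO_GVRP"))
    return findings


if __name__ == "__main__":
    for port, rule in lint(SAMPLE_CONFIG):
        print("%s: %s" % (port, RULES[rule]))
```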


Table of Contents

1 Voice VLAN Configuration Guide
    Configuring Voice VLAN
        Network Diagram
        Networking and Configuration Requirements
        Applicable Product Matrix
        Configuration Procedure
        Complete Configuration
        Configuration Guidelines

1 Voice VLAN Configuration Guide

Configuring Voice VLAN

The voice VLAN feature is provided to separate voice traffic from data traffic and assign higher priority to voice traffic, thus decreasing voice transmission delay and jitter. You can assign or remove a port to or from the voice VLAN manually or have the switch do that dynamically by configuring the automatic voice VLAN assignment mode on the port. On a port configured with the automatic voice VLAN assignment mode, the switch automatically assigns the port to the voice VLAN when receiving a packet with the source MAC address matching a recognizable voice device vendor OUI. As soon as the port is assigned to the voice VLAN, an aging timer starts. If no recognizable voice traffic has been received before the timer expires, the port is removed from the voice VLAN.
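
The automatic assignment described above reduces to a masked comparison on the source MAC address plus an aging timer. The following Python model is an added example, not H3C code; class and method names are hypothetical, the OUI entries and the 100-minute aging time are the ones configured later in this guide, and restarting the timer on every matching frame is an assumption.

```python
"""Model of automatic voice VLAN assignment: OUI match plus aging timer.

Added example: names are hypothetical; restarting the aging timer on every
matching frame is an assumption about how "recognizable voice traffic"
keeps the port in the voice VLAN.
"""

# (OUI address, mask, description) as configured later in this guide.
PAGE_OUIS = [
    ("000f-e200-0000", "ffff-ff00-0000", "IP Phone1"),
    ("000f-2200-0000", "ffff-ff00-0000", "IP Phone2"),
]


def mac_to_int(mac):
    """Convert the 'xxxx-xxxx-xxxx' notation used on this page to an integer."""
    digits = mac.replace("-", "")
    if len(digits) != 12:
        raise ValueError("expected 12 hex digits in %r" % mac)
    return int(digits, 16)


class VoiceVlanPort:
    """One port in automatic voice VLAN assignment mode."""

    def __init__(self, voice_vlan, aging_minutes, oui_list):
        self.voice_vlan = voice_vlan
        self.aging = aging_minutes
        self.ouis = [(mac_to_int(o), mac_to_int(m), d) for o, m, d in oui_list]
        self.expires_at = None  # None means the port is not in the voice VLAN

    @property
    def in_voice_vlan(self):
        return self.expires_at is not None

    def match(self, src_mac):
        """Return the description of the first matching OUI entry, or None."""
        value = mac_to_int(src_mac)
        for oui, mask, desc in self.ouis:
            # Only the bits selected by the mask take part in the comparison.
            if value & mask == oui & mask:
                return desc
        return None

    def tick(self, now):
        """Age the port out of the voice VLAN if the timer has expired."""
        if self.expires_at is not None and now >= self.expires_at:
            self.expires_at = None

    def receive(self, src_mac, now):
        """Process one frame at time `now` (minutes); return voice VLAN state."""
        self.tick(now)
        if self.match(src_mac) is not None:
            self.expires_at = now + self.aging  # join, or refresh the timer
        return self.in_voice_vlan


if __name__ == "__main__":
    port = VoiceVlanPort(voice_vlan=2, aging_minutes=100, oui_list=PAGE_OUIS)
    print(port.receive("0011-2233-4455", now=0))   # constructed non-phone MAC
    print(port.receive("000f-e234-1234", now=10))  # IP Phone1's MAC from Figure 1-1
    port.tick(now=110)
    print(port.in_voice_vlan)
```

The match covers only the bits set in the mask, so OUI-based assignment is a traffic classification rather than an authentication of the attached device.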

Network Diagram

Figure 1-1 Network diagram for automatic voice VLAN assignment configuration
(Diagram not reproduced. Labels: IP Phone1 (Tag) 000f-e234-1234; PC; IP Phone2 (Untag) Oui:000f-2200-0000; SwitchA GE1/0/1, GE1/0/2; SwitchB; Voice Gateway; VoIP Network; Server)

Networking and Configuration Requirements

As shown in Figure 1-1, PC is connected to GigabitEthernet 1/0/1 of Switch A through IP phone 1, and IP phone 2 is connected to GigabitEthernet 1/0/2 of Switch A. IP phone 1 sends out voice traffic with the tag of the voice VLAN, while IP phone 2 sends out voice traffic without any VLAN tag. Configure the voice VLAN feature to satisfy the following requirements:

- Configure VLAN 2 as the voice VLAN, and set the aging time of the voice VLAN to 100 minutes. Use VLAN 6 to transmit user service data.
- GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 can recognize voice traffic automatically. Service data from PC and voice traffic are assigned to different VLANs and then transmitted to the server and the voice gateway respectively through Switch B.
- Because the OUI addresses of IP phone 1 and IP phone 2 are not in the default voice device vendor OUI list of the switch, you are required to add their OUI addresses 000f-e200-0000 and 000f-2200-0000 to the OUI list. In addition, configure their descriptions as IP Phone1 and IP Phone2 respectively.

Applicable Product Matrix

Product Series                      Software Version             Hardware Version
S3610 series Ethernet switches      Release 5301, Release 5303   All versions
S5510 series Ethernet switches      Release 5301, Release 5303   All versions
S5510-SI series Ethernet switches   Release 1207                 All versions except S5500-20TP-SI
                                    Release 1301                 S5500-20TP-SI
S5510-EI series Ethernet switches   Release 2102                 All versions
S7500E series Ethernet switches     Release 6100, Release 6300   All versions

Configuration Procedure# Create VLAN 2 and VLAN 6. system-view [SwitchA] vlan 2 [SwitchA-vlan2] quit [SwitchA] vlan 6 [SwitchA-vlan6] quit

# Set the aging time for the voice VLAN.[SwitchA] voice vlan aging 100

# Add 000f-e200-0000 to the OUI address list and configure its description as IP Phone1.[SwitchA] voice vlan mac-address 000f-e200-0000 mask ffff-ff00-0000 description IP Phone1

# Add 000f-2200-0000 to the OUI address list and configure its description as IP Phone2.[SwitchA] voice vlan mac-address 000f-2200-0000 mask ffff-ff00-0000 description IP Phone2

# Configure VLAN 2 as the voice VLAN.[SwitchA] voice vlan 2 enable

# Configure the automatic voice VLAN assignment mode on Ethernet 1/0/1. This step is optional, because the mode is enabled by default.[SwitchA] interface GigabitEthernet 1/0/1 [SwitchA-GigabitEthernet1/0/1] voice vlan mode auto

# Configure Ethernet 1/0/1 as a trunk port.[SwitchA-GigabitEthernet1/0/1] port link-type trunk

# Configure VLAN 6 as the default VLAN of Ethernet 1/0/1 and configure Ethernet 1/0/1 to permit the packets of VLAN 6 to pass through. (PC data will be transmitted in the VLAN.)1-2

[SwitchA-GigabitEthernet1/0/1] port trunk pvid vlan 6 [SwitchA-GigabitEthernet1/0/1] port trunk permit vlan 6

# Enable voice VLAN on GigabitEthernet 1/0/1.[SwitchA-GigabitEthernet1/0/1] voice vlan enable

z

After the configuration is completed, PC data will be assigned to VLAN 6 (the data VLAN) on GigabitEthernet 1/0/1 for transmission. When IP phone traffic arrives at GigabitEthernet 1/0/1, the port automatically joins the voice VLAN and transmits the voice traffic with the voice VLAN tag, so that IP phone 1 can receive packets normally.

z

GigabitEthernet 1/0/1 can be a hybrid port. In this case, you can follow the same configuration procedure except that you should set the data VLAN as the default VLAN. When IP phone traffic arrives at the port, the port automatically permits the voice VLAN and transmits the traffic with the voice VLAN tag.

# Set the voice VLAN assignment mode of GigabitEthernet 1/0/2 to manual. The manual mode must be adopted because the voice traffic from IP phone 2 is untagged.
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface GigabitEthernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] undo voice vlan mode auto

# Configure GigabitEthernet 1/0/2 to be an access port and assign it to the voice VLAN.
[SwitchA-GigabitEthernet1/0/2] port access vlan 2

# Enable voice VLAN on GigabitEthernet 1/0/2.
[SwitchA-GigabitEthernet1/0/2] voice vlan enable

• You can set GigabitEthernet 1/0/2 as a trunk or hybrid port. In either case, configure the voice VLAN as the default VLAN and configure the port to remove the VLAN tag when forwarding traffic with the voice VLAN tag.

• If traffic from IP phone 2 is tagged, configure GigabitEthernet 1/0/2 as a trunk or hybrid port and send the packets of VLAN 2 with the VLAN tag.

Complete Configuration

#
vlan 1 to 2
#
vlan 6
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 1 6
 port trunk pvid vlan 6
 voice vlan enable
#
interface GigabitEthernet1/0/2
 port access vlan 2
 undo voice vlan mode auto
 voice vlan enable
#
 voice vlan aging 100
 voice vlan mac-address 000f-2200-0000 mask ffff-ff00-0000 description IP Phone2
 voice vlan mac-address 000f-e200-0000 mask ffff-ff00-0000 description IP Phone1
 voice vlan 2 enable

Configuration Guidelines

By default, the system maintains the OUI list shown in Table 1-1. You can remove or modify these pre-defined OUI addresses as needed.

Table 1-1 Default OUI addresses preconfigured on the switch

No.  OUI Address      Vendor
1    0001-e300-0000   Siemens phones
2    0003-6b00-0000   Cisco phones
3    0004-0d00-0000   Avaya phones
4    00d0-1e00-0000   Pingtel phones
5    0060-b900-0000   Philips/NEC phones
6    00e0-7500-0000   Polycom phones
7    00e0-bb00-0000   3com phones

• To use a VLAN as a protocol VLAN and the voice VLAN at the same time, ensure that the voice VLAN assignment mode on the port to be associated with the protocol VLAN is not automatic mode. In automatic mode, the port cannot be assigned to the voice VLAN manually, which can cause your attempt to associate the protocol VLAN with the port to fail.

• You cannot set the voice VLAN as the default VLAN on a port in automatic voice VLAN assignment mode.

• The switch supports only one voice VLAN.

• Only a static VLAN can be configured as the voice VLAN.

• When the voice VLAN operates in security mode, the device allows only the packets whose source address matches a recognizable voice device vendor OUI to pass through. All other packets, including authentication packets such as 802.1x authentication packets, will be dropped. Therefore, you are advised not to transmit both voice and data in the voice VLAN at the same time. If that is needed, disable the security mode of the voice VLAN first.
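The OUI matching that security mode relies on, as an added Python example (not code from this manual). It parses the voice vlan mac-address lines of the configuration above and reports which source MAC addresses would be treated as voice devices. The function names are hypothetical, and the mask applied to the Table 1-1 defaults is an assumption because the table does not state one.

```python
import re

# Constructed input: the voice VLAN lines of the Complete Configuration above.
CONFIG = """\
voice vlan aging 100
voice vlan mac-address 000f-2200-0000 mask ffff-ff00-0000 description IP Phone2
voice vlan mac-address 000f-e200-0000 mask ffff-ff00-0000 description IP Phone1
voice vlan 2 enable
"""

# Default OUI addresses from Table 1-1. The table gives no mask; applying
# ffff-ff00-0000 (the mask used in the example above) is an assumption.
DEFAULT_MASK = "ffff-ff00-0000"
DEFAULT_OUIS = [
    ("0001-e300-0000", "Siemens phones"),
    ("0003-6b00-0000", "Cisco phones"),
    ("0004-0d00-0000", "Avaya phones"),
    ("00d0-1e00-0000", "Pingtel phones"),
    ("0060-b900-0000", "Philips/NEC phones"),
    ("00e0-7500-0000", "Polycom phones"),
    ("00e0-bb00-0000", "3com phones"),
]

OUI_LINE = re.compile(
    r"^\s*voice vlan mac-address (\S+) mask (\S+)(?: description (.+?))?\s*$",
    re.MULTILINE,
)


def mac_to_int(text):
    """Convert xxxx-xxxx-xxxx notation to a 48-bit integer."""
    digits = text.replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return int(digits, 16)


def load_oui_list(config, defaults=DEFAULT_OUIS):
    """Return [(oui, mask, description)]: the defaults plus the configured entries."""
    entries = [(mac_to_int(o), mac_to_int(DEFAULT_MASK), d) for o, d in defaults]
    for oui, mask, desc in OUI_LINE.findall(config):
        entries.append((mac_to_int(oui), mac_to_int(mask), desc or "(no description)"))
    return entries


def match_oui(src_mac, entries):
    """Return the description of the first entry matching src_mac under its mask, else None."""
    mac = mac_to_int(src_mac)
    for oui, mask, desc in entries:
        if mac & mask == oui & mask:
            return desc
    return None


def voice_vlan_forwards(src_mac, entries, security_mode=True):
    """Security mode: only frames whose source MAC matches an OUI entry pass."""
    return not security_mode or match_oui(src_mac, entries) is not None
```

A PC whose source MAC matches no entry is dropped in the voice VLAN while security mode is on, which is why its 802.1x frames never get through.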

Table of Contents

1 IP Addressing and Performance Configuration Guide
    Configuring IP Addressing
        Network Diagram
        Networking and Configuration Requirements
        Applicable Product Matrix
        Configuration Procedure
        Complete Configuration
        Configuration Guidelines
    Configuring IP Performance
        Network Diagram
        Networking and Configuration Requirements
        Applicable Product Matrix
        Configuration Procedure
        Complete Configuration
        Configuration Guidelines

1 IP Addressing and Performance Configuration Guide

Configuring IP Addressing

Network Diagram

Figure 1-1 Network diagram for IP address configuration

Networking and Configuration Requirements

As shown in the above figure, VLAN-interface 1 on Switch is connected to a LAN in which hosts belong to two subnets: 172.16.1.0/24 and 172.16.2.0/24. It is required to enable the hosts in the LAN to communicate with external networks through Switch, and to enable the hosts in the two network segments to communicate with each other.

Applicable Product Matrix

Product series                      Software version              Hardware version
S3610 Series Ethernet Switches      Release 5301, Release 5303    All versions
S5510 Series Ethernet Switches      Release 5301, Release 5303    All versions
S5500-SI Series Ethernet Switches   Release 1207                  All versions except S5500-20TP-SI
                                    Release 1301                  S5500-20TP-SI
S5500-EI Series Ethernet Switches   Release 2102                  All versions
S7500E Series Ethernet Switches     Release 6100, Release 6300    All versions
S3500-EA Series Ethernet Switches   Release 5303                  All versions

Configuration Procedure

Assign a primary IP address and a secondary IP address to VLAN-interface 1 of Switch to ensure that all the hosts on the LAN can access external networks through Switch. Set Switch as the gateway on all the hosts of the two subnets to ensure that they can communicate with each other.

# Assign a primary IP address and a secondary IP address to VLAN-interface 1.
system-view
[Switch] interface vlan-interface 1
[Switch-Vlan-interface1] ip address 172.16.1.1 255.255.255.0
[Switch-Vlan-interface1] ip address 172.16.2.1 255.255.255.0 sub
[Switch-Vlan-interface1] return

# Set the gateway address to 172.16.1.1 on the hosts in subnet 172.16.1.0/24, and to 172.16.2.1 on the hosts in subnet 172.16.2.0/24.

# Ping Host B on Switch to verify the connectivity to subnet 172.16.1.0/24.
ping 172.16.1.2
  PING 172.16.1.2: 56 data bytes, press CTRL_C to break
    Reply from 172.16.1.2: bytes=56 Sequence=1 ttl=255 time=25 ms
    Reply from 172.16.1.2: bytes=56 Sequence=2 ttl=255 time=27 ms
    Reply from 172.16.1.2: bytes=56 Sequence=3 ttl=255 time=26 ms
    Reply from 172.16.1.2: bytes=56 Sequence=4 ttl=255 time=26 ms
    Reply from 172.16.1.2: bytes=56 Sequence=5 ttl=255 time=26 ms

  --- 172.16.1.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/26/27 ms

The output shows that Switch and Host B can reach each other.

# Ping Host A on Switch to verify the connectivity to subnet 172.16.2.0/24.
ping 172.16.2.2
  PING 172.16.2.2: 56 data bytes, press CTRL_C to break
    Reply from 172.16.2.2: bytes=56 Sequence=1 ttl=255 time=25 ms
    Reply from 172.16.2.2: bytes=56 Sequence=2 ttl=255 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=3 ttl=255 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=4 ttl=255 time=26 ms
    Reply from 172.16.2.2: bytes=56 Sequence=5 ttl=255 time=26 ms

  --- 172.16.2.2 ping statistics ---
    5 packet(s) transmitted
    5 packet(s) received
    0.00% packet loss
    round-trip min/avg/max = 25/25/26 ms

The output shows that Switch and Host A can reach each other.

# Ping Host B on Host A to verify the connectivity between subnet 172.16.2.0/24 and subnet 172.16.1.0/24. Ping Host B on Host A to verify that the ping operation is successful.

Complete Configuration

#
interface Vlan-interface1
 ip address 172.16.1.1 255.255.255.0
 ip address 172.16.2.1 255.255.255.0 sub
#

Configuration Guidelines

• The primary IP address you assign to an interface overwrites the old one, if there is any.

• You cannot assign secondary IP addresses to an interface that has BOOTP or DHCP configured.

• The primary and secondary IP addresses you assign to the interface can be located on the same network segment. However, this should not violate the rule that different interfaces on the switch must reside on different network segments.

Configuring IP Performance

Network Diagram

Figure 1-2 Network diagram for configuring reception and forwarding of directed broadcasts

Networking and Configuration Requirements

As shown in the figure above, the host's interface and VLAN-interface 3 on Switch A are on the same subnet (1.1.1.0/24). VLAN-interface 2 on Switch A and VLAN-interface 2 on Switch B are on the other subnet (2.2.2.0/24). Set the default gateway on the host to VLAN-interface 3 on Switch A. Configure a static route to the host on Switch B.

Applicable Product Matrix

Product series                      Software version              Hardware version
S3610 Series Ethernet Switches      Release 5301, Release 5303    All versions
S5510 Series Ethernet Switches      Release 5301, Release 5303    All versions
S5500-SI Series Ethernet Switches   Release 1207                  All versions except S5500-20TP-SI
                                    Release 1301                  S5500-20TP-SI
S5500-EI Series Ethernet Switches   Release 2102                  All versions
S7500E Series Ethernet Switches     Release 6100, Release 6300    All versions
S3500-EA Series Ethernet Switches   Release 5303                  All versions

Configuration Procedure

• Configure Switch A

# Enable Switch A to receive directed broadcasts.
system-view
[SwitchA] ip forward-broadcast

# Create VLAN 2 and VLAN 3.
[SwitchA] Vlan 2
[SwitchA-Vlan2] quit
[SwitchA] Vlan 3
[SwitchA-Vlan3] quit

# Configure IP addresses for VLAN-interface 3 and VLAN-interface 2 respectively.
[SwitchA] interface vlan-interface 3
[SwitchA-Vlan-interface3] ip address 1.1.1.2 24
[SwitchA-Vlan-interface3] quit
[SwitchA] interface vlan-interface 2
[SwitchA-Vlan-interface2] ip address 2.2.2.2 24

# Enable VLAN-interface 2 to forward directed broadcasts.
[SwitchA-Vlan-interface2] ip forward-broadcast

• Configure Switch B

# Enable Switch B to receive directed broadcasts.
system-view
[SwitchB] ip forward-broadcast

# Create VLAN 2.
[SwitchB] Vlan 2
[SwitchB-Vlan2] quit

# Configure a static route to the host.
[SwitchB] ip route-static 1.1.1.1 24 2.2.2.2

# Configure an IP address for VLAN-interface 2.
[SwitchB] interface vlan-interface 2
[SwitchB-Vlan-interface2] ip address 2.2.2.1 24

After the above configuration, if you ping the subnet broadcast address (2.2.2.255) on the host, ping packets can be received by VLAN-interface 2 of Switch B. However, if you undo the ip forward-broadcast command, ping packets cannot be received by VLAN-interface 2 of Switch B.

Complete Configuration

• Configure Switch A

#
 ip forward-broadcast
#
vlan 2
#
vlan 3
#
interface Vlan-interface2
 ip address 2.2.2.2 255.255.255.0
 ip forward-broadcast
#
interface Vlan-interface3
 ip address 1.1.1.2 255.255.255.0

• Configure Switch B

#
 ip forward-broadcast
#
vlan 2
#
interface Vlan-interface2
 ip address 2.2.2.1 255.255.255.0
#
 ip route-static 1.1.1.0 255.255.255.0 2.2.2.2

Configuration Guidelines

None.
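A configuration review aid for the two settings used above, as an added Python example (not code from this manual). It reads a saved configuration, separates the system-view ip forward-broadcast (receive) from the interface-view one (forward), and lists the directed broadcast address of each subnet that an interface forwards to, so that forwarding can be confirmed to exist only where intended. The function names are hypothetical and the sample text is constructed from the Complete Configuration of Switch A and Switch B.

```python
import ipaddress

# Constructed input: the Complete Configuration of Switch A and Switch B above.
SWITCH_A = """\
#
 ip forward-broadcast
#
vlan 2
#
vlan 3
#
interface Vlan-interface2
 ip address 2.2.2.2 255.255.255.0
 ip forward-broadcast
#
interface Vlan-interface3
 ip address 1.1.1.2 255.255.255.0
"""
SWITCH_B = """\
#
 ip forward-broadcast
#
vlan 2
#
interface Vlan-interface2
 ip address 2.2.2.1 255.255.255.0
#
 ip route-static 1.1.1.0 255.255.255.0 2.2.2.2
"""


def parse_directed_broadcast(config):
    """Return (receive_enabled, {interface: {"networks": [...], "forward": bool}})."""
    receive_enabled, interfaces, current = False, {}, None
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0] == "#":
            current = None                              # '#' ends the current view
        elif words[0] == "interface" and len(words) > 1:
            current = words[1]
            interfaces[current] = {"networks": [], "forward": False}
        elif words[:2] == ["ip", "forward-broadcast"]:
            if current is None:
                receive_enabled = True                  # system view: receive
            else:
                interfaces[current]["forward"] = True   # interface view: forward
        elif words[:2] == ["ip", "address"] and current and len(words) >= 4:
            # Accepts both a dotted mask and a prefix length; a trailing "sub" is ignored.
            net = ipaddress.ip_interface(f"{words[2]}/{words[3]}").network
            interfaces[current]["networks"].append(net)
    return receive_enabled, interfaces


def forwarding_interfaces(config):
    """List (interface, directed broadcast address) for every interface that forwards."""
    _, interfaces = parse_directed_broadcast(config)
    return [
        (name, str(net.broadcast_address))
        for name, info in interfaces.items()
        if info["forward"]
        for net in info["networks"]
    ]
```

For Switch A the result is Vlan-interface2 with 2.2.2.255, the address pinged in the verification step; Switch B only receives and forwards nowhere.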

Table of Contents

1 QinQ Configuration Guide
    Configuring QinQ
        Network diagram
        Networking and Configuration Requirements
        Applicable Product Matrix
        Configuration Procedure
        Complete Configuration
        Configuration Guidelines
    Configuring Flow-Based Selective QinQ
        Network Diagram
        Networking and Configuration Requirements
        Applicable Product Matrix
        Configuration Procedure
        Complete Configuration
        Configuration Guidelines
    Configuring One-to-One VLAN Mapping
        Network Diagram
        Networking and Configuration Requirements
        Applicable Product Matrix
        Configuration Procedure
        Complete Configuration
        Configuration Guidelines

1 QinQ Configuration Guide

Configuring QinQ

Network diagram

Figure 1-1 Network diagram for QinQ configuration

[Figure labels: Customer A; Provider A with GE1/0/1 (hybrid), GE1/0/2 (access) and GE1/0/3 (trunk); public network carrying VLAN 1000 and VLAN 2000, TPID=0x8200; Provider B with GE1/0/1 (trunk) and GE1/0/2 (access); Customer B; Customer C]

Networking and Configuration Requirements

• Provider A and Provider B are service provider network access devices.

• Customer A, Customer B and Customer C are customer network access devices.

• Provider A and Provider B are interconnected through a trunk port. Provider A belongs to service provider VLAN (SVLAN) 1000, and Provider B belongs to SVLAN 2000.

• Third-party devices are deployed between Provider A and Provider B, with a TPID value of 0x8200.

By default, H3C series switches adopt the TPID value 0x8100.

Configure the network to satisfy the following requirements:

• Frames of VLAN 10 of Customer A and frames of VLAN 10 of Customer B can be forwarded to each other through SVLAN 1000;

• Frames of VLAN 20 of Customer A and frames of VLAN 20 of Customer C can be forwarded to each other through SVLAN 2000.

Applicable Product Matrix

Product series                      Software version              Hardware version
S3610 Series Ethernet Switches      Release 5301, Release 5303    All versions
S5510 Series Ethernet Switches      Release 5301, Release 5303    All versions
S5500-SI Series Ethernet Switches   Release 1207                  All versions except S5500-20TP-SI
                                    Release 1301                  S5500-20TP-SI
S5500-EI Series Ethernet Switches   Release 2102                  All versions

Configuration Procedure

This example assumes that the SVLANs can pass through the devices inside the network of the service provider.

1) Configuration on Provider A

# Create VLAN 1000 and VLAN 2000.
system-view
[ProviderA] vlan 1000
[ProviderA-vlan1000] quit
[ProviderA] vlan 2000
[ProviderA-vlan2000] quit

• Configuration on GigabitEthernet 1/0/1

# Configure GigabitEthernet 1/0/1 as a hybrid port and assign it to VLAN 1000 and VLAN 2000 in untagged mode.
[ProviderA] interface GigabitEthernet 1/0/1
[ProviderA-GigabitEthernet1/0/1] port link-type hybrid
[ProviderA-GigabitEthernet1/0/1] port hybrid vlan 1000 2000 untagged

• If your switch is an S3610 or S5510 switch using Release 5301 software version, you must also assign GigabitEthernet 1/0/1 to VLAN 10 and VLAN 20 in untagged mode using the port hybrid vlan 10 20 1000 2000 untagged command.

• If your switch is an S3610 or S5510 switch using Release 5303 software version, you can disable VLAN check using the vlan-check disable command in interface view. In this way, you do not need to configure GigabitEthernet 1/0/1 to permit VLAN 10 and VLAN 20.

# Configure the port to tag frames from VLAN 10 with an outer tag with the VLAN ID of 1000.
[ProviderA-GigabitEthernet1/0/1] qinq vid 1000
[ProviderA-GigabitEthernet1/0/1-vid-1000] raw-vlan-id inbound 10
[ProviderA-GigabitEthernet1/0/1-vid-1000] quit

# Configure the port to tag frames from VLAN 20 with an outer tag with the VLAN ID of 2000.
[ProviderA-GigabitEthernet1/0/1] qinq vid 2000
[ProviderA-GigabitEthernet1/0/1-vid-2000] raw-vlan-id inbound 20
[ProviderA-GigabitEthernet1/0/1-vid-2000] quit
[ProviderA-GigabitEthernet1/0/1] quit

• Configuration on GigabitEthernet 1/0/2

# Configure GigabitEthernet 1/0/2 as an access port and assign it to VLAN 1000.
[ProviderA] interface GigabitEthernet 1/0/2
[ProviderA-GigabitEthernet1/0/2] port access vlan 1000

# Enable basic QinQ so that the port tags frames from VLAN 10 with an outer tag with the VLAN ID of 1000.
[ProviderA-GigabitEthernet1/0/2] qinq enable
[ProviderA-GigabitEthernet1/0/2] quit

• Configuration on GigabitEthernet 1/0/3

# Configure GigabitEthernet 1/0/3 as a trunk port, and assign it to VLAN 1000 and VLAN 2000.
[ProviderA] interface GigabitEthernet 1/0/3
[ProviderA-GigabitEthernet1/0/3] port link-type trunk
[ProviderA-GigabitEthernet1/0/3] port trunk permit vlan 1000 2000

# To enable interoperability with the third-party devices in the public network, set the TPID value to be carried in VLAN tags to 0x8200.
[ProviderA-GigabitEthernet1/0/3] quit
[ProviderA] qinq ethernet-type service-tag 8200

• The TPID configuration command on an S3610, S5510, or S5500-SI series switch is different from that on an S5500-EI series switch. For details, refer to the corresponding operation manual.

• On the S5500-EI and S5500-SI series switches, selective QinQ configuration can coexist with basic QinQ configuration but takes precedence over it; that is, a received frame is tagged with an outer VLAN ID based on basic QinQ only after it fails to match the match criteria defined in the traffic class. On the S3610 and S5510 series switches, basic QinQ and selective QinQ are mutually exclusive.

2) Configuration on Provider B

# Create VLAN 1000 and VLAN 2000.
system-view
[ProviderB] vlan 1000
[ProviderB-vlan1000] quit
[ProviderB] vlan 2000
[ProviderB-vlan2000] quit

• Configuration on GigabitEthernet 1/0/1

# Configure GigabitEthernet 1/0/1 as a trunk port, and assign it to VLAN 1000 and VLAN 2000.
system-view
[ProviderB] interface GigabitEthernet 1/0/1
[ProviderB-GigabitEthernet1/0/1] port link-type trunk
[ProviderB-GigabitEthernet1/0/1] port trunk permit vlan 1000 2000

# To enable interoperability with the third-party devices in the public network, set the TPID value to be carried in VLAN tags to 0x8200.
[ProviderB-GigabitEthernet1/0/1] quit
[ProviderB] qinq ethernet-type service-tag 8200

• Configuration on GigabitEthernet 1/0/2

# Configure GigabitEthernet 1/0/2 as an access port and assign it to VLAN 2000.
[ProviderB] interface GigabitEthernet 1/0/2
[ProviderB-GigabitEthernet1/0/2] port access vlan 2000

# Enable basic QinQ so as to tag frames from VLAN 20 with an outer tag with the VLAN ID of 2000.
[ProviderB-GigabitEthernet1/0/2] qinq enable

3) Configuration on the devices on the public network

As third-party devices are deployed between Provider A and Provider B, only the basic configurations that should be made on the devices are discussed here. Configure the device connected to GigabitEthernet 1/0/3 of Provider A and the device connected to GigabitEthernet 1/0/1 of Provider B so that the involved ports on them send tagged frames of VLAN 1000 and VLAN 2000. The configuration steps are omitted here.

Complete Configuration

• Configuration on ProviderA

#
 qinq ethernet-type service-tag 8200
#
vlan 1000
#
vlan 2000
#
interface GigabitEthernet1/0/1
 port link-type hybrid
 port hybrid vlan 1 1000 2000 untagged
 qinq vid 1000
  raw-vlan-id inbound 10
 qinq vid 2000
  raw-vlan-id inbound 20
#
interface GigabitEthernet1/0/2
 port access vlan 1000
 qinq enable
#
interface GigabitEthernet1/0/3
 port link-type trunk
 port trunk permit vlan 1 1000 2000

• Configuration on DeviceB

#
 qinq ethernet-type service-tag 8200
#
vlan 1000
#
vlan 2000
#
#
interface GigabitEthernet1/0/1
 port link-type trunk
 port trunk permit vlan 1 1000 2000
#
interface GigabitEthernet1/0/2
 port access vlan 2000
 qinq enable

Configuration Guidelines

An inner VLAN tag corresponds to only one outer VLAN tag. If you want to change an outer VLAN tag, you must delete the old outer VLAN tag configuration and configure a new outer VLAN tag.
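What the outer tag looks like on the wire and why the TPID has to agree across the public network, as an added Python example (not code from this manual). It pushes the outer tag selected by the inner VLAN ID, using the 10 to 1000 and 20 to 2000 mapping configured on Provider A, and then parses the result once with TPID 0x8200 and once with the default 0x8100. The function names, MAC addresses and payload are constructed for illustration.

```python
import struct

CTAG_TPID = 0x8100     # TPID of the customer (inner) tag; also the H3C default per this section
SERVICE_TPID = 0x8200  # TPID the third-party devices use in this example

# Inner-to-outer VLAN mapping configured on Provider A GigabitEthernet 1/0/1
# (qinq vid 1000 / raw-vlan-id inbound 10, qinq vid 2000 / raw-vlan-id inbound 20).
# A dict holds one outer VLAN per inner VLAN, as the guideline above requires.
CVLAN_TO_SVLAN = {10: 1000, 20: 2000}


def vlan_tag(tpid, vlan_id, priority=0):
    """Build a 4-byte tag: 16-bit TPID, then 3-bit priority, 1-bit DEI (0), 12-bit VLAN ID."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan_id}")
    return struct.pack("!HH", tpid, (priority << 13) | vlan_id)


def customer_frame(cvlan, payload=b"constructed payload"):
    """Constructed single-tagged IPv4 frame, as sent by a customer device."""
    dst, src = bytes.fromhex("020000000002"), bytes.fromhex("020000000001")
    return dst + src + vlan_tag(CTAG_TPID, cvlan) + struct.pack("!H", 0x0800) + payload


def provider_ingress(frame, mapping=CVLAN_TO_SVLAN, service_tpid=SERVICE_TPID):
    """Insert the outer tag chosen by the frame's customer VLAN ID after the MAC addresses."""
    tpid, tci = struct.unpack("!HH", frame[12:16])
    if tpid != CTAG_TPID:
        raise ValueError("frame carries no customer VLAN tag")
    cvlan = tci & 0x0FFF
    if cvlan not in mapping:
        raise KeyError(f"no outer VLAN configured for customer VLAN {cvlan}")
    return frame[:12] + vlan_tag(service_tpid, mapping[cvlan]) + frame[12:]


def parse_tags(frame, service_tpid):
    """Read the tags as a provider-side port that expects service_tpid in the outer tag.

    Returns (svlan, cvlan, ethertype). A tag whose TPID is not recognised is not
    parsed, so its TPID is returned as the EtherType.
    """
    offset, svlan, cvlan = 12, None, None
    (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    if ethertype == service_tpid:
        svlan = struct.unpack("!H", frame[offset + 2:offset + 4])[0] & 0x0FFF
        offset += 4
        (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
        if ethertype == CTAG_TPID:
            cvlan = struct.unpack("!H", frame[offset + 2:offset + 4])[0] & 0x0FFF
            offset += 4
            (ethertype,) = struct.unpack("!H", frame[offset:offset + 2])
    return svlan, cvlan, ethertype
```

A port left at the default TPID sees 0x8200 as an unknown EtherType instead of SVLAN 1000, which is the interoperability problem the qinq ethernet-type service-tag 8200 step addresses.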

Configuring Flow-Based Selective QinQ

Network Diagram

Figure 1-2 Network diagram for flow-based selective QinQ configuration

[Figure labels: Customer A (VLAN 10, VLAN 20); Customer D; Provider A with Eth2/0/1, Eth2/0/2 and Eth2/0/3; public network carrying VLAN 1000/2000/3000, TPID=0x8200; Provider B with Eth2/0/1, Eth2/0/2 and Eth2/0/3; Customer B (VLAN 10); Customer C (VLAN 20)]

Networking and Configuration Requirements

• Provider A and Provider B are service provider network access devices.

• Customer A, Customer B, Customer C, and Customer D are customer network access devices.

• Provider A and Provider B are interconnected through a trunk port, which permits the frames of SVLAN 1000, SVLAN 2000, and SVLAN 3000 to pass through.

• Third-party devices are deployed between Provider A and Provider B, with a TPID value of 0x8200.

Configure the network to satisfy the following requirements:

• VLAN 10 of Customer A and VLAN 10 of Customer B can intercommunicate across SVLAN 1000.

• VLAN 20 of Customer A and VLAN 20 of Customer C can intercommunicate across SVLAN 2000.

• Frames of the VLANs other than VLAN 10 and VLAN 20 of Customer A can be forwarded to Customer D across SVLAN 3000.

Applicable Product Matrix

Product series                      Software version              Hardware version
S7500E Series Ethernet Switches     Release 6100, Release 6300    All versions

Configuration Procedure

1) Configuration on Provider A

# Create VLAN 1000, VLAN 2000, and VLAN 3000.
system-view
[ProviderA] vlan 1000
[ProviderA-vlan1000] quit
[ProviderA] vlan 2000
[ProviderA-vlan2000] quit
[ProviderA] vlan 3000
[ProviderA-vlan3000] quit

• Configuration on Ethernet 2/0/1

# Configure Ethernet 2/0/1 as a hybrid port and assign it to VLAN 1000, VLAN 2000, and VLAN 3000 in untagged mode.
[ProviderA] interface ethernet 2/0/1
[ProviderA-Ethernet2/0/1] port link-type hybrid
[ProviderA-Ethernet2/0/1] port hybrid vlan 1000 2000 3000 untagged

# Configure VLAN 3000 as the default VLAN of Ethernet 2/0/1, and enable basic QinQ on Ethernet 2/0/1. As a result, the frames received on the port are tagged with the outer VLAN tag 3000.
[ProviderA-Ethernet2/0/1] port hybrid pvid vlan 3000
[ProviderA-Ethernet2/0/1] qinq enable
[ProviderA-Ethernet2/0/1] quit

# Create a class A10 to match frames of VLAN 10 of Customer A.
[ProviderA] traffic classifier A10
[ProviderA-classifier-A10] if-match customer-vlan-id 10
[ProviderA-classifier-A10] quit

# Create a traffic behavior P1000 and configure the action of tagging frames with the outer VLAN tag 1000 for the traffic behavior.
[ProviderA] traffic behavior P1000
[ProviderA-behavior-P1000] nest top-most vlan-id 1000
[ProviderA-behavior-P1000] quit

# Create a class A20 to match frames of VLAN 20 of Customer A. Create a traffic behavior P2000 and configure the action of tagging frames with the outer VLAN tag 2000 for the traffic behavior.
[ProviderA] traffic classifier A20
[ProviderA-classifier-A20] if-match customer-vlan-id 20
[ProviderA-classifier-A20] quit
[ProviderA] traffic behavior P2000
[ProviderA-behavior-P2000] nest top-most vlan-id 2000
[ProviderA-behavior-P2000] quit

# Create a QoS policy qinq. Associate the class A10 with the traffic behavior P1000, and associate the class A20 with the traffic behavior P2000 in the QoS policy qinq.
[ProviderA] qos policy qinq
[ProviderA-qospolicy-qinq] classifier A10 behavior P1000
[ProviderA-qospolicy-qinq] classifier A20 behavior P2000
[ProviderA-qospolicy-qinq] quit

# Apply the QoS policy qinq in the inbound direction of Ethernet 2/0/1.
[ProviderA] interface Ethernet 2/0/1
[ProviderA-Ethernet2/0/1] qos apply policy qinq inbound

• Configuration on Ethernet 2/0/2

# Configure VLAN 1000 as the default VLAN of Ethernet 2/0/2.
[ProviderA] interface ethernet 2/0/2
[ProviderA-Ethernet2/0/2] port access vlan 1000

# Enable basic QinQ. Tag frames from VLAN 10 with the outer VLAN tag 1000.
[ProviderA-Ethernet2/0/2] qinq enable
[ProviderA-Ethernet2/0/2] quit

• Configuration on Ethernet 2/0/3

# Configure Ethernet 2/0/3 as a trunk port, and assign it to VLAN 1000 and VLAN 2000.
[ProviderA] interface ethernet 2/0/3
[ProviderA-Ethernet2/0/3] port link-type trunk
[ProviderA-Ethernet2/0/3] port trunk permit vlan 1000 2000

# To enable interoperability with the third-party devices in the public network, set the TPID of the SVLAN tags to 0x8200. Therefore, the port tags the frames with the outer VLAN tag whose TPID is 0x8200.
[ProviderA-Ethernet2/0/3] qinq ethernet-type service-tag 8200

2) Configuration on Provider B

# Create VLAN 1000, VLAN 2000, and VLAN 3000.
system-view
[Pr